1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved. 25 */ 26 27 #include <sys/types.h> 28 #include <sys/stream.h> 29 #include <sys/stropts.h> 30 #include <sys/strsubr.h> 31 #include <sys/errno.h> 32 #include <sys/ddi.h> 33 #include <sys/debug.h> 34 #include <sys/cmn_err.h> 35 #include <sys/stream.h> 36 #include <sys/strlog.h> 37 #include <sys/kmem.h> 38 #include <sys/sunddi.h> 39 #include <sys/tihdr.h> 40 #include <sys/atomic.h> 41 #include <sys/socket.h> 42 #include <sys/sysmacros.h> 43 #include <sys/crypto/common.h> 44 #include <sys/crypto/api.h> 45 #include <sys/zone.h> 46 #include <netinet/in.h> 47 #include <net/if.h> 48 #include <net/pfkeyv2.h> 49 #include <net/pfpolicy.h> 50 #include <inet/common.h> 51 #include <netinet/ip6.h> 52 #include <inet/ip.h> 53 #include <inet/ip_ire.h> 54 #include <inet/ip6.h> 55 #include <inet/ipsec_info.h> 56 #include <inet/tcp.h> 57 #include <inet/sadb.h> 58 #include <inet/ipsec_impl.h> 59 #include <inet/ipsecah.h> 60 #include <inet/ipsecesp.h> 61 #include <sys/random.h> 62 #include <sys/dlpi.h> 63 #include <sys/strsun.h> 64 #include <sys/strsubr.h> 65 #include <inet/ip_if.h> 66 #include <inet/ipdrop.h> 67 #include <inet/ipclassifier.h> 68 #include <inet/sctp_ip.h> 69 #include <sys/tsol/tnet.h> 70 71 /* 72 * This source file contains Security Association Database (SADB) common 73 * routines. They are linked in with the AH module. Since AH has no chance 74 * of falling under export control, it was safe to link it in there. 75 */ 76 77 static mblk_t *sadb_extended_acquire(ipsec_selector_t *, ipsec_policy_t *, 78 ipsec_action_t *, boolean_t, uint32_t, uint32_t, sadb_sens_t *, 79 netstack_t *); 80 static ipsa_t *sadb_torch_assoc(isaf_t *, ipsa_t *); 81 static void sadb_destroy_acqlist(iacqf_t **, uint_t, boolean_t, 82 netstack_t *); 83 static void sadb_destroy(sadb_t *, netstack_t *); 84 static mblk_t *sadb_sa2msg(ipsa_t *, sadb_msg_t *); 85 static ts_label_t *sadb_label_from_sens(sadb_sens_t *, uint64_t *); 86 static sadb_sens_t *sadb_make_sens_ext(ts_label_t *tsl, int *len); 87 88 static time_t sadb_add_time(time_t, uint64_t); 89 static void lifetime_fuzz(ipsa_t *); 90 static void age_pair_peer_list(templist_t *, sadb_t *, boolean_t); 91 static int get_ipsa_pair(ipsa_query_t *, ipsap_t *, int *); 92 static void init_ipsa_pair(ipsap_t *); 93 static void destroy_ipsa_pair(ipsap_t *); 94 static int update_pairing(ipsap_t *, ipsa_query_t *, keysock_in_t *, int *); 95 static void ipsa_set_replay(ipsa_t *ipsa, uint32_t offset); 96 97 /* 98 * ipsacq_maxpackets is defined here to make it tunable 99 * from /etc/system. 100 */ 101 extern uint64_t ipsacq_maxpackets; 102 103 #define SET_EXPIRE(sa, delta, exp) { \ 104 if (((sa)->ipsa_ ## delta) != 0) { \ 105 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \ 106 (sa)->ipsa_ ## delta); \ 107 } \ 108 } 109 110 #define UPDATE_EXPIRE(sa, delta, exp) { \ 111 if (((sa)->ipsa_ ## delta) != 0) { \ 112 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \ 113 (sa)->ipsa_ ## delta); \ 114 if (((sa)->ipsa_ ## exp) == 0) \ 115 (sa)->ipsa_ ## exp = tmp; \ 116 else \ 117 (sa)->ipsa_ ## exp = \ 118 MIN((sa)->ipsa_ ## exp, tmp); \ 119 } \ 120 } 121 122 123 /* wrap the macro so we can pass it as a function pointer */ 124 void 125 sadb_sa_refrele(void *target) 126 { 127 IPSA_REFRELE(((ipsa_t *)target)); 128 } 129 130 /* 131 * We presume that sizeof (long) == sizeof (time_t) and that time_t is 132 * a signed type. 133 */ 134 #define TIME_MAX LONG_MAX 135 136 /* 137 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that 138 * time_t is defined to be a signed type with the same range as 139 * "long". On ILP32 systems, we thus run the risk of wrapping around 140 * at end of time, as well as "overwrapping" the clock back around 141 * into a seemingly valid but incorrect future date earlier than the 142 * desired expiration. 143 * 144 * In order to avoid odd behavior (either negative lifetimes or loss 145 * of high order bits) when someone asks for bizarrely long SA 146 * lifetimes, we do a saturating add for expire times. 147 * 148 * We presume that ILP32 systems will be past end of support life when 149 * the 32-bit time_t overflows (a dangerous assumption, mind you..). 150 * 151 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we 152 * will hopefully have figured out clever ways to avoid the use of 153 * fixed-sized integers in computation. 154 */ 155 static time_t 156 sadb_add_time(time_t base, uint64_t delta) 157 { 158 time_t sum; 159 160 /* 161 * Clip delta to the maximum possible time_t value to 162 * prevent "overwrapping" back into a shorter-than-desired 163 * future time. 164 */ 165 if (delta > TIME_MAX) 166 delta = TIME_MAX; 167 /* 168 * This sum may still overflow. 169 */ 170 sum = base + delta; 171 172 /* 173 * .. so if the result is less than the base, we overflowed. 174 */ 175 if (sum < base) 176 sum = TIME_MAX; 177 178 return (sum); 179 } 180 181 /* 182 * Callers of this function have already created a working security 183 * association, and have found the appropriate table & hash chain. All this 184 * function does is check duplicates, and insert the SA. The caller needs to 185 * hold the hash bucket lock and increment the refcnt before insertion. 186 * 187 * Return 0 if success, EEXIST if collision. 188 */ 189 #define SA_UNIQUE_MATCH(sa1, sa2) \ 190 (((sa1)->ipsa_unique_id & (sa1)->ipsa_unique_mask) == \ 191 ((sa2)->ipsa_unique_id & (sa2)->ipsa_unique_mask)) 192 193 int 194 sadb_insertassoc(ipsa_t *ipsa, isaf_t *bucket) 195 { 196 ipsa_t **ptpn = NULL; 197 ipsa_t *walker; 198 boolean_t unspecsrc; 199 200 ASSERT(MUTEX_HELD(&bucket->isaf_lock)); 201 202 unspecsrc = IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_srcaddr, ipsa->ipsa_addrfam); 203 204 walker = bucket->isaf_ipsa; 205 ASSERT(walker == NULL || ipsa->ipsa_addrfam == walker->ipsa_addrfam); 206 207 /* 208 * Find insertion point (pointed to with **ptpn). Insert at the head 209 * of the list unless there's an unspecified source address, then 210 * insert it after the last SA with a specified source address. 211 * 212 * BTW, you'll have to walk the whole chain, matching on {DST, SPI} 213 * checking for collisions. 214 */ 215 216 while (walker != NULL) { 217 if (IPSA_ARE_ADDR_EQUAL(walker->ipsa_dstaddr, 218 ipsa->ipsa_dstaddr, ipsa->ipsa_addrfam)) { 219 if (walker->ipsa_spi == ipsa->ipsa_spi) 220 return (EEXIST); 221 222 mutex_enter(&walker->ipsa_lock); 223 if (ipsa->ipsa_state == IPSA_STATE_MATURE && 224 (walker->ipsa_flags & IPSA_F_USED) && 225 SA_UNIQUE_MATCH(walker, ipsa)) { 226 walker->ipsa_flags |= IPSA_F_CINVALID; 227 } 228 mutex_exit(&walker->ipsa_lock); 229 } 230 231 if (ptpn == NULL && unspecsrc) { 232 if (IPSA_IS_ADDR_UNSPEC(walker->ipsa_srcaddr, 233 walker->ipsa_addrfam)) 234 ptpn = walker->ipsa_ptpn; 235 else if (walker->ipsa_next == NULL) 236 ptpn = &walker->ipsa_next; 237 } 238 239 walker = walker->ipsa_next; 240 } 241 242 if (ptpn == NULL) 243 ptpn = &bucket->isaf_ipsa; 244 ipsa->ipsa_next = *ptpn; 245 ipsa->ipsa_ptpn = ptpn; 246 if (ipsa->ipsa_next != NULL) 247 ipsa->ipsa_next->ipsa_ptpn = &ipsa->ipsa_next; 248 *ptpn = ipsa; 249 ipsa->ipsa_linklock = &bucket->isaf_lock; 250 251 return (0); 252 } 253 #undef SA_UNIQUE_MATCH 254 255 /* 256 * Free a security association. Its reference count is 0, which means 257 * I must free it. The SA must be unlocked and must not be linked into 258 * any fanout list. 259 */ 260 static void 261 sadb_freeassoc(ipsa_t *ipsa) 262 { 263 ipsec_stack_t *ipss = ipsa->ipsa_netstack->netstack_ipsec; 264 mblk_t *asyncmp, *mp; 265 266 ASSERT(ipss != NULL); 267 ASSERT(MUTEX_NOT_HELD(&ipsa->ipsa_lock)); 268 ASSERT(ipsa->ipsa_refcnt == 0); 269 ASSERT(ipsa->ipsa_next == NULL); 270 ASSERT(ipsa->ipsa_ptpn == NULL); 271 272 273 asyncmp = sadb_clear_lpkt(ipsa); 274 if (asyncmp != NULL) { 275 mp = ip_recv_attr_free_mblk(asyncmp); 276 ip_drop_packet(mp, B_TRUE, NULL, 277 DROPPER(ipss, ipds_sadb_inlarval_timeout), 278 &ipss->ipsec_sadb_dropper); 279 } 280 mutex_enter(&ipsa->ipsa_lock); 281 282 if (ipsa->ipsa_tsl != NULL) { 283 label_rele(ipsa->ipsa_tsl); 284 ipsa->ipsa_tsl = NULL; 285 } 286 287 if (ipsa->ipsa_otsl != NULL) { 288 label_rele(ipsa->ipsa_otsl); 289 ipsa->ipsa_otsl = NULL; 290 } 291 292 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_AUTH); 293 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_ENCR); 294 mutex_exit(&ipsa->ipsa_lock); 295 296 /* bzero() these fields for paranoia's sake. */ 297 if (ipsa->ipsa_authkey != NULL) { 298 bzero(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 299 kmem_free(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 300 } 301 if (ipsa->ipsa_encrkey != NULL) { 302 bzero(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 303 kmem_free(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 304 } 305 if (ipsa->ipsa_nonce_buf != NULL) { 306 bzero(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t)); 307 kmem_free(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t)); 308 } 309 if (ipsa->ipsa_src_cid != NULL) { 310 IPSID_REFRELE(ipsa->ipsa_src_cid); 311 } 312 if (ipsa->ipsa_dst_cid != NULL) { 313 IPSID_REFRELE(ipsa->ipsa_dst_cid); 314 } 315 if (ipsa->ipsa_emech.cm_param != NULL) 316 kmem_free(ipsa->ipsa_emech.cm_param, 317 ipsa->ipsa_emech.cm_param_len); 318 319 mutex_destroy(&ipsa->ipsa_lock); 320 kmem_free(ipsa, sizeof (*ipsa)); 321 } 322 323 /* 324 * Unlink a security association from a hash bucket. Assume the hash bucket 325 * lock is held, but the association's lock is not. 326 * 327 * Note that we do not bump the bucket's generation number here because 328 * we might not be making a visible change to the set of visible SA's. 329 * All callers MUST bump the bucket's generation number before they unlock 330 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which 331 * was present in the bucket at the time it was locked. 332 */ 333 void 334 sadb_unlinkassoc(ipsa_t *ipsa) 335 { 336 ASSERT(ipsa->ipsa_linklock != NULL); 337 ASSERT(MUTEX_HELD(ipsa->ipsa_linklock)); 338 339 /* These fields are protected by the link lock. */ 340 *(ipsa->ipsa_ptpn) = ipsa->ipsa_next; 341 if (ipsa->ipsa_next != NULL) { 342 ipsa->ipsa_next->ipsa_ptpn = ipsa->ipsa_ptpn; 343 ipsa->ipsa_next = NULL; 344 } 345 346 ipsa->ipsa_ptpn = NULL; 347 348 /* This may destroy the SA. */ 349 IPSA_REFRELE(ipsa); 350 } 351 352 void 353 sadb_delete_cluster(ipsa_t *assoc) 354 { 355 uint8_t protocol; 356 357 if (cl_inet_deletespi && 358 ((assoc->ipsa_state == IPSA_STATE_LARVAL) || 359 (assoc->ipsa_state == IPSA_STATE_MATURE))) { 360 protocol = (assoc->ipsa_type == SADB_SATYPE_AH) ? 361 IPPROTO_AH : IPPROTO_ESP; 362 cl_inet_deletespi(assoc->ipsa_netstack->netstack_stackid, 363 protocol, assoc->ipsa_spi, NULL); 364 } 365 } 366 367 /* 368 * Create a larval security association with the specified SPI. All other 369 * fields are zeroed. 370 */ 371 static ipsa_t * 372 sadb_makelarvalassoc(uint32_t spi, uint32_t *src, uint32_t *dst, int addrfam, 373 netstack_t *ns) 374 { 375 ipsa_t *newbie; 376 377 /* 378 * Allocate... 379 */ 380 381 newbie = (ipsa_t *)kmem_zalloc(sizeof (ipsa_t), KM_NOSLEEP); 382 if (newbie == NULL) { 383 /* Can't make new larval SA. */ 384 return (NULL); 385 } 386 387 /* Assigned requested SPI, assume caller does SPI allocation magic. */ 388 newbie->ipsa_spi = spi; 389 newbie->ipsa_netstack = ns; /* No netstack_hold */ 390 391 /* 392 * Copy addresses... 393 */ 394 395 IPSA_COPY_ADDR(newbie->ipsa_srcaddr, src, addrfam); 396 IPSA_COPY_ADDR(newbie->ipsa_dstaddr, dst, addrfam); 397 398 newbie->ipsa_addrfam = addrfam; 399 400 /* 401 * Set common initialization values, including refcnt. 402 */ 403 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 404 newbie->ipsa_state = IPSA_STATE_LARVAL; 405 newbie->ipsa_refcnt = 1; 406 newbie->ipsa_freefunc = sadb_freeassoc; 407 408 /* 409 * There aren't a lot of other common initialization values, as 410 * they are copied in from the PF_KEY message. 411 */ 412 413 return (newbie); 414 } 415 416 /* 417 * Call me to initialize a security association fanout. 418 */ 419 static int 420 sadb_init_fanout(isaf_t **tablep, uint_t size, int kmflag) 421 { 422 isaf_t *table; 423 int i; 424 425 table = (isaf_t *)kmem_alloc(size * sizeof (*table), kmflag); 426 *tablep = table; 427 428 if (table == NULL) 429 return (ENOMEM); 430 431 for (i = 0; i < size; i++) { 432 mutex_init(&(table[i].isaf_lock), NULL, MUTEX_DEFAULT, NULL); 433 table[i].isaf_ipsa = NULL; 434 table[i].isaf_gen = 0; 435 } 436 437 return (0); 438 } 439 440 /* 441 * Call me to initialize an acquire fanout 442 */ 443 static int 444 sadb_init_acfanout(iacqf_t **tablep, uint_t size, int kmflag) 445 { 446 iacqf_t *table; 447 int i; 448 449 table = (iacqf_t *)kmem_alloc(size * sizeof (*table), kmflag); 450 *tablep = table; 451 452 if (table == NULL) 453 return (ENOMEM); 454 455 for (i = 0; i < size; i++) { 456 mutex_init(&(table[i].iacqf_lock), NULL, MUTEX_DEFAULT, NULL); 457 table[i].iacqf_ipsacq = NULL; 458 } 459 460 return (0); 461 } 462 463 /* 464 * Attempt to initialize an SADB instance. On failure, return ENOMEM; 465 * caller must clean up partial allocations. 466 */ 467 static int 468 sadb_init_trial(sadb_t *sp, uint_t size, int kmflag) 469 { 470 ASSERT(sp->sdb_of == NULL); 471 ASSERT(sp->sdb_if == NULL); 472 ASSERT(sp->sdb_acq == NULL); 473 474 sp->sdb_hashsize = size; 475 if (sadb_init_fanout(&sp->sdb_of, size, kmflag) != 0) 476 return (ENOMEM); 477 if (sadb_init_fanout(&sp->sdb_if, size, kmflag) != 0) 478 return (ENOMEM); 479 if (sadb_init_acfanout(&sp->sdb_acq, size, kmflag) != 0) 480 return (ENOMEM); 481 482 return (0); 483 } 484 485 /* 486 * Call me to initialize an SADB instance; fall back to default size on failure. 487 */ 488 static void 489 sadb_init(const char *name, sadb_t *sp, uint_t size, uint_t ver, 490 netstack_t *ns) 491 { 492 ASSERT(sp->sdb_of == NULL); 493 ASSERT(sp->sdb_if == NULL); 494 ASSERT(sp->sdb_acq == NULL); 495 496 if (size < IPSEC_DEFAULT_HASH_SIZE) 497 size = IPSEC_DEFAULT_HASH_SIZE; 498 499 if (sadb_init_trial(sp, size, KM_NOSLEEP) != 0) { 500 501 cmn_err(CE_WARN, 502 "Unable to allocate %u entry IPv%u %s SADB hash table", 503 size, ver, name); 504 505 sadb_destroy(sp, ns); 506 size = IPSEC_DEFAULT_HASH_SIZE; 507 cmn_err(CE_WARN, "Falling back to %d entries", size); 508 (void) sadb_init_trial(sp, size, KM_SLEEP); 509 } 510 } 511 512 513 /* 514 * Initialize an SADB-pair. 515 */ 516 void 517 sadbp_init(const char *name, sadbp_t *sp, int type, int size, netstack_t *ns) 518 { 519 sadb_init(name, &sp->s_v4, size, 4, ns); 520 sadb_init(name, &sp->s_v6, size, 6, ns); 521 522 sp->s_satype = type; 523 524 ASSERT((type == SADB_SATYPE_AH) || (type == SADB_SATYPE_ESP)); 525 if (type == SADB_SATYPE_AH) { 526 ipsec_stack_t *ipss = ns->netstack_ipsec; 527 528 ip_drop_register(&ipss->ipsec_sadb_dropper, "IPsec SADB"); 529 sp->s_addflags = AH_ADD_SETTABLE_FLAGS; 530 sp->s_updateflags = AH_UPDATE_SETTABLE_FLAGS; 531 } else { 532 sp->s_addflags = ESP_ADD_SETTABLE_FLAGS; 533 sp->s_updateflags = ESP_UPDATE_SETTABLE_FLAGS; 534 } 535 } 536 537 /* 538 * Deliver a single SADB_DUMP message representing a single SA. This is 539 * called many times by sadb_dump(). 540 * 541 * If the return value of this is ENOBUFS (not the same as ENOMEM), then 542 * the caller should take that as a hint that dupb() on the "original answer" 543 * failed, and that perhaps the caller should try again with a copyb()ed 544 * "original answer". 545 */ 546 static int 547 sadb_dump_deliver(queue_t *pfkey_q, mblk_t *original_answer, ipsa_t *ipsa, 548 sadb_msg_t *samsg) 549 { 550 mblk_t *answer; 551 552 answer = dupb(original_answer); 553 if (answer == NULL) 554 return (ENOBUFS); 555 answer->b_cont = sadb_sa2msg(ipsa, samsg); 556 if (answer->b_cont == NULL) { 557 freeb(answer); 558 return (ENOMEM); 559 } 560 561 /* Just do a putnext, and let keysock deal with flow control. */ 562 putnext(pfkey_q, answer); 563 return (0); 564 } 565 566 /* 567 * Common function to allocate and prepare a keysock_out_t M_CTL message. 568 */ 569 mblk_t * 570 sadb_keysock_out(minor_t serial) 571 { 572 mblk_t *mp; 573 keysock_out_t *kso; 574 575 mp = allocb(sizeof (ipsec_info_t), BPRI_HI); 576 if (mp != NULL) { 577 mp->b_datap->db_type = M_CTL; 578 mp->b_wptr += sizeof (ipsec_info_t); 579 kso = (keysock_out_t *)mp->b_rptr; 580 kso->ks_out_type = KEYSOCK_OUT; 581 kso->ks_out_len = sizeof (*kso); 582 kso->ks_out_serial = serial; 583 } 584 585 return (mp); 586 } 587 588 /* 589 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts 590 * to keysock. 591 */ 592 static int 593 sadb_dump_fanout(queue_t *pfkey_q, mblk_t *mp, minor_t serial, isaf_t *fanout, 594 int num_entries, boolean_t do_peers, time_t active_time) 595 { 596 int i, error = 0; 597 mblk_t *original_answer; 598 ipsa_t *walker; 599 sadb_msg_t *samsg; 600 time_t current; 601 602 /* 603 * For each IPSA hash bucket do: 604 * - Hold the mutex 605 * - Walk each entry, doing an sadb_dump_deliver() on it. 606 */ 607 ASSERT(mp->b_cont != NULL); 608 samsg = (sadb_msg_t *)mp->b_cont->b_rptr; 609 610 original_answer = sadb_keysock_out(serial); 611 if (original_answer == NULL) 612 return (ENOMEM); 613 614 current = gethrestime_sec(); 615 for (i = 0; i < num_entries; i++) { 616 mutex_enter(&fanout[i].isaf_lock); 617 for (walker = fanout[i].isaf_ipsa; walker != NULL; 618 walker = walker->ipsa_next) { 619 if (!do_peers && walker->ipsa_haspeer) 620 continue; 621 if ((active_time != 0) && 622 ((current - walker->ipsa_lastuse) > active_time)) 623 continue; 624 error = sadb_dump_deliver(pfkey_q, original_answer, 625 walker, samsg); 626 if (error == ENOBUFS) { 627 mblk_t *new_original_answer; 628 629 /* Ran out of dupb's. Try a copyb. */ 630 new_original_answer = copyb(original_answer); 631 if (new_original_answer == NULL) { 632 error = ENOMEM; 633 } else { 634 freeb(original_answer); 635 original_answer = new_original_answer; 636 error = sadb_dump_deliver(pfkey_q, 637 original_answer, walker, samsg); 638 } 639 } 640 if (error != 0) 641 break; /* out of for loop. */ 642 } 643 mutex_exit(&fanout[i].isaf_lock); 644 if (error != 0) 645 break; /* out of for loop. */ 646 } 647 648 freeb(original_answer); 649 return (error); 650 } 651 652 /* 653 * Dump an entire SADB; outbound first, then inbound. 654 */ 655 656 int 657 sadb_dump(queue_t *pfkey_q, mblk_t *mp, keysock_in_t *ksi, sadb_t *sp) 658 { 659 int error; 660 time_t active_time = 0; 661 sadb_x_edump_t *edump = 662 (sadb_x_edump_t *)ksi->ks_in_extv[SADB_X_EXT_EDUMP]; 663 664 if (edump != NULL) { 665 active_time = edump->sadb_x_edump_timeout; 666 } 667 668 /* Dump outbound */ 669 error = sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_of, 670 sp->sdb_hashsize, B_TRUE, active_time); 671 if (error) 672 return (error); 673 674 /* Dump inbound */ 675 return sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_if, 676 sp->sdb_hashsize, B_FALSE, active_time); 677 } 678 679 /* 680 * Generic sadb table walker. 681 * 682 * Call "walkfn" for each SA in each bucket in "table"; pass the 683 * bucket, the entry and "cookie" to the callback function. 684 * Take care to ensure that walkfn can delete the SA without screwing 685 * up our traverse. 686 * 687 * The bucket is locked for the duration of the callback, both so that the 688 * callback can just call sadb_unlinkassoc() when it wants to delete something, 689 * and so that no new entries are added while we're walking the list. 690 */ 691 static void 692 sadb_walker(isaf_t *table, uint_t numentries, 693 void (*walkfn)(isaf_t *head, ipsa_t *entry, void *cookie), 694 void *cookie) 695 { 696 int i; 697 for (i = 0; i < numentries; i++) { 698 ipsa_t *entry, *next; 699 700 mutex_enter(&table[i].isaf_lock); 701 702 for (entry = table[i].isaf_ipsa; entry != NULL; 703 entry = next) { 704 next = entry->ipsa_next; 705 (*walkfn)(&table[i], entry, cookie); 706 } 707 mutex_exit(&table[i].isaf_lock); 708 } 709 } 710 711 /* 712 * Call me to free up a security association fanout. Use the forever 713 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g. 714 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE, 715 * when a module is unloaded). 716 */ 717 static void 718 sadb_destroyer(isaf_t **tablep, uint_t numentries, boolean_t forever, 719 boolean_t inbound) 720 { 721 int i; 722 isaf_t *table = *tablep; 723 uint8_t protocol; 724 ipsa_t *sa; 725 netstackid_t sid; 726 727 if (table == NULL) 728 return; 729 730 for (i = 0; i < numentries; i++) { 731 mutex_enter(&table[i].isaf_lock); 732 while ((sa = table[i].isaf_ipsa) != NULL) { 733 if (inbound && cl_inet_deletespi && 734 (sa->ipsa_state != IPSA_STATE_ACTIVE_ELSEWHERE) && 735 (sa->ipsa_state != IPSA_STATE_IDLE)) { 736 protocol = (sa->ipsa_type == SADB_SATYPE_AH) ? 737 IPPROTO_AH : IPPROTO_ESP; 738 sid = sa->ipsa_netstack->netstack_stackid; 739 cl_inet_deletespi(sid, protocol, sa->ipsa_spi, 740 NULL); 741 } 742 sadb_unlinkassoc(sa); 743 } 744 table[i].isaf_gen++; 745 mutex_exit(&table[i].isaf_lock); 746 if (forever) 747 mutex_destroy(&(table[i].isaf_lock)); 748 } 749 750 if (forever) { 751 *tablep = NULL; 752 kmem_free(table, numentries * sizeof (*table)); 753 } 754 } 755 756 /* 757 * Entry points to sadb_destroyer(). 758 */ 759 static void 760 sadb_flush(sadb_t *sp, netstack_t *ns) 761 { 762 /* 763 * Flush out each bucket, one at a time. Were it not for keysock's 764 * enforcement, there would be a subtlety where I could add on the 765 * heels of a flush. With keysock's enforcement, however, this 766 * makes ESP's job easy. 767 */ 768 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_FALSE, B_FALSE); 769 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_FALSE, B_TRUE); 770 771 /* For each acquire, destroy it; leave the bucket mutex alone. */ 772 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_FALSE, ns); 773 } 774 775 static void 776 sadb_destroy(sadb_t *sp, netstack_t *ns) 777 { 778 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_TRUE, B_FALSE); 779 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_TRUE, B_TRUE); 780 781 /* For each acquire, destroy it, including the bucket mutex. */ 782 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_TRUE, ns); 783 784 ASSERT(sp->sdb_of == NULL); 785 ASSERT(sp->sdb_if == NULL); 786 ASSERT(sp->sdb_acq == NULL); 787 } 788 789 void 790 sadbp_flush(sadbp_t *spp, netstack_t *ns) 791 { 792 sadb_flush(&spp->s_v4, ns); 793 sadb_flush(&spp->s_v6, ns); 794 } 795 796 void 797 sadbp_destroy(sadbp_t *spp, netstack_t *ns) 798 { 799 sadb_destroy(&spp->s_v4, ns); 800 sadb_destroy(&spp->s_v6, ns); 801 802 if (spp->s_satype == SADB_SATYPE_AH) { 803 ipsec_stack_t *ipss = ns->netstack_ipsec; 804 805 ip_drop_unregister(&ipss->ipsec_sadb_dropper); 806 } 807 } 808 809 810 /* 811 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g. 812 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for 813 * EINVAL. 814 */ 815 int 816 sadb_hardsoftchk(sadb_lifetime_t *hard, sadb_lifetime_t *soft, 817 sadb_lifetime_t *idle) 818 { 819 if (hard == NULL || soft == NULL) 820 return (0); 821 822 if (hard->sadb_lifetime_allocations != 0 && 823 soft->sadb_lifetime_allocations != 0 && 824 hard->sadb_lifetime_allocations < soft->sadb_lifetime_allocations) 825 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR); 826 827 if (hard->sadb_lifetime_bytes != 0 && 828 soft->sadb_lifetime_bytes != 0 && 829 hard->sadb_lifetime_bytes < soft->sadb_lifetime_bytes) 830 return (SADB_X_DIAGNOSTIC_BYTES_HSERR); 831 832 if (hard->sadb_lifetime_addtime != 0 && 833 soft->sadb_lifetime_addtime != 0 && 834 hard->sadb_lifetime_addtime < soft->sadb_lifetime_addtime) 835 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 836 837 if (hard->sadb_lifetime_usetime != 0 && 838 soft->sadb_lifetime_usetime != 0 && 839 hard->sadb_lifetime_usetime < soft->sadb_lifetime_usetime) 840 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 841 842 if (idle != NULL) { 843 if (hard->sadb_lifetime_addtime != 0 && 844 idle->sadb_lifetime_addtime != 0 && 845 hard->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) 846 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 847 848 if (soft->sadb_lifetime_addtime != 0 && 849 idle->sadb_lifetime_addtime != 0 && 850 soft->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) 851 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 852 853 if (hard->sadb_lifetime_usetime != 0 && 854 idle->sadb_lifetime_usetime != 0 && 855 hard->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) 856 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 857 858 if (soft->sadb_lifetime_usetime != 0 && 859 idle->sadb_lifetime_usetime != 0 && 860 soft->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) 861 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 862 } 863 864 return (0); 865 } 866 867 /* 868 * Sanity check sensitivity labels. 869 * 870 * For now, just reject labels on unlabeled systems. 871 */ 872 int 873 sadb_labelchk(keysock_in_t *ksi) 874 { 875 if (!is_system_labeled()) { 876 if (ksi->ks_in_extv[SADB_EXT_SENSITIVITY] != NULL) 877 return (SADB_X_DIAGNOSTIC_BAD_LABEL); 878 879 if (ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS] != NULL) 880 return (SADB_X_DIAGNOSTIC_BAD_LABEL); 881 } 882 883 return (0); 884 } 885 886 /* 887 * Clone a security association for the purposes of inserting a single SA 888 * into inbound and outbound tables respectively. This function should only 889 * be called from sadb_common_add(). 890 */ 891 static ipsa_t * 892 sadb_cloneassoc(ipsa_t *ipsa) 893 { 894 ipsa_t *newbie; 895 boolean_t error = B_FALSE; 896 897 ASSERT(MUTEX_NOT_HELD(&(ipsa->ipsa_lock))); 898 899 newbie = kmem_alloc(sizeof (ipsa_t), KM_NOSLEEP); 900 if (newbie == NULL) 901 return (NULL); 902 903 /* Copy over what we can. */ 904 *newbie = *ipsa; 905 906 /* bzero and initialize locks, in case *_init() allocates... */ 907 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 908 909 if (newbie->ipsa_tsl != NULL) 910 label_hold(newbie->ipsa_tsl); 911 912 if (newbie->ipsa_otsl != NULL) 913 label_hold(newbie->ipsa_otsl); 914 915 /* 916 * While somewhat dain-bramaged, the most graceful way to 917 * recover from errors is to keep plowing through the 918 * allocations, and getting what I can. It's easier to call 919 * sadb_freeassoc() on the stillborn clone when all the 920 * pointers aren't pointing to the parent's data. 921 */ 922 923 if (ipsa->ipsa_authkey != NULL) { 924 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 925 KM_NOSLEEP); 926 if (newbie->ipsa_authkey == NULL) { 927 error = B_TRUE; 928 } else { 929 bcopy(ipsa->ipsa_authkey, newbie->ipsa_authkey, 930 newbie->ipsa_authkeylen); 931 932 newbie->ipsa_kcfauthkey.ck_data = 933 newbie->ipsa_authkey; 934 } 935 936 if (newbie->ipsa_amech.cm_param != NULL) { 937 newbie->ipsa_amech.cm_param = 938 (char *)&newbie->ipsa_mac_len; 939 } 940 } 941 942 if (ipsa->ipsa_encrkey != NULL) { 943 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 944 KM_NOSLEEP); 945 if (newbie->ipsa_encrkey == NULL) { 946 error = B_TRUE; 947 } else { 948 bcopy(ipsa->ipsa_encrkey, newbie->ipsa_encrkey, 949 newbie->ipsa_encrkeylen); 950 951 newbie->ipsa_kcfencrkey.ck_data = 952 newbie->ipsa_encrkey; 953 } 954 } 955 956 newbie->ipsa_authtmpl = NULL; 957 newbie->ipsa_encrtmpl = NULL; 958 newbie->ipsa_haspeer = B_TRUE; 959 960 if (ipsa->ipsa_src_cid != NULL) { 961 newbie->ipsa_src_cid = ipsa->ipsa_src_cid; 962 IPSID_REFHOLD(ipsa->ipsa_src_cid); 963 } 964 965 if (ipsa->ipsa_dst_cid != NULL) { 966 newbie->ipsa_dst_cid = ipsa->ipsa_dst_cid; 967 IPSID_REFHOLD(ipsa->ipsa_dst_cid); 968 } 969 970 if (error) { 971 sadb_freeassoc(newbie); 972 return (NULL); 973 } 974 975 return (newbie); 976 } 977 978 /* 979 * Initialize a SADB address extension at the address specified by addrext. 980 * Return a pointer to the end of the new address extension. 981 */ 982 static uint8_t * 983 sadb_make_addr_ext(uint8_t *start, uint8_t *end, uint16_t exttype, 984 sa_family_t af, uint32_t *addr, uint16_t port, uint8_t proto, int prefix) 985 { 986 struct sockaddr_in *sin; 987 struct sockaddr_in6 *sin6; 988 uint8_t *cur = start; 989 int addrext_len; 990 int sin_len; 991 sadb_address_t *addrext = (sadb_address_t *)cur; 992 993 if (cur == NULL) 994 return (NULL); 995 996 cur += sizeof (*addrext); 997 if (cur > end) 998 return (NULL); 999 1000 addrext->sadb_address_proto = proto; 1001 addrext->sadb_address_prefixlen = prefix; 1002 addrext->sadb_address_reserved = 0; 1003 addrext->sadb_address_exttype = exttype; 1004 1005 switch (af) { 1006 case AF_INET: 1007 sin = (struct sockaddr_in *)cur; 1008 sin_len = sizeof (*sin); 1009 cur += sin_len; 1010 if (cur > end) 1011 return (NULL); 1012 1013 sin->sin_family = af; 1014 bzero(sin->sin_zero, sizeof (sin->sin_zero)); 1015 sin->sin_port = port; 1016 IPSA_COPY_ADDR(&sin->sin_addr, addr, af); 1017 break; 1018 case AF_INET6: 1019 sin6 = (struct sockaddr_in6 *)cur; 1020 sin_len = sizeof (*sin6); 1021 cur += sin_len; 1022 if (cur > end) 1023 return (NULL); 1024 1025 bzero(sin6, sizeof (*sin6)); 1026 sin6->sin6_family = af; 1027 sin6->sin6_port = port; 1028 IPSA_COPY_ADDR(&sin6->sin6_addr, addr, af); 1029 break; 1030 } 1031 1032 addrext_len = roundup(cur - start, sizeof (uint64_t)); 1033 addrext->sadb_address_len = SADB_8TO64(addrext_len); 1034 1035 cur = start + addrext_len; 1036 if (cur > end) 1037 cur = NULL; 1038 1039 return (cur); 1040 } 1041 1042 /* 1043 * Construct a key management cookie extension. 1044 */ 1045 1046 static uint8_t * 1047 sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint32_t kmc) 1048 { 1049 sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur; 1050 1051 if (cur == NULL) 1052 return (NULL); 1053 1054 cur += sizeof (*kmcext); 1055 1056 if (cur > end) 1057 return (NULL); 1058 1059 kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext)); 1060 kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE; 1061 kmcext->sadb_x_kmc_proto = kmp; 1062 kmcext->sadb_x_kmc_cookie = kmc; 1063 kmcext->sadb_x_kmc_reserved = 0; 1064 1065 return (cur); 1066 } 1067 1068 /* 1069 * Given an original message header with sufficient space following it, and an 1070 * SA, construct a full PF_KEY message with all of the relevant extensions. 1071 * This is mostly used for SADB_GET, and SADB_DUMP. 1072 */ 1073 static mblk_t * 1074 sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg) 1075 { 1076 int alloclen, addrsize, paddrsize, authsize, encrsize; 1077 int srcidsize, dstidsize, senslen, osenslen; 1078 sa_family_t fam, pfam; /* Address family for SADB_EXT_ADDRESS */ 1079 /* src/dst and proxy sockaddrs. */ 1080 /* 1081 * The following are pointers into the PF_KEY message this PF_KEY 1082 * message creates. 1083 */ 1084 sadb_msg_t *newsamsg; 1085 sadb_sa_t *assoc; 1086 sadb_lifetime_t *lt; 1087 sadb_key_t *key; 1088 sadb_ident_t *ident; 1089 sadb_sens_t *sens; 1090 sadb_ext_t *walker; /* For when we need a generic ext. pointer. */ 1091 sadb_x_replay_ctr_t *repl_ctr; 1092 sadb_x_pair_t *pair_ext; 1093 1094 mblk_t *mp; 1095 uint8_t *cur, *end; 1096 /* These indicate the presence of the above extension fields. */ 1097 boolean_t soft = B_FALSE, hard = B_FALSE; 1098 boolean_t isrc = B_FALSE, idst = B_FALSE; 1099 boolean_t auth = B_FALSE, encr = B_FALSE; 1100 boolean_t sensinteg = B_FALSE, osensinteg = B_FALSE; 1101 boolean_t srcid = B_FALSE, dstid = B_FALSE; 1102 boolean_t idle; 1103 boolean_t paired; 1104 uint32_t otherspi; 1105 1106 /* First off, figure out the allocation length for this message. */ 1107 /* 1108 * Constant stuff. This includes base, SA, address (src, dst), 1109 * and lifetime (current). 1110 */ 1111 alloclen = sizeof (sadb_msg_t) + sizeof (sadb_sa_t) + 1112 sizeof (sadb_lifetime_t); 1113 1114 fam = ipsa->ipsa_addrfam; 1115 switch (fam) { 1116 case AF_INET: 1117 addrsize = roundup(sizeof (struct sockaddr_in) + 1118 sizeof (sadb_address_t), sizeof (uint64_t)); 1119 break; 1120 case AF_INET6: 1121 addrsize = roundup(sizeof (struct sockaddr_in6) + 1122 sizeof (sadb_address_t), sizeof (uint64_t)); 1123 break; 1124 default: 1125 return (NULL); 1126 } 1127 /* 1128 * Allocate TWO address extensions, for source and destination. 1129 * (Thus, the * 2.) 1130 */ 1131 alloclen += addrsize * 2; 1132 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) 1133 alloclen += addrsize; 1134 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) 1135 alloclen += addrsize; 1136 1137 if (ipsa->ipsa_flags & IPSA_F_PAIRED) { 1138 paired = B_TRUE; 1139 alloclen += sizeof (sadb_x_pair_t); 1140 otherspi = ipsa->ipsa_otherspi; 1141 } else { 1142 paired = B_FALSE; 1143 } 1144 1145 /* How 'bout other lifetimes? */ 1146 if (ipsa->ipsa_softaddlt != 0 || ipsa->ipsa_softuselt != 0 || 1147 ipsa->ipsa_softbyteslt != 0 || ipsa->ipsa_softalloc != 0) { 1148 alloclen += sizeof (sadb_lifetime_t); 1149 soft = B_TRUE; 1150 } 1151 1152 if (ipsa->ipsa_hardaddlt != 0 || ipsa->ipsa_harduselt != 0 || 1153 ipsa->ipsa_hardbyteslt != 0 || ipsa->ipsa_hardalloc != 0) { 1154 alloclen += sizeof (sadb_lifetime_t); 1155 hard = B_TRUE; 1156 } 1157 1158 if (ipsa->ipsa_idleaddlt != 0 || ipsa->ipsa_idleuselt != 0) { 1159 alloclen += sizeof (sadb_lifetime_t); 1160 idle = B_TRUE; 1161 } else { 1162 idle = B_FALSE; 1163 } 1164 1165 /* Inner addresses. */ 1166 if (ipsa->ipsa_innerfam != 0) { 1167 pfam = ipsa->ipsa_innerfam; 1168 switch (pfam) { 1169 case AF_INET6: 1170 paddrsize = roundup(sizeof (struct sockaddr_in6) + 1171 sizeof (sadb_address_t), sizeof (uint64_t)); 1172 break; 1173 case AF_INET: 1174 paddrsize = roundup(sizeof (struct sockaddr_in) + 1175 sizeof (sadb_address_t), sizeof (uint64_t)); 1176 break; 1177 default: 1178 cmn_err(CE_PANIC, 1179 "IPsec SADB: Proxy length failure.\n"); 1180 break; 1181 } 1182 isrc = B_TRUE; 1183 idst = B_TRUE; 1184 alloclen += 2 * paddrsize; 1185 } 1186 1187 /* For the following fields, assume that length != 0 ==> stuff */ 1188 if (ipsa->ipsa_authkeylen != 0) { 1189 authsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_authkeylen, 1190 sizeof (uint64_t)); 1191 alloclen += authsize; 1192 auth = B_TRUE; 1193 } 1194 1195 if (ipsa->ipsa_encrkeylen != 0) { 1196 encrsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_encrkeylen + 1197 ipsa->ipsa_nonce_len, sizeof (uint64_t)); 1198 alloclen += encrsize; 1199 encr = B_TRUE; 1200 } else { 1201 encr = B_FALSE; 1202 } 1203 1204 if (ipsa->ipsa_tsl != NULL) { 1205 senslen = sadb_sens_len_from_label(ipsa->ipsa_tsl); 1206 alloclen += senslen; 1207 sensinteg = B_TRUE; 1208 } 1209 1210 if (ipsa->ipsa_otsl != NULL) { 1211 osenslen = sadb_sens_len_from_label(ipsa->ipsa_otsl); 1212 alloclen += osenslen; 1213 osensinteg = B_TRUE; 1214 } 1215 1216 /* 1217 * Must use strlen() here for lengths. Identities use NULL 1218 * pointers to indicate their nonexistence. 1219 */ 1220 if (ipsa->ipsa_src_cid != NULL) { 1221 srcidsize = roundup(sizeof (sadb_ident_t) + 1222 strlen(ipsa->ipsa_src_cid->ipsid_cid) + 1, 1223 sizeof (uint64_t)); 1224 alloclen += srcidsize; 1225 srcid = B_TRUE; 1226 } 1227 1228 if (ipsa->ipsa_dst_cid != NULL) { 1229 dstidsize = roundup(sizeof (sadb_ident_t) + 1230 strlen(ipsa->ipsa_dst_cid->ipsid_cid) + 1, 1231 sizeof (uint64_t)); 1232 alloclen += dstidsize; 1233 dstid = B_TRUE; 1234 } 1235 1236 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) 1237 alloclen += sizeof (sadb_x_kmc_t); 1238 1239 if (ipsa->ipsa_replay != 0) { 1240 alloclen += sizeof (sadb_x_replay_ctr_t); 1241 } 1242 1243 /* Make sure the allocation length is a multiple of 8 bytes. */ 1244 ASSERT((alloclen & 0x7) == 0); 1245 1246 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */ 1247 mp = allocb(alloclen, BPRI_HI); 1248 if (mp == NULL) 1249 return (NULL); 1250 bzero(mp->b_rptr, alloclen); 1251 1252 mp->b_wptr += alloclen; 1253 end = mp->b_wptr; 1254 newsamsg = (sadb_msg_t *)mp->b_rptr; 1255 *newsamsg = *samsg; 1256 newsamsg->sadb_msg_len = (uint16_t)SADB_8TO64(alloclen); 1257 1258 mutex_enter(&ipsa->ipsa_lock); /* Since I'm grabbing SA fields... */ 1259 1260 newsamsg->sadb_msg_satype = ipsa->ipsa_type; 1261 1262 assoc = (sadb_sa_t *)(newsamsg + 1); 1263 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc)); 1264 assoc->sadb_sa_exttype = SADB_EXT_SA; 1265 assoc->sadb_sa_spi = ipsa->ipsa_spi; 1266 assoc->sadb_sa_replay = ipsa->ipsa_replay_wsize; 1267 assoc->sadb_sa_state = ipsa->ipsa_state; 1268 assoc->sadb_sa_auth = ipsa->ipsa_auth_alg; 1269 assoc->sadb_sa_encrypt = ipsa->ipsa_encr_alg; 1270 assoc->sadb_sa_flags = ipsa->ipsa_flags; 1271 1272 lt = (sadb_lifetime_t *)(assoc + 1); 1273 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1274 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 1275 /* We do not support the concept. */ 1276 lt->sadb_lifetime_allocations = 0; 1277 lt->sadb_lifetime_bytes = ipsa->ipsa_bytes; 1278 lt->sadb_lifetime_addtime = ipsa->ipsa_addtime; 1279 lt->sadb_lifetime_usetime = ipsa->ipsa_usetime; 1280 1281 if (hard) { 1282 lt++; 1283 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1284 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 1285 lt->sadb_lifetime_allocations = ipsa->ipsa_hardalloc; 1286 lt->sadb_lifetime_bytes = ipsa->ipsa_hardbyteslt; 1287 lt->sadb_lifetime_addtime = ipsa->ipsa_hardaddlt; 1288 lt->sadb_lifetime_usetime = ipsa->ipsa_harduselt; 1289 } 1290 1291 if (soft) { 1292 lt++; 1293 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1294 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 1295 lt->sadb_lifetime_allocations = ipsa->ipsa_softalloc; 1296 lt->sadb_lifetime_bytes = ipsa->ipsa_softbyteslt; 1297 lt->sadb_lifetime_addtime = ipsa->ipsa_softaddlt; 1298 lt->sadb_lifetime_usetime = ipsa->ipsa_softuselt; 1299 } 1300 1301 if (idle) { 1302 lt++; 1303 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1304 lt->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE; 1305 lt->sadb_lifetime_addtime = ipsa->ipsa_idleaddlt; 1306 lt->sadb_lifetime_usetime = ipsa->ipsa_idleuselt; 1307 } 1308 1309 cur = (uint8_t *)(lt + 1); 1310 1311 /* NOTE: Don't fill in ports here if we are a tunnel-mode SA. */ 1312 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, fam, 1313 ipsa->ipsa_srcaddr, (!isrc && !idst) ? SA_SRCPORT(ipsa) : 0, 1314 SA_PROTO(ipsa), 0); 1315 if (cur == NULL) { 1316 freemsg(mp); 1317 mp = NULL; 1318 goto bail; 1319 } 1320 1321 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, fam, 1322 ipsa->ipsa_dstaddr, (!isrc && !idst) ? SA_DSTPORT(ipsa) : 0, 1323 SA_PROTO(ipsa), 0); 1324 if (cur == NULL) { 1325 freemsg(mp); 1326 mp = NULL; 1327 goto bail; 1328 } 1329 1330 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) { 1331 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_LOC, 1332 fam, &ipsa->ipsa_natt_addr_loc, ipsa->ipsa_local_nat_port, 1333 IPPROTO_UDP, 0); 1334 if (cur == NULL) { 1335 freemsg(mp); 1336 mp = NULL; 1337 goto bail; 1338 } 1339 } 1340 1341 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) { 1342 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_REM, 1343 fam, &ipsa->ipsa_natt_addr_rem, ipsa->ipsa_remote_nat_port, 1344 IPPROTO_UDP, 0); 1345 if (cur == NULL) { 1346 freemsg(mp); 1347 mp = NULL; 1348 goto bail; 1349 } 1350 } 1351 1352 /* If we are a tunnel-mode SA, fill in the inner-selectors. */ 1353 if (isrc) { 1354 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 1355 pfam, ipsa->ipsa_innersrc, SA_SRCPORT(ipsa), 1356 SA_IPROTO(ipsa), ipsa->ipsa_innersrcpfx); 1357 if (cur == NULL) { 1358 freemsg(mp); 1359 mp = NULL; 1360 goto bail; 1361 } 1362 } 1363 1364 if (idst) { 1365 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 1366 pfam, ipsa->ipsa_innerdst, SA_DSTPORT(ipsa), 1367 SA_IPROTO(ipsa), ipsa->ipsa_innerdstpfx); 1368 if (cur == NULL) { 1369 freemsg(mp); 1370 mp = NULL; 1371 goto bail; 1372 } 1373 } 1374 1375 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) { 1376 cur = sadb_make_kmc_ext(cur, end, 1377 ipsa->ipsa_kmp, ipsa->ipsa_kmc); 1378 if (cur == NULL) { 1379 freemsg(mp); 1380 mp = NULL; 1381 goto bail; 1382 } 1383 } 1384 1385 walker = (sadb_ext_t *)cur; 1386 if (auth) { 1387 key = (sadb_key_t *)walker; 1388 key->sadb_key_len = SADB_8TO64(authsize); 1389 key->sadb_key_exttype = SADB_EXT_KEY_AUTH; 1390 key->sadb_key_bits = ipsa->ipsa_authkeybits; 1391 key->sadb_key_reserved = 0; 1392 bcopy(ipsa->ipsa_authkey, key + 1, ipsa->ipsa_authkeylen); 1393 walker = (sadb_ext_t *)((uint64_t *)walker + 1394 walker->sadb_ext_len); 1395 } 1396 1397 if (encr) { 1398 uint8_t *buf_ptr; 1399 key = (sadb_key_t *)walker; 1400 key->sadb_key_len = SADB_8TO64(encrsize); 1401 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 1402 key->sadb_key_bits = ipsa->ipsa_encrkeybits; 1403 key->sadb_key_reserved = ipsa->ipsa_saltbits; 1404 buf_ptr = (uint8_t *)(key + 1); 1405 bcopy(ipsa->ipsa_encrkey, buf_ptr, ipsa->ipsa_encrkeylen); 1406 if (ipsa->ipsa_salt != NULL) { 1407 buf_ptr += ipsa->ipsa_encrkeylen; 1408 bcopy(ipsa->ipsa_salt, buf_ptr, ipsa->ipsa_saltlen); 1409 } 1410 walker = (sadb_ext_t *)((uint64_t *)walker + 1411 walker->sadb_ext_len); 1412 } 1413 1414 if (srcid) { 1415 ident = (sadb_ident_t *)walker; 1416 ident->sadb_ident_len = SADB_8TO64(srcidsize); 1417 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 1418 ident->sadb_ident_type = ipsa->ipsa_src_cid->ipsid_type; 1419 ident->sadb_ident_id = 0; 1420 ident->sadb_ident_reserved = 0; 1421 (void) strcpy((char *)(ident + 1), 1422 ipsa->ipsa_src_cid->ipsid_cid); 1423 walker = (sadb_ext_t *)((uint64_t *)walker + 1424 walker->sadb_ext_len); 1425 } 1426 1427 if (dstid) { 1428 ident = (sadb_ident_t *)walker; 1429 ident->sadb_ident_len = SADB_8TO64(dstidsize); 1430 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 1431 ident->sadb_ident_type = ipsa->ipsa_dst_cid->ipsid_type; 1432 ident->sadb_ident_id = 0; 1433 ident->sadb_ident_reserved = 0; 1434 (void) strcpy((char *)(ident + 1), 1435 ipsa->ipsa_dst_cid->ipsid_cid); 1436 walker = (sadb_ext_t *)((uint64_t *)walker + 1437 walker->sadb_ext_len); 1438 } 1439 1440 if (sensinteg) { 1441 sens = (sadb_sens_t *)walker; 1442 sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY, 1443 ipsa->ipsa_tsl, senslen); 1444 1445 walker = (sadb_ext_t *)((uint64_t *)walker + 1446 walker->sadb_ext_len); 1447 } 1448 1449 if (osensinteg) { 1450 sens = (sadb_sens_t *)walker; 1451 1452 sadb_sens_from_label(sens, SADB_X_EXT_OUTER_SENS, 1453 ipsa->ipsa_otsl, osenslen); 1454 if (ipsa->ipsa_mac_exempt) 1455 sens->sadb_x_sens_flags = SADB_X_SENS_IMPLICIT; 1456 1457 walker = (sadb_ext_t *)((uint64_t *)walker + 1458 walker->sadb_ext_len); 1459 } 1460 1461 if (paired) { 1462 pair_ext = (sadb_x_pair_t *)walker; 1463 1464 pair_ext->sadb_x_pair_len = SADB_8TO64(sizeof (sadb_x_pair_t)); 1465 pair_ext->sadb_x_pair_exttype = SADB_X_EXT_PAIR; 1466 pair_ext->sadb_x_pair_spi = otherspi; 1467 1468 walker = (sadb_ext_t *)((uint64_t *)walker + 1469 walker->sadb_ext_len); 1470 } 1471 1472 if (ipsa->ipsa_replay != 0) { 1473 repl_ctr = (sadb_x_replay_ctr_t *)walker; 1474 repl_ctr->sadb_x_rc_len = SADB_8TO64(sizeof (*repl_ctr)); 1475 repl_ctr->sadb_x_rc_exttype = SADB_X_EXT_REPLAY_VALUE; 1476 repl_ctr->sadb_x_rc_replay32 = ipsa->ipsa_replay; 1477 repl_ctr->sadb_x_rc_replay64 = 0; 1478 walker = (sadb_ext_t *)(repl_ctr + 1); 1479 } 1480 1481 bail: 1482 /* Pardon any delays... */ 1483 mutex_exit(&ipsa->ipsa_lock); 1484 1485 return (mp); 1486 } 1487 1488 /* 1489 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN) 1490 * and adjust base message accordingly. 1491 * 1492 * Assume message is pulled up in one piece of contiguous memory. 1493 * 1494 * Say if we start off with: 1495 * 1496 * +------+----+-------------+-----------+---------------+---------------+ 1497 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime | 1498 * +------+----+-------------+-----------+---------------+---------------+ 1499 * 1500 * we will end up with 1501 * 1502 * +------+----+-------------+-----------+---------------+ 1503 * | base | SA | source addr | dest addr | soft lifetime | 1504 * +------+----+-------------+-----------+---------------+ 1505 */ 1506 static void 1507 sadb_strip(sadb_msg_t *samsg) 1508 { 1509 sadb_ext_t *ext; 1510 uint8_t *target = NULL; 1511 uint8_t *msgend; 1512 int sofar = SADB_8TO64(sizeof (*samsg)); 1513 int copylen; 1514 1515 ext = (sadb_ext_t *)(samsg + 1); 1516 msgend = (uint8_t *)samsg; 1517 msgend += SADB_64TO8(samsg->sadb_msg_len); 1518 while ((uint8_t *)ext < msgend) { 1519 if (ext->sadb_ext_type == SADB_EXT_RESERVED || 1520 ext->sadb_ext_type == SADB_EXT_KEY_AUTH || 1521 ext->sadb_ext_type == SADB_X_EXT_EDUMP || 1522 ext->sadb_ext_type == SADB_EXT_KEY_ENCRYPT) { 1523 /* 1524 * Aha! I found a header to be erased. 1525 */ 1526 1527 if (target != NULL) { 1528 /* 1529 * If I had a previous header to be erased, 1530 * copy over it. I can get away with just 1531 * copying backwards because the target will 1532 * always be 8 bytes behind the source. 1533 */ 1534 copylen = ((uint8_t *)ext) - (target + 1535 SADB_64TO8( 1536 ((sadb_ext_t *)target)->sadb_ext_len)); 1537 ovbcopy(((uint8_t *)ext - copylen), target, 1538 copylen); 1539 target += copylen; 1540 ((sadb_ext_t *)target)->sadb_ext_len = 1541 SADB_8TO64(((uint8_t *)ext) - target + 1542 SADB_64TO8(ext->sadb_ext_len)); 1543 } else { 1544 target = (uint8_t *)ext; 1545 } 1546 } else { 1547 sofar += ext->sadb_ext_len; 1548 } 1549 1550 ext = (sadb_ext_t *)(((uint64_t *)ext) + ext->sadb_ext_len); 1551 } 1552 1553 ASSERT((uint8_t *)ext == msgend); 1554 1555 if (target != NULL) { 1556 copylen = ((uint8_t *)ext) - (target + 1557 SADB_64TO8(((sadb_ext_t *)target)->sadb_ext_len)); 1558 if (copylen != 0) 1559 ovbcopy(((uint8_t *)ext - copylen), target, copylen); 1560 } 1561 1562 /* Adjust samsg. */ 1563 samsg->sadb_msg_len = (uint16_t)sofar; 1564 1565 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */ 1566 } 1567 1568 /* 1569 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL 1570 * followed by an M_DATA with a PF_KEY message in it. The serial of 1571 * the sending keysock instance is included. 1572 */ 1573 void 1574 sadb_pfkey_error(queue_t *pfkey_q, mblk_t *mp, int error, int diagnostic, 1575 uint_t serial) 1576 { 1577 mblk_t *msg = mp->b_cont; 1578 sadb_msg_t *samsg; 1579 keysock_out_t *kso; 1580 1581 /* 1582 * Enough functions call this to merit a NULL queue check. 1583 */ 1584 if (pfkey_q == NULL) { 1585 freemsg(mp); 1586 return; 1587 } 1588 1589 ASSERT(msg != NULL); 1590 ASSERT((mp->b_wptr - mp->b_rptr) == sizeof (ipsec_info_t)); 1591 ASSERT((msg->b_wptr - msg->b_rptr) >= sizeof (sadb_msg_t)); 1592 samsg = (sadb_msg_t *)msg->b_rptr; 1593 kso = (keysock_out_t *)mp->b_rptr; 1594 1595 kso->ks_out_type = KEYSOCK_OUT; 1596 kso->ks_out_len = sizeof (*kso); 1597 kso->ks_out_serial = serial; 1598 1599 /* 1600 * Only send the base message up in the event of an error. 1601 * Don't worry about bzero()-ing, because it was probably bogus 1602 * anyway. 1603 */ 1604 msg->b_wptr = msg->b_rptr + sizeof (*samsg); 1605 samsg = (sadb_msg_t *)msg->b_rptr; 1606 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 1607 samsg->sadb_msg_errno = (uint8_t)error; 1608 if (diagnostic != SADB_X_DIAGNOSTIC_PRESET) 1609 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 1610 1611 putnext(pfkey_q, mp); 1612 } 1613 1614 /* 1615 * Send a successful return packet back to keysock via the queue in pfkey_q. 1616 * 1617 * Often, an SA is associated with the reply message, it's passed in if needed, 1618 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held, 1619 * and the caller will release said refcnt. 1620 */ 1621 void 1622 sadb_pfkey_echo(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 1623 keysock_in_t *ksi, ipsa_t *ipsa) 1624 { 1625 keysock_out_t *kso; 1626 mblk_t *mp1; 1627 sadb_msg_t *newsamsg; 1628 uint8_t *oldend; 1629 1630 ASSERT((mp->b_cont != NULL) && 1631 ((void *)samsg == (void *)mp->b_cont->b_rptr) && 1632 ((void *)mp->b_rptr == (void *)ksi)); 1633 1634 switch (samsg->sadb_msg_type) { 1635 case SADB_ADD: 1636 case SADB_UPDATE: 1637 case SADB_X_UPDATEPAIR: 1638 case SADB_X_DELPAIR_STATE: 1639 case SADB_FLUSH: 1640 case SADB_DUMP: 1641 /* 1642 * I have all of the message already. I just need to strip 1643 * out the keying material and echo the message back. 1644 * 1645 * NOTE: for SADB_DUMP, the function sadb_dump() did the 1646 * work. When DUMP reaches here, it should only be a base 1647 * message. 1648 */ 1649 justecho: 1650 if (ksi->ks_in_extv[SADB_EXT_KEY_AUTH] != NULL || 1651 ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT] != NULL || 1652 ksi->ks_in_extv[SADB_X_EXT_EDUMP] != NULL) { 1653 sadb_strip(samsg); 1654 /* Assume PF_KEY message is contiguous. */ 1655 ASSERT(mp->b_cont->b_cont == NULL); 1656 oldend = mp->b_cont->b_wptr; 1657 mp->b_cont->b_wptr = mp->b_cont->b_rptr + 1658 SADB_64TO8(samsg->sadb_msg_len); 1659 bzero(mp->b_cont->b_wptr, oldend - mp->b_cont->b_wptr); 1660 } 1661 break; 1662 case SADB_GET: 1663 /* 1664 * Do a lot of work here, because of the ipsa I just found. 1665 * First construct the new PF_KEY message, then abandon 1666 * the old one. 1667 */ 1668 mp1 = sadb_sa2msg(ipsa, samsg); 1669 if (mp1 == NULL) { 1670 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 1671 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 1672 return; 1673 } 1674 freemsg(mp->b_cont); 1675 mp->b_cont = mp1; 1676 break; 1677 case SADB_DELETE: 1678 case SADB_X_DELPAIR: 1679 if (ipsa == NULL) 1680 goto justecho; 1681 /* 1682 * Because listening KMds may require more info, treat 1683 * DELETE like a special case of GET. 1684 */ 1685 mp1 = sadb_sa2msg(ipsa, samsg); 1686 if (mp1 == NULL) { 1687 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 1688 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 1689 return; 1690 } 1691 newsamsg = (sadb_msg_t *)mp1->b_rptr; 1692 sadb_strip(newsamsg); 1693 oldend = mp1->b_wptr; 1694 mp1->b_wptr = mp1->b_rptr + SADB_64TO8(newsamsg->sadb_msg_len); 1695 bzero(mp1->b_wptr, oldend - mp1->b_wptr); 1696 freemsg(mp->b_cont); 1697 mp->b_cont = mp1; 1698 break; 1699 default: 1700 if (mp != NULL) 1701 freemsg(mp); 1702 return; 1703 } 1704 1705 /* ksi is now null and void. */ 1706 kso = (keysock_out_t *)ksi; 1707 kso->ks_out_type = KEYSOCK_OUT; 1708 kso->ks_out_len = sizeof (*kso); 1709 kso->ks_out_serial = ksi->ks_in_serial; 1710 /* We're ready to send... */ 1711 putnext(pfkey_q, mp); 1712 } 1713 1714 /* 1715 * Set up a global pfkey_q instance for AH, ESP, or some other consumer. 1716 */ 1717 void 1718 sadb_keysock_hello(queue_t **pfkey_qp, queue_t *q, mblk_t *mp, 1719 void (*ager)(void *), void *agerarg, timeout_id_t *top, int satype) 1720 { 1721 keysock_hello_ack_t *kha; 1722 queue_t *oldq; 1723 1724 ASSERT(OTHERQ(q) != NULL); 1725 1726 /* 1727 * First, check atomically that I'm the first and only keysock 1728 * instance. 1729 * 1730 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp), 1731 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY 1732 * messages. 1733 */ 1734 1735 oldq = atomic_cas_ptr((void **)pfkey_qp, NULL, OTHERQ(q)); 1736 if (oldq != NULL) { 1737 ASSERT(oldq != q); 1738 cmn_err(CE_WARN, "Danger! Multiple keysocks on top of %s.\n", 1739 (satype == SADB_SATYPE_ESP)? "ESP" : "AH or other"); 1740 freemsg(mp); 1741 return; 1742 } 1743 1744 kha = (keysock_hello_ack_t *)mp->b_rptr; 1745 kha->ks_hello_len = sizeof (keysock_hello_ack_t); 1746 kha->ks_hello_type = KEYSOCK_HELLO_ACK; 1747 kha->ks_hello_satype = (uint8_t)satype; 1748 1749 /* 1750 * If we made it past the atomic_cas_ptr, then we have "exclusive" 1751 * access to the timeout handle. Fire it off after the default ager 1752 * interval. 1753 */ 1754 *top = qtimeout(*pfkey_qp, ager, agerarg, 1755 drv_usectohz(SADB_AGE_INTERVAL_DEFAULT * 1000)); 1756 1757 putnext(*pfkey_qp, mp); 1758 } 1759 1760 /* 1761 * Normalize IPv4-mapped IPv6 addresses (and prefixes) as appropriate. 1762 * 1763 * Check addresses themselves for wildcard or multicast. 1764 * Check ire table for local/non-local/broadcast. 1765 */ 1766 int 1767 sadb_addrcheck(queue_t *pfkey_q, mblk_t *mp, sadb_ext_t *ext, uint_t serial, 1768 netstack_t *ns) 1769 { 1770 sadb_address_t *addr = (sadb_address_t *)ext; 1771 struct sockaddr_in *sin; 1772 struct sockaddr_in6 *sin6; 1773 int diagnostic, type; 1774 boolean_t normalized = B_FALSE; 1775 1776 ASSERT(ext != NULL); 1777 ASSERT((ext->sadb_ext_type == SADB_EXT_ADDRESS_SRC) || 1778 (ext->sadb_ext_type == SADB_EXT_ADDRESS_DST) || 1779 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) || 1780 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) || 1781 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_LOC) || 1782 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_REM)); 1783 1784 /* Assign both sockaddrs, the compiler will do the right thing. */ 1785 sin = (struct sockaddr_in *)(addr + 1); 1786 sin6 = (struct sockaddr_in6 *)(addr + 1); 1787 1788 if (sin6->sin6_family == AF_INET6) { 1789 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { 1790 /* 1791 * Convert to an AF_INET sockaddr. This means the 1792 * return messages will have the extra space, but have 1793 * AF_INET sockaddrs instead of AF_INET6. 1794 * 1795 * Yes, RFC 2367 isn't clear on what to do here w.r.t. 1796 * mapped addresses, but since AF_INET6 ::ffff:<v4> is 1797 * equal to AF_INET <v4>, it shouldnt be a huge 1798 * problem. 1799 */ 1800 sin->sin_family = AF_INET; 1801 IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, 1802 &sin->sin_addr); 1803 bzero(&sin->sin_zero, sizeof (sin->sin_zero)); 1804 normalized = B_TRUE; 1805 } 1806 } else if (sin->sin_family != AF_INET) { 1807 switch (ext->sadb_ext_type) { 1808 case SADB_EXT_ADDRESS_SRC: 1809 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC_AF; 1810 break; 1811 case SADB_EXT_ADDRESS_DST: 1812 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 1813 break; 1814 case SADB_X_EXT_ADDRESS_INNER_SRC: 1815 diagnostic = SADB_X_DIAGNOSTIC_BAD_PROXY_AF; 1816 break; 1817 case SADB_X_EXT_ADDRESS_INNER_DST: 1818 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF; 1819 break; 1820 case SADB_X_EXT_ADDRESS_NATT_LOC: 1821 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF; 1822 break; 1823 case SADB_X_EXT_ADDRESS_NATT_REM: 1824 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF; 1825 break; 1826 /* There is no default, see above ASSERT. */ 1827 } 1828 bail: 1829 if (pfkey_q != NULL) { 1830 sadb_pfkey_error(pfkey_q, mp, EINVAL, diagnostic, 1831 serial); 1832 } else { 1833 /* 1834 * Scribble in sadb_msg that we got passed in. 1835 * Overload "mp" to be an sadb_msg pointer. 1836 */ 1837 sadb_msg_t *samsg = (sadb_msg_t *)mp; 1838 1839 samsg->sadb_msg_errno = EINVAL; 1840 samsg->sadb_x_msg_diagnostic = diagnostic; 1841 } 1842 return (KS_IN_ADDR_UNKNOWN); 1843 } 1844 1845 if (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC || 1846 ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) { 1847 /* 1848 * We need only check for prefix issues. 1849 */ 1850 1851 /* Set diagnostic now, in case we need it later. */ 1852 diagnostic = 1853 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) ? 1854 SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC : 1855 SADB_X_DIAGNOSTIC_PREFIX_INNER_DST; 1856 1857 if (normalized) 1858 addr->sadb_address_prefixlen -= 96; 1859 1860 /* 1861 * Verify and mask out inner-addresses based on prefix length. 1862 */ 1863 if (sin->sin_family == AF_INET) { 1864 if (addr->sadb_address_prefixlen > 32) 1865 goto bail; 1866 sin->sin_addr.s_addr &= 1867 ip_plen_to_mask(addr->sadb_address_prefixlen); 1868 } else { 1869 in6_addr_t mask; 1870 1871 ASSERT(sin->sin_family == AF_INET6); 1872 /* 1873 * ip_plen_to_mask_v6() returns NULL if the value in 1874 * question is out of range. 1875 */ 1876 if (ip_plen_to_mask_v6(addr->sadb_address_prefixlen, 1877 &mask) == NULL) 1878 goto bail; 1879 sin6->sin6_addr.s6_addr32[0] &= mask.s6_addr32[0]; 1880 sin6->sin6_addr.s6_addr32[1] &= mask.s6_addr32[1]; 1881 sin6->sin6_addr.s6_addr32[2] &= mask.s6_addr32[2]; 1882 sin6->sin6_addr.s6_addr32[3] &= mask.s6_addr32[3]; 1883 } 1884 1885 /* We don't care in these cases. */ 1886 return (KS_IN_ADDR_DONTCARE); 1887 } 1888 1889 if (sin->sin_family == AF_INET6) { 1890 /* Check the easy ones now. */ 1891 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) 1892 return (KS_IN_ADDR_MBCAST); 1893 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) 1894 return (KS_IN_ADDR_UNSPEC); 1895 /* 1896 * At this point, we're a unicast IPv6 address. 1897 * 1898 * XXX Zones alert -> me/notme decision needs to be tempered 1899 * by what zone we're in when we go to zone-aware IPsec. 1900 */ 1901 if (ip_type_v6(&sin6->sin6_addr, ns->netstack_ip) == 1902 IRE_LOCAL) { 1903 /* Hey hey, it's local. */ 1904 return (KS_IN_ADDR_ME); 1905 } 1906 } else { 1907 ASSERT(sin->sin_family == AF_INET); 1908 if (sin->sin_addr.s_addr == INADDR_ANY) 1909 return (KS_IN_ADDR_UNSPEC); 1910 if (CLASSD(sin->sin_addr.s_addr)) 1911 return (KS_IN_ADDR_MBCAST); 1912 /* 1913 * At this point we're a unicast or broadcast IPv4 address. 1914 * 1915 * Check if the address is IRE_BROADCAST or IRE_LOCAL. 1916 * 1917 * XXX Zones alert -> me/notme decision needs to be tempered 1918 * by what zone we're in when we go to zone-aware IPsec. 1919 */ 1920 type = ip_type_v4(sin->sin_addr.s_addr, ns->netstack_ip); 1921 switch (type) { 1922 case IRE_LOCAL: 1923 return (KS_IN_ADDR_ME); 1924 case IRE_BROADCAST: 1925 return (KS_IN_ADDR_MBCAST); 1926 } 1927 } 1928 1929 return (KS_IN_ADDR_NOTME); 1930 } 1931 1932 /* 1933 * Address normalizations and reality checks for inbound PF_KEY messages. 1934 * 1935 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert 1936 * the source to AF_INET. Do the same for the inner sources. 1937 */ 1938 boolean_t 1939 sadb_addrfix(keysock_in_t *ksi, queue_t *pfkey_q, mblk_t *mp, netstack_t *ns) 1940 { 1941 struct sockaddr_in *src, *isrc; 1942 struct sockaddr_in6 *dst, *idst; 1943 sadb_address_t *srcext, *dstext; 1944 uint16_t sport; 1945 sadb_ext_t **extv = ksi->ks_in_extv; 1946 int rc; 1947 1948 if (extv[SADB_EXT_ADDRESS_SRC] != NULL) { 1949 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_SRC], 1950 ksi->ks_in_serial, ns); 1951 if (rc == KS_IN_ADDR_UNKNOWN) 1952 return (B_FALSE); 1953 if (rc == KS_IN_ADDR_MBCAST) { 1954 sadb_pfkey_error(pfkey_q, mp, EINVAL, 1955 SADB_X_DIAGNOSTIC_BAD_SRC, ksi->ks_in_serial); 1956 return (B_FALSE); 1957 } 1958 ksi->ks_in_srctype = rc; 1959 } 1960 1961 if (extv[SADB_EXT_ADDRESS_DST] != NULL) { 1962 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_DST], 1963 ksi->ks_in_serial, ns); 1964 if (rc == KS_IN_ADDR_UNKNOWN) 1965 return (B_FALSE); 1966 if (rc == KS_IN_ADDR_UNSPEC) { 1967 sadb_pfkey_error(pfkey_q, mp, EINVAL, 1968 SADB_X_DIAGNOSTIC_BAD_DST, ksi->ks_in_serial); 1969 return (B_FALSE); 1970 } 1971 ksi->ks_in_dsttype = rc; 1972 } 1973 1974 /* 1975 * NAT-Traversal addrs are simple enough to not require all of 1976 * the checks in sadb_addrcheck(). Just normalize or reject if not 1977 * AF_INET. 1978 */ 1979 if (extv[SADB_X_EXT_ADDRESS_NATT_LOC] != NULL) { 1980 rc = sadb_addrcheck(pfkey_q, mp, 1981 extv[SADB_X_EXT_ADDRESS_NATT_LOC], ksi->ks_in_serial, ns); 1982 1983 /* 1984 * Local NAT-T addresses never use an IRE_LOCAL, so it should 1985 * always be NOTME, or UNSPEC (to handle both tunnel mode 1986 * AND local-port flexibility). 1987 */ 1988 if (rc != KS_IN_ADDR_NOTME && rc != KS_IN_ADDR_UNSPEC) { 1989 sadb_pfkey_error(pfkey_q, mp, EINVAL, 1990 SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC, 1991 ksi->ks_in_serial); 1992 return (B_FALSE); 1993 } 1994 src = (struct sockaddr_in *) 1995 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_LOC]) + 1); 1996 if (src->sin_family != AF_INET) { 1997 sadb_pfkey_error(pfkey_q, mp, EINVAL, 1998 SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF, 1999 ksi->ks_in_serial); 2000 return (B_FALSE); 2001 } 2002 } 2003 2004 if (extv[SADB_X_EXT_ADDRESS_NATT_REM] != NULL) { 2005 rc = sadb_addrcheck(pfkey_q, mp, 2006 extv[SADB_X_EXT_ADDRESS_NATT_REM], ksi->ks_in_serial, ns); 2007 2008 /* 2009 * Remote NAT-T addresses never use an IRE_LOCAL, so it should 2010 * always be NOTME, or UNSPEC if it's a tunnel-mode SA. 2011 */ 2012 if (rc != KS_IN_ADDR_NOTME && 2013 !(extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL && 2014 rc == KS_IN_ADDR_UNSPEC)) { 2015 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2016 SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM, 2017 ksi->ks_in_serial); 2018 return (B_FALSE); 2019 } 2020 src = (struct sockaddr_in *) 2021 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_REM]) + 1); 2022 if (src->sin_family != AF_INET) { 2023 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2024 SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF, 2025 ksi->ks_in_serial); 2026 return (B_FALSE); 2027 } 2028 } 2029 2030 if (extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL) { 2031 if (extv[SADB_X_EXT_ADDRESS_INNER_DST] == NULL) { 2032 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2033 SADB_X_DIAGNOSTIC_MISSING_INNER_DST, 2034 ksi->ks_in_serial); 2035 return (B_FALSE); 2036 } 2037 2038 if (sadb_addrcheck(pfkey_q, mp, 2039 extv[SADB_X_EXT_ADDRESS_INNER_DST], ksi->ks_in_serial, ns) 2040 == KS_IN_ADDR_UNKNOWN || 2041 sadb_addrcheck(pfkey_q, mp, 2042 extv[SADB_X_EXT_ADDRESS_INNER_SRC], ksi->ks_in_serial, ns) 2043 == KS_IN_ADDR_UNKNOWN) 2044 return (B_FALSE); 2045 2046 isrc = (struct sockaddr_in *) 2047 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC]) + 2048 1); 2049 idst = (struct sockaddr_in6 *) 2050 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]) + 2051 1); 2052 if (isrc->sin_family != idst->sin6_family) { 2053 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2054 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH, 2055 ksi->ks_in_serial); 2056 return (B_FALSE); 2057 } 2058 } else if (extv[SADB_X_EXT_ADDRESS_INNER_DST] != NULL) { 2059 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2060 SADB_X_DIAGNOSTIC_MISSING_INNER_SRC, 2061 ksi->ks_in_serial); 2062 return (B_FALSE); 2063 } else { 2064 isrc = NULL; /* For inner/outer port check below. */ 2065 } 2066 2067 dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST]; 2068 srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC]; 2069 2070 if (dstext == NULL || srcext == NULL) 2071 return (B_TRUE); 2072 2073 dst = (struct sockaddr_in6 *)(dstext + 1); 2074 src = (struct sockaddr_in *)(srcext + 1); 2075 2076 if (isrc != NULL && 2077 (isrc->sin_port != 0 || idst->sin6_port != 0) && 2078 (src->sin_port != 0 || dst->sin6_port != 0)) { 2079 /* Can't set inner and outer ports in one SA. */ 2080 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2081 SADB_X_DIAGNOSTIC_DUAL_PORT_SETS, 2082 ksi->ks_in_serial); 2083 return (B_FALSE); 2084 } 2085 2086 if (dst->sin6_family == src->sin_family) 2087 return (B_TRUE); 2088 2089 if (srcext->sadb_address_proto != dstext->sadb_address_proto) { 2090 if (srcext->sadb_address_proto == 0) { 2091 srcext->sadb_address_proto = dstext->sadb_address_proto; 2092 } else if (dstext->sadb_address_proto == 0) { 2093 dstext->sadb_address_proto = srcext->sadb_address_proto; 2094 } else { 2095 /* Inequal protocols, neither were 0. Report error. */ 2096 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2097 SADB_X_DIAGNOSTIC_PROTO_MISMATCH, 2098 ksi->ks_in_serial); 2099 return (B_FALSE); 2100 } 2101 } 2102 2103 /* 2104 * With the exception of an unspec IPv6 source and an IPv4 2105 * destination, address families MUST me matched. 2106 */ 2107 if (src->sin_family == AF_INET || 2108 ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) { 2109 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2110 SADB_X_DIAGNOSTIC_AF_MISMATCH, ksi->ks_in_serial); 2111 return (B_FALSE); 2112 } 2113 2114 /* 2115 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being 2116 * in the same place for sockaddr_in and sockaddr_in6. 2117 */ 2118 sport = src->sin_port; 2119 bzero(src, sizeof (*src)); 2120 src->sin_family = AF_INET; 2121 src->sin_port = sport; 2122 2123 return (B_TRUE); 2124 } 2125 2126 /* 2127 * Set the results in "addrtype", given an IRE as requested by 2128 * sadb_addrcheck(). 2129 */ 2130 int 2131 sadb_addrset(ire_t *ire) 2132 { 2133 if ((ire->ire_type & IRE_BROADCAST) || 2134 (ire->ire_ipversion == IPV4_VERSION && CLASSD(ire->ire_addr)) || 2135 (ire->ire_ipversion == IPV6_VERSION && 2136 IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6)))) 2137 return (KS_IN_ADDR_MBCAST); 2138 if (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) 2139 return (KS_IN_ADDR_ME); 2140 return (KS_IN_ADDR_NOTME); 2141 } 2142 2143 /* 2144 * Match primitives.. 2145 * !!! TODO: short term: inner selectors 2146 * ipv6 scope id (ifindex) 2147 * longer term: zone id. sensitivity label. uid. 2148 */ 2149 boolean_t 2150 sadb_match_spi(ipsa_query_t *sq, ipsa_t *sa) 2151 { 2152 return (sq->spi == sa->ipsa_spi); 2153 } 2154 2155 boolean_t 2156 sadb_match_dst_v6(ipsa_query_t *sq, ipsa_t *sa) 2157 { 2158 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_dstaddr, sq->dstaddr, AF_INET6)); 2159 } 2160 2161 boolean_t 2162 sadb_match_src_v6(ipsa_query_t *sq, ipsa_t *sa) 2163 { 2164 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_srcaddr, sq->srcaddr, AF_INET6)); 2165 } 2166 2167 boolean_t 2168 sadb_match_dst_v4(ipsa_query_t *sq, ipsa_t *sa) 2169 { 2170 return (sq->dstaddr[0] == sa->ipsa_dstaddr[0]); 2171 } 2172 2173 boolean_t 2174 sadb_match_src_v4(ipsa_query_t *sq, ipsa_t *sa) 2175 { 2176 return (sq->srcaddr[0] == sa->ipsa_srcaddr[0]); 2177 } 2178 2179 boolean_t 2180 sadb_match_dstid(ipsa_query_t *sq, ipsa_t *sa) 2181 { 2182 return ((sa->ipsa_dst_cid != NULL) && 2183 (sq->didtype == sa->ipsa_dst_cid->ipsid_type) && 2184 (strcmp(sq->didstr, sa->ipsa_dst_cid->ipsid_cid) == 0)); 2185 2186 } 2187 boolean_t 2188 sadb_match_srcid(ipsa_query_t *sq, ipsa_t *sa) 2189 { 2190 return ((sa->ipsa_src_cid != NULL) && 2191 (sq->sidtype == sa->ipsa_src_cid->ipsid_type) && 2192 (strcmp(sq->sidstr, sa->ipsa_src_cid->ipsid_cid) == 0)); 2193 } 2194 2195 boolean_t 2196 sadb_match_kmc(ipsa_query_t *sq, ipsa_t *sa) 2197 { 2198 #define M(a, b) (((a) == 0) || ((b) == 0) || ((a) == (b))) 2199 2200 return (M(sq->kmc, sa->ipsa_kmc) && M(sq->kmp, sa->ipsa_kmp)); 2201 2202 #undef M 2203 } 2204 2205 /* 2206 * Common function which extracts several PF_KEY extensions for ease of 2207 * SADB matching. 2208 * 2209 * XXX TODO: weed out ipsa_query_t fields not used during matching 2210 * or afterwards? 2211 */ 2212 int 2213 sadb_form_query(keysock_in_t *ksi, uint32_t req, uint32_t match, 2214 ipsa_query_t *sq, int *diagnostic) 2215 { 2216 int i; 2217 ipsa_match_fn_t *mfpp = &(sq->matchers[0]); 2218 2219 for (i = 0; i < IPSA_NMATCH; i++) 2220 sq->matchers[i] = NULL; 2221 2222 ASSERT((req & ~match) == 0); 2223 2224 sq->req = req; 2225 sq->dstext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2226 sq->srcext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2227 sq->assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2228 2229 if ((req & IPSA_Q_DST) && (sq->dstext == NULL)) { 2230 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 2231 return (EINVAL); 2232 } 2233 if ((req & IPSA_Q_SRC) && (sq->srcext == NULL)) { 2234 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 2235 return (EINVAL); 2236 } 2237 if ((req & IPSA_Q_SA) && (sq->assoc == NULL)) { 2238 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 2239 return (EINVAL); 2240 } 2241 2242 if (match & IPSA_Q_SA) { 2243 *mfpp++ = sadb_match_spi; 2244 sq->spi = sq->assoc->sadb_sa_spi; 2245 } 2246 2247 if (sq->dstext != NULL) 2248 sq->dst = (struct sockaddr_in *)(sq->dstext + 1); 2249 else { 2250 sq->dst = NULL; 2251 sq->dst6 = NULL; 2252 sq->dstaddr = NULL; 2253 } 2254 2255 if (sq->srcext != NULL) 2256 sq->src = (struct sockaddr_in *)(sq->srcext + 1); 2257 else { 2258 sq->src = NULL; 2259 sq->src6 = NULL; 2260 sq->srcaddr = NULL; 2261 } 2262 2263 if (sq->dst != NULL) 2264 sq->af = sq->dst->sin_family; 2265 else if (sq->src != NULL) 2266 sq->af = sq->src->sin_family; 2267 else 2268 sq->af = AF_INET; 2269 2270 if (sq->af == AF_INET6) { 2271 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) { 2272 *mfpp++ = sadb_match_dst_v6; 2273 sq->dst6 = (struct sockaddr_in6 *)sq->dst; 2274 sq->dstaddr = (uint32_t *)&(sq->dst6->sin6_addr); 2275 } else { 2276 match &= ~IPSA_Q_DST; 2277 sq->dstaddr = ALL_ZEROES_PTR; 2278 } 2279 2280 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) { 2281 sq->src6 = (struct sockaddr_in6 *)(sq->srcext + 1); 2282 sq->srcaddr = (uint32_t *)&sq->src6->sin6_addr; 2283 if (sq->src6->sin6_family != AF_INET6) { 2284 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2285 return (EINVAL); 2286 } 2287 *mfpp++ = sadb_match_src_v6; 2288 } else { 2289 match &= ~IPSA_Q_SRC; 2290 sq->srcaddr = ALL_ZEROES_PTR; 2291 } 2292 } else { 2293 sq->src6 = sq->dst6 = NULL; 2294 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) { 2295 *mfpp++ = sadb_match_dst_v4; 2296 sq->dstaddr = (uint32_t *)&sq->dst->sin_addr; 2297 } else { 2298 match &= ~IPSA_Q_DST; 2299 sq->dstaddr = ALL_ZEROES_PTR; 2300 } 2301 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) { 2302 sq->srcaddr = (uint32_t *)&sq->src->sin_addr; 2303 if (sq->src->sin_family != AF_INET) { 2304 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2305 return (EINVAL); 2306 } 2307 *mfpp++ = sadb_match_src_v4; 2308 } else { 2309 match &= ~IPSA_Q_SRC; 2310 sq->srcaddr = ALL_ZEROES_PTR; 2311 } 2312 } 2313 2314 sq->dstid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 2315 if ((match & IPSA_Q_DSTID) && (sq->dstid != NULL)) { 2316 sq->didstr = (char *)(sq->dstid + 1); 2317 sq->didtype = sq->dstid->sadb_ident_type; 2318 *mfpp++ = sadb_match_dstid; 2319 } 2320 2321 sq->srcid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 2322 2323 if ((match & IPSA_Q_SRCID) && (sq->srcid != NULL)) { 2324 sq->sidstr = (char *)(sq->srcid + 1); 2325 sq->sidtype = sq->srcid->sadb_ident_type; 2326 *mfpp++ = sadb_match_srcid; 2327 } 2328 2329 sq->kmcext = (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 2330 sq->kmc = 0; 2331 sq->kmp = 0; 2332 2333 if ((match & IPSA_Q_KMC) && (sq->kmcext)) { 2334 sq->kmc = sq->kmcext->sadb_x_kmc_cookie; 2335 sq->kmp = sq->kmcext->sadb_x_kmc_proto; 2336 *mfpp++ = sadb_match_kmc; 2337 } 2338 2339 if (match & (IPSA_Q_INBOUND|IPSA_Q_OUTBOUND)) { 2340 if (sq->af == AF_INET6) 2341 sq->sp = &sq->spp->s_v6; 2342 else 2343 sq->sp = &sq->spp->s_v4; 2344 } else { 2345 sq->sp = NULL; 2346 } 2347 2348 if (match & IPSA_Q_INBOUND) { 2349 sq->inhash = INBOUND_HASH(sq->sp, sq->assoc->sadb_sa_spi); 2350 sq->inbound = &sq->sp->sdb_if[sq->inhash]; 2351 } else { 2352 sq->inhash = 0; 2353 sq->inbound = NULL; 2354 } 2355 2356 if (match & IPSA_Q_OUTBOUND) { 2357 if (sq->af == AF_INET6) { 2358 sq->outhash = OUTBOUND_HASH_V6(sq->sp, *(sq->dstaddr)); 2359 } else { 2360 sq->outhash = OUTBOUND_HASH_V4(sq->sp, *(sq->dstaddr)); 2361 } 2362 sq->outbound = &sq->sp->sdb_of[sq->outhash]; 2363 } else { 2364 sq->outhash = 0; 2365 sq->outbound = NULL; 2366 } 2367 sq->match = match; 2368 return (0); 2369 } 2370 2371 /* 2372 * Match an initialized query structure with a security association; 2373 * return B_TRUE on a match, B_FALSE on a miss. 2374 * Applies match functions set up by sadb_form_query() until one returns false. 2375 */ 2376 boolean_t 2377 sadb_match_query(ipsa_query_t *sq, ipsa_t *sa) 2378 { 2379 ipsa_match_fn_t *mfpp = &(sq->matchers[0]); 2380 ipsa_match_fn_t mfp; 2381 2382 for (mfp = *mfpp++; mfp != NULL; mfp = *mfpp++) { 2383 if (!mfp(sq, sa)) 2384 return (B_FALSE); 2385 } 2386 return (B_TRUE); 2387 } 2388 2389 /* 2390 * Walker callback function to delete sa's based on src/dst address. 2391 * Assumes that we're called with *head locked, no other locks held; 2392 * Conveniently, and not coincidentally, this is both what sadb_walker 2393 * gives us and also what sadb_unlinkassoc expects. 2394 */ 2395 struct sadb_purge_state 2396 { 2397 ipsa_query_t sq; 2398 boolean_t inbnd; 2399 uint8_t sadb_sa_state; 2400 }; 2401 2402 static void 2403 sadb_purge_cb(isaf_t *head, ipsa_t *entry, void *cookie) 2404 { 2405 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2406 2407 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2408 2409 mutex_enter(&entry->ipsa_lock); 2410 2411 if (entry->ipsa_state == IPSA_STATE_LARVAL || 2412 !sadb_match_query(&ps->sq, entry)) { 2413 mutex_exit(&entry->ipsa_lock); 2414 return; 2415 } 2416 2417 if (ps->inbnd) { 2418 sadb_delete_cluster(entry); 2419 } 2420 entry->ipsa_state = IPSA_STATE_DEAD; 2421 (void) sadb_torch_assoc(head, entry); 2422 } 2423 2424 /* 2425 * Common code to purge an SA with a matching src or dst address. 2426 * Don't kill larval SA's in such a purge. 2427 */ 2428 int 2429 sadb_purge_sa(mblk_t *mp, keysock_in_t *ksi, sadb_t *sp, 2430 int *diagnostic, queue_t *pfkey_q) 2431 { 2432 struct sadb_purge_state ps; 2433 int error = sadb_form_query(ksi, 0, 2434 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC, 2435 &ps.sq, diagnostic); 2436 2437 if (error != 0) 2438 return (error); 2439 2440 /* 2441 * This is simple, crude, and effective. 2442 * Unimplemented optimizations (TBD): 2443 * - we can limit how many places we search based on where we 2444 * think the SA is filed. 2445 * - if we get a dst address, we can hash based on dst addr to find 2446 * the correct bucket in the outbound table. 2447 */ 2448 ps.inbnd = B_TRUE; 2449 sadb_walker(sp->sdb_if, sp->sdb_hashsize, sadb_purge_cb, &ps); 2450 ps.inbnd = B_FALSE; 2451 sadb_walker(sp->sdb_of, sp->sdb_hashsize, sadb_purge_cb, &ps); 2452 2453 ASSERT(mp->b_cont != NULL); 2454 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi, 2455 NULL); 2456 return (0); 2457 } 2458 2459 static void 2460 sadb_delpair_state_one(isaf_t *head, ipsa_t *entry, void *cookie) 2461 { 2462 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2463 isaf_t *inbound_bucket; 2464 ipsa_t *peer_assoc; 2465 ipsa_query_t *sq = &ps->sq; 2466 2467 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2468 2469 mutex_enter(&entry->ipsa_lock); 2470 2471 if ((entry->ipsa_state != ps->sadb_sa_state) || 2472 ((sq->srcaddr != NULL) && 2473 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, sq->srcaddr, sq->af))) { 2474 mutex_exit(&entry->ipsa_lock); 2475 return; 2476 } 2477 2478 /* 2479 * The isaf_t *, which is passed in , is always an outbound bucket, 2480 * and we are preserving the outbound-then-inbound hash-bucket lock 2481 * ordering. The sadb_walker() which triggers this function is called 2482 * only on the outbound fanout, and the corresponding inbound bucket 2483 * lock is safe to acquire here. 2484 */ 2485 2486 if (entry->ipsa_haspeer) { 2487 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_spi); 2488 mutex_enter(&inbound_bucket->isaf_lock); 2489 peer_assoc = ipsec_getassocbyspi(inbound_bucket, 2490 entry->ipsa_spi, entry->ipsa_srcaddr, 2491 entry->ipsa_dstaddr, entry->ipsa_addrfam); 2492 } else { 2493 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_otherspi); 2494 mutex_enter(&inbound_bucket->isaf_lock); 2495 peer_assoc = ipsec_getassocbyspi(inbound_bucket, 2496 entry->ipsa_otherspi, entry->ipsa_dstaddr, 2497 entry->ipsa_srcaddr, entry->ipsa_addrfam); 2498 } 2499 2500 entry->ipsa_state = IPSA_STATE_DEAD; 2501 (void) sadb_torch_assoc(head, entry); 2502 if (peer_assoc != NULL) { 2503 mutex_enter(&peer_assoc->ipsa_lock); 2504 peer_assoc->ipsa_state = IPSA_STATE_DEAD; 2505 (void) sadb_torch_assoc(inbound_bucket, peer_assoc); 2506 } 2507 mutex_exit(&inbound_bucket->isaf_lock); 2508 } 2509 2510 static int 2511 sadb_delpair_state(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp, 2512 int *diagnostic, queue_t *pfkey_q) 2513 { 2514 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2515 struct sadb_purge_state ps; 2516 int error; 2517 2518 ps.sq.spp = spp; /* XXX param */ 2519 2520 error = sadb_form_query(ksi, IPSA_Q_DST|IPSA_Q_SRC, 2521 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC, 2522 &ps.sq, diagnostic); 2523 if (error != 0) 2524 return (error); 2525 2526 ps.inbnd = B_FALSE; 2527 ps.sadb_sa_state = assoc->sadb_sa_state; 2528 sadb_walker(ps.sq.sp->sdb_of, ps.sq.sp->sdb_hashsize, 2529 sadb_delpair_state_one, &ps); 2530 2531 ASSERT(mp->b_cont != NULL); 2532 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 2533 ksi, NULL); 2534 return (0); 2535 } 2536 2537 /* 2538 * Common code to delete/get an SA. 2539 */ 2540 int 2541 sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp, 2542 int *diagnostic, queue_t *pfkey_q, uint8_t sadb_msg_type) 2543 { 2544 ipsa_query_t sq; 2545 ipsa_t *echo_target = NULL; 2546 ipsap_t ipsapp; 2547 uint_t error = 0; 2548 2549 if (sadb_msg_type == SADB_X_DELPAIR_STATE) 2550 return (sadb_delpair_state(mp, ksi, spp, diagnostic, pfkey_q)); 2551 2552 sq.spp = spp; /* XXX param */ 2553 error = sadb_form_query(ksi, IPSA_Q_DST|IPSA_Q_SA, 2554 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, 2555 &sq, diagnostic); 2556 if (error != 0) 2557 return (error); 2558 2559 error = get_ipsa_pair(&sq, &ipsapp, diagnostic); 2560 if (error != 0) { 2561 return (error); 2562 } 2563 2564 echo_target = ipsapp.ipsap_sa_ptr; 2565 if (echo_target == NULL) 2566 echo_target = ipsapp.ipsap_psa_ptr; 2567 2568 if (sadb_msg_type == SADB_DELETE || sadb_msg_type == SADB_X_DELPAIR) { 2569 /* 2570 * Bucket locks will be required if SA is actually unlinked. 2571 * get_ipsa_pair() returns valid hash bucket pointers even 2572 * if it can't find a pair SA pointer. To prevent a potential 2573 * deadlock, always lock the outbound bucket before the inbound. 2574 */ 2575 if (ipsapp.in_inbound_table) { 2576 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock); 2577 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock); 2578 } else { 2579 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock); 2580 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock); 2581 } 2582 2583 if (ipsapp.ipsap_sa_ptr != NULL) { 2584 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock); 2585 if (ipsapp.ipsap_sa_ptr->ipsa_flags & IPSA_F_INBOUND) { 2586 sadb_delete_cluster(ipsapp.ipsap_sa_ptr); 2587 } 2588 ipsapp.ipsap_sa_ptr->ipsa_state = IPSA_STATE_DEAD; 2589 (void) sadb_torch_assoc(ipsapp.ipsap_bucket, 2590 ipsapp.ipsap_sa_ptr); 2591 /* 2592 * sadb_torch_assoc() releases the ipsa_lock 2593 * and calls sadb_unlinkassoc() which does a 2594 * IPSA_REFRELE. 2595 */ 2596 } 2597 if (ipsapp.ipsap_psa_ptr != NULL) { 2598 mutex_enter(&ipsapp.ipsap_psa_ptr->ipsa_lock); 2599 if (sadb_msg_type == SADB_X_DELPAIR || 2600 ipsapp.ipsap_psa_ptr->ipsa_haspeer) { 2601 if (ipsapp.ipsap_psa_ptr->ipsa_flags & 2602 IPSA_F_INBOUND) { 2603 sadb_delete_cluster 2604 (ipsapp.ipsap_psa_ptr); 2605 } 2606 ipsapp.ipsap_psa_ptr->ipsa_state = 2607 IPSA_STATE_DEAD; 2608 (void) sadb_torch_assoc(ipsapp.ipsap_pbucket, 2609 ipsapp.ipsap_psa_ptr); 2610 } else { 2611 /* 2612 * Only half of the "pair" has been deleted. 2613 * Update the remaining SA and remove references 2614 * to its pair SA, which is now gone. 2615 */ 2616 ipsapp.ipsap_psa_ptr->ipsa_otherspi = 0; 2617 ipsapp.ipsap_psa_ptr->ipsa_flags &= 2618 ~IPSA_F_PAIRED; 2619 mutex_exit(&ipsapp.ipsap_psa_ptr->ipsa_lock); 2620 } 2621 } else if (sadb_msg_type == SADB_X_DELPAIR) { 2622 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 2623 error = ESRCH; 2624 } 2625 mutex_exit(&ipsapp.ipsap_bucket->isaf_lock); 2626 mutex_exit(&ipsapp.ipsap_pbucket->isaf_lock); 2627 } 2628 2629 ASSERT(mp->b_cont != NULL); 2630 2631 if (error == 0) 2632 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *) 2633 mp->b_cont->b_rptr, ksi, echo_target); 2634 2635 destroy_ipsa_pair(&ipsapp); 2636 2637 return (error); 2638 } 2639 2640 /* 2641 * This function takes a sadb_sa_t and finds the ipsa_t structure 2642 * and the isaf_t (hash bucket) that its stored under. If the security 2643 * association has a peer, the ipsa_t structure and bucket for that security 2644 * association are also searched for. The "pair" of ipsa_t's and isaf_t's 2645 * are returned as a ipsap_t. 2646 * 2647 * The hash buckets are returned for convenience, if the calling function 2648 * needs to use the hash bucket locks, say to remove the SA's, it should 2649 * take care to observe the convention of locking outbound bucket then 2650 * inbound bucket. The flag in_inbound_table provides direction. 2651 * 2652 * Note that a "pair" is defined as one (but not both) of the following: 2653 * 2654 * A security association which has a soft reference to another security 2655 * association via its SPI. 2656 * 2657 * A security association that is not obviously "inbound" or "outbound" so 2658 * it appears in both hash tables, the "peer" being the same security 2659 * association in the other hash table. 2660 * 2661 * This function will return NULL if the ipsa_t can't be found in the 2662 * inbound or outbound hash tables (not found). If only one ipsa_t is 2663 * found, the pair ipsa_t will be NULL. Both isaf_t values are valid 2664 * provided at least one ipsa_t is found. 2665 */ 2666 static int 2667 get_ipsa_pair(ipsa_query_t *sq, ipsap_t *ipsapp, int *diagnostic) 2668 { 2669 uint32_t pair_srcaddr[IPSA_MAX_ADDRLEN]; 2670 uint32_t pair_dstaddr[IPSA_MAX_ADDRLEN]; 2671 uint32_t pair_spi; 2672 2673 init_ipsa_pair(ipsapp); 2674 2675 ipsapp->in_inbound_table = B_FALSE; 2676 2677 /* Lock down both buckets. */ 2678 mutex_enter(&sq->outbound->isaf_lock); 2679 mutex_enter(&sq->inbound->isaf_lock); 2680 2681 if (sq->assoc->sadb_sa_flags & IPSA_F_INBOUND) { 2682 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound, 2683 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af); 2684 if (ipsapp->ipsap_sa_ptr != NULL) { 2685 ipsapp->ipsap_bucket = sq->inbound; 2686 ipsapp->ipsap_pbucket = sq->outbound; 2687 ipsapp->in_inbound_table = B_TRUE; 2688 } else { 2689 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->outbound, 2690 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, 2691 sq->af); 2692 ipsapp->ipsap_bucket = sq->outbound; 2693 ipsapp->ipsap_pbucket = sq->inbound; 2694 } 2695 } else { 2696 /* IPSA_F_OUTBOUND is set *or* no directions flags set. */ 2697 ipsapp->ipsap_sa_ptr = 2698 ipsec_getassocbyspi(sq->outbound, 2699 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af); 2700 if (ipsapp->ipsap_sa_ptr != NULL) { 2701 ipsapp->ipsap_bucket = sq->outbound; 2702 ipsapp->ipsap_pbucket = sq->inbound; 2703 } else { 2704 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound, 2705 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, 2706 sq->af); 2707 ipsapp->ipsap_bucket = sq->inbound; 2708 ipsapp->ipsap_pbucket = sq->outbound; 2709 if (ipsapp->ipsap_sa_ptr != NULL) 2710 ipsapp->in_inbound_table = B_TRUE; 2711 } 2712 } 2713 2714 if (ipsapp->ipsap_sa_ptr == NULL) { 2715 mutex_exit(&sq->outbound->isaf_lock); 2716 mutex_exit(&sq->inbound->isaf_lock); 2717 *diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND; 2718 return (ESRCH); 2719 } 2720 2721 if ((ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) && 2722 ipsapp->in_inbound_table) { 2723 mutex_exit(&sq->outbound->isaf_lock); 2724 mutex_exit(&sq->inbound->isaf_lock); 2725 return (0); 2726 } 2727 2728 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2729 if (ipsapp->ipsap_sa_ptr->ipsa_haspeer) { 2730 /* 2731 * haspeer implies no sa_pairing, look for same spi 2732 * in other hashtable. 2733 */ 2734 ipsapp->ipsap_psa_ptr = 2735 ipsec_getassocbyspi(ipsapp->ipsap_pbucket, 2736 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af); 2737 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2738 mutex_exit(&sq->outbound->isaf_lock); 2739 mutex_exit(&sq->inbound->isaf_lock); 2740 return (0); 2741 } 2742 pair_spi = ipsapp->ipsap_sa_ptr->ipsa_otherspi; 2743 IPSA_COPY_ADDR(&pair_srcaddr, 2744 ipsapp->ipsap_sa_ptr->ipsa_srcaddr, sq->af); 2745 IPSA_COPY_ADDR(&pair_dstaddr, 2746 ipsapp->ipsap_sa_ptr->ipsa_dstaddr, sq->af); 2747 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2748 mutex_exit(&sq->inbound->isaf_lock); 2749 mutex_exit(&sq->outbound->isaf_lock); 2750 2751 if (pair_spi == 0) { 2752 ASSERT(ipsapp->ipsap_bucket != NULL); 2753 ASSERT(ipsapp->ipsap_pbucket != NULL); 2754 return (0); 2755 } 2756 2757 /* found sa in outbound sadb, peer should be inbound */ 2758 2759 if (ipsapp->in_inbound_table) { 2760 /* Found SA in inbound table, pair will be in outbound. */ 2761 if (sq->af == AF_INET6) { 2762 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V6(sq->sp, 2763 *(uint32_t *)pair_srcaddr); 2764 } else { 2765 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V4(sq->sp, 2766 *(uint32_t *)pair_srcaddr); 2767 } 2768 } else { 2769 ipsapp->ipsap_pbucket = INBOUND_BUCKET(sq->sp, pair_spi); 2770 } 2771 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock); 2772 ipsapp->ipsap_psa_ptr = ipsec_getassocbyspi(ipsapp->ipsap_pbucket, 2773 pair_spi, pair_dstaddr, pair_srcaddr, sq->af); 2774 mutex_exit(&ipsapp->ipsap_pbucket->isaf_lock); 2775 ASSERT(ipsapp->ipsap_bucket != NULL); 2776 ASSERT(ipsapp->ipsap_pbucket != NULL); 2777 return (0); 2778 } 2779 2780 /* 2781 * Perform NAT-traversal cached checksum offset calculations here. 2782 */ 2783 static void 2784 sadb_nat_calculations(ipsa_t *newbie, sadb_address_t *natt_loc_ext, 2785 sadb_address_t *natt_rem_ext, uint32_t *src_addr_ptr, 2786 uint32_t *dst_addr_ptr) 2787 { 2788 struct sockaddr_in *natt_loc, *natt_rem; 2789 uint32_t *natt_loc_ptr = NULL, *natt_rem_ptr = NULL; 2790 uint32_t running_sum = 0; 2791 2792 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16) 2793 2794 if (natt_rem_ext != NULL) { 2795 uint32_t l_src; 2796 uint32_t l_rem; 2797 2798 natt_rem = (struct sockaddr_in *)(natt_rem_ext + 1); 2799 2800 /* Ensured by sadb_addrfix(). */ 2801 ASSERT(natt_rem->sin_family == AF_INET); 2802 2803 natt_rem_ptr = (uint32_t *)(&natt_rem->sin_addr); 2804 newbie->ipsa_remote_nat_port = natt_rem->sin_port; 2805 l_src = *src_addr_ptr; 2806 l_rem = *natt_rem_ptr; 2807 2808 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */ 2809 newbie->ipsa_natt_addr_rem = *natt_rem_ptr; 2810 2811 l_src = ntohl(l_src); 2812 DOWN_SUM(l_src); 2813 DOWN_SUM(l_src); 2814 l_rem = ntohl(l_rem); 2815 DOWN_SUM(l_rem); 2816 DOWN_SUM(l_rem); 2817 2818 /* 2819 * We're 1's complement for checksums, so check for wraparound 2820 * here. 2821 */ 2822 if (l_rem > l_src) 2823 l_src--; 2824 2825 running_sum += l_src - l_rem; 2826 2827 DOWN_SUM(running_sum); 2828 DOWN_SUM(running_sum); 2829 } 2830 2831 if (natt_loc_ext != NULL) { 2832 natt_loc = (struct sockaddr_in *)(natt_loc_ext + 1); 2833 2834 /* Ensured by sadb_addrfix(). */ 2835 ASSERT(natt_loc->sin_family == AF_INET); 2836 2837 natt_loc_ptr = (uint32_t *)(&natt_loc->sin_addr); 2838 newbie->ipsa_local_nat_port = natt_loc->sin_port; 2839 2840 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */ 2841 newbie->ipsa_natt_addr_loc = *natt_loc_ptr; 2842 2843 /* 2844 * NAT-T port agility means we may have natt_loc_ext, but 2845 * only for a local-port change. 2846 */ 2847 if (natt_loc->sin_addr.s_addr != INADDR_ANY) { 2848 uint32_t l_dst = ntohl(*dst_addr_ptr); 2849 uint32_t l_loc = ntohl(*natt_loc_ptr); 2850 2851 DOWN_SUM(l_loc); 2852 DOWN_SUM(l_loc); 2853 DOWN_SUM(l_dst); 2854 DOWN_SUM(l_dst); 2855 2856 /* 2857 * We're 1's complement for checksums, so check for 2858 * wraparound here. 2859 */ 2860 if (l_loc > l_dst) 2861 l_dst--; 2862 2863 running_sum += l_dst - l_loc; 2864 DOWN_SUM(running_sum); 2865 DOWN_SUM(running_sum); 2866 } 2867 } 2868 2869 newbie->ipsa_inbound_cksum = running_sum; 2870 #undef DOWN_SUM 2871 } 2872 2873 /* 2874 * This function is called from consumers that need to insert a fully-grown 2875 * security association into its tables. This function takes into account that 2876 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary" 2877 * hash bucket parameters are set in order of what the SA will be most of the 2878 * time. (For example, an SA with an unspecified source, and a multicast 2879 * destination will primarily be an outbound SA. OTOH, if that destination 2880 * is unicast for this node, then the SA will primarily be inbound.) 2881 * 2882 * It takes a lot of parameters because even if clone is B_FALSE, this needs 2883 * to check both buckets for purposes of collision. 2884 * 2885 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for 2886 * various error conditions. We may need to set samsg->sadb_x_msg_diagnostic 2887 * with additional diagnostic information because there is at least one EINVAL 2888 * case here. 2889 */ 2890 int 2891 sadb_common_add(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 2892 keysock_in_t *ksi, isaf_t *primary, isaf_t *secondary, 2893 ipsa_t *newbie, boolean_t clone, boolean_t is_inbound, int *diagnostic, 2894 netstack_t *ns, sadbp_t *spp) 2895 { 2896 ipsa_t *newbie_clone = NULL, *scratch; 2897 ipsap_t ipsapp; 2898 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2899 sadb_address_t *srcext = 2900 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2901 sadb_address_t *dstext = 2902 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2903 sadb_address_t *isrcext = 2904 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC]; 2905 sadb_address_t *idstext = 2906 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_DST]; 2907 sadb_x_kmc_t *kmcext = 2908 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 2909 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 2910 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 2911 sadb_sens_t *sens = 2912 (sadb_sens_t *)ksi->ks_in_extv[SADB_EXT_SENSITIVITY]; 2913 sadb_sens_t *osens = 2914 (sadb_sens_t *)ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS]; 2915 sadb_x_pair_t *pair_ext = 2916 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 2917 sadb_x_replay_ctr_t *replayext = 2918 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE]; 2919 uint8_t protocol = 2920 (samsg->sadb_msg_satype == SADB_SATYPE_AH) ? IPPROTO_AH:IPPROTO_ESP; 2921 int salt_offset; 2922 uint8_t *buf_ptr; 2923 struct sockaddr_in *src, *dst, *isrc, *idst; 2924 struct sockaddr_in6 *src6, *dst6, *isrc6, *idst6; 2925 sadb_lifetime_t *soft = 2926 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 2927 sadb_lifetime_t *hard = 2928 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 2929 sadb_lifetime_t *idle = 2930 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE]; 2931 sa_family_t af; 2932 int error = 0; 2933 boolean_t isupdate = (newbie != NULL); 2934 uint32_t *src_addr_ptr, *dst_addr_ptr, *isrc_addr_ptr, *idst_addr_ptr; 2935 ipsec_stack_t *ipss = ns->netstack_ipsec; 2936 ip_stack_t *ipst = ns->netstack_ip; 2937 ipsec_alginfo_t *alg; 2938 int rcode; 2939 boolean_t async = B_FALSE; 2940 2941 init_ipsa_pair(&ipsapp); 2942 2943 if (srcext == NULL) { 2944 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 2945 return (EINVAL); 2946 } 2947 if (dstext == NULL) { 2948 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 2949 return (EINVAL); 2950 } 2951 if (assoc == NULL) { 2952 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 2953 return (EINVAL); 2954 } 2955 2956 src = (struct sockaddr_in *)(srcext + 1); 2957 src6 = (struct sockaddr_in6 *)(srcext + 1); 2958 dst = (struct sockaddr_in *)(dstext + 1); 2959 dst6 = (struct sockaddr_in6 *)(dstext + 1); 2960 if (isrcext != NULL) { 2961 isrc = (struct sockaddr_in *)(isrcext + 1); 2962 isrc6 = (struct sockaddr_in6 *)(isrcext + 1); 2963 ASSERT(idstext != NULL); 2964 idst = (struct sockaddr_in *)(idstext + 1); 2965 idst6 = (struct sockaddr_in6 *)(idstext + 1); 2966 } else { 2967 isrc = NULL; 2968 isrc6 = NULL; 2969 } 2970 2971 af = src->sin_family; 2972 2973 if (af == AF_INET) { 2974 src_addr_ptr = (uint32_t *)&src->sin_addr; 2975 dst_addr_ptr = (uint32_t *)&dst->sin_addr; 2976 } else { 2977 ASSERT(af == AF_INET6); 2978 src_addr_ptr = (uint32_t *)&src6->sin6_addr; 2979 dst_addr_ptr = (uint32_t *)&dst6->sin6_addr; 2980 } 2981 2982 if (!isupdate && (clone == B_TRUE || is_inbound == B_TRUE) && 2983 cl_inet_checkspi && 2984 (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) { 2985 rcode = cl_inet_checkspi(ns->netstack_stackid, protocol, 2986 assoc->sadb_sa_spi, NULL); 2987 if (rcode == -1) { 2988 return (EEXIST); 2989 } 2990 } 2991 2992 /* 2993 * Check to see if the new SA will be cloned AND paired. The 2994 * reason a SA will be cloned is the source or destination addresses 2995 * are not specific enough to determine if the SA goes in the outbound 2996 * or the inbound hash table, so its cloned and put in both. If 2997 * the SA is paired, it's soft linked to another SA for the other 2998 * direction. Keeping track and looking up SA's that are direction 2999 * unspecific and linked is too hard. 3000 */ 3001 if (clone && (pair_ext != NULL)) { 3002 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 3003 return (EINVAL); 3004 } 3005 3006 if (!isupdate) { 3007 newbie = sadb_makelarvalassoc(assoc->sadb_sa_spi, 3008 src_addr_ptr, dst_addr_ptr, af, ns); 3009 if (newbie == NULL) 3010 return (ENOMEM); 3011 } 3012 3013 mutex_enter(&newbie->ipsa_lock); 3014 3015 if (isrc != NULL) { 3016 if (isrc->sin_family == AF_INET) { 3017 if (srcext->sadb_address_proto != IPPROTO_ENCAP) { 3018 if (srcext->sadb_address_proto != 0) { 3019 /* 3020 * Mismatched outer-packet protocol 3021 * and inner-packet address family. 3022 */ 3023 mutex_exit(&newbie->ipsa_lock); 3024 error = EPROTOTYPE; 3025 *diagnostic = 3026 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 3027 goto error; 3028 } else { 3029 /* Fill in with explicit protocol. */ 3030 srcext->sadb_address_proto = 3031 IPPROTO_ENCAP; 3032 dstext->sadb_address_proto = 3033 IPPROTO_ENCAP; 3034 } 3035 } 3036 isrc_addr_ptr = (uint32_t *)&isrc->sin_addr; 3037 idst_addr_ptr = (uint32_t *)&idst->sin_addr; 3038 } else { 3039 ASSERT(isrc->sin_family == AF_INET6); 3040 if (srcext->sadb_address_proto != IPPROTO_IPV6) { 3041 if (srcext->sadb_address_proto != 0) { 3042 /* 3043 * Mismatched outer-packet protocol 3044 * and inner-packet address family. 3045 */ 3046 mutex_exit(&newbie->ipsa_lock); 3047 error = EPROTOTYPE; 3048 *diagnostic = 3049 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 3050 goto error; 3051 } else { 3052 /* Fill in with explicit protocol. */ 3053 srcext->sadb_address_proto = 3054 IPPROTO_IPV6; 3055 dstext->sadb_address_proto = 3056 IPPROTO_IPV6; 3057 } 3058 } 3059 isrc_addr_ptr = (uint32_t *)&isrc6->sin6_addr; 3060 idst_addr_ptr = (uint32_t *)&idst6->sin6_addr; 3061 } 3062 newbie->ipsa_innerfam = isrc->sin_family; 3063 3064 IPSA_COPY_ADDR(newbie->ipsa_innersrc, isrc_addr_ptr, 3065 newbie->ipsa_innerfam); 3066 IPSA_COPY_ADDR(newbie->ipsa_innerdst, idst_addr_ptr, 3067 newbie->ipsa_innerfam); 3068 newbie->ipsa_innersrcpfx = isrcext->sadb_address_prefixlen; 3069 newbie->ipsa_innerdstpfx = idstext->sadb_address_prefixlen; 3070 3071 /* Unique value uses inner-ports for Tunnel Mode... */ 3072 newbie->ipsa_unique_id = SA_UNIQUE_ID(isrc->sin_port, 3073 idst->sin_port, dstext->sadb_address_proto, 3074 idstext->sadb_address_proto); 3075 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(isrc->sin_port, 3076 idst->sin_port, dstext->sadb_address_proto, 3077 idstext->sadb_address_proto); 3078 } else { 3079 /* ... and outer-ports for Transport Mode. */ 3080 newbie->ipsa_unique_id = SA_UNIQUE_ID(src->sin_port, 3081 dst->sin_port, dstext->sadb_address_proto, 0); 3082 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(src->sin_port, 3083 dst->sin_port, dstext->sadb_address_proto, 0); 3084 } 3085 if (newbie->ipsa_unique_mask != (uint64_t)0) 3086 newbie->ipsa_flags |= IPSA_F_UNIQUE; 3087 3088 sadb_nat_calculations(newbie, 3089 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC], 3090 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM], 3091 src_addr_ptr, dst_addr_ptr); 3092 3093 newbie->ipsa_type = samsg->sadb_msg_satype; 3094 3095 ASSERT((assoc->sadb_sa_state == SADB_SASTATE_MATURE) || 3096 (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE)); 3097 newbie->ipsa_auth_alg = assoc->sadb_sa_auth; 3098 newbie->ipsa_encr_alg = assoc->sadb_sa_encrypt; 3099 3100 newbie->ipsa_flags |= assoc->sadb_sa_flags; 3101 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_LOC && 3102 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC] == NULL) { 3103 mutex_exit(&newbie->ipsa_lock); 3104 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_LOC; 3105 error = EINVAL; 3106 goto error; 3107 } 3108 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_REM && 3109 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM] == NULL) { 3110 mutex_exit(&newbie->ipsa_lock); 3111 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_REM; 3112 error = EINVAL; 3113 goto error; 3114 } 3115 if (newbie->ipsa_flags & SADB_X_SAFLAGS_TUNNEL && 3116 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC] == NULL) { 3117 mutex_exit(&newbie->ipsa_lock); 3118 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC; 3119 error = EINVAL; 3120 goto error; 3121 } 3122 /* 3123 * If unspecified source address, force replay_wsize to 0. 3124 * This is because an SA that has multiple sources of secure 3125 * traffic cannot enforce a replay counter w/o synchronizing the 3126 * senders. 3127 */ 3128 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) 3129 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay; 3130 else 3131 newbie->ipsa_replay_wsize = 0; 3132 3133 newbie->ipsa_addtime = gethrestime_sec(); 3134 3135 if (kmcext != NULL) { 3136 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto; 3137 newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie; 3138 } 3139 3140 /* 3141 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE. 3142 * The spec says that one can update current lifetimes, but 3143 * that seems impractical, especially in the larval-to-mature 3144 * update that this function performs. 3145 */ 3146 if (soft != NULL) { 3147 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime; 3148 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime; 3149 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes; 3150 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations; 3151 SET_EXPIRE(newbie, softaddlt, softexpiretime); 3152 } 3153 if (hard != NULL) { 3154 newbie->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 3155 newbie->ipsa_harduselt = hard->sadb_lifetime_usetime; 3156 newbie->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 3157 newbie->ipsa_hardalloc = hard->sadb_lifetime_allocations; 3158 SET_EXPIRE(newbie, hardaddlt, hardexpiretime); 3159 } 3160 if (idle != NULL) { 3161 newbie->ipsa_idleaddlt = idle->sadb_lifetime_addtime; 3162 newbie->ipsa_idleuselt = idle->sadb_lifetime_usetime; 3163 newbie->ipsa_idleexpiretime = newbie->ipsa_addtime + 3164 newbie->ipsa_idleaddlt; 3165 newbie->ipsa_idletime = newbie->ipsa_idleaddlt; 3166 } 3167 3168 newbie->ipsa_authtmpl = NULL; 3169 newbie->ipsa_encrtmpl = NULL; 3170 3171 #ifdef IPSEC_LATENCY_TEST 3172 if (akey != NULL && newbie->ipsa_auth_alg != SADB_AALG_NONE) { 3173 #else 3174 if (akey != NULL) { 3175 #endif 3176 async = (ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] == 3177 IPSEC_ALGS_EXEC_ASYNC); 3178 3179 newbie->ipsa_authkeybits = akey->sadb_key_bits; 3180 newbie->ipsa_authkeylen = SADB_1TO8(akey->sadb_key_bits); 3181 /* In case we have to round up to the next byte... */ 3182 if ((akey->sadb_key_bits & 0x7) != 0) 3183 newbie->ipsa_authkeylen++; 3184 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 3185 KM_NOSLEEP); 3186 if (newbie->ipsa_authkey == NULL) { 3187 error = ENOMEM; 3188 mutex_exit(&newbie->ipsa_lock); 3189 goto error; 3190 } 3191 bcopy(akey + 1, newbie->ipsa_authkey, newbie->ipsa_authkeylen); 3192 bzero(akey + 1, newbie->ipsa_authkeylen); 3193 3194 /* 3195 * Pre-initialize the kernel crypto framework key 3196 * structure. 3197 */ 3198 newbie->ipsa_kcfauthkey.ck_format = CRYPTO_KEY_RAW; 3199 newbie->ipsa_kcfauthkey.ck_length = newbie->ipsa_authkeybits; 3200 newbie->ipsa_kcfauthkey.ck_data = newbie->ipsa_authkey; 3201 3202 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 3203 alg = ipss->ipsec_alglists[IPSEC_ALG_AUTH] 3204 [newbie->ipsa_auth_alg]; 3205 if (alg != NULL && ALG_VALID(alg)) { 3206 newbie->ipsa_amech.cm_type = alg->alg_mech_type; 3207 newbie->ipsa_amech.cm_param = 3208 (char *)&newbie->ipsa_mac_len; 3209 newbie->ipsa_amech.cm_param_len = sizeof (size_t); 3210 newbie->ipsa_mac_len = (size_t)alg->alg_datalen; 3211 } else { 3212 newbie->ipsa_amech.cm_type = CRYPTO_MECHANISM_INVALID; 3213 } 3214 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_AUTH); 3215 rw_exit(&ipss->ipsec_alg_lock); 3216 if (error != 0) { 3217 mutex_exit(&newbie->ipsa_lock); 3218 /* 3219 * An error here indicates that alg is the wrong type 3220 * (IE: not authentication) or its not in the alg tables 3221 * created by ipsecalgs(1m), or Kcf does not like the 3222 * parameters passed in with this algorithm, which is 3223 * probably a coding error! 3224 */ 3225 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX; 3226 3227 goto error; 3228 } 3229 } 3230 3231 if (ekey != NULL) { 3232 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 3233 async = async || (ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] == 3234 IPSEC_ALGS_EXEC_ASYNC); 3235 alg = ipss->ipsec_alglists[IPSEC_ALG_ENCR] 3236 [newbie->ipsa_encr_alg]; 3237 3238 if (alg != NULL && ALG_VALID(alg)) { 3239 newbie->ipsa_emech.cm_type = alg->alg_mech_type; 3240 newbie->ipsa_datalen = alg->alg_datalen; 3241 if (alg->alg_flags & ALG_FLAG_COUNTERMODE) 3242 newbie->ipsa_flags |= IPSA_F_COUNTERMODE; 3243 3244 if (alg->alg_flags & ALG_FLAG_COMBINED) { 3245 newbie->ipsa_flags |= IPSA_F_COMBINED; 3246 newbie->ipsa_mac_len = alg->alg_icvlen; 3247 } 3248 3249 if (alg->alg_flags & ALG_FLAG_CCM) 3250 newbie->ipsa_noncefunc = ccm_params_init; 3251 else if (alg->alg_flags & ALG_FLAG_GCM) 3252 newbie->ipsa_noncefunc = gcm_params_init; 3253 else newbie->ipsa_noncefunc = cbc_params_init; 3254 3255 newbie->ipsa_saltlen = alg->alg_saltlen; 3256 newbie->ipsa_saltbits = SADB_8TO1(newbie->ipsa_saltlen); 3257 newbie->ipsa_iv_len = alg->alg_ivlen; 3258 newbie->ipsa_nonce_len = newbie->ipsa_saltlen + 3259 newbie->ipsa_iv_len; 3260 newbie->ipsa_emech.cm_param = NULL; 3261 newbie->ipsa_emech.cm_param_len = 0; 3262 } else { 3263 newbie->ipsa_emech.cm_type = CRYPTO_MECHANISM_INVALID; 3264 } 3265 rw_exit(&ipss->ipsec_alg_lock); 3266 3267 /* 3268 * The byte stream following the sadb_key_t is made up of: 3269 * key bytes, [salt bytes], [IV initial value] 3270 * All of these have variable length. The IV is typically 3271 * randomly generated by this function and not passed in. 3272 * By supporting the injection of a known IV, the whole 3273 * IPsec subsystem and the underlying crypto subsystem 3274 * can be tested with known test vectors. 3275 * 3276 * The keying material has been checked by ext_check() 3277 * and ipsec_valid_key_size(), after removing salt/IV 3278 * bits, whats left is the encryption key. If this is too 3279 * short, ipsec_create_ctx_tmpl() will fail and the SA 3280 * won't get created. 3281 * 3282 * set ipsa_encrkeylen to length of key only. 3283 */ 3284 newbie->ipsa_encrkeybits = ekey->sadb_key_bits; 3285 newbie->ipsa_encrkeybits -= ekey->sadb_key_reserved; 3286 newbie->ipsa_encrkeybits -= newbie->ipsa_saltbits; 3287 newbie->ipsa_encrkeylen = SADB_1TO8(newbie->ipsa_encrkeybits); 3288 3289 /* In case we have to round up to the next byte... */ 3290 if ((ekey->sadb_key_bits & 0x7) != 0) 3291 newbie->ipsa_encrkeylen++; 3292 3293 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 3294 KM_NOSLEEP); 3295 if (newbie->ipsa_encrkey == NULL) { 3296 error = ENOMEM; 3297 mutex_exit(&newbie->ipsa_lock); 3298 goto error; 3299 } 3300 3301 buf_ptr = (uint8_t *)(ekey + 1); 3302 bcopy(buf_ptr, newbie->ipsa_encrkey, newbie->ipsa_encrkeylen); 3303 3304 if (newbie->ipsa_flags & IPSA_F_COMBINED) { 3305 /* 3306 * Combined mode algs need a nonce. Copy the salt and 3307 * IV into a buffer. The ipsa_nonce is a pointer into 3308 * this buffer, some bytes at the start of the buffer 3309 * may be unused, depends on the salt length. The IV 3310 * is 64 bit aligned so it can be incremented as a 3311 * uint64_t. Zero out key in samsg_t before freeing. 3312 */ 3313 3314 newbie->ipsa_nonce_buf = kmem_alloc( 3315 sizeof (ipsec_nonce_t), KM_NOSLEEP); 3316 if (newbie->ipsa_nonce_buf == NULL) { 3317 error = ENOMEM; 3318 mutex_exit(&newbie->ipsa_lock); 3319 goto error; 3320 } 3321 /* 3322 * Initialize nonce and salt pointers to point 3323 * to the nonce buffer. This is just in case we get 3324 * bad data, the pointers will be valid, the data 3325 * won't be. 3326 * 3327 * See sadb.h for layout of nonce. 3328 */ 3329 newbie->ipsa_iv = &newbie->ipsa_nonce_buf->iv; 3330 newbie->ipsa_salt = (uint8_t *)newbie->ipsa_nonce_buf; 3331 newbie->ipsa_nonce = newbie->ipsa_salt; 3332 if (newbie->ipsa_saltlen != 0) { 3333 salt_offset = MAXSALTSIZE - 3334 newbie->ipsa_saltlen; 3335 newbie->ipsa_salt = (uint8_t *) 3336 &newbie->ipsa_nonce_buf->salt[salt_offset]; 3337 newbie->ipsa_nonce = newbie->ipsa_salt; 3338 buf_ptr += newbie->ipsa_encrkeylen; 3339 bcopy(buf_ptr, newbie->ipsa_salt, 3340 newbie->ipsa_saltlen); 3341 } 3342 /* 3343 * The IV for CCM/GCM mode increments, it should not 3344 * repeat. Get a random value for the IV, make a 3345 * copy, the SA will expire when/if the IV ever 3346 * wraps back to the initial value. If an Initial IV 3347 * is passed in via PF_KEY, save this in the SA. 3348 * Initialising IV for inbound is pointless as its 3349 * taken from the inbound packet. 3350 */ 3351 if (!is_inbound) { 3352 if (ekey->sadb_key_reserved != 0) { 3353 buf_ptr += newbie->ipsa_saltlen; 3354 bcopy(buf_ptr, (uint8_t *)newbie-> 3355 ipsa_iv, SADB_1TO8(ekey-> 3356 sadb_key_reserved)); 3357 } else { 3358 (void) random_get_pseudo_bytes( 3359 (uint8_t *)newbie->ipsa_iv, 3360 newbie->ipsa_iv_len); 3361 } 3362 newbie->ipsa_iv_softexpire = 3363 (*newbie->ipsa_iv) << 9; 3364 newbie->ipsa_iv_hardexpire = *newbie->ipsa_iv; 3365 } 3366 } 3367 bzero((ekey + 1), SADB_1TO8(ekey->sadb_key_bits)); 3368 3369 /* 3370 * Pre-initialize the kernel crypto framework key 3371 * structure. 3372 */ 3373 newbie->ipsa_kcfencrkey.ck_format = CRYPTO_KEY_RAW; 3374 newbie->ipsa_kcfencrkey.ck_length = newbie->ipsa_encrkeybits; 3375 newbie->ipsa_kcfencrkey.ck_data = newbie->ipsa_encrkey; 3376 3377 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 3378 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_ENCR); 3379 rw_exit(&ipss->ipsec_alg_lock); 3380 if (error != 0) { 3381 mutex_exit(&newbie->ipsa_lock); 3382 /* See above for error explanation. */ 3383 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX; 3384 goto error; 3385 } 3386 } 3387 3388 if (async) 3389 newbie->ipsa_flags |= IPSA_F_ASYNC; 3390 3391 /* 3392 * Ptrs to processing functions. 3393 */ 3394 if (newbie->ipsa_type == SADB_SATYPE_ESP) 3395 ipsecesp_init_funcs(newbie); 3396 else 3397 ipsecah_init_funcs(newbie); 3398 ASSERT(newbie->ipsa_output_func != NULL && 3399 newbie->ipsa_input_func != NULL); 3400 3401 /* 3402 * Certificate ID stuff. 3403 */ 3404 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC] != NULL) { 3405 sadb_ident_t *id = 3406 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 3407 3408 /* 3409 * Can assume strlen() will return okay because ext_check() in 3410 * keysock.c prepares the string for us. 3411 */ 3412 newbie->ipsa_src_cid = ipsid_lookup(id->sadb_ident_type, 3413 (char *)(id+1), ns); 3414 if (newbie->ipsa_src_cid == NULL) { 3415 error = ENOMEM; 3416 mutex_exit(&newbie->ipsa_lock); 3417 goto error; 3418 } 3419 } 3420 3421 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_DST] != NULL) { 3422 sadb_ident_t *id = 3423 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 3424 3425 /* 3426 * Can assume strlen() will return okay because ext_check() in 3427 * keysock.c prepares the string for us. 3428 */ 3429 newbie->ipsa_dst_cid = ipsid_lookup(id->sadb_ident_type, 3430 (char *)(id+1), ns); 3431 if (newbie->ipsa_dst_cid == NULL) { 3432 error = ENOMEM; 3433 mutex_exit(&newbie->ipsa_lock); 3434 goto error; 3435 } 3436 } 3437 3438 /* 3439 * sensitivity label handling code: 3440 * Convert sens + bitmap into cred_t, and associate it 3441 * with the new SA. 3442 */ 3443 if (sens != NULL) { 3444 uint64_t *bitmap = (uint64_t *)(sens + 1); 3445 3446 newbie->ipsa_tsl = sadb_label_from_sens(sens, bitmap); 3447 } 3448 3449 /* 3450 * Likewise for outer sensitivity. 3451 */ 3452 if (osens != NULL) { 3453 uint64_t *bitmap = (uint64_t *)(osens + 1); 3454 ts_label_t *tsl, *effective_tsl; 3455 uint32_t *peer_addr_ptr; 3456 zoneid_t zoneid = GLOBAL_ZONEID; 3457 zone_t *zone; 3458 3459 peer_addr_ptr = is_inbound ? src_addr_ptr : dst_addr_ptr; 3460 3461 tsl = sadb_label_from_sens(osens, bitmap); 3462 newbie->ipsa_mac_exempt = CONN_MAC_DEFAULT; 3463 3464 if (osens->sadb_x_sens_flags & SADB_X_SENS_IMPLICIT) { 3465 newbie->ipsa_mac_exempt = CONN_MAC_IMPLICIT; 3466 } 3467 3468 error = tsol_check_dest(tsl, peer_addr_ptr, 3469 (af == AF_INET6)?IPV6_VERSION:IPV4_VERSION, 3470 newbie->ipsa_mac_exempt, B_TRUE, &effective_tsl); 3471 if (error != 0) { 3472 label_rele(tsl); 3473 mutex_exit(&newbie->ipsa_lock); 3474 goto error; 3475 } 3476 3477 if (effective_tsl != NULL) { 3478 label_rele(tsl); 3479 tsl = effective_tsl; 3480 } 3481 3482 newbie->ipsa_otsl = tsl; 3483 3484 zone = zone_find_by_label(tsl); 3485 if (zone != NULL) { 3486 zoneid = zone->zone_id; 3487 zone_rele(zone); 3488 } 3489 /* 3490 * For exclusive stacks we set the zoneid to zero to operate 3491 * as if in the global zone for tsol_compute_label_v4/v6 3492 */ 3493 if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID) 3494 zoneid = GLOBAL_ZONEID; 3495 3496 if (af == AF_INET6) { 3497 error = tsol_compute_label_v6(tsl, zoneid, 3498 (in6_addr_t *)peer_addr_ptr, 3499 newbie->ipsa_opt_storage, ipst); 3500 } else { 3501 error = tsol_compute_label_v4(tsl, zoneid, 3502 *peer_addr_ptr, newbie->ipsa_opt_storage, ipst); 3503 } 3504 if (error != 0) { 3505 mutex_exit(&newbie->ipsa_lock); 3506 goto error; 3507 } 3508 } 3509 3510 3511 if (replayext != NULL) { 3512 if ((replayext->sadb_x_rc_replay32 == 0) && 3513 (replayext->sadb_x_rc_replay64 != 0)) { 3514 error = EOPNOTSUPP; 3515 *diagnostic = SADB_X_DIAGNOSTIC_INVALID_REPLAY; 3516 mutex_exit(&newbie->ipsa_lock); 3517 goto error; 3518 } 3519 newbie->ipsa_replay = replayext->sadb_x_rc_replay32; 3520 } 3521 3522 /* now that the SA has been updated, set its new state */ 3523 newbie->ipsa_state = assoc->sadb_sa_state; 3524 3525 if (clone) { 3526 newbie->ipsa_haspeer = B_TRUE; 3527 } else { 3528 if (!is_inbound) { 3529 lifetime_fuzz(newbie); 3530 } 3531 } 3532 /* 3533 * The less locks I hold when doing an insertion and possible cloning, 3534 * the better! 3535 */ 3536 mutex_exit(&newbie->ipsa_lock); 3537 3538 if (clone) { 3539 newbie_clone = sadb_cloneassoc(newbie); 3540 3541 if (newbie_clone == NULL) { 3542 error = ENOMEM; 3543 goto error; 3544 } 3545 } 3546 3547 /* 3548 * Enter the bucket locks. The order of entry is outbound, 3549 * inbound. We map "primary" and "secondary" into outbound and inbound 3550 * based on the destination address type. If the destination address 3551 * type is for a node that isn't mine (or potentially mine), the 3552 * "primary" bucket is the outbound one. 3553 */ 3554 if (!is_inbound) { 3555 /* primary == outbound */ 3556 mutex_enter(&primary->isaf_lock); 3557 mutex_enter(&secondary->isaf_lock); 3558 } else { 3559 /* primary == inbound */ 3560 mutex_enter(&secondary->isaf_lock); 3561 mutex_enter(&primary->isaf_lock); 3562 } 3563 3564 /* 3565 * sadb_insertassoc() doesn't increment the reference 3566 * count. We therefore have to increment the 3567 * reference count one more time to reflect the 3568 * pointers of the table that reference this SA. 3569 */ 3570 IPSA_REFHOLD(newbie); 3571 3572 if (isupdate) { 3573 /* 3574 * Unlink from larval holding cell in the "inbound" fanout. 3575 */ 3576 ASSERT(newbie->ipsa_linklock == &primary->isaf_lock || 3577 newbie->ipsa_linklock == &secondary->isaf_lock); 3578 sadb_unlinkassoc(newbie); 3579 } 3580 3581 mutex_enter(&newbie->ipsa_lock); 3582 error = sadb_insertassoc(newbie, primary); 3583 mutex_exit(&newbie->ipsa_lock); 3584 3585 if (error != 0) { 3586 /* 3587 * Since sadb_insertassoc() failed, we must decrement the 3588 * refcount again so the cleanup code will actually free 3589 * the offending SA. 3590 */ 3591 IPSA_REFRELE(newbie); 3592 goto error_unlock; 3593 } 3594 3595 if (newbie_clone != NULL) { 3596 mutex_enter(&newbie_clone->ipsa_lock); 3597 error = sadb_insertassoc(newbie_clone, secondary); 3598 mutex_exit(&newbie_clone->ipsa_lock); 3599 if (error != 0) { 3600 /* Collision in secondary table. */ 3601 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 3602 goto error_unlock; 3603 } 3604 IPSA_REFHOLD(newbie_clone); 3605 } else { 3606 ASSERT(primary != secondary); 3607 scratch = ipsec_getassocbyspi(secondary, newbie->ipsa_spi, 3608 ALL_ZEROES_PTR, newbie->ipsa_dstaddr, af); 3609 if (scratch != NULL) { 3610 /* Collision in secondary table. */ 3611 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 3612 /* Set the error, since ipsec_getassocbyspi() can't. */ 3613 error = EEXIST; 3614 goto error_unlock; 3615 } 3616 } 3617 3618 /* OKAY! So let's do some reality check assertions. */ 3619 3620 ASSERT(MUTEX_NOT_HELD(&newbie->ipsa_lock)); 3621 ASSERT(newbie_clone == NULL || 3622 (MUTEX_NOT_HELD(&newbie_clone->ipsa_lock))); 3623 3624 error_unlock: 3625 3626 /* 3627 * We can exit the locks in any order. Only entrance needs to 3628 * follow any protocol. 3629 */ 3630 mutex_exit(&secondary->isaf_lock); 3631 mutex_exit(&primary->isaf_lock); 3632 3633 if (pair_ext != NULL && error == 0) { 3634 /* update pair_spi if it exists. */ 3635 ipsa_query_t sq; 3636 3637 sq.spp = spp; /* XXX param */ 3638 error = sadb_form_query(ksi, IPSA_Q_DST, IPSA_Q_SRC|IPSA_Q_DST| 3639 IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, &sq, diagnostic); 3640 if (error) 3641 return (error); 3642 3643 error = get_ipsa_pair(&sq, &ipsapp, diagnostic); 3644 3645 if (error != 0) 3646 goto error; 3647 3648 if (ipsapp.ipsap_psa_ptr != NULL) { 3649 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY; 3650 error = EINVAL; 3651 } else { 3652 /* update_pairing() sets diagnostic */ 3653 error = update_pairing(&ipsapp, &sq, ksi, diagnostic); 3654 } 3655 } 3656 /* Common error point for this routine. */ 3657 error: 3658 if (newbie != NULL) { 3659 if (error != 0) { 3660 /* This SA is broken, let the reaper clean up. */ 3661 mutex_enter(&newbie->ipsa_lock); 3662 newbie->ipsa_state = IPSA_STATE_DEAD; 3663 newbie->ipsa_hardexpiretime = 1; 3664 mutex_exit(&newbie->ipsa_lock); 3665 } 3666 IPSA_REFRELE(newbie); 3667 } 3668 if (newbie_clone != NULL) { 3669 IPSA_REFRELE(newbie_clone); 3670 } 3671 3672 if (error == 0) { 3673 /* 3674 * Construct favorable PF_KEY return message and send to 3675 * keysock. Update the flags in the original keysock message 3676 * to reflect the actual flags in the new SA. 3677 * (Q: Do I need to pass "newbie"? If I do, 3678 * make sure to REFHOLD, call, then REFRELE.) 3679 */ 3680 assoc->sadb_sa_flags = newbie->ipsa_flags; 3681 sadb_pfkey_echo(pfkey_q, mp, samsg, ksi, NULL); 3682 } 3683 3684 destroy_ipsa_pair(&ipsapp); 3685 return (error); 3686 } 3687 3688 /* 3689 * Set the time of first use for a security association. Update any 3690 * expiration times as a result. 3691 */ 3692 void 3693 sadb_set_usetime(ipsa_t *assoc) 3694 { 3695 time_t snapshot = gethrestime_sec(); 3696 3697 mutex_enter(&assoc->ipsa_lock); 3698 assoc->ipsa_lastuse = snapshot; 3699 assoc->ipsa_idleexpiretime = snapshot + assoc->ipsa_idletime; 3700 3701 /* 3702 * Caller does check usetime before calling me usually, and 3703 * double-checking is better than a mutex_enter/exit hit. 3704 */ 3705 if (assoc->ipsa_usetime == 0) { 3706 /* 3707 * This is redundant for outbound SA's, as 3708 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already. 3709 * Inbound SAs, however, have no such protection. 3710 */ 3711 assoc->ipsa_flags |= IPSA_F_USED; 3712 assoc->ipsa_usetime = snapshot; 3713 3714 /* 3715 * After setting the use time, see if we have a use lifetime 3716 * that would cause the actual SA expiration time to shorten. 3717 */ 3718 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 3719 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 3720 } 3721 mutex_exit(&assoc->ipsa_lock); 3722 } 3723 3724 /* 3725 * Send up a PF_KEY expire message for this association. 3726 */ 3727 static void 3728 sadb_expire_assoc(queue_t *pfkey_q, ipsa_t *assoc) 3729 { 3730 mblk_t *mp, *mp1; 3731 int alloclen, af; 3732 sadb_msg_t *samsg; 3733 sadb_lifetime_t *current, *expire; 3734 sadb_sa_t *saext; 3735 uint8_t *end; 3736 boolean_t tunnel_mode; 3737 3738 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 3739 3740 /* Don't bother sending if there's no queue. */ 3741 if (pfkey_q == NULL) 3742 return; 3743 3744 mp = sadb_keysock_out(0); 3745 if (mp == NULL) { 3746 /* cmn_err(CE_WARN, */ 3747 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */ 3748 return; 3749 } 3750 3751 alloclen = sizeof (*samsg) + sizeof (*current) + sizeof (*expire) + 3752 2 * sizeof (sadb_address_t) + sizeof (*saext); 3753 3754 af = assoc->ipsa_addrfam; 3755 switch (af) { 3756 case AF_INET: 3757 alloclen += 2 * sizeof (struct sockaddr_in); 3758 break; 3759 case AF_INET6: 3760 alloclen += 2 * sizeof (struct sockaddr_in6); 3761 break; 3762 default: 3763 /* Won't happen unless there's a kernel bug. */ 3764 freeb(mp); 3765 cmn_err(CE_WARN, 3766 "sadb_expire_assoc: Unknown address length.\n"); 3767 return; 3768 } 3769 3770 tunnel_mode = (assoc->ipsa_flags & IPSA_F_TUNNEL); 3771 if (tunnel_mode) { 3772 alloclen += 2 * sizeof (sadb_address_t); 3773 switch (assoc->ipsa_innerfam) { 3774 case AF_INET: 3775 alloclen += 2 * sizeof (struct sockaddr_in); 3776 break; 3777 case AF_INET6: 3778 alloclen += 2 * sizeof (struct sockaddr_in6); 3779 break; 3780 default: 3781 /* Won't happen unless there's a kernel bug. */ 3782 freeb(mp); 3783 cmn_err(CE_WARN, "sadb_expire_assoc: " 3784 "Unknown inner address length.\n"); 3785 return; 3786 } 3787 } 3788 3789 mp->b_cont = allocb(alloclen, BPRI_HI); 3790 if (mp->b_cont == NULL) { 3791 freeb(mp); 3792 /* cmn_err(CE_WARN, */ 3793 /* "sadb_expire_assoc: Can't allocate message.\n"); */ 3794 return; 3795 } 3796 3797 mp1 = mp; 3798 mp = mp->b_cont; 3799 end = mp->b_wptr + alloclen; 3800 3801 samsg = (sadb_msg_t *)mp->b_wptr; 3802 mp->b_wptr += sizeof (*samsg); 3803 samsg->sadb_msg_version = PF_KEY_V2; 3804 samsg->sadb_msg_type = SADB_EXPIRE; 3805 samsg->sadb_msg_errno = 0; 3806 samsg->sadb_msg_satype = assoc->ipsa_type; 3807 samsg->sadb_msg_len = SADB_8TO64(alloclen); 3808 samsg->sadb_msg_reserved = 0; 3809 samsg->sadb_msg_seq = 0; 3810 samsg->sadb_msg_pid = 0; 3811 3812 saext = (sadb_sa_t *)mp->b_wptr; 3813 mp->b_wptr += sizeof (*saext); 3814 saext->sadb_sa_len = SADB_8TO64(sizeof (*saext)); 3815 saext->sadb_sa_exttype = SADB_EXT_SA; 3816 saext->sadb_sa_spi = assoc->ipsa_spi; 3817 saext->sadb_sa_replay = assoc->ipsa_replay_wsize; 3818 saext->sadb_sa_state = assoc->ipsa_state; 3819 saext->sadb_sa_auth = assoc->ipsa_auth_alg; 3820 saext->sadb_sa_encrypt = assoc->ipsa_encr_alg; 3821 saext->sadb_sa_flags = assoc->ipsa_flags; 3822 3823 current = (sadb_lifetime_t *)mp->b_wptr; 3824 mp->b_wptr += sizeof (sadb_lifetime_t); 3825 current->sadb_lifetime_len = SADB_8TO64(sizeof (*current)); 3826 current->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 3827 /* We do not support the concept. */ 3828 current->sadb_lifetime_allocations = 0; 3829 current->sadb_lifetime_bytes = assoc->ipsa_bytes; 3830 current->sadb_lifetime_addtime = assoc->ipsa_addtime; 3831 current->sadb_lifetime_usetime = assoc->ipsa_usetime; 3832 3833 expire = (sadb_lifetime_t *)mp->b_wptr; 3834 mp->b_wptr += sizeof (*expire); 3835 expire->sadb_lifetime_len = SADB_8TO64(sizeof (*expire)); 3836 3837 if (assoc->ipsa_state == IPSA_STATE_DEAD) { 3838 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 3839 expire->sadb_lifetime_allocations = assoc->ipsa_hardalloc; 3840 expire->sadb_lifetime_bytes = assoc->ipsa_hardbyteslt; 3841 expire->sadb_lifetime_addtime = assoc->ipsa_hardaddlt; 3842 expire->sadb_lifetime_usetime = assoc->ipsa_harduselt; 3843 } else if (assoc->ipsa_state == IPSA_STATE_DYING) { 3844 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 3845 expire->sadb_lifetime_allocations = assoc->ipsa_softalloc; 3846 expire->sadb_lifetime_bytes = assoc->ipsa_softbyteslt; 3847 expire->sadb_lifetime_addtime = assoc->ipsa_softaddlt; 3848 expire->sadb_lifetime_usetime = assoc->ipsa_softuselt; 3849 } else { 3850 ASSERT(assoc->ipsa_state == IPSA_STATE_MATURE); 3851 expire->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE; 3852 expire->sadb_lifetime_allocations = 0; 3853 expire->sadb_lifetime_bytes = 0; 3854 expire->sadb_lifetime_addtime = assoc->ipsa_idleaddlt; 3855 expire->sadb_lifetime_usetime = assoc->ipsa_idleuselt; 3856 } 3857 3858 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_SRC, 3859 af, assoc->ipsa_srcaddr, tunnel_mode ? 0 : SA_SRCPORT(assoc), 3860 SA_PROTO(assoc), 0); 3861 ASSERT(mp->b_wptr != NULL); 3862 3863 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_DST, 3864 af, assoc->ipsa_dstaddr, tunnel_mode ? 0 : SA_DSTPORT(assoc), 3865 SA_PROTO(assoc), 0); 3866 ASSERT(mp->b_wptr != NULL); 3867 3868 if (tunnel_mode) { 3869 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, 3870 SADB_X_EXT_ADDRESS_INNER_SRC, assoc->ipsa_innerfam, 3871 assoc->ipsa_innersrc, SA_SRCPORT(assoc), SA_IPROTO(assoc), 3872 assoc->ipsa_innersrcpfx); 3873 ASSERT(mp->b_wptr != NULL); 3874 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, 3875 SADB_X_EXT_ADDRESS_INNER_DST, assoc->ipsa_innerfam, 3876 assoc->ipsa_innerdst, SA_DSTPORT(assoc), SA_IPROTO(assoc), 3877 assoc->ipsa_innerdstpfx); 3878 ASSERT(mp->b_wptr != NULL); 3879 } 3880 3881 /* Can just putnext, we're ready to go! */ 3882 putnext(pfkey_q, mp1); 3883 } 3884 3885 /* 3886 * "Age" the SA with the number of bytes that was used to protect traffic. 3887 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was 3888 * enough "charge" left in the SA to protect the data. Return B_FALSE 3889 * otherwise. (If B_FALSE is returned, the association either was, or became 3890 * DEAD.) 3891 */ 3892 boolean_t 3893 sadb_age_bytes(queue_t *pfkey_q, ipsa_t *assoc, uint64_t bytes, 3894 boolean_t sendmsg) 3895 { 3896 boolean_t rc = B_TRUE; 3897 uint64_t newtotal; 3898 3899 mutex_enter(&assoc->ipsa_lock); 3900 newtotal = assoc->ipsa_bytes + bytes; 3901 if (assoc->ipsa_hardbyteslt != 0 && 3902 newtotal >= assoc->ipsa_hardbyteslt) { 3903 if (assoc->ipsa_state != IPSA_STATE_DEAD) { 3904 sadb_delete_cluster(assoc); 3905 /* 3906 * Send EXPIRE message to PF_KEY. May wish to pawn 3907 * this off on another non-interrupt thread. Also 3908 * unlink this SA immediately. 3909 */ 3910 assoc->ipsa_state = IPSA_STATE_DEAD; 3911 if (sendmsg) 3912 sadb_expire_assoc(pfkey_q, assoc); 3913 /* 3914 * Set non-zero expiration time so sadb_age_assoc() 3915 * will work when reaping. 3916 */ 3917 assoc->ipsa_hardexpiretime = (time_t)1; 3918 } /* Else someone beat me to it! */ 3919 rc = B_FALSE; 3920 } else if (assoc->ipsa_softbyteslt != 0 && 3921 (newtotal >= assoc->ipsa_softbyteslt)) { 3922 if (assoc->ipsa_state < IPSA_STATE_DYING) { 3923 /* 3924 * Send EXPIRE message to PF_KEY. May wish to pawn 3925 * this off on another non-interrupt thread. 3926 */ 3927 assoc->ipsa_state = IPSA_STATE_DYING; 3928 assoc->ipsa_bytes = newtotal; 3929 if (sendmsg) 3930 sadb_expire_assoc(pfkey_q, assoc); 3931 } /* Else someone beat me to it! */ 3932 } 3933 if (rc == B_TRUE) 3934 assoc->ipsa_bytes = newtotal; 3935 mutex_exit(&assoc->ipsa_lock); 3936 return (rc); 3937 } 3938 3939 /* 3940 * "Torch" an individual SA. Returns NULL, so it can be tail-called from 3941 * sadb_age_assoc(). 3942 */ 3943 static ipsa_t * 3944 sadb_torch_assoc(isaf_t *head, ipsa_t *sa) 3945 { 3946 ASSERT(MUTEX_HELD(&head->isaf_lock)); 3947 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 3948 ASSERT(sa->ipsa_state == IPSA_STATE_DEAD); 3949 3950 /* 3951 * Force cached SAs to be revalidated.. 3952 */ 3953 head->isaf_gen++; 3954 3955 mutex_exit(&sa->ipsa_lock); 3956 sadb_unlinkassoc(sa); 3957 3958 return (NULL); 3959 } 3960 3961 /* 3962 * Do various SA-is-idle activities depending on delta (the number of idle 3963 * seconds on the SA) and/or other properties of the SA. 3964 * 3965 * Return B_TRUE if I've sent a packet, because I have to drop the 3966 * association's mutex before sending a packet out the wire. 3967 */ 3968 /* ARGSUSED */ 3969 static boolean_t 3970 sadb_idle_activities(ipsa_t *assoc, time_t delta, boolean_t inbound) 3971 { 3972 ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp; 3973 int nat_t_interval = espstack->ipsecesp_nat_keepalive_interval; 3974 3975 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 3976 3977 if (!inbound && (assoc->ipsa_flags & IPSA_F_NATT_LOC) && 3978 delta >= nat_t_interval && 3979 gethrestime_sec() - assoc->ipsa_last_nat_t_ka >= nat_t_interval) { 3980 ASSERT(assoc->ipsa_type == SADB_SATYPE_ESP); 3981 assoc->ipsa_last_nat_t_ka = gethrestime_sec(); 3982 mutex_exit(&assoc->ipsa_lock); 3983 ipsecesp_send_keepalive(assoc); 3984 return (B_TRUE); 3985 } 3986 return (B_FALSE); 3987 } 3988 3989 /* 3990 * Return "assoc" if haspeer is true and I send an expire. This allows 3991 * the consumers' aging functions to tidy up an expired SA's peer. 3992 */ 3993 static ipsa_t * 3994 sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc, 3995 time_t current, int reap_delay, boolean_t inbound) 3996 { 3997 ipsa_t *retval = NULL; 3998 boolean_t dropped_mutex = B_FALSE; 3999 4000 ASSERT(MUTEX_HELD(&head->isaf_lock)); 4001 4002 mutex_enter(&assoc->ipsa_lock); 4003 4004 if (((assoc->ipsa_state == IPSA_STATE_LARVAL) || 4005 ((assoc->ipsa_state == IPSA_STATE_IDLE) || 4006 (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) && 4007 (assoc->ipsa_hardexpiretime != 0))) && 4008 (assoc->ipsa_hardexpiretime <= current)) { 4009 assoc->ipsa_state = IPSA_STATE_DEAD; 4010 return (sadb_torch_assoc(head, assoc)); 4011 } 4012 4013 /* 4014 * Check lifetimes. Fortunately, SA setup is done 4015 * such that there are only two times to look at, 4016 * softexpiretime, and hardexpiretime. 4017 * 4018 * Check hard first. 4019 */ 4020 4021 if (assoc->ipsa_hardexpiretime != 0 && 4022 assoc->ipsa_hardexpiretime <= current) { 4023 if (assoc->ipsa_state == IPSA_STATE_DEAD) 4024 return (sadb_torch_assoc(head, assoc)); 4025 4026 if (inbound) { 4027 sadb_delete_cluster(assoc); 4028 } 4029 4030 /* 4031 * Send SADB_EXPIRE with hard lifetime, delay for unlinking. 4032 */ 4033 assoc->ipsa_state = IPSA_STATE_DEAD; 4034 if (assoc->ipsa_haspeer || assoc->ipsa_otherspi != 0) { 4035 /* 4036 * If the SA is paired or peered with another, put 4037 * a copy on a list which can be processed later, the 4038 * pair/peer SA needs to be updated so the both die 4039 * at the same time. 4040 * 4041 * If I return assoc, I have to bump up its reference 4042 * count to keep with the ipsa_t reference count 4043 * semantics. 4044 */ 4045 IPSA_REFHOLD(assoc); 4046 retval = assoc; 4047 } 4048 sadb_expire_assoc(pfkey_q, assoc); 4049 assoc->ipsa_hardexpiretime = current + reap_delay; 4050 } else if (assoc->ipsa_softexpiretime != 0 && 4051 assoc->ipsa_softexpiretime <= current && 4052 assoc->ipsa_state < IPSA_STATE_DYING) { 4053 /* 4054 * Send EXPIRE message to PF_KEY. May wish to pawn 4055 * this off on another non-interrupt thread. 4056 */ 4057 assoc->ipsa_state = IPSA_STATE_DYING; 4058 if (assoc->ipsa_haspeer) { 4059 /* 4060 * If the SA has a peer, update the peer's state 4061 * on SOFT_EXPIRE, this is mostly to prevent two 4062 * expire messages from effectively the same SA. 4063 * 4064 * Don't care about paired SA's, then can (and should) 4065 * be able to soft expire at different times. 4066 * 4067 * If I return assoc, I have to bump up its 4068 * reference count to keep with the ipsa_t reference 4069 * count semantics. 4070 */ 4071 IPSA_REFHOLD(assoc); 4072 retval = assoc; 4073 } 4074 sadb_expire_assoc(pfkey_q, assoc); 4075 } else if (assoc->ipsa_idletime != 0 && 4076 assoc->ipsa_idleexpiretime <= current) { 4077 if (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) { 4078 assoc->ipsa_state = IPSA_STATE_IDLE; 4079 } 4080 4081 /* 4082 * Need to handle Mature case 4083 */ 4084 if (assoc->ipsa_state == IPSA_STATE_MATURE) { 4085 sadb_expire_assoc(pfkey_q, assoc); 4086 } 4087 } else { 4088 /* Check idle time activities. */ 4089 dropped_mutex = sadb_idle_activities(assoc, 4090 current - assoc->ipsa_lastuse, inbound); 4091 } 4092 4093 if (!dropped_mutex) 4094 mutex_exit(&assoc->ipsa_lock); 4095 return (retval); 4096 } 4097 4098 /* 4099 * Called by a consumer protocol to do ther dirty work of reaping dead 4100 * Security Associations. 4101 * 4102 * NOTE: sadb_age_assoc() marks expired SA's as DEAD but only removed 4103 * SA's that are already marked DEAD, so expired SA's are only reaped 4104 * the second time sadb_ager() runs. 4105 */ 4106 void 4107 sadb_ager(sadb_t *sp, queue_t *pfkey_q, int reap_delay, netstack_t *ns) 4108 { 4109 int i; 4110 isaf_t *bucket; 4111 ipsa_t *assoc, *spare; 4112 iacqf_t *acqlist; 4113 ipsacq_t *acqrec, *spareacq; 4114 templist_t *haspeerlist, *newbie; 4115 /* Snapshot current time now. */ 4116 time_t current = gethrestime_sec(); 4117 haspeerlist = NULL; 4118 4119 /* 4120 * Do my dirty work. This includes aging real entries, aging 4121 * larvals, and aging outstanding ACQUIREs. 4122 * 4123 * I hope I don't tie up resources for too long. 4124 */ 4125 4126 /* Age acquires. */ 4127 4128 for (i = 0; i < sp->sdb_hashsize; i++) { 4129 acqlist = &sp->sdb_acq[i]; 4130 mutex_enter(&acqlist->iacqf_lock); 4131 for (acqrec = acqlist->iacqf_ipsacq; acqrec != NULL; 4132 acqrec = spareacq) { 4133 spareacq = acqrec->ipsacq_next; 4134 if (current > acqrec->ipsacq_expire) 4135 sadb_destroy_acquire(acqrec, ns); 4136 } 4137 mutex_exit(&acqlist->iacqf_lock); 4138 } 4139 4140 /* Age inbound associations. */ 4141 for (i = 0; i < sp->sdb_hashsize; i++) { 4142 bucket = &(sp->sdb_if[i]); 4143 mutex_enter(&bucket->isaf_lock); 4144 for (assoc = bucket->isaf_ipsa; assoc != NULL; 4145 assoc = spare) { 4146 spare = assoc->ipsa_next; 4147 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 4148 reap_delay, B_TRUE) != NULL) { 4149 /* 4150 * Put SA's which have a peer or SA's which 4151 * are paired on a list for processing after 4152 * all the hash tables have been walked. 4153 * 4154 * sadb_age_assoc() increments the refcnt, 4155 * effectively doing an IPSA_REFHOLD(). 4156 */ 4157 newbie = kmem_alloc(sizeof (*newbie), 4158 KM_NOSLEEP); 4159 if (newbie == NULL) { 4160 /* 4161 * Don't forget to REFRELE(). 4162 */ 4163 IPSA_REFRELE(assoc); 4164 continue; /* for loop... */ 4165 } 4166 newbie->next = haspeerlist; 4167 newbie->ipsa = assoc; 4168 haspeerlist = newbie; 4169 } 4170 } 4171 mutex_exit(&bucket->isaf_lock); 4172 } 4173 4174 age_pair_peer_list(haspeerlist, sp, B_FALSE); 4175 haspeerlist = NULL; 4176 4177 /* Age outbound associations. */ 4178 for (i = 0; i < sp->sdb_hashsize; i++) { 4179 bucket = &(sp->sdb_of[i]); 4180 mutex_enter(&bucket->isaf_lock); 4181 for (assoc = bucket->isaf_ipsa; assoc != NULL; 4182 assoc = spare) { 4183 spare = assoc->ipsa_next; 4184 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 4185 reap_delay, B_FALSE) != NULL) { 4186 /* 4187 * sadb_age_assoc() increments the refcnt, 4188 * effectively doing an IPSA_REFHOLD(). 4189 */ 4190 newbie = kmem_alloc(sizeof (*newbie), 4191 KM_NOSLEEP); 4192 if (newbie == NULL) { 4193 /* 4194 * Don't forget to REFRELE(). 4195 */ 4196 IPSA_REFRELE(assoc); 4197 continue; /* for loop... */ 4198 } 4199 newbie->next = haspeerlist; 4200 newbie->ipsa = assoc; 4201 haspeerlist = newbie; 4202 } 4203 } 4204 mutex_exit(&bucket->isaf_lock); 4205 } 4206 4207 age_pair_peer_list(haspeerlist, sp, B_TRUE); 4208 4209 /* 4210 * Run a GC pass to clean out dead identities. 4211 */ 4212 ipsid_gc(ns); 4213 } 4214 4215 /* 4216 * Figure out when to reschedule the ager. 4217 */ 4218 timeout_id_t 4219 sadb_retimeout(hrtime_t begin, queue_t *pfkey_q, void (*ager)(void *), 4220 void *agerarg, uint_t *intp, uint_t intmax, short mid) 4221 { 4222 hrtime_t end = gethrtime(); 4223 uint_t interval = *intp; /* "interval" is in ms. */ 4224 4225 /* 4226 * See how long this took. If it took too long, increase the 4227 * aging interval. 4228 */ 4229 if ((end - begin) > MSEC2NSEC(interval)) { 4230 if (interval >= intmax) { 4231 /* XXX Rate limit this? Or recommend flush? */ 4232 (void) strlog(mid, 0, 0, SL_ERROR | SL_WARN, 4233 "Too many SA's to age out in %d msec.\n", 4234 intmax); 4235 } else { 4236 /* Double by shifting by one bit. */ 4237 interval <<= 1; 4238 interval = min(interval, intmax); 4239 } 4240 } else if ((end - begin) <= (MSEC2NSEC(interval) / 2) && 4241 interval > SADB_AGE_INTERVAL_DEFAULT) { 4242 /* 4243 * If I took less than half of the interval, then I should 4244 * ratchet the interval back down. Never automatically 4245 * shift below the default aging interval. 4246 * 4247 * NOTE:This even overrides manual setting of the age 4248 * interval using NDD to lower the setting past the 4249 * default. In other words, if you set the interval 4250 * lower than the default, and your SADB gets too big, 4251 * the interval will only self-lower back to the default. 4252 */ 4253 /* Halve by shifting one bit. */ 4254 interval >>= 1; 4255 interval = max(interval, SADB_AGE_INTERVAL_DEFAULT); 4256 } 4257 *intp = interval; 4258 return (qtimeout(pfkey_q, ager, agerarg, 4259 drv_usectohz(interval * (MICROSEC / MILLISEC)))); 4260 } 4261 4262 4263 /* 4264 * Update the lifetime values of an SA. This is the path an SADB_UPDATE 4265 * message takes when updating a MATURE or DYING SA. 4266 */ 4267 static void 4268 sadb_update_lifetimes(ipsa_t *assoc, sadb_lifetime_t *hard, 4269 sadb_lifetime_t *soft, sadb_lifetime_t *idle, boolean_t outbound) 4270 { 4271 mutex_enter(&assoc->ipsa_lock); 4272 4273 /* 4274 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be 4275 * passed in during an update message. We currently don't handle 4276 * these. 4277 */ 4278 4279 if (hard != NULL) { 4280 if (hard->sadb_lifetime_bytes != 0) 4281 assoc->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 4282 if (hard->sadb_lifetime_usetime != 0) 4283 assoc->ipsa_harduselt = hard->sadb_lifetime_usetime; 4284 if (hard->sadb_lifetime_addtime != 0) 4285 assoc->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 4286 if (assoc->ipsa_hardaddlt != 0) { 4287 assoc->ipsa_hardexpiretime = 4288 assoc->ipsa_addtime + assoc->ipsa_hardaddlt; 4289 } 4290 if (assoc->ipsa_harduselt != 0 && 4291 assoc->ipsa_flags & IPSA_F_USED) { 4292 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 4293 } 4294 if (hard->sadb_lifetime_allocations != 0) 4295 assoc->ipsa_hardalloc = hard->sadb_lifetime_allocations; 4296 } 4297 4298 if (soft != NULL) { 4299 if (soft->sadb_lifetime_bytes != 0) { 4300 if (soft->sadb_lifetime_bytes > 4301 assoc->ipsa_hardbyteslt) { 4302 assoc->ipsa_softbyteslt = 4303 assoc->ipsa_hardbyteslt; 4304 } else { 4305 assoc->ipsa_softbyteslt = 4306 soft->sadb_lifetime_bytes; 4307 } 4308 } 4309 if (soft->sadb_lifetime_usetime != 0) { 4310 if (soft->sadb_lifetime_usetime > 4311 assoc->ipsa_harduselt) { 4312 assoc->ipsa_softuselt = 4313 assoc->ipsa_harduselt; 4314 } else { 4315 assoc->ipsa_softuselt = 4316 soft->sadb_lifetime_usetime; 4317 } 4318 } 4319 if (soft->sadb_lifetime_addtime != 0) { 4320 if (soft->sadb_lifetime_addtime > 4321 assoc->ipsa_hardexpiretime) { 4322 assoc->ipsa_softexpiretime = 4323 assoc->ipsa_hardexpiretime; 4324 } else { 4325 assoc->ipsa_softaddlt = 4326 soft->sadb_lifetime_addtime; 4327 } 4328 } 4329 if (assoc->ipsa_softaddlt != 0) { 4330 assoc->ipsa_softexpiretime = 4331 assoc->ipsa_addtime + assoc->ipsa_softaddlt; 4332 } 4333 if (assoc->ipsa_softuselt != 0 && 4334 assoc->ipsa_flags & IPSA_F_USED) { 4335 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 4336 } 4337 if (outbound && assoc->ipsa_softexpiretime != 0) { 4338 if (assoc->ipsa_state == IPSA_STATE_MATURE) 4339 lifetime_fuzz(assoc); 4340 } 4341 4342 if (soft->sadb_lifetime_allocations != 0) 4343 assoc->ipsa_softalloc = soft->sadb_lifetime_allocations; 4344 } 4345 4346 if (idle != NULL) { 4347 time_t current = gethrestime_sec(); 4348 if ((assoc->ipsa_idleexpiretime <= current) && 4349 (assoc->ipsa_idleaddlt == idle->sadb_lifetime_addtime)) { 4350 assoc->ipsa_idleexpiretime = 4351 current + assoc->ipsa_idleaddlt; 4352 } 4353 if (idle->sadb_lifetime_addtime != 0) 4354 assoc->ipsa_idleaddlt = idle->sadb_lifetime_addtime; 4355 if (idle->sadb_lifetime_usetime != 0) 4356 assoc->ipsa_idleuselt = idle->sadb_lifetime_usetime; 4357 if (assoc->ipsa_idleaddlt != 0) { 4358 assoc->ipsa_idleexpiretime = 4359 current + idle->sadb_lifetime_addtime; 4360 assoc->ipsa_idletime = idle->sadb_lifetime_addtime; 4361 } 4362 if (assoc->ipsa_idleuselt != 0) { 4363 if (assoc->ipsa_idletime != 0) { 4364 assoc->ipsa_idletime = min(assoc->ipsa_idletime, 4365 assoc->ipsa_idleuselt); 4366 assoc->ipsa_idleexpiretime = 4367 current + assoc->ipsa_idletime; 4368 } else { 4369 assoc->ipsa_idleexpiretime = 4370 current + assoc->ipsa_idleuselt; 4371 assoc->ipsa_idletime = assoc->ipsa_idleuselt; 4372 } 4373 } 4374 } 4375 mutex_exit(&assoc->ipsa_lock); 4376 } 4377 4378 static int 4379 sadb_update_state(ipsa_t *assoc, uint_t new_state, mblk_t **ipkt_lst) 4380 { 4381 int rcode = 0; 4382 time_t current = gethrestime_sec(); 4383 4384 mutex_enter(&assoc->ipsa_lock); 4385 4386 switch (new_state) { 4387 case SADB_X_SASTATE_ACTIVE_ELSEWHERE: 4388 if (assoc->ipsa_state == SADB_X_SASTATE_IDLE) { 4389 assoc->ipsa_state = IPSA_STATE_ACTIVE_ELSEWHERE; 4390 assoc->ipsa_idleexpiretime = 4391 current + assoc->ipsa_idletime; 4392 } 4393 break; 4394 case SADB_X_SASTATE_IDLE: 4395 if (assoc->ipsa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) { 4396 assoc->ipsa_state = IPSA_STATE_IDLE; 4397 assoc->ipsa_idleexpiretime = 4398 current + assoc->ipsa_idletime; 4399 } else { 4400 rcode = EINVAL; 4401 } 4402 break; 4403 4404 case SADB_X_SASTATE_ACTIVE: 4405 if (assoc->ipsa_state != SADB_X_SASTATE_IDLE) { 4406 rcode = EINVAL; 4407 break; 4408 } 4409 assoc->ipsa_state = IPSA_STATE_MATURE; 4410 assoc->ipsa_idleexpiretime = current + assoc->ipsa_idletime; 4411 4412 if (ipkt_lst == NULL) { 4413 break; 4414 } 4415 4416 if (assoc->ipsa_bpkt_head != NULL) { 4417 *ipkt_lst = assoc->ipsa_bpkt_head; 4418 assoc->ipsa_bpkt_head = assoc->ipsa_bpkt_tail = NULL; 4419 assoc->ipsa_mblkcnt = 0; 4420 } else { 4421 *ipkt_lst = NULL; 4422 } 4423 break; 4424 default: 4425 rcode = EINVAL; 4426 break; 4427 } 4428 4429 mutex_exit(&assoc->ipsa_lock); 4430 return (rcode); 4431 } 4432 4433 /* 4434 * Check a proposed KMC update for sanity. 4435 */ 4436 static int 4437 sadb_check_kmc(ipsa_query_t *sq, ipsa_t *sa, int *diagnostic) 4438 { 4439 uint32_t kmp = sq->kmp; 4440 uint32_t kmc = sq->kmc; 4441 4442 if (sa == NULL) 4443 return (0); 4444 4445 if (sa->ipsa_state == IPSA_STATE_DEAD) 4446 return (ESRCH); /* DEAD == Not there, in this case. */ 4447 4448 if ((kmp != 0) && ((sa->ipsa_kmp != 0) || (sa->ipsa_kmp != kmp))) { 4449 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 4450 return (EINVAL); 4451 } 4452 4453 if ((kmc != 0) && ((sa->ipsa_kmc != 0) || (sa->ipsa_kmc != kmc))) { 4454 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 4455 return (EINVAL); 4456 } 4457 4458 return (0); 4459 } 4460 4461 /* 4462 * Actually update the KMC info. 4463 */ 4464 static void 4465 sadb_update_kmc(ipsa_query_t *sq, ipsa_t *sa) 4466 { 4467 uint32_t kmp = sq->kmp; 4468 uint32_t kmc = sq->kmc; 4469 4470 if (kmp != 0) 4471 sa->ipsa_kmp = kmp; 4472 if (kmc != 0) 4473 sa->ipsa_kmc = kmc; 4474 } 4475 4476 /* 4477 * Common code to update an SA. 4478 */ 4479 4480 int 4481 sadb_update_sa(mblk_t *mp, keysock_in_t *ksi, mblk_t **ipkt_lst, 4482 sadbp_t *spp, int *diagnostic, queue_t *pfkey_q, 4483 int (*add_sa_func)(mblk_t *, keysock_in_t *, int *, netstack_t *), 4484 netstack_t *ns, uint8_t sadb_msg_type) 4485 { 4486 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 4487 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 4488 sadb_x_replay_ctr_t *replext = 4489 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE]; 4490 sadb_lifetime_t *soft = 4491 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 4492 sadb_lifetime_t *hard = 4493 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 4494 sadb_lifetime_t *idle = 4495 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE]; 4496 sadb_x_pair_t *pair_ext = 4497 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 4498 ipsa_t *echo_target = NULL; 4499 ipsap_t ipsapp; 4500 ipsa_query_t sq; 4501 time_t current = gethrestime_sec(); 4502 4503 sq.spp = spp; /* XXX param */ 4504 int error = sadb_form_query(ksi, IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA, 4505 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, 4506 &sq, diagnostic); 4507 4508 if (error != 0) 4509 return (error); 4510 4511 error = get_ipsa_pair(&sq, &ipsapp, diagnostic); 4512 if (error != 0) 4513 return (error); 4514 4515 if (ipsapp.ipsap_psa_ptr == NULL && ipsapp.ipsap_sa_ptr != NULL) { 4516 if (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) { 4517 /* 4518 * REFRELE the target and let the add_sa_func() 4519 * deal with updating a larval SA. 4520 */ 4521 destroy_ipsa_pair(&ipsapp); 4522 return (add_sa_func(mp, ksi, diagnostic, ns)); 4523 } 4524 } 4525 4526 /* 4527 * At this point we have an UPDATE to a MATURE SA. There should 4528 * not be any keying material present. 4529 */ 4530 if (akey != NULL) { 4531 *diagnostic = SADB_X_DIAGNOSTIC_AKEY_PRESENT; 4532 error = EINVAL; 4533 goto bail; 4534 } 4535 if (ekey != NULL) { 4536 *diagnostic = SADB_X_DIAGNOSTIC_EKEY_PRESENT; 4537 error = EINVAL; 4538 goto bail; 4539 } 4540 4541 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) { 4542 if (ipsapp.ipsap_sa_ptr != NULL && 4543 ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_IDLE) { 4544 if ((error = sadb_update_state(ipsapp.ipsap_sa_ptr, 4545 sq.assoc->sadb_sa_state, NULL)) != 0) { 4546 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4547 goto bail; 4548 } 4549 } 4550 if (ipsapp.ipsap_psa_ptr != NULL && 4551 ipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_IDLE) { 4552 if ((error = sadb_update_state(ipsapp.ipsap_psa_ptr, 4553 sq.assoc->sadb_sa_state, NULL)) != 0) { 4554 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4555 goto bail; 4556 } 4557 } 4558 } 4559 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE) { 4560 if (ipsapp.ipsap_sa_ptr != NULL) { 4561 error = sadb_update_state(ipsapp.ipsap_sa_ptr, 4562 sq.assoc->sadb_sa_state, 4563 (ipsapp.ipsap_sa_ptr->ipsa_flags & 4564 IPSA_F_INBOUND) ? ipkt_lst : NULL); 4565 if (error) { 4566 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4567 goto bail; 4568 } 4569 } 4570 if (ipsapp.ipsap_psa_ptr != NULL) { 4571 error = sadb_update_state(ipsapp.ipsap_psa_ptr, 4572 sq.assoc->sadb_sa_state, 4573 (ipsapp.ipsap_psa_ptr->ipsa_flags & 4574 IPSA_F_INBOUND) ? ipkt_lst : NULL); 4575 if (error) { 4576 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4577 goto bail; 4578 } 4579 } 4580 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 4581 ksi, echo_target); 4582 goto bail; 4583 } 4584 4585 /* 4586 * Reality checks for updates of active associations. 4587 * Sundry first-pass UPDATE-specific reality checks. 4588 * Have to do the checks here, because it's after the add_sa code. 4589 * XXX STATS : logging/stats here? 4590 */ 4591 4592 if (!((sq.assoc->sadb_sa_state == SADB_SASTATE_MATURE) || 4593 (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE))) { 4594 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4595 error = EINVAL; 4596 goto bail; 4597 } 4598 if (sq.assoc->sadb_sa_flags & ~spp->s_updateflags) { 4599 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS; 4600 error = EINVAL; 4601 goto bail; 4602 } 4603 if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL) { 4604 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_LIFETIME; 4605 error = EOPNOTSUPP; 4606 goto bail; 4607 } 4608 4609 if ((*diagnostic = sadb_hardsoftchk(hard, soft, idle)) != 0) { 4610 error = EINVAL; 4611 goto bail; 4612 } 4613 4614 if ((*diagnostic = sadb_labelchk(ksi)) != 0) 4615 return (EINVAL); 4616 4617 error = sadb_check_kmc(&sq, ipsapp.ipsap_sa_ptr, diagnostic); 4618 if (error != 0) 4619 goto bail; 4620 4621 error = sadb_check_kmc(&sq, ipsapp.ipsap_psa_ptr, diagnostic); 4622 if (error != 0) 4623 goto bail; 4624 4625 4626 if (ipsapp.ipsap_sa_ptr != NULL) { 4627 /* 4628 * Do not allow replay value change for MATURE or LARVAL SA. 4629 */ 4630 4631 if ((replext != NULL) && 4632 ((ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) || 4633 (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_MATURE))) { 4634 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4635 error = EINVAL; 4636 goto bail; 4637 } 4638 } 4639 4640 4641 if (ipsapp.ipsap_sa_ptr != NULL) { 4642 sadb_update_lifetimes(ipsapp.ipsap_sa_ptr, hard, soft, 4643 idle, B_TRUE); 4644 sadb_update_kmc(&sq, ipsapp.ipsap_sa_ptr); 4645 if ((replext != NULL) && 4646 (ipsapp.ipsap_sa_ptr->ipsa_replay_wsize != 0)) { 4647 /* 4648 * If an inbound SA, update the replay counter 4649 * and check off all the other sequence number 4650 */ 4651 if (ksi->ks_in_dsttype == KS_IN_ADDR_ME) { 4652 if (!sadb_replay_check(ipsapp.ipsap_sa_ptr, 4653 replext->sadb_x_rc_replay32)) { 4654 *diagnostic = 4655 SADB_X_DIAGNOSTIC_INVALID_REPLAY; 4656 error = EINVAL; 4657 goto bail; 4658 } 4659 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock); 4660 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime = 4661 current + 4662 ipsapp.ipsap_sa_ptr->ipsa_idletime; 4663 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock); 4664 } else { 4665 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock); 4666 ipsapp.ipsap_sa_ptr->ipsa_replay = 4667 replext->sadb_x_rc_replay32; 4668 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime = 4669 current + 4670 ipsapp.ipsap_sa_ptr->ipsa_idletime; 4671 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock); 4672 } 4673 } 4674 } 4675 4676 if (sadb_msg_type == SADB_X_UPDATEPAIR) { 4677 if (ipsapp.ipsap_psa_ptr != NULL) { 4678 sadb_update_lifetimes(ipsapp.ipsap_psa_ptr, hard, soft, 4679 idle, B_FALSE); 4680 sadb_update_kmc(&sq, ipsapp.ipsap_psa_ptr); 4681 } else { 4682 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 4683 error = ESRCH; 4684 goto bail; 4685 } 4686 } 4687 4688 if (pair_ext != NULL) 4689 error = update_pairing(&ipsapp, &sq, ksi, diagnostic); 4690 4691 if (error == 0) 4692 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 4693 ksi, echo_target); 4694 bail: 4695 4696 destroy_ipsa_pair(&ipsapp); 4697 4698 return (error); 4699 } 4700 4701 4702 static int 4703 update_pairing(ipsap_t *ipsapp, ipsa_query_t *sq, keysock_in_t *ksi, 4704 int *diagnostic) 4705 { 4706 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 4707 sadb_x_pair_t *pair_ext = 4708 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 4709 int error = 0; 4710 ipsap_t oipsapp; 4711 boolean_t undo_pair = B_FALSE; 4712 uint32_t ipsa_flags; 4713 4714 if (pair_ext->sadb_x_pair_spi == 0 || pair_ext->sadb_x_pair_spi == 4715 assoc->sadb_sa_spi) { 4716 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4717 return (EINVAL); 4718 } 4719 4720 /* 4721 * Assume for now that the spi value provided in the SADB_UPDATE 4722 * message was valid, update the SA with its pair spi value. 4723 * If the spi turns out to be bogus or the SA no longer exists 4724 * then this will be detected when the reverse update is made 4725 * below. 4726 */ 4727 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4728 ipsapp->ipsap_sa_ptr->ipsa_flags |= IPSA_F_PAIRED; 4729 ipsapp->ipsap_sa_ptr->ipsa_otherspi = pair_ext->sadb_x_pair_spi; 4730 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4731 4732 /* 4733 * After updating the ipsa_otherspi element of the SA, get_ipsa_pair() 4734 * should now return pointers to the SA *AND* its pair, if this is not 4735 * the case, the "otherspi" either did not exist or was deleted. Also 4736 * check that "otherspi" is not already paired. If everything looks 4737 * good, complete the update. IPSA_REFRELE the first pair_pointer 4738 * after this update to ensure its not deleted until we are done. 4739 */ 4740 error = get_ipsa_pair(sq, &oipsapp, diagnostic); 4741 if (error != 0) { 4742 /* 4743 * This should never happen, calling function still has 4744 * IPSA_REFHELD on the SA we just updated. 4745 */ 4746 return (error); /* XXX EINVAL instead of ESRCH? */ 4747 } 4748 4749 if (oipsapp.ipsap_psa_ptr == NULL) { 4750 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4751 error = EINVAL; 4752 undo_pair = B_TRUE; 4753 } else { 4754 ipsa_flags = oipsapp.ipsap_psa_ptr->ipsa_flags; 4755 if ((oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DEAD) || 4756 (oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DYING)) { 4757 /* Its dead Jim! */ 4758 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4759 undo_pair = B_TRUE; 4760 } else if ((ipsa_flags & (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) == 4761 (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) { 4762 /* This SA is in both hashtables. */ 4763 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4764 undo_pair = B_TRUE; 4765 } else if (ipsa_flags & IPSA_F_PAIRED) { 4766 /* This SA is already paired with another. */ 4767 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY; 4768 undo_pair = B_TRUE; 4769 } 4770 } 4771 4772 if (undo_pair) { 4773 /* The pair SA does not exist. */ 4774 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4775 ipsapp->ipsap_sa_ptr->ipsa_flags &= ~IPSA_F_PAIRED; 4776 ipsapp->ipsap_sa_ptr->ipsa_otherspi = 0; 4777 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4778 } else { 4779 mutex_enter(&oipsapp.ipsap_psa_ptr->ipsa_lock); 4780 oipsapp.ipsap_psa_ptr->ipsa_otherspi = assoc->sadb_sa_spi; 4781 oipsapp.ipsap_psa_ptr->ipsa_flags |= IPSA_F_PAIRED; 4782 mutex_exit(&oipsapp.ipsap_psa_ptr->ipsa_lock); 4783 } 4784 4785 destroy_ipsa_pair(&oipsapp); 4786 return (error); 4787 } 4788 4789 /* 4790 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is 4791 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails 4792 * for an outbound datagram, that datagram is queued up on an ACQUIRE record, 4793 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key 4794 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve 4795 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the 4796 * other direction's SA. 4797 */ 4798 4799 /* 4800 * Check the ACQUIRE lists. If there's an existing ACQUIRE record, 4801 * grab it, lock it, and return it. Otherwise return NULL. 4802 * 4803 * XXX MLS number of arguments getting unwieldy here 4804 */ 4805 static ipsacq_t * 4806 sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp, 4807 uint32_t *src, uint32_t *dst, uint32_t *isrc, uint32_t *idst, 4808 uint64_t unique_id, ts_label_t *tsl) 4809 { 4810 ipsacq_t *walker; 4811 sa_family_t fam; 4812 uint32_t blank_address[4] = {0, 0, 0, 0}; 4813 4814 if (isrc == NULL) { 4815 ASSERT(idst == NULL); 4816 isrc = idst = blank_address; 4817 } 4818 4819 /* 4820 * Scan list for duplicates. Check for UNIQUE, src/dest, policy. 4821 * 4822 * XXX May need search for duplicates based on other things too! 4823 */ 4824 for (walker = bucket->iacqf_ipsacq; walker != NULL; 4825 walker = walker->ipsacq_next) { 4826 mutex_enter(&walker->ipsacq_lock); 4827 fam = walker->ipsacq_addrfam; 4828 if (IPSA_ARE_ADDR_EQUAL(dst, walker->ipsacq_dstaddr, fam) && 4829 IPSA_ARE_ADDR_EQUAL(src, walker->ipsacq_srcaddr, fam) && 4830 ip_addr_match((uint8_t *)isrc, walker->ipsacq_innersrcpfx, 4831 (in6_addr_t *)walker->ipsacq_innersrc) && 4832 ip_addr_match((uint8_t *)idst, walker->ipsacq_innerdstpfx, 4833 (in6_addr_t *)walker->ipsacq_innerdst) && 4834 (ap == walker->ipsacq_act) && 4835 (pp == walker->ipsacq_policy) && 4836 /* XXX do deep compares of ap/pp? */ 4837 (unique_id == walker->ipsacq_unique_id) && 4838 (ipsec_label_match(tsl, walker->ipsacq_tsl))) 4839 break; /* everything matched */ 4840 mutex_exit(&walker->ipsacq_lock); 4841 } 4842 4843 return (walker); 4844 } 4845 4846 /* 4847 * For this mblk, insert a new acquire record. Assume bucket contains addrs 4848 * of all of the same length. Give up (and drop) if memory 4849 * cannot be allocated for a new one; otherwise, invoke callback to 4850 * send the acquire up.. 4851 * 4852 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE 4853 * list. The ah_add_sa_finish() routines can look at the packet's attached 4854 * attributes and handle this case specially. 4855 */ 4856 void 4857 sadb_acquire(mblk_t *datamp, ip_xmit_attr_t *ixa, boolean_t need_ah, 4858 boolean_t need_esp) 4859 { 4860 mblk_t *asyncmp; 4861 sadbp_t *spp; 4862 sadb_t *sp; 4863 ipsacq_t *newbie; 4864 iacqf_t *bucket; 4865 mblk_t *extended; 4866 ipha_t *ipha = (ipha_t *)datamp->b_rptr; 4867 ip6_t *ip6h = (ip6_t *)datamp->b_rptr; 4868 uint32_t *src, *dst, *isrc, *idst; 4869 ipsec_policy_t *pp = ixa->ixa_ipsec_policy; 4870 ipsec_action_t *ap = ixa->ixa_ipsec_action; 4871 sa_family_t af; 4872 int hashoffset; 4873 uint32_t seq; 4874 uint64_t unique_id = 0; 4875 ipsec_selector_t sel; 4876 boolean_t tunnel_mode = (ixa->ixa_flags & IXAF_IPSEC_TUNNEL) != 0; 4877 ts_label_t *tsl = NULL; 4878 netstack_t *ns = ixa->ixa_ipst->ips_netstack; 4879 ipsec_stack_t *ipss = ns->netstack_ipsec; 4880 sadb_sens_t *sens = NULL; 4881 int sens_len; 4882 4883 ASSERT((pp != NULL) || (ap != NULL)); 4884 4885 ASSERT(need_ah != NULL || need_esp != NULL); 4886 4887 /* Assign sadb pointers */ 4888 if (need_esp) { /* ESP for AH+ESP */ 4889 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 4890 4891 spp = &espstack->esp_sadb; 4892 } else { 4893 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 4894 4895 spp = &ahstack->ah_sadb; 4896 } 4897 sp = (ixa->ixa_flags & IXAF_IS_IPV4) ? &spp->s_v4 : &spp->s_v6; 4898 4899 if (is_system_labeled()) 4900 tsl = ixa->ixa_tsl; 4901 4902 if (ap == NULL) 4903 ap = pp->ipsp_act; 4904 4905 ASSERT(ap != NULL); 4906 4907 if (ap->ipa_act.ipa_apply.ipp_use_unique || tunnel_mode) 4908 unique_id = SA_FORM_UNIQUE_ID(ixa); 4909 4910 /* 4911 * Set up an ACQUIRE record. 4912 * 4913 * Immediately, make sure the ACQUIRE sequence number doesn't slip 4914 * below the lowest point allowed in the kernel. (In other words, 4915 * make sure the high bit on the sequence number is set.) 4916 */ 4917 4918 seq = keysock_next_seq(ns) | IACQF_LOWEST_SEQ; 4919 4920 if (IPH_HDR_VERSION(ipha) == IP_VERSION) { 4921 src = (uint32_t *)&ipha->ipha_src; 4922 dst = (uint32_t *)&ipha->ipha_dst; 4923 af = AF_INET; 4924 hashoffset = OUTBOUND_HASH_V4(sp, ipha->ipha_dst); 4925 ASSERT(ixa->ixa_flags & IXAF_IS_IPV4); 4926 } else { 4927 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION); 4928 src = (uint32_t *)&ip6h->ip6_src; 4929 dst = (uint32_t *)&ip6h->ip6_dst; 4930 af = AF_INET6; 4931 hashoffset = OUTBOUND_HASH_V6(sp, ip6h->ip6_dst); 4932 ASSERT(!(ixa->ixa_flags & IXAF_IS_IPV4)); 4933 } 4934 4935 if (tunnel_mode) { 4936 if (pp == NULL) { 4937 /* 4938 * Tunnel mode with no policy pointer means this is a 4939 * reflected ICMP (like a ECHO REQUEST) that came in 4940 * with self-encapsulated protection. Until we better 4941 * support this, drop the packet. 4942 */ 4943 ip_drop_packet(datamp, B_FALSE, NULL, 4944 DROPPER(ipss, ipds_spd_got_selfencap), 4945 &ipss->ipsec_spd_dropper); 4946 return; 4947 } 4948 /* Snag inner addresses. */ 4949 isrc = ixa->ixa_ipsec_insrc; 4950 idst = ixa->ixa_ipsec_indst; 4951 } else { 4952 isrc = idst = NULL; 4953 } 4954 4955 /* 4956 * Check buckets to see if there is an existing entry. If so, 4957 * grab it. sadb_checkacquire locks newbie if found. 4958 */ 4959 bucket = &(sp->sdb_acq[hashoffset]); 4960 mutex_enter(&bucket->iacqf_lock); 4961 newbie = sadb_checkacquire(bucket, ap, pp, src, dst, isrc, idst, 4962 unique_id, tsl); 4963 4964 if (newbie == NULL) { 4965 /* 4966 * Otherwise, allocate a new one. 4967 */ 4968 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP); 4969 if (newbie == NULL) { 4970 mutex_exit(&bucket->iacqf_lock); 4971 ip_drop_packet(datamp, B_FALSE, NULL, 4972 DROPPER(ipss, ipds_sadb_acquire_nomem), 4973 &ipss->ipsec_sadb_dropper); 4974 return; 4975 } 4976 newbie->ipsacq_policy = pp; 4977 if (pp != NULL) { 4978 IPPOL_REFHOLD(pp); 4979 } 4980 IPACT_REFHOLD(ap); 4981 newbie->ipsacq_act = ap; 4982 newbie->ipsacq_linklock = &bucket->iacqf_lock; 4983 newbie->ipsacq_next = bucket->iacqf_ipsacq; 4984 newbie->ipsacq_ptpn = &bucket->iacqf_ipsacq; 4985 if (newbie->ipsacq_next != NULL) 4986 newbie->ipsacq_next->ipsacq_ptpn = &newbie->ipsacq_next; 4987 4988 bucket->iacqf_ipsacq = newbie; 4989 mutex_init(&newbie->ipsacq_lock, NULL, MUTEX_DEFAULT, NULL); 4990 mutex_enter(&newbie->ipsacq_lock); 4991 } 4992 4993 /* 4994 * XXX MLS does it actually help us to drop the bucket lock here? 4995 * we have inserted a half-built, locked acquire record into the 4996 * bucket. any competing thread will now be able to lock the bucket 4997 * to scan it, but will immediately pile up on the new acquire 4998 * record's lock; I don't think we gain anything here other than to 4999 * disperse blame for lock contention. 5000 * 5001 * we might be able to dispense with acquire record locks entirely.. 5002 * just use the bucket locks.. 5003 */ 5004 5005 mutex_exit(&bucket->iacqf_lock); 5006 5007 /* 5008 * This assert looks silly for now, but we may need to enter newbie's 5009 * mutex during a search. 5010 */ 5011 ASSERT(MUTEX_HELD(&newbie->ipsacq_lock)); 5012 5013 /* 5014 * Make the ip_xmit_attr_t into something we can queue. 5015 * If no memory it frees datamp. 5016 */ 5017 asyncmp = ip_xmit_attr_to_mblk(ixa); 5018 if (asyncmp != NULL) 5019 linkb(asyncmp, datamp); 5020 5021 /* Queue up packet. Use b_next. */ 5022 5023 if (asyncmp == NULL) { 5024 /* Statistics for allocation failure */ 5025 if (ixa->ixa_flags & IXAF_IS_IPV4) { 5026 BUMP_MIB(&ixa->ixa_ipst->ips_ip_mib, 5027 ipIfStatsOutDiscards); 5028 } else { 5029 BUMP_MIB(&ixa->ixa_ipst->ips_ip6_mib, 5030 ipIfStatsOutDiscards); 5031 } 5032 ip_drop_output("No memory for asyncmp", datamp, NULL); 5033 freemsg(datamp); 5034 } else if (newbie->ipsacq_numpackets == 0) { 5035 /* First one. */ 5036 newbie->ipsacq_mp = asyncmp; 5037 newbie->ipsacq_numpackets = 1; 5038 newbie->ipsacq_expire = gethrestime_sec(); 5039 /* 5040 * Extended ACQUIRE with both AH+ESP will use ESP's timeout 5041 * value. 5042 */ 5043 newbie->ipsacq_expire += *spp->s_acquire_timeout; 5044 newbie->ipsacq_seq = seq; 5045 newbie->ipsacq_addrfam = af; 5046 5047 newbie->ipsacq_srcport = ixa->ixa_ipsec_src_port; 5048 newbie->ipsacq_dstport = ixa->ixa_ipsec_dst_port; 5049 newbie->ipsacq_icmp_type = ixa->ixa_ipsec_icmp_type; 5050 newbie->ipsacq_icmp_code = ixa->ixa_ipsec_icmp_code; 5051 if (tunnel_mode) { 5052 newbie->ipsacq_inneraddrfam = ixa->ixa_ipsec_inaf; 5053 newbie->ipsacq_proto = ixa->ixa_ipsec_inaf == AF_INET6 ? 5054 IPPROTO_IPV6 : IPPROTO_ENCAP; 5055 newbie->ipsacq_innersrcpfx = ixa->ixa_ipsec_insrcpfx; 5056 newbie->ipsacq_innerdstpfx = ixa->ixa_ipsec_indstpfx; 5057 IPSA_COPY_ADDR(newbie->ipsacq_innersrc, 5058 ixa->ixa_ipsec_insrc, ixa->ixa_ipsec_inaf); 5059 IPSA_COPY_ADDR(newbie->ipsacq_innerdst, 5060 ixa->ixa_ipsec_indst, ixa->ixa_ipsec_inaf); 5061 } else { 5062 newbie->ipsacq_proto = ixa->ixa_ipsec_proto; 5063 } 5064 newbie->ipsacq_unique_id = unique_id; 5065 5066 if (ixa->ixa_tsl != NULL) { 5067 label_hold(ixa->ixa_tsl); 5068 newbie->ipsacq_tsl = ixa->ixa_tsl; 5069 } 5070 } else { 5071 /* Scan to the end of the list & insert. */ 5072 mblk_t *lastone = newbie->ipsacq_mp; 5073 5074 while (lastone->b_next != NULL) 5075 lastone = lastone->b_next; 5076 lastone->b_next = asyncmp; 5077 if (newbie->ipsacq_numpackets++ == ipsacq_maxpackets) { 5078 newbie->ipsacq_numpackets = ipsacq_maxpackets; 5079 lastone = newbie->ipsacq_mp; 5080 newbie->ipsacq_mp = lastone->b_next; 5081 lastone->b_next = NULL; 5082 5083 /* Freeing the async message */ 5084 lastone = ip_xmit_attr_free_mblk(lastone); 5085 ip_drop_packet(lastone, B_FALSE, NULL, 5086 DROPPER(ipss, ipds_sadb_acquire_toofull), 5087 &ipss->ipsec_sadb_dropper); 5088 } else { 5089 IP_ACQUIRE_STAT(ipss, qhiwater, 5090 newbie->ipsacq_numpackets); 5091 } 5092 } 5093 5094 /* 5095 * Reset addresses. Set them to the most recently added mblk chain, 5096 * so that the address pointers in the acquire record will point 5097 * at an mblk still attached to the acquire list. 5098 */ 5099 5100 newbie->ipsacq_srcaddr = src; 5101 newbie->ipsacq_dstaddr = dst; 5102 5103 /* 5104 * If the acquire record has more than one queued packet, we've 5105 * already sent an ACQUIRE, and don't need to repeat ourself. 5106 */ 5107 if (newbie->ipsacq_seq != seq || newbie->ipsacq_numpackets > 1) { 5108 /* I have an acquire outstanding already! */ 5109 mutex_exit(&newbie->ipsacq_lock); 5110 return; 5111 } 5112 5113 if (!keysock_extended_reg(ns)) 5114 goto punt_extended; 5115 /* 5116 * Construct an extended ACQUIRE. There are logging 5117 * opportunities here in failure cases. 5118 */ 5119 bzero(&sel, sizeof (sel)); 5120 sel.ips_isv4 = (ixa->ixa_flags & IXAF_IS_IPV4) != 0; 5121 if (tunnel_mode) { 5122 sel.ips_protocol = (ixa->ixa_ipsec_inaf == AF_INET) ? 5123 IPPROTO_ENCAP : IPPROTO_IPV6; 5124 } else { 5125 sel.ips_protocol = ixa->ixa_ipsec_proto; 5126 sel.ips_local_port = ixa->ixa_ipsec_src_port; 5127 sel.ips_remote_port = ixa->ixa_ipsec_dst_port; 5128 } 5129 sel.ips_icmp_type = ixa->ixa_ipsec_icmp_type; 5130 sel.ips_icmp_code = ixa->ixa_ipsec_icmp_code; 5131 sel.ips_is_icmp_inv_acq = 0; 5132 if (af == AF_INET) { 5133 sel.ips_local_addr_v4 = ipha->ipha_src; 5134 sel.ips_remote_addr_v4 = ipha->ipha_dst; 5135 } else { 5136 sel.ips_local_addr_v6 = ip6h->ip6_src; 5137 sel.ips_remote_addr_v6 = ip6h->ip6_dst; 5138 } 5139 5140 extended = sadb_keysock_out(0); 5141 if (extended == NULL) 5142 goto punt_extended; 5143 5144 if (ixa->ixa_tsl != NULL) { 5145 /* 5146 * XXX MLS correct condition here? 5147 * XXX MLS other credential attributes in acquire? 5148 * XXX malloc failure? don't fall back to original? 5149 */ 5150 sens = sadb_make_sens_ext(ixa->ixa_tsl, &sens_len); 5151 5152 if (sens == NULL) { 5153 freeb(extended); 5154 goto punt_extended; 5155 } 5156 } 5157 5158 extended->b_cont = sadb_extended_acquire(&sel, pp, ap, tunnel_mode, 5159 seq, 0, sens, ns); 5160 5161 if (sens != NULL) 5162 kmem_free(sens, sens_len); 5163 5164 if (extended->b_cont == NULL) { 5165 freeb(extended); 5166 goto punt_extended; 5167 } 5168 5169 /* 5170 * Send an ACQUIRE message (and possible an extended ACQUIRE) based on 5171 * this new record. The send-acquire callback assumes that acqrec is 5172 * already locked. 5173 */ 5174 (*spp->s_acqfn)(newbie, extended, ns); 5175 return; 5176 5177 punt_extended: 5178 (*spp->s_acqfn)(newbie, NULL, ns); 5179 } 5180 5181 /* 5182 * Unlink and free an acquire record. 5183 */ 5184 void 5185 sadb_destroy_acquire(ipsacq_t *acqrec, netstack_t *ns) 5186 { 5187 mblk_t *mp; 5188 ipsec_stack_t *ipss = ns->netstack_ipsec; 5189 5190 ASSERT(MUTEX_HELD(acqrec->ipsacq_linklock)); 5191 5192 if (acqrec->ipsacq_policy != NULL) { 5193 IPPOL_REFRELE(acqrec->ipsacq_policy); 5194 } 5195 if (acqrec->ipsacq_act != NULL) { 5196 IPACT_REFRELE(acqrec->ipsacq_act); 5197 } 5198 5199 /* Unlink */ 5200 *(acqrec->ipsacq_ptpn) = acqrec->ipsacq_next; 5201 if (acqrec->ipsacq_next != NULL) 5202 acqrec->ipsacq_next->ipsacq_ptpn = acqrec->ipsacq_ptpn; 5203 5204 if (acqrec->ipsacq_tsl != NULL) { 5205 label_rele(acqrec->ipsacq_tsl); 5206 acqrec->ipsacq_tsl = NULL; 5207 } 5208 5209 /* 5210 * Free hanging mp's. 5211 * 5212 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED. 5213 */ 5214 5215 mutex_enter(&acqrec->ipsacq_lock); 5216 while (acqrec->ipsacq_mp != NULL) { 5217 mp = acqrec->ipsacq_mp; 5218 acqrec->ipsacq_mp = mp->b_next; 5219 mp->b_next = NULL; 5220 /* Freeing the async message */ 5221 mp = ip_xmit_attr_free_mblk(mp); 5222 ip_drop_packet(mp, B_FALSE, NULL, 5223 DROPPER(ipss, ipds_sadb_acquire_timeout), 5224 &ipss->ipsec_sadb_dropper); 5225 } 5226 mutex_exit(&acqrec->ipsacq_lock); 5227 5228 /* Free */ 5229 mutex_destroy(&acqrec->ipsacq_lock); 5230 kmem_free(acqrec, sizeof (*acqrec)); 5231 } 5232 5233 /* 5234 * Destroy an acquire list fanout. 5235 */ 5236 static void 5237 sadb_destroy_acqlist(iacqf_t **listp, uint_t numentries, boolean_t forever, 5238 netstack_t *ns) 5239 { 5240 int i; 5241 iacqf_t *list = *listp; 5242 5243 if (list == NULL) 5244 return; 5245 5246 for (i = 0; i < numentries; i++) { 5247 mutex_enter(&(list[i].iacqf_lock)); 5248 while (list[i].iacqf_ipsacq != NULL) 5249 sadb_destroy_acquire(list[i].iacqf_ipsacq, ns); 5250 mutex_exit(&(list[i].iacqf_lock)); 5251 if (forever) 5252 mutex_destroy(&(list[i].iacqf_lock)); 5253 } 5254 5255 if (forever) { 5256 *listp = NULL; 5257 kmem_free(list, numentries * sizeof (*list)); 5258 } 5259 } 5260 5261 /* 5262 * Create an algorithm descriptor for an extended ACQUIRE. Filter crypto 5263 * framework's view of reality vs. IPsec's. EF's wins, BTW. 5264 */ 5265 static uint8_t * 5266 sadb_new_algdesc(uint8_t *start, uint8_t *limit, 5267 sadb_x_ecomb_t *ecomb, uint8_t satype, uint8_t algtype, 5268 uint8_t alg, uint16_t minbits, uint16_t maxbits, ipsec_stack_t *ipss) 5269 { 5270 uint8_t *cur = start; 5271 ipsec_alginfo_t *algp; 5272 sadb_x_algdesc_t *algdesc = (sadb_x_algdesc_t *)cur; 5273 5274 cur += sizeof (*algdesc); 5275 if (cur >= limit) 5276 return (NULL); 5277 5278 ecomb->sadb_x_ecomb_numalgs++; 5279 5280 /* 5281 * Normalize vs. crypto framework's limits. This way, you can specify 5282 * a stronger policy, and when the framework loads a stronger version, 5283 * you can just keep plowing w/o rewhacking your SPD. 5284 */ 5285 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 5286 algp = ipss->ipsec_alglists[(algtype == SADB_X_ALGTYPE_AUTH) ? 5287 IPSEC_ALG_AUTH : IPSEC_ALG_ENCR][alg]; 5288 if (algp == NULL) { 5289 rw_exit(&ipss->ipsec_alg_lock); 5290 return (NULL); /* Algorithm doesn't exist. Fail gracefully. */ 5291 } 5292 if (minbits < algp->alg_ef_minbits) 5293 minbits = algp->alg_ef_minbits; 5294 if (maxbits > algp->alg_ef_maxbits) 5295 maxbits = algp->alg_ef_maxbits; 5296 rw_exit(&ipss->ipsec_alg_lock); 5297 5298 algdesc->sadb_x_algdesc_reserved = SADB_8TO1(algp->alg_saltlen); 5299 algdesc->sadb_x_algdesc_satype = satype; 5300 algdesc->sadb_x_algdesc_algtype = algtype; 5301 algdesc->sadb_x_algdesc_alg = alg; 5302 algdesc->sadb_x_algdesc_minbits = minbits; 5303 algdesc->sadb_x_algdesc_maxbits = maxbits; 5304 5305 return (cur); 5306 } 5307 5308 /* 5309 * Convert the given ipsec_action_t into an ecomb starting at *ecomb 5310 * which must fit before *limit 5311 * 5312 * return NULL if we ran out of room or a pointer to the end of the ecomb. 5313 */ 5314 static uint8_t * 5315 sadb_action_to_ecomb(uint8_t *start, uint8_t *limit, ipsec_action_t *act, 5316 netstack_t *ns) 5317 { 5318 uint8_t *cur = start; 5319 sadb_x_ecomb_t *ecomb = (sadb_x_ecomb_t *)cur; 5320 ipsec_prot_t *ipp; 5321 ipsec_stack_t *ipss = ns->netstack_ipsec; 5322 5323 cur += sizeof (*ecomb); 5324 if (cur >= limit) 5325 return (NULL); 5326 5327 ASSERT(act->ipa_act.ipa_type == IPSEC_ACT_APPLY); 5328 5329 ipp = &act->ipa_act.ipa_apply; 5330 5331 ecomb->sadb_x_ecomb_numalgs = 0; 5332 ecomb->sadb_x_ecomb_reserved = 0; 5333 ecomb->sadb_x_ecomb_reserved2 = 0; 5334 /* 5335 * No limits on allocations, since we really don't support that 5336 * concept currently. 5337 */ 5338 ecomb->sadb_x_ecomb_soft_allocations = 0; 5339 ecomb->sadb_x_ecomb_hard_allocations = 0; 5340 5341 /* 5342 * XXX TBD: Policy or global parameters will eventually be 5343 * able to fill in some of these. 5344 */ 5345 ecomb->sadb_x_ecomb_flags = 0; 5346 ecomb->sadb_x_ecomb_soft_bytes = 0; 5347 ecomb->sadb_x_ecomb_hard_bytes = 0; 5348 ecomb->sadb_x_ecomb_soft_addtime = 0; 5349 ecomb->sadb_x_ecomb_hard_addtime = 0; 5350 ecomb->sadb_x_ecomb_soft_usetime = 0; 5351 ecomb->sadb_x_ecomb_hard_usetime = 0; 5352 5353 if (ipp->ipp_use_ah) { 5354 cur = sadb_new_algdesc(cur, limit, ecomb, 5355 SADB_SATYPE_AH, SADB_X_ALGTYPE_AUTH, ipp->ipp_auth_alg, 5356 ipp->ipp_ah_minbits, ipp->ipp_ah_maxbits, ipss); 5357 if (cur == NULL) 5358 return (NULL); 5359 ipsecah_fill_defs(ecomb, ns); 5360 } 5361 5362 if (ipp->ipp_use_esp) { 5363 if (ipp->ipp_use_espa) { 5364 cur = sadb_new_algdesc(cur, limit, ecomb, 5365 SADB_SATYPE_ESP, SADB_X_ALGTYPE_AUTH, 5366 ipp->ipp_esp_auth_alg, 5367 ipp->ipp_espa_minbits, 5368 ipp->ipp_espa_maxbits, ipss); 5369 if (cur == NULL) 5370 return (NULL); 5371 } 5372 5373 cur = sadb_new_algdesc(cur, limit, ecomb, 5374 SADB_SATYPE_ESP, SADB_X_ALGTYPE_CRYPT, 5375 ipp->ipp_encr_alg, 5376 ipp->ipp_espe_minbits, 5377 ipp->ipp_espe_maxbits, ipss); 5378 if (cur == NULL) 5379 return (NULL); 5380 /* Fill in lifetimes if and only if AH didn't already... */ 5381 if (!ipp->ipp_use_ah) 5382 ipsecesp_fill_defs(ecomb, ns); 5383 } 5384 5385 return (cur); 5386 } 5387 5388 #include <sys/tsol/label_macro.h> /* XXX should not need this */ 5389 5390 /* 5391 * From a cred_t, construct a sensitivity label extension 5392 * 5393 * We send up a fixed-size sensitivity label bitmap, and are perhaps 5394 * overly chummy with the underlying data structures here. 5395 */ 5396 5397 /* ARGSUSED */ 5398 int 5399 sadb_sens_len_from_label(ts_label_t *tsl) 5400 { 5401 int baselen = sizeof (sadb_sens_t) + _C_LEN * 4; 5402 return (roundup(baselen, sizeof (uint64_t))); 5403 } 5404 5405 void 5406 sadb_sens_from_label(sadb_sens_t *sens, int exttype, ts_label_t *tsl, 5407 int senslen) 5408 { 5409 uint8_t *bitmap; 5410 bslabel_t *sl; 5411 5412 /* LINTED */ 5413 ASSERT((_C_LEN & 1) == 0); 5414 ASSERT((senslen & 7) == 0); 5415 5416 sl = label2bslabel(tsl); 5417 5418 sens->sadb_sens_exttype = exttype; 5419 sens->sadb_sens_len = SADB_8TO64(senslen); 5420 5421 sens->sadb_sens_dpd = tsl->tsl_doi; 5422 sens->sadb_sens_sens_level = LCLASS(sl); 5423 sens->sadb_sens_integ_level = 0; /* TBD */ 5424 sens->sadb_sens_sens_len = _C_LEN >> 1; 5425 sens->sadb_sens_integ_len = 0; /* TBD */ 5426 sens->sadb_x_sens_flags = 0; 5427 5428 bitmap = (uint8_t *)(sens + 1); 5429 bcopy(&(((_bslabel_impl_t *)sl)->compartments), bitmap, _C_LEN * 4); 5430 } 5431 5432 static sadb_sens_t * 5433 sadb_make_sens_ext(ts_label_t *tsl, int *len) 5434 { 5435 /* XXX allocation failure? */ 5436 int sens_len = sadb_sens_len_from_label(tsl); 5437 5438 sadb_sens_t *sens = kmem_alloc(sens_len, KM_SLEEP); 5439 5440 sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY, tsl, sens_len); 5441 5442 *len = sens_len; 5443 5444 return (sens); 5445 } 5446 5447 /* 5448 * Okay, how do we report errors/invalid labels from this? 5449 * With a special designated "not a label" cred_t ? 5450 */ 5451 /* ARGSUSED */ 5452 ts_label_t * 5453 sadb_label_from_sens(sadb_sens_t *sens, uint64_t *bitmap) 5454 { 5455 int bitmap_len = SADB_64TO8(sens->sadb_sens_sens_len); 5456 bslabel_t sl; 5457 ts_label_t *tsl; 5458 5459 if (sens->sadb_sens_integ_level != 0) 5460 return (NULL); 5461 if (sens->sadb_sens_integ_len != 0) 5462 return (NULL); 5463 if (bitmap_len > _C_LEN * 4) 5464 return (NULL); 5465 5466 bsllow(&sl); 5467 LCLASS_SET((_bslabel_impl_t *)&sl, sens->sadb_sens_sens_level); 5468 bcopy(bitmap, &((_bslabel_impl_t *)&sl)->compartments, 5469 bitmap_len); 5470 5471 tsl = labelalloc(&sl, sens->sadb_sens_dpd, KM_NOSLEEP); 5472 if (tsl == NULL) 5473 return (NULL); 5474 5475 if (sens->sadb_x_sens_flags & SADB_X_SENS_UNLABELED) 5476 tsl->tsl_flags |= TSLF_UNLABELED; 5477 return (tsl); 5478 } 5479 5480 /* End XXX label-library-leakage */ 5481 5482 /* 5483 * Construct an extended ACQUIRE message based on a selector and the resulting 5484 * IPsec action. 5485 * 5486 * NOTE: This is used by both inverse ACQUIRE and actual ACQUIRE 5487 * generation. As a consequence, expect this function to evolve 5488 * rapidly. 5489 */ 5490 static mblk_t * 5491 sadb_extended_acquire(ipsec_selector_t *sel, ipsec_policy_t *pol, 5492 ipsec_action_t *act, boolean_t tunnel_mode, uint32_t seq, uint32_t pid, 5493 sadb_sens_t *sens, netstack_t *ns) 5494 { 5495 mblk_t *mp; 5496 sadb_msg_t *samsg; 5497 uint8_t *start, *cur, *end; 5498 uint32_t *saddrptr, *daddrptr; 5499 sa_family_t af; 5500 sadb_prop_t *eprop; 5501 ipsec_action_t *ap, *an; 5502 ipsec_selkey_t *ipsl; 5503 uint8_t proto, pfxlen; 5504 uint16_t lport, rport; 5505 uint32_t kmp, kmc; 5506 5507 /* 5508 * Find the action we want sooner rather than later.. 5509 */ 5510 an = NULL; 5511 if (pol == NULL) { 5512 ap = act; 5513 } else { 5514 ap = pol->ipsp_act; 5515 5516 if (ap != NULL) 5517 an = ap->ipa_next; 5518 } 5519 5520 /* 5521 * Just take a swag for the allocation for now. We can always 5522 * alter it later. 5523 */ 5524 #define SADB_EXTENDED_ACQUIRE_SIZE 4096 5525 mp = allocb(SADB_EXTENDED_ACQUIRE_SIZE, BPRI_HI); 5526 if (mp == NULL) 5527 return (NULL); 5528 5529 start = mp->b_rptr; 5530 end = start + SADB_EXTENDED_ACQUIRE_SIZE; 5531 5532 cur = start; 5533 5534 samsg = (sadb_msg_t *)cur; 5535 cur += sizeof (*samsg); 5536 5537 samsg->sadb_msg_version = PF_KEY_V2; 5538 samsg->sadb_msg_type = SADB_ACQUIRE; 5539 samsg->sadb_msg_errno = 0; 5540 samsg->sadb_msg_reserved = 0; 5541 samsg->sadb_msg_satype = 0; 5542 samsg->sadb_msg_seq = seq; 5543 samsg->sadb_msg_pid = pid; 5544 5545 if (tunnel_mode) { 5546 /* 5547 * Form inner address extensions based NOT on the inner 5548 * selectors (i.e. the packet data), but on the policy's 5549 * selector key (i.e. the policy's selector information). 5550 * 5551 * NOTE: The position of IPv4 and IPv6 addresses is the 5552 * same in ipsec_selkey_t (unless the compiler does very 5553 * strange things with unions, consult your local C language 5554 * lawyer for details). 5555 */ 5556 ASSERT(pol != NULL); 5557 5558 ipsl = &(pol->ipsp_sel->ipsl_key); 5559 if (ipsl->ipsl_valid & IPSL_IPV4) { 5560 af = AF_INET; 5561 ASSERT(sel->ips_protocol == IPPROTO_ENCAP); 5562 ASSERT(!(ipsl->ipsl_valid & IPSL_IPV6)); 5563 } else { 5564 af = AF_INET6; 5565 ASSERT(sel->ips_protocol == IPPROTO_IPV6); 5566 ASSERT(ipsl->ipsl_valid & IPSL_IPV6); 5567 } 5568 5569 if (ipsl->ipsl_valid & IPSL_LOCAL_ADDR) { 5570 saddrptr = (uint32_t *)(&ipsl->ipsl_local); 5571 pfxlen = ipsl->ipsl_local_pfxlen; 5572 } else { 5573 saddrptr = (uint32_t *)(&ipv6_all_zeros); 5574 pfxlen = 0; 5575 } 5576 /* XXX What about ICMP type/code? */ 5577 lport = (ipsl->ipsl_valid & IPSL_LOCAL_PORT) ? 5578 ipsl->ipsl_lport : 0; 5579 proto = (ipsl->ipsl_valid & IPSL_PROTOCOL) ? 5580 ipsl->ipsl_proto : 0; 5581 5582 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 5583 af, saddrptr, lport, proto, pfxlen); 5584 if (cur == NULL) { 5585 freeb(mp); 5586 return (NULL); 5587 } 5588 5589 if (ipsl->ipsl_valid & IPSL_REMOTE_ADDR) { 5590 daddrptr = (uint32_t *)(&ipsl->ipsl_remote); 5591 pfxlen = ipsl->ipsl_remote_pfxlen; 5592 } else { 5593 daddrptr = (uint32_t *)(&ipv6_all_zeros); 5594 pfxlen = 0; 5595 } 5596 /* XXX What about ICMP type/code? */ 5597 rport = (ipsl->ipsl_valid & IPSL_REMOTE_PORT) ? 5598 ipsl->ipsl_rport : 0; 5599 5600 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 5601 af, daddrptr, rport, proto, pfxlen); 5602 if (cur == NULL) { 5603 freeb(mp); 5604 return (NULL); 5605 } 5606 /* 5607 * TODO - if we go to 3408's dream of transport mode IP-in-IP 5608 * _with_ inner-packet address selectors, we'll need to further 5609 * distinguish tunnel mode here. For now, having inner 5610 * addresses and/or ports is sufficient. 5611 * 5612 * Meanwhile, whack proto/ports to reflect IP-in-IP for the 5613 * outer addresses. 5614 */ 5615 proto = sel->ips_protocol; /* Either _ENCAP or _IPV6 */ 5616 lport = rport = 0; 5617 } else if ((ap != NULL) && (!ap->ipa_want_unique)) { 5618 proto = 0; 5619 lport = 0; 5620 rport = 0; 5621 if (pol != NULL) { 5622 ipsl = &(pol->ipsp_sel->ipsl_key); 5623 if (ipsl->ipsl_valid & IPSL_PROTOCOL) 5624 proto = ipsl->ipsl_proto; 5625 if (ipsl->ipsl_valid & IPSL_REMOTE_PORT) 5626 rport = ipsl->ipsl_rport; 5627 if (ipsl->ipsl_valid & IPSL_LOCAL_PORT) 5628 lport = ipsl->ipsl_lport; 5629 } 5630 } else { 5631 proto = sel->ips_protocol; 5632 lport = sel->ips_local_port; 5633 rport = sel->ips_remote_port; 5634 } 5635 5636 af = sel->ips_isv4 ? AF_INET : AF_INET6; 5637 5638 /* 5639 * NOTE: The position of IPv4 and IPv6 addresses is the same in 5640 * ipsec_selector_t. 5641 */ 5642 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 5643 (uint32_t *)(&sel->ips_local_addr_v6), lport, proto, 0); 5644 5645 if (cur == NULL) { 5646 freeb(mp); 5647 return (NULL); 5648 } 5649 5650 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 5651 (uint32_t *)(&sel->ips_remote_addr_v6), rport, proto, 0); 5652 5653 if (cur == NULL) { 5654 freeb(mp); 5655 return (NULL); 5656 } 5657 5658 if (sens != NULL) { 5659 uint8_t *sensext = cur; 5660 int senslen = SADB_64TO8(sens->sadb_sens_len); 5661 5662 cur += senslen; 5663 if (cur > end) { 5664 freeb(mp); 5665 return (NULL); 5666 } 5667 bcopy(sens, sensext, senslen); 5668 } 5669 5670 /* 5671 * This section will change a lot as policy evolves. 5672 * For now, it'll be relatively simple. 5673 */ 5674 eprop = (sadb_prop_t *)cur; 5675 cur += sizeof (*eprop); 5676 if (cur > end) { 5677 /* no space left */ 5678 freeb(mp); 5679 return (NULL); 5680 } 5681 5682 eprop->sadb_prop_exttype = SADB_X_EXT_EPROP; 5683 eprop->sadb_x_prop_ereserved = 0; 5684 eprop->sadb_x_prop_numecombs = 0; 5685 eprop->sadb_prop_replay = 32; /* default */ 5686 5687 kmc = kmp = 0; 5688 5689 for (; ap != NULL; ap = an) { 5690 an = (pol != NULL) ? ap->ipa_next : NULL; 5691 5692 /* 5693 * Skip non-IPsec policies 5694 */ 5695 if (ap->ipa_act.ipa_type != IPSEC_ACT_APPLY) 5696 continue; 5697 5698 if (ap->ipa_act.ipa_apply.ipp_km_proto) 5699 kmp = ap->ipa_act.ipa_apply.ipp_km_proto; 5700 if (ap->ipa_act.ipa_apply.ipp_km_cookie) 5701 kmc = ap->ipa_act.ipa_apply.ipp_km_cookie; 5702 if (ap->ipa_act.ipa_apply.ipp_replay_depth) { 5703 eprop->sadb_prop_replay = 5704 ap->ipa_act.ipa_apply.ipp_replay_depth; 5705 } 5706 5707 cur = sadb_action_to_ecomb(cur, end, ap, ns); 5708 if (cur == NULL) { /* no space */ 5709 freeb(mp); 5710 return (NULL); 5711 } 5712 eprop->sadb_x_prop_numecombs++; 5713 } 5714 5715 if (eprop->sadb_x_prop_numecombs == 0) { 5716 /* 5717 * This will happen if we fail to find a policy 5718 * allowing for IPsec processing. 5719 * Construct an error message. 5720 */ 5721 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 5722 samsg->sadb_msg_errno = ENOENT; 5723 samsg->sadb_x_msg_diagnostic = 0; 5724 return (mp); 5725 } 5726 5727 if ((kmp != 0) || (kmc != 0)) { 5728 cur = sadb_make_kmc_ext(cur, end, kmp, kmc); 5729 if (cur == NULL) { 5730 freeb(mp); 5731 return (NULL); 5732 } 5733 } 5734 5735 eprop->sadb_prop_len = SADB_8TO64(cur - (uint8_t *)eprop); 5736 samsg->sadb_msg_len = SADB_8TO64(cur - start); 5737 mp->b_wptr = cur; 5738 5739 return (mp); 5740 } 5741 5742 /* 5743 * Generic setup of an RFC 2367 ACQUIRE message. Caller sets satype. 5744 * 5745 * NOTE: This function acquires alg_lock as a side-effect if-and-only-if we 5746 * succeed (i.e. return non-NULL). Caller MUST release it. This is to 5747 * maximize code consolidation while preventing algorithm changes from messing 5748 * with the callers finishing touches on the ACQUIRE itself. 5749 */ 5750 mblk_t * 5751 sadb_setup_acquire(ipsacq_t *acqrec, uint8_t satype, ipsec_stack_t *ipss) 5752 { 5753 uint_t allocsize; 5754 mblk_t *pfkeymp, *msgmp; 5755 sa_family_t af; 5756 uint8_t *cur, *end; 5757 sadb_msg_t *samsg; 5758 uint16_t sport_typecode; 5759 uint16_t dport_typecode; 5760 uint8_t check_proto; 5761 boolean_t tunnel_mode = (acqrec->ipsacq_inneraddrfam != 0); 5762 5763 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock)); 5764 5765 pfkeymp = sadb_keysock_out(0); 5766 if (pfkeymp == NULL) 5767 return (NULL); 5768 5769 /* 5770 * First, allocate a basic ACQUIRE message 5771 */ 5772 allocsize = sizeof (sadb_msg_t) + sizeof (sadb_address_t) + 5773 sizeof (sadb_address_t) + sizeof (sadb_prop_t); 5774 5775 /* Make sure there's enough to cover both AF_INET and AF_INET6. */ 5776 allocsize += 2 * sizeof (struct sockaddr_in6); 5777 5778 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 5779 /* NOTE: The lock is now held through to this function's return. */ 5780 allocsize += ipss->ipsec_nalgs[IPSEC_ALG_AUTH] * 5781 ipss->ipsec_nalgs[IPSEC_ALG_ENCR] * sizeof (sadb_comb_t); 5782 5783 if (tunnel_mode) { 5784 /* Tunnel mode! */ 5785 allocsize += 2 * sizeof (sadb_address_t); 5786 /* Enough to cover both AF_INET and AF_INET6. */ 5787 allocsize += 2 * sizeof (struct sockaddr_in6); 5788 } 5789 5790 msgmp = allocb(allocsize, BPRI_HI); 5791 if (msgmp == NULL) { 5792 freeb(pfkeymp); 5793 rw_exit(&ipss->ipsec_alg_lock); 5794 return (NULL); 5795 } 5796 5797 pfkeymp->b_cont = msgmp; 5798 cur = msgmp->b_rptr; 5799 end = cur + allocsize; 5800 samsg = (sadb_msg_t *)cur; 5801 cur += sizeof (sadb_msg_t); 5802 5803 af = acqrec->ipsacq_addrfam; 5804 switch (af) { 5805 case AF_INET: 5806 check_proto = IPPROTO_ICMP; 5807 break; 5808 case AF_INET6: 5809 check_proto = IPPROTO_ICMPV6; 5810 break; 5811 default: 5812 /* This should never happen unless we have kernel bugs. */ 5813 cmn_err(CE_WARN, 5814 "sadb_setup_acquire: corrupt ACQUIRE record.\n"); 5815 ASSERT(0); 5816 rw_exit(&ipss->ipsec_alg_lock); 5817 return (NULL); 5818 } 5819 5820 samsg->sadb_msg_version = PF_KEY_V2; 5821 samsg->sadb_msg_type = SADB_ACQUIRE; 5822 samsg->sadb_msg_satype = satype; 5823 samsg->sadb_msg_errno = 0; 5824 samsg->sadb_msg_pid = 0; 5825 samsg->sadb_msg_reserved = 0; 5826 samsg->sadb_msg_seq = acqrec->ipsacq_seq; 5827 5828 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock)); 5829 5830 if ((acqrec->ipsacq_proto == check_proto) || tunnel_mode) { 5831 sport_typecode = dport_typecode = 0; 5832 } else { 5833 sport_typecode = acqrec->ipsacq_srcport; 5834 dport_typecode = acqrec->ipsacq_dstport; 5835 } 5836 5837 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 5838 acqrec->ipsacq_srcaddr, sport_typecode, acqrec->ipsacq_proto, 0); 5839 5840 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 5841 acqrec->ipsacq_dstaddr, dport_typecode, acqrec->ipsacq_proto, 0); 5842 5843 if (tunnel_mode) { 5844 sport_typecode = acqrec->ipsacq_srcport; 5845 dport_typecode = acqrec->ipsacq_dstport; 5846 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 5847 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innersrc, 5848 sport_typecode, acqrec->ipsacq_inner_proto, 5849 acqrec->ipsacq_innersrcpfx); 5850 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 5851 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innerdst, 5852 dport_typecode, acqrec->ipsacq_inner_proto, 5853 acqrec->ipsacq_innerdstpfx); 5854 } 5855 5856 /* XXX Insert identity information here. */ 5857 5858 /* XXXMLS Insert sensitivity information here. */ 5859 5860 if (cur != NULL) 5861 samsg->sadb_msg_len = SADB_8TO64(cur - msgmp->b_rptr); 5862 else 5863 rw_exit(&ipss->ipsec_alg_lock); 5864 5865 return (pfkeymp); 5866 } 5867 5868 /* 5869 * Given an SADB_GETSPI message, find an appropriately ranged SA and 5870 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1. 5871 * If there was a memory allocation error, return NULL. (Assume NULL != 5872 * (ipsa_t *)-1). 5873 * 5874 * master_spi is passed in host order. 5875 */ 5876 ipsa_t * 5877 sadb_getspi(keysock_in_t *ksi, uint32_t master_spi, int *diagnostic, 5878 netstack_t *ns, uint_t sa_type) 5879 { 5880 sadb_address_t *src = 5881 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC], 5882 *dst = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 5883 sadb_spirange_t *range = 5884 (sadb_spirange_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE]; 5885 struct sockaddr_in *ssa, *dsa; 5886 struct sockaddr_in6 *ssa6, *dsa6; 5887 uint32_t *srcaddr, *dstaddr; 5888 sa_family_t af; 5889 uint32_t add, min, max; 5890 uint8_t protocol = 5891 (sa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP; 5892 5893 if (src == NULL) { 5894 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 5895 return ((ipsa_t *)-1); 5896 } 5897 if (dst == NULL) { 5898 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 5899 return ((ipsa_t *)-1); 5900 } 5901 if (range == NULL) { 5902 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_RANGE; 5903 return ((ipsa_t *)-1); 5904 } 5905 5906 min = ntohl(range->sadb_spirange_min); 5907 max = ntohl(range->sadb_spirange_max); 5908 dsa = (struct sockaddr_in *)(dst + 1); 5909 dsa6 = (struct sockaddr_in6 *)dsa; 5910 5911 ssa = (struct sockaddr_in *)(src + 1); 5912 ssa6 = (struct sockaddr_in6 *)ssa; 5913 ASSERT(dsa->sin_family == ssa->sin_family); 5914 5915 srcaddr = ALL_ZEROES_PTR; 5916 af = dsa->sin_family; 5917 switch (af) { 5918 case AF_INET: 5919 if (src != NULL) 5920 srcaddr = (uint32_t *)(&ssa->sin_addr); 5921 dstaddr = (uint32_t *)(&dsa->sin_addr); 5922 break; 5923 case AF_INET6: 5924 if (src != NULL) 5925 srcaddr = (uint32_t *)(&ssa6->sin6_addr); 5926 dstaddr = (uint32_t *)(&dsa6->sin6_addr); 5927 break; 5928 default: 5929 *diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 5930 return ((ipsa_t *)-1); 5931 } 5932 5933 if (master_spi < min || master_spi > max) { 5934 /* Return a random value in the range. */ 5935 if (cl_inet_getspi) { 5936 cl_inet_getspi(ns->netstack_stackid, protocol, 5937 (uint8_t *)&add, sizeof (add), NULL); 5938 } else { 5939 (void) random_get_pseudo_bytes((uint8_t *)&add, 5940 sizeof (add)); 5941 } 5942 master_spi = min + (add % (max - min + 1)); 5943 } 5944 5945 /* 5946 * Since master_spi is passed in host order, we need to htonl() it 5947 * for the purposes of creating a new SA. 5948 */ 5949 return (sadb_makelarvalassoc(htonl(master_spi), srcaddr, dstaddr, af, 5950 ns)); 5951 } 5952 5953 /* 5954 * 5955 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the 5956 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list 5957 * and scan for the sequence number in question. I may wish to accept an 5958 * address pair with it, for easier searching. 5959 * 5960 * Caller frees the message, so we don't have to here. 5961 * 5962 * NOTE: The pfkey_q parameter may be used in the future for ACQUIRE 5963 * failures. 5964 */ 5965 /* ARGSUSED */ 5966 void 5967 sadb_in_acquire(sadb_msg_t *samsg, sadbp_t *sp, queue_t *pfkey_q, 5968 netstack_t *ns) 5969 { 5970 int i; 5971 ipsacq_t *acqrec; 5972 iacqf_t *bucket; 5973 5974 /* 5975 * I only accept the base header for this! 5976 * Though to be honest, requiring the dst address would help 5977 * immensely. 5978 * 5979 * XXX There are already cases where I can get the dst address. 5980 */ 5981 if (samsg->sadb_msg_len > SADB_8TO64(sizeof (*samsg))) 5982 return; 5983 5984 /* 5985 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it, 5986 * (and in the future send a message to IP with the appropriate error 5987 * number). 5988 * 5989 * Q: Do I want to reject if pid != 0? 5990 */ 5991 5992 for (i = 0; i < sp->s_v4.sdb_hashsize; i++) { 5993 bucket = &sp->s_v4.sdb_acq[i]; 5994 mutex_enter(&bucket->iacqf_lock); 5995 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 5996 acqrec = acqrec->ipsacq_next) { 5997 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 5998 break; /* for acqrec... loop. */ 5999 } 6000 if (acqrec != NULL) 6001 break; /* for i = 0... loop. */ 6002 6003 mutex_exit(&bucket->iacqf_lock); 6004 } 6005 6006 if (acqrec == NULL) { 6007 for (i = 0; i < sp->s_v6.sdb_hashsize; i++) { 6008 bucket = &sp->s_v6.sdb_acq[i]; 6009 mutex_enter(&bucket->iacqf_lock); 6010 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 6011 acqrec = acqrec->ipsacq_next) { 6012 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 6013 break; /* for acqrec... loop. */ 6014 } 6015 if (acqrec != NULL) 6016 break; /* for i = 0... loop. */ 6017 6018 mutex_exit(&bucket->iacqf_lock); 6019 } 6020 } 6021 6022 6023 if (acqrec == NULL) 6024 return; 6025 6026 /* 6027 * What do I do with the errno and IP? I may need mp's services a 6028 * little more. See sadb_destroy_acquire() for future directions 6029 * beyond free the mblk chain on the acquire record. 6030 */ 6031 6032 ASSERT(&bucket->iacqf_lock == acqrec->ipsacq_linklock); 6033 sadb_destroy_acquire(acqrec, ns); 6034 /* Have to exit mutex here, because of breaking out of for loop. */ 6035 mutex_exit(&bucket->iacqf_lock); 6036 } 6037 6038 /* 6039 * The following functions work with the replay windows of an SA. They assume 6040 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector 6041 * represents the highest sequence number packet received, and back 6042 * (ipsa->ipsa_replay_wsize) packets. 6043 */ 6044 6045 /* 6046 * Is the replay bit set? 6047 */ 6048 static boolean_t 6049 ipsa_is_replay_set(ipsa_t *ipsa, uint32_t offset) 6050 { 6051 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 6052 6053 return ((bit & ipsa->ipsa_replay_arr[offset >> 6]) ? B_TRUE : B_FALSE); 6054 } 6055 6056 /* 6057 * Shift the bits of the replay window over. 6058 */ 6059 static void 6060 ipsa_shift_replay(ipsa_t *ipsa, uint32_t shift) 6061 { 6062 int i; 6063 int jump = ((shift - 1) >> 6) + 1; 6064 6065 if (shift == 0) 6066 return; 6067 6068 for (i = (ipsa->ipsa_replay_wsize - 1) >> 6; i >= 0; i--) { 6069 if (i + jump <= (ipsa->ipsa_replay_wsize - 1) >> 6) { 6070 ipsa->ipsa_replay_arr[i + jump] |= 6071 ipsa->ipsa_replay_arr[i] >> (64 - (shift & 63)); 6072 } 6073 ipsa->ipsa_replay_arr[i] <<= shift; 6074 } 6075 } 6076 6077 /* 6078 * Set a bit in the bit vector. 6079 */ 6080 static void 6081 ipsa_set_replay(ipsa_t *ipsa, uint32_t offset) 6082 { 6083 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 6084 6085 ipsa->ipsa_replay_arr[offset >> 6] |= bit; 6086 } 6087 6088 #define SADB_MAX_REPLAY_VALUE 0xffffffff 6089 6090 /* 6091 * Assume caller has NOT done ntohl() already on seq. Check to see 6092 * if replay sequence number "seq" has been seen already. 6093 */ 6094 boolean_t 6095 sadb_replay_check(ipsa_t *ipsa, uint32_t seq) 6096 { 6097 boolean_t rc; 6098 uint32_t diff; 6099 6100 if (ipsa->ipsa_replay_wsize == 0) 6101 return (B_TRUE); 6102 6103 /* 6104 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek(). 6105 */ 6106 6107 /* Convert sequence number into host order before holding the mutex. */ 6108 seq = ntohl(seq); 6109 6110 mutex_enter(&ipsa->ipsa_lock); 6111 6112 /* Initialize inbound SA's ipsa_replay field to last one received. */ 6113 if (ipsa->ipsa_replay == 0) 6114 ipsa->ipsa_replay = 1; 6115 6116 if (seq > ipsa->ipsa_replay) { 6117 /* 6118 * I have received a new "highest value received". Shift 6119 * the replay window over. 6120 */ 6121 diff = seq - ipsa->ipsa_replay; 6122 if (diff < ipsa->ipsa_replay_wsize) { 6123 /* In replay window, shift bits over. */ 6124 ipsa_shift_replay(ipsa, diff); 6125 } else { 6126 /* WAY FAR AHEAD, clear bits and start again. */ 6127 bzero(ipsa->ipsa_replay_arr, 6128 sizeof (ipsa->ipsa_replay_arr)); 6129 } 6130 ipsa_set_replay(ipsa, 0); 6131 ipsa->ipsa_replay = seq; 6132 rc = B_TRUE; 6133 goto done; 6134 } 6135 diff = ipsa->ipsa_replay - seq; 6136 if (diff >= ipsa->ipsa_replay_wsize || ipsa_is_replay_set(ipsa, diff)) { 6137 rc = B_FALSE; 6138 goto done; 6139 } 6140 /* Set this packet as seen. */ 6141 ipsa_set_replay(ipsa, diff); 6142 6143 rc = B_TRUE; 6144 done: 6145 mutex_exit(&ipsa->ipsa_lock); 6146 return (rc); 6147 } 6148 6149 /* 6150 * "Peek" and see if we should even bother going through the effort of 6151 * running an authentication check on the sequence number passed in. 6152 * this takes into account packets that are below the replay window, 6153 * and collisions with already replayed packets. Return B_TRUE if it 6154 * is okay to proceed, B_FALSE if this packet should be dropped immediately. 6155 * Assume same byte-ordering as sadb_replay_check. 6156 */ 6157 boolean_t 6158 sadb_replay_peek(ipsa_t *ipsa, uint32_t seq) 6159 { 6160 boolean_t rc = B_FALSE; 6161 uint32_t diff; 6162 6163 if (ipsa->ipsa_replay_wsize == 0) 6164 return (B_TRUE); 6165 6166 /* 6167 * 0 is 0, regardless of byte order... :) 6168 * 6169 * If I get 0 on the wire (and there is a replay window) then the 6170 * sender most likely wrapped. This ipsa may need to be marked or 6171 * something. 6172 */ 6173 if (seq == 0) 6174 return (B_FALSE); 6175 6176 seq = ntohl(seq); 6177 mutex_enter(&ipsa->ipsa_lock); 6178 if (seq < ipsa->ipsa_replay - ipsa->ipsa_replay_wsize && 6179 ipsa->ipsa_replay >= ipsa->ipsa_replay_wsize) 6180 goto done; 6181 6182 /* 6183 * If I've hit 0xffffffff, then quite honestly, I don't need to 6184 * bother with formalities. I'm not accepting any more packets 6185 * on this SA. 6186 */ 6187 if (ipsa->ipsa_replay == SADB_MAX_REPLAY_VALUE) { 6188 /* 6189 * Since we're already holding the lock, update the 6190 * expire time ala. sadb_replay_delete() and return. 6191 */ 6192 ipsa->ipsa_hardexpiretime = (time_t)1; 6193 goto done; 6194 } 6195 6196 if (seq <= ipsa->ipsa_replay) { 6197 /* 6198 * This seq is in the replay window. I'm not below it, 6199 * because I already checked for that above! 6200 */ 6201 diff = ipsa->ipsa_replay - seq; 6202 if (ipsa_is_replay_set(ipsa, diff)) 6203 goto done; 6204 } 6205 /* Else return B_TRUE, I'm going to advance the window. */ 6206 6207 rc = B_TRUE; 6208 done: 6209 mutex_exit(&ipsa->ipsa_lock); 6210 return (rc); 6211 } 6212 6213 /* 6214 * Delete a single SA. 6215 * 6216 * For now, use the quick-and-dirty trick of making the association's 6217 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager(). 6218 */ 6219 void 6220 sadb_replay_delete(ipsa_t *assoc) 6221 { 6222 mutex_enter(&assoc->ipsa_lock); 6223 assoc->ipsa_hardexpiretime = (time_t)1; 6224 mutex_exit(&assoc->ipsa_lock); 6225 } 6226 6227 /* 6228 * Special front-end to ipsec_rl_strlog() dealing with SA failure. 6229 * this is designed to take only a format string with "* %x * %s *", so 6230 * that "spi" is printed first, then "addr" is converted using inet_pton(). 6231 * 6232 * This is abstracted out to save the stack space for only when inet_pton() 6233 * is called. Make sure "spi" is in network order; it usually is when this 6234 * would get called. 6235 */ 6236 void 6237 ipsec_assocfailure(short mid, short sid, char level, ushort_t sl, char *fmt, 6238 uint32_t spi, void *addr, int af, netstack_t *ns) 6239 { 6240 char buf[INET6_ADDRSTRLEN]; 6241 6242 ASSERT(af == AF_INET6 || af == AF_INET); 6243 6244 ipsec_rl_strlog(ns, mid, sid, level, sl, fmt, ntohl(spi), 6245 inet_ntop(af, addr, buf, sizeof (buf))); 6246 } 6247 6248 /* 6249 * Fills in a reference to the policy, if any, from the conn, in *ppp 6250 */ 6251 static void 6252 ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp) 6253 { 6254 ipsec_policy_t *pp; 6255 ipsec_latch_t *ipl = connp->conn_latch; 6256 6257 if ((ipl != NULL) && (connp->conn_ixa->ixa_ipsec_policy != NULL)) { 6258 pp = connp->conn_ixa->ixa_ipsec_policy; 6259 IPPOL_REFHOLD(pp); 6260 } else { 6261 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, sel, 6262 connp->conn_netstack); 6263 } 6264 *ppp = pp; 6265 } 6266 6267 /* 6268 * The following functions scan through active conn_t structures 6269 * and return a reference to the best-matching policy it can find. 6270 * Caller must release the reference. 6271 */ 6272 static void 6273 ipsec_udp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) 6274 { 6275 connf_t *connfp; 6276 conn_t *connp = NULL; 6277 ipsec_selector_t portonly; 6278 6279 bzero((void *)&portonly, sizeof (portonly)); 6280 6281 if (sel->ips_local_port == 0) 6282 return; 6283 6284 connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(sel->ips_local_port, 6285 ipst)]; 6286 mutex_enter(&connfp->connf_lock); 6287 6288 if (sel->ips_isv4) { 6289 connp = connfp->connf_head; 6290 while (connp != NULL) { 6291 if (IPCL_UDP_MATCH(connp, sel->ips_local_port, 6292 sel->ips_local_addr_v4, sel->ips_remote_port, 6293 sel->ips_remote_addr_v4)) 6294 break; 6295 connp = connp->conn_next; 6296 } 6297 6298 if (connp == NULL) { 6299 /* Try port-only match in IPv6. */ 6300 portonly.ips_local_port = sel->ips_local_port; 6301 sel = &portonly; 6302 } 6303 } 6304 6305 if (connp == NULL) { 6306 connp = connfp->connf_head; 6307 while (connp != NULL) { 6308 if (IPCL_UDP_MATCH_V6(connp, sel->ips_local_port, 6309 sel->ips_local_addr_v6, sel->ips_remote_port, 6310 sel->ips_remote_addr_v6)) 6311 break; 6312 connp = connp->conn_next; 6313 } 6314 6315 if (connp == NULL) { 6316 mutex_exit(&connfp->connf_lock); 6317 return; 6318 } 6319 } 6320 6321 CONN_INC_REF(connp); 6322 mutex_exit(&connfp->connf_lock); 6323 6324 ipsec_conn_pol(sel, connp, ppp); 6325 CONN_DEC_REF(connp); 6326 } 6327 6328 static conn_t * 6329 ipsec_find_listen_conn(uint16_t *pptr, ipsec_selector_t *sel, ip_stack_t *ipst) 6330 { 6331 connf_t *connfp; 6332 conn_t *connp = NULL; 6333 const in6_addr_t *v6addrmatch = &sel->ips_local_addr_v6; 6334 6335 if (sel->ips_local_port == 0) 6336 return (NULL); 6337 6338 connfp = &ipst->ips_ipcl_bind_fanout[ 6339 IPCL_BIND_HASH(sel->ips_local_port, ipst)]; 6340 mutex_enter(&connfp->connf_lock); 6341 6342 if (sel->ips_isv4) { 6343 connp = connfp->connf_head; 6344 while (connp != NULL) { 6345 if (IPCL_BIND_MATCH(connp, IPPROTO_TCP, 6346 sel->ips_local_addr_v4, pptr[1])) 6347 break; 6348 connp = connp->conn_next; 6349 } 6350 6351 if (connp == NULL) { 6352 /* Match to all-zeroes. */ 6353 v6addrmatch = &ipv6_all_zeros; 6354 } 6355 } 6356 6357 if (connp == NULL) { 6358 connp = connfp->connf_head; 6359 while (connp != NULL) { 6360 if (IPCL_BIND_MATCH_V6(connp, IPPROTO_TCP, 6361 *v6addrmatch, pptr[1])) 6362 break; 6363 connp = connp->conn_next; 6364 } 6365 6366 if (connp == NULL) { 6367 mutex_exit(&connfp->connf_lock); 6368 return (NULL); 6369 } 6370 } 6371 6372 CONN_INC_REF(connp); 6373 mutex_exit(&connfp->connf_lock); 6374 return (connp); 6375 } 6376 6377 static void 6378 ipsec_tcp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) 6379 { 6380 connf_t *connfp; 6381 conn_t *connp; 6382 uint32_t ports; 6383 uint16_t *pptr = (uint16_t *)&ports; 6384 6385 /* 6386 * Find TCP state in the following order: 6387 * 1.) Connected conns. 6388 * 2.) Listeners. 6389 * 6390 * Even though #2 will be the common case for inbound traffic, only 6391 * following this order insures correctness. 6392 */ 6393 6394 if (sel->ips_local_port == 0) 6395 return; 6396 6397 /* 6398 * 0 should be fport, 1 should be lport. SRC is the local one here. 6399 * See ipsec_construct_inverse_acquire() for details. 6400 */ 6401 pptr[0] = sel->ips_remote_port; 6402 pptr[1] = sel->ips_local_port; 6403 6404 connfp = &ipst->ips_ipcl_conn_fanout[ 6405 IPCL_CONN_HASH(sel->ips_remote_addr_v4, ports, ipst)]; 6406 mutex_enter(&connfp->connf_lock); 6407 connp = connfp->connf_head; 6408 6409 if (sel->ips_isv4) { 6410 while (connp != NULL) { 6411 if (IPCL_CONN_MATCH(connp, IPPROTO_TCP, 6412 sel->ips_remote_addr_v4, sel->ips_local_addr_v4, 6413 ports)) 6414 break; 6415 connp = connp->conn_next; 6416 } 6417 } else { 6418 while (connp != NULL) { 6419 if (IPCL_CONN_MATCH_V6(connp, IPPROTO_TCP, 6420 sel->ips_remote_addr_v6, sel->ips_local_addr_v6, 6421 ports)) 6422 break; 6423 connp = connp->conn_next; 6424 } 6425 } 6426 6427 if (connp != NULL) { 6428 CONN_INC_REF(connp); 6429 mutex_exit(&connfp->connf_lock); 6430 } else { 6431 mutex_exit(&connfp->connf_lock); 6432 6433 /* Try the listen hash. */ 6434 if ((connp = ipsec_find_listen_conn(pptr, sel, ipst)) == NULL) 6435 return; 6436 } 6437 6438 ipsec_conn_pol(sel, connp, ppp); 6439 CONN_DEC_REF(connp); 6440 } 6441 6442 static void 6443 ipsec_sctp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6444 ip_stack_t *ipst) 6445 { 6446 conn_t *connp; 6447 uint32_t ports; 6448 uint16_t *pptr = (uint16_t *)&ports; 6449 6450 /* 6451 * Find SCP state in the following order: 6452 * 1.) Connected conns. 6453 * 2.) Listeners. 6454 * 6455 * Even though #2 will be the common case for inbound traffic, only 6456 * following this order insures correctness. 6457 */ 6458 6459 if (sel->ips_local_port == 0) 6460 return; 6461 6462 /* 6463 * 0 should be fport, 1 should be lport. SRC is the local one here. 6464 * See ipsec_construct_inverse_acquire() for details. 6465 */ 6466 pptr[0] = sel->ips_remote_port; 6467 pptr[1] = sel->ips_local_port; 6468 6469 /* 6470 * For labeled systems, there's no need to check the 6471 * label here. It's known to be good as we checked 6472 * before allowing the connection to become bound. 6473 */ 6474 if (sel->ips_isv4) { 6475 in6_addr_t src, dst; 6476 6477 IN6_IPADDR_TO_V4MAPPED(sel->ips_remote_addr_v4, &dst); 6478 IN6_IPADDR_TO_V4MAPPED(sel->ips_local_addr_v4, &src); 6479 connp = sctp_find_conn(&dst, &src, ports, ALL_ZONES, 6480 0, ipst->ips_netstack->netstack_sctp); 6481 } else { 6482 connp = sctp_find_conn(&sel->ips_remote_addr_v6, 6483 &sel->ips_local_addr_v6, ports, ALL_ZONES, 6484 0, ipst->ips_netstack->netstack_sctp); 6485 } 6486 if (connp == NULL) 6487 return; 6488 ipsec_conn_pol(sel, connp, ppp); 6489 CONN_DEC_REF(connp); 6490 } 6491 6492 /* 6493 * Fill in a query for the SPD (in "sel") using two PF_KEY address extensions. 6494 * Returns 0 or errno, and always sets *diagnostic to something appropriate 6495 * to PF_KEY. 6496 * 6497 * NOTE: For right now, this function (and ipsec_selector_t for that matter), 6498 * ignore prefix lengths in the address extension. Since we match on first- 6499 * entered policies, this shouldn't matter. Also, since we normalize prefix- 6500 * set addresses to mask out the lower bits, we should get a suitable search 6501 * key for the SPD anyway. This is the function to change if the assumption 6502 * about suitable search keys is wrong. 6503 */ 6504 static int 6505 ipsec_get_inverse_acquire_sel(ipsec_selector_t *sel, sadb_address_t *srcext, 6506 sadb_address_t *dstext, int *diagnostic) 6507 { 6508 struct sockaddr_in *src, *dst; 6509 struct sockaddr_in6 *src6, *dst6; 6510 6511 *diagnostic = 0; 6512 6513 bzero(sel, sizeof (*sel)); 6514 sel->ips_protocol = srcext->sadb_address_proto; 6515 dst = (struct sockaddr_in *)(dstext + 1); 6516 if (dst->sin_family == AF_INET6) { 6517 dst6 = (struct sockaddr_in6 *)dst; 6518 src6 = (struct sockaddr_in6 *)(srcext + 1); 6519 if (src6->sin6_family != AF_INET6) { 6520 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6521 return (EINVAL); 6522 } 6523 sel->ips_remote_addr_v6 = dst6->sin6_addr; 6524 sel->ips_local_addr_v6 = src6->sin6_addr; 6525 if (sel->ips_protocol == IPPROTO_ICMPV6) { 6526 sel->ips_is_icmp_inv_acq = 1; 6527 } else { 6528 sel->ips_remote_port = dst6->sin6_port; 6529 sel->ips_local_port = src6->sin6_port; 6530 } 6531 sel->ips_isv4 = B_FALSE; 6532 } else { 6533 src = (struct sockaddr_in *)(srcext + 1); 6534 if (src->sin_family != AF_INET) { 6535 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6536 return (EINVAL); 6537 } 6538 sel->ips_remote_addr_v4 = dst->sin_addr.s_addr; 6539 sel->ips_local_addr_v4 = src->sin_addr.s_addr; 6540 if (sel->ips_protocol == IPPROTO_ICMP) { 6541 sel->ips_is_icmp_inv_acq = 1; 6542 } else { 6543 sel->ips_remote_port = dst->sin_port; 6544 sel->ips_local_port = src->sin_port; 6545 } 6546 sel->ips_isv4 = B_TRUE; 6547 } 6548 return (0); 6549 } 6550 6551 /* 6552 * We have encapsulation. 6553 * - Lookup tun_t by address and look for an associated 6554 * tunnel policy 6555 * - If there are inner selectors 6556 * - check ITPF_P_TUNNEL and ITPF_P_ACTIVE 6557 * - Look up tunnel policy based on selectors 6558 * - Else 6559 * - Sanity check the negotation 6560 * - If appropriate, fall through to global policy 6561 */ 6562 static int 6563 ipsec_tun_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6564 sadb_address_t *innsrcext, sadb_address_t *inndstext, ipsec_tun_pol_t *itp, 6565 int *diagnostic) 6566 { 6567 int err; 6568 ipsec_policy_head_t *polhead; 6569 6570 *diagnostic = 0; 6571 6572 /* Check for inner selectors and act appropriately */ 6573 6574 if (innsrcext != NULL) { 6575 /* Inner selectors present */ 6576 ASSERT(inndstext != NULL); 6577 if ((itp == NULL) || 6578 (itp->itp_flags & (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) != 6579 (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) { 6580 /* 6581 * If inner packet selectors, we must have negotiate 6582 * tunnel and active policy. If the tunnel has 6583 * transport-mode policy set on it, or has no policy, 6584 * fail. 6585 */ 6586 return (ENOENT); 6587 } else { 6588 /* 6589 * Reset "sel" to indicate inner selectors. Pass 6590 * inner PF_KEY address extensions for this to happen. 6591 */ 6592 if ((err = ipsec_get_inverse_acquire_sel(sel, 6593 innsrcext, inndstext, diagnostic)) != 0) 6594 return (err); 6595 /* 6596 * Now look for a tunnel policy based on those inner 6597 * selectors. (Common code is below.) 6598 */ 6599 } 6600 } else { 6601 /* No inner selectors present */ 6602 if ((itp == NULL) || !(itp->itp_flags & ITPF_P_ACTIVE)) { 6603 /* 6604 * Transport mode negotiation with no tunnel policy 6605 * configured - return to indicate a global policy 6606 * check is needed. 6607 */ 6608 return (0); 6609 } else if (itp->itp_flags & ITPF_P_TUNNEL) { 6610 /* Tunnel mode set with no inner selectors. */ 6611 return (ENOENT); 6612 } 6613 /* 6614 * Else, this is a tunnel policy configured with ifconfig(1m) 6615 * or "negotiate transport" with ipsecconf(1m). We have an 6616 * itp with policy set based on any match, so don't bother 6617 * changing fields in "sel". 6618 */ 6619 } 6620 6621 ASSERT(itp != NULL); 6622 polhead = itp->itp_policy; 6623 ASSERT(polhead != NULL); 6624 rw_enter(&polhead->iph_lock, RW_READER); 6625 *ppp = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_INBOUND, sel); 6626 rw_exit(&polhead->iph_lock); 6627 6628 /* 6629 * Don't default to global if we didn't find a matching policy entry. 6630 * Instead, send ENOENT, just like if we hit a transport-mode tunnel. 6631 */ 6632 if (*ppp == NULL) 6633 return (ENOENT); 6634 6635 return (0); 6636 } 6637 6638 /* 6639 * For sctp conn_faddr is the primary address, hence this is of limited 6640 * use for sctp. 6641 */ 6642 static void 6643 ipsec_oth_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6644 ip_stack_t *ipst) 6645 { 6646 boolean_t isv4 = sel->ips_isv4; 6647 connf_t *connfp; 6648 conn_t *connp; 6649 6650 if (isv4) { 6651 connfp = &ipst->ips_ipcl_proto_fanout_v4[sel->ips_protocol]; 6652 } else { 6653 connfp = &ipst->ips_ipcl_proto_fanout_v6[sel->ips_protocol]; 6654 } 6655 6656 mutex_enter(&connfp->connf_lock); 6657 for (connp = connfp->connf_head; connp != NULL; 6658 connp = connp->conn_next) { 6659 if (isv4) { 6660 if ((connp->conn_laddr_v4 == INADDR_ANY || 6661 connp->conn_laddr_v4 == sel->ips_local_addr_v4) && 6662 (connp->conn_faddr_v4 == INADDR_ANY || 6663 connp->conn_faddr_v4 == sel->ips_remote_addr_v4)) 6664 break; 6665 } else { 6666 if ((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6) || 6667 IN6_ARE_ADDR_EQUAL(&connp->conn_laddr_v6, 6668 &sel->ips_local_addr_v6)) && 6669 (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) || 6670 IN6_ARE_ADDR_EQUAL(&connp->conn_faddr_v6, 6671 &sel->ips_remote_addr_v6))) 6672 break; 6673 } 6674 } 6675 if (connp == NULL) { 6676 mutex_exit(&connfp->connf_lock); 6677 return; 6678 } 6679 6680 CONN_INC_REF(connp); 6681 mutex_exit(&connfp->connf_lock); 6682 6683 ipsec_conn_pol(sel, connp, ppp); 6684 CONN_DEC_REF(connp); 6685 } 6686 6687 /* 6688 * Construct an inverse ACQUIRE reply based on: 6689 * 6690 * 1.) Current global policy. 6691 * 2.) An conn_t match depending on what all was passed in the extv[]. 6692 * 3.) A tunnel's policy head. 6693 * ... 6694 * N.) Other stuff TBD (e.g. identities) 6695 * 6696 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic 6697 * in this function so the caller can extract them where appropriately. 6698 * 6699 * The SRC address is the local one - just like an outbound ACQUIRE message. 6700 * 6701 * XXX MLS: key management supplies a label which we just reflect back up 6702 * again. clearly we need to involve the label in the rest of the checks. 6703 */ 6704 mblk_t * 6705 ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[], 6706 netstack_t *ns) 6707 { 6708 int err; 6709 int diagnostic; 6710 sadb_address_t *srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC], 6711 *dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST], 6712 *innsrcext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC], 6713 *inndstext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]; 6714 sadb_sens_t *sens = (sadb_sens_t *)extv[SADB_EXT_SENSITIVITY]; 6715 struct sockaddr_in6 *src, *dst; 6716 struct sockaddr_in6 *isrc, *idst; 6717 ipsec_tun_pol_t *itp = NULL; 6718 ipsec_policy_t *pp = NULL; 6719 ipsec_selector_t sel, isel; 6720 mblk_t *retmp = NULL; 6721 ip_stack_t *ipst = ns->netstack_ip; 6722 6723 6724 /* Normalize addresses */ 6725 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)srcext, 0, ns) 6726 == KS_IN_ADDR_UNKNOWN) { 6727 err = EINVAL; 6728 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC; 6729 goto bail; 6730 } 6731 src = (struct sockaddr_in6 *)(srcext + 1); 6732 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)dstext, 0, ns) 6733 == KS_IN_ADDR_UNKNOWN) { 6734 err = EINVAL; 6735 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST; 6736 goto bail; 6737 } 6738 dst = (struct sockaddr_in6 *)(dstext + 1); 6739 if (src->sin6_family != dst->sin6_family) { 6740 err = EINVAL; 6741 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6742 goto bail; 6743 } 6744 6745 /* Check for tunnel mode and act appropriately */ 6746 if (innsrcext != NULL) { 6747 if (inndstext == NULL) { 6748 err = EINVAL; 6749 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_DST; 6750 goto bail; 6751 } 6752 if (sadb_addrcheck(NULL, (mblk_t *)samsg, 6753 (sadb_ext_t *)innsrcext, 0, ns) == KS_IN_ADDR_UNKNOWN) { 6754 err = EINVAL; 6755 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC; 6756 goto bail; 6757 } 6758 isrc = (struct sockaddr_in6 *)(innsrcext + 1); 6759 if (sadb_addrcheck(NULL, (mblk_t *)samsg, 6760 (sadb_ext_t *)inndstext, 0, ns) == KS_IN_ADDR_UNKNOWN) { 6761 err = EINVAL; 6762 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST; 6763 goto bail; 6764 } 6765 idst = (struct sockaddr_in6 *)(inndstext + 1); 6766 if (isrc->sin6_family != idst->sin6_family) { 6767 err = EINVAL; 6768 diagnostic = SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 6769 goto bail; 6770 } 6771 if (isrc->sin6_family != AF_INET && 6772 isrc->sin6_family != AF_INET6) { 6773 err = EINVAL; 6774 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF; 6775 goto bail; 6776 } 6777 } else if (inndstext != NULL) { 6778 err = EINVAL; 6779 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC; 6780 goto bail; 6781 } 6782 6783 /* Get selectors first, based on outer addresses */ 6784 err = ipsec_get_inverse_acquire_sel(&sel, srcext, dstext, &diagnostic); 6785 if (err != 0) 6786 goto bail; 6787 6788 /* Check for tunnel mode mismatches. */ 6789 if (innsrcext != NULL && 6790 ((isrc->sin6_family == AF_INET && 6791 sel.ips_protocol != IPPROTO_ENCAP && sel.ips_protocol != 0) || 6792 (isrc->sin6_family == AF_INET6 && 6793 sel.ips_protocol != IPPROTO_IPV6 && sel.ips_protocol != 0))) { 6794 err = EPROTOTYPE; 6795 goto bail; 6796 } 6797 6798 /* 6799 * Okay, we have the addresses and other selector information. 6800 * Let's first find a conn... 6801 */ 6802 pp = NULL; 6803 switch (sel.ips_protocol) { 6804 case IPPROTO_TCP: 6805 ipsec_tcp_pol(&sel, &pp, ipst); 6806 break; 6807 case IPPROTO_UDP: 6808 ipsec_udp_pol(&sel, &pp, ipst); 6809 break; 6810 case IPPROTO_SCTP: 6811 ipsec_sctp_pol(&sel, &pp, ipst); 6812 break; 6813 case IPPROTO_ENCAP: 6814 case IPPROTO_IPV6: 6815 /* 6816 * Assume sel.ips_remote_addr_* has the right address at 6817 * that exact position. 6818 */ 6819 itp = itp_get_byaddr((uint32_t *)(&sel.ips_local_addr_v6), 6820 (uint32_t *)(&sel.ips_remote_addr_v6), src->sin6_family, 6821 ipst); 6822 6823 if (innsrcext == NULL) { 6824 /* 6825 * Transport-mode tunnel, make sure we fake out isel 6826 * to contain something based on the outer protocol. 6827 */ 6828 bzero(&isel, sizeof (isel)); 6829 isel.ips_isv4 = (sel.ips_protocol == IPPROTO_ENCAP); 6830 } /* Else isel is initialized by ipsec_tun_pol(). */ 6831 err = ipsec_tun_pol(&isel, &pp, innsrcext, inndstext, itp, 6832 &diagnostic); 6833 /* 6834 * NOTE: isel isn't used for now, but in RFC 430x IPsec, it 6835 * may be. 6836 */ 6837 if (err != 0) 6838 goto bail; 6839 break; 6840 default: 6841 ipsec_oth_pol(&sel, &pp, ipst); 6842 break; 6843 } 6844 6845 /* 6846 * If we didn't find a matching conn_t or other policy head, take a 6847 * look in the global policy. 6848 */ 6849 if (pp == NULL) { 6850 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, &sel, ns); 6851 if (pp == NULL) { 6852 /* There's no global policy. */ 6853 err = ENOENT; 6854 diagnostic = 0; 6855 goto bail; 6856 } 6857 } 6858 6859 /* 6860 * Now that we have a policy entry/widget, construct an ACQUIRE 6861 * message based on that, fix fields where appropriate, 6862 * and return the message. 6863 */ 6864 retmp = sadb_extended_acquire(&sel, pp, NULL, 6865 (itp != NULL && (itp->itp_flags & ITPF_P_TUNNEL)), 6866 samsg->sadb_msg_seq, samsg->sadb_msg_pid, sens, ns); 6867 if (pp != NULL) { 6868 IPPOL_REFRELE(pp); 6869 } 6870 ASSERT(err == 0 && diagnostic == 0); 6871 if (retmp == NULL) 6872 err = ENOMEM; 6873 bail: 6874 if (itp != NULL) { 6875 ITP_REFRELE(itp, ns); 6876 } 6877 samsg->sadb_msg_errno = (uint8_t)err; 6878 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 6879 return (retmp); 6880 } 6881 6882 /* 6883 * ipsa_lpkt is a one-element queue, only manipulated by the next two 6884 * functions. They have to hold the ipsa_lock because of potential races 6885 * between key management using SADB_UPDATE, and inbound packets that may 6886 * queue up on the larval SA (hence the 'l' in "lpkt"). 6887 */ 6888 6889 /* 6890 * sadb_set_lpkt: 6891 * 6892 * Returns the passed-in packet if the SA is no longer larval. 6893 * 6894 * Returns NULL if the SA is larval, and needs to be swapped into the SA for 6895 * processing after an SADB_UPDATE. 6896 */ 6897 mblk_t * 6898 sadb_set_lpkt(ipsa_t *ipsa, mblk_t *npkt, ip_recv_attr_t *ira) 6899 { 6900 mblk_t *opkt; 6901 6902 mutex_enter(&ipsa->ipsa_lock); 6903 opkt = ipsa->ipsa_lpkt; 6904 if (ipsa->ipsa_state == IPSA_STATE_LARVAL) { 6905 /* 6906 * Consume npkt and place it in the LARVAL SA's inbound 6907 * packet slot. 6908 */ 6909 mblk_t *attrmp; 6910 6911 attrmp = ip_recv_attr_to_mblk(ira); 6912 if (attrmp == NULL) { 6913 ill_t *ill = ira->ira_ill; 6914 6915 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards); 6916 ip_drop_input("ipIfStatsInDiscards", npkt, ill); 6917 freemsg(npkt); 6918 opkt = NULL; 6919 } else { 6920 ASSERT(attrmp->b_cont == NULL); 6921 attrmp->b_cont = npkt; 6922 ipsa->ipsa_lpkt = attrmp; 6923 } 6924 npkt = NULL; 6925 } else { 6926 /* 6927 * If not larval, we lost the race. NOTE: ipsa_lpkt may still 6928 * have been non-NULL in the non-larval case, because of 6929 * inbound packets arriving prior to sadb_common_add() 6930 * transferring the SA completely out of larval state, but 6931 * after lpkt was grabbed by the AH/ESP-specific add routines. 6932 * We should clear the old ipsa_lpkt in this case to make sure 6933 * that it doesn't linger on the now-MATURE IPsec SA, or get 6934 * picked up as an out-of-order packet. 6935 */ 6936 ipsa->ipsa_lpkt = NULL; 6937 } 6938 mutex_exit(&ipsa->ipsa_lock); 6939 6940 if (opkt != NULL) { 6941 ipsec_stack_t *ipss; 6942 6943 ipss = ira->ira_ill->ill_ipst->ips_netstack->netstack_ipsec; 6944 opkt = ip_recv_attr_free_mblk(opkt); 6945 ip_drop_packet(opkt, B_TRUE, ira->ira_ill, 6946 DROPPER(ipss, ipds_sadb_inlarval_replace), 6947 &ipss->ipsec_sadb_dropper); 6948 } 6949 return (npkt); 6950 } 6951 6952 /* 6953 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the 6954 * previous value. 6955 */ 6956 mblk_t * 6957 sadb_clear_lpkt(ipsa_t *ipsa) 6958 { 6959 mblk_t *opkt; 6960 6961 mutex_enter(&ipsa->ipsa_lock); 6962 opkt = ipsa->ipsa_lpkt; 6963 ipsa->ipsa_lpkt = NULL; 6964 mutex_exit(&ipsa->ipsa_lock); 6965 return (opkt); 6966 } 6967 6968 /* 6969 * Buffer a packet that's in IDLE state as set by Solaris Clustering. 6970 */ 6971 void 6972 sadb_buf_pkt(ipsa_t *ipsa, mblk_t *bpkt, ip_recv_attr_t *ira) 6973 { 6974 netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack; 6975 ipsec_stack_t *ipss = ns->netstack_ipsec; 6976 in6_addr_t *srcaddr = (in6_addr_t *)(&ipsa->ipsa_srcaddr); 6977 in6_addr_t *dstaddr = (in6_addr_t *)(&ipsa->ipsa_dstaddr); 6978 mblk_t *mp; 6979 6980 ASSERT(ipsa->ipsa_state == IPSA_STATE_IDLE); 6981 6982 if (cl_inet_idlesa == NULL) { 6983 ip_drop_packet(bpkt, B_TRUE, ira->ira_ill, 6984 DROPPER(ipss, ipds_sadb_inidle_overflow), 6985 &ipss->ipsec_sadb_dropper); 6986 return; 6987 } 6988 6989 cl_inet_idlesa(ns->netstack_stackid, 6990 (ipsa->ipsa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP, 6991 ipsa->ipsa_spi, ipsa->ipsa_addrfam, *srcaddr, *dstaddr, NULL); 6992 6993 mp = ip_recv_attr_to_mblk(ira); 6994 if (mp == NULL) { 6995 ip_drop_packet(bpkt, B_TRUE, ira->ira_ill, 6996 DROPPER(ipss, ipds_sadb_inidle_overflow), 6997 &ipss->ipsec_sadb_dropper); 6998 return; 6999 } 7000 linkb(mp, bpkt); 7001 7002 mutex_enter(&ipsa->ipsa_lock); 7003 ipsa->ipsa_mblkcnt++; 7004 if (ipsa->ipsa_bpkt_head == NULL) { 7005 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_tail = bpkt; 7006 } else { 7007 ipsa->ipsa_bpkt_tail->b_next = bpkt; 7008 ipsa->ipsa_bpkt_tail = bpkt; 7009 if (ipsa->ipsa_mblkcnt > SADB_MAX_IDLEPKTS) { 7010 mblk_t *tmp; 7011 7012 tmp = ipsa->ipsa_bpkt_head; 7013 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_head->b_next; 7014 tmp = ip_recv_attr_free_mblk(tmp); 7015 ip_drop_packet(tmp, B_TRUE, NULL, 7016 DROPPER(ipss, ipds_sadb_inidle_overflow), 7017 &ipss->ipsec_sadb_dropper); 7018 ipsa->ipsa_mblkcnt --; 7019 } 7020 } 7021 mutex_exit(&ipsa->ipsa_lock); 7022 } 7023 7024 /* 7025 * Stub function that taskq_dispatch() invokes to take the mblk (in arg) 7026 * and put into STREAMS again. 7027 */ 7028 void 7029 sadb_clear_buf_pkt(void *ipkt) 7030 { 7031 mblk_t *tmp, *buf_pkt; 7032 ip_recv_attr_t iras; 7033 7034 buf_pkt = (mblk_t *)ipkt; 7035 7036 while (buf_pkt != NULL) { 7037 mblk_t *data_mp; 7038 7039 tmp = buf_pkt->b_next; 7040 buf_pkt->b_next = NULL; 7041 7042 data_mp = buf_pkt->b_cont; 7043 buf_pkt->b_cont = NULL; 7044 if (!ip_recv_attr_from_mblk(buf_pkt, &iras)) { 7045 /* The ill or ip_stack_t disappeared on us. */ 7046 ip_drop_input("ip_recv_attr_from_mblk", data_mp, NULL); 7047 freemsg(data_mp); 7048 } else { 7049 ip_input_post_ipsec(data_mp, &iras); 7050 } 7051 ira_cleanup(&iras, B_TRUE); 7052 buf_pkt = tmp; 7053 } 7054 } 7055 /* 7056 * Walker callback used by sadb_alg_update() to free/create crypto 7057 * context template when a crypto software provider is removed or 7058 * added. 7059 */ 7060 7061 struct sadb_update_alg_state { 7062 ipsec_algtype_t alg_type; 7063 uint8_t alg_id; 7064 boolean_t is_added; 7065 boolean_t async_auth; 7066 boolean_t async_encr; 7067 }; 7068 7069 static void 7070 sadb_alg_update_cb(isaf_t *head, ipsa_t *entry, void *cookie) 7071 { 7072 struct sadb_update_alg_state *update_state = 7073 (struct sadb_update_alg_state *)cookie; 7074 crypto_ctx_template_t *ctx_tmpl = NULL; 7075 7076 ASSERT(MUTEX_HELD(&head->isaf_lock)); 7077 7078 if (entry->ipsa_state == IPSA_STATE_LARVAL) 7079 return; 7080 7081 mutex_enter(&entry->ipsa_lock); 7082 7083 if ((entry->ipsa_encr_alg != SADB_EALG_NONE && entry->ipsa_encr_alg != 7084 SADB_EALG_NULL && update_state->async_encr) || 7085 (entry->ipsa_auth_alg != SADB_AALG_NONE && 7086 update_state->async_auth)) { 7087 entry->ipsa_flags |= IPSA_F_ASYNC; 7088 } else { 7089 entry->ipsa_flags &= ~IPSA_F_ASYNC; 7090 } 7091 7092 switch (update_state->alg_type) { 7093 case IPSEC_ALG_AUTH: 7094 if (entry->ipsa_auth_alg == update_state->alg_id) 7095 ctx_tmpl = &entry->ipsa_authtmpl; 7096 break; 7097 case IPSEC_ALG_ENCR: 7098 if (entry->ipsa_encr_alg == update_state->alg_id) 7099 ctx_tmpl = &entry->ipsa_encrtmpl; 7100 break; 7101 default: 7102 ctx_tmpl = NULL; 7103 } 7104 7105 if (ctx_tmpl == NULL) { 7106 mutex_exit(&entry->ipsa_lock); 7107 return; 7108 } 7109 7110 /* 7111 * The context template of the SA may be affected by the change 7112 * of crypto provider. 7113 */ 7114 if (update_state->is_added) { 7115 /* create the context template if not already done */ 7116 if (*ctx_tmpl == NULL) { 7117 (void) ipsec_create_ctx_tmpl(entry, 7118 update_state->alg_type); 7119 } 7120 } else { 7121 /* 7122 * The crypto provider was removed. If the context template 7123 * exists but it is no longer valid, free it. 7124 */ 7125 if (*ctx_tmpl != NULL) 7126 ipsec_destroy_ctx_tmpl(entry, update_state->alg_type); 7127 } 7128 7129 mutex_exit(&entry->ipsa_lock); 7130 } 7131 7132 /* 7133 * Invoked by IP when an software crypto provider has been updated, or if 7134 * the crypto synchrony changes. The type and id of the corresponding 7135 * algorithm is passed as argument. The type is set to ALL in the case of 7136 * a synchrony change. 7137 * 7138 * is_added is B_TRUE if the provider was added, B_FALSE if it was 7139 * removed. The function updates the SADB and free/creates the 7140 * context templates associated with SAs if needed. 7141 */ 7142 7143 #define SADB_ALG_UPDATE_WALK(sadb, table) \ 7144 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \ 7145 &update_state) 7146 7147 void 7148 sadb_alg_update(ipsec_algtype_t alg_type, uint8_t alg_id, boolean_t is_added, 7149 netstack_t *ns) 7150 { 7151 struct sadb_update_alg_state update_state; 7152 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 7153 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 7154 ipsec_stack_t *ipss = ns->netstack_ipsec; 7155 7156 update_state.alg_type = alg_type; 7157 update_state.alg_id = alg_id; 7158 update_state.is_added = is_added; 7159 update_state.async_auth = ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] == 7160 IPSEC_ALGS_EXEC_ASYNC; 7161 update_state.async_encr = ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] == 7162 IPSEC_ALGS_EXEC_ASYNC; 7163 7164 if (alg_type == IPSEC_ALG_AUTH || alg_type == IPSEC_ALG_ALL) { 7165 /* walk the AH tables only for auth. algorithm changes */ 7166 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_of); 7167 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_if); 7168 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_of); 7169 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_if); 7170 } 7171 7172 /* walk the ESP tables */ 7173 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_of); 7174 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_if); 7175 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_of); 7176 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_if); 7177 } 7178 7179 /* 7180 * Creates a context template for the specified SA. This function 7181 * is called when an SA is created and when a context template needs 7182 * to be created due to a change of software provider. 7183 */ 7184 int 7185 ipsec_create_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 7186 { 7187 ipsec_alginfo_t *alg; 7188 crypto_mechanism_t mech; 7189 crypto_key_t *key; 7190 crypto_ctx_template_t *sa_tmpl; 7191 int rv; 7192 ipsec_stack_t *ipss = sa->ipsa_netstack->netstack_ipsec; 7193 7194 ASSERT(RW_READ_HELD(&ipss->ipsec_alg_lock)); 7195 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 7196 7197 /* get pointers to the algorithm info, context template, and key */ 7198 switch (alg_type) { 7199 case IPSEC_ALG_AUTH: 7200 key = &sa->ipsa_kcfauthkey; 7201 sa_tmpl = &sa->ipsa_authtmpl; 7202 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_auth_alg]; 7203 break; 7204 case IPSEC_ALG_ENCR: 7205 key = &sa->ipsa_kcfencrkey; 7206 sa_tmpl = &sa->ipsa_encrtmpl; 7207 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_encr_alg]; 7208 break; 7209 default: 7210 alg = NULL; 7211 } 7212 7213 if (alg == NULL || !ALG_VALID(alg)) 7214 return (EINVAL); 7215 7216 /* initialize the mech info structure for the framework */ 7217 ASSERT(alg->alg_mech_type != CRYPTO_MECHANISM_INVALID); 7218 mech.cm_type = alg->alg_mech_type; 7219 mech.cm_param = NULL; 7220 mech.cm_param_len = 0; 7221 7222 /* create a new context template */ 7223 rv = crypto_create_ctx_template(&mech, key, sa_tmpl, KM_NOSLEEP); 7224 7225 /* 7226 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware 7227 * providers are available for that mechanism. In that case 7228 * we don't fail, and will generate the context template from 7229 * the framework callback when a software provider for that 7230 * mechanism registers. 7231 * 7232 * The context template is assigned the special value 7233 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a 7234 * lack of memory. No attempt will be made to use 7235 * the context template if it is set to this value. 7236 */ 7237 if (rv == CRYPTO_HOST_MEMORY) { 7238 *sa_tmpl = IPSEC_CTX_TMPL_ALLOC; 7239 } else if (rv != CRYPTO_SUCCESS) { 7240 *sa_tmpl = NULL; 7241 if (rv != CRYPTO_MECH_NOT_SUPPORTED) 7242 return (EINVAL); 7243 } 7244 7245 return (0); 7246 } 7247 7248 /* 7249 * Destroy the context template of the specified algorithm type 7250 * of the specified SA. Must be called while holding the SA lock. 7251 */ 7252 void 7253 ipsec_destroy_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 7254 { 7255 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 7256 7257 if (alg_type == IPSEC_ALG_AUTH) { 7258 if (sa->ipsa_authtmpl == IPSEC_CTX_TMPL_ALLOC) 7259 sa->ipsa_authtmpl = NULL; 7260 else if (sa->ipsa_authtmpl != NULL) { 7261 crypto_destroy_ctx_template(sa->ipsa_authtmpl); 7262 sa->ipsa_authtmpl = NULL; 7263 } 7264 } else { 7265 ASSERT(alg_type == IPSEC_ALG_ENCR); 7266 if (sa->ipsa_encrtmpl == IPSEC_CTX_TMPL_ALLOC) 7267 sa->ipsa_encrtmpl = NULL; 7268 else if (sa->ipsa_encrtmpl != NULL) { 7269 crypto_destroy_ctx_template(sa->ipsa_encrtmpl); 7270 sa->ipsa_encrtmpl = NULL; 7271 } 7272 } 7273 } 7274 7275 /* 7276 * Use the kernel crypto framework to check the validity of a key received 7277 * via keysock. Returns 0 if the key is OK, -1 otherwise. 7278 */ 7279 int 7280 ipsec_check_key(crypto_mech_type_t mech_type, sadb_key_t *sadb_key, 7281 boolean_t is_auth, int *diag) 7282 { 7283 crypto_mechanism_t mech; 7284 crypto_key_t crypto_key; 7285 int crypto_rc; 7286 7287 mech.cm_type = mech_type; 7288 mech.cm_param = NULL; 7289 mech.cm_param_len = 0; 7290 7291 crypto_key.ck_format = CRYPTO_KEY_RAW; 7292 crypto_key.ck_data = sadb_key + 1; 7293 crypto_key.ck_length = sadb_key->sadb_key_bits; 7294 7295 crypto_rc = crypto_key_check(&mech, &crypto_key); 7296 7297 switch (crypto_rc) { 7298 case CRYPTO_SUCCESS: 7299 return (0); 7300 case CRYPTO_MECHANISM_INVALID: 7301 case CRYPTO_MECH_NOT_SUPPORTED: 7302 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AALG : 7303 SADB_X_DIAGNOSTIC_BAD_EALG; 7304 break; 7305 case CRYPTO_KEY_SIZE_RANGE: 7306 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AKEYBITS : 7307 SADB_X_DIAGNOSTIC_BAD_EKEYBITS; 7308 break; 7309 case CRYPTO_WEAK_KEY: 7310 *diag = is_auth ? SADB_X_DIAGNOSTIC_WEAK_AKEY : 7311 SADB_X_DIAGNOSTIC_WEAK_EKEY; 7312 break; 7313 } 7314 7315 return (-1); 7316 } 7317 7318 /* 7319 * Whack options in the outer IP header when ipsec changes the outer label 7320 * 7321 * This is inelegant and really could use refactoring. 7322 */ 7323 mblk_t * 7324 sadb_whack_label_v4(mblk_t *mp, ipsa_t *assoc, kstat_named_t *counter, 7325 ipdropper_t *dropper) 7326 { 7327 int delta; 7328 int plen; 7329 dblk_t *db; 7330 int hlen; 7331 uint8_t *opt_storage = assoc->ipsa_opt_storage; 7332 ipha_t *ipha = (ipha_t *)mp->b_rptr; 7333 7334 plen = ntohs(ipha->ipha_length); 7335 7336 delta = tsol_remove_secopt(ipha, MBLKL(mp)); 7337 mp->b_wptr += delta; 7338 plen += delta; 7339 7340 /* XXX XXX code copied from tsol_check_label */ 7341 7342 /* Make sure we have room for the worst-case addition */ 7343 hlen = IPH_HDR_LENGTH(ipha) + opt_storage[IPOPT_OLEN]; 7344 hlen = (hlen + 3) & ~3; 7345 if (hlen > IP_MAX_HDR_LENGTH) 7346 hlen = IP_MAX_HDR_LENGTH; 7347 hlen -= IPH_HDR_LENGTH(ipha); 7348 7349 db = mp->b_datap; 7350 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) { 7351 int copylen; 7352 mblk_t *new_mp; 7353 7354 /* allocate enough to be meaningful, but not *too* much */ 7355 copylen = MBLKL(mp); 7356 if (copylen > 256) 7357 copylen = 256; 7358 new_mp = allocb_tmpl(hlen + copylen + 7359 (mp->b_rptr - mp->b_datap->db_base), mp); 7360 7361 if (new_mp == NULL) { 7362 ip_drop_packet(mp, B_FALSE, NULL, counter, dropper); 7363 return (NULL); 7364 } 7365 7366 /* keep the bias */ 7367 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base; 7368 new_mp->b_wptr = new_mp->b_rptr + copylen; 7369 bcopy(mp->b_rptr, new_mp->b_rptr, copylen); 7370 new_mp->b_cont = mp; 7371 if ((mp->b_rptr += copylen) >= mp->b_wptr) { 7372 new_mp->b_cont = mp->b_cont; 7373 freeb(mp); 7374 } 7375 mp = new_mp; 7376 ipha = (ipha_t *)mp->b_rptr; 7377 } 7378 7379 delta = tsol_prepend_option(assoc->ipsa_opt_storage, ipha, MBLKL(mp)); 7380 7381 ASSERT(delta != -1); 7382 7383 plen += delta; 7384 mp->b_wptr += delta; 7385 7386 /* 7387 * Paranoia 7388 */ 7389 db = mp->b_datap; 7390 7391 ASSERT3P(mp->b_wptr, <=, db->db_lim); 7392 ASSERT3P(mp->b_rptr, <=, db->db_lim); 7393 7394 ASSERT3P(mp->b_wptr, >=, db->db_base); 7395 ASSERT3P(mp->b_rptr, >=, db->db_base); 7396 /* End paranoia */ 7397 7398 ipha->ipha_length = htons(plen); 7399 7400 return (mp); 7401 } 7402 7403 mblk_t * 7404 sadb_whack_label_v6(mblk_t *mp, ipsa_t *assoc, kstat_named_t *counter, 7405 ipdropper_t *dropper) 7406 { 7407 int delta; 7408 int plen; 7409 dblk_t *db; 7410 int hlen; 7411 uint8_t *opt_storage = assoc->ipsa_opt_storage; 7412 uint_t sec_opt_len; /* label option length not including type, len */ 7413 ip6_t *ip6h = (ip6_t *)mp->b_rptr; 7414 7415 plen = ntohs(ip6h->ip6_plen); 7416 7417 delta = tsol_remove_secopt_v6(ip6h, MBLKL(mp)); 7418 mp->b_wptr += delta; 7419 plen += delta; 7420 7421 /* XXX XXX code copied from tsol_check_label_v6 */ 7422 /* 7423 * Make sure we have room for the worst-case addition. Add 2 bytes for 7424 * the hop-by-hop ext header's next header and length fields. Add 7425 * another 2 bytes for the label option type, len and then round 7426 * up to the next 8-byte multiple. 7427 */ 7428 sec_opt_len = opt_storage[1]; 7429 7430 db = mp->b_datap; 7431 hlen = (4 + sec_opt_len + 7) & ~7; 7432 7433 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) { 7434 int copylen; 7435 mblk_t *new_mp; 7436 uint16_t hdr_len; 7437 7438 hdr_len = ip_hdr_length_v6(mp, ip6h); 7439 /* 7440 * Allocate enough to be meaningful, but not *too* much. 7441 * Also all the IPv6 extension headers must be in the same mblk 7442 */ 7443 copylen = MBLKL(mp); 7444 if (copylen > 256) 7445 copylen = 256; 7446 if (copylen < hdr_len) 7447 copylen = hdr_len; 7448 new_mp = allocb_tmpl(hlen + copylen + 7449 (mp->b_rptr - mp->b_datap->db_base), mp); 7450 if (new_mp == NULL) { 7451 ip_drop_packet(mp, B_FALSE, NULL, counter, dropper); 7452 return (NULL); 7453 } 7454 7455 /* keep the bias */ 7456 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base; 7457 new_mp->b_wptr = new_mp->b_rptr + copylen; 7458 bcopy(mp->b_rptr, new_mp->b_rptr, copylen); 7459 new_mp->b_cont = mp; 7460 if ((mp->b_rptr += copylen) >= mp->b_wptr) { 7461 new_mp->b_cont = mp->b_cont; 7462 freeb(mp); 7463 } 7464 mp = new_mp; 7465 ip6h = (ip6_t *)mp->b_rptr; 7466 } 7467 7468 delta = tsol_prepend_option_v6(assoc->ipsa_opt_storage, 7469 ip6h, MBLKL(mp)); 7470 7471 ASSERT(delta != -1); 7472 7473 plen += delta; 7474 mp->b_wptr += delta; 7475 7476 /* 7477 * Paranoia 7478 */ 7479 db = mp->b_datap; 7480 7481 ASSERT3P(mp->b_wptr, <=, db->db_lim); 7482 ASSERT3P(mp->b_rptr, <=, db->db_lim); 7483 7484 ASSERT3P(mp->b_wptr, >=, db->db_base); 7485 ASSERT3P(mp->b_rptr, >=, db->db_base); 7486 /* End paranoia */ 7487 7488 ip6h->ip6_plen = htons(plen); 7489 7490 return (mp); 7491 } 7492 7493 /* Whack the labels and update ip_xmit_attr_t as needed */ 7494 mblk_t * 7495 sadb_whack_label(mblk_t *mp, ipsa_t *assoc, ip_xmit_attr_t *ixa, 7496 kstat_named_t *counter, ipdropper_t *dropper) 7497 { 7498 int adjust; 7499 int iplen; 7500 7501 if (ixa->ixa_flags & IXAF_IS_IPV4) { 7502 ipha_t *ipha = (ipha_t *)mp->b_rptr; 7503 7504 ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION); 7505 iplen = ntohs(ipha->ipha_length); 7506 mp = sadb_whack_label_v4(mp, assoc, counter, dropper); 7507 if (mp == NULL) 7508 return (NULL); 7509 7510 ipha = (ipha_t *)mp->b_rptr; 7511 ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION); 7512 adjust = (int)ntohs(ipha->ipha_length) - iplen; 7513 } else { 7514 ip6_t *ip6h = (ip6_t *)mp->b_rptr; 7515 7516 ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION); 7517 iplen = ntohs(ip6h->ip6_plen); 7518 mp = sadb_whack_label_v6(mp, assoc, counter, dropper); 7519 if (mp == NULL) 7520 return (NULL); 7521 7522 ip6h = (ip6_t *)mp->b_rptr; 7523 ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION); 7524 adjust = (int)ntohs(ip6h->ip6_plen) - iplen; 7525 } 7526 ixa->ixa_pktlen += adjust; 7527 ixa->ixa_ip_hdr_length += adjust; 7528 return (mp); 7529 } 7530 7531 /* 7532 * If this is an outgoing SA then add some fuzz to the 7533 * SOFT EXPIRE time. The reason for this is to stop 7534 * peers trying to renegotiate SOFT expiring SA's at 7535 * the same time. The amount of fuzz needs to be at 7536 * least 8 seconds which is the typical interval 7537 * sadb_ager(), although this is only a guide as it 7538 * selftunes. 7539 */ 7540 static void 7541 lifetime_fuzz(ipsa_t *assoc) 7542 { 7543 uint8_t rnd; 7544 7545 if (assoc->ipsa_softaddlt == 0) 7546 return; 7547 7548 (void) random_get_pseudo_bytes(&rnd, sizeof (rnd)); 7549 rnd = (rnd & 0xF) + 8; 7550 assoc->ipsa_softexpiretime -= rnd; 7551 assoc->ipsa_softaddlt -= rnd; 7552 } 7553 7554 static void 7555 destroy_ipsa_pair(ipsap_t *ipsapp) 7556 { 7557 /* 7558 * Because of the multi-line macro nature of IPSA_REFRELE, keep 7559 * them in { }. 7560 */ 7561 if (ipsapp->ipsap_sa_ptr != NULL) { 7562 IPSA_REFRELE(ipsapp->ipsap_sa_ptr); 7563 } 7564 if (ipsapp->ipsap_psa_ptr != NULL) { 7565 IPSA_REFRELE(ipsapp->ipsap_psa_ptr); 7566 } 7567 init_ipsa_pair(ipsapp); 7568 } 7569 7570 static void 7571 init_ipsa_pair(ipsap_t *ipsapp) 7572 { 7573 ipsapp->ipsap_bucket = NULL; 7574 ipsapp->ipsap_sa_ptr = NULL; 7575 ipsapp->ipsap_pbucket = NULL; 7576 ipsapp->ipsap_psa_ptr = NULL; 7577 } 7578 7579 /* 7580 * The sadb_ager() function walks through the hash tables of SA's and ages 7581 * them, if the SA expires as a result, its marked as DEAD and will be reaped 7582 * the next time sadb_ager() runs. SA's which are paired or have a peer (same 7583 * SA appears in both the inbound and outbound tables because its not possible 7584 * to determine its direction) are placed on a list when they expire. This is 7585 * to ensure that pair/peer SA's are reaped at the same time, even if they 7586 * expire at different times. 7587 * 7588 * This function is called twice by sadb_ager(), one after processing the 7589 * inbound table, then again after processing the outbound table. 7590 */ 7591 void 7592 age_pair_peer_list(templist_t *haspeerlist, sadb_t *sp, boolean_t outbound) 7593 { 7594 templist_t *listptr; 7595 int outhash; 7596 isaf_t *bucket; 7597 boolean_t haspeer; 7598 ipsa_t *peer_assoc, *dying; 7599 /* 7600 * Haspeer cases will contain both IPv4 and IPv6. This code 7601 * is address independent. 7602 */ 7603 while (haspeerlist != NULL) { 7604 /* "dying" contains the SA that has a peer. */ 7605 dying = haspeerlist->ipsa; 7606 haspeer = (dying->ipsa_haspeer); 7607 listptr = haspeerlist; 7608 haspeerlist = listptr->next; 7609 kmem_free(listptr, sizeof (*listptr)); 7610 /* 7611 * Pick peer bucket based on addrfam. 7612 */ 7613 if (outbound) { 7614 if (haspeer) 7615 bucket = INBOUND_BUCKET(sp, dying->ipsa_spi); 7616 else 7617 bucket = INBOUND_BUCKET(sp, 7618 dying->ipsa_otherspi); 7619 } else { /* inbound */ 7620 if (haspeer) { 7621 if (dying->ipsa_addrfam == AF_INET6) { 7622 outhash = OUTBOUND_HASH_V6(sp, 7623 *((in6_addr_t *)&dying-> 7624 ipsa_dstaddr)); 7625 } else { 7626 outhash = OUTBOUND_HASH_V4(sp, 7627 *((ipaddr_t *)&dying-> 7628 ipsa_dstaddr)); 7629 } 7630 } else if (dying->ipsa_addrfam == AF_INET6) { 7631 outhash = OUTBOUND_HASH_V6(sp, 7632 *((in6_addr_t *)&dying-> 7633 ipsa_srcaddr)); 7634 } else { 7635 outhash = OUTBOUND_HASH_V4(sp, 7636 *((ipaddr_t *)&dying-> 7637 ipsa_srcaddr)); 7638 } 7639 bucket = &(sp->sdb_of[outhash]); 7640 } 7641 7642 mutex_enter(&bucket->isaf_lock); 7643 /* 7644 * "haspeer" SA's have the same src/dst address ordering, 7645 * "paired" SA's have the src/dst addresses reversed. 7646 */ 7647 if (haspeer) { 7648 peer_assoc = ipsec_getassocbyspi(bucket, 7649 dying->ipsa_spi, dying->ipsa_srcaddr, 7650 dying->ipsa_dstaddr, dying->ipsa_addrfam); 7651 } else { 7652 peer_assoc = ipsec_getassocbyspi(bucket, 7653 dying->ipsa_otherspi, dying->ipsa_dstaddr, 7654 dying->ipsa_srcaddr, dying->ipsa_addrfam); 7655 } 7656 7657 mutex_exit(&bucket->isaf_lock); 7658 if (peer_assoc != NULL) { 7659 mutex_enter(&peer_assoc->ipsa_lock); 7660 mutex_enter(&dying->ipsa_lock); 7661 if (!haspeer) { 7662 /* 7663 * Only SA's which have a "peer" or are 7664 * "paired" end up on this list, so this 7665 * must be a "paired" SA, update the flags 7666 * to break the pair. 7667 */ 7668 peer_assoc->ipsa_otherspi = 0; 7669 peer_assoc->ipsa_flags &= ~IPSA_F_PAIRED; 7670 dying->ipsa_otherspi = 0; 7671 dying->ipsa_flags &= ~IPSA_F_PAIRED; 7672 } 7673 if (haspeer || outbound) { 7674 /* 7675 * Update the state of the "inbound" SA when 7676 * the "outbound" SA has expired. Don't update 7677 * the "outbound" SA when the "inbound" SA 7678 * SA expires because setting the hard_addtime 7679 * below will cause this to happen. 7680 */ 7681 peer_assoc->ipsa_state = dying->ipsa_state; 7682 } 7683 if (dying->ipsa_state == IPSA_STATE_DEAD) 7684 peer_assoc->ipsa_hardexpiretime = 1; 7685 7686 mutex_exit(&dying->ipsa_lock); 7687 mutex_exit(&peer_assoc->ipsa_lock); 7688 IPSA_REFRELE(peer_assoc); 7689 } 7690 IPSA_REFRELE(dying); 7691 } 7692 } 7693 7694 /* 7695 * Ensure that the IV used for CCM mode never repeats. The IV should 7696 * only be updated by this function. Also check to see if the IV 7697 * is about to wrap and generate a SOFT Expire. This function is only 7698 * called for outgoing packets, the IV for incomming packets is taken 7699 * from the wire. If the outgoing SA needs to be expired, update 7700 * the matching incomming SA. 7701 */ 7702 boolean_t 7703 update_iv(uint8_t *iv_ptr, queue_t *pfkey_q, ipsa_t *assoc, 7704 ipsecesp_stack_t *espstack) 7705 { 7706 boolean_t rc = B_TRUE; 7707 isaf_t *inbound_bucket; 7708 sadb_t *sp; 7709 ipsa_t *pair_sa = NULL; 7710 int sa_new_state = 0; 7711 7712 /* For non counter modes, the IV is random data. */ 7713 if (!(assoc->ipsa_flags & IPSA_F_COUNTERMODE)) { 7714 (void) random_get_pseudo_bytes(iv_ptr, assoc->ipsa_iv_len); 7715 return (rc); 7716 } 7717 7718 mutex_enter(&assoc->ipsa_lock); 7719 7720 (*assoc->ipsa_iv)++; 7721 7722 if (*assoc->ipsa_iv == assoc->ipsa_iv_hardexpire) { 7723 sa_new_state = IPSA_STATE_DEAD; 7724 rc = B_FALSE; 7725 } else if (*assoc->ipsa_iv == assoc->ipsa_iv_softexpire) { 7726 if (assoc->ipsa_state != IPSA_STATE_DYING) { 7727 /* 7728 * This SA may have already been expired when its 7729 * PAIR_SA expired. 7730 */ 7731 sa_new_state = IPSA_STATE_DYING; 7732 } 7733 } 7734 if (sa_new_state) { 7735 /* 7736 * If there is a state change, we need to update this SA 7737 * and its "pair", we can find the bucket for the "pair" SA 7738 * while holding the ipsa_t mutex, but we won't actually 7739 * update anything untill the ipsa_t mutex has been released 7740 * for _this_ SA. 7741 */ 7742 assoc->ipsa_state = sa_new_state; 7743 if (assoc->ipsa_addrfam == AF_INET6) { 7744 sp = &espstack->esp_sadb.s_v6; 7745 } else { 7746 sp = &espstack->esp_sadb.s_v4; 7747 } 7748 inbound_bucket = INBOUND_BUCKET(sp, assoc->ipsa_otherspi); 7749 sadb_expire_assoc(pfkey_q, assoc); 7750 } 7751 if (rc == B_TRUE) 7752 bcopy(assoc->ipsa_iv, iv_ptr, assoc->ipsa_iv_len); 7753 7754 mutex_exit(&assoc->ipsa_lock); 7755 7756 if (sa_new_state) { 7757 /* Find the inbound SA, need to lock hash bucket. */ 7758 mutex_enter(&inbound_bucket->isaf_lock); 7759 pair_sa = ipsec_getassocbyspi(inbound_bucket, 7760 assoc->ipsa_otherspi, assoc->ipsa_dstaddr, 7761 assoc->ipsa_srcaddr, assoc->ipsa_addrfam); 7762 mutex_exit(&inbound_bucket->isaf_lock); 7763 if (pair_sa != NULL) { 7764 mutex_enter(&pair_sa->ipsa_lock); 7765 pair_sa->ipsa_state = sa_new_state; 7766 mutex_exit(&pair_sa->ipsa_lock); 7767 IPSA_REFRELE(pair_sa); 7768 } 7769 } 7770 7771 return (rc); 7772 } 7773 7774 void 7775 ccm_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr, 7776 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data) 7777 { 7778 uchar_t *nonce; 7779 crypto_mechanism_t *combined_mech; 7780 CK_AES_CCM_PARAMS *params; 7781 7782 combined_mech = (crypto_mechanism_t *)cm_mech; 7783 params = (CK_AES_CCM_PARAMS *)(combined_mech + 1); 7784 nonce = (uchar_t *)(params + 1); 7785 params->ulMACSize = assoc->ipsa_mac_len; 7786 params->ulNonceSize = assoc->ipsa_nonce_len; 7787 params->ulAuthDataSize = sizeof (esph_t); 7788 params->ulDataSize = data_len; 7789 params->nonce = nonce; 7790 params->authData = esph; 7791 7792 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type; 7793 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_CCM_PARAMS); 7794 cm_mech->combined_mech.cm_param = (caddr_t)params; 7795 /* See gcm_params_init() for comments. */ 7796 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen); 7797 nonce += assoc->ipsa_saltlen; 7798 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len); 7799 crypto_data->cd_miscdata = NULL; 7800 } 7801 7802 /* ARGSUSED */ 7803 void 7804 cbc_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr, 7805 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data) 7806 { 7807 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type; 7808 cm_mech->combined_mech.cm_param_len = 0; 7809 cm_mech->combined_mech.cm_param = NULL; 7810 crypto_data->cd_miscdata = (char *)iv_ptr; 7811 } 7812 7813 /* ARGSUSED */ 7814 void 7815 gcm_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr, 7816 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data) 7817 { 7818 uchar_t *nonce; 7819 crypto_mechanism_t *combined_mech; 7820 CK_AES_GCM_PARAMS *params; 7821 7822 combined_mech = (crypto_mechanism_t *)cm_mech; 7823 params = (CK_AES_GCM_PARAMS *)(combined_mech + 1); 7824 nonce = (uchar_t *)(params + 1); 7825 7826 params->pIv = nonce; 7827 params->ulIvLen = assoc->ipsa_nonce_len; 7828 params->ulIvBits = SADB_8TO1(assoc->ipsa_nonce_len); 7829 params->pAAD = esph; 7830 params->ulAADLen = sizeof (esph_t); 7831 params->ulTagBits = SADB_8TO1(assoc->ipsa_mac_len); 7832 7833 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type; 7834 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS); 7835 cm_mech->combined_mech.cm_param = (caddr_t)params; 7836 /* 7837 * Create the nonce, which is made up of the salt and the IV. 7838 * Copy the salt from the SA and the IV from the packet. 7839 * For inbound packets we copy the IV from the packet because it 7840 * was set by the sending system, for outbound packets we copy the IV 7841 * from the packet because the IV in the SA may be changed by another 7842 * thread, the IV in the packet was created while holding a mutex. 7843 */ 7844 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen); 7845 nonce += assoc->ipsa_saltlen; 7846 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len); 7847 crypto_data->cd_miscdata = NULL; 7848 } 7849