1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/stream.h> 28 #include <sys/stropts.h> 29 #include <sys/strsubr.h> 30 #include <sys/errno.h> 31 #include <sys/ddi.h> 32 #include <sys/debug.h> 33 #include <sys/cmn_err.h> 34 #include <sys/stream.h> 35 #include <sys/strlog.h> 36 #include <sys/kmem.h> 37 #include <sys/sunddi.h> 38 #include <sys/tihdr.h> 39 #include <sys/atomic.h> 40 #include <sys/socket.h> 41 #include <sys/sysmacros.h> 42 #include <sys/crypto/common.h> 43 #include <sys/crypto/api.h> 44 #include <sys/zone.h> 45 #include <netinet/in.h> 46 #include <net/if.h> 47 #include <net/pfkeyv2.h> 48 #include <net/pfpolicy.h> 49 #include <inet/common.h> 50 #include <netinet/ip6.h> 51 #include <inet/ip.h> 52 #include <inet/ip_ire.h> 53 #include <inet/ip6.h> 54 #include <inet/ipsec_info.h> 55 #include <inet/tcp.h> 56 #include <inet/sadb.h> 57 #include <inet/ipsec_impl.h> 58 #include <inet/ipsecah.h> 59 #include <inet/ipsecesp.h> 60 #include <sys/random.h> 61 #include <sys/dlpi.h> 62 #include <sys/iphada.h> 63 #include <sys/strsun.h> 64 #include <sys/strsubr.h> 65 #include <inet/ip_if.h> 66 #include <inet/ipdrop.h> 67 #include <inet/ipclassifier.h> 68 #include <inet/sctp_ip.h> 69 #include <sys/tsol/tnet.h> 70 71 /* 72 * This source file contains Security Association Database (SADB) common 73 * routines. They are linked in with the AH module. Since AH has no chance 74 * of falling under export control, it was safe to link it in there. 75 */ 76 77 static mblk_t *sadb_extended_acquire(ipsec_selector_t *, ipsec_policy_t *, 78 ipsec_action_t *, boolean_t, uint32_t, uint32_t, sadb_sens_t *, 79 netstack_t *); 80 static void sadb_ill_df(ill_t *, mblk_t *, isaf_t *, int, boolean_t); 81 static ipsa_t *sadb_torch_assoc(isaf_t *, ipsa_t *, boolean_t, mblk_t **); 82 static void sadb_drain_torchq(queue_t *, mblk_t *); 83 static void sadb_destroy_acqlist(iacqf_t **, uint_t, boolean_t, 84 netstack_t *); 85 static void sadb_destroy(sadb_t *, netstack_t *); 86 static mblk_t *sadb_sa2msg(ipsa_t *, sadb_msg_t *); 87 static cred_t *sadb_cred_from_sens(sadb_sens_t *, uint64_t *); 88 static sadb_sens_t *sadb_make_sens_ext(cred_t *cr, int *len); 89 90 static time_t sadb_add_time(time_t, uint64_t); 91 static void lifetime_fuzz(ipsa_t *); 92 static void age_pair_peer_list(templist_t *, sadb_t *, boolean_t); 93 static int get_ipsa_pair(ipsa_query_t *, ipsap_t *, int *); 94 static void init_ipsa_pair(ipsap_t *); 95 static void destroy_ipsa_pair(ipsap_t *); 96 static int update_pairing(ipsap_t *, ipsa_query_t *, keysock_in_t *, int *); 97 static void ipsa_set_replay(ipsa_t *ipsa, uint32_t offset); 98 99 extern void (*cl_inet_getspi)(netstackid_t stack_id, uint8_t protocol, 100 uint8_t *ptr, size_t len, void *args); 101 extern int (*cl_inet_checkspi)(netstackid_t stack_id, uint8_t protocol, 102 uint32_t spi, void *args); 103 extern void (*cl_inet_deletespi)(netstackid_t stack_id, uint8_t protocol, 104 uint32_t spi, void *args); 105 /* 106 * ipsacq_maxpackets is defined here to make it tunable 107 * from /etc/system. 108 */ 109 extern uint64_t ipsacq_maxpackets; 110 111 #define SET_EXPIRE(sa, delta, exp) { \ 112 if (((sa)->ipsa_ ## delta) != 0) { \ 113 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \ 114 (sa)->ipsa_ ## delta); \ 115 } \ 116 } 117 118 #define UPDATE_EXPIRE(sa, delta, exp) { \ 119 if (((sa)->ipsa_ ## delta) != 0) { \ 120 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \ 121 (sa)->ipsa_ ## delta); \ 122 if (((sa)->ipsa_ ## exp) == 0) \ 123 (sa)->ipsa_ ## exp = tmp; \ 124 else \ 125 (sa)->ipsa_ ## exp = \ 126 MIN((sa)->ipsa_ ## exp, tmp); \ 127 } \ 128 } 129 130 131 /* wrap the macro so we can pass it as a function pointer */ 132 void 133 sadb_sa_refrele(void *target) 134 { 135 IPSA_REFRELE(((ipsa_t *)target)); 136 } 137 138 /* 139 * We presume that sizeof (long) == sizeof (time_t) and that time_t is 140 * a signed type. 141 */ 142 #define TIME_MAX LONG_MAX 143 144 /* 145 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that 146 * time_t is defined to be a signed type with the same range as 147 * "long". On ILP32 systems, we thus run the risk of wrapping around 148 * at end of time, as well as "overwrapping" the clock back around 149 * into a seemingly valid but incorrect future date earlier than the 150 * desired expiration. 151 * 152 * In order to avoid odd behavior (either negative lifetimes or loss 153 * of high order bits) when someone asks for bizarrely long SA 154 * lifetimes, we do a saturating add for expire times. 155 * 156 * We presume that ILP32 systems will be past end of support life when 157 * the 32-bit time_t overflows (a dangerous assumption, mind you..). 158 * 159 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we 160 * will hopefully have figured out clever ways to avoid the use of 161 * fixed-sized integers in computation. 162 */ 163 static time_t 164 sadb_add_time(time_t base, uint64_t delta) 165 { 166 time_t sum; 167 168 /* 169 * Clip delta to the maximum possible time_t value to 170 * prevent "overwrapping" back into a shorter-than-desired 171 * future time. 172 */ 173 if (delta > TIME_MAX) 174 delta = TIME_MAX; 175 /* 176 * This sum may still overflow. 177 */ 178 sum = base + delta; 179 180 /* 181 * .. so if the result is less than the base, we overflowed. 182 */ 183 if (sum < base) 184 sum = TIME_MAX; 185 186 return (sum); 187 } 188 189 /* 190 * Callers of this function have already created a working security 191 * association, and have found the appropriate table & hash chain. All this 192 * function does is check duplicates, and insert the SA. The caller needs to 193 * hold the hash bucket lock and increment the refcnt before insertion. 194 * 195 * Return 0 if success, EEXIST if collision. 196 */ 197 #define SA_UNIQUE_MATCH(sa1, sa2) \ 198 (((sa1)->ipsa_unique_id & (sa1)->ipsa_unique_mask) == \ 199 ((sa2)->ipsa_unique_id & (sa2)->ipsa_unique_mask)) 200 201 int 202 sadb_insertassoc(ipsa_t *ipsa, isaf_t *bucket) 203 { 204 ipsa_t **ptpn = NULL; 205 ipsa_t *walker; 206 boolean_t unspecsrc; 207 208 ASSERT(MUTEX_HELD(&bucket->isaf_lock)); 209 210 unspecsrc = IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_srcaddr, ipsa->ipsa_addrfam); 211 212 walker = bucket->isaf_ipsa; 213 ASSERT(walker == NULL || ipsa->ipsa_addrfam == walker->ipsa_addrfam); 214 215 /* 216 * Find insertion point (pointed to with **ptpn). Insert at the head 217 * of the list unless there's an unspecified source address, then 218 * insert it after the last SA with a specified source address. 219 * 220 * BTW, you'll have to walk the whole chain, matching on {DST, SPI} 221 * checking for collisions. 222 */ 223 224 while (walker != NULL) { 225 if (IPSA_ARE_ADDR_EQUAL(walker->ipsa_dstaddr, 226 ipsa->ipsa_dstaddr, ipsa->ipsa_addrfam)) { 227 if (walker->ipsa_spi == ipsa->ipsa_spi) 228 return (EEXIST); 229 230 mutex_enter(&walker->ipsa_lock); 231 if (ipsa->ipsa_state == IPSA_STATE_MATURE && 232 (walker->ipsa_flags & IPSA_F_USED) && 233 SA_UNIQUE_MATCH(walker, ipsa)) { 234 walker->ipsa_flags |= IPSA_F_CINVALID; 235 } 236 mutex_exit(&walker->ipsa_lock); 237 } 238 239 if (ptpn == NULL && unspecsrc) { 240 if (IPSA_IS_ADDR_UNSPEC(walker->ipsa_srcaddr, 241 walker->ipsa_addrfam)) 242 ptpn = walker->ipsa_ptpn; 243 else if (walker->ipsa_next == NULL) 244 ptpn = &walker->ipsa_next; 245 } 246 247 walker = walker->ipsa_next; 248 } 249 250 if (ptpn == NULL) 251 ptpn = &bucket->isaf_ipsa; 252 ipsa->ipsa_next = *ptpn; 253 ipsa->ipsa_ptpn = ptpn; 254 if (ipsa->ipsa_next != NULL) 255 ipsa->ipsa_next->ipsa_ptpn = &ipsa->ipsa_next; 256 *ptpn = ipsa; 257 ipsa->ipsa_linklock = &bucket->isaf_lock; 258 259 return (0); 260 } 261 #undef SA_UNIQUE_MATCH 262 263 /* 264 * Free a security association. Its reference count is 0, which means 265 * I must free it. The SA must be unlocked and must not be linked into 266 * any fanout list. 267 */ 268 static void 269 sadb_freeassoc(ipsa_t *ipsa) 270 { 271 ipsec_stack_t *ipss = ipsa->ipsa_netstack->netstack_ipsec; 272 273 ASSERT(ipss != NULL); 274 ASSERT(MUTEX_NOT_HELD(&ipsa->ipsa_lock)); 275 ASSERT(ipsa->ipsa_refcnt == 0); 276 ASSERT(ipsa->ipsa_next == NULL); 277 ASSERT(ipsa->ipsa_ptpn == NULL); 278 279 mutex_enter(&ipsa->ipsa_lock); 280 /* Don't call sadb_clear_lpkt() since we hold the ipsa_lock anyway. */ 281 ip_drop_packet(ipsa->ipsa_lpkt, B_TRUE, NULL, NULL, 282 DROPPER(ipss, ipds_sadb_inlarval_timeout), 283 &ipss->ipsec_sadb_dropper); 284 285 if (ipsa->ipsa_cred != NULL) { 286 crfree(ipsa->ipsa_cred); 287 ipsa->ipsa_cred = NULL; 288 } 289 290 if (ipsa->ipsa_ocred != NULL) { 291 crfree(ipsa->ipsa_ocred); 292 ipsa->ipsa_ocred = NULL; 293 } 294 295 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_AUTH); 296 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_ENCR); 297 mutex_exit(&ipsa->ipsa_lock); 298 299 /* bzero() these fields for paranoia's sake. */ 300 if (ipsa->ipsa_authkey != NULL) { 301 bzero(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 302 kmem_free(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 303 } 304 if (ipsa->ipsa_encrkey != NULL) { 305 bzero(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 306 kmem_free(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 307 } 308 if (ipsa->ipsa_nonce_buf != NULL) { 309 bzero(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t)); 310 kmem_free(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t)); 311 } 312 if (ipsa->ipsa_src_cid != NULL) { 313 IPSID_REFRELE(ipsa->ipsa_src_cid); 314 } 315 if (ipsa->ipsa_dst_cid != NULL) { 316 IPSID_REFRELE(ipsa->ipsa_dst_cid); 317 } 318 if (ipsa->ipsa_emech.cm_param != NULL) 319 kmem_free(ipsa->ipsa_emech.cm_param, 320 ipsa->ipsa_emech.cm_param_len); 321 322 mutex_destroy(&ipsa->ipsa_lock); 323 kmem_free(ipsa, sizeof (*ipsa)); 324 } 325 326 /* 327 * Unlink a security association from a hash bucket. Assume the hash bucket 328 * lock is held, but the association's lock is not. 329 * 330 * Note that we do not bump the bucket's generation number here because 331 * we might not be making a visible change to the set of visible SA's. 332 * All callers MUST bump the bucket's generation number before they unlock 333 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which 334 * was present in the bucket at the time it was locked. 335 */ 336 void 337 sadb_unlinkassoc(ipsa_t *ipsa) 338 { 339 ASSERT(ipsa->ipsa_linklock != NULL); 340 ASSERT(MUTEX_HELD(ipsa->ipsa_linklock)); 341 342 /* These fields are protected by the link lock. */ 343 *(ipsa->ipsa_ptpn) = ipsa->ipsa_next; 344 if (ipsa->ipsa_next != NULL) { 345 ipsa->ipsa_next->ipsa_ptpn = ipsa->ipsa_ptpn; 346 ipsa->ipsa_next = NULL; 347 } 348 349 ipsa->ipsa_ptpn = NULL; 350 351 /* This may destroy the SA. */ 352 IPSA_REFRELE(ipsa); 353 } 354 355 void 356 sadb_delete_cluster(ipsa_t *assoc) 357 { 358 uint8_t protocol; 359 360 if (cl_inet_deletespi && 361 ((assoc->ipsa_state == IPSA_STATE_LARVAL) || 362 (assoc->ipsa_state == IPSA_STATE_MATURE))) { 363 protocol = (assoc->ipsa_type == SADB_SATYPE_AH) ? 364 IPPROTO_AH : IPPROTO_ESP; 365 cl_inet_deletespi(assoc->ipsa_netstack->netstack_stackid, 366 protocol, assoc->ipsa_spi, NULL); 367 } 368 } 369 370 /* 371 * Create a larval security association with the specified SPI. All other 372 * fields are zeroed. 373 */ 374 static ipsa_t * 375 sadb_makelarvalassoc(uint32_t spi, uint32_t *src, uint32_t *dst, int addrfam, 376 netstack_t *ns) 377 { 378 ipsa_t *newbie; 379 380 /* 381 * Allocate... 382 */ 383 384 newbie = (ipsa_t *)kmem_zalloc(sizeof (ipsa_t), KM_NOSLEEP); 385 if (newbie == NULL) { 386 /* Can't make new larval SA. */ 387 return (NULL); 388 } 389 390 /* Assigned requested SPI, assume caller does SPI allocation magic. */ 391 newbie->ipsa_spi = spi; 392 newbie->ipsa_netstack = ns; /* No netstack_hold */ 393 394 /* 395 * Copy addresses... 396 */ 397 398 IPSA_COPY_ADDR(newbie->ipsa_srcaddr, src, addrfam); 399 IPSA_COPY_ADDR(newbie->ipsa_dstaddr, dst, addrfam); 400 401 newbie->ipsa_addrfam = addrfam; 402 403 /* 404 * Set common initialization values, including refcnt. 405 */ 406 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 407 newbie->ipsa_state = IPSA_STATE_LARVAL; 408 newbie->ipsa_refcnt = 1; 409 newbie->ipsa_freefunc = sadb_freeassoc; 410 411 /* 412 * There aren't a lot of other common initialization values, as 413 * they are copied in from the PF_KEY message. 414 */ 415 416 return (newbie); 417 } 418 419 /* 420 * Call me to initialize a security association fanout. 421 */ 422 static int 423 sadb_init_fanout(isaf_t **tablep, uint_t size, int kmflag) 424 { 425 isaf_t *table; 426 int i; 427 428 table = (isaf_t *)kmem_alloc(size * sizeof (*table), kmflag); 429 *tablep = table; 430 431 if (table == NULL) 432 return (ENOMEM); 433 434 for (i = 0; i < size; i++) { 435 mutex_init(&(table[i].isaf_lock), NULL, MUTEX_DEFAULT, NULL); 436 table[i].isaf_ipsa = NULL; 437 table[i].isaf_gen = 0; 438 } 439 440 return (0); 441 } 442 443 /* 444 * Call me to initialize an acquire fanout 445 */ 446 static int 447 sadb_init_acfanout(iacqf_t **tablep, uint_t size, int kmflag) 448 { 449 iacqf_t *table; 450 int i; 451 452 table = (iacqf_t *)kmem_alloc(size * sizeof (*table), kmflag); 453 *tablep = table; 454 455 if (table == NULL) 456 return (ENOMEM); 457 458 for (i = 0; i < size; i++) { 459 mutex_init(&(table[i].iacqf_lock), NULL, MUTEX_DEFAULT, NULL); 460 table[i].iacqf_ipsacq = NULL; 461 } 462 463 return (0); 464 } 465 466 /* 467 * Attempt to initialize an SADB instance. On failure, return ENOMEM; 468 * caller must clean up partial allocations. 469 */ 470 static int 471 sadb_init_trial(sadb_t *sp, uint_t size, int kmflag) 472 { 473 ASSERT(sp->sdb_of == NULL); 474 ASSERT(sp->sdb_if == NULL); 475 ASSERT(sp->sdb_acq == NULL); 476 477 sp->sdb_hashsize = size; 478 if (sadb_init_fanout(&sp->sdb_of, size, kmflag) != 0) 479 return (ENOMEM); 480 if (sadb_init_fanout(&sp->sdb_if, size, kmflag) != 0) 481 return (ENOMEM); 482 if (sadb_init_acfanout(&sp->sdb_acq, size, kmflag) != 0) 483 return (ENOMEM); 484 485 return (0); 486 } 487 488 /* 489 * Call me to initialize an SADB instance; fall back to default size on failure. 490 */ 491 static void 492 sadb_init(const char *name, sadb_t *sp, uint_t size, uint_t ver, 493 netstack_t *ns) 494 { 495 ASSERT(sp->sdb_of == NULL); 496 ASSERT(sp->sdb_if == NULL); 497 ASSERT(sp->sdb_acq == NULL); 498 499 if (size < IPSEC_DEFAULT_HASH_SIZE) 500 size = IPSEC_DEFAULT_HASH_SIZE; 501 502 if (sadb_init_trial(sp, size, KM_NOSLEEP) != 0) { 503 504 cmn_err(CE_WARN, 505 "Unable to allocate %u entry IPv%u %s SADB hash table", 506 size, ver, name); 507 508 sadb_destroy(sp, ns); 509 size = IPSEC_DEFAULT_HASH_SIZE; 510 cmn_err(CE_WARN, "Falling back to %d entries", size); 511 (void) sadb_init_trial(sp, size, KM_SLEEP); 512 } 513 } 514 515 516 /* 517 * Initialize an SADB-pair. 518 */ 519 void 520 sadbp_init(const char *name, sadbp_t *sp, int type, int size, netstack_t *ns) 521 { 522 sadb_init(name, &sp->s_v4, size, 4, ns); 523 sadb_init(name, &sp->s_v6, size, 6, ns); 524 525 sp->s_satype = type; 526 527 ASSERT((type == SADB_SATYPE_AH) || (type == SADB_SATYPE_ESP)); 528 if (type == SADB_SATYPE_AH) { 529 ipsec_stack_t *ipss = ns->netstack_ipsec; 530 531 ip_drop_register(&ipss->ipsec_sadb_dropper, "IPsec SADB"); 532 sp->s_addflags = AH_ADD_SETTABLE_FLAGS; 533 sp->s_updateflags = AH_UPDATE_SETTABLE_FLAGS; 534 } else { 535 sp->s_addflags = ESP_ADD_SETTABLE_FLAGS; 536 sp->s_updateflags = ESP_UPDATE_SETTABLE_FLAGS; 537 } 538 } 539 540 /* 541 * Deliver a single SADB_DUMP message representing a single SA. This is 542 * called many times by sadb_dump(). 543 * 544 * If the return value of this is ENOBUFS (not the same as ENOMEM), then 545 * the caller should take that as a hint that dupb() on the "original answer" 546 * failed, and that perhaps the caller should try again with a copyb()ed 547 * "original answer". 548 */ 549 static int 550 sadb_dump_deliver(queue_t *pfkey_q, mblk_t *original_answer, ipsa_t *ipsa, 551 sadb_msg_t *samsg) 552 { 553 mblk_t *answer; 554 555 answer = dupb(original_answer); 556 if (answer == NULL) 557 return (ENOBUFS); 558 answer->b_cont = sadb_sa2msg(ipsa, samsg); 559 if (answer->b_cont == NULL) { 560 freeb(answer); 561 return (ENOMEM); 562 } 563 564 /* Just do a putnext, and let keysock deal with flow control. */ 565 putnext(pfkey_q, answer); 566 return (0); 567 } 568 569 /* 570 * Common function to allocate and prepare a keysock_out_t M_CTL message. 571 */ 572 mblk_t * 573 sadb_keysock_out(minor_t serial) 574 { 575 mblk_t *mp; 576 keysock_out_t *kso; 577 578 mp = allocb(sizeof (ipsec_info_t), BPRI_HI); 579 if (mp != NULL) { 580 mp->b_datap->db_type = M_CTL; 581 mp->b_wptr += sizeof (ipsec_info_t); 582 kso = (keysock_out_t *)mp->b_rptr; 583 kso->ks_out_type = KEYSOCK_OUT; 584 kso->ks_out_len = sizeof (*kso); 585 kso->ks_out_serial = serial; 586 } 587 588 return (mp); 589 } 590 591 /* 592 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts 593 * to keysock. 594 */ 595 static int 596 sadb_dump_fanout(queue_t *pfkey_q, mblk_t *mp, minor_t serial, isaf_t *fanout, 597 int num_entries, boolean_t do_peers, time_t active_time) 598 { 599 int i, error = 0; 600 mblk_t *original_answer; 601 ipsa_t *walker; 602 sadb_msg_t *samsg; 603 time_t current; 604 605 /* 606 * For each IPSA hash bucket do: 607 * - Hold the mutex 608 * - Walk each entry, doing an sadb_dump_deliver() on it. 609 */ 610 ASSERT(mp->b_cont != NULL); 611 samsg = (sadb_msg_t *)mp->b_cont->b_rptr; 612 613 original_answer = sadb_keysock_out(serial); 614 if (original_answer == NULL) 615 return (ENOMEM); 616 617 current = gethrestime_sec(); 618 for (i = 0; i < num_entries; i++) { 619 mutex_enter(&fanout[i].isaf_lock); 620 for (walker = fanout[i].isaf_ipsa; walker != NULL; 621 walker = walker->ipsa_next) { 622 if (!do_peers && walker->ipsa_haspeer) 623 continue; 624 if ((active_time != 0) && 625 ((current - walker->ipsa_lastuse) > active_time)) 626 continue; 627 error = sadb_dump_deliver(pfkey_q, original_answer, 628 walker, samsg); 629 if (error == ENOBUFS) { 630 mblk_t *new_original_answer; 631 632 /* Ran out of dupb's. Try a copyb. */ 633 new_original_answer = copyb(original_answer); 634 if (new_original_answer == NULL) { 635 error = ENOMEM; 636 } else { 637 freeb(original_answer); 638 original_answer = new_original_answer; 639 error = sadb_dump_deliver(pfkey_q, 640 original_answer, walker, samsg); 641 } 642 } 643 if (error != 0) 644 break; /* out of for loop. */ 645 } 646 mutex_exit(&fanout[i].isaf_lock); 647 if (error != 0) 648 break; /* out of for loop. */ 649 } 650 651 freeb(original_answer); 652 return (error); 653 } 654 655 /* 656 * Dump an entire SADB; outbound first, then inbound. 657 */ 658 659 int 660 sadb_dump(queue_t *pfkey_q, mblk_t *mp, keysock_in_t *ksi, sadb_t *sp) 661 { 662 int error; 663 time_t active_time = 0; 664 sadb_x_edump_t *edump = 665 (sadb_x_edump_t *)ksi->ks_in_extv[SADB_X_EXT_EDUMP]; 666 667 if (edump != NULL) { 668 active_time = edump->sadb_x_edump_timeout; 669 } 670 671 /* Dump outbound */ 672 error = sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_of, 673 sp->sdb_hashsize, B_TRUE, active_time); 674 if (error) 675 return (error); 676 677 /* Dump inbound */ 678 return sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_if, 679 sp->sdb_hashsize, B_FALSE, active_time); 680 } 681 682 /* 683 * Generic sadb table walker. 684 * 685 * Call "walkfn" for each SA in each bucket in "table"; pass the 686 * bucket, the entry and "cookie" to the callback function. 687 * Take care to ensure that walkfn can delete the SA without screwing 688 * up our traverse. 689 * 690 * The bucket is locked for the duration of the callback, both so that the 691 * callback can just call sadb_unlinkassoc() when it wants to delete something, 692 * and so that no new entries are added while we're walking the list. 693 */ 694 static void 695 sadb_walker(isaf_t *table, uint_t numentries, 696 void (*walkfn)(isaf_t *head, ipsa_t *entry, void *cookie), 697 void *cookie) 698 { 699 int i; 700 for (i = 0; i < numentries; i++) { 701 ipsa_t *entry, *next; 702 703 mutex_enter(&table[i].isaf_lock); 704 705 for (entry = table[i].isaf_ipsa; entry != NULL; 706 entry = next) { 707 next = entry->ipsa_next; 708 (*walkfn)(&table[i], entry, cookie); 709 } 710 mutex_exit(&table[i].isaf_lock); 711 } 712 } 713 714 /* 715 * From the given SA, construct a dl_ct_ipsec_key and 716 * a dl_ct_ipsec structures to be sent to the adapter as part 717 * of a DL_CONTROL_REQ. 718 * 719 * ct_sa must point to the storage allocated for the key 720 * structure and must be followed by storage allocated 721 * for the SA information that must be sent to the driver 722 * as part of the DL_CONTROL_REQ request. 723 * 724 * The is_inbound boolean indicates whether the specified 725 * SA is part of an inbound SA table. 726 * 727 * Returns B_TRUE if the corresponding SA must be passed to 728 * a provider, B_FALSE otherwise; frees *mp if it returns B_FALSE. 729 */ 730 static boolean_t 731 sadb_req_from_sa(ipsa_t *sa, mblk_t *mp, boolean_t is_inbound) 732 { 733 dl_ct_ipsec_key_t *keyp; 734 dl_ct_ipsec_t *sap; 735 void *ct_sa = mp->b_wptr; 736 737 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 738 739 keyp = (dl_ct_ipsec_key_t *)(ct_sa); 740 sap = (dl_ct_ipsec_t *)(keyp + 1); 741 742 IPSECHW_DEBUG(IPSECHW_CAPAB, ("sadb_req_from_sa: " 743 "is_inbound = %d\n", is_inbound)); 744 745 /* initialize flag */ 746 sap->sadb_sa_flags = 0; 747 if (is_inbound) { 748 sap->sadb_sa_flags |= DL_CT_IPSEC_INBOUND; 749 /* 750 * If an inbound SA has a peer, then mark it has being 751 * an outbound SA as well. 752 */ 753 if (sa->ipsa_haspeer) 754 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 755 } else { 756 /* 757 * If an outbound SA has a peer, then don't send it, 758 * since we will send the copy from the inbound table. 759 */ 760 if (sa->ipsa_haspeer) { 761 freemsg(mp); 762 return (B_FALSE); 763 } 764 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 765 } 766 767 keyp->dl_key_spi = sa->ipsa_spi; 768 bcopy(sa->ipsa_dstaddr, keyp->dl_key_dest_addr, 769 DL_CTL_IPSEC_ADDR_LEN); 770 keyp->dl_key_addr_family = sa->ipsa_addrfam; 771 772 sap->sadb_sa_auth = sa->ipsa_auth_alg; 773 sap->sadb_sa_encrypt = sa->ipsa_encr_alg; 774 775 sap->sadb_key_len_a = sa->ipsa_authkeylen; 776 sap->sadb_key_bits_a = sa->ipsa_authkeybits; 777 bcopy(sa->ipsa_authkey, 778 sap->sadb_key_data_a, sap->sadb_key_len_a); 779 780 sap->sadb_key_len_e = sa->ipsa_encrkeylen; 781 sap->sadb_key_bits_e = sa->ipsa_encrkeybits; 782 bcopy(sa->ipsa_encrkey, 783 sap->sadb_key_data_e, sap->sadb_key_len_e); 784 785 mp->b_wptr += sizeof (dl_ct_ipsec_t) + sizeof (dl_ct_ipsec_key_t); 786 return (B_TRUE); 787 } 788 789 /* 790 * Called from AH or ESP to format a message which will be used to inform 791 * IPsec-acceleration-capable ills of a SADB change. 792 * (It is not possible to send the message to IP directly from this function 793 * since the SA, if any, is locked during the call). 794 * 795 * dl_operation: DL_CONTROL_REQ operation (add, delete, update, etc) 796 * sa_type: identifies whether the operation applies to AH or ESP 797 * (must be one of SADB_SATYPE_AH or SADB_SATYPE_ESP) 798 * sa: Pointer to an SA. Must be non-NULL and locked 799 * for ADD, DELETE, GET, and UPDATE operations. 800 * This function returns an mblk chain that must be passed to IP 801 * for forwarding to the IPsec capable providers. 802 */ 803 mblk_t * 804 sadb_fmt_sa_req(uint_t dl_operation, uint_t sa_type, ipsa_t *sa, 805 boolean_t is_inbound) 806 { 807 mblk_t *mp; 808 dl_control_req_t *ctrl; 809 boolean_t need_key = B_FALSE; 810 mblk_t *ctl_mp = NULL; 811 ipsec_ctl_t *ctl; 812 813 /* 814 * 1 allocate and initialize DL_CONTROL_REQ M_PROTO 815 * 2 if a key is needed for the operation 816 * 2.1 initialize key 817 * 2.2 if a full SA is needed for the operation 818 * 2.2.1 initialize full SA info 819 * 3 return message; caller will call ill_ipsec_capab_send_all() 820 * to send the resulting message to IPsec capable ills. 821 */ 822 823 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 824 825 /* 826 * Allocate DL_CONTROL_REQ M_PROTO 827 * We allocate room for the SA even if it's not needed 828 * by some of the operations (for example flush) 829 */ 830 mp = allocb(sizeof (dl_control_req_t) + 831 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 832 if (mp == NULL) 833 return (NULL); 834 mp->b_datap->db_type = M_PROTO; 835 836 /* initialize dl_control_req_t */ 837 ctrl = (dl_control_req_t *)mp->b_wptr; 838 ctrl->dl_primitive = DL_CONTROL_REQ; 839 ctrl->dl_operation = dl_operation; 840 ctrl->dl_type = sa_type == SADB_SATYPE_AH ? DL_CT_IPSEC_AH : 841 DL_CT_IPSEC_ESP; 842 ctrl->dl_key_offset = sizeof (dl_control_req_t); 843 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 844 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 845 sizeof (dl_ct_ipsec_key_t); 846 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 847 mp->b_wptr += sizeof (dl_control_req_t); 848 849 if ((dl_operation == DL_CO_SET) || (dl_operation == DL_CO_DELETE)) { 850 ASSERT(sa != NULL); 851 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 852 853 need_key = B_TRUE; 854 855 /* 856 * Initialize key and SA data. Note that for some 857 * operations the SA data is ignored by the provider 858 * (delete, etc.) 859 */ 860 if (!sadb_req_from_sa(sa, mp, is_inbound)) 861 return (NULL); 862 } 863 864 /* construct control message */ 865 ctl_mp = allocb(sizeof (ipsec_ctl_t), BPRI_HI); 866 if (ctl_mp == NULL) { 867 cmn_err(CE_WARN, "sadb_fmt_sa_req: allocb failed\n"); 868 freemsg(mp); 869 return (NULL); 870 } 871 872 ctl_mp->b_datap->db_type = M_CTL; 873 ctl_mp->b_wptr += sizeof (ipsec_ctl_t); 874 ctl_mp->b_cont = mp; 875 876 ctl = (ipsec_ctl_t *)ctl_mp->b_rptr; 877 ctl->ipsec_ctl_type = IPSEC_CTL; 878 ctl->ipsec_ctl_len = sizeof (ipsec_ctl_t); 879 ctl->ipsec_ctl_sa_type = sa_type; 880 881 if (need_key) { 882 /* 883 * Keep an additional reference on SA, since it will be 884 * needed by IP to send control messages corresponding 885 * to that SA from its perimeter. IP will do a 886 * IPSA_REFRELE when done with the request. 887 */ 888 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 889 IPSA_REFHOLD(sa); 890 ctl->ipsec_ctl_sa = sa; 891 } else 892 ctl->ipsec_ctl_sa = NULL; 893 894 return (ctl_mp); 895 } 896 897 898 /* 899 * Called by sadb_ill_download() to dump the entries for a specific 900 * fanout table. For each SA entry in the table passed as argument, 901 * use mp as a template and constructs a full DL_CONTROL message, and 902 * call ill_dlpi_send(), provided by IP, to send the resulting 903 * messages to the ill. 904 */ 905 static void 906 sadb_ill_df(ill_t *ill, mblk_t *mp, isaf_t *fanout, int num_entries, 907 boolean_t is_inbound) 908 { 909 ipsa_t *walker; 910 mblk_t *nmp, *salist; 911 int i, error = 0; 912 ip_stack_t *ipst = ill->ill_ipst; 913 netstack_t *ns = ipst->ips_netstack; 914 915 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_ill_df: fanout at 0x%p ne=%d\n", 916 (void *)fanout, num_entries)); 917 /* 918 * For each IPSA hash bucket do: 919 * - Hold the mutex 920 * - Walk each entry, sending a corresponding request to IP 921 * for it. 922 */ 923 ASSERT(mp->b_datap->db_type == M_PROTO); 924 925 for (i = 0; i < num_entries; i++) { 926 mutex_enter(&fanout[i].isaf_lock); 927 salist = NULL; 928 929 for (walker = fanout[i].isaf_ipsa; walker != NULL; 930 walker = walker->ipsa_next) { 931 IPSECHW_DEBUG(IPSECHW_SADB, 932 ("sadb_ill_df: sending SA to ill via IP \n")); 933 /* 934 * Duplicate the template mp passed and 935 * complete DL_CONTROL_REQ data. 936 * To be more memory efficient, we could use 937 * dupb() for the M_CTL and copyb() for the M_PROTO 938 * as the M_CTL, since the M_CTL is the same for 939 * every SA entry passed down to IP for the same ill. 940 * 941 * Note that copymsg/copyb ensure that the new mblk 942 * is at least as large as the source mblk even if it's 943 * not using all its storage -- therefore, nmp 944 * has trailing space for sadb_req_from_sa to add 945 * the SA-specific bits. 946 */ 947 mutex_enter(&walker->ipsa_lock); 948 if (ipsec_capab_match(ill, 949 ill->ill_phyint->phyint_ifindex, ill->ill_isv6, 950 walker, ns)) { 951 nmp = copymsg(mp); 952 if (nmp == NULL) { 953 IPSECHW_DEBUG(IPSECHW_SADB, 954 ("sadb_ill_df: alloc error\n")); 955 error = ENOMEM; 956 mutex_exit(&walker->ipsa_lock); 957 break; 958 } 959 if (sadb_req_from_sa(walker, nmp, is_inbound)) { 960 nmp->b_next = salist; 961 salist = nmp; 962 } 963 } 964 mutex_exit(&walker->ipsa_lock); 965 } 966 mutex_exit(&fanout[i].isaf_lock); 967 while (salist != NULL) { 968 nmp = salist; 969 salist = nmp->b_next; 970 nmp->b_next = NULL; 971 ill_dlpi_send(ill, nmp); 972 } 973 if (error != 0) 974 break; /* out of for loop. */ 975 } 976 } 977 978 /* 979 * Called by ill_ipsec_capab_add(). Sends a copy of the SADB of 980 * the type specified by sa_type to the specified ill. 981 * 982 * We call for each fanout table defined by the SADB (one per 983 * protocol). sadb_ill_df() finally calls ill_dlpi_send() for 984 * each SADB entry in order to send a corresponding DL_CONTROL_REQ 985 * message to the ill. 986 */ 987 void 988 sadb_ill_download(ill_t *ill, uint_t sa_type) 989 { 990 mblk_t *protomp; /* prototype message */ 991 dl_control_req_t *ctrl; 992 sadbp_t *spp; 993 sadb_t *sp; 994 int dlt; 995 ip_stack_t *ipst = ill->ill_ipst; 996 netstack_t *ns = ipst->ips_netstack; 997 998 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 999 1000 /* 1001 * Allocate and initialize prototype answer. A duplicate for 1002 * each SA is sent down to the interface. 1003 */ 1004 1005 /* DL_CONTROL_REQ M_PROTO mblk_t */ 1006 protomp = allocb(sizeof (dl_control_req_t) + 1007 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 1008 if (protomp == NULL) 1009 return; 1010 protomp->b_datap->db_type = M_PROTO; 1011 1012 dlt = (sa_type == SADB_SATYPE_AH) ? DL_CT_IPSEC_AH : DL_CT_IPSEC_ESP; 1013 if (sa_type == SADB_SATYPE_ESP) { 1014 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 1015 1016 spp = &espstack->esp_sadb; 1017 } else { 1018 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 1019 1020 spp = &ahstack->ah_sadb; 1021 } 1022 1023 ctrl = (dl_control_req_t *)protomp->b_wptr; 1024 ctrl->dl_primitive = DL_CONTROL_REQ; 1025 ctrl->dl_operation = DL_CO_SET; 1026 ctrl->dl_type = dlt; 1027 ctrl->dl_key_offset = sizeof (dl_control_req_t); 1028 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 1029 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 1030 sizeof (dl_ct_ipsec_key_t); 1031 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 1032 protomp->b_wptr += sizeof (dl_control_req_t); 1033 1034 /* 1035 * then for each SADB entry, we fill out the dl_ct_ipsec_key_t 1036 * and dl_ct_ipsec_t 1037 */ 1038 sp = ill->ill_isv6 ? &(spp->s_v6) : &(spp->s_v4); 1039 sadb_ill_df(ill, protomp, sp->sdb_of, sp->sdb_hashsize, B_FALSE); 1040 sadb_ill_df(ill, protomp, sp->sdb_if, sp->sdb_hashsize, B_TRUE); 1041 freemsg(protomp); 1042 } 1043 1044 /* 1045 * Call me to free up a security association fanout. Use the forever 1046 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g. 1047 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE, 1048 * when a module is unloaded). 1049 */ 1050 static void 1051 sadb_destroyer(isaf_t **tablep, uint_t numentries, boolean_t forever, 1052 boolean_t inbound) 1053 { 1054 int i; 1055 isaf_t *table = *tablep; 1056 uint8_t protocol; 1057 ipsa_t *sa; 1058 netstackid_t sid; 1059 1060 if (table == NULL) 1061 return; 1062 1063 for (i = 0; i < numentries; i++) { 1064 mutex_enter(&table[i].isaf_lock); 1065 while ((sa = table[i].isaf_ipsa) != NULL) { 1066 if (inbound && cl_inet_deletespi && 1067 (sa->ipsa_state != IPSA_STATE_ACTIVE_ELSEWHERE) && 1068 (sa->ipsa_state != IPSA_STATE_IDLE)) { 1069 protocol = (sa->ipsa_type == SADB_SATYPE_AH) ? 1070 IPPROTO_AH : IPPROTO_ESP; 1071 sid = sa->ipsa_netstack->netstack_stackid; 1072 cl_inet_deletespi(sid, protocol, sa->ipsa_spi, 1073 NULL); 1074 } 1075 sadb_unlinkassoc(sa); 1076 } 1077 table[i].isaf_gen++; 1078 mutex_exit(&table[i].isaf_lock); 1079 if (forever) 1080 mutex_destroy(&(table[i].isaf_lock)); 1081 } 1082 1083 if (forever) { 1084 *tablep = NULL; 1085 kmem_free(table, numentries * sizeof (*table)); 1086 } 1087 } 1088 1089 /* 1090 * Entry points to sadb_destroyer(). 1091 */ 1092 static void 1093 sadb_flush(sadb_t *sp, netstack_t *ns) 1094 { 1095 /* 1096 * Flush out each bucket, one at a time. Were it not for keysock's 1097 * enforcement, there would be a subtlety where I could add on the 1098 * heels of a flush. With keysock's enforcement, however, this 1099 * makes ESP's job easy. 1100 */ 1101 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_FALSE, B_FALSE); 1102 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_FALSE, B_TRUE); 1103 1104 /* For each acquire, destroy it; leave the bucket mutex alone. */ 1105 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_FALSE, ns); 1106 } 1107 1108 static void 1109 sadb_destroy(sadb_t *sp, netstack_t *ns) 1110 { 1111 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_TRUE, B_FALSE); 1112 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_TRUE, B_TRUE); 1113 1114 /* For each acquire, destroy it, including the bucket mutex. */ 1115 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_TRUE, ns); 1116 1117 ASSERT(sp->sdb_of == NULL); 1118 ASSERT(sp->sdb_if == NULL); 1119 ASSERT(sp->sdb_acq == NULL); 1120 } 1121 1122 static void 1123 sadb_send_flush_req(sadbp_t *spp) 1124 { 1125 mblk_t *ctl_mp; 1126 1127 /* 1128 * we've been unplumbed, or never were plumbed; don't go there. 1129 */ 1130 if (spp->s_ip_q == NULL) 1131 return; 1132 1133 /* have IP send a flush msg to the IPsec accelerators */ 1134 ctl_mp = sadb_fmt_sa_req(DL_CO_FLUSH, spp->s_satype, NULL, B_TRUE); 1135 if (ctl_mp != NULL) 1136 putnext(spp->s_ip_q, ctl_mp); 1137 } 1138 1139 void 1140 sadbp_flush(sadbp_t *spp, netstack_t *ns) 1141 { 1142 sadb_flush(&spp->s_v4, ns); 1143 sadb_flush(&spp->s_v6, ns); 1144 1145 sadb_send_flush_req(spp); 1146 } 1147 1148 void 1149 sadbp_destroy(sadbp_t *spp, netstack_t *ns) 1150 { 1151 sadb_destroy(&spp->s_v4, ns); 1152 sadb_destroy(&spp->s_v6, ns); 1153 1154 sadb_send_flush_req(spp); 1155 if (spp->s_satype == SADB_SATYPE_AH) { 1156 ipsec_stack_t *ipss = ns->netstack_ipsec; 1157 1158 ip_drop_unregister(&ipss->ipsec_sadb_dropper); 1159 } 1160 } 1161 1162 1163 /* 1164 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g. 1165 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for 1166 * EINVAL. 1167 */ 1168 int 1169 sadb_hardsoftchk(sadb_lifetime_t *hard, sadb_lifetime_t *soft, 1170 sadb_lifetime_t *idle) 1171 { 1172 if (hard == NULL || soft == NULL) 1173 return (0); 1174 1175 if (hard->sadb_lifetime_allocations != 0 && 1176 soft->sadb_lifetime_allocations != 0 && 1177 hard->sadb_lifetime_allocations < soft->sadb_lifetime_allocations) 1178 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR); 1179 1180 if (hard->sadb_lifetime_bytes != 0 && 1181 soft->sadb_lifetime_bytes != 0 && 1182 hard->sadb_lifetime_bytes < soft->sadb_lifetime_bytes) 1183 return (SADB_X_DIAGNOSTIC_BYTES_HSERR); 1184 1185 if (hard->sadb_lifetime_addtime != 0 && 1186 soft->sadb_lifetime_addtime != 0 && 1187 hard->sadb_lifetime_addtime < soft->sadb_lifetime_addtime) 1188 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1189 1190 if (hard->sadb_lifetime_usetime != 0 && 1191 soft->sadb_lifetime_usetime != 0 && 1192 hard->sadb_lifetime_usetime < soft->sadb_lifetime_usetime) 1193 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1194 1195 if (idle != NULL) { 1196 if (hard->sadb_lifetime_addtime != 0 && 1197 idle->sadb_lifetime_addtime != 0 && 1198 hard->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) 1199 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1200 1201 if (soft->sadb_lifetime_addtime != 0 && 1202 idle->sadb_lifetime_addtime != 0 && 1203 soft->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) 1204 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1205 1206 if (hard->sadb_lifetime_usetime != 0 && 1207 idle->sadb_lifetime_usetime != 0 && 1208 hard->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) 1209 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1210 1211 if (soft->sadb_lifetime_usetime != 0 && 1212 idle->sadb_lifetime_usetime != 0 && 1213 soft->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) 1214 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1215 } 1216 1217 return (0); 1218 } 1219 1220 /* 1221 * Sanity check sensitivity labels. 1222 * 1223 * For now, just reject labels on unlabeled systems. 1224 */ 1225 int 1226 sadb_labelchk(keysock_in_t *ksi) 1227 { 1228 if (!is_system_labeled()) { 1229 if (ksi->ks_in_extv[SADB_EXT_SENSITIVITY] != NULL) 1230 return (SADB_X_DIAGNOSTIC_BAD_LABEL); 1231 1232 if (ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS] != NULL) 1233 return (SADB_X_DIAGNOSTIC_BAD_LABEL); 1234 } 1235 1236 return (0); 1237 } 1238 1239 /* 1240 * Clone a security association for the purposes of inserting a single SA 1241 * into inbound and outbound tables respectively. This function should only 1242 * be called from sadb_common_add(). 1243 */ 1244 static ipsa_t * 1245 sadb_cloneassoc(ipsa_t *ipsa) 1246 { 1247 ipsa_t *newbie; 1248 boolean_t error = B_FALSE; 1249 1250 ASSERT(MUTEX_NOT_HELD(&(ipsa->ipsa_lock))); 1251 1252 newbie = kmem_alloc(sizeof (ipsa_t), KM_NOSLEEP); 1253 if (newbie == NULL) 1254 return (NULL); 1255 1256 /* Copy over what we can. */ 1257 *newbie = *ipsa; 1258 1259 /* bzero and initialize locks, in case *_init() allocates... */ 1260 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 1261 1262 if (newbie->ipsa_cred != NULL) 1263 crhold(newbie->ipsa_cred); 1264 1265 if (newbie->ipsa_ocred != NULL) 1266 crhold(newbie->ipsa_ocred); 1267 1268 /* 1269 * While somewhat dain-bramaged, the most graceful way to 1270 * recover from errors is to keep plowing through the 1271 * allocations, and getting what I can. It's easier to call 1272 * sadb_freeassoc() on the stillborn clone when all the 1273 * pointers aren't pointing to the parent's data. 1274 */ 1275 1276 if (ipsa->ipsa_authkey != NULL) { 1277 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 1278 KM_NOSLEEP); 1279 if (newbie->ipsa_authkey == NULL) { 1280 error = B_TRUE; 1281 } else { 1282 bcopy(ipsa->ipsa_authkey, newbie->ipsa_authkey, 1283 newbie->ipsa_authkeylen); 1284 1285 newbie->ipsa_kcfauthkey.ck_data = 1286 newbie->ipsa_authkey; 1287 } 1288 1289 if (newbie->ipsa_amech.cm_param != NULL) { 1290 newbie->ipsa_amech.cm_param = 1291 (char *)&newbie->ipsa_mac_len; 1292 } 1293 } 1294 1295 if (ipsa->ipsa_encrkey != NULL) { 1296 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 1297 KM_NOSLEEP); 1298 if (newbie->ipsa_encrkey == NULL) { 1299 error = B_TRUE; 1300 } else { 1301 bcopy(ipsa->ipsa_encrkey, newbie->ipsa_encrkey, 1302 newbie->ipsa_encrkeylen); 1303 1304 newbie->ipsa_kcfencrkey.ck_data = 1305 newbie->ipsa_encrkey; 1306 } 1307 } 1308 1309 newbie->ipsa_authtmpl = NULL; 1310 newbie->ipsa_encrtmpl = NULL; 1311 newbie->ipsa_haspeer = B_TRUE; 1312 1313 if (ipsa->ipsa_src_cid != NULL) { 1314 newbie->ipsa_src_cid = ipsa->ipsa_src_cid; 1315 IPSID_REFHOLD(ipsa->ipsa_src_cid); 1316 } 1317 1318 if (ipsa->ipsa_dst_cid != NULL) { 1319 newbie->ipsa_dst_cid = ipsa->ipsa_dst_cid; 1320 IPSID_REFHOLD(ipsa->ipsa_dst_cid); 1321 } 1322 1323 if (error) { 1324 sadb_freeassoc(newbie); 1325 return (NULL); 1326 } 1327 1328 return (newbie); 1329 } 1330 1331 /* 1332 * Initialize a SADB address extension at the address specified by addrext. 1333 * Return a pointer to the end of the new address extension. 1334 */ 1335 static uint8_t * 1336 sadb_make_addr_ext(uint8_t *start, uint8_t *end, uint16_t exttype, 1337 sa_family_t af, uint32_t *addr, uint16_t port, uint8_t proto, int prefix) 1338 { 1339 struct sockaddr_in *sin; 1340 struct sockaddr_in6 *sin6; 1341 uint8_t *cur = start; 1342 int addrext_len; 1343 int sin_len; 1344 sadb_address_t *addrext = (sadb_address_t *)cur; 1345 1346 if (cur == NULL) 1347 return (NULL); 1348 1349 cur += sizeof (*addrext); 1350 if (cur > end) 1351 return (NULL); 1352 1353 addrext->sadb_address_proto = proto; 1354 addrext->sadb_address_prefixlen = prefix; 1355 addrext->sadb_address_reserved = 0; 1356 addrext->sadb_address_exttype = exttype; 1357 1358 switch (af) { 1359 case AF_INET: 1360 sin = (struct sockaddr_in *)cur; 1361 sin_len = sizeof (*sin); 1362 cur += sin_len; 1363 if (cur > end) 1364 return (NULL); 1365 1366 sin->sin_family = af; 1367 bzero(sin->sin_zero, sizeof (sin->sin_zero)); 1368 sin->sin_port = port; 1369 IPSA_COPY_ADDR(&sin->sin_addr, addr, af); 1370 break; 1371 case AF_INET6: 1372 sin6 = (struct sockaddr_in6 *)cur; 1373 sin_len = sizeof (*sin6); 1374 cur += sin_len; 1375 if (cur > end) 1376 return (NULL); 1377 1378 bzero(sin6, sizeof (*sin6)); 1379 sin6->sin6_family = af; 1380 sin6->sin6_port = port; 1381 IPSA_COPY_ADDR(&sin6->sin6_addr, addr, af); 1382 break; 1383 } 1384 1385 addrext_len = roundup(cur - start, sizeof (uint64_t)); 1386 addrext->sadb_address_len = SADB_8TO64(addrext_len); 1387 1388 cur = start + addrext_len; 1389 if (cur > end) 1390 cur = NULL; 1391 1392 return (cur); 1393 } 1394 1395 /* 1396 * Construct a key management cookie extension. 1397 */ 1398 1399 static uint8_t * 1400 sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint32_t kmc) 1401 { 1402 sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur; 1403 1404 if (cur == NULL) 1405 return (NULL); 1406 1407 cur += sizeof (*kmcext); 1408 1409 if (cur > end) 1410 return (NULL); 1411 1412 kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext)); 1413 kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE; 1414 kmcext->sadb_x_kmc_proto = kmp; 1415 kmcext->sadb_x_kmc_cookie = kmc; 1416 kmcext->sadb_x_kmc_reserved = 0; 1417 1418 return (cur); 1419 } 1420 1421 /* 1422 * Given an original message header with sufficient space following it, and an 1423 * SA, construct a full PF_KEY message with all of the relevant extensions. 1424 * This is mostly used for SADB_GET, and SADB_DUMP. 1425 */ 1426 static mblk_t * 1427 sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg) 1428 { 1429 int alloclen, addrsize, paddrsize, authsize, encrsize; 1430 int srcidsize, dstidsize, senslen, osenslen; 1431 sa_family_t fam, pfam; /* Address family for SADB_EXT_ADDRESS */ 1432 /* src/dst and proxy sockaddrs. */ 1433 /* 1434 * The following are pointers into the PF_KEY message this PF_KEY 1435 * message creates. 1436 */ 1437 sadb_msg_t *newsamsg; 1438 sadb_sa_t *assoc; 1439 sadb_lifetime_t *lt; 1440 sadb_key_t *key; 1441 sadb_ident_t *ident; 1442 sadb_sens_t *sens; 1443 sadb_ext_t *walker; /* For when we need a generic ext. pointer. */ 1444 sadb_x_replay_ctr_t *repl_ctr; 1445 sadb_x_pair_t *pair_ext; 1446 1447 mblk_t *mp; 1448 uint8_t *cur, *end; 1449 /* These indicate the presence of the above extension fields. */ 1450 boolean_t soft = B_FALSE, hard = B_FALSE; 1451 boolean_t isrc = B_FALSE, idst = B_FALSE; 1452 boolean_t auth = B_FALSE, encr = B_FALSE; 1453 boolean_t sensinteg = B_FALSE, osensinteg = B_FALSE; 1454 boolean_t srcid = B_FALSE, dstid = B_FALSE; 1455 boolean_t idle; 1456 boolean_t paired; 1457 uint32_t otherspi; 1458 1459 /* First off, figure out the allocation length for this message. */ 1460 /* 1461 * Constant stuff. This includes base, SA, address (src, dst), 1462 * and lifetime (current). 1463 */ 1464 alloclen = sizeof (sadb_msg_t) + sizeof (sadb_sa_t) + 1465 sizeof (sadb_lifetime_t); 1466 1467 fam = ipsa->ipsa_addrfam; 1468 switch (fam) { 1469 case AF_INET: 1470 addrsize = roundup(sizeof (struct sockaddr_in) + 1471 sizeof (sadb_address_t), sizeof (uint64_t)); 1472 break; 1473 case AF_INET6: 1474 addrsize = roundup(sizeof (struct sockaddr_in6) + 1475 sizeof (sadb_address_t), sizeof (uint64_t)); 1476 break; 1477 default: 1478 return (NULL); 1479 } 1480 /* 1481 * Allocate TWO address extensions, for source and destination. 1482 * (Thus, the * 2.) 1483 */ 1484 alloclen += addrsize * 2; 1485 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) 1486 alloclen += addrsize; 1487 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) 1488 alloclen += addrsize; 1489 1490 if (ipsa->ipsa_flags & IPSA_F_PAIRED) { 1491 paired = B_TRUE; 1492 alloclen += sizeof (sadb_x_pair_t); 1493 otherspi = ipsa->ipsa_otherspi; 1494 } else { 1495 paired = B_FALSE; 1496 } 1497 1498 /* How 'bout other lifetimes? */ 1499 if (ipsa->ipsa_softaddlt != 0 || ipsa->ipsa_softuselt != 0 || 1500 ipsa->ipsa_softbyteslt != 0 || ipsa->ipsa_softalloc != 0) { 1501 alloclen += sizeof (sadb_lifetime_t); 1502 soft = B_TRUE; 1503 } 1504 1505 if (ipsa->ipsa_hardaddlt != 0 || ipsa->ipsa_harduselt != 0 || 1506 ipsa->ipsa_hardbyteslt != 0 || ipsa->ipsa_hardalloc != 0) { 1507 alloclen += sizeof (sadb_lifetime_t); 1508 hard = B_TRUE; 1509 } 1510 1511 if (ipsa->ipsa_idleaddlt != 0 || ipsa->ipsa_idleuselt != 0) { 1512 alloclen += sizeof (sadb_lifetime_t); 1513 idle = B_TRUE; 1514 } else { 1515 idle = B_FALSE; 1516 } 1517 1518 /* Inner addresses. */ 1519 if (ipsa->ipsa_innerfam != 0) { 1520 pfam = ipsa->ipsa_innerfam; 1521 switch (pfam) { 1522 case AF_INET6: 1523 paddrsize = roundup(sizeof (struct sockaddr_in6) + 1524 sizeof (sadb_address_t), sizeof (uint64_t)); 1525 break; 1526 case AF_INET: 1527 paddrsize = roundup(sizeof (struct sockaddr_in) + 1528 sizeof (sadb_address_t), sizeof (uint64_t)); 1529 break; 1530 default: 1531 cmn_err(CE_PANIC, 1532 "IPsec SADB: Proxy length failure.\n"); 1533 break; 1534 } 1535 isrc = B_TRUE; 1536 idst = B_TRUE; 1537 alloclen += 2 * paddrsize; 1538 } 1539 1540 /* For the following fields, assume that length != 0 ==> stuff */ 1541 if (ipsa->ipsa_authkeylen != 0) { 1542 authsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_authkeylen, 1543 sizeof (uint64_t)); 1544 alloclen += authsize; 1545 auth = B_TRUE; 1546 } 1547 1548 if (ipsa->ipsa_encrkeylen != 0) { 1549 encrsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_encrkeylen + 1550 ipsa->ipsa_nonce_len, sizeof (uint64_t)); 1551 alloclen += encrsize; 1552 encr = B_TRUE; 1553 } else { 1554 encr = B_FALSE; 1555 } 1556 1557 if (ipsa->ipsa_cred != NULL) { 1558 senslen = sadb_sens_len_from_cred(ipsa->ipsa_cred); 1559 alloclen += senslen; 1560 sensinteg = B_TRUE; 1561 } 1562 1563 if (ipsa->ipsa_ocred != NULL) { 1564 osenslen = sadb_sens_len_from_cred(ipsa->ipsa_ocred); 1565 alloclen += osenslen; 1566 osensinteg = B_TRUE; 1567 } 1568 1569 /* 1570 * Must use strlen() here for lengths. Identities use NULL 1571 * pointers to indicate their nonexistence. 1572 */ 1573 if (ipsa->ipsa_src_cid != NULL) { 1574 srcidsize = roundup(sizeof (sadb_ident_t) + 1575 strlen(ipsa->ipsa_src_cid->ipsid_cid) + 1, 1576 sizeof (uint64_t)); 1577 alloclen += srcidsize; 1578 srcid = B_TRUE; 1579 } 1580 1581 if (ipsa->ipsa_dst_cid != NULL) { 1582 dstidsize = roundup(sizeof (sadb_ident_t) + 1583 strlen(ipsa->ipsa_dst_cid->ipsid_cid) + 1, 1584 sizeof (uint64_t)); 1585 alloclen += dstidsize; 1586 dstid = B_TRUE; 1587 } 1588 1589 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) 1590 alloclen += sizeof (sadb_x_kmc_t); 1591 1592 if (ipsa->ipsa_replay != 0) { 1593 alloclen += sizeof (sadb_x_replay_ctr_t); 1594 } 1595 1596 /* Make sure the allocation length is a multiple of 8 bytes. */ 1597 ASSERT((alloclen & 0x7) == 0); 1598 1599 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */ 1600 mp = allocb(alloclen, BPRI_HI); 1601 if (mp == NULL) 1602 return (NULL); 1603 bzero(mp->b_rptr, alloclen); 1604 1605 mp->b_wptr += alloclen; 1606 end = mp->b_wptr; 1607 newsamsg = (sadb_msg_t *)mp->b_rptr; 1608 *newsamsg = *samsg; 1609 newsamsg->sadb_msg_len = (uint16_t)SADB_8TO64(alloclen); 1610 1611 mutex_enter(&ipsa->ipsa_lock); /* Since I'm grabbing SA fields... */ 1612 1613 newsamsg->sadb_msg_satype = ipsa->ipsa_type; 1614 1615 assoc = (sadb_sa_t *)(newsamsg + 1); 1616 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc)); 1617 assoc->sadb_sa_exttype = SADB_EXT_SA; 1618 assoc->sadb_sa_spi = ipsa->ipsa_spi; 1619 assoc->sadb_sa_replay = ipsa->ipsa_replay_wsize; 1620 assoc->sadb_sa_state = ipsa->ipsa_state; 1621 assoc->sadb_sa_auth = ipsa->ipsa_auth_alg; 1622 assoc->sadb_sa_encrypt = ipsa->ipsa_encr_alg; 1623 assoc->sadb_sa_flags = ipsa->ipsa_flags; 1624 1625 lt = (sadb_lifetime_t *)(assoc + 1); 1626 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1627 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 1628 /* We do not support the concept. */ 1629 lt->sadb_lifetime_allocations = 0; 1630 lt->sadb_lifetime_bytes = ipsa->ipsa_bytes; 1631 lt->sadb_lifetime_addtime = ipsa->ipsa_addtime; 1632 lt->sadb_lifetime_usetime = ipsa->ipsa_usetime; 1633 1634 if (hard) { 1635 lt++; 1636 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1637 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 1638 lt->sadb_lifetime_allocations = ipsa->ipsa_hardalloc; 1639 lt->sadb_lifetime_bytes = ipsa->ipsa_hardbyteslt; 1640 lt->sadb_lifetime_addtime = ipsa->ipsa_hardaddlt; 1641 lt->sadb_lifetime_usetime = ipsa->ipsa_harduselt; 1642 } 1643 1644 if (soft) { 1645 lt++; 1646 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1647 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 1648 lt->sadb_lifetime_allocations = ipsa->ipsa_softalloc; 1649 lt->sadb_lifetime_bytes = ipsa->ipsa_softbyteslt; 1650 lt->sadb_lifetime_addtime = ipsa->ipsa_softaddlt; 1651 lt->sadb_lifetime_usetime = ipsa->ipsa_softuselt; 1652 } 1653 1654 if (idle) { 1655 lt++; 1656 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1657 lt->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE; 1658 lt->sadb_lifetime_addtime = ipsa->ipsa_idleaddlt; 1659 lt->sadb_lifetime_usetime = ipsa->ipsa_idleuselt; 1660 } 1661 1662 cur = (uint8_t *)(lt + 1); 1663 1664 /* NOTE: Don't fill in ports here if we are a tunnel-mode SA. */ 1665 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, fam, 1666 ipsa->ipsa_srcaddr, (!isrc && !idst) ? SA_SRCPORT(ipsa) : 0, 1667 SA_PROTO(ipsa), 0); 1668 if (cur == NULL) { 1669 freemsg(mp); 1670 mp = NULL; 1671 goto bail; 1672 } 1673 1674 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, fam, 1675 ipsa->ipsa_dstaddr, (!isrc && !idst) ? SA_DSTPORT(ipsa) : 0, 1676 SA_PROTO(ipsa), 0); 1677 if (cur == NULL) { 1678 freemsg(mp); 1679 mp = NULL; 1680 goto bail; 1681 } 1682 1683 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) { 1684 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_LOC, 1685 fam, &ipsa->ipsa_natt_addr_loc, ipsa->ipsa_local_nat_port, 1686 IPPROTO_UDP, 0); 1687 if (cur == NULL) { 1688 freemsg(mp); 1689 mp = NULL; 1690 goto bail; 1691 } 1692 } 1693 1694 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) { 1695 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_REM, 1696 fam, &ipsa->ipsa_natt_addr_rem, ipsa->ipsa_remote_nat_port, 1697 IPPROTO_UDP, 0); 1698 if (cur == NULL) { 1699 freemsg(mp); 1700 mp = NULL; 1701 goto bail; 1702 } 1703 } 1704 1705 /* If we are a tunnel-mode SA, fill in the inner-selectors. */ 1706 if (isrc) { 1707 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 1708 pfam, ipsa->ipsa_innersrc, SA_SRCPORT(ipsa), 1709 SA_IPROTO(ipsa), ipsa->ipsa_innersrcpfx); 1710 if (cur == NULL) { 1711 freemsg(mp); 1712 mp = NULL; 1713 goto bail; 1714 } 1715 } 1716 1717 if (idst) { 1718 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 1719 pfam, ipsa->ipsa_innerdst, SA_DSTPORT(ipsa), 1720 SA_IPROTO(ipsa), ipsa->ipsa_innerdstpfx); 1721 if (cur == NULL) { 1722 freemsg(mp); 1723 mp = NULL; 1724 goto bail; 1725 } 1726 } 1727 1728 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) { 1729 cur = sadb_make_kmc_ext(cur, end, 1730 ipsa->ipsa_kmp, ipsa->ipsa_kmc); 1731 if (cur == NULL) { 1732 freemsg(mp); 1733 mp = NULL; 1734 goto bail; 1735 } 1736 } 1737 1738 walker = (sadb_ext_t *)cur; 1739 if (auth) { 1740 key = (sadb_key_t *)walker; 1741 key->sadb_key_len = SADB_8TO64(authsize); 1742 key->sadb_key_exttype = SADB_EXT_KEY_AUTH; 1743 key->sadb_key_bits = ipsa->ipsa_authkeybits; 1744 key->sadb_key_reserved = 0; 1745 bcopy(ipsa->ipsa_authkey, key + 1, ipsa->ipsa_authkeylen); 1746 walker = (sadb_ext_t *)((uint64_t *)walker + 1747 walker->sadb_ext_len); 1748 } 1749 1750 if (encr) { 1751 uint8_t *buf_ptr; 1752 key = (sadb_key_t *)walker; 1753 key->sadb_key_len = SADB_8TO64(encrsize); 1754 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 1755 key->sadb_key_bits = ipsa->ipsa_encrkeybits; 1756 key->sadb_key_reserved = ipsa->ipsa_saltbits; 1757 buf_ptr = (uint8_t *)(key + 1); 1758 bcopy(ipsa->ipsa_encrkey, buf_ptr, ipsa->ipsa_encrkeylen); 1759 if (ipsa->ipsa_salt != NULL) { 1760 buf_ptr += ipsa->ipsa_encrkeylen; 1761 bcopy(ipsa->ipsa_salt, buf_ptr, ipsa->ipsa_saltlen); 1762 } 1763 walker = (sadb_ext_t *)((uint64_t *)walker + 1764 walker->sadb_ext_len); 1765 } 1766 1767 if (srcid) { 1768 ident = (sadb_ident_t *)walker; 1769 ident->sadb_ident_len = SADB_8TO64(srcidsize); 1770 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 1771 ident->sadb_ident_type = ipsa->ipsa_src_cid->ipsid_type; 1772 ident->sadb_ident_id = 0; 1773 ident->sadb_ident_reserved = 0; 1774 (void) strcpy((char *)(ident + 1), 1775 ipsa->ipsa_src_cid->ipsid_cid); 1776 walker = (sadb_ext_t *)((uint64_t *)walker + 1777 walker->sadb_ext_len); 1778 } 1779 1780 if (dstid) { 1781 ident = (sadb_ident_t *)walker; 1782 ident->sadb_ident_len = SADB_8TO64(dstidsize); 1783 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 1784 ident->sadb_ident_type = ipsa->ipsa_dst_cid->ipsid_type; 1785 ident->sadb_ident_id = 0; 1786 ident->sadb_ident_reserved = 0; 1787 (void) strcpy((char *)(ident + 1), 1788 ipsa->ipsa_dst_cid->ipsid_cid); 1789 walker = (sadb_ext_t *)((uint64_t *)walker + 1790 walker->sadb_ext_len); 1791 } 1792 1793 if (sensinteg) { 1794 sens = (sadb_sens_t *)walker; 1795 sadb_sens_from_cred(sens, SADB_EXT_SENSITIVITY, 1796 ipsa->ipsa_cred, senslen); 1797 1798 walker = (sadb_ext_t *)((uint64_t *)walker + 1799 walker->sadb_ext_len); 1800 } 1801 1802 if (osensinteg) { 1803 sens = (sadb_sens_t *)walker; 1804 1805 sadb_sens_from_cred(sens, SADB_X_EXT_OUTER_SENS, 1806 ipsa->ipsa_ocred, osenslen); 1807 if (ipsa->ipsa_mac_exempt) 1808 sens->sadb_x_sens_flags = SADB_X_SENS_IMPLICIT; 1809 1810 walker = (sadb_ext_t *)((uint64_t *)walker + 1811 walker->sadb_ext_len); 1812 } 1813 1814 if (paired) { 1815 pair_ext = (sadb_x_pair_t *)walker; 1816 1817 pair_ext->sadb_x_pair_len = SADB_8TO64(sizeof (sadb_x_pair_t)); 1818 pair_ext->sadb_x_pair_exttype = SADB_X_EXT_PAIR; 1819 pair_ext->sadb_x_pair_spi = otherspi; 1820 1821 walker = (sadb_ext_t *)((uint64_t *)walker + 1822 walker->sadb_ext_len); 1823 } 1824 1825 if (ipsa->ipsa_replay != 0) { 1826 repl_ctr = (sadb_x_replay_ctr_t *)walker; 1827 repl_ctr->sadb_x_rc_len = SADB_8TO64(sizeof (*repl_ctr)); 1828 repl_ctr->sadb_x_rc_exttype = SADB_X_EXT_REPLAY_VALUE; 1829 repl_ctr->sadb_x_rc_replay32 = ipsa->ipsa_replay; 1830 repl_ctr->sadb_x_rc_replay64 = 0; 1831 walker = (sadb_ext_t *)(repl_ctr + 1); 1832 } 1833 1834 bail: 1835 /* Pardon any delays... */ 1836 mutex_exit(&ipsa->ipsa_lock); 1837 1838 return (mp); 1839 } 1840 1841 /* 1842 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN) 1843 * and adjust base message accordingly. 1844 * 1845 * Assume message is pulled up in one piece of contiguous memory. 1846 * 1847 * Say if we start off with: 1848 * 1849 * +------+----+-------------+-----------+---------------+---------------+ 1850 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime | 1851 * +------+----+-------------+-----------+---------------+---------------+ 1852 * 1853 * we will end up with 1854 * 1855 * +------+----+-------------+-----------+---------------+ 1856 * | base | SA | source addr | dest addr | soft lifetime | 1857 * +------+----+-------------+-----------+---------------+ 1858 */ 1859 static void 1860 sadb_strip(sadb_msg_t *samsg) 1861 { 1862 sadb_ext_t *ext; 1863 uint8_t *target = NULL; 1864 uint8_t *msgend; 1865 int sofar = SADB_8TO64(sizeof (*samsg)); 1866 int copylen; 1867 1868 ext = (sadb_ext_t *)(samsg + 1); 1869 msgend = (uint8_t *)samsg; 1870 msgend += SADB_64TO8(samsg->sadb_msg_len); 1871 while ((uint8_t *)ext < msgend) { 1872 if (ext->sadb_ext_type == SADB_EXT_RESERVED || 1873 ext->sadb_ext_type == SADB_EXT_KEY_AUTH || 1874 ext->sadb_ext_type == SADB_X_EXT_EDUMP || 1875 ext->sadb_ext_type == SADB_EXT_KEY_ENCRYPT) { 1876 /* 1877 * Aha! I found a header to be erased. 1878 */ 1879 1880 if (target != NULL) { 1881 /* 1882 * If I had a previous header to be erased, 1883 * copy over it. I can get away with just 1884 * copying backwards because the target will 1885 * always be 8 bytes behind the source. 1886 */ 1887 copylen = ((uint8_t *)ext) - (target + 1888 SADB_64TO8( 1889 ((sadb_ext_t *)target)->sadb_ext_len)); 1890 ovbcopy(((uint8_t *)ext - copylen), target, 1891 copylen); 1892 target += copylen; 1893 ((sadb_ext_t *)target)->sadb_ext_len = 1894 SADB_8TO64(((uint8_t *)ext) - target + 1895 SADB_64TO8(ext->sadb_ext_len)); 1896 } else { 1897 target = (uint8_t *)ext; 1898 } 1899 } else { 1900 sofar += ext->sadb_ext_len; 1901 } 1902 1903 ext = (sadb_ext_t *)(((uint64_t *)ext) + ext->sadb_ext_len); 1904 } 1905 1906 ASSERT((uint8_t *)ext == msgend); 1907 1908 if (target != NULL) { 1909 copylen = ((uint8_t *)ext) - (target + 1910 SADB_64TO8(((sadb_ext_t *)target)->sadb_ext_len)); 1911 if (copylen != 0) 1912 ovbcopy(((uint8_t *)ext - copylen), target, copylen); 1913 } 1914 1915 /* Adjust samsg. */ 1916 samsg->sadb_msg_len = (uint16_t)sofar; 1917 1918 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */ 1919 } 1920 1921 /* 1922 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL 1923 * followed by an M_DATA with a PF_KEY message in it. The serial of 1924 * the sending keysock instance is included. 1925 */ 1926 void 1927 sadb_pfkey_error(queue_t *pfkey_q, mblk_t *mp, int error, int diagnostic, 1928 uint_t serial) 1929 { 1930 mblk_t *msg = mp->b_cont; 1931 sadb_msg_t *samsg; 1932 keysock_out_t *kso; 1933 1934 /* 1935 * Enough functions call this to merit a NULL queue check. 1936 */ 1937 if (pfkey_q == NULL) { 1938 freemsg(mp); 1939 return; 1940 } 1941 1942 ASSERT(msg != NULL); 1943 ASSERT((mp->b_wptr - mp->b_rptr) == sizeof (ipsec_info_t)); 1944 ASSERT((msg->b_wptr - msg->b_rptr) >= sizeof (sadb_msg_t)); 1945 samsg = (sadb_msg_t *)msg->b_rptr; 1946 kso = (keysock_out_t *)mp->b_rptr; 1947 1948 kso->ks_out_type = KEYSOCK_OUT; 1949 kso->ks_out_len = sizeof (*kso); 1950 kso->ks_out_serial = serial; 1951 1952 /* 1953 * Only send the base message up in the event of an error. 1954 * Don't worry about bzero()-ing, because it was probably bogus 1955 * anyway. 1956 */ 1957 msg->b_wptr = msg->b_rptr + sizeof (*samsg); 1958 samsg = (sadb_msg_t *)msg->b_rptr; 1959 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 1960 samsg->sadb_msg_errno = (uint8_t)error; 1961 if (diagnostic != SADB_X_DIAGNOSTIC_PRESET) 1962 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 1963 1964 putnext(pfkey_q, mp); 1965 } 1966 1967 /* 1968 * Send a successful return packet back to keysock via the queue in pfkey_q. 1969 * 1970 * Often, an SA is associated with the reply message, it's passed in if needed, 1971 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held, 1972 * and the caller will release said refcnt. 1973 */ 1974 void 1975 sadb_pfkey_echo(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 1976 keysock_in_t *ksi, ipsa_t *ipsa) 1977 { 1978 keysock_out_t *kso; 1979 mblk_t *mp1; 1980 sadb_msg_t *newsamsg; 1981 uint8_t *oldend; 1982 1983 ASSERT((mp->b_cont != NULL) && 1984 ((void *)samsg == (void *)mp->b_cont->b_rptr) && 1985 ((void *)mp->b_rptr == (void *)ksi)); 1986 1987 switch (samsg->sadb_msg_type) { 1988 case SADB_ADD: 1989 case SADB_UPDATE: 1990 case SADB_X_UPDATEPAIR: 1991 case SADB_X_DELPAIR_STATE: 1992 case SADB_FLUSH: 1993 case SADB_DUMP: 1994 /* 1995 * I have all of the message already. I just need to strip 1996 * out the keying material and echo the message back. 1997 * 1998 * NOTE: for SADB_DUMP, the function sadb_dump() did the 1999 * work. When DUMP reaches here, it should only be a base 2000 * message. 2001 */ 2002 justecho: 2003 if (ksi->ks_in_extv[SADB_EXT_KEY_AUTH] != NULL || 2004 ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT] != NULL || 2005 ksi->ks_in_extv[SADB_X_EXT_EDUMP] != NULL) { 2006 sadb_strip(samsg); 2007 /* Assume PF_KEY message is contiguous. */ 2008 ASSERT(mp->b_cont->b_cont == NULL); 2009 oldend = mp->b_cont->b_wptr; 2010 mp->b_cont->b_wptr = mp->b_cont->b_rptr + 2011 SADB_64TO8(samsg->sadb_msg_len); 2012 bzero(mp->b_cont->b_wptr, oldend - mp->b_cont->b_wptr); 2013 } 2014 break; 2015 case SADB_GET: 2016 /* 2017 * Do a lot of work here, because of the ipsa I just found. 2018 * First construct the new PF_KEY message, then abandon 2019 * the old one. 2020 */ 2021 mp1 = sadb_sa2msg(ipsa, samsg); 2022 if (mp1 == NULL) { 2023 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 2024 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 2025 return; 2026 } 2027 freemsg(mp->b_cont); 2028 mp->b_cont = mp1; 2029 break; 2030 case SADB_DELETE: 2031 case SADB_X_DELPAIR: 2032 if (ipsa == NULL) 2033 goto justecho; 2034 /* 2035 * Because listening KMds may require more info, treat 2036 * DELETE like a special case of GET. 2037 */ 2038 mp1 = sadb_sa2msg(ipsa, samsg); 2039 if (mp1 == NULL) { 2040 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 2041 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 2042 return; 2043 } 2044 newsamsg = (sadb_msg_t *)mp1->b_rptr; 2045 sadb_strip(newsamsg); 2046 oldend = mp1->b_wptr; 2047 mp1->b_wptr = mp1->b_rptr + SADB_64TO8(newsamsg->sadb_msg_len); 2048 bzero(mp1->b_wptr, oldend - mp1->b_wptr); 2049 freemsg(mp->b_cont); 2050 mp->b_cont = mp1; 2051 break; 2052 default: 2053 if (mp != NULL) 2054 freemsg(mp); 2055 return; 2056 } 2057 2058 /* ksi is now null and void. */ 2059 kso = (keysock_out_t *)ksi; 2060 kso->ks_out_type = KEYSOCK_OUT; 2061 kso->ks_out_len = sizeof (*kso); 2062 kso->ks_out_serial = ksi->ks_in_serial; 2063 /* We're ready to send... */ 2064 putnext(pfkey_q, mp); 2065 } 2066 2067 /* 2068 * Set up a global pfkey_q instance for AH, ESP, or some other consumer. 2069 */ 2070 void 2071 sadb_keysock_hello(queue_t **pfkey_qp, queue_t *q, mblk_t *mp, 2072 void (*ager)(void *), void *agerarg, timeout_id_t *top, int satype) 2073 { 2074 keysock_hello_ack_t *kha; 2075 queue_t *oldq; 2076 2077 ASSERT(OTHERQ(q) != NULL); 2078 2079 /* 2080 * First, check atomically that I'm the first and only keysock 2081 * instance. 2082 * 2083 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp), 2084 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY 2085 * messages. 2086 */ 2087 2088 oldq = casptr((void **)pfkey_qp, NULL, OTHERQ(q)); 2089 if (oldq != NULL) { 2090 ASSERT(oldq != q); 2091 cmn_err(CE_WARN, "Danger! Multiple keysocks on top of %s.\n", 2092 (satype == SADB_SATYPE_ESP)? "ESP" : "AH or other"); 2093 freemsg(mp); 2094 return; 2095 } 2096 2097 kha = (keysock_hello_ack_t *)mp->b_rptr; 2098 kha->ks_hello_len = sizeof (keysock_hello_ack_t); 2099 kha->ks_hello_type = KEYSOCK_HELLO_ACK; 2100 kha->ks_hello_satype = (uint8_t)satype; 2101 2102 /* 2103 * If we made it past the casptr, then we have "exclusive" access 2104 * to the timeout handle. Fire it off after the default ager 2105 * interval. 2106 */ 2107 *top = qtimeout(*pfkey_qp, ager, agerarg, 2108 drv_usectohz(SADB_AGE_INTERVAL_DEFAULT * 1000)); 2109 2110 putnext(*pfkey_qp, mp); 2111 } 2112 2113 /* 2114 * Normalize IPv4-mapped IPv6 addresses (and prefixes) as appropriate. 2115 * 2116 * Check addresses themselves for wildcard or multicast. 2117 * Check ire table for local/non-local/broadcast. 2118 */ 2119 int 2120 sadb_addrcheck(queue_t *pfkey_q, mblk_t *mp, sadb_ext_t *ext, uint_t serial, 2121 netstack_t *ns) 2122 { 2123 sadb_address_t *addr = (sadb_address_t *)ext; 2124 struct sockaddr_in *sin; 2125 struct sockaddr_in6 *sin6; 2126 ire_t *ire; 2127 int diagnostic, type; 2128 boolean_t normalized = B_FALSE; 2129 2130 ASSERT(ext != NULL); 2131 ASSERT((ext->sadb_ext_type == SADB_EXT_ADDRESS_SRC) || 2132 (ext->sadb_ext_type == SADB_EXT_ADDRESS_DST) || 2133 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) || 2134 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) || 2135 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_LOC) || 2136 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_REM)); 2137 2138 /* Assign both sockaddrs, the compiler will do the right thing. */ 2139 sin = (struct sockaddr_in *)(addr + 1); 2140 sin6 = (struct sockaddr_in6 *)(addr + 1); 2141 2142 if (sin6->sin6_family == AF_INET6) { 2143 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { 2144 /* 2145 * Convert to an AF_INET sockaddr. This means the 2146 * return messages will have the extra space, but have 2147 * AF_INET sockaddrs instead of AF_INET6. 2148 * 2149 * Yes, RFC 2367 isn't clear on what to do here w.r.t. 2150 * mapped addresses, but since AF_INET6 ::ffff:<v4> is 2151 * equal to AF_INET <v4>, it shouldnt be a huge 2152 * problem. 2153 */ 2154 sin->sin_family = AF_INET; 2155 IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, 2156 &sin->sin_addr); 2157 bzero(&sin->sin_zero, sizeof (sin->sin_zero)); 2158 normalized = B_TRUE; 2159 } 2160 } else if (sin->sin_family != AF_INET) { 2161 switch (ext->sadb_ext_type) { 2162 case SADB_EXT_ADDRESS_SRC: 2163 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC_AF; 2164 break; 2165 case SADB_EXT_ADDRESS_DST: 2166 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 2167 break; 2168 case SADB_X_EXT_ADDRESS_INNER_SRC: 2169 diagnostic = SADB_X_DIAGNOSTIC_BAD_PROXY_AF; 2170 break; 2171 case SADB_X_EXT_ADDRESS_INNER_DST: 2172 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF; 2173 break; 2174 case SADB_X_EXT_ADDRESS_NATT_LOC: 2175 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF; 2176 break; 2177 case SADB_X_EXT_ADDRESS_NATT_REM: 2178 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF; 2179 break; 2180 /* There is no default, see above ASSERT. */ 2181 } 2182 bail: 2183 if (pfkey_q != NULL) { 2184 sadb_pfkey_error(pfkey_q, mp, EINVAL, diagnostic, 2185 serial); 2186 } else { 2187 /* 2188 * Scribble in sadb_msg that we got passed in. 2189 * Overload "mp" to be an sadb_msg pointer. 2190 */ 2191 sadb_msg_t *samsg = (sadb_msg_t *)mp; 2192 2193 samsg->sadb_msg_errno = EINVAL; 2194 samsg->sadb_x_msg_diagnostic = diagnostic; 2195 } 2196 return (KS_IN_ADDR_UNKNOWN); 2197 } 2198 2199 if (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC || 2200 ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) { 2201 /* 2202 * We need only check for prefix issues. 2203 */ 2204 2205 /* Set diagnostic now, in case we need it later. */ 2206 diagnostic = 2207 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) ? 2208 SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC : 2209 SADB_X_DIAGNOSTIC_PREFIX_INNER_DST; 2210 2211 if (normalized) 2212 addr->sadb_address_prefixlen -= 96; 2213 2214 /* 2215 * Verify and mask out inner-addresses based on prefix length. 2216 */ 2217 if (sin->sin_family == AF_INET) { 2218 if (addr->sadb_address_prefixlen > 32) 2219 goto bail; 2220 sin->sin_addr.s_addr &= 2221 ip_plen_to_mask(addr->sadb_address_prefixlen); 2222 } else { 2223 in6_addr_t mask; 2224 2225 ASSERT(sin->sin_family == AF_INET6); 2226 /* 2227 * ip_plen_to_mask_v6() returns NULL if the value in 2228 * question is out of range. 2229 */ 2230 if (ip_plen_to_mask_v6(addr->sadb_address_prefixlen, 2231 &mask) == NULL) 2232 goto bail; 2233 sin6->sin6_addr.s6_addr32[0] &= mask.s6_addr32[0]; 2234 sin6->sin6_addr.s6_addr32[1] &= mask.s6_addr32[1]; 2235 sin6->sin6_addr.s6_addr32[2] &= mask.s6_addr32[2]; 2236 sin6->sin6_addr.s6_addr32[3] &= mask.s6_addr32[3]; 2237 } 2238 2239 /* We don't care in these cases. */ 2240 return (KS_IN_ADDR_DONTCARE); 2241 } 2242 2243 if (sin->sin_family == AF_INET6) { 2244 /* Check the easy ones now. */ 2245 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) 2246 return (KS_IN_ADDR_MBCAST); 2247 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) 2248 return (KS_IN_ADDR_UNSPEC); 2249 /* 2250 * At this point, we're a unicast IPv6 address. 2251 * 2252 * A ctable lookup for local is sufficient here. If we're 2253 * local, return KS_IN_ADDR_ME, otherwise KS_IN_ADDR_NOTME. 2254 * 2255 * XXX Zones alert -> me/notme decision needs to be tempered 2256 * by what zone we're in when we go to zone-aware IPsec. 2257 */ 2258 ire = ire_ctable_lookup_v6(&sin6->sin6_addr, NULL, 2259 IRE_LOCAL, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 2260 ns->netstack_ip); 2261 if (ire != NULL) { 2262 /* Hey hey, it's local. */ 2263 IRE_REFRELE(ire); 2264 return (KS_IN_ADDR_ME); 2265 } 2266 } else { 2267 ASSERT(sin->sin_family == AF_INET); 2268 if (sin->sin_addr.s_addr == INADDR_ANY) 2269 return (KS_IN_ADDR_UNSPEC); 2270 if (CLASSD(sin->sin_addr.s_addr)) 2271 return (KS_IN_ADDR_MBCAST); 2272 /* 2273 * At this point we're a unicast or broadcast IPv4 address. 2274 * 2275 * Lookup on the ctable for IRE_BROADCAST or IRE_LOCAL. 2276 * A NULL return value is NOTME, otherwise, look at the 2277 * returned ire for broadcast or not and return accordingly. 2278 * 2279 * XXX Zones alert -> me/notme decision needs to be tempered 2280 * by what zone we're in when we go to zone-aware IPsec. 2281 */ 2282 ire = ire_ctable_lookup(sin->sin_addr.s_addr, 0, 2283 IRE_LOCAL | IRE_BROADCAST, NULL, ALL_ZONES, NULL, 2284 MATCH_IRE_TYPE, ns->netstack_ip); 2285 if (ire != NULL) { 2286 /* Check for local or broadcast */ 2287 type = ire->ire_type; 2288 IRE_REFRELE(ire); 2289 ASSERT(type == IRE_LOCAL || type == IRE_BROADCAST); 2290 return ((type == IRE_LOCAL) ? KS_IN_ADDR_ME : 2291 KS_IN_ADDR_MBCAST); 2292 } 2293 } 2294 2295 return (KS_IN_ADDR_NOTME); 2296 } 2297 2298 /* 2299 * Address normalizations and reality checks for inbound PF_KEY messages. 2300 * 2301 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert 2302 * the source to AF_INET. Do the same for the inner sources. 2303 */ 2304 boolean_t 2305 sadb_addrfix(keysock_in_t *ksi, queue_t *pfkey_q, mblk_t *mp, netstack_t *ns) 2306 { 2307 struct sockaddr_in *src, *isrc; 2308 struct sockaddr_in6 *dst, *idst; 2309 sadb_address_t *srcext, *dstext; 2310 uint16_t sport; 2311 sadb_ext_t **extv = ksi->ks_in_extv; 2312 int rc; 2313 2314 if (extv[SADB_EXT_ADDRESS_SRC] != NULL) { 2315 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_SRC], 2316 ksi->ks_in_serial, ns); 2317 if (rc == KS_IN_ADDR_UNKNOWN) 2318 return (B_FALSE); 2319 if (rc == KS_IN_ADDR_MBCAST) { 2320 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2321 SADB_X_DIAGNOSTIC_BAD_SRC, ksi->ks_in_serial); 2322 return (B_FALSE); 2323 } 2324 ksi->ks_in_srctype = rc; 2325 } 2326 2327 if (extv[SADB_EXT_ADDRESS_DST] != NULL) { 2328 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_DST], 2329 ksi->ks_in_serial, ns); 2330 if (rc == KS_IN_ADDR_UNKNOWN) 2331 return (B_FALSE); 2332 if (rc == KS_IN_ADDR_UNSPEC) { 2333 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2334 SADB_X_DIAGNOSTIC_BAD_DST, ksi->ks_in_serial); 2335 return (B_FALSE); 2336 } 2337 ksi->ks_in_dsttype = rc; 2338 } 2339 2340 /* 2341 * NAT-Traversal addrs are simple enough to not require all of 2342 * the checks in sadb_addrcheck(). Just normalize or reject if not 2343 * AF_INET. 2344 */ 2345 if (extv[SADB_X_EXT_ADDRESS_NATT_LOC] != NULL) { 2346 rc = sadb_addrcheck(pfkey_q, mp, 2347 extv[SADB_X_EXT_ADDRESS_NATT_LOC], ksi->ks_in_serial, ns); 2348 2349 /* 2350 * Local NAT-T addresses never use an IRE_LOCAL, so it should 2351 * always be NOTME, or UNSPEC (to handle both tunnel mode 2352 * AND local-port flexibility). 2353 */ 2354 if (rc != KS_IN_ADDR_NOTME && rc != KS_IN_ADDR_UNSPEC) { 2355 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2356 SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC, 2357 ksi->ks_in_serial); 2358 return (B_FALSE); 2359 } 2360 src = (struct sockaddr_in *) 2361 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_LOC]) + 1); 2362 if (src->sin_family != AF_INET) { 2363 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2364 SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF, 2365 ksi->ks_in_serial); 2366 return (B_FALSE); 2367 } 2368 } 2369 2370 if (extv[SADB_X_EXT_ADDRESS_NATT_REM] != NULL) { 2371 rc = sadb_addrcheck(pfkey_q, mp, 2372 extv[SADB_X_EXT_ADDRESS_NATT_REM], ksi->ks_in_serial, ns); 2373 2374 /* 2375 * Remote NAT-T addresses never use an IRE_LOCAL, so it should 2376 * always be NOTME, or UNSPEC if it's a tunnel-mode SA. 2377 */ 2378 if (rc != KS_IN_ADDR_NOTME && 2379 !(extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL && 2380 rc == KS_IN_ADDR_UNSPEC)) { 2381 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2382 SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM, 2383 ksi->ks_in_serial); 2384 return (B_FALSE); 2385 } 2386 src = (struct sockaddr_in *) 2387 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_REM]) + 1); 2388 if (src->sin_family != AF_INET) { 2389 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2390 SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF, 2391 ksi->ks_in_serial); 2392 return (B_FALSE); 2393 } 2394 } 2395 2396 if (extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL) { 2397 if (extv[SADB_X_EXT_ADDRESS_INNER_DST] == NULL) { 2398 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2399 SADB_X_DIAGNOSTIC_MISSING_INNER_DST, 2400 ksi->ks_in_serial); 2401 return (B_FALSE); 2402 } 2403 2404 if (sadb_addrcheck(pfkey_q, mp, 2405 extv[SADB_X_EXT_ADDRESS_INNER_DST], ksi->ks_in_serial, ns) 2406 == KS_IN_ADDR_UNKNOWN || 2407 sadb_addrcheck(pfkey_q, mp, 2408 extv[SADB_X_EXT_ADDRESS_INNER_SRC], ksi->ks_in_serial, ns) 2409 == KS_IN_ADDR_UNKNOWN) 2410 return (B_FALSE); 2411 2412 isrc = (struct sockaddr_in *) 2413 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC]) + 2414 1); 2415 idst = (struct sockaddr_in6 *) 2416 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]) + 2417 1); 2418 if (isrc->sin_family != idst->sin6_family) { 2419 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2420 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH, 2421 ksi->ks_in_serial); 2422 return (B_FALSE); 2423 } 2424 } else if (extv[SADB_X_EXT_ADDRESS_INNER_DST] != NULL) { 2425 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2426 SADB_X_DIAGNOSTIC_MISSING_INNER_SRC, 2427 ksi->ks_in_serial); 2428 return (B_FALSE); 2429 } else { 2430 isrc = NULL; /* For inner/outer port check below. */ 2431 } 2432 2433 dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST]; 2434 srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC]; 2435 2436 if (dstext == NULL || srcext == NULL) 2437 return (B_TRUE); 2438 2439 dst = (struct sockaddr_in6 *)(dstext + 1); 2440 src = (struct sockaddr_in *)(srcext + 1); 2441 2442 if (isrc != NULL && 2443 (isrc->sin_port != 0 || idst->sin6_port != 0) && 2444 (src->sin_port != 0 || dst->sin6_port != 0)) { 2445 /* Can't set inner and outer ports in one SA. */ 2446 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2447 SADB_X_DIAGNOSTIC_DUAL_PORT_SETS, 2448 ksi->ks_in_serial); 2449 return (B_FALSE); 2450 } 2451 2452 if (dst->sin6_family == src->sin_family) 2453 return (B_TRUE); 2454 2455 if (srcext->sadb_address_proto != dstext->sadb_address_proto) { 2456 if (srcext->sadb_address_proto == 0) { 2457 srcext->sadb_address_proto = dstext->sadb_address_proto; 2458 } else if (dstext->sadb_address_proto == 0) { 2459 dstext->sadb_address_proto = srcext->sadb_address_proto; 2460 } else { 2461 /* Inequal protocols, neither were 0. Report error. */ 2462 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2463 SADB_X_DIAGNOSTIC_PROTO_MISMATCH, 2464 ksi->ks_in_serial); 2465 return (B_FALSE); 2466 } 2467 } 2468 2469 /* 2470 * With the exception of an unspec IPv6 source and an IPv4 2471 * destination, address families MUST me matched. 2472 */ 2473 if (src->sin_family == AF_INET || 2474 ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) { 2475 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2476 SADB_X_DIAGNOSTIC_AF_MISMATCH, ksi->ks_in_serial); 2477 return (B_FALSE); 2478 } 2479 2480 /* 2481 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being 2482 * in the same place for sockaddr_in and sockaddr_in6. 2483 */ 2484 sport = src->sin_port; 2485 bzero(src, sizeof (*src)); 2486 src->sin_family = AF_INET; 2487 src->sin_port = sport; 2488 2489 return (B_TRUE); 2490 } 2491 2492 /* 2493 * Set the results in "addrtype", given an IRE as requested by 2494 * sadb_addrcheck(). 2495 */ 2496 int 2497 sadb_addrset(ire_t *ire) 2498 { 2499 if ((ire->ire_type & IRE_BROADCAST) || 2500 (ire->ire_ipversion == IPV4_VERSION && CLASSD(ire->ire_addr)) || 2501 (ire->ire_ipversion == IPV6_VERSION && 2502 IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6)))) 2503 return (KS_IN_ADDR_MBCAST); 2504 if (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) 2505 return (KS_IN_ADDR_ME); 2506 return (KS_IN_ADDR_NOTME); 2507 } 2508 2509 /* 2510 * Match primitives.. 2511 * !!! TODO: short term: inner selectors 2512 * ipv6 scope id (ifindex) 2513 * longer term: zone id. sensitivity label. uid. 2514 */ 2515 boolean_t 2516 sadb_match_spi(ipsa_query_t *sq, ipsa_t *sa) 2517 { 2518 return (sq->spi == sa->ipsa_spi); 2519 } 2520 2521 boolean_t 2522 sadb_match_dst_v6(ipsa_query_t *sq, ipsa_t *sa) 2523 { 2524 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_dstaddr, sq->dstaddr, AF_INET6)); 2525 } 2526 2527 boolean_t 2528 sadb_match_src_v6(ipsa_query_t *sq, ipsa_t *sa) 2529 { 2530 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_srcaddr, sq->srcaddr, AF_INET6)); 2531 } 2532 2533 boolean_t 2534 sadb_match_dst_v4(ipsa_query_t *sq, ipsa_t *sa) 2535 { 2536 return (sq->dstaddr[0] == sa->ipsa_dstaddr[0]); 2537 } 2538 2539 boolean_t 2540 sadb_match_src_v4(ipsa_query_t *sq, ipsa_t *sa) 2541 { 2542 return (sq->srcaddr[0] == sa->ipsa_srcaddr[0]); 2543 } 2544 2545 boolean_t 2546 sadb_match_dstid(ipsa_query_t *sq, ipsa_t *sa) 2547 { 2548 return ((sa->ipsa_dst_cid != NULL) && 2549 (sq->didtype == sa->ipsa_dst_cid->ipsid_type) && 2550 (strcmp(sq->didstr, sa->ipsa_dst_cid->ipsid_cid) == 0)); 2551 2552 } 2553 boolean_t 2554 sadb_match_srcid(ipsa_query_t *sq, ipsa_t *sa) 2555 { 2556 return ((sa->ipsa_src_cid != NULL) && 2557 (sq->sidtype == sa->ipsa_src_cid->ipsid_type) && 2558 (strcmp(sq->sidstr, sa->ipsa_src_cid->ipsid_cid) == 0)); 2559 } 2560 2561 boolean_t 2562 sadb_match_kmc(ipsa_query_t *sq, ipsa_t *sa) 2563 { 2564 #define M(a, b) (((a) == 0) || ((b) == 0) || ((a) == (b))) 2565 2566 return (M(sq->kmc, sa->ipsa_kmc) && M(sq->kmp, sa->ipsa_kmp)); 2567 2568 #undef M 2569 } 2570 2571 /* 2572 * Common function which extracts several PF_KEY extensions for ease of 2573 * SADB matching. 2574 * 2575 * XXX TODO: weed out ipsa_query_t fields not used during matching 2576 * or afterwards? 2577 */ 2578 int 2579 sadb_form_query(keysock_in_t *ksi, uint32_t req, uint32_t match, 2580 ipsa_query_t *sq, int *diagnostic) 2581 { 2582 int i; 2583 ipsa_match_fn_t *mfpp = &(sq->matchers[0]); 2584 2585 for (i = 0; i < IPSA_NMATCH; i++) 2586 sq->matchers[i] = NULL; 2587 2588 ASSERT((req & ~match) == 0); 2589 2590 sq->req = req; 2591 sq->dstext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2592 sq->srcext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2593 sq->assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2594 2595 if ((req & IPSA_Q_DST) && (sq->dstext == NULL)) { 2596 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 2597 return (EINVAL); 2598 } 2599 if ((req & IPSA_Q_SRC) && (sq->srcext == NULL)) { 2600 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 2601 return (EINVAL); 2602 } 2603 if ((req & IPSA_Q_SA) && (sq->assoc == NULL)) { 2604 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 2605 return (EINVAL); 2606 } 2607 2608 if (match & IPSA_Q_SA) { 2609 *mfpp++ = sadb_match_spi; 2610 sq->spi = sq->assoc->sadb_sa_spi; 2611 } 2612 2613 if (sq->dstext != NULL) 2614 sq->dst = (struct sockaddr_in *)(sq->dstext + 1); 2615 else { 2616 sq->dst = NULL; 2617 sq->dst6 = NULL; 2618 sq->dstaddr = NULL; 2619 } 2620 2621 if (sq->srcext != NULL) 2622 sq->src = (struct sockaddr_in *)(sq->srcext + 1); 2623 else { 2624 sq->src = NULL; 2625 sq->src6 = NULL; 2626 sq->srcaddr = NULL; 2627 } 2628 2629 if (sq->dst != NULL) 2630 sq->af = sq->dst->sin_family; 2631 else if (sq->src != NULL) 2632 sq->af = sq->src->sin_family; 2633 else 2634 sq->af = AF_INET; 2635 2636 if (sq->af == AF_INET6) { 2637 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) { 2638 *mfpp++ = sadb_match_dst_v6; 2639 sq->dst6 = (struct sockaddr_in6 *)sq->dst; 2640 sq->dstaddr = (uint32_t *)&(sq->dst6->sin6_addr); 2641 } else { 2642 match &= ~IPSA_Q_DST; 2643 sq->dstaddr = ALL_ZEROES_PTR; 2644 } 2645 2646 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) { 2647 sq->src6 = (struct sockaddr_in6 *)(sq->srcext + 1); 2648 sq->srcaddr = (uint32_t *)&sq->src6->sin6_addr; 2649 if (sq->src6->sin6_family != AF_INET6) { 2650 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2651 return (EINVAL); 2652 } 2653 *mfpp++ = sadb_match_src_v6; 2654 } else { 2655 match &= ~IPSA_Q_SRC; 2656 sq->srcaddr = ALL_ZEROES_PTR; 2657 } 2658 } else { 2659 sq->src6 = sq->dst6 = NULL; 2660 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) { 2661 *mfpp++ = sadb_match_dst_v4; 2662 sq->dstaddr = (uint32_t *)&sq->dst->sin_addr; 2663 } else { 2664 match &= ~IPSA_Q_DST; 2665 sq->dstaddr = ALL_ZEROES_PTR; 2666 } 2667 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) { 2668 sq->srcaddr = (uint32_t *)&sq->src->sin_addr; 2669 if (sq->src->sin_family != AF_INET) { 2670 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2671 return (EINVAL); 2672 } 2673 *mfpp++ = sadb_match_src_v4; 2674 } else { 2675 match &= ~IPSA_Q_SRC; 2676 sq->srcaddr = ALL_ZEROES_PTR; 2677 } 2678 } 2679 2680 sq->dstid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 2681 if ((match & IPSA_Q_DSTID) && (sq->dstid != NULL)) { 2682 sq->didstr = (char *)(sq->dstid + 1); 2683 sq->didtype = sq->dstid->sadb_ident_type; 2684 *mfpp++ = sadb_match_dstid; 2685 } 2686 2687 sq->srcid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 2688 2689 if ((match & IPSA_Q_SRCID) && (sq->srcid != NULL)) { 2690 sq->sidstr = (char *)(sq->srcid + 1); 2691 sq->sidtype = sq->srcid->sadb_ident_type; 2692 *mfpp++ = sadb_match_srcid; 2693 } 2694 2695 sq->kmcext = (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 2696 sq->kmc = 0; 2697 sq->kmp = 0; 2698 2699 if ((match & IPSA_Q_KMC) && (sq->kmcext)) { 2700 sq->kmc = sq->kmcext->sadb_x_kmc_cookie; 2701 sq->kmp = sq->kmcext->sadb_x_kmc_proto; 2702 *mfpp++ = sadb_match_kmc; 2703 } 2704 2705 if (match & (IPSA_Q_INBOUND|IPSA_Q_OUTBOUND)) { 2706 if (sq->af == AF_INET6) 2707 sq->sp = &sq->spp->s_v6; 2708 else 2709 sq->sp = &sq->spp->s_v4; 2710 } else { 2711 sq->sp = NULL; 2712 } 2713 2714 if (match & IPSA_Q_INBOUND) { 2715 sq->inhash = INBOUND_HASH(sq->sp, sq->assoc->sadb_sa_spi); 2716 sq->inbound = &sq->sp->sdb_if[sq->inhash]; 2717 } else { 2718 sq->inhash = 0; 2719 sq->inbound = NULL; 2720 } 2721 2722 if (match & IPSA_Q_OUTBOUND) { 2723 if (sq->af == AF_INET6) { 2724 sq->outhash = OUTBOUND_HASH_V6(sq->sp, *(sq->dstaddr)); 2725 } else { 2726 sq->outhash = OUTBOUND_HASH_V4(sq->sp, *(sq->dstaddr)); 2727 } 2728 sq->outbound = &sq->sp->sdb_of[sq->outhash]; 2729 } else { 2730 sq->outhash = 0; 2731 sq->outbound = NULL; 2732 } 2733 sq->match = match; 2734 return (0); 2735 } 2736 2737 /* 2738 * Match an initialized query structure with a security association; 2739 * return B_TRUE on a match, B_FALSE on a miss. 2740 * Applies match functions set up by sadb_form_query() until one returns false. 2741 */ 2742 boolean_t 2743 sadb_match_query(ipsa_query_t *sq, ipsa_t *sa) 2744 { 2745 ipsa_match_fn_t *mfpp = &(sq->matchers[0]); 2746 ipsa_match_fn_t mfp; 2747 2748 for (mfp = *mfpp++; mfp != NULL; mfp = *mfpp++) { 2749 if (!mfp(sq, sa)) 2750 return (B_FALSE); 2751 } 2752 return (B_TRUE); 2753 } 2754 2755 /* 2756 * Walker callback function to delete sa's based on src/dst address. 2757 * Assumes that we're called with *head locked, no other locks held; 2758 * Conveniently, and not coincidentally, this is both what sadb_walker 2759 * gives us and also what sadb_unlinkassoc expects. 2760 */ 2761 struct sadb_purge_state 2762 { 2763 ipsa_query_t sq; 2764 boolean_t inbnd; 2765 uint8_t sadb_sa_state; 2766 mblk_t *mq; 2767 }; 2768 2769 static void 2770 sadb_purge_cb(isaf_t *head, ipsa_t *entry, void *cookie) 2771 { 2772 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2773 2774 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2775 2776 mutex_enter(&entry->ipsa_lock); 2777 2778 if (entry->ipsa_state == IPSA_STATE_LARVAL || 2779 !sadb_match_query(&ps->sq, entry)) { 2780 mutex_exit(&entry->ipsa_lock); 2781 return; 2782 } 2783 2784 if (ps->inbnd) { 2785 sadb_delete_cluster(entry); 2786 } 2787 entry->ipsa_state = IPSA_STATE_DEAD; 2788 (void) sadb_torch_assoc(head, entry, ps->inbnd, &ps->mq); 2789 } 2790 2791 /* 2792 * Common code to purge an SA with a matching src or dst address. 2793 * Don't kill larval SA's in such a purge. 2794 */ 2795 int 2796 sadb_purge_sa(mblk_t *mp, keysock_in_t *ksi, sadb_t *sp, 2797 int *diagnostic, queue_t *pfkey_q, queue_t *ip_q) 2798 { 2799 struct sadb_purge_state ps; 2800 int error = sadb_form_query(ksi, 0, 2801 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC, 2802 &ps.sq, diagnostic); 2803 2804 ps.mq = NULL; 2805 2806 if (error != 0) 2807 return (error); 2808 2809 /* 2810 * This is simple, crude, and effective. 2811 * Unimplemented optimizations (TBD): 2812 * - we can limit how many places we search based on where we 2813 * think the SA is filed. 2814 * - if we get a dst address, we can hash based on dst addr to find 2815 * the correct bucket in the outbound table. 2816 */ 2817 ps.inbnd = B_TRUE; 2818 sadb_walker(sp->sdb_if, sp->sdb_hashsize, sadb_purge_cb, &ps); 2819 ps.inbnd = B_FALSE; 2820 sadb_walker(sp->sdb_of, sp->sdb_hashsize, sadb_purge_cb, &ps); 2821 2822 if (ps.mq != NULL) 2823 sadb_drain_torchq(ip_q, ps.mq); 2824 2825 ASSERT(mp->b_cont != NULL); 2826 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi, 2827 NULL); 2828 return (0); 2829 } 2830 2831 static void 2832 sadb_delpair_state_one(isaf_t *head, ipsa_t *entry, void *cookie) 2833 { 2834 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2835 isaf_t *inbound_bucket; 2836 ipsa_t *peer_assoc; 2837 ipsa_query_t *sq = &ps->sq; 2838 2839 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2840 2841 mutex_enter(&entry->ipsa_lock); 2842 2843 if ((entry->ipsa_state != ps->sadb_sa_state) || 2844 ((sq->srcaddr != NULL) && 2845 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, sq->srcaddr, sq->af))) { 2846 mutex_exit(&entry->ipsa_lock); 2847 return; 2848 } 2849 2850 /* 2851 * The isaf_t *, which is passed in , is always an outbound bucket, 2852 * and we are preserving the outbound-then-inbound hash-bucket lock 2853 * ordering. The sadb_walker() which triggers this function is called 2854 * only on the outbound fanout, and the corresponding inbound bucket 2855 * lock is safe to acquire here. 2856 */ 2857 2858 if (entry->ipsa_haspeer) { 2859 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_spi); 2860 mutex_enter(&inbound_bucket->isaf_lock); 2861 peer_assoc = ipsec_getassocbyspi(inbound_bucket, 2862 entry->ipsa_spi, entry->ipsa_srcaddr, 2863 entry->ipsa_dstaddr, entry->ipsa_addrfam); 2864 } else { 2865 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_otherspi); 2866 mutex_enter(&inbound_bucket->isaf_lock); 2867 peer_assoc = ipsec_getassocbyspi(inbound_bucket, 2868 entry->ipsa_otherspi, entry->ipsa_dstaddr, 2869 entry->ipsa_srcaddr, entry->ipsa_addrfam); 2870 } 2871 2872 entry->ipsa_state = IPSA_STATE_DEAD; 2873 (void) sadb_torch_assoc(head, entry, B_FALSE, &ps->mq); 2874 if (peer_assoc != NULL) { 2875 mutex_enter(&peer_assoc->ipsa_lock); 2876 peer_assoc->ipsa_state = IPSA_STATE_DEAD; 2877 (void) sadb_torch_assoc(inbound_bucket, peer_assoc, 2878 B_FALSE, &ps->mq); 2879 } 2880 mutex_exit(&inbound_bucket->isaf_lock); 2881 } 2882 2883 static int 2884 sadb_delpair_state(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp, 2885 int *diagnostic, queue_t *pfkey_q) 2886 { 2887 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2888 struct sadb_purge_state ps; 2889 int error; 2890 2891 ps.sq.spp = spp; /* XXX param */ 2892 ps.mq = NULL; 2893 2894 error = sadb_form_query(ksi, IPSA_Q_DST|IPSA_Q_SRC, 2895 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC, 2896 &ps.sq, diagnostic); 2897 if (error != 0) 2898 return (error); 2899 2900 ps.inbnd = B_FALSE; 2901 ps.sadb_sa_state = assoc->sadb_sa_state; 2902 sadb_walker(ps.sq.sp->sdb_of, ps.sq.sp->sdb_hashsize, 2903 sadb_delpair_state_one, &ps); 2904 2905 if (ps.mq != NULL) 2906 sadb_drain_torchq(pfkey_q, ps.mq); 2907 2908 ASSERT(mp->b_cont != NULL); 2909 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 2910 ksi, NULL); 2911 return (0); 2912 } 2913 2914 /* 2915 * Common code to delete/get an SA. 2916 */ 2917 int 2918 sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp, 2919 int *diagnostic, queue_t *pfkey_q, uint8_t sadb_msg_type) 2920 { 2921 ipsa_query_t sq; 2922 ipsa_t *echo_target = NULL; 2923 ipsap_t ipsapp; 2924 mblk_t *torchq = NULL; 2925 uint_t error = 0; 2926 2927 if (sadb_msg_type == SADB_X_DELPAIR_STATE) 2928 return (sadb_delpair_state(mp, ksi, spp, diagnostic, pfkey_q)); 2929 2930 sq.spp = spp; /* XXX param */ 2931 error = sadb_form_query(ksi, IPSA_Q_DST|IPSA_Q_SA, 2932 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, 2933 &sq, diagnostic); 2934 if (error != 0) 2935 return (error); 2936 2937 error = get_ipsa_pair(&sq, &ipsapp, diagnostic); 2938 if (error != 0) { 2939 return (error); 2940 } 2941 2942 echo_target = ipsapp.ipsap_sa_ptr; 2943 if (echo_target == NULL) 2944 echo_target = ipsapp.ipsap_psa_ptr; 2945 2946 if (sadb_msg_type == SADB_DELETE || sadb_msg_type == SADB_X_DELPAIR) { 2947 /* 2948 * Bucket locks will be required if SA is actually unlinked. 2949 * get_ipsa_pair() returns valid hash bucket pointers even 2950 * if it can't find a pair SA pointer. To prevent a potential 2951 * deadlock, always lock the outbound bucket before the inbound. 2952 */ 2953 if (ipsapp.in_inbound_table) { 2954 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock); 2955 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock); 2956 } else { 2957 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock); 2958 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock); 2959 } 2960 2961 if (ipsapp.ipsap_sa_ptr != NULL) { 2962 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock); 2963 if (ipsapp.ipsap_sa_ptr->ipsa_flags & IPSA_F_INBOUND) { 2964 sadb_delete_cluster(ipsapp.ipsap_sa_ptr); 2965 } 2966 ipsapp.ipsap_sa_ptr->ipsa_state = IPSA_STATE_DEAD; 2967 (void) sadb_torch_assoc(ipsapp.ipsap_bucket, 2968 ipsapp.ipsap_sa_ptr, B_FALSE, &torchq); 2969 /* 2970 * sadb_torch_assoc() releases the ipsa_lock 2971 * and calls sadb_unlinkassoc() which does a 2972 * IPSA_REFRELE. 2973 */ 2974 } 2975 if (ipsapp.ipsap_psa_ptr != NULL) { 2976 mutex_enter(&ipsapp.ipsap_psa_ptr->ipsa_lock); 2977 if (sadb_msg_type == SADB_X_DELPAIR || 2978 ipsapp.ipsap_psa_ptr->ipsa_haspeer) { 2979 if (ipsapp.ipsap_psa_ptr->ipsa_flags & 2980 IPSA_F_INBOUND) { 2981 sadb_delete_cluster 2982 (ipsapp.ipsap_psa_ptr); 2983 } 2984 ipsapp.ipsap_psa_ptr->ipsa_state = 2985 IPSA_STATE_DEAD; 2986 (void) sadb_torch_assoc(ipsapp.ipsap_pbucket, 2987 ipsapp.ipsap_psa_ptr, B_FALSE, &torchq); 2988 } else { 2989 /* 2990 * Only half of the "pair" has been deleted. 2991 * Update the remaining SA and remove references 2992 * to its pair SA, which is now gone. 2993 */ 2994 ipsapp.ipsap_psa_ptr->ipsa_otherspi = 0; 2995 ipsapp.ipsap_psa_ptr->ipsa_flags &= 2996 ~IPSA_F_PAIRED; 2997 mutex_exit(&ipsapp.ipsap_psa_ptr->ipsa_lock); 2998 } 2999 } else if (sadb_msg_type == SADB_X_DELPAIR) { 3000 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 3001 error = ESRCH; 3002 } 3003 mutex_exit(&ipsapp.ipsap_bucket->isaf_lock); 3004 mutex_exit(&ipsapp.ipsap_pbucket->isaf_lock); 3005 } 3006 3007 if (torchq != NULL) 3008 sadb_drain_torchq(spp->s_ip_q, torchq); 3009 3010 ASSERT(mp->b_cont != NULL); 3011 3012 if (error == 0) 3013 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *) 3014 mp->b_cont->b_rptr, ksi, echo_target); 3015 3016 destroy_ipsa_pair(&ipsapp); 3017 3018 return (error); 3019 } 3020 3021 /* 3022 * This function takes a sadb_sa_t and finds the ipsa_t structure 3023 * and the isaf_t (hash bucket) that its stored under. If the security 3024 * association has a peer, the ipsa_t structure and bucket for that security 3025 * association are also searched for. The "pair" of ipsa_t's and isaf_t's 3026 * are returned as a ipsap_t. 3027 * 3028 * The hash buckets are returned for convenience, if the calling function 3029 * needs to use the hash bucket locks, say to remove the SA's, it should 3030 * take care to observe the convention of locking outbound bucket then 3031 * inbound bucket. The flag in_inbound_table provides direction. 3032 * 3033 * Note that a "pair" is defined as one (but not both) of the following: 3034 * 3035 * A security association which has a soft reference to another security 3036 * association via its SPI. 3037 * 3038 * A security association that is not obviously "inbound" or "outbound" so 3039 * it appears in both hash tables, the "peer" being the same security 3040 * association in the other hash table. 3041 * 3042 * This function will return NULL if the ipsa_t can't be found in the 3043 * inbound or outbound hash tables (not found). If only one ipsa_t is 3044 * found, the pair ipsa_t will be NULL. Both isaf_t values are valid 3045 * provided at least one ipsa_t is found. 3046 */ 3047 static int 3048 get_ipsa_pair(ipsa_query_t *sq, ipsap_t *ipsapp, int *diagnostic) 3049 { 3050 uint32_t pair_srcaddr[IPSA_MAX_ADDRLEN]; 3051 uint32_t pair_dstaddr[IPSA_MAX_ADDRLEN]; 3052 uint32_t pair_spi; 3053 3054 init_ipsa_pair(ipsapp); 3055 3056 ipsapp->in_inbound_table = B_FALSE; 3057 3058 /* Lock down both buckets. */ 3059 mutex_enter(&sq->outbound->isaf_lock); 3060 mutex_enter(&sq->inbound->isaf_lock); 3061 3062 if (sq->assoc->sadb_sa_flags & IPSA_F_INBOUND) { 3063 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound, 3064 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af); 3065 if (ipsapp->ipsap_sa_ptr != NULL) { 3066 ipsapp->ipsap_bucket = sq->inbound; 3067 ipsapp->ipsap_pbucket = sq->outbound; 3068 ipsapp->in_inbound_table = B_TRUE; 3069 } else { 3070 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->outbound, 3071 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, 3072 sq->af); 3073 ipsapp->ipsap_bucket = sq->outbound; 3074 ipsapp->ipsap_pbucket = sq->inbound; 3075 } 3076 } else { 3077 /* IPSA_F_OUTBOUND is set *or* no directions flags set. */ 3078 ipsapp->ipsap_sa_ptr = 3079 ipsec_getassocbyspi(sq->outbound, 3080 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af); 3081 if (ipsapp->ipsap_sa_ptr != NULL) { 3082 ipsapp->ipsap_bucket = sq->outbound; 3083 ipsapp->ipsap_pbucket = sq->inbound; 3084 } else { 3085 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound, 3086 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, 3087 sq->af); 3088 ipsapp->ipsap_bucket = sq->inbound; 3089 ipsapp->ipsap_pbucket = sq->outbound; 3090 if (ipsapp->ipsap_sa_ptr != NULL) 3091 ipsapp->in_inbound_table = B_TRUE; 3092 } 3093 } 3094 3095 if (ipsapp->ipsap_sa_ptr == NULL) { 3096 mutex_exit(&sq->outbound->isaf_lock); 3097 mutex_exit(&sq->inbound->isaf_lock); 3098 *diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND; 3099 return (ESRCH); 3100 } 3101 3102 if ((ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) && 3103 ipsapp->in_inbound_table) { 3104 mutex_exit(&sq->outbound->isaf_lock); 3105 mutex_exit(&sq->inbound->isaf_lock); 3106 return (0); 3107 } 3108 3109 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 3110 if (ipsapp->ipsap_sa_ptr->ipsa_haspeer) { 3111 /* 3112 * haspeer implies no sa_pairing, look for same spi 3113 * in other hashtable. 3114 */ 3115 ipsapp->ipsap_psa_ptr = 3116 ipsec_getassocbyspi(ipsapp->ipsap_pbucket, 3117 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af); 3118 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 3119 mutex_exit(&sq->outbound->isaf_lock); 3120 mutex_exit(&sq->inbound->isaf_lock); 3121 return (0); 3122 } 3123 pair_spi = ipsapp->ipsap_sa_ptr->ipsa_otherspi; 3124 IPSA_COPY_ADDR(&pair_srcaddr, 3125 ipsapp->ipsap_sa_ptr->ipsa_srcaddr, sq->af); 3126 IPSA_COPY_ADDR(&pair_dstaddr, 3127 ipsapp->ipsap_sa_ptr->ipsa_dstaddr, sq->af); 3128 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 3129 mutex_exit(&sq->inbound->isaf_lock); 3130 mutex_exit(&sq->outbound->isaf_lock); 3131 3132 if (pair_spi == 0) { 3133 ASSERT(ipsapp->ipsap_bucket != NULL); 3134 ASSERT(ipsapp->ipsap_pbucket != NULL); 3135 return (0); 3136 } 3137 3138 /* found sa in outbound sadb, peer should be inbound */ 3139 3140 if (ipsapp->in_inbound_table) { 3141 /* Found SA in inbound table, pair will be in outbound. */ 3142 if (sq->af == AF_INET6) { 3143 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V6(sq->sp, 3144 *(uint32_t *)pair_srcaddr); 3145 } else { 3146 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V4(sq->sp, 3147 *(uint32_t *)pair_srcaddr); 3148 } 3149 } else { 3150 ipsapp->ipsap_pbucket = INBOUND_BUCKET(sq->sp, pair_spi); 3151 } 3152 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock); 3153 ipsapp->ipsap_psa_ptr = ipsec_getassocbyspi(ipsapp->ipsap_pbucket, 3154 pair_spi, pair_dstaddr, pair_srcaddr, sq->af); 3155 mutex_exit(&ipsapp->ipsap_pbucket->isaf_lock); 3156 ASSERT(ipsapp->ipsap_bucket != NULL); 3157 ASSERT(ipsapp->ipsap_pbucket != NULL); 3158 return (0); 3159 } 3160 3161 /* 3162 * Perform NAT-traversal cached checksum offset calculations here. 3163 */ 3164 static void 3165 sadb_nat_calculations(ipsa_t *newbie, sadb_address_t *natt_loc_ext, 3166 sadb_address_t *natt_rem_ext, uint32_t *src_addr_ptr, 3167 uint32_t *dst_addr_ptr) 3168 { 3169 struct sockaddr_in *natt_loc, *natt_rem; 3170 uint32_t *natt_loc_ptr = NULL, *natt_rem_ptr = NULL; 3171 uint32_t running_sum = 0; 3172 3173 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16) 3174 3175 if (natt_rem_ext != NULL) { 3176 uint32_t l_src; 3177 uint32_t l_rem; 3178 3179 natt_rem = (struct sockaddr_in *)(natt_rem_ext + 1); 3180 3181 /* Ensured by sadb_addrfix(). */ 3182 ASSERT(natt_rem->sin_family == AF_INET); 3183 3184 natt_rem_ptr = (uint32_t *)(&natt_rem->sin_addr); 3185 newbie->ipsa_remote_nat_port = natt_rem->sin_port; 3186 l_src = *src_addr_ptr; 3187 l_rem = *natt_rem_ptr; 3188 3189 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */ 3190 newbie->ipsa_natt_addr_rem = *natt_rem_ptr; 3191 3192 l_src = ntohl(l_src); 3193 DOWN_SUM(l_src); 3194 DOWN_SUM(l_src); 3195 l_rem = ntohl(l_rem); 3196 DOWN_SUM(l_rem); 3197 DOWN_SUM(l_rem); 3198 3199 /* 3200 * We're 1's complement for checksums, so check for wraparound 3201 * here. 3202 */ 3203 if (l_rem > l_src) 3204 l_src--; 3205 3206 running_sum += l_src - l_rem; 3207 3208 DOWN_SUM(running_sum); 3209 DOWN_SUM(running_sum); 3210 } 3211 3212 if (natt_loc_ext != NULL) { 3213 natt_loc = (struct sockaddr_in *)(natt_loc_ext + 1); 3214 3215 /* Ensured by sadb_addrfix(). */ 3216 ASSERT(natt_loc->sin_family == AF_INET); 3217 3218 natt_loc_ptr = (uint32_t *)(&natt_loc->sin_addr); 3219 newbie->ipsa_local_nat_port = natt_loc->sin_port; 3220 3221 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */ 3222 newbie->ipsa_natt_addr_loc = *natt_loc_ptr; 3223 3224 /* 3225 * NAT-T port agility means we may have natt_loc_ext, but 3226 * only for a local-port change. 3227 */ 3228 if (natt_loc->sin_addr.s_addr != INADDR_ANY) { 3229 uint32_t l_dst = ntohl(*dst_addr_ptr); 3230 uint32_t l_loc = ntohl(*natt_loc_ptr); 3231 3232 DOWN_SUM(l_loc); 3233 DOWN_SUM(l_loc); 3234 DOWN_SUM(l_dst); 3235 DOWN_SUM(l_dst); 3236 3237 /* 3238 * We're 1's complement for checksums, so check for 3239 * wraparound here. 3240 */ 3241 if (l_loc > l_dst) 3242 l_dst--; 3243 3244 running_sum += l_dst - l_loc; 3245 DOWN_SUM(running_sum); 3246 DOWN_SUM(running_sum); 3247 } 3248 } 3249 3250 newbie->ipsa_inbound_cksum = running_sum; 3251 #undef DOWN_SUM 3252 } 3253 3254 /* 3255 * This function is called from consumers that need to insert a fully-grown 3256 * security association into its tables. This function takes into account that 3257 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary" 3258 * hash bucket parameters are set in order of what the SA will be most of the 3259 * time. (For example, an SA with an unspecified source, and a multicast 3260 * destination will primarily be an outbound SA. OTOH, if that destination 3261 * is unicast for this node, then the SA will primarily be inbound.) 3262 * 3263 * It takes a lot of parameters because even if clone is B_FALSE, this needs 3264 * to check both buckets for purposes of collision. 3265 * 3266 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for 3267 * various error conditions. We may need to set samsg->sadb_x_msg_diagnostic 3268 * with additional diagnostic information because there is at least one EINVAL 3269 * case here. 3270 */ 3271 int 3272 sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 3273 keysock_in_t *ksi, isaf_t *primary, isaf_t *secondary, 3274 ipsa_t *newbie, boolean_t clone, boolean_t is_inbound, int *diagnostic, 3275 netstack_t *ns, sadbp_t *spp) 3276 { 3277 ipsa_t *newbie_clone = NULL, *scratch; 3278 ipsap_t ipsapp; 3279 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 3280 sadb_address_t *srcext = 3281 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 3282 sadb_address_t *dstext = 3283 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 3284 sadb_address_t *isrcext = 3285 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC]; 3286 sadb_address_t *idstext = 3287 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_DST]; 3288 sadb_x_kmc_t *kmcext = 3289 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 3290 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 3291 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 3292 sadb_sens_t *sens = 3293 (sadb_sens_t *)ksi->ks_in_extv[SADB_EXT_SENSITIVITY]; 3294 sadb_sens_t *osens = 3295 (sadb_sens_t *)ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS]; 3296 sadb_x_pair_t *pair_ext = 3297 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 3298 sadb_x_replay_ctr_t *replayext = 3299 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE]; 3300 uint8_t protocol = 3301 (samsg->sadb_msg_satype == SADB_SATYPE_AH) ? IPPROTO_AH:IPPROTO_ESP; 3302 int salt_offset; 3303 uint8_t *buf_ptr; 3304 struct sockaddr_in *src, *dst, *isrc, *idst; 3305 struct sockaddr_in6 *src6, *dst6, *isrc6, *idst6; 3306 sadb_lifetime_t *soft = 3307 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 3308 sadb_lifetime_t *hard = 3309 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 3310 sadb_lifetime_t *idle = 3311 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE]; 3312 sa_family_t af; 3313 int error = 0; 3314 boolean_t isupdate = (newbie != NULL); 3315 uint32_t *src_addr_ptr, *dst_addr_ptr, *isrc_addr_ptr, *idst_addr_ptr; 3316 mblk_t *ctl_mp = NULL; 3317 ipsec_stack_t *ipss = ns->netstack_ipsec; 3318 ip_stack_t *ipst = ns->netstack_ip; 3319 ipsec_alginfo_t *alg; 3320 int rcode; 3321 3322 init_ipsa_pair(&ipsapp); 3323 3324 if (srcext == NULL) { 3325 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 3326 return (EINVAL); 3327 } 3328 if (dstext == NULL) { 3329 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 3330 return (EINVAL); 3331 } 3332 if (assoc == NULL) { 3333 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 3334 return (EINVAL); 3335 } 3336 3337 src = (struct sockaddr_in *)(srcext + 1); 3338 src6 = (struct sockaddr_in6 *)(srcext + 1); 3339 dst = (struct sockaddr_in *)(dstext + 1); 3340 dst6 = (struct sockaddr_in6 *)(dstext + 1); 3341 if (isrcext != NULL) { 3342 isrc = (struct sockaddr_in *)(isrcext + 1); 3343 isrc6 = (struct sockaddr_in6 *)(isrcext + 1); 3344 ASSERT(idstext != NULL); 3345 idst = (struct sockaddr_in *)(idstext + 1); 3346 idst6 = (struct sockaddr_in6 *)(idstext + 1); 3347 } else { 3348 isrc = NULL; 3349 isrc6 = NULL; 3350 } 3351 3352 af = src->sin_family; 3353 3354 if (af == AF_INET) { 3355 src_addr_ptr = (uint32_t *)&src->sin_addr; 3356 dst_addr_ptr = (uint32_t *)&dst->sin_addr; 3357 } else { 3358 ASSERT(af == AF_INET6); 3359 src_addr_ptr = (uint32_t *)&src6->sin6_addr; 3360 dst_addr_ptr = (uint32_t *)&dst6->sin6_addr; 3361 } 3362 3363 if (!isupdate && (clone == B_TRUE || is_inbound == B_TRUE) && 3364 cl_inet_checkspi && 3365 (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) { 3366 rcode = cl_inet_checkspi(ns->netstack_stackid, protocol, 3367 assoc->sadb_sa_spi, NULL); 3368 if (rcode == -1) { 3369 return (EEXIST); 3370 } 3371 } 3372 3373 /* 3374 * Check to see if the new SA will be cloned AND paired. The 3375 * reason a SA will be cloned is the source or destination addresses 3376 * are not specific enough to determine if the SA goes in the outbound 3377 * or the inbound hash table, so its cloned and put in both. If 3378 * the SA is paired, it's soft linked to another SA for the other 3379 * direction. Keeping track and looking up SA's that are direction 3380 * unspecific and linked is too hard. 3381 */ 3382 if (clone && (pair_ext != NULL)) { 3383 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 3384 return (EINVAL); 3385 } 3386 3387 if (!isupdate) { 3388 newbie = sadb_makelarvalassoc(assoc->sadb_sa_spi, 3389 src_addr_ptr, dst_addr_ptr, af, ns); 3390 if (newbie == NULL) 3391 return (ENOMEM); 3392 } 3393 3394 mutex_enter(&newbie->ipsa_lock); 3395 3396 if (isrc != NULL) { 3397 if (isrc->sin_family == AF_INET) { 3398 if (srcext->sadb_address_proto != IPPROTO_ENCAP) { 3399 if (srcext->sadb_address_proto != 0) { 3400 /* 3401 * Mismatched outer-packet protocol 3402 * and inner-packet address family. 3403 */ 3404 mutex_exit(&newbie->ipsa_lock); 3405 error = EPROTOTYPE; 3406 *diagnostic = 3407 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 3408 goto error; 3409 } else { 3410 /* Fill in with explicit protocol. */ 3411 srcext->sadb_address_proto = 3412 IPPROTO_ENCAP; 3413 dstext->sadb_address_proto = 3414 IPPROTO_ENCAP; 3415 } 3416 } 3417 isrc_addr_ptr = (uint32_t *)&isrc->sin_addr; 3418 idst_addr_ptr = (uint32_t *)&idst->sin_addr; 3419 } else { 3420 ASSERT(isrc->sin_family == AF_INET6); 3421 if (srcext->sadb_address_proto != IPPROTO_IPV6) { 3422 if (srcext->sadb_address_proto != 0) { 3423 /* 3424 * Mismatched outer-packet protocol 3425 * and inner-packet address family. 3426 */ 3427 mutex_exit(&newbie->ipsa_lock); 3428 error = EPROTOTYPE; 3429 *diagnostic = 3430 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 3431 goto error; 3432 } else { 3433 /* Fill in with explicit protocol. */ 3434 srcext->sadb_address_proto = 3435 IPPROTO_IPV6; 3436 dstext->sadb_address_proto = 3437 IPPROTO_IPV6; 3438 } 3439 } 3440 isrc_addr_ptr = (uint32_t *)&isrc6->sin6_addr; 3441 idst_addr_ptr = (uint32_t *)&idst6->sin6_addr; 3442 } 3443 newbie->ipsa_innerfam = isrc->sin_family; 3444 3445 IPSA_COPY_ADDR(newbie->ipsa_innersrc, isrc_addr_ptr, 3446 newbie->ipsa_innerfam); 3447 IPSA_COPY_ADDR(newbie->ipsa_innerdst, idst_addr_ptr, 3448 newbie->ipsa_innerfam); 3449 newbie->ipsa_innersrcpfx = isrcext->sadb_address_prefixlen; 3450 newbie->ipsa_innerdstpfx = idstext->sadb_address_prefixlen; 3451 3452 /* Unique value uses inner-ports for Tunnel Mode... */ 3453 newbie->ipsa_unique_id = SA_UNIQUE_ID(isrc->sin_port, 3454 idst->sin_port, dstext->sadb_address_proto, 3455 idstext->sadb_address_proto); 3456 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(isrc->sin_port, 3457 idst->sin_port, dstext->sadb_address_proto, 3458 idstext->sadb_address_proto); 3459 } else { 3460 /* ... and outer-ports for Transport Mode. */ 3461 newbie->ipsa_unique_id = SA_UNIQUE_ID(src->sin_port, 3462 dst->sin_port, dstext->sadb_address_proto, 0); 3463 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(src->sin_port, 3464 dst->sin_port, dstext->sadb_address_proto, 0); 3465 } 3466 if (newbie->ipsa_unique_mask != (uint64_t)0) 3467 newbie->ipsa_flags |= IPSA_F_UNIQUE; 3468 3469 sadb_nat_calculations(newbie, 3470 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC], 3471 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM], 3472 src_addr_ptr, dst_addr_ptr); 3473 3474 newbie->ipsa_type = samsg->sadb_msg_satype; 3475 3476 ASSERT((assoc->sadb_sa_state == SADB_SASTATE_MATURE) || 3477 (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE)); 3478 newbie->ipsa_auth_alg = assoc->sadb_sa_auth; 3479 newbie->ipsa_encr_alg = assoc->sadb_sa_encrypt; 3480 3481 newbie->ipsa_flags |= assoc->sadb_sa_flags; 3482 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_LOC && 3483 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC] == NULL) { 3484 mutex_exit(&newbie->ipsa_lock); 3485 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_LOC; 3486 error = EINVAL; 3487 goto error; 3488 } 3489 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_REM && 3490 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM] == NULL) { 3491 mutex_exit(&newbie->ipsa_lock); 3492 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_REM; 3493 error = EINVAL; 3494 goto error; 3495 } 3496 if (newbie->ipsa_flags & SADB_X_SAFLAGS_TUNNEL && 3497 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC] == NULL) { 3498 mutex_exit(&newbie->ipsa_lock); 3499 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC; 3500 error = EINVAL; 3501 goto error; 3502 } 3503 /* 3504 * If unspecified source address, force replay_wsize to 0. 3505 * This is because an SA that has multiple sources of secure 3506 * traffic cannot enforce a replay counter w/o synchronizing the 3507 * senders. 3508 */ 3509 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) 3510 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay; 3511 else 3512 newbie->ipsa_replay_wsize = 0; 3513 3514 newbie->ipsa_addtime = gethrestime_sec(); 3515 3516 if (kmcext != NULL) { 3517 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto; 3518 newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie; 3519 } 3520 3521 /* 3522 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE. 3523 * The spec says that one can update current lifetimes, but 3524 * that seems impractical, especially in the larval-to-mature 3525 * update that this function performs. 3526 */ 3527 if (soft != NULL) { 3528 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime; 3529 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime; 3530 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes; 3531 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations; 3532 SET_EXPIRE(newbie, softaddlt, softexpiretime); 3533 } 3534 if (hard != NULL) { 3535 newbie->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 3536 newbie->ipsa_harduselt = hard->sadb_lifetime_usetime; 3537 newbie->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 3538 newbie->ipsa_hardalloc = hard->sadb_lifetime_allocations; 3539 SET_EXPIRE(newbie, hardaddlt, hardexpiretime); 3540 } 3541 if (idle != NULL) { 3542 newbie->ipsa_idleaddlt = idle->sadb_lifetime_addtime; 3543 newbie->ipsa_idleuselt = idle->sadb_lifetime_usetime; 3544 newbie->ipsa_idleexpiretime = newbie->ipsa_addtime + 3545 newbie->ipsa_idleaddlt; 3546 newbie->ipsa_idletime = newbie->ipsa_idleaddlt; 3547 } 3548 3549 newbie->ipsa_authtmpl = NULL; 3550 newbie->ipsa_encrtmpl = NULL; 3551 3552 if (akey != NULL) { 3553 newbie->ipsa_authkeybits = akey->sadb_key_bits; 3554 newbie->ipsa_authkeylen = SADB_1TO8(akey->sadb_key_bits); 3555 /* In case we have to round up to the next byte... */ 3556 if ((akey->sadb_key_bits & 0x7) != 0) 3557 newbie->ipsa_authkeylen++; 3558 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 3559 KM_NOSLEEP); 3560 if (newbie->ipsa_authkey == NULL) { 3561 error = ENOMEM; 3562 mutex_exit(&newbie->ipsa_lock); 3563 goto error; 3564 } 3565 bcopy(akey + 1, newbie->ipsa_authkey, newbie->ipsa_authkeylen); 3566 bzero(akey + 1, newbie->ipsa_authkeylen); 3567 3568 /* 3569 * Pre-initialize the kernel crypto framework key 3570 * structure. 3571 */ 3572 newbie->ipsa_kcfauthkey.ck_format = CRYPTO_KEY_RAW; 3573 newbie->ipsa_kcfauthkey.ck_length = newbie->ipsa_authkeybits; 3574 newbie->ipsa_kcfauthkey.ck_data = newbie->ipsa_authkey; 3575 3576 mutex_enter(&ipss->ipsec_alg_lock); 3577 alg = ipss->ipsec_alglists[IPSEC_ALG_AUTH] 3578 [newbie->ipsa_auth_alg]; 3579 if (alg != NULL && ALG_VALID(alg)) { 3580 newbie->ipsa_amech.cm_type = alg->alg_mech_type; 3581 newbie->ipsa_amech.cm_param = 3582 (char *)&newbie->ipsa_mac_len; 3583 newbie->ipsa_amech.cm_param_len = sizeof (size_t); 3584 newbie->ipsa_mac_len = (size_t)alg->alg_datalen; 3585 } else { 3586 newbie->ipsa_amech.cm_type = CRYPTO_MECHANISM_INVALID; 3587 } 3588 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_AUTH); 3589 mutex_exit(&ipss->ipsec_alg_lock); 3590 if (error != 0) { 3591 mutex_exit(&newbie->ipsa_lock); 3592 /* 3593 * An error here indicates that alg is the wrong type 3594 * (IE: not authentication) or its not in the alg tables 3595 * created by ipsecalgs(1m), or Kcf does not like the 3596 * parameters passed in with this algorithm, which is 3597 * probably a coding error! 3598 */ 3599 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX; 3600 3601 goto error; 3602 } 3603 } 3604 3605 if (ekey != NULL) { 3606 mutex_enter(&ipss->ipsec_alg_lock); 3607 alg = ipss->ipsec_alglists[IPSEC_ALG_ENCR] 3608 [newbie->ipsa_encr_alg]; 3609 3610 if (alg != NULL && ALG_VALID(alg)) { 3611 newbie->ipsa_emech.cm_type = alg->alg_mech_type; 3612 newbie->ipsa_datalen = alg->alg_datalen; 3613 if (alg->alg_flags & ALG_FLAG_COUNTERMODE) 3614 newbie->ipsa_flags |= IPSA_F_COUNTERMODE; 3615 3616 if (alg->alg_flags & ALG_FLAG_COMBINED) { 3617 newbie->ipsa_flags |= IPSA_F_COMBINED; 3618 newbie->ipsa_mac_len = alg->alg_icvlen; 3619 } 3620 3621 if (alg->alg_flags & ALG_FLAG_CCM) 3622 newbie->ipsa_noncefunc = ccm_params_init; 3623 else if (alg->alg_flags & ALG_FLAG_GCM) 3624 newbie->ipsa_noncefunc = gcm_params_init; 3625 else newbie->ipsa_noncefunc = cbc_params_init; 3626 3627 newbie->ipsa_saltlen = alg->alg_saltlen; 3628 newbie->ipsa_saltbits = SADB_8TO1(newbie->ipsa_saltlen); 3629 newbie->ipsa_iv_len = alg->alg_ivlen; 3630 newbie->ipsa_nonce_len = newbie->ipsa_saltlen + 3631 newbie->ipsa_iv_len; 3632 newbie->ipsa_emech.cm_param = NULL; 3633 newbie->ipsa_emech.cm_param_len = 0; 3634 } else { 3635 newbie->ipsa_emech.cm_type = CRYPTO_MECHANISM_INVALID; 3636 } 3637 mutex_exit(&ipss->ipsec_alg_lock); 3638 3639 /* 3640 * The byte stream following the sadb_key_t is made up of: 3641 * key bytes, [salt bytes], [IV initial value] 3642 * All of these have variable length. The IV is typically 3643 * randomly generated by this function and not passed in. 3644 * By supporting the injection of a known IV, the whole 3645 * IPsec subsystem and the underlying crypto subsystem 3646 * can be tested with known test vectors. 3647 * 3648 * The keying material has been checked by ext_check() 3649 * and ipsec_valid_key_size(), after removing salt/IV 3650 * bits, whats left is the encryption key. If this is too 3651 * short, ipsec_create_ctx_tmpl() will fail and the SA 3652 * won't get created. 3653 * 3654 * set ipsa_encrkeylen to length of key only. 3655 */ 3656 newbie->ipsa_encrkeybits = ekey->sadb_key_bits; 3657 newbie->ipsa_encrkeybits -= ekey->sadb_key_reserved; 3658 newbie->ipsa_encrkeybits -= newbie->ipsa_saltbits; 3659 newbie->ipsa_encrkeylen = SADB_1TO8(newbie->ipsa_encrkeybits); 3660 3661 /* In case we have to round up to the next byte... */ 3662 if ((ekey->sadb_key_bits & 0x7) != 0) 3663 newbie->ipsa_encrkeylen++; 3664 3665 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 3666 KM_NOSLEEP); 3667 if (newbie->ipsa_encrkey == NULL) { 3668 error = ENOMEM; 3669 mutex_exit(&newbie->ipsa_lock); 3670 goto error; 3671 } 3672 3673 buf_ptr = (uint8_t *)(ekey + 1); 3674 bcopy(buf_ptr, newbie->ipsa_encrkey, newbie->ipsa_encrkeylen); 3675 3676 if (newbie->ipsa_flags & IPSA_F_COMBINED) { 3677 /* 3678 * Combined mode algs need a nonce. Copy the salt and 3679 * IV into a buffer. The ipsa_nonce is a pointer into 3680 * this buffer, some bytes at the start of the buffer 3681 * may be unused, depends on the salt length. The IV 3682 * is 64 bit aligned so it can be incremented as a 3683 * uint64_t. Zero out key in samsg_t before freeing. 3684 */ 3685 3686 newbie->ipsa_nonce_buf = kmem_alloc( 3687 sizeof (ipsec_nonce_t), KM_NOSLEEP); 3688 if (newbie->ipsa_nonce_buf == NULL) { 3689 error = ENOMEM; 3690 mutex_exit(&newbie->ipsa_lock); 3691 goto error; 3692 } 3693 /* 3694 * Initialize nonce and salt pointers to point 3695 * to the nonce buffer. This is just in case we get 3696 * bad data, the pointers will be valid, the data 3697 * won't be. 3698 * 3699 * See sadb.h for layout of nonce. 3700 */ 3701 newbie->ipsa_iv = &newbie->ipsa_nonce_buf->iv; 3702 newbie->ipsa_salt = (uint8_t *)newbie->ipsa_nonce_buf; 3703 newbie->ipsa_nonce = newbie->ipsa_salt; 3704 if (newbie->ipsa_saltlen != 0) { 3705 salt_offset = MAXSALTSIZE - 3706 newbie->ipsa_saltlen; 3707 newbie->ipsa_salt = (uint8_t *) 3708 &newbie->ipsa_nonce_buf->salt[salt_offset]; 3709 newbie->ipsa_nonce = newbie->ipsa_salt; 3710 buf_ptr += newbie->ipsa_encrkeylen; 3711 bcopy(buf_ptr, newbie->ipsa_salt, 3712 newbie->ipsa_saltlen); 3713 } 3714 /* 3715 * The IV for CCM/GCM mode increments, it should not 3716 * repeat. Get a random value for the IV, make a 3717 * copy, the SA will expire when/if the IV ever 3718 * wraps back to the initial value. If an Initial IV 3719 * is passed in via PF_KEY, save this in the SA. 3720 * Initialising IV for inbound is pointless as its 3721 * taken from the inbound packet. 3722 */ 3723 if (!is_inbound) { 3724 if (ekey->sadb_key_reserved != 0) { 3725 buf_ptr += newbie->ipsa_saltlen; 3726 bcopy(buf_ptr, (uint8_t *)newbie-> 3727 ipsa_iv, SADB_1TO8(ekey-> 3728 sadb_key_reserved)); 3729 } else { 3730 (void) random_get_pseudo_bytes( 3731 (uint8_t *)newbie->ipsa_iv, 3732 newbie->ipsa_iv_len); 3733 } 3734 newbie->ipsa_iv_softexpire = 3735 (*newbie->ipsa_iv) << 9; 3736 newbie->ipsa_iv_hardexpire = *newbie->ipsa_iv; 3737 } 3738 } 3739 bzero((ekey + 1), SADB_1TO8(ekey->sadb_key_bits)); 3740 3741 /* 3742 * Pre-initialize the kernel crypto framework key 3743 * structure. 3744 */ 3745 newbie->ipsa_kcfencrkey.ck_format = CRYPTO_KEY_RAW; 3746 newbie->ipsa_kcfencrkey.ck_length = newbie->ipsa_encrkeybits; 3747 newbie->ipsa_kcfencrkey.ck_data = newbie->ipsa_encrkey; 3748 3749 mutex_enter(&ipss->ipsec_alg_lock); 3750 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_ENCR); 3751 mutex_exit(&ipss->ipsec_alg_lock); 3752 if (error != 0) { 3753 mutex_exit(&newbie->ipsa_lock); 3754 /* See above for error explanation. */ 3755 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX; 3756 goto error; 3757 } 3758 } 3759 3760 /* 3761 * Ptrs to processing functions. 3762 */ 3763 if (newbie->ipsa_type == SADB_SATYPE_ESP) 3764 ipsecesp_init_funcs(newbie); 3765 else 3766 ipsecah_init_funcs(newbie); 3767 ASSERT(newbie->ipsa_output_func != NULL && 3768 newbie->ipsa_input_func != NULL); 3769 3770 /* 3771 * Certificate ID stuff. 3772 */ 3773 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC] != NULL) { 3774 sadb_ident_t *id = 3775 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 3776 3777 /* 3778 * Can assume strlen() will return okay because ext_check() in 3779 * keysock.c prepares the string for us. 3780 */ 3781 newbie->ipsa_src_cid = ipsid_lookup(id->sadb_ident_type, 3782 (char *)(id+1), ns); 3783 if (newbie->ipsa_src_cid == NULL) { 3784 error = ENOMEM; 3785 mutex_exit(&newbie->ipsa_lock); 3786 goto error; 3787 } 3788 } 3789 3790 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_DST] != NULL) { 3791 sadb_ident_t *id = 3792 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 3793 3794 /* 3795 * Can assume strlen() will return okay because ext_check() in 3796 * keysock.c prepares the string for us. 3797 */ 3798 newbie->ipsa_dst_cid = ipsid_lookup(id->sadb_ident_type, 3799 (char *)(id+1), ns); 3800 if (newbie->ipsa_dst_cid == NULL) { 3801 error = ENOMEM; 3802 mutex_exit(&newbie->ipsa_lock); 3803 goto error; 3804 } 3805 } 3806 3807 /* 3808 * sensitivity label handling code: 3809 * Convert sens + bitmap into cred_t, and associate it 3810 * with the new SA. 3811 */ 3812 if (sens != NULL) { 3813 uint64_t *bitmap = (uint64_t *)(sens + 1); 3814 3815 newbie->ipsa_cred = sadb_cred_from_sens(sens, bitmap); 3816 } 3817 3818 /* 3819 * Likewise for outer sensitivity. 3820 */ 3821 if (osens != NULL) { 3822 uint64_t *bitmap = (uint64_t *)(osens + 1); 3823 cred_t *cred, *effective_cred; 3824 uint32_t *peer_addr_ptr; 3825 3826 peer_addr_ptr = is_inbound ? src_addr_ptr : dst_addr_ptr; 3827 3828 cred = sadb_cred_from_sens(osens, bitmap); 3829 newbie->ipsa_mac_exempt = CONN_MAC_DEFAULT; 3830 3831 if (osens->sadb_x_sens_flags & SADB_X_SENS_IMPLICIT) { 3832 newbie->ipsa_mac_exempt = CONN_MAC_IMPLICIT; 3833 } 3834 3835 error = tsol_check_dest(cred, peer_addr_ptr, 3836 (af == AF_INET6)?IPV6_VERSION:IPV4_VERSION, 3837 newbie->ipsa_mac_exempt, &effective_cred); 3838 if (error != 0) { 3839 crfree(cred); 3840 mutex_exit(&newbie->ipsa_lock); 3841 goto error; 3842 } 3843 3844 if (effective_cred != NULL) { 3845 crfree(cred); 3846 cred = effective_cred; 3847 } 3848 3849 newbie->ipsa_ocred = cred; 3850 3851 if (af == AF_INET6) { 3852 error = tsol_compute_label_v6(cred, 3853 (in6_addr_t *)peer_addr_ptr, 3854 newbie->ipsa_opt_storage, ipst); 3855 } else { 3856 error = tsol_compute_label(cred, *peer_addr_ptr, 3857 newbie->ipsa_opt_storage, ipst); 3858 } 3859 if (error != 0) { 3860 mutex_exit(&newbie->ipsa_lock); 3861 goto error; 3862 } 3863 } 3864 3865 3866 if (replayext != NULL) { 3867 if ((replayext->sadb_x_rc_replay32 == 0) && 3868 (replayext->sadb_x_rc_replay64 != 0)) { 3869 error = EOPNOTSUPP; 3870 *diagnostic = SADB_X_DIAGNOSTIC_INVALID_REPLAY; 3871 mutex_exit(&newbie->ipsa_lock); 3872 goto error; 3873 } 3874 newbie->ipsa_replay = replayext->sadb_x_rc_replay32; 3875 } 3876 3877 /* now that the SA has been updated, set its new state */ 3878 newbie->ipsa_state = assoc->sadb_sa_state; 3879 3880 if (clone) { 3881 newbie->ipsa_haspeer = B_TRUE; 3882 } else { 3883 if (!is_inbound) { 3884 lifetime_fuzz(newbie); 3885 } 3886 } 3887 /* 3888 * The less locks I hold when doing an insertion and possible cloning, 3889 * the better! 3890 */ 3891 mutex_exit(&newbie->ipsa_lock); 3892 3893 if (clone) { 3894 newbie_clone = sadb_cloneassoc(newbie); 3895 3896 if (newbie_clone == NULL) { 3897 error = ENOMEM; 3898 goto error; 3899 } 3900 } 3901 3902 /* 3903 * Enter the bucket locks. The order of entry is outbound, 3904 * inbound. We map "primary" and "secondary" into outbound and inbound 3905 * based on the destination address type. If the destination address 3906 * type is for a node that isn't mine (or potentially mine), the 3907 * "primary" bucket is the outbound one. 3908 */ 3909 if (!is_inbound) { 3910 /* primary == outbound */ 3911 mutex_enter(&primary->isaf_lock); 3912 mutex_enter(&secondary->isaf_lock); 3913 } else { 3914 /* primary == inbound */ 3915 mutex_enter(&secondary->isaf_lock); 3916 mutex_enter(&primary->isaf_lock); 3917 } 3918 3919 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_common_add: spi = 0x%x\n", 3920 newbie->ipsa_spi)); 3921 3922 /* 3923 * sadb_insertassoc() doesn't increment the reference 3924 * count. We therefore have to increment the 3925 * reference count one more time to reflect the 3926 * pointers of the table that reference this SA. 3927 */ 3928 IPSA_REFHOLD(newbie); 3929 3930 if (isupdate) { 3931 /* 3932 * Unlink from larval holding cell in the "inbound" fanout. 3933 */ 3934 ASSERT(newbie->ipsa_linklock == &primary->isaf_lock || 3935 newbie->ipsa_linklock == &secondary->isaf_lock); 3936 sadb_unlinkassoc(newbie); 3937 } 3938 3939 mutex_enter(&newbie->ipsa_lock); 3940 error = sadb_insertassoc(newbie, primary); 3941 if (error == 0) { 3942 ctl_mp = sadb_fmt_sa_req(DL_CO_SET, newbie->ipsa_type, newbie, 3943 is_inbound); 3944 } 3945 mutex_exit(&newbie->ipsa_lock); 3946 3947 if (error != 0) { 3948 /* 3949 * Since sadb_insertassoc() failed, we must decrement the 3950 * refcount again so the cleanup code will actually free 3951 * the offending SA. 3952 */ 3953 IPSA_REFRELE(newbie); 3954 goto error_unlock; 3955 } 3956 3957 if (newbie_clone != NULL) { 3958 mutex_enter(&newbie_clone->ipsa_lock); 3959 error = sadb_insertassoc(newbie_clone, secondary); 3960 mutex_exit(&newbie_clone->ipsa_lock); 3961 if (error != 0) { 3962 /* Collision in secondary table. */ 3963 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 3964 goto error_unlock; 3965 } 3966 IPSA_REFHOLD(newbie_clone); 3967 } else { 3968 ASSERT(primary != secondary); 3969 scratch = ipsec_getassocbyspi(secondary, newbie->ipsa_spi, 3970 ALL_ZEROES_PTR, newbie->ipsa_dstaddr, af); 3971 if (scratch != NULL) { 3972 /* Collision in secondary table. */ 3973 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 3974 /* Set the error, since ipsec_getassocbyspi() can't. */ 3975 error = EEXIST; 3976 goto error_unlock; 3977 } 3978 } 3979 3980 /* OKAY! So let's do some reality check assertions. */ 3981 3982 ASSERT(MUTEX_NOT_HELD(&newbie->ipsa_lock)); 3983 ASSERT(newbie_clone == NULL || 3984 (MUTEX_NOT_HELD(&newbie_clone->ipsa_lock))); 3985 /* 3986 * If hardware acceleration could happen, send it. 3987 */ 3988 if (ctl_mp != NULL) { 3989 putnext(ip_q, ctl_mp); 3990 ctl_mp = NULL; 3991 } 3992 3993 error_unlock: 3994 3995 /* 3996 * We can exit the locks in any order. Only entrance needs to 3997 * follow any protocol. 3998 */ 3999 mutex_exit(&secondary->isaf_lock); 4000 mutex_exit(&primary->isaf_lock); 4001 4002 if (pair_ext != NULL && error == 0) { 4003 /* update pair_spi if it exists. */ 4004 ipsa_query_t sq; 4005 4006 sq.spp = spp; /* XXX param */ 4007 error = sadb_form_query(ksi, IPSA_Q_DST, IPSA_Q_SRC|IPSA_Q_DST| 4008 IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, &sq, diagnostic); 4009 if (error) 4010 return (error); 4011 4012 error = get_ipsa_pair(&sq, &ipsapp, diagnostic); 4013 4014 if (error != 0) 4015 goto error; 4016 4017 if (ipsapp.ipsap_psa_ptr != NULL) { 4018 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY; 4019 error = EINVAL; 4020 } else { 4021 /* update_pairing() sets diagnostic */ 4022 error = update_pairing(&ipsapp, &sq, ksi, diagnostic); 4023 } 4024 } 4025 /* Common error point for this routine. */ 4026 error: 4027 if (newbie != NULL) { 4028 if (error != 0) { 4029 /* This SA is broken, let the reaper clean up. */ 4030 mutex_enter(&newbie->ipsa_lock); 4031 newbie->ipsa_state = IPSA_STATE_DEAD; 4032 newbie->ipsa_hardexpiretime = 1; 4033 mutex_exit(&newbie->ipsa_lock); 4034 } 4035 IPSA_REFRELE(newbie); 4036 } 4037 if (newbie_clone != NULL) { 4038 IPSA_REFRELE(newbie_clone); 4039 } 4040 if (ctl_mp != NULL) 4041 freemsg(ctl_mp); 4042 4043 if (error == 0) { 4044 /* 4045 * Construct favorable PF_KEY return message and send to 4046 * keysock. Update the flags in the original keysock message 4047 * to reflect the actual flags in the new SA. 4048 * (Q: Do I need to pass "newbie"? If I do, 4049 * make sure to REFHOLD, call, then REFRELE.) 4050 */ 4051 assoc->sadb_sa_flags = newbie->ipsa_flags; 4052 sadb_pfkey_echo(pfkey_q, mp, samsg, ksi, NULL); 4053 } 4054 4055 destroy_ipsa_pair(&ipsapp); 4056 return (error); 4057 } 4058 4059 /* 4060 * Set the time of first use for a security association. Update any 4061 * expiration times as a result. 4062 */ 4063 void 4064 sadb_set_usetime(ipsa_t *assoc) 4065 { 4066 time_t snapshot = gethrestime_sec(); 4067 4068 mutex_enter(&assoc->ipsa_lock); 4069 assoc->ipsa_lastuse = snapshot; 4070 assoc->ipsa_idleexpiretime = snapshot + assoc->ipsa_idletime; 4071 4072 /* 4073 * Caller does check usetime before calling me usually, and 4074 * double-checking is better than a mutex_enter/exit hit. 4075 */ 4076 if (assoc->ipsa_usetime == 0) { 4077 /* 4078 * This is redundant for outbound SA's, as 4079 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already. 4080 * Inbound SAs, however, have no such protection. 4081 */ 4082 assoc->ipsa_flags |= IPSA_F_USED; 4083 assoc->ipsa_usetime = snapshot; 4084 4085 /* 4086 * After setting the use time, see if we have a use lifetime 4087 * that would cause the actual SA expiration time to shorten. 4088 */ 4089 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 4090 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 4091 } 4092 mutex_exit(&assoc->ipsa_lock); 4093 } 4094 4095 /* 4096 * Send up a PF_KEY expire message for this association. 4097 */ 4098 static void 4099 sadb_expire_assoc(queue_t *pfkey_q, ipsa_t *assoc) 4100 { 4101 mblk_t *mp, *mp1; 4102 int alloclen, af; 4103 sadb_msg_t *samsg; 4104 sadb_lifetime_t *current, *expire; 4105 sadb_sa_t *saext; 4106 uint8_t *end; 4107 boolean_t tunnel_mode; 4108 4109 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 4110 4111 /* Don't bother sending if there's no queue. */ 4112 if (pfkey_q == NULL) 4113 return; 4114 4115 /* If the SA is one of a pair, only SOFT expire the OUTBOUND SA */ 4116 if (assoc->ipsa_state == IPSA_STATE_DYING && 4117 (assoc->ipsa_flags & IPSA_F_PAIRED) && 4118 !(assoc->ipsa_flags & IPSA_F_OUTBOUND)) { 4119 return; 4120 } 4121 4122 mp = sadb_keysock_out(0); 4123 if (mp == NULL) { 4124 /* cmn_err(CE_WARN, */ 4125 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */ 4126 return; 4127 } 4128 4129 alloclen = sizeof (*samsg) + sizeof (*current) + sizeof (*expire) + 4130 2 * sizeof (sadb_address_t) + sizeof (*saext); 4131 4132 af = assoc->ipsa_addrfam; 4133 switch (af) { 4134 case AF_INET: 4135 alloclen += 2 * sizeof (struct sockaddr_in); 4136 break; 4137 case AF_INET6: 4138 alloclen += 2 * sizeof (struct sockaddr_in6); 4139 break; 4140 default: 4141 /* Won't happen unless there's a kernel bug. */ 4142 freeb(mp); 4143 cmn_err(CE_WARN, 4144 "sadb_expire_assoc: Unknown address length.\n"); 4145 return; 4146 } 4147 4148 tunnel_mode = (assoc->ipsa_flags & IPSA_F_TUNNEL); 4149 if (tunnel_mode) { 4150 alloclen += 2 * sizeof (sadb_address_t); 4151 switch (assoc->ipsa_innerfam) { 4152 case AF_INET: 4153 alloclen += 2 * sizeof (struct sockaddr_in); 4154 break; 4155 case AF_INET6: 4156 alloclen += 2 * sizeof (struct sockaddr_in6); 4157 break; 4158 default: 4159 /* Won't happen unless there's a kernel bug. */ 4160 freeb(mp); 4161 cmn_err(CE_WARN, "sadb_expire_assoc: " 4162 "Unknown inner address length.\n"); 4163 return; 4164 } 4165 } 4166 4167 mp->b_cont = allocb(alloclen, BPRI_HI); 4168 if (mp->b_cont == NULL) { 4169 freeb(mp); 4170 /* cmn_err(CE_WARN, */ 4171 /* "sadb_expire_assoc: Can't allocate message.\n"); */ 4172 return; 4173 } 4174 4175 mp1 = mp; 4176 mp = mp->b_cont; 4177 end = mp->b_wptr + alloclen; 4178 4179 samsg = (sadb_msg_t *)mp->b_wptr; 4180 mp->b_wptr += sizeof (*samsg); 4181 samsg->sadb_msg_version = PF_KEY_V2; 4182 samsg->sadb_msg_type = SADB_EXPIRE; 4183 samsg->sadb_msg_errno = 0; 4184 samsg->sadb_msg_satype = assoc->ipsa_type; 4185 samsg->sadb_msg_len = SADB_8TO64(alloclen); 4186 samsg->sadb_msg_reserved = 0; 4187 samsg->sadb_msg_seq = 0; 4188 samsg->sadb_msg_pid = 0; 4189 4190 saext = (sadb_sa_t *)mp->b_wptr; 4191 mp->b_wptr += sizeof (*saext); 4192 saext->sadb_sa_len = SADB_8TO64(sizeof (*saext)); 4193 saext->sadb_sa_exttype = SADB_EXT_SA; 4194 saext->sadb_sa_spi = assoc->ipsa_spi; 4195 saext->sadb_sa_replay = assoc->ipsa_replay_wsize; 4196 saext->sadb_sa_state = assoc->ipsa_state; 4197 saext->sadb_sa_auth = assoc->ipsa_auth_alg; 4198 saext->sadb_sa_encrypt = assoc->ipsa_encr_alg; 4199 saext->sadb_sa_flags = assoc->ipsa_flags; 4200 4201 current = (sadb_lifetime_t *)mp->b_wptr; 4202 mp->b_wptr += sizeof (sadb_lifetime_t); 4203 current->sadb_lifetime_len = SADB_8TO64(sizeof (*current)); 4204 current->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 4205 /* We do not support the concept. */ 4206 current->sadb_lifetime_allocations = 0; 4207 current->sadb_lifetime_bytes = assoc->ipsa_bytes; 4208 current->sadb_lifetime_addtime = assoc->ipsa_addtime; 4209 current->sadb_lifetime_usetime = assoc->ipsa_usetime; 4210 4211 expire = (sadb_lifetime_t *)mp->b_wptr; 4212 mp->b_wptr += sizeof (*expire); 4213 expire->sadb_lifetime_len = SADB_8TO64(sizeof (*expire)); 4214 4215 if (assoc->ipsa_state == IPSA_STATE_DEAD) { 4216 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 4217 expire->sadb_lifetime_allocations = assoc->ipsa_hardalloc; 4218 expire->sadb_lifetime_bytes = assoc->ipsa_hardbyteslt; 4219 expire->sadb_lifetime_addtime = assoc->ipsa_hardaddlt; 4220 expire->sadb_lifetime_usetime = assoc->ipsa_harduselt; 4221 } else if (assoc->ipsa_state == IPSA_STATE_DYING) { 4222 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 4223 expire->sadb_lifetime_allocations = assoc->ipsa_softalloc; 4224 expire->sadb_lifetime_bytes = assoc->ipsa_softbyteslt; 4225 expire->sadb_lifetime_addtime = assoc->ipsa_softaddlt; 4226 expire->sadb_lifetime_usetime = assoc->ipsa_softuselt; 4227 } else { 4228 ASSERT(assoc->ipsa_state == IPSA_STATE_MATURE); 4229 expire->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE; 4230 expire->sadb_lifetime_allocations = 0; 4231 expire->sadb_lifetime_bytes = 0; 4232 expire->sadb_lifetime_addtime = assoc->ipsa_idleaddlt; 4233 expire->sadb_lifetime_usetime = assoc->ipsa_idleuselt; 4234 } 4235 4236 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_SRC, 4237 af, assoc->ipsa_srcaddr, tunnel_mode ? 0 : SA_SRCPORT(assoc), 4238 SA_PROTO(assoc), 0); 4239 ASSERT(mp->b_wptr != NULL); 4240 4241 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_DST, 4242 af, assoc->ipsa_dstaddr, tunnel_mode ? 0 : SA_DSTPORT(assoc), 4243 SA_PROTO(assoc), 0); 4244 ASSERT(mp->b_wptr != NULL); 4245 4246 if (tunnel_mode) { 4247 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, 4248 SADB_X_EXT_ADDRESS_INNER_SRC, assoc->ipsa_innerfam, 4249 assoc->ipsa_innersrc, SA_SRCPORT(assoc), SA_IPROTO(assoc), 4250 assoc->ipsa_innersrcpfx); 4251 ASSERT(mp->b_wptr != NULL); 4252 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, 4253 SADB_X_EXT_ADDRESS_INNER_DST, assoc->ipsa_innerfam, 4254 assoc->ipsa_innerdst, SA_DSTPORT(assoc), SA_IPROTO(assoc), 4255 assoc->ipsa_innerdstpfx); 4256 ASSERT(mp->b_wptr != NULL); 4257 } 4258 4259 /* Can just putnext, we're ready to go! */ 4260 putnext(pfkey_q, mp1); 4261 } 4262 4263 /* 4264 * "Age" the SA with the number of bytes that was used to protect traffic. 4265 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was 4266 * enough "charge" left in the SA to protect the data. Return B_FALSE 4267 * otherwise. (If B_FALSE is returned, the association either was, or became 4268 * DEAD.) 4269 */ 4270 boolean_t 4271 sadb_age_bytes(queue_t *pfkey_q, ipsa_t *assoc, uint64_t bytes, 4272 boolean_t sendmsg) 4273 { 4274 boolean_t rc = B_TRUE; 4275 uint64_t newtotal; 4276 4277 mutex_enter(&assoc->ipsa_lock); 4278 newtotal = assoc->ipsa_bytes + bytes; 4279 if (assoc->ipsa_hardbyteslt != 0 && 4280 newtotal >= assoc->ipsa_hardbyteslt) { 4281 if (assoc->ipsa_state != IPSA_STATE_DEAD) { 4282 sadb_delete_cluster(assoc); 4283 /* 4284 * Send EXPIRE message to PF_KEY. May wish to pawn 4285 * this off on another non-interrupt thread. Also 4286 * unlink this SA immediately. 4287 */ 4288 assoc->ipsa_state = IPSA_STATE_DEAD; 4289 if (sendmsg) 4290 sadb_expire_assoc(pfkey_q, assoc); 4291 /* 4292 * Set non-zero expiration time so sadb_age_assoc() 4293 * will work when reaping. 4294 */ 4295 assoc->ipsa_hardexpiretime = (time_t)1; 4296 } /* Else someone beat me to it! */ 4297 rc = B_FALSE; 4298 } else if (assoc->ipsa_softbyteslt != 0 && 4299 (newtotal >= assoc->ipsa_softbyteslt)) { 4300 if (assoc->ipsa_state < IPSA_STATE_DYING) { 4301 /* 4302 * Send EXPIRE message to PF_KEY. May wish to pawn 4303 * this off on another non-interrupt thread. 4304 */ 4305 assoc->ipsa_state = IPSA_STATE_DYING; 4306 assoc->ipsa_bytes = newtotal; 4307 if (sendmsg) 4308 sadb_expire_assoc(pfkey_q, assoc); 4309 } /* Else someone beat me to it! */ 4310 } 4311 if (rc == B_TRUE) 4312 assoc->ipsa_bytes = newtotal; 4313 mutex_exit(&assoc->ipsa_lock); 4314 return (rc); 4315 } 4316 4317 /* 4318 * Push one or more DL_CO_DELETE messages queued up by 4319 * sadb_torch_assoc down to the underlying driver now that it's a 4320 * convenient time for it (i.e., ipsa bucket locks not held). 4321 */ 4322 static void 4323 sadb_drain_torchq(queue_t *q, mblk_t *mp) 4324 { 4325 while (mp != NULL) { 4326 mblk_t *next = mp->b_next; 4327 mp->b_next = NULL; 4328 if (q != NULL) 4329 putnext(q, mp); 4330 else 4331 freemsg(mp); 4332 mp = next; 4333 } 4334 } 4335 4336 /* 4337 * "Torch" an individual SA. Returns NULL, so it can be tail-called from 4338 * sadb_age_assoc(). 4339 * 4340 * If SA is hardware-accelerated, and we can't allocate the mblk 4341 * containing the DL_CO_DELETE, just return; it will remain in the 4342 * table and be swept up by sadb_ager() in a subsequent pass. 4343 */ 4344 static ipsa_t * 4345 sadb_torch_assoc(isaf_t *head, ipsa_t *sa, boolean_t inbnd, mblk_t **mq) 4346 { 4347 mblk_t *mp; 4348 4349 ASSERT(MUTEX_HELD(&head->isaf_lock)); 4350 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 4351 ASSERT(sa->ipsa_state == IPSA_STATE_DEAD); 4352 4353 /* 4354 * Force cached SAs to be revalidated.. 4355 */ 4356 head->isaf_gen++; 4357 4358 if (sa->ipsa_flags & IPSA_F_HW) { 4359 mp = sadb_fmt_sa_req(DL_CO_DELETE, sa->ipsa_type, sa, inbnd); 4360 if (mp == NULL) { 4361 mutex_exit(&sa->ipsa_lock); 4362 return (NULL); 4363 } 4364 mp->b_next = *mq; 4365 *mq = mp; 4366 } 4367 mutex_exit(&sa->ipsa_lock); 4368 sadb_unlinkassoc(sa); 4369 4370 return (NULL); 4371 } 4372 4373 /* 4374 * Do various SA-is-idle activities depending on delta (the number of idle 4375 * seconds on the SA) and/or other properties of the SA. 4376 * 4377 * Return B_TRUE if I've sent a packet, because I have to drop the 4378 * association's mutex before sending a packet out the wire. 4379 */ 4380 /* ARGSUSED */ 4381 static boolean_t 4382 sadb_idle_activities(ipsa_t *assoc, time_t delta, boolean_t inbound) 4383 { 4384 ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp; 4385 int nat_t_interval = espstack->ipsecesp_nat_keepalive_interval; 4386 4387 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 4388 4389 if (!inbound && (assoc->ipsa_flags & IPSA_F_NATT_LOC) && 4390 delta >= nat_t_interval && 4391 gethrestime_sec() - assoc->ipsa_last_nat_t_ka >= nat_t_interval) { 4392 ASSERT(assoc->ipsa_type == SADB_SATYPE_ESP); 4393 assoc->ipsa_last_nat_t_ka = gethrestime_sec(); 4394 mutex_exit(&assoc->ipsa_lock); 4395 ipsecesp_send_keepalive(assoc); 4396 return (B_TRUE); 4397 } 4398 return (B_FALSE); 4399 } 4400 4401 /* 4402 * Return "assoc" if haspeer is true and I send an expire. This allows 4403 * the consumers' aging functions to tidy up an expired SA's peer. 4404 */ 4405 static ipsa_t * 4406 sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc, 4407 time_t current, int reap_delay, boolean_t inbound, mblk_t **mq) 4408 { 4409 ipsa_t *retval = NULL; 4410 boolean_t dropped_mutex = B_FALSE; 4411 4412 ASSERT(MUTEX_HELD(&head->isaf_lock)); 4413 4414 mutex_enter(&assoc->ipsa_lock); 4415 4416 if (((assoc->ipsa_state == IPSA_STATE_LARVAL) || 4417 ((assoc->ipsa_state == IPSA_STATE_IDLE) || 4418 (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) && 4419 (assoc->ipsa_hardexpiretime != 0))) && 4420 (assoc->ipsa_hardexpiretime <= current)) { 4421 assoc->ipsa_state = IPSA_STATE_DEAD; 4422 return (sadb_torch_assoc(head, assoc, inbound, mq)); 4423 } 4424 4425 /* 4426 * Check lifetimes. Fortunately, SA setup is done 4427 * such that there are only two times to look at, 4428 * softexpiretime, and hardexpiretime. 4429 * 4430 * Check hard first. 4431 */ 4432 4433 if (assoc->ipsa_hardexpiretime != 0 && 4434 assoc->ipsa_hardexpiretime <= current) { 4435 if (assoc->ipsa_state == IPSA_STATE_DEAD) 4436 return (sadb_torch_assoc(head, assoc, inbound, mq)); 4437 4438 if (inbound) { 4439 sadb_delete_cluster(assoc); 4440 } 4441 4442 /* 4443 * Send SADB_EXPIRE with hard lifetime, delay for unlinking. 4444 */ 4445 assoc->ipsa_state = IPSA_STATE_DEAD; 4446 if (assoc->ipsa_haspeer || assoc->ipsa_otherspi != 0) { 4447 /* 4448 * If the SA is paired or peered with another, put 4449 * a copy on a list which can be processed later, the 4450 * pair/peer SA needs to be updated so the both die 4451 * at the same time. 4452 * 4453 * If I return assoc, I have to bump up its reference 4454 * count to keep with the ipsa_t reference count 4455 * semantics. 4456 */ 4457 IPSA_REFHOLD(assoc); 4458 retval = assoc; 4459 } 4460 sadb_expire_assoc(pfkey_q, assoc); 4461 assoc->ipsa_hardexpiretime = current + reap_delay; 4462 } else if (assoc->ipsa_softexpiretime != 0 && 4463 assoc->ipsa_softexpiretime <= current && 4464 assoc->ipsa_state < IPSA_STATE_DYING) { 4465 /* 4466 * Send EXPIRE message to PF_KEY. May wish to pawn 4467 * this off on another non-interrupt thread. 4468 */ 4469 assoc->ipsa_state = IPSA_STATE_DYING; 4470 if (assoc->ipsa_haspeer) { 4471 /* 4472 * If the SA has a peer, update the peer's state 4473 * on SOFT_EXPIRE, this is mostly to prevent two 4474 * expire messages from effectively the same SA. 4475 * 4476 * Don't care about paired SA's, then can (and should) 4477 * be able to soft expire at different times. 4478 * 4479 * If I return assoc, I have to bump up its 4480 * reference count to keep with the ipsa_t reference 4481 * count semantics. 4482 */ 4483 IPSA_REFHOLD(assoc); 4484 retval = assoc; 4485 } 4486 sadb_expire_assoc(pfkey_q, assoc); 4487 } else if (assoc->ipsa_idletime != 0 && 4488 assoc->ipsa_idleexpiretime <= current) { 4489 if (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) { 4490 assoc->ipsa_state = IPSA_STATE_IDLE; 4491 } 4492 4493 /* 4494 * Need to handle Mature case 4495 */ 4496 if (assoc->ipsa_state == IPSA_STATE_MATURE) { 4497 sadb_expire_assoc(pfkey_q, assoc); 4498 } 4499 } else { 4500 /* Check idle time activities. */ 4501 dropped_mutex = sadb_idle_activities(assoc, 4502 current - assoc->ipsa_lastuse, inbound); 4503 } 4504 4505 if (!dropped_mutex) 4506 mutex_exit(&assoc->ipsa_lock); 4507 return (retval); 4508 } 4509 4510 /* 4511 * Called by a consumer protocol to do ther dirty work of reaping dead 4512 * Security Associations. 4513 * 4514 * NOTE: sadb_age_assoc() marks expired SA's as DEAD but only removed 4515 * SA's that are already marked DEAD, so expired SA's are only reaped 4516 * the second time sadb_ager() runs. 4517 */ 4518 void 4519 sadb_ager(sadb_t *sp, queue_t *pfkey_q, queue_t *ip_q, int reap_delay, 4520 netstack_t *ns) 4521 { 4522 int i; 4523 isaf_t *bucket; 4524 ipsa_t *assoc, *spare; 4525 iacqf_t *acqlist; 4526 ipsacq_t *acqrec, *spareacq; 4527 templist_t *haspeerlist, *newbie; 4528 /* Snapshot current time now. */ 4529 time_t current = gethrestime_sec(); 4530 mblk_t *mq = NULL; 4531 haspeerlist = NULL; 4532 4533 /* 4534 * Do my dirty work. This includes aging real entries, aging 4535 * larvals, and aging outstanding ACQUIREs. 4536 * 4537 * I hope I don't tie up resources for too long. 4538 */ 4539 4540 /* Age acquires. */ 4541 4542 for (i = 0; i < sp->sdb_hashsize; i++) { 4543 acqlist = &sp->sdb_acq[i]; 4544 mutex_enter(&acqlist->iacqf_lock); 4545 for (acqrec = acqlist->iacqf_ipsacq; acqrec != NULL; 4546 acqrec = spareacq) { 4547 spareacq = acqrec->ipsacq_next; 4548 if (current > acqrec->ipsacq_expire) 4549 sadb_destroy_acquire(acqrec, ns); 4550 } 4551 mutex_exit(&acqlist->iacqf_lock); 4552 } 4553 4554 /* Age inbound associations. */ 4555 for (i = 0; i < sp->sdb_hashsize; i++) { 4556 bucket = &(sp->sdb_if[i]); 4557 mutex_enter(&bucket->isaf_lock); 4558 for (assoc = bucket->isaf_ipsa; assoc != NULL; 4559 assoc = spare) { 4560 spare = assoc->ipsa_next; 4561 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 4562 reap_delay, B_TRUE, &mq) != NULL) { 4563 /* 4564 * Put SA's which have a peer or SA's which 4565 * are paired on a list for processing after 4566 * all the hash tables have been walked. 4567 * 4568 * sadb_age_assoc() increments the refcnt, 4569 * effectively doing an IPSA_REFHOLD(). 4570 */ 4571 newbie = kmem_alloc(sizeof (*newbie), 4572 KM_NOSLEEP); 4573 if (newbie == NULL) { 4574 /* 4575 * Don't forget to REFRELE(). 4576 */ 4577 IPSA_REFRELE(assoc); 4578 continue; /* for loop... */ 4579 } 4580 newbie->next = haspeerlist; 4581 newbie->ipsa = assoc; 4582 haspeerlist = newbie; 4583 } 4584 } 4585 mutex_exit(&bucket->isaf_lock); 4586 } 4587 4588 if (mq != NULL) { 4589 sadb_drain_torchq(ip_q, mq); 4590 mq = NULL; 4591 } 4592 age_pair_peer_list(haspeerlist, sp, B_FALSE); 4593 haspeerlist = NULL; 4594 4595 /* Age outbound associations. */ 4596 for (i = 0; i < sp->sdb_hashsize; i++) { 4597 bucket = &(sp->sdb_of[i]); 4598 mutex_enter(&bucket->isaf_lock); 4599 for (assoc = bucket->isaf_ipsa; assoc != NULL; 4600 assoc = spare) { 4601 spare = assoc->ipsa_next; 4602 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 4603 reap_delay, B_FALSE, &mq) != NULL) { 4604 /* 4605 * sadb_age_assoc() increments the refcnt, 4606 * effectively doing an IPSA_REFHOLD(). 4607 */ 4608 newbie = kmem_alloc(sizeof (*newbie), 4609 KM_NOSLEEP); 4610 if (newbie == NULL) { 4611 /* 4612 * Don't forget to REFRELE(). 4613 */ 4614 IPSA_REFRELE(assoc); 4615 continue; /* for loop... */ 4616 } 4617 newbie->next = haspeerlist; 4618 newbie->ipsa = assoc; 4619 haspeerlist = newbie; 4620 } 4621 } 4622 mutex_exit(&bucket->isaf_lock); 4623 } 4624 if (mq != NULL) { 4625 sadb_drain_torchq(ip_q, mq); 4626 mq = NULL; 4627 } 4628 4629 age_pair_peer_list(haspeerlist, sp, B_TRUE); 4630 4631 /* 4632 * Run a GC pass to clean out dead identities. 4633 */ 4634 ipsid_gc(ns); 4635 } 4636 4637 /* 4638 * Figure out when to reschedule the ager. 4639 */ 4640 timeout_id_t 4641 sadb_retimeout(hrtime_t begin, queue_t *pfkey_q, void (*ager)(void *), 4642 void *agerarg, uint_t *intp, uint_t intmax, short mid) 4643 { 4644 hrtime_t end = gethrtime(); 4645 uint_t interval = *intp; 4646 4647 /* 4648 * See how long this took. If it took too long, increase the 4649 * aging interval. 4650 */ 4651 if ((end - begin) > (hrtime_t)interval * (hrtime_t)1000000) { 4652 if (interval >= intmax) { 4653 /* XXX Rate limit this? Or recommend flush? */ 4654 (void) strlog(mid, 0, 0, SL_ERROR | SL_WARN, 4655 "Too many SA's to age out in %d msec.\n", 4656 intmax); 4657 } else { 4658 /* Double by shifting by one bit. */ 4659 interval <<= 1; 4660 interval = min(interval, intmax); 4661 } 4662 } else if ((end - begin) <= (hrtime_t)interval * (hrtime_t)500000 && 4663 interval > SADB_AGE_INTERVAL_DEFAULT) { 4664 /* 4665 * If I took less than half of the interval, then I should 4666 * ratchet the interval back down. Never automatically 4667 * shift below the default aging interval. 4668 * 4669 * NOTE:This even overrides manual setting of the age 4670 * interval using NDD to lower the setting past the 4671 * default. In other words, if you set the interval 4672 * lower than the default, and your SADB gets too big, 4673 * the interval will only self-lower back to the default. 4674 */ 4675 /* Halve by shifting one bit. */ 4676 interval >>= 1; 4677 interval = max(interval, SADB_AGE_INTERVAL_DEFAULT); 4678 } 4679 *intp = interval; 4680 return (qtimeout(pfkey_q, ager, agerarg, 4681 drv_usectohz(interval * 1000))); 4682 } 4683 4684 4685 /* 4686 * Update the lifetime values of an SA. This is the path an SADB_UPDATE 4687 * message takes when updating a MATURE or DYING SA. 4688 */ 4689 static void 4690 sadb_update_lifetimes(ipsa_t *assoc, sadb_lifetime_t *hard, 4691 sadb_lifetime_t *soft, sadb_lifetime_t *idle, boolean_t outbound) 4692 { 4693 mutex_enter(&assoc->ipsa_lock); 4694 4695 /* 4696 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be 4697 * passed in during an update message. We currently don't handle 4698 * these. 4699 */ 4700 4701 if (hard != NULL) { 4702 if (hard->sadb_lifetime_bytes != 0) 4703 assoc->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 4704 if (hard->sadb_lifetime_usetime != 0) 4705 assoc->ipsa_harduselt = hard->sadb_lifetime_usetime; 4706 if (hard->sadb_lifetime_addtime != 0) 4707 assoc->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 4708 if (assoc->ipsa_hardaddlt != 0) { 4709 assoc->ipsa_hardexpiretime = 4710 assoc->ipsa_addtime + assoc->ipsa_hardaddlt; 4711 } 4712 if (assoc->ipsa_harduselt != 0 && 4713 assoc->ipsa_flags & IPSA_F_USED) { 4714 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 4715 } 4716 if (hard->sadb_lifetime_allocations != 0) 4717 assoc->ipsa_hardalloc = hard->sadb_lifetime_allocations; 4718 } 4719 4720 if (soft != NULL) { 4721 if (soft->sadb_lifetime_bytes != 0) { 4722 if (soft->sadb_lifetime_bytes > 4723 assoc->ipsa_hardbyteslt) { 4724 assoc->ipsa_softbyteslt = 4725 assoc->ipsa_hardbyteslt; 4726 } else { 4727 assoc->ipsa_softbyteslt = 4728 soft->sadb_lifetime_bytes; 4729 } 4730 } 4731 if (soft->sadb_lifetime_usetime != 0) { 4732 if (soft->sadb_lifetime_usetime > 4733 assoc->ipsa_harduselt) { 4734 assoc->ipsa_softuselt = 4735 assoc->ipsa_harduselt; 4736 } else { 4737 assoc->ipsa_softuselt = 4738 soft->sadb_lifetime_usetime; 4739 } 4740 } 4741 if (soft->sadb_lifetime_addtime != 0) { 4742 if (soft->sadb_lifetime_addtime > 4743 assoc->ipsa_hardexpiretime) { 4744 assoc->ipsa_softexpiretime = 4745 assoc->ipsa_hardexpiretime; 4746 } else { 4747 assoc->ipsa_softaddlt = 4748 soft->sadb_lifetime_addtime; 4749 } 4750 } 4751 if (assoc->ipsa_softaddlt != 0) { 4752 assoc->ipsa_softexpiretime = 4753 assoc->ipsa_addtime + assoc->ipsa_softaddlt; 4754 } 4755 if (assoc->ipsa_softuselt != 0 && 4756 assoc->ipsa_flags & IPSA_F_USED) { 4757 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 4758 } 4759 if (outbound && assoc->ipsa_softexpiretime != 0) { 4760 if (assoc->ipsa_state == IPSA_STATE_MATURE) 4761 lifetime_fuzz(assoc); 4762 } 4763 4764 if (soft->sadb_lifetime_allocations != 0) 4765 assoc->ipsa_softalloc = soft->sadb_lifetime_allocations; 4766 } 4767 4768 if (idle != NULL) { 4769 time_t current = gethrestime_sec(); 4770 if ((assoc->ipsa_idleexpiretime <= current) && 4771 (assoc->ipsa_idleaddlt == idle->sadb_lifetime_addtime)) { 4772 assoc->ipsa_idleexpiretime = 4773 current + assoc->ipsa_idleaddlt; 4774 } 4775 if (idle->sadb_lifetime_addtime != 0) 4776 assoc->ipsa_idleaddlt = idle->sadb_lifetime_addtime; 4777 if (idle->sadb_lifetime_usetime != 0) 4778 assoc->ipsa_idleuselt = idle->sadb_lifetime_usetime; 4779 if (assoc->ipsa_idleaddlt != 0) { 4780 assoc->ipsa_idleexpiretime = 4781 current + idle->sadb_lifetime_addtime; 4782 assoc->ipsa_idletime = idle->sadb_lifetime_addtime; 4783 } 4784 if (assoc->ipsa_idleuselt != 0) { 4785 if (assoc->ipsa_idletime != 0) { 4786 assoc->ipsa_idletime = min(assoc->ipsa_idletime, 4787 assoc->ipsa_idleuselt); 4788 assoc->ipsa_idleexpiretime = 4789 current + assoc->ipsa_idletime; 4790 } else { 4791 assoc->ipsa_idleexpiretime = 4792 current + assoc->ipsa_idleuselt; 4793 assoc->ipsa_idletime = assoc->ipsa_idleuselt; 4794 } 4795 } 4796 } 4797 mutex_exit(&assoc->ipsa_lock); 4798 } 4799 4800 static int 4801 sadb_update_state(ipsa_t *assoc, uint_t new_state, mblk_t **ipkt_lst) 4802 { 4803 int rcode = 0; 4804 time_t current = gethrestime_sec(); 4805 4806 mutex_enter(&assoc->ipsa_lock); 4807 4808 switch (new_state) { 4809 case SADB_X_SASTATE_ACTIVE_ELSEWHERE: 4810 if (assoc->ipsa_state == SADB_X_SASTATE_IDLE) { 4811 assoc->ipsa_state = IPSA_STATE_ACTIVE_ELSEWHERE; 4812 assoc->ipsa_idleexpiretime = 4813 current + assoc->ipsa_idletime; 4814 } 4815 break; 4816 case SADB_X_SASTATE_IDLE: 4817 if (assoc->ipsa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) { 4818 assoc->ipsa_state = IPSA_STATE_IDLE; 4819 assoc->ipsa_idleexpiretime = 4820 current + assoc->ipsa_idletime; 4821 } else { 4822 rcode = EINVAL; 4823 } 4824 break; 4825 4826 case SADB_X_SASTATE_ACTIVE: 4827 if (assoc->ipsa_state != SADB_X_SASTATE_IDLE) { 4828 rcode = EINVAL; 4829 break; 4830 } 4831 assoc->ipsa_state = IPSA_STATE_MATURE; 4832 assoc->ipsa_idleexpiretime = current + assoc->ipsa_idletime; 4833 4834 if (ipkt_lst == NULL) { 4835 break; 4836 } 4837 4838 if (assoc->ipsa_bpkt_head != NULL) { 4839 *ipkt_lst = assoc->ipsa_bpkt_head; 4840 assoc->ipsa_bpkt_head = assoc->ipsa_bpkt_tail = NULL; 4841 assoc->ipsa_mblkcnt = 0; 4842 } else { 4843 *ipkt_lst = NULL; 4844 } 4845 break; 4846 default: 4847 rcode = EINVAL; 4848 break; 4849 } 4850 4851 mutex_exit(&assoc->ipsa_lock); 4852 return (rcode); 4853 } 4854 4855 /* 4856 * Check a proposed KMC update for sanity. 4857 */ 4858 static int 4859 sadb_check_kmc(ipsa_query_t *sq, ipsa_t *sa, int *diagnostic) 4860 { 4861 uint32_t kmp = sq->kmp; 4862 uint32_t kmc = sq->kmc; 4863 4864 if (sa == NULL) 4865 return (0); 4866 4867 if (sa->ipsa_state == IPSA_STATE_DEAD) 4868 return (ESRCH); /* DEAD == Not there, in this case. */ 4869 4870 if ((kmp != 0) && ((sa->ipsa_kmp != 0) || (sa->ipsa_kmp != kmp))) { 4871 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 4872 return (EINVAL); 4873 } 4874 4875 if ((kmc != 0) && ((sa->ipsa_kmc != 0) || (sa->ipsa_kmc != kmc))) { 4876 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 4877 return (EINVAL); 4878 } 4879 4880 return (0); 4881 } 4882 4883 /* 4884 * Actually update the KMC info. 4885 */ 4886 static void 4887 sadb_update_kmc(ipsa_query_t *sq, ipsa_t *sa) 4888 { 4889 uint32_t kmp = sq->kmp; 4890 uint32_t kmc = sq->kmc; 4891 4892 if (kmp != 0) 4893 sa->ipsa_kmp = kmp; 4894 if (kmc != 0) 4895 sa->ipsa_kmc = kmc; 4896 } 4897 4898 /* 4899 * Common code to update an SA. 4900 */ 4901 4902 int 4903 sadb_update_sa(mblk_t *mp, keysock_in_t *ksi, mblk_t **ipkt_lst, 4904 sadbp_t *spp, int *diagnostic, queue_t *pfkey_q, 4905 int (*add_sa_func)(mblk_t *, keysock_in_t *, int *, netstack_t *), 4906 netstack_t *ns, uint8_t sadb_msg_type) 4907 { 4908 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 4909 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 4910 sadb_x_replay_ctr_t *replext = 4911 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE]; 4912 sadb_lifetime_t *soft = 4913 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 4914 sadb_lifetime_t *hard = 4915 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 4916 sadb_lifetime_t *idle = 4917 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE]; 4918 sadb_x_pair_t *pair_ext = 4919 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 4920 ipsa_t *echo_target = NULL; 4921 ipsap_t ipsapp; 4922 ipsa_query_t sq; 4923 time_t current = gethrestime_sec(); 4924 4925 sq.spp = spp; /* XXX param */ 4926 int error = sadb_form_query(ksi, IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA, 4927 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, 4928 &sq, diagnostic); 4929 4930 if (error != 0) 4931 return (error); 4932 4933 error = get_ipsa_pair(&sq, &ipsapp, diagnostic); 4934 if (error != 0) 4935 return (error); 4936 4937 if (ipsapp.ipsap_psa_ptr == NULL && ipsapp.ipsap_sa_ptr != NULL) { 4938 if (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) { 4939 /* 4940 * REFRELE the target and let the add_sa_func() 4941 * deal with updating a larval SA. 4942 */ 4943 destroy_ipsa_pair(&ipsapp); 4944 return (add_sa_func(mp, ksi, diagnostic, ns)); 4945 } 4946 } 4947 4948 /* 4949 * At this point we have an UPDATE to a MATURE SA. There should 4950 * not be any keying material present. 4951 */ 4952 if (akey != NULL) { 4953 *diagnostic = SADB_X_DIAGNOSTIC_AKEY_PRESENT; 4954 error = EINVAL; 4955 goto bail; 4956 } 4957 if (ekey != NULL) { 4958 *diagnostic = SADB_X_DIAGNOSTIC_EKEY_PRESENT; 4959 error = EINVAL; 4960 goto bail; 4961 } 4962 4963 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) { 4964 if (ipsapp.ipsap_sa_ptr != NULL && 4965 ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_IDLE) { 4966 if ((error = sadb_update_state(ipsapp.ipsap_sa_ptr, 4967 sq.assoc->sadb_sa_state, NULL)) != 0) { 4968 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4969 goto bail; 4970 } 4971 } 4972 if (ipsapp.ipsap_psa_ptr != NULL && 4973 ipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_IDLE) { 4974 if ((error = sadb_update_state(ipsapp.ipsap_psa_ptr, 4975 sq.assoc->sadb_sa_state, NULL)) != 0) { 4976 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4977 goto bail; 4978 } 4979 } 4980 } 4981 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE) { 4982 if (ipsapp.ipsap_sa_ptr != NULL) { 4983 error = sadb_update_state(ipsapp.ipsap_sa_ptr, 4984 sq.assoc->sadb_sa_state, 4985 (ipsapp.ipsap_sa_ptr->ipsa_flags & 4986 IPSA_F_INBOUND) ? ipkt_lst : NULL); 4987 if (error) { 4988 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4989 goto bail; 4990 } 4991 } 4992 if (ipsapp.ipsap_psa_ptr != NULL) { 4993 error = sadb_update_state(ipsapp.ipsap_psa_ptr, 4994 sq.assoc->sadb_sa_state, 4995 (ipsapp.ipsap_psa_ptr->ipsa_flags & 4996 IPSA_F_INBOUND) ? ipkt_lst : NULL); 4997 if (error) { 4998 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4999 goto bail; 5000 } 5001 } 5002 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 5003 ksi, echo_target); 5004 goto bail; 5005 } 5006 5007 /* 5008 * Reality checks for updates of active associations. 5009 * Sundry first-pass UPDATE-specific reality checks. 5010 * Have to do the checks here, because it's after the add_sa code. 5011 * XXX STATS : logging/stats here? 5012 */ 5013 5014 if (!((sq.assoc->sadb_sa_state == SADB_SASTATE_MATURE) || 5015 (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE))) { 5016 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 5017 error = EINVAL; 5018 goto bail; 5019 } 5020 if (sq.assoc->sadb_sa_flags & ~spp->s_updateflags) { 5021 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS; 5022 error = EINVAL; 5023 goto bail; 5024 } 5025 if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL) { 5026 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_LIFETIME; 5027 error = EOPNOTSUPP; 5028 goto bail; 5029 } 5030 5031 if ((*diagnostic = sadb_hardsoftchk(hard, soft, idle)) != 0) { 5032 error = EINVAL; 5033 goto bail; 5034 } 5035 5036 if ((*diagnostic = sadb_labelchk(ksi)) != 0) 5037 return (EINVAL); 5038 5039 error = sadb_check_kmc(&sq, ipsapp.ipsap_sa_ptr, diagnostic); 5040 if (error != 0) 5041 goto bail; 5042 5043 error = sadb_check_kmc(&sq, ipsapp.ipsap_psa_ptr, diagnostic); 5044 if (error != 0) 5045 goto bail; 5046 5047 5048 if (ipsapp.ipsap_sa_ptr != NULL) { 5049 /* 5050 * Do not allow replay value change for MATURE or LARVAL SA. 5051 */ 5052 5053 if ((replext != NULL) && 5054 ((ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) || 5055 (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_MATURE))) { 5056 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 5057 error = EINVAL; 5058 goto bail; 5059 } 5060 } 5061 5062 5063 if (ipsapp.ipsap_sa_ptr != NULL) { 5064 sadb_update_lifetimes(ipsapp.ipsap_sa_ptr, hard, soft, 5065 idle, B_TRUE); 5066 sadb_update_kmc(&sq, ipsapp.ipsap_sa_ptr); 5067 if ((replext != NULL) && 5068 (ipsapp.ipsap_sa_ptr->ipsa_replay_wsize != 0)) { 5069 /* 5070 * If an inbound SA, update the replay counter 5071 * and check off all the other sequence number 5072 */ 5073 if (ksi->ks_in_dsttype == KS_IN_ADDR_ME) { 5074 if (!sadb_replay_check(ipsapp.ipsap_sa_ptr, 5075 replext->sadb_x_rc_replay32)) { 5076 *diagnostic = 5077 SADB_X_DIAGNOSTIC_INVALID_REPLAY; 5078 error = EINVAL; 5079 goto bail; 5080 } 5081 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock); 5082 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime = 5083 current + 5084 ipsapp.ipsap_sa_ptr->ipsa_idletime; 5085 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock); 5086 } else { 5087 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock); 5088 ipsapp.ipsap_sa_ptr->ipsa_replay = 5089 replext->sadb_x_rc_replay32; 5090 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime = 5091 current + 5092 ipsapp.ipsap_sa_ptr->ipsa_idletime; 5093 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock); 5094 } 5095 } 5096 } 5097 5098 if (sadb_msg_type == SADB_X_UPDATEPAIR) { 5099 if (ipsapp.ipsap_psa_ptr != NULL) { 5100 sadb_update_lifetimes(ipsapp.ipsap_psa_ptr, hard, soft, 5101 idle, B_FALSE); 5102 sadb_update_kmc(&sq, ipsapp.ipsap_psa_ptr); 5103 } else { 5104 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 5105 error = ESRCH; 5106 goto bail; 5107 } 5108 } 5109 5110 if (pair_ext != NULL) 5111 error = update_pairing(&ipsapp, &sq, ksi, diagnostic); 5112 5113 if (error == 0) 5114 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 5115 ksi, echo_target); 5116 bail: 5117 5118 destroy_ipsa_pair(&ipsapp); 5119 5120 return (error); 5121 } 5122 5123 5124 static int 5125 update_pairing(ipsap_t *ipsapp, ipsa_query_t *sq, keysock_in_t *ksi, 5126 int *diagnostic) 5127 { 5128 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 5129 sadb_x_pair_t *pair_ext = 5130 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 5131 int error = 0; 5132 ipsap_t oipsapp; 5133 boolean_t undo_pair = B_FALSE; 5134 uint32_t ipsa_flags; 5135 5136 if (pair_ext->sadb_x_pair_spi == 0 || pair_ext->sadb_x_pair_spi == 5137 assoc->sadb_sa_spi) { 5138 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 5139 return (EINVAL); 5140 } 5141 5142 /* 5143 * Assume for now that the spi value provided in the SADB_UPDATE 5144 * message was valid, update the SA with its pair spi value. 5145 * If the spi turns out to be bogus or the SA no longer exists 5146 * then this will be detected when the reverse update is made 5147 * below. 5148 */ 5149 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 5150 ipsapp->ipsap_sa_ptr->ipsa_flags |= IPSA_F_PAIRED; 5151 ipsapp->ipsap_sa_ptr->ipsa_otherspi = pair_ext->sadb_x_pair_spi; 5152 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 5153 5154 /* 5155 * After updating the ipsa_otherspi element of the SA, get_ipsa_pair() 5156 * should now return pointers to the SA *AND* its pair, if this is not 5157 * the case, the "otherspi" either did not exist or was deleted. Also 5158 * check that "otherspi" is not already paired. If everything looks 5159 * good, complete the update. IPSA_REFRELE the first pair_pointer 5160 * after this update to ensure its not deleted until we are done. 5161 */ 5162 error = get_ipsa_pair(sq, &oipsapp, diagnostic); 5163 if (error != 0) { 5164 /* 5165 * This should never happen, calling function still has 5166 * IPSA_REFHELD on the SA we just updated. 5167 */ 5168 return (error); /* XXX EINVAL instead of ESRCH? */ 5169 } 5170 5171 if (oipsapp.ipsap_psa_ptr == NULL) { 5172 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 5173 error = EINVAL; 5174 undo_pair = B_TRUE; 5175 } else { 5176 ipsa_flags = oipsapp.ipsap_psa_ptr->ipsa_flags; 5177 if ((oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DEAD) || 5178 (oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DYING)) { 5179 /* Its dead Jim! */ 5180 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 5181 undo_pair = B_TRUE; 5182 } else if ((ipsa_flags & (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) == 5183 (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) { 5184 /* This SA is in both hashtables. */ 5185 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 5186 undo_pair = B_TRUE; 5187 } else if (ipsa_flags & IPSA_F_PAIRED) { 5188 /* This SA is already paired with another. */ 5189 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY; 5190 undo_pair = B_TRUE; 5191 } 5192 } 5193 5194 if (undo_pair) { 5195 /* The pair SA does not exist. */ 5196 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 5197 ipsapp->ipsap_sa_ptr->ipsa_flags &= ~IPSA_F_PAIRED; 5198 ipsapp->ipsap_sa_ptr->ipsa_otherspi = 0; 5199 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 5200 } else { 5201 mutex_enter(&oipsapp.ipsap_psa_ptr->ipsa_lock); 5202 oipsapp.ipsap_psa_ptr->ipsa_otherspi = assoc->sadb_sa_spi; 5203 oipsapp.ipsap_psa_ptr->ipsa_flags |= IPSA_F_PAIRED; 5204 mutex_exit(&oipsapp.ipsap_psa_ptr->ipsa_lock); 5205 } 5206 5207 destroy_ipsa_pair(&oipsapp); 5208 return (error); 5209 } 5210 5211 /* 5212 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is 5213 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails 5214 * for an outbound datagram, that datagram is queued up on an ACQUIRE record, 5215 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key 5216 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve 5217 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the 5218 * other direction's SA. 5219 */ 5220 5221 /* 5222 * Check the ACQUIRE lists. If there's an existing ACQUIRE record, 5223 * grab it, lock it, and return it. Otherwise return NULL. 5224 * 5225 * XXX MLS number of arguments getting unwieldy here 5226 */ 5227 static ipsacq_t * 5228 sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp, 5229 uint32_t *src, uint32_t *dst, uint32_t *isrc, uint32_t *idst, 5230 uint64_t unique_id, cred_t *cr) 5231 { 5232 ipsacq_t *walker; 5233 sa_family_t fam; 5234 uint32_t blank_address[4] = {0, 0, 0, 0}; 5235 5236 if (isrc == NULL) { 5237 ASSERT(idst == NULL); 5238 isrc = idst = blank_address; 5239 } 5240 5241 /* 5242 * Scan list for duplicates. Check for UNIQUE, src/dest, policy. 5243 * 5244 * XXX May need search for duplicates based on other things too! 5245 */ 5246 for (walker = bucket->iacqf_ipsacq; walker != NULL; 5247 walker = walker->ipsacq_next) { 5248 mutex_enter(&walker->ipsacq_lock); 5249 fam = walker->ipsacq_addrfam; 5250 if (IPSA_ARE_ADDR_EQUAL(dst, walker->ipsacq_dstaddr, fam) && 5251 IPSA_ARE_ADDR_EQUAL(src, walker->ipsacq_srcaddr, fam) && 5252 ip_addr_match((uint8_t *)isrc, walker->ipsacq_innersrcpfx, 5253 (in6_addr_t *)walker->ipsacq_innersrc) && 5254 ip_addr_match((uint8_t *)idst, walker->ipsacq_innerdstpfx, 5255 (in6_addr_t *)walker->ipsacq_innerdst) && 5256 (ap == walker->ipsacq_act) && 5257 (pp == walker->ipsacq_policy) && 5258 /* XXX do deep compares of ap/pp? */ 5259 (unique_id == walker->ipsacq_unique_id) && 5260 (ipsec_label_match(cr, walker->ipsacq_cred))) 5261 break; /* everything matched */ 5262 mutex_exit(&walker->ipsacq_lock); 5263 } 5264 5265 return (walker); 5266 } 5267 5268 /* 5269 * For this mblk, insert a new acquire record. Assume bucket contains addrs 5270 * of all of the same length. Give up (and drop) if memory 5271 * cannot be allocated for a new one; otherwise, invoke callback to 5272 * send the acquire up.. 5273 * 5274 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE 5275 * list. The ah_add_sa_finish() routines can look at the packet's ipsec_out_t 5276 * and handle this case specially. 5277 */ 5278 void 5279 sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp) 5280 { 5281 sadbp_t *spp; 5282 sadb_t *sp; 5283 ipsacq_t *newbie; 5284 iacqf_t *bucket; 5285 mblk_t *datamp = mp->b_cont; 5286 mblk_t *extended; 5287 ipha_t *ipha = (ipha_t *)datamp->b_rptr; 5288 ip6_t *ip6h = (ip6_t *)datamp->b_rptr; 5289 uint32_t *src, *dst, *isrc, *idst; 5290 ipsec_policy_t *pp = io->ipsec_out_policy; 5291 ipsec_action_t *ap = io->ipsec_out_act; 5292 sa_family_t af; 5293 int hashoffset; 5294 uint32_t seq; 5295 uint64_t unique_id = 0; 5296 ipsec_selector_t sel; 5297 boolean_t tunnel_mode = io->ipsec_out_tunnel; 5298 cred_t *cr = NULL; 5299 netstack_t *ns = io->ipsec_out_ns; 5300 ipsec_stack_t *ipss = ns->netstack_ipsec; 5301 sadb_sens_t *sens = NULL; 5302 int sens_len; 5303 5304 ASSERT((pp != NULL) || (ap != NULL)); 5305 5306 ASSERT(need_ah != NULL || need_esp != NULL); 5307 5308 /* Assign sadb pointers */ 5309 if (need_esp) { /* ESP for AH+ESP */ 5310 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 5311 5312 spp = &espstack->esp_sadb; 5313 } else { 5314 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 5315 5316 spp = &ahstack->ah_sadb; 5317 } 5318 sp = io->ipsec_out_v4 ? &spp->s_v4 : &spp->s_v6; 5319 5320 ASSERT(mp->b_cont != NULL); 5321 5322 if (is_system_labeled()) 5323 cr = msg_getcred(mp->b_cont, NULL); 5324 5325 if (ap == NULL) 5326 ap = pp->ipsp_act; 5327 5328 ASSERT(ap != NULL); 5329 5330 if (ap->ipa_act.ipa_apply.ipp_use_unique || tunnel_mode) 5331 unique_id = SA_FORM_UNIQUE_ID(io); 5332 5333 /* 5334 * Set up an ACQUIRE record. 5335 * 5336 * Immediately, make sure the ACQUIRE sequence number doesn't slip 5337 * below the lowest point allowed in the kernel. (In other words, 5338 * make sure the high bit on the sequence number is set.) 5339 */ 5340 5341 seq = keysock_next_seq(ns) | IACQF_LOWEST_SEQ; 5342 5343 if (IPH_HDR_VERSION(ipha) == IP_VERSION) { 5344 src = (uint32_t *)&ipha->ipha_src; 5345 dst = (uint32_t *)&ipha->ipha_dst; 5346 af = AF_INET; 5347 hashoffset = OUTBOUND_HASH_V4(sp, ipha->ipha_dst); 5348 ASSERT(io->ipsec_out_v4 == B_TRUE); 5349 } else { 5350 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION); 5351 src = (uint32_t *)&ip6h->ip6_src; 5352 dst = (uint32_t *)&ip6h->ip6_dst; 5353 af = AF_INET6; 5354 hashoffset = OUTBOUND_HASH_V6(sp, ip6h->ip6_dst); 5355 ASSERT(io->ipsec_out_v4 == B_FALSE); 5356 } 5357 5358 if (tunnel_mode) { 5359 if (pp == NULL) { 5360 /* 5361 * Tunnel mode with no policy pointer means this is a 5362 * reflected ICMP (like a ECHO REQUEST) that came in 5363 * with self-encapsulated protection. Until we better 5364 * support this, drop the packet. 5365 */ 5366 ip_drop_packet(mp, B_FALSE, NULL, NULL, 5367 DROPPER(ipss, ipds_spd_got_selfencap), 5368 &ipss->ipsec_spd_dropper); 5369 return; 5370 } 5371 /* Snag inner addresses. */ 5372 isrc = io->ipsec_out_insrc; 5373 idst = io->ipsec_out_indst; 5374 } else { 5375 isrc = idst = NULL; 5376 } 5377 5378 /* 5379 * Check buckets to see if there is an existing entry. If so, 5380 * grab it. sadb_checkacquire locks newbie if found. 5381 */ 5382 bucket = &(sp->sdb_acq[hashoffset]); 5383 mutex_enter(&bucket->iacqf_lock); 5384 newbie = sadb_checkacquire(bucket, ap, pp, src, dst, isrc, idst, 5385 unique_id, cr); 5386 5387 if (newbie == NULL) { 5388 /* 5389 * Otherwise, allocate a new one. 5390 */ 5391 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP); 5392 if (newbie == NULL) { 5393 mutex_exit(&bucket->iacqf_lock); 5394 ip_drop_packet(mp, B_FALSE, NULL, NULL, 5395 DROPPER(ipss, ipds_sadb_acquire_nomem), 5396 &ipss->ipsec_sadb_dropper); 5397 return; 5398 } 5399 newbie->ipsacq_policy = pp; 5400 if (pp != NULL) { 5401 IPPOL_REFHOLD(pp); 5402 } 5403 IPACT_REFHOLD(ap); 5404 newbie->ipsacq_act = ap; 5405 newbie->ipsacq_linklock = &bucket->iacqf_lock; 5406 newbie->ipsacq_next = bucket->iacqf_ipsacq; 5407 newbie->ipsacq_ptpn = &bucket->iacqf_ipsacq; 5408 if (newbie->ipsacq_next != NULL) 5409 newbie->ipsacq_next->ipsacq_ptpn = &newbie->ipsacq_next; 5410 5411 bucket->iacqf_ipsacq = newbie; 5412 mutex_init(&newbie->ipsacq_lock, NULL, MUTEX_DEFAULT, NULL); 5413 mutex_enter(&newbie->ipsacq_lock); 5414 } 5415 5416 /* 5417 * XXX MLS does it actually help us to drop the bucket lock here? 5418 * we have inserted a half-built, locked acquire record into the 5419 * bucket. any competing thread will now be able to lock the bucket 5420 * to scan it, but will immediately pile up on the new acquire 5421 * record's lock; I don't think we gain anything here other than to 5422 * disperse blame for lock contention. 5423 * 5424 * we might be able to dispense with acquire record locks entirely.. 5425 * just use the bucket locks.. 5426 */ 5427 5428 mutex_exit(&bucket->iacqf_lock); 5429 5430 /* 5431 * This assert looks silly for now, but we may need to enter newbie's 5432 * mutex during a search. 5433 */ 5434 ASSERT(MUTEX_HELD(&newbie->ipsacq_lock)); 5435 5436 mp->b_next = NULL; 5437 /* Queue up packet. Use b_next. */ 5438 if (newbie->ipsacq_numpackets == 0) { 5439 /* First one. */ 5440 newbie->ipsacq_mp = mp; 5441 newbie->ipsacq_numpackets = 1; 5442 newbie->ipsacq_expire = gethrestime_sec(); 5443 /* 5444 * Extended ACQUIRE with both AH+ESP will use ESP's timeout 5445 * value. 5446 */ 5447 newbie->ipsacq_expire += *spp->s_acquire_timeout; 5448 newbie->ipsacq_seq = seq; 5449 newbie->ipsacq_addrfam = af; 5450 5451 newbie->ipsacq_srcport = io->ipsec_out_src_port; 5452 newbie->ipsacq_dstport = io->ipsec_out_dst_port; 5453 newbie->ipsacq_icmp_type = io->ipsec_out_icmp_type; 5454 newbie->ipsacq_icmp_code = io->ipsec_out_icmp_code; 5455 if (tunnel_mode) { 5456 newbie->ipsacq_inneraddrfam = io->ipsec_out_inaf; 5457 newbie->ipsacq_proto = io->ipsec_out_inaf == AF_INET6 ? 5458 IPPROTO_IPV6 : IPPROTO_ENCAP; 5459 newbie->ipsacq_innersrcpfx = io->ipsec_out_insrcpfx; 5460 newbie->ipsacq_innerdstpfx = io->ipsec_out_indstpfx; 5461 IPSA_COPY_ADDR(newbie->ipsacq_innersrc, 5462 io->ipsec_out_insrc, io->ipsec_out_inaf); 5463 IPSA_COPY_ADDR(newbie->ipsacq_innerdst, 5464 io->ipsec_out_indst, io->ipsec_out_inaf); 5465 } else { 5466 newbie->ipsacq_proto = io->ipsec_out_proto; 5467 } 5468 newbie->ipsacq_unique_id = unique_id; 5469 5470 if (cr != NULL) { 5471 crhold(cr); 5472 newbie->ipsacq_cred = cr; 5473 } 5474 } else { 5475 /* Scan to the end of the list & insert. */ 5476 mblk_t *lastone = newbie->ipsacq_mp; 5477 5478 while (lastone->b_next != NULL) 5479 lastone = lastone->b_next; 5480 lastone->b_next = mp; 5481 if (newbie->ipsacq_numpackets++ == ipsacq_maxpackets) { 5482 newbie->ipsacq_numpackets = ipsacq_maxpackets; 5483 lastone = newbie->ipsacq_mp; 5484 newbie->ipsacq_mp = lastone->b_next; 5485 lastone->b_next = NULL; 5486 ip_drop_packet(lastone, B_FALSE, NULL, NULL, 5487 DROPPER(ipss, ipds_sadb_acquire_toofull), 5488 &ipss->ipsec_sadb_dropper); 5489 } else { 5490 IP_ACQUIRE_STAT(ipss, qhiwater, 5491 newbie->ipsacq_numpackets); 5492 } 5493 } 5494 5495 /* 5496 * Reset addresses. Set them to the most recently added mblk chain, 5497 * so that the address pointers in the acquire record will point 5498 * at an mblk still attached to the acquire list. 5499 */ 5500 5501 newbie->ipsacq_srcaddr = src; 5502 newbie->ipsacq_dstaddr = dst; 5503 5504 /* 5505 * If the acquire record has more than one queued packet, we've 5506 * already sent an ACQUIRE, and don't need to repeat ourself. 5507 */ 5508 if (newbie->ipsacq_seq != seq || newbie->ipsacq_numpackets > 1) { 5509 /* I have an acquire outstanding already! */ 5510 mutex_exit(&newbie->ipsacq_lock); 5511 return; 5512 } 5513 5514 if (!keysock_extended_reg(ns)) 5515 goto punt_extended; 5516 /* 5517 * Construct an extended ACQUIRE. There are logging 5518 * opportunities here in failure cases. 5519 */ 5520 (void) memset(&sel, 0, sizeof (sel)); 5521 sel.ips_isv4 = io->ipsec_out_v4; 5522 if (tunnel_mode) { 5523 sel.ips_protocol = (io->ipsec_out_inaf == AF_INET) ? 5524 IPPROTO_ENCAP : IPPROTO_IPV6; 5525 } else { 5526 sel.ips_protocol = io->ipsec_out_proto; 5527 sel.ips_local_port = io->ipsec_out_src_port; 5528 sel.ips_remote_port = io->ipsec_out_dst_port; 5529 } 5530 sel.ips_icmp_type = io->ipsec_out_icmp_type; 5531 sel.ips_icmp_code = io->ipsec_out_icmp_code; 5532 sel.ips_is_icmp_inv_acq = 0; 5533 if (af == AF_INET) { 5534 sel.ips_local_addr_v4 = ipha->ipha_src; 5535 sel.ips_remote_addr_v4 = ipha->ipha_dst; 5536 } else { 5537 sel.ips_local_addr_v6 = ip6h->ip6_src; 5538 sel.ips_remote_addr_v6 = ip6h->ip6_dst; 5539 } 5540 5541 extended = sadb_keysock_out(0); 5542 if (extended == NULL) 5543 goto punt_extended; 5544 5545 if (cr != NULL) { 5546 /* 5547 * XXX MLS correct condition here? 5548 * XXX MLS other credential attributes in acquire? 5549 * XXX malloc failure? don't fall back to original? 5550 */ 5551 sens = sadb_make_sens_ext(cr, &sens_len); 5552 5553 if (sens == NULL) { 5554 freeb(extended); 5555 goto punt_extended; 5556 } 5557 } 5558 5559 extended->b_cont = sadb_extended_acquire(&sel, pp, ap, tunnel_mode, 5560 seq, 0, sens, ns); 5561 5562 if (sens != NULL) 5563 kmem_free(sens, sens_len); 5564 5565 if (extended->b_cont == NULL) { 5566 freeb(extended); 5567 goto punt_extended; 5568 } 5569 5570 /* 5571 * Send an ACQUIRE message (and possible an extended ACQUIRE) based on 5572 * this new record. The send-acquire callback assumes that acqrec is 5573 * already locked. 5574 */ 5575 (*spp->s_acqfn)(newbie, extended, ns); 5576 return; 5577 5578 punt_extended: 5579 (*spp->s_acqfn)(newbie, NULL, ns); 5580 } 5581 5582 /* 5583 * Unlink and free an acquire record. 5584 */ 5585 void 5586 sadb_destroy_acquire(ipsacq_t *acqrec, netstack_t *ns) 5587 { 5588 mblk_t *mp; 5589 ipsec_stack_t *ipss = ns->netstack_ipsec; 5590 5591 ASSERT(MUTEX_HELD(acqrec->ipsacq_linklock)); 5592 5593 if (acqrec->ipsacq_policy != NULL) { 5594 IPPOL_REFRELE(acqrec->ipsacq_policy, ns); 5595 } 5596 if (acqrec->ipsacq_act != NULL) { 5597 IPACT_REFRELE(acqrec->ipsacq_act); 5598 } 5599 5600 /* Unlink */ 5601 *(acqrec->ipsacq_ptpn) = acqrec->ipsacq_next; 5602 if (acqrec->ipsacq_next != NULL) 5603 acqrec->ipsacq_next->ipsacq_ptpn = acqrec->ipsacq_ptpn; 5604 5605 if (acqrec->ipsacq_cred) { 5606 crfree(acqrec->ipsacq_cred); 5607 acqrec->ipsacq_cred = NULL; 5608 } 5609 5610 /* 5611 * Free hanging mp's. 5612 * 5613 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED. 5614 */ 5615 5616 mutex_enter(&acqrec->ipsacq_lock); 5617 while (acqrec->ipsacq_mp != NULL) { 5618 mp = acqrec->ipsacq_mp; 5619 acqrec->ipsacq_mp = mp->b_next; 5620 mp->b_next = NULL; 5621 ip_drop_packet(mp, B_FALSE, NULL, NULL, 5622 DROPPER(ipss, ipds_sadb_acquire_timeout), 5623 &ipss->ipsec_sadb_dropper); 5624 } 5625 mutex_exit(&acqrec->ipsacq_lock); 5626 5627 /* Free */ 5628 mutex_destroy(&acqrec->ipsacq_lock); 5629 kmem_free(acqrec, sizeof (*acqrec)); 5630 } 5631 5632 /* 5633 * Destroy an acquire list fanout. 5634 */ 5635 static void 5636 sadb_destroy_acqlist(iacqf_t **listp, uint_t numentries, boolean_t forever, 5637 netstack_t *ns) 5638 { 5639 int i; 5640 iacqf_t *list = *listp; 5641 5642 if (list == NULL) 5643 return; 5644 5645 for (i = 0; i < numentries; i++) { 5646 mutex_enter(&(list[i].iacqf_lock)); 5647 while (list[i].iacqf_ipsacq != NULL) 5648 sadb_destroy_acquire(list[i].iacqf_ipsacq, ns); 5649 mutex_exit(&(list[i].iacqf_lock)); 5650 if (forever) 5651 mutex_destroy(&(list[i].iacqf_lock)); 5652 } 5653 5654 if (forever) { 5655 *listp = NULL; 5656 kmem_free(list, numentries * sizeof (*list)); 5657 } 5658 } 5659 5660 /* 5661 * Create an algorithm descriptor for an extended ACQUIRE. Filter crypto 5662 * framework's view of reality vs. IPsec's. EF's wins, BTW. 5663 */ 5664 static uint8_t * 5665 sadb_new_algdesc(uint8_t *start, uint8_t *limit, 5666 sadb_x_ecomb_t *ecomb, uint8_t satype, uint8_t algtype, 5667 uint8_t alg, uint16_t minbits, uint16_t maxbits, ipsec_stack_t *ipss) 5668 { 5669 uint8_t *cur = start; 5670 ipsec_alginfo_t *algp; 5671 sadb_x_algdesc_t *algdesc = (sadb_x_algdesc_t *)cur; 5672 5673 cur += sizeof (*algdesc); 5674 if (cur >= limit) 5675 return (NULL); 5676 5677 ecomb->sadb_x_ecomb_numalgs++; 5678 5679 /* 5680 * Normalize vs. crypto framework's limits. This way, you can specify 5681 * a stronger policy, and when the framework loads a stronger version, 5682 * you can just keep plowing w/o rewhacking your SPD. 5683 */ 5684 mutex_enter(&ipss->ipsec_alg_lock); 5685 algp = ipss->ipsec_alglists[(algtype == SADB_X_ALGTYPE_AUTH) ? 5686 IPSEC_ALG_AUTH : IPSEC_ALG_ENCR][alg]; 5687 if (algp == NULL) { 5688 mutex_exit(&ipss->ipsec_alg_lock); 5689 return (NULL); /* Algorithm doesn't exist. Fail gracefully. */ 5690 } 5691 if (minbits < algp->alg_ef_minbits) 5692 minbits = algp->alg_ef_minbits; 5693 if (maxbits > algp->alg_ef_maxbits) 5694 maxbits = algp->alg_ef_maxbits; 5695 mutex_exit(&ipss->ipsec_alg_lock); 5696 5697 algdesc->sadb_x_algdesc_reserved = SADB_8TO1(algp->alg_saltlen); 5698 algdesc->sadb_x_algdesc_satype = satype; 5699 algdesc->sadb_x_algdesc_algtype = algtype; 5700 algdesc->sadb_x_algdesc_alg = alg; 5701 algdesc->sadb_x_algdesc_minbits = minbits; 5702 algdesc->sadb_x_algdesc_maxbits = maxbits; 5703 5704 return (cur); 5705 } 5706 5707 /* 5708 * Convert the given ipsec_action_t into an ecomb starting at *ecomb 5709 * which must fit before *limit 5710 * 5711 * return NULL if we ran out of room or a pointer to the end of the ecomb. 5712 */ 5713 static uint8_t * 5714 sadb_action_to_ecomb(uint8_t *start, uint8_t *limit, ipsec_action_t *act, 5715 netstack_t *ns) 5716 { 5717 uint8_t *cur = start; 5718 sadb_x_ecomb_t *ecomb = (sadb_x_ecomb_t *)cur; 5719 ipsec_prot_t *ipp; 5720 ipsec_stack_t *ipss = ns->netstack_ipsec; 5721 5722 cur += sizeof (*ecomb); 5723 if (cur >= limit) 5724 return (NULL); 5725 5726 ASSERT(act->ipa_act.ipa_type == IPSEC_ACT_APPLY); 5727 5728 ipp = &act->ipa_act.ipa_apply; 5729 5730 ecomb->sadb_x_ecomb_numalgs = 0; 5731 ecomb->sadb_x_ecomb_reserved = 0; 5732 ecomb->sadb_x_ecomb_reserved2 = 0; 5733 /* 5734 * No limits on allocations, since we really don't support that 5735 * concept currently. 5736 */ 5737 ecomb->sadb_x_ecomb_soft_allocations = 0; 5738 ecomb->sadb_x_ecomb_hard_allocations = 0; 5739 5740 /* 5741 * XXX TBD: Policy or global parameters will eventually be 5742 * able to fill in some of these. 5743 */ 5744 ecomb->sadb_x_ecomb_flags = 0; 5745 ecomb->sadb_x_ecomb_soft_bytes = 0; 5746 ecomb->sadb_x_ecomb_hard_bytes = 0; 5747 ecomb->sadb_x_ecomb_soft_addtime = 0; 5748 ecomb->sadb_x_ecomb_hard_addtime = 0; 5749 ecomb->sadb_x_ecomb_soft_usetime = 0; 5750 ecomb->sadb_x_ecomb_hard_usetime = 0; 5751 5752 if (ipp->ipp_use_ah) { 5753 cur = sadb_new_algdesc(cur, limit, ecomb, 5754 SADB_SATYPE_AH, SADB_X_ALGTYPE_AUTH, ipp->ipp_auth_alg, 5755 ipp->ipp_ah_minbits, ipp->ipp_ah_maxbits, ipss); 5756 if (cur == NULL) 5757 return (NULL); 5758 ipsecah_fill_defs(ecomb, ns); 5759 } 5760 5761 if (ipp->ipp_use_esp) { 5762 if (ipp->ipp_use_espa) { 5763 cur = sadb_new_algdesc(cur, limit, ecomb, 5764 SADB_SATYPE_ESP, SADB_X_ALGTYPE_AUTH, 5765 ipp->ipp_esp_auth_alg, 5766 ipp->ipp_espa_minbits, 5767 ipp->ipp_espa_maxbits, ipss); 5768 if (cur == NULL) 5769 return (NULL); 5770 } 5771 5772 cur = sadb_new_algdesc(cur, limit, ecomb, 5773 SADB_SATYPE_ESP, SADB_X_ALGTYPE_CRYPT, 5774 ipp->ipp_encr_alg, 5775 ipp->ipp_espe_minbits, 5776 ipp->ipp_espe_maxbits, ipss); 5777 if (cur == NULL) 5778 return (NULL); 5779 /* Fill in lifetimes if and only if AH didn't already... */ 5780 if (!ipp->ipp_use_ah) 5781 ipsecesp_fill_defs(ecomb, ns); 5782 } 5783 5784 return (cur); 5785 } 5786 5787 #include <sys/tsol/label_macro.h> /* XXX should not need this */ 5788 5789 /* 5790 * From a cred_t, construct a sensitivity label extension 5791 * 5792 * We send up a fixed-size sensitivity label bitmap, and are perhaps 5793 * overly chummy with the underlying data structures here. 5794 */ 5795 5796 /* ARGSUSED */ 5797 int 5798 sadb_sens_len_from_cred(cred_t *cr) 5799 { 5800 int baselen = sizeof (sadb_sens_t) + _C_LEN * 4; 5801 return (roundup(baselen, sizeof (uint64_t))); 5802 } 5803 5804 void 5805 sadb_sens_from_cred(sadb_sens_t *sens, int exttype, cred_t *cr, int senslen) 5806 { 5807 uint8_t *bitmap; 5808 bslabel_t *sl; 5809 ts_label_t *tsl; 5810 5811 /* LINTED */ 5812 ASSERT((_C_LEN & 1) == 0); 5813 ASSERT((senslen & 7) == 0); 5814 5815 tsl = crgetlabel(cr); 5816 sl = label2bslabel(tsl); 5817 5818 sens->sadb_sens_exttype = exttype; 5819 sens->sadb_sens_len = SADB_8TO64(senslen); 5820 5821 sens->sadb_sens_dpd = tsl->tsl_doi; 5822 sens->sadb_sens_sens_level = LCLASS(sl); 5823 sens->sadb_sens_integ_level = 0; /* TBD */ 5824 sens->sadb_sens_sens_len = _C_LEN >> 1; 5825 sens->sadb_sens_integ_len = 0; /* TBD */ 5826 sens->sadb_x_sens_flags = 0; 5827 5828 bitmap = (uint8_t *)(sens + 1); 5829 bcopy(&(((_bslabel_impl_t *)sl)->compartments), bitmap, _C_LEN * 4); 5830 } 5831 5832 static sadb_sens_t * 5833 sadb_make_sens_ext(cred_t *cr, int *len) 5834 { 5835 /* XXX allocation failure? */ 5836 int sens_len = sadb_sens_len_from_cred(cr); 5837 5838 sadb_sens_t *sens = kmem_alloc(sens_len, KM_SLEEP); 5839 5840 sadb_sens_from_cred(sens, SADB_EXT_SENSITIVITY, cr, sens_len); 5841 5842 *len = sens_len; 5843 5844 return (sens); 5845 } 5846 5847 /* 5848 * Okay, how do we report errors/invalid labels from this? 5849 * With a special designated "not a label" cred_t ? 5850 */ 5851 /* ARGSUSED */ 5852 cred_t * 5853 sadb_cred_from_sens(sadb_sens_t *sens, uint64_t *bitmap) 5854 { 5855 int bitmap_len = SADB_64TO8(sens->sadb_sens_sens_len); 5856 bslabel_t sl; 5857 cred_t *cr; 5858 5859 if (sens->sadb_sens_integ_level != 0) 5860 return (NULL); 5861 if (sens->sadb_sens_integ_len != 0) 5862 return (NULL); 5863 if (bitmap_len > _C_LEN * 4) 5864 return (NULL); 5865 5866 bsllow(&sl); 5867 LCLASS_SET((_bslabel_impl_t *)&sl, sens->sadb_sens_sens_level); 5868 bcopy(bitmap, &((_bslabel_impl_t *)&sl)->compartments, 5869 bitmap_len); 5870 5871 cr = newcred_from_bslabel(&sl, sens->sadb_sens_dpd, KM_NOSLEEP); 5872 if (cr == NULL) 5873 return (cr); 5874 5875 if (sens->sadb_x_sens_flags & SADB_X_SENS_UNLABELED) 5876 crgetlabel(cr)->tsl_flags |= TSLF_UNLABELED; 5877 return (cr); 5878 } 5879 5880 /* End XXX label-library-leakage */ 5881 5882 /* 5883 * Construct an extended ACQUIRE message based on a selector and the resulting 5884 * IPsec action. 5885 * 5886 * NOTE: This is used by both inverse ACQUIRE and actual ACQUIRE 5887 * generation. As a consequence, expect this function to evolve 5888 * rapidly. 5889 */ 5890 static mblk_t * 5891 sadb_extended_acquire(ipsec_selector_t *sel, ipsec_policy_t *pol, 5892 ipsec_action_t *act, boolean_t tunnel_mode, uint32_t seq, uint32_t pid, 5893 sadb_sens_t *sens, netstack_t *ns) 5894 { 5895 mblk_t *mp; 5896 sadb_msg_t *samsg; 5897 uint8_t *start, *cur, *end; 5898 uint32_t *saddrptr, *daddrptr; 5899 sa_family_t af; 5900 sadb_prop_t *eprop; 5901 ipsec_action_t *ap, *an; 5902 ipsec_selkey_t *ipsl; 5903 uint8_t proto, pfxlen; 5904 uint16_t lport, rport; 5905 uint32_t kmp, kmc; 5906 5907 /* 5908 * Find the action we want sooner rather than later.. 5909 */ 5910 an = NULL; 5911 if (pol == NULL) { 5912 ap = act; 5913 } else { 5914 ap = pol->ipsp_act; 5915 5916 if (ap != NULL) 5917 an = ap->ipa_next; 5918 } 5919 5920 /* 5921 * Just take a swag for the allocation for now. We can always 5922 * alter it later. 5923 */ 5924 #define SADB_EXTENDED_ACQUIRE_SIZE 4096 5925 mp = allocb(SADB_EXTENDED_ACQUIRE_SIZE, BPRI_HI); 5926 if (mp == NULL) 5927 return (NULL); 5928 5929 start = mp->b_rptr; 5930 end = start + SADB_EXTENDED_ACQUIRE_SIZE; 5931 5932 cur = start; 5933 5934 samsg = (sadb_msg_t *)cur; 5935 cur += sizeof (*samsg); 5936 5937 samsg->sadb_msg_version = PF_KEY_V2; 5938 samsg->sadb_msg_type = SADB_ACQUIRE; 5939 samsg->sadb_msg_errno = 0; 5940 samsg->sadb_msg_reserved = 0; 5941 samsg->sadb_msg_satype = 0; 5942 samsg->sadb_msg_seq = seq; 5943 samsg->sadb_msg_pid = pid; 5944 5945 if (tunnel_mode) { 5946 /* 5947 * Form inner address extensions based NOT on the inner 5948 * selectors (i.e. the packet data), but on the policy's 5949 * selector key (i.e. the policy's selector information). 5950 * 5951 * NOTE: The position of IPv4 and IPv6 addresses is the 5952 * same in ipsec_selkey_t (unless the compiler does very 5953 * strange things with unions, consult your local C language 5954 * lawyer for details). 5955 */ 5956 ASSERT(pol != NULL); 5957 5958 ipsl = &(pol->ipsp_sel->ipsl_key); 5959 if (ipsl->ipsl_valid & IPSL_IPV4) { 5960 af = AF_INET; 5961 ASSERT(sel->ips_protocol == IPPROTO_ENCAP); 5962 ASSERT(!(ipsl->ipsl_valid & IPSL_IPV6)); 5963 } else { 5964 af = AF_INET6; 5965 ASSERT(sel->ips_protocol == IPPROTO_IPV6); 5966 ASSERT(ipsl->ipsl_valid & IPSL_IPV6); 5967 } 5968 5969 if (ipsl->ipsl_valid & IPSL_LOCAL_ADDR) { 5970 saddrptr = (uint32_t *)(&ipsl->ipsl_local); 5971 pfxlen = ipsl->ipsl_local_pfxlen; 5972 } else { 5973 saddrptr = (uint32_t *)(&ipv6_all_zeros); 5974 pfxlen = 0; 5975 } 5976 /* XXX What about ICMP type/code? */ 5977 lport = (ipsl->ipsl_valid & IPSL_LOCAL_PORT) ? 5978 ipsl->ipsl_lport : 0; 5979 proto = (ipsl->ipsl_valid & IPSL_PROTOCOL) ? 5980 ipsl->ipsl_proto : 0; 5981 5982 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 5983 af, saddrptr, lport, proto, pfxlen); 5984 if (cur == NULL) { 5985 freeb(mp); 5986 return (NULL); 5987 } 5988 5989 if (ipsl->ipsl_valid & IPSL_REMOTE_ADDR) { 5990 daddrptr = (uint32_t *)(&ipsl->ipsl_remote); 5991 pfxlen = ipsl->ipsl_remote_pfxlen; 5992 } else { 5993 daddrptr = (uint32_t *)(&ipv6_all_zeros); 5994 pfxlen = 0; 5995 } 5996 /* XXX What about ICMP type/code? */ 5997 rport = (ipsl->ipsl_valid & IPSL_REMOTE_PORT) ? 5998 ipsl->ipsl_rport : 0; 5999 6000 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 6001 af, daddrptr, rport, proto, pfxlen); 6002 if (cur == NULL) { 6003 freeb(mp); 6004 return (NULL); 6005 } 6006 /* 6007 * TODO - if we go to 3408's dream of transport mode IP-in-IP 6008 * _with_ inner-packet address selectors, we'll need to further 6009 * distinguish tunnel mode here. For now, having inner 6010 * addresses and/or ports is sufficient. 6011 * 6012 * Meanwhile, whack proto/ports to reflect IP-in-IP for the 6013 * outer addresses. 6014 */ 6015 proto = sel->ips_protocol; /* Either _ENCAP or _IPV6 */ 6016 lport = rport = 0; 6017 } else if ((ap != NULL) && (!ap->ipa_want_unique)) { 6018 proto = 0; 6019 lport = 0; 6020 rport = 0; 6021 if (pol != NULL) { 6022 ipsl = &(pol->ipsp_sel->ipsl_key); 6023 if (ipsl->ipsl_valid & IPSL_PROTOCOL) 6024 proto = ipsl->ipsl_proto; 6025 if (ipsl->ipsl_valid & IPSL_REMOTE_PORT) 6026 rport = ipsl->ipsl_rport; 6027 if (ipsl->ipsl_valid & IPSL_LOCAL_PORT) 6028 lport = ipsl->ipsl_lport; 6029 } 6030 } else { 6031 proto = sel->ips_protocol; 6032 lport = sel->ips_local_port; 6033 rport = sel->ips_remote_port; 6034 } 6035 6036 af = sel->ips_isv4 ? AF_INET : AF_INET6; 6037 6038 /* 6039 * NOTE: The position of IPv4 and IPv6 addresses is the same in 6040 * ipsec_selector_t. 6041 */ 6042 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 6043 (uint32_t *)(&sel->ips_local_addr_v6), lport, proto, 0); 6044 6045 if (cur == NULL) { 6046 freeb(mp); 6047 return (NULL); 6048 } 6049 6050 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 6051 (uint32_t *)(&sel->ips_remote_addr_v6), rport, proto, 0); 6052 6053 if (cur == NULL) { 6054 freeb(mp); 6055 return (NULL); 6056 } 6057 6058 if (sens != NULL) { 6059 uint8_t *sensext = cur; 6060 int senslen = SADB_64TO8(sens->sadb_sens_len); 6061 6062 cur += senslen; 6063 if (cur > end) { 6064 freeb(mp); 6065 return (NULL); 6066 } 6067 bcopy(sens, sensext, senslen); 6068 } 6069 6070 /* 6071 * This section will change a lot as policy evolves. 6072 * For now, it'll be relatively simple. 6073 */ 6074 eprop = (sadb_prop_t *)cur; 6075 cur += sizeof (*eprop); 6076 if (cur > end) { 6077 /* no space left */ 6078 freeb(mp); 6079 return (NULL); 6080 } 6081 6082 eprop->sadb_prop_exttype = SADB_X_EXT_EPROP; 6083 eprop->sadb_x_prop_ereserved = 0; 6084 eprop->sadb_x_prop_numecombs = 0; 6085 eprop->sadb_prop_replay = 32; /* default */ 6086 6087 kmc = kmp = 0; 6088 6089 for (; ap != NULL; ap = an) { 6090 an = (pol != NULL) ? ap->ipa_next : NULL; 6091 6092 /* 6093 * Skip non-IPsec policies 6094 */ 6095 if (ap->ipa_act.ipa_type != IPSEC_ACT_APPLY) 6096 continue; 6097 6098 if (ap->ipa_act.ipa_apply.ipp_km_proto) 6099 kmp = ap->ipa_act.ipa_apply.ipp_km_proto; 6100 if (ap->ipa_act.ipa_apply.ipp_km_cookie) 6101 kmc = ap->ipa_act.ipa_apply.ipp_km_cookie; 6102 if (ap->ipa_act.ipa_apply.ipp_replay_depth) { 6103 eprop->sadb_prop_replay = 6104 ap->ipa_act.ipa_apply.ipp_replay_depth; 6105 } 6106 6107 cur = sadb_action_to_ecomb(cur, end, ap, ns); 6108 if (cur == NULL) { /* no space */ 6109 freeb(mp); 6110 return (NULL); 6111 } 6112 eprop->sadb_x_prop_numecombs++; 6113 } 6114 6115 if (eprop->sadb_x_prop_numecombs == 0) { 6116 /* 6117 * This will happen if we fail to find a policy 6118 * allowing for IPsec processing. 6119 * Construct an error message. 6120 */ 6121 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 6122 samsg->sadb_msg_errno = ENOENT; 6123 samsg->sadb_x_msg_diagnostic = 0; 6124 return (mp); 6125 } 6126 6127 if ((kmp != 0) || (kmc != 0)) { 6128 cur = sadb_make_kmc_ext(cur, end, kmp, kmc); 6129 if (cur == NULL) { 6130 freeb(mp); 6131 return (NULL); 6132 } 6133 } 6134 6135 eprop->sadb_prop_len = SADB_8TO64(cur - (uint8_t *)eprop); 6136 samsg->sadb_msg_len = SADB_8TO64(cur - start); 6137 mp->b_wptr = cur; 6138 6139 return (mp); 6140 } 6141 6142 /* 6143 * Generic setup of an RFC 2367 ACQUIRE message. Caller sets satype. 6144 * 6145 * NOTE: This function acquires alg_lock as a side-effect if-and-only-if we 6146 * succeed (i.e. return non-NULL). Caller MUST release it. This is to 6147 * maximize code consolidation while preventing algorithm changes from messing 6148 * with the callers finishing touches on the ACQUIRE itself. 6149 */ 6150 mblk_t * 6151 sadb_setup_acquire(ipsacq_t *acqrec, uint8_t satype, ipsec_stack_t *ipss) 6152 { 6153 uint_t allocsize; 6154 mblk_t *pfkeymp, *msgmp; 6155 sa_family_t af; 6156 uint8_t *cur, *end; 6157 sadb_msg_t *samsg; 6158 uint16_t sport_typecode; 6159 uint16_t dport_typecode; 6160 uint8_t check_proto; 6161 boolean_t tunnel_mode = (acqrec->ipsacq_inneraddrfam != 0); 6162 6163 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock)); 6164 6165 pfkeymp = sadb_keysock_out(0); 6166 if (pfkeymp == NULL) 6167 return (NULL); 6168 6169 /* 6170 * First, allocate a basic ACQUIRE message 6171 */ 6172 allocsize = sizeof (sadb_msg_t) + sizeof (sadb_address_t) + 6173 sizeof (sadb_address_t) + sizeof (sadb_prop_t); 6174 6175 /* Make sure there's enough to cover both AF_INET and AF_INET6. */ 6176 allocsize += 2 * sizeof (struct sockaddr_in6); 6177 6178 mutex_enter(&ipss->ipsec_alg_lock); 6179 /* NOTE: The lock is now held through to this function's return. */ 6180 allocsize += ipss->ipsec_nalgs[IPSEC_ALG_AUTH] * 6181 ipss->ipsec_nalgs[IPSEC_ALG_ENCR] * sizeof (sadb_comb_t); 6182 6183 if (tunnel_mode) { 6184 /* Tunnel mode! */ 6185 allocsize += 2 * sizeof (sadb_address_t); 6186 /* Enough to cover both AF_INET and AF_INET6. */ 6187 allocsize += 2 * sizeof (struct sockaddr_in6); 6188 } 6189 6190 msgmp = allocb(allocsize, BPRI_HI); 6191 if (msgmp == NULL) { 6192 freeb(pfkeymp); 6193 mutex_exit(&ipss->ipsec_alg_lock); 6194 return (NULL); 6195 } 6196 6197 pfkeymp->b_cont = msgmp; 6198 cur = msgmp->b_rptr; 6199 end = cur + allocsize; 6200 samsg = (sadb_msg_t *)cur; 6201 cur += sizeof (sadb_msg_t); 6202 6203 af = acqrec->ipsacq_addrfam; 6204 switch (af) { 6205 case AF_INET: 6206 check_proto = IPPROTO_ICMP; 6207 break; 6208 case AF_INET6: 6209 check_proto = IPPROTO_ICMPV6; 6210 break; 6211 default: 6212 /* This should never happen unless we have kernel bugs. */ 6213 cmn_err(CE_WARN, 6214 "sadb_setup_acquire: corrupt ACQUIRE record.\n"); 6215 ASSERT(0); 6216 mutex_exit(&ipss->ipsec_alg_lock); 6217 return (NULL); 6218 } 6219 6220 samsg->sadb_msg_version = PF_KEY_V2; 6221 samsg->sadb_msg_type = SADB_ACQUIRE; 6222 samsg->sadb_msg_satype = satype; 6223 samsg->sadb_msg_errno = 0; 6224 samsg->sadb_msg_pid = 0; 6225 samsg->sadb_msg_reserved = 0; 6226 samsg->sadb_msg_seq = acqrec->ipsacq_seq; 6227 6228 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock)); 6229 6230 if ((acqrec->ipsacq_proto == check_proto) || tunnel_mode) { 6231 sport_typecode = dport_typecode = 0; 6232 } else { 6233 sport_typecode = acqrec->ipsacq_srcport; 6234 dport_typecode = acqrec->ipsacq_dstport; 6235 } 6236 6237 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 6238 acqrec->ipsacq_srcaddr, sport_typecode, acqrec->ipsacq_proto, 0); 6239 6240 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 6241 acqrec->ipsacq_dstaddr, dport_typecode, acqrec->ipsacq_proto, 0); 6242 6243 if (tunnel_mode) { 6244 sport_typecode = acqrec->ipsacq_srcport; 6245 dport_typecode = acqrec->ipsacq_dstport; 6246 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 6247 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innersrc, 6248 sport_typecode, acqrec->ipsacq_inner_proto, 6249 acqrec->ipsacq_innersrcpfx); 6250 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 6251 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innerdst, 6252 dport_typecode, acqrec->ipsacq_inner_proto, 6253 acqrec->ipsacq_innerdstpfx); 6254 } 6255 6256 /* XXX Insert identity information here. */ 6257 6258 /* XXXMLS Insert sensitivity information here. */ 6259 6260 if (cur != NULL) 6261 samsg->sadb_msg_len = SADB_8TO64(cur - msgmp->b_rptr); 6262 else 6263 mutex_exit(&ipss->ipsec_alg_lock); 6264 6265 return (pfkeymp); 6266 } 6267 6268 /* 6269 * Given an SADB_GETSPI message, find an appropriately ranged SA and 6270 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1. 6271 * If there was a memory allocation error, return NULL. (Assume NULL != 6272 * (ipsa_t *)-1). 6273 * 6274 * master_spi is passed in host order. 6275 */ 6276 ipsa_t * 6277 sadb_getspi(keysock_in_t *ksi, uint32_t master_spi, int *diagnostic, 6278 netstack_t *ns, uint_t sa_type) 6279 { 6280 sadb_address_t *src = 6281 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC], 6282 *dst = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 6283 sadb_spirange_t *range = 6284 (sadb_spirange_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE]; 6285 struct sockaddr_in *ssa, *dsa; 6286 struct sockaddr_in6 *ssa6, *dsa6; 6287 uint32_t *srcaddr, *dstaddr; 6288 sa_family_t af; 6289 uint32_t add, min, max; 6290 uint8_t protocol = 6291 (sa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP; 6292 6293 if (src == NULL) { 6294 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 6295 return ((ipsa_t *)-1); 6296 } 6297 if (dst == NULL) { 6298 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 6299 return ((ipsa_t *)-1); 6300 } 6301 if (range == NULL) { 6302 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_RANGE; 6303 return ((ipsa_t *)-1); 6304 } 6305 6306 min = ntohl(range->sadb_spirange_min); 6307 max = ntohl(range->sadb_spirange_max); 6308 dsa = (struct sockaddr_in *)(dst + 1); 6309 dsa6 = (struct sockaddr_in6 *)dsa; 6310 6311 ssa = (struct sockaddr_in *)(src + 1); 6312 ssa6 = (struct sockaddr_in6 *)ssa; 6313 ASSERT(dsa->sin_family == ssa->sin_family); 6314 6315 srcaddr = ALL_ZEROES_PTR; 6316 af = dsa->sin_family; 6317 switch (af) { 6318 case AF_INET: 6319 if (src != NULL) 6320 srcaddr = (uint32_t *)(&ssa->sin_addr); 6321 dstaddr = (uint32_t *)(&dsa->sin_addr); 6322 break; 6323 case AF_INET6: 6324 if (src != NULL) 6325 srcaddr = (uint32_t *)(&ssa6->sin6_addr); 6326 dstaddr = (uint32_t *)(&dsa6->sin6_addr); 6327 break; 6328 default: 6329 *diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 6330 return ((ipsa_t *)-1); 6331 } 6332 6333 if (master_spi < min || master_spi > max) { 6334 /* Return a random value in the range. */ 6335 if (cl_inet_getspi) { 6336 cl_inet_getspi(ns->netstack_stackid, protocol, 6337 (uint8_t *)&add, sizeof (add), NULL); 6338 } else { 6339 (void) random_get_pseudo_bytes((uint8_t *)&add, 6340 sizeof (add)); 6341 } 6342 master_spi = min + (add % (max - min + 1)); 6343 } 6344 6345 /* 6346 * Since master_spi is passed in host order, we need to htonl() it 6347 * for the purposes of creating a new SA. 6348 */ 6349 return (sadb_makelarvalassoc(htonl(master_spi), srcaddr, dstaddr, af, 6350 ns)); 6351 } 6352 6353 /* 6354 * 6355 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the 6356 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list 6357 * and scan for the sequence number in question. I may wish to accept an 6358 * address pair with it, for easier searching. 6359 * 6360 * Caller frees the message, so we don't have to here. 6361 * 6362 * NOTE: The ip_q parameter may be used in the future for ACQUIRE 6363 * failures. 6364 */ 6365 /* ARGSUSED */ 6366 void 6367 sadb_in_acquire(sadb_msg_t *samsg, sadbp_t *sp, queue_t *ip_q, netstack_t *ns) 6368 { 6369 int i; 6370 ipsacq_t *acqrec; 6371 iacqf_t *bucket; 6372 6373 /* 6374 * I only accept the base header for this! 6375 * Though to be honest, requiring the dst address would help 6376 * immensely. 6377 * 6378 * XXX There are already cases where I can get the dst address. 6379 */ 6380 if (samsg->sadb_msg_len > SADB_8TO64(sizeof (*samsg))) 6381 return; 6382 6383 /* 6384 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it, 6385 * (and in the future send a message to IP with the appropriate error 6386 * number). 6387 * 6388 * Q: Do I want to reject if pid != 0? 6389 */ 6390 6391 for (i = 0; i < sp->s_v4.sdb_hashsize; i++) { 6392 bucket = &sp->s_v4.sdb_acq[i]; 6393 mutex_enter(&bucket->iacqf_lock); 6394 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 6395 acqrec = acqrec->ipsacq_next) { 6396 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 6397 break; /* for acqrec... loop. */ 6398 } 6399 if (acqrec != NULL) 6400 break; /* for i = 0... loop. */ 6401 6402 mutex_exit(&bucket->iacqf_lock); 6403 } 6404 6405 if (acqrec == NULL) { 6406 for (i = 0; i < sp->s_v6.sdb_hashsize; i++) { 6407 bucket = &sp->s_v6.sdb_acq[i]; 6408 mutex_enter(&bucket->iacqf_lock); 6409 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 6410 acqrec = acqrec->ipsacq_next) { 6411 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 6412 break; /* for acqrec... loop. */ 6413 } 6414 if (acqrec != NULL) 6415 break; /* for i = 0... loop. */ 6416 6417 mutex_exit(&bucket->iacqf_lock); 6418 } 6419 } 6420 6421 6422 if (acqrec == NULL) 6423 return; 6424 6425 /* 6426 * What do I do with the errno and IP? I may need mp's services a 6427 * little more. See sadb_destroy_acquire() for future directions 6428 * beyond free the mblk chain on the acquire record. 6429 */ 6430 6431 ASSERT(&bucket->iacqf_lock == acqrec->ipsacq_linklock); 6432 sadb_destroy_acquire(acqrec, ns); 6433 /* Have to exit mutex here, because of breaking out of for loop. */ 6434 mutex_exit(&bucket->iacqf_lock); 6435 } 6436 6437 /* 6438 * The following functions work with the replay windows of an SA. They assume 6439 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector 6440 * represents the highest sequence number packet received, and back 6441 * (ipsa->ipsa_replay_wsize) packets. 6442 */ 6443 6444 /* 6445 * Is the replay bit set? 6446 */ 6447 static boolean_t 6448 ipsa_is_replay_set(ipsa_t *ipsa, uint32_t offset) 6449 { 6450 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 6451 6452 return ((bit & ipsa->ipsa_replay_arr[offset >> 6]) ? B_TRUE : B_FALSE); 6453 } 6454 6455 /* 6456 * Shift the bits of the replay window over. 6457 */ 6458 static void 6459 ipsa_shift_replay(ipsa_t *ipsa, uint32_t shift) 6460 { 6461 int i; 6462 int jump = ((shift - 1) >> 6) + 1; 6463 6464 if (shift == 0) 6465 return; 6466 6467 for (i = (ipsa->ipsa_replay_wsize - 1) >> 6; i >= 0; i--) { 6468 if (i + jump <= (ipsa->ipsa_replay_wsize - 1) >> 6) { 6469 ipsa->ipsa_replay_arr[i + jump] |= 6470 ipsa->ipsa_replay_arr[i] >> (64 - (shift & 63)); 6471 } 6472 ipsa->ipsa_replay_arr[i] <<= shift; 6473 } 6474 } 6475 6476 /* 6477 * Set a bit in the bit vector. 6478 */ 6479 static void 6480 ipsa_set_replay(ipsa_t *ipsa, uint32_t offset) 6481 { 6482 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 6483 6484 ipsa->ipsa_replay_arr[offset >> 6] |= bit; 6485 } 6486 6487 #define SADB_MAX_REPLAY_VALUE 0xffffffff 6488 6489 /* 6490 * Assume caller has NOT done ntohl() already on seq. Check to see 6491 * if replay sequence number "seq" has been seen already. 6492 */ 6493 boolean_t 6494 sadb_replay_check(ipsa_t *ipsa, uint32_t seq) 6495 { 6496 boolean_t rc; 6497 uint32_t diff; 6498 6499 if (ipsa->ipsa_replay_wsize == 0) 6500 return (B_TRUE); 6501 6502 /* 6503 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek(). 6504 */ 6505 6506 /* Convert sequence number into host order before holding the mutex. */ 6507 seq = ntohl(seq); 6508 6509 mutex_enter(&ipsa->ipsa_lock); 6510 6511 /* Initialize inbound SA's ipsa_replay field to last one received. */ 6512 if (ipsa->ipsa_replay == 0) 6513 ipsa->ipsa_replay = 1; 6514 6515 if (seq > ipsa->ipsa_replay) { 6516 /* 6517 * I have received a new "highest value received". Shift 6518 * the replay window over. 6519 */ 6520 diff = seq - ipsa->ipsa_replay; 6521 if (diff < ipsa->ipsa_replay_wsize) { 6522 /* In replay window, shift bits over. */ 6523 ipsa_shift_replay(ipsa, diff); 6524 } else { 6525 /* WAY FAR AHEAD, clear bits and start again. */ 6526 bzero(ipsa->ipsa_replay_arr, 6527 sizeof (ipsa->ipsa_replay_arr)); 6528 } 6529 ipsa_set_replay(ipsa, 0); 6530 ipsa->ipsa_replay = seq; 6531 rc = B_TRUE; 6532 goto done; 6533 } 6534 diff = ipsa->ipsa_replay - seq; 6535 if (diff >= ipsa->ipsa_replay_wsize || ipsa_is_replay_set(ipsa, diff)) { 6536 rc = B_FALSE; 6537 goto done; 6538 } 6539 /* Set this packet as seen. */ 6540 ipsa_set_replay(ipsa, diff); 6541 6542 rc = B_TRUE; 6543 done: 6544 mutex_exit(&ipsa->ipsa_lock); 6545 return (rc); 6546 } 6547 6548 /* 6549 * "Peek" and see if we should even bother going through the effort of 6550 * running an authentication check on the sequence number passed in. 6551 * this takes into account packets that are below the replay window, 6552 * and collisions with already replayed packets. Return B_TRUE if it 6553 * is okay to proceed, B_FALSE if this packet should be dropped immediately. 6554 * Assume same byte-ordering as sadb_replay_check. 6555 */ 6556 boolean_t 6557 sadb_replay_peek(ipsa_t *ipsa, uint32_t seq) 6558 { 6559 boolean_t rc = B_FALSE; 6560 uint32_t diff; 6561 6562 if (ipsa->ipsa_replay_wsize == 0) 6563 return (B_TRUE); 6564 6565 /* 6566 * 0 is 0, regardless of byte order... :) 6567 * 6568 * If I get 0 on the wire (and there is a replay window) then the 6569 * sender most likely wrapped. This ipsa may need to be marked or 6570 * something. 6571 */ 6572 if (seq == 0) 6573 return (B_FALSE); 6574 6575 seq = ntohl(seq); 6576 mutex_enter(&ipsa->ipsa_lock); 6577 if (seq < ipsa->ipsa_replay - ipsa->ipsa_replay_wsize && 6578 ipsa->ipsa_replay >= ipsa->ipsa_replay_wsize) 6579 goto done; 6580 6581 /* 6582 * If I've hit 0xffffffff, then quite honestly, I don't need to 6583 * bother with formalities. I'm not accepting any more packets 6584 * on this SA. 6585 */ 6586 if (ipsa->ipsa_replay == SADB_MAX_REPLAY_VALUE) { 6587 /* 6588 * Since we're already holding the lock, update the 6589 * expire time ala. sadb_replay_delete() and return. 6590 */ 6591 ipsa->ipsa_hardexpiretime = (time_t)1; 6592 goto done; 6593 } 6594 6595 if (seq <= ipsa->ipsa_replay) { 6596 /* 6597 * This seq is in the replay window. I'm not below it, 6598 * because I already checked for that above! 6599 */ 6600 diff = ipsa->ipsa_replay - seq; 6601 if (ipsa_is_replay_set(ipsa, diff)) 6602 goto done; 6603 } 6604 /* Else return B_TRUE, I'm going to advance the window. */ 6605 6606 rc = B_TRUE; 6607 done: 6608 mutex_exit(&ipsa->ipsa_lock); 6609 return (rc); 6610 } 6611 6612 /* 6613 * Delete a single SA. 6614 * 6615 * For now, use the quick-and-dirty trick of making the association's 6616 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager(). 6617 */ 6618 void 6619 sadb_replay_delete(ipsa_t *assoc) 6620 { 6621 mutex_enter(&assoc->ipsa_lock); 6622 assoc->ipsa_hardexpiretime = (time_t)1; 6623 mutex_exit(&assoc->ipsa_lock); 6624 } 6625 6626 /* 6627 * Given a queue that presumably points to IP, send a T_BIND_REQ for _proto_ 6628 * down. The caller will handle the T_BIND_ACK locally. 6629 */ 6630 boolean_t 6631 sadb_t_bind_req(queue_t *q, int proto) 6632 { 6633 struct T_bind_req *tbr; 6634 mblk_t *mp; 6635 6636 mp = allocb_cred(sizeof (struct T_bind_req) + 1, kcred, NOPID); 6637 if (mp == NULL) { 6638 /* cmn_err(CE_WARN, */ 6639 /* "sadb_t_bind_req(%d): couldn't allocate mblk\n", proto); */ 6640 return (B_FALSE); 6641 } 6642 mp->b_datap->db_type = M_PCPROTO; 6643 tbr = (struct T_bind_req *)mp->b_rptr; 6644 mp->b_wptr += sizeof (struct T_bind_req); 6645 tbr->PRIM_type = T_BIND_REQ; 6646 tbr->ADDR_length = 0; 6647 tbr->ADDR_offset = 0; 6648 tbr->CONIND_number = 0; 6649 *mp->b_wptr = (uint8_t)proto; 6650 mp->b_wptr++; 6651 6652 putnext(q, mp); 6653 return (B_TRUE); 6654 } 6655 6656 /* 6657 * Special front-end to ipsec_rl_strlog() dealing with SA failure. 6658 * this is designed to take only a format string with "* %x * %s *", so 6659 * that "spi" is printed first, then "addr" is converted using inet_pton(). 6660 * 6661 * This is abstracted out to save the stack space for only when inet_pton() 6662 * is called. Make sure "spi" is in network order; it usually is when this 6663 * would get called. 6664 */ 6665 void 6666 ipsec_assocfailure(short mid, short sid, char level, ushort_t sl, char *fmt, 6667 uint32_t spi, void *addr, int af, netstack_t *ns) 6668 { 6669 char buf[INET6_ADDRSTRLEN]; 6670 6671 ASSERT(af == AF_INET6 || af == AF_INET); 6672 6673 ipsec_rl_strlog(ns, mid, sid, level, sl, fmt, ntohl(spi), 6674 inet_ntop(af, addr, buf, sizeof (buf))); 6675 } 6676 6677 /* 6678 * Fills in a reference to the policy, if any, from the conn, in *ppp 6679 * Releases a reference to the passed conn_t. 6680 */ 6681 static void 6682 ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp) 6683 { 6684 ipsec_policy_t *pp; 6685 ipsec_latch_t *ipl = connp->conn_latch; 6686 6687 if ((ipl != NULL) && (ipl->ipl_out_policy != NULL)) { 6688 pp = ipl->ipl_out_policy; 6689 IPPOL_REFHOLD(pp); 6690 } else { 6691 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel, 6692 connp->conn_netstack); 6693 } 6694 *ppp = pp; 6695 CONN_DEC_REF(connp); 6696 } 6697 6698 /* 6699 * The following functions scan through active conn_t structures 6700 * and return a reference to the best-matching policy it can find. 6701 * Caller must release the reference. 6702 */ 6703 static void 6704 ipsec_udp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) 6705 { 6706 connf_t *connfp; 6707 conn_t *connp = NULL; 6708 ipsec_selector_t portonly; 6709 6710 bzero((void *)&portonly, sizeof (portonly)); 6711 6712 if (sel->ips_local_port == 0) 6713 return; 6714 6715 connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(sel->ips_local_port, 6716 ipst)]; 6717 mutex_enter(&connfp->connf_lock); 6718 6719 if (sel->ips_isv4) { 6720 connp = connfp->connf_head; 6721 while (connp != NULL) { 6722 if (IPCL_UDP_MATCH(connp, sel->ips_local_port, 6723 sel->ips_local_addr_v4, sel->ips_remote_port, 6724 sel->ips_remote_addr_v4)) 6725 break; 6726 connp = connp->conn_next; 6727 } 6728 6729 if (connp == NULL) { 6730 /* Try port-only match in IPv6. */ 6731 portonly.ips_local_port = sel->ips_local_port; 6732 sel = &portonly; 6733 } 6734 } 6735 6736 if (connp == NULL) { 6737 connp = connfp->connf_head; 6738 while (connp != NULL) { 6739 if (IPCL_UDP_MATCH_V6(connp, sel->ips_local_port, 6740 sel->ips_local_addr_v6, sel->ips_remote_port, 6741 sel->ips_remote_addr_v6)) 6742 break; 6743 connp = connp->conn_next; 6744 } 6745 6746 if (connp == NULL) { 6747 mutex_exit(&connfp->connf_lock); 6748 return; 6749 } 6750 } 6751 6752 CONN_INC_REF(connp); 6753 mutex_exit(&connfp->connf_lock); 6754 6755 ipsec_conn_pol(sel, connp, ppp); 6756 } 6757 6758 static conn_t * 6759 ipsec_find_listen_conn(uint16_t *pptr, ipsec_selector_t *sel, ip_stack_t *ipst) 6760 { 6761 connf_t *connfp; 6762 conn_t *connp = NULL; 6763 const in6_addr_t *v6addrmatch = &sel->ips_local_addr_v6; 6764 6765 if (sel->ips_local_port == 0) 6766 return (NULL); 6767 6768 connfp = &ipst->ips_ipcl_bind_fanout[ 6769 IPCL_BIND_HASH(sel->ips_local_port, ipst)]; 6770 mutex_enter(&connfp->connf_lock); 6771 6772 if (sel->ips_isv4) { 6773 connp = connfp->connf_head; 6774 while (connp != NULL) { 6775 if (IPCL_BIND_MATCH(connp, IPPROTO_TCP, 6776 sel->ips_local_addr_v4, pptr[1])) 6777 break; 6778 connp = connp->conn_next; 6779 } 6780 6781 if (connp == NULL) { 6782 /* Match to all-zeroes. */ 6783 v6addrmatch = &ipv6_all_zeros; 6784 } 6785 } 6786 6787 if (connp == NULL) { 6788 connp = connfp->connf_head; 6789 while (connp != NULL) { 6790 if (IPCL_BIND_MATCH_V6(connp, IPPROTO_TCP, 6791 *v6addrmatch, pptr[1])) 6792 break; 6793 connp = connp->conn_next; 6794 } 6795 6796 if (connp == NULL) { 6797 mutex_exit(&connfp->connf_lock); 6798 return (NULL); 6799 } 6800 } 6801 6802 CONN_INC_REF(connp); 6803 mutex_exit(&connfp->connf_lock); 6804 return (connp); 6805 } 6806 6807 static void 6808 ipsec_tcp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) 6809 { 6810 connf_t *connfp; 6811 conn_t *connp; 6812 uint32_t ports; 6813 uint16_t *pptr = (uint16_t *)&ports; 6814 6815 /* 6816 * Find TCP state in the following order: 6817 * 1.) Connected conns. 6818 * 2.) Listeners. 6819 * 6820 * Even though #2 will be the common case for inbound traffic, only 6821 * following this order insures correctness. 6822 */ 6823 6824 if (sel->ips_local_port == 0) 6825 return; 6826 6827 /* 6828 * 0 should be fport, 1 should be lport. SRC is the local one here. 6829 * See ipsec_construct_inverse_acquire() for details. 6830 */ 6831 pptr[0] = sel->ips_remote_port; 6832 pptr[1] = sel->ips_local_port; 6833 6834 connfp = &ipst->ips_ipcl_conn_fanout[ 6835 IPCL_CONN_HASH(sel->ips_remote_addr_v4, ports, ipst)]; 6836 mutex_enter(&connfp->connf_lock); 6837 connp = connfp->connf_head; 6838 6839 if (sel->ips_isv4) { 6840 while (connp != NULL) { 6841 if (IPCL_CONN_MATCH(connp, IPPROTO_TCP, 6842 sel->ips_remote_addr_v4, sel->ips_local_addr_v4, 6843 ports)) 6844 break; 6845 connp = connp->conn_next; 6846 } 6847 } else { 6848 while (connp != NULL) { 6849 if (IPCL_CONN_MATCH_V6(connp, IPPROTO_TCP, 6850 sel->ips_remote_addr_v6, sel->ips_local_addr_v6, 6851 ports)) 6852 break; 6853 connp = connp->conn_next; 6854 } 6855 } 6856 6857 if (connp != NULL) { 6858 CONN_INC_REF(connp); 6859 mutex_exit(&connfp->connf_lock); 6860 } else { 6861 mutex_exit(&connfp->connf_lock); 6862 6863 /* Try the listen hash. */ 6864 if ((connp = ipsec_find_listen_conn(pptr, sel, ipst)) == NULL) 6865 return; 6866 } 6867 6868 ipsec_conn_pol(sel, connp, ppp); 6869 } 6870 6871 static void 6872 ipsec_sctp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6873 ip_stack_t *ipst) 6874 { 6875 conn_t *connp; 6876 uint32_t ports; 6877 uint16_t *pptr = (uint16_t *)&ports; 6878 6879 /* 6880 * Find SCP state in the following order: 6881 * 1.) Connected conns. 6882 * 2.) Listeners. 6883 * 6884 * Even though #2 will be the common case for inbound traffic, only 6885 * following this order insures correctness. 6886 */ 6887 6888 if (sel->ips_local_port == 0) 6889 return; 6890 6891 /* 6892 * 0 should be fport, 1 should be lport. SRC is the local one here. 6893 * See ipsec_construct_inverse_acquire() for details. 6894 */ 6895 pptr[0] = sel->ips_remote_port; 6896 pptr[1] = sel->ips_local_port; 6897 6898 if (sel->ips_isv4) { 6899 in6_addr_t src, dst; 6900 6901 IN6_IPADDR_TO_V4MAPPED(sel->ips_remote_addr_v4, &dst); 6902 IN6_IPADDR_TO_V4MAPPED(sel->ips_local_addr_v4, &src); 6903 connp = sctp_find_conn(&dst, &src, ports, ALL_ZONES, 6904 ipst->ips_netstack->netstack_sctp); 6905 } else { 6906 connp = sctp_find_conn(&sel->ips_remote_addr_v6, 6907 &sel->ips_local_addr_v6, ports, ALL_ZONES, 6908 ipst->ips_netstack->netstack_sctp); 6909 } 6910 if (connp == NULL) 6911 return; 6912 ipsec_conn_pol(sel, connp, ppp); 6913 } 6914 6915 /* 6916 * Fill in a query for the SPD (in "sel") using two PF_KEY address extensions. 6917 * Returns 0 or errno, and always sets *diagnostic to something appropriate 6918 * to PF_KEY. 6919 * 6920 * NOTE: For right now, this function (and ipsec_selector_t for that matter), 6921 * ignore prefix lengths in the address extension. Since we match on first- 6922 * entered policies, this shouldn't matter. Also, since we normalize prefix- 6923 * set addresses to mask out the lower bits, we should get a suitable search 6924 * key for the SPD anyway. This is the function to change if the assumption 6925 * about suitable search keys is wrong. 6926 */ 6927 static int 6928 ipsec_get_inverse_acquire_sel(ipsec_selector_t *sel, sadb_address_t *srcext, 6929 sadb_address_t *dstext, int *diagnostic) 6930 { 6931 struct sockaddr_in *src, *dst; 6932 struct sockaddr_in6 *src6, *dst6; 6933 6934 *diagnostic = 0; 6935 6936 bzero(sel, sizeof (*sel)); 6937 sel->ips_protocol = srcext->sadb_address_proto; 6938 dst = (struct sockaddr_in *)(dstext + 1); 6939 if (dst->sin_family == AF_INET6) { 6940 dst6 = (struct sockaddr_in6 *)dst; 6941 src6 = (struct sockaddr_in6 *)(srcext + 1); 6942 if (src6->sin6_family != AF_INET6) { 6943 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6944 return (EINVAL); 6945 } 6946 sel->ips_remote_addr_v6 = dst6->sin6_addr; 6947 sel->ips_local_addr_v6 = src6->sin6_addr; 6948 if (sel->ips_protocol == IPPROTO_ICMPV6) { 6949 sel->ips_is_icmp_inv_acq = 1; 6950 } else { 6951 sel->ips_remote_port = dst6->sin6_port; 6952 sel->ips_local_port = src6->sin6_port; 6953 } 6954 sel->ips_isv4 = B_FALSE; 6955 } else { 6956 src = (struct sockaddr_in *)(srcext + 1); 6957 if (src->sin_family != AF_INET) { 6958 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6959 return (EINVAL); 6960 } 6961 sel->ips_remote_addr_v4 = dst->sin_addr.s_addr; 6962 sel->ips_local_addr_v4 = src->sin_addr.s_addr; 6963 if (sel->ips_protocol == IPPROTO_ICMP) { 6964 sel->ips_is_icmp_inv_acq = 1; 6965 } else { 6966 sel->ips_remote_port = dst->sin_port; 6967 sel->ips_local_port = src->sin_port; 6968 } 6969 sel->ips_isv4 = B_TRUE; 6970 } 6971 return (0); 6972 } 6973 6974 /* 6975 * We have encapsulation. 6976 * - Lookup tun_t by address and look for an associated 6977 * tunnel policy 6978 * - If there are inner selectors 6979 * - check ITPF_P_TUNNEL and ITPF_P_ACTIVE 6980 * - Look up tunnel policy based on selectors 6981 * - Else 6982 * - Sanity check the negotation 6983 * - If appropriate, fall through to global policy 6984 */ 6985 static int 6986 ipsec_tun_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6987 sadb_address_t *innsrcext, sadb_address_t *inndstext, ipsec_tun_pol_t *itp, 6988 int *diagnostic, netstack_t *ns) 6989 { 6990 int err; 6991 ipsec_policy_head_t *polhead; 6992 6993 *diagnostic = 0; 6994 6995 /* Check for inner selectors and act appropriately */ 6996 6997 if (innsrcext != NULL) { 6998 /* Inner selectors present */ 6999 ASSERT(inndstext != NULL); 7000 if ((itp == NULL) || 7001 (itp->itp_flags & (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) != 7002 (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) { 7003 /* 7004 * If inner packet selectors, we must have negotiate 7005 * tunnel and active policy. If the tunnel has 7006 * transport-mode policy set on it, or has no policy, 7007 * fail. 7008 */ 7009 return (ENOENT); 7010 } else { 7011 /* 7012 * Reset "sel" to indicate inner selectors. Pass 7013 * inner PF_KEY address extensions for this to happen. 7014 */ 7015 if ((err = ipsec_get_inverse_acquire_sel(sel, 7016 innsrcext, inndstext, diagnostic)) != 0) 7017 return (err); 7018 /* 7019 * Now look for a tunnel policy based on those inner 7020 * selectors. (Common code is below.) 7021 */ 7022 } 7023 } else { 7024 /* No inner selectors present */ 7025 if ((itp == NULL) || !(itp->itp_flags & ITPF_P_ACTIVE)) { 7026 /* 7027 * Transport mode negotiation with no tunnel policy 7028 * configured - return to indicate a global policy 7029 * check is needed. 7030 */ 7031 return (0); 7032 } else if (itp->itp_flags & ITPF_P_TUNNEL) { 7033 /* Tunnel mode set with no inner selectors. */ 7034 return (ENOENT); 7035 } 7036 /* 7037 * Else, this is a tunnel policy configured with ifconfig(1m) 7038 * or "negotiate transport" with ipsecconf(1m). We have an 7039 * itp with policy set based on any match, so don't bother 7040 * changing fields in "sel". 7041 */ 7042 } 7043 7044 ASSERT(itp != NULL); 7045 polhead = itp->itp_policy; 7046 ASSERT(polhead != NULL); 7047 rw_enter(&polhead->iph_lock, RW_READER); 7048 *ppp = ipsec_find_policy_head(NULL, polhead, 7049 IPSEC_TYPE_INBOUND, sel, ns); 7050 rw_exit(&polhead->iph_lock); 7051 7052 /* 7053 * Don't default to global if we didn't find a matching policy entry. 7054 * Instead, send ENOENT, just like if we hit a transport-mode tunnel. 7055 */ 7056 if (*ppp == NULL) 7057 return (ENOENT); 7058 7059 return (0); 7060 } 7061 7062 static void 7063 ipsec_oth_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 7064 ip_stack_t *ipst) 7065 { 7066 boolean_t isv4 = sel->ips_isv4; 7067 connf_t *connfp; 7068 conn_t *connp; 7069 7070 if (isv4) { 7071 connfp = &ipst->ips_ipcl_proto_fanout[sel->ips_protocol]; 7072 } else { 7073 connfp = &ipst->ips_ipcl_proto_fanout_v6[sel->ips_protocol]; 7074 } 7075 7076 mutex_enter(&connfp->connf_lock); 7077 for (connp = connfp->connf_head; connp != NULL; 7078 connp = connp->conn_next) { 7079 if (!((isv4 && !((connp->conn_src == 0 || 7080 connp->conn_src == sel->ips_local_addr_v4) && 7081 (connp->conn_rem == 0 || 7082 connp->conn_rem == sel->ips_remote_addr_v4))) || 7083 (!isv4 && !((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_srcv6) || 7084 IN6_ARE_ADDR_EQUAL(&connp->conn_srcv6, 7085 &sel->ips_local_addr_v6)) && 7086 (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_remv6) || 7087 IN6_ARE_ADDR_EQUAL(&connp->conn_remv6, 7088 &sel->ips_remote_addr_v6)))))) { 7089 break; 7090 } 7091 } 7092 if (connp == NULL) { 7093 mutex_exit(&connfp->connf_lock); 7094 return; 7095 } 7096 7097 CONN_INC_REF(connp); 7098 mutex_exit(&connfp->connf_lock); 7099 7100 ipsec_conn_pol(sel, connp, ppp); 7101 } 7102 7103 /* 7104 * Construct an inverse ACQUIRE reply based on: 7105 * 7106 * 1.) Current global policy. 7107 * 2.) An conn_t match depending on what all was passed in the extv[]. 7108 * 3.) A tunnel's policy head. 7109 * ... 7110 * N.) Other stuff TBD (e.g. identities) 7111 * 7112 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic 7113 * in this function so the caller can extract them where appropriately. 7114 * 7115 * The SRC address is the local one - just like an outbound ACQUIRE message. 7116 * 7117 * XXX MLS: key management supplies a label which we just reflect back up 7118 * again. clearly we need to involve the label in the rest of the checks. 7119 */ 7120 mblk_t * 7121 ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[], 7122 netstack_t *ns) 7123 { 7124 int err; 7125 int diagnostic; 7126 sadb_address_t *srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC], 7127 *dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST], 7128 *innsrcext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC], 7129 *inndstext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]; 7130 sadb_sens_t *sens = (sadb_sens_t *)extv[SADB_EXT_SENSITIVITY]; 7131 struct sockaddr_in6 *src, *dst; 7132 struct sockaddr_in6 *isrc, *idst; 7133 ipsec_tun_pol_t *itp = NULL; 7134 ipsec_policy_t *pp = NULL; 7135 ipsec_selector_t sel, isel; 7136 mblk_t *retmp = NULL; 7137 ip_stack_t *ipst = ns->netstack_ip; 7138 7139 7140 /* Normalize addresses */ 7141 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)srcext, 0, ns) 7142 == KS_IN_ADDR_UNKNOWN) { 7143 err = EINVAL; 7144 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC; 7145 goto bail; 7146 } 7147 src = (struct sockaddr_in6 *)(srcext + 1); 7148 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)dstext, 0, ns) 7149 == KS_IN_ADDR_UNKNOWN) { 7150 err = EINVAL; 7151 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST; 7152 goto bail; 7153 } 7154 dst = (struct sockaddr_in6 *)(dstext + 1); 7155 if (src->sin6_family != dst->sin6_family) { 7156 err = EINVAL; 7157 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 7158 goto bail; 7159 } 7160 7161 /* Check for tunnel mode and act appropriately */ 7162 if (innsrcext != NULL) { 7163 if (inndstext == NULL) { 7164 err = EINVAL; 7165 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_DST; 7166 goto bail; 7167 } 7168 if (sadb_addrcheck(NULL, (mblk_t *)samsg, 7169 (sadb_ext_t *)innsrcext, 0, ns) == KS_IN_ADDR_UNKNOWN) { 7170 err = EINVAL; 7171 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC; 7172 goto bail; 7173 } 7174 isrc = (struct sockaddr_in6 *)(innsrcext + 1); 7175 if (sadb_addrcheck(NULL, (mblk_t *)samsg, 7176 (sadb_ext_t *)inndstext, 0, ns) == KS_IN_ADDR_UNKNOWN) { 7177 err = EINVAL; 7178 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST; 7179 goto bail; 7180 } 7181 idst = (struct sockaddr_in6 *)(inndstext + 1); 7182 if (isrc->sin6_family != idst->sin6_family) { 7183 err = EINVAL; 7184 diagnostic = SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 7185 goto bail; 7186 } 7187 if (isrc->sin6_family != AF_INET && 7188 isrc->sin6_family != AF_INET6) { 7189 err = EINVAL; 7190 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF; 7191 goto bail; 7192 } 7193 } else if (inndstext != NULL) { 7194 err = EINVAL; 7195 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC; 7196 goto bail; 7197 } 7198 7199 /* Get selectors first, based on outer addresses */ 7200 err = ipsec_get_inverse_acquire_sel(&sel, srcext, dstext, &diagnostic); 7201 if (err != 0) 7202 goto bail; 7203 7204 /* Check for tunnel mode mismatches. */ 7205 if (innsrcext != NULL && 7206 ((isrc->sin6_family == AF_INET && 7207 sel.ips_protocol != IPPROTO_ENCAP && sel.ips_protocol != 0) || 7208 (isrc->sin6_family == AF_INET6 && 7209 sel.ips_protocol != IPPROTO_IPV6 && sel.ips_protocol != 0))) { 7210 err = EPROTOTYPE; 7211 goto bail; 7212 } 7213 7214 /* 7215 * Okay, we have the addresses and other selector information. 7216 * Let's first find a conn... 7217 */ 7218 pp = NULL; 7219 switch (sel.ips_protocol) { 7220 case IPPROTO_TCP: 7221 ipsec_tcp_pol(&sel, &pp, ipst); 7222 break; 7223 case IPPROTO_UDP: 7224 ipsec_udp_pol(&sel, &pp, ipst); 7225 break; 7226 case IPPROTO_SCTP: 7227 ipsec_sctp_pol(&sel, &pp, ipst); 7228 break; 7229 case IPPROTO_ENCAP: 7230 case IPPROTO_IPV6: 7231 /* 7232 * Assume sel.ips_remote_addr_* has the right address at 7233 * that exact position. 7234 */ 7235 itp = itp_get_byaddr((uint32_t *)(&sel.ips_local_addr_v6), 7236 (uint32_t *)(&sel.ips_remote_addr_v6), src->sin6_family, 7237 ipst); 7238 7239 if (innsrcext == NULL) { 7240 /* 7241 * Transport-mode tunnel, make sure we fake out isel 7242 * to contain something based on the outer protocol. 7243 */ 7244 bzero(&isel, sizeof (isel)); 7245 isel.ips_isv4 = (sel.ips_protocol == IPPROTO_ENCAP); 7246 } /* Else isel is initialized by ipsec_tun_pol(). */ 7247 err = ipsec_tun_pol(&isel, &pp, innsrcext, inndstext, itp, 7248 &diagnostic, ns); 7249 /* 7250 * NOTE: isel isn't used for now, but in RFC 430x IPsec, it 7251 * may be. 7252 */ 7253 if (err != 0) 7254 goto bail; 7255 break; 7256 default: 7257 ipsec_oth_pol(&sel, &pp, ipst); 7258 break; 7259 } 7260 7261 /* 7262 * If we didn't find a matching conn_t or other policy head, take a 7263 * look in the global policy. 7264 */ 7265 if (pp == NULL) { 7266 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, NULL, &sel, 7267 ns); 7268 if (pp == NULL) { 7269 /* There's no global policy. */ 7270 err = ENOENT; 7271 diagnostic = 0; 7272 goto bail; 7273 } 7274 } 7275 7276 /* 7277 * Now that we have a policy entry/widget, construct an ACQUIRE 7278 * message based on that, fix fields where appropriate, 7279 * and return the message. 7280 */ 7281 retmp = sadb_extended_acquire(&sel, pp, NULL, 7282 (itp != NULL && (itp->itp_flags & ITPF_P_TUNNEL)), 7283 samsg->sadb_msg_seq, samsg->sadb_msg_pid, sens, ns); 7284 if (pp != NULL) { 7285 IPPOL_REFRELE(pp, ns); 7286 } 7287 ASSERT(err == 0 && diagnostic == 0); 7288 if (retmp == NULL) 7289 err = ENOMEM; 7290 bail: 7291 if (itp != NULL) { 7292 ITP_REFRELE(itp, ns); 7293 } 7294 samsg->sadb_msg_errno = (uint8_t)err; 7295 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 7296 return (retmp); 7297 } 7298 7299 /* 7300 * ipsa_lpkt is a one-element queue, only manipulated by the next two 7301 * functions. They have to hold the ipsa_lock because of potential races 7302 * between key management using SADB_UPDATE, and inbound packets that may 7303 * queue up on the larval SA (hence the 'l' in "lpkt"). 7304 */ 7305 7306 /* 7307 * sadb_set_lpkt: Return TRUE if we can swap in a value to ipsa->ipsa_lpkt and 7308 * freemsg the previous value. Return FALSE if we lost the race and the SA is 7309 * in a non-LARVAL state. free clue: ip_drop_packet(NULL) is safe. 7310 */ 7311 boolean_t 7312 sadb_set_lpkt(ipsa_t *ipsa, mblk_t *npkt, netstack_t *ns) 7313 { 7314 mblk_t *opkt; 7315 ipsec_stack_t *ipss = ns->netstack_ipsec; 7316 boolean_t is_larval; 7317 7318 /* 7319 * Check the packet's netstack id in case we go asynch with a 7320 * taskq_dispatch. 7321 */ 7322 ASSERT(((ipsec_in_t *)npkt->b_rptr)->ipsec_in_type == IPSEC_IN); 7323 ASSERT(((ipsec_in_t *)npkt->b_rptr)->ipsec_in_stackid == 7324 ns->netstack_stackid); 7325 7326 mutex_enter(&ipsa->ipsa_lock); 7327 is_larval = (ipsa->ipsa_state == IPSA_STATE_LARVAL); 7328 if (is_larval) { 7329 opkt = ipsa->ipsa_lpkt; 7330 ipsa->ipsa_lpkt = npkt; 7331 } else { 7332 /* We lost the race. */ 7333 opkt = NULL; 7334 } 7335 mutex_exit(&ipsa->ipsa_lock); 7336 7337 ip_drop_packet(opkt, B_TRUE, NULL, NULL, 7338 DROPPER(ipss, ipds_sadb_inlarval_replace), 7339 &ipss->ipsec_sadb_dropper); 7340 return (is_larval); 7341 } 7342 7343 /* 7344 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the 7345 * previous value. 7346 */ 7347 mblk_t * 7348 sadb_clear_lpkt(ipsa_t *ipsa) 7349 { 7350 mblk_t *opkt; 7351 7352 mutex_enter(&ipsa->ipsa_lock); 7353 opkt = ipsa->ipsa_lpkt; 7354 ipsa->ipsa_lpkt = NULL; 7355 mutex_exit(&ipsa->ipsa_lock); 7356 7357 return (opkt); 7358 } 7359 7360 /* 7361 * Buffer a packet that's in IDLE state as set by Solaris Clustering. 7362 */ 7363 void 7364 sadb_buf_pkt(ipsa_t *ipsa, mblk_t *bpkt, netstack_t *ns) 7365 { 7366 ipsec_stack_t *ipss = ns->netstack_ipsec; 7367 extern void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, 7368 sa_family_t, in6_addr_t, in6_addr_t, void *); 7369 in6_addr_t *srcaddr = (in6_addr_t *)(&ipsa->ipsa_srcaddr); 7370 in6_addr_t *dstaddr = (in6_addr_t *)(&ipsa->ipsa_dstaddr); 7371 7372 ASSERT(ipsa->ipsa_state == IPSA_STATE_IDLE); 7373 7374 if (cl_inet_idlesa == NULL) { 7375 ip_drop_packet(bpkt, B_TRUE, NULL, NULL, 7376 DROPPER(ipss, ipds_sadb_inidle_overflow), 7377 &ipss->ipsec_sadb_dropper); 7378 return; 7379 } 7380 7381 cl_inet_idlesa(ns->netstack_stackid, 7382 (ipsa->ipsa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP, 7383 ipsa->ipsa_spi, ipsa->ipsa_addrfam, *srcaddr, *dstaddr, NULL); 7384 7385 /* 7386 * Check the packet's netstack id in case we go asynch with a 7387 * taskq_dispatch. 7388 */ 7389 ASSERT(((ipsec_in_t *)bpkt->b_rptr)->ipsec_in_type == IPSEC_IN); 7390 ASSERT(((ipsec_in_t *)bpkt->b_rptr)->ipsec_in_stackid == 7391 ns->netstack_stackid); 7392 7393 mutex_enter(&ipsa->ipsa_lock); 7394 ipsa->ipsa_mblkcnt++; 7395 if (ipsa->ipsa_bpkt_head == NULL) { 7396 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_tail = bpkt; 7397 } else { 7398 ipsa->ipsa_bpkt_tail->b_next = bpkt; 7399 ipsa->ipsa_bpkt_tail = bpkt; 7400 if (ipsa->ipsa_mblkcnt > SADB_MAX_IDLEPKTS) { 7401 mblk_t *tmp; 7402 tmp = ipsa->ipsa_bpkt_head; 7403 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_head->b_next; 7404 ip_drop_packet(tmp, B_TRUE, NULL, NULL, 7405 DROPPER(ipss, ipds_sadb_inidle_overflow), 7406 &ipss->ipsec_sadb_dropper); 7407 ipsa->ipsa_mblkcnt --; 7408 } 7409 } 7410 mutex_exit(&ipsa->ipsa_lock); 7411 7412 } 7413 7414 /* 7415 * Stub function that taskq_dispatch() invokes to take the mblk (in arg) 7416 * and put into STREAMS again. 7417 */ 7418 void 7419 sadb_clear_buf_pkt(void *ipkt) 7420 { 7421 mblk_t *tmp, *buf_pkt; 7422 netstack_t *ns; 7423 ipsec_in_t *ii; 7424 7425 buf_pkt = (mblk_t *)ipkt; 7426 7427 ii = (ipsec_in_t *)buf_pkt->b_rptr; 7428 ASSERT(ii->ipsec_in_type == IPSEC_IN); 7429 ns = netstack_find_by_stackid(ii->ipsec_in_stackid); 7430 if (ns != NULL && ns != ii->ipsec_in_ns) { 7431 netstack_rele(ns); 7432 ns = NULL; /* For while-loop below. */ 7433 } 7434 7435 while (buf_pkt != NULL) { 7436 tmp = buf_pkt->b_next; 7437 buf_pkt->b_next = NULL; 7438 if (ns != NULL) 7439 ip_fanout_proto_again(buf_pkt, NULL, NULL, NULL); 7440 else 7441 freemsg(buf_pkt); 7442 buf_pkt = tmp; 7443 } 7444 if (ns != NULL) 7445 netstack_rele(ns); 7446 } 7447 /* 7448 * Walker callback used by sadb_alg_update() to free/create crypto 7449 * context template when a crypto software provider is removed or 7450 * added. 7451 */ 7452 7453 struct sadb_update_alg_state { 7454 ipsec_algtype_t alg_type; 7455 uint8_t alg_id; 7456 boolean_t is_added; 7457 }; 7458 7459 static void 7460 sadb_alg_update_cb(isaf_t *head, ipsa_t *entry, void *cookie) 7461 { 7462 struct sadb_update_alg_state *update_state = 7463 (struct sadb_update_alg_state *)cookie; 7464 crypto_ctx_template_t *ctx_tmpl = NULL; 7465 7466 ASSERT(MUTEX_HELD(&head->isaf_lock)); 7467 7468 if (entry->ipsa_state == IPSA_STATE_LARVAL) 7469 return; 7470 7471 mutex_enter(&entry->ipsa_lock); 7472 7473 switch (update_state->alg_type) { 7474 case IPSEC_ALG_AUTH: 7475 if (entry->ipsa_auth_alg == update_state->alg_id) 7476 ctx_tmpl = &entry->ipsa_authtmpl; 7477 break; 7478 case IPSEC_ALG_ENCR: 7479 if (entry->ipsa_encr_alg == update_state->alg_id) 7480 ctx_tmpl = &entry->ipsa_encrtmpl; 7481 break; 7482 default: 7483 ctx_tmpl = NULL; 7484 } 7485 7486 if (ctx_tmpl == NULL) { 7487 mutex_exit(&entry->ipsa_lock); 7488 return; 7489 } 7490 7491 /* 7492 * The context template of the SA may be affected by the change 7493 * of crypto provider. 7494 */ 7495 if (update_state->is_added) { 7496 /* create the context template if not already done */ 7497 if (*ctx_tmpl == NULL) { 7498 (void) ipsec_create_ctx_tmpl(entry, 7499 update_state->alg_type); 7500 } 7501 } else { 7502 /* 7503 * The crypto provider was removed. If the context template 7504 * exists but it is no longer valid, free it. 7505 */ 7506 if (*ctx_tmpl != NULL) 7507 ipsec_destroy_ctx_tmpl(entry, update_state->alg_type); 7508 } 7509 7510 mutex_exit(&entry->ipsa_lock); 7511 } 7512 7513 /* 7514 * Invoked by IP when an software crypto provider has been updated. 7515 * The type and id of the corresponding algorithm is passed as argument. 7516 * is_added is B_TRUE if the provider was added, B_FALSE if it was 7517 * removed. The function updates the SADB and free/creates the 7518 * context templates associated with SAs if needed. 7519 */ 7520 7521 #define SADB_ALG_UPDATE_WALK(sadb, table) \ 7522 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \ 7523 &update_state) 7524 7525 void 7526 sadb_alg_update(ipsec_algtype_t alg_type, uint8_t alg_id, boolean_t is_added, 7527 netstack_t *ns) 7528 { 7529 struct sadb_update_alg_state update_state; 7530 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 7531 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 7532 7533 update_state.alg_type = alg_type; 7534 update_state.alg_id = alg_id; 7535 update_state.is_added = is_added; 7536 7537 if (alg_type == IPSEC_ALG_AUTH) { 7538 /* walk the AH tables only for auth. algorithm changes */ 7539 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_of); 7540 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_if); 7541 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_of); 7542 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_if); 7543 } 7544 7545 /* walk the ESP tables */ 7546 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_of); 7547 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_if); 7548 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_of); 7549 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_if); 7550 } 7551 7552 /* 7553 * Creates a context template for the specified SA. This function 7554 * is called when an SA is created and when a context template needs 7555 * to be created due to a change of software provider. 7556 */ 7557 int 7558 ipsec_create_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 7559 { 7560 ipsec_alginfo_t *alg; 7561 crypto_mechanism_t mech; 7562 crypto_key_t *key; 7563 crypto_ctx_template_t *sa_tmpl; 7564 int rv; 7565 ipsec_stack_t *ipss = sa->ipsa_netstack->netstack_ipsec; 7566 7567 ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock)); 7568 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 7569 7570 /* get pointers to the algorithm info, context template, and key */ 7571 switch (alg_type) { 7572 case IPSEC_ALG_AUTH: 7573 key = &sa->ipsa_kcfauthkey; 7574 sa_tmpl = &sa->ipsa_authtmpl; 7575 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_auth_alg]; 7576 break; 7577 case IPSEC_ALG_ENCR: 7578 key = &sa->ipsa_kcfencrkey; 7579 sa_tmpl = &sa->ipsa_encrtmpl; 7580 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_encr_alg]; 7581 break; 7582 default: 7583 alg = NULL; 7584 } 7585 7586 if (alg == NULL || !ALG_VALID(alg)) 7587 return (EINVAL); 7588 7589 /* initialize the mech info structure for the framework */ 7590 ASSERT(alg->alg_mech_type != CRYPTO_MECHANISM_INVALID); 7591 mech.cm_type = alg->alg_mech_type; 7592 mech.cm_param = NULL; 7593 mech.cm_param_len = 0; 7594 7595 /* create a new context template */ 7596 rv = crypto_create_ctx_template(&mech, key, sa_tmpl, KM_NOSLEEP); 7597 7598 /* 7599 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware 7600 * providers are available for that mechanism. In that case 7601 * we don't fail, and will generate the context template from 7602 * the framework callback when a software provider for that 7603 * mechanism registers. 7604 * 7605 * The context template is assigned the special value 7606 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a 7607 * lack of memory. No attempt will be made to use 7608 * the context template if it is set to this value. 7609 */ 7610 if (rv == CRYPTO_HOST_MEMORY) { 7611 *sa_tmpl = IPSEC_CTX_TMPL_ALLOC; 7612 } else if (rv != CRYPTO_SUCCESS) { 7613 *sa_tmpl = NULL; 7614 if (rv != CRYPTO_MECH_NOT_SUPPORTED) 7615 return (EINVAL); 7616 } 7617 7618 return (0); 7619 } 7620 7621 /* 7622 * Destroy the context template of the specified algorithm type 7623 * of the specified SA. Must be called while holding the SA lock. 7624 */ 7625 void 7626 ipsec_destroy_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 7627 { 7628 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 7629 7630 if (alg_type == IPSEC_ALG_AUTH) { 7631 if (sa->ipsa_authtmpl == IPSEC_CTX_TMPL_ALLOC) 7632 sa->ipsa_authtmpl = NULL; 7633 else if (sa->ipsa_authtmpl != NULL) { 7634 crypto_destroy_ctx_template(sa->ipsa_authtmpl); 7635 sa->ipsa_authtmpl = NULL; 7636 } 7637 } else { 7638 ASSERT(alg_type == IPSEC_ALG_ENCR); 7639 if (sa->ipsa_encrtmpl == IPSEC_CTX_TMPL_ALLOC) 7640 sa->ipsa_encrtmpl = NULL; 7641 else if (sa->ipsa_encrtmpl != NULL) { 7642 crypto_destroy_ctx_template(sa->ipsa_encrtmpl); 7643 sa->ipsa_encrtmpl = NULL; 7644 } 7645 } 7646 } 7647 7648 /* 7649 * Use the kernel crypto framework to check the validity of a key received 7650 * via keysock. Returns 0 if the key is OK, -1 otherwise. 7651 */ 7652 int 7653 ipsec_check_key(crypto_mech_type_t mech_type, sadb_key_t *sadb_key, 7654 boolean_t is_auth, int *diag) 7655 { 7656 crypto_mechanism_t mech; 7657 crypto_key_t crypto_key; 7658 int crypto_rc; 7659 7660 mech.cm_type = mech_type; 7661 mech.cm_param = NULL; 7662 mech.cm_param_len = 0; 7663 7664 crypto_key.ck_format = CRYPTO_KEY_RAW; 7665 crypto_key.ck_data = sadb_key + 1; 7666 crypto_key.ck_length = sadb_key->sadb_key_bits; 7667 7668 crypto_rc = crypto_key_check(&mech, &crypto_key); 7669 7670 switch (crypto_rc) { 7671 case CRYPTO_SUCCESS: 7672 return (0); 7673 case CRYPTO_MECHANISM_INVALID: 7674 case CRYPTO_MECH_NOT_SUPPORTED: 7675 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AALG : 7676 SADB_X_DIAGNOSTIC_BAD_EALG; 7677 break; 7678 case CRYPTO_KEY_SIZE_RANGE: 7679 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AKEYBITS : 7680 SADB_X_DIAGNOSTIC_BAD_EKEYBITS; 7681 break; 7682 case CRYPTO_WEAK_KEY: 7683 *diag = is_auth ? SADB_X_DIAGNOSTIC_WEAK_AKEY : 7684 SADB_X_DIAGNOSTIC_WEAK_EKEY; 7685 break; 7686 } 7687 7688 return (-1); 7689 } 7690 7691 /* 7692 * Whack options in the outer IP header when ipsec changes the outer label 7693 * 7694 * This is inelegant and really could use refactoring. 7695 */ 7696 int 7697 sadb_whack_label(mblk_t **mpp, ipsa_t *assoc) 7698 { 7699 int delta; 7700 int plen; 7701 dblk_t *db; 7702 int hlen; 7703 uint8_t *opt_storage = assoc->ipsa_opt_storage; 7704 mblk_t *mp = *mpp; 7705 ipha_t *ipha = (ipha_t *)mp->b_rptr; 7706 7707 plen = ntohs(ipha->ipha_length); 7708 7709 delta = tsol_remove_secopt(ipha, MBLKL(mp)); 7710 mp->b_wptr += delta; 7711 plen += delta; 7712 7713 /* XXX XXX code copied from tsol_check_label */ 7714 7715 /* Make sure we have room for the worst-case addition */ 7716 hlen = IPH_HDR_LENGTH(ipha) + opt_storage[IPOPT_OLEN]; 7717 hlen = (hlen + 3) & ~3; 7718 if (hlen > IP_MAX_HDR_LENGTH) 7719 hlen = IP_MAX_HDR_LENGTH; 7720 hlen -= IPH_HDR_LENGTH(ipha); 7721 7722 db = mp->b_datap; 7723 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) { 7724 int copylen; 7725 mblk_t *new_mp; 7726 7727 /* allocate enough to be meaningful, but not *too* much */ 7728 copylen = MBLKL(mp); 7729 if (copylen > 256) 7730 copylen = 256; 7731 new_mp = allocb_tmpl(hlen + copylen + 7732 (mp->b_rptr - mp->b_datap->db_base), mp); 7733 7734 if (new_mp == NULL) 7735 return (ENOMEM); 7736 7737 /* keep the bias */ 7738 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base; 7739 new_mp->b_wptr = new_mp->b_rptr + copylen; 7740 bcopy(mp->b_rptr, new_mp->b_rptr, copylen); 7741 new_mp->b_cont = mp; 7742 if ((mp->b_rptr += copylen) >= mp->b_wptr) { 7743 new_mp->b_cont = mp->b_cont; 7744 freeb(mp); 7745 } 7746 *mpp = mp = new_mp; 7747 ipha = (ipha_t *)mp->b_rptr; 7748 } 7749 7750 delta = tsol_prepend_option(assoc->ipsa_opt_storage, ipha, MBLKL(mp)); 7751 7752 ASSERT(delta != -1); 7753 7754 plen += delta; 7755 mp->b_wptr += delta; 7756 7757 /* 7758 * Paranoia 7759 */ 7760 db = mp->b_datap; 7761 7762 ASSERT3P(mp->b_wptr, <=, db->db_lim); 7763 ASSERT3P(mp->b_rptr, <=, db->db_lim); 7764 7765 ASSERT3P(mp->b_wptr, >=, db->db_base); 7766 ASSERT3P(mp->b_rptr, >=, db->db_base); 7767 /* End paranoia */ 7768 7769 ipha->ipha_length = htons(plen); 7770 7771 return (0); 7772 } 7773 7774 int 7775 sadb_whack_label_v6(mblk_t **mpp, ipsa_t *assoc) 7776 { 7777 int delta; 7778 int plen; 7779 dblk_t *db; 7780 int hlen; 7781 uint8_t *opt_storage = assoc->ipsa_opt_storage; 7782 uint_t sec_opt_len; /* label option length not including type, len */ 7783 mblk_t *mp = *mpp; 7784 ip6_t *ip6h = (ip6_t *)mp->b_rptr; 7785 7786 plen = ntohs(ip6h->ip6_plen); 7787 7788 delta = tsol_remove_secopt_v6(ip6h, MBLKL(mp)); 7789 mp->b_wptr += delta; 7790 plen += delta; 7791 7792 /* XXX XXX code copied from tsol_check_label_v6 */ 7793 /* 7794 * Make sure we have room for the worst-case addition. Add 2 bytes for 7795 * the hop-by-hop ext header's next header and length fields. Add 7796 * another 2 bytes for the label option type, len and then round 7797 * up to the next 8-byte multiple. 7798 */ 7799 sec_opt_len = opt_storage[1]; 7800 7801 db = mp->b_datap; 7802 hlen = (4 + sec_opt_len + 7) & ~7; 7803 7804 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) { 7805 int copylen; 7806 mblk_t *new_mp; 7807 uint16_t hdr_len; 7808 7809 hdr_len = ip_hdr_length_v6(mp, ip6h); 7810 /* 7811 * Allocate enough to be meaningful, but not *too* much. 7812 * Also all the IPv6 extension headers must be in the same mblk 7813 */ 7814 copylen = MBLKL(mp); 7815 if (copylen > 256) 7816 copylen = 256; 7817 if (copylen < hdr_len) 7818 copylen = hdr_len; 7819 new_mp = allocb_tmpl(hlen + copylen + 7820 (mp->b_rptr - mp->b_datap->db_base), mp); 7821 if (new_mp == NULL) 7822 return (ENOMEM); 7823 7824 /* keep the bias */ 7825 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base; 7826 new_mp->b_wptr = new_mp->b_rptr + copylen; 7827 bcopy(mp->b_rptr, new_mp->b_rptr, copylen); 7828 new_mp->b_cont = mp; 7829 if ((mp->b_rptr += copylen) >= mp->b_wptr) { 7830 new_mp->b_cont = mp->b_cont; 7831 freeb(mp); 7832 } 7833 *mpp = mp = new_mp; 7834 ip6h = (ip6_t *)mp->b_rptr; 7835 } 7836 7837 delta = tsol_prepend_option_v6(assoc->ipsa_opt_storage, 7838 ip6h, MBLKL(mp)); 7839 7840 ASSERT(delta != -1); 7841 7842 plen += delta; 7843 mp->b_wptr += delta; 7844 7845 /* 7846 * Paranoia 7847 */ 7848 db = mp->b_datap; 7849 7850 ASSERT3P(mp->b_wptr, <=, db->db_lim); 7851 ASSERT3P(mp->b_rptr, <=, db->db_lim); 7852 7853 ASSERT3P(mp->b_wptr, >=, db->db_base); 7854 ASSERT3P(mp->b_rptr, >=, db->db_base); 7855 /* End paranoia */ 7856 7857 ip6h->ip6_plen = htons(plen); 7858 7859 return (0); 7860 } 7861 7862 7863 7864 /* 7865 * If this is an outgoing SA then add some fuzz to the 7866 * SOFT EXPIRE time. The reason for this is to stop 7867 * peers trying to renegotiate SOFT expiring SA's at 7868 * the same time. The amount of fuzz needs to be at 7869 * least 8 seconds which is the typical interval 7870 * sadb_ager(), although this is only a guide as it 7871 * selftunes. 7872 */ 7873 static void 7874 lifetime_fuzz(ipsa_t *assoc) 7875 { 7876 uint8_t rnd; 7877 7878 if (assoc->ipsa_softaddlt == 0) 7879 return; 7880 7881 (void) random_get_pseudo_bytes(&rnd, sizeof (rnd)); 7882 rnd = (rnd & 0xF) + 8; 7883 assoc->ipsa_softexpiretime -= rnd; 7884 assoc->ipsa_softaddlt -= rnd; 7885 } 7886 7887 static void 7888 destroy_ipsa_pair(ipsap_t *ipsapp) 7889 { 7890 /* 7891 * Because of the multi-line macro nature of IPSA_REFRELE, keep 7892 * them in { }. 7893 */ 7894 if (ipsapp->ipsap_sa_ptr != NULL) { 7895 IPSA_REFRELE(ipsapp->ipsap_sa_ptr); 7896 } 7897 if (ipsapp->ipsap_psa_ptr != NULL) { 7898 IPSA_REFRELE(ipsapp->ipsap_psa_ptr); 7899 } 7900 init_ipsa_pair(ipsapp); 7901 } 7902 7903 static void 7904 init_ipsa_pair(ipsap_t *ipsapp) 7905 { 7906 ipsapp->ipsap_bucket = NULL; 7907 ipsapp->ipsap_sa_ptr = NULL; 7908 ipsapp->ipsap_pbucket = NULL; 7909 ipsapp->ipsap_psa_ptr = NULL; 7910 } 7911 7912 /* 7913 * The sadb_ager() function walks through the hash tables of SA's and ages 7914 * them, if the SA expires as a result, its marked as DEAD and will be reaped 7915 * the next time sadb_ager() runs. SA's which are paired or have a peer (same 7916 * SA appears in both the inbound and outbound tables because its not possible 7917 * to determine its direction) are placed on a list when they expire. This is 7918 * to ensure that pair/peer SA's are reaped at the same time, even if they 7919 * expire at different times. 7920 * 7921 * This function is called twice by sadb_ager(), one after processing the 7922 * inbound table, then again after processing the outbound table. 7923 */ 7924 void 7925 age_pair_peer_list(templist_t *haspeerlist, sadb_t *sp, boolean_t outbound) 7926 { 7927 templist_t *listptr; 7928 int outhash; 7929 isaf_t *bucket; 7930 boolean_t haspeer; 7931 ipsa_t *peer_assoc, *dying; 7932 /* 7933 * Haspeer cases will contain both IPv4 and IPv6. This code 7934 * is address independent. 7935 */ 7936 while (haspeerlist != NULL) { 7937 /* "dying" contains the SA that has a peer. */ 7938 dying = haspeerlist->ipsa; 7939 haspeer = (dying->ipsa_haspeer); 7940 listptr = haspeerlist; 7941 haspeerlist = listptr->next; 7942 kmem_free(listptr, sizeof (*listptr)); 7943 /* 7944 * Pick peer bucket based on addrfam. 7945 */ 7946 if (outbound) { 7947 if (haspeer) 7948 bucket = INBOUND_BUCKET(sp, dying->ipsa_spi); 7949 else 7950 bucket = INBOUND_BUCKET(sp, 7951 dying->ipsa_otherspi); 7952 } else { /* inbound */ 7953 if (haspeer) { 7954 if (dying->ipsa_addrfam == AF_INET6) { 7955 outhash = OUTBOUND_HASH_V6(sp, 7956 *((in6_addr_t *)&dying-> 7957 ipsa_dstaddr)); 7958 } else { 7959 outhash = OUTBOUND_HASH_V4(sp, 7960 *((ipaddr_t *)&dying-> 7961 ipsa_dstaddr)); 7962 } 7963 } else if (dying->ipsa_addrfam == AF_INET6) { 7964 outhash = OUTBOUND_HASH_V6(sp, 7965 *((in6_addr_t *)&dying-> 7966 ipsa_srcaddr)); 7967 } else { 7968 outhash = OUTBOUND_HASH_V4(sp, 7969 *((ipaddr_t *)&dying-> 7970 ipsa_srcaddr)); 7971 } 7972 bucket = &(sp->sdb_of[outhash]); 7973 } 7974 7975 mutex_enter(&bucket->isaf_lock); 7976 /* 7977 * "haspeer" SA's have the same src/dst address ordering, 7978 * "paired" SA's have the src/dst addresses reversed. 7979 */ 7980 if (haspeer) { 7981 peer_assoc = ipsec_getassocbyspi(bucket, 7982 dying->ipsa_spi, dying->ipsa_srcaddr, 7983 dying->ipsa_dstaddr, dying->ipsa_addrfam); 7984 } else { 7985 peer_assoc = ipsec_getassocbyspi(bucket, 7986 dying->ipsa_otherspi, dying->ipsa_dstaddr, 7987 dying->ipsa_srcaddr, dying->ipsa_addrfam); 7988 } 7989 7990 mutex_exit(&bucket->isaf_lock); 7991 if (peer_assoc != NULL) { 7992 mutex_enter(&peer_assoc->ipsa_lock); 7993 mutex_enter(&dying->ipsa_lock); 7994 if (!haspeer) { 7995 /* 7996 * Only SA's which have a "peer" or are 7997 * "paired" end up on this list, so this 7998 * must be a "paired" SA, update the flags 7999 * to break the pair. 8000 */ 8001 peer_assoc->ipsa_otherspi = 0; 8002 peer_assoc->ipsa_flags &= ~IPSA_F_PAIRED; 8003 dying->ipsa_otherspi = 0; 8004 dying->ipsa_flags &= ~IPSA_F_PAIRED; 8005 } 8006 if (haspeer || outbound) { 8007 /* 8008 * Update the state of the "inbound" SA when 8009 * the "outbound" SA has expired. Don't update 8010 * the "outbound" SA when the "inbound" SA 8011 * SA expires because setting the hard_addtime 8012 * below will cause this to happen. 8013 */ 8014 peer_assoc->ipsa_state = dying->ipsa_state; 8015 } 8016 if (dying->ipsa_state == IPSA_STATE_DEAD) 8017 peer_assoc->ipsa_hardexpiretime = 1; 8018 8019 mutex_exit(&dying->ipsa_lock); 8020 mutex_exit(&peer_assoc->ipsa_lock); 8021 IPSA_REFRELE(peer_assoc); 8022 } 8023 IPSA_REFRELE(dying); 8024 } 8025 } 8026 8027 /* 8028 * Ensure that the IV used for CCM mode never repeats. The IV should 8029 * only be updated by this function. Also check to see if the IV 8030 * is about to wrap and generate a SOFT Expire. This function is only 8031 * called for outgoing packets, the IV for incomming packets is taken 8032 * from the wire. If the outgoing SA needs to be expired, update 8033 * the matching incomming SA. 8034 */ 8035 boolean_t 8036 update_iv(uint8_t *iv_ptr, queue_t *pfkey_q, ipsa_t *assoc, 8037 ipsecesp_stack_t *espstack) 8038 { 8039 boolean_t rc = B_TRUE; 8040 isaf_t *inbound_bucket; 8041 sadb_t *sp; 8042 ipsa_t *pair_sa = NULL; 8043 int sa_new_state = 0; 8044 8045 /* For non counter modes, the IV is random data. */ 8046 if (!(assoc->ipsa_flags & IPSA_F_COUNTERMODE)) { 8047 (void) random_get_pseudo_bytes(iv_ptr, assoc->ipsa_iv_len); 8048 return (rc); 8049 } 8050 8051 mutex_enter(&assoc->ipsa_lock); 8052 8053 (*assoc->ipsa_iv)++; 8054 8055 if (*assoc->ipsa_iv == assoc->ipsa_iv_hardexpire) { 8056 sa_new_state = IPSA_STATE_DEAD; 8057 rc = B_FALSE; 8058 } else if (*assoc->ipsa_iv == assoc->ipsa_iv_softexpire) { 8059 if (assoc->ipsa_state != IPSA_STATE_DYING) { 8060 /* 8061 * This SA may have already been expired when its 8062 * PAIR_SA expired. 8063 */ 8064 sa_new_state = IPSA_STATE_DYING; 8065 } 8066 } 8067 if (sa_new_state) { 8068 /* 8069 * If there is a state change, we need to update this SA 8070 * and its "pair", we can find the bucket for the "pair" SA 8071 * while holding the ipsa_t mutex, but we won't actually 8072 * update anything untill the ipsa_t mutex has been released 8073 * for _this_ SA. 8074 */ 8075 assoc->ipsa_state = sa_new_state; 8076 if (assoc->ipsa_addrfam == AF_INET6) { 8077 sp = &espstack->esp_sadb.s_v6; 8078 } else { 8079 sp = &espstack->esp_sadb.s_v4; 8080 } 8081 inbound_bucket = INBOUND_BUCKET(sp, assoc->ipsa_otherspi); 8082 sadb_expire_assoc(pfkey_q, assoc); 8083 } 8084 if (rc == B_TRUE) 8085 bcopy(assoc->ipsa_iv, iv_ptr, assoc->ipsa_iv_len); 8086 8087 mutex_exit(&assoc->ipsa_lock); 8088 8089 if (sa_new_state) { 8090 /* Find the inbound SA, need to lock hash bucket. */ 8091 mutex_enter(&inbound_bucket->isaf_lock); 8092 pair_sa = ipsec_getassocbyspi(inbound_bucket, 8093 assoc->ipsa_otherspi, assoc->ipsa_dstaddr, 8094 assoc->ipsa_srcaddr, assoc->ipsa_addrfam); 8095 mutex_exit(&inbound_bucket->isaf_lock); 8096 if (pair_sa != NULL) { 8097 mutex_enter(&pair_sa->ipsa_lock); 8098 pair_sa->ipsa_state = sa_new_state; 8099 mutex_exit(&pair_sa->ipsa_lock); 8100 IPSA_REFRELE(pair_sa); 8101 } 8102 } 8103 8104 return (rc); 8105 } 8106 8107 void 8108 ccm_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr, 8109 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data) 8110 { 8111 uchar_t *nonce; 8112 crypto_mechanism_t *combined_mech; 8113 CK_AES_CCM_PARAMS *params; 8114 8115 combined_mech = (crypto_mechanism_t *)cm_mech; 8116 params = (CK_AES_CCM_PARAMS *)(combined_mech + 1); 8117 nonce = (uchar_t *)(params + 1); 8118 params->ulMACSize = assoc->ipsa_mac_len; 8119 params->ulNonceSize = assoc->ipsa_nonce_len; 8120 params->ulAuthDataSize = sizeof (esph_t); 8121 params->ulDataSize = data_len; 8122 params->nonce = nonce; 8123 params->authData = esph; 8124 8125 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type; 8126 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_CCM_PARAMS); 8127 cm_mech->combined_mech.cm_param = (caddr_t)params; 8128 /* See gcm_params_init() for comments. */ 8129 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen); 8130 nonce += assoc->ipsa_saltlen; 8131 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len); 8132 crypto_data->cd_miscdata = NULL; 8133 } 8134 8135 /* ARGSUSED */ 8136 void 8137 cbc_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr, 8138 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data) 8139 { 8140 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type; 8141 cm_mech->combined_mech.cm_param_len = 0; 8142 cm_mech->combined_mech.cm_param = NULL; 8143 crypto_data->cd_miscdata = (char *)iv_ptr; 8144 } 8145 8146 /* ARGSUSED */ 8147 void 8148 gcm_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr, 8149 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data) 8150 { 8151 uchar_t *nonce; 8152 crypto_mechanism_t *combined_mech; 8153 CK_AES_GCM_PARAMS *params; 8154 8155 combined_mech = (crypto_mechanism_t *)cm_mech; 8156 params = (CK_AES_GCM_PARAMS *)(combined_mech + 1); 8157 nonce = (uchar_t *)(params + 1); 8158 8159 params->pIv = nonce; 8160 params->ulIvLen = assoc->ipsa_nonce_len; 8161 params->ulIvBits = SADB_8TO1(assoc->ipsa_nonce_len); 8162 params->pAAD = esph; 8163 params->ulAADLen = sizeof (esph_t); 8164 params->ulTagBits = SADB_8TO1(assoc->ipsa_mac_len); 8165 8166 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type; 8167 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS); 8168 cm_mech->combined_mech.cm_param = (caddr_t)params; 8169 /* 8170 * Create the nonce, which is made up of the salt and the IV. 8171 * Copy the salt from the SA and the IV from the packet. 8172 * For inbound packets we copy the IV from the packet because it 8173 * was set by the sending system, for outbound packets we copy the IV 8174 * from the packet because the IV in the SA may be changed by another 8175 * thread, the IV in the packet was created while holding a mutex. 8176 */ 8177 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen); 8178 nonce += assoc->ipsa_saltlen; 8179 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len); 8180 crypto_data->cd_miscdata = NULL; 8181 } 8182