1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
24 * Copyright 2019, Joyent, Inc.
25 */
26
27 #include <sys/param.h>
28 #include <sys/types.h>
29 #include <sys/stream.h>
30 #include <sys/strsubr.h>
31 #include <sys/strsun.h>
32 #include <sys/stropts.h>
33 #include <sys/zone.h>
34 #include <sys/vnode.h>
35 #include <sys/sysmacros.h>
36 #define _SUN_TPI_VERSION 2
37 #include <sys/tihdr.h>
38 #include <sys/timod.h>
39 #include <sys/ddi.h>
40 #include <sys/sunddi.h>
41 #include <sys/mkdev.h>
42 #include <sys/debug.h>
43 #include <sys/kmem.h>
44 #include <sys/cmn_err.h>
45 #include <sys/suntpi.h>
46 #include <sys/policy.h>
47 #include <sys/dls.h>
48
49 #include <sys/socket.h>
50 #include <netinet/in.h>
51 #include <net/pfkeyv2.h>
52 #include <net/pfpolicy.h>
53
54 #include <inet/common.h>
55 #include <netinet/ip6.h>
56 #include <inet/ip.h>
57 #include <inet/ip6.h>
58 #include <inet/mi.h>
59 #include <inet/proto_set.h>
60 #include <inet/nd.h>
61 #include <inet/ip_if.h>
62 #include <inet/optcom.h>
63 #include <inet/ipsec_impl.h>
64 #include <inet/spdsock.h>
65 #include <inet/sadb.h>
66 #include <inet/iptun.h>
67 #include <inet/iptun/iptun_impl.h>
68
69 #include <sys/isa_defs.h>
70
71 #include <c2/audit.h>
72
73 /*
74 * This is a transport provider for the PF_POLICY IPsec policy
75 * management socket, which provides a management interface into the
76 * SPD, allowing policy rules to be added, deleted, and queried.
77 *
78 * This effectively replaces the old private SIOC*IPSECONFIG ioctls
79 * with an extensible interface which will hopefully be public some
80 * day.
81 *
82 * See <net/pfpolicy.h> for more details on the protocol.
83 *
84 * We link against drv/ip and call directly into it to manipulate the
85 * SPD; see ipsec_impl.h for the policy data structures and spd.c for
86 * the code which maintains them.
87 *
88 * The MT model of this is QPAIR with the addition of some explicit
89 * locking to protect system-wide policy data structures.
90 */
91
92 static vmem_t *spdsock_vmem; /* for minor numbers. */
93
94 #define ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t))
95
96 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */
97 static struct T_info_ack spdsock_g_t_info_ack = {
98 T_INFO_ACK,
99 T_INFINITE, /* TSDU_size. Maximum size messages. */
100 T_INVALID, /* ETSDU_size. No expedited data. */
101 T_INVALID, /* CDATA_size. No connect data. */
102 T_INVALID, /* DDATA_size. No disconnect data. */
103 0, /* ADDR_size. */
104 0, /* OPT_size. No user-settable options */
105 64 * 1024, /* TIDU_size. spdsock allows maximum size messages. */
106 T_COTS, /* SERV_type. spdsock supports connection oriented. */
107 TS_UNBND, /* CURRENT_state. This is set from spdsock_state. */
108 (XPG4_1) /* Provider flags */
109 };
110
111 /* Named Dispatch Parameter Management Structure */
112 typedef struct spdsockparam_s {
113 uint_t spdsock_param_min;
114 uint_t spdsock_param_max;
115 uint_t spdsock_param_value;
116 char *spdsock_param_name;
117 } spdsockparam_t;
118
119 /*
120 * Table of NDD variables supported by spdsock. These are loaded into
121 * spdsock_g_nd in spdsock_init_nd.
122 * All of these are alterable, within the min/max values given, at run time.
123 */
124 static spdsockparam_t lcl_param_arr[] = {
125 /* min max value name */
126 { 4096, 65536, 8192, "spdsock_xmit_hiwat"},
127 { 0, 65536, 1024, "spdsock_xmit_lowat"},
128 { 4096, 65536, 8192, "spdsock_recv_hiwat"},
129 { 65536, 1024*1024*1024, 256*1024, "spdsock_max_buf"},
130 { 0, 3, 0, "spdsock_debug"},
131 };
132 #define spds_xmit_hiwat spds_params[0].spdsock_param_value
133 #define spds_xmit_lowat spds_params[1].spdsock_param_value
134 #define spds_recv_hiwat spds_params[2].spdsock_param_value
135 #define spds_max_buf spds_params[3].spdsock_param_value
136 #define spds_debug spds_params[4].spdsock_param_value
137
138 #define ss0dbg(a) printf a
139 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */
140 #define ss1dbg(spds, a) if (spds->spds_debug != 0) printf a
141 #define ss2dbg(spds, a) if (spds->spds_debug > 1) printf a
142 #define ss3dbg(spds, a) if (spds->spds_debug > 2) printf a
143
144 #define RESET_SPDSOCK_DUMP_POLHEAD(ss, iph) { \
145 ASSERT(RW_READ_HELD(&(iph)->iph_lock)); \
146 (ss)->spdsock_dump_head = (iph); \
147 (ss)->spdsock_dump_gen = (iph)->iph_gen; \
148 (ss)->spdsock_dump_cur_type = 0; \
149 (ss)->spdsock_dump_cur_af = IPSEC_AF_V4; \
150 (ss)->spdsock_dump_cur_rule = NULL; \
151 (ss)->spdsock_dump_count = 0; \
152 (ss)->spdsock_dump_cur_chain = 0; \
153 }
154
155 static int spdsock_close(queue_t *, int, cred_t *);
156 static int spdsock_open(queue_t *, dev_t *, int, int, cred_t *);
157 static int spdsock_wput(queue_t *, mblk_t *);
158 static int spdsock_wsrv(queue_t *);
159 static int spdsock_rsrv(queue_t *);
160 static void *spdsock_stack_init(netstackid_t stackid, netstack_t *ns);
161 static void spdsock_stack_shutdown(netstackid_t stackid, void *arg);
162 static void spdsock_stack_fini(netstackid_t stackid, void *arg);
163 static void spdsock_loadcheck(void *);
164 static void spdsock_merge_algs(spd_stack_t *);
165 static void spdsock_flush_one(ipsec_policy_head_t *, netstack_t *);
166 static mblk_t *spdsock_dump_next_record(spdsock_t *);
167 static void update_iptun_policy(ipsec_tun_pol_t *);
168
169 static struct module_info info = {
170 5138, "spdsock", 1, INFPSZ, 512, 128
171 };
172
173 static struct qinit rinit = {
174 NULL, spdsock_rsrv, spdsock_open, spdsock_close,
175 NULL, &info
176 };
177
178 static struct qinit winit = {
179 spdsock_wput, spdsock_wsrv, NULL, NULL, NULL, &info
180 };
181
182 struct streamtab spdsockinfo = {
183 &rinit, &winit
184 };
185
186 /* mapping from alg type to protocol number, as per RFC 2407 */
187 static const uint_t algproto[] = {
188 PROTO_IPSEC_AH,
189 PROTO_IPSEC_ESP,
190 };
191
192 #define NALGPROTOS (sizeof (algproto) / sizeof (algproto[0]))
193
194 /* mapping from kernel exec mode to spdsock exec mode */
195 static const uint_t execmodes[] = {
196 SPD_ALG_EXEC_MODE_SYNC,
197 SPD_ALG_EXEC_MODE_ASYNC
198 };
199
200 #define NEXECMODES (sizeof (execmodes) / sizeof (execmodes[0]))
201
202 #define ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1)
203 #define ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2)
204
205 #define ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL)
206
207 /* ARGSUSED */
208 static int
spdsock_param_get(queue_t * q,mblk_t * mp,caddr_t cp,cred_t * cr)209 spdsock_param_get(
210 queue_t *q,
211 mblk_t *mp,
212 caddr_t cp,
213 cred_t *cr)
214 {
215 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp;
216 uint_t value;
217 spdsock_t *ss = (spdsock_t *)q->q_ptr;
218 spd_stack_t *spds = ss->spdsock_spds;
219
220 mutex_enter(&spds->spds_param_lock);
221 value = spdsockpa->spdsock_param_value;
222 mutex_exit(&spds->spds_param_lock);
223
224 (void) mi_mpprintf(mp, "%u", value);
225 return (0);
226 }
227
228 /* This routine sets an NDD variable in a spdsockparam_t structure. */
229 /* ARGSUSED */
230 static int
spdsock_param_set(queue_t * q,mblk_t * mp,char * value,caddr_t cp,cred_t * cr)231 spdsock_param_set(
232 queue_t *q,
233 mblk_t *mp,
234 char *value,
235 caddr_t cp,
236 cred_t *cr)
237 {
238 ulong_t new_value;
239 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp;
240 spdsock_t *ss = (spdsock_t *)q->q_ptr;
241 spd_stack_t *spds = ss->spdsock_spds;
242
243 /* Convert the value from a string into a long integer. */
244 if (ddi_strtoul(value, NULL, 10, &new_value) != 0)
245 return (EINVAL);
246
247 mutex_enter(&spds->spds_param_lock);
248 /*
249 * Fail the request if the new value does not lie within the
250 * required bounds.
251 */
252 if (new_value < spdsockpa->spdsock_param_min ||
253 new_value > spdsockpa->spdsock_param_max) {
254 mutex_exit(&spds->spds_param_lock);
255 return (EINVAL);
256 }
257
258 /* Set the new value */
259 spdsockpa->spdsock_param_value = new_value;
260 mutex_exit(&spds->spds_param_lock);
261
262 return (0);
263 }
264
265 /*
266 * Initialize at module load time
267 */
268 boolean_t
spdsock_ddi_init(void)269 spdsock_ddi_init(void)
270 {
271 spdsock_max_optsize = optcom_max_optsize(
272 spdsock_opt_obj.odb_opt_des_arr, spdsock_opt_obj.odb_opt_arr_cnt);
273
274 spdsock_vmem = vmem_create("spdsock", (void *)1, MAXMIN, 1,
275 NULL, NULL, NULL, 1, VM_SLEEP | VMC_IDENTIFIER);
276
277 /*
278 * We want to be informed each time a stack is created or
279 * destroyed in the kernel, so we can maintain the
280 * set of spd_stack_t's.
281 */
282 netstack_register(NS_SPDSOCK, spdsock_stack_init,
283 spdsock_stack_shutdown, spdsock_stack_fini);
284
285 return (B_TRUE);
286 }
287
288 /*
289 * Walk through the param array specified registering each element with the
290 * named dispatch handler.
291 */
292 static boolean_t
spdsock_param_register(IDP * ndp,spdsockparam_t * ssp,int cnt)293 spdsock_param_register(IDP *ndp, spdsockparam_t *ssp, int cnt)
294 {
295 for (; cnt-- > 0; ssp++) {
296 if (ssp->spdsock_param_name != NULL &&
297 ssp->spdsock_param_name[0]) {
298 if (!nd_load(ndp,
299 ssp->spdsock_param_name,
300 spdsock_param_get, spdsock_param_set,
301 (caddr_t)ssp)) {
302 nd_free(ndp);
303 return (B_FALSE);
304 }
305 }
306 }
307 return (B_TRUE);
308 }
309
310 /*
311 * Initialize for each stack instance
312 */
313 /* ARGSUSED */
314 static void *
spdsock_stack_init(netstackid_t stackid,netstack_t * ns)315 spdsock_stack_init(netstackid_t stackid, netstack_t *ns)
316 {
317 spd_stack_t *spds;
318 spdsockparam_t *ssp;
319
320 spds = (spd_stack_t *)kmem_zalloc(sizeof (*spds), KM_SLEEP);
321 spds->spds_netstack = ns;
322
323 ASSERT(spds->spds_g_nd == NULL);
324
325 ssp = (spdsockparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP);
326 spds->spds_params = ssp;
327 bcopy(lcl_param_arr, ssp, sizeof (lcl_param_arr));
328
329 (void) spdsock_param_register(&spds->spds_g_nd, ssp,
330 A_CNT(lcl_param_arr));
331
332 mutex_init(&spds->spds_param_lock, NULL, MUTEX_DEFAULT, NULL);
333 mutex_init(&spds->spds_alg_lock, NULL, MUTEX_DEFAULT, NULL);
334
335 return (spds);
336 }
337
338 void
spdsock_ddi_destroy(void)339 spdsock_ddi_destroy(void)
340 {
341 vmem_destroy(spdsock_vmem);
342
343 netstack_unregister(NS_SPDSOCK);
344 }
345
346 /*
347 * Do pre-removal cleanup.
348 */
349 /* ARGSUSED */
350 static void
spdsock_stack_shutdown(netstackid_t stackid,void * arg)351 spdsock_stack_shutdown(netstackid_t stackid, void *arg)
352 {
353 spd_stack_t *spds = (spd_stack_t *)arg;
354
355 if (spds->spds_mp_algs != NULL) {
356 freemsg(spds->spds_mp_algs);
357 spds->spds_mp_algs = NULL;
358 }
359 }
360
361 /* ARGSUSED */
362 static void
spdsock_stack_fini(netstackid_t stackid,void * arg)363 spdsock_stack_fini(netstackid_t stackid, void *arg)
364 {
365 spd_stack_t *spds = (spd_stack_t *)arg;
366
367 ASSERT(spds->spds_mp_algs == NULL);
368 mutex_destroy(&spds->spds_param_lock);
369 mutex_destroy(&spds->spds_alg_lock);
370 nd_free(&spds->spds_g_nd);
371 kmem_free(spds->spds_params, sizeof (lcl_param_arr));
372 spds->spds_params = NULL;
373
374 kmem_free(spds, sizeof (*spds));
375 }
376
377 /*
378 * NOTE: large quantities of this should be shared with keysock.
379 * Would be nice to combine some of this into a common module, but
380 * not possible given time pressures.
381 */
382
383 /*
384 * High-level reality checking of extensions.
385 */
386 /* ARGSUSED */ /* XXX */
387 static boolean_t
ext_check(spd_ext_t * ext)388 ext_check(spd_ext_t *ext)
389 {
390 spd_if_t *tunname = (spd_if_t *)ext;
391 int i;
392 char *idstr;
393
394 if (ext->spd_ext_type == SPD_EXT_TUN_NAME) {
395 /* (NOTE: Modified from SADB_EXT_IDENTITY..) */
396
397 /*
398 * Make sure the strings in these identities are
399 * null-terminated. Let's "proactively" null-terminate the
400 * string at the last byte if it's not terminated sooner.
401 */
402 i = SPD_64TO8(tunname->spd_if_len) - sizeof (spd_if_t);
403 idstr = (char *)(tunname + 1);
404 while (*idstr != '\0' && i > 0) {
405 i--;
406 idstr++;
407 }
408 if (i == 0) {
409 /*
410 * I.e., if the bozo user didn't NULL-terminate the
411 * string...
412 */
413 idstr--;
414 *idstr = '\0';
415 }
416 }
417 return (B_TRUE); /* For now... */
418 }
419
420
421
422 /* Return values for spdsock_get_ext(). */
423 #define KGE_OK 0
424 #define KGE_DUP 1
425 #define KGE_UNK 2
426 #define KGE_LEN 3
427 #define KGE_CHK 4
428
429 /*
430 * Parse basic extension headers and return in the passed-in pointer vector.
431 * Return values include:
432 *
433 * KGE_OK Everything's nice and parsed out.
434 * If there are no extensions, place NULL in extv[0].
435 * KGE_DUP There is a duplicate extension.
436 * First instance in appropriate bin. First duplicate in
437 * extv[0].
438 * KGE_UNK Unknown extension type encountered. extv[0] contains
439 * unknown header.
440 * KGE_LEN Extension length error.
441 * KGE_CHK High-level reality check failed on specific extension.
442 *
443 * My apologies for some of the pointer arithmetic in here. I'm thinking
444 * like an assembly programmer, yet trying to make the compiler happy.
445 */
446 static int
spdsock_get_ext(spd_ext_t * extv[],spd_msg_t * basehdr,uint_t msgsize)447 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize)
448 {
449 bzero(extv, sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1));
450
451 /* Use extv[0] as the "current working pointer". */
452
453 extv[0] = (spd_ext_t *)(basehdr + 1);
454
455 while (extv[0] < (spd_ext_t *)(((uint8_t *)basehdr) + msgsize)) {
456 /* Check for unknown headers. */
457 if (extv[0]->spd_ext_type == 0 ||
458 extv[0]->spd_ext_type > SPD_EXT_MAX)
459 return (KGE_UNK);
460
461 /*
462 * Check length. Use uint64_t because extlen is in units
463 * of 64-bit words. If length goes beyond the msgsize,
464 * return an error. (Zero length also qualifies here.)
465 */
466 if (extv[0]->spd_ext_len == 0 ||
467 (void *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) >
468 (void *)((uint8_t *)basehdr + msgsize))
469 return (KGE_LEN);
470
471 /* Check for redundant headers. */
472 if (extv[extv[0]->spd_ext_type] != NULL)
473 return (KGE_DUP);
474
475 /*
476 * Reality check the extension if possible at the spdsock
477 * level.
478 */
479 if (!ext_check(extv[0]))
480 return (KGE_CHK);
481
482 /* If I make it here, assign the appropriate bin. */
483 extv[extv[0]->spd_ext_type] = extv[0];
484
485 /* Advance pointer (See above for uint64_t ptr reasoning.) */
486 extv[0] = (spd_ext_t *)
487 ((uint64_t *)extv[0] + extv[0]->spd_ext_len);
488 }
489
490 /* Everything's cool. */
491
492 /*
493 * If extv[0] == NULL, then there are no extension headers in this
494 * message. Ensure that this is the case.
495 */
496 if (extv[0] == (spd_ext_t *)(basehdr + 1))
497 extv[0] = NULL;
498
499 return (KGE_OK);
500 }
501
502 static const int bad_ext_diag[] = {
503 SPD_DIAGNOSTIC_MALFORMED_LCLPORT,
504 SPD_DIAGNOSTIC_MALFORMED_REMPORT,
505 SPD_DIAGNOSTIC_MALFORMED_PROTO,
506 SPD_DIAGNOSTIC_MALFORMED_LCLADDR,
507 SPD_DIAGNOSTIC_MALFORMED_REMADDR,
508 SPD_DIAGNOSTIC_MALFORMED_ACTION,
509 SPD_DIAGNOSTIC_MALFORMED_RULE,
510 SPD_DIAGNOSTIC_MALFORMED_RULESET,
511 SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE
512 };
513
514 static const int dup_ext_diag[] = {
515 SPD_DIAGNOSTIC_DUPLICATE_LCLPORT,
516 SPD_DIAGNOSTIC_DUPLICATE_REMPORT,
517 SPD_DIAGNOSTIC_DUPLICATE_PROTO,
518 SPD_DIAGNOSTIC_DUPLICATE_LCLADDR,
519 SPD_DIAGNOSTIC_DUPLICATE_REMADDR,
520 SPD_DIAGNOSTIC_DUPLICATE_ACTION,
521 SPD_DIAGNOSTIC_DUPLICATE_RULE,
522 SPD_DIAGNOSTIC_DUPLICATE_RULESET,
523 SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE
524 };
525
526 /*
527 * Transmit a PF_POLICY error message to the instance either pointed to
528 * by ks, the instance with serial number serial, or more, depending.
529 *
530 * The faulty message (or a reasonable facsimile thereof) is in mp.
531 * This function will free mp or recycle it for delivery, thereby causing
532 * the stream head to free it.
533 */
534 static void
spdsock_error(queue_t * q,mblk_t * mp,int error,int diagnostic)535 spdsock_error(queue_t *q, mblk_t *mp, int error, int diagnostic)
536 {
537 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
538
539 ASSERT(mp->b_datap->db_type == M_DATA);
540
541 if (spmsg->spd_msg_type < SPD_MIN ||
542 spmsg->spd_msg_type > SPD_MAX)
543 spmsg->spd_msg_type = SPD_RESERVED;
544
545 /*
546 * Strip out extension headers.
547 */
548 ASSERT(mp->b_rptr + sizeof (*spmsg) <= mp->b_datap->db_lim);
549 mp->b_wptr = mp->b_rptr + sizeof (*spmsg);
550 spmsg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t));
551 spmsg->spd_msg_errno = (uint8_t)error;
552 spmsg->spd_msg_diagnostic = (uint16_t)diagnostic;
553
554 qreply(q, mp);
555 }
556
557 static void
spdsock_diag(queue_t * q,mblk_t * mp,int diagnostic)558 spdsock_diag(queue_t *q, mblk_t *mp, int diagnostic)
559 {
560 spdsock_error(q, mp, EINVAL, diagnostic);
561 }
562
563 static void
spd_echo(queue_t * q,mblk_t * mp)564 spd_echo(queue_t *q, mblk_t *mp)
565 {
566 qreply(q, mp);
567 }
568
569 /*
570 * Do NOT consume a reference to itp.
571 */
572 /*ARGSUSED*/
573 static void
spdsock_flush_node(ipsec_tun_pol_t * itp,void * cookie,netstack_t * ns)574 spdsock_flush_node(ipsec_tun_pol_t *itp, void *cookie, netstack_t *ns)
575 {
576 boolean_t active = (boolean_t)cookie;
577 ipsec_policy_head_t *iph;
578
579 iph = active ? itp->itp_policy : itp->itp_inactive;
580 IPPH_REFHOLD(iph);
581 mutex_enter(&itp->itp_lock);
582 spdsock_flush_one(iph, ns); /* Releases iph refhold. */
583 if (active)
584 itp->itp_flags &= ~ITPF_PFLAGS;
585 else
586 itp->itp_flags &= ~ITPF_IFLAGS;
587 mutex_exit(&itp->itp_lock);
588 /* SPD_FLUSH is worth a tunnel MTU check. */
589 update_iptun_policy(itp);
590 }
591
592 /*
593 * Clear out one polhead.
594 */
595 static void
spdsock_flush_one(ipsec_policy_head_t * iph,netstack_t * ns)596 spdsock_flush_one(ipsec_policy_head_t *iph, netstack_t *ns)
597 {
598 rw_enter(&iph->iph_lock, RW_WRITER);
599 ipsec_polhead_flush(iph, ns);
600 rw_exit(&iph->iph_lock);
601 IPPH_REFRELE(iph, ns);
602 }
603
604 static void
spdsock_flush(queue_t * q,ipsec_policy_head_t * iph,ipsec_tun_pol_t * itp,mblk_t * mp)605 spdsock_flush(queue_t *q, ipsec_policy_head_t *iph, ipsec_tun_pol_t *itp,
606 mblk_t *mp)
607 {
608 boolean_t active;
609 spdsock_t *ss = (spdsock_t *)q->q_ptr;
610 netstack_t *ns = ss->spdsock_spds->spds_netstack;
611 uint32_t auditing = AU_AUDITING();
612
613 if (iph != ALL_ACTIVE_POLHEADS && iph != ALL_INACTIVE_POLHEADS) {
614 spdsock_flush_one(iph, ns);
615 if (auditing) {
616 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
617 cred_t *cr;
618 pid_t cpid;
619
620 cr = msg_getcred(mp, &cpid);
621 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
622 audit_pf_policy(SPD_FLUSH, cr, ns,
623 ITP_NAME(itp), active, 0, cpid);
624 }
625 } else {
626 active = (iph == ALL_ACTIVE_POLHEADS);
627
628 /* First flush the global policy. */
629 spdsock_flush_one(active ? ipsec_system_policy(ns) :
630 ipsec_inactive_policy(ns), ns);
631 if (auditing) {
632 cred_t *cr;
633 pid_t cpid;
634
635 cr = msg_getcred(mp, &cpid);
636 audit_pf_policy(SPD_FLUSH, cr, ns, NULL,
637 active, 0, cpid);
638 }
639 /* Then flush every tunnel's appropriate one. */
640 itp_walk(spdsock_flush_node, (void *)active, ns);
641 if (auditing) {
642 cred_t *cr;
643 pid_t cpid;
644
645 cr = msg_getcred(mp, &cpid);
646 audit_pf_policy(SPD_FLUSH, cr, ns,
647 "all tunnels", active, 0, cpid);
648 }
649 }
650
651 spd_echo(q, mp);
652 }
653
654 static boolean_t
spdsock_ext_to_sel(spd_ext_t ** extv,ipsec_selkey_t * sel,int * diag)655 spdsock_ext_to_sel(spd_ext_t **extv, ipsec_selkey_t *sel, int *diag)
656 {
657 bzero(sel, sizeof (*sel));
658
659 if (extv[SPD_EXT_PROTO] != NULL) {
660 struct spd_proto *pr =
661 (struct spd_proto *)extv[SPD_EXT_PROTO];
662 sel->ipsl_proto = pr->spd_proto_number;
663 sel->ipsl_valid |= IPSL_PROTOCOL;
664 }
665 if (extv[SPD_EXT_LCLPORT] != NULL) {
666 struct spd_portrange *pr =
667 (struct spd_portrange *)extv[SPD_EXT_LCLPORT];
668 sel->ipsl_lport = pr->spd_ports_minport;
669 sel->ipsl_valid |= IPSL_LOCAL_PORT;
670 }
671 if (extv[SPD_EXT_REMPORT] != NULL) {
672 struct spd_portrange *pr =
673 (struct spd_portrange *)extv[SPD_EXT_REMPORT];
674 sel->ipsl_rport = pr->spd_ports_minport;
675 sel->ipsl_valid |= IPSL_REMOTE_PORT;
676 }
677
678 if (extv[SPD_EXT_ICMP_TYPECODE] != NULL) {
679 struct spd_typecode *tc=
680 (struct spd_typecode *)extv[SPD_EXT_ICMP_TYPECODE];
681
682 sel->ipsl_valid |= IPSL_ICMP_TYPE;
683 sel->ipsl_icmp_type = tc->spd_typecode_type;
684 if (tc->spd_typecode_type_end < tc->spd_typecode_type)
685 sel->ipsl_icmp_type_end = tc->spd_typecode_type;
686 else
687 sel->ipsl_icmp_type_end = tc->spd_typecode_type_end;
688
689 if (tc->spd_typecode_code != 255) {
690 sel->ipsl_valid |= IPSL_ICMP_CODE;
691 sel->ipsl_icmp_code = tc->spd_typecode_code;
692 if (tc->spd_typecode_code_end < tc->spd_typecode_code)
693 sel->ipsl_icmp_code_end = tc->spd_typecode_code;
694 else
695 sel->ipsl_icmp_code_end =
696 tc->spd_typecode_code_end;
697 }
698 }
699 #define ADDR2SEL(sel, extv, field, pfield, extn, bit) \
700 if ((extv)[(extn)] != NULL) { \
701 uint_t addrlen; \
702 struct spd_address *ap = \
703 (struct spd_address *)((extv)[(extn)]); \
704 addrlen = (ap->spd_address_af == AF_INET6) ? \
705 IPV6_ADDR_LEN : IP_ADDR_LEN; \
706 if (SPD_64TO8(ap->spd_address_len) < \
707 (addrlen + sizeof (*ap))) { \
708 *diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN; \
709 return (B_FALSE); \
710 } \
711 bcopy((ap+1), &((sel)->field), addrlen); \
712 (sel)->pfield = ap->spd_address_prefixlen; \
713 (sel)->ipsl_valid |= (bit); \
714 (sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ? \
715 IPSL_IPV6 : IPSL_IPV4; \
716 }
717
718 ADDR2SEL(sel, extv, ipsl_local, ipsl_local_pfxlen,
719 SPD_EXT_LCLADDR, IPSL_LOCAL_ADDR);
720 ADDR2SEL(sel, extv, ipsl_remote, ipsl_remote_pfxlen,
721 SPD_EXT_REMADDR, IPSL_REMOTE_ADDR);
722
723 if ((sel->ipsl_valid & (IPSL_IPV6|IPSL_IPV4)) ==
724 (IPSL_IPV6|IPSL_IPV4)) {
725 *diag = SPD_DIAGNOSTIC_MIXED_AF;
726 return (B_FALSE);
727 }
728
729 #undef ADDR2SEL
730
731 return (B_TRUE);
732 }
733
734 static boolean_t
spd_convert_type(uint32_t type,ipsec_act_t * act)735 spd_convert_type(uint32_t type, ipsec_act_t *act)
736 {
737 switch (type) {
738 case SPD_ACTTYPE_DROP:
739 act->ipa_type = IPSEC_ACT_DISCARD;
740 return (B_TRUE);
741
742 case SPD_ACTTYPE_PASS:
743 act->ipa_type = IPSEC_ACT_CLEAR;
744 return (B_TRUE);
745
746 case SPD_ACTTYPE_IPSEC:
747 act->ipa_type = IPSEC_ACT_APPLY;
748 return (B_TRUE);
749 }
750 return (B_FALSE);
751 }
752
753 static boolean_t
spd_convert_flags(uint32_t flags,ipsec_act_t * act)754 spd_convert_flags(uint32_t flags, ipsec_act_t *act)
755 {
756 /*
757 * Note use of !! for boolean canonicalization.
758 */
759 act->ipa_apply.ipp_use_ah = !!(flags & SPD_APPLY_AH);
760 act->ipa_apply.ipp_use_esp = !!(flags & SPD_APPLY_ESP);
761 act->ipa_apply.ipp_use_espa = !!(flags & SPD_APPLY_ESPA);
762 act->ipa_apply.ipp_use_se = !!(flags & SPD_APPLY_SE);
763 act->ipa_apply.ipp_use_unique = !!(flags & SPD_APPLY_UNIQUE);
764 return (B_TRUE);
765 }
766
767 static void
spdsock_reset_act(ipsec_act_t * act)768 spdsock_reset_act(ipsec_act_t *act)
769 {
770 bzero(act, sizeof (*act));
771 act->ipa_apply.ipp_espe_maxbits = IPSEC_MAX_KEYBITS;
772 act->ipa_apply.ipp_espa_maxbits = IPSEC_MAX_KEYBITS;
773 act->ipa_apply.ipp_ah_maxbits = IPSEC_MAX_KEYBITS;
774 }
775
776 /*
777 * Sanity check action against reality, and shrink-wrap key sizes..
778 */
779 static boolean_t
spdsock_check_action(ipsec_act_t * act,boolean_t tunnel_polhead,int * diag,spd_stack_t * spds)780 spdsock_check_action(ipsec_act_t *act, boolean_t tunnel_polhead, int *diag,
781 spd_stack_t *spds)
782 {
783 if (tunnel_polhead && act->ipa_apply.ipp_use_unique) {
784 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
785 return (B_FALSE);
786 }
787 if ((act->ipa_type != IPSEC_ACT_APPLY) &&
788 (act->ipa_apply.ipp_use_ah ||
789 act->ipa_apply.ipp_use_esp ||
790 act->ipa_apply.ipp_use_espa ||
791 act->ipa_apply.ipp_use_se ||
792 act->ipa_apply.ipp_use_unique)) {
793 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
794 return (B_FALSE);
795 }
796 if ((act->ipa_type == IPSEC_ACT_APPLY) &&
797 !act->ipa_apply.ipp_use_ah &&
798 !act->ipa_apply.ipp_use_esp) {
799 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
800 return (B_FALSE);
801 }
802 return (ipsec_check_action(act, diag, spds->spds_netstack));
803 }
804
805 /*
806 * We may be short a few error checks here..
807 */
808 static boolean_t
spdsock_ext_to_actvec(spd_ext_t ** extv,ipsec_act_t ** actpp,uint_t * nactp,int * diag,spd_stack_t * spds)809 spdsock_ext_to_actvec(spd_ext_t **extv, ipsec_act_t **actpp, uint_t *nactp,
810 int *diag, spd_stack_t *spds)
811 {
812 struct spd_ext_actions *sactp =
813 (struct spd_ext_actions *)extv[SPD_EXT_ACTION];
814 ipsec_act_t act, *actp, *endactp;
815 struct spd_attribute *attrp, *endattrp;
816 uint64_t *endp;
817 int nact;
818 boolean_t tunnel_polhead;
819
820 tunnel_polhead = (extv[SPD_EXT_TUN_NAME] != NULL &&
821 (((struct spd_rule *)extv[SPD_EXT_RULE])->spd_rule_flags &
822 SPD_RULE_FLAG_TUNNEL));
823
824 *actpp = NULL;
825 *nactp = 0;
826
827 if (sactp == NULL) {
828 *diag = SPD_DIAGNOSTIC_NO_ACTION_EXT;
829 return (B_FALSE);
830 }
831
832 /*
833 * Parse the "action" extension and convert into an action chain.
834 */
835
836 nact = sactp->spd_actions_count;
837
838 endp = (uint64_t *)sactp;
839 endp += sactp->spd_actions_len;
840 endattrp = (struct spd_attribute *)endp;
841
842 actp = kmem_alloc(sizeof (*actp) * nact, KM_NOSLEEP);
843 if (actp == NULL) {
844 *diag = SPD_DIAGNOSTIC_ADD_NO_MEM;
845 return (B_FALSE);
846 }
847 *actpp = actp;
848 *nactp = nact;
849 endactp = actp + nact;
850
851 spdsock_reset_act(&act);
852 attrp = (struct spd_attribute *)(&sactp[1]);
853
854 for (; attrp < endattrp; attrp++) {
855 switch (attrp->spd_attr_tag) {
856 case SPD_ATTR_NOP:
857 break;
858
859 case SPD_ATTR_EMPTY:
860 spdsock_reset_act(&act);
861 break;
862
863 case SPD_ATTR_END:
864 attrp = endattrp;
865 /* FALLTHRU */
866 case SPD_ATTR_NEXT:
867 if (actp >= endactp) {
868 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT;
869 goto fail;
870 }
871 if (!spdsock_check_action(&act, tunnel_polhead,
872 diag, spds))
873 goto fail;
874 *actp++ = act;
875 spdsock_reset_act(&act);
876 break;
877
878 case SPD_ATTR_TYPE:
879 if (!spd_convert_type(attrp->spd_attr_value, &act)) {
880 *diag = SPD_DIAGNOSTIC_ADD_BAD_TYPE;
881 goto fail;
882 }
883 break;
884
885 case SPD_ATTR_FLAGS:
886 if (!tunnel_polhead && extv[SPD_EXT_TUN_NAME] != NULL) {
887 /*
888 * Set "sa unique" for transport-mode
889 * tunnels whether we want to or not.
890 */
891 attrp->spd_attr_value |= SPD_APPLY_UNIQUE;
892 }
893 if (!spd_convert_flags(attrp->spd_attr_value, &act)) {
894 *diag = SPD_DIAGNOSTIC_ADD_BAD_FLAGS;
895 goto fail;
896 }
897 break;
898
899 case SPD_ATTR_AH_AUTH:
900 if (attrp->spd_attr_value == 0) {
901 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG;
902 goto fail;
903 }
904 act.ipa_apply.ipp_auth_alg = attrp->spd_attr_value;
905 break;
906
907 case SPD_ATTR_ESP_ENCR:
908 if (attrp->spd_attr_value == 0) {
909 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG;
910 goto fail;
911 }
912 act.ipa_apply.ipp_encr_alg = attrp->spd_attr_value;
913 break;
914
915 case SPD_ATTR_ESP_AUTH:
916 if (attrp->spd_attr_value == 0) {
917 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG;
918 goto fail;
919 }
920 act.ipa_apply.ipp_esp_auth_alg = attrp->spd_attr_value;
921 break;
922
923 case SPD_ATTR_ENCR_MINBITS:
924 act.ipa_apply.ipp_espe_minbits = attrp->spd_attr_value;
925 break;
926
927 case SPD_ATTR_ENCR_MAXBITS:
928 act.ipa_apply.ipp_espe_maxbits = attrp->spd_attr_value;
929 break;
930
931 case SPD_ATTR_AH_MINBITS:
932 act.ipa_apply.ipp_ah_minbits = attrp->spd_attr_value;
933 break;
934
935 case SPD_ATTR_AH_MAXBITS:
936 act.ipa_apply.ipp_ah_maxbits = attrp->spd_attr_value;
937 break;
938
939 case SPD_ATTR_ESPA_MINBITS:
940 act.ipa_apply.ipp_espa_minbits = attrp->spd_attr_value;
941 break;
942
943 case SPD_ATTR_ESPA_MAXBITS:
944 act.ipa_apply.ipp_espa_maxbits = attrp->spd_attr_value;
945 break;
946
947 case SPD_ATTR_LIFE_SOFT_TIME:
948 case SPD_ATTR_LIFE_HARD_TIME:
949 case SPD_ATTR_LIFE_SOFT_BYTES:
950 case SPD_ATTR_LIFE_HARD_BYTES:
951 break;
952
953 case SPD_ATTR_KM_PROTO:
954 act.ipa_apply.ipp_km_proto = attrp->spd_attr_value;
955 break;
956
957 case SPD_ATTR_KM_COOKIE:
958 act.ipa_apply.ipp_km_cookie = attrp->spd_attr_value;
959 break;
960
961 case SPD_ATTR_REPLAY_DEPTH:
962 act.ipa_apply.ipp_replay_depth = attrp->spd_attr_value;
963 break;
964 }
965 }
966 if (actp != endactp) {
967 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT;
968 goto fail;
969 }
970
971 return (B_TRUE);
972 fail:
973 ipsec_actvec_free(*actpp, nact);
974 *actpp = NULL;
975 return (B_FALSE);
976 }
977
978 typedef struct
979 {
980 ipsec_policy_t *pol;
981 int dir;
982 } tmprule_t;
983
984 static int
mkrule(ipsec_policy_head_t * iph,struct spd_rule * rule,ipsec_selkey_t * sel,ipsec_act_t * actp,int nact,uint_t dir,uint_t af,tmprule_t ** rp,uint64_t * index,spd_stack_t * spds)985 mkrule(ipsec_policy_head_t *iph, struct spd_rule *rule,
986 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t af,
987 tmprule_t **rp, uint64_t *index, spd_stack_t *spds)
988 {
989 ipsec_policy_t *pol;
990
991 sel->ipsl_valid &= ~(IPSL_IPV6|IPSL_IPV4);
992 sel->ipsl_valid |= af;
993
994 pol = ipsec_policy_create(sel, actp, nact, rule->spd_rule_priority,
995 index, spds->spds_netstack);
996 if (pol == NULL)
997 return (ENOMEM);
998
999 (*rp)->pol = pol;
1000 (*rp)->dir = dir;
1001 (*rp)++;
1002
1003 if (!ipsec_check_policy(iph, pol, dir))
1004 return (EEXIST);
1005
1006 rule->spd_rule_index = pol->ipsp_index;
1007 return (0);
1008 }
1009
1010 static int
mkrulepair(ipsec_policy_head_t * iph,struct spd_rule * rule,ipsec_selkey_t * sel,ipsec_act_t * actp,int nact,uint_t dir,uint_t afs,tmprule_t ** rp,uint64_t * index,spd_stack_t * spds)1011 mkrulepair(ipsec_policy_head_t *iph, struct spd_rule *rule,
1012 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t afs,
1013 tmprule_t **rp, uint64_t *index, spd_stack_t *spds)
1014 {
1015 int error;
1016
1017 if (afs & IPSL_IPV4) {
1018 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV4, rp,
1019 index, spds);
1020 if (error != 0)
1021 return (error);
1022 }
1023 if (afs & IPSL_IPV6) {
1024 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV6, rp,
1025 index, spds);
1026 if (error != 0)
1027 return (error);
1028 }
1029 return (0);
1030 }
1031
1032
1033 static void
spdsock_addrule(queue_t * q,ipsec_policy_head_t * iph,mblk_t * mp,spd_ext_t ** extv,ipsec_tun_pol_t * itp)1034 spdsock_addrule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1035 spd_ext_t **extv, ipsec_tun_pol_t *itp)
1036 {
1037 ipsec_selkey_t sel;
1038 ipsec_act_t *actp;
1039 uint_t nact;
1040 int diag = 0, error, afs;
1041 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE];
1042 tmprule_t rules[4], *rulep = &rules[0];
1043 boolean_t tunnel_mode, empty_itp, active;
1044 uint64_t *index = (itp == NULL) ? NULL : &itp->itp_next_policy_index;
1045 spdsock_t *ss = (spdsock_t *)q->q_ptr;
1046 spd_stack_t *spds = ss->spdsock_spds;
1047 uint32_t auditing = AU_AUDITING();
1048
1049 if (rule == NULL) {
1050 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT);
1051 if (auditing) {
1052 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1053 cred_t *cr;
1054 pid_t cpid;
1055
1056 cr = msg_getcred(mp, &cpid);
1057 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1058 audit_pf_policy(SPD_ADDRULE, cr,
1059 spds->spds_netstack, ITP_NAME(itp), active,
1060 SPD_DIAGNOSTIC_NO_RULE_EXT, cpid);
1061 }
1062 return;
1063 }
1064
1065 tunnel_mode = (rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL);
1066
1067 if (itp != NULL) {
1068 mutex_enter(&itp->itp_lock);
1069 ASSERT(itp->itp_policy == iph || itp->itp_inactive == iph);
1070 active = (itp->itp_policy == iph);
1071 if (ITP_P_ISACTIVE(itp, iph)) {
1072 /* Check for mix-and-match of tunnel/transport. */
1073 if ((tunnel_mode && !ITP_P_ISTUNNEL(itp, iph)) ||
1074 (!tunnel_mode && ITP_P_ISTUNNEL(itp, iph))) {
1075 mutex_exit(&itp->itp_lock);
1076 spdsock_error(q, mp, EBUSY, 0);
1077 return;
1078 }
1079 empty_itp = B_FALSE;
1080 } else {
1081 empty_itp = B_TRUE;
1082 itp->itp_flags = active ? ITPF_P_ACTIVE : ITPF_I_ACTIVE;
1083 if (tunnel_mode)
1084 itp->itp_flags |= active ? ITPF_P_TUNNEL :
1085 ITPF_I_TUNNEL;
1086 }
1087 } else {
1088 empty_itp = B_FALSE;
1089 }
1090
1091 if (rule->spd_rule_index != 0) {
1092 diag = SPD_DIAGNOSTIC_INVALID_RULE_INDEX;
1093 error = EINVAL;
1094 goto fail2;
1095 }
1096
1097 if (!spdsock_ext_to_sel(extv, &sel, &diag)) {
1098 error = EINVAL;
1099 goto fail2;
1100 }
1101
1102 if (itp != NULL) {
1103 if (tunnel_mode) {
1104 if (sel.ipsl_valid &
1105 (IPSL_REMOTE_PORT | IPSL_LOCAL_PORT)) {
1106 itp->itp_flags |= active ?
1107 ITPF_P_PER_PORT_SECURITY :
1108 ITPF_I_PER_PORT_SECURITY;
1109 }
1110 } else {
1111 /*
1112 * For now, we don't allow transport-mode on a tunnel
1113 * with ANY specific selectors. Bail if we have such
1114 * a request.
1115 */
1116 if (sel.ipsl_valid & IPSL_WILDCARD) {
1117 diag = SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS;
1118 error = EINVAL;
1119 goto fail2;
1120 }
1121 }
1122 }
1123
1124 if (!spdsock_ext_to_actvec(extv, &actp, &nact, &diag, spds)) {
1125 error = EINVAL;
1126 goto fail2;
1127 }
1128 /*
1129 * If no addresses were specified, add both.
1130 */
1131 afs = sel.ipsl_valid & (IPSL_IPV6|IPSL_IPV4);
1132 if (afs == 0)
1133 afs = (IPSL_IPV6|IPSL_IPV4);
1134
1135 rw_enter(&iph->iph_lock, RW_WRITER);
1136
1137 if (rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) {
1138 error = mkrulepair(iph, rule, &sel, actp, nact,
1139 IPSEC_TYPE_OUTBOUND, afs, &rulep, index, spds);
1140 if (error != 0)
1141 goto fail;
1142 }
1143
1144 if (rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) {
1145 error = mkrulepair(iph, rule, &sel, actp, nact,
1146 IPSEC_TYPE_INBOUND, afs, &rulep, index, spds);
1147 if (error != 0)
1148 goto fail;
1149 }
1150
1151 while ((--rulep) >= &rules[0]) {
1152 ipsec_enter_policy(iph, rulep->pol, rulep->dir,
1153 spds->spds_netstack);
1154 }
1155 rw_exit(&iph->iph_lock);
1156 if (itp != NULL)
1157 mutex_exit(&itp->itp_lock);
1158
1159 ipsec_actvec_free(actp, nact);
1160 spd_echo(q, mp);
1161 if (auditing) {
1162 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1163 cred_t *cr;
1164 pid_t cpid;
1165
1166 cr = msg_getcred(mp, &cpid);
1167 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1168 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack,
1169 ITP_NAME(itp), active, 0, cpid);
1170 }
1171 return;
1172
1173 fail:
1174 rw_exit(&iph->iph_lock);
1175 while ((--rulep) >= &rules[0])
1176 IPPOL_REFRELE(rulep->pol);
1177 ipsec_actvec_free(actp, nact);
1178 fail2:
1179 if (itp != NULL) {
1180 if (empty_itp)
1181 itp->itp_flags = 0;
1182 mutex_exit(&itp->itp_lock);
1183 }
1184 spdsock_error(q, mp, error, diag);
1185 if (auditing) {
1186 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1187 cred_t *cr;
1188 pid_t cpid;
1189
1190 cr = msg_getcred(mp, &cpid);
1191 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1192 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack,
1193 ITP_NAME(itp), active, error, cpid);
1194 }
1195 }
1196
1197 void
spdsock_deleterule(queue_t * q,ipsec_policy_head_t * iph,mblk_t * mp,spd_ext_t ** extv,ipsec_tun_pol_t * itp)1198 spdsock_deleterule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1199 spd_ext_t **extv, ipsec_tun_pol_t *itp)
1200 {
1201 ipsec_selkey_t sel;
1202 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE];
1203 int err, diag = 0;
1204 spdsock_t *ss = (spdsock_t *)q->q_ptr;
1205 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1206 uint32_t auditing = AU_AUDITING();
1207
1208 if (rule == NULL) {
1209 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT);
1210 if (auditing) {
1211 boolean_t active;
1212 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1213 cred_t *cr;
1214 pid_t cpid;
1215
1216 cr = msg_getcred(mp, &cpid);
1217 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1218 audit_pf_policy(SPD_DELETERULE, cr, ns,
1219 ITP_NAME(itp), active, SPD_DIAGNOSTIC_NO_RULE_EXT,
1220 cpid);
1221 }
1222 return;
1223 }
1224
1225 /*
1226 * Must enter itp_lock first to avoid deadlock. See tun.c's
1227 * set_sec_simple() for the other case of itp_lock and iph_lock.
1228 */
1229 if (itp != NULL)
1230 mutex_enter(&itp->itp_lock);
1231
1232 if (rule->spd_rule_index != 0) {
1233 if (ipsec_policy_delete_index(iph, rule->spd_rule_index, ns) !=
1234 0) {
1235 err = ESRCH;
1236 goto fail;
1237 }
1238 } else {
1239 if (!spdsock_ext_to_sel(extv, &sel, &diag)) {
1240 err = EINVAL; /* diag already set... */
1241 goto fail;
1242 }
1243
1244 if ((rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) &&
1245 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_INBOUND, ns)) {
1246 err = ESRCH;
1247 goto fail;
1248 }
1249
1250 if ((rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) &&
1251 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_OUTBOUND, ns)) {
1252 err = ESRCH;
1253 goto fail;
1254 }
1255 }
1256
1257 if (itp != NULL) {
1258 ASSERT(iph == itp->itp_policy || iph == itp->itp_inactive);
1259 rw_enter(&iph->iph_lock, RW_READER);
1260 if (avl_numnodes(&iph->iph_rulebyid) == 0) {
1261 if (iph == itp->itp_policy)
1262 itp->itp_flags &= ~ITPF_PFLAGS;
1263 else
1264 itp->itp_flags &= ~ITPF_IFLAGS;
1265 }
1266 /* Can exit locks in any order. */
1267 rw_exit(&iph->iph_lock);
1268 mutex_exit(&itp->itp_lock);
1269 }
1270 spd_echo(q, mp);
1271 if (auditing) {
1272 boolean_t active;
1273 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1274 cred_t *cr;
1275 pid_t cpid;
1276
1277 cr = msg_getcred(mp, &cpid);
1278 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1279 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp),
1280 active, 0, cpid);
1281 }
1282 return;
1283 fail:
1284 if (itp != NULL)
1285 mutex_exit(&itp->itp_lock);
1286 spdsock_error(q, mp, err, diag);
1287 if (auditing) {
1288 boolean_t active;
1289 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1290 cred_t *cr;
1291 pid_t cpid;
1292
1293 cr = msg_getcred(mp, &cpid);
1294 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1295 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp),
1296 active, err, cpid);
1297 }
1298 }
1299
1300 /* Do NOT consume a reference to itp. */
1301 /* ARGSUSED */
1302 static void
spdsock_flip_node(ipsec_tun_pol_t * itp,void * ignoreme,netstack_t * ns)1303 spdsock_flip_node(ipsec_tun_pol_t *itp, void *ignoreme, netstack_t *ns)
1304 {
1305 mutex_enter(&itp->itp_lock);
1306 ITPF_SWAP(itp->itp_flags);
1307 ipsec_swap_policy(itp->itp_policy, itp->itp_inactive, ns);
1308 mutex_exit(&itp->itp_lock);
1309 /* SPD_FLIP is worth a tunnel MTU check. */
1310 update_iptun_policy(itp);
1311 }
1312
1313 void
spdsock_flip(queue_t * q,mblk_t * mp,spd_if_t * tunname)1314 spdsock_flip(queue_t *q, mblk_t *mp, spd_if_t *tunname)
1315 {
1316 char *tname;
1317 ipsec_tun_pol_t *itp;
1318 spdsock_t *ss = (spdsock_t *)q->q_ptr;
1319 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1320 uint32_t auditing = AU_AUDITING();
1321
1322 if (tunname != NULL) {
1323 tname = (char *)tunname->spd_if_name;
1324 if (*tname == '\0') {
1325 /* can't fail */
1326 ipsec_swap_global_policy(ns);
1327 if (auditing) {
1328 boolean_t active;
1329 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1330 cred_t *cr;
1331 pid_t cpid;
1332
1333 cr = msg_getcred(mp, &cpid);
1334 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1335 audit_pf_policy(SPD_FLIP, cr, ns,
1336 NULL, active, 0, cpid);
1337 }
1338 itp_walk(spdsock_flip_node, NULL, ns);
1339 if (auditing) {
1340 boolean_t active;
1341 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1342 cred_t *cr;
1343 pid_t cpid;
1344
1345 cr = msg_getcred(mp, &cpid);
1346 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1347 audit_pf_policy(SPD_FLIP, cr, ns,
1348 "all tunnels", active, 0, cpid);
1349 }
1350 } else {
1351 itp = get_tunnel_policy(tname, ns);
1352 if (itp == NULL) {
1353 /* Better idea for "tunnel not found"? */
1354 spdsock_error(q, mp, ESRCH, 0);
1355 if (auditing) {
1356 boolean_t active;
1357 spd_msg_t *spmsg =
1358 (spd_msg_t *)mp->b_rptr;
1359 cred_t *cr;
1360 pid_t cpid;
1361
1362 cr = msg_getcred(mp, &cpid);
1363 active = (spmsg->spd_msg_spdid ==
1364 SPD_ACTIVE);
1365 audit_pf_policy(SPD_FLIP, cr, ns,
1366 ITP_NAME(itp), active,
1367 ESRCH, cpid);
1368 }
1369 return;
1370 }
1371 spdsock_flip_node(itp, NULL, ns);
1372 if (auditing) {
1373 boolean_t active;
1374 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1375 cred_t *cr;
1376 pid_t cpid;
1377
1378 cr = msg_getcred(mp, &cpid);
1379 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1380 audit_pf_policy(SPD_FLIP, cr, ns,
1381 ITP_NAME(itp), active, 0, cpid);
1382 }
1383 ITP_REFRELE(itp, ns);
1384 }
1385 } else {
1386 ipsec_swap_global_policy(ns); /* can't fail */
1387 if (auditing) {
1388 boolean_t active;
1389 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1390 cred_t *cr;
1391 pid_t cpid;
1392
1393 cr = msg_getcred(mp, &cpid);
1394 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1395 audit_pf_policy(SPD_FLIP, cr,
1396 ns, NULL, active, 0, cpid);
1397 }
1398 }
1399 spd_echo(q, mp);
1400 }
1401
1402 /*
1403 * Unimplemented feature
1404 */
1405 /* ARGSUSED */
1406 static void
spdsock_lookup(queue_t * q,ipsec_policy_head_t * iph,mblk_t * mp,spd_ext_t ** extv,ipsec_tun_pol_t * itp)1407 spdsock_lookup(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1408 spd_ext_t **extv, ipsec_tun_pol_t *itp)
1409 {
1410 spdsock_error(q, mp, EINVAL, 0);
1411 }
1412
1413
1414 static mblk_t *
spdsock_dump_ruleset(mblk_t * req,ipsec_policy_head_t * iph,uint32_t count,uint16_t error)1415 spdsock_dump_ruleset(mblk_t *req, ipsec_policy_head_t *iph,
1416 uint32_t count, uint16_t error)
1417 {
1418 size_t len = sizeof (spd_ruleset_ext_t) + sizeof (spd_msg_t);
1419 spd_msg_t *msg;
1420 spd_ruleset_ext_t *ruleset;
1421 mblk_t *m = allocb(len, BPRI_HI);
1422
1423 ASSERT(RW_READ_HELD(&iph->iph_lock));
1424
1425 if (m == NULL) {
1426 return (NULL);
1427 }
1428 msg = (spd_msg_t *)m->b_rptr;
1429 ruleset = (spd_ruleset_ext_t *)(&msg[1]);
1430
1431 m->b_wptr = (uint8_t *)&ruleset[1];
1432
1433 *msg = *(spd_msg_t *)(req->b_rptr);
1434 msg->spd_msg_len = SPD_8TO64(len);
1435 msg->spd_msg_errno = error;
1436
1437 ruleset->spd_ruleset_len = SPD_8TO64(sizeof (*ruleset));
1438 ruleset->spd_ruleset_type = SPD_EXT_RULESET;
1439 ruleset->spd_ruleset_count = count;
1440 ruleset->spd_ruleset_version = iph->iph_gen;
1441 return (m);
1442 }
1443
1444 static mblk_t *
spdsock_dump_finish(spdsock_t * ss,int error)1445 spdsock_dump_finish(spdsock_t *ss, int error)
1446 {
1447 mblk_t *m;
1448 ipsec_policy_head_t *iph = ss->spdsock_dump_head;
1449 mblk_t *req = ss->spdsock_dump_req;
1450 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1451
1452 rw_enter(&iph->iph_lock, RW_READER);
1453 m = spdsock_dump_ruleset(req, iph, ss->spdsock_dump_count, error);
1454 rw_exit(&iph->iph_lock);
1455 IPPH_REFRELE(iph, ns);
1456 if (ss->spdsock_itp != NULL) {
1457 ITP_REFRELE(ss->spdsock_itp, ns);
1458 ss->spdsock_itp = NULL;
1459 }
1460 ss->spdsock_dump_req = NULL;
1461 freemsg(req);
1462
1463 return (m);
1464 }
1465
1466 /*
1467 * Rule encoding functions.
1468 * We do a two-pass encode.
1469 * If base != NULL, fill in encoded rule part starting at base+offset.
1470 * Always return "offset" plus length of to-be-encoded data.
1471 */
1472 static uint_t
spdsock_encode_typecode(uint8_t * base,uint_t offset,uint8_t type,uint8_t type_end,uint8_t code,uint8_t code_end)1473 spdsock_encode_typecode(uint8_t *base, uint_t offset, uint8_t type,
1474 uint8_t type_end, uint8_t code, uint8_t code_end)
1475 {
1476 struct spd_typecode *tcp;
1477
1478 ASSERT(ALIGNED64(offset));
1479
1480 if (base != NULL) {
1481 tcp = (struct spd_typecode *)(base + offset);
1482 tcp->spd_typecode_len = SPD_8TO64(sizeof (*tcp));
1483 tcp->spd_typecode_exttype = SPD_EXT_ICMP_TYPECODE;
1484 tcp->spd_typecode_code = code;
1485 tcp->spd_typecode_type = type;
1486 tcp->spd_typecode_type_end = type_end;
1487 tcp->spd_typecode_code_end = code_end;
1488 }
1489 offset += sizeof (*tcp);
1490
1491 ASSERT(ALIGNED64(offset));
1492
1493 return (offset);
1494 }
1495
1496 static uint_t
spdsock_encode_proto(uint8_t * base,uint_t offset,uint8_t proto)1497 spdsock_encode_proto(uint8_t *base, uint_t offset, uint8_t proto)
1498 {
1499 struct spd_proto *spp;
1500
1501 ASSERT(ALIGNED64(offset));
1502
1503 if (base != NULL) {
1504 spp = (struct spd_proto *)(base + offset);
1505 spp->spd_proto_len = SPD_8TO64(sizeof (*spp));
1506 spp->spd_proto_exttype = SPD_EXT_PROTO;
1507 spp->spd_proto_number = proto;
1508 spp->spd_proto_reserved1 = 0;
1509 spp->spd_proto_reserved2 = 0;
1510 }
1511 offset += sizeof (*spp);
1512
1513 ASSERT(ALIGNED64(offset));
1514
1515 return (offset);
1516 }
1517
1518 static uint_t
spdsock_encode_port(uint8_t * base,uint_t offset,uint16_t ext,uint16_t port)1519 spdsock_encode_port(uint8_t *base, uint_t offset, uint16_t ext, uint16_t port)
1520 {
1521 struct spd_portrange *spp;
1522
1523 ASSERT(ALIGNED64(offset));
1524
1525 if (base != NULL) {
1526 spp = (struct spd_portrange *)(base + offset);
1527 spp->spd_ports_len = SPD_8TO64(sizeof (*spp));
1528 spp->spd_ports_exttype = ext;
1529 spp->spd_ports_minport = port;
1530 spp->spd_ports_maxport = port;
1531 }
1532 offset += sizeof (*spp);
1533
1534 ASSERT(ALIGNED64(offset));
1535
1536 return (offset);
1537 }
1538
1539 static uint_t
spdsock_encode_addr(uint8_t * base,uint_t offset,uint16_t ext,const ipsec_selkey_t * sel,const ipsec_addr_t * addr,uint_t pfxlen)1540 spdsock_encode_addr(uint8_t *base, uint_t offset, uint16_t ext,
1541 const ipsec_selkey_t *sel, const ipsec_addr_t *addr, uint_t pfxlen)
1542 {
1543 struct spd_address *sae;
1544 ipsec_addr_t *spdaddr;
1545 uint_t start = offset;
1546 uint_t addrlen;
1547 uint_t af;
1548
1549 if (sel->ipsl_valid & IPSL_IPV4) {
1550 af = AF_INET;
1551 addrlen = IP_ADDR_LEN;
1552 } else {
1553 af = AF_INET6;
1554 addrlen = IPV6_ADDR_LEN;
1555 }
1556
1557 ASSERT(ALIGNED64(offset));
1558
1559 if (base != NULL) {
1560 sae = (struct spd_address *)(base + offset);
1561 sae->spd_address_exttype = ext;
1562 sae->spd_address_af = af;
1563 sae->spd_address_prefixlen = pfxlen;
1564 sae->spd_address_reserved2 = 0;
1565
1566 spdaddr = (ipsec_addr_t *)(&sae[1]);
1567 bcopy(addr, spdaddr, addrlen);
1568 }
1569 offset += sizeof (*sae);
1570 addrlen = roundup(addrlen, sizeof (uint64_t));
1571 offset += addrlen;
1572
1573 ASSERT(ALIGNED64(offset));
1574
1575 if (base != NULL)
1576 sae->spd_address_len = SPD_8TO64(offset - start);
1577 return (offset);
1578 }
1579
1580 static uint_t
spdsock_encode_sel(uint8_t * base,uint_t offset,const ipsec_sel_t * sel)1581 spdsock_encode_sel(uint8_t *base, uint_t offset, const ipsec_sel_t *sel)
1582 {
1583 const ipsec_selkey_t *selkey = &sel->ipsl_key;
1584
1585 if (selkey->ipsl_valid & IPSL_PROTOCOL)
1586 offset = spdsock_encode_proto(base, offset, selkey->ipsl_proto);
1587 if (selkey->ipsl_valid & IPSL_LOCAL_PORT)
1588 offset = spdsock_encode_port(base, offset, SPD_EXT_LCLPORT,
1589 selkey->ipsl_lport);
1590 if (selkey->ipsl_valid & IPSL_REMOTE_PORT)
1591 offset = spdsock_encode_port(base, offset, SPD_EXT_REMPORT,
1592 selkey->ipsl_rport);
1593 if (selkey->ipsl_valid & IPSL_REMOTE_ADDR)
1594 offset = spdsock_encode_addr(base, offset, SPD_EXT_REMADDR,
1595 selkey, &selkey->ipsl_remote, selkey->ipsl_remote_pfxlen);
1596 if (selkey->ipsl_valid & IPSL_LOCAL_ADDR)
1597 offset = spdsock_encode_addr(base, offset, SPD_EXT_LCLADDR,
1598 selkey, &selkey->ipsl_local, selkey->ipsl_local_pfxlen);
1599 if (selkey->ipsl_valid & IPSL_ICMP_TYPE) {
1600 offset = spdsock_encode_typecode(base, offset,
1601 selkey->ipsl_icmp_type, selkey->ipsl_icmp_type_end,
1602 (selkey->ipsl_valid & IPSL_ICMP_CODE) ?
1603 selkey->ipsl_icmp_code : 255,
1604 (selkey->ipsl_valid & IPSL_ICMP_CODE) ?
1605 selkey->ipsl_icmp_code_end : 255);
1606 }
1607 return (offset);
1608 }
1609
1610 static uint_t
spdsock_encode_actattr(uint8_t * base,uint_t offset,uint32_t tag,uint32_t value)1611 spdsock_encode_actattr(uint8_t *base, uint_t offset, uint32_t tag,
1612 uint32_t value)
1613 {
1614 struct spd_attribute *attr;
1615
1616 ASSERT(ALIGNED64(offset));
1617
1618 if (base != NULL) {
1619 attr = (struct spd_attribute *)(base + offset);
1620 attr->spd_attr_tag = tag;
1621 attr->spd_attr_value = value;
1622 }
1623 offset += sizeof (struct spd_attribute);
1624
1625 ASSERT(ALIGNED64(offset));
1626
1627 return (offset);
1628 }
1629
1630
1631 #define EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v))
1632
1633 static uint_t
spdsock_encode_action(uint8_t * base,uint_t offset,const ipsec_action_t * ap)1634 spdsock_encode_action(uint8_t *base, uint_t offset, const ipsec_action_t *ap)
1635 {
1636 const struct ipsec_act *act = &(ap->ipa_act);
1637 uint_t flags;
1638
1639 EMIT(SPD_ATTR_EMPTY, 0);
1640 switch (act->ipa_type) {
1641 case IPSEC_ACT_DISCARD:
1642 case IPSEC_ACT_REJECT:
1643 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_DROP);
1644 break;
1645 case IPSEC_ACT_BYPASS:
1646 case IPSEC_ACT_CLEAR:
1647 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_PASS);
1648 break;
1649
1650 case IPSEC_ACT_APPLY:
1651 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_IPSEC);
1652 flags = 0;
1653 if (act->ipa_apply.ipp_use_ah)
1654 flags |= SPD_APPLY_AH;
1655 if (act->ipa_apply.ipp_use_esp)
1656 flags |= SPD_APPLY_ESP;
1657 if (act->ipa_apply.ipp_use_espa)
1658 flags |= SPD_APPLY_ESPA;
1659 if (act->ipa_apply.ipp_use_se)
1660 flags |= SPD_APPLY_SE;
1661 if (act->ipa_apply.ipp_use_unique)
1662 flags |= SPD_APPLY_UNIQUE;
1663 EMIT(SPD_ATTR_FLAGS, flags);
1664 if (flags & SPD_APPLY_AH) {
1665 EMIT(SPD_ATTR_AH_AUTH, act->ipa_apply.ipp_auth_alg);
1666 EMIT(SPD_ATTR_AH_MINBITS,
1667 act->ipa_apply.ipp_ah_minbits);
1668 EMIT(SPD_ATTR_AH_MAXBITS,
1669 act->ipa_apply.ipp_ah_maxbits);
1670 }
1671 if (flags & SPD_APPLY_ESP) {
1672 EMIT(SPD_ATTR_ESP_ENCR, act->ipa_apply.ipp_encr_alg);
1673 EMIT(SPD_ATTR_ENCR_MINBITS,
1674 act->ipa_apply.ipp_espe_minbits);
1675 EMIT(SPD_ATTR_ENCR_MAXBITS,
1676 act->ipa_apply.ipp_espe_maxbits);
1677 if (flags & SPD_APPLY_ESPA) {
1678 EMIT(SPD_ATTR_ESP_AUTH,
1679 act->ipa_apply.ipp_esp_auth_alg);
1680 EMIT(SPD_ATTR_ESPA_MINBITS,
1681 act->ipa_apply.ipp_espa_minbits);
1682 EMIT(SPD_ATTR_ESPA_MAXBITS,
1683 act->ipa_apply.ipp_espa_maxbits);
1684 }
1685 }
1686 if (act->ipa_apply.ipp_km_proto != 0)
1687 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_proto);
1688 if (act->ipa_apply.ipp_km_cookie != 0)
1689 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_cookie);
1690 if (act->ipa_apply.ipp_replay_depth != 0)
1691 EMIT(SPD_ATTR_REPLAY_DEPTH,
1692 act->ipa_apply.ipp_replay_depth);
1693 /* Add more here */
1694 break;
1695 }
1696
1697 return (offset);
1698 }
1699
1700 static uint_t
spdsock_encode_action_list(uint8_t * base,uint_t offset,const ipsec_action_t * ap)1701 spdsock_encode_action_list(uint8_t *base, uint_t offset,
1702 const ipsec_action_t *ap)
1703 {
1704 struct spd_ext_actions *act;
1705 uint_t nact = 0;
1706 uint_t start = offset;
1707
1708 ASSERT(ALIGNED64(offset));
1709
1710 if (base != NULL) {
1711 act = (struct spd_ext_actions *)(base + offset);
1712 act->spd_actions_len = 0;
1713 act->spd_actions_exttype = SPD_EXT_ACTION;
1714 act->spd_actions_count = 0;
1715 act->spd_actions_reserved = 0;
1716 }
1717
1718 offset += sizeof (*act);
1719
1720 ASSERT(ALIGNED64(offset));
1721
1722 while (ap != NULL) {
1723 offset = spdsock_encode_action(base, offset, ap);
1724 ap = ap->ipa_next;
1725 nact++;
1726 if (ap != NULL) {
1727 EMIT(SPD_ATTR_NEXT, 0);
1728 }
1729 }
1730 EMIT(SPD_ATTR_END, 0);
1731
1732 ASSERT(ALIGNED64(offset));
1733
1734 if (base != NULL) {
1735 act->spd_actions_count = nact;
1736 act->spd_actions_len = SPD_8TO64(offset - start);
1737 }
1738
1739 return (offset);
1740 }
1741
1742 #undef EMIT
1743
1744 /* ARGSUSED */
1745 static uint_t
spdsock_rule_flags(uint_t dir,uint_t af)1746 spdsock_rule_flags(uint_t dir, uint_t af)
1747 {
1748 uint_t flags = 0;
1749
1750 if (dir == IPSEC_TYPE_INBOUND)
1751 flags |= SPD_RULE_FLAG_INBOUND;
1752 if (dir == IPSEC_TYPE_OUTBOUND)
1753 flags |= SPD_RULE_FLAG_OUTBOUND;
1754
1755 return (flags);
1756 }
1757
1758
1759 static uint_t
spdsock_encode_rule_head(uint8_t * base,uint_t offset,spd_msg_t * req,const ipsec_policy_t * rule,uint_t dir,uint_t af,char * name,boolean_t tunnel)1760 spdsock_encode_rule_head(uint8_t *base, uint_t offset, spd_msg_t *req,
1761 const ipsec_policy_t *rule, uint_t dir, uint_t af, char *name,
1762 boolean_t tunnel)
1763 {
1764 struct spd_msg *spmsg;
1765 struct spd_rule *spr;
1766 spd_if_t *sid;
1767
1768 uint_t start = offset;
1769
1770 ASSERT(ALIGNED64(offset));
1771
1772 if (base != NULL) {
1773 spmsg = (struct spd_msg *)(base + offset);
1774 bzero(spmsg, sizeof (*spmsg));
1775 spmsg->spd_msg_version = PF_POLICY_V1;
1776 spmsg->spd_msg_type = SPD_DUMP;
1777 spmsg->spd_msg_seq = req->spd_msg_seq;
1778 spmsg->spd_msg_pid = req->spd_msg_pid;
1779 }
1780 offset += sizeof (struct spd_msg);
1781
1782 ASSERT(ALIGNED64(offset));
1783
1784 if (base != NULL) {
1785 spr = (struct spd_rule *)(base + offset);
1786 spr->spd_rule_type = SPD_EXT_RULE;
1787 spr->spd_rule_priority = rule->ipsp_prio;
1788 spr->spd_rule_flags = spdsock_rule_flags(dir, af);
1789 if (tunnel)
1790 spr->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL;
1791 spr->spd_rule_unused = 0;
1792 spr->spd_rule_len = SPD_8TO64(sizeof (*spr));
1793 spr->spd_rule_index = rule->ipsp_index;
1794 }
1795 offset += sizeof (struct spd_rule);
1796
1797 /*
1798 * If we have an interface name (i.e. if this policy head came from
1799 * a tunnel), add the SPD_EXT_TUN_NAME extension.
1800 */
1801 if (name != NULL) {
1802
1803 ASSERT(ALIGNED64(offset));
1804
1805 if (base != NULL) {
1806 sid = (spd_if_t *)(base + offset);
1807 sid->spd_if_exttype = SPD_EXT_TUN_NAME;
1808 sid->spd_if_len = SPD_8TO64(sizeof (spd_if_t) +
1809 roundup((strlen(name) - 4), 8));
1810 (void) strlcpy((char *)sid->spd_if_name, name,
1811 LIFNAMSIZ);
1812 }
1813
1814 offset += sizeof (spd_if_t) + roundup((strlen(name) - 4), 8);
1815 }
1816
1817 offset = spdsock_encode_sel(base, offset, rule->ipsp_sel);
1818 offset = spdsock_encode_action_list(base, offset, rule->ipsp_act);
1819
1820 ASSERT(ALIGNED64(offset));
1821
1822 if (base != NULL) {
1823 spmsg->spd_msg_len = SPD_8TO64(offset - start);
1824 }
1825 return (offset);
1826 }
1827
1828 /* ARGSUSED */
1829 static mblk_t *
spdsock_encode_rule(mblk_t * req,const ipsec_policy_t * rule,uint_t dir,uint_t af,char * name,boolean_t tunnel)1830 spdsock_encode_rule(mblk_t *req, const ipsec_policy_t *rule,
1831 uint_t dir, uint_t af, char *name, boolean_t tunnel)
1832 {
1833 mblk_t *m;
1834 uint_t len;
1835 spd_msg_t *mreq = (spd_msg_t *)req->b_rptr;
1836
1837 /*
1838 * Figure out how much space we'll need.
1839 */
1840 len = spdsock_encode_rule_head(NULL, 0, mreq, rule, dir, af, name,
1841 tunnel);
1842
1843 /*
1844 * Allocate mblk.
1845 */
1846 m = allocb(len, BPRI_HI);
1847 if (m == NULL)
1848 return (NULL);
1849
1850 /*
1851 * Fill it in..
1852 */
1853 m->b_wptr = m->b_rptr + len;
1854 bzero(m->b_rptr, len);
1855 (void) spdsock_encode_rule_head(m->b_rptr, 0, mreq, rule, dir, af,
1856 name, tunnel);
1857 return (m);
1858 }
1859
1860 static ipsec_policy_t *
spdsock_dump_next_in_chain(spdsock_t * ss,ipsec_policy_head_t * iph,ipsec_policy_t * cur)1861 spdsock_dump_next_in_chain(spdsock_t *ss, ipsec_policy_head_t *iph,
1862 ipsec_policy_t *cur)
1863 {
1864 ASSERT(RW_READ_HELD(&iph->iph_lock));
1865
1866 ss->spdsock_dump_count++;
1867 ss->spdsock_dump_cur_rule = cur->ipsp_hash.hash_next;
1868 return (cur);
1869 }
1870
1871 static ipsec_policy_t *
spdsock_dump_next_rule(spdsock_t * ss,ipsec_policy_head_t * iph)1872 spdsock_dump_next_rule(spdsock_t *ss, ipsec_policy_head_t *iph)
1873 {
1874 ipsec_policy_t *cur;
1875 ipsec_policy_root_t *ipr;
1876 int chain, nchains, type, af;
1877
1878 ASSERT(RW_READ_HELD(&iph->iph_lock));
1879
1880 cur = ss->spdsock_dump_cur_rule;
1881
1882 if (cur != NULL)
1883 return (spdsock_dump_next_in_chain(ss, iph, cur));
1884
1885 type = ss->spdsock_dump_cur_type;
1886
1887 next:
1888 chain = ss->spdsock_dump_cur_chain;
1889 ipr = &iph->iph_root[type];
1890 nchains = ipr->ipr_nchains;
1891
1892 while (chain < nchains) {
1893 cur = ipr->ipr_hash[chain].hash_head;
1894 chain++;
1895 if (cur != NULL) {
1896 ss->spdsock_dump_cur_chain = chain;
1897 return (spdsock_dump_next_in_chain(ss, iph, cur));
1898 }
1899 }
1900 ss->spdsock_dump_cur_chain = nchains;
1901
1902 af = ss->spdsock_dump_cur_af;
1903 while (af < IPSEC_NAF) {
1904 cur = ipr->ipr_nonhash[af];
1905 af++;
1906 if (cur != NULL) {
1907 ss->spdsock_dump_cur_af = af;
1908 return (spdsock_dump_next_in_chain(ss, iph, cur));
1909 }
1910 }
1911
1912 type++;
1913 if (type >= IPSEC_NTYPES)
1914 return (NULL);
1915
1916 ss->spdsock_dump_cur_chain = 0;
1917 ss->spdsock_dump_cur_type = type;
1918 ss->spdsock_dump_cur_af = IPSEC_AF_V4;
1919 goto next;
1920
1921 }
1922
1923 /*
1924 * If we're done with one policy head, but have more to go, we iterate through
1925 * another IPsec tunnel policy head (itp). Return NULL if it is an error
1926 * worthy of returning EAGAIN via PF_POLICY.
1927 */
1928 static ipsec_tun_pol_t *
spdsock_dump_iterate_next_tunnel(spdsock_t * ss,ipsec_stack_t * ipss)1929 spdsock_dump_iterate_next_tunnel(spdsock_t *ss, ipsec_stack_t *ipss)
1930 {
1931 ipsec_tun_pol_t *itp;
1932
1933 ASSERT(RW_READ_HELD(&ipss->ipsec_tunnel_policy_lock));
1934 if (ipss->ipsec_tunnel_policy_gen > ss->spdsock_dump_tun_gen) {
1935 /* Oops, state of the tunnel polheads changed. */
1936 itp = NULL;
1937 } else if (ss->spdsock_itp == NULL) {
1938 /* Just finished global, find first node. */
1939 itp = avl_first(&ipss->ipsec_tunnel_policies);
1940 } else {
1941 /* We just finished current polhead, find the next one. */
1942 itp = AVL_NEXT(&ipss->ipsec_tunnel_policies, ss->spdsock_itp);
1943 }
1944 if (itp != NULL) {
1945 ITP_REFHOLD(itp);
1946 }
1947 if (ss->spdsock_itp != NULL) {
1948 ITP_REFRELE(ss->spdsock_itp, ipss->ipsec_netstack);
1949 }
1950 ss->spdsock_itp = itp;
1951 return (itp);
1952 }
1953
1954 static mblk_t *
spdsock_dump_next_record(spdsock_t * ss)1955 spdsock_dump_next_record(spdsock_t *ss)
1956 {
1957 ipsec_policy_head_t *iph;
1958 ipsec_policy_t *rule;
1959 mblk_t *m;
1960 ipsec_tun_pol_t *itp;
1961 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1962 ipsec_stack_t *ipss = ns->netstack_ipsec;
1963
1964 iph = ss->spdsock_dump_head;
1965
1966 ASSERT(iph != NULL);
1967
1968 rw_enter(&iph->iph_lock, RW_READER);
1969
1970 if (iph->iph_gen != ss->spdsock_dump_gen) {
1971 rw_exit(&iph->iph_lock);
1972 return (spdsock_dump_finish(ss, EAGAIN));
1973 }
1974
1975 while ((rule = spdsock_dump_next_rule(ss, iph)) == NULL) {
1976 rw_exit(&iph->iph_lock);
1977 if (--(ss->spdsock_dump_remaining_polheads) == 0)
1978 return (spdsock_dump_finish(ss, 0));
1979
1980
1981 /*
1982 * If we reach here, we have more policy heads (tunnel
1983 * entries) to dump. Let's reset to a new policy head
1984 * and get some more rules.
1985 *
1986 * An empty policy head will have spdsock_dump_next_rule()
1987 * return NULL, and we loop (while dropping the number of
1988 * remaining polheads). If we loop to 0, we finish. We
1989 * keep looping until we hit 0 or until we have a rule to
1990 * encode.
1991 *
1992 * NOTE: No need for ITP_REF*() macros here as we're only
1993 * going after and refholding the policy head itself.
1994 */
1995 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
1996 itp = spdsock_dump_iterate_next_tunnel(ss, ipss);
1997 if (itp == NULL) {
1998 rw_exit(&ipss->ipsec_tunnel_policy_lock);
1999 return (spdsock_dump_finish(ss, EAGAIN));
2000 }
2001
2002 /* Reset other spdsock_dump thingies. */
2003 IPPH_REFRELE(ss->spdsock_dump_head, ns);
2004 if (ss->spdsock_dump_active) {
2005 ss->spdsock_dump_tunnel =
2006 itp->itp_flags & ITPF_P_TUNNEL;
2007 iph = itp->itp_policy;
2008 } else {
2009 ss->spdsock_dump_tunnel =
2010 itp->itp_flags & ITPF_I_TUNNEL;
2011 iph = itp->itp_inactive;
2012 }
2013 IPPH_REFHOLD(iph);
2014 rw_exit(&ipss->ipsec_tunnel_policy_lock);
2015
2016 rw_enter(&iph->iph_lock, RW_READER);
2017 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph);
2018 }
2019
2020 m = spdsock_encode_rule(ss->spdsock_dump_req, rule,
2021 ss->spdsock_dump_cur_type, ss->spdsock_dump_cur_af,
2022 (ss->spdsock_itp == NULL) ? NULL : ss->spdsock_itp->itp_name,
2023 ss->spdsock_dump_tunnel);
2024 rw_exit(&iph->iph_lock);
2025
2026 if (m == NULL)
2027 return (spdsock_dump_finish(ss, ENOMEM));
2028 return (m);
2029 }
2030
2031 /*
2032 * Dump records until we run into flow-control back-pressure.
2033 */
2034 static void
spdsock_dump_some(queue_t * q,spdsock_t * ss)2035 spdsock_dump_some(queue_t *q, spdsock_t *ss)
2036 {
2037 mblk_t *m, *dataind;
2038
2039 while ((ss->spdsock_dump_req != NULL) && canputnext(q)) {
2040 m = spdsock_dump_next_record(ss);
2041 if (m == NULL)
2042 return;
2043 dataind = allocb(sizeof (struct T_data_req), BPRI_HI);
2044 if (dataind == NULL) {
2045 freemsg(m);
2046 return;
2047 }
2048 dataind->b_cont = m;
2049 dataind->b_wptr += sizeof (struct T_data_req);
2050 ((struct T_data_ind *)dataind->b_rptr)->PRIM_type = T_DATA_IND;
2051 ((struct T_data_ind *)dataind->b_rptr)->MORE_flag = 0;
2052 dataind->b_datap->db_type = M_PROTO;
2053 putnext(q, dataind);
2054 }
2055 }
2056
2057 /*
2058 * Start dumping.
2059 * Format a start-of-dump record, and set up the stream and kick the rsrv
2060 * procedure to continue the job..
2061 */
2062 /* ARGSUSED */
2063 static void
spdsock_dump(queue_t * q,ipsec_policy_head_t * iph,mblk_t * mp)2064 spdsock_dump(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp)
2065 {
2066 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2067 netstack_t *ns = ss->spdsock_spds->spds_netstack;
2068 ipsec_stack_t *ipss = ns->netstack_ipsec;
2069 mblk_t *mr;
2070
2071 /* spdsock_open() already set spdsock_itp to NULL. */
2072 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) {
2073 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
2074 ss->spdsock_dump_remaining_polheads = 1 +
2075 avl_numnodes(&ipss->ipsec_tunnel_policies);
2076 ss->spdsock_dump_tun_gen = ipss->ipsec_tunnel_policy_gen;
2077 rw_exit(&ipss->ipsec_tunnel_policy_lock);
2078 if (iph == ALL_ACTIVE_POLHEADS) {
2079 iph = ipsec_system_policy(ns);
2080 ss->spdsock_dump_active = B_TRUE;
2081 } else {
2082 iph = ipsec_inactive_policy(ns);
2083 ss->spdsock_dump_active = B_FALSE;
2084 }
2085 ASSERT(ss->spdsock_itp == NULL);
2086 } else {
2087 ss->spdsock_dump_remaining_polheads = 1;
2088 }
2089
2090 rw_enter(&iph->iph_lock, RW_READER);
2091
2092 mr = spdsock_dump_ruleset(mp, iph, 0, 0);
2093
2094 if (!mr) {
2095 rw_exit(&iph->iph_lock);
2096 spdsock_error(q, mp, ENOMEM, 0);
2097 return;
2098 }
2099
2100 ss->spdsock_dump_req = mp;
2101 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph);
2102
2103 rw_exit(&iph->iph_lock);
2104
2105 qreply(q, mr);
2106 qenable(OTHERQ(q));
2107 }
2108
2109 /* Do NOT consume a reference to ITP. */
2110 void
spdsock_clone_node(ipsec_tun_pol_t * itp,void * ep,netstack_t * ns)2111 spdsock_clone_node(ipsec_tun_pol_t *itp, void *ep, netstack_t *ns)
2112 {
2113 int *errptr = (int *)ep;
2114
2115 if (*errptr != 0)
2116 return; /* We've failed already for some reason. */
2117 mutex_enter(&itp->itp_lock);
2118 ITPF_CLONE(itp->itp_flags);
2119 *errptr = ipsec_copy_polhead(itp->itp_policy, itp->itp_inactive, ns);
2120 mutex_exit(&itp->itp_lock);
2121 }
2122
2123 void
spdsock_clone(queue_t * q,mblk_t * mp,spd_if_t * tunname)2124 spdsock_clone(queue_t *q, mblk_t *mp, spd_if_t *tunname)
2125 {
2126 int error;
2127 char *tname;
2128 ipsec_tun_pol_t *itp;
2129 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2130 netstack_t *ns = ss->spdsock_spds->spds_netstack;
2131 uint32_t auditing = AU_AUDITING();
2132
2133 if (tunname != NULL) {
2134 tname = (char *)tunname->spd_if_name;
2135 if (*tname == '\0') {
2136 error = ipsec_clone_system_policy(ns);
2137 if (auditing) {
2138 boolean_t active;
2139 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2140 cred_t *cr;
2141 pid_t cpid;
2142
2143 cr = msg_getcred(mp, &cpid);
2144 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2145 audit_pf_policy(SPD_CLONE, cr, ns,
2146 NULL, active, error, cpid);
2147 }
2148 if (error == 0) {
2149 itp_walk(spdsock_clone_node, &error, ns);
2150 if (auditing) {
2151 boolean_t active;
2152 spd_msg_t *spmsg =
2153 (spd_msg_t *)mp->b_rptr;
2154 cred_t *cr;
2155 pid_t cpid;
2156
2157 cr = msg_getcred(mp, &cpid);
2158 active = (spmsg->spd_msg_spdid ==
2159 SPD_ACTIVE);
2160 audit_pf_policy(SPD_CLONE, cr,
2161 ns, "all tunnels", active, 0,
2162 cpid);
2163 }
2164 }
2165 } else {
2166 itp = get_tunnel_policy(tname, ns);
2167 if (itp == NULL) {
2168 spdsock_error(q, mp, ENOENT, 0);
2169 if (auditing) {
2170 boolean_t active;
2171 spd_msg_t *spmsg =
2172 (spd_msg_t *)mp->b_rptr;
2173 cred_t *cr;
2174 pid_t cpid;
2175
2176 cr = msg_getcred(mp, &cpid);
2177 active = (spmsg->spd_msg_spdid ==
2178 SPD_ACTIVE);
2179 audit_pf_policy(SPD_CLONE, cr,
2180 ns, NULL, active, ENOENT, cpid);
2181 }
2182 return;
2183 }
2184 spdsock_clone_node(itp, &error, NULL);
2185 if (auditing) {
2186 boolean_t active;
2187 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2188 cred_t *cr;
2189 pid_t cpid;
2190
2191 cr = msg_getcred(mp, &cpid);
2192 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2193 audit_pf_policy(SPD_CLONE, cr, ns,
2194 ITP_NAME(itp), active, error, cpid);
2195 }
2196 ITP_REFRELE(itp, ns);
2197 }
2198 } else {
2199 error = ipsec_clone_system_policy(ns);
2200 if (auditing) {
2201 boolean_t active;
2202 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2203 cred_t *cr;
2204 pid_t cpid;
2205
2206 cr = msg_getcred(mp, &cpid);
2207 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2208 audit_pf_policy(SPD_CLONE, cr, ns, NULL,
2209 active, error, cpid);
2210 }
2211 }
2212
2213 if (error != 0)
2214 spdsock_error(q, mp, error, 0);
2215 else
2216 spd_echo(q, mp);
2217 }
2218
2219 /*
2220 * Process a SPD_ALGLIST request. The caller expects separate alg entries
2221 * for AH authentication, ESP authentication, and ESP encryption.
2222 * The same distinction is then used when setting the min and max key
2223 * sizes when defining policies.
2224 */
2225
2226 #define SPDSOCK_AH_AUTH 0
2227 #define SPDSOCK_ESP_AUTH 1
2228 #define SPDSOCK_ESP_ENCR 2
2229 #define SPDSOCK_NTYPES 3
2230
2231 static const uint_t algattr[SPDSOCK_NTYPES] = {
2232 SPD_ATTR_AH_AUTH,
2233 SPD_ATTR_ESP_AUTH,
2234 SPD_ATTR_ESP_ENCR
2235 };
2236 static const uint_t minbitsattr[SPDSOCK_NTYPES] = {
2237 SPD_ATTR_AH_MINBITS,
2238 SPD_ATTR_ESPA_MINBITS,
2239 SPD_ATTR_ENCR_MINBITS
2240 };
2241 static const uint_t maxbitsattr[SPDSOCK_NTYPES] = {
2242 SPD_ATTR_AH_MAXBITS,
2243 SPD_ATTR_ESPA_MAXBITS,
2244 SPD_ATTR_ENCR_MAXBITS
2245 };
2246 static const uint_t defbitsattr[SPDSOCK_NTYPES] = {
2247 SPD_ATTR_AH_DEFBITS,
2248 SPD_ATTR_ESPA_DEFBITS,
2249 SPD_ATTR_ENCR_DEFBITS
2250 };
2251 static const uint_t incrbitsattr[SPDSOCK_NTYPES] = {
2252 SPD_ATTR_AH_INCRBITS,
2253 SPD_ATTR_ESPA_INCRBITS,
2254 SPD_ATTR_ENCR_INCRBITS
2255 };
2256
2257 #define ATTRPERALG 6 /* fixed attributes per algs */
2258
2259 void
spdsock_alglist(queue_t * q,mblk_t * mp)2260 spdsock_alglist(queue_t *q, mblk_t *mp)
2261 {
2262 uint_t algtype;
2263 uint_t algidx;
2264 uint_t algcount;
2265 uint_t size;
2266 mblk_t *m;
2267 uint8_t *cur;
2268 spd_msg_t *msg;
2269 struct spd_ext_actions *act;
2270 struct spd_attribute *attr;
2271 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2272 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
2273
2274 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
2275 /*
2276 * The SPD client expects to receive separate entries for
2277 * AH authentication and ESP authentication supported algorithms.
2278 *
2279 * Don't return the "any" algorithms, if defined, as no
2280 * kernel policies can be set for these algorithms.
2281 */
2282 algcount = 2 * ipss->ipsec_nalgs[IPSEC_ALG_AUTH] +
2283 ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
2284
2285 if (ipss->ipsec_alglists[IPSEC_ALG_AUTH][SADB_AALG_NONE] != NULL)
2286 algcount--;
2287 if (ipss->ipsec_alglists[IPSEC_ALG_ENCR][SADB_EALG_NONE] != NULL)
2288 algcount--;
2289
2290 /*
2291 * For each algorithm, we encode:
2292 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2293 */
2294
2295 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions) +
2296 ATTRPERALG * sizeof (struct spd_attribute) * algcount;
2297
2298 ASSERT(ALIGNED64(size));
2299
2300 m = allocb(size, BPRI_HI);
2301 if (m == NULL) {
2302 rw_exit(&ipss->ipsec_alg_lock);
2303 spdsock_error(q, mp, ENOMEM, 0);
2304 return;
2305 }
2306
2307 m->b_wptr = m->b_rptr + size;
2308 cur = m->b_rptr;
2309
2310 msg = (spd_msg_t *)cur;
2311 bcopy(mp->b_rptr, cur, sizeof (*msg));
2312
2313 msg->spd_msg_len = SPD_8TO64(size);
2314 msg->spd_msg_errno = 0;
2315 msg->spd_msg_diagnostic = 0;
2316
2317 cur += sizeof (*msg);
2318
2319 act = (struct spd_ext_actions *)cur;
2320 cur += sizeof (*act);
2321
2322 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t));
2323 act->spd_actions_exttype = SPD_EXT_ACTION;
2324 act->spd_actions_count = algcount;
2325 act->spd_actions_reserved = 0;
2326
2327 attr = (struct spd_attribute *)cur;
2328
2329 #define EMIT(tag, value) { \
2330 attr->spd_attr_tag = (tag); \
2331 attr->spd_attr_value = (value); \
2332 attr++; \
2333 }
2334
2335 /*
2336 * If you change the number of EMIT's here, change
2337 * ATTRPERALG above to match
2338 */
2339 #define EMITALGATTRS(_type) { \
2340 EMIT(algattr[_type], algid); /* 1 */ \
2341 EMIT(minbitsattr[_type], minbits); /* 2 */ \
2342 EMIT(maxbitsattr[_type], maxbits); /* 3 */ \
2343 EMIT(defbitsattr[_type], defbits); /* 4 */ \
2344 EMIT(incrbitsattr[_type], incr); /* 5 */ \
2345 EMIT(SPD_ATTR_NEXT, 0); /* 6 */ \
2346 }
2347
2348 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2349 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2350 algidx++) {
2351 int algid = ipss->ipsec_sortlist[algtype][algidx];
2352 ipsec_alginfo_t *alg =
2353 ipss->ipsec_alglists[algtype][algid];
2354 uint_t minbits = alg->alg_minbits;
2355 uint_t maxbits = alg->alg_maxbits;
2356 uint_t defbits = alg->alg_default_bits;
2357 uint_t incr = alg->alg_increment;
2358
2359 if (algtype == IPSEC_ALG_AUTH) {
2360 if (algid == SADB_AALG_NONE)
2361 continue;
2362 EMITALGATTRS(SPDSOCK_AH_AUTH);
2363 EMITALGATTRS(SPDSOCK_ESP_AUTH);
2364 } else {
2365 if (algid == SADB_EALG_NONE)
2366 continue;
2367 ASSERT(algtype == IPSEC_ALG_ENCR);
2368 EMITALGATTRS(SPDSOCK_ESP_ENCR);
2369 }
2370 }
2371 }
2372
2373 rw_exit(&ipss->ipsec_alg_lock);
2374
2375 #undef EMITALGATTRS
2376 #undef EMIT
2377 #undef ATTRPERALG
2378
2379 attr--;
2380 attr->spd_attr_tag = SPD_ATTR_END;
2381
2382 freemsg(mp);
2383 qreply(q, m);
2384 }
2385
2386 /*
2387 * Process a SPD_DUMPALGS request.
2388 */
2389
2390 #define ATTRPERALG 9 /* fixed attributes per algs */
2391
2392 void
spdsock_dumpalgs(queue_t * q,mblk_t * mp)2393 spdsock_dumpalgs(queue_t *q, mblk_t *mp)
2394 {
2395 uint_t algtype;
2396 uint_t algidx;
2397 uint_t size;
2398 mblk_t *m;
2399 uint8_t *cur;
2400 spd_msg_t *msg;
2401 struct spd_ext_actions *act;
2402 struct spd_attribute *attr;
2403 ipsec_alginfo_t *alg;
2404 uint_t algid;
2405 uint_t i;
2406 uint_t alg_size;
2407 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2408 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
2409
2410 rw_enter(&ipss->ipsec_alg_lock, RW_READER);
2411
2412 /*
2413 * For each algorithm, we encode:
2414 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2415 *
2416 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE*
2417 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_NPARAMS / ALG_PARAMS* /
2418 * ALG_MECHNAME / ALG_FLAGS / {END, NEXT}
2419 */
2420
2421 /*
2422 * Compute the size of the SPD message.
2423 */
2424 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions);
2425
2426 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2427 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2428 algidx++) {
2429 algid = ipss->ipsec_sortlist[algtype][algidx];
2430 alg = ipss->ipsec_alglists[algtype][algid];
2431 alg_size = sizeof (struct spd_attribute) *
2432 (ATTRPERALG + alg->alg_nkey_sizes +
2433 alg->alg_nblock_sizes + alg->alg_nparams) +
2434 CRYPTO_MAX_MECH_NAME;
2435 size += alg_size;
2436 }
2437 }
2438
2439 ASSERT(ALIGNED64(size));
2440
2441 m = allocb(size, BPRI_HI);
2442 if (m == NULL) {
2443 rw_exit(&ipss->ipsec_alg_lock);
2444 spdsock_error(q, mp, ENOMEM, 0);
2445 return;
2446 }
2447
2448 m->b_wptr = m->b_rptr + size;
2449 cur = m->b_rptr;
2450
2451 msg = (spd_msg_t *)cur;
2452 bcopy(mp->b_rptr, cur, sizeof (*msg));
2453
2454 msg->spd_msg_len = SPD_8TO64(size);
2455 msg->spd_msg_errno = 0;
2456 msg->spd_msg_type = SPD_ALGLIST;
2457
2458 msg->spd_msg_diagnostic = 0;
2459
2460 cur += sizeof (*msg);
2461
2462 act = (struct spd_ext_actions *)cur;
2463 cur += sizeof (*act);
2464
2465 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t));
2466 act->spd_actions_exttype = SPD_EXT_ACTION;
2467 act->spd_actions_count = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] +
2468 ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
2469 act->spd_actions_reserved = 0;
2470
2471 /*
2472 * If there aren't any algorithms registered, return an empty message.
2473 * spdsock_get_ext() knows how to deal with this.
2474 */
2475 if (act->spd_actions_count == 0) {
2476 act->spd_actions_len = 0;
2477 rw_exit(&ipss->ipsec_alg_lock);
2478 goto error;
2479 }
2480
2481 attr = (struct spd_attribute *)cur;
2482
2483 #define EMIT(tag, value) { \
2484 attr->spd_attr_tag = (tag); \
2485 attr->spd_attr_value = (value); \
2486 attr++; \
2487 }
2488
2489 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2490 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2491 algidx++) {
2492
2493 algid = ipss->ipsec_sortlist[algtype][algidx];
2494 alg = ipss->ipsec_alglists[algtype][algid];
2495
2496 /*
2497 * If you change the number of EMIT's here, change
2498 * ATTRPERALG above to match
2499 */
2500 EMIT(SPD_ATTR_ALG_ID, algid);
2501 EMIT(SPD_ATTR_ALG_PROTO, algproto[algtype]);
2502 EMIT(SPD_ATTR_ALG_INCRBITS, alg->alg_increment);
2503 EMIT(SPD_ATTR_ALG_NKEYSIZES, alg->alg_nkey_sizes);
2504 for (i = 0; i < alg->alg_nkey_sizes; i++)
2505 EMIT(SPD_ATTR_ALG_KEYSIZE,
2506 alg->alg_key_sizes[i]);
2507
2508 EMIT(SPD_ATTR_ALG_NBLOCKSIZES, alg->alg_nblock_sizes);
2509 for (i = 0; i < alg->alg_nblock_sizes; i++)
2510 EMIT(SPD_ATTR_ALG_BLOCKSIZE,
2511 alg->alg_block_sizes[i]);
2512
2513 EMIT(SPD_ATTR_ALG_NPARAMS, alg->alg_nparams);
2514 for (i = 0; i < alg->alg_nparams; i++)
2515 EMIT(SPD_ATTR_ALG_PARAMS,
2516 alg->alg_params[i]);
2517
2518 EMIT(SPD_ATTR_ALG_FLAGS, alg->alg_flags);
2519
2520 EMIT(SPD_ATTR_ALG_MECHNAME, CRYPTO_MAX_MECH_NAME);
2521 bcopy(alg->alg_mech_name, attr, CRYPTO_MAX_MECH_NAME);
2522 attr = (struct spd_attribute *)((char *)attr +
2523 CRYPTO_MAX_MECH_NAME);
2524
2525 EMIT(SPD_ATTR_NEXT, 0);
2526 }
2527 }
2528
2529 rw_exit(&ipss->ipsec_alg_lock);
2530
2531 #undef EMITALGATTRS
2532 #undef EMIT
2533 #undef ATTRPERALG
2534
2535 attr--;
2536 attr->spd_attr_tag = SPD_ATTR_END;
2537
2538 error:
2539 freemsg(mp);
2540 qreply(q, m);
2541 }
2542
2543 /*
2544 * Do the actual work of processing an SPD_UPDATEALGS request. Can
2545 * be invoked either once IPsec is loaded on a cached request, or
2546 * when a request is received while IPsec is loaded.
2547 */
2548 static int
spdsock_do_updatealg(spd_ext_t * extv[],spd_stack_t * spds)2549 spdsock_do_updatealg(spd_ext_t *extv[], spd_stack_t *spds)
2550 {
2551 struct spd_ext_actions *actp;
2552 struct spd_attribute *attr, *endattr;
2553 uint64_t *start, *end;
2554 ipsec_alginfo_t *alg = NULL;
2555 ipsec_algtype_t alg_type = 0;
2556 boolean_t skip_alg = B_TRUE, doing_proto = B_FALSE;
2557 uint_t i, cur_key, cur_block, algid;
2558 int diag = -1;
2559
2560 ASSERT(MUTEX_HELD(&spds->spds_alg_lock));
2561
2562 /* parse the message, building the list of algorithms */
2563
2564 actp = (struct spd_ext_actions *)extv[SPD_EXT_ACTION];
2565 if (actp == NULL)
2566 return (SPD_DIAGNOSTIC_NO_ACTION_EXT);
2567
2568 start = (uint64_t *)actp;
2569 end = (start + actp->spd_actions_len);
2570 endattr = (struct spd_attribute *)end;
2571 attr = (struct spd_attribute *)&actp[1];
2572
2573 bzero(spds->spds_algs, IPSEC_NALGTYPES * IPSEC_MAX_ALGS *
2574 sizeof (ipsec_alginfo_t *));
2575
2576 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP);
2577
2578 #define ALG_KEY_SIZES(a) (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t))
2579 #define ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t))
2580 #define ALG_PARAM_SIZES(a) (((a)->alg_nparams + 1) * sizeof (uint16_t))
2581
2582 while (attr < endattr) {
2583 switch (attr->spd_attr_tag) {
2584 case SPD_ATTR_NOP:
2585 case SPD_ATTR_EMPTY:
2586 break;
2587 case SPD_ATTR_END:
2588 attr = endattr;
2589 /* FALLTHRU */
2590 case SPD_ATTR_NEXT:
2591 if (doing_proto) {
2592 doing_proto = B_FALSE;
2593 break;
2594 }
2595 if (skip_alg) {
2596 ipsec_alg_free(alg);
2597 } else {
2598 ipsec_alg_free(
2599 spds->spds_algs[alg_type][alg->alg_id]);
2600 spds->spds_algs[alg_type][alg->alg_id] =
2601 alg;
2602 }
2603 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP);
2604 break;
2605
2606 case SPD_ATTR_ALG_ID:
2607 if (attr->spd_attr_value >= IPSEC_MAX_ALGS) {
2608 ss1dbg(spds, ("spdsock_do_updatealg: "
2609 "invalid alg id %d\n",
2610 attr->spd_attr_value));
2611 diag = SPD_DIAGNOSTIC_ALG_ID_RANGE;
2612 goto bail;
2613 }
2614 alg->alg_id = attr->spd_attr_value;
2615 break;
2616
2617 case SPD_ATTR_ALG_PROTO:
2618 /* find the alg type */
2619 for (i = 0; i < NALGPROTOS; i++)
2620 if (algproto[i] == attr->spd_attr_value)
2621 break;
2622 skip_alg = (i == NALGPROTOS);
2623 if (!skip_alg)
2624 alg_type = i;
2625 break;
2626
2627 case SPD_ATTR_ALG_INCRBITS:
2628 alg->alg_increment = attr->spd_attr_value;
2629 break;
2630
2631 case SPD_ATTR_ALG_NKEYSIZES:
2632 if (alg->alg_key_sizes != NULL) {
2633 kmem_free(alg->alg_key_sizes,
2634 ALG_KEY_SIZES(alg));
2635 }
2636 alg->alg_nkey_sizes = attr->spd_attr_value;
2637 /*
2638 * Allocate room for the trailing zero key size
2639 * value as well.
2640 */
2641 alg->alg_key_sizes = kmem_zalloc(ALG_KEY_SIZES(alg),
2642 KM_SLEEP);
2643 cur_key = 0;
2644 break;
2645
2646 case SPD_ATTR_ALG_KEYSIZE:
2647 if (alg->alg_key_sizes == NULL ||
2648 cur_key >= alg->alg_nkey_sizes) {
2649 ss1dbg(spds, ("spdsock_do_updatealg: "
2650 "too many key sizes\n"));
2651 diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES;
2652 goto bail;
2653 }
2654 alg->alg_key_sizes[cur_key++] = attr->spd_attr_value;
2655 break;
2656
2657 case SPD_ATTR_ALG_FLAGS:
2658 /*
2659 * Flags (bit mask). The alg_flags element of
2660 * ipsecalg_flags_t is only 8 bits wide. The
2661 * user can set the VALID bit, but we will ignore it
2662 * and make the decision is the algorithm is valid.
2663 */
2664 alg->alg_flags |= (uint8_t)attr->spd_attr_value;
2665 break;
2666
2667 case SPD_ATTR_ALG_NBLOCKSIZES:
2668 if (alg->alg_block_sizes != NULL) {
2669 kmem_free(alg->alg_block_sizes,
2670 ALG_BLOCK_SIZES(alg));
2671 }
2672 alg->alg_nblock_sizes = attr->spd_attr_value;
2673 /*
2674 * Allocate room for the trailing zero block size
2675 * value as well.
2676 */
2677 alg->alg_block_sizes = kmem_zalloc(ALG_BLOCK_SIZES(alg),
2678 KM_SLEEP);
2679 cur_block = 0;
2680 break;
2681
2682 case SPD_ATTR_ALG_BLOCKSIZE:
2683 if (alg->alg_block_sizes == NULL ||
2684 cur_block >= alg->alg_nblock_sizes) {
2685 ss1dbg(spds, ("spdsock_do_updatealg: "
2686 "too many block sizes\n"));
2687 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
2688 goto bail;
2689 }
2690 alg->alg_block_sizes[cur_block++] =
2691 attr->spd_attr_value;
2692 break;
2693
2694 case SPD_ATTR_ALG_NPARAMS:
2695 if (alg->alg_params != NULL) {
2696 kmem_free(alg->alg_params,
2697 ALG_PARAM_SIZES(alg));
2698 }
2699 alg->alg_nparams = attr->spd_attr_value;
2700 /*
2701 * Allocate room for the trailing zero block size
2702 * value as well.
2703 */
2704 alg->alg_params = kmem_zalloc(ALG_PARAM_SIZES(alg),
2705 KM_SLEEP);
2706 cur_block = 0;
2707 break;
2708
2709 case SPD_ATTR_ALG_PARAMS:
2710 if (alg->alg_params == NULL ||
2711 cur_block >= alg->alg_nparams) {
2712 ss1dbg(spds, ("spdsock_do_updatealg: "
2713 "too many params\n"));
2714 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
2715 goto bail;
2716 }
2717 /*
2718 * Array contains: iv_len, icv_len, salt_len
2719 * Any additional parameters are currently ignored.
2720 */
2721 alg->alg_params[cur_block++] =
2722 attr->spd_attr_value;
2723 break;
2724
2725 case SPD_ATTR_ALG_MECHNAME: {
2726 char *mech_name;
2727
2728 if (attr->spd_attr_value > CRYPTO_MAX_MECH_NAME) {
2729 ss1dbg(spds, ("spdsock_do_updatealg: "
2730 "mech name too long\n"));
2731 diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN;
2732 goto bail;
2733 }
2734 mech_name = (char *)(attr + 1);
2735 bcopy(mech_name, alg->alg_mech_name,
2736 attr->spd_attr_value);
2737 alg->alg_mech_name[CRYPTO_MAX_MECH_NAME-1] = '\0';
2738 attr = (struct spd_attribute *)((char *)attr +
2739 attr->spd_attr_value);
2740 break;
2741 }
2742
2743 case SPD_ATTR_PROTO_ID:
2744 doing_proto = B_TRUE;
2745 for (i = 0; i < NALGPROTOS; i++) {
2746 if (algproto[i] == attr->spd_attr_value) {
2747 alg_type = i;
2748 break;
2749 }
2750 }
2751 break;
2752
2753 case SPD_ATTR_PROTO_EXEC_MODE:
2754 if (!doing_proto)
2755 break;
2756 for (i = 0; i < NEXECMODES; i++) {
2757 if (execmodes[i] == attr->spd_attr_value) {
2758 spds->spds_algs_exec_mode[alg_type] = i;
2759 break;
2760 }
2761 }
2762 break;
2763 }
2764 attr++;
2765 }
2766
2767 #undef ALG_KEY_SIZES
2768 #undef ALG_BLOCK_SIZES
2769 #undef ALG_PARAM_SIZES
2770
2771 /* update the algorithm tables */
2772 spdsock_merge_algs(spds);
2773 bail:
2774 /* cleanup */
2775 ipsec_alg_free(alg);
2776 for (alg_type = 0; alg_type < IPSEC_NALGTYPES; alg_type++) {
2777 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) {
2778 if (spds->spds_algs[alg_type][algid] != NULL) {
2779 ipsec_alg_free(
2780 spds->spds_algs[alg_type][algid]);
2781 }
2782 }
2783 }
2784 return (diag);
2785 }
2786
2787 /*
2788 * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue
2789 * the request until IPsec loads. If IPsec is loaded, act on it
2790 * immediately.
2791 */
2792
2793 static void
spdsock_updatealg(queue_t * q,mblk_t * mp,spd_ext_t * extv[])2794 spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[])
2795 {
2796 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2797 spd_stack_t *spds = ss->spdsock_spds;
2798 ipsec_stack_t *ipss = spds->spds_netstack->netstack_ipsec;
2799 uint32_t auditing = AU_AUDITING();
2800
2801 if (!ipsec_loaded(ipss)) {
2802 /*
2803 * IPsec is not loaded, save request and return nicely,
2804 * the message will be processed once IPsec loads.
2805 */
2806 mblk_t *new_mp;
2807
2808 /* last update message wins */
2809 if ((new_mp = copymsg(mp)) == NULL) {
2810 spdsock_error(q, mp, ENOMEM, 0);
2811 return;
2812 }
2813 mutex_enter(&spds->spds_alg_lock);
2814 bcopy(extv, spds->spds_extv_algs,
2815 sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1));
2816 if (spds->spds_mp_algs != NULL)
2817 freemsg(spds->spds_mp_algs);
2818 spds->spds_mp_algs = mp;
2819 mutex_exit(&spds->spds_alg_lock);
2820 if (auditing) {
2821 cred_t *cr;
2822 pid_t cpid;
2823
2824 cr = msg_getcred(mp, &cpid);
2825 audit_pf_policy(SPD_UPDATEALGS, cr,
2826 spds->spds_netstack, NULL, B_TRUE, EAGAIN,
2827 cpid);
2828 }
2829 spd_echo(q, new_mp);
2830 } else {
2831 /*
2832 * IPsec is loaded, act on the message immediately.
2833 */
2834 int diag;
2835
2836 mutex_enter(&spds->spds_alg_lock);
2837 diag = spdsock_do_updatealg(extv, spds);
2838 if (diag == -1) {
2839 /* Keep the lock held while we walk the SA tables. */
2840 sadb_alg_update(IPSEC_ALG_ALL, 0, 0,
2841 spds->spds_netstack);
2842 mutex_exit(&spds->spds_alg_lock);
2843 spd_echo(q, mp);
2844 if (auditing) {
2845 cred_t *cr;
2846 pid_t cpid;
2847
2848 cr = msg_getcred(mp, &cpid);
2849 audit_pf_policy(SPD_UPDATEALGS, cr,
2850 spds->spds_netstack, NULL, B_TRUE, 0,
2851 cpid);
2852 }
2853 } else {
2854 mutex_exit(&spds->spds_alg_lock);
2855 spdsock_diag(q, mp, diag);
2856 if (auditing) {
2857 cred_t *cr;
2858 pid_t cpid;
2859
2860 cr = msg_getcred(mp, &cpid);
2861 audit_pf_policy(SPD_UPDATEALGS, cr,
2862 spds->spds_netstack, NULL, B_TRUE, diag,
2863 cpid);
2864 }
2865 }
2866 }
2867 }
2868
2869 /*
2870 * Find a tunnel instance (using the name to link ID mapping), and
2871 * update it after an IPsec change. We need to do this always in case
2872 * we add policy AFTER plumbing a tunnel. We also need to do this
2873 * because, as a side-effect, the tunnel's MTU is updated to reflect
2874 * any IPsec overhead in the itp's policy.
2875 */
2876 static void
update_iptun_policy(ipsec_tun_pol_t * itp)2877 update_iptun_policy(ipsec_tun_pol_t *itp)
2878 {
2879 datalink_id_t linkid;
2880
2881 if (dls_mgmt_get_linkid(itp->itp_name, &linkid) == 0)
2882 iptun_set_policy(linkid, itp);
2883 }
2884
2885 /*
2886 * Sort through the mess of polhead options to retrieve an appropriate one.
2887 * Returns NULL if we send an spdsock error. Returns a valid pointer if we
2888 * found a valid polhead. Returns ALL_ACTIVE_POLHEADS (aka. -1) or
2889 * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to
2890 * act on ALL policy heads.
2891 */
2892 static ipsec_policy_head_t *
get_appropriate_polhead(queue_t * q,mblk_t * mp,spd_if_t * tunname,int spdid,int msgtype,ipsec_tun_pol_t ** itpp)2893 get_appropriate_polhead(queue_t *q, mblk_t *mp, spd_if_t *tunname, int spdid,
2894 int msgtype, ipsec_tun_pol_t **itpp)
2895 {
2896 ipsec_tun_pol_t *itp;
2897 ipsec_policy_head_t *iph;
2898 int errno;
2899 char *tname;
2900 boolean_t active;
2901 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2902 netstack_t *ns = ss->spdsock_spds->spds_netstack;
2903 uint64_t gen; /* Placeholder */
2904
2905 active = (spdid == SPD_ACTIVE);
2906 *itpp = NULL;
2907 if (!active && spdid != SPD_STANDBY) {
2908 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_SPDID);
2909 return (NULL);
2910 }
2911
2912 if (tunname != NULL) {
2913 /* Acting on a tunnel's SPD. */
2914 tname = (char *)tunname->spd_if_name;
2915 if (*tname == '\0') {
2916 /* Handle all-polhead cases here. */
2917 if (msgtype != SPD_FLUSH && msgtype != SPD_DUMP) {
2918 spdsock_diag(q, mp,
2919 SPD_DIAGNOSTIC_NOT_GLOBAL_OP);
2920 return (NULL);
2921 }
2922 return (active ? ALL_ACTIVE_POLHEADS :
2923 ALL_INACTIVE_POLHEADS);
2924 }
2925
2926 itp = get_tunnel_policy(tname, ns);
2927 if (itp == NULL) {
2928 if (msgtype != SPD_ADDRULE) {
2929 /* "Tunnel not found" */
2930 spdsock_error(q, mp, ENOENT, 0);
2931 return (NULL);
2932 }
2933
2934 errno = 0;
2935 itp = create_tunnel_policy(tname, &errno, &gen, ns);
2936 if (itp == NULL) {
2937 /*
2938 * Something very bad happened, most likely
2939 * ENOMEM. Return an indicator.
2940 */
2941 spdsock_error(q, mp, errno, 0);
2942 return (NULL);
2943 }
2944 }
2945
2946 /* Match up the itp to an iptun instance. */
2947 update_iptun_policy(itp);
2948
2949 *itpp = itp;
2950 /* For spdsock dump state, set the polhead's name. */
2951 if (msgtype == SPD_DUMP) {
2952 ITP_REFHOLD(itp);
2953 ss->spdsock_itp = itp;
2954 ss->spdsock_dump_tunnel = itp->itp_flags &
2955 (active ? ITPF_P_TUNNEL : ITPF_I_TUNNEL);
2956 }
2957 } else {
2958 itp = NULL;
2959 /* For spdsock dump state, indicate it's global policy. */
2960 if (msgtype == SPD_DUMP)
2961 ss->spdsock_itp = NULL;
2962 }
2963
2964 if (active)
2965 iph = (itp == NULL) ? ipsec_system_policy(ns) : itp->itp_policy;
2966 else
2967 iph = (itp == NULL) ? ipsec_inactive_policy(ns) :
2968 itp->itp_inactive;
2969
2970 ASSERT(iph != NULL);
2971 if (itp != NULL) {
2972 IPPH_REFHOLD(iph);
2973 }
2974
2975 return (iph);
2976 }
2977
2978 static void
spdsock_parse(queue_t * q,mblk_t * mp)2979 spdsock_parse(queue_t *q, mblk_t *mp)
2980 {
2981 spd_msg_t *spmsg;
2982 spd_ext_t *extv[SPD_EXT_MAX + 1];
2983 uint_t msgsize;
2984 ipsec_policy_head_t *iph;
2985 ipsec_tun_pol_t *itp;
2986 spd_if_t *tunname;
2987 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2988 spd_stack_t *spds = ss->spdsock_spds;
2989 netstack_t *ns = spds->spds_netstack;
2990 ipsec_stack_t *ipss = ns->netstack_ipsec;
2991
2992 /* Make sure nothing's below me. */
2993 ASSERT(WR(q)->q_next == NULL);
2994
2995 spmsg = (spd_msg_t *)mp->b_rptr;
2996
2997 msgsize = SPD_64TO8(spmsg->spd_msg_len);
2998
2999 if (msgdsize(mp) != msgsize) {
3000 /*
3001 * Message len incorrect w.r.t. actual size. Send an error
3002 * (EMSGSIZE). It may be necessary to massage things a
3003 * bit. For example, if the spd_msg_type is hosed,
3004 * I need to set it to SPD_RESERVED to get delivery to
3005 * do the right thing. Then again, maybe just letting
3006 * the error delivery do the right thing.
3007 */
3008 ss2dbg(spds,
3009 ("mblk (%lu) and base (%d) message sizes don't jibe.\n",
3010 msgdsize(mp), msgsize));
3011 spdsock_error(q, mp, EMSGSIZE, SPD_DIAGNOSTIC_NONE);
3012 return;
3013 }
3014
3015 if (msgsize > (uint_t)(mp->b_wptr - mp->b_rptr)) {
3016 /* Get all message into one mblk. */
3017 if (pullupmsg(mp, -1) == 0) {
3018 /*
3019 * Something screwy happened.
3020 */
3021 ss3dbg(spds, ("spdsock_parse: pullupmsg() failed.\n"));
3022 return;
3023 } else {
3024 spmsg = (spd_msg_t *)mp->b_rptr;
3025 }
3026 }
3027
3028 switch (spdsock_get_ext(extv, spmsg, msgsize)) {
3029 case KGE_DUP:
3030 /* Handle duplicate extension. */
3031 ss1dbg(spds, ("Got duplicate extension of type %d.\n",
3032 extv[0]->spd_ext_type));
3033 spdsock_diag(q, mp, dup_ext_diag[extv[0]->spd_ext_type]);
3034 return;
3035 case KGE_UNK:
3036 /* Handle unknown extension. */
3037 ss1dbg(spds, ("Got unknown extension of type %d.\n",
3038 extv[0]->spd_ext_type));
3039 spdsock_diag(q, mp, SPD_DIAGNOSTIC_UNKNOWN_EXT);
3040 return;
3041 case KGE_LEN:
3042 /* Length error. */
3043 ss1dbg(spds, ("Length %d on extension type %d overrun or 0.\n",
3044 extv[0]->spd_ext_len, extv[0]->spd_ext_type));
3045 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_EXTLEN);
3046 return;
3047 case KGE_CHK:
3048 /* Reality check failed. */
3049 ss1dbg(spds, ("Reality check failed on extension type %d.\n",
3050 extv[0]->spd_ext_type));
3051 spdsock_diag(q, mp, bad_ext_diag[extv[0]->spd_ext_type]);
3052 return;
3053 default:
3054 /* Default case is no errors. */
3055 break;
3056 }
3057
3058 /*
3059 * Special-case SPD_UPDATEALGS so as not to load IPsec.
3060 */
3061 if (!ipsec_loaded(ipss) && spmsg->spd_msg_type != SPD_UPDATEALGS) {
3062 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3063
3064 ASSERT(ss != NULL);
3065 ipsec_loader_loadnow(ipss);
3066 ss->spdsock_timeout_arg = mp;
3067 ss->spdsock_timeout = qtimeout(q, spdsock_loadcheck,
3068 q, LOADCHECK_INTERVAL);
3069 return;
3070 }
3071
3072 /* First check for messages that need no polheads at all. */
3073 switch (spmsg->spd_msg_type) {
3074 case SPD_UPDATEALGS:
3075 spdsock_updatealg(q, mp, extv);
3076 return;
3077 case SPD_ALGLIST:
3078 spdsock_alglist(q, mp);
3079 return;
3080 case SPD_DUMPALGS:
3081 spdsock_dumpalgs(q, mp);
3082 return;
3083 }
3084
3085 /*
3086 * Then check for ones that need both primary/secondary polheads,
3087 * finding the appropriate tunnel policy if need be.
3088 */
3089 tunname = (spd_if_t *)extv[SPD_EXT_TUN_NAME];
3090 switch (spmsg->spd_msg_type) {
3091 case SPD_FLIP:
3092 spdsock_flip(q, mp, tunname);
3093 return;
3094 case SPD_CLONE:
3095 spdsock_clone(q, mp, tunname);
3096 return;
3097 }
3098
3099 /*
3100 * Finally, find ones that operate on exactly one polhead, or
3101 * "all polheads" of a given type (active/inactive).
3102 */
3103 iph = get_appropriate_polhead(q, mp, tunname, spmsg->spd_msg_spdid,
3104 spmsg->spd_msg_type, &itp);
3105 if (iph == NULL)
3106 return;
3107
3108 /* All-polheads-ready operations. */
3109 switch (spmsg->spd_msg_type) {
3110 case SPD_FLUSH:
3111 if (itp != NULL) {
3112 mutex_enter(&itp->itp_lock);
3113 if (spmsg->spd_msg_spdid == SPD_ACTIVE)
3114 itp->itp_flags &= ~ITPF_PFLAGS;
3115 else
3116 itp->itp_flags &= ~ITPF_IFLAGS;
3117 mutex_exit(&itp->itp_lock);
3118 }
3119
3120 spdsock_flush(q, iph, itp, mp);
3121
3122 if (itp != NULL) {
3123 /* SPD_FLUSH is worth a tunnel MTU check. */
3124 update_iptun_policy(itp);
3125 ITP_REFRELE(itp, ns);
3126 }
3127 return;
3128 case SPD_DUMP:
3129 if (itp != NULL)
3130 ITP_REFRELE(itp, ns);
3131 spdsock_dump(q, iph, mp);
3132 return;
3133 }
3134
3135 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) {
3136 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NOT_GLOBAL_OP);
3137 return;
3138 }
3139
3140 /* Single-polhead-only operations. */
3141 switch (spmsg->spd_msg_type) {
3142 case SPD_ADDRULE:
3143 spdsock_addrule(q, iph, mp, extv, itp);
3144 break;
3145 case SPD_DELETERULE:
3146 spdsock_deleterule(q, iph, mp, extv, itp);
3147 break;
3148 case SPD_LOOKUP:
3149 spdsock_lookup(q, iph, mp, extv, itp);
3150 break;
3151 default:
3152 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_MSG_TYPE);
3153 break;
3154 }
3155
3156 IPPH_REFRELE(iph, ns);
3157 if (itp != NULL) {
3158 /* SPD_{ADD,DELETE}RULE are worth a tunnel MTU check. */
3159 if (spmsg->spd_msg_type == SPD_ADDRULE ||
3160 spmsg->spd_msg_type == SPD_DELETERULE)
3161 update_iptun_policy(itp);
3162 ITP_REFRELE(itp, ns);
3163 }
3164 }
3165
3166 /*
3167 * If an algorithm mapping was received before IPsec was loaded, process it.
3168 * Called from the IPsec loader.
3169 */
3170 void
spdsock_update_pending_algs(netstack_t * ns)3171 spdsock_update_pending_algs(netstack_t *ns)
3172 {
3173 spd_stack_t *spds = ns->netstack_spdsock;
3174
3175 mutex_enter(&spds->spds_alg_lock);
3176 if (spds->spds_mp_algs != NULL) {
3177 (void) spdsock_do_updatealg(spds->spds_extv_algs, spds);
3178 freemsg(spds->spds_mp_algs);
3179 spds->spds_mp_algs = NULL;
3180 }
3181 mutex_exit(&spds->spds_alg_lock);
3182 }
3183
3184 static void
spdsock_loadcheck(void * arg)3185 spdsock_loadcheck(void *arg)
3186 {
3187 queue_t *q = (queue_t *)arg;
3188 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3189 mblk_t *mp;
3190 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
3191
3192 ASSERT(ss != NULL);
3193
3194 ss->spdsock_timeout = 0;
3195 mp = ss->spdsock_timeout_arg;
3196 ASSERT(mp != NULL);
3197 ss->spdsock_timeout_arg = NULL;
3198 if (ipsec_failed(ipss))
3199 spdsock_error(q, mp, EPROTONOSUPPORT, 0);
3200 else
3201 spdsock_parse(q, mp);
3202 }
3203
3204 /*
3205 * Copy relevant state bits.
3206 */
3207 static void
spdsock_copy_info(struct T_info_ack * tap,spdsock_t * ss)3208 spdsock_copy_info(struct T_info_ack *tap, spdsock_t *ss)
3209 {
3210 *tap = spdsock_g_t_info_ack;
3211 tap->CURRENT_state = ss->spdsock_state;
3212 tap->OPT_size = spdsock_max_optsize;
3213 }
3214
3215 /*
3216 * This routine responds to T_CAPABILITY_REQ messages. It is called by
3217 * spdsock_wput. Much of the T_CAPABILITY_ACK information is copied from
3218 * spdsock_g_t_info_ack. The current state of the stream is copied from
3219 * spdsock_state.
3220 */
3221 static void
spdsock_capability_req(queue_t * q,mblk_t * mp)3222 spdsock_capability_req(queue_t *q, mblk_t *mp)
3223 {
3224 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3225 t_uscalar_t cap_bits1;
3226 struct T_capability_ack *tcap;
3227
3228 cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1;
3229
3230 mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack),
3231 mp->b_datap->db_type, T_CAPABILITY_ACK);
3232 if (mp == NULL)
3233 return;
3234
3235 tcap = (struct T_capability_ack *)mp->b_rptr;
3236 tcap->CAP_bits1 = 0;
3237
3238 if (cap_bits1 & TC1_INFO) {
3239 spdsock_copy_info(&tcap->INFO_ack, ss);
3240 tcap->CAP_bits1 |= TC1_INFO;
3241 }
3242
3243 qreply(q, mp);
3244 }
3245
3246 /*
3247 * This routine responds to T_INFO_REQ messages. It is called by
3248 * spdsock_wput_other.
3249 * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack.
3250 * The current state of the stream is copied from spdsock_state.
3251 */
3252 static void
spdsock_info_req(queue_t * q,mblk_t * mp)3253 spdsock_info_req(
3254 queue_t *q,
3255 mblk_t *mp)
3256 {
3257 mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO,
3258 T_INFO_ACK);
3259 if (mp == NULL)
3260 return;
3261 spdsock_copy_info((struct T_info_ack *)mp->b_rptr,
3262 (spdsock_t *)q->q_ptr);
3263 qreply(q, mp);
3264 }
3265
3266 /*
3267 * spdsock_err_ack. This routine creates a
3268 * T_ERROR_ACK message and passes it
3269 * upstream.
3270 */
3271 static void
spdsock_err_ack(queue_t * q,mblk_t * mp,int t_error,int sys_error)3272 spdsock_err_ack(
3273 queue_t *q,
3274 mblk_t *mp,
3275 int t_error,
3276 int sys_error)
3277 {
3278 if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL)
3279 qreply(q, mp);
3280 }
3281
3282 /*
3283 * This routine retrieves the current status of socket options.
3284 * It returns the size of the option retrieved.
3285 */
3286 /* ARGSUSED */
3287 int
spdsock_opt_get(queue_t * q,int level,int name,uchar_t * ptr)3288 spdsock_opt_get(queue_t *q, int level, int name, uchar_t *ptr)
3289 {
3290 int *i1 = (int *)ptr;
3291
3292 switch (level) {
3293 case SOL_SOCKET:
3294 switch (name) {
3295 case SO_TYPE:
3296 *i1 = SOCK_RAW;
3297 break;
3298 /*
3299 * The following two items can be manipulated,
3300 * but changing them should do nothing.
3301 */
3302 case SO_SNDBUF:
3303 *i1 = (int)q->q_hiwat;
3304 break;
3305 case SO_RCVBUF:
3306 *i1 = (int)(RD(q)->q_hiwat);
3307 break;
3308 }
3309 break;
3310 default:
3311 return (0);
3312 }
3313 return (sizeof (int));
3314 }
3315
3316 /*
3317 * This routine sets socket options.
3318 */
3319 /* ARGSUSED */
3320 int
spdsock_opt_set(queue_t * q,uint_t mgmt_flags,int level,int name,uint_t inlen,uchar_t * invalp,uint_t * outlenp,uchar_t * outvalp,void * thisdg_attrs,cred_t * cr)3321 spdsock_opt_set(queue_t *q, uint_t mgmt_flags, int level, int name,
3322 uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
3323 void *thisdg_attrs, cred_t *cr)
3324 {
3325 int *i1 = (int *)invalp;
3326 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3327 spd_stack_t *spds = ss->spdsock_spds;
3328
3329 switch (level) {
3330 case SOL_SOCKET:
3331 switch (name) {
3332 case SO_SNDBUF:
3333 if (*i1 > spds->spds_max_buf)
3334 return (ENOBUFS);
3335 q->q_hiwat = *i1;
3336 break;
3337 case SO_RCVBUF:
3338 if (*i1 > spds->spds_max_buf)
3339 return (ENOBUFS);
3340 RD(q)->q_hiwat = *i1;
3341 (void) proto_set_rx_hiwat(RD(q), NULL, *i1);
3342 break;
3343 }
3344 break;
3345 }
3346 return (0);
3347 }
3348
3349
3350 /*
3351 * Handle STREAMS messages.
3352 */
3353 static void
spdsock_wput_other(queue_t * q,mblk_t * mp)3354 spdsock_wput_other(queue_t *q, mblk_t *mp)
3355 {
3356 struct iocblk *iocp;
3357 int error;
3358 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3359 spd_stack_t *spds = ss->spdsock_spds;
3360 cred_t *cr;
3361
3362 switch (mp->b_datap->db_type) {
3363 case M_PROTO:
3364 case M_PCPROTO:
3365 if ((mp->b_wptr - mp->b_rptr) < sizeof (long)) {
3366 ss3dbg(spds, (
3367 "spdsock_wput_other: Not big enough M_PROTO\n"));
3368 freemsg(mp);
3369 return;
3370 }
3371 switch (((union T_primitives *)mp->b_rptr)->type) {
3372 case T_CAPABILITY_REQ:
3373 spdsock_capability_req(q, mp);
3374 break;
3375 case T_INFO_REQ:
3376 spdsock_info_req(q, mp);
3377 break;
3378 case T_SVR4_OPTMGMT_REQ:
3379 case T_OPTMGMT_REQ:
3380 /*
3381 * All Solaris components should pass a db_credp
3382 * for this TPI message, hence we ASSERT.
3383 * But in case there is some other M_PROTO that looks
3384 * like a TPI message sent by some other kernel
3385 * component, we check and return an error.
3386 */
3387 cr = msg_getcred(mp, NULL);
3388 ASSERT(cr != NULL);
3389 if (cr == NULL) {
3390 spdsock_err_ack(q, mp, TSYSERR, EINVAL);
3391 return;
3392 }
3393 if (((union T_primitives *)mp->b_rptr)->type ==
3394 T_SVR4_OPTMGMT_REQ) {
3395 svr4_optcom_req(q, mp, cr, &spdsock_opt_obj);
3396 } else {
3397 tpi_optcom_req(q, mp, cr, &spdsock_opt_obj);
3398 }
3399 break;
3400 case T_DATA_REQ:
3401 case T_EXDATA_REQ:
3402 case T_ORDREL_REQ:
3403 /* Illegal for spdsock. */
3404 freemsg(mp);
3405 (void) putnextctl1(RD(q), M_ERROR, EPROTO);
3406 break;
3407 default:
3408 /* Not supported by spdsock. */
3409 spdsock_err_ack(q, mp, TNOTSUPPORT, 0);
3410 break;
3411 }
3412 return;
3413 case M_IOCDATA:
3414 keysock_spdsock_wput_iocdata(q, mp, PF_POLICY);
3415 return;
3416 case M_IOCTL:
3417 iocp = (struct iocblk *)mp->b_rptr;
3418 error = EINVAL;
3419
3420 switch (iocp->ioc_cmd) {
3421 case TI_GETMYNAME:
3422 case TI_GETPEERNAME:
3423 /*
3424 * For pfiles(1) observability with getsockname().
3425 * See keysock_spdsock_wput_iocdata() for the rest of
3426 * this.
3427 */
3428 mi_copyin(q, mp, NULL,
3429 SIZEOF_STRUCT(strbuf, iocp->ioc_flag));
3430 return;
3431 case ND_SET:
3432 case ND_GET:
3433 if (nd_getset(q, spds->spds_g_nd, mp)) {
3434 qreply(q, mp);
3435 return;
3436 } else
3437 error = ENOENT;
3438 /* FALLTHRU */
3439 default:
3440 miocnak(q, mp, 0, error);
3441 return;
3442 }
3443 case M_FLUSH:
3444 if (*mp->b_rptr & FLUSHW) {
3445 flushq(q, FLUSHALL);
3446 *mp->b_rptr &= ~FLUSHW;
3447 }
3448 if (*mp->b_rptr & FLUSHR) {
3449 qreply(q, mp);
3450 return;
3451 }
3452 /* Else FALLTHRU */
3453 }
3454
3455 /* If fell through, just black-hole the message. */
3456 freemsg(mp);
3457 }
3458
3459 static int
spdsock_wput(queue_t * q,mblk_t * mp)3460 spdsock_wput(queue_t *q, mblk_t *mp)
3461 {
3462 uint8_t *rptr = mp->b_rptr;
3463 mblk_t *mp1;
3464 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3465 spd_stack_t *spds = ss->spdsock_spds;
3466
3467 /*
3468 * If we're dumping, defer processing other messages until the
3469 * dump completes.
3470 */
3471 if (ss->spdsock_dump_req != NULL) {
3472 if (!putq(q, mp))
3473 freemsg(mp);
3474 return (0);
3475 }
3476
3477 switch (mp->b_datap->db_type) {
3478 case M_DATA:
3479 /*
3480 * Silently discard.
3481 */
3482 ss2dbg(spds, ("raw M_DATA in spdsock.\n"));
3483 freemsg(mp);
3484 return (0);
3485 case M_PROTO:
3486 case M_PCPROTO:
3487 if ((mp->b_wptr - rptr) >= sizeof (struct T_data_req)) {
3488 if (((union T_primitives *)rptr)->type == T_DATA_REQ) {
3489 if ((mp1 = mp->b_cont) == NULL) {
3490 /* No data after T_DATA_REQ. */
3491 ss2dbg(spds,
3492 ("No data after DATA_REQ.\n"));
3493 freemsg(mp);
3494 return (0);
3495 }
3496 freeb(mp);
3497 mp = mp1;
3498 ss2dbg(spds, ("T_DATA_REQ\n"));
3499 break; /* Out of switch. */
3500 }
3501 }
3502 /* FALLTHRU */
3503 default:
3504 ss3dbg(spds, ("In default wput case (%d %d).\n",
3505 mp->b_datap->db_type, ((union T_primitives *)rptr)->type));
3506 spdsock_wput_other(q, mp);
3507 return (0);
3508 }
3509
3510 /* I now have a PF_POLICY message in an M_DATA block. */
3511 spdsock_parse(q, mp);
3512 return (0);
3513 }
3514
3515 /*
3516 * Device open procedure, called when new queue pair created.
3517 * We are passed the read-side queue.
3518 */
3519 /* ARGSUSED */
3520 static int
spdsock_open(queue_t * q,dev_t * devp,int flag,int sflag,cred_t * credp)3521 spdsock_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
3522 {
3523 spdsock_t *ss;
3524 queue_t *oq = OTHERQ(q);
3525 minor_t ssminor;
3526 netstack_t *ns;
3527 spd_stack_t *spds;
3528
3529 if (secpolicy_ip_config(credp, B_FALSE) != 0)
3530 return (EPERM);
3531
3532 if (q->q_ptr != NULL)
3533 return (0); /* Re-open of an already open instance. */
3534
3535 if (sflag & MODOPEN)
3536 return (EINVAL);
3537
3538 ns = netstack_find_by_cred(credp);
3539 ASSERT(ns != NULL);
3540 spds = ns->netstack_spdsock;
3541 ASSERT(spds != NULL);
3542
3543 ss2dbg(spds, ("Made it into PF_POLICY socket open.\n"));
3544
3545 ssminor = (minor_t)(uintptr_t)vmem_alloc(spdsock_vmem, 1, VM_NOSLEEP);
3546 if (ssminor == 0) {
3547 netstack_rele(spds->spds_netstack);
3548 return (ENOMEM);
3549 }
3550 ss = kmem_zalloc(sizeof (spdsock_t), KM_NOSLEEP);
3551 if (ss == NULL) {
3552 vmem_free(spdsock_vmem, (void *)(uintptr_t)ssminor, 1);
3553 netstack_rele(spds->spds_netstack);
3554 return (ENOMEM);
3555 }
3556
3557 ss->spdsock_minor = ssminor;
3558 ss->spdsock_state = TS_UNBND;
3559 ss->spdsock_dump_req = NULL;
3560
3561 ss->spdsock_spds = spds;
3562
3563 q->q_ptr = ss;
3564 oq->q_ptr = ss;
3565
3566 q->q_hiwat = spds->spds_recv_hiwat;
3567
3568 oq->q_hiwat = spds->spds_xmit_hiwat;
3569 oq->q_lowat = spds->spds_xmit_lowat;
3570
3571 qprocson(q);
3572 (void) proto_set_rx_hiwat(q, NULL, spds->spds_recv_hiwat);
3573
3574 *devp = makedevice(getmajor(*devp), ss->spdsock_minor);
3575 return (0);
3576 }
3577
3578 /*
3579 * Read-side service procedure, invoked when we get back-enabled
3580 * when buffer space becomes available.
3581 *
3582 * Dump another chunk if we were dumping before; when we finish, kick
3583 * the write-side queue in case it's waiting for read queue space.
3584 */
3585 int
spdsock_rsrv(queue_t * q)3586 spdsock_rsrv(queue_t *q)
3587 {
3588 spdsock_t *ss = q->q_ptr;
3589
3590 if (ss->spdsock_dump_req != NULL)
3591 spdsock_dump_some(q, ss);
3592
3593 if (ss->spdsock_dump_req == NULL)
3594 qenable(OTHERQ(q));
3595 return (0);
3596 }
3597
3598 /*
3599 * Write-side service procedure, invoked when we defer processing
3600 * if another message is received while a dump is in progress.
3601 */
3602 int
spdsock_wsrv(queue_t * q)3603 spdsock_wsrv(queue_t *q)
3604 {
3605 spdsock_t *ss = q->q_ptr;
3606 mblk_t *mp;
3607 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
3608
3609 if (ss->spdsock_dump_req != NULL) {
3610 qenable(OTHERQ(q));
3611 return (0);
3612 }
3613
3614 while ((mp = getq(q)) != NULL) {
3615 if (ipsec_loaded(ipss)) {
3616 (void) spdsock_wput(q, mp);
3617 if (ss->spdsock_dump_req != NULL)
3618 return (0);
3619 } else if (!ipsec_failed(ipss)) {
3620 (void) putq(q, mp);
3621 } else {
3622 spdsock_error(q, mp, EPFNOSUPPORT, 0);
3623 }
3624 }
3625 return (0);
3626 }
3627
3628 /* ARGSUSED */
3629 static int
spdsock_close(queue_t * q,int flags __unused,cred_t * credp __unused)3630 spdsock_close(queue_t *q, int flags __unused, cred_t *credp __unused)
3631 {
3632 spdsock_t *ss = q->q_ptr;
3633 spd_stack_t *spds = ss->spdsock_spds;
3634
3635 qprocsoff(q);
3636
3637 /* Safe assumption. */
3638 ASSERT(ss != NULL);
3639
3640 if (ss->spdsock_timeout != 0)
3641 (void) quntimeout(q, ss->spdsock_timeout);
3642
3643 ss3dbg(spds, ("Driver close, PF_POLICY socket is going away.\n"));
3644
3645 vmem_free(spdsock_vmem, (void *)(uintptr_t)ss->spdsock_minor, 1);
3646 netstack_rele(ss->spdsock_spds->spds_netstack);
3647
3648 kmem_free(ss, sizeof (spdsock_t));
3649 return (0);
3650 }
3651
3652 /*
3653 * Merge the IPsec algorithms tables with the received algorithm information.
3654 */
3655 void
spdsock_merge_algs(spd_stack_t * spds)3656 spdsock_merge_algs(spd_stack_t *spds)
3657 {
3658 ipsec_alginfo_t *alg, *oalg;
3659 ipsec_algtype_t algtype;
3660 uint_t algidx, algid, nalgs;
3661 crypto_mech_name_t *mechs;
3662 uint_t mech_count, mech_idx;
3663 netstack_t *ns = spds->spds_netstack;
3664 ipsec_stack_t *ipss = ns->netstack_ipsec;
3665
3666 ASSERT(MUTEX_HELD(&spds->spds_alg_lock));
3667
3668 /*
3669 * Get the list of supported mechanisms from the crypto framework.
3670 * If a mechanism is supported by KCF, resolve its mechanism
3671 * id and mark it as being valid. This operation must be done
3672 * without holding alg_lock, since it can cause a provider
3673 * module to be loaded and the provider notification callback to
3674 * be invoked.
3675 */
3676 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
3677 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3678 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) {
3679 int algflags = 0;
3680 crypto_mech_type_t mt = CRYPTO_MECHANISM_INVALID;
3681
3682 alg = spds->spds_algs[algtype][algid];
3683 if (alg == NULL)
3684 continue;
3685
3686 /*
3687 * The NULL encryption algorithm is a special
3688 * case because there are no mechanisms, yet
3689 * the algorithm is still valid.
3690 */
3691 if (alg->alg_id == SADB_EALG_NULL) {
3692 alg->alg_mech_type = CRYPTO_MECHANISM_INVALID;
3693 alg->alg_flags |= ALG_FLAG_VALID;
3694 continue;
3695 }
3696
3697 for (mech_idx = 0; mech_idx < mech_count; mech_idx++) {
3698 if (strncmp(alg->alg_mech_name, mechs[mech_idx],
3699 CRYPTO_MAX_MECH_NAME) == 0) {
3700 mt = crypto_mech2id(alg->alg_mech_name);
3701 ASSERT(mt != CRYPTO_MECHANISM_INVALID);
3702 algflags = ALG_FLAG_VALID;
3703 break;
3704 }
3705 }
3706 alg->alg_mech_type = mt;
3707 alg->alg_flags |= algflags;
3708 }
3709 }
3710
3711 rw_enter(&ipss->ipsec_alg_lock, RW_WRITER);
3712
3713 /*
3714 * For each algorithm currently defined, check if it is
3715 * present in the new tables created from the SPD_UPDATEALGS
3716 * message received from user-space.
3717 * Delete the algorithm entries that are currently defined
3718 * but not part of the new tables.
3719 */
3720 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3721 nalgs = ipss->ipsec_nalgs[algtype];
3722 for (algidx = 0; algidx < nalgs; algidx++) {
3723 algid = ipss->ipsec_sortlist[algtype][algidx];
3724 if (spds->spds_algs[algtype][algid] == NULL)
3725 ipsec_alg_unreg(algtype, algid, ns);
3726 }
3727 }
3728
3729 /*
3730 * For each algorithm we just received, check if it is
3731 * present in the currently defined tables. If it is, swap
3732 * the entry with the one we just allocated.
3733 * If the new algorithm is not in the current tables,
3734 * add it.
3735 */
3736 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3737 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) {
3738 alg = spds->spds_algs[algtype][algid];
3739 if (alg == NULL)
3740 continue;
3741
3742 if ((oalg = ipss->ipsec_alglists[algtype][algid]) ==
3743 NULL) {
3744 /*
3745 * New algorithm, add it to the algorithm
3746 * table.
3747 */
3748 ipsec_alg_reg(algtype, alg, ns);
3749 } else {
3750 /*
3751 * Algorithm is already in the table. Swap
3752 * the existing entry with the new one.
3753 */
3754 ipsec_alg_fix_min_max(alg, algtype, ns);
3755 ipss->ipsec_alglists[algtype][algid] = alg;
3756 ipsec_alg_free(oalg);
3757 }
3758 spds->spds_algs[algtype][algid] = NULL;
3759 }
3760 }
3761
3762 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3763 ipss->ipsec_algs_exec_mode[algtype] =
3764 spds->spds_algs_exec_mode[algtype];
3765 }
3766
3767 rw_exit(&ipss->ipsec_alg_lock);
3768
3769 crypto_free_mech_list(mechs, mech_count);
3770
3771 ipsecah_algs_changed(ns);
3772 ipsecesp_algs_changed(ns);
3773 }
3774