1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <sys/param.h> 30 #include <sys/types.h> 31 #include <sys/stream.h> 32 #include <sys/strsubr.h> 33 #include <sys/strsun.h> 34 #include <sys/stropts.h> 35 #include <sys/vnode.h> 36 #include <sys/sysmacros.h> 37 #define _SUN_TPI_VERSION 2 38 #include <sys/tihdr.h> 39 #include <sys/ddi.h> 40 #include <sys/sunddi.h> 41 #include <sys/mkdev.h> 42 #include <sys/debug.h> 43 #include <sys/kmem.h> 44 #include <sys/cmn_err.h> 45 #include <sys/proc.h> 46 #include <sys/suntpi.h> 47 #include <sys/policy.h> 48 49 #include <sys/socket.h> 50 #include <netinet/in.h> 51 #include <net/pfkeyv2.h> 52 #include <net/pfpolicy.h> 53 54 #include <inet/common.h> 55 #include <netinet/ip6.h> 56 #include <inet/ip.h> 57 #include <inet/ip6.h> 58 #include <inet/mi.h> 59 #include <inet/nd.h> 60 #include <inet/optcom.h> 61 #include <inet/ipsec_info.h> 62 #include <inet/ipsec_impl.h> 63 #include <inet/spdsock.h> 64 #include <inet/sadb.h> 65 66 #include <sys/isa_defs.h> 67 68 /* 69 * This is a transport provider for the PF_POLICY IPsec policy 70 * management socket, which provides a management interface into the 71 * SPD, allowing policy rules to be added, deleted, and queried. 72 * 73 * This effectively replaces the old private SIOC*IPSECONFIG ioctls 74 * with an extensible interface which will hopefully be public some 75 * day. 76 * 77 * See <net/pfpolicy.h> for more details on the protocol. 78 * 79 * We link against drv/ip and call directly into it to manipulate the 80 * SPD; see ipsec_impl.h for the policy data structures and spd.c for 81 * the code which maintains them. 82 * 83 * The MT model of this is QPAIR with the addition of some explicit 84 * locking to protect system-wide policy data structures. 85 */ 86 87 static vmem_t *spdsock_vmem; /* for minor numbers. */ 88 89 #define ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t)) 90 91 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */ 92 static struct T_info_ack spdsock_g_t_info_ack = { 93 T_INFO_ACK, 94 T_INFINITE, /* TSDU_size. Maximum size messages. */ 95 T_INVALID, /* ETSDU_size. No expedited data. */ 96 T_INVALID, /* CDATA_size. No connect data. */ 97 T_INVALID, /* DDATA_size. No disconnect data. */ 98 0, /* ADDR_size. */ 99 0, /* OPT_size. No user-settable options */ 100 64 * 1024, /* TIDU_size. spdsock allows maximum size messages. */ 101 T_COTS, /* SERV_type. spdsock supports connection oriented. */ 102 TS_UNBND, /* CURRENT_state. This is set from spdsock_state. */ 103 (XPG4_1) /* Provider flags */ 104 }; 105 106 /* Named Dispatch Parameter Management Structure */ 107 typedef struct spdsockpparam_s { 108 uint_t spdsock_param_min; 109 uint_t spdsock_param_max; 110 uint_t spdsock_param_value; 111 char *spdsock_param_name; 112 } spdsockparam_t; 113 114 /* 115 * Table of NDD variables supported by spdsock. These are loaded into 116 * spdsock_g_nd in spdsock_init_nd. 117 * All of these are alterable, within the min/max values given, at run time. 118 */ 119 static spdsockparam_t spdsock_param_arr[] = { 120 /* min max value name */ 121 { 4096, 65536, 8192, "spdsock_xmit_hiwat"}, 122 { 0, 65536, 1024, "spdsock_xmit_lowat"}, 123 { 4096, 65536, 8192, "spdsock_recv_hiwat"}, 124 { 65536, 1024*1024*1024, 256*1024, "spdsock_max_buf"}, 125 { 0, 3, 0, "spdsock_debug"}, 126 }; 127 #define spdsock_xmit_hiwat spdsock_param_arr[0].spdsock_param_value 128 #define spdsock_xmit_lowat spdsock_param_arr[1].spdsock_param_value 129 #define spdsock_recv_hiwat spdsock_param_arr[2].spdsock_param_value 130 #define spdsock_max_buf spdsock_param_arr[3].spdsock_param_value 131 #define spdsock_debug spdsock_param_arr[4].spdsock_param_value 132 133 kmutex_t spdsock_param_lock; /* Protects the NDD variables. */ 134 135 /* 136 * To save algorithm update messages that are processed only after IPsec 137 * is loaded. 138 */ 139 static spd_ext_t *spdsock_extv_algs[SPD_EXT_MAX + 1]; 140 static mblk_t *spdsock_mp_algs = NULL; 141 static boolean_t spdsock_algs_pending = B_FALSE; 142 static ipsec_alginfo_t *spdsock_algs[IPSEC_NALGTYPES][IPSEC_MAX_ALGS]; 143 static ipsec_algs_exec_mode_t spdsock_algs_exec_mode[IPSEC_NALGTYPES]; 144 static kmutex_t spdsock_alg_lock; 145 146 #define ss0dbg(a) printf a 147 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */ 148 #define ss1dbg(a) if (spdsock_debug != 0) printf a 149 #define ss2dbg(a) if (spdsock_debug > 1) printf a 150 #define ss3dbg(a) if (spdsock_debug > 2) printf a 151 152 static IDP spdsock_g_nd; 153 154 static int spdsock_close(queue_t *); 155 static int spdsock_open(queue_t *, dev_t *, int, int, cred_t *); 156 static void spdsock_wput(queue_t *, mblk_t *); 157 static void spdsock_wsrv(queue_t *); 158 static void spdsock_rsrv(queue_t *); 159 static void spdsock_loadcheck(void *); 160 static void spdsock_merge_algs(void); 161 162 static struct module_info info = { 163 5138, "spdsock", 1, INFPSZ, 512, 128 164 }; 165 166 static struct qinit rinit = { 167 NULL, (pfi_t)spdsock_rsrv, spdsock_open, spdsock_close, 168 NULL, &info 169 }; 170 171 static struct qinit winit = { 172 (pfi_t)spdsock_wput, (pfi_t)spdsock_wsrv, NULL, NULL, NULL, &info 173 }; 174 175 struct streamtab spdsockinfo = { 176 &rinit, &winit 177 }; 178 179 /* mapping from alg type to protocol number, as per RFC 2407 */ 180 static const uint_t algproto[] = { 181 PROTO_IPSEC_AH, 182 PROTO_IPSEC_ESP, 183 }; 184 185 #define NALGPROTOS (sizeof (algproto) / sizeof (algproto[0])) 186 187 /* mapping from kernel exec mode to spdsock exec mode */ 188 static const uint_t execmodes[] = { 189 SPD_ALG_EXEC_MODE_SYNC, 190 SPD_ALG_EXEC_MODE_ASYNC 191 }; 192 193 #define NEXECMODES (sizeof (execmodes) / sizeof (execmodes[0])) 194 195 /* ARGSUSED */ 196 static int 197 spdsock_param_get(q, mp, cp, cr) 198 queue_t *q; 199 mblk_t *mp; 200 caddr_t cp; 201 cred_t *cr; 202 { 203 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp; 204 uint_t value; 205 206 mutex_enter(&spdsock_param_lock); 207 value = spdsockpa->spdsock_param_value; 208 mutex_exit(&spdsock_param_lock); 209 210 (void) mi_mpprintf(mp, "%u", value); 211 return (0); 212 } 213 214 /* This routine sets an NDD variable in a spdsockparam_t structure. */ 215 /* ARGSUSED */ 216 static int 217 spdsock_param_set(q, mp, value, cp, cr) 218 queue_t *q; 219 mblk_t *mp; 220 char *value; 221 caddr_t cp; 222 cred_t *cr; 223 { 224 ulong_t new_value; 225 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp; 226 227 /* Convert the value from a string into a long integer. */ 228 if (ddi_strtoul(value, NULL, 10, &new_value) != 0) 229 return (EINVAL); 230 231 mutex_enter(&spdsock_param_lock); 232 /* 233 * Fail the request if the new value does not lie within the 234 * required bounds. 235 */ 236 if (new_value < spdsockpa->spdsock_param_min || 237 new_value > spdsockpa->spdsock_param_max) { 238 mutex_exit(&spdsock_param_lock); 239 return (EINVAL); 240 } 241 242 /* Set the new value */ 243 spdsockpa->spdsock_param_value = new_value; 244 mutex_exit(&spdsock_param_lock); 245 246 return (0); 247 } 248 249 boolean_t 250 spdsock_ddi_init(void) 251 { 252 spdsockparam_t *ssp = spdsock_param_arr; 253 int count = A_CNT(spdsock_param_arr); 254 255 if (!spdsock_g_nd) { 256 for (; count-- > 0; ssp++) { 257 if (ssp->spdsock_param_name != NULL && 258 (ssp->spdsock_param_name[0] != '\0')) { 259 if (!nd_load(&spdsock_g_nd, 260 ssp->spdsock_param_name, 261 spdsock_param_get, spdsock_param_set, 262 (caddr_t)ssp)) { 263 nd_free(&spdsock_g_nd); 264 return (B_FALSE); 265 } 266 } 267 } 268 } 269 270 spdsock_max_optsize = optcom_max_optsize( 271 spdsock_opt_obj.odb_opt_des_arr, spdsock_opt_obj.odb_opt_arr_cnt); 272 273 spdsock_vmem = vmem_create("spdsock", (void *)1, MAXMIN, 1, 274 NULL, NULL, NULL, 1, VM_SLEEP | VMC_IDENTIFIER); 275 276 mutex_init(&spdsock_param_lock, NULL, MUTEX_DEFAULT, NULL); 277 mutex_init(&spdsock_alg_lock, NULL, MUTEX_DEFAULT, NULL); 278 279 return (B_TRUE); 280 } 281 282 void 283 spdsock_ddi_destroy(void) 284 { 285 vmem_destroy(spdsock_vmem); 286 mutex_destroy(&spdsock_param_lock); 287 mutex_destroy(&spdsock_alg_lock); 288 nd_free(&spdsock_g_nd); 289 } 290 291 /* 292 * NOTE: large quantities of this should be shared with keysock. 293 * Would be nice to combine some of this into a common module, but 294 * not possible given time pressures. 295 */ 296 297 /* 298 * High-level reality checking of extensions. 299 */ 300 /* ARGSUSED */ /* XXX */ 301 static boolean_t 302 ext_check(spd_ext_t *ext) 303 { 304 305 return (B_TRUE); /* For now... */ 306 } 307 308 309 310 /* Return values for spdsock_get_ext(). */ 311 #define KGE_OK 0 312 #define KGE_DUP 1 313 #define KGE_UNK 2 314 #define KGE_LEN 3 315 #define KGE_CHK 4 316 317 /* 318 * Parse basic extension headers and return in the passed-in pointer vector. 319 * Return values include: 320 * 321 * KGE_OK Everything's nice and parsed out. 322 * If there are no extensions, place NULL in extv[0]. 323 * KGE_DUP There is a duplicate extension. 324 * First instance in appropriate bin. First duplicate in 325 * extv[0]. 326 * KGE_UNK Unknown extension type encountered. extv[0] contains 327 * unknown header. 328 * KGE_LEN Extension length error. 329 * KGE_CHK High-level reality check failed on specific extension. 330 * 331 * My apologies for some of the pointer arithmetic in here. I'm thinking 332 * like an assembly programmer, yet trying to make the compiler happy. 333 */ 334 static int 335 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize) 336 { 337 bzero(extv, sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1)); 338 339 /* Use extv[0] as the "current working pointer". */ 340 341 extv[0] = (spd_ext_t *)(basehdr + 1); 342 343 while (extv[0] < (spd_ext_t *)(((uint8_t *)basehdr) + msgsize)) { 344 /* Check for unknown headers. */ 345 if (extv[0]->spd_ext_type == 0 || 346 extv[0]->spd_ext_type > SPD_EXT_MAX) 347 return (KGE_UNK); 348 349 /* 350 * Check length. Use uint64_t because extlen is in units 351 * of 64-bit words. If length goes beyond the msgsize, 352 * return an error. (Zero length also qualifies here.) 353 */ 354 if (extv[0]->spd_ext_len == 0 || 355 (void *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) > 356 (void *)((uint8_t *)basehdr + msgsize)) 357 return (KGE_LEN); 358 359 /* Check for redundant headers. */ 360 if (extv[extv[0]->spd_ext_type] != NULL) 361 return (KGE_DUP); 362 363 /* 364 * Reality check the extension if possible at the spdsock 365 * level. 366 */ 367 if (!ext_check(extv[0])) 368 return (KGE_CHK); 369 370 /* If I make it here, assign the appropriate bin. */ 371 extv[extv[0]->spd_ext_type] = extv[0]; 372 373 /* Advance pointer (See above for uint64_t ptr reasoning.) */ 374 extv[0] = (spd_ext_t *) 375 ((uint64_t *)extv[0] + extv[0]->spd_ext_len); 376 } 377 378 /* Everything's cool. */ 379 380 /* 381 * If extv[0] == NULL, then there are no extension headers in this 382 * message. Ensure that this is the case. 383 */ 384 if (extv[0] == (spd_ext_t *)(basehdr + 1)) 385 extv[0] = NULL; 386 387 return (KGE_OK); 388 } 389 390 static const int bad_ext_diag[] = { 391 SPD_DIAGNOSTIC_MALFORMED_LCLPORT, 392 SPD_DIAGNOSTIC_MALFORMED_REMPORT, 393 SPD_DIAGNOSTIC_MALFORMED_PROTO, 394 SPD_DIAGNOSTIC_MALFORMED_LCLADDR, 395 SPD_DIAGNOSTIC_MALFORMED_REMADDR, 396 SPD_DIAGNOSTIC_MALFORMED_ACTION, 397 SPD_DIAGNOSTIC_MALFORMED_RULE, 398 SPD_DIAGNOSTIC_MALFORMED_RULESET, 399 SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE 400 }; 401 402 static const int dup_ext_diag[] = { 403 SPD_DIAGNOSTIC_DUPLICATE_LCLPORT, 404 SPD_DIAGNOSTIC_DUPLICATE_REMPORT, 405 SPD_DIAGNOSTIC_DUPLICATE_PROTO, 406 SPD_DIAGNOSTIC_DUPLICATE_LCLADDR, 407 SPD_DIAGNOSTIC_DUPLICATE_REMADDR, 408 SPD_DIAGNOSTIC_DUPLICATE_ACTION, 409 SPD_DIAGNOSTIC_DUPLICATE_RULE, 410 SPD_DIAGNOSTIC_DUPLICATE_RULESET, 411 SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE 412 }; 413 414 /* 415 * Transmit a PF_POLICY error message to the instance either pointed to 416 * by ks, the instance with serial number serial, or more, depending. 417 * 418 * The faulty message (or a reasonable facsimile thereof) is in mp. 419 * This function will free mp or recycle it for delivery, thereby causing 420 * the stream head to free it. 421 */ 422 static void 423 spdsock_error(queue_t *q, mblk_t *mp, int error, int diagnostic) 424 { 425 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 426 427 ASSERT(mp->b_datap->db_type == M_DATA); 428 429 if (spmsg->spd_msg_type < SPD_MIN || 430 spmsg->spd_msg_type > SPD_MAX) 431 spmsg->spd_msg_type = SPD_RESERVED; 432 433 /* 434 * Strip out extension headers. 435 */ 436 ASSERT(mp->b_rptr + sizeof (*spmsg) <= mp->b_datap->db_lim); 437 mp->b_wptr = mp->b_rptr + sizeof (*spmsg); 438 spmsg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t)); 439 spmsg->spd_msg_errno = (uint8_t)error; 440 spmsg->spd_msg_diagnostic = (uint16_t)diagnostic; 441 442 qreply(q, mp); 443 } 444 445 static void 446 spdsock_diag(queue_t *q, mblk_t *mp, int diagnostic) 447 { 448 spdsock_error(q, mp, EINVAL, diagnostic); 449 } 450 451 static void 452 spd_echo(queue_t *q, mblk_t *mp) 453 { 454 qreply(q, mp); 455 } 456 457 /* ARGSUSED */ 458 static void 459 spdsock_flush(queue_t *q, ipsec_policy_head_t *iph, 460 mblk_t *mp, spd_ext_t **extv) 461 { 462 rw_enter(&iph->iph_lock, RW_WRITER); 463 ipsec_polhead_flush(iph); 464 rw_exit(&iph->iph_lock); 465 466 spd_echo(q, mp); 467 } 468 469 static boolean_t 470 spdsock_ext_to_sel(spd_ext_t **extv, ipsec_selkey_t *sel, int *diag) 471 { 472 bzero(sel, sizeof (*sel)); 473 474 if (extv[SPD_EXT_PROTO] != NULL) { 475 struct spd_proto *pr = 476 (struct spd_proto *)extv[SPD_EXT_PROTO]; 477 sel->ipsl_proto = pr->spd_proto_number; 478 sel->ipsl_valid |= IPSL_PROTOCOL; 479 } 480 if (extv[SPD_EXT_LCLPORT] != NULL) { 481 struct spd_portrange *pr = 482 (struct spd_portrange *)extv[SPD_EXT_LCLPORT]; 483 sel->ipsl_lport = pr->spd_ports_minport; 484 sel->ipsl_valid |= IPSL_LOCAL_PORT; 485 } 486 if (extv[SPD_EXT_REMPORT] != NULL) { 487 struct spd_portrange *pr = 488 (struct spd_portrange *)extv[SPD_EXT_REMPORT]; 489 sel->ipsl_rport = pr->spd_ports_minport; 490 sel->ipsl_valid |= IPSL_REMOTE_PORT; 491 } 492 493 if (extv[SPD_EXT_ICMP_TYPECODE] != NULL) { 494 struct spd_typecode *tc= 495 (struct spd_typecode *)extv[SPD_EXT_ICMP_TYPECODE]; 496 497 sel->ipsl_valid |= IPSL_ICMP_TYPE; 498 sel->ipsl_icmp_type = tc->spd_typecode_type; 499 if (tc->spd_typecode_type_end < tc->spd_typecode_type) 500 sel->ipsl_icmp_type_end = tc->spd_typecode_type; 501 else 502 sel->ipsl_icmp_type_end = tc->spd_typecode_type_end; 503 504 if (tc->spd_typecode_code != 255) { 505 sel->ipsl_valid |= IPSL_ICMP_CODE; 506 sel->ipsl_icmp_code = tc->spd_typecode_code; 507 if (tc->spd_typecode_code_end < tc->spd_typecode_code) 508 sel->ipsl_icmp_code_end = tc->spd_typecode_code; 509 else 510 sel->ipsl_icmp_code_end = 511 tc->spd_typecode_code_end; 512 } 513 } 514 #define ADDR2SEL(sel, extv, field, pfield, extn, bit) \ 515 if ((extv)[(extn)] != NULL) { \ 516 uint_t addrlen; \ 517 struct spd_address *ap = \ 518 (struct spd_address *)((extv)[(extn)]); \ 519 addrlen = (ap->spd_address_af == AF_INET6) ? \ 520 IPV6_ADDR_LEN : IP_ADDR_LEN; \ 521 if (SPD_64TO8(ap->spd_address_len) < \ 522 (addrlen + sizeof (*ap))) { \ 523 *diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN; \ 524 return (B_FALSE); \ 525 } \ 526 bcopy((ap+1), &((sel)->field), addrlen); \ 527 (sel)->pfield = ap->spd_address_prefixlen; \ 528 (sel)->ipsl_valid |= (bit); \ 529 (sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ? \ 530 IPSL_IPV6 : IPSL_IPV4; \ 531 } 532 533 ADDR2SEL(sel, extv, ipsl_local, ipsl_local_pfxlen, 534 SPD_EXT_LCLADDR, IPSL_LOCAL_ADDR); 535 ADDR2SEL(sel, extv, ipsl_remote, ipsl_remote_pfxlen, 536 SPD_EXT_REMADDR, IPSL_REMOTE_ADDR); 537 538 if ((sel->ipsl_valid & (IPSL_IPV6|IPSL_IPV4)) == 539 (IPSL_IPV6|IPSL_IPV4)) { 540 *diag = SPD_DIAGNOSTIC_MIXED_AF; 541 return (B_FALSE); 542 } 543 544 #undef ADDR2SEL 545 546 return (B_TRUE); 547 } 548 549 static boolean_t 550 spd_convert_type(uint32_t type, ipsec_act_t *act) 551 { 552 switch (type) { 553 case SPD_ACTTYPE_DROP: 554 act->ipa_type = IPSEC_ACT_DISCARD; 555 return (B_TRUE); 556 557 case SPD_ACTTYPE_PASS: 558 act->ipa_type = IPSEC_ACT_CLEAR; 559 return (B_TRUE); 560 561 case SPD_ACTTYPE_IPSEC: 562 act->ipa_type = IPSEC_ACT_APPLY; 563 return (B_TRUE); 564 } 565 return (B_FALSE); 566 } 567 568 static boolean_t 569 spd_convert_flags(uint32_t flags, ipsec_act_t *act) 570 { 571 /* 572 * Note use of !! for boolean canonicalization. 573 */ 574 act->ipa_apply.ipp_use_ah = !!(flags & SPD_APPLY_AH); 575 act->ipa_apply.ipp_use_esp = !!(flags & SPD_APPLY_ESP); 576 act->ipa_apply.ipp_use_espa = !!(flags & SPD_APPLY_ESPA); 577 act->ipa_apply.ipp_use_se = !!(flags & SPD_APPLY_SE); 578 act->ipa_apply.ipp_use_unique = !!(flags & SPD_APPLY_UNIQUE); 579 return (B_TRUE); 580 } 581 582 static void 583 spdsock_reset_act(ipsec_act_t *act) 584 { 585 bzero(act, sizeof (*act)); 586 act->ipa_apply.ipp_espe_maxbits = IPSEC_MAX_KEYBITS; 587 act->ipa_apply.ipp_espa_maxbits = IPSEC_MAX_KEYBITS; 588 act->ipa_apply.ipp_ah_maxbits = IPSEC_MAX_KEYBITS; 589 } 590 591 /* 592 * Sanity check action against reality, and shrink-wrap key sizes.. 593 */ 594 static boolean_t 595 spdsock_check_action(ipsec_act_t *act, int *diag) 596 { 597 if ((act->ipa_type != IPSEC_ACT_APPLY) && 598 (act->ipa_apply.ipp_use_ah || 599 act->ipa_apply.ipp_use_esp || 600 act->ipa_apply.ipp_use_espa || 601 act->ipa_apply.ipp_use_se || 602 act->ipa_apply.ipp_use_unique)) { 603 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 604 return (B_FALSE); 605 } 606 if ((act->ipa_type == IPSEC_ACT_APPLY) && 607 !act->ipa_apply.ipp_use_ah && 608 !act->ipa_apply.ipp_use_esp) { 609 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 610 return (B_FALSE); 611 } 612 return (ipsec_check_action(act, diag)); 613 } 614 615 /* 616 * We may be short a few error checks here.. 617 */ 618 static boolean_t 619 spdsock_ext_to_actvec(spd_ext_t **extv, ipsec_act_t **actpp, uint_t *nactp, 620 int *diag) 621 { 622 struct spd_ext_actions *sactp = 623 (struct spd_ext_actions *)extv[SPD_EXT_ACTION]; 624 ipsec_act_t act, *actp, *endactp; 625 struct spd_attribute *attrp, *endattrp; 626 uint64_t *endp; 627 int nact; 628 629 *actpp = NULL; 630 *nactp = 0; 631 632 if (sactp == NULL) { 633 *diag = SPD_DIAGNOSTIC_NO_ACTION_EXT; 634 return (B_FALSE); 635 } 636 637 /* 638 * Parse the "action" extension and convert into an action chain. 639 */ 640 641 nact = sactp->spd_actions_count; 642 643 endp = (uint64_t *)sactp; 644 endp += sactp->spd_actions_len; 645 endattrp = (struct spd_attribute *)endp; 646 647 actp = kmem_alloc(sizeof (*actp) * nact, KM_NOSLEEP); 648 if (actp == NULL) { 649 *diag = SPD_DIAGNOSTIC_ADD_NO_MEM; 650 return (B_FALSE); 651 } 652 *actpp = actp; 653 *nactp = nact; 654 endactp = actp + nact; 655 656 spdsock_reset_act(&act); 657 attrp = (struct spd_attribute *)(&sactp[1]); 658 659 for (; attrp < endattrp; attrp++) { 660 switch (attrp->spd_attr_tag) { 661 case SPD_ATTR_NOP: 662 break; 663 664 case SPD_ATTR_EMPTY: 665 spdsock_reset_act(&act); 666 break; 667 668 case SPD_ATTR_END: 669 attrp = endattrp; 670 /* FALLTHRU */ 671 case SPD_ATTR_NEXT: 672 if (actp >= endactp) { 673 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT; 674 goto fail; 675 } 676 if (!spdsock_check_action(&act, diag)) 677 goto fail; 678 *actp++ = act; 679 break; 680 681 case SPD_ATTR_TYPE: 682 if (!spd_convert_type(attrp->spd_attr_value, &act)) { 683 *diag = SPD_DIAGNOSTIC_ADD_BAD_TYPE; 684 goto fail; 685 } 686 break; 687 688 case SPD_ATTR_FLAGS: 689 if (!spd_convert_flags(attrp->spd_attr_value, &act)) { 690 *diag = SPD_DIAGNOSTIC_ADD_BAD_FLAGS; 691 goto fail; 692 } 693 break; 694 695 case SPD_ATTR_AH_AUTH: 696 act.ipa_apply.ipp_auth_alg = attrp->spd_attr_value; 697 break; 698 699 case SPD_ATTR_ESP_ENCR: 700 act.ipa_apply.ipp_encr_alg = attrp->spd_attr_value; 701 break; 702 703 case SPD_ATTR_ESP_AUTH: 704 act.ipa_apply.ipp_esp_auth_alg = attrp->spd_attr_value; 705 break; 706 707 case SPD_ATTR_ENCR_MINBITS: 708 act.ipa_apply.ipp_espe_minbits = attrp->spd_attr_value; 709 break; 710 711 case SPD_ATTR_ENCR_MAXBITS: 712 act.ipa_apply.ipp_espe_maxbits = attrp->spd_attr_value; 713 break; 714 715 case SPD_ATTR_AH_MINBITS: 716 act.ipa_apply.ipp_ah_minbits = attrp->spd_attr_value; 717 break; 718 719 case SPD_ATTR_AH_MAXBITS: 720 act.ipa_apply.ipp_ah_maxbits = attrp->spd_attr_value; 721 break; 722 723 case SPD_ATTR_ESPA_MINBITS: 724 act.ipa_apply.ipp_espa_minbits = attrp->spd_attr_value; 725 break; 726 727 case SPD_ATTR_ESPA_MAXBITS: 728 act.ipa_apply.ipp_espa_maxbits = attrp->spd_attr_value; 729 break; 730 731 case SPD_ATTR_LIFE_SOFT_TIME: 732 case SPD_ATTR_LIFE_HARD_TIME: 733 case SPD_ATTR_LIFE_SOFT_BYTES: 734 case SPD_ATTR_LIFE_HARD_BYTES: 735 break; 736 737 case SPD_ATTR_KM_PROTO: 738 act.ipa_apply.ipp_km_proto = attrp->spd_attr_value; 739 break; 740 741 case SPD_ATTR_KM_COOKIE: 742 act.ipa_apply.ipp_km_cookie = attrp->spd_attr_value; 743 break; 744 745 case SPD_ATTR_REPLAY_DEPTH: 746 act.ipa_apply.ipp_replay_depth = attrp->spd_attr_value; 747 break; 748 } 749 } 750 if (actp != endactp) { 751 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT; 752 goto fail; 753 } 754 755 return (B_TRUE); 756 fail: 757 ipsec_actvec_free(*actpp, nact); 758 *actpp = NULL; 759 return (B_FALSE); 760 } 761 762 typedef struct 763 { 764 ipsec_policy_t *pol; 765 int dir; 766 } tmprule_t; 767 768 static int 769 mkrule(ipsec_policy_head_t *iph, struct spd_rule *rule, 770 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t af, 771 tmprule_t **rp) 772 { 773 ipsec_policy_t *pol; 774 775 sel->ipsl_valid &= ~(IPSL_IPV6|IPSL_IPV4); 776 sel->ipsl_valid |= af; 777 778 pol = ipsec_policy_create(sel, actp, nact, rule->spd_rule_priority); 779 if (pol == NULL) 780 return (ENOMEM); 781 782 (*rp)->pol = pol; 783 (*rp)->dir = dir; 784 (*rp)++; 785 786 if (!ipsec_check_policy(iph, pol, dir)) 787 return (EEXIST); 788 789 rule->spd_rule_index = pol->ipsp_index; 790 return (0); 791 } 792 793 static int 794 mkrulepair(ipsec_policy_head_t *iph, struct spd_rule *rule, 795 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t afs, 796 tmprule_t **rp) 797 { 798 int error; 799 800 if (afs & IPSL_IPV4) { 801 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV4, rp); 802 if (error != 0) 803 return (error); 804 } 805 if (afs & IPSL_IPV6) { 806 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV6, rp); 807 if (error != 0) 808 return (error); 809 } 810 return (0); 811 } 812 813 814 static void 815 spdsock_addrule(queue_t *q, ipsec_policy_head_t *iph, 816 mblk_t *mp, spd_ext_t **extv) 817 { 818 ipsec_selkey_t sel; 819 ipsec_act_t *actp; 820 uint_t nact; 821 int diag, error, afs; 822 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE]; 823 tmprule_t rules[4], *rulep = &rules[0]; 824 825 if (rule == NULL) { 826 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT); 827 return; 828 } 829 830 if (rule->spd_rule_index != 0) { 831 spdsock_diag(q, mp, SPD_DIAGNOSTIC_INVALID_RULE_INDEX); 832 return; 833 } 834 835 if (!spdsock_ext_to_sel(extv, &sel, &diag)) { 836 spdsock_diag(q, mp, diag); 837 return; 838 } 839 840 if (!spdsock_ext_to_actvec(extv, &actp, &nact, &diag)) { 841 spdsock_diag(q, mp, diag); 842 return; 843 } 844 /* 845 * If no addresses were specified, add both. 846 */ 847 afs = sel.ipsl_valid & (IPSL_IPV6|IPSL_IPV4); 848 if (afs == 0) 849 afs = (IPSL_IPV6|IPSL_IPV4); 850 851 rw_enter(&iph->iph_lock, RW_WRITER); 852 853 if (rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) { 854 error = mkrulepair(iph, rule, &sel, actp, nact, 855 IPSEC_TYPE_OUTBOUND, afs, &rulep); 856 if (error != 0) 857 goto fail; 858 } 859 860 if (rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) { 861 error = mkrulepair(iph, rule, &sel, actp, nact, 862 IPSEC_TYPE_INBOUND, afs, &rulep); 863 if (error != 0) 864 goto fail; 865 } 866 867 while ((--rulep) >= &rules[0]) 868 ipsec_enter_policy(iph, rulep->pol, rulep->dir); 869 870 rw_exit(&iph->iph_lock); 871 872 ipsec_actvec_free(actp, nact); 873 spd_echo(q, mp); 874 return; 875 876 fail: 877 rw_exit(&iph->iph_lock); 878 while ((--rulep) >= &rules[0]) { 879 IPPOL_REFRELE(rulep->pol); 880 } 881 ipsec_actvec_free(actp, nact); 882 spdsock_error(q, mp, error, 0); 883 } 884 885 void 886 spdsock_deleterule(queue_t *q, ipsec_policy_head_t *iph, 887 mblk_t *mp, spd_ext_t **extv) 888 { 889 ipsec_selkey_t sel; 890 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE]; 891 int diag; 892 893 if (rule == NULL) { 894 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT); 895 return; 896 } 897 898 if (rule->spd_rule_index != 0) { 899 if (ipsec_policy_delete_index(iph, rule->spd_rule_index) != 0) { 900 spdsock_error(q, mp, ESRCH, 0); 901 return; 902 } 903 } else { 904 if (!spdsock_ext_to_sel(extv, &sel, &diag)) { 905 spdsock_diag(q, mp, diag); 906 return; 907 } 908 909 if (rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) { 910 if (!ipsec_policy_delete(iph, &sel, 911 IPSEC_TYPE_INBOUND)) 912 goto fail; 913 } 914 915 if (rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) { 916 if (!ipsec_policy_delete(iph, &sel, 917 IPSEC_TYPE_OUTBOUND)) 918 goto fail; 919 } 920 } 921 spd_echo(q, mp); 922 return; 923 fail: 924 spdsock_error(q, mp, ESRCH, 0); 925 } 926 927 void 928 spdsock_flip(queue_t *q, mblk_t *mp) 929 { 930 ipsec_swap_policy(); /* can't fail */ 931 spd_echo(q, mp); 932 } 933 934 /* 935 * Unimplemented feature 936 */ 937 /* ARGSUSED */ 938 static void 939 spdsock_lookup(queue_t *q, ipsec_policy_head_t *iph, 940 mblk_t *mp, spd_ext_t **extv) 941 { 942 spdsock_error(q, mp, EINVAL, 0); 943 } 944 945 946 static mblk_t * 947 spdsock_dump_ruleset(mblk_t *req, ipsec_policy_head_t *iph, 948 uint32_t count, uint16_t error) 949 { 950 size_t len = sizeof (spd_ruleset_ext_t) + sizeof (spd_msg_t); 951 spd_msg_t *msg; 952 spd_ruleset_ext_t *ruleset; 953 mblk_t *m = allocb(len, BPRI_HI); 954 955 ASSERT(RW_READ_HELD(&iph->iph_lock)); 956 957 if (m == NULL) { 958 return (NULL); 959 } 960 msg = (spd_msg_t *)m->b_rptr; 961 ruleset = (spd_ruleset_ext_t *)(&msg[1]); 962 963 m->b_wptr = (uint8_t *)&ruleset[1]; 964 965 *msg = *(spd_msg_t *)(req->b_rptr); 966 msg->spd_msg_len = SPD_8TO64(len); 967 msg->spd_msg_errno = error; 968 969 ruleset->spd_ruleset_len = SPD_8TO64(sizeof (*ruleset)); 970 ruleset->spd_ruleset_type = SPD_EXT_RULESET; 971 ruleset->spd_ruleset_count = count; 972 ruleset->spd_ruleset_version = iph->iph_gen; 973 return (m); 974 } 975 976 static mblk_t * 977 spdsock_dump_finish(spdsock_t *ss, int error) 978 { 979 mblk_t *m; 980 ipsec_policy_head_t *iph = ss->spdsock_dump_head; 981 mblk_t *req = ss->spdsock_dump_req; 982 983 rw_enter(&iph->iph_lock, RW_READER); 984 m = spdsock_dump_ruleset(req, iph, ss->spdsock_dump_count, error); 985 rw_exit(&iph->iph_lock); 986 987 ss->spdsock_dump_req = NULL; 988 freemsg(req); 989 990 return (m); 991 } 992 993 /* 994 * Rule encoding functions. 995 * We do a two-pass encode. 996 * If base != NULL, fill in encoded rule part starting at base+offset. 997 * Always return "offset" plus length of to-be-encoded data. 998 */ 999 static uint_t 1000 spdsock_encode_typecode(uint8_t *base, uint_t offset, uint8_t type, 1001 uint8_t type_end, uint8_t code, uint8_t code_end) 1002 { 1003 struct spd_typecode *tcp; 1004 1005 ASSERT(ALIGNED64(offset)); 1006 1007 if (base != NULL) { 1008 tcp = (struct spd_typecode *)(base + offset); 1009 tcp->spd_typecode_len = SPD_8TO64(sizeof (*tcp)); 1010 tcp->spd_typecode_exttype = SPD_EXT_ICMP_TYPECODE; 1011 tcp->spd_typecode_code = code; 1012 tcp->spd_typecode_type = type; 1013 tcp->spd_typecode_type_end = type_end; 1014 tcp->spd_typecode_code_end = code_end; 1015 } 1016 offset += sizeof (*tcp); 1017 1018 ASSERT(ALIGNED64(offset)); 1019 1020 return (offset); 1021 } 1022 1023 static uint_t 1024 spdsock_encode_proto(uint8_t *base, uint_t offset, uint8_t proto) 1025 { 1026 struct spd_proto *spp; 1027 1028 ASSERT(ALIGNED64(offset)); 1029 1030 if (base != NULL) { 1031 spp = (struct spd_proto *)(base + offset); 1032 spp->spd_proto_len = SPD_8TO64(sizeof (*spp)); 1033 spp->spd_proto_exttype = SPD_EXT_PROTO; 1034 spp->spd_proto_number = proto; 1035 spp->spd_proto_reserved1 = 0; 1036 spp->spd_proto_reserved2 = 0; 1037 } 1038 offset += sizeof (*spp); 1039 1040 ASSERT(ALIGNED64(offset)); 1041 1042 return (offset); 1043 } 1044 1045 static uint_t 1046 spdsock_encode_port(uint8_t *base, uint_t offset, uint16_t ext, uint16_t port) 1047 { 1048 struct spd_portrange *spp; 1049 1050 ASSERT(ALIGNED64(offset)); 1051 1052 if (base != NULL) { 1053 spp = (struct spd_portrange *)(base + offset); 1054 spp->spd_ports_len = SPD_8TO64(sizeof (*spp)); 1055 spp->spd_ports_exttype = ext; 1056 spp->spd_ports_minport = port; 1057 spp->spd_ports_maxport = port; 1058 } 1059 offset += sizeof (*spp); 1060 1061 ASSERT(ALIGNED64(offset)); 1062 1063 return (offset); 1064 } 1065 1066 static uint_t 1067 spdsock_encode_addr(uint8_t *base, uint_t offset, uint16_t ext, 1068 const ipsec_selkey_t *sel, const ipsec_addr_t *addr, uint_t pfxlen) 1069 { 1070 struct spd_address *sae; 1071 ipsec_addr_t *spdaddr; 1072 uint_t start = offset; 1073 uint_t addrlen; 1074 uint_t af; 1075 1076 if (sel->ipsl_valid & IPSL_IPV4) { 1077 af = AF_INET; 1078 addrlen = IP_ADDR_LEN; 1079 } else { 1080 af = AF_INET6; 1081 addrlen = IPV6_ADDR_LEN; 1082 } 1083 1084 ASSERT(ALIGNED64(offset)); 1085 1086 if (base != NULL) { 1087 sae = (struct spd_address *)(base + offset); 1088 sae->spd_address_exttype = ext; 1089 sae->spd_address_af = af; 1090 sae->spd_address_prefixlen = pfxlen; 1091 sae->spd_address_reserved2 = 0; 1092 1093 spdaddr = (ipsec_addr_t *)(&sae[1]); 1094 bcopy(addr, spdaddr, addrlen); 1095 } 1096 offset += sizeof (*sae); 1097 addrlen = roundup(addrlen, sizeof (uint64_t)); 1098 offset += addrlen; 1099 1100 ASSERT(ALIGNED64(offset)); 1101 1102 if (base != NULL) 1103 sae->spd_address_len = SPD_8TO64(offset - start); 1104 return (offset); 1105 } 1106 1107 static uint_t 1108 spdsock_encode_sel(uint8_t *base, uint_t offset, const ipsec_sel_t *sel) 1109 { 1110 const ipsec_selkey_t *selkey = &sel->ipsl_key; 1111 1112 if (selkey->ipsl_valid & IPSL_PROTOCOL) 1113 offset = spdsock_encode_proto(base, offset, selkey->ipsl_proto); 1114 if (selkey->ipsl_valid & IPSL_LOCAL_PORT) 1115 offset = spdsock_encode_port(base, offset, SPD_EXT_LCLPORT, 1116 selkey->ipsl_lport); 1117 if (selkey->ipsl_valid & IPSL_REMOTE_PORT) 1118 offset = spdsock_encode_port(base, offset, SPD_EXT_REMPORT, 1119 selkey->ipsl_rport); 1120 if (selkey->ipsl_valid & IPSL_REMOTE_ADDR) 1121 offset = spdsock_encode_addr(base, offset, SPD_EXT_REMADDR, 1122 selkey, &selkey->ipsl_remote, selkey->ipsl_remote_pfxlen); 1123 if (selkey->ipsl_valid & IPSL_LOCAL_ADDR) 1124 offset = spdsock_encode_addr(base, offset, SPD_EXT_LCLADDR, 1125 selkey, &selkey->ipsl_local, selkey->ipsl_local_pfxlen); 1126 if (selkey->ipsl_valid & IPSL_ICMP_TYPE) { 1127 offset = spdsock_encode_typecode(base, offset, 1128 selkey->ipsl_icmp_type, selkey->ipsl_icmp_type_end, 1129 (selkey->ipsl_valid & IPSL_ICMP_CODE) ? 1130 selkey->ipsl_icmp_code : 255, 1131 (selkey->ipsl_valid & IPSL_ICMP_CODE) ? 1132 selkey->ipsl_icmp_code_end : 255); 1133 } 1134 return (offset); 1135 } 1136 1137 static uint_t 1138 spdsock_encode_actattr(uint8_t *base, uint_t offset, uint32_t tag, 1139 uint32_t value) 1140 { 1141 struct spd_attribute *attr; 1142 1143 ASSERT(ALIGNED64(offset)); 1144 1145 if (base != NULL) { 1146 attr = (struct spd_attribute *)(base + offset); 1147 attr->spd_attr_tag = tag; 1148 attr->spd_attr_value = value; 1149 } 1150 offset += sizeof (struct spd_attribute); 1151 1152 ASSERT(ALIGNED64(offset)); 1153 1154 return (offset); 1155 } 1156 1157 1158 #define EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v)) 1159 1160 static uint_t 1161 spdsock_encode_action(uint8_t *base, uint_t offset, const ipsec_action_t *ap) 1162 { 1163 const struct ipsec_act *act = &(ap->ipa_act); 1164 uint_t flags; 1165 1166 EMIT(SPD_ATTR_EMPTY, 0); 1167 switch (act->ipa_type) { 1168 case IPSEC_ACT_DISCARD: 1169 case IPSEC_ACT_REJECT: 1170 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_DROP); 1171 break; 1172 case IPSEC_ACT_BYPASS: 1173 case IPSEC_ACT_CLEAR: 1174 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_PASS); 1175 break; 1176 1177 case IPSEC_ACT_APPLY: 1178 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_IPSEC); 1179 flags = 0; 1180 if (act->ipa_apply.ipp_use_ah) 1181 flags |= SPD_APPLY_AH; 1182 if (act->ipa_apply.ipp_use_esp) 1183 flags |= SPD_APPLY_ESP; 1184 if (act->ipa_apply.ipp_use_espa) 1185 flags |= SPD_APPLY_ESPA; 1186 if (act->ipa_apply.ipp_use_se) 1187 flags |= SPD_APPLY_SE; 1188 if (act->ipa_apply.ipp_use_unique) 1189 flags |= SPD_APPLY_UNIQUE; 1190 EMIT(SPD_ATTR_FLAGS, flags); 1191 if (flags & SPD_APPLY_AH) { 1192 EMIT(SPD_ATTR_AH_AUTH, act->ipa_apply.ipp_auth_alg); 1193 EMIT(SPD_ATTR_AH_MINBITS, 1194 act->ipa_apply.ipp_ah_minbits); 1195 EMIT(SPD_ATTR_AH_MAXBITS, 1196 act->ipa_apply.ipp_ah_maxbits); 1197 } 1198 if (flags & SPD_APPLY_ESP) { 1199 EMIT(SPD_ATTR_ESP_ENCR, act->ipa_apply.ipp_encr_alg); 1200 EMIT(SPD_ATTR_ENCR_MINBITS, 1201 act->ipa_apply.ipp_espe_minbits); 1202 EMIT(SPD_ATTR_ENCR_MAXBITS, 1203 act->ipa_apply.ipp_espe_maxbits); 1204 if (flags & SPD_APPLY_ESPA) { 1205 EMIT(SPD_ATTR_ESP_AUTH, 1206 act->ipa_apply.ipp_esp_auth_alg); 1207 EMIT(SPD_ATTR_ESPA_MINBITS, 1208 act->ipa_apply.ipp_espa_minbits); 1209 EMIT(SPD_ATTR_ESPA_MAXBITS, 1210 act->ipa_apply.ipp_espa_maxbits); 1211 } 1212 } 1213 if (act->ipa_apply.ipp_km_proto != 0) 1214 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_proto); 1215 if (act->ipa_apply.ipp_km_cookie != 0) 1216 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_cookie); 1217 if (act->ipa_apply.ipp_replay_depth != 0) 1218 EMIT(SPD_ATTR_REPLAY_DEPTH, 1219 act->ipa_apply.ipp_replay_depth); 1220 /* Add more here */ 1221 break; 1222 } 1223 1224 return (offset); 1225 } 1226 1227 static uint_t 1228 spdsock_encode_action_list(uint8_t *base, uint_t offset, 1229 const ipsec_action_t *ap) 1230 { 1231 struct spd_ext_actions *act; 1232 uint_t nact = 0; 1233 uint_t start = offset; 1234 1235 ASSERT(ALIGNED64(offset)); 1236 1237 if (base != NULL) { 1238 act = (struct spd_ext_actions *)(base + offset); 1239 act->spd_actions_len = 0; 1240 act->spd_actions_exttype = SPD_EXT_ACTION; 1241 act->spd_actions_count = 0; 1242 act->spd_actions_reserved = 0; 1243 } 1244 1245 offset += sizeof (*act); 1246 1247 ASSERT(ALIGNED64(offset)); 1248 1249 while (ap != NULL) { 1250 offset = spdsock_encode_action(base, offset, ap); 1251 ap = ap->ipa_next; 1252 nact++; 1253 if (ap != NULL) { 1254 EMIT(SPD_ATTR_NEXT, 0); 1255 } 1256 } 1257 EMIT(SPD_ATTR_END, 0); 1258 1259 ASSERT(ALIGNED64(offset)); 1260 1261 if (base != NULL) { 1262 act->spd_actions_count = nact; 1263 act->spd_actions_len = SPD_8TO64(offset - start); 1264 } 1265 1266 return (offset); 1267 } 1268 1269 #undef EMIT 1270 1271 /* ARGSUSED */ 1272 static uint_t 1273 spdsock_rule_flags(uint_t dir, uint_t af) 1274 { 1275 uint_t flags = 0; 1276 1277 if (dir == IPSEC_TYPE_INBOUND) 1278 flags |= SPD_RULE_FLAG_INBOUND; 1279 if (dir == IPSEC_TYPE_OUTBOUND) 1280 flags |= SPD_RULE_FLAG_OUTBOUND; 1281 1282 return (flags); 1283 } 1284 1285 1286 static uint_t 1287 spdsock_encode_rule_head(uint8_t *base, uint_t offset, 1288 spd_msg_t *req, const ipsec_policy_t *rule, uint_t dir, uint_t af) 1289 { 1290 struct spd_msg *spmsg; 1291 struct spd_rule *spr; 1292 1293 uint_t start = offset; 1294 1295 ASSERT(ALIGNED64(offset)); 1296 1297 if (base != NULL) { 1298 spmsg = (struct spd_msg *)(base + offset); 1299 bzero(spmsg, sizeof (*spmsg)); 1300 spmsg->spd_msg_version = PF_POLICY_V1; 1301 spmsg->spd_msg_type = SPD_DUMP; 1302 spmsg->spd_msg_seq = req->spd_msg_seq; 1303 spmsg->spd_msg_pid = req->spd_msg_pid; 1304 } 1305 offset += sizeof (struct spd_msg); 1306 1307 ASSERT(ALIGNED64(offset)); 1308 1309 if (base != NULL) { 1310 spr = (struct spd_rule *)(base + offset); 1311 spr->spd_rule_type = SPD_EXT_RULE; 1312 spr->spd_rule_priority = rule->ipsp_prio; 1313 spr->spd_rule_flags = spdsock_rule_flags(dir, af); 1314 spr->spd_rule_unused = 0; 1315 spr->spd_rule_len = SPD_8TO64(sizeof (*spr)); 1316 spr->spd_rule_index = rule->ipsp_index; 1317 } 1318 offset += sizeof (struct spd_rule); 1319 offset = spdsock_encode_sel(base, offset, rule->ipsp_sel); 1320 offset = spdsock_encode_action_list(base, offset, rule->ipsp_act); 1321 1322 ASSERT(ALIGNED64(offset)); 1323 1324 if (base != NULL) { 1325 spmsg->spd_msg_len = SPD_8TO64(offset - start); 1326 } 1327 return (offset); 1328 } 1329 1330 /* ARGSUSED */ 1331 static mblk_t * 1332 spdsock_encode_rule(mblk_t *req, const ipsec_policy_t *rule, 1333 uint_t dir, uint_t af) 1334 { 1335 mblk_t *m; 1336 uint_t len; 1337 spd_msg_t *mreq = (spd_msg_t *)req->b_rptr; 1338 1339 /* 1340 * Figure out how much space we'll need. 1341 */ 1342 len = spdsock_encode_rule_head(NULL, 0, mreq, rule, dir, af); 1343 1344 /* 1345 * Allocate mblk. 1346 */ 1347 m = allocb(len, BPRI_HI); 1348 if (m == NULL) 1349 return (NULL); 1350 1351 /* 1352 * Fill it in.. 1353 */ 1354 m->b_wptr = m->b_rptr + len; 1355 bzero(m->b_rptr, len); 1356 (void) spdsock_encode_rule_head(m->b_rptr, 0, mreq, rule, dir, af); 1357 return (m); 1358 } 1359 1360 static ipsec_policy_t * 1361 spdsock_dump_next_in_chain(spdsock_t *ss, ipsec_policy_head_t *iph, 1362 ipsec_policy_t *cur) 1363 { 1364 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1365 1366 ss->spdsock_dump_count++; 1367 ss->spdsock_dump_cur_rule = cur->ipsp_hash.hash_next; 1368 return (cur); 1369 } 1370 1371 static ipsec_policy_t * 1372 spdsock_dump_next_rule(spdsock_t *ss, ipsec_policy_head_t *iph) 1373 { 1374 ipsec_policy_t *cur; 1375 ipsec_policy_root_t *ipr; 1376 int chain, nchains, type, af; 1377 1378 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1379 1380 cur = ss->spdsock_dump_cur_rule; 1381 1382 if (cur != NULL) 1383 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1384 1385 type = ss->spdsock_dump_cur_type; 1386 1387 next: 1388 chain = ss->spdsock_dump_cur_chain; 1389 ipr = &iph->iph_root[type]; 1390 nchains = ipr->ipr_nchains; 1391 1392 while (chain < nchains) { 1393 cur = ipr->ipr_hash[chain].hash_head; 1394 chain++; 1395 if (cur != NULL) { 1396 ss->spdsock_dump_cur_chain = chain; 1397 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1398 } 1399 } 1400 ss->spdsock_dump_cur_chain = nchains; 1401 1402 af = ss->spdsock_dump_cur_af; 1403 while (af < IPSEC_NAF) { 1404 cur = ipr->ipr_nonhash[af]; 1405 af++; 1406 if (cur != NULL) { 1407 ss->spdsock_dump_cur_af = af; 1408 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1409 } 1410 } 1411 1412 type++; 1413 if (type >= IPSEC_NTYPES) 1414 return (NULL); 1415 1416 ss->spdsock_dump_cur_chain = 0; 1417 ss->spdsock_dump_cur_type = type; 1418 ss->spdsock_dump_cur_af = IPSEC_AF_V4; 1419 goto next; 1420 1421 } 1422 1423 static mblk_t * 1424 spdsock_dump_next_record(spdsock_t *ss) 1425 { 1426 ipsec_policy_head_t *iph; 1427 ipsec_policy_t *rule; 1428 mblk_t *m; 1429 mblk_t *req = ss->spdsock_dump_req; 1430 1431 iph = ss->spdsock_dump_head; 1432 1433 ASSERT(iph != NULL); 1434 1435 rw_enter(&iph->iph_lock, RW_READER); 1436 1437 if (iph->iph_gen != ss->spdsock_dump_gen) { 1438 rw_exit(&iph->iph_lock); 1439 return (spdsock_dump_finish(ss, EAGAIN)); 1440 } 1441 1442 rule = spdsock_dump_next_rule(ss, iph); 1443 1444 if (!rule) { 1445 rw_exit(&iph->iph_lock); 1446 return (spdsock_dump_finish(ss, 0)); 1447 } 1448 1449 m = spdsock_encode_rule(req, rule, ss->spdsock_dump_cur_type, 1450 ss->spdsock_dump_cur_af); 1451 rw_exit(&iph->iph_lock); 1452 1453 if (m == NULL) 1454 return (spdsock_dump_finish(ss, ENOMEM)); 1455 return (m); 1456 } 1457 1458 /* 1459 * Dump records until we run into flow-control back-pressure. 1460 */ 1461 static void 1462 spdsock_dump_some(queue_t *q, spdsock_t *ss) 1463 { 1464 mblk_t *m, *dataind; 1465 1466 while ((ss->spdsock_dump_req != NULL) && canputnext(q)) { 1467 m = spdsock_dump_next_record(ss); 1468 if (m == NULL) 1469 return; 1470 dataind = allocb(sizeof (struct T_data_req), BPRI_HI); 1471 if (dataind == NULL) { 1472 freemsg(m); 1473 return; 1474 } 1475 dataind->b_cont = m; 1476 dataind->b_wptr += sizeof (struct T_data_req); 1477 ((struct T_data_ind *)dataind->b_rptr)->PRIM_type = T_DATA_IND; 1478 ((struct T_data_ind *)dataind->b_rptr)->MORE_flag = 0; 1479 dataind->b_datap->db_type = M_PROTO; 1480 putnext(q, dataind); 1481 } 1482 } 1483 1484 /* 1485 * Start dumping. 1486 * Format a start-of-dump record, and set up the stream and kick the rsrv 1487 * procedure to continue the job.. 1488 */ 1489 /* ARGSUSED */ 1490 static void 1491 spdsock_dump(queue_t *q, ipsec_policy_head_t *iph, 1492 mblk_t *mp, spd_ext_t **extv) 1493 { 1494 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1495 mblk_t *mr; 1496 1497 rw_enter(&iph->iph_lock, RW_READER); 1498 1499 mr = spdsock_dump_ruleset(mp, iph, 0, 0); 1500 1501 if (!mr) { 1502 rw_exit(&iph->iph_lock); 1503 spdsock_error(q, mp, ENOMEM, 0); 1504 return; 1505 } 1506 1507 ss->spdsock_dump_req = mp; 1508 ss->spdsock_dump_head = iph; 1509 ss->spdsock_dump_gen = iph->iph_gen; 1510 ss->spdsock_dump_cur_type = 0; 1511 ss->spdsock_dump_cur_af = IPSEC_AF_V4; 1512 ss->spdsock_dump_cur_rule = iph->iph_root[0].ipr_nonhash[IPSEC_AF_V4]; 1513 ss->spdsock_dump_count = 0; 1514 ss->spdsock_dump_cur_chain = 0; 1515 rw_exit(&iph->iph_lock); 1516 1517 qreply(q, mr); 1518 qenable(OTHERQ(q)); 1519 } 1520 1521 void 1522 spdsock_clone(queue_t *q, mblk_t *mp) 1523 { 1524 int error = ipsec_clone_system_policy(); 1525 if (error != 0) 1526 spdsock_error(q, mp, error, 0); 1527 else 1528 spd_echo(q, mp); 1529 } 1530 1531 /* 1532 * Process a SPD_ALGLIST request. The caller expects separate alg entries 1533 * for AH authentication, ESP authentication, and ESP encryption. 1534 * The same distinction is then used when setting the min and max key 1535 * sizes when defining policies. 1536 */ 1537 1538 #define SPDSOCK_AH_AUTH 0 1539 #define SPDSOCK_ESP_AUTH 1 1540 #define SPDSOCK_ESP_ENCR 2 1541 #define SPDSOCK_NTYPES 3 1542 1543 static const uint_t algattr[SPDSOCK_NTYPES] = { 1544 SPD_ATTR_AH_AUTH, 1545 SPD_ATTR_ESP_AUTH, 1546 SPD_ATTR_ESP_ENCR 1547 }; 1548 static const uint_t minbitsattr[SPDSOCK_NTYPES] = { 1549 SPD_ATTR_AH_MINBITS, 1550 SPD_ATTR_ESPA_MINBITS, 1551 SPD_ATTR_ENCR_MINBITS 1552 }; 1553 static const uint_t maxbitsattr[SPDSOCK_NTYPES] = { 1554 SPD_ATTR_AH_MAXBITS, 1555 SPD_ATTR_ESPA_MAXBITS, 1556 SPD_ATTR_ENCR_MAXBITS 1557 }; 1558 static const uint_t defbitsattr[SPDSOCK_NTYPES] = { 1559 SPD_ATTR_AH_DEFBITS, 1560 SPD_ATTR_ESPA_DEFBITS, 1561 SPD_ATTR_ENCR_DEFBITS 1562 }; 1563 static const uint_t incrbitsattr[SPDSOCK_NTYPES] = { 1564 SPD_ATTR_AH_INCRBITS, 1565 SPD_ATTR_ESPA_INCRBITS, 1566 SPD_ATTR_ENCR_INCRBITS 1567 }; 1568 1569 #define ATTRPERALG 6 /* fixed attributes per algs */ 1570 1571 void 1572 spdsock_alglist(queue_t *q, mblk_t *mp) 1573 { 1574 uint_t algtype; 1575 uint_t algidx; 1576 uint_t algcount; 1577 uint_t size; 1578 mblk_t *m; 1579 uint8_t *cur; 1580 spd_msg_t *msg; 1581 struct spd_ext_actions *act; 1582 struct spd_attribute *attr; 1583 1584 mutex_enter(&alg_lock); 1585 1586 /* 1587 * The SPD client expects to receive separate entries for 1588 * AH authentication and ESP authentication supported algorithms. 1589 * 1590 * Don't return the "any" algorithms, if defined, as no 1591 * kernel policies can be set for these algorithms. 1592 */ 1593 algcount = 2 * ipsec_nalgs[IPSEC_ALG_AUTH] + 1594 ipsec_nalgs[IPSEC_ALG_ENCR]; 1595 1596 if (ipsec_alglists[IPSEC_ALG_AUTH][SADB_AALG_NONE] != NULL) 1597 algcount--; 1598 if (ipsec_alglists[IPSEC_ALG_ENCR][SADB_EALG_NONE] != NULL) 1599 algcount--; 1600 1601 /* 1602 * For each algorithm, we encode: 1603 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT} 1604 */ 1605 1606 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions) + 1607 ATTRPERALG * sizeof (struct spd_attribute) * algcount; 1608 1609 ASSERT(ALIGNED64(size)); 1610 1611 m = allocb(size, BPRI_HI); 1612 if (m == NULL) { 1613 mutex_exit(&alg_lock); 1614 spdsock_error(q, mp, ENOMEM, 0); 1615 return; 1616 } 1617 1618 m->b_wptr = m->b_rptr + size; 1619 cur = m->b_rptr; 1620 1621 msg = (spd_msg_t *)cur; 1622 bcopy(mp->b_rptr, cur, sizeof (*msg)); 1623 1624 msg->spd_msg_len = SPD_8TO64(size); 1625 msg->spd_msg_errno = 0; 1626 msg->spd_msg_diagnostic = 0; 1627 1628 cur += sizeof (*msg); 1629 1630 act = (struct spd_ext_actions *)cur; 1631 cur += sizeof (*act); 1632 1633 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t)); 1634 act->spd_actions_exttype = SPD_EXT_ACTION; 1635 act->spd_actions_count = algcount; 1636 act->spd_actions_reserved = 0; 1637 1638 attr = (struct spd_attribute *)cur; 1639 1640 #define EMIT(tag, value) { \ 1641 attr->spd_attr_tag = (tag); \ 1642 attr->spd_attr_value = (value); \ 1643 attr++; \ 1644 } 1645 1646 /* 1647 * If you change the number of EMIT's here, change 1648 * ATTRPERALG above to match 1649 */ 1650 #define EMITALGATTRS(_type) { \ 1651 EMIT(algattr[_type], algid); /* 1 */ \ 1652 EMIT(minbitsattr[_type], minbits); /* 2 */ \ 1653 EMIT(maxbitsattr[_type], maxbits); /* 3 */ \ 1654 EMIT(defbitsattr[_type], defbits); /* 4 */ \ 1655 EMIT(incrbitsattr[_type], incr); /* 5 */ \ 1656 EMIT(SPD_ATTR_NEXT, 0); /* 6 */ \ 1657 } 1658 1659 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 1660 for (algidx = 0; algidx < ipsec_nalgs[algtype]; algidx++) { 1661 int algid = ipsec_sortlist[algtype][algidx]; 1662 ipsec_alginfo_t *alg = ipsec_alglists[algtype][algid]; 1663 uint_t minbits = alg->alg_minbits; 1664 uint_t maxbits = alg->alg_maxbits; 1665 uint_t defbits = alg->alg_default_bits; 1666 uint_t incr = alg->alg_increment; 1667 1668 if (algtype == IPSEC_ALG_AUTH) { 1669 if (algid == SADB_AALG_NONE) 1670 continue; 1671 EMITALGATTRS(SPDSOCK_AH_AUTH); 1672 EMITALGATTRS(SPDSOCK_ESP_AUTH); 1673 } else { 1674 if (algid == SADB_EALG_NONE) 1675 continue; 1676 ASSERT(algtype == IPSEC_ALG_ENCR); 1677 EMITALGATTRS(SPDSOCK_ESP_ENCR); 1678 } 1679 } 1680 } 1681 1682 mutex_exit(&alg_lock); 1683 1684 #undef EMITALGATTRS 1685 #undef EMIT 1686 #undef ATTRPERALG 1687 1688 attr--; 1689 attr->spd_attr_tag = SPD_ATTR_END; 1690 1691 freemsg(mp); 1692 qreply(q, m); 1693 } 1694 1695 /* 1696 * Process a SPD_DUMPALGS request. 1697 */ 1698 1699 #define ATTRPERALG 7 /* fixed attributes per algs */ 1700 1701 void 1702 spdsock_dumpalgs(queue_t *q, mblk_t *mp) 1703 { 1704 uint_t algtype; 1705 uint_t algidx; 1706 uint_t size; 1707 mblk_t *m; 1708 uint8_t *cur; 1709 spd_msg_t *msg; 1710 struct spd_ext_actions *act; 1711 struct spd_attribute *attr; 1712 ipsec_alginfo_t *alg; 1713 uint_t algid; 1714 uint_t i; 1715 uint_t alg_size; 1716 1717 mutex_enter(&alg_lock); 1718 1719 /* 1720 * For each algorithm, we encode: 1721 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT} 1722 * 1723 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE* 1724 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_MECHNAME / {END, NEXT} 1725 */ 1726 1727 /* 1728 * Compute the size of the SPD message. 1729 */ 1730 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions); 1731 1732 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 1733 for (algidx = 0; algidx < ipsec_nalgs[algtype]; algidx++) { 1734 algid = ipsec_sortlist[algtype][algidx]; 1735 alg = ipsec_alglists[algtype][algid]; 1736 alg_size = sizeof (struct spd_attribute) * 1737 (ATTRPERALG + alg->alg_nkey_sizes + 1738 alg->alg_nblock_sizes) + CRYPTO_MAX_MECH_NAME; 1739 size += alg_size; 1740 } 1741 } 1742 1743 ASSERT(ALIGNED64(size)); 1744 1745 m = allocb(size, BPRI_HI); 1746 if (m == NULL) { 1747 mutex_exit(&alg_lock); 1748 spdsock_error(q, mp, ENOMEM, 0); 1749 return; 1750 } 1751 1752 m->b_wptr = m->b_rptr + size; 1753 cur = m->b_rptr; 1754 1755 msg = (spd_msg_t *)cur; 1756 bcopy(mp->b_rptr, cur, sizeof (*msg)); 1757 1758 msg->spd_msg_len = SPD_8TO64(size); 1759 msg->spd_msg_errno = 0; 1760 msg->spd_msg_diagnostic = 0; 1761 1762 cur += sizeof (*msg); 1763 1764 act = (struct spd_ext_actions *)cur; 1765 cur += sizeof (*act); 1766 1767 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t)); 1768 act->spd_actions_exttype = SPD_EXT_ACTION; 1769 act->spd_actions_count = ipsec_nalgs[IPSEC_ALG_AUTH] + 1770 ipsec_nalgs[IPSEC_ALG_ENCR]; 1771 act->spd_actions_reserved = 0; 1772 1773 attr = (struct spd_attribute *)cur; 1774 1775 #define EMIT(tag, value) { \ 1776 attr->spd_attr_tag = (tag); \ 1777 attr->spd_attr_value = (value); \ 1778 attr++; \ 1779 } 1780 1781 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 1782 for (algidx = 0; algidx < ipsec_nalgs[algtype]; algidx++) { 1783 1784 algid = ipsec_sortlist[algtype][algidx]; 1785 alg = ipsec_alglists[algtype][algid]; 1786 1787 /* 1788 * If you change the number of EMIT's here, change 1789 * ATTRPERALG above to match 1790 */ 1791 EMIT(SPD_ATTR_ALG_ID, algid); 1792 EMIT(SPD_ATTR_ALG_PROTO, algproto[algtype]); 1793 EMIT(SPD_ATTR_ALG_INCRBITS, alg->alg_increment); 1794 1795 EMIT(SPD_ATTR_ALG_NKEYSIZES, alg->alg_nkey_sizes); 1796 for (i = 0; i < alg->alg_nkey_sizes; i++) 1797 EMIT(SPD_ATTR_ALG_KEYSIZE, 1798 alg->alg_key_sizes[i]); 1799 1800 EMIT(SPD_ATTR_ALG_NBLOCKSIZES, alg->alg_nblock_sizes); 1801 for (i = 0; i < alg->alg_nblock_sizes; i++) 1802 EMIT(SPD_ATTR_ALG_BLOCKSIZE, 1803 alg->alg_block_sizes[i]); 1804 1805 EMIT(SPD_ATTR_ALG_MECHNAME, CRYPTO_MAX_MECH_NAME); 1806 bcopy(alg->alg_mech_name, attr, CRYPTO_MAX_MECH_NAME); 1807 attr = (struct spd_attribute *)((char *)attr + 1808 CRYPTO_MAX_MECH_NAME); 1809 1810 EMIT(SPD_ATTR_NEXT, 0); 1811 } 1812 } 1813 1814 mutex_exit(&alg_lock); 1815 1816 #undef EMITALGATTRS 1817 #undef EMIT 1818 #undef ATTRPERALG 1819 1820 attr--; 1821 attr->spd_attr_tag = SPD_ATTR_END; 1822 1823 freemsg(mp); 1824 qreply(q, m); 1825 } 1826 1827 /* 1828 * Do the actual work of processing an SPD_UPDATEALGS request. Can 1829 * be invoked either once IPsec is loaded on a cached request, or 1830 * when a request is received while IPsec is loaded. 1831 */ 1832 static void 1833 spdsock_do_updatealg(spd_ext_t *extv[], int *diag) 1834 { 1835 struct spd_ext_actions *actp; 1836 struct spd_attribute *attr, *endattr; 1837 uint64_t *start, *end; 1838 ipsec_alginfo_t *alg = NULL; 1839 ipsec_algtype_t alg_type = 0; 1840 boolean_t skip_alg = B_TRUE, doing_proto = B_FALSE; 1841 uint_t i, cur_key, cur_block, algid; 1842 1843 *diag = -1; 1844 ASSERT(MUTEX_HELD(&spdsock_alg_lock)); 1845 1846 /* parse the message, building the list of algorithms */ 1847 1848 actp = (struct spd_ext_actions *)extv[SPD_EXT_ACTION]; 1849 if (actp == NULL) { 1850 *diag = SPD_DIAGNOSTIC_NO_ACTION_EXT; 1851 return; 1852 } 1853 1854 start = (uint64_t *)actp; 1855 end = (start + actp->spd_actions_len); 1856 endattr = (struct spd_attribute *)end; 1857 attr = (struct spd_attribute *)&actp[1]; 1858 1859 bzero(spdsock_algs, IPSEC_NALGTYPES * IPSEC_MAX_ALGS * 1860 sizeof (ipsec_alginfo_t *)); 1861 1862 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP); 1863 1864 #define ALG_KEY_SIZES(a) (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t)) 1865 #define ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t)) 1866 1867 while (attr < endattr) { 1868 switch (attr->spd_attr_tag) { 1869 case SPD_ATTR_NOP: 1870 case SPD_ATTR_EMPTY: 1871 break; 1872 case SPD_ATTR_END: 1873 attr = endattr; 1874 /* FALLTHRU */ 1875 case SPD_ATTR_NEXT: 1876 if (doing_proto) { 1877 doing_proto = B_FALSE; 1878 break; 1879 } 1880 if (skip_alg) { 1881 ipsec_alg_free(alg); 1882 } else { 1883 ipsec_alg_free( 1884 spdsock_algs[alg_type][alg->alg_id]); 1885 spdsock_algs[alg_type][alg->alg_id] = alg; 1886 } 1887 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP); 1888 break; 1889 1890 case SPD_ATTR_ALG_ID: 1891 if (attr->spd_attr_value >= IPSEC_MAX_ALGS) { 1892 ss1dbg(("spdsock_do_updatealg: " 1893 "invalid alg id %d\n", 1894 attr->spd_attr_value)); 1895 *diag = SPD_DIAGNOSTIC_ALG_ID_RANGE; 1896 goto bail; 1897 } 1898 alg->alg_id = attr->spd_attr_value; 1899 break; 1900 1901 case SPD_ATTR_ALG_PROTO: 1902 /* find the alg type */ 1903 for (i = 0; i < NALGPROTOS; i++) 1904 if (algproto[i] == attr->spd_attr_value) 1905 break; 1906 skip_alg = (i == NALGPROTOS); 1907 if (!skip_alg) 1908 alg_type = i; 1909 break; 1910 1911 case SPD_ATTR_ALG_INCRBITS: 1912 alg->alg_increment = attr->spd_attr_value; 1913 break; 1914 1915 case SPD_ATTR_ALG_NKEYSIZES: 1916 if (alg->alg_key_sizes != NULL) { 1917 kmem_free(alg->alg_key_sizes, 1918 ALG_KEY_SIZES(alg)); 1919 } 1920 alg->alg_nkey_sizes = attr->spd_attr_value; 1921 /* 1922 * Allocate room for the trailing zero key size 1923 * value as well. 1924 */ 1925 alg->alg_key_sizes = kmem_zalloc(ALG_KEY_SIZES(alg), 1926 KM_SLEEP); 1927 cur_key = 0; 1928 break; 1929 1930 case SPD_ATTR_ALG_KEYSIZE: 1931 if (alg->alg_key_sizes == NULL || 1932 cur_key >= alg->alg_nkey_sizes) { 1933 ss1dbg(("spdsock_do_updatealg: " 1934 "too many key sizes\n")); 1935 *diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES; 1936 goto bail; 1937 } 1938 alg->alg_key_sizes[cur_key++] = attr->spd_attr_value; 1939 break; 1940 1941 case SPD_ATTR_ALG_NBLOCKSIZES: 1942 if (alg->alg_block_sizes != NULL) { 1943 kmem_free(alg->alg_block_sizes, 1944 ALG_BLOCK_SIZES(alg)); 1945 } 1946 alg->alg_nblock_sizes = attr->spd_attr_value; 1947 /* 1948 * Allocate room for the trailing zero block size 1949 * value as well. 1950 */ 1951 alg->alg_block_sizes = kmem_zalloc(ALG_BLOCK_SIZES(alg), 1952 KM_SLEEP); 1953 cur_block = 0; 1954 break; 1955 1956 case SPD_ATTR_ALG_BLOCKSIZE: 1957 if (alg->alg_block_sizes == NULL || 1958 cur_block >= alg->alg_nblock_sizes) { 1959 ss1dbg(("spdsock_do_updatealg: " 1960 "too many block sizes\n")); 1961 *diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES; 1962 goto bail; 1963 } 1964 alg->alg_block_sizes[cur_block++] = 1965 attr->spd_attr_value; 1966 break; 1967 1968 case SPD_ATTR_ALG_MECHNAME: { 1969 char *mech_name; 1970 1971 if (attr->spd_attr_value > CRYPTO_MAX_MECH_NAME) { 1972 ss1dbg(("spdsock_do_updatealg: " 1973 "mech name too long\n")); 1974 *diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN; 1975 goto bail; 1976 } 1977 mech_name = (char *)(attr + 1); 1978 bcopy(mech_name, alg->alg_mech_name, 1979 attr->spd_attr_value); 1980 alg->alg_mech_name[CRYPTO_MAX_MECH_NAME-1] = '\0'; 1981 attr = (struct spd_attribute *)((char *)attr + 1982 attr->spd_attr_value); 1983 break; 1984 } 1985 1986 case SPD_ATTR_PROTO_ID: 1987 doing_proto = B_TRUE; 1988 for (i = 0; i < NALGPROTOS; i++) { 1989 if (algproto[i] == attr->spd_attr_value) { 1990 alg_type = i; 1991 break; 1992 } 1993 } 1994 break; 1995 1996 case SPD_ATTR_PROTO_EXEC_MODE: 1997 if (!doing_proto) 1998 break; 1999 for (i = 0; i < NEXECMODES; i++) { 2000 if (execmodes[i] == attr->spd_attr_value) { 2001 spdsock_algs_exec_mode[alg_type] = i; 2002 break; 2003 } 2004 } 2005 break; 2006 } 2007 attr++; 2008 } 2009 2010 #undef ALG_KEY_SIZES 2011 #undef ALG_BLOCK_SIZES 2012 2013 /* update the algorithm tables */ 2014 spdsock_merge_algs(); 2015 bail: 2016 /* cleanup */ 2017 ipsec_alg_free(alg); 2018 for (alg_type = 0; alg_type < IPSEC_NALGTYPES; alg_type++) 2019 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) 2020 if (spdsock_algs[alg_type][algid] != NULL) 2021 ipsec_alg_free(spdsock_algs[alg_type][algid]); 2022 } 2023 2024 /* 2025 * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue 2026 * the request until IPsec loads. If IPsec is loaded, act on it 2027 * immediately. 2028 */ 2029 2030 static void 2031 spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[]) 2032 { 2033 if (!ipsec_loaded()) { 2034 /* 2035 * IPsec is not loaded, save request and return nicely, 2036 * the message will be processed once IPsec loads. 2037 */ 2038 mblk_t *new_mp; 2039 2040 /* last update message wins */ 2041 if ((new_mp = copymsg(mp)) == NULL) { 2042 spdsock_error(q, mp, ENOMEM, 0); 2043 return; 2044 } 2045 mutex_enter(&spdsock_alg_lock); 2046 bcopy(extv, spdsock_extv_algs, 2047 sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1)); 2048 if (spdsock_mp_algs != NULL) 2049 freemsg(spdsock_mp_algs); 2050 spdsock_mp_algs = mp; 2051 spdsock_algs_pending = B_TRUE; 2052 mutex_exit(&spdsock_alg_lock); 2053 2054 spd_echo(q, new_mp); 2055 } else { 2056 /* 2057 * IPsec is loaded, act on the message immediately. 2058 */ 2059 int diag; 2060 2061 mutex_enter(&spdsock_alg_lock); 2062 spdsock_do_updatealg(extv, &diag); 2063 mutex_exit(&spdsock_alg_lock); 2064 if (diag == -1) 2065 spd_echo(q, mp); 2066 else 2067 spdsock_diag(q, mp, diag); 2068 } 2069 } 2070 2071 static void 2072 spdsock_parse(queue_t *q, mblk_t *mp) 2073 { 2074 spd_msg_t *spmsg; 2075 spd_ext_t *extv[SPD_EXT_MAX + 1]; 2076 uint_t msgsize; 2077 ipsec_policy_head_t *iph; 2078 2079 /* Make sure nothing's below me. */ 2080 ASSERT(WR(q)->q_next == NULL); 2081 2082 spmsg = (spd_msg_t *)mp->b_rptr; 2083 2084 msgsize = SPD_64TO8(spmsg->spd_msg_len); 2085 2086 if (msgdsize(mp) != msgsize) { 2087 /* 2088 * Message len incorrect w.r.t. actual size. Send an error 2089 * (EMSGSIZE). It may be necessary to massage things a 2090 * bit. For example, if the spd_msg_type is hosed, 2091 * I need to set it to SPD_RESERVED to get delivery to 2092 * do the right thing. Then again, maybe just letting 2093 * the error delivery do the right thing. 2094 */ 2095 ss2dbg(("mblk (%lu) and base (%d) message sizes don't jibe.\n", 2096 msgdsize(mp), msgsize)); 2097 spdsock_error(q, mp, EMSGSIZE, SPD_DIAGNOSTIC_NONE); 2098 return; 2099 } 2100 2101 if (msgsize > (uint_t)(mp->b_wptr - mp->b_rptr)) { 2102 2103 /* Get all message into one mblk. */ 2104 if (pullupmsg(mp, -1) == 0) { 2105 /* 2106 * Something screwy happened. 2107 */ 2108 ss3dbg(("spdsock_parse: pullupmsg() failed.\n")); 2109 return; 2110 } else { 2111 spmsg = (spd_msg_t *)mp->b_rptr; 2112 } 2113 } 2114 2115 switch (spdsock_get_ext(extv, spmsg, msgsize)) { 2116 case KGE_DUP: 2117 /* Handle duplicate extension. */ 2118 ss1dbg(("Got duplicate extension of type %d.\n", 2119 extv[0]->spd_ext_type)); 2120 spdsock_diag(q, mp, dup_ext_diag[extv[0]->spd_ext_type]); 2121 return; 2122 case KGE_UNK: 2123 /* Handle unknown extension. */ 2124 ss1dbg(("Got unknown extension of type %d.\n", 2125 extv[0]->spd_ext_type)); 2126 spdsock_diag(q, mp, SPD_DIAGNOSTIC_UNKNOWN_EXT); 2127 return; 2128 case KGE_LEN: 2129 /* Length error. */ 2130 ss1dbg(("Length %d on extension type %d overrun or 0.\n", 2131 extv[0]->spd_ext_len, extv[0]->spd_ext_type)); 2132 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_EXTLEN); 2133 return; 2134 case KGE_CHK: 2135 /* Reality check failed. */ 2136 ss1dbg(("Reality check failed on extension type %d.\n", 2137 extv[0]->spd_ext_type)); 2138 spdsock_diag(q, mp, bad_ext_diag[extv[0]->spd_ext_type]); 2139 return; 2140 default: 2141 /* Default case is no errors. */ 2142 break; 2143 } 2144 2145 /* 2146 * Which rule set are we operating on today? 2147 */ 2148 2149 switch (spmsg->spd_msg_spdid) { 2150 case SPD_ACTIVE: 2151 iph = ipsec_system_policy(); 2152 break; 2153 2154 case SPD_STANDBY: 2155 iph = ipsec_inactive_policy(); 2156 break; 2157 2158 default: 2159 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_SPDID); 2160 return; 2161 } 2162 2163 /* 2164 * Special-case SPD_UPDATEALGS so as not to load IPsec. 2165 */ 2166 if (!ipsec_loaded() && spmsg->spd_msg_type != SPD_UPDATEALGS) { 2167 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2168 2169 ASSERT(ss != NULL); 2170 ipsec_loader_loadnow(); 2171 ss->spdsock_timeout_arg = mp; 2172 ss->spdsock_timeout = qtimeout(q, spdsock_loadcheck, 2173 q, LOADCHECK_INTERVAL); 2174 return; 2175 } 2176 2177 switch (spmsg->spd_msg_type) { 2178 case SPD_UPDATEALGS: 2179 spdsock_updatealg(q, mp, extv); 2180 return; 2181 case SPD_FLUSH: 2182 spdsock_flush(q, iph, mp, extv); 2183 return; 2184 2185 case SPD_ADDRULE: 2186 spdsock_addrule(q, iph, mp, extv); 2187 return; 2188 2189 case SPD_DELETERULE: 2190 spdsock_deleterule(q, iph, mp, extv); 2191 return; 2192 2193 case SPD_FLIP: 2194 spdsock_flip(q, mp); 2195 return; 2196 2197 case SPD_LOOKUP: 2198 spdsock_lookup(q, iph, mp, extv); 2199 return; 2200 2201 case SPD_DUMP: 2202 spdsock_dump(q, iph, mp, extv); 2203 return; 2204 2205 case SPD_CLONE: 2206 spdsock_clone(q, mp); 2207 return; 2208 2209 case SPD_ALGLIST: 2210 spdsock_alglist(q, mp); 2211 return; 2212 2213 case SPD_DUMPALGS: 2214 spdsock_dumpalgs(q, mp); 2215 return; 2216 2217 default: 2218 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_MSG_TYPE); 2219 return; 2220 } 2221 } 2222 2223 /* 2224 * If an algorithm mapping was received before IPsec was loaded, process it. 2225 * Called from the IPsec loader. 2226 */ 2227 void 2228 spdsock_update_pending_algs(void) 2229 { 2230 mutex_enter(&spdsock_alg_lock); 2231 if (spdsock_algs_pending) { 2232 int diag; 2233 spdsock_do_updatealg(spdsock_extv_algs, &diag); 2234 spdsock_algs_pending = B_FALSE; 2235 } 2236 mutex_exit(&spdsock_alg_lock); 2237 } 2238 2239 static void 2240 spdsock_loadcheck(void *arg) 2241 { 2242 queue_t *q = (queue_t *)arg; 2243 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2244 mblk_t *mp; 2245 2246 ASSERT(ss != NULL); 2247 2248 ss->spdsock_timeout = 0; 2249 mp = ss->spdsock_timeout_arg; 2250 ASSERT(mp != NULL); 2251 ss->spdsock_timeout_arg = NULL; 2252 if (ipsec_failed()) 2253 spdsock_error(q, mp, EPROTONOSUPPORT, 0); 2254 else 2255 spdsock_parse(q, mp); 2256 } 2257 2258 /* 2259 * Copy relevant state bits. 2260 */ 2261 static void 2262 spdsock_copy_info(struct T_info_ack *tap, spdsock_t *ss) 2263 { 2264 *tap = spdsock_g_t_info_ack; 2265 tap->CURRENT_state = ss->spdsock_state; 2266 tap->OPT_size = spdsock_max_optsize; 2267 } 2268 2269 /* 2270 * This routine responds to T_CAPABILITY_REQ messages. It is called by 2271 * spdsock_wput. Much of the T_CAPABILITY_ACK information is copied from 2272 * spdsock_g_t_info_ack. The current state of the stream is copied from 2273 * spdsock_state. 2274 */ 2275 static void 2276 spdsock_capability_req(queue_t *q, mblk_t *mp) 2277 { 2278 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2279 t_uscalar_t cap_bits1; 2280 struct T_capability_ack *tcap; 2281 2282 cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1; 2283 2284 mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack), 2285 mp->b_datap->db_type, T_CAPABILITY_ACK); 2286 if (mp == NULL) 2287 return; 2288 2289 tcap = (struct T_capability_ack *)mp->b_rptr; 2290 tcap->CAP_bits1 = 0; 2291 2292 if (cap_bits1 & TC1_INFO) { 2293 spdsock_copy_info(&tcap->INFO_ack, ss); 2294 tcap->CAP_bits1 |= TC1_INFO; 2295 } 2296 2297 qreply(q, mp); 2298 } 2299 2300 /* 2301 * This routine responds to T_INFO_REQ messages. It is called by 2302 * spdsock_wput_other. 2303 * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack. 2304 * The current state of the stream is copied from spdsock_state. 2305 */ 2306 static void 2307 spdsock_info_req(q, mp) 2308 queue_t *q; 2309 mblk_t *mp; 2310 { 2311 mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO, 2312 T_INFO_ACK); 2313 if (mp == NULL) 2314 return; 2315 spdsock_copy_info((struct T_info_ack *)mp->b_rptr, 2316 (spdsock_t *)q->q_ptr); 2317 qreply(q, mp); 2318 } 2319 2320 /* 2321 * spdsock_err_ack. This routine creates a 2322 * T_ERROR_ACK message and passes it 2323 * upstream. 2324 */ 2325 static void 2326 spdsock_err_ack(q, mp, t_error, sys_error) 2327 queue_t *q; 2328 mblk_t *mp; 2329 int t_error; 2330 int sys_error; 2331 { 2332 if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL) 2333 qreply(q, mp); 2334 } 2335 2336 /* 2337 * This routine retrieves the current status of socket options. 2338 * It returns the size of the option retrieved. 2339 */ 2340 /* ARGSUSED */ 2341 int 2342 spdsock_opt_get(queue_t *q, int level, int name, uchar_t *ptr) 2343 { 2344 int *i1 = (int *)ptr; 2345 2346 switch (level) { 2347 case SOL_SOCKET: 2348 switch (name) { 2349 case SO_TYPE: 2350 *i1 = SOCK_RAW; 2351 break; 2352 /* 2353 * The following two items can be manipulated, 2354 * but changing them should do nothing. 2355 */ 2356 case SO_SNDBUF: 2357 *i1 = (int)q->q_hiwat; 2358 break; 2359 case SO_RCVBUF: 2360 *i1 = (int)(RD(q)->q_hiwat); 2361 break; 2362 } 2363 break; 2364 default: 2365 return (0); 2366 } 2367 return (sizeof (int)); 2368 } 2369 2370 /* 2371 * This routine sets socket options. 2372 */ 2373 /* ARGSUSED */ 2374 int 2375 spdsock_opt_set(queue_t *q, uint_t mgmt_flags, int level, int name, 2376 uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp, 2377 void *thisdg_attrs, cred_t *cr, mblk_t *mblk) 2378 { 2379 int *i1 = (int *)invalp; 2380 2381 switch (level) { 2382 case SOL_SOCKET: 2383 switch (name) { 2384 case SO_SNDBUF: 2385 if (*i1 > spdsock_max_buf) 2386 return (ENOBUFS); 2387 q->q_hiwat = *i1; 2388 break; 2389 case SO_RCVBUF: 2390 if (*i1 > spdsock_max_buf) 2391 return (ENOBUFS); 2392 RD(q)->q_hiwat = *i1; 2393 (void) mi_set_sth_hiwat(RD(q), *i1); 2394 break; 2395 } 2396 break; 2397 } 2398 return (0); 2399 } 2400 2401 2402 /* 2403 * Handle STREAMS messages. 2404 */ 2405 static void 2406 spdsock_wput_other(queue_t *q, mblk_t *mp) 2407 { 2408 struct iocblk *iocp; 2409 int error; 2410 2411 switch (mp->b_datap->db_type) { 2412 case M_PROTO: 2413 case M_PCPROTO: 2414 if ((mp->b_wptr - mp->b_rptr) < sizeof (long)) { 2415 ss3dbg(( 2416 "spdsock_wput_other: Not big enough M_PROTO\n")); 2417 freemsg(mp); 2418 return; 2419 } 2420 switch (((union T_primitives *)mp->b_rptr)->type) { 2421 case T_CAPABILITY_REQ: 2422 spdsock_capability_req(q, mp); 2423 return; 2424 case T_INFO_REQ: 2425 spdsock_info_req(q, mp); 2426 return; 2427 case T_SVR4_OPTMGMT_REQ: 2428 (void) svr4_optcom_req(q, mp, DB_CREDDEF(mp, kcred), 2429 &spdsock_opt_obj); 2430 return; 2431 case T_OPTMGMT_REQ: 2432 (void) tpi_optcom_req(q, mp, DB_CREDDEF(mp, kcred), 2433 &spdsock_opt_obj); 2434 return; 2435 case T_DATA_REQ: 2436 case T_EXDATA_REQ: 2437 case T_ORDREL_REQ: 2438 /* Illegal for spdsock. */ 2439 freemsg(mp); 2440 (void) putnextctl1(RD(q), M_ERROR, EPROTO); 2441 return; 2442 default: 2443 /* Not supported by spdsock. */ 2444 spdsock_err_ack(q, mp, TNOTSUPPORT, 0); 2445 return; 2446 } 2447 case M_IOCTL: 2448 iocp = (struct iocblk *)mp->b_rptr; 2449 error = EINVAL; 2450 2451 switch (iocp->ioc_cmd) { 2452 case ND_SET: 2453 case ND_GET: 2454 if (nd_getset(q, spdsock_g_nd, mp)) { 2455 qreply(q, mp); 2456 return; 2457 } else 2458 error = ENOENT; 2459 /* FALLTHRU */ 2460 default: 2461 miocnak(q, mp, 0, error); 2462 return; 2463 } 2464 case M_FLUSH: 2465 if (*mp->b_rptr & FLUSHW) { 2466 flushq(q, FLUSHALL); 2467 *mp->b_rptr &= ~FLUSHW; 2468 } 2469 if (*mp->b_rptr & FLUSHR) { 2470 qreply(q, mp); 2471 return; 2472 } 2473 /* Else FALLTHRU */ 2474 } 2475 2476 /* If fell through, just black-hole the message. */ 2477 freemsg(mp); 2478 } 2479 2480 static void 2481 spdsock_wput(queue_t *q, mblk_t *mp) 2482 { 2483 uint8_t *rptr = mp->b_rptr; 2484 mblk_t *mp1; 2485 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2486 2487 /* 2488 * If we're dumping, defer processing other messages until the 2489 * dump completes. 2490 */ 2491 if (ss->spdsock_dump_req != NULL) { 2492 if (!putq(q, mp)) 2493 freemsg(mp); 2494 return; 2495 } 2496 2497 switch (mp->b_datap->db_type) { 2498 case M_DATA: 2499 /* 2500 * Silently discard. 2501 */ 2502 ss2dbg(("raw M_DATA in spdsock.\n")); 2503 freemsg(mp); 2504 return; 2505 case M_PROTO: 2506 case M_PCPROTO: 2507 if ((mp->b_wptr - rptr) >= sizeof (struct T_data_req)) { 2508 if (((union T_primitives *)rptr)->type == T_DATA_REQ) { 2509 if ((mp1 = mp->b_cont) == NULL) { 2510 /* No data after T_DATA_REQ. */ 2511 ss2dbg(("No data after DATA_REQ.\n")); 2512 freemsg(mp); 2513 return; 2514 } 2515 freeb(mp); 2516 mp = mp1; 2517 ss2dbg(("T_DATA_REQ\n")); 2518 break; /* Out of switch. */ 2519 } 2520 } 2521 /* FALLTHRU */ 2522 default: 2523 ss3dbg(("In default wput case (%d %d).\n", 2524 mp->b_datap->db_type, ((union T_primitives *)rptr)->type)); 2525 spdsock_wput_other(q, mp); 2526 return; 2527 } 2528 2529 /* I now have a PF_POLICY message in an M_DATA block. */ 2530 spdsock_parse(q, mp); 2531 } 2532 2533 /* 2534 * Device open procedure, called when new queue pair created. 2535 * We are passed the read-side queue. 2536 */ 2537 /* ARGSUSED */ 2538 static int 2539 spdsock_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp) 2540 { 2541 spdsock_t *ss; 2542 queue_t *oq = OTHERQ(q); 2543 minor_t ssminor; 2544 2545 if (secpolicy_net_config(credp, B_FALSE) != 0) 2546 return (EPERM); 2547 2548 if (q->q_ptr != NULL) 2549 return (0); /* Re-open of an already open instance. */ 2550 2551 if (sflag & MODOPEN) 2552 return (EINVAL); 2553 2554 ss2dbg(("Made it into PF_POLICY socket open.\n")); 2555 2556 ssminor = (minor_t)(uintptr_t)vmem_alloc(spdsock_vmem, 1, VM_NOSLEEP); 2557 if (ssminor == 0) 2558 return (ENOMEM); 2559 2560 ss = kmem_zalloc(sizeof (spdsock_t), KM_NOSLEEP); 2561 if (ss == NULL) { 2562 vmem_free(spdsock_vmem, (void *)(uintptr_t)ssminor, 1); 2563 return (ENOMEM); 2564 } 2565 2566 ss->spdsock_minor = ssminor; 2567 ss->spdsock_state = TS_UNBND; 2568 ss->spdsock_dump_req = NULL; 2569 2570 q->q_ptr = ss; 2571 oq->q_ptr = ss; 2572 2573 q->q_hiwat = spdsock_recv_hiwat; 2574 2575 oq->q_hiwat = spdsock_xmit_hiwat; 2576 oq->q_lowat = spdsock_xmit_lowat; 2577 2578 qprocson(q); 2579 (void) mi_set_sth_hiwat(q, spdsock_recv_hiwat); 2580 2581 *devp = makedevice(getmajor(*devp), ss->spdsock_minor); 2582 return (0); 2583 } 2584 2585 /* 2586 * Read-side service procedure, invoked when we get back-enabled 2587 * when buffer space becomes available. 2588 * 2589 * Dump another chunk if we were dumping before; when we finish, kick 2590 * the write-side queue in case it's waiting for read queue space. 2591 */ 2592 void 2593 spdsock_rsrv(queue_t *q) 2594 { 2595 spdsock_t *ss = q->q_ptr; 2596 2597 if (ss->spdsock_dump_req != NULL) 2598 spdsock_dump_some(q, ss); 2599 2600 if (ss->spdsock_dump_req == NULL) 2601 qenable(OTHERQ(q)); 2602 } 2603 2604 /* 2605 * Write-side service procedure, invoked when we defer processing 2606 * if another message is received while a dump is in progress. 2607 */ 2608 void 2609 spdsock_wsrv(queue_t *q) 2610 { 2611 spdsock_t *ss = q->q_ptr; 2612 mblk_t *mp; 2613 2614 if (ss->spdsock_dump_req != NULL) { 2615 qenable(OTHERQ(q)); 2616 return; 2617 } 2618 2619 while ((mp = getq(q)) != NULL) { 2620 if (ipsec_loaded()) { 2621 spdsock_wput(q, mp); 2622 if (ss->spdsock_dump_req != NULL) 2623 return; 2624 } else if (!ipsec_failed()) { 2625 (void) putq(q, mp); 2626 } else { 2627 spdsock_error(q, mp, EPFNOSUPPORT, 0); 2628 } 2629 } 2630 } 2631 2632 static int 2633 spdsock_close(queue_t *q) 2634 { 2635 spdsock_t *ss = q->q_ptr; 2636 2637 qprocsoff(q); 2638 2639 /* Safe assumption. */ 2640 ASSERT(ss != NULL); 2641 2642 if (ss->spdsock_timeout != 0) 2643 (void) quntimeout(q, ss->spdsock_timeout); 2644 2645 ss3dbg(("Driver close, PF_POLICY socket is going away.\n")); 2646 2647 vmem_free(spdsock_vmem, (void *)(uintptr_t)ss->spdsock_minor, 1); 2648 2649 kmem_free(ss, sizeof (spdsock_t)); 2650 return (0); 2651 } 2652 2653 /* 2654 * Merge the IPsec algorithms tables with the received algorithm information. 2655 */ 2656 void 2657 spdsock_merge_algs(void) 2658 { 2659 ipsec_alginfo_t *alg, *oalg; 2660 ipsec_algtype_t algtype; 2661 uint_t algidx, algid, nalgs; 2662 crypto_mech_name_t *mechs; 2663 uint_t mech_count, mech_idx; 2664 2665 ASSERT(MUTEX_HELD(&spdsock_alg_lock)); 2666 2667 /* 2668 * Get the list of supported mechanisms from the crypto framework. 2669 * If a mechanism is supported by KCF, resolve its mechanism 2670 * id and mark it as being valid. This operation must be done 2671 * without holding alg_lock, since it can cause a provider 2672 * module to be loaded and the provider notification callback to 2673 * be invoked. 2674 */ 2675 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP); 2676 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2677 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) { 2678 int algflags = 0; 2679 crypto_mech_type_t mt = CRYPTO_MECHANISM_INVALID; 2680 2681 if ((alg = spdsock_algs[algtype][algid]) == NULL) 2682 continue; 2683 2684 /* 2685 * The NULL encryption algorithm is a special 2686 * case because there are no mechanisms, yet 2687 * the algorithm is still valid. 2688 */ 2689 if (alg->alg_id == SADB_EALG_NULL) { 2690 alg->alg_mech_type = CRYPTO_MECHANISM_INVALID; 2691 alg->alg_flags = ALG_FLAG_VALID; 2692 continue; 2693 } 2694 2695 for (mech_idx = 0; mech_idx < mech_count; mech_idx++) { 2696 if (strncmp(alg->alg_mech_name, mechs[mech_idx], 2697 CRYPTO_MAX_MECH_NAME) == 0) { 2698 mt = crypto_mech2id(alg->alg_mech_name); 2699 ASSERT(mt != CRYPTO_MECHANISM_INVALID); 2700 algflags = ALG_FLAG_VALID; 2701 break; 2702 } 2703 } 2704 alg->alg_mech_type = mt; 2705 alg->alg_flags = algflags; 2706 } 2707 } 2708 2709 mutex_enter(&alg_lock); 2710 2711 /* 2712 * For each algorithm currently defined, check if it is 2713 * present in the new tables created from the SPD_UPDATEALGS 2714 * message received from user-space. 2715 * Delete the algorithm entries that are currently defined 2716 * but not part of the new tables. 2717 */ 2718 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2719 nalgs = ipsec_nalgs[algtype]; 2720 for (algidx = 0; algidx < nalgs; algidx++) { 2721 algid = ipsec_sortlist[algtype][algidx]; 2722 if (spdsock_algs[algtype][algid] == NULL) 2723 ipsec_alg_unreg(algtype, algid); 2724 } 2725 } 2726 2727 /* 2728 * For each algorithm we just received, check if it is 2729 * present in the currently defined tables. If it is, swap 2730 * the entry with the one we just allocated. 2731 * If the new algorithm is not in the current tables, 2732 * add it. 2733 */ 2734 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2735 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) { 2736 if ((alg = spdsock_algs[algtype][algid]) == NULL) 2737 continue; 2738 2739 if ((oalg = ipsec_alglists[algtype][algid]) == NULL) { 2740 /* 2741 * New algorithm, add it to the algorithm 2742 * table. 2743 */ 2744 ipsec_alg_reg(algtype, alg); 2745 } else { 2746 /* 2747 * Algorithm is already in the table. Swap 2748 * the existing entry with the new one. 2749 */ 2750 ipsec_alg_fix_min_max(alg, algtype); 2751 ipsec_alglists[algtype][algid] = alg; 2752 ipsec_alg_free(oalg); 2753 } 2754 spdsock_algs[algtype][algid] = NULL; 2755 } 2756 } 2757 2758 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) 2759 ipsec_algs_exec_mode[algtype] = spdsock_algs_exec_mode[algtype]; 2760 2761 mutex_exit(&alg_lock); 2762 2763 crypto_free_mech_list(mechs, mech_count); 2764 2765 ipsecah_algs_changed(); 2766 ipsecesp_algs_changed(); 2767 } 2768