1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved. 24 * Copyright 2019, Joyent, Inc. 25 */ 26 27 #include <sys/param.h> 28 #include <sys/types.h> 29 #include <sys/stream.h> 30 #include <sys/strsubr.h> 31 #include <sys/strsun.h> 32 #include <sys/stropts.h> 33 #include <sys/zone.h> 34 #include <sys/vnode.h> 35 #include <sys/sysmacros.h> 36 #define _SUN_TPI_VERSION 2 37 #include <sys/tihdr.h> 38 #include <sys/timod.h> 39 #include <sys/ddi.h> 40 #include <sys/sunddi.h> 41 #include <sys/mkdev.h> 42 #include <sys/debug.h> 43 #include <sys/kmem.h> 44 #include <sys/cmn_err.h> 45 #include <sys/suntpi.h> 46 #include <sys/policy.h> 47 #include <sys/dls.h> 48 49 #include <sys/socket.h> 50 #include <netinet/in.h> 51 #include <net/pfkeyv2.h> 52 #include <net/pfpolicy.h> 53 54 #include <inet/common.h> 55 #include <netinet/ip6.h> 56 #include <inet/ip.h> 57 #include <inet/ip6.h> 58 #include <inet/mi.h> 59 #include <inet/proto_set.h> 60 #include <inet/nd.h> 61 #include <inet/ip_if.h> 62 #include <inet/optcom.h> 63 #include <inet/ipsec_impl.h> 64 #include <inet/spdsock.h> 65 #include <inet/sadb.h> 66 #include <inet/iptun.h> 67 #include <inet/iptun/iptun_impl.h> 68 69 #include <sys/isa_defs.h> 70 71 #include <c2/audit.h> 72 73 /* 74 * This is a transport provider for the PF_POLICY IPsec policy 75 * management socket, which provides a management interface into the 76 * SPD, allowing policy rules to be added, deleted, and queried. 77 * 78 * This effectively replaces the old private SIOC*IPSECONFIG ioctls 79 * with an extensible interface which will hopefully be public some 80 * day. 81 * 82 * See <net/pfpolicy.h> for more details on the protocol. 83 * 84 * We link against drv/ip and call directly into it to manipulate the 85 * SPD; see ipsec_impl.h for the policy data structures and spd.c for 86 * the code which maintains them. 87 * 88 * The MT model of this is QPAIR with the addition of some explicit 89 * locking to protect system-wide policy data structures. 90 */ 91 92 static vmem_t *spdsock_vmem; /* for minor numbers. */ 93 94 #define ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t)) 95 96 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */ 97 static struct T_info_ack spdsock_g_t_info_ack = { 98 T_INFO_ACK, 99 T_INFINITE, /* TSDU_size. Maximum size messages. */ 100 T_INVALID, /* ETSDU_size. No expedited data. */ 101 T_INVALID, /* CDATA_size. No connect data. */ 102 T_INVALID, /* DDATA_size. No disconnect data. */ 103 0, /* ADDR_size. */ 104 0, /* OPT_size. No user-settable options */ 105 64 * 1024, /* TIDU_size. spdsock allows maximum size messages. */ 106 T_COTS, /* SERV_type. spdsock supports connection oriented. */ 107 TS_UNBND, /* CURRENT_state. This is set from spdsock_state. */ 108 (XPG4_1) /* Provider flags */ 109 }; 110 111 /* Named Dispatch Parameter Management Structure */ 112 typedef struct spdsockparam_s { 113 uint_t spdsock_param_min; 114 uint_t spdsock_param_max; 115 uint_t spdsock_param_value; 116 char *spdsock_param_name; 117 } spdsockparam_t; 118 119 /* 120 * Table of NDD variables supported by spdsock. These are loaded into 121 * spdsock_g_nd in spdsock_init_nd. 122 * All of these are alterable, within the min/max values given, at run time. 123 */ 124 static spdsockparam_t lcl_param_arr[] = { 125 /* min max value name */ 126 { 4096, 65536, 8192, "spdsock_xmit_hiwat"}, 127 { 0, 65536, 1024, "spdsock_xmit_lowat"}, 128 { 4096, 65536, 8192, "spdsock_recv_hiwat"}, 129 { 65536, 1024*1024*1024, 256*1024, "spdsock_max_buf"}, 130 { 0, 3, 0, "spdsock_debug"}, 131 }; 132 #define spds_xmit_hiwat spds_params[0].spdsock_param_value 133 #define spds_xmit_lowat spds_params[1].spdsock_param_value 134 #define spds_recv_hiwat spds_params[2].spdsock_param_value 135 #define spds_max_buf spds_params[3].spdsock_param_value 136 #define spds_debug spds_params[4].spdsock_param_value 137 138 #define ss0dbg(a) printf a 139 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */ 140 #define ss1dbg(spds, a) if (spds->spds_debug != 0) printf a 141 #define ss2dbg(spds, a) if (spds->spds_debug > 1) printf a 142 #define ss3dbg(spds, a) if (spds->spds_debug > 2) printf a 143 144 #define RESET_SPDSOCK_DUMP_POLHEAD(ss, iph) { \ 145 ASSERT(RW_READ_HELD(&(iph)->iph_lock)); \ 146 (ss)->spdsock_dump_head = (iph); \ 147 (ss)->spdsock_dump_gen = (iph)->iph_gen; \ 148 (ss)->spdsock_dump_cur_type = 0; \ 149 (ss)->spdsock_dump_cur_af = IPSEC_AF_V4; \ 150 (ss)->spdsock_dump_cur_rule = NULL; \ 151 (ss)->spdsock_dump_count = 0; \ 152 (ss)->spdsock_dump_cur_chain = 0; \ 153 } 154 155 static int spdsock_close(queue_t *, int, cred_t *); 156 static int spdsock_open(queue_t *, dev_t *, int, int, cred_t *); 157 static int spdsock_wput(queue_t *, mblk_t *); 158 static int spdsock_wsrv(queue_t *); 159 static int spdsock_rsrv(queue_t *); 160 static void *spdsock_stack_init(netstackid_t stackid, netstack_t *ns); 161 static void spdsock_stack_shutdown(netstackid_t stackid, void *arg); 162 static void spdsock_stack_fini(netstackid_t stackid, void *arg); 163 static void spdsock_loadcheck(void *); 164 static void spdsock_merge_algs(spd_stack_t *); 165 static void spdsock_flush_one(ipsec_policy_head_t *, netstack_t *); 166 static mblk_t *spdsock_dump_next_record(spdsock_t *); 167 static void update_iptun_policy(ipsec_tun_pol_t *); 168 169 static struct module_info info = { 170 5138, "spdsock", 1, INFPSZ, 512, 128 171 }; 172 173 static struct qinit rinit = { 174 NULL, spdsock_rsrv, spdsock_open, spdsock_close, 175 NULL, &info 176 }; 177 178 static struct qinit winit = { 179 spdsock_wput, spdsock_wsrv, NULL, NULL, NULL, &info 180 }; 181 182 struct streamtab spdsockinfo = { 183 &rinit, &winit 184 }; 185 186 /* mapping from alg type to protocol number, as per RFC 2407 */ 187 static const uint_t algproto[] = { 188 PROTO_IPSEC_AH, 189 PROTO_IPSEC_ESP, 190 }; 191 192 #define NALGPROTOS (sizeof (algproto) / sizeof (algproto[0])) 193 194 /* mapping from kernel exec mode to spdsock exec mode */ 195 static const uint_t execmodes[] = { 196 SPD_ALG_EXEC_MODE_SYNC, 197 SPD_ALG_EXEC_MODE_ASYNC 198 }; 199 200 #define NEXECMODES (sizeof (execmodes) / sizeof (execmodes[0])) 201 202 #define ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1) 203 #define ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2) 204 205 #define ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL) 206 207 /* ARGSUSED */ 208 static int 209 spdsock_param_get( 210 queue_t *q, 211 mblk_t *mp, 212 caddr_t cp, 213 cred_t *cr) 214 { 215 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp; 216 uint_t value; 217 spdsock_t *ss = (spdsock_t *)q->q_ptr; 218 spd_stack_t *spds = ss->spdsock_spds; 219 220 mutex_enter(&spds->spds_param_lock); 221 value = spdsockpa->spdsock_param_value; 222 mutex_exit(&spds->spds_param_lock); 223 224 (void) mi_mpprintf(mp, "%u", value); 225 return (0); 226 } 227 228 /* This routine sets an NDD variable in a spdsockparam_t structure. */ 229 /* ARGSUSED */ 230 static int 231 spdsock_param_set( 232 queue_t *q, 233 mblk_t *mp, 234 char *value, 235 caddr_t cp, 236 cred_t *cr) 237 { 238 ulong_t new_value; 239 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp; 240 spdsock_t *ss = (spdsock_t *)q->q_ptr; 241 spd_stack_t *spds = ss->spdsock_spds; 242 243 /* Convert the value from a string into a long integer. */ 244 if (ddi_strtoul(value, NULL, 10, &new_value) != 0) 245 return (EINVAL); 246 247 mutex_enter(&spds->spds_param_lock); 248 /* 249 * Fail the request if the new value does not lie within the 250 * required bounds. 251 */ 252 if (new_value < spdsockpa->spdsock_param_min || 253 new_value > spdsockpa->spdsock_param_max) { 254 mutex_exit(&spds->spds_param_lock); 255 return (EINVAL); 256 } 257 258 /* Set the new value */ 259 spdsockpa->spdsock_param_value = new_value; 260 mutex_exit(&spds->spds_param_lock); 261 262 return (0); 263 } 264 265 /* 266 * Initialize at module load time 267 */ 268 boolean_t 269 spdsock_ddi_init(void) 270 { 271 spdsock_max_optsize = optcom_max_optsize( 272 spdsock_opt_obj.odb_opt_des_arr, spdsock_opt_obj.odb_opt_arr_cnt); 273 274 spdsock_vmem = vmem_create("spdsock", (void *)1, MAXMIN, 1, 275 NULL, NULL, NULL, 1, VM_SLEEP | VMC_IDENTIFIER); 276 277 /* 278 * We want to be informed each time a stack is created or 279 * destroyed in the kernel, so we can maintain the 280 * set of spd_stack_t's. 281 */ 282 netstack_register(NS_SPDSOCK, spdsock_stack_init, 283 spdsock_stack_shutdown, spdsock_stack_fini); 284 285 return (B_TRUE); 286 } 287 288 /* 289 * Walk through the param array specified registering each element with the 290 * named dispatch handler. 291 */ 292 static boolean_t 293 spdsock_param_register(IDP *ndp, spdsockparam_t *ssp, int cnt) 294 { 295 for (; cnt-- > 0; ssp++) { 296 if (ssp->spdsock_param_name != NULL && 297 ssp->spdsock_param_name[0]) { 298 if (!nd_load(ndp, 299 ssp->spdsock_param_name, 300 spdsock_param_get, spdsock_param_set, 301 (caddr_t)ssp)) { 302 nd_free(ndp); 303 return (B_FALSE); 304 } 305 } 306 } 307 return (B_TRUE); 308 } 309 310 /* 311 * Initialize for each stack instance 312 */ 313 /* ARGSUSED */ 314 static void * 315 spdsock_stack_init(netstackid_t stackid, netstack_t *ns) 316 { 317 spd_stack_t *spds; 318 spdsockparam_t *ssp; 319 320 spds = (spd_stack_t *)kmem_zalloc(sizeof (*spds), KM_SLEEP); 321 spds->spds_netstack = ns; 322 323 ASSERT(spds->spds_g_nd == NULL); 324 325 ssp = (spdsockparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP); 326 spds->spds_params = ssp; 327 bcopy(lcl_param_arr, ssp, sizeof (lcl_param_arr)); 328 329 (void) spdsock_param_register(&spds->spds_g_nd, ssp, 330 A_CNT(lcl_param_arr)); 331 332 mutex_init(&spds->spds_param_lock, NULL, MUTEX_DEFAULT, NULL); 333 mutex_init(&spds->spds_alg_lock, NULL, MUTEX_DEFAULT, NULL); 334 335 return (spds); 336 } 337 338 void 339 spdsock_ddi_destroy(void) 340 { 341 vmem_destroy(spdsock_vmem); 342 343 netstack_unregister(NS_SPDSOCK); 344 } 345 346 /* 347 * Do pre-removal cleanup. 348 */ 349 /* ARGSUSED */ 350 static void 351 spdsock_stack_shutdown(netstackid_t stackid, void *arg) 352 { 353 spd_stack_t *spds = (spd_stack_t *)arg; 354 355 if (spds->spds_mp_algs != NULL) { 356 freemsg(spds->spds_mp_algs); 357 spds->spds_mp_algs = NULL; 358 } 359 } 360 361 /* ARGSUSED */ 362 static void 363 spdsock_stack_fini(netstackid_t stackid, void *arg) 364 { 365 spd_stack_t *spds = (spd_stack_t *)arg; 366 367 ASSERT(spds->spds_mp_algs == NULL); 368 mutex_destroy(&spds->spds_param_lock); 369 mutex_destroy(&spds->spds_alg_lock); 370 nd_free(&spds->spds_g_nd); 371 kmem_free(spds->spds_params, sizeof (lcl_param_arr)); 372 spds->spds_params = NULL; 373 374 kmem_free(spds, sizeof (*spds)); 375 } 376 377 /* 378 * NOTE: large quantities of this should be shared with keysock. 379 * Would be nice to combine some of this into a common module, but 380 * not possible given time pressures. 381 */ 382 383 /* 384 * High-level reality checking of extensions. 385 */ 386 /* ARGSUSED */ /* XXX */ 387 static boolean_t 388 ext_check(spd_ext_t *ext) 389 { 390 spd_if_t *tunname = (spd_if_t *)ext; 391 int i; 392 char *idstr; 393 394 if (ext->spd_ext_type == SPD_EXT_TUN_NAME) { 395 /* (NOTE: Modified from SADB_EXT_IDENTITY..) */ 396 397 /* 398 * Make sure the strings in these identities are 399 * null-terminated. Let's "proactively" null-terminate the 400 * string at the last byte if it's not terminated sooner. 401 */ 402 i = SPD_64TO8(tunname->spd_if_len) - sizeof (spd_if_t); 403 idstr = (char *)(tunname + 1); 404 while (*idstr != '\0' && i > 0) { 405 i--; 406 idstr++; 407 } 408 if (i == 0) { 409 /* 410 * I.e., if the bozo user didn't NULL-terminate the 411 * string... 412 */ 413 idstr--; 414 *idstr = '\0'; 415 } 416 } 417 return (B_TRUE); /* For now... */ 418 } 419 420 421 422 /* Return values for spdsock_get_ext(). */ 423 #define KGE_OK 0 424 #define KGE_DUP 1 425 #define KGE_UNK 2 426 #define KGE_LEN 3 427 #define KGE_CHK 4 428 429 /* 430 * Parse basic extension headers and return in the passed-in pointer vector. 431 * Return values include: 432 * 433 * KGE_OK Everything's nice and parsed out. 434 * If there are no extensions, place NULL in extv[0]. 435 * KGE_DUP There is a duplicate extension. 436 * First instance in appropriate bin. First duplicate in 437 * extv[0]. 438 * KGE_UNK Unknown extension type encountered. extv[0] contains 439 * unknown header. 440 * KGE_LEN Extension length error. 441 * KGE_CHK High-level reality check failed on specific extension. 442 * 443 * My apologies for some of the pointer arithmetic in here. I'm thinking 444 * like an assembly programmer, yet trying to make the compiler happy. 445 */ 446 static int 447 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize) 448 { 449 bzero(extv, sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1)); 450 451 /* Use extv[0] as the "current working pointer". */ 452 453 extv[0] = (spd_ext_t *)(basehdr + 1); 454 455 while (extv[0] < (spd_ext_t *)(((uint8_t *)basehdr) + msgsize)) { 456 /* Check for unknown headers. */ 457 if (extv[0]->spd_ext_type == 0 || 458 extv[0]->spd_ext_type > SPD_EXT_MAX) 459 return (KGE_UNK); 460 461 /* 462 * Check length. Use uint64_t because extlen is in units 463 * of 64-bit words. If length goes beyond the msgsize, 464 * return an error. (Zero length also qualifies here.) 465 */ 466 if (extv[0]->spd_ext_len == 0 || 467 (void *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) > 468 (void *)((uint8_t *)basehdr + msgsize)) 469 return (KGE_LEN); 470 471 /* Check for redundant headers. */ 472 if (extv[extv[0]->spd_ext_type] != NULL) 473 return (KGE_DUP); 474 475 /* 476 * Reality check the extension if possible at the spdsock 477 * level. 478 */ 479 if (!ext_check(extv[0])) 480 return (KGE_CHK); 481 482 /* If I make it here, assign the appropriate bin. */ 483 extv[extv[0]->spd_ext_type] = extv[0]; 484 485 /* Advance pointer (See above for uint64_t ptr reasoning.) */ 486 extv[0] = (spd_ext_t *) 487 ((uint64_t *)extv[0] + extv[0]->spd_ext_len); 488 } 489 490 /* Everything's cool. */ 491 492 /* 493 * If extv[0] == NULL, then there are no extension headers in this 494 * message. Ensure that this is the case. 495 */ 496 if (extv[0] == (spd_ext_t *)(basehdr + 1)) 497 extv[0] = NULL; 498 499 return (KGE_OK); 500 } 501 502 static const int bad_ext_diag[] = { 503 SPD_DIAGNOSTIC_MALFORMED_LCLPORT, 504 SPD_DIAGNOSTIC_MALFORMED_REMPORT, 505 SPD_DIAGNOSTIC_MALFORMED_PROTO, 506 SPD_DIAGNOSTIC_MALFORMED_LCLADDR, 507 SPD_DIAGNOSTIC_MALFORMED_REMADDR, 508 SPD_DIAGNOSTIC_MALFORMED_ACTION, 509 SPD_DIAGNOSTIC_MALFORMED_RULE, 510 SPD_DIAGNOSTIC_MALFORMED_RULESET, 511 SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE 512 }; 513 514 static const int dup_ext_diag[] = { 515 SPD_DIAGNOSTIC_DUPLICATE_LCLPORT, 516 SPD_DIAGNOSTIC_DUPLICATE_REMPORT, 517 SPD_DIAGNOSTIC_DUPLICATE_PROTO, 518 SPD_DIAGNOSTIC_DUPLICATE_LCLADDR, 519 SPD_DIAGNOSTIC_DUPLICATE_REMADDR, 520 SPD_DIAGNOSTIC_DUPLICATE_ACTION, 521 SPD_DIAGNOSTIC_DUPLICATE_RULE, 522 SPD_DIAGNOSTIC_DUPLICATE_RULESET, 523 SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE 524 }; 525 526 /* 527 * Transmit a PF_POLICY error message to the instance either pointed to 528 * by ks, the instance with serial number serial, or more, depending. 529 * 530 * The faulty message (or a reasonable facsimile thereof) is in mp. 531 * This function will free mp or recycle it for delivery, thereby causing 532 * the stream head to free it. 533 */ 534 static void 535 spdsock_error(queue_t *q, mblk_t *mp, int error, int diagnostic) 536 { 537 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 538 539 ASSERT(mp->b_datap->db_type == M_DATA); 540 541 if (spmsg->spd_msg_type < SPD_MIN || 542 spmsg->spd_msg_type > SPD_MAX) 543 spmsg->spd_msg_type = SPD_RESERVED; 544 545 /* 546 * Strip out extension headers. 547 */ 548 ASSERT(mp->b_rptr + sizeof (*spmsg) <= mp->b_datap->db_lim); 549 mp->b_wptr = mp->b_rptr + sizeof (*spmsg); 550 spmsg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t)); 551 spmsg->spd_msg_errno = (uint8_t)error; 552 spmsg->spd_msg_diagnostic = (uint16_t)diagnostic; 553 554 qreply(q, mp); 555 } 556 557 static void 558 spdsock_diag(queue_t *q, mblk_t *mp, int diagnostic) 559 { 560 spdsock_error(q, mp, EINVAL, diagnostic); 561 } 562 563 static void 564 spd_echo(queue_t *q, mblk_t *mp) 565 { 566 qreply(q, mp); 567 } 568 569 /* 570 * Do NOT consume a reference to itp. 571 */ 572 /*ARGSUSED*/ 573 static void 574 spdsock_flush_node(ipsec_tun_pol_t *itp, void *cookie, netstack_t *ns) 575 { 576 boolean_t active = (boolean_t)cookie; 577 ipsec_policy_head_t *iph; 578 579 iph = active ? itp->itp_policy : itp->itp_inactive; 580 IPPH_REFHOLD(iph); 581 mutex_enter(&itp->itp_lock); 582 spdsock_flush_one(iph, ns); /* Releases iph refhold. */ 583 if (active) 584 itp->itp_flags &= ~ITPF_PFLAGS; 585 else 586 itp->itp_flags &= ~ITPF_IFLAGS; 587 mutex_exit(&itp->itp_lock); 588 /* SPD_FLUSH is worth a tunnel MTU check. */ 589 update_iptun_policy(itp); 590 } 591 592 /* 593 * Clear out one polhead. 594 */ 595 static void 596 spdsock_flush_one(ipsec_policy_head_t *iph, netstack_t *ns) 597 { 598 rw_enter(&iph->iph_lock, RW_WRITER); 599 ipsec_polhead_flush(iph, ns); 600 rw_exit(&iph->iph_lock); 601 IPPH_REFRELE(iph, ns); 602 } 603 604 static void 605 spdsock_flush(queue_t *q, ipsec_policy_head_t *iph, ipsec_tun_pol_t *itp, 606 mblk_t *mp) 607 { 608 boolean_t active; 609 spdsock_t *ss = (spdsock_t *)q->q_ptr; 610 netstack_t *ns = ss->spdsock_spds->spds_netstack; 611 uint32_t auditing = AU_AUDITING(); 612 613 if (iph != ALL_ACTIVE_POLHEADS && iph != ALL_INACTIVE_POLHEADS) { 614 spdsock_flush_one(iph, ns); 615 if (auditing) { 616 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 617 cred_t *cr; 618 pid_t cpid; 619 620 cr = msg_getcred(mp, &cpid); 621 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 622 audit_pf_policy(SPD_FLUSH, cr, ns, 623 ITP_NAME(itp), active, 0, cpid); 624 } 625 } else { 626 active = (iph == ALL_ACTIVE_POLHEADS); 627 628 /* First flush the global policy. */ 629 spdsock_flush_one(active ? ipsec_system_policy(ns) : 630 ipsec_inactive_policy(ns), ns); 631 if (auditing) { 632 cred_t *cr; 633 pid_t cpid; 634 635 cr = msg_getcred(mp, &cpid); 636 audit_pf_policy(SPD_FLUSH, cr, ns, NULL, 637 active, 0, cpid); 638 } 639 /* Then flush every tunnel's appropriate one. */ 640 itp_walk(spdsock_flush_node, (void *)active, ns); 641 if (auditing) { 642 cred_t *cr; 643 pid_t cpid; 644 645 cr = msg_getcred(mp, &cpid); 646 audit_pf_policy(SPD_FLUSH, cr, ns, 647 "all tunnels", active, 0, cpid); 648 } 649 } 650 651 spd_echo(q, mp); 652 } 653 654 static boolean_t 655 spdsock_ext_to_sel(spd_ext_t **extv, ipsec_selkey_t *sel, int *diag) 656 { 657 bzero(sel, sizeof (*sel)); 658 659 if (extv[SPD_EXT_PROTO] != NULL) { 660 struct spd_proto *pr = 661 (struct spd_proto *)extv[SPD_EXT_PROTO]; 662 sel->ipsl_proto = pr->spd_proto_number; 663 sel->ipsl_valid |= IPSL_PROTOCOL; 664 } 665 if (extv[SPD_EXT_LCLPORT] != NULL) { 666 struct spd_portrange *pr = 667 (struct spd_portrange *)extv[SPD_EXT_LCLPORT]; 668 sel->ipsl_lport = pr->spd_ports_minport; 669 sel->ipsl_valid |= IPSL_LOCAL_PORT; 670 } 671 if (extv[SPD_EXT_REMPORT] != NULL) { 672 struct spd_portrange *pr = 673 (struct spd_portrange *)extv[SPD_EXT_REMPORT]; 674 sel->ipsl_rport = pr->spd_ports_minport; 675 sel->ipsl_valid |= IPSL_REMOTE_PORT; 676 } 677 678 if (extv[SPD_EXT_ICMP_TYPECODE] != NULL) { 679 struct spd_typecode *tc= 680 (struct spd_typecode *)extv[SPD_EXT_ICMP_TYPECODE]; 681 682 sel->ipsl_valid |= IPSL_ICMP_TYPE; 683 sel->ipsl_icmp_type = tc->spd_typecode_type; 684 if (tc->spd_typecode_type_end < tc->spd_typecode_type) 685 sel->ipsl_icmp_type_end = tc->spd_typecode_type; 686 else 687 sel->ipsl_icmp_type_end = tc->spd_typecode_type_end; 688 689 if (tc->spd_typecode_code != 255) { 690 sel->ipsl_valid |= IPSL_ICMP_CODE; 691 sel->ipsl_icmp_code = tc->spd_typecode_code; 692 if (tc->spd_typecode_code_end < tc->spd_typecode_code) 693 sel->ipsl_icmp_code_end = tc->spd_typecode_code; 694 else 695 sel->ipsl_icmp_code_end = 696 tc->spd_typecode_code_end; 697 } 698 } 699 #define ADDR2SEL(sel, extv, field, pfield, extn, bit) \ 700 if ((extv)[(extn)] != NULL) { \ 701 uint_t addrlen; \ 702 struct spd_address *ap = \ 703 (struct spd_address *)((extv)[(extn)]); \ 704 addrlen = (ap->spd_address_af == AF_INET6) ? \ 705 IPV6_ADDR_LEN : IP_ADDR_LEN; \ 706 if (SPD_64TO8(ap->spd_address_len) < \ 707 (addrlen + sizeof (*ap))) { \ 708 *diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN; \ 709 return (B_FALSE); \ 710 } \ 711 bcopy((ap+1), &((sel)->field), addrlen); \ 712 (sel)->pfield = ap->spd_address_prefixlen; \ 713 (sel)->ipsl_valid |= (bit); \ 714 (sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ? \ 715 IPSL_IPV6 : IPSL_IPV4; \ 716 } 717 718 ADDR2SEL(sel, extv, ipsl_local, ipsl_local_pfxlen, 719 SPD_EXT_LCLADDR, IPSL_LOCAL_ADDR); 720 ADDR2SEL(sel, extv, ipsl_remote, ipsl_remote_pfxlen, 721 SPD_EXT_REMADDR, IPSL_REMOTE_ADDR); 722 723 if ((sel->ipsl_valid & (IPSL_IPV6|IPSL_IPV4)) == 724 (IPSL_IPV6|IPSL_IPV4)) { 725 *diag = SPD_DIAGNOSTIC_MIXED_AF; 726 return (B_FALSE); 727 } 728 729 #undef ADDR2SEL 730 731 return (B_TRUE); 732 } 733 734 static boolean_t 735 spd_convert_type(uint32_t type, ipsec_act_t *act) 736 { 737 switch (type) { 738 case SPD_ACTTYPE_DROP: 739 act->ipa_type = IPSEC_ACT_DISCARD; 740 return (B_TRUE); 741 742 case SPD_ACTTYPE_PASS: 743 act->ipa_type = IPSEC_ACT_CLEAR; 744 return (B_TRUE); 745 746 case SPD_ACTTYPE_IPSEC: 747 act->ipa_type = IPSEC_ACT_APPLY; 748 return (B_TRUE); 749 } 750 return (B_FALSE); 751 } 752 753 static boolean_t 754 spd_convert_flags(uint32_t flags, ipsec_act_t *act) 755 { 756 /* 757 * Note use of !! for boolean canonicalization. 758 */ 759 act->ipa_apply.ipp_use_ah = !!(flags & SPD_APPLY_AH); 760 act->ipa_apply.ipp_use_esp = !!(flags & SPD_APPLY_ESP); 761 act->ipa_apply.ipp_use_espa = !!(flags & SPD_APPLY_ESPA); 762 act->ipa_apply.ipp_use_se = !!(flags & SPD_APPLY_SE); 763 act->ipa_apply.ipp_use_unique = !!(flags & SPD_APPLY_UNIQUE); 764 return (B_TRUE); 765 } 766 767 static void 768 spdsock_reset_act(ipsec_act_t *act) 769 { 770 bzero(act, sizeof (*act)); 771 act->ipa_apply.ipp_espe_maxbits = IPSEC_MAX_KEYBITS; 772 act->ipa_apply.ipp_espa_maxbits = IPSEC_MAX_KEYBITS; 773 act->ipa_apply.ipp_ah_maxbits = IPSEC_MAX_KEYBITS; 774 } 775 776 /* 777 * Sanity check action against reality, and shrink-wrap key sizes.. 778 */ 779 static boolean_t 780 spdsock_check_action(ipsec_act_t *act, boolean_t tunnel_polhead, int *diag, 781 spd_stack_t *spds) 782 { 783 if (tunnel_polhead && act->ipa_apply.ipp_use_unique) { 784 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 785 return (B_FALSE); 786 } 787 if ((act->ipa_type != IPSEC_ACT_APPLY) && 788 (act->ipa_apply.ipp_use_ah || 789 act->ipa_apply.ipp_use_esp || 790 act->ipa_apply.ipp_use_espa || 791 act->ipa_apply.ipp_use_se || 792 act->ipa_apply.ipp_use_unique)) { 793 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 794 return (B_FALSE); 795 } 796 if ((act->ipa_type == IPSEC_ACT_APPLY) && 797 !act->ipa_apply.ipp_use_ah && 798 !act->ipa_apply.ipp_use_esp) { 799 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 800 return (B_FALSE); 801 } 802 return (ipsec_check_action(act, diag, spds->spds_netstack)); 803 } 804 805 /* 806 * We may be short a few error checks here.. 807 */ 808 static boolean_t 809 spdsock_ext_to_actvec(spd_ext_t **extv, ipsec_act_t **actpp, uint_t *nactp, 810 int *diag, spd_stack_t *spds) 811 { 812 struct spd_ext_actions *sactp = 813 (struct spd_ext_actions *)extv[SPD_EXT_ACTION]; 814 ipsec_act_t act, *actp, *endactp; 815 struct spd_attribute *attrp, *endattrp; 816 uint64_t *endp; 817 int nact; 818 boolean_t tunnel_polhead; 819 820 tunnel_polhead = (extv[SPD_EXT_TUN_NAME] != NULL && 821 (((struct spd_rule *)extv[SPD_EXT_RULE])->spd_rule_flags & 822 SPD_RULE_FLAG_TUNNEL)); 823 824 *actpp = NULL; 825 *nactp = 0; 826 827 if (sactp == NULL) { 828 *diag = SPD_DIAGNOSTIC_NO_ACTION_EXT; 829 return (B_FALSE); 830 } 831 832 /* 833 * Parse the "action" extension and convert into an action chain. 834 */ 835 836 nact = sactp->spd_actions_count; 837 838 endp = (uint64_t *)sactp; 839 endp += sactp->spd_actions_len; 840 endattrp = (struct spd_attribute *)endp; 841 842 actp = kmem_alloc(sizeof (*actp) * nact, KM_NOSLEEP); 843 if (actp == NULL) { 844 *diag = SPD_DIAGNOSTIC_ADD_NO_MEM; 845 return (B_FALSE); 846 } 847 *actpp = actp; 848 *nactp = nact; 849 endactp = actp + nact; 850 851 spdsock_reset_act(&act); 852 attrp = (struct spd_attribute *)(&sactp[1]); 853 854 for (; attrp < endattrp; attrp++) { 855 switch (attrp->spd_attr_tag) { 856 case SPD_ATTR_NOP: 857 break; 858 859 case SPD_ATTR_EMPTY: 860 spdsock_reset_act(&act); 861 break; 862 863 case SPD_ATTR_END: 864 attrp = endattrp; 865 /* FALLTHRU */ 866 case SPD_ATTR_NEXT: 867 if (actp >= endactp) { 868 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT; 869 goto fail; 870 } 871 if (!spdsock_check_action(&act, tunnel_polhead, 872 diag, spds)) 873 goto fail; 874 *actp++ = act; 875 spdsock_reset_act(&act); 876 break; 877 878 case SPD_ATTR_TYPE: 879 if (!spd_convert_type(attrp->spd_attr_value, &act)) { 880 *diag = SPD_DIAGNOSTIC_ADD_BAD_TYPE; 881 goto fail; 882 } 883 break; 884 885 case SPD_ATTR_FLAGS: 886 if (!tunnel_polhead && extv[SPD_EXT_TUN_NAME] != NULL) { 887 /* 888 * Set "sa unique" for transport-mode 889 * tunnels whether we want to or not. 890 */ 891 attrp->spd_attr_value |= SPD_APPLY_UNIQUE; 892 } 893 if (!spd_convert_flags(attrp->spd_attr_value, &act)) { 894 *diag = SPD_DIAGNOSTIC_ADD_BAD_FLAGS; 895 goto fail; 896 } 897 break; 898 899 case SPD_ATTR_AH_AUTH: 900 if (attrp->spd_attr_value == 0) { 901 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG; 902 goto fail; 903 } 904 act.ipa_apply.ipp_auth_alg = attrp->spd_attr_value; 905 break; 906 907 case SPD_ATTR_ESP_ENCR: 908 if (attrp->spd_attr_value == 0) { 909 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG; 910 goto fail; 911 } 912 act.ipa_apply.ipp_encr_alg = attrp->spd_attr_value; 913 break; 914 915 case SPD_ATTR_ESP_AUTH: 916 if (attrp->spd_attr_value == 0) { 917 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG; 918 goto fail; 919 } 920 act.ipa_apply.ipp_esp_auth_alg = attrp->spd_attr_value; 921 break; 922 923 case SPD_ATTR_ENCR_MINBITS: 924 act.ipa_apply.ipp_espe_minbits = attrp->spd_attr_value; 925 break; 926 927 case SPD_ATTR_ENCR_MAXBITS: 928 act.ipa_apply.ipp_espe_maxbits = attrp->spd_attr_value; 929 break; 930 931 case SPD_ATTR_AH_MINBITS: 932 act.ipa_apply.ipp_ah_minbits = attrp->spd_attr_value; 933 break; 934 935 case SPD_ATTR_AH_MAXBITS: 936 act.ipa_apply.ipp_ah_maxbits = attrp->spd_attr_value; 937 break; 938 939 case SPD_ATTR_ESPA_MINBITS: 940 act.ipa_apply.ipp_espa_minbits = attrp->spd_attr_value; 941 break; 942 943 case SPD_ATTR_ESPA_MAXBITS: 944 act.ipa_apply.ipp_espa_maxbits = attrp->spd_attr_value; 945 break; 946 947 case SPD_ATTR_LIFE_SOFT_TIME: 948 case SPD_ATTR_LIFE_HARD_TIME: 949 case SPD_ATTR_LIFE_SOFT_BYTES: 950 case SPD_ATTR_LIFE_HARD_BYTES: 951 break; 952 953 case SPD_ATTR_KM_PROTO: 954 act.ipa_apply.ipp_km_proto = attrp->spd_attr_value; 955 break; 956 957 case SPD_ATTR_KM_COOKIE: 958 act.ipa_apply.ipp_km_cookie = attrp->spd_attr_value; 959 break; 960 961 case SPD_ATTR_REPLAY_DEPTH: 962 act.ipa_apply.ipp_replay_depth = attrp->spd_attr_value; 963 break; 964 } 965 } 966 if (actp != endactp) { 967 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT; 968 goto fail; 969 } 970 971 return (B_TRUE); 972 fail: 973 ipsec_actvec_free(*actpp, nact); 974 *actpp = NULL; 975 return (B_FALSE); 976 } 977 978 typedef struct 979 { 980 ipsec_policy_t *pol; 981 int dir; 982 } tmprule_t; 983 984 static int 985 mkrule(ipsec_policy_head_t *iph, struct spd_rule *rule, 986 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t af, 987 tmprule_t **rp, uint64_t *index, spd_stack_t *spds) 988 { 989 ipsec_policy_t *pol; 990 991 sel->ipsl_valid &= ~(IPSL_IPV6|IPSL_IPV4); 992 sel->ipsl_valid |= af; 993 994 pol = ipsec_policy_create(sel, actp, nact, rule->spd_rule_priority, 995 index, spds->spds_netstack); 996 if (pol == NULL) 997 return (ENOMEM); 998 999 (*rp)->pol = pol; 1000 (*rp)->dir = dir; 1001 (*rp)++; 1002 1003 if (!ipsec_check_policy(iph, pol, dir)) 1004 return (EEXIST); 1005 1006 rule->spd_rule_index = pol->ipsp_index; 1007 return (0); 1008 } 1009 1010 static int 1011 mkrulepair(ipsec_policy_head_t *iph, struct spd_rule *rule, 1012 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t afs, 1013 tmprule_t **rp, uint64_t *index, spd_stack_t *spds) 1014 { 1015 int error; 1016 1017 if (afs & IPSL_IPV4) { 1018 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV4, rp, 1019 index, spds); 1020 if (error != 0) 1021 return (error); 1022 } 1023 if (afs & IPSL_IPV6) { 1024 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV6, rp, 1025 index, spds); 1026 if (error != 0) 1027 return (error); 1028 } 1029 return (0); 1030 } 1031 1032 1033 static void 1034 spdsock_addrule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1035 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1036 { 1037 ipsec_selkey_t sel; 1038 ipsec_act_t *actp; 1039 uint_t nact; 1040 int diag = 0, error, afs; 1041 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE]; 1042 tmprule_t rules[4], *rulep = &rules[0]; 1043 boolean_t tunnel_mode, empty_itp, active; 1044 uint64_t *index = (itp == NULL) ? NULL : &itp->itp_next_policy_index; 1045 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1046 spd_stack_t *spds = ss->spdsock_spds; 1047 uint32_t auditing = AU_AUDITING(); 1048 1049 if (rule == NULL) { 1050 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT); 1051 if (auditing) { 1052 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1053 cred_t *cr; 1054 pid_t cpid; 1055 1056 cr = msg_getcred(mp, &cpid); 1057 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1058 audit_pf_policy(SPD_ADDRULE, cr, 1059 spds->spds_netstack, ITP_NAME(itp), active, 1060 SPD_DIAGNOSTIC_NO_RULE_EXT, cpid); 1061 } 1062 return; 1063 } 1064 1065 tunnel_mode = (rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL); 1066 1067 if (itp != NULL) { 1068 mutex_enter(&itp->itp_lock); 1069 ASSERT(itp->itp_policy == iph || itp->itp_inactive == iph); 1070 active = (itp->itp_policy == iph); 1071 if (ITP_P_ISACTIVE(itp, iph)) { 1072 /* Check for mix-and-match of tunnel/transport. */ 1073 if ((tunnel_mode && !ITP_P_ISTUNNEL(itp, iph)) || 1074 (!tunnel_mode && ITP_P_ISTUNNEL(itp, iph))) { 1075 mutex_exit(&itp->itp_lock); 1076 spdsock_error(q, mp, EBUSY, 0); 1077 return; 1078 } 1079 empty_itp = B_FALSE; 1080 } else { 1081 empty_itp = B_TRUE; 1082 itp->itp_flags = active ? ITPF_P_ACTIVE : ITPF_I_ACTIVE; 1083 if (tunnel_mode) 1084 itp->itp_flags |= active ? ITPF_P_TUNNEL : 1085 ITPF_I_TUNNEL; 1086 } 1087 } else { 1088 empty_itp = B_FALSE; 1089 } 1090 1091 if (rule->spd_rule_index != 0) { 1092 diag = SPD_DIAGNOSTIC_INVALID_RULE_INDEX; 1093 error = EINVAL; 1094 goto fail2; 1095 } 1096 1097 if (!spdsock_ext_to_sel(extv, &sel, &diag)) { 1098 error = EINVAL; 1099 goto fail2; 1100 } 1101 1102 if (itp != NULL) { 1103 if (tunnel_mode) { 1104 if (sel.ipsl_valid & 1105 (IPSL_REMOTE_PORT | IPSL_LOCAL_PORT)) { 1106 itp->itp_flags |= active ? 1107 ITPF_P_PER_PORT_SECURITY : 1108 ITPF_I_PER_PORT_SECURITY; 1109 } 1110 } else { 1111 /* 1112 * For now, we don't allow transport-mode on a tunnel 1113 * with ANY specific selectors. Bail if we have such 1114 * a request. 1115 */ 1116 if (sel.ipsl_valid & IPSL_WILDCARD) { 1117 diag = SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS; 1118 error = EINVAL; 1119 goto fail2; 1120 } 1121 } 1122 } 1123 1124 if (!spdsock_ext_to_actvec(extv, &actp, &nact, &diag, spds)) { 1125 error = EINVAL; 1126 goto fail2; 1127 } 1128 /* 1129 * If no addresses were specified, add both. 1130 */ 1131 afs = sel.ipsl_valid & (IPSL_IPV6|IPSL_IPV4); 1132 if (afs == 0) 1133 afs = (IPSL_IPV6|IPSL_IPV4); 1134 1135 rw_enter(&iph->iph_lock, RW_WRITER); 1136 1137 if (rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) { 1138 error = mkrulepair(iph, rule, &sel, actp, nact, 1139 IPSEC_TYPE_OUTBOUND, afs, &rulep, index, spds); 1140 if (error != 0) 1141 goto fail; 1142 } 1143 1144 if (rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) { 1145 error = mkrulepair(iph, rule, &sel, actp, nact, 1146 IPSEC_TYPE_INBOUND, afs, &rulep, index, spds); 1147 if (error != 0) 1148 goto fail; 1149 } 1150 1151 while ((--rulep) >= &rules[0]) { 1152 ipsec_enter_policy(iph, rulep->pol, rulep->dir, 1153 spds->spds_netstack); 1154 } 1155 rw_exit(&iph->iph_lock); 1156 if (itp != NULL) 1157 mutex_exit(&itp->itp_lock); 1158 1159 ipsec_actvec_free(actp, nact); 1160 spd_echo(q, mp); 1161 if (auditing) { 1162 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1163 cred_t *cr; 1164 pid_t cpid; 1165 1166 cr = msg_getcred(mp, &cpid); 1167 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1168 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack, 1169 ITP_NAME(itp), active, 0, cpid); 1170 } 1171 return; 1172 1173 fail: 1174 rw_exit(&iph->iph_lock); 1175 while ((--rulep) >= &rules[0]) 1176 IPPOL_REFRELE(rulep->pol); 1177 ipsec_actvec_free(actp, nact); 1178 fail2: 1179 if (itp != NULL) { 1180 if (empty_itp) 1181 itp->itp_flags = 0; 1182 mutex_exit(&itp->itp_lock); 1183 } 1184 spdsock_error(q, mp, error, diag); 1185 if (auditing) { 1186 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1187 cred_t *cr; 1188 pid_t cpid; 1189 1190 cr = msg_getcred(mp, &cpid); 1191 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1192 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack, 1193 ITP_NAME(itp), active, error, cpid); 1194 } 1195 } 1196 1197 void 1198 spdsock_deleterule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1199 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1200 { 1201 ipsec_selkey_t sel; 1202 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE]; 1203 int err, diag = 0; 1204 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1205 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1206 uint32_t auditing = AU_AUDITING(); 1207 1208 if (rule == NULL) { 1209 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT); 1210 if (auditing) { 1211 boolean_t active; 1212 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1213 cred_t *cr; 1214 pid_t cpid; 1215 1216 cr = msg_getcred(mp, &cpid); 1217 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1218 audit_pf_policy(SPD_DELETERULE, cr, ns, 1219 ITP_NAME(itp), active, SPD_DIAGNOSTIC_NO_RULE_EXT, 1220 cpid); 1221 } 1222 return; 1223 } 1224 1225 /* 1226 * Must enter itp_lock first to avoid deadlock. See tun.c's 1227 * set_sec_simple() for the other case of itp_lock and iph_lock. 1228 */ 1229 if (itp != NULL) 1230 mutex_enter(&itp->itp_lock); 1231 1232 if (rule->spd_rule_index != 0) { 1233 if (ipsec_policy_delete_index(iph, rule->spd_rule_index, ns) != 1234 0) { 1235 err = ESRCH; 1236 goto fail; 1237 } 1238 } else { 1239 if (!spdsock_ext_to_sel(extv, &sel, &diag)) { 1240 err = EINVAL; /* diag already set... */ 1241 goto fail; 1242 } 1243 1244 if ((rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) && 1245 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_INBOUND, ns)) { 1246 err = ESRCH; 1247 goto fail; 1248 } 1249 1250 if ((rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) && 1251 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_OUTBOUND, ns)) { 1252 err = ESRCH; 1253 goto fail; 1254 } 1255 } 1256 1257 if (itp != NULL) { 1258 ASSERT(iph == itp->itp_policy || iph == itp->itp_inactive); 1259 rw_enter(&iph->iph_lock, RW_READER); 1260 if (avl_numnodes(&iph->iph_rulebyid) == 0) { 1261 if (iph == itp->itp_policy) 1262 itp->itp_flags &= ~ITPF_PFLAGS; 1263 else 1264 itp->itp_flags &= ~ITPF_IFLAGS; 1265 } 1266 /* Can exit locks in any order. */ 1267 rw_exit(&iph->iph_lock); 1268 mutex_exit(&itp->itp_lock); 1269 } 1270 spd_echo(q, mp); 1271 if (auditing) { 1272 boolean_t active; 1273 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1274 cred_t *cr; 1275 pid_t cpid; 1276 1277 cr = msg_getcred(mp, &cpid); 1278 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1279 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp), 1280 active, 0, cpid); 1281 } 1282 return; 1283 fail: 1284 if (itp != NULL) 1285 mutex_exit(&itp->itp_lock); 1286 spdsock_error(q, mp, err, diag); 1287 if (auditing) { 1288 boolean_t active; 1289 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1290 cred_t *cr; 1291 pid_t cpid; 1292 1293 cr = msg_getcred(mp, &cpid); 1294 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1295 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp), 1296 active, err, cpid); 1297 } 1298 } 1299 1300 /* Do NOT consume a reference to itp. */ 1301 /* ARGSUSED */ 1302 static void 1303 spdsock_flip_node(ipsec_tun_pol_t *itp, void *ignoreme, netstack_t *ns) 1304 { 1305 mutex_enter(&itp->itp_lock); 1306 ITPF_SWAP(itp->itp_flags); 1307 ipsec_swap_policy(itp->itp_policy, itp->itp_inactive, ns); 1308 mutex_exit(&itp->itp_lock); 1309 /* SPD_FLIP is worth a tunnel MTU check. */ 1310 update_iptun_policy(itp); 1311 } 1312 1313 void 1314 spdsock_flip(queue_t *q, mblk_t *mp, spd_if_t *tunname) 1315 { 1316 char *tname; 1317 ipsec_tun_pol_t *itp; 1318 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1319 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1320 uint32_t auditing = AU_AUDITING(); 1321 1322 if (tunname != NULL) { 1323 tname = (char *)tunname->spd_if_name; 1324 if (*tname == '\0') { 1325 /* can't fail */ 1326 ipsec_swap_global_policy(ns); 1327 if (auditing) { 1328 boolean_t active; 1329 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1330 cred_t *cr; 1331 pid_t cpid; 1332 1333 cr = msg_getcred(mp, &cpid); 1334 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1335 audit_pf_policy(SPD_FLIP, cr, ns, 1336 NULL, active, 0, cpid); 1337 } 1338 itp_walk(spdsock_flip_node, NULL, ns); 1339 if (auditing) { 1340 boolean_t active; 1341 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1342 cred_t *cr; 1343 pid_t cpid; 1344 1345 cr = msg_getcred(mp, &cpid); 1346 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1347 audit_pf_policy(SPD_FLIP, cr, ns, 1348 "all tunnels", active, 0, cpid); 1349 } 1350 } else { 1351 itp = get_tunnel_policy(tname, ns); 1352 if (itp == NULL) { 1353 /* Better idea for "tunnel not found"? */ 1354 spdsock_error(q, mp, ESRCH, 0); 1355 if (auditing) { 1356 boolean_t active; 1357 spd_msg_t *spmsg = 1358 (spd_msg_t *)mp->b_rptr; 1359 cred_t *cr; 1360 pid_t cpid; 1361 1362 cr = msg_getcred(mp, &cpid); 1363 active = (spmsg->spd_msg_spdid == 1364 SPD_ACTIVE); 1365 audit_pf_policy(SPD_FLIP, cr, ns, 1366 ITP_NAME(itp), active, 1367 ESRCH, cpid); 1368 } 1369 return; 1370 } 1371 spdsock_flip_node(itp, NULL, ns); 1372 if (auditing) { 1373 boolean_t active; 1374 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1375 cred_t *cr; 1376 pid_t cpid; 1377 1378 cr = msg_getcred(mp, &cpid); 1379 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1380 audit_pf_policy(SPD_FLIP, cr, ns, 1381 ITP_NAME(itp), active, 0, cpid); 1382 } 1383 ITP_REFRELE(itp, ns); 1384 } 1385 } else { 1386 ipsec_swap_global_policy(ns); /* can't fail */ 1387 if (auditing) { 1388 boolean_t active; 1389 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1390 cred_t *cr; 1391 pid_t cpid; 1392 1393 cr = msg_getcred(mp, &cpid); 1394 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1395 audit_pf_policy(SPD_FLIP, cr, 1396 ns, NULL, active, 0, cpid); 1397 } 1398 } 1399 spd_echo(q, mp); 1400 } 1401 1402 /* 1403 * Unimplemented feature 1404 */ 1405 /* ARGSUSED */ 1406 static void 1407 spdsock_lookup(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1408 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1409 { 1410 spdsock_error(q, mp, EINVAL, 0); 1411 } 1412 1413 1414 static mblk_t * 1415 spdsock_dump_ruleset(mblk_t *req, ipsec_policy_head_t *iph, 1416 uint32_t count, uint16_t error) 1417 { 1418 size_t len = sizeof (spd_ruleset_ext_t) + sizeof (spd_msg_t); 1419 spd_msg_t *msg; 1420 spd_ruleset_ext_t *ruleset; 1421 mblk_t *m = allocb(len, BPRI_HI); 1422 1423 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1424 1425 if (m == NULL) { 1426 return (NULL); 1427 } 1428 msg = (spd_msg_t *)m->b_rptr; 1429 ruleset = (spd_ruleset_ext_t *)(&msg[1]); 1430 1431 m->b_wptr = (uint8_t *)&ruleset[1]; 1432 1433 *msg = *(spd_msg_t *)(req->b_rptr); 1434 msg->spd_msg_len = SPD_8TO64(len); 1435 msg->spd_msg_errno = error; 1436 1437 ruleset->spd_ruleset_len = SPD_8TO64(sizeof (*ruleset)); 1438 ruleset->spd_ruleset_type = SPD_EXT_RULESET; 1439 ruleset->spd_ruleset_count = count; 1440 ruleset->spd_ruleset_version = iph->iph_gen; 1441 return (m); 1442 } 1443 1444 static mblk_t * 1445 spdsock_dump_finish(spdsock_t *ss, int error) 1446 { 1447 mblk_t *m; 1448 ipsec_policy_head_t *iph = ss->spdsock_dump_head; 1449 mblk_t *req = ss->spdsock_dump_req; 1450 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1451 1452 rw_enter(&iph->iph_lock, RW_READER); 1453 m = spdsock_dump_ruleset(req, iph, ss->spdsock_dump_count, error); 1454 rw_exit(&iph->iph_lock); 1455 IPPH_REFRELE(iph, ns); 1456 if (ss->spdsock_itp != NULL) { 1457 ITP_REFRELE(ss->spdsock_itp, ns); 1458 ss->spdsock_itp = NULL; 1459 } 1460 ss->spdsock_dump_req = NULL; 1461 freemsg(req); 1462 1463 return (m); 1464 } 1465 1466 /* 1467 * Rule encoding functions. 1468 * We do a two-pass encode. 1469 * If base != NULL, fill in encoded rule part starting at base+offset. 1470 * Always return "offset" plus length of to-be-encoded data. 1471 */ 1472 static uint_t 1473 spdsock_encode_typecode(uint8_t *base, uint_t offset, uint8_t type, 1474 uint8_t type_end, uint8_t code, uint8_t code_end) 1475 { 1476 struct spd_typecode *tcp; 1477 1478 ASSERT(ALIGNED64(offset)); 1479 1480 if (base != NULL) { 1481 tcp = (struct spd_typecode *)(base + offset); 1482 tcp->spd_typecode_len = SPD_8TO64(sizeof (*tcp)); 1483 tcp->spd_typecode_exttype = SPD_EXT_ICMP_TYPECODE; 1484 tcp->spd_typecode_code = code; 1485 tcp->spd_typecode_type = type; 1486 tcp->spd_typecode_type_end = type_end; 1487 tcp->spd_typecode_code_end = code_end; 1488 } 1489 offset += sizeof (*tcp); 1490 1491 ASSERT(ALIGNED64(offset)); 1492 1493 return (offset); 1494 } 1495 1496 static uint_t 1497 spdsock_encode_proto(uint8_t *base, uint_t offset, uint8_t proto) 1498 { 1499 struct spd_proto *spp; 1500 1501 ASSERT(ALIGNED64(offset)); 1502 1503 if (base != NULL) { 1504 spp = (struct spd_proto *)(base + offset); 1505 spp->spd_proto_len = SPD_8TO64(sizeof (*spp)); 1506 spp->spd_proto_exttype = SPD_EXT_PROTO; 1507 spp->spd_proto_number = proto; 1508 spp->spd_proto_reserved1 = 0; 1509 spp->spd_proto_reserved2 = 0; 1510 } 1511 offset += sizeof (*spp); 1512 1513 ASSERT(ALIGNED64(offset)); 1514 1515 return (offset); 1516 } 1517 1518 static uint_t 1519 spdsock_encode_port(uint8_t *base, uint_t offset, uint16_t ext, uint16_t port) 1520 { 1521 struct spd_portrange *spp; 1522 1523 ASSERT(ALIGNED64(offset)); 1524 1525 if (base != NULL) { 1526 spp = (struct spd_portrange *)(base + offset); 1527 spp->spd_ports_len = SPD_8TO64(sizeof (*spp)); 1528 spp->spd_ports_exttype = ext; 1529 spp->spd_ports_minport = port; 1530 spp->spd_ports_maxport = port; 1531 } 1532 offset += sizeof (*spp); 1533 1534 ASSERT(ALIGNED64(offset)); 1535 1536 return (offset); 1537 } 1538 1539 static uint_t 1540 spdsock_encode_addr(uint8_t *base, uint_t offset, uint16_t ext, 1541 const ipsec_selkey_t *sel, const ipsec_addr_t *addr, uint_t pfxlen) 1542 { 1543 struct spd_address *sae; 1544 ipsec_addr_t *spdaddr; 1545 uint_t start = offset; 1546 uint_t addrlen; 1547 uint_t af; 1548 1549 if (sel->ipsl_valid & IPSL_IPV4) { 1550 af = AF_INET; 1551 addrlen = IP_ADDR_LEN; 1552 } else { 1553 af = AF_INET6; 1554 addrlen = IPV6_ADDR_LEN; 1555 } 1556 1557 ASSERT(ALIGNED64(offset)); 1558 1559 if (base != NULL) { 1560 sae = (struct spd_address *)(base + offset); 1561 sae->spd_address_exttype = ext; 1562 sae->spd_address_af = af; 1563 sae->spd_address_prefixlen = pfxlen; 1564 sae->spd_address_reserved2 = 0; 1565 1566 spdaddr = (ipsec_addr_t *)(&sae[1]); 1567 bcopy(addr, spdaddr, addrlen); 1568 } 1569 offset += sizeof (*sae); 1570 addrlen = roundup(addrlen, sizeof (uint64_t)); 1571 offset += addrlen; 1572 1573 ASSERT(ALIGNED64(offset)); 1574 1575 if (base != NULL) 1576 sae->spd_address_len = SPD_8TO64(offset - start); 1577 return (offset); 1578 } 1579 1580 static uint_t 1581 spdsock_encode_sel(uint8_t *base, uint_t offset, const ipsec_sel_t *sel) 1582 { 1583 const ipsec_selkey_t *selkey = &sel->ipsl_key; 1584 1585 if (selkey->ipsl_valid & IPSL_PROTOCOL) 1586 offset = spdsock_encode_proto(base, offset, selkey->ipsl_proto); 1587 if (selkey->ipsl_valid & IPSL_LOCAL_PORT) 1588 offset = spdsock_encode_port(base, offset, SPD_EXT_LCLPORT, 1589 selkey->ipsl_lport); 1590 if (selkey->ipsl_valid & IPSL_REMOTE_PORT) 1591 offset = spdsock_encode_port(base, offset, SPD_EXT_REMPORT, 1592 selkey->ipsl_rport); 1593 if (selkey->ipsl_valid & IPSL_REMOTE_ADDR) 1594 offset = spdsock_encode_addr(base, offset, SPD_EXT_REMADDR, 1595 selkey, &selkey->ipsl_remote, selkey->ipsl_remote_pfxlen); 1596 if (selkey->ipsl_valid & IPSL_LOCAL_ADDR) 1597 offset = spdsock_encode_addr(base, offset, SPD_EXT_LCLADDR, 1598 selkey, &selkey->ipsl_local, selkey->ipsl_local_pfxlen); 1599 if (selkey->ipsl_valid & IPSL_ICMP_TYPE) { 1600 offset = spdsock_encode_typecode(base, offset, 1601 selkey->ipsl_icmp_type, selkey->ipsl_icmp_type_end, 1602 (selkey->ipsl_valid & IPSL_ICMP_CODE) ? 1603 selkey->ipsl_icmp_code : 255, 1604 (selkey->ipsl_valid & IPSL_ICMP_CODE) ? 1605 selkey->ipsl_icmp_code_end : 255); 1606 } 1607 return (offset); 1608 } 1609 1610 static uint_t 1611 spdsock_encode_actattr(uint8_t *base, uint_t offset, uint32_t tag, 1612 uint32_t value) 1613 { 1614 struct spd_attribute *attr; 1615 1616 ASSERT(ALIGNED64(offset)); 1617 1618 if (base != NULL) { 1619 attr = (struct spd_attribute *)(base + offset); 1620 attr->spd_attr_tag = tag; 1621 attr->spd_attr_value = value; 1622 } 1623 offset += sizeof (struct spd_attribute); 1624 1625 ASSERT(ALIGNED64(offset)); 1626 1627 return (offset); 1628 } 1629 1630 1631 #define EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v)) 1632 1633 static uint_t 1634 spdsock_encode_action(uint8_t *base, uint_t offset, const ipsec_action_t *ap) 1635 { 1636 const struct ipsec_act *act = &(ap->ipa_act); 1637 uint_t flags; 1638 1639 EMIT(SPD_ATTR_EMPTY, 0); 1640 switch (act->ipa_type) { 1641 case IPSEC_ACT_DISCARD: 1642 case IPSEC_ACT_REJECT: 1643 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_DROP); 1644 break; 1645 case IPSEC_ACT_BYPASS: 1646 case IPSEC_ACT_CLEAR: 1647 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_PASS); 1648 break; 1649 1650 case IPSEC_ACT_APPLY: 1651 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_IPSEC); 1652 flags = 0; 1653 if (act->ipa_apply.ipp_use_ah) 1654 flags |= SPD_APPLY_AH; 1655 if (act->ipa_apply.ipp_use_esp) 1656 flags |= SPD_APPLY_ESP; 1657 if (act->ipa_apply.ipp_use_espa) 1658 flags |= SPD_APPLY_ESPA; 1659 if (act->ipa_apply.ipp_use_se) 1660 flags |= SPD_APPLY_SE; 1661 if (act->ipa_apply.ipp_use_unique) 1662 flags |= SPD_APPLY_UNIQUE; 1663 EMIT(SPD_ATTR_FLAGS, flags); 1664 if (flags & SPD_APPLY_AH) { 1665 EMIT(SPD_ATTR_AH_AUTH, act->ipa_apply.ipp_auth_alg); 1666 EMIT(SPD_ATTR_AH_MINBITS, 1667 act->ipa_apply.ipp_ah_minbits); 1668 EMIT(SPD_ATTR_AH_MAXBITS, 1669 act->ipa_apply.ipp_ah_maxbits); 1670 } 1671 if (flags & SPD_APPLY_ESP) { 1672 EMIT(SPD_ATTR_ESP_ENCR, act->ipa_apply.ipp_encr_alg); 1673 EMIT(SPD_ATTR_ENCR_MINBITS, 1674 act->ipa_apply.ipp_espe_minbits); 1675 EMIT(SPD_ATTR_ENCR_MAXBITS, 1676 act->ipa_apply.ipp_espe_maxbits); 1677 if (flags & SPD_APPLY_ESPA) { 1678 EMIT(SPD_ATTR_ESP_AUTH, 1679 act->ipa_apply.ipp_esp_auth_alg); 1680 EMIT(SPD_ATTR_ESPA_MINBITS, 1681 act->ipa_apply.ipp_espa_minbits); 1682 EMIT(SPD_ATTR_ESPA_MAXBITS, 1683 act->ipa_apply.ipp_espa_maxbits); 1684 } 1685 } 1686 if (act->ipa_apply.ipp_km_proto != 0) 1687 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_proto); 1688 if (act->ipa_apply.ipp_km_cookie != 0) 1689 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_cookie); 1690 if (act->ipa_apply.ipp_replay_depth != 0) 1691 EMIT(SPD_ATTR_REPLAY_DEPTH, 1692 act->ipa_apply.ipp_replay_depth); 1693 /* Add more here */ 1694 break; 1695 } 1696 1697 return (offset); 1698 } 1699 1700 static uint_t 1701 spdsock_encode_action_list(uint8_t *base, uint_t offset, 1702 const ipsec_action_t *ap) 1703 { 1704 struct spd_ext_actions *act; 1705 uint_t nact = 0; 1706 uint_t start = offset; 1707 1708 ASSERT(ALIGNED64(offset)); 1709 1710 if (base != NULL) { 1711 act = (struct spd_ext_actions *)(base + offset); 1712 act->spd_actions_len = 0; 1713 act->spd_actions_exttype = SPD_EXT_ACTION; 1714 act->spd_actions_count = 0; 1715 act->spd_actions_reserved = 0; 1716 } 1717 1718 offset += sizeof (*act); 1719 1720 ASSERT(ALIGNED64(offset)); 1721 1722 while (ap != NULL) { 1723 offset = spdsock_encode_action(base, offset, ap); 1724 ap = ap->ipa_next; 1725 nact++; 1726 if (ap != NULL) { 1727 EMIT(SPD_ATTR_NEXT, 0); 1728 } 1729 } 1730 EMIT(SPD_ATTR_END, 0); 1731 1732 ASSERT(ALIGNED64(offset)); 1733 1734 if (base != NULL) { 1735 act->spd_actions_count = nact; 1736 act->spd_actions_len = SPD_8TO64(offset - start); 1737 } 1738 1739 return (offset); 1740 } 1741 1742 #undef EMIT 1743 1744 /* ARGSUSED */ 1745 static uint_t 1746 spdsock_rule_flags(uint_t dir, uint_t af) 1747 { 1748 uint_t flags = 0; 1749 1750 if (dir == IPSEC_TYPE_INBOUND) 1751 flags |= SPD_RULE_FLAG_INBOUND; 1752 if (dir == IPSEC_TYPE_OUTBOUND) 1753 flags |= SPD_RULE_FLAG_OUTBOUND; 1754 1755 return (flags); 1756 } 1757 1758 1759 static uint_t 1760 spdsock_encode_rule_head(uint8_t *base, uint_t offset, spd_msg_t *req, 1761 const ipsec_policy_t *rule, uint_t dir, uint_t af, char *name, 1762 boolean_t tunnel) 1763 { 1764 struct spd_msg *spmsg; 1765 struct spd_rule *spr; 1766 spd_if_t *sid; 1767 1768 uint_t start = offset; 1769 1770 ASSERT(ALIGNED64(offset)); 1771 1772 if (base != NULL) { 1773 spmsg = (struct spd_msg *)(base + offset); 1774 bzero(spmsg, sizeof (*spmsg)); 1775 spmsg->spd_msg_version = PF_POLICY_V1; 1776 spmsg->spd_msg_type = SPD_DUMP; 1777 spmsg->spd_msg_seq = req->spd_msg_seq; 1778 spmsg->spd_msg_pid = req->spd_msg_pid; 1779 } 1780 offset += sizeof (struct spd_msg); 1781 1782 ASSERT(ALIGNED64(offset)); 1783 1784 if (base != NULL) { 1785 spr = (struct spd_rule *)(base + offset); 1786 spr->spd_rule_type = SPD_EXT_RULE; 1787 spr->spd_rule_priority = rule->ipsp_prio; 1788 spr->spd_rule_flags = spdsock_rule_flags(dir, af); 1789 if (tunnel) 1790 spr->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL; 1791 spr->spd_rule_unused = 0; 1792 spr->spd_rule_len = SPD_8TO64(sizeof (*spr)); 1793 spr->spd_rule_index = rule->ipsp_index; 1794 } 1795 offset += sizeof (struct spd_rule); 1796 1797 /* 1798 * If we have an interface name (i.e. if this policy head came from 1799 * a tunnel), add the SPD_EXT_TUN_NAME extension. 1800 */ 1801 if (name != NULL) { 1802 1803 ASSERT(ALIGNED64(offset)); 1804 1805 if (base != NULL) { 1806 sid = (spd_if_t *)(base + offset); 1807 sid->spd_if_exttype = SPD_EXT_TUN_NAME; 1808 sid->spd_if_len = SPD_8TO64(sizeof (spd_if_t) + 1809 roundup((strlen(name) - 4), 8)); 1810 (void) strlcpy((char *)sid->spd_if_name, name, 1811 LIFNAMSIZ); 1812 } 1813 1814 offset += sizeof (spd_if_t) + roundup((strlen(name) - 4), 8); 1815 } 1816 1817 offset = spdsock_encode_sel(base, offset, rule->ipsp_sel); 1818 offset = spdsock_encode_action_list(base, offset, rule->ipsp_act); 1819 1820 ASSERT(ALIGNED64(offset)); 1821 1822 if (base != NULL) { 1823 spmsg->spd_msg_len = SPD_8TO64(offset - start); 1824 } 1825 return (offset); 1826 } 1827 1828 /* ARGSUSED */ 1829 static mblk_t * 1830 spdsock_encode_rule(mblk_t *req, const ipsec_policy_t *rule, 1831 uint_t dir, uint_t af, char *name, boolean_t tunnel) 1832 { 1833 mblk_t *m; 1834 uint_t len; 1835 spd_msg_t *mreq = (spd_msg_t *)req->b_rptr; 1836 1837 /* 1838 * Figure out how much space we'll need. 1839 */ 1840 len = spdsock_encode_rule_head(NULL, 0, mreq, rule, dir, af, name, 1841 tunnel); 1842 1843 /* 1844 * Allocate mblk. 1845 */ 1846 m = allocb(len, BPRI_HI); 1847 if (m == NULL) 1848 return (NULL); 1849 1850 /* 1851 * Fill it in.. 1852 */ 1853 m->b_wptr = m->b_rptr + len; 1854 bzero(m->b_rptr, len); 1855 (void) spdsock_encode_rule_head(m->b_rptr, 0, mreq, rule, dir, af, 1856 name, tunnel); 1857 return (m); 1858 } 1859 1860 static ipsec_policy_t * 1861 spdsock_dump_next_in_chain(spdsock_t *ss, ipsec_policy_head_t *iph, 1862 ipsec_policy_t *cur) 1863 { 1864 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1865 1866 ss->spdsock_dump_count++; 1867 ss->spdsock_dump_cur_rule = cur->ipsp_hash.hash_next; 1868 return (cur); 1869 } 1870 1871 static ipsec_policy_t * 1872 spdsock_dump_next_rule(spdsock_t *ss, ipsec_policy_head_t *iph) 1873 { 1874 ipsec_policy_t *cur; 1875 ipsec_policy_root_t *ipr; 1876 int chain, nchains, type, af; 1877 1878 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1879 1880 cur = ss->spdsock_dump_cur_rule; 1881 1882 if (cur != NULL) 1883 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1884 1885 type = ss->spdsock_dump_cur_type; 1886 1887 next: 1888 chain = ss->spdsock_dump_cur_chain; 1889 ipr = &iph->iph_root[type]; 1890 nchains = ipr->ipr_nchains; 1891 1892 while (chain < nchains) { 1893 cur = ipr->ipr_hash[chain].hash_head; 1894 chain++; 1895 if (cur != NULL) { 1896 ss->spdsock_dump_cur_chain = chain; 1897 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1898 } 1899 } 1900 ss->spdsock_dump_cur_chain = nchains; 1901 1902 af = ss->spdsock_dump_cur_af; 1903 while (af < IPSEC_NAF) { 1904 cur = ipr->ipr_nonhash[af]; 1905 af++; 1906 if (cur != NULL) { 1907 ss->spdsock_dump_cur_af = af; 1908 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1909 } 1910 } 1911 1912 type++; 1913 if (type >= IPSEC_NTYPES) 1914 return (NULL); 1915 1916 ss->spdsock_dump_cur_chain = 0; 1917 ss->spdsock_dump_cur_type = type; 1918 ss->spdsock_dump_cur_af = IPSEC_AF_V4; 1919 goto next; 1920 1921 } 1922 1923 /* 1924 * If we're done with one policy head, but have more to go, we iterate through 1925 * another IPsec tunnel policy head (itp). Return NULL if it is an error 1926 * worthy of returning EAGAIN via PF_POLICY. 1927 */ 1928 static ipsec_tun_pol_t * 1929 spdsock_dump_iterate_next_tunnel(spdsock_t *ss, ipsec_stack_t *ipss) 1930 { 1931 ipsec_tun_pol_t *itp; 1932 1933 ASSERT(RW_READ_HELD(&ipss->ipsec_tunnel_policy_lock)); 1934 if (ipss->ipsec_tunnel_policy_gen > ss->spdsock_dump_tun_gen) { 1935 /* Oops, state of the tunnel polheads changed. */ 1936 itp = NULL; 1937 } else if (ss->spdsock_itp == NULL) { 1938 /* Just finished global, find first node. */ 1939 itp = avl_first(&ipss->ipsec_tunnel_policies); 1940 } else { 1941 /* We just finished current polhead, find the next one. */ 1942 itp = AVL_NEXT(&ipss->ipsec_tunnel_policies, ss->spdsock_itp); 1943 } 1944 if (itp != NULL) { 1945 ITP_REFHOLD(itp); 1946 } 1947 if (ss->spdsock_itp != NULL) { 1948 ITP_REFRELE(ss->spdsock_itp, ipss->ipsec_netstack); 1949 } 1950 ss->spdsock_itp = itp; 1951 return (itp); 1952 } 1953 1954 static mblk_t * 1955 spdsock_dump_next_record(spdsock_t *ss) 1956 { 1957 ipsec_policy_head_t *iph; 1958 ipsec_policy_t *rule; 1959 mblk_t *m; 1960 ipsec_tun_pol_t *itp; 1961 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1962 ipsec_stack_t *ipss = ns->netstack_ipsec; 1963 1964 iph = ss->spdsock_dump_head; 1965 1966 ASSERT(iph != NULL); 1967 1968 rw_enter(&iph->iph_lock, RW_READER); 1969 1970 if (iph->iph_gen != ss->spdsock_dump_gen) { 1971 rw_exit(&iph->iph_lock); 1972 return (spdsock_dump_finish(ss, EAGAIN)); 1973 } 1974 1975 while ((rule = spdsock_dump_next_rule(ss, iph)) == NULL) { 1976 rw_exit(&iph->iph_lock); 1977 if (--(ss->spdsock_dump_remaining_polheads) == 0) 1978 return (spdsock_dump_finish(ss, 0)); 1979 1980 1981 /* 1982 * If we reach here, we have more policy heads (tunnel 1983 * entries) to dump. Let's reset to a new policy head 1984 * and get some more rules. 1985 * 1986 * An empty policy head will have spdsock_dump_next_rule() 1987 * return NULL, and we loop (while dropping the number of 1988 * remaining polheads). If we loop to 0, we finish. We 1989 * keep looping until we hit 0 or until we have a rule to 1990 * encode. 1991 * 1992 * NOTE: No need for ITP_REF*() macros here as we're only 1993 * going after and refholding the policy head itself. 1994 */ 1995 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER); 1996 itp = spdsock_dump_iterate_next_tunnel(ss, ipss); 1997 if (itp == NULL) { 1998 rw_exit(&ipss->ipsec_tunnel_policy_lock); 1999 return (spdsock_dump_finish(ss, EAGAIN)); 2000 } 2001 2002 /* Reset other spdsock_dump thingies. */ 2003 IPPH_REFRELE(ss->spdsock_dump_head, ns); 2004 if (ss->spdsock_dump_active) { 2005 ss->spdsock_dump_tunnel = 2006 itp->itp_flags & ITPF_P_TUNNEL; 2007 iph = itp->itp_policy; 2008 } else { 2009 ss->spdsock_dump_tunnel = 2010 itp->itp_flags & ITPF_I_TUNNEL; 2011 iph = itp->itp_inactive; 2012 } 2013 IPPH_REFHOLD(iph); 2014 rw_exit(&ipss->ipsec_tunnel_policy_lock); 2015 2016 rw_enter(&iph->iph_lock, RW_READER); 2017 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph); 2018 } 2019 2020 m = spdsock_encode_rule(ss->spdsock_dump_req, rule, 2021 ss->spdsock_dump_cur_type, ss->spdsock_dump_cur_af, 2022 (ss->spdsock_itp == NULL) ? NULL : ss->spdsock_itp->itp_name, 2023 ss->spdsock_dump_tunnel); 2024 rw_exit(&iph->iph_lock); 2025 2026 if (m == NULL) 2027 return (spdsock_dump_finish(ss, ENOMEM)); 2028 return (m); 2029 } 2030 2031 /* 2032 * Dump records until we run into flow-control back-pressure. 2033 */ 2034 static void 2035 spdsock_dump_some(queue_t *q, spdsock_t *ss) 2036 { 2037 mblk_t *m, *dataind; 2038 2039 while ((ss->spdsock_dump_req != NULL) && canputnext(q)) { 2040 m = spdsock_dump_next_record(ss); 2041 if (m == NULL) 2042 return; 2043 dataind = allocb(sizeof (struct T_data_req), BPRI_HI); 2044 if (dataind == NULL) { 2045 freemsg(m); 2046 return; 2047 } 2048 dataind->b_cont = m; 2049 dataind->b_wptr += sizeof (struct T_data_req); 2050 ((struct T_data_ind *)dataind->b_rptr)->PRIM_type = T_DATA_IND; 2051 ((struct T_data_ind *)dataind->b_rptr)->MORE_flag = 0; 2052 dataind->b_datap->db_type = M_PROTO; 2053 putnext(q, dataind); 2054 } 2055 } 2056 2057 /* 2058 * Start dumping. 2059 * Format a start-of-dump record, and set up the stream and kick the rsrv 2060 * procedure to continue the job.. 2061 */ 2062 /* ARGSUSED */ 2063 static void 2064 spdsock_dump(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp) 2065 { 2066 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2067 netstack_t *ns = ss->spdsock_spds->spds_netstack; 2068 ipsec_stack_t *ipss = ns->netstack_ipsec; 2069 mblk_t *mr; 2070 2071 /* spdsock_open() already set spdsock_itp to NULL. */ 2072 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) { 2073 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER); 2074 ss->spdsock_dump_remaining_polheads = 1 + 2075 avl_numnodes(&ipss->ipsec_tunnel_policies); 2076 ss->spdsock_dump_tun_gen = ipss->ipsec_tunnel_policy_gen; 2077 rw_exit(&ipss->ipsec_tunnel_policy_lock); 2078 if (iph == ALL_ACTIVE_POLHEADS) { 2079 iph = ipsec_system_policy(ns); 2080 ss->spdsock_dump_active = B_TRUE; 2081 } else { 2082 iph = ipsec_inactive_policy(ns); 2083 ss->spdsock_dump_active = B_FALSE; 2084 } 2085 ASSERT(ss->spdsock_itp == NULL); 2086 } else { 2087 ss->spdsock_dump_remaining_polheads = 1; 2088 } 2089 2090 rw_enter(&iph->iph_lock, RW_READER); 2091 2092 mr = spdsock_dump_ruleset(mp, iph, 0, 0); 2093 2094 if (!mr) { 2095 rw_exit(&iph->iph_lock); 2096 spdsock_error(q, mp, ENOMEM, 0); 2097 return; 2098 } 2099 2100 ss->spdsock_dump_req = mp; 2101 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph); 2102 2103 rw_exit(&iph->iph_lock); 2104 2105 qreply(q, mr); 2106 qenable(OTHERQ(q)); 2107 } 2108 2109 /* Do NOT consume a reference to ITP. */ 2110 void 2111 spdsock_clone_node(ipsec_tun_pol_t *itp, void *ep, netstack_t *ns) 2112 { 2113 int *errptr = (int *)ep; 2114 2115 if (*errptr != 0) 2116 return; /* We've failed already for some reason. */ 2117 mutex_enter(&itp->itp_lock); 2118 ITPF_CLONE(itp->itp_flags); 2119 *errptr = ipsec_copy_polhead(itp->itp_policy, itp->itp_inactive, ns); 2120 mutex_exit(&itp->itp_lock); 2121 } 2122 2123 void 2124 spdsock_clone(queue_t *q, mblk_t *mp, spd_if_t *tunname) 2125 { 2126 int error; 2127 char *tname; 2128 ipsec_tun_pol_t *itp; 2129 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2130 netstack_t *ns = ss->spdsock_spds->spds_netstack; 2131 uint32_t auditing = AU_AUDITING(); 2132 2133 if (tunname != NULL) { 2134 tname = (char *)tunname->spd_if_name; 2135 if (*tname == '\0') { 2136 error = ipsec_clone_system_policy(ns); 2137 if (auditing) { 2138 boolean_t active; 2139 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2140 cred_t *cr; 2141 pid_t cpid; 2142 2143 cr = msg_getcred(mp, &cpid); 2144 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2145 audit_pf_policy(SPD_CLONE, cr, ns, 2146 NULL, active, error, cpid); 2147 } 2148 if (error == 0) { 2149 itp_walk(spdsock_clone_node, &error, ns); 2150 if (auditing) { 2151 boolean_t active; 2152 spd_msg_t *spmsg = 2153 (spd_msg_t *)mp->b_rptr; 2154 cred_t *cr; 2155 pid_t cpid; 2156 2157 cr = msg_getcred(mp, &cpid); 2158 active = (spmsg->spd_msg_spdid == 2159 SPD_ACTIVE); 2160 audit_pf_policy(SPD_CLONE, cr, 2161 ns, "all tunnels", active, 0, 2162 cpid); 2163 } 2164 } 2165 } else { 2166 itp = get_tunnel_policy(tname, ns); 2167 if (itp == NULL) { 2168 spdsock_error(q, mp, ENOENT, 0); 2169 if (auditing) { 2170 boolean_t active; 2171 spd_msg_t *spmsg = 2172 (spd_msg_t *)mp->b_rptr; 2173 cred_t *cr; 2174 pid_t cpid; 2175 2176 cr = msg_getcred(mp, &cpid); 2177 active = (spmsg->spd_msg_spdid == 2178 SPD_ACTIVE); 2179 audit_pf_policy(SPD_CLONE, cr, 2180 ns, NULL, active, ENOENT, cpid); 2181 } 2182 return; 2183 } 2184 spdsock_clone_node(itp, &error, NULL); 2185 if (auditing) { 2186 boolean_t active; 2187 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2188 cred_t *cr; 2189 pid_t cpid; 2190 2191 cr = msg_getcred(mp, &cpid); 2192 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2193 audit_pf_policy(SPD_CLONE, cr, ns, 2194 ITP_NAME(itp), active, error, cpid); 2195 } 2196 ITP_REFRELE(itp, ns); 2197 } 2198 } else { 2199 error = ipsec_clone_system_policy(ns); 2200 if (auditing) { 2201 boolean_t active; 2202 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2203 cred_t *cr; 2204 pid_t cpid; 2205 2206 cr = msg_getcred(mp, &cpid); 2207 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2208 audit_pf_policy(SPD_CLONE, cr, ns, NULL, 2209 active, error, cpid); 2210 } 2211 } 2212 2213 if (error != 0) 2214 spdsock_error(q, mp, error, 0); 2215 else 2216 spd_echo(q, mp); 2217 } 2218 2219 /* 2220 * Process a SPD_ALGLIST request. The caller expects separate alg entries 2221 * for AH authentication, ESP authentication, and ESP encryption. 2222 * The same distinction is then used when setting the min and max key 2223 * sizes when defining policies. 2224 */ 2225 2226 #define SPDSOCK_AH_AUTH 0 2227 #define SPDSOCK_ESP_AUTH 1 2228 #define SPDSOCK_ESP_ENCR 2 2229 #define SPDSOCK_NTYPES 3 2230 2231 static const uint_t algattr[SPDSOCK_NTYPES] = { 2232 SPD_ATTR_AH_AUTH, 2233 SPD_ATTR_ESP_AUTH, 2234 SPD_ATTR_ESP_ENCR 2235 }; 2236 static const uint_t minbitsattr[SPDSOCK_NTYPES] = { 2237 SPD_ATTR_AH_MINBITS, 2238 SPD_ATTR_ESPA_MINBITS, 2239 SPD_ATTR_ENCR_MINBITS 2240 }; 2241 static const uint_t maxbitsattr[SPDSOCK_NTYPES] = { 2242 SPD_ATTR_AH_MAXBITS, 2243 SPD_ATTR_ESPA_MAXBITS, 2244 SPD_ATTR_ENCR_MAXBITS 2245 }; 2246 static const uint_t defbitsattr[SPDSOCK_NTYPES] = { 2247 SPD_ATTR_AH_DEFBITS, 2248 SPD_ATTR_ESPA_DEFBITS, 2249 SPD_ATTR_ENCR_DEFBITS 2250 }; 2251 static const uint_t incrbitsattr[SPDSOCK_NTYPES] = { 2252 SPD_ATTR_AH_INCRBITS, 2253 SPD_ATTR_ESPA_INCRBITS, 2254 SPD_ATTR_ENCR_INCRBITS 2255 }; 2256 2257 #define ATTRPERALG 6 /* fixed attributes per algs */ 2258 2259 void 2260 spdsock_alglist(queue_t *q, mblk_t *mp) 2261 { 2262 uint_t algtype; 2263 uint_t algidx; 2264 uint_t algcount; 2265 uint_t size; 2266 mblk_t *m; 2267 uint8_t *cur; 2268 spd_msg_t *msg; 2269 struct spd_ext_actions *act; 2270 struct spd_attribute *attr; 2271 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2272 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 2273 2274 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 2275 /* 2276 * The SPD client expects to receive separate entries for 2277 * AH authentication and ESP authentication supported algorithms. 2278 * 2279 * Don't return the "any" algorithms, if defined, as no 2280 * kernel policies can be set for these algorithms. 2281 */ 2282 algcount = 2 * ipss->ipsec_nalgs[IPSEC_ALG_AUTH] + 2283 ipss->ipsec_nalgs[IPSEC_ALG_ENCR]; 2284 2285 if (ipss->ipsec_alglists[IPSEC_ALG_AUTH][SADB_AALG_NONE] != NULL) 2286 algcount--; 2287 if (ipss->ipsec_alglists[IPSEC_ALG_ENCR][SADB_EALG_NONE] != NULL) 2288 algcount--; 2289 2290 /* 2291 * For each algorithm, we encode: 2292 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT} 2293 */ 2294 2295 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions) + 2296 ATTRPERALG * sizeof (struct spd_attribute) * algcount; 2297 2298 ASSERT(ALIGNED64(size)); 2299 2300 m = allocb(size, BPRI_HI); 2301 if (m == NULL) { 2302 rw_exit(&ipss->ipsec_alg_lock); 2303 spdsock_error(q, mp, ENOMEM, 0); 2304 return; 2305 } 2306 2307 m->b_wptr = m->b_rptr + size; 2308 cur = m->b_rptr; 2309 2310 msg = (spd_msg_t *)cur; 2311 bcopy(mp->b_rptr, cur, sizeof (*msg)); 2312 2313 msg->spd_msg_len = SPD_8TO64(size); 2314 msg->spd_msg_errno = 0; 2315 msg->spd_msg_diagnostic = 0; 2316 2317 cur += sizeof (*msg); 2318 2319 act = (struct spd_ext_actions *)cur; 2320 cur += sizeof (*act); 2321 2322 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t)); 2323 act->spd_actions_exttype = SPD_EXT_ACTION; 2324 act->spd_actions_count = algcount; 2325 act->spd_actions_reserved = 0; 2326 2327 attr = (struct spd_attribute *)cur; 2328 2329 #define EMIT(tag, value) { \ 2330 attr->spd_attr_tag = (tag); \ 2331 attr->spd_attr_value = (value); \ 2332 attr++; \ 2333 } 2334 2335 /* 2336 * If you change the number of EMIT's here, change 2337 * ATTRPERALG above to match 2338 */ 2339 #define EMITALGATTRS(_type) { \ 2340 EMIT(algattr[_type], algid); /* 1 */ \ 2341 EMIT(minbitsattr[_type], minbits); /* 2 */ \ 2342 EMIT(maxbitsattr[_type], maxbits); /* 3 */ \ 2343 EMIT(defbitsattr[_type], defbits); /* 4 */ \ 2344 EMIT(incrbitsattr[_type], incr); /* 5 */ \ 2345 EMIT(SPD_ATTR_NEXT, 0); /* 6 */ \ 2346 } 2347 2348 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2349 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2350 algidx++) { 2351 int algid = ipss->ipsec_sortlist[algtype][algidx]; 2352 ipsec_alginfo_t *alg = 2353 ipss->ipsec_alglists[algtype][algid]; 2354 uint_t minbits = alg->alg_minbits; 2355 uint_t maxbits = alg->alg_maxbits; 2356 uint_t defbits = alg->alg_default_bits; 2357 uint_t incr = alg->alg_increment; 2358 2359 if (algtype == IPSEC_ALG_AUTH) { 2360 if (algid == SADB_AALG_NONE) 2361 continue; 2362 EMITALGATTRS(SPDSOCK_AH_AUTH); 2363 EMITALGATTRS(SPDSOCK_ESP_AUTH); 2364 } else { 2365 if (algid == SADB_EALG_NONE) 2366 continue; 2367 ASSERT(algtype == IPSEC_ALG_ENCR); 2368 EMITALGATTRS(SPDSOCK_ESP_ENCR); 2369 } 2370 } 2371 } 2372 2373 rw_exit(&ipss->ipsec_alg_lock); 2374 2375 #undef EMITALGATTRS 2376 #undef EMIT 2377 #undef ATTRPERALG 2378 2379 attr--; 2380 attr->spd_attr_tag = SPD_ATTR_END; 2381 2382 freemsg(mp); 2383 qreply(q, m); 2384 } 2385 2386 /* 2387 * Process a SPD_DUMPALGS request. 2388 */ 2389 2390 #define ATTRPERALG 9 /* fixed attributes per algs */ 2391 2392 void 2393 spdsock_dumpalgs(queue_t *q, mblk_t *mp) 2394 { 2395 uint_t algtype; 2396 uint_t algidx; 2397 uint_t size; 2398 mblk_t *m; 2399 uint8_t *cur; 2400 spd_msg_t *msg; 2401 struct spd_ext_actions *act; 2402 struct spd_attribute *attr; 2403 ipsec_alginfo_t *alg; 2404 uint_t algid; 2405 uint_t i; 2406 uint_t alg_size; 2407 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2408 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 2409 2410 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 2411 2412 /* 2413 * For each algorithm, we encode: 2414 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT} 2415 * 2416 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE* 2417 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_NPARAMS / ALG_PARAMS* / 2418 * ALG_MECHNAME / ALG_FLAGS / {END, NEXT} 2419 */ 2420 2421 /* 2422 * Compute the size of the SPD message. 2423 */ 2424 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions); 2425 2426 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2427 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2428 algidx++) { 2429 algid = ipss->ipsec_sortlist[algtype][algidx]; 2430 alg = ipss->ipsec_alglists[algtype][algid]; 2431 alg_size = sizeof (struct spd_attribute) * 2432 (ATTRPERALG + alg->alg_nkey_sizes + 2433 alg->alg_nblock_sizes + alg->alg_nparams) + 2434 CRYPTO_MAX_MECH_NAME; 2435 size += alg_size; 2436 } 2437 } 2438 2439 ASSERT(ALIGNED64(size)); 2440 2441 m = allocb(size, BPRI_HI); 2442 if (m == NULL) { 2443 rw_exit(&ipss->ipsec_alg_lock); 2444 spdsock_error(q, mp, ENOMEM, 0); 2445 return; 2446 } 2447 2448 m->b_wptr = m->b_rptr + size; 2449 cur = m->b_rptr; 2450 2451 msg = (spd_msg_t *)cur; 2452 bcopy(mp->b_rptr, cur, sizeof (*msg)); 2453 2454 msg->spd_msg_len = SPD_8TO64(size); 2455 msg->spd_msg_errno = 0; 2456 msg->spd_msg_type = SPD_ALGLIST; 2457 2458 msg->spd_msg_diagnostic = 0; 2459 2460 cur += sizeof (*msg); 2461 2462 act = (struct spd_ext_actions *)cur; 2463 cur += sizeof (*act); 2464 2465 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t)); 2466 act->spd_actions_exttype = SPD_EXT_ACTION; 2467 act->spd_actions_count = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] + 2468 ipss->ipsec_nalgs[IPSEC_ALG_ENCR]; 2469 act->spd_actions_reserved = 0; 2470 2471 /* 2472 * If there aren't any algorithms registered, return an empty message. 2473 * spdsock_get_ext() knows how to deal with this. 2474 */ 2475 if (act->spd_actions_count == 0) { 2476 act->spd_actions_len = 0; 2477 rw_exit(&ipss->ipsec_alg_lock); 2478 goto error; 2479 } 2480 2481 attr = (struct spd_attribute *)cur; 2482 2483 #define EMIT(tag, value) { \ 2484 attr->spd_attr_tag = (tag); \ 2485 attr->spd_attr_value = (value); \ 2486 attr++; \ 2487 } 2488 2489 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2490 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2491 algidx++) { 2492 2493 algid = ipss->ipsec_sortlist[algtype][algidx]; 2494 alg = ipss->ipsec_alglists[algtype][algid]; 2495 2496 /* 2497 * If you change the number of EMIT's here, change 2498 * ATTRPERALG above to match 2499 */ 2500 EMIT(SPD_ATTR_ALG_ID, algid); 2501 EMIT(SPD_ATTR_ALG_PROTO, algproto[algtype]); 2502 EMIT(SPD_ATTR_ALG_INCRBITS, alg->alg_increment); 2503 EMIT(SPD_ATTR_ALG_NKEYSIZES, alg->alg_nkey_sizes); 2504 for (i = 0; i < alg->alg_nkey_sizes; i++) 2505 EMIT(SPD_ATTR_ALG_KEYSIZE, 2506 alg->alg_key_sizes[i]); 2507 2508 EMIT(SPD_ATTR_ALG_NBLOCKSIZES, alg->alg_nblock_sizes); 2509 for (i = 0; i < alg->alg_nblock_sizes; i++) 2510 EMIT(SPD_ATTR_ALG_BLOCKSIZE, 2511 alg->alg_block_sizes[i]); 2512 2513 EMIT(SPD_ATTR_ALG_NPARAMS, alg->alg_nparams); 2514 for (i = 0; i < alg->alg_nparams; i++) 2515 EMIT(SPD_ATTR_ALG_PARAMS, 2516 alg->alg_params[i]); 2517 2518 EMIT(SPD_ATTR_ALG_FLAGS, alg->alg_flags); 2519 2520 EMIT(SPD_ATTR_ALG_MECHNAME, CRYPTO_MAX_MECH_NAME); 2521 bcopy(alg->alg_mech_name, attr, CRYPTO_MAX_MECH_NAME); 2522 attr = (struct spd_attribute *)((char *)attr + 2523 CRYPTO_MAX_MECH_NAME); 2524 2525 EMIT(SPD_ATTR_NEXT, 0); 2526 } 2527 } 2528 2529 rw_exit(&ipss->ipsec_alg_lock); 2530 2531 #undef EMITALGATTRS 2532 #undef EMIT 2533 #undef ATTRPERALG 2534 2535 attr--; 2536 attr->spd_attr_tag = SPD_ATTR_END; 2537 2538 error: 2539 freemsg(mp); 2540 qreply(q, m); 2541 } 2542 2543 /* 2544 * Do the actual work of processing an SPD_UPDATEALGS request. Can 2545 * be invoked either once IPsec is loaded on a cached request, or 2546 * when a request is received while IPsec is loaded. 2547 */ 2548 static int 2549 spdsock_do_updatealg(spd_ext_t *extv[], spd_stack_t *spds) 2550 { 2551 struct spd_ext_actions *actp; 2552 struct spd_attribute *attr, *endattr; 2553 uint64_t *start, *end; 2554 ipsec_alginfo_t *alg = NULL; 2555 ipsec_algtype_t alg_type = 0; 2556 boolean_t skip_alg = B_TRUE, doing_proto = B_FALSE; 2557 uint_t i, cur_key, cur_block, algid; 2558 int diag = -1; 2559 2560 ASSERT(MUTEX_HELD(&spds->spds_alg_lock)); 2561 2562 /* parse the message, building the list of algorithms */ 2563 2564 actp = (struct spd_ext_actions *)extv[SPD_EXT_ACTION]; 2565 if (actp == NULL) 2566 return (SPD_DIAGNOSTIC_NO_ACTION_EXT); 2567 2568 start = (uint64_t *)actp; 2569 end = (start + actp->spd_actions_len); 2570 endattr = (struct spd_attribute *)end; 2571 attr = (struct spd_attribute *)&actp[1]; 2572 2573 bzero(spds->spds_algs, IPSEC_NALGTYPES * IPSEC_MAX_ALGS * 2574 sizeof (ipsec_alginfo_t *)); 2575 2576 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP); 2577 2578 #define ALG_KEY_SIZES(a) (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t)) 2579 #define ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t)) 2580 #define ALG_PARAM_SIZES(a) (((a)->alg_nparams + 1) * sizeof (uint16_t)) 2581 2582 while (attr < endattr) { 2583 switch (attr->spd_attr_tag) { 2584 case SPD_ATTR_NOP: 2585 case SPD_ATTR_EMPTY: 2586 break; 2587 case SPD_ATTR_END: 2588 attr = endattr; 2589 /* FALLTHRU */ 2590 case SPD_ATTR_NEXT: 2591 if (doing_proto) { 2592 doing_proto = B_FALSE; 2593 break; 2594 } 2595 if (skip_alg) { 2596 ipsec_alg_free(alg); 2597 } else { 2598 ipsec_alg_free( 2599 spds->spds_algs[alg_type][alg->alg_id]); 2600 spds->spds_algs[alg_type][alg->alg_id] = 2601 alg; 2602 } 2603 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP); 2604 break; 2605 2606 case SPD_ATTR_ALG_ID: 2607 if (attr->spd_attr_value >= IPSEC_MAX_ALGS) { 2608 ss1dbg(spds, ("spdsock_do_updatealg: " 2609 "invalid alg id %d\n", 2610 attr->spd_attr_value)); 2611 diag = SPD_DIAGNOSTIC_ALG_ID_RANGE; 2612 goto bail; 2613 } 2614 alg->alg_id = attr->spd_attr_value; 2615 break; 2616 2617 case SPD_ATTR_ALG_PROTO: 2618 /* find the alg type */ 2619 for (i = 0; i < NALGPROTOS; i++) 2620 if (algproto[i] == attr->spd_attr_value) 2621 break; 2622 skip_alg = (i == NALGPROTOS); 2623 if (!skip_alg) 2624 alg_type = i; 2625 break; 2626 2627 case SPD_ATTR_ALG_INCRBITS: 2628 alg->alg_increment = attr->spd_attr_value; 2629 break; 2630 2631 case SPD_ATTR_ALG_NKEYSIZES: 2632 if (alg->alg_key_sizes != NULL) { 2633 kmem_free(alg->alg_key_sizes, 2634 ALG_KEY_SIZES(alg)); 2635 } 2636 alg->alg_nkey_sizes = attr->spd_attr_value; 2637 /* 2638 * Allocate room for the trailing zero key size 2639 * value as well. 2640 */ 2641 alg->alg_key_sizes = kmem_zalloc(ALG_KEY_SIZES(alg), 2642 KM_SLEEP); 2643 cur_key = 0; 2644 break; 2645 2646 case SPD_ATTR_ALG_KEYSIZE: 2647 if (alg->alg_key_sizes == NULL || 2648 cur_key >= alg->alg_nkey_sizes) { 2649 ss1dbg(spds, ("spdsock_do_updatealg: " 2650 "too many key sizes\n")); 2651 diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES; 2652 goto bail; 2653 } 2654 alg->alg_key_sizes[cur_key++] = attr->spd_attr_value; 2655 break; 2656 2657 case SPD_ATTR_ALG_FLAGS: 2658 /* 2659 * Flags (bit mask). The alg_flags element of 2660 * ipsecalg_flags_t is only 8 bits wide. The 2661 * user can set the VALID bit, but we will ignore it 2662 * and make the decision is the algorithm is valid. 2663 */ 2664 alg->alg_flags |= (uint8_t)attr->spd_attr_value; 2665 break; 2666 2667 case SPD_ATTR_ALG_NBLOCKSIZES: 2668 if (alg->alg_block_sizes != NULL) { 2669 kmem_free(alg->alg_block_sizes, 2670 ALG_BLOCK_SIZES(alg)); 2671 } 2672 alg->alg_nblock_sizes = attr->spd_attr_value; 2673 /* 2674 * Allocate room for the trailing zero block size 2675 * value as well. 2676 */ 2677 alg->alg_block_sizes = kmem_zalloc(ALG_BLOCK_SIZES(alg), 2678 KM_SLEEP); 2679 cur_block = 0; 2680 break; 2681 2682 case SPD_ATTR_ALG_BLOCKSIZE: 2683 if (alg->alg_block_sizes == NULL || 2684 cur_block >= alg->alg_nblock_sizes) { 2685 ss1dbg(spds, ("spdsock_do_updatealg: " 2686 "too many block sizes\n")); 2687 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES; 2688 goto bail; 2689 } 2690 alg->alg_block_sizes[cur_block++] = 2691 attr->spd_attr_value; 2692 break; 2693 2694 case SPD_ATTR_ALG_NPARAMS: 2695 if (alg->alg_params != NULL) { 2696 kmem_free(alg->alg_params, 2697 ALG_PARAM_SIZES(alg)); 2698 } 2699 alg->alg_nparams = attr->spd_attr_value; 2700 /* 2701 * Allocate room for the trailing zero block size 2702 * value as well. 2703 */ 2704 alg->alg_params = kmem_zalloc(ALG_PARAM_SIZES(alg), 2705 KM_SLEEP); 2706 cur_block = 0; 2707 break; 2708 2709 case SPD_ATTR_ALG_PARAMS: 2710 if (alg->alg_params == NULL || 2711 cur_block >= alg->alg_nparams) { 2712 ss1dbg(spds, ("spdsock_do_updatealg: " 2713 "too many params\n")); 2714 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES; 2715 goto bail; 2716 } 2717 /* 2718 * Array contains: iv_len, icv_len, salt_len 2719 * Any additional parameters are currently ignored. 2720 */ 2721 alg->alg_params[cur_block++] = 2722 attr->spd_attr_value; 2723 break; 2724 2725 case SPD_ATTR_ALG_MECHNAME: { 2726 char *mech_name; 2727 2728 if (attr->spd_attr_value > CRYPTO_MAX_MECH_NAME) { 2729 ss1dbg(spds, ("spdsock_do_updatealg: " 2730 "mech name too long\n")); 2731 diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN; 2732 goto bail; 2733 } 2734 mech_name = (char *)(attr + 1); 2735 bcopy(mech_name, alg->alg_mech_name, 2736 attr->spd_attr_value); 2737 alg->alg_mech_name[CRYPTO_MAX_MECH_NAME-1] = '\0'; 2738 attr = (struct spd_attribute *)((char *)attr + 2739 attr->spd_attr_value); 2740 break; 2741 } 2742 2743 case SPD_ATTR_PROTO_ID: 2744 doing_proto = B_TRUE; 2745 for (i = 0; i < NALGPROTOS; i++) { 2746 if (algproto[i] == attr->spd_attr_value) { 2747 alg_type = i; 2748 break; 2749 } 2750 } 2751 break; 2752 2753 case SPD_ATTR_PROTO_EXEC_MODE: 2754 if (!doing_proto) 2755 break; 2756 for (i = 0; i < NEXECMODES; i++) { 2757 if (execmodes[i] == attr->spd_attr_value) { 2758 spds->spds_algs_exec_mode[alg_type] = i; 2759 break; 2760 } 2761 } 2762 break; 2763 } 2764 attr++; 2765 } 2766 2767 #undef ALG_KEY_SIZES 2768 #undef ALG_BLOCK_SIZES 2769 #undef ALG_PARAM_SIZES 2770 2771 /* update the algorithm tables */ 2772 spdsock_merge_algs(spds); 2773 bail: 2774 /* cleanup */ 2775 ipsec_alg_free(alg); 2776 for (alg_type = 0; alg_type < IPSEC_NALGTYPES; alg_type++) { 2777 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) { 2778 if (spds->spds_algs[alg_type][algid] != NULL) { 2779 ipsec_alg_free( 2780 spds->spds_algs[alg_type][algid]); 2781 } 2782 } 2783 } 2784 return (diag); 2785 } 2786 2787 /* 2788 * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue 2789 * the request until IPsec loads. If IPsec is loaded, act on it 2790 * immediately. 2791 */ 2792 2793 static void 2794 spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[]) 2795 { 2796 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2797 spd_stack_t *spds = ss->spdsock_spds; 2798 ipsec_stack_t *ipss = spds->spds_netstack->netstack_ipsec; 2799 uint32_t auditing = AU_AUDITING(); 2800 2801 if (!ipsec_loaded(ipss)) { 2802 /* 2803 * IPsec is not loaded, save request and return nicely, 2804 * the message will be processed once IPsec loads. 2805 */ 2806 mblk_t *new_mp; 2807 2808 /* last update message wins */ 2809 if ((new_mp = copymsg(mp)) == NULL) { 2810 spdsock_error(q, mp, ENOMEM, 0); 2811 return; 2812 } 2813 mutex_enter(&spds->spds_alg_lock); 2814 bcopy(extv, spds->spds_extv_algs, 2815 sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1)); 2816 if (spds->spds_mp_algs != NULL) 2817 freemsg(spds->spds_mp_algs); 2818 spds->spds_mp_algs = mp; 2819 mutex_exit(&spds->spds_alg_lock); 2820 if (auditing) { 2821 cred_t *cr; 2822 pid_t cpid; 2823 2824 cr = msg_getcred(mp, &cpid); 2825 audit_pf_policy(SPD_UPDATEALGS, cr, 2826 spds->spds_netstack, NULL, B_TRUE, EAGAIN, 2827 cpid); 2828 } 2829 spd_echo(q, new_mp); 2830 } else { 2831 /* 2832 * IPsec is loaded, act on the message immediately. 2833 */ 2834 int diag; 2835 2836 mutex_enter(&spds->spds_alg_lock); 2837 diag = spdsock_do_updatealg(extv, spds); 2838 if (diag == -1) { 2839 /* Keep the lock held while we walk the SA tables. */ 2840 sadb_alg_update(IPSEC_ALG_ALL, 0, 0, 2841 spds->spds_netstack); 2842 mutex_exit(&spds->spds_alg_lock); 2843 spd_echo(q, mp); 2844 if (auditing) { 2845 cred_t *cr; 2846 pid_t cpid; 2847 2848 cr = msg_getcred(mp, &cpid); 2849 audit_pf_policy(SPD_UPDATEALGS, cr, 2850 spds->spds_netstack, NULL, B_TRUE, 0, 2851 cpid); 2852 } 2853 } else { 2854 mutex_exit(&spds->spds_alg_lock); 2855 spdsock_diag(q, mp, diag); 2856 if (auditing) { 2857 cred_t *cr; 2858 pid_t cpid; 2859 2860 cr = msg_getcred(mp, &cpid); 2861 audit_pf_policy(SPD_UPDATEALGS, cr, 2862 spds->spds_netstack, NULL, B_TRUE, diag, 2863 cpid); 2864 } 2865 } 2866 } 2867 } 2868 2869 /* 2870 * Find a tunnel instance (using the name to link ID mapping), and 2871 * update it after an IPsec change. We need to do this always in case 2872 * we add policy AFTER plumbing a tunnel. We also need to do this 2873 * because, as a side-effect, the tunnel's MTU is updated to reflect 2874 * any IPsec overhead in the itp's policy. 2875 */ 2876 static void 2877 update_iptun_policy(ipsec_tun_pol_t *itp) 2878 { 2879 datalink_id_t linkid; 2880 2881 if (dls_mgmt_get_linkid(itp->itp_name, &linkid) == 0) 2882 iptun_set_policy(linkid, itp); 2883 } 2884 2885 /* 2886 * Sort through the mess of polhead options to retrieve an appropriate one. 2887 * Returns NULL if we send an spdsock error. Returns a valid pointer if we 2888 * found a valid polhead. Returns ALL_ACTIVE_POLHEADS (aka. -1) or 2889 * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to 2890 * act on ALL policy heads. 2891 */ 2892 static ipsec_policy_head_t * 2893 get_appropriate_polhead(queue_t *q, mblk_t *mp, spd_if_t *tunname, int spdid, 2894 int msgtype, ipsec_tun_pol_t **itpp) 2895 { 2896 ipsec_tun_pol_t *itp; 2897 ipsec_policy_head_t *iph; 2898 int errno; 2899 char *tname; 2900 boolean_t active; 2901 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2902 netstack_t *ns = ss->spdsock_spds->spds_netstack; 2903 uint64_t gen; /* Placeholder */ 2904 2905 active = (spdid == SPD_ACTIVE); 2906 *itpp = NULL; 2907 if (!active && spdid != SPD_STANDBY) { 2908 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_SPDID); 2909 return (NULL); 2910 } 2911 2912 if (tunname != NULL) { 2913 /* Acting on a tunnel's SPD. */ 2914 tname = (char *)tunname->spd_if_name; 2915 if (*tname == '\0') { 2916 /* Handle all-polhead cases here. */ 2917 if (msgtype != SPD_FLUSH && msgtype != SPD_DUMP) { 2918 spdsock_diag(q, mp, 2919 SPD_DIAGNOSTIC_NOT_GLOBAL_OP); 2920 return (NULL); 2921 } 2922 return (active ? ALL_ACTIVE_POLHEADS : 2923 ALL_INACTIVE_POLHEADS); 2924 } 2925 2926 itp = get_tunnel_policy(tname, ns); 2927 if (itp == NULL) { 2928 if (msgtype != SPD_ADDRULE) { 2929 /* "Tunnel not found" */ 2930 spdsock_error(q, mp, ENOENT, 0); 2931 return (NULL); 2932 } 2933 2934 errno = 0; 2935 itp = create_tunnel_policy(tname, &errno, &gen, ns); 2936 if (itp == NULL) { 2937 /* 2938 * Something very bad happened, most likely 2939 * ENOMEM. Return an indicator. 2940 */ 2941 spdsock_error(q, mp, errno, 0); 2942 return (NULL); 2943 } 2944 } 2945 2946 /* Match up the itp to an iptun instance. */ 2947 update_iptun_policy(itp); 2948 2949 *itpp = itp; 2950 /* For spdsock dump state, set the polhead's name. */ 2951 if (msgtype == SPD_DUMP) { 2952 ITP_REFHOLD(itp); 2953 ss->spdsock_itp = itp; 2954 ss->spdsock_dump_tunnel = itp->itp_flags & 2955 (active ? ITPF_P_TUNNEL : ITPF_I_TUNNEL); 2956 } 2957 } else { 2958 itp = NULL; 2959 /* For spdsock dump state, indicate it's global policy. */ 2960 if (msgtype == SPD_DUMP) 2961 ss->spdsock_itp = NULL; 2962 } 2963 2964 if (active) 2965 iph = (itp == NULL) ? ipsec_system_policy(ns) : itp->itp_policy; 2966 else 2967 iph = (itp == NULL) ? ipsec_inactive_policy(ns) : 2968 itp->itp_inactive; 2969 2970 ASSERT(iph != NULL); 2971 if (itp != NULL) { 2972 IPPH_REFHOLD(iph); 2973 } 2974 2975 return (iph); 2976 } 2977 2978 static void 2979 spdsock_parse(queue_t *q, mblk_t *mp) 2980 { 2981 spd_msg_t *spmsg; 2982 spd_ext_t *extv[SPD_EXT_MAX + 1]; 2983 uint_t msgsize; 2984 ipsec_policy_head_t *iph; 2985 ipsec_tun_pol_t *itp; 2986 spd_if_t *tunname; 2987 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2988 spd_stack_t *spds = ss->spdsock_spds; 2989 netstack_t *ns = spds->spds_netstack; 2990 ipsec_stack_t *ipss = ns->netstack_ipsec; 2991 2992 /* Make sure nothing's below me. */ 2993 ASSERT(WR(q)->q_next == NULL); 2994 2995 spmsg = (spd_msg_t *)mp->b_rptr; 2996 2997 msgsize = SPD_64TO8(spmsg->spd_msg_len); 2998 2999 if (msgdsize(mp) != msgsize) { 3000 /* 3001 * Message len incorrect w.r.t. actual size. Send an error 3002 * (EMSGSIZE). It may be necessary to massage things a 3003 * bit. For example, if the spd_msg_type is hosed, 3004 * I need to set it to SPD_RESERVED to get delivery to 3005 * do the right thing. Then again, maybe just letting 3006 * the error delivery do the right thing. 3007 */ 3008 ss2dbg(spds, 3009 ("mblk (%lu) and base (%d) message sizes don't jibe.\n", 3010 msgdsize(mp), msgsize)); 3011 spdsock_error(q, mp, EMSGSIZE, SPD_DIAGNOSTIC_NONE); 3012 return; 3013 } 3014 3015 if (msgsize > (uint_t)(mp->b_wptr - mp->b_rptr)) { 3016 /* Get all message into one mblk. */ 3017 if (pullupmsg(mp, -1) == 0) { 3018 /* 3019 * Something screwy happened. 3020 */ 3021 ss3dbg(spds, ("spdsock_parse: pullupmsg() failed.\n")); 3022 return; 3023 } else { 3024 spmsg = (spd_msg_t *)mp->b_rptr; 3025 } 3026 } 3027 3028 switch (spdsock_get_ext(extv, spmsg, msgsize)) { 3029 case KGE_DUP: 3030 /* Handle duplicate extension. */ 3031 ss1dbg(spds, ("Got duplicate extension of type %d.\n", 3032 extv[0]->spd_ext_type)); 3033 spdsock_diag(q, mp, dup_ext_diag[extv[0]->spd_ext_type]); 3034 return; 3035 case KGE_UNK: 3036 /* Handle unknown extension. */ 3037 ss1dbg(spds, ("Got unknown extension of type %d.\n", 3038 extv[0]->spd_ext_type)); 3039 spdsock_diag(q, mp, SPD_DIAGNOSTIC_UNKNOWN_EXT); 3040 return; 3041 case KGE_LEN: 3042 /* Length error. */ 3043 ss1dbg(spds, ("Length %d on extension type %d overrun or 0.\n", 3044 extv[0]->spd_ext_len, extv[0]->spd_ext_type)); 3045 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_EXTLEN); 3046 return; 3047 case KGE_CHK: 3048 /* Reality check failed. */ 3049 ss1dbg(spds, ("Reality check failed on extension type %d.\n", 3050 extv[0]->spd_ext_type)); 3051 spdsock_diag(q, mp, bad_ext_diag[extv[0]->spd_ext_type]); 3052 return; 3053 default: 3054 /* Default case is no errors. */ 3055 break; 3056 } 3057 3058 /* 3059 * Special-case SPD_UPDATEALGS so as not to load IPsec. 3060 */ 3061 if (!ipsec_loaded(ipss) && spmsg->spd_msg_type != SPD_UPDATEALGS) { 3062 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3063 3064 ASSERT(ss != NULL); 3065 ipsec_loader_loadnow(ipss); 3066 ss->spdsock_timeout_arg = mp; 3067 ss->spdsock_timeout = qtimeout(q, spdsock_loadcheck, 3068 q, LOADCHECK_INTERVAL); 3069 return; 3070 } 3071 3072 /* First check for messages that need no polheads at all. */ 3073 switch (spmsg->spd_msg_type) { 3074 case SPD_UPDATEALGS: 3075 spdsock_updatealg(q, mp, extv); 3076 return; 3077 case SPD_ALGLIST: 3078 spdsock_alglist(q, mp); 3079 return; 3080 case SPD_DUMPALGS: 3081 spdsock_dumpalgs(q, mp); 3082 return; 3083 } 3084 3085 /* 3086 * Then check for ones that need both primary/secondary polheads, 3087 * finding the appropriate tunnel policy if need be. 3088 */ 3089 tunname = (spd_if_t *)extv[SPD_EXT_TUN_NAME]; 3090 switch (spmsg->spd_msg_type) { 3091 case SPD_FLIP: 3092 spdsock_flip(q, mp, tunname); 3093 return; 3094 case SPD_CLONE: 3095 spdsock_clone(q, mp, tunname); 3096 return; 3097 } 3098 3099 /* 3100 * Finally, find ones that operate on exactly one polhead, or 3101 * "all polheads" of a given type (active/inactive). 3102 */ 3103 iph = get_appropriate_polhead(q, mp, tunname, spmsg->spd_msg_spdid, 3104 spmsg->spd_msg_type, &itp); 3105 if (iph == NULL) 3106 return; 3107 3108 /* All-polheads-ready operations. */ 3109 switch (spmsg->spd_msg_type) { 3110 case SPD_FLUSH: 3111 if (itp != NULL) { 3112 mutex_enter(&itp->itp_lock); 3113 if (spmsg->spd_msg_spdid == SPD_ACTIVE) 3114 itp->itp_flags &= ~ITPF_PFLAGS; 3115 else 3116 itp->itp_flags &= ~ITPF_IFLAGS; 3117 mutex_exit(&itp->itp_lock); 3118 } 3119 3120 spdsock_flush(q, iph, itp, mp); 3121 3122 if (itp != NULL) { 3123 /* SPD_FLUSH is worth a tunnel MTU check. */ 3124 update_iptun_policy(itp); 3125 ITP_REFRELE(itp, ns); 3126 } 3127 return; 3128 case SPD_DUMP: 3129 if (itp != NULL) 3130 ITP_REFRELE(itp, ns); 3131 spdsock_dump(q, iph, mp); 3132 return; 3133 } 3134 3135 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) { 3136 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NOT_GLOBAL_OP); 3137 return; 3138 } 3139 3140 /* Single-polhead-only operations. */ 3141 switch (spmsg->spd_msg_type) { 3142 case SPD_ADDRULE: 3143 spdsock_addrule(q, iph, mp, extv, itp); 3144 break; 3145 case SPD_DELETERULE: 3146 spdsock_deleterule(q, iph, mp, extv, itp); 3147 break; 3148 case SPD_LOOKUP: 3149 spdsock_lookup(q, iph, mp, extv, itp); 3150 break; 3151 default: 3152 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_MSG_TYPE); 3153 break; 3154 } 3155 3156 IPPH_REFRELE(iph, ns); 3157 if (itp != NULL) { 3158 /* SPD_{ADD,DELETE}RULE are worth a tunnel MTU check. */ 3159 if (spmsg->spd_msg_type == SPD_ADDRULE || 3160 spmsg->spd_msg_type == SPD_DELETERULE) 3161 update_iptun_policy(itp); 3162 ITP_REFRELE(itp, ns); 3163 } 3164 } 3165 3166 /* 3167 * If an algorithm mapping was received before IPsec was loaded, process it. 3168 * Called from the IPsec loader. 3169 */ 3170 void 3171 spdsock_update_pending_algs(netstack_t *ns) 3172 { 3173 spd_stack_t *spds = ns->netstack_spdsock; 3174 3175 mutex_enter(&spds->spds_alg_lock); 3176 if (spds->spds_mp_algs != NULL) { 3177 (void) spdsock_do_updatealg(spds->spds_extv_algs, spds); 3178 freemsg(spds->spds_mp_algs); 3179 spds->spds_mp_algs = NULL; 3180 } 3181 mutex_exit(&spds->spds_alg_lock); 3182 } 3183 3184 static void 3185 spdsock_loadcheck(void *arg) 3186 { 3187 queue_t *q = (queue_t *)arg; 3188 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3189 mblk_t *mp; 3190 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 3191 3192 ASSERT(ss != NULL); 3193 3194 ss->spdsock_timeout = 0; 3195 mp = ss->spdsock_timeout_arg; 3196 ASSERT(mp != NULL); 3197 ss->spdsock_timeout_arg = NULL; 3198 if (ipsec_failed(ipss)) 3199 spdsock_error(q, mp, EPROTONOSUPPORT, 0); 3200 else 3201 spdsock_parse(q, mp); 3202 } 3203 3204 /* 3205 * Copy relevant state bits. 3206 */ 3207 static void 3208 spdsock_copy_info(struct T_info_ack *tap, spdsock_t *ss) 3209 { 3210 *tap = spdsock_g_t_info_ack; 3211 tap->CURRENT_state = ss->spdsock_state; 3212 tap->OPT_size = spdsock_max_optsize; 3213 } 3214 3215 /* 3216 * This routine responds to T_CAPABILITY_REQ messages. It is called by 3217 * spdsock_wput. Much of the T_CAPABILITY_ACK information is copied from 3218 * spdsock_g_t_info_ack. The current state of the stream is copied from 3219 * spdsock_state. 3220 */ 3221 static void 3222 spdsock_capability_req(queue_t *q, mblk_t *mp) 3223 { 3224 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3225 t_uscalar_t cap_bits1; 3226 struct T_capability_ack *tcap; 3227 3228 cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1; 3229 3230 mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack), 3231 mp->b_datap->db_type, T_CAPABILITY_ACK); 3232 if (mp == NULL) 3233 return; 3234 3235 tcap = (struct T_capability_ack *)mp->b_rptr; 3236 tcap->CAP_bits1 = 0; 3237 3238 if (cap_bits1 & TC1_INFO) { 3239 spdsock_copy_info(&tcap->INFO_ack, ss); 3240 tcap->CAP_bits1 |= TC1_INFO; 3241 } 3242 3243 qreply(q, mp); 3244 } 3245 3246 /* 3247 * This routine responds to T_INFO_REQ messages. It is called by 3248 * spdsock_wput_other. 3249 * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack. 3250 * The current state of the stream is copied from spdsock_state. 3251 */ 3252 static void 3253 spdsock_info_req( 3254 queue_t *q, 3255 mblk_t *mp) 3256 { 3257 mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO, 3258 T_INFO_ACK); 3259 if (mp == NULL) 3260 return; 3261 spdsock_copy_info((struct T_info_ack *)mp->b_rptr, 3262 (spdsock_t *)q->q_ptr); 3263 qreply(q, mp); 3264 } 3265 3266 /* 3267 * spdsock_err_ack. This routine creates a 3268 * T_ERROR_ACK message and passes it 3269 * upstream. 3270 */ 3271 static void 3272 spdsock_err_ack( 3273 queue_t *q, 3274 mblk_t *mp, 3275 int t_error, 3276 int sys_error) 3277 { 3278 if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL) 3279 qreply(q, mp); 3280 } 3281 3282 /* 3283 * This routine retrieves the current status of socket options. 3284 * It returns the size of the option retrieved. 3285 */ 3286 /* ARGSUSED */ 3287 int 3288 spdsock_opt_get(queue_t *q, int level, int name, uchar_t *ptr) 3289 { 3290 int *i1 = (int *)ptr; 3291 3292 switch (level) { 3293 case SOL_SOCKET: 3294 switch (name) { 3295 case SO_TYPE: 3296 *i1 = SOCK_RAW; 3297 break; 3298 /* 3299 * The following two items can be manipulated, 3300 * but changing them should do nothing. 3301 */ 3302 case SO_SNDBUF: 3303 *i1 = (int)q->q_hiwat; 3304 break; 3305 case SO_RCVBUF: 3306 *i1 = (int)(RD(q)->q_hiwat); 3307 break; 3308 } 3309 break; 3310 default: 3311 return (0); 3312 } 3313 return (sizeof (int)); 3314 } 3315 3316 /* 3317 * This routine sets socket options. 3318 */ 3319 /* ARGSUSED */ 3320 int 3321 spdsock_opt_set(queue_t *q, uint_t mgmt_flags, int level, int name, 3322 uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp, 3323 void *thisdg_attrs, cred_t *cr) 3324 { 3325 int *i1 = (int *)invalp; 3326 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3327 spd_stack_t *spds = ss->spdsock_spds; 3328 3329 switch (level) { 3330 case SOL_SOCKET: 3331 switch (name) { 3332 case SO_SNDBUF: 3333 if (*i1 > spds->spds_max_buf) 3334 return (ENOBUFS); 3335 q->q_hiwat = *i1; 3336 break; 3337 case SO_RCVBUF: 3338 if (*i1 > spds->spds_max_buf) 3339 return (ENOBUFS); 3340 RD(q)->q_hiwat = *i1; 3341 (void) proto_set_rx_hiwat(RD(q), NULL, *i1); 3342 break; 3343 } 3344 break; 3345 } 3346 return (0); 3347 } 3348 3349 3350 /* 3351 * Handle STREAMS messages. 3352 */ 3353 static void 3354 spdsock_wput_other(queue_t *q, mblk_t *mp) 3355 { 3356 struct iocblk *iocp; 3357 int error; 3358 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3359 spd_stack_t *spds = ss->spdsock_spds; 3360 cred_t *cr; 3361 3362 switch (mp->b_datap->db_type) { 3363 case M_PROTO: 3364 case M_PCPROTO: 3365 if ((mp->b_wptr - mp->b_rptr) < sizeof (long)) { 3366 ss3dbg(spds, ( 3367 "spdsock_wput_other: Not big enough M_PROTO\n")); 3368 freemsg(mp); 3369 return; 3370 } 3371 switch (((union T_primitives *)mp->b_rptr)->type) { 3372 case T_CAPABILITY_REQ: 3373 spdsock_capability_req(q, mp); 3374 break; 3375 case T_INFO_REQ: 3376 spdsock_info_req(q, mp); 3377 break; 3378 case T_SVR4_OPTMGMT_REQ: 3379 case T_OPTMGMT_REQ: 3380 /* 3381 * All Solaris components should pass a db_credp 3382 * for this TPI message, hence we ASSERT. 3383 * But in case there is some other M_PROTO that looks 3384 * like a TPI message sent by some other kernel 3385 * component, we check and return an error. 3386 */ 3387 cr = msg_getcred(mp, NULL); 3388 ASSERT(cr != NULL); 3389 if (cr == NULL) { 3390 spdsock_err_ack(q, mp, TSYSERR, EINVAL); 3391 return; 3392 } 3393 if (((union T_primitives *)mp->b_rptr)->type == 3394 T_SVR4_OPTMGMT_REQ) { 3395 svr4_optcom_req(q, mp, cr, &spdsock_opt_obj); 3396 } else { 3397 tpi_optcom_req(q, mp, cr, &spdsock_opt_obj); 3398 } 3399 break; 3400 case T_DATA_REQ: 3401 case T_EXDATA_REQ: 3402 case T_ORDREL_REQ: 3403 /* Illegal for spdsock. */ 3404 freemsg(mp); 3405 (void) putnextctl1(RD(q), M_ERROR, EPROTO); 3406 break; 3407 default: 3408 /* Not supported by spdsock. */ 3409 spdsock_err_ack(q, mp, TNOTSUPPORT, 0); 3410 break; 3411 } 3412 return; 3413 case M_IOCDATA: 3414 keysock_spdsock_wput_iocdata(q, mp, PF_POLICY); 3415 return; 3416 case M_IOCTL: 3417 iocp = (struct iocblk *)mp->b_rptr; 3418 error = EINVAL; 3419 3420 switch (iocp->ioc_cmd) { 3421 case TI_GETMYNAME: 3422 case TI_GETPEERNAME: 3423 /* 3424 * For pfiles(1) observability with getsockname(). 3425 * See keysock_spdsock_wput_iocdata() for the rest of 3426 * this. 3427 */ 3428 mi_copyin(q, mp, NULL, 3429 SIZEOF_STRUCT(strbuf, iocp->ioc_flag)); 3430 return; 3431 case ND_SET: 3432 case ND_GET: 3433 if (nd_getset(q, spds->spds_g_nd, mp)) { 3434 qreply(q, mp); 3435 return; 3436 } else 3437 error = ENOENT; 3438 /* FALLTHRU */ 3439 default: 3440 miocnak(q, mp, 0, error); 3441 return; 3442 } 3443 case M_FLUSH: 3444 if (*mp->b_rptr & FLUSHW) { 3445 flushq(q, FLUSHALL); 3446 *mp->b_rptr &= ~FLUSHW; 3447 } 3448 if (*mp->b_rptr & FLUSHR) { 3449 qreply(q, mp); 3450 return; 3451 } 3452 /* Else FALLTHRU */ 3453 } 3454 3455 /* If fell through, just black-hole the message. */ 3456 freemsg(mp); 3457 } 3458 3459 static int 3460 spdsock_wput(queue_t *q, mblk_t *mp) 3461 { 3462 uint8_t *rptr = mp->b_rptr; 3463 mblk_t *mp1; 3464 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3465 spd_stack_t *spds = ss->spdsock_spds; 3466 3467 /* 3468 * If we're dumping, defer processing other messages until the 3469 * dump completes. 3470 */ 3471 if (ss->spdsock_dump_req != NULL) { 3472 if (!putq(q, mp)) 3473 freemsg(mp); 3474 return (0); 3475 } 3476 3477 switch (mp->b_datap->db_type) { 3478 case M_DATA: 3479 /* 3480 * Silently discard. 3481 */ 3482 ss2dbg(spds, ("raw M_DATA in spdsock.\n")); 3483 freemsg(mp); 3484 return (0); 3485 case M_PROTO: 3486 case M_PCPROTO: 3487 if ((mp->b_wptr - rptr) >= sizeof (struct T_data_req)) { 3488 if (((union T_primitives *)rptr)->type == T_DATA_REQ) { 3489 if ((mp1 = mp->b_cont) == NULL) { 3490 /* No data after T_DATA_REQ. */ 3491 ss2dbg(spds, 3492 ("No data after DATA_REQ.\n")); 3493 freemsg(mp); 3494 return (0); 3495 } 3496 freeb(mp); 3497 mp = mp1; 3498 ss2dbg(spds, ("T_DATA_REQ\n")); 3499 break; /* Out of switch. */ 3500 } 3501 } 3502 /* FALLTHRU */ 3503 default: 3504 ss3dbg(spds, ("In default wput case (%d %d).\n", 3505 mp->b_datap->db_type, ((union T_primitives *)rptr)->type)); 3506 spdsock_wput_other(q, mp); 3507 return (0); 3508 } 3509 3510 /* I now have a PF_POLICY message in an M_DATA block. */ 3511 spdsock_parse(q, mp); 3512 return (0); 3513 } 3514 3515 /* 3516 * Device open procedure, called when new queue pair created. 3517 * We are passed the read-side queue. 3518 */ 3519 /* ARGSUSED */ 3520 static int 3521 spdsock_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp) 3522 { 3523 spdsock_t *ss; 3524 queue_t *oq = OTHERQ(q); 3525 minor_t ssminor; 3526 netstack_t *ns; 3527 spd_stack_t *spds; 3528 3529 if (secpolicy_ip_config(credp, B_FALSE) != 0) 3530 return (EPERM); 3531 3532 if (q->q_ptr != NULL) 3533 return (0); /* Re-open of an already open instance. */ 3534 3535 if (sflag & MODOPEN) 3536 return (EINVAL); 3537 3538 ns = netstack_find_by_cred(credp); 3539 ASSERT(ns != NULL); 3540 spds = ns->netstack_spdsock; 3541 ASSERT(spds != NULL); 3542 3543 ss2dbg(spds, ("Made it into PF_POLICY socket open.\n")); 3544 3545 ssminor = (minor_t)(uintptr_t)vmem_alloc(spdsock_vmem, 1, VM_NOSLEEP); 3546 if (ssminor == 0) { 3547 netstack_rele(spds->spds_netstack); 3548 return (ENOMEM); 3549 } 3550 ss = kmem_zalloc(sizeof (spdsock_t), KM_NOSLEEP); 3551 if (ss == NULL) { 3552 vmem_free(spdsock_vmem, (void *)(uintptr_t)ssminor, 1); 3553 netstack_rele(spds->spds_netstack); 3554 return (ENOMEM); 3555 } 3556 3557 ss->spdsock_minor = ssminor; 3558 ss->spdsock_state = TS_UNBND; 3559 ss->spdsock_dump_req = NULL; 3560 3561 ss->spdsock_spds = spds; 3562 3563 q->q_ptr = ss; 3564 oq->q_ptr = ss; 3565 3566 q->q_hiwat = spds->spds_recv_hiwat; 3567 3568 oq->q_hiwat = spds->spds_xmit_hiwat; 3569 oq->q_lowat = spds->spds_xmit_lowat; 3570 3571 qprocson(q); 3572 (void) proto_set_rx_hiwat(q, NULL, spds->spds_recv_hiwat); 3573 3574 *devp = makedevice(getmajor(*devp), ss->spdsock_minor); 3575 return (0); 3576 } 3577 3578 /* 3579 * Read-side service procedure, invoked when we get back-enabled 3580 * when buffer space becomes available. 3581 * 3582 * Dump another chunk if we were dumping before; when we finish, kick 3583 * the write-side queue in case it's waiting for read queue space. 3584 */ 3585 int 3586 spdsock_rsrv(queue_t *q) 3587 { 3588 spdsock_t *ss = q->q_ptr; 3589 3590 if (ss->spdsock_dump_req != NULL) 3591 spdsock_dump_some(q, ss); 3592 3593 if (ss->spdsock_dump_req == NULL) 3594 qenable(OTHERQ(q)); 3595 return (0); 3596 } 3597 3598 /* 3599 * Write-side service procedure, invoked when we defer processing 3600 * if another message is received while a dump is in progress. 3601 */ 3602 int 3603 spdsock_wsrv(queue_t *q) 3604 { 3605 spdsock_t *ss = q->q_ptr; 3606 mblk_t *mp; 3607 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 3608 3609 if (ss->spdsock_dump_req != NULL) { 3610 qenable(OTHERQ(q)); 3611 return (0); 3612 } 3613 3614 while ((mp = getq(q)) != NULL) { 3615 if (ipsec_loaded(ipss)) { 3616 (void) spdsock_wput(q, mp); 3617 if (ss->spdsock_dump_req != NULL) 3618 return (0); 3619 } else if (!ipsec_failed(ipss)) { 3620 (void) putq(q, mp); 3621 } else { 3622 spdsock_error(q, mp, EPFNOSUPPORT, 0); 3623 } 3624 } 3625 return (0); 3626 } 3627 3628 /* ARGSUSED */ 3629 static int 3630 spdsock_close(queue_t *q, int flags __unused, cred_t *credp __unused) 3631 { 3632 spdsock_t *ss = q->q_ptr; 3633 spd_stack_t *spds = ss->spdsock_spds; 3634 3635 qprocsoff(q); 3636 3637 /* Safe assumption. */ 3638 ASSERT(ss != NULL); 3639 3640 if (ss->spdsock_timeout != 0) 3641 (void) quntimeout(q, ss->spdsock_timeout); 3642 3643 ss3dbg(spds, ("Driver close, PF_POLICY socket is going away.\n")); 3644 3645 vmem_free(spdsock_vmem, (void *)(uintptr_t)ss->spdsock_minor, 1); 3646 netstack_rele(ss->spdsock_spds->spds_netstack); 3647 3648 kmem_free(ss, sizeof (spdsock_t)); 3649 return (0); 3650 } 3651 3652 /* 3653 * Merge the IPsec algorithms tables with the received algorithm information. 3654 */ 3655 void 3656 spdsock_merge_algs(spd_stack_t *spds) 3657 { 3658 ipsec_alginfo_t *alg, *oalg; 3659 ipsec_algtype_t algtype; 3660 uint_t algidx, algid, nalgs; 3661 crypto_mech_name_t *mechs; 3662 uint_t mech_count, mech_idx; 3663 netstack_t *ns = spds->spds_netstack; 3664 ipsec_stack_t *ipss = ns->netstack_ipsec; 3665 3666 ASSERT(MUTEX_HELD(&spds->spds_alg_lock)); 3667 3668 /* 3669 * Get the list of supported mechanisms from the crypto framework. 3670 * If a mechanism is supported by KCF, resolve its mechanism 3671 * id and mark it as being valid. This operation must be done 3672 * without holding alg_lock, since it can cause a provider 3673 * module to be loaded and the provider notification callback to 3674 * be invoked. 3675 */ 3676 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP); 3677 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3678 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) { 3679 int algflags = 0; 3680 crypto_mech_type_t mt = CRYPTO_MECHANISM_INVALID; 3681 3682 alg = spds->spds_algs[algtype][algid]; 3683 if (alg == NULL) 3684 continue; 3685 3686 /* 3687 * The NULL encryption algorithm is a special 3688 * case because there are no mechanisms, yet 3689 * the algorithm is still valid. 3690 */ 3691 if (alg->alg_id == SADB_EALG_NULL) { 3692 alg->alg_mech_type = CRYPTO_MECHANISM_INVALID; 3693 alg->alg_flags |= ALG_FLAG_VALID; 3694 continue; 3695 } 3696 3697 for (mech_idx = 0; mech_idx < mech_count; mech_idx++) { 3698 if (strncmp(alg->alg_mech_name, mechs[mech_idx], 3699 CRYPTO_MAX_MECH_NAME) == 0) { 3700 mt = crypto_mech2id(alg->alg_mech_name); 3701 ASSERT(mt != CRYPTO_MECHANISM_INVALID); 3702 algflags = ALG_FLAG_VALID; 3703 break; 3704 } 3705 } 3706 alg->alg_mech_type = mt; 3707 alg->alg_flags |= algflags; 3708 } 3709 } 3710 3711 rw_enter(&ipss->ipsec_alg_lock, RW_WRITER); 3712 3713 /* 3714 * For each algorithm currently defined, check if it is 3715 * present in the new tables created from the SPD_UPDATEALGS 3716 * message received from user-space. 3717 * Delete the algorithm entries that are currently defined 3718 * but not part of the new tables. 3719 */ 3720 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3721 nalgs = ipss->ipsec_nalgs[algtype]; 3722 for (algidx = 0; algidx < nalgs; algidx++) { 3723 algid = ipss->ipsec_sortlist[algtype][algidx]; 3724 if (spds->spds_algs[algtype][algid] == NULL) 3725 ipsec_alg_unreg(algtype, algid, ns); 3726 } 3727 } 3728 3729 /* 3730 * For each algorithm we just received, check if it is 3731 * present in the currently defined tables. If it is, swap 3732 * the entry with the one we just allocated. 3733 * If the new algorithm is not in the current tables, 3734 * add it. 3735 */ 3736 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3737 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) { 3738 alg = spds->spds_algs[algtype][algid]; 3739 if (alg == NULL) 3740 continue; 3741 3742 if ((oalg = ipss->ipsec_alglists[algtype][algid]) == 3743 NULL) { 3744 /* 3745 * New algorithm, add it to the algorithm 3746 * table. 3747 */ 3748 ipsec_alg_reg(algtype, alg, ns); 3749 } else { 3750 /* 3751 * Algorithm is already in the table. Swap 3752 * the existing entry with the new one. 3753 */ 3754 ipsec_alg_fix_min_max(alg, algtype, ns); 3755 ipss->ipsec_alglists[algtype][algid] = alg; 3756 ipsec_alg_free(oalg); 3757 } 3758 spds->spds_algs[algtype][algid] = NULL; 3759 } 3760 } 3761 3762 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3763 ipss->ipsec_algs_exec_mode[algtype] = 3764 spds->spds_algs_exec_mode[algtype]; 3765 } 3766 3767 rw_exit(&ipss->ipsec_alg_lock); 3768 3769 crypto_free_mech_list(mechs, mech_count); 3770 3771 ipsecah_algs_changed(ns); 3772 ipsecesp_algs_changed(ns); 3773 } 3774