xref: /illumos-gate/usr/src/uts/common/inet/ip/tnet.c (revision c7402f0767d7a0360fabd0bd449c6baf9b282074)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/types.h>
27 #include <sys/stream.h>
28 #include <sys/strsubr.h>
29 #include <sys/stropts.h>
30 #include <sys/sunddi.h>
31 #include <sys/cred.h>
32 #include <sys/debug.h>
33 #include <sys/kmem.h>
34 #include <sys/errno.h>
35 #include <sys/disp.h>
36 #include <netinet/in.h>
37 #include <netinet/in_systm.h>
38 #include <netinet/ip.h>
39 #include <netinet/ip_icmp.h>
40 #include <netinet/tcp.h>
41 #include <inet/common.h>
42 #include <inet/ipclassifier.h>
43 #include <inet/ip.h>
44 #include <inet/mib2.h>
45 #include <inet/nd.h>
46 #include <inet/tcp.h>
47 #include <inet/ip_rts.h>
48 #include <inet/ip_ire.h>
49 #include <inet/ip_if.h>
50 #include <sys/modhash.h>
51 
52 #include <sys/tsol/label.h>
53 #include <sys/tsol/label_macro.h>
54 #include <sys/tsol/tnet.h>
55 #include <sys/tsol/tndb.h>
56 #include <sys/strsun.h>
57 
58 /* tunable for strict error-reply behavior (TCP RST and ICMP Unreachable) */
59 int tsol_strict_error;
60 
61 /*
62  * Some notes on the Trusted Solaris IRE gateway security attributes:
63  *
64  * When running in Trusted mode, the routing subsystem determines whether or
65  * not a packet can be delivered to an off-link host (not directly reachable
66  * through an interface) based on the accreditation checks of the packet's
67  * security attributes against those associated with the next-hop gateway.
68  *
69  * The next-hop gateway's security attributes can be derived from two sources
70  * (in order of preference): route-related and the host database.  A Trusted
71  * system must be configured with at least the host database containing an
72  * entry for the next-hop gateway, or otherwise no accreditation checks can
73  * be performed, which may result in the inability to send packets to any
74  * off-link destination host.
75  *
76  * The major differences between the two sources are the number and type of
77  * security attributes used for accreditation checks.  A host database entry
78  * can contain at most one set of security attributes, specific only to the
79  * next-hop gateway.  On contrast, route-related security attributes are made
80  * up of a collection of security attributes for the distant networks, and
81  * are grouped together per next-hop gateway used to reach those networks.
82  * This is the preferred method, and the routing subsystem will fallback to
83  * the host database entry only if there are no route-related attributes
84  * associated with the next-hop gateway.
85  *
86  * In Trusted mode, all of the IRE entries (except LOCAL/LOOPBACK/BROADCAST/
87  * INTERFACE type) are initialized to contain a placeholder to store this
88  * information.  The ire_gw_secattr structure gets allocated, initialized
89  * and associated with the IRE during the time of the IRE creation.  The
90  * initialization process also includes resolving the host database entry
91  * of the next-hop gateway for fallback purposes.  It does not include any
92  * route-related attribute setup, as that process comes separately as part
93  * of the route requests (add/change) made to the routing subsystem.
94  *
95  * The underlying logic which involves associating IREs with the gateway
96  * security attributes are represented by the following data structures:
97  *
98  * tsol_gcdb_t, or "gcdb"
99  *
100  *	- This is a system-wide collection of records containing the
101  *	  currently used route-related security attributes, which are fed
102  *	  through the routing socket interface, e.g. "route add/change".
103  *
104  * tsol_gc_t, or "gc"
105  *
106  *	- This is the gateway credential structure, and it provides for the
107  *	  only mechanism to access the contents of gcdb.  More than one gc
108  *	  entries may refer to the same gcdb record.  gc's in the system are
109  *	  grouped according to the next-hop gateway address.
110  *
111  * tsol_gcgrp_t, or "gcgrp"
112  *
113  *	- Group of gateway credentials, and is unique per next-hop gateway
114  *	  address.  When the group is not empty, i.e. when gcgrp_count is
115  *	  greater than zero, it contains one or more gc's, each pointing to
116  *	  a gcdb record which indicates the gateway security attributes
117  *	  associated with the next-hop gateway.
118  *
119  * The fields of the tsol_ire_gw_secattr_t used from within the IRE are:
120  *
121  * igsa_lock
122  *
123  *	- Lock that protects all fields within tsol_ire_gw_secattr_t.
124  *
125  * igsa_rhc
126  *
127  *	- Remote host cache database entry of next-hop gateway.  This is
128  *	  used in the case when there are no route-related attributes
129  *	  configured for the IRE.
130  *
131  * igsa_gc
132  *
133  *	- A set of route-related attributes that only get set for prefix
134  *	  IREs.  If this is non-NULL, the prefix IRE has been associated
135  *	  with a set of gateway security attributes by way of route add/
136  *	  change functionality.  This field stays NULL for IRE_CACHEs.
137  *
138  * igsa_gcgrp
139  *
140  *	- Group of gc's which only gets set for IRE_CACHEs.  Each of the gc
141  *	  points to a gcdb record that contains the security attributes
142  *	  used to perform the credential checks of the packet which uses
143  *	  the IRE.  If the group is not empty, the list of gc's can be
144  *	  traversed starting at gcgrp_head.  This field stays NULL for
145  *	  prefix IREs.
146  */
147 
148 static kmem_cache_t *ire_gw_secattr_cache;
149 
150 #define	GCDB_HASH_SIZE	101
151 #define	GCGRP_HASH_SIZE	101
152 
153 #define	GCDB_REFRELE(p) {		\
154 	mutex_enter(&gcdb_lock);	\
155 	ASSERT((p)->gcdb_refcnt > 0);	\
156 	if (--((p)->gcdb_refcnt) == 0)	\
157 		gcdb_inactive(p);	\
158 	ASSERT(MUTEX_HELD(&gcdb_lock));	\
159 	mutex_exit(&gcdb_lock);		\
160 }
161 
162 static int gcdb_hash_size = GCDB_HASH_SIZE;
163 static int gcgrp_hash_size = GCGRP_HASH_SIZE;
164 static mod_hash_t *gcdb_hash;
165 static mod_hash_t *gcgrp4_hash;
166 static mod_hash_t *gcgrp6_hash;
167 
168 static kmutex_t gcdb_lock;
169 kmutex_t gcgrp_lock;
170 
171 static uint_t gcdb_hash_by_secattr(void *, mod_hash_key_t);
172 static int gcdb_hash_cmp(mod_hash_key_t, mod_hash_key_t);
173 static tsol_gcdb_t *gcdb_lookup(struct rtsa_s *, boolean_t);
174 static void gcdb_inactive(tsol_gcdb_t *);
175 
176 static uint_t gcgrp_hash_by_addr(void *, mod_hash_key_t);
177 static int gcgrp_hash_cmp(mod_hash_key_t, mod_hash_key_t);
178 
179 static int ire_gw_secattr_constructor(void *, void *, int);
180 static void ire_gw_secattr_destructor(void *, void *);
181 
182 void
183 tnet_init(void)
184 {
185 	ire_gw_secattr_cache = kmem_cache_create("ire_gw_secattr_cache",
186 	    sizeof (tsol_ire_gw_secattr_t), 64, ire_gw_secattr_constructor,
187 	    ire_gw_secattr_destructor, NULL, NULL, NULL, 0);
188 
189 	gcdb_hash = mod_hash_create_extended("gcdb_hash",
190 	    gcdb_hash_size, mod_hash_null_keydtor, mod_hash_null_valdtor,
191 	    gcdb_hash_by_secattr, NULL, gcdb_hash_cmp, KM_SLEEP);
192 
193 	gcgrp4_hash = mod_hash_create_extended("gcgrp4_hash",
194 	    gcgrp_hash_size, mod_hash_null_keydtor, mod_hash_null_valdtor,
195 	    gcgrp_hash_by_addr, NULL, gcgrp_hash_cmp, KM_SLEEP);
196 
197 	gcgrp6_hash = mod_hash_create_extended("gcgrp6_hash",
198 	    gcgrp_hash_size, mod_hash_null_keydtor, mod_hash_null_valdtor,
199 	    gcgrp_hash_by_addr, NULL, gcgrp_hash_cmp, KM_SLEEP);
200 
201 	mutex_init(&gcdb_lock, NULL, MUTEX_DEFAULT, NULL);
202 	mutex_init(&gcgrp_lock, NULL, MUTEX_DEFAULT, NULL);
203 }
204 
205 void
206 tnet_fini(void)
207 {
208 	kmem_cache_destroy(ire_gw_secattr_cache);
209 	mod_hash_destroy_hash(gcdb_hash);
210 	mod_hash_destroy_hash(gcgrp4_hash);
211 	mod_hash_destroy_hash(gcgrp6_hash);
212 	mutex_destroy(&gcdb_lock);
213 	mutex_destroy(&gcgrp_lock);
214 }
215 
216 /* ARGSUSED */
217 static int
218 ire_gw_secattr_constructor(void *buf, void *cdrarg, int kmflags)
219 {
220 	tsol_ire_gw_secattr_t *attrp = buf;
221 
222 	mutex_init(&attrp->igsa_lock, NULL, MUTEX_DEFAULT, NULL);
223 
224 	attrp->igsa_rhc = NULL;
225 	attrp->igsa_gc = NULL;
226 	attrp->igsa_gcgrp = NULL;
227 
228 	return (0);
229 }
230 
231 /* ARGSUSED */
232 static void
233 ire_gw_secattr_destructor(void *buf, void *cdrarg)
234 {
235 	tsol_ire_gw_secattr_t *attrp = (tsol_ire_gw_secattr_t *)buf;
236 
237 	mutex_destroy(&attrp->igsa_lock);
238 }
239 
240 tsol_ire_gw_secattr_t *
241 ire_gw_secattr_alloc(int kmflags)
242 {
243 	return (kmem_cache_alloc(ire_gw_secattr_cache, kmflags));
244 }
245 
246 void
247 ire_gw_secattr_free(tsol_ire_gw_secattr_t *attrp)
248 {
249 	ASSERT(MUTEX_NOT_HELD(&attrp->igsa_lock));
250 
251 	if (attrp->igsa_rhc != NULL) {
252 		TNRHC_RELE(attrp->igsa_rhc);
253 		attrp->igsa_rhc = NULL;
254 	}
255 
256 	if (attrp->igsa_gc != NULL) {
257 		GC_REFRELE(attrp->igsa_gc);
258 		attrp->igsa_gc = NULL;
259 	}
260 	if (attrp->igsa_gcgrp != NULL) {
261 		GCGRP_REFRELE(attrp->igsa_gcgrp);
262 		attrp->igsa_gcgrp = NULL;
263 	}
264 
265 	ASSERT(attrp->igsa_rhc == NULL);
266 	ASSERT(attrp->igsa_gc == NULL);
267 	ASSERT(attrp->igsa_gcgrp == NULL);
268 
269 	kmem_cache_free(ire_gw_secattr_cache, attrp);
270 }
271 
272 /* ARGSUSED */
273 static uint_t
274 gcdb_hash_by_secattr(void *hash_data, mod_hash_key_t key)
275 {
276 	const struct rtsa_s *rp = (struct rtsa_s *)key;
277 	const uint32_t *up, *ue;
278 	uint_t hash;
279 	int i;
280 
281 	ASSERT(rp != NULL);
282 
283 	/* See comments in hash_bylabel in zone.c for details */
284 	hash = rp->rtsa_doi + (rp->rtsa_doi << 1);
285 	up = (const uint32_t *)&rp->rtsa_slrange;
286 	ue = up + sizeof (rp->rtsa_slrange) / sizeof (*up);
287 	i = 1;
288 	while (up < ue) {
289 		/* using 2^n + 1, 1 <= n <= 16 as source of many primes */
290 		hash += *up + (*up << ((i % 16) + 1));
291 		up++;
292 		i++;
293 	}
294 	return (hash);
295 }
296 
297 static int
298 gcdb_hash_cmp(mod_hash_key_t key1, mod_hash_key_t key2)
299 {
300 	struct rtsa_s *rp1 = (struct rtsa_s *)key1;
301 	struct rtsa_s *rp2 = (struct rtsa_s *)key2;
302 
303 	ASSERT(rp1 != NULL && rp2 != NULL);
304 
305 	if (blequal(&rp1->rtsa_slrange.lower_bound,
306 	    &rp2->rtsa_slrange.lower_bound) &&
307 	    blequal(&rp1->rtsa_slrange.upper_bound,
308 	    &rp2->rtsa_slrange.upper_bound) &&
309 	    rp1->rtsa_doi == rp2->rtsa_doi)
310 		return (0);
311 
312 	/* No match; not found */
313 	return (-1);
314 }
315 
316 /* ARGSUSED */
317 static uint_t
318 gcgrp_hash_by_addr(void *hash_data, mod_hash_key_t key)
319 {
320 	tsol_gcgrp_addr_t *ga = (tsol_gcgrp_addr_t *)key;
321 	uint_t		idx = 0;
322 	uint32_t	*ap;
323 
324 	ASSERT(ga != NULL);
325 	ASSERT(ga->ga_af == AF_INET || ga->ga_af == AF_INET6);
326 
327 	ap = (uint32_t *)&ga->ga_addr.s6_addr32[0];
328 	idx ^= *ap++;
329 	idx ^= *ap++;
330 	idx ^= *ap++;
331 	idx ^= *ap;
332 
333 	return (idx);
334 }
335 
336 static int
337 gcgrp_hash_cmp(mod_hash_key_t key1, mod_hash_key_t key2)
338 {
339 	tsol_gcgrp_addr_t *ga1 = (tsol_gcgrp_addr_t *)key1;
340 	tsol_gcgrp_addr_t *ga2 = (tsol_gcgrp_addr_t *)key2;
341 
342 	ASSERT(ga1 != NULL && ga2 != NULL);
343 
344 	/* Address family must match */
345 	if (ga1->ga_af != ga2->ga_af)
346 		return (-1);
347 
348 	if (ga1->ga_addr.s6_addr32[0] == ga2->ga_addr.s6_addr32[0] &&
349 	    ga1->ga_addr.s6_addr32[1] == ga2->ga_addr.s6_addr32[1] &&
350 	    ga1->ga_addr.s6_addr32[2] == ga2->ga_addr.s6_addr32[2] &&
351 	    ga1->ga_addr.s6_addr32[3] == ga2->ga_addr.s6_addr32[3])
352 		return (0);
353 
354 	/* No match; not found */
355 	return (-1);
356 }
357 
358 #define	RTSAFLAGS	"\20\11cipso\3doi\2max_sl\1min_sl"
359 
360 int
361 rtsa_validate(const struct rtsa_s *rp)
362 {
363 	uint32_t mask = rp->rtsa_mask;
364 
365 	/* RTSA_CIPSO must be set, and DOI must not be zero */
366 	if ((mask & RTSA_CIPSO) == 0 || rp->rtsa_doi == 0) {
367 		DTRACE_PROBE2(tx__gcdb__log__error__rtsa__validate, char *,
368 		    "rtsa(1) lacks flag or has 0 doi.",
369 		    rtsa_s *, rp);
370 		return (EINVAL);
371 	}
372 	/*
373 	 * SL range must be specified, and it must have its
374 	 * upper bound dominating its lower bound.
375 	 */
376 	if ((mask & RTSA_SLRANGE) != RTSA_SLRANGE ||
377 	    !bldominates(&rp->rtsa_slrange.upper_bound,
378 	    &rp->rtsa_slrange.lower_bound)) {
379 		DTRACE_PROBE2(tx__gcdb__log__error__rtsa__validate, char *,
380 		    "rtsa(1) min_sl and max_sl not set or max_sl is "
381 		    "not dominating.", rtsa_s *, rp);
382 		return (EINVAL);
383 	}
384 	return (0);
385 }
386 
387 /*
388  * A brief explanation of the reference counting scheme:
389  *
390  * Prefix IREs have a non-NULL igsa_gc and a NULL igsa_gcgrp;
391  * IRE_CACHEs have it vice-versa.
392  *
393  * Apart from dynamic references due to to reference holds done
394  * actively by threads, we have the following references:
395  *
396  * gcdb_refcnt:
397  *	- Every tsol_gc_t pointing to a tsol_gcdb_t contributes a reference
398  *	  to the gcdb_refcnt.
399  *
400  * gc_refcnt:
401  *	- A prefix IRE that points to an igsa_gc contributes a reference
402  *	  to the gc_refcnt.
403  *
404  * gcgrp_refcnt:
405  *	- An IRE_CACHE that points to an igsa_gcgrp contributes a reference
406  *	  to the gcgrp_refcnt of the associated tsol_gcgrp_t.
407  *	- Every tsol_gc_t in the chain headed by tsol_gcgrp_t contributes
408  *	  a reference to the gcgrp_refcnt.
409  */
410 static tsol_gcdb_t *
411 gcdb_lookup(struct rtsa_s *rp, boolean_t alloc)
412 {
413 	tsol_gcdb_t *gcdb = NULL;
414 
415 	if (rtsa_validate(rp) != 0)
416 		return (NULL);
417 
418 	mutex_enter(&gcdb_lock);
419 	/* Find a copy in the cache; otherwise, create one and cache it */
420 	if (mod_hash_find(gcdb_hash, (mod_hash_key_t)rp,
421 	    (mod_hash_val_t *)&gcdb) == 0) {
422 		gcdb->gcdb_refcnt++;
423 		ASSERT(gcdb->gcdb_refcnt != 0);
424 
425 		DTRACE_PROBE2(tx__gcdb__log__info__gcdb__lookup, char *,
426 		    "gcdb(1) is in gcdb_hash(global)", tsol_gcdb_t *, gcdb);
427 	} else if (alloc) {
428 		gcdb = kmem_zalloc(sizeof (*gcdb), KM_NOSLEEP);
429 		if (gcdb != NULL) {
430 			gcdb->gcdb_refcnt = 1;
431 			gcdb->gcdb_mask = rp->rtsa_mask;
432 			gcdb->gcdb_doi = rp->rtsa_doi;
433 			gcdb->gcdb_slrange = rp->rtsa_slrange;
434 
435 			if (mod_hash_insert(gcdb_hash,
436 			    (mod_hash_key_t)&gcdb->gcdb_attr,
437 			    (mod_hash_val_t)gcdb) != 0) {
438 				mutex_exit(&gcdb_lock);
439 				kmem_free(gcdb, sizeof (*gcdb));
440 				return (NULL);
441 			}
442 
443 			DTRACE_PROBE2(tx__gcdb__log__info__gcdb__insert, char *,
444 			    "gcdb(1) inserted in gcdb_hash(global)",
445 			    tsol_gcdb_t *, gcdb);
446 		}
447 	}
448 	mutex_exit(&gcdb_lock);
449 	return (gcdb);
450 }
451 
452 static void
453 gcdb_inactive(tsol_gcdb_t *gcdb)
454 {
455 	ASSERT(MUTEX_HELD(&gcdb_lock));
456 	ASSERT(gcdb != NULL && gcdb->gcdb_refcnt == 0);
457 
458 	(void) mod_hash_remove(gcdb_hash, (mod_hash_key_t)&gcdb->gcdb_attr,
459 	    (mod_hash_val_t *)&gcdb);
460 
461 	DTRACE_PROBE2(tx__gcdb__log__info__gcdb__remove, char *,
462 	    "gcdb(1) removed from gcdb_hash(global)",
463 	    tsol_gcdb_t *, gcdb);
464 	kmem_free(gcdb, sizeof (*gcdb));
465 }
466 
467 tsol_gc_t *
468 gc_create(struct rtsa_s *rp, tsol_gcgrp_t *gcgrp, boolean_t *gcgrp_xtrarefp)
469 {
470 	tsol_gc_t *gc;
471 	tsol_gcdb_t *gcdb;
472 
473 	*gcgrp_xtrarefp = B_TRUE;
474 
475 	rw_enter(&gcgrp->gcgrp_rwlock, RW_WRITER);
476 	if ((gcdb = gcdb_lookup(rp, B_TRUE)) == NULL) {
477 		rw_exit(&gcgrp->gcgrp_rwlock);
478 		return (NULL);
479 	}
480 
481 	for (gc = gcgrp->gcgrp_head; gc != NULL; gc = gc->gc_next) {
482 		if (gc->gc_db == gcdb) {
483 			ASSERT(gc->gc_grp == gcgrp);
484 
485 			gc->gc_refcnt++;
486 			ASSERT(gc->gc_refcnt != 0);
487 
488 			GCDB_REFRELE(gcdb);
489 
490 			DTRACE_PROBE3(tx__gcdb__log__info__gc__create,
491 			    char *, "found gc(1) in gcgrp(2)",
492 			    tsol_gc_t *, gc, tsol_gcgrp_t *, gcgrp);
493 			rw_exit(&gcgrp->gcgrp_rwlock);
494 			return (gc);
495 		}
496 	}
497 
498 	gc = kmem_zalloc(sizeof (*gc), KM_NOSLEEP);
499 	if (gc != NULL) {
500 		if (gcgrp->gcgrp_head == NULL) {
501 			gcgrp->gcgrp_head = gcgrp->gcgrp_tail = gc;
502 		} else {
503 			gcgrp->gcgrp_tail->gc_next = gc;
504 			gc->gc_prev = gcgrp->gcgrp_tail;
505 			gcgrp->gcgrp_tail = gc;
506 		}
507 		gcgrp->gcgrp_count++;
508 		ASSERT(gcgrp->gcgrp_count != 0);
509 
510 		/* caller has incremented gcgrp reference for us */
511 		gc->gc_grp = gcgrp;
512 
513 		gc->gc_db = gcdb;
514 		gc->gc_refcnt = 1;
515 
516 		DTRACE_PROBE3(tx__gcdb__log__info__gc__create, char *,
517 		    "added gc(1) to gcgrp(2)", tsol_gc_t *, gc,
518 		    tsol_gcgrp_t *, gcgrp);
519 
520 		*gcgrp_xtrarefp = B_FALSE;
521 	}
522 	rw_exit(&gcgrp->gcgrp_rwlock);
523 
524 	return (gc);
525 }
526 
527 void
528 gc_inactive(tsol_gc_t *gc)
529 {
530 	tsol_gcgrp_t *gcgrp = gc->gc_grp;
531 
532 	ASSERT(gcgrp != NULL);
533 	ASSERT(RW_WRITE_HELD(&gcgrp->gcgrp_rwlock));
534 	ASSERT(gc->gc_refcnt == 0);
535 
536 	if (gc->gc_prev != NULL)
537 		gc->gc_prev->gc_next = gc->gc_next;
538 	else
539 		gcgrp->gcgrp_head = gc->gc_next;
540 	if (gc->gc_next != NULL)
541 		gc->gc_next->gc_prev = gc->gc_prev;
542 	else
543 		gcgrp->gcgrp_tail = gc->gc_prev;
544 	ASSERT(gcgrp->gcgrp_count > 0);
545 	gcgrp->gcgrp_count--;
546 
547 	/* drop lock before it's destroyed */
548 	rw_exit(&gcgrp->gcgrp_rwlock);
549 
550 	DTRACE_PROBE3(tx__gcdb__log__info__gc__remove, char *,
551 	    "removed inactive gc(1) from gcgrp(2)",
552 	    tsol_gc_t *, gc, tsol_gcgrp_t *, gcgrp);
553 
554 	GCGRP_REFRELE(gcgrp);
555 
556 	gc->gc_grp = NULL;
557 	gc->gc_prev = gc->gc_next = NULL;
558 
559 	if (gc->gc_db != NULL)
560 		GCDB_REFRELE(gc->gc_db);
561 
562 	kmem_free(gc, sizeof (*gc));
563 }
564 
565 tsol_gcgrp_t *
566 gcgrp_lookup(tsol_gcgrp_addr_t *ga, boolean_t alloc)
567 {
568 	tsol_gcgrp_t *gcgrp = NULL;
569 	mod_hash_t *hashp;
570 
571 	ASSERT(ga->ga_af == AF_INET || ga->ga_af == AF_INET6);
572 
573 	hashp = (ga->ga_af == AF_INET) ? gcgrp4_hash : gcgrp6_hash;
574 
575 	mutex_enter(&gcgrp_lock);
576 	if (mod_hash_find(hashp, (mod_hash_key_t)ga,
577 	    (mod_hash_val_t *)&gcgrp) == 0) {
578 		gcgrp->gcgrp_refcnt++;
579 		ASSERT(gcgrp->gcgrp_refcnt != 0);
580 
581 		DTRACE_PROBE3(tx__gcdb__log__info__gcgrp__lookup, char *,
582 		    "found gcgrp(1) in hash(2)", tsol_gcgrp_t *, gcgrp,
583 		    mod_hash_t *, hashp);
584 
585 	} else if (alloc) {
586 		gcgrp = kmem_zalloc(sizeof (*gcgrp), KM_NOSLEEP);
587 		if (gcgrp != NULL) {
588 			gcgrp->gcgrp_refcnt = 1;
589 			rw_init(&gcgrp->gcgrp_rwlock, NULL, RW_DEFAULT, NULL);
590 			bcopy(ga, &gcgrp->gcgrp_addr, sizeof (*ga));
591 
592 			if (mod_hash_insert(hashp,
593 			    (mod_hash_key_t)&gcgrp->gcgrp_addr,
594 			    (mod_hash_val_t)gcgrp) != 0) {
595 				mutex_exit(&gcgrp_lock);
596 				kmem_free(gcgrp, sizeof (*gcgrp));
597 				return (NULL);
598 			}
599 
600 			DTRACE_PROBE3(tx__gcdb__log__info__gcgrp__insert,
601 			    char *, "inserted gcgrp(1) in hash(2)",
602 			    tsol_gcgrp_t *, gcgrp, mod_hash_t *, hashp);
603 		}
604 	}
605 	mutex_exit(&gcgrp_lock);
606 	return (gcgrp);
607 }
608 
609 void
610 gcgrp_inactive(tsol_gcgrp_t *gcgrp)
611 {
612 	tsol_gcgrp_addr_t *ga;
613 	mod_hash_t *hashp;
614 
615 	ASSERT(MUTEX_HELD(&gcgrp_lock));
616 	ASSERT(!RW_LOCK_HELD(&gcgrp->gcgrp_rwlock));
617 	ASSERT(gcgrp != NULL && gcgrp->gcgrp_refcnt == 0);
618 	ASSERT(gcgrp->gcgrp_head == NULL && gcgrp->gcgrp_count == 0);
619 
620 	ga = &gcgrp->gcgrp_addr;
621 	ASSERT(ga->ga_af == AF_INET || ga->ga_af == AF_INET6);
622 
623 	hashp = (ga->ga_af == AF_INET) ? gcgrp4_hash : gcgrp6_hash;
624 	(void) mod_hash_remove(hashp, (mod_hash_key_t)ga,
625 	    (mod_hash_val_t *)&gcgrp);
626 	rw_destroy(&gcgrp->gcgrp_rwlock);
627 
628 	DTRACE_PROBE3(tx__gcdb__log__info__gcgrp__remove, char *,
629 	    "removed inactive gcgrp(1) from hash(2)",
630 	    tsol_gcgrp_t *, gcgrp, mod_hash_t *, hashp);
631 
632 	kmem_free(gcgrp, sizeof (*gcgrp));
633 }
634 
635 /*
636  * Converts CIPSO option to sensitivity label.
637  * Validity checks based on restrictions defined in
638  * COMMERCIAL IP SECURITY OPTION (CIPSO 2.2) (draft-ietf-cipso-ipsecurity)
639  */
640 static boolean_t
641 cipso_to_sl(const uchar_t *option, bslabel_t *sl)
642 {
643 	const struct cipso_option *co = (const struct cipso_option *)option;
644 	const struct cipso_tag_type_1 *tt1;
645 
646 	tt1 = (struct cipso_tag_type_1 *)&co->cipso_tag_type[0];
647 	if (tt1->tag_type != 1 ||
648 	    tt1->tag_length < TSOL_TT1_MIN_LENGTH ||
649 	    tt1->tag_length > TSOL_TT1_MAX_LENGTH ||
650 	    tt1->tag_length + TSOL_CIPSO_TAG_OFFSET > co->cipso_length)
651 		return (B_FALSE);
652 
653 	bsllow(sl);	/* assumed: sets compartments to all zeroes */
654 	LCLASS_SET((_bslabel_impl_t *)sl, tt1->tag_sl);
655 	bcopy(tt1->tag_cat, &((_bslabel_impl_t *)sl)->compartments,
656 	    tt1->tag_length - TSOL_TT1_MIN_LENGTH);
657 	return (B_TRUE);
658 }
659 
660 /*
661  * Parse the CIPSO label in the incoming packet and construct a ts_label_t
662  * that reflects the CIPSO label and attach it to the dblk cred. Later as
663  * the mblk flows up through the stack any code that needs to examine the
664  * packet label can inspect the label from the dblk cred. This function is
665  * called right in ip_rput for all packets, i.e. locally destined and
666  * to be forwarded packets. The forwarding path needs to examine the label
667  * to determine how to forward the packet.
668  *
669  * For IPv4, IP header options have been pulled up, but other headers might not
670  * have been.  For IPv6, any hop-by-hop options have been pulled up, but any
671  * other headers might not be present.
672  */
673 boolean_t
674 tsol_get_pkt_label(mblk_t *mp, int version)
675 {
676 	tsol_tpc_t	*src_rhtp;
677 	uchar_t		*opt_ptr = NULL;
678 	const ipha_t	*ipha;
679 	bslabel_t	sl;
680 	uint32_t	doi;
681 	tsol_ip_label_t	label_type;
682 	const cipso_option_t *co;
683 	const void	*src;
684 	const ip6_t	*ip6h;
685 	cred_t		*credp;
686 	pid_t		cpid;
687 
688 	ASSERT(DB_TYPE(mp) == M_DATA);
689 
690 	if (mp->b_cont != NULL && !pullupmsg(mp, -1))
691 		return (B_FALSE);
692 
693 	if (version == IPV4_VERSION) {
694 		ipha = (const ipha_t *)mp->b_rptr;
695 		src = &ipha->ipha_src;
696 		label_type = tsol_get_option(mp, &opt_ptr);
697 	} else {
698 		uchar_t		*after_secopt;
699 		boolean_t	hbh_needed;
700 		const uchar_t	*ip6hbh;
701 		size_t		optlen;
702 
703 		label_type = OPT_NONE;
704 		ip6h = (const ip6_t *)mp->b_rptr;
705 		src = &ip6h->ip6_src;
706 		if (ip6h->ip6_nxt == IPPROTO_HOPOPTS) {
707 			ip6hbh = (const uchar_t *)&ip6h[1];
708 			optlen = (ip6hbh[1] + 1) << 3;
709 			ASSERT(ip6hbh + optlen <= mp->b_wptr);
710 			opt_ptr = tsol_find_secopt_v6(ip6hbh, optlen,
711 			    &after_secopt, &hbh_needed);
712 			/* tsol_find_secopt_v6 guarantees some sanity */
713 			if (opt_ptr != NULL &&
714 			    (optlen = opt_ptr[1]) >= 8) {
715 				opt_ptr += 2;
716 				bcopy(opt_ptr, &doi, sizeof (doi));
717 				doi = ntohl(doi);
718 				if (doi == IP6LS_DOI_V4 &&
719 				    opt_ptr[4] == IP6LS_TT_V4 &&
720 				    opt_ptr[5] <= optlen - 4 &&
721 				    opt_ptr[7] <= optlen - 6) {
722 					opt_ptr += sizeof (doi) + 2;
723 					label_type = OPT_CIPSO;
724 				}
725 			}
726 		}
727 	}
728 
729 	switch (label_type) {
730 	case OPT_CIPSO:
731 		/*
732 		 * Convert the CIPSO label to the internal format
733 		 * and attach it to the dblk cred.
734 		 * Validity checks based on restrictions defined in
735 		 * COMMERCIAL IP SECURITY OPTION (CIPSO 2.2)
736 		 * (draft-ietf-cipso-ipsecurity)
737 		 */
738 		if (version == IPV6_VERSION && ip6opt_ls == 0)
739 			return (B_FALSE);
740 		co = (const struct cipso_option *)opt_ptr;
741 		if ((co->cipso_length <
742 		    TSOL_CIPSO_TAG_OFFSET + TSOL_TT1_MIN_LENGTH) ||
743 		    (co->cipso_length > IP_MAX_OPT_LENGTH))
744 			return (B_FALSE);
745 		bcopy(co->cipso_doi, &doi, sizeof (doi));
746 		doi = ntohl(doi);
747 		if (!cipso_to_sl(opt_ptr, &sl))
748 			return (B_FALSE);
749 		setbltype(&sl, SUN_SL_ID);
750 		break;
751 
752 	case OPT_NONE:
753 		/*
754 		 * Handle special cases that are not currently labeled, even
755 		 * though the sending system may otherwise be configured as
756 		 * labeled.
757 		 *	- IGMP
758 		 *	- IPv4 ICMP Router Discovery
759 		 *	- IPv6 Neighbor Discovery
760 		 */
761 		if (version == IPV4_VERSION) {
762 			if (ipha->ipha_protocol == IPPROTO_IGMP)
763 				return (B_TRUE);
764 			if (ipha->ipha_protocol == IPPROTO_ICMP) {
765 				const struct icmp *icmp = (const struct icmp *)
766 				    (mp->b_rptr + IPH_HDR_LENGTH(ipha));
767 
768 				if ((uchar_t *)icmp > mp->b_wptr) {
769 					if (!pullupmsg(mp,
770 					    (uchar_t *)icmp - mp->b_rptr + 1))
771 						return (B_FALSE);
772 					icmp = (const struct icmp *)
773 					    (mp->b_rptr +
774 					    IPH_HDR_LENGTH(ipha));
775 				}
776 				if (icmp->icmp_type == ICMP_ROUTERADVERT ||
777 				    icmp->icmp_type == ICMP_ROUTERSOLICIT)
778 					return (B_TRUE);
779 			}
780 			src = &ipha->ipha_src;
781 		} else {
782 			if (ip6h->ip6_nxt == IPPROTO_ICMPV6) {
783 				const icmp6_t *icmp6 = (const icmp6_t *)
784 				    (mp->b_rptr + IPV6_HDR_LEN);
785 
786 				if ((uchar_t *)icmp6 + ICMP6_MINLEN >
787 				    mp->b_wptr) {
788 					if (!pullupmsg(mp,
789 					    (uchar_t *)icmp6 - mp->b_rptr +
790 					    ICMP6_MINLEN))
791 						return (B_FALSE);
792 					icmp6 = (const icmp6_t *)
793 					    (mp->b_rptr + IPV6_HDR_LEN);
794 				}
795 				if (icmp6->icmp6_type >= MLD_LISTENER_QUERY &&
796 				    icmp6->icmp6_type <= ICMP6_MAX_INFO_TYPE)
797 					return (B_TRUE);
798 			}
799 			src = &ip6h->ip6_src;
800 		}
801 
802 		/*
803 		 * Look up the tnrhtp database and get the implicit label
804 		 * that is associated with this unlabeled host and attach
805 		 * it to the packet.
806 		 */
807 		if ((src_rhtp = find_tpc(src, version, B_FALSE)) == NULL)
808 			return (B_FALSE);
809 
810 		/* If the sender is labeled, drop the unlabeled packet. */
811 		if (src_rhtp->tpc_tp.host_type != UNLABELED) {
812 			TPC_RELE(src_rhtp);
813 			pr_addr_dbg("unlabeled packet forged from %s\n",
814 			    version == IPV4_VERSION ? AF_INET : AF_INET6, src);
815 			return (B_FALSE);
816 		}
817 
818 		sl = src_rhtp->tpc_tp.tp_def_label;
819 		setbltype(&sl, SUN_SL_ID);
820 		doi = src_rhtp->tpc_tp.tp_doi;
821 		TPC_RELE(src_rhtp);
822 		break;
823 
824 	default:
825 		return (B_FALSE);
826 	}
827 
828 	/* Make sure no other thread is messing with this mblk */
829 	ASSERT(DB_REF(mp) == 1);
830 	/* Preserve db_cpid */
831 	credp = msg_extractcred(mp, &cpid);
832 	if (credp == NULL) {
833 		credp = newcred_from_bslabel(&sl, doi, KM_NOSLEEP);
834 	} else {
835 		cred_t	*newcr;
836 
837 		newcr = copycred_from_bslabel(credp, &sl, doi,
838 		    KM_NOSLEEP);
839 		crfree(credp);
840 		credp = newcr;
841 	}
842 	if (credp == NULL)
843 		return (B_FALSE);
844 	mblk_setcred(mp, credp, cpid);
845 	crfree(credp);			/* mblk has ref on cred */
846 
847 	/*
848 	 * If the source was unlabeled, then flag as such,
849 	 * while remembering that CIPSO routers add headers.
850 	 */
851 	if (label_type == OPT_NONE) {
852 		crgetlabel(credp)->tsl_flags |= TSLF_UNLABELED;
853 	} else if (label_type == OPT_CIPSO) {
854 		if ((src_rhtp = find_tpc(src, version, B_FALSE)) == NULL)
855 			return (B_FALSE);
856 		if (src_rhtp->tpc_tp.host_type == UNLABELED)
857 			crgetlabel(credp)->tsl_flags |= TSLF_UNLABELED;
858 		TPC_RELE(src_rhtp);
859 	}
860 
861 	return (B_TRUE);
862 }
863 
864 /*
865  * This routine determines whether the given packet should be accepted locally.
866  * It does a range/set check on the packet's label by looking up the given
867  * address in the remote host database.
868  */
869 boolean_t
870 tsol_receive_local(const mblk_t *mp, const void *addr, uchar_t version,
871     boolean_t shared_addr, const conn_t *connp)
872 {
873 	const cred_t *credp;
874 	ts_label_t *plabel, *conn_plabel;
875 	tsol_tpc_t *tp;
876 	boolean_t retv;
877 	const bslabel_t *label, *conn_label;
878 
879 	/*
880 	 * The cases in which this can happen are:
881 	 *	- IPv6 Router Alert, where ip_rput_data_v6 deliberately skips
882 	 *	  over the label attachment process.
883 	 *	- MLD output looped-back to ourselves.
884 	 *	- IPv4 Router Discovery, where tsol_get_pkt_label intentionally
885 	 *	  avoids the labeling process.
886 	 * We trust that all valid paths in the code set the cred pointer when
887 	 * needed.
888 	 */
889 	if ((credp = msg_getcred(mp, NULL)) == NULL)
890 		return (B_TRUE);
891 
892 	/*
893 	 * If this packet is from the inside (not a remote host) and has the
894 	 * same zoneid as the selected destination, then no checks are
895 	 * necessary.  Membership in the zone is enough proof.  This is
896 	 * intended to be a hot path through this function.
897 	 */
898 	if (!crisremote(credp) &&
899 	    crgetzone(credp) == crgetzone(connp->conn_cred))
900 		return (B_TRUE);
901 
902 	plabel = crgetlabel(credp);
903 	conn_plabel = crgetlabel(connp->conn_cred);
904 	ASSERT(plabel != NULL && conn_plabel != NULL);
905 
906 	label = label2bslabel(plabel);
907 	conn_label = label2bslabel(crgetlabel(connp->conn_cred));
908 
909 	/*
910 	 * MLPs are always validated using the range and set of the local
911 	 * address, even when the remote host is unlabeled.
912 	 */
913 	if (connp->conn_mlp_type == mlptBoth ||
914 	/* LINTED: no consequent */
915 	    connp->conn_mlp_type == (shared_addr ? mlptShared : mlptPrivate)) {
916 		;
917 
918 	/*
919 	 * If this is a packet from an unlabeled sender, then we must apply
920 	 * different rules.  If the label is equal to the zone's label, then
921 	 * it's allowed.  If it's not equal, but the zone is either the global
922 	 * zone or the label is dominated by the zone's label, then allow it
923 	 * as long as it's in the range configured for the destination.
924 	 */
925 	} else if (plabel->tsl_flags & TSLF_UNLABELED) {
926 		if (plabel->tsl_doi == conn_plabel->tsl_doi &&
927 		    blequal(label, conn_label))
928 			return (B_TRUE);
929 
930 		/*
931 		 * conn_zoneid is global for an exclusive stack, thus we use
932 		 * conn_cred to get the zoneid
933 		 */
934 		if (!connp->conn_mac_exempt ||
935 		    (crgetzoneid(connp->conn_cred) != GLOBAL_ZONEID &&
936 		    (plabel->tsl_doi != conn_plabel->tsl_doi ||
937 		    !bldominates(conn_label, label)))) {
938 			DTRACE_PROBE3(
939 			    tx__ip__log__drop__receivelocal__mac_unl,
940 			    char *,
941 			    "unlabeled packet mp(1) fails mac for conn(2)",
942 			    mblk_t *, mp, conn_t *, connp);
943 			return (B_FALSE);
944 		}
945 
946 	/*
947 	 * If this is a packet from a labeled sender, verify the
948 	 * label on the packet matches the connection label.
949 	 */
950 	} else {
951 		if (plabel->tsl_doi != conn_plabel->tsl_doi ||
952 		    !blequal(label, conn_label)) {
953 			DTRACE_PROBE3(tx__ip__log__drop__receivelocal__mac__slp,
954 			    char *,
955 			    "packet mp(1) failed label match to SLP conn(2)",
956 			    mblk_t *, mp, conn_t *, connp);
957 			return (B_FALSE);
958 		}
959 		/*
960 		 * No further checks will be needed if this is a zone-
961 		 * specific address because (1) The process for bringing up
962 		 * the interface ensures the zone's label is within the zone-
963 		 * specific address's valid label range; (2) For cases where
964 		 * the conn is bound to the unspecified addresses, ip fanout
965 		 * logic ensures conn's zoneid equals the dest addr's zoneid;
966 		 * (3) Mac-exempt and mlp logic above already handle all
967 		 * cases where the zone label may not be the same as the
968 		 * conn label.
969 		 */
970 		if (!shared_addr)
971 			return (B_TRUE);
972 	}
973 
974 	tp = find_tpc(addr, version, B_FALSE);
975 	if (tp == NULL) {
976 		DTRACE_PROBE3(tx__ip__log__drop__receivelocal__no__tnr,
977 		    char *, "dropping mp(1), host(2) lacks entry",
978 		    mblk_t *, mp, void *, addr);
979 		return (B_FALSE);
980 	}
981 
982 	/*
983 	 * The local host address should not be unlabeled at this point.  The
984 	 * only way this can happen is that the destination isn't unicast.  We
985 	 * assume that the packet should not have had a label, and thus should
986 	 * have been handled by the TSLF_UNLABELED logic above.
987 	 */
988 	if (tp->tpc_tp.host_type == UNLABELED) {
989 		retv = B_FALSE;
990 		DTRACE_PROBE3(tx__ip__log__drop__receivelocal__flag, char *,
991 		    "mp(1) unlabeled source, but tp is not unlabeled.",
992 		    mblk_t *, mp, tsol_tpc_t *, tp);
993 
994 	} else if (tp->tpc_tp.host_type != SUN_CIPSO) {
995 		retv = B_FALSE;
996 		DTRACE_PROBE3(tx__ip__log__drop__receivelocal__tptype, char *,
997 		    "delivering mp(1), found unrecognized tpc(2) type.",
998 		    mblk_t *, mp, tsol_tpc_t *, tp);
999 
1000 	} else if (plabel->tsl_doi != tp->tpc_tp.tp_doi) {
1001 		retv = B_FALSE;
1002 		DTRACE_PROBE3(tx__ip__log__drop__receivelocal__mac, char *,
1003 		    "mp(1) could not be delievered to tp(2), doi mismatch",
1004 		    mblk_t *, mp, tsol_tpc_t *, tp);
1005 
1006 	} else if (!_blinrange(label, &tp->tpc_tp.tp_sl_range_cipso) &&
1007 	    !blinlset(label, tp->tpc_tp.tp_sl_set_cipso)) {
1008 		retv = B_FALSE;
1009 		DTRACE_PROBE3(tx__ip__log__drop__receivelocal__mac, char *,
1010 		    "mp(1) could not be delievered to tp(2), bad mac",
1011 		    mblk_t *, mp, tsol_tpc_t *, tp);
1012 	} else {
1013 		retv = B_TRUE;
1014 	}
1015 
1016 	TPC_RELE(tp);
1017 
1018 	return (retv);
1019 }
1020 
1021 boolean_t
1022 tsol_can_accept_raw(mblk_t *mp, boolean_t check_host)
1023 {
1024 	ts_label_t	*plabel = NULL;
1025 	tsol_tpc_t	*src_rhtp, *dst_rhtp;
1026 	boolean_t	retv;
1027 	cred_t		*credp;
1028 
1029 	credp = msg_getcred(mp, NULL);
1030 	if (credp != NULL)
1031 		plabel = crgetlabel(credp);
1032 
1033 	/* We are bootstrapping or the internal template was never deleted */
1034 	if (plabel == NULL)
1035 		return (B_TRUE);
1036 
1037 	if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
1038 		ipha_t *ipha = (ipha_t *)mp->b_rptr;
1039 
1040 		src_rhtp = find_tpc(&ipha->ipha_src, IPV4_VERSION,
1041 		    B_FALSE);
1042 		if (src_rhtp == NULL)
1043 			return (B_FALSE);
1044 		dst_rhtp = find_tpc(&ipha->ipha_dst, IPV4_VERSION,
1045 		    B_FALSE);
1046 	} else {
1047 		ip6_t *ip6h = (ip6_t *)mp->b_rptr;
1048 
1049 		src_rhtp = find_tpc(&ip6h->ip6_src, IPV6_VERSION,
1050 		    B_FALSE);
1051 		if (src_rhtp == NULL)
1052 			return (B_FALSE);
1053 		dst_rhtp = find_tpc(&ip6h->ip6_dst, IPV6_VERSION,
1054 		    B_FALSE);
1055 	}
1056 	if (dst_rhtp == NULL) {
1057 		TPC_RELE(src_rhtp);
1058 		return (B_FALSE);
1059 	}
1060 
1061 	if (label2doi(plabel) != src_rhtp->tpc_tp.tp_doi) {
1062 		retv = B_FALSE;
1063 
1064 	/*
1065 	 * Check that the packet's label is in the correct range for labeled
1066 	 * sender, or is equal to the default label for unlabeled sender.
1067 	 */
1068 	} else if ((src_rhtp->tpc_tp.host_type != UNLABELED &&
1069 	    !_blinrange(label2bslabel(plabel),
1070 	    &src_rhtp->tpc_tp.tp_sl_range_cipso) &&
1071 	    !blinlset(label2bslabel(plabel),
1072 	    src_rhtp->tpc_tp.tp_sl_set_cipso)) ||
1073 	    (src_rhtp->tpc_tp.host_type == UNLABELED &&
1074 	    !blequal(&plabel->tsl_label, &src_rhtp->tpc_tp.tp_def_label))) {
1075 		retv = B_FALSE;
1076 
1077 	} else if (check_host) {
1078 		retv = B_TRUE;
1079 
1080 	/*
1081 	 * Until we have SL range in the Zone structure, pass it
1082 	 * when our own address lookup returned an internal entry.
1083 	 */
1084 	} else switch (dst_rhtp->tpc_tp.host_type) {
1085 	case UNLABELED:
1086 		retv = B_TRUE;
1087 		break;
1088 
1089 	case SUN_CIPSO:
1090 		retv = _blinrange(label2bslabel(plabel),
1091 		    &dst_rhtp->tpc_tp.tp_sl_range_cipso) ||
1092 		    blinlset(label2bslabel(plabel),
1093 		    dst_rhtp->tpc_tp.tp_sl_set_cipso);
1094 		break;
1095 
1096 	default:
1097 		retv = B_FALSE;
1098 	}
1099 	TPC_RELE(src_rhtp);
1100 	TPC_RELE(dst_rhtp);
1101 	return (retv);
1102 }
1103 
1104 /*
1105  * This routine determines whether a response to a failed packet delivery or
1106  * connection should be sent back.  By default, the policy is to allow such
1107  * messages to be sent at all times, as these messages reveal little useful
1108  * information and are healthy parts of TCP/IP networking.
1109  *
1110  * If tsol_strict_error is set, then we do strict tests: if the packet label is
1111  * within the label range/set of this host/zone, return B_TRUE; otherwise
1112  * return B_FALSE, which causes the packet to be dropped silently.
1113  *
1114  * Note that tsol_get_pkt_label will cause the packet to drop if the sender is
1115  * marked as labeled in the remote host database, but the packet lacks a label.
1116  * This means that we don't need to do a lookup on the source; the
1117  * TSLF_UNLABELED flag is sufficient.
1118  */
1119 boolean_t
1120 tsol_can_reply_error(const mblk_t *mp)
1121 {
1122 	ts_label_t	*plabel = NULL;
1123 	tsol_tpc_t	*rhtp;
1124 	const ipha_t	*ipha;
1125 	const ip6_t	*ip6h;
1126 	boolean_t	retv;
1127 	bslabel_t	*pktbs;
1128 	cred_t		*credp;
1129 
1130 	/* Caller must pull up at least the IP header */
1131 	ASSERT(MBLKL(mp) >= (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION ?
1132 	    sizeof (*ipha) : sizeof (*ip6h)));
1133 
1134 	if (!tsol_strict_error)
1135 		return (B_TRUE);
1136 
1137 	credp = msg_getcred(mp, NULL);
1138 	if (credp != NULL)
1139 		plabel = crgetlabel(credp);
1140 
1141 	/* We are bootstrapping or the internal template was never deleted */
1142 	if (plabel == NULL)
1143 		return (B_TRUE);
1144 
1145 	if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
1146 		ipha = (const ipha_t *)mp->b_rptr;
1147 		rhtp = find_tpc(&ipha->ipha_dst, IPV4_VERSION, B_FALSE);
1148 	} else {
1149 		ip6h = (const ip6_t *)mp->b_rptr;
1150 		rhtp = find_tpc(&ip6h->ip6_dst, IPV6_VERSION, B_FALSE);
1151 	}
1152 
1153 	if (rhtp == NULL || label2doi(plabel) != rhtp->tpc_tp.tp_doi) {
1154 		retv = B_FALSE;
1155 	} else {
1156 		/*
1157 		 * If we're in the midst of forwarding, then the destination
1158 		 * address might not be labeled.  In that case, allow unlabeled
1159 		 * packets through only if the default label is the same, and
1160 		 * labeled ones if they dominate.
1161 		 */
1162 		pktbs = label2bslabel(plabel);
1163 		switch (rhtp->tpc_tp.host_type) {
1164 		case UNLABELED:
1165 			if (plabel->tsl_flags & TSLF_UNLABELED) {
1166 				retv = blequal(pktbs,
1167 				    &rhtp->tpc_tp.tp_def_label);
1168 			} else {
1169 				retv = bldominates(pktbs,
1170 				    &rhtp->tpc_tp.tp_def_label);
1171 			}
1172 			break;
1173 
1174 		case SUN_CIPSO:
1175 			retv = _blinrange(pktbs,
1176 			    &rhtp->tpc_tp.tp_sl_range_cipso) ||
1177 			    blinlset(pktbs, rhtp->tpc_tp.tp_sl_set_cipso);
1178 			break;
1179 
1180 		default:
1181 			retv = B_FALSE;
1182 			break;
1183 		}
1184 	}
1185 
1186 	if (rhtp != NULL)
1187 		TPC_RELE(rhtp);
1188 
1189 	return (retv);
1190 }
1191 
1192 /*
1193  * Finds the zone associated with the given packet.  Returns GLOBAL_ZONEID if
1194  * the zone cannot be located.
1195  *
1196  * This is used by the classifier when the packet matches an ALL_ZONES IRE, and
1197  * there's no MLP defined.
1198  *
1199  * Note that we assume that this is only invoked in the ALL_ZONES case.
1200  * Handling other cases would require handle exclusive stack zones where either
1201  * this routine or the callers would have to map from
1202  * the zoneid (zone->zone_id) to what IP uses in conn_zoneid etc.
1203  */
1204 zoneid_t
1205 tsol_packet_to_zoneid(const mblk_t *mp)
1206 {
1207 	cred_t *cr = msg_getcred(mp, NULL);
1208 	zone_t *zone;
1209 	ts_label_t *label;
1210 
1211 	if (cr != NULL) {
1212 		if ((label = crgetlabel(cr)) != NULL) {
1213 			zone = zone_find_by_label(label);
1214 			if (zone != NULL) {
1215 				zoneid_t zoneid = zone->zone_id;
1216 
1217 				zone_rele(zone);
1218 				return (zoneid);
1219 			}
1220 		}
1221 	}
1222 	return (GLOBAL_ZONEID);
1223 }
1224 
1225 int
1226 tsol_ire_match_gwattr(ire_t *ire, const ts_label_t *tsl)
1227 {
1228 	int		error = 0;
1229 	tsol_ire_gw_secattr_t *attrp = NULL;
1230 	tsol_tnrhc_t	*gw_rhc = NULL;
1231 	tsol_gcgrp_t	*gcgrp = NULL;
1232 	tsol_gc_t	*gc = NULL;
1233 	in_addr_t	ga_addr4;
1234 	void		*paddr = NULL;
1235 
1236 	/* Not in Trusted mode or IRE is local/loopback/broadcast/interface */
1237 	if (!is_system_labeled() ||
1238 	    (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK | IRE_BROADCAST |
1239 	    IRE_INTERFACE)))
1240 		goto done;
1241 
1242 	/*
1243 	 * If we don't have a label to compare with, or the IRE does not
1244 	 * contain any gateway security attributes, there's not much that
1245 	 * we can do.  We let the former case pass, and the latter fail,
1246 	 * since the IRE doesn't qualify for a match due to the lack of
1247 	 * security attributes.
1248 	 */
1249 	if (tsl == NULL || ire->ire_gw_secattr == NULL) {
1250 		if (tsl != NULL) {
1251 			DTRACE_PROBE3(tx__ip__log__drop__irematch__nogwsec,
1252 			    char *,
1253 			    "ire(1) lacks ire_gw_secattr matching label(2)",
1254 			    ire_t *, ire, ts_label_t *, tsl);
1255 			error = EACCES;
1256 		}
1257 		goto done;
1258 	}
1259 
1260 	attrp = ire->ire_gw_secattr;
1261 
1262 	/*
1263 	 * The possible lock order scenarios related to the tsol gateway
1264 	 * attribute locks are documented at the beginning of ip.c in the
1265 	 * lock order scenario section.
1266 	 */
1267 	mutex_enter(&attrp->igsa_lock);
1268 
1269 	/*
1270 	 * Depending on the IRE type (prefix vs. cache), we seek the group
1271 	 * structure which contains all security credentials of the gateway.
1272 	 * A prefix IRE is associated with at most one gateway credential,
1273 	 * while a cache IRE is associated with every credentials that the
1274 	 * gateway has.
1275 	 */
1276 	if ((gc = attrp->igsa_gc) != NULL) {			/* prefix */
1277 		gcgrp = gc->gc_grp;
1278 		ASSERT(gcgrp != NULL);
1279 		rw_enter(&gcgrp->gcgrp_rwlock, RW_READER);
1280 	} else if ((gcgrp = attrp->igsa_gcgrp) != NULL) {	/* cache */
1281 		rw_enter(&gcgrp->gcgrp_rwlock, RW_READER);
1282 		gc = gcgrp->gcgrp_head;
1283 		if (gc == NULL) {
1284 			/* gc group is empty, so the drop lock now */
1285 			ASSERT(gcgrp->gcgrp_count == 0);
1286 			rw_exit(&gcgrp->gcgrp_rwlock);
1287 			gcgrp = NULL;
1288 		}
1289 	}
1290 
1291 	if (gcgrp != NULL)
1292 		GCGRP_REFHOLD(gcgrp);
1293 
1294 	if ((gw_rhc = attrp->igsa_rhc) != NULL) {
1295 		/*
1296 		 * If our cached entry has grown stale, then discard it so we
1297 		 * can get a new one.
1298 		 */
1299 		if (gw_rhc->rhc_invalid || gw_rhc->rhc_tpc->tpc_invalid) {
1300 			TNRHC_RELE(gw_rhc);
1301 			attrp->igsa_rhc = gw_rhc = NULL;
1302 		} else {
1303 			TNRHC_HOLD(gw_rhc)
1304 		}
1305 	}
1306 
1307 	/* Last attempt at loading the template had failed; try again */
1308 	if (gw_rhc == NULL) {
1309 		if (gcgrp != NULL) {
1310 			tsol_gcgrp_addr_t *ga = &gcgrp->gcgrp_addr;
1311 
1312 			if (ire->ire_ipversion == IPV4_VERSION) {
1313 				ASSERT(ga->ga_af == AF_INET);
1314 				IN6_V4MAPPED_TO_IPADDR(&ga->ga_addr, ga_addr4);
1315 				paddr = &ga_addr4;
1316 			} else {
1317 				ASSERT(ga->ga_af == AF_INET6);
1318 				paddr = &ga->ga_addr;
1319 			}
1320 		} else if (ire->ire_ipversion == IPV6_VERSION &&
1321 		    !IN6_IS_ADDR_UNSPECIFIED(&ire->ire_gateway_addr_v6)) {
1322 			paddr = &ire->ire_gateway_addr_v6;
1323 		} else if (ire->ire_ipversion == IPV4_VERSION &&
1324 		    ire->ire_gateway_addr != INADDR_ANY) {
1325 			paddr = &ire->ire_gateway_addr;
1326 		}
1327 
1328 		/* We've found a gateway address to do the template lookup */
1329 		if (paddr != NULL) {
1330 			ASSERT(gw_rhc == NULL);
1331 			gw_rhc = find_rhc(paddr, ire->ire_ipversion, B_FALSE);
1332 			if (gw_rhc != NULL) {
1333 				/*
1334 				 * Note that if the lookup above returned an
1335 				 * internal template, we'll use it for the
1336 				 * time being, and do another lookup next
1337 				 * time around.
1338 				 */
1339 				/* Another thread has loaded the template? */
1340 				if (attrp->igsa_rhc != NULL) {
1341 					TNRHC_RELE(gw_rhc)
1342 					/* reload, it could be different */
1343 					gw_rhc = attrp->igsa_rhc;
1344 				} else {
1345 					attrp->igsa_rhc = gw_rhc;
1346 				}
1347 				/*
1348 				 * Hold an extra reference just like we did
1349 				 * above prior to dropping the igsa_lock.
1350 				 */
1351 				TNRHC_HOLD(gw_rhc)
1352 			}
1353 		}
1354 	}
1355 
1356 	mutex_exit(&attrp->igsa_lock);
1357 	/* Gateway template not found */
1358 	if (gw_rhc == NULL) {
1359 		/*
1360 		 * If destination address is directly reachable through an
1361 		 * interface rather than through a learned route, pass it.
1362 		 */
1363 		if (paddr != NULL) {
1364 			DTRACE_PROBE3(
1365 			    tx__ip__log__drop__irematch__nogwtmpl, char *,
1366 			    "ire(1), label(2) off-link with no gw_rhc",
1367 			    ire_t *, ire, ts_label_t *, tsl);
1368 			error = EINVAL;
1369 		}
1370 		goto done;
1371 	}
1372 
1373 	if (gc != NULL) {
1374 		tsol_gcdb_t *gcdb;
1375 		/*
1376 		 * In the case of IRE_CACHE we've got one or more gateway
1377 		 * security credentials to compare against the passed in label.
1378 		 * Perform label range comparison against each security
1379 		 * credential of the gateway. In the case of a prefix ire
1380 		 * we need to match against the security attributes of
1381 		 * just the route itself, so the loop is executed only once.
1382 		 */
1383 		ASSERT(gcgrp != NULL);
1384 		do {
1385 			gcdb = gc->gc_db;
1386 			if (tsl->tsl_doi == gcdb->gcdb_doi &&
1387 			    _blinrange(&tsl->tsl_label, &gcdb->gcdb_slrange))
1388 				break;
1389 			if (ire->ire_type == IRE_CACHE)
1390 				gc = gc->gc_next;
1391 			else
1392 				gc = NULL;
1393 		} while (gc != NULL);
1394 
1395 		if (gc == NULL) {
1396 			DTRACE_PROBE3(
1397 			    tx__ip__log__drop__irematch__nogcmatched,
1398 			    char *, "ire(1), tsl(2): all gc failed match",
1399 			    ire_t *, ire, ts_label_t *, tsl);
1400 			error = EACCES;
1401 		}
1402 	} else {
1403 		/*
1404 		 * We didn't find any gateway credentials in the IRE
1405 		 * attributes; fall back to the gateway's template for
1406 		 * label range checks, if we are required to do so.
1407 		 */
1408 		ASSERT(gw_rhc != NULL);
1409 		switch (gw_rhc->rhc_tpc->tpc_tp.host_type) {
1410 		case SUN_CIPSO:
1411 			if (tsl->tsl_doi != gw_rhc->rhc_tpc->tpc_tp.tp_doi ||
1412 			    (!_blinrange(&tsl->tsl_label,
1413 			    &gw_rhc->rhc_tpc->tpc_tp.tp_sl_range_cipso) &&
1414 			    !blinlset(&tsl->tsl_label,
1415 			    gw_rhc->rhc_tpc->tpc_tp.tp_sl_set_cipso))) {
1416 				error = EACCES;
1417 				DTRACE_PROBE4(
1418 				    tx__ip__log__drop__irematch__deftmpl,
1419 				    char *, "ire(1), tsl(2), gw_rhc(3) "
1420 				    "failed match (cipso gw)",
1421 				    ire_t *, ire, ts_label_t *, tsl,
1422 				    tsol_tnrhc_t *, gw_rhc);
1423 			}
1424 			break;
1425 
1426 		case UNLABELED:
1427 			if (tsl->tsl_doi != gw_rhc->rhc_tpc->tpc_tp.tp_doi ||
1428 			    (!_blinrange(&tsl->tsl_label,
1429 			    &gw_rhc->rhc_tpc->tpc_tp.tp_gw_sl_range) &&
1430 			    !blinlset(&tsl->tsl_label,
1431 			    gw_rhc->rhc_tpc->tpc_tp.tp_gw_sl_set))) {
1432 				error = EACCES;
1433 				DTRACE_PROBE4(
1434 				    tx__ip__log__drop__irematch__deftmpl,
1435 				    char *, "ire(1), tsl(2), gw_rhc(3) "
1436 				    "failed match (unlabeled gw)",
1437 				    ire_t *, ire, ts_label_t *, tsl,
1438 				    tsol_tnrhc_t *, gw_rhc);
1439 			}
1440 			break;
1441 		}
1442 	}
1443 
1444 done:
1445 
1446 	if (gcgrp != NULL) {
1447 		rw_exit(&gcgrp->gcgrp_rwlock);
1448 		GCGRP_REFRELE(gcgrp);
1449 	}
1450 
1451 	if (gw_rhc != NULL)
1452 		TNRHC_RELE(gw_rhc)
1453 
1454 	return (error);
1455 }
1456 
1457 /*
1458  * Performs label accreditation checks for packet forwarding.
1459  *
1460  * Returns a pointer to the modified mblk if allowed for forwarding,
1461  * or NULL if the packet must be dropped.
1462  */
1463 mblk_t *
1464 tsol_ip_forward(ire_t *ire, mblk_t *mp)
1465 {
1466 	tsol_ire_gw_secattr_t *attrp = NULL;
1467 	ipha_t		*ipha;
1468 	ip6_t		*ip6h;
1469 	const void	*pdst;
1470 	const void	*psrc;
1471 	boolean_t	off_link;
1472 	tsol_tpc_t	*dst_rhtp, *gw_rhtp;
1473 	tsol_ip_label_t label_type;
1474 	uchar_t		*opt_ptr = NULL;
1475 	ts_label_t	*tsl;
1476 	uint8_t		proto;
1477 	int		af, adjust;
1478 	uint16_t	iplen;
1479 	boolean_t	need_tpc_rele = B_FALSE;
1480 	ipaddr_t	*gw;
1481 	ip_stack_t	*ipst = ire->ire_ipst;
1482 	cred_t		*credp;
1483 	pid_t		pid;
1484 
1485 	ASSERT(ire != NULL && mp != NULL);
1486 	ASSERT(ire->ire_stq != NULL);
1487 
1488 	af = (ire->ire_ipversion == IPV4_VERSION) ? AF_INET : AF_INET6;
1489 
1490 	if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
1491 		ASSERT(ire->ire_ipversion == IPV4_VERSION);
1492 		ipha = (ipha_t *)mp->b_rptr;
1493 		psrc = &ipha->ipha_src;
1494 		pdst = &ipha->ipha_dst;
1495 		proto = ipha->ipha_protocol;
1496 
1497 		/*
1498 		 * off_link is TRUE if destination not directly reachable.
1499 		 * Surya note: we avoid creation of per-dst IRE_CACHE entries
1500 		 * for forwarded packets, so we set off_link to be TRUE
1501 		 * if the packet dst is different from the ire_addr of
1502 		 * the ire for the nexthop.
1503 		 */
1504 		off_link = ((ipha->ipha_dst != ire->ire_addr) ||
1505 		    (ire->ire_gateway_addr != INADDR_ANY));
1506 	} else {
1507 		ASSERT(ire->ire_ipversion == IPV6_VERSION);
1508 		ip6h = (ip6_t *)mp->b_rptr;
1509 		psrc = &ip6h->ip6_src;
1510 		pdst = &ip6h->ip6_dst;
1511 		proto = ip6h->ip6_nxt;
1512 
1513 		if (proto != IPPROTO_TCP && proto != IPPROTO_UDP &&
1514 		    proto != IPPROTO_ICMPV6) {
1515 			uint8_t *nexthdrp;
1516 			uint16_t hdr_len;
1517 
1518 			if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &hdr_len,
1519 			    &nexthdrp)) {
1520 				/* malformed packet; drop it */
1521 				return (NULL);
1522 			}
1523 			proto = *nexthdrp;
1524 		}
1525 
1526 		/* destination not directly reachable? */
1527 		off_link = !IN6_IS_ADDR_UNSPECIFIED(&ire->ire_gateway_addr_v6);
1528 	}
1529 
1530 	if ((tsl = msg_getlabel(mp)) == NULL)
1531 		return (mp);
1532 
1533 	label_type = tsol_get_option(mp, &opt_ptr);
1534 
1535 	ASSERT(psrc != NULL && pdst != NULL);
1536 	dst_rhtp = find_tpc(pdst, ire->ire_ipversion, B_FALSE);
1537 
1538 	if (dst_rhtp == NULL) {
1539 		/*
1540 		 * Without a template we do not know if forwarding
1541 		 * violates MAC
1542 		 */
1543 		DTRACE_PROBE3(tx__ip__log__drop__forward__nodst, char *,
1544 		    "mp(1) dropped, no template for destination ip4|6(2)",
1545 		    mblk_t *, mp, void *, pdst);
1546 		return (NULL);
1547 	}
1548 
1549 	/*
1550 	 * Gateway template must have existed for off-link destinations,
1551 	 * since tsol_ire_match_gwattr has ensured such condition.
1552 	 */
1553 	if (ire->ire_ipversion == IPV4_VERSION && off_link) {
1554 		/*
1555 		 * Surya note: first check if we can get the gw_rhtp from
1556 		 * the ire_gw_secattr->igsa_rhc; if this is null, then
1557 		 * do a lookup based on the ire_addr (address of gw)
1558 		 */
1559 		if (ire->ire_gw_secattr != NULL &&
1560 		    ire->ire_gw_secattr->igsa_rhc != NULL) {
1561 			attrp = ire->ire_gw_secattr;
1562 			gw_rhtp = attrp->igsa_rhc->rhc_tpc;
1563 		} else  {
1564 			/*
1565 			 * use the ire_addr if this is the IRE_CACHE of nexthop
1566 			 */
1567 			gw = (ire->ire_gateway_addr == NULL? &ire->ire_addr :
1568 			    &ire->ire_gateway_addr);
1569 			gw_rhtp = find_tpc(gw, ire->ire_ipversion, B_FALSE);
1570 			need_tpc_rele = B_TRUE;
1571 		}
1572 		if (gw_rhtp == NULL) {
1573 			DTRACE_PROBE3(tx__ip__log__drop__forward__nogw, char *,
1574 			    "mp(1) dropped, no gateway in ire attributes(2)",
1575 			    mblk_t *, mp, tsol_ire_gw_secattr_t *, attrp);
1576 			mp = NULL;
1577 			goto keep_label;
1578 		}
1579 	}
1580 	if (ire->ire_ipversion == IPV6_VERSION &&
1581 	    ((attrp = ire->ire_gw_secattr) == NULL || attrp->igsa_rhc == NULL ||
1582 	    (gw_rhtp = attrp->igsa_rhc->rhc_tpc) == NULL) && off_link) {
1583 		DTRACE_PROBE3(tx__ip__log__drop__forward__nogw, char *,
1584 		    "mp(1) dropped, no gateway in ire attributes(2)",
1585 		    mblk_t *, mp, tsol_ire_gw_secattr_t *, attrp);
1586 		mp = NULL;
1587 		goto keep_label;
1588 	}
1589 
1590 	/*
1591 	 * Check that the label for the packet is acceptable
1592 	 * by destination host; otherwise, drop it.
1593 	 */
1594 	switch (dst_rhtp->tpc_tp.host_type) {
1595 	case SUN_CIPSO:
1596 		if (tsl->tsl_doi != dst_rhtp->tpc_tp.tp_doi ||
1597 		    (!_blinrange(&tsl->tsl_label,
1598 		    &dst_rhtp->tpc_tp.tp_sl_range_cipso) &&
1599 		    !blinlset(&tsl->tsl_label,
1600 		    dst_rhtp->tpc_tp.tp_sl_set_cipso))) {
1601 			DTRACE_PROBE4(tx__ip__log__drop__forward__mac, char *,
1602 			    "labeled packet mp(1) dropped, label(2) fails "
1603 			    "destination(3) accredation check",
1604 			    mblk_t *, mp, ts_label_t *, tsl,
1605 			    tsol_tpc_t *, dst_rhtp);
1606 			mp = NULL;
1607 			goto keep_label;
1608 		}
1609 		break;
1610 
1611 
1612 	case UNLABELED:
1613 		if (tsl->tsl_doi != dst_rhtp->tpc_tp.tp_doi ||
1614 		    !blequal(&dst_rhtp->tpc_tp.tp_def_label,
1615 		    &tsl->tsl_label)) {
1616 			DTRACE_PROBE4(tx__ip__log__drop__forward__mac, char *,
1617 			    "unlabeled packet mp(1) dropped, label(2) fails "
1618 			    "destination(3) accredation check",
1619 			    mblk_t *, mp, ts_label_t *, tsl,
1620 			    tsol_tpc_t *, dst_rhtp);
1621 			mp = NULL;
1622 			goto keep_label;
1623 		}
1624 		break;
1625 	}
1626 	if (label_type == OPT_CIPSO) {
1627 		/*
1628 		 * We keep the label on any of the following cases:
1629 		 *
1630 		 *   1. The destination is labeled (on/off-link).
1631 		 *   2. The unlabeled destination is off-link,
1632 		 *	and the next hop gateway is labeled.
1633 		 */
1634 		if (dst_rhtp->tpc_tp.host_type != UNLABELED ||
1635 		    (off_link &&
1636 		    gw_rhtp->tpc_tp.host_type != UNLABELED))
1637 			goto keep_label;
1638 
1639 		/*
1640 		 * Strip off the CIPSO option from the packet because: the
1641 		 * unlabeled destination host is directly reachable through
1642 		 * an interface (on-link); or, the unlabeled destination host
1643 		 * is not directly reachable (off-link), and the next hop
1644 		 * gateway is unlabeled.
1645 		 */
1646 		adjust = (af == AF_INET) ? tsol_remove_secopt(ipha, MBLKL(mp)) :
1647 		    tsol_remove_secopt_v6(ip6h, MBLKL(mp));
1648 
1649 		ASSERT(adjust <= 0);
1650 		if (adjust != 0) {
1651 
1652 			/* adjust is negative */
1653 			ASSERT((mp->b_wptr + adjust) >= mp->b_rptr);
1654 			mp->b_wptr += adjust;
1655 
1656 			if (af == AF_INET) {
1657 				ipha = (ipha_t *)mp->b_rptr;
1658 				iplen = ntohs(ipha->ipha_length) + adjust;
1659 				ipha->ipha_length = htons(iplen);
1660 				ipha->ipha_hdr_checksum = 0;
1661 				ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
1662 			}
1663 			DTRACE_PROBE3(tx__ip__log__info__forward__adjust,
1664 			    char *,
1665 			    "mp(1) adjusted(2) for CIPSO option removal",
1666 			    mblk_t *, mp, int, adjust);
1667 		}
1668 		goto keep_label;
1669 	}
1670 
1671 	ASSERT(label_type == OPT_NONE);
1672 	ASSERT(dst_rhtp != NULL);
1673 
1674 	/*
1675 	 * We need to add CIPSO option if the destination or the next hop
1676 	 * gateway is labeled.  Otherwise, pass the packet as is.
1677 	 */
1678 	if (dst_rhtp->tpc_tp.host_type == UNLABELED &&
1679 	    (!off_link || gw_rhtp->tpc_tp.host_type == UNLABELED))
1680 		goto keep_label;
1681 
1682 
1683 	credp = msg_getcred(mp, &pid);
1684 	if ((af == AF_INET &&
1685 	    tsol_check_label(credp, &mp, B_FALSE, ipst, pid) != 0) ||
1686 	    (af == AF_INET6 &&
1687 	    tsol_check_label_v6(credp, &mp, B_FALSE, ipst, pid) != 0)) {
1688 		mp = NULL;
1689 		goto keep_label;
1690 	}
1691 
1692 	if (af == AF_INET) {
1693 		ipha = (ipha_t *)mp->b_rptr;
1694 		ipha->ipha_hdr_checksum = 0;
1695 		ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
1696 	}
1697 
1698 keep_label:
1699 	TPC_RELE(dst_rhtp);
1700 	if (need_tpc_rele && gw_rhtp != NULL)
1701 		TPC_RELE(gw_rhtp);
1702 	return (mp);
1703 }
1704 
1705 /*
1706  * Name:	tsol_pmtu_adjust()
1707  *
1708  * Returns the adjusted mtu after removing security option.
1709  * Removes/subtracts the option if the packet's cred indicates an unlabeled
1710  * sender or if pkt_diff indicates this system enlarged the packet.
1711  */
1712 uint32_t
1713 tsol_pmtu_adjust(mblk_t *mp, uint32_t mtu, int pkt_diff, int af)
1714 {
1715 	int		label_adj = 0;
1716 	uint32_t	min_mtu = IP_MIN_MTU;
1717 	tsol_tpc_t	*src_rhtp;
1718 	void		*src;
1719 
1720 	/*
1721 	 * Note: label_adj is non-positive, indicating the number of
1722 	 * bytes removed by removing the security option from the
1723 	 * header.
1724 	 */
1725 	if (af == AF_INET6) {
1726 		ip6_t	*ip6h;
1727 
1728 		min_mtu = IPV6_MIN_MTU;
1729 		ip6h = (ip6_t *)mp->b_rptr;
1730 		src = &ip6h->ip6_src;
1731 		if ((src_rhtp = find_tpc(src, IPV6_VERSION, B_FALSE)) == NULL)
1732 			return (mtu);
1733 		if (pkt_diff > 0 || src_rhtp->tpc_tp.host_type == UNLABELED) {
1734 			label_adj = tsol_remove_secopt_v6(
1735 			    (ip6_t *)mp->b_rptr, MBLKL(mp));
1736 		}
1737 	} else {
1738 		ipha_t    *ipha;
1739 
1740 		ASSERT(af == AF_INET);
1741 		ipha = (ipha_t *)mp->b_rptr;
1742 		src = &ipha->ipha_src;
1743 		if ((src_rhtp = find_tpc(src, IPV4_VERSION, B_FALSE)) == NULL)
1744 			return (mtu);
1745 		if (pkt_diff > 0 || src_rhtp->tpc_tp.host_type == UNLABELED)
1746 			label_adj = tsol_remove_secopt(
1747 			    (ipha_t *)mp->b_rptr, MBLKL(mp));
1748 	}
1749 	/*
1750 	 * Make pkt_diff non-negative and the larger of the bytes
1751 	 * previously added (if any) or just removed, since label
1752 	 * addition + subtraction may not be completely idempotent.
1753 	 */
1754 	if (pkt_diff < -label_adj)
1755 		pkt_diff = -label_adj;
1756 	if (pkt_diff > 0 && pkt_diff < mtu)
1757 		mtu -= pkt_diff;
1758 
1759 	TPC_RELE(src_rhtp);
1760 	return (MAX(mtu, min_mtu));
1761 }
1762 
1763 /*
1764  * Name:	tsol_rtsa_init()
1765  *
1766  * Normal:	Sanity checks on the route security attributes provided by
1767  *		user.  Convert it into a route security parameter list to
1768  *		be returned to caller.
1769  *
1770  * Output:	EINVAL if bad security attributes in the routing message
1771  *		ENOMEM if unable to allocate data structures
1772  *		0 otherwise.
1773  *
1774  * Note:	On input, cp must point to the end of any addresses in
1775  *		the rt_msghdr_t structure.
1776  */
1777 int
1778 tsol_rtsa_init(rt_msghdr_t *rtm, tsol_rtsecattr_t *sp, caddr_t cp)
1779 {
1780 	uint_t	sacnt;
1781 	int	err;
1782 	caddr_t	lim;
1783 	tsol_rtsecattr_t *tp;
1784 
1785 	ASSERT((cp >= (caddr_t)&rtm[1]) && sp != NULL);
1786 
1787 	/*
1788 	 * In theory, we could accept as many security attributes configured
1789 	 * per route destination.  However, the current design is limited
1790 	 * such that at most only one set security attributes is allowed to
1791 	 * be associated with a prefix IRE.  We therefore assert for now.
1792 	 */
1793 	/* LINTED */
1794 	ASSERT(TSOL_RTSA_REQUEST_MAX == 1);
1795 
1796 	sp->rtsa_cnt = 0;
1797 	lim = (caddr_t)rtm + rtm->rtm_msglen;
1798 	ASSERT(cp <= lim);
1799 
1800 	if ((lim - cp) < sizeof (rtm_ext_t) ||
1801 	    ((rtm_ext_t *)cp)->rtmex_type != RTMEX_GATEWAY_SECATTR)
1802 		return (0);
1803 
1804 	if (((rtm_ext_t *)cp)->rtmex_len < sizeof (tsol_rtsecattr_t))
1805 		return (EINVAL);
1806 
1807 	cp += sizeof (rtm_ext_t);
1808 
1809 	if ((lim - cp) < sizeof (*tp) ||
1810 	    (tp = (tsol_rtsecattr_t *)cp, (sacnt = tp->rtsa_cnt) == 0) ||
1811 	    (lim - cp) < TSOL_RTSECATTR_SIZE(sacnt))
1812 		return (EINVAL);
1813 
1814 	/*
1815 	 * Trying to add route security attributes when system
1816 	 * labeling service is not available, or when user supllies
1817 	 * more than the maximum number of security attributes
1818 	 * allowed per request.
1819 	 */
1820 	if ((sacnt > 0 && !is_system_labeled()) ||
1821 	    sacnt > TSOL_RTSA_REQUEST_MAX)
1822 		return (EINVAL);
1823 
1824 	/* Ensure valid credentials */
1825 	if ((err = rtsa_validate(&((tsol_rtsecattr_t *)cp)->
1826 	    rtsa_attr[0])) != 0) {
1827 		cp += sizeof (*sp);
1828 		return (err);
1829 	}
1830 
1831 	bcopy(cp, sp, sizeof (*sp));
1832 	cp += sizeof (*sp);
1833 	return (0);
1834 }
1835 
1836 int
1837 tsol_ire_init_gwattr(ire_t *ire, uchar_t ipversion, tsol_gc_t *gc,
1838     tsol_gcgrp_t *gcgrp)
1839 {
1840 	tsol_ire_gw_secattr_t *attrp;
1841 	boolean_t exists = B_FALSE;
1842 	in_addr_t ga_addr4;
1843 	void *paddr = NULL;
1844 
1845 	ASSERT(ire != NULL);
1846 
1847 	/*
1848 	 * The only time that attrp can be NULL is when this routine is
1849 	 * called for the first time during the creation/initialization
1850 	 * of the corresponding IRE.  It will only get cleared when the
1851 	 * IRE is deleted.
1852 	 */
1853 	if ((attrp = ire->ire_gw_secattr) == NULL) {
1854 		attrp = ire_gw_secattr_alloc(KM_NOSLEEP);
1855 		if (attrp == NULL)
1856 			return (ENOMEM);
1857 		ire->ire_gw_secattr = attrp;
1858 	} else {
1859 		exists = B_TRUE;
1860 		mutex_enter(&attrp->igsa_lock);
1861 
1862 		if (attrp->igsa_rhc != NULL) {
1863 			TNRHC_RELE(attrp->igsa_rhc);
1864 			attrp->igsa_rhc = NULL;
1865 		}
1866 
1867 		if (attrp->igsa_gc != NULL)
1868 			GC_REFRELE(attrp->igsa_gc);
1869 		if (attrp->igsa_gcgrp != NULL)
1870 			GCGRP_REFRELE(attrp->igsa_gcgrp);
1871 	}
1872 	ASSERT(!exists || MUTEX_HELD(&attrp->igsa_lock));
1873 
1874 	/*
1875 	 * References already held by caller and we keep them;
1876 	 * note that both gc and gcgrp may be set to NULL to
1877 	 * clear out igsa_gc and igsa_gcgrp, respectively.
1878 	 */
1879 	attrp->igsa_gc = gc;
1880 	attrp->igsa_gcgrp = gcgrp;
1881 
1882 	if (gcgrp == NULL && gc != NULL) {
1883 		gcgrp = gc->gc_grp;
1884 		ASSERT(gcgrp != NULL);
1885 	}
1886 
1887 	/*
1888 	 * Intialize the template for gateway; we use the gateway's
1889 	 * address found in either the passed in gateway credential
1890 	 * or group pointer, or the ire_gateway_addr{_v6} field.
1891 	 */
1892 	if (gcgrp != NULL) {
1893 		tsol_gcgrp_addr_t *ga = &gcgrp->gcgrp_addr;
1894 
1895 		/*
1896 		 * Caller is holding a reference, and that we don't
1897 		 * need to hold any lock to access the address.
1898 		 */
1899 		if (ipversion == IPV4_VERSION) {
1900 			ASSERT(ga->ga_af == AF_INET);
1901 			IN6_V4MAPPED_TO_IPADDR(&ga->ga_addr, ga_addr4);
1902 			paddr = &ga_addr4;
1903 		} else {
1904 			ASSERT(ga->ga_af == AF_INET6);
1905 			paddr = &ga->ga_addr;
1906 		}
1907 	} else if (ipversion == IPV6_VERSION &&
1908 	    !IN6_IS_ADDR_UNSPECIFIED(&ire->ire_gateway_addr_v6)) {
1909 		paddr = &ire->ire_gateway_addr_v6;
1910 	} else if (ipversion == IPV4_VERSION &&
1911 	    ire->ire_gateway_addr != INADDR_ANY) {
1912 		paddr = &ire->ire_gateway_addr;
1913 	}
1914 
1915 	/*
1916 	 * Lookup the gateway template; note that we could get an internal
1917 	 * template here, which we cache anyway.  During IRE matching, we'll
1918 	 * try to update this gateway template cache and hopefully get a
1919 	 * real one.
1920 	 */
1921 	if (paddr != NULL) {
1922 		attrp->igsa_rhc = find_rhc(paddr, ipversion, B_FALSE);
1923 	}
1924 
1925 	if (exists)
1926 		mutex_exit(&attrp->igsa_lock);
1927 
1928 	return (0);
1929 }
1930 
1931 /*
1932  * This function figures the type of MLP that we'll be using based on the
1933  * address that the user is binding and the zone.  If the address is
1934  * unspecified, then we're looking at both private and shared.  If it's one
1935  * of the zone's private addresses, then it's private only.  If it's one
1936  * of the global addresses, then it's shared only.
1937  *
1938  * If we can't figure out what it is, then return mlptSingle.  That's actually
1939  * an error case.
1940  *
1941  * The callers are assume to pass in zone->zone_id and not the zoneid that
1942  * is stored in a conn_t (since the latter will be GLOBAL_ZONEID in an
1943  * exclusive stack zone).
1944  */
1945 mlp_type_t
1946 tsol_mlp_addr_type(zoneid_t zoneid, uchar_t version, const void *addr,
1947     ip_stack_t *ipst)
1948 {
1949 	in_addr_t in4;
1950 	ire_t *ire;
1951 	ipif_t *ipif;
1952 	zoneid_t addrzone;
1953 	zoneid_t ip_zoneid;
1954 
1955 	ASSERT(addr != NULL);
1956 
1957 	/*
1958 	 * For exclusive stacks we set the zoneid to zero
1959 	 * to operate as if in the global zone for IRE and conn_t comparisons.
1960 	 */
1961 	if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID)
1962 		ip_zoneid = GLOBAL_ZONEID;
1963 	else
1964 		ip_zoneid = zoneid;
1965 
1966 	if (version == IPV6_VERSION &&
1967 	    IN6_IS_ADDR_V4MAPPED((const in6_addr_t *)addr)) {
1968 		IN6_V4MAPPED_TO_IPADDR((const in6_addr_t *)addr, in4);
1969 		addr = &in4;
1970 		version = IPV4_VERSION;
1971 	}
1972 
1973 	if (version == IPV4_VERSION) {
1974 		in4 = *(const in_addr_t *)addr;
1975 		if (in4 == INADDR_ANY) {
1976 			return (mlptBoth);
1977 		}
1978 		ire = ire_cache_lookup(in4, ip_zoneid, NULL, ipst);
1979 	} else {
1980 		if (IN6_IS_ADDR_UNSPECIFIED((const in6_addr_t *)addr)) {
1981 			return (mlptBoth);
1982 		}
1983 		ire = ire_cache_lookup_v6(addr, ip_zoneid, NULL, ipst);
1984 	}
1985 	/*
1986 	 * If we can't find the IRE, then we have to behave exactly like
1987 	 * ip_bind_laddr{,_v6}.  That means looking up the IPIF so that users
1988 	 * can bind to addresses on "down" interfaces.
1989 	 *
1990 	 * If we can't find that either, then the bind is going to fail, so
1991 	 * just give up.  Note that there's a miniscule chance that the address
1992 	 * is in transition, but we don't bother handling that.
1993 	 */
1994 	if (ire == NULL) {
1995 		if (version == IPV4_VERSION)
1996 			ipif = ipif_lookup_addr(*(const in_addr_t *)addr, NULL,
1997 			    ip_zoneid, NULL, NULL, NULL, NULL, ipst);
1998 		else
1999 			ipif = ipif_lookup_addr_v6((const in6_addr_t *)addr,
2000 			    NULL, ip_zoneid, NULL, NULL, NULL, NULL, ipst);
2001 		if (ipif == NULL) {
2002 			return (mlptSingle);
2003 		}
2004 		addrzone = ipif->ipif_zoneid;
2005 		ipif_refrele(ipif);
2006 	} else {
2007 		addrzone = ire->ire_zoneid;
2008 		ire_refrele(ire);
2009 	}
2010 	return (addrzone == ALL_ZONES ? mlptShared : mlptPrivate);
2011 }
2012 
2013 /*
2014  * Since we are configuring local interfaces, and we know trusted
2015  * extension CDE requires local interfaces to be cipso host type in
2016  * order to function correctly, we'll associate a cipso template
2017  * to each local interface and let the interface come up.  Configuring
2018  * a local interface to be "unlabeled" host type is a configuration error.
2019  * We'll override that error and make the interface host type to be cipso
2020  * here.
2021  *
2022  * The code is optimized for the usual "success" case and unwinds things on
2023  * error.  We don't want to go to the trouble and expense of formatting the
2024  * interface name for the usual case where everything is configured correctly.
2025  */
2026 boolean_t
2027 tsol_check_interface_address(const ipif_t *ipif)
2028 {
2029 	tsol_tpc_t *tp;
2030 	char addrbuf[INET6_ADDRSTRLEN];
2031 	int af;
2032 	const void *addr;
2033 	zone_t *zone;
2034 	ts_label_t *plabel;
2035 	const bslabel_t *label;
2036 	char ifbuf[LIFNAMSIZ + 10];
2037 	const char *ifname;
2038 	boolean_t retval;
2039 	tsol_rhent_t rhent;
2040 	netstack_t *ns = ipif->ipif_ill->ill_ipst->ips_netstack;
2041 
2042 	if (IN6_IS_ADDR_V4MAPPED(&ipif->ipif_v6lcl_addr)) {
2043 		af = AF_INET;
2044 		addr = &V4_PART_OF_V6(ipif->ipif_v6lcl_addr);
2045 	} else {
2046 		af = AF_INET6;
2047 		addr = &ipif->ipif_v6lcl_addr;
2048 	}
2049 
2050 	tp = find_tpc(&ipif->ipif_v6lcl_addr, IPV6_VERSION, B_FALSE);
2051 
2052 	/* assumes that ALL_ZONES implies that there is no exclusive stack */
2053 	if (ipif->ipif_zoneid == ALL_ZONES) {
2054 		zone = NULL;
2055 	} else if (ns->netstack_stackid == GLOBAL_NETSTACKID) {
2056 		/* Shared stack case */
2057 		zone = zone_find_by_id(ipif->ipif_zoneid);
2058 	} else {
2059 		/* Exclusive stack case */
2060 		zone = zone_find_by_id(crgetzoneid(ipif->ipif_ill->ill_credp));
2061 	}
2062 	if (zone != NULL) {
2063 		plabel = zone->zone_slabel;
2064 		ASSERT(plabel != NULL);
2065 		label = label2bslabel(plabel);
2066 	}
2067 
2068 	/*
2069 	 * If it's CIPSO and an all-zones address, then we're done.
2070 	 * If it's a CIPSO zone specific address, the zone's label
2071 	 * must be in the range or set specified in the template.
2072 	 * When the remote host entry is missing or the template
2073 	 * type is incorrect for this interface, we create a
2074 	 * CIPSO host entry in kernel and allow the interface to be
2075 	 * brought up as CIPSO type.
2076 	 */
2077 	if (tp != NULL && (
2078 	    /* The all-zones case */
2079 	    (tp->tpc_tp.host_type == SUN_CIPSO &&
2080 	    tp->tpc_tp.tp_doi == default_doi &&
2081 	    ipif->ipif_zoneid == ALL_ZONES) ||
2082 	    /* The local-zone case */
2083 	    (zone != NULL && plabel->tsl_doi == tp->tpc_tp.tp_doi &&
2084 	    ((tp->tpc_tp.host_type == SUN_CIPSO &&
2085 	    (_blinrange(label, &tp->tpc_tp.tp_sl_range_cipso) ||
2086 	    blinlset(label, tp->tpc_tp.tp_sl_set_cipso))))))) {
2087 		if (zone != NULL)
2088 			zone_rele(zone);
2089 		TPC_RELE(tp);
2090 		return (B_TRUE);
2091 	}
2092 
2093 	ifname = ipif->ipif_ill->ill_name;
2094 	if (ipif->ipif_id != 0) {
2095 		(void) snprintf(ifbuf, sizeof (ifbuf), "%s:%u", ifname,
2096 		    ipif->ipif_id);
2097 		ifname = ifbuf;
2098 	}
2099 	(void) inet_ntop(af, addr, addrbuf, sizeof (addrbuf));
2100 
2101 	if (tp == NULL) {
2102 		cmn_err(CE_NOTE, "template entry for %s missing. Default to "
2103 		    "CIPSO type for %s", ifname, addrbuf);
2104 		retval = B_TRUE;
2105 	} else if (tp->tpc_tp.host_type == UNLABELED) {
2106 		cmn_err(CE_NOTE, "template type for %s incorrectly configured. "
2107 		    "Change to CIPSO type for %s", ifname, addrbuf);
2108 		retval = B_TRUE;
2109 	} else if (ipif->ipif_zoneid == ALL_ZONES) {
2110 		if (tp->tpc_tp.host_type != SUN_CIPSO) {
2111 			cmn_err(CE_NOTE, "%s failed: %s isn't set to CIPSO for "
2112 			    "all-zones. Converted to CIPSO.", ifname, addrbuf);
2113 			retval = B_TRUE;
2114 		} else {
2115 			cmn_err(CE_NOTE, "%s failed: %s has wrong DOI %d "
2116 			    "instead of %d", ifname, addrbuf,
2117 			    tp->tpc_tp.tp_doi, default_doi);
2118 			retval = B_FALSE;
2119 		}
2120 	} else if (zone == NULL) {
2121 		cmn_err(CE_NOTE, "%s failed: zoneid %d unknown",
2122 		    ifname, ipif->ipif_zoneid);
2123 		retval = B_FALSE;
2124 	} else if (plabel->tsl_doi != tp->tpc_tp.tp_doi) {
2125 		cmn_err(CE_NOTE, "%s failed: zone %s has DOI %d but %s has "
2126 		    "DOI %d", ifname, zone->zone_name, plabel->tsl_doi,
2127 		    addrbuf, tp->tpc_tp.tp_doi);
2128 		retval = B_FALSE;
2129 	} else {
2130 		cmn_err(CE_NOTE, "%s failed: zone %s label incompatible with "
2131 		    "%s", ifname, zone->zone_name, addrbuf);
2132 		tsol_print_label(label, "zone label");
2133 		retval = B_FALSE;
2134 	}
2135 
2136 	if (zone != NULL)
2137 		zone_rele(zone);
2138 	if (tp != NULL)
2139 		TPC_RELE(tp);
2140 	if (retval) {
2141 		/*
2142 		 * we've corrected a config error and let the interface
2143 		 * come up as cipso. Need to insert an rhent.
2144 		 */
2145 		if ((rhent.rh_address.ta_family = af) == AF_INET) {
2146 			rhent.rh_prefix = 32;
2147 			rhent.rh_address.ta_addr_v4 = *(struct in_addr *)addr;
2148 		} else {
2149 			rhent.rh_prefix = 128;
2150 			rhent.rh_address.ta_addr_v6 = *(in6_addr_t *)addr;
2151 		}
2152 		(void) strcpy(rhent.rh_template, "cipso");
2153 		if (tnrh_load(&rhent) != 0) {
2154 			cmn_err(CE_NOTE, "%s failed: Cannot insert CIPSO "
2155 			    "template for local addr %s", ifname, addrbuf);
2156 			retval = B_FALSE;
2157 		}
2158 	}
2159 	return (retval);
2160 }
2161