1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <sys/types.h> 30 #include <sys/stream.h> 31 #include <sys/stropts.h> 32 #include <sys/ddi.h> 33 #include <sys/debug.h> 34 #include <sys/cmn_err.h> 35 #include <sys/stream.h> 36 #include <sys/strlog.h> 37 #include <sys/kmem.h> 38 #include <sys/sunddi.h> 39 #include <sys/tihdr.h> 40 #include <sys/atomic.h> 41 #include <sys/socket.h> 42 #include <sys/sysmacros.h> 43 #include <sys/crypto/common.h> 44 #include <sys/crypto/api.h> 45 #include <sys/zone.h> 46 #include <netinet/in.h> 47 #include <net/if.h> 48 #include <net/pfkeyv2.h> 49 #include <inet/common.h> 50 #include <netinet/ip6.h> 51 #include <inet/ip.h> 52 #include <inet/ip6.h> 53 #include <inet/ipsec_info.h> 54 #include <inet/ipsec_impl.h> 55 #include <inet/tcp.h> 56 #include <inet/sadb.h> 57 #include <inet/ipsecah.h> 58 #include <inet/ipsecesp.h> 59 #include <sys/random.h> 60 #include <sys/dlpi.h> 61 #include <sys/iphada.h> 62 #include <inet/ip_if.h> 63 #include <inet/ipdrop.h> 64 #include <inet/ipclassifier.h> 65 #include <inet/sctp_ip.h> 66 67 /* 68 * This source file contains Security Association Database (SADB) common 69 * routines. They are linked in with the AH module. Since AH has no chance 70 * of falling under export control, it was safe to link it in there. 71 */ 72 73 /* Packet dropper for generic SADB drops. */ 74 static ipdropper_t sadb_dropper; 75 76 static mblk_t *sadb_extended_acquire(ipsec_selector_t *, ipsec_policy_t *, 77 ipsec_action_t *, uint32_t, uint32_t); 78 static void sadb_ill_df(ill_t *, mblk_t *, isaf_t *, int, boolean_t); 79 static ipsa_t *sadb_torch_assoc(isaf_t *, ipsa_t *, boolean_t, mblk_t **); 80 static void sadb_drain_torchq(queue_t *q, mblk_t *); 81 static void sadb_destroy_acqlist(iacqf_t **, uint_t, boolean_t); 82 static void sadb_destroy(sadb_t *sp); 83 84 static time_t sadb_add_time(time_t base, uint64_t delta); 85 86 #define SET_EXPIRE(sa, delta, exp) { \ 87 if (((sa)->ipsa_ ## delta) != 0) { \ 88 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \ 89 (sa)->ipsa_ ## delta); \ 90 } \ 91 } 92 93 #define UPDATE_EXPIRE(sa, delta, exp) { \ 94 if (((sa)->ipsa_ ## delta) != 0) { \ 95 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \ 96 (sa)->ipsa_ ## delta); \ 97 if (((sa)->ipsa_ ## exp) == 0) \ 98 (sa)->ipsa_ ## exp = tmp; \ 99 else \ 100 (sa)->ipsa_ ## exp = \ 101 MIN((sa)->ipsa_ ## exp, tmp); \ 102 } \ 103 } 104 105 106 /* wrap the macro so we can pass it as a function pointer */ 107 void 108 sadb_sa_refrele(void *target) 109 { 110 IPSA_REFRELE(((ipsa_t *)target)); 111 } 112 113 /* 114 * We presume that sizeof (long) == sizeof (time_t) and that time_t is 115 * a signed type. 116 */ 117 #define TIME_MAX LONG_MAX 118 119 /* 120 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that 121 * time_t is defined to be a signed type with the same range as 122 * "long". On ILP32 systems, we thus run the risk of wrapping around 123 * at end of time, as well as "overwrapping" the clock back around 124 * into a seemingly valid but incorrect future date earlier than the 125 * desired expiration. 126 * 127 * In order to avoid odd behavior (either negative lifetimes or loss 128 * of high order bits) when someone asks for bizarrely long SA 129 * lifetimes, we do a saturating add for expire times. 130 * 131 * We presume that ILP32 systems will be past end of support life when 132 * the 32-bit time_t overflows (a dangerous assumption, mind you..). 133 * 134 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we 135 * will hopefully have figured out clever ways to avoid the use of 136 * fixed-sized integers in computation. 137 */ 138 static time_t 139 sadb_add_time(time_t base, uint64_t delta) 140 { 141 time_t sum; 142 143 /* 144 * Clip delta to the maximum possible time_t value to 145 * prevent "overwrapping" back into a shorter-than-desired 146 * future time. 147 */ 148 if (delta > TIME_MAX) 149 delta = TIME_MAX; 150 /* 151 * This sum may still overflow. 152 */ 153 sum = base + delta; 154 155 /* 156 * .. so if the result is less than the base, we overflowed. 157 */ 158 if (sum < base) 159 sum = TIME_MAX; 160 161 return (sum); 162 } 163 164 /* 165 * Callers of this function have already created a working security 166 * association, and have found the appropriate table & hash chain. All this 167 * function does is check duplicates, and insert the SA. The caller needs to 168 * hold the hash bucket lock and increment the refcnt before insertion. 169 * 170 * Return 0 if success, EEXIST if collision. 171 */ 172 int 173 sadb_insertassoc(ipsa_t *ipsa, isaf_t *bucket) 174 { 175 ipsa_t **ptpn = NULL; 176 ipsa_t *walker; 177 boolean_t unspecsrc; 178 179 ASSERT(MUTEX_HELD(&bucket->isaf_lock)); 180 181 unspecsrc = IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_srcaddr, ipsa->ipsa_addrfam); 182 183 walker = bucket->isaf_ipsa; 184 ASSERT(walker == NULL || ipsa->ipsa_addrfam == walker->ipsa_addrfam); 185 186 /* 187 * Find insertion point (pointed to with **ptpn). Insert at the head 188 * of the list unless there's an unspecified source address, then 189 * insert it after the last SA with a specified source address. 190 * 191 * BTW, you'll have to walk the whole chain, matching on {DST, SPI} 192 * checking for collisions. 193 */ 194 195 while (walker != NULL) { 196 if (IPSA_ARE_ADDR_EQUAL(walker->ipsa_dstaddr, 197 ipsa->ipsa_dstaddr, ipsa->ipsa_addrfam)) { 198 if (walker->ipsa_spi == ipsa->ipsa_spi) 199 return (EEXIST); 200 201 mutex_enter(&walker->ipsa_lock); 202 if (ipsa->ipsa_state == IPSA_STATE_MATURE && 203 (walker->ipsa_flags & IPSA_F_USED) && 204 ((walker->ipsa_unique_id & 205 walker->ipsa_unique_mask) == 206 (ipsa->ipsa_unique_id & 207 ipsa->ipsa_unique_mask))) { 208 walker->ipsa_flags |= IPSA_F_CINVALID; 209 } 210 mutex_exit(&walker->ipsa_lock); 211 } 212 213 if (ptpn == NULL && unspecsrc) { 214 if (IPSA_IS_ADDR_UNSPEC(walker->ipsa_srcaddr, 215 walker->ipsa_addrfam)) 216 ptpn = walker->ipsa_ptpn; 217 else if (walker->ipsa_next == NULL) 218 ptpn = &walker->ipsa_next; 219 } 220 221 walker = walker->ipsa_next; 222 } 223 224 if (ptpn == NULL) 225 ptpn = &bucket->isaf_ipsa; 226 ipsa->ipsa_next = *ptpn; 227 ipsa->ipsa_ptpn = ptpn; 228 if (ipsa->ipsa_next != NULL) 229 ipsa->ipsa_next->ipsa_ptpn = &ipsa->ipsa_next; 230 *ptpn = ipsa; 231 ipsa->ipsa_linklock = &bucket->isaf_lock; 232 233 return (0); 234 } 235 236 /* 237 * Free a security association. Its reference count is 0, which means 238 * I must free it. The SA must be unlocked and must not be linked into 239 * any fanout list. 240 */ 241 static void 242 sadb_freeassoc(ipsa_t *ipsa) 243 { 244 ASSERT(!MUTEX_HELD(&ipsa->ipsa_lock)); 245 ASSERT(ipsa->ipsa_refcnt == 0); 246 ASSERT(ipsa->ipsa_next == NULL); 247 ASSERT(ipsa->ipsa_ptpn == NULL); 248 249 ip_drop_packet(sadb_clear_lpkt(ipsa), B_TRUE, NULL, NULL, 250 &ipdrops_sadb_inlarval_timeout, &sadb_dropper); 251 252 mutex_enter(&ipsa->ipsa_lock); 253 254 if (ipsa->ipsa_natt_ka_timer != 0) 255 (void) quntimeout(ipsa->ipsa_natt_q, ipsa->ipsa_natt_ka_timer); 256 257 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_AUTH); 258 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_ENCR); 259 mutex_exit(&ipsa->ipsa_lock); 260 261 /* bzero() these fields for paranoia's sake. */ 262 if (ipsa->ipsa_authkey != NULL) { 263 bzero(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 264 kmem_free(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 265 } 266 if (ipsa->ipsa_encrkey != NULL) { 267 bzero(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 268 kmem_free(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 269 } 270 if (ipsa->ipsa_src_cid != NULL) { 271 IPSID_REFRELE(ipsa->ipsa_src_cid); 272 } 273 if (ipsa->ipsa_dst_cid != NULL) { 274 IPSID_REFRELE(ipsa->ipsa_dst_cid); 275 } 276 if (ipsa->ipsa_proxy_cid != NULL) { 277 IPSID_REFRELE(ipsa->ipsa_proxy_cid); 278 } 279 if (ipsa->ipsa_integ != NULL) 280 kmem_free(ipsa->ipsa_integ, ipsa->ipsa_integlen); 281 if (ipsa->ipsa_sens != NULL) 282 kmem_free(ipsa->ipsa_sens, ipsa->ipsa_senslen); 283 284 mutex_destroy(&ipsa->ipsa_lock); 285 kmem_free(ipsa, sizeof (*ipsa)); 286 } 287 288 /* 289 * Unlink a security association from a hash bucket. Assume the hash bucket 290 * lock is held, but the association's lock is not. 291 * 292 * Note that we do not bump the bucket's generation number here because 293 * we might not be making a visible change to the set of visible SA's. 294 * All callers MUST bump the bucket's generation number before they unlock 295 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which 296 * was present in the bucket at the time it was locked. 297 */ 298 void 299 sadb_unlinkassoc(ipsa_t *ipsa) 300 { 301 ASSERT(ipsa->ipsa_linklock != NULL); 302 ASSERT(MUTEX_HELD(ipsa->ipsa_linklock)); 303 304 /* These fields are protected by the link lock. */ 305 *(ipsa->ipsa_ptpn) = ipsa->ipsa_next; 306 if (ipsa->ipsa_next != NULL) { 307 ipsa->ipsa_next->ipsa_ptpn = ipsa->ipsa_ptpn; 308 ipsa->ipsa_next = NULL; 309 } 310 311 ipsa->ipsa_ptpn = NULL; 312 313 /* This may destroy the SA. */ 314 IPSA_REFRELE(ipsa); 315 } 316 317 /* 318 * Create a larval security association with the specified SPI. All other 319 * fields are zeroed. 320 */ 321 static ipsa_t * 322 sadb_makelarvalassoc(uint32_t spi, uint32_t *src, uint32_t *dst, int addrfam) 323 { 324 ipsa_t *newbie; 325 326 /* 327 * Allocate... 328 */ 329 330 newbie = (ipsa_t *)kmem_zalloc(sizeof (ipsa_t), KM_NOSLEEP); 331 if (newbie == NULL) { 332 /* Can't make new larval SA. */ 333 return (NULL); 334 } 335 336 /* Assigned requested SPI, assume caller does SPI allocation magic. */ 337 newbie->ipsa_spi = spi; 338 339 /* 340 * Copy addresses... 341 */ 342 343 IPSA_COPY_ADDR(newbie->ipsa_srcaddr, src, addrfam); 344 IPSA_COPY_ADDR(newbie->ipsa_dstaddr, dst, addrfam); 345 346 newbie->ipsa_addrfam = addrfam; 347 348 /* 349 * Set common initialization values, including refcnt. 350 */ 351 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 352 newbie->ipsa_state = IPSA_STATE_LARVAL; 353 newbie->ipsa_refcnt = 1; 354 newbie->ipsa_freefunc = sadb_freeassoc; 355 356 /* 357 * There aren't a lot of other common initialization values, as 358 * they are copied in from the PF_KEY message. 359 */ 360 361 return (newbie); 362 } 363 364 /* 365 * Call me to initialize a security association fanout. 366 */ 367 static int 368 sadb_init_fanout(isaf_t **tablep, uint_t size, int kmflag) 369 { 370 isaf_t *table; 371 int i; 372 373 table = (isaf_t *)kmem_alloc(size * sizeof (*table), kmflag); 374 *tablep = table; 375 376 if (table == NULL) 377 return (ENOMEM); 378 379 for (i = 0; i < size; i++) { 380 mutex_init(&(table[i].isaf_lock), NULL, MUTEX_DEFAULT, NULL); 381 table[i].isaf_ipsa = NULL; 382 table[i].isaf_gen = 0; 383 } 384 385 return (0); 386 } 387 388 /* 389 * Call me to initialize an acquire fanout 390 */ 391 static int 392 sadb_init_acfanout(iacqf_t **tablep, uint_t size, int kmflag) 393 { 394 iacqf_t *table; 395 int i; 396 397 table = (iacqf_t *)kmem_alloc(size * sizeof (*table), kmflag); 398 *tablep = table; 399 400 if (table == NULL) 401 return (ENOMEM); 402 403 for (i = 0; i < size; i++) { 404 mutex_init(&(table[i].iacqf_lock), NULL, MUTEX_DEFAULT, NULL); 405 table[i].iacqf_ipsacq = NULL; 406 } 407 408 return (0); 409 } 410 411 /* 412 * Attempt to initialize an SADB instance. On failure, return ENOMEM; 413 * caller must clean up partial allocations. 414 */ 415 static int 416 sadb_init_trial(sadb_t *sp, uint_t size, int kmflag) 417 { 418 ASSERT(sp->sdb_of == NULL); 419 ASSERT(sp->sdb_if == NULL); 420 ASSERT(sp->sdb_acq == NULL); 421 422 sp->sdb_hashsize = size; 423 if (sadb_init_fanout(&sp->sdb_of, size, kmflag) != 0) 424 return (ENOMEM); 425 if (sadb_init_fanout(&sp->sdb_if, size, kmflag) != 0) 426 return (ENOMEM); 427 if (sadb_init_acfanout(&sp->sdb_acq, size, kmflag) != 0) 428 return (ENOMEM); 429 430 return (0); 431 } 432 433 /* 434 * Call me to initialize an SADB instance; fall back to default size on failure. 435 */ 436 static void 437 sadb_init(const char *name, sadb_t *sp, uint_t size, uint_t ver) 438 { 439 ASSERT(sp->sdb_of == NULL); 440 ASSERT(sp->sdb_if == NULL); 441 ASSERT(sp->sdb_acq == NULL); 442 443 if (size < IPSEC_DEFAULT_HASH_SIZE) 444 size = IPSEC_DEFAULT_HASH_SIZE; 445 446 if (sadb_init_trial(sp, size, KM_NOSLEEP) != 0) { 447 448 cmn_err(CE_WARN, 449 "Unable to allocate %u entry IPv%u %s SADB hash table", 450 size, ver, name); 451 452 sadb_destroy(sp); 453 size = IPSEC_DEFAULT_HASH_SIZE; 454 cmn_err(CE_WARN, "Falling back to %d entries", size); 455 (void) sadb_init_trial(sp, size, KM_SLEEP); 456 } 457 } 458 459 460 /* 461 * Initialize an SADB-pair. 462 */ 463 void 464 sadbp_init(const char *name, sadbp_t *sp, int type, int size) 465 { 466 sadb_init(name, &sp->s_v4, size, 4); 467 sadb_init(name, &sp->s_v6, size, 6); 468 469 sp->s_satype = type; 470 471 ASSERT((type == SADB_SATYPE_AH) || (type == SADB_SATYPE_ESP)); 472 if (type == SADB_SATYPE_AH) 473 ip_drop_register(&sadb_dropper, "IPsec SADB"); 474 } 475 476 /* 477 * Deliver a single SADB_DUMP message representing a single SA. This is 478 * called many times by sadb_dump(). 479 * 480 * If the return value of this is ENOBUFS (not the same as ENOMEM), then 481 * the caller should take that as a hint that dupb() on the "original answer" 482 * failed, and that perhaps the caller should try again with a copyb()ed 483 * "original answer". 484 */ 485 static int 486 sadb_dump_deliver(queue_t *pfkey_q, mblk_t *original_answer, ipsa_t *ipsa, 487 sadb_msg_t *samsg) 488 { 489 mblk_t *answer; 490 491 answer = dupb(original_answer); 492 if (answer == NULL) 493 return (ENOBUFS); 494 answer->b_cont = sadb_sa2msg(ipsa, samsg); 495 if (answer->b_cont == NULL) { 496 freeb(answer); 497 return (ENOMEM); 498 } 499 500 /* Just do a putnext, and let keysock deal with flow control. */ 501 putnext(pfkey_q, answer); 502 return (0); 503 } 504 505 /* 506 * Common function to allocate and prepare a keysock_out_t M_CTL message. 507 */ 508 mblk_t * 509 sadb_keysock_out(minor_t serial) 510 { 511 mblk_t *mp; 512 keysock_out_t *kso; 513 514 mp = allocb(sizeof (ipsec_info_t), BPRI_HI); 515 if (mp != NULL) { 516 mp->b_datap->db_type = M_CTL; 517 mp->b_wptr += sizeof (ipsec_info_t); 518 kso = (keysock_out_t *)mp->b_rptr; 519 kso->ks_out_type = KEYSOCK_OUT; 520 kso->ks_out_len = sizeof (*kso); 521 kso->ks_out_serial = serial; 522 } 523 524 return (mp); 525 } 526 527 /* 528 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts 529 * to keysock. 530 */ 531 static int 532 sadb_dump_fanout(queue_t *pfkey_q, mblk_t *mp, minor_t serial, isaf_t *fanout, 533 int num_entries, boolean_t do_peers) 534 { 535 int i, error = 0; 536 mblk_t *original_answer; 537 ipsa_t *walker; 538 sadb_msg_t *samsg; 539 540 /* 541 * For each IPSA hash bucket do: 542 * - Hold the mutex 543 * - Walk each entry, doing an sadb_dump_deliver() on it. 544 */ 545 ASSERT(mp->b_cont != NULL); 546 samsg = (sadb_msg_t *)mp->b_cont->b_rptr; 547 548 original_answer = sadb_keysock_out(serial); 549 if (original_answer == NULL) 550 return (ENOMEM); 551 552 for (i = 0; i < num_entries; i++) { 553 mutex_enter(&fanout[i].isaf_lock); 554 for (walker = fanout[i].isaf_ipsa; walker != NULL; 555 walker = walker->ipsa_next) { 556 if (!do_peers && walker->ipsa_haspeer) 557 continue; 558 error = sadb_dump_deliver(pfkey_q, original_answer, 559 walker, samsg); 560 if (error == ENOBUFS) { 561 mblk_t *new_original_answer; 562 563 /* Ran out of dupb's. Try a copyb. */ 564 new_original_answer = copyb(original_answer); 565 if (new_original_answer == NULL) { 566 error = ENOMEM; 567 } else { 568 freeb(original_answer); 569 original_answer = new_original_answer; 570 error = sadb_dump_deliver(pfkey_q, 571 original_answer, walker, samsg); 572 } 573 } 574 if (error != 0) 575 break; /* out of for loop. */ 576 } 577 mutex_exit(&fanout[i].isaf_lock); 578 if (error != 0) 579 break; /* out of for loop. */ 580 } 581 582 freeb(original_answer); 583 return (error); 584 } 585 586 /* 587 * Dump an entire SADB; outbound first, then inbound. 588 */ 589 590 int 591 sadb_dump(queue_t *pfkey_q, mblk_t *mp, minor_t serial, sadb_t *sp) 592 { 593 int error; 594 595 /* Dump outbound */ 596 error = sadb_dump_fanout(pfkey_q, mp, serial, sp->sdb_of, 597 sp->sdb_hashsize, B_TRUE); 598 if (error) 599 return (error); 600 601 /* Dump inbound */ 602 return sadb_dump_fanout(pfkey_q, mp, serial, sp->sdb_if, 603 sp->sdb_hashsize, B_FALSE); 604 } 605 606 /* 607 * Generic sadb table walker. 608 * 609 * Call "walkfn" for each SA in each bucket in "table"; pass the 610 * bucket, the entry and "cookie" to the callback function. 611 * Take care to ensure that walkfn can delete the SA without screwing 612 * up our traverse. 613 * 614 * The bucket is locked for the duration of the callback, both so that the 615 * callback can just call sadb_unlinkassoc() when it wants to delete something, 616 * and so that no new entries are added while we're walking the list. 617 */ 618 static void 619 sadb_walker(isaf_t *table, uint_t numentries, 620 void (*walkfn)(isaf_t *head, ipsa_t *entry, void *cookie), 621 void *cookie) 622 { 623 int i; 624 for (i = 0; i < numentries; i++) { 625 ipsa_t *entry, *next; 626 627 mutex_enter(&table[i].isaf_lock); 628 629 for (entry = table[i].isaf_ipsa; entry != NULL; 630 entry = next) { 631 next = entry->ipsa_next; 632 (*walkfn)(&table[i], entry, cookie); 633 } 634 mutex_exit(&table[i].isaf_lock); 635 } 636 } 637 638 /* 639 * From the given SA, construct a dl_ct_ipsec_key and 640 * a dl_ct_ipsec structures to be sent to the adapter as part 641 * of a DL_CONTROL_REQ. 642 * 643 * ct_sa must point to the storage allocated for the key 644 * structure and must be followed by storage allocated 645 * for the SA information that must be sent to the driver 646 * as part of the DL_CONTROL_REQ request. 647 * 648 * The is_inbound boolean indicates whether the specified 649 * SA is part of an inbound SA table. 650 * 651 * Returns B_TRUE if the corresponding SA must be passed to 652 * a provider, B_FALSE otherwise; frees *mp if it returns B_FALSE. 653 */ 654 static boolean_t 655 sadb_req_from_sa(ipsa_t *sa, mblk_t *mp, boolean_t is_inbound) 656 { 657 dl_ct_ipsec_key_t *keyp; 658 dl_ct_ipsec_t *sap; 659 void *ct_sa = mp->b_wptr; 660 661 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 662 663 keyp = (dl_ct_ipsec_key_t *)(ct_sa); 664 sap = (dl_ct_ipsec_t *)(keyp + 1); 665 666 IPSECHW_DEBUG(IPSECHW_CAPAB, ("sadb_req_from_sa: " 667 "is_inbound = %d\n", is_inbound)); 668 669 /* initialize flag */ 670 sap->sadb_sa_flags = 0; 671 if (is_inbound) { 672 sap->sadb_sa_flags |= DL_CT_IPSEC_INBOUND; 673 /* 674 * If an inbound SA has a peer, then mark it has being 675 * an outbound SA as well. 676 */ 677 if (sa->ipsa_haspeer) 678 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 679 } else { 680 /* 681 * If an outbound SA has a peer, then don't send it, 682 * since we will send the copy from the inbound table. 683 */ 684 if (sa->ipsa_haspeer) { 685 freemsg(mp); 686 return (B_FALSE); 687 } 688 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 689 } 690 691 keyp->dl_key_spi = sa->ipsa_spi; 692 bcopy(sa->ipsa_dstaddr, keyp->dl_key_dest_addr, 693 DL_CTL_IPSEC_ADDR_LEN); 694 keyp->dl_key_addr_family = sa->ipsa_addrfam; 695 696 sap->sadb_sa_auth = sa->ipsa_auth_alg; 697 sap->sadb_sa_encrypt = sa->ipsa_encr_alg; 698 699 sap->sadb_key_len_a = sa->ipsa_authkeylen; 700 sap->sadb_key_bits_a = sa->ipsa_authkeybits; 701 bcopy(sa->ipsa_authkey, 702 sap->sadb_key_data_a, sap->sadb_key_len_a); 703 704 sap->sadb_key_len_e = sa->ipsa_encrkeylen; 705 sap->sadb_key_bits_e = sa->ipsa_encrkeybits; 706 bcopy(sa->ipsa_encrkey, 707 sap->sadb_key_data_e, sap->sadb_key_len_e); 708 709 mp->b_wptr += sizeof (dl_ct_ipsec_t) + sizeof (dl_ct_ipsec_key_t); 710 return (B_TRUE); 711 } 712 713 /* 714 * Called from AH or ESP to format a message which will be used to inform 715 * IPsec-acceleration-capable ills of a SADB change. 716 * (It is not possible to send the message to IP directly from this function 717 * since the SA, if any, is locked during the call). 718 * 719 * dl_operation: DL_CONTROL_REQ operation (add, delete, update, etc) 720 * sa_type: identifies whether the operation applies to AH or ESP 721 * (must be one of SADB_SATYPE_AH or SADB_SATYPE_ESP) 722 * sa: Pointer to an SA. Must be non-NULL and locked 723 * for ADD, DELETE, GET, and UPDATE operations. 724 * This function returns an mblk chain that must be passed to IP 725 * for forwarding to the IPsec capable providers. 726 */ 727 mblk_t * 728 sadb_fmt_sa_req(uint_t dl_operation, uint_t sa_type, ipsa_t *sa, 729 boolean_t is_inbound) 730 { 731 mblk_t *mp; 732 dl_control_req_t *ctrl; 733 boolean_t need_key = B_FALSE; 734 mblk_t *ctl_mp = NULL; 735 ipsec_ctl_t *ctl; 736 737 /* 738 * 1 allocate and initialize DL_CONTROL_REQ M_PROTO 739 * 2 if a key is needed for the operation 740 * 2.1 initialize key 741 * 2.2 if a full SA is needed for the operation 742 * 2.2.1 initialize full SA info 743 * 3 return message; caller will call ill_ipsec_capab_send_all() 744 * to send the resulting message to IPsec capable ills. 745 */ 746 747 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 748 749 /* 750 * Allocate DL_CONTROL_REQ M_PROTO 751 * We allocate room for the SA even if it's not needed 752 * by some of the operations (for example flush) 753 */ 754 mp = allocb(sizeof (dl_control_req_t) + 755 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 756 if (mp == NULL) 757 return (NULL); 758 mp->b_datap->db_type = M_PROTO; 759 760 /* initialize dl_control_req_t */ 761 ctrl = (dl_control_req_t *)mp->b_wptr; 762 ctrl->dl_primitive = DL_CONTROL_REQ; 763 ctrl->dl_operation = dl_operation; 764 ctrl->dl_type = sa_type == SADB_SATYPE_AH ? DL_CT_IPSEC_AH : 765 DL_CT_IPSEC_ESP; 766 ctrl->dl_key_offset = sizeof (dl_control_req_t); 767 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 768 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 769 sizeof (dl_ct_ipsec_key_t); 770 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 771 mp->b_wptr += sizeof (dl_control_req_t); 772 773 if ((dl_operation == DL_CO_SET) || (dl_operation == DL_CO_DELETE)) { 774 ASSERT(sa != NULL); 775 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 776 777 need_key = B_TRUE; 778 779 /* 780 * Initialize key and SA data. Note that for some 781 * operations the SA data is ignored by the provider 782 * (delete, etc.) 783 */ 784 if (!sadb_req_from_sa(sa, mp, is_inbound)) 785 return (NULL); 786 } 787 788 /* construct control message */ 789 ctl_mp = allocb(sizeof (ipsec_ctl_t), BPRI_HI); 790 if (ctl_mp == NULL) { 791 cmn_err(CE_WARN, "sadb_fmt_sa_req: allocb failed\n"); 792 freemsg(mp); 793 return (NULL); 794 } 795 796 ctl_mp->b_datap->db_type = M_CTL; 797 ctl_mp->b_wptr += sizeof (ipsec_ctl_t); 798 ctl_mp->b_cont = mp; 799 800 ctl = (ipsec_ctl_t *)ctl_mp->b_rptr; 801 ctl->ipsec_ctl_type = IPSEC_CTL; 802 ctl->ipsec_ctl_len = sizeof (ipsec_ctl_t); 803 ctl->ipsec_ctl_sa_type = sa_type; 804 805 if (need_key) { 806 /* 807 * Keep an additional reference on SA, since it will be 808 * needed by IP to send control messages corresponding 809 * to that SA from its perimeter. IP will do a 810 * IPSA_REFRELE when done with the request. 811 */ 812 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 813 IPSA_REFHOLD(sa); 814 ctl->ipsec_ctl_sa = sa; 815 } else 816 ctl->ipsec_ctl_sa = NULL; 817 818 return (ctl_mp); 819 } 820 821 822 /* 823 * Called by sadb_ill_download() to dump the entries for a specific 824 * fanout table. For each SA entry in the table passed as argument, 825 * use mp as a template and constructs a full DL_CONTROL message, and 826 * call ill_dlpi_send(), provided by IP, to send the resulting 827 * messages to the ill. 828 */ 829 static void 830 sadb_ill_df(ill_t *ill, mblk_t *mp, isaf_t *fanout, int num_entries, 831 boolean_t is_inbound) 832 { 833 ipsa_t *walker; 834 mblk_t *nmp, *salist; 835 int i, error = 0; 836 837 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_ill_df: fanout at 0x%p ne=%d\n", 838 (void *)fanout, num_entries)); 839 /* 840 * For each IPSA hash bucket do: 841 * - Hold the mutex 842 * - Walk each entry, sending a corresponding request to IP 843 * for it. 844 */ 845 ASSERT(mp->b_datap->db_type == M_PROTO); 846 847 for (i = 0; i < num_entries; i++) { 848 mutex_enter(&fanout[i].isaf_lock); 849 salist = NULL; 850 851 for (walker = fanout[i].isaf_ipsa; walker != NULL; 852 walker = walker->ipsa_next) { 853 IPSECHW_DEBUG(IPSECHW_SADB, 854 ("sadb_ill_df: sending SA to ill via IP \n")); 855 /* 856 * Duplicate the template mp passed and 857 * complete DL_CONTROL_REQ data. 858 * To be more memory efficient, we could use 859 * dupb() for the M_CTL and copyb() for the M_PROTO 860 * as the M_CTL, since the M_CTL is the same for 861 * every SA entry passed down to IP for the same ill. 862 * 863 * Note that copymsg/copyb ensure that the new mblk 864 * is at least as large as the source mblk even if it's 865 * not using all its storage -- therefore, nmp 866 * has trailing space for sadb_req_from_sa to add 867 * the SA-specific bits. 868 */ 869 mutex_enter(&walker->ipsa_lock); 870 if (ipsec_capab_match(ill, 871 ill->ill_phyint->phyint_ifindex, ill->ill_isv6, 872 walker)) { 873 nmp = copymsg(mp); 874 if (nmp == NULL) { 875 IPSECHW_DEBUG(IPSECHW_SADB, 876 ("sadb_ill_df: alloc error\n")); 877 error = ENOMEM; 878 mutex_exit(&walker->ipsa_lock); 879 break; 880 } 881 if (sadb_req_from_sa(walker, nmp, is_inbound)) { 882 nmp->b_next = salist; 883 salist = nmp; 884 } 885 } 886 mutex_exit(&walker->ipsa_lock); 887 } 888 mutex_exit(&fanout[i].isaf_lock); 889 while (salist != NULL) { 890 nmp = salist; 891 salist = nmp->b_next; 892 nmp->b_next = NULL; 893 ill_dlpi_send(ill, nmp); 894 } 895 if (error != 0) 896 break; /* out of for loop. */ 897 } 898 } 899 900 /* 901 * Called by ill_ipsec_capab_add(). Sends a copy of the SADB of 902 * the type specified by sa_type to the specified ill. 903 * 904 * We call for each fanout table defined by the SADB (one per 905 * protocol). sadb_ill_df() finally calls ill_dlpi_send() for 906 * each SADB entry in order to send a corresponding DL_CONTROL_REQ 907 * message to the ill. 908 */ 909 void 910 sadb_ill_download(ill_t *ill, uint_t sa_type) 911 { 912 mblk_t *protomp; /* prototype message */ 913 dl_control_req_t *ctrl; 914 sadbp_t *spp; 915 sadb_t *sp; 916 int dlt; 917 918 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 919 920 /* 921 * Allocate and initialize prototype answer. A duplicate for 922 * each SA is sent down to the interface. 923 */ 924 925 /* DL_CONTROL_REQ M_PROTO mblk_t */ 926 protomp = allocb(sizeof (dl_control_req_t) + 927 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 928 if (protomp == NULL) 929 return; 930 protomp->b_datap->db_type = M_PROTO; 931 932 dlt = (sa_type == SADB_SATYPE_AH) ? DL_CT_IPSEC_AH : DL_CT_IPSEC_ESP; 933 spp = (sa_type == SADB_SATYPE_ESP) ? &esp_sadb : &ah_sadb; 934 935 ctrl = (dl_control_req_t *)protomp->b_wptr; 936 ctrl->dl_primitive = DL_CONTROL_REQ; 937 ctrl->dl_operation = DL_CO_SET; 938 ctrl->dl_type = dlt; 939 ctrl->dl_key_offset = sizeof (dl_control_req_t); 940 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 941 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 942 sizeof (dl_ct_ipsec_key_t); 943 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 944 protomp->b_wptr += sizeof (dl_control_req_t); 945 946 /* 947 * then for each SADB entry, we fill out the dl_ct_ipsec_key_t 948 * and dl_ct_ipsec_t 949 */ 950 sp = ill->ill_isv6 ? &(spp->s_v6) : &(spp->s_v4); 951 sadb_ill_df(ill, protomp, sp->sdb_of, sp->sdb_hashsize, B_FALSE); 952 sadb_ill_df(ill, protomp, sp->sdb_if, sp->sdb_hashsize, B_TRUE); 953 freemsg(protomp); 954 } 955 956 /* 957 * Call me to free up a security association fanout. Use the forever 958 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g. 959 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE, 960 * when a module is unloaded). 961 */ 962 static void 963 sadb_destroyer(isaf_t **tablep, uint_t numentries, boolean_t forever) 964 { 965 int i; 966 isaf_t *table = *tablep; 967 968 if (table == NULL) 969 return; 970 971 for (i = 0; i < numentries; i++) { 972 mutex_enter(&table[i].isaf_lock); 973 while (table[i].isaf_ipsa != NULL) 974 sadb_unlinkassoc(table[i].isaf_ipsa); 975 table[i].isaf_gen++; 976 mutex_exit(&table[i].isaf_lock); 977 if (forever) 978 mutex_destroy(&(table[i].isaf_lock)); 979 } 980 981 if (forever) { 982 *tablep = NULL; 983 kmem_free(table, numentries * sizeof (*table)); 984 } 985 } 986 987 /* 988 * Entry points to sadb_destroyer(). 989 */ 990 static void 991 sadb_flush(sadb_t *sp) 992 { 993 /* 994 * Flush out each bucket, one at a time. Were it not for keysock's 995 * enforcement, there would be a subtlety where I could add on the 996 * heels of a flush. With keysock's enforcement, however, this 997 * makes ESP's job easy. 998 */ 999 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_FALSE); 1000 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_FALSE); 1001 1002 /* For each acquire, destroy it; leave the bucket mutex alone. */ 1003 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_FALSE); 1004 } 1005 1006 static void 1007 sadb_destroy(sadb_t *sp) 1008 { 1009 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_TRUE); 1010 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_TRUE); 1011 1012 /* For each acquire, destroy it, including the bucket mutex. */ 1013 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_TRUE); 1014 1015 ASSERT(sp->sdb_of == NULL); 1016 ASSERT(sp->sdb_if == NULL); 1017 ASSERT(sp->sdb_acq == NULL); 1018 } 1019 1020 static void 1021 sadb_send_flush_req(sadbp_t *spp) 1022 { 1023 mblk_t *ctl_mp; 1024 1025 /* 1026 * we've been unplumbed, or never were plumbed; don't go there. 1027 */ 1028 if (spp->s_ip_q == NULL) 1029 return; 1030 1031 /* have IP send a flush msg to the IPsec accelerators */ 1032 ctl_mp = sadb_fmt_sa_req(DL_CO_FLUSH, spp->s_satype, NULL, B_TRUE); 1033 if (ctl_mp != NULL) 1034 putnext(spp->s_ip_q, ctl_mp); 1035 } 1036 1037 void 1038 sadbp_flush(sadbp_t *spp) 1039 { 1040 sadb_flush(&spp->s_v4); 1041 sadb_flush(&spp->s_v6); 1042 1043 sadb_send_flush_req(spp); 1044 } 1045 1046 void 1047 sadbp_destroy(sadbp_t *spp) 1048 { 1049 sadb_destroy(&spp->s_v4); 1050 sadb_destroy(&spp->s_v6); 1051 1052 sadb_send_flush_req(spp); 1053 if (spp->s_satype == SADB_SATYPE_AH) 1054 ip_drop_unregister(&sadb_dropper); 1055 } 1056 1057 1058 /* 1059 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g. 1060 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for 1061 * EINVAL. 1062 */ 1063 int 1064 sadb_hardsoftchk(sadb_lifetime_t *hard, sadb_lifetime_t *soft) 1065 { 1066 if (hard == NULL || soft == NULL) 1067 return (0); 1068 1069 if (hard->sadb_lifetime_allocations != 0 && 1070 soft->sadb_lifetime_allocations != 0 && 1071 hard->sadb_lifetime_allocations < soft->sadb_lifetime_allocations) 1072 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR); 1073 1074 if (hard->sadb_lifetime_bytes != 0 && 1075 soft->sadb_lifetime_bytes != 0 && 1076 hard->sadb_lifetime_bytes < soft->sadb_lifetime_bytes) 1077 return (SADB_X_DIAGNOSTIC_BYTES_HSERR); 1078 1079 if (hard->sadb_lifetime_addtime != 0 && 1080 soft->sadb_lifetime_addtime != 0 && 1081 hard->sadb_lifetime_addtime < soft->sadb_lifetime_addtime) 1082 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1083 1084 if (hard->sadb_lifetime_usetime != 0 && 1085 soft->sadb_lifetime_usetime != 0 && 1086 hard->sadb_lifetime_usetime < soft->sadb_lifetime_usetime) 1087 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1088 1089 return (0); 1090 } 1091 1092 /* 1093 * Clone a security association for the purposes of inserting a single SA 1094 * into inbound and outbound tables respectively. 1095 */ 1096 static ipsa_t * 1097 sadb_cloneassoc(ipsa_t *ipsa) 1098 { 1099 ipsa_t *newbie; 1100 boolean_t error = B_FALSE; 1101 1102 ASSERT(!MUTEX_HELD(&(ipsa->ipsa_lock))); 1103 1104 newbie = kmem_alloc(sizeof (ipsa_t), KM_NOSLEEP); 1105 if (newbie == NULL) 1106 return (NULL); 1107 1108 /* Copy over what we can. */ 1109 *newbie = *ipsa; 1110 1111 /* bzero and initialize locks, in case *_init() allocates... */ 1112 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 1113 1114 /* 1115 * While somewhat dain-bramaged, the most graceful way to 1116 * recover from errors is to keep plowing through the 1117 * allocations, and getting what I can. It's easier to call 1118 * sadb_freeassoc() on the stillborn clone when all the 1119 * pointers aren't pointing to the parent's data. 1120 */ 1121 1122 if (ipsa->ipsa_authkey != NULL) { 1123 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 1124 KM_NOSLEEP); 1125 if (newbie->ipsa_authkey == NULL) { 1126 error = B_TRUE; 1127 } else { 1128 bcopy(ipsa->ipsa_authkey, newbie->ipsa_authkey, 1129 newbie->ipsa_authkeylen); 1130 1131 newbie->ipsa_kcfauthkey.ck_data = 1132 newbie->ipsa_authkey; 1133 } 1134 1135 if (newbie->ipsa_amech.cm_param != NULL) { 1136 newbie->ipsa_amech.cm_param = 1137 (char *)&newbie->ipsa_mac_len; 1138 } 1139 } 1140 1141 if (ipsa->ipsa_encrkey != NULL) { 1142 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 1143 KM_NOSLEEP); 1144 if (newbie->ipsa_encrkey == NULL) { 1145 error = B_TRUE; 1146 } else { 1147 bcopy(ipsa->ipsa_encrkey, newbie->ipsa_encrkey, 1148 newbie->ipsa_encrkeylen); 1149 1150 newbie->ipsa_kcfencrkey.ck_data = 1151 newbie->ipsa_encrkey; 1152 } 1153 } 1154 1155 newbie->ipsa_authtmpl = NULL; 1156 newbie->ipsa_encrtmpl = NULL; 1157 1158 if (ipsa->ipsa_integ != NULL) { 1159 newbie->ipsa_integ = kmem_alloc(newbie->ipsa_integlen, 1160 KM_NOSLEEP); 1161 if (newbie->ipsa_integ == NULL) { 1162 error = B_TRUE; 1163 } else { 1164 bcopy(ipsa->ipsa_integ, newbie->ipsa_integ, 1165 newbie->ipsa_integlen); 1166 } 1167 } 1168 1169 if (ipsa->ipsa_sens != NULL) { 1170 newbie->ipsa_sens = kmem_alloc(newbie->ipsa_senslen, 1171 KM_NOSLEEP); 1172 if (newbie->ipsa_sens == NULL) { 1173 error = B_TRUE; 1174 } else { 1175 bcopy(ipsa->ipsa_sens, newbie->ipsa_sens, 1176 newbie->ipsa_senslen); 1177 } 1178 } 1179 1180 if (ipsa->ipsa_src_cid != NULL) { 1181 newbie->ipsa_src_cid = ipsa->ipsa_src_cid; 1182 IPSID_REFHOLD(ipsa->ipsa_src_cid); 1183 } 1184 1185 if (ipsa->ipsa_dst_cid != NULL) { 1186 newbie->ipsa_dst_cid = ipsa->ipsa_dst_cid; 1187 IPSID_REFHOLD(ipsa->ipsa_dst_cid); 1188 } 1189 1190 #if 0 /* XXX PROXY - Proxy identities not supported yet. */ 1191 if (ipsa->ipsa_proxy_cid != NULL) { 1192 newbie->ipsa_proxy_cid = ipsa->ipsa_proxy_cid; 1193 IPSID_REFHOLD(ipsa->ipsa_proxy_cid); 1194 } 1195 #endif /* XXX PROXY */ 1196 1197 if (error) { 1198 sadb_freeassoc(newbie); 1199 return (NULL); 1200 } 1201 1202 return (newbie); 1203 } 1204 1205 /* 1206 * Initialize a SADB address extension at the address specified by addrext. 1207 * Return a pointer to the end of the new address extension. 1208 */ 1209 static uint8_t * 1210 sadb_make_addr_ext(uint8_t *start, uint8_t *end, uint16_t exttype, 1211 sa_family_t af, uint32_t *addr, uint16_t port, uint8_t proto) 1212 { 1213 struct sockaddr_in *sin; 1214 struct sockaddr_in6 *sin6; 1215 uint8_t *cur = start; 1216 int addrext_len; 1217 int sin_len; 1218 sadb_address_t *addrext = (sadb_address_t *)cur; 1219 1220 if (cur == NULL) 1221 return (NULL); 1222 1223 cur += sizeof (*addrext); 1224 if (cur > end) 1225 return (NULL); 1226 1227 addrext->sadb_address_proto = proto; 1228 addrext->sadb_address_prefixlen = 0; 1229 addrext->sadb_address_reserved = 0; 1230 addrext->sadb_address_exttype = exttype; 1231 1232 switch (af) { 1233 case AF_INET: 1234 sin = (struct sockaddr_in *)cur; 1235 sin_len = sizeof (*sin); 1236 cur += sin_len; 1237 if (cur > end) 1238 return (NULL); 1239 1240 sin->sin_family = af; 1241 bzero(sin->sin_zero, sizeof (sin->sin_zero)); 1242 sin->sin_port = port; 1243 IPSA_COPY_ADDR(&sin->sin_addr, addr, af); 1244 break; 1245 case AF_INET6: 1246 sin6 = (struct sockaddr_in6 *)cur; 1247 sin_len = sizeof (*sin6); 1248 cur += sin_len; 1249 if (cur > end) 1250 return (NULL); 1251 1252 bzero(sin6, sizeof (*sin6)); 1253 sin6->sin6_family = af; 1254 sin6->sin6_port = port; 1255 IPSA_COPY_ADDR(&sin6->sin6_addr, addr, af); 1256 break; 1257 } 1258 1259 addrext_len = roundup(cur - start, sizeof (uint64_t)); 1260 addrext->sadb_address_len = SADB_8TO64(addrext_len); 1261 1262 cur = start + addrext_len; 1263 if (cur > end) 1264 cur = NULL; 1265 1266 return (cur); 1267 } 1268 1269 /* 1270 * Construct a key management cookie extension. 1271 */ 1272 1273 static uint8_t * 1274 sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint32_t kmc) 1275 { 1276 sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur; 1277 1278 if (cur == NULL) 1279 return (NULL); 1280 1281 cur += sizeof (*kmcext); 1282 1283 if (cur > end) 1284 return (NULL); 1285 1286 kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext)); 1287 kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE; 1288 kmcext->sadb_x_kmc_proto = kmp; 1289 kmcext->sadb_x_kmc_cookie = kmc; 1290 kmcext->sadb_x_kmc_reserved = 0; 1291 1292 return (cur); 1293 } 1294 1295 /* 1296 * Given an original message header with sufficient space following it, and an 1297 * SA, construct a full PF_KEY message with all of the relevant extensions. 1298 * This is mostly used for SADB_GET, and SADB_DUMP. 1299 */ 1300 mblk_t * 1301 sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg) 1302 { 1303 int alloclen, addrsize, paddrsize, authsize, encrsize; 1304 int srcidsize, dstidsize; 1305 sa_family_t fam, pfam; /* Address family for SADB_EXT_ADDRESS */ 1306 /* src/dst and proxy sockaddrs. */ 1307 /* 1308 * The following are pointers into the PF_KEY message this PF_KEY 1309 * message creates. 1310 */ 1311 sadb_msg_t *newsamsg; 1312 sadb_sa_t *assoc; 1313 sadb_lifetime_t *lt; 1314 sadb_key_t *key; 1315 sadb_ident_t *ident; 1316 sadb_sens_t *sens; 1317 sadb_ext_t *walker; /* For when we need a generic ext. pointer. */ 1318 mblk_t *mp; 1319 uint64_t *bitmap; 1320 uint8_t *cur, *end; 1321 /* These indicate the presence of the above extension fields. */ 1322 boolean_t soft, hard, proxy, auth, encr, sensinteg, srcid, dstid; 1323 #if 0 /* XXX PROXY see below... */ 1324 boolean_t proxyid, iv; 1325 int proxyidsize, ivsize; 1326 #endif /* XXX PROXY */ 1327 1328 /* First off, figure out the allocation length for this message. */ 1329 1330 /* 1331 * Constant stuff. This includes base, SA, address (src, dst), 1332 * and lifetime (current). 1333 */ 1334 alloclen = sizeof (sadb_msg_t) + sizeof (sadb_sa_t) + 1335 sizeof (sadb_lifetime_t); 1336 1337 fam = ipsa->ipsa_addrfam; 1338 switch (fam) { 1339 case AF_INET: 1340 addrsize = roundup(sizeof (struct sockaddr_in) + 1341 sizeof (sadb_address_t), sizeof (uint64_t)); 1342 break; 1343 case AF_INET6: 1344 addrsize = roundup(sizeof (struct sockaddr_in6) + 1345 sizeof (sadb_address_t), sizeof (uint64_t)); 1346 break; 1347 default: 1348 return (NULL); 1349 } 1350 /* 1351 * Allocate TWO address extensions, for source and destination. 1352 * (Thus, the * 2.) 1353 */ 1354 alloclen += addrsize * 2; 1355 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) 1356 alloclen += addrsize; 1357 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) 1358 alloclen += addrsize; 1359 1360 1361 /* How 'bout other lifetimes? */ 1362 if (ipsa->ipsa_softaddlt != 0 || ipsa->ipsa_softuselt != 0 || 1363 ipsa->ipsa_softbyteslt != 0 || ipsa->ipsa_softalloc != 0) { 1364 alloclen += sizeof (sadb_lifetime_t); 1365 soft = B_TRUE; 1366 } else { 1367 soft = B_FALSE; 1368 } 1369 1370 if (ipsa->ipsa_hardaddlt != 0 || ipsa->ipsa_harduselt != 0 || 1371 ipsa->ipsa_hardbyteslt != 0 || ipsa->ipsa_hardalloc != 0) { 1372 alloclen += sizeof (sadb_lifetime_t); 1373 hard = B_TRUE; 1374 } else { 1375 hard = B_FALSE; 1376 } 1377 1378 /* Proxy address? */ 1379 if (!IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_proxysrc, ipsa->ipsa_proxyfam)) { 1380 pfam = ipsa->ipsa_proxyfam; 1381 switch (pfam) { 1382 case AF_INET6: 1383 paddrsize = roundup(sizeof (struct sockaddr_in6) + 1384 sizeof (sadb_address_t), sizeof (uint64_t)); 1385 break; 1386 case AF_INET: 1387 paddrsize = roundup(sizeof (struct sockaddr_in) + 1388 sizeof (sadb_address_t), sizeof (uint64_t)); 1389 break; 1390 default: 1391 cmn_err(CE_PANIC, 1392 "IPsec SADB: Proxy length failure.\n"); 1393 break; 1394 } 1395 proxy = B_TRUE; 1396 alloclen += paddrsize; 1397 } else { 1398 proxy = B_FALSE; 1399 } 1400 1401 /* For the following fields, assume that length != 0 ==> stuff */ 1402 if (ipsa->ipsa_authkeylen != 0) { 1403 authsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_authkeylen, 1404 sizeof (uint64_t)); 1405 alloclen += authsize; 1406 auth = B_TRUE; 1407 } else { 1408 auth = B_FALSE; 1409 } 1410 1411 if (ipsa->ipsa_encrkeylen != 0) { 1412 encrsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_encrkeylen, 1413 sizeof (uint64_t)); 1414 alloclen += encrsize; 1415 encr = B_TRUE; 1416 } else { 1417 encr = B_FALSE; 1418 } 1419 1420 /* No need for roundup on sens and integ. */ 1421 if (ipsa->ipsa_integlen != 0 || ipsa->ipsa_senslen != 0) { 1422 alloclen += sizeof (sadb_key_t) + ipsa->ipsa_integlen + 1423 ipsa->ipsa_senslen; 1424 sensinteg = B_TRUE; 1425 } else { 1426 sensinteg = B_FALSE; 1427 } 1428 1429 /* 1430 * Must use strlen() here for lengths. Identities use NULL 1431 * pointers to indicate their nonexistence. 1432 */ 1433 if (ipsa->ipsa_src_cid != NULL) { 1434 srcidsize = roundup(sizeof (sadb_ident_t) + 1435 strlen(ipsa->ipsa_src_cid->ipsid_cid) + 1, 1436 sizeof (uint64_t)); 1437 alloclen += srcidsize; 1438 srcid = B_TRUE; 1439 } else { 1440 srcid = B_FALSE; 1441 } 1442 1443 if (ipsa->ipsa_dst_cid != NULL) { 1444 dstidsize = roundup(sizeof (sadb_ident_t) + 1445 strlen(ipsa->ipsa_dst_cid->ipsid_cid) + 1, 1446 sizeof (uint64_t)); 1447 alloclen += dstidsize; 1448 dstid = B_TRUE; 1449 } else { 1450 dstid = B_FALSE; 1451 } 1452 1453 #if 0 /* XXX PROXY not yet. */ 1454 if (ipsa->ipsa_proxy_cid != NULL) { 1455 proxyidsize = roundup(sizeof (sadb_ident_t) + 1456 strlen(ipsa->ipsa_proxy_cid->ipsid_cid) + 1, 1457 sizeof (uint64_t)); 1458 alloclen += proxyidsize; 1459 proxyid = B_TRUE; 1460 } else { 1461 proxyid = B_FALSE; 1462 } 1463 #endif /* XXX PROXY */ 1464 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) 1465 alloclen += sizeof (sadb_x_kmc_t); 1466 1467 /* Make sure the allocation length is a multiple of 8 bytes. */ 1468 ASSERT((alloclen & 0x7) == 0); 1469 1470 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */ 1471 mp = allocb(alloclen, BPRI_HI); 1472 if (mp == NULL) 1473 return (NULL); 1474 1475 mp->b_wptr += alloclen; 1476 end = mp->b_wptr; 1477 newsamsg = (sadb_msg_t *)mp->b_rptr; 1478 *newsamsg = *samsg; 1479 newsamsg->sadb_msg_len = (uint16_t)SADB_8TO64(alloclen); 1480 1481 mutex_enter(&ipsa->ipsa_lock); /* Since I'm grabbing SA fields... */ 1482 1483 newsamsg->sadb_msg_satype = ipsa->ipsa_type; 1484 1485 assoc = (sadb_sa_t *)(newsamsg + 1); 1486 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc)); 1487 assoc->sadb_sa_exttype = SADB_EXT_SA; 1488 assoc->sadb_sa_spi = ipsa->ipsa_spi; 1489 assoc->sadb_sa_replay = ipsa->ipsa_replay_wsize; 1490 assoc->sadb_sa_state = ipsa->ipsa_state; 1491 assoc->sadb_sa_auth = ipsa->ipsa_auth_alg; 1492 assoc->sadb_sa_encrypt = ipsa->ipsa_encr_alg; 1493 assoc->sadb_sa_flags = ipsa->ipsa_flags; 1494 1495 lt = (sadb_lifetime_t *)(assoc + 1); 1496 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1497 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 1498 lt->sadb_lifetime_allocations = ipsa->ipsa_alloc; 1499 lt->sadb_lifetime_bytes = ipsa->ipsa_bytes; 1500 lt->sadb_lifetime_addtime = ipsa->ipsa_addtime; 1501 lt->sadb_lifetime_usetime = ipsa->ipsa_usetime; 1502 1503 if (hard) { 1504 lt++; 1505 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1506 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 1507 lt->sadb_lifetime_allocations = ipsa->ipsa_hardalloc; 1508 lt->sadb_lifetime_bytes = ipsa->ipsa_hardbyteslt; 1509 lt->sadb_lifetime_addtime = ipsa->ipsa_hardaddlt; 1510 lt->sadb_lifetime_usetime = ipsa->ipsa_harduselt; 1511 } 1512 1513 if (soft) { 1514 lt++; 1515 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1516 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 1517 lt->sadb_lifetime_allocations = ipsa->ipsa_softalloc; 1518 lt->sadb_lifetime_bytes = ipsa->ipsa_softbyteslt; 1519 lt->sadb_lifetime_addtime = ipsa->ipsa_softaddlt; 1520 lt->sadb_lifetime_usetime = ipsa->ipsa_softuselt; 1521 } 1522 1523 cur = (uint8_t *)(lt + 1); 1524 1525 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, fam, 1526 ipsa->ipsa_srcaddr, SA_SRCPORT(ipsa), SA_PROTO(ipsa)); 1527 if (cur == NULL) { 1528 freemsg(mp); 1529 mp = NULL; 1530 goto bail; 1531 } 1532 1533 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, fam, 1534 ipsa->ipsa_dstaddr, SA_DSTPORT(ipsa), SA_PROTO(ipsa)); 1535 if (cur == NULL) { 1536 freemsg(mp); 1537 mp = NULL; 1538 goto bail; 1539 } 1540 1541 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) { 1542 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_LOC, 1543 fam, ipsa->ipsa_natt_addr_loc, 0, 0); 1544 if (cur == NULL) { 1545 freemsg(mp); 1546 mp = NULL; 1547 goto bail; 1548 } 1549 } 1550 1551 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) { 1552 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_REM, 1553 fam, ipsa->ipsa_natt_addr_rem, ipsa->ipsa_remote_port, 1554 IPPROTO_UDP); 1555 if (cur == NULL) { 1556 freemsg(mp); 1557 mp = NULL; 1558 goto bail; 1559 } 1560 } 1561 1562 if (proxy) { 1563 /* 1564 * XXX PROXY When we expand the definition of proxy to include 1565 * both inner and outer IP addresses, this will have to 1566 * be expanded. 1567 */ 1568 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_PROXY, 1569 pfam, ipsa->ipsa_proxysrc, 0, 0); 1570 if (cur == NULL) { 1571 freemsg(mp); 1572 mp = NULL; 1573 goto bail; 1574 } 1575 } 1576 1577 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) { 1578 cur = sadb_make_kmc_ext(cur, end, 1579 ipsa->ipsa_kmp, ipsa->ipsa_kmc); 1580 if (cur == NULL) { 1581 freemsg(mp); 1582 mp = NULL; 1583 goto bail; 1584 } 1585 } 1586 1587 walker = (sadb_ext_t *)cur; 1588 if (auth) { 1589 key = (sadb_key_t *)walker; 1590 key->sadb_key_len = SADB_8TO64(authsize); 1591 key->sadb_key_exttype = SADB_EXT_KEY_AUTH; 1592 key->sadb_key_bits = ipsa->ipsa_authkeybits; 1593 key->sadb_key_reserved = 0; 1594 bcopy(ipsa->ipsa_authkey, key + 1, ipsa->ipsa_authkeylen); 1595 walker = (sadb_ext_t *)((uint64_t *)walker + 1596 walker->sadb_ext_len); 1597 } 1598 1599 if (encr) { 1600 key = (sadb_key_t *)walker; 1601 key->sadb_key_len = SADB_8TO64(encrsize); 1602 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 1603 key->sadb_key_bits = ipsa->ipsa_encrkeybits; 1604 key->sadb_key_reserved = 0; 1605 bcopy(ipsa->ipsa_encrkey, key + 1, ipsa->ipsa_encrkeylen); 1606 walker = (sadb_ext_t *)((uint64_t *)walker + 1607 walker->sadb_ext_len); 1608 } 1609 1610 if (srcid) { 1611 ident = (sadb_ident_t *)walker; 1612 ident->sadb_ident_len = SADB_8TO64(srcidsize); 1613 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 1614 ident->sadb_ident_type = ipsa->ipsa_src_cid->ipsid_type; 1615 ident->sadb_ident_id = 0; 1616 ident->sadb_ident_reserved = 0; 1617 (void) strcpy((char *)(ident + 1), 1618 ipsa->ipsa_src_cid->ipsid_cid); 1619 walker = (sadb_ext_t *)((uint64_t *)walker + 1620 walker->sadb_ext_len); 1621 } 1622 1623 if (dstid) { 1624 ident = (sadb_ident_t *)walker; 1625 ident->sadb_ident_len = SADB_8TO64(dstidsize); 1626 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 1627 ident->sadb_ident_type = ipsa->ipsa_dst_cid->ipsid_type; 1628 ident->sadb_ident_id = 0; 1629 ident->sadb_ident_reserved = 0; 1630 (void) strcpy((char *)(ident + 1), 1631 ipsa->ipsa_dst_cid->ipsid_cid); 1632 walker = (sadb_ext_t *)((uint64_t *)walker + 1633 walker->sadb_ext_len); 1634 } 1635 1636 #if 0 /* XXX PROXY not yet */ 1637 if (proxyid) { 1638 ident = (sadb_ident_t *)walker; 1639 ident->sadb_ident_len = SADB_8TO64(proxyidsize); 1640 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_PROXY; 1641 ident->sadb_ident_type = ipsa->ipsa_pcid_type; 1642 ident->sadb_ident_id = 0; 1643 ident->sadb_ident_reserved = 0; 1644 (void) strcpy((char *)(ident + 1), ipsa->ipsa_proxy_cid); 1645 walker = (sadb_ext_t *)((uint64_t *)walker + 1646 walker->sadb_ext_len); 1647 } 1648 #endif /* XXX PROXY */ 1649 1650 if (sensinteg) { 1651 sens = (sadb_sens_t *)walker; 1652 sens->sadb_sens_len = SADB_8TO64(sizeof (sadb_sens_t *) + 1653 ipsa->ipsa_senslen + ipsa->ipsa_integlen); 1654 sens->sadb_sens_dpd = ipsa->ipsa_dpd; 1655 sens->sadb_sens_sens_level = ipsa->ipsa_senslevel; 1656 sens->sadb_sens_integ_level = ipsa->ipsa_integlevel; 1657 sens->sadb_sens_sens_len = SADB_8TO64(ipsa->ipsa_senslen); 1658 sens->sadb_sens_integ_len = SADB_8TO64(ipsa->ipsa_integlen); 1659 sens->sadb_sens_reserved = 0; 1660 bitmap = (uint64_t *)(sens + 1); 1661 if (ipsa->ipsa_sens != NULL) { 1662 bcopy(ipsa->ipsa_sens, bitmap, ipsa->ipsa_senslen); 1663 bitmap += sens->sadb_sens_sens_len; 1664 } 1665 if (ipsa->ipsa_integ != NULL) 1666 bcopy(ipsa->ipsa_integ, bitmap, ipsa->ipsa_integlen); 1667 walker = (sadb_ext_t *)((uint64_t *)walker + 1668 walker->sadb_ext_len); 1669 } 1670 1671 bail: 1672 /* Pardon any delays... */ 1673 mutex_exit(&ipsa->ipsa_lock); 1674 1675 return (mp); 1676 } 1677 1678 /* 1679 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN) 1680 * and adjust base message accordingly. 1681 * 1682 * Assume message is pulled up in one piece of contiguous memory. 1683 * 1684 * Say if we start off with: 1685 * 1686 * +------+----+-------------+-----------+---------------+---------------+ 1687 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime | 1688 * +------+----+-------------+-----------+---------------+---------------+ 1689 * 1690 * we will end up with 1691 * 1692 * +------+----+-------------+-----------+---------------+ 1693 * | base | SA | source addr | dest addr | soft lifetime | 1694 * +------+----+-------------+-----------+---------------+ 1695 */ 1696 static void 1697 sadb_strip(sadb_msg_t *samsg) 1698 { 1699 sadb_ext_t *ext; 1700 uint8_t *target = NULL; 1701 uint8_t *msgend; 1702 int sofar = SADB_8TO64(sizeof (*samsg)); 1703 int copylen; 1704 1705 ext = (sadb_ext_t *)(samsg + 1); 1706 msgend = (uint8_t *)samsg; 1707 msgend += SADB_64TO8(samsg->sadb_msg_len); 1708 while ((uint8_t *)ext < msgend) { 1709 if (ext->sadb_ext_type == SADB_EXT_RESERVED || 1710 ext->sadb_ext_type == SADB_EXT_KEY_AUTH || 1711 ext->sadb_ext_type == SADB_EXT_KEY_ENCRYPT) { 1712 /* 1713 * Aha! I found a header to be erased. 1714 */ 1715 1716 if (target != NULL) { 1717 /* 1718 * If I had a previous header to be erased, 1719 * copy over it. I can get away with just 1720 * copying backwards because the target will 1721 * always be 8 bytes behind the source. 1722 */ 1723 copylen = ((uint8_t *)ext) - (target + 1724 SADB_64TO8( 1725 ((sadb_ext_t *)target)->sadb_ext_len)); 1726 ovbcopy(((uint8_t *)ext - copylen), target, 1727 copylen); 1728 target += copylen; 1729 ((sadb_ext_t *)target)->sadb_ext_len = 1730 SADB_8TO64(((uint8_t *)ext) - target + 1731 SADB_64TO8(ext->sadb_ext_len)); 1732 } else { 1733 target = (uint8_t *)ext; 1734 } 1735 } else { 1736 sofar += ext->sadb_ext_len; 1737 } 1738 1739 ext = (sadb_ext_t *)(((uint64_t *)ext) + ext->sadb_ext_len); 1740 } 1741 1742 ASSERT((uint8_t *)ext == msgend); 1743 1744 if (target != NULL) { 1745 copylen = ((uint8_t *)ext) - (target + 1746 SADB_64TO8(((sadb_ext_t *)target)->sadb_ext_len)); 1747 if (copylen != 0) 1748 ovbcopy(((uint8_t *)ext - copylen), target, copylen); 1749 } 1750 1751 /* Adjust samsg. */ 1752 samsg->sadb_msg_len = (uint16_t)sofar; 1753 1754 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */ 1755 } 1756 1757 /* 1758 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL 1759 * followed by an M_DATA with a PF_KEY message in it. The serial of 1760 * the sending keysock instance is included. 1761 */ 1762 void 1763 sadb_pfkey_error(queue_t *pfkey_q, mblk_t *mp, int error, int diagnostic, 1764 uint_t serial) 1765 { 1766 mblk_t *msg = mp->b_cont; 1767 sadb_msg_t *samsg; 1768 keysock_out_t *kso; 1769 1770 /* 1771 * Enough functions call this to merit a NULL queue check. 1772 */ 1773 if (pfkey_q == NULL) { 1774 freemsg(mp); 1775 return; 1776 } 1777 1778 ASSERT(msg != NULL); 1779 ASSERT((mp->b_wptr - mp->b_rptr) == sizeof (ipsec_info_t)); 1780 ASSERT((msg->b_wptr - msg->b_rptr) >= sizeof (sadb_msg_t)); 1781 samsg = (sadb_msg_t *)msg->b_rptr; 1782 kso = (keysock_out_t *)mp->b_rptr; 1783 1784 kso->ks_out_type = KEYSOCK_OUT; 1785 kso->ks_out_len = sizeof (*kso); 1786 kso->ks_out_serial = serial; 1787 1788 /* 1789 * Only send the base message up in the event of an error. 1790 * Don't worry about bzero()-ing, because it was probably bogus 1791 * anyway. 1792 */ 1793 msg->b_wptr = msg->b_rptr + sizeof (*samsg); 1794 samsg = (sadb_msg_t *)msg->b_rptr; 1795 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 1796 samsg->sadb_msg_errno = (uint8_t)error; 1797 if (diagnostic != SADB_X_DIAGNOSTIC_PRESET) 1798 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 1799 1800 putnext(pfkey_q, mp); 1801 } 1802 1803 /* 1804 * Send a successful return packet back to keysock via the queue in pfkey_q. 1805 * 1806 * Often, an SA is associated with the reply message, it's passed in if needed, 1807 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held, 1808 * and the caller will release said refcnt. 1809 */ 1810 void 1811 sadb_pfkey_echo(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 1812 keysock_in_t *ksi, ipsa_t *ipsa) 1813 { 1814 keysock_out_t *kso; 1815 mblk_t *mp1; 1816 sadb_msg_t *newsamsg; 1817 uint8_t *oldend; 1818 1819 ASSERT((mp->b_cont != NULL) && 1820 ((void *)samsg == (void *)mp->b_cont->b_rptr) && 1821 ((void *)mp->b_rptr == (void *)ksi)); 1822 1823 switch (samsg->sadb_msg_type) { 1824 case SADB_ADD: 1825 case SADB_UPDATE: 1826 case SADB_FLUSH: 1827 case SADB_DUMP: 1828 /* 1829 * I have all of the message already. I just need to strip 1830 * out the keying material and echo the message back. 1831 * 1832 * NOTE: for SADB_DUMP, the function sadb_dump() did the 1833 * work. When DUMP reaches here, it should only be a base 1834 * message. 1835 */ 1836 justecho: 1837 ASSERT(samsg->sadb_msg_type != SADB_DUMP || 1838 samsg->sadb_msg_len == SADB_8TO64(sizeof (sadb_msg_t))); 1839 1840 if (ksi->ks_in_extv[SADB_EXT_KEY_AUTH] != NULL || 1841 ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT] != NULL) { 1842 sadb_strip(samsg); 1843 /* Assume PF_KEY message is contiguous. */ 1844 ASSERT(mp->b_cont->b_cont == NULL); 1845 oldend = mp->b_cont->b_wptr; 1846 mp->b_cont->b_wptr = mp->b_cont->b_rptr + 1847 SADB_64TO8(samsg->sadb_msg_len); 1848 bzero(mp->b_cont->b_wptr, oldend - mp->b_cont->b_wptr); 1849 } 1850 break; 1851 case SADB_GET: 1852 /* 1853 * Do a lot of work here, because of the ipsa I just found. 1854 * First abandon the PF_KEY message, then construct 1855 * the new one. 1856 */ 1857 mp1 = sadb_sa2msg(ipsa, samsg); 1858 if (mp1 == NULL) { 1859 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 1860 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 1861 return; 1862 } 1863 freemsg(mp->b_cont); 1864 mp->b_cont = mp1; 1865 break; 1866 case SADB_DELETE: 1867 if (ipsa == NULL) 1868 goto justecho; 1869 /* 1870 * Because listening KMds may require more info, treat 1871 * DELETE like a special case of GET. 1872 */ 1873 mp1 = sadb_sa2msg(ipsa, samsg); 1874 if (mp1 == NULL) { 1875 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 1876 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 1877 return; 1878 } 1879 newsamsg = (sadb_msg_t *)mp1->b_rptr; 1880 sadb_strip(newsamsg); 1881 oldend = mp1->b_wptr; 1882 mp1->b_wptr = mp1->b_rptr + SADB_64TO8(newsamsg->sadb_msg_len); 1883 bzero(mp1->b_wptr, oldend - mp1->b_wptr); 1884 freemsg(mp->b_cont); 1885 mp->b_cont = mp1; 1886 break; 1887 default: 1888 if (mp != NULL) 1889 freemsg(mp); 1890 return; 1891 } 1892 1893 /* ksi is now null and void. */ 1894 kso = (keysock_out_t *)ksi; 1895 kso->ks_out_type = KEYSOCK_OUT; 1896 kso->ks_out_len = sizeof (*kso); 1897 kso->ks_out_serial = ksi->ks_in_serial; 1898 /* We're ready to send... */ 1899 putnext(pfkey_q, mp); 1900 } 1901 1902 /* 1903 * Set up a global pfkey_q instance for AH, ESP, or some other consumer. 1904 */ 1905 void 1906 sadb_keysock_hello(queue_t **pfkey_qp, queue_t *q, mblk_t *mp, 1907 void (*ager)(void *), timeout_id_t *top, int satype) 1908 { 1909 keysock_hello_ack_t *kha; 1910 queue_t *oldq; 1911 1912 ASSERT(OTHERQ(q) != NULL); 1913 1914 /* 1915 * First, check atomically that I'm the first and only keysock 1916 * instance. 1917 * 1918 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp), 1919 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY 1920 * messages. 1921 */ 1922 1923 oldq = casptr((void **)pfkey_qp, NULL, OTHERQ(q)); 1924 if (oldq != NULL) { 1925 ASSERT(oldq != q); 1926 cmn_err(CE_WARN, "Danger! Multiple keysocks on top of %s.\n", 1927 (satype == SADB_SATYPE_ESP)? "ESP" : "AH or other"); 1928 freemsg(mp); 1929 return; 1930 } 1931 1932 kha = (keysock_hello_ack_t *)mp->b_rptr; 1933 kha->ks_hello_len = sizeof (keysock_hello_ack_t); 1934 kha->ks_hello_type = KEYSOCK_HELLO_ACK; 1935 kha->ks_hello_satype = (uint8_t)satype; 1936 1937 /* 1938 * If we made it past the casptr, then we have "exclusive" access 1939 * to the timeout handle. Fire it off in 4 seconds, because it 1940 * just seems like a good interval. 1941 */ 1942 *top = qtimeout(*pfkey_qp, ager, NULL, drv_usectohz(4000000)); 1943 1944 putnext(*pfkey_qp, mp); 1945 } 1946 1947 /* 1948 * Send IRE_DB_REQ down to IP to get properties of address. 1949 * If I can determine the address, return the proper type. If an error 1950 * occurs, or if I have to send down an IRE_DB_REQ, return UNKNOWN, and 1951 * the caller will just let go of mp w/o freeing it. 1952 * 1953 * To handle the compatible IPv6 addresses (i.e. ::FFFF:<v4-address>), 1954 * this function will also convert such AF_INET6 addresses into AF_INET 1955 * addresses. 1956 * 1957 * Whomever called the function will handle the return message that IP sends 1958 * in response to the message this function generates. 1959 */ 1960 int 1961 sadb_addrcheck(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_ext_t *ext, 1962 uint_t serial) 1963 { 1964 sadb_address_t *addr = (sadb_address_t *)ext; 1965 struct sockaddr_in *sin; 1966 struct sockaddr_in6 *sin6; 1967 mblk_t *ire_db_req_mp; 1968 ire_t *ire; 1969 int diagnostic; 1970 1971 ASSERT(ext != NULL); 1972 ASSERT((ext->sadb_ext_type == SADB_EXT_ADDRESS_SRC) || 1973 (ext->sadb_ext_type == SADB_EXT_ADDRESS_DST) || 1974 (ext->sadb_ext_type == SADB_EXT_ADDRESS_PROXY)); 1975 1976 ire_db_req_mp = allocb(sizeof (ire_t), BPRI_HI); 1977 if (ire_db_req_mp == NULL) { 1978 /* cmn_err(CE_WARN, "sadb_addrcheck: allocb() failed.\n"); */ 1979 sadb_pfkey_error(pfkey_q, mp, ENOMEM, SADB_X_DIAGNOSTIC_NONE, 1980 serial); 1981 return (KS_IN_ADDR_UNKNOWN); 1982 } 1983 1984 ire_db_req_mp->b_datap->db_type = IRE_DB_REQ_TYPE; 1985 ire_db_req_mp->b_wptr += sizeof (ire_t); 1986 ire = (ire_t *)ire_db_req_mp->b_rptr; 1987 1988 /* Assign both sockaddrs, the compiler will do the right thing. */ 1989 sin = (struct sockaddr_in *)(addr + 1); 1990 sin6 = (struct sockaddr_in6 *)(addr + 1); 1991 1992 switch (sin->sin_family) { 1993 case AF_INET6: 1994 /* Because of the longer IPv6 addrs, do check first. */ 1995 if (!IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { 1996 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) { 1997 freemsg(ire_db_req_mp); 1998 return (KS_IN_ADDR_MBCAST); 1999 } 2000 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) { 2001 freemsg(ire_db_req_mp); 2002 return (KS_IN_ADDR_UNSPEC); 2003 } 2004 ire->ire_ipversion = IPV6_VERSION; 2005 ire->ire_addr_v6 = sin6->sin6_addr; 2006 break; /* Out of switch. */ 2007 } 2008 /* 2009 * Convert to an AF_INET sockaddr. This means 2010 * the return messages will have the extra space, but 2011 * have AF_INET sockaddrs instead of AF_INET6. 2012 * 2013 * Yes, RFC 2367 isn't clear on what to do here w.r.t. 2014 * mapped addresses, but since AF_INET6 ::ffff:<v4> is 2015 * equal to AF_INET <v4>, it shouldnt be a huge 2016 * problem. 2017 */ 2018 ASSERT(&sin->sin_port == &sin6->sin6_port); 2019 sin->sin_family = AF_INET; 2020 IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, &sin->sin_addr); 2021 bzero(&sin->sin_zero, sizeof (sin->sin_zero)); 2022 /* FALLTHRU */ 2023 case AF_INET: 2024 ire->ire_ipversion = IPV4_VERSION; 2025 ire->ire_addr = sin->sin_addr.s_addr; 2026 if (ire->ire_addr == INADDR_ANY) { 2027 freemsg(ire_db_req_mp); 2028 return (KS_IN_ADDR_UNSPEC); 2029 } 2030 if (CLASSD(ire->ire_addr)) { 2031 freemsg(ire_db_req_mp); 2032 return (KS_IN_ADDR_MBCAST); 2033 } 2034 break; 2035 default: 2036 freemsg(ire_db_req_mp); 2037 2038 switch (ext->sadb_ext_type) { 2039 case SADB_EXT_ADDRESS_SRC: 2040 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC_AF; 2041 break; 2042 case SADB_EXT_ADDRESS_DST: 2043 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 2044 break; 2045 case SADB_EXT_ADDRESS_PROXY: 2046 diagnostic = SADB_X_DIAGNOSTIC_BAD_PROXY_AF; 2047 break; 2048 /* There is no default, see above ASSERT. */ 2049 } 2050 2051 sadb_pfkey_error(pfkey_q, mp, EINVAL, diagnostic, serial); 2052 return (KS_IN_ADDR_UNKNOWN); 2053 } 2054 ire_db_req_mp->b_cont = mp; 2055 2056 ASSERT(ip_q != NULL); 2057 putnext(ip_q, ire_db_req_mp); 2058 return (KS_IN_ADDR_UNKNOWN); 2059 } 2060 2061 /* 2062 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert 2063 * the source to AF_INET. 2064 */ 2065 void 2066 sadb_srcaddrfix(keysock_in_t *ksi) 2067 { 2068 struct sockaddr_in *src; 2069 struct sockaddr_in6 *dst; 2070 sadb_address_t *srcext, *dstext; 2071 uint16_t sport; 2072 2073 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC || 2074 ksi->ks_in_dsttype == KS_IN_ADDR_NOTTHERE) 2075 return; 2076 2077 dstext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2078 dst = (struct sockaddr_in6 *)(dstext + 1); 2079 srcext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2080 src = (struct sockaddr_in *)(srcext + 1); 2081 2082 /* 2083 * If unspecified IPv4 source, but an IPv6 dest, don't bother 2084 * fixing, as it should be an error. 2085 */ 2086 if (dst->sin6_family == src->sin_family || 2087 src->sin_family == AF_INET) 2088 return; 2089 2090 /* 2091 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being 2092 * in the same place for sockaddr_in and sockaddr_in6. 2093 */ 2094 sport = src->sin_port; 2095 bzero(src, sizeof (*src)); 2096 src->sin_family = AF_INET; 2097 src->sin_port = sport; 2098 } 2099 2100 /* 2101 * Set the results in "addrtype", given an IRE as requested by 2102 * sadb_addrcheck(). 2103 */ 2104 int 2105 sadb_addrset(ire_t *ire) 2106 { 2107 if ((ire->ire_type & IRE_BROADCAST) || 2108 (ire->ire_ipversion == IPV4_VERSION && CLASSD(ire->ire_addr)) || 2109 (ire->ire_ipversion == IPV6_VERSION && 2110 IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6)))) 2111 return (KS_IN_ADDR_MBCAST); 2112 if (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) 2113 return (KS_IN_ADDR_ME); 2114 return (KS_IN_ADDR_NOTME); 2115 } 2116 2117 2118 /* 2119 * Walker callback function to delete sa's based on src/dst address. 2120 * Assumes that we're called with *head locked, no other locks held; 2121 * Conveniently, and not coincidentally, this is both what sadb_walker 2122 * gives us and also what sadb_unlinkassoc expects. 2123 */ 2124 2125 struct sadb_purge_state 2126 { 2127 uint32_t *src; 2128 uint32_t *dst; 2129 sa_family_t af; 2130 boolean_t inbnd; 2131 char *sidstr; 2132 char *didstr; 2133 uint16_t sidtype; 2134 uint16_t didtype; 2135 uint32_t kmproto; 2136 mblk_t *mq; 2137 }; 2138 2139 static void 2140 sadb_purge_cb(isaf_t *head, ipsa_t *entry, void *cookie) 2141 { 2142 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2143 2144 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2145 2146 mutex_enter(&entry->ipsa_lock); 2147 2148 if ((entry->ipsa_state == IPSA_STATE_LARVAL) || 2149 (ps->src != NULL && 2150 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, ps->src, ps->af)) || 2151 (ps->dst != NULL && 2152 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_dstaddr, ps->dst, ps->af)) || 2153 (ps->didstr != NULL && 2154 (entry->ipsa_dst_cid != NULL) && 2155 !(ps->didtype == entry->ipsa_dst_cid->ipsid_type && 2156 strcmp(ps->didstr, entry->ipsa_dst_cid->ipsid_cid) == 0)) || 2157 (ps->sidstr != NULL && 2158 (entry->ipsa_src_cid != NULL) && 2159 !(ps->sidtype == entry->ipsa_src_cid->ipsid_type && 2160 strcmp(ps->sidstr, entry->ipsa_src_cid->ipsid_cid) == 0)) || 2161 (ps->kmproto <= SADB_X_KMP_MAX && ps->kmproto != entry->ipsa_kmp)) { 2162 mutex_exit(&entry->ipsa_lock); 2163 return; 2164 } 2165 2166 entry->ipsa_state = IPSA_STATE_DEAD; 2167 (void) sadb_torch_assoc(head, entry, ps->inbnd, &ps->mq); 2168 } 2169 2170 /* 2171 * Common code to purge an SA with a matching src or dst address. 2172 * Don't kill larval SA's in such a purge. 2173 */ 2174 int 2175 sadb_purge_sa(mblk_t *mp, keysock_in_t *ksi, sadb_t *sp, 2176 int *diagnostic, queue_t *pfkey_q, queue_t *ip_q) 2177 { 2178 sadb_address_t *dstext = 2179 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2180 sadb_address_t *srcext = 2181 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2182 sadb_ident_t *dstid = 2183 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 2184 sadb_ident_t *srcid = 2185 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 2186 sadb_x_kmc_t *kmc = 2187 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 2188 struct sockaddr_in *src, *dst; 2189 struct sockaddr_in6 *src6, *dst6; 2190 struct sadb_purge_state ps; 2191 2192 /* 2193 * Don't worry about IPv6 v4-mapped addresses, sadb_addrcheck() 2194 * takes care of them. 2195 */ 2196 2197 /* enforced by caller */ 2198 ASSERT((dstext != NULL) || (srcext != NULL)); 2199 2200 ps.src = NULL; 2201 ps.dst = NULL; 2202 #ifdef DEBUG 2203 ps.af = (sa_family_t)-1; 2204 #endif 2205 ps.mq = NULL; 2206 ps.sidstr = NULL; 2207 ps.didstr = NULL; 2208 ps.kmproto = SADB_X_KMP_MAX + 1; 2209 2210 if (dstext != NULL) { 2211 dst = (struct sockaddr_in *)(dstext + 1); 2212 ps.af = dst->sin_family; 2213 if (dst->sin_family == AF_INET6) { 2214 dst6 = (struct sockaddr_in6 *)dst; 2215 ps.dst = (uint32_t *)&dst6->sin6_addr; 2216 } else { 2217 ps.dst = (uint32_t *)&dst->sin_addr; 2218 } 2219 } 2220 2221 if (srcext != NULL) { 2222 src = (struct sockaddr_in *)(srcext + 1); 2223 ps.af = src->sin_family; 2224 if (src->sin_family == AF_INET6) { 2225 src6 = (struct sockaddr_in6 *)(srcext + 1); 2226 ps.src = (uint32_t *)&src6->sin6_addr; 2227 } else { 2228 ps.src = (uint32_t *)&src->sin_addr; 2229 } 2230 2231 if (dstext != NULL) { 2232 if (src->sin_family != dst->sin_family) { 2233 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2234 return (EINVAL); 2235 } 2236 } 2237 } 2238 ASSERT(ps.af != (sa_family_t)-1); 2239 2240 if (dstid != NULL) { 2241 /* 2242 * NOTE: May need to copy string in the future 2243 * if the inbound keysock message disappears for some strange 2244 * reason. 2245 */ 2246 ps.didstr = (char *)(dstid + 1); 2247 ps.didtype = dstid->sadb_ident_type; 2248 } 2249 2250 if (srcid != NULL) { 2251 /* 2252 * NOTE: May need to copy string in the future 2253 * if the inbound keysock message disappears for some strange 2254 * reason. 2255 */ 2256 ps.sidstr = (char *)(srcid + 1); 2257 ps.sidtype = srcid->sadb_ident_type; 2258 } 2259 2260 if (kmc != NULL) 2261 ps.kmproto = kmc->sadb_x_kmc_proto; 2262 2263 /* 2264 * This is simple, crude, and effective. 2265 * Unimplemented optimizations (TBD): 2266 * - we can limit how many places we search based on where we 2267 * think the SA is filed. 2268 * - if we get a dst address, we can hash based on dst addr to find 2269 * the correct bucket in the outbound table. 2270 */ 2271 ps.inbnd = B_TRUE; 2272 sadb_walker(sp->sdb_if, sp->sdb_hashsize, sadb_purge_cb, &ps); 2273 ps.inbnd = B_FALSE; 2274 sadb_walker(sp->sdb_of, sp->sdb_hashsize, sadb_purge_cb, &ps); 2275 2276 if (ps.mq != NULL) 2277 sadb_drain_torchq(ip_q, ps.mq); 2278 2279 ASSERT(mp->b_cont != NULL); 2280 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi, 2281 NULL); 2282 return (0); 2283 } 2284 2285 /* 2286 * Common code to delete/get an SA. 2287 */ 2288 int 2289 sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp, 2290 int *diagnostic, queue_t *pfkey_q, boolean_t delete) 2291 { 2292 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2293 sadb_address_t *srcext = 2294 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2295 sadb_address_t *dstext = 2296 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2297 struct sockaddr_in *src, *dst; 2298 struct sockaddr_in6 *src6, *dst6; 2299 sadb_t *sp; 2300 ipsa_t *outbound_target, *inbound_target; 2301 isaf_t *inbound, *outbound; 2302 uint32_t *srcaddr, *dstaddr; 2303 mblk_t *torchq = NULL; 2304 sa_family_t af; 2305 2306 if (dstext == NULL) { 2307 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 2308 return (EINVAL); 2309 } 2310 if (assoc == NULL) { 2311 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 2312 return (EINVAL); 2313 } 2314 2315 /* 2316 * Don't worry about IPv6 v4-mapped addresses, sadb_addrcheck() 2317 * takes care of them. 2318 */ 2319 2320 dst = (struct sockaddr_in *)(dstext + 1); 2321 af = dst->sin_family; 2322 if (af == AF_INET6) { 2323 sp = &spp->s_v6; 2324 dst6 = (struct sockaddr_in6 *)dst; 2325 dstaddr = (uint32_t *)&dst6->sin6_addr; 2326 if (srcext != NULL) { 2327 src6 = (struct sockaddr_in6 *)(srcext + 1); 2328 srcaddr = (uint32_t *)&src6->sin6_addr; 2329 if (src6->sin6_family != AF_INET6) { 2330 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2331 return (EINVAL); 2332 } 2333 } else { 2334 srcaddr = ALL_ZEROES_PTR; 2335 } 2336 2337 outbound = OUTBOUND_BUCKET_V6(sp, *(uint32_t *)dstaddr); 2338 } else { 2339 sp = &spp->s_v4; 2340 dstaddr = (uint32_t *)&dst->sin_addr; 2341 if (srcext != NULL) { 2342 src = (struct sockaddr_in *)(srcext + 1); 2343 srcaddr = (uint32_t *)&src->sin_addr; 2344 if (src->sin_family != AF_INET) { 2345 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2346 return (EINVAL); 2347 } 2348 } else { 2349 srcaddr = ALL_ZEROES_PTR; 2350 } 2351 outbound = OUTBOUND_BUCKET_V4(sp, *(uint32_t *)dstaddr); 2352 } 2353 2354 inbound = INBOUND_BUCKET(sp, assoc->sadb_sa_spi); 2355 2356 /* Lock down both buckets. */ 2357 mutex_enter(&outbound->isaf_lock); 2358 mutex_enter(&inbound->isaf_lock); 2359 2360 /* Try outbound first. */ 2361 outbound_target = ipsec_getassocbyspi(outbound, assoc->sadb_sa_spi, 2362 srcaddr, dstaddr, af); 2363 2364 if (outbound_target == NULL || outbound_target->ipsa_haspeer) { 2365 inbound_target = ipsec_getassocbyspi(inbound, 2366 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2367 } else { 2368 inbound_target = NULL; 2369 } 2370 2371 if (outbound_target == NULL && inbound_target == NULL) { 2372 mutex_exit(&inbound->isaf_lock); 2373 mutex_exit(&outbound->isaf_lock); 2374 return (ESRCH); 2375 } 2376 2377 if (delete) { 2378 /* At this point, I have one or two SAs to be deleted. */ 2379 if (outbound_target != NULL) { 2380 mutex_enter(&outbound_target->ipsa_lock); 2381 outbound_target->ipsa_state = IPSA_STATE_DEAD; 2382 (void) sadb_torch_assoc(outbound, outbound_target, 2383 B_FALSE, &torchq); 2384 } 2385 2386 if (inbound_target != NULL) { 2387 mutex_enter(&inbound_target->ipsa_lock); 2388 inbound_target->ipsa_state = IPSA_STATE_DEAD; 2389 (void) sadb_torch_assoc(inbound, inbound_target, 2390 B_TRUE, &torchq); 2391 } 2392 } 2393 2394 mutex_exit(&inbound->isaf_lock); 2395 mutex_exit(&outbound->isaf_lock); 2396 2397 if (torchq != NULL) 2398 sadb_drain_torchq(spp->s_ip_q, torchq); 2399 2400 /* 2401 * Because of the multi-line macro nature of IPSA_REFRELE, keep 2402 * them in { }. 2403 */ 2404 ASSERT(mp->b_cont != NULL); 2405 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi, 2406 (outbound_target != NULL ? outbound_target : inbound_target)); 2407 2408 if (outbound_target != NULL) { 2409 IPSA_REFRELE(outbound_target); 2410 } 2411 if (inbound_target != NULL) { 2412 IPSA_REFRELE(inbound_target); 2413 } 2414 2415 return (0); 2416 } 2417 2418 /* 2419 * Common code to set ipsa_unique_id; used from both add and update paths. 2420 */ 2421 static void 2422 sadb_set_unique(ipsa_t *sa, uint8_t proto, 2423 struct sockaddr_in *src, struct sockaddr_in *dst) 2424 { 2425 /* Assume that ports are in the same place for INET and INET6 */ 2426 uint16_t srcport = src->sin_port; 2427 uint16_t dstport = dst->sin_port; 2428 2429 sa->ipsa_unique_id = SA_UNIQUE_ID(srcport, dstport, proto); 2430 sa->ipsa_unique_mask = SA_UNIQUE_MASK(srcport, dstport, proto); 2431 if (sa->ipsa_unique_mask != 0) 2432 sa->ipsa_flags |= IPSA_F_UNIQUE; 2433 } 2434 2435 2436 /* 2437 * Initialize the mechanism parameters associated with an SA. 2438 * These parameters can be shared by multiple packets, which saves 2439 * us from the overhead of consulting the algorithm table for 2440 * each packet. 2441 */ 2442 static void 2443 sadb_init_alginfo(ipsa_t *sa) 2444 { 2445 ipsec_alginfo_t *alg; 2446 2447 mutex_enter(&alg_lock); 2448 2449 if (sa->ipsa_encrkey != NULL) { 2450 alg = ipsec_alglists[IPSEC_ALG_ENCR][sa->ipsa_encr_alg]; 2451 if (alg != NULL && ALG_VALID(alg)) { 2452 sa->ipsa_emech.cm_type = alg->alg_mech_type; 2453 sa->ipsa_emech.cm_param = NULL; 2454 sa->ipsa_emech.cm_param_len = 0; 2455 sa->ipsa_iv_len = alg->alg_datalen; 2456 } else 2457 sa->ipsa_emech.cm_type = CRYPTO_MECHANISM_INVALID; 2458 } 2459 2460 if (sa->ipsa_authkey != NULL) { 2461 alg = ipsec_alglists[IPSEC_ALG_AUTH][sa->ipsa_auth_alg]; 2462 if (alg != NULL && ALG_VALID(alg)) { 2463 sa->ipsa_amech.cm_type = alg->alg_mech_type; 2464 sa->ipsa_amech.cm_param = (char *)&sa->ipsa_mac_len; 2465 sa->ipsa_amech.cm_param_len = sizeof (size_t); 2466 sa->ipsa_mac_len = (size_t)alg->alg_datalen; 2467 } else 2468 sa->ipsa_amech.cm_type = CRYPTO_MECHANISM_INVALID; 2469 } 2470 2471 mutex_exit(&alg_lock); 2472 } 2473 2474 2475 /* 2476 * This function is called from consumers that need to insert a fully-grown 2477 * security association into its tables. This function takes into account that 2478 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary" 2479 * hash bucket parameters are set in order of what the SA will be most of the 2480 * time. (For example, an SA with an unspecified source, and a multicast 2481 * destination will primarily be an outbound SA. OTOH, if that destination 2482 * is unicast for this node, then the SA will primarily be inbound.) 2483 * 2484 * It takes a lot of parameters because even if clone is B_FALSE, this needs 2485 * to check both buckets for purposes of collision. 2486 * 2487 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for 2488 * various error conditions. No need to set samsg->sadb_x_msg_diagnostic with 2489 * additional diagnostic information because ENOMEM and EEXIST are self- 2490 * explanitory. 2491 */ 2492 int 2493 sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 2494 keysock_in_t *ksi, isaf_t *primary, isaf_t *secondary, 2495 ipsa_t *newbie, boolean_t clone, boolean_t is_inbound) 2496 { 2497 ipsa_t *newbie_clone = NULL, *scratch; 2498 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2499 sadb_address_t *srcext = 2500 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2501 sadb_address_t *dstext = 2502 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2503 sadb_address_t *proxyext = 2504 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_PROXY]; 2505 sadb_address_t *natt_loc_ext = 2506 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC]; 2507 sadb_address_t *natt_rem_ext = 2508 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM]; 2509 sadb_x_kmc_t *kmcext = 2510 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 2511 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 2512 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 2513 #if 0 2514 /* 2515 * XXXMLS - When Trusted Solaris or Multi-Level Secure functionality 2516 * comes to ON, examine these if 0'ed fragments. Look for XXXMLS. 2517 */ 2518 sadb_sens_t *sens = (sadb_sens_t *); 2519 #endif 2520 struct sockaddr_in *src, *dst, *proxy, *natt_loc, *natt_rem; 2521 struct sockaddr_in6 *src6, *dst6, *proxy6, *natt_loc6, *natt_rem6; 2522 sadb_lifetime_t *soft = 2523 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 2524 sadb_lifetime_t *hard = 2525 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 2526 sa_family_t af; 2527 int error = 0; 2528 boolean_t isupdate = (newbie != NULL); 2529 uint32_t *src_addr_ptr, *dst_addr_ptr, *proxy_addr_ptr; 2530 uint32_t *natt_loc_ptr = NULL, *natt_rem_ptr = NULL; 2531 uint32_t running_sum = 0; 2532 mblk_t *ctl_mp = NULL; 2533 2534 src = (struct sockaddr_in *)(srcext + 1); 2535 src6 = (struct sockaddr_in6 *)(srcext + 1); 2536 dst = (struct sockaddr_in *)(dstext + 1); 2537 dst6 = (struct sockaddr_in6 *)(dstext + 1); 2538 if (proxyext != NULL) { 2539 proxy = (struct sockaddr_in *)(proxyext + 1); 2540 proxy6 = (struct sockaddr_in6 *)(proxyext + 1); 2541 } else { 2542 proxy = NULL; 2543 proxy6 = NULL; 2544 } 2545 2546 af = src->sin_family; 2547 2548 if (af == AF_INET) { 2549 src_addr_ptr = (uint32_t *)&src->sin_addr; 2550 dst_addr_ptr = (uint32_t *)&dst->sin_addr; 2551 } else { 2552 ASSERT(af == AF_INET6); 2553 src_addr_ptr = (uint32_t *)&src6->sin6_addr; 2554 dst_addr_ptr = (uint32_t *)&dst6->sin6_addr; 2555 } 2556 2557 if (!isupdate) { 2558 newbie = sadb_makelarvalassoc(assoc->sadb_sa_spi, 2559 src_addr_ptr, dst_addr_ptr, af); 2560 if (newbie == NULL) 2561 return (ENOMEM); 2562 } 2563 2564 mutex_enter(&newbie->ipsa_lock); 2565 2566 if (proxy != NULL) { 2567 if (proxy->sin_family == AF_INET) { 2568 proxy_addr_ptr = (uint32_t *)&proxy->sin_addr; 2569 } else { 2570 ASSERT(proxy->sin_family == AF_INET6); 2571 proxy_addr_ptr = (uint32_t *)&proxy6->sin6_addr; 2572 } 2573 newbie->ipsa_proxyfam = proxy->sin_family; 2574 2575 IPSA_COPY_ADDR(newbie->ipsa_proxysrc, proxy_addr_ptr, 2576 newbie->ipsa_proxyfam); 2577 } 2578 2579 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16) 2580 2581 2582 if (natt_rem_ext != NULL) { 2583 uint32_t l_src; 2584 uint32_t l_rem; 2585 2586 natt_rem = (struct sockaddr_in *)(natt_rem_ext + 1); 2587 natt_rem6 = (struct sockaddr_in6 *)(natt_rem_ext + 1); 2588 2589 if (natt_rem->sin_family == AF_INET) { 2590 natt_rem_ptr = (uint32_t *)(&natt_rem->sin_addr); 2591 newbie->ipsa_remote_port = natt_rem->sin_port; 2592 l_src = *src_addr_ptr; 2593 l_rem = *natt_rem_ptr; 2594 } else { 2595 if (!IN6_IS_ADDR_V4MAPPED(&natt_rem6->sin6_addr)) { 2596 goto error; 2597 } 2598 ASSERT(natt_rem->sin_family == AF_INET6); 2599 2600 natt_rem_ptr = ((uint32_t *) 2601 (&natt_rem6->sin6_addr)) + 3; 2602 newbie->ipsa_remote_port = natt_rem6->sin6_port; 2603 l_src = *src_addr_ptr; 2604 l_rem = *natt_rem_ptr; 2605 } 2606 IPSA_COPY_ADDR(newbie->ipsa_natt_addr_rem, natt_rem_ptr, af); 2607 2608 l_src = ntohl(l_src); 2609 DOWN_SUM(l_src); 2610 DOWN_SUM(l_src); 2611 l_rem = ntohl(l_rem); 2612 DOWN_SUM(l_rem); 2613 DOWN_SUM(l_rem); 2614 2615 /* 2616 * We're 1's complement for checksums, so check for wraparound 2617 * here. 2618 */ 2619 if (l_rem > l_src) 2620 l_src--; 2621 2622 running_sum += l_src - l_rem; 2623 2624 DOWN_SUM(running_sum); 2625 DOWN_SUM(running_sum); 2626 } 2627 2628 if (natt_loc_ext != NULL) { 2629 uint32_t l_dst; 2630 uint32_t l_loc; 2631 2632 natt_loc = (struct sockaddr_in *)(natt_loc_ext + 1); 2633 natt_loc6 = (struct sockaddr_in6 *)(natt_loc_ext + 1); 2634 2635 if (natt_loc->sin_family == AF_INET) { 2636 natt_loc_ptr = (uint32_t *)&natt_loc->sin_addr; 2637 l_dst = *dst_addr_ptr; 2638 l_loc = *natt_loc_ptr; 2639 2640 } else { 2641 if (!IN6_IS_ADDR_V4MAPPED(&natt_loc6->sin6_addr)) { 2642 goto error; 2643 } 2644 ASSERT(natt_loc->sin_family == AF_INET6); 2645 natt_loc_ptr = ((uint32_t *)&natt_loc6->sin6_addr) + 3; 2646 l_dst = *dst_addr_ptr; 2647 l_loc = *natt_loc_ptr; 2648 2649 } 2650 IPSA_COPY_ADDR(newbie->ipsa_natt_addr_loc, natt_loc_ptr, af); 2651 2652 l_loc = ntohl(l_loc); 2653 DOWN_SUM(l_loc); 2654 DOWN_SUM(l_loc); 2655 l_dst = ntohl(l_dst); 2656 DOWN_SUM(l_dst); 2657 DOWN_SUM(l_dst); 2658 2659 /* 2660 * We're 1's complement for checksums, so check for wraparound 2661 * here. 2662 */ 2663 if (l_loc > l_dst) 2664 l_dst--; 2665 2666 running_sum += l_dst - l_loc; 2667 DOWN_SUM(running_sum); 2668 DOWN_SUM(running_sum); 2669 } 2670 2671 newbie->ipsa_inbound_cksum = running_sum; 2672 #undef DOWN_SUM 2673 2674 newbie->ipsa_type = samsg->sadb_msg_satype; 2675 ASSERT(assoc->sadb_sa_state == SADB_SASTATE_MATURE); 2676 newbie->ipsa_auth_alg = assoc->sadb_sa_auth; 2677 newbie->ipsa_encr_alg = assoc->sadb_sa_encrypt; 2678 newbie->ipsa_flags = assoc->sadb_sa_flags; 2679 /* 2680 * If unspecified source address, force replay_wsize to 0. 2681 * This is because an SA that has multiple sources of secure 2682 * traffic cannot enforce a replay counter w/o synchronizing the 2683 * senders. 2684 */ 2685 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) 2686 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay; 2687 else 2688 newbie->ipsa_replay_wsize = 0; 2689 2690 (void) drv_getparm(TIME, &newbie->ipsa_addtime); 2691 2692 /* Set unique value */ 2693 sadb_set_unique(newbie, dstext->sadb_address_proto, src, dst); 2694 2695 if (kmcext != NULL) { 2696 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto; 2697 newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie; 2698 } 2699 2700 /* 2701 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE. 2702 * The spec says that one can update current lifetimes, but 2703 * that seems impractical, especially in the larval-to-mature 2704 * update that this function performs. 2705 */ 2706 if (soft != NULL) { 2707 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime; 2708 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime; 2709 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes; 2710 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations; 2711 SET_EXPIRE(newbie, softaddlt, softexpiretime); 2712 } 2713 if (hard != NULL) { 2714 newbie->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 2715 newbie->ipsa_harduselt = hard->sadb_lifetime_usetime; 2716 newbie->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 2717 newbie->ipsa_hardalloc = hard->sadb_lifetime_allocations; 2718 SET_EXPIRE(newbie, hardaddlt, hardexpiretime); 2719 } 2720 2721 newbie->ipsa_authtmpl = NULL; 2722 newbie->ipsa_encrtmpl = NULL; 2723 2724 if (akey != NULL) { 2725 newbie->ipsa_authkeybits = akey->sadb_key_bits; 2726 newbie->ipsa_authkeylen = SADB_1TO8(akey->sadb_key_bits); 2727 /* In case we have to round up to the next byte... */ 2728 if ((akey->sadb_key_bits & 0x7) != 0) 2729 newbie->ipsa_authkeylen++; 2730 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 2731 KM_NOSLEEP); 2732 if (newbie->ipsa_authkey == NULL) { 2733 error = ENOMEM; 2734 mutex_exit(&newbie->ipsa_lock); 2735 goto error; 2736 } 2737 bcopy(akey + 1, newbie->ipsa_authkey, newbie->ipsa_authkeylen); 2738 bzero(akey + 1, newbie->ipsa_authkeylen); 2739 2740 /* 2741 * Pre-initialize the kernel crypto framework key 2742 * structure. 2743 */ 2744 newbie->ipsa_kcfauthkey.ck_format = CRYPTO_KEY_RAW; 2745 newbie->ipsa_kcfauthkey.ck_length = newbie->ipsa_authkeybits; 2746 newbie->ipsa_kcfauthkey.ck_data = newbie->ipsa_authkey; 2747 2748 mutex_enter(&alg_lock); 2749 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_AUTH); 2750 mutex_exit(&alg_lock); 2751 if (error != 0) { 2752 mutex_exit(&newbie->ipsa_lock); 2753 goto error; 2754 } 2755 } 2756 2757 if (ekey != NULL) { 2758 newbie->ipsa_encrkeybits = ekey->sadb_key_bits; 2759 newbie->ipsa_encrkeylen = SADB_1TO8(ekey->sadb_key_bits); 2760 /* In case we have to round up to the next byte... */ 2761 if ((ekey->sadb_key_bits & 0x7) != 0) 2762 newbie->ipsa_encrkeylen++; 2763 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 2764 KM_NOSLEEP); 2765 if (newbie->ipsa_encrkey == NULL) { 2766 error = ENOMEM; 2767 mutex_exit(&newbie->ipsa_lock); 2768 goto error; 2769 } 2770 bcopy(ekey + 1, newbie->ipsa_encrkey, newbie->ipsa_encrkeylen); 2771 /* XXX is this safe w.r.t db_ref, etc? */ 2772 bzero(ekey + 1, newbie->ipsa_encrkeylen); 2773 2774 /* 2775 * Pre-initialize the kernel crypto framework key 2776 * structure. 2777 */ 2778 newbie->ipsa_kcfencrkey.ck_format = CRYPTO_KEY_RAW; 2779 newbie->ipsa_kcfencrkey.ck_length = newbie->ipsa_encrkeybits; 2780 newbie->ipsa_kcfencrkey.ck_data = newbie->ipsa_encrkey; 2781 2782 mutex_enter(&alg_lock); 2783 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_ENCR); 2784 mutex_exit(&alg_lock); 2785 if (error != 0) { 2786 mutex_exit(&newbie->ipsa_lock); 2787 goto error; 2788 } 2789 } 2790 2791 sadb_init_alginfo(newbie); 2792 2793 /* 2794 * Ptrs to processing functions. 2795 */ 2796 if (newbie->ipsa_type == SADB_SATYPE_ESP) 2797 ipsecesp_init_funcs(newbie); 2798 else 2799 ipsecah_init_funcs(newbie); 2800 ASSERT(newbie->ipsa_output_func != NULL && 2801 newbie->ipsa_input_func != NULL); 2802 2803 /* 2804 * Certificate ID stuff. 2805 */ 2806 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC] != NULL) { 2807 sadb_ident_t *id = 2808 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 2809 2810 /* 2811 * Can assume strlen() will return okay because ext_check() in 2812 * keysock.c prepares the string for us. 2813 */ 2814 newbie->ipsa_src_cid = ipsid_lookup(id->sadb_ident_type, 2815 (char *)(id+1)); 2816 if (newbie->ipsa_src_cid == NULL) { 2817 error = ENOMEM; 2818 mutex_exit(&newbie->ipsa_lock); 2819 goto error; 2820 } 2821 } 2822 2823 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_DST] != NULL) { 2824 sadb_ident_t *id = 2825 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 2826 2827 /* 2828 * Can assume strlen() will return okay because ext_check() in 2829 * keysock.c prepares the string for us. 2830 */ 2831 newbie->ipsa_dst_cid = ipsid_lookup(id->sadb_ident_type, 2832 (char *)(id+1)); 2833 if (newbie->ipsa_dst_cid == NULL) { 2834 error = ENOMEM; 2835 mutex_exit(&newbie->ipsa_lock); 2836 goto error; 2837 } 2838 } 2839 2840 #if 0 2841 /* XXXMLS SENSITIVITY handling code. */ 2842 if (sens != NULL) { 2843 int i; 2844 uint64_t *bitmap = (uint64_t *)(sens + 1); 2845 2846 newbie->ipsa_dpd = sens->sadb_sens_dpd; 2847 newbie->ipsa_senslevel = sens->sadb_sens_sens_level; 2848 newbie->ipsa_integlevel = sens->sadb_sens_integ_level; 2849 newbie->ipsa_senslen = SADB_64TO8(sens->sadb_sens_sens_len); 2850 newbie->ipsa_integlen = SADB_64TO8(sens->sadb_sens_integ_len); 2851 newbie->ipsa_integ = kmem_alloc(newbie->ipsa_integlen, 2852 KM_NOSLEEP); 2853 if (newbie->ipsa_integ == NULL) { 2854 error = ENOMEM; 2855 mutex_exit(&newbie->ipsa_lock); 2856 goto error; 2857 } 2858 newbie->ipsa_sens = kmem_alloc(newbie->ipsa_senslen, 2859 KM_NOSLEEP); 2860 if (newbie->ipsa_sens == NULL) { 2861 error = ENOMEM; 2862 mutex_exit(&newbie->ipsa_lock); 2863 goto error; 2864 } 2865 for (i = 0; i < sens->sadb_sens_sens_len; i++) { 2866 newbie->ipsa_sens[i] = *bitmap; 2867 bitmap++; 2868 } 2869 for (i = 0; i < sens->sadb_sens_integ_len; i++) { 2870 newbie->ipsa_integ[i] = *bitmap; 2871 bitmap++; 2872 } 2873 } 2874 2875 #endif 2876 2877 /* now that the SA has been updated, set its new state */ 2878 newbie->ipsa_state = assoc->sadb_sa_state; 2879 2880 /* 2881 * The less locks I hold when doing an insertion and possible cloning, 2882 * the better! 2883 */ 2884 mutex_exit(&newbie->ipsa_lock); 2885 2886 if (clone) { 2887 newbie_clone = sadb_cloneassoc(newbie); 2888 2889 if (newbie_clone == NULL) { 2890 error = ENOMEM; 2891 goto error; 2892 } 2893 newbie->ipsa_haspeer = B_TRUE; 2894 newbie_clone->ipsa_haspeer = B_TRUE; 2895 } 2896 2897 /* 2898 * Enter the bucket locks. The order of entry is outbound, 2899 * inbound. We map "primary" and "secondary" into outbound and inbound 2900 * based on the destination address type. If the destination address 2901 * type is for a node that isn't mine (or potentially mine), the 2902 * "primary" bucket is the outbound one. 2903 */ 2904 if (ksi->ks_in_dsttype == KS_IN_ADDR_NOTME) { 2905 /* primary == outbound */ 2906 mutex_enter(&primary->isaf_lock); 2907 mutex_enter(&secondary->isaf_lock); 2908 } else { 2909 /* primary == inbound */ 2910 mutex_enter(&secondary->isaf_lock); 2911 mutex_enter(&primary->isaf_lock); 2912 } 2913 2914 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_common_add: spi = 0x%x\n", 2915 newbie->ipsa_spi)); 2916 2917 /* 2918 * sadb_insertassoc() doesn't increment the reference 2919 * count. We therefore have to increment the 2920 * reference count one more time to reflect the 2921 * pointers of the table that reference this SA. 2922 */ 2923 IPSA_REFHOLD(newbie); 2924 2925 if (isupdate) { 2926 /* 2927 * Unlink from larval holding cell in the "inbound" fanout. 2928 */ 2929 ASSERT(newbie->ipsa_linklock == &primary->isaf_lock || 2930 newbie->ipsa_linklock == &secondary->isaf_lock); 2931 sadb_unlinkassoc(newbie); 2932 } 2933 2934 mutex_enter(&newbie->ipsa_lock); 2935 error = sadb_insertassoc(newbie, primary); 2936 if (error == 0) { 2937 ctl_mp = sadb_fmt_sa_req(DL_CO_SET, newbie->ipsa_type, newbie, 2938 is_inbound); 2939 } 2940 mutex_exit(&newbie->ipsa_lock); 2941 2942 if (error != 0) { 2943 /* 2944 * Since sadb_insertassoc() failed, we must decrement the 2945 * refcount again so the cleanup code will actually free 2946 * the offending SA. 2947 */ 2948 IPSA_REFRELE(newbie); 2949 goto error_unlock; 2950 } 2951 2952 if (newbie_clone != NULL) { 2953 mutex_enter(&newbie_clone->ipsa_lock); 2954 error = sadb_insertassoc(newbie_clone, secondary); 2955 mutex_exit(&newbie_clone->ipsa_lock); 2956 if (error != 0) { 2957 /* Collision in secondary table. */ 2958 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 2959 goto error_unlock; 2960 } 2961 IPSA_REFHOLD(newbie_clone); 2962 } else { 2963 ASSERT(primary != secondary); 2964 scratch = ipsec_getassocbyspi(secondary, newbie->ipsa_spi, 2965 ALL_ZEROES_PTR, newbie->ipsa_dstaddr, af); 2966 if (scratch != NULL) { 2967 /* Collision in secondary table. */ 2968 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 2969 /* Set the error, since ipsec_getassocbyspi() can't. */ 2970 error = EEXIST; 2971 goto error_unlock; 2972 } 2973 } 2974 2975 /* OKAY! So let's do some reality check assertions. */ 2976 2977 ASSERT(!MUTEX_HELD(&newbie->ipsa_lock)); 2978 ASSERT(newbie_clone == NULL || (!MUTEX_HELD(&newbie_clone->ipsa_lock))); 2979 /* 2980 * If hardware acceleration could happen, send it. 2981 */ 2982 if (ctl_mp != NULL) { 2983 putnext(ip_q, ctl_mp); 2984 ctl_mp = NULL; 2985 } 2986 2987 error_unlock: 2988 2989 /* 2990 * We can exit the locks in any order. Only entrance needs to 2991 * follow any protocol. 2992 */ 2993 mutex_exit(&secondary->isaf_lock); 2994 mutex_exit(&primary->isaf_lock); 2995 2996 /* Common error point for this routine. */ 2997 error: 2998 if (newbie != NULL) { 2999 IPSA_REFRELE(newbie); 3000 } 3001 if (newbie_clone != NULL) { 3002 IPSA_REFRELE(newbie_clone); 3003 } 3004 if (ctl_mp != NULL) 3005 freemsg(ctl_mp); 3006 3007 if (error == 0) { 3008 /* 3009 * Construct favorable PF_KEY return message and send to 3010 * keysock. (Q: Do I need to pass "newbie"? If I do, 3011 * make sure to REFHOLD, call, then REFRELE.) 3012 */ 3013 sadb_pfkey_echo(pfkey_q, mp, samsg, ksi, NULL); 3014 } 3015 3016 return (error); 3017 } 3018 3019 /* 3020 * Set the time of first use for a security association. Update any 3021 * expiration times as a result. 3022 */ 3023 void 3024 sadb_set_usetime(ipsa_t *assoc) 3025 { 3026 mutex_enter(&assoc->ipsa_lock); 3027 /* 3028 * Caller does check usetime before calling me usually, and 3029 * double-checking is better than a mutex_enter/exit hit. 3030 */ 3031 if (assoc->ipsa_usetime == 0) { 3032 /* 3033 * This is redundant for outbound SA's, as 3034 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already. 3035 * Inbound SAs, however, have no such protection. 3036 */ 3037 assoc->ipsa_flags |= IPSA_F_USED; 3038 3039 (void) drv_getparm(TIME, &assoc->ipsa_usetime); 3040 3041 /* 3042 * After setting the use time, see if we have a use lifetime 3043 * that would cause the actual SA expiration time to shorten. 3044 */ 3045 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 3046 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 3047 } 3048 mutex_exit(&assoc->ipsa_lock); 3049 } 3050 3051 /* 3052 * Send up a PF_KEY expire message for this association. 3053 */ 3054 static void 3055 sadb_expire_assoc(queue_t *pfkey_q, ipsa_t *assoc) 3056 { 3057 mblk_t *mp, *mp1; 3058 int alloclen, af; 3059 sadb_msg_t *samsg; 3060 sadb_lifetime_t *current, *expire; 3061 sadb_sa_t *saext; 3062 uint8_t *end; 3063 3064 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 3065 3066 /* Don't bother sending if there's no queue. */ 3067 if (pfkey_q == NULL) 3068 return; 3069 3070 mp = sadb_keysock_out(0); 3071 if (mp == NULL) { 3072 /* cmn_err(CE_WARN, */ 3073 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */ 3074 return; 3075 } 3076 3077 alloclen = sizeof (*samsg) + sizeof (*current) + sizeof (*expire) + 3078 2*sizeof (sadb_address_t) + sizeof (*saext); 3079 3080 af = assoc->ipsa_addrfam; 3081 switch (af) { 3082 case AF_INET: 3083 alloclen += 2 * sizeof (struct sockaddr_in); 3084 break; 3085 case AF_INET6: 3086 alloclen += 2 * sizeof (struct sockaddr_in6); 3087 break; 3088 default: 3089 /* Won't happen unless there's a kernel bug. */ 3090 freeb(mp); 3091 cmn_err(CE_WARN, 3092 "sadb_expire_assoc: Unknown address length.\n"); 3093 return; 3094 } 3095 3096 mp->b_cont = allocb(alloclen, BPRI_HI); 3097 if (mp->b_cont == NULL) { 3098 freeb(mp); 3099 /* cmn_err(CE_WARN, */ 3100 /* "sadb_expire_assoc: Can't allocate message.\n"); */ 3101 return; 3102 } 3103 3104 mp1 = mp; 3105 mp = mp->b_cont; 3106 end = mp->b_wptr + alloclen; 3107 3108 samsg = (sadb_msg_t *)mp->b_wptr; 3109 mp->b_wptr += sizeof (*samsg); 3110 samsg->sadb_msg_version = PF_KEY_V2; 3111 samsg->sadb_msg_type = SADB_EXPIRE; 3112 samsg->sadb_msg_errno = 0; 3113 samsg->sadb_msg_satype = assoc->ipsa_type; 3114 samsg->sadb_msg_len = SADB_8TO64(alloclen); 3115 samsg->sadb_msg_reserved = 0; 3116 samsg->sadb_msg_seq = 0; 3117 samsg->sadb_msg_pid = 0; 3118 3119 saext = (sadb_sa_t *)mp->b_wptr; 3120 mp->b_wptr += sizeof (*saext); 3121 saext->sadb_sa_len = SADB_8TO64(sizeof (*saext)); 3122 saext->sadb_sa_exttype = SADB_EXT_SA; 3123 saext->sadb_sa_spi = assoc->ipsa_spi; 3124 saext->sadb_sa_replay = assoc->ipsa_replay_wsize; 3125 saext->sadb_sa_state = assoc->ipsa_state; 3126 saext->sadb_sa_auth = assoc->ipsa_auth_alg; 3127 saext->sadb_sa_encrypt = assoc->ipsa_encr_alg; 3128 saext->sadb_sa_flags = assoc->ipsa_flags; 3129 3130 current = (sadb_lifetime_t *)mp->b_wptr; 3131 mp->b_wptr += sizeof (sadb_lifetime_t); 3132 current->sadb_lifetime_len = SADB_8TO64(sizeof (*current)); 3133 current->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 3134 current->sadb_lifetime_allocations = assoc->ipsa_alloc; 3135 current->sadb_lifetime_bytes = assoc->ipsa_bytes; 3136 current->sadb_lifetime_addtime = assoc->ipsa_addtime; 3137 current->sadb_lifetime_usetime = assoc->ipsa_usetime; 3138 3139 expire = (sadb_lifetime_t *)mp->b_wptr; 3140 mp->b_wptr += sizeof (*expire); 3141 expire->sadb_lifetime_len = SADB_8TO64(sizeof (*expire)); 3142 3143 if (assoc->ipsa_state == IPSA_STATE_DEAD) { 3144 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 3145 expire->sadb_lifetime_allocations = assoc->ipsa_hardalloc; 3146 expire->sadb_lifetime_bytes = assoc->ipsa_hardbyteslt; 3147 expire->sadb_lifetime_addtime = assoc->ipsa_hardaddlt; 3148 expire->sadb_lifetime_usetime = assoc->ipsa_harduselt; 3149 } else { 3150 ASSERT(assoc->ipsa_state == IPSA_STATE_DYING); 3151 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 3152 expire->sadb_lifetime_allocations = assoc->ipsa_softalloc; 3153 expire->sadb_lifetime_bytes = assoc->ipsa_softbyteslt; 3154 expire->sadb_lifetime_addtime = assoc->ipsa_softaddlt; 3155 expire->sadb_lifetime_usetime = assoc->ipsa_softuselt; 3156 } 3157 3158 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_SRC, 3159 af, assoc->ipsa_srcaddr, SA_SRCPORT(assoc), SA_PROTO(assoc)); 3160 ASSERT(mp->b_wptr != NULL); 3161 3162 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_DST, 3163 af, assoc->ipsa_dstaddr, SA_DSTPORT(assoc), SA_PROTO(assoc)); 3164 ASSERT(mp->b_wptr != NULL); 3165 3166 /* Can just putnext, we're ready to go! */ 3167 putnext(pfkey_q, mp1); 3168 } 3169 3170 /* 3171 * "Age" the SA with the number of bytes that was used to protect traffic. 3172 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was 3173 * enough "charge" left in the SA to protect the data. Return B_FALSE 3174 * otherwise. (If B_FALSE is returned, the association either was, or became 3175 * DEAD.) 3176 */ 3177 boolean_t 3178 sadb_age_bytes(queue_t *pfkey_q, ipsa_t *assoc, uint64_t bytes, 3179 boolean_t sendmsg) 3180 { 3181 boolean_t rc = B_TRUE; 3182 uint64_t newtotal; 3183 3184 mutex_enter(&assoc->ipsa_lock); 3185 newtotal = assoc->ipsa_bytes + bytes; 3186 if (assoc->ipsa_hardbyteslt != 0 && 3187 newtotal >= assoc->ipsa_hardbyteslt) { 3188 if (assoc->ipsa_state < IPSA_STATE_DEAD) { 3189 /* 3190 * Send EXPIRE message to PF_KEY. May wish to pawn 3191 * this off on another non-interrupt thread. Also 3192 * unlink this SA immediately. 3193 */ 3194 assoc->ipsa_state = IPSA_STATE_DEAD; 3195 if (sendmsg) 3196 sadb_expire_assoc(pfkey_q, assoc); 3197 /* 3198 * Set non-zero expiration time so sadb_age_assoc() 3199 * will work when reaping. 3200 */ 3201 assoc->ipsa_hardexpiretime = (time_t)1; 3202 } /* Else someone beat me to it! */ 3203 rc = B_FALSE; 3204 } else if (assoc->ipsa_softbyteslt != 0 && 3205 (newtotal >= assoc->ipsa_softbyteslt)) { 3206 if (assoc->ipsa_state < IPSA_STATE_DYING) { 3207 /* 3208 * Send EXPIRE message to PF_KEY. May wish to pawn 3209 * this off on another non-interrupt thread. 3210 */ 3211 assoc->ipsa_state = IPSA_STATE_DYING; 3212 if (sendmsg) 3213 sadb_expire_assoc(pfkey_q, assoc); 3214 } /* Else someone beat me to it! */ 3215 } 3216 if (rc == B_TRUE) 3217 assoc->ipsa_bytes = newtotal; 3218 mutex_exit(&assoc->ipsa_lock); 3219 return (rc); 3220 } 3221 3222 /* 3223 * Push one or more DL_CO_DELETE messages queued up by 3224 * sadb_torch_assoc down to the underlying driver now that it's a 3225 * convenient time for it (i.e., ipsa bucket locks not held). 3226 */ 3227 static void 3228 sadb_drain_torchq(queue_t *q, mblk_t *mp) 3229 { 3230 while (mp != NULL) { 3231 mblk_t *next = mp->b_next; 3232 mp->b_next = NULL; 3233 if (q != NULL) 3234 putnext(q, mp); 3235 else 3236 freemsg(mp); 3237 mp = next; 3238 } 3239 } 3240 3241 /* 3242 * "Torch" an individual SA. Returns NULL, so it can be tail-called from 3243 * sadb_age_assoc(). 3244 * 3245 * If SA is hardware-accelerated, and we can't allocate the mblk 3246 * containing the DL_CO_DELETE, just return; it will remain in the 3247 * table and be swept up by sadb_ager() in a subsequent pass. 3248 */ 3249 static ipsa_t * 3250 sadb_torch_assoc(isaf_t *head, ipsa_t *sa, boolean_t inbnd, mblk_t **mq) 3251 { 3252 mblk_t *mp; 3253 3254 ASSERT(MUTEX_HELD(&head->isaf_lock)); 3255 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 3256 ASSERT(sa->ipsa_state == IPSA_STATE_DEAD); 3257 3258 /* 3259 * Force cached SAs to be revalidated.. 3260 */ 3261 head->isaf_gen++; 3262 3263 if (sa->ipsa_flags & IPSA_F_HW) { 3264 mp = sadb_fmt_sa_req(DL_CO_DELETE, sa->ipsa_type, sa, inbnd); 3265 if (mp == NULL) { 3266 mutex_exit(&sa->ipsa_lock); 3267 return (NULL); 3268 } 3269 mp->b_next = *mq; 3270 *mq = mp; 3271 } 3272 mutex_exit(&sa->ipsa_lock); 3273 sadb_unlinkassoc(sa); 3274 3275 return (NULL); 3276 } 3277 3278 /* 3279 * Return "assoc" iff haspeer is true and I send an expire. This allows 3280 * the consumers' aging functions to tidy up an expired SA's peer. 3281 */ 3282 static ipsa_t * 3283 sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc, 3284 time_t current, int reap_delay, boolean_t inbnd, mblk_t **mq) 3285 { 3286 ipsa_t *retval = NULL; 3287 3288 ASSERT(MUTEX_HELD(&head->isaf_lock)); 3289 3290 mutex_enter(&assoc->ipsa_lock); 3291 3292 if ((assoc->ipsa_state == IPSA_STATE_LARVAL) && 3293 (assoc->ipsa_hardexpiretime <= current)) { 3294 assoc->ipsa_state = IPSA_STATE_DEAD; 3295 return (sadb_torch_assoc(head, assoc, inbnd, mq)); 3296 } 3297 3298 /* 3299 * Check lifetimes. Fortunately, SA setup is done 3300 * such that there are only two times to look at, 3301 * softexpiretime, and hardexpiretime. 3302 * 3303 * Check hard first. 3304 */ 3305 3306 if (assoc->ipsa_hardexpiretime != 0 && 3307 assoc->ipsa_hardexpiretime <= current) { 3308 if (assoc->ipsa_state == IPSA_STATE_DEAD) 3309 return (sadb_torch_assoc(head, assoc, inbnd, mq)); 3310 3311 /* 3312 * Send SADB_EXPIRE with hard lifetime, delay for unlinking. 3313 */ 3314 assoc->ipsa_state = IPSA_STATE_DEAD; 3315 if (assoc->ipsa_haspeer) { 3316 /* 3317 * If I return assoc, I have to bump up its 3318 * reference count to keep with the ipsa_t reference 3319 * count semantics. 3320 */ 3321 IPSA_REFHOLD(assoc); 3322 retval = assoc; 3323 } 3324 sadb_expire_assoc(pfkey_q, assoc); 3325 assoc->ipsa_hardexpiretime = current + reap_delay; 3326 } else if (assoc->ipsa_softexpiretime != 0 && 3327 assoc->ipsa_softexpiretime <= current && 3328 assoc->ipsa_state < IPSA_STATE_DYING) { 3329 /* 3330 * Send EXPIRE message to PF_KEY. May wish to pawn 3331 * this off on another non-interrupt thread. 3332 */ 3333 assoc->ipsa_state = IPSA_STATE_DYING; 3334 if (assoc->ipsa_haspeer) { 3335 /* 3336 * If I return assoc, I have to bump up its 3337 * reference count to keep with the ipsa_t reference 3338 * count semantics. 3339 */ 3340 IPSA_REFHOLD(assoc); 3341 retval = assoc; 3342 } 3343 sadb_expire_assoc(pfkey_q, assoc); 3344 } 3345 3346 mutex_exit(&assoc->ipsa_lock); 3347 return (retval); 3348 } 3349 3350 /* 3351 * Called by a consumer protocol to do ther dirty work of reaping dead 3352 * Security Associations. 3353 */ 3354 void 3355 sadb_ager(sadb_t *sp, queue_t *pfkey_q, queue_t *ip_q, int reap_delay) 3356 { 3357 int i; 3358 isaf_t *bucket; 3359 ipsa_t *assoc, *spare; 3360 iacqf_t *acqlist; 3361 ipsacq_t *acqrec, *spareacq; 3362 struct templist { 3363 ipsa_t *ipsa; 3364 struct templist *next; 3365 } *haspeerlist = NULL, *newbie; 3366 time_t current; 3367 int outhash; 3368 mblk_t *mq = NULL; 3369 3370 /* 3371 * Do my dirty work. This includes aging real entries, aging 3372 * larvals, and aging outstanding ACQUIREs. 3373 * 3374 * I hope I don't tie up resources for too long. 3375 */ 3376 3377 /* Snapshot current time now. */ 3378 (void) drv_getparm(TIME, ¤t); 3379 3380 /* Age acquires. */ 3381 3382 for (i = 0; i < sp->sdb_hashsize; i++) { 3383 acqlist = &sp->sdb_acq[i]; 3384 mutex_enter(&acqlist->iacqf_lock); 3385 for (acqrec = acqlist->iacqf_ipsacq; acqrec != NULL; 3386 acqrec = spareacq) { 3387 spareacq = acqrec->ipsacq_next; 3388 if (current > acqrec->ipsacq_expire) 3389 sadb_destroy_acquire(acqrec); 3390 } 3391 mutex_exit(&acqlist->iacqf_lock); 3392 } 3393 3394 /* Age inbound associations. */ 3395 for (i = 0; i < sp->sdb_hashsize; i++) { 3396 bucket = &(sp->sdb_if[i]); 3397 mutex_enter(&bucket->isaf_lock); 3398 for (assoc = bucket->isaf_ipsa; assoc != NULL; 3399 assoc = spare) { 3400 spare = assoc->ipsa_next; 3401 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 3402 reap_delay, B_TRUE, &mq) != NULL) { 3403 /* 3404 * sadb_age_assoc() increments the refcnt, 3405 * effectively doing an IPSA_REFHOLD(). 3406 */ 3407 newbie = kmem_alloc(sizeof (*newbie), 3408 KM_NOSLEEP); 3409 if (newbie == NULL) { 3410 /* 3411 * Don't forget to REFRELE(). 3412 */ 3413 IPSA_REFRELE(assoc); 3414 continue; /* for loop... */ 3415 } 3416 newbie->next = haspeerlist; 3417 newbie->ipsa = assoc; 3418 haspeerlist = newbie; 3419 } 3420 } 3421 mutex_exit(&bucket->isaf_lock); 3422 } 3423 3424 if (mq != NULL) { 3425 sadb_drain_torchq(ip_q, mq); 3426 mq = NULL; 3427 } 3428 /* 3429 * Haspeer cases will contain both IPv4 and IPv6. This code 3430 * is address independent. 3431 */ 3432 while (haspeerlist != NULL) { 3433 /* "spare" contains the SA that has a peer. */ 3434 spare = haspeerlist->ipsa; 3435 newbie = haspeerlist; 3436 haspeerlist = newbie->next; 3437 kmem_free(newbie, sizeof (*newbie)); 3438 /* 3439 * Pick peer bucket based on addrfam. 3440 */ 3441 if (spare->ipsa_addrfam == AF_INET6) { 3442 outhash = OUTBOUND_HASH_V6(sp, 3443 *((in6_addr_t *)&spare->ipsa_dstaddr)); 3444 } else { 3445 outhash = OUTBOUND_HASH_V4(sp, 3446 *((ipaddr_t *)&spare->ipsa_dstaddr)); 3447 } 3448 bucket = &(sp->sdb_of[outhash]); 3449 3450 mutex_enter(&bucket->isaf_lock); 3451 assoc = ipsec_getassocbyspi(bucket, spare->ipsa_spi, 3452 spare->ipsa_srcaddr, spare->ipsa_dstaddr, 3453 spare->ipsa_addrfam); 3454 mutex_exit(&bucket->isaf_lock); 3455 if (assoc != NULL) { 3456 mutex_enter(&assoc->ipsa_lock); 3457 mutex_enter(&spare->ipsa_lock); 3458 assoc->ipsa_state = spare->ipsa_state; 3459 if (assoc->ipsa_state == IPSA_STATE_DEAD) 3460 assoc->ipsa_hardexpiretime = 1; 3461 mutex_exit(&spare->ipsa_lock); 3462 mutex_exit(&assoc->ipsa_lock); 3463 IPSA_REFRELE(assoc); 3464 } 3465 IPSA_REFRELE(spare); 3466 } 3467 3468 /* Age outbound associations. */ 3469 for (i = 0; i < sp->sdb_hashsize; i++) { 3470 bucket = &(sp->sdb_of[i]); 3471 mutex_enter(&bucket->isaf_lock); 3472 for (assoc = bucket->isaf_ipsa; assoc != NULL; 3473 assoc = spare) { 3474 spare = assoc->ipsa_next; 3475 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 3476 reap_delay, B_FALSE, &mq) != NULL) { 3477 /* 3478 * sadb_age_assoc() increments the refcnt, 3479 * effectively doing an IPSA_REFHOLD(). 3480 */ 3481 newbie = kmem_alloc(sizeof (*newbie), 3482 KM_NOSLEEP); 3483 if (newbie == NULL) { 3484 /* 3485 * Don't forget to REFRELE(). 3486 */ 3487 IPSA_REFRELE(assoc); 3488 continue; /* for loop... */ 3489 } 3490 newbie->next = haspeerlist; 3491 newbie->ipsa = assoc; 3492 haspeerlist = newbie; 3493 } 3494 } 3495 mutex_exit(&bucket->isaf_lock); 3496 } 3497 if (mq != NULL) { 3498 sadb_drain_torchq(ip_q, mq); 3499 mq = NULL; 3500 } 3501 /* 3502 * Haspeer cases will contain both IPv4 and IPv6. This code 3503 * is address independent. 3504 */ 3505 while (haspeerlist != NULL) { 3506 /* "spare" contains the SA that has a peer. */ 3507 spare = haspeerlist->ipsa; 3508 newbie = haspeerlist; 3509 haspeerlist = newbie->next; 3510 kmem_free(newbie, sizeof (*newbie)); 3511 /* 3512 * Pick peer bucket based on addrfam. 3513 */ 3514 bucket = INBOUND_BUCKET(sp, spare->ipsa_spi); 3515 mutex_enter(&bucket->isaf_lock); 3516 assoc = ipsec_getassocbyspi(bucket, spare->ipsa_spi, 3517 spare->ipsa_srcaddr, spare->ipsa_dstaddr, 3518 spare->ipsa_addrfam); 3519 mutex_exit(&bucket->isaf_lock); 3520 if (assoc != NULL) { 3521 mutex_enter(&assoc->ipsa_lock); 3522 mutex_enter(&spare->ipsa_lock); 3523 assoc->ipsa_state = spare->ipsa_state; 3524 if (assoc->ipsa_state == IPSA_STATE_DEAD) 3525 assoc->ipsa_hardexpiretime = 1; 3526 mutex_exit(&spare->ipsa_lock); 3527 mutex_exit(&assoc->ipsa_lock); 3528 IPSA_REFRELE(assoc); 3529 } 3530 IPSA_REFRELE(spare); 3531 } 3532 /* 3533 * Run a GC pass to clean out dead identities. 3534 */ 3535 ipsid_gc(); 3536 } 3537 3538 /* 3539 * Figure out when to reschedule the ager. 3540 */ 3541 timeout_id_t 3542 sadb_retimeout(hrtime_t begin, queue_t *pfkey_q, void (*ager)(void *), 3543 uint_t *intp, uint_t intmax, short mid) 3544 { 3545 hrtime_t end = gethrtime(); 3546 uint_t interval = *intp; 3547 3548 /* 3549 * See how long this took. If it took too long, increase the 3550 * aging interval. 3551 */ 3552 if ((end - begin) > interval * 1000000) { 3553 if (interval >= intmax) { 3554 /* XXX Rate limit this? Or recommend flush? */ 3555 (void) strlog(mid, 0, 0, SL_ERROR | SL_WARN, 3556 "Too many SA's to age out in %d msec.\n", 3557 intmax); 3558 } else { 3559 /* Double by shifting by one bit. */ 3560 interval <<= 1; 3561 interval = min(interval, intmax); 3562 } 3563 } else if ((end - begin) <= interval * 500000 && 3564 interval > SADB_AGE_INTERVAL_DEFAULT) { 3565 /* 3566 * If I took less than half of the interval, then I should 3567 * ratchet the interval back down. Never automatically 3568 * shift below the default aging interval. 3569 * 3570 * NOTE:This even overrides manual setting of the age 3571 * interval using NDD. 3572 */ 3573 /* Halve by shifting one bit. */ 3574 interval >>= 1; 3575 interval = max(interval, SADB_AGE_INTERVAL_DEFAULT); 3576 } 3577 *intp = interval; 3578 return (qtimeout(pfkey_q, ager, NULL, interval * drv_usectohz(1000))); 3579 } 3580 3581 3582 /* 3583 * Update the lifetime values of an SA. This is the path an SADB_UPDATE 3584 * message takes when updating a MATURE or DYING SA. 3585 */ 3586 static void 3587 sadb_update_lifetimes(ipsa_t *assoc, sadb_lifetime_t *hard, 3588 sadb_lifetime_t *soft) 3589 { 3590 mutex_enter(&assoc->ipsa_lock); 3591 3592 assoc->ipsa_state = IPSA_STATE_MATURE; 3593 3594 /* 3595 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be 3596 * passed in during an update message. We currently don't handle 3597 * these. 3598 */ 3599 3600 if (hard != NULL) { 3601 if (hard->sadb_lifetime_bytes != 0) 3602 assoc->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 3603 if (hard->sadb_lifetime_usetime != 0) 3604 assoc->ipsa_harduselt = hard->sadb_lifetime_usetime; 3605 if (hard->sadb_lifetime_addtime != 0) 3606 assoc->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 3607 if (assoc->ipsa_hardaddlt != 0) { 3608 assoc->ipsa_hardexpiretime = 3609 assoc->ipsa_addtime + assoc->ipsa_hardaddlt; 3610 } 3611 if (assoc->ipsa_harduselt != 0) { 3612 if (assoc->ipsa_hardexpiretime != 0) { 3613 assoc->ipsa_hardexpiretime = 3614 min(assoc->ipsa_hardexpiretime, 3615 assoc->ipsa_usetime + 3616 assoc->ipsa_harduselt); 3617 } else { 3618 assoc->ipsa_hardexpiretime = 3619 assoc->ipsa_usetime + assoc->ipsa_harduselt; 3620 } 3621 } 3622 3623 if (hard->sadb_lifetime_allocations != 0) 3624 assoc->ipsa_hardalloc = hard->sadb_lifetime_allocations; 3625 } 3626 3627 if (soft != NULL) { 3628 if (soft->sadb_lifetime_bytes != 0) 3629 assoc->ipsa_softbyteslt = soft->sadb_lifetime_bytes; 3630 if (soft->sadb_lifetime_usetime != 0) 3631 assoc->ipsa_softuselt = soft->sadb_lifetime_usetime; 3632 if (soft->sadb_lifetime_addtime != 0) 3633 assoc->ipsa_softaddlt = soft->sadb_lifetime_addtime; 3634 if (assoc->ipsa_softaddlt != 0) { 3635 assoc->ipsa_softexpiretime = 3636 assoc->ipsa_addtime + assoc->ipsa_softaddlt; 3637 } 3638 if (assoc->ipsa_softuselt != 0) { 3639 if (assoc->ipsa_softexpiretime != 0) { 3640 assoc->ipsa_softexpiretime = 3641 min(assoc->ipsa_softexpiretime, 3642 assoc->ipsa_usetime + 3643 assoc->ipsa_softuselt); 3644 } else { 3645 assoc->ipsa_softexpiretime = 3646 assoc->ipsa_usetime + assoc->ipsa_softuselt; 3647 } 3648 } 3649 3650 if (soft->sadb_lifetime_allocations != 0) 3651 assoc->ipsa_softalloc = soft->sadb_lifetime_allocations; 3652 } 3653 3654 mutex_exit(&assoc->ipsa_lock); 3655 } 3656 3657 /* 3658 * Common code to update an SA. 3659 */ 3660 3661 int 3662 sadb_update_sa(mblk_t *mp, keysock_in_t *ksi, 3663 sadb_t *sp, int *diagnostic, queue_t *pfkey_q, 3664 int (*add_sa_func)(mblk_t *, keysock_in_t *, int *)) 3665 { 3666 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 3667 sadb_address_t *srcext = 3668 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 3669 sadb_address_t *dstext = 3670 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 3671 sadb_x_kmc_t *kmcext = 3672 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 3673 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 3674 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 3675 struct sockaddr_in *src, *dst; 3676 struct sockaddr_in6 *src6, *dst6; 3677 sadb_lifetime_t *soft = 3678 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 3679 sadb_lifetime_t *hard = 3680 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 3681 isaf_t *inbound, *outbound; 3682 ipsa_t *outbound_target = NULL, *inbound_target = NULL; 3683 int error = 0; 3684 uint32_t *srcaddr, *dstaddr; 3685 sa_family_t af; 3686 uint32_t kmp = 0, kmc = 0; 3687 3688 /* I need certain extensions present for either UPDATE message. */ 3689 if (srcext == NULL) { 3690 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 3691 return (EINVAL); 3692 } 3693 if (dstext == NULL) { 3694 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 3695 return (EINVAL); 3696 } 3697 if (assoc == NULL) { 3698 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 3699 return (EINVAL); 3700 } 3701 3702 if (kmcext != NULL) { 3703 kmp = kmcext->sadb_x_kmc_proto; 3704 kmc = kmcext->sadb_x_kmc_cookie; 3705 } 3706 3707 dst = (struct sockaddr_in *)(dstext + 1); 3708 src = (struct sockaddr_in *)(srcext + 1); 3709 af = dst->sin_family; 3710 if (af == AF_INET6) { 3711 dst6 = (struct sockaddr_in6 *)dst; 3712 src6 = (struct sockaddr_in6 *)src; 3713 3714 srcaddr = (uint32_t *)&src6->sin6_addr; 3715 dstaddr = (uint32_t *)&dst6->sin6_addr; 3716 outbound = OUTBOUND_BUCKET_V6(sp, *(uint32_t *)dstaddr); 3717 #if 0 3718 /* Not used for now... */ 3719 if (proxyext != NULL) 3720 proxy6 = (struct sockaddr_in6 *)(proxyext + 1); 3721 #endif 3722 } else { 3723 srcaddr = (uint32_t *)&src->sin_addr; 3724 dstaddr = (uint32_t *)&dst->sin_addr; 3725 outbound = OUTBOUND_BUCKET_V4(sp, *(uint32_t *)dstaddr); 3726 } 3727 inbound = INBOUND_BUCKET(sp, assoc->sadb_sa_spi); 3728 3729 /* Lock down both buckets. */ 3730 mutex_enter(&outbound->isaf_lock); 3731 mutex_enter(&inbound->isaf_lock); 3732 3733 /* Try outbound first. */ 3734 outbound_target = ipsec_getassocbyspi(outbound, assoc->sadb_sa_spi, 3735 srcaddr, dstaddr, af); 3736 inbound_target = ipsec_getassocbyspi(inbound, assoc->sadb_sa_spi, 3737 srcaddr, dstaddr, af); 3738 3739 mutex_exit(&inbound->isaf_lock); 3740 mutex_exit(&outbound->isaf_lock); 3741 3742 if (outbound_target == NULL) { 3743 if (inbound_target == NULL) { 3744 return (ESRCH); 3745 } else if (inbound_target->ipsa_state == IPSA_STATE_LARVAL) { 3746 /* 3747 * REFRELE the target and let the add_sa_func() 3748 * deal with updating a larval SA. 3749 */ 3750 IPSA_REFRELE(inbound_target); 3751 return (add_sa_func(mp, ksi, diagnostic)); 3752 } 3753 } 3754 3755 /* 3756 * Reality checks for updates of active associations. 3757 * Sundry first-pass UPDATE-specific reality checks. 3758 * Have to do the checks here, because it's after the add_sa code. 3759 * XXX STATS : logging/stats here? 3760 */ 3761 3762 if (assoc->sadb_sa_state != SADB_SASTATE_MATURE) { 3763 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 3764 error = EINVAL; 3765 goto bail; 3766 } 3767 if (assoc->sadb_sa_flags & ~(SADB_SAFLAGS_NOREPLAY | 3768 SADB_X_SAFLAGS_NATT_LOC | SADB_X_SAFLAGS_NATT_REM)) { 3769 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS; 3770 error = EINVAL; 3771 goto bail; 3772 } 3773 if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL) { 3774 error = EOPNOTSUPP; 3775 goto bail; 3776 } 3777 if ((*diagnostic = sadb_hardsoftchk(hard, soft)) != 0) { 3778 error = EINVAL; 3779 goto bail; 3780 } 3781 if (src->sin_family != dst->sin_family) { 3782 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 3783 error = EINVAL; 3784 goto bail; 3785 } 3786 if (akey != NULL) { 3787 *diagnostic = SADB_X_DIAGNOSTIC_AKEY_PRESENT; 3788 error = EINVAL; 3789 goto bail; 3790 } 3791 if (ekey != NULL) { 3792 *diagnostic = SADB_X_DIAGNOSTIC_EKEY_PRESENT; 3793 error = EINVAL; 3794 goto bail; 3795 } 3796 3797 if (outbound_target != NULL) { 3798 if (outbound_target->ipsa_state == IPSA_STATE_DEAD) { 3799 error = ESRCH; /* DEAD == Not there, in this case. */ 3800 goto bail; 3801 } 3802 if ((kmp != 0) && 3803 ((outbound_target->ipsa_kmp != 0) || 3804 (outbound_target->ipsa_kmp != kmp))) { 3805 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 3806 error = EINVAL; 3807 goto bail; 3808 } 3809 if ((kmc != 0) && 3810 ((outbound_target->ipsa_kmc != 0) || 3811 (outbound_target->ipsa_kmc != kmc))) { 3812 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 3813 error = EINVAL; 3814 goto bail; 3815 } 3816 } 3817 3818 if (inbound_target != NULL) { 3819 if (inbound_target->ipsa_state == IPSA_STATE_DEAD) { 3820 error = ESRCH; /* DEAD == Not there, in this case. */ 3821 goto bail; 3822 } 3823 if ((kmp != 0) && 3824 ((inbound_target->ipsa_kmp != 0) || 3825 (inbound_target->ipsa_kmp != kmp))) { 3826 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 3827 error = EINVAL; 3828 goto bail; 3829 } 3830 if ((kmc != 0) && 3831 ((inbound_target->ipsa_kmc != 0) || 3832 (inbound_target->ipsa_kmc != kmc))) { 3833 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 3834 error = EINVAL; 3835 goto bail; 3836 } 3837 } 3838 3839 if (outbound_target != NULL) { 3840 sadb_set_unique(outbound_target, dstext->sadb_address_proto, 3841 src, dst); 3842 sadb_update_lifetimes(outbound_target, hard, soft); 3843 if (kmp != 0) 3844 outbound_target->ipsa_kmp = kmp; 3845 if (kmc != 0) 3846 outbound_target->ipsa_kmc = kmc; 3847 } 3848 3849 if (inbound_target != NULL) { 3850 sadb_set_unique(inbound_target, dstext->sadb_address_proto, 3851 src, dst); 3852 sadb_update_lifetimes(inbound_target, hard, soft); 3853 if (kmp != 0) 3854 inbound_target->ipsa_kmp = kmp; 3855 if (kmc != 0) 3856 inbound_target->ipsa_kmc = kmc; 3857 } 3858 3859 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 3860 ksi, (outbound_target == NULL) ? inbound_target : outbound_target); 3861 3862 bail: 3863 /* 3864 * Because of the multi-line macro nature of IPSA_REFRELE, keep 3865 * them in { }. 3866 */ 3867 if (outbound_target != NULL) { 3868 IPSA_REFRELE(outbound_target); 3869 } 3870 if (inbound_target != NULL) { 3871 IPSA_REFRELE(inbound_target); 3872 } 3873 3874 return (error); 3875 } 3876 3877 /* 3878 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is 3879 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails 3880 * for an outbound datagram, that datagram is queued up on an ACQUIRE record, 3881 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key 3882 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve 3883 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the 3884 * other direction's SA. 3885 */ 3886 3887 /* 3888 * Check the ACQUIRE lists. If there's an existing ACQUIRE record, 3889 * grab it, lock it, and return it. Otherwise return NULL. 3890 */ 3891 static ipsacq_t * 3892 sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp, 3893 uint32_t *src, uint32_t *dst, uint64_t unique_id) 3894 { 3895 ipsacq_t *walker; 3896 sa_family_t fam; 3897 3898 /* 3899 * Scan list for duplicates. Check for UNIQUE, src/dest, policy. 3900 * 3901 * XXX May need search for duplicates based on other things too! 3902 */ 3903 for (walker = bucket->iacqf_ipsacq; walker != NULL; 3904 walker = walker->ipsacq_next) { 3905 mutex_enter(&walker->ipsacq_lock); 3906 fam = walker->ipsacq_addrfam; 3907 if (IPSA_ARE_ADDR_EQUAL(dst, walker->ipsacq_dstaddr, fam) && 3908 IPSA_ARE_ADDR_EQUAL(src, walker->ipsacq_srcaddr, fam) && 3909 /* XXX PROXY should check for proxy addr here */ 3910 (ap == walker->ipsacq_act) && 3911 (pp == walker->ipsacq_policy) && 3912 /* XXX do deep compares of ap/pp? */ 3913 (unique_id == walker->ipsacq_unique_id)) 3914 break; /* everything matched */ 3915 mutex_exit(&walker->ipsacq_lock); 3916 } 3917 3918 return (walker); 3919 } 3920 3921 /* 3922 * For this mblk, insert a new acquire record. Assume bucket contains addrs 3923 * of all of the same length. Give up (and drop) if memory 3924 * cannot be allocated for a new one; otherwise, invoke callback to 3925 * send the acquire up.. 3926 * 3927 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE 3928 * list. The ah_add_sa_finish() routines can look at the packet's ipsec_out_t 3929 * and handle this case specially. 3930 */ 3931 void 3932 sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp) 3933 { 3934 sadbp_t *spp; 3935 sadb_t *sp; 3936 ipsacq_t *newbie; 3937 iacqf_t *bucket; 3938 mblk_t *datamp = mp->b_cont; 3939 mblk_t *extended; 3940 ipha_t *ipha = (ipha_t *)datamp->b_rptr; 3941 ip6_t *ip6h = (ip6_t *)datamp->b_rptr; 3942 uint32_t *src, *dst; 3943 ipsec_policy_t *pp = io->ipsec_out_policy; 3944 ipsec_action_t *ap = io->ipsec_out_act; 3945 sa_family_t af; 3946 int hashoffset; 3947 uint32_t seq; 3948 uint64_t unique_id = 0; 3949 ipsec_selector_t sel; 3950 3951 ASSERT((pp != NULL) || (ap != NULL)); 3952 3953 ASSERT(need_ah != NULL || need_esp != NULL); 3954 /* Assign sadb pointers */ 3955 spp = need_esp ? &esp_sadb : &ah_sadb; /* ESP for AH+ESP */ 3956 sp = io->ipsec_out_v4 ? &spp->s_v4 : &spp->s_v6; 3957 3958 if (ap == NULL) 3959 ap = pp->ipsp_act; 3960 3961 ASSERT(ap != NULL); 3962 3963 if (ap->ipa_act.ipa_apply.ipp_use_unique) 3964 unique_id = SA_FORM_UNIQUE_ID(io); 3965 3966 /* 3967 * Set up an ACQUIRE record. 3968 * 3969 * Will eventually want to pull the PROXY source address from 3970 * either the inner IP header, or from a future extension to the 3971 * IPSEC_OUT message. 3972 * 3973 * Actually, we'll also want to check for duplicates. 3974 * 3975 * Immediately, make sure the ACQUIRE sequence number doesn't slip 3976 * below the lowest point allowed in the kernel. (In other words, 3977 * make sure the high bit on the sequence number is set.) 3978 */ 3979 3980 seq = keysock_next_seq() | IACQF_LOWEST_SEQ; 3981 3982 sel.ips_isv4 = io->ipsec_out_v4; 3983 sel.ips_protocol = io->ipsec_out_proto; 3984 sel.ips_local_port = io->ipsec_out_src_port; 3985 sel.ips_remote_port = io->ipsec_out_dst_port; 3986 sel.ips_icmp_type = io->ipsec_out_icmp_type; 3987 sel.ips_icmp_code = io->ipsec_out_icmp_code; 3988 sel.ips_is_icmp_inv_acq = 0; 3989 if (IPH_HDR_VERSION(ipha) == IP_VERSION) { 3990 src = (uint32_t *)&ipha->ipha_src; 3991 dst = (uint32_t *)&ipha->ipha_dst; 3992 /* No compiler dain-bramage (4438087) for IPv4 addresses. */ 3993 sel.ips_local_addr_v4 = ipha->ipha_src; 3994 sel.ips_remote_addr_v4 = ipha->ipha_dst; 3995 af = AF_INET; 3996 hashoffset = OUTBOUND_HASH_V4(sp, ipha->ipha_dst); 3997 ASSERT(io->ipsec_out_v4 == B_TRUE); 3998 } else { 3999 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION); 4000 src = (uint32_t *)&ip6h->ip6_src; 4001 dst = (uint32_t *)&ip6h->ip6_dst; 4002 sel.ips_local_addr_v6 = ip6h->ip6_src; 4003 sel.ips_remote_addr_v6 = ip6h->ip6_dst; 4004 af = AF_INET6; 4005 hashoffset = OUTBOUND_HASH_V6(sp, ip6h->ip6_dst); 4006 ASSERT(io->ipsec_out_v4 == B_FALSE); 4007 } 4008 4009 /* 4010 * Check buckets to see if there is an existing entry. If so, 4011 * grab it. sadb_checkacquire locks newbie if found. 4012 */ 4013 bucket = &(sp->sdb_acq[hashoffset]); 4014 mutex_enter(&bucket->iacqf_lock); 4015 newbie = sadb_checkacquire(bucket, ap, pp, src, dst, unique_id); 4016 4017 if (newbie == NULL) { 4018 /* 4019 * Otherwise, allocate a new one. 4020 */ 4021 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP); 4022 if (newbie == NULL) { 4023 mutex_exit(&bucket->iacqf_lock); 4024 ip_drop_packet(mp, B_FALSE, NULL, NULL, 4025 &ipdrops_sadb_acquire_nomem, &sadb_dropper); 4026 return; 4027 } 4028 newbie->ipsacq_policy = pp; 4029 if (pp != NULL) { 4030 IPPOL_REFHOLD(pp); 4031 } 4032 IPACT_REFHOLD(ap); 4033 newbie->ipsacq_act = ap; 4034 newbie->ipsacq_linklock = &bucket->iacqf_lock; 4035 newbie->ipsacq_next = bucket->iacqf_ipsacq; 4036 newbie->ipsacq_ptpn = &bucket->iacqf_ipsacq; 4037 if (newbie->ipsacq_next != NULL) 4038 newbie->ipsacq_next->ipsacq_ptpn = &newbie->ipsacq_next; 4039 bucket->iacqf_ipsacq = newbie; 4040 mutex_init(&newbie->ipsacq_lock, NULL, MUTEX_DEFAULT, NULL); 4041 mutex_enter(&newbie->ipsacq_lock); 4042 } 4043 4044 mutex_exit(&bucket->iacqf_lock); 4045 4046 /* 4047 * This assert looks silly for now, but we may need to enter newbie's 4048 * mutex during a search. 4049 */ 4050 ASSERT(MUTEX_HELD(&newbie->ipsacq_lock)); 4051 4052 mp->b_next = NULL; 4053 /* Queue up packet. Use b_next. */ 4054 if (newbie->ipsacq_numpackets == 0) { 4055 /* First one. */ 4056 newbie->ipsacq_mp = mp; 4057 newbie->ipsacq_numpackets = 1; 4058 (void) drv_getparm(TIME, &newbie->ipsacq_expire); 4059 /* 4060 * Extended ACQUIRE with both AH+ESP will use ESP's timeout 4061 * value. 4062 */ 4063 newbie->ipsacq_expire += *spp->s_acquire_timeout; 4064 newbie->ipsacq_seq = seq; 4065 newbie->ipsacq_addrfam = af; 4066 4067 newbie->ipsacq_srcport = io->ipsec_out_src_port; 4068 newbie->ipsacq_dstport = io->ipsec_out_dst_port; 4069 newbie->ipsacq_icmp_type = io->ipsec_out_icmp_type; 4070 newbie->ipsacq_icmp_code = io->ipsec_out_icmp_code; 4071 newbie->ipsacq_proto = io->ipsec_out_proto; 4072 newbie->ipsacq_unique_id = unique_id; 4073 } else { 4074 /* Scan to the end of the list & insert. */ 4075 mblk_t *lastone = newbie->ipsacq_mp; 4076 4077 while (lastone->b_next != NULL) 4078 lastone = lastone->b_next; 4079 lastone->b_next = mp; 4080 if (newbie->ipsacq_numpackets++ == IPSACQ_MAXPACKETS) { 4081 newbie->ipsacq_numpackets = IPSACQ_MAXPACKETS; 4082 lastone = newbie->ipsacq_mp; 4083 newbie->ipsacq_mp = lastone->b_next; 4084 lastone->b_next = NULL; 4085 ip_drop_packet(lastone, B_FALSE, NULL, NULL, 4086 &ipdrops_sadb_acquire_toofull, &sadb_dropper); 4087 } 4088 } 4089 4090 /* 4091 * Reset addresses. Set them to the most recently added mblk chain, 4092 * so that the address pointers in the acquire record will point 4093 * at an mblk still attached to the acquire list. 4094 */ 4095 4096 newbie->ipsacq_srcaddr = src; 4097 newbie->ipsacq_dstaddr = dst; 4098 4099 /* 4100 * If the acquire record has more than one queued packet, we've 4101 * already sent an ACQUIRE, and don't need to repeat ourself. 4102 */ 4103 if (newbie->ipsacq_seq != seq || newbie->ipsacq_numpackets > 1) { 4104 /* I have an acquire outstanding already! */ 4105 mutex_exit(&newbie->ipsacq_lock); 4106 return; 4107 } 4108 4109 if (keysock_extended_reg()) { 4110 /* 4111 * Construct an extended ACQUIRE. There are logging 4112 * opportunities here in failure cases. 4113 */ 4114 4115 extended = sadb_keysock_out(0); 4116 if (extended != NULL) { 4117 extended->b_cont = sadb_extended_acquire(&sel, pp, ap, 4118 seq, 0); 4119 if (extended->b_cont == NULL) { 4120 freeb(extended); 4121 extended = NULL; 4122 } 4123 } 4124 } else 4125 extended = NULL; 4126 4127 /* 4128 * Send an ACQUIRE message (and possible an extended ACQUIRE) based on 4129 * this new record. The send-acquire callback assumes that acqrec is 4130 * already locked. 4131 */ 4132 (*spp->s_acqfn)(newbie, extended); 4133 } 4134 4135 /* 4136 * Unlink and free an acquire record. 4137 */ 4138 void 4139 sadb_destroy_acquire(ipsacq_t *acqrec) 4140 { 4141 mblk_t *mp; 4142 4143 ASSERT(MUTEX_HELD(acqrec->ipsacq_linklock)); 4144 4145 if (acqrec->ipsacq_policy != NULL) { 4146 IPPOL_REFRELE(acqrec->ipsacq_policy); 4147 } 4148 if (acqrec->ipsacq_act != NULL) { 4149 IPACT_REFRELE(acqrec->ipsacq_act); 4150 } 4151 4152 /* Unlink */ 4153 *(acqrec->ipsacq_ptpn) = acqrec->ipsacq_next; 4154 if (acqrec->ipsacq_next != NULL) 4155 acqrec->ipsacq_next->ipsacq_ptpn = acqrec->ipsacq_ptpn; 4156 4157 /* 4158 * Free hanging mp's. 4159 * 4160 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED. 4161 */ 4162 4163 mutex_enter(&acqrec->ipsacq_lock); 4164 while (acqrec->ipsacq_mp != NULL) { 4165 mp = acqrec->ipsacq_mp; 4166 acqrec->ipsacq_mp = mp->b_next; 4167 mp->b_next = NULL; 4168 ip_drop_packet(mp, B_FALSE, NULL, NULL, 4169 &ipdrops_sadb_acquire_timeout, &sadb_dropper); 4170 } 4171 mutex_exit(&acqrec->ipsacq_lock); 4172 4173 /* Free */ 4174 mutex_destroy(&acqrec->ipsacq_lock); 4175 kmem_free(acqrec, sizeof (*acqrec)); 4176 } 4177 4178 /* 4179 * Destroy an acquire list fanout. 4180 */ 4181 static void 4182 sadb_destroy_acqlist(iacqf_t **listp, uint_t numentries, boolean_t forever) 4183 { 4184 int i; 4185 iacqf_t *list = *listp; 4186 4187 if (list == NULL) 4188 return; 4189 4190 for (i = 0; i < numentries; i++) { 4191 mutex_enter(&(list[i].iacqf_lock)); 4192 while (list[i].iacqf_ipsacq != NULL) 4193 sadb_destroy_acquire(list[i].iacqf_ipsacq); 4194 mutex_exit(&(list[i].iacqf_lock)); 4195 if (forever) 4196 mutex_destroy(&(list[i].iacqf_lock)); 4197 } 4198 4199 if (forever) { 4200 *listp = NULL; 4201 kmem_free(list, numentries * sizeof (*list)); 4202 } 4203 } 4204 4205 static uint8_t * 4206 sadb_new_algdesc(uint8_t *start, uint8_t *limit, 4207 sadb_x_ecomb_t *ecomb, uint8_t satype, uint8_t algtype, 4208 uint8_t alg, uint16_t minbits, uint16_t maxbits) 4209 { 4210 uint8_t *cur = start; 4211 4212 sadb_x_algdesc_t *algdesc = (sadb_x_algdesc_t *)cur; 4213 cur += sizeof (*algdesc); 4214 if (cur >= limit) 4215 return (NULL); 4216 4217 ecomb->sadb_x_ecomb_numalgs++; 4218 4219 algdesc->sadb_x_algdesc_satype = satype; 4220 algdesc->sadb_x_algdesc_algtype = algtype; 4221 algdesc->sadb_x_algdesc_alg = alg; 4222 algdesc->sadb_x_algdesc_minbits = minbits; 4223 algdesc->sadb_x_algdesc_maxbits = maxbits; 4224 algdesc->sadb_x_algdesc_reserved = 0; 4225 return (cur); 4226 } 4227 4228 /* 4229 * Convert the given ipsec_action_t into an ecomb starting at *ecomb 4230 * which must fit before *limit 4231 * 4232 * return NULL if we ran out of room or a pointer to the end of the ecomb. 4233 */ 4234 static uint8_t * 4235 sadb_action_to_ecomb(uint8_t *start, uint8_t *limit, ipsec_action_t *act) 4236 { 4237 uint8_t *cur = start; 4238 sadb_x_ecomb_t *ecomb = (sadb_x_ecomb_t *)cur; 4239 ipsec_prot_t *ipp; 4240 4241 cur += sizeof (*ecomb); 4242 if (cur >= limit) 4243 return (NULL); 4244 4245 ASSERT(act->ipa_act.ipa_type == IPSEC_ACT_APPLY); 4246 4247 ipp = &act->ipa_act.ipa_apply; 4248 4249 ecomb->sadb_x_ecomb_numalgs = 0; 4250 ecomb->sadb_x_ecomb_reserved = 0; 4251 ecomb->sadb_x_ecomb_reserved2 = 0; 4252 /* 4253 * No limits on allocations, since we really don't support that 4254 * concept currently. 4255 */ 4256 ecomb->sadb_x_ecomb_soft_allocations = 0; 4257 ecomb->sadb_x_ecomb_hard_allocations = 0; 4258 4259 /* 4260 * XXX TBD: Policy or global parameters will eventually be 4261 * able to fill in some of these. 4262 */ 4263 ecomb->sadb_x_ecomb_flags = 0; 4264 ecomb->sadb_x_ecomb_soft_bytes = 0; 4265 ecomb->sadb_x_ecomb_hard_bytes = 0; 4266 ecomb->sadb_x_ecomb_soft_addtime = 0; 4267 ecomb->sadb_x_ecomb_hard_addtime = 0; 4268 ecomb->sadb_x_ecomb_soft_usetime = 0; 4269 ecomb->sadb_x_ecomb_hard_usetime = 0; 4270 4271 if (ipp->ipp_use_ah) { 4272 cur = sadb_new_algdesc(cur, limit, ecomb, 4273 SADB_SATYPE_AH, SADB_X_ALGTYPE_AUTH, ipp->ipp_auth_alg, 4274 ipp->ipp_ah_minbits, ipp->ipp_ah_maxbits); 4275 if (cur == NULL) 4276 return (NULL); 4277 ipsecah_fill_defs(ecomb); 4278 } 4279 4280 if (ipp->ipp_use_esp) { 4281 if (ipp->ipp_use_espa) { 4282 cur = sadb_new_algdesc(cur, limit, ecomb, 4283 SADB_SATYPE_ESP, SADB_X_ALGTYPE_AUTH, 4284 ipp->ipp_esp_auth_alg, 4285 ipp->ipp_espa_minbits, 4286 ipp->ipp_espa_maxbits); 4287 if (cur == NULL) 4288 return (NULL); 4289 } 4290 4291 cur = sadb_new_algdesc(cur, limit, ecomb, 4292 SADB_SATYPE_ESP, SADB_X_ALGTYPE_CRYPT, 4293 ipp->ipp_encr_alg, 4294 ipp->ipp_espe_minbits, 4295 ipp->ipp_espe_maxbits); 4296 if (cur == NULL) 4297 return (NULL); 4298 /* Fill in lifetimes if and only if AH didn't already... */ 4299 if (!ipp->ipp_use_ah) 4300 ipsecesp_fill_defs(ecomb); 4301 } 4302 4303 return (cur); 4304 } 4305 4306 /* 4307 * Construct an extended ACQUIRE message based on a selector and the resulting 4308 * IPsec action. 4309 * 4310 * NOTE: This is used by both inverse ACQUIRE and actual ACQUIRE 4311 * generation. As a consequence, expect this function to evolve 4312 * rapidly. 4313 */ 4314 static mblk_t * 4315 sadb_extended_acquire(ipsec_selector_t *sel, ipsec_policy_t *pol, 4316 ipsec_action_t *act, uint32_t seq, uint32_t pid) 4317 { 4318 mblk_t *mp; 4319 sadb_msg_t *samsg; 4320 uint8_t *start, *cur, *end; 4321 uint32_t *saddrptr, *daddrptr; 4322 sa_family_t af; 4323 sadb_prop_t *eprop; 4324 ipsec_action_t *ap, *an; 4325 uint8_t proto; 4326 uint16_t lport, rport; 4327 uint32_t kmp, kmc; 4328 4329 /* 4330 * Find the action we want sooner rather than later.. 4331 */ 4332 an = NULL; 4333 if (pol == NULL) { 4334 ap = act; 4335 } else { 4336 ap = pol->ipsp_act; 4337 4338 if (ap != NULL) 4339 an = ap->ipa_next; 4340 } 4341 4342 /* 4343 * Just take a swag for the allocation for now. We can always 4344 * alter it later. 4345 */ 4346 #define SADB_EXTENDED_ACQUIRE_SIZE 2048 4347 mp = allocb(SADB_EXTENDED_ACQUIRE_SIZE, BPRI_HI); 4348 if (mp == NULL) 4349 return (NULL); 4350 if (sel->ips_isv4) { 4351 af = AF_INET; 4352 saddrptr = (uint32_t *)(&sel->ips_local_addr_v4); 4353 daddrptr = (uint32_t *)(&sel->ips_remote_addr_v4); 4354 } else { 4355 af = AF_INET6; 4356 saddrptr = (uint32_t *)(&sel->ips_local_addr_v6); 4357 daddrptr = (uint32_t *)(&sel->ips_remote_addr_v6); 4358 } 4359 4360 start = mp->b_rptr; 4361 end = start + SADB_EXTENDED_ACQUIRE_SIZE; 4362 4363 cur = start; 4364 4365 samsg = (sadb_msg_t *)cur; 4366 cur += sizeof (*samsg); 4367 4368 samsg->sadb_msg_version = PF_KEY_V2; 4369 samsg->sadb_msg_type = SADB_ACQUIRE; 4370 samsg->sadb_msg_errno = 0; 4371 samsg->sadb_msg_reserved = 0; 4372 samsg->sadb_msg_satype = 0; 4373 samsg->sadb_msg_seq = seq; 4374 samsg->sadb_msg_pid = pid; 4375 4376 proto = sel->ips_protocol; 4377 lport = sel->ips_local_port; 4378 rport = sel->ips_remote_port; 4379 4380 /* 4381 * Unless our policy says "sa unique", drop port/proto 4382 * selectors, then add them back if policy rule includes them.. 4383 */ 4384 4385 if ((ap != NULL) && (!ap->ipa_want_unique)) { 4386 proto = 0; 4387 lport = 0; 4388 rport = 0; 4389 if (pol != NULL) { 4390 ipsec_selkey_t *psel = &pol->ipsp_sel->ipsl_key; 4391 if (psel->ipsl_valid & IPSL_PROTOCOL) 4392 proto = psel->ipsl_proto; 4393 if (psel->ipsl_valid & IPSL_REMOTE_PORT) 4394 rport = psel->ipsl_rport; 4395 if (psel->ipsl_valid & IPSL_LOCAL_PORT) 4396 lport = psel->ipsl_lport; 4397 } 4398 } 4399 4400 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 4401 saddrptr, lport, proto); 4402 4403 if (cur == NULL) { 4404 freeb(mp); 4405 return (NULL); 4406 } 4407 4408 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 4409 daddrptr, rport, proto); 4410 4411 if (cur == NULL) { 4412 freeb(mp); 4413 return (NULL); 4414 } 4415 4416 /* 4417 * This section will change a lot as policy evolves. 4418 * For now, it'll be relatively simple. 4419 */ 4420 eprop = (sadb_prop_t *)cur; 4421 cur += sizeof (*eprop); 4422 if (cur > end) { 4423 /* no space left */ 4424 freeb(mp); 4425 return (NULL); 4426 } 4427 4428 eprop->sadb_prop_exttype = SADB_X_EXT_EPROP; 4429 eprop->sadb_x_prop_ereserved = 0; 4430 eprop->sadb_x_prop_numecombs = 0; 4431 eprop->sadb_prop_replay = 32; /* default */ 4432 4433 kmc = kmp = 0; 4434 4435 for (; ap != NULL; ap = an) { 4436 an = (pol != NULL) ? ap->ipa_next : NULL; 4437 4438 /* 4439 * Skip non-IPsec policies 4440 */ 4441 if (ap->ipa_act.ipa_type != IPSEC_ACT_APPLY) 4442 continue; 4443 4444 if (ap->ipa_act.ipa_apply.ipp_km_proto) 4445 kmp = ap->ipa_act.ipa_apply.ipp_km_proto; 4446 if (ap->ipa_act.ipa_apply.ipp_km_cookie) 4447 kmc = ap->ipa_act.ipa_apply.ipp_km_cookie; 4448 if (ap->ipa_act.ipa_apply.ipp_replay_depth) { 4449 eprop->sadb_prop_replay = 4450 ap->ipa_act.ipa_apply.ipp_replay_depth; 4451 } 4452 4453 cur = sadb_action_to_ecomb(cur, end, ap); 4454 if (cur == NULL) { /* no space */ 4455 freeb(mp); 4456 return (NULL); 4457 } 4458 eprop->sadb_x_prop_numecombs++; 4459 } 4460 4461 if (eprop->sadb_x_prop_numecombs == 0) { 4462 /* 4463 * This will happen if we fail to find a policy 4464 * allowing for IPsec processing. 4465 * Construct an error message. 4466 */ 4467 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 4468 samsg->sadb_msg_errno = ENOENT; 4469 samsg->sadb_x_msg_diagnostic = 0; 4470 return (mp); 4471 } 4472 4473 if ((kmp != 0) || (kmc != 0)) { 4474 cur = sadb_make_kmc_ext(cur, end, kmp, kmc); 4475 if (cur == NULL) { 4476 freeb(mp); 4477 return (NULL); 4478 } 4479 } 4480 4481 eprop->sadb_prop_len = SADB_8TO64(cur - (uint8_t *)eprop); 4482 samsg->sadb_msg_len = SADB_8TO64(cur-start); 4483 mp->b_wptr = cur; 4484 4485 return (mp); 4486 } 4487 4488 /* 4489 * Generic setup of an ACQUIRE message. Caller sets satype. 4490 */ 4491 uint8_t * 4492 sadb_setup_acquire(uint8_t *start, uint8_t *end, ipsacq_t *acqrec) 4493 { 4494 sa_family_t af; 4495 uint8_t *cur = start; 4496 sadb_msg_t *samsg = (sadb_msg_t *)cur; 4497 uint16_t sport_typecode; 4498 uint16_t dport_typecode; 4499 uint8_t check_proto; 4500 4501 cur += sizeof (sadb_msg_t); 4502 if (cur > end) 4503 return (NULL); 4504 4505 /* use the address length to find the address family */ 4506 af = acqrec->ipsacq_addrfam; 4507 switch (af) { 4508 case AF_INET: 4509 check_proto = IPPROTO_ICMP; 4510 break; 4511 case AF_INET6: 4512 check_proto = IPPROTO_ICMPV6; 4513 break; 4514 default: 4515 /* This should never happen unless we have kernel bugs. */ 4516 cmn_err(CE_WARN, 4517 "sadb_setup_acquire: corrupt ACQUIRE record.\n"); 4518 ASSERT(0); 4519 return (NULL); 4520 } 4521 4522 samsg->sadb_msg_version = PF_KEY_V2; 4523 samsg->sadb_msg_type = SADB_ACQUIRE; 4524 samsg->sadb_msg_errno = 0; 4525 samsg->sadb_msg_pid = 0; 4526 samsg->sadb_msg_reserved = 0; 4527 samsg->sadb_msg_seq = acqrec->ipsacq_seq; 4528 4529 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock)); 4530 4531 if (acqrec->ipsacq_proto == check_proto) { 4532 sport_typecode = dport_typecode = 0; 4533 } else { 4534 sport_typecode = acqrec->ipsacq_srcport; 4535 dport_typecode = acqrec->ipsacq_dstport; 4536 } 4537 4538 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 4539 acqrec->ipsacq_srcaddr, sport_typecode, acqrec->ipsacq_proto); 4540 4541 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 4542 acqrec->ipsacq_dstaddr, dport_typecode, acqrec->ipsacq_proto); 4543 4544 if (cur != NULL) 4545 samsg->sadb_msg_len = SADB_8TO64(cur - start); 4546 4547 return (cur); 4548 } 4549 4550 /* 4551 * Given an SADB_GETSPI message, find an appropriately ranged SA and 4552 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1. 4553 * If there was a memory allocation error, return NULL. (Assume NULL != 4554 * (ipsa_t *)-1). 4555 * 4556 * master_spi is passed in host order. 4557 */ 4558 ipsa_t * 4559 sadb_getspi(keysock_in_t *ksi, uint32_t master_spi, int *diagnostic) 4560 { 4561 sadb_address_t *src = 4562 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC], 4563 *dst = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 4564 sadb_spirange_t *range = 4565 (sadb_spirange_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE]; 4566 struct sockaddr_in *ssa, *dsa; 4567 struct sockaddr_in6 *ssa6, *dsa6; 4568 uint32_t *srcaddr, *dstaddr; 4569 sa_family_t af; 4570 uint32_t add, min, max; 4571 4572 if (src == NULL) { 4573 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 4574 return ((ipsa_t *)-1); 4575 } 4576 if (dst == NULL) { 4577 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 4578 return ((ipsa_t *)-1); 4579 } 4580 if (range == NULL) { 4581 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_RANGE; 4582 return ((ipsa_t *)-1); 4583 } 4584 4585 min = ntohl(range->sadb_spirange_min); 4586 max = ntohl(range->sadb_spirange_max); 4587 dsa = (struct sockaddr_in *)(dst + 1); 4588 dsa6 = (struct sockaddr_in6 *)dsa; 4589 4590 ssa = (struct sockaddr_in *)(src + 1); 4591 ssa6 = (struct sockaddr_in6 *)ssa; 4592 if (dsa->sin_family != ssa->sin_family) { 4593 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 4594 return ((ipsa_t *)-1); 4595 } 4596 4597 srcaddr = ALL_ZEROES_PTR; 4598 af = dsa->sin_family; 4599 switch (af) { 4600 case AF_INET: 4601 if (src != NULL) 4602 srcaddr = (uint32_t *)(&ssa->sin_addr); 4603 dstaddr = (uint32_t *)(&dsa->sin_addr); 4604 break; 4605 case AF_INET6: 4606 if (src != NULL) 4607 srcaddr = (uint32_t *)(&ssa6->sin6_addr); 4608 dstaddr = (uint32_t *)(&dsa6->sin6_addr); 4609 break; 4610 default: 4611 *diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 4612 return ((ipsa_t *)-1); 4613 } 4614 4615 if (master_spi < min || master_spi > max) { 4616 /* Return a random value in the range. */ 4617 (void) random_get_pseudo_bytes((uint8_t *)&add, sizeof (add)); 4618 master_spi = min + (add % (max - min + 1)); 4619 } 4620 4621 /* 4622 * Since master_spi is passed in host order, we need to htonl() it 4623 * for the purposes of creating a new SA. 4624 */ 4625 return (sadb_makelarvalassoc(htonl(master_spi), srcaddr, dstaddr, af)); 4626 } 4627 4628 /* 4629 * 4630 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the 4631 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list 4632 * and scan for the sequence number in question. I may wish to accept an 4633 * address pair with it, for easier searching. 4634 * 4635 * Caller frees the message, so we don't have to here. 4636 * 4637 * NOTE: The ip_q parameter may be used in the future for ACQUIRE 4638 * failures. 4639 */ 4640 /* ARGSUSED */ 4641 void 4642 sadb_in_acquire(sadb_msg_t *samsg, sadbp_t *sp, queue_t *ip_q) 4643 { 4644 int i; 4645 ipsacq_t *acqrec; 4646 iacqf_t *bucket; 4647 4648 /* 4649 * I only accept the base header for this! 4650 * Though to be honest, requiring the dst address would help 4651 * immensely. 4652 * 4653 * XXX There are already cases where I can get the dst address. 4654 */ 4655 if (samsg->sadb_msg_len > SADB_8TO64(sizeof (*samsg))) 4656 return; 4657 4658 /* 4659 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it, 4660 * (and in the future send a message to IP with the appropriate error 4661 * number). 4662 * 4663 * Q: Do I want to reject if pid != 0? 4664 */ 4665 4666 for (i = 0; i < sp->s_v4.sdb_hashsize; i++) { 4667 bucket = &sp->s_v4.sdb_acq[i]; 4668 mutex_enter(&bucket->iacqf_lock); 4669 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 4670 acqrec = acqrec->ipsacq_next) { 4671 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 4672 break; /* for acqrec... loop. */ 4673 } 4674 if (acqrec != NULL) 4675 break; /* for i = 0... loop. */ 4676 4677 mutex_exit(&bucket->iacqf_lock); 4678 } 4679 4680 if (acqrec == NULL) { 4681 for (i = 0; i < sp->s_v6.sdb_hashsize; i++) { 4682 bucket = &sp->s_v6.sdb_acq[i]; 4683 mutex_enter(&bucket->iacqf_lock); 4684 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 4685 acqrec = acqrec->ipsacq_next) { 4686 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 4687 break; /* for acqrec... loop. */ 4688 } 4689 if (acqrec != NULL) 4690 break; /* for i = 0... loop. */ 4691 4692 mutex_exit(&bucket->iacqf_lock); 4693 } 4694 } 4695 4696 4697 if (acqrec == NULL) 4698 return; 4699 4700 /* 4701 * What do I do with the errno and IP? I may need mp's services a 4702 * little more. See sadb_destroy_acquire() for future directions 4703 * beyond free the mblk chain on the acquire record. 4704 */ 4705 4706 ASSERT(&bucket->iacqf_lock == acqrec->ipsacq_linklock); 4707 sadb_destroy_acquire(acqrec); 4708 /* Have to exit mutex here, because of breaking out of for loop. */ 4709 mutex_exit(&bucket->iacqf_lock); 4710 } 4711 4712 /* 4713 * The following functions work with the replay windows of an SA. They assume 4714 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector 4715 * represents the highest sequence number packet received, and back 4716 * (ipsa->ipsa_replay_wsize) packets. 4717 */ 4718 4719 /* 4720 * Is the replay bit set? 4721 */ 4722 static boolean_t 4723 ipsa_is_replay_set(ipsa_t *ipsa, uint32_t offset) 4724 { 4725 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 4726 4727 return ((bit & ipsa->ipsa_replay_arr[offset >> 6]) ? B_TRUE : B_FALSE); 4728 } 4729 4730 /* 4731 * Shift the bits of the replay window over. 4732 */ 4733 static void 4734 ipsa_shift_replay(ipsa_t *ipsa, uint32_t shift) 4735 { 4736 int i; 4737 int jump = ((shift - 1) >> 6) + 1; 4738 4739 if (shift == 0) 4740 return; 4741 4742 for (i = (ipsa->ipsa_replay_wsize - 1) >> 6; i >= 0; i--) { 4743 if (i + jump <= (ipsa->ipsa_replay_wsize - 1) >> 6) { 4744 ipsa->ipsa_replay_arr[i + jump] |= 4745 ipsa->ipsa_replay_arr[i] >> (64 - (shift & 63)); 4746 } 4747 ipsa->ipsa_replay_arr[i] <<= shift; 4748 } 4749 } 4750 4751 /* 4752 * Set a bit in the bit vector. 4753 */ 4754 static void 4755 ipsa_set_replay(ipsa_t *ipsa, uint32_t offset) 4756 { 4757 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 4758 4759 ipsa->ipsa_replay_arr[offset >> 6] |= bit; 4760 } 4761 4762 #define SADB_MAX_REPLAY_VALUE 0xffffffff 4763 4764 /* 4765 * Assume caller has NOT done ntohl() already on seq. Check to see 4766 * if replay sequence number "seq" has been seen already. 4767 */ 4768 boolean_t 4769 sadb_replay_check(ipsa_t *ipsa, uint32_t seq) 4770 { 4771 boolean_t rc; 4772 uint32_t diff; 4773 4774 if (ipsa->ipsa_replay_wsize == 0) 4775 return (B_TRUE); 4776 4777 /* 4778 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek(). 4779 */ 4780 4781 /* Convert sequence number into host order before holding the mutex. */ 4782 seq = ntohl(seq); 4783 4784 mutex_enter(&ipsa->ipsa_lock); 4785 4786 /* Initialize inbound SA's ipsa_replay field to last one received. */ 4787 if (ipsa->ipsa_replay == 0) 4788 ipsa->ipsa_replay = 1; 4789 4790 if (seq > ipsa->ipsa_replay) { 4791 /* 4792 * I have received a new "highest value received". Shift 4793 * the replay window over. 4794 */ 4795 diff = seq - ipsa->ipsa_replay; 4796 if (diff < ipsa->ipsa_replay_wsize) { 4797 /* In replay window, shift bits over. */ 4798 ipsa_shift_replay(ipsa, diff); 4799 } else { 4800 /* WAY FAR AHEAD, clear bits and start again. */ 4801 bzero(ipsa->ipsa_replay_arr, 4802 sizeof (ipsa->ipsa_replay_arr)); 4803 } 4804 ipsa_set_replay(ipsa, 0); 4805 ipsa->ipsa_replay = seq; 4806 rc = B_TRUE; 4807 goto done; 4808 } 4809 diff = ipsa->ipsa_replay - seq; 4810 if (diff >= ipsa->ipsa_replay_wsize || ipsa_is_replay_set(ipsa, diff)) { 4811 rc = B_FALSE; 4812 goto done; 4813 } 4814 /* Set this packet as seen. */ 4815 ipsa_set_replay(ipsa, diff); 4816 4817 rc = B_TRUE; 4818 done: 4819 mutex_exit(&ipsa->ipsa_lock); 4820 return (rc); 4821 } 4822 4823 /* 4824 * "Peek" and see if we should even bother going through the effort of 4825 * running an authentication check on the sequence number passed in. 4826 * this takes into account packets that are below the replay window, 4827 * and collisions with already replayed packets. Return B_TRUE if it 4828 * is okay to proceed, B_FALSE if this packet should be dropped immeidately. 4829 * Assume same byte-ordering as sadb_replay_check. 4830 */ 4831 boolean_t 4832 sadb_replay_peek(ipsa_t *ipsa, uint32_t seq) 4833 { 4834 boolean_t rc = B_FALSE; 4835 uint32_t diff; 4836 4837 if (ipsa->ipsa_replay_wsize == 0) 4838 return (B_TRUE); 4839 4840 /* 4841 * 0 is 0, regardless of byte order... :) 4842 * 4843 * If I get 0 on the wire (and there is a replay window) then the 4844 * sender most likely wrapped. This ipsa may need to be marked or 4845 * something. 4846 */ 4847 if (seq == 0) 4848 return (B_FALSE); 4849 4850 seq = ntohl(seq); 4851 mutex_enter(&ipsa->ipsa_lock); 4852 if (seq < ipsa->ipsa_replay - ipsa->ipsa_replay_wsize && 4853 ipsa->ipsa_replay >= ipsa->ipsa_replay_wsize) 4854 goto done; 4855 4856 /* 4857 * If I've hit 0xffffffff, then quite honestly, I don't need to 4858 * bother with formalities. I'm not accepting any more packets 4859 * on this SA. 4860 */ 4861 if (ipsa->ipsa_replay == SADB_MAX_REPLAY_VALUE) { 4862 /* 4863 * Since we're already holding the lock, update the 4864 * expire time ala. sadb_replay_delete() and return. 4865 */ 4866 ipsa->ipsa_hardexpiretime = (time_t)1; 4867 goto done; 4868 } 4869 4870 if (seq <= ipsa->ipsa_replay) { 4871 /* 4872 * This seq is in the replay window. I'm not below it, 4873 * because I already checked for that above! 4874 */ 4875 diff = ipsa->ipsa_replay - seq; 4876 if (ipsa_is_replay_set(ipsa, diff)) 4877 goto done; 4878 } 4879 /* Else return B_TRUE, I'm going to advance the window. */ 4880 4881 rc = B_TRUE; 4882 done: 4883 mutex_exit(&ipsa->ipsa_lock); 4884 return (rc); 4885 } 4886 4887 /* 4888 * Delete a single SA. 4889 * 4890 * For now, use the quick-and-dirty trick of making the association's 4891 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager(). 4892 */ 4893 void 4894 sadb_replay_delete(ipsa_t *assoc) 4895 { 4896 mutex_enter(&assoc->ipsa_lock); 4897 assoc->ipsa_hardexpiretime = (time_t)1; 4898 mutex_exit(&assoc->ipsa_lock); 4899 } 4900 4901 /* 4902 * Given a queue that presumably points to IP, send a T_BIND_REQ for _proto_ 4903 * down. The caller will handle the T_BIND_ACK locally. 4904 */ 4905 boolean_t 4906 sadb_t_bind_req(queue_t *q, int proto) 4907 { 4908 struct T_bind_req *tbr; 4909 mblk_t *mp; 4910 4911 mp = allocb(sizeof (struct T_bind_req) + 1, BPRI_HI); 4912 if (mp == NULL) { 4913 /* cmn_err(CE_WARN, */ 4914 /* "sadb_t_bind_req(%d): couldn't allocate mblk\n", proto); */ 4915 return (B_FALSE); 4916 } 4917 mp->b_datap->db_type = M_PCPROTO; 4918 tbr = (struct T_bind_req *)mp->b_rptr; 4919 mp->b_wptr += sizeof (struct T_bind_req); 4920 tbr->PRIM_type = T_BIND_REQ; 4921 tbr->ADDR_length = 0; 4922 tbr->ADDR_offset = 0; 4923 tbr->CONIND_number = 0; 4924 *mp->b_wptr = (uint8_t)proto; 4925 mp->b_wptr++; 4926 4927 putnext(q, mp); 4928 return (B_TRUE); 4929 } 4930 4931 /* 4932 * Rate-limiting front-end to strlog() for AH and ESP. Uses the ndd variables 4933 * in /dev/ip and the same rate-limiting clock so that there's a single 4934 * knob to turn to throttle the rate of messages. 4935 * 4936 * This function needs to be kept in synch with ipsec_log_policy_failure() in 4937 * ip.c. Eventually, ipsec_log_policy_failure() should use this function. 4938 */ 4939 void 4940 ipsec_rl_strlog(short mid, short sid, char level, ushort_t sl, char *fmt, ...) 4941 { 4942 va_list adx; 4943 hrtime_t current = gethrtime(); 4944 4945 /* Convert interval (in msec) to hrtime (in nsec), which means * 10^6 */ 4946 if (ipsec_policy_failure_last + 4947 ((hrtime_t)ipsec_policy_log_interval * (hrtime_t)1000000) <= 4948 current) { 4949 /* 4950 * Throttle the logging such that I only log one 4951 * message every 'ipsec_policy_log_interval' amount 4952 * of time. 4953 */ 4954 va_start(adx, fmt); 4955 (void) vstrlog(mid, sid, level, sl, fmt, adx); 4956 va_end(adx); 4957 ipsec_policy_failure_last = current; 4958 } 4959 } 4960 4961 /* 4962 * Special front-end to ipsec_rl_strlog() dealing with SA failure. 4963 * this is designed to take only a format string with "* %x * %s *", so 4964 * that "spi" is printed first, then "addr" is converted using inet_pton(). 4965 * 4966 * This is abstracted out to save the stack space for only when inet_pton() 4967 * is called. Make sure "spi" is in network order; it usually is when this 4968 * would get called. 4969 */ 4970 void 4971 ipsec_assocfailure(short mid, short sid, char level, ushort_t sl, char *fmt, 4972 uint32_t spi, void *addr, int af) 4973 { 4974 char buf[INET6_ADDRSTRLEN]; 4975 4976 ASSERT(af == AF_INET6 || af == AF_INET); 4977 4978 ipsec_rl_strlog(mid, sid, level, sl, fmt, ntohl(spi), 4979 inet_ntop(af, addr, buf, sizeof (buf))); 4980 } 4981 4982 /* 4983 * Fills in a reference to the policy, if any, from the conn, in *ppp 4984 * Releases a reference to the passed conn_t. 4985 */ 4986 4987 /* ARGSUSED */ 4988 static void 4989 ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp, 4990 ipsec_action_t **app) 4991 { 4992 ipsec_policy_t *pp; 4993 ipsec_latch_t *ipl = connp->conn_latch; 4994 4995 if ((ipl != NULL) && (ipl->ipl_out_policy != NULL)) { 4996 pp = ipl->ipl_out_policy; 4997 IPPOL_REFHOLD(pp); 4998 } else { 4999 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel); 5000 } 5001 *ppp = pp; 5002 CONN_DEC_REF(connp); 5003 } 5004 5005 /* 5006 * The following functions scan through active conn_t structures 5007 * and return a reference to the best-matching policy it can find. 5008 * Caller must release the reference. 5009 */ 5010 static void 5011 ipsec_udp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ipsec_action_t **app) 5012 { 5013 connf_t *connfp; 5014 conn_t *connp = NULL; 5015 ipsec_selector_t portonly; 5016 5017 bzero((void*)&portonly, sizeof (portonly)); 5018 5019 if (sel->ips_local_port == 0) 5020 return; 5021 5022 connfp = &ipcl_udp_fanout[IPCL_UDP_HASH(sel->ips_local_port)]; 5023 mutex_enter(&connfp->connf_lock); 5024 5025 if (sel->ips_isv4) { 5026 connp = connfp->connf_head; 5027 while (connp != NULL) { 5028 if (IPCL_UDP_MATCH(connp, sel->ips_local_port, 5029 sel->ips_local_addr_v4, sel->ips_remote_port, 5030 sel->ips_remote_addr_v4)) 5031 break; 5032 connp = connp->conn_next; 5033 } 5034 5035 if (connp == NULL) { 5036 /* Try port-only match in IPv6. */ 5037 portonly.ips_local_port = sel->ips_local_port; 5038 sel = &portonly; 5039 } 5040 } 5041 5042 if (connp == NULL) { 5043 connp = connfp->connf_head; 5044 while (connp != NULL) { 5045 if (IPCL_UDP_MATCH_V6(connp, sel->ips_local_port, 5046 sel->ips_local_addr_v6, sel->ips_remote_port, 5047 sel->ips_remote_addr_v6)) 5048 break; 5049 connp = connp->conn_next; 5050 } 5051 5052 if (connp == NULL) { 5053 mutex_exit(&connfp->connf_lock); 5054 return; 5055 } 5056 } 5057 5058 CONN_INC_REF(connp); 5059 mutex_exit(&connfp->connf_lock); 5060 5061 ipsec_conn_pol(sel, connp, ppp, app); 5062 } 5063 5064 static conn_t * 5065 ipsec_find_listen_conn(uint16_t *pptr, ipsec_selector_t *sel) 5066 { 5067 connf_t *connfp; 5068 conn_t *connp = NULL; 5069 const in6_addr_t *v6addrmatch = &sel->ips_local_addr_v6; 5070 5071 if (sel->ips_local_port == 0) 5072 return (NULL); 5073 5074 connfp = &ipcl_bind_fanout[IPCL_BIND_HASH(sel->ips_local_port)]; 5075 mutex_enter(&connfp->connf_lock); 5076 5077 if (sel->ips_isv4) { 5078 connp = connfp->connf_head; 5079 while (connp != NULL) { 5080 if (IPCL_BIND_MATCH(connp, IPPROTO_TCP, 5081 sel->ips_local_addr_v4, pptr[1])) 5082 break; 5083 connp = connp->conn_next; 5084 } 5085 5086 if (connp == NULL) { 5087 /* Match to all-zeroes. */ 5088 v6addrmatch = &ipv6_all_zeros; 5089 } 5090 } 5091 5092 if (connp == NULL) { 5093 connp = connfp->connf_head; 5094 while (connp != NULL) { 5095 if (IPCL_BIND_MATCH_V6(connp, IPPROTO_TCP, 5096 *v6addrmatch, pptr[1])) 5097 break; 5098 connp = connp->conn_next; 5099 } 5100 5101 if (connp == NULL) { 5102 mutex_exit(&connfp->connf_lock); 5103 return (NULL); 5104 } 5105 } 5106 5107 CONN_INC_REF(connp); 5108 mutex_exit(&connfp->connf_lock); 5109 return (connp); 5110 } 5111 5112 static void 5113 ipsec_tcp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ipsec_action_t **app) 5114 { 5115 connf_t *connfp; 5116 conn_t *connp; 5117 uint32_t ports; 5118 uint16_t *pptr = (uint16_t *)&ports; 5119 5120 /* 5121 * Find TCP state in the following order: 5122 * 1.) Connected conns. 5123 * 2.) Listeners. 5124 * 5125 * Even though #2 will be the common case for inbound traffic, only 5126 * following this order insures correctness. 5127 */ 5128 5129 if (sel->ips_local_port == 0) 5130 return; 5131 5132 /* 5133 * 0 should be fport, 1 should be lport. SRC is the local one here. 5134 * See ipsec_construct_inverse_acquire() for details. 5135 */ 5136 pptr[0] = sel->ips_remote_port; 5137 pptr[1] = sel->ips_local_port; 5138 5139 connfp = &ipcl_conn_fanout[IPCL_CONN_HASH(sel->ips_remote_addr_v4, 5140 ports)]; 5141 mutex_enter(&connfp->connf_lock); 5142 connp = connfp->connf_head; 5143 5144 if (sel->ips_isv4) { 5145 while (connp != NULL) { 5146 if (IPCL_CONN_MATCH(connp, IPPROTO_TCP, 5147 sel->ips_remote_addr_v4, sel->ips_local_addr_v4, 5148 ports)) 5149 break; 5150 connp = connp->conn_next; 5151 } 5152 } else { 5153 while (connp != NULL) { 5154 if (IPCL_CONN_MATCH_V6(connp, IPPROTO_TCP, 5155 sel->ips_remote_addr_v6, sel->ips_local_addr_v6, 5156 ports)) 5157 break; 5158 connp = connp->conn_next; 5159 } 5160 } 5161 5162 if (connp != NULL) { 5163 CONN_INC_REF(connp); 5164 mutex_exit(&connfp->connf_lock); 5165 } else { 5166 mutex_exit(&connfp->connf_lock); 5167 5168 /* Try the listen hash. */ 5169 if ((connp = ipsec_find_listen_conn(pptr, sel)) == NULL) 5170 return; 5171 } 5172 5173 ipsec_conn_pol(sel, connp, ppp, app); 5174 } 5175 5176 static void 5177 ipsec_sctp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 5178 ipsec_action_t **app) 5179 { 5180 conn_t *connp; 5181 uint32_t ports; 5182 uint16_t *pptr = (uint16_t *)&ports; 5183 5184 /* 5185 * Find SCP state in the following order: 5186 * 1.) Connected conns. 5187 * 2.) Listeners. 5188 * 5189 * Even though #2 will be the common case for inbound traffic, only 5190 * following this order insures correctness. 5191 */ 5192 5193 if (sel->ips_local_port == 0) 5194 return; 5195 5196 /* 5197 * 0 should be fport, 1 should be lport. SRC is the local one here. 5198 * See ipsec_construct_inverse_acquire() for details. 5199 */ 5200 pptr[0] = sel->ips_remote_port; 5201 pptr[1] = sel->ips_local_port; 5202 5203 if (sel->ips_isv4) { 5204 in6_addr_t src, dst; 5205 5206 IN6_IPADDR_TO_V4MAPPED(sel->ips_remote_addr_v4, &dst); 5207 IN6_IPADDR_TO_V4MAPPED(sel->ips_local_addr_v4, &src); 5208 connp = sctp_find_conn(&dst, &src, ports, 0, ALL_ZONES); 5209 } else { 5210 connp = sctp_find_conn(&sel->ips_remote_addr_v6, 5211 &sel->ips_local_addr_v6, ports, 0, ALL_ZONES); 5212 } 5213 if (connp == NULL) 5214 return; 5215 ipsec_conn_pol(sel, connp, ppp, app); 5216 } 5217 5218 static void 5219 ipsec_oth_pol(ipsec_selector_t *sel, 5220 ipsec_policy_t **ppp, ipsec_action_t **app) 5221 { 5222 boolean_t isv4 = sel->ips_isv4; 5223 connf_t *connfp; 5224 conn_t *connp; 5225 5226 if (isv4) { 5227 connfp = &ipcl_proto_fanout[sel->ips_protocol]; 5228 } else { 5229 connfp = &ipcl_proto_fanout_v6[sel->ips_protocol]; 5230 } 5231 5232 mutex_enter(&connfp->connf_lock); 5233 for (connp = connfp->connf_head; connp != NULL; 5234 connp = connp->conn_next) { 5235 if (!((isv4 && !((connp->conn_src == 0 || 5236 connp->conn_src == sel->ips_local_addr_v4) && 5237 (connp->conn_rem == 0 || 5238 connp->conn_rem == sel->ips_remote_addr_v4))) || 5239 (!isv4 && !((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_srcv6) || 5240 IN6_ARE_ADDR_EQUAL(&connp->conn_srcv6, 5241 &sel->ips_local_addr_v6)) && 5242 (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_remv6) || 5243 IN6_ARE_ADDR_EQUAL(&connp->conn_remv6, 5244 &sel->ips_remote_addr_v6)))))) { 5245 break; 5246 } 5247 } 5248 if (connp == NULL) { 5249 mutex_exit(&connfp->connf_lock); 5250 return; 5251 } 5252 5253 CONN_INC_REF(connp); 5254 mutex_exit(&connfp->connf_lock); 5255 5256 ipsec_conn_pol(sel, connp, ppp, app); 5257 } 5258 5259 /* 5260 * Construct an inverse ACQUIRE reply based on: 5261 * 5262 * 1.) Current global policy. 5263 * 2.) An conn_t match depending on what all was passed in the extv[]. 5264 * ... 5265 * N.) Other stuff TBD (e.g. identities) 5266 * 5267 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic 5268 * in this function so the caller can extract them where appropriately. 5269 * 5270 * The SRC address is the local one - just like an outbound ACQUIRE message. 5271 */ 5272 mblk_t * 5273 ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[]) 5274 { 5275 int err; 5276 int diagnostic; 5277 sadb_address_t *srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC], 5278 *dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST]; 5279 struct sockaddr_in *src, *dst; 5280 struct sockaddr_in6 *src6, *dst6; 5281 ipsec_policy_t *pp; 5282 ipsec_action_t *ap; 5283 ipsec_selector_t sel; 5284 mblk_t *retmp; 5285 5286 bzero(&sel, sizeof (sel)); 5287 sel.ips_protocol = srcext->sadb_address_proto; 5288 dst = (struct sockaddr_in *)(dstext + 1); 5289 if (dst->sin_family == AF_INET6) { 5290 dst6 = (struct sockaddr_in6 *)dst; 5291 src6 = (struct sockaddr_in6 *)(srcext + 1); 5292 if (src6->sin6_family != AF_INET6) { 5293 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 5294 err = EINVAL; 5295 goto bail; 5296 } 5297 sel.ips_remote_addr_v6 = dst6->sin6_addr; 5298 sel.ips_local_addr_v6 = src6->sin6_addr; 5299 if (sel.ips_protocol == IPPROTO_ICMPV6) { 5300 sel.ips_is_icmp_inv_acq = 1; 5301 } else { 5302 sel.ips_remote_port = dst6->sin6_port; 5303 sel.ips_local_port = src6->sin6_port; 5304 } 5305 sel.ips_isv4 = B_FALSE; 5306 } else { 5307 src = (struct sockaddr_in *)(srcext + 1); 5308 if (src->sin_family != AF_INET) { 5309 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 5310 err = EINVAL; 5311 goto bail; 5312 } 5313 sel.ips_remote_addr_v4 = dst->sin_addr.s_addr; 5314 sel.ips_local_addr_v4 = src->sin_addr.s_addr; 5315 if (sel.ips_protocol == IPPROTO_ICMP) { 5316 sel.ips_is_icmp_inv_acq = 1; 5317 } else { 5318 sel.ips_remote_port = dst->sin_port; 5319 sel.ips_local_port = src->sin_port; 5320 } 5321 sel.ips_isv4 = B_TRUE; 5322 } 5323 5324 /* 5325 * Okay, we have the addresses and other selector information. 5326 * Let's first find a conn... 5327 */ 5328 pp = NULL; ap = NULL; 5329 switch (sel.ips_protocol) { 5330 case IPPROTO_TCP: 5331 ipsec_tcp_pol(&sel, &pp, &ap); 5332 break; 5333 case IPPROTO_UDP: 5334 ipsec_udp_pol(&sel, &pp, &ap); 5335 break; 5336 case IPPROTO_SCTP: 5337 ipsec_sctp_pol(&sel, &pp, &ap); 5338 break; 5339 default: 5340 ipsec_oth_pol(&sel, &pp, &ap); 5341 break; 5342 } 5343 5344 /* 5345 * If we didn't find a matching conn_t, take a look in the global 5346 * policy. 5347 */ 5348 if ((pp == NULL) && (ap == NULL)) { 5349 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, NULL, &sel); 5350 if (pp == NULL) { 5351 /* There's no global policy. */ 5352 err = ENOENT; 5353 diagnostic = 0; 5354 goto bail; 5355 } 5356 } 5357 5358 /* 5359 * Now that we have a policy entry/widget, construct an ACQUIRE 5360 * message based on that, fix fields where appropriate, 5361 * and return the message. 5362 */ 5363 retmp = sadb_extended_acquire(&sel, pp, ap, samsg->sadb_msg_seq, 5364 samsg->sadb_msg_pid); 5365 if (pp != NULL) { 5366 IPPOL_REFRELE(pp); 5367 } 5368 if (ap != NULL) { 5369 IPACT_REFRELE(ap); 5370 } 5371 if (retmp != NULL) { 5372 return (retmp); 5373 } else { 5374 err = ENOMEM; 5375 diagnostic = 0; 5376 bail: 5377 samsg->sadb_msg_errno = (uint8_t)err; 5378 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 5379 return (NULL); 5380 } 5381 } 5382 5383 /* 5384 * ipsa_lpkt is a one-element queue, only manipulated by casptr within 5385 * the next two functions. 5386 * 5387 * These functions loop calling casptr() until the swap "happens", 5388 * turning a compare-and-swap op into an atomic swap operation. 5389 */ 5390 5391 /* 5392 * sadb_set_lpkt: Atomically swap in a value to ipsa->ipsa_lpkt and 5393 * freemsg the previous value. free clue: freemsg(NULL) is safe. 5394 */ 5395 5396 void 5397 sadb_set_lpkt(ipsa_t *ipsa, mblk_t *npkt) 5398 { 5399 mblk_t *opkt; 5400 5401 membar_producer(); 5402 do 5403 opkt = ipsa->ipsa_lpkt; 5404 while (casptr(&ipsa->ipsa_lpkt, opkt, npkt) != opkt); 5405 5406 ip_drop_packet(opkt, B_TRUE, NULL, NULL, &ipdrops_sadb_inlarval_replace, 5407 &sadb_dropper); 5408 } 5409 5410 /* 5411 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the 5412 * previous value. 5413 */ 5414 5415 mblk_t * 5416 sadb_clear_lpkt(ipsa_t *ipsa) 5417 { 5418 mblk_t *opkt; 5419 5420 do 5421 opkt = ipsa->ipsa_lpkt; 5422 while (casptr(&ipsa->ipsa_lpkt, opkt, NULL) != opkt); 5423 5424 return (opkt); 5425 } 5426 5427 /* 5428 * Walker callback used by sadb_alg_update() to free/create crypto 5429 * context template when a crypto software provider is removed or 5430 * added. 5431 */ 5432 5433 struct sadb_update_alg_state { 5434 ipsec_algtype_t alg_type; 5435 uint8_t alg_id; 5436 boolean_t is_added; 5437 }; 5438 5439 static void 5440 sadb_alg_update_cb(isaf_t *head, ipsa_t *entry, void *cookie) 5441 { 5442 struct sadb_update_alg_state *update_state = 5443 (struct sadb_update_alg_state *)cookie; 5444 crypto_ctx_template_t *ctx_tmpl = NULL; 5445 5446 ASSERT(MUTEX_HELD(&head->isaf_lock)); 5447 5448 if (entry->ipsa_state == IPSA_STATE_LARVAL) 5449 return; 5450 5451 mutex_enter(&entry->ipsa_lock); 5452 5453 switch (update_state->alg_type) { 5454 case IPSEC_ALG_AUTH: 5455 if (entry->ipsa_auth_alg == update_state->alg_id) 5456 ctx_tmpl = &entry->ipsa_authtmpl; 5457 break; 5458 case IPSEC_ALG_ENCR: 5459 if (entry->ipsa_encr_alg == update_state->alg_id) 5460 ctx_tmpl = &entry->ipsa_encrtmpl; 5461 break; 5462 default: 5463 ctx_tmpl = NULL; 5464 } 5465 5466 if (ctx_tmpl == NULL) { 5467 mutex_exit(&entry->ipsa_lock); 5468 return; 5469 } 5470 5471 /* 5472 * The context template of the SA may be affected by the change 5473 * of crypto provider. 5474 */ 5475 if (update_state->is_added) { 5476 /* create the context template if not already done */ 5477 if (*ctx_tmpl == NULL) { 5478 (void) ipsec_create_ctx_tmpl(entry, 5479 update_state->alg_type); 5480 } 5481 } else { 5482 /* 5483 * The crypto provider was removed. If the context template 5484 * exists but it is no longer valid, free it. 5485 */ 5486 if (*ctx_tmpl != NULL) 5487 ipsec_destroy_ctx_tmpl(entry, update_state->alg_type); 5488 } 5489 5490 mutex_exit(&entry->ipsa_lock); 5491 } 5492 5493 /* 5494 * Invoked by IP when an software crypto provider has been updated. 5495 * The type and id of the corresponding algorithm is passed as argument. 5496 * is_added is B_TRUE if the provider was added, B_FALSE if it was 5497 * removed. The function updates the SADB and free/creates the 5498 * context templates associated with SAs if needed. 5499 */ 5500 5501 #define SADB_ALG_UPDATE_WALK(sadb, table) \ 5502 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \ 5503 &update_state) 5504 5505 void 5506 sadb_alg_update(ipsec_algtype_t alg_type, uint8_t alg_id, boolean_t is_added) 5507 { 5508 struct sadb_update_alg_state update_state; 5509 5510 update_state.alg_type = alg_type; 5511 update_state.alg_id = alg_id; 5512 update_state.is_added = is_added; 5513 5514 if (alg_type == IPSEC_ALG_AUTH) { 5515 /* walk the AH tables only for auth. algorithm changes */ 5516 SADB_ALG_UPDATE_WALK(ah_sadb.s_v4, sdb_of); 5517 SADB_ALG_UPDATE_WALK(ah_sadb.s_v4, sdb_if); 5518 SADB_ALG_UPDATE_WALK(ah_sadb.s_v6, sdb_of); 5519 SADB_ALG_UPDATE_WALK(ah_sadb.s_v6, sdb_if); 5520 } 5521 5522 /* walk the ESP tables */ 5523 SADB_ALG_UPDATE_WALK(esp_sadb.s_v4, sdb_of); 5524 SADB_ALG_UPDATE_WALK(esp_sadb.s_v4, sdb_if); 5525 SADB_ALG_UPDATE_WALK(esp_sadb.s_v6, sdb_of); 5526 SADB_ALG_UPDATE_WALK(esp_sadb.s_v6, sdb_if); 5527 } 5528 5529 /* 5530 * Creates a context template for the specified SA. This function 5531 * is called when an SA is created and when a context template needs 5532 * to be created due to a change of software provider. 5533 */ 5534 int 5535 ipsec_create_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 5536 { 5537 ipsec_alginfo_t *alg; 5538 crypto_mechanism_t mech; 5539 crypto_key_t *key; 5540 crypto_ctx_template_t *sa_tmpl; 5541 int rv; 5542 5543 ASSERT(MUTEX_HELD(&alg_lock)); 5544 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 5545 5546 /* get pointers to the algorithm info, context template, and key */ 5547 switch (alg_type) { 5548 case IPSEC_ALG_AUTH: 5549 key = &sa->ipsa_kcfauthkey; 5550 sa_tmpl = &sa->ipsa_authtmpl; 5551 alg = ipsec_alglists[alg_type][sa->ipsa_auth_alg]; 5552 break; 5553 case IPSEC_ALG_ENCR: 5554 key = &sa->ipsa_kcfencrkey; 5555 sa_tmpl = &sa->ipsa_encrtmpl; 5556 alg = ipsec_alglists[alg_type][sa->ipsa_encr_alg]; 5557 break; 5558 default: 5559 alg = NULL; 5560 } 5561 5562 if (alg == NULL || !ALG_VALID(alg)) 5563 return (EINVAL); 5564 5565 /* initialize the mech info structure for the framework */ 5566 ASSERT(alg->alg_mech_type != CRYPTO_MECHANISM_INVALID); 5567 mech.cm_type = alg->alg_mech_type; 5568 mech.cm_param = NULL; 5569 mech.cm_param_len = 0; 5570 5571 /* create a new context template */ 5572 rv = crypto_create_ctx_template(&mech, key, sa_tmpl, KM_NOSLEEP); 5573 5574 /* 5575 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware 5576 * providers are available for that mechanism. In that case 5577 * we don't fail, and will generate the context template from 5578 * the framework callback when a software provider for that 5579 * mechanism registers. 5580 * 5581 * The context template is assigned the special value 5582 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a 5583 * lack of memory. No attempt will be made to use 5584 * the context template if it is set to this value. 5585 */ 5586 if (rv == CRYPTO_HOST_MEMORY) { 5587 *sa_tmpl = IPSEC_CTX_TMPL_ALLOC; 5588 } else if (rv != CRYPTO_SUCCESS) { 5589 *sa_tmpl = NULL; 5590 if (rv != CRYPTO_MECH_NOT_SUPPORTED) 5591 return (EINVAL); 5592 } 5593 5594 return (0); 5595 } 5596 5597 /* 5598 * Destroy the context template of the specified algorithm type 5599 * of the specified SA. Must be called while holding the SA lock. 5600 */ 5601 void 5602 ipsec_destroy_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 5603 { 5604 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 5605 5606 if (alg_type == IPSEC_ALG_AUTH) { 5607 if (sa->ipsa_authtmpl == IPSEC_CTX_TMPL_ALLOC) 5608 sa->ipsa_authtmpl = NULL; 5609 else if (sa->ipsa_authtmpl != NULL) { 5610 crypto_destroy_ctx_template(sa->ipsa_authtmpl); 5611 sa->ipsa_authtmpl = NULL; 5612 } 5613 } else { 5614 ASSERT(alg_type == IPSEC_ALG_ENCR); 5615 if (sa->ipsa_encrtmpl == IPSEC_CTX_TMPL_ALLOC) 5616 sa->ipsa_encrtmpl = NULL; 5617 else if (sa->ipsa_encrtmpl != NULL) { 5618 crypto_destroy_ctx_template(sa->ipsa_encrtmpl); 5619 sa->ipsa_encrtmpl = NULL; 5620 } 5621 } 5622 } 5623 5624 /* 5625 * Use the kernel crypto framework to check the validity of a key received 5626 * via keysock. Returns 0 if the key is OK, -1 otherwise. 5627 */ 5628 int 5629 ipsec_check_key(crypto_mech_type_t mech_type, sadb_key_t *sadb_key, 5630 boolean_t is_auth, int *diag) 5631 { 5632 crypto_mechanism_t mech; 5633 crypto_key_t crypto_key; 5634 int crypto_rc; 5635 5636 mech.cm_type = mech_type; 5637 mech.cm_param = NULL; 5638 mech.cm_param_len = 0; 5639 5640 crypto_key.ck_format = CRYPTO_KEY_RAW; 5641 crypto_key.ck_data = sadb_key + 1; 5642 crypto_key.ck_length = sadb_key->sadb_key_bits; 5643 5644 crypto_rc = crypto_key_check(&mech, &crypto_key); 5645 5646 switch (crypto_rc) { 5647 case CRYPTO_SUCCESS: 5648 return (0); 5649 case CRYPTO_MECHANISM_INVALID: 5650 case CRYPTO_MECH_NOT_SUPPORTED: 5651 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AALG : 5652 SADB_X_DIAGNOSTIC_BAD_EALG; 5653 break; 5654 case CRYPTO_KEY_SIZE_RANGE: 5655 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AKEYBITS : 5656 SADB_X_DIAGNOSTIC_BAD_EKEYBITS; 5657 break; 5658 case CRYPTO_WEAK_KEY: 5659 *diag = is_auth ? SADB_X_DIAGNOSTIC_WEAK_AKEY : 5660 SADB_X_DIAGNOSTIC_WEAK_EKEY; 5661 break; 5662 } 5663 5664 return (-1); 5665 } 5666 5667 /* ARGSUSED */ 5668 static void 5669 sadb_clear_timeouts_walker(isaf_t *head, ipsa_t *ipsa, void *q) 5670 { 5671 if (!(ipsa->ipsa_flags & IPSA_F_NATT)) 5672 return; 5673 5674 mutex_enter(&ipsa->ipsa_lock); 5675 if (ipsa->ipsa_natt_q != q) { 5676 mutex_exit(&ipsa->ipsa_lock); 5677 return; 5678 } 5679 5680 (void) quntimeout(ipsa->ipsa_natt_q, ipsa->ipsa_natt_ka_timer); 5681 5682 ipsa->ipsa_natt_ka_timer = 0; 5683 ipsa->ipsa_natt_q = NULL; 5684 mutex_exit(&ipsa->ipsa_lock); 5685 } 5686 5687 void 5688 sadb_clear_timeouts(queue_t *q) 5689 { 5690 sadb_t *sp = &esp_sadb.s_v4; 5691 5692 sadb_walker(sp->sdb_if, sp->sdb_hashsize, 5693 sadb_clear_timeouts_walker, q); 5694 } 5695