1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/stream.h> 28 #include <sys/stropts.h> 29 #include <sys/errno.h> 30 #include <sys/ddi.h> 31 #include <sys/debug.h> 32 #include <sys/cmn_err.h> 33 #include <sys/stream.h> 34 #include <sys/strlog.h> 35 #include <sys/kmem.h> 36 #include <sys/sunddi.h> 37 #include <sys/tihdr.h> 38 #include <sys/atomic.h> 39 #include <sys/socket.h> 40 #include <sys/sysmacros.h> 41 #include <sys/crypto/common.h> 42 #include <sys/crypto/api.h> 43 #include <sys/zone.h> 44 #include <netinet/in.h> 45 #include <net/if.h> 46 #include <net/pfkeyv2.h> 47 #include <inet/common.h> 48 #include <netinet/ip6.h> 49 #include <inet/ip.h> 50 #include <inet/ip_ire.h> 51 #include <inet/ip6.h> 52 #include <inet/ipsec_info.h> 53 #include <inet/tcp.h> 54 #include <inet/sadb.h> 55 #include <inet/ipsec_impl.h> 56 #include <inet/ipsecah.h> 57 #include <inet/ipsecesp.h> 58 #include <sys/random.h> 59 #include <sys/dlpi.h> 60 #include <sys/iphada.h> 61 #include <inet/ip_if.h> 62 #include <inet/ipdrop.h> 63 #include <inet/ipclassifier.h> 64 #include <inet/sctp_ip.h> 65 #include <inet/tun.h> 66 67 /* 68 * This source file contains Security Association Database (SADB) common 69 * routines. They are linked in with the AH module. Since AH has no chance 70 * of falling under export control, it was safe to link it in there. 71 */ 72 73 static mblk_t *sadb_extended_acquire(ipsec_selector_t *, ipsec_policy_t *, 74 ipsec_action_t *, boolean_t, uint32_t, uint32_t, netstack_t *); 75 static void sadb_ill_df(ill_t *, mblk_t *, isaf_t *, int, boolean_t); 76 static ipsa_t *sadb_torch_assoc(isaf_t *, ipsa_t *, boolean_t, mblk_t **); 77 static void sadb_drain_torchq(queue_t *, mblk_t *); 78 static void sadb_destroy_acqlist(iacqf_t **, uint_t, boolean_t, 79 netstack_t *); 80 static void sadb_destroy(sadb_t *, netstack_t *); 81 static mblk_t *sadb_sa2msg(ipsa_t *, sadb_msg_t *); 82 83 static time_t sadb_add_time(time_t, uint64_t); 84 static void lifetime_fuzz(ipsa_t *); 85 static void age_pair_peer_list(templist_t *, sadb_t *, boolean_t); 86 static void ipsa_set_replay(ipsa_t *ipsa, uint32_t offset); 87 88 extern void (*cl_inet_getspi)(uint8_t protocol, uint8_t *ptr, size_t len); 89 extern int (*cl_inet_checkspi)(uint8_t protocol, uint32_t spi); 90 extern void (*cl_inet_deletespi)(uint8_t protocol, uint32_t spi); 91 92 /* 93 * ipsacq_maxpackets is defined here to make it tunable 94 * from /etc/system. 95 */ 96 extern uint64_t ipsacq_maxpackets; 97 98 #define SET_EXPIRE(sa, delta, exp) { \ 99 if (((sa)->ipsa_ ## delta) != 0) { \ 100 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \ 101 (sa)->ipsa_ ## delta); \ 102 } \ 103 } 104 105 #define UPDATE_EXPIRE(sa, delta, exp) { \ 106 if (((sa)->ipsa_ ## delta) != 0) { \ 107 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \ 108 (sa)->ipsa_ ## delta); \ 109 if (((sa)->ipsa_ ## exp) == 0) \ 110 (sa)->ipsa_ ## exp = tmp; \ 111 else \ 112 (sa)->ipsa_ ## exp = \ 113 MIN((sa)->ipsa_ ## exp, tmp); \ 114 } \ 115 } 116 117 118 /* wrap the macro so we can pass it as a function pointer */ 119 void 120 sadb_sa_refrele(void *target) 121 { 122 IPSA_REFRELE(((ipsa_t *)target)); 123 } 124 125 /* 126 * We presume that sizeof (long) == sizeof (time_t) and that time_t is 127 * a signed type. 128 */ 129 #define TIME_MAX LONG_MAX 130 131 /* 132 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that 133 * time_t is defined to be a signed type with the same range as 134 * "long". On ILP32 systems, we thus run the risk of wrapping around 135 * at end of time, as well as "overwrapping" the clock back around 136 * into a seemingly valid but incorrect future date earlier than the 137 * desired expiration. 138 * 139 * In order to avoid odd behavior (either negative lifetimes or loss 140 * of high order bits) when someone asks for bizarrely long SA 141 * lifetimes, we do a saturating add for expire times. 142 * 143 * We presume that ILP32 systems will be past end of support life when 144 * the 32-bit time_t overflows (a dangerous assumption, mind you..). 145 * 146 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we 147 * will hopefully have figured out clever ways to avoid the use of 148 * fixed-sized integers in computation. 149 */ 150 static time_t 151 sadb_add_time(time_t base, uint64_t delta) 152 { 153 time_t sum; 154 155 /* 156 * Clip delta to the maximum possible time_t value to 157 * prevent "overwrapping" back into a shorter-than-desired 158 * future time. 159 */ 160 if (delta > TIME_MAX) 161 delta = TIME_MAX; 162 /* 163 * This sum may still overflow. 164 */ 165 sum = base + delta; 166 167 /* 168 * .. so if the result is less than the base, we overflowed. 169 */ 170 if (sum < base) 171 sum = TIME_MAX; 172 173 return (sum); 174 } 175 176 /* 177 * Callers of this function have already created a working security 178 * association, and have found the appropriate table & hash chain. All this 179 * function does is check duplicates, and insert the SA. The caller needs to 180 * hold the hash bucket lock and increment the refcnt before insertion. 181 * 182 * Return 0 if success, EEXIST if collision. 183 */ 184 #define SA_UNIQUE_MATCH(sa1, sa2) \ 185 (((sa1)->ipsa_unique_id & (sa1)->ipsa_unique_mask) == \ 186 ((sa2)->ipsa_unique_id & (sa2)->ipsa_unique_mask)) 187 188 int 189 sadb_insertassoc(ipsa_t *ipsa, isaf_t *bucket) 190 { 191 ipsa_t **ptpn = NULL; 192 ipsa_t *walker; 193 boolean_t unspecsrc; 194 195 ASSERT(MUTEX_HELD(&bucket->isaf_lock)); 196 197 unspecsrc = IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_srcaddr, ipsa->ipsa_addrfam); 198 199 walker = bucket->isaf_ipsa; 200 ASSERT(walker == NULL || ipsa->ipsa_addrfam == walker->ipsa_addrfam); 201 202 /* 203 * Find insertion point (pointed to with **ptpn). Insert at the head 204 * of the list unless there's an unspecified source address, then 205 * insert it after the last SA with a specified source address. 206 * 207 * BTW, you'll have to walk the whole chain, matching on {DST, SPI} 208 * checking for collisions. 209 */ 210 211 while (walker != NULL) { 212 if (IPSA_ARE_ADDR_EQUAL(walker->ipsa_dstaddr, 213 ipsa->ipsa_dstaddr, ipsa->ipsa_addrfam)) { 214 if (walker->ipsa_spi == ipsa->ipsa_spi) 215 return (EEXIST); 216 217 mutex_enter(&walker->ipsa_lock); 218 if (ipsa->ipsa_state == IPSA_STATE_MATURE && 219 (walker->ipsa_flags & IPSA_F_USED) && 220 SA_UNIQUE_MATCH(walker, ipsa)) { 221 walker->ipsa_flags |= IPSA_F_CINVALID; 222 } 223 mutex_exit(&walker->ipsa_lock); 224 } 225 226 if (ptpn == NULL && unspecsrc) { 227 if (IPSA_IS_ADDR_UNSPEC(walker->ipsa_srcaddr, 228 walker->ipsa_addrfam)) 229 ptpn = walker->ipsa_ptpn; 230 else if (walker->ipsa_next == NULL) 231 ptpn = &walker->ipsa_next; 232 } 233 234 walker = walker->ipsa_next; 235 } 236 237 if (ptpn == NULL) 238 ptpn = &bucket->isaf_ipsa; 239 ipsa->ipsa_next = *ptpn; 240 ipsa->ipsa_ptpn = ptpn; 241 if (ipsa->ipsa_next != NULL) 242 ipsa->ipsa_next->ipsa_ptpn = &ipsa->ipsa_next; 243 *ptpn = ipsa; 244 ipsa->ipsa_linklock = &bucket->isaf_lock; 245 246 return (0); 247 } 248 #undef SA_UNIQUE_MATCH 249 250 /* 251 * Free a security association. Its reference count is 0, which means 252 * I must free it. The SA must be unlocked and must not be linked into 253 * any fanout list. 254 */ 255 static void 256 sadb_freeassoc(ipsa_t *ipsa) 257 { 258 ipsec_stack_t *ipss = ipsa->ipsa_netstack->netstack_ipsec; 259 260 ASSERT(ipss != NULL); 261 ASSERT(MUTEX_NOT_HELD(&ipsa->ipsa_lock)); 262 ASSERT(ipsa->ipsa_refcnt == 0); 263 ASSERT(ipsa->ipsa_next == NULL); 264 ASSERT(ipsa->ipsa_ptpn == NULL); 265 266 ip_drop_packet(sadb_clear_lpkt(ipsa), B_TRUE, NULL, NULL, 267 DROPPER(ipss, ipds_sadb_inlarval_timeout), 268 &ipss->ipsec_sadb_dropper); 269 270 mutex_enter(&ipsa->ipsa_lock); 271 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_AUTH); 272 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_ENCR); 273 mutex_exit(&ipsa->ipsa_lock); 274 275 /* bzero() these fields for paranoia's sake. */ 276 if (ipsa->ipsa_authkey != NULL) { 277 bzero(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 278 kmem_free(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 279 } 280 if (ipsa->ipsa_encrkey != NULL) { 281 bzero(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 282 kmem_free(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 283 } 284 if (ipsa->ipsa_src_cid != NULL) { 285 IPSID_REFRELE(ipsa->ipsa_src_cid); 286 } 287 if (ipsa->ipsa_dst_cid != NULL) { 288 IPSID_REFRELE(ipsa->ipsa_dst_cid); 289 } 290 if (ipsa->ipsa_integ != NULL) 291 kmem_free(ipsa->ipsa_integ, ipsa->ipsa_integlen); 292 if (ipsa->ipsa_sens != NULL) 293 kmem_free(ipsa->ipsa_sens, ipsa->ipsa_senslen); 294 295 mutex_destroy(&ipsa->ipsa_lock); 296 kmem_free(ipsa, sizeof (*ipsa)); 297 } 298 299 /* 300 * Unlink a security association from a hash bucket. Assume the hash bucket 301 * lock is held, but the association's lock is not. 302 * 303 * Note that we do not bump the bucket's generation number here because 304 * we might not be making a visible change to the set of visible SA's. 305 * All callers MUST bump the bucket's generation number before they unlock 306 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which 307 * was present in the bucket at the time it was locked. 308 */ 309 void 310 sadb_unlinkassoc(ipsa_t *ipsa) 311 { 312 ASSERT(ipsa->ipsa_linklock != NULL); 313 ASSERT(MUTEX_HELD(ipsa->ipsa_linklock)); 314 315 /* These fields are protected by the link lock. */ 316 *(ipsa->ipsa_ptpn) = ipsa->ipsa_next; 317 if (ipsa->ipsa_next != NULL) { 318 ipsa->ipsa_next->ipsa_ptpn = ipsa->ipsa_ptpn; 319 ipsa->ipsa_next = NULL; 320 } 321 322 ipsa->ipsa_ptpn = NULL; 323 324 /* This may destroy the SA. */ 325 IPSA_REFRELE(ipsa); 326 } 327 328 void 329 sadb_delete_cluster(ipsa_t *assoc) 330 { 331 uint8_t protocol; 332 333 if (cl_inet_deletespi && 334 ((assoc->ipsa_state == IPSA_STATE_LARVAL) || 335 (assoc->ipsa_state == IPSA_STATE_MATURE))) { 336 protocol = (assoc->ipsa_type == SADB_SATYPE_AH) ? 337 IPPROTO_AH : IPPROTO_ESP; 338 cl_inet_deletespi(protocol, assoc->ipsa_spi); 339 } 340 } 341 342 /* 343 * Create a larval security association with the specified SPI. All other 344 * fields are zeroed. 345 */ 346 static ipsa_t * 347 sadb_makelarvalassoc(uint32_t spi, uint32_t *src, uint32_t *dst, int addrfam, 348 netstack_t *ns) 349 { 350 ipsa_t *newbie; 351 352 /* 353 * Allocate... 354 */ 355 356 newbie = (ipsa_t *)kmem_zalloc(sizeof (ipsa_t), KM_NOSLEEP); 357 if (newbie == NULL) { 358 /* Can't make new larval SA. */ 359 return (NULL); 360 } 361 362 /* Assigned requested SPI, assume caller does SPI allocation magic. */ 363 newbie->ipsa_spi = spi; 364 newbie->ipsa_netstack = ns; /* No netstack_hold */ 365 366 /* 367 * Copy addresses... 368 */ 369 370 IPSA_COPY_ADDR(newbie->ipsa_srcaddr, src, addrfam); 371 IPSA_COPY_ADDR(newbie->ipsa_dstaddr, dst, addrfam); 372 373 newbie->ipsa_addrfam = addrfam; 374 375 /* 376 * Set common initialization values, including refcnt. 377 */ 378 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 379 newbie->ipsa_state = IPSA_STATE_LARVAL; 380 newbie->ipsa_refcnt = 1; 381 newbie->ipsa_freefunc = sadb_freeassoc; 382 383 /* 384 * There aren't a lot of other common initialization values, as 385 * they are copied in from the PF_KEY message. 386 */ 387 388 return (newbie); 389 } 390 391 /* 392 * Call me to initialize a security association fanout. 393 */ 394 static int 395 sadb_init_fanout(isaf_t **tablep, uint_t size, int kmflag) 396 { 397 isaf_t *table; 398 int i; 399 400 table = (isaf_t *)kmem_alloc(size * sizeof (*table), kmflag); 401 *tablep = table; 402 403 if (table == NULL) 404 return (ENOMEM); 405 406 for (i = 0; i < size; i++) { 407 mutex_init(&(table[i].isaf_lock), NULL, MUTEX_DEFAULT, NULL); 408 table[i].isaf_ipsa = NULL; 409 table[i].isaf_gen = 0; 410 } 411 412 return (0); 413 } 414 415 /* 416 * Call me to initialize an acquire fanout 417 */ 418 static int 419 sadb_init_acfanout(iacqf_t **tablep, uint_t size, int kmflag) 420 { 421 iacqf_t *table; 422 int i; 423 424 table = (iacqf_t *)kmem_alloc(size * sizeof (*table), kmflag); 425 *tablep = table; 426 427 if (table == NULL) 428 return (ENOMEM); 429 430 for (i = 0; i < size; i++) { 431 mutex_init(&(table[i].iacqf_lock), NULL, MUTEX_DEFAULT, NULL); 432 table[i].iacqf_ipsacq = NULL; 433 } 434 435 return (0); 436 } 437 438 /* 439 * Attempt to initialize an SADB instance. On failure, return ENOMEM; 440 * caller must clean up partial allocations. 441 */ 442 static int 443 sadb_init_trial(sadb_t *sp, uint_t size, int kmflag) 444 { 445 ASSERT(sp->sdb_of == NULL); 446 ASSERT(sp->sdb_if == NULL); 447 ASSERT(sp->sdb_acq == NULL); 448 449 sp->sdb_hashsize = size; 450 if (sadb_init_fanout(&sp->sdb_of, size, kmflag) != 0) 451 return (ENOMEM); 452 if (sadb_init_fanout(&sp->sdb_if, size, kmflag) != 0) 453 return (ENOMEM); 454 if (sadb_init_acfanout(&sp->sdb_acq, size, kmflag) != 0) 455 return (ENOMEM); 456 457 return (0); 458 } 459 460 /* 461 * Call me to initialize an SADB instance; fall back to default size on failure. 462 */ 463 static void 464 sadb_init(const char *name, sadb_t *sp, uint_t size, uint_t ver, 465 netstack_t *ns) 466 { 467 ASSERT(sp->sdb_of == NULL); 468 ASSERT(sp->sdb_if == NULL); 469 ASSERT(sp->sdb_acq == NULL); 470 471 if (size < IPSEC_DEFAULT_HASH_SIZE) 472 size = IPSEC_DEFAULT_HASH_SIZE; 473 474 if (sadb_init_trial(sp, size, KM_NOSLEEP) != 0) { 475 476 cmn_err(CE_WARN, 477 "Unable to allocate %u entry IPv%u %s SADB hash table", 478 size, ver, name); 479 480 sadb_destroy(sp, ns); 481 size = IPSEC_DEFAULT_HASH_SIZE; 482 cmn_err(CE_WARN, "Falling back to %d entries", size); 483 (void) sadb_init_trial(sp, size, KM_SLEEP); 484 } 485 } 486 487 488 /* 489 * Initialize an SADB-pair. 490 */ 491 void 492 sadbp_init(const char *name, sadbp_t *sp, int type, int size, netstack_t *ns) 493 { 494 sadb_init(name, &sp->s_v4, size, 4, ns); 495 sadb_init(name, &sp->s_v6, size, 6, ns); 496 497 sp->s_satype = type; 498 499 ASSERT((type == SADB_SATYPE_AH) || (type == SADB_SATYPE_ESP)); 500 if (type == SADB_SATYPE_AH) { 501 ipsec_stack_t *ipss = ns->netstack_ipsec; 502 503 ip_drop_register(&ipss->ipsec_sadb_dropper, "IPsec SADB"); 504 sp->s_addflags = AH_ADD_SETTABLE_FLAGS; 505 sp->s_updateflags = AH_UPDATE_SETTABLE_FLAGS; 506 } else { 507 sp->s_addflags = ESP_ADD_SETTABLE_FLAGS; 508 sp->s_updateflags = ESP_UPDATE_SETTABLE_FLAGS; 509 } 510 } 511 512 /* 513 * Deliver a single SADB_DUMP message representing a single SA. This is 514 * called many times by sadb_dump(). 515 * 516 * If the return value of this is ENOBUFS (not the same as ENOMEM), then 517 * the caller should take that as a hint that dupb() on the "original answer" 518 * failed, and that perhaps the caller should try again with a copyb()ed 519 * "original answer". 520 */ 521 static int 522 sadb_dump_deliver(queue_t *pfkey_q, mblk_t *original_answer, ipsa_t *ipsa, 523 sadb_msg_t *samsg) 524 { 525 mblk_t *answer; 526 527 answer = dupb(original_answer); 528 if (answer == NULL) 529 return (ENOBUFS); 530 answer->b_cont = sadb_sa2msg(ipsa, samsg); 531 if (answer->b_cont == NULL) { 532 freeb(answer); 533 return (ENOMEM); 534 } 535 536 /* Just do a putnext, and let keysock deal with flow control. */ 537 putnext(pfkey_q, answer); 538 return (0); 539 } 540 541 /* 542 * Common function to allocate and prepare a keysock_out_t M_CTL message. 543 */ 544 mblk_t * 545 sadb_keysock_out(minor_t serial) 546 { 547 mblk_t *mp; 548 keysock_out_t *kso; 549 550 mp = allocb(sizeof (ipsec_info_t), BPRI_HI); 551 if (mp != NULL) { 552 mp->b_datap->db_type = M_CTL; 553 mp->b_wptr += sizeof (ipsec_info_t); 554 kso = (keysock_out_t *)mp->b_rptr; 555 kso->ks_out_type = KEYSOCK_OUT; 556 kso->ks_out_len = sizeof (*kso); 557 kso->ks_out_serial = serial; 558 } 559 560 return (mp); 561 } 562 563 /* 564 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts 565 * to keysock. 566 */ 567 static int 568 sadb_dump_fanout(queue_t *pfkey_q, mblk_t *mp, minor_t serial, isaf_t *fanout, 569 int num_entries, boolean_t do_peers, time_t active_time) 570 { 571 int i, error = 0; 572 mblk_t *original_answer; 573 ipsa_t *walker; 574 sadb_msg_t *samsg; 575 time_t current; 576 577 /* 578 * For each IPSA hash bucket do: 579 * - Hold the mutex 580 * - Walk each entry, doing an sadb_dump_deliver() on it. 581 */ 582 ASSERT(mp->b_cont != NULL); 583 samsg = (sadb_msg_t *)mp->b_cont->b_rptr; 584 585 original_answer = sadb_keysock_out(serial); 586 if (original_answer == NULL) 587 return (ENOMEM); 588 589 current = gethrestime_sec(); 590 for (i = 0; i < num_entries; i++) { 591 mutex_enter(&fanout[i].isaf_lock); 592 for (walker = fanout[i].isaf_ipsa; walker != NULL; 593 walker = walker->ipsa_next) { 594 if (!do_peers && walker->ipsa_haspeer) 595 continue; 596 if ((active_time != 0) && 597 ((current - walker->ipsa_lastuse) > active_time)) 598 continue; 599 error = sadb_dump_deliver(pfkey_q, original_answer, 600 walker, samsg); 601 if (error == ENOBUFS) { 602 mblk_t *new_original_answer; 603 604 /* Ran out of dupb's. Try a copyb. */ 605 new_original_answer = copyb(original_answer); 606 if (new_original_answer == NULL) { 607 error = ENOMEM; 608 } else { 609 freeb(original_answer); 610 original_answer = new_original_answer; 611 error = sadb_dump_deliver(pfkey_q, 612 original_answer, walker, samsg); 613 } 614 } 615 if (error != 0) 616 break; /* out of for loop. */ 617 } 618 mutex_exit(&fanout[i].isaf_lock); 619 if (error != 0) 620 break; /* out of for loop. */ 621 } 622 623 freeb(original_answer); 624 return (error); 625 } 626 627 /* 628 * Dump an entire SADB; outbound first, then inbound. 629 */ 630 631 int 632 sadb_dump(queue_t *pfkey_q, mblk_t *mp, keysock_in_t *ksi, sadb_t *sp) 633 { 634 int error; 635 time_t active_time = 0; 636 sadb_x_edump_t *edump = 637 (sadb_x_edump_t *)ksi->ks_in_extv[SADB_X_EXT_EDUMP]; 638 639 if (edump != NULL) { 640 active_time = edump->sadb_x_edump_timeout; 641 } 642 643 /* Dump outbound */ 644 error = sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_of, 645 sp->sdb_hashsize, B_TRUE, active_time); 646 if (error) 647 return (error); 648 649 /* Dump inbound */ 650 return sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_if, 651 sp->sdb_hashsize, B_FALSE, active_time); 652 } 653 654 /* 655 * Generic sadb table walker. 656 * 657 * Call "walkfn" for each SA in each bucket in "table"; pass the 658 * bucket, the entry and "cookie" to the callback function. 659 * Take care to ensure that walkfn can delete the SA without screwing 660 * up our traverse. 661 * 662 * The bucket is locked for the duration of the callback, both so that the 663 * callback can just call sadb_unlinkassoc() when it wants to delete something, 664 * and so that no new entries are added while we're walking the list. 665 */ 666 static void 667 sadb_walker(isaf_t *table, uint_t numentries, 668 void (*walkfn)(isaf_t *head, ipsa_t *entry, void *cookie), 669 void *cookie) 670 { 671 int i; 672 for (i = 0; i < numentries; i++) { 673 ipsa_t *entry, *next; 674 675 mutex_enter(&table[i].isaf_lock); 676 677 for (entry = table[i].isaf_ipsa; entry != NULL; 678 entry = next) { 679 next = entry->ipsa_next; 680 (*walkfn)(&table[i], entry, cookie); 681 } 682 mutex_exit(&table[i].isaf_lock); 683 } 684 } 685 686 /* 687 * From the given SA, construct a dl_ct_ipsec_key and 688 * a dl_ct_ipsec structures to be sent to the adapter as part 689 * of a DL_CONTROL_REQ. 690 * 691 * ct_sa must point to the storage allocated for the key 692 * structure and must be followed by storage allocated 693 * for the SA information that must be sent to the driver 694 * as part of the DL_CONTROL_REQ request. 695 * 696 * The is_inbound boolean indicates whether the specified 697 * SA is part of an inbound SA table. 698 * 699 * Returns B_TRUE if the corresponding SA must be passed to 700 * a provider, B_FALSE otherwise; frees *mp if it returns B_FALSE. 701 */ 702 static boolean_t 703 sadb_req_from_sa(ipsa_t *sa, mblk_t *mp, boolean_t is_inbound) 704 { 705 dl_ct_ipsec_key_t *keyp; 706 dl_ct_ipsec_t *sap; 707 void *ct_sa = mp->b_wptr; 708 709 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 710 711 keyp = (dl_ct_ipsec_key_t *)(ct_sa); 712 sap = (dl_ct_ipsec_t *)(keyp + 1); 713 714 IPSECHW_DEBUG(IPSECHW_CAPAB, ("sadb_req_from_sa: " 715 "is_inbound = %d\n", is_inbound)); 716 717 /* initialize flag */ 718 sap->sadb_sa_flags = 0; 719 if (is_inbound) { 720 sap->sadb_sa_flags |= DL_CT_IPSEC_INBOUND; 721 /* 722 * If an inbound SA has a peer, then mark it has being 723 * an outbound SA as well. 724 */ 725 if (sa->ipsa_haspeer) 726 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 727 } else { 728 /* 729 * If an outbound SA has a peer, then don't send it, 730 * since we will send the copy from the inbound table. 731 */ 732 if (sa->ipsa_haspeer) { 733 freemsg(mp); 734 return (B_FALSE); 735 } 736 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 737 } 738 739 keyp->dl_key_spi = sa->ipsa_spi; 740 bcopy(sa->ipsa_dstaddr, keyp->dl_key_dest_addr, 741 DL_CTL_IPSEC_ADDR_LEN); 742 keyp->dl_key_addr_family = sa->ipsa_addrfam; 743 744 sap->sadb_sa_auth = sa->ipsa_auth_alg; 745 sap->sadb_sa_encrypt = sa->ipsa_encr_alg; 746 747 sap->sadb_key_len_a = sa->ipsa_authkeylen; 748 sap->sadb_key_bits_a = sa->ipsa_authkeybits; 749 bcopy(sa->ipsa_authkey, 750 sap->sadb_key_data_a, sap->sadb_key_len_a); 751 752 sap->sadb_key_len_e = sa->ipsa_encrkeylen; 753 sap->sadb_key_bits_e = sa->ipsa_encrkeybits; 754 bcopy(sa->ipsa_encrkey, 755 sap->sadb_key_data_e, sap->sadb_key_len_e); 756 757 mp->b_wptr += sizeof (dl_ct_ipsec_t) + sizeof (dl_ct_ipsec_key_t); 758 return (B_TRUE); 759 } 760 761 /* 762 * Called from AH or ESP to format a message which will be used to inform 763 * IPsec-acceleration-capable ills of a SADB change. 764 * (It is not possible to send the message to IP directly from this function 765 * since the SA, if any, is locked during the call). 766 * 767 * dl_operation: DL_CONTROL_REQ operation (add, delete, update, etc) 768 * sa_type: identifies whether the operation applies to AH or ESP 769 * (must be one of SADB_SATYPE_AH or SADB_SATYPE_ESP) 770 * sa: Pointer to an SA. Must be non-NULL and locked 771 * for ADD, DELETE, GET, and UPDATE operations. 772 * This function returns an mblk chain that must be passed to IP 773 * for forwarding to the IPsec capable providers. 774 */ 775 mblk_t * 776 sadb_fmt_sa_req(uint_t dl_operation, uint_t sa_type, ipsa_t *sa, 777 boolean_t is_inbound) 778 { 779 mblk_t *mp; 780 dl_control_req_t *ctrl; 781 boolean_t need_key = B_FALSE; 782 mblk_t *ctl_mp = NULL; 783 ipsec_ctl_t *ctl; 784 785 /* 786 * 1 allocate and initialize DL_CONTROL_REQ M_PROTO 787 * 2 if a key is needed for the operation 788 * 2.1 initialize key 789 * 2.2 if a full SA is needed for the operation 790 * 2.2.1 initialize full SA info 791 * 3 return message; caller will call ill_ipsec_capab_send_all() 792 * to send the resulting message to IPsec capable ills. 793 */ 794 795 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 796 797 /* 798 * Allocate DL_CONTROL_REQ M_PROTO 799 * We allocate room for the SA even if it's not needed 800 * by some of the operations (for example flush) 801 */ 802 mp = allocb(sizeof (dl_control_req_t) + 803 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 804 if (mp == NULL) 805 return (NULL); 806 mp->b_datap->db_type = M_PROTO; 807 808 /* initialize dl_control_req_t */ 809 ctrl = (dl_control_req_t *)mp->b_wptr; 810 ctrl->dl_primitive = DL_CONTROL_REQ; 811 ctrl->dl_operation = dl_operation; 812 ctrl->dl_type = sa_type == SADB_SATYPE_AH ? DL_CT_IPSEC_AH : 813 DL_CT_IPSEC_ESP; 814 ctrl->dl_key_offset = sizeof (dl_control_req_t); 815 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 816 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 817 sizeof (dl_ct_ipsec_key_t); 818 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 819 mp->b_wptr += sizeof (dl_control_req_t); 820 821 if ((dl_operation == DL_CO_SET) || (dl_operation == DL_CO_DELETE)) { 822 ASSERT(sa != NULL); 823 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 824 825 need_key = B_TRUE; 826 827 /* 828 * Initialize key and SA data. Note that for some 829 * operations the SA data is ignored by the provider 830 * (delete, etc.) 831 */ 832 if (!sadb_req_from_sa(sa, mp, is_inbound)) 833 return (NULL); 834 } 835 836 /* construct control message */ 837 ctl_mp = allocb(sizeof (ipsec_ctl_t), BPRI_HI); 838 if (ctl_mp == NULL) { 839 cmn_err(CE_WARN, "sadb_fmt_sa_req: allocb failed\n"); 840 freemsg(mp); 841 return (NULL); 842 } 843 844 ctl_mp->b_datap->db_type = M_CTL; 845 ctl_mp->b_wptr += sizeof (ipsec_ctl_t); 846 ctl_mp->b_cont = mp; 847 848 ctl = (ipsec_ctl_t *)ctl_mp->b_rptr; 849 ctl->ipsec_ctl_type = IPSEC_CTL; 850 ctl->ipsec_ctl_len = sizeof (ipsec_ctl_t); 851 ctl->ipsec_ctl_sa_type = sa_type; 852 853 if (need_key) { 854 /* 855 * Keep an additional reference on SA, since it will be 856 * needed by IP to send control messages corresponding 857 * to that SA from its perimeter. IP will do a 858 * IPSA_REFRELE when done with the request. 859 */ 860 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 861 IPSA_REFHOLD(sa); 862 ctl->ipsec_ctl_sa = sa; 863 } else 864 ctl->ipsec_ctl_sa = NULL; 865 866 return (ctl_mp); 867 } 868 869 870 /* 871 * Called by sadb_ill_download() to dump the entries for a specific 872 * fanout table. For each SA entry in the table passed as argument, 873 * use mp as a template and constructs a full DL_CONTROL message, and 874 * call ill_dlpi_send(), provided by IP, to send the resulting 875 * messages to the ill. 876 */ 877 static void 878 sadb_ill_df(ill_t *ill, mblk_t *mp, isaf_t *fanout, int num_entries, 879 boolean_t is_inbound) 880 { 881 ipsa_t *walker; 882 mblk_t *nmp, *salist; 883 int i, error = 0; 884 ip_stack_t *ipst = ill->ill_ipst; 885 netstack_t *ns = ipst->ips_netstack; 886 887 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_ill_df: fanout at 0x%p ne=%d\n", 888 (void *)fanout, num_entries)); 889 /* 890 * For each IPSA hash bucket do: 891 * - Hold the mutex 892 * - Walk each entry, sending a corresponding request to IP 893 * for it. 894 */ 895 ASSERT(mp->b_datap->db_type == M_PROTO); 896 897 for (i = 0; i < num_entries; i++) { 898 mutex_enter(&fanout[i].isaf_lock); 899 salist = NULL; 900 901 for (walker = fanout[i].isaf_ipsa; walker != NULL; 902 walker = walker->ipsa_next) { 903 IPSECHW_DEBUG(IPSECHW_SADB, 904 ("sadb_ill_df: sending SA to ill via IP \n")); 905 /* 906 * Duplicate the template mp passed and 907 * complete DL_CONTROL_REQ data. 908 * To be more memory efficient, we could use 909 * dupb() for the M_CTL and copyb() for the M_PROTO 910 * as the M_CTL, since the M_CTL is the same for 911 * every SA entry passed down to IP for the same ill. 912 * 913 * Note that copymsg/copyb ensure that the new mblk 914 * is at least as large as the source mblk even if it's 915 * not using all its storage -- therefore, nmp 916 * has trailing space for sadb_req_from_sa to add 917 * the SA-specific bits. 918 */ 919 mutex_enter(&walker->ipsa_lock); 920 if (ipsec_capab_match(ill, 921 ill->ill_phyint->phyint_ifindex, ill->ill_isv6, 922 walker, ns)) { 923 nmp = copymsg(mp); 924 if (nmp == NULL) { 925 IPSECHW_DEBUG(IPSECHW_SADB, 926 ("sadb_ill_df: alloc error\n")); 927 error = ENOMEM; 928 mutex_exit(&walker->ipsa_lock); 929 break; 930 } 931 if (sadb_req_from_sa(walker, nmp, is_inbound)) { 932 nmp->b_next = salist; 933 salist = nmp; 934 } 935 } 936 mutex_exit(&walker->ipsa_lock); 937 } 938 mutex_exit(&fanout[i].isaf_lock); 939 while (salist != NULL) { 940 nmp = salist; 941 salist = nmp->b_next; 942 nmp->b_next = NULL; 943 ill_dlpi_send(ill, nmp); 944 } 945 if (error != 0) 946 break; /* out of for loop. */ 947 } 948 } 949 950 /* 951 * Called by ill_ipsec_capab_add(). Sends a copy of the SADB of 952 * the type specified by sa_type to the specified ill. 953 * 954 * We call for each fanout table defined by the SADB (one per 955 * protocol). sadb_ill_df() finally calls ill_dlpi_send() for 956 * each SADB entry in order to send a corresponding DL_CONTROL_REQ 957 * message to the ill. 958 */ 959 void 960 sadb_ill_download(ill_t *ill, uint_t sa_type) 961 { 962 mblk_t *protomp; /* prototype message */ 963 dl_control_req_t *ctrl; 964 sadbp_t *spp; 965 sadb_t *sp; 966 int dlt; 967 ip_stack_t *ipst = ill->ill_ipst; 968 netstack_t *ns = ipst->ips_netstack; 969 970 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 971 972 /* 973 * Allocate and initialize prototype answer. A duplicate for 974 * each SA is sent down to the interface. 975 */ 976 977 /* DL_CONTROL_REQ M_PROTO mblk_t */ 978 protomp = allocb(sizeof (dl_control_req_t) + 979 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 980 if (protomp == NULL) 981 return; 982 protomp->b_datap->db_type = M_PROTO; 983 984 dlt = (sa_type == SADB_SATYPE_AH) ? DL_CT_IPSEC_AH : DL_CT_IPSEC_ESP; 985 if (sa_type == SADB_SATYPE_ESP) { 986 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 987 988 spp = &espstack->esp_sadb; 989 } else { 990 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 991 992 spp = &ahstack->ah_sadb; 993 } 994 995 ctrl = (dl_control_req_t *)protomp->b_wptr; 996 ctrl->dl_primitive = DL_CONTROL_REQ; 997 ctrl->dl_operation = DL_CO_SET; 998 ctrl->dl_type = dlt; 999 ctrl->dl_key_offset = sizeof (dl_control_req_t); 1000 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 1001 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 1002 sizeof (dl_ct_ipsec_key_t); 1003 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 1004 protomp->b_wptr += sizeof (dl_control_req_t); 1005 1006 /* 1007 * then for each SADB entry, we fill out the dl_ct_ipsec_key_t 1008 * and dl_ct_ipsec_t 1009 */ 1010 sp = ill->ill_isv6 ? &(spp->s_v6) : &(spp->s_v4); 1011 sadb_ill_df(ill, protomp, sp->sdb_of, sp->sdb_hashsize, B_FALSE); 1012 sadb_ill_df(ill, protomp, sp->sdb_if, sp->sdb_hashsize, B_TRUE); 1013 freemsg(protomp); 1014 } 1015 1016 /* 1017 * Call me to free up a security association fanout. Use the forever 1018 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g. 1019 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE, 1020 * when a module is unloaded). 1021 */ 1022 static void 1023 sadb_destroyer(isaf_t **tablep, uint_t numentries, boolean_t forever, 1024 boolean_t inbound) 1025 { 1026 int i; 1027 isaf_t *table = *tablep; 1028 uint8_t protocol; 1029 1030 if (table == NULL) 1031 return; 1032 1033 for (i = 0; i < numentries; i++) { 1034 mutex_enter(&table[i].isaf_lock); 1035 while (table[i].isaf_ipsa != NULL) { 1036 if (inbound && cl_inet_deletespi && 1037 (table[i].isaf_ipsa->ipsa_state != 1038 IPSA_STATE_ACTIVE_ELSEWHERE) && 1039 (table[i].isaf_ipsa->ipsa_state != 1040 IPSA_STATE_IDLE)) { 1041 protocol = (table[i].isaf_ipsa->ipsa_type == 1042 SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP; 1043 cl_inet_deletespi(protocol, 1044 table[i].isaf_ipsa->ipsa_spi); 1045 } 1046 sadb_unlinkassoc(table[i].isaf_ipsa); 1047 } 1048 table[i].isaf_gen++; 1049 mutex_exit(&table[i].isaf_lock); 1050 if (forever) 1051 mutex_destroy(&(table[i].isaf_lock)); 1052 } 1053 1054 if (forever) { 1055 *tablep = NULL; 1056 kmem_free(table, numentries * sizeof (*table)); 1057 } 1058 } 1059 1060 /* 1061 * Entry points to sadb_destroyer(). 1062 */ 1063 static void 1064 sadb_flush(sadb_t *sp, netstack_t *ns) 1065 { 1066 /* 1067 * Flush out each bucket, one at a time. Were it not for keysock's 1068 * enforcement, there would be a subtlety where I could add on the 1069 * heels of a flush. With keysock's enforcement, however, this 1070 * makes ESP's job easy. 1071 */ 1072 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_FALSE, B_FALSE); 1073 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_FALSE, B_TRUE); 1074 1075 /* For each acquire, destroy it; leave the bucket mutex alone. */ 1076 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_FALSE, ns); 1077 } 1078 1079 static void 1080 sadb_destroy(sadb_t *sp, netstack_t *ns) 1081 { 1082 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_TRUE, B_FALSE); 1083 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_TRUE, B_TRUE); 1084 1085 /* For each acquire, destroy it, including the bucket mutex. */ 1086 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_TRUE, ns); 1087 1088 ASSERT(sp->sdb_of == NULL); 1089 ASSERT(sp->sdb_if == NULL); 1090 ASSERT(sp->sdb_acq == NULL); 1091 } 1092 1093 static void 1094 sadb_send_flush_req(sadbp_t *spp) 1095 { 1096 mblk_t *ctl_mp; 1097 1098 /* 1099 * we've been unplumbed, or never were plumbed; don't go there. 1100 */ 1101 if (spp->s_ip_q == NULL) 1102 return; 1103 1104 /* have IP send a flush msg to the IPsec accelerators */ 1105 ctl_mp = sadb_fmt_sa_req(DL_CO_FLUSH, spp->s_satype, NULL, B_TRUE); 1106 if (ctl_mp != NULL) 1107 putnext(spp->s_ip_q, ctl_mp); 1108 } 1109 1110 void 1111 sadbp_flush(sadbp_t *spp, netstack_t *ns) 1112 { 1113 sadb_flush(&spp->s_v4, ns); 1114 sadb_flush(&spp->s_v6, ns); 1115 1116 sadb_send_flush_req(spp); 1117 } 1118 1119 void 1120 sadbp_destroy(sadbp_t *spp, netstack_t *ns) 1121 { 1122 sadb_destroy(&spp->s_v4, ns); 1123 sadb_destroy(&spp->s_v6, ns); 1124 1125 sadb_send_flush_req(spp); 1126 if (spp->s_satype == SADB_SATYPE_AH) { 1127 ipsec_stack_t *ipss = ns->netstack_ipsec; 1128 1129 ip_drop_unregister(&ipss->ipsec_sadb_dropper); 1130 } 1131 } 1132 1133 1134 /* 1135 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g. 1136 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for 1137 * EINVAL. 1138 */ 1139 int 1140 sadb_hardsoftchk(sadb_lifetime_t *hard, sadb_lifetime_t *soft, 1141 sadb_lifetime_t *idle) 1142 { 1143 if (hard == NULL || soft == NULL) 1144 return (0); 1145 1146 if (hard->sadb_lifetime_allocations != 0 && 1147 soft->sadb_lifetime_allocations != 0 && 1148 hard->sadb_lifetime_allocations < soft->sadb_lifetime_allocations) 1149 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR); 1150 1151 if (hard->sadb_lifetime_bytes != 0 && 1152 soft->sadb_lifetime_bytes != 0 && 1153 hard->sadb_lifetime_bytes < soft->sadb_lifetime_bytes) 1154 return (SADB_X_DIAGNOSTIC_BYTES_HSERR); 1155 1156 if (hard->sadb_lifetime_addtime != 0 && 1157 soft->sadb_lifetime_addtime != 0 && 1158 hard->sadb_lifetime_addtime < soft->sadb_lifetime_addtime) 1159 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1160 1161 if (hard->sadb_lifetime_usetime != 0 && 1162 soft->sadb_lifetime_usetime != 0 && 1163 hard->sadb_lifetime_usetime < soft->sadb_lifetime_usetime) 1164 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1165 1166 if (idle != NULL) { 1167 if (hard->sadb_lifetime_addtime != 0 && 1168 idle->sadb_lifetime_addtime != 0 && 1169 hard->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) 1170 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1171 1172 if (soft->sadb_lifetime_addtime != 0 && 1173 idle->sadb_lifetime_addtime != 0 && 1174 soft->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) 1175 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1176 1177 if (hard->sadb_lifetime_usetime != 0 && 1178 idle->sadb_lifetime_usetime != 0 && 1179 hard->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) 1180 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1181 1182 if (soft->sadb_lifetime_usetime != 0 && 1183 idle->sadb_lifetime_usetime != 0 && 1184 soft->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) 1185 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1186 } 1187 1188 return (0); 1189 } 1190 1191 /* 1192 * Clone a security association for the purposes of inserting a single SA 1193 * into inbound and outbound tables respectively. This function should only 1194 * be called from sadb_common_add(). 1195 */ 1196 static ipsa_t * 1197 sadb_cloneassoc(ipsa_t *ipsa) 1198 { 1199 ipsa_t *newbie; 1200 boolean_t error = B_FALSE; 1201 1202 ASSERT(MUTEX_NOT_HELD(&(ipsa->ipsa_lock))); 1203 1204 newbie = kmem_alloc(sizeof (ipsa_t), KM_NOSLEEP); 1205 if (newbie == NULL) 1206 return (NULL); 1207 1208 /* Copy over what we can. */ 1209 *newbie = *ipsa; 1210 1211 /* bzero and initialize locks, in case *_init() allocates... */ 1212 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 1213 1214 /* 1215 * While somewhat dain-bramaged, the most graceful way to 1216 * recover from errors is to keep plowing through the 1217 * allocations, and getting what I can. It's easier to call 1218 * sadb_freeassoc() on the stillborn clone when all the 1219 * pointers aren't pointing to the parent's data. 1220 */ 1221 1222 if (ipsa->ipsa_authkey != NULL) { 1223 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 1224 KM_NOSLEEP); 1225 if (newbie->ipsa_authkey == NULL) { 1226 error = B_TRUE; 1227 } else { 1228 bcopy(ipsa->ipsa_authkey, newbie->ipsa_authkey, 1229 newbie->ipsa_authkeylen); 1230 1231 newbie->ipsa_kcfauthkey.ck_data = 1232 newbie->ipsa_authkey; 1233 } 1234 1235 if (newbie->ipsa_amech.cm_param != NULL) { 1236 newbie->ipsa_amech.cm_param = 1237 (char *)&newbie->ipsa_mac_len; 1238 } 1239 } 1240 1241 if (ipsa->ipsa_encrkey != NULL) { 1242 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 1243 KM_NOSLEEP); 1244 if (newbie->ipsa_encrkey == NULL) { 1245 error = B_TRUE; 1246 } else { 1247 bcopy(ipsa->ipsa_encrkey, newbie->ipsa_encrkey, 1248 newbie->ipsa_encrkeylen); 1249 1250 newbie->ipsa_kcfencrkey.ck_data = 1251 newbie->ipsa_encrkey; 1252 } 1253 } 1254 1255 newbie->ipsa_authtmpl = NULL; 1256 newbie->ipsa_encrtmpl = NULL; 1257 newbie->ipsa_haspeer = B_TRUE; 1258 1259 if (ipsa->ipsa_integ != NULL) { 1260 newbie->ipsa_integ = kmem_alloc(newbie->ipsa_integlen, 1261 KM_NOSLEEP); 1262 if (newbie->ipsa_integ == NULL) { 1263 error = B_TRUE; 1264 } else { 1265 bcopy(ipsa->ipsa_integ, newbie->ipsa_integ, 1266 newbie->ipsa_integlen); 1267 } 1268 } 1269 1270 if (ipsa->ipsa_sens != NULL) { 1271 newbie->ipsa_sens = kmem_alloc(newbie->ipsa_senslen, 1272 KM_NOSLEEP); 1273 if (newbie->ipsa_sens == NULL) { 1274 error = B_TRUE; 1275 } else { 1276 bcopy(ipsa->ipsa_sens, newbie->ipsa_sens, 1277 newbie->ipsa_senslen); 1278 } 1279 } 1280 1281 if (ipsa->ipsa_src_cid != NULL) { 1282 newbie->ipsa_src_cid = ipsa->ipsa_src_cid; 1283 IPSID_REFHOLD(ipsa->ipsa_src_cid); 1284 } 1285 1286 if (ipsa->ipsa_dst_cid != NULL) { 1287 newbie->ipsa_dst_cid = ipsa->ipsa_dst_cid; 1288 IPSID_REFHOLD(ipsa->ipsa_dst_cid); 1289 } 1290 1291 if (error) { 1292 sadb_freeassoc(newbie); 1293 return (NULL); 1294 } 1295 1296 return (newbie); 1297 } 1298 1299 /* 1300 * Initialize a SADB address extension at the address specified by addrext. 1301 * Return a pointer to the end of the new address extension. 1302 */ 1303 static uint8_t * 1304 sadb_make_addr_ext(uint8_t *start, uint8_t *end, uint16_t exttype, 1305 sa_family_t af, uint32_t *addr, uint16_t port, uint8_t proto, int prefix) 1306 { 1307 struct sockaddr_in *sin; 1308 struct sockaddr_in6 *sin6; 1309 uint8_t *cur = start; 1310 int addrext_len; 1311 int sin_len; 1312 sadb_address_t *addrext = (sadb_address_t *)cur; 1313 1314 if (cur == NULL) 1315 return (NULL); 1316 1317 cur += sizeof (*addrext); 1318 if (cur > end) 1319 return (NULL); 1320 1321 addrext->sadb_address_proto = proto; 1322 addrext->sadb_address_prefixlen = prefix; 1323 addrext->sadb_address_reserved = 0; 1324 addrext->sadb_address_exttype = exttype; 1325 1326 switch (af) { 1327 case AF_INET: 1328 sin = (struct sockaddr_in *)cur; 1329 sin_len = sizeof (*sin); 1330 cur += sin_len; 1331 if (cur > end) 1332 return (NULL); 1333 1334 sin->sin_family = af; 1335 bzero(sin->sin_zero, sizeof (sin->sin_zero)); 1336 sin->sin_port = port; 1337 IPSA_COPY_ADDR(&sin->sin_addr, addr, af); 1338 break; 1339 case AF_INET6: 1340 sin6 = (struct sockaddr_in6 *)cur; 1341 sin_len = sizeof (*sin6); 1342 cur += sin_len; 1343 if (cur > end) 1344 return (NULL); 1345 1346 bzero(sin6, sizeof (*sin6)); 1347 sin6->sin6_family = af; 1348 sin6->sin6_port = port; 1349 IPSA_COPY_ADDR(&sin6->sin6_addr, addr, af); 1350 break; 1351 } 1352 1353 addrext_len = roundup(cur - start, sizeof (uint64_t)); 1354 addrext->sadb_address_len = SADB_8TO64(addrext_len); 1355 1356 cur = start + addrext_len; 1357 if (cur > end) 1358 cur = NULL; 1359 1360 return (cur); 1361 } 1362 1363 /* 1364 * Construct a key management cookie extension. 1365 */ 1366 1367 static uint8_t * 1368 sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint32_t kmc) 1369 { 1370 sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur; 1371 1372 if (cur == NULL) 1373 return (NULL); 1374 1375 cur += sizeof (*kmcext); 1376 1377 if (cur > end) 1378 return (NULL); 1379 1380 kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext)); 1381 kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE; 1382 kmcext->sadb_x_kmc_proto = kmp; 1383 kmcext->sadb_x_kmc_cookie = kmc; 1384 kmcext->sadb_x_kmc_reserved = 0; 1385 1386 return (cur); 1387 } 1388 1389 /* 1390 * Given an original message header with sufficient space following it, and an 1391 * SA, construct a full PF_KEY message with all of the relevant extensions. 1392 * This is mostly used for SADB_GET, and SADB_DUMP. 1393 */ 1394 static mblk_t * 1395 sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg) 1396 { 1397 int alloclen, addrsize, paddrsize, authsize, encrsize; 1398 int srcidsize, dstidsize; 1399 sa_family_t fam, pfam; /* Address family for SADB_EXT_ADDRESS */ 1400 /* src/dst and proxy sockaddrs. */ 1401 /* 1402 * The following are pointers into the PF_KEY message this PF_KEY 1403 * message creates. 1404 */ 1405 sadb_msg_t *newsamsg; 1406 sadb_sa_t *assoc; 1407 sadb_lifetime_t *lt; 1408 sadb_key_t *key; 1409 sadb_ident_t *ident; 1410 sadb_sens_t *sens; 1411 sadb_ext_t *walker; /* For when we need a generic ext. pointer. */ 1412 sadb_x_replay_ctr_t *repl_ctr; 1413 sadb_x_pair_t *pair_ext; 1414 1415 mblk_t *mp; 1416 uint64_t *bitmap; 1417 uint8_t *cur, *end; 1418 /* These indicate the presence of the above extension fields. */ 1419 boolean_t soft, hard, isrc, idst, auth, encr, sensinteg, srcid, dstid; 1420 boolean_t idle; 1421 boolean_t paired; 1422 uint32_t otherspi; 1423 1424 /* First off, figure out the allocation length for this message. */ 1425 1426 /* 1427 * Constant stuff. This includes base, SA, address (src, dst), 1428 * and lifetime (current). 1429 */ 1430 alloclen = sizeof (sadb_msg_t) + sizeof (sadb_sa_t) + 1431 sizeof (sadb_lifetime_t); 1432 1433 fam = ipsa->ipsa_addrfam; 1434 switch (fam) { 1435 case AF_INET: 1436 addrsize = roundup(sizeof (struct sockaddr_in) + 1437 sizeof (sadb_address_t), sizeof (uint64_t)); 1438 break; 1439 case AF_INET6: 1440 addrsize = roundup(sizeof (struct sockaddr_in6) + 1441 sizeof (sadb_address_t), sizeof (uint64_t)); 1442 break; 1443 default: 1444 return (NULL); 1445 } 1446 /* 1447 * Allocate TWO address extensions, for source and destination. 1448 * (Thus, the * 2.) 1449 */ 1450 alloclen += addrsize * 2; 1451 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) 1452 alloclen += addrsize; 1453 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) 1454 alloclen += addrsize; 1455 1456 if (ipsa->ipsa_flags & IPSA_F_PAIRED) { 1457 paired = B_TRUE; 1458 alloclen += sizeof (sadb_x_pair_t); 1459 otherspi = ipsa->ipsa_otherspi; 1460 } else { 1461 paired = B_FALSE; 1462 } 1463 1464 /* How 'bout other lifetimes? */ 1465 if (ipsa->ipsa_softaddlt != 0 || ipsa->ipsa_softuselt != 0 || 1466 ipsa->ipsa_softbyteslt != 0 || ipsa->ipsa_softalloc != 0) { 1467 alloclen += sizeof (sadb_lifetime_t); 1468 soft = B_TRUE; 1469 } else { 1470 soft = B_FALSE; 1471 } 1472 1473 if (ipsa->ipsa_hardaddlt != 0 || ipsa->ipsa_harduselt != 0 || 1474 ipsa->ipsa_hardbyteslt != 0 || ipsa->ipsa_hardalloc != 0) { 1475 alloclen += sizeof (sadb_lifetime_t); 1476 hard = B_TRUE; 1477 } else { 1478 hard = B_FALSE; 1479 } 1480 1481 if (ipsa->ipsa_idleaddlt != 0 || ipsa->ipsa_idleuselt != 0) { 1482 alloclen += sizeof (sadb_lifetime_t); 1483 idle = B_TRUE; 1484 } else { 1485 idle = B_FALSE; 1486 } 1487 1488 /* Inner addresses. */ 1489 if (ipsa->ipsa_innerfam == 0) { 1490 isrc = B_FALSE; 1491 idst = B_FALSE; 1492 } else { 1493 pfam = ipsa->ipsa_innerfam; 1494 switch (pfam) { 1495 case AF_INET6: 1496 paddrsize = roundup(sizeof (struct sockaddr_in6) + 1497 sizeof (sadb_address_t), sizeof (uint64_t)); 1498 break; 1499 case AF_INET: 1500 paddrsize = roundup(sizeof (struct sockaddr_in) + 1501 sizeof (sadb_address_t), sizeof (uint64_t)); 1502 break; 1503 default: 1504 cmn_err(CE_PANIC, 1505 "IPsec SADB: Proxy length failure.\n"); 1506 break; 1507 } 1508 isrc = B_TRUE; 1509 idst = B_TRUE; 1510 alloclen += 2 * paddrsize; 1511 } 1512 1513 /* For the following fields, assume that length != 0 ==> stuff */ 1514 if (ipsa->ipsa_authkeylen != 0) { 1515 authsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_authkeylen, 1516 sizeof (uint64_t)); 1517 alloclen += authsize; 1518 auth = B_TRUE; 1519 } else { 1520 auth = B_FALSE; 1521 } 1522 1523 if (ipsa->ipsa_encrkeylen != 0) { 1524 encrsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_encrkeylen, 1525 sizeof (uint64_t)); 1526 alloclen += encrsize; 1527 encr = B_TRUE; 1528 } else { 1529 encr = B_FALSE; 1530 } 1531 1532 /* No need for roundup on sens and integ. */ 1533 if (ipsa->ipsa_integlen != 0 || ipsa->ipsa_senslen != 0) { 1534 alloclen += sizeof (sadb_key_t) + ipsa->ipsa_integlen + 1535 ipsa->ipsa_senslen; 1536 sensinteg = B_TRUE; 1537 } else { 1538 sensinteg = B_FALSE; 1539 } 1540 1541 /* 1542 * Must use strlen() here for lengths. Identities use NULL 1543 * pointers to indicate their nonexistence. 1544 */ 1545 if (ipsa->ipsa_src_cid != NULL) { 1546 srcidsize = roundup(sizeof (sadb_ident_t) + 1547 strlen(ipsa->ipsa_src_cid->ipsid_cid) + 1, 1548 sizeof (uint64_t)); 1549 alloclen += srcidsize; 1550 srcid = B_TRUE; 1551 } else { 1552 srcid = B_FALSE; 1553 } 1554 1555 if (ipsa->ipsa_dst_cid != NULL) { 1556 dstidsize = roundup(sizeof (sadb_ident_t) + 1557 strlen(ipsa->ipsa_dst_cid->ipsid_cid) + 1, 1558 sizeof (uint64_t)); 1559 alloclen += dstidsize; 1560 dstid = B_TRUE; 1561 } else { 1562 dstid = B_FALSE; 1563 } 1564 1565 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) 1566 alloclen += sizeof (sadb_x_kmc_t); 1567 1568 if (ipsa->ipsa_replay != 0) { 1569 alloclen += sizeof (sadb_x_replay_ctr_t); 1570 } 1571 1572 /* Make sure the allocation length is a multiple of 8 bytes. */ 1573 ASSERT((alloclen & 0x7) == 0); 1574 1575 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */ 1576 mp = allocb(alloclen, BPRI_HI); 1577 if (mp == NULL) 1578 return (NULL); 1579 1580 mp->b_wptr += alloclen; 1581 end = mp->b_wptr; 1582 newsamsg = (sadb_msg_t *)mp->b_rptr; 1583 *newsamsg = *samsg; 1584 newsamsg->sadb_msg_len = (uint16_t)SADB_8TO64(alloclen); 1585 1586 mutex_enter(&ipsa->ipsa_lock); /* Since I'm grabbing SA fields... */ 1587 1588 newsamsg->sadb_msg_satype = ipsa->ipsa_type; 1589 1590 assoc = (sadb_sa_t *)(newsamsg + 1); 1591 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc)); 1592 assoc->sadb_sa_exttype = SADB_EXT_SA; 1593 assoc->sadb_sa_spi = ipsa->ipsa_spi; 1594 assoc->sadb_sa_replay = ipsa->ipsa_replay_wsize; 1595 assoc->sadb_sa_state = ipsa->ipsa_state; 1596 assoc->sadb_sa_auth = ipsa->ipsa_auth_alg; 1597 assoc->sadb_sa_encrypt = ipsa->ipsa_encr_alg; 1598 assoc->sadb_sa_flags = ipsa->ipsa_flags; 1599 1600 lt = (sadb_lifetime_t *)(assoc + 1); 1601 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1602 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 1603 /* We do not support the concept. */ 1604 lt->sadb_lifetime_allocations = 0; 1605 lt->sadb_lifetime_bytes = ipsa->ipsa_bytes; 1606 lt->sadb_lifetime_addtime = ipsa->ipsa_addtime; 1607 lt->sadb_lifetime_usetime = ipsa->ipsa_usetime; 1608 1609 if (hard) { 1610 lt++; 1611 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1612 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 1613 lt->sadb_lifetime_allocations = ipsa->ipsa_hardalloc; 1614 lt->sadb_lifetime_bytes = ipsa->ipsa_hardbyteslt; 1615 lt->sadb_lifetime_addtime = ipsa->ipsa_hardaddlt; 1616 lt->sadb_lifetime_usetime = ipsa->ipsa_harduselt; 1617 } 1618 1619 if (soft) { 1620 lt++; 1621 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1622 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 1623 lt->sadb_lifetime_allocations = ipsa->ipsa_softalloc; 1624 lt->sadb_lifetime_bytes = ipsa->ipsa_softbyteslt; 1625 lt->sadb_lifetime_addtime = ipsa->ipsa_softaddlt; 1626 lt->sadb_lifetime_usetime = ipsa->ipsa_softuselt; 1627 } 1628 1629 if (idle) { 1630 lt++; 1631 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1632 lt->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE; 1633 lt->sadb_lifetime_addtime = ipsa->ipsa_idleaddlt; 1634 lt->sadb_lifetime_usetime = ipsa->ipsa_idleuselt; 1635 } 1636 1637 cur = (uint8_t *)(lt + 1); 1638 1639 /* NOTE: Don't fill in ports here if we are a tunnel-mode SA. */ 1640 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, fam, 1641 ipsa->ipsa_srcaddr, (!isrc && !idst) ? SA_SRCPORT(ipsa) : 0, 1642 SA_PROTO(ipsa), 0); 1643 if (cur == NULL) { 1644 freemsg(mp); 1645 mp = NULL; 1646 goto bail; 1647 } 1648 1649 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, fam, 1650 ipsa->ipsa_dstaddr, (!isrc && !idst) ? SA_DSTPORT(ipsa) : 0, 1651 SA_PROTO(ipsa), 0); 1652 if (cur == NULL) { 1653 freemsg(mp); 1654 mp = NULL; 1655 goto bail; 1656 } 1657 1658 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) { 1659 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_LOC, 1660 fam, &ipsa->ipsa_natt_addr_loc, ipsa->ipsa_local_nat_port, 1661 IPPROTO_UDP, 0); 1662 if (cur == NULL) { 1663 freemsg(mp); 1664 mp = NULL; 1665 goto bail; 1666 } 1667 } 1668 1669 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) { 1670 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_REM, 1671 fam, &ipsa->ipsa_natt_addr_rem, ipsa->ipsa_remote_nat_port, 1672 IPPROTO_UDP, 0); 1673 if (cur == NULL) { 1674 freemsg(mp); 1675 mp = NULL; 1676 goto bail; 1677 } 1678 } 1679 1680 /* If we are a tunnel-mode SA, fill in the inner-selectors. */ 1681 if (isrc) { 1682 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 1683 pfam, ipsa->ipsa_innersrc, SA_SRCPORT(ipsa), 1684 SA_IPROTO(ipsa), ipsa->ipsa_innersrcpfx); 1685 if (cur == NULL) { 1686 freemsg(mp); 1687 mp = NULL; 1688 goto bail; 1689 } 1690 } 1691 1692 if (idst) { 1693 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 1694 pfam, ipsa->ipsa_innerdst, SA_DSTPORT(ipsa), 1695 SA_IPROTO(ipsa), ipsa->ipsa_innerdstpfx); 1696 if (cur == NULL) { 1697 freemsg(mp); 1698 mp = NULL; 1699 goto bail; 1700 } 1701 } 1702 1703 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) { 1704 cur = sadb_make_kmc_ext(cur, end, 1705 ipsa->ipsa_kmp, ipsa->ipsa_kmc); 1706 if (cur == NULL) { 1707 freemsg(mp); 1708 mp = NULL; 1709 goto bail; 1710 } 1711 } 1712 1713 walker = (sadb_ext_t *)cur; 1714 if (auth) { 1715 key = (sadb_key_t *)walker; 1716 key->sadb_key_len = SADB_8TO64(authsize); 1717 key->sadb_key_exttype = SADB_EXT_KEY_AUTH; 1718 key->sadb_key_bits = ipsa->ipsa_authkeybits; 1719 key->sadb_key_reserved = 0; 1720 bcopy(ipsa->ipsa_authkey, key + 1, ipsa->ipsa_authkeylen); 1721 walker = (sadb_ext_t *)((uint64_t *)walker + 1722 walker->sadb_ext_len); 1723 } 1724 1725 if (encr) { 1726 key = (sadb_key_t *)walker; 1727 key->sadb_key_len = SADB_8TO64(encrsize); 1728 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 1729 key->sadb_key_bits = ipsa->ipsa_encrkeybits; 1730 key->sadb_key_reserved = 0; 1731 bcopy(ipsa->ipsa_encrkey, key + 1, ipsa->ipsa_encrkeylen); 1732 walker = (sadb_ext_t *)((uint64_t *)walker + 1733 walker->sadb_ext_len); 1734 } 1735 1736 if (srcid) { 1737 ident = (sadb_ident_t *)walker; 1738 ident->sadb_ident_len = SADB_8TO64(srcidsize); 1739 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 1740 ident->sadb_ident_type = ipsa->ipsa_src_cid->ipsid_type; 1741 ident->sadb_ident_id = 0; 1742 ident->sadb_ident_reserved = 0; 1743 (void) strcpy((char *)(ident + 1), 1744 ipsa->ipsa_src_cid->ipsid_cid); 1745 walker = (sadb_ext_t *)((uint64_t *)walker + 1746 walker->sadb_ext_len); 1747 } 1748 1749 if (dstid) { 1750 ident = (sadb_ident_t *)walker; 1751 ident->sadb_ident_len = SADB_8TO64(dstidsize); 1752 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 1753 ident->sadb_ident_type = ipsa->ipsa_dst_cid->ipsid_type; 1754 ident->sadb_ident_id = 0; 1755 ident->sadb_ident_reserved = 0; 1756 (void) strcpy((char *)(ident + 1), 1757 ipsa->ipsa_dst_cid->ipsid_cid); 1758 walker = (sadb_ext_t *)((uint64_t *)walker + 1759 walker->sadb_ext_len); 1760 } 1761 1762 if (sensinteg) { 1763 sens = (sadb_sens_t *)walker; 1764 sens->sadb_sens_len = SADB_8TO64(sizeof (sadb_sens_t *) + 1765 ipsa->ipsa_senslen + ipsa->ipsa_integlen); 1766 sens->sadb_sens_dpd = ipsa->ipsa_dpd; 1767 sens->sadb_sens_sens_level = ipsa->ipsa_senslevel; 1768 sens->sadb_sens_integ_level = ipsa->ipsa_integlevel; 1769 sens->sadb_sens_sens_len = SADB_8TO64(ipsa->ipsa_senslen); 1770 sens->sadb_sens_integ_len = SADB_8TO64(ipsa->ipsa_integlen); 1771 sens->sadb_sens_reserved = 0; 1772 bitmap = (uint64_t *)(sens + 1); 1773 if (ipsa->ipsa_sens != NULL) { 1774 bcopy(ipsa->ipsa_sens, bitmap, ipsa->ipsa_senslen); 1775 bitmap += sens->sadb_sens_sens_len; 1776 } 1777 if (ipsa->ipsa_integ != NULL) 1778 bcopy(ipsa->ipsa_integ, bitmap, ipsa->ipsa_integlen); 1779 walker = (sadb_ext_t *)((uint64_t *)walker + 1780 walker->sadb_ext_len); 1781 } 1782 1783 if (paired) { 1784 pair_ext = (sadb_x_pair_t *)walker; 1785 1786 pair_ext->sadb_x_pair_len = SADB_8TO64(sizeof (sadb_x_pair_t)); 1787 pair_ext->sadb_x_pair_exttype = SADB_X_EXT_PAIR; 1788 pair_ext->sadb_x_pair_spi = otherspi; 1789 1790 walker = (sadb_ext_t *)((uint64_t *)walker + 1791 walker->sadb_ext_len); 1792 } 1793 1794 if (ipsa->ipsa_replay != 0) { 1795 repl_ctr = (sadb_x_replay_ctr_t *)walker; 1796 repl_ctr->sadb_x_rc_len = SADB_8TO64(sizeof (*repl_ctr)); 1797 repl_ctr->sadb_x_rc_exttype = SADB_X_EXT_REPLAY_VALUE; 1798 repl_ctr->sadb_x_rc_replay32 = ipsa->ipsa_replay; 1799 repl_ctr->sadb_x_rc_replay64 = 0; 1800 walker = (sadb_ext_t *)(repl_ctr + 1); 1801 } 1802 1803 bail: 1804 /* Pardon any delays... */ 1805 mutex_exit(&ipsa->ipsa_lock); 1806 1807 return (mp); 1808 } 1809 1810 /* 1811 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN) 1812 * and adjust base message accordingly. 1813 * 1814 * Assume message is pulled up in one piece of contiguous memory. 1815 * 1816 * Say if we start off with: 1817 * 1818 * +------+----+-------------+-----------+---------------+---------------+ 1819 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime | 1820 * +------+----+-------------+-----------+---------------+---------------+ 1821 * 1822 * we will end up with 1823 * 1824 * +------+----+-------------+-----------+---------------+ 1825 * | base | SA | source addr | dest addr | soft lifetime | 1826 * +------+----+-------------+-----------+---------------+ 1827 */ 1828 static void 1829 sadb_strip(sadb_msg_t *samsg) 1830 { 1831 sadb_ext_t *ext; 1832 uint8_t *target = NULL; 1833 uint8_t *msgend; 1834 int sofar = SADB_8TO64(sizeof (*samsg)); 1835 int copylen; 1836 1837 ext = (sadb_ext_t *)(samsg + 1); 1838 msgend = (uint8_t *)samsg; 1839 msgend += SADB_64TO8(samsg->sadb_msg_len); 1840 while ((uint8_t *)ext < msgend) { 1841 if (ext->sadb_ext_type == SADB_EXT_RESERVED || 1842 ext->sadb_ext_type == SADB_EXT_KEY_AUTH || 1843 ext->sadb_ext_type == SADB_X_EXT_EDUMP || 1844 ext->sadb_ext_type == SADB_EXT_KEY_ENCRYPT) { 1845 /* 1846 * Aha! I found a header to be erased. 1847 */ 1848 1849 if (target != NULL) { 1850 /* 1851 * If I had a previous header to be erased, 1852 * copy over it. I can get away with just 1853 * copying backwards because the target will 1854 * always be 8 bytes behind the source. 1855 */ 1856 copylen = ((uint8_t *)ext) - (target + 1857 SADB_64TO8( 1858 ((sadb_ext_t *)target)->sadb_ext_len)); 1859 ovbcopy(((uint8_t *)ext - copylen), target, 1860 copylen); 1861 target += copylen; 1862 ((sadb_ext_t *)target)->sadb_ext_len = 1863 SADB_8TO64(((uint8_t *)ext) - target + 1864 SADB_64TO8(ext->sadb_ext_len)); 1865 } else { 1866 target = (uint8_t *)ext; 1867 } 1868 } else { 1869 sofar += ext->sadb_ext_len; 1870 } 1871 1872 ext = (sadb_ext_t *)(((uint64_t *)ext) + ext->sadb_ext_len); 1873 } 1874 1875 ASSERT((uint8_t *)ext == msgend); 1876 1877 if (target != NULL) { 1878 copylen = ((uint8_t *)ext) - (target + 1879 SADB_64TO8(((sadb_ext_t *)target)->sadb_ext_len)); 1880 if (copylen != 0) 1881 ovbcopy(((uint8_t *)ext - copylen), target, copylen); 1882 } 1883 1884 /* Adjust samsg. */ 1885 samsg->sadb_msg_len = (uint16_t)sofar; 1886 1887 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */ 1888 } 1889 1890 /* 1891 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL 1892 * followed by an M_DATA with a PF_KEY message in it. The serial of 1893 * the sending keysock instance is included. 1894 */ 1895 void 1896 sadb_pfkey_error(queue_t *pfkey_q, mblk_t *mp, int error, int diagnostic, 1897 uint_t serial) 1898 { 1899 mblk_t *msg = mp->b_cont; 1900 sadb_msg_t *samsg; 1901 keysock_out_t *kso; 1902 1903 /* 1904 * Enough functions call this to merit a NULL queue check. 1905 */ 1906 if (pfkey_q == NULL) { 1907 freemsg(mp); 1908 return; 1909 } 1910 1911 ASSERT(msg != NULL); 1912 ASSERT((mp->b_wptr - mp->b_rptr) == sizeof (ipsec_info_t)); 1913 ASSERT((msg->b_wptr - msg->b_rptr) >= sizeof (sadb_msg_t)); 1914 samsg = (sadb_msg_t *)msg->b_rptr; 1915 kso = (keysock_out_t *)mp->b_rptr; 1916 1917 kso->ks_out_type = KEYSOCK_OUT; 1918 kso->ks_out_len = sizeof (*kso); 1919 kso->ks_out_serial = serial; 1920 1921 /* 1922 * Only send the base message up in the event of an error. 1923 * Don't worry about bzero()-ing, because it was probably bogus 1924 * anyway. 1925 */ 1926 msg->b_wptr = msg->b_rptr + sizeof (*samsg); 1927 samsg = (sadb_msg_t *)msg->b_rptr; 1928 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 1929 samsg->sadb_msg_errno = (uint8_t)error; 1930 if (diagnostic != SADB_X_DIAGNOSTIC_PRESET) 1931 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 1932 1933 putnext(pfkey_q, mp); 1934 } 1935 1936 /* 1937 * Send a successful return packet back to keysock via the queue in pfkey_q. 1938 * 1939 * Often, an SA is associated with the reply message, it's passed in if needed, 1940 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held, 1941 * and the caller will release said refcnt. 1942 */ 1943 void 1944 sadb_pfkey_echo(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 1945 keysock_in_t *ksi, ipsa_t *ipsa) 1946 { 1947 keysock_out_t *kso; 1948 mblk_t *mp1; 1949 sadb_msg_t *newsamsg; 1950 uint8_t *oldend; 1951 1952 ASSERT((mp->b_cont != NULL) && 1953 ((void *)samsg == (void *)mp->b_cont->b_rptr) && 1954 ((void *)mp->b_rptr == (void *)ksi)); 1955 1956 switch (samsg->sadb_msg_type) { 1957 case SADB_ADD: 1958 case SADB_UPDATE: 1959 case SADB_X_UPDATEPAIR: 1960 case SADB_X_DELPAIR_STATE: 1961 case SADB_FLUSH: 1962 case SADB_DUMP: 1963 /* 1964 * I have all of the message already. I just need to strip 1965 * out the keying material and echo the message back. 1966 * 1967 * NOTE: for SADB_DUMP, the function sadb_dump() did the 1968 * work. When DUMP reaches here, it should only be a base 1969 * message. 1970 */ 1971 justecho: 1972 if (ksi->ks_in_extv[SADB_EXT_KEY_AUTH] != NULL || 1973 ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT] != NULL || 1974 ksi->ks_in_extv[SADB_X_EXT_EDUMP] != NULL) { 1975 sadb_strip(samsg); 1976 /* Assume PF_KEY message is contiguous. */ 1977 ASSERT(mp->b_cont->b_cont == NULL); 1978 oldend = mp->b_cont->b_wptr; 1979 mp->b_cont->b_wptr = mp->b_cont->b_rptr + 1980 SADB_64TO8(samsg->sadb_msg_len); 1981 bzero(mp->b_cont->b_wptr, oldend - mp->b_cont->b_wptr); 1982 } 1983 break; 1984 case SADB_GET: 1985 /* 1986 * Do a lot of work here, because of the ipsa I just found. 1987 * First construct the new PF_KEY message, then abandon 1988 * the old one. 1989 */ 1990 mp1 = sadb_sa2msg(ipsa, samsg); 1991 if (mp1 == NULL) { 1992 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 1993 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 1994 return; 1995 } 1996 freemsg(mp->b_cont); 1997 mp->b_cont = mp1; 1998 break; 1999 case SADB_DELETE: 2000 case SADB_X_DELPAIR: 2001 if (ipsa == NULL) 2002 goto justecho; 2003 /* 2004 * Because listening KMds may require more info, treat 2005 * DELETE like a special case of GET. 2006 */ 2007 mp1 = sadb_sa2msg(ipsa, samsg); 2008 if (mp1 == NULL) { 2009 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 2010 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 2011 return; 2012 } 2013 newsamsg = (sadb_msg_t *)mp1->b_rptr; 2014 sadb_strip(newsamsg); 2015 oldend = mp1->b_wptr; 2016 mp1->b_wptr = mp1->b_rptr + SADB_64TO8(newsamsg->sadb_msg_len); 2017 bzero(mp1->b_wptr, oldend - mp1->b_wptr); 2018 freemsg(mp->b_cont); 2019 mp->b_cont = mp1; 2020 break; 2021 default: 2022 if (mp != NULL) 2023 freemsg(mp); 2024 return; 2025 } 2026 2027 /* ksi is now null and void. */ 2028 kso = (keysock_out_t *)ksi; 2029 kso->ks_out_type = KEYSOCK_OUT; 2030 kso->ks_out_len = sizeof (*kso); 2031 kso->ks_out_serial = ksi->ks_in_serial; 2032 /* We're ready to send... */ 2033 putnext(pfkey_q, mp); 2034 } 2035 2036 /* 2037 * Set up a global pfkey_q instance for AH, ESP, or some other consumer. 2038 */ 2039 void 2040 sadb_keysock_hello(queue_t **pfkey_qp, queue_t *q, mblk_t *mp, 2041 void (*ager)(void *), void *agerarg, timeout_id_t *top, int satype) 2042 { 2043 keysock_hello_ack_t *kha; 2044 queue_t *oldq; 2045 2046 ASSERT(OTHERQ(q) != NULL); 2047 2048 /* 2049 * First, check atomically that I'm the first and only keysock 2050 * instance. 2051 * 2052 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp), 2053 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY 2054 * messages. 2055 */ 2056 2057 oldq = casptr((void **)pfkey_qp, NULL, OTHERQ(q)); 2058 if (oldq != NULL) { 2059 ASSERT(oldq != q); 2060 cmn_err(CE_WARN, "Danger! Multiple keysocks on top of %s.\n", 2061 (satype == SADB_SATYPE_ESP)? "ESP" : "AH or other"); 2062 freemsg(mp); 2063 return; 2064 } 2065 2066 kha = (keysock_hello_ack_t *)mp->b_rptr; 2067 kha->ks_hello_len = sizeof (keysock_hello_ack_t); 2068 kha->ks_hello_type = KEYSOCK_HELLO_ACK; 2069 kha->ks_hello_satype = (uint8_t)satype; 2070 2071 /* 2072 * If we made it past the casptr, then we have "exclusive" access 2073 * to the timeout handle. Fire it off in 4 seconds, because it 2074 * just seems like a good interval. 2075 */ 2076 *top = qtimeout(*pfkey_qp, ager, agerarg, drv_usectohz(4000000)); 2077 2078 putnext(*pfkey_qp, mp); 2079 } 2080 2081 /* 2082 * Normalize IPv4-mapped IPv6 addresses (and prefixes) as appropriate. 2083 * 2084 * Check addresses themselves for wildcard or multicast. 2085 * Check ire table for local/non-local/broadcast. 2086 */ 2087 int 2088 sadb_addrcheck(queue_t *pfkey_q, mblk_t *mp, sadb_ext_t *ext, uint_t serial, 2089 netstack_t *ns) 2090 { 2091 sadb_address_t *addr = (sadb_address_t *)ext; 2092 struct sockaddr_in *sin; 2093 struct sockaddr_in6 *sin6; 2094 ire_t *ire; 2095 int diagnostic, type; 2096 boolean_t normalized = B_FALSE; 2097 2098 ASSERT(ext != NULL); 2099 ASSERT((ext->sadb_ext_type == SADB_EXT_ADDRESS_SRC) || 2100 (ext->sadb_ext_type == SADB_EXT_ADDRESS_DST) || 2101 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) || 2102 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) || 2103 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_LOC) || 2104 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_REM)); 2105 2106 /* Assign both sockaddrs, the compiler will do the right thing. */ 2107 sin = (struct sockaddr_in *)(addr + 1); 2108 sin6 = (struct sockaddr_in6 *)(addr + 1); 2109 2110 if (sin6->sin6_family == AF_INET6) { 2111 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { 2112 /* 2113 * Convert to an AF_INET sockaddr. This means the 2114 * return messages will have the extra space, but have 2115 * AF_INET sockaddrs instead of AF_INET6. 2116 * 2117 * Yes, RFC 2367 isn't clear on what to do here w.r.t. 2118 * mapped addresses, but since AF_INET6 ::ffff:<v4> is 2119 * equal to AF_INET <v4>, it shouldnt be a huge 2120 * problem. 2121 */ 2122 sin->sin_family = AF_INET; 2123 IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, 2124 &sin->sin_addr); 2125 bzero(&sin->sin_zero, sizeof (sin->sin_zero)); 2126 normalized = B_TRUE; 2127 } 2128 } else if (sin->sin_family != AF_INET) { 2129 switch (ext->sadb_ext_type) { 2130 case SADB_EXT_ADDRESS_SRC: 2131 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC_AF; 2132 break; 2133 case SADB_EXT_ADDRESS_DST: 2134 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 2135 break; 2136 case SADB_X_EXT_ADDRESS_INNER_SRC: 2137 diagnostic = SADB_X_DIAGNOSTIC_BAD_PROXY_AF; 2138 break; 2139 case SADB_X_EXT_ADDRESS_INNER_DST: 2140 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF; 2141 break; 2142 case SADB_X_EXT_ADDRESS_NATT_LOC: 2143 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF; 2144 break; 2145 case SADB_X_EXT_ADDRESS_NATT_REM: 2146 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF; 2147 break; 2148 /* There is no default, see above ASSERT. */ 2149 } 2150 bail: 2151 if (pfkey_q != NULL) { 2152 sadb_pfkey_error(pfkey_q, mp, EINVAL, diagnostic, 2153 serial); 2154 } else { 2155 /* 2156 * Scribble in sadb_msg that we got passed in. 2157 * Overload "mp" to be an sadb_msg pointer. 2158 */ 2159 sadb_msg_t *samsg = (sadb_msg_t *)mp; 2160 2161 samsg->sadb_msg_errno = EINVAL; 2162 samsg->sadb_x_msg_diagnostic = diagnostic; 2163 } 2164 return (KS_IN_ADDR_UNKNOWN); 2165 } 2166 2167 if (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC || 2168 ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) { 2169 /* 2170 * We need only check for prefix issues. 2171 */ 2172 2173 /* Set diagnostic now, in case we need it later. */ 2174 diagnostic = 2175 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) ? 2176 SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC : 2177 SADB_X_DIAGNOSTIC_PREFIX_INNER_DST; 2178 2179 if (normalized) 2180 addr->sadb_address_prefixlen -= 96; 2181 2182 /* 2183 * Verify and mask out inner-addresses based on prefix length. 2184 */ 2185 if (sin->sin_family == AF_INET) { 2186 if (addr->sadb_address_prefixlen > 32) 2187 goto bail; 2188 sin->sin_addr.s_addr &= 2189 ip_plen_to_mask(addr->sadb_address_prefixlen); 2190 } else { 2191 in6_addr_t mask; 2192 2193 ASSERT(sin->sin_family == AF_INET6); 2194 /* 2195 * ip_plen_to_mask_v6() returns NULL if the value in 2196 * question is out of range. 2197 */ 2198 if (ip_plen_to_mask_v6(addr->sadb_address_prefixlen, 2199 &mask) == NULL) 2200 goto bail; 2201 sin6->sin6_addr.s6_addr32[0] &= mask.s6_addr32[0]; 2202 sin6->sin6_addr.s6_addr32[1] &= mask.s6_addr32[1]; 2203 sin6->sin6_addr.s6_addr32[2] &= mask.s6_addr32[2]; 2204 sin6->sin6_addr.s6_addr32[3] &= mask.s6_addr32[3]; 2205 } 2206 2207 /* We don't care in these cases. */ 2208 return (KS_IN_ADDR_DONTCARE); 2209 } 2210 2211 if (sin->sin_family == AF_INET6) { 2212 /* Check the easy ones now. */ 2213 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) 2214 return (KS_IN_ADDR_MBCAST); 2215 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) 2216 return (KS_IN_ADDR_UNSPEC); 2217 /* 2218 * At this point, we're a unicast IPv6 address. 2219 * 2220 * A ctable lookup for local is sufficient here. If we're 2221 * local, return KS_IN_ADDR_ME, otherwise KS_IN_ADDR_NOTME. 2222 * 2223 * XXX Zones alert -> me/notme decision needs to be tempered 2224 * by what zone we're in when we go to zone-aware IPsec. 2225 */ 2226 ire = ire_ctable_lookup_v6(&sin6->sin6_addr, NULL, 2227 IRE_LOCAL, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 2228 ns->netstack_ip); 2229 if (ire != NULL) { 2230 /* Hey hey, it's local. */ 2231 IRE_REFRELE(ire); 2232 return (KS_IN_ADDR_ME); 2233 } 2234 } else { 2235 ASSERT(sin->sin_family == AF_INET); 2236 if (sin->sin_addr.s_addr == INADDR_ANY) 2237 return (KS_IN_ADDR_UNSPEC); 2238 if (CLASSD(sin->sin_addr.s_addr)) 2239 return (KS_IN_ADDR_MBCAST); 2240 /* 2241 * At this point we're a unicast or broadcast IPv4 address. 2242 * 2243 * Lookup on the ctable for IRE_BROADCAST or IRE_LOCAL. 2244 * A NULL return value is NOTME, otherwise, look at the 2245 * returned ire for broadcast or not and return accordingly. 2246 * 2247 * XXX Zones alert -> me/notme decision needs to be tempered 2248 * by what zone we're in when we go to zone-aware IPsec. 2249 */ 2250 ire = ire_ctable_lookup(sin->sin_addr.s_addr, 0, 2251 IRE_LOCAL | IRE_BROADCAST, NULL, ALL_ZONES, NULL, 2252 MATCH_IRE_TYPE, ns->netstack_ip); 2253 if (ire != NULL) { 2254 /* Check for local or broadcast */ 2255 type = ire->ire_type; 2256 IRE_REFRELE(ire); 2257 ASSERT(type == IRE_LOCAL || type == IRE_BROADCAST); 2258 return ((type == IRE_LOCAL) ? KS_IN_ADDR_ME : 2259 KS_IN_ADDR_MBCAST); 2260 } 2261 } 2262 2263 return (KS_IN_ADDR_NOTME); 2264 } 2265 2266 /* 2267 * Address normalizations and reality checks for inbound PF_KEY messages. 2268 * 2269 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert 2270 * the source to AF_INET. Do the same for the inner sources. 2271 */ 2272 boolean_t 2273 sadb_addrfix(keysock_in_t *ksi, queue_t *pfkey_q, mblk_t *mp, netstack_t *ns) 2274 { 2275 struct sockaddr_in *src, *isrc; 2276 struct sockaddr_in6 *dst, *idst; 2277 sadb_address_t *srcext, *dstext; 2278 uint16_t sport; 2279 sadb_ext_t **extv = ksi->ks_in_extv; 2280 int rc; 2281 2282 if (extv[SADB_EXT_ADDRESS_SRC] != NULL) { 2283 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_SRC], 2284 ksi->ks_in_serial, ns); 2285 if (rc == KS_IN_ADDR_UNKNOWN) 2286 return (B_FALSE); 2287 if (rc == KS_IN_ADDR_MBCAST) { 2288 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2289 SADB_X_DIAGNOSTIC_BAD_SRC, ksi->ks_in_serial); 2290 return (B_FALSE); 2291 } 2292 ksi->ks_in_srctype = rc; 2293 } 2294 2295 if (extv[SADB_EXT_ADDRESS_DST] != NULL) { 2296 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_DST], 2297 ksi->ks_in_serial, ns); 2298 if (rc == KS_IN_ADDR_UNKNOWN) 2299 return (B_FALSE); 2300 if (rc == KS_IN_ADDR_UNSPEC) { 2301 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2302 SADB_X_DIAGNOSTIC_BAD_DST, ksi->ks_in_serial); 2303 return (B_FALSE); 2304 } 2305 ksi->ks_in_dsttype = rc; 2306 } 2307 2308 /* 2309 * NAT-Traversal addrs are simple enough to not require all of 2310 * the checks in sadb_addrcheck(). Just normalize or reject if not 2311 * AF_INET. 2312 */ 2313 if (extv[SADB_X_EXT_ADDRESS_NATT_LOC] != NULL) { 2314 rc = sadb_addrcheck(pfkey_q, mp, 2315 extv[SADB_X_EXT_ADDRESS_NATT_LOC], ksi->ks_in_serial, ns); 2316 2317 /* 2318 * Local NAT-T addresses never use an IRE_LOCAL, so it should 2319 * always be NOTME, or UNSPEC (to handle both tunnel mode 2320 * AND local-port flexibility). 2321 */ 2322 if (rc != KS_IN_ADDR_NOTME && rc != KS_IN_ADDR_UNSPEC) { 2323 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2324 SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC, 2325 ksi->ks_in_serial); 2326 return (B_FALSE); 2327 } 2328 src = (struct sockaddr_in *) 2329 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_LOC]) + 1); 2330 if (src->sin_family != AF_INET) { 2331 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2332 SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF, 2333 ksi->ks_in_serial); 2334 return (B_FALSE); 2335 } 2336 } 2337 2338 if (extv[SADB_X_EXT_ADDRESS_NATT_REM] != NULL) { 2339 rc = sadb_addrcheck(pfkey_q, mp, 2340 extv[SADB_X_EXT_ADDRESS_NATT_REM], ksi->ks_in_serial, ns); 2341 2342 /* 2343 * Remote NAT-T addresses never use an IRE_LOCAL, so it should 2344 * always be NOTME, or UNSPEC if it's a tunnel-mode SA. 2345 */ 2346 if (rc != KS_IN_ADDR_NOTME && 2347 !(extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL && 2348 rc == KS_IN_ADDR_UNSPEC)) { 2349 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2350 SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM, 2351 ksi->ks_in_serial); 2352 return (B_FALSE); 2353 } 2354 src = (struct sockaddr_in *) 2355 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_REM]) + 1); 2356 if (src->sin_family != AF_INET) { 2357 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2358 SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF, 2359 ksi->ks_in_serial); 2360 return (B_FALSE); 2361 } 2362 } 2363 2364 if (extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL) { 2365 if (extv[SADB_X_EXT_ADDRESS_INNER_DST] == NULL) { 2366 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2367 SADB_X_DIAGNOSTIC_MISSING_INNER_DST, 2368 ksi->ks_in_serial); 2369 return (B_FALSE); 2370 } 2371 2372 if (sadb_addrcheck(pfkey_q, mp, 2373 extv[SADB_X_EXT_ADDRESS_INNER_DST], ksi->ks_in_serial, ns) 2374 == KS_IN_ADDR_UNKNOWN || 2375 sadb_addrcheck(pfkey_q, mp, 2376 extv[SADB_X_EXT_ADDRESS_INNER_SRC], ksi->ks_in_serial, ns) 2377 == KS_IN_ADDR_UNKNOWN) 2378 return (B_FALSE); 2379 2380 isrc = (struct sockaddr_in *) 2381 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC]) + 2382 1); 2383 idst = (struct sockaddr_in6 *) 2384 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]) + 2385 1); 2386 if (isrc->sin_family != idst->sin6_family) { 2387 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2388 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH, 2389 ksi->ks_in_serial); 2390 return (B_FALSE); 2391 } 2392 } else if (extv[SADB_X_EXT_ADDRESS_INNER_DST] != NULL) { 2393 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2394 SADB_X_DIAGNOSTIC_MISSING_INNER_SRC, 2395 ksi->ks_in_serial); 2396 return (B_FALSE); 2397 } else { 2398 isrc = NULL; /* For inner/outer port check below. */ 2399 } 2400 2401 dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST]; 2402 srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC]; 2403 2404 if (dstext == NULL || srcext == NULL) 2405 return (B_TRUE); 2406 2407 dst = (struct sockaddr_in6 *)(dstext + 1); 2408 src = (struct sockaddr_in *)(srcext + 1); 2409 2410 if (isrc != NULL && 2411 (isrc->sin_port != 0 || idst->sin6_port != 0) && 2412 (src->sin_port != 0 || dst->sin6_port != 0)) { 2413 /* Can't set inner and outer ports in one SA. */ 2414 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2415 SADB_X_DIAGNOSTIC_DUAL_PORT_SETS, 2416 ksi->ks_in_serial); 2417 return (B_FALSE); 2418 } 2419 2420 if (dst->sin6_family == src->sin_family) 2421 return (B_TRUE); 2422 2423 if (srcext->sadb_address_proto != dstext->sadb_address_proto) { 2424 if (srcext->sadb_address_proto == 0) { 2425 srcext->sadb_address_proto = dstext->sadb_address_proto; 2426 } else if (dstext->sadb_address_proto == 0) { 2427 dstext->sadb_address_proto = srcext->sadb_address_proto; 2428 } else { 2429 /* Inequal protocols, neither were 0. Report error. */ 2430 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2431 SADB_X_DIAGNOSTIC_PROTO_MISMATCH, 2432 ksi->ks_in_serial); 2433 return (B_FALSE); 2434 } 2435 } 2436 2437 /* 2438 * With the exception of an unspec IPv6 source and an IPv4 2439 * destination, address families MUST me matched. 2440 */ 2441 if (src->sin_family == AF_INET || 2442 ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) { 2443 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2444 SADB_X_DIAGNOSTIC_AF_MISMATCH, ksi->ks_in_serial); 2445 return (B_FALSE); 2446 } 2447 2448 /* 2449 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being 2450 * in the same place for sockaddr_in and sockaddr_in6. 2451 */ 2452 sport = src->sin_port; 2453 bzero(src, sizeof (*src)); 2454 src->sin_family = AF_INET; 2455 src->sin_port = sport; 2456 2457 return (B_TRUE); 2458 } 2459 2460 /* 2461 * Set the results in "addrtype", given an IRE as requested by 2462 * sadb_addrcheck(). 2463 */ 2464 int 2465 sadb_addrset(ire_t *ire) 2466 { 2467 if ((ire->ire_type & IRE_BROADCAST) || 2468 (ire->ire_ipversion == IPV4_VERSION && CLASSD(ire->ire_addr)) || 2469 (ire->ire_ipversion == IPV6_VERSION && 2470 IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6)))) 2471 return (KS_IN_ADDR_MBCAST); 2472 if (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) 2473 return (KS_IN_ADDR_ME); 2474 return (KS_IN_ADDR_NOTME); 2475 } 2476 2477 2478 /* 2479 * Walker callback function to delete sa's based on src/dst address. 2480 * Assumes that we're called with *head locked, no other locks held; 2481 * Conveniently, and not coincidentally, this is both what sadb_walker 2482 * gives us and also what sadb_unlinkassoc expects. 2483 */ 2484 2485 struct sadb_purge_state 2486 { 2487 uint32_t *src; 2488 uint32_t *dst; 2489 sa_family_t af; 2490 boolean_t inbnd; 2491 char *sidstr; 2492 char *didstr; 2493 uint16_t sidtype; 2494 uint16_t didtype; 2495 uint32_t kmproto; 2496 uint8_t sadb_sa_state; 2497 mblk_t *mq; 2498 sadb_t *sp; 2499 }; 2500 2501 static void 2502 sadb_purge_cb(isaf_t *head, ipsa_t *entry, void *cookie) 2503 { 2504 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2505 2506 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2507 2508 mutex_enter(&entry->ipsa_lock); 2509 2510 if ((entry->ipsa_state == IPSA_STATE_LARVAL) || 2511 (ps->src != NULL && 2512 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, ps->src, ps->af)) || 2513 (ps->dst != NULL && 2514 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_dstaddr, ps->dst, ps->af)) || 2515 (ps->didstr != NULL && (entry->ipsa_dst_cid != NULL) && 2516 !(ps->didtype == entry->ipsa_dst_cid->ipsid_type && 2517 strcmp(ps->didstr, entry->ipsa_dst_cid->ipsid_cid) == 0)) || 2518 (ps->sidstr != NULL && (entry->ipsa_src_cid != NULL) && 2519 !(ps->sidtype == entry->ipsa_src_cid->ipsid_type && 2520 strcmp(ps->sidstr, entry->ipsa_src_cid->ipsid_cid) == 0)) || 2521 (ps->kmproto <= SADB_X_KMP_MAX && ps->kmproto != entry->ipsa_kmp)) { 2522 mutex_exit(&entry->ipsa_lock); 2523 return; 2524 } 2525 2526 if (ps->inbnd) { 2527 sadb_delete_cluster(entry); 2528 } 2529 entry->ipsa_state = IPSA_STATE_DEAD; 2530 (void) sadb_torch_assoc(head, entry, ps->inbnd, &ps->mq); 2531 } 2532 2533 /* 2534 * Common code to purge an SA with a matching src or dst address. 2535 * Don't kill larval SA's in such a purge. 2536 */ 2537 int 2538 sadb_purge_sa(mblk_t *mp, keysock_in_t *ksi, sadb_t *sp, queue_t *pfkey_q, 2539 queue_t *ip_q) 2540 { 2541 sadb_address_t *dstext = 2542 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2543 sadb_address_t *srcext = 2544 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2545 sadb_ident_t *dstid = 2546 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 2547 sadb_ident_t *srcid = 2548 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 2549 sadb_x_kmc_t *kmc = 2550 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 2551 struct sockaddr_in *src, *dst; 2552 struct sockaddr_in6 *src6, *dst6; 2553 struct sadb_purge_state ps; 2554 2555 /* 2556 * Don't worry about IPv6 v4-mapped addresses, sadb_addrcheck() 2557 * takes care of them. 2558 */ 2559 2560 /* enforced by caller */ 2561 ASSERT((dstext != NULL) || (srcext != NULL)); 2562 2563 ps.src = NULL; 2564 ps.dst = NULL; 2565 #ifdef DEBUG 2566 ps.af = (sa_family_t)-1; 2567 #endif 2568 ps.mq = NULL; 2569 ps.sidstr = NULL; 2570 ps.didstr = NULL; 2571 ps.kmproto = SADB_X_KMP_MAX + 1; 2572 2573 if (dstext != NULL) { 2574 dst = (struct sockaddr_in *)(dstext + 1); 2575 ps.af = dst->sin_family; 2576 if (dst->sin_family == AF_INET6) { 2577 dst6 = (struct sockaddr_in6 *)dst; 2578 ps.dst = (uint32_t *)&dst6->sin6_addr; 2579 } else { 2580 ps.dst = (uint32_t *)&dst->sin_addr; 2581 } 2582 } 2583 2584 if (srcext != NULL) { 2585 src = (struct sockaddr_in *)(srcext + 1); 2586 ps.af = src->sin_family; 2587 if (src->sin_family == AF_INET6) { 2588 src6 = (struct sockaddr_in6 *)(srcext + 1); 2589 ps.src = (uint32_t *)&src6->sin6_addr; 2590 } else { 2591 ps.src = (uint32_t *)&src->sin_addr; 2592 } 2593 ASSERT(dstext == NULL || src->sin_family == dst->sin_family); 2594 } 2595 2596 ASSERT(ps.af != (sa_family_t)-1); 2597 2598 if (dstid != NULL) { 2599 /* 2600 * NOTE: May need to copy string in the future 2601 * if the inbound keysock message disappears for some strange 2602 * reason. 2603 */ 2604 ps.didstr = (char *)(dstid + 1); 2605 ps.didtype = dstid->sadb_ident_type; 2606 } 2607 2608 if (srcid != NULL) { 2609 /* 2610 * NOTE: May need to copy string in the future 2611 * if the inbound keysock message disappears for some strange 2612 * reason. 2613 */ 2614 ps.sidstr = (char *)(srcid + 1); 2615 ps.sidtype = srcid->sadb_ident_type; 2616 } 2617 2618 if (kmc != NULL) 2619 ps.kmproto = kmc->sadb_x_kmc_proto; 2620 2621 /* 2622 * This is simple, crude, and effective. 2623 * Unimplemented optimizations (TBD): 2624 * - we can limit how many places we search based on where we 2625 * think the SA is filed. 2626 * - if we get a dst address, we can hash based on dst addr to find 2627 * the correct bucket in the outbound table. 2628 */ 2629 ps.inbnd = B_TRUE; 2630 sadb_walker(sp->sdb_if, sp->sdb_hashsize, sadb_purge_cb, &ps); 2631 ps.inbnd = B_FALSE; 2632 sadb_walker(sp->sdb_of, sp->sdb_hashsize, sadb_purge_cb, &ps); 2633 2634 if (ps.mq != NULL) 2635 sadb_drain_torchq(ip_q, ps.mq); 2636 2637 ASSERT(mp->b_cont != NULL); 2638 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi, 2639 NULL); 2640 return (0); 2641 } 2642 2643 static void 2644 sadb_delpair_state(isaf_t *head, ipsa_t *entry, void *cookie) 2645 { 2646 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2647 isaf_t *inbound_bucket; 2648 ipsa_t *peer_assoc; 2649 2650 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2651 2652 mutex_enter(&entry->ipsa_lock); 2653 2654 if ((entry->ipsa_state != ps->sadb_sa_state) || 2655 ((ps->src != NULL) && 2656 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, ps->src, ps->af))) { 2657 mutex_exit(&entry->ipsa_lock); 2658 return; 2659 } 2660 2661 /* 2662 * The isaf_t *, which is passed in , is always an outbound bucket, 2663 * and we are preserving the outbound-then-inbound hash-bucket lock 2664 * ordering. The sadb_walker() which triggers this function is called 2665 * only on the outbound fanout, and the corresponding inbound bucket 2666 * lock is safe to acquire here. 2667 */ 2668 2669 if (entry->ipsa_haspeer) { 2670 inbound_bucket = INBOUND_BUCKET(ps->sp, entry->ipsa_spi); 2671 mutex_enter(&inbound_bucket->isaf_lock); 2672 peer_assoc = ipsec_getassocbyspi(inbound_bucket, 2673 entry->ipsa_spi, entry->ipsa_srcaddr, 2674 entry->ipsa_dstaddr, entry->ipsa_addrfam); 2675 } else { 2676 inbound_bucket = INBOUND_BUCKET(ps->sp, entry->ipsa_otherspi); 2677 mutex_enter(&inbound_bucket->isaf_lock); 2678 peer_assoc = ipsec_getassocbyspi(inbound_bucket, 2679 entry->ipsa_otherspi, entry->ipsa_dstaddr, 2680 entry->ipsa_srcaddr, entry->ipsa_addrfam); 2681 } 2682 2683 entry->ipsa_state = IPSA_STATE_DEAD; 2684 (void) sadb_torch_assoc(head, entry, B_FALSE, &ps->mq); 2685 if (peer_assoc != NULL) { 2686 mutex_enter(&peer_assoc->ipsa_lock); 2687 peer_assoc->ipsa_state = IPSA_STATE_DEAD; 2688 (void) sadb_torch_assoc(inbound_bucket, peer_assoc, 2689 B_FALSE, &ps->mq); 2690 } 2691 mutex_exit(&inbound_bucket->isaf_lock); 2692 } 2693 2694 /* 2695 * Common code to delete/get an SA. 2696 */ 2697 int 2698 sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp, 2699 int *diagnostic, queue_t *pfkey_q, uint8_t sadb_msg_type) 2700 { 2701 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2702 sadb_address_t *srcext = 2703 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2704 sadb_address_t *dstext = 2705 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2706 ipsa_t *echo_target = NULL; 2707 ipsap_t *ipsapp; 2708 mblk_t *torchq = NULL; 2709 uint_t error = 0; 2710 2711 if (assoc == NULL) { 2712 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 2713 return (EINVAL); 2714 } 2715 2716 if (sadb_msg_type == SADB_X_DELPAIR_STATE) { 2717 struct sockaddr_in *src; 2718 struct sockaddr_in6 *src6; 2719 struct sadb_purge_state ps; 2720 2721 if (srcext == NULL) { 2722 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 2723 return (EINVAL); 2724 } 2725 ps.src = NULL; 2726 ps.mq = NULL; 2727 src = (struct sockaddr_in *)(srcext + 1); 2728 ps.af = src->sin_family; 2729 if (src->sin_family == AF_INET6) { 2730 src6 = (struct sockaddr_in6 *)(srcext + 1); 2731 ps.src = (uint32_t *)&src6->sin6_addr; 2732 ps.sp = &spp->s_v6; 2733 } else { 2734 ps.src = (uint32_t *)&src->sin_addr; 2735 ps.sp = &spp->s_v4; 2736 } 2737 ps.inbnd = B_FALSE; 2738 ps.sadb_sa_state = assoc->sadb_sa_state; 2739 sadb_walker(ps.sp->sdb_of, ps.sp->sdb_hashsize, 2740 sadb_delpair_state, &ps); 2741 2742 if (ps.mq != NULL) 2743 sadb_drain_torchq(pfkey_q, ps.mq); 2744 2745 ASSERT(mp->b_cont != NULL); 2746 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 2747 ksi, NULL); 2748 return (0); 2749 } 2750 2751 if (dstext == NULL) { 2752 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 2753 return (EINVAL); 2754 } 2755 2756 ipsapp = get_ipsa_pair(assoc, srcext, dstext, spp); 2757 if (ipsapp == NULL) { 2758 *diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND; 2759 return (ESRCH); 2760 } 2761 2762 echo_target = ipsapp->ipsap_sa_ptr; 2763 if (echo_target == NULL) 2764 echo_target = ipsapp->ipsap_psa_ptr; 2765 2766 if (sadb_msg_type == SADB_DELETE || sadb_msg_type == SADB_X_DELPAIR) { 2767 /* 2768 * Bucket locks will be required if SA is actually unlinked. 2769 * get_ipsa_pair() returns valid hash bucket pointers even 2770 * if it can't find a pair SA pointer. 2771 */ 2772 mutex_enter(&ipsapp->ipsap_bucket->isaf_lock); 2773 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock); 2774 2775 if (ipsapp->ipsap_sa_ptr != NULL) { 2776 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2777 if (ipsapp->ipsap_sa_ptr->ipsa_flags & IPSA_F_INBOUND) { 2778 sadb_delete_cluster(ipsapp->ipsap_sa_ptr); 2779 } 2780 ipsapp->ipsap_sa_ptr->ipsa_state = IPSA_STATE_DEAD; 2781 (void) sadb_torch_assoc(ipsapp->ipsap_bucket, 2782 ipsapp->ipsap_sa_ptr, B_FALSE, &torchq); 2783 /* 2784 * sadb_torch_assoc() releases the ipsa_lock 2785 * and calls sadb_unlinkassoc() which does a 2786 * IPSA_REFRELE. 2787 */ 2788 } 2789 if (ipsapp->ipsap_psa_ptr != NULL) { 2790 mutex_enter(&ipsapp->ipsap_psa_ptr->ipsa_lock); 2791 if (sadb_msg_type == SADB_X_DELPAIR) { 2792 if (ipsapp->ipsap_psa_ptr->ipsa_flags & 2793 IPSA_F_INBOUND) { 2794 sadb_delete_cluster( 2795 ipsapp->ipsap_psa_ptr); 2796 } 2797 ipsapp->ipsap_psa_ptr->ipsa_state = 2798 IPSA_STATE_DEAD; 2799 (void) sadb_torch_assoc(ipsapp->ipsap_pbucket, 2800 ipsapp->ipsap_psa_ptr, B_FALSE, &torchq); 2801 } else { 2802 /* 2803 * Only half of the "pair" has been deleted. 2804 * Update the remaining SA and remove references 2805 * to its pair SA, which is now gone. 2806 */ 2807 ipsapp->ipsap_psa_ptr->ipsa_otherspi = 0; 2808 ipsapp->ipsap_psa_ptr->ipsa_flags &= 2809 ~IPSA_F_PAIRED; 2810 mutex_exit(&ipsapp->ipsap_psa_ptr->ipsa_lock); 2811 } 2812 } else if (sadb_msg_type == SADB_X_DELPAIR) { 2813 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 2814 error = ESRCH; 2815 } 2816 mutex_exit(&ipsapp->ipsap_bucket->isaf_lock); 2817 mutex_exit(&ipsapp->ipsap_pbucket->isaf_lock); 2818 } 2819 2820 if (torchq != NULL) 2821 sadb_drain_torchq(spp->s_ip_q, torchq); 2822 2823 ASSERT(mp->b_cont != NULL); 2824 2825 if (error == 0) 2826 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *) 2827 mp->b_cont->b_rptr, ksi, echo_target); 2828 2829 destroy_ipsa_pair(ipsapp); 2830 2831 return (error); 2832 } 2833 2834 /* 2835 * This function takes a sadb_sa_t and finds the ipsa_t structure 2836 * and the isaf_t (hash bucket) that its stored under. If the security 2837 * association has a peer, the ipsa_t structure and bucket for that security 2838 * association are also searched for. The "pair" of ipsa_t's and isaf_t's 2839 * are returned as a ipsap_t. 2840 * 2841 * Note that a "pair" is defined as one (but not both) of the following: 2842 * 2843 * A security association which has a soft reference to another security 2844 * association via its SPI. 2845 * 2846 * A security association that is not obviously "inbound" or "outbound" so 2847 * it appears in both hash tables, the "peer" being the same security 2848 * association in the other hash table. 2849 * 2850 * This function will return NULL if the ipsa_t can't be found in the 2851 * inbound or outbound hash tables (not found). If only one ipsa_t is 2852 * found, the pair ipsa_t will be NULL. Both isaf_t values are valid 2853 * provided at least one ipsa_t is found. 2854 */ 2855 ipsap_t * 2856 get_ipsa_pair(sadb_sa_t *assoc, sadb_address_t *srcext, sadb_address_t *dstext, 2857 sadbp_t *spp) 2858 { 2859 struct sockaddr_in *src, *dst; 2860 struct sockaddr_in6 *src6, *dst6; 2861 sadb_t *sp; 2862 uint32_t *srcaddr, *dstaddr; 2863 isaf_t *outbound_bucket, *inbound_bucket; 2864 boolean_t in_inbound_table = B_FALSE; 2865 ipsap_t *ipsapp; 2866 sa_family_t af; 2867 2868 uint32_t pair_srcaddr[IPSA_MAX_ADDRLEN]; 2869 uint32_t pair_dstaddr[IPSA_MAX_ADDRLEN]; 2870 uint32_t pair_spi; 2871 2872 ipsapp = kmem_zalloc(sizeof (*ipsapp), KM_NOSLEEP); 2873 if (ipsapp == NULL) 2874 return (NULL); 2875 2876 /* 2877 * Don't worry about IPv6 v4-mapped addresses, sadb_addrcheck() 2878 * takes care of them. 2879 */ 2880 2881 dst = (struct sockaddr_in *)(dstext + 1); 2882 af = dst->sin_family; 2883 if (af == AF_INET6) { 2884 sp = &spp->s_v6; 2885 dst6 = (struct sockaddr_in6 *)dst; 2886 dstaddr = (uint32_t *)&dst6->sin6_addr; 2887 if (srcext != NULL) { 2888 src6 = (struct sockaddr_in6 *)(srcext + 1); 2889 srcaddr = (uint32_t *)&src6->sin6_addr; 2890 ASSERT(src6->sin6_family == af); 2891 ASSERT(src6->sin6_family == AF_INET6); 2892 } else { 2893 srcaddr = ALL_ZEROES_PTR; 2894 } 2895 outbound_bucket = OUTBOUND_BUCKET_V6(sp, 2896 *(uint32_t *)dstaddr); 2897 } else { 2898 sp = &spp->s_v4; 2899 dstaddr = (uint32_t *)&dst->sin_addr; 2900 if (srcext != NULL) { 2901 src = (struct sockaddr_in *)(srcext + 1); 2902 srcaddr = (uint32_t *)&src->sin_addr; 2903 ASSERT(src->sin_family == af); 2904 ASSERT(src->sin_family == AF_INET); 2905 } else { 2906 srcaddr = ALL_ZEROES_PTR; 2907 } 2908 outbound_bucket = OUTBOUND_BUCKET_V4(sp, 2909 *(uint32_t *)dstaddr); 2910 } 2911 2912 inbound_bucket = INBOUND_BUCKET(sp, assoc->sadb_sa_spi); 2913 2914 /* Lock down both buckets. */ 2915 mutex_enter(&outbound_bucket->isaf_lock); 2916 mutex_enter(&inbound_bucket->isaf_lock); 2917 2918 if (assoc->sadb_sa_flags & IPSA_F_INBOUND) { 2919 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(inbound_bucket, 2920 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2921 if (ipsapp->ipsap_sa_ptr != NULL) { 2922 ipsapp->ipsap_bucket = inbound_bucket; 2923 ipsapp->ipsap_pbucket = outbound_bucket; 2924 in_inbound_table = B_TRUE; 2925 } else { 2926 ipsapp->ipsap_sa_ptr = 2927 ipsec_getassocbyspi(outbound_bucket, 2928 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2929 ipsapp->ipsap_bucket = outbound_bucket; 2930 ipsapp->ipsap_pbucket = inbound_bucket; 2931 } 2932 } else { 2933 /* IPSA_F_OUTBOUND is set *or* no directions flags set. */ 2934 ipsapp->ipsap_sa_ptr = 2935 ipsec_getassocbyspi(outbound_bucket, 2936 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2937 if (ipsapp->ipsap_sa_ptr != NULL) { 2938 ipsapp->ipsap_bucket = outbound_bucket; 2939 ipsapp->ipsap_pbucket = inbound_bucket; 2940 } else { 2941 ipsapp->ipsap_sa_ptr = 2942 ipsec_getassocbyspi(inbound_bucket, 2943 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2944 ipsapp->ipsap_bucket = inbound_bucket; 2945 ipsapp->ipsap_pbucket = outbound_bucket; 2946 if (ipsapp->ipsap_sa_ptr != NULL) 2947 in_inbound_table = B_TRUE; 2948 } 2949 } 2950 2951 if (ipsapp->ipsap_sa_ptr == NULL) { 2952 mutex_exit(&outbound_bucket->isaf_lock); 2953 mutex_exit(&inbound_bucket->isaf_lock); 2954 kmem_free(ipsapp, sizeof (*ipsapp)); 2955 return (NULL); 2956 } 2957 2958 if ((ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) && 2959 in_inbound_table) { 2960 mutex_exit(&outbound_bucket->isaf_lock); 2961 mutex_exit(&inbound_bucket->isaf_lock); 2962 return (ipsapp); 2963 } 2964 2965 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2966 if (ipsapp->ipsap_sa_ptr->ipsa_haspeer) { 2967 /* 2968 * haspeer implies no sa_pairing, look for same spi 2969 * in other hashtable. 2970 */ 2971 ipsapp->ipsap_psa_ptr = 2972 ipsec_getassocbyspi(ipsapp->ipsap_pbucket, 2973 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2974 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2975 mutex_exit(&outbound_bucket->isaf_lock); 2976 mutex_exit(&inbound_bucket->isaf_lock); 2977 return (ipsapp); 2978 } 2979 pair_spi = ipsapp->ipsap_sa_ptr->ipsa_otherspi; 2980 IPSA_COPY_ADDR(&pair_srcaddr, 2981 ipsapp->ipsap_sa_ptr->ipsa_srcaddr, af); 2982 IPSA_COPY_ADDR(&pair_dstaddr, 2983 ipsapp->ipsap_sa_ptr->ipsa_dstaddr, af); 2984 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2985 mutex_exit(&outbound_bucket->isaf_lock); 2986 mutex_exit(&inbound_bucket->isaf_lock); 2987 2988 if (pair_spi == 0) { 2989 ASSERT(ipsapp->ipsap_bucket != NULL); 2990 ASSERT(ipsapp->ipsap_pbucket != NULL); 2991 return (ipsapp); 2992 } 2993 2994 /* found sa in outbound sadb, peer should be inbound */ 2995 2996 if (in_inbound_table) { 2997 /* Found SA in inbound table, pair will be in outbound. */ 2998 if (af == AF_INET6) { 2999 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V6(sp, 3000 *(uint32_t *)pair_srcaddr); 3001 } else { 3002 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V4(sp, 3003 *(uint32_t *)pair_srcaddr); 3004 } 3005 } else { 3006 ipsapp->ipsap_pbucket = INBOUND_BUCKET(sp, pair_spi); 3007 } 3008 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock); 3009 ipsapp->ipsap_psa_ptr = ipsec_getassocbyspi(ipsapp->ipsap_pbucket, 3010 pair_spi, pair_dstaddr, pair_srcaddr, af); 3011 mutex_exit(&ipsapp->ipsap_pbucket->isaf_lock); 3012 ASSERT(ipsapp->ipsap_bucket != NULL); 3013 ASSERT(ipsapp->ipsap_pbucket != NULL); 3014 return (ipsapp); 3015 } 3016 3017 /* 3018 * Initialize the mechanism parameters associated with an SA. 3019 * These parameters can be shared by multiple packets, which saves 3020 * us from the overhead of consulting the algorithm table for 3021 * each packet. 3022 */ 3023 static void 3024 sadb_init_alginfo(ipsa_t *sa) 3025 { 3026 ipsec_alginfo_t *alg; 3027 ipsec_stack_t *ipss = sa->ipsa_netstack->netstack_ipsec; 3028 3029 mutex_enter(&ipss->ipsec_alg_lock); 3030 3031 if (sa->ipsa_encrkey != NULL) { 3032 alg = ipss->ipsec_alglists[IPSEC_ALG_ENCR][sa->ipsa_encr_alg]; 3033 if (alg != NULL && ALG_VALID(alg)) { 3034 sa->ipsa_emech.cm_type = alg->alg_mech_type; 3035 sa->ipsa_emech.cm_param = NULL; 3036 sa->ipsa_emech.cm_param_len = 0; 3037 sa->ipsa_iv_len = alg->alg_datalen; 3038 } else 3039 sa->ipsa_emech.cm_type = CRYPTO_MECHANISM_INVALID; 3040 } 3041 3042 if (sa->ipsa_authkey != NULL) { 3043 alg = ipss->ipsec_alglists[IPSEC_ALG_AUTH][sa->ipsa_auth_alg]; 3044 if (alg != NULL && ALG_VALID(alg)) { 3045 sa->ipsa_amech.cm_type = alg->alg_mech_type; 3046 sa->ipsa_amech.cm_param = (char *)&sa->ipsa_mac_len; 3047 sa->ipsa_amech.cm_param_len = sizeof (size_t); 3048 sa->ipsa_mac_len = (size_t)alg->alg_datalen; 3049 } else 3050 sa->ipsa_amech.cm_type = CRYPTO_MECHANISM_INVALID; 3051 } 3052 3053 mutex_exit(&ipss->ipsec_alg_lock); 3054 } 3055 3056 /* 3057 * Perform NAT-traversal cached checksum offset calculations here. 3058 */ 3059 static void 3060 sadb_nat_calculations(ipsa_t *newbie, sadb_address_t *natt_loc_ext, 3061 sadb_address_t *natt_rem_ext, uint32_t *src_addr_ptr, 3062 uint32_t *dst_addr_ptr) 3063 { 3064 struct sockaddr_in *natt_loc, *natt_rem; 3065 uint32_t *natt_loc_ptr = NULL, *natt_rem_ptr = NULL; 3066 uint32_t running_sum = 0; 3067 3068 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16) 3069 3070 if (natt_rem_ext != NULL) { 3071 uint32_t l_src; 3072 uint32_t l_rem; 3073 3074 natt_rem = (struct sockaddr_in *)(natt_rem_ext + 1); 3075 3076 /* Ensured by sadb_addrfix(). */ 3077 ASSERT(natt_rem->sin_family == AF_INET); 3078 3079 natt_rem_ptr = (uint32_t *)(&natt_rem->sin_addr); 3080 newbie->ipsa_remote_nat_port = natt_rem->sin_port; 3081 l_src = *src_addr_ptr; 3082 l_rem = *natt_rem_ptr; 3083 3084 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */ 3085 newbie->ipsa_natt_addr_rem = *natt_rem_ptr; 3086 3087 l_src = ntohl(l_src); 3088 DOWN_SUM(l_src); 3089 DOWN_SUM(l_src); 3090 l_rem = ntohl(l_rem); 3091 DOWN_SUM(l_rem); 3092 DOWN_SUM(l_rem); 3093 3094 /* 3095 * We're 1's complement for checksums, so check for wraparound 3096 * here. 3097 */ 3098 if (l_rem > l_src) 3099 l_src--; 3100 3101 running_sum += l_src - l_rem; 3102 3103 DOWN_SUM(running_sum); 3104 DOWN_SUM(running_sum); 3105 } 3106 3107 if (natt_loc_ext != NULL) { 3108 natt_loc = (struct sockaddr_in *)(natt_loc_ext + 1); 3109 3110 /* Ensured by sadb_addrfix(). */ 3111 ASSERT(natt_loc->sin_family == AF_INET); 3112 3113 natt_loc_ptr = (uint32_t *)(&natt_loc->sin_addr); 3114 newbie->ipsa_local_nat_port = natt_loc->sin_port; 3115 3116 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */ 3117 newbie->ipsa_natt_addr_loc = *natt_loc_ptr; 3118 3119 /* 3120 * NAT-T port agility means we may have natt_loc_ext, but 3121 * only for a local-port change. 3122 */ 3123 if (natt_loc->sin_addr.s_addr != INADDR_ANY) { 3124 uint32_t l_dst = ntohl(*dst_addr_ptr); 3125 uint32_t l_loc = ntohl(*natt_loc_ptr); 3126 3127 DOWN_SUM(l_loc); 3128 DOWN_SUM(l_loc); 3129 DOWN_SUM(l_dst); 3130 DOWN_SUM(l_dst); 3131 3132 /* 3133 * We're 1's complement for checksums, so check for 3134 * wraparound here. 3135 */ 3136 if (l_loc > l_dst) 3137 l_dst--; 3138 3139 running_sum += l_dst - l_loc; 3140 DOWN_SUM(running_sum); 3141 DOWN_SUM(running_sum); 3142 } 3143 } 3144 3145 newbie->ipsa_inbound_cksum = running_sum; 3146 #undef DOWN_SUM 3147 } 3148 3149 /* 3150 * This function is called from consumers that need to insert a fully-grown 3151 * security association into its tables. This function takes into account that 3152 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary" 3153 * hash bucket parameters are set in order of what the SA will be most of the 3154 * time. (For example, an SA with an unspecified source, and a multicast 3155 * destination will primarily be an outbound SA. OTOH, if that destination 3156 * is unicast for this node, then the SA will primarily be inbound.) 3157 * 3158 * It takes a lot of parameters because even if clone is B_FALSE, this needs 3159 * to check both buckets for purposes of collision. 3160 * 3161 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for 3162 * various error conditions. We may need to set samsg->sadb_x_msg_diagnostic 3163 * with additional diagnostic information because there is at least one EINVAL 3164 * case here. 3165 */ 3166 int 3167 sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 3168 keysock_in_t *ksi, isaf_t *primary, isaf_t *secondary, 3169 ipsa_t *newbie, boolean_t clone, boolean_t is_inbound, int *diagnostic, 3170 netstack_t *ns, sadbp_t *spp) 3171 { 3172 ipsa_t *newbie_clone = NULL, *scratch; 3173 ipsap_t *ipsapp = NULL; 3174 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 3175 sadb_address_t *srcext = 3176 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 3177 sadb_address_t *dstext = 3178 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 3179 sadb_address_t *isrcext = 3180 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC]; 3181 sadb_address_t *idstext = 3182 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_DST]; 3183 sadb_x_kmc_t *kmcext = 3184 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 3185 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 3186 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 3187 sadb_x_pair_t *pair_ext = 3188 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 3189 sadb_x_replay_ctr_t *replayext = 3190 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE]; 3191 uint8_t protocol = 3192 (samsg->sadb_msg_satype == SADB_SATYPE_AH) ? IPPROTO_AH:IPPROTO_ESP; 3193 #if 0 3194 /* 3195 * XXXMLS - When Trusted Solaris or Multi-Level Secure functionality 3196 * comes to ON, examine these if 0'ed fragments. Look for XXXMLS. 3197 */ 3198 sadb_sens_t *sens = (sadb_sens_t *); 3199 #endif 3200 struct sockaddr_in *src, *dst, *isrc, *idst; 3201 struct sockaddr_in6 *src6, *dst6, *isrc6, *idst6; 3202 sadb_lifetime_t *soft = 3203 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 3204 sadb_lifetime_t *hard = 3205 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 3206 sadb_lifetime_t *idle = 3207 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE]; 3208 sa_family_t af; 3209 int error = 0; 3210 boolean_t isupdate = (newbie != NULL); 3211 uint32_t *src_addr_ptr, *dst_addr_ptr, *isrc_addr_ptr, *idst_addr_ptr; 3212 mblk_t *ctl_mp = NULL; 3213 ipsec_stack_t *ipss = ns->netstack_ipsec; 3214 int rcode; 3215 3216 if (srcext == NULL) { 3217 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 3218 return (EINVAL); 3219 } 3220 if (dstext == NULL) { 3221 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 3222 return (EINVAL); 3223 } 3224 if (assoc == NULL) { 3225 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 3226 return (EINVAL); 3227 } 3228 3229 src = (struct sockaddr_in *)(srcext + 1); 3230 src6 = (struct sockaddr_in6 *)(srcext + 1); 3231 dst = (struct sockaddr_in *)(dstext + 1); 3232 dst6 = (struct sockaddr_in6 *)(dstext + 1); 3233 if (isrcext != NULL) { 3234 isrc = (struct sockaddr_in *)(isrcext + 1); 3235 isrc6 = (struct sockaddr_in6 *)(isrcext + 1); 3236 ASSERT(idstext != NULL); 3237 idst = (struct sockaddr_in *)(idstext + 1); 3238 idst6 = (struct sockaddr_in6 *)(idstext + 1); 3239 } else { 3240 isrc = NULL; 3241 isrc6 = NULL; 3242 } 3243 3244 af = src->sin_family; 3245 3246 if (af == AF_INET) { 3247 src_addr_ptr = (uint32_t *)&src->sin_addr; 3248 dst_addr_ptr = (uint32_t *)&dst->sin_addr; 3249 } else { 3250 ASSERT(af == AF_INET6); 3251 src_addr_ptr = (uint32_t *)&src6->sin6_addr; 3252 dst_addr_ptr = (uint32_t *)&dst6->sin6_addr; 3253 } 3254 3255 if (!isupdate && (clone == B_TRUE || is_inbound == B_TRUE) && 3256 cl_inet_checkspi && 3257 (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) { 3258 rcode = cl_inet_checkspi(protocol, assoc->sadb_sa_spi); 3259 if (rcode == -1) { 3260 return (EEXIST); 3261 } 3262 } 3263 3264 /* 3265 * Check to see if the new SA will be cloned AND paired. The 3266 * reason a SA will be cloned is the source or destination addresses 3267 * are not specific enough to determine if the SA goes in the outbound 3268 * or the inbound hash table, so its cloned and put in both. If 3269 * the SA is paired, it's soft linked to another SA for the other 3270 * direction. Keeping track and looking up SA's that are direction 3271 * unspecific and linked is too hard. 3272 */ 3273 if (clone && (pair_ext != NULL)) { 3274 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 3275 return (EINVAL); 3276 } 3277 3278 if (!isupdate) { 3279 newbie = sadb_makelarvalassoc(assoc->sadb_sa_spi, 3280 src_addr_ptr, dst_addr_ptr, af, ns); 3281 if (newbie == NULL) 3282 return (ENOMEM); 3283 } 3284 3285 mutex_enter(&newbie->ipsa_lock); 3286 3287 if (isrc != NULL) { 3288 if (isrc->sin_family == AF_INET) { 3289 if (srcext->sadb_address_proto != IPPROTO_ENCAP) { 3290 if (srcext->sadb_address_proto != 0) { 3291 /* 3292 * Mismatched outer-packet protocol 3293 * and inner-packet address family. 3294 */ 3295 mutex_exit(&newbie->ipsa_lock); 3296 error = EPROTOTYPE; 3297 goto error; 3298 } else { 3299 /* Fill in with explicit protocol. */ 3300 srcext->sadb_address_proto = 3301 IPPROTO_ENCAP; 3302 dstext->sadb_address_proto = 3303 IPPROTO_ENCAP; 3304 } 3305 } 3306 isrc_addr_ptr = (uint32_t *)&isrc->sin_addr; 3307 idst_addr_ptr = (uint32_t *)&idst->sin_addr; 3308 } else { 3309 ASSERT(isrc->sin_family == AF_INET6); 3310 if (srcext->sadb_address_proto != IPPROTO_IPV6) { 3311 if (srcext->sadb_address_proto != 0) { 3312 /* 3313 * Mismatched outer-packet protocol 3314 * and inner-packet address family. 3315 */ 3316 mutex_exit(&newbie->ipsa_lock); 3317 error = EPROTOTYPE; 3318 goto error; 3319 } else { 3320 /* Fill in with explicit protocol. */ 3321 srcext->sadb_address_proto = 3322 IPPROTO_IPV6; 3323 dstext->sadb_address_proto = 3324 IPPROTO_IPV6; 3325 } 3326 } 3327 isrc_addr_ptr = (uint32_t *)&isrc6->sin6_addr; 3328 idst_addr_ptr = (uint32_t *)&idst6->sin6_addr; 3329 } 3330 newbie->ipsa_innerfam = isrc->sin_family; 3331 3332 IPSA_COPY_ADDR(newbie->ipsa_innersrc, isrc_addr_ptr, 3333 newbie->ipsa_innerfam); 3334 IPSA_COPY_ADDR(newbie->ipsa_innerdst, idst_addr_ptr, 3335 newbie->ipsa_innerfam); 3336 newbie->ipsa_innersrcpfx = isrcext->sadb_address_prefixlen; 3337 newbie->ipsa_innerdstpfx = idstext->sadb_address_prefixlen; 3338 3339 /* Unique value uses inner-ports for Tunnel Mode... */ 3340 newbie->ipsa_unique_id = SA_UNIQUE_ID(isrc->sin_port, 3341 idst->sin_port, dstext->sadb_address_proto, 3342 idstext->sadb_address_proto); 3343 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(isrc->sin_port, 3344 idst->sin_port, dstext->sadb_address_proto, 3345 idstext->sadb_address_proto); 3346 } else { 3347 /* ... and outer-ports for Transport Mode. */ 3348 newbie->ipsa_unique_id = SA_UNIQUE_ID(src->sin_port, 3349 dst->sin_port, dstext->sadb_address_proto, 0); 3350 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(src->sin_port, 3351 dst->sin_port, dstext->sadb_address_proto, 0); 3352 } 3353 if (newbie->ipsa_unique_mask != (uint64_t)0) 3354 newbie->ipsa_flags |= IPSA_F_UNIQUE; 3355 3356 sadb_nat_calculations(newbie, 3357 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC], 3358 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM], 3359 src_addr_ptr, dst_addr_ptr); 3360 3361 newbie->ipsa_type = samsg->sadb_msg_satype; 3362 ASSERT((assoc->sadb_sa_state == SADB_SASTATE_MATURE) || 3363 (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE)); 3364 newbie->ipsa_auth_alg = assoc->sadb_sa_auth; 3365 newbie->ipsa_encr_alg = assoc->sadb_sa_encrypt; 3366 3367 newbie->ipsa_flags |= assoc->sadb_sa_flags; 3368 if ((newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_LOC && 3369 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC] == NULL) || 3370 (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_REM && 3371 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM] == NULL) || 3372 (newbie->ipsa_flags & SADB_X_SAFLAGS_TUNNEL && 3373 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC] == NULL)) { 3374 mutex_exit(&newbie->ipsa_lock); 3375 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS; 3376 error = EINVAL; 3377 goto error; 3378 } 3379 /* 3380 * If unspecified source address, force replay_wsize to 0. 3381 * This is because an SA that has multiple sources of secure 3382 * traffic cannot enforce a replay counter w/o synchronizing the 3383 * senders. 3384 */ 3385 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) 3386 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay; 3387 else 3388 newbie->ipsa_replay_wsize = 0; 3389 3390 newbie->ipsa_addtime = gethrestime_sec(); 3391 3392 if (kmcext != NULL) { 3393 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto; 3394 newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie; 3395 } 3396 3397 /* 3398 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE. 3399 * The spec says that one can update current lifetimes, but 3400 * that seems impractical, especially in the larval-to-mature 3401 * update that this function performs. 3402 */ 3403 if (soft != NULL) { 3404 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime; 3405 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime; 3406 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes; 3407 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations; 3408 SET_EXPIRE(newbie, softaddlt, softexpiretime); 3409 } 3410 if (hard != NULL) { 3411 newbie->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 3412 newbie->ipsa_harduselt = hard->sadb_lifetime_usetime; 3413 newbie->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 3414 newbie->ipsa_hardalloc = hard->sadb_lifetime_allocations; 3415 SET_EXPIRE(newbie, hardaddlt, hardexpiretime); 3416 } 3417 if (idle != NULL) { 3418 newbie->ipsa_idleaddlt = idle->sadb_lifetime_addtime; 3419 newbie->ipsa_idleuselt = idle->sadb_lifetime_usetime; 3420 newbie->ipsa_idleexpiretime = newbie->ipsa_addtime + 3421 newbie->ipsa_idleaddlt; 3422 newbie->ipsa_idletime = newbie->ipsa_idleaddlt; 3423 } 3424 3425 newbie->ipsa_authtmpl = NULL; 3426 newbie->ipsa_encrtmpl = NULL; 3427 3428 if (akey != NULL) { 3429 newbie->ipsa_authkeybits = akey->sadb_key_bits; 3430 newbie->ipsa_authkeylen = SADB_1TO8(akey->sadb_key_bits); 3431 /* In case we have to round up to the next byte... */ 3432 if ((akey->sadb_key_bits & 0x7) != 0) 3433 newbie->ipsa_authkeylen++; 3434 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 3435 KM_NOSLEEP); 3436 if (newbie->ipsa_authkey == NULL) { 3437 error = ENOMEM; 3438 mutex_exit(&newbie->ipsa_lock); 3439 goto error; 3440 } 3441 bcopy(akey + 1, newbie->ipsa_authkey, newbie->ipsa_authkeylen); 3442 bzero(akey + 1, newbie->ipsa_authkeylen); 3443 3444 /* 3445 * Pre-initialize the kernel crypto framework key 3446 * structure. 3447 */ 3448 newbie->ipsa_kcfauthkey.ck_format = CRYPTO_KEY_RAW; 3449 newbie->ipsa_kcfauthkey.ck_length = newbie->ipsa_authkeybits; 3450 newbie->ipsa_kcfauthkey.ck_data = newbie->ipsa_authkey; 3451 3452 mutex_enter(&ipss->ipsec_alg_lock); 3453 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_AUTH); 3454 mutex_exit(&ipss->ipsec_alg_lock); 3455 if (error != 0) { 3456 mutex_exit(&newbie->ipsa_lock); 3457 goto error; 3458 } 3459 } 3460 3461 if (ekey != NULL) { 3462 newbie->ipsa_encrkeybits = ekey->sadb_key_bits; 3463 newbie->ipsa_encrkeylen = SADB_1TO8(ekey->sadb_key_bits); 3464 /* In case we have to round up to the next byte... */ 3465 if ((ekey->sadb_key_bits & 0x7) != 0) 3466 newbie->ipsa_encrkeylen++; 3467 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 3468 KM_NOSLEEP); 3469 if (newbie->ipsa_encrkey == NULL) { 3470 error = ENOMEM; 3471 mutex_exit(&newbie->ipsa_lock); 3472 goto error; 3473 } 3474 bcopy(ekey + 1, newbie->ipsa_encrkey, newbie->ipsa_encrkeylen); 3475 /* XXX is this safe w.r.t db_ref, etc? */ 3476 bzero(ekey + 1, newbie->ipsa_encrkeylen); 3477 3478 /* 3479 * Pre-initialize the kernel crypto framework key 3480 * structure. 3481 */ 3482 newbie->ipsa_kcfencrkey.ck_format = CRYPTO_KEY_RAW; 3483 newbie->ipsa_kcfencrkey.ck_length = newbie->ipsa_encrkeybits; 3484 newbie->ipsa_kcfencrkey.ck_data = newbie->ipsa_encrkey; 3485 3486 mutex_enter(&ipss->ipsec_alg_lock); 3487 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_ENCR); 3488 mutex_exit(&ipss->ipsec_alg_lock); 3489 if (error != 0) { 3490 mutex_exit(&newbie->ipsa_lock); 3491 goto error; 3492 } 3493 } 3494 3495 sadb_init_alginfo(newbie); 3496 3497 /* 3498 * Ptrs to processing functions. 3499 */ 3500 if (newbie->ipsa_type == SADB_SATYPE_ESP) 3501 ipsecesp_init_funcs(newbie); 3502 else 3503 ipsecah_init_funcs(newbie); 3504 ASSERT(newbie->ipsa_output_func != NULL && 3505 newbie->ipsa_input_func != NULL); 3506 3507 /* 3508 * Certificate ID stuff. 3509 */ 3510 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC] != NULL) { 3511 sadb_ident_t *id = 3512 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 3513 3514 /* 3515 * Can assume strlen() will return okay because ext_check() in 3516 * keysock.c prepares the string for us. 3517 */ 3518 newbie->ipsa_src_cid = ipsid_lookup(id->sadb_ident_type, 3519 (char *)(id+1), ns); 3520 if (newbie->ipsa_src_cid == NULL) { 3521 error = ENOMEM; 3522 mutex_exit(&newbie->ipsa_lock); 3523 goto error; 3524 } 3525 } 3526 3527 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_DST] != NULL) { 3528 sadb_ident_t *id = 3529 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 3530 3531 /* 3532 * Can assume strlen() will return okay because ext_check() in 3533 * keysock.c prepares the string for us. 3534 */ 3535 newbie->ipsa_dst_cid = ipsid_lookup(id->sadb_ident_type, 3536 (char *)(id+1), ns); 3537 if (newbie->ipsa_dst_cid == NULL) { 3538 error = ENOMEM; 3539 mutex_exit(&newbie->ipsa_lock); 3540 goto error; 3541 } 3542 } 3543 3544 #if 0 3545 /* XXXMLS SENSITIVITY handling code. */ 3546 if (sens != NULL) { 3547 int i; 3548 uint64_t *bitmap = (uint64_t *)(sens + 1); 3549 3550 newbie->ipsa_dpd = sens->sadb_sens_dpd; 3551 newbie->ipsa_senslevel = sens->sadb_sens_sens_level; 3552 newbie->ipsa_integlevel = sens->sadb_sens_integ_level; 3553 newbie->ipsa_senslen = SADB_64TO8(sens->sadb_sens_sens_len); 3554 newbie->ipsa_integlen = SADB_64TO8(sens->sadb_sens_integ_len); 3555 newbie->ipsa_integ = kmem_alloc(newbie->ipsa_integlen, 3556 KM_NOSLEEP); 3557 if (newbie->ipsa_integ == NULL) { 3558 error = ENOMEM; 3559 mutex_exit(&newbie->ipsa_lock); 3560 goto error; 3561 } 3562 newbie->ipsa_sens = kmem_alloc(newbie->ipsa_senslen, 3563 KM_NOSLEEP); 3564 if (newbie->ipsa_sens == NULL) { 3565 error = ENOMEM; 3566 mutex_exit(&newbie->ipsa_lock); 3567 goto error; 3568 } 3569 for (i = 0; i < sens->sadb_sens_sens_len; i++) { 3570 newbie->ipsa_sens[i] = *bitmap; 3571 bitmap++; 3572 } 3573 for (i = 0; i < sens->sadb_sens_integ_len; i++) { 3574 newbie->ipsa_integ[i] = *bitmap; 3575 bitmap++; 3576 } 3577 } 3578 3579 #endif 3580 3581 if (replayext != NULL) { 3582 if ((replayext->sadb_x_rc_replay32 == 0) && 3583 (replayext->sadb_x_rc_replay64 != 0)) { 3584 error = EOPNOTSUPP; 3585 mutex_exit(&newbie->ipsa_lock); 3586 goto error; 3587 } 3588 newbie->ipsa_replay = replayext->sadb_x_rc_replay32; 3589 } 3590 3591 /* now that the SA has been updated, set its new state */ 3592 newbie->ipsa_state = assoc->sadb_sa_state; 3593 3594 if (clone) { 3595 newbie->ipsa_haspeer = B_TRUE; 3596 } else { 3597 if (!is_inbound) { 3598 lifetime_fuzz(newbie); 3599 } 3600 } 3601 /* 3602 * The less locks I hold when doing an insertion and possible cloning, 3603 * the better! 3604 */ 3605 mutex_exit(&newbie->ipsa_lock); 3606 3607 if (clone) { 3608 newbie_clone = sadb_cloneassoc(newbie); 3609 3610 if (newbie_clone == NULL) { 3611 error = ENOMEM; 3612 goto error; 3613 } 3614 } 3615 3616 /* 3617 * Enter the bucket locks. The order of entry is outbound, 3618 * inbound. We map "primary" and "secondary" into outbound and inbound 3619 * based on the destination address type. If the destination address 3620 * type is for a node that isn't mine (or potentially mine), the 3621 * "primary" bucket is the outbound one. 3622 */ 3623 if (!is_inbound) { 3624 /* primary == outbound */ 3625 mutex_enter(&primary->isaf_lock); 3626 mutex_enter(&secondary->isaf_lock); 3627 } else { 3628 /* primary == inbound */ 3629 mutex_enter(&secondary->isaf_lock); 3630 mutex_enter(&primary->isaf_lock); 3631 } 3632 3633 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_common_add: spi = 0x%x\n", 3634 newbie->ipsa_spi)); 3635 3636 /* 3637 * sadb_insertassoc() doesn't increment the reference 3638 * count. We therefore have to increment the 3639 * reference count one more time to reflect the 3640 * pointers of the table that reference this SA. 3641 */ 3642 IPSA_REFHOLD(newbie); 3643 3644 if (isupdate) { 3645 /* 3646 * Unlink from larval holding cell in the "inbound" fanout. 3647 */ 3648 ASSERT(newbie->ipsa_linklock == &primary->isaf_lock || 3649 newbie->ipsa_linklock == &secondary->isaf_lock); 3650 sadb_unlinkassoc(newbie); 3651 } 3652 3653 mutex_enter(&newbie->ipsa_lock); 3654 error = sadb_insertassoc(newbie, primary); 3655 if (error == 0) { 3656 ctl_mp = sadb_fmt_sa_req(DL_CO_SET, newbie->ipsa_type, newbie, 3657 is_inbound); 3658 } 3659 mutex_exit(&newbie->ipsa_lock); 3660 3661 if (error != 0) { 3662 /* 3663 * Since sadb_insertassoc() failed, we must decrement the 3664 * refcount again so the cleanup code will actually free 3665 * the offending SA. 3666 */ 3667 IPSA_REFRELE(newbie); 3668 goto error_unlock; 3669 } 3670 3671 if (newbie_clone != NULL) { 3672 mutex_enter(&newbie_clone->ipsa_lock); 3673 error = sadb_insertassoc(newbie_clone, secondary); 3674 mutex_exit(&newbie_clone->ipsa_lock); 3675 if (error != 0) { 3676 /* Collision in secondary table. */ 3677 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 3678 goto error_unlock; 3679 } 3680 IPSA_REFHOLD(newbie_clone); 3681 } else { 3682 ASSERT(primary != secondary); 3683 scratch = ipsec_getassocbyspi(secondary, newbie->ipsa_spi, 3684 ALL_ZEROES_PTR, newbie->ipsa_dstaddr, af); 3685 if (scratch != NULL) { 3686 /* Collision in secondary table. */ 3687 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 3688 /* Set the error, since ipsec_getassocbyspi() can't. */ 3689 error = EEXIST; 3690 goto error_unlock; 3691 } 3692 } 3693 3694 /* OKAY! So let's do some reality check assertions. */ 3695 3696 ASSERT(MUTEX_NOT_HELD(&newbie->ipsa_lock)); 3697 ASSERT(newbie_clone == NULL || 3698 (MUTEX_NOT_HELD(&newbie_clone->ipsa_lock))); 3699 /* 3700 * If hardware acceleration could happen, send it. 3701 */ 3702 if (ctl_mp != NULL) { 3703 putnext(ip_q, ctl_mp); 3704 ctl_mp = NULL; 3705 } 3706 3707 error_unlock: 3708 3709 /* 3710 * We can exit the locks in any order. Only entrance needs to 3711 * follow any protocol. 3712 */ 3713 mutex_exit(&secondary->isaf_lock); 3714 mutex_exit(&primary->isaf_lock); 3715 3716 if (pair_ext != NULL && error == 0) { 3717 /* update pair_spi if it exists. */ 3718 ipsapp = get_ipsa_pair(assoc, srcext, dstext, spp); 3719 if (ipsapp == NULL) { 3720 error = ESRCH; 3721 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 3722 } else if (ipsapp->ipsap_psa_ptr != NULL) { 3723 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY; 3724 error = EINVAL; 3725 } else { 3726 /* update_pairing() sets diagnostic */ 3727 error = update_pairing(ipsapp, ksi, diagnostic, spp); 3728 } 3729 } 3730 /* Common error point for this routine. */ 3731 error: 3732 if (newbie != NULL) { 3733 if (error != 0) { 3734 /* This SA is broken, let the reaper clean up. */ 3735 mutex_enter(&newbie->ipsa_lock); 3736 newbie->ipsa_state = IPSA_STATE_DEAD; 3737 newbie->ipsa_hardexpiretime = 1; 3738 mutex_exit(&newbie->ipsa_lock); 3739 } 3740 IPSA_REFRELE(newbie); 3741 } 3742 if (newbie_clone != NULL) { 3743 IPSA_REFRELE(newbie_clone); 3744 } 3745 if (ctl_mp != NULL) 3746 freemsg(ctl_mp); 3747 3748 if (error == 0) { 3749 /* 3750 * Construct favorable PF_KEY return message and send to 3751 * keysock. Update the flags in the original keysock message 3752 * to reflect the actual flags in the new SA. 3753 * (Q: Do I need to pass "newbie"? If I do, 3754 * make sure to REFHOLD, call, then REFRELE.) 3755 */ 3756 assoc->sadb_sa_flags = newbie->ipsa_flags; 3757 sadb_pfkey_echo(pfkey_q, mp, samsg, ksi, NULL); 3758 } 3759 3760 destroy_ipsa_pair(ipsapp); 3761 return (error); 3762 } 3763 3764 /* 3765 * Set the time of first use for a security association. Update any 3766 * expiration times as a result. 3767 */ 3768 void 3769 sadb_set_usetime(ipsa_t *assoc) 3770 { 3771 time_t snapshot = gethrestime_sec(); 3772 3773 mutex_enter(&assoc->ipsa_lock); 3774 assoc->ipsa_lastuse = snapshot; 3775 assoc->ipsa_idleexpiretime = snapshot + assoc->ipsa_idletime; 3776 3777 /* 3778 * Caller does check usetime before calling me usually, and 3779 * double-checking is better than a mutex_enter/exit hit. 3780 */ 3781 if (assoc->ipsa_usetime == 0) { 3782 /* 3783 * This is redundant for outbound SA's, as 3784 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already. 3785 * Inbound SAs, however, have no such protection. 3786 */ 3787 assoc->ipsa_flags |= IPSA_F_USED; 3788 assoc->ipsa_usetime = snapshot; 3789 3790 /* 3791 * After setting the use time, see if we have a use lifetime 3792 * that would cause the actual SA expiration time to shorten. 3793 */ 3794 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 3795 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 3796 } 3797 mutex_exit(&assoc->ipsa_lock); 3798 } 3799 3800 /* 3801 * Send up a PF_KEY expire message for this association. 3802 */ 3803 static void 3804 sadb_expire_assoc(queue_t *pfkey_q, ipsa_t *assoc) 3805 { 3806 mblk_t *mp, *mp1; 3807 int alloclen, af; 3808 sadb_msg_t *samsg; 3809 sadb_lifetime_t *current, *expire; 3810 sadb_sa_t *saext; 3811 uint8_t *end; 3812 boolean_t tunnel_mode; 3813 3814 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 3815 3816 /* Don't bother sending if there's no queue. */ 3817 if (pfkey_q == NULL) 3818 return; 3819 3820 /* If the SA is one of a pair, only SOFT expire the OUTBOUND SA */ 3821 if (assoc->ipsa_state == IPSA_STATE_DYING && 3822 (assoc->ipsa_flags & IPSA_F_PAIRED) && 3823 !(assoc->ipsa_flags & IPSA_F_OUTBOUND)) { 3824 return; 3825 } 3826 3827 mp = sadb_keysock_out(0); 3828 if (mp == NULL) { 3829 /* cmn_err(CE_WARN, */ 3830 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */ 3831 return; 3832 } 3833 3834 alloclen = sizeof (*samsg) + sizeof (*current) + sizeof (*expire) + 3835 2 * sizeof (sadb_address_t) + sizeof (*saext); 3836 3837 af = assoc->ipsa_addrfam; 3838 switch (af) { 3839 case AF_INET: 3840 alloclen += 2 * sizeof (struct sockaddr_in); 3841 break; 3842 case AF_INET6: 3843 alloclen += 2 * sizeof (struct sockaddr_in6); 3844 break; 3845 default: 3846 /* Won't happen unless there's a kernel bug. */ 3847 freeb(mp); 3848 cmn_err(CE_WARN, 3849 "sadb_expire_assoc: Unknown address length.\n"); 3850 return; 3851 } 3852 3853 tunnel_mode = (assoc->ipsa_flags & IPSA_F_TUNNEL); 3854 if (tunnel_mode) { 3855 alloclen += 2 * sizeof (sadb_address_t); 3856 switch (assoc->ipsa_innerfam) { 3857 case AF_INET: 3858 alloclen += 2 * sizeof (struct sockaddr_in); 3859 break; 3860 case AF_INET6: 3861 alloclen += 2 * sizeof (struct sockaddr_in6); 3862 break; 3863 default: 3864 /* Won't happen unless there's a kernel bug. */ 3865 freeb(mp); 3866 cmn_err(CE_WARN, "sadb_expire_assoc: " 3867 "Unknown inner address length.\n"); 3868 return; 3869 } 3870 } 3871 3872 mp->b_cont = allocb(alloclen, BPRI_HI); 3873 if (mp->b_cont == NULL) { 3874 freeb(mp); 3875 /* cmn_err(CE_WARN, */ 3876 /* "sadb_expire_assoc: Can't allocate message.\n"); */ 3877 return; 3878 } 3879 3880 mp1 = mp; 3881 mp = mp->b_cont; 3882 end = mp->b_wptr + alloclen; 3883 3884 samsg = (sadb_msg_t *)mp->b_wptr; 3885 mp->b_wptr += sizeof (*samsg); 3886 samsg->sadb_msg_version = PF_KEY_V2; 3887 samsg->sadb_msg_type = SADB_EXPIRE; 3888 samsg->sadb_msg_errno = 0; 3889 samsg->sadb_msg_satype = assoc->ipsa_type; 3890 samsg->sadb_msg_len = SADB_8TO64(alloclen); 3891 samsg->sadb_msg_reserved = 0; 3892 samsg->sadb_msg_seq = 0; 3893 samsg->sadb_msg_pid = 0; 3894 3895 saext = (sadb_sa_t *)mp->b_wptr; 3896 mp->b_wptr += sizeof (*saext); 3897 saext->sadb_sa_len = SADB_8TO64(sizeof (*saext)); 3898 saext->sadb_sa_exttype = SADB_EXT_SA; 3899 saext->sadb_sa_spi = assoc->ipsa_spi; 3900 saext->sadb_sa_replay = assoc->ipsa_replay_wsize; 3901 saext->sadb_sa_state = assoc->ipsa_state; 3902 saext->sadb_sa_auth = assoc->ipsa_auth_alg; 3903 saext->sadb_sa_encrypt = assoc->ipsa_encr_alg; 3904 saext->sadb_sa_flags = assoc->ipsa_flags; 3905 3906 current = (sadb_lifetime_t *)mp->b_wptr; 3907 mp->b_wptr += sizeof (sadb_lifetime_t); 3908 current->sadb_lifetime_len = SADB_8TO64(sizeof (*current)); 3909 current->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 3910 /* We do not support the concept. */ 3911 current->sadb_lifetime_allocations = 0; 3912 current->sadb_lifetime_bytes = assoc->ipsa_bytes; 3913 current->sadb_lifetime_addtime = assoc->ipsa_addtime; 3914 current->sadb_lifetime_usetime = assoc->ipsa_usetime; 3915 3916 expire = (sadb_lifetime_t *)mp->b_wptr; 3917 mp->b_wptr += sizeof (*expire); 3918 expire->sadb_lifetime_len = SADB_8TO64(sizeof (*expire)); 3919 3920 if (assoc->ipsa_state == IPSA_STATE_DEAD) { 3921 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 3922 expire->sadb_lifetime_allocations = assoc->ipsa_hardalloc; 3923 expire->sadb_lifetime_bytes = assoc->ipsa_hardbyteslt; 3924 expire->sadb_lifetime_addtime = assoc->ipsa_hardaddlt; 3925 expire->sadb_lifetime_usetime = assoc->ipsa_harduselt; 3926 } else if (assoc->ipsa_state == IPSA_STATE_DYING) { 3927 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 3928 expire->sadb_lifetime_allocations = assoc->ipsa_softalloc; 3929 expire->sadb_lifetime_bytes = assoc->ipsa_softbyteslt; 3930 expire->sadb_lifetime_addtime = assoc->ipsa_softaddlt; 3931 expire->sadb_lifetime_usetime = assoc->ipsa_softuselt; 3932 } else { 3933 ASSERT(assoc->ipsa_state == IPSA_STATE_MATURE); 3934 expire->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE; 3935 expire->sadb_lifetime_allocations = 0; 3936 expire->sadb_lifetime_bytes = 0; 3937 expire->sadb_lifetime_addtime = assoc->ipsa_idleaddlt; 3938 expire->sadb_lifetime_usetime = assoc->ipsa_idleuselt; 3939 } 3940 3941 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_SRC, 3942 af, assoc->ipsa_srcaddr, tunnel_mode ? 0 : SA_SRCPORT(assoc), 3943 SA_PROTO(assoc), 0); 3944 ASSERT(mp->b_wptr != NULL); 3945 3946 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_DST, 3947 af, assoc->ipsa_dstaddr, tunnel_mode ? 0 : SA_DSTPORT(assoc), 3948 SA_PROTO(assoc), 0); 3949 ASSERT(mp->b_wptr != NULL); 3950 3951 if (tunnel_mode) { 3952 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, 3953 SADB_X_EXT_ADDRESS_INNER_SRC, assoc->ipsa_innerfam, 3954 assoc->ipsa_innersrc, SA_SRCPORT(assoc), SA_IPROTO(assoc), 3955 assoc->ipsa_innersrcpfx); 3956 ASSERT(mp->b_wptr != NULL); 3957 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, 3958 SADB_X_EXT_ADDRESS_INNER_DST, assoc->ipsa_innerfam, 3959 assoc->ipsa_innerdst, SA_DSTPORT(assoc), SA_IPROTO(assoc), 3960 assoc->ipsa_innerdstpfx); 3961 ASSERT(mp->b_wptr != NULL); 3962 } 3963 3964 /* Can just putnext, we're ready to go! */ 3965 putnext(pfkey_q, mp1); 3966 } 3967 3968 /* 3969 * "Age" the SA with the number of bytes that was used to protect traffic. 3970 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was 3971 * enough "charge" left in the SA to protect the data. Return B_FALSE 3972 * otherwise. (If B_FALSE is returned, the association either was, or became 3973 * DEAD.) 3974 */ 3975 boolean_t 3976 sadb_age_bytes(queue_t *pfkey_q, ipsa_t *assoc, uint64_t bytes, 3977 boolean_t sendmsg) 3978 { 3979 boolean_t rc = B_TRUE; 3980 uint64_t newtotal; 3981 3982 mutex_enter(&assoc->ipsa_lock); 3983 newtotal = assoc->ipsa_bytes + bytes; 3984 if (assoc->ipsa_hardbyteslt != 0 && 3985 newtotal >= assoc->ipsa_hardbyteslt) { 3986 if (assoc->ipsa_state != IPSA_STATE_DEAD) { 3987 sadb_delete_cluster(assoc); 3988 /* 3989 * Send EXPIRE message to PF_KEY. May wish to pawn 3990 * this off on another non-interrupt thread. Also 3991 * unlink this SA immediately. 3992 */ 3993 assoc->ipsa_state = IPSA_STATE_DEAD; 3994 if (sendmsg) 3995 sadb_expire_assoc(pfkey_q, assoc); 3996 /* 3997 * Set non-zero expiration time so sadb_age_assoc() 3998 * will work when reaping. 3999 */ 4000 assoc->ipsa_hardexpiretime = (time_t)1; 4001 } /* Else someone beat me to it! */ 4002 rc = B_FALSE; 4003 } else if (assoc->ipsa_softbyteslt != 0 && 4004 (newtotal >= assoc->ipsa_softbyteslt)) { 4005 if (assoc->ipsa_state < IPSA_STATE_DYING) { 4006 /* 4007 * Send EXPIRE message to PF_KEY. May wish to pawn 4008 * this off on another non-interrupt thread. 4009 */ 4010 assoc->ipsa_state = IPSA_STATE_DYING; 4011 assoc->ipsa_bytes = newtotal; 4012 if (sendmsg) 4013 sadb_expire_assoc(pfkey_q, assoc); 4014 } /* Else someone beat me to it! */ 4015 } 4016 if (rc == B_TRUE) 4017 assoc->ipsa_bytes = newtotal; 4018 mutex_exit(&assoc->ipsa_lock); 4019 return (rc); 4020 } 4021 4022 /* 4023 * Push one or more DL_CO_DELETE messages queued up by 4024 * sadb_torch_assoc down to the underlying driver now that it's a 4025 * convenient time for it (i.e., ipsa bucket locks not held). 4026 */ 4027 static void 4028 sadb_drain_torchq(queue_t *q, mblk_t *mp) 4029 { 4030 while (mp != NULL) { 4031 mblk_t *next = mp->b_next; 4032 mp->b_next = NULL; 4033 if (q != NULL) 4034 putnext(q, mp); 4035 else 4036 freemsg(mp); 4037 mp = next; 4038 } 4039 } 4040 4041 /* 4042 * "Torch" an individual SA. Returns NULL, so it can be tail-called from 4043 * sadb_age_assoc(). 4044 * 4045 * If SA is hardware-accelerated, and we can't allocate the mblk 4046 * containing the DL_CO_DELETE, just return; it will remain in the 4047 * table and be swept up by sadb_ager() in a subsequent pass. 4048 */ 4049 static ipsa_t * 4050 sadb_torch_assoc(isaf_t *head, ipsa_t *sa, boolean_t inbnd, mblk_t **mq) 4051 { 4052 mblk_t *mp; 4053 4054 ASSERT(MUTEX_HELD(&head->isaf_lock)); 4055 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 4056 ASSERT(sa->ipsa_state == IPSA_STATE_DEAD); 4057 4058 /* 4059 * Force cached SAs to be revalidated.. 4060 */ 4061 head->isaf_gen++; 4062 4063 if (sa->ipsa_flags & IPSA_F_HW) { 4064 mp = sadb_fmt_sa_req(DL_CO_DELETE, sa->ipsa_type, sa, inbnd); 4065 if (mp == NULL) { 4066 mutex_exit(&sa->ipsa_lock); 4067 return (NULL); 4068 } 4069 mp->b_next = *mq; 4070 *mq = mp; 4071 } 4072 mutex_exit(&sa->ipsa_lock); 4073 sadb_unlinkassoc(sa); 4074 4075 return (NULL); 4076 } 4077 4078 /* 4079 * Do various SA-is-idle activities depending on delta (the number of idle 4080 * seconds on the SA) and/or other properties of the SA. 4081 * 4082 * Return B_TRUE if I've sent a packet, because I have to drop the 4083 * association's mutex before sending a packet out the wire. 4084 */ 4085 /* ARGSUSED */ 4086 static boolean_t 4087 sadb_idle_activities(ipsa_t *assoc, time_t delta, boolean_t inbound) 4088 { 4089 ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp; 4090 int nat_t_interval = espstack->ipsecesp_nat_keepalive_interval; 4091 4092 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 4093 4094 if (!inbound && (assoc->ipsa_flags & IPSA_F_NATT_LOC) && 4095 delta >= nat_t_interval && 4096 gethrestime_sec() - assoc->ipsa_last_nat_t_ka >= nat_t_interval) { 4097 ASSERT(assoc->ipsa_type == SADB_SATYPE_ESP); 4098 assoc->ipsa_last_nat_t_ka = gethrestime_sec(); 4099 mutex_exit(&assoc->ipsa_lock); 4100 ipsecesp_send_keepalive(assoc); 4101 return (B_TRUE); 4102 } 4103 return (B_FALSE); 4104 } 4105 4106 /* 4107 * Return "assoc" if haspeer is true and I send an expire. This allows 4108 * the consumers' aging functions to tidy up an expired SA's peer. 4109 */ 4110 static ipsa_t * 4111 sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc, 4112 time_t current, int reap_delay, boolean_t inbound, mblk_t **mq) 4113 { 4114 ipsa_t *retval = NULL; 4115 boolean_t dropped_mutex = B_FALSE; 4116 4117 ASSERT(MUTEX_HELD(&head->isaf_lock)); 4118 4119 mutex_enter(&assoc->ipsa_lock); 4120 4121 if (((assoc->ipsa_state == IPSA_STATE_LARVAL) || 4122 ((assoc->ipsa_state == IPSA_STATE_IDLE) || 4123 (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) && 4124 (assoc->ipsa_hardexpiretime != 0))) && 4125 (assoc->ipsa_hardexpiretime <= current)) { 4126 assoc->ipsa_state = IPSA_STATE_DEAD; 4127 return (sadb_torch_assoc(head, assoc, inbound, mq)); 4128 } 4129 4130 /* 4131 * Check lifetimes. Fortunately, SA setup is done 4132 * such that there are only two times to look at, 4133 * softexpiretime, and hardexpiretime. 4134 * 4135 * Check hard first. 4136 */ 4137 4138 if (assoc->ipsa_hardexpiretime != 0 && 4139 assoc->ipsa_hardexpiretime <= current) { 4140 if (assoc->ipsa_state == IPSA_STATE_DEAD) 4141 return (sadb_torch_assoc(head, assoc, inbound, mq)); 4142 4143 if (inbound) { 4144 sadb_delete_cluster(assoc); 4145 } 4146 4147 /* 4148 * Send SADB_EXPIRE with hard lifetime, delay for unlinking. 4149 */ 4150 assoc->ipsa_state = IPSA_STATE_DEAD; 4151 if (assoc->ipsa_haspeer || assoc->ipsa_otherspi != 0) { 4152 /* 4153 * If the SA is paired or peered with another, put 4154 * a copy on a list which can be processed later, the 4155 * pair/peer SA needs to be updated so the both die 4156 * at the same time. 4157 * 4158 * If I return assoc, I have to bump up its reference 4159 * count to keep with the ipsa_t reference count 4160 * semantics. 4161 */ 4162 IPSA_REFHOLD(assoc); 4163 retval = assoc; 4164 } 4165 sadb_expire_assoc(pfkey_q, assoc); 4166 assoc->ipsa_hardexpiretime = current + reap_delay; 4167 } else if (assoc->ipsa_softexpiretime != 0 && 4168 assoc->ipsa_softexpiretime <= current && 4169 assoc->ipsa_state < IPSA_STATE_DYING) { 4170 /* 4171 * Send EXPIRE message to PF_KEY. May wish to pawn 4172 * this off on another non-interrupt thread. 4173 */ 4174 assoc->ipsa_state = IPSA_STATE_DYING; 4175 if (assoc->ipsa_haspeer) { 4176 /* 4177 * If the SA has a peer, update the peer's state 4178 * on SOFT_EXPIRE, this is mostly to prevent two 4179 * expire messages from effectively the same SA. 4180 * 4181 * Don't care about paired SA's, then can (and should) 4182 * be able to soft expire at different times. 4183 * 4184 * If I return assoc, I have to bump up its 4185 * reference count to keep with the ipsa_t reference 4186 * count semantics. 4187 */ 4188 IPSA_REFHOLD(assoc); 4189 retval = assoc; 4190 } 4191 sadb_expire_assoc(pfkey_q, assoc); 4192 } else if (assoc->ipsa_idletime != 0 && 4193 assoc->ipsa_idleexpiretime <= current) { 4194 if (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) { 4195 assoc->ipsa_state = IPSA_STATE_IDLE; 4196 } 4197 4198 /* 4199 * Need to handle Mature case 4200 */ 4201 if (assoc->ipsa_state == IPSA_STATE_MATURE && !inbound) { 4202 sadb_expire_assoc(pfkey_q, assoc); 4203 } 4204 } else { 4205 /* Check idle time activities. */ 4206 dropped_mutex = sadb_idle_activities(assoc, 4207 current - assoc->ipsa_lastuse, inbound); 4208 } 4209 4210 if (!dropped_mutex) 4211 mutex_exit(&assoc->ipsa_lock); 4212 return (retval); 4213 } 4214 4215 /* 4216 * Called by a consumer protocol to do ther dirty work of reaping dead 4217 * Security Associations. 4218 * 4219 * NOTE: sadb_age_assoc() marks expired SA's as DEAD but only removed 4220 * SA's that are already marked DEAD, so expired SA's are only reaped 4221 * the second time sadb_ager() runs. 4222 */ 4223 void 4224 sadb_ager(sadb_t *sp, queue_t *pfkey_q, queue_t *ip_q, int reap_delay, 4225 netstack_t *ns) 4226 { 4227 int i; 4228 isaf_t *bucket; 4229 ipsa_t *assoc, *spare; 4230 iacqf_t *acqlist; 4231 ipsacq_t *acqrec, *spareacq; 4232 templist_t *haspeerlist, *newbie; 4233 /* Snapshot current time now. */ 4234 time_t current = gethrestime_sec(); 4235 mblk_t *mq = NULL; 4236 haspeerlist = NULL; 4237 4238 /* 4239 * Do my dirty work. This includes aging real entries, aging 4240 * larvals, and aging outstanding ACQUIREs. 4241 * 4242 * I hope I don't tie up resources for too long. 4243 */ 4244 4245 /* Age acquires. */ 4246 4247 for (i = 0; i < sp->sdb_hashsize; i++) { 4248 acqlist = &sp->sdb_acq[i]; 4249 mutex_enter(&acqlist->iacqf_lock); 4250 for (acqrec = acqlist->iacqf_ipsacq; acqrec != NULL; 4251 acqrec = spareacq) { 4252 spareacq = acqrec->ipsacq_next; 4253 if (current > acqrec->ipsacq_expire) 4254 sadb_destroy_acquire(acqrec, ns); 4255 } 4256 mutex_exit(&acqlist->iacqf_lock); 4257 } 4258 4259 /* Age inbound associations. */ 4260 for (i = 0; i < sp->sdb_hashsize; i++) { 4261 bucket = &(sp->sdb_if[i]); 4262 mutex_enter(&bucket->isaf_lock); 4263 for (assoc = bucket->isaf_ipsa; assoc != NULL; 4264 assoc = spare) { 4265 spare = assoc->ipsa_next; 4266 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 4267 reap_delay, B_TRUE, &mq) != NULL) { 4268 /* 4269 * Put SA's which have a peer or SA's which 4270 * are paired on a list for processing after 4271 * all the hash tables have been walked. 4272 * 4273 * sadb_age_assoc() increments the refcnt, 4274 * effectively doing an IPSA_REFHOLD(). 4275 */ 4276 newbie = kmem_alloc(sizeof (*newbie), 4277 KM_NOSLEEP); 4278 if (newbie == NULL) { 4279 /* 4280 * Don't forget to REFRELE(). 4281 */ 4282 IPSA_REFRELE(assoc); 4283 continue; /* for loop... */ 4284 } 4285 newbie->next = haspeerlist; 4286 newbie->ipsa = assoc; 4287 haspeerlist = newbie; 4288 } 4289 } 4290 mutex_exit(&bucket->isaf_lock); 4291 } 4292 4293 if (mq != NULL) { 4294 sadb_drain_torchq(ip_q, mq); 4295 mq = NULL; 4296 } 4297 age_pair_peer_list(haspeerlist, sp, B_FALSE); 4298 haspeerlist = NULL; 4299 4300 /* Age outbound associations. */ 4301 for (i = 0; i < sp->sdb_hashsize; i++) { 4302 bucket = &(sp->sdb_of[i]); 4303 mutex_enter(&bucket->isaf_lock); 4304 for (assoc = bucket->isaf_ipsa; assoc != NULL; 4305 assoc = spare) { 4306 spare = assoc->ipsa_next; 4307 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 4308 reap_delay, B_FALSE, &mq) != NULL) { 4309 /* 4310 * sadb_age_assoc() increments the refcnt, 4311 * effectively doing an IPSA_REFHOLD(). 4312 */ 4313 newbie = kmem_alloc(sizeof (*newbie), 4314 KM_NOSLEEP); 4315 if (newbie == NULL) { 4316 /* 4317 * Don't forget to REFRELE(). 4318 */ 4319 IPSA_REFRELE(assoc); 4320 continue; /* for loop... */ 4321 } 4322 newbie->next = haspeerlist; 4323 newbie->ipsa = assoc; 4324 haspeerlist = newbie; 4325 } 4326 } 4327 mutex_exit(&bucket->isaf_lock); 4328 } 4329 if (mq != NULL) { 4330 sadb_drain_torchq(ip_q, mq); 4331 mq = NULL; 4332 } 4333 4334 age_pair_peer_list(haspeerlist, sp, B_TRUE); 4335 4336 /* 4337 * Run a GC pass to clean out dead identities. 4338 */ 4339 ipsid_gc(ns); 4340 } 4341 4342 /* 4343 * Figure out when to reschedule the ager. 4344 */ 4345 timeout_id_t 4346 sadb_retimeout(hrtime_t begin, queue_t *pfkey_q, void (*ager)(void *), 4347 void *agerarg, uint_t *intp, uint_t intmax, short mid) 4348 { 4349 hrtime_t end = gethrtime(); 4350 uint_t interval = *intp; 4351 4352 /* 4353 * See how long this took. If it took too long, increase the 4354 * aging interval. 4355 */ 4356 if ((end - begin) > interval * 1000000) { 4357 if (interval >= intmax) { 4358 /* XXX Rate limit this? Or recommend flush? */ 4359 (void) strlog(mid, 0, 0, SL_ERROR | SL_WARN, 4360 "Too many SA's to age out in %d msec.\n", 4361 intmax); 4362 } else { 4363 /* Double by shifting by one bit. */ 4364 interval <<= 1; 4365 interval = min(interval, intmax); 4366 } 4367 } else if ((end - begin) <= interval * 500000 && 4368 interval > SADB_AGE_INTERVAL_DEFAULT) { 4369 /* 4370 * If I took less than half of the interval, then I should 4371 * ratchet the interval back down. Never automatically 4372 * shift below the default aging interval. 4373 * 4374 * NOTE:This even overrides manual setting of the age 4375 * interval using NDD. 4376 */ 4377 /* Halve by shifting one bit. */ 4378 interval >>= 1; 4379 interval = max(interval, SADB_AGE_INTERVAL_DEFAULT); 4380 } 4381 *intp = interval; 4382 return (qtimeout(pfkey_q, ager, agerarg, 4383 interval * drv_usectohz(1000))); 4384 } 4385 4386 4387 /* 4388 * Update the lifetime values of an SA. This is the path an SADB_UPDATE 4389 * message takes when updating a MATURE or DYING SA. 4390 */ 4391 static void 4392 sadb_update_lifetimes(ipsa_t *assoc, sadb_lifetime_t *hard, 4393 sadb_lifetime_t *soft, sadb_lifetime_t *idle, boolean_t outbound) 4394 { 4395 mutex_enter(&assoc->ipsa_lock); 4396 4397 /* 4398 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be 4399 * passed in during an update message. We currently don't handle 4400 * these. 4401 */ 4402 4403 if (hard != NULL) { 4404 if (hard->sadb_lifetime_bytes != 0) 4405 assoc->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 4406 if (hard->sadb_lifetime_usetime != 0) 4407 assoc->ipsa_harduselt = hard->sadb_lifetime_usetime; 4408 if (hard->sadb_lifetime_addtime != 0) 4409 assoc->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 4410 if (assoc->ipsa_hardaddlt != 0) { 4411 assoc->ipsa_hardexpiretime = 4412 assoc->ipsa_addtime + assoc->ipsa_hardaddlt; 4413 } 4414 if (assoc->ipsa_harduselt != 0 && 4415 assoc->ipsa_flags & IPSA_F_USED) { 4416 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 4417 } 4418 if (hard->sadb_lifetime_allocations != 0) 4419 assoc->ipsa_hardalloc = hard->sadb_lifetime_allocations; 4420 } 4421 4422 if (soft != NULL) { 4423 if (soft->sadb_lifetime_bytes != 0) { 4424 if (soft->sadb_lifetime_bytes > 4425 assoc->ipsa_hardbyteslt) { 4426 assoc->ipsa_softbyteslt = 4427 assoc->ipsa_hardbyteslt; 4428 } else { 4429 assoc->ipsa_softbyteslt = 4430 soft->sadb_lifetime_bytes; 4431 } 4432 } 4433 if (soft->sadb_lifetime_usetime != 0) { 4434 if (soft->sadb_lifetime_usetime > 4435 assoc->ipsa_harduselt) { 4436 assoc->ipsa_softuselt = 4437 assoc->ipsa_harduselt; 4438 } else { 4439 assoc->ipsa_softuselt = 4440 soft->sadb_lifetime_usetime; 4441 } 4442 } 4443 if (soft->sadb_lifetime_addtime != 0) { 4444 if (soft->sadb_lifetime_addtime > 4445 assoc->ipsa_hardexpiretime) { 4446 assoc->ipsa_softexpiretime = 4447 assoc->ipsa_hardexpiretime; 4448 } else { 4449 assoc->ipsa_softaddlt = 4450 soft->sadb_lifetime_addtime; 4451 } 4452 } 4453 if (assoc->ipsa_softaddlt != 0) { 4454 assoc->ipsa_softexpiretime = 4455 assoc->ipsa_addtime + assoc->ipsa_softaddlt; 4456 } 4457 if (assoc->ipsa_softuselt != 0 && 4458 assoc->ipsa_flags & IPSA_F_USED) { 4459 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 4460 } 4461 if (outbound && assoc->ipsa_softexpiretime != 0) { 4462 if (assoc->ipsa_state == IPSA_STATE_MATURE) 4463 lifetime_fuzz(assoc); 4464 } 4465 4466 if (soft->sadb_lifetime_allocations != 0) 4467 assoc->ipsa_softalloc = soft->sadb_lifetime_allocations; 4468 } 4469 4470 if (idle != NULL) { 4471 time_t current = gethrestime_sec(); 4472 if ((assoc->ipsa_idleexpiretime <= current) && 4473 (assoc->ipsa_idleaddlt == idle->sadb_lifetime_addtime)) { 4474 assoc->ipsa_idleexpiretime = 4475 current + assoc->ipsa_idleaddlt; 4476 } 4477 if (idle->sadb_lifetime_addtime != 0) 4478 assoc->ipsa_idleaddlt = idle->sadb_lifetime_addtime; 4479 if (idle->sadb_lifetime_usetime != 0) 4480 assoc->ipsa_idleuselt = idle->sadb_lifetime_usetime; 4481 if (assoc->ipsa_idleaddlt != 0) { 4482 assoc->ipsa_idleexpiretime = 4483 current + idle->sadb_lifetime_addtime; 4484 assoc->ipsa_idletime = idle->sadb_lifetime_addtime; 4485 } 4486 if (assoc->ipsa_idleuselt != 0) { 4487 if (assoc->ipsa_idletime != 0) { 4488 assoc->ipsa_idletime = min(assoc->ipsa_idletime, 4489 assoc->ipsa_idleuselt); 4490 assoc->ipsa_idleexpiretime = 4491 current + assoc->ipsa_idletime; 4492 } else { 4493 assoc->ipsa_idleexpiretime = 4494 current + assoc->ipsa_idleuselt; 4495 assoc->ipsa_idletime = assoc->ipsa_idleuselt; 4496 } 4497 } 4498 } 4499 mutex_exit(&assoc->ipsa_lock); 4500 } 4501 4502 static int 4503 sadb_update_state(ipsa_t *assoc, uint_t new_state, mblk_t **ipkt_lst) 4504 { 4505 int rcode = 0; 4506 time_t current = gethrestime_sec(); 4507 4508 mutex_enter(&assoc->ipsa_lock); 4509 4510 switch (new_state) { 4511 case SADB_X_SASTATE_ACTIVE_ELSEWHERE: 4512 if (assoc->ipsa_state == SADB_X_SASTATE_IDLE) { 4513 assoc->ipsa_state = IPSA_STATE_ACTIVE_ELSEWHERE; 4514 assoc->ipsa_idleexpiretime = 4515 current + assoc->ipsa_idletime; 4516 } 4517 break; 4518 case SADB_X_SASTATE_IDLE: 4519 if (assoc->ipsa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) { 4520 assoc->ipsa_state = IPSA_STATE_IDLE; 4521 assoc->ipsa_idleexpiretime = 4522 current + assoc->ipsa_idletime; 4523 } else { 4524 rcode = EINVAL; 4525 } 4526 break; 4527 4528 case SADB_X_SASTATE_ACTIVE: 4529 if (assoc->ipsa_state != SADB_X_SASTATE_IDLE) { 4530 rcode = EINVAL; 4531 break; 4532 } 4533 assoc->ipsa_state = IPSA_STATE_MATURE; 4534 assoc->ipsa_idleexpiretime = current + assoc->ipsa_idletime; 4535 4536 if (ipkt_lst == NULL) { 4537 break; 4538 } 4539 4540 if (assoc->ipsa_bpkt_head != NULL) { 4541 *ipkt_lst = assoc->ipsa_bpkt_head; 4542 assoc->ipsa_bpkt_head = assoc->ipsa_bpkt_tail = NULL; 4543 assoc->ipsa_mblkcnt = 0; 4544 } else { 4545 *ipkt_lst = NULL; 4546 } 4547 break; 4548 default: 4549 rcode = EINVAL; 4550 break; 4551 } 4552 4553 mutex_exit(&assoc->ipsa_lock); 4554 return (rcode); 4555 } 4556 4557 /* 4558 * Common code to update an SA. 4559 */ 4560 4561 int 4562 sadb_update_sa(mblk_t *mp, keysock_in_t *ksi, mblk_t **ipkt_lst, 4563 sadbp_t *spp, int *diagnostic, queue_t *pfkey_q, 4564 int (*add_sa_func)(mblk_t *, keysock_in_t *, int *, netstack_t *), 4565 netstack_t *ns, uint8_t sadb_msg_type) 4566 { 4567 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 4568 sadb_address_t *srcext = 4569 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 4570 sadb_address_t *dstext = 4571 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 4572 sadb_x_kmc_t *kmcext = 4573 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 4574 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 4575 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 4576 sadb_x_replay_ctr_t *replext = 4577 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE]; 4578 sadb_lifetime_t *soft = 4579 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 4580 sadb_lifetime_t *hard = 4581 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 4582 sadb_lifetime_t *idle = 4583 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE]; 4584 sadb_x_pair_t *pair_ext = 4585 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 4586 ipsa_t *echo_target = NULL; 4587 int error = 0; 4588 ipsap_t *ipsapp = NULL; 4589 uint32_t kmp = 0, kmc = 0; 4590 time_t current = gethrestime_sec(); 4591 4592 4593 /* I need certain extensions present for either UPDATE message. */ 4594 if (srcext == NULL) { 4595 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 4596 return (EINVAL); 4597 } 4598 if (dstext == NULL) { 4599 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 4600 return (EINVAL); 4601 } 4602 if (assoc == NULL) { 4603 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 4604 return (EINVAL); 4605 } 4606 4607 if (kmcext != NULL) { 4608 kmp = kmcext->sadb_x_kmc_proto; 4609 kmc = kmcext->sadb_x_kmc_cookie; 4610 } 4611 4612 ipsapp = get_ipsa_pair(assoc, srcext, dstext, spp); 4613 if (ipsapp == NULL) { 4614 *diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND; 4615 return (ESRCH); 4616 } 4617 4618 if (ipsapp->ipsap_psa_ptr == NULL && ipsapp->ipsap_sa_ptr != NULL) { 4619 if (ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) { 4620 /* 4621 * REFRELE the target and let the add_sa_func() 4622 * deal with updating a larval SA. 4623 */ 4624 destroy_ipsa_pair(ipsapp); 4625 return (add_sa_func(mp, ksi, diagnostic, ns)); 4626 } 4627 } 4628 4629 if (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) { 4630 if (ipsapp->ipsap_sa_ptr != NULL && 4631 ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_IDLE) { 4632 if ((error = sadb_update_state(ipsapp->ipsap_sa_ptr, 4633 assoc->sadb_sa_state, NULL)) != 0) { 4634 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4635 goto bail; 4636 } 4637 } 4638 if (ipsapp->ipsap_psa_ptr != NULL && 4639 ipsapp->ipsap_psa_ptr->ipsa_state == IPSA_STATE_IDLE) { 4640 if ((error = sadb_update_state(ipsapp->ipsap_psa_ptr, 4641 assoc->sadb_sa_state, NULL)) != 0) { 4642 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4643 goto bail; 4644 } 4645 } 4646 } 4647 if (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE) { 4648 if (ipsapp->ipsap_sa_ptr != NULL) { 4649 error = sadb_update_state(ipsapp->ipsap_sa_ptr, 4650 assoc->sadb_sa_state, 4651 (ipsapp->ipsap_sa_ptr->ipsa_flags & 4652 IPSA_F_INBOUND) ? ipkt_lst : NULL); 4653 if (error) { 4654 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4655 goto bail; 4656 } 4657 } 4658 if (ipsapp->ipsap_psa_ptr != NULL) { 4659 error = sadb_update_state(ipsapp->ipsap_psa_ptr, 4660 assoc->sadb_sa_state, 4661 (ipsapp->ipsap_psa_ptr->ipsa_flags & 4662 IPSA_F_INBOUND) ? ipkt_lst : NULL); 4663 if (error) { 4664 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4665 goto bail; 4666 } 4667 } 4668 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 4669 ksi, echo_target); 4670 goto bail; 4671 } 4672 4673 /* 4674 * Reality checks for updates of active associations. 4675 * Sundry first-pass UPDATE-specific reality checks. 4676 * Have to do the checks here, because it's after the add_sa code. 4677 * XXX STATS : logging/stats here? 4678 */ 4679 4680 if (!((assoc->sadb_sa_state == SADB_SASTATE_MATURE) || 4681 (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE))) { 4682 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4683 error = EINVAL; 4684 goto bail; 4685 } 4686 4687 if (assoc->sadb_sa_flags & ~spp->s_updateflags) { 4688 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS; 4689 error = EINVAL; 4690 goto bail; 4691 } 4692 4693 if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL) { 4694 error = EOPNOTSUPP; 4695 goto bail; 4696 } 4697 4698 if ((*diagnostic = sadb_hardsoftchk(hard, soft, idle)) != 0) { 4699 error = EINVAL; 4700 goto bail; 4701 } 4702 if (akey != NULL) { 4703 *diagnostic = SADB_X_DIAGNOSTIC_AKEY_PRESENT; 4704 error = EINVAL; 4705 goto bail; 4706 } 4707 if (ekey != NULL) { 4708 *diagnostic = SADB_X_DIAGNOSTIC_EKEY_PRESENT; 4709 error = EINVAL; 4710 goto bail; 4711 } 4712 4713 if (ipsapp->ipsap_sa_ptr != NULL) { 4714 if (ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_DEAD) { 4715 error = ESRCH; /* DEAD == Not there, in this case. */ 4716 *diagnostic = SADB_X_DIAGNOSTIC_SA_EXPIRED; 4717 goto bail; 4718 } 4719 if ((kmp != 0) && 4720 ((ipsapp->ipsap_sa_ptr->ipsa_kmp != 0) || 4721 (ipsapp->ipsap_sa_ptr->ipsa_kmp != kmp))) { 4722 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 4723 error = EINVAL; 4724 goto bail; 4725 } 4726 if ((kmc != 0) && 4727 ((ipsapp->ipsap_sa_ptr->ipsa_kmc != 0) || 4728 (ipsapp->ipsap_sa_ptr->ipsa_kmc != kmc))) { 4729 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 4730 error = EINVAL; 4731 goto bail; 4732 } 4733 /* 4734 * Do not allow replay value change for MATURE or LARVAL SA. 4735 */ 4736 4737 if ((replext != NULL) && 4738 ((ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) || 4739 (ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_MATURE))) { 4740 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4741 error = EINVAL; 4742 goto bail; 4743 } 4744 } 4745 4746 if (ipsapp->ipsap_psa_ptr != NULL) { 4747 if (ipsapp->ipsap_psa_ptr->ipsa_state == IPSA_STATE_DEAD) { 4748 *diagnostic = SADB_X_DIAGNOSTIC_SA_EXPIRED; 4749 error = ESRCH; /* DEAD == Not there, in this case. */ 4750 goto bail; 4751 } 4752 if ((kmp != 0) && 4753 ((ipsapp->ipsap_psa_ptr->ipsa_kmp != 0) || 4754 (ipsapp->ipsap_psa_ptr->ipsa_kmp != kmp))) { 4755 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 4756 error = EINVAL; 4757 goto bail; 4758 } 4759 if ((kmc != 0) && 4760 ((ipsapp->ipsap_psa_ptr->ipsa_kmc != 0) || 4761 (ipsapp->ipsap_psa_ptr->ipsa_kmc != kmc))) { 4762 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 4763 error = EINVAL; 4764 goto bail; 4765 } 4766 } 4767 4768 if (ipsapp->ipsap_sa_ptr != NULL) { 4769 sadb_update_lifetimes(ipsapp->ipsap_sa_ptr, hard, soft, 4770 idle, B_TRUE); 4771 if (kmp != 0) 4772 ipsapp->ipsap_sa_ptr->ipsa_kmp = kmp; 4773 if (kmc != 0) 4774 ipsapp->ipsap_sa_ptr->ipsa_kmc = kmc; 4775 if ((replext != NULL) && 4776 (ipsapp->ipsap_sa_ptr->ipsa_replay_wsize != 0)) { 4777 /* 4778 * If an inbound SA, update the replay counter 4779 * and check off all the other sequence number 4780 */ 4781 if (ksi->ks_in_dsttype == KS_IN_ADDR_ME) { 4782 if (!sadb_replay_check(ipsapp->ipsap_sa_ptr, 4783 replext->sadb_x_rc_replay32)) { 4784 error = EINVAL; 4785 goto bail; 4786 } 4787 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4788 ipsapp->ipsap_sa_ptr->ipsa_idleexpiretime = 4789 current + 4790 ipsapp->ipsap_sa_ptr->ipsa_idletime; 4791 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4792 } else { 4793 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4794 ipsapp->ipsap_sa_ptr->ipsa_replay = 4795 replext->sadb_x_rc_replay32; 4796 ipsapp->ipsap_sa_ptr->ipsa_idleexpiretime = 4797 current + 4798 ipsapp->ipsap_sa_ptr->ipsa_idletime; 4799 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4800 } 4801 } 4802 } 4803 4804 if (sadb_msg_type == SADB_X_UPDATEPAIR) { 4805 if (ipsapp->ipsap_psa_ptr != NULL) { 4806 sadb_update_lifetimes(ipsapp->ipsap_psa_ptr, hard, soft, 4807 idle, B_FALSE); 4808 if (kmp != 0) 4809 ipsapp->ipsap_psa_ptr->ipsa_kmp = kmp; 4810 if (kmc != 0) 4811 ipsapp->ipsap_psa_ptr->ipsa_kmc = kmc; 4812 } else { 4813 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 4814 error = ESRCH; 4815 goto bail; 4816 } 4817 } 4818 4819 if (pair_ext != NULL) 4820 error = update_pairing(ipsapp, ksi, diagnostic, spp); 4821 4822 if (error == 0) 4823 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 4824 ksi, echo_target); 4825 bail: 4826 4827 destroy_ipsa_pair(ipsapp); 4828 4829 return (error); 4830 } 4831 4832 4833 int 4834 update_pairing(ipsap_t *ipsapp, keysock_in_t *ksi, int *diagnostic, 4835 sadbp_t *spp) 4836 { 4837 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 4838 sadb_address_t *srcext = 4839 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 4840 sadb_address_t *dstext = 4841 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 4842 sadb_x_pair_t *pair_ext = 4843 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 4844 int error = 0; 4845 ipsap_t *oipsapp = NULL; 4846 boolean_t undo_pair = B_FALSE; 4847 uint32_t ipsa_flags; 4848 4849 if (pair_ext->sadb_x_pair_spi == 0 || pair_ext->sadb_x_pair_spi == 4850 assoc->sadb_sa_spi) { 4851 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4852 return (EINVAL); 4853 } 4854 4855 /* 4856 * Assume for now that the spi value provided in the SADB_UPDATE 4857 * message was valid, update the SA with its pair spi value. 4858 * If the spi turns out to be bogus or the SA no longer exists 4859 * then this will be detected when the reverse update is made 4860 * below. 4861 */ 4862 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4863 ipsapp->ipsap_sa_ptr->ipsa_flags |= IPSA_F_PAIRED; 4864 ipsapp->ipsap_sa_ptr->ipsa_otherspi = pair_ext->sadb_x_pair_spi; 4865 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4866 4867 /* 4868 * After updating the ipsa_otherspi element of the SA, get_ipsa_pair() 4869 * should now return pointers to the SA *AND* its pair, if this is not 4870 * the case, the "otherspi" either did not exist or was deleted. Also 4871 * check that "otherspi" is not already paired. If everything looks 4872 * good, complete the update. IPSA_REFRELE the first pair_pointer 4873 * after this update to ensure its not deleted until we are done. 4874 */ 4875 oipsapp = get_ipsa_pair(assoc, srcext, dstext, spp); 4876 if (oipsapp == NULL) { 4877 /* 4878 * This should never happen, calling function still has 4879 * IPSA_REFHELD on the SA we just updated. 4880 */ 4881 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 4882 return (EINVAL); 4883 } 4884 4885 if (oipsapp->ipsap_psa_ptr == NULL) { 4886 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4887 undo_pair = B_TRUE; 4888 } else { 4889 ipsa_flags = oipsapp->ipsap_psa_ptr->ipsa_flags; 4890 if ((oipsapp->ipsap_psa_ptr->ipsa_state == IPSA_STATE_DEAD) || 4891 (oipsapp->ipsap_psa_ptr->ipsa_state == IPSA_STATE_DYING)) { 4892 /* Its dead Jim! */ 4893 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4894 undo_pair = B_TRUE; 4895 } else if ((ipsa_flags & (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) == 4896 (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) { 4897 /* This SA is in both hashtables. */ 4898 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4899 undo_pair = B_TRUE; 4900 } else if (ipsa_flags & IPSA_F_PAIRED) { 4901 /* This SA is already paired with another. */ 4902 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY; 4903 undo_pair = B_TRUE; 4904 } 4905 } 4906 4907 if (undo_pair) { 4908 /* The pair SA does not exist. */ 4909 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4910 ipsapp->ipsap_sa_ptr->ipsa_flags &= ~IPSA_F_PAIRED; 4911 ipsapp->ipsap_sa_ptr->ipsa_otherspi = 0; 4912 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4913 error = EINVAL; 4914 } else { 4915 mutex_enter(&oipsapp->ipsap_psa_ptr->ipsa_lock); 4916 oipsapp->ipsap_psa_ptr->ipsa_otherspi = assoc->sadb_sa_spi; 4917 oipsapp->ipsap_psa_ptr->ipsa_flags |= IPSA_F_PAIRED; 4918 mutex_exit(&oipsapp->ipsap_psa_ptr->ipsa_lock); 4919 } 4920 4921 destroy_ipsa_pair(oipsapp); 4922 return (error); 4923 } 4924 4925 /* 4926 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is 4927 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails 4928 * for an outbound datagram, that datagram is queued up on an ACQUIRE record, 4929 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key 4930 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve 4931 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the 4932 * other direction's SA. 4933 */ 4934 4935 /* 4936 * Check the ACQUIRE lists. If there's an existing ACQUIRE record, 4937 * grab it, lock it, and return it. Otherwise return NULL. 4938 */ 4939 static ipsacq_t * 4940 sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp, 4941 uint32_t *src, uint32_t *dst, uint32_t *isrc, uint32_t *idst, 4942 uint64_t unique_id) 4943 { 4944 ipsacq_t *walker; 4945 sa_family_t fam; 4946 uint32_t blank_address[4] = {0, 0, 0, 0}; 4947 4948 if (isrc == NULL) { 4949 ASSERT(idst == NULL); 4950 isrc = idst = blank_address; 4951 } 4952 4953 /* 4954 * Scan list for duplicates. Check for UNIQUE, src/dest, policy. 4955 * 4956 * XXX May need search for duplicates based on other things too! 4957 */ 4958 for (walker = bucket->iacqf_ipsacq; walker != NULL; 4959 walker = walker->ipsacq_next) { 4960 mutex_enter(&walker->ipsacq_lock); 4961 fam = walker->ipsacq_addrfam; 4962 if (IPSA_ARE_ADDR_EQUAL(dst, walker->ipsacq_dstaddr, fam) && 4963 IPSA_ARE_ADDR_EQUAL(src, walker->ipsacq_srcaddr, fam) && 4964 ip_addr_match((uint8_t *)isrc, walker->ipsacq_innersrcpfx, 4965 (in6_addr_t *)walker->ipsacq_innersrc) && 4966 ip_addr_match((uint8_t *)idst, walker->ipsacq_innerdstpfx, 4967 (in6_addr_t *)walker->ipsacq_innerdst) && 4968 (ap == walker->ipsacq_act) && 4969 (pp == walker->ipsacq_policy) && 4970 /* XXX do deep compares of ap/pp? */ 4971 (unique_id == walker->ipsacq_unique_id)) 4972 break; /* everything matched */ 4973 mutex_exit(&walker->ipsacq_lock); 4974 } 4975 4976 return (walker); 4977 } 4978 4979 /* 4980 * For this mblk, insert a new acquire record. Assume bucket contains addrs 4981 * of all of the same length. Give up (and drop) if memory 4982 * cannot be allocated for a new one; otherwise, invoke callback to 4983 * send the acquire up.. 4984 * 4985 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE 4986 * list. The ah_add_sa_finish() routines can look at the packet's ipsec_out_t 4987 * and handle this case specially. 4988 */ 4989 void 4990 sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp) 4991 { 4992 sadbp_t *spp; 4993 sadb_t *sp; 4994 ipsacq_t *newbie; 4995 iacqf_t *bucket; 4996 mblk_t *datamp = mp->b_cont; 4997 mblk_t *extended; 4998 ipha_t *ipha = (ipha_t *)datamp->b_rptr; 4999 ip6_t *ip6h = (ip6_t *)datamp->b_rptr; 5000 uint32_t *src, *dst, *isrc, *idst; 5001 ipsec_policy_t *pp = io->ipsec_out_policy; 5002 ipsec_action_t *ap = io->ipsec_out_act; 5003 sa_family_t af; 5004 int hashoffset; 5005 uint32_t seq; 5006 uint64_t unique_id = 0; 5007 ipsec_selector_t sel; 5008 boolean_t tunnel_mode = io->ipsec_out_tunnel; 5009 netstack_t *ns = io->ipsec_out_ns; 5010 ipsec_stack_t *ipss = ns->netstack_ipsec; 5011 5012 ASSERT((pp != NULL) || (ap != NULL)); 5013 5014 ASSERT(need_ah != NULL || need_esp != NULL); 5015 /* Assign sadb pointers */ 5016 if (need_esp) { /* ESP for AH+ESP */ 5017 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 5018 5019 spp = &espstack->esp_sadb; 5020 } else { 5021 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 5022 5023 spp = &ahstack->ah_sadb; 5024 } 5025 sp = io->ipsec_out_v4 ? &spp->s_v4 : &spp->s_v6; 5026 5027 if (ap == NULL) 5028 ap = pp->ipsp_act; 5029 5030 ASSERT(ap != NULL); 5031 5032 if (ap->ipa_act.ipa_apply.ipp_use_unique || tunnel_mode) 5033 unique_id = SA_FORM_UNIQUE_ID(io); 5034 5035 /* 5036 * Set up an ACQUIRE record. 5037 * 5038 * Immediately, make sure the ACQUIRE sequence number doesn't slip 5039 * below the lowest point allowed in the kernel. (In other words, 5040 * make sure the high bit on the sequence number is set.) 5041 */ 5042 5043 seq = keysock_next_seq(ns) | IACQF_LOWEST_SEQ; 5044 5045 if (IPH_HDR_VERSION(ipha) == IP_VERSION) { 5046 src = (uint32_t *)&ipha->ipha_src; 5047 dst = (uint32_t *)&ipha->ipha_dst; 5048 af = AF_INET; 5049 hashoffset = OUTBOUND_HASH_V4(sp, ipha->ipha_dst); 5050 ASSERT(io->ipsec_out_v4 == B_TRUE); 5051 } else { 5052 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION); 5053 src = (uint32_t *)&ip6h->ip6_src; 5054 dst = (uint32_t *)&ip6h->ip6_dst; 5055 af = AF_INET6; 5056 hashoffset = OUTBOUND_HASH_V6(sp, ip6h->ip6_dst); 5057 ASSERT(io->ipsec_out_v4 == B_FALSE); 5058 } 5059 5060 if (tunnel_mode) { 5061 /* Snag inner addresses. */ 5062 isrc = io->ipsec_out_insrc; 5063 idst = io->ipsec_out_indst; 5064 } else { 5065 isrc = idst = NULL; 5066 } 5067 5068 /* 5069 * Check buckets to see if there is an existing entry. If so, 5070 * grab it. sadb_checkacquire locks newbie if found. 5071 */ 5072 bucket = &(sp->sdb_acq[hashoffset]); 5073 mutex_enter(&bucket->iacqf_lock); 5074 newbie = sadb_checkacquire(bucket, ap, pp, src, dst, isrc, idst, 5075 unique_id); 5076 5077 if (newbie == NULL) { 5078 /* 5079 * Otherwise, allocate a new one. 5080 */ 5081 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP); 5082 if (newbie == NULL) { 5083 mutex_exit(&bucket->iacqf_lock); 5084 ip_drop_packet(mp, B_FALSE, NULL, NULL, 5085 DROPPER(ipss, ipds_sadb_acquire_nomem), 5086 &ipss->ipsec_sadb_dropper); 5087 return; 5088 } 5089 newbie->ipsacq_policy = pp; 5090 if (pp != NULL) { 5091 IPPOL_REFHOLD(pp); 5092 } 5093 IPACT_REFHOLD(ap); 5094 newbie->ipsacq_act = ap; 5095 newbie->ipsacq_linklock = &bucket->iacqf_lock; 5096 newbie->ipsacq_next = bucket->iacqf_ipsacq; 5097 newbie->ipsacq_ptpn = &bucket->iacqf_ipsacq; 5098 if (newbie->ipsacq_next != NULL) 5099 newbie->ipsacq_next->ipsacq_ptpn = &newbie->ipsacq_next; 5100 bucket->iacqf_ipsacq = newbie; 5101 mutex_init(&newbie->ipsacq_lock, NULL, MUTEX_DEFAULT, NULL); 5102 mutex_enter(&newbie->ipsacq_lock); 5103 } 5104 5105 mutex_exit(&bucket->iacqf_lock); 5106 5107 /* 5108 * This assert looks silly for now, but we may need to enter newbie's 5109 * mutex during a search. 5110 */ 5111 ASSERT(MUTEX_HELD(&newbie->ipsacq_lock)); 5112 5113 mp->b_next = NULL; 5114 /* Queue up packet. Use b_next. */ 5115 if (newbie->ipsacq_numpackets == 0) { 5116 /* First one. */ 5117 newbie->ipsacq_mp = mp; 5118 newbie->ipsacq_numpackets = 1; 5119 newbie->ipsacq_expire = gethrestime_sec(); 5120 /* 5121 * Extended ACQUIRE with both AH+ESP will use ESP's timeout 5122 * value. 5123 */ 5124 newbie->ipsacq_expire += *spp->s_acquire_timeout; 5125 newbie->ipsacq_seq = seq; 5126 newbie->ipsacq_addrfam = af; 5127 5128 newbie->ipsacq_srcport = io->ipsec_out_src_port; 5129 newbie->ipsacq_dstport = io->ipsec_out_dst_port; 5130 newbie->ipsacq_icmp_type = io->ipsec_out_icmp_type; 5131 newbie->ipsacq_icmp_code = io->ipsec_out_icmp_code; 5132 if (tunnel_mode) { 5133 newbie->ipsacq_inneraddrfam = io->ipsec_out_inaf; 5134 newbie->ipsacq_proto = io->ipsec_out_inaf == AF_INET6 ? 5135 IPPROTO_IPV6 : IPPROTO_ENCAP; 5136 newbie->ipsacq_innersrcpfx = io->ipsec_out_insrcpfx; 5137 newbie->ipsacq_innerdstpfx = io->ipsec_out_indstpfx; 5138 IPSA_COPY_ADDR(newbie->ipsacq_innersrc, 5139 io->ipsec_out_insrc, io->ipsec_out_inaf); 5140 IPSA_COPY_ADDR(newbie->ipsacq_innerdst, 5141 io->ipsec_out_indst, io->ipsec_out_inaf); 5142 } else { 5143 newbie->ipsacq_proto = io->ipsec_out_proto; 5144 } 5145 newbie->ipsacq_unique_id = unique_id; 5146 } else { 5147 /* Scan to the end of the list & insert. */ 5148 mblk_t *lastone = newbie->ipsacq_mp; 5149 5150 while (lastone->b_next != NULL) 5151 lastone = lastone->b_next; 5152 lastone->b_next = mp; 5153 if (newbie->ipsacq_numpackets++ == ipsacq_maxpackets) { 5154 newbie->ipsacq_numpackets = ipsacq_maxpackets; 5155 lastone = newbie->ipsacq_mp; 5156 newbie->ipsacq_mp = lastone->b_next; 5157 lastone->b_next = NULL; 5158 ip_drop_packet(lastone, B_FALSE, NULL, NULL, 5159 DROPPER(ipss, ipds_sadb_acquire_toofull), 5160 &ipss->ipsec_sadb_dropper); 5161 } else { 5162 IP_ACQUIRE_STAT(ipss, qhiwater, 5163 newbie->ipsacq_numpackets); 5164 } 5165 } 5166 5167 /* 5168 * Reset addresses. Set them to the most recently added mblk chain, 5169 * so that the address pointers in the acquire record will point 5170 * at an mblk still attached to the acquire list. 5171 */ 5172 5173 newbie->ipsacq_srcaddr = src; 5174 newbie->ipsacq_dstaddr = dst; 5175 5176 /* 5177 * If the acquire record has more than one queued packet, we've 5178 * already sent an ACQUIRE, and don't need to repeat ourself. 5179 */ 5180 if (newbie->ipsacq_seq != seq || newbie->ipsacq_numpackets > 1) { 5181 /* I have an acquire outstanding already! */ 5182 mutex_exit(&newbie->ipsacq_lock); 5183 return; 5184 } 5185 5186 if (keysock_extended_reg(ns)) { 5187 /* 5188 * Construct an extended ACQUIRE. There are logging 5189 * opportunities here in failure cases. 5190 */ 5191 5192 (void) memset(&sel, 0, sizeof (sel)); 5193 sel.ips_isv4 = io->ipsec_out_v4; 5194 if (tunnel_mode) { 5195 sel.ips_protocol = (io->ipsec_out_inaf == AF_INET) ? 5196 IPPROTO_ENCAP : IPPROTO_IPV6; 5197 } else { 5198 sel.ips_protocol = io->ipsec_out_proto; 5199 sel.ips_local_port = io->ipsec_out_src_port; 5200 sel.ips_remote_port = io->ipsec_out_dst_port; 5201 } 5202 sel.ips_icmp_type = io->ipsec_out_icmp_type; 5203 sel.ips_icmp_code = io->ipsec_out_icmp_code; 5204 sel.ips_is_icmp_inv_acq = 0; 5205 if (af == AF_INET) { 5206 sel.ips_local_addr_v4 = ipha->ipha_src; 5207 sel.ips_remote_addr_v4 = ipha->ipha_dst; 5208 } else { 5209 sel.ips_local_addr_v6 = ip6h->ip6_src; 5210 sel.ips_remote_addr_v6 = ip6h->ip6_dst; 5211 } 5212 5213 extended = sadb_keysock_out(0); 5214 if (extended != NULL) { 5215 extended->b_cont = sadb_extended_acquire(&sel, pp, ap, 5216 tunnel_mode, seq, 0, ns); 5217 if (extended->b_cont == NULL) { 5218 freeb(extended); 5219 extended = NULL; 5220 } 5221 } 5222 } else 5223 extended = NULL; 5224 5225 /* 5226 * Send an ACQUIRE message (and possible an extended ACQUIRE) based on 5227 * this new record. The send-acquire callback assumes that acqrec is 5228 * already locked. 5229 */ 5230 (*spp->s_acqfn)(newbie, extended, ns); 5231 } 5232 5233 /* 5234 * Unlink and free an acquire record. 5235 */ 5236 void 5237 sadb_destroy_acquire(ipsacq_t *acqrec, netstack_t *ns) 5238 { 5239 mblk_t *mp; 5240 ipsec_stack_t *ipss = ns->netstack_ipsec; 5241 5242 ASSERT(MUTEX_HELD(acqrec->ipsacq_linklock)); 5243 5244 if (acqrec->ipsacq_policy != NULL) { 5245 IPPOL_REFRELE(acqrec->ipsacq_policy, ns); 5246 } 5247 if (acqrec->ipsacq_act != NULL) { 5248 IPACT_REFRELE(acqrec->ipsacq_act); 5249 } 5250 5251 /* Unlink */ 5252 *(acqrec->ipsacq_ptpn) = acqrec->ipsacq_next; 5253 if (acqrec->ipsacq_next != NULL) 5254 acqrec->ipsacq_next->ipsacq_ptpn = acqrec->ipsacq_ptpn; 5255 5256 /* 5257 * Free hanging mp's. 5258 * 5259 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED. 5260 */ 5261 5262 mutex_enter(&acqrec->ipsacq_lock); 5263 while (acqrec->ipsacq_mp != NULL) { 5264 mp = acqrec->ipsacq_mp; 5265 acqrec->ipsacq_mp = mp->b_next; 5266 mp->b_next = NULL; 5267 ip_drop_packet(mp, B_FALSE, NULL, NULL, 5268 DROPPER(ipss, ipds_sadb_acquire_timeout), 5269 &ipss->ipsec_sadb_dropper); 5270 } 5271 mutex_exit(&acqrec->ipsacq_lock); 5272 5273 /* Free */ 5274 mutex_destroy(&acqrec->ipsacq_lock); 5275 kmem_free(acqrec, sizeof (*acqrec)); 5276 } 5277 5278 /* 5279 * Destroy an acquire list fanout. 5280 */ 5281 static void 5282 sadb_destroy_acqlist(iacqf_t **listp, uint_t numentries, boolean_t forever, 5283 netstack_t *ns) 5284 { 5285 int i; 5286 iacqf_t *list = *listp; 5287 5288 if (list == NULL) 5289 return; 5290 5291 for (i = 0; i < numentries; i++) { 5292 mutex_enter(&(list[i].iacqf_lock)); 5293 while (list[i].iacqf_ipsacq != NULL) 5294 sadb_destroy_acquire(list[i].iacqf_ipsacq, ns); 5295 mutex_exit(&(list[i].iacqf_lock)); 5296 if (forever) 5297 mutex_destroy(&(list[i].iacqf_lock)); 5298 } 5299 5300 if (forever) { 5301 *listp = NULL; 5302 kmem_free(list, numentries * sizeof (*list)); 5303 } 5304 } 5305 5306 /* 5307 * Create an algorithm descriptor for an extended ACQUIRE. Filter crypto 5308 * framework's view of reality vs. IPsec's. EF's wins, BTW. 5309 */ 5310 static uint8_t * 5311 sadb_new_algdesc(uint8_t *start, uint8_t *limit, 5312 sadb_x_ecomb_t *ecomb, uint8_t satype, uint8_t algtype, 5313 uint8_t alg, uint16_t minbits, uint16_t maxbits, ipsec_stack_t *ipss) 5314 { 5315 uint8_t *cur = start; 5316 ipsec_alginfo_t *algp; 5317 sadb_x_algdesc_t *algdesc = (sadb_x_algdesc_t *)cur; 5318 5319 cur += sizeof (*algdesc); 5320 if (cur >= limit) 5321 return (NULL); 5322 5323 ecomb->sadb_x_ecomb_numalgs++; 5324 5325 /* 5326 * Normalize vs. crypto framework's limits. This way, you can specify 5327 * a stronger policy, and when the framework loads a stronger version, 5328 * you can just keep plowing w/o rewhacking your SPD. 5329 */ 5330 mutex_enter(&ipss->ipsec_alg_lock); 5331 algp = ipss->ipsec_alglists[(algtype == SADB_X_ALGTYPE_AUTH) ? 5332 IPSEC_ALG_AUTH : IPSEC_ALG_ENCR][alg]; 5333 if (algp == NULL) { 5334 mutex_exit(&ipss->ipsec_alg_lock); 5335 return (NULL); /* Algorithm doesn't exist. Fail gracefully. */ 5336 } 5337 if (minbits < algp->alg_ef_minbits) 5338 minbits = algp->alg_ef_minbits; 5339 if (maxbits > algp->alg_ef_maxbits) 5340 maxbits = algp->alg_ef_maxbits; 5341 mutex_exit(&ipss->ipsec_alg_lock); 5342 5343 algdesc->sadb_x_algdesc_satype = satype; 5344 algdesc->sadb_x_algdesc_algtype = algtype; 5345 algdesc->sadb_x_algdesc_alg = alg; 5346 algdesc->sadb_x_algdesc_minbits = minbits; 5347 algdesc->sadb_x_algdesc_maxbits = maxbits; 5348 algdesc->sadb_x_algdesc_reserved = 0; 5349 return (cur); 5350 } 5351 5352 /* 5353 * Convert the given ipsec_action_t into an ecomb starting at *ecomb 5354 * which must fit before *limit 5355 * 5356 * return NULL if we ran out of room or a pointer to the end of the ecomb. 5357 */ 5358 static uint8_t * 5359 sadb_action_to_ecomb(uint8_t *start, uint8_t *limit, ipsec_action_t *act, 5360 netstack_t *ns) 5361 { 5362 uint8_t *cur = start; 5363 sadb_x_ecomb_t *ecomb = (sadb_x_ecomb_t *)cur; 5364 ipsec_prot_t *ipp; 5365 ipsec_stack_t *ipss = ns->netstack_ipsec; 5366 5367 cur += sizeof (*ecomb); 5368 if (cur >= limit) 5369 return (NULL); 5370 5371 ASSERT(act->ipa_act.ipa_type == IPSEC_ACT_APPLY); 5372 5373 ipp = &act->ipa_act.ipa_apply; 5374 5375 ecomb->sadb_x_ecomb_numalgs = 0; 5376 ecomb->sadb_x_ecomb_reserved = 0; 5377 ecomb->sadb_x_ecomb_reserved2 = 0; 5378 /* 5379 * No limits on allocations, since we really don't support that 5380 * concept currently. 5381 */ 5382 ecomb->sadb_x_ecomb_soft_allocations = 0; 5383 ecomb->sadb_x_ecomb_hard_allocations = 0; 5384 5385 /* 5386 * XXX TBD: Policy or global parameters will eventually be 5387 * able to fill in some of these. 5388 */ 5389 ecomb->sadb_x_ecomb_flags = 0; 5390 ecomb->sadb_x_ecomb_soft_bytes = 0; 5391 ecomb->sadb_x_ecomb_hard_bytes = 0; 5392 ecomb->sadb_x_ecomb_soft_addtime = 0; 5393 ecomb->sadb_x_ecomb_hard_addtime = 0; 5394 ecomb->sadb_x_ecomb_soft_usetime = 0; 5395 ecomb->sadb_x_ecomb_hard_usetime = 0; 5396 5397 if (ipp->ipp_use_ah) { 5398 cur = sadb_new_algdesc(cur, limit, ecomb, 5399 SADB_SATYPE_AH, SADB_X_ALGTYPE_AUTH, ipp->ipp_auth_alg, 5400 ipp->ipp_ah_minbits, ipp->ipp_ah_maxbits, ipss); 5401 if (cur == NULL) 5402 return (NULL); 5403 ipsecah_fill_defs(ecomb, ns); 5404 } 5405 5406 if (ipp->ipp_use_esp) { 5407 if (ipp->ipp_use_espa) { 5408 cur = sadb_new_algdesc(cur, limit, ecomb, 5409 SADB_SATYPE_ESP, SADB_X_ALGTYPE_AUTH, 5410 ipp->ipp_esp_auth_alg, 5411 ipp->ipp_espa_minbits, 5412 ipp->ipp_espa_maxbits, ipss); 5413 if (cur == NULL) 5414 return (NULL); 5415 } 5416 5417 cur = sadb_new_algdesc(cur, limit, ecomb, 5418 SADB_SATYPE_ESP, SADB_X_ALGTYPE_CRYPT, 5419 ipp->ipp_encr_alg, 5420 ipp->ipp_espe_minbits, 5421 ipp->ipp_espe_maxbits, ipss); 5422 if (cur == NULL) 5423 return (NULL); 5424 /* Fill in lifetimes if and only if AH didn't already... */ 5425 if (!ipp->ipp_use_ah) 5426 ipsecesp_fill_defs(ecomb, ns); 5427 } 5428 5429 return (cur); 5430 } 5431 5432 /* 5433 * Construct an extended ACQUIRE message based on a selector and the resulting 5434 * IPsec action. 5435 * 5436 * NOTE: This is used by both inverse ACQUIRE and actual ACQUIRE 5437 * generation. As a consequence, expect this function to evolve 5438 * rapidly. 5439 */ 5440 static mblk_t * 5441 sadb_extended_acquire(ipsec_selector_t *sel, ipsec_policy_t *pol, 5442 ipsec_action_t *act, boolean_t tunnel_mode, uint32_t seq, uint32_t pid, 5443 netstack_t *ns) 5444 { 5445 mblk_t *mp; 5446 sadb_msg_t *samsg; 5447 uint8_t *start, *cur, *end; 5448 uint32_t *saddrptr, *daddrptr; 5449 sa_family_t af; 5450 sadb_prop_t *eprop; 5451 ipsec_action_t *ap, *an; 5452 ipsec_selkey_t *ipsl; 5453 uint8_t proto, pfxlen; 5454 uint16_t lport, rport; 5455 uint32_t kmp, kmc; 5456 5457 /* 5458 * Find the action we want sooner rather than later.. 5459 */ 5460 an = NULL; 5461 if (pol == NULL) { 5462 ap = act; 5463 } else { 5464 ap = pol->ipsp_act; 5465 5466 if (ap != NULL) 5467 an = ap->ipa_next; 5468 } 5469 5470 /* 5471 * Just take a swag for the allocation for now. We can always 5472 * alter it later. 5473 */ 5474 #define SADB_EXTENDED_ACQUIRE_SIZE 4096 5475 mp = allocb(SADB_EXTENDED_ACQUIRE_SIZE, BPRI_HI); 5476 if (mp == NULL) 5477 return (NULL); 5478 5479 start = mp->b_rptr; 5480 end = start + SADB_EXTENDED_ACQUIRE_SIZE; 5481 5482 cur = start; 5483 5484 samsg = (sadb_msg_t *)cur; 5485 cur += sizeof (*samsg); 5486 5487 samsg->sadb_msg_version = PF_KEY_V2; 5488 samsg->sadb_msg_type = SADB_ACQUIRE; 5489 samsg->sadb_msg_errno = 0; 5490 samsg->sadb_msg_reserved = 0; 5491 samsg->sadb_msg_satype = 0; 5492 samsg->sadb_msg_seq = seq; 5493 samsg->sadb_msg_pid = pid; 5494 5495 if (tunnel_mode) { 5496 /* 5497 * Form inner address extensions based NOT on the inner 5498 * selectors (i.e. the packet data), but on the policy's 5499 * selector key (i.e. the policy's selector information). 5500 * 5501 * NOTE: The position of IPv4 and IPv6 addresses is the 5502 * same in ipsec_selkey_t (unless the compiler does very 5503 * strange things with unions, consult your local C language 5504 * lawyer for details). 5505 */ 5506 ipsl = &(pol->ipsp_sel->ipsl_key); 5507 if (ipsl->ipsl_valid & IPSL_IPV4) { 5508 af = AF_INET; 5509 ASSERT(sel->ips_protocol == IPPROTO_ENCAP); 5510 ASSERT(!(ipsl->ipsl_valid & IPSL_IPV6)); 5511 } else { 5512 af = AF_INET6; 5513 ASSERT(sel->ips_protocol == IPPROTO_IPV6); 5514 ASSERT(ipsl->ipsl_valid & IPSL_IPV6); 5515 } 5516 5517 if (ipsl->ipsl_valid & IPSL_LOCAL_ADDR) { 5518 saddrptr = (uint32_t *)(&ipsl->ipsl_local); 5519 pfxlen = ipsl->ipsl_local_pfxlen; 5520 } else { 5521 saddrptr = (uint32_t *)(&ipv6_all_zeros); 5522 pfxlen = 0; 5523 } 5524 /* XXX What about ICMP type/code? */ 5525 lport = (ipsl->ipsl_valid & IPSL_LOCAL_PORT) ? 5526 ipsl->ipsl_lport : 0; 5527 proto = (ipsl->ipsl_valid & IPSL_PROTOCOL) ? 5528 ipsl->ipsl_proto : 0; 5529 5530 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 5531 af, saddrptr, lport, proto, pfxlen); 5532 if (cur == NULL) { 5533 freeb(mp); 5534 return (NULL); 5535 } 5536 5537 if (ipsl->ipsl_valid & IPSL_REMOTE_ADDR) { 5538 daddrptr = (uint32_t *)(&ipsl->ipsl_remote); 5539 pfxlen = ipsl->ipsl_remote_pfxlen; 5540 } else { 5541 daddrptr = (uint32_t *)(&ipv6_all_zeros); 5542 pfxlen = 0; 5543 } 5544 /* XXX What about ICMP type/code? */ 5545 rport = (ipsl->ipsl_valid & IPSL_REMOTE_PORT) ? 5546 ipsl->ipsl_rport : 0; 5547 5548 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 5549 af, daddrptr, rport, proto, pfxlen); 5550 if (cur == NULL) { 5551 freeb(mp); 5552 return (NULL); 5553 } 5554 /* 5555 * TODO - if we go to 3408's dream of transport mode IP-in-IP 5556 * _with_ inner-packet address selectors, we'll need to further 5557 * distinguish tunnel mode here. For now, having inner 5558 * addresses and/or ports is sufficient. 5559 * 5560 * Meanwhile, whack proto/ports to reflect IP-in-IP for the 5561 * outer addresses. 5562 */ 5563 proto = sel->ips_protocol; /* Either _ENCAP or _IPV6 */ 5564 lport = rport = 0; 5565 } else if ((ap != NULL) && (!ap->ipa_want_unique)) { 5566 proto = 0; 5567 lport = 0; 5568 rport = 0; 5569 if (pol != NULL) { 5570 ipsl = &(pol->ipsp_sel->ipsl_key); 5571 if (ipsl->ipsl_valid & IPSL_PROTOCOL) 5572 proto = ipsl->ipsl_proto; 5573 if (ipsl->ipsl_valid & IPSL_REMOTE_PORT) 5574 rport = ipsl->ipsl_rport; 5575 if (ipsl->ipsl_valid & IPSL_LOCAL_PORT) 5576 lport = ipsl->ipsl_lport; 5577 } 5578 } else { 5579 proto = sel->ips_protocol; 5580 lport = sel->ips_local_port; 5581 rport = sel->ips_remote_port; 5582 } 5583 5584 af = sel->ips_isv4 ? AF_INET : AF_INET6; 5585 5586 /* 5587 * NOTE: The position of IPv4 and IPv6 addresses is the same in 5588 * ipsec_selector_t. 5589 */ 5590 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 5591 (uint32_t *)(&sel->ips_local_addr_v6), lport, proto, 0); 5592 5593 if (cur == NULL) { 5594 freeb(mp); 5595 return (NULL); 5596 } 5597 5598 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 5599 (uint32_t *)(&sel->ips_remote_addr_v6), rport, proto, 0); 5600 5601 if (cur == NULL) { 5602 freeb(mp); 5603 return (NULL); 5604 } 5605 5606 /* 5607 * This section will change a lot as policy evolves. 5608 * For now, it'll be relatively simple. 5609 */ 5610 eprop = (sadb_prop_t *)cur; 5611 cur += sizeof (*eprop); 5612 if (cur > end) { 5613 /* no space left */ 5614 freeb(mp); 5615 return (NULL); 5616 } 5617 5618 eprop->sadb_prop_exttype = SADB_X_EXT_EPROP; 5619 eprop->sadb_x_prop_ereserved = 0; 5620 eprop->sadb_x_prop_numecombs = 0; 5621 eprop->sadb_prop_replay = 32; /* default */ 5622 5623 kmc = kmp = 0; 5624 5625 for (; ap != NULL; ap = an) { 5626 an = (pol != NULL) ? ap->ipa_next : NULL; 5627 5628 /* 5629 * Skip non-IPsec policies 5630 */ 5631 if (ap->ipa_act.ipa_type != IPSEC_ACT_APPLY) 5632 continue; 5633 5634 if (ap->ipa_act.ipa_apply.ipp_km_proto) 5635 kmp = ap->ipa_act.ipa_apply.ipp_km_proto; 5636 if (ap->ipa_act.ipa_apply.ipp_km_cookie) 5637 kmc = ap->ipa_act.ipa_apply.ipp_km_cookie; 5638 if (ap->ipa_act.ipa_apply.ipp_replay_depth) { 5639 eprop->sadb_prop_replay = 5640 ap->ipa_act.ipa_apply.ipp_replay_depth; 5641 } 5642 5643 cur = sadb_action_to_ecomb(cur, end, ap, ns); 5644 if (cur == NULL) { /* no space */ 5645 freeb(mp); 5646 return (NULL); 5647 } 5648 eprop->sadb_x_prop_numecombs++; 5649 } 5650 5651 if (eprop->sadb_x_prop_numecombs == 0) { 5652 /* 5653 * This will happen if we fail to find a policy 5654 * allowing for IPsec processing. 5655 * Construct an error message. 5656 */ 5657 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 5658 samsg->sadb_msg_errno = ENOENT; 5659 samsg->sadb_x_msg_diagnostic = 0; 5660 return (mp); 5661 } 5662 5663 if ((kmp != 0) || (kmc != 0)) { 5664 cur = sadb_make_kmc_ext(cur, end, kmp, kmc); 5665 if (cur == NULL) { 5666 freeb(mp); 5667 return (NULL); 5668 } 5669 } 5670 5671 eprop->sadb_prop_len = SADB_8TO64(cur - (uint8_t *)eprop); 5672 samsg->sadb_msg_len = SADB_8TO64(cur - start); 5673 mp->b_wptr = cur; 5674 5675 return (mp); 5676 } 5677 5678 /* 5679 * Generic setup of an RFC 2367 ACQUIRE message. Caller sets satype. 5680 * 5681 * NOTE: This function acquires alg_lock as a side-effect if-and-only-if we 5682 * succeed (i.e. return non-NULL). Caller MUST release it. This is to 5683 * maximize code consolidation while preventing algorithm changes from messing 5684 * with the callers finishing touches on the ACQUIRE itself. 5685 */ 5686 mblk_t * 5687 sadb_setup_acquire(ipsacq_t *acqrec, uint8_t satype, ipsec_stack_t *ipss) 5688 { 5689 uint_t allocsize; 5690 mblk_t *pfkeymp, *msgmp; 5691 sa_family_t af; 5692 uint8_t *cur, *end; 5693 sadb_msg_t *samsg; 5694 uint16_t sport_typecode; 5695 uint16_t dport_typecode; 5696 uint8_t check_proto; 5697 boolean_t tunnel_mode = (acqrec->ipsacq_inneraddrfam != 0); 5698 5699 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock)); 5700 5701 pfkeymp = sadb_keysock_out(0); 5702 if (pfkeymp == NULL) 5703 return (NULL); 5704 5705 /* 5706 * First, allocate a basic ACQUIRE message 5707 */ 5708 allocsize = sizeof (sadb_msg_t) + sizeof (sadb_address_t) + 5709 sizeof (sadb_address_t) + sizeof (sadb_prop_t); 5710 5711 /* Make sure there's enough to cover both AF_INET and AF_INET6. */ 5712 allocsize += 2 * sizeof (struct sockaddr_in6); 5713 5714 mutex_enter(&ipss->ipsec_alg_lock); 5715 /* NOTE: The lock is now held through to this function's return. */ 5716 allocsize += ipss->ipsec_nalgs[IPSEC_ALG_AUTH] * 5717 ipss->ipsec_nalgs[IPSEC_ALG_ENCR] * sizeof (sadb_comb_t); 5718 5719 if (tunnel_mode) { 5720 /* Tunnel mode! */ 5721 allocsize += 2 * sizeof (sadb_address_t); 5722 /* Enough to cover both AF_INET and AF_INET6. */ 5723 allocsize += 2 * sizeof (struct sockaddr_in6); 5724 } 5725 5726 msgmp = allocb(allocsize, BPRI_HI); 5727 if (msgmp == NULL) { 5728 freeb(pfkeymp); 5729 mutex_exit(&ipss->ipsec_alg_lock); 5730 return (NULL); 5731 } 5732 5733 pfkeymp->b_cont = msgmp; 5734 cur = msgmp->b_rptr; 5735 end = cur + allocsize; 5736 samsg = (sadb_msg_t *)cur; 5737 cur += sizeof (sadb_msg_t); 5738 5739 af = acqrec->ipsacq_addrfam; 5740 switch (af) { 5741 case AF_INET: 5742 check_proto = IPPROTO_ICMP; 5743 break; 5744 case AF_INET6: 5745 check_proto = IPPROTO_ICMPV6; 5746 break; 5747 default: 5748 /* This should never happen unless we have kernel bugs. */ 5749 cmn_err(CE_WARN, 5750 "sadb_setup_acquire: corrupt ACQUIRE record.\n"); 5751 ASSERT(0); 5752 mutex_exit(&ipss->ipsec_alg_lock); 5753 return (NULL); 5754 } 5755 5756 samsg->sadb_msg_version = PF_KEY_V2; 5757 samsg->sadb_msg_type = SADB_ACQUIRE; 5758 samsg->sadb_msg_satype = satype; 5759 samsg->sadb_msg_errno = 0; 5760 samsg->sadb_msg_pid = 0; 5761 samsg->sadb_msg_reserved = 0; 5762 samsg->sadb_msg_seq = acqrec->ipsacq_seq; 5763 5764 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock)); 5765 5766 if ((acqrec->ipsacq_proto == check_proto) || tunnel_mode) { 5767 sport_typecode = dport_typecode = 0; 5768 } else { 5769 sport_typecode = acqrec->ipsacq_srcport; 5770 dport_typecode = acqrec->ipsacq_dstport; 5771 } 5772 5773 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 5774 acqrec->ipsacq_srcaddr, sport_typecode, acqrec->ipsacq_proto, 0); 5775 5776 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 5777 acqrec->ipsacq_dstaddr, dport_typecode, acqrec->ipsacq_proto, 0); 5778 5779 if (tunnel_mode) { 5780 sport_typecode = acqrec->ipsacq_srcport; 5781 dport_typecode = acqrec->ipsacq_dstport; 5782 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 5783 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innersrc, 5784 sport_typecode, acqrec->ipsacq_inner_proto, 5785 acqrec->ipsacq_innersrcpfx); 5786 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 5787 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innerdst, 5788 dport_typecode, acqrec->ipsacq_inner_proto, 5789 acqrec->ipsacq_innerdstpfx); 5790 } 5791 5792 /* XXX Insert identity information here. */ 5793 5794 /* XXXMLS Insert sensitivity information here. */ 5795 5796 if (cur != NULL) 5797 samsg->sadb_msg_len = SADB_8TO64(cur - msgmp->b_rptr); 5798 else 5799 mutex_exit(&ipss->ipsec_alg_lock); 5800 5801 return (pfkeymp); 5802 } 5803 5804 /* 5805 * Given an SADB_GETSPI message, find an appropriately ranged SA and 5806 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1. 5807 * If there was a memory allocation error, return NULL. (Assume NULL != 5808 * (ipsa_t *)-1). 5809 * 5810 * master_spi is passed in host order. 5811 */ 5812 ipsa_t * 5813 sadb_getspi(keysock_in_t *ksi, uint32_t master_spi, int *diagnostic, 5814 netstack_t *ns, uint_t sa_type) 5815 { 5816 sadb_address_t *src = 5817 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC], 5818 *dst = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 5819 sadb_spirange_t *range = 5820 (sadb_spirange_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE]; 5821 struct sockaddr_in *ssa, *dsa; 5822 struct sockaddr_in6 *ssa6, *dsa6; 5823 uint32_t *srcaddr, *dstaddr; 5824 sa_family_t af; 5825 uint32_t add, min, max; 5826 uint8_t protocol = 5827 (sa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP; 5828 5829 if (src == NULL) { 5830 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 5831 return ((ipsa_t *)-1); 5832 } 5833 if (dst == NULL) { 5834 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 5835 return ((ipsa_t *)-1); 5836 } 5837 if (range == NULL) { 5838 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_RANGE; 5839 return ((ipsa_t *)-1); 5840 } 5841 5842 min = ntohl(range->sadb_spirange_min); 5843 max = ntohl(range->sadb_spirange_max); 5844 dsa = (struct sockaddr_in *)(dst + 1); 5845 dsa6 = (struct sockaddr_in6 *)dsa; 5846 5847 ssa = (struct sockaddr_in *)(src + 1); 5848 ssa6 = (struct sockaddr_in6 *)ssa; 5849 ASSERT(dsa->sin_family == ssa->sin_family); 5850 5851 srcaddr = ALL_ZEROES_PTR; 5852 af = dsa->sin_family; 5853 switch (af) { 5854 case AF_INET: 5855 if (src != NULL) 5856 srcaddr = (uint32_t *)(&ssa->sin_addr); 5857 dstaddr = (uint32_t *)(&dsa->sin_addr); 5858 break; 5859 case AF_INET6: 5860 if (src != NULL) 5861 srcaddr = (uint32_t *)(&ssa6->sin6_addr); 5862 dstaddr = (uint32_t *)(&dsa6->sin6_addr); 5863 break; 5864 default: 5865 *diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 5866 return ((ipsa_t *)-1); 5867 } 5868 5869 if (master_spi < min || master_spi > max) { 5870 /* Return a random value in the range. */ 5871 if (cl_inet_getspi) { 5872 cl_inet_getspi(protocol, (uint8_t *)&add, sizeof (add)); 5873 } else { 5874 (void) random_get_pseudo_bytes((uint8_t *)&add, 5875 sizeof (add)); 5876 } 5877 master_spi = min + (add % (max - min + 1)); 5878 } 5879 5880 /* 5881 * Since master_spi is passed in host order, we need to htonl() it 5882 * for the purposes of creating a new SA. 5883 */ 5884 return (sadb_makelarvalassoc(htonl(master_spi), srcaddr, dstaddr, af, 5885 ns)); 5886 } 5887 5888 /* 5889 * 5890 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the 5891 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list 5892 * and scan for the sequence number in question. I may wish to accept an 5893 * address pair with it, for easier searching. 5894 * 5895 * Caller frees the message, so we don't have to here. 5896 * 5897 * NOTE: The ip_q parameter may be used in the future for ACQUIRE 5898 * failures. 5899 */ 5900 /* ARGSUSED */ 5901 void 5902 sadb_in_acquire(sadb_msg_t *samsg, sadbp_t *sp, queue_t *ip_q, netstack_t *ns) 5903 { 5904 int i; 5905 ipsacq_t *acqrec; 5906 iacqf_t *bucket; 5907 5908 /* 5909 * I only accept the base header for this! 5910 * Though to be honest, requiring the dst address would help 5911 * immensely. 5912 * 5913 * XXX There are already cases where I can get the dst address. 5914 */ 5915 if (samsg->sadb_msg_len > SADB_8TO64(sizeof (*samsg))) 5916 return; 5917 5918 /* 5919 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it, 5920 * (and in the future send a message to IP with the appropriate error 5921 * number). 5922 * 5923 * Q: Do I want to reject if pid != 0? 5924 */ 5925 5926 for (i = 0; i < sp->s_v4.sdb_hashsize; i++) { 5927 bucket = &sp->s_v4.sdb_acq[i]; 5928 mutex_enter(&bucket->iacqf_lock); 5929 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 5930 acqrec = acqrec->ipsacq_next) { 5931 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 5932 break; /* for acqrec... loop. */ 5933 } 5934 if (acqrec != NULL) 5935 break; /* for i = 0... loop. */ 5936 5937 mutex_exit(&bucket->iacqf_lock); 5938 } 5939 5940 if (acqrec == NULL) { 5941 for (i = 0; i < sp->s_v6.sdb_hashsize; i++) { 5942 bucket = &sp->s_v6.sdb_acq[i]; 5943 mutex_enter(&bucket->iacqf_lock); 5944 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 5945 acqrec = acqrec->ipsacq_next) { 5946 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 5947 break; /* for acqrec... loop. */ 5948 } 5949 if (acqrec != NULL) 5950 break; /* for i = 0... loop. */ 5951 5952 mutex_exit(&bucket->iacqf_lock); 5953 } 5954 } 5955 5956 5957 if (acqrec == NULL) 5958 return; 5959 5960 /* 5961 * What do I do with the errno and IP? I may need mp's services a 5962 * little more. See sadb_destroy_acquire() for future directions 5963 * beyond free the mblk chain on the acquire record. 5964 */ 5965 5966 ASSERT(&bucket->iacqf_lock == acqrec->ipsacq_linklock); 5967 sadb_destroy_acquire(acqrec, ns); 5968 /* Have to exit mutex here, because of breaking out of for loop. */ 5969 mutex_exit(&bucket->iacqf_lock); 5970 } 5971 5972 /* 5973 * The following functions work with the replay windows of an SA. They assume 5974 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector 5975 * represents the highest sequence number packet received, and back 5976 * (ipsa->ipsa_replay_wsize) packets. 5977 */ 5978 5979 /* 5980 * Is the replay bit set? 5981 */ 5982 static boolean_t 5983 ipsa_is_replay_set(ipsa_t *ipsa, uint32_t offset) 5984 { 5985 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 5986 5987 return ((bit & ipsa->ipsa_replay_arr[offset >> 6]) ? B_TRUE : B_FALSE); 5988 } 5989 5990 /* 5991 * Shift the bits of the replay window over. 5992 */ 5993 static void 5994 ipsa_shift_replay(ipsa_t *ipsa, uint32_t shift) 5995 { 5996 int i; 5997 int jump = ((shift - 1) >> 6) + 1; 5998 5999 if (shift == 0) 6000 return; 6001 6002 for (i = (ipsa->ipsa_replay_wsize - 1) >> 6; i >= 0; i--) { 6003 if (i + jump <= (ipsa->ipsa_replay_wsize - 1) >> 6) { 6004 ipsa->ipsa_replay_arr[i + jump] |= 6005 ipsa->ipsa_replay_arr[i] >> (64 - (shift & 63)); 6006 } 6007 ipsa->ipsa_replay_arr[i] <<= shift; 6008 } 6009 } 6010 6011 /* 6012 * Set a bit in the bit vector. 6013 */ 6014 static void 6015 ipsa_set_replay(ipsa_t *ipsa, uint32_t offset) 6016 { 6017 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 6018 6019 ipsa->ipsa_replay_arr[offset >> 6] |= bit; 6020 } 6021 6022 #define SADB_MAX_REPLAY_VALUE 0xffffffff 6023 6024 /* 6025 * Assume caller has NOT done ntohl() already on seq. Check to see 6026 * if replay sequence number "seq" has been seen already. 6027 */ 6028 boolean_t 6029 sadb_replay_check(ipsa_t *ipsa, uint32_t seq) 6030 { 6031 boolean_t rc; 6032 uint32_t diff; 6033 6034 if (ipsa->ipsa_replay_wsize == 0) 6035 return (B_TRUE); 6036 6037 /* 6038 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek(). 6039 */ 6040 6041 /* Convert sequence number into host order before holding the mutex. */ 6042 seq = ntohl(seq); 6043 6044 mutex_enter(&ipsa->ipsa_lock); 6045 6046 /* Initialize inbound SA's ipsa_replay field to last one received. */ 6047 if (ipsa->ipsa_replay == 0) 6048 ipsa->ipsa_replay = 1; 6049 6050 if (seq > ipsa->ipsa_replay) { 6051 /* 6052 * I have received a new "highest value received". Shift 6053 * the replay window over. 6054 */ 6055 diff = seq - ipsa->ipsa_replay; 6056 if (diff < ipsa->ipsa_replay_wsize) { 6057 /* In replay window, shift bits over. */ 6058 ipsa_shift_replay(ipsa, diff); 6059 } else { 6060 /* WAY FAR AHEAD, clear bits and start again. */ 6061 bzero(ipsa->ipsa_replay_arr, 6062 sizeof (ipsa->ipsa_replay_arr)); 6063 } 6064 ipsa_set_replay(ipsa, 0); 6065 ipsa->ipsa_replay = seq; 6066 rc = B_TRUE; 6067 goto done; 6068 } 6069 diff = ipsa->ipsa_replay - seq; 6070 if (diff >= ipsa->ipsa_replay_wsize || ipsa_is_replay_set(ipsa, diff)) { 6071 rc = B_FALSE; 6072 goto done; 6073 } 6074 /* Set this packet as seen. */ 6075 ipsa_set_replay(ipsa, diff); 6076 6077 rc = B_TRUE; 6078 done: 6079 mutex_exit(&ipsa->ipsa_lock); 6080 return (rc); 6081 } 6082 6083 /* 6084 * "Peek" and see if we should even bother going through the effort of 6085 * running an authentication check on the sequence number passed in. 6086 * this takes into account packets that are below the replay window, 6087 * and collisions with already replayed packets. Return B_TRUE if it 6088 * is okay to proceed, B_FALSE if this packet should be dropped immediately. 6089 * Assume same byte-ordering as sadb_replay_check. 6090 */ 6091 boolean_t 6092 sadb_replay_peek(ipsa_t *ipsa, uint32_t seq) 6093 { 6094 boolean_t rc = B_FALSE; 6095 uint32_t diff; 6096 6097 if (ipsa->ipsa_replay_wsize == 0) 6098 return (B_TRUE); 6099 6100 /* 6101 * 0 is 0, regardless of byte order... :) 6102 * 6103 * If I get 0 on the wire (and there is a replay window) then the 6104 * sender most likely wrapped. This ipsa may need to be marked or 6105 * something. 6106 */ 6107 if (seq == 0) 6108 return (B_FALSE); 6109 6110 seq = ntohl(seq); 6111 mutex_enter(&ipsa->ipsa_lock); 6112 if (seq < ipsa->ipsa_replay - ipsa->ipsa_replay_wsize && 6113 ipsa->ipsa_replay >= ipsa->ipsa_replay_wsize) 6114 goto done; 6115 6116 /* 6117 * If I've hit 0xffffffff, then quite honestly, I don't need to 6118 * bother with formalities. I'm not accepting any more packets 6119 * on this SA. 6120 */ 6121 if (ipsa->ipsa_replay == SADB_MAX_REPLAY_VALUE) { 6122 /* 6123 * Since we're already holding the lock, update the 6124 * expire time ala. sadb_replay_delete() and return. 6125 */ 6126 ipsa->ipsa_hardexpiretime = (time_t)1; 6127 goto done; 6128 } 6129 6130 if (seq <= ipsa->ipsa_replay) { 6131 /* 6132 * This seq is in the replay window. I'm not below it, 6133 * because I already checked for that above! 6134 */ 6135 diff = ipsa->ipsa_replay - seq; 6136 if (ipsa_is_replay_set(ipsa, diff)) 6137 goto done; 6138 } 6139 /* Else return B_TRUE, I'm going to advance the window. */ 6140 6141 rc = B_TRUE; 6142 done: 6143 mutex_exit(&ipsa->ipsa_lock); 6144 return (rc); 6145 } 6146 6147 /* 6148 * Delete a single SA. 6149 * 6150 * For now, use the quick-and-dirty trick of making the association's 6151 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager(). 6152 */ 6153 void 6154 sadb_replay_delete(ipsa_t *assoc) 6155 { 6156 mutex_enter(&assoc->ipsa_lock); 6157 assoc->ipsa_hardexpiretime = (time_t)1; 6158 mutex_exit(&assoc->ipsa_lock); 6159 } 6160 6161 /* 6162 * Given a queue that presumably points to IP, send a T_BIND_REQ for _proto_ 6163 * down. The caller will handle the T_BIND_ACK locally. 6164 */ 6165 boolean_t 6166 sadb_t_bind_req(queue_t *q, int proto) 6167 { 6168 struct T_bind_req *tbr; 6169 mblk_t *mp; 6170 6171 mp = allocb(sizeof (struct T_bind_req) + 1, BPRI_HI); 6172 if (mp == NULL) { 6173 /* cmn_err(CE_WARN, */ 6174 /* "sadb_t_bind_req(%d): couldn't allocate mblk\n", proto); */ 6175 return (B_FALSE); 6176 } 6177 mp->b_datap->db_type = M_PCPROTO; 6178 tbr = (struct T_bind_req *)mp->b_rptr; 6179 mp->b_wptr += sizeof (struct T_bind_req); 6180 tbr->PRIM_type = T_BIND_REQ; 6181 tbr->ADDR_length = 0; 6182 tbr->ADDR_offset = 0; 6183 tbr->CONIND_number = 0; 6184 *mp->b_wptr = (uint8_t)proto; 6185 mp->b_wptr++; 6186 6187 putnext(q, mp); 6188 return (B_TRUE); 6189 } 6190 6191 /* 6192 * Special front-end to ipsec_rl_strlog() dealing with SA failure. 6193 * this is designed to take only a format string with "* %x * %s *", so 6194 * that "spi" is printed first, then "addr" is converted using inet_pton(). 6195 * 6196 * This is abstracted out to save the stack space for only when inet_pton() 6197 * is called. Make sure "spi" is in network order; it usually is when this 6198 * would get called. 6199 */ 6200 void 6201 ipsec_assocfailure(short mid, short sid, char level, ushort_t sl, char *fmt, 6202 uint32_t spi, void *addr, int af, netstack_t *ns) 6203 { 6204 char buf[INET6_ADDRSTRLEN]; 6205 6206 ASSERT(af == AF_INET6 || af == AF_INET); 6207 6208 ipsec_rl_strlog(ns, mid, sid, level, sl, fmt, ntohl(spi), 6209 inet_ntop(af, addr, buf, sizeof (buf))); 6210 } 6211 6212 /* 6213 * Fills in a reference to the policy, if any, from the conn, in *ppp 6214 * Releases a reference to the passed conn_t. 6215 */ 6216 static void 6217 ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp) 6218 { 6219 ipsec_policy_t *pp; 6220 ipsec_latch_t *ipl = connp->conn_latch; 6221 6222 if ((ipl != NULL) && (ipl->ipl_out_policy != NULL)) { 6223 pp = ipl->ipl_out_policy; 6224 IPPOL_REFHOLD(pp); 6225 } else { 6226 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel, 6227 connp->conn_netstack); 6228 } 6229 *ppp = pp; 6230 CONN_DEC_REF(connp); 6231 } 6232 6233 /* 6234 * The following functions scan through active conn_t structures 6235 * and return a reference to the best-matching policy it can find. 6236 * Caller must release the reference. 6237 */ 6238 static void 6239 ipsec_udp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) 6240 { 6241 connf_t *connfp; 6242 conn_t *connp = NULL; 6243 ipsec_selector_t portonly; 6244 6245 bzero((void *)&portonly, sizeof (portonly)); 6246 6247 if (sel->ips_local_port == 0) 6248 return; 6249 6250 connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(sel->ips_local_port, 6251 ipst)]; 6252 mutex_enter(&connfp->connf_lock); 6253 6254 if (sel->ips_isv4) { 6255 connp = connfp->connf_head; 6256 while (connp != NULL) { 6257 if (IPCL_UDP_MATCH(connp, sel->ips_local_port, 6258 sel->ips_local_addr_v4, sel->ips_remote_port, 6259 sel->ips_remote_addr_v4)) 6260 break; 6261 connp = connp->conn_next; 6262 } 6263 6264 if (connp == NULL) { 6265 /* Try port-only match in IPv6. */ 6266 portonly.ips_local_port = sel->ips_local_port; 6267 sel = &portonly; 6268 } 6269 } 6270 6271 if (connp == NULL) { 6272 connp = connfp->connf_head; 6273 while (connp != NULL) { 6274 if (IPCL_UDP_MATCH_V6(connp, sel->ips_local_port, 6275 sel->ips_local_addr_v6, sel->ips_remote_port, 6276 sel->ips_remote_addr_v6)) 6277 break; 6278 connp = connp->conn_next; 6279 } 6280 6281 if (connp == NULL) { 6282 mutex_exit(&connfp->connf_lock); 6283 return; 6284 } 6285 } 6286 6287 CONN_INC_REF(connp); 6288 mutex_exit(&connfp->connf_lock); 6289 6290 ipsec_conn_pol(sel, connp, ppp); 6291 } 6292 6293 static conn_t * 6294 ipsec_find_listen_conn(uint16_t *pptr, ipsec_selector_t *sel, ip_stack_t *ipst) 6295 { 6296 connf_t *connfp; 6297 conn_t *connp = NULL; 6298 const in6_addr_t *v6addrmatch = &sel->ips_local_addr_v6; 6299 6300 if (sel->ips_local_port == 0) 6301 return (NULL); 6302 6303 connfp = &ipst->ips_ipcl_bind_fanout[ 6304 IPCL_BIND_HASH(sel->ips_local_port, ipst)]; 6305 mutex_enter(&connfp->connf_lock); 6306 6307 if (sel->ips_isv4) { 6308 connp = connfp->connf_head; 6309 while (connp != NULL) { 6310 if (IPCL_BIND_MATCH(connp, IPPROTO_TCP, 6311 sel->ips_local_addr_v4, pptr[1])) 6312 break; 6313 connp = connp->conn_next; 6314 } 6315 6316 if (connp == NULL) { 6317 /* Match to all-zeroes. */ 6318 v6addrmatch = &ipv6_all_zeros; 6319 } 6320 } 6321 6322 if (connp == NULL) { 6323 connp = connfp->connf_head; 6324 while (connp != NULL) { 6325 if (IPCL_BIND_MATCH_V6(connp, IPPROTO_TCP, 6326 *v6addrmatch, pptr[1])) 6327 break; 6328 connp = connp->conn_next; 6329 } 6330 6331 if (connp == NULL) { 6332 mutex_exit(&connfp->connf_lock); 6333 return (NULL); 6334 } 6335 } 6336 6337 CONN_INC_REF(connp); 6338 mutex_exit(&connfp->connf_lock); 6339 return (connp); 6340 } 6341 6342 static void 6343 ipsec_tcp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) 6344 { 6345 connf_t *connfp; 6346 conn_t *connp; 6347 uint32_t ports; 6348 uint16_t *pptr = (uint16_t *)&ports; 6349 6350 /* 6351 * Find TCP state in the following order: 6352 * 1.) Connected conns. 6353 * 2.) Listeners. 6354 * 6355 * Even though #2 will be the common case for inbound traffic, only 6356 * following this order insures correctness. 6357 */ 6358 6359 if (sel->ips_local_port == 0) 6360 return; 6361 6362 /* 6363 * 0 should be fport, 1 should be lport. SRC is the local one here. 6364 * See ipsec_construct_inverse_acquire() for details. 6365 */ 6366 pptr[0] = sel->ips_remote_port; 6367 pptr[1] = sel->ips_local_port; 6368 6369 connfp = &ipst->ips_ipcl_conn_fanout[ 6370 IPCL_CONN_HASH(sel->ips_remote_addr_v4, ports, ipst)]; 6371 mutex_enter(&connfp->connf_lock); 6372 connp = connfp->connf_head; 6373 6374 if (sel->ips_isv4) { 6375 while (connp != NULL) { 6376 if (IPCL_CONN_MATCH(connp, IPPROTO_TCP, 6377 sel->ips_remote_addr_v4, sel->ips_local_addr_v4, 6378 ports)) 6379 break; 6380 connp = connp->conn_next; 6381 } 6382 } else { 6383 while (connp != NULL) { 6384 if (IPCL_CONN_MATCH_V6(connp, IPPROTO_TCP, 6385 sel->ips_remote_addr_v6, sel->ips_local_addr_v6, 6386 ports)) 6387 break; 6388 connp = connp->conn_next; 6389 } 6390 } 6391 6392 if (connp != NULL) { 6393 CONN_INC_REF(connp); 6394 mutex_exit(&connfp->connf_lock); 6395 } else { 6396 mutex_exit(&connfp->connf_lock); 6397 6398 /* Try the listen hash. */ 6399 if ((connp = ipsec_find_listen_conn(pptr, sel, ipst)) == NULL) 6400 return; 6401 } 6402 6403 ipsec_conn_pol(sel, connp, ppp); 6404 } 6405 6406 static void 6407 ipsec_sctp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6408 ip_stack_t *ipst) 6409 { 6410 conn_t *connp; 6411 uint32_t ports; 6412 uint16_t *pptr = (uint16_t *)&ports; 6413 6414 /* 6415 * Find SCP state in the following order: 6416 * 1.) Connected conns. 6417 * 2.) Listeners. 6418 * 6419 * Even though #2 will be the common case for inbound traffic, only 6420 * following this order insures correctness. 6421 */ 6422 6423 if (sel->ips_local_port == 0) 6424 return; 6425 6426 /* 6427 * 0 should be fport, 1 should be lport. SRC is the local one here. 6428 * See ipsec_construct_inverse_acquire() for details. 6429 */ 6430 pptr[0] = sel->ips_remote_port; 6431 pptr[1] = sel->ips_local_port; 6432 6433 if (sel->ips_isv4) { 6434 in6_addr_t src, dst; 6435 6436 IN6_IPADDR_TO_V4MAPPED(sel->ips_remote_addr_v4, &dst); 6437 IN6_IPADDR_TO_V4MAPPED(sel->ips_local_addr_v4, &src); 6438 connp = sctp_find_conn(&dst, &src, ports, ALL_ZONES, 6439 ipst->ips_netstack->netstack_sctp); 6440 } else { 6441 connp = sctp_find_conn(&sel->ips_remote_addr_v6, 6442 &sel->ips_local_addr_v6, ports, ALL_ZONES, 6443 ipst->ips_netstack->netstack_sctp); 6444 } 6445 if (connp == NULL) 6446 return; 6447 ipsec_conn_pol(sel, connp, ppp); 6448 } 6449 6450 /* 6451 * Fill in a query for the SPD (in "sel") using two PF_KEY address extensions. 6452 * Returns 0 or errno, and always sets *diagnostic to something appropriate 6453 * to PF_KEY. 6454 * 6455 * NOTE: For right now, this function (and ipsec_selector_t for that matter), 6456 * ignore prefix lengths in the address extension. Since we match on first- 6457 * entered policies, this shouldn't matter. Also, since we normalize prefix- 6458 * set addresses to mask out the lower bits, we should get a suitable search 6459 * key for the SPD anyway. This is the function to change if the assumption 6460 * about suitable search keys is wrong. 6461 */ 6462 static int 6463 ipsec_get_inverse_acquire_sel(ipsec_selector_t *sel, sadb_address_t *srcext, 6464 sadb_address_t *dstext, int *diagnostic) 6465 { 6466 struct sockaddr_in *src, *dst; 6467 struct sockaddr_in6 *src6, *dst6; 6468 6469 *diagnostic = 0; 6470 6471 bzero(sel, sizeof (*sel)); 6472 sel->ips_protocol = srcext->sadb_address_proto; 6473 dst = (struct sockaddr_in *)(dstext + 1); 6474 if (dst->sin_family == AF_INET6) { 6475 dst6 = (struct sockaddr_in6 *)dst; 6476 src6 = (struct sockaddr_in6 *)(srcext + 1); 6477 if (src6->sin6_family != AF_INET6) { 6478 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6479 return (EINVAL); 6480 } 6481 sel->ips_remote_addr_v6 = dst6->sin6_addr; 6482 sel->ips_local_addr_v6 = src6->sin6_addr; 6483 if (sel->ips_protocol == IPPROTO_ICMPV6) { 6484 sel->ips_is_icmp_inv_acq = 1; 6485 } else { 6486 sel->ips_remote_port = dst6->sin6_port; 6487 sel->ips_local_port = src6->sin6_port; 6488 } 6489 sel->ips_isv4 = B_FALSE; 6490 } else { 6491 src = (struct sockaddr_in *)(srcext + 1); 6492 if (src->sin_family != AF_INET) { 6493 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6494 return (EINVAL); 6495 } 6496 sel->ips_remote_addr_v4 = dst->sin_addr.s_addr; 6497 sel->ips_local_addr_v4 = src->sin_addr.s_addr; 6498 if (sel->ips_protocol == IPPROTO_ICMP) { 6499 sel->ips_is_icmp_inv_acq = 1; 6500 } else { 6501 sel->ips_remote_port = dst->sin_port; 6502 sel->ips_local_port = src->sin_port; 6503 } 6504 sel->ips_isv4 = B_TRUE; 6505 } 6506 return (0); 6507 } 6508 6509 /* 6510 * We have encapsulation. 6511 * - Lookup tun_t by address and look for an associated 6512 * tunnel policy 6513 * - If there are inner selectors 6514 * - check ITPF_P_TUNNEL and ITPF_P_ACTIVE 6515 * - Look up tunnel policy based on selectors 6516 * - Else 6517 * - Sanity check the negotation 6518 * - If appropriate, fall through to global policy 6519 */ 6520 static int 6521 ipsec_tun_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6522 sadb_address_t *innsrcext, sadb_address_t *inndstext, ipsec_tun_pol_t *itp, 6523 int *diagnostic, netstack_t *ns) 6524 { 6525 int err; 6526 ipsec_policy_head_t *polhead; 6527 6528 /* Check for inner selectors and act appropriately */ 6529 6530 if (innsrcext != NULL) { 6531 /* Inner selectors present */ 6532 ASSERT(inndstext != NULL); 6533 if ((itp == NULL) || 6534 (itp->itp_flags & (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) != 6535 (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) { 6536 /* 6537 * If inner packet selectors, we must have negotiate 6538 * tunnel and active policy. If the tunnel has 6539 * transport-mode policy set on it, or has no policy, 6540 * fail. 6541 */ 6542 return (ENOENT); 6543 } else { 6544 /* 6545 * Reset "sel" to indicate inner selectors. Pass 6546 * inner PF_KEY address extensions for this to happen. 6547 */ 6548 err = ipsec_get_inverse_acquire_sel(sel, 6549 innsrcext, inndstext, diagnostic); 6550 if (err != 0) { 6551 ITP_REFRELE(itp, ns); 6552 return (err); 6553 } 6554 /* 6555 * Now look for a tunnel policy based on those inner 6556 * selectors. (Common code is below.) 6557 */ 6558 } 6559 } else { 6560 /* No inner selectors present */ 6561 if ((itp == NULL) || !(itp->itp_flags & ITPF_P_ACTIVE)) { 6562 /* 6563 * Transport mode negotiation with no tunnel policy 6564 * configured - return to indicate a global policy 6565 * check is needed. 6566 */ 6567 if (itp != NULL) { 6568 ITP_REFRELE(itp, ns); 6569 } 6570 return (0); 6571 } else if (itp->itp_flags & ITPF_P_TUNNEL) { 6572 /* Tunnel mode set with no inner selectors. */ 6573 ITP_REFRELE(itp, ns); 6574 return (ENOENT); 6575 } 6576 /* 6577 * Else, this is a tunnel policy configured with ifconfig(1m) 6578 * or "negotiate transport" with ipsecconf(1m). We have an 6579 * itp with policy set based on any match, so don't bother 6580 * changing fields in "sel". 6581 */ 6582 } 6583 6584 ASSERT(itp != NULL); 6585 polhead = itp->itp_policy; 6586 ASSERT(polhead != NULL); 6587 rw_enter(&polhead->iph_lock, RW_READER); 6588 *ppp = ipsec_find_policy_head(NULL, polhead, 6589 IPSEC_TYPE_INBOUND, sel, ns); 6590 rw_exit(&polhead->iph_lock); 6591 ITP_REFRELE(itp, ns); 6592 6593 /* 6594 * Don't default to global if we didn't find a matching policy entry. 6595 * Instead, send ENOENT, just like if we hit a transport-mode tunnel. 6596 */ 6597 if (*ppp == NULL) 6598 return (ENOENT); 6599 6600 return (0); 6601 } 6602 6603 static void 6604 ipsec_oth_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6605 ip_stack_t *ipst) 6606 { 6607 boolean_t isv4 = sel->ips_isv4; 6608 connf_t *connfp; 6609 conn_t *connp; 6610 6611 if (isv4) { 6612 connfp = &ipst->ips_ipcl_proto_fanout[sel->ips_protocol]; 6613 } else { 6614 connfp = &ipst->ips_ipcl_proto_fanout_v6[sel->ips_protocol]; 6615 } 6616 6617 mutex_enter(&connfp->connf_lock); 6618 for (connp = connfp->connf_head; connp != NULL; 6619 connp = connp->conn_next) { 6620 if (!((isv4 && !((connp->conn_src == 0 || 6621 connp->conn_src == sel->ips_local_addr_v4) && 6622 (connp->conn_rem == 0 || 6623 connp->conn_rem == sel->ips_remote_addr_v4))) || 6624 (!isv4 && !((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_srcv6) || 6625 IN6_ARE_ADDR_EQUAL(&connp->conn_srcv6, 6626 &sel->ips_local_addr_v6)) && 6627 (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_remv6) || 6628 IN6_ARE_ADDR_EQUAL(&connp->conn_remv6, 6629 &sel->ips_remote_addr_v6)))))) { 6630 break; 6631 } 6632 } 6633 if (connp == NULL) { 6634 mutex_exit(&connfp->connf_lock); 6635 return; 6636 } 6637 6638 CONN_INC_REF(connp); 6639 mutex_exit(&connfp->connf_lock); 6640 6641 ipsec_conn_pol(sel, connp, ppp); 6642 } 6643 6644 /* 6645 * Construct an inverse ACQUIRE reply based on: 6646 * 6647 * 1.) Current global policy. 6648 * 2.) An conn_t match depending on what all was passed in the extv[]. 6649 * 3.) A tunnel's policy head. 6650 * ... 6651 * N.) Other stuff TBD (e.g. identities) 6652 * 6653 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic 6654 * in this function so the caller can extract them where appropriately. 6655 * 6656 * The SRC address is the local one - just like an outbound ACQUIRE message. 6657 */ 6658 mblk_t * 6659 ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[], 6660 netstack_t *ns) 6661 { 6662 int err; 6663 int diagnostic; 6664 sadb_address_t *srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC], 6665 *dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST], 6666 *innsrcext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC], 6667 *inndstext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]; 6668 struct sockaddr_in6 *src, *dst; 6669 struct sockaddr_in6 *isrc, *idst; 6670 ipsec_tun_pol_t *itp = NULL; 6671 ipsec_policy_t *pp = NULL; 6672 ipsec_selector_t sel, isel; 6673 mblk_t *retmp; 6674 ip_stack_t *ipst = ns->netstack_ip; 6675 ipsec_stack_t *ipss = ns->netstack_ipsec; 6676 6677 /* Normalize addresses */ 6678 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)srcext, 0, ns) 6679 == KS_IN_ADDR_UNKNOWN) { 6680 err = EINVAL; 6681 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC; 6682 goto bail; 6683 } 6684 src = (struct sockaddr_in6 *)(srcext + 1); 6685 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)dstext, 0, ns) 6686 == KS_IN_ADDR_UNKNOWN) { 6687 err = EINVAL; 6688 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST; 6689 goto bail; 6690 } 6691 dst = (struct sockaddr_in6 *)(dstext + 1); 6692 if (src->sin6_family != dst->sin6_family) { 6693 err = EINVAL; 6694 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6695 goto bail; 6696 } 6697 6698 /* Check for tunnel mode and act appropriately */ 6699 if (innsrcext != NULL) { 6700 if (inndstext == NULL) { 6701 err = EINVAL; 6702 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_DST; 6703 goto bail; 6704 } 6705 if (sadb_addrcheck(NULL, (mblk_t *)samsg, 6706 (sadb_ext_t *)innsrcext, 0, ns) == KS_IN_ADDR_UNKNOWN) { 6707 err = EINVAL; 6708 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC; 6709 goto bail; 6710 } 6711 isrc = (struct sockaddr_in6 *)(innsrcext + 1); 6712 if (sadb_addrcheck(NULL, (mblk_t *)samsg, 6713 (sadb_ext_t *)inndstext, 0, ns) == KS_IN_ADDR_UNKNOWN) { 6714 err = EINVAL; 6715 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST; 6716 goto bail; 6717 } 6718 idst = (struct sockaddr_in6 *)(inndstext + 1); 6719 if (isrc->sin6_family != idst->sin6_family) { 6720 err = EINVAL; 6721 diagnostic = SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 6722 goto bail; 6723 } 6724 if (isrc->sin6_family != AF_INET && 6725 isrc->sin6_family != AF_INET6) { 6726 err = EINVAL; 6727 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF; 6728 goto bail; 6729 } 6730 } else if (inndstext != NULL) { 6731 err = EINVAL; 6732 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC; 6733 goto bail; 6734 } 6735 6736 /* Get selectors first, based on outer addresses */ 6737 err = ipsec_get_inverse_acquire_sel(&sel, srcext, dstext, &diagnostic); 6738 if (err != 0) 6739 goto bail; 6740 6741 /* Check for tunnel mode mismatches. */ 6742 if (innsrcext != NULL && 6743 ((isrc->sin6_family == AF_INET && 6744 sel.ips_protocol != IPPROTO_ENCAP && sel.ips_protocol != 0) || 6745 (isrc->sin6_family == AF_INET6 && 6746 sel.ips_protocol != IPPROTO_IPV6 && sel.ips_protocol != 0))) { 6747 err = EPROTOTYPE; 6748 goto bail; 6749 } 6750 6751 /* 6752 * Okay, we have the addresses and other selector information. 6753 * Let's first find a conn... 6754 */ 6755 pp = NULL; 6756 switch (sel.ips_protocol) { 6757 case IPPROTO_TCP: 6758 ipsec_tcp_pol(&sel, &pp, ipst); 6759 break; 6760 case IPPROTO_UDP: 6761 ipsec_udp_pol(&sel, &pp, ipst); 6762 break; 6763 case IPPROTO_SCTP: 6764 ipsec_sctp_pol(&sel, &pp, ipst); 6765 break; 6766 case IPPROTO_ENCAP: 6767 case IPPROTO_IPV6: 6768 rw_enter(&ipss->ipsec_itp_get_byaddr_rw_lock, RW_READER); 6769 /* 6770 * Assume sel.ips_remote_addr_* has the right address at 6771 * that exact position. 6772 */ 6773 itp = ipss->ipsec_itp_get_byaddr( 6774 (uint32_t *)(&sel.ips_local_addr_v6), 6775 (uint32_t *)(&sel.ips_remote_addr_v6), 6776 src->sin6_family, ns); 6777 rw_exit(&ipss->ipsec_itp_get_byaddr_rw_lock); 6778 if (innsrcext == NULL) { 6779 /* 6780 * Transport-mode tunnel, make sure we fake out isel 6781 * to contain something based on the outer protocol. 6782 */ 6783 bzero(&isel, sizeof (isel)); 6784 isel.ips_isv4 = (sel.ips_protocol == IPPROTO_ENCAP); 6785 } /* Else isel is initialized by ipsec_tun_pol(). */ 6786 err = ipsec_tun_pol(&isel, &pp, innsrcext, inndstext, itp, 6787 &diagnostic, ns); 6788 /* 6789 * NOTE: isel isn't used for now, but in RFC 430x IPsec, it 6790 * may be. 6791 */ 6792 if (err != 0) 6793 goto bail; 6794 break; 6795 default: 6796 ipsec_oth_pol(&sel, &pp, ipst); 6797 break; 6798 } 6799 6800 /* 6801 * If we didn't find a matching conn_t or other policy head, take a 6802 * look in the global policy. 6803 */ 6804 if (pp == NULL) { 6805 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, NULL, &sel, 6806 ns); 6807 if (pp == NULL) { 6808 /* There's no global policy. */ 6809 err = ENOENT; 6810 diagnostic = 0; 6811 goto bail; 6812 } 6813 } 6814 6815 /* 6816 * Now that we have a policy entry/widget, construct an ACQUIRE 6817 * message based on that, fix fields where appropriate, 6818 * and return the message. 6819 */ 6820 retmp = sadb_extended_acquire(&sel, pp, NULL, 6821 (itp != NULL && (itp->itp_flags & ITPF_P_TUNNEL)), 6822 samsg->sadb_msg_seq, samsg->sadb_msg_pid, ns); 6823 if (pp != NULL) { 6824 IPPOL_REFRELE(pp, ns); 6825 } 6826 if (retmp != NULL) { 6827 return (retmp); 6828 } else { 6829 err = ENOMEM; 6830 diagnostic = 0; 6831 } 6832 bail: 6833 samsg->sadb_msg_errno = (uint8_t)err; 6834 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 6835 return (NULL); 6836 } 6837 6838 /* 6839 * ipsa_lpkt is a one-element queue, only manipulated by casptr within 6840 * the next two functions. 6841 * 6842 * These functions loop calling casptr() until the swap "happens", 6843 * turning a compare-and-swap op into an atomic swap operation. 6844 */ 6845 6846 /* 6847 * sadb_set_lpkt: Atomically swap in a value to ipsa->ipsa_lpkt and 6848 * freemsg the previous value. free clue: freemsg(NULL) is safe. 6849 */ 6850 6851 void 6852 sadb_set_lpkt(ipsa_t *ipsa, mblk_t *npkt, netstack_t *ns) 6853 { 6854 mblk_t *opkt; 6855 ipsec_stack_t *ipss = ns->netstack_ipsec; 6856 6857 ASSERT(ipsa->ipsa_state == IPSA_STATE_LARVAL); 6858 6859 membar_producer(); 6860 do { 6861 opkt = ipsa->ipsa_lpkt; 6862 } while (casptr(&ipsa->ipsa_lpkt, opkt, npkt) != opkt); 6863 6864 ip_drop_packet(opkt, B_TRUE, NULL, NULL, 6865 DROPPER(ipss, ipds_sadb_inlarval_replace), 6866 &ipss->ipsec_sadb_dropper); 6867 } 6868 6869 /* 6870 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the 6871 * previous value. 6872 */ 6873 6874 mblk_t * 6875 sadb_clear_lpkt(ipsa_t *ipsa) 6876 { 6877 mblk_t *opkt; 6878 6879 do { 6880 opkt = ipsa->ipsa_lpkt; 6881 } while (casptr(&ipsa->ipsa_lpkt, opkt, NULL) != opkt); 6882 6883 return (opkt); 6884 } 6885 6886 void 6887 sadb_buf_pkt(ipsa_t *ipsa, mblk_t *bpkt, netstack_t *ns) 6888 { 6889 ipsec_stack_t *ipss = ns->netstack_ipsec; 6890 6891 ASSERT(ipsa->ipsa_state == IPSA_STATE_IDLE); 6892 mutex_enter(&ipsa->ipsa_lock); 6893 ipsa->ipsa_mblkcnt++; 6894 if (ipsa->ipsa_bpkt_head == NULL) { 6895 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_tail = bpkt; 6896 } else { 6897 ipsa->ipsa_bpkt_tail->b_next = bpkt; 6898 ipsa->ipsa_bpkt_tail = bpkt; 6899 if (ipsa->ipsa_mblkcnt > SADB_MAX_IDLEPKTS) { 6900 mblk_t *tmp; 6901 tmp = ipsa->ipsa_bpkt_head; 6902 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_head->b_next; 6903 ip_drop_packet(tmp, B_TRUE, NULL, NULL, 6904 DROPPER(ipss, ipds_sadb_inidle_overflow), 6905 &ipss->ipsec_sadb_dropper); 6906 ipsa->ipsa_mblkcnt --; 6907 } 6908 } 6909 mutex_exit(&ipsa->ipsa_lock); 6910 6911 } 6912 6913 /* 6914 * Stub function that taskq_dispatch() invokes to take the mblk (in arg) 6915 * and put into STREAMS again. 6916 */ 6917 void 6918 sadb_clear_buf_pkt(void *ipkt) 6919 { 6920 mblk_t *tmp, *buf_pkt; 6921 6922 buf_pkt = (mblk_t *)ipkt; 6923 6924 while (buf_pkt != NULL) { 6925 tmp = buf_pkt->b_next; 6926 buf_pkt->b_next = NULL; 6927 ip_fanout_proto_again(buf_pkt, NULL, NULL, NULL); 6928 buf_pkt = tmp; 6929 } 6930 } 6931 /* 6932 * Walker callback used by sadb_alg_update() to free/create crypto 6933 * context template when a crypto software provider is removed or 6934 * added. 6935 */ 6936 6937 struct sadb_update_alg_state { 6938 ipsec_algtype_t alg_type; 6939 uint8_t alg_id; 6940 boolean_t is_added; 6941 }; 6942 6943 static void 6944 sadb_alg_update_cb(isaf_t *head, ipsa_t *entry, void *cookie) 6945 { 6946 struct sadb_update_alg_state *update_state = 6947 (struct sadb_update_alg_state *)cookie; 6948 crypto_ctx_template_t *ctx_tmpl = NULL; 6949 6950 ASSERT(MUTEX_HELD(&head->isaf_lock)); 6951 6952 if (entry->ipsa_state == IPSA_STATE_LARVAL) 6953 return; 6954 6955 mutex_enter(&entry->ipsa_lock); 6956 6957 switch (update_state->alg_type) { 6958 case IPSEC_ALG_AUTH: 6959 if (entry->ipsa_auth_alg == update_state->alg_id) 6960 ctx_tmpl = &entry->ipsa_authtmpl; 6961 break; 6962 case IPSEC_ALG_ENCR: 6963 if (entry->ipsa_encr_alg == update_state->alg_id) 6964 ctx_tmpl = &entry->ipsa_encrtmpl; 6965 break; 6966 default: 6967 ctx_tmpl = NULL; 6968 } 6969 6970 if (ctx_tmpl == NULL) { 6971 mutex_exit(&entry->ipsa_lock); 6972 return; 6973 } 6974 6975 /* 6976 * The context template of the SA may be affected by the change 6977 * of crypto provider. 6978 */ 6979 if (update_state->is_added) { 6980 /* create the context template if not already done */ 6981 if (*ctx_tmpl == NULL) { 6982 (void) ipsec_create_ctx_tmpl(entry, 6983 update_state->alg_type); 6984 } 6985 } else { 6986 /* 6987 * The crypto provider was removed. If the context template 6988 * exists but it is no longer valid, free it. 6989 */ 6990 if (*ctx_tmpl != NULL) 6991 ipsec_destroy_ctx_tmpl(entry, update_state->alg_type); 6992 } 6993 6994 mutex_exit(&entry->ipsa_lock); 6995 } 6996 6997 /* 6998 * Invoked by IP when an software crypto provider has been updated. 6999 * The type and id of the corresponding algorithm is passed as argument. 7000 * is_added is B_TRUE if the provider was added, B_FALSE if it was 7001 * removed. The function updates the SADB and free/creates the 7002 * context templates associated with SAs if needed. 7003 */ 7004 7005 #define SADB_ALG_UPDATE_WALK(sadb, table) \ 7006 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \ 7007 &update_state) 7008 7009 void 7010 sadb_alg_update(ipsec_algtype_t alg_type, uint8_t alg_id, boolean_t is_added, 7011 netstack_t *ns) 7012 { 7013 struct sadb_update_alg_state update_state; 7014 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 7015 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 7016 7017 update_state.alg_type = alg_type; 7018 update_state.alg_id = alg_id; 7019 update_state.is_added = is_added; 7020 7021 if (alg_type == IPSEC_ALG_AUTH) { 7022 /* walk the AH tables only for auth. algorithm changes */ 7023 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_of); 7024 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_if); 7025 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_of); 7026 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_if); 7027 } 7028 7029 /* walk the ESP tables */ 7030 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_of); 7031 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_if); 7032 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_of); 7033 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_if); 7034 } 7035 7036 /* 7037 * Creates a context template for the specified SA. This function 7038 * is called when an SA is created and when a context template needs 7039 * to be created due to a change of software provider. 7040 */ 7041 int 7042 ipsec_create_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 7043 { 7044 ipsec_alginfo_t *alg; 7045 crypto_mechanism_t mech; 7046 crypto_key_t *key; 7047 crypto_ctx_template_t *sa_tmpl; 7048 int rv; 7049 ipsec_stack_t *ipss = sa->ipsa_netstack->netstack_ipsec; 7050 7051 ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock)); 7052 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 7053 7054 /* get pointers to the algorithm info, context template, and key */ 7055 switch (alg_type) { 7056 case IPSEC_ALG_AUTH: 7057 key = &sa->ipsa_kcfauthkey; 7058 sa_tmpl = &sa->ipsa_authtmpl; 7059 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_auth_alg]; 7060 break; 7061 case IPSEC_ALG_ENCR: 7062 key = &sa->ipsa_kcfencrkey; 7063 sa_tmpl = &sa->ipsa_encrtmpl; 7064 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_encr_alg]; 7065 break; 7066 default: 7067 alg = NULL; 7068 } 7069 7070 if (alg == NULL || !ALG_VALID(alg)) 7071 return (EINVAL); 7072 7073 /* initialize the mech info structure for the framework */ 7074 ASSERT(alg->alg_mech_type != CRYPTO_MECHANISM_INVALID); 7075 mech.cm_type = alg->alg_mech_type; 7076 mech.cm_param = NULL; 7077 mech.cm_param_len = 0; 7078 7079 /* create a new context template */ 7080 rv = crypto_create_ctx_template(&mech, key, sa_tmpl, KM_NOSLEEP); 7081 7082 /* 7083 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware 7084 * providers are available for that mechanism. In that case 7085 * we don't fail, and will generate the context template from 7086 * the framework callback when a software provider for that 7087 * mechanism registers. 7088 * 7089 * The context template is assigned the special value 7090 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a 7091 * lack of memory. No attempt will be made to use 7092 * the context template if it is set to this value. 7093 */ 7094 if (rv == CRYPTO_HOST_MEMORY) { 7095 *sa_tmpl = IPSEC_CTX_TMPL_ALLOC; 7096 } else if (rv != CRYPTO_SUCCESS) { 7097 *sa_tmpl = NULL; 7098 if (rv != CRYPTO_MECH_NOT_SUPPORTED) 7099 return (EINVAL); 7100 } 7101 7102 return (0); 7103 } 7104 7105 /* 7106 * Destroy the context template of the specified algorithm type 7107 * of the specified SA. Must be called while holding the SA lock. 7108 */ 7109 void 7110 ipsec_destroy_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 7111 { 7112 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 7113 7114 if (alg_type == IPSEC_ALG_AUTH) { 7115 if (sa->ipsa_authtmpl == IPSEC_CTX_TMPL_ALLOC) 7116 sa->ipsa_authtmpl = NULL; 7117 else if (sa->ipsa_authtmpl != NULL) { 7118 crypto_destroy_ctx_template(sa->ipsa_authtmpl); 7119 sa->ipsa_authtmpl = NULL; 7120 } 7121 } else { 7122 ASSERT(alg_type == IPSEC_ALG_ENCR); 7123 if (sa->ipsa_encrtmpl == IPSEC_CTX_TMPL_ALLOC) 7124 sa->ipsa_encrtmpl = NULL; 7125 else if (sa->ipsa_encrtmpl != NULL) { 7126 crypto_destroy_ctx_template(sa->ipsa_encrtmpl); 7127 sa->ipsa_encrtmpl = NULL; 7128 } 7129 } 7130 } 7131 7132 /* 7133 * Use the kernel crypto framework to check the validity of a key received 7134 * via keysock. Returns 0 if the key is OK, -1 otherwise. 7135 */ 7136 int 7137 ipsec_check_key(crypto_mech_type_t mech_type, sadb_key_t *sadb_key, 7138 boolean_t is_auth, int *diag) 7139 { 7140 crypto_mechanism_t mech; 7141 crypto_key_t crypto_key; 7142 int crypto_rc; 7143 7144 mech.cm_type = mech_type; 7145 mech.cm_param = NULL; 7146 mech.cm_param_len = 0; 7147 7148 crypto_key.ck_format = CRYPTO_KEY_RAW; 7149 crypto_key.ck_data = sadb_key + 1; 7150 crypto_key.ck_length = sadb_key->sadb_key_bits; 7151 7152 crypto_rc = crypto_key_check(&mech, &crypto_key); 7153 7154 switch (crypto_rc) { 7155 case CRYPTO_SUCCESS: 7156 return (0); 7157 case CRYPTO_MECHANISM_INVALID: 7158 case CRYPTO_MECH_NOT_SUPPORTED: 7159 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AALG : 7160 SADB_X_DIAGNOSTIC_BAD_EALG; 7161 break; 7162 case CRYPTO_KEY_SIZE_RANGE: 7163 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AKEYBITS : 7164 SADB_X_DIAGNOSTIC_BAD_EKEYBITS; 7165 break; 7166 case CRYPTO_WEAK_KEY: 7167 *diag = is_auth ? SADB_X_DIAGNOSTIC_WEAK_AKEY : 7168 SADB_X_DIAGNOSTIC_WEAK_EKEY; 7169 break; 7170 } 7171 7172 return (-1); 7173 } 7174 /* 7175 * If this is an outgoing SA then add some fuzz to the 7176 * SOFT EXPIRE time. The reason for this is to stop 7177 * peers trying to renegotiate SOFT expiring SA's at 7178 * the same time. The amount of fuzz needs to be at 7179 * least 10 seconds which is the typical interval 7180 * sadb_ager(), although this is only a guide as it 7181 * selftunes. 7182 */ 7183 void 7184 lifetime_fuzz(ipsa_t *assoc) 7185 { 7186 uint8_t rnd; 7187 7188 if (assoc->ipsa_softaddlt == 0) 7189 return; 7190 7191 (void) random_get_pseudo_bytes(&rnd, sizeof (rnd)); 7192 rnd = (rnd & 0xF) + 10; 7193 assoc->ipsa_softexpiretime -= rnd; 7194 assoc->ipsa_softaddlt -= rnd; 7195 } 7196 void 7197 destroy_ipsa_pair(ipsap_t *ipsapp) 7198 { 7199 if (ipsapp == NULL) 7200 return; 7201 7202 /* 7203 * Because of the multi-line macro nature of IPSA_REFRELE, keep 7204 * them in { }. 7205 */ 7206 if (ipsapp->ipsap_sa_ptr != NULL) { 7207 IPSA_REFRELE(ipsapp->ipsap_sa_ptr); 7208 } 7209 if (ipsapp->ipsap_psa_ptr != NULL) { 7210 IPSA_REFRELE(ipsapp->ipsap_psa_ptr); 7211 } 7212 7213 kmem_free(ipsapp, sizeof (*ipsapp)); 7214 } 7215 7216 /* 7217 * The sadb_ager() function walks through the hash tables of SA's and ages 7218 * them, if the SA expires as a result, its marked as DEAD and will be reaped 7219 * the next time sadb_ager() runs. SA's which are paired or have a peer (same 7220 * SA appears in both the inbound and outbound tables because its not possible 7221 * to determine its direction) are placed on a list when they expire. This is 7222 * to ensure that pair/peer SA's are reaped at the same time, even if they 7223 * expire at different times. 7224 * 7225 * This function is called twice by sadb_ager(), one after processing the 7226 * inbound table, then again after processing the outbound table. 7227 */ 7228 void 7229 age_pair_peer_list(templist_t *haspeerlist, sadb_t *sp, boolean_t outbound) 7230 { 7231 templist_t *listptr; 7232 int outhash; 7233 isaf_t *bucket; 7234 boolean_t haspeer; 7235 ipsa_t *peer_assoc, *dying; 7236 /* 7237 * Haspeer cases will contain both IPv4 and IPv6. This code 7238 * is address independent. 7239 */ 7240 while (haspeerlist != NULL) { 7241 /* "dying" contains the SA that has a peer. */ 7242 dying = haspeerlist->ipsa; 7243 haspeer = (dying->ipsa_haspeer); 7244 listptr = haspeerlist; 7245 haspeerlist = listptr->next; 7246 kmem_free(listptr, sizeof (*listptr)); 7247 /* 7248 * Pick peer bucket based on addrfam. 7249 */ 7250 if (outbound) { 7251 if (haspeer) 7252 bucket = INBOUND_BUCKET(sp, dying->ipsa_spi); 7253 else 7254 bucket = INBOUND_BUCKET(sp, 7255 dying->ipsa_otherspi); 7256 } else { /* inbound */ 7257 if (haspeer) { 7258 if (dying->ipsa_addrfam == AF_INET6) { 7259 outhash = OUTBOUND_HASH_V6(sp, 7260 *((in6_addr_t *)&dying-> 7261 ipsa_dstaddr)); 7262 } else { 7263 outhash = OUTBOUND_HASH_V4(sp, 7264 *((ipaddr_t *)&dying-> 7265 ipsa_dstaddr)); 7266 } 7267 } else if (dying->ipsa_addrfam == AF_INET6) { 7268 outhash = OUTBOUND_HASH_V6(sp, 7269 *((in6_addr_t *)&dying-> 7270 ipsa_srcaddr)); 7271 } else { 7272 outhash = OUTBOUND_HASH_V4(sp, 7273 *((ipaddr_t *)&dying-> 7274 ipsa_srcaddr)); 7275 } 7276 bucket = &(sp->sdb_of[outhash]); 7277 } 7278 7279 mutex_enter(&bucket->isaf_lock); 7280 /* 7281 * "haspeer" SA's have the same src/dst address ordering, 7282 * "paired" SA's have the src/dst addresses reversed. 7283 */ 7284 if (haspeer) { 7285 peer_assoc = ipsec_getassocbyspi(bucket, 7286 dying->ipsa_spi, dying->ipsa_srcaddr, 7287 dying->ipsa_dstaddr, dying->ipsa_addrfam); 7288 } else { 7289 peer_assoc = ipsec_getassocbyspi(bucket, 7290 dying->ipsa_otherspi, dying->ipsa_dstaddr, 7291 dying->ipsa_srcaddr, dying->ipsa_addrfam); 7292 } 7293 7294 mutex_exit(&bucket->isaf_lock); 7295 if (peer_assoc != NULL) { 7296 mutex_enter(&peer_assoc->ipsa_lock); 7297 mutex_enter(&dying->ipsa_lock); 7298 if (!haspeer) { 7299 /* 7300 * Only SA's which have a "peer" or are 7301 * "paired" end up on this list, so this 7302 * must be a "paired" SA, update the flags 7303 * to break the pair. 7304 */ 7305 peer_assoc->ipsa_otherspi = 0; 7306 peer_assoc->ipsa_flags &= ~IPSA_F_PAIRED; 7307 dying->ipsa_otherspi = 0; 7308 dying->ipsa_flags &= ~IPSA_F_PAIRED; 7309 } 7310 if (haspeer || outbound) { 7311 /* 7312 * Update the state of the "inbound" SA when 7313 * the "outbound" SA has expired. Don't update 7314 * the "outbound" SA when the "inbound" SA 7315 * SA expires because setting the hard_addtime 7316 * below will cause this to happen. 7317 */ 7318 peer_assoc->ipsa_state = dying->ipsa_state; 7319 } 7320 if (dying->ipsa_state == IPSA_STATE_DEAD) 7321 peer_assoc->ipsa_hardexpiretime = 1; 7322 7323 mutex_exit(&dying->ipsa_lock); 7324 mutex_exit(&peer_assoc->ipsa_lock); 7325 IPSA_REFRELE(peer_assoc); 7326 } 7327 IPSA_REFRELE(dying); 7328 } 7329 } 7330