1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/param.h> 29 #include <sys/types.h> 30 #include <sys/stream.h> 31 #include <sys/strsubr.h> 32 #include <sys/strsun.h> 33 #include <sys/stropts.h> 34 #include <sys/zone.h> 35 #include <sys/vnode.h> 36 #include <sys/sysmacros.h> 37 #define _SUN_TPI_VERSION 2 38 #include <sys/tihdr.h> 39 #include <sys/ddi.h> 40 #include <sys/sunddi.h> 41 #include <sys/mkdev.h> 42 #include <sys/debug.h> 43 #include <sys/kmem.h> 44 #include <sys/cmn_err.h> 45 #include <sys/suntpi.h> 46 #include <sys/policy.h> 47 48 #include <sys/socket.h> 49 #include <netinet/in.h> 50 #include <net/pfkeyv2.h> 51 #include <net/pfpolicy.h> 52 53 #include <inet/common.h> 54 #include <netinet/ip6.h> 55 #include <inet/ip.h> 56 #include <inet/ip6.h> 57 #include <inet/mi.h> 58 #include <inet/nd.h> 59 #include <inet/ip_if.h> 60 #include <inet/tun.h> 61 #include <inet/optcom.h> 62 #include <inet/ipsec_info.h> 63 #include <inet/ipsec_impl.h> 64 #include <inet/spdsock.h> 65 #include <inet/sadb.h> 66 67 #include <sys/isa_defs.h> 68 69 #include <c2/audit.h> 70 71 /* 72 * This is a transport provider for the PF_POLICY IPsec policy 73 * management socket, which provides a management interface into the 74 * SPD, allowing policy rules to be added, deleted, and queried. 75 * 76 * This effectively replaces the old private SIOC*IPSECONFIG ioctls 77 * with an extensible interface which will hopefully be public some 78 * day. 79 * 80 * See <net/pfpolicy.h> for more details on the protocol. 81 * 82 * We link against drv/ip and call directly into it to manipulate the 83 * SPD; see ipsec_impl.h for the policy data structures and spd.c for 84 * the code which maintains them. 85 * 86 * The MT model of this is QPAIR with the addition of some explicit 87 * locking to protect system-wide policy data structures. 88 */ 89 90 static vmem_t *spdsock_vmem; /* for minor numbers. */ 91 92 #define ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t)) 93 94 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */ 95 static struct T_info_ack spdsock_g_t_info_ack = { 96 T_INFO_ACK, 97 T_INFINITE, /* TSDU_size. Maximum size messages. */ 98 T_INVALID, /* ETSDU_size. No expedited data. */ 99 T_INVALID, /* CDATA_size. No connect data. */ 100 T_INVALID, /* DDATA_size. No disconnect data. */ 101 0, /* ADDR_size. */ 102 0, /* OPT_size. No user-settable options */ 103 64 * 1024, /* TIDU_size. spdsock allows maximum size messages. */ 104 T_COTS, /* SERV_type. spdsock supports connection oriented. */ 105 TS_UNBND, /* CURRENT_state. This is set from spdsock_state. */ 106 (XPG4_1) /* Provider flags */ 107 }; 108 109 /* Named Dispatch Parameter Management Structure */ 110 typedef struct spdsockparam_s { 111 uint_t spdsock_param_min; 112 uint_t spdsock_param_max; 113 uint_t spdsock_param_value; 114 char *spdsock_param_name; 115 } spdsockparam_t; 116 117 /* 118 * Table of NDD variables supported by spdsock. These are loaded into 119 * spdsock_g_nd in spdsock_init_nd. 120 * All of these are alterable, within the min/max values given, at run time. 121 */ 122 static spdsockparam_t lcl_param_arr[] = { 123 /* min max value name */ 124 { 4096, 65536, 8192, "spdsock_xmit_hiwat"}, 125 { 0, 65536, 1024, "spdsock_xmit_lowat"}, 126 { 4096, 65536, 8192, "spdsock_recv_hiwat"}, 127 { 65536, 1024*1024*1024, 256*1024, "spdsock_max_buf"}, 128 { 0, 3, 0, "spdsock_debug"}, 129 }; 130 #define spds_xmit_hiwat spds_params[0].spdsock_param_value 131 #define spds_xmit_lowat spds_params[1].spdsock_param_value 132 #define spds_recv_hiwat spds_params[2].spdsock_param_value 133 #define spds_max_buf spds_params[3].spdsock_param_value 134 #define spds_debug spds_params[4].spdsock_param_value 135 136 #define ss0dbg(a) printf a 137 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */ 138 #define ss1dbg(spds, a) if (spds->spds_debug != 0) printf a 139 #define ss2dbg(spds, a) if (spds->spds_debug > 1) printf a 140 #define ss3dbg(spds, a) if (spds->spds_debug > 2) printf a 141 142 static int spdsock_close(queue_t *); 143 static int spdsock_open(queue_t *, dev_t *, int, int, cred_t *); 144 static void spdsock_wput(queue_t *, mblk_t *); 145 static void spdsock_wsrv(queue_t *); 146 static void spdsock_rsrv(queue_t *); 147 static void *spdsock_stack_init(netstackid_t stackid, netstack_t *ns); 148 static void spdsock_stack_fini(netstackid_t stackid, void *arg); 149 static void spdsock_loadcheck(void *); 150 static void spdsock_merge_algs(spd_stack_t *); 151 static void spdsock_flush_one(ipsec_policy_head_t *, netstack_t *); 152 static mblk_t *spdsock_dump_next_record(spdsock_t *); 153 154 static struct module_info info = { 155 5138, "spdsock", 1, INFPSZ, 512, 128 156 }; 157 158 static struct qinit rinit = { 159 NULL, (pfi_t)spdsock_rsrv, spdsock_open, spdsock_close, 160 NULL, &info 161 }; 162 163 static struct qinit winit = { 164 (pfi_t)spdsock_wput, (pfi_t)spdsock_wsrv, NULL, NULL, NULL, &info 165 }; 166 167 struct streamtab spdsockinfo = { 168 &rinit, &winit 169 }; 170 171 /* mapping from alg type to protocol number, as per RFC 2407 */ 172 static const uint_t algproto[] = { 173 PROTO_IPSEC_AH, 174 PROTO_IPSEC_ESP, 175 }; 176 177 #define NALGPROTOS (sizeof (algproto) / sizeof (algproto[0])) 178 179 /* mapping from kernel exec mode to spdsock exec mode */ 180 static const uint_t execmodes[] = { 181 SPD_ALG_EXEC_MODE_SYNC, 182 SPD_ALG_EXEC_MODE_ASYNC 183 }; 184 185 #define NEXECMODES (sizeof (execmodes) / sizeof (execmodes[0])) 186 187 #define ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1) 188 #define ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2) 189 190 #define ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL) 191 192 /* ARGSUSED */ 193 static int 194 spdsock_param_get(q, mp, cp, cr) 195 queue_t *q; 196 mblk_t *mp; 197 caddr_t cp; 198 cred_t *cr; 199 { 200 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp; 201 uint_t value; 202 spdsock_t *ss = (spdsock_t *)q->q_ptr; 203 spd_stack_t *spds = ss->spdsock_spds; 204 205 mutex_enter(&spds->spds_param_lock); 206 value = spdsockpa->spdsock_param_value; 207 mutex_exit(&spds->spds_param_lock); 208 209 (void) mi_mpprintf(mp, "%u", value); 210 return (0); 211 } 212 213 /* This routine sets an NDD variable in a spdsockparam_t structure. */ 214 /* ARGSUSED */ 215 static int 216 spdsock_param_set(q, mp, value, cp, cr) 217 queue_t *q; 218 mblk_t *mp; 219 char *value; 220 caddr_t cp; 221 cred_t *cr; 222 { 223 ulong_t new_value; 224 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp; 225 spdsock_t *ss = (spdsock_t *)q->q_ptr; 226 spd_stack_t *spds = ss->spdsock_spds; 227 228 /* Convert the value from a string into a long integer. */ 229 if (ddi_strtoul(value, NULL, 10, &new_value) != 0) 230 return (EINVAL); 231 232 mutex_enter(&spds->spds_param_lock); 233 /* 234 * Fail the request if the new value does not lie within the 235 * required bounds. 236 */ 237 if (new_value < spdsockpa->spdsock_param_min || 238 new_value > spdsockpa->spdsock_param_max) { 239 mutex_exit(&spds->spds_param_lock); 240 return (EINVAL); 241 } 242 243 /* Set the new value */ 244 spdsockpa->spdsock_param_value = new_value; 245 mutex_exit(&spds->spds_param_lock); 246 247 return (0); 248 } 249 250 /* 251 * Initialize at module load time 252 */ 253 boolean_t 254 spdsock_ddi_init(void) 255 { 256 spdsock_max_optsize = optcom_max_optsize( 257 spdsock_opt_obj.odb_opt_des_arr, spdsock_opt_obj.odb_opt_arr_cnt); 258 259 spdsock_vmem = vmem_create("spdsock", (void *)1, MAXMIN, 1, 260 NULL, NULL, NULL, 1, VM_SLEEP | VMC_IDENTIFIER); 261 262 /* 263 * We want to be informed each time a stack is created or 264 * destroyed in the kernel, so we can maintain the 265 * set of spd_stack_t's. 266 */ 267 netstack_register(NS_SPDSOCK, spdsock_stack_init, NULL, 268 spdsock_stack_fini); 269 270 return (B_TRUE); 271 } 272 273 /* 274 * Walk through the param array specified registering each element with the 275 * named dispatch handler. 276 */ 277 static boolean_t 278 spdsock_param_register(IDP *ndp, spdsockparam_t *ssp, int cnt) 279 { 280 for (; cnt-- > 0; ssp++) { 281 if (ssp->spdsock_param_name != NULL && 282 ssp->spdsock_param_name[0]) { 283 if (!nd_load(ndp, 284 ssp->spdsock_param_name, 285 spdsock_param_get, spdsock_param_set, 286 (caddr_t)ssp)) { 287 nd_free(ndp); 288 return (B_FALSE); 289 } 290 } 291 } 292 return (B_TRUE); 293 } 294 295 /* 296 * Initialize for each stack instance 297 */ 298 /* ARGSUSED */ 299 static void * 300 spdsock_stack_init(netstackid_t stackid, netstack_t *ns) 301 { 302 spd_stack_t *spds; 303 spdsockparam_t *ssp; 304 305 spds = (spd_stack_t *)kmem_zalloc(sizeof (*spds), KM_SLEEP); 306 spds->spds_netstack = ns; 307 308 ASSERT(spds->spds_g_nd == NULL); 309 310 ssp = (spdsockparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP); 311 spds->spds_params = ssp; 312 bcopy(lcl_param_arr, ssp, sizeof (lcl_param_arr)); 313 314 (void) spdsock_param_register(&spds->spds_g_nd, ssp, 315 A_CNT(lcl_param_arr)); 316 317 mutex_init(&spds->spds_param_lock, NULL, MUTEX_DEFAULT, NULL); 318 mutex_init(&spds->spds_alg_lock, NULL, MUTEX_DEFAULT, NULL); 319 320 return (spds); 321 } 322 323 void 324 spdsock_ddi_destroy(void) 325 { 326 vmem_destroy(spdsock_vmem); 327 328 netstack_unregister(NS_SPDSOCK); 329 } 330 331 /* ARGSUSED */ 332 static void 333 spdsock_stack_fini(netstackid_t stackid, void *arg) 334 { 335 spd_stack_t *spds = (spd_stack_t *)arg; 336 337 mutex_destroy(&spds->spds_param_lock); 338 mutex_destroy(&spds->spds_alg_lock); 339 nd_free(&spds->spds_g_nd); 340 kmem_free(spds->spds_params, sizeof (lcl_param_arr)); 341 spds->spds_params = NULL; 342 343 kmem_free(spds, sizeof (*spds)); 344 } 345 346 /* 347 * NOTE: large quantities of this should be shared with keysock. 348 * Would be nice to combine some of this into a common module, but 349 * not possible given time pressures. 350 */ 351 352 /* 353 * High-level reality checking of extensions. 354 */ 355 /* ARGSUSED */ /* XXX */ 356 static boolean_t 357 ext_check(spd_ext_t *ext) 358 { 359 spd_if_t *tunname = (spd_if_t *)ext; 360 int i; 361 char *idstr; 362 363 if (ext->spd_ext_type == SPD_EXT_TUN_NAME) { 364 /* (NOTE: Modified from SADB_EXT_IDENTITY..) */ 365 366 /* 367 * Make sure the strings in these identities are 368 * null-terminated. Let's "proactively" null-terminate the 369 * string at the last byte if it's not terminated sooner. 370 */ 371 i = SPD_64TO8(tunname->spd_if_len) - sizeof (spd_if_t); 372 idstr = (char *)(tunname + 1); 373 while (*idstr != '\0' && i > 0) { 374 i--; 375 idstr++; 376 } 377 if (i == 0) { 378 /* 379 * I.e., if the bozo user didn't NULL-terminate the 380 * string... 381 */ 382 idstr--; 383 *idstr = '\0'; 384 } 385 } 386 return (B_TRUE); /* For now... */ 387 } 388 389 390 391 /* Return values for spdsock_get_ext(). */ 392 #define KGE_OK 0 393 #define KGE_DUP 1 394 #define KGE_UNK 2 395 #define KGE_LEN 3 396 #define KGE_CHK 4 397 398 /* 399 * Parse basic extension headers and return in the passed-in pointer vector. 400 * Return values include: 401 * 402 * KGE_OK Everything's nice and parsed out. 403 * If there are no extensions, place NULL in extv[0]. 404 * KGE_DUP There is a duplicate extension. 405 * First instance in appropriate bin. First duplicate in 406 * extv[0]. 407 * KGE_UNK Unknown extension type encountered. extv[0] contains 408 * unknown header. 409 * KGE_LEN Extension length error. 410 * KGE_CHK High-level reality check failed on specific extension. 411 * 412 * My apologies for some of the pointer arithmetic in here. I'm thinking 413 * like an assembly programmer, yet trying to make the compiler happy. 414 */ 415 static int 416 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize) 417 { 418 bzero(extv, sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1)); 419 420 /* Use extv[0] as the "current working pointer". */ 421 422 extv[0] = (spd_ext_t *)(basehdr + 1); 423 424 while (extv[0] < (spd_ext_t *)(((uint8_t *)basehdr) + msgsize)) { 425 /* Check for unknown headers. */ 426 if (extv[0]->spd_ext_type == 0 || 427 extv[0]->spd_ext_type > SPD_EXT_MAX) 428 return (KGE_UNK); 429 430 /* 431 * Check length. Use uint64_t because extlen is in units 432 * of 64-bit words. If length goes beyond the msgsize, 433 * return an error. (Zero length also qualifies here.) 434 */ 435 if (extv[0]->spd_ext_len == 0 || 436 (void *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) > 437 (void *)((uint8_t *)basehdr + msgsize)) 438 return (KGE_LEN); 439 440 /* Check for redundant headers. */ 441 if (extv[extv[0]->spd_ext_type] != NULL) 442 return (KGE_DUP); 443 444 /* 445 * Reality check the extension if possible at the spdsock 446 * level. 447 */ 448 if (!ext_check(extv[0])) 449 return (KGE_CHK); 450 451 /* If I make it here, assign the appropriate bin. */ 452 extv[extv[0]->spd_ext_type] = extv[0]; 453 454 /* Advance pointer (See above for uint64_t ptr reasoning.) */ 455 extv[0] = (spd_ext_t *) 456 ((uint64_t *)extv[0] + extv[0]->spd_ext_len); 457 } 458 459 /* Everything's cool. */ 460 461 /* 462 * If extv[0] == NULL, then there are no extension headers in this 463 * message. Ensure that this is the case. 464 */ 465 if (extv[0] == (spd_ext_t *)(basehdr + 1)) 466 extv[0] = NULL; 467 468 return (KGE_OK); 469 } 470 471 static const int bad_ext_diag[] = { 472 SPD_DIAGNOSTIC_MALFORMED_LCLPORT, 473 SPD_DIAGNOSTIC_MALFORMED_REMPORT, 474 SPD_DIAGNOSTIC_MALFORMED_PROTO, 475 SPD_DIAGNOSTIC_MALFORMED_LCLADDR, 476 SPD_DIAGNOSTIC_MALFORMED_REMADDR, 477 SPD_DIAGNOSTIC_MALFORMED_ACTION, 478 SPD_DIAGNOSTIC_MALFORMED_RULE, 479 SPD_DIAGNOSTIC_MALFORMED_RULESET, 480 SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE 481 }; 482 483 static const int dup_ext_diag[] = { 484 SPD_DIAGNOSTIC_DUPLICATE_LCLPORT, 485 SPD_DIAGNOSTIC_DUPLICATE_REMPORT, 486 SPD_DIAGNOSTIC_DUPLICATE_PROTO, 487 SPD_DIAGNOSTIC_DUPLICATE_LCLADDR, 488 SPD_DIAGNOSTIC_DUPLICATE_REMADDR, 489 SPD_DIAGNOSTIC_DUPLICATE_ACTION, 490 SPD_DIAGNOSTIC_DUPLICATE_RULE, 491 SPD_DIAGNOSTIC_DUPLICATE_RULESET, 492 SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE 493 }; 494 495 /* 496 * Transmit a PF_POLICY error message to the instance either pointed to 497 * by ks, the instance with serial number serial, or more, depending. 498 * 499 * The faulty message (or a reasonable facsimile thereof) is in mp. 500 * This function will free mp or recycle it for delivery, thereby causing 501 * the stream head to free it. 502 */ 503 static void 504 spdsock_error(queue_t *q, mblk_t *mp, int error, int diagnostic) 505 { 506 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 507 508 ASSERT(mp->b_datap->db_type == M_DATA); 509 510 if (spmsg->spd_msg_type < SPD_MIN || 511 spmsg->spd_msg_type > SPD_MAX) 512 spmsg->spd_msg_type = SPD_RESERVED; 513 514 /* 515 * Strip out extension headers. 516 */ 517 ASSERT(mp->b_rptr + sizeof (*spmsg) <= mp->b_datap->db_lim); 518 mp->b_wptr = mp->b_rptr + sizeof (*spmsg); 519 spmsg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t)); 520 spmsg->spd_msg_errno = (uint8_t)error; 521 spmsg->spd_msg_diagnostic = (uint16_t)diagnostic; 522 523 qreply(q, mp); 524 } 525 526 static void 527 spdsock_diag(queue_t *q, mblk_t *mp, int diagnostic) 528 { 529 spdsock_error(q, mp, EINVAL, diagnostic); 530 } 531 532 static void 533 spd_echo(queue_t *q, mblk_t *mp) 534 { 535 qreply(q, mp); 536 } 537 538 /* 539 * Do NOT consume a reference to itp. 540 */ 541 /*ARGSUSED*/ 542 static void 543 spdsock_flush_node(ipsec_tun_pol_t *itp, void *cookie, netstack_t *ns) 544 { 545 boolean_t active = (boolean_t)cookie; 546 ipsec_policy_head_t *iph; 547 548 iph = active ? itp->itp_policy : itp->itp_inactive; 549 IPPH_REFHOLD(iph); 550 mutex_enter(&itp->itp_lock); 551 spdsock_flush_one(iph, ns); 552 if (active) 553 itp->itp_flags &= ~ITPF_PFLAGS; 554 else 555 itp->itp_flags &= ~ITPF_IFLAGS; 556 mutex_exit(&itp->itp_lock); 557 } 558 559 /* 560 * Clear out one polhead. 561 */ 562 static void 563 spdsock_flush_one(ipsec_policy_head_t *iph, netstack_t *ns) 564 { 565 rw_enter(&iph->iph_lock, RW_WRITER); 566 ipsec_polhead_flush(iph, ns); 567 rw_exit(&iph->iph_lock); 568 IPPH_REFRELE(iph, ns); 569 } 570 571 static void 572 spdsock_flush(queue_t *q, ipsec_policy_head_t *iph, ipsec_tun_pol_t *itp, 573 mblk_t *mp) 574 { 575 boolean_t active; 576 spdsock_t *ss = (spdsock_t *)q->q_ptr; 577 spd_stack_t *spds = ss->spdsock_spds; 578 netstack_t *ns = spds->spds_netstack; 579 580 if (iph != ALL_ACTIVE_POLHEADS && iph != ALL_INACTIVE_POLHEADS) { 581 spdsock_flush_one(iph, spds->spds_netstack); 582 if (audit_active) { 583 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 584 585 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 586 audit_pf_policy(SPD_FLUSH, DB_CRED(mp), ns, 587 ITP_NAME(itp), active, 0, DB_CPID(mp)); 588 } 589 } else { 590 active = (iph == ALL_ACTIVE_POLHEADS); 591 592 /* First flush the global policy. */ 593 spdsock_flush_one(active ? ipsec_system_policy(ns) : 594 ipsec_inactive_policy(ns), ns); 595 if (audit_active) { 596 audit_pf_policy(SPD_FLUSH, DB_CRED(mp), ns, NULL, 597 active, 0, DB_CPID(mp)); 598 } 599 /* Then flush every tunnel's appropriate one. */ 600 itp_walk(spdsock_flush_node, (void *)active, 601 spds->spds_netstack); 602 if (audit_active) 603 audit_pf_policy(SPD_FLUSH, DB_CRED(mp), ns, 604 "all tunnels", active, 0, DB_CPID(mp)); 605 } 606 607 spd_echo(q, mp); 608 } 609 610 static boolean_t 611 spdsock_ext_to_sel(spd_ext_t **extv, ipsec_selkey_t *sel, int *diag) 612 { 613 bzero(sel, sizeof (*sel)); 614 615 if (extv[SPD_EXT_PROTO] != NULL) { 616 struct spd_proto *pr = 617 (struct spd_proto *)extv[SPD_EXT_PROTO]; 618 sel->ipsl_proto = pr->spd_proto_number; 619 sel->ipsl_valid |= IPSL_PROTOCOL; 620 } 621 if (extv[SPD_EXT_LCLPORT] != NULL) { 622 struct spd_portrange *pr = 623 (struct spd_portrange *)extv[SPD_EXT_LCLPORT]; 624 sel->ipsl_lport = pr->spd_ports_minport; 625 sel->ipsl_valid |= IPSL_LOCAL_PORT; 626 } 627 if (extv[SPD_EXT_REMPORT] != NULL) { 628 struct spd_portrange *pr = 629 (struct spd_portrange *)extv[SPD_EXT_REMPORT]; 630 sel->ipsl_rport = pr->spd_ports_minport; 631 sel->ipsl_valid |= IPSL_REMOTE_PORT; 632 } 633 634 if (extv[SPD_EXT_ICMP_TYPECODE] != NULL) { 635 struct spd_typecode *tc= 636 (struct spd_typecode *)extv[SPD_EXT_ICMP_TYPECODE]; 637 638 sel->ipsl_valid |= IPSL_ICMP_TYPE; 639 sel->ipsl_icmp_type = tc->spd_typecode_type; 640 if (tc->spd_typecode_type_end < tc->spd_typecode_type) 641 sel->ipsl_icmp_type_end = tc->spd_typecode_type; 642 else 643 sel->ipsl_icmp_type_end = tc->spd_typecode_type_end; 644 645 if (tc->spd_typecode_code != 255) { 646 sel->ipsl_valid |= IPSL_ICMP_CODE; 647 sel->ipsl_icmp_code = tc->spd_typecode_code; 648 if (tc->spd_typecode_code_end < tc->spd_typecode_code) 649 sel->ipsl_icmp_code_end = tc->spd_typecode_code; 650 else 651 sel->ipsl_icmp_code_end = 652 tc->spd_typecode_code_end; 653 } 654 } 655 #define ADDR2SEL(sel, extv, field, pfield, extn, bit) \ 656 if ((extv)[(extn)] != NULL) { \ 657 uint_t addrlen; \ 658 struct spd_address *ap = \ 659 (struct spd_address *)((extv)[(extn)]); \ 660 addrlen = (ap->spd_address_af == AF_INET6) ? \ 661 IPV6_ADDR_LEN : IP_ADDR_LEN; \ 662 if (SPD_64TO8(ap->spd_address_len) < \ 663 (addrlen + sizeof (*ap))) { \ 664 *diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN; \ 665 return (B_FALSE); \ 666 } \ 667 bcopy((ap+1), &((sel)->field), addrlen); \ 668 (sel)->pfield = ap->spd_address_prefixlen; \ 669 (sel)->ipsl_valid |= (bit); \ 670 (sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ? \ 671 IPSL_IPV6 : IPSL_IPV4; \ 672 } 673 674 ADDR2SEL(sel, extv, ipsl_local, ipsl_local_pfxlen, 675 SPD_EXT_LCLADDR, IPSL_LOCAL_ADDR); 676 ADDR2SEL(sel, extv, ipsl_remote, ipsl_remote_pfxlen, 677 SPD_EXT_REMADDR, IPSL_REMOTE_ADDR); 678 679 if ((sel->ipsl_valid & (IPSL_IPV6|IPSL_IPV4)) == 680 (IPSL_IPV6|IPSL_IPV4)) { 681 *diag = SPD_DIAGNOSTIC_MIXED_AF; 682 return (B_FALSE); 683 } 684 685 #undef ADDR2SEL 686 687 return (B_TRUE); 688 } 689 690 static boolean_t 691 spd_convert_type(uint32_t type, ipsec_act_t *act) 692 { 693 switch (type) { 694 case SPD_ACTTYPE_DROP: 695 act->ipa_type = IPSEC_ACT_DISCARD; 696 return (B_TRUE); 697 698 case SPD_ACTTYPE_PASS: 699 act->ipa_type = IPSEC_ACT_CLEAR; 700 return (B_TRUE); 701 702 case SPD_ACTTYPE_IPSEC: 703 act->ipa_type = IPSEC_ACT_APPLY; 704 return (B_TRUE); 705 } 706 return (B_FALSE); 707 } 708 709 static boolean_t 710 spd_convert_flags(uint32_t flags, ipsec_act_t *act) 711 { 712 /* 713 * Note use of !! for boolean canonicalization. 714 */ 715 act->ipa_apply.ipp_use_ah = !!(flags & SPD_APPLY_AH); 716 act->ipa_apply.ipp_use_esp = !!(flags & SPD_APPLY_ESP); 717 act->ipa_apply.ipp_use_espa = !!(flags & SPD_APPLY_ESPA); 718 act->ipa_apply.ipp_use_se = !!(flags & SPD_APPLY_SE); 719 act->ipa_apply.ipp_use_unique = !!(flags & SPD_APPLY_UNIQUE); 720 return (B_TRUE); 721 } 722 723 static void 724 spdsock_reset_act(ipsec_act_t *act) 725 { 726 bzero(act, sizeof (*act)); 727 act->ipa_apply.ipp_espe_maxbits = IPSEC_MAX_KEYBITS; 728 act->ipa_apply.ipp_espa_maxbits = IPSEC_MAX_KEYBITS; 729 act->ipa_apply.ipp_ah_maxbits = IPSEC_MAX_KEYBITS; 730 } 731 732 /* 733 * Sanity check action against reality, and shrink-wrap key sizes.. 734 */ 735 static boolean_t 736 spdsock_check_action(ipsec_act_t *act, boolean_t tunnel_polhead, int *diag, 737 spd_stack_t *spds) 738 { 739 if (tunnel_polhead && act->ipa_apply.ipp_use_unique) { 740 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 741 return (B_FALSE); 742 } 743 if ((act->ipa_type != IPSEC_ACT_APPLY) && 744 (act->ipa_apply.ipp_use_ah || 745 act->ipa_apply.ipp_use_esp || 746 act->ipa_apply.ipp_use_espa || 747 act->ipa_apply.ipp_use_se || 748 act->ipa_apply.ipp_use_unique)) { 749 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 750 return (B_FALSE); 751 } 752 if ((act->ipa_type == IPSEC_ACT_APPLY) && 753 !act->ipa_apply.ipp_use_ah && 754 !act->ipa_apply.ipp_use_esp) { 755 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 756 return (B_FALSE); 757 } 758 return (ipsec_check_action(act, diag, spds->spds_netstack)); 759 } 760 761 /* 762 * We may be short a few error checks here.. 763 */ 764 static boolean_t 765 spdsock_ext_to_actvec(spd_ext_t **extv, ipsec_act_t **actpp, uint_t *nactp, 766 int *diag, spd_stack_t *spds) 767 { 768 struct spd_ext_actions *sactp = 769 (struct spd_ext_actions *)extv[SPD_EXT_ACTION]; 770 ipsec_act_t act, *actp, *endactp; 771 struct spd_attribute *attrp, *endattrp; 772 uint64_t *endp; 773 int nact; 774 boolean_t tunnel_polhead; 775 776 tunnel_polhead = (extv[SPD_EXT_TUN_NAME] != NULL && 777 (((struct spd_rule *)extv[SPD_EXT_RULE])->spd_rule_flags & 778 SPD_RULE_FLAG_TUNNEL)); 779 780 *actpp = NULL; 781 *nactp = 0; 782 783 if (sactp == NULL) { 784 *diag = SPD_DIAGNOSTIC_NO_ACTION_EXT; 785 return (B_FALSE); 786 } 787 788 /* 789 * Parse the "action" extension and convert into an action chain. 790 */ 791 792 nact = sactp->spd_actions_count; 793 794 endp = (uint64_t *)sactp; 795 endp += sactp->spd_actions_len; 796 endattrp = (struct spd_attribute *)endp; 797 798 actp = kmem_alloc(sizeof (*actp) * nact, KM_NOSLEEP); 799 if (actp == NULL) { 800 *diag = SPD_DIAGNOSTIC_ADD_NO_MEM; 801 return (B_FALSE); 802 } 803 *actpp = actp; 804 *nactp = nact; 805 endactp = actp + nact; 806 807 spdsock_reset_act(&act); 808 attrp = (struct spd_attribute *)(&sactp[1]); 809 810 for (; attrp < endattrp; attrp++) { 811 switch (attrp->spd_attr_tag) { 812 case SPD_ATTR_NOP: 813 break; 814 815 case SPD_ATTR_EMPTY: 816 spdsock_reset_act(&act); 817 break; 818 819 case SPD_ATTR_END: 820 attrp = endattrp; 821 /* FALLTHRU */ 822 case SPD_ATTR_NEXT: 823 if (actp >= endactp) { 824 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT; 825 goto fail; 826 } 827 if (!spdsock_check_action(&act, tunnel_polhead, 828 diag, spds)) 829 goto fail; 830 *actp++ = act; 831 spdsock_reset_act(&act); 832 break; 833 834 case SPD_ATTR_TYPE: 835 if (!spd_convert_type(attrp->spd_attr_value, &act)) { 836 *diag = SPD_DIAGNOSTIC_ADD_BAD_TYPE; 837 goto fail; 838 } 839 break; 840 841 case SPD_ATTR_FLAGS: 842 if (!tunnel_polhead && extv[SPD_EXT_TUN_NAME] != NULL) { 843 /* 844 * Set "sa unique" for transport-mode 845 * tunnels whether we want to or not. 846 */ 847 attrp->spd_attr_value |= SPD_APPLY_UNIQUE; 848 } 849 if (!spd_convert_flags(attrp->spd_attr_value, &act)) { 850 *diag = SPD_DIAGNOSTIC_ADD_BAD_FLAGS; 851 goto fail; 852 } 853 break; 854 855 case SPD_ATTR_AH_AUTH: 856 if (attrp->spd_attr_value == 0) { 857 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG; 858 goto fail; 859 } 860 act.ipa_apply.ipp_auth_alg = attrp->spd_attr_value; 861 break; 862 863 case SPD_ATTR_ESP_ENCR: 864 if (attrp->spd_attr_value == 0) { 865 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG; 866 goto fail; 867 } 868 act.ipa_apply.ipp_encr_alg = attrp->spd_attr_value; 869 break; 870 871 case SPD_ATTR_ESP_AUTH: 872 if (attrp->spd_attr_value == 0) { 873 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG; 874 goto fail; 875 } 876 act.ipa_apply.ipp_esp_auth_alg = attrp->spd_attr_value; 877 break; 878 879 case SPD_ATTR_ENCR_MINBITS: 880 act.ipa_apply.ipp_espe_minbits = attrp->spd_attr_value; 881 break; 882 883 case SPD_ATTR_ENCR_MAXBITS: 884 act.ipa_apply.ipp_espe_maxbits = attrp->spd_attr_value; 885 break; 886 887 case SPD_ATTR_AH_MINBITS: 888 act.ipa_apply.ipp_ah_minbits = attrp->spd_attr_value; 889 break; 890 891 case SPD_ATTR_AH_MAXBITS: 892 act.ipa_apply.ipp_ah_maxbits = attrp->spd_attr_value; 893 break; 894 895 case SPD_ATTR_ESPA_MINBITS: 896 act.ipa_apply.ipp_espa_minbits = attrp->spd_attr_value; 897 break; 898 899 case SPD_ATTR_ESPA_MAXBITS: 900 act.ipa_apply.ipp_espa_maxbits = attrp->spd_attr_value; 901 break; 902 903 case SPD_ATTR_LIFE_SOFT_TIME: 904 case SPD_ATTR_LIFE_HARD_TIME: 905 case SPD_ATTR_LIFE_SOFT_BYTES: 906 case SPD_ATTR_LIFE_HARD_BYTES: 907 break; 908 909 case SPD_ATTR_KM_PROTO: 910 act.ipa_apply.ipp_km_proto = attrp->spd_attr_value; 911 break; 912 913 case SPD_ATTR_KM_COOKIE: 914 act.ipa_apply.ipp_km_cookie = attrp->spd_attr_value; 915 break; 916 917 case SPD_ATTR_REPLAY_DEPTH: 918 act.ipa_apply.ipp_replay_depth = attrp->spd_attr_value; 919 break; 920 } 921 } 922 if (actp != endactp) { 923 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT; 924 goto fail; 925 } 926 927 return (B_TRUE); 928 fail: 929 ipsec_actvec_free(*actpp, nact); 930 *actpp = NULL; 931 return (B_FALSE); 932 } 933 934 typedef struct 935 { 936 ipsec_policy_t *pol; 937 int dir; 938 } tmprule_t; 939 940 static int 941 mkrule(ipsec_policy_head_t *iph, struct spd_rule *rule, 942 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t af, 943 tmprule_t **rp, uint64_t *index, spd_stack_t *spds) 944 { 945 ipsec_policy_t *pol; 946 947 sel->ipsl_valid &= ~(IPSL_IPV6|IPSL_IPV4); 948 sel->ipsl_valid |= af; 949 950 pol = ipsec_policy_create(sel, actp, nact, rule->spd_rule_priority, 951 index, spds->spds_netstack); 952 if (pol == NULL) 953 return (ENOMEM); 954 955 (*rp)->pol = pol; 956 (*rp)->dir = dir; 957 (*rp)++; 958 959 if (!ipsec_check_policy(iph, pol, dir)) 960 return (EEXIST); 961 962 rule->spd_rule_index = pol->ipsp_index; 963 return (0); 964 } 965 966 static int 967 mkrulepair(ipsec_policy_head_t *iph, struct spd_rule *rule, 968 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t afs, 969 tmprule_t **rp, uint64_t *index, spd_stack_t *spds) 970 { 971 int error; 972 973 if (afs & IPSL_IPV4) { 974 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV4, rp, 975 index, spds); 976 if (error != 0) 977 return (error); 978 } 979 if (afs & IPSL_IPV6) { 980 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV6, rp, 981 index, spds); 982 if (error != 0) 983 return (error); 984 } 985 return (0); 986 } 987 988 989 static void 990 spdsock_addrule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 991 spd_ext_t **extv, ipsec_tun_pol_t *itp) 992 { 993 ipsec_selkey_t sel; 994 ipsec_act_t *actp; 995 uint_t nact; 996 int diag = 0, error, afs; 997 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE]; 998 tmprule_t rules[4], *rulep = &rules[0]; 999 boolean_t tunnel_mode, empty_itp, active; 1000 uint64_t *index = (itp == NULL) ? NULL : &itp->itp_next_policy_index; 1001 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1002 spd_stack_t *spds = ss->spdsock_spds; 1003 1004 if (rule == NULL) { 1005 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT); 1006 if (audit_active) { 1007 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1008 1009 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1010 audit_pf_policy(SPD_ADDRULE, DB_CRED(mp), 1011 spds->spds_netstack, ITP_NAME(itp), active, 1012 SPD_DIAGNOSTIC_NO_RULE_EXT, DB_CPID(mp)); 1013 } 1014 return; 1015 } 1016 1017 tunnel_mode = (rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL); 1018 1019 if (itp != NULL) { 1020 mutex_enter(&itp->itp_lock); 1021 ASSERT(itp->itp_policy == iph || itp->itp_inactive == iph); 1022 active = (itp->itp_policy == iph); 1023 if (ITP_P_ISACTIVE(itp, iph)) { 1024 /* Check for mix-and-match of tunnel/transport. */ 1025 if ((tunnel_mode && !ITP_P_ISTUNNEL(itp, iph)) || 1026 (!tunnel_mode && ITP_P_ISTUNNEL(itp, iph))) { 1027 mutex_exit(&itp->itp_lock); 1028 spdsock_error(q, mp, EBUSY, 0); 1029 return; 1030 } 1031 empty_itp = B_FALSE; 1032 } else { 1033 empty_itp = B_TRUE; 1034 itp->itp_flags = active ? ITPF_P_ACTIVE : ITPF_I_ACTIVE; 1035 if (tunnel_mode) 1036 itp->itp_flags |= active ? ITPF_P_TUNNEL : 1037 ITPF_I_TUNNEL; 1038 } 1039 } else { 1040 empty_itp = B_FALSE; 1041 } 1042 1043 if (rule->spd_rule_index != 0) { 1044 diag = SPD_DIAGNOSTIC_INVALID_RULE_INDEX; 1045 error = EINVAL; 1046 goto fail2; 1047 } 1048 1049 if (!spdsock_ext_to_sel(extv, &sel, &diag)) { 1050 error = EINVAL; 1051 goto fail2; 1052 } 1053 1054 if (itp != NULL) { 1055 if (tunnel_mode) { 1056 if (sel.ipsl_valid & 1057 (IPSL_REMOTE_PORT | IPSL_LOCAL_PORT)) { 1058 itp->itp_flags |= active ? 1059 ITPF_P_PER_PORT_SECURITY : 1060 ITPF_I_PER_PORT_SECURITY; 1061 } 1062 } else { 1063 /* 1064 * For now, we don't allow transport-mode on a tunnel 1065 * with ANY specific selectors. Bail if we have such 1066 * a request. 1067 */ 1068 if (sel.ipsl_valid & IPSL_WILDCARD) { 1069 diag = SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS; 1070 error = EINVAL; 1071 goto fail2; 1072 } 1073 } 1074 } 1075 1076 if (!spdsock_ext_to_actvec(extv, &actp, &nact, &diag, spds)) { 1077 error = EINVAL; 1078 goto fail2; 1079 } 1080 /* 1081 * If no addresses were specified, add both. 1082 */ 1083 afs = sel.ipsl_valid & (IPSL_IPV6|IPSL_IPV4); 1084 if (afs == 0) 1085 afs = (IPSL_IPV6|IPSL_IPV4); 1086 1087 rw_enter(&iph->iph_lock, RW_WRITER); 1088 1089 if (rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) { 1090 error = mkrulepair(iph, rule, &sel, actp, nact, 1091 IPSEC_TYPE_OUTBOUND, afs, &rulep, index, spds); 1092 if (error != 0) 1093 goto fail; 1094 } 1095 1096 if (rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) { 1097 error = mkrulepair(iph, rule, &sel, actp, nact, 1098 IPSEC_TYPE_INBOUND, afs, &rulep, index, spds); 1099 if (error != 0) 1100 goto fail; 1101 } 1102 1103 while ((--rulep) >= &rules[0]) { 1104 ipsec_enter_policy(iph, rulep->pol, rulep->dir, 1105 spds->spds_netstack); 1106 } 1107 rw_exit(&iph->iph_lock); 1108 if (itp != NULL) 1109 mutex_exit(&itp->itp_lock); 1110 1111 ipsec_actvec_free(actp, nact); 1112 spd_echo(q, mp); 1113 if (audit_active) { 1114 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1115 1116 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1117 audit_pf_policy(SPD_ADDRULE, DB_CRED(mp), spds->spds_netstack, 1118 ITP_NAME(itp), active, 0, DB_CPID(mp)); 1119 } 1120 return; 1121 1122 fail: 1123 rw_exit(&iph->iph_lock); 1124 while ((--rulep) >= &rules[0]) { 1125 IPPOL_REFRELE(rulep->pol, spds->spds_netstack); 1126 } 1127 ipsec_actvec_free(actp, nact); 1128 fail2: 1129 if (itp != NULL) { 1130 if (empty_itp) 1131 itp->itp_flags = 0; 1132 mutex_exit(&itp->itp_lock); 1133 } 1134 spdsock_error(q, mp, error, diag); 1135 if (audit_active) { 1136 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1137 1138 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1139 audit_pf_policy(SPD_ADDRULE, DB_CRED(mp), spds->spds_netstack, 1140 ITP_NAME(itp), active, error, DB_CPID(mp)); 1141 } 1142 } 1143 1144 void 1145 spdsock_deleterule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1146 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1147 { 1148 ipsec_selkey_t sel; 1149 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE]; 1150 int err, diag = 0; 1151 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1152 spd_stack_t *spds = ss->spdsock_spds; 1153 1154 if (rule == NULL) { 1155 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT); 1156 if (audit_active) { 1157 boolean_t active; 1158 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1159 1160 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1161 audit_pf_policy(SPD_DELETERULE, DB_CRED(mp), 1162 spds->spds_netstack, ITP_NAME(itp), active, 1163 SPD_DIAGNOSTIC_NO_RULE_EXT, DB_CPID(mp)); 1164 } 1165 return; 1166 } 1167 1168 /* 1169 * Must enter itp_lock first to avoid deadlock. See tun.c's 1170 * set_sec_simple() for the other case of itp_lock and iph_lock. 1171 */ 1172 if (itp != NULL) 1173 mutex_enter(&itp->itp_lock); 1174 1175 if (rule->spd_rule_index != 0) { 1176 if (ipsec_policy_delete_index(iph, rule->spd_rule_index, 1177 spds->spds_netstack) != 0) { 1178 err = ESRCH; 1179 goto fail; 1180 } 1181 } else { 1182 if (!spdsock_ext_to_sel(extv, &sel, &diag)) { 1183 err = EINVAL; /* diag already set... */ 1184 goto fail; 1185 } 1186 1187 if ((rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) && 1188 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_INBOUND, 1189 spds->spds_netstack)) { 1190 err = ESRCH; 1191 goto fail; 1192 } 1193 1194 if ((rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) && 1195 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_OUTBOUND, 1196 spds->spds_netstack)) { 1197 err = ESRCH; 1198 goto fail; 1199 } 1200 } 1201 1202 if (itp != NULL) { 1203 ASSERT(iph == itp->itp_policy || iph == itp->itp_inactive); 1204 rw_enter(&iph->iph_lock, RW_READER); 1205 if (avl_numnodes(&iph->iph_rulebyid) == 0) { 1206 if (iph == itp->itp_policy) 1207 itp->itp_flags &= ~ITPF_PFLAGS; 1208 else 1209 itp->itp_flags &= ~ITPF_IFLAGS; 1210 } 1211 /* Can exit locks in any order. */ 1212 rw_exit(&iph->iph_lock); 1213 mutex_exit(&itp->itp_lock); 1214 } 1215 spd_echo(q, mp); 1216 if (audit_active) { 1217 boolean_t active; 1218 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1219 1220 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1221 audit_pf_policy(SPD_DELETERULE, DB_CRED(mp), 1222 spds->spds_netstack, ITP_NAME(itp), active, 0, DB_CPID(mp)); 1223 } 1224 return; 1225 fail: 1226 if (itp != NULL) 1227 mutex_exit(&itp->itp_lock); 1228 spdsock_error(q, mp, err, diag); 1229 if (audit_active) { 1230 boolean_t active; 1231 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1232 1233 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1234 audit_pf_policy(SPD_DELETERULE, DB_CRED(mp), 1235 spds->spds_netstack, ITP_NAME(itp), active, err, 1236 DB_CPID(mp)); 1237 } 1238 } 1239 1240 /* Do NOT consume a reference to itp. */ 1241 /* ARGSUSED */ 1242 static void 1243 spdsock_flip_node(ipsec_tun_pol_t *itp, void *ignoreme, netstack_t *ns) 1244 { 1245 mutex_enter(&itp->itp_lock); 1246 ITPF_SWAP(itp->itp_flags); 1247 ipsec_swap_policy(itp->itp_policy, itp->itp_inactive, ns); 1248 mutex_exit(&itp->itp_lock); 1249 } 1250 1251 void 1252 spdsock_flip(queue_t *q, mblk_t *mp, spd_if_t *tunname) 1253 { 1254 char *tname; 1255 ipsec_tun_pol_t *itp; 1256 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1257 spd_stack_t *spds = ss->spdsock_spds; 1258 1259 if (tunname != NULL) { 1260 tname = (char *)tunname->spd_if_name; 1261 if (*tname == '\0') { 1262 /* can't fail */ 1263 ipsec_swap_global_policy(spds->spds_netstack); 1264 if (audit_active) { 1265 boolean_t active; 1266 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1267 1268 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1269 audit_pf_policy(SPD_FLIP, DB_CRED(mp), 1270 spds->spds_netstack, NULL, active, 0, 1271 DB_CPID(mp)); 1272 } 1273 itp_walk(spdsock_flip_node, NULL, spds->spds_netstack); 1274 if (audit_active) { 1275 boolean_t active; 1276 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1277 1278 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1279 audit_pf_policy(SPD_FLIP, DB_CRED(mp), 1280 spds->spds_netstack, "all tunnels", active, 1281 0, DB_CPID(mp)); 1282 } 1283 } else { 1284 itp = get_tunnel_policy(tname, spds->spds_netstack); 1285 if (itp == NULL) { 1286 /* Better idea for "tunnel not found"? */ 1287 spdsock_error(q, mp, ESRCH, 0); 1288 if (audit_active) { 1289 boolean_t active; 1290 spd_msg_t *spmsg = 1291 (spd_msg_t *)mp->b_rptr; 1292 1293 active = (spmsg->spd_msg_spdid == 1294 SPD_ACTIVE); 1295 audit_pf_policy(SPD_FLIP, DB_CRED(mp), 1296 spds->spds_netstack, ITP_NAME(itp), 1297 active, ESRCH, DB_CPID(mp)); 1298 } 1299 return; 1300 } 1301 spdsock_flip_node(itp, NULL, NULL); 1302 if (audit_active) { 1303 boolean_t active; 1304 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1305 1306 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1307 audit_pf_policy(SPD_FLIP, DB_CRED(mp), 1308 spds->spds_netstack, ITP_NAME(itp), active, 1309 0, DB_CPID(mp)); 1310 } 1311 ITP_REFRELE(itp, spds->spds_netstack); 1312 } 1313 } else { 1314 ipsec_swap_global_policy(spds->spds_netstack); /* can't fail */ 1315 if (audit_active) { 1316 boolean_t active; 1317 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1318 1319 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1320 audit_pf_policy(SPD_FLIP, DB_CRED(mp), 1321 spds->spds_netstack, NULL, active, 0, DB_CPID(mp)); 1322 } 1323 } 1324 spd_echo(q, mp); 1325 } 1326 1327 /* 1328 * Unimplemented feature 1329 */ 1330 /* ARGSUSED */ 1331 static void 1332 spdsock_lookup(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1333 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1334 { 1335 spdsock_error(q, mp, EINVAL, 0); 1336 } 1337 1338 1339 static mblk_t * 1340 spdsock_dump_ruleset(mblk_t *req, ipsec_policy_head_t *iph, 1341 uint32_t count, uint16_t error) 1342 { 1343 size_t len = sizeof (spd_ruleset_ext_t) + sizeof (spd_msg_t); 1344 spd_msg_t *msg; 1345 spd_ruleset_ext_t *ruleset; 1346 mblk_t *m = allocb(len, BPRI_HI); 1347 1348 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1349 1350 if (m == NULL) { 1351 return (NULL); 1352 } 1353 msg = (spd_msg_t *)m->b_rptr; 1354 ruleset = (spd_ruleset_ext_t *)(&msg[1]); 1355 1356 m->b_wptr = (uint8_t *)&ruleset[1]; 1357 1358 *msg = *(spd_msg_t *)(req->b_rptr); 1359 msg->spd_msg_len = SPD_8TO64(len); 1360 msg->spd_msg_errno = error; 1361 1362 ruleset->spd_ruleset_len = SPD_8TO64(sizeof (*ruleset)); 1363 ruleset->spd_ruleset_type = SPD_EXT_RULESET; 1364 ruleset->spd_ruleset_count = count; 1365 ruleset->spd_ruleset_version = iph->iph_gen; 1366 return (m); 1367 } 1368 1369 static mblk_t * 1370 spdsock_dump_finish(spdsock_t *ss, int error) 1371 { 1372 mblk_t *m; 1373 ipsec_policy_head_t *iph = ss->spdsock_dump_head; 1374 mblk_t *req = ss->spdsock_dump_req; 1375 ipsec_tun_pol_t *itp, dummy; 1376 spd_stack_t *spds = ss->spdsock_spds; 1377 netstack_t *ns = spds->spds_netstack; 1378 ipsec_stack_t *ipss = ns->netstack_ipsec; 1379 1380 ss->spdsock_dump_remaining_polheads--; 1381 if (error == 0 && ss->spdsock_dump_remaining_polheads != 0) { 1382 /* Attempt a respin with a new policy head. */ 1383 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER); 1384 /* NOTE: No need for ITP_REF*() macros here. */ 1385 if (ipss->ipsec_tunnel_policy_gen > ss->spdsock_dump_tun_gen) { 1386 /* Bail with EAGAIN. */ 1387 error = EAGAIN; 1388 } else if (ss->spdsock_dump_name[0] == '\0') { 1389 /* Just finished global, find first node. */ 1390 itp = (ipsec_tun_pol_t *)avl_first( 1391 &ipss->ipsec_tunnel_policies); 1392 } else { 1393 /* 1394 * We just finished current-named polhead, find 1395 * the next one. 1396 */ 1397 (void) strncpy(dummy.itp_name, ss->spdsock_dump_name, 1398 LIFNAMSIZ); 1399 itp = (ipsec_tun_pol_t *)avl_find( 1400 &ipss->ipsec_tunnel_policies, &dummy, NULL); 1401 ASSERT(itp != NULL); 1402 itp = (ipsec_tun_pol_t *)AVL_NEXT( 1403 &ipss->ipsec_tunnel_policies, itp); 1404 /* remaining_polheads should maintain this assertion. */ 1405 ASSERT(itp != NULL); 1406 } 1407 if (error == 0) { 1408 (void) strncpy(ss->spdsock_dump_name, itp->itp_name, 1409 LIFNAMSIZ); 1410 /* Reset other spdsock_dump thingies. */ 1411 IPPH_REFRELE(ss->spdsock_dump_head, ns); 1412 if (ss->spdsock_dump_active) { 1413 ss->spdsock_dump_tunnel = 1414 itp->itp_flags & ITPF_P_TUNNEL; 1415 iph = itp->itp_policy; 1416 } else { 1417 ss->spdsock_dump_tunnel = 1418 itp->itp_flags & ITPF_I_TUNNEL; 1419 iph = itp->itp_inactive; 1420 } 1421 IPPH_REFHOLD(iph); 1422 rw_enter(&iph->iph_lock, RW_READER); 1423 ss->spdsock_dump_head = iph; 1424 ss->spdsock_dump_gen = iph->iph_gen; 1425 ss->spdsock_dump_cur_type = 0; 1426 ss->spdsock_dump_cur_af = IPSEC_AF_V4; 1427 ss->spdsock_dump_cur_rule = NULL; 1428 ss->spdsock_dump_count = 0; 1429 ss->spdsock_dump_cur_chain = 0; 1430 rw_exit(&iph->iph_lock); 1431 rw_exit(&ipss->ipsec_tunnel_policy_lock); 1432 /* And start again. */ 1433 return (spdsock_dump_next_record(ss)); 1434 } 1435 rw_exit(&ipss->ipsec_tunnel_policy_lock); 1436 } 1437 1438 rw_enter(&iph->iph_lock, RW_READER); 1439 m = spdsock_dump_ruleset(req, iph, ss->spdsock_dump_count, error); 1440 rw_exit(&iph->iph_lock); 1441 IPPH_REFRELE(iph, ns); 1442 ss->spdsock_dump_req = NULL; 1443 freemsg(req); 1444 1445 return (m); 1446 } 1447 1448 /* 1449 * Rule encoding functions. 1450 * We do a two-pass encode. 1451 * If base != NULL, fill in encoded rule part starting at base+offset. 1452 * Always return "offset" plus length of to-be-encoded data. 1453 */ 1454 static uint_t 1455 spdsock_encode_typecode(uint8_t *base, uint_t offset, uint8_t type, 1456 uint8_t type_end, uint8_t code, uint8_t code_end) 1457 { 1458 struct spd_typecode *tcp; 1459 1460 ASSERT(ALIGNED64(offset)); 1461 1462 if (base != NULL) { 1463 tcp = (struct spd_typecode *)(base + offset); 1464 tcp->spd_typecode_len = SPD_8TO64(sizeof (*tcp)); 1465 tcp->spd_typecode_exttype = SPD_EXT_ICMP_TYPECODE; 1466 tcp->spd_typecode_code = code; 1467 tcp->spd_typecode_type = type; 1468 tcp->spd_typecode_type_end = type_end; 1469 tcp->spd_typecode_code_end = code_end; 1470 } 1471 offset += sizeof (*tcp); 1472 1473 ASSERT(ALIGNED64(offset)); 1474 1475 return (offset); 1476 } 1477 1478 static uint_t 1479 spdsock_encode_proto(uint8_t *base, uint_t offset, uint8_t proto) 1480 { 1481 struct spd_proto *spp; 1482 1483 ASSERT(ALIGNED64(offset)); 1484 1485 if (base != NULL) { 1486 spp = (struct spd_proto *)(base + offset); 1487 spp->spd_proto_len = SPD_8TO64(sizeof (*spp)); 1488 spp->spd_proto_exttype = SPD_EXT_PROTO; 1489 spp->spd_proto_number = proto; 1490 spp->spd_proto_reserved1 = 0; 1491 spp->spd_proto_reserved2 = 0; 1492 } 1493 offset += sizeof (*spp); 1494 1495 ASSERT(ALIGNED64(offset)); 1496 1497 return (offset); 1498 } 1499 1500 static uint_t 1501 spdsock_encode_port(uint8_t *base, uint_t offset, uint16_t ext, uint16_t port) 1502 { 1503 struct spd_portrange *spp; 1504 1505 ASSERT(ALIGNED64(offset)); 1506 1507 if (base != NULL) { 1508 spp = (struct spd_portrange *)(base + offset); 1509 spp->spd_ports_len = SPD_8TO64(sizeof (*spp)); 1510 spp->spd_ports_exttype = ext; 1511 spp->spd_ports_minport = port; 1512 spp->spd_ports_maxport = port; 1513 } 1514 offset += sizeof (*spp); 1515 1516 ASSERT(ALIGNED64(offset)); 1517 1518 return (offset); 1519 } 1520 1521 static uint_t 1522 spdsock_encode_addr(uint8_t *base, uint_t offset, uint16_t ext, 1523 const ipsec_selkey_t *sel, const ipsec_addr_t *addr, uint_t pfxlen) 1524 { 1525 struct spd_address *sae; 1526 ipsec_addr_t *spdaddr; 1527 uint_t start = offset; 1528 uint_t addrlen; 1529 uint_t af; 1530 1531 if (sel->ipsl_valid & IPSL_IPV4) { 1532 af = AF_INET; 1533 addrlen = IP_ADDR_LEN; 1534 } else { 1535 af = AF_INET6; 1536 addrlen = IPV6_ADDR_LEN; 1537 } 1538 1539 ASSERT(ALIGNED64(offset)); 1540 1541 if (base != NULL) { 1542 sae = (struct spd_address *)(base + offset); 1543 sae->spd_address_exttype = ext; 1544 sae->spd_address_af = af; 1545 sae->spd_address_prefixlen = pfxlen; 1546 sae->spd_address_reserved2 = 0; 1547 1548 spdaddr = (ipsec_addr_t *)(&sae[1]); 1549 bcopy(addr, spdaddr, addrlen); 1550 } 1551 offset += sizeof (*sae); 1552 addrlen = roundup(addrlen, sizeof (uint64_t)); 1553 offset += addrlen; 1554 1555 ASSERT(ALIGNED64(offset)); 1556 1557 if (base != NULL) 1558 sae->spd_address_len = SPD_8TO64(offset - start); 1559 return (offset); 1560 } 1561 1562 static uint_t 1563 spdsock_encode_sel(uint8_t *base, uint_t offset, const ipsec_sel_t *sel) 1564 { 1565 const ipsec_selkey_t *selkey = &sel->ipsl_key; 1566 1567 if (selkey->ipsl_valid & IPSL_PROTOCOL) 1568 offset = spdsock_encode_proto(base, offset, selkey->ipsl_proto); 1569 if (selkey->ipsl_valid & IPSL_LOCAL_PORT) 1570 offset = spdsock_encode_port(base, offset, SPD_EXT_LCLPORT, 1571 selkey->ipsl_lport); 1572 if (selkey->ipsl_valid & IPSL_REMOTE_PORT) 1573 offset = spdsock_encode_port(base, offset, SPD_EXT_REMPORT, 1574 selkey->ipsl_rport); 1575 if (selkey->ipsl_valid & IPSL_REMOTE_ADDR) 1576 offset = spdsock_encode_addr(base, offset, SPD_EXT_REMADDR, 1577 selkey, &selkey->ipsl_remote, selkey->ipsl_remote_pfxlen); 1578 if (selkey->ipsl_valid & IPSL_LOCAL_ADDR) 1579 offset = spdsock_encode_addr(base, offset, SPD_EXT_LCLADDR, 1580 selkey, &selkey->ipsl_local, selkey->ipsl_local_pfxlen); 1581 if (selkey->ipsl_valid & IPSL_ICMP_TYPE) { 1582 offset = spdsock_encode_typecode(base, offset, 1583 selkey->ipsl_icmp_type, selkey->ipsl_icmp_type_end, 1584 (selkey->ipsl_valid & IPSL_ICMP_CODE) ? 1585 selkey->ipsl_icmp_code : 255, 1586 (selkey->ipsl_valid & IPSL_ICMP_CODE) ? 1587 selkey->ipsl_icmp_code_end : 255); 1588 } 1589 return (offset); 1590 } 1591 1592 static uint_t 1593 spdsock_encode_actattr(uint8_t *base, uint_t offset, uint32_t tag, 1594 uint32_t value) 1595 { 1596 struct spd_attribute *attr; 1597 1598 ASSERT(ALIGNED64(offset)); 1599 1600 if (base != NULL) { 1601 attr = (struct spd_attribute *)(base + offset); 1602 attr->spd_attr_tag = tag; 1603 attr->spd_attr_value = value; 1604 } 1605 offset += sizeof (struct spd_attribute); 1606 1607 ASSERT(ALIGNED64(offset)); 1608 1609 return (offset); 1610 } 1611 1612 1613 #define EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v)) 1614 1615 static uint_t 1616 spdsock_encode_action(uint8_t *base, uint_t offset, const ipsec_action_t *ap) 1617 { 1618 const struct ipsec_act *act = &(ap->ipa_act); 1619 uint_t flags; 1620 1621 EMIT(SPD_ATTR_EMPTY, 0); 1622 switch (act->ipa_type) { 1623 case IPSEC_ACT_DISCARD: 1624 case IPSEC_ACT_REJECT: 1625 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_DROP); 1626 break; 1627 case IPSEC_ACT_BYPASS: 1628 case IPSEC_ACT_CLEAR: 1629 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_PASS); 1630 break; 1631 1632 case IPSEC_ACT_APPLY: 1633 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_IPSEC); 1634 flags = 0; 1635 if (act->ipa_apply.ipp_use_ah) 1636 flags |= SPD_APPLY_AH; 1637 if (act->ipa_apply.ipp_use_esp) 1638 flags |= SPD_APPLY_ESP; 1639 if (act->ipa_apply.ipp_use_espa) 1640 flags |= SPD_APPLY_ESPA; 1641 if (act->ipa_apply.ipp_use_se) 1642 flags |= SPD_APPLY_SE; 1643 if (act->ipa_apply.ipp_use_unique) 1644 flags |= SPD_APPLY_UNIQUE; 1645 EMIT(SPD_ATTR_FLAGS, flags); 1646 if (flags & SPD_APPLY_AH) { 1647 EMIT(SPD_ATTR_AH_AUTH, act->ipa_apply.ipp_auth_alg); 1648 EMIT(SPD_ATTR_AH_MINBITS, 1649 act->ipa_apply.ipp_ah_minbits); 1650 EMIT(SPD_ATTR_AH_MAXBITS, 1651 act->ipa_apply.ipp_ah_maxbits); 1652 } 1653 if (flags & SPD_APPLY_ESP) { 1654 EMIT(SPD_ATTR_ESP_ENCR, act->ipa_apply.ipp_encr_alg); 1655 EMIT(SPD_ATTR_ENCR_MINBITS, 1656 act->ipa_apply.ipp_espe_minbits); 1657 EMIT(SPD_ATTR_ENCR_MAXBITS, 1658 act->ipa_apply.ipp_espe_maxbits); 1659 if (flags & SPD_APPLY_ESPA) { 1660 EMIT(SPD_ATTR_ESP_AUTH, 1661 act->ipa_apply.ipp_esp_auth_alg); 1662 EMIT(SPD_ATTR_ESPA_MINBITS, 1663 act->ipa_apply.ipp_espa_minbits); 1664 EMIT(SPD_ATTR_ESPA_MAXBITS, 1665 act->ipa_apply.ipp_espa_maxbits); 1666 } 1667 } 1668 if (act->ipa_apply.ipp_km_proto != 0) 1669 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_proto); 1670 if (act->ipa_apply.ipp_km_cookie != 0) 1671 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_cookie); 1672 if (act->ipa_apply.ipp_replay_depth != 0) 1673 EMIT(SPD_ATTR_REPLAY_DEPTH, 1674 act->ipa_apply.ipp_replay_depth); 1675 /* Add more here */ 1676 break; 1677 } 1678 1679 return (offset); 1680 } 1681 1682 static uint_t 1683 spdsock_encode_action_list(uint8_t *base, uint_t offset, 1684 const ipsec_action_t *ap) 1685 { 1686 struct spd_ext_actions *act; 1687 uint_t nact = 0; 1688 uint_t start = offset; 1689 1690 ASSERT(ALIGNED64(offset)); 1691 1692 if (base != NULL) { 1693 act = (struct spd_ext_actions *)(base + offset); 1694 act->spd_actions_len = 0; 1695 act->spd_actions_exttype = SPD_EXT_ACTION; 1696 act->spd_actions_count = 0; 1697 act->spd_actions_reserved = 0; 1698 } 1699 1700 offset += sizeof (*act); 1701 1702 ASSERT(ALIGNED64(offset)); 1703 1704 while (ap != NULL) { 1705 offset = spdsock_encode_action(base, offset, ap); 1706 ap = ap->ipa_next; 1707 nact++; 1708 if (ap != NULL) { 1709 EMIT(SPD_ATTR_NEXT, 0); 1710 } 1711 } 1712 EMIT(SPD_ATTR_END, 0); 1713 1714 ASSERT(ALIGNED64(offset)); 1715 1716 if (base != NULL) { 1717 act->spd_actions_count = nact; 1718 act->spd_actions_len = SPD_8TO64(offset - start); 1719 } 1720 1721 return (offset); 1722 } 1723 1724 #undef EMIT 1725 1726 /* ARGSUSED */ 1727 static uint_t 1728 spdsock_rule_flags(uint_t dir, uint_t af) 1729 { 1730 uint_t flags = 0; 1731 1732 if (dir == IPSEC_TYPE_INBOUND) 1733 flags |= SPD_RULE_FLAG_INBOUND; 1734 if (dir == IPSEC_TYPE_OUTBOUND) 1735 flags |= SPD_RULE_FLAG_OUTBOUND; 1736 1737 return (flags); 1738 } 1739 1740 1741 static uint_t 1742 spdsock_encode_rule_head(uint8_t *base, uint_t offset, spd_msg_t *req, 1743 const ipsec_policy_t *rule, uint_t dir, uint_t af, char *name, 1744 boolean_t tunnel) 1745 { 1746 struct spd_msg *spmsg; 1747 struct spd_rule *spr; 1748 spd_if_t *sid; 1749 1750 uint_t start = offset; 1751 1752 ASSERT(ALIGNED64(offset)); 1753 1754 if (base != NULL) { 1755 spmsg = (struct spd_msg *)(base + offset); 1756 bzero(spmsg, sizeof (*spmsg)); 1757 spmsg->spd_msg_version = PF_POLICY_V1; 1758 spmsg->spd_msg_type = SPD_DUMP; 1759 spmsg->spd_msg_seq = req->spd_msg_seq; 1760 spmsg->spd_msg_pid = req->spd_msg_pid; 1761 } 1762 offset += sizeof (struct spd_msg); 1763 1764 ASSERT(ALIGNED64(offset)); 1765 1766 if (base != NULL) { 1767 spr = (struct spd_rule *)(base + offset); 1768 spr->spd_rule_type = SPD_EXT_RULE; 1769 spr->spd_rule_priority = rule->ipsp_prio; 1770 spr->spd_rule_flags = spdsock_rule_flags(dir, af); 1771 if (tunnel) 1772 spr->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL; 1773 spr->spd_rule_unused = 0; 1774 spr->spd_rule_len = SPD_8TO64(sizeof (*spr)); 1775 spr->spd_rule_index = rule->ipsp_index; 1776 } 1777 offset += sizeof (struct spd_rule); 1778 1779 /* 1780 * If we have an interface name (i.e. if this policy head came from 1781 * a tunnel), add the SPD_EXT_TUN_NAME extension. 1782 */ 1783 if (name[0] != '\0') { 1784 1785 ASSERT(ALIGNED64(offset)); 1786 1787 if (base != NULL) { 1788 sid = (spd_if_t *)(base + offset); 1789 sid->spd_if_exttype = SPD_EXT_TUN_NAME; 1790 sid->spd_if_len = SPD_8TO64(sizeof (spd_if_t) + 1791 roundup((strlen(name) - 4), 8)); 1792 (void) strlcpy((char *)sid->spd_if_name, name, 1793 LIFNAMSIZ); 1794 } 1795 1796 offset += sizeof (spd_if_t) + roundup((strlen(name) - 4), 8); 1797 } 1798 1799 offset = spdsock_encode_sel(base, offset, rule->ipsp_sel); 1800 offset = spdsock_encode_action_list(base, offset, rule->ipsp_act); 1801 1802 ASSERT(ALIGNED64(offset)); 1803 1804 if (base != NULL) { 1805 spmsg->spd_msg_len = SPD_8TO64(offset - start); 1806 } 1807 return (offset); 1808 } 1809 1810 /* ARGSUSED */ 1811 static mblk_t * 1812 spdsock_encode_rule(mblk_t *req, const ipsec_policy_t *rule, 1813 uint_t dir, uint_t af, char *name, boolean_t tunnel) 1814 { 1815 mblk_t *m; 1816 uint_t len; 1817 spd_msg_t *mreq = (spd_msg_t *)req->b_rptr; 1818 1819 /* 1820 * Figure out how much space we'll need. 1821 */ 1822 len = spdsock_encode_rule_head(NULL, 0, mreq, rule, dir, af, name, 1823 tunnel); 1824 1825 /* 1826 * Allocate mblk. 1827 */ 1828 m = allocb(len, BPRI_HI); 1829 if (m == NULL) 1830 return (NULL); 1831 1832 /* 1833 * Fill it in.. 1834 */ 1835 m->b_wptr = m->b_rptr + len; 1836 bzero(m->b_rptr, len); 1837 (void) spdsock_encode_rule_head(m->b_rptr, 0, mreq, rule, dir, af, 1838 name, tunnel); 1839 return (m); 1840 } 1841 1842 static ipsec_policy_t * 1843 spdsock_dump_next_in_chain(spdsock_t *ss, ipsec_policy_head_t *iph, 1844 ipsec_policy_t *cur) 1845 { 1846 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1847 1848 ss->spdsock_dump_count++; 1849 ss->spdsock_dump_cur_rule = cur->ipsp_hash.hash_next; 1850 return (cur); 1851 } 1852 1853 static ipsec_policy_t * 1854 spdsock_dump_next_rule(spdsock_t *ss, ipsec_policy_head_t *iph) 1855 { 1856 ipsec_policy_t *cur; 1857 ipsec_policy_root_t *ipr; 1858 int chain, nchains, type, af; 1859 1860 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1861 1862 cur = ss->spdsock_dump_cur_rule; 1863 1864 if (cur != NULL) 1865 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1866 1867 type = ss->spdsock_dump_cur_type; 1868 1869 next: 1870 chain = ss->spdsock_dump_cur_chain; 1871 ipr = &iph->iph_root[type]; 1872 nchains = ipr->ipr_nchains; 1873 1874 while (chain < nchains) { 1875 cur = ipr->ipr_hash[chain].hash_head; 1876 chain++; 1877 if (cur != NULL) { 1878 ss->spdsock_dump_cur_chain = chain; 1879 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1880 } 1881 } 1882 ss->spdsock_dump_cur_chain = nchains; 1883 1884 af = ss->spdsock_dump_cur_af; 1885 while (af < IPSEC_NAF) { 1886 cur = ipr->ipr_nonhash[af]; 1887 af++; 1888 if (cur != NULL) { 1889 ss->spdsock_dump_cur_af = af; 1890 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1891 } 1892 } 1893 1894 type++; 1895 if (type >= IPSEC_NTYPES) 1896 return (NULL); 1897 1898 ss->spdsock_dump_cur_chain = 0; 1899 ss->spdsock_dump_cur_type = type; 1900 ss->spdsock_dump_cur_af = IPSEC_AF_V4; 1901 goto next; 1902 1903 } 1904 1905 static mblk_t * 1906 spdsock_dump_next_record(spdsock_t *ss) 1907 { 1908 ipsec_policy_head_t *iph; 1909 ipsec_policy_t *rule; 1910 mblk_t *m; 1911 mblk_t *req = ss->spdsock_dump_req; 1912 1913 iph = ss->spdsock_dump_head; 1914 1915 ASSERT(iph != NULL); 1916 1917 rw_enter(&iph->iph_lock, RW_READER); 1918 1919 if (iph->iph_gen != ss->spdsock_dump_gen) { 1920 rw_exit(&iph->iph_lock); 1921 return (spdsock_dump_finish(ss, EAGAIN)); 1922 } 1923 1924 rule = spdsock_dump_next_rule(ss, iph); 1925 1926 if (!rule) { 1927 rw_exit(&iph->iph_lock); 1928 return (spdsock_dump_finish(ss, 0)); 1929 } 1930 1931 m = spdsock_encode_rule(req, rule, ss->spdsock_dump_cur_type, 1932 ss->spdsock_dump_cur_af, ss->spdsock_dump_name, 1933 ss->spdsock_dump_tunnel); 1934 rw_exit(&iph->iph_lock); 1935 1936 if (m == NULL) 1937 return (spdsock_dump_finish(ss, ENOMEM)); 1938 return (m); 1939 } 1940 1941 /* 1942 * Dump records until we run into flow-control back-pressure. 1943 */ 1944 static void 1945 spdsock_dump_some(queue_t *q, spdsock_t *ss) 1946 { 1947 mblk_t *m, *dataind; 1948 1949 while ((ss->spdsock_dump_req != NULL) && canputnext(q)) { 1950 m = spdsock_dump_next_record(ss); 1951 if (m == NULL) 1952 return; 1953 dataind = allocb(sizeof (struct T_data_req), BPRI_HI); 1954 if (dataind == NULL) { 1955 freemsg(m); 1956 return; 1957 } 1958 dataind->b_cont = m; 1959 dataind->b_wptr += sizeof (struct T_data_req); 1960 ((struct T_data_ind *)dataind->b_rptr)->PRIM_type = T_DATA_IND; 1961 ((struct T_data_ind *)dataind->b_rptr)->MORE_flag = 0; 1962 dataind->b_datap->db_type = M_PROTO; 1963 putnext(q, dataind); 1964 } 1965 } 1966 1967 /* 1968 * Start dumping. 1969 * Format a start-of-dump record, and set up the stream and kick the rsrv 1970 * procedure to continue the job.. 1971 */ 1972 /* ARGSUSED */ 1973 static void 1974 spdsock_dump(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp) 1975 { 1976 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1977 spd_stack_t *spds = ss->spdsock_spds; 1978 netstack_t *ns = spds->spds_netstack; 1979 ipsec_stack_t *ipss = ns->netstack_ipsec; 1980 mblk_t *mr; 1981 1982 /* spdsock_parse() already NULL-terminated spdsock_dump_name. */ 1983 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) { 1984 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER); 1985 ss->spdsock_dump_remaining_polheads = 1 + 1986 avl_numnodes(&ipss->ipsec_tunnel_policies); 1987 ss->spdsock_dump_tun_gen = ipss->ipsec_tunnel_policy_gen; 1988 rw_exit(&ipss->ipsec_tunnel_policy_lock); 1989 if (iph == ALL_ACTIVE_POLHEADS) { 1990 iph = ipsec_system_policy(ns); 1991 ss->spdsock_dump_active = B_TRUE; 1992 } else { 1993 iph = ipsec_inactive_policy(spds->spds_netstack); 1994 ss->spdsock_dump_active = B_FALSE; 1995 } 1996 ASSERT(ss->spdsock_dump_name[0] == '\0'); 1997 } else { 1998 ss->spdsock_dump_remaining_polheads = 1; 1999 } 2000 2001 rw_enter(&iph->iph_lock, RW_READER); 2002 2003 mr = spdsock_dump_ruleset(mp, iph, 0, 0); 2004 2005 if (!mr) { 2006 rw_exit(&iph->iph_lock); 2007 spdsock_error(q, mp, ENOMEM, 0); 2008 return; 2009 } 2010 2011 ss->spdsock_dump_req = mp; 2012 ss->spdsock_dump_head = iph; 2013 ss->spdsock_dump_gen = iph->iph_gen; 2014 ss->spdsock_dump_cur_type = 0; 2015 ss->spdsock_dump_cur_af = IPSEC_AF_V4; 2016 ss->spdsock_dump_cur_rule = NULL; 2017 ss->spdsock_dump_count = 0; 2018 ss->spdsock_dump_cur_chain = 0; 2019 rw_exit(&iph->iph_lock); 2020 2021 qreply(q, mr); 2022 qenable(OTHERQ(q)); 2023 } 2024 2025 /* Do NOT consume a reference to ITP. */ 2026 void 2027 spdsock_clone_node(ipsec_tun_pol_t *itp, void *ep, netstack_t *ns) 2028 { 2029 int *errptr = (int *)ep; 2030 2031 if (*errptr != 0) 2032 return; /* We've failed already for some reason. */ 2033 mutex_enter(&itp->itp_lock); 2034 ITPF_CLONE(itp->itp_flags); 2035 *errptr = ipsec_copy_polhead(itp->itp_policy, itp->itp_inactive, ns); 2036 mutex_exit(&itp->itp_lock); 2037 } 2038 2039 void 2040 spdsock_clone(queue_t *q, mblk_t *mp, spd_if_t *tunname) 2041 { 2042 int error; 2043 char *tname; 2044 ipsec_tun_pol_t *itp; 2045 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2046 spd_stack_t *spds = ss->spdsock_spds; 2047 2048 if (tunname != NULL) { 2049 tname = (char *)tunname->spd_if_name; 2050 if (*tname == '\0') { 2051 error = ipsec_clone_system_policy(spds->spds_netstack); 2052 if (audit_active) { 2053 boolean_t active; 2054 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2055 2056 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2057 audit_pf_policy(SPD_CLONE, DB_CRED(mp), 2058 spds->spds_netstack, NULL, active, error, 2059 DB_CPID(mp)); 2060 } 2061 if (error == 0) { 2062 itp_walk(spdsock_clone_node, &error, 2063 spds->spds_netstack); 2064 if (audit_active) { 2065 boolean_t active; 2066 spd_msg_t *spmsg = 2067 (spd_msg_t *)mp->b_rptr; 2068 2069 active = (spmsg->spd_msg_spdid == 2070 SPD_ACTIVE); 2071 audit_pf_policy(SPD_CLONE, DB_CRED(mp), 2072 spds->spds_netstack, 2073 "all tunnels", active, 0, 2074 DB_CPID(mp)); 2075 } 2076 } 2077 } else { 2078 itp = get_tunnel_policy(tname, spds->spds_netstack); 2079 if (itp == NULL) { 2080 spdsock_error(q, mp, ENOENT, 0); 2081 if (audit_active) { 2082 boolean_t active; 2083 spd_msg_t *spmsg = 2084 (spd_msg_t *)mp->b_rptr; 2085 2086 active = (spmsg->spd_msg_spdid == 2087 SPD_ACTIVE); 2088 audit_pf_policy(SPD_CLONE, DB_CRED(mp), 2089 spds->spds_netstack, ITP_NAME(itp), 2090 active, ENOENT, DB_CPID(mp)); 2091 } 2092 return; 2093 } 2094 spdsock_clone_node(itp, &error, NULL); 2095 ITP_REFRELE(itp, spds->spds_netstack); 2096 if (audit_active) { 2097 boolean_t active; 2098 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2099 2100 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2101 audit_pf_policy(SPD_CLONE, DB_CRED(mp), 2102 spds->spds_netstack, ITP_NAME(itp), active, 2103 error, DB_CPID(mp)); 2104 } 2105 } 2106 } else { 2107 error = ipsec_clone_system_policy(spds->spds_netstack); 2108 if (audit_active) { 2109 boolean_t active; 2110 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2111 2112 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2113 audit_pf_policy(SPD_CLONE, DB_CRED(mp), 2114 spds->spds_netstack, NULL, active, error, 2115 DB_CPID(mp)); 2116 } 2117 } 2118 2119 if (error != 0) 2120 spdsock_error(q, mp, error, 0); 2121 else 2122 spd_echo(q, mp); 2123 } 2124 2125 /* 2126 * Process a SPD_ALGLIST request. The caller expects separate alg entries 2127 * for AH authentication, ESP authentication, and ESP encryption. 2128 * The same distinction is then used when setting the min and max key 2129 * sizes when defining policies. 2130 */ 2131 2132 #define SPDSOCK_AH_AUTH 0 2133 #define SPDSOCK_ESP_AUTH 1 2134 #define SPDSOCK_ESP_ENCR 2 2135 #define SPDSOCK_NTYPES 3 2136 2137 static const uint_t algattr[SPDSOCK_NTYPES] = { 2138 SPD_ATTR_AH_AUTH, 2139 SPD_ATTR_ESP_AUTH, 2140 SPD_ATTR_ESP_ENCR 2141 }; 2142 static const uint_t minbitsattr[SPDSOCK_NTYPES] = { 2143 SPD_ATTR_AH_MINBITS, 2144 SPD_ATTR_ESPA_MINBITS, 2145 SPD_ATTR_ENCR_MINBITS 2146 }; 2147 static const uint_t maxbitsattr[SPDSOCK_NTYPES] = { 2148 SPD_ATTR_AH_MAXBITS, 2149 SPD_ATTR_ESPA_MAXBITS, 2150 SPD_ATTR_ENCR_MAXBITS 2151 }; 2152 static const uint_t defbitsattr[SPDSOCK_NTYPES] = { 2153 SPD_ATTR_AH_DEFBITS, 2154 SPD_ATTR_ESPA_DEFBITS, 2155 SPD_ATTR_ENCR_DEFBITS 2156 }; 2157 static const uint_t incrbitsattr[SPDSOCK_NTYPES] = { 2158 SPD_ATTR_AH_INCRBITS, 2159 SPD_ATTR_ESPA_INCRBITS, 2160 SPD_ATTR_ENCR_INCRBITS 2161 }; 2162 2163 #define ATTRPERALG 6 /* fixed attributes per algs */ 2164 2165 void 2166 spdsock_alglist(queue_t *q, mblk_t *mp) 2167 { 2168 uint_t algtype; 2169 uint_t algidx; 2170 uint_t algcount; 2171 uint_t size; 2172 mblk_t *m; 2173 uint8_t *cur; 2174 spd_msg_t *msg; 2175 struct spd_ext_actions *act; 2176 struct spd_attribute *attr; 2177 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2178 spd_stack_t *spds = ss->spdsock_spds; 2179 ipsec_stack_t *ipss = spds->spds_netstack->netstack_ipsec; 2180 2181 mutex_enter(&ipss->ipsec_alg_lock); 2182 /* 2183 * The SPD client expects to receive separate entries for 2184 * AH authentication and ESP authentication supported algorithms. 2185 * 2186 * Don't return the "any" algorithms, if defined, as no 2187 * kernel policies can be set for these algorithms. 2188 */ 2189 algcount = 2 * ipss->ipsec_nalgs[IPSEC_ALG_AUTH] + 2190 ipss->ipsec_nalgs[IPSEC_ALG_ENCR]; 2191 2192 if (ipss->ipsec_alglists[IPSEC_ALG_AUTH][SADB_AALG_NONE] != NULL) 2193 algcount--; 2194 if (ipss->ipsec_alglists[IPSEC_ALG_ENCR][SADB_EALG_NONE] != NULL) 2195 algcount--; 2196 2197 /* 2198 * For each algorithm, we encode: 2199 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT} 2200 */ 2201 2202 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions) + 2203 ATTRPERALG * sizeof (struct spd_attribute) * algcount; 2204 2205 ASSERT(ALIGNED64(size)); 2206 2207 m = allocb(size, BPRI_HI); 2208 if (m == NULL) { 2209 mutex_exit(&ipss->ipsec_alg_lock); 2210 spdsock_error(q, mp, ENOMEM, 0); 2211 return; 2212 } 2213 2214 m->b_wptr = m->b_rptr + size; 2215 cur = m->b_rptr; 2216 2217 msg = (spd_msg_t *)cur; 2218 bcopy(mp->b_rptr, cur, sizeof (*msg)); 2219 2220 msg->spd_msg_len = SPD_8TO64(size); 2221 msg->spd_msg_errno = 0; 2222 msg->spd_msg_diagnostic = 0; 2223 2224 cur += sizeof (*msg); 2225 2226 act = (struct spd_ext_actions *)cur; 2227 cur += sizeof (*act); 2228 2229 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t)); 2230 act->spd_actions_exttype = SPD_EXT_ACTION; 2231 act->spd_actions_count = algcount; 2232 act->spd_actions_reserved = 0; 2233 2234 attr = (struct spd_attribute *)cur; 2235 2236 #define EMIT(tag, value) { \ 2237 attr->spd_attr_tag = (tag); \ 2238 attr->spd_attr_value = (value); \ 2239 attr++; \ 2240 } 2241 2242 /* 2243 * If you change the number of EMIT's here, change 2244 * ATTRPERALG above to match 2245 */ 2246 #define EMITALGATTRS(_type) { \ 2247 EMIT(algattr[_type], algid); /* 1 */ \ 2248 EMIT(minbitsattr[_type], minbits); /* 2 */ \ 2249 EMIT(maxbitsattr[_type], maxbits); /* 3 */ \ 2250 EMIT(defbitsattr[_type], defbits); /* 4 */ \ 2251 EMIT(incrbitsattr[_type], incr); /* 5 */ \ 2252 EMIT(SPD_ATTR_NEXT, 0); /* 6 */ \ 2253 } 2254 2255 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2256 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2257 algidx++) { 2258 int algid = ipss->ipsec_sortlist[algtype][algidx]; 2259 ipsec_alginfo_t *alg = 2260 ipss->ipsec_alglists[algtype][algid]; 2261 uint_t minbits = alg->alg_minbits; 2262 uint_t maxbits = alg->alg_maxbits; 2263 uint_t defbits = alg->alg_default_bits; 2264 uint_t incr = alg->alg_increment; 2265 2266 if (algtype == IPSEC_ALG_AUTH) { 2267 if (algid == SADB_AALG_NONE) 2268 continue; 2269 EMITALGATTRS(SPDSOCK_AH_AUTH); 2270 EMITALGATTRS(SPDSOCK_ESP_AUTH); 2271 } else { 2272 if (algid == SADB_EALG_NONE) 2273 continue; 2274 ASSERT(algtype == IPSEC_ALG_ENCR); 2275 EMITALGATTRS(SPDSOCK_ESP_ENCR); 2276 } 2277 } 2278 } 2279 2280 mutex_exit(&ipss->ipsec_alg_lock); 2281 2282 #undef EMITALGATTRS 2283 #undef EMIT 2284 #undef ATTRPERALG 2285 2286 attr--; 2287 attr->spd_attr_tag = SPD_ATTR_END; 2288 2289 freemsg(mp); 2290 qreply(q, m); 2291 } 2292 2293 /* 2294 * Process a SPD_DUMPALGS request. 2295 */ 2296 2297 #define ATTRPERALG 7 /* fixed attributes per algs */ 2298 2299 void 2300 spdsock_dumpalgs(queue_t *q, mblk_t *mp) 2301 { 2302 uint_t algtype; 2303 uint_t algidx; 2304 uint_t size; 2305 mblk_t *m; 2306 uint8_t *cur; 2307 spd_msg_t *msg; 2308 struct spd_ext_actions *act; 2309 struct spd_attribute *attr; 2310 ipsec_alginfo_t *alg; 2311 uint_t algid; 2312 uint_t i; 2313 uint_t alg_size; 2314 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2315 spd_stack_t *spds = ss->spdsock_spds; 2316 ipsec_stack_t *ipss = spds->spds_netstack->netstack_ipsec; 2317 2318 mutex_enter(&ipss->ipsec_alg_lock); 2319 2320 /* 2321 * For each algorithm, we encode: 2322 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT} 2323 * 2324 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE* 2325 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_MECHNAME / {END, NEXT} 2326 */ 2327 2328 /* 2329 * Compute the size of the SPD message. 2330 */ 2331 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions); 2332 2333 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2334 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2335 algidx++) { 2336 algid = ipss->ipsec_sortlist[algtype][algidx]; 2337 alg = ipss->ipsec_alglists[algtype][algid]; 2338 alg_size = sizeof (struct spd_attribute) * 2339 (ATTRPERALG + alg->alg_nkey_sizes + 2340 alg->alg_nblock_sizes) + CRYPTO_MAX_MECH_NAME; 2341 size += alg_size; 2342 } 2343 } 2344 2345 ASSERT(ALIGNED64(size)); 2346 2347 m = allocb(size, BPRI_HI); 2348 if (m == NULL) { 2349 mutex_exit(&ipss->ipsec_alg_lock); 2350 spdsock_error(q, mp, ENOMEM, 0); 2351 return; 2352 } 2353 2354 m->b_wptr = m->b_rptr + size; 2355 cur = m->b_rptr; 2356 2357 msg = (spd_msg_t *)cur; 2358 bcopy(mp->b_rptr, cur, sizeof (*msg)); 2359 2360 msg->spd_msg_len = SPD_8TO64(size); 2361 msg->spd_msg_errno = 0; 2362 msg->spd_msg_diagnostic = 0; 2363 2364 cur += sizeof (*msg); 2365 2366 act = (struct spd_ext_actions *)cur; 2367 cur += sizeof (*act); 2368 2369 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t)); 2370 act->spd_actions_exttype = SPD_EXT_ACTION; 2371 act->spd_actions_count = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] + 2372 ipss->ipsec_nalgs[IPSEC_ALG_ENCR]; 2373 act->spd_actions_reserved = 0; 2374 2375 attr = (struct spd_attribute *)cur; 2376 2377 #define EMIT(tag, value) { \ 2378 attr->spd_attr_tag = (tag); \ 2379 attr->spd_attr_value = (value); \ 2380 attr++; \ 2381 } 2382 2383 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2384 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2385 algidx++) { 2386 2387 algid = ipss->ipsec_sortlist[algtype][algidx]; 2388 alg = ipss->ipsec_alglists[algtype][algid]; 2389 2390 /* 2391 * If you change the number of EMIT's here, change 2392 * ATTRPERALG above to match 2393 */ 2394 EMIT(SPD_ATTR_ALG_ID, algid); 2395 EMIT(SPD_ATTR_ALG_PROTO, algproto[algtype]); 2396 EMIT(SPD_ATTR_ALG_INCRBITS, alg->alg_increment); 2397 2398 EMIT(SPD_ATTR_ALG_NKEYSIZES, alg->alg_nkey_sizes); 2399 for (i = 0; i < alg->alg_nkey_sizes; i++) 2400 EMIT(SPD_ATTR_ALG_KEYSIZE, 2401 alg->alg_key_sizes[i]); 2402 2403 EMIT(SPD_ATTR_ALG_NBLOCKSIZES, alg->alg_nblock_sizes); 2404 for (i = 0; i < alg->alg_nblock_sizes; i++) 2405 EMIT(SPD_ATTR_ALG_BLOCKSIZE, 2406 alg->alg_block_sizes[i]); 2407 2408 EMIT(SPD_ATTR_ALG_MECHNAME, CRYPTO_MAX_MECH_NAME); 2409 bcopy(alg->alg_mech_name, attr, CRYPTO_MAX_MECH_NAME); 2410 attr = (struct spd_attribute *)((char *)attr + 2411 CRYPTO_MAX_MECH_NAME); 2412 2413 EMIT(SPD_ATTR_NEXT, 0); 2414 } 2415 } 2416 2417 mutex_exit(&ipss->ipsec_alg_lock); 2418 2419 #undef EMITALGATTRS 2420 #undef EMIT 2421 #undef ATTRPERALG 2422 2423 attr--; 2424 attr->spd_attr_tag = SPD_ATTR_END; 2425 2426 freemsg(mp); 2427 qreply(q, m); 2428 } 2429 2430 /* 2431 * Do the actual work of processing an SPD_UPDATEALGS request. Can 2432 * be invoked either once IPsec is loaded on a cached request, or 2433 * when a request is received while IPsec is loaded. 2434 */ 2435 static void 2436 spdsock_do_updatealg(spd_ext_t *extv[], int *diag, spd_stack_t *spds) 2437 { 2438 struct spd_ext_actions *actp; 2439 struct spd_attribute *attr, *endattr; 2440 uint64_t *start, *end; 2441 ipsec_alginfo_t *alg = NULL; 2442 ipsec_algtype_t alg_type = 0; 2443 boolean_t skip_alg = B_TRUE, doing_proto = B_FALSE; 2444 uint_t i, cur_key, cur_block, algid; 2445 2446 *diag = -1; 2447 ASSERT(MUTEX_HELD(&spds->spds_alg_lock)); 2448 2449 /* parse the message, building the list of algorithms */ 2450 2451 actp = (struct spd_ext_actions *)extv[SPD_EXT_ACTION]; 2452 if (actp == NULL) { 2453 *diag = SPD_DIAGNOSTIC_NO_ACTION_EXT; 2454 return; 2455 } 2456 2457 start = (uint64_t *)actp; 2458 end = (start + actp->spd_actions_len); 2459 endattr = (struct spd_attribute *)end; 2460 attr = (struct spd_attribute *)&actp[1]; 2461 2462 bzero(spds->spds_algs, IPSEC_NALGTYPES * IPSEC_MAX_ALGS * 2463 sizeof (ipsec_alginfo_t *)); 2464 2465 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP); 2466 2467 #define ALG_KEY_SIZES(a) (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t)) 2468 #define ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t)) 2469 2470 while (attr < endattr) { 2471 switch (attr->spd_attr_tag) { 2472 case SPD_ATTR_NOP: 2473 case SPD_ATTR_EMPTY: 2474 break; 2475 case SPD_ATTR_END: 2476 attr = endattr; 2477 /* FALLTHRU */ 2478 case SPD_ATTR_NEXT: 2479 if (doing_proto) { 2480 doing_proto = B_FALSE; 2481 break; 2482 } 2483 if (skip_alg) { 2484 ipsec_alg_free(alg); 2485 } else { 2486 ipsec_alg_free( 2487 spds->spds_algs[alg_type][alg->alg_id]); 2488 spds->spds_algs[alg_type][alg->alg_id] = 2489 alg; 2490 } 2491 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP); 2492 break; 2493 2494 case SPD_ATTR_ALG_ID: 2495 if (attr->spd_attr_value >= IPSEC_MAX_ALGS) { 2496 ss1dbg(spds, ("spdsock_do_updatealg: " 2497 "invalid alg id %d\n", 2498 attr->spd_attr_value)); 2499 *diag = SPD_DIAGNOSTIC_ALG_ID_RANGE; 2500 goto bail; 2501 } 2502 alg->alg_id = attr->spd_attr_value; 2503 break; 2504 2505 case SPD_ATTR_ALG_PROTO: 2506 /* find the alg type */ 2507 for (i = 0; i < NALGPROTOS; i++) 2508 if (algproto[i] == attr->spd_attr_value) 2509 break; 2510 skip_alg = (i == NALGPROTOS); 2511 if (!skip_alg) 2512 alg_type = i; 2513 break; 2514 2515 case SPD_ATTR_ALG_INCRBITS: 2516 alg->alg_increment = attr->spd_attr_value; 2517 break; 2518 2519 case SPD_ATTR_ALG_NKEYSIZES: 2520 if (alg->alg_key_sizes != NULL) { 2521 kmem_free(alg->alg_key_sizes, 2522 ALG_KEY_SIZES(alg)); 2523 } 2524 alg->alg_nkey_sizes = attr->spd_attr_value; 2525 /* 2526 * Allocate room for the trailing zero key size 2527 * value as well. 2528 */ 2529 alg->alg_key_sizes = kmem_zalloc(ALG_KEY_SIZES(alg), 2530 KM_SLEEP); 2531 cur_key = 0; 2532 break; 2533 2534 case SPD_ATTR_ALG_KEYSIZE: 2535 if (alg->alg_key_sizes == NULL || 2536 cur_key >= alg->alg_nkey_sizes) { 2537 ss1dbg(spds, ("spdsock_do_updatealg: " 2538 "too many key sizes\n")); 2539 *diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES; 2540 goto bail; 2541 } 2542 alg->alg_key_sizes[cur_key++] = attr->spd_attr_value; 2543 break; 2544 2545 case SPD_ATTR_ALG_NBLOCKSIZES: 2546 if (alg->alg_block_sizes != NULL) { 2547 kmem_free(alg->alg_block_sizes, 2548 ALG_BLOCK_SIZES(alg)); 2549 } 2550 alg->alg_nblock_sizes = attr->spd_attr_value; 2551 /* 2552 * Allocate room for the trailing zero block size 2553 * value as well. 2554 */ 2555 alg->alg_block_sizes = kmem_zalloc(ALG_BLOCK_SIZES(alg), 2556 KM_SLEEP); 2557 cur_block = 0; 2558 break; 2559 2560 case SPD_ATTR_ALG_BLOCKSIZE: 2561 if (alg->alg_block_sizes == NULL || 2562 cur_block >= alg->alg_nblock_sizes) { 2563 ss1dbg(spds, ("spdsock_do_updatealg: " 2564 "too many block sizes\n")); 2565 *diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES; 2566 goto bail; 2567 } 2568 alg->alg_block_sizes[cur_block++] = 2569 attr->spd_attr_value; 2570 break; 2571 2572 case SPD_ATTR_ALG_MECHNAME: { 2573 char *mech_name; 2574 2575 if (attr->spd_attr_value > CRYPTO_MAX_MECH_NAME) { 2576 ss1dbg(spds, ("spdsock_do_updatealg: " 2577 "mech name too long\n")); 2578 *diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN; 2579 goto bail; 2580 } 2581 mech_name = (char *)(attr + 1); 2582 bcopy(mech_name, alg->alg_mech_name, 2583 attr->spd_attr_value); 2584 alg->alg_mech_name[CRYPTO_MAX_MECH_NAME-1] = '\0'; 2585 attr = (struct spd_attribute *)((char *)attr + 2586 attr->spd_attr_value); 2587 break; 2588 } 2589 2590 case SPD_ATTR_PROTO_ID: 2591 doing_proto = B_TRUE; 2592 for (i = 0; i < NALGPROTOS; i++) { 2593 if (algproto[i] == attr->spd_attr_value) { 2594 alg_type = i; 2595 break; 2596 } 2597 } 2598 break; 2599 2600 case SPD_ATTR_PROTO_EXEC_MODE: 2601 if (!doing_proto) 2602 break; 2603 for (i = 0; i < NEXECMODES; i++) { 2604 if (execmodes[i] == attr->spd_attr_value) { 2605 spds->spds_algs_exec_mode[alg_type] = i; 2606 break; 2607 } 2608 } 2609 break; 2610 } 2611 attr++; 2612 } 2613 2614 #undef ALG_KEY_SIZES 2615 #undef ALG_BLOCK_SIZES 2616 2617 /* update the algorithm tables */ 2618 spdsock_merge_algs(spds); 2619 bail: 2620 /* cleanup */ 2621 ipsec_alg_free(alg); 2622 for (alg_type = 0; alg_type < IPSEC_NALGTYPES; alg_type++) 2623 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) 2624 if (spds->spds_algs[alg_type][algid] != NULL) 2625 ipsec_alg_free(spds->spds_algs[alg_type][algid]); 2626 } 2627 2628 /* 2629 * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue 2630 * the request until IPsec loads. If IPsec is loaded, act on it 2631 * immediately. 2632 */ 2633 2634 static void 2635 spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[]) 2636 { 2637 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2638 spd_stack_t *spds = ss->spdsock_spds; 2639 ipsec_stack_t *ipss = spds->spds_netstack->netstack_ipsec; 2640 2641 if (!ipsec_loaded(ipss)) { 2642 /* 2643 * IPsec is not loaded, save request and return nicely, 2644 * the message will be processed once IPsec loads. 2645 */ 2646 mblk_t *new_mp; 2647 2648 /* last update message wins */ 2649 if ((new_mp = copymsg(mp)) == NULL) { 2650 spdsock_error(q, mp, ENOMEM, 0); 2651 return; 2652 } 2653 mutex_enter(&spds->spds_alg_lock); 2654 bcopy(extv, spds->spds_extv_algs, 2655 sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1)); 2656 if (spds->spds_mp_algs != NULL) 2657 freemsg(spds->spds_mp_algs); 2658 spds->spds_mp_algs = mp; 2659 spds->spds_algs_pending = B_TRUE; 2660 mutex_exit(&spds->spds_alg_lock); 2661 if (audit_active) 2662 audit_pf_policy(SPD_UPDATEALGS, DB_CRED(mp), 2663 spds->spds_netstack, NULL, B_TRUE, EAGAIN, 2664 DB_CPID(mp)); 2665 spd_echo(q, new_mp); 2666 } else { 2667 /* 2668 * IPsec is loaded, act on the message immediately. 2669 */ 2670 int diag; 2671 2672 mutex_enter(&spds->spds_alg_lock); 2673 spdsock_do_updatealg(extv, &diag, spds); 2674 mutex_exit(&spds->spds_alg_lock); 2675 if (diag == -1) { 2676 spd_echo(q, mp); 2677 if (audit_active) 2678 audit_pf_policy(SPD_UPDATEALGS, DB_CRED(mp), 2679 spds->spds_netstack, NULL, B_TRUE, 0, 2680 DB_CPID(mp)); 2681 } else { 2682 spdsock_diag(q, mp, diag); 2683 if (audit_active) 2684 audit_pf_policy(SPD_UPDATEALGS, DB_CRED(mp), 2685 spds->spds_netstack, NULL, B_TRUE, diag, 2686 DB_CPID(mp)); 2687 } 2688 } 2689 } 2690 2691 /* 2692 * With a reference-held ill, dig down and find an instance of "tun", and 2693 * assign its tunnel policy pointer, while reference-holding it. Also, 2694 * release ill's refrence when finished. 2695 * 2696 * We'll be messing with q_next, so be VERY careful. 2697 */ 2698 static void 2699 find_tun_and_set_itp(ill_t *ill, ipsec_tun_pol_t *itp) 2700 { 2701 queue_t *q; 2702 tun_t *tun; 2703 2704 /* Don't bother if this ill is going away. */ 2705 if (ill->ill_flags & ILL_CONDEMNED) { 2706 ill_refrele(ill); 2707 return; 2708 } 2709 2710 2711 q = ill->ill_wq; 2712 claimstr(q); /* Lighter-weight than freezestr(). */ 2713 2714 do { 2715 /* Use strcmp() because "tun" is bounded. */ 2716 if (strcmp(q->q_qinfo->qi_minfo->mi_idname, "tun") == 0) { 2717 /* Aha! Got it. */ 2718 tun = (tun_t *)q->q_ptr; 2719 if (tun != NULL) { 2720 mutex_enter(&tun->tun_lock); 2721 if (tun->tun_itp != itp) { 2722 ASSERT(tun->tun_itp == NULL); 2723 ITP_REFHOLD(itp); 2724 tun->tun_itp = itp; 2725 } 2726 mutex_exit(&tun->tun_lock); 2727 goto release_and_return; 2728 } 2729 /* 2730 * Else assume this is some other module named "tun" 2731 * and move on, hoping we find one that actually has 2732 * something in q_ptr. 2733 */ 2734 } 2735 q = q->q_next; 2736 } while (q != NULL); 2737 2738 release_and_return: 2739 releasestr(ill->ill_wq); 2740 ill_refrele(ill); 2741 } 2742 2743 /* 2744 * Sort through the mess of polhead options to retrieve an appropriate one. 2745 * Returns NULL if we send an spdsock error. Returns a valid pointer if we 2746 * found a valid polhead. Returns ALL_ACTIVE_POLHEADS (aka. -1) or 2747 * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to 2748 * act on ALL policy heads. 2749 */ 2750 static ipsec_policy_head_t * 2751 get_appropriate_polhead(queue_t *q, mblk_t *mp, spd_if_t *tunname, int spdid, 2752 int msgtype, ipsec_tun_pol_t **itpp) 2753 { 2754 ipsec_tun_pol_t *itp; 2755 ipsec_policy_head_t *iph; 2756 int errno; 2757 char *tname; 2758 boolean_t active; 2759 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2760 spd_stack_t *spds = ss->spdsock_spds; 2761 netstack_t *ns = spds->spds_netstack; 2762 uint64_t gen; /* Placeholder */ 2763 ill_t *v4, *v6; 2764 2765 active = (spdid == SPD_ACTIVE); 2766 *itpp = NULL; 2767 if (!active && spdid != SPD_STANDBY) { 2768 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_SPDID); 2769 return (NULL); 2770 } 2771 2772 if (tunname != NULL) { 2773 /* Acting on a tunnel's SPD. */ 2774 tname = (char *)tunname->spd_if_name; 2775 if (*tname == '\0') { 2776 /* Handle all-polhead cases here. */ 2777 if (msgtype != SPD_FLUSH && msgtype != SPD_DUMP) { 2778 spdsock_diag(q, mp, 2779 SPD_DIAGNOSTIC_NOT_GLOBAL_OP); 2780 return (NULL); 2781 } 2782 return (active ? ALL_ACTIVE_POLHEADS : 2783 ALL_INACTIVE_POLHEADS); 2784 } 2785 2786 itp = get_tunnel_policy(tname, spds->spds_netstack); 2787 if (itp == NULL) { 2788 if (msgtype != SPD_ADDRULE) { 2789 /* "Tunnel not found" */ 2790 spdsock_error(q, mp, ENOENT, 0); 2791 return (NULL); 2792 } 2793 2794 errno = 0; 2795 itp = create_tunnel_policy(tname, &errno, &gen, 2796 spds->spds_netstack); 2797 if (itp == NULL) { 2798 /* 2799 * Something very bad happened, most likely 2800 * ENOMEM. Return an indicator. 2801 */ 2802 spdsock_error(q, mp, errno, 0); 2803 return (NULL); 2804 } 2805 } 2806 /* 2807 * Troll the plumbed tunnels and see if we have a 2808 * match. We need to do this always in case we add 2809 * policy AFTER plumbing a tunnel. 2810 */ 2811 v4 = ill_lookup_on_name(tname, B_FALSE, B_FALSE, NULL, 2812 NULL, NULL, &errno, NULL, ns->netstack_ip); 2813 if (v4 != NULL) 2814 find_tun_and_set_itp(v4, itp); 2815 v6 = ill_lookup_on_name(tname, B_FALSE, B_TRUE, NULL, 2816 NULL, NULL, &errno, NULL, ns->netstack_ip); 2817 if (v6 != NULL) 2818 find_tun_and_set_itp(v6, itp); 2819 ASSERT(itp != NULL); 2820 *itpp = itp; 2821 /* For spdsock dump state, set the polhead's name. */ 2822 if (msgtype == SPD_DUMP) { 2823 (void) strncpy(ss->spdsock_dump_name, tname, LIFNAMSIZ); 2824 ss->spdsock_dump_tunnel = itp->itp_flags & 2825 (active ? ITPF_P_TUNNEL : ITPF_I_TUNNEL); 2826 } 2827 } else { 2828 itp = NULL; 2829 /* For spdsock dump state, indicate it's global policy. */ 2830 if (msgtype == SPD_DUMP) 2831 ss->spdsock_dump_name[0] = '\0'; 2832 } 2833 2834 if (active) 2835 iph = (itp == NULL) ? ipsec_system_policy(ns) : itp->itp_policy; 2836 else 2837 iph = (itp == NULL) ? ipsec_inactive_policy(ns) : 2838 itp->itp_inactive; 2839 2840 ASSERT(iph != NULL); 2841 if (itp != NULL) { 2842 IPPH_REFHOLD(iph); 2843 } 2844 2845 return (iph); 2846 } 2847 2848 static void 2849 spdsock_parse(queue_t *q, mblk_t *mp) 2850 { 2851 spd_msg_t *spmsg; 2852 spd_ext_t *extv[SPD_EXT_MAX + 1]; 2853 uint_t msgsize; 2854 ipsec_policy_head_t *iph; 2855 ipsec_tun_pol_t *itp; 2856 spd_if_t *tunname; 2857 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2858 spd_stack_t *spds = ss->spdsock_spds; 2859 netstack_t *ns = spds->spds_netstack; 2860 ipsec_stack_t *ipss = ns->netstack_ipsec; 2861 2862 /* Make sure nothing's below me. */ 2863 ASSERT(WR(q)->q_next == NULL); 2864 2865 spmsg = (spd_msg_t *)mp->b_rptr; 2866 2867 msgsize = SPD_64TO8(spmsg->spd_msg_len); 2868 2869 if (msgdsize(mp) != msgsize) { 2870 /* 2871 * Message len incorrect w.r.t. actual size. Send an error 2872 * (EMSGSIZE). It may be necessary to massage things a 2873 * bit. For example, if the spd_msg_type is hosed, 2874 * I need to set it to SPD_RESERVED to get delivery to 2875 * do the right thing. Then again, maybe just letting 2876 * the error delivery do the right thing. 2877 */ 2878 ss2dbg(spds, 2879 ("mblk (%lu) and base (%d) message sizes don't jibe.\n", 2880 msgdsize(mp), msgsize)); 2881 spdsock_error(q, mp, EMSGSIZE, SPD_DIAGNOSTIC_NONE); 2882 return; 2883 } 2884 2885 if (msgsize > (uint_t)(mp->b_wptr - mp->b_rptr)) { 2886 /* Get all message into one mblk. */ 2887 if (pullupmsg(mp, -1) == 0) { 2888 /* 2889 * Something screwy happened. 2890 */ 2891 ss3dbg(spds, ("spdsock_parse: pullupmsg() failed.\n")); 2892 return; 2893 } else { 2894 spmsg = (spd_msg_t *)mp->b_rptr; 2895 } 2896 } 2897 2898 switch (spdsock_get_ext(extv, spmsg, msgsize)) { 2899 case KGE_DUP: 2900 /* Handle duplicate extension. */ 2901 ss1dbg(spds, ("Got duplicate extension of type %d.\n", 2902 extv[0]->spd_ext_type)); 2903 spdsock_diag(q, mp, dup_ext_diag[extv[0]->spd_ext_type]); 2904 return; 2905 case KGE_UNK: 2906 /* Handle unknown extension. */ 2907 ss1dbg(spds, ("Got unknown extension of type %d.\n", 2908 extv[0]->spd_ext_type)); 2909 spdsock_diag(q, mp, SPD_DIAGNOSTIC_UNKNOWN_EXT); 2910 return; 2911 case KGE_LEN: 2912 /* Length error. */ 2913 ss1dbg(spds, ("Length %d on extension type %d overrun or 0.\n", 2914 extv[0]->spd_ext_len, extv[0]->spd_ext_type)); 2915 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_EXTLEN); 2916 return; 2917 case KGE_CHK: 2918 /* Reality check failed. */ 2919 ss1dbg(spds, ("Reality check failed on extension type %d.\n", 2920 extv[0]->spd_ext_type)); 2921 spdsock_diag(q, mp, bad_ext_diag[extv[0]->spd_ext_type]); 2922 return; 2923 default: 2924 /* Default case is no errors. */ 2925 break; 2926 } 2927 2928 /* 2929 * Special-case SPD_UPDATEALGS so as not to load IPsec. 2930 */ 2931 if (!ipsec_loaded(ipss) && spmsg->spd_msg_type != SPD_UPDATEALGS) { 2932 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2933 2934 ASSERT(ss != NULL); 2935 ipsec_loader_loadnow(ipss); 2936 ss->spdsock_timeout_arg = mp; 2937 ss->spdsock_timeout = qtimeout(q, spdsock_loadcheck, 2938 q, LOADCHECK_INTERVAL); 2939 return; 2940 } 2941 2942 /* First check for messages that need no polheads at all. */ 2943 switch (spmsg->spd_msg_type) { 2944 case SPD_UPDATEALGS: 2945 spdsock_updatealg(q, mp, extv); 2946 return; 2947 case SPD_ALGLIST: 2948 spdsock_alglist(q, mp); 2949 return; 2950 case SPD_DUMPALGS: 2951 spdsock_dumpalgs(q, mp); 2952 return; 2953 } 2954 2955 /* 2956 * Then check for ones that need both primary/secondary polheads, 2957 * finding the appropriate tunnel policy if need be. 2958 */ 2959 tunname = (spd_if_t *)extv[SPD_EXT_TUN_NAME]; 2960 switch (spmsg->spd_msg_type) { 2961 case SPD_FLIP: 2962 spdsock_flip(q, mp, tunname); 2963 return; 2964 case SPD_CLONE: 2965 spdsock_clone(q, mp, tunname); 2966 return; 2967 } 2968 2969 /* 2970 * Finally, find ones that operate on exactly one polhead, or 2971 * "all polheads" of a given type (active/inactive). 2972 */ 2973 iph = get_appropriate_polhead(q, mp, tunname, spmsg->spd_msg_spdid, 2974 spmsg->spd_msg_type, &itp); 2975 if (iph == NULL) 2976 return; 2977 2978 /* All-polheads-ready operations. */ 2979 switch (spmsg->spd_msg_type) { 2980 case SPD_FLUSH: 2981 if (itp != NULL) { 2982 mutex_enter(&itp->itp_lock); 2983 if (spmsg->spd_msg_spdid == SPD_ACTIVE) 2984 itp->itp_flags &= ~ITPF_PFLAGS; 2985 else 2986 itp->itp_flags &= ~ITPF_IFLAGS; 2987 mutex_exit(&itp->itp_lock); 2988 ITP_REFRELE(itp, ns); 2989 } 2990 spdsock_flush(q, iph, itp, mp); 2991 return; 2992 case SPD_DUMP: 2993 if (itp != NULL) 2994 ITP_REFRELE(itp, ns); 2995 spdsock_dump(q, iph, mp); 2996 return; 2997 } 2998 2999 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) { 3000 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NOT_GLOBAL_OP); 3001 return; 3002 } 3003 3004 /* Single-polhead-only operations. */ 3005 switch (spmsg->spd_msg_type) { 3006 case SPD_ADDRULE: 3007 spdsock_addrule(q, iph, mp, extv, itp); 3008 break; 3009 case SPD_DELETERULE: 3010 spdsock_deleterule(q, iph, mp, extv, itp); 3011 break; 3012 case SPD_LOOKUP: 3013 spdsock_lookup(q, iph, mp, extv, itp); 3014 break; 3015 default: 3016 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_MSG_TYPE); 3017 break; 3018 } 3019 3020 IPPH_REFRELE(iph, spds->spds_netstack); 3021 if (itp != NULL) 3022 ITP_REFRELE(itp, ns); 3023 } 3024 3025 /* 3026 * If an algorithm mapping was received before IPsec was loaded, process it. 3027 * Called from the IPsec loader. 3028 */ 3029 void 3030 spdsock_update_pending_algs(netstack_t *ns) 3031 { 3032 spd_stack_t *spds = ns->netstack_spdsock; 3033 3034 mutex_enter(&spds->spds_alg_lock); 3035 if (spds->spds_algs_pending) { 3036 int diag; 3037 3038 spdsock_do_updatealg(spds->spds_extv_algs, &diag, 3039 spds); 3040 spds->spds_algs_pending = B_FALSE; 3041 } 3042 mutex_exit(&spds->spds_alg_lock); 3043 } 3044 3045 static void 3046 spdsock_loadcheck(void *arg) 3047 { 3048 queue_t *q = (queue_t *)arg; 3049 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3050 mblk_t *mp; 3051 spd_stack_t *spds = ss->spdsock_spds; 3052 ipsec_stack_t *ipss = spds->spds_netstack->netstack_ipsec; 3053 3054 ASSERT(ss != NULL); 3055 3056 ss->spdsock_timeout = 0; 3057 mp = ss->spdsock_timeout_arg; 3058 ASSERT(mp != NULL); 3059 ss->spdsock_timeout_arg = NULL; 3060 if (ipsec_failed(ipss)) 3061 spdsock_error(q, mp, EPROTONOSUPPORT, 0); 3062 else 3063 spdsock_parse(q, mp); 3064 } 3065 3066 /* 3067 * Copy relevant state bits. 3068 */ 3069 static void 3070 spdsock_copy_info(struct T_info_ack *tap, spdsock_t *ss) 3071 { 3072 *tap = spdsock_g_t_info_ack; 3073 tap->CURRENT_state = ss->spdsock_state; 3074 tap->OPT_size = spdsock_max_optsize; 3075 } 3076 3077 /* 3078 * This routine responds to T_CAPABILITY_REQ messages. It is called by 3079 * spdsock_wput. Much of the T_CAPABILITY_ACK information is copied from 3080 * spdsock_g_t_info_ack. The current state of the stream is copied from 3081 * spdsock_state. 3082 */ 3083 static void 3084 spdsock_capability_req(queue_t *q, mblk_t *mp) 3085 { 3086 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3087 t_uscalar_t cap_bits1; 3088 struct T_capability_ack *tcap; 3089 3090 cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1; 3091 3092 mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack), 3093 mp->b_datap->db_type, T_CAPABILITY_ACK); 3094 if (mp == NULL) 3095 return; 3096 3097 tcap = (struct T_capability_ack *)mp->b_rptr; 3098 tcap->CAP_bits1 = 0; 3099 3100 if (cap_bits1 & TC1_INFO) { 3101 spdsock_copy_info(&tcap->INFO_ack, ss); 3102 tcap->CAP_bits1 |= TC1_INFO; 3103 } 3104 3105 qreply(q, mp); 3106 } 3107 3108 /* 3109 * This routine responds to T_INFO_REQ messages. It is called by 3110 * spdsock_wput_other. 3111 * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack. 3112 * The current state of the stream is copied from spdsock_state. 3113 */ 3114 static void 3115 spdsock_info_req(q, mp) 3116 queue_t *q; 3117 mblk_t *mp; 3118 { 3119 mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO, 3120 T_INFO_ACK); 3121 if (mp == NULL) 3122 return; 3123 spdsock_copy_info((struct T_info_ack *)mp->b_rptr, 3124 (spdsock_t *)q->q_ptr); 3125 qreply(q, mp); 3126 } 3127 3128 /* 3129 * spdsock_err_ack. This routine creates a 3130 * T_ERROR_ACK message and passes it 3131 * upstream. 3132 */ 3133 static void 3134 spdsock_err_ack(q, mp, t_error, sys_error) 3135 queue_t *q; 3136 mblk_t *mp; 3137 int t_error; 3138 int sys_error; 3139 { 3140 if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL) 3141 qreply(q, mp); 3142 } 3143 3144 /* 3145 * This routine retrieves the current status of socket options. 3146 * It returns the size of the option retrieved. 3147 */ 3148 /* ARGSUSED */ 3149 int 3150 spdsock_opt_get(queue_t *q, int level, int name, uchar_t *ptr) 3151 { 3152 int *i1 = (int *)ptr; 3153 3154 switch (level) { 3155 case SOL_SOCKET: 3156 switch (name) { 3157 case SO_TYPE: 3158 *i1 = SOCK_RAW; 3159 break; 3160 /* 3161 * The following two items can be manipulated, 3162 * but changing them should do nothing. 3163 */ 3164 case SO_SNDBUF: 3165 *i1 = (int)q->q_hiwat; 3166 break; 3167 case SO_RCVBUF: 3168 *i1 = (int)(RD(q)->q_hiwat); 3169 break; 3170 } 3171 break; 3172 default: 3173 return (0); 3174 } 3175 return (sizeof (int)); 3176 } 3177 3178 /* 3179 * This routine sets socket options. 3180 */ 3181 /* ARGSUSED */ 3182 int 3183 spdsock_opt_set(queue_t *q, uint_t mgmt_flags, int level, int name, 3184 uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp, 3185 void *thisdg_attrs, cred_t *cr, mblk_t *mblk) 3186 { 3187 int *i1 = (int *)invalp; 3188 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3189 spd_stack_t *spds = ss->spdsock_spds; 3190 3191 switch (level) { 3192 case SOL_SOCKET: 3193 switch (name) { 3194 case SO_SNDBUF: 3195 if (*i1 > spds->spds_max_buf) 3196 return (ENOBUFS); 3197 q->q_hiwat = *i1; 3198 break; 3199 case SO_RCVBUF: 3200 if (*i1 > spds->spds_max_buf) 3201 return (ENOBUFS); 3202 RD(q)->q_hiwat = *i1; 3203 (void) mi_set_sth_hiwat(RD(q), *i1); 3204 break; 3205 } 3206 break; 3207 } 3208 return (0); 3209 } 3210 3211 3212 /* 3213 * Handle STREAMS messages. 3214 */ 3215 static void 3216 spdsock_wput_other(queue_t *q, mblk_t *mp) 3217 { 3218 struct iocblk *iocp; 3219 int error; 3220 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3221 spd_stack_t *spds = ss->spdsock_spds; 3222 cred_t *cr; 3223 3224 switch (mp->b_datap->db_type) { 3225 case M_PROTO: 3226 case M_PCPROTO: 3227 if ((mp->b_wptr - mp->b_rptr) < sizeof (long)) { 3228 ss3dbg(spds, ( 3229 "spdsock_wput_other: Not big enough M_PROTO\n")); 3230 freemsg(mp); 3231 return; 3232 } 3233 cr = zone_get_kcred(netstackid_to_zoneid( 3234 spds->spds_netstack->netstack_stackid)); 3235 ASSERT(cr != NULL); 3236 3237 switch (((union T_primitives *)mp->b_rptr)->type) { 3238 case T_CAPABILITY_REQ: 3239 spdsock_capability_req(q, mp); 3240 break; 3241 case T_INFO_REQ: 3242 spdsock_info_req(q, mp); 3243 break; 3244 case T_SVR4_OPTMGMT_REQ: 3245 (void) svr4_optcom_req(q, mp, DB_CREDDEF(mp, cr), 3246 &spdsock_opt_obj); 3247 break; 3248 case T_OPTMGMT_REQ: 3249 (void) tpi_optcom_req(q, mp, DB_CREDDEF(mp, cr), 3250 &spdsock_opt_obj); 3251 break; 3252 case T_DATA_REQ: 3253 case T_EXDATA_REQ: 3254 case T_ORDREL_REQ: 3255 /* Illegal for spdsock. */ 3256 freemsg(mp); 3257 (void) putnextctl1(RD(q), M_ERROR, EPROTO); 3258 break; 3259 default: 3260 /* Not supported by spdsock. */ 3261 spdsock_err_ack(q, mp, TNOTSUPPORT, 0); 3262 break; 3263 } 3264 crfree(cr); 3265 return; 3266 case M_IOCTL: 3267 iocp = (struct iocblk *)mp->b_rptr; 3268 error = EINVAL; 3269 3270 switch (iocp->ioc_cmd) { 3271 case ND_SET: 3272 case ND_GET: 3273 if (nd_getset(q, spds->spds_g_nd, mp)) { 3274 qreply(q, mp); 3275 return; 3276 } else 3277 error = ENOENT; 3278 /* FALLTHRU */ 3279 default: 3280 miocnak(q, mp, 0, error); 3281 return; 3282 } 3283 case M_FLUSH: 3284 if (*mp->b_rptr & FLUSHW) { 3285 flushq(q, FLUSHALL); 3286 *mp->b_rptr &= ~FLUSHW; 3287 } 3288 if (*mp->b_rptr & FLUSHR) { 3289 qreply(q, mp); 3290 return; 3291 } 3292 /* Else FALLTHRU */ 3293 } 3294 3295 /* If fell through, just black-hole the message. */ 3296 freemsg(mp); 3297 } 3298 3299 static void 3300 spdsock_wput(queue_t *q, mblk_t *mp) 3301 { 3302 uint8_t *rptr = mp->b_rptr; 3303 mblk_t *mp1; 3304 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3305 spd_stack_t *spds = ss->spdsock_spds; 3306 3307 /* 3308 * If we're dumping, defer processing other messages until the 3309 * dump completes. 3310 */ 3311 if (ss->spdsock_dump_req != NULL) { 3312 if (!putq(q, mp)) 3313 freemsg(mp); 3314 return; 3315 } 3316 3317 switch (mp->b_datap->db_type) { 3318 case M_DATA: 3319 /* 3320 * Silently discard. 3321 */ 3322 ss2dbg(spds, ("raw M_DATA in spdsock.\n")); 3323 freemsg(mp); 3324 return; 3325 case M_PROTO: 3326 case M_PCPROTO: 3327 if ((mp->b_wptr - rptr) >= sizeof (struct T_data_req)) { 3328 if (((union T_primitives *)rptr)->type == T_DATA_REQ) { 3329 if ((mp1 = mp->b_cont) == NULL) { 3330 /* No data after T_DATA_REQ. */ 3331 ss2dbg(spds, 3332 ("No data after DATA_REQ.\n")); 3333 freemsg(mp); 3334 return; 3335 } 3336 freeb(mp); 3337 mp = mp1; 3338 ss2dbg(spds, ("T_DATA_REQ\n")); 3339 break; /* Out of switch. */ 3340 } 3341 } 3342 /* FALLTHRU */ 3343 default: 3344 ss3dbg(spds, ("In default wput case (%d %d).\n", 3345 mp->b_datap->db_type, ((union T_primitives *)rptr)->type)); 3346 spdsock_wput_other(q, mp); 3347 return; 3348 } 3349 3350 /* I now have a PF_POLICY message in an M_DATA block. */ 3351 spdsock_parse(q, mp); 3352 } 3353 3354 /* 3355 * Device open procedure, called when new queue pair created. 3356 * We are passed the read-side queue. 3357 */ 3358 /* ARGSUSED */ 3359 static int 3360 spdsock_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp) 3361 { 3362 spdsock_t *ss; 3363 queue_t *oq = OTHERQ(q); 3364 minor_t ssminor; 3365 netstack_t *ns; 3366 spd_stack_t *spds; 3367 3368 if (secpolicy_ip_config(credp, B_FALSE) != 0) 3369 return (EPERM); 3370 3371 if (q->q_ptr != NULL) 3372 return (0); /* Re-open of an already open instance. */ 3373 3374 if (sflag & MODOPEN) 3375 return (EINVAL); 3376 3377 ns = netstack_find_by_cred(credp); 3378 ASSERT(ns != NULL); 3379 spds = ns->netstack_spdsock; 3380 ASSERT(spds != NULL); 3381 3382 ss2dbg(spds, ("Made it into PF_POLICY socket open.\n")); 3383 3384 ssminor = (minor_t)(uintptr_t)vmem_alloc(spdsock_vmem, 1, VM_NOSLEEP); 3385 if (ssminor == 0) { 3386 netstack_rele(spds->spds_netstack); 3387 return (ENOMEM); 3388 } 3389 ss = kmem_zalloc(sizeof (spdsock_t), KM_NOSLEEP); 3390 if (ss == NULL) { 3391 vmem_free(spdsock_vmem, (void *)(uintptr_t)ssminor, 1); 3392 netstack_rele(spds->spds_netstack); 3393 return (ENOMEM); 3394 } 3395 3396 ss->spdsock_minor = ssminor; 3397 ss->spdsock_state = TS_UNBND; 3398 ss->spdsock_dump_req = NULL; 3399 3400 ss->spdsock_spds = spds; 3401 3402 q->q_ptr = ss; 3403 oq->q_ptr = ss; 3404 3405 q->q_hiwat = spds->spds_recv_hiwat; 3406 3407 oq->q_hiwat = spds->spds_xmit_hiwat; 3408 oq->q_lowat = spds->spds_xmit_lowat; 3409 3410 qprocson(q); 3411 (void) mi_set_sth_hiwat(q, spds->spds_recv_hiwat); 3412 3413 *devp = makedevice(getmajor(*devp), ss->spdsock_minor); 3414 return (0); 3415 } 3416 3417 /* 3418 * Read-side service procedure, invoked when we get back-enabled 3419 * when buffer space becomes available. 3420 * 3421 * Dump another chunk if we were dumping before; when we finish, kick 3422 * the write-side queue in case it's waiting for read queue space. 3423 */ 3424 void 3425 spdsock_rsrv(queue_t *q) 3426 { 3427 spdsock_t *ss = q->q_ptr; 3428 3429 if (ss->spdsock_dump_req != NULL) 3430 spdsock_dump_some(q, ss); 3431 3432 if (ss->spdsock_dump_req == NULL) 3433 qenable(OTHERQ(q)); 3434 } 3435 3436 /* 3437 * Write-side service procedure, invoked when we defer processing 3438 * if another message is received while a dump is in progress. 3439 */ 3440 void 3441 spdsock_wsrv(queue_t *q) 3442 { 3443 spdsock_t *ss = q->q_ptr; 3444 mblk_t *mp; 3445 spd_stack_t *spds = ss->spdsock_spds; 3446 ipsec_stack_t *ipss = spds->spds_netstack->netstack_ipsec; 3447 3448 if (ss->spdsock_dump_req != NULL) { 3449 qenable(OTHERQ(q)); 3450 return; 3451 } 3452 3453 while ((mp = getq(q)) != NULL) { 3454 if (ipsec_loaded(ipss)) { 3455 spdsock_wput(q, mp); 3456 if (ss->spdsock_dump_req != NULL) 3457 return; 3458 } else if (!ipsec_failed(ipss)) { 3459 (void) putq(q, mp); 3460 } else { 3461 spdsock_error(q, mp, EPFNOSUPPORT, 0); 3462 } 3463 } 3464 } 3465 3466 static int 3467 spdsock_close(queue_t *q) 3468 { 3469 spdsock_t *ss = q->q_ptr; 3470 spd_stack_t *spds = ss->spdsock_spds; 3471 3472 qprocsoff(q); 3473 3474 /* Safe assumption. */ 3475 ASSERT(ss != NULL); 3476 3477 if (ss->spdsock_timeout != 0) 3478 (void) quntimeout(q, ss->spdsock_timeout); 3479 3480 ss3dbg(spds, ("Driver close, PF_POLICY socket is going away.\n")); 3481 3482 vmem_free(spdsock_vmem, (void *)(uintptr_t)ss->spdsock_minor, 1); 3483 netstack_rele(ss->spdsock_spds->spds_netstack); 3484 3485 kmem_free(ss, sizeof (spdsock_t)); 3486 return (0); 3487 } 3488 3489 /* 3490 * Merge the IPsec algorithms tables with the received algorithm information. 3491 */ 3492 void 3493 spdsock_merge_algs(spd_stack_t *spds) 3494 { 3495 ipsec_alginfo_t *alg, *oalg; 3496 ipsec_algtype_t algtype; 3497 uint_t algidx, algid, nalgs; 3498 crypto_mech_name_t *mechs; 3499 uint_t mech_count, mech_idx; 3500 netstack_t *ns = spds->spds_netstack; 3501 ipsec_stack_t *ipss = ns->netstack_ipsec; 3502 3503 ASSERT(MUTEX_HELD(&spds->spds_alg_lock)); 3504 3505 /* 3506 * Get the list of supported mechanisms from the crypto framework. 3507 * If a mechanism is supported by KCF, resolve its mechanism 3508 * id and mark it as being valid. This operation must be done 3509 * without holding alg_lock, since it can cause a provider 3510 * module to be loaded and the provider notification callback to 3511 * be invoked. 3512 */ 3513 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP); 3514 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3515 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) { 3516 int algflags = 0; 3517 crypto_mech_type_t mt = CRYPTO_MECHANISM_INVALID; 3518 3519 alg = spds->spds_algs[algtype][algid]; 3520 if (alg == NULL) 3521 continue; 3522 3523 /* 3524 * The NULL encryption algorithm is a special 3525 * case because there are no mechanisms, yet 3526 * the algorithm is still valid. 3527 */ 3528 if (alg->alg_id == SADB_EALG_NULL) { 3529 alg->alg_mech_type = CRYPTO_MECHANISM_INVALID; 3530 alg->alg_flags = ALG_FLAG_VALID; 3531 continue; 3532 } 3533 3534 for (mech_idx = 0; mech_idx < mech_count; mech_idx++) { 3535 if (strncmp(alg->alg_mech_name, mechs[mech_idx], 3536 CRYPTO_MAX_MECH_NAME) == 0) { 3537 mt = crypto_mech2id(alg->alg_mech_name); 3538 ASSERT(mt != CRYPTO_MECHANISM_INVALID); 3539 algflags = ALG_FLAG_VALID; 3540 break; 3541 } 3542 } 3543 alg->alg_mech_type = mt; 3544 alg->alg_flags = algflags; 3545 } 3546 } 3547 3548 mutex_enter(&ipss->ipsec_alg_lock); 3549 3550 /* 3551 * For each algorithm currently defined, check if it is 3552 * present in the new tables created from the SPD_UPDATEALGS 3553 * message received from user-space. 3554 * Delete the algorithm entries that are currently defined 3555 * but not part of the new tables. 3556 */ 3557 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3558 nalgs = ipss->ipsec_nalgs[algtype]; 3559 for (algidx = 0; algidx < nalgs; algidx++) { 3560 algid = ipss->ipsec_sortlist[algtype][algidx]; 3561 if (spds->spds_algs[algtype][algid] == NULL) 3562 ipsec_alg_unreg(algtype, algid, ns); 3563 } 3564 } 3565 3566 /* 3567 * For each algorithm we just received, check if it is 3568 * present in the currently defined tables. If it is, swap 3569 * the entry with the one we just allocated. 3570 * If the new algorithm is not in the current tables, 3571 * add it. 3572 */ 3573 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3574 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) { 3575 alg = spds->spds_algs[algtype][algid]; 3576 if (alg == NULL) 3577 continue; 3578 3579 if ((oalg = ipss->ipsec_alglists[algtype][algid]) == 3580 NULL) { 3581 /* 3582 * New algorithm, add it to the algorithm 3583 * table. 3584 */ 3585 ipsec_alg_reg(algtype, alg, ns); 3586 } else { 3587 /* 3588 * Algorithm is already in the table. Swap 3589 * the existing entry with the new one. 3590 */ 3591 ipsec_alg_fix_min_max(alg, algtype, ns); 3592 ipss->ipsec_alglists[algtype][algid] = alg; 3593 ipsec_alg_free(oalg); 3594 } 3595 spds->spds_algs[algtype][algid] = NULL; 3596 } 3597 } 3598 3599 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3600 ipss->ipsec_algs_exec_mode[algtype] = 3601 spds->spds_algs_exec_mode[algtype]; 3602 } 3603 3604 mutex_exit(&ipss->ipsec_alg_lock); 3605 3606 crypto_free_mech_list(mechs, mech_count); 3607 3608 ipsecah_algs_changed(ns); 3609 ipsecesp_algs_changed(ns); 3610 } 3611