1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/param.h> 27 #include <sys/types.h> 28 #include <sys/stream.h> 29 #include <sys/strsubr.h> 30 #include <sys/strsun.h> 31 #include <sys/stropts.h> 32 #include <sys/zone.h> 33 #include <sys/vnode.h> 34 #include <sys/sysmacros.h> 35 #define _SUN_TPI_VERSION 2 36 #include <sys/tihdr.h> 37 #include <sys/ddi.h> 38 #include <sys/sunddi.h> 39 #include <sys/mkdev.h> 40 #include <sys/debug.h> 41 #include <sys/kmem.h> 42 #include <sys/cmn_err.h> 43 #include <sys/suntpi.h> 44 #include <sys/policy.h> 45 #include <sys/dls.h> 46 47 #include <sys/socket.h> 48 #include <netinet/in.h> 49 #include <net/pfkeyv2.h> 50 #include <net/pfpolicy.h> 51 52 #include <inet/common.h> 53 #include <netinet/ip6.h> 54 #include <inet/ip.h> 55 #include <inet/ip6.h> 56 #include <inet/mi.h> 57 #include <inet/proto_set.h> 58 #include <inet/nd.h> 59 #include <inet/ip_if.h> 60 #include <inet/optcom.h> 61 #include <inet/ipsec_impl.h> 62 #include <inet/spdsock.h> 63 #include <inet/sadb.h> 64 #include <inet/iptun.h> 65 #include <inet/iptun/iptun_impl.h> 66 67 #include <sys/isa_defs.h> 68 69 #include <c2/audit.h> 70 71 /* 72 * This is a transport provider for the PF_POLICY IPsec policy 73 * management socket, which provides a management interface into the 74 * SPD, allowing policy rules to be added, deleted, and queried. 75 * 76 * This effectively replaces the old private SIOC*IPSECONFIG ioctls 77 * with an extensible interface which will hopefully be public some 78 * day. 79 * 80 * See <net/pfpolicy.h> for more details on the protocol. 81 * 82 * We link against drv/ip and call directly into it to manipulate the 83 * SPD; see ipsec_impl.h for the policy data structures and spd.c for 84 * the code which maintains them. 85 * 86 * The MT model of this is QPAIR with the addition of some explicit 87 * locking to protect system-wide policy data structures. 88 */ 89 90 static vmem_t *spdsock_vmem; /* for minor numbers. */ 91 92 #define ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t)) 93 94 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */ 95 static struct T_info_ack spdsock_g_t_info_ack = { 96 T_INFO_ACK, 97 T_INFINITE, /* TSDU_size. Maximum size messages. */ 98 T_INVALID, /* ETSDU_size. No expedited data. */ 99 T_INVALID, /* CDATA_size. No connect data. */ 100 T_INVALID, /* DDATA_size. No disconnect data. */ 101 0, /* ADDR_size. */ 102 0, /* OPT_size. No user-settable options */ 103 64 * 1024, /* TIDU_size. spdsock allows maximum size messages. */ 104 T_COTS, /* SERV_type. spdsock supports connection oriented. */ 105 TS_UNBND, /* CURRENT_state. This is set from spdsock_state. */ 106 (XPG4_1) /* Provider flags */ 107 }; 108 109 /* Named Dispatch Parameter Management Structure */ 110 typedef struct spdsockparam_s { 111 uint_t spdsock_param_min; 112 uint_t spdsock_param_max; 113 uint_t spdsock_param_value; 114 char *spdsock_param_name; 115 } spdsockparam_t; 116 117 /* 118 * Table of NDD variables supported by spdsock. These are loaded into 119 * spdsock_g_nd in spdsock_init_nd. 120 * All of these are alterable, within the min/max values given, at run time. 121 */ 122 static spdsockparam_t lcl_param_arr[] = { 123 /* min max value name */ 124 { 4096, 65536, 8192, "spdsock_xmit_hiwat"}, 125 { 0, 65536, 1024, "spdsock_xmit_lowat"}, 126 { 4096, 65536, 8192, "spdsock_recv_hiwat"}, 127 { 65536, 1024*1024*1024, 256*1024, "spdsock_max_buf"}, 128 { 0, 3, 0, "spdsock_debug"}, 129 }; 130 #define spds_xmit_hiwat spds_params[0].spdsock_param_value 131 #define spds_xmit_lowat spds_params[1].spdsock_param_value 132 #define spds_recv_hiwat spds_params[2].spdsock_param_value 133 #define spds_max_buf spds_params[3].spdsock_param_value 134 #define spds_debug spds_params[4].spdsock_param_value 135 136 #define ss0dbg(a) printf a 137 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */ 138 #define ss1dbg(spds, a) if (spds->spds_debug != 0) printf a 139 #define ss2dbg(spds, a) if (spds->spds_debug > 1) printf a 140 #define ss3dbg(spds, a) if (spds->spds_debug > 2) printf a 141 142 #define RESET_SPDSOCK_DUMP_POLHEAD(ss, iph) { \ 143 ASSERT(RW_READ_HELD(&(iph)->iph_lock)); \ 144 (ss)->spdsock_dump_head = (iph); \ 145 (ss)->spdsock_dump_gen = (iph)->iph_gen; \ 146 (ss)->spdsock_dump_cur_type = 0; \ 147 (ss)->spdsock_dump_cur_af = IPSEC_AF_V4; \ 148 (ss)->spdsock_dump_cur_rule = NULL; \ 149 (ss)->spdsock_dump_count = 0; \ 150 (ss)->spdsock_dump_cur_chain = 0; \ 151 } 152 153 static int spdsock_close(queue_t *); 154 static int spdsock_open(queue_t *, dev_t *, int, int, cred_t *); 155 static void spdsock_wput(queue_t *, mblk_t *); 156 static void spdsock_wsrv(queue_t *); 157 static void spdsock_rsrv(queue_t *); 158 static void *spdsock_stack_init(netstackid_t stackid, netstack_t *ns); 159 static void spdsock_stack_fini(netstackid_t stackid, void *arg); 160 static void spdsock_loadcheck(void *); 161 static void spdsock_merge_algs(spd_stack_t *); 162 static void spdsock_flush_one(ipsec_policy_head_t *, netstack_t *); 163 static mblk_t *spdsock_dump_next_record(spdsock_t *); 164 static void update_iptun_policy(ipsec_tun_pol_t *); 165 166 static struct module_info info = { 167 5138, "spdsock", 1, INFPSZ, 512, 128 168 }; 169 170 static struct qinit rinit = { 171 NULL, (pfi_t)spdsock_rsrv, spdsock_open, spdsock_close, 172 NULL, &info 173 }; 174 175 static struct qinit winit = { 176 (pfi_t)spdsock_wput, (pfi_t)spdsock_wsrv, NULL, NULL, NULL, &info 177 }; 178 179 struct streamtab spdsockinfo = { 180 &rinit, &winit 181 }; 182 183 /* mapping from alg type to protocol number, as per RFC 2407 */ 184 static const uint_t algproto[] = { 185 PROTO_IPSEC_AH, 186 PROTO_IPSEC_ESP, 187 }; 188 189 #define NALGPROTOS (sizeof (algproto) / sizeof (algproto[0])) 190 191 /* mapping from kernel exec mode to spdsock exec mode */ 192 static const uint_t execmodes[] = { 193 SPD_ALG_EXEC_MODE_SYNC, 194 SPD_ALG_EXEC_MODE_ASYNC 195 }; 196 197 #define NEXECMODES (sizeof (execmodes) / sizeof (execmodes[0])) 198 199 #define ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1) 200 #define ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2) 201 202 #define ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL) 203 204 /* ARGSUSED */ 205 static int 206 spdsock_param_get(q, mp, cp, cr) 207 queue_t *q; 208 mblk_t *mp; 209 caddr_t cp; 210 cred_t *cr; 211 { 212 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp; 213 uint_t value; 214 spdsock_t *ss = (spdsock_t *)q->q_ptr; 215 spd_stack_t *spds = ss->spdsock_spds; 216 217 mutex_enter(&spds->spds_param_lock); 218 value = spdsockpa->spdsock_param_value; 219 mutex_exit(&spds->spds_param_lock); 220 221 (void) mi_mpprintf(mp, "%u", value); 222 return (0); 223 } 224 225 /* This routine sets an NDD variable in a spdsockparam_t structure. */ 226 /* ARGSUSED */ 227 static int 228 spdsock_param_set(q, mp, value, cp, cr) 229 queue_t *q; 230 mblk_t *mp; 231 char *value; 232 caddr_t cp; 233 cred_t *cr; 234 { 235 ulong_t new_value; 236 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp; 237 spdsock_t *ss = (spdsock_t *)q->q_ptr; 238 spd_stack_t *spds = ss->spdsock_spds; 239 240 /* Convert the value from a string into a long integer. */ 241 if (ddi_strtoul(value, NULL, 10, &new_value) != 0) 242 return (EINVAL); 243 244 mutex_enter(&spds->spds_param_lock); 245 /* 246 * Fail the request if the new value does not lie within the 247 * required bounds. 248 */ 249 if (new_value < spdsockpa->spdsock_param_min || 250 new_value > spdsockpa->spdsock_param_max) { 251 mutex_exit(&spds->spds_param_lock); 252 return (EINVAL); 253 } 254 255 /* Set the new value */ 256 spdsockpa->spdsock_param_value = new_value; 257 mutex_exit(&spds->spds_param_lock); 258 259 return (0); 260 } 261 262 /* 263 * Initialize at module load time 264 */ 265 boolean_t 266 spdsock_ddi_init(void) 267 { 268 spdsock_max_optsize = optcom_max_optsize( 269 spdsock_opt_obj.odb_opt_des_arr, spdsock_opt_obj.odb_opt_arr_cnt); 270 271 spdsock_vmem = vmem_create("spdsock", (void *)1, MAXMIN, 1, 272 NULL, NULL, NULL, 1, VM_SLEEP | VMC_IDENTIFIER); 273 274 /* 275 * We want to be informed each time a stack is created or 276 * destroyed in the kernel, so we can maintain the 277 * set of spd_stack_t's. 278 */ 279 netstack_register(NS_SPDSOCK, spdsock_stack_init, NULL, 280 spdsock_stack_fini); 281 282 return (B_TRUE); 283 } 284 285 /* 286 * Walk through the param array specified registering each element with the 287 * named dispatch handler. 288 */ 289 static boolean_t 290 spdsock_param_register(IDP *ndp, spdsockparam_t *ssp, int cnt) 291 { 292 for (; cnt-- > 0; ssp++) { 293 if (ssp->spdsock_param_name != NULL && 294 ssp->spdsock_param_name[0]) { 295 if (!nd_load(ndp, 296 ssp->spdsock_param_name, 297 spdsock_param_get, spdsock_param_set, 298 (caddr_t)ssp)) { 299 nd_free(ndp); 300 return (B_FALSE); 301 } 302 } 303 } 304 return (B_TRUE); 305 } 306 307 /* 308 * Initialize for each stack instance 309 */ 310 /* ARGSUSED */ 311 static void * 312 spdsock_stack_init(netstackid_t stackid, netstack_t *ns) 313 { 314 spd_stack_t *spds; 315 spdsockparam_t *ssp; 316 317 spds = (spd_stack_t *)kmem_zalloc(sizeof (*spds), KM_SLEEP); 318 spds->spds_netstack = ns; 319 320 ASSERT(spds->spds_g_nd == NULL); 321 322 ssp = (spdsockparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP); 323 spds->spds_params = ssp; 324 bcopy(lcl_param_arr, ssp, sizeof (lcl_param_arr)); 325 326 (void) spdsock_param_register(&spds->spds_g_nd, ssp, 327 A_CNT(lcl_param_arr)); 328 329 mutex_init(&spds->spds_param_lock, NULL, MUTEX_DEFAULT, NULL); 330 mutex_init(&spds->spds_alg_lock, NULL, MUTEX_DEFAULT, NULL); 331 332 return (spds); 333 } 334 335 void 336 spdsock_ddi_destroy(void) 337 { 338 vmem_destroy(spdsock_vmem); 339 340 netstack_unregister(NS_SPDSOCK); 341 } 342 343 /* ARGSUSED */ 344 static void 345 spdsock_stack_fini(netstackid_t stackid, void *arg) 346 { 347 spd_stack_t *spds = (spd_stack_t *)arg; 348 349 freemsg(spds->spds_mp_algs); 350 mutex_destroy(&spds->spds_param_lock); 351 mutex_destroy(&spds->spds_alg_lock); 352 nd_free(&spds->spds_g_nd); 353 kmem_free(spds->spds_params, sizeof (lcl_param_arr)); 354 spds->spds_params = NULL; 355 356 kmem_free(spds, sizeof (*spds)); 357 } 358 359 /* 360 * NOTE: large quantities of this should be shared with keysock. 361 * Would be nice to combine some of this into a common module, but 362 * not possible given time pressures. 363 */ 364 365 /* 366 * High-level reality checking of extensions. 367 */ 368 /* ARGSUSED */ /* XXX */ 369 static boolean_t 370 ext_check(spd_ext_t *ext) 371 { 372 spd_if_t *tunname = (spd_if_t *)ext; 373 int i; 374 char *idstr; 375 376 if (ext->spd_ext_type == SPD_EXT_TUN_NAME) { 377 /* (NOTE: Modified from SADB_EXT_IDENTITY..) */ 378 379 /* 380 * Make sure the strings in these identities are 381 * null-terminated. Let's "proactively" null-terminate the 382 * string at the last byte if it's not terminated sooner. 383 */ 384 i = SPD_64TO8(tunname->spd_if_len) - sizeof (spd_if_t); 385 idstr = (char *)(tunname + 1); 386 while (*idstr != '\0' && i > 0) { 387 i--; 388 idstr++; 389 } 390 if (i == 0) { 391 /* 392 * I.e., if the bozo user didn't NULL-terminate the 393 * string... 394 */ 395 idstr--; 396 *idstr = '\0'; 397 } 398 } 399 return (B_TRUE); /* For now... */ 400 } 401 402 403 404 /* Return values for spdsock_get_ext(). */ 405 #define KGE_OK 0 406 #define KGE_DUP 1 407 #define KGE_UNK 2 408 #define KGE_LEN 3 409 #define KGE_CHK 4 410 411 /* 412 * Parse basic extension headers and return in the passed-in pointer vector. 413 * Return values include: 414 * 415 * KGE_OK Everything's nice and parsed out. 416 * If there are no extensions, place NULL in extv[0]. 417 * KGE_DUP There is a duplicate extension. 418 * First instance in appropriate bin. First duplicate in 419 * extv[0]. 420 * KGE_UNK Unknown extension type encountered. extv[0] contains 421 * unknown header. 422 * KGE_LEN Extension length error. 423 * KGE_CHK High-level reality check failed on specific extension. 424 * 425 * My apologies for some of the pointer arithmetic in here. I'm thinking 426 * like an assembly programmer, yet trying to make the compiler happy. 427 */ 428 static int 429 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize) 430 { 431 bzero(extv, sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1)); 432 433 /* Use extv[0] as the "current working pointer". */ 434 435 extv[0] = (spd_ext_t *)(basehdr + 1); 436 437 while (extv[0] < (spd_ext_t *)(((uint8_t *)basehdr) + msgsize)) { 438 /* Check for unknown headers. */ 439 if (extv[0]->spd_ext_type == 0 || 440 extv[0]->spd_ext_type > SPD_EXT_MAX) 441 return (KGE_UNK); 442 443 /* 444 * Check length. Use uint64_t because extlen is in units 445 * of 64-bit words. If length goes beyond the msgsize, 446 * return an error. (Zero length also qualifies here.) 447 */ 448 if (extv[0]->spd_ext_len == 0 || 449 (void *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) > 450 (void *)((uint8_t *)basehdr + msgsize)) 451 return (KGE_LEN); 452 453 /* Check for redundant headers. */ 454 if (extv[extv[0]->spd_ext_type] != NULL) 455 return (KGE_DUP); 456 457 /* 458 * Reality check the extension if possible at the spdsock 459 * level. 460 */ 461 if (!ext_check(extv[0])) 462 return (KGE_CHK); 463 464 /* If I make it here, assign the appropriate bin. */ 465 extv[extv[0]->spd_ext_type] = extv[0]; 466 467 /* Advance pointer (See above for uint64_t ptr reasoning.) */ 468 extv[0] = (spd_ext_t *) 469 ((uint64_t *)extv[0] + extv[0]->spd_ext_len); 470 } 471 472 /* Everything's cool. */ 473 474 /* 475 * If extv[0] == NULL, then there are no extension headers in this 476 * message. Ensure that this is the case. 477 */ 478 if (extv[0] == (spd_ext_t *)(basehdr + 1)) 479 extv[0] = NULL; 480 481 return (KGE_OK); 482 } 483 484 static const int bad_ext_diag[] = { 485 SPD_DIAGNOSTIC_MALFORMED_LCLPORT, 486 SPD_DIAGNOSTIC_MALFORMED_REMPORT, 487 SPD_DIAGNOSTIC_MALFORMED_PROTO, 488 SPD_DIAGNOSTIC_MALFORMED_LCLADDR, 489 SPD_DIAGNOSTIC_MALFORMED_REMADDR, 490 SPD_DIAGNOSTIC_MALFORMED_ACTION, 491 SPD_DIAGNOSTIC_MALFORMED_RULE, 492 SPD_DIAGNOSTIC_MALFORMED_RULESET, 493 SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE 494 }; 495 496 static const int dup_ext_diag[] = { 497 SPD_DIAGNOSTIC_DUPLICATE_LCLPORT, 498 SPD_DIAGNOSTIC_DUPLICATE_REMPORT, 499 SPD_DIAGNOSTIC_DUPLICATE_PROTO, 500 SPD_DIAGNOSTIC_DUPLICATE_LCLADDR, 501 SPD_DIAGNOSTIC_DUPLICATE_REMADDR, 502 SPD_DIAGNOSTIC_DUPLICATE_ACTION, 503 SPD_DIAGNOSTIC_DUPLICATE_RULE, 504 SPD_DIAGNOSTIC_DUPLICATE_RULESET, 505 SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE 506 }; 507 508 /* 509 * Transmit a PF_POLICY error message to the instance either pointed to 510 * by ks, the instance with serial number serial, or more, depending. 511 * 512 * The faulty message (or a reasonable facsimile thereof) is in mp. 513 * This function will free mp or recycle it for delivery, thereby causing 514 * the stream head to free it. 515 */ 516 static void 517 spdsock_error(queue_t *q, mblk_t *mp, int error, int diagnostic) 518 { 519 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 520 521 ASSERT(mp->b_datap->db_type == M_DATA); 522 523 if (spmsg->spd_msg_type < SPD_MIN || 524 spmsg->spd_msg_type > SPD_MAX) 525 spmsg->spd_msg_type = SPD_RESERVED; 526 527 /* 528 * Strip out extension headers. 529 */ 530 ASSERT(mp->b_rptr + sizeof (*spmsg) <= mp->b_datap->db_lim); 531 mp->b_wptr = mp->b_rptr + sizeof (*spmsg); 532 spmsg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t)); 533 spmsg->spd_msg_errno = (uint8_t)error; 534 spmsg->spd_msg_diagnostic = (uint16_t)diagnostic; 535 536 qreply(q, mp); 537 } 538 539 static void 540 spdsock_diag(queue_t *q, mblk_t *mp, int diagnostic) 541 { 542 spdsock_error(q, mp, EINVAL, diagnostic); 543 } 544 545 static void 546 spd_echo(queue_t *q, mblk_t *mp) 547 { 548 qreply(q, mp); 549 } 550 551 /* 552 * Do NOT consume a reference to itp. 553 */ 554 /*ARGSUSED*/ 555 static void 556 spdsock_flush_node(ipsec_tun_pol_t *itp, void *cookie, netstack_t *ns) 557 { 558 boolean_t active = (boolean_t)cookie; 559 ipsec_policy_head_t *iph; 560 561 iph = active ? itp->itp_policy : itp->itp_inactive; 562 IPPH_REFHOLD(iph); 563 mutex_enter(&itp->itp_lock); 564 spdsock_flush_one(iph, ns); /* Releases iph refhold. */ 565 if (active) 566 itp->itp_flags &= ~ITPF_PFLAGS; 567 else 568 itp->itp_flags &= ~ITPF_IFLAGS; 569 mutex_exit(&itp->itp_lock); 570 /* SPD_FLUSH is worth a tunnel MTU check. */ 571 update_iptun_policy(itp); 572 } 573 574 /* 575 * Clear out one polhead. 576 */ 577 static void 578 spdsock_flush_one(ipsec_policy_head_t *iph, netstack_t *ns) 579 { 580 rw_enter(&iph->iph_lock, RW_WRITER); 581 ipsec_polhead_flush(iph, ns); 582 rw_exit(&iph->iph_lock); 583 IPPH_REFRELE(iph, ns); 584 } 585 586 static void 587 spdsock_flush(queue_t *q, ipsec_policy_head_t *iph, ipsec_tun_pol_t *itp, 588 mblk_t *mp) 589 { 590 boolean_t active; 591 spdsock_t *ss = (spdsock_t *)q->q_ptr; 592 netstack_t *ns = ss->spdsock_spds->spds_netstack; 593 uint32_t auditing = AU_AUDITING(); 594 595 if (iph != ALL_ACTIVE_POLHEADS && iph != ALL_INACTIVE_POLHEADS) { 596 spdsock_flush_one(iph, ns); 597 if (auditing) { 598 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 599 cred_t *cr; 600 pid_t cpid; 601 602 cr = msg_getcred(mp, &cpid); 603 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 604 audit_pf_policy(SPD_FLUSH, cr, ns, 605 ITP_NAME(itp), active, 0, cpid); 606 } 607 } else { 608 active = (iph == ALL_ACTIVE_POLHEADS); 609 610 /* First flush the global policy. */ 611 spdsock_flush_one(active ? ipsec_system_policy(ns) : 612 ipsec_inactive_policy(ns), ns); 613 if (auditing) { 614 cred_t *cr; 615 pid_t cpid; 616 617 cr = msg_getcred(mp, &cpid); 618 audit_pf_policy(SPD_FLUSH, cr, ns, NULL, 619 active, 0, cpid); 620 } 621 /* Then flush every tunnel's appropriate one. */ 622 itp_walk(spdsock_flush_node, (void *)active, ns); 623 if (auditing) { 624 cred_t *cr; 625 pid_t cpid; 626 627 cr = msg_getcred(mp, &cpid); 628 audit_pf_policy(SPD_FLUSH, cr, ns, 629 "all tunnels", active, 0, cpid); 630 } 631 } 632 633 spd_echo(q, mp); 634 } 635 636 static boolean_t 637 spdsock_ext_to_sel(spd_ext_t **extv, ipsec_selkey_t *sel, int *diag) 638 { 639 bzero(sel, sizeof (*sel)); 640 641 if (extv[SPD_EXT_PROTO] != NULL) { 642 struct spd_proto *pr = 643 (struct spd_proto *)extv[SPD_EXT_PROTO]; 644 sel->ipsl_proto = pr->spd_proto_number; 645 sel->ipsl_valid |= IPSL_PROTOCOL; 646 } 647 if (extv[SPD_EXT_LCLPORT] != NULL) { 648 struct spd_portrange *pr = 649 (struct spd_portrange *)extv[SPD_EXT_LCLPORT]; 650 sel->ipsl_lport = pr->spd_ports_minport; 651 sel->ipsl_valid |= IPSL_LOCAL_PORT; 652 } 653 if (extv[SPD_EXT_REMPORT] != NULL) { 654 struct spd_portrange *pr = 655 (struct spd_portrange *)extv[SPD_EXT_REMPORT]; 656 sel->ipsl_rport = pr->spd_ports_minport; 657 sel->ipsl_valid |= IPSL_REMOTE_PORT; 658 } 659 660 if (extv[SPD_EXT_ICMP_TYPECODE] != NULL) { 661 struct spd_typecode *tc= 662 (struct spd_typecode *)extv[SPD_EXT_ICMP_TYPECODE]; 663 664 sel->ipsl_valid |= IPSL_ICMP_TYPE; 665 sel->ipsl_icmp_type = tc->spd_typecode_type; 666 if (tc->spd_typecode_type_end < tc->spd_typecode_type) 667 sel->ipsl_icmp_type_end = tc->spd_typecode_type; 668 else 669 sel->ipsl_icmp_type_end = tc->spd_typecode_type_end; 670 671 if (tc->spd_typecode_code != 255) { 672 sel->ipsl_valid |= IPSL_ICMP_CODE; 673 sel->ipsl_icmp_code = tc->spd_typecode_code; 674 if (tc->spd_typecode_code_end < tc->spd_typecode_code) 675 sel->ipsl_icmp_code_end = tc->spd_typecode_code; 676 else 677 sel->ipsl_icmp_code_end = 678 tc->spd_typecode_code_end; 679 } 680 } 681 #define ADDR2SEL(sel, extv, field, pfield, extn, bit) \ 682 if ((extv)[(extn)] != NULL) { \ 683 uint_t addrlen; \ 684 struct spd_address *ap = \ 685 (struct spd_address *)((extv)[(extn)]); \ 686 addrlen = (ap->spd_address_af == AF_INET6) ? \ 687 IPV6_ADDR_LEN : IP_ADDR_LEN; \ 688 if (SPD_64TO8(ap->spd_address_len) < \ 689 (addrlen + sizeof (*ap))) { \ 690 *diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN; \ 691 return (B_FALSE); \ 692 } \ 693 bcopy((ap+1), &((sel)->field), addrlen); \ 694 (sel)->pfield = ap->spd_address_prefixlen; \ 695 (sel)->ipsl_valid |= (bit); \ 696 (sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ? \ 697 IPSL_IPV6 : IPSL_IPV4; \ 698 } 699 700 ADDR2SEL(sel, extv, ipsl_local, ipsl_local_pfxlen, 701 SPD_EXT_LCLADDR, IPSL_LOCAL_ADDR); 702 ADDR2SEL(sel, extv, ipsl_remote, ipsl_remote_pfxlen, 703 SPD_EXT_REMADDR, IPSL_REMOTE_ADDR); 704 705 if ((sel->ipsl_valid & (IPSL_IPV6|IPSL_IPV4)) == 706 (IPSL_IPV6|IPSL_IPV4)) { 707 *diag = SPD_DIAGNOSTIC_MIXED_AF; 708 return (B_FALSE); 709 } 710 711 #undef ADDR2SEL 712 713 return (B_TRUE); 714 } 715 716 static boolean_t 717 spd_convert_type(uint32_t type, ipsec_act_t *act) 718 { 719 switch (type) { 720 case SPD_ACTTYPE_DROP: 721 act->ipa_type = IPSEC_ACT_DISCARD; 722 return (B_TRUE); 723 724 case SPD_ACTTYPE_PASS: 725 act->ipa_type = IPSEC_ACT_CLEAR; 726 return (B_TRUE); 727 728 case SPD_ACTTYPE_IPSEC: 729 act->ipa_type = IPSEC_ACT_APPLY; 730 return (B_TRUE); 731 } 732 return (B_FALSE); 733 } 734 735 static boolean_t 736 spd_convert_flags(uint32_t flags, ipsec_act_t *act) 737 { 738 /* 739 * Note use of !! for boolean canonicalization. 740 */ 741 act->ipa_apply.ipp_use_ah = !!(flags & SPD_APPLY_AH); 742 act->ipa_apply.ipp_use_esp = !!(flags & SPD_APPLY_ESP); 743 act->ipa_apply.ipp_use_espa = !!(flags & SPD_APPLY_ESPA); 744 act->ipa_apply.ipp_use_se = !!(flags & SPD_APPLY_SE); 745 act->ipa_apply.ipp_use_unique = !!(flags & SPD_APPLY_UNIQUE); 746 return (B_TRUE); 747 } 748 749 static void 750 spdsock_reset_act(ipsec_act_t *act) 751 { 752 bzero(act, sizeof (*act)); 753 act->ipa_apply.ipp_espe_maxbits = IPSEC_MAX_KEYBITS; 754 act->ipa_apply.ipp_espa_maxbits = IPSEC_MAX_KEYBITS; 755 act->ipa_apply.ipp_ah_maxbits = IPSEC_MAX_KEYBITS; 756 } 757 758 /* 759 * Sanity check action against reality, and shrink-wrap key sizes.. 760 */ 761 static boolean_t 762 spdsock_check_action(ipsec_act_t *act, boolean_t tunnel_polhead, int *diag, 763 spd_stack_t *spds) 764 { 765 if (tunnel_polhead && act->ipa_apply.ipp_use_unique) { 766 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 767 return (B_FALSE); 768 } 769 if ((act->ipa_type != IPSEC_ACT_APPLY) && 770 (act->ipa_apply.ipp_use_ah || 771 act->ipa_apply.ipp_use_esp || 772 act->ipa_apply.ipp_use_espa || 773 act->ipa_apply.ipp_use_se || 774 act->ipa_apply.ipp_use_unique)) { 775 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 776 return (B_FALSE); 777 } 778 if ((act->ipa_type == IPSEC_ACT_APPLY) && 779 !act->ipa_apply.ipp_use_ah && 780 !act->ipa_apply.ipp_use_esp) { 781 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 782 return (B_FALSE); 783 } 784 return (ipsec_check_action(act, diag, spds->spds_netstack)); 785 } 786 787 /* 788 * We may be short a few error checks here.. 789 */ 790 static boolean_t 791 spdsock_ext_to_actvec(spd_ext_t **extv, ipsec_act_t **actpp, uint_t *nactp, 792 int *diag, spd_stack_t *spds) 793 { 794 struct spd_ext_actions *sactp = 795 (struct spd_ext_actions *)extv[SPD_EXT_ACTION]; 796 ipsec_act_t act, *actp, *endactp; 797 struct spd_attribute *attrp, *endattrp; 798 uint64_t *endp; 799 int nact; 800 boolean_t tunnel_polhead; 801 802 tunnel_polhead = (extv[SPD_EXT_TUN_NAME] != NULL && 803 (((struct spd_rule *)extv[SPD_EXT_RULE])->spd_rule_flags & 804 SPD_RULE_FLAG_TUNNEL)); 805 806 *actpp = NULL; 807 *nactp = 0; 808 809 if (sactp == NULL) { 810 *diag = SPD_DIAGNOSTIC_NO_ACTION_EXT; 811 return (B_FALSE); 812 } 813 814 /* 815 * Parse the "action" extension and convert into an action chain. 816 */ 817 818 nact = sactp->spd_actions_count; 819 820 endp = (uint64_t *)sactp; 821 endp += sactp->spd_actions_len; 822 endattrp = (struct spd_attribute *)endp; 823 824 actp = kmem_alloc(sizeof (*actp) * nact, KM_NOSLEEP); 825 if (actp == NULL) { 826 *diag = SPD_DIAGNOSTIC_ADD_NO_MEM; 827 return (B_FALSE); 828 } 829 *actpp = actp; 830 *nactp = nact; 831 endactp = actp + nact; 832 833 spdsock_reset_act(&act); 834 attrp = (struct spd_attribute *)(&sactp[1]); 835 836 for (; attrp < endattrp; attrp++) { 837 switch (attrp->spd_attr_tag) { 838 case SPD_ATTR_NOP: 839 break; 840 841 case SPD_ATTR_EMPTY: 842 spdsock_reset_act(&act); 843 break; 844 845 case SPD_ATTR_END: 846 attrp = endattrp; 847 /* FALLTHRU */ 848 case SPD_ATTR_NEXT: 849 if (actp >= endactp) { 850 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT; 851 goto fail; 852 } 853 if (!spdsock_check_action(&act, tunnel_polhead, 854 diag, spds)) 855 goto fail; 856 *actp++ = act; 857 spdsock_reset_act(&act); 858 break; 859 860 case SPD_ATTR_TYPE: 861 if (!spd_convert_type(attrp->spd_attr_value, &act)) { 862 *diag = SPD_DIAGNOSTIC_ADD_BAD_TYPE; 863 goto fail; 864 } 865 break; 866 867 case SPD_ATTR_FLAGS: 868 if (!tunnel_polhead && extv[SPD_EXT_TUN_NAME] != NULL) { 869 /* 870 * Set "sa unique" for transport-mode 871 * tunnels whether we want to or not. 872 */ 873 attrp->spd_attr_value |= SPD_APPLY_UNIQUE; 874 } 875 if (!spd_convert_flags(attrp->spd_attr_value, &act)) { 876 *diag = SPD_DIAGNOSTIC_ADD_BAD_FLAGS; 877 goto fail; 878 } 879 break; 880 881 case SPD_ATTR_AH_AUTH: 882 if (attrp->spd_attr_value == 0) { 883 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG; 884 goto fail; 885 } 886 act.ipa_apply.ipp_auth_alg = attrp->spd_attr_value; 887 break; 888 889 case SPD_ATTR_ESP_ENCR: 890 if (attrp->spd_attr_value == 0) { 891 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG; 892 goto fail; 893 } 894 act.ipa_apply.ipp_encr_alg = attrp->spd_attr_value; 895 break; 896 897 case SPD_ATTR_ESP_AUTH: 898 if (attrp->spd_attr_value == 0) { 899 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG; 900 goto fail; 901 } 902 act.ipa_apply.ipp_esp_auth_alg = attrp->spd_attr_value; 903 break; 904 905 case SPD_ATTR_ENCR_MINBITS: 906 act.ipa_apply.ipp_espe_minbits = attrp->spd_attr_value; 907 break; 908 909 case SPD_ATTR_ENCR_MAXBITS: 910 act.ipa_apply.ipp_espe_maxbits = attrp->spd_attr_value; 911 break; 912 913 case SPD_ATTR_AH_MINBITS: 914 act.ipa_apply.ipp_ah_minbits = attrp->spd_attr_value; 915 break; 916 917 case SPD_ATTR_AH_MAXBITS: 918 act.ipa_apply.ipp_ah_maxbits = attrp->spd_attr_value; 919 break; 920 921 case SPD_ATTR_ESPA_MINBITS: 922 act.ipa_apply.ipp_espa_minbits = attrp->spd_attr_value; 923 break; 924 925 case SPD_ATTR_ESPA_MAXBITS: 926 act.ipa_apply.ipp_espa_maxbits = attrp->spd_attr_value; 927 break; 928 929 case SPD_ATTR_LIFE_SOFT_TIME: 930 case SPD_ATTR_LIFE_HARD_TIME: 931 case SPD_ATTR_LIFE_SOFT_BYTES: 932 case SPD_ATTR_LIFE_HARD_BYTES: 933 break; 934 935 case SPD_ATTR_KM_PROTO: 936 act.ipa_apply.ipp_km_proto = attrp->spd_attr_value; 937 break; 938 939 case SPD_ATTR_KM_COOKIE: 940 act.ipa_apply.ipp_km_cookie = attrp->spd_attr_value; 941 break; 942 943 case SPD_ATTR_REPLAY_DEPTH: 944 act.ipa_apply.ipp_replay_depth = attrp->spd_attr_value; 945 break; 946 } 947 } 948 if (actp != endactp) { 949 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT; 950 goto fail; 951 } 952 953 return (B_TRUE); 954 fail: 955 ipsec_actvec_free(*actpp, nact); 956 *actpp = NULL; 957 return (B_FALSE); 958 } 959 960 typedef struct 961 { 962 ipsec_policy_t *pol; 963 int dir; 964 } tmprule_t; 965 966 static int 967 mkrule(ipsec_policy_head_t *iph, struct spd_rule *rule, 968 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t af, 969 tmprule_t **rp, uint64_t *index, spd_stack_t *spds) 970 { 971 ipsec_policy_t *pol; 972 973 sel->ipsl_valid &= ~(IPSL_IPV6|IPSL_IPV4); 974 sel->ipsl_valid |= af; 975 976 pol = ipsec_policy_create(sel, actp, nact, rule->spd_rule_priority, 977 index, spds->spds_netstack); 978 if (pol == NULL) 979 return (ENOMEM); 980 981 (*rp)->pol = pol; 982 (*rp)->dir = dir; 983 (*rp)++; 984 985 if (!ipsec_check_policy(iph, pol, dir)) 986 return (EEXIST); 987 988 rule->spd_rule_index = pol->ipsp_index; 989 return (0); 990 } 991 992 static int 993 mkrulepair(ipsec_policy_head_t *iph, struct spd_rule *rule, 994 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t afs, 995 tmprule_t **rp, uint64_t *index, spd_stack_t *spds) 996 { 997 int error; 998 999 if (afs & IPSL_IPV4) { 1000 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV4, rp, 1001 index, spds); 1002 if (error != 0) 1003 return (error); 1004 } 1005 if (afs & IPSL_IPV6) { 1006 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV6, rp, 1007 index, spds); 1008 if (error != 0) 1009 return (error); 1010 } 1011 return (0); 1012 } 1013 1014 1015 static void 1016 spdsock_addrule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1017 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1018 { 1019 ipsec_selkey_t sel; 1020 ipsec_act_t *actp; 1021 uint_t nact; 1022 int diag = 0, error, afs; 1023 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE]; 1024 tmprule_t rules[4], *rulep = &rules[0]; 1025 boolean_t tunnel_mode, empty_itp, active; 1026 uint64_t *index = (itp == NULL) ? NULL : &itp->itp_next_policy_index; 1027 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1028 spd_stack_t *spds = ss->spdsock_spds; 1029 uint32_t auditing = AU_AUDITING(); 1030 1031 if (rule == NULL) { 1032 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT); 1033 if (auditing) { 1034 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1035 cred_t *cr; 1036 pid_t cpid; 1037 1038 cr = msg_getcred(mp, &cpid); 1039 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1040 audit_pf_policy(SPD_ADDRULE, cr, 1041 spds->spds_netstack, ITP_NAME(itp), active, 1042 SPD_DIAGNOSTIC_NO_RULE_EXT, cpid); 1043 } 1044 return; 1045 } 1046 1047 tunnel_mode = (rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL); 1048 1049 if (itp != NULL) { 1050 mutex_enter(&itp->itp_lock); 1051 ASSERT(itp->itp_policy == iph || itp->itp_inactive == iph); 1052 active = (itp->itp_policy == iph); 1053 if (ITP_P_ISACTIVE(itp, iph)) { 1054 /* Check for mix-and-match of tunnel/transport. */ 1055 if ((tunnel_mode && !ITP_P_ISTUNNEL(itp, iph)) || 1056 (!tunnel_mode && ITP_P_ISTUNNEL(itp, iph))) { 1057 mutex_exit(&itp->itp_lock); 1058 spdsock_error(q, mp, EBUSY, 0); 1059 return; 1060 } 1061 empty_itp = B_FALSE; 1062 } else { 1063 empty_itp = B_TRUE; 1064 itp->itp_flags = active ? ITPF_P_ACTIVE : ITPF_I_ACTIVE; 1065 if (tunnel_mode) 1066 itp->itp_flags |= active ? ITPF_P_TUNNEL : 1067 ITPF_I_TUNNEL; 1068 } 1069 } else { 1070 empty_itp = B_FALSE; 1071 } 1072 1073 if (rule->spd_rule_index != 0) { 1074 diag = SPD_DIAGNOSTIC_INVALID_RULE_INDEX; 1075 error = EINVAL; 1076 goto fail2; 1077 } 1078 1079 if (!spdsock_ext_to_sel(extv, &sel, &diag)) { 1080 error = EINVAL; 1081 goto fail2; 1082 } 1083 1084 if (itp != NULL) { 1085 if (tunnel_mode) { 1086 if (sel.ipsl_valid & 1087 (IPSL_REMOTE_PORT | IPSL_LOCAL_PORT)) { 1088 itp->itp_flags |= active ? 1089 ITPF_P_PER_PORT_SECURITY : 1090 ITPF_I_PER_PORT_SECURITY; 1091 } 1092 } else { 1093 /* 1094 * For now, we don't allow transport-mode on a tunnel 1095 * with ANY specific selectors. Bail if we have such 1096 * a request. 1097 */ 1098 if (sel.ipsl_valid & IPSL_WILDCARD) { 1099 diag = SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS; 1100 error = EINVAL; 1101 goto fail2; 1102 } 1103 } 1104 } 1105 1106 if (!spdsock_ext_to_actvec(extv, &actp, &nact, &diag, spds)) { 1107 error = EINVAL; 1108 goto fail2; 1109 } 1110 /* 1111 * If no addresses were specified, add both. 1112 */ 1113 afs = sel.ipsl_valid & (IPSL_IPV6|IPSL_IPV4); 1114 if (afs == 0) 1115 afs = (IPSL_IPV6|IPSL_IPV4); 1116 1117 rw_enter(&iph->iph_lock, RW_WRITER); 1118 1119 if (rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) { 1120 error = mkrulepair(iph, rule, &sel, actp, nact, 1121 IPSEC_TYPE_OUTBOUND, afs, &rulep, index, spds); 1122 if (error != 0) 1123 goto fail; 1124 } 1125 1126 if (rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) { 1127 error = mkrulepair(iph, rule, &sel, actp, nact, 1128 IPSEC_TYPE_INBOUND, afs, &rulep, index, spds); 1129 if (error != 0) 1130 goto fail; 1131 } 1132 1133 while ((--rulep) >= &rules[0]) { 1134 ipsec_enter_policy(iph, rulep->pol, rulep->dir, 1135 spds->spds_netstack); 1136 } 1137 rw_exit(&iph->iph_lock); 1138 if (itp != NULL) 1139 mutex_exit(&itp->itp_lock); 1140 1141 ipsec_actvec_free(actp, nact); 1142 spd_echo(q, mp); 1143 if (auditing) { 1144 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1145 cred_t *cr; 1146 pid_t cpid; 1147 1148 cr = msg_getcred(mp, &cpid); 1149 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1150 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack, 1151 ITP_NAME(itp), active, 0, cpid); 1152 } 1153 return; 1154 1155 fail: 1156 rw_exit(&iph->iph_lock); 1157 while ((--rulep) >= &rules[0]) 1158 IPPOL_REFRELE(rulep->pol); 1159 ipsec_actvec_free(actp, nact); 1160 fail2: 1161 if (itp != NULL) { 1162 if (empty_itp) 1163 itp->itp_flags = 0; 1164 mutex_exit(&itp->itp_lock); 1165 } 1166 spdsock_error(q, mp, error, diag); 1167 if (auditing) { 1168 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1169 cred_t *cr; 1170 pid_t cpid; 1171 1172 cr = msg_getcred(mp, &cpid); 1173 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1174 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack, 1175 ITP_NAME(itp), active, error, cpid); 1176 } 1177 } 1178 1179 void 1180 spdsock_deleterule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1181 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1182 { 1183 ipsec_selkey_t sel; 1184 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE]; 1185 int err, diag = 0; 1186 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1187 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1188 uint32_t auditing = AU_AUDITING(); 1189 1190 if (rule == NULL) { 1191 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT); 1192 if (auditing) { 1193 boolean_t active; 1194 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1195 cred_t *cr; 1196 pid_t cpid; 1197 1198 cr = msg_getcred(mp, &cpid); 1199 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1200 audit_pf_policy(SPD_DELETERULE, cr, ns, 1201 ITP_NAME(itp), active, SPD_DIAGNOSTIC_NO_RULE_EXT, 1202 cpid); 1203 } 1204 return; 1205 } 1206 1207 /* 1208 * Must enter itp_lock first to avoid deadlock. See tun.c's 1209 * set_sec_simple() for the other case of itp_lock and iph_lock. 1210 */ 1211 if (itp != NULL) 1212 mutex_enter(&itp->itp_lock); 1213 1214 if (rule->spd_rule_index != 0) { 1215 if (ipsec_policy_delete_index(iph, rule->spd_rule_index, ns) != 1216 0) { 1217 err = ESRCH; 1218 goto fail; 1219 } 1220 } else { 1221 if (!spdsock_ext_to_sel(extv, &sel, &diag)) { 1222 err = EINVAL; /* diag already set... */ 1223 goto fail; 1224 } 1225 1226 if ((rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) && 1227 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_INBOUND, ns)) { 1228 err = ESRCH; 1229 goto fail; 1230 } 1231 1232 if ((rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) && 1233 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_OUTBOUND, ns)) { 1234 err = ESRCH; 1235 goto fail; 1236 } 1237 } 1238 1239 if (itp != NULL) { 1240 ASSERT(iph == itp->itp_policy || iph == itp->itp_inactive); 1241 rw_enter(&iph->iph_lock, RW_READER); 1242 if (avl_numnodes(&iph->iph_rulebyid) == 0) { 1243 if (iph == itp->itp_policy) 1244 itp->itp_flags &= ~ITPF_PFLAGS; 1245 else 1246 itp->itp_flags &= ~ITPF_IFLAGS; 1247 } 1248 /* Can exit locks in any order. */ 1249 rw_exit(&iph->iph_lock); 1250 mutex_exit(&itp->itp_lock); 1251 } 1252 spd_echo(q, mp); 1253 if (auditing) { 1254 boolean_t active; 1255 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1256 cred_t *cr; 1257 pid_t cpid; 1258 1259 cr = msg_getcred(mp, &cpid); 1260 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1261 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp), 1262 active, 0, cpid); 1263 } 1264 return; 1265 fail: 1266 if (itp != NULL) 1267 mutex_exit(&itp->itp_lock); 1268 spdsock_error(q, mp, err, diag); 1269 if (auditing) { 1270 boolean_t active; 1271 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1272 cred_t *cr; 1273 pid_t cpid; 1274 1275 cr = msg_getcred(mp, &cpid); 1276 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1277 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp), 1278 active, err, cpid); 1279 } 1280 } 1281 1282 /* Do NOT consume a reference to itp. */ 1283 /* ARGSUSED */ 1284 static void 1285 spdsock_flip_node(ipsec_tun_pol_t *itp, void *ignoreme, netstack_t *ns) 1286 { 1287 mutex_enter(&itp->itp_lock); 1288 ITPF_SWAP(itp->itp_flags); 1289 ipsec_swap_policy(itp->itp_policy, itp->itp_inactive, ns); 1290 mutex_exit(&itp->itp_lock); 1291 /* SPD_FLIP is worth a tunnel MTU check. */ 1292 update_iptun_policy(itp); 1293 } 1294 1295 void 1296 spdsock_flip(queue_t *q, mblk_t *mp, spd_if_t *tunname) 1297 { 1298 char *tname; 1299 ipsec_tun_pol_t *itp; 1300 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1301 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1302 uint32_t auditing = AU_AUDITING(); 1303 1304 if (tunname != NULL) { 1305 tname = (char *)tunname->spd_if_name; 1306 if (*tname == '\0') { 1307 /* can't fail */ 1308 ipsec_swap_global_policy(ns); 1309 if (auditing) { 1310 boolean_t active; 1311 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1312 cred_t *cr; 1313 pid_t cpid; 1314 1315 cr = msg_getcred(mp, &cpid); 1316 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1317 audit_pf_policy(SPD_FLIP, cr, ns, 1318 NULL, active, 0, cpid); 1319 } 1320 itp_walk(spdsock_flip_node, NULL, ns); 1321 if (auditing) { 1322 boolean_t active; 1323 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1324 cred_t *cr; 1325 pid_t cpid; 1326 1327 cr = msg_getcred(mp, &cpid); 1328 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1329 audit_pf_policy(SPD_FLIP, cr, ns, 1330 "all tunnels", active, 0, cpid); 1331 } 1332 } else { 1333 itp = get_tunnel_policy(tname, ns); 1334 if (itp == NULL) { 1335 /* Better idea for "tunnel not found"? */ 1336 spdsock_error(q, mp, ESRCH, 0); 1337 if (auditing) { 1338 boolean_t active; 1339 spd_msg_t *spmsg = 1340 (spd_msg_t *)mp->b_rptr; 1341 cred_t *cr; 1342 pid_t cpid; 1343 1344 cr = msg_getcred(mp, &cpid); 1345 active = (spmsg->spd_msg_spdid == 1346 SPD_ACTIVE); 1347 audit_pf_policy(SPD_FLIP, cr, ns, 1348 ITP_NAME(itp), active, 1349 ESRCH, cpid); 1350 } 1351 return; 1352 } 1353 spdsock_flip_node(itp, NULL, ns); 1354 if (auditing) { 1355 boolean_t active; 1356 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1357 cred_t *cr; 1358 pid_t cpid; 1359 1360 cr = msg_getcred(mp, &cpid); 1361 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1362 audit_pf_policy(SPD_FLIP, cr, ns, 1363 ITP_NAME(itp), active, 0, cpid); 1364 } 1365 ITP_REFRELE(itp, ns); 1366 } 1367 } else { 1368 ipsec_swap_global_policy(ns); /* can't fail */ 1369 if (auditing) { 1370 boolean_t active; 1371 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1372 cred_t *cr; 1373 pid_t cpid; 1374 1375 cr = msg_getcred(mp, &cpid); 1376 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1377 audit_pf_policy(SPD_FLIP, cr, 1378 ns, NULL, active, 0, cpid); 1379 } 1380 } 1381 spd_echo(q, mp); 1382 } 1383 1384 /* 1385 * Unimplemented feature 1386 */ 1387 /* ARGSUSED */ 1388 static void 1389 spdsock_lookup(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1390 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1391 { 1392 spdsock_error(q, mp, EINVAL, 0); 1393 } 1394 1395 1396 static mblk_t * 1397 spdsock_dump_ruleset(mblk_t *req, ipsec_policy_head_t *iph, 1398 uint32_t count, uint16_t error) 1399 { 1400 size_t len = sizeof (spd_ruleset_ext_t) + sizeof (spd_msg_t); 1401 spd_msg_t *msg; 1402 spd_ruleset_ext_t *ruleset; 1403 mblk_t *m = allocb(len, BPRI_HI); 1404 1405 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1406 1407 if (m == NULL) { 1408 return (NULL); 1409 } 1410 msg = (spd_msg_t *)m->b_rptr; 1411 ruleset = (spd_ruleset_ext_t *)(&msg[1]); 1412 1413 m->b_wptr = (uint8_t *)&ruleset[1]; 1414 1415 *msg = *(spd_msg_t *)(req->b_rptr); 1416 msg->spd_msg_len = SPD_8TO64(len); 1417 msg->spd_msg_errno = error; 1418 1419 ruleset->spd_ruleset_len = SPD_8TO64(sizeof (*ruleset)); 1420 ruleset->spd_ruleset_type = SPD_EXT_RULESET; 1421 ruleset->spd_ruleset_count = count; 1422 ruleset->spd_ruleset_version = iph->iph_gen; 1423 return (m); 1424 } 1425 1426 static mblk_t * 1427 spdsock_dump_finish(spdsock_t *ss, int error) 1428 { 1429 mblk_t *m; 1430 ipsec_policy_head_t *iph = ss->spdsock_dump_head; 1431 mblk_t *req = ss->spdsock_dump_req; 1432 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1433 1434 rw_enter(&iph->iph_lock, RW_READER); 1435 m = spdsock_dump_ruleset(req, iph, ss->spdsock_dump_count, error); 1436 rw_exit(&iph->iph_lock); 1437 IPPH_REFRELE(iph, ns); 1438 if (ss->spdsock_itp != NULL) { 1439 ITP_REFRELE(ss->spdsock_itp, ns); 1440 ss->spdsock_itp = NULL; 1441 } 1442 ss->spdsock_dump_req = NULL; 1443 freemsg(req); 1444 1445 return (m); 1446 } 1447 1448 /* 1449 * Rule encoding functions. 1450 * We do a two-pass encode. 1451 * If base != NULL, fill in encoded rule part starting at base+offset. 1452 * Always return "offset" plus length of to-be-encoded data. 1453 */ 1454 static uint_t 1455 spdsock_encode_typecode(uint8_t *base, uint_t offset, uint8_t type, 1456 uint8_t type_end, uint8_t code, uint8_t code_end) 1457 { 1458 struct spd_typecode *tcp; 1459 1460 ASSERT(ALIGNED64(offset)); 1461 1462 if (base != NULL) { 1463 tcp = (struct spd_typecode *)(base + offset); 1464 tcp->spd_typecode_len = SPD_8TO64(sizeof (*tcp)); 1465 tcp->spd_typecode_exttype = SPD_EXT_ICMP_TYPECODE; 1466 tcp->spd_typecode_code = code; 1467 tcp->spd_typecode_type = type; 1468 tcp->spd_typecode_type_end = type_end; 1469 tcp->spd_typecode_code_end = code_end; 1470 } 1471 offset += sizeof (*tcp); 1472 1473 ASSERT(ALIGNED64(offset)); 1474 1475 return (offset); 1476 } 1477 1478 static uint_t 1479 spdsock_encode_proto(uint8_t *base, uint_t offset, uint8_t proto) 1480 { 1481 struct spd_proto *spp; 1482 1483 ASSERT(ALIGNED64(offset)); 1484 1485 if (base != NULL) { 1486 spp = (struct spd_proto *)(base + offset); 1487 spp->spd_proto_len = SPD_8TO64(sizeof (*spp)); 1488 spp->spd_proto_exttype = SPD_EXT_PROTO; 1489 spp->spd_proto_number = proto; 1490 spp->spd_proto_reserved1 = 0; 1491 spp->spd_proto_reserved2 = 0; 1492 } 1493 offset += sizeof (*spp); 1494 1495 ASSERT(ALIGNED64(offset)); 1496 1497 return (offset); 1498 } 1499 1500 static uint_t 1501 spdsock_encode_port(uint8_t *base, uint_t offset, uint16_t ext, uint16_t port) 1502 { 1503 struct spd_portrange *spp; 1504 1505 ASSERT(ALIGNED64(offset)); 1506 1507 if (base != NULL) { 1508 spp = (struct spd_portrange *)(base + offset); 1509 spp->spd_ports_len = SPD_8TO64(sizeof (*spp)); 1510 spp->spd_ports_exttype = ext; 1511 spp->spd_ports_minport = port; 1512 spp->spd_ports_maxport = port; 1513 } 1514 offset += sizeof (*spp); 1515 1516 ASSERT(ALIGNED64(offset)); 1517 1518 return (offset); 1519 } 1520 1521 static uint_t 1522 spdsock_encode_addr(uint8_t *base, uint_t offset, uint16_t ext, 1523 const ipsec_selkey_t *sel, const ipsec_addr_t *addr, uint_t pfxlen) 1524 { 1525 struct spd_address *sae; 1526 ipsec_addr_t *spdaddr; 1527 uint_t start = offset; 1528 uint_t addrlen; 1529 uint_t af; 1530 1531 if (sel->ipsl_valid & IPSL_IPV4) { 1532 af = AF_INET; 1533 addrlen = IP_ADDR_LEN; 1534 } else { 1535 af = AF_INET6; 1536 addrlen = IPV6_ADDR_LEN; 1537 } 1538 1539 ASSERT(ALIGNED64(offset)); 1540 1541 if (base != NULL) { 1542 sae = (struct spd_address *)(base + offset); 1543 sae->spd_address_exttype = ext; 1544 sae->spd_address_af = af; 1545 sae->spd_address_prefixlen = pfxlen; 1546 sae->spd_address_reserved2 = 0; 1547 1548 spdaddr = (ipsec_addr_t *)(&sae[1]); 1549 bcopy(addr, spdaddr, addrlen); 1550 } 1551 offset += sizeof (*sae); 1552 addrlen = roundup(addrlen, sizeof (uint64_t)); 1553 offset += addrlen; 1554 1555 ASSERT(ALIGNED64(offset)); 1556 1557 if (base != NULL) 1558 sae->spd_address_len = SPD_8TO64(offset - start); 1559 return (offset); 1560 } 1561 1562 static uint_t 1563 spdsock_encode_sel(uint8_t *base, uint_t offset, const ipsec_sel_t *sel) 1564 { 1565 const ipsec_selkey_t *selkey = &sel->ipsl_key; 1566 1567 if (selkey->ipsl_valid & IPSL_PROTOCOL) 1568 offset = spdsock_encode_proto(base, offset, selkey->ipsl_proto); 1569 if (selkey->ipsl_valid & IPSL_LOCAL_PORT) 1570 offset = spdsock_encode_port(base, offset, SPD_EXT_LCLPORT, 1571 selkey->ipsl_lport); 1572 if (selkey->ipsl_valid & IPSL_REMOTE_PORT) 1573 offset = spdsock_encode_port(base, offset, SPD_EXT_REMPORT, 1574 selkey->ipsl_rport); 1575 if (selkey->ipsl_valid & IPSL_REMOTE_ADDR) 1576 offset = spdsock_encode_addr(base, offset, SPD_EXT_REMADDR, 1577 selkey, &selkey->ipsl_remote, selkey->ipsl_remote_pfxlen); 1578 if (selkey->ipsl_valid & IPSL_LOCAL_ADDR) 1579 offset = spdsock_encode_addr(base, offset, SPD_EXT_LCLADDR, 1580 selkey, &selkey->ipsl_local, selkey->ipsl_local_pfxlen); 1581 if (selkey->ipsl_valid & IPSL_ICMP_TYPE) { 1582 offset = spdsock_encode_typecode(base, offset, 1583 selkey->ipsl_icmp_type, selkey->ipsl_icmp_type_end, 1584 (selkey->ipsl_valid & IPSL_ICMP_CODE) ? 1585 selkey->ipsl_icmp_code : 255, 1586 (selkey->ipsl_valid & IPSL_ICMP_CODE) ? 1587 selkey->ipsl_icmp_code_end : 255); 1588 } 1589 return (offset); 1590 } 1591 1592 static uint_t 1593 spdsock_encode_actattr(uint8_t *base, uint_t offset, uint32_t tag, 1594 uint32_t value) 1595 { 1596 struct spd_attribute *attr; 1597 1598 ASSERT(ALIGNED64(offset)); 1599 1600 if (base != NULL) { 1601 attr = (struct spd_attribute *)(base + offset); 1602 attr->spd_attr_tag = tag; 1603 attr->spd_attr_value = value; 1604 } 1605 offset += sizeof (struct spd_attribute); 1606 1607 ASSERT(ALIGNED64(offset)); 1608 1609 return (offset); 1610 } 1611 1612 1613 #define EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v)) 1614 1615 static uint_t 1616 spdsock_encode_action(uint8_t *base, uint_t offset, const ipsec_action_t *ap) 1617 { 1618 const struct ipsec_act *act = &(ap->ipa_act); 1619 uint_t flags; 1620 1621 EMIT(SPD_ATTR_EMPTY, 0); 1622 switch (act->ipa_type) { 1623 case IPSEC_ACT_DISCARD: 1624 case IPSEC_ACT_REJECT: 1625 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_DROP); 1626 break; 1627 case IPSEC_ACT_BYPASS: 1628 case IPSEC_ACT_CLEAR: 1629 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_PASS); 1630 break; 1631 1632 case IPSEC_ACT_APPLY: 1633 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_IPSEC); 1634 flags = 0; 1635 if (act->ipa_apply.ipp_use_ah) 1636 flags |= SPD_APPLY_AH; 1637 if (act->ipa_apply.ipp_use_esp) 1638 flags |= SPD_APPLY_ESP; 1639 if (act->ipa_apply.ipp_use_espa) 1640 flags |= SPD_APPLY_ESPA; 1641 if (act->ipa_apply.ipp_use_se) 1642 flags |= SPD_APPLY_SE; 1643 if (act->ipa_apply.ipp_use_unique) 1644 flags |= SPD_APPLY_UNIQUE; 1645 EMIT(SPD_ATTR_FLAGS, flags); 1646 if (flags & SPD_APPLY_AH) { 1647 EMIT(SPD_ATTR_AH_AUTH, act->ipa_apply.ipp_auth_alg); 1648 EMIT(SPD_ATTR_AH_MINBITS, 1649 act->ipa_apply.ipp_ah_minbits); 1650 EMIT(SPD_ATTR_AH_MAXBITS, 1651 act->ipa_apply.ipp_ah_maxbits); 1652 } 1653 if (flags & SPD_APPLY_ESP) { 1654 EMIT(SPD_ATTR_ESP_ENCR, act->ipa_apply.ipp_encr_alg); 1655 EMIT(SPD_ATTR_ENCR_MINBITS, 1656 act->ipa_apply.ipp_espe_minbits); 1657 EMIT(SPD_ATTR_ENCR_MAXBITS, 1658 act->ipa_apply.ipp_espe_maxbits); 1659 if (flags & SPD_APPLY_ESPA) { 1660 EMIT(SPD_ATTR_ESP_AUTH, 1661 act->ipa_apply.ipp_esp_auth_alg); 1662 EMIT(SPD_ATTR_ESPA_MINBITS, 1663 act->ipa_apply.ipp_espa_minbits); 1664 EMIT(SPD_ATTR_ESPA_MAXBITS, 1665 act->ipa_apply.ipp_espa_maxbits); 1666 } 1667 } 1668 if (act->ipa_apply.ipp_km_proto != 0) 1669 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_proto); 1670 if (act->ipa_apply.ipp_km_cookie != 0) 1671 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_cookie); 1672 if (act->ipa_apply.ipp_replay_depth != 0) 1673 EMIT(SPD_ATTR_REPLAY_DEPTH, 1674 act->ipa_apply.ipp_replay_depth); 1675 /* Add more here */ 1676 break; 1677 } 1678 1679 return (offset); 1680 } 1681 1682 static uint_t 1683 spdsock_encode_action_list(uint8_t *base, uint_t offset, 1684 const ipsec_action_t *ap) 1685 { 1686 struct spd_ext_actions *act; 1687 uint_t nact = 0; 1688 uint_t start = offset; 1689 1690 ASSERT(ALIGNED64(offset)); 1691 1692 if (base != NULL) { 1693 act = (struct spd_ext_actions *)(base + offset); 1694 act->spd_actions_len = 0; 1695 act->spd_actions_exttype = SPD_EXT_ACTION; 1696 act->spd_actions_count = 0; 1697 act->spd_actions_reserved = 0; 1698 } 1699 1700 offset += sizeof (*act); 1701 1702 ASSERT(ALIGNED64(offset)); 1703 1704 while (ap != NULL) { 1705 offset = spdsock_encode_action(base, offset, ap); 1706 ap = ap->ipa_next; 1707 nact++; 1708 if (ap != NULL) { 1709 EMIT(SPD_ATTR_NEXT, 0); 1710 } 1711 } 1712 EMIT(SPD_ATTR_END, 0); 1713 1714 ASSERT(ALIGNED64(offset)); 1715 1716 if (base != NULL) { 1717 act->spd_actions_count = nact; 1718 act->spd_actions_len = SPD_8TO64(offset - start); 1719 } 1720 1721 return (offset); 1722 } 1723 1724 #undef EMIT 1725 1726 /* ARGSUSED */ 1727 static uint_t 1728 spdsock_rule_flags(uint_t dir, uint_t af) 1729 { 1730 uint_t flags = 0; 1731 1732 if (dir == IPSEC_TYPE_INBOUND) 1733 flags |= SPD_RULE_FLAG_INBOUND; 1734 if (dir == IPSEC_TYPE_OUTBOUND) 1735 flags |= SPD_RULE_FLAG_OUTBOUND; 1736 1737 return (flags); 1738 } 1739 1740 1741 static uint_t 1742 spdsock_encode_rule_head(uint8_t *base, uint_t offset, spd_msg_t *req, 1743 const ipsec_policy_t *rule, uint_t dir, uint_t af, char *name, 1744 boolean_t tunnel) 1745 { 1746 struct spd_msg *spmsg; 1747 struct spd_rule *spr; 1748 spd_if_t *sid; 1749 1750 uint_t start = offset; 1751 1752 ASSERT(ALIGNED64(offset)); 1753 1754 if (base != NULL) { 1755 spmsg = (struct spd_msg *)(base + offset); 1756 bzero(spmsg, sizeof (*spmsg)); 1757 spmsg->spd_msg_version = PF_POLICY_V1; 1758 spmsg->spd_msg_type = SPD_DUMP; 1759 spmsg->spd_msg_seq = req->spd_msg_seq; 1760 spmsg->spd_msg_pid = req->spd_msg_pid; 1761 } 1762 offset += sizeof (struct spd_msg); 1763 1764 ASSERT(ALIGNED64(offset)); 1765 1766 if (base != NULL) { 1767 spr = (struct spd_rule *)(base + offset); 1768 spr->spd_rule_type = SPD_EXT_RULE; 1769 spr->spd_rule_priority = rule->ipsp_prio; 1770 spr->spd_rule_flags = spdsock_rule_flags(dir, af); 1771 if (tunnel) 1772 spr->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL; 1773 spr->spd_rule_unused = 0; 1774 spr->spd_rule_len = SPD_8TO64(sizeof (*spr)); 1775 spr->spd_rule_index = rule->ipsp_index; 1776 } 1777 offset += sizeof (struct spd_rule); 1778 1779 /* 1780 * If we have an interface name (i.e. if this policy head came from 1781 * a tunnel), add the SPD_EXT_TUN_NAME extension. 1782 */ 1783 if (name != NULL) { 1784 1785 ASSERT(ALIGNED64(offset)); 1786 1787 if (base != NULL) { 1788 sid = (spd_if_t *)(base + offset); 1789 sid->spd_if_exttype = SPD_EXT_TUN_NAME; 1790 sid->spd_if_len = SPD_8TO64(sizeof (spd_if_t) + 1791 roundup((strlen(name) - 4), 8)); 1792 (void) strlcpy((char *)sid->spd_if_name, name, 1793 LIFNAMSIZ); 1794 } 1795 1796 offset += sizeof (spd_if_t) + roundup((strlen(name) - 4), 8); 1797 } 1798 1799 offset = spdsock_encode_sel(base, offset, rule->ipsp_sel); 1800 offset = spdsock_encode_action_list(base, offset, rule->ipsp_act); 1801 1802 ASSERT(ALIGNED64(offset)); 1803 1804 if (base != NULL) { 1805 spmsg->spd_msg_len = SPD_8TO64(offset - start); 1806 } 1807 return (offset); 1808 } 1809 1810 /* ARGSUSED */ 1811 static mblk_t * 1812 spdsock_encode_rule(mblk_t *req, const ipsec_policy_t *rule, 1813 uint_t dir, uint_t af, char *name, boolean_t tunnel) 1814 { 1815 mblk_t *m; 1816 uint_t len; 1817 spd_msg_t *mreq = (spd_msg_t *)req->b_rptr; 1818 1819 /* 1820 * Figure out how much space we'll need. 1821 */ 1822 len = spdsock_encode_rule_head(NULL, 0, mreq, rule, dir, af, name, 1823 tunnel); 1824 1825 /* 1826 * Allocate mblk. 1827 */ 1828 m = allocb(len, BPRI_HI); 1829 if (m == NULL) 1830 return (NULL); 1831 1832 /* 1833 * Fill it in.. 1834 */ 1835 m->b_wptr = m->b_rptr + len; 1836 bzero(m->b_rptr, len); 1837 (void) spdsock_encode_rule_head(m->b_rptr, 0, mreq, rule, dir, af, 1838 name, tunnel); 1839 return (m); 1840 } 1841 1842 static ipsec_policy_t * 1843 spdsock_dump_next_in_chain(spdsock_t *ss, ipsec_policy_head_t *iph, 1844 ipsec_policy_t *cur) 1845 { 1846 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1847 1848 ss->spdsock_dump_count++; 1849 ss->spdsock_dump_cur_rule = cur->ipsp_hash.hash_next; 1850 return (cur); 1851 } 1852 1853 static ipsec_policy_t * 1854 spdsock_dump_next_rule(spdsock_t *ss, ipsec_policy_head_t *iph) 1855 { 1856 ipsec_policy_t *cur; 1857 ipsec_policy_root_t *ipr; 1858 int chain, nchains, type, af; 1859 1860 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1861 1862 cur = ss->spdsock_dump_cur_rule; 1863 1864 if (cur != NULL) 1865 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1866 1867 type = ss->spdsock_dump_cur_type; 1868 1869 next: 1870 chain = ss->spdsock_dump_cur_chain; 1871 ipr = &iph->iph_root[type]; 1872 nchains = ipr->ipr_nchains; 1873 1874 while (chain < nchains) { 1875 cur = ipr->ipr_hash[chain].hash_head; 1876 chain++; 1877 if (cur != NULL) { 1878 ss->spdsock_dump_cur_chain = chain; 1879 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1880 } 1881 } 1882 ss->spdsock_dump_cur_chain = nchains; 1883 1884 af = ss->spdsock_dump_cur_af; 1885 while (af < IPSEC_NAF) { 1886 cur = ipr->ipr_nonhash[af]; 1887 af++; 1888 if (cur != NULL) { 1889 ss->spdsock_dump_cur_af = af; 1890 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1891 } 1892 } 1893 1894 type++; 1895 if (type >= IPSEC_NTYPES) 1896 return (NULL); 1897 1898 ss->spdsock_dump_cur_chain = 0; 1899 ss->spdsock_dump_cur_type = type; 1900 ss->spdsock_dump_cur_af = IPSEC_AF_V4; 1901 goto next; 1902 1903 } 1904 1905 /* 1906 * If we're done with one policy head, but have more to go, we iterate through 1907 * another IPsec tunnel policy head (itp). Return NULL if it is an error 1908 * worthy of returning EAGAIN via PF_POLICY. 1909 */ 1910 static ipsec_tun_pol_t * 1911 spdsock_dump_iterate_next_tunnel(spdsock_t *ss, ipsec_stack_t *ipss) 1912 { 1913 ipsec_tun_pol_t *itp; 1914 1915 ASSERT(RW_READ_HELD(&ipss->ipsec_tunnel_policy_lock)); 1916 if (ipss->ipsec_tunnel_policy_gen > ss->spdsock_dump_tun_gen) { 1917 /* Oops, state of the tunnel polheads changed. */ 1918 itp = NULL; 1919 } else if (ss->spdsock_itp == NULL) { 1920 /* Just finished global, find first node. */ 1921 itp = avl_first(&ipss->ipsec_tunnel_policies); 1922 } else { 1923 /* We just finished current polhead, find the next one. */ 1924 itp = AVL_NEXT(&ipss->ipsec_tunnel_policies, ss->spdsock_itp); 1925 } 1926 if (itp != NULL) { 1927 ITP_REFHOLD(itp); 1928 } 1929 if (ss->spdsock_itp != NULL) { 1930 ITP_REFRELE(ss->spdsock_itp, ipss->ipsec_netstack); 1931 } 1932 ss->spdsock_itp = itp; 1933 return (itp); 1934 } 1935 1936 static mblk_t * 1937 spdsock_dump_next_record(spdsock_t *ss) 1938 { 1939 ipsec_policy_head_t *iph; 1940 ipsec_policy_t *rule; 1941 mblk_t *m; 1942 ipsec_tun_pol_t *itp; 1943 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1944 ipsec_stack_t *ipss = ns->netstack_ipsec; 1945 1946 iph = ss->spdsock_dump_head; 1947 1948 ASSERT(iph != NULL); 1949 1950 rw_enter(&iph->iph_lock, RW_READER); 1951 1952 if (iph->iph_gen != ss->spdsock_dump_gen) { 1953 rw_exit(&iph->iph_lock); 1954 return (spdsock_dump_finish(ss, EAGAIN)); 1955 } 1956 1957 while ((rule = spdsock_dump_next_rule(ss, iph)) == NULL) { 1958 rw_exit(&iph->iph_lock); 1959 if (--(ss->spdsock_dump_remaining_polheads) == 0) 1960 return (spdsock_dump_finish(ss, 0)); 1961 1962 1963 /* 1964 * If we reach here, we have more policy heads (tunnel 1965 * entries) to dump. Let's reset to a new policy head 1966 * and get some more rules. 1967 * 1968 * An empty policy head will have spdsock_dump_next_rule() 1969 * return NULL, and we loop (while dropping the number of 1970 * remaining polheads). If we loop to 0, we finish. We 1971 * keep looping until we hit 0 or until we have a rule to 1972 * encode. 1973 * 1974 * NOTE: No need for ITP_REF*() macros here as we're only 1975 * going after and refholding the policy head itself. 1976 */ 1977 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER); 1978 itp = spdsock_dump_iterate_next_tunnel(ss, ipss); 1979 if (itp == NULL) { 1980 rw_exit(&ipss->ipsec_tunnel_policy_lock); 1981 return (spdsock_dump_finish(ss, EAGAIN)); 1982 } 1983 1984 /* Reset other spdsock_dump thingies. */ 1985 IPPH_REFRELE(ss->spdsock_dump_head, ns); 1986 if (ss->spdsock_dump_active) { 1987 ss->spdsock_dump_tunnel = 1988 itp->itp_flags & ITPF_P_TUNNEL; 1989 iph = itp->itp_policy; 1990 } else { 1991 ss->spdsock_dump_tunnel = 1992 itp->itp_flags & ITPF_I_TUNNEL; 1993 iph = itp->itp_inactive; 1994 } 1995 IPPH_REFHOLD(iph); 1996 rw_exit(&ipss->ipsec_tunnel_policy_lock); 1997 1998 rw_enter(&iph->iph_lock, RW_READER); 1999 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph); 2000 } 2001 2002 m = spdsock_encode_rule(ss->spdsock_dump_req, rule, 2003 ss->spdsock_dump_cur_type, ss->spdsock_dump_cur_af, 2004 (ss->spdsock_itp == NULL) ? NULL : ss->spdsock_itp->itp_name, 2005 ss->spdsock_dump_tunnel); 2006 rw_exit(&iph->iph_lock); 2007 2008 if (m == NULL) 2009 return (spdsock_dump_finish(ss, ENOMEM)); 2010 return (m); 2011 } 2012 2013 /* 2014 * Dump records until we run into flow-control back-pressure. 2015 */ 2016 static void 2017 spdsock_dump_some(queue_t *q, spdsock_t *ss) 2018 { 2019 mblk_t *m, *dataind; 2020 2021 while ((ss->spdsock_dump_req != NULL) && canputnext(q)) { 2022 m = spdsock_dump_next_record(ss); 2023 if (m == NULL) 2024 return; 2025 dataind = allocb(sizeof (struct T_data_req), BPRI_HI); 2026 if (dataind == NULL) { 2027 freemsg(m); 2028 return; 2029 } 2030 dataind->b_cont = m; 2031 dataind->b_wptr += sizeof (struct T_data_req); 2032 ((struct T_data_ind *)dataind->b_rptr)->PRIM_type = T_DATA_IND; 2033 ((struct T_data_ind *)dataind->b_rptr)->MORE_flag = 0; 2034 dataind->b_datap->db_type = M_PROTO; 2035 putnext(q, dataind); 2036 } 2037 } 2038 2039 /* 2040 * Start dumping. 2041 * Format a start-of-dump record, and set up the stream and kick the rsrv 2042 * procedure to continue the job.. 2043 */ 2044 /* ARGSUSED */ 2045 static void 2046 spdsock_dump(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp) 2047 { 2048 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2049 netstack_t *ns = ss->spdsock_spds->spds_netstack; 2050 ipsec_stack_t *ipss = ns->netstack_ipsec; 2051 mblk_t *mr; 2052 2053 /* spdsock_open() already set spdsock_itp to NULL. */ 2054 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) { 2055 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER); 2056 ss->spdsock_dump_remaining_polheads = 1 + 2057 avl_numnodes(&ipss->ipsec_tunnel_policies); 2058 ss->spdsock_dump_tun_gen = ipss->ipsec_tunnel_policy_gen; 2059 rw_exit(&ipss->ipsec_tunnel_policy_lock); 2060 if (iph == ALL_ACTIVE_POLHEADS) { 2061 iph = ipsec_system_policy(ns); 2062 ss->spdsock_dump_active = B_TRUE; 2063 } else { 2064 iph = ipsec_inactive_policy(ns); 2065 ss->spdsock_dump_active = B_FALSE; 2066 } 2067 ASSERT(ss->spdsock_itp == NULL); 2068 } else { 2069 ss->spdsock_dump_remaining_polheads = 1; 2070 } 2071 2072 rw_enter(&iph->iph_lock, RW_READER); 2073 2074 mr = spdsock_dump_ruleset(mp, iph, 0, 0); 2075 2076 if (!mr) { 2077 rw_exit(&iph->iph_lock); 2078 spdsock_error(q, mp, ENOMEM, 0); 2079 return; 2080 } 2081 2082 ss->spdsock_dump_req = mp; 2083 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph); 2084 2085 rw_exit(&iph->iph_lock); 2086 2087 qreply(q, mr); 2088 qenable(OTHERQ(q)); 2089 } 2090 2091 /* Do NOT consume a reference to ITP. */ 2092 void 2093 spdsock_clone_node(ipsec_tun_pol_t *itp, void *ep, netstack_t *ns) 2094 { 2095 int *errptr = (int *)ep; 2096 2097 if (*errptr != 0) 2098 return; /* We've failed already for some reason. */ 2099 mutex_enter(&itp->itp_lock); 2100 ITPF_CLONE(itp->itp_flags); 2101 *errptr = ipsec_copy_polhead(itp->itp_policy, itp->itp_inactive, ns); 2102 mutex_exit(&itp->itp_lock); 2103 } 2104 2105 void 2106 spdsock_clone(queue_t *q, mblk_t *mp, spd_if_t *tunname) 2107 { 2108 int error; 2109 char *tname; 2110 ipsec_tun_pol_t *itp; 2111 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2112 netstack_t *ns = ss->spdsock_spds->spds_netstack; 2113 uint32_t auditing = AU_AUDITING(); 2114 2115 if (tunname != NULL) { 2116 tname = (char *)tunname->spd_if_name; 2117 if (*tname == '\0') { 2118 error = ipsec_clone_system_policy(ns); 2119 if (auditing) { 2120 boolean_t active; 2121 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2122 cred_t *cr; 2123 pid_t cpid; 2124 2125 cr = msg_getcred(mp, &cpid); 2126 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2127 audit_pf_policy(SPD_CLONE, cr, ns, 2128 NULL, active, error, cpid); 2129 } 2130 if (error == 0) { 2131 itp_walk(spdsock_clone_node, &error, ns); 2132 if (auditing) { 2133 boolean_t active; 2134 spd_msg_t *spmsg = 2135 (spd_msg_t *)mp->b_rptr; 2136 cred_t *cr; 2137 pid_t cpid; 2138 2139 cr = msg_getcred(mp, &cpid); 2140 active = (spmsg->spd_msg_spdid == 2141 SPD_ACTIVE); 2142 audit_pf_policy(SPD_CLONE, cr, 2143 ns, "all tunnels", active, 0, 2144 cpid); 2145 } 2146 } 2147 } else { 2148 itp = get_tunnel_policy(tname, ns); 2149 if (itp == NULL) { 2150 spdsock_error(q, mp, ENOENT, 0); 2151 if (auditing) { 2152 boolean_t active; 2153 spd_msg_t *spmsg = 2154 (spd_msg_t *)mp->b_rptr; 2155 cred_t *cr; 2156 pid_t cpid; 2157 2158 cr = msg_getcred(mp, &cpid); 2159 active = (spmsg->spd_msg_spdid == 2160 SPD_ACTIVE); 2161 audit_pf_policy(SPD_CLONE, cr, 2162 ns, NULL, active, ENOENT, cpid); 2163 } 2164 return; 2165 } 2166 spdsock_clone_node(itp, &error, NULL); 2167 if (auditing) { 2168 boolean_t active; 2169 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2170 cred_t *cr; 2171 pid_t cpid; 2172 2173 cr = msg_getcred(mp, &cpid); 2174 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2175 audit_pf_policy(SPD_CLONE, cr, ns, 2176 ITP_NAME(itp), active, error, cpid); 2177 } 2178 ITP_REFRELE(itp, ns); 2179 } 2180 } else { 2181 error = ipsec_clone_system_policy(ns); 2182 if (auditing) { 2183 boolean_t active; 2184 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2185 cred_t *cr; 2186 pid_t cpid; 2187 2188 cr = msg_getcred(mp, &cpid); 2189 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2190 audit_pf_policy(SPD_CLONE, cr, ns, NULL, 2191 active, error, cpid); 2192 } 2193 } 2194 2195 if (error != 0) 2196 spdsock_error(q, mp, error, 0); 2197 else 2198 spd_echo(q, mp); 2199 } 2200 2201 /* 2202 * Process a SPD_ALGLIST request. The caller expects separate alg entries 2203 * for AH authentication, ESP authentication, and ESP encryption. 2204 * The same distinction is then used when setting the min and max key 2205 * sizes when defining policies. 2206 */ 2207 2208 #define SPDSOCK_AH_AUTH 0 2209 #define SPDSOCK_ESP_AUTH 1 2210 #define SPDSOCK_ESP_ENCR 2 2211 #define SPDSOCK_NTYPES 3 2212 2213 static const uint_t algattr[SPDSOCK_NTYPES] = { 2214 SPD_ATTR_AH_AUTH, 2215 SPD_ATTR_ESP_AUTH, 2216 SPD_ATTR_ESP_ENCR 2217 }; 2218 static const uint_t minbitsattr[SPDSOCK_NTYPES] = { 2219 SPD_ATTR_AH_MINBITS, 2220 SPD_ATTR_ESPA_MINBITS, 2221 SPD_ATTR_ENCR_MINBITS 2222 }; 2223 static const uint_t maxbitsattr[SPDSOCK_NTYPES] = { 2224 SPD_ATTR_AH_MAXBITS, 2225 SPD_ATTR_ESPA_MAXBITS, 2226 SPD_ATTR_ENCR_MAXBITS 2227 }; 2228 static const uint_t defbitsattr[SPDSOCK_NTYPES] = { 2229 SPD_ATTR_AH_DEFBITS, 2230 SPD_ATTR_ESPA_DEFBITS, 2231 SPD_ATTR_ENCR_DEFBITS 2232 }; 2233 static const uint_t incrbitsattr[SPDSOCK_NTYPES] = { 2234 SPD_ATTR_AH_INCRBITS, 2235 SPD_ATTR_ESPA_INCRBITS, 2236 SPD_ATTR_ENCR_INCRBITS 2237 }; 2238 2239 #define ATTRPERALG 6 /* fixed attributes per algs */ 2240 2241 void 2242 spdsock_alglist(queue_t *q, mblk_t *mp) 2243 { 2244 uint_t algtype; 2245 uint_t algidx; 2246 uint_t algcount; 2247 uint_t size; 2248 mblk_t *m; 2249 uint8_t *cur; 2250 spd_msg_t *msg; 2251 struct spd_ext_actions *act; 2252 struct spd_attribute *attr; 2253 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2254 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 2255 2256 mutex_enter(&ipss->ipsec_alg_lock); 2257 /* 2258 * The SPD client expects to receive separate entries for 2259 * AH authentication and ESP authentication supported algorithms. 2260 * 2261 * Don't return the "any" algorithms, if defined, as no 2262 * kernel policies can be set for these algorithms. 2263 */ 2264 algcount = 2 * ipss->ipsec_nalgs[IPSEC_ALG_AUTH] + 2265 ipss->ipsec_nalgs[IPSEC_ALG_ENCR]; 2266 2267 if (ipss->ipsec_alglists[IPSEC_ALG_AUTH][SADB_AALG_NONE] != NULL) 2268 algcount--; 2269 if (ipss->ipsec_alglists[IPSEC_ALG_ENCR][SADB_EALG_NONE] != NULL) 2270 algcount--; 2271 2272 /* 2273 * For each algorithm, we encode: 2274 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT} 2275 */ 2276 2277 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions) + 2278 ATTRPERALG * sizeof (struct spd_attribute) * algcount; 2279 2280 ASSERT(ALIGNED64(size)); 2281 2282 m = allocb(size, BPRI_HI); 2283 if (m == NULL) { 2284 mutex_exit(&ipss->ipsec_alg_lock); 2285 spdsock_error(q, mp, ENOMEM, 0); 2286 return; 2287 } 2288 2289 m->b_wptr = m->b_rptr + size; 2290 cur = m->b_rptr; 2291 2292 msg = (spd_msg_t *)cur; 2293 bcopy(mp->b_rptr, cur, sizeof (*msg)); 2294 2295 msg->spd_msg_len = SPD_8TO64(size); 2296 msg->spd_msg_errno = 0; 2297 msg->spd_msg_diagnostic = 0; 2298 2299 cur += sizeof (*msg); 2300 2301 act = (struct spd_ext_actions *)cur; 2302 cur += sizeof (*act); 2303 2304 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t)); 2305 act->spd_actions_exttype = SPD_EXT_ACTION; 2306 act->spd_actions_count = algcount; 2307 act->spd_actions_reserved = 0; 2308 2309 attr = (struct spd_attribute *)cur; 2310 2311 #define EMIT(tag, value) { \ 2312 attr->spd_attr_tag = (tag); \ 2313 attr->spd_attr_value = (value); \ 2314 attr++; \ 2315 } 2316 2317 /* 2318 * If you change the number of EMIT's here, change 2319 * ATTRPERALG above to match 2320 */ 2321 #define EMITALGATTRS(_type) { \ 2322 EMIT(algattr[_type], algid); /* 1 */ \ 2323 EMIT(minbitsattr[_type], minbits); /* 2 */ \ 2324 EMIT(maxbitsattr[_type], maxbits); /* 3 */ \ 2325 EMIT(defbitsattr[_type], defbits); /* 4 */ \ 2326 EMIT(incrbitsattr[_type], incr); /* 5 */ \ 2327 EMIT(SPD_ATTR_NEXT, 0); /* 6 */ \ 2328 } 2329 2330 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2331 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2332 algidx++) { 2333 int algid = ipss->ipsec_sortlist[algtype][algidx]; 2334 ipsec_alginfo_t *alg = 2335 ipss->ipsec_alglists[algtype][algid]; 2336 uint_t minbits = alg->alg_minbits; 2337 uint_t maxbits = alg->alg_maxbits; 2338 uint_t defbits = alg->alg_default_bits; 2339 uint_t incr = alg->alg_increment; 2340 2341 if (algtype == IPSEC_ALG_AUTH) { 2342 if (algid == SADB_AALG_NONE) 2343 continue; 2344 EMITALGATTRS(SPDSOCK_AH_AUTH); 2345 EMITALGATTRS(SPDSOCK_ESP_AUTH); 2346 } else { 2347 if (algid == SADB_EALG_NONE) 2348 continue; 2349 ASSERT(algtype == IPSEC_ALG_ENCR); 2350 EMITALGATTRS(SPDSOCK_ESP_ENCR); 2351 } 2352 } 2353 } 2354 2355 mutex_exit(&ipss->ipsec_alg_lock); 2356 2357 #undef EMITALGATTRS 2358 #undef EMIT 2359 #undef ATTRPERALG 2360 2361 attr--; 2362 attr->spd_attr_tag = SPD_ATTR_END; 2363 2364 freemsg(mp); 2365 qreply(q, m); 2366 } 2367 2368 /* 2369 * Process a SPD_DUMPALGS request. 2370 */ 2371 2372 #define ATTRPERALG 9 /* fixed attributes per algs */ 2373 2374 void 2375 spdsock_dumpalgs(queue_t *q, mblk_t *mp) 2376 { 2377 uint_t algtype; 2378 uint_t algidx; 2379 uint_t size; 2380 mblk_t *m; 2381 uint8_t *cur; 2382 spd_msg_t *msg; 2383 struct spd_ext_actions *act; 2384 struct spd_attribute *attr; 2385 ipsec_alginfo_t *alg; 2386 uint_t algid; 2387 uint_t i; 2388 uint_t alg_size; 2389 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2390 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 2391 2392 mutex_enter(&ipss->ipsec_alg_lock); 2393 2394 /* 2395 * For each algorithm, we encode: 2396 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT} 2397 * 2398 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE* 2399 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_NPARAMS / ALG_PARAMS* / 2400 * ALG_MECHNAME / ALG_FLAGS / {END, NEXT} 2401 */ 2402 2403 /* 2404 * Compute the size of the SPD message. 2405 */ 2406 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions); 2407 2408 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2409 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2410 algidx++) { 2411 algid = ipss->ipsec_sortlist[algtype][algidx]; 2412 alg = ipss->ipsec_alglists[algtype][algid]; 2413 alg_size = sizeof (struct spd_attribute) * 2414 (ATTRPERALG + alg->alg_nkey_sizes + 2415 alg->alg_nblock_sizes + alg->alg_nparams) + 2416 CRYPTO_MAX_MECH_NAME; 2417 size += alg_size; 2418 } 2419 } 2420 2421 ASSERT(ALIGNED64(size)); 2422 2423 m = allocb(size, BPRI_HI); 2424 if (m == NULL) { 2425 mutex_exit(&ipss->ipsec_alg_lock); 2426 spdsock_error(q, mp, ENOMEM, 0); 2427 return; 2428 } 2429 2430 m->b_wptr = m->b_rptr + size; 2431 cur = m->b_rptr; 2432 2433 msg = (spd_msg_t *)cur; 2434 bcopy(mp->b_rptr, cur, sizeof (*msg)); 2435 2436 msg->spd_msg_len = SPD_8TO64(size); 2437 msg->spd_msg_errno = 0; 2438 msg->spd_msg_type = SPD_ALGLIST; 2439 2440 msg->spd_msg_diagnostic = 0; 2441 2442 cur += sizeof (*msg); 2443 2444 act = (struct spd_ext_actions *)cur; 2445 cur += sizeof (*act); 2446 2447 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t)); 2448 act->spd_actions_exttype = SPD_EXT_ACTION; 2449 act->spd_actions_count = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] + 2450 ipss->ipsec_nalgs[IPSEC_ALG_ENCR]; 2451 act->spd_actions_reserved = 0; 2452 2453 /* 2454 * If there aren't any algorithms registered, return an empty message. 2455 * spdsock_get_ext() knows how to deal with this. 2456 */ 2457 if (act->spd_actions_count == 0) { 2458 act->spd_actions_len = 0; 2459 mutex_exit(&ipss->ipsec_alg_lock); 2460 goto error; 2461 } 2462 2463 attr = (struct spd_attribute *)cur; 2464 2465 #define EMIT(tag, value) { \ 2466 attr->spd_attr_tag = (tag); \ 2467 attr->spd_attr_value = (value); \ 2468 attr++; \ 2469 } 2470 2471 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2472 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2473 algidx++) { 2474 2475 algid = ipss->ipsec_sortlist[algtype][algidx]; 2476 alg = ipss->ipsec_alglists[algtype][algid]; 2477 2478 /* 2479 * If you change the number of EMIT's here, change 2480 * ATTRPERALG above to match 2481 */ 2482 EMIT(SPD_ATTR_ALG_ID, algid); 2483 EMIT(SPD_ATTR_ALG_PROTO, algproto[algtype]); 2484 EMIT(SPD_ATTR_ALG_INCRBITS, alg->alg_increment); 2485 EMIT(SPD_ATTR_ALG_NKEYSIZES, alg->alg_nkey_sizes); 2486 for (i = 0; i < alg->alg_nkey_sizes; i++) 2487 EMIT(SPD_ATTR_ALG_KEYSIZE, 2488 alg->alg_key_sizes[i]); 2489 2490 EMIT(SPD_ATTR_ALG_NBLOCKSIZES, alg->alg_nblock_sizes); 2491 for (i = 0; i < alg->alg_nblock_sizes; i++) 2492 EMIT(SPD_ATTR_ALG_BLOCKSIZE, 2493 alg->alg_block_sizes[i]); 2494 2495 EMIT(SPD_ATTR_ALG_NPARAMS, alg->alg_nparams); 2496 for (i = 0; i < alg->alg_nparams; i++) 2497 EMIT(SPD_ATTR_ALG_PARAMS, 2498 alg->alg_params[i]); 2499 2500 EMIT(SPD_ATTR_ALG_FLAGS, alg->alg_flags); 2501 2502 EMIT(SPD_ATTR_ALG_MECHNAME, CRYPTO_MAX_MECH_NAME); 2503 bcopy(alg->alg_mech_name, attr, CRYPTO_MAX_MECH_NAME); 2504 attr = (struct spd_attribute *)((char *)attr + 2505 CRYPTO_MAX_MECH_NAME); 2506 2507 EMIT(SPD_ATTR_NEXT, 0); 2508 } 2509 } 2510 2511 mutex_exit(&ipss->ipsec_alg_lock); 2512 2513 #undef EMITALGATTRS 2514 #undef EMIT 2515 #undef ATTRPERALG 2516 2517 attr--; 2518 attr->spd_attr_tag = SPD_ATTR_END; 2519 2520 error: 2521 freemsg(mp); 2522 qreply(q, m); 2523 } 2524 2525 /* 2526 * Do the actual work of processing an SPD_UPDATEALGS request. Can 2527 * be invoked either once IPsec is loaded on a cached request, or 2528 * when a request is received while IPsec is loaded. 2529 */ 2530 static int 2531 spdsock_do_updatealg(spd_ext_t *extv[], spd_stack_t *spds) 2532 { 2533 struct spd_ext_actions *actp; 2534 struct spd_attribute *attr, *endattr; 2535 uint64_t *start, *end; 2536 ipsec_alginfo_t *alg = NULL; 2537 ipsec_algtype_t alg_type = 0; 2538 boolean_t skip_alg = B_TRUE, doing_proto = B_FALSE; 2539 uint_t i, cur_key, cur_block, algid; 2540 int diag = -1; 2541 2542 ASSERT(MUTEX_HELD(&spds->spds_alg_lock)); 2543 2544 /* parse the message, building the list of algorithms */ 2545 2546 actp = (struct spd_ext_actions *)extv[SPD_EXT_ACTION]; 2547 if (actp == NULL) 2548 return (SPD_DIAGNOSTIC_NO_ACTION_EXT); 2549 2550 start = (uint64_t *)actp; 2551 end = (start + actp->spd_actions_len); 2552 endattr = (struct spd_attribute *)end; 2553 attr = (struct spd_attribute *)&actp[1]; 2554 2555 bzero(spds->spds_algs, IPSEC_NALGTYPES * IPSEC_MAX_ALGS * 2556 sizeof (ipsec_alginfo_t *)); 2557 2558 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP); 2559 2560 #define ALG_KEY_SIZES(a) (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t)) 2561 #define ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t)) 2562 #define ALG_PARAM_SIZES(a) (((a)->alg_nparams + 1) * sizeof (uint16_t)) 2563 2564 while (attr < endattr) { 2565 switch (attr->spd_attr_tag) { 2566 case SPD_ATTR_NOP: 2567 case SPD_ATTR_EMPTY: 2568 break; 2569 case SPD_ATTR_END: 2570 attr = endattr; 2571 /* FALLTHRU */ 2572 case SPD_ATTR_NEXT: 2573 if (doing_proto) { 2574 doing_proto = B_FALSE; 2575 break; 2576 } 2577 if (skip_alg) { 2578 ipsec_alg_free(alg); 2579 } else { 2580 ipsec_alg_free( 2581 spds->spds_algs[alg_type][alg->alg_id]); 2582 spds->spds_algs[alg_type][alg->alg_id] = 2583 alg; 2584 } 2585 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP); 2586 break; 2587 2588 case SPD_ATTR_ALG_ID: 2589 if (attr->spd_attr_value >= IPSEC_MAX_ALGS) { 2590 ss1dbg(spds, ("spdsock_do_updatealg: " 2591 "invalid alg id %d\n", 2592 attr->spd_attr_value)); 2593 diag = SPD_DIAGNOSTIC_ALG_ID_RANGE; 2594 goto bail; 2595 } 2596 alg->alg_id = attr->spd_attr_value; 2597 break; 2598 2599 case SPD_ATTR_ALG_PROTO: 2600 /* find the alg type */ 2601 for (i = 0; i < NALGPROTOS; i++) 2602 if (algproto[i] == attr->spd_attr_value) 2603 break; 2604 skip_alg = (i == NALGPROTOS); 2605 if (!skip_alg) 2606 alg_type = i; 2607 break; 2608 2609 case SPD_ATTR_ALG_INCRBITS: 2610 alg->alg_increment = attr->spd_attr_value; 2611 break; 2612 2613 case SPD_ATTR_ALG_NKEYSIZES: 2614 if (alg->alg_key_sizes != NULL) { 2615 kmem_free(alg->alg_key_sizes, 2616 ALG_KEY_SIZES(alg)); 2617 } 2618 alg->alg_nkey_sizes = attr->spd_attr_value; 2619 /* 2620 * Allocate room for the trailing zero key size 2621 * value as well. 2622 */ 2623 alg->alg_key_sizes = kmem_zalloc(ALG_KEY_SIZES(alg), 2624 KM_SLEEP); 2625 cur_key = 0; 2626 break; 2627 2628 case SPD_ATTR_ALG_KEYSIZE: 2629 if (alg->alg_key_sizes == NULL || 2630 cur_key >= alg->alg_nkey_sizes) { 2631 ss1dbg(spds, ("spdsock_do_updatealg: " 2632 "too many key sizes\n")); 2633 diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES; 2634 goto bail; 2635 } 2636 alg->alg_key_sizes[cur_key++] = attr->spd_attr_value; 2637 break; 2638 2639 case SPD_ATTR_ALG_FLAGS: 2640 /* 2641 * Flags (bit mask). The alg_flags element of 2642 * ipsecalg_flags_t is only 8 bits wide. The 2643 * user can set the VALID bit, but we will ignore it 2644 * and make the decision is the algorithm is valid. 2645 */ 2646 alg->alg_flags |= (uint8_t)attr->spd_attr_value; 2647 break; 2648 2649 case SPD_ATTR_ALG_NBLOCKSIZES: 2650 if (alg->alg_block_sizes != NULL) { 2651 kmem_free(alg->alg_block_sizes, 2652 ALG_BLOCK_SIZES(alg)); 2653 } 2654 alg->alg_nblock_sizes = attr->spd_attr_value; 2655 /* 2656 * Allocate room for the trailing zero block size 2657 * value as well. 2658 */ 2659 alg->alg_block_sizes = kmem_zalloc(ALG_BLOCK_SIZES(alg), 2660 KM_SLEEP); 2661 cur_block = 0; 2662 break; 2663 2664 case SPD_ATTR_ALG_BLOCKSIZE: 2665 if (alg->alg_block_sizes == NULL || 2666 cur_block >= alg->alg_nblock_sizes) { 2667 ss1dbg(spds, ("spdsock_do_updatealg: " 2668 "too many block sizes\n")); 2669 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES; 2670 goto bail; 2671 } 2672 alg->alg_block_sizes[cur_block++] = 2673 attr->spd_attr_value; 2674 break; 2675 2676 case SPD_ATTR_ALG_NPARAMS: 2677 if (alg->alg_params != NULL) { 2678 kmem_free(alg->alg_params, 2679 ALG_PARAM_SIZES(alg)); 2680 } 2681 alg->alg_nparams = attr->spd_attr_value; 2682 /* 2683 * Allocate room for the trailing zero block size 2684 * value as well. 2685 */ 2686 alg->alg_params = kmem_zalloc(ALG_PARAM_SIZES(alg), 2687 KM_SLEEP); 2688 cur_block = 0; 2689 break; 2690 2691 case SPD_ATTR_ALG_PARAMS: 2692 if (alg->alg_params == NULL || 2693 cur_block >= alg->alg_nparams) { 2694 ss1dbg(spds, ("spdsock_do_updatealg: " 2695 "too many params\n")); 2696 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES; 2697 goto bail; 2698 } 2699 /* 2700 * Array contains: iv_len, icv_len, salt_len 2701 * Any additional parameters are currently ignored. 2702 */ 2703 alg->alg_params[cur_block++] = 2704 attr->spd_attr_value; 2705 break; 2706 2707 case SPD_ATTR_ALG_MECHNAME: { 2708 char *mech_name; 2709 2710 if (attr->spd_attr_value > CRYPTO_MAX_MECH_NAME) { 2711 ss1dbg(spds, ("spdsock_do_updatealg: " 2712 "mech name too long\n")); 2713 diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN; 2714 goto bail; 2715 } 2716 mech_name = (char *)(attr + 1); 2717 bcopy(mech_name, alg->alg_mech_name, 2718 attr->spd_attr_value); 2719 alg->alg_mech_name[CRYPTO_MAX_MECH_NAME-1] = '\0'; 2720 attr = (struct spd_attribute *)((char *)attr + 2721 attr->spd_attr_value); 2722 break; 2723 } 2724 2725 case SPD_ATTR_PROTO_ID: 2726 doing_proto = B_TRUE; 2727 for (i = 0; i < NALGPROTOS; i++) { 2728 if (algproto[i] == attr->spd_attr_value) { 2729 alg_type = i; 2730 break; 2731 } 2732 } 2733 break; 2734 2735 case SPD_ATTR_PROTO_EXEC_MODE: 2736 if (!doing_proto) 2737 break; 2738 for (i = 0; i < NEXECMODES; i++) { 2739 if (execmodes[i] == attr->spd_attr_value) { 2740 spds->spds_algs_exec_mode[alg_type] = i; 2741 break; 2742 } 2743 } 2744 break; 2745 } 2746 attr++; 2747 } 2748 2749 #undef ALG_KEY_SIZES 2750 #undef ALG_BLOCK_SIZES 2751 #undef ALG_PARAM_SIZES 2752 2753 /* update the algorithm tables */ 2754 spdsock_merge_algs(spds); 2755 bail: 2756 /* cleanup */ 2757 ipsec_alg_free(alg); 2758 for (alg_type = 0; alg_type < IPSEC_NALGTYPES; alg_type++) 2759 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) 2760 if (spds->spds_algs[alg_type][algid] != NULL) 2761 ipsec_alg_free(spds->spds_algs[alg_type][algid]); 2762 return (diag); 2763 } 2764 2765 /* 2766 * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue 2767 * the request until IPsec loads. If IPsec is loaded, act on it 2768 * immediately. 2769 */ 2770 2771 static void 2772 spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[]) 2773 { 2774 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2775 spd_stack_t *spds = ss->spdsock_spds; 2776 ipsec_stack_t *ipss = spds->spds_netstack->netstack_ipsec; 2777 uint32_t auditing = AU_AUDITING(); 2778 2779 if (!ipsec_loaded(ipss)) { 2780 /* 2781 * IPsec is not loaded, save request and return nicely, 2782 * the message will be processed once IPsec loads. 2783 */ 2784 mblk_t *new_mp; 2785 2786 /* last update message wins */ 2787 if ((new_mp = copymsg(mp)) == NULL) { 2788 spdsock_error(q, mp, ENOMEM, 0); 2789 return; 2790 } 2791 mutex_enter(&spds->spds_alg_lock); 2792 bcopy(extv, spds->spds_extv_algs, 2793 sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1)); 2794 if (spds->spds_mp_algs != NULL) 2795 freemsg(spds->spds_mp_algs); 2796 spds->spds_mp_algs = mp; 2797 spds->spds_algs_pending = B_TRUE; 2798 mutex_exit(&spds->spds_alg_lock); 2799 if (auditing) { 2800 cred_t *cr; 2801 pid_t cpid; 2802 2803 cr = msg_getcred(mp, &cpid); 2804 audit_pf_policy(SPD_UPDATEALGS, cr, 2805 spds->spds_netstack, NULL, B_TRUE, EAGAIN, 2806 cpid); 2807 } 2808 spd_echo(q, new_mp); 2809 } else { 2810 /* 2811 * IPsec is loaded, act on the message immediately. 2812 */ 2813 int diag; 2814 2815 mutex_enter(&spds->spds_alg_lock); 2816 diag = spdsock_do_updatealg(extv, spds); 2817 if (diag == -1) { 2818 /* Keep the lock held while we walk the SA tables. */ 2819 sadb_alg_update(IPSEC_ALG_ALL, 0, 0, 2820 spds->spds_netstack); 2821 mutex_exit(&spds->spds_alg_lock); 2822 spd_echo(q, mp); 2823 if (auditing) { 2824 cred_t *cr; 2825 pid_t cpid; 2826 2827 cr = msg_getcred(mp, &cpid); 2828 audit_pf_policy(SPD_UPDATEALGS, cr, 2829 spds->spds_netstack, NULL, B_TRUE, 0, 2830 cpid); 2831 } 2832 } else { 2833 mutex_exit(&spds->spds_alg_lock); 2834 spdsock_diag(q, mp, diag); 2835 if (auditing) { 2836 cred_t *cr; 2837 pid_t cpid; 2838 2839 cr = msg_getcred(mp, &cpid); 2840 audit_pf_policy(SPD_UPDATEALGS, cr, 2841 spds->spds_netstack, NULL, B_TRUE, diag, 2842 cpid); 2843 } 2844 } 2845 } 2846 } 2847 2848 /* 2849 * Find a tunnel instance (using the name to link ID mapping), and 2850 * update it after an IPsec change. We need to do this always in case 2851 * we add policy AFTER plumbing a tunnel. We also need to do this 2852 * because, as a side-effect, the tunnel's MTU is updated to reflect 2853 * any IPsec overhead in the itp's policy. 2854 */ 2855 static void 2856 update_iptun_policy(ipsec_tun_pol_t *itp) 2857 { 2858 datalink_id_t linkid; 2859 2860 if (dls_mgmt_get_linkid(itp->itp_name, &linkid) == 0) 2861 iptun_set_policy(linkid, itp); 2862 } 2863 2864 /* 2865 * Sort through the mess of polhead options to retrieve an appropriate one. 2866 * Returns NULL if we send an spdsock error. Returns a valid pointer if we 2867 * found a valid polhead. Returns ALL_ACTIVE_POLHEADS (aka. -1) or 2868 * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to 2869 * act on ALL policy heads. 2870 */ 2871 static ipsec_policy_head_t * 2872 get_appropriate_polhead(queue_t *q, mblk_t *mp, spd_if_t *tunname, int spdid, 2873 int msgtype, ipsec_tun_pol_t **itpp) 2874 { 2875 ipsec_tun_pol_t *itp; 2876 ipsec_policy_head_t *iph; 2877 int errno; 2878 char *tname; 2879 boolean_t active; 2880 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2881 netstack_t *ns = ss->spdsock_spds->spds_netstack; 2882 uint64_t gen; /* Placeholder */ 2883 2884 active = (spdid == SPD_ACTIVE); 2885 *itpp = NULL; 2886 if (!active && spdid != SPD_STANDBY) { 2887 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_SPDID); 2888 return (NULL); 2889 } 2890 2891 if (tunname != NULL) { 2892 /* Acting on a tunnel's SPD. */ 2893 tname = (char *)tunname->spd_if_name; 2894 if (*tname == '\0') { 2895 /* Handle all-polhead cases here. */ 2896 if (msgtype != SPD_FLUSH && msgtype != SPD_DUMP) { 2897 spdsock_diag(q, mp, 2898 SPD_DIAGNOSTIC_NOT_GLOBAL_OP); 2899 return (NULL); 2900 } 2901 return (active ? ALL_ACTIVE_POLHEADS : 2902 ALL_INACTIVE_POLHEADS); 2903 } 2904 2905 itp = get_tunnel_policy(tname, ns); 2906 if (itp == NULL) { 2907 if (msgtype != SPD_ADDRULE) { 2908 /* "Tunnel not found" */ 2909 spdsock_error(q, mp, ENOENT, 0); 2910 return (NULL); 2911 } 2912 2913 errno = 0; 2914 itp = create_tunnel_policy(tname, &errno, &gen, ns); 2915 if (itp == NULL) { 2916 /* 2917 * Something very bad happened, most likely 2918 * ENOMEM. Return an indicator. 2919 */ 2920 spdsock_error(q, mp, errno, 0); 2921 return (NULL); 2922 } 2923 } 2924 2925 /* Match up the itp to an iptun instance. */ 2926 update_iptun_policy(itp); 2927 2928 *itpp = itp; 2929 /* For spdsock dump state, set the polhead's name. */ 2930 if (msgtype == SPD_DUMP) { 2931 ITP_REFHOLD(itp); 2932 ss->spdsock_itp = itp; 2933 ss->spdsock_dump_tunnel = itp->itp_flags & 2934 (active ? ITPF_P_TUNNEL : ITPF_I_TUNNEL); 2935 } 2936 } else { 2937 itp = NULL; 2938 /* For spdsock dump state, indicate it's global policy. */ 2939 if (msgtype == SPD_DUMP) 2940 ss->spdsock_itp = NULL; 2941 } 2942 2943 if (active) 2944 iph = (itp == NULL) ? ipsec_system_policy(ns) : itp->itp_policy; 2945 else 2946 iph = (itp == NULL) ? ipsec_inactive_policy(ns) : 2947 itp->itp_inactive; 2948 2949 ASSERT(iph != NULL); 2950 if (itp != NULL) { 2951 IPPH_REFHOLD(iph); 2952 } 2953 2954 return (iph); 2955 } 2956 2957 static void 2958 spdsock_parse(queue_t *q, mblk_t *mp) 2959 { 2960 spd_msg_t *spmsg; 2961 spd_ext_t *extv[SPD_EXT_MAX + 1]; 2962 uint_t msgsize; 2963 ipsec_policy_head_t *iph; 2964 ipsec_tun_pol_t *itp; 2965 spd_if_t *tunname; 2966 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2967 spd_stack_t *spds = ss->spdsock_spds; 2968 netstack_t *ns = spds->spds_netstack; 2969 ipsec_stack_t *ipss = ns->netstack_ipsec; 2970 2971 /* Make sure nothing's below me. */ 2972 ASSERT(WR(q)->q_next == NULL); 2973 2974 spmsg = (spd_msg_t *)mp->b_rptr; 2975 2976 msgsize = SPD_64TO8(spmsg->spd_msg_len); 2977 2978 if (msgdsize(mp) != msgsize) { 2979 /* 2980 * Message len incorrect w.r.t. actual size. Send an error 2981 * (EMSGSIZE). It may be necessary to massage things a 2982 * bit. For example, if the spd_msg_type is hosed, 2983 * I need to set it to SPD_RESERVED to get delivery to 2984 * do the right thing. Then again, maybe just letting 2985 * the error delivery do the right thing. 2986 */ 2987 ss2dbg(spds, 2988 ("mblk (%lu) and base (%d) message sizes don't jibe.\n", 2989 msgdsize(mp), msgsize)); 2990 spdsock_error(q, mp, EMSGSIZE, SPD_DIAGNOSTIC_NONE); 2991 return; 2992 } 2993 2994 if (msgsize > (uint_t)(mp->b_wptr - mp->b_rptr)) { 2995 /* Get all message into one mblk. */ 2996 if (pullupmsg(mp, -1) == 0) { 2997 /* 2998 * Something screwy happened. 2999 */ 3000 ss3dbg(spds, ("spdsock_parse: pullupmsg() failed.\n")); 3001 return; 3002 } else { 3003 spmsg = (spd_msg_t *)mp->b_rptr; 3004 } 3005 } 3006 3007 switch (spdsock_get_ext(extv, spmsg, msgsize)) { 3008 case KGE_DUP: 3009 /* Handle duplicate extension. */ 3010 ss1dbg(spds, ("Got duplicate extension of type %d.\n", 3011 extv[0]->spd_ext_type)); 3012 spdsock_diag(q, mp, dup_ext_diag[extv[0]->spd_ext_type]); 3013 return; 3014 case KGE_UNK: 3015 /* Handle unknown extension. */ 3016 ss1dbg(spds, ("Got unknown extension of type %d.\n", 3017 extv[0]->spd_ext_type)); 3018 spdsock_diag(q, mp, SPD_DIAGNOSTIC_UNKNOWN_EXT); 3019 return; 3020 case KGE_LEN: 3021 /* Length error. */ 3022 ss1dbg(spds, ("Length %d on extension type %d overrun or 0.\n", 3023 extv[0]->spd_ext_len, extv[0]->spd_ext_type)); 3024 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_EXTLEN); 3025 return; 3026 case KGE_CHK: 3027 /* Reality check failed. */ 3028 ss1dbg(spds, ("Reality check failed on extension type %d.\n", 3029 extv[0]->spd_ext_type)); 3030 spdsock_diag(q, mp, bad_ext_diag[extv[0]->spd_ext_type]); 3031 return; 3032 default: 3033 /* Default case is no errors. */ 3034 break; 3035 } 3036 3037 /* 3038 * Special-case SPD_UPDATEALGS so as not to load IPsec. 3039 */ 3040 if (!ipsec_loaded(ipss) && spmsg->spd_msg_type != SPD_UPDATEALGS) { 3041 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3042 3043 ASSERT(ss != NULL); 3044 ipsec_loader_loadnow(ipss); 3045 ss->spdsock_timeout_arg = mp; 3046 ss->spdsock_timeout = qtimeout(q, spdsock_loadcheck, 3047 q, LOADCHECK_INTERVAL); 3048 return; 3049 } 3050 3051 /* First check for messages that need no polheads at all. */ 3052 switch (spmsg->spd_msg_type) { 3053 case SPD_UPDATEALGS: 3054 spdsock_updatealg(q, mp, extv); 3055 return; 3056 case SPD_ALGLIST: 3057 spdsock_alglist(q, mp); 3058 return; 3059 case SPD_DUMPALGS: 3060 spdsock_dumpalgs(q, mp); 3061 return; 3062 } 3063 3064 /* 3065 * Then check for ones that need both primary/secondary polheads, 3066 * finding the appropriate tunnel policy if need be. 3067 */ 3068 tunname = (spd_if_t *)extv[SPD_EXT_TUN_NAME]; 3069 switch (spmsg->spd_msg_type) { 3070 case SPD_FLIP: 3071 spdsock_flip(q, mp, tunname); 3072 return; 3073 case SPD_CLONE: 3074 spdsock_clone(q, mp, tunname); 3075 return; 3076 } 3077 3078 /* 3079 * Finally, find ones that operate on exactly one polhead, or 3080 * "all polheads" of a given type (active/inactive). 3081 */ 3082 iph = get_appropriate_polhead(q, mp, tunname, spmsg->spd_msg_spdid, 3083 spmsg->spd_msg_type, &itp); 3084 if (iph == NULL) 3085 return; 3086 3087 /* All-polheads-ready operations. */ 3088 switch (spmsg->spd_msg_type) { 3089 case SPD_FLUSH: 3090 if (itp != NULL) { 3091 mutex_enter(&itp->itp_lock); 3092 if (spmsg->spd_msg_spdid == SPD_ACTIVE) 3093 itp->itp_flags &= ~ITPF_PFLAGS; 3094 else 3095 itp->itp_flags &= ~ITPF_IFLAGS; 3096 mutex_exit(&itp->itp_lock); 3097 } 3098 3099 spdsock_flush(q, iph, itp, mp); 3100 3101 if (itp != NULL) { 3102 /* SPD_FLUSH is worth a tunnel MTU check. */ 3103 update_iptun_policy(itp); 3104 ITP_REFRELE(itp, ns); 3105 } 3106 return; 3107 case SPD_DUMP: 3108 if (itp != NULL) 3109 ITP_REFRELE(itp, ns); 3110 spdsock_dump(q, iph, mp); 3111 return; 3112 } 3113 3114 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) { 3115 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NOT_GLOBAL_OP); 3116 return; 3117 } 3118 3119 /* Single-polhead-only operations. */ 3120 switch (spmsg->spd_msg_type) { 3121 case SPD_ADDRULE: 3122 spdsock_addrule(q, iph, mp, extv, itp); 3123 break; 3124 case SPD_DELETERULE: 3125 spdsock_deleterule(q, iph, mp, extv, itp); 3126 break; 3127 case SPD_LOOKUP: 3128 spdsock_lookup(q, iph, mp, extv, itp); 3129 break; 3130 default: 3131 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_MSG_TYPE); 3132 break; 3133 } 3134 3135 IPPH_REFRELE(iph, ns); 3136 if (itp != NULL) { 3137 /* SPD_{ADD,DELETE}RULE are worth a tunnel MTU check. */ 3138 if (spmsg->spd_msg_type == SPD_ADDRULE || 3139 spmsg->spd_msg_type == SPD_DELETERULE) 3140 update_iptun_policy(itp); 3141 ITP_REFRELE(itp, ns); 3142 } 3143 } 3144 3145 /* 3146 * If an algorithm mapping was received before IPsec was loaded, process it. 3147 * Called from the IPsec loader. 3148 */ 3149 void 3150 spdsock_update_pending_algs(netstack_t *ns) 3151 { 3152 spd_stack_t *spds = ns->netstack_spdsock; 3153 3154 mutex_enter(&spds->spds_alg_lock); 3155 if (spds->spds_algs_pending) { 3156 (void) spdsock_do_updatealg(spds->spds_extv_algs, spds); 3157 spds->spds_algs_pending = B_FALSE; 3158 } 3159 mutex_exit(&spds->spds_alg_lock); 3160 } 3161 3162 static void 3163 spdsock_loadcheck(void *arg) 3164 { 3165 queue_t *q = (queue_t *)arg; 3166 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3167 mblk_t *mp; 3168 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 3169 3170 ASSERT(ss != NULL); 3171 3172 ss->spdsock_timeout = 0; 3173 mp = ss->spdsock_timeout_arg; 3174 ASSERT(mp != NULL); 3175 ss->spdsock_timeout_arg = NULL; 3176 if (ipsec_failed(ipss)) 3177 spdsock_error(q, mp, EPROTONOSUPPORT, 0); 3178 else 3179 spdsock_parse(q, mp); 3180 } 3181 3182 /* 3183 * Copy relevant state bits. 3184 */ 3185 static void 3186 spdsock_copy_info(struct T_info_ack *tap, spdsock_t *ss) 3187 { 3188 *tap = spdsock_g_t_info_ack; 3189 tap->CURRENT_state = ss->spdsock_state; 3190 tap->OPT_size = spdsock_max_optsize; 3191 } 3192 3193 /* 3194 * This routine responds to T_CAPABILITY_REQ messages. It is called by 3195 * spdsock_wput. Much of the T_CAPABILITY_ACK information is copied from 3196 * spdsock_g_t_info_ack. The current state of the stream is copied from 3197 * spdsock_state. 3198 */ 3199 static void 3200 spdsock_capability_req(queue_t *q, mblk_t *mp) 3201 { 3202 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3203 t_uscalar_t cap_bits1; 3204 struct T_capability_ack *tcap; 3205 3206 cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1; 3207 3208 mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack), 3209 mp->b_datap->db_type, T_CAPABILITY_ACK); 3210 if (mp == NULL) 3211 return; 3212 3213 tcap = (struct T_capability_ack *)mp->b_rptr; 3214 tcap->CAP_bits1 = 0; 3215 3216 if (cap_bits1 & TC1_INFO) { 3217 spdsock_copy_info(&tcap->INFO_ack, ss); 3218 tcap->CAP_bits1 |= TC1_INFO; 3219 } 3220 3221 qreply(q, mp); 3222 } 3223 3224 /* 3225 * This routine responds to T_INFO_REQ messages. It is called by 3226 * spdsock_wput_other. 3227 * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack. 3228 * The current state of the stream is copied from spdsock_state. 3229 */ 3230 static void 3231 spdsock_info_req(q, mp) 3232 queue_t *q; 3233 mblk_t *mp; 3234 { 3235 mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO, 3236 T_INFO_ACK); 3237 if (mp == NULL) 3238 return; 3239 spdsock_copy_info((struct T_info_ack *)mp->b_rptr, 3240 (spdsock_t *)q->q_ptr); 3241 qreply(q, mp); 3242 } 3243 3244 /* 3245 * spdsock_err_ack. This routine creates a 3246 * T_ERROR_ACK message and passes it 3247 * upstream. 3248 */ 3249 static void 3250 spdsock_err_ack(q, mp, t_error, sys_error) 3251 queue_t *q; 3252 mblk_t *mp; 3253 int t_error; 3254 int sys_error; 3255 { 3256 if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL) 3257 qreply(q, mp); 3258 } 3259 3260 /* 3261 * This routine retrieves the current status of socket options. 3262 * It returns the size of the option retrieved. 3263 */ 3264 /* ARGSUSED */ 3265 int 3266 spdsock_opt_get(queue_t *q, int level, int name, uchar_t *ptr) 3267 { 3268 int *i1 = (int *)ptr; 3269 3270 switch (level) { 3271 case SOL_SOCKET: 3272 switch (name) { 3273 case SO_TYPE: 3274 *i1 = SOCK_RAW; 3275 break; 3276 /* 3277 * The following two items can be manipulated, 3278 * but changing them should do nothing. 3279 */ 3280 case SO_SNDBUF: 3281 *i1 = (int)q->q_hiwat; 3282 break; 3283 case SO_RCVBUF: 3284 *i1 = (int)(RD(q)->q_hiwat); 3285 break; 3286 } 3287 break; 3288 default: 3289 return (0); 3290 } 3291 return (sizeof (int)); 3292 } 3293 3294 /* 3295 * This routine sets socket options. 3296 */ 3297 /* ARGSUSED */ 3298 int 3299 spdsock_opt_set(queue_t *q, uint_t mgmt_flags, int level, int name, 3300 uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp, 3301 void *thisdg_attrs, cred_t *cr) 3302 { 3303 int *i1 = (int *)invalp; 3304 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3305 spd_stack_t *spds = ss->spdsock_spds; 3306 3307 switch (level) { 3308 case SOL_SOCKET: 3309 switch (name) { 3310 case SO_SNDBUF: 3311 if (*i1 > spds->spds_max_buf) 3312 return (ENOBUFS); 3313 q->q_hiwat = *i1; 3314 break; 3315 case SO_RCVBUF: 3316 if (*i1 > spds->spds_max_buf) 3317 return (ENOBUFS); 3318 RD(q)->q_hiwat = *i1; 3319 (void) proto_set_rx_hiwat(RD(q), NULL, *i1); 3320 break; 3321 } 3322 break; 3323 } 3324 return (0); 3325 } 3326 3327 3328 /* 3329 * Handle STREAMS messages. 3330 */ 3331 static void 3332 spdsock_wput_other(queue_t *q, mblk_t *mp) 3333 { 3334 struct iocblk *iocp; 3335 int error; 3336 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3337 spd_stack_t *spds = ss->spdsock_spds; 3338 cred_t *cr; 3339 3340 switch (mp->b_datap->db_type) { 3341 case M_PROTO: 3342 case M_PCPROTO: 3343 if ((mp->b_wptr - mp->b_rptr) < sizeof (long)) { 3344 ss3dbg(spds, ( 3345 "spdsock_wput_other: Not big enough M_PROTO\n")); 3346 freemsg(mp); 3347 return; 3348 } 3349 switch (((union T_primitives *)mp->b_rptr)->type) { 3350 case T_CAPABILITY_REQ: 3351 spdsock_capability_req(q, mp); 3352 break; 3353 case T_INFO_REQ: 3354 spdsock_info_req(q, mp); 3355 break; 3356 case T_SVR4_OPTMGMT_REQ: 3357 case T_OPTMGMT_REQ: 3358 /* 3359 * All Solaris components should pass a db_credp 3360 * for this TPI message, hence we ASSERT. 3361 * But in case there is some other M_PROTO that looks 3362 * like a TPI message sent by some other kernel 3363 * component, we check and return an error. 3364 */ 3365 cr = msg_getcred(mp, NULL); 3366 ASSERT(cr != NULL); 3367 if (cr == NULL) { 3368 spdsock_err_ack(q, mp, TSYSERR, EINVAL); 3369 return; 3370 } 3371 if (((union T_primitives *)mp->b_rptr)->type == 3372 T_SVR4_OPTMGMT_REQ) { 3373 svr4_optcom_req(q, mp, cr, &spdsock_opt_obj); 3374 } else { 3375 tpi_optcom_req(q, mp, cr, &spdsock_opt_obj); 3376 } 3377 break; 3378 case T_DATA_REQ: 3379 case T_EXDATA_REQ: 3380 case T_ORDREL_REQ: 3381 /* Illegal for spdsock. */ 3382 freemsg(mp); 3383 (void) putnextctl1(RD(q), M_ERROR, EPROTO); 3384 break; 3385 default: 3386 /* Not supported by spdsock. */ 3387 spdsock_err_ack(q, mp, TNOTSUPPORT, 0); 3388 break; 3389 } 3390 return; 3391 case M_IOCTL: 3392 iocp = (struct iocblk *)mp->b_rptr; 3393 error = EINVAL; 3394 3395 switch (iocp->ioc_cmd) { 3396 case ND_SET: 3397 case ND_GET: 3398 if (nd_getset(q, spds->spds_g_nd, mp)) { 3399 qreply(q, mp); 3400 return; 3401 } else 3402 error = ENOENT; 3403 /* FALLTHRU */ 3404 default: 3405 miocnak(q, mp, 0, error); 3406 return; 3407 } 3408 case M_FLUSH: 3409 if (*mp->b_rptr & FLUSHW) { 3410 flushq(q, FLUSHALL); 3411 *mp->b_rptr &= ~FLUSHW; 3412 } 3413 if (*mp->b_rptr & FLUSHR) { 3414 qreply(q, mp); 3415 return; 3416 } 3417 /* Else FALLTHRU */ 3418 } 3419 3420 /* If fell through, just black-hole the message. */ 3421 freemsg(mp); 3422 } 3423 3424 static void 3425 spdsock_wput(queue_t *q, mblk_t *mp) 3426 { 3427 uint8_t *rptr = mp->b_rptr; 3428 mblk_t *mp1; 3429 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3430 spd_stack_t *spds = ss->spdsock_spds; 3431 3432 /* 3433 * If we're dumping, defer processing other messages until the 3434 * dump completes. 3435 */ 3436 if (ss->spdsock_dump_req != NULL) { 3437 if (!putq(q, mp)) 3438 freemsg(mp); 3439 return; 3440 } 3441 3442 switch (mp->b_datap->db_type) { 3443 case M_DATA: 3444 /* 3445 * Silently discard. 3446 */ 3447 ss2dbg(spds, ("raw M_DATA in spdsock.\n")); 3448 freemsg(mp); 3449 return; 3450 case M_PROTO: 3451 case M_PCPROTO: 3452 if ((mp->b_wptr - rptr) >= sizeof (struct T_data_req)) { 3453 if (((union T_primitives *)rptr)->type == T_DATA_REQ) { 3454 if ((mp1 = mp->b_cont) == NULL) { 3455 /* No data after T_DATA_REQ. */ 3456 ss2dbg(spds, 3457 ("No data after DATA_REQ.\n")); 3458 freemsg(mp); 3459 return; 3460 } 3461 freeb(mp); 3462 mp = mp1; 3463 ss2dbg(spds, ("T_DATA_REQ\n")); 3464 break; /* Out of switch. */ 3465 } 3466 } 3467 /* FALLTHRU */ 3468 default: 3469 ss3dbg(spds, ("In default wput case (%d %d).\n", 3470 mp->b_datap->db_type, ((union T_primitives *)rptr)->type)); 3471 spdsock_wput_other(q, mp); 3472 return; 3473 } 3474 3475 /* I now have a PF_POLICY message in an M_DATA block. */ 3476 spdsock_parse(q, mp); 3477 } 3478 3479 /* 3480 * Device open procedure, called when new queue pair created. 3481 * We are passed the read-side queue. 3482 */ 3483 /* ARGSUSED */ 3484 static int 3485 spdsock_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp) 3486 { 3487 spdsock_t *ss; 3488 queue_t *oq = OTHERQ(q); 3489 minor_t ssminor; 3490 netstack_t *ns; 3491 spd_stack_t *spds; 3492 3493 if (secpolicy_ip_config(credp, B_FALSE) != 0) 3494 return (EPERM); 3495 3496 if (q->q_ptr != NULL) 3497 return (0); /* Re-open of an already open instance. */ 3498 3499 if (sflag & MODOPEN) 3500 return (EINVAL); 3501 3502 ns = netstack_find_by_cred(credp); 3503 ASSERT(ns != NULL); 3504 spds = ns->netstack_spdsock; 3505 ASSERT(spds != NULL); 3506 3507 ss2dbg(spds, ("Made it into PF_POLICY socket open.\n")); 3508 3509 ssminor = (minor_t)(uintptr_t)vmem_alloc(spdsock_vmem, 1, VM_NOSLEEP); 3510 if (ssminor == 0) { 3511 netstack_rele(spds->spds_netstack); 3512 return (ENOMEM); 3513 } 3514 ss = kmem_zalloc(sizeof (spdsock_t), KM_NOSLEEP); 3515 if (ss == NULL) { 3516 vmem_free(spdsock_vmem, (void *)(uintptr_t)ssminor, 1); 3517 netstack_rele(spds->spds_netstack); 3518 return (ENOMEM); 3519 } 3520 3521 ss->spdsock_minor = ssminor; 3522 ss->spdsock_state = TS_UNBND; 3523 ss->spdsock_dump_req = NULL; 3524 3525 ss->spdsock_spds = spds; 3526 3527 q->q_ptr = ss; 3528 oq->q_ptr = ss; 3529 3530 q->q_hiwat = spds->spds_recv_hiwat; 3531 3532 oq->q_hiwat = spds->spds_xmit_hiwat; 3533 oq->q_lowat = spds->spds_xmit_lowat; 3534 3535 qprocson(q); 3536 (void) proto_set_rx_hiwat(q, NULL, spds->spds_recv_hiwat); 3537 3538 *devp = makedevice(getmajor(*devp), ss->spdsock_minor); 3539 return (0); 3540 } 3541 3542 /* 3543 * Read-side service procedure, invoked when we get back-enabled 3544 * when buffer space becomes available. 3545 * 3546 * Dump another chunk if we were dumping before; when we finish, kick 3547 * the write-side queue in case it's waiting for read queue space. 3548 */ 3549 void 3550 spdsock_rsrv(queue_t *q) 3551 { 3552 spdsock_t *ss = q->q_ptr; 3553 3554 if (ss->spdsock_dump_req != NULL) 3555 spdsock_dump_some(q, ss); 3556 3557 if (ss->spdsock_dump_req == NULL) 3558 qenable(OTHERQ(q)); 3559 } 3560 3561 /* 3562 * Write-side service procedure, invoked when we defer processing 3563 * if another message is received while a dump is in progress. 3564 */ 3565 void 3566 spdsock_wsrv(queue_t *q) 3567 { 3568 spdsock_t *ss = q->q_ptr; 3569 mblk_t *mp; 3570 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 3571 3572 if (ss->spdsock_dump_req != NULL) { 3573 qenable(OTHERQ(q)); 3574 return; 3575 } 3576 3577 while ((mp = getq(q)) != NULL) { 3578 if (ipsec_loaded(ipss)) { 3579 spdsock_wput(q, mp); 3580 if (ss->spdsock_dump_req != NULL) 3581 return; 3582 } else if (!ipsec_failed(ipss)) { 3583 (void) putq(q, mp); 3584 } else { 3585 spdsock_error(q, mp, EPFNOSUPPORT, 0); 3586 } 3587 } 3588 } 3589 3590 static int 3591 spdsock_close(queue_t *q) 3592 { 3593 spdsock_t *ss = q->q_ptr; 3594 spd_stack_t *spds = ss->spdsock_spds; 3595 3596 qprocsoff(q); 3597 3598 /* Safe assumption. */ 3599 ASSERT(ss != NULL); 3600 3601 if (ss->spdsock_timeout != 0) 3602 (void) quntimeout(q, ss->spdsock_timeout); 3603 3604 ss3dbg(spds, ("Driver close, PF_POLICY socket is going away.\n")); 3605 3606 vmem_free(spdsock_vmem, (void *)(uintptr_t)ss->spdsock_minor, 1); 3607 netstack_rele(ss->spdsock_spds->spds_netstack); 3608 3609 kmem_free(ss, sizeof (spdsock_t)); 3610 return (0); 3611 } 3612 3613 /* 3614 * Merge the IPsec algorithms tables with the received algorithm information. 3615 */ 3616 void 3617 spdsock_merge_algs(spd_stack_t *spds) 3618 { 3619 ipsec_alginfo_t *alg, *oalg; 3620 ipsec_algtype_t algtype; 3621 uint_t algidx, algid, nalgs; 3622 crypto_mech_name_t *mechs; 3623 uint_t mech_count, mech_idx; 3624 netstack_t *ns = spds->spds_netstack; 3625 ipsec_stack_t *ipss = ns->netstack_ipsec; 3626 3627 ASSERT(MUTEX_HELD(&spds->spds_alg_lock)); 3628 3629 /* 3630 * Get the list of supported mechanisms from the crypto framework. 3631 * If a mechanism is supported by KCF, resolve its mechanism 3632 * id and mark it as being valid. This operation must be done 3633 * without holding alg_lock, since it can cause a provider 3634 * module to be loaded and the provider notification callback to 3635 * be invoked. 3636 */ 3637 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP); 3638 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3639 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) { 3640 int algflags = 0; 3641 crypto_mech_type_t mt = CRYPTO_MECHANISM_INVALID; 3642 3643 alg = spds->spds_algs[algtype][algid]; 3644 if (alg == NULL) 3645 continue; 3646 3647 /* 3648 * The NULL encryption algorithm is a special 3649 * case because there are no mechanisms, yet 3650 * the algorithm is still valid. 3651 */ 3652 if (alg->alg_id == SADB_EALG_NULL) { 3653 alg->alg_mech_type = CRYPTO_MECHANISM_INVALID; 3654 alg->alg_flags |= ALG_FLAG_VALID; 3655 continue; 3656 } 3657 3658 for (mech_idx = 0; mech_idx < mech_count; mech_idx++) { 3659 if (strncmp(alg->alg_mech_name, mechs[mech_idx], 3660 CRYPTO_MAX_MECH_NAME) == 0) { 3661 mt = crypto_mech2id(alg->alg_mech_name); 3662 ASSERT(mt != CRYPTO_MECHANISM_INVALID); 3663 algflags = ALG_FLAG_VALID; 3664 break; 3665 } 3666 } 3667 alg->alg_mech_type = mt; 3668 alg->alg_flags |= algflags; 3669 } 3670 } 3671 3672 mutex_enter(&ipss->ipsec_alg_lock); 3673 3674 /* 3675 * For each algorithm currently defined, check if it is 3676 * present in the new tables created from the SPD_UPDATEALGS 3677 * message received from user-space. 3678 * Delete the algorithm entries that are currently defined 3679 * but not part of the new tables. 3680 */ 3681 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3682 nalgs = ipss->ipsec_nalgs[algtype]; 3683 for (algidx = 0; algidx < nalgs; algidx++) { 3684 algid = ipss->ipsec_sortlist[algtype][algidx]; 3685 if (spds->spds_algs[algtype][algid] == NULL) 3686 ipsec_alg_unreg(algtype, algid, ns); 3687 } 3688 } 3689 3690 /* 3691 * For each algorithm we just received, check if it is 3692 * present in the currently defined tables. If it is, swap 3693 * the entry with the one we just allocated. 3694 * If the new algorithm is not in the current tables, 3695 * add it. 3696 */ 3697 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3698 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) { 3699 alg = spds->spds_algs[algtype][algid]; 3700 if (alg == NULL) 3701 continue; 3702 3703 if ((oalg = ipss->ipsec_alglists[algtype][algid]) == 3704 NULL) { 3705 /* 3706 * New algorithm, add it to the algorithm 3707 * table. 3708 */ 3709 ipsec_alg_reg(algtype, alg, ns); 3710 } else { 3711 /* 3712 * Algorithm is already in the table. Swap 3713 * the existing entry with the new one. 3714 */ 3715 ipsec_alg_fix_min_max(alg, algtype, ns); 3716 ipss->ipsec_alglists[algtype][algid] = alg; 3717 ipsec_alg_free(oalg); 3718 } 3719 spds->spds_algs[algtype][algid] = NULL; 3720 } 3721 } 3722 3723 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3724 ipss->ipsec_algs_exec_mode[algtype] = 3725 spds->spds_algs_exec_mode[algtype]; 3726 } 3727 3728 mutex_exit(&ipss->ipsec_alg_lock); 3729 3730 crypto_free_mech_list(mechs, mech_count); 3731 3732 ipsecah_algs_changed(ns); 3733 ipsecesp_algs_changed(ns); 3734 } 3735