1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/param.h> 27 #include <sys/types.h> 28 #include <sys/stream.h> 29 #include <sys/strsubr.h> 30 #include <sys/strsun.h> 31 #include <sys/stropts.h> 32 #include <sys/zone.h> 33 #include <sys/vnode.h> 34 #include <sys/sysmacros.h> 35 #define _SUN_TPI_VERSION 2 36 #include <sys/tihdr.h> 37 #include <sys/ddi.h> 38 #include <sys/sunddi.h> 39 #include <sys/mkdev.h> 40 #include <sys/debug.h> 41 #include <sys/kmem.h> 42 #include <sys/cmn_err.h> 43 #include <sys/suntpi.h> 44 #include <sys/policy.h> 45 #include <sys/dls.h> 46 47 #include <sys/socket.h> 48 #include <netinet/in.h> 49 #include <net/pfkeyv2.h> 50 #include <net/pfpolicy.h> 51 52 #include <inet/common.h> 53 #include <netinet/ip6.h> 54 #include <inet/ip.h> 55 #include <inet/ip6.h> 56 #include <inet/mi.h> 57 #include <inet/proto_set.h> 58 #include <inet/nd.h> 59 #include <inet/ip_if.h> 60 #include <inet/optcom.h> 61 #include <inet/ipsec_impl.h> 62 #include <inet/spdsock.h> 63 #include <inet/sadb.h> 64 #include <inet/iptun.h> 65 #include <inet/iptun/iptun_impl.h> 66 67 #include <sys/isa_defs.h> 68 69 #include <c2/audit.h> 70 71 /* 72 * This is a transport provider for the PF_POLICY IPsec policy 73 * management socket, which provides a management interface into the 74 * SPD, allowing policy rules to be added, deleted, and queried. 75 * 76 * This effectively replaces the old private SIOC*IPSECONFIG ioctls 77 * with an extensible interface which will hopefully be public some 78 * day. 79 * 80 * See <net/pfpolicy.h> for more details on the protocol. 81 * 82 * We link against drv/ip and call directly into it to manipulate the 83 * SPD; see ipsec_impl.h for the policy data structures and spd.c for 84 * the code which maintains them. 85 * 86 * The MT model of this is QPAIR with the addition of some explicit 87 * locking to protect system-wide policy data structures. 88 */ 89 90 static vmem_t *spdsock_vmem; /* for minor numbers. */ 91 92 #define ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t)) 93 94 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */ 95 static struct T_info_ack spdsock_g_t_info_ack = { 96 T_INFO_ACK, 97 T_INFINITE, /* TSDU_size. Maximum size messages. */ 98 T_INVALID, /* ETSDU_size. No expedited data. */ 99 T_INVALID, /* CDATA_size. No connect data. */ 100 T_INVALID, /* DDATA_size. No disconnect data. */ 101 0, /* ADDR_size. */ 102 0, /* OPT_size. No user-settable options */ 103 64 * 1024, /* TIDU_size. spdsock allows maximum size messages. */ 104 T_COTS, /* SERV_type. spdsock supports connection oriented. */ 105 TS_UNBND, /* CURRENT_state. This is set from spdsock_state. */ 106 (XPG4_1) /* Provider flags */ 107 }; 108 109 /* Named Dispatch Parameter Management Structure */ 110 typedef struct spdsockparam_s { 111 uint_t spdsock_param_min; 112 uint_t spdsock_param_max; 113 uint_t spdsock_param_value; 114 char *spdsock_param_name; 115 } spdsockparam_t; 116 117 /* 118 * Table of NDD variables supported by spdsock. These are loaded into 119 * spdsock_g_nd in spdsock_init_nd. 120 * All of these are alterable, within the min/max values given, at run time. 121 */ 122 static spdsockparam_t lcl_param_arr[] = { 123 /* min max value name */ 124 { 4096, 65536, 8192, "spdsock_xmit_hiwat"}, 125 { 0, 65536, 1024, "spdsock_xmit_lowat"}, 126 { 4096, 65536, 8192, "spdsock_recv_hiwat"}, 127 { 65536, 1024*1024*1024, 256*1024, "spdsock_max_buf"}, 128 { 0, 3, 0, "spdsock_debug"}, 129 }; 130 #define spds_xmit_hiwat spds_params[0].spdsock_param_value 131 #define spds_xmit_lowat spds_params[1].spdsock_param_value 132 #define spds_recv_hiwat spds_params[2].spdsock_param_value 133 #define spds_max_buf spds_params[3].spdsock_param_value 134 #define spds_debug spds_params[4].spdsock_param_value 135 136 #define ss0dbg(a) printf a 137 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */ 138 #define ss1dbg(spds, a) if (spds->spds_debug != 0) printf a 139 #define ss2dbg(spds, a) if (spds->spds_debug > 1) printf a 140 #define ss3dbg(spds, a) if (spds->spds_debug > 2) printf a 141 142 #define RESET_SPDSOCK_DUMP_POLHEAD(ss, iph) { \ 143 ASSERT(RW_READ_HELD(&(iph)->iph_lock)); \ 144 (ss)->spdsock_dump_head = (iph); \ 145 (ss)->spdsock_dump_gen = (iph)->iph_gen; \ 146 (ss)->spdsock_dump_cur_type = 0; \ 147 (ss)->spdsock_dump_cur_af = IPSEC_AF_V4; \ 148 (ss)->spdsock_dump_cur_rule = NULL; \ 149 (ss)->spdsock_dump_count = 0; \ 150 (ss)->spdsock_dump_cur_chain = 0; \ 151 } 152 153 static int spdsock_close(queue_t *); 154 static int spdsock_open(queue_t *, dev_t *, int, int, cred_t *); 155 static void spdsock_wput(queue_t *, mblk_t *); 156 static void spdsock_wsrv(queue_t *); 157 static void spdsock_rsrv(queue_t *); 158 static void *spdsock_stack_init(netstackid_t stackid, netstack_t *ns); 159 static void spdsock_stack_fini(netstackid_t stackid, void *arg); 160 static void spdsock_loadcheck(void *); 161 static void spdsock_merge_algs(spd_stack_t *); 162 static void spdsock_flush_one(ipsec_policy_head_t *, netstack_t *); 163 static mblk_t *spdsock_dump_next_record(spdsock_t *); 164 165 static struct module_info info = { 166 5138, "spdsock", 1, INFPSZ, 512, 128 167 }; 168 169 static struct qinit rinit = { 170 NULL, (pfi_t)spdsock_rsrv, spdsock_open, spdsock_close, 171 NULL, &info 172 }; 173 174 static struct qinit winit = { 175 (pfi_t)spdsock_wput, (pfi_t)spdsock_wsrv, NULL, NULL, NULL, &info 176 }; 177 178 struct streamtab spdsockinfo = { 179 &rinit, &winit 180 }; 181 182 /* mapping from alg type to protocol number, as per RFC 2407 */ 183 static const uint_t algproto[] = { 184 PROTO_IPSEC_AH, 185 PROTO_IPSEC_ESP, 186 }; 187 188 #define NALGPROTOS (sizeof (algproto) / sizeof (algproto[0])) 189 190 /* mapping from kernel exec mode to spdsock exec mode */ 191 static const uint_t execmodes[] = { 192 SPD_ALG_EXEC_MODE_SYNC, 193 SPD_ALG_EXEC_MODE_ASYNC 194 }; 195 196 #define NEXECMODES (sizeof (execmodes) / sizeof (execmodes[0])) 197 198 #define ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1) 199 #define ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2) 200 201 #define ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL) 202 203 /* ARGSUSED */ 204 static int 205 spdsock_param_get(q, mp, cp, cr) 206 queue_t *q; 207 mblk_t *mp; 208 caddr_t cp; 209 cred_t *cr; 210 { 211 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp; 212 uint_t value; 213 spdsock_t *ss = (spdsock_t *)q->q_ptr; 214 spd_stack_t *spds = ss->spdsock_spds; 215 216 mutex_enter(&spds->spds_param_lock); 217 value = spdsockpa->spdsock_param_value; 218 mutex_exit(&spds->spds_param_lock); 219 220 (void) mi_mpprintf(mp, "%u", value); 221 return (0); 222 } 223 224 /* This routine sets an NDD variable in a spdsockparam_t structure. */ 225 /* ARGSUSED */ 226 static int 227 spdsock_param_set(q, mp, value, cp, cr) 228 queue_t *q; 229 mblk_t *mp; 230 char *value; 231 caddr_t cp; 232 cred_t *cr; 233 { 234 ulong_t new_value; 235 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp; 236 spdsock_t *ss = (spdsock_t *)q->q_ptr; 237 spd_stack_t *spds = ss->spdsock_spds; 238 239 /* Convert the value from a string into a long integer. */ 240 if (ddi_strtoul(value, NULL, 10, &new_value) != 0) 241 return (EINVAL); 242 243 mutex_enter(&spds->spds_param_lock); 244 /* 245 * Fail the request if the new value does not lie within the 246 * required bounds. 247 */ 248 if (new_value < spdsockpa->spdsock_param_min || 249 new_value > spdsockpa->spdsock_param_max) { 250 mutex_exit(&spds->spds_param_lock); 251 return (EINVAL); 252 } 253 254 /* Set the new value */ 255 spdsockpa->spdsock_param_value = new_value; 256 mutex_exit(&spds->spds_param_lock); 257 258 return (0); 259 } 260 261 /* 262 * Initialize at module load time 263 */ 264 boolean_t 265 spdsock_ddi_init(void) 266 { 267 spdsock_max_optsize = optcom_max_optsize( 268 spdsock_opt_obj.odb_opt_des_arr, spdsock_opt_obj.odb_opt_arr_cnt); 269 270 spdsock_vmem = vmem_create("spdsock", (void *)1, MAXMIN, 1, 271 NULL, NULL, NULL, 1, VM_SLEEP | VMC_IDENTIFIER); 272 273 /* 274 * We want to be informed each time a stack is created or 275 * destroyed in the kernel, so we can maintain the 276 * set of spd_stack_t's. 277 */ 278 netstack_register(NS_SPDSOCK, spdsock_stack_init, NULL, 279 spdsock_stack_fini); 280 281 return (B_TRUE); 282 } 283 284 /* 285 * Walk through the param array specified registering each element with the 286 * named dispatch handler. 287 */ 288 static boolean_t 289 spdsock_param_register(IDP *ndp, spdsockparam_t *ssp, int cnt) 290 { 291 for (; cnt-- > 0; ssp++) { 292 if (ssp->spdsock_param_name != NULL && 293 ssp->spdsock_param_name[0]) { 294 if (!nd_load(ndp, 295 ssp->spdsock_param_name, 296 spdsock_param_get, spdsock_param_set, 297 (caddr_t)ssp)) { 298 nd_free(ndp); 299 return (B_FALSE); 300 } 301 } 302 } 303 return (B_TRUE); 304 } 305 306 /* 307 * Initialize for each stack instance 308 */ 309 /* ARGSUSED */ 310 static void * 311 spdsock_stack_init(netstackid_t stackid, netstack_t *ns) 312 { 313 spd_stack_t *spds; 314 spdsockparam_t *ssp; 315 316 spds = (spd_stack_t *)kmem_zalloc(sizeof (*spds), KM_SLEEP); 317 spds->spds_netstack = ns; 318 319 ASSERT(spds->spds_g_nd == NULL); 320 321 ssp = (spdsockparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP); 322 spds->spds_params = ssp; 323 bcopy(lcl_param_arr, ssp, sizeof (lcl_param_arr)); 324 325 (void) spdsock_param_register(&spds->spds_g_nd, ssp, 326 A_CNT(lcl_param_arr)); 327 328 mutex_init(&spds->spds_param_lock, NULL, MUTEX_DEFAULT, NULL); 329 mutex_init(&spds->spds_alg_lock, NULL, MUTEX_DEFAULT, NULL); 330 331 return (spds); 332 } 333 334 void 335 spdsock_ddi_destroy(void) 336 { 337 vmem_destroy(spdsock_vmem); 338 339 netstack_unregister(NS_SPDSOCK); 340 } 341 342 /* ARGSUSED */ 343 static void 344 spdsock_stack_fini(netstackid_t stackid, void *arg) 345 { 346 spd_stack_t *spds = (spd_stack_t *)arg; 347 348 freemsg(spds->spds_mp_algs); 349 mutex_destroy(&spds->spds_param_lock); 350 mutex_destroy(&spds->spds_alg_lock); 351 nd_free(&spds->spds_g_nd); 352 kmem_free(spds->spds_params, sizeof (lcl_param_arr)); 353 spds->spds_params = NULL; 354 355 kmem_free(spds, sizeof (*spds)); 356 } 357 358 /* 359 * NOTE: large quantities of this should be shared with keysock. 360 * Would be nice to combine some of this into a common module, but 361 * not possible given time pressures. 362 */ 363 364 /* 365 * High-level reality checking of extensions. 366 */ 367 /* ARGSUSED */ /* XXX */ 368 static boolean_t 369 ext_check(spd_ext_t *ext) 370 { 371 spd_if_t *tunname = (spd_if_t *)ext; 372 int i; 373 char *idstr; 374 375 if (ext->spd_ext_type == SPD_EXT_TUN_NAME) { 376 /* (NOTE: Modified from SADB_EXT_IDENTITY..) */ 377 378 /* 379 * Make sure the strings in these identities are 380 * null-terminated. Let's "proactively" null-terminate the 381 * string at the last byte if it's not terminated sooner. 382 */ 383 i = SPD_64TO8(tunname->spd_if_len) - sizeof (spd_if_t); 384 idstr = (char *)(tunname + 1); 385 while (*idstr != '\0' && i > 0) { 386 i--; 387 idstr++; 388 } 389 if (i == 0) { 390 /* 391 * I.e., if the bozo user didn't NULL-terminate the 392 * string... 393 */ 394 idstr--; 395 *idstr = '\0'; 396 } 397 } 398 return (B_TRUE); /* For now... */ 399 } 400 401 402 403 /* Return values for spdsock_get_ext(). */ 404 #define KGE_OK 0 405 #define KGE_DUP 1 406 #define KGE_UNK 2 407 #define KGE_LEN 3 408 #define KGE_CHK 4 409 410 /* 411 * Parse basic extension headers and return in the passed-in pointer vector. 412 * Return values include: 413 * 414 * KGE_OK Everything's nice and parsed out. 415 * If there are no extensions, place NULL in extv[0]. 416 * KGE_DUP There is a duplicate extension. 417 * First instance in appropriate bin. First duplicate in 418 * extv[0]. 419 * KGE_UNK Unknown extension type encountered. extv[0] contains 420 * unknown header. 421 * KGE_LEN Extension length error. 422 * KGE_CHK High-level reality check failed on specific extension. 423 * 424 * My apologies for some of the pointer arithmetic in here. I'm thinking 425 * like an assembly programmer, yet trying to make the compiler happy. 426 */ 427 static int 428 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize) 429 { 430 bzero(extv, sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1)); 431 432 /* Use extv[0] as the "current working pointer". */ 433 434 extv[0] = (spd_ext_t *)(basehdr + 1); 435 436 while (extv[0] < (spd_ext_t *)(((uint8_t *)basehdr) + msgsize)) { 437 /* Check for unknown headers. */ 438 if (extv[0]->spd_ext_type == 0 || 439 extv[0]->spd_ext_type > SPD_EXT_MAX) 440 return (KGE_UNK); 441 442 /* 443 * Check length. Use uint64_t because extlen is in units 444 * of 64-bit words. If length goes beyond the msgsize, 445 * return an error. (Zero length also qualifies here.) 446 */ 447 if (extv[0]->spd_ext_len == 0 || 448 (void *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) > 449 (void *)((uint8_t *)basehdr + msgsize)) 450 return (KGE_LEN); 451 452 /* Check for redundant headers. */ 453 if (extv[extv[0]->spd_ext_type] != NULL) 454 return (KGE_DUP); 455 456 /* 457 * Reality check the extension if possible at the spdsock 458 * level. 459 */ 460 if (!ext_check(extv[0])) 461 return (KGE_CHK); 462 463 /* If I make it here, assign the appropriate bin. */ 464 extv[extv[0]->spd_ext_type] = extv[0]; 465 466 /* Advance pointer (See above for uint64_t ptr reasoning.) */ 467 extv[0] = (spd_ext_t *) 468 ((uint64_t *)extv[0] + extv[0]->spd_ext_len); 469 } 470 471 /* Everything's cool. */ 472 473 /* 474 * If extv[0] == NULL, then there are no extension headers in this 475 * message. Ensure that this is the case. 476 */ 477 if (extv[0] == (spd_ext_t *)(basehdr + 1)) 478 extv[0] = NULL; 479 480 return (KGE_OK); 481 } 482 483 static const int bad_ext_diag[] = { 484 SPD_DIAGNOSTIC_MALFORMED_LCLPORT, 485 SPD_DIAGNOSTIC_MALFORMED_REMPORT, 486 SPD_DIAGNOSTIC_MALFORMED_PROTO, 487 SPD_DIAGNOSTIC_MALFORMED_LCLADDR, 488 SPD_DIAGNOSTIC_MALFORMED_REMADDR, 489 SPD_DIAGNOSTIC_MALFORMED_ACTION, 490 SPD_DIAGNOSTIC_MALFORMED_RULE, 491 SPD_DIAGNOSTIC_MALFORMED_RULESET, 492 SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE 493 }; 494 495 static const int dup_ext_diag[] = { 496 SPD_DIAGNOSTIC_DUPLICATE_LCLPORT, 497 SPD_DIAGNOSTIC_DUPLICATE_REMPORT, 498 SPD_DIAGNOSTIC_DUPLICATE_PROTO, 499 SPD_DIAGNOSTIC_DUPLICATE_LCLADDR, 500 SPD_DIAGNOSTIC_DUPLICATE_REMADDR, 501 SPD_DIAGNOSTIC_DUPLICATE_ACTION, 502 SPD_DIAGNOSTIC_DUPLICATE_RULE, 503 SPD_DIAGNOSTIC_DUPLICATE_RULESET, 504 SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE 505 }; 506 507 /* 508 * Transmit a PF_POLICY error message to the instance either pointed to 509 * by ks, the instance with serial number serial, or more, depending. 510 * 511 * The faulty message (or a reasonable facsimile thereof) is in mp. 512 * This function will free mp or recycle it for delivery, thereby causing 513 * the stream head to free it. 514 */ 515 static void 516 spdsock_error(queue_t *q, mblk_t *mp, int error, int diagnostic) 517 { 518 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 519 520 ASSERT(mp->b_datap->db_type == M_DATA); 521 522 if (spmsg->spd_msg_type < SPD_MIN || 523 spmsg->spd_msg_type > SPD_MAX) 524 spmsg->spd_msg_type = SPD_RESERVED; 525 526 /* 527 * Strip out extension headers. 528 */ 529 ASSERT(mp->b_rptr + sizeof (*spmsg) <= mp->b_datap->db_lim); 530 mp->b_wptr = mp->b_rptr + sizeof (*spmsg); 531 spmsg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t)); 532 spmsg->spd_msg_errno = (uint8_t)error; 533 spmsg->spd_msg_diagnostic = (uint16_t)diagnostic; 534 535 qreply(q, mp); 536 } 537 538 static void 539 spdsock_diag(queue_t *q, mblk_t *mp, int diagnostic) 540 { 541 spdsock_error(q, mp, EINVAL, diagnostic); 542 } 543 544 static void 545 spd_echo(queue_t *q, mblk_t *mp) 546 { 547 qreply(q, mp); 548 } 549 550 /* 551 * Do NOT consume a reference to itp. 552 */ 553 /*ARGSUSED*/ 554 static void 555 spdsock_flush_node(ipsec_tun_pol_t *itp, void *cookie, netstack_t *ns) 556 { 557 boolean_t active = (boolean_t)cookie; 558 ipsec_policy_head_t *iph; 559 560 iph = active ? itp->itp_policy : itp->itp_inactive; 561 IPPH_REFHOLD(iph); 562 mutex_enter(&itp->itp_lock); 563 spdsock_flush_one(iph, ns); 564 if (active) 565 itp->itp_flags &= ~ITPF_PFLAGS; 566 else 567 itp->itp_flags &= ~ITPF_IFLAGS; 568 mutex_exit(&itp->itp_lock); 569 } 570 571 /* 572 * Clear out one polhead. 573 */ 574 static void 575 spdsock_flush_one(ipsec_policy_head_t *iph, netstack_t *ns) 576 { 577 rw_enter(&iph->iph_lock, RW_WRITER); 578 ipsec_polhead_flush(iph, ns); 579 rw_exit(&iph->iph_lock); 580 IPPH_REFRELE(iph, ns); 581 } 582 583 static void 584 spdsock_flush(queue_t *q, ipsec_policy_head_t *iph, ipsec_tun_pol_t *itp, 585 mblk_t *mp) 586 { 587 boolean_t active; 588 spdsock_t *ss = (spdsock_t *)q->q_ptr; 589 netstack_t *ns = ss->spdsock_spds->spds_netstack; 590 591 if (iph != ALL_ACTIVE_POLHEADS && iph != ALL_INACTIVE_POLHEADS) { 592 spdsock_flush_one(iph, ns); 593 if (audit_active) { 594 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 595 cred_t *cr; 596 pid_t cpid; 597 598 cr = msg_getcred(mp, &cpid); 599 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 600 audit_pf_policy(SPD_FLUSH, cr, ns, 601 ITP_NAME(itp), active, 0, cpid); 602 } 603 } else { 604 active = (iph == ALL_ACTIVE_POLHEADS); 605 606 /* First flush the global policy. */ 607 spdsock_flush_one(active ? ipsec_system_policy(ns) : 608 ipsec_inactive_policy(ns), ns); 609 if (audit_active) { 610 cred_t *cr; 611 pid_t cpid; 612 613 cr = msg_getcred(mp, &cpid); 614 audit_pf_policy(SPD_FLUSH, cr, ns, NULL, 615 active, 0, cpid); 616 } 617 /* Then flush every tunnel's appropriate one. */ 618 itp_walk(spdsock_flush_node, (void *)active, ns); 619 if (audit_active) { 620 cred_t *cr; 621 pid_t cpid; 622 623 cr = msg_getcred(mp, &cpid); 624 audit_pf_policy(SPD_FLUSH, cr, ns, 625 "all tunnels", active, 0, cpid); 626 } 627 } 628 629 spd_echo(q, mp); 630 } 631 632 static boolean_t 633 spdsock_ext_to_sel(spd_ext_t **extv, ipsec_selkey_t *sel, int *diag) 634 { 635 bzero(sel, sizeof (*sel)); 636 637 if (extv[SPD_EXT_PROTO] != NULL) { 638 struct spd_proto *pr = 639 (struct spd_proto *)extv[SPD_EXT_PROTO]; 640 sel->ipsl_proto = pr->spd_proto_number; 641 sel->ipsl_valid |= IPSL_PROTOCOL; 642 } 643 if (extv[SPD_EXT_LCLPORT] != NULL) { 644 struct spd_portrange *pr = 645 (struct spd_portrange *)extv[SPD_EXT_LCLPORT]; 646 sel->ipsl_lport = pr->spd_ports_minport; 647 sel->ipsl_valid |= IPSL_LOCAL_PORT; 648 } 649 if (extv[SPD_EXT_REMPORT] != NULL) { 650 struct spd_portrange *pr = 651 (struct spd_portrange *)extv[SPD_EXT_REMPORT]; 652 sel->ipsl_rport = pr->spd_ports_minport; 653 sel->ipsl_valid |= IPSL_REMOTE_PORT; 654 } 655 656 if (extv[SPD_EXT_ICMP_TYPECODE] != NULL) { 657 struct spd_typecode *tc= 658 (struct spd_typecode *)extv[SPD_EXT_ICMP_TYPECODE]; 659 660 sel->ipsl_valid |= IPSL_ICMP_TYPE; 661 sel->ipsl_icmp_type = tc->spd_typecode_type; 662 if (tc->spd_typecode_type_end < tc->spd_typecode_type) 663 sel->ipsl_icmp_type_end = tc->spd_typecode_type; 664 else 665 sel->ipsl_icmp_type_end = tc->spd_typecode_type_end; 666 667 if (tc->spd_typecode_code != 255) { 668 sel->ipsl_valid |= IPSL_ICMP_CODE; 669 sel->ipsl_icmp_code = tc->spd_typecode_code; 670 if (tc->spd_typecode_code_end < tc->spd_typecode_code) 671 sel->ipsl_icmp_code_end = tc->spd_typecode_code; 672 else 673 sel->ipsl_icmp_code_end = 674 tc->spd_typecode_code_end; 675 } 676 } 677 #define ADDR2SEL(sel, extv, field, pfield, extn, bit) \ 678 if ((extv)[(extn)] != NULL) { \ 679 uint_t addrlen; \ 680 struct spd_address *ap = \ 681 (struct spd_address *)((extv)[(extn)]); \ 682 addrlen = (ap->spd_address_af == AF_INET6) ? \ 683 IPV6_ADDR_LEN : IP_ADDR_LEN; \ 684 if (SPD_64TO8(ap->spd_address_len) < \ 685 (addrlen + sizeof (*ap))) { \ 686 *diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN; \ 687 return (B_FALSE); \ 688 } \ 689 bcopy((ap+1), &((sel)->field), addrlen); \ 690 (sel)->pfield = ap->spd_address_prefixlen; \ 691 (sel)->ipsl_valid |= (bit); \ 692 (sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ? \ 693 IPSL_IPV6 : IPSL_IPV4; \ 694 } 695 696 ADDR2SEL(sel, extv, ipsl_local, ipsl_local_pfxlen, 697 SPD_EXT_LCLADDR, IPSL_LOCAL_ADDR); 698 ADDR2SEL(sel, extv, ipsl_remote, ipsl_remote_pfxlen, 699 SPD_EXT_REMADDR, IPSL_REMOTE_ADDR); 700 701 if ((sel->ipsl_valid & (IPSL_IPV6|IPSL_IPV4)) == 702 (IPSL_IPV6|IPSL_IPV4)) { 703 *diag = SPD_DIAGNOSTIC_MIXED_AF; 704 return (B_FALSE); 705 } 706 707 #undef ADDR2SEL 708 709 return (B_TRUE); 710 } 711 712 static boolean_t 713 spd_convert_type(uint32_t type, ipsec_act_t *act) 714 { 715 switch (type) { 716 case SPD_ACTTYPE_DROP: 717 act->ipa_type = IPSEC_ACT_DISCARD; 718 return (B_TRUE); 719 720 case SPD_ACTTYPE_PASS: 721 act->ipa_type = IPSEC_ACT_CLEAR; 722 return (B_TRUE); 723 724 case SPD_ACTTYPE_IPSEC: 725 act->ipa_type = IPSEC_ACT_APPLY; 726 return (B_TRUE); 727 } 728 return (B_FALSE); 729 } 730 731 static boolean_t 732 spd_convert_flags(uint32_t flags, ipsec_act_t *act) 733 { 734 /* 735 * Note use of !! for boolean canonicalization. 736 */ 737 act->ipa_apply.ipp_use_ah = !!(flags & SPD_APPLY_AH); 738 act->ipa_apply.ipp_use_esp = !!(flags & SPD_APPLY_ESP); 739 act->ipa_apply.ipp_use_espa = !!(flags & SPD_APPLY_ESPA); 740 act->ipa_apply.ipp_use_se = !!(flags & SPD_APPLY_SE); 741 act->ipa_apply.ipp_use_unique = !!(flags & SPD_APPLY_UNIQUE); 742 return (B_TRUE); 743 } 744 745 static void 746 spdsock_reset_act(ipsec_act_t *act) 747 { 748 bzero(act, sizeof (*act)); 749 act->ipa_apply.ipp_espe_maxbits = IPSEC_MAX_KEYBITS; 750 act->ipa_apply.ipp_espa_maxbits = IPSEC_MAX_KEYBITS; 751 act->ipa_apply.ipp_ah_maxbits = IPSEC_MAX_KEYBITS; 752 } 753 754 /* 755 * Sanity check action against reality, and shrink-wrap key sizes.. 756 */ 757 static boolean_t 758 spdsock_check_action(ipsec_act_t *act, boolean_t tunnel_polhead, int *diag, 759 spd_stack_t *spds) 760 { 761 if (tunnel_polhead && act->ipa_apply.ipp_use_unique) { 762 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 763 return (B_FALSE); 764 } 765 if ((act->ipa_type != IPSEC_ACT_APPLY) && 766 (act->ipa_apply.ipp_use_ah || 767 act->ipa_apply.ipp_use_esp || 768 act->ipa_apply.ipp_use_espa || 769 act->ipa_apply.ipp_use_se || 770 act->ipa_apply.ipp_use_unique)) { 771 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 772 return (B_FALSE); 773 } 774 if ((act->ipa_type == IPSEC_ACT_APPLY) && 775 !act->ipa_apply.ipp_use_ah && 776 !act->ipa_apply.ipp_use_esp) { 777 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 778 return (B_FALSE); 779 } 780 return (ipsec_check_action(act, diag, spds->spds_netstack)); 781 } 782 783 /* 784 * We may be short a few error checks here.. 785 */ 786 static boolean_t 787 spdsock_ext_to_actvec(spd_ext_t **extv, ipsec_act_t **actpp, uint_t *nactp, 788 int *diag, spd_stack_t *spds) 789 { 790 struct spd_ext_actions *sactp = 791 (struct spd_ext_actions *)extv[SPD_EXT_ACTION]; 792 ipsec_act_t act, *actp, *endactp; 793 struct spd_attribute *attrp, *endattrp; 794 uint64_t *endp; 795 int nact; 796 boolean_t tunnel_polhead; 797 798 tunnel_polhead = (extv[SPD_EXT_TUN_NAME] != NULL && 799 (((struct spd_rule *)extv[SPD_EXT_RULE])->spd_rule_flags & 800 SPD_RULE_FLAG_TUNNEL)); 801 802 *actpp = NULL; 803 *nactp = 0; 804 805 if (sactp == NULL) { 806 *diag = SPD_DIAGNOSTIC_NO_ACTION_EXT; 807 return (B_FALSE); 808 } 809 810 /* 811 * Parse the "action" extension and convert into an action chain. 812 */ 813 814 nact = sactp->spd_actions_count; 815 816 endp = (uint64_t *)sactp; 817 endp += sactp->spd_actions_len; 818 endattrp = (struct spd_attribute *)endp; 819 820 actp = kmem_alloc(sizeof (*actp) * nact, KM_NOSLEEP); 821 if (actp == NULL) { 822 *diag = SPD_DIAGNOSTIC_ADD_NO_MEM; 823 return (B_FALSE); 824 } 825 *actpp = actp; 826 *nactp = nact; 827 endactp = actp + nact; 828 829 spdsock_reset_act(&act); 830 attrp = (struct spd_attribute *)(&sactp[1]); 831 832 for (; attrp < endattrp; attrp++) { 833 switch (attrp->spd_attr_tag) { 834 case SPD_ATTR_NOP: 835 break; 836 837 case SPD_ATTR_EMPTY: 838 spdsock_reset_act(&act); 839 break; 840 841 case SPD_ATTR_END: 842 attrp = endattrp; 843 /* FALLTHRU */ 844 case SPD_ATTR_NEXT: 845 if (actp >= endactp) { 846 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT; 847 goto fail; 848 } 849 if (!spdsock_check_action(&act, tunnel_polhead, 850 diag, spds)) 851 goto fail; 852 *actp++ = act; 853 spdsock_reset_act(&act); 854 break; 855 856 case SPD_ATTR_TYPE: 857 if (!spd_convert_type(attrp->spd_attr_value, &act)) { 858 *diag = SPD_DIAGNOSTIC_ADD_BAD_TYPE; 859 goto fail; 860 } 861 break; 862 863 case SPD_ATTR_FLAGS: 864 if (!tunnel_polhead && extv[SPD_EXT_TUN_NAME] != NULL) { 865 /* 866 * Set "sa unique" for transport-mode 867 * tunnels whether we want to or not. 868 */ 869 attrp->spd_attr_value |= SPD_APPLY_UNIQUE; 870 } 871 if (!spd_convert_flags(attrp->spd_attr_value, &act)) { 872 *diag = SPD_DIAGNOSTIC_ADD_BAD_FLAGS; 873 goto fail; 874 } 875 break; 876 877 case SPD_ATTR_AH_AUTH: 878 if (attrp->spd_attr_value == 0) { 879 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG; 880 goto fail; 881 } 882 act.ipa_apply.ipp_auth_alg = attrp->spd_attr_value; 883 break; 884 885 case SPD_ATTR_ESP_ENCR: 886 if (attrp->spd_attr_value == 0) { 887 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG; 888 goto fail; 889 } 890 act.ipa_apply.ipp_encr_alg = attrp->spd_attr_value; 891 break; 892 893 case SPD_ATTR_ESP_AUTH: 894 if (attrp->spd_attr_value == 0) { 895 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG; 896 goto fail; 897 } 898 act.ipa_apply.ipp_esp_auth_alg = attrp->spd_attr_value; 899 break; 900 901 case SPD_ATTR_ENCR_MINBITS: 902 act.ipa_apply.ipp_espe_minbits = attrp->spd_attr_value; 903 break; 904 905 case SPD_ATTR_ENCR_MAXBITS: 906 act.ipa_apply.ipp_espe_maxbits = attrp->spd_attr_value; 907 break; 908 909 case SPD_ATTR_AH_MINBITS: 910 act.ipa_apply.ipp_ah_minbits = attrp->spd_attr_value; 911 break; 912 913 case SPD_ATTR_AH_MAXBITS: 914 act.ipa_apply.ipp_ah_maxbits = attrp->spd_attr_value; 915 break; 916 917 case SPD_ATTR_ESPA_MINBITS: 918 act.ipa_apply.ipp_espa_minbits = attrp->spd_attr_value; 919 break; 920 921 case SPD_ATTR_ESPA_MAXBITS: 922 act.ipa_apply.ipp_espa_maxbits = attrp->spd_attr_value; 923 break; 924 925 case SPD_ATTR_LIFE_SOFT_TIME: 926 case SPD_ATTR_LIFE_HARD_TIME: 927 case SPD_ATTR_LIFE_SOFT_BYTES: 928 case SPD_ATTR_LIFE_HARD_BYTES: 929 break; 930 931 case SPD_ATTR_KM_PROTO: 932 act.ipa_apply.ipp_km_proto = attrp->spd_attr_value; 933 break; 934 935 case SPD_ATTR_KM_COOKIE: 936 act.ipa_apply.ipp_km_cookie = attrp->spd_attr_value; 937 break; 938 939 case SPD_ATTR_REPLAY_DEPTH: 940 act.ipa_apply.ipp_replay_depth = attrp->spd_attr_value; 941 break; 942 } 943 } 944 if (actp != endactp) { 945 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT; 946 goto fail; 947 } 948 949 return (B_TRUE); 950 fail: 951 ipsec_actvec_free(*actpp, nact); 952 *actpp = NULL; 953 return (B_FALSE); 954 } 955 956 typedef struct 957 { 958 ipsec_policy_t *pol; 959 int dir; 960 } tmprule_t; 961 962 static int 963 mkrule(ipsec_policy_head_t *iph, struct spd_rule *rule, 964 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t af, 965 tmprule_t **rp, uint64_t *index, spd_stack_t *spds) 966 { 967 ipsec_policy_t *pol; 968 969 sel->ipsl_valid &= ~(IPSL_IPV6|IPSL_IPV4); 970 sel->ipsl_valid |= af; 971 972 pol = ipsec_policy_create(sel, actp, nact, rule->spd_rule_priority, 973 index, spds->spds_netstack); 974 if (pol == NULL) 975 return (ENOMEM); 976 977 (*rp)->pol = pol; 978 (*rp)->dir = dir; 979 (*rp)++; 980 981 if (!ipsec_check_policy(iph, pol, dir)) 982 return (EEXIST); 983 984 rule->spd_rule_index = pol->ipsp_index; 985 return (0); 986 } 987 988 static int 989 mkrulepair(ipsec_policy_head_t *iph, struct spd_rule *rule, 990 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t afs, 991 tmprule_t **rp, uint64_t *index, spd_stack_t *spds) 992 { 993 int error; 994 995 if (afs & IPSL_IPV4) { 996 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV4, rp, 997 index, spds); 998 if (error != 0) 999 return (error); 1000 } 1001 if (afs & IPSL_IPV6) { 1002 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV6, rp, 1003 index, spds); 1004 if (error != 0) 1005 return (error); 1006 } 1007 return (0); 1008 } 1009 1010 1011 static void 1012 spdsock_addrule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1013 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1014 { 1015 ipsec_selkey_t sel; 1016 ipsec_act_t *actp; 1017 uint_t nact; 1018 int diag = 0, error, afs; 1019 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE]; 1020 tmprule_t rules[4], *rulep = &rules[0]; 1021 boolean_t tunnel_mode, empty_itp, active; 1022 uint64_t *index = (itp == NULL) ? NULL : &itp->itp_next_policy_index; 1023 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1024 spd_stack_t *spds = ss->spdsock_spds; 1025 1026 if (rule == NULL) { 1027 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT); 1028 if (audit_active) { 1029 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1030 cred_t *cr; 1031 pid_t cpid; 1032 1033 cr = msg_getcred(mp, &cpid); 1034 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1035 audit_pf_policy(SPD_ADDRULE, cr, 1036 spds->spds_netstack, ITP_NAME(itp), active, 1037 SPD_DIAGNOSTIC_NO_RULE_EXT, cpid); 1038 } 1039 return; 1040 } 1041 1042 tunnel_mode = (rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL); 1043 1044 if (itp != NULL) { 1045 mutex_enter(&itp->itp_lock); 1046 ASSERT(itp->itp_policy == iph || itp->itp_inactive == iph); 1047 active = (itp->itp_policy == iph); 1048 if (ITP_P_ISACTIVE(itp, iph)) { 1049 /* Check for mix-and-match of tunnel/transport. */ 1050 if ((tunnel_mode && !ITP_P_ISTUNNEL(itp, iph)) || 1051 (!tunnel_mode && ITP_P_ISTUNNEL(itp, iph))) { 1052 mutex_exit(&itp->itp_lock); 1053 spdsock_error(q, mp, EBUSY, 0); 1054 return; 1055 } 1056 empty_itp = B_FALSE; 1057 } else { 1058 empty_itp = B_TRUE; 1059 itp->itp_flags = active ? ITPF_P_ACTIVE : ITPF_I_ACTIVE; 1060 if (tunnel_mode) 1061 itp->itp_flags |= active ? ITPF_P_TUNNEL : 1062 ITPF_I_TUNNEL; 1063 } 1064 } else { 1065 empty_itp = B_FALSE; 1066 } 1067 1068 if (rule->spd_rule_index != 0) { 1069 diag = SPD_DIAGNOSTIC_INVALID_RULE_INDEX; 1070 error = EINVAL; 1071 goto fail2; 1072 } 1073 1074 if (!spdsock_ext_to_sel(extv, &sel, &diag)) { 1075 error = EINVAL; 1076 goto fail2; 1077 } 1078 1079 if (itp != NULL) { 1080 if (tunnel_mode) { 1081 if (sel.ipsl_valid & 1082 (IPSL_REMOTE_PORT | IPSL_LOCAL_PORT)) { 1083 itp->itp_flags |= active ? 1084 ITPF_P_PER_PORT_SECURITY : 1085 ITPF_I_PER_PORT_SECURITY; 1086 } 1087 } else { 1088 /* 1089 * For now, we don't allow transport-mode on a tunnel 1090 * with ANY specific selectors. Bail if we have such 1091 * a request. 1092 */ 1093 if (sel.ipsl_valid & IPSL_WILDCARD) { 1094 diag = SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS; 1095 error = EINVAL; 1096 goto fail2; 1097 } 1098 } 1099 } 1100 1101 if (!spdsock_ext_to_actvec(extv, &actp, &nact, &diag, spds)) { 1102 error = EINVAL; 1103 goto fail2; 1104 } 1105 /* 1106 * If no addresses were specified, add both. 1107 */ 1108 afs = sel.ipsl_valid & (IPSL_IPV6|IPSL_IPV4); 1109 if (afs == 0) 1110 afs = (IPSL_IPV6|IPSL_IPV4); 1111 1112 rw_enter(&iph->iph_lock, RW_WRITER); 1113 1114 if (rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) { 1115 error = mkrulepair(iph, rule, &sel, actp, nact, 1116 IPSEC_TYPE_OUTBOUND, afs, &rulep, index, spds); 1117 if (error != 0) 1118 goto fail; 1119 } 1120 1121 if (rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) { 1122 error = mkrulepair(iph, rule, &sel, actp, nact, 1123 IPSEC_TYPE_INBOUND, afs, &rulep, index, spds); 1124 if (error != 0) 1125 goto fail; 1126 } 1127 1128 while ((--rulep) >= &rules[0]) { 1129 ipsec_enter_policy(iph, rulep->pol, rulep->dir, 1130 spds->spds_netstack); 1131 } 1132 rw_exit(&iph->iph_lock); 1133 if (itp != NULL) 1134 mutex_exit(&itp->itp_lock); 1135 1136 ipsec_actvec_free(actp, nact); 1137 spd_echo(q, mp); 1138 if (audit_active) { 1139 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1140 cred_t *cr; 1141 pid_t cpid; 1142 1143 cr = msg_getcred(mp, &cpid); 1144 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1145 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack, 1146 ITP_NAME(itp), active, 0, cpid); 1147 } 1148 return; 1149 1150 fail: 1151 rw_exit(&iph->iph_lock); 1152 while ((--rulep) >= &rules[0]) 1153 IPPOL_REFRELE(rulep->pol); 1154 ipsec_actvec_free(actp, nact); 1155 fail2: 1156 if (itp != NULL) { 1157 if (empty_itp) 1158 itp->itp_flags = 0; 1159 mutex_exit(&itp->itp_lock); 1160 } 1161 spdsock_error(q, mp, error, diag); 1162 if (audit_active) { 1163 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1164 cred_t *cr; 1165 pid_t cpid; 1166 1167 cr = msg_getcred(mp, &cpid); 1168 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1169 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack, 1170 ITP_NAME(itp), active, error, cpid); 1171 } 1172 } 1173 1174 void 1175 spdsock_deleterule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1176 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1177 { 1178 ipsec_selkey_t sel; 1179 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE]; 1180 int err, diag = 0; 1181 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1182 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1183 1184 if (rule == NULL) { 1185 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT); 1186 if (audit_active) { 1187 boolean_t active; 1188 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1189 cred_t *cr; 1190 pid_t cpid; 1191 1192 cr = msg_getcred(mp, &cpid); 1193 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1194 audit_pf_policy(SPD_DELETERULE, cr, ns, 1195 ITP_NAME(itp), active, SPD_DIAGNOSTIC_NO_RULE_EXT, 1196 cpid); 1197 } 1198 return; 1199 } 1200 1201 /* 1202 * Must enter itp_lock first to avoid deadlock. See tun.c's 1203 * set_sec_simple() for the other case of itp_lock and iph_lock. 1204 */ 1205 if (itp != NULL) 1206 mutex_enter(&itp->itp_lock); 1207 1208 if (rule->spd_rule_index != 0) { 1209 if (ipsec_policy_delete_index(iph, rule->spd_rule_index, ns) != 1210 0) { 1211 err = ESRCH; 1212 goto fail; 1213 } 1214 } else { 1215 if (!spdsock_ext_to_sel(extv, &sel, &diag)) { 1216 err = EINVAL; /* diag already set... */ 1217 goto fail; 1218 } 1219 1220 if ((rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) && 1221 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_INBOUND, ns)) { 1222 err = ESRCH; 1223 goto fail; 1224 } 1225 1226 if ((rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) && 1227 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_OUTBOUND, ns)) { 1228 err = ESRCH; 1229 goto fail; 1230 } 1231 } 1232 1233 if (itp != NULL) { 1234 ASSERT(iph == itp->itp_policy || iph == itp->itp_inactive); 1235 rw_enter(&iph->iph_lock, RW_READER); 1236 if (avl_numnodes(&iph->iph_rulebyid) == 0) { 1237 if (iph == itp->itp_policy) 1238 itp->itp_flags &= ~ITPF_PFLAGS; 1239 else 1240 itp->itp_flags &= ~ITPF_IFLAGS; 1241 } 1242 /* Can exit locks in any order. */ 1243 rw_exit(&iph->iph_lock); 1244 mutex_exit(&itp->itp_lock); 1245 } 1246 spd_echo(q, mp); 1247 if (audit_active) { 1248 boolean_t active; 1249 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1250 cred_t *cr; 1251 pid_t cpid; 1252 1253 cr = msg_getcred(mp, &cpid); 1254 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1255 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp), 1256 active, 0, cpid); 1257 } 1258 return; 1259 fail: 1260 if (itp != NULL) 1261 mutex_exit(&itp->itp_lock); 1262 spdsock_error(q, mp, err, diag); 1263 if (audit_active) { 1264 boolean_t active; 1265 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1266 cred_t *cr; 1267 pid_t cpid; 1268 1269 cr = msg_getcred(mp, &cpid); 1270 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1271 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp), 1272 active, err, cpid); 1273 } 1274 } 1275 1276 /* Do NOT consume a reference to itp. */ 1277 /* ARGSUSED */ 1278 static void 1279 spdsock_flip_node(ipsec_tun_pol_t *itp, void *ignoreme, netstack_t *ns) 1280 { 1281 mutex_enter(&itp->itp_lock); 1282 ITPF_SWAP(itp->itp_flags); 1283 ipsec_swap_policy(itp->itp_policy, itp->itp_inactive, ns); 1284 mutex_exit(&itp->itp_lock); 1285 } 1286 1287 void 1288 spdsock_flip(queue_t *q, mblk_t *mp, spd_if_t *tunname) 1289 { 1290 char *tname; 1291 ipsec_tun_pol_t *itp; 1292 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1293 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1294 1295 if (tunname != NULL) { 1296 tname = (char *)tunname->spd_if_name; 1297 if (*tname == '\0') { 1298 /* can't fail */ 1299 ipsec_swap_global_policy(ns); 1300 if (audit_active) { 1301 boolean_t active; 1302 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1303 cred_t *cr; 1304 pid_t cpid; 1305 1306 cr = msg_getcred(mp, &cpid); 1307 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1308 audit_pf_policy(SPD_FLIP, cr, ns, 1309 NULL, active, 0, cpid); 1310 } 1311 itp_walk(spdsock_flip_node, NULL, ns); 1312 if (audit_active) { 1313 boolean_t active; 1314 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1315 cred_t *cr; 1316 pid_t cpid; 1317 1318 cr = msg_getcred(mp, &cpid); 1319 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1320 audit_pf_policy(SPD_FLIP, cr, ns, 1321 "all tunnels", active, 0, cpid); 1322 } 1323 } else { 1324 itp = get_tunnel_policy(tname, ns); 1325 if (itp == NULL) { 1326 /* Better idea for "tunnel not found"? */ 1327 spdsock_error(q, mp, ESRCH, 0); 1328 if (audit_active) { 1329 boolean_t active; 1330 spd_msg_t *spmsg = 1331 (spd_msg_t *)mp->b_rptr; 1332 cred_t *cr; 1333 pid_t cpid; 1334 1335 cr = msg_getcred(mp, &cpid); 1336 active = (spmsg->spd_msg_spdid == 1337 SPD_ACTIVE); 1338 audit_pf_policy(SPD_FLIP, cr, ns, 1339 ITP_NAME(itp), active, 1340 ESRCH, cpid); 1341 } 1342 return; 1343 } 1344 spdsock_flip_node(itp, NULL, NULL); 1345 if (audit_active) { 1346 boolean_t active; 1347 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1348 cred_t *cr; 1349 pid_t cpid; 1350 1351 cr = msg_getcred(mp, &cpid); 1352 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1353 audit_pf_policy(SPD_FLIP, cr, ns, 1354 ITP_NAME(itp), active, 0, cpid); 1355 } 1356 ITP_REFRELE(itp, ns); 1357 } 1358 } else { 1359 ipsec_swap_global_policy(ns); /* can't fail */ 1360 if (audit_active) { 1361 boolean_t active; 1362 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1363 cred_t *cr; 1364 pid_t cpid; 1365 1366 cr = msg_getcred(mp, &cpid); 1367 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1368 audit_pf_policy(SPD_FLIP, cr, 1369 ns, NULL, active, 0, cpid); 1370 } 1371 } 1372 spd_echo(q, mp); 1373 } 1374 1375 /* 1376 * Unimplemented feature 1377 */ 1378 /* ARGSUSED */ 1379 static void 1380 spdsock_lookup(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1381 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1382 { 1383 spdsock_error(q, mp, EINVAL, 0); 1384 } 1385 1386 1387 static mblk_t * 1388 spdsock_dump_ruleset(mblk_t *req, ipsec_policy_head_t *iph, 1389 uint32_t count, uint16_t error) 1390 { 1391 size_t len = sizeof (spd_ruleset_ext_t) + sizeof (spd_msg_t); 1392 spd_msg_t *msg; 1393 spd_ruleset_ext_t *ruleset; 1394 mblk_t *m = allocb(len, BPRI_HI); 1395 1396 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1397 1398 if (m == NULL) { 1399 return (NULL); 1400 } 1401 msg = (spd_msg_t *)m->b_rptr; 1402 ruleset = (spd_ruleset_ext_t *)(&msg[1]); 1403 1404 m->b_wptr = (uint8_t *)&ruleset[1]; 1405 1406 *msg = *(spd_msg_t *)(req->b_rptr); 1407 msg->spd_msg_len = SPD_8TO64(len); 1408 msg->spd_msg_errno = error; 1409 1410 ruleset->spd_ruleset_len = SPD_8TO64(sizeof (*ruleset)); 1411 ruleset->spd_ruleset_type = SPD_EXT_RULESET; 1412 ruleset->spd_ruleset_count = count; 1413 ruleset->spd_ruleset_version = iph->iph_gen; 1414 return (m); 1415 } 1416 1417 static mblk_t * 1418 spdsock_dump_finish(spdsock_t *ss, int error) 1419 { 1420 mblk_t *m; 1421 ipsec_policy_head_t *iph = ss->spdsock_dump_head; 1422 mblk_t *req = ss->spdsock_dump_req; 1423 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1424 1425 rw_enter(&iph->iph_lock, RW_READER); 1426 m = spdsock_dump_ruleset(req, iph, ss->spdsock_dump_count, error); 1427 rw_exit(&iph->iph_lock); 1428 IPPH_REFRELE(iph, ns); 1429 if (ss->spdsock_itp != NULL) { 1430 ITP_REFRELE(ss->spdsock_itp, ns); 1431 ss->spdsock_itp = NULL; 1432 } 1433 ss->spdsock_dump_req = NULL; 1434 freemsg(req); 1435 1436 return (m); 1437 } 1438 1439 /* 1440 * Rule encoding functions. 1441 * We do a two-pass encode. 1442 * If base != NULL, fill in encoded rule part starting at base+offset. 1443 * Always return "offset" plus length of to-be-encoded data. 1444 */ 1445 static uint_t 1446 spdsock_encode_typecode(uint8_t *base, uint_t offset, uint8_t type, 1447 uint8_t type_end, uint8_t code, uint8_t code_end) 1448 { 1449 struct spd_typecode *tcp; 1450 1451 ASSERT(ALIGNED64(offset)); 1452 1453 if (base != NULL) { 1454 tcp = (struct spd_typecode *)(base + offset); 1455 tcp->spd_typecode_len = SPD_8TO64(sizeof (*tcp)); 1456 tcp->spd_typecode_exttype = SPD_EXT_ICMP_TYPECODE; 1457 tcp->spd_typecode_code = code; 1458 tcp->spd_typecode_type = type; 1459 tcp->spd_typecode_type_end = type_end; 1460 tcp->spd_typecode_code_end = code_end; 1461 } 1462 offset += sizeof (*tcp); 1463 1464 ASSERT(ALIGNED64(offset)); 1465 1466 return (offset); 1467 } 1468 1469 static uint_t 1470 spdsock_encode_proto(uint8_t *base, uint_t offset, uint8_t proto) 1471 { 1472 struct spd_proto *spp; 1473 1474 ASSERT(ALIGNED64(offset)); 1475 1476 if (base != NULL) { 1477 spp = (struct spd_proto *)(base + offset); 1478 spp->spd_proto_len = SPD_8TO64(sizeof (*spp)); 1479 spp->spd_proto_exttype = SPD_EXT_PROTO; 1480 spp->spd_proto_number = proto; 1481 spp->spd_proto_reserved1 = 0; 1482 spp->spd_proto_reserved2 = 0; 1483 } 1484 offset += sizeof (*spp); 1485 1486 ASSERT(ALIGNED64(offset)); 1487 1488 return (offset); 1489 } 1490 1491 static uint_t 1492 spdsock_encode_port(uint8_t *base, uint_t offset, uint16_t ext, uint16_t port) 1493 { 1494 struct spd_portrange *spp; 1495 1496 ASSERT(ALIGNED64(offset)); 1497 1498 if (base != NULL) { 1499 spp = (struct spd_portrange *)(base + offset); 1500 spp->spd_ports_len = SPD_8TO64(sizeof (*spp)); 1501 spp->spd_ports_exttype = ext; 1502 spp->spd_ports_minport = port; 1503 spp->spd_ports_maxport = port; 1504 } 1505 offset += sizeof (*spp); 1506 1507 ASSERT(ALIGNED64(offset)); 1508 1509 return (offset); 1510 } 1511 1512 static uint_t 1513 spdsock_encode_addr(uint8_t *base, uint_t offset, uint16_t ext, 1514 const ipsec_selkey_t *sel, const ipsec_addr_t *addr, uint_t pfxlen) 1515 { 1516 struct spd_address *sae; 1517 ipsec_addr_t *spdaddr; 1518 uint_t start = offset; 1519 uint_t addrlen; 1520 uint_t af; 1521 1522 if (sel->ipsl_valid & IPSL_IPV4) { 1523 af = AF_INET; 1524 addrlen = IP_ADDR_LEN; 1525 } else { 1526 af = AF_INET6; 1527 addrlen = IPV6_ADDR_LEN; 1528 } 1529 1530 ASSERT(ALIGNED64(offset)); 1531 1532 if (base != NULL) { 1533 sae = (struct spd_address *)(base + offset); 1534 sae->spd_address_exttype = ext; 1535 sae->spd_address_af = af; 1536 sae->spd_address_prefixlen = pfxlen; 1537 sae->spd_address_reserved2 = 0; 1538 1539 spdaddr = (ipsec_addr_t *)(&sae[1]); 1540 bcopy(addr, spdaddr, addrlen); 1541 } 1542 offset += sizeof (*sae); 1543 addrlen = roundup(addrlen, sizeof (uint64_t)); 1544 offset += addrlen; 1545 1546 ASSERT(ALIGNED64(offset)); 1547 1548 if (base != NULL) 1549 sae->spd_address_len = SPD_8TO64(offset - start); 1550 return (offset); 1551 } 1552 1553 static uint_t 1554 spdsock_encode_sel(uint8_t *base, uint_t offset, const ipsec_sel_t *sel) 1555 { 1556 const ipsec_selkey_t *selkey = &sel->ipsl_key; 1557 1558 if (selkey->ipsl_valid & IPSL_PROTOCOL) 1559 offset = spdsock_encode_proto(base, offset, selkey->ipsl_proto); 1560 if (selkey->ipsl_valid & IPSL_LOCAL_PORT) 1561 offset = spdsock_encode_port(base, offset, SPD_EXT_LCLPORT, 1562 selkey->ipsl_lport); 1563 if (selkey->ipsl_valid & IPSL_REMOTE_PORT) 1564 offset = spdsock_encode_port(base, offset, SPD_EXT_REMPORT, 1565 selkey->ipsl_rport); 1566 if (selkey->ipsl_valid & IPSL_REMOTE_ADDR) 1567 offset = spdsock_encode_addr(base, offset, SPD_EXT_REMADDR, 1568 selkey, &selkey->ipsl_remote, selkey->ipsl_remote_pfxlen); 1569 if (selkey->ipsl_valid & IPSL_LOCAL_ADDR) 1570 offset = spdsock_encode_addr(base, offset, SPD_EXT_LCLADDR, 1571 selkey, &selkey->ipsl_local, selkey->ipsl_local_pfxlen); 1572 if (selkey->ipsl_valid & IPSL_ICMP_TYPE) { 1573 offset = spdsock_encode_typecode(base, offset, 1574 selkey->ipsl_icmp_type, selkey->ipsl_icmp_type_end, 1575 (selkey->ipsl_valid & IPSL_ICMP_CODE) ? 1576 selkey->ipsl_icmp_code : 255, 1577 (selkey->ipsl_valid & IPSL_ICMP_CODE) ? 1578 selkey->ipsl_icmp_code_end : 255); 1579 } 1580 return (offset); 1581 } 1582 1583 static uint_t 1584 spdsock_encode_actattr(uint8_t *base, uint_t offset, uint32_t tag, 1585 uint32_t value) 1586 { 1587 struct spd_attribute *attr; 1588 1589 ASSERT(ALIGNED64(offset)); 1590 1591 if (base != NULL) { 1592 attr = (struct spd_attribute *)(base + offset); 1593 attr->spd_attr_tag = tag; 1594 attr->spd_attr_value = value; 1595 } 1596 offset += sizeof (struct spd_attribute); 1597 1598 ASSERT(ALIGNED64(offset)); 1599 1600 return (offset); 1601 } 1602 1603 1604 #define EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v)) 1605 1606 static uint_t 1607 spdsock_encode_action(uint8_t *base, uint_t offset, const ipsec_action_t *ap) 1608 { 1609 const struct ipsec_act *act = &(ap->ipa_act); 1610 uint_t flags; 1611 1612 EMIT(SPD_ATTR_EMPTY, 0); 1613 switch (act->ipa_type) { 1614 case IPSEC_ACT_DISCARD: 1615 case IPSEC_ACT_REJECT: 1616 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_DROP); 1617 break; 1618 case IPSEC_ACT_BYPASS: 1619 case IPSEC_ACT_CLEAR: 1620 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_PASS); 1621 break; 1622 1623 case IPSEC_ACT_APPLY: 1624 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_IPSEC); 1625 flags = 0; 1626 if (act->ipa_apply.ipp_use_ah) 1627 flags |= SPD_APPLY_AH; 1628 if (act->ipa_apply.ipp_use_esp) 1629 flags |= SPD_APPLY_ESP; 1630 if (act->ipa_apply.ipp_use_espa) 1631 flags |= SPD_APPLY_ESPA; 1632 if (act->ipa_apply.ipp_use_se) 1633 flags |= SPD_APPLY_SE; 1634 if (act->ipa_apply.ipp_use_unique) 1635 flags |= SPD_APPLY_UNIQUE; 1636 EMIT(SPD_ATTR_FLAGS, flags); 1637 if (flags & SPD_APPLY_AH) { 1638 EMIT(SPD_ATTR_AH_AUTH, act->ipa_apply.ipp_auth_alg); 1639 EMIT(SPD_ATTR_AH_MINBITS, 1640 act->ipa_apply.ipp_ah_minbits); 1641 EMIT(SPD_ATTR_AH_MAXBITS, 1642 act->ipa_apply.ipp_ah_maxbits); 1643 } 1644 if (flags & SPD_APPLY_ESP) { 1645 EMIT(SPD_ATTR_ESP_ENCR, act->ipa_apply.ipp_encr_alg); 1646 EMIT(SPD_ATTR_ENCR_MINBITS, 1647 act->ipa_apply.ipp_espe_minbits); 1648 EMIT(SPD_ATTR_ENCR_MAXBITS, 1649 act->ipa_apply.ipp_espe_maxbits); 1650 if (flags & SPD_APPLY_ESPA) { 1651 EMIT(SPD_ATTR_ESP_AUTH, 1652 act->ipa_apply.ipp_esp_auth_alg); 1653 EMIT(SPD_ATTR_ESPA_MINBITS, 1654 act->ipa_apply.ipp_espa_minbits); 1655 EMIT(SPD_ATTR_ESPA_MAXBITS, 1656 act->ipa_apply.ipp_espa_maxbits); 1657 } 1658 } 1659 if (act->ipa_apply.ipp_km_proto != 0) 1660 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_proto); 1661 if (act->ipa_apply.ipp_km_cookie != 0) 1662 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_cookie); 1663 if (act->ipa_apply.ipp_replay_depth != 0) 1664 EMIT(SPD_ATTR_REPLAY_DEPTH, 1665 act->ipa_apply.ipp_replay_depth); 1666 /* Add more here */ 1667 break; 1668 } 1669 1670 return (offset); 1671 } 1672 1673 static uint_t 1674 spdsock_encode_action_list(uint8_t *base, uint_t offset, 1675 const ipsec_action_t *ap) 1676 { 1677 struct spd_ext_actions *act; 1678 uint_t nact = 0; 1679 uint_t start = offset; 1680 1681 ASSERT(ALIGNED64(offset)); 1682 1683 if (base != NULL) { 1684 act = (struct spd_ext_actions *)(base + offset); 1685 act->spd_actions_len = 0; 1686 act->spd_actions_exttype = SPD_EXT_ACTION; 1687 act->spd_actions_count = 0; 1688 act->spd_actions_reserved = 0; 1689 } 1690 1691 offset += sizeof (*act); 1692 1693 ASSERT(ALIGNED64(offset)); 1694 1695 while (ap != NULL) { 1696 offset = spdsock_encode_action(base, offset, ap); 1697 ap = ap->ipa_next; 1698 nact++; 1699 if (ap != NULL) { 1700 EMIT(SPD_ATTR_NEXT, 0); 1701 } 1702 } 1703 EMIT(SPD_ATTR_END, 0); 1704 1705 ASSERT(ALIGNED64(offset)); 1706 1707 if (base != NULL) { 1708 act->spd_actions_count = nact; 1709 act->spd_actions_len = SPD_8TO64(offset - start); 1710 } 1711 1712 return (offset); 1713 } 1714 1715 #undef EMIT 1716 1717 /* ARGSUSED */ 1718 static uint_t 1719 spdsock_rule_flags(uint_t dir, uint_t af) 1720 { 1721 uint_t flags = 0; 1722 1723 if (dir == IPSEC_TYPE_INBOUND) 1724 flags |= SPD_RULE_FLAG_INBOUND; 1725 if (dir == IPSEC_TYPE_OUTBOUND) 1726 flags |= SPD_RULE_FLAG_OUTBOUND; 1727 1728 return (flags); 1729 } 1730 1731 1732 static uint_t 1733 spdsock_encode_rule_head(uint8_t *base, uint_t offset, spd_msg_t *req, 1734 const ipsec_policy_t *rule, uint_t dir, uint_t af, char *name, 1735 boolean_t tunnel) 1736 { 1737 struct spd_msg *spmsg; 1738 struct spd_rule *spr; 1739 spd_if_t *sid; 1740 1741 uint_t start = offset; 1742 1743 ASSERT(ALIGNED64(offset)); 1744 1745 if (base != NULL) { 1746 spmsg = (struct spd_msg *)(base + offset); 1747 bzero(spmsg, sizeof (*spmsg)); 1748 spmsg->spd_msg_version = PF_POLICY_V1; 1749 spmsg->spd_msg_type = SPD_DUMP; 1750 spmsg->spd_msg_seq = req->spd_msg_seq; 1751 spmsg->spd_msg_pid = req->spd_msg_pid; 1752 } 1753 offset += sizeof (struct spd_msg); 1754 1755 ASSERT(ALIGNED64(offset)); 1756 1757 if (base != NULL) { 1758 spr = (struct spd_rule *)(base + offset); 1759 spr->spd_rule_type = SPD_EXT_RULE; 1760 spr->spd_rule_priority = rule->ipsp_prio; 1761 spr->spd_rule_flags = spdsock_rule_flags(dir, af); 1762 if (tunnel) 1763 spr->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL; 1764 spr->spd_rule_unused = 0; 1765 spr->spd_rule_len = SPD_8TO64(sizeof (*spr)); 1766 spr->spd_rule_index = rule->ipsp_index; 1767 } 1768 offset += sizeof (struct spd_rule); 1769 1770 /* 1771 * If we have an interface name (i.e. if this policy head came from 1772 * a tunnel), add the SPD_EXT_TUN_NAME extension. 1773 */ 1774 if (name != NULL) { 1775 1776 ASSERT(ALIGNED64(offset)); 1777 1778 if (base != NULL) { 1779 sid = (spd_if_t *)(base + offset); 1780 sid->spd_if_exttype = SPD_EXT_TUN_NAME; 1781 sid->spd_if_len = SPD_8TO64(sizeof (spd_if_t) + 1782 roundup((strlen(name) - 4), 8)); 1783 (void) strlcpy((char *)sid->spd_if_name, name, 1784 LIFNAMSIZ); 1785 } 1786 1787 offset += sizeof (spd_if_t) + roundup((strlen(name) - 4), 8); 1788 } 1789 1790 offset = spdsock_encode_sel(base, offset, rule->ipsp_sel); 1791 offset = spdsock_encode_action_list(base, offset, rule->ipsp_act); 1792 1793 ASSERT(ALIGNED64(offset)); 1794 1795 if (base != NULL) { 1796 spmsg->spd_msg_len = SPD_8TO64(offset - start); 1797 } 1798 return (offset); 1799 } 1800 1801 /* ARGSUSED */ 1802 static mblk_t * 1803 spdsock_encode_rule(mblk_t *req, const ipsec_policy_t *rule, 1804 uint_t dir, uint_t af, char *name, boolean_t tunnel) 1805 { 1806 mblk_t *m; 1807 uint_t len; 1808 spd_msg_t *mreq = (spd_msg_t *)req->b_rptr; 1809 1810 /* 1811 * Figure out how much space we'll need. 1812 */ 1813 len = spdsock_encode_rule_head(NULL, 0, mreq, rule, dir, af, name, 1814 tunnel); 1815 1816 /* 1817 * Allocate mblk. 1818 */ 1819 m = allocb(len, BPRI_HI); 1820 if (m == NULL) 1821 return (NULL); 1822 1823 /* 1824 * Fill it in.. 1825 */ 1826 m->b_wptr = m->b_rptr + len; 1827 bzero(m->b_rptr, len); 1828 (void) spdsock_encode_rule_head(m->b_rptr, 0, mreq, rule, dir, af, 1829 name, tunnel); 1830 return (m); 1831 } 1832 1833 static ipsec_policy_t * 1834 spdsock_dump_next_in_chain(spdsock_t *ss, ipsec_policy_head_t *iph, 1835 ipsec_policy_t *cur) 1836 { 1837 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1838 1839 ss->spdsock_dump_count++; 1840 ss->spdsock_dump_cur_rule = cur->ipsp_hash.hash_next; 1841 return (cur); 1842 } 1843 1844 static ipsec_policy_t * 1845 spdsock_dump_next_rule(spdsock_t *ss, ipsec_policy_head_t *iph) 1846 { 1847 ipsec_policy_t *cur; 1848 ipsec_policy_root_t *ipr; 1849 int chain, nchains, type, af; 1850 1851 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1852 1853 cur = ss->spdsock_dump_cur_rule; 1854 1855 if (cur != NULL) 1856 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1857 1858 type = ss->spdsock_dump_cur_type; 1859 1860 next: 1861 chain = ss->spdsock_dump_cur_chain; 1862 ipr = &iph->iph_root[type]; 1863 nchains = ipr->ipr_nchains; 1864 1865 while (chain < nchains) { 1866 cur = ipr->ipr_hash[chain].hash_head; 1867 chain++; 1868 if (cur != NULL) { 1869 ss->spdsock_dump_cur_chain = chain; 1870 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1871 } 1872 } 1873 ss->spdsock_dump_cur_chain = nchains; 1874 1875 af = ss->spdsock_dump_cur_af; 1876 while (af < IPSEC_NAF) { 1877 cur = ipr->ipr_nonhash[af]; 1878 af++; 1879 if (cur != NULL) { 1880 ss->spdsock_dump_cur_af = af; 1881 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1882 } 1883 } 1884 1885 type++; 1886 if (type >= IPSEC_NTYPES) 1887 return (NULL); 1888 1889 ss->spdsock_dump_cur_chain = 0; 1890 ss->spdsock_dump_cur_type = type; 1891 ss->spdsock_dump_cur_af = IPSEC_AF_V4; 1892 goto next; 1893 1894 } 1895 1896 /* 1897 * If we're done with one policy head, but have more to go, we iterate through 1898 * another IPsec tunnel policy head (itp). Return NULL if it is an error 1899 * worthy of returning EAGAIN via PF_POLICY. 1900 */ 1901 static ipsec_tun_pol_t * 1902 spdsock_dump_iterate_next_tunnel(spdsock_t *ss, ipsec_stack_t *ipss) 1903 { 1904 ipsec_tun_pol_t *itp; 1905 1906 ASSERT(RW_READ_HELD(&ipss->ipsec_tunnel_policy_lock)); 1907 if (ipss->ipsec_tunnel_policy_gen > ss->spdsock_dump_tun_gen) { 1908 /* Oops, state of the tunnel polheads changed. */ 1909 itp = NULL; 1910 } else if (ss->spdsock_itp == NULL) { 1911 /* Just finished global, find first node. */ 1912 itp = avl_first(&ipss->ipsec_tunnel_policies); 1913 } else { 1914 /* We just finished current polhead, find the next one. */ 1915 itp = AVL_NEXT(&ipss->ipsec_tunnel_policies, ss->spdsock_itp); 1916 } 1917 if (itp != NULL) { 1918 ITP_REFHOLD(itp); 1919 } 1920 if (ss->spdsock_itp != NULL) { 1921 ITP_REFRELE(ss->spdsock_itp, ipss->ipsec_netstack); 1922 } 1923 ss->spdsock_itp = itp; 1924 return (itp); 1925 } 1926 1927 static mblk_t * 1928 spdsock_dump_next_record(spdsock_t *ss) 1929 { 1930 ipsec_policy_head_t *iph; 1931 ipsec_policy_t *rule; 1932 mblk_t *m; 1933 ipsec_tun_pol_t *itp; 1934 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1935 ipsec_stack_t *ipss = ns->netstack_ipsec; 1936 1937 iph = ss->spdsock_dump_head; 1938 1939 ASSERT(iph != NULL); 1940 1941 rw_enter(&iph->iph_lock, RW_READER); 1942 1943 if (iph->iph_gen != ss->spdsock_dump_gen) { 1944 rw_exit(&iph->iph_lock); 1945 return (spdsock_dump_finish(ss, EAGAIN)); 1946 } 1947 1948 while ((rule = spdsock_dump_next_rule(ss, iph)) == NULL) { 1949 rw_exit(&iph->iph_lock); 1950 if (--(ss->spdsock_dump_remaining_polheads) == 0) 1951 return (spdsock_dump_finish(ss, 0)); 1952 1953 1954 /* 1955 * If we reach here, we have more policy heads (tunnel 1956 * entries) to dump. Let's reset to a new policy head 1957 * and get some more rules. 1958 * 1959 * An empty policy head will have spdsock_dump_next_rule() 1960 * return NULL, and we loop (while dropping the number of 1961 * remaining polheads). If we loop to 0, we finish. We 1962 * keep looping until we hit 0 or until we have a rule to 1963 * encode. 1964 * 1965 * NOTE: No need for ITP_REF*() macros here as we're only 1966 * going after and refholding the policy head itself. 1967 */ 1968 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER); 1969 itp = spdsock_dump_iterate_next_tunnel(ss, ipss); 1970 if (itp == NULL) { 1971 rw_exit(&ipss->ipsec_tunnel_policy_lock); 1972 return (spdsock_dump_finish(ss, EAGAIN)); 1973 } 1974 1975 /* Reset other spdsock_dump thingies. */ 1976 IPPH_REFRELE(ss->spdsock_dump_head, ns); 1977 if (ss->spdsock_dump_active) { 1978 ss->spdsock_dump_tunnel = 1979 itp->itp_flags & ITPF_P_TUNNEL; 1980 iph = itp->itp_policy; 1981 } else { 1982 ss->spdsock_dump_tunnel = 1983 itp->itp_flags & ITPF_I_TUNNEL; 1984 iph = itp->itp_inactive; 1985 } 1986 IPPH_REFHOLD(iph); 1987 rw_exit(&ipss->ipsec_tunnel_policy_lock); 1988 1989 rw_enter(&iph->iph_lock, RW_READER); 1990 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph); 1991 } 1992 1993 m = spdsock_encode_rule(ss->spdsock_dump_req, rule, 1994 ss->spdsock_dump_cur_type, ss->spdsock_dump_cur_af, 1995 (ss->spdsock_itp == NULL) ? NULL : ss->spdsock_itp->itp_name, 1996 ss->spdsock_dump_tunnel); 1997 rw_exit(&iph->iph_lock); 1998 1999 if (m == NULL) 2000 return (spdsock_dump_finish(ss, ENOMEM)); 2001 return (m); 2002 } 2003 2004 /* 2005 * Dump records until we run into flow-control back-pressure. 2006 */ 2007 static void 2008 spdsock_dump_some(queue_t *q, spdsock_t *ss) 2009 { 2010 mblk_t *m, *dataind; 2011 2012 while ((ss->spdsock_dump_req != NULL) && canputnext(q)) { 2013 m = spdsock_dump_next_record(ss); 2014 if (m == NULL) 2015 return; 2016 dataind = allocb(sizeof (struct T_data_req), BPRI_HI); 2017 if (dataind == NULL) { 2018 freemsg(m); 2019 return; 2020 } 2021 dataind->b_cont = m; 2022 dataind->b_wptr += sizeof (struct T_data_req); 2023 ((struct T_data_ind *)dataind->b_rptr)->PRIM_type = T_DATA_IND; 2024 ((struct T_data_ind *)dataind->b_rptr)->MORE_flag = 0; 2025 dataind->b_datap->db_type = M_PROTO; 2026 putnext(q, dataind); 2027 } 2028 } 2029 2030 /* 2031 * Start dumping. 2032 * Format a start-of-dump record, and set up the stream and kick the rsrv 2033 * procedure to continue the job.. 2034 */ 2035 /* ARGSUSED */ 2036 static void 2037 spdsock_dump(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp) 2038 { 2039 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2040 netstack_t *ns = ss->spdsock_spds->spds_netstack; 2041 ipsec_stack_t *ipss = ns->netstack_ipsec; 2042 mblk_t *mr; 2043 2044 /* spdsock_open() already set spdsock_itp to NULL. */ 2045 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) { 2046 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER); 2047 ss->spdsock_dump_remaining_polheads = 1 + 2048 avl_numnodes(&ipss->ipsec_tunnel_policies); 2049 ss->spdsock_dump_tun_gen = ipss->ipsec_tunnel_policy_gen; 2050 rw_exit(&ipss->ipsec_tunnel_policy_lock); 2051 if (iph == ALL_ACTIVE_POLHEADS) { 2052 iph = ipsec_system_policy(ns); 2053 ss->spdsock_dump_active = B_TRUE; 2054 } else { 2055 iph = ipsec_inactive_policy(ns); 2056 ss->spdsock_dump_active = B_FALSE; 2057 } 2058 ASSERT(ss->spdsock_itp == NULL); 2059 } else { 2060 ss->spdsock_dump_remaining_polheads = 1; 2061 } 2062 2063 rw_enter(&iph->iph_lock, RW_READER); 2064 2065 mr = spdsock_dump_ruleset(mp, iph, 0, 0); 2066 2067 if (!mr) { 2068 rw_exit(&iph->iph_lock); 2069 spdsock_error(q, mp, ENOMEM, 0); 2070 return; 2071 } 2072 2073 ss->spdsock_dump_req = mp; 2074 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph); 2075 2076 rw_exit(&iph->iph_lock); 2077 2078 qreply(q, mr); 2079 qenable(OTHERQ(q)); 2080 } 2081 2082 /* Do NOT consume a reference to ITP. */ 2083 void 2084 spdsock_clone_node(ipsec_tun_pol_t *itp, void *ep, netstack_t *ns) 2085 { 2086 int *errptr = (int *)ep; 2087 2088 if (*errptr != 0) 2089 return; /* We've failed already for some reason. */ 2090 mutex_enter(&itp->itp_lock); 2091 ITPF_CLONE(itp->itp_flags); 2092 *errptr = ipsec_copy_polhead(itp->itp_policy, itp->itp_inactive, ns); 2093 mutex_exit(&itp->itp_lock); 2094 } 2095 2096 void 2097 spdsock_clone(queue_t *q, mblk_t *mp, spd_if_t *tunname) 2098 { 2099 int error; 2100 char *tname; 2101 ipsec_tun_pol_t *itp; 2102 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2103 netstack_t *ns = ss->spdsock_spds->spds_netstack; 2104 2105 if (tunname != NULL) { 2106 tname = (char *)tunname->spd_if_name; 2107 if (*tname == '\0') { 2108 error = ipsec_clone_system_policy(ns); 2109 if (audit_active) { 2110 boolean_t active; 2111 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2112 cred_t *cr; 2113 pid_t cpid; 2114 2115 cr = msg_getcred(mp, &cpid); 2116 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2117 audit_pf_policy(SPD_CLONE, cr, ns, 2118 NULL, active, error, cpid); 2119 } 2120 if (error == 0) { 2121 itp_walk(spdsock_clone_node, &error, ns); 2122 if (audit_active) { 2123 boolean_t active; 2124 spd_msg_t *spmsg = 2125 (spd_msg_t *)mp->b_rptr; 2126 cred_t *cr; 2127 pid_t cpid; 2128 2129 cr = msg_getcred(mp, &cpid); 2130 active = (spmsg->spd_msg_spdid == 2131 SPD_ACTIVE); 2132 audit_pf_policy(SPD_CLONE, cr, 2133 ns, "all tunnels", active, 0, 2134 cpid); 2135 } 2136 } 2137 } else { 2138 itp = get_tunnel_policy(tname, ns); 2139 if (itp == NULL) { 2140 spdsock_error(q, mp, ENOENT, 0); 2141 if (audit_active) { 2142 boolean_t active; 2143 spd_msg_t *spmsg = 2144 (spd_msg_t *)mp->b_rptr; 2145 cred_t *cr; 2146 pid_t cpid; 2147 2148 cr = msg_getcred(mp, &cpid); 2149 active = (spmsg->spd_msg_spdid == 2150 SPD_ACTIVE); 2151 audit_pf_policy(SPD_CLONE, cr, 2152 ns, NULL, active, ENOENT, cpid); 2153 } 2154 return; 2155 } 2156 spdsock_clone_node(itp, &error, NULL); 2157 if (audit_active) { 2158 boolean_t active; 2159 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2160 cred_t *cr; 2161 pid_t cpid; 2162 2163 cr = msg_getcred(mp, &cpid); 2164 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2165 audit_pf_policy(SPD_CLONE, cr, ns, 2166 ITP_NAME(itp), active, error, cpid); 2167 } 2168 ITP_REFRELE(itp, ns); 2169 } 2170 } else { 2171 error = ipsec_clone_system_policy(ns); 2172 if (audit_active) { 2173 boolean_t active; 2174 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2175 cred_t *cr; 2176 pid_t cpid; 2177 2178 cr = msg_getcred(mp, &cpid); 2179 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2180 audit_pf_policy(SPD_CLONE, cr, ns, NULL, 2181 active, error, cpid); 2182 } 2183 } 2184 2185 if (error != 0) 2186 spdsock_error(q, mp, error, 0); 2187 else 2188 spd_echo(q, mp); 2189 } 2190 2191 /* 2192 * Process a SPD_ALGLIST request. The caller expects separate alg entries 2193 * for AH authentication, ESP authentication, and ESP encryption. 2194 * The same distinction is then used when setting the min and max key 2195 * sizes when defining policies. 2196 */ 2197 2198 #define SPDSOCK_AH_AUTH 0 2199 #define SPDSOCK_ESP_AUTH 1 2200 #define SPDSOCK_ESP_ENCR 2 2201 #define SPDSOCK_NTYPES 3 2202 2203 static const uint_t algattr[SPDSOCK_NTYPES] = { 2204 SPD_ATTR_AH_AUTH, 2205 SPD_ATTR_ESP_AUTH, 2206 SPD_ATTR_ESP_ENCR 2207 }; 2208 static const uint_t minbitsattr[SPDSOCK_NTYPES] = { 2209 SPD_ATTR_AH_MINBITS, 2210 SPD_ATTR_ESPA_MINBITS, 2211 SPD_ATTR_ENCR_MINBITS 2212 }; 2213 static const uint_t maxbitsattr[SPDSOCK_NTYPES] = { 2214 SPD_ATTR_AH_MAXBITS, 2215 SPD_ATTR_ESPA_MAXBITS, 2216 SPD_ATTR_ENCR_MAXBITS 2217 }; 2218 static const uint_t defbitsattr[SPDSOCK_NTYPES] = { 2219 SPD_ATTR_AH_DEFBITS, 2220 SPD_ATTR_ESPA_DEFBITS, 2221 SPD_ATTR_ENCR_DEFBITS 2222 }; 2223 static const uint_t incrbitsattr[SPDSOCK_NTYPES] = { 2224 SPD_ATTR_AH_INCRBITS, 2225 SPD_ATTR_ESPA_INCRBITS, 2226 SPD_ATTR_ENCR_INCRBITS 2227 }; 2228 2229 #define ATTRPERALG 6 /* fixed attributes per algs */ 2230 2231 void 2232 spdsock_alglist(queue_t *q, mblk_t *mp) 2233 { 2234 uint_t algtype; 2235 uint_t algidx; 2236 uint_t algcount; 2237 uint_t size; 2238 mblk_t *m; 2239 uint8_t *cur; 2240 spd_msg_t *msg; 2241 struct spd_ext_actions *act; 2242 struct spd_attribute *attr; 2243 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2244 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 2245 2246 mutex_enter(&ipss->ipsec_alg_lock); 2247 /* 2248 * The SPD client expects to receive separate entries for 2249 * AH authentication and ESP authentication supported algorithms. 2250 * 2251 * Don't return the "any" algorithms, if defined, as no 2252 * kernel policies can be set for these algorithms. 2253 */ 2254 algcount = 2 * ipss->ipsec_nalgs[IPSEC_ALG_AUTH] + 2255 ipss->ipsec_nalgs[IPSEC_ALG_ENCR]; 2256 2257 if (ipss->ipsec_alglists[IPSEC_ALG_AUTH][SADB_AALG_NONE] != NULL) 2258 algcount--; 2259 if (ipss->ipsec_alglists[IPSEC_ALG_ENCR][SADB_EALG_NONE] != NULL) 2260 algcount--; 2261 2262 /* 2263 * For each algorithm, we encode: 2264 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT} 2265 */ 2266 2267 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions) + 2268 ATTRPERALG * sizeof (struct spd_attribute) * algcount; 2269 2270 ASSERT(ALIGNED64(size)); 2271 2272 m = allocb(size, BPRI_HI); 2273 if (m == NULL) { 2274 mutex_exit(&ipss->ipsec_alg_lock); 2275 spdsock_error(q, mp, ENOMEM, 0); 2276 return; 2277 } 2278 2279 m->b_wptr = m->b_rptr + size; 2280 cur = m->b_rptr; 2281 2282 msg = (spd_msg_t *)cur; 2283 bcopy(mp->b_rptr, cur, sizeof (*msg)); 2284 2285 msg->spd_msg_len = SPD_8TO64(size); 2286 msg->spd_msg_errno = 0; 2287 msg->spd_msg_diagnostic = 0; 2288 2289 cur += sizeof (*msg); 2290 2291 act = (struct spd_ext_actions *)cur; 2292 cur += sizeof (*act); 2293 2294 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t)); 2295 act->spd_actions_exttype = SPD_EXT_ACTION; 2296 act->spd_actions_count = algcount; 2297 act->spd_actions_reserved = 0; 2298 2299 attr = (struct spd_attribute *)cur; 2300 2301 #define EMIT(tag, value) { \ 2302 attr->spd_attr_tag = (tag); \ 2303 attr->spd_attr_value = (value); \ 2304 attr++; \ 2305 } 2306 2307 /* 2308 * If you change the number of EMIT's here, change 2309 * ATTRPERALG above to match 2310 */ 2311 #define EMITALGATTRS(_type) { \ 2312 EMIT(algattr[_type], algid); /* 1 */ \ 2313 EMIT(minbitsattr[_type], minbits); /* 2 */ \ 2314 EMIT(maxbitsattr[_type], maxbits); /* 3 */ \ 2315 EMIT(defbitsattr[_type], defbits); /* 4 */ \ 2316 EMIT(incrbitsattr[_type], incr); /* 5 */ \ 2317 EMIT(SPD_ATTR_NEXT, 0); /* 6 */ \ 2318 } 2319 2320 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2321 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2322 algidx++) { 2323 int algid = ipss->ipsec_sortlist[algtype][algidx]; 2324 ipsec_alginfo_t *alg = 2325 ipss->ipsec_alglists[algtype][algid]; 2326 uint_t minbits = alg->alg_minbits; 2327 uint_t maxbits = alg->alg_maxbits; 2328 uint_t defbits = alg->alg_default_bits; 2329 uint_t incr = alg->alg_increment; 2330 2331 if (algtype == IPSEC_ALG_AUTH) { 2332 if (algid == SADB_AALG_NONE) 2333 continue; 2334 EMITALGATTRS(SPDSOCK_AH_AUTH); 2335 EMITALGATTRS(SPDSOCK_ESP_AUTH); 2336 } else { 2337 if (algid == SADB_EALG_NONE) 2338 continue; 2339 ASSERT(algtype == IPSEC_ALG_ENCR); 2340 EMITALGATTRS(SPDSOCK_ESP_ENCR); 2341 } 2342 } 2343 } 2344 2345 mutex_exit(&ipss->ipsec_alg_lock); 2346 2347 #undef EMITALGATTRS 2348 #undef EMIT 2349 #undef ATTRPERALG 2350 2351 attr--; 2352 attr->spd_attr_tag = SPD_ATTR_END; 2353 2354 freemsg(mp); 2355 qreply(q, m); 2356 } 2357 2358 /* 2359 * Process a SPD_DUMPALGS request. 2360 */ 2361 2362 #define ATTRPERALG 9 /* fixed attributes per algs */ 2363 2364 void 2365 spdsock_dumpalgs(queue_t *q, mblk_t *mp) 2366 { 2367 uint_t algtype; 2368 uint_t algidx; 2369 uint_t size; 2370 mblk_t *m; 2371 uint8_t *cur; 2372 spd_msg_t *msg; 2373 struct spd_ext_actions *act; 2374 struct spd_attribute *attr; 2375 ipsec_alginfo_t *alg; 2376 uint_t algid; 2377 uint_t i; 2378 uint_t alg_size; 2379 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2380 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 2381 2382 mutex_enter(&ipss->ipsec_alg_lock); 2383 2384 /* 2385 * For each algorithm, we encode: 2386 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT} 2387 * 2388 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE* 2389 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_NPARAMS / ALG_PARAMS* / 2390 * ALG_MECHNAME / ALG_FLAGS / {END, NEXT} 2391 */ 2392 2393 /* 2394 * Compute the size of the SPD message. 2395 */ 2396 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions); 2397 2398 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2399 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2400 algidx++) { 2401 algid = ipss->ipsec_sortlist[algtype][algidx]; 2402 alg = ipss->ipsec_alglists[algtype][algid]; 2403 alg_size = sizeof (struct spd_attribute) * 2404 (ATTRPERALG + alg->alg_nkey_sizes + 2405 alg->alg_nblock_sizes + alg->alg_nparams) + 2406 CRYPTO_MAX_MECH_NAME; 2407 size += alg_size; 2408 } 2409 } 2410 2411 ASSERT(ALIGNED64(size)); 2412 2413 m = allocb(size, BPRI_HI); 2414 if (m == NULL) { 2415 mutex_exit(&ipss->ipsec_alg_lock); 2416 spdsock_error(q, mp, ENOMEM, 0); 2417 return; 2418 } 2419 2420 m->b_wptr = m->b_rptr + size; 2421 cur = m->b_rptr; 2422 2423 msg = (spd_msg_t *)cur; 2424 bcopy(mp->b_rptr, cur, sizeof (*msg)); 2425 2426 msg->spd_msg_len = SPD_8TO64(size); 2427 msg->spd_msg_errno = 0; 2428 msg->spd_msg_type = SPD_ALGLIST; 2429 2430 msg->spd_msg_diagnostic = 0; 2431 2432 cur += sizeof (*msg); 2433 2434 act = (struct spd_ext_actions *)cur; 2435 cur += sizeof (*act); 2436 2437 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t)); 2438 act->spd_actions_exttype = SPD_EXT_ACTION; 2439 act->spd_actions_count = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] + 2440 ipss->ipsec_nalgs[IPSEC_ALG_ENCR]; 2441 act->spd_actions_reserved = 0; 2442 2443 /* 2444 * If there aren't any algorithms registered, return an empty message. 2445 * spdsock_get_ext() knows how to deal with this. 2446 */ 2447 if (act->spd_actions_count == 0) { 2448 act->spd_actions_len = 0; 2449 mutex_exit(&ipss->ipsec_alg_lock); 2450 goto error; 2451 } 2452 2453 attr = (struct spd_attribute *)cur; 2454 2455 #define EMIT(tag, value) { \ 2456 attr->spd_attr_tag = (tag); \ 2457 attr->spd_attr_value = (value); \ 2458 attr++; \ 2459 } 2460 2461 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2462 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2463 algidx++) { 2464 2465 algid = ipss->ipsec_sortlist[algtype][algidx]; 2466 alg = ipss->ipsec_alglists[algtype][algid]; 2467 2468 /* 2469 * If you change the number of EMIT's here, change 2470 * ATTRPERALG above to match 2471 */ 2472 EMIT(SPD_ATTR_ALG_ID, algid); 2473 EMIT(SPD_ATTR_ALG_PROTO, algproto[algtype]); 2474 EMIT(SPD_ATTR_ALG_INCRBITS, alg->alg_increment); 2475 EMIT(SPD_ATTR_ALG_NKEYSIZES, alg->alg_nkey_sizes); 2476 for (i = 0; i < alg->alg_nkey_sizes; i++) 2477 EMIT(SPD_ATTR_ALG_KEYSIZE, 2478 alg->alg_key_sizes[i]); 2479 2480 EMIT(SPD_ATTR_ALG_NBLOCKSIZES, alg->alg_nblock_sizes); 2481 for (i = 0; i < alg->alg_nblock_sizes; i++) 2482 EMIT(SPD_ATTR_ALG_BLOCKSIZE, 2483 alg->alg_block_sizes[i]); 2484 2485 EMIT(SPD_ATTR_ALG_NPARAMS, alg->alg_nparams); 2486 for (i = 0; i < alg->alg_nparams; i++) 2487 EMIT(SPD_ATTR_ALG_PARAMS, 2488 alg->alg_params[i]); 2489 2490 EMIT(SPD_ATTR_ALG_FLAGS, alg->alg_flags); 2491 2492 EMIT(SPD_ATTR_ALG_MECHNAME, CRYPTO_MAX_MECH_NAME); 2493 bcopy(alg->alg_mech_name, attr, CRYPTO_MAX_MECH_NAME); 2494 attr = (struct spd_attribute *)((char *)attr + 2495 CRYPTO_MAX_MECH_NAME); 2496 2497 EMIT(SPD_ATTR_NEXT, 0); 2498 } 2499 } 2500 2501 mutex_exit(&ipss->ipsec_alg_lock); 2502 2503 #undef EMITALGATTRS 2504 #undef EMIT 2505 #undef ATTRPERALG 2506 2507 attr--; 2508 attr->spd_attr_tag = SPD_ATTR_END; 2509 2510 error: 2511 freemsg(mp); 2512 qreply(q, m); 2513 } 2514 2515 /* 2516 * Do the actual work of processing an SPD_UPDATEALGS request. Can 2517 * be invoked either once IPsec is loaded on a cached request, or 2518 * when a request is received while IPsec is loaded. 2519 */ 2520 static int 2521 spdsock_do_updatealg(spd_ext_t *extv[], spd_stack_t *spds) 2522 { 2523 struct spd_ext_actions *actp; 2524 struct spd_attribute *attr, *endattr; 2525 uint64_t *start, *end; 2526 ipsec_alginfo_t *alg = NULL; 2527 ipsec_algtype_t alg_type = 0; 2528 boolean_t skip_alg = B_TRUE, doing_proto = B_FALSE; 2529 uint_t i, cur_key, cur_block, algid; 2530 int diag = -1; 2531 2532 ASSERT(MUTEX_HELD(&spds->spds_alg_lock)); 2533 2534 /* parse the message, building the list of algorithms */ 2535 2536 actp = (struct spd_ext_actions *)extv[SPD_EXT_ACTION]; 2537 if (actp == NULL) 2538 return (SPD_DIAGNOSTIC_NO_ACTION_EXT); 2539 2540 start = (uint64_t *)actp; 2541 end = (start + actp->spd_actions_len); 2542 endattr = (struct spd_attribute *)end; 2543 attr = (struct spd_attribute *)&actp[1]; 2544 2545 bzero(spds->spds_algs, IPSEC_NALGTYPES * IPSEC_MAX_ALGS * 2546 sizeof (ipsec_alginfo_t *)); 2547 2548 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP); 2549 2550 #define ALG_KEY_SIZES(a) (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t)) 2551 #define ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t)) 2552 #define ALG_PARAM_SIZES(a) (((a)->alg_nparams + 1) * sizeof (uint16_t)) 2553 2554 while (attr < endattr) { 2555 switch (attr->spd_attr_tag) { 2556 case SPD_ATTR_NOP: 2557 case SPD_ATTR_EMPTY: 2558 break; 2559 case SPD_ATTR_END: 2560 attr = endattr; 2561 /* FALLTHRU */ 2562 case SPD_ATTR_NEXT: 2563 if (doing_proto) { 2564 doing_proto = B_FALSE; 2565 break; 2566 } 2567 if (skip_alg) { 2568 ipsec_alg_free(alg); 2569 } else { 2570 ipsec_alg_free( 2571 spds->spds_algs[alg_type][alg->alg_id]); 2572 spds->spds_algs[alg_type][alg->alg_id] = 2573 alg; 2574 } 2575 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP); 2576 break; 2577 2578 case SPD_ATTR_ALG_ID: 2579 if (attr->spd_attr_value >= IPSEC_MAX_ALGS) { 2580 ss1dbg(spds, ("spdsock_do_updatealg: " 2581 "invalid alg id %d\n", 2582 attr->spd_attr_value)); 2583 diag = SPD_DIAGNOSTIC_ALG_ID_RANGE; 2584 goto bail; 2585 } 2586 alg->alg_id = attr->spd_attr_value; 2587 break; 2588 2589 case SPD_ATTR_ALG_PROTO: 2590 /* find the alg type */ 2591 for (i = 0; i < NALGPROTOS; i++) 2592 if (algproto[i] == attr->spd_attr_value) 2593 break; 2594 skip_alg = (i == NALGPROTOS); 2595 if (!skip_alg) 2596 alg_type = i; 2597 break; 2598 2599 case SPD_ATTR_ALG_INCRBITS: 2600 alg->alg_increment = attr->spd_attr_value; 2601 break; 2602 2603 case SPD_ATTR_ALG_NKEYSIZES: 2604 if (alg->alg_key_sizes != NULL) { 2605 kmem_free(alg->alg_key_sizes, 2606 ALG_KEY_SIZES(alg)); 2607 } 2608 alg->alg_nkey_sizes = attr->spd_attr_value; 2609 /* 2610 * Allocate room for the trailing zero key size 2611 * value as well. 2612 */ 2613 alg->alg_key_sizes = kmem_zalloc(ALG_KEY_SIZES(alg), 2614 KM_SLEEP); 2615 cur_key = 0; 2616 break; 2617 2618 case SPD_ATTR_ALG_KEYSIZE: 2619 if (alg->alg_key_sizes == NULL || 2620 cur_key >= alg->alg_nkey_sizes) { 2621 ss1dbg(spds, ("spdsock_do_updatealg: " 2622 "too many key sizes\n")); 2623 diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES; 2624 goto bail; 2625 } 2626 alg->alg_key_sizes[cur_key++] = attr->spd_attr_value; 2627 break; 2628 2629 case SPD_ATTR_ALG_FLAGS: 2630 /* 2631 * Flags (bit mask). The alg_flags element of 2632 * ipsecalg_flags_t is only 8 bits wide. The 2633 * user can set the VALID bit, but we will ignore it 2634 * and make the decision is the algorithm is valid. 2635 */ 2636 alg->alg_flags |= (uint8_t)attr->spd_attr_value; 2637 break; 2638 2639 case SPD_ATTR_ALG_NBLOCKSIZES: 2640 if (alg->alg_block_sizes != NULL) { 2641 kmem_free(alg->alg_block_sizes, 2642 ALG_BLOCK_SIZES(alg)); 2643 } 2644 alg->alg_nblock_sizes = attr->spd_attr_value; 2645 /* 2646 * Allocate room for the trailing zero block size 2647 * value as well. 2648 */ 2649 alg->alg_block_sizes = kmem_zalloc(ALG_BLOCK_SIZES(alg), 2650 KM_SLEEP); 2651 cur_block = 0; 2652 break; 2653 2654 case SPD_ATTR_ALG_BLOCKSIZE: 2655 if (alg->alg_block_sizes == NULL || 2656 cur_block >= alg->alg_nblock_sizes) { 2657 ss1dbg(spds, ("spdsock_do_updatealg: " 2658 "too many block sizes\n")); 2659 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES; 2660 goto bail; 2661 } 2662 alg->alg_block_sizes[cur_block++] = 2663 attr->spd_attr_value; 2664 break; 2665 2666 case SPD_ATTR_ALG_NPARAMS: 2667 if (alg->alg_params != NULL) { 2668 kmem_free(alg->alg_params, 2669 ALG_PARAM_SIZES(alg)); 2670 } 2671 alg->alg_nparams = attr->spd_attr_value; 2672 /* 2673 * Allocate room for the trailing zero block size 2674 * value as well. 2675 */ 2676 alg->alg_params = kmem_zalloc(ALG_PARAM_SIZES(alg), 2677 KM_SLEEP); 2678 cur_block = 0; 2679 break; 2680 2681 case SPD_ATTR_ALG_PARAMS: 2682 if (alg->alg_params == NULL || 2683 cur_block >= alg->alg_nparams) { 2684 ss1dbg(spds, ("spdsock_do_updatealg: " 2685 "too many params\n")); 2686 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES; 2687 goto bail; 2688 } 2689 /* 2690 * Array contains: iv_len, icv_len, salt_len 2691 * Any additional parameters are currently ignored. 2692 */ 2693 alg->alg_params[cur_block++] = 2694 attr->spd_attr_value; 2695 break; 2696 2697 case SPD_ATTR_ALG_MECHNAME: { 2698 char *mech_name; 2699 2700 if (attr->spd_attr_value > CRYPTO_MAX_MECH_NAME) { 2701 ss1dbg(spds, ("spdsock_do_updatealg: " 2702 "mech name too long\n")); 2703 diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN; 2704 goto bail; 2705 } 2706 mech_name = (char *)(attr + 1); 2707 bcopy(mech_name, alg->alg_mech_name, 2708 attr->spd_attr_value); 2709 alg->alg_mech_name[CRYPTO_MAX_MECH_NAME-1] = '\0'; 2710 attr = (struct spd_attribute *)((char *)attr + 2711 attr->spd_attr_value); 2712 break; 2713 } 2714 2715 case SPD_ATTR_PROTO_ID: 2716 doing_proto = B_TRUE; 2717 for (i = 0; i < NALGPROTOS; i++) { 2718 if (algproto[i] == attr->spd_attr_value) { 2719 alg_type = i; 2720 break; 2721 } 2722 } 2723 break; 2724 2725 case SPD_ATTR_PROTO_EXEC_MODE: 2726 if (!doing_proto) 2727 break; 2728 for (i = 0; i < NEXECMODES; i++) { 2729 if (execmodes[i] == attr->spd_attr_value) { 2730 spds->spds_algs_exec_mode[alg_type] = i; 2731 break; 2732 } 2733 } 2734 break; 2735 } 2736 attr++; 2737 } 2738 2739 #undef ALG_KEY_SIZES 2740 #undef ALG_BLOCK_SIZES 2741 #undef ALG_PARAM_SIZES 2742 2743 /* update the algorithm tables */ 2744 spdsock_merge_algs(spds); 2745 bail: 2746 /* cleanup */ 2747 ipsec_alg_free(alg); 2748 for (alg_type = 0; alg_type < IPSEC_NALGTYPES; alg_type++) 2749 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) 2750 if (spds->spds_algs[alg_type][algid] != NULL) 2751 ipsec_alg_free(spds->spds_algs[alg_type][algid]); 2752 return (diag); 2753 } 2754 2755 /* 2756 * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue 2757 * the request until IPsec loads. If IPsec is loaded, act on it 2758 * immediately. 2759 */ 2760 2761 static void 2762 spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[]) 2763 { 2764 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2765 spd_stack_t *spds = ss->spdsock_spds; 2766 ipsec_stack_t *ipss = spds->spds_netstack->netstack_ipsec; 2767 2768 if (!ipsec_loaded(ipss)) { 2769 /* 2770 * IPsec is not loaded, save request and return nicely, 2771 * the message will be processed once IPsec loads. 2772 */ 2773 mblk_t *new_mp; 2774 2775 /* last update message wins */ 2776 if ((new_mp = copymsg(mp)) == NULL) { 2777 spdsock_error(q, mp, ENOMEM, 0); 2778 return; 2779 } 2780 mutex_enter(&spds->spds_alg_lock); 2781 bcopy(extv, spds->spds_extv_algs, 2782 sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1)); 2783 if (spds->spds_mp_algs != NULL) 2784 freemsg(spds->spds_mp_algs); 2785 spds->spds_mp_algs = mp; 2786 spds->spds_algs_pending = B_TRUE; 2787 mutex_exit(&spds->spds_alg_lock); 2788 if (audit_active) { 2789 cred_t *cr; 2790 pid_t cpid; 2791 2792 cr = msg_getcred(mp, &cpid); 2793 audit_pf_policy(SPD_UPDATEALGS, cr, 2794 spds->spds_netstack, NULL, B_TRUE, EAGAIN, 2795 cpid); 2796 } 2797 spd_echo(q, new_mp); 2798 } else { 2799 /* 2800 * IPsec is loaded, act on the message immediately. 2801 */ 2802 int diag; 2803 2804 mutex_enter(&spds->spds_alg_lock); 2805 diag = spdsock_do_updatealg(extv, spds); 2806 if (diag == -1) { 2807 /* Keep the lock held while we walk the SA tables. */ 2808 sadb_alg_update(IPSEC_ALG_ALL, 0, 0, 2809 spds->spds_netstack); 2810 mutex_exit(&spds->spds_alg_lock); 2811 spd_echo(q, mp); 2812 if (audit_active) { 2813 cred_t *cr; 2814 pid_t cpid; 2815 2816 cr = msg_getcred(mp, &cpid); 2817 audit_pf_policy(SPD_UPDATEALGS, cr, 2818 spds->spds_netstack, NULL, B_TRUE, 0, 2819 cpid); 2820 } 2821 } else { 2822 mutex_exit(&spds->spds_alg_lock); 2823 spdsock_diag(q, mp, diag); 2824 if (audit_active) { 2825 cred_t *cr; 2826 pid_t cpid; 2827 2828 cr = msg_getcred(mp, &cpid); 2829 audit_pf_policy(SPD_UPDATEALGS, cr, 2830 spds->spds_netstack, NULL, B_TRUE, diag, 2831 cpid); 2832 } 2833 } 2834 } 2835 } 2836 2837 /* 2838 * Sort through the mess of polhead options to retrieve an appropriate one. 2839 * Returns NULL if we send an spdsock error. Returns a valid pointer if we 2840 * found a valid polhead. Returns ALL_ACTIVE_POLHEADS (aka. -1) or 2841 * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to 2842 * act on ALL policy heads. 2843 */ 2844 static ipsec_policy_head_t * 2845 get_appropriate_polhead(queue_t *q, mblk_t *mp, spd_if_t *tunname, int spdid, 2846 int msgtype, ipsec_tun_pol_t **itpp) 2847 { 2848 ipsec_tun_pol_t *itp; 2849 ipsec_policy_head_t *iph; 2850 int errno; 2851 char *tname; 2852 boolean_t active; 2853 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2854 netstack_t *ns = ss->spdsock_spds->spds_netstack; 2855 uint64_t gen; /* Placeholder */ 2856 datalink_id_t linkid; 2857 2858 active = (spdid == SPD_ACTIVE); 2859 *itpp = NULL; 2860 if (!active && spdid != SPD_STANDBY) { 2861 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_SPDID); 2862 return (NULL); 2863 } 2864 2865 if (tunname != NULL) { 2866 /* Acting on a tunnel's SPD. */ 2867 tname = (char *)tunname->spd_if_name; 2868 if (*tname == '\0') { 2869 /* Handle all-polhead cases here. */ 2870 if (msgtype != SPD_FLUSH && msgtype != SPD_DUMP) { 2871 spdsock_diag(q, mp, 2872 SPD_DIAGNOSTIC_NOT_GLOBAL_OP); 2873 return (NULL); 2874 } 2875 return (active ? ALL_ACTIVE_POLHEADS : 2876 ALL_INACTIVE_POLHEADS); 2877 } 2878 2879 itp = get_tunnel_policy(tname, ns); 2880 if (itp == NULL) { 2881 if (msgtype != SPD_ADDRULE) { 2882 /* "Tunnel not found" */ 2883 spdsock_error(q, mp, ENOENT, 0); 2884 return (NULL); 2885 } 2886 2887 errno = 0; 2888 itp = create_tunnel_policy(tname, &errno, &gen, ns); 2889 if (itp == NULL) { 2890 /* 2891 * Something very bad happened, most likely 2892 * ENOMEM. Return an indicator. 2893 */ 2894 spdsock_error(q, mp, errno, 0); 2895 return (NULL); 2896 } 2897 } 2898 /* 2899 * Troll the plumbed tunnels and see if we have a match. We 2900 * need to do this always in case we add policy AFTER plumbing 2901 * a tunnel. 2902 */ 2903 if (dls_mgmt_get_linkid(tname, &linkid) == 0) 2904 iptun_set_policy(linkid, itp); 2905 2906 *itpp = itp; 2907 /* For spdsock dump state, set the polhead's name. */ 2908 if (msgtype == SPD_DUMP) { 2909 ITP_REFHOLD(itp); 2910 ss->spdsock_itp = itp; 2911 ss->spdsock_dump_tunnel = itp->itp_flags & 2912 (active ? ITPF_P_TUNNEL : ITPF_I_TUNNEL); 2913 } 2914 } else { 2915 itp = NULL; 2916 /* For spdsock dump state, indicate it's global policy. */ 2917 if (msgtype == SPD_DUMP) 2918 ss->spdsock_itp = NULL; 2919 } 2920 2921 if (active) 2922 iph = (itp == NULL) ? ipsec_system_policy(ns) : itp->itp_policy; 2923 else 2924 iph = (itp == NULL) ? ipsec_inactive_policy(ns) : 2925 itp->itp_inactive; 2926 2927 ASSERT(iph != NULL); 2928 if (itp != NULL) { 2929 IPPH_REFHOLD(iph); 2930 } 2931 2932 return (iph); 2933 } 2934 2935 static void 2936 spdsock_parse(queue_t *q, mblk_t *mp) 2937 { 2938 spd_msg_t *spmsg; 2939 spd_ext_t *extv[SPD_EXT_MAX + 1]; 2940 uint_t msgsize; 2941 ipsec_policy_head_t *iph; 2942 ipsec_tun_pol_t *itp; 2943 spd_if_t *tunname; 2944 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2945 spd_stack_t *spds = ss->spdsock_spds; 2946 netstack_t *ns = spds->spds_netstack; 2947 ipsec_stack_t *ipss = ns->netstack_ipsec; 2948 2949 /* Make sure nothing's below me. */ 2950 ASSERT(WR(q)->q_next == NULL); 2951 2952 spmsg = (spd_msg_t *)mp->b_rptr; 2953 2954 msgsize = SPD_64TO8(spmsg->spd_msg_len); 2955 2956 if (msgdsize(mp) != msgsize) { 2957 /* 2958 * Message len incorrect w.r.t. actual size. Send an error 2959 * (EMSGSIZE). It may be necessary to massage things a 2960 * bit. For example, if the spd_msg_type is hosed, 2961 * I need to set it to SPD_RESERVED to get delivery to 2962 * do the right thing. Then again, maybe just letting 2963 * the error delivery do the right thing. 2964 */ 2965 ss2dbg(spds, 2966 ("mblk (%lu) and base (%d) message sizes don't jibe.\n", 2967 msgdsize(mp), msgsize)); 2968 spdsock_error(q, mp, EMSGSIZE, SPD_DIAGNOSTIC_NONE); 2969 return; 2970 } 2971 2972 if (msgsize > (uint_t)(mp->b_wptr - mp->b_rptr)) { 2973 /* Get all message into one mblk. */ 2974 if (pullupmsg(mp, -1) == 0) { 2975 /* 2976 * Something screwy happened. 2977 */ 2978 ss3dbg(spds, ("spdsock_parse: pullupmsg() failed.\n")); 2979 return; 2980 } else { 2981 spmsg = (spd_msg_t *)mp->b_rptr; 2982 } 2983 } 2984 2985 switch (spdsock_get_ext(extv, spmsg, msgsize)) { 2986 case KGE_DUP: 2987 /* Handle duplicate extension. */ 2988 ss1dbg(spds, ("Got duplicate extension of type %d.\n", 2989 extv[0]->spd_ext_type)); 2990 spdsock_diag(q, mp, dup_ext_diag[extv[0]->spd_ext_type]); 2991 return; 2992 case KGE_UNK: 2993 /* Handle unknown extension. */ 2994 ss1dbg(spds, ("Got unknown extension of type %d.\n", 2995 extv[0]->spd_ext_type)); 2996 spdsock_diag(q, mp, SPD_DIAGNOSTIC_UNKNOWN_EXT); 2997 return; 2998 case KGE_LEN: 2999 /* Length error. */ 3000 ss1dbg(spds, ("Length %d on extension type %d overrun or 0.\n", 3001 extv[0]->spd_ext_len, extv[0]->spd_ext_type)); 3002 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_EXTLEN); 3003 return; 3004 case KGE_CHK: 3005 /* Reality check failed. */ 3006 ss1dbg(spds, ("Reality check failed on extension type %d.\n", 3007 extv[0]->spd_ext_type)); 3008 spdsock_diag(q, mp, bad_ext_diag[extv[0]->spd_ext_type]); 3009 return; 3010 default: 3011 /* Default case is no errors. */ 3012 break; 3013 } 3014 3015 /* 3016 * Special-case SPD_UPDATEALGS so as not to load IPsec. 3017 */ 3018 if (!ipsec_loaded(ipss) && spmsg->spd_msg_type != SPD_UPDATEALGS) { 3019 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3020 3021 ASSERT(ss != NULL); 3022 ipsec_loader_loadnow(ipss); 3023 ss->spdsock_timeout_arg = mp; 3024 ss->spdsock_timeout = qtimeout(q, spdsock_loadcheck, 3025 q, LOADCHECK_INTERVAL); 3026 return; 3027 } 3028 3029 /* First check for messages that need no polheads at all. */ 3030 switch (spmsg->spd_msg_type) { 3031 case SPD_UPDATEALGS: 3032 spdsock_updatealg(q, mp, extv); 3033 return; 3034 case SPD_ALGLIST: 3035 spdsock_alglist(q, mp); 3036 return; 3037 case SPD_DUMPALGS: 3038 spdsock_dumpalgs(q, mp); 3039 return; 3040 } 3041 3042 /* 3043 * Then check for ones that need both primary/secondary polheads, 3044 * finding the appropriate tunnel policy if need be. 3045 */ 3046 tunname = (spd_if_t *)extv[SPD_EXT_TUN_NAME]; 3047 switch (spmsg->spd_msg_type) { 3048 case SPD_FLIP: 3049 spdsock_flip(q, mp, tunname); 3050 return; 3051 case SPD_CLONE: 3052 spdsock_clone(q, mp, tunname); 3053 return; 3054 } 3055 3056 /* 3057 * Finally, find ones that operate on exactly one polhead, or 3058 * "all polheads" of a given type (active/inactive). 3059 */ 3060 iph = get_appropriate_polhead(q, mp, tunname, spmsg->spd_msg_spdid, 3061 spmsg->spd_msg_type, &itp); 3062 if (iph == NULL) 3063 return; 3064 3065 /* All-polheads-ready operations. */ 3066 switch (spmsg->spd_msg_type) { 3067 case SPD_FLUSH: 3068 if (itp != NULL) { 3069 mutex_enter(&itp->itp_lock); 3070 if (spmsg->spd_msg_spdid == SPD_ACTIVE) 3071 itp->itp_flags &= ~ITPF_PFLAGS; 3072 else 3073 itp->itp_flags &= ~ITPF_IFLAGS; 3074 mutex_exit(&itp->itp_lock); 3075 ITP_REFRELE(itp, ns); 3076 } 3077 spdsock_flush(q, iph, itp, mp); 3078 return; 3079 case SPD_DUMP: 3080 if (itp != NULL) 3081 ITP_REFRELE(itp, ns); 3082 spdsock_dump(q, iph, mp); 3083 return; 3084 } 3085 3086 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) { 3087 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NOT_GLOBAL_OP); 3088 return; 3089 } 3090 3091 /* Single-polhead-only operations. */ 3092 switch (spmsg->spd_msg_type) { 3093 case SPD_ADDRULE: 3094 spdsock_addrule(q, iph, mp, extv, itp); 3095 break; 3096 case SPD_DELETERULE: 3097 spdsock_deleterule(q, iph, mp, extv, itp); 3098 break; 3099 case SPD_LOOKUP: 3100 spdsock_lookup(q, iph, mp, extv, itp); 3101 break; 3102 default: 3103 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_MSG_TYPE); 3104 break; 3105 } 3106 3107 IPPH_REFRELE(iph, ns); 3108 if (itp != NULL) 3109 ITP_REFRELE(itp, ns); 3110 } 3111 3112 /* 3113 * If an algorithm mapping was received before IPsec was loaded, process it. 3114 * Called from the IPsec loader. 3115 */ 3116 void 3117 spdsock_update_pending_algs(netstack_t *ns) 3118 { 3119 spd_stack_t *spds = ns->netstack_spdsock; 3120 3121 mutex_enter(&spds->spds_alg_lock); 3122 if (spds->spds_algs_pending) { 3123 (void) spdsock_do_updatealg(spds->spds_extv_algs, spds); 3124 spds->spds_algs_pending = B_FALSE; 3125 } 3126 mutex_exit(&spds->spds_alg_lock); 3127 } 3128 3129 static void 3130 spdsock_loadcheck(void *arg) 3131 { 3132 queue_t *q = (queue_t *)arg; 3133 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3134 mblk_t *mp; 3135 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 3136 3137 ASSERT(ss != NULL); 3138 3139 ss->spdsock_timeout = 0; 3140 mp = ss->spdsock_timeout_arg; 3141 ASSERT(mp != NULL); 3142 ss->spdsock_timeout_arg = NULL; 3143 if (ipsec_failed(ipss)) 3144 spdsock_error(q, mp, EPROTONOSUPPORT, 0); 3145 else 3146 spdsock_parse(q, mp); 3147 } 3148 3149 /* 3150 * Copy relevant state bits. 3151 */ 3152 static void 3153 spdsock_copy_info(struct T_info_ack *tap, spdsock_t *ss) 3154 { 3155 *tap = spdsock_g_t_info_ack; 3156 tap->CURRENT_state = ss->spdsock_state; 3157 tap->OPT_size = spdsock_max_optsize; 3158 } 3159 3160 /* 3161 * This routine responds to T_CAPABILITY_REQ messages. It is called by 3162 * spdsock_wput. Much of the T_CAPABILITY_ACK information is copied from 3163 * spdsock_g_t_info_ack. The current state of the stream is copied from 3164 * spdsock_state. 3165 */ 3166 static void 3167 spdsock_capability_req(queue_t *q, mblk_t *mp) 3168 { 3169 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3170 t_uscalar_t cap_bits1; 3171 struct T_capability_ack *tcap; 3172 3173 cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1; 3174 3175 mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack), 3176 mp->b_datap->db_type, T_CAPABILITY_ACK); 3177 if (mp == NULL) 3178 return; 3179 3180 tcap = (struct T_capability_ack *)mp->b_rptr; 3181 tcap->CAP_bits1 = 0; 3182 3183 if (cap_bits1 & TC1_INFO) { 3184 spdsock_copy_info(&tcap->INFO_ack, ss); 3185 tcap->CAP_bits1 |= TC1_INFO; 3186 } 3187 3188 qreply(q, mp); 3189 } 3190 3191 /* 3192 * This routine responds to T_INFO_REQ messages. It is called by 3193 * spdsock_wput_other. 3194 * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack. 3195 * The current state of the stream is copied from spdsock_state. 3196 */ 3197 static void 3198 spdsock_info_req(q, mp) 3199 queue_t *q; 3200 mblk_t *mp; 3201 { 3202 mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO, 3203 T_INFO_ACK); 3204 if (mp == NULL) 3205 return; 3206 spdsock_copy_info((struct T_info_ack *)mp->b_rptr, 3207 (spdsock_t *)q->q_ptr); 3208 qreply(q, mp); 3209 } 3210 3211 /* 3212 * spdsock_err_ack. This routine creates a 3213 * T_ERROR_ACK message and passes it 3214 * upstream. 3215 */ 3216 static void 3217 spdsock_err_ack(q, mp, t_error, sys_error) 3218 queue_t *q; 3219 mblk_t *mp; 3220 int t_error; 3221 int sys_error; 3222 { 3223 if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL) 3224 qreply(q, mp); 3225 } 3226 3227 /* 3228 * This routine retrieves the current status of socket options. 3229 * It returns the size of the option retrieved. 3230 */ 3231 /* ARGSUSED */ 3232 int 3233 spdsock_opt_get(queue_t *q, int level, int name, uchar_t *ptr) 3234 { 3235 int *i1 = (int *)ptr; 3236 3237 switch (level) { 3238 case SOL_SOCKET: 3239 switch (name) { 3240 case SO_TYPE: 3241 *i1 = SOCK_RAW; 3242 break; 3243 /* 3244 * The following two items can be manipulated, 3245 * but changing them should do nothing. 3246 */ 3247 case SO_SNDBUF: 3248 *i1 = (int)q->q_hiwat; 3249 break; 3250 case SO_RCVBUF: 3251 *i1 = (int)(RD(q)->q_hiwat); 3252 break; 3253 } 3254 break; 3255 default: 3256 return (0); 3257 } 3258 return (sizeof (int)); 3259 } 3260 3261 /* 3262 * This routine sets socket options. 3263 */ 3264 /* ARGSUSED */ 3265 int 3266 spdsock_opt_set(queue_t *q, uint_t mgmt_flags, int level, int name, 3267 uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp, 3268 void *thisdg_attrs, cred_t *cr) 3269 { 3270 int *i1 = (int *)invalp; 3271 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3272 spd_stack_t *spds = ss->spdsock_spds; 3273 3274 switch (level) { 3275 case SOL_SOCKET: 3276 switch (name) { 3277 case SO_SNDBUF: 3278 if (*i1 > spds->spds_max_buf) 3279 return (ENOBUFS); 3280 q->q_hiwat = *i1; 3281 break; 3282 case SO_RCVBUF: 3283 if (*i1 > spds->spds_max_buf) 3284 return (ENOBUFS); 3285 RD(q)->q_hiwat = *i1; 3286 (void) proto_set_rx_hiwat(RD(q), NULL, *i1); 3287 break; 3288 } 3289 break; 3290 } 3291 return (0); 3292 } 3293 3294 3295 /* 3296 * Handle STREAMS messages. 3297 */ 3298 static void 3299 spdsock_wput_other(queue_t *q, mblk_t *mp) 3300 { 3301 struct iocblk *iocp; 3302 int error; 3303 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3304 spd_stack_t *spds = ss->spdsock_spds; 3305 cred_t *cr; 3306 3307 switch (mp->b_datap->db_type) { 3308 case M_PROTO: 3309 case M_PCPROTO: 3310 if ((mp->b_wptr - mp->b_rptr) < sizeof (long)) { 3311 ss3dbg(spds, ( 3312 "spdsock_wput_other: Not big enough M_PROTO\n")); 3313 freemsg(mp); 3314 return; 3315 } 3316 switch (((union T_primitives *)mp->b_rptr)->type) { 3317 case T_CAPABILITY_REQ: 3318 spdsock_capability_req(q, mp); 3319 break; 3320 case T_INFO_REQ: 3321 spdsock_info_req(q, mp); 3322 break; 3323 case T_SVR4_OPTMGMT_REQ: 3324 case T_OPTMGMT_REQ: 3325 /* 3326 * All Solaris components should pass a db_credp 3327 * for this TPI message, hence we ASSERT. 3328 * But in case there is some other M_PROTO that looks 3329 * like a TPI message sent by some other kernel 3330 * component, we check and return an error. 3331 */ 3332 cr = msg_getcred(mp, NULL); 3333 ASSERT(cr != NULL); 3334 if (cr == NULL) { 3335 spdsock_err_ack(q, mp, TSYSERR, EINVAL); 3336 return; 3337 } 3338 if (((union T_primitives *)mp->b_rptr)->type == 3339 T_SVR4_OPTMGMT_REQ) { 3340 svr4_optcom_req(q, mp, cr, &spdsock_opt_obj); 3341 } else { 3342 tpi_optcom_req(q, mp, cr, &spdsock_opt_obj); 3343 } 3344 break; 3345 case T_DATA_REQ: 3346 case T_EXDATA_REQ: 3347 case T_ORDREL_REQ: 3348 /* Illegal for spdsock. */ 3349 freemsg(mp); 3350 (void) putnextctl1(RD(q), M_ERROR, EPROTO); 3351 break; 3352 default: 3353 /* Not supported by spdsock. */ 3354 spdsock_err_ack(q, mp, TNOTSUPPORT, 0); 3355 break; 3356 } 3357 return; 3358 case M_IOCTL: 3359 iocp = (struct iocblk *)mp->b_rptr; 3360 error = EINVAL; 3361 3362 switch (iocp->ioc_cmd) { 3363 case ND_SET: 3364 case ND_GET: 3365 if (nd_getset(q, spds->spds_g_nd, mp)) { 3366 qreply(q, mp); 3367 return; 3368 } else 3369 error = ENOENT; 3370 /* FALLTHRU */ 3371 default: 3372 miocnak(q, mp, 0, error); 3373 return; 3374 } 3375 case M_FLUSH: 3376 if (*mp->b_rptr & FLUSHW) { 3377 flushq(q, FLUSHALL); 3378 *mp->b_rptr &= ~FLUSHW; 3379 } 3380 if (*mp->b_rptr & FLUSHR) { 3381 qreply(q, mp); 3382 return; 3383 } 3384 /* Else FALLTHRU */ 3385 } 3386 3387 /* If fell through, just black-hole the message. */ 3388 freemsg(mp); 3389 } 3390 3391 static void 3392 spdsock_wput(queue_t *q, mblk_t *mp) 3393 { 3394 uint8_t *rptr = mp->b_rptr; 3395 mblk_t *mp1; 3396 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3397 spd_stack_t *spds = ss->spdsock_spds; 3398 3399 /* 3400 * If we're dumping, defer processing other messages until the 3401 * dump completes. 3402 */ 3403 if (ss->spdsock_dump_req != NULL) { 3404 if (!putq(q, mp)) 3405 freemsg(mp); 3406 return; 3407 } 3408 3409 switch (mp->b_datap->db_type) { 3410 case M_DATA: 3411 /* 3412 * Silently discard. 3413 */ 3414 ss2dbg(spds, ("raw M_DATA in spdsock.\n")); 3415 freemsg(mp); 3416 return; 3417 case M_PROTO: 3418 case M_PCPROTO: 3419 if ((mp->b_wptr - rptr) >= sizeof (struct T_data_req)) { 3420 if (((union T_primitives *)rptr)->type == T_DATA_REQ) { 3421 if ((mp1 = mp->b_cont) == NULL) { 3422 /* No data after T_DATA_REQ. */ 3423 ss2dbg(spds, 3424 ("No data after DATA_REQ.\n")); 3425 freemsg(mp); 3426 return; 3427 } 3428 freeb(mp); 3429 mp = mp1; 3430 ss2dbg(spds, ("T_DATA_REQ\n")); 3431 break; /* Out of switch. */ 3432 } 3433 } 3434 /* FALLTHRU */ 3435 default: 3436 ss3dbg(spds, ("In default wput case (%d %d).\n", 3437 mp->b_datap->db_type, ((union T_primitives *)rptr)->type)); 3438 spdsock_wput_other(q, mp); 3439 return; 3440 } 3441 3442 /* I now have a PF_POLICY message in an M_DATA block. */ 3443 spdsock_parse(q, mp); 3444 } 3445 3446 /* 3447 * Device open procedure, called when new queue pair created. 3448 * We are passed the read-side queue. 3449 */ 3450 /* ARGSUSED */ 3451 static int 3452 spdsock_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp) 3453 { 3454 spdsock_t *ss; 3455 queue_t *oq = OTHERQ(q); 3456 minor_t ssminor; 3457 netstack_t *ns; 3458 spd_stack_t *spds; 3459 3460 if (secpolicy_ip_config(credp, B_FALSE) != 0) 3461 return (EPERM); 3462 3463 if (q->q_ptr != NULL) 3464 return (0); /* Re-open of an already open instance. */ 3465 3466 if (sflag & MODOPEN) 3467 return (EINVAL); 3468 3469 ns = netstack_find_by_cred(credp); 3470 ASSERT(ns != NULL); 3471 spds = ns->netstack_spdsock; 3472 ASSERT(spds != NULL); 3473 3474 ss2dbg(spds, ("Made it into PF_POLICY socket open.\n")); 3475 3476 ssminor = (minor_t)(uintptr_t)vmem_alloc(spdsock_vmem, 1, VM_NOSLEEP); 3477 if (ssminor == 0) { 3478 netstack_rele(spds->spds_netstack); 3479 return (ENOMEM); 3480 } 3481 ss = kmem_zalloc(sizeof (spdsock_t), KM_NOSLEEP); 3482 if (ss == NULL) { 3483 vmem_free(spdsock_vmem, (void *)(uintptr_t)ssminor, 1); 3484 netstack_rele(spds->spds_netstack); 3485 return (ENOMEM); 3486 } 3487 3488 ss->spdsock_minor = ssminor; 3489 ss->spdsock_state = TS_UNBND; 3490 ss->spdsock_dump_req = NULL; 3491 3492 ss->spdsock_spds = spds; 3493 3494 q->q_ptr = ss; 3495 oq->q_ptr = ss; 3496 3497 q->q_hiwat = spds->spds_recv_hiwat; 3498 3499 oq->q_hiwat = spds->spds_xmit_hiwat; 3500 oq->q_lowat = spds->spds_xmit_lowat; 3501 3502 qprocson(q); 3503 (void) proto_set_rx_hiwat(q, NULL, spds->spds_recv_hiwat); 3504 3505 *devp = makedevice(getmajor(*devp), ss->spdsock_minor); 3506 return (0); 3507 } 3508 3509 /* 3510 * Read-side service procedure, invoked when we get back-enabled 3511 * when buffer space becomes available. 3512 * 3513 * Dump another chunk if we were dumping before; when we finish, kick 3514 * the write-side queue in case it's waiting for read queue space. 3515 */ 3516 void 3517 spdsock_rsrv(queue_t *q) 3518 { 3519 spdsock_t *ss = q->q_ptr; 3520 3521 if (ss->spdsock_dump_req != NULL) 3522 spdsock_dump_some(q, ss); 3523 3524 if (ss->spdsock_dump_req == NULL) 3525 qenable(OTHERQ(q)); 3526 } 3527 3528 /* 3529 * Write-side service procedure, invoked when we defer processing 3530 * if another message is received while a dump is in progress. 3531 */ 3532 void 3533 spdsock_wsrv(queue_t *q) 3534 { 3535 spdsock_t *ss = q->q_ptr; 3536 mblk_t *mp; 3537 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 3538 3539 if (ss->spdsock_dump_req != NULL) { 3540 qenable(OTHERQ(q)); 3541 return; 3542 } 3543 3544 while ((mp = getq(q)) != NULL) { 3545 if (ipsec_loaded(ipss)) { 3546 spdsock_wput(q, mp); 3547 if (ss->spdsock_dump_req != NULL) 3548 return; 3549 } else if (!ipsec_failed(ipss)) { 3550 (void) putq(q, mp); 3551 } else { 3552 spdsock_error(q, mp, EPFNOSUPPORT, 0); 3553 } 3554 } 3555 } 3556 3557 static int 3558 spdsock_close(queue_t *q) 3559 { 3560 spdsock_t *ss = q->q_ptr; 3561 spd_stack_t *spds = ss->spdsock_spds; 3562 3563 qprocsoff(q); 3564 3565 /* Safe assumption. */ 3566 ASSERT(ss != NULL); 3567 3568 if (ss->spdsock_timeout != 0) 3569 (void) quntimeout(q, ss->spdsock_timeout); 3570 3571 ss3dbg(spds, ("Driver close, PF_POLICY socket is going away.\n")); 3572 3573 vmem_free(spdsock_vmem, (void *)(uintptr_t)ss->spdsock_minor, 1); 3574 netstack_rele(ss->spdsock_spds->spds_netstack); 3575 3576 kmem_free(ss, sizeof (spdsock_t)); 3577 return (0); 3578 } 3579 3580 /* 3581 * Merge the IPsec algorithms tables with the received algorithm information. 3582 */ 3583 void 3584 spdsock_merge_algs(spd_stack_t *spds) 3585 { 3586 ipsec_alginfo_t *alg, *oalg; 3587 ipsec_algtype_t algtype; 3588 uint_t algidx, algid, nalgs; 3589 crypto_mech_name_t *mechs; 3590 uint_t mech_count, mech_idx; 3591 netstack_t *ns = spds->spds_netstack; 3592 ipsec_stack_t *ipss = ns->netstack_ipsec; 3593 3594 ASSERT(MUTEX_HELD(&spds->spds_alg_lock)); 3595 3596 /* 3597 * Get the list of supported mechanisms from the crypto framework. 3598 * If a mechanism is supported by KCF, resolve its mechanism 3599 * id and mark it as being valid. This operation must be done 3600 * without holding alg_lock, since it can cause a provider 3601 * module to be loaded and the provider notification callback to 3602 * be invoked. 3603 */ 3604 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP); 3605 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3606 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) { 3607 int algflags = 0; 3608 crypto_mech_type_t mt = CRYPTO_MECHANISM_INVALID; 3609 3610 alg = spds->spds_algs[algtype][algid]; 3611 if (alg == NULL) 3612 continue; 3613 3614 /* 3615 * The NULL encryption algorithm is a special 3616 * case because there are no mechanisms, yet 3617 * the algorithm is still valid. 3618 */ 3619 if (alg->alg_id == SADB_EALG_NULL) { 3620 alg->alg_mech_type = CRYPTO_MECHANISM_INVALID; 3621 alg->alg_flags |= ALG_FLAG_VALID; 3622 continue; 3623 } 3624 3625 for (mech_idx = 0; mech_idx < mech_count; mech_idx++) { 3626 if (strncmp(alg->alg_mech_name, mechs[mech_idx], 3627 CRYPTO_MAX_MECH_NAME) == 0) { 3628 mt = crypto_mech2id(alg->alg_mech_name); 3629 ASSERT(mt != CRYPTO_MECHANISM_INVALID); 3630 algflags = ALG_FLAG_VALID; 3631 break; 3632 } 3633 } 3634 alg->alg_mech_type = mt; 3635 alg->alg_flags |= algflags; 3636 } 3637 } 3638 3639 mutex_enter(&ipss->ipsec_alg_lock); 3640 3641 /* 3642 * For each algorithm currently defined, check if it is 3643 * present in the new tables created from the SPD_UPDATEALGS 3644 * message received from user-space. 3645 * Delete the algorithm entries that are currently defined 3646 * but not part of the new tables. 3647 */ 3648 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3649 nalgs = ipss->ipsec_nalgs[algtype]; 3650 for (algidx = 0; algidx < nalgs; algidx++) { 3651 algid = ipss->ipsec_sortlist[algtype][algidx]; 3652 if (spds->spds_algs[algtype][algid] == NULL) 3653 ipsec_alg_unreg(algtype, algid, ns); 3654 } 3655 } 3656 3657 /* 3658 * For each algorithm we just received, check if it is 3659 * present in the currently defined tables. If it is, swap 3660 * the entry with the one we just allocated. 3661 * If the new algorithm is not in the current tables, 3662 * add it. 3663 */ 3664 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3665 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) { 3666 alg = spds->spds_algs[algtype][algid]; 3667 if (alg == NULL) 3668 continue; 3669 3670 if ((oalg = ipss->ipsec_alglists[algtype][algid]) == 3671 NULL) { 3672 /* 3673 * New algorithm, add it to the algorithm 3674 * table. 3675 */ 3676 ipsec_alg_reg(algtype, alg, ns); 3677 } else { 3678 /* 3679 * Algorithm is already in the table. Swap 3680 * the existing entry with the new one. 3681 */ 3682 ipsec_alg_fix_min_max(alg, algtype, ns); 3683 ipss->ipsec_alglists[algtype][algid] = alg; 3684 ipsec_alg_free(oalg); 3685 } 3686 spds->spds_algs[algtype][algid] = NULL; 3687 } 3688 } 3689 3690 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3691 ipss->ipsec_algs_exec_mode[algtype] = 3692 spds->spds_algs_exec_mode[algtype]; 3693 } 3694 3695 mutex_exit(&ipss->ipsec_alg_lock); 3696 3697 crypto_free_mech_list(mechs, mech_count); 3698 3699 ipsecah_algs_changed(ns); 3700 ipsecesp_algs_changed(ns); 3701 } 3702