1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/stream.h> 30 #include <sys/stropts.h> 31 #include <sys/ddi.h> 32 #include <sys/debug.h> 33 #include <sys/cmn_err.h> 34 #include <sys/stream.h> 35 #include <sys/strlog.h> 36 #include <sys/kmem.h> 37 #include <sys/sunddi.h> 38 #include <sys/tihdr.h> 39 #include <sys/atomic.h> 40 #include <sys/socket.h> 41 #include <sys/sysmacros.h> 42 #include <sys/crypto/common.h> 43 #include <sys/crypto/api.h> 44 #include <sys/zone.h> 45 #include <netinet/in.h> 46 #include <net/if.h> 47 #include <net/pfkeyv2.h> 48 #include <inet/common.h> 49 #include <netinet/ip6.h> 50 #include <inet/ip.h> 51 #include <inet/ip6.h> 52 #include <inet/ipsec_info.h> 53 #include <inet/ipsec_impl.h> 54 #include <inet/tcp.h> 55 #include <inet/sadb.h> 56 #include <inet/ipsecah.h> 57 #include <inet/ipsecesp.h> 58 #include <sys/random.h> 59 #include <sys/dlpi.h> 60 #include <sys/iphada.h> 61 #include <inet/ip_if.h> 62 #include <inet/ipdrop.h> 63 #include <inet/ipclassifier.h> 64 #include <inet/sctp_ip.h> 65 66 /* 67 * This source file contains Security Association Database (SADB) common 68 * routines. They are linked in with the AH module. Since AH has no chance 69 * of falling under export control, it was safe to link it in there. 70 */ 71 72 /* Packet dropper for generic SADB drops. */ 73 static ipdropper_t sadb_dropper; 74 75 static mblk_t *sadb_extended_acquire(ipsec_selector_t *, ipsec_policy_t *, 76 ipsec_action_t *, uint32_t, uint32_t); 77 static void sadb_ill_df(ill_t *, mblk_t *, isaf_t *, int, boolean_t); 78 static ipsa_t *sadb_torch_assoc(isaf_t *, ipsa_t *, boolean_t, mblk_t **); 79 static void sadb_drain_torchq(queue_t *q, mblk_t *); 80 static void sadb_destroy_acqlist(iacqf_t **, uint_t, boolean_t); 81 static void sadb_destroy(sadb_t *sp); 82 83 static time_t sadb_add_time(time_t base, uint64_t delta); 84 85 /* 86 * ipsacq_maxpackets is defined here to make it tunable 87 * from /etc/system. 88 */ 89 extern uint64_t ipsacq_maxpackets; 90 91 #define SET_EXPIRE(sa, delta, exp) { \ 92 if (((sa)->ipsa_ ## delta) != 0) { \ 93 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \ 94 (sa)->ipsa_ ## delta); \ 95 } \ 96 } 97 98 #define UPDATE_EXPIRE(sa, delta, exp) { \ 99 if (((sa)->ipsa_ ## delta) != 0) { \ 100 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \ 101 (sa)->ipsa_ ## delta); \ 102 if (((sa)->ipsa_ ## exp) == 0) \ 103 (sa)->ipsa_ ## exp = tmp; \ 104 else \ 105 (sa)->ipsa_ ## exp = \ 106 MIN((sa)->ipsa_ ## exp, tmp); \ 107 } \ 108 } 109 110 111 /* wrap the macro so we can pass it as a function pointer */ 112 void 113 sadb_sa_refrele(void *target) 114 { 115 IPSA_REFRELE(((ipsa_t *)target)); 116 } 117 118 /* 119 * We presume that sizeof (long) == sizeof (time_t) and that time_t is 120 * a signed type. 121 */ 122 #define TIME_MAX LONG_MAX 123 124 /* 125 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that 126 * time_t is defined to be a signed type with the same range as 127 * "long". On ILP32 systems, we thus run the risk of wrapping around 128 * at end of time, as well as "overwrapping" the clock back around 129 * into a seemingly valid but incorrect future date earlier than the 130 * desired expiration. 131 * 132 * In order to avoid odd behavior (either negative lifetimes or loss 133 * of high order bits) when someone asks for bizarrely long SA 134 * lifetimes, we do a saturating add for expire times. 135 * 136 * We presume that ILP32 systems will be past end of support life when 137 * the 32-bit time_t overflows (a dangerous assumption, mind you..). 138 * 139 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we 140 * will hopefully have figured out clever ways to avoid the use of 141 * fixed-sized integers in computation. 142 */ 143 static time_t 144 sadb_add_time(time_t base, uint64_t delta) 145 { 146 time_t sum; 147 148 /* 149 * Clip delta to the maximum possible time_t value to 150 * prevent "overwrapping" back into a shorter-than-desired 151 * future time. 152 */ 153 if (delta > TIME_MAX) 154 delta = TIME_MAX; 155 /* 156 * This sum may still overflow. 157 */ 158 sum = base + delta; 159 160 /* 161 * .. so if the result is less than the base, we overflowed. 162 */ 163 if (sum < base) 164 sum = TIME_MAX; 165 166 return (sum); 167 } 168 169 /* 170 * Callers of this function have already created a working security 171 * association, and have found the appropriate table & hash chain. All this 172 * function does is check duplicates, and insert the SA. The caller needs to 173 * hold the hash bucket lock and increment the refcnt before insertion. 174 * 175 * Return 0 if success, EEXIST if collision. 176 */ 177 int 178 sadb_insertassoc(ipsa_t *ipsa, isaf_t *bucket) 179 { 180 ipsa_t **ptpn = NULL; 181 ipsa_t *walker; 182 boolean_t unspecsrc; 183 184 ASSERT(MUTEX_HELD(&bucket->isaf_lock)); 185 186 unspecsrc = IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_srcaddr, ipsa->ipsa_addrfam); 187 188 walker = bucket->isaf_ipsa; 189 ASSERT(walker == NULL || ipsa->ipsa_addrfam == walker->ipsa_addrfam); 190 191 /* 192 * Find insertion point (pointed to with **ptpn). Insert at the head 193 * of the list unless there's an unspecified source address, then 194 * insert it after the last SA with a specified source address. 195 * 196 * BTW, you'll have to walk the whole chain, matching on {DST, SPI} 197 * checking for collisions. 198 */ 199 200 while (walker != NULL) { 201 if (IPSA_ARE_ADDR_EQUAL(walker->ipsa_dstaddr, 202 ipsa->ipsa_dstaddr, ipsa->ipsa_addrfam)) { 203 if (walker->ipsa_spi == ipsa->ipsa_spi) 204 return (EEXIST); 205 206 mutex_enter(&walker->ipsa_lock); 207 if (ipsa->ipsa_state == IPSA_STATE_MATURE && 208 (walker->ipsa_flags & IPSA_F_USED) && 209 ((walker->ipsa_unique_id & 210 walker->ipsa_unique_mask) == 211 (ipsa->ipsa_unique_id & 212 ipsa->ipsa_unique_mask))) { 213 walker->ipsa_flags |= IPSA_F_CINVALID; 214 } 215 mutex_exit(&walker->ipsa_lock); 216 } 217 218 if (ptpn == NULL && unspecsrc) { 219 if (IPSA_IS_ADDR_UNSPEC(walker->ipsa_srcaddr, 220 walker->ipsa_addrfam)) 221 ptpn = walker->ipsa_ptpn; 222 else if (walker->ipsa_next == NULL) 223 ptpn = &walker->ipsa_next; 224 } 225 226 walker = walker->ipsa_next; 227 } 228 229 if (ptpn == NULL) 230 ptpn = &bucket->isaf_ipsa; 231 ipsa->ipsa_next = *ptpn; 232 ipsa->ipsa_ptpn = ptpn; 233 if (ipsa->ipsa_next != NULL) 234 ipsa->ipsa_next->ipsa_ptpn = &ipsa->ipsa_next; 235 *ptpn = ipsa; 236 ipsa->ipsa_linklock = &bucket->isaf_lock; 237 238 return (0); 239 } 240 241 /* 242 * Free a security association. Its reference count is 0, which means 243 * I must free it. The SA must be unlocked and must not be linked into 244 * any fanout list. 245 */ 246 static void 247 sadb_freeassoc(ipsa_t *ipsa) 248 { 249 ASSERT(!MUTEX_HELD(&ipsa->ipsa_lock)); 250 ASSERT(ipsa->ipsa_refcnt == 0); 251 ASSERT(ipsa->ipsa_next == NULL); 252 ASSERT(ipsa->ipsa_ptpn == NULL); 253 254 ip_drop_packet(sadb_clear_lpkt(ipsa), B_TRUE, NULL, NULL, 255 &ipdrops_sadb_inlarval_timeout, &sadb_dropper); 256 257 mutex_enter(&ipsa->ipsa_lock); 258 259 if (ipsa->ipsa_natt_ka_timer != 0) 260 (void) quntimeout(ipsa->ipsa_natt_q, ipsa->ipsa_natt_ka_timer); 261 262 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_AUTH); 263 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_ENCR); 264 mutex_exit(&ipsa->ipsa_lock); 265 266 /* bzero() these fields for paranoia's sake. */ 267 if (ipsa->ipsa_authkey != NULL) { 268 bzero(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 269 kmem_free(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 270 } 271 if (ipsa->ipsa_encrkey != NULL) { 272 bzero(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 273 kmem_free(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 274 } 275 if (ipsa->ipsa_src_cid != NULL) { 276 IPSID_REFRELE(ipsa->ipsa_src_cid); 277 } 278 if (ipsa->ipsa_dst_cid != NULL) { 279 IPSID_REFRELE(ipsa->ipsa_dst_cid); 280 } 281 if (ipsa->ipsa_proxy_cid != NULL) { 282 IPSID_REFRELE(ipsa->ipsa_proxy_cid); 283 } 284 if (ipsa->ipsa_integ != NULL) 285 kmem_free(ipsa->ipsa_integ, ipsa->ipsa_integlen); 286 if (ipsa->ipsa_sens != NULL) 287 kmem_free(ipsa->ipsa_sens, ipsa->ipsa_senslen); 288 289 mutex_destroy(&ipsa->ipsa_lock); 290 kmem_free(ipsa, sizeof (*ipsa)); 291 } 292 293 /* 294 * Unlink a security association from a hash bucket. Assume the hash bucket 295 * lock is held, but the association's lock is not. 296 * 297 * Note that we do not bump the bucket's generation number here because 298 * we might not be making a visible change to the set of visible SA's. 299 * All callers MUST bump the bucket's generation number before they unlock 300 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which 301 * was present in the bucket at the time it was locked. 302 */ 303 void 304 sadb_unlinkassoc(ipsa_t *ipsa) 305 { 306 ASSERT(ipsa->ipsa_linklock != NULL); 307 ASSERT(MUTEX_HELD(ipsa->ipsa_linklock)); 308 309 /* These fields are protected by the link lock. */ 310 *(ipsa->ipsa_ptpn) = ipsa->ipsa_next; 311 if (ipsa->ipsa_next != NULL) { 312 ipsa->ipsa_next->ipsa_ptpn = ipsa->ipsa_ptpn; 313 ipsa->ipsa_next = NULL; 314 } 315 316 ipsa->ipsa_ptpn = NULL; 317 318 /* This may destroy the SA. */ 319 IPSA_REFRELE(ipsa); 320 } 321 322 /* 323 * Create a larval security association with the specified SPI. All other 324 * fields are zeroed. 325 */ 326 static ipsa_t * 327 sadb_makelarvalassoc(uint32_t spi, uint32_t *src, uint32_t *dst, int addrfam) 328 { 329 ipsa_t *newbie; 330 331 /* 332 * Allocate... 333 */ 334 335 newbie = (ipsa_t *)kmem_zalloc(sizeof (ipsa_t), KM_NOSLEEP); 336 if (newbie == NULL) { 337 /* Can't make new larval SA. */ 338 return (NULL); 339 } 340 341 /* Assigned requested SPI, assume caller does SPI allocation magic. */ 342 newbie->ipsa_spi = spi; 343 344 /* 345 * Copy addresses... 346 */ 347 348 IPSA_COPY_ADDR(newbie->ipsa_srcaddr, src, addrfam); 349 IPSA_COPY_ADDR(newbie->ipsa_dstaddr, dst, addrfam); 350 351 newbie->ipsa_addrfam = addrfam; 352 353 /* 354 * Set common initialization values, including refcnt. 355 */ 356 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 357 newbie->ipsa_state = IPSA_STATE_LARVAL; 358 newbie->ipsa_refcnt = 1; 359 newbie->ipsa_freefunc = sadb_freeassoc; 360 361 /* 362 * There aren't a lot of other common initialization values, as 363 * they are copied in from the PF_KEY message. 364 */ 365 366 return (newbie); 367 } 368 369 /* 370 * Call me to initialize a security association fanout. 371 */ 372 static int 373 sadb_init_fanout(isaf_t **tablep, uint_t size, int kmflag) 374 { 375 isaf_t *table; 376 int i; 377 378 table = (isaf_t *)kmem_alloc(size * sizeof (*table), kmflag); 379 *tablep = table; 380 381 if (table == NULL) 382 return (ENOMEM); 383 384 for (i = 0; i < size; i++) { 385 mutex_init(&(table[i].isaf_lock), NULL, MUTEX_DEFAULT, NULL); 386 table[i].isaf_ipsa = NULL; 387 table[i].isaf_gen = 0; 388 } 389 390 return (0); 391 } 392 393 /* 394 * Call me to initialize an acquire fanout 395 */ 396 static int 397 sadb_init_acfanout(iacqf_t **tablep, uint_t size, int kmflag) 398 { 399 iacqf_t *table; 400 int i; 401 402 table = (iacqf_t *)kmem_alloc(size * sizeof (*table), kmflag); 403 *tablep = table; 404 405 if (table == NULL) 406 return (ENOMEM); 407 408 for (i = 0; i < size; i++) { 409 mutex_init(&(table[i].iacqf_lock), NULL, MUTEX_DEFAULT, NULL); 410 table[i].iacqf_ipsacq = NULL; 411 } 412 413 return (0); 414 } 415 416 /* 417 * Attempt to initialize an SADB instance. On failure, return ENOMEM; 418 * caller must clean up partial allocations. 419 */ 420 static int 421 sadb_init_trial(sadb_t *sp, uint_t size, int kmflag) 422 { 423 ASSERT(sp->sdb_of == NULL); 424 ASSERT(sp->sdb_if == NULL); 425 ASSERT(sp->sdb_acq == NULL); 426 427 sp->sdb_hashsize = size; 428 if (sadb_init_fanout(&sp->sdb_of, size, kmflag) != 0) 429 return (ENOMEM); 430 if (sadb_init_fanout(&sp->sdb_if, size, kmflag) != 0) 431 return (ENOMEM); 432 if (sadb_init_acfanout(&sp->sdb_acq, size, kmflag) != 0) 433 return (ENOMEM); 434 435 return (0); 436 } 437 438 /* 439 * Call me to initialize an SADB instance; fall back to default size on failure. 440 */ 441 static void 442 sadb_init(const char *name, sadb_t *sp, uint_t size, uint_t ver) 443 { 444 ASSERT(sp->sdb_of == NULL); 445 ASSERT(sp->sdb_if == NULL); 446 ASSERT(sp->sdb_acq == NULL); 447 448 if (size < IPSEC_DEFAULT_HASH_SIZE) 449 size = IPSEC_DEFAULT_HASH_SIZE; 450 451 if (sadb_init_trial(sp, size, KM_NOSLEEP) != 0) { 452 453 cmn_err(CE_WARN, 454 "Unable to allocate %u entry IPv%u %s SADB hash table", 455 size, ver, name); 456 457 sadb_destroy(sp); 458 size = IPSEC_DEFAULT_HASH_SIZE; 459 cmn_err(CE_WARN, "Falling back to %d entries", size); 460 (void) sadb_init_trial(sp, size, KM_SLEEP); 461 } 462 } 463 464 465 /* 466 * Initialize an SADB-pair. 467 */ 468 void 469 sadbp_init(const char *name, sadbp_t *sp, int type, int size) 470 { 471 sadb_init(name, &sp->s_v4, size, 4); 472 sadb_init(name, &sp->s_v6, size, 6); 473 474 sp->s_satype = type; 475 476 ASSERT((type == SADB_SATYPE_AH) || (type == SADB_SATYPE_ESP)); 477 if (type == SADB_SATYPE_AH) 478 ip_drop_register(&sadb_dropper, "IPsec SADB"); 479 } 480 481 /* 482 * Deliver a single SADB_DUMP message representing a single SA. This is 483 * called many times by sadb_dump(). 484 * 485 * If the return value of this is ENOBUFS (not the same as ENOMEM), then 486 * the caller should take that as a hint that dupb() on the "original answer" 487 * failed, and that perhaps the caller should try again with a copyb()ed 488 * "original answer". 489 */ 490 static int 491 sadb_dump_deliver(queue_t *pfkey_q, mblk_t *original_answer, ipsa_t *ipsa, 492 sadb_msg_t *samsg) 493 { 494 mblk_t *answer; 495 496 answer = dupb(original_answer); 497 if (answer == NULL) 498 return (ENOBUFS); 499 answer->b_cont = sadb_sa2msg(ipsa, samsg); 500 if (answer->b_cont == NULL) { 501 freeb(answer); 502 return (ENOMEM); 503 } 504 505 /* Just do a putnext, and let keysock deal with flow control. */ 506 putnext(pfkey_q, answer); 507 return (0); 508 } 509 510 /* 511 * Common function to allocate and prepare a keysock_out_t M_CTL message. 512 */ 513 mblk_t * 514 sadb_keysock_out(minor_t serial) 515 { 516 mblk_t *mp; 517 keysock_out_t *kso; 518 519 mp = allocb(sizeof (ipsec_info_t), BPRI_HI); 520 if (mp != NULL) { 521 mp->b_datap->db_type = M_CTL; 522 mp->b_wptr += sizeof (ipsec_info_t); 523 kso = (keysock_out_t *)mp->b_rptr; 524 kso->ks_out_type = KEYSOCK_OUT; 525 kso->ks_out_len = sizeof (*kso); 526 kso->ks_out_serial = serial; 527 } 528 529 return (mp); 530 } 531 532 /* 533 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts 534 * to keysock. 535 */ 536 static int 537 sadb_dump_fanout(queue_t *pfkey_q, mblk_t *mp, minor_t serial, isaf_t *fanout, 538 int num_entries, boolean_t do_peers) 539 { 540 int i, error = 0; 541 mblk_t *original_answer; 542 ipsa_t *walker; 543 sadb_msg_t *samsg; 544 545 /* 546 * For each IPSA hash bucket do: 547 * - Hold the mutex 548 * - Walk each entry, doing an sadb_dump_deliver() on it. 549 */ 550 ASSERT(mp->b_cont != NULL); 551 samsg = (sadb_msg_t *)mp->b_cont->b_rptr; 552 553 original_answer = sadb_keysock_out(serial); 554 if (original_answer == NULL) 555 return (ENOMEM); 556 557 for (i = 0; i < num_entries; i++) { 558 mutex_enter(&fanout[i].isaf_lock); 559 for (walker = fanout[i].isaf_ipsa; walker != NULL; 560 walker = walker->ipsa_next) { 561 if (!do_peers && walker->ipsa_haspeer) 562 continue; 563 error = sadb_dump_deliver(pfkey_q, original_answer, 564 walker, samsg); 565 if (error == ENOBUFS) { 566 mblk_t *new_original_answer; 567 568 /* Ran out of dupb's. Try a copyb. */ 569 new_original_answer = copyb(original_answer); 570 if (new_original_answer == NULL) { 571 error = ENOMEM; 572 } else { 573 freeb(original_answer); 574 original_answer = new_original_answer; 575 error = sadb_dump_deliver(pfkey_q, 576 original_answer, walker, samsg); 577 } 578 } 579 if (error != 0) 580 break; /* out of for loop. */ 581 } 582 mutex_exit(&fanout[i].isaf_lock); 583 if (error != 0) 584 break; /* out of for loop. */ 585 } 586 587 freeb(original_answer); 588 return (error); 589 } 590 591 /* 592 * Dump an entire SADB; outbound first, then inbound. 593 */ 594 595 int 596 sadb_dump(queue_t *pfkey_q, mblk_t *mp, minor_t serial, sadb_t *sp) 597 { 598 int error; 599 600 /* Dump outbound */ 601 error = sadb_dump_fanout(pfkey_q, mp, serial, sp->sdb_of, 602 sp->sdb_hashsize, B_TRUE); 603 if (error) 604 return (error); 605 606 /* Dump inbound */ 607 return sadb_dump_fanout(pfkey_q, mp, serial, sp->sdb_if, 608 sp->sdb_hashsize, B_FALSE); 609 } 610 611 /* 612 * Generic sadb table walker. 613 * 614 * Call "walkfn" for each SA in each bucket in "table"; pass the 615 * bucket, the entry and "cookie" to the callback function. 616 * Take care to ensure that walkfn can delete the SA without screwing 617 * up our traverse. 618 * 619 * The bucket is locked for the duration of the callback, both so that the 620 * callback can just call sadb_unlinkassoc() when it wants to delete something, 621 * and so that no new entries are added while we're walking the list. 622 */ 623 static void 624 sadb_walker(isaf_t *table, uint_t numentries, 625 void (*walkfn)(isaf_t *head, ipsa_t *entry, void *cookie), 626 void *cookie) 627 { 628 int i; 629 for (i = 0; i < numentries; i++) { 630 ipsa_t *entry, *next; 631 632 mutex_enter(&table[i].isaf_lock); 633 634 for (entry = table[i].isaf_ipsa; entry != NULL; 635 entry = next) { 636 next = entry->ipsa_next; 637 (*walkfn)(&table[i], entry, cookie); 638 } 639 mutex_exit(&table[i].isaf_lock); 640 } 641 } 642 643 /* 644 * From the given SA, construct a dl_ct_ipsec_key and 645 * a dl_ct_ipsec structures to be sent to the adapter as part 646 * of a DL_CONTROL_REQ. 647 * 648 * ct_sa must point to the storage allocated for the key 649 * structure and must be followed by storage allocated 650 * for the SA information that must be sent to the driver 651 * as part of the DL_CONTROL_REQ request. 652 * 653 * The is_inbound boolean indicates whether the specified 654 * SA is part of an inbound SA table. 655 * 656 * Returns B_TRUE if the corresponding SA must be passed to 657 * a provider, B_FALSE otherwise; frees *mp if it returns B_FALSE. 658 */ 659 static boolean_t 660 sadb_req_from_sa(ipsa_t *sa, mblk_t *mp, boolean_t is_inbound) 661 { 662 dl_ct_ipsec_key_t *keyp; 663 dl_ct_ipsec_t *sap; 664 void *ct_sa = mp->b_wptr; 665 666 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 667 668 keyp = (dl_ct_ipsec_key_t *)(ct_sa); 669 sap = (dl_ct_ipsec_t *)(keyp + 1); 670 671 IPSECHW_DEBUG(IPSECHW_CAPAB, ("sadb_req_from_sa: " 672 "is_inbound = %d\n", is_inbound)); 673 674 /* initialize flag */ 675 sap->sadb_sa_flags = 0; 676 if (is_inbound) { 677 sap->sadb_sa_flags |= DL_CT_IPSEC_INBOUND; 678 /* 679 * If an inbound SA has a peer, then mark it has being 680 * an outbound SA as well. 681 */ 682 if (sa->ipsa_haspeer) 683 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 684 } else { 685 /* 686 * If an outbound SA has a peer, then don't send it, 687 * since we will send the copy from the inbound table. 688 */ 689 if (sa->ipsa_haspeer) { 690 freemsg(mp); 691 return (B_FALSE); 692 } 693 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 694 } 695 696 keyp->dl_key_spi = sa->ipsa_spi; 697 bcopy(sa->ipsa_dstaddr, keyp->dl_key_dest_addr, 698 DL_CTL_IPSEC_ADDR_LEN); 699 keyp->dl_key_addr_family = sa->ipsa_addrfam; 700 701 sap->sadb_sa_auth = sa->ipsa_auth_alg; 702 sap->sadb_sa_encrypt = sa->ipsa_encr_alg; 703 704 sap->sadb_key_len_a = sa->ipsa_authkeylen; 705 sap->sadb_key_bits_a = sa->ipsa_authkeybits; 706 bcopy(sa->ipsa_authkey, 707 sap->sadb_key_data_a, sap->sadb_key_len_a); 708 709 sap->sadb_key_len_e = sa->ipsa_encrkeylen; 710 sap->sadb_key_bits_e = sa->ipsa_encrkeybits; 711 bcopy(sa->ipsa_encrkey, 712 sap->sadb_key_data_e, sap->sadb_key_len_e); 713 714 mp->b_wptr += sizeof (dl_ct_ipsec_t) + sizeof (dl_ct_ipsec_key_t); 715 return (B_TRUE); 716 } 717 718 /* 719 * Called from AH or ESP to format a message which will be used to inform 720 * IPsec-acceleration-capable ills of a SADB change. 721 * (It is not possible to send the message to IP directly from this function 722 * since the SA, if any, is locked during the call). 723 * 724 * dl_operation: DL_CONTROL_REQ operation (add, delete, update, etc) 725 * sa_type: identifies whether the operation applies to AH or ESP 726 * (must be one of SADB_SATYPE_AH or SADB_SATYPE_ESP) 727 * sa: Pointer to an SA. Must be non-NULL and locked 728 * for ADD, DELETE, GET, and UPDATE operations. 729 * This function returns an mblk chain that must be passed to IP 730 * for forwarding to the IPsec capable providers. 731 */ 732 mblk_t * 733 sadb_fmt_sa_req(uint_t dl_operation, uint_t sa_type, ipsa_t *sa, 734 boolean_t is_inbound) 735 { 736 mblk_t *mp; 737 dl_control_req_t *ctrl; 738 boolean_t need_key = B_FALSE; 739 mblk_t *ctl_mp = NULL; 740 ipsec_ctl_t *ctl; 741 742 /* 743 * 1 allocate and initialize DL_CONTROL_REQ M_PROTO 744 * 2 if a key is needed for the operation 745 * 2.1 initialize key 746 * 2.2 if a full SA is needed for the operation 747 * 2.2.1 initialize full SA info 748 * 3 return message; caller will call ill_ipsec_capab_send_all() 749 * to send the resulting message to IPsec capable ills. 750 */ 751 752 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 753 754 /* 755 * Allocate DL_CONTROL_REQ M_PROTO 756 * We allocate room for the SA even if it's not needed 757 * by some of the operations (for example flush) 758 */ 759 mp = allocb(sizeof (dl_control_req_t) + 760 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 761 if (mp == NULL) 762 return (NULL); 763 mp->b_datap->db_type = M_PROTO; 764 765 /* initialize dl_control_req_t */ 766 ctrl = (dl_control_req_t *)mp->b_wptr; 767 ctrl->dl_primitive = DL_CONTROL_REQ; 768 ctrl->dl_operation = dl_operation; 769 ctrl->dl_type = sa_type == SADB_SATYPE_AH ? DL_CT_IPSEC_AH : 770 DL_CT_IPSEC_ESP; 771 ctrl->dl_key_offset = sizeof (dl_control_req_t); 772 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 773 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 774 sizeof (dl_ct_ipsec_key_t); 775 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 776 mp->b_wptr += sizeof (dl_control_req_t); 777 778 if ((dl_operation == DL_CO_SET) || (dl_operation == DL_CO_DELETE)) { 779 ASSERT(sa != NULL); 780 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 781 782 need_key = B_TRUE; 783 784 /* 785 * Initialize key and SA data. Note that for some 786 * operations the SA data is ignored by the provider 787 * (delete, etc.) 788 */ 789 if (!sadb_req_from_sa(sa, mp, is_inbound)) 790 return (NULL); 791 } 792 793 /* construct control message */ 794 ctl_mp = allocb(sizeof (ipsec_ctl_t), BPRI_HI); 795 if (ctl_mp == NULL) { 796 cmn_err(CE_WARN, "sadb_fmt_sa_req: allocb failed\n"); 797 freemsg(mp); 798 return (NULL); 799 } 800 801 ctl_mp->b_datap->db_type = M_CTL; 802 ctl_mp->b_wptr += sizeof (ipsec_ctl_t); 803 ctl_mp->b_cont = mp; 804 805 ctl = (ipsec_ctl_t *)ctl_mp->b_rptr; 806 ctl->ipsec_ctl_type = IPSEC_CTL; 807 ctl->ipsec_ctl_len = sizeof (ipsec_ctl_t); 808 ctl->ipsec_ctl_sa_type = sa_type; 809 810 if (need_key) { 811 /* 812 * Keep an additional reference on SA, since it will be 813 * needed by IP to send control messages corresponding 814 * to that SA from its perimeter. IP will do a 815 * IPSA_REFRELE when done with the request. 816 */ 817 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 818 IPSA_REFHOLD(sa); 819 ctl->ipsec_ctl_sa = sa; 820 } else 821 ctl->ipsec_ctl_sa = NULL; 822 823 return (ctl_mp); 824 } 825 826 827 /* 828 * Called by sadb_ill_download() to dump the entries for a specific 829 * fanout table. For each SA entry in the table passed as argument, 830 * use mp as a template and constructs a full DL_CONTROL message, and 831 * call ill_dlpi_send(), provided by IP, to send the resulting 832 * messages to the ill. 833 */ 834 static void 835 sadb_ill_df(ill_t *ill, mblk_t *mp, isaf_t *fanout, int num_entries, 836 boolean_t is_inbound) 837 { 838 ipsa_t *walker; 839 mblk_t *nmp, *salist; 840 int i, error = 0; 841 842 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_ill_df: fanout at 0x%p ne=%d\n", 843 (void *)fanout, num_entries)); 844 /* 845 * For each IPSA hash bucket do: 846 * - Hold the mutex 847 * - Walk each entry, sending a corresponding request to IP 848 * for it. 849 */ 850 ASSERT(mp->b_datap->db_type == M_PROTO); 851 852 for (i = 0; i < num_entries; i++) { 853 mutex_enter(&fanout[i].isaf_lock); 854 salist = NULL; 855 856 for (walker = fanout[i].isaf_ipsa; walker != NULL; 857 walker = walker->ipsa_next) { 858 IPSECHW_DEBUG(IPSECHW_SADB, 859 ("sadb_ill_df: sending SA to ill via IP \n")); 860 /* 861 * Duplicate the template mp passed and 862 * complete DL_CONTROL_REQ data. 863 * To be more memory efficient, we could use 864 * dupb() for the M_CTL and copyb() for the M_PROTO 865 * as the M_CTL, since the M_CTL is the same for 866 * every SA entry passed down to IP for the same ill. 867 * 868 * Note that copymsg/copyb ensure that the new mblk 869 * is at least as large as the source mblk even if it's 870 * not using all its storage -- therefore, nmp 871 * has trailing space for sadb_req_from_sa to add 872 * the SA-specific bits. 873 */ 874 mutex_enter(&walker->ipsa_lock); 875 if (ipsec_capab_match(ill, 876 ill->ill_phyint->phyint_ifindex, ill->ill_isv6, 877 walker)) { 878 nmp = copymsg(mp); 879 if (nmp == NULL) { 880 IPSECHW_DEBUG(IPSECHW_SADB, 881 ("sadb_ill_df: alloc error\n")); 882 error = ENOMEM; 883 mutex_exit(&walker->ipsa_lock); 884 break; 885 } 886 if (sadb_req_from_sa(walker, nmp, is_inbound)) { 887 nmp->b_next = salist; 888 salist = nmp; 889 } 890 } 891 mutex_exit(&walker->ipsa_lock); 892 } 893 mutex_exit(&fanout[i].isaf_lock); 894 while (salist != NULL) { 895 nmp = salist; 896 salist = nmp->b_next; 897 nmp->b_next = NULL; 898 ill_dlpi_send(ill, nmp); 899 } 900 if (error != 0) 901 break; /* out of for loop. */ 902 } 903 } 904 905 /* 906 * Called by ill_ipsec_capab_add(). Sends a copy of the SADB of 907 * the type specified by sa_type to the specified ill. 908 * 909 * We call for each fanout table defined by the SADB (one per 910 * protocol). sadb_ill_df() finally calls ill_dlpi_send() for 911 * each SADB entry in order to send a corresponding DL_CONTROL_REQ 912 * message to the ill. 913 */ 914 void 915 sadb_ill_download(ill_t *ill, uint_t sa_type) 916 { 917 mblk_t *protomp; /* prototype message */ 918 dl_control_req_t *ctrl; 919 sadbp_t *spp; 920 sadb_t *sp; 921 int dlt; 922 923 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 924 925 /* 926 * Allocate and initialize prototype answer. A duplicate for 927 * each SA is sent down to the interface. 928 */ 929 930 /* DL_CONTROL_REQ M_PROTO mblk_t */ 931 protomp = allocb(sizeof (dl_control_req_t) + 932 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 933 if (protomp == NULL) 934 return; 935 protomp->b_datap->db_type = M_PROTO; 936 937 dlt = (sa_type == SADB_SATYPE_AH) ? DL_CT_IPSEC_AH : DL_CT_IPSEC_ESP; 938 spp = (sa_type == SADB_SATYPE_ESP) ? &esp_sadb : &ah_sadb; 939 940 ctrl = (dl_control_req_t *)protomp->b_wptr; 941 ctrl->dl_primitive = DL_CONTROL_REQ; 942 ctrl->dl_operation = DL_CO_SET; 943 ctrl->dl_type = dlt; 944 ctrl->dl_key_offset = sizeof (dl_control_req_t); 945 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 946 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 947 sizeof (dl_ct_ipsec_key_t); 948 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 949 protomp->b_wptr += sizeof (dl_control_req_t); 950 951 /* 952 * then for each SADB entry, we fill out the dl_ct_ipsec_key_t 953 * and dl_ct_ipsec_t 954 */ 955 sp = ill->ill_isv6 ? &(spp->s_v6) : &(spp->s_v4); 956 sadb_ill_df(ill, protomp, sp->sdb_of, sp->sdb_hashsize, B_FALSE); 957 sadb_ill_df(ill, protomp, sp->sdb_if, sp->sdb_hashsize, B_TRUE); 958 freemsg(protomp); 959 } 960 961 /* 962 * Call me to free up a security association fanout. Use the forever 963 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g. 964 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE, 965 * when a module is unloaded). 966 */ 967 static void 968 sadb_destroyer(isaf_t **tablep, uint_t numentries, boolean_t forever) 969 { 970 int i; 971 isaf_t *table = *tablep; 972 973 if (table == NULL) 974 return; 975 976 for (i = 0; i < numentries; i++) { 977 mutex_enter(&table[i].isaf_lock); 978 while (table[i].isaf_ipsa != NULL) 979 sadb_unlinkassoc(table[i].isaf_ipsa); 980 table[i].isaf_gen++; 981 mutex_exit(&table[i].isaf_lock); 982 if (forever) 983 mutex_destroy(&(table[i].isaf_lock)); 984 } 985 986 if (forever) { 987 *tablep = NULL; 988 kmem_free(table, numentries * sizeof (*table)); 989 } 990 } 991 992 /* 993 * Entry points to sadb_destroyer(). 994 */ 995 static void 996 sadb_flush(sadb_t *sp) 997 { 998 /* 999 * Flush out each bucket, one at a time. Were it not for keysock's 1000 * enforcement, there would be a subtlety where I could add on the 1001 * heels of a flush. With keysock's enforcement, however, this 1002 * makes ESP's job easy. 1003 */ 1004 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_FALSE); 1005 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_FALSE); 1006 1007 /* For each acquire, destroy it; leave the bucket mutex alone. */ 1008 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_FALSE); 1009 } 1010 1011 static void 1012 sadb_destroy(sadb_t *sp) 1013 { 1014 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_TRUE); 1015 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_TRUE); 1016 1017 /* For each acquire, destroy it, including the bucket mutex. */ 1018 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_TRUE); 1019 1020 ASSERT(sp->sdb_of == NULL); 1021 ASSERT(sp->sdb_if == NULL); 1022 ASSERT(sp->sdb_acq == NULL); 1023 } 1024 1025 static void 1026 sadb_send_flush_req(sadbp_t *spp) 1027 { 1028 mblk_t *ctl_mp; 1029 1030 /* 1031 * we've been unplumbed, or never were plumbed; don't go there. 1032 */ 1033 if (spp->s_ip_q == NULL) 1034 return; 1035 1036 /* have IP send a flush msg to the IPsec accelerators */ 1037 ctl_mp = sadb_fmt_sa_req(DL_CO_FLUSH, spp->s_satype, NULL, B_TRUE); 1038 if (ctl_mp != NULL) 1039 putnext(spp->s_ip_q, ctl_mp); 1040 } 1041 1042 void 1043 sadbp_flush(sadbp_t *spp) 1044 { 1045 sadb_flush(&spp->s_v4); 1046 sadb_flush(&spp->s_v6); 1047 1048 sadb_send_flush_req(spp); 1049 } 1050 1051 void 1052 sadbp_destroy(sadbp_t *spp) 1053 { 1054 sadb_destroy(&spp->s_v4); 1055 sadb_destroy(&spp->s_v6); 1056 1057 sadb_send_flush_req(spp); 1058 if (spp->s_satype == SADB_SATYPE_AH) 1059 ip_drop_unregister(&sadb_dropper); 1060 } 1061 1062 1063 /* 1064 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g. 1065 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for 1066 * EINVAL. 1067 */ 1068 int 1069 sadb_hardsoftchk(sadb_lifetime_t *hard, sadb_lifetime_t *soft) 1070 { 1071 if (hard == NULL || soft == NULL) 1072 return (0); 1073 1074 if (hard->sadb_lifetime_allocations != 0 && 1075 soft->sadb_lifetime_allocations != 0 && 1076 hard->sadb_lifetime_allocations < soft->sadb_lifetime_allocations) 1077 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR); 1078 1079 if (hard->sadb_lifetime_bytes != 0 && 1080 soft->sadb_lifetime_bytes != 0 && 1081 hard->sadb_lifetime_bytes < soft->sadb_lifetime_bytes) 1082 return (SADB_X_DIAGNOSTIC_BYTES_HSERR); 1083 1084 if (hard->sadb_lifetime_addtime != 0 && 1085 soft->sadb_lifetime_addtime != 0 && 1086 hard->sadb_lifetime_addtime < soft->sadb_lifetime_addtime) 1087 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1088 1089 if (hard->sadb_lifetime_usetime != 0 && 1090 soft->sadb_lifetime_usetime != 0 && 1091 hard->sadb_lifetime_usetime < soft->sadb_lifetime_usetime) 1092 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1093 1094 return (0); 1095 } 1096 1097 /* 1098 * Clone a security association for the purposes of inserting a single SA 1099 * into inbound and outbound tables respectively. 1100 */ 1101 static ipsa_t * 1102 sadb_cloneassoc(ipsa_t *ipsa) 1103 { 1104 ipsa_t *newbie; 1105 boolean_t error = B_FALSE; 1106 1107 ASSERT(!MUTEX_HELD(&(ipsa->ipsa_lock))); 1108 1109 newbie = kmem_alloc(sizeof (ipsa_t), KM_NOSLEEP); 1110 if (newbie == NULL) 1111 return (NULL); 1112 1113 /* Copy over what we can. */ 1114 *newbie = *ipsa; 1115 1116 /* bzero and initialize locks, in case *_init() allocates... */ 1117 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 1118 1119 /* 1120 * While somewhat dain-bramaged, the most graceful way to 1121 * recover from errors is to keep plowing through the 1122 * allocations, and getting what I can. It's easier to call 1123 * sadb_freeassoc() on the stillborn clone when all the 1124 * pointers aren't pointing to the parent's data. 1125 */ 1126 1127 if (ipsa->ipsa_authkey != NULL) { 1128 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 1129 KM_NOSLEEP); 1130 if (newbie->ipsa_authkey == NULL) { 1131 error = B_TRUE; 1132 } else { 1133 bcopy(ipsa->ipsa_authkey, newbie->ipsa_authkey, 1134 newbie->ipsa_authkeylen); 1135 1136 newbie->ipsa_kcfauthkey.ck_data = 1137 newbie->ipsa_authkey; 1138 } 1139 1140 if (newbie->ipsa_amech.cm_param != NULL) { 1141 newbie->ipsa_amech.cm_param = 1142 (char *)&newbie->ipsa_mac_len; 1143 } 1144 } 1145 1146 if (ipsa->ipsa_encrkey != NULL) { 1147 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 1148 KM_NOSLEEP); 1149 if (newbie->ipsa_encrkey == NULL) { 1150 error = B_TRUE; 1151 } else { 1152 bcopy(ipsa->ipsa_encrkey, newbie->ipsa_encrkey, 1153 newbie->ipsa_encrkeylen); 1154 1155 newbie->ipsa_kcfencrkey.ck_data = 1156 newbie->ipsa_encrkey; 1157 } 1158 } 1159 1160 newbie->ipsa_authtmpl = NULL; 1161 newbie->ipsa_encrtmpl = NULL; 1162 1163 if (ipsa->ipsa_integ != NULL) { 1164 newbie->ipsa_integ = kmem_alloc(newbie->ipsa_integlen, 1165 KM_NOSLEEP); 1166 if (newbie->ipsa_integ == NULL) { 1167 error = B_TRUE; 1168 } else { 1169 bcopy(ipsa->ipsa_integ, newbie->ipsa_integ, 1170 newbie->ipsa_integlen); 1171 } 1172 } 1173 1174 if (ipsa->ipsa_sens != NULL) { 1175 newbie->ipsa_sens = kmem_alloc(newbie->ipsa_senslen, 1176 KM_NOSLEEP); 1177 if (newbie->ipsa_sens == NULL) { 1178 error = B_TRUE; 1179 } else { 1180 bcopy(ipsa->ipsa_sens, newbie->ipsa_sens, 1181 newbie->ipsa_senslen); 1182 } 1183 } 1184 1185 if (ipsa->ipsa_src_cid != NULL) { 1186 newbie->ipsa_src_cid = ipsa->ipsa_src_cid; 1187 IPSID_REFHOLD(ipsa->ipsa_src_cid); 1188 } 1189 1190 if (ipsa->ipsa_dst_cid != NULL) { 1191 newbie->ipsa_dst_cid = ipsa->ipsa_dst_cid; 1192 IPSID_REFHOLD(ipsa->ipsa_dst_cid); 1193 } 1194 1195 #if 0 /* XXX PROXY - Proxy identities not supported yet. */ 1196 if (ipsa->ipsa_proxy_cid != NULL) { 1197 newbie->ipsa_proxy_cid = ipsa->ipsa_proxy_cid; 1198 IPSID_REFHOLD(ipsa->ipsa_proxy_cid); 1199 } 1200 #endif /* XXX PROXY */ 1201 1202 if (error) { 1203 sadb_freeassoc(newbie); 1204 return (NULL); 1205 } 1206 1207 return (newbie); 1208 } 1209 1210 /* 1211 * Initialize a SADB address extension at the address specified by addrext. 1212 * Return a pointer to the end of the new address extension. 1213 */ 1214 static uint8_t * 1215 sadb_make_addr_ext(uint8_t *start, uint8_t *end, uint16_t exttype, 1216 sa_family_t af, uint32_t *addr, uint16_t port, uint8_t proto) 1217 { 1218 struct sockaddr_in *sin; 1219 struct sockaddr_in6 *sin6; 1220 uint8_t *cur = start; 1221 int addrext_len; 1222 int sin_len; 1223 sadb_address_t *addrext = (sadb_address_t *)cur; 1224 1225 if (cur == NULL) 1226 return (NULL); 1227 1228 cur += sizeof (*addrext); 1229 if (cur > end) 1230 return (NULL); 1231 1232 addrext->sadb_address_proto = proto; 1233 addrext->sadb_address_prefixlen = 0; 1234 addrext->sadb_address_reserved = 0; 1235 addrext->sadb_address_exttype = exttype; 1236 1237 switch (af) { 1238 case AF_INET: 1239 sin = (struct sockaddr_in *)cur; 1240 sin_len = sizeof (*sin); 1241 cur += sin_len; 1242 if (cur > end) 1243 return (NULL); 1244 1245 sin->sin_family = af; 1246 bzero(sin->sin_zero, sizeof (sin->sin_zero)); 1247 sin->sin_port = port; 1248 IPSA_COPY_ADDR(&sin->sin_addr, addr, af); 1249 break; 1250 case AF_INET6: 1251 sin6 = (struct sockaddr_in6 *)cur; 1252 sin_len = sizeof (*sin6); 1253 cur += sin_len; 1254 if (cur > end) 1255 return (NULL); 1256 1257 bzero(sin6, sizeof (*sin6)); 1258 sin6->sin6_family = af; 1259 sin6->sin6_port = port; 1260 IPSA_COPY_ADDR(&sin6->sin6_addr, addr, af); 1261 break; 1262 } 1263 1264 addrext_len = roundup(cur - start, sizeof (uint64_t)); 1265 addrext->sadb_address_len = SADB_8TO64(addrext_len); 1266 1267 cur = start + addrext_len; 1268 if (cur > end) 1269 cur = NULL; 1270 1271 return (cur); 1272 } 1273 1274 /* 1275 * Construct a key management cookie extension. 1276 */ 1277 1278 static uint8_t * 1279 sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint32_t kmc) 1280 { 1281 sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur; 1282 1283 if (cur == NULL) 1284 return (NULL); 1285 1286 cur += sizeof (*kmcext); 1287 1288 if (cur > end) 1289 return (NULL); 1290 1291 kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext)); 1292 kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE; 1293 kmcext->sadb_x_kmc_proto = kmp; 1294 kmcext->sadb_x_kmc_cookie = kmc; 1295 kmcext->sadb_x_kmc_reserved = 0; 1296 1297 return (cur); 1298 } 1299 1300 /* 1301 * Given an original message header with sufficient space following it, and an 1302 * SA, construct a full PF_KEY message with all of the relevant extensions. 1303 * This is mostly used for SADB_GET, and SADB_DUMP. 1304 */ 1305 mblk_t * 1306 sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg) 1307 { 1308 int alloclen, addrsize, paddrsize, authsize, encrsize; 1309 int srcidsize, dstidsize; 1310 sa_family_t fam, pfam; /* Address family for SADB_EXT_ADDRESS */ 1311 /* src/dst and proxy sockaddrs. */ 1312 /* 1313 * The following are pointers into the PF_KEY message this PF_KEY 1314 * message creates. 1315 */ 1316 sadb_msg_t *newsamsg; 1317 sadb_sa_t *assoc; 1318 sadb_lifetime_t *lt; 1319 sadb_key_t *key; 1320 sadb_ident_t *ident; 1321 sadb_sens_t *sens; 1322 sadb_ext_t *walker; /* For when we need a generic ext. pointer. */ 1323 mblk_t *mp; 1324 uint64_t *bitmap; 1325 uint8_t *cur, *end; 1326 /* These indicate the presence of the above extension fields. */ 1327 boolean_t soft, hard, proxy, auth, encr, sensinteg, srcid, dstid; 1328 #if 0 /* XXX PROXY see below... */ 1329 boolean_t proxyid, iv; 1330 int proxyidsize, ivsize; 1331 #endif /* XXX PROXY */ 1332 1333 /* First off, figure out the allocation length for this message. */ 1334 1335 /* 1336 * Constant stuff. This includes base, SA, address (src, dst), 1337 * and lifetime (current). 1338 */ 1339 alloclen = sizeof (sadb_msg_t) + sizeof (sadb_sa_t) + 1340 sizeof (sadb_lifetime_t); 1341 1342 fam = ipsa->ipsa_addrfam; 1343 switch (fam) { 1344 case AF_INET: 1345 addrsize = roundup(sizeof (struct sockaddr_in) + 1346 sizeof (sadb_address_t), sizeof (uint64_t)); 1347 break; 1348 case AF_INET6: 1349 addrsize = roundup(sizeof (struct sockaddr_in6) + 1350 sizeof (sadb_address_t), sizeof (uint64_t)); 1351 break; 1352 default: 1353 return (NULL); 1354 } 1355 /* 1356 * Allocate TWO address extensions, for source and destination. 1357 * (Thus, the * 2.) 1358 */ 1359 alloclen += addrsize * 2; 1360 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) 1361 alloclen += addrsize; 1362 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) 1363 alloclen += addrsize; 1364 1365 1366 /* How 'bout other lifetimes? */ 1367 if (ipsa->ipsa_softaddlt != 0 || ipsa->ipsa_softuselt != 0 || 1368 ipsa->ipsa_softbyteslt != 0 || ipsa->ipsa_softalloc != 0) { 1369 alloclen += sizeof (sadb_lifetime_t); 1370 soft = B_TRUE; 1371 } else { 1372 soft = B_FALSE; 1373 } 1374 1375 if (ipsa->ipsa_hardaddlt != 0 || ipsa->ipsa_harduselt != 0 || 1376 ipsa->ipsa_hardbyteslt != 0 || ipsa->ipsa_hardalloc != 0) { 1377 alloclen += sizeof (sadb_lifetime_t); 1378 hard = B_TRUE; 1379 } else { 1380 hard = B_FALSE; 1381 } 1382 1383 /* Proxy address? */ 1384 if (!IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_proxysrc, ipsa->ipsa_proxyfam)) { 1385 pfam = ipsa->ipsa_proxyfam; 1386 switch (pfam) { 1387 case AF_INET6: 1388 paddrsize = roundup(sizeof (struct sockaddr_in6) + 1389 sizeof (sadb_address_t), sizeof (uint64_t)); 1390 break; 1391 case AF_INET: 1392 paddrsize = roundup(sizeof (struct sockaddr_in) + 1393 sizeof (sadb_address_t), sizeof (uint64_t)); 1394 break; 1395 default: 1396 cmn_err(CE_PANIC, 1397 "IPsec SADB: Proxy length failure.\n"); 1398 break; 1399 } 1400 proxy = B_TRUE; 1401 alloclen += paddrsize; 1402 } else { 1403 proxy = B_FALSE; 1404 } 1405 1406 /* For the following fields, assume that length != 0 ==> stuff */ 1407 if (ipsa->ipsa_authkeylen != 0) { 1408 authsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_authkeylen, 1409 sizeof (uint64_t)); 1410 alloclen += authsize; 1411 auth = B_TRUE; 1412 } else { 1413 auth = B_FALSE; 1414 } 1415 1416 if (ipsa->ipsa_encrkeylen != 0) { 1417 encrsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_encrkeylen, 1418 sizeof (uint64_t)); 1419 alloclen += encrsize; 1420 encr = B_TRUE; 1421 } else { 1422 encr = B_FALSE; 1423 } 1424 1425 /* No need for roundup on sens and integ. */ 1426 if (ipsa->ipsa_integlen != 0 || ipsa->ipsa_senslen != 0) { 1427 alloclen += sizeof (sadb_key_t) + ipsa->ipsa_integlen + 1428 ipsa->ipsa_senslen; 1429 sensinteg = B_TRUE; 1430 } else { 1431 sensinteg = B_FALSE; 1432 } 1433 1434 /* 1435 * Must use strlen() here for lengths. Identities use NULL 1436 * pointers to indicate their nonexistence. 1437 */ 1438 if (ipsa->ipsa_src_cid != NULL) { 1439 srcidsize = roundup(sizeof (sadb_ident_t) + 1440 strlen(ipsa->ipsa_src_cid->ipsid_cid) + 1, 1441 sizeof (uint64_t)); 1442 alloclen += srcidsize; 1443 srcid = B_TRUE; 1444 } else { 1445 srcid = B_FALSE; 1446 } 1447 1448 if (ipsa->ipsa_dst_cid != NULL) { 1449 dstidsize = roundup(sizeof (sadb_ident_t) + 1450 strlen(ipsa->ipsa_dst_cid->ipsid_cid) + 1, 1451 sizeof (uint64_t)); 1452 alloclen += dstidsize; 1453 dstid = B_TRUE; 1454 } else { 1455 dstid = B_FALSE; 1456 } 1457 1458 #if 0 /* XXX PROXY not yet. */ 1459 if (ipsa->ipsa_proxy_cid != NULL) { 1460 proxyidsize = roundup(sizeof (sadb_ident_t) + 1461 strlen(ipsa->ipsa_proxy_cid->ipsid_cid) + 1, 1462 sizeof (uint64_t)); 1463 alloclen += proxyidsize; 1464 proxyid = B_TRUE; 1465 } else { 1466 proxyid = B_FALSE; 1467 } 1468 #endif /* XXX PROXY */ 1469 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) 1470 alloclen += sizeof (sadb_x_kmc_t); 1471 1472 /* Make sure the allocation length is a multiple of 8 bytes. */ 1473 ASSERT((alloclen & 0x7) == 0); 1474 1475 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */ 1476 mp = allocb(alloclen, BPRI_HI); 1477 if (mp == NULL) 1478 return (NULL); 1479 1480 mp->b_wptr += alloclen; 1481 end = mp->b_wptr; 1482 newsamsg = (sadb_msg_t *)mp->b_rptr; 1483 *newsamsg = *samsg; 1484 newsamsg->sadb_msg_len = (uint16_t)SADB_8TO64(alloclen); 1485 1486 mutex_enter(&ipsa->ipsa_lock); /* Since I'm grabbing SA fields... */ 1487 1488 newsamsg->sadb_msg_satype = ipsa->ipsa_type; 1489 1490 assoc = (sadb_sa_t *)(newsamsg + 1); 1491 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc)); 1492 assoc->sadb_sa_exttype = SADB_EXT_SA; 1493 assoc->sadb_sa_spi = ipsa->ipsa_spi; 1494 assoc->sadb_sa_replay = ipsa->ipsa_replay_wsize; 1495 assoc->sadb_sa_state = ipsa->ipsa_state; 1496 assoc->sadb_sa_auth = ipsa->ipsa_auth_alg; 1497 assoc->sadb_sa_encrypt = ipsa->ipsa_encr_alg; 1498 assoc->sadb_sa_flags = ipsa->ipsa_flags; 1499 1500 lt = (sadb_lifetime_t *)(assoc + 1); 1501 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1502 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 1503 lt->sadb_lifetime_allocations = ipsa->ipsa_alloc; 1504 lt->sadb_lifetime_bytes = ipsa->ipsa_bytes; 1505 lt->sadb_lifetime_addtime = ipsa->ipsa_addtime; 1506 lt->sadb_lifetime_usetime = ipsa->ipsa_usetime; 1507 1508 if (hard) { 1509 lt++; 1510 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1511 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 1512 lt->sadb_lifetime_allocations = ipsa->ipsa_hardalloc; 1513 lt->sadb_lifetime_bytes = ipsa->ipsa_hardbyteslt; 1514 lt->sadb_lifetime_addtime = ipsa->ipsa_hardaddlt; 1515 lt->sadb_lifetime_usetime = ipsa->ipsa_harduselt; 1516 } 1517 1518 if (soft) { 1519 lt++; 1520 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1521 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 1522 lt->sadb_lifetime_allocations = ipsa->ipsa_softalloc; 1523 lt->sadb_lifetime_bytes = ipsa->ipsa_softbyteslt; 1524 lt->sadb_lifetime_addtime = ipsa->ipsa_softaddlt; 1525 lt->sadb_lifetime_usetime = ipsa->ipsa_softuselt; 1526 } 1527 1528 cur = (uint8_t *)(lt + 1); 1529 1530 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, fam, 1531 ipsa->ipsa_srcaddr, SA_SRCPORT(ipsa), SA_PROTO(ipsa)); 1532 if (cur == NULL) { 1533 freemsg(mp); 1534 mp = NULL; 1535 goto bail; 1536 } 1537 1538 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, fam, 1539 ipsa->ipsa_dstaddr, SA_DSTPORT(ipsa), SA_PROTO(ipsa)); 1540 if (cur == NULL) { 1541 freemsg(mp); 1542 mp = NULL; 1543 goto bail; 1544 } 1545 1546 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) { 1547 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_LOC, 1548 fam, ipsa->ipsa_natt_addr_loc, 0, 0); 1549 if (cur == NULL) { 1550 freemsg(mp); 1551 mp = NULL; 1552 goto bail; 1553 } 1554 } 1555 1556 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) { 1557 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_REM, 1558 fam, ipsa->ipsa_natt_addr_rem, ipsa->ipsa_remote_port, 1559 IPPROTO_UDP); 1560 if (cur == NULL) { 1561 freemsg(mp); 1562 mp = NULL; 1563 goto bail; 1564 } 1565 } 1566 1567 if (proxy) { 1568 /* 1569 * XXX PROXY When we expand the definition of proxy to include 1570 * both inner and outer IP addresses, this will have to 1571 * be expanded. 1572 */ 1573 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_PROXY, 1574 pfam, ipsa->ipsa_proxysrc, 0, 0); 1575 if (cur == NULL) { 1576 freemsg(mp); 1577 mp = NULL; 1578 goto bail; 1579 } 1580 } 1581 1582 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) { 1583 cur = sadb_make_kmc_ext(cur, end, 1584 ipsa->ipsa_kmp, ipsa->ipsa_kmc); 1585 if (cur == NULL) { 1586 freemsg(mp); 1587 mp = NULL; 1588 goto bail; 1589 } 1590 } 1591 1592 walker = (sadb_ext_t *)cur; 1593 if (auth) { 1594 key = (sadb_key_t *)walker; 1595 key->sadb_key_len = SADB_8TO64(authsize); 1596 key->sadb_key_exttype = SADB_EXT_KEY_AUTH; 1597 key->sadb_key_bits = ipsa->ipsa_authkeybits; 1598 key->sadb_key_reserved = 0; 1599 bcopy(ipsa->ipsa_authkey, key + 1, ipsa->ipsa_authkeylen); 1600 walker = (sadb_ext_t *)((uint64_t *)walker + 1601 walker->sadb_ext_len); 1602 } 1603 1604 if (encr) { 1605 key = (sadb_key_t *)walker; 1606 key->sadb_key_len = SADB_8TO64(encrsize); 1607 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 1608 key->sadb_key_bits = ipsa->ipsa_encrkeybits; 1609 key->sadb_key_reserved = 0; 1610 bcopy(ipsa->ipsa_encrkey, key + 1, ipsa->ipsa_encrkeylen); 1611 walker = (sadb_ext_t *)((uint64_t *)walker + 1612 walker->sadb_ext_len); 1613 } 1614 1615 if (srcid) { 1616 ident = (sadb_ident_t *)walker; 1617 ident->sadb_ident_len = SADB_8TO64(srcidsize); 1618 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 1619 ident->sadb_ident_type = ipsa->ipsa_src_cid->ipsid_type; 1620 ident->sadb_ident_id = 0; 1621 ident->sadb_ident_reserved = 0; 1622 (void) strcpy((char *)(ident + 1), 1623 ipsa->ipsa_src_cid->ipsid_cid); 1624 walker = (sadb_ext_t *)((uint64_t *)walker + 1625 walker->sadb_ext_len); 1626 } 1627 1628 if (dstid) { 1629 ident = (sadb_ident_t *)walker; 1630 ident->sadb_ident_len = SADB_8TO64(dstidsize); 1631 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 1632 ident->sadb_ident_type = ipsa->ipsa_dst_cid->ipsid_type; 1633 ident->sadb_ident_id = 0; 1634 ident->sadb_ident_reserved = 0; 1635 (void) strcpy((char *)(ident + 1), 1636 ipsa->ipsa_dst_cid->ipsid_cid); 1637 walker = (sadb_ext_t *)((uint64_t *)walker + 1638 walker->sadb_ext_len); 1639 } 1640 1641 #if 0 /* XXX PROXY not yet */ 1642 if (proxyid) { 1643 ident = (sadb_ident_t *)walker; 1644 ident->sadb_ident_len = SADB_8TO64(proxyidsize); 1645 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_PROXY; 1646 ident->sadb_ident_type = ipsa->ipsa_pcid_type; 1647 ident->sadb_ident_id = 0; 1648 ident->sadb_ident_reserved = 0; 1649 (void) strcpy((char *)(ident + 1), ipsa->ipsa_proxy_cid); 1650 walker = (sadb_ext_t *)((uint64_t *)walker + 1651 walker->sadb_ext_len); 1652 } 1653 #endif /* XXX PROXY */ 1654 1655 if (sensinteg) { 1656 sens = (sadb_sens_t *)walker; 1657 sens->sadb_sens_len = SADB_8TO64(sizeof (sadb_sens_t *) + 1658 ipsa->ipsa_senslen + ipsa->ipsa_integlen); 1659 sens->sadb_sens_dpd = ipsa->ipsa_dpd; 1660 sens->sadb_sens_sens_level = ipsa->ipsa_senslevel; 1661 sens->sadb_sens_integ_level = ipsa->ipsa_integlevel; 1662 sens->sadb_sens_sens_len = SADB_8TO64(ipsa->ipsa_senslen); 1663 sens->sadb_sens_integ_len = SADB_8TO64(ipsa->ipsa_integlen); 1664 sens->sadb_sens_reserved = 0; 1665 bitmap = (uint64_t *)(sens + 1); 1666 if (ipsa->ipsa_sens != NULL) { 1667 bcopy(ipsa->ipsa_sens, bitmap, ipsa->ipsa_senslen); 1668 bitmap += sens->sadb_sens_sens_len; 1669 } 1670 if (ipsa->ipsa_integ != NULL) 1671 bcopy(ipsa->ipsa_integ, bitmap, ipsa->ipsa_integlen); 1672 walker = (sadb_ext_t *)((uint64_t *)walker + 1673 walker->sadb_ext_len); 1674 } 1675 1676 bail: 1677 /* Pardon any delays... */ 1678 mutex_exit(&ipsa->ipsa_lock); 1679 1680 return (mp); 1681 } 1682 1683 /* 1684 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN) 1685 * and adjust base message accordingly. 1686 * 1687 * Assume message is pulled up in one piece of contiguous memory. 1688 * 1689 * Say if we start off with: 1690 * 1691 * +------+----+-------------+-----------+---------------+---------------+ 1692 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime | 1693 * +------+----+-------------+-----------+---------------+---------------+ 1694 * 1695 * we will end up with 1696 * 1697 * +------+----+-------------+-----------+---------------+ 1698 * | base | SA | source addr | dest addr | soft lifetime | 1699 * +------+----+-------------+-----------+---------------+ 1700 */ 1701 static void 1702 sadb_strip(sadb_msg_t *samsg) 1703 { 1704 sadb_ext_t *ext; 1705 uint8_t *target = NULL; 1706 uint8_t *msgend; 1707 int sofar = SADB_8TO64(sizeof (*samsg)); 1708 int copylen; 1709 1710 ext = (sadb_ext_t *)(samsg + 1); 1711 msgend = (uint8_t *)samsg; 1712 msgend += SADB_64TO8(samsg->sadb_msg_len); 1713 while ((uint8_t *)ext < msgend) { 1714 if (ext->sadb_ext_type == SADB_EXT_RESERVED || 1715 ext->sadb_ext_type == SADB_EXT_KEY_AUTH || 1716 ext->sadb_ext_type == SADB_EXT_KEY_ENCRYPT) { 1717 /* 1718 * Aha! I found a header to be erased. 1719 */ 1720 1721 if (target != NULL) { 1722 /* 1723 * If I had a previous header to be erased, 1724 * copy over it. I can get away with just 1725 * copying backwards because the target will 1726 * always be 8 bytes behind the source. 1727 */ 1728 copylen = ((uint8_t *)ext) - (target + 1729 SADB_64TO8( 1730 ((sadb_ext_t *)target)->sadb_ext_len)); 1731 ovbcopy(((uint8_t *)ext - copylen), target, 1732 copylen); 1733 target += copylen; 1734 ((sadb_ext_t *)target)->sadb_ext_len = 1735 SADB_8TO64(((uint8_t *)ext) - target + 1736 SADB_64TO8(ext->sadb_ext_len)); 1737 } else { 1738 target = (uint8_t *)ext; 1739 } 1740 } else { 1741 sofar += ext->sadb_ext_len; 1742 } 1743 1744 ext = (sadb_ext_t *)(((uint64_t *)ext) + ext->sadb_ext_len); 1745 } 1746 1747 ASSERT((uint8_t *)ext == msgend); 1748 1749 if (target != NULL) { 1750 copylen = ((uint8_t *)ext) - (target + 1751 SADB_64TO8(((sadb_ext_t *)target)->sadb_ext_len)); 1752 if (copylen != 0) 1753 ovbcopy(((uint8_t *)ext - copylen), target, copylen); 1754 } 1755 1756 /* Adjust samsg. */ 1757 samsg->sadb_msg_len = (uint16_t)sofar; 1758 1759 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */ 1760 } 1761 1762 /* 1763 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL 1764 * followed by an M_DATA with a PF_KEY message in it. The serial of 1765 * the sending keysock instance is included. 1766 */ 1767 void 1768 sadb_pfkey_error(queue_t *pfkey_q, mblk_t *mp, int error, int diagnostic, 1769 uint_t serial) 1770 { 1771 mblk_t *msg = mp->b_cont; 1772 sadb_msg_t *samsg; 1773 keysock_out_t *kso; 1774 1775 /* 1776 * Enough functions call this to merit a NULL queue check. 1777 */ 1778 if (pfkey_q == NULL) { 1779 freemsg(mp); 1780 return; 1781 } 1782 1783 ASSERT(msg != NULL); 1784 ASSERT((mp->b_wptr - mp->b_rptr) == sizeof (ipsec_info_t)); 1785 ASSERT((msg->b_wptr - msg->b_rptr) >= sizeof (sadb_msg_t)); 1786 samsg = (sadb_msg_t *)msg->b_rptr; 1787 kso = (keysock_out_t *)mp->b_rptr; 1788 1789 kso->ks_out_type = KEYSOCK_OUT; 1790 kso->ks_out_len = sizeof (*kso); 1791 kso->ks_out_serial = serial; 1792 1793 /* 1794 * Only send the base message up in the event of an error. 1795 * Don't worry about bzero()-ing, because it was probably bogus 1796 * anyway. 1797 */ 1798 msg->b_wptr = msg->b_rptr + sizeof (*samsg); 1799 samsg = (sadb_msg_t *)msg->b_rptr; 1800 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 1801 samsg->sadb_msg_errno = (uint8_t)error; 1802 if (diagnostic != SADB_X_DIAGNOSTIC_PRESET) 1803 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 1804 1805 putnext(pfkey_q, mp); 1806 } 1807 1808 /* 1809 * Send a successful return packet back to keysock via the queue in pfkey_q. 1810 * 1811 * Often, an SA is associated with the reply message, it's passed in if needed, 1812 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held, 1813 * and the caller will release said refcnt. 1814 */ 1815 void 1816 sadb_pfkey_echo(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 1817 keysock_in_t *ksi, ipsa_t *ipsa) 1818 { 1819 keysock_out_t *kso; 1820 mblk_t *mp1; 1821 sadb_msg_t *newsamsg; 1822 uint8_t *oldend; 1823 1824 ASSERT((mp->b_cont != NULL) && 1825 ((void *)samsg == (void *)mp->b_cont->b_rptr) && 1826 ((void *)mp->b_rptr == (void *)ksi)); 1827 1828 switch (samsg->sadb_msg_type) { 1829 case SADB_ADD: 1830 case SADB_UPDATE: 1831 case SADB_FLUSH: 1832 case SADB_DUMP: 1833 /* 1834 * I have all of the message already. I just need to strip 1835 * out the keying material and echo the message back. 1836 * 1837 * NOTE: for SADB_DUMP, the function sadb_dump() did the 1838 * work. When DUMP reaches here, it should only be a base 1839 * message. 1840 */ 1841 justecho: 1842 ASSERT(samsg->sadb_msg_type != SADB_DUMP || 1843 samsg->sadb_msg_len == SADB_8TO64(sizeof (sadb_msg_t))); 1844 1845 if (ksi->ks_in_extv[SADB_EXT_KEY_AUTH] != NULL || 1846 ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT] != NULL) { 1847 sadb_strip(samsg); 1848 /* Assume PF_KEY message is contiguous. */ 1849 ASSERT(mp->b_cont->b_cont == NULL); 1850 oldend = mp->b_cont->b_wptr; 1851 mp->b_cont->b_wptr = mp->b_cont->b_rptr + 1852 SADB_64TO8(samsg->sadb_msg_len); 1853 bzero(mp->b_cont->b_wptr, oldend - mp->b_cont->b_wptr); 1854 } 1855 break; 1856 case SADB_GET: 1857 /* 1858 * Do a lot of work here, because of the ipsa I just found. 1859 * First abandon the PF_KEY message, then construct 1860 * the new one. 1861 */ 1862 mp1 = sadb_sa2msg(ipsa, samsg); 1863 if (mp1 == NULL) { 1864 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 1865 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 1866 return; 1867 } 1868 freemsg(mp->b_cont); 1869 mp->b_cont = mp1; 1870 break; 1871 case SADB_DELETE: 1872 if (ipsa == NULL) 1873 goto justecho; 1874 /* 1875 * Because listening KMds may require more info, treat 1876 * DELETE like a special case of GET. 1877 */ 1878 mp1 = sadb_sa2msg(ipsa, samsg); 1879 if (mp1 == NULL) { 1880 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 1881 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 1882 return; 1883 } 1884 newsamsg = (sadb_msg_t *)mp1->b_rptr; 1885 sadb_strip(newsamsg); 1886 oldend = mp1->b_wptr; 1887 mp1->b_wptr = mp1->b_rptr + SADB_64TO8(newsamsg->sadb_msg_len); 1888 bzero(mp1->b_wptr, oldend - mp1->b_wptr); 1889 freemsg(mp->b_cont); 1890 mp->b_cont = mp1; 1891 break; 1892 default: 1893 if (mp != NULL) 1894 freemsg(mp); 1895 return; 1896 } 1897 1898 /* ksi is now null and void. */ 1899 kso = (keysock_out_t *)ksi; 1900 kso->ks_out_type = KEYSOCK_OUT; 1901 kso->ks_out_len = sizeof (*kso); 1902 kso->ks_out_serial = ksi->ks_in_serial; 1903 /* We're ready to send... */ 1904 putnext(pfkey_q, mp); 1905 } 1906 1907 /* 1908 * Set up a global pfkey_q instance for AH, ESP, or some other consumer. 1909 */ 1910 void 1911 sadb_keysock_hello(queue_t **pfkey_qp, queue_t *q, mblk_t *mp, 1912 void (*ager)(void *), timeout_id_t *top, int satype) 1913 { 1914 keysock_hello_ack_t *kha; 1915 queue_t *oldq; 1916 1917 ASSERT(OTHERQ(q) != NULL); 1918 1919 /* 1920 * First, check atomically that I'm the first and only keysock 1921 * instance. 1922 * 1923 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp), 1924 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY 1925 * messages. 1926 */ 1927 1928 oldq = casptr((void **)pfkey_qp, NULL, OTHERQ(q)); 1929 if (oldq != NULL) { 1930 ASSERT(oldq != q); 1931 cmn_err(CE_WARN, "Danger! Multiple keysocks on top of %s.\n", 1932 (satype == SADB_SATYPE_ESP)? "ESP" : "AH or other"); 1933 freemsg(mp); 1934 return; 1935 } 1936 1937 kha = (keysock_hello_ack_t *)mp->b_rptr; 1938 kha->ks_hello_len = sizeof (keysock_hello_ack_t); 1939 kha->ks_hello_type = KEYSOCK_HELLO_ACK; 1940 kha->ks_hello_satype = (uint8_t)satype; 1941 1942 /* 1943 * If we made it past the casptr, then we have "exclusive" access 1944 * to the timeout handle. Fire it off in 4 seconds, because it 1945 * just seems like a good interval. 1946 */ 1947 *top = qtimeout(*pfkey_qp, ager, NULL, drv_usectohz(4000000)); 1948 1949 putnext(*pfkey_qp, mp); 1950 } 1951 1952 /* 1953 * Send IRE_DB_REQ down to IP to get properties of address. 1954 * If I can determine the address, return the proper type. If an error 1955 * occurs, or if I have to send down an IRE_DB_REQ, return UNKNOWN, and 1956 * the caller will just let go of mp w/o freeing it. 1957 * 1958 * To handle the compatible IPv6 addresses (i.e. ::FFFF:<v4-address>), 1959 * this function will also convert such AF_INET6 addresses into AF_INET 1960 * addresses. 1961 * 1962 * Whomever called the function will handle the return message that IP sends 1963 * in response to the message this function generates. 1964 */ 1965 int 1966 sadb_addrcheck(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_ext_t *ext, 1967 uint_t serial) 1968 { 1969 sadb_address_t *addr = (sadb_address_t *)ext; 1970 struct sockaddr_in *sin; 1971 struct sockaddr_in6 *sin6; 1972 mblk_t *ire_db_req_mp; 1973 ire_t *ire; 1974 int diagnostic; 1975 1976 ASSERT(ext != NULL); 1977 ASSERT((ext->sadb_ext_type == SADB_EXT_ADDRESS_SRC) || 1978 (ext->sadb_ext_type == SADB_EXT_ADDRESS_DST) || 1979 (ext->sadb_ext_type == SADB_EXT_ADDRESS_PROXY)); 1980 1981 ire_db_req_mp = allocb(sizeof (ire_t), BPRI_HI); 1982 if (ire_db_req_mp == NULL) { 1983 /* cmn_err(CE_WARN, "sadb_addrcheck: allocb() failed.\n"); */ 1984 sadb_pfkey_error(pfkey_q, mp, ENOMEM, SADB_X_DIAGNOSTIC_NONE, 1985 serial); 1986 return (KS_IN_ADDR_UNKNOWN); 1987 } 1988 1989 ire_db_req_mp->b_datap->db_type = IRE_DB_REQ_TYPE; 1990 ire_db_req_mp->b_wptr += sizeof (ire_t); 1991 ire = (ire_t *)ire_db_req_mp->b_rptr; 1992 1993 /* Assign both sockaddrs, the compiler will do the right thing. */ 1994 sin = (struct sockaddr_in *)(addr + 1); 1995 sin6 = (struct sockaddr_in6 *)(addr + 1); 1996 1997 switch (sin->sin_family) { 1998 case AF_INET6: 1999 /* Because of the longer IPv6 addrs, do check first. */ 2000 if (!IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { 2001 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) { 2002 freemsg(ire_db_req_mp); 2003 return (KS_IN_ADDR_MBCAST); 2004 } 2005 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) { 2006 freemsg(ire_db_req_mp); 2007 return (KS_IN_ADDR_UNSPEC); 2008 } 2009 ire->ire_ipversion = IPV6_VERSION; 2010 ire->ire_addr_v6 = sin6->sin6_addr; 2011 break; /* Out of switch. */ 2012 } 2013 /* 2014 * Convert to an AF_INET sockaddr. This means 2015 * the return messages will have the extra space, but 2016 * have AF_INET sockaddrs instead of AF_INET6. 2017 * 2018 * Yes, RFC 2367 isn't clear on what to do here w.r.t. 2019 * mapped addresses, but since AF_INET6 ::ffff:<v4> is 2020 * equal to AF_INET <v4>, it shouldnt be a huge 2021 * problem. 2022 */ 2023 ASSERT(&sin->sin_port == &sin6->sin6_port); 2024 sin->sin_family = AF_INET; 2025 IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, &sin->sin_addr); 2026 bzero(&sin->sin_zero, sizeof (sin->sin_zero)); 2027 /* FALLTHRU */ 2028 case AF_INET: 2029 ire->ire_ipversion = IPV4_VERSION; 2030 ire->ire_addr = sin->sin_addr.s_addr; 2031 if (ire->ire_addr == INADDR_ANY) { 2032 freemsg(ire_db_req_mp); 2033 return (KS_IN_ADDR_UNSPEC); 2034 } 2035 if (CLASSD(ire->ire_addr)) { 2036 freemsg(ire_db_req_mp); 2037 return (KS_IN_ADDR_MBCAST); 2038 } 2039 break; 2040 default: 2041 freemsg(ire_db_req_mp); 2042 2043 switch (ext->sadb_ext_type) { 2044 case SADB_EXT_ADDRESS_SRC: 2045 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC_AF; 2046 break; 2047 case SADB_EXT_ADDRESS_DST: 2048 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 2049 break; 2050 case SADB_EXT_ADDRESS_PROXY: 2051 diagnostic = SADB_X_DIAGNOSTIC_BAD_PROXY_AF; 2052 break; 2053 /* There is no default, see above ASSERT. */ 2054 } 2055 2056 sadb_pfkey_error(pfkey_q, mp, EINVAL, diagnostic, serial); 2057 return (KS_IN_ADDR_UNKNOWN); 2058 } 2059 ire_db_req_mp->b_cont = mp; 2060 2061 ASSERT(ip_q != NULL); 2062 putnext(ip_q, ire_db_req_mp); 2063 return (KS_IN_ADDR_UNKNOWN); 2064 } 2065 2066 /* 2067 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert 2068 * the source to AF_INET. 2069 */ 2070 void 2071 sadb_srcaddrfix(keysock_in_t *ksi) 2072 { 2073 struct sockaddr_in *src; 2074 struct sockaddr_in6 *dst; 2075 sadb_address_t *srcext, *dstext; 2076 uint16_t sport; 2077 2078 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC || 2079 ksi->ks_in_dsttype == KS_IN_ADDR_NOTTHERE) 2080 return; 2081 2082 dstext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2083 dst = (struct sockaddr_in6 *)(dstext + 1); 2084 srcext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2085 src = (struct sockaddr_in *)(srcext + 1); 2086 2087 /* 2088 * If unspecified IPv4 source, but an IPv6 dest, don't bother 2089 * fixing, as it should be an error. 2090 */ 2091 if (dst->sin6_family == src->sin_family || 2092 src->sin_family == AF_INET) 2093 return; 2094 2095 /* 2096 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being 2097 * in the same place for sockaddr_in and sockaddr_in6. 2098 */ 2099 sport = src->sin_port; 2100 bzero(src, sizeof (*src)); 2101 src->sin_family = AF_INET; 2102 src->sin_port = sport; 2103 } 2104 2105 /* 2106 * Set the results in "addrtype", given an IRE as requested by 2107 * sadb_addrcheck(). 2108 */ 2109 int 2110 sadb_addrset(ire_t *ire) 2111 { 2112 if ((ire->ire_type & IRE_BROADCAST) || 2113 (ire->ire_ipversion == IPV4_VERSION && CLASSD(ire->ire_addr)) || 2114 (ire->ire_ipversion == IPV6_VERSION && 2115 IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6)))) 2116 return (KS_IN_ADDR_MBCAST); 2117 if (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) 2118 return (KS_IN_ADDR_ME); 2119 return (KS_IN_ADDR_NOTME); 2120 } 2121 2122 2123 /* 2124 * Walker callback function to delete sa's based on src/dst address. 2125 * Assumes that we're called with *head locked, no other locks held; 2126 * Conveniently, and not coincidentally, this is both what sadb_walker 2127 * gives us and also what sadb_unlinkassoc expects. 2128 */ 2129 2130 struct sadb_purge_state 2131 { 2132 uint32_t *src; 2133 uint32_t *dst; 2134 sa_family_t af; 2135 boolean_t inbnd; 2136 char *sidstr; 2137 char *didstr; 2138 uint16_t sidtype; 2139 uint16_t didtype; 2140 uint32_t kmproto; 2141 mblk_t *mq; 2142 }; 2143 2144 static void 2145 sadb_purge_cb(isaf_t *head, ipsa_t *entry, void *cookie) 2146 { 2147 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2148 2149 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2150 2151 mutex_enter(&entry->ipsa_lock); 2152 2153 if ((entry->ipsa_state == IPSA_STATE_LARVAL) || 2154 (ps->src != NULL && 2155 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, ps->src, ps->af)) || 2156 (ps->dst != NULL && 2157 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_dstaddr, ps->dst, ps->af)) || 2158 (ps->didstr != NULL && 2159 (entry->ipsa_dst_cid != NULL) && 2160 !(ps->didtype == entry->ipsa_dst_cid->ipsid_type && 2161 strcmp(ps->didstr, entry->ipsa_dst_cid->ipsid_cid) == 0)) || 2162 (ps->sidstr != NULL && 2163 (entry->ipsa_src_cid != NULL) && 2164 !(ps->sidtype == entry->ipsa_src_cid->ipsid_type && 2165 strcmp(ps->sidstr, entry->ipsa_src_cid->ipsid_cid) == 0)) || 2166 (ps->kmproto <= SADB_X_KMP_MAX && ps->kmproto != entry->ipsa_kmp)) { 2167 mutex_exit(&entry->ipsa_lock); 2168 return; 2169 } 2170 2171 entry->ipsa_state = IPSA_STATE_DEAD; 2172 (void) sadb_torch_assoc(head, entry, ps->inbnd, &ps->mq); 2173 } 2174 2175 /* 2176 * Common code to purge an SA with a matching src or dst address. 2177 * Don't kill larval SA's in such a purge. 2178 */ 2179 int 2180 sadb_purge_sa(mblk_t *mp, keysock_in_t *ksi, sadb_t *sp, 2181 int *diagnostic, queue_t *pfkey_q, queue_t *ip_q) 2182 { 2183 sadb_address_t *dstext = 2184 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2185 sadb_address_t *srcext = 2186 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2187 sadb_ident_t *dstid = 2188 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 2189 sadb_ident_t *srcid = 2190 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 2191 sadb_x_kmc_t *kmc = 2192 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 2193 struct sockaddr_in *src, *dst; 2194 struct sockaddr_in6 *src6, *dst6; 2195 struct sadb_purge_state ps; 2196 2197 /* 2198 * Don't worry about IPv6 v4-mapped addresses, sadb_addrcheck() 2199 * takes care of them. 2200 */ 2201 2202 /* enforced by caller */ 2203 ASSERT((dstext != NULL) || (srcext != NULL)); 2204 2205 ps.src = NULL; 2206 ps.dst = NULL; 2207 #ifdef DEBUG 2208 ps.af = (sa_family_t)-1; 2209 #endif 2210 ps.mq = NULL; 2211 ps.sidstr = NULL; 2212 ps.didstr = NULL; 2213 ps.kmproto = SADB_X_KMP_MAX + 1; 2214 2215 if (dstext != NULL) { 2216 dst = (struct sockaddr_in *)(dstext + 1); 2217 ps.af = dst->sin_family; 2218 if (dst->sin_family == AF_INET6) { 2219 dst6 = (struct sockaddr_in6 *)dst; 2220 ps.dst = (uint32_t *)&dst6->sin6_addr; 2221 } else { 2222 ps.dst = (uint32_t *)&dst->sin_addr; 2223 } 2224 } 2225 2226 if (srcext != NULL) { 2227 src = (struct sockaddr_in *)(srcext + 1); 2228 ps.af = src->sin_family; 2229 if (src->sin_family == AF_INET6) { 2230 src6 = (struct sockaddr_in6 *)(srcext + 1); 2231 ps.src = (uint32_t *)&src6->sin6_addr; 2232 } else { 2233 ps.src = (uint32_t *)&src->sin_addr; 2234 } 2235 2236 if (dstext != NULL) { 2237 if (src->sin_family != dst->sin_family) { 2238 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2239 return (EINVAL); 2240 } 2241 } 2242 } 2243 ASSERT(ps.af != (sa_family_t)-1); 2244 2245 if (dstid != NULL) { 2246 /* 2247 * NOTE: May need to copy string in the future 2248 * if the inbound keysock message disappears for some strange 2249 * reason. 2250 */ 2251 ps.didstr = (char *)(dstid + 1); 2252 ps.didtype = dstid->sadb_ident_type; 2253 } 2254 2255 if (srcid != NULL) { 2256 /* 2257 * NOTE: May need to copy string in the future 2258 * if the inbound keysock message disappears for some strange 2259 * reason. 2260 */ 2261 ps.sidstr = (char *)(srcid + 1); 2262 ps.sidtype = srcid->sadb_ident_type; 2263 } 2264 2265 if (kmc != NULL) 2266 ps.kmproto = kmc->sadb_x_kmc_proto; 2267 2268 /* 2269 * This is simple, crude, and effective. 2270 * Unimplemented optimizations (TBD): 2271 * - we can limit how many places we search based on where we 2272 * think the SA is filed. 2273 * - if we get a dst address, we can hash based on dst addr to find 2274 * the correct bucket in the outbound table. 2275 */ 2276 ps.inbnd = B_TRUE; 2277 sadb_walker(sp->sdb_if, sp->sdb_hashsize, sadb_purge_cb, &ps); 2278 ps.inbnd = B_FALSE; 2279 sadb_walker(sp->sdb_of, sp->sdb_hashsize, sadb_purge_cb, &ps); 2280 2281 if (ps.mq != NULL) 2282 sadb_drain_torchq(ip_q, ps.mq); 2283 2284 ASSERT(mp->b_cont != NULL); 2285 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi, 2286 NULL); 2287 return (0); 2288 } 2289 2290 /* 2291 * Common code to delete/get an SA. 2292 */ 2293 int 2294 sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp, 2295 int *diagnostic, queue_t *pfkey_q, boolean_t delete) 2296 { 2297 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2298 sadb_address_t *srcext = 2299 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2300 sadb_address_t *dstext = 2301 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2302 struct sockaddr_in *src, *dst; 2303 struct sockaddr_in6 *src6, *dst6; 2304 sadb_t *sp; 2305 ipsa_t *outbound_target, *inbound_target; 2306 isaf_t *inbound, *outbound; 2307 uint32_t *srcaddr, *dstaddr; 2308 mblk_t *torchq = NULL; 2309 sa_family_t af; 2310 2311 if (dstext == NULL) { 2312 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 2313 return (EINVAL); 2314 } 2315 if (assoc == NULL) { 2316 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 2317 return (EINVAL); 2318 } 2319 2320 /* 2321 * Don't worry about IPv6 v4-mapped addresses, sadb_addrcheck() 2322 * takes care of them. 2323 */ 2324 2325 dst = (struct sockaddr_in *)(dstext + 1); 2326 af = dst->sin_family; 2327 if (af == AF_INET6) { 2328 sp = &spp->s_v6; 2329 dst6 = (struct sockaddr_in6 *)dst; 2330 dstaddr = (uint32_t *)&dst6->sin6_addr; 2331 if (srcext != NULL) { 2332 src6 = (struct sockaddr_in6 *)(srcext + 1); 2333 srcaddr = (uint32_t *)&src6->sin6_addr; 2334 if (src6->sin6_family != AF_INET6) { 2335 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2336 return (EINVAL); 2337 } 2338 } else { 2339 srcaddr = ALL_ZEROES_PTR; 2340 } 2341 2342 outbound = OUTBOUND_BUCKET_V6(sp, *(uint32_t *)dstaddr); 2343 } else { 2344 sp = &spp->s_v4; 2345 dstaddr = (uint32_t *)&dst->sin_addr; 2346 if (srcext != NULL) { 2347 src = (struct sockaddr_in *)(srcext + 1); 2348 srcaddr = (uint32_t *)&src->sin_addr; 2349 if (src->sin_family != AF_INET) { 2350 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2351 return (EINVAL); 2352 } 2353 } else { 2354 srcaddr = ALL_ZEROES_PTR; 2355 } 2356 outbound = OUTBOUND_BUCKET_V4(sp, *(uint32_t *)dstaddr); 2357 } 2358 2359 inbound = INBOUND_BUCKET(sp, assoc->sadb_sa_spi); 2360 2361 /* Lock down both buckets. */ 2362 mutex_enter(&outbound->isaf_lock); 2363 mutex_enter(&inbound->isaf_lock); 2364 2365 /* Try outbound first. */ 2366 outbound_target = ipsec_getassocbyspi(outbound, assoc->sadb_sa_spi, 2367 srcaddr, dstaddr, af); 2368 2369 if (outbound_target == NULL || outbound_target->ipsa_haspeer) { 2370 inbound_target = ipsec_getassocbyspi(inbound, 2371 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2372 } else { 2373 inbound_target = NULL; 2374 } 2375 2376 if (outbound_target == NULL && inbound_target == NULL) { 2377 mutex_exit(&inbound->isaf_lock); 2378 mutex_exit(&outbound->isaf_lock); 2379 return (ESRCH); 2380 } 2381 2382 if (delete) { 2383 /* At this point, I have one or two SAs to be deleted. */ 2384 if (outbound_target != NULL) { 2385 mutex_enter(&outbound_target->ipsa_lock); 2386 outbound_target->ipsa_state = IPSA_STATE_DEAD; 2387 (void) sadb_torch_assoc(outbound, outbound_target, 2388 B_FALSE, &torchq); 2389 } 2390 2391 if (inbound_target != NULL) { 2392 mutex_enter(&inbound_target->ipsa_lock); 2393 inbound_target->ipsa_state = IPSA_STATE_DEAD; 2394 (void) sadb_torch_assoc(inbound, inbound_target, 2395 B_TRUE, &torchq); 2396 } 2397 } 2398 2399 mutex_exit(&inbound->isaf_lock); 2400 mutex_exit(&outbound->isaf_lock); 2401 2402 if (torchq != NULL) 2403 sadb_drain_torchq(spp->s_ip_q, torchq); 2404 2405 /* 2406 * Because of the multi-line macro nature of IPSA_REFRELE, keep 2407 * them in { }. 2408 */ 2409 ASSERT(mp->b_cont != NULL); 2410 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi, 2411 (outbound_target != NULL ? outbound_target : inbound_target)); 2412 2413 if (outbound_target != NULL) { 2414 IPSA_REFRELE(outbound_target); 2415 } 2416 if (inbound_target != NULL) { 2417 IPSA_REFRELE(inbound_target); 2418 } 2419 2420 return (0); 2421 } 2422 2423 /* 2424 * Common code to set ipsa_unique_id; used from both add and update paths. 2425 */ 2426 static void 2427 sadb_set_unique(ipsa_t *sa, uint8_t proto, 2428 struct sockaddr_in *src, struct sockaddr_in *dst) 2429 { 2430 /* Assume that ports are in the same place for INET and INET6 */ 2431 uint16_t srcport = src->sin_port; 2432 uint16_t dstport = dst->sin_port; 2433 2434 sa->ipsa_unique_id = SA_UNIQUE_ID(srcport, dstport, proto); 2435 sa->ipsa_unique_mask = SA_UNIQUE_MASK(srcport, dstport, proto); 2436 if (sa->ipsa_unique_mask != 0) 2437 sa->ipsa_flags |= IPSA_F_UNIQUE; 2438 } 2439 2440 2441 /* 2442 * Initialize the mechanism parameters associated with an SA. 2443 * These parameters can be shared by multiple packets, which saves 2444 * us from the overhead of consulting the algorithm table for 2445 * each packet. 2446 */ 2447 static void 2448 sadb_init_alginfo(ipsa_t *sa) 2449 { 2450 ipsec_alginfo_t *alg; 2451 2452 mutex_enter(&alg_lock); 2453 2454 if (sa->ipsa_encrkey != NULL) { 2455 alg = ipsec_alglists[IPSEC_ALG_ENCR][sa->ipsa_encr_alg]; 2456 if (alg != NULL && ALG_VALID(alg)) { 2457 sa->ipsa_emech.cm_type = alg->alg_mech_type; 2458 sa->ipsa_emech.cm_param = NULL; 2459 sa->ipsa_emech.cm_param_len = 0; 2460 sa->ipsa_iv_len = alg->alg_datalen; 2461 } else 2462 sa->ipsa_emech.cm_type = CRYPTO_MECHANISM_INVALID; 2463 } 2464 2465 if (sa->ipsa_authkey != NULL) { 2466 alg = ipsec_alglists[IPSEC_ALG_AUTH][sa->ipsa_auth_alg]; 2467 if (alg != NULL && ALG_VALID(alg)) { 2468 sa->ipsa_amech.cm_type = alg->alg_mech_type; 2469 sa->ipsa_amech.cm_param = (char *)&sa->ipsa_mac_len; 2470 sa->ipsa_amech.cm_param_len = sizeof (size_t); 2471 sa->ipsa_mac_len = (size_t)alg->alg_datalen; 2472 } else 2473 sa->ipsa_amech.cm_type = CRYPTO_MECHANISM_INVALID; 2474 } 2475 2476 mutex_exit(&alg_lock); 2477 } 2478 2479 2480 /* 2481 * This function is called from consumers that need to insert a fully-grown 2482 * security association into its tables. This function takes into account that 2483 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary" 2484 * hash bucket parameters are set in order of what the SA will be most of the 2485 * time. (For example, an SA with an unspecified source, and a multicast 2486 * destination will primarily be an outbound SA. OTOH, if that destination 2487 * is unicast for this node, then the SA will primarily be inbound.) 2488 * 2489 * It takes a lot of parameters because even if clone is B_FALSE, this needs 2490 * to check both buckets for purposes of collision. 2491 * 2492 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for 2493 * various error conditions. No need to set samsg->sadb_x_msg_diagnostic with 2494 * additional diagnostic information because ENOMEM and EEXIST are self- 2495 * explanitory. 2496 */ 2497 int 2498 sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 2499 keysock_in_t *ksi, isaf_t *primary, isaf_t *secondary, 2500 ipsa_t *newbie, boolean_t clone, boolean_t is_inbound) 2501 { 2502 ipsa_t *newbie_clone = NULL, *scratch; 2503 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2504 sadb_address_t *srcext = 2505 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2506 sadb_address_t *dstext = 2507 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2508 sadb_address_t *proxyext = 2509 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_PROXY]; 2510 sadb_address_t *natt_loc_ext = 2511 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC]; 2512 sadb_address_t *natt_rem_ext = 2513 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM]; 2514 sadb_x_kmc_t *kmcext = 2515 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 2516 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 2517 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 2518 #if 0 2519 /* 2520 * XXXMLS - When Trusted Solaris or Multi-Level Secure functionality 2521 * comes to ON, examine these if 0'ed fragments. Look for XXXMLS. 2522 */ 2523 sadb_sens_t *sens = (sadb_sens_t *); 2524 #endif 2525 struct sockaddr_in *src, *dst, *proxy, *natt_loc, *natt_rem; 2526 struct sockaddr_in6 *src6, *dst6, *proxy6, *natt_loc6, *natt_rem6; 2527 sadb_lifetime_t *soft = 2528 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 2529 sadb_lifetime_t *hard = 2530 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 2531 sa_family_t af; 2532 int error = 0; 2533 boolean_t isupdate = (newbie != NULL); 2534 uint32_t *src_addr_ptr, *dst_addr_ptr, *proxy_addr_ptr; 2535 uint32_t *natt_loc_ptr = NULL, *natt_rem_ptr = NULL; 2536 uint32_t running_sum = 0; 2537 mblk_t *ctl_mp = NULL; 2538 2539 src = (struct sockaddr_in *)(srcext + 1); 2540 src6 = (struct sockaddr_in6 *)(srcext + 1); 2541 dst = (struct sockaddr_in *)(dstext + 1); 2542 dst6 = (struct sockaddr_in6 *)(dstext + 1); 2543 if (proxyext != NULL) { 2544 proxy = (struct sockaddr_in *)(proxyext + 1); 2545 proxy6 = (struct sockaddr_in6 *)(proxyext + 1); 2546 } else { 2547 proxy = NULL; 2548 proxy6 = NULL; 2549 } 2550 2551 af = src->sin_family; 2552 2553 if (af == AF_INET) { 2554 src_addr_ptr = (uint32_t *)&src->sin_addr; 2555 dst_addr_ptr = (uint32_t *)&dst->sin_addr; 2556 } else { 2557 ASSERT(af == AF_INET6); 2558 src_addr_ptr = (uint32_t *)&src6->sin6_addr; 2559 dst_addr_ptr = (uint32_t *)&dst6->sin6_addr; 2560 } 2561 2562 if (!isupdate) { 2563 newbie = sadb_makelarvalassoc(assoc->sadb_sa_spi, 2564 src_addr_ptr, dst_addr_ptr, af); 2565 if (newbie == NULL) 2566 return (ENOMEM); 2567 } 2568 2569 mutex_enter(&newbie->ipsa_lock); 2570 2571 if (proxy != NULL) { 2572 if (proxy->sin_family == AF_INET) { 2573 proxy_addr_ptr = (uint32_t *)&proxy->sin_addr; 2574 } else { 2575 ASSERT(proxy->sin_family == AF_INET6); 2576 proxy_addr_ptr = (uint32_t *)&proxy6->sin6_addr; 2577 } 2578 newbie->ipsa_proxyfam = proxy->sin_family; 2579 2580 IPSA_COPY_ADDR(newbie->ipsa_proxysrc, proxy_addr_ptr, 2581 newbie->ipsa_proxyfam); 2582 } 2583 2584 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16) 2585 2586 2587 if (natt_rem_ext != NULL) { 2588 uint32_t l_src; 2589 uint32_t l_rem; 2590 2591 natt_rem = (struct sockaddr_in *)(natt_rem_ext + 1); 2592 natt_rem6 = (struct sockaddr_in6 *)(natt_rem_ext + 1); 2593 2594 if (natt_rem->sin_family == AF_INET) { 2595 natt_rem_ptr = (uint32_t *)(&natt_rem->sin_addr); 2596 newbie->ipsa_remote_port = natt_rem->sin_port; 2597 l_src = *src_addr_ptr; 2598 l_rem = *natt_rem_ptr; 2599 } else { 2600 if (!IN6_IS_ADDR_V4MAPPED(&natt_rem6->sin6_addr)) { 2601 goto error; 2602 } 2603 ASSERT(natt_rem->sin_family == AF_INET6); 2604 2605 natt_rem_ptr = ((uint32_t *) 2606 (&natt_rem6->sin6_addr)) + 3; 2607 newbie->ipsa_remote_port = natt_rem6->sin6_port; 2608 l_src = *src_addr_ptr; 2609 l_rem = *natt_rem_ptr; 2610 } 2611 IPSA_COPY_ADDR(newbie->ipsa_natt_addr_rem, natt_rem_ptr, af); 2612 2613 l_src = ntohl(l_src); 2614 DOWN_SUM(l_src); 2615 DOWN_SUM(l_src); 2616 l_rem = ntohl(l_rem); 2617 DOWN_SUM(l_rem); 2618 DOWN_SUM(l_rem); 2619 2620 /* 2621 * We're 1's complement for checksums, so check for wraparound 2622 * here. 2623 */ 2624 if (l_rem > l_src) 2625 l_src--; 2626 2627 running_sum += l_src - l_rem; 2628 2629 DOWN_SUM(running_sum); 2630 DOWN_SUM(running_sum); 2631 } 2632 2633 if (natt_loc_ext != NULL) { 2634 uint32_t l_dst; 2635 uint32_t l_loc; 2636 2637 natt_loc = (struct sockaddr_in *)(natt_loc_ext + 1); 2638 natt_loc6 = (struct sockaddr_in6 *)(natt_loc_ext + 1); 2639 2640 if (natt_loc->sin_family == AF_INET) { 2641 natt_loc_ptr = (uint32_t *)&natt_loc->sin_addr; 2642 l_dst = *dst_addr_ptr; 2643 l_loc = *natt_loc_ptr; 2644 2645 } else { 2646 if (!IN6_IS_ADDR_V4MAPPED(&natt_loc6->sin6_addr)) { 2647 goto error; 2648 } 2649 ASSERT(natt_loc->sin_family == AF_INET6); 2650 natt_loc_ptr = ((uint32_t *)&natt_loc6->sin6_addr) + 3; 2651 l_dst = *dst_addr_ptr; 2652 l_loc = *natt_loc_ptr; 2653 2654 } 2655 IPSA_COPY_ADDR(newbie->ipsa_natt_addr_loc, natt_loc_ptr, af); 2656 2657 l_loc = ntohl(l_loc); 2658 DOWN_SUM(l_loc); 2659 DOWN_SUM(l_loc); 2660 l_dst = ntohl(l_dst); 2661 DOWN_SUM(l_dst); 2662 DOWN_SUM(l_dst); 2663 2664 /* 2665 * We're 1's complement for checksums, so check for wraparound 2666 * here. 2667 */ 2668 if (l_loc > l_dst) 2669 l_dst--; 2670 2671 running_sum += l_dst - l_loc; 2672 DOWN_SUM(running_sum); 2673 DOWN_SUM(running_sum); 2674 } 2675 2676 newbie->ipsa_inbound_cksum = running_sum; 2677 #undef DOWN_SUM 2678 2679 newbie->ipsa_type = samsg->sadb_msg_satype; 2680 ASSERT(assoc->sadb_sa_state == SADB_SASTATE_MATURE); 2681 newbie->ipsa_auth_alg = assoc->sadb_sa_auth; 2682 newbie->ipsa_encr_alg = assoc->sadb_sa_encrypt; 2683 newbie->ipsa_flags = assoc->sadb_sa_flags; 2684 /* 2685 * If unspecified source address, force replay_wsize to 0. 2686 * This is because an SA that has multiple sources of secure 2687 * traffic cannot enforce a replay counter w/o synchronizing the 2688 * senders. 2689 */ 2690 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) 2691 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay; 2692 else 2693 newbie->ipsa_replay_wsize = 0; 2694 2695 (void) drv_getparm(TIME, &newbie->ipsa_addtime); 2696 2697 /* Set unique value */ 2698 sadb_set_unique(newbie, dstext->sadb_address_proto, src, dst); 2699 2700 if (kmcext != NULL) { 2701 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto; 2702 newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie; 2703 } 2704 2705 /* 2706 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE. 2707 * The spec says that one can update current lifetimes, but 2708 * that seems impractical, especially in the larval-to-mature 2709 * update that this function performs. 2710 */ 2711 if (soft != NULL) { 2712 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime; 2713 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime; 2714 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes; 2715 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations; 2716 SET_EXPIRE(newbie, softaddlt, softexpiretime); 2717 } 2718 if (hard != NULL) { 2719 newbie->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 2720 newbie->ipsa_harduselt = hard->sadb_lifetime_usetime; 2721 newbie->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 2722 newbie->ipsa_hardalloc = hard->sadb_lifetime_allocations; 2723 SET_EXPIRE(newbie, hardaddlt, hardexpiretime); 2724 } 2725 2726 newbie->ipsa_authtmpl = NULL; 2727 newbie->ipsa_encrtmpl = NULL; 2728 2729 if (akey != NULL) { 2730 newbie->ipsa_authkeybits = akey->sadb_key_bits; 2731 newbie->ipsa_authkeylen = SADB_1TO8(akey->sadb_key_bits); 2732 /* In case we have to round up to the next byte... */ 2733 if ((akey->sadb_key_bits & 0x7) != 0) 2734 newbie->ipsa_authkeylen++; 2735 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 2736 KM_NOSLEEP); 2737 if (newbie->ipsa_authkey == NULL) { 2738 error = ENOMEM; 2739 mutex_exit(&newbie->ipsa_lock); 2740 goto error; 2741 } 2742 bcopy(akey + 1, newbie->ipsa_authkey, newbie->ipsa_authkeylen); 2743 bzero(akey + 1, newbie->ipsa_authkeylen); 2744 2745 /* 2746 * Pre-initialize the kernel crypto framework key 2747 * structure. 2748 */ 2749 newbie->ipsa_kcfauthkey.ck_format = CRYPTO_KEY_RAW; 2750 newbie->ipsa_kcfauthkey.ck_length = newbie->ipsa_authkeybits; 2751 newbie->ipsa_kcfauthkey.ck_data = newbie->ipsa_authkey; 2752 2753 mutex_enter(&alg_lock); 2754 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_AUTH); 2755 mutex_exit(&alg_lock); 2756 if (error != 0) { 2757 mutex_exit(&newbie->ipsa_lock); 2758 goto error; 2759 } 2760 } 2761 2762 if (ekey != NULL) { 2763 newbie->ipsa_encrkeybits = ekey->sadb_key_bits; 2764 newbie->ipsa_encrkeylen = SADB_1TO8(ekey->sadb_key_bits); 2765 /* In case we have to round up to the next byte... */ 2766 if ((ekey->sadb_key_bits & 0x7) != 0) 2767 newbie->ipsa_encrkeylen++; 2768 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 2769 KM_NOSLEEP); 2770 if (newbie->ipsa_encrkey == NULL) { 2771 error = ENOMEM; 2772 mutex_exit(&newbie->ipsa_lock); 2773 goto error; 2774 } 2775 bcopy(ekey + 1, newbie->ipsa_encrkey, newbie->ipsa_encrkeylen); 2776 /* XXX is this safe w.r.t db_ref, etc? */ 2777 bzero(ekey + 1, newbie->ipsa_encrkeylen); 2778 2779 /* 2780 * Pre-initialize the kernel crypto framework key 2781 * structure. 2782 */ 2783 newbie->ipsa_kcfencrkey.ck_format = CRYPTO_KEY_RAW; 2784 newbie->ipsa_kcfencrkey.ck_length = newbie->ipsa_encrkeybits; 2785 newbie->ipsa_kcfencrkey.ck_data = newbie->ipsa_encrkey; 2786 2787 mutex_enter(&alg_lock); 2788 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_ENCR); 2789 mutex_exit(&alg_lock); 2790 if (error != 0) { 2791 mutex_exit(&newbie->ipsa_lock); 2792 goto error; 2793 } 2794 } 2795 2796 sadb_init_alginfo(newbie); 2797 2798 /* 2799 * Ptrs to processing functions. 2800 */ 2801 if (newbie->ipsa_type == SADB_SATYPE_ESP) 2802 ipsecesp_init_funcs(newbie); 2803 else 2804 ipsecah_init_funcs(newbie); 2805 ASSERT(newbie->ipsa_output_func != NULL && 2806 newbie->ipsa_input_func != NULL); 2807 2808 /* 2809 * Certificate ID stuff. 2810 */ 2811 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC] != NULL) { 2812 sadb_ident_t *id = 2813 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 2814 2815 /* 2816 * Can assume strlen() will return okay because ext_check() in 2817 * keysock.c prepares the string for us. 2818 */ 2819 newbie->ipsa_src_cid = ipsid_lookup(id->sadb_ident_type, 2820 (char *)(id+1)); 2821 if (newbie->ipsa_src_cid == NULL) { 2822 error = ENOMEM; 2823 mutex_exit(&newbie->ipsa_lock); 2824 goto error; 2825 } 2826 } 2827 2828 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_DST] != NULL) { 2829 sadb_ident_t *id = 2830 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 2831 2832 /* 2833 * Can assume strlen() will return okay because ext_check() in 2834 * keysock.c prepares the string for us. 2835 */ 2836 newbie->ipsa_dst_cid = ipsid_lookup(id->sadb_ident_type, 2837 (char *)(id+1)); 2838 if (newbie->ipsa_dst_cid == NULL) { 2839 error = ENOMEM; 2840 mutex_exit(&newbie->ipsa_lock); 2841 goto error; 2842 } 2843 } 2844 2845 #if 0 2846 /* XXXMLS SENSITIVITY handling code. */ 2847 if (sens != NULL) { 2848 int i; 2849 uint64_t *bitmap = (uint64_t *)(sens + 1); 2850 2851 newbie->ipsa_dpd = sens->sadb_sens_dpd; 2852 newbie->ipsa_senslevel = sens->sadb_sens_sens_level; 2853 newbie->ipsa_integlevel = sens->sadb_sens_integ_level; 2854 newbie->ipsa_senslen = SADB_64TO8(sens->sadb_sens_sens_len); 2855 newbie->ipsa_integlen = SADB_64TO8(sens->sadb_sens_integ_len); 2856 newbie->ipsa_integ = kmem_alloc(newbie->ipsa_integlen, 2857 KM_NOSLEEP); 2858 if (newbie->ipsa_integ == NULL) { 2859 error = ENOMEM; 2860 mutex_exit(&newbie->ipsa_lock); 2861 goto error; 2862 } 2863 newbie->ipsa_sens = kmem_alloc(newbie->ipsa_senslen, 2864 KM_NOSLEEP); 2865 if (newbie->ipsa_sens == NULL) { 2866 error = ENOMEM; 2867 mutex_exit(&newbie->ipsa_lock); 2868 goto error; 2869 } 2870 for (i = 0; i < sens->sadb_sens_sens_len; i++) { 2871 newbie->ipsa_sens[i] = *bitmap; 2872 bitmap++; 2873 } 2874 for (i = 0; i < sens->sadb_sens_integ_len; i++) { 2875 newbie->ipsa_integ[i] = *bitmap; 2876 bitmap++; 2877 } 2878 } 2879 2880 #endif 2881 2882 /* now that the SA has been updated, set its new state */ 2883 newbie->ipsa_state = assoc->sadb_sa_state; 2884 2885 /* 2886 * The less locks I hold when doing an insertion and possible cloning, 2887 * the better! 2888 */ 2889 mutex_exit(&newbie->ipsa_lock); 2890 2891 if (clone) { 2892 newbie_clone = sadb_cloneassoc(newbie); 2893 2894 if (newbie_clone == NULL) { 2895 error = ENOMEM; 2896 goto error; 2897 } 2898 newbie->ipsa_haspeer = B_TRUE; 2899 newbie_clone->ipsa_haspeer = B_TRUE; 2900 } 2901 2902 /* 2903 * Enter the bucket locks. The order of entry is outbound, 2904 * inbound. We map "primary" and "secondary" into outbound and inbound 2905 * based on the destination address type. If the destination address 2906 * type is for a node that isn't mine (or potentially mine), the 2907 * "primary" bucket is the outbound one. 2908 */ 2909 if (ksi->ks_in_dsttype == KS_IN_ADDR_NOTME) { 2910 /* primary == outbound */ 2911 mutex_enter(&primary->isaf_lock); 2912 mutex_enter(&secondary->isaf_lock); 2913 } else { 2914 /* primary == inbound */ 2915 mutex_enter(&secondary->isaf_lock); 2916 mutex_enter(&primary->isaf_lock); 2917 } 2918 2919 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_common_add: spi = 0x%x\n", 2920 newbie->ipsa_spi)); 2921 2922 /* 2923 * sadb_insertassoc() doesn't increment the reference 2924 * count. We therefore have to increment the 2925 * reference count one more time to reflect the 2926 * pointers of the table that reference this SA. 2927 */ 2928 IPSA_REFHOLD(newbie); 2929 2930 if (isupdate) { 2931 /* 2932 * Unlink from larval holding cell in the "inbound" fanout. 2933 */ 2934 ASSERT(newbie->ipsa_linklock == &primary->isaf_lock || 2935 newbie->ipsa_linklock == &secondary->isaf_lock); 2936 sadb_unlinkassoc(newbie); 2937 } 2938 2939 mutex_enter(&newbie->ipsa_lock); 2940 error = sadb_insertassoc(newbie, primary); 2941 if (error == 0) { 2942 ctl_mp = sadb_fmt_sa_req(DL_CO_SET, newbie->ipsa_type, newbie, 2943 is_inbound); 2944 } 2945 mutex_exit(&newbie->ipsa_lock); 2946 2947 if (error != 0) { 2948 /* 2949 * Since sadb_insertassoc() failed, we must decrement the 2950 * refcount again so the cleanup code will actually free 2951 * the offending SA. 2952 */ 2953 IPSA_REFRELE(newbie); 2954 goto error_unlock; 2955 } 2956 2957 if (newbie_clone != NULL) { 2958 mutex_enter(&newbie_clone->ipsa_lock); 2959 error = sadb_insertassoc(newbie_clone, secondary); 2960 mutex_exit(&newbie_clone->ipsa_lock); 2961 if (error != 0) { 2962 /* Collision in secondary table. */ 2963 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 2964 goto error_unlock; 2965 } 2966 IPSA_REFHOLD(newbie_clone); 2967 } else { 2968 ASSERT(primary != secondary); 2969 scratch = ipsec_getassocbyspi(secondary, newbie->ipsa_spi, 2970 ALL_ZEROES_PTR, newbie->ipsa_dstaddr, af); 2971 if (scratch != NULL) { 2972 /* Collision in secondary table. */ 2973 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 2974 /* Set the error, since ipsec_getassocbyspi() can't. */ 2975 error = EEXIST; 2976 goto error_unlock; 2977 } 2978 } 2979 2980 /* OKAY! So let's do some reality check assertions. */ 2981 2982 ASSERT(!MUTEX_HELD(&newbie->ipsa_lock)); 2983 ASSERT(newbie_clone == NULL || (!MUTEX_HELD(&newbie_clone->ipsa_lock))); 2984 /* 2985 * If hardware acceleration could happen, send it. 2986 */ 2987 if (ctl_mp != NULL) { 2988 putnext(ip_q, ctl_mp); 2989 ctl_mp = NULL; 2990 } 2991 2992 error_unlock: 2993 2994 /* 2995 * We can exit the locks in any order. Only entrance needs to 2996 * follow any protocol. 2997 */ 2998 mutex_exit(&secondary->isaf_lock); 2999 mutex_exit(&primary->isaf_lock); 3000 3001 /* Common error point for this routine. */ 3002 error: 3003 if (newbie != NULL) { 3004 IPSA_REFRELE(newbie); 3005 } 3006 if (newbie_clone != NULL) { 3007 IPSA_REFRELE(newbie_clone); 3008 } 3009 if (ctl_mp != NULL) 3010 freemsg(ctl_mp); 3011 3012 if (error == 0) { 3013 /* 3014 * Construct favorable PF_KEY return message and send to 3015 * keysock. (Q: Do I need to pass "newbie"? If I do, 3016 * make sure to REFHOLD, call, then REFRELE.) 3017 */ 3018 sadb_pfkey_echo(pfkey_q, mp, samsg, ksi, NULL); 3019 } 3020 3021 return (error); 3022 } 3023 3024 /* 3025 * Set the time of first use for a security association. Update any 3026 * expiration times as a result. 3027 */ 3028 void 3029 sadb_set_usetime(ipsa_t *assoc) 3030 { 3031 mutex_enter(&assoc->ipsa_lock); 3032 /* 3033 * Caller does check usetime before calling me usually, and 3034 * double-checking is better than a mutex_enter/exit hit. 3035 */ 3036 if (assoc->ipsa_usetime == 0) { 3037 /* 3038 * This is redundant for outbound SA's, as 3039 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already. 3040 * Inbound SAs, however, have no such protection. 3041 */ 3042 assoc->ipsa_flags |= IPSA_F_USED; 3043 3044 (void) drv_getparm(TIME, &assoc->ipsa_usetime); 3045 3046 /* 3047 * After setting the use time, see if we have a use lifetime 3048 * that would cause the actual SA expiration time to shorten. 3049 */ 3050 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 3051 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 3052 } 3053 mutex_exit(&assoc->ipsa_lock); 3054 } 3055 3056 /* 3057 * Send up a PF_KEY expire message for this association. 3058 */ 3059 static void 3060 sadb_expire_assoc(queue_t *pfkey_q, ipsa_t *assoc) 3061 { 3062 mblk_t *mp, *mp1; 3063 int alloclen, af; 3064 sadb_msg_t *samsg; 3065 sadb_lifetime_t *current, *expire; 3066 sadb_sa_t *saext; 3067 uint8_t *end; 3068 3069 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 3070 3071 /* Don't bother sending if there's no queue. */ 3072 if (pfkey_q == NULL) 3073 return; 3074 3075 mp = sadb_keysock_out(0); 3076 if (mp == NULL) { 3077 /* cmn_err(CE_WARN, */ 3078 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */ 3079 return; 3080 } 3081 3082 alloclen = sizeof (*samsg) + sizeof (*current) + sizeof (*expire) + 3083 2*sizeof (sadb_address_t) + sizeof (*saext); 3084 3085 af = assoc->ipsa_addrfam; 3086 switch (af) { 3087 case AF_INET: 3088 alloclen += 2 * sizeof (struct sockaddr_in); 3089 break; 3090 case AF_INET6: 3091 alloclen += 2 * sizeof (struct sockaddr_in6); 3092 break; 3093 default: 3094 /* Won't happen unless there's a kernel bug. */ 3095 freeb(mp); 3096 cmn_err(CE_WARN, 3097 "sadb_expire_assoc: Unknown address length.\n"); 3098 return; 3099 } 3100 3101 mp->b_cont = allocb(alloclen, BPRI_HI); 3102 if (mp->b_cont == NULL) { 3103 freeb(mp); 3104 /* cmn_err(CE_WARN, */ 3105 /* "sadb_expire_assoc: Can't allocate message.\n"); */ 3106 return; 3107 } 3108 3109 mp1 = mp; 3110 mp = mp->b_cont; 3111 end = mp->b_wptr + alloclen; 3112 3113 samsg = (sadb_msg_t *)mp->b_wptr; 3114 mp->b_wptr += sizeof (*samsg); 3115 samsg->sadb_msg_version = PF_KEY_V2; 3116 samsg->sadb_msg_type = SADB_EXPIRE; 3117 samsg->sadb_msg_errno = 0; 3118 samsg->sadb_msg_satype = assoc->ipsa_type; 3119 samsg->sadb_msg_len = SADB_8TO64(alloclen); 3120 samsg->sadb_msg_reserved = 0; 3121 samsg->sadb_msg_seq = 0; 3122 samsg->sadb_msg_pid = 0; 3123 3124 saext = (sadb_sa_t *)mp->b_wptr; 3125 mp->b_wptr += sizeof (*saext); 3126 saext->sadb_sa_len = SADB_8TO64(sizeof (*saext)); 3127 saext->sadb_sa_exttype = SADB_EXT_SA; 3128 saext->sadb_sa_spi = assoc->ipsa_spi; 3129 saext->sadb_sa_replay = assoc->ipsa_replay_wsize; 3130 saext->sadb_sa_state = assoc->ipsa_state; 3131 saext->sadb_sa_auth = assoc->ipsa_auth_alg; 3132 saext->sadb_sa_encrypt = assoc->ipsa_encr_alg; 3133 saext->sadb_sa_flags = assoc->ipsa_flags; 3134 3135 current = (sadb_lifetime_t *)mp->b_wptr; 3136 mp->b_wptr += sizeof (sadb_lifetime_t); 3137 current->sadb_lifetime_len = SADB_8TO64(sizeof (*current)); 3138 current->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 3139 current->sadb_lifetime_allocations = assoc->ipsa_alloc; 3140 current->sadb_lifetime_bytes = assoc->ipsa_bytes; 3141 current->sadb_lifetime_addtime = assoc->ipsa_addtime; 3142 current->sadb_lifetime_usetime = assoc->ipsa_usetime; 3143 3144 expire = (sadb_lifetime_t *)mp->b_wptr; 3145 mp->b_wptr += sizeof (*expire); 3146 expire->sadb_lifetime_len = SADB_8TO64(sizeof (*expire)); 3147 3148 if (assoc->ipsa_state == IPSA_STATE_DEAD) { 3149 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 3150 expire->sadb_lifetime_allocations = assoc->ipsa_hardalloc; 3151 expire->sadb_lifetime_bytes = assoc->ipsa_hardbyteslt; 3152 expire->sadb_lifetime_addtime = assoc->ipsa_hardaddlt; 3153 expire->sadb_lifetime_usetime = assoc->ipsa_harduselt; 3154 } else { 3155 ASSERT(assoc->ipsa_state == IPSA_STATE_DYING); 3156 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 3157 expire->sadb_lifetime_allocations = assoc->ipsa_softalloc; 3158 expire->sadb_lifetime_bytes = assoc->ipsa_softbyteslt; 3159 expire->sadb_lifetime_addtime = assoc->ipsa_softaddlt; 3160 expire->sadb_lifetime_usetime = assoc->ipsa_softuselt; 3161 } 3162 3163 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_SRC, 3164 af, assoc->ipsa_srcaddr, SA_SRCPORT(assoc), SA_PROTO(assoc)); 3165 ASSERT(mp->b_wptr != NULL); 3166 3167 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_DST, 3168 af, assoc->ipsa_dstaddr, SA_DSTPORT(assoc), SA_PROTO(assoc)); 3169 ASSERT(mp->b_wptr != NULL); 3170 3171 /* Can just putnext, we're ready to go! */ 3172 putnext(pfkey_q, mp1); 3173 } 3174 3175 /* 3176 * "Age" the SA with the number of bytes that was used to protect traffic. 3177 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was 3178 * enough "charge" left in the SA to protect the data. Return B_FALSE 3179 * otherwise. (If B_FALSE is returned, the association either was, or became 3180 * DEAD.) 3181 */ 3182 boolean_t 3183 sadb_age_bytes(queue_t *pfkey_q, ipsa_t *assoc, uint64_t bytes, 3184 boolean_t sendmsg) 3185 { 3186 boolean_t rc = B_TRUE; 3187 uint64_t newtotal; 3188 3189 mutex_enter(&assoc->ipsa_lock); 3190 newtotal = assoc->ipsa_bytes + bytes; 3191 if (assoc->ipsa_hardbyteslt != 0 && 3192 newtotal >= assoc->ipsa_hardbyteslt) { 3193 if (assoc->ipsa_state < IPSA_STATE_DEAD) { 3194 /* 3195 * Send EXPIRE message to PF_KEY. May wish to pawn 3196 * this off on another non-interrupt thread. Also 3197 * unlink this SA immediately. 3198 */ 3199 assoc->ipsa_state = IPSA_STATE_DEAD; 3200 if (sendmsg) 3201 sadb_expire_assoc(pfkey_q, assoc); 3202 /* 3203 * Set non-zero expiration time so sadb_age_assoc() 3204 * will work when reaping. 3205 */ 3206 assoc->ipsa_hardexpiretime = (time_t)1; 3207 } /* Else someone beat me to it! */ 3208 rc = B_FALSE; 3209 } else if (assoc->ipsa_softbyteslt != 0 && 3210 (newtotal >= assoc->ipsa_softbyteslt)) { 3211 if (assoc->ipsa_state < IPSA_STATE_DYING) { 3212 /* 3213 * Send EXPIRE message to PF_KEY. May wish to pawn 3214 * this off on another non-interrupt thread. 3215 */ 3216 assoc->ipsa_state = IPSA_STATE_DYING; 3217 assoc->ipsa_bytes = newtotal; 3218 if (sendmsg) 3219 sadb_expire_assoc(pfkey_q, assoc); 3220 } /* Else someone beat me to it! */ 3221 } 3222 if (rc == B_TRUE) 3223 assoc->ipsa_bytes = newtotal; 3224 mutex_exit(&assoc->ipsa_lock); 3225 return (rc); 3226 } 3227 3228 /* 3229 * Push one or more DL_CO_DELETE messages queued up by 3230 * sadb_torch_assoc down to the underlying driver now that it's a 3231 * convenient time for it (i.e., ipsa bucket locks not held). 3232 */ 3233 static void 3234 sadb_drain_torchq(queue_t *q, mblk_t *mp) 3235 { 3236 while (mp != NULL) { 3237 mblk_t *next = mp->b_next; 3238 mp->b_next = NULL; 3239 if (q != NULL) 3240 putnext(q, mp); 3241 else 3242 freemsg(mp); 3243 mp = next; 3244 } 3245 } 3246 3247 /* 3248 * "Torch" an individual SA. Returns NULL, so it can be tail-called from 3249 * sadb_age_assoc(). 3250 * 3251 * If SA is hardware-accelerated, and we can't allocate the mblk 3252 * containing the DL_CO_DELETE, just return; it will remain in the 3253 * table and be swept up by sadb_ager() in a subsequent pass. 3254 */ 3255 static ipsa_t * 3256 sadb_torch_assoc(isaf_t *head, ipsa_t *sa, boolean_t inbnd, mblk_t **mq) 3257 { 3258 mblk_t *mp; 3259 3260 ASSERT(MUTEX_HELD(&head->isaf_lock)); 3261 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 3262 ASSERT(sa->ipsa_state == IPSA_STATE_DEAD); 3263 3264 /* 3265 * Force cached SAs to be revalidated.. 3266 */ 3267 head->isaf_gen++; 3268 3269 if (sa->ipsa_flags & IPSA_F_HW) { 3270 mp = sadb_fmt_sa_req(DL_CO_DELETE, sa->ipsa_type, sa, inbnd); 3271 if (mp == NULL) { 3272 mutex_exit(&sa->ipsa_lock); 3273 return (NULL); 3274 } 3275 mp->b_next = *mq; 3276 *mq = mp; 3277 } 3278 mutex_exit(&sa->ipsa_lock); 3279 sadb_unlinkassoc(sa); 3280 3281 return (NULL); 3282 } 3283 3284 /* 3285 * Return "assoc" iff haspeer is true and I send an expire. This allows 3286 * the consumers' aging functions to tidy up an expired SA's peer. 3287 */ 3288 static ipsa_t * 3289 sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc, 3290 time_t current, int reap_delay, boolean_t inbnd, mblk_t **mq) 3291 { 3292 ipsa_t *retval = NULL; 3293 3294 ASSERT(MUTEX_HELD(&head->isaf_lock)); 3295 3296 mutex_enter(&assoc->ipsa_lock); 3297 3298 if ((assoc->ipsa_state == IPSA_STATE_LARVAL) && 3299 (assoc->ipsa_hardexpiretime <= current)) { 3300 assoc->ipsa_state = IPSA_STATE_DEAD; 3301 return (sadb_torch_assoc(head, assoc, inbnd, mq)); 3302 } 3303 3304 /* 3305 * Check lifetimes. Fortunately, SA setup is done 3306 * such that there are only two times to look at, 3307 * softexpiretime, and hardexpiretime. 3308 * 3309 * Check hard first. 3310 */ 3311 3312 if (assoc->ipsa_hardexpiretime != 0 && 3313 assoc->ipsa_hardexpiretime <= current) { 3314 if (assoc->ipsa_state == IPSA_STATE_DEAD) 3315 return (sadb_torch_assoc(head, assoc, inbnd, mq)); 3316 3317 /* 3318 * Send SADB_EXPIRE with hard lifetime, delay for unlinking. 3319 */ 3320 assoc->ipsa_state = IPSA_STATE_DEAD; 3321 if (assoc->ipsa_haspeer) { 3322 /* 3323 * If I return assoc, I have to bump up its 3324 * reference count to keep with the ipsa_t reference 3325 * count semantics. 3326 */ 3327 IPSA_REFHOLD(assoc); 3328 retval = assoc; 3329 } 3330 sadb_expire_assoc(pfkey_q, assoc); 3331 assoc->ipsa_hardexpiretime = current + reap_delay; 3332 } else if (assoc->ipsa_softexpiretime != 0 && 3333 assoc->ipsa_softexpiretime <= current && 3334 assoc->ipsa_state < IPSA_STATE_DYING) { 3335 /* 3336 * Send EXPIRE message to PF_KEY. May wish to pawn 3337 * this off on another non-interrupt thread. 3338 */ 3339 assoc->ipsa_state = IPSA_STATE_DYING; 3340 if (assoc->ipsa_haspeer) { 3341 /* 3342 * If I return assoc, I have to bump up its 3343 * reference count to keep with the ipsa_t reference 3344 * count semantics. 3345 */ 3346 IPSA_REFHOLD(assoc); 3347 retval = assoc; 3348 } 3349 sadb_expire_assoc(pfkey_q, assoc); 3350 } 3351 3352 mutex_exit(&assoc->ipsa_lock); 3353 return (retval); 3354 } 3355 3356 /* 3357 * Called by a consumer protocol to do ther dirty work of reaping dead 3358 * Security Associations. 3359 */ 3360 void 3361 sadb_ager(sadb_t *sp, queue_t *pfkey_q, queue_t *ip_q, int reap_delay) 3362 { 3363 int i; 3364 isaf_t *bucket; 3365 ipsa_t *assoc, *spare; 3366 iacqf_t *acqlist; 3367 ipsacq_t *acqrec, *spareacq; 3368 struct templist { 3369 ipsa_t *ipsa; 3370 struct templist *next; 3371 } *haspeerlist = NULL, *newbie; 3372 time_t current; 3373 int outhash; 3374 mblk_t *mq = NULL; 3375 3376 /* 3377 * Do my dirty work. This includes aging real entries, aging 3378 * larvals, and aging outstanding ACQUIREs. 3379 * 3380 * I hope I don't tie up resources for too long. 3381 */ 3382 3383 /* Snapshot current time now. */ 3384 (void) drv_getparm(TIME, ¤t); 3385 3386 /* Age acquires. */ 3387 3388 for (i = 0; i < sp->sdb_hashsize; i++) { 3389 acqlist = &sp->sdb_acq[i]; 3390 mutex_enter(&acqlist->iacqf_lock); 3391 for (acqrec = acqlist->iacqf_ipsacq; acqrec != NULL; 3392 acqrec = spareacq) { 3393 spareacq = acqrec->ipsacq_next; 3394 if (current > acqrec->ipsacq_expire) 3395 sadb_destroy_acquire(acqrec); 3396 } 3397 mutex_exit(&acqlist->iacqf_lock); 3398 } 3399 3400 /* Age inbound associations. */ 3401 for (i = 0; i < sp->sdb_hashsize; i++) { 3402 bucket = &(sp->sdb_if[i]); 3403 mutex_enter(&bucket->isaf_lock); 3404 for (assoc = bucket->isaf_ipsa; assoc != NULL; 3405 assoc = spare) { 3406 spare = assoc->ipsa_next; 3407 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 3408 reap_delay, B_TRUE, &mq) != NULL) { 3409 /* 3410 * sadb_age_assoc() increments the refcnt, 3411 * effectively doing an IPSA_REFHOLD(). 3412 */ 3413 newbie = kmem_alloc(sizeof (*newbie), 3414 KM_NOSLEEP); 3415 if (newbie == NULL) { 3416 /* 3417 * Don't forget to REFRELE(). 3418 */ 3419 IPSA_REFRELE(assoc); 3420 continue; /* for loop... */ 3421 } 3422 newbie->next = haspeerlist; 3423 newbie->ipsa = assoc; 3424 haspeerlist = newbie; 3425 } 3426 } 3427 mutex_exit(&bucket->isaf_lock); 3428 } 3429 3430 if (mq != NULL) { 3431 sadb_drain_torchq(ip_q, mq); 3432 mq = NULL; 3433 } 3434 /* 3435 * Haspeer cases will contain both IPv4 and IPv6. This code 3436 * is address independent. 3437 */ 3438 while (haspeerlist != NULL) { 3439 /* "spare" contains the SA that has a peer. */ 3440 spare = haspeerlist->ipsa; 3441 newbie = haspeerlist; 3442 haspeerlist = newbie->next; 3443 kmem_free(newbie, sizeof (*newbie)); 3444 /* 3445 * Pick peer bucket based on addrfam. 3446 */ 3447 if (spare->ipsa_addrfam == AF_INET6) { 3448 outhash = OUTBOUND_HASH_V6(sp, 3449 *((in6_addr_t *)&spare->ipsa_dstaddr)); 3450 } else { 3451 outhash = OUTBOUND_HASH_V4(sp, 3452 *((ipaddr_t *)&spare->ipsa_dstaddr)); 3453 } 3454 bucket = &(sp->sdb_of[outhash]); 3455 3456 mutex_enter(&bucket->isaf_lock); 3457 assoc = ipsec_getassocbyspi(bucket, spare->ipsa_spi, 3458 spare->ipsa_srcaddr, spare->ipsa_dstaddr, 3459 spare->ipsa_addrfam); 3460 mutex_exit(&bucket->isaf_lock); 3461 if (assoc != NULL) { 3462 mutex_enter(&assoc->ipsa_lock); 3463 mutex_enter(&spare->ipsa_lock); 3464 assoc->ipsa_state = spare->ipsa_state; 3465 if (assoc->ipsa_state == IPSA_STATE_DEAD) 3466 assoc->ipsa_hardexpiretime = 1; 3467 mutex_exit(&spare->ipsa_lock); 3468 mutex_exit(&assoc->ipsa_lock); 3469 IPSA_REFRELE(assoc); 3470 } 3471 IPSA_REFRELE(spare); 3472 } 3473 3474 /* Age outbound associations. */ 3475 for (i = 0; i < sp->sdb_hashsize; i++) { 3476 bucket = &(sp->sdb_of[i]); 3477 mutex_enter(&bucket->isaf_lock); 3478 for (assoc = bucket->isaf_ipsa; assoc != NULL; 3479 assoc = spare) { 3480 spare = assoc->ipsa_next; 3481 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 3482 reap_delay, B_FALSE, &mq) != NULL) { 3483 /* 3484 * sadb_age_assoc() increments the refcnt, 3485 * effectively doing an IPSA_REFHOLD(). 3486 */ 3487 newbie = kmem_alloc(sizeof (*newbie), 3488 KM_NOSLEEP); 3489 if (newbie == NULL) { 3490 /* 3491 * Don't forget to REFRELE(). 3492 */ 3493 IPSA_REFRELE(assoc); 3494 continue; /* for loop... */ 3495 } 3496 newbie->next = haspeerlist; 3497 newbie->ipsa = assoc; 3498 haspeerlist = newbie; 3499 } 3500 } 3501 mutex_exit(&bucket->isaf_lock); 3502 } 3503 if (mq != NULL) { 3504 sadb_drain_torchq(ip_q, mq); 3505 mq = NULL; 3506 } 3507 /* 3508 * Haspeer cases will contain both IPv4 and IPv6. This code 3509 * is address independent. 3510 */ 3511 while (haspeerlist != NULL) { 3512 /* "spare" contains the SA that has a peer. */ 3513 spare = haspeerlist->ipsa; 3514 newbie = haspeerlist; 3515 haspeerlist = newbie->next; 3516 kmem_free(newbie, sizeof (*newbie)); 3517 /* 3518 * Pick peer bucket based on addrfam. 3519 */ 3520 bucket = INBOUND_BUCKET(sp, spare->ipsa_spi); 3521 mutex_enter(&bucket->isaf_lock); 3522 assoc = ipsec_getassocbyspi(bucket, spare->ipsa_spi, 3523 spare->ipsa_srcaddr, spare->ipsa_dstaddr, 3524 spare->ipsa_addrfam); 3525 mutex_exit(&bucket->isaf_lock); 3526 if (assoc != NULL) { 3527 mutex_enter(&assoc->ipsa_lock); 3528 mutex_enter(&spare->ipsa_lock); 3529 assoc->ipsa_state = spare->ipsa_state; 3530 if (assoc->ipsa_state == IPSA_STATE_DEAD) 3531 assoc->ipsa_hardexpiretime = 1; 3532 mutex_exit(&spare->ipsa_lock); 3533 mutex_exit(&assoc->ipsa_lock); 3534 IPSA_REFRELE(assoc); 3535 } 3536 IPSA_REFRELE(spare); 3537 } 3538 /* 3539 * Run a GC pass to clean out dead identities. 3540 */ 3541 ipsid_gc(); 3542 } 3543 3544 /* 3545 * Figure out when to reschedule the ager. 3546 */ 3547 timeout_id_t 3548 sadb_retimeout(hrtime_t begin, queue_t *pfkey_q, void (*ager)(void *), 3549 uint_t *intp, uint_t intmax, short mid) 3550 { 3551 hrtime_t end = gethrtime(); 3552 uint_t interval = *intp; 3553 3554 /* 3555 * See how long this took. If it took too long, increase the 3556 * aging interval. 3557 */ 3558 if ((end - begin) > interval * 1000000) { 3559 if (interval >= intmax) { 3560 /* XXX Rate limit this? Or recommend flush? */ 3561 (void) strlog(mid, 0, 0, SL_ERROR | SL_WARN, 3562 "Too many SA's to age out in %d msec.\n", 3563 intmax); 3564 } else { 3565 /* Double by shifting by one bit. */ 3566 interval <<= 1; 3567 interval = min(interval, intmax); 3568 } 3569 } else if ((end - begin) <= interval * 500000 && 3570 interval > SADB_AGE_INTERVAL_DEFAULT) { 3571 /* 3572 * If I took less than half of the interval, then I should 3573 * ratchet the interval back down. Never automatically 3574 * shift below the default aging interval. 3575 * 3576 * NOTE:This even overrides manual setting of the age 3577 * interval using NDD. 3578 */ 3579 /* Halve by shifting one bit. */ 3580 interval >>= 1; 3581 interval = max(interval, SADB_AGE_INTERVAL_DEFAULT); 3582 } 3583 *intp = interval; 3584 return (qtimeout(pfkey_q, ager, NULL, interval * drv_usectohz(1000))); 3585 } 3586 3587 3588 /* 3589 * Update the lifetime values of an SA. This is the path an SADB_UPDATE 3590 * message takes when updating a MATURE or DYING SA. 3591 */ 3592 static void 3593 sadb_update_lifetimes(ipsa_t *assoc, sadb_lifetime_t *hard, 3594 sadb_lifetime_t *soft) 3595 { 3596 mutex_enter(&assoc->ipsa_lock); 3597 3598 assoc->ipsa_state = IPSA_STATE_MATURE; 3599 3600 /* 3601 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be 3602 * passed in during an update message. We currently don't handle 3603 * these. 3604 */ 3605 3606 if (hard != NULL) { 3607 if (hard->sadb_lifetime_bytes != 0) 3608 assoc->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 3609 if (hard->sadb_lifetime_usetime != 0) 3610 assoc->ipsa_harduselt = hard->sadb_lifetime_usetime; 3611 if (hard->sadb_lifetime_addtime != 0) 3612 assoc->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 3613 if (assoc->ipsa_hardaddlt != 0) { 3614 assoc->ipsa_hardexpiretime = 3615 assoc->ipsa_addtime + assoc->ipsa_hardaddlt; 3616 } 3617 if (assoc->ipsa_harduselt != 0) { 3618 if (assoc->ipsa_hardexpiretime != 0) { 3619 assoc->ipsa_hardexpiretime = 3620 min(assoc->ipsa_hardexpiretime, 3621 assoc->ipsa_usetime + 3622 assoc->ipsa_harduselt); 3623 } else { 3624 assoc->ipsa_hardexpiretime = 3625 assoc->ipsa_usetime + assoc->ipsa_harduselt; 3626 } 3627 } 3628 3629 if (hard->sadb_lifetime_allocations != 0) 3630 assoc->ipsa_hardalloc = hard->sadb_lifetime_allocations; 3631 } 3632 3633 if (soft != NULL) { 3634 if (soft->sadb_lifetime_bytes != 0) 3635 assoc->ipsa_softbyteslt = soft->sadb_lifetime_bytes; 3636 if (soft->sadb_lifetime_usetime != 0) 3637 assoc->ipsa_softuselt = soft->sadb_lifetime_usetime; 3638 if (soft->sadb_lifetime_addtime != 0) 3639 assoc->ipsa_softaddlt = soft->sadb_lifetime_addtime; 3640 if (assoc->ipsa_softaddlt != 0) { 3641 assoc->ipsa_softexpiretime = 3642 assoc->ipsa_addtime + assoc->ipsa_softaddlt; 3643 } 3644 if (assoc->ipsa_softuselt != 0) { 3645 if (assoc->ipsa_softexpiretime != 0) { 3646 assoc->ipsa_softexpiretime = 3647 min(assoc->ipsa_softexpiretime, 3648 assoc->ipsa_usetime + 3649 assoc->ipsa_softuselt); 3650 } else { 3651 assoc->ipsa_softexpiretime = 3652 assoc->ipsa_usetime + assoc->ipsa_softuselt; 3653 } 3654 } 3655 3656 if (soft->sadb_lifetime_allocations != 0) 3657 assoc->ipsa_softalloc = soft->sadb_lifetime_allocations; 3658 } 3659 3660 mutex_exit(&assoc->ipsa_lock); 3661 } 3662 3663 /* 3664 * Common code to update an SA. 3665 */ 3666 3667 int 3668 sadb_update_sa(mblk_t *mp, keysock_in_t *ksi, 3669 sadb_t *sp, int *diagnostic, queue_t *pfkey_q, 3670 int (*add_sa_func)(mblk_t *, keysock_in_t *, int *)) 3671 { 3672 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 3673 sadb_address_t *srcext = 3674 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 3675 sadb_address_t *dstext = 3676 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 3677 sadb_x_kmc_t *kmcext = 3678 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 3679 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 3680 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 3681 struct sockaddr_in *src, *dst; 3682 struct sockaddr_in6 *src6, *dst6; 3683 sadb_lifetime_t *soft = 3684 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 3685 sadb_lifetime_t *hard = 3686 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 3687 isaf_t *inbound, *outbound; 3688 ipsa_t *outbound_target = NULL, *inbound_target = NULL; 3689 int error = 0; 3690 uint32_t *srcaddr, *dstaddr; 3691 sa_family_t af; 3692 uint32_t kmp = 0, kmc = 0; 3693 3694 /* I need certain extensions present for either UPDATE message. */ 3695 if (srcext == NULL) { 3696 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 3697 return (EINVAL); 3698 } 3699 if (dstext == NULL) { 3700 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 3701 return (EINVAL); 3702 } 3703 if (assoc == NULL) { 3704 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 3705 return (EINVAL); 3706 } 3707 3708 if (kmcext != NULL) { 3709 kmp = kmcext->sadb_x_kmc_proto; 3710 kmc = kmcext->sadb_x_kmc_cookie; 3711 } 3712 3713 dst = (struct sockaddr_in *)(dstext + 1); 3714 src = (struct sockaddr_in *)(srcext + 1); 3715 af = dst->sin_family; 3716 if (af == AF_INET6) { 3717 dst6 = (struct sockaddr_in6 *)dst; 3718 src6 = (struct sockaddr_in6 *)src; 3719 3720 srcaddr = (uint32_t *)&src6->sin6_addr; 3721 dstaddr = (uint32_t *)&dst6->sin6_addr; 3722 outbound = OUTBOUND_BUCKET_V6(sp, *(uint32_t *)dstaddr); 3723 #if 0 3724 /* Not used for now... */ 3725 if (proxyext != NULL) 3726 proxy6 = (struct sockaddr_in6 *)(proxyext + 1); 3727 #endif 3728 } else { 3729 srcaddr = (uint32_t *)&src->sin_addr; 3730 dstaddr = (uint32_t *)&dst->sin_addr; 3731 outbound = OUTBOUND_BUCKET_V4(sp, *(uint32_t *)dstaddr); 3732 } 3733 inbound = INBOUND_BUCKET(sp, assoc->sadb_sa_spi); 3734 3735 /* Lock down both buckets. */ 3736 mutex_enter(&outbound->isaf_lock); 3737 mutex_enter(&inbound->isaf_lock); 3738 3739 /* Try outbound first. */ 3740 outbound_target = ipsec_getassocbyspi(outbound, assoc->sadb_sa_spi, 3741 srcaddr, dstaddr, af); 3742 inbound_target = ipsec_getassocbyspi(inbound, assoc->sadb_sa_spi, 3743 srcaddr, dstaddr, af); 3744 3745 mutex_exit(&inbound->isaf_lock); 3746 mutex_exit(&outbound->isaf_lock); 3747 3748 if (outbound_target == NULL) { 3749 if (inbound_target == NULL) { 3750 return (ESRCH); 3751 } else if (inbound_target->ipsa_state == IPSA_STATE_LARVAL) { 3752 /* 3753 * REFRELE the target and let the add_sa_func() 3754 * deal with updating a larval SA. 3755 */ 3756 IPSA_REFRELE(inbound_target); 3757 return (add_sa_func(mp, ksi, diagnostic)); 3758 } 3759 } 3760 3761 /* 3762 * Reality checks for updates of active associations. 3763 * Sundry first-pass UPDATE-specific reality checks. 3764 * Have to do the checks here, because it's after the add_sa code. 3765 * XXX STATS : logging/stats here? 3766 */ 3767 3768 if (assoc->sadb_sa_state != SADB_SASTATE_MATURE) { 3769 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 3770 error = EINVAL; 3771 goto bail; 3772 } 3773 if (assoc->sadb_sa_flags & ~(SADB_SAFLAGS_NOREPLAY | 3774 SADB_X_SAFLAGS_NATT_LOC | SADB_X_SAFLAGS_NATT_REM)) { 3775 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS; 3776 error = EINVAL; 3777 goto bail; 3778 } 3779 if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL) { 3780 error = EOPNOTSUPP; 3781 goto bail; 3782 } 3783 if ((*diagnostic = sadb_hardsoftchk(hard, soft)) != 0) { 3784 error = EINVAL; 3785 goto bail; 3786 } 3787 if (src->sin_family != dst->sin_family) { 3788 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 3789 error = EINVAL; 3790 goto bail; 3791 } 3792 if (akey != NULL) { 3793 *diagnostic = SADB_X_DIAGNOSTIC_AKEY_PRESENT; 3794 error = EINVAL; 3795 goto bail; 3796 } 3797 if (ekey != NULL) { 3798 *diagnostic = SADB_X_DIAGNOSTIC_EKEY_PRESENT; 3799 error = EINVAL; 3800 goto bail; 3801 } 3802 3803 if (outbound_target != NULL) { 3804 if (outbound_target->ipsa_state == IPSA_STATE_DEAD) { 3805 error = ESRCH; /* DEAD == Not there, in this case. */ 3806 goto bail; 3807 } 3808 if ((kmp != 0) && 3809 ((outbound_target->ipsa_kmp != 0) || 3810 (outbound_target->ipsa_kmp != kmp))) { 3811 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 3812 error = EINVAL; 3813 goto bail; 3814 } 3815 if ((kmc != 0) && 3816 ((outbound_target->ipsa_kmc != 0) || 3817 (outbound_target->ipsa_kmc != kmc))) { 3818 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 3819 error = EINVAL; 3820 goto bail; 3821 } 3822 } 3823 3824 if (inbound_target != NULL) { 3825 if (inbound_target->ipsa_state == IPSA_STATE_DEAD) { 3826 error = ESRCH; /* DEAD == Not there, in this case. */ 3827 goto bail; 3828 } 3829 if ((kmp != 0) && 3830 ((inbound_target->ipsa_kmp != 0) || 3831 (inbound_target->ipsa_kmp != kmp))) { 3832 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 3833 error = EINVAL; 3834 goto bail; 3835 } 3836 if ((kmc != 0) && 3837 ((inbound_target->ipsa_kmc != 0) || 3838 (inbound_target->ipsa_kmc != kmc))) { 3839 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 3840 error = EINVAL; 3841 goto bail; 3842 } 3843 } 3844 3845 if (outbound_target != NULL) { 3846 sadb_set_unique(outbound_target, dstext->sadb_address_proto, 3847 src, dst); 3848 sadb_update_lifetimes(outbound_target, hard, soft); 3849 if (kmp != 0) 3850 outbound_target->ipsa_kmp = kmp; 3851 if (kmc != 0) 3852 outbound_target->ipsa_kmc = kmc; 3853 } 3854 3855 if (inbound_target != NULL) { 3856 sadb_set_unique(inbound_target, dstext->sadb_address_proto, 3857 src, dst); 3858 sadb_update_lifetimes(inbound_target, hard, soft); 3859 if (kmp != 0) 3860 inbound_target->ipsa_kmp = kmp; 3861 if (kmc != 0) 3862 inbound_target->ipsa_kmc = kmc; 3863 } 3864 3865 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 3866 ksi, (outbound_target == NULL) ? inbound_target : outbound_target); 3867 3868 bail: 3869 /* 3870 * Because of the multi-line macro nature of IPSA_REFRELE, keep 3871 * them in { }. 3872 */ 3873 if (outbound_target != NULL) { 3874 IPSA_REFRELE(outbound_target); 3875 } 3876 if (inbound_target != NULL) { 3877 IPSA_REFRELE(inbound_target); 3878 } 3879 3880 return (error); 3881 } 3882 3883 /* 3884 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is 3885 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails 3886 * for an outbound datagram, that datagram is queued up on an ACQUIRE record, 3887 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key 3888 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve 3889 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the 3890 * other direction's SA. 3891 */ 3892 3893 /* 3894 * Check the ACQUIRE lists. If there's an existing ACQUIRE record, 3895 * grab it, lock it, and return it. Otherwise return NULL. 3896 */ 3897 static ipsacq_t * 3898 sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp, 3899 uint32_t *src, uint32_t *dst, uint64_t unique_id) 3900 { 3901 ipsacq_t *walker; 3902 sa_family_t fam; 3903 3904 /* 3905 * Scan list for duplicates. Check for UNIQUE, src/dest, policy. 3906 * 3907 * XXX May need search for duplicates based on other things too! 3908 */ 3909 for (walker = bucket->iacqf_ipsacq; walker != NULL; 3910 walker = walker->ipsacq_next) { 3911 mutex_enter(&walker->ipsacq_lock); 3912 fam = walker->ipsacq_addrfam; 3913 if (IPSA_ARE_ADDR_EQUAL(dst, walker->ipsacq_dstaddr, fam) && 3914 IPSA_ARE_ADDR_EQUAL(src, walker->ipsacq_srcaddr, fam) && 3915 /* XXX PROXY should check for proxy addr here */ 3916 (ap == walker->ipsacq_act) && 3917 (pp == walker->ipsacq_policy) && 3918 /* XXX do deep compares of ap/pp? */ 3919 (unique_id == walker->ipsacq_unique_id)) 3920 break; /* everything matched */ 3921 mutex_exit(&walker->ipsacq_lock); 3922 } 3923 3924 return (walker); 3925 } 3926 3927 /* 3928 * For this mblk, insert a new acquire record. Assume bucket contains addrs 3929 * of all of the same length. Give up (and drop) if memory 3930 * cannot be allocated for a new one; otherwise, invoke callback to 3931 * send the acquire up.. 3932 * 3933 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE 3934 * list. The ah_add_sa_finish() routines can look at the packet's ipsec_out_t 3935 * and handle this case specially. 3936 */ 3937 void 3938 sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp) 3939 { 3940 sadbp_t *spp; 3941 sadb_t *sp; 3942 ipsacq_t *newbie; 3943 iacqf_t *bucket; 3944 mblk_t *datamp = mp->b_cont; 3945 mblk_t *extended; 3946 ipha_t *ipha = (ipha_t *)datamp->b_rptr; 3947 ip6_t *ip6h = (ip6_t *)datamp->b_rptr; 3948 uint32_t *src, *dst; 3949 ipsec_policy_t *pp = io->ipsec_out_policy; 3950 ipsec_action_t *ap = io->ipsec_out_act; 3951 sa_family_t af; 3952 int hashoffset; 3953 uint32_t seq; 3954 uint64_t unique_id = 0; 3955 ipsec_selector_t sel; 3956 3957 ASSERT((pp != NULL) || (ap != NULL)); 3958 3959 ASSERT(need_ah != NULL || need_esp != NULL); 3960 /* Assign sadb pointers */ 3961 spp = need_esp ? &esp_sadb : &ah_sadb; /* ESP for AH+ESP */ 3962 sp = io->ipsec_out_v4 ? &spp->s_v4 : &spp->s_v6; 3963 3964 if (ap == NULL) 3965 ap = pp->ipsp_act; 3966 3967 ASSERT(ap != NULL); 3968 3969 if (ap->ipa_act.ipa_apply.ipp_use_unique) 3970 unique_id = SA_FORM_UNIQUE_ID(io); 3971 3972 /* 3973 * Set up an ACQUIRE record. 3974 * 3975 * Will eventually want to pull the PROXY source address from 3976 * either the inner IP header, or from a future extension to the 3977 * IPSEC_OUT message. 3978 * 3979 * Actually, we'll also want to check for duplicates. 3980 * 3981 * Immediately, make sure the ACQUIRE sequence number doesn't slip 3982 * below the lowest point allowed in the kernel. (In other words, 3983 * make sure the high bit on the sequence number is set.) 3984 */ 3985 3986 seq = keysock_next_seq() | IACQF_LOWEST_SEQ; 3987 3988 sel.ips_isv4 = io->ipsec_out_v4; 3989 sel.ips_protocol = io->ipsec_out_proto; 3990 sel.ips_local_port = io->ipsec_out_src_port; 3991 sel.ips_remote_port = io->ipsec_out_dst_port; 3992 sel.ips_icmp_type = io->ipsec_out_icmp_type; 3993 sel.ips_icmp_code = io->ipsec_out_icmp_code; 3994 sel.ips_is_icmp_inv_acq = 0; 3995 if (IPH_HDR_VERSION(ipha) == IP_VERSION) { 3996 src = (uint32_t *)&ipha->ipha_src; 3997 dst = (uint32_t *)&ipha->ipha_dst; 3998 /* No compiler dain-bramage (4438087) for IPv4 addresses. */ 3999 sel.ips_local_addr_v4 = ipha->ipha_src; 4000 sel.ips_remote_addr_v4 = ipha->ipha_dst; 4001 af = AF_INET; 4002 hashoffset = OUTBOUND_HASH_V4(sp, ipha->ipha_dst); 4003 ASSERT(io->ipsec_out_v4 == B_TRUE); 4004 } else { 4005 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION); 4006 src = (uint32_t *)&ip6h->ip6_src; 4007 dst = (uint32_t *)&ip6h->ip6_dst; 4008 sel.ips_local_addr_v6 = ip6h->ip6_src; 4009 sel.ips_remote_addr_v6 = ip6h->ip6_dst; 4010 af = AF_INET6; 4011 hashoffset = OUTBOUND_HASH_V6(sp, ip6h->ip6_dst); 4012 ASSERT(io->ipsec_out_v4 == B_FALSE); 4013 } 4014 4015 /* 4016 * Check buckets to see if there is an existing entry. If so, 4017 * grab it. sadb_checkacquire locks newbie if found. 4018 */ 4019 bucket = &(sp->sdb_acq[hashoffset]); 4020 mutex_enter(&bucket->iacqf_lock); 4021 newbie = sadb_checkacquire(bucket, ap, pp, src, dst, unique_id); 4022 4023 if (newbie == NULL) { 4024 /* 4025 * Otherwise, allocate a new one. 4026 */ 4027 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP); 4028 if (newbie == NULL) { 4029 mutex_exit(&bucket->iacqf_lock); 4030 ip_drop_packet(mp, B_FALSE, NULL, NULL, 4031 &ipdrops_sadb_acquire_nomem, &sadb_dropper); 4032 return; 4033 } 4034 newbie->ipsacq_policy = pp; 4035 if (pp != NULL) { 4036 IPPOL_REFHOLD(pp); 4037 } 4038 IPACT_REFHOLD(ap); 4039 newbie->ipsacq_act = ap; 4040 newbie->ipsacq_linklock = &bucket->iacqf_lock; 4041 newbie->ipsacq_next = bucket->iacqf_ipsacq; 4042 newbie->ipsacq_ptpn = &bucket->iacqf_ipsacq; 4043 if (newbie->ipsacq_next != NULL) 4044 newbie->ipsacq_next->ipsacq_ptpn = &newbie->ipsacq_next; 4045 bucket->iacqf_ipsacq = newbie; 4046 mutex_init(&newbie->ipsacq_lock, NULL, MUTEX_DEFAULT, NULL); 4047 mutex_enter(&newbie->ipsacq_lock); 4048 } 4049 4050 mutex_exit(&bucket->iacqf_lock); 4051 4052 /* 4053 * This assert looks silly for now, but we may need to enter newbie's 4054 * mutex during a search. 4055 */ 4056 ASSERT(MUTEX_HELD(&newbie->ipsacq_lock)); 4057 4058 mp->b_next = NULL; 4059 /* Queue up packet. Use b_next. */ 4060 if (newbie->ipsacq_numpackets == 0) { 4061 /* First one. */ 4062 newbie->ipsacq_mp = mp; 4063 newbie->ipsacq_numpackets = 1; 4064 (void) drv_getparm(TIME, &newbie->ipsacq_expire); 4065 /* 4066 * Extended ACQUIRE with both AH+ESP will use ESP's timeout 4067 * value. 4068 */ 4069 newbie->ipsacq_expire += *spp->s_acquire_timeout; 4070 newbie->ipsacq_seq = seq; 4071 newbie->ipsacq_addrfam = af; 4072 4073 newbie->ipsacq_srcport = io->ipsec_out_src_port; 4074 newbie->ipsacq_dstport = io->ipsec_out_dst_port; 4075 newbie->ipsacq_icmp_type = io->ipsec_out_icmp_type; 4076 newbie->ipsacq_icmp_code = io->ipsec_out_icmp_code; 4077 newbie->ipsacq_proto = io->ipsec_out_proto; 4078 newbie->ipsacq_unique_id = unique_id; 4079 } else { 4080 /* Scan to the end of the list & insert. */ 4081 mblk_t *lastone = newbie->ipsacq_mp; 4082 4083 while (lastone->b_next != NULL) 4084 lastone = lastone->b_next; 4085 lastone->b_next = mp; 4086 if (newbie->ipsacq_numpackets++ == ipsacq_maxpackets) { 4087 newbie->ipsacq_numpackets = ipsacq_maxpackets; 4088 lastone = newbie->ipsacq_mp; 4089 newbie->ipsacq_mp = lastone->b_next; 4090 lastone->b_next = NULL; 4091 ip_drop_packet(lastone, B_FALSE, NULL, NULL, 4092 &ipdrops_sadb_acquire_toofull, &sadb_dropper); 4093 } else { 4094 IP_ACQUIRE_STAT(qhiwater, newbie->ipsacq_numpackets); 4095 } 4096 } 4097 4098 /* 4099 * Reset addresses. Set them to the most recently added mblk chain, 4100 * so that the address pointers in the acquire record will point 4101 * at an mblk still attached to the acquire list. 4102 */ 4103 4104 newbie->ipsacq_srcaddr = src; 4105 newbie->ipsacq_dstaddr = dst; 4106 4107 /* 4108 * If the acquire record has more than one queued packet, we've 4109 * already sent an ACQUIRE, and don't need to repeat ourself. 4110 */ 4111 if (newbie->ipsacq_seq != seq || newbie->ipsacq_numpackets > 1) { 4112 /* I have an acquire outstanding already! */ 4113 mutex_exit(&newbie->ipsacq_lock); 4114 return; 4115 } 4116 4117 if (keysock_extended_reg()) { 4118 /* 4119 * Construct an extended ACQUIRE. There are logging 4120 * opportunities here in failure cases. 4121 */ 4122 4123 extended = sadb_keysock_out(0); 4124 if (extended != NULL) { 4125 extended->b_cont = sadb_extended_acquire(&sel, pp, ap, 4126 seq, 0); 4127 if (extended->b_cont == NULL) { 4128 freeb(extended); 4129 extended = NULL; 4130 } 4131 } 4132 } else 4133 extended = NULL; 4134 4135 /* 4136 * Send an ACQUIRE message (and possible an extended ACQUIRE) based on 4137 * this new record. The send-acquire callback assumes that acqrec is 4138 * already locked. 4139 */ 4140 (*spp->s_acqfn)(newbie, extended); 4141 } 4142 4143 /* 4144 * Unlink and free an acquire record. 4145 */ 4146 void 4147 sadb_destroy_acquire(ipsacq_t *acqrec) 4148 { 4149 mblk_t *mp; 4150 4151 ASSERT(MUTEX_HELD(acqrec->ipsacq_linklock)); 4152 4153 if (acqrec->ipsacq_policy != NULL) { 4154 IPPOL_REFRELE(acqrec->ipsacq_policy); 4155 } 4156 if (acqrec->ipsacq_act != NULL) { 4157 IPACT_REFRELE(acqrec->ipsacq_act); 4158 } 4159 4160 /* Unlink */ 4161 *(acqrec->ipsacq_ptpn) = acqrec->ipsacq_next; 4162 if (acqrec->ipsacq_next != NULL) 4163 acqrec->ipsacq_next->ipsacq_ptpn = acqrec->ipsacq_ptpn; 4164 4165 /* 4166 * Free hanging mp's. 4167 * 4168 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED. 4169 */ 4170 4171 mutex_enter(&acqrec->ipsacq_lock); 4172 while (acqrec->ipsacq_mp != NULL) { 4173 mp = acqrec->ipsacq_mp; 4174 acqrec->ipsacq_mp = mp->b_next; 4175 mp->b_next = NULL; 4176 ip_drop_packet(mp, B_FALSE, NULL, NULL, 4177 &ipdrops_sadb_acquire_timeout, &sadb_dropper); 4178 } 4179 mutex_exit(&acqrec->ipsacq_lock); 4180 4181 /* Free */ 4182 mutex_destroy(&acqrec->ipsacq_lock); 4183 kmem_free(acqrec, sizeof (*acqrec)); 4184 } 4185 4186 /* 4187 * Destroy an acquire list fanout. 4188 */ 4189 static void 4190 sadb_destroy_acqlist(iacqf_t **listp, uint_t numentries, boolean_t forever) 4191 { 4192 int i; 4193 iacqf_t *list = *listp; 4194 4195 if (list == NULL) 4196 return; 4197 4198 for (i = 0; i < numentries; i++) { 4199 mutex_enter(&(list[i].iacqf_lock)); 4200 while (list[i].iacqf_ipsacq != NULL) 4201 sadb_destroy_acquire(list[i].iacqf_ipsacq); 4202 mutex_exit(&(list[i].iacqf_lock)); 4203 if (forever) 4204 mutex_destroy(&(list[i].iacqf_lock)); 4205 } 4206 4207 if (forever) { 4208 *listp = NULL; 4209 kmem_free(list, numentries * sizeof (*list)); 4210 } 4211 } 4212 4213 static uint8_t * 4214 sadb_new_algdesc(uint8_t *start, uint8_t *limit, 4215 sadb_x_ecomb_t *ecomb, uint8_t satype, uint8_t algtype, 4216 uint8_t alg, uint16_t minbits, uint16_t maxbits) 4217 { 4218 uint8_t *cur = start; 4219 4220 sadb_x_algdesc_t *algdesc = (sadb_x_algdesc_t *)cur; 4221 cur += sizeof (*algdesc); 4222 if (cur >= limit) 4223 return (NULL); 4224 4225 ecomb->sadb_x_ecomb_numalgs++; 4226 4227 algdesc->sadb_x_algdesc_satype = satype; 4228 algdesc->sadb_x_algdesc_algtype = algtype; 4229 algdesc->sadb_x_algdesc_alg = alg; 4230 algdesc->sadb_x_algdesc_minbits = minbits; 4231 algdesc->sadb_x_algdesc_maxbits = maxbits; 4232 algdesc->sadb_x_algdesc_reserved = 0; 4233 return (cur); 4234 } 4235 4236 /* 4237 * Convert the given ipsec_action_t into an ecomb starting at *ecomb 4238 * which must fit before *limit 4239 * 4240 * return NULL if we ran out of room or a pointer to the end of the ecomb. 4241 */ 4242 static uint8_t * 4243 sadb_action_to_ecomb(uint8_t *start, uint8_t *limit, ipsec_action_t *act) 4244 { 4245 uint8_t *cur = start; 4246 sadb_x_ecomb_t *ecomb = (sadb_x_ecomb_t *)cur; 4247 ipsec_prot_t *ipp; 4248 4249 cur += sizeof (*ecomb); 4250 if (cur >= limit) 4251 return (NULL); 4252 4253 ASSERT(act->ipa_act.ipa_type == IPSEC_ACT_APPLY); 4254 4255 ipp = &act->ipa_act.ipa_apply; 4256 4257 ecomb->sadb_x_ecomb_numalgs = 0; 4258 ecomb->sadb_x_ecomb_reserved = 0; 4259 ecomb->sadb_x_ecomb_reserved2 = 0; 4260 /* 4261 * No limits on allocations, since we really don't support that 4262 * concept currently. 4263 */ 4264 ecomb->sadb_x_ecomb_soft_allocations = 0; 4265 ecomb->sadb_x_ecomb_hard_allocations = 0; 4266 4267 /* 4268 * XXX TBD: Policy or global parameters will eventually be 4269 * able to fill in some of these. 4270 */ 4271 ecomb->sadb_x_ecomb_flags = 0; 4272 ecomb->sadb_x_ecomb_soft_bytes = 0; 4273 ecomb->sadb_x_ecomb_hard_bytes = 0; 4274 ecomb->sadb_x_ecomb_soft_addtime = 0; 4275 ecomb->sadb_x_ecomb_hard_addtime = 0; 4276 ecomb->sadb_x_ecomb_soft_usetime = 0; 4277 ecomb->sadb_x_ecomb_hard_usetime = 0; 4278 4279 if (ipp->ipp_use_ah) { 4280 cur = sadb_new_algdesc(cur, limit, ecomb, 4281 SADB_SATYPE_AH, SADB_X_ALGTYPE_AUTH, ipp->ipp_auth_alg, 4282 ipp->ipp_ah_minbits, ipp->ipp_ah_maxbits); 4283 if (cur == NULL) 4284 return (NULL); 4285 ipsecah_fill_defs(ecomb); 4286 } 4287 4288 if (ipp->ipp_use_esp) { 4289 if (ipp->ipp_use_espa) { 4290 cur = sadb_new_algdesc(cur, limit, ecomb, 4291 SADB_SATYPE_ESP, SADB_X_ALGTYPE_AUTH, 4292 ipp->ipp_esp_auth_alg, 4293 ipp->ipp_espa_minbits, 4294 ipp->ipp_espa_maxbits); 4295 if (cur == NULL) 4296 return (NULL); 4297 } 4298 4299 cur = sadb_new_algdesc(cur, limit, ecomb, 4300 SADB_SATYPE_ESP, SADB_X_ALGTYPE_CRYPT, 4301 ipp->ipp_encr_alg, 4302 ipp->ipp_espe_minbits, 4303 ipp->ipp_espe_maxbits); 4304 if (cur == NULL) 4305 return (NULL); 4306 /* Fill in lifetimes if and only if AH didn't already... */ 4307 if (!ipp->ipp_use_ah) 4308 ipsecesp_fill_defs(ecomb); 4309 } 4310 4311 return (cur); 4312 } 4313 4314 /* 4315 * Construct an extended ACQUIRE message based on a selector and the resulting 4316 * IPsec action. 4317 * 4318 * NOTE: This is used by both inverse ACQUIRE and actual ACQUIRE 4319 * generation. As a consequence, expect this function to evolve 4320 * rapidly. 4321 */ 4322 static mblk_t * 4323 sadb_extended_acquire(ipsec_selector_t *sel, ipsec_policy_t *pol, 4324 ipsec_action_t *act, uint32_t seq, uint32_t pid) 4325 { 4326 mblk_t *mp; 4327 sadb_msg_t *samsg; 4328 uint8_t *start, *cur, *end; 4329 uint32_t *saddrptr, *daddrptr; 4330 sa_family_t af; 4331 sadb_prop_t *eprop; 4332 ipsec_action_t *ap, *an; 4333 uint8_t proto; 4334 uint16_t lport, rport; 4335 uint32_t kmp, kmc; 4336 4337 /* 4338 * Find the action we want sooner rather than later.. 4339 */ 4340 an = NULL; 4341 if (pol == NULL) { 4342 ap = act; 4343 } else { 4344 ap = pol->ipsp_act; 4345 4346 if (ap != NULL) 4347 an = ap->ipa_next; 4348 } 4349 4350 /* 4351 * Just take a swag for the allocation for now. We can always 4352 * alter it later. 4353 */ 4354 #define SADB_EXTENDED_ACQUIRE_SIZE 2048 4355 mp = allocb(SADB_EXTENDED_ACQUIRE_SIZE, BPRI_HI); 4356 if (mp == NULL) 4357 return (NULL); 4358 if (sel->ips_isv4) { 4359 af = AF_INET; 4360 saddrptr = (uint32_t *)(&sel->ips_local_addr_v4); 4361 daddrptr = (uint32_t *)(&sel->ips_remote_addr_v4); 4362 } else { 4363 af = AF_INET6; 4364 saddrptr = (uint32_t *)(&sel->ips_local_addr_v6); 4365 daddrptr = (uint32_t *)(&sel->ips_remote_addr_v6); 4366 } 4367 4368 start = mp->b_rptr; 4369 end = start + SADB_EXTENDED_ACQUIRE_SIZE; 4370 4371 cur = start; 4372 4373 samsg = (sadb_msg_t *)cur; 4374 cur += sizeof (*samsg); 4375 4376 samsg->sadb_msg_version = PF_KEY_V2; 4377 samsg->sadb_msg_type = SADB_ACQUIRE; 4378 samsg->sadb_msg_errno = 0; 4379 samsg->sadb_msg_reserved = 0; 4380 samsg->sadb_msg_satype = 0; 4381 samsg->sadb_msg_seq = seq; 4382 samsg->sadb_msg_pid = pid; 4383 4384 proto = sel->ips_protocol; 4385 lport = sel->ips_local_port; 4386 rport = sel->ips_remote_port; 4387 4388 /* 4389 * Unless our policy says "sa unique", drop port/proto 4390 * selectors, then add them back if policy rule includes them.. 4391 */ 4392 4393 if ((ap != NULL) && (!ap->ipa_want_unique)) { 4394 proto = 0; 4395 lport = 0; 4396 rport = 0; 4397 if (pol != NULL) { 4398 ipsec_selkey_t *psel = &pol->ipsp_sel->ipsl_key; 4399 if (psel->ipsl_valid & IPSL_PROTOCOL) 4400 proto = psel->ipsl_proto; 4401 if (psel->ipsl_valid & IPSL_REMOTE_PORT) 4402 rport = psel->ipsl_rport; 4403 if (psel->ipsl_valid & IPSL_LOCAL_PORT) 4404 lport = psel->ipsl_lport; 4405 } 4406 } 4407 4408 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 4409 saddrptr, lport, proto); 4410 4411 if (cur == NULL) { 4412 freeb(mp); 4413 return (NULL); 4414 } 4415 4416 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 4417 daddrptr, rport, proto); 4418 4419 if (cur == NULL) { 4420 freeb(mp); 4421 return (NULL); 4422 } 4423 4424 /* 4425 * This section will change a lot as policy evolves. 4426 * For now, it'll be relatively simple. 4427 */ 4428 eprop = (sadb_prop_t *)cur; 4429 cur += sizeof (*eprop); 4430 if (cur > end) { 4431 /* no space left */ 4432 freeb(mp); 4433 return (NULL); 4434 } 4435 4436 eprop->sadb_prop_exttype = SADB_X_EXT_EPROP; 4437 eprop->sadb_x_prop_ereserved = 0; 4438 eprop->sadb_x_prop_numecombs = 0; 4439 eprop->sadb_prop_replay = 32; /* default */ 4440 4441 kmc = kmp = 0; 4442 4443 for (; ap != NULL; ap = an) { 4444 an = (pol != NULL) ? ap->ipa_next : NULL; 4445 4446 /* 4447 * Skip non-IPsec policies 4448 */ 4449 if (ap->ipa_act.ipa_type != IPSEC_ACT_APPLY) 4450 continue; 4451 4452 if (ap->ipa_act.ipa_apply.ipp_km_proto) 4453 kmp = ap->ipa_act.ipa_apply.ipp_km_proto; 4454 if (ap->ipa_act.ipa_apply.ipp_km_cookie) 4455 kmc = ap->ipa_act.ipa_apply.ipp_km_cookie; 4456 if (ap->ipa_act.ipa_apply.ipp_replay_depth) { 4457 eprop->sadb_prop_replay = 4458 ap->ipa_act.ipa_apply.ipp_replay_depth; 4459 } 4460 4461 cur = sadb_action_to_ecomb(cur, end, ap); 4462 if (cur == NULL) { /* no space */ 4463 freeb(mp); 4464 return (NULL); 4465 } 4466 eprop->sadb_x_prop_numecombs++; 4467 } 4468 4469 if (eprop->sadb_x_prop_numecombs == 0) { 4470 /* 4471 * This will happen if we fail to find a policy 4472 * allowing for IPsec processing. 4473 * Construct an error message. 4474 */ 4475 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 4476 samsg->sadb_msg_errno = ENOENT; 4477 samsg->sadb_x_msg_diagnostic = 0; 4478 return (mp); 4479 } 4480 4481 if ((kmp != 0) || (kmc != 0)) { 4482 cur = sadb_make_kmc_ext(cur, end, kmp, kmc); 4483 if (cur == NULL) { 4484 freeb(mp); 4485 return (NULL); 4486 } 4487 } 4488 4489 eprop->sadb_prop_len = SADB_8TO64(cur - (uint8_t *)eprop); 4490 samsg->sadb_msg_len = SADB_8TO64(cur-start); 4491 mp->b_wptr = cur; 4492 4493 return (mp); 4494 } 4495 4496 /* 4497 * Generic setup of an ACQUIRE message. Caller sets satype. 4498 */ 4499 uint8_t * 4500 sadb_setup_acquire(uint8_t *start, uint8_t *end, ipsacq_t *acqrec) 4501 { 4502 sa_family_t af; 4503 uint8_t *cur = start; 4504 sadb_msg_t *samsg = (sadb_msg_t *)cur; 4505 uint16_t sport_typecode; 4506 uint16_t dport_typecode; 4507 uint8_t check_proto; 4508 4509 cur += sizeof (sadb_msg_t); 4510 if (cur > end) 4511 return (NULL); 4512 4513 /* use the address length to find the address family */ 4514 af = acqrec->ipsacq_addrfam; 4515 switch (af) { 4516 case AF_INET: 4517 check_proto = IPPROTO_ICMP; 4518 break; 4519 case AF_INET6: 4520 check_proto = IPPROTO_ICMPV6; 4521 break; 4522 default: 4523 /* This should never happen unless we have kernel bugs. */ 4524 cmn_err(CE_WARN, 4525 "sadb_setup_acquire: corrupt ACQUIRE record.\n"); 4526 ASSERT(0); 4527 return (NULL); 4528 } 4529 4530 samsg->sadb_msg_version = PF_KEY_V2; 4531 samsg->sadb_msg_type = SADB_ACQUIRE; 4532 samsg->sadb_msg_errno = 0; 4533 samsg->sadb_msg_pid = 0; 4534 samsg->sadb_msg_reserved = 0; 4535 samsg->sadb_msg_seq = acqrec->ipsacq_seq; 4536 4537 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock)); 4538 4539 if (acqrec->ipsacq_proto == check_proto) { 4540 sport_typecode = dport_typecode = 0; 4541 } else { 4542 sport_typecode = acqrec->ipsacq_srcport; 4543 dport_typecode = acqrec->ipsacq_dstport; 4544 } 4545 4546 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 4547 acqrec->ipsacq_srcaddr, sport_typecode, acqrec->ipsacq_proto); 4548 4549 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 4550 acqrec->ipsacq_dstaddr, dport_typecode, acqrec->ipsacq_proto); 4551 4552 if (cur != NULL) 4553 samsg->sadb_msg_len = SADB_8TO64(cur - start); 4554 4555 return (cur); 4556 } 4557 4558 /* 4559 * Given an SADB_GETSPI message, find an appropriately ranged SA and 4560 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1. 4561 * If there was a memory allocation error, return NULL. (Assume NULL != 4562 * (ipsa_t *)-1). 4563 * 4564 * master_spi is passed in host order. 4565 */ 4566 ipsa_t * 4567 sadb_getspi(keysock_in_t *ksi, uint32_t master_spi, int *diagnostic) 4568 { 4569 sadb_address_t *src = 4570 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC], 4571 *dst = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 4572 sadb_spirange_t *range = 4573 (sadb_spirange_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE]; 4574 struct sockaddr_in *ssa, *dsa; 4575 struct sockaddr_in6 *ssa6, *dsa6; 4576 uint32_t *srcaddr, *dstaddr; 4577 sa_family_t af; 4578 uint32_t add, min, max; 4579 4580 if (src == NULL) { 4581 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 4582 return ((ipsa_t *)-1); 4583 } 4584 if (dst == NULL) { 4585 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 4586 return ((ipsa_t *)-1); 4587 } 4588 if (range == NULL) { 4589 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_RANGE; 4590 return ((ipsa_t *)-1); 4591 } 4592 4593 min = ntohl(range->sadb_spirange_min); 4594 max = ntohl(range->sadb_spirange_max); 4595 dsa = (struct sockaddr_in *)(dst + 1); 4596 dsa6 = (struct sockaddr_in6 *)dsa; 4597 4598 ssa = (struct sockaddr_in *)(src + 1); 4599 ssa6 = (struct sockaddr_in6 *)ssa; 4600 if (dsa->sin_family != ssa->sin_family) { 4601 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 4602 return ((ipsa_t *)-1); 4603 } 4604 4605 srcaddr = ALL_ZEROES_PTR; 4606 af = dsa->sin_family; 4607 switch (af) { 4608 case AF_INET: 4609 if (src != NULL) 4610 srcaddr = (uint32_t *)(&ssa->sin_addr); 4611 dstaddr = (uint32_t *)(&dsa->sin_addr); 4612 break; 4613 case AF_INET6: 4614 if (src != NULL) 4615 srcaddr = (uint32_t *)(&ssa6->sin6_addr); 4616 dstaddr = (uint32_t *)(&dsa6->sin6_addr); 4617 break; 4618 default: 4619 *diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 4620 return ((ipsa_t *)-1); 4621 } 4622 4623 if (master_spi < min || master_spi > max) { 4624 /* Return a random value in the range. */ 4625 (void) random_get_pseudo_bytes((uint8_t *)&add, sizeof (add)); 4626 master_spi = min + (add % (max - min + 1)); 4627 } 4628 4629 /* 4630 * Since master_spi is passed in host order, we need to htonl() it 4631 * for the purposes of creating a new SA. 4632 */ 4633 return (sadb_makelarvalassoc(htonl(master_spi), srcaddr, dstaddr, af)); 4634 } 4635 4636 /* 4637 * 4638 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the 4639 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list 4640 * and scan for the sequence number in question. I may wish to accept an 4641 * address pair with it, for easier searching. 4642 * 4643 * Caller frees the message, so we don't have to here. 4644 * 4645 * NOTE: The ip_q parameter may be used in the future for ACQUIRE 4646 * failures. 4647 */ 4648 /* ARGSUSED */ 4649 void 4650 sadb_in_acquire(sadb_msg_t *samsg, sadbp_t *sp, queue_t *ip_q) 4651 { 4652 int i; 4653 ipsacq_t *acqrec; 4654 iacqf_t *bucket; 4655 4656 /* 4657 * I only accept the base header for this! 4658 * Though to be honest, requiring the dst address would help 4659 * immensely. 4660 * 4661 * XXX There are already cases where I can get the dst address. 4662 */ 4663 if (samsg->sadb_msg_len > SADB_8TO64(sizeof (*samsg))) 4664 return; 4665 4666 /* 4667 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it, 4668 * (and in the future send a message to IP with the appropriate error 4669 * number). 4670 * 4671 * Q: Do I want to reject if pid != 0? 4672 */ 4673 4674 for (i = 0; i < sp->s_v4.sdb_hashsize; i++) { 4675 bucket = &sp->s_v4.sdb_acq[i]; 4676 mutex_enter(&bucket->iacqf_lock); 4677 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 4678 acqrec = acqrec->ipsacq_next) { 4679 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 4680 break; /* for acqrec... loop. */ 4681 } 4682 if (acqrec != NULL) 4683 break; /* for i = 0... loop. */ 4684 4685 mutex_exit(&bucket->iacqf_lock); 4686 } 4687 4688 if (acqrec == NULL) { 4689 for (i = 0; i < sp->s_v6.sdb_hashsize; i++) { 4690 bucket = &sp->s_v6.sdb_acq[i]; 4691 mutex_enter(&bucket->iacqf_lock); 4692 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 4693 acqrec = acqrec->ipsacq_next) { 4694 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 4695 break; /* for acqrec... loop. */ 4696 } 4697 if (acqrec != NULL) 4698 break; /* for i = 0... loop. */ 4699 4700 mutex_exit(&bucket->iacqf_lock); 4701 } 4702 } 4703 4704 4705 if (acqrec == NULL) 4706 return; 4707 4708 /* 4709 * What do I do with the errno and IP? I may need mp's services a 4710 * little more. See sadb_destroy_acquire() for future directions 4711 * beyond free the mblk chain on the acquire record. 4712 */ 4713 4714 ASSERT(&bucket->iacqf_lock == acqrec->ipsacq_linklock); 4715 sadb_destroy_acquire(acqrec); 4716 /* Have to exit mutex here, because of breaking out of for loop. */ 4717 mutex_exit(&bucket->iacqf_lock); 4718 } 4719 4720 /* 4721 * The following functions work with the replay windows of an SA. They assume 4722 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector 4723 * represents the highest sequence number packet received, and back 4724 * (ipsa->ipsa_replay_wsize) packets. 4725 */ 4726 4727 /* 4728 * Is the replay bit set? 4729 */ 4730 static boolean_t 4731 ipsa_is_replay_set(ipsa_t *ipsa, uint32_t offset) 4732 { 4733 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 4734 4735 return ((bit & ipsa->ipsa_replay_arr[offset >> 6]) ? B_TRUE : B_FALSE); 4736 } 4737 4738 /* 4739 * Shift the bits of the replay window over. 4740 */ 4741 static void 4742 ipsa_shift_replay(ipsa_t *ipsa, uint32_t shift) 4743 { 4744 int i; 4745 int jump = ((shift - 1) >> 6) + 1; 4746 4747 if (shift == 0) 4748 return; 4749 4750 for (i = (ipsa->ipsa_replay_wsize - 1) >> 6; i >= 0; i--) { 4751 if (i + jump <= (ipsa->ipsa_replay_wsize - 1) >> 6) { 4752 ipsa->ipsa_replay_arr[i + jump] |= 4753 ipsa->ipsa_replay_arr[i] >> (64 - (shift & 63)); 4754 } 4755 ipsa->ipsa_replay_arr[i] <<= shift; 4756 } 4757 } 4758 4759 /* 4760 * Set a bit in the bit vector. 4761 */ 4762 static void 4763 ipsa_set_replay(ipsa_t *ipsa, uint32_t offset) 4764 { 4765 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 4766 4767 ipsa->ipsa_replay_arr[offset >> 6] |= bit; 4768 } 4769 4770 #define SADB_MAX_REPLAY_VALUE 0xffffffff 4771 4772 /* 4773 * Assume caller has NOT done ntohl() already on seq. Check to see 4774 * if replay sequence number "seq" has been seen already. 4775 */ 4776 boolean_t 4777 sadb_replay_check(ipsa_t *ipsa, uint32_t seq) 4778 { 4779 boolean_t rc; 4780 uint32_t diff; 4781 4782 if (ipsa->ipsa_replay_wsize == 0) 4783 return (B_TRUE); 4784 4785 /* 4786 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek(). 4787 */ 4788 4789 /* Convert sequence number into host order before holding the mutex. */ 4790 seq = ntohl(seq); 4791 4792 mutex_enter(&ipsa->ipsa_lock); 4793 4794 /* Initialize inbound SA's ipsa_replay field to last one received. */ 4795 if (ipsa->ipsa_replay == 0) 4796 ipsa->ipsa_replay = 1; 4797 4798 if (seq > ipsa->ipsa_replay) { 4799 /* 4800 * I have received a new "highest value received". Shift 4801 * the replay window over. 4802 */ 4803 diff = seq - ipsa->ipsa_replay; 4804 if (diff < ipsa->ipsa_replay_wsize) { 4805 /* In replay window, shift bits over. */ 4806 ipsa_shift_replay(ipsa, diff); 4807 } else { 4808 /* WAY FAR AHEAD, clear bits and start again. */ 4809 bzero(ipsa->ipsa_replay_arr, 4810 sizeof (ipsa->ipsa_replay_arr)); 4811 } 4812 ipsa_set_replay(ipsa, 0); 4813 ipsa->ipsa_replay = seq; 4814 rc = B_TRUE; 4815 goto done; 4816 } 4817 diff = ipsa->ipsa_replay - seq; 4818 if (diff >= ipsa->ipsa_replay_wsize || ipsa_is_replay_set(ipsa, diff)) { 4819 rc = B_FALSE; 4820 goto done; 4821 } 4822 /* Set this packet as seen. */ 4823 ipsa_set_replay(ipsa, diff); 4824 4825 rc = B_TRUE; 4826 done: 4827 mutex_exit(&ipsa->ipsa_lock); 4828 return (rc); 4829 } 4830 4831 /* 4832 * "Peek" and see if we should even bother going through the effort of 4833 * running an authentication check on the sequence number passed in. 4834 * this takes into account packets that are below the replay window, 4835 * and collisions with already replayed packets. Return B_TRUE if it 4836 * is okay to proceed, B_FALSE if this packet should be dropped immeidately. 4837 * Assume same byte-ordering as sadb_replay_check. 4838 */ 4839 boolean_t 4840 sadb_replay_peek(ipsa_t *ipsa, uint32_t seq) 4841 { 4842 boolean_t rc = B_FALSE; 4843 uint32_t diff; 4844 4845 if (ipsa->ipsa_replay_wsize == 0) 4846 return (B_TRUE); 4847 4848 /* 4849 * 0 is 0, regardless of byte order... :) 4850 * 4851 * If I get 0 on the wire (and there is a replay window) then the 4852 * sender most likely wrapped. This ipsa may need to be marked or 4853 * something. 4854 */ 4855 if (seq == 0) 4856 return (B_FALSE); 4857 4858 seq = ntohl(seq); 4859 mutex_enter(&ipsa->ipsa_lock); 4860 if (seq < ipsa->ipsa_replay - ipsa->ipsa_replay_wsize && 4861 ipsa->ipsa_replay >= ipsa->ipsa_replay_wsize) 4862 goto done; 4863 4864 /* 4865 * If I've hit 0xffffffff, then quite honestly, I don't need to 4866 * bother with formalities. I'm not accepting any more packets 4867 * on this SA. 4868 */ 4869 if (ipsa->ipsa_replay == SADB_MAX_REPLAY_VALUE) { 4870 /* 4871 * Since we're already holding the lock, update the 4872 * expire time ala. sadb_replay_delete() and return. 4873 */ 4874 ipsa->ipsa_hardexpiretime = (time_t)1; 4875 goto done; 4876 } 4877 4878 if (seq <= ipsa->ipsa_replay) { 4879 /* 4880 * This seq is in the replay window. I'm not below it, 4881 * because I already checked for that above! 4882 */ 4883 diff = ipsa->ipsa_replay - seq; 4884 if (ipsa_is_replay_set(ipsa, diff)) 4885 goto done; 4886 } 4887 /* Else return B_TRUE, I'm going to advance the window. */ 4888 4889 rc = B_TRUE; 4890 done: 4891 mutex_exit(&ipsa->ipsa_lock); 4892 return (rc); 4893 } 4894 4895 /* 4896 * Delete a single SA. 4897 * 4898 * For now, use the quick-and-dirty trick of making the association's 4899 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager(). 4900 */ 4901 void 4902 sadb_replay_delete(ipsa_t *assoc) 4903 { 4904 mutex_enter(&assoc->ipsa_lock); 4905 assoc->ipsa_hardexpiretime = (time_t)1; 4906 mutex_exit(&assoc->ipsa_lock); 4907 } 4908 4909 /* 4910 * Given a queue that presumably points to IP, send a T_BIND_REQ for _proto_ 4911 * down. The caller will handle the T_BIND_ACK locally. 4912 */ 4913 boolean_t 4914 sadb_t_bind_req(queue_t *q, int proto) 4915 { 4916 struct T_bind_req *tbr; 4917 mblk_t *mp; 4918 4919 mp = allocb(sizeof (struct T_bind_req) + 1, BPRI_HI); 4920 if (mp == NULL) { 4921 /* cmn_err(CE_WARN, */ 4922 /* "sadb_t_bind_req(%d): couldn't allocate mblk\n", proto); */ 4923 return (B_FALSE); 4924 } 4925 mp->b_datap->db_type = M_PCPROTO; 4926 tbr = (struct T_bind_req *)mp->b_rptr; 4927 mp->b_wptr += sizeof (struct T_bind_req); 4928 tbr->PRIM_type = T_BIND_REQ; 4929 tbr->ADDR_length = 0; 4930 tbr->ADDR_offset = 0; 4931 tbr->CONIND_number = 0; 4932 *mp->b_wptr = (uint8_t)proto; 4933 mp->b_wptr++; 4934 4935 putnext(q, mp); 4936 return (B_TRUE); 4937 } 4938 4939 /* 4940 * Special front-end to ipsec_rl_strlog() dealing with SA failure. 4941 * this is designed to take only a format string with "* %x * %s *", so 4942 * that "spi" is printed first, then "addr" is converted using inet_pton(). 4943 * 4944 * This is abstracted out to save the stack space for only when inet_pton() 4945 * is called. Make sure "spi" is in network order; it usually is when this 4946 * would get called. 4947 */ 4948 void 4949 ipsec_assocfailure(short mid, short sid, char level, ushort_t sl, char *fmt, 4950 uint32_t spi, void *addr, int af) 4951 { 4952 char buf[INET6_ADDRSTRLEN]; 4953 4954 ASSERT(af == AF_INET6 || af == AF_INET); 4955 4956 ipsec_rl_strlog(mid, sid, level, sl, fmt, ntohl(spi), 4957 inet_ntop(af, addr, buf, sizeof (buf))); 4958 } 4959 4960 /* 4961 * Fills in a reference to the policy, if any, from the conn, in *ppp 4962 * Releases a reference to the passed conn_t. 4963 */ 4964 4965 /* ARGSUSED */ 4966 static void 4967 ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp, 4968 ipsec_action_t **app) 4969 { 4970 ipsec_policy_t *pp; 4971 ipsec_latch_t *ipl = connp->conn_latch; 4972 4973 if ((ipl != NULL) && (ipl->ipl_out_policy != NULL)) { 4974 pp = ipl->ipl_out_policy; 4975 IPPOL_REFHOLD(pp); 4976 } else { 4977 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel); 4978 } 4979 *ppp = pp; 4980 CONN_DEC_REF(connp); 4981 } 4982 4983 /* 4984 * The following functions scan through active conn_t structures 4985 * and return a reference to the best-matching policy it can find. 4986 * Caller must release the reference. 4987 */ 4988 static void 4989 ipsec_udp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ipsec_action_t **app) 4990 { 4991 connf_t *connfp; 4992 conn_t *connp = NULL; 4993 ipsec_selector_t portonly; 4994 4995 bzero((void*)&portonly, sizeof (portonly)); 4996 4997 if (sel->ips_local_port == 0) 4998 return; 4999 5000 connfp = &ipcl_udp_fanout[IPCL_UDP_HASH(sel->ips_local_port)]; 5001 mutex_enter(&connfp->connf_lock); 5002 5003 if (sel->ips_isv4) { 5004 connp = connfp->connf_head; 5005 while (connp != NULL) { 5006 if (IPCL_UDP_MATCH(connp, sel->ips_local_port, 5007 sel->ips_local_addr_v4, sel->ips_remote_port, 5008 sel->ips_remote_addr_v4)) 5009 break; 5010 connp = connp->conn_next; 5011 } 5012 5013 if (connp == NULL) { 5014 /* Try port-only match in IPv6. */ 5015 portonly.ips_local_port = sel->ips_local_port; 5016 sel = &portonly; 5017 } 5018 } 5019 5020 if (connp == NULL) { 5021 connp = connfp->connf_head; 5022 while (connp != NULL) { 5023 if (IPCL_UDP_MATCH_V6(connp, sel->ips_local_port, 5024 sel->ips_local_addr_v6, sel->ips_remote_port, 5025 sel->ips_remote_addr_v6)) 5026 break; 5027 connp = connp->conn_next; 5028 } 5029 5030 if (connp == NULL) { 5031 mutex_exit(&connfp->connf_lock); 5032 return; 5033 } 5034 } 5035 5036 CONN_INC_REF(connp); 5037 mutex_exit(&connfp->connf_lock); 5038 5039 ipsec_conn_pol(sel, connp, ppp, app); 5040 } 5041 5042 static conn_t * 5043 ipsec_find_listen_conn(uint16_t *pptr, ipsec_selector_t *sel) 5044 { 5045 connf_t *connfp; 5046 conn_t *connp = NULL; 5047 const in6_addr_t *v6addrmatch = &sel->ips_local_addr_v6; 5048 5049 if (sel->ips_local_port == 0) 5050 return (NULL); 5051 5052 connfp = &ipcl_bind_fanout[IPCL_BIND_HASH(sel->ips_local_port)]; 5053 mutex_enter(&connfp->connf_lock); 5054 5055 if (sel->ips_isv4) { 5056 connp = connfp->connf_head; 5057 while (connp != NULL) { 5058 if (IPCL_BIND_MATCH(connp, IPPROTO_TCP, 5059 sel->ips_local_addr_v4, pptr[1])) 5060 break; 5061 connp = connp->conn_next; 5062 } 5063 5064 if (connp == NULL) { 5065 /* Match to all-zeroes. */ 5066 v6addrmatch = &ipv6_all_zeros; 5067 } 5068 } 5069 5070 if (connp == NULL) { 5071 connp = connfp->connf_head; 5072 while (connp != NULL) { 5073 if (IPCL_BIND_MATCH_V6(connp, IPPROTO_TCP, 5074 *v6addrmatch, pptr[1])) 5075 break; 5076 connp = connp->conn_next; 5077 } 5078 5079 if (connp == NULL) { 5080 mutex_exit(&connfp->connf_lock); 5081 return (NULL); 5082 } 5083 } 5084 5085 CONN_INC_REF(connp); 5086 mutex_exit(&connfp->connf_lock); 5087 return (connp); 5088 } 5089 5090 static void 5091 ipsec_tcp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ipsec_action_t **app) 5092 { 5093 connf_t *connfp; 5094 conn_t *connp; 5095 uint32_t ports; 5096 uint16_t *pptr = (uint16_t *)&ports; 5097 5098 /* 5099 * Find TCP state in the following order: 5100 * 1.) Connected conns. 5101 * 2.) Listeners. 5102 * 5103 * Even though #2 will be the common case for inbound traffic, only 5104 * following this order insures correctness. 5105 */ 5106 5107 if (sel->ips_local_port == 0) 5108 return; 5109 5110 /* 5111 * 0 should be fport, 1 should be lport. SRC is the local one here. 5112 * See ipsec_construct_inverse_acquire() for details. 5113 */ 5114 pptr[0] = sel->ips_remote_port; 5115 pptr[1] = sel->ips_local_port; 5116 5117 connfp = &ipcl_conn_fanout[IPCL_CONN_HASH(sel->ips_remote_addr_v4, 5118 ports)]; 5119 mutex_enter(&connfp->connf_lock); 5120 connp = connfp->connf_head; 5121 5122 if (sel->ips_isv4) { 5123 while (connp != NULL) { 5124 if (IPCL_CONN_MATCH(connp, IPPROTO_TCP, 5125 sel->ips_remote_addr_v4, sel->ips_local_addr_v4, 5126 ports)) 5127 break; 5128 connp = connp->conn_next; 5129 } 5130 } else { 5131 while (connp != NULL) { 5132 if (IPCL_CONN_MATCH_V6(connp, IPPROTO_TCP, 5133 sel->ips_remote_addr_v6, sel->ips_local_addr_v6, 5134 ports)) 5135 break; 5136 connp = connp->conn_next; 5137 } 5138 } 5139 5140 if (connp != NULL) { 5141 CONN_INC_REF(connp); 5142 mutex_exit(&connfp->connf_lock); 5143 } else { 5144 mutex_exit(&connfp->connf_lock); 5145 5146 /* Try the listen hash. */ 5147 if ((connp = ipsec_find_listen_conn(pptr, sel)) == NULL) 5148 return; 5149 } 5150 5151 ipsec_conn_pol(sel, connp, ppp, app); 5152 } 5153 5154 static void 5155 ipsec_sctp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 5156 ipsec_action_t **app) 5157 { 5158 conn_t *connp; 5159 uint32_t ports; 5160 uint16_t *pptr = (uint16_t *)&ports; 5161 5162 /* 5163 * Find SCP state in the following order: 5164 * 1.) Connected conns. 5165 * 2.) Listeners. 5166 * 5167 * Even though #2 will be the common case for inbound traffic, only 5168 * following this order insures correctness. 5169 */ 5170 5171 if (sel->ips_local_port == 0) 5172 return; 5173 5174 /* 5175 * 0 should be fport, 1 should be lport. SRC is the local one here. 5176 * See ipsec_construct_inverse_acquire() for details. 5177 */ 5178 pptr[0] = sel->ips_remote_port; 5179 pptr[1] = sel->ips_local_port; 5180 5181 if (sel->ips_isv4) { 5182 in6_addr_t src, dst; 5183 5184 IN6_IPADDR_TO_V4MAPPED(sel->ips_remote_addr_v4, &dst); 5185 IN6_IPADDR_TO_V4MAPPED(sel->ips_local_addr_v4, &src); 5186 connp = sctp_find_conn(&dst, &src, ports, 0, ALL_ZONES); 5187 } else { 5188 connp = sctp_find_conn(&sel->ips_remote_addr_v6, 5189 &sel->ips_local_addr_v6, ports, 0, ALL_ZONES); 5190 } 5191 if (connp == NULL) 5192 return; 5193 ipsec_conn_pol(sel, connp, ppp, app); 5194 } 5195 5196 static void 5197 ipsec_oth_pol(ipsec_selector_t *sel, 5198 ipsec_policy_t **ppp, ipsec_action_t **app) 5199 { 5200 boolean_t isv4 = sel->ips_isv4; 5201 connf_t *connfp; 5202 conn_t *connp; 5203 5204 if (isv4) { 5205 connfp = &ipcl_proto_fanout[sel->ips_protocol]; 5206 } else { 5207 connfp = &ipcl_proto_fanout_v6[sel->ips_protocol]; 5208 } 5209 5210 mutex_enter(&connfp->connf_lock); 5211 for (connp = connfp->connf_head; connp != NULL; 5212 connp = connp->conn_next) { 5213 if (!((isv4 && !((connp->conn_src == 0 || 5214 connp->conn_src == sel->ips_local_addr_v4) && 5215 (connp->conn_rem == 0 || 5216 connp->conn_rem == sel->ips_remote_addr_v4))) || 5217 (!isv4 && !((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_srcv6) || 5218 IN6_ARE_ADDR_EQUAL(&connp->conn_srcv6, 5219 &sel->ips_local_addr_v6)) && 5220 (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_remv6) || 5221 IN6_ARE_ADDR_EQUAL(&connp->conn_remv6, 5222 &sel->ips_remote_addr_v6)))))) { 5223 break; 5224 } 5225 } 5226 if (connp == NULL) { 5227 mutex_exit(&connfp->connf_lock); 5228 return; 5229 } 5230 5231 CONN_INC_REF(connp); 5232 mutex_exit(&connfp->connf_lock); 5233 5234 ipsec_conn_pol(sel, connp, ppp, app); 5235 } 5236 5237 /* 5238 * Construct an inverse ACQUIRE reply based on: 5239 * 5240 * 1.) Current global policy. 5241 * 2.) An conn_t match depending on what all was passed in the extv[]. 5242 * ... 5243 * N.) Other stuff TBD (e.g. identities) 5244 * 5245 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic 5246 * in this function so the caller can extract them where appropriately. 5247 * 5248 * The SRC address is the local one - just like an outbound ACQUIRE message. 5249 */ 5250 mblk_t * 5251 ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[]) 5252 { 5253 int err; 5254 int diagnostic; 5255 sadb_address_t *srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC], 5256 *dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST]; 5257 struct sockaddr_in *src, *dst; 5258 struct sockaddr_in6 *src6, *dst6; 5259 ipsec_policy_t *pp; 5260 ipsec_action_t *ap; 5261 ipsec_selector_t sel; 5262 mblk_t *retmp; 5263 5264 bzero(&sel, sizeof (sel)); 5265 sel.ips_protocol = srcext->sadb_address_proto; 5266 dst = (struct sockaddr_in *)(dstext + 1); 5267 if (dst->sin_family == AF_INET6) { 5268 dst6 = (struct sockaddr_in6 *)dst; 5269 src6 = (struct sockaddr_in6 *)(srcext + 1); 5270 if (src6->sin6_family != AF_INET6) { 5271 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 5272 err = EINVAL; 5273 goto bail; 5274 } 5275 sel.ips_remote_addr_v6 = dst6->sin6_addr; 5276 sel.ips_local_addr_v6 = src6->sin6_addr; 5277 if (sel.ips_protocol == IPPROTO_ICMPV6) { 5278 sel.ips_is_icmp_inv_acq = 1; 5279 } else { 5280 sel.ips_remote_port = dst6->sin6_port; 5281 sel.ips_local_port = src6->sin6_port; 5282 } 5283 sel.ips_isv4 = B_FALSE; 5284 } else { 5285 src = (struct sockaddr_in *)(srcext + 1); 5286 if (src->sin_family != AF_INET) { 5287 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 5288 err = EINVAL; 5289 goto bail; 5290 } 5291 sel.ips_remote_addr_v4 = dst->sin_addr.s_addr; 5292 sel.ips_local_addr_v4 = src->sin_addr.s_addr; 5293 if (sel.ips_protocol == IPPROTO_ICMP) { 5294 sel.ips_is_icmp_inv_acq = 1; 5295 } else { 5296 sel.ips_remote_port = dst->sin_port; 5297 sel.ips_local_port = src->sin_port; 5298 } 5299 sel.ips_isv4 = B_TRUE; 5300 } 5301 5302 /* 5303 * Okay, we have the addresses and other selector information. 5304 * Let's first find a conn... 5305 */ 5306 pp = NULL; ap = NULL; 5307 switch (sel.ips_protocol) { 5308 case IPPROTO_TCP: 5309 ipsec_tcp_pol(&sel, &pp, &ap); 5310 break; 5311 case IPPROTO_UDP: 5312 ipsec_udp_pol(&sel, &pp, &ap); 5313 break; 5314 case IPPROTO_SCTP: 5315 ipsec_sctp_pol(&sel, &pp, &ap); 5316 break; 5317 default: 5318 ipsec_oth_pol(&sel, &pp, &ap); 5319 break; 5320 } 5321 5322 /* 5323 * If we didn't find a matching conn_t, take a look in the global 5324 * policy. 5325 */ 5326 if ((pp == NULL) && (ap == NULL)) { 5327 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, NULL, &sel); 5328 if (pp == NULL) { 5329 /* There's no global policy. */ 5330 err = ENOENT; 5331 diagnostic = 0; 5332 goto bail; 5333 } 5334 } 5335 5336 /* 5337 * Now that we have a policy entry/widget, construct an ACQUIRE 5338 * message based on that, fix fields where appropriate, 5339 * and return the message. 5340 */ 5341 retmp = sadb_extended_acquire(&sel, pp, ap, samsg->sadb_msg_seq, 5342 samsg->sadb_msg_pid); 5343 if (pp != NULL) { 5344 IPPOL_REFRELE(pp); 5345 } 5346 if (ap != NULL) { 5347 IPACT_REFRELE(ap); 5348 } 5349 if (retmp != NULL) { 5350 return (retmp); 5351 } else { 5352 err = ENOMEM; 5353 diagnostic = 0; 5354 bail: 5355 samsg->sadb_msg_errno = (uint8_t)err; 5356 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 5357 return (NULL); 5358 } 5359 } 5360 5361 /* 5362 * ipsa_lpkt is a one-element queue, only manipulated by casptr within 5363 * the next two functions. 5364 * 5365 * These functions loop calling casptr() until the swap "happens", 5366 * turning a compare-and-swap op into an atomic swap operation. 5367 */ 5368 5369 /* 5370 * sadb_set_lpkt: Atomically swap in a value to ipsa->ipsa_lpkt and 5371 * freemsg the previous value. free clue: freemsg(NULL) is safe. 5372 */ 5373 5374 void 5375 sadb_set_lpkt(ipsa_t *ipsa, mblk_t *npkt) 5376 { 5377 mblk_t *opkt; 5378 5379 membar_producer(); 5380 do 5381 opkt = ipsa->ipsa_lpkt; 5382 while (casptr(&ipsa->ipsa_lpkt, opkt, npkt) != opkt); 5383 5384 ip_drop_packet(opkt, B_TRUE, NULL, NULL, &ipdrops_sadb_inlarval_replace, 5385 &sadb_dropper); 5386 } 5387 5388 /* 5389 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the 5390 * previous value. 5391 */ 5392 5393 mblk_t * 5394 sadb_clear_lpkt(ipsa_t *ipsa) 5395 { 5396 mblk_t *opkt; 5397 5398 do 5399 opkt = ipsa->ipsa_lpkt; 5400 while (casptr(&ipsa->ipsa_lpkt, opkt, NULL) != opkt); 5401 5402 return (opkt); 5403 } 5404 5405 /* 5406 * Walker callback used by sadb_alg_update() to free/create crypto 5407 * context template when a crypto software provider is removed or 5408 * added. 5409 */ 5410 5411 struct sadb_update_alg_state { 5412 ipsec_algtype_t alg_type; 5413 uint8_t alg_id; 5414 boolean_t is_added; 5415 }; 5416 5417 static void 5418 sadb_alg_update_cb(isaf_t *head, ipsa_t *entry, void *cookie) 5419 { 5420 struct sadb_update_alg_state *update_state = 5421 (struct sadb_update_alg_state *)cookie; 5422 crypto_ctx_template_t *ctx_tmpl = NULL; 5423 5424 ASSERT(MUTEX_HELD(&head->isaf_lock)); 5425 5426 if (entry->ipsa_state == IPSA_STATE_LARVAL) 5427 return; 5428 5429 mutex_enter(&entry->ipsa_lock); 5430 5431 switch (update_state->alg_type) { 5432 case IPSEC_ALG_AUTH: 5433 if (entry->ipsa_auth_alg == update_state->alg_id) 5434 ctx_tmpl = &entry->ipsa_authtmpl; 5435 break; 5436 case IPSEC_ALG_ENCR: 5437 if (entry->ipsa_encr_alg == update_state->alg_id) 5438 ctx_tmpl = &entry->ipsa_encrtmpl; 5439 break; 5440 default: 5441 ctx_tmpl = NULL; 5442 } 5443 5444 if (ctx_tmpl == NULL) { 5445 mutex_exit(&entry->ipsa_lock); 5446 return; 5447 } 5448 5449 /* 5450 * The context template of the SA may be affected by the change 5451 * of crypto provider. 5452 */ 5453 if (update_state->is_added) { 5454 /* create the context template if not already done */ 5455 if (*ctx_tmpl == NULL) { 5456 (void) ipsec_create_ctx_tmpl(entry, 5457 update_state->alg_type); 5458 } 5459 } else { 5460 /* 5461 * The crypto provider was removed. If the context template 5462 * exists but it is no longer valid, free it. 5463 */ 5464 if (*ctx_tmpl != NULL) 5465 ipsec_destroy_ctx_tmpl(entry, update_state->alg_type); 5466 } 5467 5468 mutex_exit(&entry->ipsa_lock); 5469 } 5470 5471 /* 5472 * Invoked by IP when an software crypto provider has been updated. 5473 * The type and id of the corresponding algorithm is passed as argument. 5474 * is_added is B_TRUE if the provider was added, B_FALSE if it was 5475 * removed. The function updates the SADB and free/creates the 5476 * context templates associated with SAs if needed. 5477 */ 5478 5479 #define SADB_ALG_UPDATE_WALK(sadb, table) \ 5480 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \ 5481 &update_state) 5482 5483 void 5484 sadb_alg_update(ipsec_algtype_t alg_type, uint8_t alg_id, boolean_t is_added) 5485 { 5486 struct sadb_update_alg_state update_state; 5487 5488 update_state.alg_type = alg_type; 5489 update_state.alg_id = alg_id; 5490 update_state.is_added = is_added; 5491 5492 if (alg_type == IPSEC_ALG_AUTH) { 5493 /* walk the AH tables only for auth. algorithm changes */ 5494 SADB_ALG_UPDATE_WALK(ah_sadb.s_v4, sdb_of); 5495 SADB_ALG_UPDATE_WALK(ah_sadb.s_v4, sdb_if); 5496 SADB_ALG_UPDATE_WALK(ah_sadb.s_v6, sdb_of); 5497 SADB_ALG_UPDATE_WALK(ah_sadb.s_v6, sdb_if); 5498 } 5499 5500 /* walk the ESP tables */ 5501 SADB_ALG_UPDATE_WALK(esp_sadb.s_v4, sdb_of); 5502 SADB_ALG_UPDATE_WALK(esp_sadb.s_v4, sdb_if); 5503 SADB_ALG_UPDATE_WALK(esp_sadb.s_v6, sdb_of); 5504 SADB_ALG_UPDATE_WALK(esp_sadb.s_v6, sdb_if); 5505 } 5506 5507 /* 5508 * Creates a context template for the specified SA. This function 5509 * is called when an SA is created and when a context template needs 5510 * to be created due to a change of software provider. 5511 */ 5512 int 5513 ipsec_create_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 5514 { 5515 ipsec_alginfo_t *alg; 5516 crypto_mechanism_t mech; 5517 crypto_key_t *key; 5518 crypto_ctx_template_t *sa_tmpl; 5519 int rv; 5520 5521 ASSERT(MUTEX_HELD(&alg_lock)); 5522 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 5523 5524 /* get pointers to the algorithm info, context template, and key */ 5525 switch (alg_type) { 5526 case IPSEC_ALG_AUTH: 5527 key = &sa->ipsa_kcfauthkey; 5528 sa_tmpl = &sa->ipsa_authtmpl; 5529 alg = ipsec_alglists[alg_type][sa->ipsa_auth_alg]; 5530 break; 5531 case IPSEC_ALG_ENCR: 5532 key = &sa->ipsa_kcfencrkey; 5533 sa_tmpl = &sa->ipsa_encrtmpl; 5534 alg = ipsec_alglists[alg_type][sa->ipsa_encr_alg]; 5535 break; 5536 default: 5537 alg = NULL; 5538 } 5539 5540 if (alg == NULL || !ALG_VALID(alg)) 5541 return (EINVAL); 5542 5543 /* initialize the mech info structure for the framework */ 5544 ASSERT(alg->alg_mech_type != CRYPTO_MECHANISM_INVALID); 5545 mech.cm_type = alg->alg_mech_type; 5546 mech.cm_param = NULL; 5547 mech.cm_param_len = 0; 5548 5549 /* create a new context template */ 5550 rv = crypto_create_ctx_template(&mech, key, sa_tmpl, KM_NOSLEEP); 5551 5552 /* 5553 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware 5554 * providers are available for that mechanism. In that case 5555 * we don't fail, and will generate the context template from 5556 * the framework callback when a software provider for that 5557 * mechanism registers. 5558 * 5559 * The context template is assigned the special value 5560 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a 5561 * lack of memory. No attempt will be made to use 5562 * the context template if it is set to this value. 5563 */ 5564 if (rv == CRYPTO_HOST_MEMORY) { 5565 *sa_tmpl = IPSEC_CTX_TMPL_ALLOC; 5566 } else if (rv != CRYPTO_SUCCESS) { 5567 *sa_tmpl = NULL; 5568 if (rv != CRYPTO_MECH_NOT_SUPPORTED) 5569 return (EINVAL); 5570 } 5571 5572 return (0); 5573 } 5574 5575 /* 5576 * Destroy the context template of the specified algorithm type 5577 * of the specified SA. Must be called while holding the SA lock. 5578 */ 5579 void 5580 ipsec_destroy_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 5581 { 5582 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 5583 5584 if (alg_type == IPSEC_ALG_AUTH) { 5585 if (sa->ipsa_authtmpl == IPSEC_CTX_TMPL_ALLOC) 5586 sa->ipsa_authtmpl = NULL; 5587 else if (sa->ipsa_authtmpl != NULL) { 5588 crypto_destroy_ctx_template(sa->ipsa_authtmpl); 5589 sa->ipsa_authtmpl = NULL; 5590 } 5591 } else { 5592 ASSERT(alg_type == IPSEC_ALG_ENCR); 5593 if (sa->ipsa_encrtmpl == IPSEC_CTX_TMPL_ALLOC) 5594 sa->ipsa_encrtmpl = NULL; 5595 else if (sa->ipsa_encrtmpl != NULL) { 5596 crypto_destroy_ctx_template(sa->ipsa_encrtmpl); 5597 sa->ipsa_encrtmpl = NULL; 5598 } 5599 } 5600 } 5601 5602 /* 5603 * Use the kernel crypto framework to check the validity of a key received 5604 * via keysock. Returns 0 if the key is OK, -1 otherwise. 5605 */ 5606 int 5607 ipsec_check_key(crypto_mech_type_t mech_type, sadb_key_t *sadb_key, 5608 boolean_t is_auth, int *diag) 5609 { 5610 crypto_mechanism_t mech; 5611 crypto_key_t crypto_key; 5612 int crypto_rc; 5613 5614 mech.cm_type = mech_type; 5615 mech.cm_param = NULL; 5616 mech.cm_param_len = 0; 5617 5618 crypto_key.ck_format = CRYPTO_KEY_RAW; 5619 crypto_key.ck_data = sadb_key + 1; 5620 crypto_key.ck_length = sadb_key->sadb_key_bits; 5621 5622 crypto_rc = crypto_key_check(&mech, &crypto_key); 5623 5624 switch (crypto_rc) { 5625 case CRYPTO_SUCCESS: 5626 return (0); 5627 case CRYPTO_MECHANISM_INVALID: 5628 case CRYPTO_MECH_NOT_SUPPORTED: 5629 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AALG : 5630 SADB_X_DIAGNOSTIC_BAD_EALG; 5631 break; 5632 case CRYPTO_KEY_SIZE_RANGE: 5633 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AKEYBITS : 5634 SADB_X_DIAGNOSTIC_BAD_EKEYBITS; 5635 break; 5636 case CRYPTO_WEAK_KEY: 5637 *diag = is_auth ? SADB_X_DIAGNOSTIC_WEAK_AKEY : 5638 SADB_X_DIAGNOSTIC_WEAK_EKEY; 5639 break; 5640 } 5641 5642 return (-1); 5643 } 5644 5645 /* ARGSUSED */ 5646 static void 5647 sadb_clear_timeouts_walker(isaf_t *head, ipsa_t *ipsa, void *q) 5648 { 5649 if (!(ipsa->ipsa_flags & IPSA_F_NATT)) 5650 return; 5651 5652 mutex_enter(&ipsa->ipsa_lock); 5653 if (ipsa->ipsa_natt_q != q) { 5654 mutex_exit(&ipsa->ipsa_lock); 5655 return; 5656 } 5657 5658 (void) quntimeout(ipsa->ipsa_natt_q, ipsa->ipsa_natt_ka_timer); 5659 5660 ipsa->ipsa_natt_ka_timer = 0; 5661 ipsa->ipsa_natt_q = NULL; 5662 mutex_exit(&ipsa->ipsa_lock); 5663 } 5664 5665 void 5666 sadb_clear_timeouts(queue_t *q) 5667 { 5668 sadb_t *sp = &esp_sadb.s_v4; 5669 5670 sadb_walker(sp->sdb_if, sp->sdb_hashsize, 5671 sadb_clear_timeouts_walker, q); 5672 } 5673