1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/stream.h> 28 #include <sys/stropts.h> 29 #include <sys/strsubr.h> 30 #include <sys/errno.h> 31 #include <sys/ddi.h> 32 #include <sys/debug.h> 33 #include <sys/cmn_err.h> 34 #include <sys/stream.h> 35 #include <sys/strlog.h> 36 #include <sys/kmem.h> 37 #include <sys/sunddi.h> 38 #include <sys/tihdr.h> 39 #include <sys/atomic.h> 40 #include <sys/socket.h> 41 #include <sys/sysmacros.h> 42 #include <sys/crypto/common.h> 43 #include <sys/crypto/api.h> 44 #include <sys/zone.h> 45 #include <netinet/in.h> 46 #include <net/if.h> 47 #include <net/pfkeyv2.h> 48 #include <inet/common.h> 49 #include <netinet/ip6.h> 50 #include <inet/ip.h> 51 #include <inet/ip_ire.h> 52 #include <inet/ip6.h> 53 #include <inet/ipsec_info.h> 54 #include <inet/tcp.h> 55 #include <inet/sadb.h> 56 #include <inet/ipsec_impl.h> 57 #include <inet/ipsecah.h> 58 #include <inet/ipsecesp.h> 59 #include <sys/random.h> 60 #include <sys/dlpi.h> 61 #include <sys/iphada.h> 62 #include <inet/ip_if.h> 63 #include <inet/ipdrop.h> 64 #include <inet/ipclassifier.h> 65 #include <inet/sctp_ip.h> 66 #include <inet/tun.h> 67 68 /* 69 * This source file contains Security Association Database (SADB) common 70 * routines. They are linked in with the AH module. Since AH has no chance 71 * of falling under export control, it was safe to link it in there. 72 */ 73 74 static mblk_t *sadb_extended_acquire(ipsec_selector_t *, ipsec_policy_t *, 75 ipsec_action_t *, boolean_t, uint32_t, uint32_t, netstack_t *); 76 static void sadb_ill_df(ill_t *, mblk_t *, isaf_t *, int, boolean_t); 77 static ipsa_t *sadb_torch_assoc(isaf_t *, ipsa_t *, boolean_t, mblk_t **); 78 static void sadb_drain_torchq(queue_t *, mblk_t *); 79 static void sadb_destroy_acqlist(iacqf_t **, uint_t, boolean_t, 80 netstack_t *); 81 static void sadb_destroy(sadb_t *, netstack_t *); 82 static mblk_t *sadb_sa2msg(ipsa_t *, sadb_msg_t *); 83 84 static time_t sadb_add_time(time_t, uint64_t); 85 static void lifetime_fuzz(ipsa_t *); 86 static void age_pair_peer_list(templist_t *, sadb_t *, boolean_t); 87 static void ipsa_set_replay(ipsa_t *ipsa, uint32_t offset); 88 89 extern void (*cl_inet_getspi)(netstackid_t stack_id, uint8_t protocol, 90 uint8_t *ptr, size_t len, void *args); 91 extern int (*cl_inet_checkspi)(netstackid_t stack_id, uint8_t protocol, 92 uint32_t spi, void *args); 93 extern void (*cl_inet_deletespi)(netstackid_t stack_id, uint8_t protocol, 94 uint32_t spi, void *args); 95 96 /* 97 * ipsacq_maxpackets is defined here to make it tunable 98 * from /etc/system. 99 */ 100 extern uint64_t ipsacq_maxpackets; 101 102 #define SET_EXPIRE(sa, delta, exp) { \ 103 if (((sa)->ipsa_ ## delta) != 0) { \ 104 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \ 105 (sa)->ipsa_ ## delta); \ 106 } \ 107 } 108 109 #define UPDATE_EXPIRE(sa, delta, exp) { \ 110 if (((sa)->ipsa_ ## delta) != 0) { \ 111 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \ 112 (sa)->ipsa_ ## delta); \ 113 if (((sa)->ipsa_ ## exp) == 0) \ 114 (sa)->ipsa_ ## exp = tmp; \ 115 else \ 116 (sa)->ipsa_ ## exp = \ 117 MIN((sa)->ipsa_ ## exp, tmp); \ 118 } \ 119 } 120 121 122 /* wrap the macro so we can pass it as a function pointer */ 123 void 124 sadb_sa_refrele(void *target) 125 { 126 IPSA_REFRELE(((ipsa_t *)target)); 127 } 128 129 /* 130 * We presume that sizeof (long) == sizeof (time_t) and that time_t is 131 * a signed type. 132 */ 133 #define TIME_MAX LONG_MAX 134 135 /* 136 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that 137 * time_t is defined to be a signed type with the same range as 138 * "long". On ILP32 systems, we thus run the risk of wrapping around 139 * at end of time, as well as "overwrapping" the clock back around 140 * into a seemingly valid but incorrect future date earlier than the 141 * desired expiration. 142 * 143 * In order to avoid odd behavior (either negative lifetimes or loss 144 * of high order bits) when someone asks for bizarrely long SA 145 * lifetimes, we do a saturating add for expire times. 146 * 147 * We presume that ILP32 systems will be past end of support life when 148 * the 32-bit time_t overflows (a dangerous assumption, mind you..). 149 * 150 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we 151 * will hopefully have figured out clever ways to avoid the use of 152 * fixed-sized integers in computation. 153 */ 154 static time_t 155 sadb_add_time(time_t base, uint64_t delta) 156 { 157 time_t sum; 158 159 /* 160 * Clip delta to the maximum possible time_t value to 161 * prevent "overwrapping" back into a shorter-than-desired 162 * future time. 163 */ 164 if (delta > TIME_MAX) 165 delta = TIME_MAX; 166 /* 167 * This sum may still overflow. 168 */ 169 sum = base + delta; 170 171 /* 172 * .. so if the result is less than the base, we overflowed. 173 */ 174 if (sum < base) 175 sum = TIME_MAX; 176 177 return (sum); 178 } 179 180 /* 181 * Callers of this function have already created a working security 182 * association, and have found the appropriate table & hash chain. All this 183 * function does is check duplicates, and insert the SA. The caller needs to 184 * hold the hash bucket lock and increment the refcnt before insertion. 185 * 186 * Return 0 if success, EEXIST if collision. 187 */ 188 #define SA_UNIQUE_MATCH(sa1, sa2) \ 189 (((sa1)->ipsa_unique_id & (sa1)->ipsa_unique_mask) == \ 190 ((sa2)->ipsa_unique_id & (sa2)->ipsa_unique_mask)) 191 192 int 193 sadb_insertassoc(ipsa_t *ipsa, isaf_t *bucket) 194 { 195 ipsa_t **ptpn = NULL; 196 ipsa_t *walker; 197 boolean_t unspecsrc; 198 199 ASSERT(MUTEX_HELD(&bucket->isaf_lock)); 200 201 unspecsrc = IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_srcaddr, ipsa->ipsa_addrfam); 202 203 walker = bucket->isaf_ipsa; 204 ASSERT(walker == NULL || ipsa->ipsa_addrfam == walker->ipsa_addrfam); 205 206 /* 207 * Find insertion point (pointed to with **ptpn). Insert at the head 208 * of the list unless there's an unspecified source address, then 209 * insert it after the last SA with a specified source address. 210 * 211 * BTW, you'll have to walk the whole chain, matching on {DST, SPI} 212 * checking for collisions. 213 */ 214 215 while (walker != NULL) { 216 if (IPSA_ARE_ADDR_EQUAL(walker->ipsa_dstaddr, 217 ipsa->ipsa_dstaddr, ipsa->ipsa_addrfam)) { 218 if (walker->ipsa_spi == ipsa->ipsa_spi) 219 return (EEXIST); 220 221 mutex_enter(&walker->ipsa_lock); 222 if (ipsa->ipsa_state == IPSA_STATE_MATURE && 223 (walker->ipsa_flags & IPSA_F_USED) && 224 SA_UNIQUE_MATCH(walker, ipsa)) { 225 walker->ipsa_flags |= IPSA_F_CINVALID; 226 } 227 mutex_exit(&walker->ipsa_lock); 228 } 229 230 if (ptpn == NULL && unspecsrc) { 231 if (IPSA_IS_ADDR_UNSPEC(walker->ipsa_srcaddr, 232 walker->ipsa_addrfam)) 233 ptpn = walker->ipsa_ptpn; 234 else if (walker->ipsa_next == NULL) 235 ptpn = &walker->ipsa_next; 236 } 237 238 walker = walker->ipsa_next; 239 } 240 241 if (ptpn == NULL) 242 ptpn = &bucket->isaf_ipsa; 243 ipsa->ipsa_next = *ptpn; 244 ipsa->ipsa_ptpn = ptpn; 245 if (ipsa->ipsa_next != NULL) 246 ipsa->ipsa_next->ipsa_ptpn = &ipsa->ipsa_next; 247 *ptpn = ipsa; 248 ipsa->ipsa_linklock = &bucket->isaf_lock; 249 250 return (0); 251 } 252 #undef SA_UNIQUE_MATCH 253 254 /* 255 * Free a security association. Its reference count is 0, which means 256 * I must free it. The SA must be unlocked and must not be linked into 257 * any fanout list. 258 */ 259 static void 260 sadb_freeassoc(ipsa_t *ipsa) 261 { 262 ipsec_stack_t *ipss = ipsa->ipsa_netstack->netstack_ipsec; 263 264 ASSERT(ipss != NULL); 265 ASSERT(MUTEX_NOT_HELD(&ipsa->ipsa_lock)); 266 ASSERT(ipsa->ipsa_refcnt == 0); 267 ASSERT(ipsa->ipsa_next == NULL); 268 ASSERT(ipsa->ipsa_ptpn == NULL); 269 270 mutex_enter(&ipsa->ipsa_lock); 271 /* Don't call sadb_clear_lpkt() since we hold the ipsa_lock anyway. */ 272 ip_drop_packet(ipsa->ipsa_lpkt, B_TRUE, NULL, NULL, 273 DROPPER(ipss, ipds_sadb_inlarval_timeout), 274 &ipss->ipsec_sadb_dropper); 275 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_AUTH); 276 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_ENCR); 277 mutex_exit(&ipsa->ipsa_lock); 278 279 /* bzero() these fields for paranoia's sake. */ 280 if (ipsa->ipsa_authkey != NULL) { 281 bzero(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 282 kmem_free(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 283 } 284 if (ipsa->ipsa_encrkey != NULL) { 285 bzero(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 286 kmem_free(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 287 } 288 if (ipsa->ipsa_src_cid != NULL) { 289 IPSID_REFRELE(ipsa->ipsa_src_cid); 290 } 291 if (ipsa->ipsa_dst_cid != NULL) { 292 IPSID_REFRELE(ipsa->ipsa_dst_cid); 293 } 294 if (ipsa->ipsa_integ != NULL) 295 kmem_free(ipsa->ipsa_integ, ipsa->ipsa_integlen); 296 if (ipsa->ipsa_sens != NULL) 297 kmem_free(ipsa->ipsa_sens, ipsa->ipsa_senslen); 298 299 mutex_destroy(&ipsa->ipsa_lock); 300 kmem_free(ipsa, sizeof (*ipsa)); 301 } 302 303 /* 304 * Unlink a security association from a hash bucket. Assume the hash bucket 305 * lock is held, but the association's lock is not. 306 * 307 * Note that we do not bump the bucket's generation number here because 308 * we might not be making a visible change to the set of visible SA's. 309 * All callers MUST bump the bucket's generation number before they unlock 310 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which 311 * was present in the bucket at the time it was locked. 312 */ 313 void 314 sadb_unlinkassoc(ipsa_t *ipsa) 315 { 316 ASSERT(ipsa->ipsa_linklock != NULL); 317 ASSERT(MUTEX_HELD(ipsa->ipsa_linklock)); 318 319 /* These fields are protected by the link lock. */ 320 *(ipsa->ipsa_ptpn) = ipsa->ipsa_next; 321 if (ipsa->ipsa_next != NULL) { 322 ipsa->ipsa_next->ipsa_ptpn = ipsa->ipsa_ptpn; 323 ipsa->ipsa_next = NULL; 324 } 325 326 ipsa->ipsa_ptpn = NULL; 327 328 /* This may destroy the SA. */ 329 IPSA_REFRELE(ipsa); 330 } 331 332 void 333 sadb_delete_cluster(ipsa_t *assoc) 334 { 335 uint8_t protocol; 336 337 if (cl_inet_deletespi && 338 ((assoc->ipsa_state == IPSA_STATE_LARVAL) || 339 (assoc->ipsa_state == IPSA_STATE_MATURE))) { 340 protocol = (assoc->ipsa_type == SADB_SATYPE_AH) ? 341 IPPROTO_AH : IPPROTO_ESP; 342 cl_inet_deletespi(assoc->ipsa_netstack->netstack_stackid, 343 protocol, assoc->ipsa_spi, NULL); 344 } 345 } 346 347 /* 348 * Create a larval security association with the specified SPI. All other 349 * fields are zeroed. 350 */ 351 static ipsa_t * 352 sadb_makelarvalassoc(uint32_t spi, uint32_t *src, uint32_t *dst, int addrfam, 353 netstack_t *ns) 354 { 355 ipsa_t *newbie; 356 357 /* 358 * Allocate... 359 */ 360 361 newbie = (ipsa_t *)kmem_zalloc(sizeof (ipsa_t), KM_NOSLEEP); 362 if (newbie == NULL) { 363 /* Can't make new larval SA. */ 364 return (NULL); 365 } 366 367 /* Assigned requested SPI, assume caller does SPI allocation magic. */ 368 newbie->ipsa_spi = spi; 369 newbie->ipsa_netstack = ns; /* No netstack_hold */ 370 371 /* 372 * Copy addresses... 373 */ 374 375 IPSA_COPY_ADDR(newbie->ipsa_srcaddr, src, addrfam); 376 IPSA_COPY_ADDR(newbie->ipsa_dstaddr, dst, addrfam); 377 378 newbie->ipsa_addrfam = addrfam; 379 380 /* 381 * Set common initialization values, including refcnt. 382 */ 383 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 384 newbie->ipsa_state = IPSA_STATE_LARVAL; 385 newbie->ipsa_refcnt = 1; 386 newbie->ipsa_freefunc = sadb_freeassoc; 387 388 /* 389 * There aren't a lot of other common initialization values, as 390 * they are copied in from the PF_KEY message. 391 */ 392 393 return (newbie); 394 } 395 396 /* 397 * Call me to initialize a security association fanout. 398 */ 399 static int 400 sadb_init_fanout(isaf_t **tablep, uint_t size, int kmflag) 401 { 402 isaf_t *table; 403 int i; 404 405 table = (isaf_t *)kmem_alloc(size * sizeof (*table), kmflag); 406 *tablep = table; 407 408 if (table == NULL) 409 return (ENOMEM); 410 411 for (i = 0; i < size; i++) { 412 mutex_init(&(table[i].isaf_lock), NULL, MUTEX_DEFAULT, NULL); 413 table[i].isaf_ipsa = NULL; 414 table[i].isaf_gen = 0; 415 } 416 417 return (0); 418 } 419 420 /* 421 * Call me to initialize an acquire fanout 422 */ 423 static int 424 sadb_init_acfanout(iacqf_t **tablep, uint_t size, int kmflag) 425 { 426 iacqf_t *table; 427 int i; 428 429 table = (iacqf_t *)kmem_alloc(size * sizeof (*table), kmflag); 430 *tablep = table; 431 432 if (table == NULL) 433 return (ENOMEM); 434 435 for (i = 0; i < size; i++) { 436 mutex_init(&(table[i].iacqf_lock), NULL, MUTEX_DEFAULT, NULL); 437 table[i].iacqf_ipsacq = NULL; 438 } 439 440 return (0); 441 } 442 443 /* 444 * Attempt to initialize an SADB instance. On failure, return ENOMEM; 445 * caller must clean up partial allocations. 446 */ 447 static int 448 sadb_init_trial(sadb_t *sp, uint_t size, int kmflag) 449 { 450 ASSERT(sp->sdb_of == NULL); 451 ASSERT(sp->sdb_if == NULL); 452 ASSERT(sp->sdb_acq == NULL); 453 454 sp->sdb_hashsize = size; 455 if (sadb_init_fanout(&sp->sdb_of, size, kmflag) != 0) 456 return (ENOMEM); 457 if (sadb_init_fanout(&sp->sdb_if, size, kmflag) != 0) 458 return (ENOMEM); 459 if (sadb_init_acfanout(&sp->sdb_acq, size, kmflag) != 0) 460 return (ENOMEM); 461 462 return (0); 463 } 464 465 /* 466 * Call me to initialize an SADB instance; fall back to default size on failure. 467 */ 468 static void 469 sadb_init(const char *name, sadb_t *sp, uint_t size, uint_t ver, 470 netstack_t *ns) 471 { 472 ASSERT(sp->sdb_of == NULL); 473 ASSERT(sp->sdb_if == NULL); 474 ASSERT(sp->sdb_acq == NULL); 475 476 if (size < IPSEC_DEFAULT_HASH_SIZE) 477 size = IPSEC_DEFAULT_HASH_SIZE; 478 479 if (sadb_init_trial(sp, size, KM_NOSLEEP) != 0) { 480 481 cmn_err(CE_WARN, 482 "Unable to allocate %u entry IPv%u %s SADB hash table", 483 size, ver, name); 484 485 sadb_destroy(sp, ns); 486 size = IPSEC_DEFAULT_HASH_SIZE; 487 cmn_err(CE_WARN, "Falling back to %d entries", size); 488 (void) sadb_init_trial(sp, size, KM_SLEEP); 489 } 490 } 491 492 493 /* 494 * Initialize an SADB-pair. 495 */ 496 void 497 sadbp_init(const char *name, sadbp_t *sp, int type, int size, netstack_t *ns) 498 { 499 sadb_init(name, &sp->s_v4, size, 4, ns); 500 sadb_init(name, &sp->s_v6, size, 6, ns); 501 502 sp->s_satype = type; 503 504 ASSERT((type == SADB_SATYPE_AH) || (type == SADB_SATYPE_ESP)); 505 if (type == SADB_SATYPE_AH) { 506 ipsec_stack_t *ipss = ns->netstack_ipsec; 507 508 ip_drop_register(&ipss->ipsec_sadb_dropper, "IPsec SADB"); 509 sp->s_addflags = AH_ADD_SETTABLE_FLAGS; 510 sp->s_updateflags = AH_UPDATE_SETTABLE_FLAGS; 511 } else { 512 sp->s_addflags = ESP_ADD_SETTABLE_FLAGS; 513 sp->s_updateflags = ESP_UPDATE_SETTABLE_FLAGS; 514 } 515 } 516 517 /* 518 * Deliver a single SADB_DUMP message representing a single SA. This is 519 * called many times by sadb_dump(). 520 * 521 * If the return value of this is ENOBUFS (not the same as ENOMEM), then 522 * the caller should take that as a hint that dupb() on the "original answer" 523 * failed, and that perhaps the caller should try again with a copyb()ed 524 * "original answer". 525 */ 526 static int 527 sadb_dump_deliver(queue_t *pfkey_q, mblk_t *original_answer, ipsa_t *ipsa, 528 sadb_msg_t *samsg) 529 { 530 mblk_t *answer; 531 532 answer = dupb(original_answer); 533 if (answer == NULL) 534 return (ENOBUFS); 535 answer->b_cont = sadb_sa2msg(ipsa, samsg); 536 if (answer->b_cont == NULL) { 537 freeb(answer); 538 return (ENOMEM); 539 } 540 541 /* Just do a putnext, and let keysock deal with flow control. */ 542 putnext(pfkey_q, answer); 543 return (0); 544 } 545 546 /* 547 * Common function to allocate and prepare a keysock_out_t M_CTL message. 548 */ 549 mblk_t * 550 sadb_keysock_out(minor_t serial) 551 { 552 mblk_t *mp; 553 keysock_out_t *kso; 554 555 mp = allocb(sizeof (ipsec_info_t), BPRI_HI); 556 if (mp != NULL) { 557 mp->b_datap->db_type = M_CTL; 558 mp->b_wptr += sizeof (ipsec_info_t); 559 kso = (keysock_out_t *)mp->b_rptr; 560 kso->ks_out_type = KEYSOCK_OUT; 561 kso->ks_out_len = sizeof (*kso); 562 kso->ks_out_serial = serial; 563 } 564 565 return (mp); 566 } 567 568 /* 569 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts 570 * to keysock. 571 */ 572 static int 573 sadb_dump_fanout(queue_t *pfkey_q, mblk_t *mp, minor_t serial, isaf_t *fanout, 574 int num_entries, boolean_t do_peers, time_t active_time) 575 { 576 int i, error = 0; 577 mblk_t *original_answer; 578 ipsa_t *walker; 579 sadb_msg_t *samsg; 580 time_t current; 581 582 /* 583 * For each IPSA hash bucket do: 584 * - Hold the mutex 585 * - Walk each entry, doing an sadb_dump_deliver() on it. 586 */ 587 ASSERT(mp->b_cont != NULL); 588 samsg = (sadb_msg_t *)mp->b_cont->b_rptr; 589 590 original_answer = sadb_keysock_out(serial); 591 if (original_answer == NULL) 592 return (ENOMEM); 593 594 current = gethrestime_sec(); 595 for (i = 0; i < num_entries; i++) { 596 mutex_enter(&fanout[i].isaf_lock); 597 for (walker = fanout[i].isaf_ipsa; walker != NULL; 598 walker = walker->ipsa_next) { 599 if (!do_peers && walker->ipsa_haspeer) 600 continue; 601 if ((active_time != 0) && 602 ((current - walker->ipsa_lastuse) > active_time)) 603 continue; 604 error = sadb_dump_deliver(pfkey_q, original_answer, 605 walker, samsg); 606 if (error == ENOBUFS) { 607 mblk_t *new_original_answer; 608 609 /* Ran out of dupb's. Try a copyb. */ 610 new_original_answer = copyb(original_answer); 611 if (new_original_answer == NULL) { 612 error = ENOMEM; 613 } else { 614 freeb(original_answer); 615 original_answer = new_original_answer; 616 error = sadb_dump_deliver(pfkey_q, 617 original_answer, walker, samsg); 618 } 619 } 620 if (error != 0) 621 break; /* out of for loop. */ 622 } 623 mutex_exit(&fanout[i].isaf_lock); 624 if (error != 0) 625 break; /* out of for loop. */ 626 } 627 628 freeb(original_answer); 629 return (error); 630 } 631 632 /* 633 * Dump an entire SADB; outbound first, then inbound. 634 */ 635 636 int 637 sadb_dump(queue_t *pfkey_q, mblk_t *mp, keysock_in_t *ksi, sadb_t *sp) 638 { 639 int error; 640 time_t active_time = 0; 641 sadb_x_edump_t *edump = 642 (sadb_x_edump_t *)ksi->ks_in_extv[SADB_X_EXT_EDUMP]; 643 644 if (edump != NULL) { 645 active_time = edump->sadb_x_edump_timeout; 646 } 647 648 /* Dump outbound */ 649 error = sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_of, 650 sp->sdb_hashsize, B_TRUE, active_time); 651 if (error) 652 return (error); 653 654 /* Dump inbound */ 655 return sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_if, 656 sp->sdb_hashsize, B_FALSE, active_time); 657 } 658 659 /* 660 * Generic sadb table walker. 661 * 662 * Call "walkfn" for each SA in each bucket in "table"; pass the 663 * bucket, the entry and "cookie" to the callback function. 664 * Take care to ensure that walkfn can delete the SA without screwing 665 * up our traverse. 666 * 667 * The bucket is locked for the duration of the callback, both so that the 668 * callback can just call sadb_unlinkassoc() when it wants to delete something, 669 * and so that no new entries are added while we're walking the list. 670 */ 671 static void 672 sadb_walker(isaf_t *table, uint_t numentries, 673 void (*walkfn)(isaf_t *head, ipsa_t *entry, void *cookie), 674 void *cookie) 675 { 676 int i; 677 for (i = 0; i < numentries; i++) { 678 ipsa_t *entry, *next; 679 680 mutex_enter(&table[i].isaf_lock); 681 682 for (entry = table[i].isaf_ipsa; entry != NULL; 683 entry = next) { 684 next = entry->ipsa_next; 685 (*walkfn)(&table[i], entry, cookie); 686 } 687 mutex_exit(&table[i].isaf_lock); 688 } 689 } 690 691 /* 692 * From the given SA, construct a dl_ct_ipsec_key and 693 * a dl_ct_ipsec structures to be sent to the adapter as part 694 * of a DL_CONTROL_REQ. 695 * 696 * ct_sa must point to the storage allocated for the key 697 * structure and must be followed by storage allocated 698 * for the SA information that must be sent to the driver 699 * as part of the DL_CONTROL_REQ request. 700 * 701 * The is_inbound boolean indicates whether the specified 702 * SA is part of an inbound SA table. 703 * 704 * Returns B_TRUE if the corresponding SA must be passed to 705 * a provider, B_FALSE otherwise; frees *mp if it returns B_FALSE. 706 */ 707 static boolean_t 708 sadb_req_from_sa(ipsa_t *sa, mblk_t *mp, boolean_t is_inbound) 709 { 710 dl_ct_ipsec_key_t *keyp; 711 dl_ct_ipsec_t *sap; 712 void *ct_sa = mp->b_wptr; 713 714 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 715 716 keyp = (dl_ct_ipsec_key_t *)(ct_sa); 717 sap = (dl_ct_ipsec_t *)(keyp + 1); 718 719 IPSECHW_DEBUG(IPSECHW_CAPAB, ("sadb_req_from_sa: " 720 "is_inbound = %d\n", is_inbound)); 721 722 /* initialize flag */ 723 sap->sadb_sa_flags = 0; 724 if (is_inbound) { 725 sap->sadb_sa_flags |= DL_CT_IPSEC_INBOUND; 726 /* 727 * If an inbound SA has a peer, then mark it has being 728 * an outbound SA as well. 729 */ 730 if (sa->ipsa_haspeer) 731 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 732 } else { 733 /* 734 * If an outbound SA has a peer, then don't send it, 735 * since we will send the copy from the inbound table. 736 */ 737 if (sa->ipsa_haspeer) { 738 freemsg(mp); 739 return (B_FALSE); 740 } 741 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 742 } 743 744 keyp->dl_key_spi = sa->ipsa_spi; 745 bcopy(sa->ipsa_dstaddr, keyp->dl_key_dest_addr, 746 DL_CTL_IPSEC_ADDR_LEN); 747 keyp->dl_key_addr_family = sa->ipsa_addrfam; 748 749 sap->sadb_sa_auth = sa->ipsa_auth_alg; 750 sap->sadb_sa_encrypt = sa->ipsa_encr_alg; 751 752 sap->sadb_key_len_a = sa->ipsa_authkeylen; 753 sap->sadb_key_bits_a = sa->ipsa_authkeybits; 754 bcopy(sa->ipsa_authkey, 755 sap->sadb_key_data_a, sap->sadb_key_len_a); 756 757 sap->sadb_key_len_e = sa->ipsa_encrkeylen; 758 sap->sadb_key_bits_e = sa->ipsa_encrkeybits; 759 bcopy(sa->ipsa_encrkey, 760 sap->sadb_key_data_e, sap->sadb_key_len_e); 761 762 mp->b_wptr += sizeof (dl_ct_ipsec_t) + sizeof (dl_ct_ipsec_key_t); 763 return (B_TRUE); 764 } 765 766 /* 767 * Called from AH or ESP to format a message which will be used to inform 768 * IPsec-acceleration-capable ills of a SADB change. 769 * (It is not possible to send the message to IP directly from this function 770 * since the SA, if any, is locked during the call). 771 * 772 * dl_operation: DL_CONTROL_REQ operation (add, delete, update, etc) 773 * sa_type: identifies whether the operation applies to AH or ESP 774 * (must be one of SADB_SATYPE_AH or SADB_SATYPE_ESP) 775 * sa: Pointer to an SA. Must be non-NULL and locked 776 * for ADD, DELETE, GET, and UPDATE operations. 777 * This function returns an mblk chain that must be passed to IP 778 * for forwarding to the IPsec capable providers. 779 */ 780 mblk_t * 781 sadb_fmt_sa_req(uint_t dl_operation, uint_t sa_type, ipsa_t *sa, 782 boolean_t is_inbound) 783 { 784 mblk_t *mp; 785 dl_control_req_t *ctrl; 786 boolean_t need_key = B_FALSE; 787 mblk_t *ctl_mp = NULL; 788 ipsec_ctl_t *ctl; 789 790 /* 791 * 1 allocate and initialize DL_CONTROL_REQ M_PROTO 792 * 2 if a key is needed for the operation 793 * 2.1 initialize key 794 * 2.2 if a full SA is needed for the operation 795 * 2.2.1 initialize full SA info 796 * 3 return message; caller will call ill_ipsec_capab_send_all() 797 * to send the resulting message to IPsec capable ills. 798 */ 799 800 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 801 802 /* 803 * Allocate DL_CONTROL_REQ M_PROTO 804 * We allocate room for the SA even if it's not needed 805 * by some of the operations (for example flush) 806 */ 807 mp = allocb(sizeof (dl_control_req_t) + 808 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 809 if (mp == NULL) 810 return (NULL); 811 mp->b_datap->db_type = M_PROTO; 812 813 /* initialize dl_control_req_t */ 814 ctrl = (dl_control_req_t *)mp->b_wptr; 815 ctrl->dl_primitive = DL_CONTROL_REQ; 816 ctrl->dl_operation = dl_operation; 817 ctrl->dl_type = sa_type == SADB_SATYPE_AH ? DL_CT_IPSEC_AH : 818 DL_CT_IPSEC_ESP; 819 ctrl->dl_key_offset = sizeof (dl_control_req_t); 820 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 821 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 822 sizeof (dl_ct_ipsec_key_t); 823 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 824 mp->b_wptr += sizeof (dl_control_req_t); 825 826 if ((dl_operation == DL_CO_SET) || (dl_operation == DL_CO_DELETE)) { 827 ASSERT(sa != NULL); 828 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 829 830 need_key = B_TRUE; 831 832 /* 833 * Initialize key and SA data. Note that for some 834 * operations the SA data is ignored by the provider 835 * (delete, etc.) 836 */ 837 if (!sadb_req_from_sa(sa, mp, is_inbound)) 838 return (NULL); 839 } 840 841 /* construct control message */ 842 ctl_mp = allocb(sizeof (ipsec_ctl_t), BPRI_HI); 843 if (ctl_mp == NULL) { 844 cmn_err(CE_WARN, "sadb_fmt_sa_req: allocb failed\n"); 845 freemsg(mp); 846 return (NULL); 847 } 848 849 ctl_mp->b_datap->db_type = M_CTL; 850 ctl_mp->b_wptr += sizeof (ipsec_ctl_t); 851 ctl_mp->b_cont = mp; 852 853 ctl = (ipsec_ctl_t *)ctl_mp->b_rptr; 854 ctl->ipsec_ctl_type = IPSEC_CTL; 855 ctl->ipsec_ctl_len = sizeof (ipsec_ctl_t); 856 ctl->ipsec_ctl_sa_type = sa_type; 857 858 if (need_key) { 859 /* 860 * Keep an additional reference on SA, since it will be 861 * needed by IP to send control messages corresponding 862 * to that SA from its perimeter. IP will do a 863 * IPSA_REFRELE when done with the request. 864 */ 865 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 866 IPSA_REFHOLD(sa); 867 ctl->ipsec_ctl_sa = sa; 868 } else 869 ctl->ipsec_ctl_sa = NULL; 870 871 return (ctl_mp); 872 } 873 874 875 /* 876 * Called by sadb_ill_download() to dump the entries for a specific 877 * fanout table. For each SA entry in the table passed as argument, 878 * use mp as a template and constructs a full DL_CONTROL message, and 879 * call ill_dlpi_send(), provided by IP, to send the resulting 880 * messages to the ill. 881 */ 882 static void 883 sadb_ill_df(ill_t *ill, mblk_t *mp, isaf_t *fanout, int num_entries, 884 boolean_t is_inbound) 885 { 886 ipsa_t *walker; 887 mblk_t *nmp, *salist; 888 int i, error = 0; 889 ip_stack_t *ipst = ill->ill_ipst; 890 netstack_t *ns = ipst->ips_netstack; 891 892 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_ill_df: fanout at 0x%p ne=%d\n", 893 (void *)fanout, num_entries)); 894 /* 895 * For each IPSA hash bucket do: 896 * - Hold the mutex 897 * - Walk each entry, sending a corresponding request to IP 898 * for it. 899 */ 900 ASSERT(mp->b_datap->db_type == M_PROTO); 901 902 for (i = 0; i < num_entries; i++) { 903 mutex_enter(&fanout[i].isaf_lock); 904 salist = NULL; 905 906 for (walker = fanout[i].isaf_ipsa; walker != NULL; 907 walker = walker->ipsa_next) { 908 IPSECHW_DEBUG(IPSECHW_SADB, 909 ("sadb_ill_df: sending SA to ill via IP \n")); 910 /* 911 * Duplicate the template mp passed and 912 * complete DL_CONTROL_REQ data. 913 * To be more memory efficient, we could use 914 * dupb() for the M_CTL and copyb() for the M_PROTO 915 * as the M_CTL, since the M_CTL is the same for 916 * every SA entry passed down to IP for the same ill. 917 * 918 * Note that copymsg/copyb ensure that the new mblk 919 * is at least as large as the source mblk even if it's 920 * not using all its storage -- therefore, nmp 921 * has trailing space for sadb_req_from_sa to add 922 * the SA-specific bits. 923 */ 924 mutex_enter(&walker->ipsa_lock); 925 if (ipsec_capab_match(ill, 926 ill->ill_phyint->phyint_ifindex, ill->ill_isv6, 927 walker, ns)) { 928 nmp = copymsg(mp); 929 if (nmp == NULL) { 930 IPSECHW_DEBUG(IPSECHW_SADB, 931 ("sadb_ill_df: alloc error\n")); 932 error = ENOMEM; 933 mutex_exit(&walker->ipsa_lock); 934 break; 935 } 936 if (sadb_req_from_sa(walker, nmp, is_inbound)) { 937 nmp->b_next = salist; 938 salist = nmp; 939 } 940 } 941 mutex_exit(&walker->ipsa_lock); 942 } 943 mutex_exit(&fanout[i].isaf_lock); 944 while (salist != NULL) { 945 nmp = salist; 946 salist = nmp->b_next; 947 nmp->b_next = NULL; 948 ill_dlpi_send(ill, nmp); 949 } 950 if (error != 0) 951 break; /* out of for loop. */ 952 } 953 } 954 955 /* 956 * Called by ill_ipsec_capab_add(). Sends a copy of the SADB of 957 * the type specified by sa_type to the specified ill. 958 * 959 * We call for each fanout table defined by the SADB (one per 960 * protocol). sadb_ill_df() finally calls ill_dlpi_send() for 961 * each SADB entry in order to send a corresponding DL_CONTROL_REQ 962 * message to the ill. 963 */ 964 void 965 sadb_ill_download(ill_t *ill, uint_t sa_type) 966 { 967 mblk_t *protomp; /* prototype message */ 968 dl_control_req_t *ctrl; 969 sadbp_t *spp; 970 sadb_t *sp; 971 int dlt; 972 ip_stack_t *ipst = ill->ill_ipst; 973 netstack_t *ns = ipst->ips_netstack; 974 975 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 976 977 /* 978 * Allocate and initialize prototype answer. A duplicate for 979 * each SA is sent down to the interface. 980 */ 981 982 /* DL_CONTROL_REQ M_PROTO mblk_t */ 983 protomp = allocb(sizeof (dl_control_req_t) + 984 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 985 if (protomp == NULL) 986 return; 987 protomp->b_datap->db_type = M_PROTO; 988 989 dlt = (sa_type == SADB_SATYPE_AH) ? DL_CT_IPSEC_AH : DL_CT_IPSEC_ESP; 990 if (sa_type == SADB_SATYPE_ESP) { 991 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 992 993 spp = &espstack->esp_sadb; 994 } else { 995 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 996 997 spp = &ahstack->ah_sadb; 998 } 999 1000 ctrl = (dl_control_req_t *)protomp->b_wptr; 1001 ctrl->dl_primitive = DL_CONTROL_REQ; 1002 ctrl->dl_operation = DL_CO_SET; 1003 ctrl->dl_type = dlt; 1004 ctrl->dl_key_offset = sizeof (dl_control_req_t); 1005 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 1006 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 1007 sizeof (dl_ct_ipsec_key_t); 1008 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 1009 protomp->b_wptr += sizeof (dl_control_req_t); 1010 1011 /* 1012 * then for each SADB entry, we fill out the dl_ct_ipsec_key_t 1013 * and dl_ct_ipsec_t 1014 */ 1015 sp = ill->ill_isv6 ? &(spp->s_v6) : &(spp->s_v4); 1016 sadb_ill_df(ill, protomp, sp->sdb_of, sp->sdb_hashsize, B_FALSE); 1017 sadb_ill_df(ill, protomp, sp->sdb_if, sp->sdb_hashsize, B_TRUE); 1018 freemsg(protomp); 1019 } 1020 1021 /* 1022 * Call me to free up a security association fanout. Use the forever 1023 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g. 1024 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE, 1025 * when a module is unloaded). 1026 */ 1027 static void 1028 sadb_destroyer(isaf_t **tablep, uint_t numentries, boolean_t forever, 1029 boolean_t inbound) 1030 { 1031 int i; 1032 isaf_t *table = *tablep; 1033 uint8_t protocol; 1034 ipsa_t *sa; 1035 netstackid_t sid; 1036 1037 if (table == NULL) 1038 return; 1039 1040 for (i = 0; i < numentries; i++) { 1041 mutex_enter(&table[i].isaf_lock); 1042 while ((sa = table[i].isaf_ipsa) != NULL) { 1043 if (inbound && cl_inet_deletespi && 1044 (sa->ipsa_state != IPSA_STATE_ACTIVE_ELSEWHERE) && 1045 (sa->ipsa_state != IPSA_STATE_IDLE)) { 1046 protocol = (sa->ipsa_type == SADB_SATYPE_AH) ? 1047 IPPROTO_AH : IPPROTO_ESP; 1048 sid = sa->ipsa_netstack->netstack_stackid; 1049 cl_inet_deletespi(sid, protocol, sa->ipsa_spi, 1050 NULL); 1051 } 1052 sadb_unlinkassoc(sa); 1053 } 1054 table[i].isaf_gen++; 1055 mutex_exit(&table[i].isaf_lock); 1056 if (forever) 1057 mutex_destroy(&(table[i].isaf_lock)); 1058 } 1059 1060 if (forever) { 1061 *tablep = NULL; 1062 kmem_free(table, numentries * sizeof (*table)); 1063 } 1064 } 1065 1066 /* 1067 * Entry points to sadb_destroyer(). 1068 */ 1069 static void 1070 sadb_flush(sadb_t *sp, netstack_t *ns) 1071 { 1072 /* 1073 * Flush out each bucket, one at a time. Were it not for keysock's 1074 * enforcement, there would be a subtlety where I could add on the 1075 * heels of a flush. With keysock's enforcement, however, this 1076 * makes ESP's job easy. 1077 */ 1078 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_FALSE, B_FALSE); 1079 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_FALSE, B_TRUE); 1080 1081 /* For each acquire, destroy it; leave the bucket mutex alone. */ 1082 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_FALSE, ns); 1083 } 1084 1085 static void 1086 sadb_destroy(sadb_t *sp, netstack_t *ns) 1087 { 1088 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_TRUE, B_FALSE); 1089 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_TRUE, B_TRUE); 1090 1091 /* For each acquire, destroy it, including the bucket mutex. */ 1092 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_TRUE, ns); 1093 1094 ASSERT(sp->sdb_of == NULL); 1095 ASSERT(sp->sdb_if == NULL); 1096 ASSERT(sp->sdb_acq == NULL); 1097 } 1098 1099 static void 1100 sadb_send_flush_req(sadbp_t *spp) 1101 { 1102 mblk_t *ctl_mp; 1103 1104 /* 1105 * we've been unplumbed, or never were plumbed; don't go there. 1106 */ 1107 if (spp->s_ip_q == NULL) 1108 return; 1109 1110 /* have IP send a flush msg to the IPsec accelerators */ 1111 ctl_mp = sadb_fmt_sa_req(DL_CO_FLUSH, spp->s_satype, NULL, B_TRUE); 1112 if (ctl_mp != NULL) 1113 putnext(spp->s_ip_q, ctl_mp); 1114 } 1115 1116 void 1117 sadbp_flush(sadbp_t *spp, netstack_t *ns) 1118 { 1119 sadb_flush(&spp->s_v4, ns); 1120 sadb_flush(&spp->s_v6, ns); 1121 1122 sadb_send_flush_req(spp); 1123 } 1124 1125 void 1126 sadbp_destroy(sadbp_t *spp, netstack_t *ns) 1127 { 1128 sadb_destroy(&spp->s_v4, ns); 1129 sadb_destroy(&spp->s_v6, ns); 1130 1131 sadb_send_flush_req(spp); 1132 if (spp->s_satype == SADB_SATYPE_AH) { 1133 ipsec_stack_t *ipss = ns->netstack_ipsec; 1134 1135 ip_drop_unregister(&ipss->ipsec_sadb_dropper); 1136 } 1137 } 1138 1139 1140 /* 1141 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g. 1142 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for 1143 * EINVAL. 1144 */ 1145 int 1146 sadb_hardsoftchk(sadb_lifetime_t *hard, sadb_lifetime_t *soft, 1147 sadb_lifetime_t *idle) 1148 { 1149 if (hard == NULL || soft == NULL) 1150 return (0); 1151 1152 if (hard->sadb_lifetime_allocations != 0 && 1153 soft->sadb_lifetime_allocations != 0 && 1154 hard->sadb_lifetime_allocations < soft->sadb_lifetime_allocations) 1155 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR); 1156 1157 if (hard->sadb_lifetime_bytes != 0 && 1158 soft->sadb_lifetime_bytes != 0 && 1159 hard->sadb_lifetime_bytes < soft->sadb_lifetime_bytes) 1160 return (SADB_X_DIAGNOSTIC_BYTES_HSERR); 1161 1162 if (hard->sadb_lifetime_addtime != 0 && 1163 soft->sadb_lifetime_addtime != 0 && 1164 hard->sadb_lifetime_addtime < soft->sadb_lifetime_addtime) 1165 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1166 1167 if (hard->sadb_lifetime_usetime != 0 && 1168 soft->sadb_lifetime_usetime != 0 && 1169 hard->sadb_lifetime_usetime < soft->sadb_lifetime_usetime) 1170 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1171 1172 if (idle != NULL) { 1173 if (hard->sadb_lifetime_addtime != 0 && 1174 idle->sadb_lifetime_addtime != 0 && 1175 hard->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) 1176 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1177 1178 if (soft->sadb_lifetime_addtime != 0 && 1179 idle->sadb_lifetime_addtime != 0 && 1180 soft->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) 1181 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1182 1183 if (hard->sadb_lifetime_usetime != 0 && 1184 idle->sadb_lifetime_usetime != 0 && 1185 hard->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) 1186 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1187 1188 if (soft->sadb_lifetime_usetime != 0 && 1189 idle->sadb_lifetime_usetime != 0 && 1190 soft->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) 1191 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1192 } 1193 1194 return (0); 1195 } 1196 1197 /* 1198 * Clone a security association for the purposes of inserting a single SA 1199 * into inbound and outbound tables respectively. This function should only 1200 * be called from sadb_common_add(). 1201 */ 1202 static ipsa_t * 1203 sadb_cloneassoc(ipsa_t *ipsa) 1204 { 1205 ipsa_t *newbie; 1206 boolean_t error = B_FALSE; 1207 1208 ASSERT(MUTEX_NOT_HELD(&(ipsa->ipsa_lock))); 1209 1210 newbie = kmem_alloc(sizeof (ipsa_t), KM_NOSLEEP); 1211 if (newbie == NULL) 1212 return (NULL); 1213 1214 /* Copy over what we can. */ 1215 *newbie = *ipsa; 1216 1217 /* bzero and initialize locks, in case *_init() allocates... */ 1218 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 1219 1220 /* 1221 * While somewhat dain-bramaged, the most graceful way to 1222 * recover from errors is to keep plowing through the 1223 * allocations, and getting what I can. It's easier to call 1224 * sadb_freeassoc() on the stillborn clone when all the 1225 * pointers aren't pointing to the parent's data. 1226 */ 1227 1228 if (ipsa->ipsa_authkey != NULL) { 1229 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 1230 KM_NOSLEEP); 1231 if (newbie->ipsa_authkey == NULL) { 1232 error = B_TRUE; 1233 } else { 1234 bcopy(ipsa->ipsa_authkey, newbie->ipsa_authkey, 1235 newbie->ipsa_authkeylen); 1236 1237 newbie->ipsa_kcfauthkey.ck_data = 1238 newbie->ipsa_authkey; 1239 } 1240 1241 if (newbie->ipsa_amech.cm_param != NULL) { 1242 newbie->ipsa_amech.cm_param = 1243 (char *)&newbie->ipsa_mac_len; 1244 } 1245 } 1246 1247 if (ipsa->ipsa_encrkey != NULL) { 1248 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 1249 KM_NOSLEEP); 1250 if (newbie->ipsa_encrkey == NULL) { 1251 error = B_TRUE; 1252 } else { 1253 bcopy(ipsa->ipsa_encrkey, newbie->ipsa_encrkey, 1254 newbie->ipsa_encrkeylen); 1255 1256 newbie->ipsa_kcfencrkey.ck_data = 1257 newbie->ipsa_encrkey; 1258 } 1259 } 1260 1261 newbie->ipsa_authtmpl = NULL; 1262 newbie->ipsa_encrtmpl = NULL; 1263 newbie->ipsa_haspeer = B_TRUE; 1264 1265 if (ipsa->ipsa_integ != NULL) { 1266 newbie->ipsa_integ = kmem_alloc(newbie->ipsa_integlen, 1267 KM_NOSLEEP); 1268 if (newbie->ipsa_integ == NULL) { 1269 error = B_TRUE; 1270 } else { 1271 bcopy(ipsa->ipsa_integ, newbie->ipsa_integ, 1272 newbie->ipsa_integlen); 1273 } 1274 } 1275 1276 if (ipsa->ipsa_sens != NULL) { 1277 newbie->ipsa_sens = kmem_alloc(newbie->ipsa_senslen, 1278 KM_NOSLEEP); 1279 if (newbie->ipsa_sens == NULL) { 1280 error = B_TRUE; 1281 } else { 1282 bcopy(ipsa->ipsa_sens, newbie->ipsa_sens, 1283 newbie->ipsa_senslen); 1284 } 1285 } 1286 1287 if (ipsa->ipsa_src_cid != NULL) { 1288 newbie->ipsa_src_cid = ipsa->ipsa_src_cid; 1289 IPSID_REFHOLD(ipsa->ipsa_src_cid); 1290 } 1291 1292 if (ipsa->ipsa_dst_cid != NULL) { 1293 newbie->ipsa_dst_cid = ipsa->ipsa_dst_cid; 1294 IPSID_REFHOLD(ipsa->ipsa_dst_cid); 1295 } 1296 1297 if (error) { 1298 sadb_freeassoc(newbie); 1299 return (NULL); 1300 } 1301 1302 return (newbie); 1303 } 1304 1305 /* 1306 * Initialize a SADB address extension at the address specified by addrext. 1307 * Return a pointer to the end of the new address extension. 1308 */ 1309 static uint8_t * 1310 sadb_make_addr_ext(uint8_t *start, uint8_t *end, uint16_t exttype, 1311 sa_family_t af, uint32_t *addr, uint16_t port, uint8_t proto, int prefix) 1312 { 1313 struct sockaddr_in *sin; 1314 struct sockaddr_in6 *sin6; 1315 uint8_t *cur = start; 1316 int addrext_len; 1317 int sin_len; 1318 sadb_address_t *addrext = (sadb_address_t *)cur; 1319 1320 if (cur == NULL) 1321 return (NULL); 1322 1323 cur += sizeof (*addrext); 1324 if (cur > end) 1325 return (NULL); 1326 1327 addrext->sadb_address_proto = proto; 1328 addrext->sadb_address_prefixlen = prefix; 1329 addrext->sadb_address_reserved = 0; 1330 addrext->sadb_address_exttype = exttype; 1331 1332 switch (af) { 1333 case AF_INET: 1334 sin = (struct sockaddr_in *)cur; 1335 sin_len = sizeof (*sin); 1336 cur += sin_len; 1337 if (cur > end) 1338 return (NULL); 1339 1340 sin->sin_family = af; 1341 bzero(sin->sin_zero, sizeof (sin->sin_zero)); 1342 sin->sin_port = port; 1343 IPSA_COPY_ADDR(&sin->sin_addr, addr, af); 1344 break; 1345 case AF_INET6: 1346 sin6 = (struct sockaddr_in6 *)cur; 1347 sin_len = sizeof (*sin6); 1348 cur += sin_len; 1349 if (cur > end) 1350 return (NULL); 1351 1352 bzero(sin6, sizeof (*sin6)); 1353 sin6->sin6_family = af; 1354 sin6->sin6_port = port; 1355 IPSA_COPY_ADDR(&sin6->sin6_addr, addr, af); 1356 break; 1357 } 1358 1359 addrext_len = roundup(cur - start, sizeof (uint64_t)); 1360 addrext->sadb_address_len = SADB_8TO64(addrext_len); 1361 1362 cur = start + addrext_len; 1363 if (cur > end) 1364 cur = NULL; 1365 1366 return (cur); 1367 } 1368 1369 /* 1370 * Construct a key management cookie extension. 1371 */ 1372 1373 static uint8_t * 1374 sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint32_t kmc) 1375 { 1376 sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur; 1377 1378 if (cur == NULL) 1379 return (NULL); 1380 1381 cur += sizeof (*kmcext); 1382 1383 if (cur > end) 1384 return (NULL); 1385 1386 kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext)); 1387 kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE; 1388 kmcext->sadb_x_kmc_proto = kmp; 1389 kmcext->sadb_x_kmc_cookie = kmc; 1390 kmcext->sadb_x_kmc_reserved = 0; 1391 1392 return (cur); 1393 } 1394 1395 /* 1396 * Given an original message header with sufficient space following it, and an 1397 * SA, construct a full PF_KEY message with all of the relevant extensions. 1398 * This is mostly used for SADB_GET, and SADB_DUMP. 1399 */ 1400 static mblk_t * 1401 sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg) 1402 { 1403 int alloclen, addrsize, paddrsize, authsize, encrsize; 1404 int srcidsize, dstidsize; 1405 sa_family_t fam, pfam; /* Address family for SADB_EXT_ADDRESS */ 1406 /* src/dst and proxy sockaddrs. */ 1407 /* 1408 * The following are pointers into the PF_KEY message this PF_KEY 1409 * message creates. 1410 */ 1411 sadb_msg_t *newsamsg; 1412 sadb_sa_t *assoc; 1413 sadb_lifetime_t *lt; 1414 sadb_key_t *key; 1415 sadb_ident_t *ident; 1416 sadb_sens_t *sens; 1417 sadb_ext_t *walker; /* For when we need a generic ext. pointer. */ 1418 sadb_x_replay_ctr_t *repl_ctr; 1419 sadb_x_pair_t *pair_ext; 1420 1421 mblk_t *mp; 1422 uint64_t *bitmap; 1423 uint8_t *cur, *end; 1424 /* These indicate the presence of the above extension fields. */ 1425 boolean_t soft, hard, isrc, idst, auth, encr, sensinteg, srcid, dstid; 1426 boolean_t idle; 1427 boolean_t paired; 1428 uint32_t otherspi; 1429 1430 /* First off, figure out the allocation length for this message. */ 1431 1432 /* 1433 * Constant stuff. This includes base, SA, address (src, dst), 1434 * and lifetime (current). 1435 */ 1436 alloclen = sizeof (sadb_msg_t) + sizeof (sadb_sa_t) + 1437 sizeof (sadb_lifetime_t); 1438 1439 fam = ipsa->ipsa_addrfam; 1440 switch (fam) { 1441 case AF_INET: 1442 addrsize = roundup(sizeof (struct sockaddr_in) + 1443 sizeof (sadb_address_t), sizeof (uint64_t)); 1444 break; 1445 case AF_INET6: 1446 addrsize = roundup(sizeof (struct sockaddr_in6) + 1447 sizeof (sadb_address_t), sizeof (uint64_t)); 1448 break; 1449 default: 1450 return (NULL); 1451 } 1452 /* 1453 * Allocate TWO address extensions, for source and destination. 1454 * (Thus, the * 2.) 1455 */ 1456 alloclen += addrsize * 2; 1457 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) 1458 alloclen += addrsize; 1459 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) 1460 alloclen += addrsize; 1461 1462 if (ipsa->ipsa_flags & IPSA_F_PAIRED) { 1463 paired = B_TRUE; 1464 alloclen += sizeof (sadb_x_pair_t); 1465 otherspi = ipsa->ipsa_otherspi; 1466 } else { 1467 paired = B_FALSE; 1468 } 1469 1470 /* How 'bout other lifetimes? */ 1471 if (ipsa->ipsa_softaddlt != 0 || ipsa->ipsa_softuselt != 0 || 1472 ipsa->ipsa_softbyteslt != 0 || ipsa->ipsa_softalloc != 0) { 1473 alloclen += sizeof (sadb_lifetime_t); 1474 soft = B_TRUE; 1475 } else { 1476 soft = B_FALSE; 1477 } 1478 1479 if (ipsa->ipsa_hardaddlt != 0 || ipsa->ipsa_harduselt != 0 || 1480 ipsa->ipsa_hardbyteslt != 0 || ipsa->ipsa_hardalloc != 0) { 1481 alloclen += sizeof (sadb_lifetime_t); 1482 hard = B_TRUE; 1483 } else { 1484 hard = B_FALSE; 1485 } 1486 1487 if (ipsa->ipsa_idleaddlt != 0 || ipsa->ipsa_idleuselt != 0) { 1488 alloclen += sizeof (sadb_lifetime_t); 1489 idle = B_TRUE; 1490 } else { 1491 idle = B_FALSE; 1492 } 1493 1494 /* Inner addresses. */ 1495 if (ipsa->ipsa_innerfam == 0) { 1496 isrc = B_FALSE; 1497 idst = B_FALSE; 1498 } else { 1499 pfam = ipsa->ipsa_innerfam; 1500 switch (pfam) { 1501 case AF_INET6: 1502 paddrsize = roundup(sizeof (struct sockaddr_in6) + 1503 sizeof (sadb_address_t), sizeof (uint64_t)); 1504 break; 1505 case AF_INET: 1506 paddrsize = roundup(sizeof (struct sockaddr_in) + 1507 sizeof (sadb_address_t), sizeof (uint64_t)); 1508 break; 1509 default: 1510 cmn_err(CE_PANIC, 1511 "IPsec SADB: Proxy length failure.\n"); 1512 break; 1513 } 1514 isrc = B_TRUE; 1515 idst = B_TRUE; 1516 alloclen += 2 * paddrsize; 1517 } 1518 1519 /* For the following fields, assume that length != 0 ==> stuff */ 1520 if (ipsa->ipsa_authkeylen != 0) { 1521 authsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_authkeylen, 1522 sizeof (uint64_t)); 1523 alloclen += authsize; 1524 auth = B_TRUE; 1525 } else { 1526 auth = B_FALSE; 1527 } 1528 1529 if (ipsa->ipsa_encrkeylen != 0) { 1530 encrsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_encrkeylen, 1531 sizeof (uint64_t)); 1532 alloclen += encrsize; 1533 encr = B_TRUE; 1534 } else { 1535 encr = B_FALSE; 1536 } 1537 1538 /* No need for roundup on sens and integ. */ 1539 if (ipsa->ipsa_integlen != 0 || ipsa->ipsa_senslen != 0) { 1540 alloclen += sizeof (sadb_key_t) + ipsa->ipsa_integlen + 1541 ipsa->ipsa_senslen; 1542 sensinteg = B_TRUE; 1543 } else { 1544 sensinteg = B_FALSE; 1545 } 1546 1547 /* 1548 * Must use strlen() here for lengths. Identities use NULL 1549 * pointers to indicate their nonexistence. 1550 */ 1551 if (ipsa->ipsa_src_cid != NULL) { 1552 srcidsize = roundup(sizeof (sadb_ident_t) + 1553 strlen(ipsa->ipsa_src_cid->ipsid_cid) + 1, 1554 sizeof (uint64_t)); 1555 alloclen += srcidsize; 1556 srcid = B_TRUE; 1557 } else { 1558 srcid = B_FALSE; 1559 } 1560 1561 if (ipsa->ipsa_dst_cid != NULL) { 1562 dstidsize = roundup(sizeof (sadb_ident_t) + 1563 strlen(ipsa->ipsa_dst_cid->ipsid_cid) + 1, 1564 sizeof (uint64_t)); 1565 alloclen += dstidsize; 1566 dstid = B_TRUE; 1567 } else { 1568 dstid = B_FALSE; 1569 } 1570 1571 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) 1572 alloclen += sizeof (sadb_x_kmc_t); 1573 1574 if (ipsa->ipsa_replay != 0) { 1575 alloclen += sizeof (sadb_x_replay_ctr_t); 1576 } 1577 1578 /* Make sure the allocation length is a multiple of 8 bytes. */ 1579 ASSERT((alloclen & 0x7) == 0); 1580 1581 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */ 1582 mp = allocb(alloclen, BPRI_HI); 1583 if (mp == NULL) 1584 return (NULL); 1585 1586 mp->b_wptr += alloclen; 1587 end = mp->b_wptr; 1588 newsamsg = (sadb_msg_t *)mp->b_rptr; 1589 *newsamsg = *samsg; 1590 newsamsg->sadb_msg_len = (uint16_t)SADB_8TO64(alloclen); 1591 1592 mutex_enter(&ipsa->ipsa_lock); /* Since I'm grabbing SA fields... */ 1593 1594 newsamsg->sadb_msg_satype = ipsa->ipsa_type; 1595 1596 assoc = (sadb_sa_t *)(newsamsg + 1); 1597 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc)); 1598 assoc->sadb_sa_exttype = SADB_EXT_SA; 1599 assoc->sadb_sa_spi = ipsa->ipsa_spi; 1600 assoc->sadb_sa_replay = ipsa->ipsa_replay_wsize; 1601 assoc->sadb_sa_state = ipsa->ipsa_state; 1602 assoc->sadb_sa_auth = ipsa->ipsa_auth_alg; 1603 assoc->sadb_sa_encrypt = ipsa->ipsa_encr_alg; 1604 assoc->sadb_sa_flags = ipsa->ipsa_flags; 1605 1606 lt = (sadb_lifetime_t *)(assoc + 1); 1607 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1608 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 1609 /* We do not support the concept. */ 1610 lt->sadb_lifetime_allocations = 0; 1611 lt->sadb_lifetime_bytes = ipsa->ipsa_bytes; 1612 lt->sadb_lifetime_addtime = ipsa->ipsa_addtime; 1613 lt->sadb_lifetime_usetime = ipsa->ipsa_usetime; 1614 1615 if (hard) { 1616 lt++; 1617 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1618 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 1619 lt->sadb_lifetime_allocations = ipsa->ipsa_hardalloc; 1620 lt->sadb_lifetime_bytes = ipsa->ipsa_hardbyteslt; 1621 lt->sadb_lifetime_addtime = ipsa->ipsa_hardaddlt; 1622 lt->sadb_lifetime_usetime = ipsa->ipsa_harduselt; 1623 } 1624 1625 if (soft) { 1626 lt++; 1627 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1628 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 1629 lt->sadb_lifetime_allocations = ipsa->ipsa_softalloc; 1630 lt->sadb_lifetime_bytes = ipsa->ipsa_softbyteslt; 1631 lt->sadb_lifetime_addtime = ipsa->ipsa_softaddlt; 1632 lt->sadb_lifetime_usetime = ipsa->ipsa_softuselt; 1633 } 1634 1635 if (idle) { 1636 lt++; 1637 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1638 lt->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE; 1639 lt->sadb_lifetime_addtime = ipsa->ipsa_idleaddlt; 1640 lt->sadb_lifetime_usetime = ipsa->ipsa_idleuselt; 1641 } 1642 1643 cur = (uint8_t *)(lt + 1); 1644 1645 /* NOTE: Don't fill in ports here if we are a tunnel-mode SA. */ 1646 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, fam, 1647 ipsa->ipsa_srcaddr, (!isrc && !idst) ? SA_SRCPORT(ipsa) : 0, 1648 SA_PROTO(ipsa), 0); 1649 if (cur == NULL) { 1650 freemsg(mp); 1651 mp = NULL; 1652 goto bail; 1653 } 1654 1655 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, fam, 1656 ipsa->ipsa_dstaddr, (!isrc && !idst) ? SA_DSTPORT(ipsa) : 0, 1657 SA_PROTO(ipsa), 0); 1658 if (cur == NULL) { 1659 freemsg(mp); 1660 mp = NULL; 1661 goto bail; 1662 } 1663 1664 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) { 1665 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_LOC, 1666 fam, &ipsa->ipsa_natt_addr_loc, ipsa->ipsa_local_nat_port, 1667 IPPROTO_UDP, 0); 1668 if (cur == NULL) { 1669 freemsg(mp); 1670 mp = NULL; 1671 goto bail; 1672 } 1673 } 1674 1675 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) { 1676 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_REM, 1677 fam, &ipsa->ipsa_natt_addr_rem, ipsa->ipsa_remote_nat_port, 1678 IPPROTO_UDP, 0); 1679 if (cur == NULL) { 1680 freemsg(mp); 1681 mp = NULL; 1682 goto bail; 1683 } 1684 } 1685 1686 /* If we are a tunnel-mode SA, fill in the inner-selectors. */ 1687 if (isrc) { 1688 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 1689 pfam, ipsa->ipsa_innersrc, SA_SRCPORT(ipsa), 1690 SA_IPROTO(ipsa), ipsa->ipsa_innersrcpfx); 1691 if (cur == NULL) { 1692 freemsg(mp); 1693 mp = NULL; 1694 goto bail; 1695 } 1696 } 1697 1698 if (idst) { 1699 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 1700 pfam, ipsa->ipsa_innerdst, SA_DSTPORT(ipsa), 1701 SA_IPROTO(ipsa), ipsa->ipsa_innerdstpfx); 1702 if (cur == NULL) { 1703 freemsg(mp); 1704 mp = NULL; 1705 goto bail; 1706 } 1707 } 1708 1709 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) { 1710 cur = sadb_make_kmc_ext(cur, end, 1711 ipsa->ipsa_kmp, ipsa->ipsa_kmc); 1712 if (cur == NULL) { 1713 freemsg(mp); 1714 mp = NULL; 1715 goto bail; 1716 } 1717 } 1718 1719 walker = (sadb_ext_t *)cur; 1720 if (auth) { 1721 key = (sadb_key_t *)walker; 1722 key->sadb_key_len = SADB_8TO64(authsize); 1723 key->sadb_key_exttype = SADB_EXT_KEY_AUTH; 1724 key->sadb_key_bits = ipsa->ipsa_authkeybits; 1725 key->sadb_key_reserved = 0; 1726 bcopy(ipsa->ipsa_authkey, key + 1, ipsa->ipsa_authkeylen); 1727 walker = (sadb_ext_t *)((uint64_t *)walker + 1728 walker->sadb_ext_len); 1729 } 1730 1731 if (encr) { 1732 key = (sadb_key_t *)walker; 1733 key->sadb_key_len = SADB_8TO64(encrsize); 1734 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 1735 key->sadb_key_bits = ipsa->ipsa_encrkeybits; 1736 key->sadb_key_reserved = 0; 1737 bcopy(ipsa->ipsa_encrkey, key + 1, ipsa->ipsa_encrkeylen); 1738 walker = (sadb_ext_t *)((uint64_t *)walker + 1739 walker->sadb_ext_len); 1740 } 1741 1742 if (srcid) { 1743 ident = (sadb_ident_t *)walker; 1744 ident->sadb_ident_len = SADB_8TO64(srcidsize); 1745 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 1746 ident->sadb_ident_type = ipsa->ipsa_src_cid->ipsid_type; 1747 ident->sadb_ident_id = 0; 1748 ident->sadb_ident_reserved = 0; 1749 (void) strcpy((char *)(ident + 1), 1750 ipsa->ipsa_src_cid->ipsid_cid); 1751 walker = (sadb_ext_t *)((uint64_t *)walker + 1752 walker->sadb_ext_len); 1753 } 1754 1755 if (dstid) { 1756 ident = (sadb_ident_t *)walker; 1757 ident->sadb_ident_len = SADB_8TO64(dstidsize); 1758 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 1759 ident->sadb_ident_type = ipsa->ipsa_dst_cid->ipsid_type; 1760 ident->sadb_ident_id = 0; 1761 ident->sadb_ident_reserved = 0; 1762 (void) strcpy((char *)(ident + 1), 1763 ipsa->ipsa_dst_cid->ipsid_cid); 1764 walker = (sadb_ext_t *)((uint64_t *)walker + 1765 walker->sadb_ext_len); 1766 } 1767 1768 if (sensinteg) { 1769 sens = (sadb_sens_t *)walker; 1770 sens->sadb_sens_len = SADB_8TO64(sizeof (sadb_sens_t *) + 1771 ipsa->ipsa_senslen + ipsa->ipsa_integlen); 1772 sens->sadb_sens_dpd = ipsa->ipsa_dpd; 1773 sens->sadb_sens_sens_level = ipsa->ipsa_senslevel; 1774 sens->sadb_sens_integ_level = ipsa->ipsa_integlevel; 1775 sens->sadb_sens_sens_len = SADB_8TO64(ipsa->ipsa_senslen); 1776 sens->sadb_sens_integ_len = SADB_8TO64(ipsa->ipsa_integlen); 1777 sens->sadb_sens_reserved = 0; 1778 bitmap = (uint64_t *)(sens + 1); 1779 if (ipsa->ipsa_sens != NULL) { 1780 bcopy(ipsa->ipsa_sens, bitmap, ipsa->ipsa_senslen); 1781 bitmap += sens->sadb_sens_sens_len; 1782 } 1783 if (ipsa->ipsa_integ != NULL) 1784 bcopy(ipsa->ipsa_integ, bitmap, ipsa->ipsa_integlen); 1785 walker = (sadb_ext_t *)((uint64_t *)walker + 1786 walker->sadb_ext_len); 1787 } 1788 1789 if (paired) { 1790 pair_ext = (sadb_x_pair_t *)walker; 1791 1792 pair_ext->sadb_x_pair_len = SADB_8TO64(sizeof (sadb_x_pair_t)); 1793 pair_ext->sadb_x_pair_exttype = SADB_X_EXT_PAIR; 1794 pair_ext->sadb_x_pair_spi = otherspi; 1795 1796 walker = (sadb_ext_t *)((uint64_t *)walker + 1797 walker->sadb_ext_len); 1798 } 1799 1800 if (ipsa->ipsa_replay != 0) { 1801 repl_ctr = (sadb_x_replay_ctr_t *)walker; 1802 repl_ctr->sadb_x_rc_len = SADB_8TO64(sizeof (*repl_ctr)); 1803 repl_ctr->sadb_x_rc_exttype = SADB_X_EXT_REPLAY_VALUE; 1804 repl_ctr->sadb_x_rc_replay32 = ipsa->ipsa_replay; 1805 repl_ctr->sadb_x_rc_replay64 = 0; 1806 walker = (sadb_ext_t *)(repl_ctr + 1); 1807 } 1808 1809 bail: 1810 /* Pardon any delays... */ 1811 mutex_exit(&ipsa->ipsa_lock); 1812 1813 return (mp); 1814 } 1815 1816 /* 1817 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN) 1818 * and adjust base message accordingly. 1819 * 1820 * Assume message is pulled up in one piece of contiguous memory. 1821 * 1822 * Say if we start off with: 1823 * 1824 * +------+----+-------------+-----------+---------------+---------------+ 1825 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime | 1826 * +------+----+-------------+-----------+---------------+---------------+ 1827 * 1828 * we will end up with 1829 * 1830 * +------+----+-------------+-----------+---------------+ 1831 * | base | SA | source addr | dest addr | soft lifetime | 1832 * +------+----+-------------+-----------+---------------+ 1833 */ 1834 static void 1835 sadb_strip(sadb_msg_t *samsg) 1836 { 1837 sadb_ext_t *ext; 1838 uint8_t *target = NULL; 1839 uint8_t *msgend; 1840 int sofar = SADB_8TO64(sizeof (*samsg)); 1841 int copylen; 1842 1843 ext = (sadb_ext_t *)(samsg + 1); 1844 msgend = (uint8_t *)samsg; 1845 msgend += SADB_64TO8(samsg->sadb_msg_len); 1846 while ((uint8_t *)ext < msgend) { 1847 if (ext->sadb_ext_type == SADB_EXT_RESERVED || 1848 ext->sadb_ext_type == SADB_EXT_KEY_AUTH || 1849 ext->sadb_ext_type == SADB_X_EXT_EDUMP || 1850 ext->sadb_ext_type == SADB_EXT_KEY_ENCRYPT) { 1851 /* 1852 * Aha! I found a header to be erased. 1853 */ 1854 1855 if (target != NULL) { 1856 /* 1857 * If I had a previous header to be erased, 1858 * copy over it. I can get away with just 1859 * copying backwards because the target will 1860 * always be 8 bytes behind the source. 1861 */ 1862 copylen = ((uint8_t *)ext) - (target + 1863 SADB_64TO8( 1864 ((sadb_ext_t *)target)->sadb_ext_len)); 1865 ovbcopy(((uint8_t *)ext - copylen), target, 1866 copylen); 1867 target += copylen; 1868 ((sadb_ext_t *)target)->sadb_ext_len = 1869 SADB_8TO64(((uint8_t *)ext) - target + 1870 SADB_64TO8(ext->sadb_ext_len)); 1871 } else { 1872 target = (uint8_t *)ext; 1873 } 1874 } else { 1875 sofar += ext->sadb_ext_len; 1876 } 1877 1878 ext = (sadb_ext_t *)(((uint64_t *)ext) + ext->sadb_ext_len); 1879 } 1880 1881 ASSERT((uint8_t *)ext == msgend); 1882 1883 if (target != NULL) { 1884 copylen = ((uint8_t *)ext) - (target + 1885 SADB_64TO8(((sadb_ext_t *)target)->sadb_ext_len)); 1886 if (copylen != 0) 1887 ovbcopy(((uint8_t *)ext - copylen), target, copylen); 1888 } 1889 1890 /* Adjust samsg. */ 1891 samsg->sadb_msg_len = (uint16_t)sofar; 1892 1893 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */ 1894 } 1895 1896 /* 1897 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL 1898 * followed by an M_DATA with a PF_KEY message in it. The serial of 1899 * the sending keysock instance is included. 1900 */ 1901 void 1902 sadb_pfkey_error(queue_t *pfkey_q, mblk_t *mp, int error, int diagnostic, 1903 uint_t serial) 1904 { 1905 mblk_t *msg = mp->b_cont; 1906 sadb_msg_t *samsg; 1907 keysock_out_t *kso; 1908 1909 /* 1910 * Enough functions call this to merit a NULL queue check. 1911 */ 1912 if (pfkey_q == NULL) { 1913 freemsg(mp); 1914 return; 1915 } 1916 1917 ASSERT(msg != NULL); 1918 ASSERT((mp->b_wptr - mp->b_rptr) == sizeof (ipsec_info_t)); 1919 ASSERT((msg->b_wptr - msg->b_rptr) >= sizeof (sadb_msg_t)); 1920 samsg = (sadb_msg_t *)msg->b_rptr; 1921 kso = (keysock_out_t *)mp->b_rptr; 1922 1923 kso->ks_out_type = KEYSOCK_OUT; 1924 kso->ks_out_len = sizeof (*kso); 1925 kso->ks_out_serial = serial; 1926 1927 /* 1928 * Only send the base message up in the event of an error. 1929 * Don't worry about bzero()-ing, because it was probably bogus 1930 * anyway. 1931 */ 1932 msg->b_wptr = msg->b_rptr + sizeof (*samsg); 1933 samsg = (sadb_msg_t *)msg->b_rptr; 1934 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 1935 samsg->sadb_msg_errno = (uint8_t)error; 1936 if (diagnostic != SADB_X_DIAGNOSTIC_PRESET) 1937 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 1938 1939 putnext(pfkey_q, mp); 1940 } 1941 1942 /* 1943 * Send a successful return packet back to keysock via the queue in pfkey_q. 1944 * 1945 * Often, an SA is associated with the reply message, it's passed in if needed, 1946 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held, 1947 * and the caller will release said refcnt. 1948 */ 1949 void 1950 sadb_pfkey_echo(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 1951 keysock_in_t *ksi, ipsa_t *ipsa) 1952 { 1953 keysock_out_t *kso; 1954 mblk_t *mp1; 1955 sadb_msg_t *newsamsg; 1956 uint8_t *oldend; 1957 1958 ASSERT((mp->b_cont != NULL) && 1959 ((void *)samsg == (void *)mp->b_cont->b_rptr) && 1960 ((void *)mp->b_rptr == (void *)ksi)); 1961 1962 switch (samsg->sadb_msg_type) { 1963 case SADB_ADD: 1964 case SADB_UPDATE: 1965 case SADB_X_UPDATEPAIR: 1966 case SADB_X_DELPAIR_STATE: 1967 case SADB_FLUSH: 1968 case SADB_DUMP: 1969 /* 1970 * I have all of the message already. I just need to strip 1971 * out the keying material and echo the message back. 1972 * 1973 * NOTE: for SADB_DUMP, the function sadb_dump() did the 1974 * work. When DUMP reaches here, it should only be a base 1975 * message. 1976 */ 1977 justecho: 1978 if (ksi->ks_in_extv[SADB_EXT_KEY_AUTH] != NULL || 1979 ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT] != NULL || 1980 ksi->ks_in_extv[SADB_X_EXT_EDUMP] != NULL) { 1981 sadb_strip(samsg); 1982 /* Assume PF_KEY message is contiguous. */ 1983 ASSERT(mp->b_cont->b_cont == NULL); 1984 oldend = mp->b_cont->b_wptr; 1985 mp->b_cont->b_wptr = mp->b_cont->b_rptr + 1986 SADB_64TO8(samsg->sadb_msg_len); 1987 bzero(mp->b_cont->b_wptr, oldend - mp->b_cont->b_wptr); 1988 } 1989 break; 1990 case SADB_GET: 1991 /* 1992 * Do a lot of work here, because of the ipsa I just found. 1993 * First construct the new PF_KEY message, then abandon 1994 * the old one. 1995 */ 1996 mp1 = sadb_sa2msg(ipsa, samsg); 1997 if (mp1 == NULL) { 1998 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 1999 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 2000 return; 2001 } 2002 freemsg(mp->b_cont); 2003 mp->b_cont = mp1; 2004 break; 2005 case SADB_DELETE: 2006 case SADB_X_DELPAIR: 2007 if (ipsa == NULL) 2008 goto justecho; 2009 /* 2010 * Because listening KMds may require more info, treat 2011 * DELETE like a special case of GET. 2012 */ 2013 mp1 = sadb_sa2msg(ipsa, samsg); 2014 if (mp1 == NULL) { 2015 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 2016 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 2017 return; 2018 } 2019 newsamsg = (sadb_msg_t *)mp1->b_rptr; 2020 sadb_strip(newsamsg); 2021 oldend = mp1->b_wptr; 2022 mp1->b_wptr = mp1->b_rptr + SADB_64TO8(newsamsg->sadb_msg_len); 2023 bzero(mp1->b_wptr, oldend - mp1->b_wptr); 2024 freemsg(mp->b_cont); 2025 mp->b_cont = mp1; 2026 break; 2027 default: 2028 if (mp != NULL) 2029 freemsg(mp); 2030 return; 2031 } 2032 2033 /* ksi is now null and void. */ 2034 kso = (keysock_out_t *)ksi; 2035 kso->ks_out_type = KEYSOCK_OUT; 2036 kso->ks_out_len = sizeof (*kso); 2037 kso->ks_out_serial = ksi->ks_in_serial; 2038 /* We're ready to send... */ 2039 putnext(pfkey_q, mp); 2040 } 2041 2042 /* 2043 * Set up a global pfkey_q instance for AH, ESP, or some other consumer. 2044 */ 2045 void 2046 sadb_keysock_hello(queue_t **pfkey_qp, queue_t *q, mblk_t *mp, 2047 void (*ager)(void *), void *agerarg, timeout_id_t *top, int satype) 2048 { 2049 keysock_hello_ack_t *kha; 2050 queue_t *oldq; 2051 2052 ASSERT(OTHERQ(q) != NULL); 2053 2054 /* 2055 * First, check atomically that I'm the first and only keysock 2056 * instance. 2057 * 2058 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp), 2059 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY 2060 * messages. 2061 */ 2062 2063 oldq = casptr((void **)pfkey_qp, NULL, OTHERQ(q)); 2064 if (oldq != NULL) { 2065 ASSERT(oldq != q); 2066 cmn_err(CE_WARN, "Danger! Multiple keysocks on top of %s.\n", 2067 (satype == SADB_SATYPE_ESP)? "ESP" : "AH or other"); 2068 freemsg(mp); 2069 return; 2070 } 2071 2072 kha = (keysock_hello_ack_t *)mp->b_rptr; 2073 kha->ks_hello_len = sizeof (keysock_hello_ack_t); 2074 kha->ks_hello_type = KEYSOCK_HELLO_ACK; 2075 kha->ks_hello_satype = (uint8_t)satype; 2076 2077 /* 2078 * If we made it past the casptr, then we have "exclusive" access 2079 * to the timeout handle. Fire it off after the default ager 2080 * interval. 2081 */ 2082 *top = qtimeout(*pfkey_qp, ager, agerarg, 2083 drv_usectohz(SADB_AGE_INTERVAL_DEFAULT * 1000)); 2084 2085 putnext(*pfkey_qp, mp); 2086 } 2087 2088 /* 2089 * Normalize IPv4-mapped IPv6 addresses (and prefixes) as appropriate. 2090 * 2091 * Check addresses themselves for wildcard or multicast. 2092 * Check ire table for local/non-local/broadcast. 2093 */ 2094 int 2095 sadb_addrcheck(queue_t *pfkey_q, mblk_t *mp, sadb_ext_t *ext, uint_t serial, 2096 netstack_t *ns) 2097 { 2098 sadb_address_t *addr = (sadb_address_t *)ext; 2099 struct sockaddr_in *sin; 2100 struct sockaddr_in6 *sin6; 2101 ire_t *ire; 2102 int diagnostic, type; 2103 boolean_t normalized = B_FALSE; 2104 2105 ASSERT(ext != NULL); 2106 ASSERT((ext->sadb_ext_type == SADB_EXT_ADDRESS_SRC) || 2107 (ext->sadb_ext_type == SADB_EXT_ADDRESS_DST) || 2108 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) || 2109 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) || 2110 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_LOC) || 2111 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_REM)); 2112 2113 /* Assign both sockaddrs, the compiler will do the right thing. */ 2114 sin = (struct sockaddr_in *)(addr + 1); 2115 sin6 = (struct sockaddr_in6 *)(addr + 1); 2116 2117 if (sin6->sin6_family == AF_INET6) { 2118 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { 2119 /* 2120 * Convert to an AF_INET sockaddr. This means the 2121 * return messages will have the extra space, but have 2122 * AF_INET sockaddrs instead of AF_INET6. 2123 * 2124 * Yes, RFC 2367 isn't clear on what to do here w.r.t. 2125 * mapped addresses, but since AF_INET6 ::ffff:<v4> is 2126 * equal to AF_INET <v4>, it shouldnt be a huge 2127 * problem. 2128 */ 2129 sin->sin_family = AF_INET; 2130 IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, 2131 &sin->sin_addr); 2132 bzero(&sin->sin_zero, sizeof (sin->sin_zero)); 2133 normalized = B_TRUE; 2134 } 2135 } else if (sin->sin_family != AF_INET) { 2136 switch (ext->sadb_ext_type) { 2137 case SADB_EXT_ADDRESS_SRC: 2138 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC_AF; 2139 break; 2140 case SADB_EXT_ADDRESS_DST: 2141 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 2142 break; 2143 case SADB_X_EXT_ADDRESS_INNER_SRC: 2144 diagnostic = SADB_X_DIAGNOSTIC_BAD_PROXY_AF; 2145 break; 2146 case SADB_X_EXT_ADDRESS_INNER_DST: 2147 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF; 2148 break; 2149 case SADB_X_EXT_ADDRESS_NATT_LOC: 2150 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF; 2151 break; 2152 case SADB_X_EXT_ADDRESS_NATT_REM: 2153 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF; 2154 break; 2155 /* There is no default, see above ASSERT. */ 2156 } 2157 bail: 2158 if (pfkey_q != NULL) { 2159 sadb_pfkey_error(pfkey_q, mp, EINVAL, diagnostic, 2160 serial); 2161 } else { 2162 /* 2163 * Scribble in sadb_msg that we got passed in. 2164 * Overload "mp" to be an sadb_msg pointer. 2165 */ 2166 sadb_msg_t *samsg = (sadb_msg_t *)mp; 2167 2168 samsg->sadb_msg_errno = EINVAL; 2169 samsg->sadb_x_msg_diagnostic = diagnostic; 2170 } 2171 return (KS_IN_ADDR_UNKNOWN); 2172 } 2173 2174 if (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC || 2175 ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) { 2176 /* 2177 * We need only check for prefix issues. 2178 */ 2179 2180 /* Set diagnostic now, in case we need it later. */ 2181 diagnostic = 2182 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) ? 2183 SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC : 2184 SADB_X_DIAGNOSTIC_PREFIX_INNER_DST; 2185 2186 if (normalized) 2187 addr->sadb_address_prefixlen -= 96; 2188 2189 /* 2190 * Verify and mask out inner-addresses based on prefix length. 2191 */ 2192 if (sin->sin_family == AF_INET) { 2193 if (addr->sadb_address_prefixlen > 32) 2194 goto bail; 2195 sin->sin_addr.s_addr &= 2196 ip_plen_to_mask(addr->sadb_address_prefixlen); 2197 } else { 2198 in6_addr_t mask; 2199 2200 ASSERT(sin->sin_family == AF_INET6); 2201 /* 2202 * ip_plen_to_mask_v6() returns NULL if the value in 2203 * question is out of range. 2204 */ 2205 if (ip_plen_to_mask_v6(addr->sadb_address_prefixlen, 2206 &mask) == NULL) 2207 goto bail; 2208 sin6->sin6_addr.s6_addr32[0] &= mask.s6_addr32[0]; 2209 sin6->sin6_addr.s6_addr32[1] &= mask.s6_addr32[1]; 2210 sin6->sin6_addr.s6_addr32[2] &= mask.s6_addr32[2]; 2211 sin6->sin6_addr.s6_addr32[3] &= mask.s6_addr32[3]; 2212 } 2213 2214 /* We don't care in these cases. */ 2215 return (KS_IN_ADDR_DONTCARE); 2216 } 2217 2218 if (sin->sin_family == AF_INET6) { 2219 /* Check the easy ones now. */ 2220 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) 2221 return (KS_IN_ADDR_MBCAST); 2222 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) 2223 return (KS_IN_ADDR_UNSPEC); 2224 /* 2225 * At this point, we're a unicast IPv6 address. 2226 * 2227 * A ctable lookup for local is sufficient here. If we're 2228 * local, return KS_IN_ADDR_ME, otherwise KS_IN_ADDR_NOTME. 2229 * 2230 * XXX Zones alert -> me/notme decision needs to be tempered 2231 * by what zone we're in when we go to zone-aware IPsec. 2232 */ 2233 ire = ire_ctable_lookup_v6(&sin6->sin6_addr, NULL, 2234 IRE_LOCAL, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 2235 ns->netstack_ip); 2236 if (ire != NULL) { 2237 /* Hey hey, it's local. */ 2238 IRE_REFRELE(ire); 2239 return (KS_IN_ADDR_ME); 2240 } 2241 } else { 2242 ASSERT(sin->sin_family == AF_INET); 2243 if (sin->sin_addr.s_addr == INADDR_ANY) 2244 return (KS_IN_ADDR_UNSPEC); 2245 if (CLASSD(sin->sin_addr.s_addr)) 2246 return (KS_IN_ADDR_MBCAST); 2247 /* 2248 * At this point we're a unicast or broadcast IPv4 address. 2249 * 2250 * Lookup on the ctable for IRE_BROADCAST or IRE_LOCAL. 2251 * A NULL return value is NOTME, otherwise, look at the 2252 * returned ire for broadcast or not and return accordingly. 2253 * 2254 * XXX Zones alert -> me/notme decision needs to be tempered 2255 * by what zone we're in when we go to zone-aware IPsec. 2256 */ 2257 ire = ire_ctable_lookup(sin->sin_addr.s_addr, 0, 2258 IRE_LOCAL | IRE_BROADCAST, NULL, ALL_ZONES, NULL, 2259 MATCH_IRE_TYPE, ns->netstack_ip); 2260 if (ire != NULL) { 2261 /* Check for local or broadcast */ 2262 type = ire->ire_type; 2263 IRE_REFRELE(ire); 2264 ASSERT(type == IRE_LOCAL || type == IRE_BROADCAST); 2265 return ((type == IRE_LOCAL) ? KS_IN_ADDR_ME : 2266 KS_IN_ADDR_MBCAST); 2267 } 2268 } 2269 2270 return (KS_IN_ADDR_NOTME); 2271 } 2272 2273 /* 2274 * Address normalizations and reality checks for inbound PF_KEY messages. 2275 * 2276 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert 2277 * the source to AF_INET. Do the same for the inner sources. 2278 */ 2279 boolean_t 2280 sadb_addrfix(keysock_in_t *ksi, queue_t *pfkey_q, mblk_t *mp, netstack_t *ns) 2281 { 2282 struct sockaddr_in *src, *isrc; 2283 struct sockaddr_in6 *dst, *idst; 2284 sadb_address_t *srcext, *dstext; 2285 uint16_t sport; 2286 sadb_ext_t **extv = ksi->ks_in_extv; 2287 int rc; 2288 2289 if (extv[SADB_EXT_ADDRESS_SRC] != NULL) { 2290 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_SRC], 2291 ksi->ks_in_serial, ns); 2292 if (rc == KS_IN_ADDR_UNKNOWN) 2293 return (B_FALSE); 2294 if (rc == KS_IN_ADDR_MBCAST) { 2295 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2296 SADB_X_DIAGNOSTIC_BAD_SRC, ksi->ks_in_serial); 2297 return (B_FALSE); 2298 } 2299 ksi->ks_in_srctype = rc; 2300 } 2301 2302 if (extv[SADB_EXT_ADDRESS_DST] != NULL) { 2303 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_DST], 2304 ksi->ks_in_serial, ns); 2305 if (rc == KS_IN_ADDR_UNKNOWN) 2306 return (B_FALSE); 2307 if (rc == KS_IN_ADDR_UNSPEC) { 2308 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2309 SADB_X_DIAGNOSTIC_BAD_DST, ksi->ks_in_serial); 2310 return (B_FALSE); 2311 } 2312 ksi->ks_in_dsttype = rc; 2313 } 2314 2315 /* 2316 * NAT-Traversal addrs are simple enough to not require all of 2317 * the checks in sadb_addrcheck(). Just normalize or reject if not 2318 * AF_INET. 2319 */ 2320 if (extv[SADB_X_EXT_ADDRESS_NATT_LOC] != NULL) { 2321 rc = sadb_addrcheck(pfkey_q, mp, 2322 extv[SADB_X_EXT_ADDRESS_NATT_LOC], ksi->ks_in_serial, ns); 2323 2324 /* 2325 * Local NAT-T addresses never use an IRE_LOCAL, so it should 2326 * always be NOTME, or UNSPEC (to handle both tunnel mode 2327 * AND local-port flexibility). 2328 */ 2329 if (rc != KS_IN_ADDR_NOTME && rc != KS_IN_ADDR_UNSPEC) { 2330 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2331 SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC, 2332 ksi->ks_in_serial); 2333 return (B_FALSE); 2334 } 2335 src = (struct sockaddr_in *) 2336 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_LOC]) + 1); 2337 if (src->sin_family != AF_INET) { 2338 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2339 SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF, 2340 ksi->ks_in_serial); 2341 return (B_FALSE); 2342 } 2343 } 2344 2345 if (extv[SADB_X_EXT_ADDRESS_NATT_REM] != NULL) { 2346 rc = sadb_addrcheck(pfkey_q, mp, 2347 extv[SADB_X_EXT_ADDRESS_NATT_REM], ksi->ks_in_serial, ns); 2348 2349 /* 2350 * Remote NAT-T addresses never use an IRE_LOCAL, so it should 2351 * always be NOTME, or UNSPEC if it's a tunnel-mode SA. 2352 */ 2353 if (rc != KS_IN_ADDR_NOTME && 2354 !(extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL && 2355 rc == KS_IN_ADDR_UNSPEC)) { 2356 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2357 SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM, 2358 ksi->ks_in_serial); 2359 return (B_FALSE); 2360 } 2361 src = (struct sockaddr_in *) 2362 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_REM]) + 1); 2363 if (src->sin_family != AF_INET) { 2364 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2365 SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF, 2366 ksi->ks_in_serial); 2367 return (B_FALSE); 2368 } 2369 } 2370 2371 if (extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL) { 2372 if (extv[SADB_X_EXT_ADDRESS_INNER_DST] == NULL) { 2373 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2374 SADB_X_DIAGNOSTIC_MISSING_INNER_DST, 2375 ksi->ks_in_serial); 2376 return (B_FALSE); 2377 } 2378 2379 if (sadb_addrcheck(pfkey_q, mp, 2380 extv[SADB_X_EXT_ADDRESS_INNER_DST], ksi->ks_in_serial, ns) 2381 == KS_IN_ADDR_UNKNOWN || 2382 sadb_addrcheck(pfkey_q, mp, 2383 extv[SADB_X_EXT_ADDRESS_INNER_SRC], ksi->ks_in_serial, ns) 2384 == KS_IN_ADDR_UNKNOWN) 2385 return (B_FALSE); 2386 2387 isrc = (struct sockaddr_in *) 2388 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC]) + 2389 1); 2390 idst = (struct sockaddr_in6 *) 2391 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]) + 2392 1); 2393 if (isrc->sin_family != idst->sin6_family) { 2394 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2395 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH, 2396 ksi->ks_in_serial); 2397 return (B_FALSE); 2398 } 2399 } else if (extv[SADB_X_EXT_ADDRESS_INNER_DST] != NULL) { 2400 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2401 SADB_X_DIAGNOSTIC_MISSING_INNER_SRC, 2402 ksi->ks_in_serial); 2403 return (B_FALSE); 2404 } else { 2405 isrc = NULL; /* For inner/outer port check below. */ 2406 } 2407 2408 dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST]; 2409 srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC]; 2410 2411 if (dstext == NULL || srcext == NULL) 2412 return (B_TRUE); 2413 2414 dst = (struct sockaddr_in6 *)(dstext + 1); 2415 src = (struct sockaddr_in *)(srcext + 1); 2416 2417 if (isrc != NULL && 2418 (isrc->sin_port != 0 || idst->sin6_port != 0) && 2419 (src->sin_port != 0 || dst->sin6_port != 0)) { 2420 /* Can't set inner and outer ports in one SA. */ 2421 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2422 SADB_X_DIAGNOSTIC_DUAL_PORT_SETS, 2423 ksi->ks_in_serial); 2424 return (B_FALSE); 2425 } 2426 2427 if (dst->sin6_family == src->sin_family) 2428 return (B_TRUE); 2429 2430 if (srcext->sadb_address_proto != dstext->sadb_address_proto) { 2431 if (srcext->sadb_address_proto == 0) { 2432 srcext->sadb_address_proto = dstext->sadb_address_proto; 2433 } else if (dstext->sadb_address_proto == 0) { 2434 dstext->sadb_address_proto = srcext->sadb_address_proto; 2435 } else { 2436 /* Inequal protocols, neither were 0. Report error. */ 2437 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2438 SADB_X_DIAGNOSTIC_PROTO_MISMATCH, 2439 ksi->ks_in_serial); 2440 return (B_FALSE); 2441 } 2442 } 2443 2444 /* 2445 * With the exception of an unspec IPv6 source and an IPv4 2446 * destination, address families MUST me matched. 2447 */ 2448 if (src->sin_family == AF_INET || 2449 ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) { 2450 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2451 SADB_X_DIAGNOSTIC_AF_MISMATCH, ksi->ks_in_serial); 2452 return (B_FALSE); 2453 } 2454 2455 /* 2456 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being 2457 * in the same place for sockaddr_in and sockaddr_in6. 2458 */ 2459 sport = src->sin_port; 2460 bzero(src, sizeof (*src)); 2461 src->sin_family = AF_INET; 2462 src->sin_port = sport; 2463 2464 return (B_TRUE); 2465 } 2466 2467 /* 2468 * Set the results in "addrtype", given an IRE as requested by 2469 * sadb_addrcheck(). 2470 */ 2471 int 2472 sadb_addrset(ire_t *ire) 2473 { 2474 if ((ire->ire_type & IRE_BROADCAST) || 2475 (ire->ire_ipversion == IPV4_VERSION && CLASSD(ire->ire_addr)) || 2476 (ire->ire_ipversion == IPV6_VERSION && 2477 IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6)))) 2478 return (KS_IN_ADDR_MBCAST); 2479 if (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) 2480 return (KS_IN_ADDR_ME); 2481 return (KS_IN_ADDR_NOTME); 2482 } 2483 2484 2485 /* 2486 * Walker callback function to delete sa's based on src/dst address. 2487 * Assumes that we're called with *head locked, no other locks held; 2488 * Conveniently, and not coincidentally, this is both what sadb_walker 2489 * gives us and also what sadb_unlinkassoc expects. 2490 */ 2491 2492 struct sadb_purge_state 2493 { 2494 uint32_t *src; 2495 uint32_t *dst; 2496 sa_family_t af; 2497 boolean_t inbnd; 2498 char *sidstr; 2499 char *didstr; 2500 uint16_t sidtype; 2501 uint16_t didtype; 2502 uint32_t kmproto; 2503 uint8_t sadb_sa_state; 2504 mblk_t *mq; 2505 sadb_t *sp; 2506 }; 2507 2508 static void 2509 sadb_purge_cb(isaf_t *head, ipsa_t *entry, void *cookie) 2510 { 2511 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2512 2513 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2514 2515 mutex_enter(&entry->ipsa_lock); 2516 2517 if ((entry->ipsa_state == IPSA_STATE_LARVAL) || 2518 (ps->src != NULL && 2519 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, ps->src, ps->af)) || 2520 (ps->dst != NULL && 2521 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_dstaddr, ps->dst, ps->af)) || 2522 (ps->didstr != NULL && (entry->ipsa_dst_cid != NULL) && 2523 !(ps->didtype == entry->ipsa_dst_cid->ipsid_type && 2524 strcmp(ps->didstr, entry->ipsa_dst_cid->ipsid_cid) == 0)) || 2525 (ps->sidstr != NULL && (entry->ipsa_src_cid != NULL) && 2526 !(ps->sidtype == entry->ipsa_src_cid->ipsid_type && 2527 strcmp(ps->sidstr, entry->ipsa_src_cid->ipsid_cid) == 0)) || 2528 (ps->kmproto <= SADB_X_KMP_MAX && ps->kmproto != entry->ipsa_kmp)) { 2529 mutex_exit(&entry->ipsa_lock); 2530 return; 2531 } 2532 2533 if (ps->inbnd) { 2534 sadb_delete_cluster(entry); 2535 } 2536 entry->ipsa_state = IPSA_STATE_DEAD; 2537 (void) sadb_torch_assoc(head, entry, ps->inbnd, &ps->mq); 2538 } 2539 2540 /* 2541 * Common code to purge an SA with a matching src or dst address. 2542 * Don't kill larval SA's in such a purge. 2543 */ 2544 int 2545 sadb_purge_sa(mblk_t *mp, keysock_in_t *ksi, sadb_t *sp, queue_t *pfkey_q, 2546 queue_t *ip_q) 2547 { 2548 sadb_address_t *dstext = 2549 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2550 sadb_address_t *srcext = 2551 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2552 sadb_ident_t *dstid = 2553 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 2554 sadb_ident_t *srcid = 2555 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 2556 sadb_x_kmc_t *kmc = 2557 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 2558 struct sockaddr_in *src, *dst; 2559 struct sockaddr_in6 *src6, *dst6; 2560 struct sadb_purge_state ps; 2561 2562 /* 2563 * Don't worry about IPv6 v4-mapped addresses, sadb_addrcheck() 2564 * takes care of them. 2565 */ 2566 2567 /* enforced by caller */ 2568 ASSERT((dstext != NULL) || (srcext != NULL)); 2569 2570 ps.src = NULL; 2571 ps.dst = NULL; 2572 #ifdef DEBUG 2573 ps.af = (sa_family_t)-1; 2574 #endif 2575 ps.mq = NULL; 2576 ps.sidstr = NULL; 2577 ps.didstr = NULL; 2578 ps.kmproto = SADB_X_KMP_MAX + 1; 2579 2580 if (dstext != NULL) { 2581 dst = (struct sockaddr_in *)(dstext + 1); 2582 ps.af = dst->sin_family; 2583 if (dst->sin_family == AF_INET6) { 2584 dst6 = (struct sockaddr_in6 *)dst; 2585 ps.dst = (uint32_t *)&dst6->sin6_addr; 2586 } else { 2587 ps.dst = (uint32_t *)&dst->sin_addr; 2588 } 2589 } 2590 2591 if (srcext != NULL) { 2592 src = (struct sockaddr_in *)(srcext + 1); 2593 ps.af = src->sin_family; 2594 if (src->sin_family == AF_INET6) { 2595 src6 = (struct sockaddr_in6 *)(srcext + 1); 2596 ps.src = (uint32_t *)&src6->sin6_addr; 2597 } else { 2598 ps.src = (uint32_t *)&src->sin_addr; 2599 } 2600 ASSERT(dstext == NULL || src->sin_family == dst->sin_family); 2601 } 2602 2603 ASSERT(ps.af != (sa_family_t)-1); 2604 2605 if (dstid != NULL) { 2606 /* 2607 * NOTE: May need to copy string in the future 2608 * if the inbound keysock message disappears for some strange 2609 * reason. 2610 */ 2611 ps.didstr = (char *)(dstid + 1); 2612 ps.didtype = dstid->sadb_ident_type; 2613 } 2614 2615 if (srcid != NULL) { 2616 /* 2617 * NOTE: May need to copy string in the future 2618 * if the inbound keysock message disappears for some strange 2619 * reason. 2620 */ 2621 ps.sidstr = (char *)(srcid + 1); 2622 ps.sidtype = srcid->sadb_ident_type; 2623 } 2624 2625 if (kmc != NULL) 2626 ps.kmproto = kmc->sadb_x_kmc_proto; 2627 2628 /* 2629 * This is simple, crude, and effective. 2630 * Unimplemented optimizations (TBD): 2631 * - we can limit how many places we search based on where we 2632 * think the SA is filed. 2633 * - if we get a dst address, we can hash based on dst addr to find 2634 * the correct bucket in the outbound table. 2635 */ 2636 ps.inbnd = B_TRUE; 2637 sadb_walker(sp->sdb_if, sp->sdb_hashsize, sadb_purge_cb, &ps); 2638 ps.inbnd = B_FALSE; 2639 sadb_walker(sp->sdb_of, sp->sdb_hashsize, sadb_purge_cb, &ps); 2640 2641 if (ps.mq != NULL) 2642 sadb_drain_torchq(ip_q, ps.mq); 2643 2644 ASSERT(mp->b_cont != NULL); 2645 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi, 2646 NULL); 2647 return (0); 2648 } 2649 2650 static void 2651 sadb_delpair_state(isaf_t *head, ipsa_t *entry, void *cookie) 2652 { 2653 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2654 isaf_t *inbound_bucket; 2655 ipsa_t *peer_assoc; 2656 2657 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2658 2659 mutex_enter(&entry->ipsa_lock); 2660 2661 if ((entry->ipsa_state != ps->sadb_sa_state) || 2662 ((ps->src != NULL) && 2663 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, ps->src, ps->af))) { 2664 mutex_exit(&entry->ipsa_lock); 2665 return; 2666 } 2667 2668 /* 2669 * The isaf_t *, which is passed in , is always an outbound bucket, 2670 * and we are preserving the outbound-then-inbound hash-bucket lock 2671 * ordering. The sadb_walker() which triggers this function is called 2672 * only on the outbound fanout, and the corresponding inbound bucket 2673 * lock is safe to acquire here. 2674 */ 2675 2676 if (entry->ipsa_haspeer) { 2677 inbound_bucket = INBOUND_BUCKET(ps->sp, entry->ipsa_spi); 2678 mutex_enter(&inbound_bucket->isaf_lock); 2679 peer_assoc = ipsec_getassocbyspi(inbound_bucket, 2680 entry->ipsa_spi, entry->ipsa_srcaddr, 2681 entry->ipsa_dstaddr, entry->ipsa_addrfam); 2682 } else { 2683 inbound_bucket = INBOUND_BUCKET(ps->sp, entry->ipsa_otherspi); 2684 mutex_enter(&inbound_bucket->isaf_lock); 2685 peer_assoc = ipsec_getassocbyspi(inbound_bucket, 2686 entry->ipsa_otherspi, entry->ipsa_dstaddr, 2687 entry->ipsa_srcaddr, entry->ipsa_addrfam); 2688 } 2689 2690 entry->ipsa_state = IPSA_STATE_DEAD; 2691 (void) sadb_torch_assoc(head, entry, B_FALSE, &ps->mq); 2692 if (peer_assoc != NULL) { 2693 mutex_enter(&peer_assoc->ipsa_lock); 2694 peer_assoc->ipsa_state = IPSA_STATE_DEAD; 2695 (void) sadb_torch_assoc(inbound_bucket, peer_assoc, 2696 B_FALSE, &ps->mq); 2697 } 2698 mutex_exit(&inbound_bucket->isaf_lock); 2699 } 2700 2701 /* 2702 * Common code to delete/get an SA. 2703 */ 2704 int 2705 sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp, 2706 int *diagnostic, queue_t *pfkey_q, uint8_t sadb_msg_type) 2707 { 2708 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2709 sadb_address_t *srcext = 2710 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2711 sadb_address_t *dstext = 2712 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2713 ipsa_t *echo_target = NULL; 2714 ipsap_t *ipsapp; 2715 mblk_t *torchq = NULL; 2716 uint_t error = 0; 2717 2718 if (assoc == NULL) { 2719 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 2720 return (EINVAL); 2721 } 2722 2723 if (sadb_msg_type == SADB_X_DELPAIR_STATE) { 2724 struct sockaddr_in *src; 2725 struct sockaddr_in6 *src6; 2726 struct sadb_purge_state ps; 2727 2728 if (srcext == NULL) { 2729 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 2730 return (EINVAL); 2731 } 2732 ps.src = NULL; 2733 ps.mq = NULL; 2734 src = (struct sockaddr_in *)(srcext + 1); 2735 ps.af = src->sin_family; 2736 if (src->sin_family == AF_INET6) { 2737 src6 = (struct sockaddr_in6 *)(srcext + 1); 2738 ps.src = (uint32_t *)&src6->sin6_addr; 2739 ps.sp = &spp->s_v6; 2740 } else { 2741 ps.src = (uint32_t *)&src->sin_addr; 2742 ps.sp = &spp->s_v4; 2743 } 2744 ps.inbnd = B_FALSE; 2745 ps.sadb_sa_state = assoc->sadb_sa_state; 2746 sadb_walker(ps.sp->sdb_of, ps.sp->sdb_hashsize, 2747 sadb_delpair_state, &ps); 2748 2749 if (ps.mq != NULL) 2750 sadb_drain_torchq(pfkey_q, ps.mq); 2751 2752 ASSERT(mp->b_cont != NULL); 2753 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 2754 ksi, NULL); 2755 return (0); 2756 } 2757 2758 if (dstext == NULL) { 2759 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 2760 return (EINVAL); 2761 } 2762 2763 ipsapp = get_ipsa_pair(assoc, srcext, dstext, spp); 2764 if (ipsapp == NULL) { 2765 *diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND; 2766 return (ESRCH); 2767 } 2768 2769 echo_target = ipsapp->ipsap_sa_ptr; 2770 if (echo_target == NULL) 2771 echo_target = ipsapp->ipsap_psa_ptr; 2772 2773 if (sadb_msg_type == SADB_DELETE || sadb_msg_type == SADB_X_DELPAIR) { 2774 /* 2775 * Bucket locks will be required if SA is actually unlinked. 2776 * get_ipsa_pair() returns valid hash bucket pointers even 2777 * if it can't find a pair SA pointer. To prevent a potential 2778 * deadlock, always lock the outbound bucket before the inbound. 2779 */ 2780 if (ipsapp->in_inbound_table) { 2781 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock); 2782 mutex_enter(&ipsapp->ipsap_bucket->isaf_lock); 2783 } else { 2784 mutex_enter(&ipsapp->ipsap_bucket->isaf_lock); 2785 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock); 2786 } 2787 2788 if (ipsapp->ipsap_sa_ptr != NULL) { 2789 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2790 if (ipsapp->ipsap_sa_ptr->ipsa_flags & IPSA_F_INBOUND) { 2791 sadb_delete_cluster(ipsapp->ipsap_sa_ptr); 2792 } 2793 ipsapp->ipsap_sa_ptr->ipsa_state = IPSA_STATE_DEAD; 2794 (void) sadb_torch_assoc(ipsapp->ipsap_bucket, 2795 ipsapp->ipsap_sa_ptr, B_FALSE, &torchq); 2796 /* 2797 * sadb_torch_assoc() releases the ipsa_lock 2798 * and calls sadb_unlinkassoc() which does a 2799 * IPSA_REFRELE. 2800 */ 2801 } 2802 if (ipsapp->ipsap_psa_ptr != NULL) { 2803 mutex_enter(&ipsapp->ipsap_psa_ptr->ipsa_lock); 2804 if (sadb_msg_type == SADB_X_DELPAIR || 2805 ipsapp->ipsap_psa_ptr->ipsa_haspeer) { 2806 if (ipsapp->ipsap_psa_ptr->ipsa_flags & 2807 IPSA_F_INBOUND) { 2808 sadb_delete_cluster( 2809 ipsapp->ipsap_psa_ptr); 2810 } 2811 ipsapp->ipsap_psa_ptr->ipsa_state = 2812 IPSA_STATE_DEAD; 2813 (void) sadb_torch_assoc(ipsapp->ipsap_pbucket, 2814 ipsapp->ipsap_psa_ptr, B_FALSE, &torchq); 2815 } else { 2816 /* 2817 * Only half of the "pair" has been deleted. 2818 * Update the remaining SA and remove references 2819 * to its pair SA, which is now gone. 2820 */ 2821 ipsapp->ipsap_psa_ptr->ipsa_otherspi = 0; 2822 ipsapp->ipsap_psa_ptr->ipsa_flags &= 2823 ~IPSA_F_PAIRED; 2824 mutex_exit(&ipsapp->ipsap_psa_ptr->ipsa_lock); 2825 } 2826 } else if (sadb_msg_type == SADB_X_DELPAIR) { 2827 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 2828 error = ESRCH; 2829 } 2830 mutex_exit(&ipsapp->ipsap_bucket->isaf_lock); 2831 mutex_exit(&ipsapp->ipsap_pbucket->isaf_lock); 2832 } 2833 2834 if (torchq != NULL) 2835 sadb_drain_torchq(spp->s_ip_q, torchq); 2836 2837 ASSERT(mp->b_cont != NULL); 2838 2839 if (error == 0) 2840 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *) 2841 mp->b_cont->b_rptr, ksi, echo_target); 2842 2843 destroy_ipsa_pair(ipsapp); 2844 2845 return (error); 2846 } 2847 2848 /* 2849 * This function takes a sadb_sa_t and finds the ipsa_t structure 2850 * and the isaf_t (hash bucket) that its stored under. If the security 2851 * association has a peer, the ipsa_t structure and bucket for that security 2852 * association are also searched for. The "pair" of ipsa_t's and isaf_t's 2853 * are returned as a ipsap_t. 2854 * 2855 * The hash buckets are returned for convenience, if the calling function 2856 * needs to use the hash bucket locks, say to remove the SA's, it should 2857 * take care to observe the convention of locking outbound bucket then 2858 * inbound bucket. The flag in_inbound_table provides direction. 2859 * 2860 * Note that a "pair" is defined as one (but not both) of the following: 2861 * 2862 * A security association which has a soft reference to another security 2863 * association via its SPI. 2864 * 2865 * A security association that is not obviously "inbound" or "outbound" so 2866 * it appears in both hash tables, the "peer" being the same security 2867 * association in the other hash table. 2868 * 2869 * This function will return NULL if the ipsa_t can't be found in the 2870 * inbound or outbound hash tables (not found). If only one ipsa_t is 2871 * found, the pair ipsa_t will be NULL. Both isaf_t values are valid 2872 * provided at least one ipsa_t is found. 2873 */ 2874 ipsap_t * 2875 get_ipsa_pair(sadb_sa_t *assoc, sadb_address_t *srcext, sadb_address_t *dstext, 2876 sadbp_t *spp) 2877 { 2878 struct sockaddr_in *src, *dst; 2879 struct sockaddr_in6 *src6, *dst6; 2880 sadb_t *sp; 2881 uint32_t *srcaddr, *dstaddr; 2882 isaf_t *outbound_bucket, *inbound_bucket; 2883 ipsap_t *ipsapp; 2884 sa_family_t af; 2885 2886 uint32_t pair_srcaddr[IPSA_MAX_ADDRLEN]; 2887 uint32_t pair_dstaddr[IPSA_MAX_ADDRLEN]; 2888 uint32_t pair_spi; 2889 2890 ipsapp = kmem_zalloc(sizeof (*ipsapp), KM_NOSLEEP); 2891 if (ipsapp == NULL) 2892 return (NULL); 2893 2894 ipsapp->in_inbound_table = B_FALSE; 2895 2896 /* 2897 * Don't worry about IPv6 v4-mapped addresses, sadb_addrcheck() 2898 * takes care of them. 2899 */ 2900 2901 dst = (struct sockaddr_in *)(dstext + 1); 2902 af = dst->sin_family; 2903 if (af == AF_INET6) { 2904 sp = &spp->s_v6; 2905 dst6 = (struct sockaddr_in6 *)dst; 2906 dstaddr = (uint32_t *)&dst6->sin6_addr; 2907 if (srcext != NULL) { 2908 src6 = (struct sockaddr_in6 *)(srcext + 1); 2909 srcaddr = (uint32_t *)&src6->sin6_addr; 2910 ASSERT(src6->sin6_family == af); 2911 ASSERT(src6->sin6_family == AF_INET6); 2912 } else { 2913 srcaddr = ALL_ZEROES_PTR; 2914 } 2915 outbound_bucket = OUTBOUND_BUCKET_V6(sp, 2916 *(uint32_t *)dstaddr); 2917 } else { 2918 sp = &spp->s_v4; 2919 dstaddr = (uint32_t *)&dst->sin_addr; 2920 if (srcext != NULL) { 2921 src = (struct sockaddr_in *)(srcext + 1); 2922 srcaddr = (uint32_t *)&src->sin_addr; 2923 ASSERT(src->sin_family == af); 2924 ASSERT(src->sin_family == AF_INET); 2925 } else { 2926 srcaddr = ALL_ZEROES_PTR; 2927 } 2928 outbound_bucket = OUTBOUND_BUCKET_V4(sp, 2929 *(uint32_t *)dstaddr); 2930 } 2931 2932 inbound_bucket = INBOUND_BUCKET(sp, assoc->sadb_sa_spi); 2933 2934 /* Lock down both buckets. */ 2935 mutex_enter(&outbound_bucket->isaf_lock); 2936 mutex_enter(&inbound_bucket->isaf_lock); 2937 2938 if (assoc->sadb_sa_flags & IPSA_F_INBOUND) { 2939 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(inbound_bucket, 2940 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2941 if (ipsapp->ipsap_sa_ptr != NULL) { 2942 ipsapp->ipsap_bucket = inbound_bucket; 2943 ipsapp->ipsap_pbucket = outbound_bucket; 2944 ipsapp->in_inbound_table = B_TRUE; 2945 } else { 2946 ipsapp->ipsap_sa_ptr = 2947 ipsec_getassocbyspi(outbound_bucket, 2948 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2949 ipsapp->ipsap_bucket = outbound_bucket; 2950 ipsapp->ipsap_pbucket = inbound_bucket; 2951 } 2952 } else { 2953 /* IPSA_F_OUTBOUND is set *or* no directions flags set. */ 2954 ipsapp->ipsap_sa_ptr = 2955 ipsec_getassocbyspi(outbound_bucket, 2956 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2957 if (ipsapp->ipsap_sa_ptr != NULL) { 2958 ipsapp->ipsap_bucket = outbound_bucket; 2959 ipsapp->ipsap_pbucket = inbound_bucket; 2960 } else { 2961 ipsapp->ipsap_sa_ptr = 2962 ipsec_getassocbyspi(inbound_bucket, 2963 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2964 ipsapp->ipsap_bucket = inbound_bucket; 2965 ipsapp->ipsap_pbucket = outbound_bucket; 2966 if (ipsapp->ipsap_sa_ptr != NULL) 2967 ipsapp->in_inbound_table = B_TRUE; 2968 } 2969 } 2970 2971 if (ipsapp->ipsap_sa_ptr == NULL) { 2972 mutex_exit(&outbound_bucket->isaf_lock); 2973 mutex_exit(&inbound_bucket->isaf_lock); 2974 kmem_free(ipsapp, sizeof (*ipsapp)); 2975 return (NULL); 2976 } 2977 2978 if ((ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) && 2979 ipsapp->in_inbound_table) { 2980 mutex_exit(&outbound_bucket->isaf_lock); 2981 mutex_exit(&inbound_bucket->isaf_lock); 2982 return (ipsapp); 2983 } 2984 2985 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2986 if (ipsapp->ipsap_sa_ptr->ipsa_haspeer) { 2987 /* 2988 * haspeer implies no sa_pairing, look for same spi 2989 * in other hashtable. 2990 */ 2991 ipsapp->ipsap_psa_ptr = 2992 ipsec_getassocbyspi(ipsapp->ipsap_pbucket, 2993 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2994 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2995 mutex_exit(&outbound_bucket->isaf_lock); 2996 mutex_exit(&inbound_bucket->isaf_lock); 2997 return (ipsapp); 2998 } 2999 pair_spi = ipsapp->ipsap_sa_ptr->ipsa_otherspi; 3000 IPSA_COPY_ADDR(&pair_srcaddr, 3001 ipsapp->ipsap_sa_ptr->ipsa_srcaddr, af); 3002 IPSA_COPY_ADDR(&pair_dstaddr, 3003 ipsapp->ipsap_sa_ptr->ipsa_dstaddr, af); 3004 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 3005 mutex_exit(&outbound_bucket->isaf_lock); 3006 mutex_exit(&inbound_bucket->isaf_lock); 3007 3008 if (pair_spi == 0) { 3009 ASSERT(ipsapp->ipsap_bucket != NULL); 3010 ASSERT(ipsapp->ipsap_pbucket != NULL); 3011 return (ipsapp); 3012 } 3013 3014 /* found sa in outbound sadb, peer should be inbound */ 3015 3016 if (ipsapp->in_inbound_table) { 3017 /* Found SA in inbound table, pair will be in outbound. */ 3018 if (af == AF_INET6) { 3019 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V6(sp, 3020 *(uint32_t *)pair_srcaddr); 3021 } else { 3022 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V4(sp, 3023 *(uint32_t *)pair_srcaddr); 3024 } 3025 } else { 3026 ipsapp->ipsap_pbucket = INBOUND_BUCKET(sp, pair_spi); 3027 } 3028 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock); 3029 ipsapp->ipsap_psa_ptr = ipsec_getassocbyspi(ipsapp->ipsap_pbucket, 3030 pair_spi, pair_dstaddr, pair_srcaddr, af); 3031 mutex_exit(&ipsapp->ipsap_pbucket->isaf_lock); 3032 ASSERT(ipsapp->ipsap_bucket != NULL); 3033 ASSERT(ipsapp->ipsap_pbucket != NULL); 3034 return (ipsapp); 3035 } 3036 3037 /* 3038 * Initialize the mechanism parameters associated with an SA. 3039 * These parameters can be shared by multiple packets, which saves 3040 * us from the overhead of consulting the algorithm table for 3041 * each packet. 3042 */ 3043 static void 3044 sadb_init_alginfo(ipsa_t *sa) 3045 { 3046 ipsec_alginfo_t *alg; 3047 ipsec_stack_t *ipss = sa->ipsa_netstack->netstack_ipsec; 3048 3049 mutex_enter(&ipss->ipsec_alg_lock); 3050 3051 if (sa->ipsa_encrkey != NULL) { 3052 alg = ipss->ipsec_alglists[IPSEC_ALG_ENCR][sa->ipsa_encr_alg]; 3053 if (alg != NULL && ALG_VALID(alg)) { 3054 sa->ipsa_emech.cm_type = alg->alg_mech_type; 3055 sa->ipsa_emech.cm_param = NULL; 3056 sa->ipsa_emech.cm_param_len = 0; 3057 sa->ipsa_iv_len = alg->alg_datalen; 3058 } else 3059 sa->ipsa_emech.cm_type = CRYPTO_MECHANISM_INVALID; 3060 } 3061 3062 if (sa->ipsa_authkey != NULL) { 3063 alg = ipss->ipsec_alglists[IPSEC_ALG_AUTH][sa->ipsa_auth_alg]; 3064 if (alg != NULL && ALG_VALID(alg)) { 3065 sa->ipsa_amech.cm_type = alg->alg_mech_type; 3066 sa->ipsa_amech.cm_param = (char *)&sa->ipsa_mac_len; 3067 sa->ipsa_amech.cm_param_len = sizeof (size_t); 3068 sa->ipsa_mac_len = (size_t)alg->alg_datalen; 3069 } else 3070 sa->ipsa_amech.cm_type = CRYPTO_MECHANISM_INVALID; 3071 } 3072 3073 mutex_exit(&ipss->ipsec_alg_lock); 3074 } 3075 3076 /* 3077 * Perform NAT-traversal cached checksum offset calculations here. 3078 */ 3079 static void 3080 sadb_nat_calculations(ipsa_t *newbie, sadb_address_t *natt_loc_ext, 3081 sadb_address_t *natt_rem_ext, uint32_t *src_addr_ptr, 3082 uint32_t *dst_addr_ptr) 3083 { 3084 struct sockaddr_in *natt_loc, *natt_rem; 3085 uint32_t *natt_loc_ptr = NULL, *natt_rem_ptr = NULL; 3086 uint32_t running_sum = 0; 3087 3088 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16) 3089 3090 if (natt_rem_ext != NULL) { 3091 uint32_t l_src; 3092 uint32_t l_rem; 3093 3094 natt_rem = (struct sockaddr_in *)(natt_rem_ext + 1); 3095 3096 /* Ensured by sadb_addrfix(). */ 3097 ASSERT(natt_rem->sin_family == AF_INET); 3098 3099 natt_rem_ptr = (uint32_t *)(&natt_rem->sin_addr); 3100 newbie->ipsa_remote_nat_port = natt_rem->sin_port; 3101 l_src = *src_addr_ptr; 3102 l_rem = *natt_rem_ptr; 3103 3104 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */ 3105 newbie->ipsa_natt_addr_rem = *natt_rem_ptr; 3106 3107 l_src = ntohl(l_src); 3108 DOWN_SUM(l_src); 3109 DOWN_SUM(l_src); 3110 l_rem = ntohl(l_rem); 3111 DOWN_SUM(l_rem); 3112 DOWN_SUM(l_rem); 3113 3114 /* 3115 * We're 1's complement for checksums, so check for wraparound 3116 * here. 3117 */ 3118 if (l_rem > l_src) 3119 l_src--; 3120 3121 running_sum += l_src - l_rem; 3122 3123 DOWN_SUM(running_sum); 3124 DOWN_SUM(running_sum); 3125 } 3126 3127 if (natt_loc_ext != NULL) { 3128 natt_loc = (struct sockaddr_in *)(natt_loc_ext + 1); 3129 3130 /* Ensured by sadb_addrfix(). */ 3131 ASSERT(natt_loc->sin_family == AF_INET); 3132 3133 natt_loc_ptr = (uint32_t *)(&natt_loc->sin_addr); 3134 newbie->ipsa_local_nat_port = natt_loc->sin_port; 3135 3136 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */ 3137 newbie->ipsa_natt_addr_loc = *natt_loc_ptr; 3138 3139 /* 3140 * NAT-T port agility means we may have natt_loc_ext, but 3141 * only for a local-port change. 3142 */ 3143 if (natt_loc->sin_addr.s_addr != INADDR_ANY) { 3144 uint32_t l_dst = ntohl(*dst_addr_ptr); 3145 uint32_t l_loc = ntohl(*natt_loc_ptr); 3146 3147 DOWN_SUM(l_loc); 3148 DOWN_SUM(l_loc); 3149 DOWN_SUM(l_dst); 3150 DOWN_SUM(l_dst); 3151 3152 /* 3153 * We're 1's complement for checksums, so check for 3154 * wraparound here. 3155 */ 3156 if (l_loc > l_dst) 3157 l_dst--; 3158 3159 running_sum += l_dst - l_loc; 3160 DOWN_SUM(running_sum); 3161 DOWN_SUM(running_sum); 3162 } 3163 } 3164 3165 newbie->ipsa_inbound_cksum = running_sum; 3166 #undef DOWN_SUM 3167 } 3168 3169 /* 3170 * This function is called from consumers that need to insert a fully-grown 3171 * security association into its tables. This function takes into account that 3172 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary" 3173 * hash bucket parameters are set in order of what the SA will be most of the 3174 * time. (For example, an SA with an unspecified source, and a multicast 3175 * destination will primarily be an outbound SA. OTOH, if that destination 3176 * is unicast for this node, then the SA will primarily be inbound.) 3177 * 3178 * It takes a lot of parameters because even if clone is B_FALSE, this needs 3179 * to check both buckets for purposes of collision. 3180 * 3181 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for 3182 * various error conditions. We may need to set samsg->sadb_x_msg_diagnostic 3183 * with additional diagnostic information because there is at least one EINVAL 3184 * case here. 3185 */ 3186 int 3187 sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 3188 keysock_in_t *ksi, isaf_t *primary, isaf_t *secondary, 3189 ipsa_t *newbie, boolean_t clone, boolean_t is_inbound, int *diagnostic, 3190 netstack_t *ns, sadbp_t *spp) 3191 { 3192 ipsa_t *newbie_clone = NULL, *scratch; 3193 ipsap_t *ipsapp = NULL; 3194 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 3195 sadb_address_t *srcext = 3196 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 3197 sadb_address_t *dstext = 3198 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 3199 sadb_address_t *isrcext = 3200 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC]; 3201 sadb_address_t *idstext = 3202 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_DST]; 3203 sadb_x_kmc_t *kmcext = 3204 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 3205 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 3206 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 3207 sadb_x_pair_t *pair_ext = 3208 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 3209 sadb_x_replay_ctr_t *replayext = 3210 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE]; 3211 uint8_t protocol = 3212 (samsg->sadb_msg_satype == SADB_SATYPE_AH) ? IPPROTO_AH:IPPROTO_ESP; 3213 #if 0 3214 /* 3215 * XXXMLS - When Trusted Solaris or Multi-Level Secure functionality 3216 * comes to ON, examine these if 0'ed fragments. Look for XXXMLS. 3217 */ 3218 sadb_sens_t *sens = (sadb_sens_t *); 3219 #endif 3220 struct sockaddr_in *src, *dst, *isrc, *idst; 3221 struct sockaddr_in6 *src6, *dst6, *isrc6, *idst6; 3222 sadb_lifetime_t *soft = 3223 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 3224 sadb_lifetime_t *hard = 3225 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 3226 sadb_lifetime_t *idle = 3227 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE]; 3228 sa_family_t af; 3229 int error = 0; 3230 boolean_t isupdate = (newbie != NULL); 3231 uint32_t *src_addr_ptr, *dst_addr_ptr, *isrc_addr_ptr, *idst_addr_ptr; 3232 mblk_t *ctl_mp = NULL; 3233 ipsec_stack_t *ipss = ns->netstack_ipsec; 3234 int rcode; 3235 3236 if (srcext == NULL) { 3237 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 3238 return (EINVAL); 3239 } 3240 if (dstext == NULL) { 3241 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 3242 return (EINVAL); 3243 } 3244 if (assoc == NULL) { 3245 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 3246 return (EINVAL); 3247 } 3248 3249 src = (struct sockaddr_in *)(srcext + 1); 3250 src6 = (struct sockaddr_in6 *)(srcext + 1); 3251 dst = (struct sockaddr_in *)(dstext + 1); 3252 dst6 = (struct sockaddr_in6 *)(dstext + 1); 3253 if (isrcext != NULL) { 3254 isrc = (struct sockaddr_in *)(isrcext + 1); 3255 isrc6 = (struct sockaddr_in6 *)(isrcext + 1); 3256 ASSERT(idstext != NULL); 3257 idst = (struct sockaddr_in *)(idstext + 1); 3258 idst6 = (struct sockaddr_in6 *)(idstext + 1); 3259 } else { 3260 isrc = NULL; 3261 isrc6 = NULL; 3262 } 3263 3264 af = src->sin_family; 3265 3266 if (af == AF_INET) { 3267 src_addr_ptr = (uint32_t *)&src->sin_addr; 3268 dst_addr_ptr = (uint32_t *)&dst->sin_addr; 3269 } else { 3270 ASSERT(af == AF_INET6); 3271 src_addr_ptr = (uint32_t *)&src6->sin6_addr; 3272 dst_addr_ptr = (uint32_t *)&dst6->sin6_addr; 3273 } 3274 3275 if (!isupdate && (clone == B_TRUE || is_inbound == B_TRUE) && 3276 cl_inet_checkspi && 3277 (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) { 3278 rcode = cl_inet_checkspi(ns->netstack_stackid, protocol, 3279 assoc->sadb_sa_spi, NULL); 3280 if (rcode == -1) { 3281 return (EEXIST); 3282 } 3283 } 3284 3285 /* 3286 * Check to see if the new SA will be cloned AND paired. The 3287 * reason a SA will be cloned is the source or destination addresses 3288 * are not specific enough to determine if the SA goes in the outbound 3289 * or the inbound hash table, so its cloned and put in both. If 3290 * the SA is paired, it's soft linked to another SA for the other 3291 * direction. Keeping track and looking up SA's that are direction 3292 * unspecific and linked is too hard. 3293 */ 3294 if (clone && (pair_ext != NULL)) { 3295 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 3296 return (EINVAL); 3297 } 3298 3299 if (!isupdate) { 3300 newbie = sadb_makelarvalassoc(assoc->sadb_sa_spi, 3301 src_addr_ptr, dst_addr_ptr, af, ns); 3302 if (newbie == NULL) 3303 return (ENOMEM); 3304 } 3305 3306 mutex_enter(&newbie->ipsa_lock); 3307 3308 if (isrc != NULL) { 3309 if (isrc->sin_family == AF_INET) { 3310 if (srcext->sadb_address_proto != IPPROTO_ENCAP) { 3311 if (srcext->sadb_address_proto != 0) { 3312 /* 3313 * Mismatched outer-packet protocol 3314 * and inner-packet address family. 3315 */ 3316 mutex_exit(&newbie->ipsa_lock); 3317 error = EPROTOTYPE; 3318 *diagnostic = 3319 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 3320 goto error; 3321 } else { 3322 /* Fill in with explicit protocol. */ 3323 srcext->sadb_address_proto = 3324 IPPROTO_ENCAP; 3325 dstext->sadb_address_proto = 3326 IPPROTO_ENCAP; 3327 } 3328 } 3329 isrc_addr_ptr = (uint32_t *)&isrc->sin_addr; 3330 idst_addr_ptr = (uint32_t *)&idst->sin_addr; 3331 } else { 3332 ASSERT(isrc->sin_family == AF_INET6); 3333 if (srcext->sadb_address_proto != IPPROTO_IPV6) { 3334 if (srcext->sadb_address_proto != 0) { 3335 /* 3336 * Mismatched outer-packet protocol 3337 * and inner-packet address family. 3338 */ 3339 mutex_exit(&newbie->ipsa_lock); 3340 error = EPROTOTYPE; 3341 *diagnostic = 3342 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 3343 goto error; 3344 } else { 3345 /* Fill in with explicit protocol. */ 3346 srcext->sadb_address_proto = 3347 IPPROTO_IPV6; 3348 dstext->sadb_address_proto = 3349 IPPROTO_IPV6; 3350 } 3351 } 3352 isrc_addr_ptr = (uint32_t *)&isrc6->sin6_addr; 3353 idst_addr_ptr = (uint32_t *)&idst6->sin6_addr; 3354 } 3355 newbie->ipsa_innerfam = isrc->sin_family; 3356 3357 IPSA_COPY_ADDR(newbie->ipsa_innersrc, isrc_addr_ptr, 3358 newbie->ipsa_innerfam); 3359 IPSA_COPY_ADDR(newbie->ipsa_innerdst, idst_addr_ptr, 3360 newbie->ipsa_innerfam); 3361 newbie->ipsa_innersrcpfx = isrcext->sadb_address_prefixlen; 3362 newbie->ipsa_innerdstpfx = idstext->sadb_address_prefixlen; 3363 3364 /* Unique value uses inner-ports for Tunnel Mode... */ 3365 newbie->ipsa_unique_id = SA_UNIQUE_ID(isrc->sin_port, 3366 idst->sin_port, dstext->sadb_address_proto, 3367 idstext->sadb_address_proto); 3368 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(isrc->sin_port, 3369 idst->sin_port, dstext->sadb_address_proto, 3370 idstext->sadb_address_proto); 3371 } else { 3372 /* ... and outer-ports for Transport Mode. */ 3373 newbie->ipsa_unique_id = SA_UNIQUE_ID(src->sin_port, 3374 dst->sin_port, dstext->sadb_address_proto, 0); 3375 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(src->sin_port, 3376 dst->sin_port, dstext->sadb_address_proto, 0); 3377 } 3378 if (newbie->ipsa_unique_mask != (uint64_t)0) 3379 newbie->ipsa_flags |= IPSA_F_UNIQUE; 3380 3381 sadb_nat_calculations(newbie, 3382 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC], 3383 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM], 3384 src_addr_ptr, dst_addr_ptr); 3385 3386 newbie->ipsa_type = samsg->sadb_msg_satype; 3387 3388 ASSERT((assoc->sadb_sa_state == SADB_SASTATE_MATURE) || 3389 (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE)); 3390 newbie->ipsa_auth_alg = assoc->sadb_sa_auth; 3391 newbie->ipsa_encr_alg = assoc->sadb_sa_encrypt; 3392 3393 newbie->ipsa_flags |= assoc->sadb_sa_flags; 3394 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_LOC && 3395 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC] == NULL) { 3396 mutex_exit(&newbie->ipsa_lock); 3397 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_LOC; 3398 error = EINVAL; 3399 goto error; 3400 } 3401 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_REM && 3402 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM] == NULL) { 3403 mutex_exit(&newbie->ipsa_lock); 3404 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_REM; 3405 error = EINVAL; 3406 goto error; 3407 } 3408 if (newbie->ipsa_flags & SADB_X_SAFLAGS_TUNNEL && 3409 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC] == NULL) { 3410 mutex_exit(&newbie->ipsa_lock); 3411 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC; 3412 error = EINVAL; 3413 goto error; 3414 } 3415 /* 3416 * If unspecified source address, force replay_wsize to 0. 3417 * This is because an SA that has multiple sources of secure 3418 * traffic cannot enforce a replay counter w/o synchronizing the 3419 * senders. 3420 */ 3421 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) 3422 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay; 3423 else 3424 newbie->ipsa_replay_wsize = 0; 3425 3426 newbie->ipsa_addtime = gethrestime_sec(); 3427 3428 if (kmcext != NULL) { 3429 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto; 3430 newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie; 3431 } 3432 3433 /* 3434 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE. 3435 * The spec says that one can update current lifetimes, but 3436 * that seems impractical, especially in the larval-to-mature 3437 * update that this function performs. 3438 */ 3439 if (soft != NULL) { 3440 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime; 3441 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime; 3442 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes; 3443 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations; 3444 SET_EXPIRE(newbie, softaddlt, softexpiretime); 3445 } 3446 if (hard != NULL) { 3447 newbie->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 3448 newbie->ipsa_harduselt = hard->sadb_lifetime_usetime; 3449 newbie->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 3450 newbie->ipsa_hardalloc = hard->sadb_lifetime_allocations; 3451 SET_EXPIRE(newbie, hardaddlt, hardexpiretime); 3452 } 3453 if (idle != NULL) { 3454 newbie->ipsa_idleaddlt = idle->sadb_lifetime_addtime; 3455 newbie->ipsa_idleuselt = idle->sadb_lifetime_usetime; 3456 newbie->ipsa_idleexpiretime = newbie->ipsa_addtime + 3457 newbie->ipsa_idleaddlt; 3458 newbie->ipsa_idletime = newbie->ipsa_idleaddlt; 3459 } 3460 3461 newbie->ipsa_authtmpl = NULL; 3462 newbie->ipsa_encrtmpl = NULL; 3463 3464 if (akey != NULL) { 3465 newbie->ipsa_authkeybits = akey->sadb_key_bits; 3466 newbie->ipsa_authkeylen = SADB_1TO8(akey->sadb_key_bits); 3467 /* In case we have to round up to the next byte... */ 3468 if ((akey->sadb_key_bits & 0x7) != 0) 3469 newbie->ipsa_authkeylen++; 3470 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 3471 KM_NOSLEEP); 3472 if (newbie->ipsa_authkey == NULL) { 3473 error = ENOMEM; 3474 mutex_exit(&newbie->ipsa_lock); 3475 goto error; 3476 } 3477 bcopy(akey + 1, newbie->ipsa_authkey, newbie->ipsa_authkeylen); 3478 bzero(akey + 1, newbie->ipsa_authkeylen); 3479 3480 /* 3481 * Pre-initialize the kernel crypto framework key 3482 * structure. 3483 */ 3484 newbie->ipsa_kcfauthkey.ck_format = CRYPTO_KEY_RAW; 3485 newbie->ipsa_kcfauthkey.ck_length = newbie->ipsa_authkeybits; 3486 newbie->ipsa_kcfauthkey.ck_data = newbie->ipsa_authkey; 3487 3488 mutex_enter(&ipss->ipsec_alg_lock); 3489 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_AUTH); 3490 mutex_exit(&ipss->ipsec_alg_lock); 3491 if (error != 0) { 3492 mutex_exit(&newbie->ipsa_lock); 3493 /* 3494 * An error here indicates that alg is the wrong type 3495 * (IE: not authentication) or its not in the alg tables 3496 * created by ipsecalgs(1m), or Kcf does not like the 3497 * parameters passed in with this algorithm, which is 3498 * probably a coding error! 3499 */ 3500 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX; 3501 goto error; 3502 } 3503 } 3504 3505 if (ekey != NULL) { 3506 newbie->ipsa_encrkeybits = ekey->sadb_key_bits; 3507 newbie->ipsa_encrkeylen = SADB_1TO8(ekey->sadb_key_bits); 3508 /* In case we have to round up to the next byte... */ 3509 if ((ekey->sadb_key_bits & 0x7) != 0) 3510 newbie->ipsa_encrkeylen++; 3511 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 3512 KM_NOSLEEP); 3513 if (newbie->ipsa_encrkey == NULL) { 3514 error = ENOMEM; 3515 mutex_exit(&newbie->ipsa_lock); 3516 goto error; 3517 } 3518 bcopy(ekey + 1, newbie->ipsa_encrkey, newbie->ipsa_encrkeylen); 3519 /* XXX is this safe w.r.t db_ref, etc? */ 3520 bzero(ekey + 1, newbie->ipsa_encrkeylen); 3521 3522 /* 3523 * Pre-initialize the kernel crypto framework key 3524 * structure. 3525 */ 3526 newbie->ipsa_kcfencrkey.ck_format = CRYPTO_KEY_RAW; 3527 newbie->ipsa_kcfencrkey.ck_length = newbie->ipsa_encrkeybits; 3528 newbie->ipsa_kcfencrkey.ck_data = newbie->ipsa_encrkey; 3529 3530 mutex_enter(&ipss->ipsec_alg_lock); 3531 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_ENCR); 3532 mutex_exit(&ipss->ipsec_alg_lock); 3533 if (error != 0) { 3534 mutex_exit(&newbie->ipsa_lock); 3535 /* See above for error explanation. */ 3536 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX; 3537 goto error; 3538 } 3539 } 3540 3541 sadb_init_alginfo(newbie); 3542 3543 /* 3544 * Ptrs to processing functions. 3545 */ 3546 if (newbie->ipsa_type == SADB_SATYPE_ESP) 3547 ipsecesp_init_funcs(newbie); 3548 else 3549 ipsecah_init_funcs(newbie); 3550 ASSERT(newbie->ipsa_output_func != NULL && 3551 newbie->ipsa_input_func != NULL); 3552 3553 /* 3554 * Certificate ID stuff. 3555 */ 3556 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC] != NULL) { 3557 sadb_ident_t *id = 3558 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 3559 3560 /* 3561 * Can assume strlen() will return okay because ext_check() in 3562 * keysock.c prepares the string for us. 3563 */ 3564 newbie->ipsa_src_cid = ipsid_lookup(id->sadb_ident_type, 3565 (char *)(id+1), ns); 3566 if (newbie->ipsa_src_cid == NULL) { 3567 error = ENOMEM; 3568 mutex_exit(&newbie->ipsa_lock); 3569 goto error; 3570 } 3571 } 3572 3573 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_DST] != NULL) { 3574 sadb_ident_t *id = 3575 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 3576 3577 /* 3578 * Can assume strlen() will return okay because ext_check() in 3579 * keysock.c prepares the string for us. 3580 */ 3581 newbie->ipsa_dst_cid = ipsid_lookup(id->sadb_ident_type, 3582 (char *)(id+1), ns); 3583 if (newbie->ipsa_dst_cid == NULL) { 3584 error = ENOMEM; 3585 mutex_exit(&newbie->ipsa_lock); 3586 goto error; 3587 } 3588 } 3589 3590 #if 0 3591 /* XXXMLS SENSITIVITY handling code. */ 3592 if (sens != NULL) { 3593 int i; 3594 uint64_t *bitmap = (uint64_t *)(sens + 1); 3595 3596 newbie->ipsa_dpd = sens->sadb_sens_dpd; 3597 newbie->ipsa_senslevel = sens->sadb_sens_sens_level; 3598 newbie->ipsa_integlevel = sens->sadb_sens_integ_level; 3599 newbie->ipsa_senslen = SADB_64TO8(sens->sadb_sens_sens_len); 3600 newbie->ipsa_integlen = SADB_64TO8(sens->sadb_sens_integ_len); 3601 newbie->ipsa_integ = kmem_alloc(newbie->ipsa_integlen, 3602 KM_NOSLEEP); 3603 if (newbie->ipsa_integ == NULL) { 3604 error = ENOMEM; 3605 mutex_exit(&newbie->ipsa_lock); 3606 goto error; 3607 } 3608 newbie->ipsa_sens = kmem_alloc(newbie->ipsa_senslen, 3609 KM_NOSLEEP); 3610 if (newbie->ipsa_sens == NULL) { 3611 error = ENOMEM; 3612 mutex_exit(&newbie->ipsa_lock); 3613 goto error; 3614 } 3615 for (i = 0; i < sens->sadb_sens_sens_len; i++) { 3616 newbie->ipsa_sens[i] = *bitmap; 3617 bitmap++; 3618 } 3619 for (i = 0; i < sens->sadb_sens_integ_len; i++) { 3620 newbie->ipsa_integ[i] = *bitmap; 3621 bitmap++; 3622 } 3623 } 3624 3625 #endif 3626 3627 if (replayext != NULL) { 3628 if ((replayext->sadb_x_rc_replay32 == 0) && 3629 (replayext->sadb_x_rc_replay64 != 0)) { 3630 error = EOPNOTSUPP; 3631 *diagnostic = SADB_X_DIAGNOSTIC_INVALID_REPLAY; 3632 mutex_exit(&newbie->ipsa_lock); 3633 goto error; 3634 } 3635 newbie->ipsa_replay = replayext->sadb_x_rc_replay32; 3636 } 3637 3638 /* now that the SA has been updated, set its new state */ 3639 newbie->ipsa_state = assoc->sadb_sa_state; 3640 3641 if (clone) { 3642 newbie->ipsa_haspeer = B_TRUE; 3643 } else { 3644 if (!is_inbound) { 3645 lifetime_fuzz(newbie); 3646 } 3647 } 3648 /* 3649 * The less locks I hold when doing an insertion and possible cloning, 3650 * the better! 3651 */ 3652 mutex_exit(&newbie->ipsa_lock); 3653 3654 if (clone) { 3655 newbie_clone = sadb_cloneassoc(newbie); 3656 3657 if (newbie_clone == NULL) { 3658 error = ENOMEM; 3659 goto error; 3660 } 3661 } 3662 3663 /* 3664 * Enter the bucket locks. The order of entry is outbound, 3665 * inbound. We map "primary" and "secondary" into outbound and inbound 3666 * based on the destination address type. If the destination address 3667 * type is for a node that isn't mine (or potentially mine), the 3668 * "primary" bucket is the outbound one. 3669 */ 3670 if (!is_inbound) { 3671 /* primary == outbound */ 3672 mutex_enter(&primary->isaf_lock); 3673 mutex_enter(&secondary->isaf_lock); 3674 } else { 3675 /* primary == inbound */ 3676 mutex_enter(&secondary->isaf_lock); 3677 mutex_enter(&primary->isaf_lock); 3678 } 3679 3680 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_common_add: spi = 0x%x\n", 3681 newbie->ipsa_spi)); 3682 3683 /* 3684 * sadb_insertassoc() doesn't increment the reference 3685 * count. We therefore have to increment the 3686 * reference count one more time to reflect the 3687 * pointers of the table that reference this SA. 3688 */ 3689 IPSA_REFHOLD(newbie); 3690 3691 if (isupdate) { 3692 /* 3693 * Unlink from larval holding cell in the "inbound" fanout. 3694 */ 3695 ASSERT(newbie->ipsa_linklock == &primary->isaf_lock || 3696 newbie->ipsa_linklock == &secondary->isaf_lock); 3697 sadb_unlinkassoc(newbie); 3698 } 3699 3700 mutex_enter(&newbie->ipsa_lock); 3701 error = sadb_insertassoc(newbie, primary); 3702 if (error == 0) { 3703 ctl_mp = sadb_fmt_sa_req(DL_CO_SET, newbie->ipsa_type, newbie, 3704 is_inbound); 3705 } 3706 mutex_exit(&newbie->ipsa_lock); 3707 3708 if (error != 0) { 3709 /* 3710 * Since sadb_insertassoc() failed, we must decrement the 3711 * refcount again so the cleanup code will actually free 3712 * the offending SA. 3713 */ 3714 IPSA_REFRELE(newbie); 3715 goto error_unlock; 3716 } 3717 3718 if (newbie_clone != NULL) { 3719 mutex_enter(&newbie_clone->ipsa_lock); 3720 error = sadb_insertassoc(newbie_clone, secondary); 3721 mutex_exit(&newbie_clone->ipsa_lock); 3722 if (error != 0) { 3723 /* Collision in secondary table. */ 3724 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 3725 goto error_unlock; 3726 } 3727 IPSA_REFHOLD(newbie_clone); 3728 } else { 3729 ASSERT(primary != secondary); 3730 scratch = ipsec_getassocbyspi(secondary, newbie->ipsa_spi, 3731 ALL_ZEROES_PTR, newbie->ipsa_dstaddr, af); 3732 if (scratch != NULL) { 3733 /* Collision in secondary table. */ 3734 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 3735 /* Set the error, since ipsec_getassocbyspi() can't. */ 3736 error = EEXIST; 3737 goto error_unlock; 3738 } 3739 } 3740 3741 /* OKAY! So let's do some reality check assertions. */ 3742 3743 ASSERT(MUTEX_NOT_HELD(&newbie->ipsa_lock)); 3744 ASSERT(newbie_clone == NULL || 3745 (MUTEX_NOT_HELD(&newbie_clone->ipsa_lock))); 3746 /* 3747 * If hardware acceleration could happen, send it. 3748 */ 3749 if (ctl_mp != NULL) { 3750 putnext(ip_q, ctl_mp); 3751 ctl_mp = NULL; 3752 } 3753 3754 error_unlock: 3755 3756 /* 3757 * We can exit the locks in any order. Only entrance needs to 3758 * follow any protocol. 3759 */ 3760 mutex_exit(&secondary->isaf_lock); 3761 mutex_exit(&primary->isaf_lock); 3762 3763 if (pair_ext != NULL && error == 0) { 3764 /* update pair_spi if it exists. */ 3765 ipsapp = get_ipsa_pair(assoc, srcext, dstext, spp); 3766 if (ipsapp == NULL) { 3767 error = ESRCH; 3768 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 3769 } else if (ipsapp->ipsap_psa_ptr != NULL) { 3770 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY; 3771 error = EINVAL; 3772 } else { 3773 /* update_pairing() sets diagnostic */ 3774 error = update_pairing(ipsapp, ksi, diagnostic, spp); 3775 } 3776 } 3777 /* Common error point for this routine. */ 3778 error: 3779 if (newbie != NULL) { 3780 if (error != 0) { 3781 /* This SA is broken, let the reaper clean up. */ 3782 mutex_enter(&newbie->ipsa_lock); 3783 newbie->ipsa_state = IPSA_STATE_DEAD; 3784 newbie->ipsa_hardexpiretime = 1; 3785 mutex_exit(&newbie->ipsa_lock); 3786 } 3787 IPSA_REFRELE(newbie); 3788 } 3789 if (newbie_clone != NULL) { 3790 IPSA_REFRELE(newbie_clone); 3791 } 3792 if (ctl_mp != NULL) 3793 freemsg(ctl_mp); 3794 3795 if (error == 0) { 3796 /* 3797 * Construct favorable PF_KEY return message and send to 3798 * keysock. Update the flags in the original keysock message 3799 * to reflect the actual flags in the new SA. 3800 * (Q: Do I need to pass "newbie"? If I do, 3801 * make sure to REFHOLD, call, then REFRELE.) 3802 */ 3803 assoc->sadb_sa_flags = newbie->ipsa_flags; 3804 sadb_pfkey_echo(pfkey_q, mp, samsg, ksi, NULL); 3805 } 3806 3807 destroy_ipsa_pair(ipsapp); 3808 return (error); 3809 } 3810 3811 /* 3812 * Set the time of first use for a security association. Update any 3813 * expiration times as a result. 3814 */ 3815 void 3816 sadb_set_usetime(ipsa_t *assoc) 3817 { 3818 time_t snapshot = gethrestime_sec(); 3819 3820 mutex_enter(&assoc->ipsa_lock); 3821 assoc->ipsa_lastuse = snapshot; 3822 assoc->ipsa_idleexpiretime = snapshot + assoc->ipsa_idletime; 3823 3824 /* 3825 * Caller does check usetime before calling me usually, and 3826 * double-checking is better than a mutex_enter/exit hit. 3827 */ 3828 if (assoc->ipsa_usetime == 0) { 3829 /* 3830 * This is redundant for outbound SA's, as 3831 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already. 3832 * Inbound SAs, however, have no such protection. 3833 */ 3834 assoc->ipsa_flags |= IPSA_F_USED; 3835 assoc->ipsa_usetime = snapshot; 3836 3837 /* 3838 * After setting the use time, see if we have a use lifetime 3839 * that would cause the actual SA expiration time to shorten. 3840 */ 3841 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 3842 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 3843 } 3844 mutex_exit(&assoc->ipsa_lock); 3845 } 3846 3847 /* 3848 * Send up a PF_KEY expire message for this association. 3849 */ 3850 static void 3851 sadb_expire_assoc(queue_t *pfkey_q, ipsa_t *assoc) 3852 { 3853 mblk_t *mp, *mp1; 3854 int alloclen, af; 3855 sadb_msg_t *samsg; 3856 sadb_lifetime_t *current, *expire; 3857 sadb_sa_t *saext; 3858 uint8_t *end; 3859 boolean_t tunnel_mode; 3860 3861 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 3862 3863 /* Don't bother sending if there's no queue. */ 3864 if (pfkey_q == NULL) 3865 return; 3866 3867 /* If the SA is one of a pair, only SOFT expire the OUTBOUND SA */ 3868 if (assoc->ipsa_state == IPSA_STATE_DYING && 3869 (assoc->ipsa_flags & IPSA_F_PAIRED) && 3870 !(assoc->ipsa_flags & IPSA_F_OUTBOUND)) { 3871 return; 3872 } 3873 3874 mp = sadb_keysock_out(0); 3875 if (mp == NULL) { 3876 /* cmn_err(CE_WARN, */ 3877 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */ 3878 return; 3879 } 3880 3881 alloclen = sizeof (*samsg) + sizeof (*current) + sizeof (*expire) + 3882 2 * sizeof (sadb_address_t) + sizeof (*saext); 3883 3884 af = assoc->ipsa_addrfam; 3885 switch (af) { 3886 case AF_INET: 3887 alloclen += 2 * sizeof (struct sockaddr_in); 3888 break; 3889 case AF_INET6: 3890 alloclen += 2 * sizeof (struct sockaddr_in6); 3891 break; 3892 default: 3893 /* Won't happen unless there's a kernel bug. */ 3894 freeb(mp); 3895 cmn_err(CE_WARN, 3896 "sadb_expire_assoc: Unknown address length.\n"); 3897 return; 3898 } 3899 3900 tunnel_mode = (assoc->ipsa_flags & IPSA_F_TUNNEL); 3901 if (tunnel_mode) { 3902 alloclen += 2 * sizeof (sadb_address_t); 3903 switch (assoc->ipsa_innerfam) { 3904 case AF_INET: 3905 alloclen += 2 * sizeof (struct sockaddr_in); 3906 break; 3907 case AF_INET6: 3908 alloclen += 2 * sizeof (struct sockaddr_in6); 3909 break; 3910 default: 3911 /* Won't happen unless there's a kernel bug. */ 3912 freeb(mp); 3913 cmn_err(CE_WARN, "sadb_expire_assoc: " 3914 "Unknown inner address length.\n"); 3915 return; 3916 } 3917 } 3918 3919 mp->b_cont = allocb(alloclen, BPRI_HI); 3920 if (mp->b_cont == NULL) { 3921 freeb(mp); 3922 /* cmn_err(CE_WARN, */ 3923 /* "sadb_expire_assoc: Can't allocate message.\n"); */ 3924 return; 3925 } 3926 3927 mp1 = mp; 3928 mp = mp->b_cont; 3929 end = mp->b_wptr + alloclen; 3930 3931 samsg = (sadb_msg_t *)mp->b_wptr; 3932 mp->b_wptr += sizeof (*samsg); 3933 samsg->sadb_msg_version = PF_KEY_V2; 3934 samsg->sadb_msg_type = SADB_EXPIRE; 3935 samsg->sadb_msg_errno = 0; 3936 samsg->sadb_msg_satype = assoc->ipsa_type; 3937 samsg->sadb_msg_len = SADB_8TO64(alloclen); 3938 samsg->sadb_msg_reserved = 0; 3939 samsg->sadb_msg_seq = 0; 3940 samsg->sadb_msg_pid = 0; 3941 3942 saext = (sadb_sa_t *)mp->b_wptr; 3943 mp->b_wptr += sizeof (*saext); 3944 saext->sadb_sa_len = SADB_8TO64(sizeof (*saext)); 3945 saext->sadb_sa_exttype = SADB_EXT_SA; 3946 saext->sadb_sa_spi = assoc->ipsa_spi; 3947 saext->sadb_sa_replay = assoc->ipsa_replay_wsize; 3948 saext->sadb_sa_state = assoc->ipsa_state; 3949 saext->sadb_sa_auth = assoc->ipsa_auth_alg; 3950 saext->sadb_sa_encrypt = assoc->ipsa_encr_alg; 3951 saext->sadb_sa_flags = assoc->ipsa_flags; 3952 3953 current = (sadb_lifetime_t *)mp->b_wptr; 3954 mp->b_wptr += sizeof (sadb_lifetime_t); 3955 current->sadb_lifetime_len = SADB_8TO64(sizeof (*current)); 3956 current->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 3957 /* We do not support the concept. */ 3958 current->sadb_lifetime_allocations = 0; 3959 current->sadb_lifetime_bytes = assoc->ipsa_bytes; 3960 current->sadb_lifetime_addtime = assoc->ipsa_addtime; 3961 current->sadb_lifetime_usetime = assoc->ipsa_usetime; 3962 3963 expire = (sadb_lifetime_t *)mp->b_wptr; 3964 mp->b_wptr += sizeof (*expire); 3965 expire->sadb_lifetime_len = SADB_8TO64(sizeof (*expire)); 3966 3967 if (assoc->ipsa_state == IPSA_STATE_DEAD) { 3968 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 3969 expire->sadb_lifetime_allocations = assoc->ipsa_hardalloc; 3970 expire->sadb_lifetime_bytes = assoc->ipsa_hardbyteslt; 3971 expire->sadb_lifetime_addtime = assoc->ipsa_hardaddlt; 3972 expire->sadb_lifetime_usetime = assoc->ipsa_harduselt; 3973 } else if (assoc->ipsa_state == IPSA_STATE_DYING) { 3974 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 3975 expire->sadb_lifetime_allocations = assoc->ipsa_softalloc; 3976 expire->sadb_lifetime_bytes = assoc->ipsa_softbyteslt; 3977 expire->sadb_lifetime_addtime = assoc->ipsa_softaddlt; 3978 expire->sadb_lifetime_usetime = assoc->ipsa_softuselt; 3979 } else { 3980 ASSERT(assoc->ipsa_state == IPSA_STATE_MATURE); 3981 expire->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE; 3982 expire->sadb_lifetime_allocations = 0; 3983 expire->sadb_lifetime_bytes = 0; 3984 expire->sadb_lifetime_addtime = assoc->ipsa_idleaddlt; 3985 expire->sadb_lifetime_usetime = assoc->ipsa_idleuselt; 3986 } 3987 3988 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_SRC, 3989 af, assoc->ipsa_srcaddr, tunnel_mode ? 0 : SA_SRCPORT(assoc), 3990 SA_PROTO(assoc), 0); 3991 ASSERT(mp->b_wptr != NULL); 3992 3993 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_DST, 3994 af, assoc->ipsa_dstaddr, tunnel_mode ? 0 : SA_DSTPORT(assoc), 3995 SA_PROTO(assoc), 0); 3996 ASSERT(mp->b_wptr != NULL); 3997 3998 if (tunnel_mode) { 3999 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, 4000 SADB_X_EXT_ADDRESS_INNER_SRC, assoc->ipsa_innerfam, 4001 assoc->ipsa_innersrc, SA_SRCPORT(assoc), SA_IPROTO(assoc), 4002 assoc->ipsa_innersrcpfx); 4003 ASSERT(mp->b_wptr != NULL); 4004 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, 4005 SADB_X_EXT_ADDRESS_INNER_DST, assoc->ipsa_innerfam, 4006 assoc->ipsa_innerdst, SA_DSTPORT(assoc), SA_IPROTO(assoc), 4007 assoc->ipsa_innerdstpfx); 4008 ASSERT(mp->b_wptr != NULL); 4009 } 4010 4011 /* Can just putnext, we're ready to go! */ 4012 putnext(pfkey_q, mp1); 4013 } 4014 4015 /* 4016 * "Age" the SA with the number of bytes that was used to protect traffic. 4017 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was 4018 * enough "charge" left in the SA to protect the data. Return B_FALSE 4019 * otherwise. (If B_FALSE is returned, the association either was, or became 4020 * DEAD.) 4021 */ 4022 boolean_t 4023 sadb_age_bytes(queue_t *pfkey_q, ipsa_t *assoc, uint64_t bytes, 4024 boolean_t sendmsg) 4025 { 4026 boolean_t rc = B_TRUE; 4027 uint64_t newtotal; 4028 4029 mutex_enter(&assoc->ipsa_lock); 4030 newtotal = assoc->ipsa_bytes + bytes; 4031 if (assoc->ipsa_hardbyteslt != 0 && 4032 newtotal >= assoc->ipsa_hardbyteslt) { 4033 if (assoc->ipsa_state != IPSA_STATE_DEAD) { 4034 sadb_delete_cluster(assoc); 4035 /* 4036 * Send EXPIRE message to PF_KEY. May wish to pawn 4037 * this off on another non-interrupt thread. Also 4038 * unlink this SA immediately. 4039 */ 4040 assoc->ipsa_state = IPSA_STATE_DEAD; 4041 if (sendmsg) 4042 sadb_expire_assoc(pfkey_q, assoc); 4043 /* 4044 * Set non-zero expiration time so sadb_age_assoc() 4045 * will work when reaping. 4046 */ 4047 assoc->ipsa_hardexpiretime = (time_t)1; 4048 } /* Else someone beat me to it! */ 4049 rc = B_FALSE; 4050 } else if (assoc->ipsa_softbyteslt != 0 && 4051 (newtotal >= assoc->ipsa_softbyteslt)) { 4052 if (assoc->ipsa_state < IPSA_STATE_DYING) { 4053 /* 4054 * Send EXPIRE message to PF_KEY. May wish to pawn 4055 * this off on another non-interrupt thread. 4056 */ 4057 assoc->ipsa_state = IPSA_STATE_DYING; 4058 assoc->ipsa_bytes = newtotal; 4059 if (sendmsg) 4060 sadb_expire_assoc(pfkey_q, assoc); 4061 } /* Else someone beat me to it! */ 4062 } 4063 if (rc == B_TRUE) 4064 assoc->ipsa_bytes = newtotal; 4065 mutex_exit(&assoc->ipsa_lock); 4066 return (rc); 4067 } 4068 4069 /* 4070 * Push one or more DL_CO_DELETE messages queued up by 4071 * sadb_torch_assoc down to the underlying driver now that it's a 4072 * convenient time for it (i.e., ipsa bucket locks not held). 4073 */ 4074 static void 4075 sadb_drain_torchq(queue_t *q, mblk_t *mp) 4076 { 4077 while (mp != NULL) { 4078 mblk_t *next = mp->b_next; 4079 mp->b_next = NULL; 4080 if (q != NULL) 4081 putnext(q, mp); 4082 else 4083 freemsg(mp); 4084 mp = next; 4085 } 4086 } 4087 4088 /* 4089 * "Torch" an individual SA. Returns NULL, so it can be tail-called from 4090 * sadb_age_assoc(). 4091 * 4092 * If SA is hardware-accelerated, and we can't allocate the mblk 4093 * containing the DL_CO_DELETE, just return; it will remain in the 4094 * table and be swept up by sadb_ager() in a subsequent pass. 4095 */ 4096 static ipsa_t * 4097 sadb_torch_assoc(isaf_t *head, ipsa_t *sa, boolean_t inbnd, mblk_t **mq) 4098 { 4099 mblk_t *mp; 4100 4101 ASSERT(MUTEX_HELD(&head->isaf_lock)); 4102 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 4103 ASSERT(sa->ipsa_state == IPSA_STATE_DEAD); 4104 4105 /* 4106 * Force cached SAs to be revalidated.. 4107 */ 4108 head->isaf_gen++; 4109 4110 if (sa->ipsa_flags & IPSA_F_HW) { 4111 mp = sadb_fmt_sa_req(DL_CO_DELETE, sa->ipsa_type, sa, inbnd); 4112 if (mp == NULL) { 4113 mutex_exit(&sa->ipsa_lock); 4114 return (NULL); 4115 } 4116 mp->b_next = *mq; 4117 *mq = mp; 4118 } 4119 mutex_exit(&sa->ipsa_lock); 4120 sadb_unlinkassoc(sa); 4121 4122 return (NULL); 4123 } 4124 4125 /* 4126 * Do various SA-is-idle activities depending on delta (the number of idle 4127 * seconds on the SA) and/or other properties of the SA. 4128 * 4129 * Return B_TRUE if I've sent a packet, because I have to drop the 4130 * association's mutex before sending a packet out the wire. 4131 */ 4132 /* ARGSUSED */ 4133 static boolean_t 4134 sadb_idle_activities(ipsa_t *assoc, time_t delta, boolean_t inbound) 4135 { 4136 ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp; 4137 int nat_t_interval = espstack->ipsecesp_nat_keepalive_interval; 4138 4139 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 4140 4141 if (!inbound && (assoc->ipsa_flags & IPSA_F_NATT_LOC) && 4142 delta >= nat_t_interval && 4143 gethrestime_sec() - assoc->ipsa_last_nat_t_ka >= nat_t_interval) { 4144 ASSERT(assoc->ipsa_type == SADB_SATYPE_ESP); 4145 assoc->ipsa_last_nat_t_ka = gethrestime_sec(); 4146 mutex_exit(&assoc->ipsa_lock); 4147 ipsecesp_send_keepalive(assoc); 4148 return (B_TRUE); 4149 } 4150 return (B_FALSE); 4151 } 4152 4153 /* 4154 * Return "assoc" if haspeer is true and I send an expire. This allows 4155 * the consumers' aging functions to tidy up an expired SA's peer. 4156 */ 4157 static ipsa_t * 4158 sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc, 4159 time_t current, int reap_delay, boolean_t inbound, mblk_t **mq) 4160 { 4161 ipsa_t *retval = NULL; 4162 boolean_t dropped_mutex = B_FALSE; 4163 4164 ASSERT(MUTEX_HELD(&head->isaf_lock)); 4165 4166 mutex_enter(&assoc->ipsa_lock); 4167 4168 if (((assoc->ipsa_state == IPSA_STATE_LARVAL) || 4169 ((assoc->ipsa_state == IPSA_STATE_IDLE) || 4170 (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) && 4171 (assoc->ipsa_hardexpiretime != 0))) && 4172 (assoc->ipsa_hardexpiretime <= current)) { 4173 assoc->ipsa_state = IPSA_STATE_DEAD; 4174 return (sadb_torch_assoc(head, assoc, inbound, mq)); 4175 } 4176 4177 /* 4178 * Check lifetimes. Fortunately, SA setup is done 4179 * such that there are only two times to look at, 4180 * softexpiretime, and hardexpiretime. 4181 * 4182 * Check hard first. 4183 */ 4184 4185 if (assoc->ipsa_hardexpiretime != 0 && 4186 assoc->ipsa_hardexpiretime <= current) { 4187 if (assoc->ipsa_state == IPSA_STATE_DEAD) 4188 return (sadb_torch_assoc(head, assoc, inbound, mq)); 4189 4190 if (inbound) { 4191 sadb_delete_cluster(assoc); 4192 } 4193 4194 /* 4195 * Send SADB_EXPIRE with hard lifetime, delay for unlinking. 4196 */ 4197 assoc->ipsa_state = IPSA_STATE_DEAD; 4198 if (assoc->ipsa_haspeer || assoc->ipsa_otherspi != 0) { 4199 /* 4200 * If the SA is paired or peered with another, put 4201 * a copy on a list which can be processed later, the 4202 * pair/peer SA needs to be updated so the both die 4203 * at the same time. 4204 * 4205 * If I return assoc, I have to bump up its reference 4206 * count to keep with the ipsa_t reference count 4207 * semantics. 4208 */ 4209 IPSA_REFHOLD(assoc); 4210 retval = assoc; 4211 } 4212 sadb_expire_assoc(pfkey_q, assoc); 4213 assoc->ipsa_hardexpiretime = current + reap_delay; 4214 } else if (assoc->ipsa_softexpiretime != 0 && 4215 assoc->ipsa_softexpiretime <= current && 4216 assoc->ipsa_state < IPSA_STATE_DYING) { 4217 /* 4218 * Send EXPIRE message to PF_KEY. May wish to pawn 4219 * this off on another non-interrupt thread. 4220 */ 4221 assoc->ipsa_state = IPSA_STATE_DYING; 4222 if (assoc->ipsa_haspeer) { 4223 /* 4224 * If the SA has a peer, update the peer's state 4225 * on SOFT_EXPIRE, this is mostly to prevent two 4226 * expire messages from effectively the same SA. 4227 * 4228 * Don't care about paired SA's, then can (and should) 4229 * be able to soft expire at different times. 4230 * 4231 * If I return assoc, I have to bump up its 4232 * reference count to keep with the ipsa_t reference 4233 * count semantics. 4234 */ 4235 IPSA_REFHOLD(assoc); 4236 retval = assoc; 4237 } 4238 sadb_expire_assoc(pfkey_q, assoc); 4239 } else if (assoc->ipsa_idletime != 0 && 4240 assoc->ipsa_idleexpiretime <= current) { 4241 if (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) { 4242 assoc->ipsa_state = IPSA_STATE_IDLE; 4243 } 4244 4245 /* 4246 * Need to handle Mature case 4247 */ 4248 if (assoc->ipsa_state == IPSA_STATE_MATURE) { 4249 sadb_expire_assoc(pfkey_q, assoc); 4250 } 4251 } else { 4252 /* Check idle time activities. */ 4253 dropped_mutex = sadb_idle_activities(assoc, 4254 current - assoc->ipsa_lastuse, inbound); 4255 } 4256 4257 if (!dropped_mutex) 4258 mutex_exit(&assoc->ipsa_lock); 4259 return (retval); 4260 } 4261 4262 /* 4263 * Called by a consumer protocol to do ther dirty work of reaping dead 4264 * Security Associations. 4265 * 4266 * NOTE: sadb_age_assoc() marks expired SA's as DEAD but only removed 4267 * SA's that are already marked DEAD, so expired SA's are only reaped 4268 * the second time sadb_ager() runs. 4269 */ 4270 void 4271 sadb_ager(sadb_t *sp, queue_t *pfkey_q, queue_t *ip_q, int reap_delay, 4272 netstack_t *ns) 4273 { 4274 int i; 4275 isaf_t *bucket; 4276 ipsa_t *assoc, *spare; 4277 iacqf_t *acqlist; 4278 ipsacq_t *acqrec, *spareacq; 4279 templist_t *haspeerlist, *newbie; 4280 /* Snapshot current time now. */ 4281 time_t current = gethrestime_sec(); 4282 mblk_t *mq = NULL; 4283 haspeerlist = NULL; 4284 4285 /* 4286 * Do my dirty work. This includes aging real entries, aging 4287 * larvals, and aging outstanding ACQUIREs. 4288 * 4289 * I hope I don't tie up resources for too long. 4290 */ 4291 4292 /* Age acquires. */ 4293 4294 for (i = 0; i < sp->sdb_hashsize; i++) { 4295 acqlist = &sp->sdb_acq[i]; 4296 mutex_enter(&acqlist->iacqf_lock); 4297 for (acqrec = acqlist->iacqf_ipsacq; acqrec != NULL; 4298 acqrec = spareacq) { 4299 spareacq = acqrec->ipsacq_next; 4300 if (current > acqrec->ipsacq_expire) 4301 sadb_destroy_acquire(acqrec, ns); 4302 } 4303 mutex_exit(&acqlist->iacqf_lock); 4304 } 4305 4306 /* Age inbound associations. */ 4307 for (i = 0; i < sp->sdb_hashsize; i++) { 4308 bucket = &(sp->sdb_if[i]); 4309 mutex_enter(&bucket->isaf_lock); 4310 for (assoc = bucket->isaf_ipsa; assoc != NULL; 4311 assoc = spare) { 4312 spare = assoc->ipsa_next; 4313 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 4314 reap_delay, B_TRUE, &mq) != NULL) { 4315 /* 4316 * Put SA's which have a peer or SA's which 4317 * are paired on a list for processing after 4318 * all the hash tables have been walked. 4319 * 4320 * sadb_age_assoc() increments the refcnt, 4321 * effectively doing an IPSA_REFHOLD(). 4322 */ 4323 newbie = kmem_alloc(sizeof (*newbie), 4324 KM_NOSLEEP); 4325 if (newbie == NULL) { 4326 /* 4327 * Don't forget to REFRELE(). 4328 */ 4329 IPSA_REFRELE(assoc); 4330 continue; /* for loop... */ 4331 } 4332 newbie->next = haspeerlist; 4333 newbie->ipsa = assoc; 4334 haspeerlist = newbie; 4335 } 4336 } 4337 mutex_exit(&bucket->isaf_lock); 4338 } 4339 4340 if (mq != NULL) { 4341 sadb_drain_torchq(ip_q, mq); 4342 mq = NULL; 4343 } 4344 age_pair_peer_list(haspeerlist, sp, B_FALSE); 4345 haspeerlist = NULL; 4346 4347 /* Age outbound associations. */ 4348 for (i = 0; i < sp->sdb_hashsize; i++) { 4349 bucket = &(sp->sdb_of[i]); 4350 mutex_enter(&bucket->isaf_lock); 4351 for (assoc = bucket->isaf_ipsa; assoc != NULL; 4352 assoc = spare) { 4353 spare = assoc->ipsa_next; 4354 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 4355 reap_delay, B_FALSE, &mq) != NULL) { 4356 /* 4357 * sadb_age_assoc() increments the refcnt, 4358 * effectively doing an IPSA_REFHOLD(). 4359 */ 4360 newbie = kmem_alloc(sizeof (*newbie), 4361 KM_NOSLEEP); 4362 if (newbie == NULL) { 4363 /* 4364 * Don't forget to REFRELE(). 4365 */ 4366 IPSA_REFRELE(assoc); 4367 continue; /* for loop... */ 4368 } 4369 newbie->next = haspeerlist; 4370 newbie->ipsa = assoc; 4371 haspeerlist = newbie; 4372 } 4373 } 4374 mutex_exit(&bucket->isaf_lock); 4375 } 4376 if (mq != NULL) { 4377 sadb_drain_torchq(ip_q, mq); 4378 mq = NULL; 4379 } 4380 4381 age_pair_peer_list(haspeerlist, sp, B_TRUE); 4382 4383 /* 4384 * Run a GC pass to clean out dead identities. 4385 */ 4386 ipsid_gc(ns); 4387 } 4388 4389 /* 4390 * Figure out when to reschedule the ager. 4391 */ 4392 timeout_id_t 4393 sadb_retimeout(hrtime_t begin, queue_t *pfkey_q, void (*ager)(void *), 4394 void *agerarg, uint_t *intp, uint_t intmax, short mid) 4395 { 4396 hrtime_t end = gethrtime(); 4397 uint_t interval = *intp; 4398 4399 /* 4400 * See how long this took. If it took too long, increase the 4401 * aging interval. 4402 */ 4403 if ((end - begin) > (hrtime_t)interval * (hrtime_t)1000000) { 4404 if (interval >= intmax) { 4405 /* XXX Rate limit this? Or recommend flush? */ 4406 (void) strlog(mid, 0, 0, SL_ERROR | SL_WARN, 4407 "Too many SA's to age out in %d msec.\n", 4408 intmax); 4409 } else { 4410 /* Double by shifting by one bit. */ 4411 interval <<= 1; 4412 interval = min(interval, intmax); 4413 } 4414 } else if ((end - begin) <= (hrtime_t)interval * (hrtime_t)500000 && 4415 interval > SADB_AGE_INTERVAL_DEFAULT) { 4416 /* 4417 * If I took less than half of the interval, then I should 4418 * ratchet the interval back down. Never automatically 4419 * shift below the default aging interval. 4420 * 4421 * NOTE:This even overrides manual setting of the age 4422 * interval using NDD to lower the setting past the 4423 * default. In other words, if you set the interval 4424 * lower than the default, and your SADB gets too big, 4425 * the interval will only self-lower back to the default. 4426 */ 4427 /* Halve by shifting one bit. */ 4428 interval >>= 1; 4429 interval = max(interval, SADB_AGE_INTERVAL_DEFAULT); 4430 } 4431 *intp = interval; 4432 return (qtimeout(pfkey_q, ager, agerarg, 4433 drv_usectohz(interval * 1000))); 4434 } 4435 4436 4437 /* 4438 * Update the lifetime values of an SA. This is the path an SADB_UPDATE 4439 * message takes when updating a MATURE or DYING SA. 4440 */ 4441 static void 4442 sadb_update_lifetimes(ipsa_t *assoc, sadb_lifetime_t *hard, 4443 sadb_lifetime_t *soft, sadb_lifetime_t *idle, boolean_t outbound) 4444 { 4445 mutex_enter(&assoc->ipsa_lock); 4446 4447 /* 4448 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be 4449 * passed in during an update message. We currently don't handle 4450 * these. 4451 */ 4452 4453 if (hard != NULL) { 4454 if (hard->sadb_lifetime_bytes != 0) 4455 assoc->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 4456 if (hard->sadb_lifetime_usetime != 0) 4457 assoc->ipsa_harduselt = hard->sadb_lifetime_usetime; 4458 if (hard->sadb_lifetime_addtime != 0) 4459 assoc->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 4460 if (assoc->ipsa_hardaddlt != 0) { 4461 assoc->ipsa_hardexpiretime = 4462 assoc->ipsa_addtime + assoc->ipsa_hardaddlt; 4463 } 4464 if (assoc->ipsa_harduselt != 0 && 4465 assoc->ipsa_flags & IPSA_F_USED) { 4466 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 4467 } 4468 if (hard->sadb_lifetime_allocations != 0) 4469 assoc->ipsa_hardalloc = hard->sadb_lifetime_allocations; 4470 } 4471 4472 if (soft != NULL) { 4473 if (soft->sadb_lifetime_bytes != 0) { 4474 if (soft->sadb_lifetime_bytes > 4475 assoc->ipsa_hardbyteslt) { 4476 assoc->ipsa_softbyteslt = 4477 assoc->ipsa_hardbyteslt; 4478 } else { 4479 assoc->ipsa_softbyteslt = 4480 soft->sadb_lifetime_bytes; 4481 } 4482 } 4483 if (soft->sadb_lifetime_usetime != 0) { 4484 if (soft->sadb_lifetime_usetime > 4485 assoc->ipsa_harduselt) { 4486 assoc->ipsa_softuselt = 4487 assoc->ipsa_harduselt; 4488 } else { 4489 assoc->ipsa_softuselt = 4490 soft->sadb_lifetime_usetime; 4491 } 4492 } 4493 if (soft->sadb_lifetime_addtime != 0) { 4494 if (soft->sadb_lifetime_addtime > 4495 assoc->ipsa_hardexpiretime) { 4496 assoc->ipsa_softexpiretime = 4497 assoc->ipsa_hardexpiretime; 4498 } else { 4499 assoc->ipsa_softaddlt = 4500 soft->sadb_lifetime_addtime; 4501 } 4502 } 4503 if (assoc->ipsa_softaddlt != 0) { 4504 assoc->ipsa_softexpiretime = 4505 assoc->ipsa_addtime + assoc->ipsa_softaddlt; 4506 } 4507 if (assoc->ipsa_softuselt != 0 && 4508 assoc->ipsa_flags & IPSA_F_USED) { 4509 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 4510 } 4511 if (outbound && assoc->ipsa_softexpiretime != 0) { 4512 if (assoc->ipsa_state == IPSA_STATE_MATURE) 4513 lifetime_fuzz(assoc); 4514 } 4515 4516 if (soft->sadb_lifetime_allocations != 0) 4517 assoc->ipsa_softalloc = soft->sadb_lifetime_allocations; 4518 } 4519 4520 if (idle != NULL) { 4521 time_t current = gethrestime_sec(); 4522 if ((assoc->ipsa_idleexpiretime <= current) && 4523 (assoc->ipsa_idleaddlt == idle->sadb_lifetime_addtime)) { 4524 assoc->ipsa_idleexpiretime = 4525 current + assoc->ipsa_idleaddlt; 4526 } 4527 if (idle->sadb_lifetime_addtime != 0) 4528 assoc->ipsa_idleaddlt = idle->sadb_lifetime_addtime; 4529 if (idle->sadb_lifetime_usetime != 0) 4530 assoc->ipsa_idleuselt = idle->sadb_lifetime_usetime; 4531 if (assoc->ipsa_idleaddlt != 0) { 4532 assoc->ipsa_idleexpiretime = 4533 current + idle->sadb_lifetime_addtime; 4534 assoc->ipsa_idletime = idle->sadb_lifetime_addtime; 4535 } 4536 if (assoc->ipsa_idleuselt != 0) { 4537 if (assoc->ipsa_idletime != 0) { 4538 assoc->ipsa_idletime = min(assoc->ipsa_idletime, 4539 assoc->ipsa_idleuselt); 4540 assoc->ipsa_idleexpiretime = 4541 current + assoc->ipsa_idletime; 4542 } else { 4543 assoc->ipsa_idleexpiretime = 4544 current + assoc->ipsa_idleuselt; 4545 assoc->ipsa_idletime = assoc->ipsa_idleuselt; 4546 } 4547 } 4548 } 4549 mutex_exit(&assoc->ipsa_lock); 4550 } 4551 4552 static int 4553 sadb_update_state(ipsa_t *assoc, uint_t new_state, mblk_t **ipkt_lst) 4554 { 4555 int rcode = 0; 4556 time_t current = gethrestime_sec(); 4557 4558 mutex_enter(&assoc->ipsa_lock); 4559 4560 switch (new_state) { 4561 case SADB_X_SASTATE_ACTIVE_ELSEWHERE: 4562 if (assoc->ipsa_state == SADB_X_SASTATE_IDLE) { 4563 assoc->ipsa_state = IPSA_STATE_ACTIVE_ELSEWHERE; 4564 assoc->ipsa_idleexpiretime = 4565 current + assoc->ipsa_idletime; 4566 } 4567 break; 4568 case SADB_X_SASTATE_IDLE: 4569 if (assoc->ipsa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) { 4570 assoc->ipsa_state = IPSA_STATE_IDLE; 4571 assoc->ipsa_idleexpiretime = 4572 current + assoc->ipsa_idletime; 4573 } else { 4574 rcode = EINVAL; 4575 } 4576 break; 4577 4578 case SADB_X_SASTATE_ACTIVE: 4579 if (assoc->ipsa_state != SADB_X_SASTATE_IDLE) { 4580 rcode = EINVAL; 4581 break; 4582 } 4583 assoc->ipsa_state = IPSA_STATE_MATURE; 4584 assoc->ipsa_idleexpiretime = current + assoc->ipsa_idletime; 4585 4586 if (ipkt_lst == NULL) { 4587 break; 4588 } 4589 4590 if (assoc->ipsa_bpkt_head != NULL) { 4591 *ipkt_lst = assoc->ipsa_bpkt_head; 4592 assoc->ipsa_bpkt_head = assoc->ipsa_bpkt_tail = NULL; 4593 assoc->ipsa_mblkcnt = 0; 4594 } else { 4595 *ipkt_lst = NULL; 4596 } 4597 break; 4598 default: 4599 rcode = EINVAL; 4600 break; 4601 } 4602 4603 mutex_exit(&assoc->ipsa_lock); 4604 return (rcode); 4605 } 4606 4607 /* 4608 * Common code to update an SA. 4609 */ 4610 4611 int 4612 sadb_update_sa(mblk_t *mp, keysock_in_t *ksi, mblk_t **ipkt_lst, 4613 sadbp_t *spp, int *diagnostic, queue_t *pfkey_q, 4614 int (*add_sa_func)(mblk_t *, keysock_in_t *, int *, netstack_t *), 4615 netstack_t *ns, uint8_t sadb_msg_type) 4616 { 4617 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 4618 sadb_address_t *srcext = 4619 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 4620 sadb_address_t *dstext = 4621 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 4622 sadb_x_kmc_t *kmcext = 4623 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 4624 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 4625 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 4626 sadb_x_replay_ctr_t *replext = 4627 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE]; 4628 sadb_lifetime_t *soft = 4629 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 4630 sadb_lifetime_t *hard = 4631 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 4632 sadb_lifetime_t *idle = 4633 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE]; 4634 sadb_x_pair_t *pair_ext = 4635 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 4636 ipsa_t *echo_target = NULL; 4637 int error = 0; 4638 ipsap_t *ipsapp = NULL; 4639 uint32_t kmp = 0, kmc = 0; 4640 time_t current = gethrestime_sec(); 4641 4642 4643 /* I need certain extensions present for either UPDATE message. */ 4644 if (srcext == NULL) { 4645 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 4646 return (EINVAL); 4647 } 4648 if (dstext == NULL) { 4649 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 4650 return (EINVAL); 4651 } 4652 if (assoc == NULL) { 4653 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 4654 return (EINVAL); 4655 } 4656 4657 if (kmcext != NULL) { 4658 kmp = kmcext->sadb_x_kmc_proto; 4659 kmc = kmcext->sadb_x_kmc_cookie; 4660 } 4661 4662 ipsapp = get_ipsa_pair(assoc, srcext, dstext, spp); 4663 if (ipsapp == NULL) { 4664 *diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND; 4665 return (ESRCH); 4666 } 4667 4668 if (ipsapp->ipsap_psa_ptr == NULL && ipsapp->ipsap_sa_ptr != NULL) { 4669 if (ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) { 4670 /* 4671 * REFRELE the target and let the add_sa_func() 4672 * deal with updating a larval SA. 4673 */ 4674 destroy_ipsa_pair(ipsapp); 4675 return (add_sa_func(mp, ksi, diagnostic, ns)); 4676 } 4677 } 4678 4679 /* 4680 * At this point we have an UPDATE to a MATURE SA. There should 4681 * not be any keying material present. 4682 */ 4683 if (akey != NULL) { 4684 *diagnostic = SADB_X_DIAGNOSTIC_AKEY_PRESENT; 4685 error = EINVAL; 4686 goto bail; 4687 } 4688 if (ekey != NULL) { 4689 *diagnostic = SADB_X_DIAGNOSTIC_EKEY_PRESENT; 4690 error = EINVAL; 4691 goto bail; 4692 } 4693 4694 if (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) { 4695 if (ipsapp->ipsap_sa_ptr != NULL && 4696 ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_IDLE) { 4697 if ((error = sadb_update_state(ipsapp->ipsap_sa_ptr, 4698 assoc->sadb_sa_state, NULL)) != 0) { 4699 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4700 goto bail; 4701 } 4702 } 4703 if (ipsapp->ipsap_psa_ptr != NULL && 4704 ipsapp->ipsap_psa_ptr->ipsa_state == IPSA_STATE_IDLE) { 4705 if ((error = sadb_update_state(ipsapp->ipsap_psa_ptr, 4706 assoc->sadb_sa_state, NULL)) != 0) { 4707 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4708 goto bail; 4709 } 4710 } 4711 } 4712 if (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE) { 4713 if (ipsapp->ipsap_sa_ptr != NULL) { 4714 error = sadb_update_state(ipsapp->ipsap_sa_ptr, 4715 assoc->sadb_sa_state, 4716 (ipsapp->ipsap_sa_ptr->ipsa_flags & 4717 IPSA_F_INBOUND) ? ipkt_lst : NULL); 4718 if (error) { 4719 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4720 goto bail; 4721 } 4722 } 4723 if (ipsapp->ipsap_psa_ptr != NULL) { 4724 error = sadb_update_state(ipsapp->ipsap_psa_ptr, 4725 assoc->sadb_sa_state, 4726 (ipsapp->ipsap_psa_ptr->ipsa_flags & 4727 IPSA_F_INBOUND) ? ipkt_lst : NULL); 4728 if (error) { 4729 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4730 goto bail; 4731 } 4732 } 4733 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 4734 ksi, echo_target); 4735 goto bail; 4736 } 4737 4738 /* 4739 * Reality checks for updates of active associations. 4740 * Sundry first-pass UPDATE-specific reality checks. 4741 * Have to do the checks here, because it's after the add_sa code. 4742 * XXX STATS : logging/stats here? 4743 */ 4744 4745 if (!((assoc->sadb_sa_state == SADB_SASTATE_MATURE) || 4746 (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE))) { 4747 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4748 error = EINVAL; 4749 goto bail; 4750 } 4751 4752 if (assoc->sadb_sa_flags & ~spp->s_updateflags) { 4753 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS; 4754 error = EINVAL; 4755 goto bail; 4756 } 4757 4758 if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL) { 4759 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_LIFETIME; 4760 error = EOPNOTSUPP; 4761 goto bail; 4762 } 4763 4764 if ((*diagnostic = sadb_hardsoftchk(hard, soft, idle)) != 0) { 4765 error = EINVAL; 4766 goto bail; 4767 } 4768 4769 if (ipsapp->ipsap_sa_ptr != NULL) { 4770 if (ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_DEAD) { 4771 error = ESRCH; /* DEAD == Not there, in this case. */ 4772 *diagnostic = SADB_X_DIAGNOSTIC_SA_EXPIRED; 4773 goto bail; 4774 } 4775 if ((kmp != 0) && 4776 ((ipsapp->ipsap_sa_ptr->ipsa_kmp != 0) || 4777 (ipsapp->ipsap_sa_ptr->ipsa_kmp != kmp))) { 4778 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 4779 error = EINVAL; 4780 goto bail; 4781 } 4782 if ((kmc != 0) && 4783 ((ipsapp->ipsap_sa_ptr->ipsa_kmc != 0) || 4784 (ipsapp->ipsap_sa_ptr->ipsa_kmc != kmc))) { 4785 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 4786 error = EINVAL; 4787 goto bail; 4788 } 4789 /* 4790 * Do not allow replay value change for MATURE or LARVAL SA. 4791 */ 4792 4793 if ((replext != NULL) && 4794 ((ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) || 4795 (ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_MATURE))) { 4796 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4797 error = EINVAL; 4798 goto bail; 4799 } 4800 } 4801 4802 if (ipsapp->ipsap_psa_ptr != NULL) { 4803 if (ipsapp->ipsap_psa_ptr->ipsa_state == IPSA_STATE_DEAD) { 4804 *diagnostic = SADB_X_DIAGNOSTIC_SA_EXPIRED; 4805 error = ESRCH; /* DEAD == Not there, in this case. */ 4806 goto bail; 4807 } 4808 if ((kmp != 0) && 4809 ((ipsapp->ipsap_psa_ptr->ipsa_kmp != 0) || 4810 (ipsapp->ipsap_psa_ptr->ipsa_kmp != kmp))) { 4811 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 4812 error = EINVAL; 4813 goto bail; 4814 } 4815 if ((kmc != 0) && 4816 ((ipsapp->ipsap_psa_ptr->ipsa_kmc != 0) || 4817 (ipsapp->ipsap_psa_ptr->ipsa_kmc != kmc))) { 4818 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 4819 error = EINVAL; 4820 goto bail; 4821 } 4822 } 4823 4824 if (ipsapp->ipsap_sa_ptr != NULL) { 4825 sadb_update_lifetimes(ipsapp->ipsap_sa_ptr, hard, soft, 4826 idle, B_TRUE); 4827 if (kmp != 0) 4828 ipsapp->ipsap_sa_ptr->ipsa_kmp = kmp; 4829 if (kmc != 0) 4830 ipsapp->ipsap_sa_ptr->ipsa_kmc = kmc; 4831 if ((replext != NULL) && 4832 (ipsapp->ipsap_sa_ptr->ipsa_replay_wsize != 0)) { 4833 /* 4834 * If an inbound SA, update the replay counter 4835 * and check off all the other sequence number 4836 */ 4837 if (ksi->ks_in_dsttype == KS_IN_ADDR_ME) { 4838 if (!sadb_replay_check(ipsapp->ipsap_sa_ptr, 4839 replext->sadb_x_rc_replay32)) { 4840 *diagnostic = 4841 SADB_X_DIAGNOSTIC_INVALID_REPLAY; 4842 error = EINVAL; 4843 goto bail; 4844 } 4845 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4846 ipsapp->ipsap_sa_ptr->ipsa_idleexpiretime = 4847 current + 4848 ipsapp->ipsap_sa_ptr->ipsa_idletime; 4849 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4850 } else { 4851 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4852 ipsapp->ipsap_sa_ptr->ipsa_replay = 4853 replext->sadb_x_rc_replay32; 4854 ipsapp->ipsap_sa_ptr->ipsa_idleexpiretime = 4855 current + 4856 ipsapp->ipsap_sa_ptr->ipsa_idletime; 4857 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4858 } 4859 } 4860 } 4861 4862 if (sadb_msg_type == SADB_X_UPDATEPAIR) { 4863 if (ipsapp->ipsap_psa_ptr != NULL) { 4864 sadb_update_lifetimes(ipsapp->ipsap_psa_ptr, hard, soft, 4865 idle, B_FALSE); 4866 if (kmp != 0) 4867 ipsapp->ipsap_psa_ptr->ipsa_kmp = kmp; 4868 if (kmc != 0) 4869 ipsapp->ipsap_psa_ptr->ipsa_kmc = kmc; 4870 } else { 4871 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 4872 error = ESRCH; 4873 goto bail; 4874 } 4875 } 4876 4877 if (pair_ext != NULL) 4878 error = update_pairing(ipsapp, ksi, diagnostic, spp); 4879 4880 if (error == 0) 4881 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 4882 ksi, echo_target); 4883 bail: 4884 4885 destroy_ipsa_pair(ipsapp); 4886 4887 return (error); 4888 } 4889 4890 4891 int 4892 update_pairing(ipsap_t *ipsapp, keysock_in_t *ksi, int *diagnostic, 4893 sadbp_t *spp) 4894 { 4895 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 4896 sadb_address_t *srcext = 4897 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 4898 sadb_address_t *dstext = 4899 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 4900 sadb_x_pair_t *pair_ext = 4901 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 4902 int error = 0; 4903 ipsap_t *oipsapp = NULL; 4904 boolean_t undo_pair = B_FALSE; 4905 uint32_t ipsa_flags; 4906 4907 if (pair_ext->sadb_x_pair_spi == 0 || pair_ext->sadb_x_pair_spi == 4908 assoc->sadb_sa_spi) { 4909 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4910 return (EINVAL); 4911 } 4912 4913 /* 4914 * Assume for now that the spi value provided in the SADB_UPDATE 4915 * message was valid, update the SA with its pair spi value. 4916 * If the spi turns out to be bogus or the SA no longer exists 4917 * then this will be detected when the reverse update is made 4918 * below. 4919 */ 4920 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4921 ipsapp->ipsap_sa_ptr->ipsa_flags |= IPSA_F_PAIRED; 4922 ipsapp->ipsap_sa_ptr->ipsa_otherspi = pair_ext->sadb_x_pair_spi; 4923 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4924 4925 /* 4926 * After updating the ipsa_otherspi element of the SA, get_ipsa_pair() 4927 * should now return pointers to the SA *AND* its pair, if this is not 4928 * the case, the "otherspi" either did not exist or was deleted. Also 4929 * check that "otherspi" is not already paired. If everything looks 4930 * good, complete the update. IPSA_REFRELE the first pair_pointer 4931 * after this update to ensure its not deleted until we are done. 4932 */ 4933 oipsapp = get_ipsa_pair(assoc, srcext, dstext, spp); 4934 if (oipsapp == NULL) { 4935 /* 4936 * This should never happen, calling function still has 4937 * IPSA_REFHELD on the SA we just updated. 4938 */ 4939 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 4940 return (EINVAL); 4941 } 4942 4943 if (oipsapp->ipsap_psa_ptr == NULL) { 4944 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4945 error = EINVAL; 4946 undo_pair = B_TRUE; 4947 } else { 4948 ipsa_flags = oipsapp->ipsap_psa_ptr->ipsa_flags; 4949 if ((oipsapp->ipsap_psa_ptr->ipsa_state == IPSA_STATE_DEAD) || 4950 (oipsapp->ipsap_psa_ptr->ipsa_state == IPSA_STATE_DYING)) { 4951 /* Its dead Jim! */ 4952 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4953 undo_pair = B_TRUE; 4954 } else if ((ipsa_flags & (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) == 4955 (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) { 4956 /* This SA is in both hashtables. */ 4957 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4958 undo_pair = B_TRUE; 4959 } else if (ipsa_flags & IPSA_F_PAIRED) { 4960 /* This SA is already paired with another. */ 4961 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY; 4962 undo_pair = B_TRUE; 4963 } 4964 } 4965 4966 if (undo_pair) { 4967 /* The pair SA does not exist. */ 4968 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4969 ipsapp->ipsap_sa_ptr->ipsa_flags &= ~IPSA_F_PAIRED; 4970 ipsapp->ipsap_sa_ptr->ipsa_otherspi = 0; 4971 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4972 } else { 4973 mutex_enter(&oipsapp->ipsap_psa_ptr->ipsa_lock); 4974 oipsapp->ipsap_psa_ptr->ipsa_otherspi = assoc->sadb_sa_spi; 4975 oipsapp->ipsap_psa_ptr->ipsa_flags |= IPSA_F_PAIRED; 4976 mutex_exit(&oipsapp->ipsap_psa_ptr->ipsa_lock); 4977 } 4978 4979 destroy_ipsa_pair(oipsapp); 4980 return (error); 4981 } 4982 4983 /* 4984 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is 4985 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails 4986 * for an outbound datagram, that datagram is queued up on an ACQUIRE record, 4987 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key 4988 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve 4989 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the 4990 * other direction's SA. 4991 */ 4992 4993 /* 4994 * Check the ACQUIRE lists. If there's an existing ACQUIRE record, 4995 * grab it, lock it, and return it. Otherwise return NULL. 4996 */ 4997 static ipsacq_t * 4998 sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp, 4999 uint32_t *src, uint32_t *dst, uint32_t *isrc, uint32_t *idst, 5000 uint64_t unique_id) 5001 { 5002 ipsacq_t *walker; 5003 sa_family_t fam; 5004 uint32_t blank_address[4] = {0, 0, 0, 0}; 5005 5006 if (isrc == NULL) { 5007 ASSERT(idst == NULL); 5008 isrc = idst = blank_address; 5009 } 5010 5011 /* 5012 * Scan list for duplicates. Check for UNIQUE, src/dest, policy. 5013 * 5014 * XXX May need search for duplicates based on other things too! 5015 */ 5016 for (walker = bucket->iacqf_ipsacq; walker != NULL; 5017 walker = walker->ipsacq_next) { 5018 mutex_enter(&walker->ipsacq_lock); 5019 fam = walker->ipsacq_addrfam; 5020 if (IPSA_ARE_ADDR_EQUAL(dst, walker->ipsacq_dstaddr, fam) && 5021 IPSA_ARE_ADDR_EQUAL(src, walker->ipsacq_srcaddr, fam) && 5022 ip_addr_match((uint8_t *)isrc, walker->ipsacq_innersrcpfx, 5023 (in6_addr_t *)walker->ipsacq_innersrc) && 5024 ip_addr_match((uint8_t *)idst, walker->ipsacq_innerdstpfx, 5025 (in6_addr_t *)walker->ipsacq_innerdst) && 5026 (ap == walker->ipsacq_act) && 5027 (pp == walker->ipsacq_policy) && 5028 /* XXX do deep compares of ap/pp? */ 5029 (unique_id == walker->ipsacq_unique_id)) 5030 break; /* everything matched */ 5031 mutex_exit(&walker->ipsacq_lock); 5032 } 5033 5034 return (walker); 5035 } 5036 5037 /* 5038 * For this mblk, insert a new acquire record. Assume bucket contains addrs 5039 * of all of the same length. Give up (and drop) if memory 5040 * cannot be allocated for a new one; otherwise, invoke callback to 5041 * send the acquire up.. 5042 * 5043 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE 5044 * list. The ah_add_sa_finish() routines can look at the packet's ipsec_out_t 5045 * and handle this case specially. 5046 */ 5047 void 5048 sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp) 5049 { 5050 sadbp_t *spp; 5051 sadb_t *sp; 5052 ipsacq_t *newbie; 5053 iacqf_t *bucket; 5054 mblk_t *datamp = mp->b_cont; 5055 mblk_t *extended; 5056 ipha_t *ipha = (ipha_t *)datamp->b_rptr; 5057 ip6_t *ip6h = (ip6_t *)datamp->b_rptr; 5058 uint32_t *src, *dst, *isrc, *idst; 5059 ipsec_policy_t *pp = io->ipsec_out_policy; 5060 ipsec_action_t *ap = io->ipsec_out_act; 5061 sa_family_t af; 5062 int hashoffset; 5063 uint32_t seq; 5064 uint64_t unique_id = 0; 5065 ipsec_selector_t sel; 5066 boolean_t tunnel_mode = io->ipsec_out_tunnel; 5067 netstack_t *ns = io->ipsec_out_ns; 5068 ipsec_stack_t *ipss = ns->netstack_ipsec; 5069 5070 ASSERT((pp != NULL) || (ap != NULL)); 5071 5072 ASSERT(need_ah != NULL || need_esp != NULL); 5073 /* Assign sadb pointers */ 5074 if (need_esp) { /* ESP for AH+ESP */ 5075 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 5076 5077 spp = &espstack->esp_sadb; 5078 } else { 5079 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 5080 5081 spp = &ahstack->ah_sadb; 5082 } 5083 sp = io->ipsec_out_v4 ? &spp->s_v4 : &spp->s_v6; 5084 5085 if (ap == NULL) 5086 ap = pp->ipsp_act; 5087 5088 ASSERT(ap != NULL); 5089 5090 if (ap->ipa_act.ipa_apply.ipp_use_unique || tunnel_mode) 5091 unique_id = SA_FORM_UNIQUE_ID(io); 5092 5093 /* 5094 * Set up an ACQUIRE record. 5095 * 5096 * Immediately, make sure the ACQUIRE sequence number doesn't slip 5097 * below the lowest point allowed in the kernel. (In other words, 5098 * make sure the high bit on the sequence number is set.) 5099 */ 5100 5101 seq = keysock_next_seq(ns) | IACQF_LOWEST_SEQ; 5102 5103 if (IPH_HDR_VERSION(ipha) == IP_VERSION) { 5104 src = (uint32_t *)&ipha->ipha_src; 5105 dst = (uint32_t *)&ipha->ipha_dst; 5106 af = AF_INET; 5107 hashoffset = OUTBOUND_HASH_V4(sp, ipha->ipha_dst); 5108 ASSERT(io->ipsec_out_v4 == B_TRUE); 5109 } else { 5110 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION); 5111 src = (uint32_t *)&ip6h->ip6_src; 5112 dst = (uint32_t *)&ip6h->ip6_dst; 5113 af = AF_INET6; 5114 hashoffset = OUTBOUND_HASH_V6(sp, ip6h->ip6_dst); 5115 ASSERT(io->ipsec_out_v4 == B_FALSE); 5116 } 5117 5118 if (tunnel_mode) { 5119 if (pp == NULL) { 5120 /* 5121 * Tunnel mode with no policy pointer means this is a 5122 * reflected ICMP (like a ECHO REQUEST) that came in 5123 * with self-encapsulated protection. Until we better 5124 * support this, drop the packet. 5125 */ 5126 ip_drop_packet(mp, B_FALSE, NULL, NULL, 5127 DROPPER(ipss, ipds_spd_got_selfencap), 5128 &ipss->ipsec_spd_dropper); 5129 return; 5130 } 5131 /* Snag inner addresses. */ 5132 isrc = io->ipsec_out_insrc; 5133 idst = io->ipsec_out_indst; 5134 } else { 5135 isrc = idst = NULL; 5136 } 5137 5138 /* 5139 * Check buckets to see if there is an existing entry. If so, 5140 * grab it. sadb_checkacquire locks newbie if found. 5141 */ 5142 bucket = &(sp->sdb_acq[hashoffset]); 5143 mutex_enter(&bucket->iacqf_lock); 5144 newbie = sadb_checkacquire(bucket, ap, pp, src, dst, isrc, idst, 5145 unique_id); 5146 5147 if (newbie == NULL) { 5148 /* 5149 * Otherwise, allocate a new one. 5150 */ 5151 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP); 5152 if (newbie == NULL) { 5153 mutex_exit(&bucket->iacqf_lock); 5154 ip_drop_packet(mp, B_FALSE, NULL, NULL, 5155 DROPPER(ipss, ipds_sadb_acquire_nomem), 5156 &ipss->ipsec_sadb_dropper); 5157 return; 5158 } 5159 newbie->ipsacq_policy = pp; 5160 if (pp != NULL) { 5161 IPPOL_REFHOLD(pp); 5162 } 5163 IPACT_REFHOLD(ap); 5164 newbie->ipsacq_act = ap; 5165 newbie->ipsacq_linklock = &bucket->iacqf_lock; 5166 newbie->ipsacq_next = bucket->iacqf_ipsacq; 5167 newbie->ipsacq_ptpn = &bucket->iacqf_ipsacq; 5168 if (newbie->ipsacq_next != NULL) 5169 newbie->ipsacq_next->ipsacq_ptpn = &newbie->ipsacq_next; 5170 bucket->iacqf_ipsacq = newbie; 5171 mutex_init(&newbie->ipsacq_lock, NULL, MUTEX_DEFAULT, NULL); 5172 mutex_enter(&newbie->ipsacq_lock); 5173 } 5174 5175 mutex_exit(&bucket->iacqf_lock); 5176 5177 /* 5178 * This assert looks silly for now, but we may need to enter newbie's 5179 * mutex during a search. 5180 */ 5181 ASSERT(MUTEX_HELD(&newbie->ipsacq_lock)); 5182 5183 mp->b_next = NULL; 5184 /* Queue up packet. Use b_next. */ 5185 if (newbie->ipsacq_numpackets == 0) { 5186 /* First one. */ 5187 newbie->ipsacq_mp = mp; 5188 newbie->ipsacq_numpackets = 1; 5189 newbie->ipsacq_expire = gethrestime_sec(); 5190 /* 5191 * Extended ACQUIRE with both AH+ESP will use ESP's timeout 5192 * value. 5193 */ 5194 newbie->ipsacq_expire += *spp->s_acquire_timeout; 5195 newbie->ipsacq_seq = seq; 5196 newbie->ipsacq_addrfam = af; 5197 5198 newbie->ipsacq_srcport = io->ipsec_out_src_port; 5199 newbie->ipsacq_dstport = io->ipsec_out_dst_port; 5200 newbie->ipsacq_icmp_type = io->ipsec_out_icmp_type; 5201 newbie->ipsacq_icmp_code = io->ipsec_out_icmp_code; 5202 if (tunnel_mode) { 5203 newbie->ipsacq_inneraddrfam = io->ipsec_out_inaf; 5204 newbie->ipsacq_proto = io->ipsec_out_inaf == AF_INET6 ? 5205 IPPROTO_IPV6 : IPPROTO_ENCAP; 5206 newbie->ipsacq_innersrcpfx = io->ipsec_out_insrcpfx; 5207 newbie->ipsacq_innerdstpfx = io->ipsec_out_indstpfx; 5208 IPSA_COPY_ADDR(newbie->ipsacq_innersrc, 5209 io->ipsec_out_insrc, io->ipsec_out_inaf); 5210 IPSA_COPY_ADDR(newbie->ipsacq_innerdst, 5211 io->ipsec_out_indst, io->ipsec_out_inaf); 5212 } else { 5213 newbie->ipsacq_proto = io->ipsec_out_proto; 5214 } 5215 newbie->ipsacq_unique_id = unique_id; 5216 } else { 5217 /* Scan to the end of the list & insert. */ 5218 mblk_t *lastone = newbie->ipsacq_mp; 5219 5220 while (lastone->b_next != NULL) 5221 lastone = lastone->b_next; 5222 lastone->b_next = mp; 5223 if (newbie->ipsacq_numpackets++ == ipsacq_maxpackets) { 5224 newbie->ipsacq_numpackets = ipsacq_maxpackets; 5225 lastone = newbie->ipsacq_mp; 5226 newbie->ipsacq_mp = lastone->b_next; 5227 lastone->b_next = NULL; 5228 ip_drop_packet(lastone, B_FALSE, NULL, NULL, 5229 DROPPER(ipss, ipds_sadb_acquire_toofull), 5230 &ipss->ipsec_sadb_dropper); 5231 } else { 5232 IP_ACQUIRE_STAT(ipss, qhiwater, 5233 newbie->ipsacq_numpackets); 5234 } 5235 } 5236 5237 /* 5238 * Reset addresses. Set them to the most recently added mblk chain, 5239 * so that the address pointers in the acquire record will point 5240 * at an mblk still attached to the acquire list. 5241 */ 5242 5243 newbie->ipsacq_srcaddr = src; 5244 newbie->ipsacq_dstaddr = dst; 5245 5246 /* 5247 * If the acquire record has more than one queued packet, we've 5248 * already sent an ACQUIRE, and don't need to repeat ourself. 5249 */ 5250 if (newbie->ipsacq_seq != seq || newbie->ipsacq_numpackets > 1) { 5251 /* I have an acquire outstanding already! */ 5252 mutex_exit(&newbie->ipsacq_lock); 5253 return; 5254 } 5255 5256 if (keysock_extended_reg(ns)) { 5257 /* 5258 * Construct an extended ACQUIRE. There are logging 5259 * opportunities here in failure cases. 5260 */ 5261 5262 (void) memset(&sel, 0, sizeof (sel)); 5263 sel.ips_isv4 = io->ipsec_out_v4; 5264 if (tunnel_mode) { 5265 sel.ips_protocol = (io->ipsec_out_inaf == AF_INET) ? 5266 IPPROTO_ENCAP : IPPROTO_IPV6; 5267 } else { 5268 sel.ips_protocol = io->ipsec_out_proto; 5269 sel.ips_local_port = io->ipsec_out_src_port; 5270 sel.ips_remote_port = io->ipsec_out_dst_port; 5271 } 5272 sel.ips_icmp_type = io->ipsec_out_icmp_type; 5273 sel.ips_icmp_code = io->ipsec_out_icmp_code; 5274 sel.ips_is_icmp_inv_acq = 0; 5275 if (af == AF_INET) { 5276 sel.ips_local_addr_v4 = ipha->ipha_src; 5277 sel.ips_remote_addr_v4 = ipha->ipha_dst; 5278 } else { 5279 sel.ips_local_addr_v6 = ip6h->ip6_src; 5280 sel.ips_remote_addr_v6 = ip6h->ip6_dst; 5281 } 5282 5283 extended = sadb_keysock_out(0); 5284 if (extended != NULL) { 5285 extended->b_cont = sadb_extended_acquire(&sel, pp, ap, 5286 tunnel_mode, seq, 0, ns); 5287 if (extended->b_cont == NULL) { 5288 freeb(extended); 5289 extended = NULL; 5290 } 5291 } 5292 } else 5293 extended = NULL; 5294 5295 /* 5296 * Send an ACQUIRE message (and possible an extended ACQUIRE) based on 5297 * this new record. The send-acquire callback assumes that acqrec is 5298 * already locked. 5299 */ 5300 (*spp->s_acqfn)(newbie, extended, ns); 5301 } 5302 5303 /* 5304 * Unlink and free an acquire record. 5305 */ 5306 void 5307 sadb_destroy_acquire(ipsacq_t *acqrec, netstack_t *ns) 5308 { 5309 mblk_t *mp; 5310 ipsec_stack_t *ipss = ns->netstack_ipsec; 5311 5312 ASSERT(MUTEX_HELD(acqrec->ipsacq_linklock)); 5313 5314 if (acqrec->ipsacq_policy != NULL) { 5315 IPPOL_REFRELE(acqrec->ipsacq_policy, ns); 5316 } 5317 if (acqrec->ipsacq_act != NULL) { 5318 IPACT_REFRELE(acqrec->ipsacq_act); 5319 } 5320 5321 /* Unlink */ 5322 *(acqrec->ipsacq_ptpn) = acqrec->ipsacq_next; 5323 if (acqrec->ipsacq_next != NULL) 5324 acqrec->ipsacq_next->ipsacq_ptpn = acqrec->ipsacq_ptpn; 5325 5326 /* 5327 * Free hanging mp's. 5328 * 5329 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED. 5330 */ 5331 5332 mutex_enter(&acqrec->ipsacq_lock); 5333 while (acqrec->ipsacq_mp != NULL) { 5334 mp = acqrec->ipsacq_mp; 5335 acqrec->ipsacq_mp = mp->b_next; 5336 mp->b_next = NULL; 5337 ip_drop_packet(mp, B_FALSE, NULL, NULL, 5338 DROPPER(ipss, ipds_sadb_acquire_timeout), 5339 &ipss->ipsec_sadb_dropper); 5340 } 5341 mutex_exit(&acqrec->ipsacq_lock); 5342 5343 /* Free */ 5344 mutex_destroy(&acqrec->ipsacq_lock); 5345 kmem_free(acqrec, sizeof (*acqrec)); 5346 } 5347 5348 /* 5349 * Destroy an acquire list fanout. 5350 */ 5351 static void 5352 sadb_destroy_acqlist(iacqf_t **listp, uint_t numentries, boolean_t forever, 5353 netstack_t *ns) 5354 { 5355 int i; 5356 iacqf_t *list = *listp; 5357 5358 if (list == NULL) 5359 return; 5360 5361 for (i = 0; i < numentries; i++) { 5362 mutex_enter(&(list[i].iacqf_lock)); 5363 while (list[i].iacqf_ipsacq != NULL) 5364 sadb_destroy_acquire(list[i].iacqf_ipsacq, ns); 5365 mutex_exit(&(list[i].iacqf_lock)); 5366 if (forever) 5367 mutex_destroy(&(list[i].iacqf_lock)); 5368 } 5369 5370 if (forever) { 5371 *listp = NULL; 5372 kmem_free(list, numentries * sizeof (*list)); 5373 } 5374 } 5375 5376 /* 5377 * Create an algorithm descriptor for an extended ACQUIRE. Filter crypto 5378 * framework's view of reality vs. IPsec's. EF's wins, BTW. 5379 */ 5380 static uint8_t * 5381 sadb_new_algdesc(uint8_t *start, uint8_t *limit, 5382 sadb_x_ecomb_t *ecomb, uint8_t satype, uint8_t algtype, 5383 uint8_t alg, uint16_t minbits, uint16_t maxbits, ipsec_stack_t *ipss) 5384 { 5385 uint8_t *cur = start; 5386 ipsec_alginfo_t *algp; 5387 sadb_x_algdesc_t *algdesc = (sadb_x_algdesc_t *)cur; 5388 5389 cur += sizeof (*algdesc); 5390 if (cur >= limit) 5391 return (NULL); 5392 5393 ecomb->sadb_x_ecomb_numalgs++; 5394 5395 /* 5396 * Normalize vs. crypto framework's limits. This way, you can specify 5397 * a stronger policy, and when the framework loads a stronger version, 5398 * you can just keep plowing w/o rewhacking your SPD. 5399 */ 5400 mutex_enter(&ipss->ipsec_alg_lock); 5401 algp = ipss->ipsec_alglists[(algtype == SADB_X_ALGTYPE_AUTH) ? 5402 IPSEC_ALG_AUTH : IPSEC_ALG_ENCR][alg]; 5403 if (algp == NULL) { 5404 mutex_exit(&ipss->ipsec_alg_lock); 5405 return (NULL); /* Algorithm doesn't exist. Fail gracefully. */ 5406 } 5407 if (minbits < algp->alg_ef_minbits) 5408 minbits = algp->alg_ef_minbits; 5409 if (maxbits > algp->alg_ef_maxbits) 5410 maxbits = algp->alg_ef_maxbits; 5411 mutex_exit(&ipss->ipsec_alg_lock); 5412 5413 algdesc->sadb_x_algdesc_satype = satype; 5414 algdesc->sadb_x_algdesc_algtype = algtype; 5415 algdesc->sadb_x_algdesc_alg = alg; 5416 algdesc->sadb_x_algdesc_minbits = minbits; 5417 algdesc->sadb_x_algdesc_maxbits = maxbits; 5418 algdesc->sadb_x_algdesc_reserved = 0; 5419 return (cur); 5420 } 5421 5422 /* 5423 * Convert the given ipsec_action_t into an ecomb starting at *ecomb 5424 * which must fit before *limit 5425 * 5426 * return NULL if we ran out of room or a pointer to the end of the ecomb. 5427 */ 5428 static uint8_t * 5429 sadb_action_to_ecomb(uint8_t *start, uint8_t *limit, ipsec_action_t *act, 5430 netstack_t *ns) 5431 { 5432 uint8_t *cur = start; 5433 sadb_x_ecomb_t *ecomb = (sadb_x_ecomb_t *)cur; 5434 ipsec_prot_t *ipp; 5435 ipsec_stack_t *ipss = ns->netstack_ipsec; 5436 5437 cur += sizeof (*ecomb); 5438 if (cur >= limit) 5439 return (NULL); 5440 5441 ASSERT(act->ipa_act.ipa_type == IPSEC_ACT_APPLY); 5442 5443 ipp = &act->ipa_act.ipa_apply; 5444 5445 ecomb->sadb_x_ecomb_numalgs = 0; 5446 ecomb->sadb_x_ecomb_reserved = 0; 5447 ecomb->sadb_x_ecomb_reserved2 = 0; 5448 /* 5449 * No limits on allocations, since we really don't support that 5450 * concept currently. 5451 */ 5452 ecomb->sadb_x_ecomb_soft_allocations = 0; 5453 ecomb->sadb_x_ecomb_hard_allocations = 0; 5454 5455 /* 5456 * XXX TBD: Policy or global parameters will eventually be 5457 * able to fill in some of these. 5458 */ 5459 ecomb->sadb_x_ecomb_flags = 0; 5460 ecomb->sadb_x_ecomb_soft_bytes = 0; 5461 ecomb->sadb_x_ecomb_hard_bytes = 0; 5462 ecomb->sadb_x_ecomb_soft_addtime = 0; 5463 ecomb->sadb_x_ecomb_hard_addtime = 0; 5464 ecomb->sadb_x_ecomb_soft_usetime = 0; 5465 ecomb->sadb_x_ecomb_hard_usetime = 0; 5466 5467 if (ipp->ipp_use_ah) { 5468 cur = sadb_new_algdesc(cur, limit, ecomb, 5469 SADB_SATYPE_AH, SADB_X_ALGTYPE_AUTH, ipp->ipp_auth_alg, 5470 ipp->ipp_ah_minbits, ipp->ipp_ah_maxbits, ipss); 5471 if (cur == NULL) 5472 return (NULL); 5473 ipsecah_fill_defs(ecomb, ns); 5474 } 5475 5476 if (ipp->ipp_use_esp) { 5477 if (ipp->ipp_use_espa) { 5478 cur = sadb_new_algdesc(cur, limit, ecomb, 5479 SADB_SATYPE_ESP, SADB_X_ALGTYPE_AUTH, 5480 ipp->ipp_esp_auth_alg, 5481 ipp->ipp_espa_minbits, 5482 ipp->ipp_espa_maxbits, ipss); 5483 if (cur == NULL) 5484 return (NULL); 5485 } 5486 5487 cur = sadb_new_algdesc(cur, limit, ecomb, 5488 SADB_SATYPE_ESP, SADB_X_ALGTYPE_CRYPT, 5489 ipp->ipp_encr_alg, 5490 ipp->ipp_espe_minbits, 5491 ipp->ipp_espe_maxbits, ipss); 5492 if (cur == NULL) 5493 return (NULL); 5494 /* Fill in lifetimes if and only if AH didn't already... */ 5495 if (!ipp->ipp_use_ah) 5496 ipsecesp_fill_defs(ecomb, ns); 5497 } 5498 5499 return (cur); 5500 } 5501 5502 /* 5503 * Construct an extended ACQUIRE message based on a selector and the resulting 5504 * IPsec action. 5505 * 5506 * NOTE: This is used by both inverse ACQUIRE and actual ACQUIRE 5507 * generation. As a consequence, expect this function to evolve 5508 * rapidly. 5509 */ 5510 static mblk_t * 5511 sadb_extended_acquire(ipsec_selector_t *sel, ipsec_policy_t *pol, 5512 ipsec_action_t *act, boolean_t tunnel_mode, uint32_t seq, uint32_t pid, 5513 netstack_t *ns) 5514 { 5515 mblk_t *mp; 5516 sadb_msg_t *samsg; 5517 uint8_t *start, *cur, *end; 5518 uint32_t *saddrptr, *daddrptr; 5519 sa_family_t af; 5520 sadb_prop_t *eprop; 5521 ipsec_action_t *ap, *an; 5522 ipsec_selkey_t *ipsl; 5523 uint8_t proto, pfxlen; 5524 uint16_t lport, rport; 5525 uint32_t kmp, kmc; 5526 5527 /* 5528 * Find the action we want sooner rather than later.. 5529 */ 5530 an = NULL; 5531 if (pol == NULL) { 5532 ap = act; 5533 } else { 5534 ap = pol->ipsp_act; 5535 5536 if (ap != NULL) 5537 an = ap->ipa_next; 5538 } 5539 5540 /* 5541 * Just take a swag for the allocation for now. We can always 5542 * alter it later. 5543 */ 5544 #define SADB_EXTENDED_ACQUIRE_SIZE 4096 5545 mp = allocb(SADB_EXTENDED_ACQUIRE_SIZE, BPRI_HI); 5546 if (mp == NULL) 5547 return (NULL); 5548 5549 start = mp->b_rptr; 5550 end = start + SADB_EXTENDED_ACQUIRE_SIZE; 5551 5552 cur = start; 5553 5554 samsg = (sadb_msg_t *)cur; 5555 cur += sizeof (*samsg); 5556 5557 samsg->sadb_msg_version = PF_KEY_V2; 5558 samsg->sadb_msg_type = SADB_ACQUIRE; 5559 samsg->sadb_msg_errno = 0; 5560 samsg->sadb_msg_reserved = 0; 5561 samsg->sadb_msg_satype = 0; 5562 samsg->sadb_msg_seq = seq; 5563 samsg->sadb_msg_pid = pid; 5564 5565 if (tunnel_mode) { 5566 /* 5567 * Form inner address extensions based NOT on the inner 5568 * selectors (i.e. the packet data), but on the policy's 5569 * selector key (i.e. the policy's selector information). 5570 * 5571 * NOTE: The position of IPv4 and IPv6 addresses is the 5572 * same in ipsec_selkey_t (unless the compiler does very 5573 * strange things with unions, consult your local C language 5574 * lawyer for details). 5575 */ 5576 ASSERT(pol != NULL); 5577 5578 ipsl = &(pol->ipsp_sel->ipsl_key); 5579 if (ipsl->ipsl_valid & IPSL_IPV4) { 5580 af = AF_INET; 5581 ASSERT(sel->ips_protocol == IPPROTO_ENCAP); 5582 ASSERT(!(ipsl->ipsl_valid & IPSL_IPV6)); 5583 } else { 5584 af = AF_INET6; 5585 ASSERT(sel->ips_protocol == IPPROTO_IPV6); 5586 ASSERT(ipsl->ipsl_valid & IPSL_IPV6); 5587 } 5588 5589 if (ipsl->ipsl_valid & IPSL_LOCAL_ADDR) { 5590 saddrptr = (uint32_t *)(&ipsl->ipsl_local); 5591 pfxlen = ipsl->ipsl_local_pfxlen; 5592 } else { 5593 saddrptr = (uint32_t *)(&ipv6_all_zeros); 5594 pfxlen = 0; 5595 } 5596 /* XXX What about ICMP type/code? */ 5597 lport = (ipsl->ipsl_valid & IPSL_LOCAL_PORT) ? 5598 ipsl->ipsl_lport : 0; 5599 proto = (ipsl->ipsl_valid & IPSL_PROTOCOL) ? 5600 ipsl->ipsl_proto : 0; 5601 5602 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 5603 af, saddrptr, lport, proto, pfxlen); 5604 if (cur == NULL) { 5605 freeb(mp); 5606 return (NULL); 5607 } 5608 5609 if (ipsl->ipsl_valid & IPSL_REMOTE_ADDR) { 5610 daddrptr = (uint32_t *)(&ipsl->ipsl_remote); 5611 pfxlen = ipsl->ipsl_remote_pfxlen; 5612 } else { 5613 daddrptr = (uint32_t *)(&ipv6_all_zeros); 5614 pfxlen = 0; 5615 } 5616 /* XXX What about ICMP type/code? */ 5617 rport = (ipsl->ipsl_valid & IPSL_REMOTE_PORT) ? 5618 ipsl->ipsl_rport : 0; 5619 5620 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 5621 af, daddrptr, rport, proto, pfxlen); 5622 if (cur == NULL) { 5623 freeb(mp); 5624 return (NULL); 5625 } 5626 /* 5627 * TODO - if we go to 3408's dream of transport mode IP-in-IP 5628 * _with_ inner-packet address selectors, we'll need to further 5629 * distinguish tunnel mode here. For now, having inner 5630 * addresses and/or ports is sufficient. 5631 * 5632 * Meanwhile, whack proto/ports to reflect IP-in-IP for the 5633 * outer addresses. 5634 */ 5635 proto = sel->ips_protocol; /* Either _ENCAP or _IPV6 */ 5636 lport = rport = 0; 5637 } else if ((ap != NULL) && (!ap->ipa_want_unique)) { 5638 proto = 0; 5639 lport = 0; 5640 rport = 0; 5641 if (pol != NULL) { 5642 ipsl = &(pol->ipsp_sel->ipsl_key); 5643 if (ipsl->ipsl_valid & IPSL_PROTOCOL) 5644 proto = ipsl->ipsl_proto; 5645 if (ipsl->ipsl_valid & IPSL_REMOTE_PORT) 5646 rport = ipsl->ipsl_rport; 5647 if (ipsl->ipsl_valid & IPSL_LOCAL_PORT) 5648 lport = ipsl->ipsl_lport; 5649 } 5650 } else { 5651 proto = sel->ips_protocol; 5652 lport = sel->ips_local_port; 5653 rport = sel->ips_remote_port; 5654 } 5655 5656 af = sel->ips_isv4 ? AF_INET : AF_INET6; 5657 5658 /* 5659 * NOTE: The position of IPv4 and IPv6 addresses is the same in 5660 * ipsec_selector_t. 5661 */ 5662 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 5663 (uint32_t *)(&sel->ips_local_addr_v6), lport, proto, 0); 5664 5665 if (cur == NULL) { 5666 freeb(mp); 5667 return (NULL); 5668 } 5669 5670 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 5671 (uint32_t *)(&sel->ips_remote_addr_v6), rport, proto, 0); 5672 5673 if (cur == NULL) { 5674 freeb(mp); 5675 return (NULL); 5676 } 5677 5678 /* 5679 * This section will change a lot as policy evolves. 5680 * For now, it'll be relatively simple. 5681 */ 5682 eprop = (sadb_prop_t *)cur; 5683 cur += sizeof (*eprop); 5684 if (cur > end) { 5685 /* no space left */ 5686 freeb(mp); 5687 return (NULL); 5688 } 5689 5690 eprop->sadb_prop_exttype = SADB_X_EXT_EPROP; 5691 eprop->sadb_x_prop_ereserved = 0; 5692 eprop->sadb_x_prop_numecombs = 0; 5693 eprop->sadb_prop_replay = 32; /* default */ 5694 5695 kmc = kmp = 0; 5696 5697 for (; ap != NULL; ap = an) { 5698 an = (pol != NULL) ? ap->ipa_next : NULL; 5699 5700 /* 5701 * Skip non-IPsec policies 5702 */ 5703 if (ap->ipa_act.ipa_type != IPSEC_ACT_APPLY) 5704 continue; 5705 5706 if (ap->ipa_act.ipa_apply.ipp_km_proto) 5707 kmp = ap->ipa_act.ipa_apply.ipp_km_proto; 5708 if (ap->ipa_act.ipa_apply.ipp_km_cookie) 5709 kmc = ap->ipa_act.ipa_apply.ipp_km_cookie; 5710 if (ap->ipa_act.ipa_apply.ipp_replay_depth) { 5711 eprop->sadb_prop_replay = 5712 ap->ipa_act.ipa_apply.ipp_replay_depth; 5713 } 5714 5715 cur = sadb_action_to_ecomb(cur, end, ap, ns); 5716 if (cur == NULL) { /* no space */ 5717 freeb(mp); 5718 return (NULL); 5719 } 5720 eprop->sadb_x_prop_numecombs++; 5721 } 5722 5723 if (eprop->sadb_x_prop_numecombs == 0) { 5724 /* 5725 * This will happen if we fail to find a policy 5726 * allowing for IPsec processing. 5727 * Construct an error message. 5728 */ 5729 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 5730 samsg->sadb_msg_errno = ENOENT; 5731 samsg->sadb_x_msg_diagnostic = 0; 5732 return (mp); 5733 } 5734 5735 if ((kmp != 0) || (kmc != 0)) { 5736 cur = sadb_make_kmc_ext(cur, end, kmp, kmc); 5737 if (cur == NULL) { 5738 freeb(mp); 5739 return (NULL); 5740 } 5741 } 5742 5743 eprop->sadb_prop_len = SADB_8TO64(cur - (uint8_t *)eprop); 5744 samsg->sadb_msg_len = SADB_8TO64(cur - start); 5745 mp->b_wptr = cur; 5746 5747 return (mp); 5748 } 5749 5750 /* 5751 * Generic setup of an RFC 2367 ACQUIRE message. Caller sets satype. 5752 * 5753 * NOTE: This function acquires alg_lock as a side-effect if-and-only-if we 5754 * succeed (i.e. return non-NULL). Caller MUST release it. This is to 5755 * maximize code consolidation while preventing algorithm changes from messing 5756 * with the callers finishing touches on the ACQUIRE itself. 5757 */ 5758 mblk_t * 5759 sadb_setup_acquire(ipsacq_t *acqrec, uint8_t satype, ipsec_stack_t *ipss) 5760 { 5761 uint_t allocsize; 5762 mblk_t *pfkeymp, *msgmp; 5763 sa_family_t af; 5764 uint8_t *cur, *end; 5765 sadb_msg_t *samsg; 5766 uint16_t sport_typecode; 5767 uint16_t dport_typecode; 5768 uint8_t check_proto; 5769 boolean_t tunnel_mode = (acqrec->ipsacq_inneraddrfam != 0); 5770 5771 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock)); 5772 5773 pfkeymp = sadb_keysock_out(0); 5774 if (pfkeymp == NULL) 5775 return (NULL); 5776 5777 /* 5778 * First, allocate a basic ACQUIRE message 5779 */ 5780 allocsize = sizeof (sadb_msg_t) + sizeof (sadb_address_t) + 5781 sizeof (sadb_address_t) + sizeof (sadb_prop_t); 5782 5783 /* Make sure there's enough to cover both AF_INET and AF_INET6. */ 5784 allocsize += 2 * sizeof (struct sockaddr_in6); 5785 5786 mutex_enter(&ipss->ipsec_alg_lock); 5787 /* NOTE: The lock is now held through to this function's return. */ 5788 allocsize += ipss->ipsec_nalgs[IPSEC_ALG_AUTH] * 5789 ipss->ipsec_nalgs[IPSEC_ALG_ENCR] * sizeof (sadb_comb_t); 5790 5791 if (tunnel_mode) { 5792 /* Tunnel mode! */ 5793 allocsize += 2 * sizeof (sadb_address_t); 5794 /* Enough to cover both AF_INET and AF_INET6. */ 5795 allocsize += 2 * sizeof (struct sockaddr_in6); 5796 } 5797 5798 msgmp = allocb(allocsize, BPRI_HI); 5799 if (msgmp == NULL) { 5800 freeb(pfkeymp); 5801 mutex_exit(&ipss->ipsec_alg_lock); 5802 return (NULL); 5803 } 5804 5805 pfkeymp->b_cont = msgmp; 5806 cur = msgmp->b_rptr; 5807 end = cur + allocsize; 5808 samsg = (sadb_msg_t *)cur; 5809 cur += sizeof (sadb_msg_t); 5810 5811 af = acqrec->ipsacq_addrfam; 5812 switch (af) { 5813 case AF_INET: 5814 check_proto = IPPROTO_ICMP; 5815 break; 5816 case AF_INET6: 5817 check_proto = IPPROTO_ICMPV6; 5818 break; 5819 default: 5820 /* This should never happen unless we have kernel bugs. */ 5821 cmn_err(CE_WARN, 5822 "sadb_setup_acquire: corrupt ACQUIRE record.\n"); 5823 ASSERT(0); 5824 mutex_exit(&ipss->ipsec_alg_lock); 5825 return (NULL); 5826 } 5827 5828 samsg->sadb_msg_version = PF_KEY_V2; 5829 samsg->sadb_msg_type = SADB_ACQUIRE; 5830 samsg->sadb_msg_satype = satype; 5831 samsg->sadb_msg_errno = 0; 5832 samsg->sadb_msg_pid = 0; 5833 samsg->sadb_msg_reserved = 0; 5834 samsg->sadb_msg_seq = acqrec->ipsacq_seq; 5835 5836 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock)); 5837 5838 if ((acqrec->ipsacq_proto == check_proto) || tunnel_mode) { 5839 sport_typecode = dport_typecode = 0; 5840 } else { 5841 sport_typecode = acqrec->ipsacq_srcport; 5842 dport_typecode = acqrec->ipsacq_dstport; 5843 } 5844 5845 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 5846 acqrec->ipsacq_srcaddr, sport_typecode, acqrec->ipsacq_proto, 0); 5847 5848 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 5849 acqrec->ipsacq_dstaddr, dport_typecode, acqrec->ipsacq_proto, 0); 5850 5851 if (tunnel_mode) { 5852 sport_typecode = acqrec->ipsacq_srcport; 5853 dport_typecode = acqrec->ipsacq_dstport; 5854 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 5855 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innersrc, 5856 sport_typecode, acqrec->ipsacq_inner_proto, 5857 acqrec->ipsacq_innersrcpfx); 5858 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 5859 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innerdst, 5860 dport_typecode, acqrec->ipsacq_inner_proto, 5861 acqrec->ipsacq_innerdstpfx); 5862 } 5863 5864 /* XXX Insert identity information here. */ 5865 5866 /* XXXMLS Insert sensitivity information here. */ 5867 5868 if (cur != NULL) 5869 samsg->sadb_msg_len = SADB_8TO64(cur - msgmp->b_rptr); 5870 else 5871 mutex_exit(&ipss->ipsec_alg_lock); 5872 5873 return (pfkeymp); 5874 } 5875 5876 /* 5877 * Given an SADB_GETSPI message, find an appropriately ranged SA and 5878 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1. 5879 * If there was a memory allocation error, return NULL. (Assume NULL != 5880 * (ipsa_t *)-1). 5881 * 5882 * master_spi is passed in host order. 5883 */ 5884 ipsa_t * 5885 sadb_getspi(keysock_in_t *ksi, uint32_t master_spi, int *diagnostic, 5886 netstack_t *ns, uint_t sa_type) 5887 { 5888 sadb_address_t *src = 5889 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC], 5890 *dst = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 5891 sadb_spirange_t *range = 5892 (sadb_spirange_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE]; 5893 struct sockaddr_in *ssa, *dsa; 5894 struct sockaddr_in6 *ssa6, *dsa6; 5895 uint32_t *srcaddr, *dstaddr; 5896 sa_family_t af; 5897 uint32_t add, min, max; 5898 uint8_t protocol = 5899 (sa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP; 5900 5901 if (src == NULL) { 5902 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 5903 return ((ipsa_t *)-1); 5904 } 5905 if (dst == NULL) { 5906 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 5907 return ((ipsa_t *)-1); 5908 } 5909 if (range == NULL) { 5910 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_RANGE; 5911 return ((ipsa_t *)-1); 5912 } 5913 5914 min = ntohl(range->sadb_spirange_min); 5915 max = ntohl(range->sadb_spirange_max); 5916 dsa = (struct sockaddr_in *)(dst + 1); 5917 dsa6 = (struct sockaddr_in6 *)dsa; 5918 5919 ssa = (struct sockaddr_in *)(src + 1); 5920 ssa6 = (struct sockaddr_in6 *)ssa; 5921 ASSERT(dsa->sin_family == ssa->sin_family); 5922 5923 srcaddr = ALL_ZEROES_PTR; 5924 af = dsa->sin_family; 5925 switch (af) { 5926 case AF_INET: 5927 if (src != NULL) 5928 srcaddr = (uint32_t *)(&ssa->sin_addr); 5929 dstaddr = (uint32_t *)(&dsa->sin_addr); 5930 break; 5931 case AF_INET6: 5932 if (src != NULL) 5933 srcaddr = (uint32_t *)(&ssa6->sin6_addr); 5934 dstaddr = (uint32_t *)(&dsa6->sin6_addr); 5935 break; 5936 default: 5937 *diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 5938 return ((ipsa_t *)-1); 5939 } 5940 5941 if (master_spi < min || master_spi > max) { 5942 /* Return a random value in the range. */ 5943 if (cl_inet_getspi) { 5944 cl_inet_getspi(ns->netstack_stackid, protocol, 5945 (uint8_t *)&add, sizeof (add), NULL); 5946 } else { 5947 (void) random_get_pseudo_bytes((uint8_t *)&add, 5948 sizeof (add)); 5949 } 5950 master_spi = min + (add % (max - min + 1)); 5951 } 5952 5953 /* 5954 * Since master_spi is passed in host order, we need to htonl() it 5955 * for the purposes of creating a new SA. 5956 */ 5957 return (sadb_makelarvalassoc(htonl(master_spi), srcaddr, dstaddr, af, 5958 ns)); 5959 } 5960 5961 /* 5962 * 5963 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the 5964 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list 5965 * and scan for the sequence number in question. I may wish to accept an 5966 * address pair with it, for easier searching. 5967 * 5968 * Caller frees the message, so we don't have to here. 5969 * 5970 * NOTE: The ip_q parameter may be used in the future for ACQUIRE 5971 * failures. 5972 */ 5973 /* ARGSUSED */ 5974 void 5975 sadb_in_acquire(sadb_msg_t *samsg, sadbp_t *sp, queue_t *ip_q, netstack_t *ns) 5976 { 5977 int i; 5978 ipsacq_t *acqrec; 5979 iacqf_t *bucket; 5980 5981 /* 5982 * I only accept the base header for this! 5983 * Though to be honest, requiring the dst address would help 5984 * immensely. 5985 * 5986 * XXX There are already cases where I can get the dst address. 5987 */ 5988 if (samsg->sadb_msg_len > SADB_8TO64(sizeof (*samsg))) 5989 return; 5990 5991 /* 5992 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it, 5993 * (and in the future send a message to IP with the appropriate error 5994 * number). 5995 * 5996 * Q: Do I want to reject if pid != 0? 5997 */ 5998 5999 for (i = 0; i < sp->s_v4.sdb_hashsize; i++) { 6000 bucket = &sp->s_v4.sdb_acq[i]; 6001 mutex_enter(&bucket->iacqf_lock); 6002 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 6003 acqrec = acqrec->ipsacq_next) { 6004 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 6005 break; /* for acqrec... loop. */ 6006 } 6007 if (acqrec != NULL) 6008 break; /* for i = 0... loop. */ 6009 6010 mutex_exit(&bucket->iacqf_lock); 6011 } 6012 6013 if (acqrec == NULL) { 6014 for (i = 0; i < sp->s_v6.sdb_hashsize; i++) { 6015 bucket = &sp->s_v6.sdb_acq[i]; 6016 mutex_enter(&bucket->iacqf_lock); 6017 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 6018 acqrec = acqrec->ipsacq_next) { 6019 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 6020 break; /* for acqrec... loop. */ 6021 } 6022 if (acqrec != NULL) 6023 break; /* for i = 0... loop. */ 6024 6025 mutex_exit(&bucket->iacqf_lock); 6026 } 6027 } 6028 6029 6030 if (acqrec == NULL) 6031 return; 6032 6033 /* 6034 * What do I do with the errno and IP? I may need mp's services a 6035 * little more. See sadb_destroy_acquire() for future directions 6036 * beyond free the mblk chain on the acquire record. 6037 */ 6038 6039 ASSERT(&bucket->iacqf_lock == acqrec->ipsacq_linklock); 6040 sadb_destroy_acquire(acqrec, ns); 6041 /* Have to exit mutex here, because of breaking out of for loop. */ 6042 mutex_exit(&bucket->iacqf_lock); 6043 } 6044 6045 /* 6046 * The following functions work with the replay windows of an SA. They assume 6047 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector 6048 * represents the highest sequence number packet received, and back 6049 * (ipsa->ipsa_replay_wsize) packets. 6050 */ 6051 6052 /* 6053 * Is the replay bit set? 6054 */ 6055 static boolean_t 6056 ipsa_is_replay_set(ipsa_t *ipsa, uint32_t offset) 6057 { 6058 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 6059 6060 return ((bit & ipsa->ipsa_replay_arr[offset >> 6]) ? B_TRUE : B_FALSE); 6061 } 6062 6063 /* 6064 * Shift the bits of the replay window over. 6065 */ 6066 static void 6067 ipsa_shift_replay(ipsa_t *ipsa, uint32_t shift) 6068 { 6069 int i; 6070 int jump = ((shift - 1) >> 6) + 1; 6071 6072 if (shift == 0) 6073 return; 6074 6075 for (i = (ipsa->ipsa_replay_wsize - 1) >> 6; i >= 0; i--) { 6076 if (i + jump <= (ipsa->ipsa_replay_wsize - 1) >> 6) { 6077 ipsa->ipsa_replay_arr[i + jump] |= 6078 ipsa->ipsa_replay_arr[i] >> (64 - (shift & 63)); 6079 } 6080 ipsa->ipsa_replay_arr[i] <<= shift; 6081 } 6082 } 6083 6084 /* 6085 * Set a bit in the bit vector. 6086 */ 6087 static void 6088 ipsa_set_replay(ipsa_t *ipsa, uint32_t offset) 6089 { 6090 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 6091 6092 ipsa->ipsa_replay_arr[offset >> 6] |= bit; 6093 } 6094 6095 #define SADB_MAX_REPLAY_VALUE 0xffffffff 6096 6097 /* 6098 * Assume caller has NOT done ntohl() already on seq. Check to see 6099 * if replay sequence number "seq" has been seen already. 6100 */ 6101 boolean_t 6102 sadb_replay_check(ipsa_t *ipsa, uint32_t seq) 6103 { 6104 boolean_t rc; 6105 uint32_t diff; 6106 6107 if (ipsa->ipsa_replay_wsize == 0) 6108 return (B_TRUE); 6109 6110 /* 6111 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek(). 6112 */ 6113 6114 /* Convert sequence number into host order before holding the mutex. */ 6115 seq = ntohl(seq); 6116 6117 mutex_enter(&ipsa->ipsa_lock); 6118 6119 /* Initialize inbound SA's ipsa_replay field to last one received. */ 6120 if (ipsa->ipsa_replay == 0) 6121 ipsa->ipsa_replay = 1; 6122 6123 if (seq > ipsa->ipsa_replay) { 6124 /* 6125 * I have received a new "highest value received". Shift 6126 * the replay window over. 6127 */ 6128 diff = seq - ipsa->ipsa_replay; 6129 if (diff < ipsa->ipsa_replay_wsize) { 6130 /* In replay window, shift bits over. */ 6131 ipsa_shift_replay(ipsa, diff); 6132 } else { 6133 /* WAY FAR AHEAD, clear bits and start again. */ 6134 bzero(ipsa->ipsa_replay_arr, 6135 sizeof (ipsa->ipsa_replay_arr)); 6136 } 6137 ipsa_set_replay(ipsa, 0); 6138 ipsa->ipsa_replay = seq; 6139 rc = B_TRUE; 6140 goto done; 6141 } 6142 diff = ipsa->ipsa_replay - seq; 6143 if (diff >= ipsa->ipsa_replay_wsize || ipsa_is_replay_set(ipsa, diff)) { 6144 rc = B_FALSE; 6145 goto done; 6146 } 6147 /* Set this packet as seen. */ 6148 ipsa_set_replay(ipsa, diff); 6149 6150 rc = B_TRUE; 6151 done: 6152 mutex_exit(&ipsa->ipsa_lock); 6153 return (rc); 6154 } 6155 6156 /* 6157 * "Peek" and see if we should even bother going through the effort of 6158 * running an authentication check on the sequence number passed in. 6159 * this takes into account packets that are below the replay window, 6160 * and collisions with already replayed packets. Return B_TRUE if it 6161 * is okay to proceed, B_FALSE if this packet should be dropped immediately. 6162 * Assume same byte-ordering as sadb_replay_check. 6163 */ 6164 boolean_t 6165 sadb_replay_peek(ipsa_t *ipsa, uint32_t seq) 6166 { 6167 boolean_t rc = B_FALSE; 6168 uint32_t diff; 6169 6170 if (ipsa->ipsa_replay_wsize == 0) 6171 return (B_TRUE); 6172 6173 /* 6174 * 0 is 0, regardless of byte order... :) 6175 * 6176 * If I get 0 on the wire (and there is a replay window) then the 6177 * sender most likely wrapped. This ipsa may need to be marked or 6178 * something. 6179 */ 6180 if (seq == 0) 6181 return (B_FALSE); 6182 6183 seq = ntohl(seq); 6184 mutex_enter(&ipsa->ipsa_lock); 6185 if (seq < ipsa->ipsa_replay - ipsa->ipsa_replay_wsize && 6186 ipsa->ipsa_replay >= ipsa->ipsa_replay_wsize) 6187 goto done; 6188 6189 /* 6190 * If I've hit 0xffffffff, then quite honestly, I don't need to 6191 * bother with formalities. I'm not accepting any more packets 6192 * on this SA. 6193 */ 6194 if (ipsa->ipsa_replay == SADB_MAX_REPLAY_VALUE) { 6195 /* 6196 * Since we're already holding the lock, update the 6197 * expire time ala. sadb_replay_delete() and return. 6198 */ 6199 ipsa->ipsa_hardexpiretime = (time_t)1; 6200 goto done; 6201 } 6202 6203 if (seq <= ipsa->ipsa_replay) { 6204 /* 6205 * This seq is in the replay window. I'm not below it, 6206 * because I already checked for that above! 6207 */ 6208 diff = ipsa->ipsa_replay - seq; 6209 if (ipsa_is_replay_set(ipsa, diff)) 6210 goto done; 6211 } 6212 /* Else return B_TRUE, I'm going to advance the window. */ 6213 6214 rc = B_TRUE; 6215 done: 6216 mutex_exit(&ipsa->ipsa_lock); 6217 return (rc); 6218 } 6219 6220 /* 6221 * Delete a single SA. 6222 * 6223 * For now, use the quick-and-dirty trick of making the association's 6224 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager(). 6225 */ 6226 void 6227 sadb_replay_delete(ipsa_t *assoc) 6228 { 6229 mutex_enter(&assoc->ipsa_lock); 6230 assoc->ipsa_hardexpiretime = (time_t)1; 6231 mutex_exit(&assoc->ipsa_lock); 6232 } 6233 6234 /* 6235 * Given a queue that presumably points to IP, send a T_BIND_REQ for _proto_ 6236 * down. The caller will handle the T_BIND_ACK locally. 6237 */ 6238 boolean_t 6239 sadb_t_bind_req(queue_t *q, int proto) 6240 { 6241 struct T_bind_req *tbr; 6242 mblk_t *mp; 6243 6244 mp = allocb_cred(sizeof (struct T_bind_req) + 1, kcred, NOPID); 6245 if (mp == NULL) { 6246 /* cmn_err(CE_WARN, */ 6247 /* "sadb_t_bind_req(%d): couldn't allocate mblk\n", proto); */ 6248 return (B_FALSE); 6249 } 6250 mp->b_datap->db_type = M_PCPROTO; 6251 tbr = (struct T_bind_req *)mp->b_rptr; 6252 mp->b_wptr += sizeof (struct T_bind_req); 6253 tbr->PRIM_type = T_BIND_REQ; 6254 tbr->ADDR_length = 0; 6255 tbr->ADDR_offset = 0; 6256 tbr->CONIND_number = 0; 6257 *mp->b_wptr = (uint8_t)proto; 6258 mp->b_wptr++; 6259 6260 putnext(q, mp); 6261 return (B_TRUE); 6262 } 6263 6264 /* 6265 * Special front-end to ipsec_rl_strlog() dealing with SA failure. 6266 * this is designed to take only a format string with "* %x * %s *", so 6267 * that "spi" is printed first, then "addr" is converted using inet_pton(). 6268 * 6269 * This is abstracted out to save the stack space for only when inet_pton() 6270 * is called. Make sure "spi" is in network order; it usually is when this 6271 * would get called. 6272 */ 6273 void 6274 ipsec_assocfailure(short mid, short sid, char level, ushort_t sl, char *fmt, 6275 uint32_t spi, void *addr, int af, netstack_t *ns) 6276 { 6277 char buf[INET6_ADDRSTRLEN]; 6278 6279 ASSERT(af == AF_INET6 || af == AF_INET); 6280 6281 ipsec_rl_strlog(ns, mid, sid, level, sl, fmt, ntohl(spi), 6282 inet_ntop(af, addr, buf, sizeof (buf))); 6283 } 6284 6285 /* 6286 * Fills in a reference to the policy, if any, from the conn, in *ppp 6287 * Releases a reference to the passed conn_t. 6288 */ 6289 static void 6290 ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp) 6291 { 6292 ipsec_policy_t *pp; 6293 ipsec_latch_t *ipl = connp->conn_latch; 6294 6295 if ((ipl != NULL) && (ipl->ipl_out_policy != NULL)) { 6296 pp = ipl->ipl_out_policy; 6297 IPPOL_REFHOLD(pp); 6298 } else { 6299 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel, 6300 connp->conn_netstack); 6301 } 6302 *ppp = pp; 6303 CONN_DEC_REF(connp); 6304 } 6305 6306 /* 6307 * The following functions scan through active conn_t structures 6308 * and return a reference to the best-matching policy it can find. 6309 * Caller must release the reference. 6310 */ 6311 static void 6312 ipsec_udp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) 6313 { 6314 connf_t *connfp; 6315 conn_t *connp = NULL; 6316 ipsec_selector_t portonly; 6317 6318 bzero((void *)&portonly, sizeof (portonly)); 6319 6320 if (sel->ips_local_port == 0) 6321 return; 6322 6323 connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(sel->ips_local_port, 6324 ipst)]; 6325 mutex_enter(&connfp->connf_lock); 6326 6327 if (sel->ips_isv4) { 6328 connp = connfp->connf_head; 6329 while (connp != NULL) { 6330 if (IPCL_UDP_MATCH(connp, sel->ips_local_port, 6331 sel->ips_local_addr_v4, sel->ips_remote_port, 6332 sel->ips_remote_addr_v4)) 6333 break; 6334 connp = connp->conn_next; 6335 } 6336 6337 if (connp == NULL) { 6338 /* Try port-only match in IPv6. */ 6339 portonly.ips_local_port = sel->ips_local_port; 6340 sel = &portonly; 6341 } 6342 } 6343 6344 if (connp == NULL) { 6345 connp = connfp->connf_head; 6346 while (connp != NULL) { 6347 if (IPCL_UDP_MATCH_V6(connp, sel->ips_local_port, 6348 sel->ips_local_addr_v6, sel->ips_remote_port, 6349 sel->ips_remote_addr_v6)) 6350 break; 6351 connp = connp->conn_next; 6352 } 6353 6354 if (connp == NULL) { 6355 mutex_exit(&connfp->connf_lock); 6356 return; 6357 } 6358 } 6359 6360 CONN_INC_REF(connp); 6361 mutex_exit(&connfp->connf_lock); 6362 6363 ipsec_conn_pol(sel, connp, ppp); 6364 } 6365 6366 static conn_t * 6367 ipsec_find_listen_conn(uint16_t *pptr, ipsec_selector_t *sel, ip_stack_t *ipst) 6368 { 6369 connf_t *connfp; 6370 conn_t *connp = NULL; 6371 const in6_addr_t *v6addrmatch = &sel->ips_local_addr_v6; 6372 6373 if (sel->ips_local_port == 0) 6374 return (NULL); 6375 6376 connfp = &ipst->ips_ipcl_bind_fanout[ 6377 IPCL_BIND_HASH(sel->ips_local_port, ipst)]; 6378 mutex_enter(&connfp->connf_lock); 6379 6380 if (sel->ips_isv4) { 6381 connp = connfp->connf_head; 6382 while (connp != NULL) { 6383 if (IPCL_BIND_MATCH(connp, IPPROTO_TCP, 6384 sel->ips_local_addr_v4, pptr[1])) 6385 break; 6386 connp = connp->conn_next; 6387 } 6388 6389 if (connp == NULL) { 6390 /* Match to all-zeroes. */ 6391 v6addrmatch = &ipv6_all_zeros; 6392 } 6393 } 6394 6395 if (connp == NULL) { 6396 connp = connfp->connf_head; 6397 while (connp != NULL) { 6398 if (IPCL_BIND_MATCH_V6(connp, IPPROTO_TCP, 6399 *v6addrmatch, pptr[1])) 6400 break; 6401 connp = connp->conn_next; 6402 } 6403 6404 if (connp == NULL) { 6405 mutex_exit(&connfp->connf_lock); 6406 return (NULL); 6407 } 6408 } 6409 6410 CONN_INC_REF(connp); 6411 mutex_exit(&connfp->connf_lock); 6412 return (connp); 6413 } 6414 6415 static void 6416 ipsec_tcp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) 6417 { 6418 connf_t *connfp; 6419 conn_t *connp; 6420 uint32_t ports; 6421 uint16_t *pptr = (uint16_t *)&ports; 6422 6423 /* 6424 * Find TCP state in the following order: 6425 * 1.) Connected conns. 6426 * 2.) Listeners. 6427 * 6428 * Even though #2 will be the common case for inbound traffic, only 6429 * following this order insures correctness. 6430 */ 6431 6432 if (sel->ips_local_port == 0) 6433 return; 6434 6435 /* 6436 * 0 should be fport, 1 should be lport. SRC is the local one here. 6437 * See ipsec_construct_inverse_acquire() for details. 6438 */ 6439 pptr[0] = sel->ips_remote_port; 6440 pptr[1] = sel->ips_local_port; 6441 6442 connfp = &ipst->ips_ipcl_conn_fanout[ 6443 IPCL_CONN_HASH(sel->ips_remote_addr_v4, ports, ipst)]; 6444 mutex_enter(&connfp->connf_lock); 6445 connp = connfp->connf_head; 6446 6447 if (sel->ips_isv4) { 6448 while (connp != NULL) { 6449 if (IPCL_CONN_MATCH(connp, IPPROTO_TCP, 6450 sel->ips_remote_addr_v4, sel->ips_local_addr_v4, 6451 ports)) 6452 break; 6453 connp = connp->conn_next; 6454 } 6455 } else { 6456 while (connp != NULL) { 6457 if (IPCL_CONN_MATCH_V6(connp, IPPROTO_TCP, 6458 sel->ips_remote_addr_v6, sel->ips_local_addr_v6, 6459 ports)) 6460 break; 6461 connp = connp->conn_next; 6462 } 6463 } 6464 6465 if (connp != NULL) { 6466 CONN_INC_REF(connp); 6467 mutex_exit(&connfp->connf_lock); 6468 } else { 6469 mutex_exit(&connfp->connf_lock); 6470 6471 /* Try the listen hash. */ 6472 if ((connp = ipsec_find_listen_conn(pptr, sel, ipst)) == NULL) 6473 return; 6474 } 6475 6476 ipsec_conn_pol(sel, connp, ppp); 6477 } 6478 6479 static void 6480 ipsec_sctp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6481 ip_stack_t *ipst) 6482 { 6483 conn_t *connp; 6484 uint32_t ports; 6485 uint16_t *pptr = (uint16_t *)&ports; 6486 6487 /* 6488 * Find SCP state in the following order: 6489 * 1.) Connected conns. 6490 * 2.) Listeners. 6491 * 6492 * Even though #2 will be the common case for inbound traffic, only 6493 * following this order insures correctness. 6494 */ 6495 6496 if (sel->ips_local_port == 0) 6497 return; 6498 6499 /* 6500 * 0 should be fport, 1 should be lport. SRC is the local one here. 6501 * See ipsec_construct_inverse_acquire() for details. 6502 */ 6503 pptr[0] = sel->ips_remote_port; 6504 pptr[1] = sel->ips_local_port; 6505 6506 if (sel->ips_isv4) { 6507 in6_addr_t src, dst; 6508 6509 IN6_IPADDR_TO_V4MAPPED(sel->ips_remote_addr_v4, &dst); 6510 IN6_IPADDR_TO_V4MAPPED(sel->ips_local_addr_v4, &src); 6511 connp = sctp_find_conn(&dst, &src, ports, ALL_ZONES, 6512 ipst->ips_netstack->netstack_sctp); 6513 } else { 6514 connp = sctp_find_conn(&sel->ips_remote_addr_v6, 6515 &sel->ips_local_addr_v6, ports, ALL_ZONES, 6516 ipst->ips_netstack->netstack_sctp); 6517 } 6518 if (connp == NULL) 6519 return; 6520 ipsec_conn_pol(sel, connp, ppp); 6521 } 6522 6523 /* 6524 * Fill in a query for the SPD (in "sel") using two PF_KEY address extensions. 6525 * Returns 0 or errno, and always sets *diagnostic to something appropriate 6526 * to PF_KEY. 6527 * 6528 * NOTE: For right now, this function (and ipsec_selector_t for that matter), 6529 * ignore prefix lengths in the address extension. Since we match on first- 6530 * entered policies, this shouldn't matter. Also, since we normalize prefix- 6531 * set addresses to mask out the lower bits, we should get a suitable search 6532 * key for the SPD anyway. This is the function to change if the assumption 6533 * about suitable search keys is wrong. 6534 */ 6535 static int 6536 ipsec_get_inverse_acquire_sel(ipsec_selector_t *sel, sadb_address_t *srcext, 6537 sadb_address_t *dstext, int *diagnostic) 6538 { 6539 struct sockaddr_in *src, *dst; 6540 struct sockaddr_in6 *src6, *dst6; 6541 6542 *diagnostic = 0; 6543 6544 bzero(sel, sizeof (*sel)); 6545 sel->ips_protocol = srcext->sadb_address_proto; 6546 dst = (struct sockaddr_in *)(dstext + 1); 6547 if (dst->sin_family == AF_INET6) { 6548 dst6 = (struct sockaddr_in6 *)dst; 6549 src6 = (struct sockaddr_in6 *)(srcext + 1); 6550 if (src6->sin6_family != AF_INET6) { 6551 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6552 return (EINVAL); 6553 } 6554 sel->ips_remote_addr_v6 = dst6->sin6_addr; 6555 sel->ips_local_addr_v6 = src6->sin6_addr; 6556 if (sel->ips_protocol == IPPROTO_ICMPV6) { 6557 sel->ips_is_icmp_inv_acq = 1; 6558 } else { 6559 sel->ips_remote_port = dst6->sin6_port; 6560 sel->ips_local_port = src6->sin6_port; 6561 } 6562 sel->ips_isv4 = B_FALSE; 6563 } else { 6564 src = (struct sockaddr_in *)(srcext + 1); 6565 if (src->sin_family != AF_INET) { 6566 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6567 return (EINVAL); 6568 } 6569 sel->ips_remote_addr_v4 = dst->sin_addr.s_addr; 6570 sel->ips_local_addr_v4 = src->sin_addr.s_addr; 6571 if (sel->ips_protocol == IPPROTO_ICMP) { 6572 sel->ips_is_icmp_inv_acq = 1; 6573 } else { 6574 sel->ips_remote_port = dst->sin_port; 6575 sel->ips_local_port = src->sin_port; 6576 } 6577 sel->ips_isv4 = B_TRUE; 6578 } 6579 return (0); 6580 } 6581 6582 /* 6583 * We have encapsulation. 6584 * - Lookup tun_t by address and look for an associated 6585 * tunnel policy 6586 * - If there are inner selectors 6587 * - check ITPF_P_TUNNEL and ITPF_P_ACTIVE 6588 * - Look up tunnel policy based on selectors 6589 * - Else 6590 * - Sanity check the negotation 6591 * - If appropriate, fall through to global policy 6592 */ 6593 static int 6594 ipsec_tun_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6595 sadb_address_t *innsrcext, sadb_address_t *inndstext, ipsec_tun_pol_t *itp, 6596 int *diagnostic, netstack_t *ns) 6597 { 6598 int err; 6599 ipsec_policy_head_t *polhead; 6600 6601 /* Check for inner selectors and act appropriately */ 6602 6603 if (innsrcext != NULL) { 6604 /* Inner selectors present */ 6605 ASSERT(inndstext != NULL); 6606 if ((itp == NULL) || 6607 (itp->itp_flags & (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) != 6608 (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) { 6609 /* 6610 * If inner packet selectors, we must have negotiate 6611 * tunnel and active policy. If the tunnel has 6612 * transport-mode policy set on it, or has no policy, 6613 * fail. 6614 */ 6615 return (ENOENT); 6616 } else { 6617 /* 6618 * Reset "sel" to indicate inner selectors. Pass 6619 * inner PF_KEY address extensions for this to happen. 6620 */ 6621 err = ipsec_get_inverse_acquire_sel(sel, 6622 innsrcext, inndstext, diagnostic); 6623 if (err != 0) { 6624 ITP_REFRELE(itp, ns); 6625 return (err); 6626 } 6627 /* 6628 * Now look for a tunnel policy based on those inner 6629 * selectors. (Common code is below.) 6630 */ 6631 } 6632 } else { 6633 /* No inner selectors present */ 6634 if ((itp == NULL) || !(itp->itp_flags & ITPF_P_ACTIVE)) { 6635 /* 6636 * Transport mode negotiation with no tunnel policy 6637 * configured - return to indicate a global policy 6638 * check is needed. 6639 */ 6640 if (itp != NULL) { 6641 ITP_REFRELE(itp, ns); 6642 } 6643 return (0); 6644 } else if (itp->itp_flags & ITPF_P_TUNNEL) { 6645 /* Tunnel mode set with no inner selectors. */ 6646 ITP_REFRELE(itp, ns); 6647 return (ENOENT); 6648 } 6649 /* 6650 * Else, this is a tunnel policy configured with ifconfig(1m) 6651 * or "negotiate transport" with ipsecconf(1m). We have an 6652 * itp with policy set based on any match, so don't bother 6653 * changing fields in "sel". 6654 */ 6655 } 6656 6657 ASSERT(itp != NULL); 6658 polhead = itp->itp_policy; 6659 ASSERT(polhead != NULL); 6660 rw_enter(&polhead->iph_lock, RW_READER); 6661 *ppp = ipsec_find_policy_head(NULL, polhead, 6662 IPSEC_TYPE_INBOUND, sel, ns); 6663 rw_exit(&polhead->iph_lock); 6664 ITP_REFRELE(itp, ns); 6665 6666 /* 6667 * Don't default to global if we didn't find a matching policy entry. 6668 * Instead, send ENOENT, just like if we hit a transport-mode tunnel. 6669 */ 6670 if (*ppp == NULL) 6671 return (ENOENT); 6672 6673 return (0); 6674 } 6675 6676 static void 6677 ipsec_oth_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6678 ip_stack_t *ipst) 6679 { 6680 boolean_t isv4 = sel->ips_isv4; 6681 connf_t *connfp; 6682 conn_t *connp; 6683 6684 if (isv4) { 6685 connfp = &ipst->ips_ipcl_proto_fanout[sel->ips_protocol]; 6686 } else { 6687 connfp = &ipst->ips_ipcl_proto_fanout_v6[sel->ips_protocol]; 6688 } 6689 6690 mutex_enter(&connfp->connf_lock); 6691 for (connp = connfp->connf_head; connp != NULL; 6692 connp = connp->conn_next) { 6693 if (!((isv4 && !((connp->conn_src == 0 || 6694 connp->conn_src == sel->ips_local_addr_v4) && 6695 (connp->conn_rem == 0 || 6696 connp->conn_rem == sel->ips_remote_addr_v4))) || 6697 (!isv4 && !((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_srcv6) || 6698 IN6_ARE_ADDR_EQUAL(&connp->conn_srcv6, 6699 &sel->ips_local_addr_v6)) && 6700 (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_remv6) || 6701 IN6_ARE_ADDR_EQUAL(&connp->conn_remv6, 6702 &sel->ips_remote_addr_v6)))))) { 6703 break; 6704 } 6705 } 6706 if (connp == NULL) { 6707 mutex_exit(&connfp->connf_lock); 6708 return; 6709 } 6710 6711 CONN_INC_REF(connp); 6712 mutex_exit(&connfp->connf_lock); 6713 6714 ipsec_conn_pol(sel, connp, ppp); 6715 } 6716 6717 /* 6718 * Construct an inverse ACQUIRE reply based on: 6719 * 6720 * 1.) Current global policy. 6721 * 2.) An conn_t match depending on what all was passed in the extv[]. 6722 * 3.) A tunnel's policy head. 6723 * ... 6724 * N.) Other stuff TBD (e.g. identities) 6725 * 6726 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic 6727 * in this function so the caller can extract them where appropriately. 6728 * 6729 * The SRC address is the local one - just like an outbound ACQUIRE message. 6730 */ 6731 mblk_t * 6732 ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[], 6733 netstack_t *ns) 6734 { 6735 int err; 6736 int diagnostic; 6737 sadb_address_t *srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC], 6738 *dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST], 6739 *innsrcext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC], 6740 *inndstext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]; 6741 struct sockaddr_in6 *src, *dst; 6742 struct sockaddr_in6 *isrc, *idst; 6743 ipsec_tun_pol_t *itp = NULL; 6744 ipsec_policy_t *pp = NULL; 6745 ipsec_selector_t sel, isel; 6746 mblk_t *retmp; 6747 ip_stack_t *ipst = ns->netstack_ip; 6748 ipsec_stack_t *ipss = ns->netstack_ipsec; 6749 6750 /* Normalize addresses */ 6751 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)srcext, 0, ns) 6752 == KS_IN_ADDR_UNKNOWN) { 6753 err = EINVAL; 6754 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC; 6755 goto bail; 6756 } 6757 src = (struct sockaddr_in6 *)(srcext + 1); 6758 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)dstext, 0, ns) 6759 == KS_IN_ADDR_UNKNOWN) { 6760 err = EINVAL; 6761 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST; 6762 goto bail; 6763 } 6764 dst = (struct sockaddr_in6 *)(dstext + 1); 6765 if (src->sin6_family != dst->sin6_family) { 6766 err = EINVAL; 6767 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6768 goto bail; 6769 } 6770 6771 /* Check for tunnel mode and act appropriately */ 6772 if (innsrcext != NULL) { 6773 if (inndstext == NULL) { 6774 err = EINVAL; 6775 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_DST; 6776 goto bail; 6777 } 6778 if (sadb_addrcheck(NULL, (mblk_t *)samsg, 6779 (sadb_ext_t *)innsrcext, 0, ns) == KS_IN_ADDR_UNKNOWN) { 6780 err = EINVAL; 6781 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC; 6782 goto bail; 6783 } 6784 isrc = (struct sockaddr_in6 *)(innsrcext + 1); 6785 if (sadb_addrcheck(NULL, (mblk_t *)samsg, 6786 (sadb_ext_t *)inndstext, 0, ns) == KS_IN_ADDR_UNKNOWN) { 6787 err = EINVAL; 6788 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST; 6789 goto bail; 6790 } 6791 idst = (struct sockaddr_in6 *)(inndstext + 1); 6792 if (isrc->sin6_family != idst->sin6_family) { 6793 err = EINVAL; 6794 diagnostic = SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 6795 goto bail; 6796 } 6797 if (isrc->sin6_family != AF_INET && 6798 isrc->sin6_family != AF_INET6) { 6799 err = EINVAL; 6800 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF; 6801 goto bail; 6802 } 6803 } else if (inndstext != NULL) { 6804 err = EINVAL; 6805 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC; 6806 goto bail; 6807 } 6808 6809 /* Get selectors first, based on outer addresses */ 6810 err = ipsec_get_inverse_acquire_sel(&sel, srcext, dstext, &diagnostic); 6811 if (err != 0) 6812 goto bail; 6813 6814 /* Check for tunnel mode mismatches. */ 6815 if (innsrcext != NULL && 6816 ((isrc->sin6_family == AF_INET && 6817 sel.ips_protocol != IPPROTO_ENCAP && sel.ips_protocol != 0) || 6818 (isrc->sin6_family == AF_INET6 && 6819 sel.ips_protocol != IPPROTO_IPV6 && sel.ips_protocol != 0))) { 6820 err = EPROTOTYPE; 6821 goto bail; 6822 } 6823 6824 /* 6825 * Okay, we have the addresses and other selector information. 6826 * Let's first find a conn... 6827 */ 6828 pp = NULL; 6829 switch (sel.ips_protocol) { 6830 case IPPROTO_TCP: 6831 ipsec_tcp_pol(&sel, &pp, ipst); 6832 break; 6833 case IPPROTO_UDP: 6834 ipsec_udp_pol(&sel, &pp, ipst); 6835 break; 6836 case IPPROTO_SCTP: 6837 ipsec_sctp_pol(&sel, &pp, ipst); 6838 break; 6839 case IPPROTO_ENCAP: 6840 case IPPROTO_IPV6: 6841 rw_enter(&ipss->ipsec_itp_get_byaddr_rw_lock, RW_READER); 6842 /* 6843 * Assume sel.ips_remote_addr_* has the right address at 6844 * that exact position. 6845 */ 6846 itp = ipss->ipsec_itp_get_byaddr( 6847 (uint32_t *)(&sel.ips_local_addr_v6), 6848 (uint32_t *)(&sel.ips_remote_addr_v6), 6849 src->sin6_family, ns); 6850 rw_exit(&ipss->ipsec_itp_get_byaddr_rw_lock); 6851 if (innsrcext == NULL) { 6852 /* 6853 * Transport-mode tunnel, make sure we fake out isel 6854 * to contain something based on the outer protocol. 6855 */ 6856 bzero(&isel, sizeof (isel)); 6857 isel.ips_isv4 = (sel.ips_protocol == IPPROTO_ENCAP); 6858 } /* Else isel is initialized by ipsec_tun_pol(). */ 6859 err = ipsec_tun_pol(&isel, &pp, innsrcext, inndstext, itp, 6860 &diagnostic, ns); 6861 /* 6862 * NOTE: isel isn't used for now, but in RFC 430x IPsec, it 6863 * may be. 6864 */ 6865 if (err != 0) 6866 goto bail; 6867 break; 6868 default: 6869 ipsec_oth_pol(&sel, &pp, ipst); 6870 break; 6871 } 6872 6873 /* 6874 * If we didn't find a matching conn_t or other policy head, take a 6875 * look in the global policy. 6876 */ 6877 if (pp == NULL) { 6878 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, NULL, &sel, 6879 ns); 6880 if (pp == NULL) { 6881 /* There's no global policy. */ 6882 err = ENOENT; 6883 diagnostic = 0; 6884 goto bail; 6885 } 6886 } 6887 6888 /* 6889 * Now that we have a policy entry/widget, construct an ACQUIRE 6890 * message based on that, fix fields where appropriate, 6891 * and return the message. 6892 */ 6893 retmp = sadb_extended_acquire(&sel, pp, NULL, 6894 (itp != NULL && (itp->itp_flags & ITPF_P_TUNNEL)), 6895 samsg->sadb_msg_seq, samsg->sadb_msg_pid, ns); 6896 if (pp != NULL) { 6897 IPPOL_REFRELE(pp, ns); 6898 } 6899 if (retmp != NULL) { 6900 return (retmp); 6901 } else { 6902 err = ENOMEM; 6903 diagnostic = 0; 6904 } 6905 bail: 6906 samsg->sadb_msg_errno = (uint8_t)err; 6907 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 6908 return (NULL); 6909 } 6910 6911 /* 6912 * ipsa_lpkt is a one-element queue, only manipulated by the next two 6913 * functions. They have to hold the ipsa_lock because of potential races 6914 * between key management using SADB_UPDATE, and inbound packets that may 6915 * queue up on the larval SA (hence the 'l' in "lpkt"). 6916 */ 6917 6918 /* 6919 * sadb_set_lpkt: Return TRUE if we can swap in a value to ipsa->ipsa_lpkt and 6920 * freemsg the previous value. Return FALSE if we lost the race and the SA is 6921 * in a non-LARVAL state. free clue: ip_drop_packet(NULL) is safe. 6922 */ 6923 boolean_t 6924 sadb_set_lpkt(ipsa_t *ipsa, mblk_t *npkt, netstack_t *ns) 6925 { 6926 mblk_t *opkt; 6927 ipsec_stack_t *ipss = ns->netstack_ipsec; 6928 boolean_t is_larval; 6929 6930 /* 6931 * Check the packet's netstack id in case we go asynch with a 6932 * taskq_dispatch. 6933 */ 6934 ASSERT(((ipsec_in_t *)npkt->b_rptr)->ipsec_in_type == IPSEC_IN); 6935 ASSERT(((ipsec_in_t *)npkt->b_rptr)->ipsec_in_stackid == 6936 ns->netstack_stackid); 6937 6938 mutex_enter(&ipsa->ipsa_lock); 6939 is_larval = (ipsa->ipsa_state == IPSA_STATE_LARVAL); 6940 if (is_larval) { 6941 opkt = ipsa->ipsa_lpkt; 6942 ipsa->ipsa_lpkt = npkt; 6943 } else { 6944 /* We lost the race. */ 6945 opkt = NULL; 6946 ASSERT(ipsa->ipsa_lpkt == NULL); 6947 } 6948 mutex_exit(&ipsa->ipsa_lock); 6949 6950 ip_drop_packet(opkt, B_TRUE, NULL, NULL, 6951 DROPPER(ipss, ipds_sadb_inlarval_replace), 6952 &ipss->ipsec_sadb_dropper); 6953 return (is_larval); 6954 } 6955 6956 /* 6957 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the 6958 * previous value. 6959 */ 6960 mblk_t * 6961 sadb_clear_lpkt(ipsa_t *ipsa) 6962 { 6963 mblk_t *opkt; 6964 6965 mutex_enter(&ipsa->ipsa_lock); 6966 opkt = ipsa->ipsa_lpkt; 6967 ipsa->ipsa_lpkt = NULL; 6968 mutex_exit(&ipsa->ipsa_lock); 6969 6970 return (opkt); 6971 } 6972 6973 /* 6974 * Buffer a packet that's in IDLE state as set by Solaris Clustering. 6975 */ 6976 void 6977 sadb_buf_pkt(ipsa_t *ipsa, mblk_t *bpkt, netstack_t *ns) 6978 { 6979 ipsec_stack_t *ipss = ns->netstack_ipsec; 6980 extern void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, 6981 sa_family_t, in6_addr_t, in6_addr_t, void *); 6982 in6_addr_t *srcaddr = (in6_addr_t *)(&ipsa->ipsa_srcaddr); 6983 in6_addr_t *dstaddr = (in6_addr_t *)(&ipsa->ipsa_dstaddr); 6984 6985 ASSERT(ipsa->ipsa_state == IPSA_STATE_IDLE); 6986 6987 if (cl_inet_idlesa == NULL) { 6988 ip_drop_packet(bpkt, B_TRUE, NULL, NULL, 6989 DROPPER(ipss, ipds_sadb_inidle_overflow), 6990 &ipss->ipsec_sadb_dropper); 6991 return; 6992 } 6993 6994 cl_inet_idlesa(ns->netstack_stackid, 6995 (ipsa->ipsa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP, 6996 ipsa->ipsa_spi, ipsa->ipsa_addrfam, *srcaddr, *dstaddr, NULL); 6997 6998 /* 6999 * Check the packet's netstack id in case we go asynch with a 7000 * taskq_dispatch. 7001 */ 7002 ASSERT(((ipsec_in_t *)bpkt->b_rptr)->ipsec_in_type == IPSEC_IN); 7003 ASSERT(((ipsec_in_t *)bpkt->b_rptr)->ipsec_in_stackid == 7004 ns->netstack_stackid); 7005 7006 mutex_enter(&ipsa->ipsa_lock); 7007 ipsa->ipsa_mblkcnt++; 7008 if (ipsa->ipsa_bpkt_head == NULL) { 7009 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_tail = bpkt; 7010 } else { 7011 ipsa->ipsa_bpkt_tail->b_next = bpkt; 7012 ipsa->ipsa_bpkt_tail = bpkt; 7013 if (ipsa->ipsa_mblkcnt > SADB_MAX_IDLEPKTS) { 7014 mblk_t *tmp; 7015 tmp = ipsa->ipsa_bpkt_head; 7016 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_head->b_next; 7017 ip_drop_packet(tmp, B_TRUE, NULL, NULL, 7018 DROPPER(ipss, ipds_sadb_inidle_overflow), 7019 &ipss->ipsec_sadb_dropper); 7020 ipsa->ipsa_mblkcnt --; 7021 } 7022 } 7023 mutex_exit(&ipsa->ipsa_lock); 7024 7025 } 7026 7027 /* 7028 * Stub function that taskq_dispatch() invokes to take the mblk (in arg) 7029 * and put into STREAMS again. 7030 */ 7031 void 7032 sadb_clear_buf_pkt(void *ipkt) 7033 { 7034 mblk_t *tmp, *buf_pkt; 7035 netstack_t *ns; 7036 ipsec_in_t *ii; 7037 7038 buf_pkt = (mblk_t *)ipkt; 7039 7040 ii = (ipsec_in_t *)buf_pkt->b_rptr; 7041 ASSERT(ii->ipsec_in_type == IPSEC_IN); 7042 ns = netstack_find_by_stackid(ii->ipsec_in_stackid); 7043 if (ns != NULL && ns != ii->ipsec_in_ns) { 7044 netstack_rele(ns); 7045 ns = NULL; /* For while-loop below. */ 7046 } 7047 7048 while (buf_pkt != NULL) { 7049 tmp = buf_pkt->b_next; 7050 buf_pkt->b_next = NULL; 7051 if (ns != NULL) 7052 ip_fanout_proto_again(buf_pkt, NULL, NULL, NULL); 7053 else 7054 freemsg(buf_pkt); 7055 buf_pkt = tmp; 7056 } 7057 if (ns != NULL) 7058 netstack_rele(ns); 7059 } 7060 /* 7061 * Walker callback used by sadb_alg_update() to free/create crypto 7062 * context template when a crypto software provider is removed or 7063 * added. 7064 */ 7065 7066 struct sadb_update_alg_state { 7067 ipsec_algtype_t alg_type; 7068 uint8_t alg_id; 7069 boolean_t is_added; 7070 }; 7071 7072 static void 7073 sadb_alg_update_cb(isaf_t *head, ipsa_t *entry, void *cookie) 7074 { 7075 struct sadb_update_alg_state *update_state = 7076 (struct sadb_update_alg_state *)cookie; 7077 crypto_ctx_template_t *ctx_tmpl = NULL; 7078 7079 ASSERT(MUTEX_HELD(&head->isaf_lock)); 7080 7081 if (entry->ipsa_state == IPSA_STATE_LARVAL) 7082 return; 7083 7084 mutex_enter(&entry->ipsa_lock); 7085 7086 switch (update_state->alg_type) { 7087 case IPSEC_ALG_AUTH: 7088 if (entry->ipsa_auth_alg == update_state->alg_id) 7089 ctx_tmpl = &entry->ipsa_authtmpl; 7090 break; 7091 case IPSEC_ALG_ENCR: 7092 if (entry->ipsa_encr_alg == update_state->alg_id) 7093 ctx_tmpl = &entry->ipsa_encrtmpl; 7094 break; 7095 default: 7096 ctx_tmpl = NULL; 7097 } 7098 7099 if (ctx_tmpl == NULL) { 7100 mutex_exit(&entry->ipsa_lock); 7101 return; 7102 } 7103 7104 /* 7105 * The context template of the SA may be affected by the change 7106 * of crypto provider. 7107 */ 7108 if (update_state->is_added) { 7109 /* create the context template if not already done */ 7110 if (*ctx_tmpl == NULL) { 7111 (void) ipsec_create_ctx_tmpl(entry, 7112 update_state->alg_type); 7113 } 7114 } else { 7115 /* 7116 * The crypto provider was removed. If the context template 7117 * exists but it is no longer valid, free it. 7118 */ 7119 if (*ctx_tmpl != NULL) 7120 ipsec_destroy_ctx_tmpl(entry, update_state->alg_type); 7121 } 7122 7123 mutex_exit(&entry->ipsa_lock); 7124 } 7125 7126 /* 7127 * Invoked by IP when an software crypto provider has been updated. 7128 * The type and id of the corresponding algorithm is passed as argument. 7129 * is_added is B_TRUE if the provider was added, B_FALSE if it was 7130 * removed. The function updates the SADB and free/creates the 7131 * context templates associated with SAs if needed. 7132 */ 7133 7134 #define SADB_ALG_UPDATE_WALK(sadb, table) \ 7135 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \ 7136 &update_state) 7137 7138 void 7139 sadb_alg_update(ipsec_algtype_t alg_type, uint8_t alg_id, boolean_t is_added, 7140 netstack_t *ns) 7141 { 7142 struct sadb_update_alg_state update_state; 7143 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 7144 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 7145 7146 update_state.alg_type = alg_type; 7147 update_state.alg_id = alg_id; 7148 update_state.is_added = is_added; 7149 7150 if (alg_type == IPSEC_ALG_AUTH) { 7151 /* walk the AH tables only for auth. algorithm changes */ 7152 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_of); 7153 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_if); 7154 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_of); 7155 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_if); 7156 } 7157 7158 /* walk the ESP tables */ 7159 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_of); 7160 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_if); 7161 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_of); 7162 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_if); 7163 } 7164 7165 /* 7166 * Creates a context template for the specified SA. This function 7167 * is called when an SA is created and when a context template needs 7168 * to be created due to a change of software provider. 7169 */ 7170 int 7171 ipsec_create_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 7172 { 7173 ipsec_alginfo_t *alg; 7174 crypto_mechanism_t mech; 7175 crypto_key_t *key; 7176 crypto_ctx_template_t *sa_tmpl; 7177 int rv; 7178 ipsec_stack_t *ipss = sa->ipsa_netstack->netstack_ipsec; 7179 7180 ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock)); 7181 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 7182 7183 /* get pointers to the algorithm info, context template, and key */ 7184 switch (alg_type) { 7185 case IPSEC_ALG_AUTH: 7186 key = &sa->ipsa_kcfauthkey; 7187 sa_tmpl = &sa->ipsa_authtmpl; 7188 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_auth_alg]; 7189 break; 7190 case IPSEC_ALG_ENCR: 7191 key = &sa->ipsa_kcfencrkey; 7192 sa_tmpl = &sa->ipsa_encrtmpl; 7193 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_encr_alg]; 7194 break; 7195 default: 7196 alg = NULL; 7197 } 7198 7199 if (alg == NULL || !ALG_VALID(alg)) 7200 return (EINVAL); 7201 7202 /* initialize the mech info structure for the framework */ 7203 ASSERT(alg->alg_mech_type != CRYPTO_MECHANISM_INVALID); 7204 mech.cm_type = alg->alg_mech_type; 7205 mech.cm_param = NULL; 7206 mech.cm_param_len = 0; 7207 7208 /* create a new context template */ 7209 rv = crypto_create_ctx_template(&mech, key, sa_tmpl, KM_NOSLEEP); 7210 7211 /* 7212 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware 7213 * providers are available for that mechanism. In that case 7214 * we don't fail, and will generate the context template from 7215 * the framework callback when a software provider for that 7216 * mechanism registers. 7217 * 7218 * The context template is assigned the special value 7219 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a 7220 * lack of memory. No attempt will be made to use 7221 * the context template if it is set to this value. 7222 */ 7223 if (rv == CRYPTO_HOST_MEMORY) { 7224 *sa_tmpl = IPSEC_CTX_TMPL_ALLOC; 7225 } else if (rv != CRYPTO_SUCCESS) { 7226 *sa_tmpl = NULL; 7227 if (rv != CRYPTO_MECH_NOT_SUPPORTED) 7228 return (EINVAL); 7229 } 7230 7231 return (0); 7232 } 7233 7234 /* 7235 * Destroy the context template of the specified algorithm type 7236 * of the specified SA. Must be called while holding the SA lock. 7237 */ 7238 void 7239 ipsec_destroy_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 7240 { 7241 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 7242 7243 if (alg_type == IPSEC_ALG_AUTH) { 7244 if (sa->ipsa_authtmpl == IPSEC_CTX_TMPL_ALLOC) 7245 sa->ipsa_authtmpl = NULL; 7246 else if (sa->ipsa_authtmpl != NULL) { 7247 crypto_destroy_ctx_template(sa->ipsa_authtmpl); 7248 sa->ipsa_authtmpl = NULL; 7249 } 7250 } else { 7251 ASSERT(alg_type == IPSEC_ALG_ENCR); 7252 if (sa->ipsa_encrtmpl == IPSEC_CTX_TMPL_ALLOC) 7253 sa->ipsa_encrtmpl = NULL; 7254 else if (sa->ipsa_encrtmpl != NULL) { 7255 crypto_destroy_ctx_template(sa->ipsa_encrtmpl); 7256 sa->ipsa_encrtmpl = NULL; 7257 } 7258 } 7259 } 7260 7261 /* 7262 * Use the kernel crypto framework to check the validity of a key received 7263 * via keysock. Returns 0 if the key is OK, -1 otherwise. 7264 */ 7265 int 7266 ipsec_check_key(crypto_mech_type_t mech_type, sadb_key_t *sadb_key, 7267 boolean_t is_auth, int *diag) 7268 { 7269 crypto_mechanism_t mech; 7270 crypto_key_t crypto_key; 7271 int crypto_rc; 7272 7273 mech.cm_type = mech_type; 7274 mech.cm_param = NULL; 7275 mech.cm_param_len = 0; 7276 7277 crypto_key.ck_format = CRYPTO_KEY_RAW; 7278 crypto_key.ck_data = sadb_key + 1; 7279 crypto_key.ck_length = sadb_key->sadb_key_bits; 7280 7281 crypto_rc = crypto_key_check(&mech, &crypto_key); 7282 7283 switch (crypto_rc) { 7284 case CRYPTO_SUCCESS: 7285 return (0); 7286 case CRYPTO_MECHANISM_INVALID: 7287 case CRYPTO_MECH_NOT_SUPPORTED: 7288 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AALG : 7289 SADB_X_DIAGNOSTIC_BAD_EALG; 7290 break; 7291 case CRYPTO_KEY_SIZE_RANGE: 7292 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AKEYBITS : 7293 SADB_X_DIAGNOSTIC_BAD_EKEYBITS; 7294 break; 7295 case CRYPTO_WEAK_KEY: 7296 *diag = is_auth ? SADB_X_DIAGNOSTIC_WEAK_AKEY : 7297 SADB_X_DIAGNOSTIC_WEAK_EKEY; 7298 break; 7299 } 7300 7301 return (-1); 7302 } 7303 /* 7304 * If this is an outgoing SA then add some fuzz to the 7305 * SOFT EXPIRE time. The reason for this is to stop 7306 * peers trying to renegotiate SOFT expiring SA's at 7307 * the same time. The amount of fuzz needs to be at 7308 * least 8 seconds which is the typical interval 7309 * sadb_ager(), although this is only a guide as it 7310 * selftunes. 7311 */ 7312 void 7313 lifetime_fuzz(ipsa_t *assoc) 7314 { 7315 uint8_t rnd; 7316 7317 if (assoc->ipsa_softaddlt == 0) 7318 return; 7319 7320 (void) random_get_pseudo_bytes(&rnd, sizeof (rnd)); 7321 rnd = (rnd & 0xF) + 8; 7322 assoc->ipsa_softexpiretime -= rnd; 7323 assoc->ipsa_softaddlt -= rnd; 7324 } 7325 void 7326 destroy_ipsa_pair(ipsap_t *ipsapp) 7327 { 7328 if (ipsapp == NULL) 7329 return; 7330 7331 /* 7332 * Because of the multi-line macro nature of IPSA_REFRELE, keep 7333 * them in { }. 7334 */ 7335 if (ipsapp->ipsap_sa_ptr != NULL) { 7336 IPSA_REFRELE(ipsapp->ipsap_sa_ptr); 7337 } 7338 if (ipsapp->ipsap_psa_ptr != NULL) { 7339 IPSA_REFRELE(ipsapp->ipsap_psa_ptr); 7340 } 7341 7342 kmem_free(ipsapp, sizeof (*ipsapp)); 7343 } 7344 7345 /* 7346 * The sadb_ager() function walks through the hash tables of SA's and ages 7347 * them, if the SA expires as a result, its marked as DEAD and will be reaped 7348 * the next time sadb_ager() runs. SA's which are paired or have a peer (same 7349 * SA appears in both the inbound and outbound tables because its not possible 7350 * to determine its direction) are placed on a list when they expire. This is 7351 * to ensure that pair/peer SA's are reaped at the same time, even if they 7352 * expire at different times. 7353 * 7354 * This function is called twice by sadb_ager(), one after processing the 7355 * inbound table, then again after processing the outbound table. 7356 */ 7357 void 7358 age_pair_peer_list(templist_t *haspeerlist, sadb_t *sp, boolean_t outbound) 7359 { 7360 templist_t *listptr; 7361 int outhash; 7362 isaf_t *bucket; 7363 boolean_t haspeer; 7364 ipsa_t *peer_assoc, *dying; 7365 /* 7366 * Haspeer cases will contain both IPv4 and IPv6. This code 7367 * is address independent. 7368 */ 7369 while (haspeerlist != NULL) { 7370 /* "dying" contains the SA that has a peer. */ 7371 dying = haspeerlist->ipsa; 7372 haspeer = (dying->ipsa_haspeer); 7373 listptr = haspeerlist; 7374 haspeerlist = listptr->next; 7375 kmem_free(listptr, sizeof (*listptr)); 7376 /* 7377 * Pick peer bucket based on addrfam. 7378 */ 7379 if (outbound) { 7380 if (haspeer) 7381 bucket = INBOUND_BUCKET(sp, dying->ipsa_spi); 7382 else 7383 bucket = INBOUND_BUCKET(sp, 7384 dying->ipsa_otherspi); 7385 } else { /* inbound */ 7386 if (haspeer) { 7387 if (dying->ipsa_addrfam == AF_INET6) { 7388 outhash = OUTBOUND_HASH_V6(sp, 7389 *((in6_addr_t *)&dying-> 7390 ipsa_dstaddr)); 7391 } else { 7392 outhash = OUTBOUND_HASH_V4(sp, 7393 *((ipaddr_t *)&dying-> 7394 ipsa_dstaddr)); 7395 } 7396 } else if (dying->ipsa_addrfam == AF_INET6) { 7397 outhash = OUTBOUND_HASH_V6(sp, 7398 *((in6_addr_t *)&dying-> 7399 ipsa_srcaddr)); 7400 } else { 7401 outhash = OUTBOUND_HASH_V4(sp, 7402 *((ipaddr_t *)&dying-> 7403 ipsa_srcaddr)); 7404 } 7405 bucket = &(sp->sdb_of[outhash]); 7406 } 7407 7408 mutex_enter(&bucket->isaf_lock); 7409 /* 7410 * "haspeer" SA's have the same src/dst address ordering, 7411 * "paired" SA's have the src/dst addresses reversed. 7412 */ 7413 if (haspeer) { 7414 peer_assoc = ipsec_getassocbyspi(bucket, 7415 dying->ipsa_spi, dying->ipsa_srcaddr, 7416 dying->ipsa_dstaddr, dying->ipsa_addrfam); 7417 } else { 7418 peer_assoc = ipsec_getassocbyspi(bucket, 7419 dying->ipsa_otherspi, dying->ipsa_dstaddr, 7420 dying->ipsa_srcaddr, dying->ipsa_addrfam); 7421 } 7422 7423 mutex_exit(&bucket->isaf_lock); 7424 if (peer_assoc != NULL) { 7425 mutex_enter(&peer_assoc->ipsa_lock); 7426 mutex_enter(&dying->ipsa_lock); 7427 if (!haspeer) { 7428 /* 7429 * Only SA's which have a "peer" or are 7430 * "paired" end up on this list, so this 7431 * must be a "paired" SA, update the flags 7432 * to break the pair. 7433 */ 7434 peer_assoc->ipsa_otherspi = 0; 7435 peer_assoc->ipsa_flags &= ~IPSA_F_PAIRED; 7436 dying->ipsa_otherspi = 0; 7437 dying->ipsa_flags &= ~IPSA_F_PAIRED; 7438 } 7439 if (haspeer || outbound) { 7440 /* 7441 * Update the state of the "inbound" SA when 7442 * the "outbound" SA has expired. Don't update 7443 * the "outbound" SA when the "inbound" SA 7444 * SA expires because setting the hard_addtime 7445 * below will cause this to happen. 7446 */ 7447 peer_assoc->ipsa_state = dying->ipsa_state; 7448 } 7449 if (dying->ipsa_state == IPSA_STATE_DEAD) 7450 peer_assoc->ipsa_hardexpiretime = 1; 7451 7452 mutex_exit(&dying->ipsa_lock); 7453 mutex_exit(&peer_assoc->ipsa_lock); 7454 IPSA_REFRELE(peer_assoc); 7455 } 7456 IPSA_REFRELE(dying); 7457 } 7458 } 7459