1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/stream.h> 30 #include <sys/stropts.h> 31 #include <sys/ddi.h> 32 #include <sys/debug.h> 33 #include <sys/cmn_err.h> 34 #include <sys/stream.h> 35 #include <sys/strlog.h> 36 #include <sys/kmem.h> 37 #include <sys/sunddi.h> 38 #include <sys/tihdr.h> 39 #include <sys/atomic.h> 40 #include <sys/socket.h> 41 #include <sys/sysmacros.h> 42 #include <sys/crypto/common.h> 43 #include <sys/crypto/api.h> 44 #include <sys/zone.h> 45 #include <netinet/in.h> 46 #include <net/if.h> 47 #include <net/pfkeyv2.h> 48 #include <inet/common.h> 49 #include <netinet/ip6.h> 50 #include <inet/ip.h> 51 #include <inet/ip6.h> 52 #include <inet/ipsec_info.h> 53 #include <inet/ipsec_impl.h> 54 #include <inet/tcp.h> 55 #include <inet/sadb.h> 56 #include <inet/ipsecah.h> 57 #include <inet/ipsecesp.h> 58 #include <sys/random.h> 59 #include <sys/dlpi.h> 60 #include <sys/iphada.h> 61 #include <inet/ip_if.h> 62 #include <inet/ipdrop.h> 63 #include <inet/ipclassifier.h> 64 #include <inet/sctp_ip.h> 65 66 /* 67 * This source file contains Security Association Database (SADB) common 68 * routines. They are linked in with the AH module. Since AH has no chance 69 * of falling under export control, it was safe to link it in there. 70 */ 71 72 /* Packet dropper for generic SADB drops. */ 73 static ipdropper_t sadb_dropper; 74 75 static mblk_t *sadb_extended_acquire(ipsec_selector_t *, ipsec_policy_t *, 76 ipsec_action_t *, uint32_t, uint32_t); 77 static void sadb_ill_df(ill_t *, mblk_t *, isaf_t *, int, boolean_t); 78 static ipsa_t *sadb_torch_assoc(isaf_t *, ipsa_t *, boolean_t, mblk_t **); 79 static void sadb_drain_torchq(queue_t *q, mblk_t *); 80 static void sadb_destroy_acqlist(iacqf_t **, uint_t, boolean_t); 81 static void sadb_destroy(sadb_t *sp); 82 83 static time_t sadb_add_time(time_t base, uint64_t delta); 84 85 /* 86 * ipsacq_maxpackets is defined here to make it tunable 87 * from /etc/system. 88 */ 89 extern uint64_t ipsacq_maxpackets; 90 91 #define SET_EXPIRE(sa, delta, exp) { \ 92 if (((sa)->ipsa_ ## delta) != 0) { \ 93 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \ 94 (sa)->ipsa_ ## delta); \ 95 } \ 96 } 97 98 #define UPDATE_EXPIRE(sa, delta, exp) { \ 99 if (((sa)->ipsa_ ## delta) != 0) { \ 100 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \ 101 (sa)->ipsa_ ## delta); \ 102 if (((sa)->ipsa_ ## exp) == 0) \ 103 (sa)->ipsa_ ## exp = tmp; \ 104 else \ 105 (sa)->ipsa_ ## exp = \ 106 MIN((sa)->ipsa_ ## exp, tmp); \ 107 } \ 108 } 109 110 111 /* wrap the macro so we can pass it as a function pointer */ 112 void 113 sadb_sa_refrele(void *target) 114 { 115 IPSA_REFRELE(((ipsa_t *)target)); 116 } 117 118 /* 119 * We presume that sizeof (long) == sizeof (time_t) and that time_t is 120 * a signed type. 121 */ 122 #define TIME_MAX LONG_MAX 123 124 /* 125 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that 126 * time_t is defined to be a signed type with the same range as 127 * "long". On ILP32 systems, we thus run the risk of wrapping around 128 * at end of time, as well as "overwrapping" the clock back around 129 * into a seemingly valid but incorrect future date earlier than the 130 * desired expiration. 131 * 132 * In order to avoid odd behavior (either negative lifetimes or loss 133 * of high order bits) when someone asks for bizarrely long SA 134 * lifetimes, we do a saturating add for expire times. 135 * 136 * We presume that ILP32 systems will be past end of support life when 137 * the 32-bit time_t overflows (a dangerous assumption, mind you..). 138 * 139 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we 140 * will hopefully have figured out clever ways to avoid the use of 141 * fixed-sized integers in computation. 142 */ 143 static time_t 144 sadb_add_time(time_t base, uint64_t delta) 145 { 146 time_t sum; 147 148 /* 149 * Clip delta to the maximum possible time_t value to 150 * prevent "overwrapping" back into a shorter-than-desired 151 * future time. 152 */ 153 if (delta > TIME_MAX) 154 delta = TIME_MAX; 155 /* 156 * This sum may still overflow. 157 */ 158 sum = base + delta; 159 160 /* 161 * .. so if the result is less than the base, we overflowed. 162 */ 163 if (sum < base) 164 sum = TIME_MAX; 165 166 return (sum); 167 } 168 169 /* 170 * Callers of this function have already created a working security 171 * association, and have found the appropriate table & hash chain. All this 172 * function does is check duplicates, and insert the SA. The caller needs to 173 * hold the hash bucket lock and increment the refcnt before insertion. 174 * 175 * Return 0 if success, EEXIST if collision. 176 */ 177 int 178 sadb_insertassoc(ipsa_t *ipsa, isaf_t *bucket) 179 { 180 ipsa_t **ptpn = NULL; 181 ipsa_t *walker; 182 boolean_t unspecsrc; 183 184 ASSERT(MUTEX_HELD(&bucket->isaf_lock)); 185 186 unspecsrc = IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_srcaddr, ipsa->ipsa_addrfam); 187 188 walker = bucket->isaf_ipsa; 189 ASSERT(walker == NULL || ipsa->ipsa_addrfam == walker->ipsa_addrfam); 190 191 /* 192 * Find insertion point (pointed to with **ptpn). Insert at the head 193 * of the list unless there's an unspecified source address, then 194 * insert it after the last SA with a specified source address. 195 * 196 * BTW, you'll have to walk the whole chain, matching on {DST, SPI} 197 * checking for collisions. 198 */ 199 200 while (walker != NULL) { 201 if (IPSA_ARE_ADDR_EQUAL(walker->ipsa_dstaddr, 202 ipsa->ipsa_dstaddr, ipsa->ipsa_addrfam)) { 203 if (walker->ipsa_spi == ipsa->ipsa_spi) 204 return (EEXIST); 205 206 mutex_enter(&walker->ipsa_lock); 207 if (ipsa->ipsa_state == IPSA_STATE_MATURE && 208 (walker->ipsa_flags & IPSA_F_USED) && 209 ((walker->ipsa_unique_id & 210 walker->ipsa_unique_mask) == 211 (ipsa->ipsa_unique_id & 212 ipsa->ipsa_unique_mask))) { 213 walker->ipsa_flags |= IPSA_F_CINVALID; 214 } 215 mutex_exit(&walker->ipsa_lock); 216 } 217 218 if (ptpn == NULL && unspecsrc) { 219 if (IPSA_IS_ADDR_UNSPEC(walker->ipsa_srcaddr, 220 walker->ipsa_addrfam)) 221 ptpn = walker->ipsa_ptpn; 222 else if (walker->ipsa_next == NULL) 223 ptpn = &walker->ipsa_next; 224 } 225 226 walker = walker->ipsa_next; 227 } 228 229 if (ptpn == NULL) 230 ptpn = &bucket->isaf_ipsa; 231 ipsa->ipsa_next = *ptpn; 232 ipsa->ipsa_ptpn = ptpn; 233 if (ipsa->ipsa_next != NULL) 234 ipsa->ipsa_next->ipsa_ptpn = &ipsa->ipsa_next; 235 *ptpn = ipsa; 236 ipsa->ipsa_linklock = &bucket->isaf_lock; 237 238 return (0); 239 } 240 241 /* 242 * Free a security association. Its reference count is 0, which means 243 * I must free it. The SA must be unlocked and must not be linked into 244 * any fanout list. 245 */ 246 static void 247 sadb_freeassoc(ipsa_t *ipsa) 248 { 249 ASSERT(!MUTEX_HELD(&ipsa->ipsa_lock)); 250 ASSERT(ipsa->ipsa_refcnt == 0); 251 ASSERT(ipsa->ipsa_next == NULL); 252 ASSERT(ipsa->ipsa_ptpn == NULL); 253 254 ip_drop_packet(sadb_clear_lpkt(ipsa), B_TRUE, NULL, NULL, 255 &ipdrops_sadb_inlarval_timeout, &sadb_dropper); 256 257 mutex_enter(&ipsa->ipsa_lock); 258 259 if (ipsa->ipsa_natt_ka_timer != 0) 260 (void) quntimeout(ipsa->ipsa_natt_q, ipsa->ipsa_natt_ka_timer); 261 262 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_AUTH); 263 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_ENCR); 264 mutex_exit(&ipsa->ipsa_lock); 265 266 /* bzero() these fields for paranoia's sake. */ 267 if (ipsa->ipsa_authkey != NULL) { 268 bzero(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 269 kmem_free(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 270 } 271 if (ipsa->ipsa_encrkey != NULL) { 272 bzero(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 273 kmem_free(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 274 } 275 if (ipsa->ipsa_src_cid != NULL) { 276 IPSID_REFRELE(ipsa->ipsa_src_cid); 277 } 278 if (ipsa->ipsa_dst_cid != NULL) { 279 IPSID_REFRELE(ipsa->ipsa_dst_cid); 280 } 281 if (ipsa->ipsa_proxy_cid != NULL) { 282 IPSID_REFRELE(ipsa->ipsa_proxy_cid); 283 } 284 if (ipsa->ipsa_integ != NULL) 285 kmem_free(ipsa->ipsa_integ, ipsa->ipsa_integlen); 286 if (ipsa->ipsa_sens != NULL) 287 kmem_free(ipsa->ipsa_sens, ipsa->ipsa_senslen); 288 289 mutex_destroy(&ipsa->ipsa_lock); 290 kmem_free(ipsa, sizeof (*ipsa)); 291 } 292 293 /* 294 * Unlink a security association from a hash bucket. Assume the hash bucket 295 * lock is held, but the association's lock is not. 296 * 297 * Note that we do not bump the bucket's generation number here because 298 * we might not be making a visible change to the set of visible SA's. 299 * All callers MUST bump the bucket's generation number before they unlock 300 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which 301 * was present in the bucket at the time it was locked. 302 */ 303 void 304 sadb_unlinkassoc(ipsa_t *ipsa) 305 { 306 ASSERT(ipsa->ipsa_linklock != NULL); 307 ASSERT(MUTEX_HELD(ipsa->ipsa_linklock)); 308 309 /* These fields are protected by the link lock. */ 310 *(ipsa->ipsa_ptpn) = ipsa->ipsa_next; 311 if (ipsa->ipsa_next != NULL) { 312 ipsa->ipsa_next->ipsa_ptpn = ipsa->ipsa_ptpn; 313 ipsa->ipsa_next = NULL; 314 } 315 316 ipsa->ipsa_ptpn = NULL; 317 318 /* This may destroy the SA. */ 319 IPSA_REFRELE(ipsa); 320 } 321 322 /* 323 * Create a larval security association with the specified SPI. All other 324 * fields are zeroed. 325 */ 326 static ipsa_t * 327 sadb_makelarvalassoc(uint32_t spi, uint32_t *src, uint32_t *dst, int addrfam) 328 { 329 ipsa_t *newbie; 330 331 /* 332 * Allocate... 333 */ 334 335 newbie = (ipsa_t *)kmem_zalloc(sizeof (ipsa_t), KM_NOSLEEP); 336 if (newbie == NULL) { 337 /* Can't make new larval SA. */ 338 return (NULL); 339 } 340 341 /* Assigned requested SPI, assume caller does SPI allocation magic. */ 342 newbie->ipsa_spi = spi; 343 344 /* 345 * Copy addresses... 346 */ 347 348 IPSA_COPY_ADDR(newbie->ipsa_srcaddr, src, addrfam); 349 IPSA_COPY_ADDR(newbie->ipsa_dstaddr, dst, addrfam); 350 351 newbie->ipsa_addrfam = addrfam; 352 353 /* 354 * Set common initialization values, including refcnt. 355 */ 356 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 357 newbie->ipsa_state = IPSA_STATE_LARVAL; 358 newbie->ipsa_refcnt = 1; 359 newbie->ipsa_freefunc = sadb_freeassoc; 360 361 /* 362 * There aren't a lot of other common initialization values, as 363 * they are copied in from the PF_KEY message. 364 */ 365 366 return (newbie); 367 } 368 369 /* 370 * Call me to initialize a security association fanout. 371 */ 372 static int 373 sadb_init_fanout(isaf_t **tablep, uint_t size, int kmflag) 374 { 375 isaf_t *table; 376 int i; 377 378 table = (isaf_t *)kmem_alloc(size * sizeof (*table), kmflag); 379 *tablep = table; 380 381 if (table == NULL) 382 return (ENOMEM); 383 384 for (i = 0; i < size; i++) { 385 mutex_init(&(table[i].isaf_lock), NULL, MUTEX_DEFAULT, NULL); 386 table[i].isaf_ipsa = NULL; 387 table[i].isaf_gen = 0; 388 } 389 390 return (0); 391 } 392 393 /* 394 * Call me to initialize an acquire fanout 395 */ 396 static int 397 sadb_init_acfanout(iacqf_t **tablep, uint_t size, int kmflag) 398 { 399 iacqf_t *table; 400 int i; 401 402 table = (iacqf_t *)kmem_alloc(size * sizeof (*table), kmflag); 403 *tablep = table; 404 405 if (table == NULL) 406 return (ENOMEM); 407 408 for (i = 0; i < size; i++) { 409 mutex_init(&(table[i].iacqf_lock), NULL, MUTEX_DEFAULT, NULL); 410 table[i].iacqf_ipsacq = NULL; 411 } 412 413 return (0); 414 } 415 416 /* 417 * Attempt to initialize an SADB instance. On failure, return ENOMEM; 418 * caller must clean up partial allocations. 419 */ 420 static int 421 sadb_init_trial(sadb_t *sp, uint_t size, int kmflag) 422 { 423 ASSERT(sp->sdb_of == NULL); 424 ASSERT(sp->sdb_if == NULL); 425 ASSERT(sp->sdb_acq == NULL); 426 427 sp->sdb_hashsize = size; 428 if (sadb_init_fanout(&sp->sdb_of, size, kmflag) != 0) 429 return (ENOMEM); 430 if (sadb_init_fanout(&sp->sdb_if, size, kmflag) != 0) 431 return (ENOMEM); 432 if (sadb_init_acfanout(&sp->sdb_acq, size, kmflag) != 0) 433 return (ENOMEM); 434 435 return (0); 436 } 437 438 /* 439 * Call me to initialize an SADB instance; fall back to default size on failure. 440 */ 441 static void 442 sadb_init(const char *name, sadb_t *sp, uint_t size, uint_t ver) 443 { 444 ASSERT(sp->sdb_of == NULL); 445 ASSERT(sp->sdb_if == NULL); 446 ASSERT(sp->sdb_acq == NULL); 447 448 if (size < IPSEC_DEFAULT_HASH_SIZE) 449 size = IPSEC_DEFAULT_HASH_SIZE; 450 451 if (sadb_init_trial(sp, size, KM_NOSLEEP) != 0) { 452 453 cmn_err(CE_WARN, 454 "Unable to allocate %u entry IPv%u %s SADB hash table", 455 size, ver, name); 456 457 sadb_destroy(sp); 458 size = IPSEC_DEFAULT_HASH_SIZE; 459 cmn_err(CE_WARN, "Falling back to %d entries", size); 460 (void) sadb_init_trial(sp, size, KM_SLEEP); 461 } 462 } 463 464 465 /* 466 * Initialize an SADB-pair. 467 */ 468 void 469 sadbp_init(const char *name, sadbp_t *sp, int type, int size) 470 { 471 sadb_init(name, &sp->s_v4, size, 4); 472 sadb_init(name, &sp->s_v6, size, 6); 473 474 sp->s_satype = type; 475 476 ASSERT((type == SADB_SATYPE_AH) || (type == SADB_SATYPE_ESP)); 477 if (type == SADB_SATYPE_AH) 478 ip_drop_register(&sadb_dropper, "IPsec SADB"); 479 } 480 481 /* 482 * Deliver a single SADB_DUMP message representing a single SA. This is 483 * called many times by sadb_dump(). 484 * 485 * If the return value of this is ENOBUFS (not the same as ENOMEM), then 486 * the caller should take that as a hint that dupb() on the "original answer" 487 * failed, and that perhaps the caller should try again with a copyb()ed 488 * "original answer". 489 */ 490 static int 491 sadb_dump_deliver(queue_t *pfkey_q, mblk_t *original_answer, ipsa_t *ipsa, 492 sadb_msg_t *samsg) 493 { 494 mblk_t *answer; 495 496 answer = dupb(original_answer); 497 if (answer == NULL) 498 return (ENOBUFS); 499 answer->b_cont = sadb_sa2msg(ipsa, samsg); 500 if (answer->b_cont == NULL) { 501 freeb(answer); 502 return (ENOMEM); 503 } 504 505 /* Just do a putnext, and let keysock deal with flow control. */ 506 putnext(pfkey_q, answer); 507 return (0); 508 } 509 510 /* 511 * Common function to allocate and prepare a keysock_out_t M_CTL message. 512 */ 513 mblk_t * 514 sadb_keysock_out(minor_t serial) 515 { 516 mblk_t *mp; 517 keysock_out_t *kso; 518 519 mp = allocb(sizeof (ipsec_info_t), BPRI_HI); 520 if (mp != NULL) { 521 mp->b_datap->db_type = M_CTL; 522 mp->b_wptr += sizeof (ipsec_info_t); 523 kso = (keysock_out_t *)mp->b_rptr; 524 kso->ks_out_type = KEYSOCK_OUT; 525 kso->ks_out_len = sizeof (*kso); 526 kso->ks_out_serial = serial; 527 } 528 529 return (mp); 530 } 531 532 /* 533 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts 534 * to keysock. 535 */ 536 static int 537 sadb_dump_fanout(queue_t *pfkey_q, mblk_t *mp, minor_t serial, isaf_t *fanout, 538 int num_entries, boolean_t do_peers) 539 { 540 int i, error = 0; 541 mblk_t *original_answer; 542 ipsa_t *walker; 543 sadb_msg_t *samsg; 544 545 /* 546 * For each IPSA hash bucket do: 547 * - Hold the mutex 548 * - Walk each entry, doing an sadb_dump_deliver() on it. 549 */ 550 ASSERT(mp->b_cont != NULL); 551 samsg = (sadb_msg_t *)mp->b_cont->b_rptr; 552 553 original_answer = sadb_keysock_out(serial); 554 if (original_answer == NULL) 555 return (ENOMEM); 556 557 for (i = 0; i < num_entries; i++) { 558 mutex_enter(&fanout[i].isaf_lock); 559 for (walker = fanout[i].isaf_ipsa; walker != NULL; 560 walker = walker->ipsa_next) { 561 if (!do_peers && walker->ipsa_haspeer) 562 continue; 563 error = sadb_dump_deliver(pfkey_q, original_answer, 564 walker, samsg); 565 if (error == ENOBUFS) { 566 mblk_t *new_original_answer; 567 568 /* Ran out of dupb's. Try a copyb. */ 569 new_original_answer = copyb(original_answer); 570 if (new_original_answer == NULL) { 571 error = ENOMEM; 572 } else { 573 freeb(original_answer); 574 original_answer = new_original_answer; 575 error = sadb_dump_deliver(pfkey_q, 576 original_answer, walker, samsg); 577 } 578 } 579 if (error != 0) 580 break; /* out of for loop. */ 581 } 582 mutex_exit(&fanout[i].isaf_lock); 583 if (error != 0) 584 break; /* out of for loop. */ 585 } 586 587 freeb(original_answer); 588 return (error); 589 } 590 591 /* 592 * Dump an entire SADB; outbound first, then inbound. 593 */ 594 595 int 596 sadb_dump(queue_t *pfkey_q, mblk_t *mp, minor_t serial, sadb_t *sp) 597 { 598 int error; 599 600 /* Dump outbound */ 601 error = sadb_dump_fanout(pfkey_q, mp, serial, sp->sdb_of, 602 sp->sdb_hashsize, B_TRUE); 603 if (error) 604 return (error); 605 606 /* Dump inbound */ 607 return sadb_dump_fanout(pfkey_q, mp, serial, sp->sdb_if, 608 sp->sdb_hashsize, B_FALSE); 609 } 610 611 /* 612 * Generic sadb table walker. 613 * 614 * Call "walkfn" for each SA in each bucket in "table"; pass the 615 * bucket, the entry and "cookie" to the callback function. 616 * Take care to ensure that walkfn can delete the SA without screwing 617 * up our traverse. 618 * 619 * The bucket is locked for the duration of the callback, both so that the 620 * callback can just call sadb_unlinkassoc() when it wants to delete something, 621 * and so that no new entries are added while we're walking the list. 622 */ 623 static void 624 sadb_walker(isaf_t *table, uint_t numentries, 625 void (*walkfn)(isaf_t *head, ipsa_t *entry, void *cookie), 626 void *cookie) 627 { 628 int i; 629 for (i = 0; i < numentries; i++) { 630 ipsa_t *entry, *next; 631 632 mutex_enter(&table[i].isaf_lock); 633 634 for (entry = table[i].isaf_ipsa; entry != NULL; 635 entry = next) { 636 next = entry->ipsa_next; 637 (*walkfn)(&table[i], entry, cookie); 638 } 639 mutex_exit(&table[i].isaf_lock); 640 } 641 } 642 643 /* 644 * From the given SA, construct a dl_ct_ipsec_key and 645 * a dl_ct_ipsec structures to be sent to the adapter as part 646 * of a DL_CONTROL_REQ. 647 * 648 * ct_sa must point to the storage allocated for the key 649 * structure and must be followed by storage allocated 650 * for the SA information that must be sent to the driver 651 * as part of the DL_CONTROL_REQ request. 652 * 653 * The is_inbound boolean indicates whether the specified 654 * SA is part of an inbound SA table. 655 * 656 * Returns B_TRUE if the corresponding SA must be passed to 657 * a provider, B_FALSE otherwise; frees *mp if it returns B_FALSE. 658 */ 659 static boolean_t 660 sadb_req_from_sa(ipsa_t *sa, mblk_t *mp, boolean_t is_inbound) 661 { 662 dl_ct_ipsec_key_t *keyp; 663 dl_ct_ipsec_t *sap; 664 void *ct_sa = mp->b_wptr; 665 666 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 667 668 keyp = (dl_ct_ipsec_key_t *)(ct_sa); 669 sap = (dl_ct_ipsec_t *)(keyp + 1); 670 671 IPSECHW_DEBUG(IPSECHW_CAPAB, ("sadb_req_from_sa: " 672 "is_inbound = %d\n", is_inbound)); 673 674 /* initialize flag */ 675 sap->sadb_sa_flags = 0; 676 if (is_inbound) { 677 sap->sadb_sa_flags |= DL_CT_IPSEC_INBOUND; 678 /* 679 * If an inbound SA has a peer, then mark it has being 680 * an outbound SA as well. 681 */ 682 if (sa->ipsa_haspeer) 683 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 684 } else { 685 /* 686 * If an outbound SA has a peer, then don't send it, 687 * since we will send the copy from the inbound table. 688 */ 689 if (sa->ipsa_haspeer) { 690 freemsg(mp); 691 return (B_FALSE); 692 } 693 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 694 } 695 696 keyp->dl_key_spi = sa->ipsa_spi; 697 bcopy(sa->ipsa_dstaddr, keyp->dl_key_dest_addr, 698 DL_CTL_IPSEC_ADDR_LEN); 699 keyp->dl_key_addr_family = sa->ipsa_addrfam; 700 701 sap->sadb_sa_auth = sa->ipsa_auth_alg; 702 sap->sadb_sa_encrypt = sa->ipsa_encr_alg; 703 704 sap->sadb_key_len_a = sa->ipsa_authkeylen; 705 sap->sadb_key_bits_a = sa->ipsa_authkeybits; 706 bcopy(sa->ipsa_authkey, 707 sap->sadb_key_data_a, sap->sadb_key_len_a); 708 709 sap->sadb_key_len_e = sa->ipsa_encrkeylen; 710 sap->sadb_key_bits_e = sa->ipsa_encrkeybits; 711 bcopy(sa->ipsa_encrkey, 712 sap->sadb_key_data_e, sap->sadb_key_len_e); 713 714 mp->b_wptr += sizeof (dl_ct_ipsec_t) + sizeof (dl_ct_ipsec_key_t); 715 return (B_TRUE); 716 } 717 718 /* 719 * Called from AH or ESP to format a message which will be used to inform 720 * IPsec-acceleration-capable ills of a SADB change. 721 * (It is not possible to send the message to IP directly from this function 722 * since the SA, if any, is locked during the call). 723 * 724 * dl_operation: DL_CONTROL_REQ operation (add, delete, update, etc) 725 * sa_type: identifies whether the operation applies to AH or ESP 726 * (must be one of SADB_SATYPE_AH or SADB_SATYPE_ESP) 727 * sa: Pointer to an SA. Must be non-NULL and locked 728 * for ADD, DELETE, GET, and UPDATE operations. 729 * This function returns an mblk chain that must be passed to IP 730 * for forwarding to the IPsec capable providers. 731 */ 732 mblk_t * 733 sadb_fmt_sa_req(uint_t dl_operation, uint_t sa_type, ipsa_t *sa, 734 boolean_t is_inbound) 735 { 736 mblk_t *mp; 737 dl_control_req_t *ctrl; 738 boolean_t need_key = B_FALSE; 739 mblk_t *ctl_mp = NULL; 740 ipsec_ctl_t *ctl; 741 742 /* 743 * 1 allocate and initialize DL_CONTROL_REQ M_PROTO 744 * 2 if a key is needed for the operation 745 * 2.1 initialize key 746 * 2.2 if a full SA is needed for the operation 747 * 2.2.1 initialize full SA info 748 * 3 return message; caller will call ill_ipsec_capab_send_all() 749 * to send the resulting message to IPsec capable ills. 750 */ 751 752 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 753 754 /* 755 * Allocate DL_CONTROL_REQ M_PROTO 756 * We allocate room for the SA even if it's not needed 757 * by some of the operations (for example flush) 758 */ 759 mp = allocb(sizeof (dl_control_req_t) + 760 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 761 if (mp == NULL) 762 return (NULL); 763 mp->b_datap->db_type = M_PROTO; 764 765 /* initialize dl_control_req_t */ 766 ctrl = (dl_control_req_t *)mp->b_wptr; 767 ctrl->dl_primitive = DL_CONTROL_REQ; 768 ctrl->dl_operation = dl_operation; 769 ctrl->dl_type = sa_type == SADB_SATYPE_AH ? DL_CT_IPSEC_AH : 770 DL_CT_IPSEC_ESP; 771 ctrl->dl_key_offset = sizeof (dl_control_req_t); 772 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 773 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 774 sizeof (dl_ct_ipsec_key_t); 775 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 776 mp->b_wptr += sizeof (dl_control_req_t); 777 778 if ((dl_operation == DL_CO_SET) || (dl_operation == DL_CO_DELETE)) { 779 ASSERT(sa != NULL); 780 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 781 782 need_key = B_TRUE; 783 784 /* 785 * Initialize key and SA data. Note that for some 786 * operations the SA data is ignored by the provider 787 * (delete, etc.) 788 */ 789 if (!sadb_req_from_sa(sa, mp, is_inbound)) 790 return (NULL); 791 } 792 793 /* construct control message */ 794 ctl_mp = allocb(sizeof (ipsec_ctl_t), BPRI_HI); 795 if (ctl_mp == NULL) { 796 cmn_err(CE_WARN, "sadb_fmt_sa_req: allocb failed\n"); 797 freemsg(mp); 798 return (NULL); 799 } 800 801 ctl_mp->b_datap->db_type = M_CTL; 802 ctl_mp->b_wptr += sizeof (ipsec_ctl_t); 803 ctl_mp->b_cont = mp; 804 805 ctl = (ipsec_ctl_t *)ctl_mp->b_rptr; 806 ctl->ipsec_ctl_type = IPSEC_CTL; 807 ctl->ipsec_ctl_len = sizeof (ipsec_ctl_t); 808 ctl->ipsec_ctl_sa_type = sa_type; 809 810 if (need_key) { 811 /* 812 * Keep an additional reference on SA, since it will be 813 * needed by IP to send control messages corresponding 814 * to that SA from its perimeter. IP will do a 815 * IPSA_REFRELE when done with the request. 816 */ 817 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 818 IPSA_REFHOLD(sa); 819 ctl->ipsec_ctl_sa = sa; 820 } else 821 ctl->ipsec_ctl_sa = NULL; 822 823 return (ctl_mp); 824 } 825 826 827 /* 828 * Called by sadb_ill_download() to dump the entries for a specific 829 * fanout table. For each SA entry in the table passed as argument, 830 * use mp as a template and constructs a full DL_CONTROL message, and 831 * call ill_dlpi_send(), provided by IP, to send the resulting 832 * messages to the ill. 833 */ 834 static void 835 sadb_ill_df(ill_t *ill, mblk_t *mp, isaf_t *fanout, int num_entries, 836 boolean_t is_inbound) 837 { 838 ipsa_t *walker; 839 mblk_t *nmp, *salist; 840 int i, error = 0; 841 842 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_ill_df: fanout at 0x%p ne=%d\n", 843 (void *)fanout, num_entries)); 844 /* 845 * For each IPSA hash bucket do: 846 * - Hold the mutex 847 * - Walk each entry, sending a corresponding request to IP 848 * for it. 849 */ 850 ASSERT(mp->b_datap->db_type == M_PROTO); 851 852 for (i = 0; i < num_entries; i++) { 853 mutex_enter(&fanout[i].isaf_lock); 854 salist = NULL; 855 856 for (walker = fanout[i].isaf_ipsa; walker != NULL; 857 walker = walker->ipsa_next) { 858 IPSECHW_DEBUG(IPSECHW_SADB, 859 ("sadb_ill_df: sending SA to ill via IP \n")); 860 /* 861 * Duplicate the template mp passed and 862 * complete DL_CONTROL_REQ data. 863 * To be more memory efficient, we could use 864 * dupb() for the M_CTL and copyb() for the M_PROTO 865 * as the M_CTL, since the M_CTL is the same for 866 * every SA entry passed down to IP for the same ill. 867 * 868 * Note that copymsg/copyb ensure that the new mblk 869 * is at least as large as the source mblk even if it's 870 * not using all its storage -- therefore, nmp 871 * has trailing space for sadb_req_from_sa to add 872 * the SA-specific bits. 873 */ 874 mutex_enter(&walker->ipsa_lock); 875 if (ipsec_capab_match(ill, 876 ill->ill_phyint->phyint_ifindex, ill->ill_isv6, 877 walker)) { 878 nmp = copymsg(mp); 879 if (nmp == NULL) { 880 IPSECHW_DEBUG(IPSECHW_SADB, 881 ("sadb_ill_df: alloc error\n")); 882 error = ENOMEM; 883 mutex_exit(&walker->ipsa_lock); 884 break; 885 } 886 if (sadb_req_from_sa(walker, nmp, is_inbound)) { 887 nmp->b_next = salist; 888 salist = nmp; 889 } 890 } 891 mutex_exit(&walker->ipsa_lock); 892 } 893 mutex_exit(&fanout[i].isaf_lock); 894 while (salist != NULL) { 895 nmp = salist; 896 salist = nmp->b_next; 897 nmp->b_next = NULL; 898 ill_dlpi_send(ill, nmp); 899 } 900 if (error != 0) 901 break; /* out of for loop. */ 902 } 903 } 904 905 /* 906 * Called by ill_ipsec_capab_add(). Sends a copy of the SADB of 907 * the type specified by sa_type to the specified ill. 908 * 909 * We call for each fanout table defined by the SADB (one per 910 * protocol). sadb_ill_df() finally calls ill_dlpi_send() for 911 * each SADB entry in order to send a corresponding DL_CONTROL_REQ 912 * message to the ill. 913 */ 914 void 915 sadb_ill_download(ill_t *ill, uint_t sa_type) 916 { 917 mblk_t *protomp; /* prototype message */ 918 dl_control_req_t *ctrl; 919 sadbp_t *spp; 920 sadb_t *sp; 921 int dlt; 922 923 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 924 925 /* 926 * Allocate and initialize prototype answer. A duplicate for 927 * each SA is sent down to the interface. 928 */ 929 930 /* DL_CONTROL_REQ M_PROTO mblk_t */ 931 protomp = allocb(sizeof (dl_control_req_t) + 932 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 933 if (protomp == NULL) 934 return; 935 protomp->b_datap->db_type = M_PROTO; 936 937 dlt = (sa_type == SADB_SATYPE_AH) ? DL_CT_IPSEC_AH : DL_CT_IPSEC_ESP; 938 spp = (sa_type == SADB_SATYPE_ESP) ? &esp_sadb : &ah_sadb; 939 940 ctrl = (dl_control_req_t *)protomp->b_wptr; 941 ctrl->dl_primitive = DL_CONTROL_REQ; 942 ctrl->dl_operation = DL_CO_SET; 943 ctrl->dl_type = dlt; 944 ctrl->dl_key_offset = sizeof (dl_control_req_t); 945 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 946 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 947 sizeof (dl_ct_ipsec_key_t); 948 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 949 protomp->b_wptr += sizeof (dl_control_req_t); 950 951 /* 952 * then for each SADB entry, we fill out the dl_ct_ipsec_key_t 953 * and dl_ct_ipsec_t 954 */ 955 sp = ill->ill_isv6 ? &(spp->s_v6) : &(spp->s_v4); 956 sadb_ill_df(ill, protomp, sp->sdb_of, sp->sdb_hashsize, B_FALSE); 957 sadb_ill_df(ill, protomp, sp->sdb_if, sp->sdb_hashsize, B_TRUE); 958 freemsg(protomp); 959 } 960 961 /* 962 * Call me to free up a security association fanout. Use the forever 963 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g. 964 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE, 965 * when a module is unloaded). 966 */ 967 static void 968 sadb_destroyer(isaf_t **tablep, uint_t numentries, boolean_t forever) 969 { 970 int i; 971 isaf_t *table = *tablep; 972 973 if (table == NULL) 974 return; 975 976 for (i = 0; i < numentries; i++) { 977 mutex_enter(&table[i].isaf_lock); 978 while (table[i].isaf_ipsa != NULL) 979 sadb_unlinkassoc(table[i].isaf_ipsa); 980 table[i].isaf_gen++; 981 mutex_exit(&table[i].isaf_lock); 982 if (forever) 983 mutex_destroy(&(table[i].isaf_lock)); 984 } 985 986 if (forever) { 987 *tablep = NULL; 988 kmem_free(table, numentries * sizeof (*table)); 989 } 990 } 991 992 /* 993 * Entry points to sadb_destroyer(). 994 */ 995 static void 996 sadb_flush(sadb_t *sp) 997 { 998 /* 999 * Flush out each bucket, one at a time. Were it not for keysock's 1000 * enforcement, there would be a subtlety where I could add on the 1001 * heels of a flush. With keysock's enforcement, however, this 1002 * makes ESP's job easy. 1003 */ 1004 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_FALSE); 1005 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_FALSE); 1006 1007 /* For each acquire, destroy it; leave the bucket mutex alone. */ 1008 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_FALSE); 1009 } 1010 1011 static void 1012 sadb_destroy(sadb_t *sp) 1013 { 1014 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_TRUE); 1015 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_TRUE); 1016 1017 /* For each acquire, destroy it, including the bucket mutex. */ 1018 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_TRUE); 1019 1020 ASSERT(sp->sdb_of == NULL); 1021 ASSERT(sp->sdb_if == NULL); 1022 ASSERT(sp->sdb_acq == NULL); 1023 } 1024 1025 static void 1026 sadb_send_flush_req(sadbp_t *spp) 1027 { 1028 mblk_t *ctl_mp; 1029 1030 /* 1031 * we've been unplumbed, or never were plumbed; don't go there. 1032 */ 1033 if (spp->s_ip_q == NULL) 1034 return; 1035 1036 /* have IP send a flush msg to the IPsec accelerators */ 1037 ctl_mp = sadb_fmt_sa_req(DL_CO_FLUSH, spp->s_satype, NULL, B_TRUE); 1038 if (ctl_mp != NULL) 1039 putnext(spp->s_ip_q, ctl_mp); 1040 } 1041 1042 void 1043 sadbp_flush(sadbp_t *spp) 1044 { 1045 sadb_flush(&spp->s_v4); 1046 sadb_flush(&spp->s_v6); 1047 1048 sadb_send_flush_req(spp); 1049 } 1050 1051 void 1052 sadbp_destroy(sadbp_t *spp) 1053 { 1054 sadb_destroy(&spp->s_v4); 1055 sadb_destroy(&spp->s_v6); 1056 1057 sadb_send_flush_req(spp); 1058 if (spp->s_satype == SADB_SATYPE_AH) 1059 ip_drop_unregister(&sadb_dropper); 1060 } 1061 1062 1063 /* 1064 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g. 1065 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for 1066 * EINVAL. 1067 */ 1068 int 1069 sadb_hardsoftchk(sadb_lifetime_t *hard, sadb_lifetime_t *soft) 1070 { 1071 if (hard == NULL || soft == NULL) 1072 return (0); 1073 1074 if (hard->sadb_lifetime_allocations != 0 && 1075 soft->sadb_lifetime_allocations != 0 && 1076 hard->sadb_lifetime_allocations < soft->sadb_lifetime_allocations) 1077 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR); 1078 1079 if (hard->sadb_lifetime_bytes != 0 && 1080 soft->sadb_lifetime_bytes != 0 && 1081 hard->sadb_lifetime_bytes < soft->sadb_lifetime_bytes) 1082 return (SADB_X_DIAGNOSTIC_BYTES_HSERR); 1083 1084 if (hard->sadb_lifetime_addtime != 0 && 1085 soft->sadb_lifetime_addtime != 0 && 1086 hard->sadb_lifetime_addtime < soft->sadb_lifetime_addtime) 1087 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1088 1089 if (hard->sadb_lifetime_usetime != 0 && 1090 soft->sadb_lifetime_usetime != 0 && 1091 hard->sadb_lifetime_usetime < soft->sadb_lifetime_usetime) 1092 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1093 1094 return (0); 1095 } 1096 1097 /* 1098 * Clone a security association for the purposes of inserting a single SA 1099 * into inbound and outbound tables respectively. 1100 */ 1101 static ipsa_t * 1102 sadb_cloneassoc(ipsa_t *ipsa) 1103 { 1104 ipsa_t *newbie; 1105 boolean_t error = B_FALSE; 1106 1107 ASSERT(!MUTEX_HELD(&(ipsa->ipsa_lock))); 1108 1109 newbie = kmem_alloc(sizeof (ipsa_t), KM_NOSLEEP); 1110 if (newbie == NULL) 1111 return (NULL); 1112 1113 /* Copy over what we can. */ 1114 *newbie = *ipsa; 1115 1116 /* bzero and initialize locks, in case *_init() allocates... */ 1117 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 1118 1119 /* 1120 * While somewhat dain-bramaged, the most graceful way to 1121 * recover from errors is to keep plowing through the 1122 * allocations, and getting what I can. It's easier to call 1123 * sadb_freeassoc() on the stillborn clone when all the 1124 * pointers aren't pointing to the parent's data. 1125 */ 1126 1127 if (ipsa->ipsa_authkey != NULL) { 1128 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 1129 KM_NOSLEEP); 1130 if (newbie->ipsa_authkey == NULL) { 1131 error = B_TRUE; 1132 } else { 1133 bcopy(ipsa->ipsa_authkey, newbie->ipsa_authkey, 1134 newbie->ipsa_authkeylen); 1135 1136 newbie->ipsa_kcfauthkey.ck_data = 1137 newbie->ipsa_authkey; 1138 } 1139 1140 if (newbie->ipsa_amech.cm_param != NULL) { 1141 newbie->ipsa_amech.cm_param = 1142 (char *)&newbie->ipsa_mac_len; 1143 } 1144 } 1145 1146 if (ipsa->ipsa_encrkey != NULL) { 1147 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 1148 KM_NOSLEEP); 1149 if (newbie->ipsa_encrkey == NULL) { 1150 error = B_TRUE; 1151 } else { 1152 bcopy(ipsa->ipsa_encrkey, newbie->ipsa_encrkey, 1153 newbie->ipsa_encrkeylen); 1154 1155 newbie->ipsa_kcfencrkey.ck_data = 1156 newbie->ipsa_encrkey; 1157 } 1158 } 1159 1160 newbie->ipsa_authtmpl = NULL; 1161 newbie->ipsa_encrtmpl = NULL; 1162 1163 if (ipsa->ipsa_integ != NULL) { 1164 newbie->ipsa_integ = kmem_alloc(newbie->ipsa_integlen, 1165 KM_NOSLEEP); 1166 if (newbie->ipsa_integ == NULL) { 1167 error = B_TRUE; 1168 } else { 1169 bcopy(ipsa->ipsa_integ, newbie->ipsa_integ, 1170 newbie->ipsa_integlen); 1171 } 1172 } 1173 1174 if (ipsa->ipsa_sens != NULL) { 1175 newbie->ipsa_sens = kmem_alloc(newbie->ipsa_senslen, 1176 KM_NOSLEEP); 1177 if (newbie->ipsa_sens == NULL) { 1178 error = B_TRUE; 1179 } else { 1180 bcopy(ipsa->ipsa_sens, newbie->ipsa_sens, 1181 newbie->ipsa_senslen); 1182 } 1183 } 1184 1185 if (ipsa->ipsa_src_cid != NULL) { 1186 newbie->ipsa_src_cid = ipsa->ipsa_src_cid; 1187 IPSID_REFHOLD(ipsa->ipsa_src_cid); 1188 } 1189 1190 if (ipsa->ipsa_dst_cid != NULL) { 1191 newbie->ipsa_dst_cid = ipsa->ipsa_dst_cid; 1192 IPSID_REFHOLD(ipsa->ipsa_dst_cid); 1193 } 1194 1195 #if 0 /* XXX PROXY - Proxy identities not supported yet. */ 1196 if (ipsa->ipsa_proxy_cid != NULL) { 1197 newbie->ipsa_proxy_cid = ipsa->ipsa_proxy_cid; 1198 IPSID_REFHOLD(ipsa->ipsa_proxy_cid); 1199 } 1200 #endif /* XXX PROXY */ 1201 1202 if (error) { 1203 sadb_freeassoc(newbie); 1204 return (NULL); 1205 } 1206 1207 return (newbie); 1208 } 1209 1210 /* 1211 * Initialize a SADB address extension at the address specified by addrext. 1212 * Return a pointer to the end of the new address extension. 1213 */ 1214 static uint8_t * 1215 sadb_make_addr_ext(uint8_t *start, uint8_t *end, uint16_t exttype, 1216 sa_family_t af, uint32_t *addr, uint16_t port, uint8_t proto) 1217 { 1218 struct sockaddr_in *sin; 1219 struct sockaddr_in6 *sin6; 1220 uint8_t *cur = start; 1221 int addrext_len; 1222 int sin_len; 1223 sadb_address_t *addrext = (sadb_address_t *)cur; 1224 1225 if (cur == NULL) 1226 return (NULL); 1227 1228 cur += sizeof (*addrext); 1229 if (cur > end) 1230 return (NULL); 1231 1232 addrext->sadb_address_proto = proto; 1233 addrext->sadb_address_prefixlen = 0; 1234 addrext->sadb_address_reserved = 0; 1235 addrext->sadb_address_exttype = exttype; 1236 1237 switch (af) { 1238 case AF_INET: 1239 sin = (struct sockaddr_in *)cur; 1240 sin_len = sizeof (*sin); 1241 cur += sin_len; 1242 if (cur > end) 1243 return (NULL); 1244 1245 sin->sin_family = af; 1246 bzero(sin->sin_zero, sizeof (sin->sin_zero)); 1247 sin->sin_port = port; 1248 IPSA_COPY_ADDR(&sin->sin_addr, addr, af); 1249 break; 1250 case AF_INET6: 1251 sin6 = (struct sockaddr_in6 *)cur; 1252 sin_len = sizeof (*sin6); 1253 cur += sin_len; 1254 if (cur > end) 1255 return (NULL); 1256 1257 bzero(sin6, sizeof (*sin6)); 1258 sin6->sin6_family = af; 1259 sin6->sin6_port = port; 1260 IPSA_COPY_ADDR(&sin6->sin6_addr, addr, af); 1261 break; 1262 } 1263 1264 addrext_len = roundup(cur - start, sizeof (uint64_t)); 1265 addrext->sadb_address_len = SADB_8TO64(addrext_len); 1266 1267 cur = start + addrext_len; 1268 if (cur > end) 1269 cur = NULL; 1270 1271 return (cur); 1272 } 1273 1274 /* 1275 * Construct a key management cookie extension. 1276 */ 1277 1278 static uint8_t * 1279 sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint32_t kmc) 1280 { 1281 sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur; 1282 1283 if (cur == NULL) 1284 return (NULL); 1285 1286 cur += sizeof (*kmcext); 1287 1288 if (cur > end) 1289 return (NULL); 1290 1291 kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext)); 1292 kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE; 1293 kmcext->sadb_x_kmc_proto = kmp; 1294 kmcext->sadb_x_kmc_cookie = kmc; 1295 kmcext->sadb_x_kmc_reserved = 0; 1296 1297 return (cur); 1298 } 1299 1300 /* 1301 * Given an original message header with sufficient space following it, and an 1302 * SA, construct a full PF_KEY message with all of the relevant extensions. 1303 * This is mostly used for SADB_GET, and SADB_DUMP. 1304 */ 1305 mblk_t * 1306 sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg) 1307 { 1308 int alloclen, addrsize, paddrsize, authsize, encrsize; 1309 int srcidsize, dstidsize; 1310 sa_family_t fam, pfam; /* Address family for SADB_EXT_ADDRESS */ 1311 /* src/dst and proxy sockaddrs. */ 1312 /* 1313 * The following are pointers into the PF_KEY message this PF_KEY 1314 * message creates. 1315 */ 1316 sadb_msg_t *newsamsg; 1317 sadb_sa_t *assoc; 1318 sadb_lifetime_t *lt; 1319 sadb_key_t *key; 1320 sadb_ident_t *ident; 1321 sadb_sens_t *sens; 1322 sadb_ext_t *walker; /* For when we need a generic ext. pointer. */ 1323 mblk_t *mp; 1324 uint64_t *bitmap; 1325 uint8_t *cur, *end; 1326 /* These indicate the presence of the above extension fields. */ 1327 boolean_t soft, hard, proxy, auth, encr, sensinteg, srcid, dstid; 1328 #if 0 /* XXX PROXY see below... */ 1329 boolean_t proxyid, iv; 1330 int proxyidsize, ivsize; 1331 #endif /* XXX PROXY */ 1332 1333 /* First off, figure out the allocation length for this message. */ 1334 1335 /* 1336 * Constant stuff. This includes base, SA, address (src, dst), 1337 * and lifetime (current). 1338 */ 1339 alloclen = sizeof (sadb_msg_t) + sizeof (sadb_sa_t) + 1340 sizeof (sadb_lifetime_t); 1341 1342 fam = ipsa->ipsa_addrfam; 1343 switch (fam) { 1344 case AF_INET: 1345 addrsize = roundup(sizeof (struct sockaddr_in) + 1346 sizeof (sadb_address_t), sizeof (uint64_t)); 1347 break; 1348 case AF_INET6: 1349 addrsize = roundup(sizeof (struct sockaddr_in6) + 1350 sizeof (sadb_address_t), sizeof (uint64_t)); 1351 break; 1352 default: 1353 return (NULL); 1354 } 1355 /* 1356 * Allocate TWO address extensions, for source and destination. 1357 * (Thus, the * 2.) 1358 */ 1359 alloclen += addrsize * 2; 1360 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) 1361 alloclen += addrsize; 1362 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) 1363 alloclen += addrsize; 1364 1365 1366 /* How 'bout other lifetimes? */ 1367 if (ipsa->ipsa_softaddlt != 0 || ipsa->ipsa_softuselt != 0 || 1368 ipsa->ipsa_softbyteslt != 0 || ipsa->ipsa_softalloc != 0) { 1369 alloclen += sizeof (sadb_lifetime_t); 1370 soft = B_TRUE; 1371 } else { 1372 soft = B_FALSE; 1373 } 1374 1375 if (ipsa->ipsa_hardaddlt != 0 || ipsa->ipsa_harduselt != 0 || 1376 ipsa->ipsa_hardbyteslt != 0 || ipsa->ipsa_hardalloc != 0) { 1377 alloclen += sizeof (sadb_lifetime_t); 1378 hard = B_TRUE; 1379 } else { 1380 hard = B_FALSE; 1381 } 1382 1383 /* Proxy address? */ 1384 if (!IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_proxysrc, ipsa->ipsa_proxyfam)) { 1385 pfam = ipsa->ipsa_proxyfam; 1386 switch (pfam) { 1387 case AF_INET6: 1388 paddrsize = roundup(sizeof (struct sockaddr_in6) + 1389 sizeof (sadb_address_t), sizeof (uint64_t)); 1390 break; 1391 case AF_INET: 1392 paddrsize = roundup(sizeof (struct sockaddr_in) + 1393 sizeof (sadb_address_t), sizeof (uint64_t)); 1394 break; 1395 default: 1396 cmn_err(CE_PANIC, 1397 "IPsec SADB: Proxy length failure.\n"); 1398 break; 1399 } 1400 proxy = B_TRUE; 1401 alloclen += paddrsize; 1402 } else { 1403 proxy = B_FALSE; 1404 } 1405 1406 /* For the following fields, assume that length != 0 ==> stuff */ 1407 if (ipsa->ipsa_authkeylen != 0) { 1408 authsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_authkeylen, 1409 sizeof (uint64_t)); 1410 alloclen += authsize; 1411 auth = B_TRUE; 1412 } else { 1413 auth = B_FALSE; 1414 } 1415 1416 if (ipsa->ipsa_encrkeylen != 0) { 1417 encrsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_encrkeylen, 1418 sizeof (uint64_t)); 1419 alloclen += encrsize; 1420 encr = B_TRUE; 1421 } else { 1422 encr = B_FALSE; 1423 } 1424 1425 /* No need for roundup on sens and integ. */ 1426 if (ipsa->ipsa_integlen != 0 || ipsa->ipsa_senslen != 0) { 1427 alloclen += sizeof (sadb_key_t) + ipsa->ipsa_integlen + 1428 ipsa->ipsa_senslen; 1429 sensinteg = B_TRUE; 1430 } else { 1431 sensinteg = B_FALSE; 1432 } 1433 1434 /* 1435 * Must use strlen() here for lengths. Identities use NULL 1436 * pointers to indicate their nonexistence. 1437 */ 1438 if (ipsa->ipsa_src_cid != NULL) { 1439 srcidsize = roundup(sizeof (sadb_ident_t) + 1440 strlen(ipsa->ipsa_src_cid->ipsid_cid) + 1, 1441 sizeof (uint64_t)); 1442 alloclen += srcidsize; 1443 srcid = B_TRUE; 1444 } else { 1445 srcid = B_FALSE; 1446 } 1447 1448 if (ipsa->ipsa_dst_cid != NULL) { 1449 dstidsize = roundup(sizeof (sadb_ident_t) + 1450 strlen(ipsa->ipsa_dst_cid->ipsid_cid) + 1, 1451 sizeof (uint64_t)); 1452 alloclen += dstidsize; 1453 dstid = B_TRUE; 1454 } else { 1455 dstid = B_FALSE; 1456 } 1457 1458 #if 0 /* XXX PROXY not yet. */ 1459 if (ipsa->ipsa_proxy_cid != NULL) { 1460 proxyidsize = roundup(sizeof (sadb_ident_t) + 1461 strlen(ipsa->ipsa_proxy_cid->ipsid_cid) + 1, 1462 sizeof (uint64_t)); 1463 alloclen += proxyidsize; 1464 proxyid = B_TRUE; 1465 } else { 1466 proxyid = B_FALSE; 1467 } 1468 #endif /* XXX PROXY */ 1469 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) 1470 alloclen += sizeof (sadb_x_kmc_t); 1471 1472 /* Make sure the allocation length is a multiple of 8 bytes. */ 1473 ASSERT((alloclen & 0x7) == 0); 1474 1475 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */ 1476 mp = allocb(alloclen, BPRI_HI); 1477 if (mp == NULL) 1478 return (NULL); 1479 1480 mp->b_wptr += alloclen; 1481 end = mp->b_wptr; 1482 newsamsg = (sadb_msg_t *)mp->b_rptr; 1483 *newsamsg = *samsg; 1484 newsamsg->sadb_msg_len = (uint16_t)SADB_8TO64(alloclen); 1485 1486 mutex_enter(&ipsa->ipsa_lock); /* Since I'm grabbing SA fields... */ 1487 1488 newsamsg->sadb_msg_satype = ipsa->ipsa_type; 1489 1490 assoc = (sadb_sa_t *)(newsamsg + 1); 1491 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc)); 1492 assoc->sadb_sa_exttype = SADB_EXT_SA; 1493 assoc->sadb_sa_spi = ipsa->ipsa_spi; 1494 assoc->sadb_sa_replay = ipsa->ipsa_replay_wsize; 1495 assoc->sadb_sa_state = ipsa->ipsa_state; 1496 assoc->sadb_sa_auth = ipsa->ipsa_auth_alg; 1497 assoc->sadb_sa_encrypt = ipsa->ipsa_encr_alg; 1498 assoc->sadb_sa_flags = ipsa->ipsa_flags; 1499 1500 lt = (sadb_lifetime_t *)(assoc + 1); 1501 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1502 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 1503 lt->sadb_lifetime_allocations = ipsa->ipsa_alloc; 1504 lt->sadb_lifetime_bytes = ipsa->ipsa_bytes; 1505 lt->sadb_lifetime_addtime = ipsa->ipsa_addtime; 1506 lt->sadb_lifetime_usetime = ipsa->ipsa_usetime; 1507 1508 if (hard) { 1509 lt++; 1510 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1511 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 1512 lt->sadb_lifetime_allocations = ipsa->ipsa_hardalloc; 1513 lt->sadb_lifetime_bytes = ipsa->ipsa_hardbyteslt; 1514 lt->sadb_lifetime_addtime = ipsa->ipsa_hardaddlt; 1515 lt->sadb_lifetime_usetime = ipsa->ipsa_harduselt; 1516 } 1517 1518 if (soft) { 1519 lt++; 1520 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1521 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 1522 lt->sadb_lifetime_allocations = ipsa->ipsa_softalloc; 1523 lt->sadb_lifetime_bytes = ipsa->ipsa_softbyteslt; 1524 lt->sadb_lifetime_addtime = ipsa->ipsa_softaddlt; 1525 lt->sadb_lifetime_usetime = ipsa->ipsa_softuselt; 1526 } 1527 1528 cur = (uint8_t *)(lt + 1); 1529 1530 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, fam, 1531 ipsa->ipsa_srcaddr, SA_SRCPORT(ipsa), SA_PROTO(ipsa)); 1532 if (cur == NULL) { 1533 freemsg(mp); 1534 mp = NULL; 1535 goto bail; 1536 } 1537 1538 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, fam, 1539 ipsa->ipsa_dstaddr, SA_DSTPORT(ipsa), SA_PROTO(ipsa)); 1540 if (cur == NULL) { 1541 freemsg(mp); 1542 mp = NULL; 1543 goto bail; 1544 } 1545 1546 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) { 1547 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_LOC, 1548 fam, ipsa->ipsa_natt_addr_loc, 0, 0); 1549 if (cur == NULL) { 1550 freemsg(mp); 1551 mp = NULL; 1552 goto bail; 1553 } 1554 } 1555 1556 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) { 1557 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_REM, 1558 fam, ipsa->ipsa_natt_addr_rem, ipsa->ipsa_remote_port, 1559 IPPROTO_UDP); 1560 if (cur == NULL) { 1561 freemsg(mp); 1562 mp = NULL; 1563 goto bail; 1564 } 1565 } 1566 1567 if (proxy) { 1568 /* 1569 * XXX PROXY When we expand the definition of proxy to include 1570 * both inner and outer IP addresses, this will have to 1571 * be expanded. 1572 */ 1573 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_PROXY, 1574 pfam, ipsa->ipsa_proxysrc, 0, 0); 1575 if (cur == NULL) { 1576 freemsg(mp); 1577 mp = NULL; 1578 goto bail; 1579 } 1580 } 1581 1582 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) { 1583 cur = sadb_make_kmc_ext(cur, end, 1584 ipsa->ipsa_kmp, ipsa->ipsa_kmc); 1585 if (cur == NULL) { 1586 freemsg(mp); 1587 mp = NULL; 1588 goto bail; 1589 } 1590 } 1591 1592 walker = (sadb_ext_t *)cur; 1593 if (auth) { 1594 key = (sadb_key_t *)walker; 1595 key->sadb_key_len = SADB_8TO64(authsize); 1596 key->sadb_key_exttype = SADB_EXT_KEY_AUTH; 1597 key->sadb_key_bits = ipsa->ipsa_authkeybits; 1598 key->sadb_key_reserved = 0; 1599 bcopy(ipsa->ipsa_authkey, key + 1, ipsa->ipsa_authkeylen); 1600 walker = (sadb_ext_t *)((uint64_t *)walker + 1601 walker->sadb_ext_len); 1602 } 1603 1604 if (encr) { 1605 key = (sadb_key_t *)walker; 1606 key->sadb_key_len = SADB_8TO64(encrsize); 1607 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 1608 key->sadb_key_bits = ipsa->ipsa_encrkeybits; 1609 key->sadb_key_reserved = 0; 1610 bcopy(ipsa->ipsa_encrkey, key + 1, ipsa->ipsa_encrkeylen); 1611 walker = (sadb_ext_t *)((uint64_t *)walker + 1612 walker->sadb_ext_len); 1613 } 1614 1615 if (srcid) { 1616 ident = (sadb_ident_t *)walker; 1617 ident->sadb_ident_len = SADB_8TO64(srcidsize); 1618 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 1619 ident->sadb_ident_type = ipsa->ipsa_src_cid->ipsid_type; 1620 ident->sadb_ident_id = 0; 1621 ident->sadb_ident_reserved = 0; 1622 (void) strcpy((char *)(ident + 1), 1623 ipsa->ipsa_src_cid->ipsid_cid); 1624 walker = (sadb_ext_t *)((uint64_t *)walker + 1625 walker->sadb_ext_len); 1626 } 1627 1628 if (dstid) { 1629 ident = (sadb_ident_t *)walker; 1630 ident->sadb_ident_len = SADB_8TO64(dstidsize); 1631 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 1632 ident->sadb_ident_type = ipsa->ipsa_dst_cid->ipsid_type; 1633 ident->sadb_ident_id = 0; 1634 ident->sadb_ident_reserved = 0; 1635 (void) strcpy((char *)(ident + 1), 1636 ipsa->ipsa_dst_cid->ipsid_cid); 1637 walker = (sadb_ext_t *)((uint64_t *)walker + 1638 walker->sadb_ext_len); 1639 } 1640 1641 #if 0 /* XXX PROXY not yet */ 1642 if (proxyid) { 1643 ident = (sadb_ident_t *)walker; 1644 ident->sadb_ident_len = SADB_8TO64(proxyidsize); 1645 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_PROXY; 1646 ident->sadb_ident_type = ipsa->ipsa_pcid_type; 1647 ident->sadb_ident_id = 0; 1648 ident->sadb_ident_reserved = 0; 1649 (void) strcpy((char *)(ident + 1), ipsa->ipsa_proxy_cid); 1650 walker = (sadb_ext_t *)((uint64_t *)walker + 1651 walker->sadb_ext_len); 1652 } 1653 #endif /* XXX PROXY */ 1654 1655 if (sensinteg) { 1656 sens = (sadb_sens_t *)walker; 1657 sens->sadb_sens_len = SADB_8TO64(sizeof (sadb_sens_t *) + 1658 ipsa->ipsa_senslen + ipsa->ipsa_integlen); 1659 sens->sadb_sens_dpd = ipsa->ipsa_dpd; 1660 sens->sadb_sens_sens_level = ipsa->ipsa_senslevel; 1661 sens->sadb_sens_integ_level = ipsa->ipsa_integlevel; 1662 sens->sadb_sens_sens_len = SADB_8TO64(ipsa->ipsa_senslen); 1663 sens->sadb_sens_integ_len = SADB_8TO64(ipsa->ipsa_integlen); 1664 sens->sadb_sens_reserved = 0; 1665 bitmap = (uint64_t *)(sens + 1); 1666 if (ipsa->ipsa_sens != NULL) { 1667 bcopy(ipsa->ipsa_sens, bitmap, ipsa->ipsa_senslen); 1668 bitmap += sens->sadb_sens_sens_len; 1669 } 1670 if (ipsa->ipsa_integ != NULL) 1671 bcopy(ipsa->ipsa_integ, bitmap, ipsa->ipsa_integlen); 1672 walker = (sadb_ext_t *)((uint64_t *)walker + 1673 walker->sadb_ext_len); 1674 } 1675 1676 bail: 1677 /* Pardon any delays... */ 1678 mutex_exit(&ipsa->ipsa_lock); 1679 1680 return (mp); 1681 } 1682 1683 /* 1684 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN) 1685 * and adjust base message accordingly. 1686 * 1687 * Assume message is pulled up in one piece of contiguous memory. 1688 * 1689 * Say if we start off with: 1690 * 1691 * +------+----+-------------+-----------+---------------+---------------+ 1692 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime | 1693 * +------+----+-------------+-----------+---------------+---------------+ 1694 * 1695 * we will end up with 1696 * 1697 * +------+----+-------------+-----------+---------------+ 1698 * | base | SA | source addr | dest addr | soft lifetime | 1699 * +------+----+-------------+-----------+---------------+ 1700 */ 1701 static void 1702 sadb_strip(sadb_msg_t *samsg) 1703 { 1704 sadb_ext_t *ext; 1705 uint8_t *target = NULL; 1706 uint8_t *msgend; 1707 int sofar = SADB_8TO64(sizeof (*samsg)); 1708 int copylen; 1709 1710 ext = (sadb_ext_t *)(samsg + 1); 1711 msgend = (uint8_t *)samsg; 1712 msgend += SADB_64TO8(samsg->sadb_msg_len); 1713 while ((uint8_t *)ext < msgend) { 1714 if (ext->sadb_ext_type == SADB_EXT_RESERVED || 1715 ext->sadb_ext_type == SADB_EXT_KEY_AUTH || 1716 ext->sadb_ext_type == SADB_EXT_KEY_ENCRYPT) { 1717 /* 1718 * Aha! I found a header to be erased. 1719 */ 1720 1721 if (target != NULL) { 1722 /* 1723 * If I had a previous header to be erased, 1724 * copy over it. I can get away with just 1725 * copying backwards because the target will 1726 * always be 8 bytes behind the source. 1727 */ 1728 copylen = ((uint8_t *)ext) - (target + 1729 SADB_64TO8( 1730 ((sadb_ext_t *)target)->sadb_ext_len)); 1731 ovbcopy(((uint8_t *)ext - copylen), target, 1732 copylen); 1733 target += copylen; 1734 ((sadb_ext_t *)target)->sadb_ext_len = 1735 SADB_8TO64(((uint8_t *)ext) - target + 1736 SADB_64TO8(ext->sadb_ext_len)); 1737 } else { 1738 target = (uint8_t *)ext; 1739 } 1740 } else { 1741 sofar += ext->sadb_ext_len; 1742 } 1743 1744 ext = (sadb_ext_t *)(((uint64_t *)ext) + ext->sadb_ext_len); 1745 } 1746 1747 ASSERT((uint8_t *)ext == msgend); 1748 1749 if (target != NULL) { 1750 copylen = ((uint8_t *)ext) - (target + 1751 SADB_64TO8(((sadb_ext_t *)target)->sadb_ext_len)); 1752 if (copylen != 0) 1753 ovbcopy(((uint8_t *)ext - copylen), target, copylen); 1754 } 1755 1756 /* Adjust samsg. */ 1757 samsg->sadb_msg_len = (uint16_t)sofar; 1758 1759 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */ 1760 } 1761 1762 /* 1763 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL 1764 * followed by an M_DATA with a PF_KEY message in it. The serial of 1765 * the sending keysock instance is included. 1766 */ 1767 void 1768 sadb_pfkey_error(queue_t *pfkey_q, mblk_t *mp, int error, int diagnostic, 1769 uint_t serial) 1770 { 1771 mblk_t *msg = mp->b_cont; 1772 sadb_msg_t *samsg; 1773 keysock_out_t *kso; 1774 1775 /* 1776 * Enough functions call this to merit a NULL queue check. 1777 */ 1778 if (pfkey_q == NULL) { 1779 freemsg(mp); 1780 return; 1781 } 1782 1783 ASSERT(msg != NULL); 1784 ASSERT((mp->b_wptr - mp->b_rptr) == sizeof (ipsec_info_t)); 1785 ASSERT((msg->b_wptr - msg->b_rptr) >= sizeof (sadb_msg_t)); 1786 samsg = (sadb_msg_t *)msg->b_rptr; 1787 kso = (keysock_out_t *)mp->b_rptr; 1788 1789 kso->ks_out_type = KEYSOCK_OUT; 1790 kso->ks_out_len = sizeof (*kso); 1791 kso->ks_out_serial = serial; 1792 1793 /* 1794 * Only send the base message up in the event of an error. 1795 * Don't worry about bzero()-ing, because it was probably bogus 1796 * anyway. 1797 */ 1798 msg->b_wptr = msg->b_rptr + sizeof (*samsg); 1799 samsg = (sadb_msg_t *)msg->b_rptr; 1800 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 1801 samsg->sadb_msg_errno = (uint8_t)error; 1802 if (diagnostic != SADB_X_DIAGNOSTIC_PRESET) 1803 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 1804 1805 putnext(pfkey_q, mp); 1806 } 1807 1808 /* 1809 * Send a successful return packet back to keysock via the queue in pfkey_q. 1810 * 1811 * Often, an SA is associated with the reply message, it's passed in if needed, 1812 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held, 1813 * and the caller will release said refcnt. 1814 */ 1815 void 1816 sadb_pfkey_echo(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 1817 keysock_in_t *ksi, ipsa_t *ipsa) 1818 { 1819 keysock_out_t *kso; 1820 mblk_t *mp1; 1821 sadb_msg_t *newsamsg; 1822 uint8_t *oldend; 1823 1824 ASSERT((mp->b_cont != NULL) && 1825 ((void *)samsg == (void *)mp->b_cont->b_rptr) && 1826 ((void *)mp->b_rptr == (void *)ksi)); 1827 1828 switch (samsg->sadb_msg_type) { 1829 case SADB_ADD: 1830 case SADB_UPDATE: 1831 case SADB_FLUSH: 1832 case SADB_DUMP: 1833 /* 1834 * I have all of the message already. I just need to strip 1835 * out the keying material and echo the message back. 1836 * 1837 * NOTE: for SADB_DUMP, the function sadb_dump() did the 1838 * work. When DUMP reaches here, it should only be a base 1839 * message. 1840 */ 1841 justecho: 1842 ASSERT(samsg->sadb_msg_type != SADB_DUMP || 1843 samsg->sadb_msg_len == SADB_8TO64(sizeof (sadb_msg_t))); 1844 1845 if (ksi->ks_in_extv[SADB_EXT_KEY_AUTH] != NULL || 1846 ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT] != NULL) { 1847 sadb_strip(samsg); 1848 /* Assume PF_KEY message is contiguous. */ 1849 ASSERT(mp->b_cont->b_cont == NULL); 1850 oldend = mp->b_cont->b_wptr; 1851 mp->b_cont->b_wptr = mp->b_cont->b_rptr + 1852 SADB_64TO8(samsg->sadb_msg_len); 1853 bzero(mp->b_cont->b_wptr, oldend - mp->b_cont->b_wptr); 1854 } 1855 break; 1856 case SADB_GET: 1857 /* 1858 * Do a lot of work here, because of the ipsa I just found. 1859 * First abandon the PF_KEY message, then construct 1860 * the new one. 1861 */ 1862 mp1 = sadb_sa2msg(ipsa, samsg); 1863 if (mp1 == NULL) { 1864 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 1865 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 1866 return; 1867 } 1868 freemsg(mp->b_cont); 1869 mp->b_cont = mp1; 1870 break; 1871 case SADB_DELETE: 1872 if (ipsa == NULL) 1873 goto justecho; 1874 /* 1875 * Because listening KMds may require more info, treat 1876 * DELETE like a special case of GET. 1877 */ 1878 mp1 = sadb_sa2msg(ipsa, samsg); 1879 if (mp1 == NULL) { 1880 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 1881 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 1882 return; 1883 } 1884 newsamsg = (sadb_msg_t *)mp1->b_rptr; 1885 sadb_strip(newsamsg); 1886 oldend = mp1->b_wptr; 1887 mp1->b_wptr = mp1->b_rptr + SADB_64TO8(newsamsg->sadb_msg_len); 1888 bzero(mp1->b_wptr, oldend - mp1->b_wptr); 1889 freemsg(mp->b_cont); 1890 mp->b_cont = mp1; 1891 break; 1892 default: 1893 if (mp != NULL) 1894 freemsg(mp); 1895 return; 1896 } 1897 1898 /* ksi is now null and void. */ 1899 kso = (keysock_out_t *)ksi; 1900 kso->ks_out_type = KEYSOCK_OUT; 1901 kso->ks_out_len = sizeof (*kso); 1902 kso->ks_out_serial = ksi->ks_in_serial; 1903 /* We're ready to send... */ 1904 putnext(pfkey_q, mp); 1905 } 1906 1907 /* 1908 * Set up a global pfkey_q instance for AH, ESP, or some other consumer. 1909 */ 1910 void 1911 sadb_keysock_hello(queue_t **pfkey_qp, queue_t *q, mblk_t *mp, 1912 void (*ager)(void *), timeout_id_t *top, int satype) 1913 { 1914 keysock_hello_ack_t *kha; 1915 queue_t *oldq; 1916 1917 ASSERT(OTHERQ(q) != NULL); 1918 1919 /* 1920 * First, check atomically that I'm the first and only keysock 1921 * instance. 1922 * 1923 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp), 1924 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY 1925 * messages. 1926 */ 1927 1928 oldq = casptr((void **)pfkey_qp, NULL, OTHERQ(q)); 1929 if (oldq != NULL) { 1930 ASSERT(oldq != q); 1931 cmn_err(CE_WARN, "Danger! Multiple keysocks on top of %s.\n", 1932 (satype == SADB_SATYPE_ESP)? "ESP" : "AH or other"); 1933 freemsg(mp); 1934 return; 1935 } 1936 1937 kha = (keysock_hello_ack_t *)mp->b_rptr; 1938 kha->ks_hello_len = sizeof (keysock_hello_ack_t); 1939 kha->ks_hello_type = KEYSOCK_HELLO_ACK; 1940 kha->ks_hello_satype = (uint8_t)satype; 1941 1942 /* 1943 * If we made it past the casptr, then we have "exclusive" access 1944 * to the timeout handle. Fire it off in 4 seconds, because it 1945 * just seems like a good interval. 1946 */ 1947 *top = qtimeout(*pfkey_qp, ager, NULL, drv_usectohz(4000000)); 1948 1949 putnext(*pfkey_qp, mp); 1950 } 1951 1952 /* 1953 * Send IRE_DB_REQ down to IP to get properties of address. 1954 * If I can determine the address, return the proper type. If an error 1955 * occurs, or if I have to send down an IRE_DB_REQ, return UNKNOWN, and 1956 * the caller will just let go of mp w/o freeing it. 1957 * 1958 * To handle the compatible IPv6 addresses (i.e. ::FFFF:<v4-address>), 1959 * this function will also convert such AF_INET6 addresses into AF_INET 1960 * addresses. 1961 * 1962 * Whomever called the function will handle the return message that IP sends 1963 * in response to the message this function generates. 1964 */ 1965 int 1966 sadb_addrcheck(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_ext_t *ext, 1967 uint_t serial) 1968 { 1969 sadb_address_t *addr = (sadb_address_t *)ext; 1970 struct sockaddr_in *sin; 1971 struct sockaddr_in6 *sin6; 1972 mblk_t *ire_db_req_mp; 1973 ire_t *ire; 1974 int diagnostic; 1975 1976 ASSERT(ext != NULL); 1977 ASSERT((ext->sadb_ext_type == SADB_EXT_ADDRESS_SRC) || 1978 (ext->sadb_ext_type == SADB_EXT_ADDRESS_DST) || 1979 (ext->sadb_ext_type == SADB_EXT_ADDRESS_PROXY)); 1980 1981 ire_db_req_mp = allocb(sizeof (ire_t), BPRI_HI); 1982 if (ire_db_req_mp == NULL) { 1983 /* cmn_err(CE_WARN, "sadb_addrcheck: allocb() failed.\n"); */ 1984 sadb_pfkey_error(pfkey_q, mp, ENOMEM, SADB_X_DIAGNOSTIC_NONE, 1985 serial); 1986 return (KS_IN_ADDR_UNKNOWN); 1987 } 1988 1989 ire_db_req_mp->b_datap->db_type = IRE_DB_REQ_TYPE; 1990 ire_db_req_mp->b_wptr += sizeof (ire_t); 1991 ire = (ire_t *)ire_db_req_mp->b_rptr; 1992 1993 /* Assign both sockaddrs, the compiler will do the right thing. */ 1994 sin = (struct sockaddr_in *)(addr + 1); 1995 sin6 = (struct sockaddr_in6 *)(addr + 1); 1996 1997 switch (sin->sin_family) { 1998 case AF_INET6: 1999 /* Because of the longer IPv6 addrs, do check first. */ 2000 if (!IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { 2001 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) { 2002 freemsg(ire_db_req_mp); 2003 return (KS_IN_ADDR_MBCAST); 2004 } 2005 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) { 2006 freemsg(ire_db_req_mp); 2007 return (KS_IN_ADDR_UNSPEC); 2008 } 2009 ire->ire_ipversion = IPV6_VERSION; 2010 ire->ire_addr_v6 = sin6->sin6_addr; 2011 break; /* Out of switch. */ 2012 } 2013 /* 2014 * Convert to an AF_INET sockaddr. This means 2015 * the return messages will have the extra space, but 2016 * have AF_INET sockaddrs instead of AF_INET6. 2017 * 2018 * Yes, RFC 2367 isn't clear on what to do here w.r.t. 2019 * mapped addresses, but since AF_INET6 ::ffff:<v4> is 2020 * equal to AF_INET <v4>, it shouldnt be a huge 2021 * problem. 2022 */ 2023 ASSERT(&sin->sin_port == &sin6->sin6_port); 2024 sin->sin_family = AF_INET; 2025 IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, &sin->sin_addr); 2026 bzero(&sin->sin_zero, sizeof (sin->sin_zero)); 2027 /* FALLTHRU */ 2028 case AF_INET: 2029 ire->ire_ipversion = IPV4_VERSION; 2030 ire->ire_addr = sin->sin_addr.s_addr; 2031 if (ire->ire_addr == INADDR_ANY) { 2032 freemsg(ire_db_req_mp); 2033 return (KS_IN_ADDR_UNSPEC); 2034 } 2035 if (CLASSD(ire->ire_addr)) { 2036 freemsg(ire_db_req_mp); 2037 return (KS_IN_ADDR_MBCAST); 2038 } 2039 break; 2040 default: 2041 freemsg(ire_db_req_mp); 2042 2043 switch (ext->sadb_ext_type) { 2044 case SADB_EXT_ADDRESS_SRC: 2045 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC_AF; 2046 break; 2047 case SADB_EXT_ADDRESS_DST: 2048 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 2049 break; 2050 case SADB_EXT_ADDRESS_PROXY: 2051 diagnostic = SADB_X_DIAGNOSTIC_BAD_PROXY_AF; 2052 break; 2053 /* There is no default, see above ASSERT. */ 2054 } 2055 2056 sadb_pfkey_error(pfkey_q, mp, EINVAL, diagnostic, serial); 2057 return (KS_IN_ADDR_UNKNOWN); 2058 } 2059 ire_db_req_mp->b_cont = mp; 2060 2061 ASSERT(ip_q != NULL); 2062 putnext(ip_q, ire_db_req_mp); 2063 return (KS_IN_ADDR_UNKNOWN); 2064 } 2065 2066 /* 2067 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert 2068 * the source to AF_INET. 2069 */ 2070 void 2071 sadb_srcaddrfix(keysock_in_t *ksi) 2072 { 2073 struct sockaddr_in *src; 2074 struct sockaddr_in6 *dst; 2075 sadb_address_t *srcext, *dstext; 2076 uint16_t sport; 2077 2078 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC || 2079 ksi->ks_in_dsttype == KS_IN_ADDR_NOTTHERE) 2080 return; 2081 2082 dstext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2083 dst = (struct sockaddr_in6 *)(dstext + 1); 2084 srcext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2085 src = (struct sockaddr_in *)(srcext + 1); 2086 2087 /* 2088 * If unspecified IPv4 source, but an IPv6 dest, don't bother 2089 * fixing, as it should be an error. 2090 */ 2091 if (dst->sin6_family == src->sin_family || 2092 src->sin_family == AF_INET) 2093 return; 2094 2095 /* 2096 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being 2097 * in the same place for sockaddr_in and sockaddr_in6. 2098 */ 2099 sport = src->sin_port; 2100 bzero(src, sizeof (*src)); 2101 src->sin_family = AF_INET; 2102 src->sin_port = sport; 2103 } 2104 2105 /* 2106 * Set the results in "addrtype", given an IRE as requested by 2107 * sadb_addrcheck(). 2108 */ 2109 int 2110 sadb_addrset(ire_t *ire) 2111 { 2112 if ((ire->ire_type & IRE_BROADCAST) || 2113 (ire->ire_ipversion == IPV4_VERSION && CLASSD(ire->ire_addr)) || 2114 (ire->ire_ipversion == IPV6_VERSION && 2115 IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6)))) 2116 return (KS_IN_ADDR_MBCAST); 2117 if (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) 2118 return (KS_IN_ADDR_ME); 2119 return (KS_IN_ADDR_NOTME); 2120 } 2121 2122 2123 /* 2124 * Walker callback function to delete sa's based on src/dst address. 2125 * Assumes that we're called with *head locked, no other locks held; 2126 * Conveniently, and not coincidentally, this is both what sadb_walker 2127 * gives us and also what sadb_unlinkassoc expects. 2128 */ 2129 2130 struct sadb_purge_state 2131 { 2132 uint32_t *src; 2133 uint32_t *dst; 2134 sa_family_t af; 2135 boolean_t inbnd; 2136 char *sidstr; 2137 char *didstr; 2138 uint16_t sidtype; 2139 uint16_t didtype; 2140 uint32_t kmproto; 2141 mblk_t *mq; 2142 }; 2143 2144 static void 2145 sadb_purge_cb(isaf_t *head, ipsa_t *entry, void *cookie) 2146 { 2147 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2148 2149 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2150 2151 mutex_enter(&entry->ipsa_lock); 2152 2153 if ((entry->ipsa_state == IPSA_STATE_LARVAL) || 2154 (ps->src != NULL && 2155 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, ps->src, ps->af)) || 2156 (ps->dst != NULL && 2157 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_dstaddr, ps->dst, ps->af)) || 2158 (ps->didstr != NULL && 2159 (entry->ipsa_dst_cid != NULL) && 2160 !(ps->didtype == entry->ipsa_dst_cid->ipsid_type && 2161 strcmp(ps->didstr, entry->ipsa_dst_cid->ipsid_cid) == 0)) || 2162 (ps->sidstr != NULL && 2163 (entry->ipsa_src_cid != NULL) && 2164 !(ps->sidtype == entry->ipsa_src_cid->ipsid_type && 2165 strcmp(ps->sidstr, entry->ipsa_src_cid->ipsid_cid) == 0)) || 2166 (ps->kmproto <= SADB_X_KMP_MAX && ps->kmproto != entry->ipsa_kmp)) { 2167 mutex_exit(&entry->ipsa_lock); 2168 return; 2169 } 2170 2171 entry->ipsa_state = IPSA_STATE_DEAD; 2172 (void) sadb_torch_assoc(head, entry, ps->inbnd, &ps->mq); 2173 } 2174 2175 /* 2176 * Common code to purge an SA with a matching src or dst address. 2177 * Don't kill larval SA's in such a purge. 2178 */ 2179 int 2180 sadb_purge_sa(mblk_t *mp, keysock_in_t *ksi, sadb_t *sp, 2181 int *diagnostic, queue_t *pfkey_q, queue_t *ip_q) 2182 { 2183 sadb_address_t *dstext = 2184 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2185 sadb_address_t *srcext = 2186 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2187 sadb_ident_t *dstid = 2188 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 2189 sadb_ident_t *srcid = 2190 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 2191 sadb_x_kmc_t *kmc = 2192 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 2193 struct sockaddr_in *src, *dst; 2194 struct sockaddr_in6 *src6, *dst6; 2195 struct sadb_purge_state ps; 2196 2197 /* 2198 * Don't worry about IPv6 v4-mapped addresses, sadb_addrcheck() 2199 * takes care of them. 2200 */ 2201 2202 /* enforced by caller */ 2203 ASSERT((dstext != NULL) || (srcext != NULL)); 2204 2205 ps.src = NULL; 2206 ps.dst = NULL; 2207 #ifdef DEBUG 2208 ps.af = (sa_family_t)-1; 2209 #endif 2210 ps.mq = NULL; 2211 ps.sidstr = NULL; 2212 ps.didstr = NULL; 2213 ps.kmproto = SADB_X_KMP_MAX + 1; 2214 2215 if (dstext != NULL) { 2216 dst = (struct sockaddr_in *)(dstext + 1); 2217 ps.af = dst->sin_family; 2218 if (dst->sin_family == AF_INET6) { 2219 dst6 = (struct sockaddr_in6 *)dst; 2220 ps.dst = (uint32_t *)&dst6->sin6_addr; 2221 } else { 2222 ps.dst = (uint32_t *)&dst->sin_addr; 2223 } 2224 } 2225 2226 if (srcext != NULL) { 2227 src = (struct sockaddr_in *)(srcext + 1); 2228 ps.af = src->sin_family; 2229 if (src->sin_family == AF_INET6) { 2230 src6 = (struct sockaddr_in6 *)(srcext + 1); 2231 ps.src = (uint32_t *)&src6->sin6_addr; 2232 } else { 2233 ps.src = (uint32_t *)&src->sin_addr; 2234 } 2235 2236 if (dstext != NULL) { 2237 if (src->sin_family != dst->sin_family) { 2238 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2239 return (EINVAL); 2240 } 2241 } 2242 } 2243 ASSERT(ps.af != (sa_family_t)-1); 2244 2245 if (dstid != NULL) { 2246 /* 2247 * NOTE: May need to copy string in the future 2248 * if the inbound keysock message disappears for some strange 2249 * reason. 2250 */ 2251 ps.didstr = (char *)(dstid + 1); 2252 ps.didtype = dstid->sadb_ident_type; 2253 } 2254 2255 if (srcid != NULL) { 2256 /* 2257 * NOTE: May need to copy string in the future 2258 * if the inbound keysock message disappears for some strange 2259 * reason. 2260 */ 2261 ps.sidstr = (char *)(srcid + 1); 2262 ps.sidtype = srcid->sadb_ident_type; 2263 } 2264 2265 if (kmc != NULL) 2266 ps.kmproto = kmc->sadb_x_kmc_proto; 2267 2268 /* 2269 * This is simple, crude, and effective. 2270 * Unimplemented optimizations (TBD): 2271 * - we can limit how many places we search based on where we 2272 * think the SA is filed. 2273 * - if we get a dst address, we can hash based on dst addr to find 2274 * the correct bucket in the outbound table. 2275 */ 2276 ps.inbnd = B_TRUE; 2277 sadb_walker(sp->sdb_if, sp->sdb_hashsize, sadb_purge_cb, &ps); 2278 ps.inbnd = B_FALSE; 2279 sadb_walker(sp->sdb_of, sp->sdb_hashsize, sadb_purge_cb, &ps); 2280 2281 if (ps.mq != NULL) 2282 sadb_drain_torchq(ip_q, ps.mq); 2283 2284 ASSERT(mp->b_cont != NULL); 2285 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi, 2286 NULL); 2287 return (0); 2288 } 2289 2290 /* 2291 * Common code to delete/get an SA. 2292 */ 2293 int 2294 sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp, 2295 int *diagnostic, queue_t *pfkey_q, boolean_t delete) 2296 { 2297 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2298 sadb_address_t *srcext = 2299 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2300 sadb_address_t *dstext = 2301 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2302 struct sockaddr_in *src, *dst; 2303 struct sockaddr_in6 *src6, *dst6; 2304 sadb_t *sp; 2305 ipsa_t *outbound_target, *inbound_target; 2306 isaf_t *inbound, *outbound; 2307 uint32_t *srcaddr, *dstaddr; 2308 mblk_t *torchq = NULL; 2309 sa_family_t af; 2310 2311 if (dstext == NULL) { 2312 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 2313 return (EINVAL); 2314 } 2315 if (assoc == NULL) { 2316 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 2317 return (EINVAL); 2318 } 2319 2320 /* 2321 * Don't worry about IPv6 v4-mapped addresses, sadb_addrcheck() 2322 * takes care of them. 2323 */ 2324 2325 dst = (struct sockaddr_in *)(dstext + 1); 2326 af = dst->sin_family; 2327 if (af == AF_INET6) { 2328 sp = &spp->s_v6; 2329 dst6 = (struct sockaddr_in6 *)dst; 2330 dstaddr = (uint32_t *)&dst6->sin6_addr; 2331 if (srcext != NULL) { 2332 src6 = (struct sockaddr_in6 *)(srcext + 1); 2333 srcaddr = (uint32_t *)&src6->sin6_addr; 2334 if (src6->sin6_family != AF_INET6) { 2335 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2336 return (EINVAL); 2337 } 2338 } else { 2339 srcaddr = ALL_ZEROES_PTR; 2340 } 2341 2342 outbound = OUTBOUND_BUCKET_V6(sp, *(uint32_t *)dstaddr); 2343 } else { 2344 sp = &spp->s_v4; 2345 dstaddr = (uint32_t *)&dst->sin_addr; 2346 if (srcext != NULL) { 2347 src = (struct sockaddr_in *)(srcext + 1); 2348 srcaddr = (uint32_t *)&src->sin_addr; 2349 if (src->sin_family != AF_INET) { 2350 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2351 return (EINVAL); 2352 } 2353 } else { 2354 srcaddr = ALL_ZEROES_PTR; 2355 } 2356 outbound = OUTBOUND_BUCKET_V4(sp, *(uint32_t *)dstaddr); 2357 } 2358 2359 inbound = INBOUND_BUCKET(sp, assoc->sadb_sa_spi); 2360 2361 /* Lock down both buckets. */ 2362 mutex_enter(&outbound->isaf_lock); 2363 mutex_enter(&inbound->isaf_lock); 2364 2365 /* Try outbound first. */ 2366 outbound_target = ipsec_getassocbyspi(outbound, assoc->sadb_sa_spi, 2367 srcaddr, dstaddr, af); 2368 2369 if (outbound_target == NULL || outbound_target->ipsa_haspeer) { 2370 inbound_target = ipsec_getassocbyspi(inbound, 2371 assoc->sadb_sa_spi, srcaddr, dstaddr, af); 2372 } else { 2373 inbound_target = NULL; 2374 } 2375 2376 if (outbound_target == NULL && inbound_target == NULL) { 2377 mutex_exit(&inbound->isaf_lock); 2378 mutex_exit(&outbound->isaf_lock); 2379 return (ESRCH); 2380 } 2381 2382 if (delete) { 2383 /* At this point, I have one or two SAs to be deleted. */ 2384 if (outbound_target != NULL) { 2385 mutex_enter(&outbound_target->ipsa_lock); 2386 outbound_target->ipsa_state = IPSA_STATE_DEAD; 2387 (void) sadb_torch_assoc(outbound, outbound_target, 2388 B_FALSE, &torchq); 2389 } 2390 2391 if (inbound_target != NULL) { 2392 mutex_enter(&inbound_target->ipsa_lock); 2393 inbound_target->ipsa_state = IPSA_STATE_DEAD; 2394 (void) sadb_torch_assoc(inbound, inbound_target, 2395 B_TRUE, &torchq); 2396 } 2397 } 2398 2399 mutex_exit(&inbound->isaf_lock); 2400 mutex_exit(&outbound->isaf_lock); 2401 2402 if (torchq != NULL) 2403 sadb_drain_torchq(spp->s_ip_q, torchq); 2404 2405 /* 2406 * Because of the multi-line macro nature of IPSA_REFRELE, keep 2407 * them in { }. 2408 */ 2409 ASSERT(mp->b_cont != NULL); 2410 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi, 2411 (outbound_target != NULL ? outbound_target : inbound_target)); 2412 2413 if (outbound_target != NULL) { 2414 IPSA_REFRELE(outbound_target); 2415 } 2416 if (inbound_target != NULL) { 2417 IPSA_REFRELE(inbound_target); 2418 } 2419 2420 return (0); 2421 } 2422 2423 /* 2424 * Initialize the mechanism parameters associated with an SA. 2425 * These parameters can be shared by multiple packets, which saves 2426 * us from the overhead of consulting the algorithm table for 2427 * each packet. 2428 */ 2429 static void 2430 sadb_init_alginfo(ipsa_t *sa) 2431 { 2432 ipsec_alginfo_t *alg; 2433 2434 mutex_enter(&alg_lock); 2435 2436 if (sa->ipsa_encrkey != NULL) { 2437 alg = ipsec_alglists[IPSEC_ALG_ENCR][sa->ipsa_encr_alg]; 2438 if (alg != NULL && ALG_VALID(alg)) { 2439 sa->ipsa_emech.cm_type = alg->alg_mech_type; 2440 sa->ipsa_emech.cm_param = NULL; 2441 sa->ipsa_emech.cm_param_len = 0; 2442 sa->ipsa_iv_len = alg->alg_datalen; 2443 } else 2444 sa->ipsa_emech.cm_type = CRYPTO_MECHANISM_INVALID; 2445 } 2446 2447 if (sa->ipsa_authkey != NULL) { 2448 alg = ipsec_alglists[IPSEC_ALG_AUTH][sa->ipsa_auth_alg]; 2449 if (alg != NULL && ALG_VALID(alg)) { 2450 sa->ipsa_amech.cm_type = alg->alg_mech_type; 2451 sa->ipsa_amech.cm_param = (char *)&sa->ipsa_mac_len; 2452 sa->ipsa_amech.cm_param_len = sizeof (size_t); 2453 sa->ipsa_mac_len = (size_t)alg->alg_datalen; 2454 } else 2455 sa->ipsa_amech.cm_type = CRYPTO_MECHANISM_INVALID; 2456 } 2457 2458 mutex_exit(&alg_lock); 2459 } 2460 2461 2462 /* 2463 * This function is called from consumers that need to insert a fully-grown 2464 * security association into its tables. This function takes into account that 2465 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary" 2466 * hash bucket parameters are set in order of what the SA will be most of the 2467 * time. (For example, an SA with an unspecified source, and a multicast 2468 * destination will primarily be an outbound SA. OTOH, if that destination 2469 * is unicast for this node, then the SA will primarily be inbound.) 2470 * 2471 * It takes a lot of parameters because even if clone is B_FALSE, this needs 2472 * to check both buckets for purposes of collision. 2473 * 2474 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for 2475 * various error conditions. No need to set samsg->sadb_x_msg_diagnostic with 2476 * additional diagnostic information because ENOMEM and EEXIST are self- 2477 * explanitory. 2478 */ 2479 int 2480 sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 2481 keysock_in_t *ksi, isaf_t *primary, isaf_t *secondary, 2482 ipsa_t *newbie, boolean_t clone, boolean_t is_inbound) 2483 { 2484 ipsa_t *newbie_clone = NULL, *scratch; 2485 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2486 sadb_address_t *srcext = 2487 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2488 sadb_address_t *dstext = 2489 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2490 sadb_address_t *proxyext = 2491 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_PROXY]; 2492 sadb_address_t *natt_loc_ext = 2493 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC]; 2494 sadb_address_t *natt_rem_ext = 2495 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM]; 2496 sadb_x_kmc_t *kmcext = 2497 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 2498 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 2499 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 2500 #if 0 2501 /* 2502 * XXXMLS - When Trusted Solaris or Multi-Level Secure functionality 2503 * comes to ON, examine these if 0'ed fragments. Look for XXXMLS. 2504 */ 2505 sadb_sens_t *sens = (sadb_sens_t *); 2506 #endif 2507 struct sockaddr_in *src, *dst, *proxy, *natt_loc, *natt_rem; 2508 struct sockaddr_in6 *src6, *dst6, *proxy6, *natt_loc6, *natt_rem6; 2509 sadb_lifetime_t *soft = 2510 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 2511 sadb_lifetime_t *hard = 2512 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 2513 sa_family_t af; 2514 int error = 0; 2515 boolean_t isupdate = (newbie != NULL); 2516 uint32_t *src_addr_ptr, *dst_addr_ptr, *proxy_addr_ptr; 2517 uint32_t *natt_loc_ptr = NULL, *natt_rem_ptr = NULL; 2518 uint32_t running_sum = 0; 2519 mblk_t *ctl_mp = NULL; 2520 2521 src = (struct sockaddr_in *)(srcext + 1); 2522 src6 = (struct sockaddr_in6 *)(srcext + 1); 2523 dst = (struct sockaddr_in *)(dstext + 1); 2524 dst6 = (struct sockaddr_in6 *)(dstext + 1); 2525 if (proxyext != NULL) { 2526 proxy = (struct sockaddr_in *)(proxyext + 1); 2527 proxy6 = (struct sockaddr_in6 *)(proxyext + 1); 2528 } else { 2529 proxy = NULL; 2530 proxy6 = NULL; 2531 } 2532 2533 af = src->sin_family; 2534 2535 if (af == AF_INET) { 2536 src_addr_ptr = (uint32_t *)&src->sin_addr; 2537 dst_addr_ptr = (uint32_t *)&dst->sin_addr; 2538 } else { 2539 ASSERT(af == AF_INET6); 2540 src_addr_ptr = (uint32_t *)&src6->sin6_addr; 2541 dst_addr_ptr = (uint32_t *)&dst6->sin6_addr; 2542 } 2543 2544 if (!isupdate) { 2545 newbie = sadb_makelarvalassoc(assoc->sadb_sa_spi, 2546 src_addr_ptr, dst_addr_ptr, af); 2547 if (newbie == NULL) 2548 return (ENOMEM); 2549 } 2550 2551 mutex_enter(&newbie->ipsa_lock); 2552 2553 if (proxy != NULL) { 2554 if (proxy->sin_family == AF_INET) { 2555 proxy_addr_ptr = (uint32_t *)&proxy->sin_addr; 2556 } else { 2557 ASSERT(proxy->sin_family == AF_INET6); 2558 proxy_addr_ptr = (uint32_t *)&proxy6->sin6_addr; 2559 } 2560 newbie->ipsa_proxyfam = proxy->sin_family; 2561 2562 IPSA_COPY_ADDR(newbie->ipsa_proxysrc, proxy_addr_ptr, 2563 newbie->ipsa_proxyfam); 2564 } 2565 2566 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16) 2567 2568 2569 if (natt_rem_ext != NULL) { 2570 uint32_t l_src; 2571 uint32_t l_rem; 2572 2573 natt_rem = (struct sockaddr_in *)(natt_rem_ext + 1); 2574 natt_rem6 = (struct sockaddr_in6 *)(natt_rem_ext + 1); 2575 2576 if (natt_rem->sin_family == AF_INET) { 2577 natt_rem_ptr = (uint32_t *)(&natt_rem->sin_addr); 2578 newbie->ipsa_remote_port = natt_rem->sin_port; 2579 l_src = *src_addr_ptr; 2580 l_rem = *natt_rem_ptr; 2581 } else { 2582 if (!IN6_IS_ADDR_V4MAPPED(&natt_rem6->sin6_addr)) { 2583 goto error; 2584 } 2585 ASSERT(natt_rem->sin_family == AF_INET6); 2586 2587 natt_rem_ptr = ((uint32_t *) 2588 (&natt_rem6->sin6_addr)) + 3; 2589 newbie->ipsa_remote_port = natt_rem6->sin6_port; 2590 l_src = *src_addr_ptr; 2591 l_rem = *natt_rem_ptr; 2592 } 2593 IPSA_COPY_ADDR(newbie->ipsa_natt_addr_rem, natt_rem_ptr, af); 2594 2595 l_src = ntohl(l_src); 2596 DOWN_SUM(l_src); 2597 DOWN_SUM(l_src); 2598 l_rem = ntohl(l_rem); 2599 DOWN_SUM(l_rem); 2600 DOWN_SUM(l_rem); 2601 2602 /* 2603 * We're 1's complement for checksums, so check for wraparound 2604 * here. 2605 */ 2606 if (l_rem > l_src) 2607 l_src--; 2608 2609 running_sum += l_src - l_rem; 2610 2611 DOWN_SUM(running_sum); 2612 DOWN_SUM(running_sum); 2613 } 2614 2615 if (natt_loc_ext != NULL) { 2616 uint32_t l_dst; 2617 uint32_t l_loc; 2618 2619 natt_loc = (struct sockaddr_in *)(natt_loc_ext + 1); 2620 natt_loc6 = (struct sockaddr_in6 *)(natt_loc_ext + 1); 2621 2622 if (natt_loc->sin_family == AF_INET) { 2623 natt_loc_ptr = (uint32_t *)&natt_loc->sin_addr; 2624 l_dst = *dst_addr_ptr; 2625 l_loc = *natt_loc_ptr; 2626 2627 } else { 2628 if (!IN6_IS_ADDR_V4MAPPED(&natt_loc6->sin6_addr)) { 2629 goto error; 2630 } 2631 ASSERT(natt_loc->sin_family == AF_INET6); 2632 natt_loc_ptr = ((uint32_t *)&natt_loc6->sin6_addr) + 3; 2633 l_dst = *dst_addr_ptr; 2634 l_loc = *natt_loc_ptr; 2635 2636 } 2637 IPSA_COPY_ADDR(newbie->ipsa_natt_addr_loc, natt_loc_ptr, af); 2638 2639 l_loc = ntohl(l_loc); 2640 DOWN_SUM(l_loc); 2641 DOWN_SUM(l_loc); 2642 l_dst = ntohl(l_dst); 2643 DOWN_SUM(l_dst); 2644 DOWN_SUM(l_dst); 2645 2646 /* 2647 * We're 1's complement for checksums, so check for wraparound 2648 * here. 2649 */ 2650 if (l_loc > l_dst) 2651 l_dst--; 2652 2653 running_sum += l_dst - l_loc; 2654 DOWN_SUM(running_sum); 2655 DOWN_SUM(running_sum); 2656 } 2657 2658 newbie->ipsa_inbound_cksum = running_sum; 2659 #undef DOWN_SUM 2660 2661 newbie->ipsa_type = samsg->sadb_msg_satype; 2662 ASSERT(assoc->sadb_sa_state == SADB_SASTATE_MATURE); 2663 newbie->ipsa_auth_alg = assoc->sadb_sa_auth; 2664 newbie->ipsa_encr_alg = assoc->sadb_sa_encrypt; 2665 newbie->ipsa_flags = assoc->sadb_sa_flags; 2666 /* 2667 * If unspecified source address, force replay_wsize to 0. 2668 * This is because an SA that has multiple sources of secure 2669 * traffic cannot enforce a replay counter w/o synchronizing the 2670 * senders. 2671 */ 2672 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) 2673 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay; 2674 else 2675 newbie->ipsa_replay_wsize = 0; 2676 2677 (void) drv_getparm(TIME, &newbie->ipsa_addtime); 2678 2679 /* Set unique value */ 2680 newbie->ipsa_unique_id = SA_UNIQUE_ID((uint16_t)src->sin_port, 2681 (uint16_t)dst->sin_port, dstext->sadb_address_proto); 2682 newbie->ipsa_unique_mask = SA_UNIQUE_MASK((uint16_t)src->sin_port, 2683 (uint16_t)dst->sin_port, dstext->sadb_address_proto); 2684 2685 if (newbie->ipsa_unique_mask != 0) 2686 newbie->ipsa_flags |= IPSA_F_UNIQUE; 2687 2688 if (kmcext != NULL) { 2689 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto; 2690 newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie; 2691 } 2692 2693 /* 2694 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE. 2695 * The spec says that one can update current lifetimes, but 2696 * that seems impractical, especially in the larval-to-mature 2697 * update that this function performs. 2698 */ 2699 if (soft != NULL) { 2700 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime; 2701 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime; 2702 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes; 2703 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations; 2704 SET_EXPIRE(newbie, softaddlt, softexpiretime); 2705 } 2706 if (hard != NULL) { 2707 newbie->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 2708 newbie->ipsa_harduselt = hard->sadb_lifetime_usetime; 2709 newbie->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 2710 newbie->ipsa_hardalloc = hard->sadb_lifetime_allocations; 2711 SET_EXPIRE(newbie, hardaddlt, hardexpiretime); 2712 } 2713 2714 newbie->ipsa_authtmpl = NULL; 2715 newbie->ipsa_encrtmpl = NULL; 2716 2717 if (akey != NULL) { 2718 newbie->ipsa_authkeybits = akey->sadb_key_bits; 2719 newbie->ipsa_authkeylen = SADB_1TO8(akey->sadb_key_bits); 2720 /* In case we have to round up to the next byte... */ 2721 if ((akey->sadb_key_bits & 0x7) != 0) 2722 newbie->ipsa_authkeylen++; 2723 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 2724 KM_NOSLEEP); 2725 if (newbie->ipsa_authkey == NULL) { 2726 error = ENOMEM; 2727 mutex_exit(&newbie->ipsa_lock); 2728 goto error; 2729 } 2730 bcopy(akey + 1, newbie->ipsa_authkey, newbie->ipsa_authkeylen); 2731 bzero(akey + 1, newbie->ipsa_authkeylen); 2732 2733 /* 2734 * Pre-initialize the kernel crypto framework key 2735 * structure. 2736 */ 2737 newbie->ipsa_kcfauthkey.ck_format = CRYPTO_KEY_RAW; 2738 newbie->ipsa_kcfauthkey.ck_length = newbie->ipsa_authkeybits; 2739 newbie->ipsa_kcfauthkey.ck_data = newbie->ipsa_authkey; 2740 2741 mutex_enter(&alg_lock); 2742 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_AUTH); 2743 mutex_exit(&alg_lock); 2744 if (error != 0) { 2745 mutex_exit(&newbie->ipsa_lock); 2746 goto error; 2747 } 2748 } 2749 2750 if (ekey != NULL) { 2751 newbie->ipsa_encrkeybits = ekey->sadb_key_bits; 2752 newbie->ipsa_encrkeylen = SADB_1TO8(ekey->sadb_key_bits); 2753 /* In case we have to round up to the next byte... */ 2754 if ((ekey->sadb_key_bits & 0x7) != 0) 2755 newbie->ipsa_encrkeylen++; 2756 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 2757 KM_NOSLEEP); 2758 if (newbie->ipsa_encrkey == NULL) { 2759 error = ENOMEM; 2760 mutex_exit(&newbie->ipsa_lock); 2761 goto error; 2762 } 2763 bcopy(ekey + 1, newbie->ipsa_encrkey, newbie->ipsa_encrkeylen); 2764 /* XXX is this safe w.r.t db_ref, etc? */ 2765 bzero(ekey + 1, newbie->ipsa_encrkeylen); 2766 2767 /* 2768 * Pre-initialize the kernel crypto framework key 2769 * structure. 2770 */ 2771 newbie->ipsa_kcfencrkey.ck_format = CRYPTO_KEY_RAW; 2772 newbie->ipsa_kcfencrkey.ck_length = newbie->ipsa_encrkeybits; 2773 newbie->ipsa_kcfencrkey.ck_data = newbie->ipsa_encrkey; 2774 2775 mutex_enter(&alg_lock); 2776 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_ENCR); 2777 mutex_exit(&alg_lock); 2778 if (error != 0) { 2779 mutex_exit(&newbie->ipsa_lock); 2780 goto error; 2781 } 2782 } 2783 2784 sadb_init_alginfo(newbie); 2785 2786 /* 2787 * Ptrs to processing functions. 2788 */ 2789 if (newbie->ipsa_type == SADB_SATYPE_ESP) 2790 ipsecesp_init_funcs(newbie); 2791 else 2792 ipsecah_init_funcs(newbie); 2793 ASSERT(newbie->ipsa_output_func != NULL && 2794 newbie->ipsa_input_func != NULL); 2795 2796 /* 2797 * Certificate ID stuff. 2798 */ 2799 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC] != NULL) { 2800 sadb_ident_t *id = 2801 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 2802 2803 /* 2804 * Can assume strlen() will return okay because ext_check() in 2805 * keysock.c prepares the string for us. 2806 */ 2807 newbie->ipsa_src_cid = ipsid_lookup(id->sadb_ident_type, 2808 (char *)(id+1)); 2809 if (newbie->ipsa_src_cid == NULL) { 2810 error = ENOMEM; 2811 mutex_exit(&newbie->ipsa_lock); 2812 goto error; 2813 } 2814 } 2815 2816 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_DST] != NULL) { 2817 sadb_ident_t *id = 2818 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 2819 2820 /* 2821 * Can assume strlen() will return okay because ext_check() in 2822 * keysock.c prepares the string for us. 2823 */ 2824 newbie->ipsa_dst_cid = ipsid_lookup(id->sadb_ident_type, 2825 (char *)(id+1)); 2826 if (newbie->ipsa_dst_cid == NULL) { 2827 error = ENOMEM; 2828 mutex_exit(&newbie->ipsa_lock); 2829 goto error; 2830 } 2831 } 2832 2833 #if 0 2834 /* XXXMLS SENSITIVITY handling code. */ 2835 if (sens != NULL) { 2836 int i; 2837 uint64_t *bitmap = (uint64_t *)(sens + 1); 2838 2839 newbie->ipsa_dpd = sens->sadb_sens_dpd; 2840 newbie->ipsa_senslevel = sens->sadb_sens_sens_level; 2841 newbie->ipsa_integlevel = sens->sadb_sens_integ_level; 2842 newbie->ipsa_senslen = SADB_64TO8(sens->sadb_sens_sens_len); 2843 newbie->ipsa_integlen = SADB_64TO8(sens->sadb_sens_integ_len); 2844 newbie->ipsa_integ = kmem_alloc(newbie->ipsa_integlen, 2845 KM_NOSLEEP); 2846 if (newbie->ipsa_integ == NULL) { 2847 error = ENOMEM; 2848 mutex_exit(&newbie->ipsa_lock); 2849 goto error; 2850 } 2851 newbie->ipsa_sens = kmem_alloc(newbie->ipsa_senslen, 2852 KM_NOSLEEP); 2853 if (newbie->ipsa_sens == NULL) { 2854 error = ENOMEM; 2855 mutex_exit(&newbie->ipsa_lock); 2856 goto error; 2857 } 2858 for (i = 0; i < sens->sadb_sens_sens_len; i++) { 2859 newbie->ipsa_sens[i] = *bitmap; 2860 bitmap++; 2861 } 2862 for (i = 0; i < sens->sadb_sens_integ_len; i++) { 2863 newbie->ipsa_integ[i] = *bitmap; 2864 bitmap++; 2865 } 2866 } 2867 2868 #endif 2869 2870 /* now that the SA has been updated, set its new state */ 2871 newbie->ipsa_state = assoc->sadb_sa_state; 2872 2873 /* 2874 * The less locks I hold when doing an insertion and possible cloning, 2875 * the better! 2876 */ 2877 mutex_exit(&newbie->ipsa_lock); 2878 2879 if (clone) { 2880 newbie_clone = sadb_cloneassoc(newbie); 2881 2882 if (newbie_clone == NULL) { 2883 error = ENOMEM; 2884 goto error; 2885 } 2886 newbie->ipsa_haspeer = B_TRUE; 2887 newbie_clone->ipsa_haspeer = B_TRUE; 2888 } 2889 2890 /* 2891 * Enter the bucket locks. The order of entry is outbound, 2892 * inbound. We map "primary" and "secondary" into outbound and inbound 2893 * based on the destination address type. If the destination address 2894 * type is for a node that isn't mine (or potentially mine), the 2895 * "primary" bucket is the outbound one. 2896 */ 2897 if (ksi->ks_in_dsttype == KS_IN_ADDR_NOTME) { 2898 /* primary == outbound */ 2899 mutex_enter(&primary->isaf_lock); 2900 mutex_enter(&secondary->isaf_lock); 2901 } else { 2902 /* primary == inbound */ 2903 mutex_enter(&secondary->isaf_lock); 2904 mutex_enter(&primary->isaf_lock); 2905 } 2906 2907 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_common_add: spi = 0x%x\n", 2908 newbie->ipsa_spi)); 2909 2910 /* 2911 * sadb_insertassoc() doesn't increment the reference 2912 * count. We therefore have to increment the 2913 * reference count one more time to reflect the 2914 * pointers of the table that reference this SA. 2915 */ 2916 IPSA_REFHOLD(newbie); 2917 2918 if (isupdate) { 2919 /* 2920 * Unlink from larval holding cell in the "inbound" fanout. 2921 */ 2922 ASSERT(newbie->ipsa_linklock == &primary->isaf_lock || 2923 newbie->ipsa_linklock == &secondary->isaf_lock); 2924 sadb_unlinkassoc(newbie); 2925 } 2926 2927 mutex_enter(&newbie->ipsa_lock); 2928 error = sadb_insertassoc(newbie, primary); 2929 if (error == 0) { 2930 ctl_mp = sadb_fmt_sa_req(DL_CO_SET, newbie->ipsa_type, newbie, 2931 is_inbound); 2932 } 2933 mutex_exit(&newbie->ipsa_lock); 2934 2935 if (error != 0) { 2936 /* 2937 * Since sadb_insertassoc() failed, we must decrement the 2938 * refcount again so the cleanup code will actually free 2939 * the offending SA. 2940 */ 2941 IPSA_REFRELE(newbie); 2942 goto error_unlock; 2943 } 2944 2945 if (newbie_clone != NULL) { 2946 mutex_enter(&newbie_clone->ipsa_lock); 2947 error = sadb_insertassoc(newbie_clone, secondary); 2948 mutex_exit(&newbie_clone->ipsa_lock); 2949 if (error != 0) { 2950 /* Collision in secondary table. */ 2951 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 2952 goto error_unlock; 2953 } 2954 IPSA_REFHOLD(newbie_clone); 2955 } else { 2956 ASSERT(primary != secondary); 2957 scratch = ipsec_getassocbyspi(secondary, newbie->ipsa_spi, 2958 ALL_ZEROES_PTR, newbie->ipsa_dstaddr, af); 2959 if (scratch != NULL) { 2960 /* Collision in secondary table. */ 2961 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 2962 /* Set the error, since ipsec_getassocbyspi() can't. */ 2963 error = EEXIST; 2964 goto error_unlock; 2965 } 2966 } 2967 2968 /* OKAY! So let's do some reality check assertions. */ 2969 2970 ASSERT(!MUTEX_HELD(&newbie->ipsa_lock)); 2971 ASSERT(newbie_clone == NULL || (!MUTEX_HELD(&newbie_clone->ipsa_lock))); 2972 /* 2973 * If hardware acceleration could happen, send it. 2974 */ 2975 if (ctl_mp != NULL) { 2976 putnext(ip_q, ctl_mp); 2977 ctl_mp = NULL; 2978 } 2979 2980 error_unlock: 2981 2982 /* 2983 * We can exit the locks in any order. Only entrance needs to 2984 * follow any protocol. 2985 */ 2986 mutex_exit(&secondary->isaf_lock); 2987 mutex_exit(&primary->isaf_lock); 2988 2989 /* Common error point for this routine. */ 2990 error: 2991 if (newbie != NULL) { 2992 IPSA_REFRELE(newbie); 2993 } 2994 if (newbie_clone != NULL) { 2995 IPSA_REFRELE(newbie_clone); 2996 } 2997 if (ctl_mp != NULL) 2998 freemsg(ctl_mp); 2999 3000 if (error == 0) { 3001 /* 3002 * Construct favorable PF_KEY return message and send to 3003 * keysock. (Q: Do I need to pass "newbie"? If I do, 3004 * make sure to REFHOLD, call, then REFRELE.) 3005 */ 3006 sadb_pfkey_echo(pfkey_q, mp, samsg, ksi, NULL); 3007 } 3008 3009 return (error); 3010 } 3011 3012 /* 3013 * Set the time of first use for a security association. Update any 3014 * expiration times as a result. 3015 */ 3016 void 3017 sadb_set_usetime(ipsa_t *assoc) 3018 { 3019 mutex_enter(&assoc->ipsa_lock); 3020 /* 3021 * Caller does check usetime before calling me usually, and 3022 * double-checking is better than a mutex_enter/exit hit. 3023 */ 3024 if (assoc->ipsa_usetime == 0) { 3025 /* 3026 * This is redundant for outbound SA's, as 3027 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already. 3028 * Inbound SAs, however, have no such protection. 3029 */ 3030 assoc->ipsa_flags |= IPSA_F_USED; 3031 3032 (void) drv_getparm(TIME, &assoc->ipsa_usetime); 3033 3034 /* 3035 * After setting the use time, see if we have a use lifetime 3036 * that would cause the actual SA expiration time to shorten. 3037 */ 3038 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 3039 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 3040 } 3041 mutex_exit(&assoc->ipsa_lock); 3042 } 3043 3044 /* 3045 * Send up a PF_KEY expire message for this association. 3046 */ 3047 static void 3048 sadb_expire_assoc(queue_t *pfkey_q, ipsa_t *assoc) 3049 { 3050 mblk_t *mp, *mp1; 3051 int alloclen, af; 3052 sadb_msg_t *samsg; 3053 sadb_lifetime_t *current, *expire; 3054 sadb_sa_t *saext; 3055 uint8_t *end; 3056 3057 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 3058 3059 /* Don't bother sending if there's no queue. */ 3060 if (pfkey_q == NULL) 3061 return; 3062 3063 mp = sadb_keysock_out(0); 3064 if (mp == NULL) { 3065 /* cmn_err(CE_WARN, */ 3066 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */ 3067 return; 3068 } 3069 3070 alloclen = sizeof (*samsg) + sizeof (*current) + sizeof (*expire) + 3071 2*sizeof (sadb_address_t) + sizeof (*saext); 3072 3073 af = assoc->ipsa_addrfam; 3074 switch (af) { 3075 case AF_INET: 3076 alloclen += 2 * sizeof (struct sockaddr_in); 3077 break; 3078 case AF_INET6: 3079 alloclen += 2 * sizeof (struct sockaddr_in6); 3080 break; 3081 default: 3082 /* Won't happen unless there's a kernel bug. */ 3083 freeb(mp); 3084 cmn_err(CE_WARN, 3085 "sadb_expire_assoc: Unknown address length.\n"); 3086 return; 3087 } 3088 3089 mp->b_cont = allocb(alloclen, BPRI_HI); 3090 if (mp->b_cont == NULL) { 3091 freeb(mp); 3092 /* cmn_err(CE_WARN, */ 3093 /* "sadb_expire_assoc: Can't allocate message.\n"); */ 3094 return; 3095 } 3096 3097 mp1 = mp; 3098 mp = mp->b_cont; 3099 end = mp->b_wptr + alloclen; 3100 3101 samsg = (sadb_msg_t *)mp->b_wptr; 3102 mp->b_wptr += sizeof (*samsg); 3103 samsg->sadb_msg_version = PF_KEY_V2; 3104 samsg->sadb_msg_type = SADB_EXPIRE; 3105 samsg->sadb_msg_errno = 0; 3106 samsg->sadb_msg_satype = assoc->ipsa_type; 3107 samsg->sadb_msg_len = SADB_8TO64(alloclen); 3108 samsg->sadb_msg_reserved = 0; 3109 samsg->sadb_msg_seq = 0; 3110 samsg->sadb_msg_pid = 0; 3111 3112 saext = (sadb_sa_t *)mp->b_wptr; 3113 mp->b_wptr += sizeof (*saext); 3114 saext->sadb_sa_len = SADB_8TO64(sizeof (*saext)); 3115 saext->sadb_sa_exttype = SADB_EXT_SA; 3116 saext->sadb_sa_spi = assoc->ipsa_spi; 3117 saext->sadb_sa_replay = assoc->ipsa_replay_wsize; 3118 saext->sadb_sa_state = assoc->ipsa_state; 3119 saext->sadb_sa_auth = assoc->ipsa_auth_alg; 3120 saext->sadb_sa_encrypt = assoc->ipsa_encr_alg; 3121 saext->sadb_sa_flags = assoc->ipsa_flags; 3122 3123 current = (sadb_lifetime_t *)mp->b_wptr; 3124 mp->b_wptr += sizeof (sadb_lifetime_t); 3125 current->sadb_lifetime_len = SADB_8TO64(sizeof (*current)); 3126 current->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 3127 current->sadb_lifetime_allocations = assoc->ipsa_alloc; 3128 current->sadb_lifetime_bytes = assoc->ipsa_bytes; 3129 current->sadb_lifetime_addtime = assoc->ipsa_addtime; 3130 current->sadb_lifetime_usetime = assoc->ipsa_usetime; 3131 3132 expire = (sadb_lifetime_t *)mp->b_wptr; 3133 mp->b_wptr += sizeof (*expire); 3134 expire->sadb_lifetime_len = SADB_8TO64(sizeof (*expire)); 3135 3136 if (assoc->ipsa_state == IPSA_STATE_DEAD) { 3137 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 3138 expire->sadb_lifetime_allocations = assoc->ipsa_hardalloc; 3139 expire->sadb_lifetime_bytes = assoc->ipsa_hardbyteslt; 3140 expire->sadb_lifetime_addtime = assoc->ipsa_hardaddlt; 3141 expire->sadb_lifetime_usetime = assoc->ipsa_harduselt; 3142 } else { 3143 ASSERT(assoc->ipsa_state == IPSA_STATE_DYING); 3144 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 3145 expire->sadb_lifetime_allocations = assoc->ipsa_softalloc; 3146 expire->sadb_lifetime_bytes = assoc->ipsa_softbyteslt; 3147 expire->sadb_lifetime_addtime = assoc->ipsa_softaddlt; 3148 expire->sadb_lifetime_usetime = assoc->ipsa_softuselt; 3149 } 3150 3151 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_SRC, 3152 af, assoc->ipsa_srcaddr, SA_SRCPORT(assoc), SA_PROTO(assoc)); 3153 ASSERT(mp->b_wptr != NULL); 3154 3155 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_DST, 3156 af, assoc->ipsa_dstaddr, SA_DSTPORT(assoc), SA_PROTO(assoc)); 3157 ASSERT(mp->b_wptr != NULL); 3158 3159 /* Can just putnext, we're ready to go! */ 3160 putnext(pfkey_q, mp1); 3161 } 3162 3163 /* 3164 * "Age" the SA with the number of bytes that was used to protect traffic. 3165 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was 3166 * enough "charge" left in the SA to protect the data. Return B_FALSE 3167 * otherwise. (If B_FALSE is returned, the association either was, or became 3168 * DEAD.) 3169 */ 3170 boolean_t 3171 sadb_age_bytes(queue_t *pfkey_q, ipsa_t *assoc, uint64_t bytes, 3172 boolean_t sendmsg) 3173 { 3174 boolean_t rc = B_TRUE; 3175 uint64_t newtotal; 3176 3177 mutex_enter(&assoc->ipsa_lock); 3178 newtotal = assoc->ipsa_bytes + bytes; 3179 if (assoc->ipsa_hardbyteslt != 0 && 3180 newtotal >= assoc->ipsa_hardbyteslt) { 3181 if (assoc->ipsa_state < IPSA_STATE_DEAD) { 3182 /* 3183 * Send EXPIRE message to PF_KEY. May wish to pawn 3184 * this off on another non-interrupt thread. Also 3185 * unlink this SA immediately. 3186 */ 3187 assoc->ipsa_state = IPSA_STATE_DEAD; 3188 if (sendmsg) 3189 sadb_expire_assoc(pfkey_q, assoc); 3190 /* 3191 * Set non-zero expiration time so sadb_age_assoc() 3192 * will work when reaping. 3193 */ 3194 assoc->ipsa_hardexpiretime = (time_t)1; 3195 } /* Else someone beat me to it! */ 3196 rc = B_FALSE; 3197 } else if (assoc->ipsa_softbyteslt != 0 && 3198 (newtotal >= assoc->ipsa_softbyteslt)) { 3199 if (assoc->ipsa_state < IPSA_STATE_DYING) { 3200 /* 3201 * Send EXPIRE message to PF_KEY. May wish to pawn 3202 * this off on another non-interrupt thread. 3203 */ 3204 assoc->ipsa_state = IPSA_STATE_DYING; 3205 assoc->ipsa_bytes = newtotal; 3206 if (sendmsg) 3207 sadb_expire_assoc(pfkey_q, assoc); 3208 } /* Else someone beat me to it! */ 3209 } 3210 if (rc == B_TRUE) 3211 assoc->ipsa_bytes = newtotal; 3212 mutex_exit(&assoc->ipsa_lock); 3213 return (rc); 3214 } 3215 3216 /* 3217 * Push one or more DL_CO_DELETE messages queued up by 3218 * sadb_torch_assoc down to the underlying driver now that it's a 3219 * convenient time for it (i.e., ipsa bucket locks not held). 3220 */ 3221 static void 3222 sadb_drain_torchq(queue_t *q, mblk_t *mp) 3223 { 3224 while (mp != NULL) { 3225 mblk_t *next = mp->b_next; 3226 mp->b_next = NULL; 3227 if (q != NULL) 3228 putnext(q, mp); 3229 else 3230 freemsg(mp); 3231 mp = next; 3232 } 3233 } 3234 3235 /* 3236 * "Torch" an individual SA. Returns NULL, so it can be tail-called from 3237 * sadb_age_assoc(). 3238 * 3239 * If SA is hardware-accelerated, and we can't allocate the mblk 3240 * containing the DL_CO_DELETE, just return; it will remain in the 3241 * table and be swept up by sadb_ager() in a subsequent pass. 3242 */ 3243 static ipsa_t * 3244 sadb_torch_assoc(isaf_t *head, ipsa_t *sa, boolean_t inbnd, mblk_t **mq) 3245 { 3246 mblk_t *mp; 3247 3248 ASSERT(MUTEX_HELD(&head->isaf_lock)); 3249 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 3250 ASSERT(sa->ipsa_state == IPSA_STATE_DEAD); 3251 3252 /* 3253 * Force cached SAs to be revalidated.. 3254 */ 3255 head->isaf_gen++; 3256 3257 if (sa->ipsa_flags & IPSA_F_HW) { 3258 mp = sadb_fmt_sa_req(DL_CO_DELETE, sa->ipsa_type, sa, inbnd); 3259 if (mp == NULL) { 3260 mutex_exit(&sa->ipsa_lock); 3261 return (NULL); 3262 } 3263 mp->b_next = *mq; 3264 *mq = mp; 3265 } 3266 mutex_exit(&sa->ipsa_lock); 3267 sadb_unlinkassoc(sa); 3268 3269 return (NULL); 3270 } 3271 3272 /* 3273 * Return "assoc" iff haspeer is true and I send an expire. This allows 3274 * the consumers' aging functions to tidy up an expired SA's peer. 3275 */ 3276 static ipsa_t * 3277 sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc, 3278 time_t current, int reap_delay, boolean_t inbnd, mblk_t **mq) 3279 { 3280 ipsa_t *retval = NULL; 3281 3282 ASSERT(MUTEX_HELD(&head->isaf_lock)); 3283 3284 mutex_enter(&assoc->ipsa_lock); 3285 3286 if ((assoc->ipsa_state == IPSA_STATE_LARVAL) && 3287 (assoc->ipsa_hardexpiretime <= current)) { 3288 assoc->ipsa_state = IPSA_STATE_DEAD; 3289 return (sadb_torch_assoc(head, assoc, inbnd, mq)); 3290 } 3291 3292 /* 3293 * Check lifetimes. Fortunately, SA setup is done 3294 * such that there are only two times to look at, 3295 * softexpiretime, and hardexpiretime. 3296 * 3297 * Check hard first. 3298 */ 3299 3300 if (assoc->ipsa_hardexpiretime != 0 && 3301 assoc->ipsa_hardexpiretime <= current) { 3302 if (assoc->ipsa_state == IPSA_STATE_DEAD) 3303 return (sadb_torch_assoc(head, assoc, inbnd, mq)); 3304 3305 /* 3306 * Send SADB_EXPIRE with hard lifetime, delay for unlinking. 3307 */ 3308 assoc->ipsa_state = IPSA_STATE_DEAD; 3309 if (assoc->ipsa_haspeer) { 3310 /* 3311 * If I return assoc, I have to bump up its 3312 * reference count to keep with the ipsa_t reference 3313 * count semantics. 3314 */ 3315 IPSA_REFHOLD(assoc); 3316 retval = assoc; 3317 } 3318 sadb_expire_assoc(pfkey_q, assoc); 3319 assoc->ipsa_hardexpiretime = current + reap_delay; 3320 } else if (assoc->ipsa_softexpiretime != 0 && 3321 assoc->ipsa_softexpiretime <= current && 3322 assoc->ipsa_state < IPSA_STATE_DYING) { 3323 /* 3324 * Send EXPIRE message to PF_KEY. May wish to pawn 3325 * this off on another non-interrupt thread. 3326 */ 3327 assoc->ipsa_state = IPSA_STATE_DYING; 3328 if (assoc->ipsa_haspeer) { 3329 /* 3330 * If I return assoc, I have to bump up its 3331 * reference count to keep with the ipsa_t reference 3332 * count semantics. 3333 */ 3334 IPSA_REFHOLD(assoc); 3335 retval = assoc; 3336 } 3337 sadb_expire_assoc(pfkey_q, assoc); 3338 } 3339 3340 mutex_exit(&assoc->ipsa_lock); 3341 return (retval); 3342 } 3343 3344 /* 3345 * Called by a consumer protocol to do ther dirty work of reaping dead 3346 * Security Associations. 3347 */ 3348 void 3349 sadb_ager(sadb_t *sp, queue_t *pfkey_q, queue_t *ip_q, int reap_delay) 3350 { 3351 int i; 3352 isaf_t *bucket; 3353 ipsa_t *assoc, *spare; 3354 iacqf_t *acqlist; 3355 ipsacq_t *acqrec, *spareacq; 3356 struct templist { 3357 ipsa_t *ipsa; 3358 struct templist *next; 3359 } *haspeerlist = NULL, *newbie; 3360 time_t current; 3361 int outhash; 3362 mblk_t *mq = NULL; 3363 3364 /* 3365 * Do my dirty work. This includes aging real entries, aging 3366 * larvals, and aging outstanding ACQUIREs. 3367 * 3368 * I hope I don't tie up resources for too long. 3369 */ 3370 3371 /* Snapshot current time now. */ 3372 (void) drv_getparm(TIME, ¤t); 3373 3374 /* Age acquires. */ 3375 3376 for (i = 0; i < sp->sdb_hashsize; i++) { 3377 acqlist = &sp->sdb_acq[i]; 3378 mutex_enter(&acqlist->iacqf_lock); 3379 for (acqrec = acqlist->iacqf_ipsacq; acqrec != NULL; 3380 acqrec = spareacq) { 3381 spareacq = acqrec->ipsacq_next; 3382 if (current > acqrec->ipsacq_expire) 3383 sadb_destroy_acquire(acqrec); 3384 } 3385 mutex_exit(&acqlist->iacqf_lock); 3386 } 3387 3388 /* Age inbound associations. */ 3389 for (i = 0; i < sp->sdb_hashsize; i++) { 3390 bucket = &(sp->sdb_if[i]); 3391 mutex_enter(&bucket->isaf_lock); 3392 for (assoc = bucket->isaf_ipsa; assoc != NULL; 3393 assoc = spare) { 3394 spare = assoc->ipsa_next; 3395 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 3396 reap_delay, B_TRUE, &mq) != NULL) { 3397 /* 3398 * sadb_age_assoc() increments the refcnt, 3399 * effectively doing an IPSA_REFHOLD(). 3400 */ 3401 newbie = kmem_alloc(sizeof (*newbie), 3402 KM_NOSLEEP); 3403 if (newbie == NULL) { 3404 /* 3405 * Don't forget to REFRELE(). 3406 */ 3407 IPSA_REFRELE(assoc); 3408 continue; /* for loop... */ 3409 } 3410 newbie->next = haspeerlist; 3411 newbie->ipsa = assoc; 3412 haspeerlist = newbie; 3413 } 3414 } 3415 mutex_exit(&bucket->isaf_lock); 3416 } 3417 3418 if (mq != NULL) { 3419 sadb_drain_torchq(ip_q, mq); 3420 mq = NULL; 3421 } 3422 /* 3423 * Haspeer cases will contain both IPv4 and IPv6. This code 3424 * is address independent. 3425 */ 3426 while (haspeerlist != NULL) { 3427 /* "spare" contains the SA that has a peer. */ 3428 spare = haspeerlist->ipsa; 3429 newbie = haspeerlist; 3430 haspeerlist = newbie->next; 3431 kmem_free(newbie, sizeof (*newbie)); 3432 /* 3433 * Pick peer bucket based on addrfam. 3434 */ 3435 if (spare->ipsa_addrfam == AF_INET6) { 3436 outhash = OUTBOUND_HASH_V6(sp, 3437 *((in6_addr_t *)&spare->ipsa_dstaddr)); 3438 } else { 3439 outhash = OUTBOUND_HASH_V4(sp, 3440 *((ipaddr_t *)&spare->ipsa_dstaddr)); 3441 } 3442 bucket = &(sp->sdb_of[outhash]); 3443 3444 mutex_enter(&bucket->isaf_lock); 3445 assoc = ipsec_getassocbyspi(bucket, spare->ipsa_spi, 3446 spare->ipsa_srcaddr, spare->ipsa_dstaddr, 3447 spare->ipsa_addrfam); 3448 mutex_exit(&bucket->isaf_lock); 3449 if (assoc != NULL) { 3450 mutex_enter(&assoc->ipsa_lock); 3451 mutex_enter(&spare->ipsa_lock); 3452 assoc->ipsa_state = spare->ipsa_state; 3453 if (assoc->ipsa_state == IPSA_STATE_DEAD) 3454 assoc->ipsa_hardexpiretime = 1; 3455 mutex_exit(&spare->ipsa_lock); 3456 mutex_exit(&assoc->ipsa_lock); 3457 IPSA_REFRELE(assoc); 3458 } 3459 IPSA_REFRELE(spare); 3460 } 3461 3462 /* Age outbound associations. */ 3463 for (i = 0; i < sp->sdb_hashsize; i++) { 3464 bucket = &(sp->sdb_of[i]); 3465 mutex_enter(&bucket->isaf_lock); 3466 for (assoc = bucket->isaf_ipsa; assoc != NULL; 3467 assoc = spare) { 3468 spare = assoc->ipsa_next; 3469 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 3470 reap_delay, B_FALSE, &mq) != NULL) { 3471 /* 3472 * sadb_age_assoc() increments the refcnt, 3473 * effectively doing an IPSA_REFHOLD(). 3474 */ 3475 newbie = kmem_alloc(sizeof (*newbie), 3476 KM_NOSLEEP); 3477 if (newbie == NULL) { 3478 /* 3479 * Don't forget to REFRELE(). 3480 */ 3481 IPSA_REFRELE(assoc); 3482 continue; /* for loop... */ 3483 } 3484 newbie->next = haspeerlist; 3485 newbie->ipsa = assoc; 3486 haspeerlist = newbie; 3487 } 3488 } 3489 mutex_exit(&bucket->isaf_lock); 3490 } 3491 if (mq != NULL) { 3492 sadb_drain_torchq(ip_q, mq); 3493 mq = NULL; 3494 } 3495 /* 3496 * Haspeer cases will contain both IPv4 and IPv6. This code 3497 * is address independent. 3498 */ 3499 while (haspeerlist != NULL) { 3500 /* "spare" contains the SA that has a peer. */ 3501 spare = haspeerlist->ipsa; 3502 newbie = haspeerlist; 3503 haspeerlist = newbie->next; 3504 kmem_free(newbie, sizeof (*newbie)); 3505 /* 3506 * Pick peer bucket based on addrfam. 3507 */ 3508 bucket = INBOUND_BUCKET(sp, spare->ipsa_spi); 3509 mutex_enter(&bucket->isaf_lock); 3510 assoc = ipsec_getassocbyspi(bucket, spare->ipsa_spi, 3511 spare->ipsa_srcaddr, spare->ipsa_dstaddr, 3512 spare->ipsa_addrfam); 3513 mutex_exit(&bucket->isaf_lock); 3514 if (assoc != NULL) { 3515 mutex_enter(&assoc->ipsa_lock); 3516 mutex_enter(&spare->ipsa_lock); 3517 assoc->ipsa_state = spare->ipsa_state; 3518 if (assoc->ipsa_state == IPSA_STATE_DEAD) 3519 assoc->ipsa_hardexpiretime = 1; 3520 mutex_exit(&spare->ipsa_lock); 3521 mutex_exit(&assoc->ipsa_lock); 3522 IPSA_REFRELE(assoc); 3523 } 3524 IPSA_REFRELE(spare); 3525 } 3526 /* 3527 * Run a GC pass to clean out dead identities. 3528 */ 3529 ipsid_gc(); 3530 } 3531 3532 /* 3533 * Figure out when to reschedule the ager. 3534 */ 3535 timeout_id_t 3536 sadb_retimeout(hrtime_t begin, queue_t *pfkey_q, void (*ager)(void *), 3537 uint_t *intp, uint_t intmax, short mid) 3538 { 3539 hrtime_t end = gethrtime(); 3540 uint_t interval = *intp; 3541 3542 /* 3543 * See how long this took. If it took too long, increase the 3544 * aging interval. 3545 */ 3546 if ((end - begin) > interval * 1000000) { 3547 if (interval >= intmax) { 3548 /* XXX Rate limit this? Or recommend flush? */ 3549 (void) strlog(mid, 0, 0, SL_ERROR | SL_WARN, 3550 "Too many SA's to age out in %d msec.\n", 3551 intmax); 3552 } else { 3553 /* Double by shifting by one bit. */ 3554 interval <<= 1; 3555 interval = min(interval, intmax); 3556 } 3557 } else if ((end - begin) <= interval * 500000 && 3558 interval > SADB_AGE_INTERVAL_DEFAULT) { 3559 /* 3560 * If I took less than half of the interval, then I should 3561 * ratchet the interval back down. Never automatically 3562 * shift below the default aging interval. 3563 * 3564 * NOTE:This even overrides manual setting of the age 3565 * interval using NDD. 3566 */ 3567 /* Halve by shifting one bit. */ 3568 interval >>= 1; 3569 interval = max(interval, SADB_AGE_INTERVAL_DEFAULT); 3570 } 3571 *intp = interval; 3572 return (qtimeout(pfkey_q, ager, NULL, interval * drv_usectohz(1000))); 3573 } 3574 3575 3576 /* 3577 * Update the lifetime values of an SA. This is the path an SADB_UPDATE 3578 * message takes when updating a MATURE or DYING SA. 3579 */ 3580 static void 3581 sadb_update_lifetimes(ipsa_t *assoc, sadb_lifetime_t *hard, 3582 sadb_lifetime_t *soft) 3583 { 3584 mutex_enter(&assoc->ipsa_lock); 3585 3586 assoc->ipsa_state = IPSA_STATE_MATURE; 3587 3588 /* 3589 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be 3590 * passed in during an update message. We currently don't handle 3591 * these. 3592 */ 3593 3594 if (hard != NULL) { 3595 if (hard->sadb_lifetime_bytes != 0) 3596 assoc->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 3597 if (hard->sadb_lifetime_usetime != 0) 3598 assoc->ipsa_harduselt = hard->sadb_lifetime_usetime; 3599 if (hard->sadb_lifetime_addtime != 0) 3600 assoc->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 3601 if (assoc->ipsa_hardaddlt != 0) { 3602 assoc->ipsa_hardexpiretime = 3603 assoc->ipsa_addtime + assoc->ipsa_hardaddlt; 3604 } 3605 if (assoc->ipsa_harduselt != 0) { 3606 if (assoc->ipsa_hardexpiretime != 0) { 3607 assoc->ipsa_hardexpiretime = 3608 min(assoc->ipsa_hardexpiretime, 3609 assoc->ipsa_usetime + 3610 assoc->ipsa_harduselt); 3611 } else { 3612 assoc->ipsa_hardexpiretime = 3613 assoc->ipsa_usetime + assoc->ipsa_harduselt; 3614 } 3615 } 3616 3617 if (hard->sadb_lifetime_allocations != 0) 3618 assoc->ipsa_hardalloc = hard->sadb_lifetime_allocations; 3619 } 3620 3621 if (soft != NULL) { 3622 if (soft->sadb_lifetime_bytes != 0) 3623 assoc->ipsa_softbyteslt = soft->sadb_lifetime_bytes; 3624 if (soft->sadb_lifetime_usetime != 0) 3625 assoc->ipsa_softuselt = soft->sadb_lifetime_usetime; 3626 if (soft->sadb_lifetime_addtime != 0) 3627 assoc->ipsa_softaddlt = soft->sadb_lifetime_addtime; 3628 if (assoc->ipsa_softaddlt != 0) { 3629 assoc->ipsa_softexpiretime = 3630 assoc->ipsa_addtime + assoc->ipsa_softaddlt; 3631 } 3632 if (assoc->ipsa_softuselt != 0) { 3633 if (assoc->ipsa_softexpiretime != 0) { 3634 assoc->ipsa_softexpiretime = 3635 min(assoc->ipsa_softexpiretime, 3636 assoc->ipsa_usetime + 3637 assoc->ipsa_softuselt); 3638 } else { 3639 assoc->ipsa_softexpiretime = 3640 assoc->ipsa_usetime + assoc->ipsa_softuselt; 3641 } 3642 } 3643 3644 if (soft->sadb_lifetime_allocations != 0) 3645 assoc->ipsa_softalloc = soft->sadb_lifetime_allocations; 3646 } 3647 3648 mutex_exit(&assoc->ipsa_lock); 3649 } 3650 3651 /* 3652 * Common code to update an SA. 3653 */ 3654 3655 int 3656 sadb_update_sa(mblk_t *mp, keysock_in_t *ksi, 3657 sadb_t *sp, int *diagnostic, queue_t *pfkey_q, 3658 int (*add_sa_func)(mblk_t *, keysock_in_t *, int *)) 3659 { 3660 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 3661 sadb_address_t *srcext = 3662 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 3663 sadb_address_t *dstext = 3664 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 3665 sadb_x_kmc_t *kmcext = 3666 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 3667 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 3668 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 3669 struct sockaddr_in *src, *dst; 3670 struct sockaddr_in6 *src6, *dst6; 3671 sadb_lifetime_t *soft = 3672 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 3673 sadb_lifetime_t *hard = 3674 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 3675 isaf_t *inbound, *outbound; 3676 ipsa_t *outbound_target = NULL, *inbound_target = NULL; 3677 int error = 0; 3678 uint32_t *srcaddr, *dstaddr; 3679 sa_family_t af; 3680 uint32_t kmp = 0, kmc = 0; 3681 3682 /* I need certain extensions present for either UPDATE message. */ 3683 if (srcext == NULL) { 3684 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 3685 return (EINVAL); 3686 } 3687 if (dstext == NULL) { 3688 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 3689 return (EINVAL); 3690 } 3691 if (assoc == NULL) { 3692 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 3693 return (EINVAL); 3694 } 3695 3696 if (kmcext != NULL) { 3697 kmp = kmcext->sadb_x_kmc_proto; 3698 kmc = kmcext->sadb_x_kmc_cookie; 3699 } 3700 3701 dst = (struct sockaddr_in *)(dstext + 1); 3702 src = (struct sockaddr_in *)(srcext + 1); 3703 af = dst->sin_family; 3704 if (af == AF_INET6) { 3705 dst6 = (struct sockaddr_in6 *)dst; 3706 src6 = (struct sockaddr_in6 *)src; 3707 3708 srcaddr = (uint32_t *)&src6->sin6_addr; 3709 dstaddr = (uint32_t *)&dst6->sin6_addr; 3710 outbound = OUTBOUND_BUCKET_V6(sp, *(uint32_t *)dstaddr); 3711 #if 0 3712 /* Not used for now... */ 3713 if (proxyext != NULL) 3714 proxy6 = (struct sockaddr_in6 *)(proxyext + 1); 3715 #endif 3716 } else { 3717 srcaddr = (uint32_t *)&src->sin_addr; 3718 dstaddr = (uint32_t *)&dst->sin_addr; 3719 outbound = OUTBOUND_BUCKET_V4(sp, *(uint32_t *)dstaddr); 3720 } 3721 inbound = INBOUND_BUCKET(sp, assoc->sadb_sa_spi); 3722 3723 /* Lock down both buckets. */ 3724 mutex_enter(&outbound->isaf_lock); 3725 mutex_enter(&inbound->isaf_lock); 3726 3727 /* Try outbound first. */ 3728 outbound_target = ipsec_getassocbyspi(outbound, assoc->sadb_sa_spi, 3729 srcaddr, dstaddr, af); 3730 inbound_target = ipsec_getassocbyspi(inbound, assoc->sadb_sa_spi, 3731 srcaddr, dstaddr, af); 3732 3733 mutex_exit(&inbound->isaf_lock); 3734 mutex_exit(&outbound->isaf_lock); 3735 3736 if (outbound_target == NULL) { 3737 if (inbound_target == NULL) { 3738 return (ESRCH); 3739 } else if (inbound_target->ipsa_state == IPSA_STATE_LARVAL) { 3740 /* 3741 * REFRELE the target and let the add_sa_func() 3742 * deal with updating a larval SA. 3743 */ 3744 IPSA_REFRELE(inbound_target); 3745 return (add_sa_func(mp, ksi, diagnostic)); 3746 } 3747 } 3748 3749 /* 3750 * Reality checks for updates of active associations. 3751 * Sundry first-pass UPDATE-specific reality checks. 3752 * Have to do the checks here, because it's after the add_sa code. 3753 * XXX STATS : logging/stats here? 3754 */ 3755 3756 if (assoc->sadb_sa_state != SADB_SASTATE_MATURE) { 3757 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 3758 error = EINVAL; 3759 goto bail; 3760 } 3761 if (assoc->sadb_sa_flags & ~(SADB_SAFLAGS_NOREPLAY | 3762 SADB_X_SAFLAGS_NATT_LOC | SADB_X_SAFLAGS_NATT_REM)) { 3763 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS; 3764 error = EINVAL; 3765 goto bail; 3766 } 3767 if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL) { 3768 error = EOPNOTSUPP; 3769 goto bail; 3770 } 3771 if ((*diagnostic = sadb_hardsoftchk(hard, soft)) != 0) { 3772 error = EINVAL; 3773 goto bail; 3774 } 3775 if (src->sin_family != dst->sin_family) { 3776 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 3777 error = EINVAL; 3778 goto bail; 3779 } 3780 if (akey != NULL) { 3781 *diagnostic = SADB_X_DIAGNOSTIC_AKEY_PRESENT; 3782 error = EINVAL; 3783 goto bail; 3784 } 3785 if (ekey != NULL) { 3786 *diagnostic = SADB_X_DIAGNOSTIC_EKEY_PRESENT; 3787 error = EINVAL; 3788 goto bail; 3789 } 3790 3791 if (outbound_target != NULL) { 3792 if (outbound_target->ipsa_state == IPSA_STATE_DEAD) { 3793 error = ESRCH; /* DEAD == Not there, in this case. */ 3794 goto bail; 3795 } 3796 if ((kmp != 0) && 3797 ((outbound_target->ipsa_kmp != 0) || 3798 (outbound_target->ipsa_kmp != kmp))) { 3799 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 3800 error = EINVAL; 3801 goto bail; 3802 } 3803 if ((kmc != 0) && 3804 ((outbound_target->ipsa_kmc != 0) || 3805 (outbound_target->ipsa_kmc != kmc))) { 3806 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 3807 error = EINVAL; 3808 goto bail; 3809 } 3810 } 3811 3812 if (inbound_target != NULL) { 3813 if (inbound_target->ipsa_state == IPSA_STATE_DEAD) { 3814 error = ESRCH; /* DEAD == Not there, in this case. */ 3815 goto bail; 3816 } 3817 if ((kmp != 0) && 3818 ((inbound_target->ipsa_kmp != 0) || 3819 (inbound_target->ipsa_kmp != kmp))) { 3820 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 3821 error = EINVAL; 3822 goto bail; 3823 } 3824 if ((kmc != 0) && 3825 ((inbound_target->ipsa_kmc != 0) || 3826 (inbound_target->ipsa_kmc != kmc))) { 3827 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 3828 error = EINVAL; 3829 goto bail; 3830 } 3831 } 3832 3833 if (outbound_target != NULL) { 3834 sadb_update_lifetimes(outbound_target, hard, soft); 3835 if (kmp != 0) 3836 outbound_target->ipsa_kmp = kmp; 3837 if (kmc != 0) 3838 outbound_target->ipsa_kmc = kmc; 3839 } 3840 3841 if (inbound_target != NULL) { 3842 sadb_update_lifetimes(inbound_target, hard, soft); 3843 if (kmp != 0) 3844 inbound_target->ipsa_kmp = kmp; 3845 if (kmc != 0) 3846 inbound_target->ipsa_kmc = kmc; 3847 } 3848 3849 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 3850 ksi, (outbound_target == NULL) ? inbound_target : outbound_target); 3851 3852 bail: 3853 /* 3854 * Because of the multi-line macro nature of IPSA_REFRELE, keep 3855 * them in { }. 3856 */ 3857 if (outbound_target != NULL) { 3858 IPSA_REFRELE(outbound_target); 3859 } 3860 if (inbound_target != NULL) { 3861 IPSA_REFRELE(inbound_target); 3862 } 3863 3864 return (error); 3865 } 3866 3867 /* 3868 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is 3869 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails 3870 * for an outbound datagram, that datagram is queued up on an ACQUIRE record, 3871 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key 3872 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve 3873 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the 3874 * other direction's SA. 3875 */ 3876 3877 /* 3878 * Check the ACQUIRE lists. If there's an existing ACQUIRE record, 3879 * grab it, lock it, and return it. Otherwise return NULL. 3880 */ 3881 static ipsacq_t * 3882 sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp, 3883 uint32_t *src, uint32_t *dst, uint64_t unique_id) 3884 { 3885 ipsacq_t *walker; 3886 sa_family_t fam; 3887 3888 /* 3889 * Scan list for duplicates. Check for UNIQUE, src/dest, policy. 3890 * 3891 * XXX May need search for duplicates based on other things too! 3892 */ 3893 for (walker = bucket->iacqf_ipsacq; walker != NULL; 3894 walker = walker->ipsacq_next) { 3895 mutex_enter(&walker->ipsacq_lock); 3896 fam = walker->ipsacq_addrfam; 3897 if (IPSA_ARE_ADDR_EQUAL(dst, walker->ipsacq_dstaddr, fam) && 3898 IPSA_ARE_ADDR_EQUAL(src, walker->ipsacq_srcaddr, fam) && 3899 /* XXX PROXY should check for proxy addr here */ 3900 (ap == walker->ipsacq_act) && 3901 (pp == walker->ipsacq_policy) && 3902 /* XXX do deep compares of ap/pp? */ 3903 (unique_id == walker->ipsacq_unique_id)) 3904 break; /* everything matched */ 3905 mutex_exit(&walker->ipsacq_lock); 3906 } 3907 3908 return (walker); 3909 } 3910 3911 /* 3912 * For this mblk, insert a new acquire record. Assume bucket contains addrs 3913 * of all of the same length. Give up (and drop) if memory 3914 * cannot be allocated for a new one; otherwise, invoke callback to 3915 * send the acquire up.. 3916 * 3917 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE 3918 * list. The ah_add_sa_finish() routines can look at the packet's ipsec_out_t 3919 * and handle this case specially. 3920 */ 3921 void 3922 sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp) 3923 { 3924 sadbp_t *spp; 3925 sadb_t *sp; 3926 ipsacq_t *newbie; 3927 iacqf_t *bucket; 3928 mblk_t *datamp = mp->b_cont; 3929 mblk_t *extended; 3930 ipha_t *ipha = (ipha_t *)datamp->b_rptr; 3931 ip6_t *ip6h = (ip6_t *)datamp->b_rptr; 3932 uint32_t *src, *dst; 3933 ipsec_policy_t *pp = io->ipsec_out_policy; 3934 ipsec_action_t *ap = io->ipsec_out_act; 3935 sa_family_t af; 3936 int hashoffset; 3937 uint32_t seq; 3938 uint64_t unique_id = 0; 3939 ipsec_selector_t sel; 3940 3941 ASSERT((pp != NULL) || (ap != NULL)); 3942 3943 ASSERT(need_ah != NULL || need_esp != NULL); 3944 /* Assign sadb pointers */ 3945 spp = need_esp ? &esp_sadb : &ah_sadb; /* ESP for AH+ESP */ 3946 sp = io->ipsec_out_v4 ? &spp->s_v4 : &spp->s_v6; 3947 3948 if (ap == NULL) 3949 ap = pp->ipsp_act; 3950 3951 ASSERT(ap != NULL); 3952 3953 if (ap->ipa_act.ipa_apply.ipp_use_unique) 3954 unique_id = SA_FORM_UNIQUE_ID(io); 3955 3956 /* 3957 * Set up an ACQUIRE record. 3958 * 3959 * Will eventually want to pull the PROXY source address from 3960 * either the inner IP header, or from a future extension to the 3961 * IPSEC_OUT message. 3962 * 3963 * Actually, we'll also want to check for duplicates. 3964 * 3965 * Immediately, make sure the ACQUIRE sequence number doesn't slip 3966 * below the lowest point allowed in the kernel. (In other words, 3967 * make sure the high bit on the sequence number is set.) 3968 */ 3969 3970 seq = keysock_next_seq() | IACQF_LOWEST_SEQ; 3971 3972 sel.ips_isv4 = io->ipsec_out_v4; 3973 sel.ips_protocol = io->ipsec_out_proto; 3974 sel.ips_local_port = io->ipsec_out_src_port; 3975 sel.ips_remote_port = io->ipsec_out_dst_port; 3976 sel.ips_icmp_type = io->ipsec_out_icmp_type; 3977 sel.ips_icmp_code = io->ipsec_out_icmp_code; 3978 sel.ips_is_icmp_inv_acq = 0; 3979 if (IPH_HDR_VERSION(ipha) == IP_VERSION) { 3980 src = (uint32_t *)&ipha->ipha_src; 3981 dst = (uint32_t *)&ipha->ipha_dst; 3982 /* No compiler dain-bramage (4438087) for IPv4 addresses. */ 3983 sel.ips_local_addr_v4 = ipha->ipha_src; 3984 sel.ips_remote_addr_v4 = ipha->ipha_dst; 3985 af = AF_INET; 3986 hashoffset = OUTBOUND_HASH_V4(sp, ipha->ipha_dst); 3987 ASSERT(io->ipsec_out_v4 == B_TRUE); 3988 } else { 3989 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION); 3990 src = (uint32_t *)&ip6h->ip6_src; 3991 dst = (uint32_t *)&ip6h->ip6_dst; 3992 sel.ips_local_addr_v6 = ip6h->ip6_src; 3993 sel.ips_remote_addr_v6 = ip6h->ip6_dst; 3994 af = AF_INET6; 3995 hashoffset = OUTBOUND_HASH_V6(sp, ip6h->ip6_dst); 3996 ASSERT(io->ipsec_out_v4 == B_FALSE); 3997 } 3998 3999 /* 4000 * Check buckets to see if there is an existing entry. If so, 4001 * grab it. sadb_checkacquire locks newbie if found. 4002 */ 4003 bucket = &(sp->sdb_acq[hashoffset]); 4004 mutex_enter(&bucket->iacqf_lock); 4005 newbie = sadb_checkacquire(bucket, ap, pp, src, dst, unique_id); 4006 4007 if (newbie == NULL) { 4008 /* 4009 * Otherwise, allocate a new one. 4010 */ 4011 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP); 4012 if (newbie == NULL) { 4013 mutex_exit(&bucket->iacqf_lock); 4014 ip_drop_packet(mp, B_FALSE, NULL, NULL, 4015 &ipdrops_sadb_acquire_nomem, &sadb_dropper); 4016 return; 4017 } 4018 newbie->ipsacq_policy = pp; 4019 if (pp != NULL) { 4020 IPPOL_REFHOLD(pp); 4021 } 4022 IPACT_REFHOLD(ap); 4023 newbie->ipsacq_act = ap; 4024 newbie->ipsacq_linklock = &bucket->iacqf_lock; 4025 newbie->ipsacq_next = bucket->iacqf_ipsacq; 4026 newbie->ipsacq_ptpn = &bucket->iacqf_ipsacq; 4027 if (newbie->ipsacq_next != NULL) 4028 newbie->ipsacq_next->ipsacq_ptpn = &newbie->ipsacq_next; 4029 bucket->iacqf_ipsacq = newbie; 4030 mutex_init(&newbie->ipsacq_lock, NULL, MUTEX_DEFAULT, NULL); 4031 mutex_enter(&newbie->ipsacq_lock); 4032 } 4033 4034 mutex_exit(&bucket->iacqf_lock); 4035 4036 /* 4037 * This assert looks silly for now, but we may need to enter newbie's 4038 * mutex during a search. 4039 */ 4040 ASSERT(MUTEX_HELD(&newbie->ipsacq_lock)); 4041 4042 mp->b_next = NULL; 4043 /* Queue up packet. Use b_next. */ 4044 if (newbie->ipsacq_numpackets == 0) { 4045 /* First one. */ 4046 newbie->ipsacq_mp = mp; 4047 newbie->ipsacq_numpackets = 1; 4048 (void) drv_getparm(TIME, &newbie->ipsacq_expire); 4049 /* 4050 * Extended ACQUIRE with both AH+ESP will use ESP's timeout 4051 * value. 4052 */ 4053 newbie->ipsacq_expire += *spp->s_acquire_timeout; 4054 newbie->ipsacq_seq = seq; 4055 newbie->ipsacq_addrfam = af; 4056 4057 newbie->ipsacq_srcport = io->ipsec_out_src_port; 4058 newbie->ipsacq_dstport = io->ipsec_out_dst_port; 4059 newbie->ipsacq_icmp_type = io->ipsec_out_icmp_type; 4060 newbie->ipsacq_icmp_code = io->ipsec_out_icmp_code; 4061 newbie->ipsacq_proto = io->ipsec_out_proto; 4062 newbie->ipsacq_unique_id = unique_id; 4063 } else { 4064 /* Scan to the end of the list & insert. */ 4065 mblk_t *lastone = newbie->ipsacq_mp; 4066 4067 while (lastone->b_next != NULL) 4068 lastone = lastone->b_next; 4069 lastone->b_next = mp; 4070 if (newbie->ipsacq_numpackets++ == ipsacq_maxpackets) { 4071 newbie->ipsacq_numpackets = ipsacq_maxpackets; 4072 lastone = newbie->ipsacq_mp; 4073 newbie->ipsacq_mp = lastone->b_next; 4074 lastone->b_next = NULL; 4075 ip_drop_packet(lastone, B_FALSE, NULL, NULL, 4076 &ipdrops_sadb_acquire_toofull, &sadb_dropper); 4077 } else { 4078 IP_ACQUIRE_STAT(qhiwater, newbie->ipsacq_numpackets); 4079 } 4080 } 4081 4082 /* 4083 * Reset addresses. Set them to the most recently added mblk chain, 4084 * so that the address pointers in the acquire record will point 4085 * at an mblk still attached to the acquire list. 4086 */ 4087 4088 newbie->ipsacq_srcaddr = src; 4089 newbie->ipsacq_dstaddr = dst; 4090 4091 /* 4092 * If the acquire record has more than one queued packet, we've 4093 * already sent an ACQUIRE, and don't need to repeat ourself. 4094 */ 4095 if (newbie->ipsacq_seq != seq || newbie->ipsacq_numpackets > 1) { 4096 /* I have an acquire outstanding already! */ 4097 mutex_exit(&newbie->ipsacq_lock); 4098 return; 4099 } 4100 4101 if (keysock_extended_reg()) { 4102 /* 4103 * Construct an extended ACQUIRE. There are logging 4104 * opportunities here in failure cases. 4105 */ 4106 4107 extended = sadb_keysock_out(0); 4108 if (extended != NULL) { 4109 extended->b_cont = sadb_extended_acquire(&sel, pp, ap, 4110 seq, 0); 4111 if (extended->b_cont == NULL) { 4112 freeb(extended); 4113 extended = NULL; 4114 } 4115 } 4116 } else 4117 extended = NULL; 4118 4119 /* 4120 * Send an ACQUIRE message (and possible an extended ACQUIRE) based on 4121 * this new record. The send-acquire callback assumes that acqrec is 4122 * already locked. 4123 */ 4124 (*spp->s_acqfn)(newbie, extended); 4125 } 4126 4127 /* 4128 * Unlink and free an acquire record. 4129 */ 4130 void 4131 sadb_destroy_acquire(ipsacq_t *acqrec) 4132 { 4133 mblk_t *mp; 4134 4135 ASSERT(MUTEX_HELD(acqrec->ipsacq_linklock)); 4136 4137 if (acqrec->ipsacq_policy != NULL) { 4138 IPPOL_REFRELE(acqrec->ipsacq_policy); 4139 } 4140 if (acqrec->ipsacq_act != NULL) { 4141 IPACT_REFRELE(acqrec->ipsacq_act); 4142 } 4143 4144 /* Unlink */ 4145 *(acqrec->ipsacq_ptpn) = acqrec->ipsacq_next; 4146 if (acqrec->ipsacq_next != NULL) 4147 acqrec->ipsacq_next->ipsacq_ptpn = acqrec->ipsacq_ptpn; 4148 4149 /* 4150 * Free hanging mp's. 4151 * 4152 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED. 4153 */ 4154 4155 mutex_enter(&acqrec->ipsacq_lock); 4156 while (acqrec->ipsacq_mp != NULL) { 4157 mp = acqrec->ipsacq_mp; 4158 acqrec->ipsacq_mp = mp->b_next; 4159 mp->b_next = NULL; 4160 ip_drop_packet(mp, B_FALSE, NULL, NULL, 4161 &ipdrops_sadb_acquire_timeout, &sadb_dropper); 4162 } 4163 mutex_exit(&acqrec->ipsacq_lock); 4164 4165 /* Free */ 4166 mutex_destroy(&acqrec->ipsacq_lock); 4167 kmem_free(acqrec, sizeof (*acqrec)); 4168 } 4169 4170 /* 4171 * Destroy an acquire list fanout. 4172 */ 4173 static void 4174 sadb_destroy_acqlist(iacqf_t **listp, uint_t numentries, boolean_t forever) 4175 { 4176 int i; 4177 iacqf_t *list = *listp; 4178 4179 if (list == NULL) 4180 return; 4181 4182 for (i = 0; i < numentries; i++) { 4183 mutex_enter(&(list[i].iacqf_lock)); 4184 while (list[i].iacqf_ipsacq != NULL) 4185 sadb_destroy_acquire(list[i].iacqf_ipsacq); 4186 mutex_exit(&(list[i].iacqf_lock)); 4187 if (forever) 4188 mutex_destroy(&(list[i].iacqf_lock)); 4189 } 4190 4191 if (forever) { 4192 *listp = NULL; 4193 kmem_free(list, numentries * sizeof (*list)); 4194 } 4195 } 4196 4197 /* 4198 * Create an algorithm descriptor for an extended ACQUIRE. Filter crypto 4199 * framework's view of reality vs. IPsec's. EF's wins, BTW. 4200 */ 4201 static uint8_t * 4202 sadb_new_algdesc(uint8_t *start, uint8_t *limit, 4203 sadb_x_ecomb_t *ecomb, uint8_t satype, uint8_t algtype, 4204 uint8_t alg, uint16_t minbits, uint16_t maxbits) 4205 { 4206 uint8_t *cur = start; 4207 ipsec_alginfo_t *algp; 4208 sadb_x_algdesc_t *algdesc = (sadb_x_algdesc_t *)cur; 4209 4210 cur += sizeof (*algdesc); 4211 if (cur >= limit) 4212 return (NULL); 4213 4214 ecomb->sadb_x_ecomb_numalgs++; 4215 4216 /* 4217 * Normalize vs. crypto framework's limits. This way, you can specify 4218 * a stronger policy, and when the framework loads a stronger version, 4219 * you can just keep plowing w/o rewhacking your SPD. 4220 */ 4221 mutex_enter(&alg_lock); 4222 algp = ipsec_alglists[(algtype == SADB_X_ALGTYPE_AUTH) ? 4223 IPSEC_ALG_AUTH : IPSEC_ALG_ENCR][alg]; 4224 if (minbits < algp->alg_ef_minbits) 4225 minbits = algp->alg_ef_minbits; 4226 if (maxbits > algp->alg_ef_maxbits) 4227 maxbits = algp->alg_ef_maxbits; 4228 mutex_exit(&alg_lock); 4229 4230 algdesc->sadb_x_algdesc_satype = satype; 4231 algdesc->sadb_x_algdesc_algtype = algtype; 4232 algdesc->sadb_x_algdesc_alg = alg; 4233 algdesc->sadb_x_algdesc_minbits = minbits; 4234 algdesc->sadb_x_algdesc_maxbits = maxbits; 4235 algdesc->sadb_x_algdesc_reserved = 0; 4236 return (cur); 4237 } 4238 4239 /* 4240 * Convert the given ipsec_action_t into an ecomb starting at *ecomb 4241 * which must fit before *limit 4242 * 4243 * return NULL if we ran out of room or a pointer to the end of the ecomb. 4244 */ 4245 static uint8_t * 4246 sadb_action_to_ecomb(uint8_t *start, uint8_t *limit, ipsec_action_t *act) 4247 { 4248 uint8_t *cur = start; 4249 sadb_x_ecomb_t *ecomb = (sadb_x_ecomb_t *)cur; 4250 ipsec_prot_t *ipp; 4251 4252 cur += sizeof (*ecomb); 4253 if (cur >= limit) 4254 return (NULL); 4255 4256 ASSERT(act->ipa_act.ipa_type == IPSEC_ACT_APPLY); 4257 4258 ipp = &act->ipa_act.ipa_apply; 4259 4260 ecomb->sadb_x_ecomb_numalgs = 0; 4261 ecomb->sadb_x_ecomb_reserved = 0; 4262 ecomb->sadb_x_ecomb_reserved2 = 0; 4263 /* 4264 * No limits on allocations, since we really don't support that 4265 * concept currently. 4266 */ 4267 ecomb->sadb_x_ecomb_soft_allocations = 0; 4268 ecomb->sadb_x_ecomb_hard_allocations = 0; 4269 4270 /* 4271 * XXX TBD: Policy or global parameters will eventually be 4272 * able to fill in some of these. 4273 */ 4274 ecomb->sadb_x_ecomb_flags = 0; 4275 ecomb->sadb_x_ecomb_soft_bytes = 0; 4276 ecomb->sadb_x_ecomb_hard_bytes = 0; 4277 ecomb->sadb_x_ecomb_soft_addtime = 0; 4278 ecomb->sadb_x_ecomb_hard_addtime = 0; 4279 ecomb->sadb_x_ecomb_soft_usetime = 0; 4280 ecomb->sadb_x_ecomb_hard_usetime = 0; 4281 4282 if (ipp->ipp_use_ah) { 4283 cur = sadb_new_algdesc(cur, limit, ecomb, 4284 SADB_SATYPE_AH, SADB_X_ALGTYPE_AUTH, ipp->ipp_auth_alg, 4285 ipp->ipp_ah_minbits, ipp->ipp_ah_maxbits); 4286 if (cur == NULL) 4287 return (NULL); 4288 ipsecah_fill_defs(ecomb); 4289 } 4290 4291 if (ipp->ipp_use_esp) { 4292 if (ipp->ipp_use_espa) { 4293 cur = sadb_new_algdesc(cur, limit, ecomb, 4294 SADB_SATYPE_ESP, SADB_X_ALGTYPE_AUTH, 4295 ipp->ipp_esp_auth_alg, 4296 ipp->ipp_espa_minbits, 4297 ipp->ipp_espa_maxbits); 4298 if (cur == NULL) 4299 return (NULL); 4300 } 4301 4302 cur = sadb_new_algdesc(cur, limit, ecomb, 4303 SADB_SATYPE_ESP, SADB_X_ALGTYPE_CRYPT, 4304 ipp->ipp_encr_alg, 4305 ipp->ipp_espe_minbits, 4306 ipp->ipp_espe_maxbits); 4307 if (cur == NULL) 4308 return (NULL); 4309 /* Fill in lifetimes if and only if AH didn't already... */ 4310 if (!ipp->ipp_use_ah) 4311 ipsecesp_fill_defs(ecomb); 4312 } 4313 4314 return (cur); 4315 } 4316 4317 /* 4318 * Construct an extended ACQUIRE message based on a selector and the resulting 4319 * IPsec action. 4320 * 4321 * NOTE: This is used by both inverse ACQUIRE and actual ACQUIRE 4322 * generation. As a consequence, expect this function to evolve 4323 * rapidly. 4324 */ 4325 static mblk_t * 4326 sadb_extended_acquire(ipsec_selector_t *sel, ipsec_policy_t *pol, 4327 ipsec_action_t *act, uint32_t seq, uint32_t pid) 4328 { 4329 mblk_t *mp; 4330 sadb_msg_t *samsg; 4331 uint8_t *start, *cur, *end; 4332 uint32_t *saddrptr, *daddrptr; 4333 sa_family_t af; 4334 sadb_prop_t *eprop; 4335 ipsec_action_t *ap, *an; 4336 uint8_t proto; 4337 uint16_t lport, rport; 4338 uint32_t kmp, kmc; 4339 4340 /* 4341 * Find the action we want sooner rather than later.. 4342 */ 4343 an = NULL; 4344 if (pol == NULL) { 4345 ap = act; 4346 } else { 4347 ap = pol->ipsp_act; 4348 4349 if (ap != NULL) 4350 an = ap->ipa_next; 4351 } 4352 4353 /* 4354 * Just take a swag for the allocation for now. We can always 4355 * alter it later. 4356 */ 4357 #define SADB_EXTENDED_ACQUIRE_SIZE 2048 4358 mp = allocb(SADB_EXTENDED_ACQUIRE_SIZE, BPRI_HI); 4359 if (mp == NULL) 4360 return (NULL); 4361 if (sel->ips_isv4) { 4362 af = AF_INET; 4363 saddrptr = (uint32_t *)(&sel->ips_local_addr_v4); 4364 daddrptr = (uint32_t *)(&sel->ips_remote_addr_v4); 4365 } else { 4366 af = AF_INET6; 4367 saddrptr = (uint32_t *)(&sel->ips_local_addr_v6); 4368 daddrptr = (uint32_t *)(&sel->ips_remote_addr_v6); 4369 } 4370 4371 start = mp->b_rptr; 4372 end = start + SADB_EXTENDED_ACQUIRE_SIZE; 4373 4374 cur = start; 4375 4376 samsg = (sadb_msg_t *)cur; 4377 cur += sizeof (*samsg); 4378 4379 samsg->sadb_msg_version = PF_KEY_V2; 4380 samsg->sadb_msg_type = SADB_ACQUIRE; 4381 samsg->sadb_msg_errno = 0; 4382 samsg->sadb_msg_reserved = 0; 4383 samsg->sadb_msg_satype = 0; 4384 samsg->sadb_msg_seq = seq; 4385 samsg->sadb_msg_pid = pid; 4386 4387 proto = sel->ips_protocol; 4388 lport = sel->ips_local_port; 4389 rport = sel->ips_remote_port; 4390 4391 /* 4392 * Unless our policy says "sa unique", drop port/proto 4393 * selectors, then add them back if policy rule includes them.. 4394 */ 4395 4396 if ((ap != NULL) && (!ap->ipa_want_unique)) { 4397 proto = 0; 4398 lport = 0; 4399 rport = 0; 4400 if (pol != NULL) { 4401 ipsec_selkey_t *psel = &pol->ipsp_sel->ipsl_key; 4402 if (psel->ipsl_valid & IPSL_PROTOCOL) 4403 proto = psel->ipsl_proto; 4404 if (psel->ipsl_valid & IPSL_REMOTE_PORT) 4405 rport = psel->ipsl_rport; 4406 if (psel->ipsl_valid & IPSL_LOCAL_PORT) 4407 lport = psel->ipsl_lport; 4408 } 4409 } 4410 4411 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 4412 saddrptr, lport, proto); 4413 4414 if (cur == NULL) { 4415 freeb(mp); 4416 return (NULL); 4417 } 4418 4419 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 4420 daddrptr, rport, proto); 4421 4422 if (cur == NULL) { 4423 freeb(mp); 4424 return (NULL); 4425 } 4426 4427 /* 4428 * This section will change a lot as policy evolves. 4429 * For now, it'll be relatively simple. 4430 */ 4431 eprop = (sadb_prop_t *)cur; 4432 cur += sizeof (*eprop); 4433 if (cur > end) { 4434 /* no space left */ 4435 freeb(mp); 4436 return (NULL); 4437 } 4438 4439 eprop->sadb_prop_exttype = SADB_X_EXT_EPROP; 4440 eprop->sadb_x_prop_ereserved = 0; 4441 eprop->sadb_x_prop_numecombs = 0; 4442 eprop->sadb_prop_replay = 32; /* default */ 4443 4444 kmc = kmp = 0; 4445 4446 for (; ap != NULL; ap = an) { 4447 an = (pol != NULL) ? ap->ipa_next : NULL; 4448 4449 /* 4450 * Skip non-IPsec policies 4451 */ 4452 if (ap->ipa_act.ipa_type != IPSEC_ACT_APPLY) 4453 continue; 4454 4455 if (ap->ipa_act.ipa_apply.ipp_km_proto) 4456 kmp = ap->ipa_act.ipa_apply.ipp_km_proto; 4457 if (ap->ipa_act.ipa_apply.ipp_km_cookie) 4458 kmc = ap->ipa_act.ipa_apply.ipp_km_cookie; 4459 if (ap->ipa_act.ipa_apply.ipp_replay_depth) { 4460 eprop->sadb_prop_replay = 4461 ap->ipa_act.ipa_apply.ipp_replay_depth; 4462 } 4463 4464 cur = sadb_action_to_ecomb(cur, end, ap); 4465 if (cur == NULL) { /* no space */ 4466 freeb(mp); 4467 return (NULL); 4468 } 4469 eprop->sadb_x_prop_numecombs++; 4470 } 4471 4472 if (eprop->sadb_x_prop_numecombs == 0) { 4473 /* 4474 * This will happen if we fail to find a policy 4475 * allowing for IPsec processing. 4476 * Construct an error message. 4477 */ 4478 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 4479 samsg->sadb_msg_errno = ENOENT; 4480 samsg->sadb_x_msg_diagnostic = 0; 4481 return (mp); 4482 } 4483 4484 if ((kmp != 0) || (kmc != 0)) { 4485 cur = sadb_make_kmc_ext(cur, end, kmp, kmc); 4486 if (cur == NULL) { 4487 freeb(mp); 4488 return (NULL); 4489 } 4490 } 4491 4492 eprop->sadb_prop_len = SADB_8TO64(cur - (uint8_t *)eprop); 4493 samsg->sadb_msg_len = SADB_8TO64(cur-start); 4494 mp->b_wptr = cur; 4495 4496 return (mp); 4497 } 4498 4499 /* 4500 * Generic setup of an ACQUIRE message. Caller sets satype. 4501 */ 4502 uint8_t * 4503 sadb_setup_acquire(uint8_t *start, uint8_t *end, ipsacq_t *acqrec) 4504 { 4505 sa_family_t af; 4506 uint8_t *cur = start; 4507 sadb_msg_t *samsg = (sadb_msg_t *)cur; 4508 uint16_t sport_typecode; 4509 uint16_t dport_typecode; 4510 uint8_t check_proto; 4511 4512 cur += sizeof (sadb_msg_t); 4513 if (cur > end) 4514 return (NULL); 4515 4516 /* use the address length to find the address family */ 4517 af = acqrec->ipsacq_addrfam; 4518 switch (af) { 4519 case AF_INET: 4520 check_proto = IPPROTO_ICMP; 4521 break; 4522 case AF_INET6: 4523 check_proto = IPPROTO_ICMPV6; 4524 break; 4525 default: 4526 /* This should never happen unless we have kernel bugs. */ 4527 cmn_err(CE_WARN, 4528 "sadb_setup_acquire: corrupt ACQUIRE record.\n"); 4529 ASSERT(0); 4530 return (NULL); 4531 } 4532 4533 samsg->sadb_msg_version = PF_KEY_V2; 4534 samsg->sadb_msg_type = SADB_ACQUIRE; 4535 samsg->sadb_msg_errno = 0; 4536 samsg->sadb_msg_pid = 0; 4537 samsg->sadb_msg_reserved = 0; 4538 samsg->sadb_msg_seq = acqrec->ipsacq_seq; 4539 4540 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock)); 4541 4542 if (acqrec->ipsacq_proto == check_proto) { 4543 sport_typecode = dport_typecode = 0; 4544 } else { 4545 sport_typecode = acqrec->ipsacq_srcport; 4546 dport_typecode = acqrec->ipsacq_dstport; 4547 } 4548 4549 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 4550 acqrec->ipsacq_srcaddr, sport_typecode, acqrec->ipsacq_proto); 4551 4552 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 4553 acqrec->ipsacq_dstaddr, dport_typecode, acqrec->ipsacq_proto); 4554 4555 if (cur != NULL) 4556 samsg->sadb_msg_len = SADB_8TO64(cur - start); 4557 4558 return (cur); 4559 } 4560 4561 /* 4562 * Given an SADB_GETSPI message, find an appropriately ranged SA and 4563 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1. 4564 * If there was a memory allocation error, return NULL. (Assume NULL != 4565 * (ipsa_t *)-1). 4566 * 4567 * master_spi is passed in host order. 4568 */ 4569 ipsa_t * 4570 sadb_getspi(keysock_in_t *ksi, uint32_t master_spi, int *diagnostic) 4571 { 4572 sadb_address_t *src = 4573 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC], 4574 *dst = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 4575 sadb_spirange_t *range = 4576 (sadb_spirange_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE]; 4577 struct sockaddr_in *ssa, *dsa; 4578 struct sockaddr_in6 *ssa6, *dsa6; 4579 uint32_t *srcaddr, *dstaddr; 4580 sa_family_t af; 4581 uint32_t add, min, max; 4582 4583 if (src == NULL) { 4584 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 4585 return ((ipsa_t *)-1); 4586 } 4587 if (dst == NULL) { 4588 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 4589 return ((ipsa_t *)-1); 4590 } 4591 if (range == NULL) { 4592 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_RANGE; 4593 return ((ipsa_t *)-1); 4594 } 4595 4596 min = ntohl(range->sadb_spirange_min); 4597 max = ntohl(range->sadb_spirange_max); 4598 dsa = (struct sockaddr_in *)(dst + 1); 4599 dsa6 = (struct sockaddr_in6 *)dsa; 4600 4601 ssa = (struct sockaddr_in *)(src + 1); 4602 ssa6 = (struct sockaddr_in6 *)ssa; 4603 if (dsa->sin_family != ssa->sin_family) { 4604 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 4605 return ((ipsa_t *)-1); 4606 } 4607 4608 srcaddr = ALL_ZEROES_PTR; 4609 af = dsa->sin_family; 4610 switch (af) { 4611 case AF_INET: 4612 if (src != NULL) 4613 srcaddr = (uint32_t *)(&ssa->sin_addr); 4614 dstaddr = (uint32_t *)(&dsa->sin_addr); 4615 break; 4616 case AF_INET6: 4617 if (src != NULL) 4618 srcaddr = (uint32_t *)(&ssa6->sin6_addr); 4619 dstaddr = (uint32_t *)(&dsa6->sin6_addr); 4620 break; 4621 default: 4622 *diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 4623 return ((ipsa_t *)-1); 4624 } 4625 4626 if (master_spi < min || master_spi > max) { 4627 /* Return a random value in the range. */ 4628 (void) random_get_pseudo_bytes((uint8_t *)&add, sizeof (add)); 4629 master_spi = min + (add % (max - min + 1)); 4630 } 4631 4632 /* 4633 * Since master_spi is passed in host order, we need to htonl() it 4634 * for the purposes of creating a new SA. 4635 */ 4636 return (sadb_makelarvalassoc(htonl(master_spi), srcaddr, dstaddr, af)); 4637 } 4638 4639 /* 4640 * 4641 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the 4642 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list 4643 * and scan for the sequence number in question. I may wish to accept an 4644 * address pair with it, for easier searching. 4645 * 4646 * Caller frees the message, so we don't have to here. 4647 * 4648 * NOTE: The ip_q parameter may be used in the future for ACQUIRE 4649 * failures. 4650 */ 4651 /* ARGSUSED */ 4652 void 4653 sadb_in_acquire(sadb_msg_t *samsg, sadbp_t *sp, queue_t *ip_q) 4654 { 4655 int i; 4656 ipsacq_t *acqrec; 4657 iacqf_t *bucket; 4658 4659 /* 4660 * I only accept the base header for this! 4661 * Though to be honest, requiring the dst address would help 4662 * immensely. 4663 * 4664 * XXX There are already cases where I can get the dst address. 4665 */ 4666 if (samsg->sadb_msg_len > SADB_8TO64(sizeof (*samsg))) 4667 return; 4668 4669 /* 4670 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it, 4671 * (and in the future send a message to IP with the appropriate error 4672 * number). 4673 * 4674 * Q: Do I want to reject if pid != 0? 4675 */ 4676 4677 for (i = 0; i < sp->s_v4.sdb_hashsize; i++) { 4678 bucket = &sp->s_v4.sdb_acq[i]; 4679 mutex_enter(&bucket->iacqf_lock); 4680 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 4681 acqrec = acqrec->ipsacq_next) { 4682 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 4683 break; /* for acqrec... loop. */ 4684 } 4685 if (acqrec != NULL) 4686 break; /* for i = 0... loop. */ 4687 4688 mutex_exit(&bucket->iacqf_lock); 4689 } 4690 4691 if (acqrec == NULL) { 4692 for (i = 0; i < sp->s_v6.sdb_hashsize; i++) { 4693 bucket = &sp->s_v6.sdb_acq[i]; 4694 mutex_enter(&bucket->iacqf_lock); 4695 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 4696 acqrec = acqrec->ipsacq_next) { 4697 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 4698 break; /* for acqrec... loop. */ 4699 } 4700 if (acqrec != NULL) 4701 break; /* for i = 0... loop. */ 4702 4703 mutex_exit(&bucket->iacqf_lock); 4704 } 4705 } 4706 4707 4708 if (acqrec == NULL) 4709 return; 4710 4711 /* 4712 * What do I do with the errno and IP? I may need mp's services a 4713 * little more. See sadb_destroy_acquire() for future directions 4714 * beyond free the mblk chain on the acquire record. 4715 */ 4716 4717 ASSERT(&bucket->iacqf_lock == acqrec->ipsacq_linklock); 4718 sadb_destroy_acquire(acqrec); 4719 /* Have to exit mutex here, because of breaking out of for loop. */ 4720 mutex_exit(&bucket->iacqf_lock); 4721 } 4722 4723 /* 4724 * The following functions work with the replay windows of an SA. They assume 4725 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector 4726 * represents the highest sequence number packet received, and back 4727 * (ipsa->ipsa_replay_wsize) packets. 4728 */ 4729 4730 /* 4731 * Is the replay bit set? 4732 */ 4733 static boolean_t 4734 ipsa_is_replay_set(ipsa_t *ipsa, uint32_t offset) 4735 { 4736 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 4737 4738 return ((bit & ipsa->ipsa_replay_arr[offset >> 6]) ? B_TRUE : B_FALSE); 4739 } 4740 4741 /* 4742 * Shift the bits of the replay window over. 4743 */ 4744 static void 4745 ipsa_shift_replay(ipsa_t *ipsa, uint32_t shift) 4746 { 4747 int i; 4748 int jump = ((shift - 1) >> 6) + 1; 4749 4750 if (shift == 0) 4751 return; 4752 4753 for (i = (ipsa->ipsa_replay_wsize - 1) >> 6; i >= 0; i--) { 4754 if (i + jump <= (ipsa->ipsa_replay_wsize - 1) >> 6) { 4755 ipsa->ipsa_replay_arr[i + jump] |= 4756 ipsa->ipsa_replay_arr[i] >> (64 - (shift & 63)); 4757 } 4758 ipsa->ipsa_replay_arr[i] <<= shift; 4759 } 4760 } 4761 4762 /* 4763 * Set a bit in the bit vector. 4764 */ 4765 static void 4766 ipsa_set_replay(ipsa_t *ipsa, uint32_t offset) 4767 { 4768 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 4769 4770 ipsa->ipsa_replay_arr[offset >> 6] |= bit; 4771 } 4772 4773 #define SADB_MAX_REPLAY_VALUE 0xffffffff 4774 4775 /* 4776 * Assume caller has NOT done ntohl() already on seq. Check to see 4777 * if replay sequence number "seq" has been seen already. 4778 */ 4779 boolean_t 4780 sadb_replay_check(ipsa_t *ipsa, uint32_t seq) 4781 { 4782 boolean_t rc; 4783 uint32_t diff; 4784 4785 if (ipsa->ipsa_replay_wsize == 0) 4786 return (B_TRUE); 4787 4788 /* 4789 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek(). 4790 */ 4791 4792 /* Convert sequence number into host order before holding the mutex. */ 4793 seq = ntohl(seq); 4794 4795 mutex_enter(&ipsa->ipsa_lock); 4796 4797 /* Initialize inbound SA's ipsa_replay field to last one received. */ 4798 if (ipsa->ipsa_replay == 0) 4799 ipsa->ipsa_replay = 1; 4800 4801 if (seq > ipsa->ipsa_replay) { 4802 /* 4803 * I have received a new "highest value received". Shift 4804 * the replay window over. 4805 */ 4806 diff = seq - ipsa->ipsa_replay; 4807 if (diff < ipsa->ipsa_replay_wsize) { 4808 /* In replay window, shift bits over. */ 4809 ipsa_shift_replay(ipsa, diff); 4810 } else { 4811 /* WAY FAR AHEAD, clear bits and start again. */ 4812 bzero(ipsa->ipsa_replay_arr, 4813 sizeof (ipsa->ipsa_replay_arr)); 4814 } 4815 ipsa_set_replay(ipsa, 0); 4816 ipsa->ipsa_replay = seq; 4817 rc = B_TRUE; 4818 goto done; 4819 } 4820 diff = ipsa->ipsa_replay - seq; 4821 if (diff >= ipsa->ipsa_replay_wsize || ipsa_is_replay_set(ipsa, diff)) { 4822 rc = B_FALSE; 4823 goto done; 4824 } 4825 /* Set this packet as seen. */ 4826 ipsa_set_replay(ipsa, diff); 4827 4828 rc = B_TRUE; 4829 done: 4830 mutex_exit(&ipsa->ipsa_lock); 4831 return (rc); 4832 } 4833 4834 /* 4835 * "Peek" and see if we should even bother going through the effort of 4836 * running an authentication check on the sequence number passed in. 4837 * this takes into account packets that are below the replay window, 4838 * and collisions with already replayed packets. Return B_TRUE if it 4839 * is okay to proceed, B_FALSE if this packet should be dropped immeidately. 4840 * Assume same byte-ordering as sadb_replay_check. 4841 */ 4842 boolean_t 4843 sadb_replay_peek(ipsa_t *ipsa, uint32_t seq) 4844 { 4845 boolean_t rc = B_FALSE; 4846 uint32_t diff; 4847 4848 if (ipsa->ipsa_replay_wsize == 0) 4849 return (B_TRUE); 4850 4851 /* 4852 * 0 is 0, regardless of byte order... :) 4853 * 4854 * If I get 0 on the wire (and there is a replay window) then the 4855 * sender most likely wrapped. This ipsa may need to be marked or 4856 * something. 4857 */ 4858 if (seq == 0) 4859 return (B_FALSE); 4860 4861 seq = ntohl(seq); 4862 mutex_enter(&ipsa->ipsa_lock); 4863 if (seq < ipsa->ipsa_replay - ipsa->ipsa_replay_wsize && 4864 ipsa->ipsa_replay >= ipsa->ipsa_replay_wsize) 4865 goto done; 4866 4867 /* 4868 * If I've hit 0xffffffff, then quite honestly, I don't need to 4869 * bother with formalities. I'm not accepting any more packets 4870 * on this SA. 4871 */ 4872 if (ipsa->ipsa_replay == SADB_MAX_REPLAY_VALUE) { 4873 /* 4874 * Since we're already holding the lock, update the 4875 * expire time ala. sadb_replay_delete() and return. 4876 */ 4877 ipsa->ipsa_hardexpiretime = (time_t)1; 4878 goto done; 4879 } 4880 4881 if (seq <= ipsa->ipsa_replay) { 4882 /* 4883 * This seq is in the replay window. I'm not below it, 4884 * because I already checked for that above! 4885 */ 4886 diff = ipsa->ipsa_replay - seq; 4887 if (ipsa_is_replay_set(ipsa, diff)) 4888 goto done; 4889 } 4890 /* Else return B_TRUE, I'm going to advance the window. */ 4891 4892 rc = B_TRUE; 4893 done: 4894 mutex_exit(&ipsa->ipsa_lock); 4895 return (rc); 4896 } 4897 4898 /* 4899 * Delete a single SA. 4900 * 4901 * For now, use the quick-and-dirty trick of making the association's 4902 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager(). 4903 */ 4904 void 4905 sadb_replay_delete(ipsa_t *assoc) 4906 { 4907 mutex_enter(&assoc->ipsa_lock); 4908 assoc->ipsa_hardexpiretime = (time_t)1; 4909 mutex_exit(&assoc->ipsa_lock); 4910 } 4911 4912 /* 4913 * Given a queue that presumably points to IP, send a T_BIND_REQ for _proto_ 4914 * down. The caller will handle the T_BIND_ACK locally. 4915 */ 4916 boolean_t 4917 sadb_t_bind_req(queue_t *q, int proto) 4918 { 4919 struct T_bind_req *tbr; 4920 mblk_t *mp; 4921 4922 mp = allocb(sizeof (struct T_bind_req) + 1, BPRI_HI); 4923 if (mp == NULL) { 4924 /* cmn_err(CE_WARN, */ 4925 /* "sadb_t_bind_req(%d): couldn't allocate mblk\n", proto); */ 4926 return (B_FALSE); 4927 } 4928 mp->b_datap->db_type = M_PCPROTO; 4929 tbr = (struct T_bind_req *)mp->b_rptr; 4930 mp->b_wptr += sizeof (struct T_bind_req); 4931 tbr->PRIM_type = T_BIND_REQ; 4932 tbr->ADDR_length = 0; 4933 tbr->ADDR_offset = 0; 4934 tbr->CONIND_number = 0; 4935 *mp->b_wptr = (uint8_t)proto; 4936 mp->b_wptr++; 4937 4938 putnext(q, mp); 4939 return (B_TRUE); 4940 } 4941 4942 /* 4943 * Special front-end to ipsec_rl_strlog() dealing with SA failure. 4944 * this is designed to take only a format string with "* %x * %s *", so 4945 * that "spi" is printed first, then "addr" is converted using inet_pton(). 4946 * 4947 * This is abstracted out to save the stack space for only when inet_pton() 4948 * is called. Make sure "spi" is in network order; it usually is when this 4949 * would get called. 4950 */ 4951 void 4952 ipsec_assocfailure(short mid, short sid, char level, ushort_t sl, char *fmt, 4953 uint32_t spi, void *addr, int af) 4954 { 4955 char buf[INET6_ADDRSTRLEN]; 4956 4957 ASSERT(af == AF_INET6 || af == AF_INET); 4958 4959 ipsec_rl_strlog(mid, sid, level, sl, fmt, ntohl(spi), 4960 inet_ntop(af, addr, buf, sizeof (buf))); 4961 } 4962 4963 /* 4964 * Fills in a reference to the policy, if any, from the conn, in *ppp 4965 * Releases a reference to the passed conn_t. 4966 */ 4967 4968 /* ARGSUSED */ 4969 static void 4970 ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp, 4971 ipsec_action_t **app) 4972 { 4973 ipsec_policy_t *pp; 4974 ipsec_latch_t *ipl = connp->conn_latch; 4975 4976 if ((ipl != NULL) && (ipl->ipl_out_policy != NULL)) { 4977 pp = ipl->ipl_out_policy; 4978 IPPOL_REFHOLD(pp); 4979 } else { 4980 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel); 4981 } 4982 *ppp = pp; 4983 CONN_DEC_REF(connp); 4984 } 4985 4986 /* 4987 * The following functions scan through active conn_t structures 4988 * and return a reference to the best-matching policy it can find. 4989 * Caller must release the reference. 4990 */ 4991 static void 4992 ipsec_udp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ipsec_action_t **app) 4993 { 4994 connf_t *connfp; 4995 conn_t *connp = NULL; 4996 ipsec_selector_t portonly; 4997 4998 bzero((void*)&portonly, sizeof (portonly)); 4999 5000 if (sel->ips_local_port == 0) 5001 return; 5002 5003 connfp = &ipcl_udp_fanout[IPCL_UDP_HASH(sel->ips_local_port)]; 5004 mutex_enter(&connfp->connf_lock); 5005 5006 if (sel->ips_isv4) { 5007 connp = connfp->connf_head; 5008 while (connp != NULL) { 5009 if (IPCL_UDP_MATCH(connp, sel->ips_local_port, 5010 sel->ips_local_addr_v4, sel->ips_remote_port, 5011 sel->ips_remote_addr_v4)) 5012 break; 5013 connp = connp->conn_next; 5014 } 5015 5016 if (connp == NULL) { 5017 /* Try port-only match in IPv6. */ 5018 portonly.ips_local_port = sel->ips_local_port; 5019 sel = &portonly; 5020 } 5021 } 5022 5023 if (connp == NULL) { 5024 connp = connfp->connf_head; 5025 while (connp != NULL) { 5026 if (IPCL_UDP_MATCH_V6(connp, sel->ips_local_port, 5027 sel->ips_local_addr_v6, sel->ips_remote_port, 5028 sel->ips_remote_addr_v6)) 5029 break; 5030 connp = connp->conn_next; 5031 } 5032 5033 if (connp == NULL) { 5034 mutex_exit(&connfp->connf_lock); 5035 return; 5036 } 5037 } 5038 5039 CONN_INC_REF(connp); 5040 mutex_exit(&connfp->connf_lock); 5041 5042 ipsec_conn_pol(sel, connp, ppp, app); 5043 } 5044 5045 static conn_t * 5046 ipsec_find_listen_conn(uint16_t *pptr, ipsec_selector_t *sel) 5047 { 5048 connf_t *connfp; 5049 conn_t *connp = NULL; 5050 const in6_addr_t *v6addrmatch = &sel->ips_local_addr_v6; 5051 5052 if (sel->ips_local_port == 0) 5053 return (NULL); 5054 5055 connfp = &ipcl_bind_fanout[IPCL_BIND_HASH(sel->ips_local_port)]; 5056 mutex_enter(&connfp->connf_lock); 5057 5058 if (sel->ips_isv4) { 5059 connp = connfp->connf_head; 5060 while (connp != NULL) { 5061 if (IPCL_BIND_MATCH(connp, IPPROTO_TCP, 5062 sel->ips_local_addr_v4, pptr[1])) 5063 break; 5064 connp = connp->conn_next; 5065 } 5066 5067 if (connp == NULL) { 5068 /* Match to all-zeroes. */ 5069 v6addrmatch = &ipv6_all_zeros; 5070 } 5071 } 5072 5073 if (connp == NULL) { 5074 connp = connfp->connf_head; 5075 while (connp != NULL) { 5076 if (IPCL_BIND_MATCH_V6(connp, IPPROTO_TCP, 5077 *v6addrmatch, pptr[1])) 5078 break; 5079 connp = connp->conn_next; 5080 } 5081 5082 if (connp == NULL) { 5083 mutex_exit(&connfp->connf_lock); 5084 return (NULL); 5085 } 5086 } 5087 5088 CONN_INC_REF(connp); 5089 mutex_exit(&connfp->connf_lock); 5090 return (connp); 5091 } 5092 5093 static void 5094 ipsec_tcp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ipsec_action_t **app) 5095 { 5096 connf_t *connfp; 5097 conn_t *connp; 5098 uint32_t ports; 5099 uint16_t *pptr = (uint16_t *)&ports; 5100 5101 /* 5102 * Find TCP state in the following order: 5103 * 1.) Connected conns. 5104 * 2.) Listeners. 5105 * 5106 * Even though #2 will be the common case for inbound traffic, only 5107 * following this order insures correctness. 5108 */ 5109 5110 if (sel->ips_local_port == 0) 5111 return; 5112 5113 /* 5114 * 0 should be fport, 1 should be lport. SRC is the local one here. 5115 * See ipsec_construct_inverse_acquire() for details. 5116 */ 5117 pptr[0] = sel->ips_remote_port; 5118 pptr[1] = sel->ips_local_port; 5119 5120 connfp = &ipcl_conn_fanout[IPCL_CONN_HASH(sel->ips_remote_addr_v4, 5121 ports)]; 5122 mutex_enter(&connfp->connf_lock); 5123 connp = connfp->connf_head; 5124 5125 if (sel->ips_isv4) { 5126 while (connp != NULL) { 5127 if (IPCL_CONN_MATCH(connp, IPPROTO_TCP, 5128 sel->ips_remote_addr_v4, sel->ips_local_addr_v4, 5129 ports)) 5130 break; 5131 connp = connp->conn_next; 5132 } 5133 } else { 5134 while (connp != NULL) { 5135 if (IPCL_CONN_MATCH_V6(connp, IPPROTO_TCP, 5136 sel->ips_remote_addr_v6, sel->ips_local_addr_v6, 5137 ports)) 5138 break; 5139 connp = connp->conn_next; 5140 } 5141 } 5142 5143 if (connp != NULL) { 5144 CONN_INC_REF(connp); 5145 mutex_exit(&connfp->connf_lock); 5146 } else { 5147 mutex_exit(&connfp->connf_lock); 5148 5149 /* Try the listen hash. */ 5150 if ((connp = ipsec_find_listen_conn(pptr, sel)) == NULL) 5151 return; 5152 } 5153 5154 ipsec_conn_pol(sel, connp, ppp, app); 5155 } 5156 5157 static void 5158 ipsec_sctp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 5159 ipsec_action_t **app) 5160 { 5161 conn_t *connp; 5162 uint32_t ports; 5163 uint16_t *pptr = (uint16_t *)&ports; 5164 5165 /* 5166 * Find SCP state in the following order: 5167 * 1.) Connected conns. 5168 * 2.) Listeners. 5169 * 5170 * Even though #2 will be the common case for inbound traffic, only 5171 * following this order insures correctness. 5172 */ 5173 5174 if (sel->ips_local_port == 0) 5175 return; 5176 5177 /* 5178 * 0 should be fport, 1 should be lport. SRC is the local one here. 5179 * See ipsec_construct_inverse_acquire() for details. 5180 */ 5181 pptr[0] = sel->ips_remote_port; 5182 pptr[1] = sel->ips_local_port; 5183 5184 if (sel->ips_isv4) { 5185 in6_addr_t src, dst; 5186 5187 IN6_IPADDR_TO_V4MAPPED(sel->ips_remote_addr_v4, &dst); 5188 IN6_IPADDR_TO_V4MAPPED(sel->ips_local_addr_v4, &src); 5189 connp = sctp_find_conn(&dst, &src, ports, 0, ALL_ZONES); 5190 } else { 5191 connp = sctp_find_conn(&sel->ips_remote_addr_v6, 5192 &sel->ips_local_addr_v6, ports, 0, ALL_ZONES); 5193 } 5194 if (connp == NULL) 5195 return; 5196 ipsec_conn_pol(sel, connp, ppp, app); 5197 } 5198 5199 static void 5200 ipsec_oth_pol(ipsec_selector_t *sel, 5201 ipsec_policy_t **ppp, ipsec_action_t **app) 5202 { 5203 boolean_t isv4 = sel->ips_isv4; 5204 connf_t *connfp; 5205 conn_t *connp; 5206 5207 if (isv4) { 5208 connfp = &ipcl_proto_fanout[sel->ips_protocol]; 5209 } else { 5210 connfp = &ipcl_proto_fanout_v6[sel->ips_protocol]; 5211 } 5212 5213 mutex_enter(&connfp->connf_lock); 5214 for (connp = connfp->connf_head; connp != NULL; 5215 connp = connp->conn_next) { 5216 if (!((isv4 && !((connp->conn_src == 0 || 5217 connp->conn_src == sel->ips_local_addr_v4) && 5218 (connp->conn_rem == 0 || 5219 connp->conn_rem == sel->ips_remote_addr_v4))) || 5220 (!isv4 && !((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_srcv6) || 5221 IN6_ARE_ADDR_EQUAL(&connp->conn_srcv6, 5222 &sel->ips_local_addr_v6)) && 5223 (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_remv6) || 5224 IN6_ARE_ADDR_EQUAL(&connp->conn_remv6, 5225 &sel->ips_remote_addr_v6)))))) { 5226 break; 5227 } 5228 } 5229 if (connp == NULL) { 5230 mutex_exit(&connfp->connf_lock); 5231 return; 5232 } 5233 5234 CONN_INC_REF(connp); 5235 mutex_exit(&connfp->connf_lock); 5236 5237 ipsec_conn_pol(sel, connp, ppp, app); 5238 } 5239 5240 /* 5241 * Construct an inverse ACQUIRE reply based on: 5242 * 5243 * 1.) Current global policy. 5244 * 2.) An conn_t match depending on what all was passed in the extv[]. 5245 * ... 5246 * N.) Other stuff TBD (e.g. identities) 5247 * 5248 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic 5249 * in this function so the caller can extract them where appropriately. 5250 * 5251 * The SRC address is the local one - just like an outbound ACQUIRE message. 5252 */ 5253 mblk_t * 5254 ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[]) 5255 { 5256 int err; 5257 int diagnostic; 5258 sadb_address_t *srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC], 5259 *dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST]; 5260 struct sockaddr_in *src, *dst; 5261 struct sockaddr_in6 *src6, *dst6; 5262 ipsec_policy_t *pp; 5263 ipsec_action_t *ap; 5264 ipsec_selector_t sel; 5265 mblk_t *retmp; 5266 5267 bzero(&sel, sizeof (sel)); 5268 sel.ips_protocol = srcext->sadb_address_proto; 5269 dst = (struct sockaddr_in *)(dstext + 1); 5270 if (dst->sin_family == AF_INET6) { 5271 dst6 = (struct sockaddr_in6 *)dst; 5272 src6 = (struct sockaddr_in6 *)(srcext + 1); 5273 if (src6->sin6_family != AF_INET6) { 5274 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 5275 err = EINVAL; 5276 goto bail; 5277 } 5278 sel.ips_remote_addr_v6 = dst6->sin6_addr; 5279 sel.ips_local_addr_v6 = src6->sin6_addr; 5280 if (sel.ips_protocol == IPPROTO_ICMPV6) { 5281 sel.ips_is_icmp_inv_acq = 1; 5282 } else { 5283 sel.ips_remote_port = dst6->sin6_port; 5284 sel.ips_local_port = src6->sin6_port; 5285 } 5286 sel.ips_isv4 = B_FALSE; 5287 } else { 5288 src = (struct sockaddr_in *)(srcext + 1); 5289 if (src->sin_family != AF_INET) { 5290 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 5291 err = EINVAL; 5292 goto bail; 5293 } 5294 sel.ips_remote_addr_v4 = dst->sin_addr.s_addr; 5295 sel.ips_local_addr_v4 = src->sin_addr.s_addr; 5296 if (sel.ips_protocol == IPPROTO_ICMP) { 5297 sel.ips_is_icmp_inv_acq = 1; 5298 } else { 5299 sel.ips_remote_port = dst->sin_port; 5300 sel.ips_local_port = src->sin_port; 5301 } 5302 sel.ips_isv4 = B_TRUE; 5303 } 5304 5305 /* 5306 * Okay, we have the addresses and other selector information. 5307 * Let's first find a conn... 5308 */ 5309 pp = NULL; ap = NULL; 5310 switch (sel.ips_protocol) { 5311 case IPPROTO_TCP: 5312 ipsec_tcp_pol(&sel, &pp, &ap); 5313 break; 5314 case IPPROTO_UDP: 5315 ipsec_udp_pol(&sel, &pp, &ap); 5316 break; 5317 case IPPROTO_SCTP: 5318 ipsec_sctp_pol(&sel, &pp, &ap); 5319 break; 5320 default: 5321 ipsec_oth_pol(&sel, &pp, &ap); 5322 break; 5323 } 5324 5325 /* 5326 * If we didn't find a matching conn_t, take a look in the global 5327 * policy. 5328 */ 5329 if ((pp == NULL) && (ap == NULL)) { 5330 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, NULL, &sel); 5331 if (pp == NULL) { 5332 /* There's no global policy. */ 5333 err = ENOENT; 5334 diagnostic = 0; 5335 goto bail; 5336 } 5337 } 5338 5339 /* 5340 * Now that we have a policy entry/widget, construct an ACQUIRE 5341 * message based on that, fix fields where appropriate, 5342 * and return the message. 5343 */ 5344 retmp = sadb_extended_acquire(&sel, pp, ap, samsg->sadb_msg_seq, 5345 samsg->sadb_msg_pid); 5346 if (pp != NULL) { 5347 IPPOL_REFRELE(pp); 5348 } 5349 if (ap != NULL) { 5350 IPACT_REFRELE(ap); 5351 } 5352 if (retmp != NULL) { 5353 return (retmp); 5354 } else { 5355 err = ENOMEM; 5356 diagnostic = 0; 5357 bail: 5358 samsg->sadb_msg_errno = (uint8_t)err; 5359 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 5360 return (NULL); 5361 } 5362 } 5363 5364 /* 5365 * ipsa_lpkt is a one-element queue, only manipulated by casptr within 5366 * the next two functions. 5367 * 5368 * These functions loop calling casptr() until the swap "happens", 5369 * turning a compare-and-swap op into an atomic swap operation. 5370 */ 5371 5372 /* 5373 * sadb_set_lpkt: Atomically swap in a value to ipsa->ipsa_lpkt and 5374 * freemsg the previous value. free clue: freemsg(NULL) is safe. 5375 */ 5376 5377 void 5378 sadb_set_lpkt(ipsa_t *ipsa, mblk_t *npkt) 5379 { 5380 mblk_t *opkt; 5381 5382 membar_producer(); 5383 do 5384 opkt = ipsa->ipsa_lpkt; 5385 while (casptr(&ipsa->ipsa_lpkt, opkt, npkt) != opkt); 5386 5387 ip_drop_packet(opkt, B_TRUE, NULL, NULL, &ipdrops_sadb_inlarval_replace, 5388 &sadb_dropper); 5389 } 5390 5391 /* 5392 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the 5393 * previous value. 5394 */ 5395 5396 mblk_t * 5397 sadb_clear_lpkt(ipsa_t *ipsa) 5398 { 5399 mblk_t *opkt; 5400 5401 do 5402 opkt = ipsa->ipsa_lpkt; 5403 while (casptr(&ipsa->ipsa_lpkt, opkt, NULL) != opkt); 5404 5405 return (opkt); 5406 } 5407 5408 /* 5409 * Walker callback used by sadb_alg_update() to free/create crypto 5410 * context template when a crypto software provider is removed or 5411 * added. 5412 */ 5413 5414 struct sadb_update_alg_state { 5415 ipsec_algtype_t alg_type; 5416 uint8_t alg_id; 5417 boolean_t is_added; 5418 }; 5419 5420 static void 5421 sadb_alg_update_cb(isaf_t *head, ipsa_t *entry, void *cookie) 5422 { 5423 struct sadb_update_alg_state *update_state = 5424 (struct sadb_update_alg_state *)cookie; 5425 crypto_ctx_template_t *ctx_tmpl = NULL; 5426 5427 ASSERT(MUTEX_HELD(&head->isaf_lock)); 5428 5429 if (entry->ipsa_state == IPSA_STATE_LARVAL) 5430 return; 5431 5432 mutex_enter(&entry->ipsa_lock); 5433 5434 switch (update_state->alg_type) { 5435 case IPSEC_ALG_AUTH: 5436 if (entry->ipsa_auth_alg == update_state->alg_id) 5437 ctx_tmpl = &entry->ipsa_authtmpl; 5438 break; 5439 case IPSEC_ALG_ENCR: 5440 if (entry->ipsa_encr_alg == update_state->alg_id) 5441 ctx_tmpl = &entry->ipsa_encrtmpl; 5442 break; 5443 default: 5444 ctx_tmpl = NULL; 5445 } 5446 5447 if (ctx_tmpl == NULL) { 5448 mutex_exit(&entry->ipsa_lock); 5449 return; 5450 } 5451 5452 /* 5453 * The context template of the SA may be affected by the change 5454 * of crypto provider. 5455 */ 5456 if (update_state->is_added) { 5457 /* create the context template if not already done */ 5458 if (*ctx_tmpl == NULL) { 5459 (void) ipsec_create_ctx_tmpl(entry, 5460 update_state->alg_type); 5461 } 5462 } else { 5463 /* 5464 * The crypto provider was removed. If the context template 5465 * exists but it is no longer valid, free it. 5466 */ 5467 if (*ctx_tmpl != NULL) 5468 ipsec_destroy_ctx_tmpl(entry, update_state->alg_type); 5469 } 5470 5471 mutex_exit(&entry->ipsa_lock); 5472 } 5473 5474 /* 5475 * Invoked by IP when an software crypto provider has been updated. 5476 * The type and id of the corresponding algorithm is passed as argument. 5477 * is_added is B_TRUE if the provider was added, B_FALSE if it was 5478 * removed. The function updates the SADB and free/creates the 5479 * context templates associated with SAs if needed. 5480 */ 5481 5482 #define SADB_ALG_UPDATE_WALK(sadb, table) \ 5483 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \ 5484 &update_state) 5485 5486 void 5487 sadb_alg_update(ipsec_algtype_t alg_type, uint8_t alg_id, boolean_t is_added) 5488 { 5489 struct sadb_update_alg_state update_state; 5490 5491 update_state.alg_type = alg_type; 5492 update_state.alg_id = alg_id; 5493 update_state.is_added = is_added; 5494 5495 if (alg_type == IPSEC_ALG_AUTH) { 5496 /* walk the AH tables only for auth. algorithm changes */ 5497 SADB_ALG_UPDATE_WALK(ah_sadb.s_v4, sdb_of); 5498 SADB_ALG_UPDATE_WALK(ah_sadb.s_v4, sdb_if); 5499 SADB_ALG_UPDATE_WALK(ah_sadb.s_v6, sdb_of); 5500 SADB_ALG_UPDATE_WALK(ah_sadb.s_v6, sdb_if); 5501 } 5502 5503 /* walk the ESP tables */ 5504 SADB_ALG_UPDATE_WALK(esp_sadb.s_v4, sdb_of); 5505 SADB_ALG_UPDATE_WALK(esp_sadb.s_v4, sdb_if); 5506 SADB_ALG_UPDATE_WALK(esp_sadb.s_v6, sdb_of); 5507 SADB_ALG_UPDATE_WALK(esp_sadb.s_v6, sdb_if); 5508 } 5509 5510 /* 5511 * Creates a context template for the specified SA. This function 5512 * is called when an SA is created and when a context template needs 5513 * to be created due to a change of software provider. 5514 */ 5515 int 5516 ipsec_create_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 5517 { 5518 ipsec_alginfo_t *alg; 5519 crypto_mechanism_t mech; 5520 crypto_key_t *key; 5521 crypto_ctx_template_t *sa_tmpl; 5522 int rv; 5523 5524 ASSERT(MUTEX_HELD(&alg_lock)); 5525 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 5526 5527 /* get pointers to the algorithm info, context template, and key */ 5528 switch (alg_type) { 5529 case IPSEC_ALG_AUTH: 5530 key = &sa->ipsa_kcfauthkey; 5531 sa_tmpl = &sa->ipsa_authtmpl; 5532 alg = ipsec_alglists[alg_type][sa->ipsa_auth_alg]; 5533 break; 5534 case IPSEC_ALG_ENCR: 5535 key = &sa->ipsa_kcfencrkey; 5536 sa_tmpl = &sa->ipsa_encrtmpl; 5537 alg = ipsec_alglists[alg_type][sa->ipsa_encr_alg]; 5538 break; 5539 default: 5540 alg = NULL; 5541 } 5542 5543 if (alg == NULL || !ALG_VALID(alg)) 5544 return (EINVAL); 5545 5546 /* initialize the mech info structure for the framework */ 5547 ASSERT(alg->alg_mech_type != CRYPTO_MECHANISM_INVALID); 5548 mech.cm_type = alg->alg_mech_type; 5549 mech.cm_param = NULL; 5550 mech.cm_param_len = 0; 5551 5552 /* create a new context template */ 5553 rv = crypto_create_ctx_template(&mech, key, sa_tmpl, KM_NOSLEEP); 5554 5555 /* 5556 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware 5557 * providers are available for that mechanism. In that case 5558 * we don't fail, and will generate the context template from 5559 * the framework callback when a software provider for that 5560 * mechanism registers. 5561 * 5562 * The context template is assigned the special value 5563 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a 5564 * lack of memory. No attempt will be made to use 5565 * the context template if it is set to this value. 5566 */ 5567 if (rv == CRYPTO_HOST_MEMORY) { 5568 *sa_tmpl = IPSEC_CTX_TMPL_ALLOC; 5569 } else if (rv != CRYPTO_SUCCESS) { 5570 *sa_tmpl = NULL; 5571 if (rv != CRYPTO_MECH_NOT_SUPPORTED) 5572 return (EINVAL); 5573 } 5574 5575 return (0); 5576 } 5577 5578 /* 5579 * Destroy the context template of the specified algorithm type 5580 * of the specified SA. Must be called while holding the SA lock. 5581 */ 5582 void 5583 ipsec_destroy_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 5584 { 5585 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 5586 5587 if (alg_type == IPSEC_ALG_AUTH) { 5588 if (sa->ipsa_authtmpl == IPSEC_CTX_TMPL_ALLOC) 5589 sa->ipsa_authtmpl = NULL; 5590 else if (sa->ipsa_authtmpl != NULL) { 5591 crypto_destroy_ctx_template(sa->ipsa_authtmpl); 5592 sa->ipsa_authtmpl = NULL; 5593 } 5594 } else { 5595 ASSERT(alg_type == IPSEC_ALG_ENCR); 5596 if (sa->ipsa_encrtmpl == IPSEC_CTX_TMPL_ALLOC) 5597 sa->ipsa_encrtmpl = NULL; 5598 else if (sa->ipsa_encrtmpl != NULL) { 5599 crypto_destroy_ctx_template(sa->ipsa_encrtmpl); 5600 sa->ipsa_encrtmpl = NULL; 5601 } 5602 } 5603 } 5604 5605 /* 5606 * Use the kernel crypto framework to check the validity of a key received 5607 * via keysock. Returns 0 if the key is OK, -1 otherwise. 5608 */ 5609 int 5610 ipsec_check_key(crypto_mech_type_t mech_type, sadb_key_t *sadb_key, 5611 boolean_t is_auth, int *diag) 5612 { 5613 crypto_mechanism_t mech; 5614 crypto_key_t crypto_key; 5615 int crypto_rc; 5616 5617 mech.cm_type = mech_type; 5618 mech.cm_param = NULL; 5619 mech.cm_param_len = 0; 5620 5621 crypto_key.ck_format = CRYPTO_KEY_RAW; 5622 crypto_key.ck_data = sadb_key + 1; 5623 crypto_key.ck_length = sadb_key->sadb_key_bits; 5624 5625 crypto_rc = crypto_key_check(&mech, &crypto_key); 5626 5627 switch (crypto_rc) { 5628 case CRYPTO_SUCCESS: 5629 return (0); 5630 case CRYPTO_MECHANISM_INVALID: 5631 case CRYPTO_MECH_NOT_SUPPORTED: 5632 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AALG : 5633 SADB_X_DIAGNOSTIC_BAD_EALG; 5634 break; 5635 case CRYPTO_KEY_SIZE_RANGE: 5636 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AKEYBITS : 5637 SADB_X_DIAGNOSTIC_BAD_EKEYBITS; 5638 break; 5639 case CRYPTO_WEAK_KEY: 5640 *diag = is_auth ? SADB_X_DIAGNOSTIC_WEAK_AKEY : 5641 SADB_X_DIAGNOSTIC_WEAK_EKEY; 5642 break; 5643 } 5644 5645 return (-1); 5646 } 5647 5648 /* ARGSUSED */ 5649 static void 5650 sadb_clear_timeouts_walker(isaf_t *head, ipsa_t *ipsa, void *q) 5651 { 5652 if (!(ipsa->ipsa_flags & IPSA_F_NATT)) 5653 return; 5654 5655 mutex_enter(&ipsa->ipsa_lock); 5656 if (ipsa->ipsa_natt_q != q) { 5657 mutex_exit(&ipsa->ipsa_lock); 5658 return; 5659 } 5660 5661 (void) quntimeout(ipsa->ipsa_natt_q, ipsa->ipsa_natt_ka_timer); 5662 5663 ipsa->ipsa_natt_ka_timer = 0; 5664 ipsa->ipsa_natt_q = NULL; 5665 mutex_exit(&ipsa->ipsa_lock); 5666 } 5667 5668 void 5669 sadb_clear_timeouts(queue_t *q) 5670 { 5671 sadb_t *sp = &esp_sadb.s_v4; 5672 5673 sadb_walker(sp->sdb_if, sp->sdb_hashsize, 5674 sadb_clear_timeouts_walker, q); 5675 } 5676