1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/stream.h> 28 #include <sys/stropts.h> 29 #include <sys/strsubr.h> 30 #include <sys/errno.h> 31 #include <sys/ddi.h> 32 #include <sys/debug.h> 33 #include <sys/cmn_err.h> 34 #include <sys/stream.h> 35 #include <sys/strlog.h> 36 #include <sys/kmem.h> 37 #include <sys/sunddi.h> 38 #include <sys/tihdr.h> 39 #include <sys/atomic.h> 40 #include <sys/socket.h> 41 #include <sys/sysmacros.h> 42 #include <sys/crypto/common.h> 43 #include <sys/crypto/api.h> 44 #include <sys/zone.h> 45 #include <netinet/in.h> 46 #include <net/if.h> 47 #include <net/pfkeyv2.h> 48 #include <net/pfpolicy.h> 49 #include <inet/common.h> 50 #include <netinet/ip6.h> 51 #include <inet/ip.h> 52 #include <inet/ip_ire.h> 53 #include <inet/ip6.h> 54 #include <inet/ipsec_info.h> 55 #include <inet/tcp.h> 56 #include <inet/sadb.h> 57 #include <inet/ipsec_impl.h> 58 #include <inet/ipsecah.h> 59 #include <inet/ipsecesp.h> 60 #include <sys/random.h> 61 #include <sys/dlpi.h> 62 #include <sys/iphada.h> 63 #include <sys/strsun.h> 64 #include <sys/strsubr.h> 65 #include <inet/ip_if.h> 66 #include <inet/ipdrop.h> 67 #include <inet/ipclassifier.h> 68 #include <inet/sctp_ip.h> 69 #include <sys/tsol/tnet.h> 70 71 /* 72 * This source file contains Security Association Database (SADB) common 73 * routines. They are linked in with the AH module. Since AH has no chance 74 * of falling under export control, it was safe to link it in there. 75 */ 76 77 static mblk_t *sadb_extended_acquire(ipsec_selector_t *, ipsec_policy_t *, 78 ipsec_action_t *, boolean_t, uint32_t, uint32_t, sadb_sens_t *, 79 netstack_t *); 80 static void sadb_ill_df(ill_t *, mblk_t *, isaf_t *, int, boolean_t); 81 static ipsa_t *sadb_torch_assoc(isaf_t *, ipsa_t *, boolean_t, mblk_t **); 82 static void sadb_drain_torchq(queue_t *, mblk_t *); 83 static void sadb_destroy_acqlist(iacqf_t **, uint_t, boolean_t, 84 netstack_t *); 85 static void sadb_destroy(sadb_t *, netstack_t *); 86 static mblk_t *sadb_sa2msg(ipsa_t *, sadb_msg_t *); 87 static cred_t *sadb_cred_from_sens(sadb_sens_t *, uint64_t *); 88 static sadb_sens_t *sadb_make_sens_ext(cred_t *cr, int *len); 89 90 static time_t sadb_add_time(time_t, uint64_t); 91 static void lifetime_fuzz(ipsa_t *); 92 static void age_pair_peer_list(templist_t *, sadb_t *, boolean_t); 93 static int get_ipsa_pair(ipsa_query_t *, ipsap_t *, int *); 94 static void init_ipsa_pair(ipsap_t *); 95 static void destroy_ipsa_pair(ipsap_t *); 96 static int update_pairing(ipsap_t *, ipsa_query_t *, keysock_in_t *, int *); 97 static void ipsa_set_replay(ipsa_t *ipsa, uint32_t offset); 98 99 extern void (*cl_inet_getspi)(netstackid_t stack_id, uint8_t protocol, 100 uint8_t *ptr, size_t len, void *args); 101 extern int (*cl_inet_checkspi)(netstackid_t stack_id, uint8_t protocol, 102 uint32_t spi, void *args); 103 extern void (*cl_inet_deletespi)(netstackid_t stack_id, uint8_t protocol, 104 uint32_t spi, void *args); 105 /* 106 * ipsacq_maxpackets is defined here to make it tunable 107 * from /etc/system. 108 */ 109 extern uint64_t ipsacq_maxpackets; 110 111 #define SET_EXPIRE(sa, delta, exp) { \ 112 if (((sa)->ipsa_ ## delta) != 0) { \ 113 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \ 114 (sa)->ipsa_ ## delta); \ 115 } \ 116 } 117 118 #define UPDATE_EXPIRE(sa, delta, exp) { \ 119 if (((sa)->ipsa_ ## delta) != 0) { \ 120 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \ 121 (sa)->ipsa_ ## delta); \ 122 if (((sa)->ipsa_ ## exp) == 0) \ 123 (sa)->ipsa_ ## exp = tmp; \ 124 else \ 125 (sa)->ipsa_ ## exp = \ 126 MIN((sa)->ipsa_ ## exp, tmp); \ 127 } \ 128 } 129 130 131 /* wrap the macro so we can pass it as a function pointer */ 132 void 133 sadb_sa_refrele(void *target) 134 { 135 IPSA_REFRELE(((ipsa_t *)target)); 136 } 137 138 /* 139 * We presume that sizeof (long) == sizeof (time_t) and that time_t is 140 * a signed type. 141 */ 142 #define TIME_MAX LONG_MAX 143 144 /* 145 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that 146 * time_t is defined to be a signed type with the same range as 147 * "long". On ILP32 systems, we thus run the risk of wrapping around 148 * at end of time, as well as "overwrapping" the clock back around 149 * into a seemingly valid but incorrect future date earlier than the 150 * desired expiration. 151 * 152 * In order to avoid odd behavior (either negative lifetimes or loss 153 * of high order bits) when someone asks for bizarrely long SA 154 * lifetimes, we do a saturating add for expire times. 155 * 156 * We presume that ILP32 systems will be past end of support life when 157 * the 32-bit time_t overflows (a dangerous assumption, mind you..). 158 * 159 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we 160 * will hopefully have figured out clever ways to avoid the use of 161 * fixed-sized integers in computation. 162 */ 163 static time_t 164 sadb_add_time(time_t base, uint64_t delta) 165 { 166 time_t sum; 167 168 /* 169 * Clip delta to the maximum possible time_t value to 170 * prevent "overwrapping" back into a shorter-than-desired 171 * future time. 172 */ 173 if (delta > TIME_MAX) 174 delta = TIME_MAX; 175 /* 176 * This sum may still overflow. 177 */ 178 sum = base + delta; 179 180 /* 181 * .. so if the result is less than the base, we overflowed. 182 */ 183 if (sum < base) 184 sum = TIME_MAX; 185 186 return (sum); 187 } 188 189 /* 190 * Callers of this function have already created a working security 191 * association, and have found the appropriate table & hash chain. All this 192 * function does is check duplicates, and insert the SA. The caller needs to 193 * hold the hash bucket lock and increment the refcnt before insertion. 194 * 195 * Return 0 if success, EEXIST if collision. 196 */ 197 #define SA_UNIQUE_MATCH(sa1, sa2) \ 198 (((sa1)->ipsa_unique_id & (sa1)->ipsa_unique_mask) == \ 199 ((sa2)->ipsa_unique_id & (sa2)->ipsa_unique_mask)) 200 201 int 202 sadb_insertassoc(ipsa_t *ipsa, isaf_t *bucket) 203 { 204 ipsa_t **ptpn = NULL; 205 ipsa_t *walker; 206 boolean_t unspecsrc; 207 208 ASSERT(MUTEX_HELD(&bucket->isaf_lock)); 209 210 unspecsrc = IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_srcaddr, ipsa->ipsa_addrfam); 211 212 walker = bucket->isaf_ipsa; 213 ASSERT(walker == NULL || ipsa->ipsa_addrfam == walker->ipsa_addrfam); 214 215 /* 216 * Find insertion point (pointed to with **ptpn). Insert at the head 217 * of the list unless there's an unspecified source address, then 218 * insert it after the last SA with a specified source address. 219 * 220 * BTW, you'll have to walk the whole chain, matching on {DST, SPI} 221 * checking for collisions. 222 */ 223 224 while (walker != NULL) { 225 if (IPSA_ARE_ADDR_EQUAL(walker->ipsa_dstaddr, 226 ipsa->ipsa_dstaddr, ipsa->ipsa_addrfam)) { 227 if (walker->ipsa_spi == ipsa->ipsa_spi) 228 return (EEXIST); 229 230 mutex_enter(&walker->ipsa_lock); 231 if (ipsa->ipsa_state == IPSA_STATE_MATURE && 232 (walker->ipsa_flags & IPSA_F_USED) && 233 SA_UNIQUE_MATCH(walker, ipsa)) { 234 walker->ipsa_flags |= IPSA_F_CINVALID; 235 } 236 mutex_exit(&walker->ipsa_lock); 237 } 238 239 if (ptpn == NULL && unspecsrc) { 240 if (IPSA_IS_ADDR_UNSPEC(walker->ipsa_srcaddr, 241 walker->ipsa_addrfam)) 242 ptpn = walker->ipsa_ptpn; 243 else if (walker->ipsa_next == NULL) 244 ptpn = &walker->ipsa_next; 245 } 246 247 walker = walker->ipsa_next; 248 } 249 250 if (ptpn == NULL) 251 ptpn = &bucket->isaf_ipsa; 252 ipsa->ipsa_next = *ptpn; 253 ipsa->ipsa_ptpn = ptpn; 254 if (ipsa->ipsa_next != NULL) 255 ipsa->ipsa_next->ipsa_ptpn = &ipsa->ipsa_next; 256 *ptpn = ipsa; 257 ipsa->ipsa_linklock = &bucket->isaf_lock; 258 259 return (0); 260 } 261 #undef SA_UNIQUE_MATCH 262 263 /* 264 * Free a security association. Its reference count is 0, which means 265 * I must free it. The SA must be unlocked and must not be linked into 266 * any fanout list. 267 */ 268 static void 269 sadb_freeassoc(ipsa_t *ipsa) 270 { 271 ipsec_stack_t *ipss = ipsa->ipsa_netstack->netstack_ipsec; 272 273 ASSERT(ipss != NULL); 274 ASSERT(MUTEX_NOT_HELD(&ipsa->ipsa_lock)); 275 ASSERT(ipsa->ipsa_refcnt == 0); 276 ASSERT(ipsa->ipsa_next == NULL); 277 ASSERT(ipsa->ipsa_ptpn == NULL); 278 279 mutex_enter(&ipsa->ipsa_lock); 280 /* Don't call sadb_clear_lpkt() since we hold the ipsa_lock anyway. */ 281 ip_drop_packet(ipsa->ipsa_lpkt, B_TRUE, NULL, NULL, 282 DROPPER(ipss, ipds_sadb_inlarval_timeout), 283 &ipss->ipsec_sadb_dropper); 284 285 if (ipsa->ipsa_cred != NULL) { 286 crfree(ipsa->ipsa_cred); 287 ipsa->ipsa_cred = NULL; 288 } 289 290 if (ipsa->ipsa_ocred != NULL) { 291 crfree(ipsa->ipsa_ocred); 292 ipsa->ipsa_ocred = NULL; 293 } 294 295 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_AUTH); 296 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_ENCR); 297 mutex_exit(&ipsa->ipsa_lock); 298 299 /* bzero() these fields for paranoia's sake. */ 300 if (ipsa->ipsa_authkey != NULL) { 301 bzero(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 302 kmem_free(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 303 } 304 if (ipsa->ipsa_encrkey != NULL) { 305 bzero(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 306 kmem_free(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 307 } 308 if (ipsa->ipsa_nonce_buf != NULL) { 309 bzero(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t)); 310 kmem_free(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t)); 311 } 312 if (ipsa->ipsa_src_cid != NULL) { 313 IPSID_REFRELE(ipsa->ipsa_src_cid); 314 } 315 if (ipsa->ipsa_dst_cid != NULL) { 316 IPSID_REFRELE(ipsa->ipsa_dst_cid); 317 } 318 if (ipsa->ipsa_emech.cm_param != NULL) 319 kmem_free(ipsa->ipsa_emech.cm_param, 320 ipsa->ipsa_emech.cm_param_len); 321 322 mutex_destroy(&ipsa->ipsa_lock); 323 kmem_free(ipsa, sizeof (*ipsa)); 324 } 325 326 /* 327 * Unlink a security association from a hash bucket. Assume the hash bucket 328 * lock is held, but the association's lock is not. 329 * 330 * Note that we do not bump the bucket's generation number here because 331 * we might not be making a visible change to the set of visible SA's. 332 * All callers MUST bump the bucket's generation number before they unlock 333 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which 334 * was present in the bucket at the time it was locked. 335 */ 336 void 337 sadb_unlinkassoc(ipsa_t *ipsa) 338 { 339 ASSERT(ipsa->ipsa_linklock != NULL); 340 ASSERT(MUTEX_HELD(ipsa->ipsa_linklock)); 341 342 /* These fields are protected by the link lock. */ 343 *(ipsa->ipsa_ptpn) = ipsa->ipsa_next; 344 if (ipsa->ipsa_next != NULL) { 345 ipsa->ipsa_next->ipsa_ptpn = ipsa->ipsa_ptpn; 346 ipsa->ipsa_next = NULL; 347 } 348 349 ipsa->ipsa_ptpn = NULL; 350 351 /* This may destroy the SA. */ 352 IPSA_REFRELE(ipsa); 353 } 354 355 void 356 sadb_delete_cluster(ipsa_t *assoc) 357 { 358 uint8_t protocol; 359 360 if (cl_inet_deletespi && 361 ((assoc->ipsa_state == IPSA_STATE_LARVAL) || 362 (assoc->ipsa_state == IPSA_STATE_MATURE))) { 363 protocol = (assoc->ipsa_type == SADB_SATYPE_AH) ? 364 IPPROTO_AH : IPPROTO_ESP; 365 cl_inet_deletespi(assoc->ipsa_netstack->netstack_stackid, 366 protocol, assoc->ipsa_spi, NULL); 367 } 368 } 369 370 /* 371 * Create a larval security association with the specified SPI. All other 372 * fields are zeroed. 373 */ 374 static ipsa_t * 375 sadb_makelarvalassoc(uint32_t spi, uint32_t *src, uint32_t *dst, int addrfam, 376 netstack_t *ns) 377 { 378 ipsa_t *newbie; 379 380 /* 381 * Allocate... 382 */ 383 384 newbie = (ipsa_t *)kmem_zalloc(sizeof (ipsa_t), KM_NOSLEEP); 385 if (newbie == NULL) { 386 /* Can't make new larval SA. */ 387 return (NULL); 388 } 389 390 /* Assigned requested SPI, assume caller does SPI allocation magic. */ 391 newbie->ipsa_spi = spi; 392 newbie->ipsa_netstack = ns; /* No netstack_hold */ 393 394 /* 395 * Copy addresses... 396 */ 397 398 IPSA_COPY_ADDR(newbie->ipsa_srcaddr, src, addrfam); 399 IPSA_COPY_ADDR(newbie->ipsa_dstaddr, dst, addrfam); 400 401 newbie->ipsa_addrfam = addrfam; 402 403 /* 404 * Set common initialization values, including refcnt. 405 */ 406 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 407 newbie->ipsa_state = IPSA_STATE_LARVAL; 408 newbie->ipsa_refcnt = 1; 409 newbie->ipsa_freefunc = sadb_freeassoc; 410 411 /* 412 * There aren't a lot of other common initialization values, as 413 * they are copied in from the PF_KEY message. 414 */ 415 416 return (newbie); 417 } 418 419 /* 420 * Call me to initialize a security association fanout. 421 */ 422 static int 423 sadb_init_fanout(isaf_t **tablep, uint_t size, int kmflag) 424 { 425 isaf_t *table; 426 int i; 427 428 table = (isaf_t *)kmem_alloc(size * sizeof (*table), kmflag); 429 *tablep = table; 430 431 if (table == NULL) 432 return (ENOMEM); 433 434 for (i = 0; i < size; i++) { 435 mutex_init(&(table[i].isaf_lock), NULL, MUTEX_DEFAULT, NULL); 436 table[i].isaf_ipsa = NULL; 437 table[i].isaf_gen = 0; 438 } 439 440 return (0); 441 } 442 443 /* 444 * Call me to initialize an acquire fanout 445 */ 446 static int 447 sadb_init_acfanout(iacqf_t **tablep, uint_t size, int kmflag) 448 { 449 iacqf_t *table; 450 int i; 451 452 table = (iacqf_t *)kmem_alloc(size * sizeof (*table), kmflag); 453 *tablep = table; 454 455 if (table == NULL) 456 return (ENOMEM); 457 458 for (i = 0; i < size; i++) { 459 mutex_init(&(table[i].iacqf_lock), NULL, MUTEX_DEFAULT, NULL); 460 table[i].iacqf_ipsacq = NULL; 461 } 462 463 return (0); 464 } 465 466 /* 467 * Attempt to initialize an SADB instance. On failure, return ENOMEM; 468 * caller must clean up partial allocations. 469 */ 470 static int 471 sadb_init_trial(sadb_t *sp, uint_t size, int kmflag) 472 { 473 ASSERT(sp->sdb_of == NULL); 474 ASSERT(sp->sdb_if == NULL); 475 ASSERT(sp->sdb_acq == NULL); 476 477 sp->sdb_hashsize = size; 478 if (sadb_init_fanout(&sp->sdb_of, size, kmflag) != 0) 479 return (ENOMEM); 480 if (sadb_init_fanout(&sp->sdb_if, size, kmflag) != 0) 481 return (ENOMEM); 482 if (sadb_init_acfanout(&sp->sdb_acq, size, kmflag) != 0) 483 return (ENOMEM); 484 485 return (0); 486 } 487 488 /* 489 * Call me to initialize an SADB instance; fall back to default size on failure. 490 */ 491 static void 492 sadb_init(const char *name, sadb_t *sp, uint_t size, uint_t ver, 493 netstack_t *ns) 494 { 495 ASSERT(sp->sdb_of == NULL); 496 ASSERT(sp->sdb_if == NULL); 497 ASSERT(sp->sdb_acq == NULL); 498 499 if (size < IPSEC_DEFAULT_HASH_SIZE) 500 size = IPSEC_DEFAULT_HASH_SIZE; 501 502 if (sadb_init_trial(sp, size, KM_NOSLEEP) != 0) { 503 504 cmn_err(CE_WARN, 505 "Unable to allocate %u entry IPv%u %s SADB hash table", 506 size, ver, name); 507 508 sadb_destroy(sp, ns); 509 size = IPSEC_DEFAULT_HASH_SIZE; 510 cmn_err(CE_WARN, "Falling back to %d entries", size); 511 (void) sadb_init_trial(sp, size, KM_SLEEP); 512 } 513 } 514 515 516 /* 517 * Initialize an SADB-pair. 518 */ 519 void 520 sadbp_init(const char *name, sadbp_t *sp, int type, int size, netstack_t *ns) 521 { 522 sadb_init(name, &sp->s_v4, size, 4, ns); 523 sadb_init(name, &sp->s_v6, size, 6, ns); 524 525 sp->s_satype = type; 526 527 ASSERT((type == SADB_SATYPE_AH) || (type == SADB_SATYPE_ESP)); 528 if (type == SADB_SATYPE_AH) { 529 ipsec_stack_t *ipss = ns->netstack_ipsec; 530 531 ip_drop_register(&ipss->ipsec_sadb_dropper, "IPsec SADB"); 532 sp->s_addflags = AH_ADD_SETTABLE_FLAGS; 533 sp->s_updateflags = AH_UPDATE_SETTABLE_FLAGS; 534 } else { 535 sp->s_addflags = ESP_ADD_SETTABLE_FLAGS; 536 sp->s_updateflags = ESP_UPDATE_SETTABLE_FLAGS; 537 } 538 } 539 540 /* 541 * Deliver a single SADB_DUMP message representing a single SA. This is 542 * called many times by sadb_dump(). 543 * 544 * If the return value of this is ENOBUFS (not the same as ENOMEM), then 545 * the caller should take that as a hint that dupb() on the "original answer" 546 * failed, and that perhaps the caller should try again with a copyb()ed 547 * "original answer". 548 */ 549 static int 550 sadb_dump_deliver(queue_t *pfkey_q, mblk_t *original_answer, ipsa_t *ipsa, 551 sadb_msg_t *samsg) 552 { 553 mblk_t *answer; 554 555 answer = dupb(original_answer); 556 if (answer == NULL) 557 return (ENOBUFS); 558 answer->b_cont = sadb_sa2msg(ipsa, samsg); 559 if (answer->b_cont == NULL) { 560 freeb(answer); 561 return (ENOMEM); 562 } 563 564 /* Just do a putnext, and let keysock deal with flow control. */ 565 putnext(pfkey_q, answer); 566 return (0); 567 } 568 569 /* 570 * Common function to allocate and prepare a keysock_out_t M_CTL message. 571 */ 572 mblk_t * 573 sadb_keysock_out(minor_t serial) 574 { 575 mblk_t *mp; 576 keysock_out_t *kso; 577 578 mp = allocb(sizeof (ipsec_info_t), BPRI_HI); 579 if (mp != NULL) { 580 mp->b_datap->db_type = M_CTL; 581 mp->b_wptr += sizeof (ipsec_info_t); 582 kso = (keysock_out_t *)mp->b_rptr; 583 kso->ks_out_type = KEYSOCK_OUT; 584 kso->ks_out_len = sizeof (*kso); 585 kso->ks_out_serial = serial; 586 } 587 588 return (mp); 589 } 590 591 /* 592 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts 593 * to keysock. 594 */ 595 static int 596 sadb_dump_fanout(queue_t *pfkey_q, mblk_t *mp, minor_t serial, isaf_t *fanout, 597 int num_entries, boolean_t do_peers, time_t active_time) 598 { 599 int i, error = 0; 600 mblk_t *original_answer; 601 ipsa_t *walker; 602 sadb_msg_t *samsg; 603 time_t current; 604 605 /* 606 * For each IPSA hash bucket do: 607 * - Hold the mutex 608 * - Walk each entry, doing an sadb_dump_deliver() on it. 609 */ 610 ASSERT(mp->b_cont != NULL); 611 samsg = (sadb_msg_t *)mp->b_cont->b_rptr; 612 613 original_answer = sadb_keysock_out(serial); 614 if (original_answer == NULL) 615 return (ENOMEM); 616 617 current = gethrestime_sec(); 618 for (i = 0; i < num_entries; i++) { 619 mutex_enter(&fanout[i].isaf_lock); 620 for (walker = fanout[i].isaf_ipsa; walker != NULL; 621 walker = walker->ipsa_next) { 622 if (!do_peers && walker->ipsa_haspeer) 623 continue; 624 if ((active_time != 0) && 625 ((current - walker->ipsa_lastuse) > active_time)) 626 continue; 627 error = sadb_dump_deliver(pfkey_q, original_answer, 628 walker, samsg); 629 if (error == ENOBUFS) { 630 mblk_t *new_original_answer; 631 632 /* Ran out of dupb's. Try a copyb. */ 633 new_original_answer = copyb(original_answer); 634 if (new_original_answer == NULL) { 635 error = ENOMEM; 636 } else { 637 freeb(original_answer); 638 original_answer = new_original_answer; 639 error = sadb_dump_deliver(pfkey_q, 640 original_answer, walker, samsg); 641 } 642 } 643 if (error != 0) 644 break; /* out of for loop. */ 645 } 646 mutex_exit(&fanout[i].isaf_lock); 647 if (error != 0) 648 break; /* out of for loop. */ 649 } 650 651 freeb(original_answer); 652 return (error); 653 } 654 655 /* 656 * Dump an entire SADB; outbound first, then inbound. 657 */ 658 659 int 660 sadb_dump(queue_t *pfkey_q, mblk_t *mp, keysock_in_t *ksi, sadb_t *sp) 661 { 662 int error; 663 time_t active_time = 0; 664 sadb_x_edump_t *edump = 665 (sadb_x_edump_t *)ksi->ks_in_extv[SADB_X_EXT_EDUMP]; 666 667 if (edump != NULL) { 668 active_time = edump->sadb_x_edump_timeout; 669 } 670 671 /* Dump outbound */ 672 error = sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_of, 673 sp->sdb_hashsize, B_TRUE, active_time); 674 if (error) 675 return (error); 676 677 /* Dump inbound */ 678 return sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_if, 679 sp->sdb_hashsize, B_FALSE, active_time); 680 } 681 682 /* 683 * Generic sadb table walker. 684 * 685 * Call "walkfn" for each SA in each bucket in "table"; pass the 686 * bucket, the entry and "cookie" to the callback function. 687 * Take care to ensure that walkfn can delete the SA without screwing 688 * up our traverse. 689 * 690 * The bucket is locked for the duration of the callback, both so that the 691 * callback can just call sadb_unlinkassoc() when it wants to delete something, 692 * and so that no new entries are added while we're walking the list. 693 */ 694 static void 695 sadb_walker(isaf_t *table, uint_t numentries, 696 void (*walkfn)(isaf_t *head, ipsa_t *entry, void *cookie), 697 void *cookie) 698 { 699 int i; 700 for (i = 0; i < numentries; i++) { 701 ipsa_t *entry, *next; 702 703 mutex_enter(&table[i].isaf_lock); 704 705 for (entry = table[i].isaf_ipsa; entry != NULL; 706 entry = next) { 707 next = entry->ipsa_next; 708 (*walkfn)(&table[i], entry, cookie); 709 } 710 mutex_exit(&table[i].isaf_lock); 711 } 712 } 713 714 /* 715 * From the given SA, construct a dl_ct_ipsec_key and 716 * a dl_ct_ipsec structures to be sent to the adapter as part 717 * of a DL_CONTROL_REQ. 718 * 719 * ct_sa must point to the storage allocated for the key 720 * structure and must be followed by storage allocated 721 * for the SA information that must be sent to the driver 722 * as part of the DL_CONTROL_REQ request. 723 * 724 * The is_inbound boolean indicates whether the specified 725 * SA is part of an inbound SA table. 726 * 727 * Returns B_TRUE if the corresponding SA must be passed to 728 * a provider, B_FALSE otherwise; frees *mp if it returns B_FALSE. 729 */ 730 static boolean_t 731 sadb_req_from_sa(ipsa_t *sa, mblk_t *mp, boolean_t is_inbound) 732 { 733 dl_ct_ipsec_key_t *keyp; 734 dl_ct_ipsec_t *sap; 735 void *ct_sa = mp->b_wptr; 736 737 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 738 739 keyp = (dl_ct_ipsec_key_t *)(ct_sa); 740 sap = (dl_ct_ipsec_t *)(keyp + 1); 741 742 IPSECHW_DEBUG(IPSECHW_CAPAB, ("sadb_req_from_sa: " 743 "is_inbound = %d\n", is_inbound)); 744 745 /* initialize flag */ 746 sap->sadb_sa_flags = 0; 747 if (is_inbound) { 748 sap->sadb_sa_flags |= DL_CT_IPSEC_INBOUND; 749 /* 750 * If an inbound SA has a peer, then mark it has being 751 * an outbound SA as well. 752 */ 753 if (sa->ipsa_haspeer) 754 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 755 } else { 756 /* 757 * If an outbound SA has a peer, then don't send it, 758 * since we will send the copy from the inbound table. 759 */ 760 if (sa->ipsa_haspeer) { 761 freemsg(mp); 762 return (B_FALSE); 763 } 764 sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND; 765 } 766 767 keyp->dl_key_spi = sa->ipsa_spi; 768 bcopy(sa->ipsa_dstaddr, keyp->dl_key_dest_addr, 769 DL_CTL_IPSEC_ADDR_LEN); 770 keyp->dl_key_addr_family = sa->ipsa_addrfam; 771 772 sap->sadb_sa_auth = sa->ipsa_auth_alg; 773 sap->sadb_sa_encrypt = sa->ipsa_encr_alg; 774 775 sap->sadb_key_len_a = sa->ipsa_authkeylen; 776 sap->sadb_key_bits_a = sa->ipsa_authkeybits; 777 bcopy(sa->ipsa_authkey, 778 sap->sadb_key_data_a, sap->sadb_key_len_a); 779 780 sap->sadb_key_len_e = sa->ipsa_encrkeylen; 781 sap->sadb_key_bits_e = sa->ipsa_encrkeybits; 782 bcopy(sa->ipsa_encrkey, 783 sap->sadb_key_data_e, sap->sadb_key_len_e); 784 785 mp->b_wptr += sizeof (dl_ct_ipsec_t) + sizeof (dl_ct_ipsec_key_t); 786 return (B_TRUE); 787 } 788 789 /* 790 * Called from AH or ESP to format a message which will be used to inform 791 * IPsec-acceleration-capable ills of a SADB change. 792 * (It is not possible to send the message to IP directly from this function 793 * since the SA, if any, is locked during the call). 794 * 795 * dl_operation: DL_CONTROL_REQ operation (add, delete, update, etc) 796 * sa_type: identifies whether the operation applies to AH or ESP 797 * (must be one of SADB_SATYPE_AH or SADB_SATYPE_ESP) 798 * sa: Pointer to an SA. Must be non-NULL and locked 799 * for ADD, DELETE, GET, and UPDATE operations. 800 * This function returns an mblk chain that must be passed to IP 801 * for forwarding to the IPsec capable providers. 802 */ 803 mblk_t * 804 sadb_fmt_sa_req(uint_t dl_operation, uint_t sa_type, ipsa_t *sa, 805 boolean_t is_inbound) 806 { 807 mblk_t *mp; 808 dl_control_req_t *ctrl; 809 boolean_t need_key = B_FALSE; 810 mblk_t *ctl_mp = NULL; 811 ipsec_ctl_t *ctl; 812 813 /* 814 * 1 allocate and initialize DL_CONTROL_REQ M_PROTO 815 * 2 if a key is needed for the operation 816 * 2.1 initialize key 817 * 2.2 if a full SA is needed for the operation 818 * 2.2.1 initialize full SA info 819 * 3 return message; caller will call ill_ipsec_capab_send_all() 820 * to send the resulting message to IPsec capable ills. 821 */ 822 823 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 824 825 /* 826 * Allocate DL_CONTROL_REQ M_PROTO 827 * We allocate room for the SA even if it's not needed 828 * by some of the operations (for example flush) 829 */ 830 mp = allocb(sizeof (dl_control_req_t) + 831 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 832 if (mp == NULL) 833 return (NULL); 834 mp->b_datap->db_type = M_PROTO; 835 836 /* initialize dl_control_req_t */ 837 ctrl = (dl_control_req_t *)mp->b_wptr; 838 ctrl->dl_primitive = DL_CONTROL_REQ; 839 ctrl->dl_operation = dl_operation; 840 ctrl->dl_type = sa_type == SADB_SATYPE_AH ? DL_CT_IPSEC_AH : 841 DL_CT_IPSEC_ESP; 842 ctrl->dl_key_offset = sizeof (dl_control_req_t); 843 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 844 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 845 sizeof (dl_ct_ipsec_key_t); 846 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 847 mp->b_wptr += sizeof (dl_control_req_t); 848 849 if ((dl_operation == DL_CO_SET) || (dl_operation == DL_CO_DELETE)) { 850 ASSERT(sa != NULL); 851 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 852 853 need_key = B_TRUE; 854 855 /* 856 * Initialize key and SA data. Note that for some 857 * operations the SA data is ignored by the provider 858 * (delete, etc.) 859 */ 860 if (!sadb_req_from_sa(sa, mp, is_inbound)) 861 return (NULL); 862 } 863 864 /* construct control message */ 865 ctl_mp = allocb(sizeof (ipsec_ctl_t), BPRI_HI); 866 if (ctl_mp == NULL) { 867 cmn_err(CE_WARN, "sadb_fmt_sa_req: allocb failed\n"); 868 freemsg(mp); 869 return (NULL); 870 } 871 872 ctl_mp->b_datap->db_type = M_CTL; 873 ctl_mp->b_wptr += sizeof (ipsec_ctl_t); 874 ctl_mp->b_cont = mp; 875 876 ctl = (ipsec_ctl_t *)ctl_mp->b_rptr; 877 ctl->ipsec_ctl_type = IPSEC_CTL; 878 ctl->ipsec_ctl_len = sizeof (ipsec_ctl_t); 879 ctl->ipsec_ctl_sa_type = sa_type; 880 881 if (need_key) { 882 /* 883 * Keep an additional reference on SA, since it will be 884 * needed by IP to send control messages corresponding 885 * to that SA from its perimeter. IP will do a 886 * IPSA_REFRELE when done with the request. 887 */ 888 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 889 IPSA_REFHOLD(sa); 890 ctl->ipsec_ctl_sa = sa; 891 } else 892 ctl->ipsec_ctl_sa = NULL; 893 894 return (ctl_mp); 895 } 896 897 898 /* 899 * Called by sadb_ill_download() to dump the entries for a specific 900 * fanout table. For each SA entry in the table passed as argument, 901 * use mp as a template and constructs a full DL_CONTROL message, and 902 * call ill_dlpi_send(), provided by IP, to send the resulting 903 * messages to the ill. 904 */ 905 static void 906 sadb_ill_df(ill_t *ill, mblk_t *mp, isaf_t *fanout, int num_entries, 907 boolean_t is_inbound) 908 { 909 ipsa_t *walker; 910 mblk_t *nmp, *salist; 911 int i, error = 0; 912 ip_stack_t *ipst = ill->ill_ipst; 913 netstack_t *ns = ipst->ips_netstack; 914 915 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_ill_df: fanout at 0x%p ne=%d\n", 916 (void *)fanout, num_entries)); 917 /* 918 * For each IPSA hash bucket do: 919 * - Hold the mutex 920 * - Walk each entry, sending a corresponding request to IP 921 * for it. 922 */ 923 ASSERT(mp->b_datap->db_type == M_PROTO); 924 925 for (i = 0; i < num_entries; i++) { 926 mutex_enter(&fanout[i].isaf_lock); 927 salist = NULL; 928 929 for (walker = fanout[i].isaf_ipsa; walker != NULL; 930 walker = walker->ipsa_next) { 931 IPSECHW_DEBUG(IPSECHW_SADB, 932 ("sadb_ill_df: sending SA to ill via IP \n")); 933 /* 934 * Duplicate the template mp passed and 935 * complete DL_CONTROL_REQ data. 936 * To be more memory efficient, we could use 937 * dupb() for the M_CTL and copyb() for the M_PROTO 938 * as the M_CTL, since the M_CTL is the same for 939 * every SA entry passed down to IP for the same ill. 940 * 941 * Note that copymsg/copyb ensure that the new mblk 942 * is at least as large as the source mblk even if it's 943 * not using all its storage -- therefore, nmp 944 * has trailing space for sadb_req_from_sa to add 945 * the SA-specific bits. 946 */ 947 mutex_enter(&walker->ipsa_lock); 948 if (ipsec_capab_match(ill, 949 ill->ill_phyint->phyint_ifindex, ill->ill_isv6, 950 walker, ns)) { 951 nmp = copymsg(mp); 952 if (nmp == NULL) { 953 IPSECHW_DEBUG(IPSECHW_SADB, 954 ("sadb_ill_df: alloc error\n")); 955 error = ENOMEM; 956 mutex_exit(&walker->ipsa_lock); 957 break; 958 } 959 if (sadb_req_from_sa(walker, nmp, is_inbound)) { 960 nmp->b_next = salist; 961 salist = nmp; 962 } 963 } 964 mutex_exit(&walker->ipsa_lock); 965 } 966 mutex_exit(&fanout[i].isaf_lock); 967 while (salist != NULL) { 968 nmp = salist; 969 salist = nmp->b_next; 970 nmp->b_next = NULL; 971 ill_dlpi_send(ill, nmp); 972 } 973 if (error != 0) 974 break; /* out of for loop. */ 975 } 976 } 977 978 /* 979 * Called by ill_ipsec_capab_add(). Sends a copy of the SADB of 980 * the type specified by sa_type to the specified ill. 981 * 982 * We call for each fanout table defined by the SADB (one per 983 * protocol). sadb_ill_df() finally calls ill_dlpi_send() for 984 * each SADB entry in order to send a corresponding DL_CONTROL_REQ 985 * message to the ill. 986 */ 987 void 988 sadb_ill_download(ill_t *ill, uint_t sa_type) 989 { 990 mblk_t *protomp; /* prototype message */ 991 dl_control_req_t *ctrl; 992 sadbp_t *spp; 993 sadb_t *sp; 994 int dlt; 995 ip_stack_t *ipst = ill->ill_ipst; 996 netstack_t *ns = ipst->ips_netstack; 997 998 ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP); 999 1000 /* 1001 * Allocate and initialize prototype answer. A duplicate for 1002 * each SA is sent down to the interface. 1003 */ 1004 1005 /* DL_CONTROL_REQ M_PROTO mblk_t */ 1006 protomp = allocb(sizeof (dl_control_req_t) + 1007 sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI); 1008 if (protomp == NULL) 1009 return; 1010 protomp->b_datap->db_type = M_PROTO; 1011 1012 dlt = (sa_type == SADB_SATYPE_AH) ? DL_CT_IPSEC_AH : DL_CT_IPSEC_ESP; 1013 if (sa_type == SADB_SATYPE_ESP) { 1014 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 1015 1016 spp = &espstack->esp_sadb; 1017 } else { 1018 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 1019 1020 spp = &ahstack->ah_sadb; 1021 } 1022 1023 ctrl = (dl_control_req_t *)protomp->b_wptr; 1024 ctrl->dl_primitive = DL_CONTROL_REQ; 1025 ctrl->dl_operation = DL_CO_SET; 1026 ctrl->dl_type = dlt; 1027 ctrl->dl_key_offset = sizeof (dl_control_req_t); 1028 ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t); 1029 ctrl->dl_data_offset = sizeof (dl_control_req_t) + 1030 sizeof (dl_ct_ipsec_key_t); 1031 ctrl->dl_data_length = sizeof (dl_ct_ipsec_t); 1032 protomp->b_wptr += sizeof (dl_control_req_t); 1033 1034 /* 1035 * then for each SADB entry, we fill out the dl_ct_ipsec_key_t 1036 * and dl_ct_ipsec_t 1037 */ 1038 sp = ill->ill_isv6 ? &(spp->s_v6) : &(spp->s_v4); 1039 sadb_ill_df(ill, protomp, sp->sdb_of, sp->sdb_hashsize, B_FALSE); 1040 sadb_ill_df(ill, protomp, sp->sdb_if, sp->sdb_hashsize, B_TRUE); 1041 freemsg(protomp); 1042 } 1043 1044 /* 1045 * Call me to free up a security association fanout. Use the forever 1046 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g. 1047 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE, 1048 * when a module is unloaded). 1049 */ 1050 static void 1051 sadb_destroyer(isaf_t **tablep, uint_t numentries, boolean_t forever, 1052 boolean_t inbound) 1053 { 1054 int i; 1055 isaf_t *table = *tablep; 1056 uint8_t protocol; 1057 ipsa_t *sa; 1058 netstackid_t sid; 1059 1060 if (table == NULL) 1061 return; 1062 1063 for (i = 0; i < numentries; i++) { 1064 mutex_enter(&table[i].isaf_lock); 1065 while ((sa = table[i].isaf_ipsa) != NULL) { 1066 if (inbound && cl_inet_deletespi && 1067 (sa->ipsa_state != IPSA_STATE_ACTIVE_ELSEWHERE) && 1068 (sa->ipsa_state != IPSA_STATE_IDLE)) { 1069 protocol = (sa->ipsa_type == SADB_SATYPE_AH) ? 1070 IPPROTO_AH : IPPROTO_ESP; 1071 sid = sa->ipsa_netstack->netstack_stackid; 1072 cl_inet_deletespi(sid, protocol, sa->ipsa_spi, 1073 NULL); 1074 } 1075 sadb_unlinkassoc(sa); 1076 } 1077 table[i].isaf_gen++; 1078 mutex_exit(&table[i].isaf_lock); 1079 if (forever) 1080 mutex_destroy(&(table[i].isaf_lock)); 1081 } 1082 1083 if (forever) { 1084 *tablep = NULL; 1085 kmem_free(table, numentries * sizeof (*table)); 1086 } 1087 } 1088 1089 /* 1090 * Entry points to sadb_destroyer(). 1091 */ 1092 static void 1093 sadb_flush(sadb_t *sp, netstack_t *ns) 1094 { 1095 /* 1096 * Flush out each bucket, one at a time. Were it not for keysock's 1097 * enforcement, there would be a subtlety where I could add on the 1098 * heels of a flush. With keysock's enforcement, however, this 1099 * makes ESP's job easy. 1100 */ 1101 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_FALSE, B_FALSE); 1102 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_FALSE, B_TRUE); 1103 1104 /* For each acquire, destroy it; leave the bucket mutex alone. */ 1105 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_FALSE, ns); 1106 } 1107 1108 static void 1109 sadb_destroy(sadb_t *sp, netstack_t *ns) 1110 { 1111 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_TRUE, B_FALSE); 1112 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_TRUE, B_TRUE); 1113 1114 /* For each acquire, destroy it, including the bucket mutex. */ 1115 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_TRUE, ns); 1116 1117 ASSERT(sp->sdb_of == NULL); 1118 ASSERT(sp->sdb_if == NULL); 1119 ASSERT(sp->sdb_acq == NULL); 1120 } 1121 1122 static void 1123 sadb_send_flush_req(sadbp_t *spp) 1124 { 1125 mblk_t *ctl_mp; 1126 1127 /* 1128 * we've been unplumbed, or never were plumbed; don't go there. 1129 */ 1130 if (spp->s_ip_q == NULL) 1131 return; 1132 1133 /* have IP send a flush msg to the IPsec accelerators */ 1134 ctl_mp = sadb_fmt_sa_req(DL_CO_FLUSH, spp->s_satype, NULL, B_TRUE); 1135 if (ctl_mp != NULL) 1136 putnext(spp->s_ip_q, ctl_mp); 1137 } 1138 1139 void 1140 sadbp_flush(sadbp_t *spp, netstack_t *ns) 1141 { 1142 sadb_flush(&spp->s_v4, ns); 1143 sadb_flush(&spp->s_v6, ns); 1144 1145 sadb_send_flush_req(spp); 1146 } 1147 1148 void 1149 sadbp_destroy(sadbp_t *spp, netstack_t *ns) 1150 { 1151 sadb_destroy(&spp->s_v4, ns); 1152 sadb_destroy(&spp->s_v6, ns); 1153 1154 sadb_send_flush_req(spp); 1155 if (spp->s_satype == SADB_SATYPE_AH) { 1156 ipsec_stack_t *ipss = ns->netstack_ipsec; 1157 1158 ip_drop_unregister(&ipss->ipsec_sadb_dropper); 1159 } 1160 } 1161 1162 1163 /* 1164 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g. 1165 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for 1166 * EINVAL. 1167 */ 1168 int 1169 sadb_hardsoftchk(sadb_lifetime_t *hard, sadb_lifetime_t *soft, 1170 sadb_lifetime_t *idle) 1171 { 1172 if (hard == NULL || soft == NULL) 1173 return (0); 1174 1175 if (hard->sadb_lifetime_allocations != 0 && 1176 soft->sadb_lifetime_allocations != 0 && 1177 hard->sadb_lifetime_allocations < soft->sadb_lifetime_allocations) 1178 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR); 1179 1180 if (hard->sadb_lifetime_bytes != 0 && 1181 soft->sadb_lifetime_bytes != 0 && 1182 hard->sadb_lifetime_bytes < soft->sadb_lifetime_bytes) 1183 return (SADB_X_DIAGNOSTIC_BYTES_HSERR); 1184 1185 if (hard->sadb_lifetime_addtime != 0 && 1186 soft->sadb_lifetime_addtime != 0 && 1187 hard->sadb_lifetime_addtime < soft->sadb_lifetime_addtime) 1188 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1189 1190 if (hard->sadb_lifetime_usetime != 0 && 1191 soft->sadb_lifetime_usetime != 0 && 1192 hard->sadb_lifetime_usetime < soft->sadb_lifetime_usetime) 1193 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1194 1195 if (idle != NULL) { 1196 if (hard->sadb_lifetime_addtime != 0 && 1197 idle->sadb_lifetime_addtime != 0 && 1198 hard->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) 1199 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1200 1201 if (soft->sadb_lifetime_addtime != 0 && 1202 idle->sadb_lifetime_addtime != 0 && 1203 soft->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) 1204 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 1205 1206 if (hard->sadb_lifetime_usetime != 0 && 1207 idle->sadb_lifetime_usetime != 0 && 1208 hard->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) 1209 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1210 1211 if (soft->sadb_lifetime_usetime != 0 && 1212 idle->sadb_lifetime_usetime != 0 && 1213 soft->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) 1214 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 1215 } 1216 1217 return (0); 1218 } 1219 1220 /* 1221 * Sanity check sensitivity labels. 1222 * 1223 * For now, just reject labels on unlabeled systems. 1224 */ 1225 int 1226 sadb_labelchk(keysock_in_t *ksi) 1227 { 1228 if (!is_system_labeled()) { 1229 if (ksi->ks_in_extv[SADB_EXT_SENSITIVITY] != NULL) 1230 return (SADB_X_DIAGNOSTIC_BAD_LABEL); 1231 1232 if (ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS] != NULL) 1233 return (SADB_X_DIAGNOSTIC_BAD_LABEL); 1234 } 1235 1236 return (0); 1237 } 1238 1239 /* 1240 * Clone a security association for the purposes of inserting a single SA 1241 * into inbound and outbound tables respectively. This function should only 1242 * be called from sadb_common_add(). 1243 */ 1244 static ipsa_t * 1245 sadb_cloneassoc(ipsa_t *ipsa) 1246 { 1247 ipsa_t *newbie; 1248 boolean_t error = B_FALSE; 1249 1250 ASSERT(MUTEX_NOT_HELD(&(ipsa->ipsa_lock))); 1251 1252 newbie = kmem_alloc(sizeof (ipsa_t), KM_NOSLEEP); 1253 if (newbie == NULL) 1254 return (NULL); 1255 1256 /* Copy over what we can. */ 1257 *newbie = *ipsa; 1258 1259 /* bzero and initialize locks, in case *_init() allocates... */ 1260 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 1261 1262 if (newbie->ipsa_cred != NULL) 1263 crhold(newbie->ipsa_cred); 1264 1265 if (newbie->ipsa_ocred != NULL) 1266 crhold(newbie->ipsa_ocred); 1267 1268 /* 1269 * While somewhat dain-bramaged, the most graceful way to 1270 * recover from errors is to keep plowing through the 1271 * allocations, and getting what I can. It's easier to call 1272 * sadb_freeassoc() on the stillborn clone when all the 1273 * pointers aren't pointing to the parent's data. 1274 */ 1275 1276 if (ipsa->ipsa_authkey != NULL) { 1277 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 1278 KM_NOSLEEP); 1279 if (newbie->ipsa_authkey == NULL) { 1280 error = B_TRUE; 1281 } else { 1282 bcopy(ipsa->ipsa_authkey, newbie->ipsa_authkey, 1283 newbie->ipsa_authkeylen); 1284 1285 newbie->ipsa_kcfauthkey.ck_data = 1286 newbie->ipsa_authkey; 1287 } 1288 1289 if (newbie->ipsa_amech.cm_param != NULL) { 1290 newbie->ipsa_amech.cm_param = 1291 (char *)&newbie->ipsa_mac_len; 1292 } 1293 } 1294 1295 if (ipsa->ipsa_encrkey != NULL) { 1296 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 1297 KM_NOSLEEP); 1298 if (newbie->ipsa_encrkey == NULL) { 1299 error = B_TRUE; 1300 } else { 1301 bcopy(ipsa->ipsa_encrkey, newbie->ipsa_encrkey, 1302 newbie->ipsa_encrkeylen); 1303 1304 newbie->ipsa_kcfencrkey.ck_data = 1305 newbie->ipsa_encrkey; 1306 } 1307 } 1308 1309 newbie->ipsa_authtmpl = NULL; 1310 newbie->ipsa_encrtmpl = NULL; 1311 newbie->ipsa_haspeer = B_TRUE; 1312 1313 if (ipsa->ipsa_src_cid != NULL) { 1314 newbie->ipsa_src_cid = ipsa->ipsa_src_cid; 1315 IPSID_REFHOLD(ipsa->ipsa_src_cid); 1316 } 1317 1318 if (ipsa->ipsa_dst_cid != NULL) { 1319 newbie->ipsa_dst_cid = ipsa->ipsa_dst_cid; 1320 IPSID_REFHOLD(ipsa->ipsa_dst_cid); 1321 } 1322 1323 if (error) { 1324 sadb_freeassoc(newbie); 1325 return (NULL); 1326 } 1327 1328 return (newbie); 1329 } 1330 1331 /* 1332 * Initialize a SADB address extension at the address specified by addrext. 1333 * Return a pointer to the end of the new address extension. 1334 */ 1335 static uint8_t * 1336 sadb_make_addr_ext(uint8_t *start, uint8_t *end, uint16_t exttype, 1337 sa_family_t af, uint32_t *addr, uint16_t port, uint8_t proto, int prefix) 1338 { 1339 struct sockaddr_in *sin; 1340 struct sockaddr_in6 *sin6; 1341 uint8_t *cur = start; 1342 int addrext_len; 1343 int sin_len; 1344 sadb_address_t *addrext = (sadb_address_t *)cur; 1345 1346 if (cur == NULL) 1347 return (NULL); 1348 1349 cur += sizeof (*addrext); 1350 if (cur > end) 1351 return (NULL); 1352 1353 addrext->sadb_address_proto = proto; 1354 addrext->sadb_address_prefixlen = prefix; 1355 addrext->sadb_address_reserved = 0; 1356 addrext->sadb_address_exttype = exttype; 1357 1358 switch (af) { 1359 case AF_INET: 1360 sin = (struct sockaddr_in *)cur; 1361 sin_len = sizeof (*sin); 1362 cur += sin_len; 1363 if (cur > end) 1364 return (NULL); 1365 1366 sin->sin_family = af; 1367 bzero(sin->sin_zero, sizeof (sin->sin_zero)); 1368 sin->sin_port = port; 1369 IPSA_COPY_ADDR(&sin->sin_addr, addr, af); 1370 break; 1371 case AF_INET6: 1372 sin6 = (struct sockaddr_in6 *)cur; 1373 sin_len = sizeof (*sin6); 1374 cur += sin_len; 1375 if (cur > end) 1376 return (NULL); 1377 1378 bzero(sin6, sizeof (*sin6)); 1379 sin6->sin6_family = af; 1380 sin6->sin6_port = port; 1381 IPSA_COPY_ADDR(&sin6->sin6_addr, addr, af); 1382 break; 1383 } 1384 1385 addrext_len = roundup(cur - start, sizeof (uint64_t)); 1386 addrext->sadb_address_len = SADB_8TO64(addrext_len); 1387 1388 cur = start + addrext_len; 1389 if (cur > end) 1390 cur = NULL; 1391 1392 return (cur); 1393 } 1394 1395 /* 1396 * Construct a key management cookie extension. 1397 */ 1398 1399 static uint8_t * 1400 sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint32_t kmc) 1401 { 1402 sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur; 1403 1404 if (cur == NULL) 1405 return (NULL); 1406 1407 cur += sizeof (*kmcext); 1408 1409 if (cur > end) 1410 return (NULL); 1411 1412 kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext)); 1413 kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE; 1414 kmcext->sadb_x_kmc_proto = kmp; 1415 kmcext->sadb_x_kmc_cookie = kmc; 1416 kmcext->sadb_x_kmc_reserved = 0; 1417 1418 return (cur); 1419 } 1420 1421 /* 1422 * Given an original message header with sufficient space following it, and an 1423 * SA, construct a full PF_KEY message with all of the relevant extensions. 1424 * This is mostly used for SADB_GET, and SADB_DUMP. 1425 */ 1426 static mblk_t * 1427 sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg) 1428 { 1429 int alloclen, addrsize, paddrsize, authsize, encrsize; 1430 int srcidsize, dstidsize, senslen, osenslen; 1431 sa_family_t fam, pfam; /* Address family for SADB_EXT_ADDRESS */ 1432 /* src/dst and proxy sockaddrs. */ 1433 /* 1434 * The following are pointers into the PF_KEY message this PF_KEY 1435 * message creates. 1436 */ 1437 sadb_msg_t *newsamsg; 1438 sadb_sa_t *assoc; 1439 sadb_lifetime_t *lt; 1440 sadb_key_t *key; 1441 sadb_ident_t *ident; 1442 sadb_sens_t *sens; 1443 sadb_ext_t *walker; /* For when we need a generic ext. pointer. */ 1444 sadb_x_replay_ctr_t *repl_ctr; 1445 sadb_x_pair_t *pair_ext; 1446 1447 mblk_t *mp; 1448 uint8_t *cur, *end; 1449 /* These indicate the presence of the above extension fields. */ 1450 boolean_t soft = B_FALSE, hard = B_FALSE; 1451 boolean_t isrc = B_FALSE, idst = B_FALSE; 1452 boolean_t auth = B_FALSE, encr = B_FALSE; 1453 boolean_t sensinteg = B_FALSE, osensinteg = B_FALSE; 1454 boolean_t srcid = B_FALSE, dstid = B_FALSE; 1455 boolean_t idle; 1456 boolean_t paired; 1457 uint32_t otherspi; 1458 1459 /* First off, figure out the allocation length for this message. */ 1460 /* 1461 * Constant stuff. This includes base, SA, address (src, dst), 1462 * and lifetime (current). 1463 */ 1464 alloclen = sizeof (sadb_msg_t) + sizeof (sadb_sa_t) + 1465 sizeof (sadb_lifetime_t); 1466 1467 fam = ipsa->ipsa_addrfam; 1468 switch (fam) { 1469 case AF_INET: 1470 addrsize = roundup(sizeof (struct sockaddr_in) + 1471 sizeof (sadb_address_t), sizeof (uint64_t)); 1472 break; 1473 case AF_INET6: 1474 addrsize = roundup(sizeof (struct sockaddr_in6) + 1475 sizeof (sadb_address_t), sizeof (uint64_t)); 1476 break; 1477 default: 1478 return (NULL); 1479 } 1480 /* 1481 * Allocate TWO address extensions, for source and destination. 1482 * (Thus, the * 2.) 1483 */ 1484 alloclen += addrsize * 2; 1485 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) 1486 alloclen += addrsize; 1487 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) 1488 alloclen += addrsize; 1489 1490 if (ipsa->ipsa_flags & IPSA_F_PAIRED) { 1491 paired = B_TRUE; 1492 alloclen += sizeof (sadb_x_pair_t); 1493 otherspi = ipsa->ipsa_otherspi; 1494 } else { 1495 paired = B_FALSE; 1496 } 1497 1498 /* How 'bout other lifetimes? */ 1499 if (ipsa->ipsa_softaddlt != 0 || ipsa->ipsa_softuselt != 0 || 1500 ipsa->ipsa_softbyteslt != 0 || ipsa->ipsa_softalloc != 0) { 1501 alloclen += sizeof (sadb_lifetime_t); 1502 soft = B_TRUE; 1503 } 1504 1505 if (ipsa->ipsa_hardaddlt != 0 || ipsa->ipsa_harduselt != 0 || 1506 ipsa->ipsa_hardbyteslt != 0 || ipsa->ipsa_hardalloc != 0) { 1507 alloclen += sizeof (sadb_lifetime_t); 1508 hard = B_TRUE; 1509 } 1510 1511 if (ipsa->ipsa_idleaddlt != 0 || ipsa->ipsa_idleuselt != 0) { 1512 alloclen += sizeof (sadb_lifetime_t); 1513 idle = B_TRUE; 1514 } else { 1515 idle = B_FALSE; 1516 } 1517 1518 /* Inner addresses. */ 1519 if (ipsa->ipsa_innerfam != 0) { 1520 pfam = ipsa->ipsa_innerfam; 1521 switch (pfam) { 1522 case AF_INET6: 1523 paddrsize = roundup(sizeof (struct sockaddr_in6) + 1524 sizeof (sadb_address_t), sizeof (uint64_t)); 1525 break; 1526 case AF_INET: 1527 paddrsize = roundup(sizeof (struct sockaddr_in) + 1528 sizeof (sadb_address_t), sizeof (uint64_t)); 1529 break; 1530 default: 1531 cmn_err(CE_PANIC, 1532 "IPsec SADB: Proxy length failure.\n"); 1533 break; 1534 } 1535 isrc = B_TRUE; 1536 idst = B_TRUE; 1537 alloclen += 2 * paddrsize; 1538 } 1539 1540 /* For the following fields, assume that length != 0 ==> stuff */ 1541 if (ipsa->ipsa_authkeylen != 0) { 1542 authsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_authkeylen, 1543 sizeof (uint64_t)); 1544 alloclen += authsize; 1545 auth = B_TRUE; 1546 } 1547 1548 if (ipsa->ipsa_encrkeylen != 0) { 1549 encrsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_encrkeylen + 1550 ipsa->ipsa_nonce_len, sizeof (uint64_t)); 1551 alloclen += encrsize; 1552 encr = B_TRUE; 1553 } else { 1554 encr = B_FALSE; 1555 } 1556 1557 if (ipsa->ipsa_cred != NULL) { 1558 senslen = sadb_sens_len_from_cred(ipsa->ipsa_cred); 1559 alloclen += senslen; 1560 sensinteg = B_TRUE; 1561 } 1562 1563 if (ipsa->ipsa_ocred != NULL) { 1564 osenslen = sadb_sens_len_from_cred(ipsa->ipsa_ocred); 1565 alloclen += osenslen; 1566 osensinteg = B_TRUE; 1567 } 1568 1569 /* 1570 * Must use strlen() here for lengths. Identities use NULL 1571 * pointers to indicate their nonexistence. 1572 */ 1573 if (ipsa->ipsa_src_cid != NULL) { 1574 srcidsize = roundup(sizeof (sadb_ident_t) + 1575 strlen(ipsa->ipsa_src_cid->ipsid_cid) + 1, 1576 sizeof (uint64_t)); 1577 alloclen += srcidsize; 1578 srcid = B_TRUE; 1579 } 1580 1581 if (ipsa->ipsa_dst_cid != NULL) { 1582 dstidsize = roundup(sizeof (sadb_ident_t) + 1583 strlen(ipsa->ipsa_dst_cid->ipsid_cid) + 1, 1584 sizeof (uint64_t)); 1585 alloclen += dstidsize; 1586 dstid = B_TRUE; 1587 } 1588 1589 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) 1590 alloclen += sizeof (sadb_x_kmc_t); 1591 1592 if (ipsa->ipsa_replay != 0) { 1593 alloclen += sizeof (sadb_x_replay_ctr_t); 1594 } 1595 1596 /* Make sure the allocation length is a multiple of 8 bytes. */ 1597 ASSERT((alloclen & 0x7) == 0); 1598 1599 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */ 1600 mp = allocb(alloclen, BPRI_HI); 1601 if (mp == NULL) 1602 return (NULL); 1603 bzero(mp->b_rptr, alloclen); 1604 1605 mp->b_wptr += alloclen; 1606 end = mp->b_wptr; 1607 newsamsg = (sadb_msg_t *)mp->b_rptr; 1608 *newsamsg = *samsg; 1609 newsamsg->sadb_msg_len = (uint16_t)SADB_8TO64(alloclen); 1610 1611 mutex_enter(&ipsa->ipsa_lock); /* Since I'm grabbing SA fields... */ 1612 1613 newsamsg->sadb_msg_satype = ipsa->ipsa_type; 1614 1615 assoc = (sadb_sa_t *)(newsamsg + 1); 1616 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc)); 1617 assoc->sadb_sa_exttype = SADB_EXT_SA; 1618 assoc->sadb_sa_spi = ipsa->ipsa_spi; 1619 assoc->sadb_sa_replay = ipsa->ipsa_replay_wsize; 1620 assoc->sadb_sa_state = ipsa->ipsa_state; 1621 assoc->sadb_sa_auth = ipsa->ipsa_auth_alg; 1622 assoc->sadb_sa_encrypt = ipsa->ipsa_encr_alg; 1623 assoc->sadb_sa_flags = ipsa->ipsa_flags; 1624 1625 lt = (sadb_lifetime_t *)(assoc + 1); 1626 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1627 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 1628 /* We do not support the concept. */ 1629 lt->sadb_lifetime_allocations = 0; 1630 lt->sadb_lifetime_bytes = ipsa->ipsa_bytes; 1631 lt->sadb_lifetime_addtime = ipsa->ipsa_addtime; 1632 lt->sadb_lifetime_usetime = ipsa->ipsa_usetime; 1633 1634 if (hard) { 1635 lt++; 1636 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1637 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 1638 lt->sadb_lifetime_allocations = ipsa->ipsa_hardalloc; 1639 lt->sadb_lifetime_bytes = ipsa->ipsa_hardbyteslt; 1640 lt->sadb_lifetime_addtime = ipsa->ipsa_hardaddlt; 1641 lt->sadb_lifetime_usetime = ipsa->ipsa_harduselt; 1642 } 1643 1644 if (soft) { 1645 lt++; 1646 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1647 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 1648 lt->sadb_lifetime_allocations = ipsa->ipsa_softalloc; 1649 lt->sadb_lifetime_bytes = ipsa->ipsa_softbyteslt; 1650 lt->sadb_lifetime_addtime = ipsa->ipsa_softaddlt; 1651 lt->sadb_lifetime_usetime = ipsa->ipsa_softuselt; 1652 } 1653 1654 if (idle) { 1655 lt++; 1656 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1657 lt->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE; 1658 lt->sadb_lifetime_addtime = ipsa->ipsa_idleaddlt; 1659 lt->sadb_lifetime_usetime = ipsa->ipsa_idleuselt; 1660 } 1661 1662 cur = (uint8_t *)(lt + 1); 1663 1664 /* NOTE: Don't fill in ports here if we are a tunnel-mode SA. */ 1665 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, fam, 1666 ipsa->ipsa_srcaddr, (!isrc && !idst) ? SA_SRCPORT(ipsa) : 0, 1667 SA_PROTO(ipsa), 0); 1668 if (cur == NULL) { 1669 freemsg(mp); 1670 mp = NULL; 1671 goto bail; 1672 } 1673 1674 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, fam, 1675 ipsa->ipsa_dstaddr, (!isrc && !idst) ? SA_DSTPORT(ipsa) : 0, 1676 SA_PROTO(ipsa), 0); 1677 if (cur == NULL) { 1678 freemsg(mp); 1679 mp = NULL; 1680 goto bail; 1681 } 1682 1683 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) { 1684 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_LOC, 1685 fam, &ipsa->ipsa_natt_addr_loc, ipsa->ipsa_local_nat_port, 1686 IPPROTO_UDP, 0); 1687 if (cur == NULL) { 1688 freemsg(mp); 1689 mp = NULL; 1690 goto bail; 1691 } 1692 } 1693 1694 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) { 1695 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_REM, 1696 fam, &ipsa->ipsa_natt_addr_rem, ipsa->ipsa_remote_nat_port, 1697 IPPROTO_UDP, 0); 1698 if (cur == NULL) { 1699 freemsg(mp); 1700 mp = NULL; 1701 goto bail; 1702 } 1703 } 1704 1705 /* If we are a tunnel-mode SA, fill in the inner-selectors. */ 1706 if (isrc) { 1707 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 1708 pfam, ipsa->ipsa_innersrc, SA_SRCPORT(ipsa), 1709 SA_IPROTO(ipsa), ipsa->ipsa_innersrcpfx); 1710 if (cur == NULL) { 1711 freemsg(mp); 1712 mp = NULL; 1713 goto bail; 1714 } 1715 } 1716 1717 if (idst) { 1718 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 1719 pfam, ipsa->ipsa_innerdst, SA_DSTPORT(ipsa), 1720 SA_IPROTO(ipsa), ipsa->ipsa_innerdstpfx); 1721 if (cur == NULL) { 1722 freemsg(mp); 1723 mp = NULL; 1724 goto bail; 1725 } 1726 } 1727 1728 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) { 1729 cur = sadb_make_kmc_ext(cur, end, 1730 ipsa->ipsa_kmp, ipsa->ipsa_kmc); 1731 if (cur == NULL) { 1732 freemsg(mp); 1733 mp = NULL; 1734 goto bail; 1735 } 1736 } 1737 1738 walker = (sadb_ext_t *)cur; 1739 if (auth) { 1740 key = (sadb_key_t *)walker; 1741 key->sadb_key_len = SADB_8TO64(authsize); 1742 key->sadb_key_exttype = SADB_EXT_KEY_AUTH; 1743 key->sadb_key_bits = ipsa->ipsa_authkeybits; 1744 key->sadb_key_reserved = 0; 1745 bcopy(ipsa->ipsa_authkey, key + 1, ipsa->ipsa_authkeylen); 1746 walker = (sadb_ext_t *)((uint64_t *)walker + 1747 walker->sadb_ext_len); 1748 } 1749 1750 if (encr) { 1751 uint8_t *buf_ptr; 1752 key = (sadb_key_t *)walker; 1753 key->sadb_key_len = SADB_8TO64(encrsize); 1754 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 1755 key->sadb_key_bits = ipsa->ipsa_encrkeybits; 1756 key->sadb_key_reserved = ipsa->ipsa_saltbits; 1757 buf_ptr = (uint8_t *)(key + 1); 1758 bcopy(ipsa->ipsa_encrkey, buf_ptr, ipsa->ipsa_encrkeylen); 1759 if (ipsa->ipsa_salt != NULL) { 1760 buf_ptr += ipsa->ipsa_encrkeylen; 1761 bcopy(ipsa->ipsa_salt, buf_ptr, ipsa->ipsa_saltlen); 1762 } 1763 walker = (sadb_ext_t *)((uint64_t *)walker + 1764 walker->sadb_ext_len); 1765 } 1766 1767 if (srcid) { 1768 ident = (sadb_ident_t *)walker; 1769 ident->sadb_ident_len = SADB_8TO64(srcidsize); 1770 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 1771 ident->sadb_ident_type = ipsa->ipsa_src_cid->ipsid_type; 1772 ident->sadb_ident_id = 0; 1773 ident->sadb_ident_reserved = 0; 1774 (void) strcpy((char *)(ident + 1), 1775 ipsa->ipsa_src_cid->ipsid_cid); 1776 walker = (sadb_ext_t *)((uint64_t *)walker + 1777 walker->sadb_ext_len); 1778 } 1779 1780 if (dstid) { 1781 ident = (sadb_ident_t *)walker; 1782 ident->sadb_ident_len = SADB_8TO64(dstidsize); 1783 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 1784 ident->sadb_ident_type = ipsa->ipsa_dst_cid->ipsid_type; 1785 ident->sadb_ident_id = 0; 1786 ident->sadb_ident_reserved = 0; 1787 (void) strcpy((char *)(ident + 1), 1788 ipsa->ipsa_dst_cid->ipsid_cid); 1789 walker = (sadb_ext_t *)((uint64_t *)walker + 1790 walker->sadb_ext_len); 1791 } 1792 1793 if (sensinteg) { 1794 sens = (sadb_sens_t *)walker; 1795 sadb_sens_from_cred(sens, SADB_EXT_SENSITIVITY, 1796 ipsa->ipsa_cred, senslen); 1797 1798 walker = (sadb_ext_t *)((uint64_t *)walker + 1799 walker->sadb_ext_len); 1800 } 1801 1802 if (osensinteg) { 1803 sens = (sadb_sens_t *)walker; 1804 1805 sadb_sens_from_cred(sens, SADB_X_EXT_OUTER_SENS, 1806 ipsa->ipsa_ocred, osenslen); 1807 if (ipsa->ipsa_mac_exempt) 1808 sens->sadb_x_sens_flags = SADB_X_SENS_IMPLICIT; 1809 1810 walker = (sadb_ext_t *)((uint64_t *)walker + 1811 walker->sadb_ext_len); 1812 } 1813 1814 if (paired) { 1815 pair_ext = (sadb_x_pair_t *)walker; 1816 1817 pair_ext->sadb_x_pair_len = SADB_8TO64(sizeof (sadb_x_pair_t)); 1818 pair_ext->sadb_x_pair_exttype = SADB_X_EXT_PAIR; 1819 pair_ext->sadb_x_pair_spi = otherspi; 1820 1821 walker = (sadb_ext_t *)((uint64_t *)walker + 1822 walker->sadb_ext_len); 1823 } 1824 1825 if (ipsa->ipsa_replay != 0) { 1826 repl_ctr = (sadb_x_replay_ctr_t *)walker; 1827 repl_ctr->sadb_x_rc_len = SADB_8TO64(sizeof (*repl_ctr)); 1828 repl_ctr->sadb_x_rc_exttype = SADB_X_EXT_REPLAY_VALUE; 1829 repl_ctr->sadb_x_rc_replay32 = ipsa->ipsa_replay; 1830 repl_ctr->sadb_x_rc_replay64 = 0; 1831 walker = (sadb_ext_t *)(repl_ctr + 1); 1832 } 1833 1834 bail: 1835 /* Pardon any delays... */ 1836 mutex_exit(&ipsa->ipsa_lock); 1837 1838 return (mp); 1839 } 1840 1841 /* 1842 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN) 1843 * and adjust base message accordingly. 1844 * 1845 * Assume message is pulled up in one piece of contiguous memory. 1846 * 1847 * Say if we start off with: 1848 * 1849 * +------+----+-------------+-----------+---------------+---------------+ 1850 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime | 1851 * +------+----+-------------+-----------+---------------+---------------+ 1852 * 1853 * we will end up with 1854 * 1855 * +------+----+-------------+-----------+---------------+ 1856 * | base | SA | source addr | dest addr | soft lifetime | 1857 * +------+----+-------------+-----------+---------------+ 1858 */ 1859 static void 1860 sadb_strip(sadb_msg_t *samsg) 1861 { 1862 sadb_ext_t *ext; 1863 uint8_t *target = NULL; 1864 uint8_t *msgend; 1865 int sofar = SADB_8TO64(sizeof (*samsg)); 1866 int copylen; 1867 1868 ext = (sadb_ext_t *)(samsg + 1); 1869 msgend = (uint8_t *)samsg; 1870 msgend += SADB_64TO8(samsg->sadb_msg_len); 1871 while ((uint8_t *)ext < msgend) { 1872 if (ext->sadb_ext_type == SADB_EXT_RESERVED || 1873 ext->sadb_ext_type == SADB_EXT_KEY_AUTH || 1874 ext->sadb_ext_type == SADB_X_EXT_EDUMP || 1875 ext->sadb_ext_type == SADB_EXT_KEY_ENCRYPT) { 1876 /* 1877 * Aha! I found a header to be erased. 1878 */ 1879 1880 if (target != NULL) { 1881 /* 1882 * If I had a previous header to be erased, 1883 * copy over it. I can get away with just 1884 * copying backwards because the target will 1885 * always be 8 bytes behind the source. 1886 */ 1887 copylen = ((uint8_t *)ext) - (target + 1888 SADB_64TO8( 1889 ((sadb_ext_t *)target)->sadb_ext_len)); 1890 ovbcopy(((uint8_t *)ext - copylen), target, 1891 copylen); 1892 target += copylen; 1893 ((sadb_ext_t *)target)->sadb_ext_len = 1894 SADB_8TO64(((uint8_t *)ext) - target + 1895 SADB_64TO8(ext->sadb_ext_len)); 1896 } else { 1897 target = (uint8_t *)ext; 1898 } 1899 } else { 1900 sofar += ext->sadb_ext_len; 1901 } 1902 1903 ext = (sadb_ext_t *)(((uint64_t *)ext) + ext->sadb_ext_len); 1904 } 1905 1906 ASSERT((uint8_t *)ext == msgend); 1907 1908 if (target != NULL) { 1909 copylen = ((uint8_t *)ext) - (target + 1910 SADB_64TO8(((sadb_ext_t *)target)->sadb_ext_len)); 1911 if (copylen != 0) 1912 ovbcopy(((uint8_t *)ext - copylen), target, copylen); 1913 } 1914 1915 /* Adjust samsg. */ 1916 samsg->sadb_msg_len = (uint16_t)sofar; 1917 1918 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */ 1919 } 1920 1921 /* 1922 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL 1923 * followed by an M_DATA with a PF_KEY message in it. The serial of 1924 * the sending keysock instance is included. 1925 */ 1926 void 1927 sadb_pfkey_error(queue_t *pfkey_q, mblk_t *mp, int error, int diagnostic, 1928 uint_t serial) 1929 { 1930 mblk_t *msg = mp->b_cont; 1931 sadb_msg_t *samsg; 1932 keysock_out_t *kso; 1933 1934 /* 1935 * Enough functions call this to merit a NULL queue check. 1936 */ 1937 if (pfkey_q == NULL) { 1938 freemsg(mp); 1939 return; 1940 } 1941 1942 ASSERT(msg != NULL); 1943 ASSERT((mp->b_wptr - mp->b_rptr) == sizeof (ipsec_info_t)); 1944 ASSERT((msg->b_wptr - msg->b_rptr) >= sizeof (sadb_msg_t)); 1945 samsg = (sadb_msg_t *)msg->b_rptr; 1946 kso = (keysock_out_t *)mp->b_rptr; 1947 1948 kso->ks_out_type = KEYSOCK_OUT; 1949 kso->ks_out_len = sizeof (*kso); 1950 kso->ks_out_serial = serial; 1951 1952 /* 1953 * Only send the base message up in the event of an error. 1954 * Don't worry about bzero()-ing, because it was probably bogus 1955 * anyway. 1956 */ 1957 msg->b_wptr = msg->b_rptr + sizeof (*samsg); 1958 samsg = (sadb_msg_t *)msg->b_rptr; 1959 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 1960 samsg->sadb_msg_errno = (uint8_t)error; 1961 if (diagnostic != SADB_X_DIAGNOSTIC_PRESET) 1962 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 1963 1964 putnext(pfkey_q, mp); 1965 } 1966 1967 /* 1968 * Send a successful return packet back to keysock via the queue in pfkey_q. 1969 * 1970 * Often, an SA is associated with the reply message, it's passed in if needed, 1971 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held, 1972 * and the caller will release said refcnt. 1973 */ 1974 void 1975 sadb_pfkey_echo(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 1976 keysock_in_t *ksi, ipsa_t *ipsa) 1977 { 1978 keysock_out_t *kso; 1979 mblk_t *mp1; 1980 sadb_msg_t *newsamsg; 1981 uint8_t *oldend; 1982 1983 ASSERT((mp->b_cont != NULL) && 1984 ((void *)samsg == (void *)mp->b_cont->b_rptr) && 1985 ((void *)mp->b_rptr == (void *)ksi)); 1986 1987 switch (samsg->sadb_msg_type) { 1988 case SADB_ADD: 1989 case SADB_UPDATE: 1990 case SADB_X_UPDATEPAIR: 1991 case SADB_X_DELPAIR_STATE: 1992 case SADB_FLUSH: 1993 case SADB_DUMP: 1994 /* 1995 * I have all of the message already. I just need to strip 1996 * out the keying material and echo the message back. 1997 * 1998 * NOTE: for SADB_DUMP, the function sadb_dump() did the 1999 * work. When DUMP reaches here, it should only be a base 2000 * message. 2001 */ 2002 justecho: 2003 if (ksi->ks_in_extv[SADB_EXT_KEY_AUTH] != NULL || 2004 ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT] != NULL || 2005 ksi->ks_in_extv[SADB_X_EXT_EDUMP] != NULL) { 2006 sadb_strip(samsg); 2007 /* Assume PF_KEY message is contiguous. */ 2008 ASSERT(mp->b_cont->b_cont == NULL); 2009 oldend = mp->b_cont->b_wptr; 2010 mp->b_cont->b_wptr = mp->b_cont->b_rptr + 2011 SADB_64TO8(samsg->sadb_msg_len); 2012 bzero(mp->b_cont->b_wptr, oldend - mp->b_cont->b_wptr); 2013 } 2014 break; 2015 case SADB_GET: 2016 /* 2017 * Do a lot of work here, because of the ipsa I just found. 2018 * First construct the new PF_KEY message, then abandon 2019 * the old one. 2020 */ 2021 mp1 = sadb_sa2msg(ipsa, samsg); 2022 if (mp1 == NULL) { 2023 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 2024 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 2025 return; 2026 } 2027 freemsg(mp->b_cont); 2028 mp->b_cont = mp1; 2029 break; 2030 case SADB_DELETE: 2031 case SADB_X_DELPAIR: 2032 if (ipsa == NULL) 2033 goto justecho; 2034 /* 2035 * Because listening KMds may require more info, treat 2036 * DELETE like a special case of GET. 2037 */ 2038 mp1 = sadb_sa2msg(ipsa, samsg); 2039 if (mp1 == NULL) { 2040 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 2041 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 2042 return; 2043 } 2044 newsamsg = (sadb_msg_t *)mp1->b_rptr; 2045 sadb_strip(newsamsg); 2046 oldend = mp1->b_wptr; 2047 mp1->b_wptr = mp1->b_rptr + SADB_64TO8(newsamsg->sadb_msg_len); 2048 bzero(mp1->b_wptr, oldend - mp1->b_wptr); 2049 freemsg(mp->b_cont); 2050 mp->b_cont = mp1; 2051 break; 2052 default: 2053 if (mp != NULL) 2054 freemsg(mp); 2055 return; 2056 } 2057 2058 /* ksi is now null and void. */ 2059 kso = (keysock_out_t *)ksi; 2060 kso->ks_out_type = KEYSOCK_OUT; 2061 kso->ks_out_len = sizeof (*kso); 2062 kso->ks_out_serial = ksi->ks_in_serial; 2063 /* We're ready to send... */ 2064 putnext(pfkey_q, mp); 2065 } 2066 2067 /* 2068 * Set up a global pfkey_q instance for AH, ESP, or some other consumer. 2069 */ 2070 void 2071 sadb_keysock_hello(queue_t **pfkey_qp, queue_t *q, mblk_t *mp, 2072 void (*ager)(void *), void *agerarg, timeout_id_t *top, int satype) 2073 { 2074 keysock_hello_ack_t *kha; 2075 queue_t *oldq; 2076 2077 ASSERT(OTHERQ(q) != NULL); 2078 2079 /* 2080 * First, check atomically that I'm the first and only keysock 2081 * instance. 2082 * 2083 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp), 2084 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY 2085 * messages. 2086 */ 2087 2088 oldq = casptr((void **)pfkey_qp, NULL, OTHERQ(q)); 2089 if (oldq != NULL) { 2090 ASSERT(oldq != q); 2091 cmn_err(CE_WARN, "Danger! Multiple keysocks on top of %s.\n", 2092 (satype == SADB_SATYPE_ESP)? "ESP" : "AH or other"); 2093 freemsg(mp); 2094 return; 2095 } 2096 2097 kha = (keysock_hello_ack_t *)mp->b_rptr; 2098 kha->ks_hello_len = sizeof (keysock_hello_ack_t); 2099 kha->ks_hello_type = KEYSOCK_HELLO_ACK; 2100 kha->ks_hello_satype = (uint8_t)satype; 2101 2102 /* 2103 * If we made it past the casptr, then we have "exclusive" access 2104 * to the timeout handle. Fire it off after the default ager 2105 * interval. 2106 */ 2107 *top = qtimeout(*pfkey_qp, ager, agerarg, 2108 drv_usectohz(SADB_AGE_INTERVAL_DEFAULT * 1000)); 2109 2110 putnext(*pfkey_qp, mp); 2111 } 2112 2113 /* 2114 * Normalize IPv4-mapped IPv6 addresses (and prefixes) as appropriate. 2115 * 2116 * Check addresses themselves for wildcard or multicast. 2117 * Check ire table for local/non-local/broadcast. 2118 */ 2119 int 2120 sadb_addrcheck(queue_t *pfkey_q, mblk_t *mp, sadb_ext_t *ext, uint_t serial, 2121 netstack_t *ns) 2122 { 2123 sadb_address_t *addr = (sadb_address_t *)ext; 2124 struct sockaddr_in *sin; 2125 struct sockaddr_in6 *sin6; 2126 ire_t *ire; 2127 int diagnostic, type; 2128 boolean_t normalized = B_FALSE; 2129 2130 ASSERT(ext != NULL); 2131 ASSERT((ext->sadb_ext_type == SADB_EXT_ADDRESS_SRC) || 2132 (ext->sadb_ext_type == SADB_EXT_ADDRESS_DST) || 2133 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) || 2134 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) || 2135 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_LOC) || 2136 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_REM)); 2137 2138 /* Assign both sockaddrs, the compiler will do the right thing. */ 2139 sin = (struct sockaddr_in *)(addr + 1); 2140 sin6 = (struct sockaddr_in6 *)(addr + 1); 2141 2142 if (sin6->sin6_family == AF_INET6) { 2143 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { 2144 /* 2145 * Convert to an AF_INET sockaddr. This means the 2146 * return messages will have the extra space, but have 2147 * AF_INET sockaddrs instead of AF_INET6. 2148 * 2149 * Yes, RFC 2367 isn't clear on what to do here w.r.t. 2150 * mapped addresses, but since AF_INET6 ::ffff:<v4> is 2151 * equal to AF_INET <v4>, it shouldnt be a huge 2152 * problem. 2153 */ 2154 sin->sin_family = AF_INET; 2155 IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, 2156 &sin->sin_addr); 2157 bzero(&sin->sin_zero, sizeof (sin->sin_zero)); 2158 normalized = B_TRUE; 2159 } 2160 } else if (sin->sin_family != AF_INET) { 2161 switch (ext->sadb_ext_type) { 2162 case SADB_EXT_ADDRESS_SRC: 2163 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC_AF; 2164 break; 2165 case SADB_EXT_ADDRESS_DST: 2166 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 2167 break; 2168 case SADB_X_EXT_ADDRESS_INNER_SRC: 2169 diagnostic = SADB_X_DIAGNOSTIC_BAD_PROXY_AF; 2170 break; 2171 case SADB_X_EXT_ADDRESS_INNER_DST: 2172 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF; 2173 break; 2174 case SADB_X_EXT_ADDRESS_NATT_LOC: 2175 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF; 2176 break; 2177 case SADB_X_EXT_ADDRESS_NATT_REM: 2178 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF; 2179 break; 2180 /* There is no default, see above ASSERT. */ 2181 } 2182 bail: 2183 if (pfkey_q != NULL) { 2184 sadb_pfkey_error(pfkey_q, mp, EINVAL, diagnostic, 2185 serial); 2186 } else { 2187 /* 2188 * Scribble in sadb_msg that we got passed in. 2189 * Overload "mp" to be an sadb_msg pointer. 2190 */ 2191 sadb_msg_t *samsg = (sadb_msg_t *)mp; 2192 2193 samsg->sadb_msg_errno = EINVAL; 2194 samsg->sadb_x_msg_diagnostic = diagnostic; 2195 } 2196 return (KS_IN_ADDR_UNKNOWN); 2197 } 2198 2199 if (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC || 2200 ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) { 2201 /* 2202 * We need only check for prefix issues. 2203 */ 2204 2205 /* Set diagnostic now, in case we need it later. */ 2206 diagnostic = 2207 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) ? 2208 SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC : 2209 SADB_X_DIAGNOSTIC_PREFIX_INNER_DST; 2210 2211 if (normalized) 2212 addr->sadb_address_prefixlen -= 96; 2213 2214 /* 2215 * Verify and mask out inner-addresses based on prefix length. 2216 */ 2217 if (sin->sin_family == AF_INET) { 2218 if (addr->sadb_address_prefixlen > 32) 2219 goto bail; 2220 sin->sin_addr.s_addr &= 2221 ip_plen_to_mask(addr->sadb_address_prefixlen); 2222 } else { 2223 in6_addr_t mask; 2224 2225 ASSERT(sin->sin_family == AF_INET6); 2226 /* 2227 * ip_plen_to_mask_v6() returns NULL if the value in 2228 * question is out of range. 2229 */ 2230 if (ip_plen_to_mask_v6(addr->sadb_address_prefixlen, 2231 &mask) == NULL) 2232 goto bail; 2233 sin6->sin6_addr.s6_addr32[0] &= mask.s6_addr32[0]; 2234 sin6->sin6_addr.s6_addr32[1] &= mask.s6_addr32[1]; 2235 sin6->sin6_addr.s6_addr32[2] &= mask.s6_addr32[2]; 2236 sin6->sin6_addr.s6_addr32[3] &= mask.s6_addr32[3]; 2237 } 2238 2239 /* We don't care in these cases. */ 2240 return (KS_IN_ADDR_DONTCARE); 2241 } 2242 2243 if (sin->sin_family == AF_INET6) { 2244 /* Check the easy ones now. */ 2245 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) 2246 return (KS_IN_ADDR_MBCAST); 2247 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) 2248 return (KS_IN_ADDR_UNSPEC); 2249 /* 2250 * At this point, we're a unicast IPv6 address. 2251 * 2252 * A ctable lookup for local is sufficient here. If we're 2253 * local, return KS_IN_ADDR_ME, otherwise KS_IN_ADDR_NOTME. 2254 * 2255 * XXX Zones alert -> me/notme decision needs to be tempered 2256 * by what zone we're in when we go to zone-aware IPsec. 2257 */ 2258 ire = ire_ctable_lookup_v6(&sin6->sin6_addr, NULL, 2259 IRE_LOCAL, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 2260 ns->netstack_ip); 2261 if (ire != NULL) { 2262 /* Hey hey, it's local. */ 2263 IRE_REFRELE(ire); 2264 return (KS_IN_ADDR_ME); 2265 } 2266 } else { 2267 ASSERT(sin->sin_family == AF_INET); 2268 if (sin->sin_addr.s_addr == INADDR_ANY) 2269 return (KS_IN_ADDR_UNSPEC); 2270 if (CLASSD(sin->sin_addr.s_addr)) 2271 return (KS_IN_ADDR_MBCAST); 2272 /* 2273 * At this point we're a unicast or broadcast IPv4 address. 2274 * 2275 * Lookup on the ctable for IRE_BROADCAST or IRE_LOCAL. 2276 * A NULL return value is NOTME, otherwise, look at the 2277 * returned ire for broadcast or not and return accordingly. 2278 * 2279 * XXX Zones alert -> me/notme decision needs to be tempered 2280 * by what zone we're in when we go to zone-aware IPsec. 2281 */ 2282 ire = ire_ctable_lookup(sin->sin_addr.s_addr, 0, 2283 IRE_LOCAL | IRE_BROADCAST, NULL, ALL_ZONES, NULL, 2284 MATCH_IRE_TYPE, ns->netstack_ip); 2285 if (ire != NULL) { 2286 /* Check for local or broadcast */ 2287 type = ire->ire_type; 2288 IRE_REFRELE(ire); 2289 ASSERT(type == IRE_LOCAL || type == IRE_BROADCAST); 2290 return ((type == IRE_LOCAL) ? KS_IN_ADDR_ME : 2291 KS_IN_ADDR_MBCAST); 2292 } 2293 } 2294 2295 return (KS_IN_ADDR_NOTME); 2296 } 2297 2298 /* 2299 * Address normalizations and reality checks for inbound PF_KEY messages. 2300 * 2301 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert 2302 * the source to AF_INET. Do the same for the inner sources. 2303 */ 2304 boolean_t 2305 sadb_addrfix(keysock_in_t *ksi, queue_t *pfkey_q, mblk_t *mp, netstack_t *ns) 2306 { 2307 struct sockaddr_in *src, *isrc; 2308 struct sockaddr_in6 *dst, *idst; 2309 sadb_address_t *srcext, *dstext; 2310 uint16_t sport; 2311 sadb_ext_t **extv = ksi->ks_in_extv; 2312 int rc; 2313 2314 if (extv[SADB_EXT_ADDRESS_SRC] != NULL) { 2315 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_SRC], 2316 ksi->ks_in_serial, ns); 2317 if (rc == KS_IN_ADDR_UNKNOWN) 2318 return (B_FALSE); 2319 if (rc == KS_IN_ADDR_MBCAST) { 2320 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2321 SADB_X_DIAGNOSTIC_BAD_SRC, ksi->ks_in_serial); 2322 return (B_FALSE); 2323 } 2324 ksi->ks_in_srctype = rc; 2325 } 2326 2327 if (extv[SADB_EXT_ADDRESS_DST] != NULL) { 2328 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_DST], 2329 ksi->ks_in_serial, ns); 2330 if (rc == KS_IN_ADDR_UNKNOWN) 2331 return (B_FALSE); 2332 if (rc == KS_IN_ADDR_UNSPEC) { 2333 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2334 SADB_X_DIAGNOSTIC_BAD_DST, ksi->ks_in_serial); 2335 return (B_FALSE); 2336 } 2337 ksi->ks_in_dsttype = rc; 2338 } 2339 2340 /* 2341 * NAT-Traversal addrs are simple enough to not require all of 2342 * the checks in sadb_addrcheck(). Just normalize or reject if not 2343 * AF_INET. 2344 */ 2345 if (extv[SADB_X_EXT_ADDRESS_NATT_LOC] != NULL) { 2346 rc = sadb_addrcheck(pfkey_q, mp, 2347 extv[SADB_X_EXT_ADDRESS_NATT_LOC], ksi->ks_in_serial, ns); 2348 2349 /* 2350 * Local NAT-T addresses never use an IRE_LOCAL, so it should 2351 * always be NOTME, or UNSPEC (to handle both tunnel mode 2352 * AND local-port flexibility). 2353 */ 2354 if (rc != KS_IN_ADDR_NOTME && rc != KS_IN_ADDR_UNSPEC) { 2355 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2356 SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC, 2357 ksi->ks_in_serial); 2358 return (B_FALSE); 2359 } 2360 src = (struct sockaddr_in *) 2361 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_LOC]) + 1); 2362 if (src->sin_family != AF_INET) { 2363 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2364 SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF, 2365 ksi->ks_in_serial); 2366 return (B_FALSE); 2367 } 2368 } 2369 2370 if (extv[SADB_X_EXT_ADDRESS_NATT_REM] != NULL) { 2371 rc = sadb_addrcheck(pfkey_q, mp, 2372 extv[SADB_X_EXT_ADDRESS_NATT_REM], ksi->ks_in_serial, ns); 2373 2374 /* 2375 * Remote NAT-T addresses never use an IRE_LOCAL, so it should 2376 * always be NOTME, or UNSPEC if it's a tunnel-mode SA. 2377 */ 2378 if (rc != KS_IN_ADDR_NOTME && 2379 !(extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL && 2380 rc == KS_IN_ADDR_UNSPEC)) { 2381 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2382 SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM, 2383 ksi->ks_in_serial); 2384 return (B_FALSE); 2385 } 2386 src = (struct sockaddr_in *) 2387 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_REM]) + 1); 2388 if (src->sin_family != AF_INET) { 2389 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2390 SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF, 2391 ksi->ks_in_serial); 2392 return (B_FALSE); 2393 } 2394 } 2395 2396 if (extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL) { 2397 if (extv[SADB_X_EXT_ADDRESS_INNER_DST] == NULL) { 2398 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2399 SADB_X_DIAGNOSTIC_MISSING_INNER_DST, 2400 ksi->ks_in_serial); 2401 return (B_FALSE); 2402 } 2403 2404 if (sadb_addrcheck(pfkey_q, mp, 2405 extv[SADB_X_EXT_ADDRESS_INNER_DST], ksi->ks_in_serial, ns) 2406 == KS_IN_ADDR_UNKNOWN || 2407 sadb_addrcheck(pfkey_q, mp, 2408 extv[SADB_X_EXT_ADDRESS_INNER_SRC], ksi->ks_in_serial, ns) 2409 == KS_IN_ADDR_UNKNOWN) 2410 return (B_FALSE); 2411 2412 isrc = (struct sockaddr_in *) 2413 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC]) + 2414 1); 2415 idst = (struct sockaddr_in6 *) 2416 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]) + 2417 1); 2418 if (isrc->sin_family != idst->sin6_family) { 2419 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2420 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH, 2421 ksi->ks_in_serial); 2422 return (B_FALSE); 2423 } 2424 } else if (extv[SADB_X_EXT_ADDRESS_INNER_DST] != NULL) { 2425 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2426 SADB_X_DIAGNOSTIC_MISSING_INNER_SRC, 2427 ksi->ks_in_serial); 2428 return (B_FALSE); 2429 } else { 2430 isrc = NULL; /* For inner/outer port check below. */ 2431 } 2432 2433 dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST]; 2434 srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC]; 2435 2436 if (dstext == NULL || srcext == NULL) 2437 return (B_TRUE); 2438 2439 dst = (struct sockaddr_in6 *)(dstext + 1); 2440 src = (struct sockaddr_in *)(srcext + 1); 2441 2442 if (isrc != NULL && 2443 (isrc->sin_port != 0 || idst->sin6_port != 0) && 2444 (src->sin_port != 0 || dst->sin6_port != 0)) { 2445 /* Can't set inner and outer ports in one SA. */ 2446 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2447 SADB_X_DIAGNOSTIC_DUAL_PORT_SETS, 2448 ksi->ks_in_serial); 2449 return (B_FALSE); 2450 } 2451 2452 if (dst->sin6_family == src->sin_family) 2453 return (B_TRUE); 2454 2455 if (srcext->sadb_address_proto != dstext->sadb_address_proto) { 2456 if (srcext->sadb_address_proto == 0) { 2457 srcext->sadb_address_proto = dstext->sadb_address_proto; 2458 } else if (dstext->sadb_address_proto == 0) { 2459 dstext->sadb_address_proto = srcext->sadb_address_proto; 2460 } else { 2461 /* Inequal protocols, neither were 0. Report error. */ 2462 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2463 SADB_X_DIAGNOSTIC_PROTO_MISMATCH, 2464 ksi->ks_in_serial); 2465 return (B_FALSE); 2466 } 2467 } 2468 2469 /* 2470 * With the exception of an unspec IPv6 source and an IPv4 2471 * destination, address families MUST me matched. 2472 */ 2473 if (src->sin_family == AF_INET || 2474 ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) { 2475 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2476 SADB_X_DIAGNOSTIC_AF_MISMATCH, ksi->ks_in_serial); 2477 return (B_FALSE); 2478 } 2479 2480 /* 2481 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being 2482 * in the same place for sockaddr_in and sockaddr_in6. 2483 */ 2484 sport = src->sin_port; 2485 bzero(src, sizeof (*src)); 2486 src->sin_family = AF_INET; 2487 src->sin_port = sport; 2488 2489 return (B_TRUE); 2490 } 2491 2492 /* 2493 * Set the results in "addrtype", given an IRE as requested by 2494 * sadb_addrcheck(). 2495 */ 2496 int 2497 sadb_addrset(ire_t *ire) 2498 { 2499 if ((ire->ire_type & IRE_BROADCAST) || 2500 (ire->ire_ipversion == IPV4_VERSION && CLASSD(ire->ire_addr)) || 2501 (ire->ire_ipversion == IPV6_VERSION && 2502 IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6)))) 2503 return (KS_IN_ADDR_MBCAST); 2504 if (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) 2505 return (KS_IN_ADDR_ME); 2506 return (KS_IN_ADDR_NOTME); 2507 } 2508 2509 /* 2510 * Match primitives.. 2511 * !!! TODO: short term: inner selectors 2512 * ipv6 scope id (ifindex) 2513 * longer term: zone id. sensitivity label. uid. 2514 */ 2515 boolean_t 2516 sadb_match_spi(ipsa_query_t *sq, ipsa_t *sa) 2517 { 2518 return (sq->spi == sa->ipsa_spi); 2519 } 2520 2521 boolean_t 2522 sadb_match_dst_v6(ipsa_query_t *sq, ipsa_t *sa) 2523 { 2524 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_dstaddr, sq->dstaddr, AF_INET6)); 2525 } 2526 2527 boolean_t 2528 sadb_match_src_v6(ipsa_query_t *sq, ipsa_t *sa) 2529 { 2530 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_srcaddr, sq->srcaddr, AF_INET6)); 2531 } 2532 2533 boolean_t 2534 sadb_match_dst_v4(ipsa_query_t *sq, ipsa_t *sa) 2535 { 2536 return (sq->dstaddr[0] == sa->ipsa_dstaddr[0]); 2537 } 2538 2539 boolean_t 2540 sadb_match_src_v4(ipsa_query_t *sq, ipsa_t *sa) 2541 { 2542 return (sq->srcaddr[0] == sa->ipsa_srcaddr[0]); 2543 } 2544 2545 boolean_t 2546 sadb_match_dstid(ipsa_query_t *sq, ipsa_t *sa) 2547 { 2548 return ((sa->ipsa_dst_cid != NULL) && 2549 (sq->didtype == sa->ipsa_dst_cid->ipsid_type) && 2550 (strcmp(sq->didstr, sa->ipsa_dst_cid->ipsid_cid) == 0)); 2551 2552 } 2553 boolean_t 2554 sadb_match_srcid(ipsa_query_t *sq, ipsa_t *sa) 2555 { 2556 return ((sa->ipsa_src_cid != NULL) && 2557 (sq->sidtype == sa->ipsa_src_cid->ipsid_type) && 2558 (strcmp(sq->sidstr, sa->ipsa_src_cid->ipsid_cid) == 0)); 2559 } 2560 2561 boolean_t 2562 sadb_match_kmc(ipsa_query_t *sq, ipsa_t *sa) 2563 { 2564 #define M(a, b) (((a) == 0) || ((b) == 0) || ((a) == (b))) 2565 2566 return (M(sq->kmc, sa->ipsa_kmc) && M(sq->kmp, sa->ipsa_kmp)); 2567 2568 #undef M 2569 } 2570 2571 /* 2572 * Common function which extracts several PF_KEY extensions for ease of 2573 * SADB matching. 2574 * 2575 * XXX TODO: weed out ipsa_query_t fields not used during matching 2576 * or afterwards? 2577 */ 2578 int 2579 sadb_form_query(keysock_in_t *ksi, uint32_t req, uint32_t match, 2580 ipsa_query_t *sq, int *diagnostic) 2581 { 2582 int i; 2583 ipsa_match_fn_t *mfpp = &(sq->matchers[0]); 2584 2585 for (i = 0; i < IPSA_NMATCH; i++) 2586 sq->matchers[i] = NULL; 2587 2588 ASSERT((req & ~match) == 0); 2589 2590 sq->req = req; 2591 sq->dstext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2592 sq->srcext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2593 sq->assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2594 2595 if ((req & IPSA_Q_DST) && (sq->dstext == NULL)) { 2596 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 2597 return (EINVAL); 2598 } 2599 if ((req & IPSA_Q_SRC) && (sq->srcext == NULL)) { 2600 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 2601 return (EINVAL); 2602 } 2603 if ((req & IPSA_Q_SA) && (sq->assoc == NULL)) { 2604 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 2605 return (EINVAL); 2606 } 2607 2608 if (match & IPSA_Q_SA) { 2609 *mfpp++ = sadb_match_spi; 2610 sq->spi = sq->assoc->sadb_sa_spi; 2611 } 2612 2613 if (sq->dstext != NULL) 2614 sq->dst = (struct sockaddr_in *)(sq->dstext + 1); 2615 else { 2616 sq->dst = NULL; 2617 sq->dst6 = NULL; 2618 sq->dstaddr = NULL; 2619 } 2620 2621 if (sq->srcext != NULL) 2622 sq->src = (struct sockaddr_in *)(sq->srcext + 1); 2623 else { 2624 sq->src = NULL; 2625 sq->src6 = NULL; 2626 sq->srcaddr = NULL; 2627 } 2628 2629 if (sq->dst != NULL) 2630 sq->af = sq->dst->sin_family; 2631 else if (sq->src != NULL) 2632 sq->af = sq->src->sin_family; 2633 else 2634 sq->af = AF_INET; 2635 2636 if (sq->af == AF_INET6) { 2637 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) { 2638 *mfpp++ = sadb_match_dst_v6; 2639 sq->dst6 = (struct sockaddr_in6 *)sq->dst; 2640 sq->dstaddr = (uint32_t *)&(sq->dst6->sin6_addr); 2641 } else { 2642 match &= ~IPSA_Q_DST; 2643 sq->dstaddr = ALL_ZEROES_PTR; 2644 } 2645 2646 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) { 2647 sq->src6 = (struct sockaddr_in6 *)(sq->srcext + 1); 2648 sq->srcaddr = (uint32_t *)&sq->src6->sin6_addr; 2649 if (sq->src6->sin6_family != AF_INET6) { 2650 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2651 return (EINVAL); 2652 } 2653 *mfpp++ = sadb_match_src_v6; 2654 } else { 2655 match &= ~IPSA_Q_SRC; 2656 sq->srcaddr = ALL_ZEROES_PTR; 2657 } 2658 } else { 2659 sq->src6 = sq->dst6 = NULL; 2660 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) { 2661 *mfpp++ = sadb_match_dst_v4; 2662 sq->dstaddr = (uint32_t *)&sq->dst->sin_addr; 2663 } else { 2664 match &= ~IPSA_Q_DST; 2665 sq->dstaddr = ALL_ZEROES_PTR; 2666 } 2667 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) { 2668 sq->srcaddr = (uint32_t *)&sq->src->sin_addr; 2669 if (sq->src->sin_family != AF_INET) { 2670 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2671 return (EINVAL); 2672 } 2673 *mfpp++ = sadb_match_src_v4; 2674 } else { 2675 match &= ~IPSA_Q_SRC; 2676 sq->srcaddr = ALL_ZEROES_PTR; 2677 } 2678 } 2679 2680 sq->dstid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 2681 if ((match & IPSA_Q_DSTID) && (sq->dstid != NULL)) { 2682 sq->didstr = (char *)(sq->dstid + 1); 2683 sq->didtype = sq->dstid->sadb_ident_type; 2684 *mfpp++ = sadb_match_dstid; 2685 } 2686 2687 sq->srcid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 2688 2689 if ((match & IPSA_Q_SRCID) && (sq->srcid != NULL)) { 2690 sq->sidstr = (char *)(sq->srcid + 1); 2691 sq->sidtype = sq->srcid->sadb_ident_type; 2692 *mfpp++ = sadb_match_srcid; 2693 } 2694 2695 sq->kmcext = (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 2696 sq->kmc = 0; 2697 sq->kmp = 0; 2698 2699 if ((match & IPSA_Q_KMC) && (sq->kmcext)) { 2700 sq->kmc = sq->kmcext->sadb_x_kmc_cookie; 2701 sq->kmp = sq->kmcext->sadb_x_kmc_proto; 2702 *mfpp++ = sadb_match_kmc; 2703 } 2704 2705 if (match & (IPSA_Q_INBOUND|IPSA_Q_OUTBOUND)) { 2706 if (sq->af == AF_INET6) 2707 sq->sp = &sq->spp->s_v6; 2708 else 2709 sq->sp = &sq->spp->s_v4; 2710 } else { 2711 sq->sp = NULL; 2712 } 2713 2714 if (match & IPSA_Q_INBOUND) { 2715 sq->inhash = INBOUND_HASH(sq->sp, sq->assoc->sadb_sa_spi); 2716 sq->inbound = &sq->sp->sdb_if[sq->inhash]; 2717 } else { 2718 sq->inhash = 0; 2719 sq->inbound = NULL; 2720 } 2721 2722 if (match & IPSA_Q_OUTBOUND) { 2723 if (sq->af == AF_INET6) { 2724 sq->outhash = OUTBOUND_HASH_V6(sq->sp, *(sq->dstaddr)); 2725 } else { 2726 sq->outhash = OUTBOUND_HASH_V4(sq->sp, *(sq->dstaddr)); 2727 } 2728 sq->outbound = &sq->sp->sdb_of[sq->outhash]; 2729 } else { 2730 sq->outhash = 0; 2731 sq->outbound = NULL; 2732 } 2733 sq->match = match; 2734 return (0); 2735 } 2736 2737 /* 2738 * Match an initialized query structure with a security association; 2739 * return B_TRUE on a match, B_FALSE on a miss. 2740 * Applies match functions set up by sadb_form_query() until one returns false. 2741 */ 2742 boolean_t 2743 sadb_match_query(ipsa_query_t *sq, ipsa_t *sa) 2744 { 2745 ipsa_match_fn_t *mfpp = &(sq->matchers[0]); 2746 ipsa_match_fn_t mfp; 2747 2748 for (mfp = *mfpp++; mfp != NULL; mfp = *mfpp++) { 2749 if (!mfp(sq, sa)) 2750 return (B_FALSE); 2751 } 2752 return (B_TRUE); 2753 } 2754 2755 /* 2756 * Walker callback function to delete sa's based on src/dst address. 2757 * Assumes that we're called with *head locked, no other locks held; 2758 * Conveniently, and not coincidentally, this is both what sadb_walker 2759 * gives us and also what sadb_unlinkassoc expects. 2760 */ 2761 struct sadb_purge_state 2762 { 2763 ipsa_query_t sq; 2764 boolean_t inbnd; 2765 uint8_t sadb_sa_state; 2766 mblk_t *mq; 2767 }; 2768 2769 static void 2770 sadb_purge_cb(isaf_t *head, ipsa_t *entry, void *cookie) 2771 { 2772 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2773 2774 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2775 2776 mutex_enter(&entry->ipsa_lock); 2777 2778 if (entry->ipsa_state == IPSA_STATE_LARVAL || 2779 !sadb_match_query(&ps->sq, entry)) { 2780 mutex_exit(&entry->ipsa_lock); 2781 return; 2782 } 2783 2784 if (ps->inbnd) { 2785 sadb_delete_cluster(entry); 2786 } 2787 entry->ipsa_state = IPSA_STATE_DEAD; 2788 (void) sadb_torch_assoc(head, entry, ps->inbnd, &ps->mq); 2789 } 2790 2791 /* 2792 * Common code to purge an SA with a matching src or dst address. 2793 * Don't kill larval SA's in such a purge. 2794 */ 2795 int 2796 sadb_purge_sa(mblk_t *mp, keysock_in_t *ksi, sadb_t *sp, 2797 int *diagnostic, queue_t *pfkey_q, queue_t *ip_q) 2798 { 2799 struct sadb_purge_state ps; 2800 int error = sadb_form_query(ksi, 0, 2801 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC, 2802 &ps.sq, diagnostic); 2803 2804 ps.mq = NULL; 2805 2806 if (error != 0) 2807 return (error); 2808 2809 /* 2810 * This is simple, crude, and effective. 2811 * Unimplemented optimizations (TBD): 2812 * - we can limit how many places we search based on where we 2813 * think the SA is filed. 2814 * - if we get a dst address, we can hash based on dst addr to find 2815 * the correct bucket in the outbound table. 2816 */ 2817 ps.inbnd = B_TRUE; 2818 sadb_walker(sp->sdb_if, sp->sdb_hashsize, sadb_purge_cb, &ps); 2819 ps.inbnd = B_FALSE; 2820 sadb_walker(sp->sdb_of, sp->sdb_hashsize, sadb_purge_cb, &ps); 2821 2822 if (ps.mq != NULL) 2823 sadb_drain_torchq(ip_q, ps.mq); 2824 2825 ASSERT(mp->b_cont != NULL); 2826 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi, 2827 NULL); 2828 return (0); 2829 } 2830 2831 static void 2832 sadb_delpair_state_one(isaf_t *head, ipsa_t *entry, void *cookie) 2833 { 2834 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2835 isaf_t *inbound_bucket; 2836 ipsa_t *peer_assoc; 2837 ipsa_query_t *sq = &ps->sq; 2838 2839 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2840 2841 mutex_enter(&entry->ipsa_lock); 2842 2843 if ((entry->ipsa_state != ps->sadb_sa_state) || 2844 ((sq->srcaddr != NULL) && 2845 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, sq->srcaddr, sq->af))) { 2846 mutex_exit(&entry->ipsa_lock); 2847 return; 2848 } 2849 2850 /* 2851 * The isaf_t *, which is passed in , is always an outbound bucket, 2852 * and we are preserving the outbound-then-inbound hash-bucket lock 2853 * ordering. The sadb_walker() which triggers this function is called 2854 * only on the outbound fanout, and the corresponding inbound bucket 2855 * lock is safe to acquire here. 2856 */ 2857 2858 if (entry->ipsa_haspeer) { 2859 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_spi); 2860 mutex_enter(&inbound_bucket->isaf_lock); 2861 peer_assoc = ipsec_getassocbyspi(inbound_bucket, 2862 entry->ipsa_spi, entry->ipsa_srcaddr, 2863 entry->ipsa_dstaddr, entry->ipsa_addrfam); 2864 } else { 2865 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_otherspi); 2866 mutex_enter(&inbound_bucket->isaf_lock); 2867 peer_assoc = ipsec_getassocbyspi(inbound_bucket, 2868 entry->ipsa_otherspi, entry->ipsa_dstaddr, 2869 entry->ipsa_srcaddr, entry->ipsa_addrfam); 2870 } 2871 2872 entry->ipsa_state = IPSA_STATE_DEAD; 2873 (void) sadb_torch_assoc(head, entry, B_FALSE, &ps->mq); 2874 if (peer_assoc != NULL) { 2875 mutex_enter(&peer_assoc->ipsa_lock); 2876 peer_assoc->ipsa_state = IPSA_STATE_DEAD; 2877 (void) sadb_torch_assoc(inbound_bucket, peer_assoc, 2878 B_FALSE, &ps->mq); 2879 } 2880 mutex_exit(&inbound_bucket->isaf_lock); 2881 } 2882 2883 static int 2884 sadb_delpair_state(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp, 2885 int *diagnostic, queue_t *pfkey_q) 2886 { 2887 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2888 struct sadb_purge_state ps; 2889 int error; 2890 2891 ps.sq.spp = spp; /* XXX param */ 2892 ps.mq = NULL; 2893 2894 error = sadb_form_query(ksi, IPSA_Q_DST|IPSA_Q_SRC, 2895 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC, 2896 &ps.sq, diagnostic); 2897 if (error != 0) 2898 return (error); 2899 2900 ps.inbnd = B_FALSE; 2901 ps.sadb_sa_state = assoc->sadb_sa_state; 2902 sadb_walker(ps.sq.sp->sdb_of, ps.sq.sp->sdb_hashsize, 2903 sadb_delpair_state_one, &ps); 2904 2905 if (ps.mq != NULL) 2906 sadb_drain_torchq(pfkey_q, ps.mq); 2907 2908 ASSERT(mp->b_cont != NULL); 2909 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 2910 ksi, NULL); 2911 return (0); 2912 } 2913 2914 /* 2915 * Common code to delete/get an SA. 2916 */ 2917 int 2918 sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp, 2919 int *diagnostic, queue_t *pfkey_q, uint8_t sadb_msg_type) 2920 { 2921 ipsa_query_t sq; 2922 ipsa_t *echo_target = NULL; 2923 ipsap_t ipsapp; 2924 mblk_t *torchq = NULL; 2925 uint_t error = 0; 2926 2927 if (sadb_msg_type == SADB_X_DELPAIR_STATE) 2928 return (sadb_delpair_state(mp, ksi, spp, diagnostic, pfkey_q)); 2929 2930 sq.spp = spp; /* XXX param */ 2931 error = sadb_form_query(ksi, IPSA_Q_DST|IPSA_Q_SA, 2932 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, 2933 &sq, diagnostic); 2934 if (error != 0) 2935 return (error); 2936 2937 error = get_ipsa_pair(&sq, &ipsapp, diagnostic); 2938 if (error != 0) { 2939 return (error); 2940 } 2941 2942 echo_target = ipsapp.ipsap_sa_ptr; 2943 if (echo_target == NULL) 2944 echo_target = ipsapp.ipsap_psa_ptr; 2945 2946 if (sadb_msg_type == SADB_DELETE || sadb_msg_type == SADB_X_DELPAIR) { 2947 /* 2948 * Bucket locks will be required if SA is actually unlinked. 2949 * get_ipsa_pair() returns valid hash bucket pointers even 2950 * if it can't find a pair SA pointer. To prevent a potential 2951 * deadlock, always lock the outbound bucket before the inbound. 2952 */ 2953 if (ipsapp.in_inbound_table) { 2954 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock); 2955 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock); 2956 } else { 2957 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock); 2958 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock); 2959 } 2960 2961 if (ipsapp.ipsap_sa_ptr != NULL) { 2962 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock); 2963 if (ipsapp.ipsap_sa_ptr->ipsa_flags & IPSA_F_INBOUND) { 2964 sadb_delete_cluster(ipsapp.ipsap_sa_ptr); 2965 } 2966 ipsapp.ipsap_sa_ptr->ipsa_state = IPSA_STATE_DEAD; 2967 (void) sadb_torch_assoc(ipsapp.ipsap_bucket, 2968 ipsapp.ipsap_sa_ptr, B_FALSE, &torchq); 2969 /* 2970 * sadb_torch_assoc() releases the ipsa_lock 2971 * and calls sadb_unlinkassoc() which does a 2972 * IPSA_REFRELE. 2973 */ 2974 } 2975 if (ipsapp.ipsap_psa_ptr != NULL) { 2976 mutex_enter(&ipsapp.ipsap_psa_ptr->ipsa_lock); 2977 if (sadb_msg_type == SADB_X_DELPAIR || 2978 ipsapp.ipsap_psa_ptr->ipsa_haspeer) { 2979 if (ipsapp.ipsap_psa_ptr->ipsa_flags & 2980 IPSA_F_INBOUND) { 2981 sadb_delete_cluster 2982 (ipsapp.ipsap_psa_ptr); 2983 } 2984 ipsapp.ipsap_psa_ptr->ipsa_state = 2985 IPSA_STATE_DEAD; 2986 (void) sadb_torch_assoc(ipsapp.ipsap_pbucket, 2987 ipsapp.ipsap_psa_ptr, B_FALSE, &torchq); 2988 } else { 2989 /* 2990 * Only half of the "pair" has been deleted. 2991 * Update the remaining SA and remove references 2992 * to its pair SA, which is now gone. 2993 */ 2994 ipsapp.ipsap_psa_ptr->ipsa_otherspi = 0; 2995 ipsapp.ipsap_psa_ptr->ipsa_flags &= 2996 ~IPSA_F_PAIRED; 2997 mutex_exit(&ipsapp.ipsap_psa_ptr->ipsa_lock); 2998 } 2999 } else if (sadb_msg_type == SADB_X_DELPAIR) { 3000 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 3001 error = ESRCH; 3002 } 3003 mutex_exit(&ipsapp.ipsap_bucket->isaf_lock); 3004 mutex_exit(&ipsapp.ipsap_pbucket->isaf_lock); 3005 } 3006 3007 if (torchq != NULL) 3008 sadb_drain_torchq(spp->s_ip_q, torchq); 3009 3010 ASSERT(mp->b_cont != NULL); 3011 3012 if (error == 0) 3013 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *) 3014 mp->b_cont->b_rptr, ksi, echo_target); 3015 3016 destroy_ipsa_pair(&ipsapp); 3017 3018 return (error); 3019 } 3020 3021 /* 3022 * This function takes a sadb_sa_t and finds the ipsa_t structure 3023 * and the isaf_t (hash bucket) that its stored under. If the security 3024 * association has a peer, the ipsa_t structure and bucket for that security 3025 * association are also searched for. The "pair" of ipsa_t's and isaf_t's 3026 * are returned as a ipsap_t. 3027 * 3028 * The hash buckets are returned for convenience, if the calling function 3029 * needs to use the hash bucket locks, say to remove the SA's, it should 3030 * take care to observe the convention of locking outbound bucket then 3031 * inbound bucket. The flag in_inbound_table provides direction. 3032 * 3033 * Note that a "pair" is defined as one (but not both) of the following: 3034 * 3035 * A security association which has a soft reference to another security 3036 * association via its SPI. 3037 * 3038 * A security association that is not obviously "inbound" or "outbound" so 3039 * it appears in both hash tables, the "peer" being the same security 3040 * association in the other hash table. 3041 * 3042 * This function will return NULL if the ipsa_t can't be found in the 3043 * inbound or outbound hash tables (not found). If only one ipsa_t is 3044 * found, the pair ipsa_t will be NULL. Both isaf_t values are valid 3045 * provided at least one ipsa_t is found. 3046 */ 3047 static int 3048 get_ipsa_pair(ipsa_query_t *sq, ipsap_t *ipsapp, int *diagnostic) 3049 { 3050 uint32_t pair_srcaddr[IPSA_MAX_ADDRLEN]; 3051 uint32_t pair_dstaddr[IPSA_MAX_ADDRLEN]; 3052 uint32_t pair_spi; 3053 3054 init_ipsa_pair(ipsapp); 3055 3056 ipsapp->in_inbound_table = B_FALSE; 3057 3058 /* Lock down both buckets. */ 3059 mutex_enter(&sq->outbound->isaf_lock); 3060 mutex_enter(&sq->inbound->isaf_lock); 3061 3062 if (sq->assoc->sadb_sa_flags & IPSA_F_INBOUND) { 3063 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound, 3064 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af); 3065 if (ipsapp->ipsap_sa_ptr != NULL) { 3066 ipsapp->ipsap_bucket = sq->inbound; 3067 ipsapp->ipsap_pbucket = sq->outbound; 3068 ipsapp->in_inbound_table = B_TRUE; 3069 } else { 3070 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->outbound, 3071 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, 3072 sq->af); 3073 ipsapp->ipsap_bucket = sq->outbound; 3074 ipsapp->ipsap_pbucket = sq->inbound; 3075 } 3076 } else { 3077 /* IPSA_F_OUTBOUND is set *or* no directions flags set. */ 3078 ipsapp->ipsap_sa_ptr = 3079 ipsec_getassocbyspi(sq->outbound, 3080 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af); 3081 if (ipsapp->ipsap_sa_ptr != NULL) { 3082 ipsapp->ipsap_bucket = sq->outbound; 3083 ipsapp->ipsap_pbucket = sq->inbound; 3084 } else { 3085 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound, 3086 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, 3087 sq->af); 3088 ipsapp->ipsap_bucket = sq->inbound; 3089 ipsapp->ipsap_pbucket = sq->outbound; 3090 if (ipsapp->ipsap_sa_ptr != NULL) 3091 ipsapp->in_inbound_table = B_TRUE; 3092 } 3093 } 3094 3095 if (ipsapp->ipsap_sa_ptr == NULL) { 3096 mutex_exit(&sq->outbound->isaf_lock); 3097 mutex_exit(&sq->inbound->isaf_lock); 3098 *diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND; 3099 return (ESRCH); 3100 } 3101 3102 if ((ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) && 3103 ipsapp->in_inbound_table) { 3104 mutex_exit(&sq->outbound->isaf_lock); 3105 mutex_exit(&sq->inbound->isaf_lock); 3106 return (0); 3107 } 3108 3109 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 3110 if (ipsapp->ipsap_sa_ptr->ipsa_haspeer) { 3111 /* 3112 * haspeer implies no sa_pairing, look for same spi 3113 * in other hashtable. 3114 */ 3115 ipsapp->ipsap_psa_ptr = 3116 ipsec_getassocbyspi(ipsapp->ipsap_pbucket, 3117 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af); 3118 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 3119 mutex_exit(&sq->outbound->isaf_lock); 3120 mutex_exit(&sq->inbound->isaf_lock); 3121 return (0); 3122 } 3123 pair_spi = ipsapp->ipsap_sa_ptr->ipsa_otherspi; 3124 IPSA_COPY_ADDR(&pair_srcaddr, 3125 ipsapp->ipsap_sa_ptr->ipsa_srcaddr, sq->af); 3126 IPSA_COPY_ADDR(&pair_dstaddr, 3127 ipsapp->ipsap_sa_ptr->ipsa_dstaddr, sq->af); 3128 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 3129 mutex_exit(&sq->inbound->isaf_lock); 3130 mutex_exit(&sq->outbound->isaf_lock); 3131 3132 if (pair_spi == 0) { 3133 ASSERT(ipsapp->ipsap_bucket != NULL); 3134 ASSERT(ipsapp->ipsap_pbucket != NULL); 3135 return (0); 3136 } 3137 3138 /* found sa in outbound sadb, peer should be inbound */ 3139 3140 if (ipsapp->in_inbound_table) { 3141 /* Found SA in inbound table, pair will be in outbound. */ 3142 if (sq->af == AF_INET6) { 3143 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V6(sq->sp, 3144 *(uint32_t *)pair_srcaddr); 3145 } else { 3146 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V4(sq->sp, 3147 *(uint32_t *)pair_srcaddr); 3148 } 3149 } else { 3150 ipsapp->ipsap_pbucket = INBOUND_BUCKET(sq->sp, pair_spi); 3151 } 3152 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock); 3153 ipsapp->ipsap_psa_ptr = ipsec_getassocbyspi(ipsapp->ipsap_pbucket, 3154 pair_spi, pair_dstaddr, pair_srcaddr, sq->af); 3155 mutex_exit(&ipsapp->ipsap_pbucket->isaf_lock); 3156 ASSERT(ipsapp->ipsap_bucket != NULL); 3157 ASSERT(ipsapp->ipsap_pbucket != NULL); 3158 return (0); 3159 } 3160 3161 /* 3162 * Perform NAT-traversal cached checksum offset calculations here. 3163 */ 3164 static void 3165 sadb_nat_calculations(ipsa_t *newbie, sadb_address_t *natt_loc_ext, 3166 sadb_address_t *natt_rem_ext, uint32_t *src_addr_ptr, 3167 uint32_t *dst_addr_ptr) 3168 { 3169 struct sockaddr_in *natt_loc, *natt_rem; 3170 uint32_t *natt_loc_ptr = NULL, *natt_rem_ptr = NULL; 3171 uint32_t running_sum = 0; 3172 3173 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16) 3174 3175 if (natt_rem_ext != NULL) { 3176 uint32_t l_src; 3177 uint32_t l_rem; 3178 3179 natt_rem = (struct sockaddr_in *)(natt_rem_ext + 1); 3180 3181 /* Ensured by sadb_addrfix(). */ 3182 ASSERT(natt_rem->sin_family == AF_INET); 3183 3184 natt_rem_ptr = (uint32_t *)(&natt_rem->sin_addr); 3185 newbie->ipsa_remote_nat_port = natt_rem->sin_port; 3186 l_src = *src_addr_ptr; 3187 l_rem = *natt_rem_ptr; 3188 3189 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */ 3190 newbie->ipsa_natt_addr_rem = *natt_rem_ptr; 3191 3192 l_src = ntohl(l_src); 3193 DOWN_SUM(l_src); 3194 DOWN_SUM(l_src); 3195 l_rem = ntohl(l_rem); 3196 DOWN_SUM(l_rem); 3197 DOWN_SUM(l_rem); 3198 3199 /* 3200 * We're 1's complement for checksums, so check for wraparound 3201 * here. 3202 */ 3203 if (l_rem > l_src) 3204 l_src--; 3205 3206 running_sum += l_src - l_rem; 3207 3208 DOWN_SUM(running_sum); 3209 DOWN_SUM(running_sum); 3210 } 3211 3212 if (natt_loc_ext != NULL) { 3213 natt_loc = (struct sockaddr_in *)(natt_loc_ext + 1); 3214 3215 /* Ensured by sadb_addrfix(). */ 3216 ASSERT(natt_loc->sin_family == AF_INET); 3217 3218 natt_loc_ptr = (uint32_t *)(&natt_loc->sin_addr); 3219 newbie->ipsa_local_nat_port = natt_loc->sin_port; 3220 3221 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */ 3222 newbie->ipsa_natt_addr_loc = *natt_loc_ptr; 3223 3224 /* 3225 * NAT-T port agility means we may have natt_loc_ext, but 3226 * only for a local-port change. 3227 */ 3228 if (natt_loc->sin_addr.s_addr != INADDR_ANY) { 3229 uint32_t l_dst = ntohl(*dst_addr_ptr); 3230 uint32_t l_loc = ntohl(*natt_loc_ptr); 3231 3232 DOWN_SUM(l_loc); 3233 DOWN_SUM(l_loc); 3234 DOWN_SUM(l_dst); 3235 DOWN_SUM(l_dst); 3236 3237 /* 3238 * We're 1's complement for checksums, so check for 3239 * wraparound here. 3240 */ 3241 if (l_loc > l_dst) 3242 l_dst--; 3243 3244 running_sum += l_dst - l_loc; 3245 DOWN_SUM(running_sum); 3246 DOWN_SUM(running_sum); 3247 } 3248 } 3249 3250 newbie->ipsa_inbound_cksum = running_sum; 3251 #undef DOWN_SUM 3252 } 3253 3254 /* 3255 * This function is called from consumers that need to insert a fully-grown 3256 * security association into its tables. This function takes into account that 3257 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary" 3258 * hash bucket parameters are set in order of what the SA will be most of the 3259 * time. (For example, an SA with an unspecified source, and a multicast 3260 * destination will primarily be an outbound SA. OTOH, if that destination 3261 * is unicast for this node, then the SA will primarily be inbound.) 3262 * 3263 * It takes a lot of parameters because even if clone is B_FALSE, this needs 3264 * to check both buckets for purposes of collision. 3265 * 3266 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for 3267 * various error conditions. We may need to set samsg->sadb_x_msg_diagnostic 3268 * with additional diagnostic information because there is at least one EINVAL 3269 * case here. 3270 */ 3271 int 3272 sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 3273 keysock_in_t *ksi, isaf_t *primary, isaf_t *secondary, 3274 ipsa_t *newbie, boolean_t clone, boolean_t is_inbound, int *diagnostic, 3275 netstack_t *ns, sadbp_t *spp) 3276 { 3277 ipsa_t *newbie_clone = NULL, *scratch; 3278 ipsap_t ipsapp; 3279 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 3280 sadb_address_t *srcext = 3281 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 3282 sadb_address_t *dstext = 3283 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 3284 sadb_address_t *isrcext = 3285 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC]; 3286 sadb_address_t *idstext = 3287 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_DST]; 3288 sadb_x_kmc_t *kmcext = 3289 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 3290 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 3291 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 3292 sadb_sens_t *sens = 3293 (sadb_sens_t *)ksi->ks_in_extv[SADB_EXT_SENSITIVITY]; 3294 sadb_sens_t *osens = 3295 (sadb_sens_t *)ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS]; 3296 sadb_x_pair_t *pair_ext = 3297 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 3298 sadb_x_replay_ctr_t *replayext = 3299 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE]; 3300 uint8_t protocol = 3301 (samsg->sadb_msg_satype == SADB_SATYPE_AH) ? IPPROTO_AH:IPPROTO_ESP; 3302 int salt_offset; 3303 uint8_t *buf_ptr; 3304 struct sockaddr_in *src, *dst, *isrc, *idst; 3305 struct sockaddr_in6 *src6, *dst6, *isrc6, *idst6; 3306 sadb_lifetime_t *soft = 3307 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 3308 sadb_lifetime_t *hard = 3309 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 3310 sadb_lifetime_t *idle = 3311 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE]; 3312 sa_family_t af; 3313 int error = 0; 3314 boolean_t isupdate = (newbie != NULL); 3315 uint32_t *src_addr_ptr, *dst_addr_ptr, *isrc_addr_ptr, *idst_addr_ptr; 3316 mblk_t *ctl_mp = NULL; 3317 ipsec_stack_t *ipss = ns->netstack_ipsec; 3318 ip_stack_t *ipst = ns->netstack_ip; 3319 ipsec_alginfo_t *alg; 3320 int rcode; 3321 3322 init_ipsa_pair(&ipsapp); 3323 3324 if (srcext == NULL) { 3325 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 3326 return (EINVAL); 3327 } 3328 if (dstext == NULL) { 3329 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 3330 return (EINVAL); 3331 } 3332 if (assoc == NULL) { 3333 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 3334 return (EINVAL); 3335 } 3336 3337 src = (struct sockaddr_in *)(srcext + 1); 3338 src6 = (struct sockaddr_in6 *)(srcext + 1); 3339 dst = (struct sockaddr_in *)(dstext + 1); 3340 dst6 = (struct sockaddr_in6 *)(dstext + 1); 3341 if (isrcext != NULL) { 3342 isrc = (struct sockaddr_in *)(isrcext + 1); 3343 isrc6 = (struct sockaddr_in6 *)(isrcext + 1); 3344 ASSERT(idstext != NULL); 3345 idst = (struct sockaddr_in *)(idstext + 1); 3346 idst6 = (struct sockaddr_in6 *)(idstext + 1); 3347 } else { 3348 isrc = NULL; 3349 isrc6 = NULL; 3350 } 3351 3352 af = src->sin_family; 3353 3354 if (af == AF_INET) { 3355 src_addr_ptr = (uint32_t *)&src->sin_addr; 3356 dst_addr_ptr = (uint32_t *)&dst->sin_addr; 3357 } else { 3358 ASSERT(af == AF_INET6); 3359 src_addr_ptr = (uint32_t *)&src6->sin6_addr; 3360 dst_addr_ptr = (uint32_t *)&dst6->sin6_addr; 3361 } 3362 3363 if (!isupdate && (clone == B_TRUE || is_inbound == B_TRUE) && 3364 cl_inet_checkspi && 3365 (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) { 3366 rcode = cl_inet_checkspi(ns->netstack_stackid, protocol, 3367 assoc->sadb_sa_spi, NULL); 3368 if (rcode == -1) { 3369 return (EEXIST); 3370 } 3371 } 3372 3373 /* 3374 * Check to see if the new SA will be cloned AND paired. The 3375 * reason a SA will be cloned is the source or destination addresses 3376 * are not specific enough to determine if the SA goes in the outbound 3377 * or the inbound hash table, so its cloned and put in both. If 3378 * the SA is paired, it's soft linked to another SA for the other 3379 * direction. Keeping track and looking up SA's that are direction 3380 * unspecific and linked is too hard. 3381 */ 3382 if (clone && (pair_ext != NULL)) { 3383 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 3384 return (EINVAL); 3385 } 3386 3387 if (!isupdate) { 3388 newbie = sadb_makelarvalassoc(assoc->sadb_sa_spi, 3389 src_addr_ptr, dst_addr_ptr, af, ns); 3390 if (newbie == NULL) 3391 return (ENOMEM); 3392 } 3393 3394 mutex_enter(&newbie->ipsa_lock); 3395 3396 if (isrc != NULL) { 3397 if (isrc->sin_family == AF_INET) { 3398 if (srcext->sadb_address_proto != IPPROTO_ENCAP) { 3399 if (srcext->sadb_address_proto != 0) { 3400 /* 3401 * Mismatched outer-packet protocol 3402 * and inner-packet address family. 3403 */ 3404 mutex_exit(&newbie->ipsa_lock); 3405 error = EPROTOTYPE; 3406 *diagnostic = 3407 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 3408 goto error; 3409 } else { 3410 /* Fill in with explicit protocol. */ 3411 srcext->sadb_address_proto = 3412 IPPROTO_ENCAP; 3413 dstext->sadb_address_proto = 3414 IPPROTO_ENCAP; 3415 } 3416 } 3417 isrc_addr_ptr = (uint32_t *)&isrc->sin_addr; 3418 idst_addr_ptr = (uint32_t *)&idst->sin_addr; 3419 } else { 3420 ASSERT(isrc->sin_family == AF_INET6); 3421 if (srcext->sadb_address_proto != IPPROTO_IPV6) { 3422 if (srcext->sadb_address_proto != 0) { 3423 /* 3424 * Mismatched outer-packet protocol 3425 * and inner-packet address family. 3426 */ 3427 mutex_exit(&newbie->ipsa_lock); 3428 error = EPROTOTYPE; 3429 *diagnostic = 3430 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 3431 goto error; 3432 } else { 3433 /* Fill in with explicit protocol. */ 3434 srcext->sadb_address_proto = 3435 IPPROTO_IPV6; 3436 dstext->sadb_address_proto = 3437 IPPROTO_IPV6; 3438 } 3439 } 3440 isrc_addr_ptr = (uint32_t *)&isrc6->sin6_addr; 3441 idst_addr_ptr = (uint32_t *)&idst6->sin6_addr; 3442 } 3443 newbie->ipsa_innerfam = isrc->sin_family; 3444 3445 IPSA_COPY_ADDR(newbie->ipsa_innersrc, isrc_addr_ptr, 3446 newbie->ipsa_innerfam); 3447 IPSA_COPY_ADDR(newbie->ipsa_innerdst, idst_addr_ptr, 3448 newbie->ipsa_innerfam); 3449 newbie->ipsa_innersrcpfx = isrcext->sadb_address_prefixlen; 3450 newbie->ipsa_innerdstpfx = idstext->sadb_address_prefixlen; 3451 3452 /* Unique value uses inner-ports for Tunnel Mode... */ 3453 newbie->ipsa_unique_id = SA_UNIQUE_ID(isrc->sin_port, 3454 idst->sin_port, dstext->sadb_address_proto, 3455 idstext->sadb_address_proto); 3456 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(isrc->sin_port, 3457 idst->sin_port, dstext->sadb_address_proto, 3458 idstext->sadb_address_proto); 3459 } else { 3460 /* ... and outer-ports for Transport Mode. */ 3461 newbie->ipsa_unique_id = SA_UNIQUE_ID(src->sin_port, 3462 dst->sin_port, dstext->sadb_address_proto, 0); 3463 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(src->sin_port, 3464 dst->sin_port, dstext->sadb_address_proto, 0); 3465 } 3466 if (newbie->ipsa_unique_mask != (uint64_t)0) 3467 newbie->ipsa_flags |= IPSA_F_UNIQUE; 3468 3469 sadb_nat_calculations(newbie, 3470 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC], 3471 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM], 3472 src_addr_ptr, dst_addr_ptr); 3473 3474 newbie->ipsa_type = samsg->sadb_msg_satype; 3475 3476 ASSERT((assoc->sadb_sa_state == SADB_SASTATE_MATURE) || 3477 (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE)); 3478 newbie->ipsa_auth_alg = assoc->sadb_sa_auth; 3479 newbie->ipsa_encr_alg = assoc->sadb_sa_encrypt; 3480 3481 newbie->ipsa_flags |= assoc->sadb_sa_flags; 3482 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_LOC && 3483 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC] == NULL) { 3484 mutex_exit(&newbie->ipsa_lock); 3485 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_LOC; 3486 error = EINVAL; 3487 goto error; 3488 } 3489 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_REM && 3490 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM] == NULL) { 3491 mutex_exit(&newbie->ipsa_lock); 3492 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_REM; 3493 error = EINVAL; 3494 goto error; 3495 } 3496 if (newbie->ipsa_flags & SADB_X_SAFLAGS_TUNNEL && 3497 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC] == NULL) { 3498 mutex_exit(&newbie->ipsa_lock); 3499 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC; 3500 error = EINVAL; 3501 goto error; 3502 } 3503 /* 3504 * If unspecified source address, force replay_wsize to 0. 3505 * This is because an SA that has multiple sources of secure 3506 * traffic cannot enforce a replay counter w/o synchronizing the 3507 * senders. 3508 */ 3509 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) 3510 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay; 3511 else 3512 newbie->ipsa_replay_wsize = 0; 3513 3514 newbie->ipsa_addtime = gethrestime_sec(); 3515 3516 if (kmcext != NULL) { 3517 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto; 3518 newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie; 3519 } 3520 3521 /* 3522 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE. 3523 * The spec says that one can update current lifetimes, but 3524 * that seems impractical, especially in the larval-to-mature 3525 * update that this function performs. 3526 */ 3527 if (soft != NULL) { 3528 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime; 3529 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime; 3530 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes; 3531 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations; 3532 SET_EXPIRE(newbie, softaddlt, softexpiretime); 3533 } 3534 if (hard != NULL) { 3535 newbie->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 3536 newbie->ipsa_harduselt = hard->sadb_lifetime_usetime; 3537 newbie->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 3538 newbie->ipsa_hardalloc = hard->sadb_lifetime_allocations; 3539 SET_EXPIRE(newbie, hardaddlt, hardexpiretime); 3540 } 3541 if (idle != NULL) { 3542 newbie->ipsa_idleaddlt = idle->sadb_lifetime_addtime; 3543 newbie->ipsa_idleuselt = idle->sadb_lifetime_usetime; 3544 newbie->ipsa_idleexpiretime = newbie->ipsa_addtime + 3545 newbie->ipsa_idleaddlt; 3546 newbie->ipsa_idletime = newbie->ipsa_idleaddlt; 3547 } 3548 3549 newbie->ipsa_authtmpl = NULL; 3550 newbie->ipsa_encrtmpl = NULL; 3551 3552 if (akey != NULL) { 3553 newbie->ipsa_authkeybits = akey->sadb_key_bits; 3554 newbie->ipsa_authkeylen = SADB_1TO8(akey->sadb_key_bits); 3555 /* In case we have to round up to the next byte... */ 3556 if ((akey->sadb_key_bits & 0x7) != 0) 3557 newbie->ipsa_authkeylen++; 3558 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 3559 KM_NOSLEEP); 3560 if (newbie->ipsa_authkey == NULL) { 3561 error = ENOMEM; 3562 mutex_exit(&newbie->ipsa_lock); 3563 goto error; 3564 } 3565 bcopy(akey + 1, newbie->ipsa_authkey, newbie->ipsa_authkeylen); 3566 bzero(akey + 1, newbie->ipsa_authkeylen); 3567 3568 /* 3569 * Pre-initialize the kernel crypto framework key 3570 * structure. 3571 */ 3572 newbie->ipsa_kcfauthkey.ck_format = CRYPTO_KEY_RAW; 3573 newbie->ipsa_kcfauthkey.ck_length = newbie->ipsa_authkeybits; 3574 newbie->ipsa_kcfauthkey.ck_data = newbie->ipsa_authkey; 3575 3576 mutex_enter(&ipss->ipsec_alg_lock); 3577 alg = ipss->ipsec_alglists[IPSEC_ALG_AUTH] 3578 [newbie->ipsa_auth_alg]; 3579 if (alg != NULL && ALG_VALID(alg)) { 3580 newbie->ipsa_amech.cm_type = alg->alg_mech_type; 3581 newbie->ipsa_amech.cm_param = 3582 (char *)&newbie->ipsa_mac_len; 3583 newbie->ipsa_amech.cm_param_len = sizeof (size_t); 3584 newbie->ipsa_mac_len = (size_t)alg->alg_datalen; 3585 } else { 3586 newbie->ipsa_amech.cm_type = CRYPTO_MECHANISM_INVALID; 3587 } 3588 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_AUTH); 3589 mutex_exit(&ipss->ipsec_alg_lock); 3590 if (error != 0) { 3591 mutex_exit(&newbie->ipsa_lock); 3592 /* 3593 * An error here indicates that alg is the wrong type 3594 * (IE: not authentication) or its not in the alg tables 3595 * created by ipsecalgs(1m), or Kcf does not like the 3596 * parameters passed in with this algorithm, which is 3597 * probably a coding error! 3598 */ 3599 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX; 3600 3601 goto error; 3602 } 3603 } 3604 3605 if (ekey != NULL) { 3606 mutex_enter(&ipss->ipsec_alg_lock); 3607 alg = ipss->ipsec_alglists[IPSEC_ALG_ENCR] 3608 [newbie->ipsa_encr_alg]; 3609 3610 if (alg != NULL && ALG_VALID(alg)) { 3611 newbie->ipsa_emech.cm_type = alg->alg_mech_type; 3612 newbie->ipsa_datalen = alg->alg_datalen; 3613 if (alg->alg_flags & ALG_FLAG_COUNTERMODE) 3614 newbie->ipsa_flags |= IPSA_F_COUNTERMODE; 3615 3616 if (alg->alg_flags & ALG_FLAG_COMBINED) { 3617 newbie->ipsa_flags |= IPSA_F_COMBINED; 3618 newbie->ipsa_mac_len = alg->alg_icvlen; 3619 } 3620 3621 if (alg->alg_flags & ALG_FLAG_CCM) 3622 newbie->ipsa_noncefunc = ccm_params_init; 3623 else if (alg->alg_flags & ALG_FLAG_GCM) 3624 newbie->ipsa_noncefunc = gcm_params_init; 3625 else newbie->ipsa_noncefunc = cbc_params_init; 3626 3627 newbie->ipsa_saltlen = alg->alg_saltlen; 3628 newbie->ipsa_saltbits = SADB_8TO1(newbie->ipsa_saltlen); 3629 newbie->ipsa_iv_len = alg->alg_ivlen; 3630 newbie->ipsa_nonce_len = newbie->ipsa_saltlen + 3631 newbie->ipsa_iv_len; 3632 newbie->ipsa_emech.cm_param = NULL; 3633 newbie->ipsa_emech.cm_param_len = 0; 3634 } else { 3635 newbie->ipsa_emech.cm_type = CRYPTO_MECHANISM_INVALID; 3636 } 3637 mutex_exit(&ipss->ipsec_alg_lock); 3638 3639 /* 3640 * The byte stream following the sadb_key_t is made up of: 3641 * key bytes, [salt bytes], [IV initial value] 3642 * All of these have variable length. The IV is typically 3643 * randomly generated by this function and not passed in. 3644 * By supporting the injection of a known IV, the whole 3645 * IPsec subsystem and the underlying crypto subsystem 3646 * can be tested with known test vectors. 3647 * 3648 * The keying material has been checked by ext_check() 3649 * and ipsec_valid_key_size(), after removing salt/IV 3650 * bits, whats left is the encryption key. If this is too 3651 * short, ipsec_create_ctx_tmpl() will fail and the SA 3652 * won't get created. 3653 * 3654 * set ipsa_encrkeylen to length of key only. 3655 */ 3656 newbie->ipsa_encrkeybits = ekey->sadb_key_bits; 3657 newbie->ipsa_encrkeybits -= ekey->sadb_key_reserved; 3658 newbie->ipsa_encrkeybits -= newbie->ipsa_saltbits; 3659 newbie->ipsa_encrkeylen = SADB_1TO8(newbie->ipsa_encrkeybits); 3660 3661 /* In case we have to round up to the next byte... */ 3662 if ((ekey->sadb_key_bits & 0x7) != 0) 3663 newbie->ipsa_encrkeylen++; 3664 3665 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 3666 KM_NOSLEEP); 3667 if (newbie->ipsa_encrkey == NULL) { 3668 error = ENOMEM; 3669 mutex_exit(&newbie->ipsa_lock); 3670 goto error; 3671 } 3672 3673 buf_ptr = (uint8_t *)(ekey + 1); 3674 bcopy(buf_ptr, newbie->ipsa_encrkey, newbie->ipsa_encrkeylen); 3675 3676 if (newbie->ipsa_flags & IPSA_F_COMBINED) { 3677 /* 3678 * Combined mode algs need a nonce. Copy the salt and 3679 * IV into a buffer. The ipsa_nonce is a pointer into 3680 * this buffer, some bytes at the start of the buffer 3681 * may be unused, depends on the salt length. The IV 3682 * is 64 bit aligned so it can be incremented as a 3683 * uint64_t. Zero out key in samsg_t before freeing. 3684 */ 3685 3686 newbie->ipsa_nonce_buf = kmem_alloc( 3687 sizeof (ipsec_nonce_t), KM_NOSLEEP); 3688 if (newbie->ipsa_nonce_buf == NULL) { 3689 error = ENOMEM; 3690 mutex_exit(&newbie->ipsa_lock); 3691 goto error; 3692 } 3693 /* 3694 * Initialize nonce and salt pointers to point 3695 * to the nonce buffer. This is just in case we get 3696 * bad data, the pointers will be valid, the data 3697 * won't be. 3698 * 3699 * See sadb.h for layout of nonce. 3700 */ 3701 newbie->ipsa_iv = &newbie->ipsa_nonce_buf->iv; 3702 newbie->ipsa_salt = (uint8_t *)newbie->ipsa_nonce_buf; 3703 newbie->ipsa_nonce = newbie->ipsa_salt; 3704 if (newbie->ipsa_saltlen != 0) { 3705 salt_offset = MAXSALTSIZE - 3706 newbie->ipsa_saltlen; 3707 newbie->ipsa_salt = (uint8_t *) 3708 &newbie->ipsa_nonce_buf->salt[salt_offset]; 3709 newbie->ipsa_nonce = newbie->ipsa_salt; 3710 buf_ptr += newbie->ipsa_encrkeylen; 3711 bcopy(buf_ptr, newbie->ipsa_salt, 3712 newbie->ipsa_saltlen); 3713 } 3714 /* 3715 * The IV for CCM/GCM mode increments, it should not 3716 * repeat. Get a random value for the IV, make a 3717 * copy, the SA will expire when/if the IV ever 3718 * wraps back to the initial value. If an Initial IV 3719 * is passed in via PF_KEY, save this in the SA. 3720 * Initialising IV for inbound is pointless as its 3721 * taken from the inbound packet. 3722 */ 3723 if (!is_inbound) { 3724 if (ekey->sadb_key_reserved != 0) { 3725 buf_ptr += newbie->ipsa_saltlen; 3726 bcopy(buf_ptr, (uint8_t *)newbie-> 3727 ipsa_iv, SADB_1TO8(ekey-> 3728 sadb_key_reserved)); 3729 } else { 3730 (void) random_get_pseudo_bytes( 3731 (uint8_t *)newbie->ipsa_iv, 3732 newbie->ipsa_iv_len); 3733 } 3734 newbie->ipsa_iv_softexpire = 3735 (*newbie->ipsa_iv) << 9; 3736 newbie->ipsa_iv_hardexpire = *newbie->ipsa_iv; 3737 } 3738 } 3739 bzero((ekey + 1), SADB_1TO8(ekey->sadb_key_bits)); 3740 3741 /* 3742 * Pre-initialize the kernel crypto framework key 3743 * structure. 3744 */ 3745 newbie->ipsa_kcfencrkey.ck_format = CRYPTO_KEY_RAW; 3746 newbie->ipsa_kcfencrkey.ck_length = newbie->ipsa_encrkeybits; 3747 newbie->ipsa_kcfencrkey.ck_data = newbie->ipsa_encrkey; 3748 3749 mutex_enter(&ipss->ipsec_alg_lock); 3750 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_ENCR); 3751 mutex_exit(&ipss->ipsec_alg_lock); 3752 if (error != 0) { 3753 mutex_exit(&newbie->ipsa_lock); 3754 /* See above for error explanation. */ 3755 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX; 3756 goto error; 3757 } 3758 } 3759 3760 /* 3761 * Ptrs to processing functions. 3762 */ 3763 if (newbie->ipsa_type == SADB_SATYPE_ESP) 3764 ipsecesp_init_funcs(newbie); 3765 else 3766 ipsecah_init_funcs(newbie); 3767 ASSERT(newbie->ipsa_output_func != NULL && 3768 newbie->ipsa_input_func != NULL); 3769 3770 /* 3771 * Certificate ID stuff. 3772 */ 3773 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC] != NULL) { 3774 sadb_ident_t *id = 3775 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 3776 3777 /* 3778 * Can assume strlen() will return okay because ext_check() in 3779 * keysock.c prepares the string for us. 3780 */ 3781 newbie->ipsa_src_cid = ipsid_lookup(id->sadb_ident_type, 3782 (char *)(id+1), ns); 3783 if (newbie->ipsa_src_cid == NULL) { 3784 error = ENOMEM; 3785 mutex_exit(&newbie->ipsa_lock); 3786 goto error; 3787 } 3788 } 3789 3790 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_DST] != NULL) { 3791 sadb_ident_t *id = 3792 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 3793 3794 /* 3795 * Can assume strlen() will return okay because ext_check() in 3796 * keysock.c prepares the string for us. 3797 */ 3798 newbie->ipsa_dst_cid = ipsid_lookup(id->sadb_ident_type, 3799 (char *)(id+1), ns); 3800 if (newbie->ipsa_dst_cid == NULL) { 3801 error = ENOMEM; 3802 mutex_exit(&newbie->ipsa_lock); 3803 goto error; 3804 } 3805 } 3806 3807 /* 3808 * sensitivity label handling code: 3809 * Convert sens + bitmap into cred_t, and associate it 3810 * with the new SA. 3811 */ 3812 if (sens != NULL) { 3813 uint64_t *bitmap = (uint64_t *)(sens + 1); 3814 3815 newbie->ipsa_cred = sadb_cred_from_sens(sens, bitmap); 3816 } 3817 3818 /* 3819 * Likewise for outer sensitivity. 3820 */ 3821 if (osens != NULL) { 3822 uint64_t *bitmap = (uint64_t *)(osens + 1); 3823 cred_t *cred, *effective_cred; 3824 uint32_t *peer_addr_ptr; 3825 3826 peer_addr_ptr = is_inbound ? src_addr_ptr : dst_addr_ptr; 3827 3828 cred = sadb_cred_from_sens(osens, bitmap); 3829 newbie->ipsa_mac_exempt = CONN_MAC_DEFAULT; 3830 3831 if (osens->sadb_x_sens_flags & SADB_X_SENS_IMPLICIT) { 3832 newbie->ipsa_mac_exempt = CONN_MAC_IMPLICIT; 3833 } 3834 3835 error = tsol_check_dest(cred, peer_addr_ptr, 3836 (af == AF_INET6)?IPV6_VERSION:IPV4_VERSION, 3837 newbie->ipsa_mac_exempt, &effective_cred); 3838 if (error != 0) { 3839 crfree(cred); 3840 mutex_exit(&newbie->ipsa_lock); 3841 goto error; 3842 } 3843 3844 if (effective_cred != NULL) { 3845 crfree(cred); 3846 cred = effective_cred; 3847 } 3848 3849 newbie->ipsa_ocred = cred; 3850 3851 if (af == AF_INET6) { 3852 tsol_compute_label_v6(cred, (in6_addr_t *)peer_addr_ptr, 3853 newbie->ipsa_opt_storage, ipst); 3854 } else { 3855 tsol_compute_label(cred, *peer_addr_ptr, 3856 newbie->ipsa_opt_storage, ipst); 3857 } 3858 } 3859 3860 3861 if (replayext != NULL) { 3862 if ((replayext->sadb_x_rc_replay32 == 0) && 3863 (replayext->sadb_x_rc_replay64 != 0)) { 3864 error = EOPNOTSUPP; 3865 *diagnostic = SADB_X_DIAGNOSTIC_INVALID_REPLAY; 3866 mutex_exit(&newbie->ipsa_lock); 3867 goto error; 3868 } 3869 newbie->ipsa_replay = replayext->sadb_x_rc_replay32; 3870 } 3871 3872 /* now that the SA has been updated, set its new state */ 3873 newbie->ipsa_state = assoc->sadb_sa_state; 3874 3875 if (clone) { 3876 newbie->ipsa_haspeer = B_TRUE; 3877 } else { 3878 if (!is_inbound) { 3879 lifetime_fuzz(newbie); 3880 } 3881 } 3882 /* 3883 * The less locks I hold when doing an insertion and possible cloning, 3884 * the better! 3885 */ 3886 mutex_exit(&newbie->ipsa_lock); 3887 3888 if (clone) { 3889 newbie_clone = sadb_cloneassoc(newbie); 3890 3891 if (newbie_clone == NULL) { 3892 error = ENOMEM; 3893 goto error; 3894 } 3895 } 3896 3897 /* 3898 * Enter the bucket locks. The order of entry is outbound, 3899 * inbound. We map "primary" and "secondary" into outbound and inbound 3900 * based on the destination address type. If the destination address 3901 * type is for a node that isn't mine (or potentially mine), the 3902 * "primary" bucket is the outbound one. 3903 */ 3904 if (!is_inbound) { 3905 /* primary == outbound */ 3906 mutex_enter(&primary->isaf_lock); 3907 mutex_enter(&secondary->isaf_lock); 3908 } else { 3909 /* primary == inbound */ 3910 mutex_enter(&secondary->isaf_lock); 3911 mutex_enter(&primary->isaf_lock); 3912 } 3913 3914 IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_common_add: spi = 0x%x\n", 3915 newbie->ipsa_spi)); 3916 3917 /* 3918 * sadb_insertassoc() doesn't increment the reference 3919 * count. We therefore have to increment the 3920 * reference count one more time to reflect the 3921 * pointers of the table that reference this SA. 3922 */ 3923 IPSA_REFHOLD(newbie); 3924 3925 if (isupdate) { 3926 /* 3927 * Unlink from larval holding cell in the "inbound" fanout. 3928 */ 3929 ASSERT(newbie->ipsa_linklock == &primary->isaf_lock || 3930 newbie->ipsa_linklock == &secondary->isaf_lock); 3931 sadb_unlinkassoc(newbie); 3932 } 3933 3934 mutex_enter(&newbie->ipsa_lock); 3935 error = sadb_insertassoc(newbie, primary); 3936 if (error == 0) { 3937 ctl_mp = sadb_fmt_sa_req(DL_CO_SET, newbie->ipsa_type, newbie, 3938 is_inbound); 3939 } 3940 mutex_exit(&newbie->ipsa_lock); 3941 3942 if (error != 0) { 3943 /* 3944 * Since sadb_insertassoc() failed, we must decrement the 3945 * refcount again so the cleanup code will actually free 3946 * the offending SA. 3947 */ 3948 IPSA_REFRELE(newbie); 3949 goto error_unlock; 3950 } 3951 3952 if (newbie_clone != NULL) { 3953 mutex_enter(&newbie_clone->ipsa_lock); 3954 error = sadb_insertassoc(newbie_clone, secondary); 3955 mutex_exit(&newbie_clone->ipsa_lock); 3956 if (error != 0) { 3957 /* Collision in secondary table. */ 3958 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 3959 goto error_unlock; 3960 } 3961 IPSA_REFHOLD(newbie_clone); 3962 } else { 3963 ASSERT(primary != secondary); 3964 scratch = ipsec_getassocbyspi(secondary, newbie->ipsa_spi, 3965 ALL_ZEROES_PTR, newbie->ipsa_dstaddr, af); 3966 if (scratch != NULL) { 3967 /* Collision in secondary table. */ 3968 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 3969 /* Set the error, since ipsec_getassocbyspi() can't. */ 3970 error = EEXIST; 3971 goto error_unlock; 3972 } 3973 } 3974 3975 /* OKAY! So let's do some reality check assertions. */ 3976 3977 ASSERT(MUTEX_NOT_HELD(&newbie->ipsa_lock)); 3978 ASSERT(newbie_clone == NULL || 3979 (MUTEX_NOT_HELD(&newbie_clone->ipsa_lock))); 3980 /* 3981 * If hardware acceleration could happen, send it. 3982 */ 3983 if (ctl_mp != NULL) { 3984 putnext(ip_q, ctl_mp); 3985 ctl_mp = NULL; 3986 } 3987 3988 error_unlock: 3989 3990 /* 3991 * We can exit the locks in any order. Only entrance needs to 3992 * follow any protocol. 3993 */ 3994 mutex_exit(&secondary->isaf_lock); 3995 mutex_exit(&primary->isaf_lock); 3996 3997 if (pair_ext != NULL && error == 0) { 3998 /* update pair_spi if it exists. */ 3999 ipsa_query_t sq; 4000 4001 sq.spp = spp; /* XXX param */ 4002 error = sadb_form_query(ksi, IPSA_Q_DST, IPSA_Q_SRC|IPSA_Q_DST| 4003 IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, &sq, diagnostic); 4004 if (error) 4005 return (error); 4006 4007 error = get_ipsa_pair(&sq, &ipsapp, diagnostic); 4008 4009 if (error != 0) 4010 goto error; 4011 4012 if (ipsapp.ipsap_psa_ptr != NULL) { 4013 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY; 4014 error = EINVAL; 4015 } else { 4016 /* update_pairing() sets diagnostic */ 4017 error = update_pairing(&ipsapp, &sq, ksi, diagnostic); 4018 } 4019 } 4020 /* Common error point for this routine. */ 4021 error: 4022 if (newbie != NULL) { 4023 if (error != 0) { 4024 /* This SA is broken, let the reaper clean up. */ 4025 mutex_enter(&newbie->ipsa_lock); 4026 newbie->ipsa_state = IPSA_STATE_DEAD; 4027 newbie->ipsa_hardexpiretime = 1; 4028 mutex_exit(&newbie->ipsa_lock); 4029 } 4030 IPSA_REFRELE(newbie); 4031 } 4032 if (newbie_clone != NULL) { 4033 IPSA_REFRELE(newbie_clone); 4034 } 4035 if (ctl_mp != NULL) 4036 freemsg(ctl_mp); 4037 4038 if (error == 0) { 4039 /* 4040 * Construct favorable PF_KEY return message and send to 4041 * keysock. Update the flags in the original keysock message 4042 * to reflect the actual flags in the new SA. 4043 * (Q: Do I need to pass "newbie"? If I do, 4044 * make sure to REFHOLD, call, then REFRELE.) 4045 */ 4046 assoc->sadb_sa_flags = newbie->ipsa_flags; 4047 sadb_pfkey_echo(pfkey_q, mp, samsg, ksi, NULL); 4048 } 4049 4050 destroy_ipsa_pair(&ipsapp); 4051 return (error); 4052 } 4053 4054 /* 4055 * Set the time of first use for a security association. Update any 4056 * expiration times as a result. 4057 */ 4058 void 4059 sadb_set_usetime(ipsa_t *assoc) 4060 { 4061 time_t snapshot = gethrestime_sec(); 4062 4063 mutex_enter(&assoc->ipsa_lock); 4064 assoc->ipsa_lastuse = snapshot; 4065 assoc->ipsa_idleexpiretime = snapshot + assoc->ipsa_idletime; 4066 4067 /* 4068 * Caller does check usetime before calling me usually, and 4069 * double-checking is better than a mutex_enter/exit hit. 4070 */ 4071 if (assoc->ipsa_usetime == 0) { 4072 /* 4073 * This is redundant for outbound SA's, as 4074 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already. 4075 * Inbound SAs, however, have no such protection. 4076 */ 4077 assoc->ipsa_flags |= IPSA_F_USED; 4078 assoc->ipsa_usetime = snapshot; 4079 4080 /* 4081 * After setting the use time, see if we have a use lifetime 4082 * that would cause the actual SA expiration time to shorten. 4083 */ 4084 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 4085 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 4086 } 4087 mutex_exit(&assoc->ipsa_lock); 4088 } 4089 4090 /* 4091 * Send up a PF_KEY expire message for this association. 4092 */ 4093 static void 4094 sadb_expire_assoc(queue_t *pfkey_q, ipsa_t *assoc) 4095 { 4096 mblk_t *mp, *mp1; 4097 int alloclen, af; 4098 sadb_msg_t *samsg; 4099 sadb_lifetime_t *current, *expire; 4100 sadb_sa_t *saext; 4101 uint8_t *end; 4102 boolean_t tunnel_mode; 4103 4104 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 4105 4106 /* Don't bother sending if there's no queue. */ 4107 if (pfkey_q == NULL) 4108 return; 4109 4110 /* If the SA is one of a pair, only SOFT expire the OUTBOUND SA */ 4111 if (assoc->ipsa_state == IPSA_STATE_DYING && 4112 (assoc->ipsa_flags & IPSA_F_PAIRED) && 4113 !(assoc->ipsa_flags & IPSA_F_OUTBOUND)) { 4114 return; 4115 } 4116 4117 mp = sadb_keysock_out(0); 4118 if (mp == NULL) { 4119 /* cmn_err(CE_WARN, */ 4120 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */ 4121 return; 4122 } 4123 4124 alloclen = sizeof (*samsg) + sizeof (*current) + sizeof (*expire) + 4125 2 * sizeof (sadb_address_t) + sizeof (*saext); 4126 4127 af = assoc->ipsa_addrfam; 4128 switch (af) { 4129 case AF_INET: 4130 alloclen += 2 * sizeof (struct sockaddr_in); 4131 break; 4132 case AF_INET6: 4133 alloclen += 2 * sizeof (struct sockaddr_in6); 4134 break; 4135 default: 4136 /* Won't happen unless there's a kernel bug. */ 4137 freeb(mp); 4138 cmn_err(CE_WARN, 4139 "sadb_expire_assoc: Unknown address length.\n"); 4140 return; 4141 } 4142 4143 tunnel_mode = (assoc->ipsa_flags & IPSA_F_TUNNEL); 4144 if (tunnel_mode) { 4145 alloclen += 2 * sizeof (sadb_address_t); 4146 switch (assoc->ipsa_innerfam) { 4147 case AF_INET: 4148 alloclen += 2 * sizeof (struct sockaddr_in); 4149 break; 4150 case AF_INET6: 4151 alloclen += 2 * sizeof (struct sockaddr_in6); 4152 break; 4153 default: 4154 /* Won't happen unless there's a kernel bug. */ 4155 freeb(mp); 4156 cmn_err(CE_WARN, "sadb_expire_assoc: " 4157 "Unknown inner address length.\n"); 4158 return; 4159 } 4160 } 4161 4162 mp->b_cont = allocb(alloclen, BPRI_HI); 4163 if (mp->b_cont == NULL) { 4164 freeb(mp); 4165 /* cmn_err(CE_WARN, */ 4166 /* "sadb_expire_assoc: Can't allocate message.\n"); */ 4167 return; 4168 } 4169 4170 mp1 = mp; 4171 mp = mp->b_cont; 4172 end = mp->b_wptr + alloclen; 4173 4174 samsg = (sadb_msg_t *)mp->b_wptr; 4175 mp->b_wptr += sizeof (*samsg); 4176 samsg->sadb_msg_version = PF_KEY_V2; 4177 samsg->sadb_msg_type = SADB_EXPIRE; 4178 samsg->sadb_msg_errno = 0; 4179 samsg->sadb_msg_satype = assoc->ipsa_type; 4180 samsg->sadb_msg_len = SADB_8TO64(alloclen); 4181 samsg->sadb_msg_reserved = 0; 4182 samsg->sadb_msg_seq = 0; 4183 samsg->sadb_msg_pid = 0; 4184 4185 saext = (sadb_sa_t *)mp->b_wptr; 4186 mp->b_wptr += sizeof (*saext); 4187 saext->sadb_sa_len = SADB_8TO64(sizeof (*saext)); 4188 saext->sadb_sa_exttype = SADB_EXT_SA; 4189 saext->sadb_sa_spi = assoc->ipsa_spi; 4190 saext->sadb_sa_replay = assoc->ipsa_replay_wsize; 4191 saext->sadb_sa_state = assoc->ipsa_state; 4192 saext->sadb_sa_auth = assoc->ipsa_auth_alg; 4193 saext->sadb_sa_encrypt = assoc->ipsa_encr_alg; 4194 saext->sadb_sa_flags = assoc->ipsa_flags; 4195 4196 current = (sadb_lifetime_t *)mp->b_wptr; 4197 mp->b_wptr += sizeof (sadb_lifetime_t); 4198 current->sadb_lifetime_len = SADB_8TO64(sizeof (*current)); 4199 current->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 4200 /* We do not support the concept. */ 4201 current->sadb_lifetime_allocations = 0; 4202 current->sadb_lifetime_bytes = assoc->ipsa_bytes; 4203 current->sadb_lifetime_addtime = assoc->ipsa_addtime; 4204 current->sadb_lifetime_usetime = assoc->ipsa_usetime; 4205 4206 expire = (sadb_lifetime_t *)mp->b_wptr; 4207 mp->b_wptr += sizeof (*expire); 4208 expire->sadb_lifetime_len = SADB_8TO64(sizeof (*expire)); 4209 4210 if (assoc->ipsa_state == IPSA_STATE_DEAD) { 4211 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 4212 expire->sadb_lifetime_allocations = assoc->ipsa_hardalloc; 4213 expire->sadb_lifetime_bytes = assoc->ipsa_hardbyteslt; 4214 expire->sadb_lifetime_addtime = assoc->ipsa_hardaddlt; 4215 expire->sadb_lifetime_usetime = assoc->ipsa_harduselt; 4216 } else if (assoc->ipsa_state == IPSA_STATE_DYING) { 4217 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 4218 expire->sadb_lifetime_allocations = assoc->ipsa_softalloc; 4219 expire->sadb_lifetime_bytes = assoc->ipsa_softbyteslt; 4220 expire->sadb_lifetime_addtime = assoc->ipsa_softaddlt; 4221 expire->sadb_lifetime_usetime = assoc->ipsa_softuselt; 4222 } else { 4223 ASSERT(assoc->ipsa_state == IPSA_STATE_MATURE); 4224 expire->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE; 4225 expire->sadb_lifetime_allocations = 0; 4226 expire->sadb_lifetime_bytes = 0; 4227 expire->sadb_lifetime_addtime = assoc->ipsa_idleaddlt; 4228 expire->sadb_lifetime_usetime = assoc->ipsa_idleuselt; 4229 } 4230 4231 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_SRC, 4232 af, assoc->ipsa_srcaddr, tunnel_mode ? 0 : SA_SRCPORT(assoc), 4233 SA_PROTO(assoc), 0); 4234 ASSERT(mp->b_wptr != NULL); 4235 4236 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_DST, 4237 af, assoc->ipsa_dstaddr, tunnel_mode ? 0 : SA_DSTPORT(assoc), 4238 SA_PROTO(assoc), 0); 4239 ASSERT(mp->b_wptr != NULL); 4240 4241 if (tunnel_mode) { 4242 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, 4243 SADB_X_EXT_ADDRESS_INNER_SRC, assoc->ipsa_innerfam, 4244 assoc->ipsa_innersrc, SA_SRCPORT(assoc), SA_IPROTO(assoc), 4245 assoc->ipsa_innersrcpfx); 4246 ASSERT(mp->b_wptr != NULL); 4247 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, 4248 SADB_X_EXT_ADDRESS_INNER_DST, assoc->ipsa_innerfam, 4249 assoc->ipsa_innerdst, SA_DSTPORT(assoc), SA_IPROTO(assoc), 4250 assoc->ipsa_innerdstpfx); 4251 ASSERT(mp->b_wptr != NULL); 4252 } 4253 4254 /* Can just putnext, we're ready to go! */ 4255 putnext(pfkey_q, mp1); 4256 } 4257 4258 /* 4259 * "Age" the SA with the number of bytes that was used to protect traffic. 4260 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was 4261 * enough "charge" left in the SA to protect the data. Return B_FALSE 4262 * otherwise. (If B_FALSE is returned, the association either was, or became 4263 * DEAD.) 4264 */ 4265 boolean_t 4266 sadb_age_bytes(queue_t *pfkey_q, ipsa_t *assoc, uint64_t bytes, 4267 boolean_t sendmsg) 4268 { 4269 boolean_t rc = B_TRUE; 4270 uint64_t newtotal; 4271 4272 mutex_enter(&assoc->ipsa_lock); 4273 newtotal = assoc->ipsa_bytes + bytes; 4274 if (assoc->ipsa_hardbyteslt != 0 && 4275 newtotal >= assoc->ipsa_hardbyteslt) { 4276 if (assoc->ipsa_state != IPSA_STATE_DEAD) { 4277 sadb_delete_cluster(assoc); 4278 /* 4279 * Send EXPIRE message to PF_KEY. May wish to pawn 4280 * this off on another non-interrupt thread. Also 4281 * unlink this SA immediately. 4282 */ 4283 assoc->ipsa_state = IPSA_STATE_DEAD; 4284 if (sendmsg) 4285 sadb_expire_assoc(pfkey_q, assoc); 4286 /* 4287 * Set non-zero expiration time so sadb_age_assoc() 4288 * will work when reaping. 4289 */ 4290 assoc->ipsa_hardexpiretime = (time_t)1; 4291 } /* Else someone beat me to it! */ 4292 rc = B_FALSE; 4293 } else if (assoc->ipsa_softbyteslt != 0 && 4294 (newtotal >= assoc->ipsa_softbyteslt)) { 4295 if (assoc->ipsa_state < IPSA_STATE_DYING) { 4296 /* 4297 * Send EXPIRE message to PF_KEY. May wish to pawn 4298 * this off on another non-interrupt thread. 4299 */ 4300 assoc->ipsa_state = IPSA_STATE_DYING; 4301 assoc->ipsa_bytes = newtotal; 4302 if (sendmsg) 4303 sadb_expire_assoc(pfkey_q, assoc); 4304 } /* Else someone beat me to it! */ 4305 } 4306 if (rc == B_TRUE) 4307 assoc->ipsa_bytes = newtotal; 4308 mutex_exit(&assoc->ipsa_lock); 4309 return (rc); 4310 } 4311 4312 /* 4313 * Push one or more DL_CO_DELETE messages queued up by 4314 * sadb_torch_assoc down to the underlying driver now that it's a 4315 * convenient time for it (i.e., ipsa bucket locks not held). 4316 */ 4317 static void 4318 sadb_drain_torchq(queue_t *q, mblk_t *mp) 4319 { 4320 while (mp != NULL) { 4321 mblk_t *next = mp->b_next; 4322 mp->b_next = NULL; 4323 if (q != NULL) 4324 putnext(q, mp); 4325 else 4326 freemsg(mp); 4327 mp = next; 4328 } 4329 } 4330 4331 /* 4332 * "Torch" an individual SA. Returns NULL, so it can be tail-called from 4333 * sadb_age_assoc(). 4334 * 4335 * If SA is hardware-accelerated, and we can't allocate the mblk 4336 * containing the DL_CO_DELETE, just return; it will remain in the 4337 * table and be swept up by sadb_ager() in a subsequent pass. 4338 */ 4339 static ipsa_t * 4340 sadb_torch_assoc(isaf_t *head, ipsa_t *sa, boolean_t inbnd, mblk_t **mq) 4341 { 4342 mblk_t *mp; 4343 4344 ASSERT(MUTEX_HELD(&head->isaf_lock)); 4345 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 4346 ASSERT(sa->ipsa_state == IPSA_STATE_DEAD); 4347 4348 /* 4349 * Force cached SAs to be revalidated.. 4350 */ 4351 head->isaf_gen++; 4352 4353 if (sa->ipsa_flags & IPSA_F_HW) { 4354 mp = sadb_fmt_sa_req(DL_CO_DELETE, sa->ipsa_type, sa, inbnd); 4355 if (mp == NULL) { 4356 mutex_exit(&sa->ipsa_lock); 4357 return (NULL); 4358 } 4359 mp->b_next = *mq; 4360 *mq = mp; 4361 } 4362 mutex_exit(&sa->ipsa_lock); 4363 sadb_unlinkassoc(sa); 4364 4365 return (NULL); 4366 } 4367 4368 /* 4369 * Do various SA-is-idle activities depending on delta (the number of idle 4370 * seconds on the SA) and/or other properties of the SA. 4371 * 4372 * Return B_TRUE if I've sent a packet, because I have to drop the 4373 * association's mutex before sending a packet out the wire. 4374 */ 4375 /* ARGSUSED */ 4376 static boolean_t 4377 sadb_idle_activities(ipsa_t *assoc, time_t delta, boolean_t inbound) 4378 { 4379 ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp; 4380 int nat_t_interval = espstack->ipsecesp_nat_keepalive_interval; 4381 4382 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 4383 4384 if (!inbound && (assoc->ipsa_flags & IPSA_F_NATT_LOC) && 4385 delta >= nat_t_interval && 4386 gethrestime_sec() - assoc->ipsa_last_nat_t_ka >= nat_t_interval) { 4387 ASSERT(assoc->ipsa_type == SADB_SATYPE_ESP); 4388 assoc->ipsa_last_nat_t_ka = gethrestime_sec(); 4389 mutex_exit(&assoc->ipsa_lock); 4390 ipsecesp_send_keepalive(assoc); 4391 return (B_TRUE); 4392 } 4393 return (B_FALSE); 4394 } 4395 4396 /* 4397 * Return "assoc" if haspeer is true and I send an expire. This allows 4398 * the consumers' aging functions to tidy up an expired SA's peer. 4399 */ 4400 static ipsa_t * 4401 sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc, 4402 time_t current, int reap_delay, boolean_t inbound, mblk_t **mq) 4403 { 4404 ipsa_t *retval = NULL; 4405 boolean_t dropped_mutex = B_FALSE; 4406 4407 ASSERT(MUTEX_HELD(&head->isaf_lock)); 4408 4409 mutex_enter(&assoc->ipsa_lock); 4410 4411 if (((assoc->ipsa_state == IPSA_STATE_LARVAL) || 4412 ((assoc->ipsa_state == IPSA_STATE_IDLE) || 4413 (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) && 4414 (assoc->ipsa_hardexpiretime != 0))) && 4415 (assoc->ipsa_hardexpiretime <= current)) { 4416 assoc->ipsa_state = IPSA_STATE_DEAD; 4417 return (sadb_torch_assoc(head, assoc, inbound, mq)); 4418 } 4419 4420 /* 4421 * Check lifetimes. Fortunately, SA setup is done 4422 * such that there are only two times to look at, 4423 * softexpiretime, and hardexpiretime. 4424 * 4425 * Check hard first. 4426 */ 4427 4428 if (assoc->ipsa_hardexpiretime != 0 && 4429 assoc->ipsa_hardexpiretime <= current) { 4430 if (assoc->ipsa_state == IPSA_STATE_DEAD) 4431 return (sadb_torch_assoc(head, assoc, inbound, mq)); 4432 4433 if (inbound) { 4434 sadb_delete_cluster(assoc); 4435 } 4436 4437 /* 4438 * Send SADB_EXPIRE with hard lifetime, delay for unlinking. 4439 */ 4440 assoc->ipsa_state = IPSA_STATE_DEAD; 4441 if (assoc->ipsa_haspeer || assoc->ipsa_otherspi != 0) { 4442 /* 4443 * If the SA is paired or peered with another, put 4444 * a copy on a list which can be processed later, the 4445 * pair/peer SA needs to be updated so the both die 4446 * at the same time. 4447 * 4448 * If I return assoc, I have to bump up its reference 4449 * count to keep with the ipsa_t reference count 4450 * semantics. 4451 */ 4452 IPSA_REFHOLD(assoc); 4453 retval = assoc; 4454 } 4455 sadb_expire_assoc(pfkey_q, assoc); 4456 assoc->ipsa_hardexpiretime = current + reap_delay; 4457 } else if (assoc->ipsa_softexpiretime != 0 && 4458 assoc->ipsa_softexpiretime <= current && 4459 assoc->ipsa_state < IPSA_STATE_DYING) { 4460 /* 4461 * Send EXPIRE message to PF_KEY. May wish to pawn 4462 * this off on another non-interrupt thread. 4463 */ 4464 assoc->ipsa_state = IPSA_STATE_DYING; 4465 if (assoc->ipsa_haspeer) { 4466 /* 4467 * If the SA has a peer, update the peer's state 4468 * on SOFT_EXPIRE, this is mostly to prevent two 4469 * expire messages from effectively the same SA. 4470 * 4471 * Don't care about paired SA's, then can (and should) 4472 * be able to soft expire at different times. 4473 * 4474 * If I return assoc, I have to bump up its 4475 * reference count to keep with the ipsa_t reference 4476 * count semantics. 4477 */ 4478 IPSA_REFHOLD(assoc); 4479 retval = assoc; 4480 } 4481 sadb_expire_assoc(pfkey_q, assoc); 4482 } else if (assoc->ipsa_idletime != 0 && 4483 assoc->ipsa_idleexpiretime <= current) { 4484 if (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) { 4485 assoc->ipsa_state = IPSA_STATE_IDLE; 4486 } 4487 4488 /* 4489 * Need to handle Mature case 4490 */ 4491 if (assoc->ipsa_state == IPSA_STATE_MATURE) { 4492 sadb_expire_assoc(pfkey_q, assoc); 4493 } 4494 } else { 4495 /* Check idle time activities. */ 4496 dropped_mutex = sadb_idle_activities(assoc, 4497 current - assoc->ipsa_lastuse, inbound); 4498 } 4499 4500 if (!dropped_mutex) 4501 mutex_exit(&assoc->ipsa_lock); 4502 return (retval); 4503 } 4504 4505 /* 4506 * Called by a consumer protocol to do ther dirty work of reaping dead 4507 * Security Associations. 4508 * 4509 * NOTE: sadb_age_assoc() marks expired SA's as DEAD but only removed 4510 * SA's that are already marked DEAD, so expired SA's are only reaped 4511 * the second time sadb_ager() runs. 4512 */ 4513 void 4514 sadb_ager(sadb_t *sp, queue_t *pfkey_q, queue_t *ip_q, int reap_delay, 4515 netstack_t *ns) 4516 { 4517 int i; 4518 isaf_t *bucket; 4519 ipsa_t *assoc, *spare; 4520 iacqf_t *acqlist; 4521 ipsacq_t *acqrec, *spareacq; 4522 templist_t *haspeerlist, *newbie; 4523 /* Snapshot current time now. */ 4524 time_t current = gethrestime_sec(); 4525 mblk_t *mq = NULL; 4526 haspeerlist = NULL; 4527 4528 /* 4529 * Do my dirty work. This includes aging real entries, aging 4530 * larvals, and aging outstanding ACQUIREs. 4531 * 4532 * I hope I don't tie up resources for too long. 4533 */ 4534 4535 /* Age acquires. */ 4536 4537 for (i = 0; i < sp->sdb_hashsize; i++) { 4538 acqlist = &sp->sdb_acq[i]; 4539 mutex_enter(&acqlist->iacqf_lock); 4540 for (acqrec = acqlist->iacqf_ipsacq; acqrec != NULL; 4541 acqrec = spareacq) { 4542 spareacq = acqrec->ipsacq_next; 4543 if (current > acqrec->ipsacq_expire) 4544 sadb_destroy_acquire(acqrec, ns); 4545 } 4546 mutex_exit(&acqlist->iacqf_lock); 4547 } 4548 4549 /* Age inbound associations. */ 4550 for (i = 0; i < sp->sdb_hashsize; i++) { 4551 bucket = &(sp->sdb_if[i]); 4552 mutex_enter(&bucket->isaf_lock); 4553 for (assoc = bucket->isaf_ipsa; assoc != NULL; 4554 assoc = spare) { 4555 spare = assoc->ipsa_next; 4556 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 4557 reap_delay, B_TRUE, &mq) != NULL) { 4558 /* 4559 * Put SA's which have a peer or SA's which 4560 * are paired on a list for processing after 4561 * all the hash tables have been walked. 4562 * 4563 * sadb_age_assoc() increments the refcnt, 4564 * effectively doing an IPSA_REFHOLD(). 4565 */ 4566 newbie = kmem_alloc(sizeof (*newbie), 4567 KM_NOSLEEP); 4568 if (newbie == NULL) { 4569 /* 4570 * Don't forget to REFRELE(). 4571 */ 4572 IPSA_REFRELE(assoc); 4573 continue; /* for loop... */ 4574 } 4575 newbie->next = haspeerlist; 4576 newbie->ipsa = assoc; 4577 haspeerlist = newbie; 4578 } 4579 } 4580 mutex_exit(&bucket->isaf_lock); 4581 } 4582 4583 if (mq != NULL) { 4584 sadb_drain_torchq(ip_q, mq); 4585 mq = NULL; 4586 } 4587 age_pair_peer_list(haspeerlist, sp, B_FALSE); 4588 haspeerlist = NULL; 4589 4590 /* Age outbound associations. */ 4591 for (i = 0; i < sp->sdb_hashsize; i++) { 4592 bucket = &(sp->sdb_of[i]); 4593 mutex_enter(&bucket->isaf_lock); 4594 for (assoc = bucket->isaf_ipsa; assoc != NULL; 4595 assoc = spare) { 4596 spare = assoc->ipsa_next; 4597 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 4598 reap_delay, B_FALSE, &mq) != NULL) { 4599 /* 4600 * sadb_age_assoc() increments the refcnt, 4601 * effectively doing an IPSA_REFHOLD(). 4602 */ 4603 newbie = kmem_alloc(sizeof (*newbie), 4604 KM_NOSLEEP); 4605 if (newbie == NULL) { 4606 /* 4607 * Don't forget to REFRELE(). 4608 */ 4609 IPSA_REFRELE(assoc); 4610 continue; /* for loop... */ 4611 } 4612 newbie->next = haspeerlist; 4613 newbie->ipsa = assoc; 4614 haspeerlist = newbie; 4615 } 4616 } 4617 mutex_exit(&bucket->isaf_lock); 4618 } 4619 if (mq != NULL) { 4620 sadb_drain_torchq(ip_q, mq); 4621 mq = NULL; 4622 } 4623 4624 age_pair_peer_list(haspeerlist, sp, B_TRUE); 4625 4626 /* 4627 * Run a GC pass to clean out dead identities. 4628 */ 4629 ipsid_gc(ns); 4630 } 4631 4632 /* 4633 * Figure out when to reschedule the ager. 4634 */ 4635 timeout_id_t 4636 sadb_retimeout(hrtime_t begin, queue_t *pfkey_q, void (*ager)(void *), 4637 void *agerarg, uint_t *intp, uint_t intmax, short mid) 4638 { 4639 hrtime_t end = gethrtime(); 4640 uint_t interval = *intp; 4641 4642 /* 4643 * See how long this took. If it took too long, increase the 4644 * aging interval. 4645 */ 4646 if ((end - begin) > (hrtime_t)interval * (hrtime_t)1000000) { 4647 if (interval >= intmax) { 4648 /* XXX Rate limit this? Or recommend flush? */ 4649 (void) strlog(mid, 0, 0, SL_ERROR | SL_WARN, 4650 "Too many SA's to age out in %d msec.\n", 4651 intmax); 4652 } else { 4653 /* Double by shifting by one bit. */ 4654 interval <<= 1; 4655 interval = min(interval, intmax); 4656 } 4657 } else if ((end - begin) <= (hrtime_t)interval * (hrtime_t)500000 && 4658 interval > SADB_AGE_INTERVAL_DEFAULT) { 4659 /* 4660 * If I took less than half of the interval, then I should 4661 * ratchet the interval back down. Never automatically 4662 * shift below the default aging interval. 4663 * 4664 * NOTE:This even overrides manual setting of the age 4665 * interval using NDD to lower the setting past the 4666 * default. In other words, if you set the interval 4667 * lower than the default, and your SADB gets too big, 4668 * the interval will only self-lower back to the default. 4669 */ 4670 /* Halve by shifting one bit. */ 4671 interval >>= 1; 4672 interval = max(interval, SADB_AGE_INTERVAL_DEFAULT); 4673 } 4674 *intp = interval; 4675 return (qtimeout(pfkey_q, ager, agerarg, 4676 drv_usectohz(interval * 1000))); 4677 } 4678 4679 4680 /* 4681 * Update the lifetime values of an SA. This is the path an SADB_UPDATE 4682 * message takes when updating a MATURE or DYING SA. 4683 */ 4684 static void 4685 sadb_update_lifetimes(ipsa_t *assoc, sadb_lifetime_t *hard, 4686 sadb_lifetime_t *soft, sadb_lifetime_t *idle, boolean_t outbound) 4687 { 4688 mutex_enter(&assoc->ipsa_lock); 4689 4690 /* 4691 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be 4692 * passed in during an update message. We currently don't handle 4693 * these. 4694 */ 4695 4696 if (hard != NULL) { 4697 if (hard->sadb_lifetime_bytes != 0) 4698 assoc->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 4699 if (hard->sadb_lifetime_usetime != 0) 4700 assoc->ipsa_harduselt = hard->sadb_lifetime_usetime; 4701 if (hard->sadb_lifetime_addtime != 0) 4702 assoc->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 4703 if (assoc->ipsa_hardaddlt != 0) { 4704 assoc->ipsa_hardexpiretime = 4705 assoc->ipsa_addtime + assoc->ipsa_hardaddlt; 4706 } 4707 if (assoc->ipsa_harduselt != 0 && 4708 assoc->ipsa_flags & IPSA_F_USED) { 4709 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 4710 } 4711 if (hard->sadb_lifetime_allocations != 0) 4712 assoc->ipsa_hardalloc = hard->sadb_lifetime_allocations; 4713 } 4714 4715 if (soft != NULL) { 4716 if (soft->sadb_lifetime_bytes != 0) { 4717 if (soft->sadb_lifetime_bytes > 4718 assoc->ipsa_hardbyteslt) { 4719 assoc->ipsa_softbyteslt = 4720 assoc->ipsa_hardbyteslt; 4721 } else { 4722 assoc->ipsa_softbyteslt = 4723 soft->sadb_lifetime_bytes; 4724 } 4725 } 4726 if (soft->sadb_lifetime_usetime != 0) { 4727 if (soft->sadb_lifetime_usetime > 4728 assoc->ipsa_harduselt) { 4729 assoc->ipsa_softuselt = 4730 assoc->ipsa_harduselt; 4731 } else { 4732 assoc->ipsa_softuselt = 4733 soft->sadb_lifetime_usetime; 4734 } 4735 } 4736 if (soft->sadb_lifetime_addtime != 0) { 4737 if (soft->sadb_lifetime_addtime > 4738 assoc->ipsa_hardexpiretime) { 4739 assoc->ipsa_softexpiretime = 4740 assoc->ipsa_hardexpiretime; 4741 } else { 4742 assoc->ipsa_softaddlt = 4743 soft->sadb_lifetime_addtime; 4744 } 4745 } 4746 if (assoc->ipsa_softaddlt != 0) { 4747 assoc->ipsa_softexpiretime = 4748 assoc->ipsa_addtime + assoc->ipsa_softaddlt; 4749 } 4750 if (assoc->ipsa_softuselt != 0 && 4751 assoc->ipsa_flags & IPSA_F_USED) { 4752 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 4753 } 4754 if (outbound && assoc->ipsa_softexpiretime != 0) { 4755 if (assoc->ipsa_state == IPSA_STATE_MATURE) 4756 lifetime_fuzz(assoc); 4757 } 4758 4759 if (soft->sadb_lifetime_allocations != 0) 4760 assoc->ipsa_softalloc = soft->sadb_lifetime_allocations; 4761 } 4762 4763 if (idle != NULL) { 4764 time_t current = gethrestime_sec(); 4765 if ((assoc->ipsa_idleexpiretime <= current) && 4766 (assoc->ipsa_idleaddlt == idle->sadb_lifetime_addtime)) { 4767 assoc->ipsa_idleexpiretime = 4768 current + assoc->ipsa_idleaddlt; 4769 } 4770 if (idle->sadb_lifetime_addtime != 0) 4771 assoc->ipsa_idleaddlt = idle->sadb_lifetime_addtime; 4772 if (idle->sadb_lifetime_usetime != 0) 4773 assoc->ipsa_idleuselt = idle->sadb_lifetime_usetime; 4774 if (assoc->ipsa_idleaddlt != 0) { 4775 assoc->ipsa_idleexpiretime = 4776 current + idle->sadb_lifetime_addtime; 4777 assoc->ipsa_idletime = idle->sadb_lifetime_addtime; 4778 } 4779 if (assoc->ipsa_idleuselt != 0) { 4780 if (assoc->ipsa_idletime != 0) { 4781 assoc->ipsa_idletime = min(assoc->ipsa_idletime, 4782 assoc->ipsa_idleuselt); 4783 assoc->ipsa_idleexpiretime = 4784 current + assoc->ipsa_idletime; 4785 } else { 4786 assoc->ipsa_idleexpiretime = 4787 current + assoc->ipsa_idleuselt; 4788 assoc->ipsa_idletime = assoc->ipsa_idleuselt; 4789 } 4790 } 4791 } 4792 mutex_exit(&assoc->ipsa_lock); 4793 } 4794 4795 static int 4796 sadb_update_state(ipsa_t *assoc, uint_t new_state, mblk_t **ipkt_lst) 4797 { 4798 int rcode = 0; 4799 time_t current = gethrestime_sec(); 4800 4801 mutex_enter(&assoc->ipsa_lock); 4802 4803 switch (new_state) { 4804 case SADB_X_SASTATE_ACTIVE_ELSEWHERE: 4805 if (assoc->ipsa_state == SADB_X_SASTATE_IDLE) { 4806 assoc->ipsa_state = IPSA_STATE_ACTIVE_ELSEWHERE; 4807 assoc->ipsa_idleexpiretime = 4808 current + assoc->ipsa_idletime; 4809 } 4810 break; 4811 case SADB_X_SASTATE_IDLE: 4812 if (assoc->ipsa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) { 4813 assoc->ipsa_state = IPSA_STATE_IDLE; 4814 assoc->ipsa_idleexpiretime = 4815 current + assoc->ipsa_idletime; 4816 } else { 4817 rcode = EINVAL; 4818 } 4819 break; 4820 4821 case SADB_X_SASTATE_ACTIVE: 4822 if (assoc->ipsa_state != SADB_X_SASTATE_IDLE) { 4823 rcode = EINVAL; 4824 break; 4825 } 4826 assoc->ipsa_state = IPSA_STATE_MATURE; 4827 assoc->ipsa_idleexpiretime = current + assoc->ipsa_idletime; 4828 4829 if (ipkt_lst == NULL) { 4830 break; 4831 } 4832 4833 if (assoc->ipsa_bpkt_head != NULL) { 4834 *ipkt_lst = assoc->ipsa_bpkt_head; 4835 assoc->ipsa_bpkt_head = assoc->ipsa_bpkt_tail = NULL; 4836 assoc->ipsa_mblkcnt = 0; 4837 } else { 4838 *ipkt_lst = NULL; 4839 } 4840 break; 4841 default: 4842 rcode = EINVAL; 4843 break; 4844 } 4845 4846 mutex_exit(&assoc->ipsa_lock); 4847 return (rcode); 4848 } 4849 4850 /* 4851 * Check a proposed KMC update for sanity. 4852 */ 4853 static int 4854 sadb_check_kmc(ipsa_query_t *sq, ipsa_t *sa, int *diagnostic) 4855 { 4856 uint32_t kmp = sq->kmp; 4857 uint32_t kmc = sq->kmc; 4858 4859 if (sa == NULL) 4860 return (0); 4861 4862 if (sa->ipsa_state == IPSA_STATE_DEAD) 4863 return (ESRCH); /* DEAD == Not there, in this case. */ 4864 4865 if ((kmp != 0) && ((sa->ipsa_kmp != 0) || (sa->ipsa_kmp != kmp))) { 4866 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 4867 return (EINVAL); 4868 } 4869 4870 if ((kmc != 0) && ((sa->ipsa_kmc != 0) || (sa->ipsa_kmc != kmc))) { 4871 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 4872 return (EINVAL); 4873 } 4874 4875 return (0); 4876 } 4877 4878 /* 4879 * Actually update the KMC info. 4880 */ 4881 static void 4882 sadb_update_kmc(ipsa_query_t *sq, ipsa_t *sa) 4883 { 4884 uint32_t kmp = sq->kmp; 4885 uint32_t kmc = sq->kmc; 4886 4887 if (kmp != 0) 4888 sa->ipsa_kmp = kmp; 4889 if (kmc != 0) 4890 sa->ipsa_kmc = kmc; 4891 } 4892 4893 /* 4894 * Common code to update an SA. 4895 */ 4896 4897 int 4898 sadb_update_sa(mblk_t *mp, keysock_in_t *ksi, mblk_t **ipkt_lst, 4899 sadbp_t *spp, int *diagnostic, queue_t *pfkey_q, 4900 int (*add_sa_func)(mblk_t *, keysock_in_t *, int *, netstack_t *), 4901 netstack_t *ns, uint8_t sadb_msg_type) 4902 { 4903 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 4904 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 4905 sadb_x_replay_ctr_t *replext = 4906 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE]; 4907 sadb_lifetime_t *soft = 4908 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 4909 sadb_lifetime_t *hard = 4910 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 4911 sadb_lifetime_t *idle = 4912 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE]; 4913 sadb_x_pair_t *pair_ext = 4914 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 4915 ipsa_t *echo_target = NULL; 4916 ipsap_t ipsapp; 4917 ipsa_query_t sq; 4918 time_t current = gethrestime_sec(); 4919 4920 sq.spp = spp; /* XXX param */ 4921 int error = sadb_form_query(ksi, IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA, 4922 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, 4923 &sq, diagnostic); 4924 4925 if (error != 0) 4926 return (error); 4927 4928 error = get_ipsa_pair(&sq, &ipsapp, diagnostic); 4929 if (error != 0) 4930 return (error); 4931 4932 if (ipsapp.ipsap_psa_ptr == NULL && ipsapp.ipsap_sa_ptr != NULL) { 4933 if (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) { 4934 /* 4935 * REFRELE the target and let the add_sa_func() 4936 * deal with updating a larval SA. 4937 */ 4938 destroy_ipsa_pair(&ipsapp); 4939 return (add_sa_func(mp, ksi, diagnostic, ns)); 4940 } 4941 } 4942 4943 /* 4944 * At this point we have an UPDATE to a MATURE SA. There should 4945 * not be any keying material present. 4946 */ 4947 if (akey != NULL) { 4948 *diagnostic = SADB_X_DIAGNOSTIC_AKEY_PRESENT; 4949 error = EINVAL; 4950 goto bail; 4951 } 4952 if (ekey != NULL) { 4953 *diagnostic = SADB_X_DIAGNOSTIC_EKEY_PRESENT; 4954 error = EINVAL; 4955 goto bail; 4956 } 4957 4958 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) { 4959 if (ipsapp.ipsap_sa_ptr != NULL && 4960 ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_IDLE) { 4961 if ((error = sadb_update_state(ipsapp.ipsap_sa_ptr, 4962 sq.assoc->sadb_sa_state, NULL)) != 0) { 4963 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4964 goto bail; 4965 } 4966 } 4967 if (ipsapp.ipsap_psa_ptr != NULL && 4968 ipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_IDLE) { 4969 if ((error = sadb_update_state(ipsapp.ipsap_psa_ptr, 4970 sq.assoc->sadb_sa_state, NULL)) != 0) { 4971 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4972 goto bail; 4973 } 4974 } 4975 } 4976 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE) { 4977 if (ipsapp.ipsap_sa_ptr != NULL) { 4978 error = sadb_update_state(ipsapp.ipsap_sa_ptr, 4979 sq.assoc->sadb_sa_state, 4980 (ipsapp.ipsap_sa_ptr->ipsa_flags & 4981 IPSA_F_INBOUND) ? ipkt_lst : NULL); 4982 if (error) { 4983 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4984 goto bail; 4985 } 4986 } 4987 if (ipsapp.ipsap_psa_ptr != NULL) { 4988 error = sadb_update_state(ipsapp.ipsap_psa_ptr, 4989 sq.assoc->sadb_sa_state, 4990 (ipsapp.ipsap_psa_ptr->ipsa_flags & 4991 IPSA_F_INBOUND) ? ipkt_lst : NULL); 4992 if (error) { 4993 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4994 goto bail; 4995 } 4996 } 4997 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 4998 ksi, echo_target); 4999 goto bail; 5000 } 5001 5002 /* 5003 * Reality checks for updates of active associations. 5004 * Sundry first-pass UPDATE-specific reality checks. 5005 * Have to do the checks here, because it's after the add_sa code. 5006 * XXX STATS : logging/stats here? 5007 */ 5008 5009 if (!((sq.assoc->sadb_sa_state == SADB_SASTATE_MATURE) || 5010 (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE))) { 5011 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 5012 error = EINVAL; 5013 goto bail; 5014 } 5015 if (sq.assoc->sadb_sa_flags & ~spp->s_updateflags) { 5016 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS; 5017 error = EINVAL; 5018 goto bail; 5019 } 5020 if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL) { 5021 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_LIFETIME; 5022 error = EOPNOTSUPP; 5023 goto bail; 5024 } 5025 5026 if ((*diagnostic = sadb_hardsoftchk(hard, soft, idle)) != 0) { 5027 error = EINVAL; 5028 goto bail; 5029 } 5030 5031 if ((*diagnostic = sadb_labelchk(ksi)) != 0) 5032 return (EINVAL); 5033 5034 error = sadb_check_kmc(&sq, ipsapp.ipsap_sa_ptr, diagnostic); 5035 if (error != 0) 5036 goto bail; 5037 5038 error = sadb_check_kmc(&sq, ipsapp.ipsap_psa_ptr, diagnostic); 5039 if (error != 0) 5040 goto bail; 5041 5042 5043 if (ipsapp.ipsap_sa_ptr != NULL) { 5044 /* 5045 * Do not allow replay value change for MATURE or LARVAL SA. 5046 */ 5047 5048 if ((replext != NULL) && 5049 ((ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) || 5050 (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_MATURE))) { 5051 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 5052 error = EINVAL; 5053 goto bail; 5054 } 5055 } 5056 5057 5058 if (ipsapp.ipsap_sa_ptr != NULL) { 5059 sadb_update_lifetimes(ipsapp.ipsap_sa_ptr, hard, soft, 5060 idle, B_TRUE); 5061 sadb_update_kmc(&sq, ipsapp.ipsap_sa_ptr); 5062 if ((replext != NULL) && 5063 (ipsapp.ipsap_sa_ptr->ipsa_replay_wsize != 0)) { 5064 /* 5065 * If an inbound SA, update the replay counter 5066 * and check off all the other sequence number 5067 */ 5068 if (ksi->ks_in_dsttype == KS_IN_ADDR_ME) { 5069 if (!sadb_replay_check(ipsapp.ipsap_sa_ptr, 5070 replext->sadb_x_rc_replay32)) { 5071 *diagnostic = 5072 SADB_X_DIAGNOSTIC_INVALID_REPLAY; 5073 error = EINVAL; 5074 goto bail; 5075 } 5076 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock); 5077 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime = 5078 current + 5079 ipsapp.ipsap_sa_ptr->ipsa_idletime; 5080 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock); 5081 } else { 5082 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock); 5083 ipsapp.ipsap_sa_ptr->ipsa_replay = 5084 replext->sadb_x_rc_replay32; 5085 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime = 5086 current + 5087 ipsapp.ipsap_sa_ptr->ipsa_idletime; 5088 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock); 5089 } 5090 } 5091 } 5092 5093 if (sadb_msg_type == SADB_X_UPDATEPAIR) { 5094 if (ipsapp.ipsap_psa_ptr != NULL) { 5095 sadb_update_lifetimes(ipsapp.ipsap_psa_ptr, hard, soft, 5096 idle, B_FALSE); 5097 sadb_update_kmc(&sq, ipsapp.ipsap_psa_ptr); 5098 } else { 5099 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 5100 error = ESRCH; 5101 goto bail; 5102 } 5103 } 5104 5105 if (pair_ext != NULL) 5106 error = update_pairing(&ipsapp, &sq, ksi, diagnostic); 5107 5108 if (error == 0) 5109 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 5110 ksi, echo_target); 5111 bail: 5112 5113 destroy_ipsa_pair(&ipsapp); 5114 5115 return (error); 5116 } 5117 5118 5119 static int 5120 update_pairing(ipsap_t *ipsapp, ipsa_query_t *sq, keysock_in_t *ksi, 5121 int *diagnostic) 5122 { 5123 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 5124 sadb_x_pair_t *pair_ext = 5125 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 5126 int error = 0; 5127 ipsap_t oipsapp; 5128 boolean_t undo_pair = B_FALSE; 5129 uint32_t ipsa_flags; 5130 5131 if (pair_ext->sadb_x_pair_spi == 0 || pair_ext->sadb_x_pair_spi == 5132 assoc->sadb_sa_spi) { 5133 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 5134 return (EINVAL); 5135 } 5136 5137 /* 5138 * Assume for now that the spi value provided in the SADB_UPDATE 5139 * message was valid, update the SA with its pair spi value. 5140 * If the spi turns out to be bogus or the SA no longer exists 5141 * then this will be detected when the reverse update is made 5142 * below. 5143 */ 5144 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 5145 ipsapp->ipsap_sa_ptr->ipsa_flags |= IPSA_F_PAIRED; 5146 ipsapp->ipsap_sa_ptr->ipsa_otherspi = pair_ext->sadb_x_pair_spi; 5147 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 5148 5149 /* 5150 * After updating the ipsa_otherspi element of the SA, get_ipsa_pair() 5151 * should now return pointers to the SA *AND* its pair, if this is not 5152 * the case, the "otherspi" either did not exist or was deleted. Also 5153 * check that "otherspi" is not already paired. If everything looks 5154 * good, complete the update. IPSA_REFRELE the first pair_pointer 5155 * after this update to ensure its not deleted until we are done. 5156 */ 5157 error = get_ipsa_pair(sq, &oipsapp, diagnostic); 5158 if (error != 0) { 5159 /* 5160 * This should never happen, calling function still has 5161 * IPSA_REFHELD on the SA we just updated. 5162 */ 5163 return (error); /* XXX EINVAL instead of ESRCH? */ 5164 } 5165 5166 if (oipsapp.ipsap_psa_ptr == NULL) { 5167 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 5168 error = EINVAL; 5169 undo_pair = B_TRUE; 5170 } else { 5171 ipsa_flags = oipsapp.ipsap_psa_ptr->ipsa_flags; 5172 if ((oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DEAD) || 5173 (oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DYING)) { 5174 /* Its dead Jim! */ 5175 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 5176 undo_pair = B_TRUE; 5177 } else if ((ipsa_flags & (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) == 5178 (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) { 5179 /* This SA is in both hashtables. */ 5180 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 5181 undo_pair = B_TRUE; 5182 } else if (ipsa_flags & IPSA_F_PAIRED) { 5183 /* This SA is already paired with another. */ 5184 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY; 5185 undo_pair = B_TRUE; 5186 } 5187 } 5188 5189 if (undo_pair) { 5190 /* The pair SA does not exist. */ 5191 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 5192 ipsapp->ipsap_sa_ptr->ipsa_flags &= ~IPSA_F_PAIRED; 5193 ipsapp->ipsap_sa_ptr->ipsa_otherspi = 0; 5194 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 5195 } else { 5196 mutex_enter(&oipsapp.ipsap_psa_ptr->ipsa_lock); 5197 oipsapp.ipsap_psa_ptr->ipsa_otherspi = assoc->sadb_sa_spi; 5198 oipsapp.ipsap_psa_ptr->ipsa_flags |= IPSA_F_PAIRED; 5199 mutex_exit(&oipsapp.ipsap_psa_ptr->ipsa_lock); 5200 } 5201 5202 destroy_ipsa_pair(&oipsapp); 5203 return (error); 5204 } 5205 5206 /* 5207 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is 5208 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails 5209 * for an outbound datagram, that datagram is queued up on an ACQUIRE record, 5210 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key 5211 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve 5212 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the 5213 * other direction's SA. 5214 */ 5215 5216 /* 5217 * Check the ACQUIRE lists. If there's an existing ACQUIRE record, 5218 * grab it, lock it, and return it. Otherwise return NULL. 5219 * 5220 * XXX MLS number of arguments getting unwieldy here 5221 */ 5222 static ipsacq_t * 5223 sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp, 5224 uint32_t *src, uint32_t *dst, uint32_t *isrc, uint32_t *idst, 5225 uint64_t unique_id, cred_t *cr) 5226 { 5227 ipsacq_t *walker; 5228 sa_family_t fam; 5229 uint32_t blank_address[4] = {0, 0, 0, 0}; 5230 5231 if (isrc == NULL) { 5232 ASSERT(idst == NULL); 5233 isrc = idst = blank_address; 5234 } 5235 5236 /* 5237 * Scan list for duplicates. Check for UNIQUE, src/dest, policy. 5238 * 5239 * XXX May need search for duplicates based on other things too! 5240 */ 5241 for (walker = bucket->iacqf_ipsacq; walker != NULL; 5242 walker = walker->ipsacq_next) { 5243 mutex_enter(&walker->ipsacq_lock); 5244 fam = walker->ipsacq_addrfam; 5245 if (IPSA_ARE_ADDR_EQUAL(dst, walker->ipsacq_dstaddr, fam) && 5246 IPSA_ARE_ADDR_EQUAL(src, walker->ipsacq_srcaddr, fam) && 5247 ip_addr_match((uint8_t *)isrc, walker->ipsacq_innersrcpfx, 5248 (in6_addr_t *)walker->ipsacq_innersrc) && 5249 ip_addr_match((uint8_t *)idst, walker->ipsacq_innerdstpfx, 5250 (in6_addr_t *)walker->ipsacq_innerdst) && 5251 (ap == walker->ipsacq_act) && 5252 (pp == walker->ipsacq_policy) && 5253 /* XXX do deep compares of ap/pp? */ 5254 (unique_id == walker->ipsacq_unique_id) && 5255 (ipsec_label_match(cr, walker->ipsacq_cred))) 5256 break; /* everything matched */ 5257 mutex_exit(&walker->ipsacq_lock); 5258 } 5259 5260 return (walker); 5261 } 5262 5263 /* 5264 * For this mblk, insert a new acquire record. Assume bucket contains addrs 5265 * of all of the same length. Give up (and drop) if memory 5266 * cannot be allocated for a new one; otherwise, invoke callback to 5267 * send the acquire up.. 5268 * 5269 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE 5270 * list. The ah_add_sa_finish() routines can look at the packet's ipsec_out_t 5271 * and handle this case specially. 5272 */ 5273 void 5274 sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp) 5275 { 5276 sadbp_t *spp; 5277 sadb_t *sp; 5278 ipsacq_t *newbie; 5279 iacqf_t *bucket; 5280 mblk_t *datamp = mp->b_cont; 5281 mblk_t *extended; 5282 ipha_t *ipha = (ipha_t *)datamp->b_rptr; 5283 ip6_t *ip6h = (ip6_t *)datamp->b_rptr; 5284 uint32_t *src, *dst, *isrc, *idst; 5285 ipsec_policy_t *pp = io->ipsec_out_policy; 5286 ipsec_action_t *ap = io->ipsec_out_act; 5287 sa_family_t af; 5288 int hashoffset; 5289 uint32_t seq; 5290 uint64_t unique_id = 0; 5291 ipsec_selector_t sel; 5292 boolean_t tunnel_mode = io->ipsec_out_tunnel; 5293 cred_t *cr = NULL; 5294 netstack_t *ns = io->ipsec_out_ns; 5295 ipsec_stack_t *ipss = ns->netstack_ipsec; 5296 sadb_sens_t *sens = NULL; 5297 int sens_len; 5298 5299 ASSERT((pp != NULL) || (ap != NULL)); 5300 5301 ASSERT(need_ah != NULL || need_esp != NULL); 5302 5303 /* Assign sadb pointers */ 5304 if (need_esp) { /* ESP for AH+ESP */ 5305 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 5306 5307 spp = &espstack->esp_sadb; 5308 } else { 5309 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 5310 5311 spp = &ahstack->ah_sadb; 5312 } 5313 sp = io->ipsec_out_v4 ? &spp->s_v4 : &spp->s_v6; 5314 5315 ASSERT(mp->b_cont != NULL); 5316 5317 if (is_system_labeled()) 5318 cr = msg_getcred(mp->b_cont, NULL); 5319 5320 if (ap == NULL) 5321 ap = pp->ipsp_act; 5322 5323 ASSERT(ap != NULL); 5324 5325 if (ap->ipa_act.ipa_apply.ipp_use_unique || tunnel_mode) 5326 unique_id = SA_FORM_UNIQUE_ID(io); 5327 5328 /* 5329 * Set up an ACQUIRE record. 5330 * 5331 * Immediately, make sure the ACQUIRE sequence number doesn't slip 5332 * below the lowest point allowed in the kernel. (In other words, 5333 * make sure the high bit on the sequence number is set.) 5334 */ 5335 5336 seq = keysock_next_seq(ns) | IACQF_LOWEST_SEQ; 5337 5338 if (IPH_HDR_VERSION(ipha) == IP_VERSION) { 5339 src = (uint32_t *)&ipha->ipha_src; 5340 dst = (uint32_t *)&ipha->ipha_dst; 5341 af = AF_INET; 5342 hashoffset = OUTBOUND_HASH_V4(sp, ipha->ipha_dst); 5343 ASSERT(io->ipsec_out_v4 == B_TRUE); 5344 } else { 5345 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION); 5346 src = (uint32_t *)&ip6h->ip6_src; 5347 dst = (uint32_t *)&ip6h->ip6_dst; 5348 af = AF_INET6; 5349 hashoffset = OUTBOUND_HASH_V6(sp, ip6h->ip6_dst); 5350 ASSERT(io->ipsec_out_v4 == B_FALSE); 5351 } 5352 5353 if (tunnel_mode) { 5354 if (pp == NULL) { 5355 /* 5356 * Tunnel mode with no policy pointer means this is a 5357 * reflected ICMP (like a ECHO REQUEST) that came in 5358 * with self-encapsulated protection. Until we better 5359 * support this, drop the packet. 5360 */ 5361 ip_drop_packet(mp, B_FALSE, NULL, NULL, 5362 DROPPER(ipss, ipds_spd_got_selfencap), 5363 &ipss->ipsec_spd_dropper); 5364 return; 5365 } 5366 /* Snag inner addresses. */ 5367 isrc = io->ipsec_out_insrc; 5368 idst = io->ipsec_out_indst; 5369 } else { 5370 isrc = idst = NULL; 5371 } 5372 5373 /* 5374 * Check buckets to see if there is an existing entry. If so, 5375 * grab it. sadb_checkacquire locks newbie if found. 5376 */ 5377 bucket = &(sp->sdb_acq[hashoffset]); 5378 mutex_enter(&bucket->iacqf_lock); 5379 newbie = sadb_checkacquire(bucket, ap, pp, src, dst, isrc, idst, 5380 unique_id, cr); 5381 5382 if (newbie == NULL) { 5383 /* 5384 * Otherwise, allocate a new one. 5385 */ 5386 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP); 5387 if (newbie == NULL) { 5388 mutex_exit(&bucket->iacqf_lock); 5389 ip_drop_packet(mp, B_FALSE, NULL, NULL, 5390 DROPPER(ipss, ipds_sadb_acquire_nomem), 5391 &ipss->ipsec_sadb_dropper); 5392 return; 5393 } 5394 newbie->ipsacq_policy = pp; 5395 if (pp != NULL) { 5396 IPPOL_REFHOLD(pp); 5397 } 5398 IPACT_REFHOLD(ap); 5399 newbie->ipsacq_act = ap; 5400 newbie->ipsacq_linklock = &bucket->iacqf_lock; 5401 newbie->ipsacq_next = bucket->iacqf_ipsacq; 5402 newbie->ipsacq_ptpn = &bucket->iacqf_ipsacq; 5403 if (newbie->ipsacq_next != NULL) 5404 newbie->ipsacq_next->ipsacq_ptpn = &newbie->ipsacq_next; 5405 5406 bucket->iacqf_ipsacq = newbie; 5407 mutex_init(&newbie->ipsacq_lock, NULL, MUTEX_DEFAULT, NULL); 5408 mutex_enter(&newbie->ipsacq_lock); 5409 } 5410 5411 /* 5412 * XXX MLS does it actually help us to drop the bucket lock here? 5413 * we have inserted a half-built, locked acquire record into the 5414 * bucket. any competing thread will now be able to lock the bucket 5415 * to scan it, but will immediately pile up on the new acquire 5416 * record's lock; I don't think we gain anything here other than to 5417 * disperse blame for lock contention. 5418 * 5419 * we might be able to dispense with acquire record locks entirely.. 5420 * just use the bucket locks.. 5421 */ 5422 5423 mutex_exit(&bucket->iacqf_lock); 5424 5425 /* 5426 * This assert looks silly for now, but we may need to enter newbie's 5427 * mutex during a search. 5428 */ 5429 ASSERT(MUTEX_HELD(&newbie->ipsacq_lock)); 5430 5431 mp->b_next = NULL; 5432 /* Queue up packet. Use b_next. */ 5433 if (newbie->ipsacq_numpackets == 0) { 5434 /* First one. */ 5435 newbie->ipsacq_mp = mp; 5436 newbie->ipsacq_numpackets = 1; 5437 newbie->ipsacq_expire = gethrestime_sec(); 5438 /* 5439 * Extended ACQUIRE with both AH+ESP will use ESP's timeout 5440 * value. 5441 */ 5442 newbie->ipsacq_expire += *spp->s_acquire_timeout; 5443 newbie->ipsacq_seq = seq; 5444 newbie->ipsacq_addrfam = af; 5445 5446 newbie->ipsacq_srcport = io->ipsec_out_src_port; 5447 newbie->ipsacq_dstport = io->ipsec_out_dst_port; 5448 newbie->ipsacq_icmp_type = io->ipsec_out_icmp_type; 5449 newbie->ipsacq_icmp_code = io->ipsec_out_icmp_code; 5450 if (tunnel_mode) { 5451 newbie->ipsacq_inneraddrfam = io->ipsec_out_inaf; 5452 newbie->ipsacq_proto = io->ipsec_out_inaf == AF_INET6 ? 5453 IPPROTO_IPV6 : IPPROTO_ENCAP; 5454 newbie->ipsacq_innersrcpfx = io->ipsec_out_insrcpfx; 5455 newbie->ipsacq_innerdstpfx = io->ipsec_out_indstpfx; 5456 IPSA_COPY_ADDR(newbie->ipsacq_innersrc, 5457 io->ipsec_out_insrc, io->ipsec_out_inaf); 5458 IPSA_COPY_ADDR(newbie->ipsacq_innerdst, 5459 io->ipsec_out_indst, io->ipsec_out_inaf); 5460 } else { 5461 newbie->ipsacq_proto = io->ipsec_out_proto; 5462 } 5463 newbie->ipsacq_unique_id = unique_id; 5464 5465 if (cr != NULL) { 5466 crhold(cr); 5467 newbie->ipsacq_cred = cr; 5468 } 5469 } else { 5470 /* Scan to the end of the list & insert. */ 5471 mblk_t *lastone = newbie->ipsacq_mp; 5472 5473 while (lastone->b_next != NULL) 5474 lastone = lastone->b_next; 5475 lastone->b_next = mp; 5476 if (newbie->ipsacq_numpackets++ == ipsacq_maxpackets) { 5477 newbie->ipsacq_numpackets = ipsacq_maxpackets; 5478 lastone = newbie->ipsacq_mp; 5479 newbie->ipsacq_mp = lastone->b_next; 5480 lastone->b_next = NULL; 5481 ip_drop_packet(lastone, B_FALSE, NULL, NULL, 5482 DROPPER(ipss, ipds_sadb_acquire_toofull), 5483 &ipss->ipsec_sadb_dropper); 5484 } else { 5485 IP_ACQUIRE_STAT(ipss, qhiwater, 5486 newbie->ipsacq_numpackets); 5487 } 5488 } 5489 5490 /* 5491 * Reset addresses. Set them to the most recently added mblk chain, 5492 * so that the address pointers in the acquire record will point 5493 * at an mblk still attached to the acquire list. 5494 */ 5495 5496 newbie->ipsacq_srcaddr = src; 5497 newbie->ipsacq_dstaddr = dst; 5498 5499 /* 5500 * If the acquire record has more than one queued packet, we've 5501 * already sent an ACQUIRE, and don't need to repeat ourself. 5502 */ 5503 if (newbie->ipsacq_seq != seq || newbie->ipsacq_numpackets > 1) { 5504 /* I have an acquire outstanding already! */ 5505 mutex_exit(&newbie->ipsacq_lock); 5506 return; 5507 } 5508 5509 if (!keysock_extended_reg(ns)) 5510 goto punt_extended; 5511 /* 5512 * Construct an extended ACQUIRE. There are logging 5513 * opportunities here in failure cases. 5514 */ 5515 (void) memset(&sel, 0, sizeof (sel)); 5516 sel.ips_isv4 = io->ipsec_out_v4; 5517 if (tunnel_mode) { 5518 sel.ips_protocol = (io->ipsec_out_inaf == AF_INET) ? 5519 IPPROTO_ENCAP : IPPROTO_IPV6; 5520 } else { 5521 sel.ips_protocol = io->ipsec_out_proto; 5522 sel.ips_local_port = io->ipsec_out_src_port; 5523 sel.ips_remote_port = io->ipsec_out_dst_port; 5524 } 5525 sel.ips_icmp_type = io->ipsec_out_icmp_type; 5526 sel.ips_icmp_code = io->ipsec_out_icmp_code; 5527 sel.ips_is_icmp_inv_acq = 0; 5528 if (af == AF_INET) { 5529 sel.ips_local_addr_v4 = ipha->ipha_src; 5530 sel.ips_remote_addr_v4 = ipha->ipha_dst; 5531 } else { 5532 sel.ips_local_addr_v6 = ip6h->ip6_src; 5533 sel.ips_remote_addr_v6 = ip6h->ip6_dst; 5534 } 5535 5536 extended = sadb_keysock_out(0); 5537 if (extended == NULL) 5538 goto punt_extended; 5539 5540 if (cr != NULL) { 5541 /* 5542 * XXX MLS correct condition here? 5543 * XXX MLS other credential attributes in acquire? 5544 * XXX malloc failure? don't fall back to original? 5545 */ 5546 sens = sadb_make_sens_ext(cr, &sens_len); 5547 5548 if (sens == NULL) { 5549 freeb(extended); 5550 goto punt_extended; 5551 } 5552 } 5553 5554 extended->b_cont = sadb_extended_acquire(&sel, pp, ap, tunnel_mode, 5555 seq, 0, sens, ns); 5556 5557 if (sens != NULL) 5558 kmem_free(sens, sens_len); 5559 5560 if (extended->b_cont == NULL) { 5561 freeb(extended); 5562 goto punt_extended; 5563 } 5564 5565 /* 5566 * Send an ACQUIRE message (and possible an extended ACQUIRE) based on 5567 * this new record. The send-acquire callback assumes that acqrec is 5568 * already locked. 5569 */ 5570 (*spp->s_acqfn)(newbie, extended, ns); 5571 return; 5572 5573 punt_extended: 5574 (*spp->s_acqfn)(newbie, NULL, ns); 5575 } 5576 5577 /* 5578 * Unlink and free an acquire record. 5579 */ 5580 void 5581 sadb_destroy_acquire(ipsacq_t *acqrec, netstack_t *ns) 5582 { 5583 mblk_t *mp; 5584 ipsec_stack_t *ipss = ns->netstack_ipsec; 5585 5586 ASSERT(MUTEX_HELD(acqrec->ipsacq_linklock)); 5587 5588 if (acqrec->ipsacq_policy != NULL) { 5589 IPPOL_REFRELE(acqrec->ipsacq_policy, ns); 5590 } 5591 if (acqrec->ipsacq_act != NULL) { 5592 IPACT_REFRELE(acqrec->ipsacq_act); 5593 } 5594 5595 /* Unlink */ 5596 *(acqrec->ipsacq_ptpn) = acqrec->ipsacq_next; 5597 if (acqrec->ipsacq_next != NULL) 5598 acqrec->ipsacq_next->ipsacq_ptpn = acqrec->ipsacq_ptpn; 5599 5600 if (acqrec->ipsacq_cred) { 5601 crfree(acqrec->ipsacq_cred); 5602 acqrec->ipsacq_cred = NULL; 5603 } 5604 5605 /* 5606 * Free hanging mp's. 5607 * 5608 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED. 5609 */ 5610 5611 mutex_enter(&acqrec->ipsacq_lock); 5612 while (acqrec->ipsacq_mp != NULL) { 5613 mp = acqrec->ipsacq_mp; 5614 acqrec->ipsacq_mp = mp->b_next; 5615 mp->b_next = NULL; 5616 ip_drop_packet(mp, B_FALSE, NULL, NULL, 5617 DROPPER(ipss, ipds_sadb_acquire_timeout), 5618 &ipss->ipsec_sadb_dropper); 5619 } 5620 mutex_exit(&acqrec->ipsacq_lock); 5621 5622 /* Free */ 5623 mutex_destroy(&acqrec->ipsacq_lock); 5624 kmem_free(acqrec, sizeof (*acqrec)); 5625 } 5626 5627 /* 5628 * Destroy an acquire list fanout. 5629 */ 5630 static void 5631 sadb_destroy_acqlist(iacqf_t **listp, uint_t numentries, boolean_t forever, 5632 netstack_t *ns) 5633 { 5634 int i; 5635 iacqf_t *list = *listp; 5636 5637 if (list == NULL) 5638 return; 5639 5640 for (i = 0; i < numentries; i++) { 5641 mutex_enter(&(list[i].iacqf_lock)); 5642 while (list[i].iacqf_ipsacq != NULL) 5643 sadb_destroy_acquire(list[i].iacqf_ipsacq, ns); 5644 mutex_exit(&(list[i].iacqf_lock)); 5645 if (forever) 5646 mutex_destroy(&(list[i].iacqf_lock)); 5647 } 5648 5649 if (forever) { 5650 *listp = NULL; 5651 kmem_free(list, numentries * sizeof (*list)); 5652 } 5653 } 5654 5655 /* 5656 * Create an algorithm descriptor for an extended ACQUIRE. Filter crypto 5657 * framework's view of reality vs. IPsec's. EF's wins, BTW. 5658 */ 5659 static uint8_t * 5660 sadb_new_algdesc(uint8_t *start, uint8_t *limit, 5661 sadb_x_ecomb_t *ecomb, uint8_t satype, uint8_t algtype, 5662 uint8_t alg, uint16_t minbits, uint16_t maxbits, ipsec_stack_t *ipss) 5663 { 5664 uint8_t *cur = start; 5665 ipsec_alginfo_t *algp; 5666 sadb_x_algdesc_t *algdesc = (sadb_x_algdesc_t *)cur; 5667 5668 cur += sizeof (*algdesc); 5669 if (cur >= limit) 5670 return (NULL); 5671 5672 ecomb->sadb_x_ecomb_numalgs++; 5673 5674 /* 5675 * Normalize vs. crypto framework's limits. This way, you can specify 5676 * a stronger policy, and when the framework loads a stronger version, 5677 * you can just keep plowing w/o rewhacking your SPD. 5678 */ 5679 mutex_enter(&ipss->ipsec_alg_lock); 5680 algp = ipss->ipsec_alglists[(algtype == SADB_X_ALGTYPE_AUTH) ? 5681 IPSEC_ALG_AUTH : IPSEC_ALG_ENCR][alg]; 5682 if (algp == NULL) { 5683 mutex_exit(&ipss->ipsec_alg_lock); 5684 return (NULL); /* Algorithm doesn't exist. Fail gracefully. */ 5685 } 5686 if (minbits < algp->alg_ef_minbits) 5687 minbits = algp->alg_ef_minbits; 5688 if (maxbits > algp->alg_ef_maxbits) 5689 maxbits = algp->alg_ef_maxbits; 5690 mutex_exit(&ipss->ipsec_alg_lock); 5691 5692 algdesc->sadb_x_algdesc_reserved = SADB_8TO1(algp->alg_saltlen); 5693 algdesc->sadb_x_algdesc_satype = satype; 5694 algdesc->sadb_x_algdesc_algtype = algtype; 5695 algdesc->sadb_x_algdesc_alg = alg; 5696 algdesc->sadb_x_algdesc_minbits = minbits; 5697 algdesc->sadb_x_algdesc_maxbits = maxbits; 5698 5699 return (cur); 5700 } 5701 5702 /* 5703 * Convert the given ipsec_action_t into an ecomb starting at *ecomb 5704 * which must fit before *limit 5705 * 5706 * return NULL if we ran out of room or a pointer to the end of the ecomb. 5707 */ 5708 static uint8_t * 5709 sadb_action_to_ecomb(uint8_t *start, uint8_t *limit, ipsec_action_t *act, 5710 netstack_t *ns) 5711 { 5712 uint8_t *cur = start; 5713 sadb_x_ecomb_t *ecomb = (sadb_x_ecomb_t *)cur; 5714 ipsec_prot_t *ipp; 5715 ipsec_stack_t *ipss = ns->netstack_ipsec; 5716 5717 cur += sizeof (*ecomb); 5718 if (cur >= limit) 5719 return (NULL); 5720 5721 ASSERT(act->ipa_act.ipa_type == IPSEC_ACT_APPLY); 5722 5723 ipp = &act->ipa_act.ipa_apply; 5724 5725 ecomb->sadb_x_ecomb_numalgs = 0; 5726 ecomb->sadb_x_ecomb_reserved = 0; 5727 ecomb->sadb_x_ecomb_reserved2 = 0; 5728 /* 5729 * No limits on allocations, since we really don't support that 5730 * concept currently. 5731 */ 5732 ecomb->sadb_x_ecomb_soft_allocations = 0; 5733 ecomb->sadb_x_ecomb_hard_allocations = 0; 5734 5735 /* 5736 * XXX TBD: Policy or global parameters will eventually be 5737 * able to fill in some of these. 5738 */ 5739 ecomb->sadb_x_ecomb_flags = 0; 5740 ecomb->sadb_x_ecomb_soft_bytes = 0; 5741 ecomb->sadb_x_ecomb_hard_bytes = 0; 5742 ecomb->sadb_x_ecomb_soft_addtime = 0; 5743 ecomb->sadb_x_ecomb_hard_addtime = 0; 5744 ecomb->sadb_x_ecomb_soft_usetime = 0; 5745 ecomb->sadb_x_ecomb_hard_usetime = 0; 5746 5747 if (ipp->ipp_use_ah) { 5748 cur = sadb_new_algdesc(cur, limit, ecomb, 5749 SADB_SATYPE_AH, SADB_X_ALGTYPE_AUTH, ipp->ipp_auth_alg, 5750 ipp->ipp_ah_minbits, ipp->ipp_ah_maxbits, ipss); 5751 if (cur == NULL) 5752 return (NULL); 5753 ipsecah_fill_defs(ecomb, ns); 5754 } 5755 5756 if (ipp->ipp_use_esp) { 5757 if (ipp->ipp_use_espa) { 5758 cur = sadb_new_algdesc(cur, limit, ecomb, 5759 SADB_SATYPE_ESP, SADB_X_ALGTYPE_AUTH, 5760 ipp->ipp_esp_auth_alg, 5761 ipp->ipp_espa_minbits, 5762 ipp->ipp_espa_maxbits, ipss); 5763 if (cur == NULL) 5764 return (NULL); 5765 } 5766 5767 cur = sadb_new_algdesc(cur, limit, ecomb, 5768 SADB_SATYPE_ESP, SADB_X_ALGTYPE_CRYPT, 5769 ipp->ipp_encr_alg, 5770 ipp->ipp_espe_minbits, 5771 ipp->ipp_espe_maxbits, ipss); 5772 if (cur == NULL) 5773 return (NULL); 5774 /* Fill in lifetimes if and only if AH didn't already... */ 5775 if (!ipp->ipp_use_ah) 5776 ipsecesp_fill_defs(ecomb, ns); 5777 } 5778 5779 return (cur); 5780 } 5781 5782 #include <sys/tsol/label_macro.h> /* XXX should not need this */ 5783 5784 /* 5785 * From a cred_t, construct a sensitivity label extension 5786 * 5787 * We send up a fixed-size sensitivity label bitmap, and are perhaps 5788 * overly chummy with the underlying data structures here. 5789 */ 5790 5791 /* ARGSUSED */ 5792 int 5793 sadb_sens_len_from_cred(cred_t *cr) 5794 { 5795 int baselen = sizeof (sadb_sens_t) + _C_LEN * 4; 5796 return (roundup(baselen, sizeof (uint64_t))); 5797 } 5798 5799 void 5800 sadb_sens_from_cred(sadb_sens_t *sens, int exttype, cred_t *cr, int senslen) 5801 { 5802 uint8_t *bitmap; 5803 bslabel_t *sl; 5804 ts_label_t *tsl; 5805 5806 /* LINTED */ 5807 ASSERT((_C_LEN & 1) == 0); 5808 ASSERT((senslen & 7) == 0); 5809 5810 tsl = crgetlabel(cr); 5811 sl = label2bslabel(tsl); 5812 5813 sens->sadb_sens_exttype = exttype; 5814 sens->sadb_sens_len = SADB_8TO64(senslen); 5815 5816 sens->sadb_sens_dpd = tsl->tsl_doi; 5817 sens->sadb_sens_sens_level = LCLASS(sl); 5818 sens->sadb_sens_integ_level = 0; /* TBD */ 5819 sens->sadb_sens_sens_len = _C_LEN >> 1; 5820 sens->sadb_sens_integ_len = 0; /* TBD */ 5821 sens->sadb_x_sens_flags = 0; 5822 5823 bitmap = (uint8_t *)(sens + 1); 5824 bcopy(&(((_bslabel_impl_t *)sl)->compartments), bitmap, _C_LEN * 4); 5825 } 5826 5827 static sadb_sens_t * 5828 sadb_make_sens_ext(cred_t *cr, int *len) 5829 { 5830 /* XXX allocation failure? */ 5831 int sens_len = sadb_sens_len_from_cred(cr); 5832 5833 sadb_sens_t *sens = kmem_alloc(sens_len, KM_SLEEP); 5834 5835 sadb_sens_from_cred(sens, SADB_EXT_SENSITIVITY, cr, sens_len); 5836 5837 *len = sens_len; 5838 5839 return (sens); 5840 } 5841 5842 /* 5843 * Okay, how do we report errors/invalid labels from this? 5844 * With a special designated "not a label" cred_t ? 5845 */ 5846 /* ARGSUSED */ 5847 cred_t * 5848 sadb_cred_from_sens(sadb_sens_t *sens, uint64_t *bitmap) 5849 { 5850 int bitmap_len = SADB_64TO8(sens->sadb_sens_sens_len); 5851 bslabel_t sl; 5852 cred_t *cr; 5853 5854 if (sens->sadb_sens_integ_level != 0) 5855 return (NULL); 5856 if (sens->sadb_sens_integ_len != 0) 5857 return (NULL); 5858 if (bitmap_len > _C_LEN * 4) 5859 return (NULL); 5860 5861 bsllow(&sl); 5862 LCLASS_SET((_bslabel_impl_t *)&sl, sens->sadb_sens_sens_level); 5863 bcopy(bitmap, &((_bslabel_impl_t *)&sl)->compartments, 5864 bitmap_len); 5865 5866 cr = newcred_from_bslabel(&sl, sens->sadb_sens_dpd, KM_NOSLEEP); 5867 if (cr == NULL) 5868 return (cr); 5869 5870 if (sens->sadb_x_sens_flags & SADB_X_SENS_UNLABELED) 5871 crgetlabel(cr)->tsl_flags |= TSLF_UNLABELED; 5872 return (cr); 5873 } 5874 5875 /* End XXX label-library-leakage */ 5876 5877 /* 5878 * Construct an extended ACQUIRE message based on a selector and the resulting 5879 * IPsec action. 5880 * 5881 * NOTE: This is used by both inverse ACQUIRE and actual ACQUIRE 5882 * generation. As a consequence, expect this function to evolve 5883 * rapidly. 5884 */ 5885 static mblk_t * 5886 sadb_extended_acquire(ipsec_selector_t *sel, ipsec_policy_t *pol, 5887 ipsec_action_t *act, boolean_t tunnel_mode, uint32_t seq, uint32_t pid, 5888 sadb_sens_t *sens, netstack_t *ns) 5889 { 5890 mblk_t *mp; 5891 sadb_msg_t *samsg; 5892 uint8_t *start, *cur, *end; 5893 uint32_t *saddrptr, *daddrptr; 5894 sa_family_t af; 5895 sadb_prop_t *eprop; 5896 ipsec_action_t *ap, *an; 5897 ipsec_selkey_t *ipsl; 5898 uint8_t proto, pfxlen; 5899 uint16_t lport, rport; 5900 uint32_t kmp, kmc; 5901 5902 /* 5903 * Find the action we want sooner rather than later.. 5904 */ 5905 an = NULL; 5906 if (pol == NULL) { 5907 ap = act; 5908 } else { 5909 ap = pol->ipsp_act; 5910 5911 if (ap != NULL) 5912 an = ap->ipa_next; 5913 } 5914 5915 /* 5916 * Just take a swag for the allocation for now. We can always 5917 * alter it later. 5918 */ 5919 #define SADB_EXTENDED_ACQUIRE_SIZE 4096 5920 mp = allocb(SADB_EXTENDED_ACQUIRE_SIZE, BPRI_HI); 5921 if (mp == NULL) 5922 return (NULL); 5923 5924 start = mp->b_rptr; 5925 end = start + SADB_EXTENDED_ACQUIRE_SIZE; 5926 5927 cur = start; 5928 5929 samsg = (sadb_msg_t *)cur; 5930 cur += sizeof (*samsg); 5931 5932 samsg->sadb_msg_version = PF_KEY_V2; 5933 samsg->sadb_msg_type = SADB_ACQUIRE; 5934 samsg->sadb_msg_errno = 0; 5935 samsg->sadb_msg_reserved = 0; 5936 samsg->sadb_msg_satype = 0; 5937 samsg->sadb_msg_seq = seq; 5938 samsg->sadb_msg_pid = pid; 5939 5940 if (tunnel_mode) { 5941 /* 5942 * Form inner address extensions based NOT on the inner 5943 * selectors (i.e. the packet data), but on the policy's 5944 * selector key (i.e. the policy's selector information). 5945 * 5946 * NOTE: The position of IPv4 and IPv6 addresses is the 5947 * same in ipsec_selkey_t (unless the compiler does very 5948 * strange things with unions, consult your local C language 5949 * lawyer for details). 5950 */ 5951 ASSERT(pol != NULL); 5952 5953 ipsl = &(pol->ipsp_sel->ipsl_key); 5954 if (ipsl->ipsl_valid & IPSL_IPV4) { 5955 af = AF_INET; 5956 ASSERT(sel->ips_protocol == IPPROTO_ENCAP); 5957 ASSERT(!(ipsl->ipsl_valid & IPSL_IPV6)); 5958 } else { 5959 af = AF_INET6; 5960 ASSERT(sel->ips_protocol == IPPROTO_IPV6); 5961 ASSERT(ipsl->ipsl_valid & IPSL_IPV6); 5962 } 5963 5964 if (ipsl->ipsl_valid & IPSL_LOCAL_ADDR) { 5965 saddrptr = (uint32_t *)(&ipsl->ipsl_local); 5966 pfxlen = ipsl->ipsl_local_pfxlen; 5967 } else { 5968 saddrptr = (uint32_t *)(&ipv6_all_zeros); 5969 pfxlen = 0; 5970 } 5971 /* XXX What about ICMP type/code? */ 5972 lport = (ipsl->ipsl_valid & IPSL_LOCAL_PORT) ? 5973 ipsl->ipsl_lport : 0; 5974 proto = (ipsl->ipsl_valid & IPSL_PROTOCOL) ? 5975 ipsl->ipsl_proto : 0; 5976 5977 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 5978 af, saddrptr, lport, proto, pfxlen); 5979 if (cur == NULL) { 5980 freeb(mp); 5981 return (NULL); 5982 } 5983 5984 if (ipsl->ipsl_valid & IPSL_REMOTE_ADDR) { 5985 daddrptr = (uint32_t *)(&ipsl->ipsl_remote); 5986 pfxlen = ipsl->ipsl_remote_pfxlen; 5987 } else { 5988 daddrptr = (uint32_t *)(&ipv6_all_zeros); 5989 pfxlen = 0; 5990 } 5991 /* XXX What about ICMP type/code? */ 5992 rport = (ipsl->ipsl_valid & IPSL_REMOTE_PORT) ? 5993 ipsl->ipsl_rport : 0; 5994 5995 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 5996 af, daddrptr, rport, proto, pfxlen); 5997 if (cur == NULL) { 5998 freeb(mp); 5999 return (NULL); 6000 } 6001 /* 6002 * TODO - if we go to 3408's dream of transport mode IP-in-IP 6003 * _with_ inner-packet address selectors, we'll need to further 6004 * distinguish tunnel mode here. For now, having inner 6005 * addresses and/or ports is sufficient. 6006 * 6007 * Meanwhile, whack proto/ports to reflect IP-in-IP for the 6008 * outer addresses. 6009 */ 6010 proto = sel->ips_protocol; /* Either _ENCAP or _IPV6 */ 6011 lport = rport = 0; 6012 } else if ((ap != NULL) && (!ap->ipa_want_unique)) { 6013 proto = 0; 6014 lport = 0; 6015 rport = 0; 6016 if (pol != NULL) { 6017 ipsl = &(pol->ipsp_sel->ipsl_key); 6018 if (ipsl->ipsl_valid & IPSL_PROTOCOL) 6019 proto = ipsl->ipsl_proto; 6020 if (ipsl->ipsl_valid & IPSL_REMOTE_PORT) 6021 rport = ipsl->ipsl_rport; 6022 if (ipsl->ipsl_valid & IPSL_LOCAL_PORT) 6023 lport = ipsl->ipsl_lport; 6024 } 6025 } else { 6026 proto = sel->ips_protocol; 6027 lport = sel->ips_local_port; 6028 rport = sel->ips_remote_port; 6029 } 6030 6031 af = sel->ips_isv4 ? AF_INET : AF_INET6; 6032 6033 /* 6034 * NOTE: The position of IPv4 and IPv6 addresses is the same in 6035 * ipsec_selector_t. 6036 */ 6037 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 6038 (uint32_t *)(&sel->ips_local_addr_v6), lport, proto, 0); 6039 6040 if (cur == NULL) { 6041 freeb(mp); 6042 return (NULL); 6043 } 6044 6045 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 6046 (uint32_t *)(&sel->ips_remote_addr_v6), rport, proto, 0); 6047 6048 if (cur == NULL) { 6049 freeb(mp); 6050 return (NULL); 6051 } 6052 6053 if (sens != NULL) { 6054 uint8_t *sensext = cur; 6055 int senslen = SADB_64TO8(sens->sadb_sens_len); 6056 6057 cur += senslen; 6058 if (cur > end) { 6059 freeb(mp); 6060 return (NULL); 6061 } 6062 bcopy(sens, sensext, senslen); 6063 } 6064 6065 /* 6066 * This section will change a lot as policy evolves. 6067 * For now, it'll be relatively simple. 6068 */ 6069 eprop = (sadb_prop_t *)cur; 6070 cur += sizeof (*eprop); 6071 if (cur > end) { 6072 /* no space left */ 6073 freeb(mp); 6074 return (NULL); 6075 } 6076 6077 eprop->sadb_prop_exttype = SADB_X_EXT_EPROP; 6078 eprop->sadb_x_prop_ereserved = 0; 6079 eprop->sadb_x_prop_numecombs = 0; 6080 eprop->sadb_prop_replay = 32; /* default */ 6081 6082 kmc = kmp = 0; 6083 6084 for (; ap != NULL; ap = an) { 6085 an = (pol != NULL) ? ap->ipa_next : NULL; 6086 6087 /* 6088 * Skip non-IPsec policies 6089 */ 6090 if (ap->ipa_act.ipa_type != IPSEC_ACT_APPLY) 6091 continue; 6092 6093 if (ap->ipa_act.ipa_apply.ipp_km_proto) 6094 kmp = ap->ipa_act.ipa_apply.ipp_km_proto; 6095 if (ap->ipa_act.ipa_apply.ipp_km_cookie) 6096 kmc = ap->ipa_act.ipa_apply.ipp_km_cookie; 6097 if (ap->ipa_act.ipa_apply.ipp_replay_depth) { 6098 eprop->sadb_prop_replay = 6099 ap->ipa_act.ipa_apply.ipp_replay_depth; 6100 } 6101 6102 cur = sadb_action_to_ecomb(cur, end, ap, ns); 6103 if (cur == NULL) { /* no space */ 6104 freeb(mp); 6105 return (NULL); 6106 } 6107 eprop->sadb_x_prop_numecombs++; 6108 } 6109 6110 if (eprop->sadb_x_prop_numecombs == 0) { 6111 /* 6112 * This will happen if we fail to find a policy 6113 * allowing for IPsec processing. 6114 * Construct an error message. 6115 */ 6116 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 6117 samsg->sadb_msg_errno = ENOENT; 6118 samsg->sadb_x_msg_diagnostic = 0; 6119 return (mp); 6120 } 6121 6122 if ((kmp != 0) || (kmc != 0)) { 6123 cur = sadb_make_kmc_ext(cur, end, kmp, kmc); 6124 if (cur == NULL) { 6125 freeb(mp); 6126 return (NULL); 6127 } 6128 } 6129 6130 eprop->sadb_prop_len = SADB_8TO64(cur - (uint8_t *)eprop); 6131 samsg->sadb_msg_len = SADB_8TO64(cur - start); 6132 mp->b_wptr = cur; 6133 6134 return (mp); 6135 } 6136 6137 /* 6138 * Generic setup of an RFC 2367 ACQUIRE message. Caller sets satype. 6139 * 6140 * NOTE: This function acquires alg_lock as a side-effect if-and-only-if we 6141 * succeed (i.e. return non-NULL). Caller MUST release it. This is to 6142 * maximize code consolidation while preventing algorithm changes from messing 6143 * with the callers finishing touches on the ACQUIRE itself. 6144 */ 6145 mblk_t * 6146 sadb_setup_acquire(ipsacq_t *acqrec, uint8_t satype, ipsec_stack_t *ipss) 6147 { 6148 uint_t allocsize; 6149 mblk_t *pfkeymp, *msgmp; 6150 sa_family_t af; 6151 uint8_t *cur, *end; 6152 sadb_msg_t *samsg; 6153 uint16_t sport_typecode; 6154 uint16_t dport_typecode; 6155 uint8_t check_proto; 6156 boolean_t tunnel_mode = (acqrec->ipsacq_inneraddrfam != 0); 6157 6158 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock)); 6159 6160 pfkeymp = sadb_keysock_out(0); 6161 if (pfkeymp == NULL) 6162 return (NULL); 6163 6164 /* 6165 * First, allocate a basic ACQUIRE message 6166 */ 6167 allocsize = sizeof (sadb_msg_t) + sizeof (sadb_address_t) + 6168 sizeof (sadb_address_t) + sizeof (sadb_prop_t); 6169 6170 /* Make sure there's enough to cover both AF_INET and AF_INET6. */ 6171 allocsize += 2 * sizeof (struct sockaddr_in6); 6172 6173 mutex_enter(&ipss->ipsec_alg_lock); 6174 /* NOTE: The lock is now held through to this function's return. */ 6175 allocsize += ipss->ipsec_nalgs[IPSEC_ALG_AUTH] * 6176 ipss->ipsec_nalgs[IPSEC_ALG_ENCR] * sizeof (sadb_comb_t); 6177 6178 if (tunnel_mode) { 6179 /* Tunnel mode! */ 6180 allocsize += 2 * sizeof (sadb_address_t); 6181 /* Enough to cover both AF_INET and AF_INET6. */ 6182 allocsize += 2 * sizeof (struct sockaddr_in6); 6183 } 6184 6185 msgmp = allocb(allocsize, BPRI_HI); 6186 if (msgmp == NULL) { 6187 freeb(pfkeymp); 6188 mutex_exit(&ipss->ipsec_alg_lock); 6189 return (NULL); 6190 } 6191 6192 pfkeymp->b_cont = msgmp; 6193 cur = msgmp->b_rptr; 6194 end = cur + allocsize; 6195 samsg = (sadb_msg_t *)cur; 6196 cur += sizeof (sadb_msg_t); 6197 6198 af = acqrec->ipsacq_addrfam; 6199 switch (af) { 6200 case AF_INET: 6201 check_proto = IPPROTO_ICMP; 6202 break; 6203 case AF_INET6: 6204 check_proto = IPPROTO_ICMPV6; 6205 break; 6206 default: 6207 /* This should never happen unless we have kernel bugs. */ 6208 cmn_err(CE_WARN, 6209 "sadb_setup_acquire: corrupt ACQUIRE record.\n"); 6210 ASSERT(0); 6211 mutex_exit(&ipss->ipsec_alg_lock); 6212 return (NULL); 6213 } 6214 6215 samsg->sadb_msg_version = PF_KEY_V2; 6216 samsg->sadb_msg_type = SADB_ACQUIRE; 6217 samsg->sadb_msg_satype = satype; 6218 samsg->sadb_msg_errno = 0; 6219 samsg->sadb_msg_pid = 0; 6220 samsg->sadb_msg_reserved = 0; 6221 samsg->sadb_msg_seq = acqrec->ipsacq_seq; 6222 6223 ASSERT(MUTEX_HELD(&acqrec->ipsacq_lock)); 6224 6225 if ((acqrec->ipsacq_proto == check_proto) || tunnel_mode) { 6226 sport_typecode = dport_typecode = 0; 6227 } else { 6228 sport_typecode = acqrec->ipsacq_srcport; 6229 dport_typecode = acqrec->ipsacq_dstport; 6230 } 6231 6232 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 6233 acqrec->ipsacq_srcaddr, sport_typecode, acqrec->ipsacq_proto, 0); 6234 6235 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 6236 acqrec->ipsacq_dstaddr, dport_typecode, acqrec->ipsacq_proto, 0); 6237 6238 if (tunnel_mode) { 6239 sport_typecode = acqrec->ipsacq_srcport; 6240 dport_typecode = acqrec->ipsacq_dstport; 6241 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 6242 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innersrc, 6243 sport_typecode, acqrec->ipsacq_inner_proto, 6244 acqrec->ipsacq_innersrcpfx); 6245 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 6246 acqrec->ipsacq_inneraddrfam, acqrec->ipsacq_innerdst, 6247 dport_typecode, acqrec->ipsacq_inner_proto, 6248 acqrec->ipsacq_innerdstpfx); 6249 } 6250 6251 /* XXX Insert identity information here. */ 6252 6253 /* XXXMLS Insert sensitivity information here. */ 6254 6255 if (cur != NULL) 6256 samsg->sadb_msg_len = SADB_8TO64(cur - msgmp->b_rptr); 6257 else 6258 mutex_exit(&ipss->ipsec_alg_lock); 6259 6260 return (pfkeymp); 6261 } 6262 6263 /* 6264 * Given an SADB_GETSPI message, find an appropriately ranged SA and 6265 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1. 6266 * If there was a memory allocation error, return NULL. (Assume NULL != 6267 * (ipsa_t *)-1). 6268 * 6269 * master_spi is passed in host order. 6270 */ 6271 ipsa_t * 6272 sadb_getspi(keysock_in_t *ksi, uint32_t master_spi, int *diagnostic, 6273 netstack_t *ns, uint_t sa_type) 6274 { 6275 sadb_address_t *src = 6276 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC], 6277 *dst = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 6278 sadb_spirange_t *range = 6279 (sadb_spirange_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE]; 6280 struct sockaddr_in *ssa, *dsa; 6281 struct sockaddr_in6 *ssa6, *dsa6; 6282 uint32_t *srcaddr, *dstaddr; 6283 sa_family_t af; 6284 uint32_t add, min, max; 6285 uint8_t protocol = 6286 (sa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP; 6287 6288 if (src == NULL) { 6289 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 6290 return ((ipsa_t *)-1); 6291 } 6292 if (dst == NULL) { 6293 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 6294 return ((ipsa_t *)-1); 6295 } 6296 if (range == NULL) { 6297 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_RANGE; 6298 return ((ipsa_t *)-1); 6299 } 6300 6301 min = ntohl(range->sadb_spirange_min); 6302 max = ntohl(range->sadb_spirange_max); 6303 dsa = (struct sockaddr_in *)(dst + 1); 6304 dsa6 = (struct sockaddr_in6 *)dsa; 6305 6306 ssa = (struct sockaddr_in *)(src + 1); 6307 ssa6 = (struct sockaddr_in6 *)ssa; 6308 ASSERT(dsa->sin_family == ssa->sin_family); 6309 6310 srcaddr = ALL_ZEROES_PTR; 6311 af = dsa->sin_family; 6312 switch (af) { 6313 case AF_INET: 6314 if (src != NULL) 6315 srcaddr = (uint32_t *)(&ssa->sin_addr); 6316 dstaddr = (uint32_t *)(&dsa->sin_addr); 6317 break; 6318 case AF_INET6: 6319 if (src != NULL) 6320 srcaddr = (uint32_t *)(&ssa6->sin6_addr); 6321 dstaddr = (uint32_t *)(&dsa6->sin6_addr); 6322 break; 6323 default: 6324 *diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 6325 return ((ipsa_t *)-1); 6326 } 6327 6328 if (master_spi < min || master_spi > max) { 6329 /* Return a random value in the range. */ 6330 if (cl_inet_getspi) { 6331 cl_inet_getspi(ns->netstack_stackid, protocol, 6332 (uint8_t *)&add, sizeof (add), NULL); 6333 } else { 6334 (void) random_get_pseudo_bytes((uint8_t *)&add, 6335 sizeof (add)); 6336 } 6337 master_spi = min + (add % (max - min + 1)); 6338 } 6339 6340 /* 6341 * Since master_spi is passed in host order, we need to htonl() it 6342 * for the purposes of creating a new SA. 6343 */ 6344 return (sadb_makelarvalassoc(htonl(master_spi), srcaddr, dstaddr, af, 6345 ns)); 6346 } 6347 6348 /* 6349 * 6350 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the 6351 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list 6352 * and scan for the sequence number in question. I may wish to accept an 6353 * address pair with it, for easier searching. 6354 * 6355 * Caller frees the message, so we don't have to here. 6356 * 6357 * NOTE: The ip_q parameter may be used in the future for ACQUIRE 6358 * failures. 6359 */ 6360 /* ARGSUSED */ 6361 void 6362 sadb_in_acquire(sadb_msg_t *samsg, sadbp_t *sp, queue_t *ip_q, netstack_t *ns) 6363 { 6364 int i; 6365 ipsacq_t *acqrec; 6366 iacqf_t *bucket; 6367 6368 /* 6369 * I only accept the base header for this! 6370 * Though to be honest, requiring the dst address would help 6371 * immensely. 6372 * 6373 * XXX There are already cases where I can get the dst address. 6374 */ 6375 if (samsg->sadb_msg_len > SADB_8TO64(sizeof (*samsg))) 6376 return; 6377 6378 /* 6379 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it, 6380 * (and in the future send a message to IP with the appropriate error 6381 * number). 6382 * 6383 * Q: Do I want to reject if pid != 0? 6384 */ 6385 6386 for (i = 0; i < sp->s_v4.sdb_hashsize; i++) { 6387 bucket = &sp->s_v4.sdb_acq[i]; 6388 mutex_enter(&bucket->iacqf_lock); 6389 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 6390 acqrec = acqrec->ipsacq_next) { 6391 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 6392 break; /* for acqrec... loop. */ 6393 } 6394 if (acqrec != NULL) 6395 break; /* for i = 0... loop. */ 6396 6397 mutex_exit(&bucket->iacqf_lock); 6398 } 6399 6400 if (acqrec == NULL) { 6401 for (i = 0; i < sp->s_v6.sdb_hashsize; i++) { 6402 bucket = &sp->s_v6.sdb_acq[i]; 6403 mutex_enter(&bucket->iacqf_lock); 6404 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 6405 acqrec = acqrec->ipsacq_next) { 6406 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 6407 break; /* for acqrec... loop. */ 6408 } 6409 if (acqrec != NULL) 6410 break; /* for i = 0... loop. */ 6411 6412 mutex_exit(&bucket->iacqf_lock); 6413 } 6414 } 6415 6416 6417 if (acqrec == NULL) 6418 return; 6419 6420 /* 6421 * What do I do with the errno and IP? I may need mp's services a 6422 * little more. See sadb_destroy_acquire() for future directions 6423 * beyond free the mblk chain on the acquire record. 6424 */ 6425 6426 ASSERT(&bucket->iacqf_lock == acqrec->ipsacq_linklock); 6427 sadb_destroy_acquire(acqrec, ns); 6428 /* Have to exit mutex here, because of breaking out of for loop. */ 6429 mutex_exit(&bucket->iacqf_lock); 6430 } 6431 6432 /* 6433 * The following functions work with the replay windows of an SA. They assume 6434 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector 6435 * represents the highest sequence number packet received, and back 6436 * (ipsa->ipsa_replay_wsize) packets. 6437 */ 6438 6439 /* 6440 * Is the replay bit set? 6441 */ 6442 static boolean_t 6443 ipsa_is_replay_set(ipsa_t *ipsa, uint32_t offset) 6444 { 6445 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 6446 6447 return ((bit & ipsa->ipsa_replay_arr[offset >> 6]) ? B_TRUE : B_FALSE); 6448 } 6449 6450 /* 6451 * Shift the bits of the replay window over. 6452 */ 6453 static void 6454 ipsa_shift_replay(ipsa_t *ipsa, uint32_t shift) 6455 { 6456 int i; 6457 int jump = ((shift - 1) >> 6) + 1; 6458 6459 if (shift == 0) 6460 return; 6461 6462 for (i = (ipsa->ipsa_replay_wsize - 1) >> 6; i >= 0; i--) { 6463 if (i + jump <= (ipsa->ipsa_replay_wsize - 1) >> 6) { 6464 ipsa->ipsa_replay_arr[i + jump] |= 6465 ipsa->ipsa_replay_arr[i] >> (64 - (shift & 63)); 6466 } 6467 ipsa->ipsa_replay_arr[i] <<= shift; 6468 } 6469 } 6470 6471 /* 6472 * Set a bit in the bit vector. 6473 */ 6474 static void 6475 ipsa_set_replay(ipsa_t *ipsa, uint32_t offset) 6476 { 6477 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 6478 6479 ipsa->ipsa_replay_arr[offset >> 6] |= bit; 6480 } 6481 6482 #define SADB_MAX_REPLAY_VALUE 0xffffffff 6483 6484 /* 6485 * Assume caller has NOT done ntohl() already on seq. Check to see 6486 * if replay sequence number "seq" has been seen already. 6487 */ 6488 boolean_t 6489 sadb_replay_check(ipsa_t *ipsa, uint32_t seq) 6490 { 6491 boolean_t rc; 6492 uint32_t diff; 6493 6494 if (ipsa->ipsa_replay_wsize == 0) 6495 return (B_TRUE); 6496 6497 /* 6498 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek(). 6499 */ 6500 6501 /* Convert sequence number into host order before holding the mutex. */ 6502 seq = ntohl(seq); 6503 6504 mutex_enter(&ipsa->ipsa_lock); 6505 6506 /* Initialize inbound SA's ipsa_replay field to last one received. */ 6507 if (ipsa->ipsa_replay == 0) 6508 ipsa->ipsa_replay = 1; 6509 6510 if (seq > ipsa->ipsa_replay) { 6511 /* 6512 * I have received a new "highest value received". Shift 6513 * the replay window over. 6514 */ 6515 diff = seq - ipsa->ipsa_replay; 6516 if (diff < ipsa->ipsa_replay_wsize) { 6517 /* In replay window, shift bits over. */ 6518 ipsa_shift_replay(ipsa, diff); 6519 } else { 6520 /* WAY FAR AHEAD, clear bits and start again. */ 6521 bzero(ipsa->ipsa_replay_arr, 6522 sizeof (ipsa->ipsa_replay_arr)); 6523 } 6524 ipsa_set_replay(ipsa, 0); 6525 ipsa->ipsa_replay = seq; 6526 rc = B_TRUE; 6527 goto done; 6528 } 6529 diff = ipsa->ipsa_replay - seq; 6530 if (diff >= ipsa->ipsa_replay_wsize || ipsa_is_replay_set(ipsa, diff)) { 6531 rc = B_FALSE; 6532 goto done; 6533 } 6534 /* Set this packet as seen. */ 6535 ipsa_set_replay(ipsa, diff); 6536 6537 rc = B_TRUE; 6538 done: 6539 mutex_exit(&ipsa->ipsa_lock); 6540 return (rc); 6541 } 6542 6543 /* 6544 * "Peek" and see if we should even bother going through the effort of 6545 * running an authentication check on the sequence number passed in. 6546 * this takes into account packets that are below the replay window, 6547 * and collisions with already replayed packets. Return B_TRUE if it 6548 * is okay to proceed, B_FALSE if this packet should be dropped immediately. 6549 * Assume same byte-ordering as sadb_replay_check. 6550 */ 6551 boolean_t 6552 sadb_replay_peek(ipsa_t *ipsa, uint32_t seq) 6553 { 6554 boolean_t rc = B_FALSE; 6555 uint32_t diff; 6556 6557 if (ipsa->ipsa_replay_wsize == 0) 6558 return (B_TRUE); 6559 6560 /* 6561 * 0 is 0, regardless of byte order... :) 6562 * 6563 * If I get 0 on the wire (and there is a replay window) then the 6564 * sender most likely wrapped. This ipsa may need to be marked or 6565 * something. 6566 */ 6567 if (seq == 0) 6568 return (B_FALSE); 6569 6570 seq = ntohl(seq); 6571 mutex_enter(&ipsa->ipsa_lock); 6572 if (seq < ipsa->ipsa_replay - ipsa->ipsa_replay_wsize && 6573 ipsa->ipsa_replay >= ipsa->ipsa_replay_wsize) 6574 goto done; 6575 6576 /* 6577 * If I've hit 0xffffffff, then quite honestly, I don't need to 6578 * bother with formalities. I'm not accepting any more packets 6579 * on this SA. 6580 */ 6581 if (ipsa->ipsa_replay == SADB_MAX_REPLAY_VALUE) { 6582 /* 6583 * Since we're already holding the lock, update the 6584 * expire time ala. sadb_replay_delete() and return. 6585 */ 6586 ipsa->ipsa_hardexpiretime = (time_t)1; 6587 goto done; 6588 } 6589 6590 if (seq <= ipsa->ipsa_replay) { 6591 /* 6592 * This seq is in the replay window. I'm not below it, 6593 * because I already checked for that above! 6594 */ 6595 diff = ipsa->ipsa_replay - seq; 6596 if (ipsa_is_replay_set(ipsa, diff)) 6597 goto done; 6598 } 6599 /* Else return B_TRUE, I'm going to advance the window. */ 6600 6601 rc = B_TRUE; 6602 done: 6603 mutex_exit(&ipsa->ipsa_lock); 6604 return (rc); 6605 } 6606 6607 /* 6608 * Delete a single SA. 6609 * 6610 * For now, use the quick-and-dirty trick of making the association's 6611 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager(). 6612 */ 6613 void 6614 sadb_replay_delete(ipsa_t *assoc) 6615 { 6616 mutex_enter(&assoc->ipsa_lock); 6617 assoc->ipsa_hardexpiretime = (time_t)1; 6618 mutex_exit(&assoc->ipsa_lock); 6619 } 6620 6621 /* 6622 * Given a queue that presumably points to IP, send a T_BIND_REQ for _proto_ 6623 * down. The caller will handle the T_BIND_ACK locally. 6624 */ 6625 boolean_t 6626 sadb_t_bind_req(queue_t *q, int proto) 6627 { 6628 struct T_bind_req *tbr; 6629 mblk_t *mp; 6630 6631 mp = allocb_cred(sizeof (struct T_bind_req) + 1, kcred, NOPID); 6632 if (mp == NULL) { 6633 /* cmn_err(CE_WARN, */ 6634 /* "sadb_t_bind_req(%d): couldn't allocate mblk\n", proto); */ 6635 return (B_FALSE); 6636 } 6637 mp->b_datap->db_type = M_PCPROTO; 6638 tbr = (struct T_bind_req *)mp->b_rptr; 6639 mp->b_wptr += sizeof (struct T_bind_req); 6640 tbr->PRIM_type = T_BIND_REQ; 6641 tbr->ADDR_length = 0; 6642 tbr->ADDR_offset = 0; 6643 tbr->CONIND_number = 0; 6644 *mp->b_wptr = (uint8_t)proto; 6645 mp->b_wptr++; 6646 6647 putnext(q, mp); 6648 return (B_TRUE); 6649 } 6650 6651 /* 6652 * Special front-end to ipsec_rl_strlog() dealing with SA failure. 6653 * this is designed to take only a format string with "* %x * %s *", so 6654 * that "spi" is printed first, then "addr" is converted using inet_pton(). 6655 * 6656 * This is abstracted out to save the stack space for only when inet_pton() 6657 * is called. Make sure "spi" is in network order; it usually is when this 6658 * would get called. 6659 */ 6660 void 6661 ipsec_assocfailure(short mid, short sid, char level, ushort_t sl, char *fmt, 6662 uint32_t spi, void *addr, int af, netstack_t *ns) 6663 { 6664 char buf[INET6_ADDRSTRLEN]; 6665 6666 ASSERT(af == AF_INET6 || af == AF_INET); 6667 6668 ipsec_rl_strlog(ns, mid, sid, level, sl, fmt, ntohl(spi), 6669 inet_ntop(af, addr, buf, sizeof (buf))); 6670 } 6671 6672 /* 6673 * Fills in a reference to the policy, if any, from the conn, in *ppp 6674 * Releases a reference to the passed conn_t. 6675 */ 6676 static void 6677 ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp) 6678 { 6679 ipsec_policy_t *pp; 6680 ipsec_latch_t *ipl = connp->conn_latch; 6681 6682 if ((ipl != NULL) && (ipl->ipl_out_policy != NULL)) { 6683 pp = ipl->ipl_out_policy; 6684 IPPOL_REFHOLD(pp); 6685 } else { 6686 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel, 6687 connp->conn_netstack); 6688 } 6689 *ppp = pp; 6690 CONN_DEC_REF(connp); 6691 } 6692 6693 /* 6694 * The following functions scan through active conn_t structures 6695 * and return a reference to the best-matching policy it can find. 6696 * Caller must release the reference. 6697 */ 6698 static void 6699 ipsec_udp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) 6700 { 6701 connf_t *connfp; 6702 conn_t *connp = NULL; 6703 ipsec_selector_t portonly; 6704 6705 bzero((void *)&portonly, sizeof (portonly)); 6706 6707 if (sel->ips_local_port == 0) 6708 return; 6709 6710 connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(sel->ips_local_port, 6711 ipst)]; 6712 mutex_enter(&connfp->connf_lock); 6713 6714 if (sel->ips_isv4) { 6715 connp = connfp->connf_head; 6716 while (connp != NULL) { 6717 if (IPCL_UDP_MATCH(connp, sel->ips_local_port, 6718 sel->ips_local_addr_v4, sel->ips_remote_port, 6719 sel->ips_remote_addr_v4)) 6720 break; 6721 connp = connp->conn_next; 6722 } 6723 6724 if (connp == NULL) { 6725 /* Try port-only match in IPv6. */ 6726 portonly.ips_local_port = sel->ips_local_port; 6727 sel = &portonly; 6728 } 6729 } 6730 6731 if (connp == NULL) { 6732 connp = connfp->connf_head; 6733 while (connp != NULL) { 6734 if (IPCL_UDP_MATCH_V6(connp, sel->ips_local_port, 6735 sel->ips_local_addr_v6, sel->ips_remote_port, 6736 sel->ips_remote_addr_v6)) 6737 break; 6738 connp = connp->conn_next; 6739 } 6740 6741 if (connp == NULL) { 6742 mutex_exit(&connfp->connf_lock); 6743 return; 6744 } 6745 } 6746 6747 CONN_INC_REF(connp); 6748 mutex_exit(&connfp->connf_lock); 6749 6750 ipsec_conn_pol(sel, connp, ppp); 6751 } 6752 6753 static conn_t * 6754 ipsec_find_listen_conn(uint16_t *pptr, ipsec_selector_t *sel, ip_stack_t *ipst) 6755 { 6756 connf_t *connfp; 6757 conn_t *connp = NULL; 6758 const in6_addr_t *v6addrmatch = &sel->ips_local_addr_v6; 6759 6760 if (sel->ips_local_port == 0) 6761 return (NULL); 6762 6763 connfp = &ipst->ips_ipcl_bind_fanout[ 6764 IPCL_BIND_HASH(sel->ips_local_port, ipst)]; 6765 mutex_enter(&connfp->connf_lock); 6766 6767 if (sel->ips_isv4) { 6768 connp = connfp->connf_head; 6769 while (connp != NULL) { 6770 if (IPCL_BIND_MATCH(connp, IPPROTO_TCP, 6771 sel->ips_local_addr_v4, pptr[1])) 6772 break; 6773 connp = connp->conn_next; 6774 } 6775 6776 if (connp == NULL) { 6777 /* Match to all-zeroes. */ 6778 v6addrmatch = &ipv6_all_zeros; 6779 } 6780 } 6781 6782 if (connp == NULL) { 6783 connp = connfp->connf_head; 6784 while (connp != NULL) { 6785 if (IPCL_BIND_MATCH_V6(connp, IPPROTO_TCP, 6786 *v6addrmatch, pptr[1])) 6787 break; 6788 connp = connp->conn_next; 6789 } 6790 6791 if (connp == NULL) { 6792 mutex_exit(&connfp->connf_lock); 6793 return (NULL); 6794 } 6795 } 6796 6797 CONN_INC_REF(connp); 6798 mutex_exit(&connfp->connf_lock); 6799 return (connp); 6800 } 6801 6802 static void 6803 ipsec_tcp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) 6804 { 6805 connf_t *connfp; 6806 conn_t *connp; 6807 uint32_t ports; 6808 uint16_t *pptr = (uint16_t *)&ports; 6809 6810 /* 6811 * Find TCP state in the following order: 6812 * 1.) Connected conns. 6813 * 2.) Listeners. 6814 * 6815 * Even though #2 will be the common case for inbound traffic, only 6816 * following this order insures correctness. 6817 */ 6818 6819 if (sel->ips_local_port == 0) 6820 return; 6821 6822 /* 6823 * 0 should be fport, 1 should be lport. SRC is the local one here. 6824 * See ipsec_construct_inverse_acquire() for details. 6825 */ 6826 pptr[0] = sel->ips_remote_port; 6827 pptr[1] = sel->ips_local_port; 6828 6829 connfp = &ipst->ips_ipcl_conn_fanout[ 6830 IPCL_CONN_HASH(sel->ips_remote_addr_v4, ports, ipst)]; 6831 mutex_enter(&connfp->connf_lock); 6832 connp = connfp->connf_head; 6833 6834 if (sel->ips_isv4) { 6835 while (connp != NULL) { 6836 if (IPCL_CONN_MATCH(connp, IPPROTO_TCP, 6837 sel->ips_remote_addr_v4, sel->ips_local_addr_v4, 6838 ports)) 6839 break; 6840 connp = connp->conn_next; 6841 } 6842 } else { 6843 while (connp != NULL) { 6844 if (IPCL_CONN_MATCH_V6(connp, IPPROTO_TCP, 6845 sel->ips_remote_addr_v6, sel->ips_local_addr_v6, 6846 ports)) 6847 break; 6848 connp = connp->conn_next; 6849 } 6850 } 6851 6852 if (connp != NULL) { 6853 CONN_INC_REF(connp); 6854 mutex_exit(&connfp->connf_lock); 6855 } else { 6856 mutex_exit(&connfp->connf_lock); 6857 6858 /* Try the listen hash. */ 6859 if ((connp = ipsec_find_listen_conn(pptr, sel, ipst)) == NULL) 6860 return; 6861 } 6862 6863 ipsec_conn_pol(sel, connp, ppp); 6864 } 6865 6866 static void 6867 ipsec_sctp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6868 ip_stack_t *ipst) 6869 { 6870 conn_t *connp; 6871 uint32_t ports; 6872 uint16_t *pptr = (uint16_t *)&ports; 6873 6874 /* 6875 * Find SCP state in the following order: 6876 * 1.) Connected conns. 6877 * 2.) Listeners. 6878 * 6879 * Even though #2 will be the common case for inbound traffic, only 6880 * following this order insures correctness. 6881 */ 6882 6883 if (sel->ips_local_port == 0) 6884 return; 6885 6886 /* 6887 * 0 should be fport, 1 should be lport. SRC is the local one here. 6888 * See ipsec_construct_inverse_acquire() for details. 6889 */ 6890 pptr[0] = sel->ips_remote_port; 6891 pptr[1] = sel->ips_local_port; 6892 6893 if (sel->ips_isv4) { 6894 in6_addr_t src, dst; 6895 6896 IN6_IPADDR_TO_V4MAPPED(sel->ips_remote_addr_v4, &dst); 6897 IN6_IPADDR_TO_V4MAPPED(sel->ips_local_addr_v4, &src); 6898 connp = sctp_find_conn(&dst, &src, ports, ALL_ZONES, 6899 ipst->ips_netstack->netstack_sctp); 6900 } else { 6901 connp = sctp_find_conn(&sel->ips_remote_addr_v6, 6902 &sel->ips_local_addr_v6, ports, ALL_ZONES, 6903 ipst->ips_netstack->netstack_sctp); 6904 } 6905 if (connp == NULL) 6906 return; 6907 ipsec_conn_pol(sel, connp, ppp); 6908 } 6909 6910 /* 6911 * Fill in a query for the SPD (in "sel") using two PF_KEY address extensions. 6912 * Returns 0 or errno, and always sets *diagnostic to something appropriate 6913 * to PF_KEY. 6914 * 6915 * NOTE: For right now, this function (and ipsec_selector_t for that matter), 6916 * ignore prefix lengths in the address extension. Since we match on first- 6917 * entered policies, this shouldn't matter. Also, since we normalize prefix- 6918 * set addresses to mask out the lower bits, we should get a suitable search 6919 * key for the SPD anyway. This is the function to change if the assumption 6920 * about suitable search keys is wrong. 6921 */ 6922 static int 6923 ipsec_get_inverse_acquire_sel(ipsec_selector_t *sel, sadb_address_t *srcext, 6924 sadb_address_t *dstext, int *diagnostic) 6925 { 6926 struct sockaddr_in *src, *dst; 6927 struct sockaddr_in6 *src6, *dst6; 6928 6929 *diagnostic = 0; 6930 6931 bzero(sel, sizeof (*sel)); 6932 sel->ips_protocol = srcext->sadb_address_proto; 6933 dst = (struct sockaddr_in *)(dstext + 1); 6934 if (dst->sin_family == AF_INET6) { 6935 dst6 = (struct sockaddr_in6 *)dst; 6936 src6 = (struct sockaddr_in6 *)(srcext + 1); 6937 if (src6->sin6_family != AF_INET6) { 6938 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6939 return (EINVAL); 6940 } 6941 sel->ips_remote_addr_v6 = dst6->sin6_addr; 6942 sel->ips_local_addr_v6 = src6->sin6_addr; 6943 if (sel->ips_protocol == IPPROTO_ICMPV6) { 6944 sel->ips_is_icmp_inv_acq = 1; 6945 } else { 6946 sel->ips_remote_port = dst6->sin6_port; 6947 sel->ips_local_port = src6->sin6_port; 6948 } 6949 sel->ips_isv4 = B_FALSE; 6950 } else { 6951 src = (struct sockaddr_in *)(srcext + 1); 6952 if (src->sin_family != AF_INET) { 6953 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6954 return (EINVAL); 6955 } 6956 sel->ips_remote_addr_v4 = dst->sin_addr.s_addr; 6957 sel->ips_local_addr_v4 = src->sin_addr.s_addr; 6958 if (sel->ips_protocol == IPPROTO_ICMP) { 6959 sel->ips_is_icmp_inv_acq = 1; 6960 } else { 6961 sel->ips_remote_port = dst->sin_port; 6962 sel->ips_local_port = src->sin_port; 6963 } 6964 sel->ips_isv4 = B_TRUE; 6965 } 6966 return (0); 6967 } 6968 6969 /* 6970 * We have encapsulation. 6971 * - Lookup tun_t by address and look for an associated 6972 * tunnel policy 6973 * - If there are inner selectors 6974 * - check ITPF_P_TUNNEL and ITPF_P_ACTIVE 6975 * - Look up tunnel policy based on selectors 6976 * - Else 6977 * - Sanity check the negotation 6978 * - If appropriate, fall through to global policy 6979 */ 6980 static int 6981 ipsec_tun_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6982 sadb_address_t *innsrcext, sadb_address_t *inndstext, ipsec_tun_pol_t *itp, 6983 int *diagnostic, netstack_t *ns) 6984 { 6985 int err; 6986 ipsec_policy_head_t *polhead; 6987 6988 *diagnostic = 0; 6989 6990 /* Check for inner selectors and act appropriately */ 6991 6992 if (innsrcext != NULL) { 6993 /* Inner selectors present */ 6994 ASSERT(inndstext != NULL); 6995 if ((itp == NULL) || 6996 (itp->itp_flags & (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) != 6997 (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) { 6998 /* 6999 * If inner packet selectors, we must have negotiate 7000 * tunnel and active policy. If the tunnel has 7001 * transport-mode policy set on it, or has no policy, 7002 * fail. 7003 */ 7004 return (ENOENT); 7005 } else { 7006 /* 7007 * Reset "sel" to indicate inner selectors. Pass 7008 * inner PF_KEY address extensions for this to happen. 7009 */ 7010 if ((err = ipsec_get_inverse_acquire_sel(sel, 7011 innsrcext, inndstext, diagnostic)) != 0) 7012 return (err); 7013 /* 7014 * Now look for a tunnel policy based on those inner 7015 * selectors. (Common code is below.) 7016 */ 7017 } 7018 } else { 7019 /* No inner selectors present */ 7020 if ((itp == NULL) || !(itp->itp_flags & ITPF_P_ACTIVE)) { 7021 /* 7022 * Transport mode negotiation with no tunnel policy 7023 * configured - return to indicate a global policy 7024 * check is needed. 7025 */ 7026 return (0); 7027 } else if (itp->itp_flags & ITPF_P_TUNNEL) { 7028 /* Tunnel mode set with no inner selectors. */ 7029 return (ENOENT); 7030 } 7031 /* 7032 * Else, this is a tunnel policy configured with ifconfig(1m) 7033 * or "negotiate transport" with ipsecconf(1m). We have an 7034 * itp with policy set based on any match, so don't bother 7035 * changing fields in "sel". 7036 */ 7037 } 7038 7039 ASSERT(itp != NULL); 7040 polhead = itp->itp_policy; 7041 ASSERT(polhead != NULL); 7042 rw_enter(&polhead->iph_lock, RW_READER); 7043 *ppp = ipsec_find_policy_head(NULL, polhead, 7044 IPSEC_TYPE_INBOUND, sel, ns); 7045 rw_exit(&polhead->iph_lock); 7046 7047 /* 7048 * Don't default to global if we didn't find a matching policy entry. 7049 * Instead, send ENOENT, just like if we hit a transport-mode tunnel. 7050 */ 7051 if (*ppp == NULL) 7052 return (ENOENT); 7053 7054 return (0); 7055 } 7056 7057 static void 7058 ipsec_oth_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 7059 ip_stack_t *ipst) 7060 { 7061 boolean_t isv4 = sel->ips_isv4; 7062 connf_t *connfp; 7063 conn_t *connp; 7064 7065 if (isv4) { 7066 connfp = &ipst->ips_ipcl_proto_fanout[sel->ips_protocol]; 7067 } else { 7068 connfp = &ipst->ips_ipcl_proto_fanout_v6[sel->ips_protocol]; 7069 } 7070 7071 mutex_enter(&connfp->connf_lock); 7072 for (connp = connfp->connf_head; connp != NULL; 7073 connp = connp->conn_next) { 7074 if (!((isv4 && !((connp->conn_src == 0 || 7075 connp->conn_src == sel->ips_local_addr_v4) && 7076 (connp->conn_rem == 0 || 7077 connp->conn_rem == sel->ips_remote_addr_v4))) || 7078 (!isv4 && !((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_srcv6) || 7079 IN6_ARE_ADDR_EQUAL(&connp->conn_srcv6, 7080 &sel->ips_local_addr_v6)) && 7081 (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_remv6) || 7082 IN6_ARE_ADDR_EQUAL(&connp->conn_remv6, 7083 &sel->ips_remote_addr_v6)))))) { 7084 break; 7085 } 7086 } 7087 if (connp == NULL) { 7088 mutex_exit(&connfp->connf_lock); 7089 return; 7090 } 7091 7092 CONN_INC_REF(connp); 7093 mutex_exit(&connfp->connf_lock); 7094 7095 ipsec_conn_pol(sel, connp, ppp); 7096 } 7097 7098 /* 7099 * Construct an inverse ACQUIRE reply based on: 7100 * 7101 * 1.) Current global policy. 7102 * 2.) An conn_t match depending on what all was passed in the extv[]. 7103 * 3.) A tunnel's policy head. 7104 * ... 7105 * N.) Other stuff TBD (e.g. identities) 7106 * 7107 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic 7108 * in this function so the caller can extract them where appropriately. 7109 * 7110 * The SRC address is the local one - just like an outbound ACQUIRE message. 7111 * 7112 * XXX MLS: key management supplies a label which we just reflect back up 7113 * again. clearly we need to involve the label in the rest of the checks. 7114 */ 7115 mblk_t * 7116 ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[], 7117 netstack_t *ns) 7118 { 7119 int err; 7120 int diagnostic; 7121 sadb_address_t *srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC], 7122 *dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST], 7123 *innsrcext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC], 7124 *inndstext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]; 7125 sadb_sens_t *sens = (sadb_sens_t *)extv[SADB_EXT_SENSITIVITY]; 7126 struct sockaddr_in6 *src, *dst; 7127 struct sockaddr_in6 *isrc, *idst; 7128 ipsec_tun_pol_t *itp = NULL; 7129 ipsec_policy_t *pp = NULL; 7130 ipsec_selector_t sel, isel; 7131 mblk_t *retmp = NULL; 7132 ip_stack_t *ipst = ns->netstack_ip; 7133 7134 7135 /* Normalize addresses */ 7136 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)srcext, 0, ns) 7137 == KS_IN_ADDR_UNKNOWN) { 7138 err = EINVAL; 7139 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC; 7140 goto bail; 7141 } 7142 src = (struct sockaddr_in6 *)(srcext + 1); 7143 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)dstext, 0, ns) 7144 == KS_IN_ADDR_UNKNOWN) { 7145 err = EINVAL; 7146 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST; 7147 goto bail; 7148 } 7149 dst = (struct sockaddr_in6 *)(dstext + 1); 7150 if (src->sin6_family != dst->sin6_family) { 7151 err = EINVAL; 7152 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 7153 goto bail; 7154 } 7155 7156 /* Check for tunnel mode and act appropriately */ 7157 if (innsrcext != NULL) { 7158 if (inndstext == NULL) { 7159 err = EINVAL; 7160 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_DST; 7161 goto bail; 7162 } 7163 if (sadb_addrcheck(NULL, (mblk_t *)samsg, 7164 (sadb_ext_t *)innsrcext, 0, ns) == KS_IN_ADDR_UNKNOWN) { 7165 err = EINVAL; 7166 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC; 7167 goto bail; 7168 } 7169 isrc = (struct sockaddr_in6 *)(innsrcext + 1); 7170 if (sadb_addrcheck(NULL, (mblk_t *)samsg, 7171 (sadb_ext_t *)inndstext, 0, ns) == KS_IN_ADDR_UNKNOWN) { 7172 err = EINVAL; 7173 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST; 7174 goto bail; 7175 } 7176 idst = (struct sockaddr_in6 *)(inndstext + 1); 7177 if (isrc->sin6_family != idst->sin6_family) { 7178 err = EINVAL; 7179 diagnostic = SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 7180 goto bail; 7181 } 7182 if (isrc->sin6_family != AF_INET && 7183 isrc->sin6_family != AF_INET6) { 7184 err = EINVAL; 7185 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF; 7186 goto bail; 7187 } 7188 } else if (inndstext != NULL) { 7189 err = EINVAL; 7190 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC; 7191 goto bail; 7192 } 7193 7194 /* Get selectors first, based on outer addresses */ 7195 err = ipsec_get_inverse_acquire_sel(&sel, srcext, dstext, &diagnostic); 7196 if (err != 0) 7197 goto bail; 7198 7199 /* Check for tunnel mode mismatches. */ 7200 if (innsrcext != NULL && 7201 ((isrc->sin6_family == AF_INET && 7202 sel.ips_protocol != IPPROTO_ENCAP && sel.ips_protocol != 0) || 7203 (isrc->sin6_family == AF_INET6 && 7204 sel.ips_protocol != IPPROTO_IPV6 && sel.ips_protocol != 0))) { 7205 err = EPROTOTYPE; 7206 goto bail; 7207 } 7208 7209 /* 7210 * Okay, we have the addresses and other selector information. 7211 * Let's first find a conn... 7212 */ 7213 pp = NULL; 7214 switch (sel.ips_protocol) { 7215 case IPPROTO_TCP: 7216 ipsec_tcp_pol(&sel, &pp, ipst); 7217 break; 7218 case IPPROTO_UDP: 7219 ipsec_udp_pol(&sel, &pp, ipst); 7220 break; 7221 case IPPROTO_SCTP: 7222 ipsec_sctp_pol(&sel, &pp, ipst); 7223 break; 7224 case IPPROTO_ENCAP: 7225 case IPPROTO_IPV6: 7226 /* 7227 * Assume sel.ips_remote_addr_* has the right address at 7228 * that exact position. 7229 */ 7230 itp = itp_get_byaddr((uint32_t *)(&sel.ips_local_addr_v6), 7231 (uint32_t *)(&sel.ips_remote_addr_v6), src->sin6_family, 7232 ipst); 7233 7234 if (innsrcext == NULL) { 7235 /* 7236 * Transport-mode tunnel, make sure we fake out isel 7237 * to contain something based on the outer protocol. 7238 */ 7239 bzero(&isel, sizeof (isel)); 7240 isel.ips_isv4 = (sel.ips_protocol == IPPROTO_ENCAP); 7241 } /* Else isel is initialized by ipsec_tun_pol(). */ 7242 err = ipsec_tun_pol(&isel, &pp, innsrcext, inndstext, itp, 7243 &diagnostic, ns); 7244 /* 7245 * NOTE: isel isn't used for now, but in RFC 430x IPsec, it 7246 * may be. 7247 */ 7248 if (err != 0) 7249 goto bail; 7250 break; 7251 default: 7252 ipsec_oth_pol(&sel, &pp, ipst); 7253 break; 7254 } 7255 7256 /* 7257 * If we didn't find a matching conn_t or other policy head, take a 7258 * look in the global policy. 7259 */ 7260 if (pp == NULL) { 7261 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, NULL, &sel, 7262 ns); 7263 if (pp == NULL) { 7264 /* There's no global policy. */ 7265 err = ENOENT; 7266 diagnostic = 0; 7267 goto bail; 7268 } 7269 } 7270 7271 /* 7272 * Now that we have a policy entry/widget, construct an ACQUIRE 7273 * message based on that, fix fields where appropriate, 7274 * and return the message. 7275 */ 7276 retmp = sadb_extended_acquire(&sel, pp, NULL, 7277 (itp != NULL && (itp->itp_flags & ITPF_P_TUNNEL)), 7278 samsg->sadb_msg_seq, samsg->sadb_msg_pid, sens, ns); 7279 if (pp != NULL) { 7280 IPPOL_REFRELE(pp, ns); 7281 } 7282 ASSERT(err == 0 && diagnostic == 0); 7283 if (retmp == NULL) 7284 err = ENOMEM; 7285 bail: 7286 if (itp != NULL) { 7287 ITP_REFRELE(itp, ns); 7288 } 7289 samsg->sadb_msg_errno = (uint8_t)err; 7290 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 7291 return (retmp); 7292 } 7293 7294 /* 7295 * ipsa_lpkt is a one-element queue, only manipulated by the next two 7296 * functions. They have to hold the ipsa_lock because of potential races 7297 * between key management using SADB_UPDATE, and inbound packets that may 7298 * queue up on the larval SA (hence the 'l' in "lpkt"). 7299 */ 7300 7301 /* 7302 * sadb_set_lpkt: Return TRUE if we can swap in a value to ipsa->ipsa_lpkt and 7303 * freemsg the previous value. Return FALSE if we lost the race and the SA is 7304 * in a non-LARVAL state. free clue: ip_drop_packet(NULL) is safe. 7305 */ 7306 boolean_t 7307 sadb_set_lpkt(ipsa_t *ipsa, mblk_t *npkt, netstack_t *ns) 7308 { 7309 mblk_t *opkt; 7310 ipsec_stack_t *ipss = ns->netstack_ipsec; 7311 boolean_t is_larval; 7312 7313 /* 7314 * Check the packet's netstack id in case we go asynch with a 7315 * taskq_dispatch. 7316 */ 7317 ASSERT(((ipsec_in_t *)npkt->b_rptr)->ipsec_in_type == IPSEC_IN); 7318 ASSERT(((ipsec_in_t *)npkt->b_rptr)->ipsec_in_stackid == 7319 ns->netstack_stackid); 7320 7321 mutex_enter(&ipsa->ipsa_lock); 7322 is_larval = (ipsa->ipsa_state == IPSA_STATE_LARVAL); 7323 if (is_larval) { 7324 opkt = ipsa->ipsa_lpkt; 7325 ipsa->ipsa_lpkt = npkt; 7326 } else { 7327 /* We lost the race. */ 7328 opkt = NULL; 7329 } 7330 mutex_exit(&ipsa->ipsa_lock); 7331 7332 ip_drop_packet(opkt, B_TRUE, NULL, NULL, 7333 DROPPER(ipss, ipds_sadb_inlarval_replace), 7334 &ipss->ipsec_sadb_dropper); 7335 return (is_larval); 7336 } 7337 7338 /* 7339 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the 7340 * previous value. 7341 */ 7342 mblk_t * 7343 sadb_clear_lpkt(ipsa_t *ipsa) 7344 { 7345 mblk_t *opkt; 7346 7347 mutex_enter(&ipsa->ipsa_lock); 7348 opkt = ipsa->ipsa_lpkt; 7349 ipsa->ipsa_lpkt = NULL; 7350 mutex_exit(&ipsa->ipsa_lock); 7351 7352 return (opkt); 7353 } 7354 7355 /* 7356 * Buffer a packet that's in IDLE state as set by Solaris Clustering. 7357 */ 7358 void 7359 sadb_buf_pkt(ipsa_t *ipsa, mblk_t *bpkt, netstack_t *ns) 7360 { 7361 ipsec_stack_t *ipss = ns->netstack_ipsec; 7362 extern void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, 7363 sa_family_t, in6_addr_t, in6_addr_t, void *); 7364 in6_addr_t *srcaddr = (in6_addr_t *)(&ipsa->ipsa_srcaddr); 7365 in6_addr_t *dstaddr = (in6_addr_t *)(&ipsa->ipsa_dstaddr); 7366 7367 ASSERT(ipsa->ipsa_state == IPSA_STATE_IDLE); 7368 7369 if (cl_inet_idlesa == NULL) { 7370 ip_drop_packet(bpkt, B_TRUE, NULL, NULL, 7371 DROPPER(ipss, ipds_sadb_inidle_overflow), 7372 &ipss->ipsec_sadb_dropper); 7373 return; 7374 } 7375 7376 cl_inet_idlesa(ns->netstack_stackid, 7377 (ipsa->ipsa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP, 7378 ipsa->ipsa_spi, ipsa->ipsa_addrfam, *srcaddr, *dstaddr, NULL); 7379 7380 /* 7381 * Check the packet's netstack id in case we go asynch with a 7382 * taskq_dispatch. 7383 */ 7384 ASSERT(((ipsec_in_t *)bpkt->b_rptr)->ipsec_in_type == IPSEC_IN); 7385 ASSERT(((ipsec_in_t *)bpkt->b_rptr)->ipsec_in_stackid == 7386 ns->netstack_stackid); 7387 7388 mutex_enter(&ipsa->ipsa_lock); 7389 ipsa->ipsa_mblkcnt++; 7390 if (ipsa->ipsa_bpkt_head == NULL) { 7391 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_tail = bpkt; 7392 } else { 7393 ipsa->ipsa_bpkt_tail->b_next = bpkt; 7394 ipsa->ipsa_bpkt_tail = bpkt; 7395 if (ipsa->ipsa_mblkcnt > SADB_MAX_IDLEPKTS) { 7396 mblk_t *tmp; 7397 tmp = ipsa->ipsa_bpkt_head; 7398 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_head->b_next; 7399 ip_drop_packet(tmp, B_TRUE, NULL, NULL, 7400 DROPPER(ipss, ipds_sadb_inidle_overflow), 7401 &ipss->ipsec_sadb_dropper); 7402 ipsa->ipsa_mblkcnt --; 7403 } 7404 } 7405 mutex_exit(&ipsa->ipsa_lock); 7406 7407 } 7408 7409 /* 7410 * Stub function that taskq_dispatch() invokes to take the mblk (in arg) 7411 * and put into STREAMS again. 7412 */ 7413 void 7414 sadb_clear_buf_pkt(void *ipkt) 7415 { 7416 mblk_t *tmp, *buf_pkt; 7417 netstack_t *ns; 7418 ipsec_in_t *ii; 7419 7420 buf_pkt = (mblk_t *)ipkt; 7421 7422 ii = (ipsec_in_t *)buf_pkt->b_rptr; 7423 ASSERT(ii->ipsec_in_type == IPSEC_IN); 7424 ns = netstack_find_by_stackid(ii->ipsec_in_stackid); 7425 if (ns != NULL && ns != ii->ipsec_in_ns) { 7426 netstack_rele(ns); 7427 ns = NULL; /* For while-loop below. */ 7428 } 7429 7430 while (buf_pkt != NULL) { 7431 tmp = buf_pkt->b_next; 7432 buf_pkt->b_next = NULL; 7433 if (ns != NULL) 7434 ip_fanout_proto_again(buf_pkt, NULL, NULL, NULL); 7435 else 7436 freemsg(buf_pkt); 7437 buf_pkt = tmp; 7438 } 7439 if (ns != NULL) 7440 netstack_rele(ns); 7441 } 7442 /* 7443 * Walker callback used by sadb_alg_update() to free/create crypto 7444 * context template when a crypto software provider is removed or 7445 * added. 7446 */ 7447 7448 struct sadb_update_alg_state { 7449 ipsec_algtype_t alg_type; 7450 uint8_t alg_id; 7451 boolean_t is_added; 7452 }; 7453 7454 static void 7455 sadb_alg_update_cb(isaf_t *head, ipsa_t *entry, void *cookie) 7456 { 7457 struct sadb_update_alg_state *update_state = 7458 (struct sadb_update_alg_state *)cookie; 7459 crypto_ctx_template_t *ctx_tmpl = NULL; 7460 7461 ASSERT(MUTEX_HELD(&head->isaf_lock)); 7462 7463 if (entry->ipsa_state == IPSA_STATE_LARVAL) 7464 return; 7465 7466 mutex_enter(&entry->ipsa_lock); 7467 7468 switch (update_state->alg_type) { 7469 case IPSEC_ALG_AUTH: 7470 if (entry->ipsa_auth_alg == update_state->alg_id) 7471 ctx_tmpl = &entry->ipsa_authtmpl; 7472 break; 7473 case IPSEC_ALG_ENCR: 7474 if (entry->ipsa_encr_alg == update_state->alg_id) 7475 ctx_tmpl = &entry->ipsa_encrtmpl; 7476 break; 7477 default: 7478 ctx_tmpl = NULL; 7479 } 7480 7481 if (ctx_tmpl == NULL) { 7482 mutex_exit(&entry->ipsa_lock); 7483 return; 7484 } 7485 7486 /* 7487 * The context template of the SA may be affected by the change 7488 * of crypto provider. 7489 */ 7490 if (update_state->is_added) { 7491 /* create the context template if not already done */ 7492 if (*ctx_tmpl == NULL) { 7493 (void) ipsec_create_ctx_tmpl(entry, 7494 update_state->alg_type); 7495 } 7496 } else { 7497 /* 7498 * The crypto provider was removed. If the context template 7499 * exists but it is no longer valid, free it. 7500 */ 7501 if (*ctx_tmpl != NULL) 7502 ipsec_destroy_ctx_tmpl(entry, update_state->alg_type); 7503 } 7504 7505 mutex_exit(&entry->ipsa_lock); 7506 } 7507 7508 /* 7509 * Invoked by IP when an software crypto provider has been updated. 7510 * The type and id of the corresponding algorithm is passed as argument. 7511 * is_added is B_TRUE if the provider was added, B_FALSE if it was 7512 * removed. The function updates the SADB and free/creates the 7513 * context templates associated with SAs if needed. 7514 */ 7515 7516 #define SADB_ALG_UPDATE_WALK(sadb, table) \ 7517 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \ 7518 &update_state) 7519 7520 void 7521 sadb_alg_update(ipsec_algtype_t alg_type, uint8_t alg_id, boolean_t is_added, 7522 netstack_t *ns) 7523 { 7524 struct sadb_update_alg_state update_state; 7525 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 7526 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 7527 7528 update_state.alg_type = alg_type; 7529 update_state.alg_id = alg_id; 7530 update_state.is_added = is_added; 7531 7532 if (alg_type == IPSEC_ALG_AUTH) { 7533 /* walk the AH tables only for auth. algorithm changes */ 7534 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_of); 7535 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_if); 7536 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_of); 7537 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_if); 7538 } 7539 7540 /* walk the ESP tables */ 7541 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_of); 7542 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_if); 7543 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_of); 7544 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_if); 7545 } 7546 7547 /* 7548 * Creates a context template for the specified SA. This function 7549 * is called when an SA is created and when a context template needs 7550 * to be created due to a change of software provider. 7551 */ 7552 int 7553 ipsec_create_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 7554 { 7555 ipsec_alginfo_t *alg; 7556 crypto_mechanism_t mech; 7557 crypto_key_t *key; 7558 crypto_ctx_template_t *sa_tmpl; 7559 int rv; 7560 ipsec_stack_t *ipss = sa->ipsa_netstack->netstack_ipsec; 7561 7562 ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock)); 7563 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 7564 7565 /* get pointers to the algorithm info, context template, and key */ 7566 switch (alg_type) { 7567 case IPSEC_ALG_AUTH: 7568 key = &sa->ipsa_kcfauthkey; 7569 sa_tmpl = &sa->ipsa_authtmpl; 7570 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_auth_alg]; 7571 break; 7572 case IPSEC_ALG_ENCR: 7573 key = &sa->ipsa_kcfencrkey; 7574 sa_tmpl = &sa->ipsa_encrtmpl; 7575 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_encr_alg]; 7576 break; 7577 default: 7578 alg = NULL; 7579 } 7580 7581 if (alg == NULL || !ALG_VALID(alg)) 7582 return (EINVAL); 7583 7584 /* initialize the mech info structure for the framework */ 7585 ASSERT(alg->alg_mech_type != CRYPTO_MECHANISM_INVALID); 7586 mech.cm_type = alg->alg_mech_type; 7587 mech.cm_param = NULL; 7588 mech.cm_param_len = 0; 7589 7590 /* create a new context template */ 7591 rv = crypto_create_ctx_template(&mech, key, sa_tmpl, KM_NOSLEEP); 7592 7593 /* 7594 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware 7595 * providers are available for that mechanism. In that case 7596 * we don't fail, and will generate the context template from 7597 * the framework callback when a software provider for that 7598 * mechanism registers. 7599 * 7600 * The context template is assigned the special value 7601 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a 7602 * lack of memory. No attempt will be made to use 7603 * the context template if it is set to this value. 7604 */ 7605 if (rv == CRYPTO_HOST_MEMORY) { 7606 *sa_tmpl = IPSEC_CTX_TMPL_ALLOC; 7607 } else if (rv != CRYPTO_SUCCESS) { 7608 *sa_tmpl = NULL; 7609 if (rv != CRYPTO_MECH_NOT_SUPPORTED) 7610 return (EINVAL); 7611 } 7612 7613 return (0); 7614 } 7615 7616 /* 7617 * Destroy the context template of the specified algorithm type 7618 * of the specified SA. Must be called while holding the SA lock. 7619 */ 7620 void 7621 ipsec_destroy_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 7622 { 7623 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 7624 7625 if (alg_type == IPSEC_ALG_AUTH) { 7626 if (sa->ipsa_authtmpl == IPSEC_CTX_TMPL_ALLOC) 7627 sa->ipsa_authtmpl = NULL; 7628 else if (sa->ipsa_authtmpl != NULL) { 7629 crypto_destroy_ctx_template(sa->ipsa_authtmpl); 7630 sa->ipsa_authtmpl = NULL; 7631 } 7632 } else { 7633 ASSERT(alg_type == IPSEC_ALG_ENCR); 7634 if (sa->ipsa_encrtmpl == IPSEC_CTX_TMPL_ALLOC) 7635 sa->ipsa_encrtmpl = NULL; 7636 else if (sa->ipsa_encrtmpl != NULL) { 7637 crypto_destroy_ctx_template(sa->ipsa_encrtmpl); 7638 sa->ipsa_encrtmpl = NULL; 7639 } 7640 } 7641 } 7642 7643 /* 7644 * Use the kernel crypto framework to check the validity of a key received 7645 * via keysock. Returns 0 if the key is OK, -1 otherwise. 7646 */ 7647 int 7648 ipsec_check_key(crypto_mech_type_t mech_type, sadb_key_t *sadb_key, 7649 boolean_t is_auth, int *diag) 7650 { 7651 crypto_mechanism_t mech; 7652 crypto_key_t crypto_key; 7653 int crypto_rc; 7654 7655 mech.cm_type = mech_type; 7656 mech.cm_param = NULL; 7657 mech.cm_param_len = 0; 7658 7659 crypto_key.ck_format = CRYPTO_KEY_RAW; 7660 crypto_key.ck_data = sadb_key + 1; 7661 crypto_key.ck_length = sadb_key->sadb_key_bits; 7662 7663 crypto_rc = crypto_key_check(&mech, &crypto_key); 7664 7665 switch (crypto_rc) { 7666 case CRYPTO_SUCCESS: 7667 return (0); 7668 case CRYPTO_MECHANISM_INVALID: 7669 case CRYPTO_MECH_NOT_SUPPORTED: 7670 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AALG : 7671 SADB_X_DIAGNOSTIC_BAD_EALG; 7672 break; 7673 case CRYPTO_KEY_SIZE_RANGE: 7674 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AKEYBITS : 7675 SADB_X_DIAGNOSTIC_BAD_EKEYBITS; 7676 break; 7677 case CRYPTO_WEAK_KEY: 7678 *diag = is_auth ? SADB_X_DIAGNOSTIC_WEAK_AKEY : 7679 SADB_X_DIAGNOSTIC_WEAK_EKEY; 7680 break; 7681 } 7682 7683 return (-1); 7684 } 7685 7686 /* 7687 * Whack options in the outer IP header when ipsec changes the outer label 7688 * 7689 * This is inelegant and really could use refactoring. 7690 */ 7691 int 7692 sadb_whack_label(mblk_t **mpp, ipsa_t *assoc) 7693 { 7694 int delta; 7695 int plen; 7696 dblk_t *db; 7697 int hlen; 7698 uint8_t *opt_storage = assoc->ipsa_opt_storage; 7699 mblk_t *mp = *mpp; 7700 ipha_t *ipha = (ipha_t *)mp->b_rptr; 7701 7702 plen = ntohs(ipha->ipha_length); 7703 7704 delta = tsol_remove_secopt(ipha, MBLKL(mp)); 7705 mp->b_wptr += delta; 7706 plen += delta; 7707 7708 /* XXX XXX code copied from tsol_check_label */ 7709 7710 /* Make sure we have room for the worst-case addition */ 7711 hlen = IPH_HDR_LENGTH(ipha) + opt_storage[IPOPT_OLEN]; 7712 hlen = (hlen + 3) & ~3; 7713 if (hlen > IP_MAX_HDR_LENGTH) 7714 hlen = IP_MAX_HDR_LENGTH; 7715 hlen -= IPH_HDR_LENGTH(ipha); 7716 7717 db = mp->b_datap; 7718 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) { 7719 int copylen; 7720 mblk_t *new_mp; 7721 7722 /* allocate enough to be meaningful, but not *too* much */ 7723 copylen = MBLKL(mp); 7724 if (copylen > 256) 7725 copylen = 256; 7726 new_mp = allocb_tmpl(hlen + copylen + 7727 (mp->b_rptr - mp->b_datap->db_base), mp); 7728 7729 if (new_mp == NULL) 7730 return (ENOMEM); 7731 7732 /* keep the bias */ 7733 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base; 7734 new_mp->b_wptr = new_mp->b_rptr + copylen; 7735 bcopy(mp->b_rptr, new_mp->b_rptr, copylen); 7736 new_mp->b_cont = mp; 7737 if ((mp->b_rptr += copylen) >= mp->b_wptr) { 7738 new_mp->b_cont = mp->b_cont; 7739 freeb(mp); 7740 } 7741 *mpp = mp = new_mp; 7742 ipha = (ipha_t *)mp->b_rptr; 7743 } 7744 7745 delta = tsol_prepend_option(assoc->ipsa_opt_storage, ipha, MBLKL(mp)); 7746 7747 ASSERT(delta != -1); 7748 7749 plen += delta; 7750 mp->b_wptr += delta; 7751 7752 /* 7753 * Paranoia 7754 */ 7755 db = mp->b_datap; 7756 7757 ASSERT3P(mp->b_wptr, <=, db->db_lim); 7758 ASSERT3P(mp->b_rptr, <=, db->db_lim); 7759 7760 ASSERT3P(mp->b_wptr, >=, db->db_base); 7761 ASSERT3P(mp->b_rptr, >=, db->db_base); 7762 /* End paranoia */ 7763 7764 ipha->ipha_length = htons(plen); 7765 7766 return (0); 7767 } 7768 7769 int 7770 sadb_whack_label_v6(mblk_t **mpp, ipsa_t *assoc) 7771 { 7772 int delta; 7773 int plen; 7774 dblk_t *db; 7775 int hlen; 7776 uint8_t *opt_storage = assoc->ipsa_opt_storage; 7777 uint_t sec_opt_len; /* label option length not including type, len */ 7778 mblk_t *mp = *mpp; 7779 ip6_t *ip6h = (ip6_t *)mp->b_rptr; 7780 7781 plen = ntohs(ip6h->ip6_plen); 7782 7783 delta = tsol_remove_secopt_v6(ip6h, MBLKL(mp)); 7784 mp->b_wptr += delta; 7785 plen += delta; 7786 7787 /* XXX XXX code copied from tsol_check_label_v6 */ 7788 /* 7789 * Make sure we have room for the worst-case addition. Add 2 bytes for 7790 * the hop-by-hop ext header's next header and length fields. Add 7791 * another 2 bytes for the label option type, len and then round 7792 * up to the next 8-byte multiple. 7793 */ 7794 sec_opt_len = opt_storage[1]; 7795 7796 db = mp->b_datap; 7797 hlen = (4 + sec_opt_len + 7) & ~7; 7798 7799 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) { 7800 int copylen; 7801 mblk_t *new_mp; 7802 uint16_t hdr_len; 7803 7804 hdr_len = ip_hdr_length_v6(mp, ip6h); 7805 /* 7806 * Allocate enough to be meaningful, but not *too* much. 7807 * Also all the IPv6 extension headers must be in the same mblk 7808 */ 7809 copylen = MBLKL(mp); 7810 if (copylen > 256) 7811 copylen = 256; 7812 if (copylen < hdr_len) 7813 copylen = hdr_len; 7814 new_mp = allocb_tmpl(hlen + copylen + 7815 (mp->b_rptr - mp->b_datap->db_base), mp); 7816 if (new_mp == NULL) 7817 return (ENOMEM); 7818 7819 /* keep the bias */ 7820 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base; 7821 new_mp->b_wptr = new_mp->b_rptr + copylen; 7822 bcopy(mp->b_rptr, new_mp->b_rptr, copylen); 7823 new_mp->b_cont = mp; 7824 if ((mp->b_rptr += copylen) >= mp->b_wptr) { 7825 new_mp->b_cont = mp->b_cont; 7826 freeb(mp); 7827 } 7828 *mpp = mp = new_mp; 7829 ip6h = (ip6_t *)mp->b_rptr; 7830 } 7831 7832 delta = tsol_prepend_option_v6(assoc->ipsa_opt_storage, 7833 ip6h, MBLKL(mp)); 7834 7835 ASSERT(delta != -1); 7836 7837 plen += delta; 7838 mp->b_wptr += delta; 7839 7840 /* 7841 * Paranoia 7842 */ 7843 db = mp->b_datap; 7844 7845 ASSERT3P(mp->b_wptr, <=, db->db_lim); 7846 ASSERT3P(mp->b_rptr, <=, db->db_lim); 7847 7848 ASSERT3P(mp->b_wptr, >=, db->db_base); 7849 ASSERT3P(mp->b_rptr, >=, db->db_base); 7850 /* End paranoia */ 7851 7852 ip6h->ip6_plen = htons(plen); 7853 7854 return (0); 7855 } 7856 7857 7858 7859 /* 7860 * If this is an outgoing SA then add some fuzz to the 7861 * SOFT EXPIRE time. The reason for this is to stop 7862 * peers trying to renegotiate SOFT expiring SA's at 7863 * the same time. The amount of fuzz needs to be at 7864 * least 8 seconds which is the typical interval 7865 * sadb_ager(), although this is only a guide as it 7866 * selftunes. 7867 */ 7868 static void 7869 lifetime_fuzz(ipsa_t *assoc) 7870 { 7871 uint8_t rnd; 7872 7873 if (assoc->ipsa_softaddlt == 0) 7874 return; 7875 7876 (void) random_get_pseudo_bytes(&rnd, sizeof (rnd)); 7877 rnd = (rnd & 0xF) + 8; 7878 assoc->ipsa_softexpiretime -= rnd; 7879 assoc->ipsa_softaddlt -= rnd; 7880 } 7881 7882 static void 7883 destroy_ipsa_pair(ipsap_t *ipsapp) 7884 { 7885 /* 7886 * Because of the multi-line macro nature of IPSA_REFRELE, keep 7887 * them in { }. 7888 */ 7889 if (ipsapp->ipsap_sa_ptr != NULL) { 7890 IPSA_REFRELE(ipsapp->ipsap_sa_ptr); 7891 } 7892 if (ipsapp->ipsap_psa_ptr != NULL) { 7893 IPSA_REFRELE(ipsapp->ipsap_psa_ptr); 7894 } 7895 init_ipsa_pair(ipsapp); 7896 } 7897 7898 static void 7899 init_ipsa_pair(ipsap_t *ipsapp) 7900 { 7901 ipsapp->ipsap_bucket = NULL; 7902 ipsapp->ipsap_sa_ptr = NULL; 7903 ipsapp->ipsap_pbucket = NULL; 7904 ipsapp->ipsap_psa_ptr = NULL; 7905 } 7906 7907 /* 7908 * The sadb_ager() function walks through the hash tables of SA's and ages 7909 * them, if the SA expires as a result, its marked as DEAD and will be reaped 7910 * the next time sadb_ager() runs. SA's which are paired or have a peer (same 7911 * SA appears in both the inbound and outbound tables because its not possible 7912 * to determine its direction) are placed on a list when they expire. This is 7913 * to ensure that pair/peer SA's are reaped at the same time, even if they 7914 * expire at different times. 7915 * 7916 * This function is called twice by sadb_ager(), one after processing the 7917 * inbound table, then again after processing the outbound table. 7918 */ 7919 void 7920 age_pair_peer_list(templist_t *haspeerlist, sadb_t *sp, boolean_t outbound) 7921 { 7922 templist_t *listptr; 7923 int outhash; 7924 isaf_t *bucket; 7925 boolean_t haspeer; 7926 ipsa_t *peer_assoc, *dying; 7927 /* 7928 * Haspeer cases will contain both IPv4 and IPv6. This code 7929 * is address independent. 7930 */ 7931 while (haspeerlist != NULL) { 7932 /* "dying" contains the SA that has a peer. */ 7933 dying = haspeerlist->ipsa; 7934 haspeer = (dying->ipsa_haspeer); 7935 listptr = haspeerlist; 7936 haspeerlist = listptr->next; 7937 kmem_free(listptr, sizeof (*listptr)); 7938 /* 7939 * Pick peer bucket based on addrfam. 7940 */ 7941 if (outbound) { 7942 if (haspeer) 7943 bucket = INBOUND_BUCKET(sp, dying->ipsa_spi); 7944 else 7945 bucket = INBOUND_BUCKET(sp, 7946 dying->ipsa_otherspi); 7947 } else { /* inbound */ 7948 if (haspeer) { 7949 if (dying->ipsa_addrfam == AF_INET6) { 7950 outhash = OUTBOUND_HASH_V6(sp, 7951 *((in6_addr_t *)&dying-> 7952 ipsa_dstaddr)); 7953 } else { 7954 outhash = OUTBOUND_HASH_V4(sp, 7955 *((ipaddr_t *)&dying-> 7956 ipsa_dstaddr)); 7957 } 7958 } else if (dying->ipsa_addrfam == AF_INET6) { 7959 outhash = OUTBOUND_HASH_V6(sp, 7960 *((in6_addr_t *)&dying-> 7961 ipsa_srcaddr)); 7962 } else { 7963 outhash = OUTBOUND_HASH_V4(sp, 7964 *((ipaddr_t *)&dying-> 7965 ipsa_srcaddr)); 7966 } 7967 bucket = &(sp->sdb_of[outhash]); 7968 } 7969 7970 mutex_enter(&bucket->isaf_lock); 7971 /* 7972 * "haspeer" SA's have the same src/dst address ordering, 7973 * "paired" SA's have the src/dst addresses reversed. 7974 */ 7975 if (haspeer) { 7976 peer_assoc = ipsec_getassocbyspi(bucket, 7977 dying->ipsa_spi, dying->ipsa_srcaddr, 7978 dying->ipsa_dstaddr, dying->ipsa_addrfam); 7979 } else { 7980 peer_assoc = ipsec_getassocbyspi(bucket, 7981 dying->ipsa_otherspi, dying->ipsa_dstaddr, 7982 dying->ipsa_srcaddr, dying->ipsa_addrfam); 7983 } 7984 7985 mutex_exit(&bucket->isaf_lock); 7986 if (peer_assoc != NULL) { 7987 mutex_enter(&peer_assoc->ipsa_lock); 7988 mutex_enter(&dying->ipsa_lock); 7989 if (!haspeer) { 7990 /* 7991 * Only SA's which have a "peer" or are 7992 * "paired" end up on this list, so this 7993 * must be a "paired" SA, update the flags 7994 * to break the pair. 7995 */ 7996 peer_assoc->ipsa_otherspi = 0; 7997 peer_assoc->ipsa_flags &= ~IPSA_F_PAIRED; 7998 dying->ipsa_otherspi = 0; 7999 dying->ipsa_flags &= ~IPSA_F_PAIRED; 8000 } 8001 if (haspeer || outbound) { 8002 /* 8003 * Update the state of the "inbound" SA when 8004 * the "outbound" SA has expired. Don't update 8005 * the "outbound" SA when the "inbound" SA 8006 * SA expires because setting the hard_addtime 8007 * below will cause this to happen. 8008 */ 8009 peer_assoc->ipsa_state = dying->ipsa_state; 8010 } 8011 if (dying->ipsa_state == IPSA_STATE_DEAD) 8012 peer_assoc->ipsa_hardexpiretime = 1; 8013 8014 mutex_exit(&dying->ipsa_lock); 8015 mutex_exit(&peer_assoc->ipsa_lock); 8016 IPSA_REFRELE(peer_assoc); 8017 } 8018 IPSA_REFRELE(dying); 8019 } 8020 } 8021 8022 /* 8023 * Ensure that the IV used for CCM mode never repeats. The IV should 8024 * only be updated by this function. Also check to see if the IV 8025 * is about to wrap and generate a SOFT Expire. This function is only 8026 * called for outgoing packets, the IV for incomming packets is taken 8027 * from the wire. If the outgoing SA needs to be expired, update 8028 * the matching incomming SA. 8029 */ 8030 boolean_t 8031 update_iv(uint8_t *iv_ptr, queue_t *pfkey_q, ipsa_t *assoc, 8032 ipsecesp_stack_t *espstack) 8033 { 8034 boolean_t rc = B_TRUE; 8035 isaf_t *inbound_bucket; 8036 sadb_t *sp; 8037 ipsa_t *pair_sa = NULL; 8038 int sa_new_state = 0; 8039 8040 /* For non counter modes, the IV is random data. */ 8041 if (!(assoc->ipsa_flags & IPSA_F_COUNTERMODE)) { 8042 (void) random_get_pseudo_bytes(iv_ptr, assoc->ipsa_iv_len); 8043 return (rc); 8044 } 8045 8046 mutex_enter(&assoc->ipsa_lock); 8047 8048 (*assoc->ipsa_iv)++; 8049 8050 if (*assoc->ipsa_iv == assoc->ipsa_iv_hardexpire) { 8051 sa_new_state = IPSA_STATE_DEAD; 8052 rc = B_FALSE; 8053 } else if (*assoc->ipsa_iv == assoc->ipsa_iv_softexpire) { 8054 if (assoc->ipsa_state != IPSA_STATE_DYING) { 8055 /* 8056 * This SA may have already been expired when its 8057 * PAIR_SA expired. 8058 */ 8059 sa_new_state = IPSA_STATE_DYING; 8060 } 8061 } 8062 if (sa_new_state) { 8063 /* 8064 * If there is a state change, we need to update this SA 8065 * and its "pair", we can find the bucket for the "pair" SA 8066 * while holding the ipsa_t mutex, but we won't actually 8067 * update anything untill the ipsa_t mutex has been released 8068 * for _this_ SA. 8069 */ 8070 assoc->ipsa_state = sa_new_state; 8071 if (assoc->ipsa_addrfam == AF_INET6) { 8072 sp = &espstack->esp_sadb.s_v6; 8073 } else { 8074 sp = &espstack->esp_sadb.s_v4; 8075 } 8076 inbound_bucket = INBOUND_BUCKET(sp, assoc->ipsa_otherspi); 8077 sadb_expire_assoc(pfkey_q, assoc); 8078 } 8079 if (rc == B_TRUE) 8080 bcopy(assoc->ipsa_iv, iv_ptr, assoc->ipsa_iv_len); 8081 8082 mutex_exit(&assoc->ipsa_lock); 8083 8084 if (sa_new_state) { 8085 /* Find the inbound SA, need to lock hash bucket. */ 8086 mutex_enter(&inbound_bucket->isaf_lock); 8087 pair_sa = ipsec_getassocbyspi(inbound_bucket, 8088 assoc->ipsa_otherspi, assoc->ipsa_dstaddr, 8089 assoc->ipsa_srcaddr, assoc->ipsa_addrfam); 8090 mutex_exit(&inbound_bucket->isaf_lock); 8091 if (pair_sa != NULL) { 8092 mutex_enter(&pair_sa->ipsa_lock); 8093 pair_sa->ipsa_state = sa_new_state; 8094 mutex_exit(&pair_sa->ipsa_lock); 8095 IPSA_REFRELE(pair_sa); 8096 } 8097 } 8098 8099 return (rc); 8100 } 8101 8102 void 8103 ccm_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr, 8104 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data) 8105 { 8106 uchar_t *nonce; 8107 crypto_mechanism_t *combined_mech; 8108 CK_AES_CCM_PARAMS *params; 8109 8110 combined_mech = (crypto_mechanism_t *)cm_mech; 8111 params = (CK_AES_CCM_PARAMS *)(combined_mech + 1); 8112 nonce = (uchar_t *)(params + 1); 8113 params->ulMACSize = assoc->ipsa_mac_len; 8114 params->ulNonceSize = assoc->ipsa_nonce_len; 8115 params->ulAuthDataSize = sizeof (esph_t); 8116 params->ulDataSize = data_len; 8117 params->nonce = nonce; 8118 params->authData = esph; 8119 8120 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type; 8121 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_CCM_PARAMS); 8122 cm_mech->combined_mech.cm_param = (caddr_t)params; 8123 /* See gcm_params_init() for comments. */ 8124 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen); 8125 nonce += assoc->ipsa_saltlen; 8126 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len); 8127 crypto_data->cd_miscdata = NULL; 8128 } 8129 8130 /* ARGSUSED */ 8131 void 8132 cbc_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr, 8133 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data) 8134 { 8135 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type; 8136 cm_mech->combined_mech.cm_param_len = 0; 8137 cm_mech->combined_mech.cm_param = NULL; 8138 crypto_data->cd_miscdata = (char *)iv_ptr; 8139 } 8140 8141 /* ARGSUSED */ 8142 void 8143 gcm_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr, 8144 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data) 8145 { 8146 uchar_t *nonce; 8147 crypto_mechanism_t *combined_mech; 8148 CK_AES_GCM_PARAMS *params; 8149 8150 combined_mech = (crypto_mechanism_t *)cm_mech; 8151 params = (CK_AES_GCM_PARAMS *)(combined_mech + 1); 8152 nonce = (uchar_t *)(params + 1); 8153 8154 params->pIv = nonce; 8155 params->ulIvLen = assoc->ipsa_nonce_len; 8156 params->ulIvBits = SADB_8TO1(assoc->ipsa_nonce_len); 8157 params->pAAD = esph; 8158 params->ulAADLen = sizeof (esph_t); 8159 params->ulTagBits = SADB_8TO1(assoc->ipsa_mac_len); 8160 8161 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type; 8162 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS); 8163 cm_mech->combined_mech.cm_param = (caddr_t)params; 8164 /* 8165 * Create the nonce, which is made up of the salt and the IV. 8166 * Copy the salt from the SA and the IV from the packet. 8167 * For inbound packets we copy the IV from the packet because it 8168 * was set by the sending system, for outbound packets we copy the IV 8169 * from the packet because the IV in the SA may be changed by another 8170 * thread, the IV in the packet was created while holding a mutex. 8171 */ 8172 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen); 8173 nonce += assoc->ipsa_saltlen; 8174 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len); 8175 crypto_data->cd_miscdata = NULL; 8176 } 8177