1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved. 24 */ 25 26 #include <sys/param.h> 27 #include <sys/types.h> 28 #include <sys/stream.h> 29 #include <sys/strsubr.h> 30 #include <sys/strsun.h> 31 #include <sys/stropts.h> 32 #include <sys/zone.h> 33 #include <sys/vnode.h> 34 #include <sys/sysmacros.h> 35 #define _SUN_TPI_VERSION 2 36 #include <sys/tihdr.h> 37 #include <sys/ddi.h> 38 #include <sys/sunddi.h> 39 #include <sys/mkdev.h> 40 #include <sys/debug.h> 41 #include <sys/kmem.h> 42 #include <sys/cmn_err.h> 43 #include <sys/suntpi.h> 44 #include <sys/policy.h> 45 #include <sys/dls.h> 46 47 #include <sys/socket.h> 48 #include <netinet/in.h> 49 #include <net/pfkeyv2.h> 50 #include <net/pfpolicy.h> 51 52 #include <inet/common.h> 53 #include <netinet/ip6.h> 54 #include <inet/ip.h> 55 #include <inet/ip6.h> 56 #include <inet/mi.h> 57 #include <inet/proto_set.h> 58 #include <inet/nd.h> 59 #include <inet/ip_if.h> 60 #include <inet/optcom.h> 61 #include <inet/ipsec_impl.h> 62 #include <inet/spdsock.h> 63 #include <inet/sadb.h> 64 #include <inet/iptun.h> 65 #include <inet/iptun/iptun_impl.h> 66 67 #include <sys/isa_defs.h> 68 69 #include <c2/audit.h> 70 71 /* 72 * This is a transport provider for the PF_POLICY IPsec policy 73 * management socket, which provides a management interface into the 74 * SPD, allowing policy rules to be added, deleted, and queried. 75 * 76 * This effectively replaces the old private SIOC*IPSECONFIG ioctls 77 * with an extensible interface which will hopefully be public some 78 * day. 79 * 80 * See <net/pfpolicy.h> for more details on the protocol. 81 * 82 * We link against drv/ip and call directly into it to manipulate the 83 * SPD; see ipsec_impl.h for the policy data structures and spd.c for 84 * the code which maintains them. 85 * 86 * The MT model of this is QPAIR with the addition of some explicit 87 * locking to protect system-wide policy data structures. 88 */ 89 90 static vmem_t *spdsock_vmem; /* for minor numbers. */ 91 92 #define ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t)) 93 94 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */ 95 static struct T_info_ack spdsock_g_t_info_ack = { 96 T_INFO_ACK, 97 T_INFINITE, /* TSDU_size. Maximum size messages. */ 98 T_INVALID, /* ETSDU_size. No expedited data. */ 99 T_INVALID, /* CDATA_size. No connect data. */ 100 T_INVALID, /* DDATA_size. No disconnect data. */ 101 0, /* ADDR_size. */ 102 0, /* OPT_size. No user-settable options */ 103 64 * 1024, /* TIDU_size. spdsock allows maximum size messages. */ 104 T_COTS, /* SERV_type. spdsock supports connection oriented. */ 105 TS_UNBND, /* CURRENT_state. This is set from spdsock_state. */ 106 (XPG4_1) /* Provider flags */ 107 }; 108 109 /* Named Dispatch Parameter Management Structure */ 110 typedef struct spdsockparam_s { 111 uint_t spdsock_param_min; 112 uint_t spdsock_param_max; 113 uint_t spdsock_param_value; 114 char *spdsock_param_name; 115 } spdsockparam_t; 116 117 /* 118 * Table of NDD variables supported by spdsock. These are loaded into 119 * spdsock_g_nd in spdsock_init_nd. 120 * All of these are alterable, within the min/max values given, at run time. 121 */ 122 static spdsockparam_t lcl_param_arr[] = { 123 /* min max value name */ 124 { 4096, 65536, 8192, "spdsock_xmit_hiwat"}, 125 { 0, 65536, 1024, "spdsock_xmit_lowat"}, 126 { 4096, 65536, 8192, "spdsock_recv_hiwat"}, 127 { 65536, 1024*1024*1024, 256*1024, "spdsock_max_buf"}, 128 { 0, 3, 0, "spdsock_debug"}, 129 }; 130 #define spds_xmit_hiwat spds_params[0].spdsock_param_value 131 #define spds_xmit_lowat spds_params[1].spdsock_param_value 132 #define spds_recv_hiwat spds_params[2].spdsock_param_value 133 #define spds_max_buf spds_params[3].spdsock_param_value 134 #define spds_debug spds_params[4].spdsock_param_value 135 136 #define ss0dbg(a) printf a 137 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */ 138 #define ss1dbg(spds, a) if (spds->spds_debug != 0) printf a 139 #define ss2dbg(spds, a) if (spds->spds_debug > 1) printf a 140 #define ss3dbg(spds, a) if (spds->spds_debug > 2) printf a 141 142 #define RESET_SPDSOCK_DUMP_POLHEAD(ss, iph) { \ 143 ASSERT(RW_READ_HELD(&(iph)->iph_lock)); \ 144 (ss)->spdsock_dump_head = (iph); \ 145 (ss)->spdsock_dump_gen = (iph)->iph_gen; \ 146 (ss)->spdsock_dump_cur_type = 0; \ 147 (ss)->spdsock_dump_cur_af = IPSEC_AF_V4; \ 148 (ss)->spdsock_dump_cur_rule = NULL; \ 149 (ss)->spdsock_dump_count = 0; \ 150 (ss)->spdsock_dump_cur_chain = 0; \ 151 } 152 153 static int spdsock_close(queue_t *); 154 static int spdsock_open(queue_t *, dev_t *, int, int, cred_t *); 155 static void spdsock_wput(queue_t *, mblk_t *); 156 static void spdsock_wsrv(queue_t *); 157 static void spdsock_rsrv(queue_t *); 158 static void *spdsock_stack_init(netstackid_t stackid, netstack_t *ns); 159 static void spdsock_stack_shutdown(netstackid_t stackid, void *arg); 160 static void spdsock_stack_fini(netstackid_t stackid, void *arg); 161 static void spdsock_loadcheck(void *); 162 static void spdsock_merge_algs(spd_stack_t *); 163 static void spdsock_flush_one(ipsec_policy_head_t *, netstack_t *); 164 static mblk_t *spdsock_dump_next_record(spdsock_t *); 165 static void update_iptun_policy(ipsec_tun_pol_t *); 166 167 static struct module_info info = { 168 5138, "spdsock", 1, INFPSZ, 512, 128 169 }; 170 171 static struct qinit rinit = { 172 NULL, (pfi_t)spdsock_rsrv, spdsock_open, spdsock_close, 173 NULL, &info 174 }; 175 176 static struct qinit winit = { 177 (pfi_t)spdsock_wput, (pfi_t)spdsock_wsrv, NULL, NULL, NULL, &info 178 }; 179 180 struct streamtab spdsockinfo = { 181 &rinit, &winit 182 }; 183 184 /* mapping from alg type to protocol number, as per RFC 2407 */ 185 static const uint_t algproto[] = { 186 PROTO_IPSEC_AH, 187 PROTO_IPSEC_ESP, 188 }; 189 190 #define NALGPROTOS (sizeof (algproto) / sizeof (algproto[0])) 191 192 /* mapping from kernel exec mode to spdsock exec mode */ 193 static const uint_t execmodes[] = { 194 SPD_ALG_EXEC_MODE_SYNC, 195 SPD_ALG_EXEC_MODE_ASYNC 196 }; 197 198 #define NEXECMODES (sizeof (execmodes) / sizeof (execmodes[0])) 199 200 #define ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1) 201 #define ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2) 202 203 #define ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL) 204 205 /* ARGSUSED */ 206 static int 207 spdsock_param_get( 208 queue_t *q, 209 mblk_t *mp, 210 caddr_t cp, 211 cred_t *cr) 212 { 213 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp; 214 uint_t value; 215 spdsock_t *ss = (spdsock_t *)q->q_ptr; 216 spd_stack_t *spds = ss->spdsock_spds; 217 218 mutex_enter(&spds->spds_param_lock); 219 value = spdsockpa->spdsock_param_value; 220 mutex_exit(&spds->spds_param_lock); 221 222 (void) mi_mpprintf(mp, "%u", value); 223 return (0); 224 } 225 226 /* This routine sets an NDD variable in a spdsockparam_t structure. */ 227 /* ARGSUSED */ 228 static int 229 spdsock_param_set( 230 queue_t *q, 231 mblk_t *mp, 232 char *value, 233 caddr_t cp, 234 cred_t *cr) 235 { 236 ulong_t new_value; 237 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp; 238 spdsock_t *ss = (spdsock_t *)q->q_ptr; 239 spd_stack_t *spds = ss->spdsock_spds; 240 241 /* Convert the value from a string into a long integer. */ 242 if (ddi_strtoul(value, NULL, 10, &new_value) != 0) 243 return (EINVAL); 244 245 mutex_enter(&spds->spds_param_lock); 246 /* 247 * Fail the request if the new value does not lie within the 248 * required bounds. 249 */ 250 if (new_value < spdsockpa->spdsock_param_min || 251 new_value > spdsockpa->spdsock_param_max) { 252 mutex_exit(&spds->spds_param_lock); 253 return (EINVAL); 254 } 255 256 /* Set the new value */ 257 spdsockpa->spdsock_param_value = new_value; 258 mutex_exit(&spds->spds_param_lock); 259 260 return (0); 261 } 262 263 /* 264 * Initialize at module load time 265 */ 266 boolean_t 267 spdsock_ddi_init(void) 268 { 269 spdsock_max_optsize = optcom_max_optsize( 270 spdsock_opt_obj.odb_opt_des_arr, spdsock_opt_obj.odb_opt_arr_cnt); 271 272 spdsock_vmem = vmem_create("spdsock", (void *)1, MAXMIN, 1, 273 NULL, NULL, NULL, 1, VM_SLEEP | VMC_IDENTIFIER); 274 275 /* 276 * We want to be informed each time a stack is created or 277 * destroyed in the kernel, so we can maintain the 278 * set of spd_stack_t's. 279 */ 280 netstack_register(NS_SPDSOCK, spdsock_stack_init, 281 spdsock_stack_shutdown, spdsock_stack_fini); 282 283 return (B_TRUE); 284 } 285 286 /* 287 * Walk through the param array specified registering each element with the 288 * named dispatch handler. 289 */ 290 static boolean_t 291 spdsock_param_register(IDP *ndp, spdsockparam_t *ssp, int cnt) 292 { 293 for (; cnt-- > 0; ssp++) { 294 if (ssp->spdsock_param_name != NULL && 295 ssp->spdsock_param_name[0]) { 296 if (!nd_load(ndp, 297 ssp->spdsock_param_name, 298 spdsock_param_get, spdsock_param_set, 299 (caddr_t)ssp)) { 300 nd_free(ndp); 301 return (B_FALSE); 302 } 303 } 304 } 305 return (B_TRUE); 306 } 307 308 /* 309 * Initialize for each stack instance 310 */ 311 /* ARGSUSED */ 312 static void * 313 spdsock_stack_init(netstackid_t stackid, netstack_t *ns) 314 { 315 spd_stack_t *spds; 316 spdsockparam_t *ssp; 317 318 spds = (spd_stack_t *)kmem_zalloc(sizeof (*spds), KM_SLEEP); 319 spds->spds_netstack = ns; 320 321 ASSERT(spds->spds_g_nd == NULL); 322 323 ssp = (spdsockparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP); 324 spds->spds_params = ssp; 325 bcopy(lcl_param_arr, ssp, sizeof (lcl_param_arr)); 326 327 (void) spdsock_param_register(&spds->spds_g_nd, ssp, 328 A_CNT(lcl_param_arr)); 329 330 mutex_init(&spds->spds_param_lock, NULL, MUTEX_DEFAULT, NULL); 331 mutex_init(&spds->spds_alg_lock, NULL, MUTEX_DEFAULT, NULL); 332 333 return (spds); 334 } 335 336 void 337 spdsock_ddi_destroy(void) 338 { 339 vmem_destroy(spdsock_vmem); 340 341 netstack_unregister(NS_SPDSOCK); 342 } 343 344 /* 345 * Do pre-removal cleanup. 346 */ 347 /* ARGSUSED */ 348 static void 349 spdsock_stack_shutdown(netstackid_t stackid, void *arg) 350 { 351 spd_stack_t *spds = (spd_stack_t *)arg; 352 353 if (spds->spds_mp_algs != NULL) { 354 freemsg(spds->spds_mp_algs); 355 spds->spds_mp_algs = NULL; 356 } 357 } 358 359 /* ARGSUSED */ 360 static void 361 spdsock_stack_fini(netstackid_t stackid, void *arg) 362 { 363 spd_stack_t *spds = (spd_stack_t *)arg; 364 365 ASSERT(spds->spds_mp_algs == NULL); 366 mutex_destroy(&spds->spds_param_lock); 367 mutex_destroy(&spds->spds_alg_lock); 368 nd_free(&spds->spds_g_nd); 369 kmem_free(spds->spds_params, sizeof (lcl_param_arr)); 370 spds->spds_params = NULL; 371 372 kmem_free(spds, sizeof (*spds)); 373 } 374 375 /* 376 * NOTE: large quantities of this should be shared with keysock. 377 * Would be nice to combine some of this into a common module, but 378 * not possible given time pressures. 379 */ 380 381 /* 382 * High-level reality checking of extensions. 383 */ 384 /* ARGSUSED */ /* XXX */ 385 static boolean_t 386 ext_check(spd_ext_t *ext) 387 { 388 spd_if_t *tunname = (spd_if_t *)ext; 389 int i; 390 char *idstr; 391 392 if (ext->spd_ext_type == SPD_EXT_TUN_NAME) { 393 /* (NOTE: Modified from SADB_EXT_IDENTITY..) */ 394 395 /* 396 * Make sure the strings in these identities are 397 * null-terminated. Let's "proactively" null-terminate the 398 * string at the last byte if it's not terminated sooner. 399 */ 400 i = SPD_64TO8(tunname->spd_if_len) - sizeof (spd_if_t); 401 idstr = (char *)(tunname + 1); 402 while (*idstr != '\0' && i > 0) { 403 i--; 404 idstr++; 405 } 406 if (i == 0) { 407 /* 408 * I.e., if the bozo user didn't NULL-terminate the 409 * string... 410 */ 411 idstr--; 412 *idstr = '\0'; 413 } 414 } 415 return (B_TRUE); /* For now... */ 416 } 417 418 419 420 /* Return values for spdsock_get_ext(). */ 421 #define KGE_OK 0 422 #define KGE_DUP 1 423 #define KGE_UNK 2 424 #define KGE_LEN 3 425 #define KGE_CHK 4 426 427 /* 428 * Parse basic extension headers and return in the passed-in pointer vector. 429 * Return values include: 430 * 431 * KGE_OK Everything's nice and parsed out. 432 * If there are no extensions, place NULL in extv[0]. 433 * KGE_DUP There is a duplicate extension. 434 * First instance in appropriate bin. First duplicate in 435 * extv[0]. 436 * KGE_UNK Unknown extension type encountered. extv[0] contains 437 * unknown header. 438 * KGE_LEN Extension length error. 439 * KGE_CHK High-level reality check failed on specific extension. 440 * 441 * My apologies for some of the pointer arithmetic in here. I'm thinking 442 * like an assembly programmer, yet trying to make the compiler happy. 443 */ 444 static int 445 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize) 446 { 447 bzero(extv, sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1)); 448 449 /* Use extv[0] as the "current working pointer". */ 450 451 extv[0] = (spd_ext_t *)(basehdr + 1); 452 453 while (extv[0] < (spd_ext_t *)(((uint8_t *)basehdr) + msgsize)) { 454 /* Check for unknown headers. */ 455 if (extv[0]->spd_ext_type == 0 || 456 extv[0]->spd_ext_type > SPD_EXT_MAX) 457 return (KGE_UNK); 458 459 /* 460 * Check length. Use uint64_t because extlen is in units 461 * of 64-bit words. If length goes beyond the msgsize, 462 * return an error. (Zero length also qualifies here.) 463 */ 464 if (extv[0]->spd_ext_len == 0 || 465 (void *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) > 466 (void *)((uint8_t *)basehdr + msgsize)) 467 return (KGE_LEN); 468 469 /* Check for redundant headers. */ 470 if (extv[extv[0]->spd_ext_type] != NULL) 471 return (KGE_DUP); 472 473 /* 474 * Reality check the extension if possible at the spdsock 475 * level. 476 */ 477 if (!ext_check(extv[0])) 478 return (KGE_CHK); 479 480 /* If I make it here, assign the appropriate bin. */ 481 extv[extv[0]->spd_ext_type] = extv[0]; 482 483 /* Advance pointer (See above for uint64_t ptr reasoning.) */ 484 extv[0] = (spd_ext_t *) 485 ((uint64_t *)extv[0] + extv[0]->spd_ext_len); 486 } 487 488 /* Everything's cool. */ 489 490 /* 491 * If extv[0] == NULL, then there are no extension headers in this 492 * message. Ensure that this is the case. 493 */ 494 if (extv[0] == (spd_ext_t *)(basehdr + 1)) 495 extv[0] = NULL; 496 497 return (KGE_OK); 498 } 499 500 static const int bad_ext_diag[] = { 501 SPD_DIAGNOSTIC_MALFORMED_LCLPORT, 502 SPD_DIAGNOSTIC_MALFORMED_REMPORT, 503 SPD_DIAGNOSTIC_MALFORMED_PROTO, 504 SPD_DIAGNOSTIC_MALFORMED_LCLADDR, 505 SPD_DIAGNOSTIC_MALFORMED_REMADDR, 506 SPD_DIAGNOSTIC_MALFORMED_ACTION, 507 SPD_DIAGNOSTIC_MALFORMED_RULE, 508 SPD_DIAGNOSTIC_MALFORMED_RULESET, 509 SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE 510 }; 511 512 static const int dup_ext_diag[] = { 513 SPD_DIAGNOSTIC_DUPLICATE_LCLPORT, 514 SPD_DIAGNOSTIC_DUPLICATE_REMPORT, 515 SPD_DIAGNOSTIC_DUPLICATE_PROTO, 516 SPD_DIAGNOSTIC_DUPLICATE_LCLADDR, 517 SPD_DIAGNOSTIC_DUPLICATE_REMADDR, 518 SPD_DIAGNOSTIC_DUPLICATE_ACTION, 519 SPD_DIAGNOSTIC_DUPLICATE_RULE, 520 SPD_DIAGNOSTIC_DUPLICATE_RULESET, 521 SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE 522 }; 523 524 /* 525 * Transmit a PF_POLICY error message to the instance either pointed to 526 * by ks, the instance with serial number serial, or more, depending. 527 * 528 * The faulty message (or a reasonable facsimile thereof) is in mp. 529 * This function will free mp or recycle it for delivery, thereby causing 530 * the stream head to free it. 531 */ 532 static void 533 spdsock_error(queue_t *q, mblk_t *mp, int error, int diagnostic) 534 { 535 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 536 537 ASSERT(mp->b_datap->db_type == M_DATA); 538 539 if (spmsg->spd_msg_type < SPD_MIN || 540 spmsg->spd_msg_type > SPD_MAX) 541 spmsg->spd_msg_type = SPD_RESERVED; 542 543 /* 544 * Strip out extension headers. 545 */ 546 ASSERT(mp->b_rptr + sizeof (*spmsg) <= mp->b_datap->db_lim); 547 mp->b_wptr = mp->b_rptr + sizeof (*spmsg); 548 spmsg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t)); 549 spmsg->spd_msg_errno = (uint8_t)error; 550 spmsg->spd_msg_diagnostic = (uint16_t)diagnostic; 551 552 qreply(q, mp); 553 } 554 555 static void 556 spdsock_diag(queue_t *q, mblk_t *mp, int diagnostic) 557 { 558 spdsock_error(q, mp, EINVAL, diagnostic); 559 } 560 561 static void 562 spd_echo(queue_t *q, mblk_t *mp) 563 { 564 qreply(q, mp); 565 } 566 567 /* 568 * Do NOT consume a reference to itp. 569 */ 570 /*ARGSUSED*/ 571 static void 572 spdsock_flush_node(ipsec_tun_pol_t *itp, void *cookie, netstack_t *ns) 573 { 574 boolean_t active = (boolean_t)cookie; 575 ipsec_policy_head_t *iph; 576 577 iph = active ? itp->itp_policy : itp->itp_inactive; 578 IPPH_REFHOLD(iph); 579 mutex_enter(&itp->itp_lock); 580 spdsock_flush_one(iph, ns); /* Releases iph refhold. */ 581 if (active) 582 itp->itp_flags &= ~ITPF_PFLAGS; 583 else 584 itp->itp_flags &= ~ITPF_IFLAGS; 585 mutex_exit(&itp->itp_lock); 586 /* SPD_FLUSH is worth a tunnel MTU check. */ 587 update_iptun_policy(itp); 588 } 589 590 /* 591 * Clear out one polhead. 592 */ 593 static void 594 spdsock_flush_one(ipsec_policy_head_t *iph, netstack_t *ns) 595 { 596 rw_enter(&iph->iph_lock, RW_WRITER); 597 ipsec_polhead_flush(iph, ns); 598 rw_exit(&iph->iph_lock); 599 IPPH_REFRELE(iph, ns); 600 } 601 602 static void 603 spdsock_flush(queue_t *q, ipsec_policy_head_t *iph, ipsec_tun_pol_t *itp, 604 mblk_t *mp) 605 { 606 boolean_t active; 607 spdsock_t *ss = (spdsock_t *)q->q_ptr; 608 netstack_t *ns = ss->spdsock_spds->spds_netstack; 609 uint32_t auditing = AU_AUDITING(); 610 611 if (iph != ALL_ACTIVE_POLHEADS && iph != ALL_INACTIVE_POLHEADS) { 612 spdsock_flush_one(iph, ns); 613 if (auditing) { 614 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 615 cred_t *cr; 616 pid_t cpid; 617 618 cr = msg_getcred(mp, &cpid); 619 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 620 audit_pf_policy(SPD_FLUSH, cr, ns, 621 ITP_NAME(itp), active, 0, cpid); 622 } 623 } else { 624 active = (iph == ALL_ACTIVE_POLHEADS); 625 626 /* First flush the global policy. */ 627 spdsock_flush_one(active ? ipsec_system_policy(ns) : 628 ipsec_inactive_policy(ns), ns); 629 if (auditing) { 630 cred_t *cr; 631 pid_t cpid; 632 633 cr = msg_getcred(mp, &cpid); 634 audit_pf_policy(SPD_FLUSH, cr, ns, NULL, 635 active, 0, cpid); 636 } 637 /* Then flush every tunnel's appropriate one. */ 638 itp_walk(spdsock_flush_node, (void *)active, ns); 639 if (auditing) { 640 cred_t *cr; 641 pid_t cpid; 642 643 cr = msg_getcred(mp, &cpid); 644 audit_pf_policy(SPD_FLUSH, cr, ns, 645 "all tunnels", active, 0, cpid); 646 } 647 } 648 649 spd_echo(q, mp); 650 } 651 652 static boolean_t 653 spdsock_ext_to_sel(spd_ext_t **extv, ipsec_selkey_t *sel, int *diag) 654 { 655 bzero(sel, sizeof (*sel)); 656 657 if (extv[SPD_EXT_PROTO] != NULL) { 658 struct spd_proto *pr = 659 (struct spd_proto *)extv[SPD_EXT_PROTO]; 660 sel->ipsl_proto = pr->spd_proto_number; 661 sel->ipsl_valid |= IPSL_PROTOCOL; 662 } 663 if (extv[SPD_EXT_LCLPORT] != NULL) { 664 struct spd_portrange *pr = 665 (struct spd_portrange *)extv[SPD_EXT_LCLPORT]; 666 sel->ipsl_lport = pr->spd_ports_minport; 667 sel->ipsl_valid |= IPSL_LOCAL_PORT; 668 } 669 if (extv[SPD_EXT_REMPORT] != NULL) { 670 struct spd_portrange *pr = 671 (struct spd_portrange *)extv[SPD_EXT_REMPORT]; 672 sel->ipsl_rport = pr->spd_ports_minport; 673 sel->ipsl_valid |= IPSL_REMOTE_PORT; 674 } 675 676 if (extv[SPD_EXT_ICMP_TYPECODE] != NULL) { 677 struct spd_typecode *tc= 678 (struct spd_typecode *)extv[SPD_EXT_ICMP_TYPECODE]; 679 680 sel->ipsl_valid |= IPSL_ICMP_TYPE; 681 sel->ipsl_icmp_type = tc->spd_typecode_type; 682 if (tc->spd_typecode_type_end < tc->spd_typecode_type) 683 sel->ipsl_icmp_type_end = tc->spd_typecode_type; 684 else 685 sel->ipsl_icmp_type_end = tc->spd_typecode_type_end; 686 687 if (tc->spd_typecode_code != 255) { 688 sel->ipsl_valid |= IPSL_ICMP_CODE; 689 sel->ipsl_icmp_code = tc->spd_typecode_code; 690 if (tc->spd_typecode_code_end < tc->spd_typecode_code) 691 sel->ipsl_icmp_code_end = tc->spd_typecode_code; 692 else 693 sel->ipsl_icmp_code_end = 694 tc->spd_typecode_code_end; 695 } 696 } 697 #define ADDR2SEL(sel, extv, field, pfield, extn, bit) \ 698 if ((extv)[(extn)] != NULL) { \ 699 uint_t addrlen; \ 700 struct spd_address *ap = \ 701 (struct spd_address *)((extv)[(extn)]); \ 702 addrlen = (ap->spd_address_af == AF_INET6) ? \ 703 IPV6_ADDR_LEN : IP_ADDR_LEN; \ 704 if (SPD_64TO8(ap->spd_address_len) < \ 705 (addrlen + sizeof (*ap))) { \ 706 *diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN; \ 707 return (B_FALSE); \ 708 } \ 709 bcopy((ap+1), &((sel)->field), addrlen); \ 710 (sel)->pfield = ap->spd_address_prefixlen; \ 711 (sel)->ipsl_valid |= (bit); \ 712 (sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ? \ 713 IPSL_IPV6 : IPSL_IPV4; \ 714 } 715 716 ADDR2SEL(sel, extv, ipsl_local, ipsl_local_pfxlen, 717 SPD_EXT_LCLADDR, IPSL_LOCAL_ADDR); 718 ADDR2SEL(sel, extv, ipsl_remote, ipsl_remote_pfxlen, 719 SPD_EXT_REMADDR, IPSL_REMOTE_ADDR); 720 721 if ((sel->ipsl_valid & (IPSL_IPV6|IPSL_IPV4)) == 722 (IPSL_IPV6|IPSL_IPV4)) { 723 *diag = SPD_DIAGNOSTIC_MIXED_AF; 724 return (B_FALSE); 725 } 726 727 #undef ADDR2SEL 728 729 return (B_TRUE); 730 } 731 732 static boolean_t 733 spd_convert_type(uint32_t type, ipsec_act_t *act) 734 { 735 switch (type) { 736 case SPD_ACTTYPE_DROP: 737 act->ipa_type = IPSEC_ACT_DISCARD; 738 return (B_TRUE); 739 740 case SPD_ACTTYPE_PASS: 741 act->ipa_type = IPSEC_ACT_CLEAR; 742 return (B_TRUE); 743 744 case SPD_ACTTYPE_IPSEC: 745 act->ipa_type = IPSEC_ACT_APPLY; 746 return (B_TRUE); 747 } 748 return (B_FALSE); 749 } 750 751 static boolean_t 752 spd_convert_flags(uint32_t flags, ipsec_act_t *act) 753 { 754 /* 755 * Note use of !! for boolean canonicalization. 756 */ 757 act->ipa_apply.ipp_use_ah = !!(flags & SPD_APPLY_AH); 758 act->ipa_apply.ipp_use_esp = !!(flags & SPD_APPLY_ESP); 759 act->ipa_apply.ipp_use_espa = !!(flags & SPD_APPLY_ESPA); 760 act->ipa_apply.ipp_use_se = !!(flags & SPD_APPLY_SE); 761 act->ipa_apply.ipp_use_unique = !!(flags & SPD_APPLY_UNIQUE); 762 return (B_TRUE); 763 } 764 765 static void 766 spdsock_reset_act(ipsec_act_t *act) 767 { 768 bzero(act, sizeof (*act)); 769 act->ipa_apply.ipp_espe_maxbits = IPSEC_MAX_KEYBITS; 770 act->ipa_apply.ipp_espa_maxbits = IPSEC_MAX_KEYBITS; 771 act->ipa_apply.ipp_ah_maxbits = IPSEC_MAX_KEYBITS; 772 } 773 774 /* 775 * Sanity check action against reality, and shrink-wrap key sizes.. 776 */ 777 static boolean_t 778 spdsock_check_action(ipsec_act_t *act, boolean_t tunnel_polhead, int *diag, 779 spd_stack_t *spds) 780 { 781 if (tunnel_polhead && act->ipa_apply.ipp_use_unique) { 782 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 783 return (B_FALSE); 784 } 785 if ((act->ipa_type != IPSEC_ACT_APPLY) && 786 (act->ipa_apply.ipp_use_ah || 787 act->ipa_apply.ipp_use_esp || 788 act->ipa_apply.ipp_use_espa || 789 act->ipa_apply.ipp_use_se || 790 act->ipa_apply.ipp_use_unique)) { 791 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 792 return (B_FALSE); 793 } 794 if ((act->ipa_type == IPSEC_ACT_APPLY) && 795 !act->ipa_apply.ipp_use_ah && 796 !act->ipa_apply.ipp_use_esp) { 797 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 798 return (B_FALSE); 799 } 800 return (ipsec_check_action(act, diag, spds->spds_netstack)); 801 } 802 803 /* 804 * We may be short a few error checks here.. 805 */ 806 static boolean_t 807 spdsock_ext_to_actvec(spd_ext_t **extv, ipsec_act_t **actpp, uint_t *nactp, 808 int *diag, spd_stack_t *spds) 809 { 810 struct spd_ext_actions *sactp = 811 (struct spd_ext_actions *)extv[SPD_EXT_ACTION]; 812 ipsec_act_t act, *actp, *endactp; 813 struct spd_attribute *attrp, *endattrp; 814 uint64_t *endp; 815 int nact; 816 boolean_t tunnel_polhead; 817 818 tunnel_polhead = (extv[SPD_EXT_TUN_NAME] != NULL && 819 (((struct spd_rule *)extv[SPD_EXT_RULE])->spd_rule_flags & 820 SPD_RULE_FLAG_TUNNEL)); 821 822 *actpp = NULL; 823 *nactp = 0; 824 825 if (sactp == NULL) { 826 *diag = SPD_DIAGNOSTIC_NO_ACTION_EXT; 827 return (B_FALSE); 828 } 829 830 /* 831 * Parse the "action" extension and convert into an action chain. 832 */ 833 834 nact = sactp->spd_actions_count; 835 836 endp = (uint64_t *)sactp; 837 endp += sactp->spd_actions_len; 838 endattrp = (struct spd_attribute *)endp; 839 840 actp = kmem_alloc(sizeof (*actp) * nact, KM_NOSLEEP); 841 if (actp == NULL) { 842 *diag = SPD_DIAGNOSTIC_ADD_NO_MEM; 843 return (B_FALSE); 844 } 845 *actpp = actp; 846 *nactp = nact; 847 endactp = actp + nact; 848 849 spdsock_reset_act(&act); 850 attrp = (struct spd_attribute *)(&sactp[1]); 851 852 for (; attrp < endattrp; attrp++) { 853 switch (attrp->spd_attr_tag) { 854 case SPD_ATTR_NOP: 855 break; 856 857 case SPD_ATTR_EMPTY: 858 spdsock_reset_act(&act); 859 break; 860 861 case SPD_ATTR_END: 862 attrp = endattrp; 863 /* FALLTHRU */ 864 case SPD_ATTR_NEXT: 865 if (actp >= endactp) { 866 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT; 867 goto fail; 868 } 869 if (!spdsock_check_action(&act, tunnel_polhead, 870 diag, spds)) 871 goto fail; 872 *actp++ = act; 873 spdsock_reset_act(&act); 874 break; 875 876 case SPD_ATTR_TYPE: 877 if (!spd_convert_type(attrp->spd_attr_value, &act)) { 878 *diag = SPD_DIAGNOSTIC_ADD_BAD_TYPE; 879 goto fail; 880 } 881 break; 882 883 case SPD_ATTR_FLAGS: 884 if (!tunnel_polhead && extv[SPD_EXT_TUN_NAME] != NULL) { 885 /* 886 * Set "sa unique" for transport-mode 887 * tunnels whether we want to or not. 888 */ 889 attrp->spd_attr_value |= SPD_APPLY_UNIQUE; 890 } 891 if (!spd_convert_flags(attrp->spd_attr_value, &act)) { 892 *diag = SPD_DIAGNOSTIC_ADD_BAD_FLAGS; 893 goto fail; 894 } 895 break; 896 897 case SPD_ATTR_AH_AUTH: 898 if (attrp->spd_attr_value == 0) { 899 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG; 900 goto fail; 901 } 902 act.ipa_apply.ipp_auth_alg = attrp->spd_attr_value; 903 break; 904 905 case SPD_ATTR_ESP_ENCR: 906 if (attrp->spd_attr_value == 0) { 907 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG; 908 goto fail; 909 } 910 act.ipa_apply.ipp_encr_alg = attrp->spd_attr_value; 911 break; 912 913 case SPD_ATTR_ESP_AUTH: 914 if (attrp->spd_attr_value == 0) { 915 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG; 916 goto fail; 917 } 918 act.ipa_apply.ipp_esp_auth_alg = attrp->spd_attr_value; 919 break; 920 921 case SPD_ATTR_ENCR_MINBITS: 922 act.ipa_apply.ipp_espe_minbits = attrp->spd_attr_value; 923 break; 924 925 case SPD_ATTR_ENCR_MAXBITS: 926 act.ipa_apply.ipp_espe_maxbits = attrp->spd_attr_value; 927 break; 928 929 case SPD_ATTR_AH_MINBITS: 930 act.ipa_apply.ipp_ah_minbits = attrp->spd_attr_value; 931 break; 932 933 case SPD_ATTR_AH_MAXBITS: 934 act.ipa_apply.ipp_ah_maxbits = attrp->spd_attr_value; 935 break; 936 937 case SPD_ATTR_ESPA_MINBITS: 938 act.ipa_apply.ipp_espa_minbits = attrp->spd_attr_value; 939 break; 940 941 case SPD_ATTR_ESPA_MAXBITS: 942 act.ipa_apply.ipp_espa_maxbits = attrp->spd_attr_value; 943 break; 944 945 case SPD_ATTR_LIFE_SOFT_TIME: 946 case SPD_ATTR_LIFE_HARD_TIME: 947 case SPD_ATTR_LIFE_SOFT_BYTES: 948 case SPD_ATTR_LIFE_HARD_BYTES: 949 break; 950 951 case SPD_ATTR_KM_PROTO: 952 act.ipa_apply.ipp_km_proto = attrp->spd_attr_value; 953 break; 954 955 case SPD_ATTR_KM_COOKIE: 956 act.ipa_apply.ipp_km_cookie = attrp->spd_attr_value; 957 break; 958 959 case SPD_ATTR_REPLAY_DEPTH: 960 act.ipa_apply.ipp_replay_depth = attrp->spd_attr_value; 961 break; 962 } 963 } 964 if (actp != endactp) { 965 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT; 966 goto fail; 967 } 968 969 return (B_TRUE); 970 fail: 971 ipsec_actvec_free(*actpp, nact); 972 *actpp = NULL; 973 return (B_FALSE); 974 } 975 976 typedef struct 977 { 978 ipsec_policy_t *pol; 979 int dir; 980 } tmprule_t; 981 982 static int 983 mkrule(ipsec_policy_head_t *iph, struct spd_rule *rule, 984 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t af, 985 tmprule_t **rp, uint64_t *index, spd_stack_t *spds) 986 { 987 ipsec_policy_t *pol; 988 989 sel->ipsl_valid &= ~(IPSL_IPV6|IPSL_IPV4); 990 sel->ipsl_valid |= af; 991 992 pol = ipsec_policy_create(sel, actp, nact, rule->spd_rule_priority, 993 index, spds->spds_netstack); 994 if (pol == NULL) 995 return (ENOMEM); 996 997 (*rp)->pol = pol; 998 (*rp)->dir = dir; 999 (*rp)++; 1000 1001 if (!ipsec_check_policy(iph, pol, dir)) 1002 return (EEXIST); 1003 1004 rule->spd_rule_index = pol->ipsp_index; 1005 return (0); 1006 } 1007 1008 static int 1009 mkrulepair(ipsec_policy_head_t *iph, struct spd_rule *rule, 1010 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t afs, 1011 tmprule_t **rp, uint64_t *index, spd_stack_t *spds) 1012 { 1013 int error; 1014 1015 if (afs & IPSL_IPV4) { 1016 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV4, rp, 1017 index, spds); 1018 if (error != 0) 1019 return (error); 1020 } 1021 if (afs & IPSL_IPV6) { 1022 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV6, rp, 1023 index, spds); 1024 if (error != 0) 1025 return (error); 1026 } 1027 return (0); 1028 } 1029 1030 1031 static void 1032 spdsock_addrule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1033 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1034 { 1035 ipsec_selkey_t sel; 1036 ipsec_act_t *actp; 1037 uint_t nact; 1038 int diag = 0, error, afs; 1039 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE]; 1040 tmprule_t rules[4], *rulep = &rules[0]; 1041 boolean_t tunnel_mode, empty_itp, active; 1042 uint64_t *index = (itp == NULL) ? NULL : &itp->itp_next_policy_index; 1043 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1044 spd_stack_t *spds = ss->spdsock_spds; 1045 uint32_t auditing = AU_AUDITING(); 1046 1047 if (rule == NULL) { 1048 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT); 1049 if (auditing) { 1050 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1051 cred_t *cr; 1052 pid_t cpid; 1053 1054 cr = msg_getcred(mp, &cpid); 1055 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1056 audit_pf_policy(SPD_ADDRULE, cr, 1057 spds->spds_netstack, ITP_NAME(itp), active, 1058 SPD_DIAGNOSTIC_NO_RULE_EXT, cpid); 1059 } 1060 return; 1061 } 1062 1063 tunnel_mode = (rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL); 1064 1065 if (itp != NULL) { 1066 mutex_enter(&itp->itp_lock); 1067 ASSERT(itp->itp_policy == iph || itp->itp_inactive == iph); 1068 active = (itp->itp_policy == iph); 1069 if (ITP_P_ISACTIVE(itp, iph)) { 1070 /* Check for mix-and-match of tunnel/transport. */ 1071 if ((tunnel_mode && !ITP_P_ISTUNNEL(itp, iph)) || 1072 (!tunnel_mode && ITP_P_ISTUNNEL(itp, iph))) { 1073 mutex_exit(&itp->itp_lock); 1074 spdsock_error(q, mp, EBUSY, 0); 1075 return; 1076 } 1077 empty_itp = B_FALSE; 1078 } else { 1079 empty_itp = B_TRUE; 1080 itp->itp_flags = active ? ITPF_P_ACTIVE : ITPF_I_ACTIVE; 1081 if (tunnel_mode) 1082 itp->itp_flags |= active ? ITPF_P_TUNNEL : 1083 ITPF_I_TUNNEL; 1084 } 1085 } else { 1086 empty_itp = B_FALSE; 1087 } 1088 1089 if (rule->spd_rule_index != 0) { 1090 diag = SPD_DIAGNOSTIC_INVALID_RULE_INDEX; 1091 error = EINVAL; 1092 goto fail2; 1093 } 1094 1095 if (!spdsock_ext_to_sel(extv, &sel, &diag)) { 1096 error = EINVAL; 1097 goto fail2; 1098 } 1099 1100 if (itp != NULL) { 1101 if (tunnel_mode) { 1102 if (sel.ipsl_valid & 1103 (IPSL_REMOTE_PORT | IPSL_LOCAL_PORT)) { 1104 itp->itp_flags |= active ? 1105 ITPF_P_PER_PORT_SECURITY : 1106 ITPF_I_PER_PORT_SECURITY; 1107 } 1108 } else { 1109 /* 1110 * For now, we don't allow transport-mode on a tunnel 1111 * with ANY specific selectors. Bail if we have such 1112 * a request. 1113 */ 1114 if (sel.ipsl_valid & IPSL_WILDCARD) { 1115 diag = SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS; 1116 error = EINVAL; 1117 goto fail2; 1118 } 1119 } 1120 } 1121 1122 if (!spdsock_ext_to_actvec(extv, &actp, &nact, &diag, spds)) { 1123 error = EINVAL; 1124 goto fail2; 1125 } 1126 /* 1127 * If no addresses were specified, add both. 1128 */ 1129 afs = sel.ipsl_valid & (IPSL_IPV6|IPSL_IPV4); 1130 if (afs == 0) 1131 afs = (IPSL_IPV6|IPSL_IPV4); 1132 1133 rw_enter(&iph->iph_lock, RW_WRITER); 1134 1135 if (rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) { 1136 error = mkrulepair(iph, rule, &sel, actp, nact, 1137 IPSEC_TYPE_OUTBOUND, afs, &rulep, index, spds); 1138 if (error != 0) 1139 goto fail; 1140 } 1141 1142 if (rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) { 1143 error = mkrulepair(iph, rule, &sel, actp, nact, 1144 IPSEC_TYPE_INBOUND, afs, &rulep, index, spds); 1145 if (error != 0) 1146 goto fail; 1147 } 1148 1149 while ((--rulep) >= &rules[0]) { 1150 ipsec_enter_policy(iph, rulep->pol, rulep->dir, 1151 spds->spds_netstack); 1152 } 1153 rw_exit(&iph->iph_lock); 1154 if (itp != NULL) 1155 mutex_exit(&itp->itp_lock); 1156 1157 ipsec_actvec_free(actp, nact); 1158 spd_echo(q, mp); 1159 if (auditing) { 1160 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1161 cred_t *cr; 1162 pid_t cpid; 1163 1164 cr = msg_getcred(mp, &cpid); 1165 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1166 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack, 1167 ITP_NAME(itp), active, 0, cpid); 1168 } 1169 return; 1170 1171 fail: 1172 rw_exit(&iph->iph_lock); 1173 while ((--rulep) >= &rules[0]) 1174 IPPOL_REFRELE(rulep->pol); 1175 ipsec_actvec_free(actp, nact); 1176 fail2: 1177 if (itp != NULL) { 1178 if (empty_itp) 1179 itp->itp_flags = 0; 1180 mutex_exit(&itp->itp_lock); 1181 } 1182 spdsock_error(q, mp, error, diag); 1183 if (auditing) { 1184 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1185 cred_t *cr; 1186 pid_t cpid; 1187 1188 cr = msg_getcred(mp, &cpid); 1189 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1190 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack, 1191 ITP_NAME(itp), active, error, cpid); 1192 } 1193 } 1194 1195 void 1196 spdsock_deleterule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1197 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1198 { 1199 ipsec_selkey_t sel; 1200 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE]; 1201 int err, diag = 0; 1202 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1203 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1204 uint32_t auditing = AU_AUDITING(); 1205 1206 if (rule == NULL) { 1207 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT); 1208 if (auditing) { 1209 boolean_t active; 1210 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1211 cred_t *cr; 1212 pid_t cpid; 1213 1214 cr = msg_getcred(mp, &cpid); 1215 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1216 audit_pf_policy(SPD_DELETERULE, cr, ns, 1217 ITP_NAME(itp), active, SPD_DIAGNOSTIC_NO_RULE_EXT, 1218 cpid); 1219 } 1220 return; 1221 } 1222 1223 /* 1224 * Must enter itp_lock first to avoid deadlock. See tun.c's 1225 * set_sec_simple() for the other case of itp_lock and iph_lock. 1226 */ 1227 if (itp != NULL) 1228 mutex_enter(&itp->itp_lock); 1229 1230 if (rule->spd_rule_index != 0) { 1231 if (ipsec_policy_delete_index(iph, rule->spd_rule_index, ns) != 1232 0) { 1233 err = ESRCH; 1234 goto fail; 1235 } 1236 } else { 1237 if (!spdsock_ext_to_sel(extv, &sel, &diag)) { 1238 err = EINVAL; /* diag already set... */ 1239 goto fail; 1240 } 1241 1242 if ((rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) && 1243 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_INBOUND, ns)) { 1244 err = ESRCH; 1245 goto fail; 1246 } 1247 1248 if ((rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) && 1249 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_OUTBOUND, ns)) { 1250 err = ESRCH; 1251 goto fail; 1252 } 1253 } 1254 1255 if (itp != NULL) { 1256 ASSERT(iph == itp->itp_policy || iph == itp->itp_inactive); 1257 rw_enter(&iph->iph_lock, RW_READER); 1258 if (avl_numnodes(&iph->iph_rulebyid) == 0) { 1259 if (iph == itp->itp_policy) 1260 itp->itp_flags &= ~ITPF_PFLAGS; 1261 else 1262 itp->itp_flags &= ~ITPF_IFLAGS; 1263 } 1264 /* Can exit locks in any order. */ 1265 rw_exit(&iph->iph_lock); 1266 mutex_exit(&itp->itp_lock); 1267 } 1268 spd_echo(q, mp); 1269 if (auditing) { 1270 boolean_t active; 1271 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1272 cred_t *cr; 1273 pid_t cpid; 1274 1275 cr = msg_getcred(mp, &cpid); 1276 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1277 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp), 1278 active, 0, cpid); 1279 } 1280 return; 1281 fail: 1282 if (itp != NULL) 1283 mutex_exit(&itp->itp_lock); 1284 spdsock_error(q, mp, err, diag); 1285 if (auditing) { 1286 boolean_t active; 1287 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1288 cred_t *cr; 1289 pid_t cpid; 1290 1291 cr = msg_getcred(mp, &cpid); 1292 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1293 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp), 1294 active, err, cpid); 1295 } 1296 } 1297 1298 /* Do NOT consume a reference to itp. */ 1299 /* ARGSUSED */ 1300 static void 1301 spdsock_flip_node(ipsec_tun_pol_t *itp, void *ignoreme, netstack_t *ns) 1302 { 1303 mutex_enter(&itp->itp_lock); 1304 ITPF_SWAP(itp->itp_flags); 1305 ipsec_swap_policy(itp->itp_policy, itp->itp_inactive, ns); 1306 mutex_exit(&itp->itp_lock); 1307 /* SPD_FLIP is worth a tunnel MTU check. */ 1308 update_iptun_policy(itp); 1309 } 1310 1311 void 1312 spdsock_flip(queue_t *q, mblk_t *mp, spd_if_t *tunname) 1313 { 1314 char *tname; 1315 ipsec_tun_pol_t *itp; 1316 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1317 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1318 uint32_t auditing = AU_AUDITING(); 1319 1320 if (tunname != NULL) { 1321 tname = (char *)tunname->spd_if_name; 1322 if (*tname == '\0') { 1323 /* can't fail */ 1324 ipsec_swap_global_policy(ns); 1325 if (auditing) { 1326 boolean_t active; 1327 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1328 cred_t *cr; 1329 pid_t cpid; 1330 1331 cr = msg_getcred(mp, &cpid); 1332 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1333 audit_pf_policy(SPD_FLIP, cr, ns, 1334 NULL, active, 0, cpid); 1335 } 1336 itp_walk(spdsock_flip_node, NULL, ns); 1337 if (auditing) { 1338 boolean_t active; 1339 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1340 cred_t *cr; 1341 pid_t cpid; 1342 1343 cr = msg_getcred(mp, &cpid); 1344 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1345 audit_pf_policy(SPD_FLIP, cr, ns, 1346 "all tunnels", active, 0, cpid); 1347 } 1348 } else { 1349 itp = get_tunnel_policy(tname, ns); 1350 if (itp == NULL) { 1351 /* Better idea for "tunnel not found"? */ 1352 spdsock_error(q, mp, ESRCH, 0); 1353 if (auditing) { 1354 boolean_t active; 1355 spd_msg_t *spmsg = 1356 (spd_msg_t *)mp->b_rptr; 1357 cred_t *cr; 1358 pid_t cpid; 1359 1360 cr = msg_getcred(mp, &cpid); 1361 active = (spmsg->spd_msg_spdid == 1362 SPD_ACTIVE); 1363 audit_pf_policy(SPD_FLIP, cr, ns, 1364 ITP_NAME(itp), active, 1365 ESRCH, cpid); 1366 } 1367 return; 1368 } 1369 spdsock_flip_node(itp, NULL, ns); 1370 if (auditing) { 1371 boolean_t active; 1372 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1373 cred_t *cr; 1374 pid_t cpid; 1375 1376 cr = msg_getcred(mp, &cpid); 1377 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1378 audit_pf_policy(SPD_FLIP, cr, ns, 1379 ITP_NAME(itp), active, 0, cpid); 1380 } 1381 ITP_REFRELE(itp, ns); 1382 } 1383 } else { 1384 ipsec_swap_global_policy(ns); /* can't fail */ 1385 if (auditing) { 1386 boolean_t active; 1387 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1388 cred_t *cr; 1389 pid_t cpid; 1390 1391 cr = msg_getcred(mp, &cpid); 1392 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1393 audit_pf_policy(SPD_FLIP, cr, 1394 ns, NULL, active, 0, cpid); 1395 } 1396 } 1397 spd_echo(q, mp); 1398 } 1399 1400 /* 1401 * Unimplemented feature 1402 */ 1403 /* ARGSUSED */ 1404 static void 1405 spdsock_lookup(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1406 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1407 { 1408 spdsock_error(q, mp, EINVAL, 0); 1409 } 1410 1411 1412 static mblk_t * 1413 spdsock_dump_ruleset(mblk_t *req, ipsec_policy_head_t *iph, 1414 uint32_t count, uint16_t error) 1415 { 1416 size_t len = sizeof (spd_ruleset_ext_t) + sizeof (spd_msg_t); 1417 spd_msg_t *msg; 1418 spd_ruleset_ext_t *ruleset; 1419 mblk_t *m = allocb(len, BPRI_HI); 1420 1421 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1422 1423 if (m == NULL) { 1424 return (NULL); 1425 } 1426 msg = (spd_msg_t *)m->b_rptr; 1427 ruleset = (spd_ruleset_ext_t *)(&msg[1]); 1428 1429 m->b_wptr = (uint8_t *)&ruleset[1]; 1430 1431 *msg = *(spd_msg_t *)(req->b_rptr); 1432 msg->spd_msg_len = SPD_8TO64(len); 1433 msg->spd_msg_errno = error; 1434 1435 ruleset->spd_ruleset_len = SPD_8TO64(sizeof (*ruleset)); 1436 ruleset->spd_ruleset_type = SPD_EXT_RULESET; 1437 ruleset->spd_ruleset_count = count; 1438 ruleset->spd_ruleset_version = iph->iph_gen; 1439 return (m); 1440 } 1441 1442 static mblk_t * 1443 spdsock_dump_finish(spdsock_t *ss, int error) 1444 { 1445 mblk_t *m; 1446 ipsec_policy_head_t *iph = ss->spdsock_dump_head; 1447 mblk_t *req = ss->spdsock_dump_req; 1448 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1449 1450 rw_enter(&iph->iph_lock, RW_READER); 1451 m = spdsock_dump_ruleset(req, iph, ss->spdsock_dump_count, error); 1452 rw_exit(&iph->iph_lock); 1453 IPPH_REFRELE(iph, ns); 1454 if (ss->spdsock_itp != NULL) { 1455 ITP_REFRELE(ss->spdsock_itp, ns); 1456 ss->spdsock_itp = NULL; 1457 } 1458 ss->spdsock_dump_req = NULL; 1459 freemsg(req); 1460 1461 return (m); 1462 } 1463 1464 /* 1465 * Rule encoding functions. 1466 * We do a two-pass encode. 1467 * If base != NULL, fill in encoded rule part starting at base+offset. 1468 * Always return "offset" plus length of to-be-encoded data. 1469 */ 1470 static uint_t 1471 spdsock_encode_typecode(uint8_t *base, uint_t offset, uint8_t type, 1472 uint8_t type_end, uint8_t code, uint8_t code_end) 1473 { 1474 struct spd_typecode *tcp; 1475 1476 ASSERT(ALIGNED64(offset)); 1477 1478 if (base != NULL) { 1479 tcp = (struct spd_typecode *)(base + offset); 1480 tcp->spd_typecode_len = SPD_8TO64(sizeof (*tcp)); 1481 tcp->spd_typecode_exttype = SPD_EXT_ICMP_TYPECODE; 1482 tcp->spd_typecode_code = code; 1483 tcp->spd_typecode_type = type; 1484 tcp->spd_typecode_type_end = type_end; 1485 tcp->spd_typecode_code_end = code_end; 1486 } 1487 offset += sizeof (*tcp); 1488 1489 ASSERT(ALIGNED64(offset)); 1490 1491 return (offset); 1492 } 1493 1494 static uint_t 1495 spdsock_encode_proto(uint8_t *base, uint_t offset, uint8_t proto) 1496 { 1497 struct spd_proto *spp; 1498 1499 ASSERT(ALIGNED64(offset)); 1500 1501 if (base != NULL) { 1502 spp = (struct spd_proto *)(base + offset); 1503 spp->spd_proto_len = SPD_8TO64(sizeof (*spp)); 1504 spp->spd_proto_exttype = SPD_EXT_PROTO; 1505 spp->spd_proto_number = proto; 1506 spp->spd_proto_reserved1 = 0; 1507 spp->spd_proto_reserved2 = 0; 1508 } 1509 offset += sizeof (*spp); 1510 1511 ASSERT(ALIGNED64(offset)); 1512 1513 return (offset); 1514 } 1515 1516 static uint_t 1517 spdsock_encode_port(uint8_t *base, uint_t offset, uint16_t ext, uint16_t port) 1518 { 1519 struct spd_portrange *spp; 1520 1521 ASSERT(ALIGNED64(offset)); 1522 1523 if (base != NULL) { 1524 spp = (struct spd_portrange *)(base + offset); 1525 spp->spd_ports_len = SPD_8TO64(sizeof (*spp)); 1526 spp->spd_ports_exttype = ext; 1527 spp->spd_ports_minport = port; 1528 spp->spd_ports_maxport = port; 1529 } 1530 offset += sizeof (*spp); 1531 1532 ASSERT(ALIGNED64(offset)); 1533 1534 return (offset); 1535 } 1536 1537 static uint_t 1538 spdsock_encode_addr(uint8_t *base, uint_t offset, uint16_t ext, 1539 const ipsec_selkey_t *sel, const ipsec_addr_t *addr, uint_t pfxlen) 1540 { 1541 struct spd_address *sae; 1542 ipsec_addr_t *spdaddr; 1543 uint_t start = offset; 1544 uint_t addrlen; 1545 uint_t af; 1546 1547 if (sel->ipsl_valid & IPSL_IPV4) { 1548 af = AF_INET; 1549 addrlen = IP_ADDR_LEN; 1550 } else { 1551 af = AF_INET6; 1552 addrlen = IPV6_ADDR_LEN; 1553 } 1554 1555 ASSERT(ALIGNED64(offset)); 1556 1557 if (base != NULL) { 1558 sae = (struct spd_address *)(base + offset); 1559 sae->spd_address_exttype = ext; 1560 sae->spd_address_af = af; 1561 sae->spd_address_prefixlen = pfxlen; 1562 sae->spd_address_reserved2 = 0; 1563 1564 spdaddr = (ipsec_addr_t *)(&sae[1]); 1565 bcopy(addr, spdaddr, addrlen); 1566 } 1567 offset += sizeof (*sae); 1568 addrlen = roundup(addrlen, sizeof (uint64_t)); 1569 offset += addrlen; 1570 1571 ASSERT(ALIGNED64(offset)); 1572 1573 if (base != NULL) 1574 sae->spd_address_len = SPD_8TO64(offset - start); 1575 return (offset); 1576 } 1577 1578 static uint_t 1579 spdsock_encode_sel(uint8_t *base, uint_t offset, const ipsec_sel_t *sel) 1580 { 1581 const ipsec_selkey_t *selkey = &sel->ipsl_key; 1582 1583 if (selkey->ipsl_valid & IPSL_PROTOCOL) 1584 offset = spdsock_encode_proto(base, offset, selkey->ipsl_proto); 1585 if (selkey->ipsl_valid & IPSL_LOCAL_PORT) 1586 offset = spdsock_encode_port(base, offset, SPD_EXT_LCLPORT, 1587 selkey->ipsl_lport); 1588 if (selkey->ipsl_valid & IPSL_REMOTE_PORT) 1589 offset = spdsock_encode_port(base, offset, SPD_EXT_REMPORT, 1590 selkey->ipsl_rport); 1591 if (selkey->ipsl_valid & IPSL_REMOTE_ADDR) 1592 offset = spdsock_encode_addr(base, offset, SPD_EXT_REMADDR, 1593 selkey, &selkey->ipsl_remote, selkey->ipsl_remote_pfxlen); 1594 if (selkey->ipsl_valid & IPSL_LOCAL_ADDR) 1595 offset = spdsock_encode_addr(base, offset, SPD_EXT_LCLADDR, 1596 selkey, &selkey->ipsl_local, selkey->ipsl_local_pfxlen); 1597 if (selkey->ipsl_valid & IPSL_ICMP_TYPE) { 1598 offset = spdsock_encode_typecode(base, offset, 1599 selkey->ipsl_icmp_type, selkey->ipsl_icmp_type_end, 1600 (selkey->ipsl_valid & IPSL_ICMP_CODE) ? 1601 selkey->ipsl_icmp_code : 255, 1602 (selkey->ipsl_valid & IPSL_ICMP_CODE) ? 1603 selkey->ipsl_icmp_code_end : 255); 1604 } 1605 return (offset); 1606 } 1607 1608 static uint_t 1609 spdsock_encode_actattr(uint8_t *base, uint_t offset, uint32_t tag, 1610 uint32_t value) 1611 { 1612 struct spd_attribute *attr; 1613 1614 ASSERT(ALIGNED64(offset)); 1615 1616 if (base != NULL) { 1617 attr = (struct spd_attribute *)(base + offset); 1618 attr->spd_attr_tag = tag; 1619 attr->spd_attr_value = value; 1620 } 1621 offset += sizeof (struct spd_attribute); 1622 1623 ASSERT(ALIGNED64(offset)); 1624 1625 return (offset); 1626 } 1627 1628 1629 #define EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v)) 1630 1631 static uint_t 1632 spdsock_encode_action(uint8_t *base, uint_t offset, const ipsec_action_t *ap) 1633 { 1634 const struct ipsec_act *act = &(ap->ipa_act); 1635 uint_t flags; 1636 1637 EMIT(SPD_ATTR_EMPTY, 0); 1638 switch (act->ipa_type) { 1639 case IPSEC_ACT_DISCARD: 1640 case IPSEC_ACT_REJECT: 1641 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_DROP); 1642 break; 1643 case IPSEC_ACT_BYPASS: 1644 case IPSEC_ACT_CLEAR: 1645 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_PASS); 1646 break; 1647 1648 case IPSEC_ACT_APPLY: 1649 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_IPSEC); 1650 flags = 0; 1651 if (act->ipa_apply.ipp_use_ah) 1652 flags |= SPD_APPLY_AH; 1653 if (act->ipa_apply.ipp_use_esp) 1654 flags |= SPD_APPLY_ESP; 1655 if (act->ipa_apply.ipp_use_espa) 1656 flags |= SPD_APPLY_ESPA; 1657 if (act->ipa_apply.ipp_use_se) 1658 flags |= SPD_APPLY_SE; 1659 if (act->ipa_apply.ipp_use_unique) 1660 flags |= SPD_APPLY_UNIQUE; 1661 EMIT(SPD_ATTR_FLAGS, flags); 1662 if (flags & SPD_APPLY_AH) { 1663 EMIT(SPD_ATTR_AH_AUTH, act->ipa_apply.ipp_auth_alg); 1664 EMIT(SPD_ATTR_AH_MINBITS, 1665 act->ipa_apply.ipp_ah_minbits); 1666 EMIT(SPD_ATTR_AH_MAXBITS, 1667 act->ipa_apply.ipp_ah_maxbits); 1668 } 1669 if (flags & SPD_APPLY_ESP) { 1670 EMIT(SPD_ATTR_ESP_ENCR, act->ipa_apply.ipp_encr_alg); 1671 EMIT(SPD_ATTR_ENCR_MINBITS, 1672 act->ipa_apply.ipp_espe_minbits); 1673 EMIT(SPD_ATTR_ENCR_MAXBITS, 1674 act->ipa_apply.ipp_espe_maxbits); 1675 if (flags & SPD_APPLY_ESPA) { 1676 EMIT(SPD_ATTR_ESP_AUTH, 1677 act->ipa_apply.ipp_esp_auth_alg); 1678 EMIT(SPD_ATTR_ESPA_MINBITS, 1679 act->ipa_apply.ipp_espa_minbits); 1680 EMIT(SPD_ATTR_ESPA_MAXBITS, 1681 act->ipa_apply.ipp_espa_maxbits); 1682 } 1683 } 1684 if (act->ipa_apply.ipp_km_proto != 0) 1685 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_proto); 1686 if (act->ipa_apply.ipp_km_cookie != 0) 1687 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_cookie); 1688 if (act->ipa_apply.ipp_replay_depth != 0) 1689 EMIT(SPD_ATTR_REPLAY_DEPTH, 1690 act->ipa_apply.ipp_replay_depth); 1691 /* Add more here */ 1692 break; 1693 } 1694 1695 return (offset); 1696 } 1697 1698 static uint_t 1699 spdsock_encode_action_list(uint8_t *base, uint_t offset, 1700 const ipsec_action_t *ap) 1701 { 1702 struct spd_ext_actions *act; 1703 uint_t nact = 0; 1704 uint_t start = offset; 1705 1706 ASSERT(ALIGNED64(offset)); 1707 1708 if (base != NULL) { 1709 act = (struct spd_ext_actions *)(base + offset); 1710 act->spd_actions_len = 0; 1711 act->spd_actions_exttype = SPD_EXT_ACTION; 1712 act->spd_actions_count = 0; 1713 act->spd_actions_reserved = 0; 1714 } 1715 1716 offset += sizeof (*act); 1717 1718 ASSERT(ALIGNED64(offset)); 1719 1720 while (ap != NULL) { 1721 offset = spdsock_encode_action(base, offset, ap); 1722 ap = ap->ipa_next; 1723 nact++; 1724 if (ap != NULL) { 1725 EMIT(SPD_ATTR_NEXT, 0); 1726 } 1727 } 1728 EMIT(SPD_ATTR_END, 0); 1729 1730 ASSERT(ALIGNED64(offset)); 1731 1732 if (base != NULL) { 1733 act->spd_actions_count = nact; 1734 act->spd_actions_len = SPD_8TO64(offset - start); 1735 } 1736 1737 return (offset); 1738 } 1739 1740 #undef EMIT 1741 1742 /* ARGSUSED */ 1743 static uint_t 1744 spdsock_rule_flags(uint_t dir, uint_t af) 1745 { 1746 uint_t flags = 0; 1747 1748 if (dir == IPSEC_TYPE_INBOUND) 1749 flags |= SPD_RULE_FLAG_INBOUND; 1750 if (dir == IPSEC_TYPE_OUTBOUND) 1751 flags |= SPD_RULE_FLAG_OUTBOUND; 1752 1753 return (flags); 1754 } 1755 1756 1757 static uint_t 1758 spdsock_encode_rule_head(uint8_t *base, uint_t offset, spd_msg_t *req, 1759 const ipsec_policy_t *rule, uint_t dir, uint_t af, char *name, 1760 boolean_t tunnel) 1761 { 1762 struct spd_msg *spmsg; 1763 struct spd_rule *spr; 1764 spd_if_t *sid; 1765 1766 uint_t start = offset; 1767 1768 ASSERT(ALIGNED64(offset)); 1769 1770 if (base != NULL) { 1771 spmsg = (struct spd_msg *)(base + offset); 1772 bzero(spmsg, sizeof (*spmsg)); 1773 spmsg->spd_msg_version = PF_POLICY_V1; 1774 spmsg->spd_msg_type = SPD_DUMP; 1775 spmsg->spd_msg_seq = req->spd_msg_seq; 1776 spmsg->spd_msg_pid = req->spd_msg_pid; 1777 } 1778 offset += sizeof (struct spd_msg); 1779 1780 ASSERT(ALIGNED64(offset)); 1781 1782 if (base != NULL) { 1783 spr = (struct spd_rule *)(base + offset); 1784 spr->spd_rule_type = SPD_EXT_RULE; 1785 spr->spd_rule_priority = rule->ipsp_prio; 1786 spr->spd_rule_flags = spdsock_rule_flags(dir, af); 1787 if (tunnel) 1788 spr->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL; 1789 spr->spd_rule_unused = 0; 1790 spr->spd_rule_len = SPD_8TO64(sizeof (*spr)); 1791 spr->spd_rule_index = rule->ipsp_index; 1792 } 1793 offset += sizeof (struct spd_rule); 1794 1795 /* 1796 * If we have an interface name (i.e. if this policy head came from 1797 * a tunnel), add the SPD_EXT_TUN_NAME extension. 1798 */ 1799 if (name != NULL) { 1800 1801 ASSERT(ALIGNED64(offset)); 1802 1803 if (base != NULL) { 1804 sid = (spd_if_t *)(base + offset); 1805 sid->spd_if_exttype = SPD_EXT_TUN_NAME; 1806 sid->spd_if_len = SPD_8TO64(sizeof (spd_if_t) + 1807 roundup((strlen(name) - 4), 8)); 1808 (void) strlcpy((char *)sid->spd_if_name, name, 1809 LIFNAMSIZ); 1810 } 1811 1812 offset += sizeof (spd_if_t) + roundup((strlen(name) - 4), 8); 1813 } 1814 1815 offset = spdsock_encode_sel(base, offset, rule->ipsp_sel); 1816 offset = spdsock_encode_action_list(base, offset, rule->ipsp_act); 1817 1818 ASSERT(ALIGNED64(offset)); 1819 1820 if (base != NULL) { 1821 spmsg->spd_msg_len = SPD_8TO64(offset - start); 1822 } 1823 return (offset); 1824 } 1825 1826 /* ARGSUSED */ 1827 static mblk_t * 1828 spdsock_encode_rule(mblk_t *req, const ipsec_policy_t *rule, 1829 uint_t dir, uint_t af, char *name, boolean_t tunnel) 1830 { 1831 mblk_t *m; 1832 uint_t len; 1833 spd_msg_t *mreq = (spd_msg_t *)req->b_rptr; 1834 1835 /* 1836 * Figure out how much space we'll need. 1837 */ 1838 len = spdsock_encode_rule_head(NULL, 0, mreq, rule, dir, af, name, 1839 tunnel); 1840 1841 /* 1842 * Allocate mblk. 1843 */ 1844 m = allocb(len, BPRI_HI); 1845 if (m == NULL) 1846 return (NULL); 1847 1848 /* 1849 * Fill it in.. 1850 */ 1851 m->b_wptr = m->b_rptr + len; 1852 bzero(m->b_rptr, len); 1853 (void) spdsock_encode_rule_head(m->b_rptr, 0, mreq, rule, dir, af, 1854 name, tunnel); 1855 return (m); 1856 } 1857 1858 static ipsec_policy_t * 1859 spdsock_dump_next_in_chain(spdsock_t *ss, ipsec_policy_head_t *iph, 1860 ipsec_policy_t *cur) 1861 { 1862 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1863 1864 ss->spdsock_dump_count++; 1865 ss->spdsock_dump_cur_rule = cur->ipsp_hash.hash_next; 1866 return (cur); 1867 } 1868 1869 static ipsec_policy_t * 1870 spdsock_dump_next_rule(spdsock_t *ss, ipsec_policy_head_t *iph) 1871 { 1872 ipsec_policy_t *cur; 1873 ipsec_policy_root_t *ipr; 1874 int chain, nchains, type, af; 1875 1876 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1877 1878 cur = ss->spdsock_dump_cur_rule; 1879 1880 if (cur != NULL) 1881 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1882 1883 type = ss->spdsock_dump_cur_type; 1884 1885 next: 1886 chain = ss->spdsock_dump_cur_chain; 1887 ipr = &iph->iph_root[type]; 1888 nchains = ipr->ipr_nchains; 1889 1890 while (chain < nchains) { 1891 cur = ipr->ipr_hash[chain].hash_head; 1892 chain++; 1893 if (cur != NULL) { 1894 ss->spdsock_dump_cur_chain = chain; 1895 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1896 } 1897 } 1898 ss->spdsock_dump_cur_chain = nchains; 1899 1900 af = ss->spdsock_dump_cur_af; 1901 while (af < IPSEC_NAF) { 1902 cur = ipr->ipr_nonhash[af]; 1903 af++; 1904 if (cur != NULL) { 1905 ss->spdsock_dump_cur_af = af; 1906 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1907 } 1908 } 1909 1910 type++; 1911 if (type >= IPSEC_NTYPES) 1912 return (NULL); 1913 1914 ss->spdsock_dump_cur_chain = 0; 1915 ss->spdsock_dump_cur_type = type; 1916 ss->spdsock_dump_cur_af = IPSEC_AF_V4; 1917 goto next; 1918 1919 } 1920 1921 /* 1922 * If we're done with one policy head, but have more to go, we iterate through 1923 * another IPsec tunnel policy head (itp). Return NULL if it is an error 1924 * worthy of returning EAGAIN via PF_POLICY. 1925 */ 1926 static ipsec_tun_pol_t * 1927 spdsock_dump_iterate_next_tunnel(spdsock_t *ss, ipsec_stack_t *ipss) 1928 { 1929 ipsec_tun_pol_t *itp; 1930 1931 ASSERT(RW_READ_HELD(&ipss->ipsec_tunnel_policy_lock)); 1932 if (ipss->ipsec_tunnel_policy_gen > ss->spdsock_dump_tun_gen) { 1933 /* Oops, state of the tunnel polheads changed. */ 1934 itp = NULL; 1935 } else if (ss->spdsock_itp == NULL) { 1936 /* Just finished global, find first node. */ 1937 itp = avl_first(&ipss->ipsec_tunnel_policies); 1938 } else { 1939 /* We just finished current polhead, find the next one. */ 1940 itp = AVL_NEXT(&ipss->ipsec_tunnel_policies, ss->spdsock_itp); 1941 } 1942 if (itp != NULL) { 1943 ITP_REFHOLD(itp); 1944 } 1945 if (ss->spdsock_itp != NULL) { 1946 ITP_REFRELE(ss->spdsock_itp, ipss->ipsec_netstack); 1947 } 1948 ss->spdsock_itp = itp; 1949 return (itp); 1950 } 1951 1952 static mblk_t * 1953 spdsock_dump_next_record(spdsock_t *ss) 1954 { 1955 ipsec_policy_head_t *iph; 1956 ipsec_policy_t *rule; 1957 mblk_t *m; 1958 ipsec_tun_pol_t *itp; 1959 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1960 ipsec_stack_t *ipss = ns->netstack_ipsec; 1961 1962 iph = ss->spdsock_dump_head; 1963 1964 ASSERT(iph != NULL); 1965 1966 rw_enter(&iph->iph_lock, RW_READER); 1967 1968 if (iph->iph_gen != ss->spdsock_dump_gen) { 1969 rw_exit(&iph->iph_lock); 1970 return (spdsock_dump_finish(ss, EAGAIN)); 1971 } 1972 1973 while ((rule = spdsock_dump_next_rule(ss, iph)) == NULL) { 1974 rw_exit(&iph->iph_lock); 1975 if (--(ss->spdsock_dump_remaining_polheads) == 0) 1976 return (spdsock_dump_finish(ss, 0)); 1977 1978 1979 /* 1980 * If we reach here, we have more policy heads (tunnel 1981 * entries) to dump. Let's reset to a new policy head 1982 * and get some more rules. 1983 * 1984 * An empty policy head will have spdsock_dump_next_rule() 1985 * return NULL, and we loop (while dropping the number of 1986 * remaining polheads). If we loop to 0, we finish. We 1987 * keep looping until we hit 0 or until we have a rule to 1988 * encode. 1989 * 1990 * NOTE: No need for ITP_REF*() macros here as we're only 1991 * going after and refholding the policy head itself. 1992 */ 1993 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER); 1994 itp = spdsock_dump_iterate_next_tunnel(ss, ipss); 1995 if (itp == NULL) { 1996 rw_exit(&ipss->ipsec_tunnel_policy_lock); 1997 return (spdsock_dump_finish(ss, EAGAIN)); 1998 } 1999 2000 /* Reset other spdsock_dump thingies. */ 2001 IPPH_REFRELE(ss->spdsock_dump_head, ns); 2002 if (ss->spdsock_dump_active) { 2003 ss->spdsock_dump_tunnel = 2004 itp->itp_flags & ITPF_P_TUNNEL; 2005 iph = itp->itp_policy; 2006 } else { 2007 ss->spdsock_dump_tunnel = 2008 itp->itp_flags & ITPF_I_TUNNEL; 2009 iph = itp->itp_inactive; 2010 } 2011 IPPH_REFHOLD(iph); 2012 rw_exit(&ipss->ipsec_tunnel_policy_lock); 2013 2014 rw_enter(&iph->iph_lock, RW_READER); 2015 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph); 2016 } 2017 2018 m = spdsock_encode_rule(ss->spdsock_dump_req, rule, 2019 ss->spdsock_dump_cur_type, ss->spdsock_dump_cur_af, 2020 (ss->spdsock_itp == NULL) ? NULL : ss->spdsock_itp->itp_name, 2021 ss->spdsock_dump_tunnel); 2022 rw_exit(&iph->iph_lock); 2023 2024 if (m == NULL) 2025 return (spdsock_dump_finish(ss, ENOMEM)); 2026 return (m); 2027 } 2028 2029 /* 2030 * Dump records until we run into flow-control back-pressure. 2031 */ 2032 static void 2033 spdsock_dump_some(queue_t *q, spdsock_t *ss) 2034 { 2035 mblk_t *m, *dataind; 2036 2037 while ((ss->spdsock_dump_req != NULL) && canputnext(q)) { 2038 m = spdsock_dump_next_record(ss); 2039 if (m == NULL) 2040 return; 2041 dataind = allocb(sizeof (struct T_data_req), BPRI_HI); 2042 if (dataind == NULL) { 2043 freemsg(m); 2044 return; 2045 } 2046 dataind->b_cont = m; 2047 dataind->b_wptr += sizeof (struct T_data_req); 2048 ((struct T_data_ind *)dataind->b_rptr)->PRIM_type = T_DATA_IND; 2049 ((struct T_data_ind *)dataind->b_rptr)->MORE_flag = 0; 2050 dataind->b_datap->db_type = M_PROTO; 2051 putnext(q, dataind); 2052 } 2053 } 2054 2055 /* 2056 * Start dumping. 2057 * Format a start-of-dump record, and set up the stream and kick the rsrv 2058 * procedure to continue the job.. 2059 */ 2060 /* ARGSUSED */ 2061 static void 2062 spdsock_dump(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp) 2063 { 2064 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2065 netstack_t *ns = ss->spdsock_spds->spds_netstack; 2066 ipsec_stack_t *ipss = ns->netstack_ipsec; 2067 mblk_t *mr; 2068 2069 /* spdsock_open() already set spdsock_itp to NULL. */ 2070 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) { 2071 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER); 2072 ss->spdsock_dump_remaining_polheads = 1 + 2073 avl_numnodes(&ipss->ipsec_tunnel_policies); 2074 ss->spdsock_dump_tun_gen = ipss->ipsec_tunnel_policy_gen; 2075 rw_exit(&ipss->ipsec_tunnel_policy_lock); 2076 if (iph == ALL_ACTIVE_POLHEADS) { 2077 iph = ipsec_system_policy(ns); 2078 ss->spdsock_dump_active = B_TRUE; 2079 } else { 2080 iph = ipsec_inactive_policy(ns); 2081 ss->spdsock_dump_active = B_FALSE; 2082 } 2083 ASSERT(ss->spdsock_itp == NULL); 2084 } else { 2085 ss->spdsock_dump_remaining_polheads = 1; 2086 } 2087 2088 rw_enter(&iph->iph_lock, RW_READER); 2089 2090 mr = spdsock_dump_ruleset(mp, iph, 0, 0); 2091 2092 if (!mr) { 2093 rw_exit(&iph->iph_lock); 2094 spdsock_error(q, mp, ENOMEM, 0); 2095 return; 2096 } 2097 2098 ss->spdsock_dump_req = mp; 2099 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph); 2100 2101 rw_exit(&iph->iph_lock); 2102 2103 qreply(q, mr); 2104 qenable(OTHERQ(q)); 2105 } 2106 2107 /* Do NOT consume a reference to ITP. */ 2108 void 2109 spdsock_clone_node(ipsec_tun_pol_t *itp, void *ep, netstack_t *ns) 2110 { 2111 int *errptr = (int *)ep; 2112 2113 if (*errptr != 0) 2114 return; /* We've failed already for some reason. */ 2115 mutex_enter(&itp->itp_lock); 2116 ITPF_CLONE(itp->itp_flags); 2117 *errptr = ipsec_copy_polhead(itp->itp_policy, itp->itp_inactive, ns); 2118 mutex_exit(&itp->itp_lock); 2119 } 2120 2121 void 2122 spdsock_clone(queue_t *q, mblk_t *mp, spd_if_t *tunname) 2123 { 2124 int error; 2125 char *tname; 2126 ipsec_tun_pol_t *itp; 2127 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2128 netstack_t *ns = ss->spdsock_spds->spds_netstack; 2129 uint32_t auditing = AU_AUDITING(); 2130 2131 if (tunname != NULL) { 2132 tname = (char *)tunname->spd_if_name; 2133 if (*tname == '\0') { 2134 error = ipsec_clone_system_policy(ns); 2135 if (auditing) { 2136 boolean_t active; 2137 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2138 cred_t *cr; 2139 pid_t cpid; 2140 2141 cr = msg_getcred(mp, &cpid); 2142 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2143 audit_pf_policy(SPD_CLONE, cr, ns, 2144 NULL, active, error, cpid); 2145 } 2146 if (error == 0) { 2147 itp_walk(spdsock_clone_node, &error, ns); 2148 if (auditing) { 2149 boolean_t active; 2150 spd_msg_t *spmsg = 2151 (spd_msg_t *)mp->b_rptr; 2152 cred_t *cr; 2153 pid_t cpid; 2154 2155 cr = msg_getcred(mp, &cpid); 2156 active = (spmsg->spd_msg_spdid == 2157 SPD_ACTIVE); 2158 audit_pf_policy(SPD_CLONE, cr, 2159 ns, "all tunnels", active, 0, 2160 cpid); 2161 } 2162 } 2163 } else { 2164 itp = get_tunnel_policy(tname, ns); 2165 if (itp == NULL) { 2166 spdsock_error(q, mp, ENOENT, 0); 2167 if (auditing) { 2168 boolean_t active; 2169 spd_msg_t *spmsg = 2170 (spd_msg_t *)mp->b_rptr; 2171 cred_t *cr; 2172 pid_t cpid; 2173 2174 cr = msg_getcred(mp, &cpid); 2175 active = (spmsg->spd_msg_spdid == 2176 SPD_ACTIVE); 2177 audit_pf_policy(SPD_CLONE, cr, 2178 ns, NULL, active, ENOENT, cpid); 2179 } 2180 return; 2181 } 2182 spdsock_clone_node(itp, &error, NULL); 2183 if (auditing) { 2184 boolean_t active; 2185 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2186 cred_t *cr; 2187 pid_t cpid; 2188 2189 cr = msg_getcred(mp, &cpid); 2190 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2191 audit_pf_policy(SPD_CLONE, cr, ns, 2192 ITP_NAME(itp), active, error, cpid); 2193 } 2194 ITP_REFRELE(itp, ns); 2195 } 2196 } else { 2197 error = ipsec_clone_system_policy(ns); 2198 if (auditing) { 2199 boolean_t active; 2200 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2201 cred_t *cr; 2202 pid_t cpid; 2203 2204 cr = msg_getcred(mp, &cpid); 2205 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2206 audit_pf_policy(SPD_CLONE, cr, ns, NULL, 2207 active, error, cpid); 2208 } 2209 } 2210 2211 if (error != 0) 2212 spdsock_error(q, mp, error, 0); 2213 else 2214 spd_echo(q, mp); 2215 } 2216 2217 /* 2218 * Process a SPD_ALGLIST request. The caller expects separate alg entries 2219 * for AH authentication, ESP authentication, and ESP encryption. 2220 * The same distinction is then used when setting the min and max key 2221 * sizes when defining policies. 2222 */ 2223 2224 #define SPDSOCK_AH_AUTH 0 2225 #define SPDSOCK_ESP_AUTH 1 2226 #define SPDSOCK_ESP_ENCR 2 2227 #define SPDSOCK_NTYPES 3 2228 2229 static const uint_t algattr[SPDSOCK_NTYPES] = { 2230 SPD_ATTR_AH_AUTH, 2231 SPD_ATTR_ESP_AUTH, 2232 SPD_ATTR_ESP_ENCR 2233 }; 2234 static const uint_t minbitsattr[SPDSOCK_NTYPES] = { 2235 SPD_ATTR_AH_MINBITS, 2236 SPD_ATTR_ESPA_MINBITS, 2237 SPD_ATTR_ENCR_MINBITS 2238 }; 2239 static const uint_t maxbitsattr[SPDSOCK_NTYPES] = { 2240 SPD_ATTR_AH_MAXBITS, 2241 SPD_ATTR_ESPA_MAXBITS, 2242 SPD_ATTR_ENCR_MAXBITS 2243 }; 2244 static const uint_t defbitsattr[SPDSOCK_NTYPES] = { 2245 SPD_ATTR_AH_DEFBITS, 2246 SPD_ATTR_ESPA_DEFBITS, 2247 SPD_ATTR_ENCR_DEFBITS 2248 }; 2249 static const uint_t incrbitsattr[SPDSOCK_NTYPES] = { 2250 SPD_ATTR_AH_INCRBITS, 2251 SPD_ATTR_ESPA_INCRBITS, 2252 SPD_ATTR_ENCR_INCRBITS 2253 }; 2254 2255 #define ATTRPERALG 6 /* fixed attributes per algs */ 2256 2257 void 2258 spdsock_alglist(queue_t *q, mblk_t *mp) 2259 { 2260 uint_t algtype; 2261 uint_t algidx; 2262 uint_t algcount; 2263 uint_t size; 2264 mblk_t *m; 2265 uint8_t *cur; 2266 spd_msg_t *msg; 2267 struct spd_ext_actions *act; 2268 struct spd_attribute *attr; 2269 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2270 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 2271 2272 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 2273 /* 2274 * The SPD client expects to receive separate entries for 2275 * AH authentication and ESP authentication supported algorithms. 2276 * 2277 * Don't return the "any" algorithms, if defined, as no 2278 * kernel policies can be set for these algorithms. 2279 */ 2280 algcount = 2 * ipss->ipsec_nalgs[IPSEC_ALG_AUTH] + 2281 ipss->ipsec_nalgs[IPSEC_ALG_ENCR]; 2282 2283 if (ipss->ipsec_alglists[IPSEC_ALG_AUTH][SADB_AALG_NONE] != NULL) 2284 algcount--; 2285 if (ipss->ipsec_alglists[IPSEC_ALG_ENCR][SADB_EALG_NONE] != NULL) 2286 algcount--; 2287 2288 /* 2289 * For each algorithm, we encode: 2290 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT} 2291 */ 2292 2293 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions) + 2294 ATTRPERALG * sizeof (struct spd_attribute) * algcount; 2295 2296 ASSERT(ALIGNED64(size)); 2297 2298 m = allocb(size, BPRI_HI); 2299 if (m == NULL) { 2300 rw_exit(&ipss->ipsec_alg_lock); 2301 spdsock_error(q, mp, ENOMEM, 0); 2302 return; 2303 } 2304 2305 m->b_wptr = m->b_rptr + size; 2306 cur = m->b_rptr; 2307 2308 msg = (spd_msg_t *)cur; 2309 bcopy(mp->b_rptr, cur, sizeof (*msg)); 2310 2311 msg->spd_msg_len = SPD_8TO64(size); 2312 msg->spd_msg_errno = 0; 2313 msg->spd_msg_diagnostic = 0; 2314 2315 cur += sizeof (*msg); 2316 2317 act = (struct spd_ext_actions *)cur; 2318 cur += sizeof (*act); 2319 2320 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t)); 2321 act->spd_actions_exttype = SPD_EXT_ACTION; 2322 act->spd_actions_count = algcount; 2323 act->spd_actions_reserved = 0; 2324 2325 attr = (struct spd_attribute *)cur; 2326 2327 #define EMIT(tag, value) { \ 2328 attr->spd_attr_tag = (tag); \ 2329 attr->spd_attr_value = (value); \ 2330 attr++; \ 2331 } 2332 2333 /* 2334 * If you change the number of EMIT's here, change 2335 * ATTRPERALG above to match 2336 */ 2337 #define EMITALGATTRS(_type) { \ 2338 EMIT(algattr[_type], algid); /* 1 */ \ 2339 EMIT(minbitsattr[_type], minbits); /* 2 */ \ 2340 EMIT(maxbitsattr[_type], maxbits); /* 3 */ \ 2341 EMIT(defbitsattr[_type], defbits); /* 4 */ \ 2342 EMIT(incrbitsattr[_type], incr); /* 5 */ \ 2343 EMIT(SPD_ATTR_NEXT, 0); /* 6 */ \ 2344 } 2345 2346 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2347 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2348 algidx++) { 2349 int algid = ipss->ipsec_sortlist[algtype][algidx]; 2350 ipsec_alginfo_t *alg = 2351 ipss->ipsec_alglists[algtype][algid]; 2352 uint_t minbits = alg->alg_minbits; 2353 uint_t maxbits = alg->alg_maxbits; 2354 uint_t defbits = alg->alg_default_bits; 2355 uint_t incr = alg->alg_increment; 2356 2357 if (algtype == IPSEC_ALG_AUTH) { 2358 if (algid == SADB_AALG_NONE) 2359 continue; 2360 EMITALGATTRS(SPDSOCK_AH_AUTH); 2361 EMITALGATTRS(SPDSOCK_ESP_AUTH); 2362 } else { 2363 if (algid == SADB_EALG_NONE) 2364 continue; 2365 ASSERT(algtype == IPSEC_ALG_ENCR); 2366 EMITALGATTRS(SPDSOCK_ESP_ENCR); 2367 } 2368 } 2369 } 2370 2371 rw_exit(&ipss->ipsec_alg_lock); 2372 2373 #undef EMITALGATTRS 2374 #undef EMIT 2375 #undef ATTRPERALG 2376 2377 attr--; 2378 attr->spd_attr_tag = SPD_ATTR_END; 2379 2380 freemsg(mp); 2381 qreply(q, m); 2382 } 2383 2384 /* 2385 * Process a SPD_DUMPALGS request. 2386 */ 2387 2388 #define ATTRPERALG 9 /* fixed attributes per algs */ 2389 2390 void 2391 spdsock_dumpalgs(queue_t *q, mblk_t *mp) 2392 { 2393 uint_t algtype; 2394 uint_t algidx; 2395 uint_t size; 2396 mblk_t *m; 2397 uint8_t *cur; 2398 spd_msg_t *msg; 2399 struct spd_ext_actions *act; 2400 struct spd_attribute *attr; 2401 ipsec_alginfo_t *alg; 2402 uint_t algid; 2403 uint_t i; 2404 uint_t alg_size; 2405 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2406 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 2407 2408 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 2409 2410 /* 2411 * For each algorithm, we encode: 2412 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT} 2413 * 2414 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE* 2415 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_NPARAMS / ALG_PARAMS* / 2416 * ALG_MECHNAME / ALG_FLAGS / {END, NEXT} 2417 */ 2418 2419 /* 2420 * Compute the size of the SPD message. 2421 */ 2422 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions); 2423 2424 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2425 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2426 algidx++) { 2427 algid = ipss->ipsec_sortlist[algtype][algidx]; 2428 alg = ipss->ipsec_alglists[algtype][algid]; 2429 alg_size = sizeof (struct spd_attribute) * 2430 (ATTRPERALG + alg->alg_nkey_sizes + 2431 alg->alg_nblock_sizes + alg->alg_nparams) + 2432 CRYPTO_MAX_MECH_NAME; 2433 size += alg_size; 2434 } 2435 } 2436 2437 ASSERT(ALIGNED64(size)); 2438 2439 m = allocb(size, BPRI_HI); 2440 if (m == NULL) { 2441 rw_exit(&ipss->ipsec_alg_lock); 2442 spdsock_error(q, mp, ENOMEM, 0); 2443 return; 2444 } 2445 2446 m->b_wptr = m->b_rptr + size; 2447 cur = m->b_rptr; 2448 2449 msg = (spd_msg_t *)cur; 2450 bcopy(mp->b_rptr, cur, sizeof (*msg)); 2451 2452 msg->spd_msg_len = SPD_8TO64(size); 2453 msg->spd_msg_errno = 0; 2454 msg->spd_msg_type = SPD_ALGLIST; 2455 2456 msg->spd_msg_diagnostic = 0; 2457 2458 cur += sizeof (*msg); 2459 2460 act = (struct spd_ext_actions *)cur; 2461 cur += sizeof (*act); 2462 2463 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t)); 2464 act->spd_actions_exttype = SPD_EXT_ACTION; 2465 act->spd_actions_count = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] + 2466 ipss->ipsec_nalgs[IPSEC_ALG_ENCR]; 2467 act->spd_actions_reserved = 0; 2468 2469 /* 2470 * If there aren't any algorithms registered, return an empty message. 2471 * spdsock_get_ext() knows how to deal with this. 2472 */ 2473 if (act->spd_actions_count == 0) { 2474 act->spd_actions_len = 0; 2475 rw_exit(&ipss->ipsec_alg_lock); 2476 goto error; 2477 } 2478 2479 attr = (struct spd_attribute *)cur; 2480 2481 #define EMIT(tag, value) { \ 2482 attr->spd_attr_tag = (tag); \ 2483 attr->spd_attr_value = (value); \ 2484 attr++; \ 2485 } 2486 2487 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2488 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2489 algidx++) { 2490 2491 algid = ipss->ipsec_sortlist[algtype][algidx]; 2492 alg = ipss->ipsec_alglists[algtype][algid]; 2493 2494 /* 2495 * If you change the number of EMIT's here, change 2496 * ATTRPERALG above to match 2497 */ 2498 EMIT(SPD_ATTR_ALG_ID, algid); 2499 EMIT(SPD_ATTR_ALG_PROTO, algproto[algtype]); 2500 EMIT(SPD_ATTR_ALG_INCRBITS, alg->alg_increment); 2501 EMIT(SPD_ATTR_ALG_NKEYSIZES, alg->alg_nkey_sizes); 2502 for (i = 0; i < alg->alg_nkey_sizes; i++) 2503 EMIT(SPD_ATTR_ALG_KEYSIZE, 2504 alg->alg_key_sizes[i]); 2505 2506 EMIT(SPD_ATTR_ALG_NBLOCKSIZES, alg->alg_nblock_sizes); 2507 for (i = 0; i < alg->alg_nblock_sizes; i++) 2508 EMIT(SPD_ATTR_ALG_BLOCKSIZE, 2509 alg->alg_block_sizes[i]); 2510 2511 EMIT(SPD_ATTR_ALG_NPARAMS, alg->alg_nparams); 2512 for (i = 0; i < alg->alg_nparams; i++) 2513 EMIT(SPD_ATTR_ALG_PARAMS, 2514 alg->alg_params[i]); 2515 2516 EMIT(SPD_ATTR_ALG_FLAGS, alg->alg_flags); 2517 2518 EMIT(SPD_ATTR_ALG_MECHNAME, CRYPTO_MAX_MECH_NAME); 2519 bcopy(alg->alg_mech_name, attr, CRYPTO_MAX_MECH_NAME); 2520 attr = (struct spd_attribute *)((char *)attr + 2521 CRYPTO_MAX_MECH_NAME); 2522 2523 EMIT(SPD_ATTR_NEXT, 0); 2524 } 2525 } 2526 2527 rw_exit(&ipss->ipsec_alg_lock); 2528 2529 #undef EMITALGATTRS 2530 #undef EMIT 2531 #undef ATTRPERALG 2532 2533 attr--; 2534 attr->spd_attr_tag = SPD_ATTR_END; 2535 2536 error: 2537 freemsg(mp); 2538 qreply(q, m); 2539 } 2540 2541 /* 2542 * Do the actual work of processing an SPD_UPDATEALGS request. Can 2543 * be invoked either once IPsec is loaded on a cached request, or 2544 * when a request is received while IPsec is loaded. 2545 */ 2546 static int 2547 spdsock_do_updatealg(spd_ext_t *extv[], spd_stack_t *spds) 2548 { 2549 struct spd_ext_actions *actp; 2550 struct spd_attribute *attr, *endattr; 2551 uint64_t *start, *end; 2552 ipsec_alginfo_t *alg = NULL; 2553 ipsec_algtype_t alg_type = 0; 2554 boolean_t skip_alg = B_TRUE, doing_proto = B_FALSE; 2555 uint_t i, cur_key, cur_block, algid; 2556 int diag = -1; 2557 2558 ASSERT(MUTEX_HELD(&spds->spds_alg_lock)); 2559 2560 /* parse the message, building the list of algorithms */ 2561 2562 actp = (struct spd_ext_actions *)extv[SPD_EXT_ACTION]; 2563 if (actp == NULL) 2564 return (SPD_DIAGNOSTIC_NO_ACTION_EXT); 2565 2566 start = (uint64_t *)actp; 2567 end = (start + actp->spd_actions_len); 2568 endattr = (struct spd_attribute *)end; 2569 attr = (struct spd_attribute *)&actp[1]; 2570 2571 bzero(spds->spds_algs, IPSEC_NALGTYPES * IPSEC_MAX_ALGS * 2572 sizeof (ipsec_alginfo_t *)); 2573 2574 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP); 2575 2576 #define ALG_KEY_SIZES(a) (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t)) 2577 #define ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t)) 2578 #define ALG_PARAM_SIZES(a) (((a)->alg_nparams + 1) * sizeof (uint16_t)) 2579 2580 while (attr < endattr) { 2581 switch (attr->spd_attr_tag) { 2582 case SPD_ATTR_NOP: 2583 case SPD_ATTR_EMPTY: 2584 break; 2585 case SPD_ATTR_END: 2586 attr = endattr; 2587 /* FALLTHRU */ 2588 case SPD_ATTR_NEXT: 2589 if (doing_proto) { 2590 doing_proto = B_FALSE; 2591 break; 2592 } 2593 if (skip_alg) { 2594 ipsec_alg_free(alg); 2595 } else { 2596 ipsec_alg_free( 2597 spds->spds_algs[alg_type][alg->alg_id]); 2598 spds->spds_algs[alg_type][alg->alg_id] = 2599 alg; 2600 } 2601 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP); 2602 break; 2603 2604 case SPD_ATTR_ALG_ID: 2605 if (attr->spd_attr_value >= IPSEC_MAX_ALGS) { 2606 ss1dbg(spds, ("spdsock_do_updatealg: " 2607 "invalid alg id %d\n", 2608 attr->spd_attr_value)); 2609 diag = SPD_DIAGNOSTIC_ALG_ID_RANGE; 2610 goto bail; 2611 } 2612 alg->alg_id = attr->spd_attr_value; 2613 break; 2614 2615 case SPD_ATTR_ALG_PROTO: 2616 /* find the alg type */ 2617 for (i = 0; i < NALGPROTOS; i++) 2618 if (algproto[i] == attr->spd_attr_value) 2619 break; 2620 skip_alg = (i == NALGPROTOS); 2621 if (!skip_alg) 2622 alg_type = i; 2623 break; 2624 2625 case SPD_ATTR_ALG_INCRBITS: 2626 alg->alg_increment = attr->spd_attr_value; 2627 break; 2628 2629 case SPD_ATTR_ALG_NKEYSIZES: 2630 if (alg->alg_key_sizes != NULL) { 2631 kmem_free(alg->alg_key_sizes, 2632 ALG_KEY_SIZES(alg)); 2633 } 2634 alg->alg_nkey_sizes = attr->spd_attr_value; 2635 /* 2636 * Allocate room for the trailing zero key size 2637 * value as well. 2638 */ 2639 alg->alg_key_sizes = kmem_zalloc(ALG_KEY_SIZES(alg), 2640 KM_SLEEP); 2641 cur_key = 0; 2642 break; 2643 2644 case SPD_ATTR_ALG_KEYSIZE: 2645 if (alg->alg_key_sizes == NULL || 2646 cur_key >= alg->alg_nkey_sizes) { 2647 ss1dbg(spds, ("spdsock_do_updatealg: " 2648 "too many key sizes\n")); 2649 diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES; 2650 goto bail; 2651 } 2652 alg->alg_key_sizes[cur_key++] = attr->spd_attr_value; 2653 break; 2654 2655 case SPD_ATTR_ALG_FLAGS: 2656 /* 2657 * Flags (bit mask). The alg_flags element of 2658 * ipsecalg_flags_t is only 8 bits wide. The 2659 * user can set the VALID bit, but we will ignore it 2660 * and make the decision is the algorithm is valid. 2661 */ 2662 alg->alg_flags |= (uint8_t)attr->spd_attr_value; 2663 break; 2664 2665 case SPD_ATTR_ALG_NBLOCKSIZES: 2666 if (alg->alg_block_sizes != NULL) { 2667 kmem_free(alg->alg_block_sizes, 2668 ALG_BLOCK_SIZES(alg)); 2669 } 2670 alg->alg_nblock_sizes = attr->spd_attr_value; 2671 /* 2672 * Allocate room for the trailing zero block size 2673 * value as well. 2674 */ 2675 alg->alg_block_sizes = kmem_zalloc(ALG_BLOCK_SIZES(alg), 2676 KM_SLEEP); 2677 cur_block = 0; 2678 break; 2679 2680 case SPD_ATTR_ALG_BLOCKSIZE: 2681 if (alg->alg_block_sizes == NULL || 2682 cur_block >= alg->alg_nblock_sizes) { 2683 ss1dbg(spds, ("spdsock_do_updatealg: " 2684 "too many block sizes\n")); 2685 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES; 2686 goto bail; 2687 } 2688 alg->alg_block_sizes[cur_block++] = 2689 attr->spd_attr_value; 2690 break; 2691 2692 case SPD_ATTR_ALG_NPARAMS: 2693 if (alg->alg_params != NULL) { 2694 kmem_free(alg->alg_params, 2695 ALG_PARAM_SIZES(alg)); 2696 } 2697 alg->alg_nparams = attr->spd_attr_value; 2698 /* 2699 * Allocate room for the trailing zero block size 2700 * value as well. 2701 */ 2702 alg->alg_params = kmem_zalloc(ALG_PARAM_SIZES(alg), 2703 KM_SLEEP); 2704 cur_block = 0; 2705 break; 2706 2707 case SPD_ATTR_ALG_PARAMS: 2708 if (alg->alg_params == NULL || 2709 cur_block >= alg->alg_nparams) { 2710 ss1dbg(spds, ("spdsock_do_updatealg: " 2711 "too many params\n")); 2712 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES; 2713 goto bail; 2714 } 2715 /* 2716 * Array contains: iv_len, icv_len, salt_len 2717 * Any additional parameters are currently ignored. 2718 */ 2719 alg->alg_params[cur_block++] = 2720 attr->spd_attr_value; 2721 break; 2722 2723 case SPD_ATTR_ALG_MECHNAME: { 2724 char *mech_name; 2725 2726 if (attr->spd_attr_value > CRYPTO_MAX_MECH_NAME) { 2727 ss1dbg(spds, ("spdsock_do_updatealg: " 2728 "mech name too long\n")); 2729 diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN; 2730 goto bail; 2731 } 2732 mech_name = (char *)(attr + 1); 2733 bcopy(mech_name, alg->alg_mech_name, 2734 attr->spd_attr_value); 2735 alg->alg_mech_name[CRYPTO_MAX_MECH_NAME-1] = '\0'; 2736 attr = (struct spd_attribute *)((char *)attr + 2737 attr->spd_attr_value); 2738 break; 2739 } 2740 2741 case SPD_ATTR_PROTO_ID: 2742 doing_proto = B_TRUE; 2743 for (i = 0; i < NALGPROTOS; i++) { 2744 if (algproto[i] == attr->spd_attr_value) { 2745 alg_type = i; 2746 break; 2747 } 2748 } 2749 break; 2750 2751 case SPD_ATTR_PROTO_EXEC_MODE: 2752 if (!doing_proto) 2753 break; 2754 for (i = 0; i < NEXECMODES; i++) { 2755 if (execmodes[i] == attr->spd_attr_value) { 2756 spds->spds_algs_exec_mode[alg_type] = i; 2757 break; 2758 } 2759 } 2760 break; 2761 } 2762 attr++; 2763 } 2764 2765 #undef ALG_KEY_SIZES 2766 #undef ALG_BLOCK_SIZES 2767 #undef ALG_PARAM_SIZES 2768 2769 /* update the algorithm tables */ 2770 spdsock_merge_algs(spds); 2771 bail: 2772 /* cleanup */ 2773 ipsec_alg_free(alg); 2774 for (alg_type = 0; alg_type < IPSEC_NALGTYPES; alg_type++) 2775 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) 2776 if (spds->spds_algs[alg_type][algid] != NULL) 2777 ipsec_alg_free(spds->spds_algs[alg_type][algid]); 2778 return (diag); 2779 } 2780 2781 /* 2782 * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue 2783 * the request until IPsec loads. If IPsec is loaded, act on it 2784 * immediately. 2785 */ 2786 2787 static void 2788 spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[]) 2789 { 2790 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2791 spd_stack_t *spds = ss->spdsock_spds; 2792 ipsec_stack_t *ipss = spds->spds_netstack->netstack_ipsec; 2793 uint32_t auditing = AU_AUDITING(); 2794 2795 if (!ipsec_loaded(ipss)) { 2796 /* 2797 * IPsec is not loaded, save request and return nicely, 2798 * the message will be processed once IPsec loads. 2799 */ 2800 mblk_t *new_mp; 2801 2802 /* last update message wins */ 2803 if ((new_mp = copymsg(mp)) == NULL) { 2804 spdsock_error(q, mp, ENOMEM, 0); 2805 return; 2806 } 2807 mutex_enter(&spds->spds_alg_lock); 2808 bcopy(extv, spds->spds_extv_algs, 2809 sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1)); 2810 if (spds->spds_mp_algs != NULL) 2811 freemsg(spds->spds_mp_algs); 2812 spds->spds_mp_algs = mp; 2813 mutex_exit(&spds->spds_alg_lock); 2814 if (auditing) { 2815 cred_t *cr; 2816 pid_t cpid; 2817 2818 cr = msg_getcred(mp, &cpid); 2819 audit_pf_policy(SPD_UPDATEALGS, cr, 2820 spds->spds_netstack, NULL, B_TRUE, EAGAIN, 2821 cpid); 2822 } 2823 spd_echo(q, new_mp); 2824 } else { 2825 /* 2826 * IPsec is loaded, act on the message immediately. 2827 */ 2828 int diag; 2829 2830 mutex_enter(&spds->spds_alg_lock); 2831 diag = spdsock_do_updatealg(extv, spds); 2832 if (diag == -1) { 2833 /* Keep the lock held while we walk the SA tables. */ 2834 sadb_alg_update(IPSEC_ALG_ALL, 0, 0, 2835 spds->spds_netstack); 2836 mutex_exit(&spds->spds_alg_lock); 2837 spd_echo(q, mp); 2838 if (auditing) { 2839 cred_t *cr; 2840 pid_t cpid; 2841 2842 cr = msg_getcred(mp, &cpid); 2843 audit_pf_policy(SPD_UPDATEALGS, cr, 2844 spds->spds_netstack, NULL, B_TRUE, 0, 2845 cpid); 2846 } 2847 } else { 2848 mutex_exit(&spds->spds_alg_lock); 2849 spdsock_diag(q, mp, diag); 2850 if (auditing) { 2851 cred_t *cr; 2852 pid_t cpid; 2853 2854 cr = msg_getcred(mp, &cpid); 2855 audit_pf_policy(SPD_UPDATEALGS, cr, 2856 spds->spds_netstack, NULL, B_TRUE, diag, 2857 cpid); 2858 } 2859 } 2860 } 2861 } 2862 2863 /* 2864 * Find a tunnel instance (using the name to link ID mapping), and 2865 * update it after an IPsec change. We need to do this always in case 2866 * we add policy AFTER plumbing a tunnel. We also need to do this 2867 * because, as a side-effect, the tunnel's MTU is updated to reflect 2868 * any IPsec overhead in the itp's policy. 2869 */ 2870 static void 2871 update_iptun_policy(ipsec_tun_pol_t *itp) 2872 { 2873 datalink_id_t linkid; 2874 2875 if (dls_mgmt_get_linkid(itp->itp_name, &linkid) == 0) 2876 iptun_set_policy(linkid, itp); 2877 } 2878 2879 /* 2880 * Sort through the mess of polhead options to retrieve an appropriate one. 2881 * Returns NULL if we send an spdsock error. Returns a valid pointer if we 2882 * found a valid polhead. Returns ALL_ACTIVE_POLHEADS (aka. -1) or 2883 * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to 2884 * act on ALL policy heads. 2885 */ 2886 static ipsec_policy_head_t * 2887 get_appropriate_polhead(queue_t *q, mblk_t *mp, spd_if_t *tunname, int spdid, 2888 int msgtype, ipsec_tun_pol_t **itpp) 2889 { 2890 ipsec_tun_pol_t *itp; 2891 ipsec_policy_head_t *iph; 2892 int errno; 2893 char *tname; 2894 boolean_t active; 2895 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2896 netstack_t *ns = ss->spdsock_spds->spds_netstack; 2897 uint64_t gen; /* Placeholder */ 2898 2899 active = (spdid == SPD_ACTIVE); 2900 *itpp = NULL; 2901 if (!active && spdid != SPD_STANDBY) { 2902 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_SPDID); 2903 return (NULL); 2904 } 2905 2906 if (tunname != NULL) { 2907 /* Acting on a tunnel's SPD. */ 2908 tname = (char *)tunname->spd_if_name; 2909 if (*tname == '\0') { 2910 /* Handle all-polhead cases here. */ 2911 if (msgtype != SPD_FLUSH && msgtype != SPD_DUMP) { 2912 spdsock_diag(q, mp, 2913 SPD_DIAGNOSTIC_NOT_GLOBAL_OP); 2914 return (NULL); 2915 } 2916 return (active ? ALL_ACTIVE_POLHEADS : 2917 ALL_INACTIVE_POLHEADS); 2918 } 2919 2920 itp = get_tunnel_policy(tname, ns); 2921 if (itp == NULL) { 2922 if (msgtype != SPD_ADDRULE) { 2923 /* "Tunnel not found" */ 2924 spdsock_error(q, mp, ENOENT, 0); 2925 return (NULL); 2926 } 2927 2928 errno = 0; 2929 itp = create_tunnel_policy(tname, &errno, &gen, ns); 2930 if (itp == NULL) { 2931 /* 2932 * Something very bad happened, most likely 2933 * ENOMEM. Return an indicator. 2934 */ 2935 spdsock_error(q, mp, errno, 0); 2936 return (NULL); 2937 } 2938 } 2939 2940 /* Match up the itp to an iptun instance. */ 2941 update_iptun_policy(itp); 2942 2943 *itpp = itp; 2944 /* For spdsock dump state, set the polhead's name. */ 2945 if (msgtype == SPD_DUMP) { 2946 ITP_REFHOLD(itp); 2947 ss->spdsock_itp = itp; 2948 ss->spdsock_dump_tunnel = itp->itp_flags & 2949 (active ? ITPF_P_TUNNEL : ITPF_I_TUNNEL); 2950 } 2951 } else { 2952 itp = NULL; 2953 /* For spdsock dump state, indicate it's global policy. */ 2954 if (msgtype == SPD_DUMP) 2955 ss->spdsock_itp = NULL; 2956 } 2957 2958 if (active) 2959 iph = (itp == NULL) ? ipsec_system_policy(ns) : itp->itp_policy; 2960 else 2961 iph = (itp == NULL) ? ipsec_inactive_policy(ns) : 2962 itp->itp_inactive; 2963 2964 ASSERT(iph != NULL); 2965 if (itp != NULL) { 2966 IPPH_REFHOLD(iph); 2967 } 2968 2969 return (iph); 2970 } 2971 2972 static void 2973 spdsock_parse(queue_t *q, mblk_t *mp) 2974 { 2975 spd_msg_t *spmsg; 2976 spd_ext_t *extv[SPD_EXT_MAX + 1]; 2977 uint_t msgsize; 2978 ipsec_policy_head_t *iph; 2979 ipsec_tun_pol_t *itp; 2980 spd_if_t *tunname; 2981 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2982 spd_stack_t *spds = ss->spdsock_spds; 2983 netstack_t *ns = spds->spds_netstack; 2984 ipsec_stack_t *ipss = ns->netstack_ipsec; 2985 2986 /* Make sure nothing's below me. */ 2987 ASSERT(WR(q)->q_next == NULL); 2988 2989 spmsg = (spd_msg_t *)mp->b_rptr; 2990 2991 msgsize = SPD_64TO8(spmsg->spd_msg_len); 2992 2993 if (msgdsize(mp) != msgsize) { 2994 /* 2995 * Message len incorrect w.r.t. actual size. Send an error 2996 * (EMSGSIZE). It may be necessary to massage things a 2997 * bit. For example, if the spd_msg_type is hosed, 2998 * I need to set it to SPD_RESERVED to get delivery to 2999 * do the right thing. Then again, maybe just letting 3000 * the error delivery do the right thing. 3001 */ 3002 ss2dbg(spds, 3003 ("mblk (%lu) and base (%d) message sizes don't jibe.\n", 3004 msgdsize(mp), msgsize)); 3005 spdsock_error(q, mp, EMSGSIZE, SPD_DIAGNOSTIC_NONE); 3006 return; 3007 } 3008 3009 if (msgsize > (uint_t)(mp->b_wptr - mp->b_rptr)) { 3010 /* Get all message into one mblk. */ 3011 if (pullupmsg(mp, -1) == 0) { 3012 /* 3013 * Something screwy happened. 3014 */ 3015 ss3dbg(spds, ("spdsock_parse: pullupmsg() failed.\n")); 3016 return; 3017 } else { 3018 spmsg = (spd_msg_t *)mp->b_rptr; 3019 } 3020 } 3021 3022 switch (spdsock_get_ext(extv, spmsg, msgsize)) { 3023 case KGE_DUP: 3024 /* Handle duplicate extension. */ 3025 ss1dbg(spds, ("Got duplicate extension of type %d.\n", 3026 extv[0]->spd_ext_type)); 3027 spdsock_diag(q, mp, dup_ext_diag[extv[0]->spd_ext_type]); 3028 return; 3029 case KGE_UNK: 3030 /* Handle unknown extension. */ 3031 ss1dbg(spds, ("Got unknown extension of type %d.\n", 3032 extv[0]->spd_ext_type)); 3033 spdsock_diag(q, mp, SPD_DIAGNOSTIC_UNKNOWN_EXT); 3034 return; 3035 case KGE_LEN: 3036 /* Length error. */ 3037 ss1dbg(spds, ("Length %d on extension type %d overrun or 0.\n", 3038 extv[0]->spd_ext_len, extv[0]->spd_ext_type)); 3039 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_EXTLEN); 3040 return; 3041 case KGE_CHK: 3042 /* Reality check failed. */ 3043 ss1dbg(spds, ("Reality check failed on extension type %d.\n", 3044 extv[0]->spd_ext_type)); 3045 spdsock_diag(q, mp, bad_ext_diag[extv[0]->spd_ext_type]); 3046 return; 3047 default: 3048 /* Default case is no errors. */ 3049 break; 3050 } 3051 3052 /* 3053 * Special-case SPD_UPDATEALGS so as not to load IPsec. 3054 */ 3055 if (!ipsec_loaded(ipss) && spmsg->spd_msg_type != SPD_UPDATEALGS) { 3056 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3057 3058 ASSERT(ss != NULL); 3059 ipsec_loader_loadnow(ipss); 3060 ss->spdsock_timeout_arg = mp; 3061 ss->spdsock_timeout = qtimeout(q, spdsock_loadcheck, 3062 q, LOADCHECK_INTERVAL); 3063 return; 3064 } 3065 3066 /* First check for messages that need no polheads at all. */ 3067 switch (spmsg->spd_msg_type) { 3068 case SPD_UPDATEALGS: 3069 spdsock_updatealg(q, mp, extv); 3070 return; 3071 case SPD_ALGLIST: 3072 spdsock_alglist(q, mp); 3073 return; 3074 case SPD_DUMPALGS: 3075 spdsock_dumpalgs(q, mp); 3076 return; 3077 } 3078 3079 /* 3080 * Then check for ones that need both primary/secondary polheads, 3081 * finding the appropriate tunnel policy if need be. 3082 */ 3083 tunname = (spd_if_t *)extv[SPD_EXT_TUN_NAME]; 3084 switch (spmsg->spd_msg_type) { 3085 case SPD_FLIP: 3086 spdsock_flip(q, mp, tunname); 3087 return; 3088 case SPD_CLONE: 3089 spdsock_clone(q, mp, tunname); 3090 return; 3091 } 3092 3093 /* 3094 * Finally, find ones that operate on exactly one polhead, or 3095 * "all polheads" of a given type (active/inactive). 3096 */ 3097 iph = get_appropriate_polhead(q, mp, tunname, spmsg->spd_msg_spdid, 3098 spmsg->spd_msg_type, &itp); 3099 if (iph == NULL) 3100 return; 3101 3102 /* All-polheads-ready operations. */ 3103 switch (spmsg->spd_msg_type) { 3104 case SPD_FLUSH: 3105 if (itp != NULL) { 3106 mutex_enter(&itp->itp_lock); 3107 if (spmsg->spd_msg_spdid == SPD_ACTIVE) 3108 itp->itp_flags &= ~ITPF_PFLAGS; 3109 else 3110 itp->itp_flags &= ~ITPF_IFLAGS; 3111 mutex_exit(&itp->itp_lock); 3112 } 3113 3114 spdsock_flush(q, iph, itp, mp); 3115 3116 if (itp != NULL) { 3117 /* SPD_FLUSH is worth a tunnel MTU check. */ 3118 update_iptun_policy(itp); 3119 ITP_REFRELE(itp, ns); 3120 } 3121 return; 3122 case SPD_DUMP: 3123 if (itp != NULL) 3124 ITP_REFRELE(itp, ns); 3125 spdsock_dump(q, iph, mp); 3126 return; 3127 } 3128 3129 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) { 3130 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NOT_GLOBAL_OP); 3131 return; 3132 } 3133 3134 /* Single-polhead-only operations. */ 3135 switch (spmsg->spd_msg_type) { 3136 case SPD_ADDRULE: 3137 spdsock_addrule(q, iph, mp, extv, itp); 3138 break; 3139 case SPD_DELETERULE: 3140 spdsock_deleterule(q, iph, mp, extv, itp); 3141 break; 3142 case SPD_LOOKUP: 3143 spdsock_lookup(q, iph, mp, extv, itp); 3144 break; 3145 default: 3146 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_MSG_TYPE); 3147 break; 3148 } 3149 3150 IPPH_REFRELE(iph, ns); 3151 if (itp != NULL) { 3152 /* SPD_{ADD,DELETE}RULE are worth a tunnel MTU check. */ 3153 if (spmsg->spd_msg_type == SPD_ADDRULE || 3154 spmsg->spd_msg_type == SPD_DELETERULE) 3155 update_iptun_policy(itp); 3156 ITP_REFRELE(itp, ns); 3157 } 3158 } 3159 3160 /* 3161 * If an algorithm mapping was received before IPsec was loaded, process it. 3162 * Called from the IPsec loader. 3163 */ 3164 void 3165 spdsock_update_pending_algs(netstack_t *ns) 3166 { 3167 spd_stack_t *spds = ns->netstack_spdsock; 3168 3169 mutex_enter(&spds->spds_alg_lock); 3170 if (spds->spds_mp_algs != NULL) { 3171 (void) spdsock_do_updatealg(spds->spds_extv_algs, spds); 3172 freemsg(spds->spds_mp_algs); 3173 spds->spds_mp_algs = NULL; 3174 } 3175 mutex_exit(&spds->spds_alg_lock); 3176 } 3177 3178 static void 3179 spdsock_loadcheck(void *arg) 3180 { 3181 queue_t *q = (queue_t *)arg; 3182 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3183 mblk_t *mp; 3184 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 3185 3186 ASSERT(ss != NULL); 3187 3188 ss->spdsock_timeout = 0; 3189 mp = ss->spdsock_timeout_arg; 3190 ASSERT(mp != NULL); 3191 ss->spdsock_timeout_arg = NULL; 3192 if (ipsec_failed(ipss)) 3193 spdsock_error(q, mp, EPROTONOSUPPORT, 0); 3194 else 3195 spdsock_parse(q, mp); 3196 } 3197 3198 /* 3199 * Copy relevant state bits. 3200 */ 3201 static void 3202 spdsock_copy_info(struct T_info_ack *tap, spdsock_t *ss) 3203 { 3204 *tap = spdsock_g_t_info_ack; 3205 tap->CURRENT_state = ss->spdsock_state; 3206 tap->OPT_size = spdsock_max_optsize; 3207 } 3208 3209 /* 3210 * This routine responds to T_CAPABILITY_REQ messages. It is called by 3211 * spdsock_wput. Much of the T_CAPABILITY_ACK information is copied from 3212 * spdsock_g_t_info_ack. The current state of the stream is copied from 3213 * spdsock_state. 3214 */ 3215 static void 3216 spdsock_capability_req(queue_t *q, mblk_t *mp) 3217 { 3218 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3219 t_uscalar_t cap_bits1; 3220 struct T_capability_ack *tcap; 3221 3222 cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1; 3223 3224 mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack), 3225 mp->b_datap->db_type, T_CAPABILITY_ACK); 3226 if (mp == NULL) 3227 return; 3228 3229 tcap = (struct T_capability_ack *)mp->b_rptr; 3230 tcap->CAP_bits1 = 0; 3231 3232 if (cap_bits1 & TC1_INFO) { 3233 spdsock_copy_info(&tcap->INFO_ack, ss); 3234 tcap->CAP_bits1 |= TC1_INFO; 3235 } 3236 3237 qreply(q, mp); 3238 } 3239 3240 /* 3241 * This routine responds to T_INFO_REQ messages. It is called by 3242 * spdsock_wput_other. 3243 * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack. 3244 * The current state of the stream is copied from spdsock_state. 3245 */ 3246 static void 3247 spdsock_info_req( 3248 queue_t *q, 3249 mblk_t *mp) 3250 { 3251 mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO, 3252 T_INFO_ACK); 3253 if (mp == NULL) 3254 return; 3255 spdsock_copy_info((struct T_info_ack *)mp->b_rptr, 3256 (spdsock_t *)q->q_ptr); 3257 qreply(q, mp); 3258 } 3259 3260 /* 3261 * spdsock_err_ack. This routine creates a 3262 * T_ERROR_ACK message and passes it 3263 * upstream. 3264 */ 3265 static void 3266 spdsock_err_ack( 3267 queue_t *q, 3268 mblk_t *mp, 3269 int t_error, 3270 int sys_error) 3271 { 3272 if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL) 3273 qreply(q, mp); 3274 } 3275 3276 /* 3277 * This routine retrieves the current status of socket options. 3278 * It returns the size of the option retrieved. 3279 */ 3280 /* ARGSUSED */ 3281 int 3282 spdsock_opt_get(queue_t *q, int level, int name, uchar_t *ptr) 3283 { 3284 int *i1 = (int *)ptr; 3285 3286 switch (level) { 3287 case SOL_SOCKET: 3288 switch (name) { 3289 case SO_TYPE: 3290 *i1 = SOCK_RAW; 3291 break; 3292 /* 3293 * The following two items can be manipulated, 3294 * but changing them should do nothing. 3295 */ 3296 case SO_SNDBUF: 3297 *i1 = (int)q->q_hiwat; 3298 break; 3299 case SO_RCVBUF: 3300 *i1 = (int)(RD(q)->q_hiwat); 3301 break; 3302 } 3303 break; 3304 default: 3305 return (0); 3306 } 3307 return (sizeof (int)); 3308 } 3309 3310 /* 3311 * This routine sets socket options. 3312 */ 3313 /* ARGSUSED */ 3314 int 3315 spdsock_opt_set(queue_t *q, uint_t mgmt_flags, int level, int name, 3316 uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp, 3317 void *thisdg_attrs, cred_t *cr) 3318 { 3319 int *i1 = (int *)invalp; 3320 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3321 spd_stack_t *spds = ss->spdsock_spds; 3322 3323 switch (level) { 3324 case SOL_SOCKET: 3325 switch (name) { 3326 case SO_SNDBUF: 3327 if (*i1 > spds->spds_max_buf) 3328 return (ENOBUFS); 3329 q->q_hiwat = *i1; 3330 break; 3331 case SO_RCVBUF: 3332 if (*i1 > spds->spds_max_buf) 3333 return (ENOBUFS); 3334 RD(q)->q_hiwat = *i1; 3335 (void) proto_set_rx_hiwat(RD(q), NULL, *i1); 3336 break; 3337 } 3338 break; 3339 } 3340 return (0); 3341 } 3342 3343 3344 /* 3345 * Handle STREAMS messages. 3346 */ 3347 static void 3348 spdsock_wput_other(queue_t *q, mblk_t *mp) 3349 { 3350 struct iocblk *iocp; 3351 int error; 3352 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3353 spd_stack_t *spds = ss->spdsock_spds; 3354 cred_t *cr; 3355 3356 switch (mp->b_datap->db_type) { 3357 case M_PROTO: 3358 case M_PCPROTO: 3359 if ((mp->b_wptr - mp->b_rptr) < sizeof (long)) { 3360 ss3dbg(spds, ( 3361 "spdsock_wput_other: Not big enough M_PROTO\n")); 3362 freemsg(mp); 3363 return; 3364 } 3365 switch (((union T_primitives *)mp->b_rptr)->type) { 3366 case T_CAPABILITY_REQ: 3367 spdsock_capability_req(q, mp); 3368 break; 3369 case T_INFO_REQ: 3370 spdsock_info_req(q, mp); 3371 break; 3372 case T_SVR4_OPTMGMT_REQ: 3373 case T_OPTMGMT_REQ: 3374 /* 3375 * All Solaris components should pass a db_credp 3376 * for this TPI message, hence we ASSERT. 3377 * But in case there is some other M_PROTO that looks 3378 * like a TPI message sent by some other kernel 3379 * component, we check and return an error. 3380 */ 3381 cr = msg_getcred(mp, NULL); 3382 ASSERT(cr != NULL); 3383 if (cr == NULL) { 3384 spdsock_err_ack(q, mp, TSYSERR, EINVAL); 3385 return; 3386 } 3387 if (((union T_primitives *)mp->b_rptr)->type == 3388 T_SVR4_OPTMGMT_REQ) { 3389 svr4_optcom_req(q, mp, cr, &spdsock_opt_obj); 3390 } else { 3391 tpi_optcom_req(q, mp, cr, &spdsock_opt_obj); 3392 } 3393 break; 3394 case T_DATA_REQ: 3395 case T_EXDATA_REQ: 3396 case T_ORDREL_REQ: 3397 /* Illegal for spdsock. */ 3398 freemsg(mp); 3399 (void) putnextctl1(RD(q), M_ERROR, EPROTO); 3400 break; 3401 default: 3402 /* Not supported by spdsock. */ 3403 spdsock_err_ack(q, mp, TNOTSUPPORT, 0); 3404 break; 3405 } 3406 return; 3407 case M_IOCTL: 3408 iocp = (struct iocblk *)mp->b_rptr; 3409 error = EINVAL; 3410 3411 switch (iocp->ioc_cmd) { 3412 case ND_SET: 3413 case ND_GET: 3414 if (nd_getset(q, spds->spds_g_nd, mp)) { 3415 qreply(q, mp); 3416 return; 3417 } else 3418 error = ENOENT; 3419 /* FALLTHRU */ 3420 default: 3421 miocnak(q, mp, 0, error); 3422 return; 3423 } 3424 case M_FLUSH: 3425 if (*mp->b_rptr & FLUSHW) { 3426 flushq(q, FLUSHALL); 3427 *mp->b_rptr &= ~FLUSHW; 3428 } 3429 if (*mp->b_rptr & FLUSHR) { 3430 qreply(q, mp); 3431 return; 3432 } 3433 /* Else FALLTHRU */ 3434 } 3435 3436 /* If fell through, just black-hole the message. */ 3437 freemsg(mp); 3438 } 3439 3440 static void 3441 spdsock_wput(queue_t *q, mblk_t *mp) 3442 { 3443 uint8_t *rptr = mp->b_rptr; 3444 mblk_t *mp1; 3445 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3446 spd_stack_t *spds = ss->spdsock_spds; 3447 3448 /* 3449 * If we're dumping, defer processing other messages until the 3450 * dump completes. 3451 */ 3452 if (ss->spdsock_dump_req != NULL) { 3453 if (!putq(q, mp)) 3454 freemsg(mp); 3455 return; 3456 } 3457 3458 switch (mp->b_datap->db_type) { 3459 case M_DATA: 3460 /* 3461 * Silently discard. 3462 */ 3463 ss2dbg(spds, ("raw M_DATA in spdsock.\n")); 3464 freemsg(mp); 3465 return; 3466 case M_PROTO: 3467 case M_PCPROTO: 3468 if ((mp->b_wptr - rptr) >= sizeof (struct T_data_req)) { 3469 if (((union T_primitives *)rptr)->type == T_DATA_REQ) { 3470 if ((mp1 = mp->b_cont) == NULL) { 3471 /* No data after T_DATA_REQ. */ 3472 ss2dbg(spds, 3473 ("No data after DATA_REQ.\n")); 3474 freemsg(mp); 3475 return; 3476 } 3477 freeb(mp); 3478 mp = mp1; 3479 ss2dbg(spds, ("T_DATA_REQ\n")); 3480 break; /* Out of switch. */ 3481 } 3482 } 3483 /* FALLTHRU */ 3484 default: 3485 ss3dbg(spds, ("In default wput case (%d %d).\n", 3486 mp->b_datap->db_type, ((union T_primitives *)rptr)->type)); 3487 spdsock_wput_other(q, mp); 3488 return; 3489 } 3490 3491 /* I now have a PF_POLICY message in an M_DATA block. */ 3492 spdsock_parse(q, mp); 3493 } 3494 3495 /* 3496 * Device open procedure, called when new queue pair created. 3497 * We are passed the read-side queue. 3498 */ 3499 /* ARGSUSED */ 3500 static int 3501 spdsock_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp) 3502 { 3503 spdsock_t *ss; 3504 queue_t *oq = OTHERQ(q); 3505 minor_t ssminor; 3506 netstack_t *ns; 3507 spd_stack_t *spds; 3508 3509 if (secpolicy_ip_config(credp, B_FALSE) != 0) 3510 return (EPERM); 3511 3512 if (q->q_ptr != NULL) 3513 return (0); /* Re-open of an already open instance. */ 3514 3515 if (sflag & MODOPEN) 3516 return (EINVAL); 3517 3518 ns = netstack_find_by_cred(credp); 3519 ASSERT(ns != NULL); 3520 spds = ns->netstack_spdsock; 3521 ASSERT(spds != NULL); 3522 3523 ss2dbg(spds, ("Made it into PF_POLICY socket open.\n")); 3524 3525 ssminor = (minor_t)(uintptr_t)vmem_alloc(spdsock_vmem, 1, VM_NOSLEEP); 3526 if (ssminor == 0) { 3527 netstack_rele(spds->spds_netstack); 3528 return (ENOMEM); 3529 } 3530 ss = kmem_zalloc(sizeof (spdsock_t), KM_NOSLEEP); 3531 if (ss == NULL) { 3532 vmem_free(spdsock_vmem, (void *)(uintptr_t)ssminor, 1); 3533 netstack_rele(spds->spds_netstack); 3534 return (ENOMEM); 3535 } 3536 3537 ss->spdsock_minor = ssminor; 3538 ss->spdsock_state = TS_UNBND; 3539 ss->spdsock_dump_req = NULL; 3540 3541 ss->spdsock_spds = spds; 3542 3543 q->q_ptr = ss; 3544 oq->q_ptr = ss; 3545 3546 q->q_hiwat = spds->spds_recv_hiwat; 3547 3548 oq->q_hiwat = spds->spds_xmit_hiwat; 3549 oq->q_lowat = spds->spds_xmit_lowat; 3550 3551 qprocson(q); 3552 (void) proto_set_rx_hiwat(q, NULL, spds->spds_recv_hiwat); 3553 3554 *devp = makedevice(getmajor(*devp), ss->spdsock_minor); 3555 return (0); 3556 } 3557 3558 /* 3559 * Read-side service procedure, invoked when we get back-enabled 3560 * when buffer space becomes available. 3561 * 3562 * Dump another chunk if we were dumping before; when we finish, kick 3563 * the write-side queue in case it's waiting for read queue space. 3564 */ 3565 void 3566 spdsock_rsrv(queue_t *q) 3567 { 3568 spdsock_t *ss = q->q_ptr; 3569 3570 if (ss->spdsock_dump_req != NULL) 3571 spdsock_dump_some(q, ss); 3572 3573 if (ss->spdsock_dump_req == NULL) 3574 qenable(OTHERQ(q)); 3575 } 3576 3577 /* 3578 * Write-side service procedure, invoked when we defer processing 3579 * if another message is received while a dump is in progress. 3580 */ 3581 void 3582 spdsock_wsrv(queue_t *q) 3583 { 3584 spdsock_t *ss = q->q_ptr; 3585 mblk_t *mp; 3586 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 3587 3588 if (ss->spdsock_dump_req != NULL) { 3589 qenable(OTHERQ(q)); 3590 return; 3591 } 3592 3593 while ((mp = getq(q)) != NULL) { 3594 if (ipsec_loaded(ipss)) { 3595 spdsock_wput(q, mp); 3596 if (ss->spdsock_dump_req != NULL) 3597 return; 3598 } else if (!ipsec_failed(ipss)) { 3599 (void) putq(q, mp); 3600 } else { 3601 spdsock_error(q, mp, EPFNOSUPPORT, 0); 3602 } 3603 } 3604 } 3605 3606 static int 3607 spdsock_close(queue_t *q) 3608 { 3609 spdsock_t *ss = q->q_ptr; 3610 spd_stack_t *spds = ss->spdsock_spds; 3611 3612 qprocsoff(q); 3613 3614 /* Safe assumption. */ 3615 ASSERT(ss != NULL); 3616 3617 if (ss->spdsock_timeout != 0) 3618 (void) quntimeout(q, ss->spdsock_timeout); 3619 3620 ss3dbg(spds, ("Driver close, PF_POLICY socket is going away.\n")); 3621 3622 vmem_free(spdsock_vmem, (void *)(uintptr_t)ss->spdsock_minor, 1); 3623 netstack_rele(ss->spdsock_spds->spds_netstack); 3624 3625 kmem_free(ss, sizeof (spdsock_t)); 3626 return (0); 3627 } 3628 3629 /* 3630 * Merge the IPsec algorithms tables with the received algorithm information. 3631 */ 3632 void 3633 spdsock_merge_algs(spd_stack_t *spds) 3634 { 3635 ipsec_alginfo_t *alg, *oalg; 3636 ipsec_algtype_t algtype; 3637 uint_t algidx, algid, nalgs; 3638 crypto_mech_name_t *mechs; 3639 uint_t mech_count, mech_idx; 3640 netstack_t *ns = spds->spds_netstack; 3641 ipsec_stack_t *ipss = ns->netstack_ipsec; 3642 3643 ASSERT(MUTEX_HELD(&spds->spds_alg_lock)); 3644 3645 /* 3646 * Get the list of supported mechanisms from the crypto framework. 3647 * If a mechanism is supported by KCF, resolve its mechanism 3648 * id and mark it as being valid. This operation must be done 3649 * without holding alg_lock, since it can cause a provider 3650 * module to be loaded and the provider notification callback to 3651 * be invoked. 3652 */ 3653 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP); 3654 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3655 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) { 3656 int algflags = 0; 3657 crypto_mech_type_t mt = CRYPTO_MECHANISM_INVALID; 3658 3659 alg = spds->spds_algs[algtype][algid]; 3660 if (alg == NULL) 3661 continue; 3662 3663 /* 3664 * The NULL encryption algorithm is a special 3665 * case because there are no mechanisms, yet 3666 * the algorithm is still valid. 3667 */ 3668 if (alg->alg_id == SADB_EALG_NULL) { 3669 alg->alg_mech_type = CRYPTO_MECHANISM_INVALID; 3670 alg->alg_flags |= ALG_FLAG_VALID; 3671 continue; 3672 } 3673 3674 for (mech_idx = 0; mech_idx < mech_count; mech_idx++) { 3675 if (strncmp(alg->alg_mech_name, mechs[mech_idx], 3676 CRYPTO_MAX_MECH_NAME) == 0) { 3677 mt = crypto_mech2id(alg->alg_mech_name); 3678 ASSERT(mt != CRYPTO_MECHANISM_INVALID); 3679 algflags = ALG_FLAG_VALID; 3680 break; 3681 } 3682 } 3683 alg->alg_mech_type = mt; 3684 alg->alg_flags |= algflags; 3685 } 3686 } 3687 3688 rw_enter(&ipss->ipsec_alg_lock, RW_WRITER); 3689 3690 /* 3691 * For each algorithm currently defined, check if it is 3692 * present in the new tables created from the SPD_UPDATEALGS 3693 * message received from user-space. 3694 * Delete the algorithm entries that are currently defined 3695 * but not part of the new tables. 3696 */ 3697 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3698 nalgs = ipss->ipsec_nalgs[algtype]; 3699 for (algidx = 0; algidx < nalgs; algidx++) { 3700 algid = ipss->ipsec_sortlist[algtype][algidx]; 3701 if (spds->spds_algs[algtype][algid] == NULL) 3702 ipsec_alg_unreg(algtype, algid, ns); 3703 } 3704 } 3705 3706 /* 3707 * For each algorithm we just received, check if it is 3708 * present in the currently defined tables. If it is, swap 3709 * the entry with the one we just allocated. 3710 * If the new algorithm is not in the current tables, 3711 * add it. 3712 */ 3713 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3714 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) { 3715 alg = spds->spds_algs[algtype][algid]; 3716 if (alg == NULL) 3717 continue; 3718 3719 if ((oalg = ipss->ipsec_alglists[algtype][algid]) == 3720 NULL) { 3721 /* 3722 * New algorithm, add it to the algorithm 3723 * table. 3724 */ 3725 ipsec_alg_reg(algtype, alg, ns); 3726 } else { 3727 /* 3728 * Algorithm is already in the table. Swap 3729 * the existing entry with the new one. 3730 */ 3731 ipsec_alg_fix_min_max(alg, algtype, ns); 3732 ipss->ipsec_alglists[algtype][algid] = alg; 3733 ipsec_alg_free(oalg); 3734 } 3735 spds->spds_algs[algtype][algid] = NULL; 3736 } 3737 } 3738 3739 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3740 ipss->ipsec_algs_exec_mode[algtype] = 3741 spds->spds_algs_exec_mode[algtype]; 3742 } 3743 3744 rw_exit(&ipss->ipsec_alg_lock); 3745 3746 crypto_free_mech_list(mechs, mech_count); 3747 3748 ipsecah_algs_changed(ns); 3749 ipsecesp_algs_changed(ns); 3750 } 3751