1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved. 25 * Copyright (c) 2017 Joyent, Inc. 26 */ 27 28 #include <sys/types.h> 29 #include <sys/stream.h> 30 #include <sys/stropts.h> 31 #include <sys/strsubr.h> 32 #include <sys/errno.h> 33 #include <sys/ddi.h> 34 #include <sys/debug.h> 35 #include <sys/cmn_err.h> 36 #include <sys/stream.h> 37 #include <sys/strlog.h> 38 #include <sys/kmem.h> 39 #include <sys/sunddi.h> 40 #include <sys/tihdr.h> 41 #include <sys/atomic.h> 42 #include <sys/socket.h> 43 #include <sys/sysmacros.h> 44 #include <sys/crypto/common.h> 45 #include <sys/crypto/api.h> 46 #include <sys/zone.h> 47 #include <netinet/in.h> 48 #include <net/if.h> 49 #include <net/pfkeyv2.h> 50 #include <net/pfpolicy.h> 51 #include <inet/common.h> 52 #include <netinet/ip6.h> 53 #include <inet/ip.h> 54 #include <inet/ip_ire.h> 55 #include <inet/ip6.h> 56 #include <inet/ipsec_info.h> 57 #include <inet/tcp.h> 58 #include <inet/sadb.h> 59 #include <inet/ipsec_impl.h> 60 #include <inet/ipsecah.h> 61 #include <inet/ipsecesp.h> 62 #include <sys/random.h> 63 #include <sys/dlpi.h> 64 #include <sys/strsun.h> 65 #include <sys/strsubr.h> 66 #include <inet/ip_if.h> 67 #include <inet/ipdrop.h> 68 #include <inet/ipclassifier.h> 69 #include <inet/sctp_ip.h> 70 #include <sys/tsol/tnet.h> 71 72 /* 73 * This source file contains Security Association Database (SADB) common 74 * routines. They are linked in with the AH module. Since AH has no chance 75 * of falling under export control, it was safe to link it in there. 76 */ 77 78 static uint8_t *sadb_action_to_ecomb(uint8_t *, uint8_t *, ipsec_action_t *, 79 netstack_t *); 80 static ipsa_t *sadb_torch_assoc(isaf_t *, ipsa_t *); 81 static void sadb_destroy_acqlist(iacqf_t **, uint_t, boolean_t, 82 netstack_t *); 83 static void sadb_destroy(sadb_t *, netstack_t *); 84 static mblk_t *sadb_sa2msg(ipsa_t *, sadb_msg_t *); 85 static ts_label_t *sadb_label_from_sens(sadb_sens_t *, uint64_t *); 86 87 static time_t sadb_add_time(time_t, uint64_t); 88 static void lifetime_fuzz(ipsa_t *); 89 static void age_pair_peer_list(templist_t *, sadb_t *, boolean_t); 90 static int get_ipsa_pair(ipsa_query_t *, ipsap_t *, int *); 91 static void init_ipsa_pair(ipsap_t *); 92 static void destroy_ipsa_pair(ipsap_t *); 93 static int update_pairing(ipsap_t *, ipsa_query_t *, keysock_in_t *, int *); 94 static void ipsa_set_replay(ipsa_t *ipsa, uint32_t offset); 95 96 /* 97 * ipsacq_maxpackets is defined here to make it tunable 98 * from /etc/system. 99 */ 100 extern uint64_t ipsacq_maxpackets; 101 102 #define SET_EXPIRE(sa, delta, exp) { \ 103 if (((sa)->ipsa_ ## delta) != 0) { \ 104 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \ 105 (sa)->ipsa_ ## delta); \ 106 } \ 107 } 108 109 #define UPDATE_EXPIRE(sa, delta, exp) { \ 110 if (((sa)->ipsa_ ## delta) != 0) { \ 111 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \ 112 (sa)->ipsa_ ## delta); \ 113 if (((sa)->ipsa_ ## exp) == 0) \ 114 (sa)->ipsa_ ## exp = tmp; \ 115 else \ 116 (sa)->ipsa_ ## exp = \ 117 MIN((sa)->ipsa_ ## exp, tmp); \ 118 } \ 119 } 120 121 122 /* wrap the macro so we can pass it as a function pointer */ 123 void 124 sadb_sa_refrele(void *target) 125 { 126 IPSA_REFRELE(((ipsa_t *)target)); 127 } 128 129 /* 130 * We presume that sizeof (long) == sizeof (time_t) and that time_t is 131 * a signed type. 132 */ 133 #define TIME_MAX LONG_MAX 134 135 /* 136 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that 137 * time_t is defined to be a signed type with the same range as 138 * "long". On ILP32 systems, we thus run the risk of wrapping around 139 * at end of time, as well as "overwrapping" the clock back around 140 * into a seemingly valid but incorrect future date earlier than the 141 * desired expiration. 142 * 143 * In order to avoid odd behavior (either negative lifetimes or loss 144 * of high order bits) when someone asks for bizarrely long SA 145 * lifetimes, we do a saturating add for expire times. 146 * 147 * We presume that ILP32 systems will be past end of support life when 148 * the 32-bit time_t overflows (a dangerous assumption, mind you..). 149 * 150 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we 151 * will hopefully have figured out clever ways to avoid the use of 152 * fixed-sized integers in computation. 153 */ 154 static time_t 155 sadb_add_time(time_t base, uint64_t delta) 156 { 157 time_t sum; 158 159 /* 160 * Clip delta to the maximum possible time_t value to 161 * prevent "overwrapping" back into a shorter-than-desired 162 * future time. 163 */ 164 if (delta > TIME_MAX) 165 delta = TIME_MAX; 166 /* 167 * This sum may still overflow. 168 */ 169 sum = base + delta; 170 171 /* 172 * .. so if the result is less than the base, we overflowed. 173 */ 174 if (sum < base) 175 sum = TIME_MAX; 176 177 return (sum); 178 } 179 180 /* 181 * Callers of this function have already created a working security 182 * association, and have found the appropriate table & hash chain. All this 183 * function does is check duplicates, and insert the SA. The caller needs to 184 * hold the hash bucket lock and increment the refcnt before insertion. 185 * 186 * Return 0 if success, EEXIST if collision. 187 */ 188 #define SA_UNIQUE_MATCH(sa1, sa2) \ 189 (((sa1)->ipsa_unique_id & (sa1)->ipsa_unique_mask) == \ 190 ((sa2)->ipsa_unique_id & (sa2)->ipsa_unique_mask)) 191 192 int 193 sadb_insertassoc(ipsa_t *ipsa, isaf_t *bucket) 194 { 195 ipsa_t **ptpn = NULL; 196 ipsa_t *walker; 197 boolean_t unspecsrc; 198 199 ASSERT(MUTEX_HELD(&bucket->isaf_lock)); 200 201 unspecsrc = IPSA_IS_ADDR_UNSPEC(ipsa->ipsa_srcaddr, ipsa->ipsa_addrfam); 202 203 walker = bucket->isaf_ipsa; 204 ASSERT(walker == NULL || ipsa->ipsa_addrfam == walker->ipsa_addrfam); 205 206 /* 207 * Find insertion point (pointed to with **ptpn). Insert at the head 208 * of the list unless there's an unspecified source address, then 209 * insert it after the last SA with a specified source address. 210 * 211 * BTW, you'll have to walk the whole chain, matching on {DST, SPI} 212 * checking for collisions. 213 */ 214 215 while (walker != NULL) { 216 if (IPSA_ARE_ADDR_EQUAL(walker->ipsa_dstaddr, 217 ipsa->ipsa_dstaddr, ipsa->ipsa_addrfam)) { 218 if (walker->ipsa_spi == ipsa->ipsa_spi) 219 return (EEXIST); 220 221 mutex_enter(&walker->ipsa_lock); 222 if (ipsa->ipsa_state == IPSA_STATE_MATURE && 223 (walker->ipsa_flags & IPSA_F_USED) && 224 SA_UNIQUE_MATCH(walker, ipsa)) { 225 walker->ipsa_flags |= IPSA_F_CINVALID; 226 } 227 mutex_exit(&walker->ipsa_lock); 228 } 229 230 if (ptpn == NULL && unspecsrc) { 231 if (IPSA_IS_ADDR_UNSPEC(walker->ipsa_srcaddr, 232 walker->ipsa_addrfam)) 233 ptpn = walker->ipsa_ptpn; 234 else if (walker->ipsa_next == NULL) 235 ptpn = &walker->ipsa_next; 236 } 237 238 walker = walker->ipsa_next; 239 } 240 241 if (ptpn == NULL) 242 ptpn = &bucket->isaf_ipsa; 243 ipsa->ipsa_next = *ptpn; 244 ipsa->ipsa_ptpn = ptpn; 245 if (ipsa->ipsa_next != NULL) 246 ipsa->ipsa_next->ipsa_ptpn = &ipsa->ipsa_next; 247 *ptpn = ipsa; 248 ipsa->ipsa_linklock = &bucket->isaf_lock; 249 250 return (0); 251 } 252 #undef SA_UNIQUE_MATCH 253 254 /* 255 * Free a security association. Its reference count is 0, which means 256 * I must free it. The SA must be unlocked and must not be linked into 257 * any fanout list. 258 */ 259 static void 260 sadb_freeassoc(ipsa_t *ipsa) 261 { 262 ipsec_stack_t *ipss = ipsa->ipsa_netstack->netstack_ipsec; 263 mblk_t *asyncmp, *mp; 264 265 ASSERT(ipss != NULL); 266 ASSERT(MUTEX_NOT_HELD(&ipsa->ipsa_lock)); 267 ASSERT(ipsa->ipsa_refcnt == 0); 268 ASSERT(ipsa->ipsa_next == NULL); 269 ASSERT(ipsa->ipsa_ptpn == NULL); 270 271 272 asyncmp = sadb_clear_lpkt(ipsa); 273 if (asyncmp != NULL) { 274 mp = ip_recv_attr_free_mblk(asyncmp); 275 ip_drop_packet(mp, B_TRUE, NULL, 276 DROPPER(ipss, ipds_sadb_inlarval_timeout), 277 &ipss->ipsec_sadb_dropper); 278 } 279 mutex_enter(&ipsa->ipsa_lock); 280 281 if (ipsa->ipsa_tsl != NULL) { 282 label_rele(ipsa->ipsa_tsl); 283 ipsa->ipsa_tsl = NULL; 284 } 285 286 if (ipsa->ipsa_otsl != NULL) { 287 label_rele(ipsa->ipsa_otsl); 288 ipsa->ipsa_otsl = NULL; 289 } 290 291 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_AUTH); 292 ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_ENCR); 293 mutex_exit(&ipsa->ipsa_lock); 294 295 /* bzero() these fields for paranoia's sake. */ 296 if (ipsa->ipsa_authkey != NULL) { 297 bzero(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 298 kmem_free(ipsa->ipsa_authkey, ipsa->ipsa_authkeylen); 299 } 300 if (ipsa->ipsa_encrkey != NULL) { 301 bzero(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 302 kmem_free(ipsa->ipsa_encrkey, ipsa->ipsa_encrkeylen); 303 } 304 if (ipsa->ipsa_nonce_buf != NULL) { 305 bzero(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t)); 306 kmem_free(ipsa->ipsa_nonce_buf, sizeof (ipsec_nonce_t)); 307 } 308 if (ipsa->ipsa_src_cid != NULL) { 309 IPSID_REFRELE(ipsa->ipsa_src_cid); 310 } 311 if (ipsa->ipsa_dst_cid != NULL) { 312 IPSID_REFRELE(ipsa->ipsa_dst_cid); 313 } 314 if (ipsa->ipsa_emech.cm_param != NULL) 315 kmem_free(ipsa->ipsa_emech.cm_param, 316 ipsa->ipsa_emech.cm_param_len); 317 318 mutex_destroy(&ipsa->ipsa_lock); 319 kmem_free(ipsa, sizeof (*ipsa)); 320 } 321 322 /* 323 * Unlink a security association from a hash bucket. Assume the hash bucket 324 * lock is held, but the association's lock is not. 325 * 326 * Note that we do not bump the bucket's generation number here because 327 * we might not be making a visible change to the set of visible SA's. 328 * All callers MUST bump the bucket's generation number before they unlock 329 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which 330 * was present in the bucket at the time it was locked. 331 */ 332 void 333 sadb_unlinkassoc(ipsa_t *ipsa) 334 { 335 ASSERT(ipsa->ipsa_linklock != NULL); 336 ASSERT(MUTEX_HELD(ipsa->ipsa_linklock)); 337 338 /* These fields are protected by the link lock. */ 339 *(ipsa->ipsa_ptpn) = ipsa->ipsa_next; 340 if (ipsa->ipsa_next != NULL) { 341 ipsa->ipsa_next->ipsa_ptpn = ipsa->ipsa_ptpn; 342 ipsa->ipsa_next = NULL; 343 } 344 345 ipsa->ipsa_ptpn = NULL; 346 347 /* This may destroy the SA. */ 348 IPSA_REFRELE(ipsa); 349 } 350 351 void 352 sadb_delete_cluster(ipsa_t *assoc) 353 { 354 uint8_t protocol; 355 356 if (cl_inet_deletespi && 357 ((assoc->ipsa_state == IPSA_STATE_LARVAL) || 358 (assoc->ipsa_state == IPSA_STATE_MATURE))) { 359 protocol = (assoc->ipsa_type == SADB_SATYPE_AH) ? 360 IPPROTO_AH : IPPROTO_ESP; 361 cl_inet_deletespi(assoc->ipsa_netstack->netstack_stackid, 362 protocol, assoc->ipsa_spi, NULL); 363 } 364 } 365 366 /* 367 * Create a larval security association with the specified SPI. All other 368 * fields are zeroed. 369 */ 370 static ipsa_t * 371 sadb_makelarvalassoc(uint32_t spi, uint32_t *src, uint32_t *dst, int addrfam, 372 netstack_t *ns) 373 { 374 ipsa_t *newbie; 375 376 /* 377 * Allocate... 378 */ 379 380 newbie = (ipsa_t *)kmem_zalloc(sizeof (ipsa_t), KM_NOSLEEP); 381 if (newbie == NULL) { 382 /* Can't make new larval SA. */ 383 return (NULL); 384 } 385 386 /* Assigned requested SPI, assume caller does SPI allocation magic. */ 387 newbie->ipsa_spi = spi; 388 newbie->ipsa_netstack = ns; /* No netstack_hold */ 389 390 /* 391 * Copy addresses... 392 */ 393 394 IPSA_COPY_ADDR(newbie->ipsa_srcaddr, src, addrfam); 395 IPSA_COPY_ADDR(newbie->ipsa_dstaddr, dst, addrfam); 396 397 newbie->ipsa_addrfam = addrfam; 398 399 /* 400 * Set common initialization values, including refcnt. 401 */ 402 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 403 newbie->ipsa_state = IPSA_STATE_LARVAL; 404 newbie->ipsa_refcnt = 1; 405 newbie->ipsa_freefunc = sadb_freeassoc; 406 407 /* 408 * There aren't a lot of other common initialization values, as 409 * they are copied in from the PF_KEY message. 410 */ 411 412 return (newbie); 413 } 414 415 /* 416 * Call me to initialize a security association fanout. 417 */ 418 static int 419 sadb_init_fanout(isaf_t **tablep, uint_t size, int kmflag) 420 { 421 isaf_t *table; 422 int i; 423 424 table = (isaf_t *)kmem_alloc(size * sizeof (*table), kmflag); 425 *tablep = table; 426 427 if (table == NULL) 428 return (ENOMEM); 429 430 for (i = 0; i < size; i++) { 431 mutex_init(&(table[i].isaf_lock), NULL, MUTEX_DEFAULT, NULL); 432 table[i].isaf_ipsa = NULL; 433 table[i].isaf_gen = 0; 434 } 435 436 return (0); 437 } 438 439 /* 440 * Call me to initialize an acquire fanout 441 */ 442 static int 443 sadb_init_acfanout(iacqf_t **tablep, uint_t size, int kmflag) 444 { 445 iacqf_t *table; 446 int i; 447 448 table = (iacqf_t *)kmem_alloc(size * sizeof (*table), kmflag); 449 *tablep = table; 450 451 if (table == NULL) 452 return (ENOMEM); 453 454 for (i = 0; i < size; i++) { 455 mutex_init(&(table[i].iacqf_lock), NULL, MUTEX_DEFAULT, NULL); 456 table[i].iacqf_ipsacq = NULL; 457 } 458 459 return (0); 460 } 461 462 /* 463 * Attempt to initialize an SADB instance. On failure, return ENOMEM; 464 * caller must clean up partial allocations. 465 */ 466 static int 467 sadb_init_trial(sadb_t *sp, uint_t size, int kmflag) 468 { 469 ASSERT(sp->sdb_of == NULL); 470 ASSERT(sp->sdb_if == NULL); 471 ASSERT(sp->sdb_acq == NULL); 472 473 sp->sdb_hashsize = size; 474 if (sadb_init_fanout(&sp->sdb_of, size, kmflag) != 0) 475 return (ENOMEM); 476 if (sadb_init_fanout(&sp->sdb_if, size, kmflag) != 0) 477 return (ENOMEM); 478 if (sadb_init_acfanout(&sp->sdb_acq, size, kmflag) != 0) 479 return (ENOMEM); 480 481 return (0); 482 } 483 484 /* 485 * Call me to initialize an SADB instance; fall back to default size on failure. 486 */ 487 static void 488 sadb_init(const char *name, sadb_t *sp, uint_t size, uint_t ver, 489 netstack_t *ns) 490 { 491 ASSERT(sp->sdb_of == NULL); 492 ASSERT(sp->sdb_if == NULL); 493 ASSERT(sp->sdb_acq == NULL); 494 495 if (size < IPSEC_DEFAULT_HASH_SIZE) 496 size = IPSEC_DEFAULT_HASH_SIZE; 497 498 if (sadb_init_trial(sp, size, KM_NOSLEEP) != 0) { 499 500 cmn_err(CE_WARN, 501 "Unable to allocate %u entry IPv%u %s SADB hash table", 502 size, ver, name); 503 504 sadb_destroy(sp, ns); 505 size = IPSEC_DEFAULT_HASH_SIZE; 506 cmn_err(CE_WARN, "Falling back to %d entries", size); 507 (void) sadb_init_trial(sp, size, KM_SLEEP); 508 } 509 } 510 511 512 /* 513 * Initialize an SADB-pair. 514 */ 515 void 516 sadbp_init(const char *name, sadbp_t *sp, int type, int size, netstack_t *ns) 517 { 518 sadb_init(name, &sp->s_v4, size, 4, ns); 519 sadb_init(name, &sp->s_v6, size, 6, ns); 520 521 sp->s_satype = type; 522 523 ASSERT((type == SADB_SATYPE_AH) || (type == SADB_SATYPE_ESP)); 524 if (type == SADB_SATYPE_AH) { 525 ipsec_stack_t *ipss = ns->netstack_ipsec; 526 527 ip_drop_register(&ipss->ipsec_sadb_dropper, "IPsec SADB"); 528 sp->s_addflags = AH_ADD_SETTABLE_FLAGS; 529 sp->s_updateflags = AH_UPDATE_SETTABLE_FLAGS; 530 } else { 531 sp->s_addflags = ESP_ADD_SETTABLE_FLAGS; 532 sp->s_updateflags = ESP_UPDATE_SETTABLE_FLAGS; 533 } 534 } 535 536 /* 537 * Deliver a single SADB_DUMP message representing a single SA. This is 538 * called many times by sadb_dump(). 539 * 540 * If the return value of this is ENOBUFS (not the same as ENOMEM), then 541 * the caller should take that as a hint that dupb() on the "original answer" 542 * failed, and that perhaps the caller should try again with a copyb()ed 543 * "original answer". 544 */ 545 static int 546 sadb_dump_deliver(queue_t *pfkey_q, mblk_t *original_answer, ipsa_t *ipsa, 547 sadb_msg_t *samsg) 548 { 549 mblk_t *answer; 550 551 answer = dupb(original_answer); 552 if (answer == NULL) 553 return (ENOBUFS); 554 answer->b_cont = sadb_sa2msg(ipsa, samsg); 555 if (answer->b_cont == NULL) { 556 freeb(answer); 557 return (ENOMEM); 558 } 559 560 /* Just do a putnext, and let keysock deal with flow control. */ 561 putnext(pfkey_q, answer); 562 return (0); 563 } 564 565 /* 566 * Common function to allocate and prepare a keysock_out_t M_CTL message. 567 */ 568 mblk_t * 569 sadb_keysock_out(minor_t serial) 570 { 571 mblk_t *mp; 572 keysock_out_t *kso; 573 574 mp = allocb(sizeof (ipsec_info_t), BPRI_HI); 575 if (mp != NULL) { 576 mp->b_datap->db_type = M_CTL; 577 mp->b_wptr += sizeof (ipsec_info_t); 578 kso = (keysock_out_t *)mp->b_rptr; 579 kso->ks_out_type = KEYSOCK_OUT; 580 kso->ks_out_len = sizeof (*kso); 581 kso->ks_out_serial = serial; 582 } 583 584 return (mp); 585 } 586 587 /* 588 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts 589 * to keysock. 590 */ 591 static int 592 sadb_dump_fanout(queue_t *pfkey_q, mblk_t *mp, minor_t serial, isaf_t *fanout, 593 int num_entries, boolean_t do_peers, time_t active_time) 594 { 595 int i, error = 0; 596 mblk_t *original_answer; 597 ipsa_t *walker; 598 sadb_msg_t *samsg; 599 time_t current; 600 601 /* 602 * For each IPSA hash bucket do: 603 * - Hold the mutex 604 * - Walk each entry, doing an sadb_dump_deliver() on it. 605 */ 606 ASSERT(mp->b_cont != NULL); 607 samsg = (sadb_msg_t *)mp->b_cont->b_rptr; 608 609 original_answer = sadb_keysock_out(serial); 610 if (original_answer == NULL) 611 return (ENOMEM); 612 613 current = gethrestime_sec(); 614 for (i = 0; i < num_entries; i++) { 615 mutex_enter(&fanout[i].isaf_lock); 616 for (walker = fanout[i].isaf_ipsa; walker != NULL; 617 walker = walker->ipsa_next) { 618 if (!do_peers && walker->ipsa_haspeer) 619 continue; 620 if ((active_time != 0) && 621 ((current - walker->ipsa_lastuse) > active_time)) 622 continue; 623 error = sadb_dump_deliver(pfkey_q, original_answer, 624 walker, samsg); 625 if (error == ENOBUFS) { 626 mblk_t *new_original_answer; 627 628 /* Ran out of dupb's. Try a copyb. */ 629 new_original_answer = copyb(original_answer); 630 if (new_original_answer == NULL) { 631 error = ENOMEM; 632 } else { 633 freeb(original_answer); 634 original_answer = new_original_answer; 635 error = sadb_dump_deliver(pfkey_q, 636 original_answer, walker, samsg); 637 } 638 } 639 if (error != 0) 640 break; /* out of for loop. */ 641 } 642 mutex_exit(&fanout[i].isaf_lock); 643 if (error != 0) 644 break; /* out of for loop. */ 645 } 646 647 freeb(original_answer); 648 return (error); 649 } 650 651 /* 652 * Dump an entire SADB; outbound first, then inbound. 653 */ 654 655 int 656 sadb_dump(queue_t *pfkey_q, mblk_t *mp, keysock_in_t *ksi, sadb_t *sp) 657 { 658 int error; 659 time_t active_time = 0; 660 sadb_x_edump_t *edump = 661 (sadb_x_edump_t *)ksi->ks_in_extv[SADB_X_EXT_EDUMP]; 662 663 if (edump != NULL) { 664 active_time = edump->sadb_x_edump_timeout; 665 } 666 667 /* Dump outbound */ 668 error = sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_of, 669 sp->sdb_hashsize, B_TRUE, active_time); 670 if (error) 671 return (error); 672 673 /* Dump inbound */ 674 return sadb_dump_fanout(pfkey_q, mp, ksi->ks_in_serial, sp->sdb_if, 675 sp->sdb_hashsize, B_FALSE, active_time); 676 } 677 678 /* 679 * Generic sadb table walker. 680 * 681 * Call "walkfn" for each SA in each bucket in "table"; pass the 682 * bucket, the entry and "cookie" to the callback function. 683 * Take care to ensure that walkfn can delete the SA without screwing 684 * up our traverse. 685 * 686 * The bucket is locked for the duration of the callback, both so that the 687 * callback can just call sadb_unlinkassoc() when it wants to delete something, 688 * and so that no new entries are added while we're walking the list. 689 */ 690 static void 691 sadb_walker(isaf_t *table, uint_t numentries, 692 void (*walkfn)(isaf_t *head, ipsa_t *entry, void *cookie), 693 void *cookie) 694 { 695 int i; 696 for (i = 0; i < numentries; i++) { 697 ipsa_t *entry, *next; 698 699 mutex_enter(&table[i].isaf_lock); 700 701 for (entry = table[i].isaf_ipsa; entry != NULL; 702 entry = next) { 703 next = entry->ipsa_next; 704 (*walkfn)(&table[i], entry, cookie); 705 } 706 mutex_exit(&table[i].isaf_lock); 707 } 708 } 709 710 /* 711 * Call me to free up a security association fanout. Use the forever 712 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g. 713 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE, 714 * when a module is unloaded). 715 */ 716 static void 717 sadb_destroyer(isaf_t **tablep, uint_t numentries, boolean_t forever, 718 boolean_t inbound) 719 { 720 int i; 721 isaf_t *table = *tablep; 722 uint8_t protocol; 723 ipsa_t *sa; 724 netstackid_t sid; 725 726 if (table == NULL) 727 return; 728 729 for (i = 0; i < numentries; i++) { 730 mutex_enter(&table[i].isaf_lock); 731 while ((sa = table[i].isaf_ipsa) != NULL) { 732 if (inbound && cl_inet_deletespi && 733 (sa->ipsa_state != IPSA_STATE_ACTIVE_ELSEWHERE) && 734 (sa->ipsa_state != IPSA_STATE_IDLE)) { 735 protocol = (sa->ipsa_type == SADB_SATYPE_AH) ? 736 IPPROTO_AH : IPPROTO_ESP; 737 sid = sa->ipsa_netstack->netstack_stackid; 738 cl_inet_deletespi(sid, protocol, sa->ipsa_spi, 739 NULL); 740 } 741 sadb_unlinkassoc(sa); 742 } 743 table[i].isaf_gen++; 744 mutex_exit(&table[i].isaf_lock); 745 if (forever) 746 mutex_destroy(&(table[i].isaf_lock)); 747 } 748 749 if (forever) { 750 *tablep = NULL; 751 kmem_free(table, numentries * sizeof (*table)); 752 } 753 } 754 755 /* 756 * Entry points to sadb_destroyer(). 757 */ 758 static void 759 sadb_flush(sadb_t *sp, netstack_t *ns) 760 { 761 /* 762 * Flush out each bucket, one at a time. Were it not for keysock's 763 * enforcement, there would be a subtlety where I could add on the 764 * heels of a flush. With keysock's enforcement, however, this 765 * makes ESP's job easy. 766 */ 767 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_FALSE, B_FALSE); 768 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_FALSE, B_TRUE); 769 770 /* For each acquire, destroy it; leave the bucket mutex alone. */ 771 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_FALSE, ns); 772 } 773 774 static void 775 sadb_destroy(sadb_t *sp, netstack_t *ns) 776 { 777 sadb_destroyer(&sp->sdb_of, sp->sdb_hashsize, B_TRUE, B_FALSE); 778 sadb_destroyer(&sp->sdb_if, sp->sdb_hashsize, B_TRUE, B_TRUE); 779 780 /* For each acquire, destroy it, including the bucket mutex. */ 781 sadb_destroy_acqlist(&sp->sdb_acq, sp->sdb_hashsize, B_TRUE, ns); 782 783 ASSERT(sp->sdb_of == NULL); 784 ASSERT(sp->sdb_if == NULL); 785 ASSERT(sp->sdb_acq == NULL); 786 } 787 788 void 789 sadbp_flush(sadbp_t *spp, netstack_t *ns) 790 { 791 sadb_flush(&spp->s_v4, ns); 792 sadb_flush(&spp->s_v6, ns); 793 } 794 795 void 796 sadbp_destroy(sadbp_t *spp, netstack_t *ns) 797 { 798 sadb_destroy(&spp->s_v4, ns); 799 sadb_destroy(&spp->s_v6, ns); 800 801 if (spp->s_satype == SADB_SATYPE_AH) { 802 ipsec_stack_t *ipss = ns->netstack_ipsec; 803 804 ip_drop_unregister(&ipss->ipsec_sadb_dropper); 805 } 806 } 807 808 809 /* 810 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g. 811 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for 812 * EINVAL. 813 */ 814 int 815 sadb_hardsoftchk(sadb_lifetime_t *hard, sadb_lifetime_t *soft, 816 sadb_lifetime_t *idle) 817 { 818 if (hard == NULL || soft == NULL) 819 return (0); 820 821 if (hard->sadb_lifetime_allocations != 0 && 822 soft->sadb_lifetime_allocations != 0 && 823 hard->sadb_lifetime_allocations < soft->sadb_lifetime_allocations) 824 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR); 825 826 if (hard->sadb_lifetime_bytes != 0 && 827 soft->sadb_lifetime_bytes != 0 && 828 hard->sadb_lifetime_bytes < soft->sadb_lifetime_bytes) 829 return (SADB_X_DIAGNOSTIC_BYTES_HSERR); 830 831 if (hard->sadb_lifetime_addtime != 0 && 832 soft->sadb_lifetime_addtime != 0 && 833 hard->sadb_lifetime_addtime < soft->sadb_lifetime_addtime) 834 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 835 836 if (hard->sadb_lifetime_usetime != 0 && 837 soft->sadb_lifetime_usetime != 0 && 838 hard->sadb_lifetime_usetime < soft->sadb_lifetime_usetime) 839 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 840 841 if (idle != NULL) { 842 if (hard->sadb_lifetime_addtime != 0 && 843 idle->sadb_lifetime_addtime != 0 && 844 hard->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) 845 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 846 847 if (soft->sadb_lifetime_addtime != 0 && 848 idle->sadb_lifetime_addtime != 0 && 849 soft->sadb_lifetime_addtime < idle->sadb_lifetime_addtime) 850 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR); 851 852 if (hard->sadb_lifetime_usetime != 0 && 853 idle->sadb_lifetime_usetime != 0 && 854 hard->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) 855 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 856 857 if (soft->sadb_lifetime_usetime != 0 && 858 idle->sadb_lifetime_usetime != 0 && 859 soft->sadb_lifetime_usetime < idle->sadb_lifetime_usetime) 860 return (SADB_X_DIAGNOSTIC_USETIME_HSERR); 861 } 862 863 return (0); 864 } 865 866 /* 867 * Sanity check sensitivity labels. 868 * 869 * For now, just reject labels on unlabeled systems. 870 */ 871 int 872 sadb_labelchk(keysock_in_t *ksi) 873 { 874 if (!is_system_labeled()) { 875 if (ksi->ks_in_extv[SADB_EXT_SENSITIVITY] != NULL) 876 return (SADB_X_DIAGNOSTIC_BAD_LABEL); 877 878 if (ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS] != NULL) 879 return (SADB_X_DIAGNOSTIC_BAD_LABEL); 880 } 881 882 return (0); 883 } 884 885 /* 886 * Clone a security association for the purposes of inserting a single SA 887 * into inbound and outbound tables respectively. This function should only 888 * be called from sadb_common_add(). 889 */ 890 static ipsa_t * 891 sadb_cloneassoc(ipsa_t *ipsa) 892 { 893 ipsa_t *newbie; 894 boolean_t error = B_FALSE; 895 896 ASSERT(MUTEX_NOT_HELD(&(ipsa->ipsa_lock))); 897 898 newbie = kmem_alloc(sizeof (ipsa_t), KM_NOSLEEP); 899 if (newbie == NULL) 900 return (NULL); 901 902 /* Copy over what we can. */ 903 *newbie = *ipsa; 904 905 /* bzero and initialize locks, in case *_init() allocates... */ 906 mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL); 907 908 if (newbie->ipsa_tsl != NULL) 909 label_hold(newbie->ipsa_tsl); 910 911 if (newbie->ipsa_otsl != NULL) 912 label_hold(newbie->ipsa_otsl); 913 914 /* 915 * While somewhat dain-bramaged, the most graceful way to 916 * recover from errors is to keep plowing through the 917 * allocations, and getting what I can. It's easier to call 918 * sadb_freeassoc() on the stillborn clone when all the 919 * pointers aren't pointing to the parent's data. 920 */ 921 922 if (ipsa->ipsa_authkey != NULL) { 923 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 924 KM_NOSLEEP); 925 if (newbie->ipsa_authkey == NULL) { 926 error = B_TRUE; 927 } else { 928 bcopy(ipsa->ipsa_authkey, newbie->ipsa_authkey, 929 newbie->ipsa_authkeylen); 930 931 newbie->ipsa_kcfauthkey.ck_data = 932 newbie->ipsa_authkey; 933 } 934 935 if (newbie->ipsa_amech.cm_param != NULL) { 936 newbie->ipsa_amech.cm_param = 937 (char *)&newbie->ipsa_mac_len; 938 } 939 } 940 941 if (ipsa->ipsa_encrkey != NULL) { 942 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 943 KM_NOSLEEP); 944 if (newbie->ipsa_encrkey == NULL) { 945 error = B_TRUE; 946 } else { 947 bcopy(ipsa->ipsa_encrkey, newbie->ipsa_encrkey, 948 newbie->ipsa_encrkeylen); 949 950 newbie->ipsa_kcfencrkey.ck_data = 951 newbie->ipsa_encrkey; 952 } 953 } 954 955 newbie->ipsa_authtmpl = NULL; 956 newbie->ipsa_encrtmpl = NULL; 957 newbie->ipsa_haspeer = B_TRUE; 958 959 if (ipsa->ipsa_src_cid != NULL) { 960 newbie->ipsa_src_cid = ipsa->ipsa_src_cid; 961 IPSID_REFHOLD(ipsa->ipsa_src_cid); 962 } 963 964 if (ipsa->ipsa_dst_cid != NULL) { 965 newbie->ipsa_dst_cid = ipsa->ipsa_dst_cid; 966 IPSID_REFHOLD(ipsa->ipsa_dst_cid); 967 } 968 969 if (error) { 970 sadb_freeassoc(newbie); 971 return (NULL); 972 } 973 974 return (newbie); 975 } 976 977 /* 978 * Initialize a SADB address extension at the address specified by addrext. 979 * Return a pointer to the end of the new address extension. 980 */ 981 static uint8_t * 982 sadb_make_addr_ext(uint8_t *start, uint8_t *end, uint16_t exttype, 983 sa_family_t af, uint32_t *addr, uint16_t port, uint8_t proto, int prefix) 984 { 985 struct sockaddr_in *sin; 986 struct sockaddr_in6 *sin6; 987 uint8_t *cur = start; 988 int addrext_len; 989 int sin_len; 990 sadb_address_t *addrext = (sadb_address_t *)cur; 991 992 if (cur == NULL) 993 return (NULL); 994 995 cur += sizeof (*addrext); 996 if (cur > end) 997 return (NULL); 998 999 addrext->sadb_address_proto = proto; 1000 addrext->sadb_address_prefixlen = prefix; 1001 addrext->sadb_address_reserved = 0; 1002 addrext->sadb_address_exttype = exttype; 1003 1004 switch (af) { 1005 case AF_INET: 1006 sin = (struct sockaddr_in *)cur; 1007 sin_len = sizeof (*sin); 1008 cur += sin_len; 1009 if (cur > end) 1010 return (NULL); 1011 1012 sin->sin_family = af; 1013 bzero(sin->sin_zero, sizeof (sin->sin_zero)); 1014 sin->sin_port = port; 1015 IPSA_COPY_ADDR(&sin->sin_addr, addr, af); 1016 break; 1017 case AF_INET6: 1018 sin6 = (struct sockaddr_in6 *)cur; 1019 sin_len = sizeof (*sin6); 1020 cur += sin_len; 1021 if (cur > end) 1022 return (NULL); 1023 1024 bzero(sin6, sizeof (*sin6)); 1025 sin6->sin6_family = af; 1026 sin6->sin6_port = port; 1027 IPSA_COPY_ADDR(&sin6->sin6_addr, addr, af); 1028 break; 1029 } 1030 1031 addrext_len = roundup(cur - start, sizeof (uint64_t)); 1032 addrext->sadb_address_len = SADB_8TO64(addrext_len); 1033 1034 cur = start + addrext_len; 1035 if (cur > end) 1036 cur = NULL; 1037 1038 return (cur); 1039 } 1040 1041 /* 1042 * Construct a key management cookie extension. 1043 */ 1044 1045 static uint8_t * 1046 sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint32_t kmc) 1047 { 1048 sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur; 1049 1050 if (cur == NULL) 1051 return (NULL); 1052 1053 cur += sizeof (*kmcext); 1054 1055 if (cur > end) 1056 return (NULL); 1057 1058 kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext)); 1059 kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE; 1060 kmcext->sadb_x_kmc_proto = kmp; 1061 kmcext->sadb_x_kmc_cookie = kmc; 1062 kmcext->sadb_x_kmc_reserved = 0; 1063 1064 return (cur); 1065 } 1066 1067 /* 1068 * Given an original message header with sufficient space following it, and an 1069 * SA, construct a full PF_KEY message with all of the relevant extensions. 1070 * This is mostly used for SADB_GET, and SADB_DUMP. 1071 */ 1072 static mblk_t * 1073 sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg) 1074 { 1075 int alloclen, addrsize, paddrsize, authsize, encrsize; 1076 int srcidsize, dstidsize, senslen, osenslen; 1077 sa_family_t fam, pfam; /* Address family for SADB_EXT_ADDRESS */ 1078 /* src/dst and proxy sockaddrs. */ 1079 /* 1080 * The following are pointers into the PF_KEY message this PF_KEY 1081 * message creates. 1082 */ 1083 sadb_msg_t *newsamsg; 1084 sadb_sa_t *assoc; 1085 sadb_lifetime_t *lt; 1086 sadb_key_t *key; 1087 sadb_ident_t *ident; 1088 sadb_sens_t *sens; 1089 sadb_ext_t *walker; /* For when we need a generic ext. pointer. */ 1090 sadb_x_replay_ctr_t *repl_ctr; 1091 sadb_x_pair_t *pair_ext; 1092 1093 mblk_t *mp; 1094 uint8_t *cur, *end; 1095 /* These indicate the presence of the above extension fields. */ 1096 boolean_t soft = B_FALSE, hard = B_FALSE; 1097 boolean_t isrc = B_FALSE, idst = B_FALSE; 1098 boolean_t auth = B_FALSE, encr = B_FALSE; 1099 boolean_t sensinteg = B_FALSE, osensinteg = B_FALSE; 1100 boolean_t srcid = B_FALSE, dstid = B_FALSE; 1101 boolean_t idle; 1102 boolean_t paired; 1103 uint32_t otherspi; 1104 1105 /* First off, figure out the allocation length for this message. */ 1106 /* 1107 * Constant stuff. This includes base, SA, address (src, dst), 1108 * and lifetime (current). 1109 */ 1110 alloclen = sizeof (sadb_msg_t) + sizeof (sadb_sa_t) + 1111 sizeof (sadb_lifetime_t); 1112 1113 fam = ipsa->ipsa_addrfam; 1114 switch (fam) { 1115 case AF_INET: 1116 addrsize = roundup(sizeof (struct sockaddr_in) + 1117 sizeof (sadb_address_t), sizeof (uint64_t)); 1118 break; 1119 case AF_INET6: 1120 addrsize = roundup(sizeof (struct sockaddr_in6) + 1121 sizeof (sadb_address_t), sizeof (uint64_t)); 1122 break; 1123 default: 1124 return (NULL); 1125 } 1126 /* 1127 * Allocate TWO address extensions, for source and destination. 1128 * (Thus, the * 2.) 1129 */ 1130 alloclen += addrsize * 2; 1131 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) 1132 alloclen += addrsize; 1133 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) 1134 alloclen += addrsize; 1135 1136 if (ipsa->ipsa_flags & IPSA_F_PAIRED) { 1137 paired = B_TRUE; 1138 alloclen += sizeof (sadb_x_pair_t); 1139 otherspi = ipsa->ipsa_otherspi; 1140 } else { 1141 paired = B_FALSE; 1142 } 1143 1144 /* How 'bout other lifetimes? */ 1145 if (ipsa->ipsa_softaddlt != 0 || ipsa->ipsa_softuselt != 0 || 1146 ipsa->ipsa_softbyteslt != 0 || ipsa->ipsa_softalloc != 0) { 1147 alloclen += sizeof (sadb_lifetime_t); 1148 soft = B_TRUE; 1149 } 1150 1151 if (ipsa->ipsa_hardaddlt != 0 || ipsa->ipsa_harduselt != 0 || 1152 ipsa->ipsa_hardbyteslt != 0 || ipsa->ipsa_hardalloc != 0) { 1153 alloclen += sizeof (sadb_lifetime_t); 1154 hard = B_TRUE; 1155 } 1156 1157 if (ipsa->ipsa_idleaddlt != 0 || ipsa->ipsa_idleuselt != 0) { 1158 alloclen += sizeof (sadb_lifetime_t); 1159 idle = B_TRUE; 1160 } else { 1161 idle = B_FALSE; 1162 } 1163 1164 /* Inner addresses. */ 1165 if (ipsa->ipsa_innerfam != 0) { 1166 pfam = ipsa->ipsa_innerfam; 1167 switch (pfam) { 1168 case AF_INET6: 1169 paddrsize = roundup(sizeof (struct sockaddr_in6) + 1170 sizeof (sadb_address_t), sizeof (uint64_t)); 1171 break; 1172 case AF_INET: 1173 paddrsize = roundup(sizeof (struct sockaddr_in) + 1174 sizeof (sadb_address_t), sizeof (uint64_t)); 1175 break; 1176 default: 1177 cmn_err(CE_PANIC, 1178 "IPsec SADB: Proxy length failure.\n"); 1179 break; 1180 } 1181 isrc = B_TRUE; 1182 idst = B_TRUE; 1183 alloclen += 2 * paddrsize; 1184 } 1185 1186 /* For the following fields, assume that length != 0 ==> stuff */ 1187 if (ipsa->ipsa_authkeylen != 0) { 1188 authsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_authkeylen, 1189 sizeof (uint64_t)); 1190 alloclen += authsize; 1191 auth = B_TRUE; 1192 } 1193 1194 if (ipsa->ipsa_encrkeylen != 0) { 1195 encrsize = roundup(sizeof (sadb_key_t) + ipsa->ipsa_encrkeylen + 1196 ipsa->ipsa_nonce_len, sizeof (uint64_t)); 1197 alloclen += encrsize; 1198 encr = B_TRUE; 1199 } else { 1200 encr = B_FALSE; 1201 } 1202 1203 if (ipsa->ipsa_tsl != NULL) { 1204 senslen = sadb_sens_len_from_label(ipsa->ipsa_tsl); 1205 alloclen += senslen; 1206 sensinteg = B_TRUE; 1207 } 1208 1209 if (ipsa->ipsa_otsl != NULL) { 1210 osenslen = sadb_sens_len_from_label(ipsa->ipsa_otsl); 1211 alloclen += osenslen; 1212 osensinteg = B_TRUE; 1213 } 1214 1215 /* 1216 * Must use strlen() here for lengths. Identities use NULL 1217 * pointers to indicate their nonexistence. 1218 */ 1219 if (ipsa->ipsa_src_cid != NULL) { 1220 srcidsize = roundup(sizeof (sadb_ident_t) + 1221 strlen(ipsa->ipsa_src_cid->ipsid_cid) + 1, 1222 sizeof (uint64_t)); 1223 alloclen += srcidsize; 1224 srcid = B_TRUE; 1225 } 1226 1227 if (ipsa->ipsa_dst_cid != NULL) { 1228 dstidsize = roundup(sizeof (sadb_ident_t) + 1229 strlen(ipsa->ipsa_dst_cid->ipsid_cid) + 1, 1230 sizeof (uint64_t)); 1231 alloclen += dstidsize; 1232 dstid = B_TRUE; 1233 } 1234 1235 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) 1236 alloclen += sizeof (sadb_x_kmc_t); 1237 1238 if (ipsa->ipsa_replay != 0) { 1239 alloclen += sizeof (sadb_x_replay_ctr_t); 1240 } 1241 1242 /* Make sure the allocation length is a multiple of 8 bytes. */ 1243 ASSERT((alloclen & 0x7) == 0); 1244 1245 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */ 1246 mp = allocb(alloclen, BPRI_HI); 1247 if (mp == NULL) 1248 return (NULL); 1249 bzero(mp->b_rptr, alloclen); 1250 1251 mp->b_wptr += alloclen; 1252 end = mp->b_wptr; 1253 newsamsg = (sadb_msg_t *)mp->b_rptr; 1254 *newsamsg = *samsg; 1255 newsamsg->sadb_msg_len = (uint16_t)SADB_8TO64(alloclen); 1256 1257 mutex_enter(&ipsa->ipsa_lock); /* Since I'm grabbing SA fields... */ 1258 1259 newsamsg->sadb_msg_satype = ipsa->ipsa_type; 1260 1261 assoc = (sadb_sa_t *)(newsamsg + 1); 1262 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc)); 1263 assoc->sadb_sa_exttype = SADB_EXT_SA; 1264 assoc->sadb_sa_spi = ipsa->ipsa_spi; 1265 assoc->sadb_sa_replay = ipsa->ipsa_replay_wsize; 1266 assoc->sadb_sa_state = ipsa->ipsa_state; 1267 assoc->sadb_sa_auth = ipsa->ipsa_auth_alg; 1268 assoc->sadb_sa_encrypt = ipsa->ipsa_encr_alg; 1269 assoc->sadb_sa_flags = ipsa->ipsa_flags; 1270 1271 lt = (sadb_lifetime_t *)(assoc + 1); 1272 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1273 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 1274 /* We do not support the concept. */ 1275 lt->sadb_lifetime_allocations = 0; 1276 lt->sadb_lifetime_bytes = ipsa->ipsa_bytes; 1277 lt->sadb_lifetime_addtime = ipsa->ipsa_addtime; 1278 lt->sadb_lifetime_usetime = ipsa->ipsa_usetime; 1279 1280 if (hard) { 1281 lt++; 1282 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1283 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 1284 lt->sadb_lifetime_allocations = ipsa->ipsa_hardalloc; 1285 lt->sadb_lifetime_bytes = ipsa->ipsa_hardbyteslt; 1286 lt->sadb_lifetime_addtime = ipsa->ipsa_hardaddlt; 1287 lt->sadb_lifetime_usetime = ipsa->ipsa_harduselt; 1288 } 1289 1290 if (soft) { 1291 lt++; 1292 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1293 lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 1294 lt->sadb_lifetime_allocations = ipsa->ipsa_softalloc; 1295 lt->sadb_lifetime_bytes = ipsa->ipsa_softbyteslt; 1296 lt->sadb_lifetime_addtime = ipsa->ipsa_softaddlt; 1297 lt->sadb_lifetime_usetime = ipsa->ipsa_softuselt; 1298 } 1299 1300 if (idle) { 1301 lt++; 1302 lt->sadb_lifetime_len = SADB_8TO64(sizeof (*lt)); 1303 lt->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE; 1304 lt->sadb_lifetime_addtime = ipsa->ipsa_idleaddlt; 1305 lt->sadb_lifetime_usetime = ipsa->ipsa_idleuselt; 1306 } 1307 1308 cur = (uint8_t *)(lt + 1); 1309 1310 /* NOTE: Don't fill in ports here if we are a tunnel-mode SA. */ 1311 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, fam, 1312 ipsa->ipsa_srcaddr, (!isrc && !idst) ? SA_SRCPORT(ipsa) : 0, 1313 SA_PROTO(ipsa), 0); 1314 if (cur == NULL) { 1315 freemsg(mp); 1316 mp = NULL; 1317 goto bail; 1318 } 1319 1320 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, fam, 1321 ipsa->ipsa_dstaddr, (!isrc && !idst) ? SA_DSTPORT(ipsa) : 0, 1322 SA_PROTO(ipsa), 0); 1323 if (cur == NULL) { 1324 freemsg(mp); 1325 mp = NULL; 1326 goto bail; 1327 } 1328 1329 if (ipsa->ipsa_flags & IPSA_F_NATT_LOC) { 1330 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_LOC, 1331 fam, &ipsa->ipsa_natt_addr_loc, ipsa->ipsa_local_nat_port, 1332 IPPROTO_UDP, 0); 1333 if (cur == NULL) { 1334 freemsg(mp); 1335 mp = NULL; 1336 goto bail; 1337 } 1338 } 1339 1340 if (ipsa->ipsa_flags & IPSA_F_NATT_REM) { 1341 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_NATT_REM, 1342 fam, &ipsa->ipsa_natt_addr_rem, ipsa->ipsa_remote_nat_port, 1343 IPPROTO_UDP, 0); 1344 if (cur == NULL) { 1345 freemsg(mp); 1346 mp = NULL; 1347 goto bail; 1348 } 1349 } 1350 1351 /* If we are a tunnel-mode SA, fill in the inner-selectors. */ 1352 if (isrc) { 1353 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 1354 pfam, ipsa->ipsa_innersrc, SA_SRCPORT(ipsa), 1355 SA_IPROTO(ipsa), ipsa->ipsa_innersrcpfx); 1356 if (cur == NULL) { 1357 freemsg(mp); 1358 mp = NULL; 1359 goto bail; 1360 } 1361 } 1362 1363 if (idst) { 1364 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 1365 pfam, ipsa->ipsa_innerdst, SA_DSTPORT(ipsa), 1366 SA_IPROTO(ipsa), ipsa->ipsa_innerdstpfx); 1367 if (cur == NULL) { 1368 freemsg(mp); 1369 mp = NULL; 1370 goto bail; 1371 } 1372 } 1373 1374 if ((ipsa->ipsa_kmp != 0) || (ipsa->ipsa_kmc != 0)) { 1375 cur = sadb_make_kmc_ext(cur, end, 1376 ipsa->ipsa_kmp, ipsa->ipsa_kmc); 1377 if (cur == NULL) { 1378 freemsg(mp); 1379 mp = NULL; 1380 goto bail; 1381 } 1382 } 1383 1384 walker = (sadb_ext_t *)cur; 1385 if (auth) { 1386 key = (sadb_key_t *)walker; 1387 key->sadb_key_len = SADB_8TO64(authsize); 1388 key->sadb_key_exttype = SADB_EXT_KEY_AUTH; 1389 key->sadb_key_bits = ipsa->ipsa_authkeybits; 1390 key->sadb_key_reserved = 0; 1391 bcopy(ipsa->ipsa_authkey, key + 1, ipsa->ipsa_authkeylen); 1392 walker = (sadb_ext_t *)((uint64_t *)walker + 1393 walker->sadb_ext_len); 1394 } 1395 1396 if (encr) { 1397 uint8_t *buf_ptr; 1398 key = (sadb_key_t *)walker; 1399 key->sadb_key_len = SADB_8TO64(encrsize); 1400 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 1401 key->sadb_key_bits = ipsa->ipsa_encrkeybits; 1402 key->sadb_key_reserved = ipsa->ipsa_saltbits; 1403 buf_ptr = (uint8_t *)(key + 1); 1404 bcopy(ipsa->ipsa_encrkey, buf_ptr, ipsa->ipsa_encrkeylen); 1405 if (ipsa->ipsa_salt != NULL) { 1406 buf_ptr += ipsa->ipsa_encrkeylen; 1407 bcopy(ipsa->ipsa_salt, buf_ptr, ipsa->ipsa_saltlen); 1408 } 1409 walker = (sadb_ext_t *)((uint64_t *)walker + 1410 walker->sadb_ext_len); 1411 } 1412 1413 if (srcid) { 1414 ident = (sadb_ident_t *)walker; 1415 ident->sadb_ident_len = SADB_8TO64(srcidsize); 1416 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 1417 ident->sadb_ident_type = ipsa->ipsa_src_cid->ipsid_type; 1418 ident->sadb_ident_id = 0; 1419 ident->sadb_ident_reserved = 0; 1420 (void) strcpy((char *)(ident + 1), 1421 ipsa->ipsa_src_cid->ipsid_cid); 1422 walker = (sadb_ext_t *)((uint64_t *)walker + 1423 walker->sadb_ext_len); 1424 } 1425 1426 if (dstid) { 1427 ident = (sadb_ident_t *)walker; 1428 ident->sadb_ident_len = SADB_8TO64(dstidsize); 1429 ident->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 1430 ident->sadb_ident_type = ipsa->ipsa_dst_cid->ipsid_type; 1431 ident->sadb_ident_id = 0; 1432 ident->sadb_ident_reserved = 0; 1433 (void) strcpy((char *)(ident + 1), 1434 ipsa->ipsa_dst_cid->ipsid_cid); 1435 walker = (sadb_ext_t *)((uint64_t *)walker + 1436 walker->sadb_ext_len); 1437 } 1438 1439 if (sensinteg) { 1440 sens = (sadb_sens_t *)walker; 1441 sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY, 1442 ipsa->ipsa_tsl, senslen); 1443 1444 walker = (sadb_ext_t *)((uint64_t *)walker + 1445 walker->sadb_ext_len); 1446 } 1447 1448 if (osensinteg) { 1449 sens = (sadb_sens_t *)walker; 1450 1451 sadb_sens_from_label(sens, SADB_X_EXT_OUTER_SENS, 1452 ipsa->ipsa_otsl, osenslen); 1453 if (ipsa->ipsa_mac_exempt) 1454 sens->sadb_x_sens_flags = SADB_X_SENS_IMPLICIT; 1455 1456 walker = (sadb_ext_t *)((uint64_t *)walker + 1457 walker->sadb_ext_len); 1458 } 1459 1460 if (paired) { 1461 pair_ext = (sadb_x_pair_t *)walker; 1462 1463 pair_ext->sadb_x_pair_len = SADB_8TO64(sizeof (sadb_x_pair_t)); 1464 pair_ext->sadb_x_pair_exttype = SADB_X_EXT_PAIR; 1465 pair_ext->sadb_x_pair_spi = otherspi; 1466 1467 walker = (sadb_ext_t *)((uint64_t *)walker + 1468 walker->sadb_ext_len); 1469 } 1470 1471 if (ipsa->ipsa_replay != 0) { 1472 repl_ctr = (sadb_x_replay_ctr_t *)walker; 1473 repl_ctr->sadb_x_rc_len = SADB_8TO64(sizeof (*repl_ctr)); 1474 repl_ctr->sadb_x_rc_exttype = SADB_X_EXT_REPLAY_VALUE; 1475 repl_ctr->sadb_x_rc_replay32 = ipsa->ipsa_replay; 1476 repl_ctr->sadb_x_rc_replay64 = 0; 1477 walker = (sadb_ext_t *)(repl_ctr + 1); 1478 } 1479 1480 bail: 1481 /* Pardon any delays... */ 1482 mutex_exit(&ipsa->ipsa_lock); 1483 1484 return (mp); 1485 } 1486 1487 /* 1488 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN) 1489 * and adjust base message accordingly. 1490 * 1491 * Assume message is pulled up in one piece of contiguous memory. 1492 * 1493 * Say if we start off with: 1494 * 1495 * +------+----+-------------+-----------+---------------+---------------+ 1496 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime | 1497 * +------+----+-------------+-----------+---------------+---------------+ 1498 * 1499 * we will end up with 1500 * 1501 * +------+----+-------------+-----------+---------------+ 1502 * | base | SA | source addr | dest addr | soft lifetime | 1503 * +------+----+-------------+-----------+---------------+ 1504 */ 1505 static void 1506 sadb_strip(sadb_msg_t *samsg) 1507 { 1508 sadb_ext_t *ext; 1509 uint8_t *target = NULL; 1510 uint8_t *msgend; 1511 int sofar = SADB_8TO64(sizeof (*samsg)); 1512 int copylen; 1513 1514 ext = (sadb_ext_t *)(samsg + 1); 1515 msgend = (uint8_t *)samsg; 1516 msgend += SADB_64TO8(samsg->sadb_msg_len); 1517 while ((uint8_t *)ext < msgend) { 1518 if (ext->sadb_ext_type == SADB_EXT_RESERVED || 1519 ext->sadb_ext_type == SADB_EXT_KEY_AUTH || 1520 ext->sadb_ext_type == SADB_X_EXT_EDUMP || 1521 ext->sadb_ext_type == SADB_EXT_KEY_ENCRYPT) { 1522 /* 1523 * Aha! I found a header to be erased. 1524 */ 1525 1526 if (target != NULL) { 1527 /* 1528 * If I had a previous header to be erased, 1529 * copy over it. I can get away with just 1530 * copying backwards because the target will 1531 * always be 8 bytes behind the source. 1532 */ 1533 copylen = ((uint8_t *)ext) - (target + 1534 SADB_64TO8( 1535 ((sadb_ext_t *)target)->sadb_ext_len)); 1536 ovbcopy(((uint8_t *)ext - copylen), target, 1537 copylen); 1538 target += copylen; 1539 ((sadb_ext_t *)target)->sadb_ext_len = 1540 SADB_8TO64(((uint8_t *)ext) - target + 1541 SADB_64TO8(ext->sadb_ext_len)); 1542 } else { 1543 target = (uint8_t *)ext; 1544 } 1545 } else { 1546 sofar += ext->sadb_ext_len; 1547 } 1548 1549 ext = (sadb_ext_t *)(((uint64_t *)ext) + ext->sadb_ext_len); 1550 } 1551 1552 ASSERT((uint8_t *)ext == msgend); 1553 1554 if (target != NULL) { 1555 copylen = ((uint8_t *)ext) - (target + 1556 SADB_64TO8(((sadb_ext_t *)target)->sadb_ext_len)); 1557 if (copylen != 0) 1558 ovbcopy(((uint8_t *)ext - copylen), target, copylen); 1559 } 1560 1561 /* Adjust samsg. */ 1562 samsg->sadb_msg_len = (uint16_t)sofar; 1563 1564 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */ 1565 } 1566 1567 /* 1568 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL 1569 * followed by an M_DATA with a PF_KEY message in it. The serial of 1570 * the sending keysock instance is included. 1571 */ 1572 void 1573 sadb_pfkey_error(queue_t *pfkey_q, mblk_t *mp, int error, int diagnostic, 1574 uint_t serial) 1575 { 1576 mblk_t *msg = mp->b_cont; 1577 sadb_msg_t *samsg; 1578 keysock_out_t *kso; 1579 1580 /* 1581 * Enough functions call this to merit a NULL queue check. 1582 */ 1583 if (pfkey_q == NULL) { 1584 freemsg(mp); 1585 return; 1586 } 1587 1588 ASSERT(msg != NULL); 1589 ASSERT((mp->b_wptr - mp->b_rptr) == sizeof (ipsec_info_t)); 1590 ASSERT((msg->b_wptr - msg->b_rptr) >= sizeof (sadb_msg_t)); 1591 samsg = (sadb_msg_t *)msg->b_rptr; 1592 kso = (keysock_out_t *)mp->b_rptr; 1593 1594 kso->ks_out_type = KEYSOCK_OUT; 1595 kso->ks_out_len = sizeof (*kso); 1596 kso->ks_out_serial = serial; 1597 1598 /* 1599 * Only send the base message up in the event of an error. 1600 * Don't worry about bzero()-ing, because it was probably bogus 1601 * anyway. 1602 */ 1603 msg->b_wptr = msg->b_rptr + sizeof (*samsg); 1604 samsg = (sadb_msg_t *)msg->b_rptr; 1605 samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg)); 1606 samsg->sadb_msg_errno = (uint8_t)error; 1607 if (diagnostic != SADB_X_DIAGNOSTIC_PRESET) 1608 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 1609 1610 putnext(pfkey_q, mp); 1611 } 1612 1613 /* 1614 * Send a successful return packet back to keysock via the queue in pfkey_q. 1615 * 1616 * Often, an SA is associated with the reply message, it's passed in if needed, 1617 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held, 1618 * and the caller will release said refcnt. 1619 */ 1620 void 1621 sadb_pfkey_echo(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 1622 keysock_in_t *ksi, ipsa_t *ipsa) 1623 { 1624 keysock_out_t *kso; 1625 mblk_t *mp1; 1626 sadb_msg_t *newsamsg; 1627 uint8_t *oldend; 1628 1629 ASSERT((mp->b_cont != NULL) && 1630 ((void *)samsg == (void *)mp->b_cont->b_rptr) && 1631 ((void *)mp->b_rptr == (void *)ksi)); 1632 1633 switch (samsg->sadb_msg_type) { 1634 case SADB_ADD: 1635 case SADB_UPDATE: 1636 case SADB_X_UPDATEPAIR: 1637 case SADB_X_DELPAIR_STATE: 1638 case SADB_FLUSH: 1639 case SADB_DUMP: 1640 /* 1641 * I have all of the message already. I just need to strip 1642 * out the keying material and echo the message back. 1643 * 1644 * NOTE: for SADB_DUMP, the function sadb_dump() did the 1645 * work. When DUMP reaches here, it should only be a base 1646 * message. 1647 */ 1648 justecho: 1649 if (ksi->ks_in_extv[SADB_EXT_KEY_AUTH] != NULL || 1650 ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT] != NULL || 1651 ksi->ks_in_extv[SADB_X_EXT_EDUMP] != NULL) { 1652 sadb_strip(samsg); 1653 /* Assume PF_KEY message is contiguous. */ 1654 ASSERT(mp->b_cont->b_cont == NULL); 1655 oldend = mp->b_cont->b_wptr; 1656 mp->b_cont->b_wptr = mp->b_cont->b_rptr + 1657 SADB_64TO8(samsg->sadb_msg_len); 1658 bzero(mp->b_cont->b_wptr, oldend - mp->b_cont->b_wptr); 1659 } 1660 break; 1661 case SADB_GET: 1662 /* 1663 * Do a lot of work here, because of the ipsa I just found. 1664 * First construct the new PF_KEY message, then abandon 1665 * the old one. 1666 */ 1667 mp1 = sadb_sa2msg(ipsa, samsg); 1668 if (mp1 == NULL) { 1669 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 1670 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 1671 return; 1672 } 1673 freemsg(mp->b_cont); 1674 mp->b_cont = mp1; 1675 break; 1676 case SADB_DELETE: 1677 case SADB_X_DELPAIR: 1678 if (ipsa == NULL) 1679 goto justecho; 1680 /* 1681 * Because listening KMds may require more info, treat 1682 * DELETE like a special case of GET. 1683 */ 1684 mp1 = sadb_sa2msg(ipsa, samsg); 1685 if (mp1 == NULL) { 1686 sadb_pfkey_error(pfkey_q, mp, ENOMEM, 1687 SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial); 1688 return; 1689 } 1690 newsamsg = (sadb_msg_t *)mp1->b_rptr; 1691 sadb_strip(newsamsg); 1692 oldend = mp1->b_wptr; 1693 mp1->b_wptr = mp1->b_rptr + SADB_64TO8(newsamsg->sadb_msg_len); 1694 bzero(mp1->b_wptr, oldend - mp1->b_wptr); 1695 freemsg(mp->b_cont); 1696 mp->b_cont = mp1; 1697 break; 1698 default: 1699 if (mp != NULL) 1700 freemsg(mp); 1701 return; 1702 } 1703 1704 /* ksi is now null and void. */ 1705 kso = (keysock_out_t *)ksi; 1706 kso->ks_out_type = KEYSOCK_OUT; 1707 kso->ks_out_len = sizeof (*kso); 1708 kso->ks_out_serial = ksi->ks_in_serial; 1709 /* We're ready to send... */ 1710 putnext(pfkey_q, mp); 1711 } 1712 1713 /* 1714 * Set up a global pfkey_q instance for AH, ESP, or some other consumer. 1715 */ 1716 void 1717 sadb_keysock_hello(queue_t **pfkey_qp, queue_t *q, mblk_t *mp, 1718 void (*ager)(void *), void *agerarg, timeout_id_t *top, int satype) 1719 { 1720 keysock_hello_ack_t *kha; 1721 queue_t *oldq; 1722 1723 ASSERT(OTHERQ(q) != NULL); 1724 1725 /* 1726 * First, check atomically that I'm the first and only keysock 1727 * instance. 1728 * 1729 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp), 1730 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY 1731 * messages. 1732 */ 1733 1734 oldq = atomic_cas_ptr((void **)pfkey_qp, NULL, OTHERQ(q)); 1735 if (oldq != NULL) { 1736 ASSERT(oldq != q); 1737 cmn_err(CE_WARN, "Danger! Multiple keysocks on top of %s.\n", 1738 (satype == SADB_SATYPE_ESP)? "ESP" : "AH or other"); 1739 freemsg(mp); 1740 return; 1741 } 1742 1743 kha = (keysock_hello_ack_t *)mp->b_rptr; 1744 kha->ks_hello_len = sizeof (keysock_hello_ack_t); 1745 kha->ks_hello_type = KEYSOCK_HELLO_ACK; 1746 kha->ks_hello_satype = (uint8_t)satype; 1747 1748 /* 1749 * If we made it past the atomic_cas_ptr, then we have "exclusive" 1750 * access to the timeout handle. Fire it off after the default ager 1751 * interval. 1752 */ 1753 *top = qtimeout(*pfkey_qp, ager, agerarg, 1754 drv_usectohz(SADB_AGE_INTERVAL_DEFAULT * 1000)); 1755 1756 putnext(*pfkey_qp, mp); 1757 } 1758 1759 /* 1760 * Normalize IPv4-mapped IPv6 addresses (and prefixes) as appropriate. 1761 * 1762 * Check addresses themselves for wildcard or multicast. 1763 * Check ire table for local/non-local/broadcast. 1764 */ 1765 int 1766 sadb_addrcheck(queue_t *pfkey_q, mblk_t *mp, sadb_ext_t *ext, uint_t serial, 1767 netstack_t *ns) 1768 { 1769 sadb_address_t *addr = (sadb_address_t *)ext; 1770 struct sockaddr_in *sin; 1771 struct sockaddr_in6 *sin6; 1772 int diagnostic, type; 1773 boolean_t normalized = B_FALSE; 1774 1775 ASSERT(ext != NULL); 1776 ASSERT((ext->sadb_ext_type == SADB_EXT_ADDRESS_SRC) || 1777 (ext->sadb_ext_type == SADB_EXT_ADDRESS_DST) || 1778 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) || 1779 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) || 1780 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_LOC) || 1781 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_NATT_REM)); 1782 1783 /* Assign both sockaddrs, the compiler will do the right thing. */ 1784 sin = (struct sockaddr_in *)(addr + 1); 1785 sin6 = (struct sockaddr_in6 *)(addr + 1); 1786 1787 if (sin6->sin6_family == AF_INET6) { 1788 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { 1789 /* 1790 * Convert to an AF_INET sockaddr. This means the 1791 * return messages will have the extra space, but have 1792 * AF_INET sockaddrs instead of AF_INET6. 1793 * 1794 * Yes, RFC 2367 isn't clear on what to do here w.r.t. 1795 * mapped addresses, but since AF_INET6 ::ffff:<v4> is 1796 * equal to AF_INET <v4>, it shouldnt be a huge 1797 * problem. 1798 */ 1799 sin->sin_family = AF_INET; 1800 IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, 1801 &sin->sin_addr); 1802 bzero(&sin->sin_zero, sizeof (sin->sin_zero)); 1803 normalized = B_TRUE; 1804 } 1805 } else if (sin->sin_family != AF_INET) { 1806 switch (ext->sadb_ext_type) { 1807 case SADB_EXT_ADDRESS_SRC: 1808 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC_AF; 1809 break; 1810 case SADB_EXT_ADDRESS_DST: 1811 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 1812 break; 1813 case SADB_X_EXT_ADDRESS_INNER_SRC: 1814 diagnostic = SADB_X_DIAGNOSTIC_BAD_PROXY_AF; 1815 break; 1816 case SADB_X_EXT_ADDRESS_INNER_DST: 1817 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF; 1818 break; 1819 case SADB_X_EXT_ADDRESS_NATT_LOC: 1820 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF; 1821 break; 1822 case SADB_X_EXT_ADDRESS_NATT_REM: 1823 diagnostic = SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF; 1824 break; 1825 /* There is no default, see above ASSERT. */ 1826 } 1827 bail: 1828 if (pfkey_q != NULL) { 1829 sadb_pfkey_error(pfkey_q, mp, EINVAL, diagnostic, 1830 serial); 1831 } else { 1832 /* 1833 * Scribble in sadb_msg that we got passed in. 1834 * Overload "mp" to be an sadb_msg pointer. 1835 */ 1836 sadb_msg_t *samsg = (sadb_msg_t *)mp; 1837 1838 samsg->sadb_msg_errno = EINVAL; 1839 samsg->sadb_x_msg_diagnostic = diagnostic; 1840 } 1841 return (KS_IN_ADDR_UNKNOWN); 1842 } 1843 1844 if (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC || 1845 ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_DST) { 1846 /* 1847 * We need only check for prefix issues. 1848 */ 1849 1850 /* Set diagnostic now, in case we need it later. */ 1851 diagnostic = 1852 (ext->sadb_ext_type == SADB_X_EXT_ADDRESS_INNER_SRC) ? 1853 SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC : 1854 SADB_X_DIAGNOSTIC_PREFIX_INNER_DST; 1855 1856 if (normalized) 1857 addr->sadb_address_prefixlen -= 96; 1858 1859 /* 1860 * Verify and mask out inner-addresses based on prefix length. 1861 */ 1862 if (sin->sin_family == AF_INET) { 1863 if (addr->sadb_address_prefixlen > 32) 1864 goto bail; 1865 sin->sin_addr.s_addr &= 1866 ip_plen_to_mask(addr->sadb_address_prefixlen); 1867 } else { 1868 in6_addr_t mask; 1869 1870 ASSERT(sin->sin_family == AF_INET6); 1871 /* 1872 * ip_plen_to_mask_v6() returns NULL if the value in 1873 * question is out of range. 1874 */ 1875 if (ip_plen_to_mask_v6(addr->sadb_address_prefixlen, 1876 &mask) == NULL) 1877 goto bail; 1878 sin6->sin6_addr.s6_addr32[0] &= mask.s6_addr32[0]; 1879 sin6->sin6_addr.s6_addr32[1] &= mask.s6_addr32[1]; 1880 sin6->sin6_addr.s6_addr32[2] &= mask.s6_addr32[2]; 1881 sin6->sin6_addr.s6_addr32[3] &= mask.s6_addr32[3]; 1882 } 1883 1884 /* We don't care in these cases. */ 1885 return (KS_IN_ADDR_DONTCARE); 1886 } 1887 1888 if (sin->sin_family == AF_INET6) { 1889 /* Check the easy ones now. */ 1890 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) 1891 return (KS_IN_ADDR_MBCAST); 1892 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) 1893 return (KS_IN_ADDR_UNSPEC); 1894 /* 1895 * At this point, we're a unicast IPv6 address. 1896 * 1897 * XXX Zones alert -> me/notme decision needs to be tempered 1898 * by what zone we're in when we go to zone-aware IPsec. 1899 */ 1900 if (ip_type_v6(&sin6->sin6_addr, ns->netstack_ip) == 1901 IRE_LOCAL) { 1902 /* Hey hey, it's local. */ 1903 return (KS_IN_ADDR_ME); 1904 } 1905 } else { 1906 ASSERT(sin->sin_family == AF_INET); 1907 if (sin->sin_addr.s_addr == INADDR_ANY) 1908 return (KS_IN_ADDR_UNSPEC); 1909 if (CLASSD(sin->sin_addr.s_addr)) 1910 return (KS_IN_ADDR_MBCAST); 1911 /* 1912 * At this point we're a unicast or broadcast IPv4 address. 1913 * 1914 * Check if the address is IRE_BROADCAST or IRE_LOCAL. 1915 * 1916 * XXX Zones alert -> me/notme decision needs to be tempered 1917 * by what zone we're in when we go to zone-aware IPsec. 1918 */ 1919 type = ip_type_v4(sin->sin_addr.s_addr, ns->netstack_ip); 1920 switch (type) { 1921 case IRE_LOCAL: 1922 return (KS_IN_ADDR_ME); 1923 case IRE_BROADCAST: 1924 return (KS_IN_ADDR_MBCAST); 1925 } 1926 } 1927 1928 return (KS_IN_ADDR_NOTME); 1929 } 1930 1931 /* 1932 * Address normalizations and reality checks for inbound PF_KEY messages. 1933 * 1934 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert 1935 * the source to AF_INET. Do the same for the inner sources. 1936 */ 1937 boolean_t 1938 sadb_addrfix(keysock_in_t *ksi, queue_t *pfkey_q, mblk_t *mp, netstack_t *ns) 1939 { 1940 struct sockaddr_in *src, *isrc; 1941 struct sockaddr_in6 *dst, *idst; 1942 sadb_address_t *srcext, *dstext; 1943 uint16_t sport; 1944 sadb_ext_t **extv = ksi->ks_in_extv; 1945 int rc; 1946 1947 if (extv[SADB_EXT_ADDRESS_SRC] != NULL) { 1948 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_SRC], 1949 ksi->ks_in_serial, ns); 1950 if (rc == KS_IN_ADDR_UNKNOWN) 1951 return (B_FALSE); 1952 if (rc == KS_IN_ADDR_MBCAST) { 1953 sadb_pfkey_error(pfkey_q, mp, EINVAL, 1954 SADB_X_DIAGNOSTIC_BAD_SRC, ksi->ks_in_serial); 1955 return (B_FALSE); 1956 } 1957 ksi->ks_in_srctype = rc; 1958 } 1959 1960 if (extv[SADB_EXT_ADDRESS_DST] != NULL) { 1961 rc = sadb_addrcheck(pfkey_q, mp, extv[SADB_EXT_ADDRESS_DST], 1962 ksi->ks_in_serial, ns); 1963 if (rc == KS_IN_ADDR_UNKNOWN) 1964 return (B_FALSE); 1965 if (rc == KS_IN_ADDR_UNSPEC) { 1966 sadb_pfkey_error(pfkey_q, mp, EINVAL, 1967 SADB_X_DIAGNOSTIC_BAD_DST, ksi->ks_in_serial); 1968 return (B_FALSE); 1969 } 1970 ksi->ks_in_dsttype = rc; 1971 } 1972 1973 /* 1974 * NAT-Traversal addrs are simple enough to not require all of 1975 * the checks in sadb_addrcheck(). Just normalize or reject if not 1976 * AF_INET. 1977 */ 1978 if (extv[SADB_X_EXT_ADDRESS_NATT_LOC] != NULL) { 1979 rc = sadb_addrcheck(pfkey_q, mp, 1980 extv[SADB_X_EXT_ADDRESS_NATT_LOC], ksi->ks_in_serial, ns); 1981 1982 /* 1983 * Local NAT-T addresses never use an IRE_LOCAL, so it should 1984 * always be NOTME, or UNSPEC (to handle both tunnel mode 1985 * AND local-port flexibility). 1986 */ 1987 if (rc != KS_IN_ADDR_NOTME && rc != KS_IN_ADDR_UNSPEC) { 1988 sadb_pfkey_error(pfkey_q, mp, EINVAL, 1989 SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC, 1990 ksi->ks_in_serial); 1991 return (B_FALSE); 1992 } 1993 src = (struct sockaddr_in *) 1994 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_LOC]) + 1); 1995 if (src->sin_family != AF_INET) { 1996 sadb_pfkey_error(pfkey_q, mp, EINVAL, 1997 SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF, 1998 ksi->ks_in_serial); 1999 return (B_FALSE); 2000 } 2001 } 2002 2003 if (extv[SADB_X_EXT_ADDRESS_NATT_REM] != NULL) { 2004 rc = sadb_addrcheck(pfkey_q, mp, 2005 extv[SADB_X_EXT_ADDRESS_NATT_REM], ksi->ks_in_serial, ns); 2006 2007 /* 2008 * Remote NAT-T addresses never use an IRE_LOCAL, so it should 2009 * always be NOTME, or UNSPEC if it's a tunnel-mode SA. 2010 */ 2011 if (rc != KS_IN_ADDR_NOTME && 2012 !(extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL && 2013 rc == KS_IN_ADDR_UNSPEC)) { 2014 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2015 SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM, 2016 ksi->ks_in_serial); 2017 return (B_FALSE); 2018 } 2019 src = (struct sockaddr_in *) 2020 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_NATT_REM]) + 1); 2021 if (src->sin_family != AF_INET) { 2022 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2023 SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF, 2024 ksi->ks_in_serial); 2025 return (B_FALSE); 2026 } 2027 } 2028 2029 if (extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL) { 2030 if (extv[SADB_X_EXT_ADDRESS_INNER_DST] == NULL) { 2031 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2032 SADB_X_DIAGNOSTIC_MISSING_INNER_DST, 2033 ksi->ks_in_serial); 2034 return (B_FALSE); 2035 } 2036 2037 if (sadb_addrcheck(pfkey_q, mp, 2038 extv[SADB_X_EXT_ADDRESS_INNER_DST], ksi->ks_in_serial, ns) 2039 == KS_IN_ADDR_UNKNOWN || 2040 sadb_addrcheck(pfkey_q, mp, 2041 extv[SADB_X_EXT_ADDRESS_INNER_SRC], ksi->ks_in_serial, ns) 2042 == KS_IN_ADDR_UNKNOWN) 2043 return (B_FALSE); 2044 2045 isrc = (struct sockaddr_in *) 2046 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC]) + 2047 1); 2048 idst = (struct sockaddr_in6 *) 2049 (((sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]) + 2050 1); 2051 if (isrc->sin_family != idst->sin6_family) { 2052 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2053 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH, 2054 ksi->ks_in_serial); 2055 return (B_FALSE); 2056 } 2057 } else if (extv[SADB_X_EXT_ADDRESS_INNER_DST] != NULL) { 2058 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2059 SADB_X_DIAGNOSTIC_MISSING_INNER_SRC, 2060 ksi->ks_in_serial); 2061 return (B_FALSE); 2062 } else { 2063 isrc = NULL; /* For inner/outer port check below. */ 2064 } 2065 2066 dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST]; 2067 srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC]; 2068 2069 if (dstext == NULL || srcext == NULL) 2070 return (B_TRUE); 2071 2072 dst = (struct sockaddr_in6 *)(dstext + 1); 2073 src = (struct sockaddr_in *)(srcext + 1); 2074 2075 if (isrc != NULL && 2076 (isrc->sin_port != 0 || idst->sin6_port != 0) && 2077 (src->sin_port != 0 || dst->sin6_port != 0)) { 2078 /* Can't set inner and outer ports in one SA. */ 2079 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2080 SADB_X_DIAGNOSTIC_DUAL_PORT_SETS, 2081 ksi->ks_in_serial); 2082 return (B_FALSE); 2083 } 2084 2085 if (dst->sin6_family == src->sin_family) 2086 return (B_TRUE); 2087 2088 if (srcext->sadb_address_proto != dstext->sadb_address_proto) { 2089 if (srcext->sadb_address_proto == 0) { 2090 srcext->sadb_address_proto = dstext->sadb_address_proto; 2091 } else if (dstext->sadb_address_proto == 0) { 2092 dstext->sadb_address_proto = srcext->sadb_address_proto; 2093 } else { 2094 /* Inequal protocols, neither were 0. Report error. */ 2095 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2096 SADB_X_DIAGNOSTIC_PROTO_MISMATCH, 2097 ksi->ks_in_serial); 2098 return (B_FALSE); 2099 } 2100 } 2101 2102 /* 2103 * With the exception of an unspec IPv6 source and an IPv4 2104 * destination, address families MUST me matched. 2105 */ 2106 if (src->sin_family == AF_INET || 2107 ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) { 2108 sadb_pfkey_error(pfkey_q, mp, EINVAL, 2109 SADB_X_DIAGNOSTIC_AF_MISMATCH, ksi->ks_in_serial); 2110 return (B_FALSE); 2111 } 2112 2113 /* 2114 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being 2115 * in the same place for sockaddr_in and sockaddr_in6. 2116 */ 2117 sport = src->sin_port; 2118 bzero(src, sizeof (*src)); 2119 src->sin_family = AF_INET; 2120 src->sin_port = sport; 2121 2122 return (B_TRUE); 2123 } 2124 2125 /* 2126 * Set the results in "addrtype", given an IRE as requested by 2127 * sadb_addrcheck(). 2128 */ 2129 int 2130 sadb_addrset(ire_t *ire) 2131 { 2132 if ((ire->ire_type & IRE_BROADCAST) || 2133 (ire->ire_ipversion == IPV4_VERSION && CLASSD(ire->ire_addr)) || 2134 (ire->ire_ipversion == IPV6_VERSION && 2135 IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6)))) 2136 return (KS_IN_ADDR_MBCAST); 2137 if (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) 2138 return (KS_IN_ADDR_ME); 2139 return (KS_IN_ADDR_NOTME); 2140 } 2141 2142 /* 2143 * Match primitives.. 2144 * !!! TODO: short term: inner selectors 2145 * ipv6 scope id (ifindex) 2146 * longer term: zone id. sensitivity label. uid. 2147 */ 2148 boolean_t 2149 sadb_match_spi(ipsa_query_t *sq, ipsa_t *sa) 2150 { 2151 return (sq->spi == sa->ipsa_spi); 2152 } 2153 2154 boolean_t 2155 sadb_match_dst_v6(ipsa_query_t *sq, ipsa_t *sa) 2156 { 2157 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_dstaddr, sq->dstaddr, AF_INET6)); 2158 } 2159 2160 boolean_t 2161 sadb_match_src_v6(ipsa_query_t *sq, ipsa_t *sa) 2162 { 2163 return (IPSA_ARE_ADDR_EQUAL(sa->ipsa_srcaddr, sq->srcaddr, AF_INET6)); 2164 } 2165 2166 boolean_t 2167 sadb_match_dst_v4(ipsa_query_t *sq, ipsa_t *sa) 2168 { 2169 return (sq->dstaddr[0] == sa->ipsa_dstaddr[0]); 2170 } 2171 2172 boolean_t 2173 sadb_match_src_v4(ipsa_query_t *sq, ipsa_t *sa) 2174 { 2175 return (sq->srcaddr[0] == sa->ipsa_srcaddr[0]); 2176 } 2177 2178 boolean_t 2179 sadb_match_dstid(ipsa_query_t *sq, ipsa_t *sa) 2180 { 2181 return ((sa->ipsa_dst_cid != NULL) && 2182 (sq->didtype == sa->ipsa_dst_cid->ipsid_type) && 2183 (strcmp(sq->didstr, sa->ipsa_dst_cid->ipsid_cid) == 0)); 2184 2185 } 2186 boolean_t 2187 sadb_match_srcid(ipsa_query_t *sq, ipsa_t *sa) 2188 { 2189 return ((sa->ipsa_src_cid != NULL) && 2190 (sq->sidtype == sa->ipsa_src_cid->ipsid_type) && 2191 (strcmp(sq->sidstr, sa->ipsa_src_cid->ipsid_cid) == 0)); 2192 } 2193 2194 boolean_t 2195 sadb_match_kmc(ipsa_query_t *sq, ipsa_t *sa) 2196 { 2197 #define M(a, b) (((a) == 0) || ((b) == 0) || ((a) == (b))) 2198 2199 return (M(sq->kmc, sa->ipsa_kmc) && M(sq->kmp, sa->ipsa_kmp)); 2200 2201 #undef M 2202 } 2203 2204 /* 2205 * Common function which extracts several PF_KEY extensions for ease of 2206 * SADB matching. 2207 * 2208 * XXX TODO: weed out ipsa_query_t fields not used during matching 2209 * or afterwards? 2210 */ 2211 int 2212 sadb_form_query(keysock_in_t *ksi, uint32_t req, uint32_t match, 2213 ipsa_query_t *sq, int *diagnostic) 2214 { 2215 int i; 2216 ipsa_match_fn_t *mfpp = &(sq->matchers[0]); 2217 2218 for (i = 0; i < IPSA_NMATCH; i++) 2219 sq->matchers[i] = NULL; 2220 2221 ASSERT((req & ~match) == 0); 2222 2223 sq->req = req; 2224 sq->dstext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2225 sq->srcext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2226 sq->assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2227 2228 if ((req & IPSA_Q_DST) && (sq->dstext == NULL)) { 2229 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 2230 return (EINVAL); 2231 } 2232 if ((req & IPSA_Q_SRC) && (sq->srcext == NULL)) { 2233 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 2234 return (EINVAL); 2235 } 2236 if ((req & IPSA_Q_SA) && (sq->assoc == NULL)) { 2237 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 2238 return (EINVAL); 2239 } 2240 2241 if (match & IPSA_Q_SA) { 2242 *mfpp++ = sadb_match_spi; 2243 sq->spi = sq->assoc->sadb_sa_spi; 2244 } 2245 2246 if (sq->dstext != NULL) 2247 sq->dst = (struct sockaddr_in *)(sq->dstext + 1); 2248 else { 2249 sq->dst = NULL; 2250 sq->dst6 = NULL; 2251 sq->dstaddr = NULL; 2252 } 2253 2254 if (sq->srcext != NULL) 2255 sq->src = (struct sockaddr_in *)(sq->srcext + 1); 2256 else { 2257 sq->src = NULL; 2258 sq->src6 = NULL; 2259 sq->srcaddr = NULL; 2260 } 2261 2262 if (sq->dst != NULL) 2263 sq->af = sq->dst->sin_family; 2264 else if (sq->src != NULL) 2265 sq->af = sq->src->sin_family; 2266 else 2267 sq->af = AF_INET; 2268 2269 if (sq->af == AF_INET6) { 2270 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) { 2271 *mfpp++ = sadb_match_dst_v6; 2272 sq->dst6 = (struct sockaddr_in6 *)sq->dst; 2273 sq->dstaddr = (uint32_t *)&(sq->dst6->sin6_addr); 2274 } else { 2275 match &= ~IPSA_Q_DST; 2276 sq->dstaddr = ALL_ZEROES_PTR; 2277 } 2278 2279 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) { 2280 sq->src6 = (struct sockaddr_in6 *)(sq->srcext + 1); 2281 sq->srcaddr = (uint32_t *)&sq->src6->sin6_addr; 2282 if (sq->src6->sin6_family != AF_INET6) { 2283 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2284 return (EINVAL); 2285 } 2286 *mfpp++ = sadb_match_src_v6; 2287 } else { 2288 match &= ~IPSA_Q_SRC; 2289 sq->srcaddr = ALL_ZEROES_PTR; 2290 } 2291 } else { 2292 sq->src6 = sq->dst6 = NULL; 2293 if ((match & IPSA_Q_DST) && (sq->dstext != NULL)) { 2294 *mfpp++ = sadb_match_dst_v4; 2295 sq->dstaddr = (uint32_t *)&sq->dst->sin_addr; 2296 } else { 2297 match &= ~IPSA_Q_DST; 2298 sq->dstaddr = ALL_ZEROES_PTR; 2299 } 2300 if ((match & IPSA_Q_SRC) && (sq->srcext != NULL)) { 2301 sq->srcaddr = (uint32_t *)&sq->src->sin_addr; 2302 if (sq->src->sin_family != AF_INET) { 2303 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 2304 return (EINVAL); 2305 } 2306 *mfpp++ = sadb_match_src_v4; 2307 } else { 2308 match &= ~IPSA_Q_SRC; 2309 sq->srcaddr = ALL_ZEROES_PTR; 2310 } 2311 } 2312 2313 sq->dstid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 2314 if ((match & IPSA_Q_DSTID) && (sq->dstid != NULL)) { 2315 sq->didstr = (char *)(sq->dstid + 1); 2316 sq->didtype = sq->dstid->sadb_ident_type; 2317 *mfpp++ = sadb_match_dstid; 2318 } 2319 2320 sq->srcid = (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 2321 2322 if ((match & IPSA_Q_SRCID) && (sq->srcid != NULL)) { 2323 sq->sidstr = (char *)(sq->srcid + 1); 2324 sq->sidtype = sq->srcid->sadb_ident_type; 2325 *mfpp++ = sadb_match_srcid; 2326 } 2327 2328 sq->kmcext = (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 2329 sq->kmc = 0; 2330 sq->kmp = 0; 2331 2332 if ((match & IPSA_Q_KMC) && (sq->kmcext)) { 2333 sq->kmc = sq->kmcext->sadb_x_kmc_cookie; 2334 sq->kmp = sq->kmcext->sadb_x_kmc_proto; 2335 *mfpp++ = sadb_match_kmc; 2336 } 2337 2338 if (match & (IPSA_Q_INBOUND|IPSA_Q_OUTBOUND)) { 2339 if (sq->af == AF_INET6) 2340 sq->sp = &sq->spp->s_v6; 2341 else 2342 sq->sp = &sq->spp->s_v4; 2343 } else { 2344 sq->sp = NULL; 2345 } 2346 2347 if (match & IPSA_Q_INBOUND) { 2348 sq->inhash = INBOUND_HASH(sq->sp, sq->assoc->sadb_sa_spi); 2349 sq->inbound = &sq->sp->sdb_if[sq->inhash]; 2350 } else { 2351 sq->inhash = 0; 2352 sq->inbound = NULL; 2353 } 2354 2355 if (match & IPSA_Q_OUTBOUND) { 2356 if (sq->af == AF_INET6) { 2357 sq->outhash = OUTBOUND_HASH_V6(sq->sp, *(sq->dstaddr)); 2358 } else { 2359 sq->outhash = OUTBOUND_HASH_V4(sq->sp, *(sq->dstaddr)); 2360 } 2361 sq->outbound = &sq->sp->sdb_of[sq->outhash]; 2362 } else { 2363 sq->outhash = 0; 2364 sq->outbound = NULL; 2365 } 2366 sq->match = match; 2367 return (0); 2368 } 2369 2370 /* 2371 * Match an initialized query structure with a security association; 2372 * return B_TRUE on a match, B_FALSE on a miss. 2373 * Applies match functions set up by sadb_form_query() until one returns false. 2374 */ 2375 boolean_t 2376 sadb_match_query(ipsa_query_t *sq, ipsa_t *sa) 2377 { 2378 ipsa_match_fn_t *mfpp = &(sq->matchers[0]); 2379 ipsa_match_fn_t mfp; 2380 2381 for (mfp = *mfpp++; mfp != NULL; mfp = *mfpp++) { 2382 if (!mfp(sq, sa)) 2383 return (B_FALSE); 2384 } 2385 return (B_TRUE); 2386 } 2387 2388 /* 2389 * Walker callback function to delete sa's based on src/dst address. 2390 * Assumes that we're called with *head locked, no other locks held; 2391 * Conveniently, and not coincidentally, this is both what sadb_walker 2392 * gives us and also what sadb_unlinkassoc expects. 2393 */ 2394 struct sadb_purge_state 2395 { 2396 ipsa_query_t sq; 2397 boolean_t inbnd; 2398 uint8_t sadb_sa_state; 2399 }; 2400 2401 static void 2402 sadb_purge_cb(isaf_t *head, ipsa_t *entry, void *cookie) 2403 { 2404 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2405 2406 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2407 2408 mutex_enter(&entry->ipsa_lock); 2409 2410 if (entry->ipsa_state == IPSA_STATE_LARVAL || 2411 !sadb_match_query(&ps->sq, entry)) { 2412 mutex_exit(&entry->ipsa_lock); 2413 return; 2414 } 2415 2416 if (ps->inbnd) { 2417 sadb_delete_cluster(entry); 2418 } 2419 entry->ipsa_state = IPSA_STATE_DEAD; 2420 (void) sadb_torch_assoc(head, entry); 2421 } 2422 2423 /* 2424 * Common code to purge an SA with a matching src or dst address. 2425 * Don't kill larval SA's in such a purge. 2426 */ 2427 int 2428 sadb_purge_sa(mblk_t *mp, keysock_in_t *ksi, sadb_t *sp, 2429 int *diagnostic, queue_t *pfkey_q) 2430 { 2431 struct sadb_purge_state ps; 2432 int error = sadb_form_query(ksi, 0, 2433 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC, 2434 &ps.sq, diagnostic); 2435 2436 if (error != 0) 2437 return (error); 2438 2439 /* 2440 * This is simple, crude, and effective. 2441 * Unimplemented optimizations (TBD): 2442 * - we can limit how many places we search based on where we 2443 * think the SA is filed. 2444 * - if we get a dst address, we can hash based on dst addr to find 2445 * the correct bucket in the outbound table. 2446 */ 2447 ps.inbnd = B_TRUE; 2448 sadb_walker(sp->sdb_if, sp->sdb_hashsize, sadb_purge_cb, &ps); 2449 ps.inbnd = B_FALSE; 2450 sadb_walker(sp->sdb_of, sp->sdb_hashsize, sadb_purge_cb, &ps); 2451 2452 ASSERT(mp->b_cont != NULL); 2453 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi, 2454 NULL); 2455 return (0); 2456 } 2457 2458 static void 2459 sadb_delpair_state_one(isaf_t *head, ipsa_t *entry, void *cookie) 2460 { 2461 struct sadb_purge_state *ps = (struct sadb_purge_state *)cookie; 2462 isaf_t *inbound_bucket; 2463 ipsa_t *peer_assoc; 2464 ipsa_query_t *sq = &ps->sq; 2465 2466 ASSERT(MUTEX_HELD(&head->isaf_lock)); 2467 2468 mutex_enter(&entry->ipsa_lock); 2469 2470 if ((entry->ipsa_state != ps->sadb_sa_state) || 2471 ((sq->srcaddr != NULL) && 2472 !IPSA_ARE_ADDR_EQUAL(entry->ipsa_srcaddr, sq->srcaddr, sq->af))) { 2473 mutex_exit(&entry->ipsa_lock); 2474 return; 2475 } 2476 2477 /* 2478 * The isaf_t *, which is passed in , is always an outbound bucket, 2479 * and we are preserving the outbound-then-inbound hash-bucket lock 2480 * ordering. The sadb_walker() which triggers this function is called 2481 * only on the outbound fanout, and the corresponding inbound bucket 2482 * lock is safe to acquire here. 2483 */ 2484 2485 if (entry->ipsa_haspeer) { 2486 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_spi); 2487 mutex_enter(&inbound_bucket->isaf_lock); 2488 peer_assoc = ipsec_getassocbyspi(inbound_bucket, 2489 entry->ipsa_spi, entry->ipsa_srcaddr, 2490 entry->ipsa_dstaddr, entry->ipsa_addrfam); 2491 } else { 2492 inbound_bucket = INBOUND_BUCKET(sq->sp, entry->ipsa_otherspi); 2493 mutex_enter(&inbound_bucket->isaf_lock); 2494 peer_assoc = ipsec_getassocbyspi(inbound_bucket, 2495 entry->ipsa_otherspi, entry->ipsa_dstaddr, 2496 entry->ipsa_srcaddr, entry->ipsa_addrfam); 2497 } 2498 2499 entry->ipsa_state = IPSA_STATE_DEAD; 2500 (void) sadb_torch_assoc(head, entry); 2501 if (peer_assoc != NULL) { 2502 mutex_enter(&peer_assoc->ipsa_lock); 2503 peer_assoc->ipsa_state = IPSA_STATE_DEAD; 2504 (void) sadb_torch_assoc(inbound_bucket, peer_assoc); 2505 } 2506 mutex_exit(&inbound_bucket->isaf_lock); 2507 } 2508 2509 static int 2510 sadb_delpair_state(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp, 2511 int *diagnostic, queue_t *pfkey_q) 2512 { 2513 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2514 struct sadb_purge_state ps; 2515 int error; 2516 2517 ps.sq.spp = spp; /* XXX param */ 2518 2519 error = sadb_form_query(ksi, IPSA_Q_DST|IPSA_Q_SRC, 2520 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC, 2521 &ps.sq, diagnostic); 2522 if (error != 0) 2523 return (error); 2524 2525 ps.inbnd = B_FALSE; 2526 ps.sadb_sa_state = assoc->sadb_sa_state; 2527 sadb_walker(ps.sq.sp->sdb_of, ps.sq.sp->sdb_hashsize, 2528 sadb_delpair_state_one, &ps); 2529 2530 ASSERT(mp->b_cont != NULL); 2531 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 2532 ksi, NULL); 2533 return (0); 2534 } 2535 2536 /* 2537 * Common code to delete/get an SA. 2538 */ 2539 int 2540 sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp, 2541 int *diagnostic, queue_t *pfkey_q, uint8_t sadb_msg_type) 2542 { 2543 ipsa_query_t sq; 2544 ipsa_t *echo_target = NULL; 2545 ipsap_t ipsapp; 2546 uint_t error = 0; 2547 2548 if (sadb_msg_type == SADB_X_DELPAIR_STATE) 2549 return (sadb_delpair_state(mp, ksi, spp, diagnostic, pfkey_q)); 2550 2551 sq.spp = spp; /* XXX param */ 2552 error = sadb_form_query(ksi, IPSA_Q_DST|IPSA_Q_SA, 2553 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, 2554 &sq, diagnostic); 2555 if (error != 0) 2556 return (error); 2557 2558 error = get_ipsa_pair(&sq, &ipsapp, diagnostic); 2559 if (error != 0) { 2560 return (error); 2561 } 2562 2563 echo_target = ipsapp.ipsap_sa_ptr; 2564 if (echo_target == NULL) 2565 echo_target = ipsapp.ipsap_psa_ptr; 2566 2567 if (sadb_msg_type == SADB_DELETE || sadb_msg_type == SADB_X_DELPAIR) { 2568 /* 2569 * Bucket locks will be required if SA is actually unlinked. 2570 * get_ipsa_pair() returns valid hash bucket pointers even 2571 * if it can't find a pair SA pointer. To prevent a potential 2572 * deadlock, always lock the outbound bucket before the inbound. 2573 */ 2574 if (ipsapp.in_inbound_table) { 2575 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock); 2576 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock); 2577 } else { 2578 mutex_enter(&ipsapp.ipsap_bucket->isaf_lock); 2579 mutex_enter(&ipsapp.ipsap_pbucket->isaf_lock); 2580 } 2581 2582 if (ipsapp.ipsap_sa_ptr != NULL) { 2583 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock); 2584 if (ipsapp.ipsap_sa_ptr->ipsa_flags & IPSA_F_INBOUND) { 2585 sadb_delete_cluster(ipsapp.ipsap_sa_ptr); 2586 } 2587 ipsapp.ipsap_sa_ptr->ipsa_state = IPSA_STATE_DEAD; 2588 (void) sadb_torch_assoc(ipsapp.ipsap_bucket, 2589 ipsapp.ipsap_sa_ptr); 2590 /* 2591 * sadb_torch_assoc() releases the ipsa_lock 2592 * and calls sadb_unlinkassoc() which does a 2593 * IPSA_REFRELE. 2594 */ 2595 } 2596 if (ipsapp.ipsap_psa_ptr != NULL) { 2597 mutex_enter(&ipsapp.ipsap_psa_ptr->ipsa_lock); 2598 if (sadb_msg_type == SADB_X_DELPAIR || 2599 ipsapp.ipsap_psa_ptr->ipsa_haspeer) { 2600 if (ipsapp.ipsap_psa_ptr->ipsa_flags & 2601 IPSA_F_INBOUND) { 2602 sadb_delete_cluster 2603 (ipsapp.ipsap_psa_ptr); 2604 } 2605 ipsapp.ipsap_psa_ptr->ipsa_state = 2606 IPSA_STATE_DEAD; 2607 (void) sadb_torch_assoc(ipsapp.ipsap_pbucket, 2608 ipsapp.ipsap_psa_ptr); 2609 } else { 2610 /* 2611 * Only half of the "pair" has been deleted. 2612 * Update the remaining SA and remove references 2613 * to its pair SA, which is now gone. 2614 */ 2615 ipsapp.ipsap_psa_ptr->ipsa_otherspi = 0; 2616 ipsapp.ipsap_psa_ptr->ipsa_flags &= 2617 ~IPSA_F_PAIRED; 2618 mutex_exit(&ipsapp.ipsap_psa_ptr->ipsa_lock); 2619 } 2620 } else if (sadb_msg_type == SADB_X_DELPAIR) { 2621 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 2622 error = ESRCH; 2623 } 2624 mutex_exit(&ipsapp.ipsap_bucket->isaf_lock); 2625 mutex_exit(&ipsapp.ipsap_pbucket->isaf_lock); 2626 } 2627 2628 ASSERT(mp->b_cont != NULL); 2629 2630 if (error == 0) 2631 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *) 2632 mp->b_cont->b_rptr, ksi, echo_target); 2633 2634 destroy_ipsa_pair(&ipsapp); 2635 2636 return (error); 2637 } 2638 2639 /* 2640 * This function takes a sadb_sa_t and finds the ipsa_t structure 2641 * and the isaf_t (hash bucket) that its stored under. If the security 2642 * association has a peer, the ipsa_t structure and bucket for that security 2643 * association are also searched for. The "pair" of ipsa_t's and isaf_t's 2644 * are returned as a ipsap_t. 2645 * 2646 * The hash buckets are returned for convenience, if the calling function 2647 * needs to use the hash bucket locks, say to remove the SA's, it should 2648 * take care to observe the convention of locking outbound bucket then 2649 * inbound bucket. The flag in_inbound_table provides direction. 2650 * 2651 * Note that a "pair" is defined as one (but not both) of the following: 2652 * 2653 * A security association which has a soft reference to another security 2654 * association via its SPI. 2655 * 2656 * A security association that is not obviously "inbound" or "outbound" so 2657 * it appears in both hash tables, the "peer" being the same security 2658 * association in the other hash table. 2659 * 2660 * This function will return NULL if the ipsa_t can't be found in the 2661 * inbound or outbound hash tables (not found). If only one ipsa_t is 2662 * found, the pair ipsa_t will be NULL. Both isaf_t values are valid 2663 * provided at least one ipsa_t is found. 2664 */ 2665 static int 2666 get_ipsa_pair(ipsa_query_t *sq, ipsap_t *ipsapp, int *diagnostic) 2667 { 2668 uint32_t pair_srcaddr[IPSA_MAX_ADDRLEN]; 2669 uint32_t pair_dstaddr[IPSA_MAX_ADDRLEN]; 2670 uint32_t pair_spi; 2671 2672 init_ipsa_pair(ipsapp); 2673 2674 ipsapp->in_inbound_table = B_FALSE; 2675 2676 /* Lock down both buckets. */ 2677 mutex_enter(&sq->outbound->isaf_lock); 2678 mutex_enter(&sq->inbound->isaf_lock); 2679 2680 if (sq->assoc->sadb_sa_flags & IPSA_F_INBOUND) { 2681 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound, 2682 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af); 2683 if (ipsapp->ipsap_sa_ptr != NULL) { 2684 ipsapp->ipsap_bucket = sq->inbound; 2685 ipsapp->ipsap_pbucket = sq->outbound; 2686 ipsapp->in_inbound_table = B_TRUE; 2687 } else { 2688 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->outbound, 2689 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, 2690 sq->af); 2691 ipsapp->ipsap_bucket = sq->outbound; 2692 ipsapp->ipsap_pbucket = sq->inbound; 2693 } 2694 } else { 2695 /* IPSA_F_OUTBOUND is set *or* no directions flags set. */ 2696 ipsapp->ipsap_sa_ptr = 2697 ipsec_getassocbyspi(sq->outbound, 2698 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af); 2699 if (ipsapp->ipsap_sa_ptr != NULL) { 2700 ipsapp->ipsap_bucket = sq->outbound; 2701 ipsapp->ipsap_pbucket = sq->inbound; 2702 } else { 2703 ipsapp->ipsap_sa_ptr = ipsec_getassocbyspi(sq->inbound, 2704 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, 2705 sq->af); 2706 ipsapp->ipsap_bucket = sq->inbound; 2707 ipsapp->ipsap_pbucket = sq->outbound; 2708 if (ipsapp->ipsap_sa_ptr != NULL) 2709 ipsapp->in_inbound_table = B_TRUE; 2710 } 2711 } 2712 2713 if (ipsapp->ipsap_sa_ptr == NULL) { 2714 mutex_exit(&sq->outbound->isaf_lock); 2715 mutex_exit(&sq->inbound->isaf_lock); 2716 *diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND; 2717 return (ESRCH); 2718 } 2719 2720 if ((ipsapp->ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) && 2721 ipsapp->in_inbound_table) { 2722 mutex_exit(&sq->outbound->isaf_lock); 2723 mutex_exit(&sq->inbound->isaf_lock); 2724 return (0); 2725 } 2726 2727 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2728 if (ipsapp->ipsap_sa_ptr->ipsa_haspeer) { 2729 /* 2730 * haspeer implies no sa_pairing, look for same spi 2731 * in other hashtable. 2732 */ 2733 ipsapp->ipsap_psa_ptr = 2734 ipsec_getassocbyspi(ipsapp->ipsap_pbucket, 2735 sq->assoc->sadb_sa_spi, sq->srcaddr, sq->dstaddr, sq->af); 2736 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2737 mutex_exit(&sq->outbound->isaf_lock); 2738 mutex_exit(&sq->inbound->isaf_lock); 2739 return (0); 2740 } 2741 pair_spi = ipsapp->ipsap_sa_ptr->ipsa_otherspi; 2742 IPSA_COPY_ADDR(&pair_srcaddr, 2743 ipsapp->ipsap_sa_ptr->ipsa_srcaddr, sq->af); 2744 IPSA_COPY_ADDR(&pair_dstaddr, 2745 ipsapp->ipsap_sa_ptr->ipsa_dstaddr, sq->af); 2746 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 2747 mutex_exit(&sq->inbound->isaf_lock); 2748 mutex_exit(&sq->outbound->isaf_lock); 2749 2750 if (pair_spi == 0) { 2751 ASSERT(ipsapp->ipsap_bucket != NULL); 2752 ASSERT(ipsapp->ipsap_pbucket != NULL); 2753 return (0); 2754 } 2755 2756 /* found sa in outbound sadb, peer should be inbound */ 2757 2758 if (ipsapp->in_inbound_table) { 2759 /* Found SA in inbound table, pair will be in outbound. */ 2760 if (sq->af == AF_INET6) { 2761 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V6(sq->sp, 2762 *(uint32_t *)pair_srcaddr); 2763 } else { 2764 ipsapp->ipsap_pbucket = OUTBOUND_BUCKET_V4(sq->sp, 2765 *(uint32_t *)pair_srcaddr); 2766 } 2767 } else { 2768 ipsapp->ipsap_pbucket = INBOUND_BUCKET(sq->sp, pair_spi); 2769 } 2770 mutex_enter(&ipsapp->ipsap_pbucket->isaf_lock); 2771 ipsapp->ipsap_psa_ptr = ipsec_getassocbyspi(ipsapp->ipsap_pbucket, 2772 pair_spi, pair_dstaddr, pair_srcaddr, sq->af); 2773 mutex_exit(&ipsapp->ipsap_pbucket->isaf_lock); 2774 ASSERT(ipsapp->ipsap_bucket != NULL); 2775 ASSERT(ipsapp->ipsap_pbucket != NULL); 2776 return (0); 2777 } 2778 2779 /* 2780 * Perform NAT-traversal cached checksum offset calculations here. 2781 */ 2782 static void 2783 sadb_nat_calculations(ipsa_t *newbie, sadb_address_t *natt_loc_ext, 2784 sadb_address_t *natt_rem_ext, uint32_t *src_addr_ptr, 2785 uint32_t *dst_addr_ptr) 2786 { 2787 struct sockaddr_in *natt_loc, *natt_rem; 2788 uint32_t *natt_loc_ptr = NULL, *natt_rem_ptr = NULL; 2789 uint32_t running_sum = 0; 2790 2791 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16) 2792 2793 if (natt_rem_ext != NULL) { 2794 uint32_t l_src; 2795 uint32_t l_rem; 2796 2797 natt_rem = (struct sockaddr_in *)(natt_rem_ext + 1); 2798 2799 /* Ensured by sadb_addrfix(). */ 2800 ASSERT(natt_rem->sin_family == AF_INET); 2801 2802 natt_rem_ptr = (uint32_t *)(&natt_rem->sin_addr); 2803 newbie->ipsa_remote_nat_port = natt_rem->sin_port; 2804 l_src = *src_addr_ptr; 2805 l_rem = *natt_rem_ptr; 2806 2807 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */ 2808 newbie->ipsa_natt_addr_rem = *natt_rem_ptr; 2809 2810 l_src = ntohl(l_src); 2811 DOWN_SUM(l_src); 2812 DOWN_SUM(l_src); 2813 l_rem = ntohl(l_rem); 2814 DOWN_SUM(l_rem); 2815 DOWN_SUM(l_rem); 2816 2817 /* 2818 * We're 1's complement for checksums, so check for wraparound 2819 * here. 2820 */ 2821 if (l_rem > l_src) 2822 l_src--; 2823 2824 running_sum += l_src - l_rem; 2825 2826 DOWN_SUM(running_sum); 2827 DOWN_SUM(running_sum); 2828 } 2829 2830 if (natt_loc_ext != NULL) { 2831 natt_loc = (struct sockaddr_in *)(natt_loc_ext + 1); 2832 2833 /* Ensured by sadb_addrfix(). */ 2834 ASSERT(natt_loc->sin_family == AF_INET); 2835 2836 natt_loc_ptr = (uint32_t *)(&natt_loc->sin_addr); 2837 newbie->ipsa_local_nat_port = natt_loc->sin_port; 2838 2839 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */ 2840 newbie->ipsa_natt_addr_loc = *natt_loc_ptr; 2841 2842 /* 2843 * NAT-T port agility means we may have natt_loc_ext, but 2844 * only for a local-port change. 2845 */ 2846 if (natt_loc->sin_addr.s_addr != INADDR_ANY) { 2847 uint32_t l_dst = ntohl(*dst_addr_ptr); 2848 uint32_t l_loc = ntohl(*natt_loc_ptr); 2849 2850 DOWN_SUM(l_loc); 2851 DOWN_SUM(l_loc); 2852 DOWN_SUM(l_dst); 2853 DOWN_SUM(l_dst); 2854 2855 /* 2856 * We're 1's complement for checksums, so check for 2857 * wraparound here. 2858 */ 2859 if (l_loc > l_dst) 2860 l_dst--; 2861 2862 running_sum += l_dst - l_loc; 2863 DOWN_SUM(running_sum); 2864 DOWN_SUM(running_sum); 2865 } 2866 } 2867 2868 newbie->ipsa_inbound_cksum = running_sum; 2869 #undef DOWN_SUM 2870 } 2871 2872 /* 2873 * This function is called from consumers that need to insert a fully-grown 2874 * security association into its tables. This function takes into account that 2875 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary" 2876 * hash bucket parameters are set in order of what the SA will be most of the 2877 * time. (For example, an SA with an unspecified source, and a multicast 2878 * destination will primarily be an outbound SA. OTOH, if that destination 2879 * is unicast for this node, then the SA will primarily be inbound.) 2880 * 2881 * It takes a lot of parameters because even if clone is B_FALSE, this needs 2882 * to check both buckets for purposes of collision. 2883 * 2884 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for 2885 * various error conditions. We may need to set samsg->sadb_x_msg_diagnostic 2886 * with additional diagnostic information because there is at least one EINVAL 2887 * case here. 2888 */ 2889 int 2890 sadb_common_add(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg, 2891 keysock_in_t *ksi, isaf_t *primary, isaf_t *secondary, 2892 ipsa_t *newbie, boolean_t clone, boolean_t is_inbound, int *diagnostic, 2893 netstack_t *ns, sadbp_t *spp) 2894 { 2895 ipsa_t *newbie_clone = NULL, *scratch; 2896 ipsap_t ipsapp; 2897 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 2898 sadb_address_t *srcext = 2899 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC]; 2900 sadb_address_t *dstext = 2901 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 2902 sadb_address_t *isrcext = 2903 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC]; 2904 sadb_address_t *idstext = 2905 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_DST]; 2906 sadb_x_kmc_t *kmcext = 2907 (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; 2908 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 2909 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 2910 sadb_sens_t *sens = 2911 (sadb_sens_t *)ksi->ks_in_extv[SADB_EXT_SENSITIVITY]; 2912 sadb_sens_t *osens = 2913 (sadb_sens_t *)ksi->ks_in_extv[SADB_X_EXT_OUTER_SENS]; 2914 sadb_x_pair_t *pair_ext = 2915 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 2916 sadb_x_replay_ctr_t *replayext = 2917 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE]; 2918 uint8_t protocol = 2919 (samsg->sadb_msg_satype == SADB_SATYPE_AH) ? IPPROTO_AH:IPPROTO_ESP; 2920 int salt_offset; 2921 uint8_t *buf_ptr; 2922 struct sockaddr_in *src, *dst, *isrc, *idst; 2923 struct sockaddr_in6 *src6, *dst6, *isrc6, *idst6; 2924 sadb_lifetime_t *soft = 2925 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 2926 sadb_lifetime_t *hard = 2927 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 2928 sadb_lifetime_t *idle = 2929 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE]; 2930 sa_family_t af; 2931 int error = 0; 2932 boolean_t isupdate = (newbie != NULL); 2933 uint32_t *src_addr_ptr, *dst_addr_ptr, *isrc_addr_ptr, *idst_addr_ptr; 2934 ipsec_stack_t *ipss = ns->netstack_ipsec; 2935 ip_stack_t *ipst = ns->netstack_ip; 2936 ipsec_alginfo_t *alg; 2937 int rcode; 2938 boolean_t async = B_FALSE; 2939 2940 init_ipsa_pair(&ipsapp); 2941 2942 if (srcext == NULL) { 2943 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 2944 return (EINVAL); 2945 } 2946 if (dstext == NULL) { 2947 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 2948 return (EINVAL); 2949 } 2950 if (assoc == NULL) { 2951 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA; 2952 return (EINVAL); 2953 } 2954 2955 src = (struct sockaddr_in *)(srcext + 1); 2956 src6 = (struct sockaddr_in6 *)(srcext + 1); 2957 dst = (struct sockaddr_in *)(dstext + 1); 2958 dst6 = (struct sockaddr_in6 *)(dstext + 1); 2959 if (isrcext != NULL) { 2960 isrc = (struct sockaddr_in *)(isrcext + 1); 2961 isrc6 = (struct sockaddr_in6 *)(isrcext + 1); 2962 ASSERT(idstext != NULL); 2963 idst = (struct sockaddr_in *)(idstext + 1); 2964 idst6 = (struct sockaddr_in6 *)(idstext + 1); 2965 } else { 2966 isrc = NULL; 2967 isrc6 = NULL; 2968 } 2969 2970 af = src->sin_family; 2971 2972 if (af == AF_INET) { 2973 src_addr_ptr = (uint32_t *)&src->sin_addr; 2974 dst_addr_ptr = (uint32_t *)&dst->sin_addr; 2975 } else { 2976 ASSERT(af == AF_INET6); 2977 src_addr_ptr = (uint32_t *)&src6->sin6_addr; 2978 dst_addr_ptr = (uint32_t *)&dst6->sin6_addr; 2979 } 2980 2981 if (!isupdate && (clone == B_TRUE || is_inbound == B_TRUE) && 2982 cl_inet_checkspi && 2983 (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) { 2984 rcode = cl_inet_checkspi(ns->netstack_stackid, protocol, 2985 assoc->sadb_sa_spi, NULL); 2986 if (rcode == -1) { 2987 return (EEXIST); 2988 } 2989 } 2990 2991 /* 2992 * Check to see if the new SA will be cloned AND paired. The 2993 * reason a SA will be cloned is the source or destination addresses 2994 * are not specific enough to determine if the SA goes in the outbound 2995 * or the inbound hash table, so its cloned and put in both. If 2996 * the SA is paired, it's soft linked to another SA for the other 2997 * direction. Keeping track and looking up SA's that are direction 2998 * unspecific and linked is too hard. 2999 */ 3000 if (clone && (pair_ext != NULL)) { 3001 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 3002 return (EINVAL); 3003 } 3004 3005 if (!isupdate) { 3006 newbie = sadb_makelarvalassoc(assoc->sadb_sa_spi, 3007 src_addr_ptr, dst_addr_ptr, af, ns); 3008 if (newbie == NULL) 3009 return (ENOMEM); 3010 } 3011 3012 mutex_enter(&newbie->ipsa_lock); 3013 3014 if (isrc != NULL) { 3015 if (isrc->sin_family == AF_INET) { 3016 if (srcext->sadb_address_proto != IPPROTO_ENCAP) { 3017 if (srcext->sadb_address_proto != 0) { 3018 /* 3019 * Mismatched outer-packet protocol 3020 * and inner-packet address family. 3021 */ 3022 mutex_exit(&newbie->ipsa_lock); 3023 error = EPROTOTYPE; 3024 *diagnostic = 3025 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 3026 goto error; 3027 } else { 3028 /* Fill in with explicit protocol. */ 3029 srcext->sadb_address_proto = 3030 IPPROTO_ENCAP; 3031 dstext->sadb_address_proto = 3032 IPPROTO_ENCAP; 3033 } 3034 } 3035 isrc_addr_ptr = (uint32_t *)&isrc->sin_addr; 3036 idst_addr_ptr = (uint32_t *)&idst->sin_addr; 3037 } else { 3038 ASSERT(isrc->sin_family == AF_INET6); 3039 if (srcext->sadb_address_proto != IPPROTO_IPV6) { 3040 if (srcext->sadb_address_proto != 0) { 3041 /* 3042 * Mismatched outer-packet protocol 3043 * and inner-packet address family. 3044 */ 3045 mutex_exit(&newbie->ipsa_lock); 3046 error = EPROTOTYPE; 3047 *diagnostic = 3048 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 3049 goto error; 3050 } else { 3051 /* Fill in with explicit protocol. */ 3052 srcext->sadb_address_proto = 3053 IPPROTO_IPV6; 3054 dstext->sadb_address_proto = 3055 IPPROTO_IPV6; 3056 } 3057 } 3058 isrc_addr_ptr = (uint32_t *)&isrc6->sin6_addr; 3059 idst_addr_ptr = (uint32_t *)&idst6->sin6_addr; 3060 } 3061 newbie->ipsa_innerfam = isrc->sin_family; 3062 3063 IPSA_COPY_ADDR(newbie->ipsa_innersrc, isrc_addr_ptr, 3064 newbie->ipsa_innerfam); 3065 IPSA_COPY_ADDR(newbie->ipsa_innerdst, idst_addr_ptr, 3066 newbie->ipsa_innerfam); 3067 newbie->ipsa_innersrcpfx = isrcext->sadb_address_prefixlen; 3068 newbie->ipsa_innerdstpfx = idstext->sadb_address_prefixlen; 3069 3070 /* Unique value uses inner-ports for Tunnel Mode... */ 3071 newbie->ipsa_unique_id = SA_UNIQUE_ID(isrc->sin_port, 3072 idst->sin_port, dstext->sadb_address_proto, 3073 idstext->sadb_address_proto); 3074 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(isrc->sin_port, 3075 idst->sin_port, dstext->sadb_address_proto, 3076 idstext->sadb_address_proto); 3077 } else { 3078 /* ... and outer-ports for Transport Mode. */ 3079 newbie->ipsa_unique_id = SA_UNIQUE_ID(src->sin_port, 3080 dst->sin_port, dstext->sadb_address_proto, 0); 3081 newbie->ipsa_unique_mask = SA_UNIQUE_MASK(src->sin_port, 3082 dst->sin_port, dstext->sadb_address_proto, 0); 3083 } 3084 if (newbie->ipsa_unique_mask != (uint64_t)0) 3085 newbie->ipsa_flags |= IPSA_F_UNIQUE; 3086 3087 sadb_nat_calculations(newbie, 3088 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC], 3089 (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM], 3090 src_addr_ptr, dst_addr_ptr); 3091 3092 newbie->ipsa_type = samsg->sadb_msg_satype; 3093 3094 ASSERT((assoc->sadb_sa_state == SADB_SASTATE_MATURE) || 3095 (assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE)); 3096 newbie->ipsa_auth_alg = assoc->sadb_sa_auth; 3097 newbie->ipsa_encr_alg = assoc->sadb_sa_encrypt; 3098 3099 newbie->ipsa_flags |= assoc->sadb_sa_flags; 3100 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_LOC && 3101 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC] == NULL) { 3102 mutex_exit(&newbie->ipsa_lock); 3103 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_LOC; 3104 error = EINVAL; 3105 goto error; 3106 } 3107 if (newbie->ipsa_flags & SADB_X_SAFLAGS_NATT_REM && 3108 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM] == NULL) { 3109 mutex_exit(&newbie->ipsa_lock); 3110 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_REM; 3111 error = EINVAL; 3112 goto error; 3113 } 3114 if (newbie->ipsa_flags & SADB_X_SAFLAGS_TUNNEL && 3115 ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC] == NULL) { 3116 mutex_exit(&newbie->ipsa_lock); 3117 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC; 3118 error = EINVAL; 3119 goto error; 3120 } 3121 /* 3122 * If unspecified source address, force replay_wsize to 0. 3123 * This is because an SA that has multiple sources of secure 3124 * traffic cannot enforce a replay counter w/o synchronizing the 3125 * senders. 3126 */ 3127 if (ksi->ks_in_srctype != KS_IN_ADDR_UNSPEC) 3128 newbie->ipsa_replay_wsize = assoc->sadb_sa_replay; 3129 else 3130 newbie->ipsa_replay_wsize = 0; 3131 3132 newbie->ipsa_addtime = gethrestime_sec(); 3133 3134 if (kmcext != NULL) { 3135 newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto; 3136 newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie; 3137 } 3138 3139 /* 3140 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE. 3141 * The spec says that one can update current lifetimes, but 3142 * that seems impractical, especially in the larval-to-mature 3143 * update that this function performs. 3144 */ 3145 if (soft != NULL) { 3146 newbie->ipsa_softaddlt = soft->sadb_lifetime_addtime; 3147 newbie->ipsa_softuselt = soft->sadb_lifetime_usetime; 3148 newbie->ipsa_softbyteslt = soft->sadb_lifetime_bytes; 3149 newbie->ipsa_softalloc = soft->sadb_lifetime_allocations; 3150 SET_EXPIRE(newbie, softaddlt, softexpiretime); 3151 } 3152 if (hard != NULL) { 3153 newbie->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 3154 newbie->ipsa_harduselt = hard->sadb_lifetime_usetime; 3155 newbie->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 3156 newbie->ipsa_hardalloc = hard->sadb_lifetime_allocations; 3157 SET_EXPIRE(newbie, hardaddlt, hardexpiretime); 3158 } 3159 if (idle != NULL) { 3160 newbie->ipsa_idleaddlt = idle->sadb_lifetime_addtime; 3161 newbie->ipsa_idleuselt = idle->sadb_lifetime_usetime; 3162 newbie->ipsa_idleexpiretime = newbie->ipsa_addtime + 3163 newbie->ipsa_idleaddlt; 3164 newbie->ipsa_idletime = newbie->ipsa_idleaddlt; 3165 } 3166 3167 newbie->ipsa_authtmpl = NULL; 3168 newbie->ipsa_encrtmpl = NULL; 3169 3170 #ifdef IPSEC_LATENCY_TEST 3171 if (akey != NULL && newbie->ipsa_auth_alg != SADB_AALG_NONE) { 3172 #else 3173 if (akey != NULL) { 3174 #endif 3175 async = (ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] == 3176 IPSEC_ALGS_EXEC_ASYNC); 3177 3178 newbie->ipsa_authkeybits = akey->sadb_key_bits; 3179 newbie->ipsa_authkeylen = SADB_1TO8(akey->sadb_key_bits); 3180 /* In case we have to round up to the next byte... */ 3181 if ((akey->sadb_key_bits & 0x7) != 0) 3182 newbie->ipsa_authkeylen++; 3183 newbie->ipsa_authkey = kmem_alloc(newbie->ipsa_authkeylen, 3184 KM_NOSLEEP); 3185 if (newbie->ipsa_authkey == NULL) { 3186 error = ENOMEM; 3187 mutex_exit(&newbie->ipsa_lock); 3188 goto error; 3189 } 3190 bcopy(akey + 1, newbie->ipsa_authkey, newbie->ipsa_authkeylen); 3191 bzero(akey + 1, newbie->ipsa_authkeylen); 3192 3193 /* 3194 * Pre-initialize the kernel crypto framework key 3195 * structure. 3196 */ 3197 newbie->ipsa_kcfauthkey.ck_format = CRYPTO_KEY_RAW; 3198 newbie->ipsa_kcfauthkey.ck_length = newbie->ipsa_authkeybits; 3199 newbie->ipsa_kcfauthkey.ck_data = newbie->ipsa_authkey; 3200 3201 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 3202 alg = ipss->ipsec_alglists[IPSEC_ALG_AUTH] 3203 [newbie->ipsa_auth_alg]; 3204 if (alg != NULL && ALG_VALID(alg)) { 3205 newbie->ipsa_amech.cm_type = alg->alg_mech_type; 3206 newbie->ipsa_amech.cm_param = 3207 (char *)&newbie->ipsa_mac_len; 3208 newbie->ipsa_amech.cm_param_len = sizeof (size_t); 3209 newbie->ipsa_mac_len = (size_t)alg->alg_datalen; 3210 } else { 3211 newbie->ipsa_amech.cm_type = CRYPTO_MECHANISM_INVALID; 3212 } 3213 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_AUTH); 3214 rw_exit(&ipss->ipsec_alg_lock); 3215 if (error != 0) { 3216 mutex_exit(&newbie->ipsa_lock); 3217 /* 3218 * An error here indicates that alg is the wrong type 3219 * (IE: not authentication) or its not in the alg tables 3220 * created by ipsecalgs(1m), or Kcf does not like the 3221 * parameters passed in with this algorithm, which is 3222 * probably a coding error! 3223 */ 3224 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX; 3225 3226 goto error; 3227 } 3228 } 3229 3230 if (ekey != NULL) { 3231 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 3232 async = async || (ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] == 3233 IPSEC_ALGS_EXEC_ASYNC); 3234 alg = ipss->ipsec_alglists[IPSEC_ALG_ENCR] 3235 [newbie->ipsa_encr_alg]; 3236 3237 if (alg != NULL && ALG_VALID(alg)) { 3238 newbie->ipsa_emech.cm_type = alg->alg_mech_type; 3239 newbie->ipsa_datalen = alg->alg_datalen; 3240 if (alg->alg_flags & ALG_FLAG_COUNTERMODE) 3241 newbie->ipsa_flags |= IPSA_F_COUNTERMODE; 3242 3243 if (alg->alg_flags & ALG_FLAG_COMBINED) { 3244 newbie->ipsa_flags |= IPSA_F_COMBINED; 3245 newbie->ipsa_mac_len = alg->alg_icvlen; 3246 } 3247 3248 if (alg->alg_flags & ALG_FLAG_CCM) 3249 newbie->ipsa_noncefunc = ccm_params_init; 3250 else if (alg->alg_flags & ALG_FLAG_GCM) 3251 newbie->ipsa_noncefunc = gcm_params_init; 3252 else newbie->ipsa_noncefunc = cbc_params_init; 3253 3254 newbie->ipsa_saltlen = alg->alg_saltlen; 3255 newbie->ipsa_saltbits = SADB_8TO1(newbie->ipsa_saltlen); 3256 newbie->ipsa_iv_len = alg->alg_ivlen; 3257 newbie->ipsa_nonce_len = newbie->ipsa_saltlen + 3258 newbie->ipsa_iv_len; 3259 newbie->ipsa_emech.cm_param = NULL; 3260 newbie->ipsa_emech.cm_param_len = 0; 3261 } else { 3262 newbie->ipsa_emech.cm_type = CRYPTO_MECHANISM_INVALID; 3263 } 3264 rw_exit(&ipss->ipsec_alg_lock); 3265 3266 /* 3267 * The byte stream following the sadb_key_t is made up of: 3268 * key bytes, [salt bytes], [IV initial value] 3269 * All of these have variable length. The IV is typically 3270 * randomly generated by this function and not passed in. 3271 * By supporting the injection of a known IV, the whole 3272 * IPsec subsystem and the underlying crypto subsystem 3273 * can be tested with known test vectors. 3274 * 3275 * The keying material has been checked by ext_check() 3276 * and ipsec_valid_key_size(), after removing salt/IV 3277 * bits, whats left is the encryption key. If this is too 3278 * short, ipsec_create_ctx_tmpl() will fail and the SA 3279 * won't get created. 3280 * 3281 * set ipsa_encrkeylen to length of key only. 3282 */ 3283 newbie->ipsa_encrkeybits = ekey->sadb_key_bits; 3284 newbie->ipsa_encrkeybits -= ekey->sadb_key_reserved; 3285 newbie->ipsa_encrkeybits -= newbie->ipsa_saltbits; 3286 newbie->ipsa_encrkeylen = SADB_1TO8(newbie->ipsa_encrkeybits); 3287 3288 /* In case we have to round up to the next byte... */ 3289 if ((ekey->sadb_key_bits & 0x7) != 0) 3290 newbie->ipsa_encrkeylen++; 3291 3292 newbie->ipsa_encrkey = kmem_alloc(newbie->ipsa_encrkeylen, 3293 KM_NOSLEEP); 3294 if (newbie->ipsa_encrkey == NULL) { 3295 error = ENOMEM; 3296 mutex_exit(&newbie->ipsa_lock); 3297 goto error; 3298 } 3299 3300 buf_ptr = (uint8_t *)(ekey + 1); 3301 bcopy(buf_ptr, newbie->ipsa_encrkey, newbie->ipsa_encrkeylen); 3302 3303 if (newbie->ipsa_flags & IPSA_F_COMBINED) { 3304 /* 3305 * Combined mode algs need a nonce. Copy the salt and 3306 * IV into a buffer. The ipsa_nonce is a pointer into 3307 * this buffer, some bytes at the start of the buffer 3308 * may be unused, depends on the salt length. The IV 3309 * is 64 bit aligned so it can be incremented as a 3310 * uint64_t. Zero out key in samsg_t before freeing. 3311 */ 3312 3313 newbie->ipsa_nonce_buf = kmem_alloc( 3314 sizeof (ipsec_nonce_t), KM_NOSLEEP); 3315 if (newbie->ipsa_nonce_buf == NULL) { 3316 error = ENOMEM; 3317 mutex_exit(&newbie->ipsa_lock); 3318 goto error; 3319 } 3320 /* 3321 * Initialize nonce and salt pointers to point 3322 * to the nonce buffer. This is just in case we get 3323 * bad data, the pointers will be valid, the data 3324 * won't be. 3325 * 3326 * See sadb.h for layout of nonce. 3327 */ 3328 newbie->ipsa_iv = &newbie->ipsa_nonce_buf->iv; 3329 newbie->ipsa_salt = (uint8_t *)newbie->ipsa_nonce_buf; 3330 newbie->ipsa_nonce = newbie->ipsa_salt; 3331 if (newbie->ipsa_saltlen != 0) { 3332 salt_offset = MAXSALTSIZE - 3333 newbie->ipsa_saltlen; 3334 newbie->ipsa_salt = (uint8_t *) 3335 &newbie->ipsa_nonce_buf->salt[salt_offset]; 3336 newbie->ipsa_nonce = newbie->ipsa_salt; 3337 buf_ptr += newbie->ipsa_encrkeylen; 3338 bcopy(buf_ptr, newbie->ipsa_salt, 3339 newbie->ipsa_saltlen); 3340 } 3341 /* 3342 * The IV for CCM/GCM mode increments, it should not 3343 * repeat. Get a random value for the IV, make a 3344 * copy, the SA will expire when/if the IV ever 3345 * wraps back to the initial value. If an Initial IV 3346 * is passed in via PF_KEY, save this in the SA. 3347 * Initialising IV for inbound is pointless as its 3348 * taken from the inbound packet. 3349 */ 3350 if (!is_inbound) { 3351 if (ekey->sadb_key_reserved != 0) { 3352 buf_ptr += newbie->ipsa_saltlen; 3353 bcopy(buf_ptr, (uint8_t *)newbie-> 3354 ipsa_iv, SADB_1TO8(ekey-> 3355 sadb_key_reserved)); 3356 } else { 3357 (void) random_get_pseudo_bytes( 3358 (uint8_t *)newbie->ipsa_iv, 3359 newbie->ipsa_iv_len); 3360 } 3361 newbie->ipsa_iv_softexpire = 3362 (*newbie->ipsa_iv) << 9; 3363 newbie->ipsa_iv_hardexpire = *newbie->ipsa_iv; 3364 } 3365 } 3366 bzero((ekey + 1), SADB_1TO8(ekey->sadb_key_bits)); 3367 3368 /* 3369 * Pre-initialize the kernel crypto framework key 3370 * structure. 3371 */ 3372 newbie->ipsa_kcfencrkey.ck_format = CRYPTO_KEY_RAW; 3373 newbie->ipsa_kcfencrkey.ck_length = newbie->ipsa_encrkeybits; 3374 newbie->ipsa_kcfencrkey.ck_data = newbie->ipsa_encrkey; 3375 3376 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 3377 error = ipsec_create_ctx_tmpl(newbie, IPSEC_ALG_ENCR); 3378 rw_exit(&ipss->ipsec_alg_lock); 3379 if (error != 0) { 3380 mutex_exit(&newbie->ipsa_lock); 3381 /* See above for error explanation. */ 3382 *diagnostic = SADB_X_DIAGNOSTIC_BAD_CTX; 3383 goto error; 3384 } 3385 } 3386 3387 if (async) 3388 newbie->ipsa_flags |= IPSA_F_ASYNC; 3389 3390 /* 3391 * Ptrs to processing functions. 3392 */ 3393 if (newbie->ipsa_type == SADB_SATYPE_ESP) 3394 ipsecesp_init_funcs(newbie); 3395 else 3396 ipsecah_init_funcs(newbie); 3397 ASSERT(newbie->ipsa_output_func != NULL && 3398 newbie->ipsa_input_func != NULL); 3399 3400 /* 3401 * Certificate ID stuff. 3402 */ 3403 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC] != NULL) { 3404 sadb_ident_t *id = 3405 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_SRC]; 3406 3407 /* 3408 * Can assume strlen() will return okay because ext_check() in 3409 * keysock.c prepares the string for us. 3410 */ 3411 newbie->ipsa_src_cid = ipsid_lookup(id->sadb_ident_type, 3412 (char *)(id+1), ns); 3413 if (newbie->ipsa_src_cid == NULL) { 3414 error = ENOMEM; 3415 mutex_exit(&newbie->ipsa_lock); 3416 goto error; 3417 } 3418 } 3419 3420 if (ksi->ks_in_extv[SADB_EXT_IDENTITY_DST] != NULL) { 3421 sadb_ident_t *id = 3422 (sadb_ident_t *)ksi->ks_in_extv[SADB_EXT_IDENTITY_DST]; 3423 3424 /* 3425 * Can assume strlen() will return okay because ext_check() in 3426 * keysock.c prepares the string for us. 3427 */ 3428 newbie->ipsa_dst_cid = ipsid_lookup(id->sadb_ident_type, 3429 (char *)(id+1), ns); 3430 if (newbie->ipsa_dst_cid == NULL) { 3431 error = ENOMEM; 3432 mutex_exit(&newbie->ipsa_lock); 3433 goto error; 3434 } 3435 } 3436 3437 /* 3438 * sensitivity label handling code: 3439 * Convert sens + bitmap into cred_t, and associate it 3440 * with the new SA. 3441 */ 3442 if (sens != NULL) { 3443 uint64_t *bitmap = (uint64_t *)(sens + 1); 3444 3445 newbie->ipsa_tsl = sadb_label_from_sens(sens, bitmap); 3446 } 3447 3448 /* 3449 * Likewise for outer sensitivity. 3450 */ 3451 if (osens != NULL) { 3452 uint64_t *bitmap = (uint64_t *)(osens + 1); 3453 ts_label_t *tsl, *effective_tsl; 3454 uint32_t *peer_addr_ptr; 3455 zoneid_t zoneid = GLOBAL_ZONEID; 3456 zone_t *zone; 3457 3458 peer_addr_ptr = is_inbound ? src_addr_ptr : dst_addr_ptr; 3459 3460 tsl = sadb_label_from_sens(osens, bitmap); 3461 newbie->ipsa_mac_exempt = CONN_MAC_DEFAULT; 3462 3463 if (osens->sadb_x_sens_flags & SADB_X_SENS_IMPLICIT) { 3464 newbie->ipsa_mac_exempt = CONN_MAC_IMPLICIT; 3465 } 3466 3467 error = tsol_check_dest(tsl, peer_addr_ptr, 3468 (af == AF_INET6)?IPV6_VERSION:IPV4_VERSION, 3469 newbie->ipsa_mac_exempt, B_TRUE, &effective_tsl); 3470 if (error != 0) { 3471 label_rele(tsl); 3472 mutex_exit(&newbie->ipsa_lock); 3473 goto error; 3474 } 3475 3476 if (effective_tsl != NULL) { 3477 label_rele(tsl); 3478 tsl = effective_tsl; 3479 } 3480 3481 newbie->ipsa_otsl = tsl; 3482 3483 zone = zone_find_by_label(tsl); 3484 if (zone != NULL) { 3485 zoneid = zone->zone_id; 3486 zone_rele(zone); 3487 } 3488 /* 3489 * For exclusive stacks we set the zoneid to zero to operate 3490 * as if in the global zone for tsol_compute_label_v4/v6 3491 */ 3492 if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID) 3493 zoneid = GLOBAL_ZONEID; 3494 3495 if (af == AF_INET6) { 3496 error = tsol_compute_label_v6(tsl, zoneid, 3497 (in6_addr_t *)peer_addr_ptr, 3498 newbie->ipsa_opt_storage, ipst); 3499 } else { 3500 error = tsol_compute_label_v4(tsl, zoneid, 3501 *peer_addr_ptr, newbie->ipsa_opt_storage, ipst); 3502 } 3503 if (error != 0) { 3504 mutex_exit(&newbie->ipsa_lock); 3505 goto error; 3506 } 3507 } 3508 3509 3510 if (replayext != NULL) { 3511 if ((replayext->sadb_x_rc_replay32 == 0) && 3512 (replayext->sadb_x_rc_replay64 != 0)) { 3513 error = EOPNOTSUPP; 3514 *diagnostic = SADB_X_DIAGNOSTIC_INVALID_REPLAY; 3515 mutex_exit(&newbie->ipsa_lock); 3516 goto error; 3517 } 3518 newbie->ipsa_replay = replayext->sadb_x_rc_replay32; 3519 } 3520 3521 /* now that the SA has been updated, set its new state */ 3522 newbie->ipsa_state = assoc->sadb_sa_state; 3523 3524 if (clone) { 3525 newbie->ipsa_haspeer = B_TRUE; 3526 } else { 3527 if (!is_inbound) { 3528 lifetime_fuzz(newbie); 3529 } 3530 } 3531 /* 3532 * The less locks I hold when doing an insertion and possible cloning, 3533 * the better! 3534 */ 3535 mutex_exit(&newbie->ipsa_lock); 3536 3537 if (clone) { 3538 newbie_clone = sadb_cloneassoc(newbie); 3539 3540 if (newbie_clone == NULL) { 3541 error = ENOMEM; 3542 goto error; 3543 } 3544 } 3545 3546 /* 3547 * Enter the bucket locks. The order of entry is outbound, 3548 * inbound. We map "primary" and "secondary" into outbound and inbound 3549 * based on the destination address type. If the destination address 3550 * type is for a node that isn't mine (or potentially mine), the 3551 * "primary" bucket is the outbound one. 3552 */ 3553 if (!is_inbound) { 3554 /* primary == outbound */ 3555 mutex_enter(&primary->isaf_lock); 3556 mutex_enter(&secondary->isaf_lock); 3557 } else { 3558 /* primary == inbound */ 3559 mutex_enter(&secondary->isaf_lock); 3560 mutex_enter(&primary->isaf_lock); 3561 } 3562 3563 /* 3564 * sadb_insertassoc() doesn't increment the reference 3565 * count. We therefore have to increment the 3566 * reference count one more time to reflect the 3567 * pointers of the table that reference this SA. 3568 */ 3569 IPSA_REFHOLD(newbie); 3570 3571 if (isupdate) { 3572 /* 3573 * Unlink from larval holding cell in the "inbound" fanout. 3574 */ 3575 ASSERT(newbie->ipsa_linklock == &primary->isaf_lock || 3576 newbie->ipsa_linklock == &secondary->isaf_lock); 3577 sadb_unlinkassoc(newbie); 3578 } 3579 3580 mutex_enter(&newbie->ipsa_lock); 3581 error = sadb_insertassoc(newbie, primary); 3582 mutex_exit(&newbie->ipsa_lock); 3583 3584 if (error != 0) { 3585 /* 3586 * Since sadb_insertassoc() failed, we must decrement the 3587 * refcount again so the cleanup code will actually free 3588 * the offending SA. 3589 */ 3590 IPSA_REFRELE(newbie); 3591 goto error_unlock; 3592 } 3593 3594 if (newbie_clone != NULL) { 3595 mutex_enter(&newbie_clone->ipsa_lock); 3596 error = sadb_insertassoc(newbie_clone, secondary); 3597 mutex_exit(&newbie_clone->ipsa_lock); 3598 if (error != 0) { 3599 /* Collision in secondary table. */ 3600 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 3601 goto error_unlock; 3602 } 3603 IPSA_REFHOLD(newbie_clone); 3604 } else { 3605 ASSERT(primary != secondary); 3606 scratch = ipsec_getassocbyspi(secondary, newbie->ipsa_spi, 3607 ALL_ZEROES_PTR, newbie->ipsa_dstaddr, af); 3608 if (scratch != NULL) { 3609 /* Collision in secondary table. */ 3610 sadb_unlinkassoc(newbie); /* This does REFRELE. */ 3611 /* Set the error, since ipsec_getassocbyspi() can't. */ 3612 error = EEXIST; 3613 goto error_unlock; 3614 } 3615 } 3616 3617 /* OKAY! So let's do some reality check assertions. */ 3618 3619 ASSERT(MUTEX_NOT_HELD(&newbie->ipsa_lock)); 3620 ASSERT(newbie_clone == NULL || 3621 (MUTEX_NOT_HELD(&newbie_clone->ipsa_lock))); 3622 3623 error_unlock: 3624 3625 /* 3626 * We can exit the locks in any order. Only entrance needs to 3627 * follow any protocol. 3628 */ 3629 mutex_exit(&secondary->isaf_lock); 3630 mutex_exit(&primary->isaf_lock); 3631 3632 if (pair_ext != NULL && error == 0) { 3633 /* update pair_spi if it exists. */ 3634 ipsa_query_t sq; 3635 3636 sq.spp = spp; /* XXX param */ 3637 error = sadb_form_query(ksi, IPSA_Q_DST, IPSA_Q_SRC|IPSA_Q_DST| 3638 IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, &sq, diagnostic); 3639 if (error) 3640 return (error); 3641 3642 error = get_ipsa_pair(&sq, &ipsapp, diagnostic); 3643 3644 if (error != 0) 3645 goto error; 3646 3647 if (ipsapp.ipsap_psa_ptr != NULL) { 3648 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY; 3649 error = EINVAL; 3650 } else { 3651 /* update_pairing() sets diagnostic */ 3652 error = update_pairing(&ipsapp, &sq, ksi, diagnostic); 3653 } 3654 } 3655 /* Common error point for this routine. */ 3656 error: 3657 if (newbie != NULL) { 3658 if (error != 0) { 3659 /* This SA is broken, let the reaper clean up. */ 3660 mutex_enter(&newbie->ipsa_lock); 3661 newbie->ipsa_state = IPSA_STATE_DEAD; 3662 newbie->ipsa_hardexpiretime = 1; 3663 mutex_exit(&newbie->ipsa_lock); 3664 } 3665 IPSA_REFRELE(newbie); 3666 } 3667 if (newbie_clone != NULL) { 3668 IPSA_REFRELE(newbie_clone); 3669 } 3670 3671 if (error == 0) { 3672 /* 3673 * Construct favorable PF_KEY return message and send to 3674 * keysock. Update the flags in the original keysock message 3675 * to reflect the actual flags in the new SA. 3676 * (Q: Do I need to pass "newbie"? If I do, 3677 * make sure to REFHOLD, call, then REFRELE.) 3678 */ 3679 assoc->sadb_sa_flags = newbie->ipsa_flags; 3680 sadb_pfkey_echo(pfkey_q, mp, samsg, ksi, NULL); 3681 } 3682 3683 destroy_ipsa_pair(&ipsapp); 3684 return (error); 3685 } 3686 3687 /* 3688 * Set the time of first use for a security association. Update any 3689 * expiration times as a result. 3690 */ 3691 void 3692 sadb_set_usetime(ipsa_t *assoc) 3693 { 3694 time_t snapshot = gethrestime_sec(); 3695 3696 mutex_enter(&assoc->ipsa_lock); 3697 assoc->ipsa_lastuse = snapshot; 3698 assoc->ipsa_idleexpiretime = snapshot + assoc->ipsa_idletime; 3699 3700 /* 3701 * Caller does check usetime before calling me usually, and 3702 * double-checking is better than a mutex_enter/exit hit. 3703 */ 3704 if (assoc->ipsa_usetime == 0) { 3705 /* 3706 * This is redundant for outbound SA's, as 3707 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already. 3708 * Inbound SAs, however, have no such protection. 3709 */ 3710 assoc->ipsa_flags |= IPSA_F_USED; 3711 assoc->ipsa_usetime = snapshot; 3712 3713 /* 3714 * After setting the use time, see if we have a use lifetime 3715 * that would cause the actual SA expiration time to shorten. 3716 */ 3717 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 3718 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 3719 } 3720 mutex_exit(&assoc->ipsa_lock); 3721 } 3722 3723 /* 3724 * Send up a PF_KEY expire message for this association. 3725 */ 3726 static void 3727 sadb_expire_assoc(queue_t *pfkey_q, ipsa_t *assoc) 3728 { 3729 mblk_t *mp, *mp1; 3730 int alloclen, af; 3731 sadb_msg_t *samsg; 3732 sadb_lifetime_t *current, *expire; 3733 sadb_sa_t *saext; 3734 uint8_t *end; 3735 boolean_t tunnel_mode; 3736 3737 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 3738 3739 /* Don't bother sending if there's no queue. */ 3740 if (pfkey_q == NULL) 3741 return; 3742 3743 mp = sadb_keysock_out(0); 3744 if (mp == NULL) { 3745 /* cmn_err(CE_WARN, */ 3746 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */ 3747 return; 3748 } 3749 3750 alloclen = sizeof (*samsg) + sizeof (*current) + sizeof (*expire) + 3751 2 * sizeof (sadb_address_t) + sizeof (*saext); 3752 3753 af = assoc->ipsa_addrfam; 3754 switch (af) { 3755 case AF_INET: 3756 alloclen += 2 * sizeof (struct sockaddr_in); 3757 break; 3758 case AF_INET6: 3759 alloclen += 2 * sizeof (struct sockaddr_in6); 3760 break; 3761 default: 3762 /* Won't happen unless there's a kernel bug. */ 3763 freeb(mp); 3764 cmn_err(CE_WARN, 3765 "sadb_expire_assoc: Unknown address length.\n"); 3766 return; 3767 } 3768 3769 tunnel_mode = (assoc->ipsa_flags & IPSA_F_TUNNEL); 3770 if (tunnel_mode) { 3771 alloclen += 2 * sizeof (sadb_address_t); 3772 switch (assoc->ipsa_innerfam) { 3773 case AF_INET: 3774 alloclen += 2 * sizeof (struct sockaddr_in); 3775 break; 3776 case AF_INET6: 3777 alloclen += 2 * sizeof (struct sockaddr_in6); 3778 break; 3779 default: 3780 /* Won't happen unless there's a kernel bug. */ 3781 freeb(mp); 3782 cmn_err(CE_WARN, "sadb_expire_assoc: " 3783 "Unknown inner address length.\n"); 3784 return; 3785 } 3786 } 3787 3788 mp->b_cont = allocb(alloclen, BPRI_HI); 3789 if (mp->b_cont == NULL) { 3790 freeb(mp); 3791 /* cmn_err(CE_WARN, */ 3792 /* "sadb_expire_assoc: Can't allocate message.\n"); */ 3793 return; 3794 } 3795 3796 mp1 = mp; 3797 mp = mp->b_cont; 3798 end = mp->b_wptr + alloclen; 3799 3800 samsg = (sadb_msg_t *)mp->b_wptr; 3801 mp->b_wptr += sizeof (*samsg); 3802 samsg->sadb_msg_version = PF_KEY_V2; 3803 samsg->sadb_msg_type = SADB_EXPIRE; 3804 samsg->sadb_msg_errno = 0; 3805 samsg->sadb_msg_satype = assoc->ipsa_type; 3806 samsg->sadb_msg_len = SADB_8TO64(alloclen); 3807 samsg->sadb_msg_reserved = 0; 3808 samsg->sadb_msg_seq = 0; 3809 samsg->sadb_msg_pid = 0; 3810 3811 saext = (sadb_sa_t *)mp->b_wptr; 3812 mp->b_wptr += sizeof (*saext); 3813 saext->sadb_sa_len = SADB_8TO64(sizeof (*saext)); 3814 saext->sadb_sa_exttype = SADB_EXT_SA; 3815 saext->sadb_sa_spi = assoc->ipsa_spi; 3816 saext->sadb_sa_replay = assoc->ipsa_replay_wsize; 3817 saext->sadb_sa_state = assoc->ipsa_state; 3818 saext->sadb_sa_auth = assoc->ipsa_auth_alg; 3819 saext->sadb_sa_encrypt = assoc->ipsa_encr_alg; 3820 saext->sadb_sa_flags = assoc->ipsa_flags; 3821 3822 current = (sadb_lifetime_t *)mp->b_wptr; 3823 mp->b_wptr += sizeof (sadb_lifetime_t); 3824 current->sadb_lifetime_len = SADB_8TO64(sizeof (*current)); 3825 current->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; 3826 /* We do not support the concept. */ 3827 current->sadb_lifetime_allocations = 0; 3828 current->sadb_lifetime_bytes = assoc->ipsa_bytes; 3829 current->sadb_lifetime_addtime = assoc->ipsa_addtime; 3830 current->sadb_lifetime_usetime = assoc->ipsa_usetime; 3831 3832 expire = (sadb_lifetime_t *)mp->b_wptr; 3833 mp->b_wptr += sizeof (*expire); 3834 expire->sadb_lifetime_len = SADB_8TO64(sizeof (*expire)); 3835 3836 if (assoc->ipsa_state == IPSA_STATE_DEAD) { 3837 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 3838 expire->sadb_lifetime_allocations = assoc->ipsa_hardalloc; 3839 expire->sadb_lifetime_bytes = assoc->ipsa_hardbyteslt; 3840 expire->sadb_lifetime_addtime = assoc->ipsa_hardaddlt; 3841 expire->sadb_lifetime_usetime = assoc->ipsa_harduselt; 3842 } else if (assoc->ipsa_state == IPSA_STATE_DYING) { 3843 expire->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 3844 expire->sadb_lifetime_allocations = assoc->ipsa_softalloc; 3845 expire->sadb_lifetime_bytes = assoc->ipsa_softbyteslt; 3846 expire->sadb_lifetime_addtime = assoc->ipsa_softaddlt; 3847 expire->sadb_lifetime_usetime = assoc->ipsa_softuselt; 3848 } else { 3849 ASSERT(assoc->ipsa_state == IPSA_STATE_MATURE); 3850 expire->sadb_lifetime_exttype = SADB_X_EXT_LIFETIME_IDLE; 3851 expire->sadb_lifetime_allocations = 0; 3852 expire->sadb_lifetime_bytes = 0; 3853 expire->sadb_lifetime_addtime = assoc->ipsa_idleaddlt; 3854 expire->sadb_lifetime_usetime = assoc->ipsa_idleuselt; 3855 } 3856 3857 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_SRC, 3858 af, assoc->ipsa_srcaddr, tunnel_mode ? 0 : SA_SRCPORT(assoc), 3859 SA_PROTO(assoc), 0); 3860 ASSERT(mp->b_wptr != NULL); 3861 3862 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, SADB_EXT_ADDRESS_DST, 3863 af, assoc->ipsa_dstaddr, tunnel_mode ? 0 : SA_DSTPORT(assoc), 3864 SA_PROTO(assoc), 0); 3865 ASSERT(mp->b_wptr != NULL); 3866 3867 if (tunnel_mode) { 3868 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, 3869 SADB_X_EXT_ADDRESS_INNER_SRC, assoc->ipsa_innerfam, 3870 assoc->ipsa_innersrc, SA_SRCPORT(assoc), SA_IPROTO(assoc), 3871 assoc->ipsa_innersrcpfx); 3872 ASSERT(mp->b_wptr != NULL); 3873 mp->b_wptr = sadb_make_addr_ext(mp->b_wptr, end, 3874 SADB_X_EXT_ADDRESS_INNER_DST, assoc->ipsa_innerfam, 3875 assoc->ipsa_innerdst, SA_DSTPORT(assoc), SA_IPROTO(assoc), 3876 assoc->ipsa_innerdstpfx); 3877 ASSERT(mp->b_wptr != NULL); 3878 } 3879 3880 /* Can just putnext, we're ready to go! */ 3881 putnext(pfkey_q, mp1); 3882 } 3883 3884 /* 3885 * "Age" the SA with the number of bytes that was used to protect traffic. 3886 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was 3887 * enough "charge" left in the SA to protect the data. Return B_FALSE 3888 * otherwise. (If B_FALSE is returned, the association either was, or became 3889 * DEAD.) 3890 */ 3891 boolean_t 3892 sadb_age_bytes(queue_t *pfkey_q, ipsa_t *assoc, uint64_t bytes, 3893 boolean_t sendmsg) 3894 { 3895 boolean_t rc = B_TRUE; 3896 uint64_t newtotal; 3897 3898 mutex_enter(&assoc->ipsa_lock); 3899 newtotal = assoc->ipsa_bytes + bytes; 3900 if (assoc->ipsa_hardbyteslt != 0 && 3901 newtotal >= assoc->ipsa_hardbyteslt) { 3902 if (assoc->ipsa_state != IPSA_STATE_DEAD) { 3903 sadb_delete_cluster(assoc); 3904 /* 3905 * Send EXPIRE message to PF_KEY. May wish to pawn 3906 * this off on another non-interrupt thread. Also 3907 * unlink this SA immediately. 3908 */ 3909 assoc->ipsa_state = IPSA_STATE_DEAD; 3910 if (sendmsg) 3911 sadb_expire_assoc(pfkey_q, assoc); 3912 /* 3913 * Set non-zero expiration time so sadb_age_assoc() 3914 * will work when reaping. 3915 */ 3916 assoc->ipsa_hardexpiretime = (time_t)1; 3917 } /* Else someone beat me to it! */ 3918 rc = B_FALSE; 3919 } else if (assoc->ipsa_softbyteslt != 0 && 3920 (newtotal >= assoc->ipsa_softbyteslt)) { 3921 if (assoc->ipsa_state < IPSA_STATE_DYING) { 3922 /* 3923 * Send EXPIRE message to PF_KEY. May wish to pawn 3924 * this off on another non-interrupt thread. 3925 */ 3926 assoc->ipsa_state = IPSA_STATE_DYING; 3927 assoc->ipsa_bytes = newtotal; 3928 if (sendmsg) 3929 sadb_expire_assoc(pfkey_q, assoc); 3930 } /* Else someone beat me to it! */ 3931 } 3932 if (rc == B_TRUE) 3933 assoc->ipsa_bytes = newtotal; 3934 mutex_exit(&assoc->ipsa_lock); 3935 return (rc); 3936 } 3937 3938 /* 3939 * "Torch" an individual SA. Returns NULL, so it can be tail-called from 3940 * sadb_age_assoc(). 3941 */ 3942 static ipsa_t * 3943 sadb_torch_assoc(isaf_t *head, ipsa_t *sa) 3944 { 3945 ASSERT(MUTEX_HELD(&head->isaf_lock)); 3946 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 3947 ASSERT(sa->ipsa_state == IPSA_STATE_DEAD); 3948 3949 /* 3950 * Force cached SAs to be revalidated.. 3951 */ 3952 head->isaf_gen++; 3953 3954 mutex_exit(&sa->ipsa_lock); 3955 sadb_unlinkassoc(sa); 3956 3957 return (NULL); 3958 } 3959 3960 /* 3961 * Do various SA-is-idle activities depending on delta (the number of idle 3962 * seconds on the SA) and/or other properties of the SA. 3963 * 3964 * Return B_TRUE if I've sent a packet, because I have to drop the 3965 * association's mutex before sending a packet out the wire. 3966 */ 3967 /* ARGSUSED */ 3968 static boolean_t 3969 sadb_idle_activities(ipsa_t *assoc, time_t delta, boolean_t inbound) 3970 { 3971 ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp; 3972 int nat_t_interval = espstack->ipsecesp_nat_keepalive_interval; 3973 3974 ASSERT(MUTEX_HELD(&assoc->ipsa_lock)); 3975 3976 if (!inbound && (assoc->ipsa_flags & IPSA_F_NATT_LOC) && 3977 delta >= nat_t_interval && 3978 gethrestime_sec() - assoc->ipsa_last_nat_t_ka >= nat_t_interval) { 3979 ASSERT(assoc->ipsa_type == SADB_SATYPE_ESP); 3980 assoc->ipsa_last_nat_t_ka = gethrestime_sec(); 3981 mutex_exit(&assoc->ipsa_lock); 3982 ipsecesp_send_keepalive(assoc); 3983 return (B_TRUE); 3984 } 3985 return (B_FALSE); 3986 } 3987 3988 /* 3989 * Return "assoc" if haspeer is true and I send an expire. This allows 3990 * the consumers' aging functions to tidy up an expired SA's peer. 3991 */ 3992 static ipsa_t * 3993 sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc, 3994 time_t current, int reap_delay, boolean_t inbound) 3995 { 3996 ipsa_t *retval = NULL; 3997 boolean_t dropped_mutex = B_FALSE; 3998 3999 ASSERT(MUTEX_HELD(&head->isaf_lock)); 4000 4001 mutex_enter(&assoc->ipsa_lock); 4002 4003 if (((assoc->ipsa_state == IPSA_STATE_LARVAL) || 4004 ((assoc->ipsa_state == IPSA_STATE_IDLE) || 4005 (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) && 4006 (assoc->ipsa_hardexpiretime != 0))) && 4007 (assoc->ipsa_hardexpiretime <= current)) { 4008 assoc->ipsa_state = IPSA_STATE_DEAD; 4009 return (sadb_torch_assoc(head, assoc)); 4010 } 4011 4012 /* 4013 * Check lifetimes. Fortunately, SA setup is done 4014 * such that there are only two times to look at, 4015 * softexpiretime, and hardexpiretime. 4016 * 4017 * Check hard first. 4018 */ 4019 4020 if (assoc->ipsa_hardexpiretime != 0 && 4021 assoc->ipsa_hardexpiretime <= current) { 4022 if (assoc->ipsa_state == IPSA_STATE_DEAD) 4023 return (sadb_torch_assoc(head, assoc)); 4024 4025 if (inbound) { 4026 sadb_delete_cluster(assoc); 4027 } 4028 4029 /* 4030 * Send SADB_EXPIRE with hard lifetime, delay for unlinking. 4031 */ 4032 assoc->ipsa_state = IPSA_STATE_DEAD; 4033 if (assoc->ipsa_haspeer || assoc->ipsa_otherspi != 0) { 4034 /* 4035 * If the SA is paired or peered with another, put 4036 * a copy on a list which can be processed later, the 4037 * pair/peer SA needs to be updated so the both die 4038 * at the same time. 4039 * 4040 * If I return assoc, I have to bump up its reference 4041 * count to keep with the ipsa_t reference count 4042 * semantics. 4043 */ 4044 IPSA_REFHOLD(assoc); 4045 retval = assoc; 4046 } 4047 sadb_expire_assoc(pfkey_q, assoc); 4048 assoc->ipsa_hardexpiretime = current + reap_delay; 4049 } else if (assoc->ipsa_softexpiretime != 0 && 4050 assoc->ipsa_softexpiretime <= current && 4051 assoc->ipsa_state < IPSA_STATE_DYING) { 4052 /* 4053 * Send EXPIRE message to PF_KEY. May wish to pawn 4054 * this off on another non-interrupt thread. 4055 */ 4056 assoc->ipsa_state = IPSA_STATE_DYING; 4057 if (assoc->ipsa_haspeer) { 4058 /* 4059 * If the SA has a peer, update the peer's state 4060 * on SOFT_EXPIRE, this is mostly to prevent two 4061 * expire messages from effectively the same SA. 4062 * 4063 * Don't care about paired SA's, then can (and should) 4064 * be able to soft expire at different times. 4065 * 4066 * If I return assoc, I have to bump up its 4067 * reference count to keep with the ipsa_t reference 4068 * count semantics. 4069 */ 4070 IPSA_REFHOLD(assoc); 4071 retval = assoc; 4072 } 4073 sadb_expire_assoc(pfkey_q, assoc); 4074 } else if (assoc->ipsa_idletime != 0 && 4075 assoc->ipsa_idleexpiretime <= current) { 4076 if (assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) { 4077 assoc->ipsa_state = IPSA_STATE_IDLE; 4078 } 4079 4080 /* 4081 * Need to handle Mature case 4082 */ 4083 if (assoc->ipsa_state == IPSA_STATE_MATURE) { 4084 sadb_expire_assoc(pfkey_q, assoc); 4085 } 4086 } else { 4087 /* Check idle time activities. */ 4088 dropped_mutex = sadb_idle_activities(assoc, 4089 current - assoc->ipsa_lastuse, inbound); 4090 } 4091 4092 if (!dropped_mutex) 4093 mutex_exit(&assoc->ipsa_lock); 4094 return (retval); 4095 } 4096 4097 /* 4098 * Called by a consumer protocol to do ther dirty work of reaping dead 4099 * Security Associations. 4100 * 4101 * NOTE: sadb_age_assoc() marks expired SA's as DEAD but only removed 4102 * SA's that are already marked DEAD, so expired SA's are only reaped 4103 * the second time sadb_ager() runs. 4104 */ 4105 void 4106 sadb_ager(sadb_t *sp, queue_t *pfkey_q, int reap_delay, netstack_t *ns) 4107 { 4108 int i; 4109 isaf_t *bucket; 4110 ipsa_t *assoc, *spare; 4111 iacqf_t *acqlist; 4112 ipsacq_t *acqrec, *spareacq; 4113 templist_t *haspeerlist, *newbie; 4114 /* Snapshot current time now. */ 4115 time_t current = gethrestime_sec(); 4116 haspeerlist = NULL; 4117 4118 /* 4119 * Do my dirty work. This includes aging real entries, aging 4120 * larvals, and aging outstanding ACQUIREs. 4121 * 4122 * I hope I don't tie up resources for too long. 4123 */ 4124 4125 /* Age acquires. */ 4126 4127 for (i = 0; i < sp->sdb_hashsize; i++) { 4128 acqlist = &sp->sdb_acq[i]; 4129 mutex_enter(&acqlist->iacqf_lock); 4130 for (acqrec = acqlist->iacqf_ipsacq; acqrec != NULL; 4131 acqrec = spareacq) { 4132 spareacq = acqrec->ipsacq_next; 4133 if (current > acqrec->ipsacq_expire) 4134 sadb_destroy_acquire(acqrec, ns); 4135 } 4136 mutex_exit(&acqlist->iacqf_lock); 4137 } 4138 4139 /* Age inbound associations. */ 4140 for (i = 0; i < sp->sdb_hashsize; i++) { 4141 bucket = &(sp->sdb_if[i]); 4142 mutex_enter(&bucket->isaf_lock); 4143 for (assoc = bucket->isaf_ipsa; assoc != NULL; 4144 assoc = spare) { 4145 spare = assoc->ipsa_next; 4146 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 4147 reap_delay, B_TRUE) != NULL) { 4148 /* 4149 * Put SA's which have a peer or SA's which 4150 * are paired on a list for processing after 4151 * all the hash tables have been walked. 4152 * 4153 * sadb_age_assoc() increments the refcnt, 4154 * effectively doing an IPSA_REFHOLD(). 4155 */ 4156 newbie = kmem_alloc(sizeof (*newbie), 4157 KM_NOSLEEP); 4158 if (newbie == NULL) { 4159 /* 4160 * Don't forget to REFRELE(). 4161 */ 4162 IPSA_REFRELE(assoc); 4163 continue; /* for loop... */ 4164 } 4165 newbie->next = haspeerlist; 4166 newbie->ipsa = assoc; 4167 haspeerlist = newbie; 4168 } 4169 } 4170 mutex_exit(&bucket->isaf_lock); 4171 } 4172 4173 age_pair_peer_list(haspeerlist, sp, B_FALSE); 4174 haspeerlist = NULL; 4175 4176 /* Age outbound associations. */ 4177 for (i = 0; i < sp->sdb_hashsize; i++) { 4178 bucket = &(sp->sdb_of[i]); 4179 mutex_enter(&bucket->isaf_lock); 4180 for (assoc = bucket->isaf_ipsa; assoc != NULL; 4181 assoc = spare) { 4182 spare = assoc->ipsa_next; 4183 if (sadb_age_assoc(bucket, pfkey_q, assoc, current, 4184 reap_delay, B_FALSE) != NULL) { 4185 /* 4186 * sadb_age_assoc() increments the refcnt, 4187 * effectively doing an IPSA_REFHOLD(). 4188 */ 4189 newbie = kmem_alloc(sizeof (*newbie), 4190 KM_NOSLEEP); 4191 if (newbie == NULL) { 4192 /* 4193 * Don't forget to REFRELE(). 4194 */ 4195 IPSA_REFRELE(assoc); 4196 continue; /* for loop... */ 4197 } 4198 newbie->next = haspeerlist; 4199 newbie->ipsa = assoc; 4200 haspeerlist = newbie; 4201 } 4202 } 4203 mutex_exit(&bucket->isaf_lock); 4204 } 4205 4206 age_pair_peer_list(haspeerlist, sp, B_TRUE); 4207 4208 /* 4209 * Run a GC pass to clean out dead identities. 4210 */ 4211 ipsid_gc(ns); 4212 } 4213 4214 /* 4215 * Figure out when to reschedule the ager. 4216 */ 4217 timeout_id_t 4218 sadb_retimeout(hrtime_t begin, queue_t *pfkey_q, void (*ager)(void *), 4219 void *agerarg, uint_t *intp, uint_t intmax, short mid) 4220 { 4221 hrtime_t end = gethrtime(); 4222 uint_t interval = *intp; /* "interval" is in ms. */ 4223 4224 /* 4225 * See how long this took. If it took too long, increase the 4226 * aging interval. 4227 */ 4228 if ((end - begin) > MSEC2NSEC(interval)) { 4229 if (interval >= intmax) { 4230 /* XXX Rate limit this? Or recommend flush? */ 4231 (void) strlog(mid, 0, 0, SL_ERROR | SL_WARN, 4232 "Too many SA's to age out in %d msec.\n", 4233 intmax); 4234 } else { 4235 /* Double by shifting by one bit. */ 4236 interval <<= 1; 4237 interval = min(interval, intmax); 4238 } 4239 } else if ((end - begin) <= (MSEC2NSEC(interval) / 2) && 4240 interval > SADB_AGE_INTERVAL_DEFAULT) { 4241 /* 4242 * If I took less than half of the interval, then I should 4243 * ratchet the interval back down. Never automatically 4244 * shift below the default aging interval. 4245 * 4246 * NOTE:This even overrides manual setting of the age 4247 * interval using NDD to lower the setting past the 4248 * default. In other words, if you set the interval 4249 * lower than the default, and your SADB gets too big, 4250 * the interval will only self-lower back to the default. 4251 */ 4252 /* Halve by shifting one bit. */ 4253 interval >>= 1; 4254 interval = max(interval, SADB_AGE_INTERVAL_DEFAULT); 4255 } 4256 *intp = interval; 4257 return (qtimeout(pfkey_q, ager, agerarg, 4258 drv_usectohz(interval * (MICROSEC / MILLISEC)))); 4259 } 4260 4261 4262 /* 4263 * Update the lifetime values of an SA. This is the path an SADB_UPDATE 4264 * message takes when updating a MATURE or DYING SA. 4265 */ 4266 static void 4267 sadb_update_lifetimes(ipsa_t *assoc, sadb_lifetime_t *hard, 4268 sadb_lifetime_t *soft, sadb_lifetime_t *idle, boolean_t outbound) 4269 { 4270 mutex_enter(&assoc->ipsa_lock); 4271 4272 /* 4273 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be 4274 * passed in during an update message. We currently don't handle 4275 * these. 4276 */ 4277 4278 if (hard != NULL) { 4279 if (hard->sadb_lifetime_bytes != 0) 4280 assoc->ipsa_hardbyteslt = hard->sadb_lifetime_bytes; 4281 if (hard->sadb_lifetime_usetime != 0) 4282 assoc->ipsa_harduselt = hard->sadb_lifetime_usetime; 4283 if (hard->sadb_lifetime_addtime != 0) 4284 assoc->ipsa_hardaddlt = hard->sadb_lifetime_addtime; 4285 if (assoc->ipsa_hardaddlt != 0) { 4286 assoc->ipsa_hardexpiretime = 4287 assoc->ipsa_addtime + assoc->ipsa_hardaddlt; 4288 } 4289 if (assoc->ipsa_harduselt != 0 && 4290 assoc->ipsa_flags & IPSA_F_USED) { 4291 UPDATE_EXPIRE(assoc, harduselt, hardexpiretime); 4292 } 4293 if (hard->sadb_lifetime_allocations != 0) 4294 assoc->ipsa_hardalloc = hard->sadb_lifetime_allocations; 4295 } 4296 4297 if (soft != NULL) { 4298 if (soft->sadb_lifetime_bytes != 0) { 4299 if (soft->sadb_lifetime_bytes > 4300 assoc->ipsa_hardbyteslt) { 4301 assoc->ipsa_softbyteslt = 4302 assoc->ipsa_hardbyteslt; 4303 } else { 4304 assoc->ipsa_softbyteslt = 4305 soft->sadb_lifetime_bytes; 4306 } 4307 } 4308 if (soft->sadb_lifetime_usetime != 0) { 4309 if (soft->sadb_lifetime_usetime > 4310 assoc->ipsa_harduselt) { 4311 assoc->ipsa_softuselt = 4312 assoc->ipsa_harduselt; 4313 } else { 4314 assoc->ipsa_softuselt = 4315 soft->sadb_lifetime_usetime; 4316 } 4317 } 4318 if (soft->sadb_lifetime_addtime != 0) { 4319 if (soft->sadb_lifetime_addtime > 4320 assoc->ipsa_hardexpiretime) { 4321 assoc->ipsa_softexpiretime = 4322 assoc->ipsa_hardexpiretime; 4323 } else { 4324 assoc->ipsa_softaddlt = 4325 soft->sadb_lifetime_addtime; 4326 } 4327 } 4328 if (assoc->ipsa_softaddlt != 0) { 4329 assoc->ipsa_softexpiretime = 4330 assoc->ipsa_addtime + assoc->ipsa_softaddlt; 4331 } 4332 if (assoc->ipsa_softuselt != 0 && 4333 assoc->ipsa_flags & IPSA_F_USED) { 4334 UPDATE_EXPIRE(assoc, softuselt, softexpiretime); 4335 } 4336 if (outbound && assoc->ipsa_softexpiretime != 0) { 4337 if (assoc->ipsa_state == IPSA_STATE_MATURE) 4338 lifetime_fuzz(assoc); 4339 } 4340 4341 if (soft->sadb_lifetime_allocations != 0) 4342 assoc->ipsa_softalloc = soft->sadb_lifetime_allocations; 4343 } 4344 4345 if (idle != NULL) { 4346 time_t current = gethrestime_sec(); 4347 if ((assoc->ipsa_idleexpiretime <= current) && 4348 (assoc->ipsa_idleaddlt == idle->sadb_lifetime_addtime)) { 4349 assoc->ipsa_idleexpiretime = 4350 current + assoc->ipsa_idleaddlt; 4351 } 4352 if (idle->sadb_lifetime_addtime != 0) 4353 assoc->ipsa_idleaddlt = idle->sadb_lifetime_addtime; 4354 if (idle->sadb_lifetime_usetime != 0) 4355 assoc->ipsa_idleuselt = idle->sadb_lifetime_usetime; 4356 if (assoc->ipsa_idleaddlt != 0) { 4357 assoc->ipsa_idleexpiretime = 4358 current + idle->sadb_lifetime_addtime; 4359 assoc->ipsa_idletime = idle->sadb_lifetime_addtime; 4360 } 4361 if (assoc->ipsa_idleuselt != 0) { 4362 if (assoc->ipsa_idletime != 0) { 4363 assoc->ipsa_idletime = min(assoc->ipsa_idletime, 4364 assoc->ipsa_idleuselt); 4365 assoc->ipsa_idleexpiretime = 4366 current + assoc->ipsa_idletime; 4367 } else { 4368 assoc->ipsa_idleexpiretime = 4369 current + assoc->ipsa_idleuselt; 4370 assoc->ipsa_idletime = assoc->ipsa_idleuselt; 4371 } 4372 } 4373 } 4374 mutex_exit(&assoc->ipsa_lock); 4375 } 4376 4377 static int 4378 sadb_update_state(ipsa_t *assoc, uint_t new_state, mblk_t **ipkt_lst) 4379 { 4380 int rcode = 0; 4381 time_t current = gethrestime_sec(); 4382 4383 mutex_enter(&assoc->ipsa_lock); 4384 4385 switch (new_state) { 4386 case SADB_X_SASTATE_ACTIVE_ELSEWHERE: 4387 if (assoc->ipsa_state == SADB_X_SASTATE_IDLE) { 4388 assoc->ipsa_state = IPSA_STATE_ACTIVE_ELSEWHERE; 4389 assoc->ipsa_idleexpiretime = 4390 current + assoc->ipsa_idletime; 4391 } 4392 break; 4393 case SADB_X_SASTATE_IDLE: 4394 if (assoc->ipsa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) { 4395 assoc->ipsa_state = IPSA_STATE_IDLE; 4396 assoc->ipsa_idleexpiretime = 4397 current + assoc->ipsa_idletime; 4398 } else { 4399 rcode = EINVAL; 4400 } 4401 break; 4402 4403 case SADB_X_SASTATE_ACTIVE: 4404 if (assoc->ipsa_state != SADB_X_SASTATE_IDLE) { 4405 rcode = EINVAL; 4406 break; 4407 } 4408 assoc->ipsa_state = IPSA_STATE_MATURE; 4409 assoc->ipsa_idleexpiretime = current + assoc->ipsa_idletime; 4410 4411 if (ipkt_lst == NULL) { 4412 break; 4413 } 4414 4415 if (assoc->ipsa_bpkt_head != NULL) { 4416 *ipkt_lst = assoc->ipsa_bpkt_head; 4417 assoc->ipsa_bpkt_head = assoc->ipsa_bpkt_tail = NULL; 4418 assoc->ipsa_mblkcnt = 0; 4419 } else { 4420 *ipkt_lst = NULL; 4421 } 4422 break; 4423 default: 4424 rcode = EINVAL; 4425 break; 4426 } 4427 4428 mutex_exit(&assoc->ipsa_lock); 4429 return (rcode); 4430 } 4431 4432 /* 4433 * Check a proposed KMC update for sanity. 4434 */ 4435 static int 4436 sadb_check_kmc(ipsa_query_t *sq, ipsa_t *sa, int *diagnostic) 4437 { 4438 uint32_t kmp = sq->kmp; 4439 uint32_t kmc = sq->kmc; 4440 4441 if (sa == NULL) 4442 return (0); 4443 4444 if (sa->ipsa_state == IPSA_STATE_DEAD) 4445 return (ESRCH); /* DEAD == Not there, in this case. */ 4446 4447 if ((kmp != 0) && ((sa->ipsa_kmp != 0) || (sa->ipsa_kmp != kmp))) { 4448 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; 4449 return (EINVAL); 4450 } 4451 4452 if ((kmc != 0) && ((sa->ipsa_kmc != 0) || (sa->ipsa_kmc != kmc))) { 4453 *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; 4454 return (EINVAL); 4455 } 4456 4457 return (0); 4458 } 4459 4460 /* 4461 * Actually update the KMC info. 4462 */ 4463 static void 4464 sadb_update_kmc(ipsa_query_t *sq, ipsa_t *sa) 4465 { 4466 uint32_t kmp = sq->kmp; 4467 uint32_t kmc = sq->kmc; 4468 4469 if (kmp != 0) 4470 sa->ipsa_kmp = kmp; 4471 if (kmc != 0) 4472 sa->ipsa_kmc = kmc; 4473 } 4474 4475 /* 4476 * Common code to update an SA. 4477 */ 4478 4479 int 4480 sadb_update_sa(mblk_t *mp, keysock_in_t *ksi, mblk_t **ipkt_lst, 4481 sadbp_t *spp, int *diagnostic, queue_t *pfkey_q, 4482 int (*add_sa_func)(mblk_t *, keysock_in_t *, int *, netstack_t *), 4483 netstack_t *ns, uint8_t sadb_msg_type) 4484 { 4485 sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH]; 4486 sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT]; 4487 sadb_x_replay_ctr_t *replext = 4488 (sadb_x_replay_ctr_t *)ksi->ks_in_extv[SADB_X_EXT_REPLAY_VALUE]; 4489 sadb_lifetime_t *soft = 4490 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT]; 4491 sadb_lifetime_t *hard = 4492 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD]; 4493 sadb_lifetime_t *idle = 4494 (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE]; 4495 sadb_x_pair_t *pair_ext = 4496 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 4497 ipsa_t *echo_target = NULL; 4498 ipsap_t ipsapp; 4499 ipsa_query_t sq; 4500 time_t current = gethrestime_sec(); 4501 4502 sq.spp = spp; /* XXX param */ 4503 int error = sadb_form_query(ksi, IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA, 4504 IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, 4505 &sq, diagnostic); 4506 4507 if (error != 0) 4508 return (error); 4509 4510 error = get_ipsa_pair(&sq, &ipsapp, diagnostic); 4511 if (error != 0) 4512 return (error); 4513 4514 if (ipsapp.ipsap_psa_ptr == NULL && ipsapp.ipsap_sa_ptr != NULL) { 4515 if (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) { 4516 /* 4517 * REFRELE the target and let the add_sa_func() 4518 * deal with updating a larval SA. 4519 */ 4520 destroy_ipsa_pair(&ipsapp); 4521 return (add_sa_func(mp, ksi, diagnostic, ns)); 4522 } 4523 } 4524 4525 /* 4526 * At this point we have an UPDATE to a MATURE SA. There should 4527 * not be any keying material present. 4528 */ 4529 if (akey != NULL) { 4530 *diagnostic = SADB_X_DIAGNOSTIC_AKEY_PRESENT; 4531 error = EINVAL; 4532 goto bail; 4533 } 4534 if (ekey != NULL) { 4535 *diagnostic = SADB_X_DIAGNOSTIC_EKEY_PRESENT; 4536 error = EINVAL; 4537 goto bail; 4538 } 4539 4540 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE) { 4541 if (ipsapp.ipsap_sa_ptr != NULL && 4542 ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_IDLE) { 4543 if ((error = sadb_update_state(ipsapp.ipsap_sa_ptr, 4544 sq.assoc->sadb_sa_state, NULL)) != 0) { 4545 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4546 goto bail; 4547 } 4548 } 4549 if (ipsapp.ipsap_psa_ptr != NULL && 4550 ipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_IDLE) { 4551 if ((error = sadb_update_state(ipsapp.ipsap_psa_ptr, 4552 sq.assoc->sadb_sa_state, NULL)) != 0) { 4553 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4554 goto bail; 4555 } 4556 } 4557 } 4558 if (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE) { 4559 if (ipsapp.ipsap_sa_ptr != NULL) { 4560 error = sadb_update_state(ipsapp.ipsap_sa_ptr, 4561 sq.assoc->sadb_sa_state, 4562 (ipsapp.ipsap_sa_ptr->ipsa_flags & 4563 IPSA_F_INBOUND) ? ipkt_lst : NULL); 4564 if (error) { 4565 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4566 goto bail; 4567 } 4568 } 4569 if (ipsapp.ipsap_psa_ptr != NULL) { 4570 error = sadb_update_state(ipsapp.ipsap_psa_ptr, 4571 sq.assoc->sadb_sa_state, 4572 (ipsapp.ipsap_psa_ptr->ipsa_flags & 4573 IPSA_F_INBOUND) ? ipkt_lst : NULL); 4574 if (error) { 4575 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4576 goto bail; 4577 } 4578 } 4579 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 4580 ksi, echo_target); 4581 goto bail; 4582 } 4583 4584 /* 4585 * Reality checks for updates of active associations. 4586 * Sundry first-pass UPDATE-specific reality checks. 4587 * Have to do the checks here, because it's after the add_sa code. 4588 * XXX STATS : logging/stats here? 4589 */ 4590 4591 if (!((sq.assoc->sadb_sa_state == SADB_SASTATE_MATURE) || 4592 (sq.assoc->sadb_sa_state == SADB_X_SASTATE_ACTIVE_ELSEWHERE))) { 4593 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4594 error = EINVAL; 4595 goto bail; 4596 } 4597 if (sq.assoc->sadb_sa_flags & ~spp->s_updateflags) { 4598 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS; 4599 error = EINVAL; 4600 goto bail; 4601 } 4602 if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL) { 4603 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_LIFETIME; 4604 error = EOPNOTSUPP; 4605 goto bail; 4606 } 4607 4608 if ((*diagnostic = sadb_hardsoftchk(hard, soft, idle)) != 0) { 4609 error = EINVAL; 4610 goto bail; 4611 } 4612 4613 if ((*diagnostic = sadb_labelchk(ksi)) != 0) 4614 return (EINVAL); 4615 4616 error = sadb_check_kmc(&sq, ipsapp.ipsap_sa_ptr, diagnostic); 4617 if (error != 0) 4618 goto bail; 4619 4620 error = sadb_check_kmc(&sq, ipsapp.ipsap_psa_ptr, diagnostic); 4621 if (error != 0) 4622 goto bail; 4623 4624 4625 if (ipsapp.ipsap_sa_ptr != NULL) { 4626 /* 4627 * Do not allow replay value change for MATURE or LARVAL SA. 4628 */ 4629 4630 if ((replext != NULL) && 4631 ((ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_LARVAL) || 4632 (ipsapp.ipsap_sa_ptr->ipsa_state == IPSA_STATE_MATURE))) { 4633 *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; 4634 error = EINVAL; 4635 goto bail; 4636 } 4637 } 4638 4639 4640 if (ipsapp.ipsap_sa_ptr != NULL) { 4641 sadb_update_lifetimes(ipsapp.ipsap_sa_ptr, hard, soft, 4642 idle, B_TRUE); 4643 sadb_update_kmc(&sq, ipsapp.ipsap_sa_ptr); 4644 if ((replext != NULL) && 4645 (ipsapp.ipsap_sa_ptr->ipsa_replay_wsize != 0)) { 4646 /* 4647 * If an inbound SA, update the replay counter 4648 * and check off all the other sequence number 4649 */ 4650 if (ksi->ks_in_dsttype == KS_IN_ADDR_ME) { 4651 if (!sadb_replay_check(ipsapp.ipsap_sa_ptr, 4652 replext->sadb_x_rc_replay32)) { 4653 *diagnostic = 4654 SADB_X_DIAGNOSTIC_INVALID_REPLAY; 4655 error = EINVAL; 4656 goto bail; 4657 } 4658 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock); 4659 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime = 4660 current + 4661 ipsapp.ipsap_sa_ptr->ipsa_idletime; 4662 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock); 4663 } else { 4664 mutex_enter(&ipsapp.ipsap_sa_ptr->ipsa_lock); 4665 ipsapp.ipsap_sa_ptr->ipsa_replay = 4666 replext->sadb_x_rc_replay32; 4667 ipsapp.ipsap_sa_ptr->ipsa_idleexpiretime = 4668 current + 4669 ipsapp.ipsap_sa_ptr->ipsa_idletime; 4670 mutex_exit(&ipsapp.ipsap_sa_ptr->ipsa_lock); 4671 } 4672 } 4673 } 4674 4675 if (sadb_msg_type == SADB_X_UPDATEPAIR) { 4676 if (ipsapp.ipsap_psa_ptr != NULL) { 4677 sadb_update_lifetimes(ipsapp.ipsap_psa_ptr, hard, soft, 4678 idle, B_FALSE); 4679 sadb_update_kmc(&sq, ipsapp.ipsap_psa_ptr); 4680 } else { 4681 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND; 4682 error = ESRCH; 4683 goto bail; 4684 } 4685 } 4686 4687 if (pair_ext != NULL) 4688 error = update_pairing(&ipsapp, &sq, ksi, diagnostic); 4689 4690 if (error == 0) 4691 sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, 4692 ksi, echo_target); 4693 bail: 4694 4695 destroy_ipsa_pair(&ipsapp); 4696 4697 return (error); 4698 } 4699 4700 4701 static int 4702 update_pairing(ipsap_t *ipsapp, ipsa_query_t *sq, keysock_in_t *ksi, 4703 int *diagnostic) 4704 { 4705 sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; 4706 sadb_x_pair_t *pair_ext = 4707 (sadb_x_pair_t *)ksi->ks_in_extv[SADB_X_EXT_PAIR]; 4708 int error = 0; 4709 ipsap_t oipsapp; 4710 boolean_t undo_pair = B_FALSE; 4711 uint32_t ipsa_flags; 4712 4713 if (pair_ext->sadb_x_pair_spi == 0 || pair_ext->sadb_x_pair_spi == 4714 assoc->sadb_sa_spi) { 4715 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4716 return (EINVAL); 4717 } 4718 4719 /* 4720 * Assume for now that the spi value provided in the SADB_UPDATE 4721 * message was valid, update the SA with its pair spi value. 4722 * If the spi turns out to be bogus or the SA no longer exists 4723 * then this will be detected when the reverse update is made 4724 * below. 4725 */ 4726 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4727 ipsapp->ipsap_sa_ptr->ipsa_flags |= IPSA_F_PAIRED; 4728 ipsapp->ipsap_sa_ptr->ipsa_otherspi = pair_ext->sadb_x_pair_spi; 4729 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4730 4731 /* 4732 * After updating the ipsa_otherspi element of the SA, get_ipsa_pair() 4733 * should now return pointers to the SA *AND* its pair, if this is not 4734 * the case, the "otherspi" either did not exist or was deleted. Also 4735 * check that "otherspi" is not already paired. If everything looks 4736 * good, complete the update. IPSA_REFRELE the first pair_pointer 4737 * after this update to ensure its not deleted until we are done. 4738 */ 4739 error = get_ipsa_pair(sq, &oipsapp, diagnostic); 4740 if (error != 0) { 4741 /* 4742 * This should never happen, calling function still has 4743 * IPSA_REFHELD on the SA we just updated. 4744 */ 4745 return (error); /* XXX EINVAL instead of ESRCH? */ 4746 } 4747 4748 if (oipsapp.ipsap_psa_ptr == NULL) { 4749 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4750 error = EINVAL; 4751 undo_pair = B_TRUE; 4752 } else { 4753 ipsa_flags = oipsapp.ipsap_psa_ptr->ipsa_flags; 4754 if ((oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DEAD) || 4755 (oipsapp.ipsap_psa_ptr->ipsa_state == IPSA_STATE_DYING)) { 4756 /* Its dead Jim! */ 4757 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4758 undo_pair = B_TRUE; 4759 } else if ((ipsa_flags & (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) == 4760 (IPSA_F_OUTBOUND | IPSA_F_INBOUND)) { 4761 /* This SA is in both hashtables. */ 4762 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE; 4763 undo_pair = B_TRUE; 4764 } else if (ipsa_flags & IPSA_F_PAIRED) { 4765 /* This SA is already paired with another. */ 4766 *diagnostic = SADB_X_DIAGNOSTIC_PAIR_ALREADY; 4767 undo_pair = B_TRUE; 4768 } 4769 } 4770 4771 if (undo_pair) { 4772 /* The pair SA does not exist. */ 4773 mutex_enter(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4774 ipsapp->ipsap_sa_ptr->ipsa_flags &= ~IPSA_F_PAIRED; 4775 ipsapp->ipsap_sa_ptr->ipsa_otherspi = 0; 4776 mutex_exit(&ipsapp->ipsap_sa_ptr->ipsa_lock); 4777 } else { 4778 mutex_enter(&oipsapp.ipsap_psa_ptr->ipsa_lock); 4779 oipsapp.ipsap_psa_ptr->ipsa_otherspi = assoc->sadb_sa_spi; 4780 oipsapp.ipsap_psa_ptr->ipsa_flags |= IPSA_F_PAIRED; 4781 mutex_exit(&oipsapp.ipsap_psa_ptr->ipsa_lock); 4782 } 4783 4784 destroy_ipsa_pair(&oipsapp); 4785 return (error); 4786 } 4787 4788 /* 4789 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is 4790 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails 4791 * for an outbound datagram, that datagram is queued up on an ACQUIRE record, 4792 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key 4793 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve 4794 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the 4795 * other direction's SA. 4796 */ 4797 4798 /* 4799 * Check the ACQUIRE lists. If there's an existing ACQUIRE record, 4800 * grab it, lock it, and return it. Otherwise return NULL. 4801 * 4802 * XXX MLS number of arguments getting unwieldy here 4803 */ 4804 static ipsacq_t * 4805 sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp, 4806 uint32_t *src, uint32_t *dst, uint32_t *isrc, uint32_t *idst, 4807 uint64_t unique_id, ts_label_t *tsl) 4808 { 4809 ipsacq_t *walker; 4810 sa_family_t fam; 4811 uint32_t blank_address[4] = {0, 0, 0, 0}; 4812 4813 if (isrc == NULL) { 4814 ASSERT(idst == NULL); 4815 isrc = idst = blank_address; 4816 } 4817 4818 /* 4819 * Scan list for duplicates. Check for UNIQUE, src/dest, policy. 4820 * 4821 * XXX May need search for duplicates based on other things too! 4822 */ 4823 for (walker = bucket->iacqf_ipsacq; walker != NULL; 4824 walker = walker->ipsacq_next) { 4825 mutex_enter(&walker->ipsacq_lock); 4826 fam = walker->ipsacq_addrfam; 4827 if (IPSA_ARE_ADDR_EQUAL(dst, walker->ipsacq_dstaddr, fam) && 4828 IPSA_ARE_ADDR_EQUAL(src, walker->ipsacq_srcaddr, fam) && 4829 ip_addr_match((uint8_t *)isrc, walker->ipsacq_innersrcpfx, 4830 (in6_addr_t *)walker->ipsacq_innersrc) && 4831 ip_addr_match((uint8_t *)idst, walker->ipsacq_innerdstpfx, 4832 (in6_addr_t *)walker->ipsacq_innerdst) && 4833 (ap == walker->ipsacq_act) && 4834 (pp == walker->ipsacq_policy) && 4835 /* XXX do deep compares of ap/pp? */ 4836 (unique_id == walker->ipsacq_unique_id) && 4837 (ipsec_label_match(tsl, walker->ipsacq_tsl))) 4838 break; /* everything matched */ 4839 mutex_exit(&walker->ipsacq_lock); 4840 } 4841 4842 return (walker); 4843 } 4844 4845 /* 4846 * Generate an SADB_ACQUIRE base message mblk, including KEYSOCK_OUT metadata. 4847 * In other words, this will return, upon success, a two-mblk chain. 4848 */ 4849 static inline mblk_t * 4850 sadb_acquire_msg_base(minor_t serial, uint8_t satype, uint32_t seq, pid_t pid) 4851 { 4852 mblk_t *mp; 4853 sadb_msg_t *samsg; 4854 4855 mp = sadb_keysock_out(serial); 4856 if (mp == NULL) 4857 return (NULL); 4858 mp->b_cont = allocb(sizeof (sadb_msg_t), BPRI_HI); 4859 if (mp->b_cont == NULL) { 4860 freeb(mp); 4861 return (NULL); 4862 } 4863 4864 samsg = (sadb_msg_t *)mp->b_cont->b_rptr; 4865 mp->b_cont->b_wptr += sizeof (*samsg); 4866 samsg->sadb_msg_version = PF_KEY_V2; 4867 samsg->sadb_msg_type = SADB_ACQUIRE; 4868 samsg->sadb_msg_errno = 0; 4869 samsg->sadb_msg_reserved = 0; 4870 samsg->sadb_msg_satype = satype; 4871 samsg->sadb_msg_seq = seq; 4872 samsg->sadb_msg_pid = pid; 4873 4874 return (mp); 4875 } 4876 4877 /* 4878 * Generate address and TX/MLS sensitivity label PF_KEY extensions that are 4879 * common to both regular and extended ACQUIREs. 4880 */ 4881 static mblk_t * 4882 sadb_acquire_msg_common(ipsec_selector_t *sel, ipsec_policy_t *pp, 4883 ipsec_action_t *ap, boolean_t tunnel_mode, ts_label_t *tsl, 4884 sadb_sens_t *sens) 4885 { 4886 size_t len; 4887 mblk_t *mp; 4888 uint8_t *start, *cur, *end; 4889 uint32_t *saddrptr, *daddrptr; 4890 sa_family_t af; 4891 ipsec_action_t *oldap; 4892 ipsec_selkey_t *ipsl; 4893 uint8_t proto, pfxlen; 4894 uint16_t lport, rport; 4895 int senslen = 0; 4896 4897 /* 4898 * Get action pointer set if it isn't already. 4899 */ 4900 oldap = ap; 4901 if (pp != NULL) { 4902 ap = pp->ipsp_act; 4903 if (ap == NULL) 4904 ap = oldap; 4905 } 4906 4907 /* 4908 * Biggest-case scenario: 4909 * 4x (sadb_address_t + struct sockaddr_in6) 4910 * (src, dst, isrc, idst) 4911 * (COMING SOON, 6x, because of triggering-packet contents.) 4912 * sadb_x_kmc_t 4913 * sadb_sens_t 4914 * And wiggle room for label bitvectors. Luckily there are 4915 * programmatic ways to find it. 4916 */ 4917 len = 4 * (sizeof (sadb_address_t) + sizeof (struct sockaddr_in6)); 4918 4919 /* Figure out full and proper length of sensitivity labels. */ 4920 if (sens != NULL) { 4921 ASSERT(tsl == NULL); 4922 senslen = SADB_64TO8(sens->sadb_sens_len); 4923 } else if (tsl != NULL) { 4924 senslen = sadb_sens_len_from_label(tsl); 4925 } 4926 #ifdef DEBUG 4927 else { 4928 ASSERT(senslen == 0); 4929 } 4930 #endif /* DEBUG */ 4931 len += senslen; 4932 4933 mp = allocb(len, BPRI_HI); 4934 if (mp == NULL) 4935 return (NULL); 4936 4937 start = mp->b_rptr; 4938 end = start + len; 4939 cur = start; 4940 4941 /* 4942 * Address extensions first, from most-recently-defined to least. 4943 * (This should immediately trigger surprise or verify robustness on 4944 * older apps, like in.iked.) 4945 */ 4946 if (tunnel_mode) { 4947 /* 4948 * Form inner address extensions based NOT on the inner 4949 * selectors (i.e. the packet data), but on the policy's 4950 * selector key (i.e. the policy's selector information). 4951 * 4952 * NOTE: The position of IPv4 and IPv6 addresses is the 4953 * same in ipsec_selkey_t (unless the compiler does very 4954 * strange things with unions, consult your local C language 4955 * lawyer for details). 4956 */ 4957 ASSERT(pp != NULL); 4958 4959 ipsl = &(pp->ipsp_sel->ipsl_key); 4960 if (ipsl->ipsl_valid & IPSL_IPV4) { 4961 af = AF_INET; 4962 ASSERT(sel->ips_protocol == IPPROTO_ENCAP); 4963 ASSERT(!(ipsl->ipsl_valid & IPSL_IPV6)); 4964 } else { 4965 af = AF_INET6; 4966 ASSERT(sel->ips_protocol == IPPROTO_IPV6); 4967 ASSERT(ipsl->ipsl_valid & IPSL_IPV6); 4968 } 4969 4970 if (ipsl->ipsl_valid & IPSL_LOCAL_ADDR) { 4971 saddrptr = (uint32_t *)(&ipsl->ipsl_local); 4972 pfxlen = ipsl->ipsl_local_pfxlen; 4973 } else { 4974 saddrptr = (uint32_t *)(&ipv6_all_zeros); 4975 pfxlen = 0; 4976 } 4977 /* XXX What about ICMP type/code? */ 4978 lport = (ipsl->ipsl_valid & IPSL_LOCAL_PORT) ? 4979 ipsl->ipsl_lport : 0; 4980 proto = (ipsl->ipsl_valid & IPSL_PROTOCOL) ? 4981 ipsl->ipsl_proto : 0; 4982 4983 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_SRC, 4984 af, saddrptr, lport, proto, pfxlen); 4985 if (cur == NULL) { 4986 freeb(mp); 4987 return (NULL); 4988 } 4989 4990 if (ipsl->ipsl_valid & IPSL_REMOTE_ADDR) { 4991 daddrptr = (uint32_t *)(&ipsl->ipsl_remote); 4992 pfxlen = ipsl->ipsl_remote_pfxlen; 4993 } else { 4994 daddrptr = (uint32_t *)(&ipv6_all_zeros); 4995 pfxlen = 0; 4996 } 4997 /* XXX What about ICMP type/code? */ 4998 rport = (ipsl->ipsl_valid & IPSL_REMOTE_PORT) ? 4999 ipsl->ipsl_rport : 0; 5000 5001 cur = sadb_make_addr_ext(cur, end, SADB_X_EXT_ADDRESS_INNER_DST, 5002 af, daddrptr, rport, proto, pfxlen); 5003 if (cur == NULL) { 5004 freeb(mp); 5005 return (NULL); 5006 } 5007 /* 5008 * TODO - if we go to 3884's dream of transport mode IP-in-IP 5009 * _with_ inner-packet address selectors, we'll need to further 5010 * distinguish tunnel mode here. For now, having inner 5011 * addresses and/or ports is sufficient. 5012 * 5013 * Meanwhile, whack proto/ports to reflect IP-in-IP for the 5014 * outer addresses. 5015 */ 5016 proto = sel->ips_protocol; /* Either _ENCAP or _IPV6 */ 5017 lport = rport = 0; 5018 } else if ((ap != NULL) && (!ap->ipa_want_unique)) { 5019 /* 5020 * For cases when the policy calls out specific ports (or not). 5021 */ 5022 proto = 0; 5023 lport = 0; 5024 rport = 0; 5025 if (pp != NULL) { 5026 ipsl = &(pp->ipsp_sel->ipsl_key); 5027 if (ipsl->ipsl_valid & IPSL_PROTOCOL) 5028 proto = ipsl->ipsl_proto; 5029 if (ipsl->ipsl_valid & IPSL_REMOTE_PORT) 5030 rport = ipsl->ipsl_rport; 5031 if (ipsl->ipsl_valid & IPSL_LOCAL_PORT) 5032 lport = ipsl->ipsl_lport; 5033 } 5034 } else { 5035 /* 5036 * For require-unique-SA policies. 5037 */ 5038 proto = sel->ips_protocol; 5039 lport = sel->ips_local_port; 5040 rport = sel->ips_remote_port; 5041 } 5042 5043 /* 5044 * Regular addresses. These are outer-packet ones for tunnel mode. 5045 * Or for transport mode, the regulard address & port information. 5046 */ 5047 af = sel->ips_isv4 ? AF_INET : AF_INET6; 5048 5049 /* 5050 * NOTE: The position of IPv4 and IPv6 addresses is the same in 5051 * ipsec_selector_t. 5052 */ 5053 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_SRC, af, 5054 (uint32_t *)(&sel->ips_local_addr_v6), lport, proto, 0); 5055 if (cur == NULL) { 5056 freeb(mp); 5057 return (NULL); 5058 } 5059 5060 cur = sadb_make_addr_ext(cur, end, SADB_EXT_ADDRESS_DST, af, 5061 (uint32_t *)(&sel->ips_remote_addr_v6), rport, proto, 0); 5062 if (cur == NULL) { 5063 freeb(mp); 5064 return (NULL); 5065 } 5066 5067 /* 5068 * If present, generate a sensitivity label. 5069 */ 5070 if (cur + senslen > end) { 5071 freeb(mp); 5072 return (NULL); 5073 } 5074 if (sens != NULL) { 5075 /* Explicit sadb_sens_t, usually from inverse-ACQUIRE. */ 5076 bcopy(sens, cur, senslen); 5077 } else if (tsl != NULL) { 5078 /* Generate sadb_sens_t from ACQUIRE source. */ 5079 sadb_sens_from_label((sadb_sens_t *)cur, SADB_EXT_SENSITIVITY, 5080 tsl, senslen); 5081 } 5082 #ifdef DEBUG 5083 else { 5084 ASSERT(senslen == 0); 5085 } 5086 #endif /* DEBUG */ 5087 cur += senslen; 5088 mp->b_wptr = cur; 5089 5090 return (mp); 5091 } 5092 5093 /* 5094 * Generate a regular ACQUIRE's proposal extension and KMC information.. 5095 */ 5096 static mblk_t * 5097 sadb_acquire_prop(ipsec_action_t *ap, netstack_t *ns, boolean_t do_esp) 5098 { 5099 ipsec_stack_t *ipss = ns->netstack_ipsec; 5100 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 5101 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 5102 mblk_t *mp = NULL; 5103 sadb_prop_t *prop; 5104 sadb_comb_t *comb; 5105 ipsec_action_t *walker; 5106 int ncombs, allocsize, ealgid, aalgid, aminbits, amaxbits, eminbits, 5107 emaxbits, replay; 5108 uint64_t softbytes, hardbytes, softaddtime, hardaddtime, softusetime, 5109 hardusetime; 5110 uint32_t kmc = 0, kmp = 0; 5111 5112 /* 5113 * Since it's an rwlock read, AND writing to the IPsec algorithms is 5114 * rare, just acquire it once up top, and drop it upon return. 5115 */ 5116 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 5117 if (do_esp) { 5118 uint64_t num_aalgs, num_ealgs; 5119 5120 if (espstack->esp_kstats == NULL) 5121 goto bail; 5122 5123 num_aalgs = ipss->ipsec_nalgs[IPSEC_ALG_AUTH]; 5124 num_ealgs = ipss->ipsec_nalgs[IPSEC_ALG_ENCR]; 5125 if (num_ealgs == 0) 5126 goto bail; /* IPsec not loaded yet, apparently. */ 5127 num_aalgs++; /* No-auth or self-auth-crypto ESP. */ 5128 5129 /* Use netstack's maximum loaded algorithms... */ 5130 ncombs = num_ealgs * num_aalgs; 5131 replay = espstack->ipsecesp_replay_size; 5132 } else { 5133 if (ahstack->ah_kstats == NULL) 5134 goto bail; 5135 5136 ncombs = ipss->ipsec_nalgs[IPSEC_ALG_AUTH]; 5137 5138 if (ncombs == 0) 5139 goto bail; /* IPsec not loaded yet, apparently. */ 5140 replay = ahstack->ipsecah_replay_size; 5141 } 5142 5143 allocsize = sizeof (*prop) + ncombs * sizeof (*comb) + 5144 sizeof (sadb_x_kmc_t); 5145 mp = allocb(allocsize, BPRI_HI); 5146 if (mp == NULL) 5147 goto bail; 5148 prop = (sadb_prop_t *)mp->b_rptr; 5149 mp->b_wptr += sizeof (*prop); 5150 comb = (sadb_comb_t *)mp->b_wptr; 5151 /* Decrement allocsize, if it goes to or below 0, stop. */ 5152 allocsize -= sizeof (*prop); 5153 prop->sadb_prop_exttype = SADB_EXT_PROPOSAL; 5154 prop->sadb_prop_len = SADB_8TO64(sizeof (*prop)); 5155 *(uint32_t *)(&prop->sadb_prop_replay) = 0; /* Quick zero-out! */ 5156 prop->sadb_prop_replay = replay; 5157 5158 /* 5159 * Based upon algorithm properties, and what-not, prioritize a 5160 * proposal, based on the ordering of the ESP algorithms in the 5161 * alternatives in the policy rule or socket that was placed 5162 * in the acquire record. 5163 * 5164 * For each action in policy list 5165 * Add combination. 5166 * I should not hit it, but if I've hit limit, return. 5167 */ 5168 5169 for (walker = ap; walker != NULL; walker = walker->ipa_next) { 5170 ipsec_alginfo_t *ealg, *aalg; 5171 ipsec_prot_t *prot; 5172 5173 if (walker->ipa_act.ipa_type != IPSEC_POLICY_APPLY) 5174 continue; 5175 5176 prot = &walker->ipa_act.ipa_apply; 5177 if (walker->ipa_act.ipa_apply.ipp_km_proto != 0) 5178 kmp = walker->ipa_act.ipa_apply.ipp_km_proto; 5179 if (walker->ipa_act.ipa_apply.ipp_km_cookie != 0) 5180 kmc = walker->ipa_act.ipa_apply.ipp_km_cookie; 5181 if (walker->ipa_act.ipa_apply.ipp_replay_depth) { 5182 prop->sadb_prop_replay = 5183 walker->ipa_act.ipa_apply.ipp_replay_depth; 5184 } 5185 5186 if (do_esp) { 5187 if (!prot->ipp_use_esp) 5188 continue; 5189 5190 if (prot->ipp_esp_auth_alg != 0) { 5191 aalg = ipss->ipsec_alglists[IPSEC_ALG_AUTH] 5192 [prot->ipp_esp_auth_alg]; 5193 if (aalg == NULL || !ALG_VALID(aalg)) 5194 continue; 5195 } else 5196 aalg = NULL; 5197 5198 ASSERT(prot->ipp_encr_alg > 0); 5199 ealg = ipss->ipsec_alglists[IPSEC_ALG_ENCR] 5200 [prot->ipp_encr_alg]; 5201 if (ealg == NULL || !ALG_VALID(ealg)) 5202 continue; 5203 5204 /* 5205 * These may want to come from policy rule.. 5206 */ 5207 softbytes = espstack->ipsecesp_default_soft_bytes; 5208 hardbytes = espstack->ipsecesp_default_hard_bytes; 5209 softaddtime = espstack->ipsecesp_default_soft_addtime; 5210 hardaddtime = espstack->ipsecesp_default_hard_addtime; 5211 softusetime = espstack->ipsecesp_default_soft_usetime; 5212 hardusetime = espstack->ipsecesp_default_hard_usetime; 5213 } else { 5214 if (!prot->ipp_use_ah) 5215 continue; 5216 ealg = NULL; 5217 aalg = ipss->ipsec_alglists[IPSEC_ALG_AUTH] 5218 [prot->ipp_auth_alg]; 5219 if (aalg == NULL || !ALG_VALID(aalg)) 5220 continue; 5221 5222 /* 5223 * These may want to come from policy rule.. 5224 */ 5225 softbytes = ahstack->ipsecah_default_soft_bytes; 5226 hardbytes = ahstack->ipsecah_default_hard_bytes; 5227 softaddtime = ahstack->ipsecah_default_soft_addtime; 5228 hardaddtime = ahstack->ipsecah_default_hard_addtime; 5229 softusetime = ahstack->ipsecah_default_soft_usetime; 5230 hardusetime = ahstack->ipsecah_default_hard_usetime; 5231 } 5232 5233 if (ealg == NULL) { 5234 ealgid = eminbits = emaxbits = 0; 5235 } else { 5236 ealgid = ealg->alg_id; 5237 eminbits = 5238 MAX(prot->ipp_espe_minbits, ealg->alg_ef_minbits); 5239 emaxbits = 5240 MIN(prot->ipp_espe_maxbits, ealg->alg_ef_maxbits); 5241 } 5242 5243 if (aalg == NULL) { 5244 aalgid = aminbits = amaxbits = 0; 5245 } else { 5246 aalgid = aalg->alg_id; 5247 aminbits = MAX(prot->ipp_espa_minbits, 5248 aalg->alg_ef_minbits); 5249 amaxbits = MIN(prot->ipp_espa_maxbits, 5250 aalg->alg_ef_maxbits); 5251 } 5252 5253 comb->sadb_comb_flags = 0; 5254 comb->sadb_comb_reserved = 0; 5255 comb->sadb_comb_encrypt = ealgid; 5256 comb->sadb_comb_encrypt_minbits = eminbits; 5257 comb->sadb_comb_encrypt_maxbits = emaxbits; 5258 comb->sadb_comb_auth = aalgid; 5259 comb->sadb_comb_auth_minbits = aminbits; 5260 comb->sadb_comb_auth_maxbits = amaxbits; 5261 comb->sadb_comb_soft_allocations = 0; 5262 comb->sadb_comb_hard_allocations = 0; 5263 comb->sadb_comb_soft_bytes = softbytes; 5264 comb->sadb_comb_hard_bytes = hardbytes; 5265 comb->sadb_comb_soft_addtime = softaddtime; 5266 comb->sadb_comb_hard_addtime = hardaddtime; 5267 comb->sadb_comb_soft_usetime = softusetime; 5268 comb->sadb_comb_hard_usetime = hardusetime; 5269 5270 prop->sadb_prop_len += SADB_8TO64(sizeof (*comb)); 5271 mp->b_wptr += sizeof (*comb); 5272 allocsize -= sizeof (*comb); 5273 /* Should never dip BELOW sizeof (KM cookie extension). */ 5274 ASSERT3S(allocsize, >=, sizeof (sadb_x_kmc_t)); 5275 if (allocsize <= sizeof (sadb_x_kmc_t)) 5276 break; /* out of space.. */ 5277 comb++; 5278 } 5279 5280 /* Don't include KMC extension if there's no room. */ 5281 if (((kmp != 0) || (kmc != 0)) && allocsize >= sizeof (sadb_x_kmc_t)) { 5282 if (sadb_make_kmc_ext(mp->b_wptr, 5283 mp->b_wptr + sizeof (sadb_x_kmc_t), kmp, kmc) == NULL) { 5284 freeb(mp); 5285 mp = NULL; 5286 goto bail; 5287 } 5288 mp->b_wptr += sizeof (sadb_x_kmc_t); 5289 prop->sadb_prop_len += SADB_8TO64(sizeof (sadb_x_kmc_t)); 5290 } 5291 5292 bail: 5293 rw_exit(&ipss->ipsec_alg_lock); 5294 return (mp); 5295 } 5296 5297 /* 5298 * Generate an extended ACQUIRE's extended-proposal extension. 5299 */ 5300 /* ARGSUSED */ 5301 static mblk_t * 5302 sadb_acquire_extended_prop(ipsec_action_t *ap, netstack_t *ns) 5303 { 5304 sadb_prop_t *eprop; 5305 uint8_t *cur, *end; 5306 mblk_t *mp; 5307 int allocsize, numecombs = 0, numalgdescs = 0; 5308 uint32_t kmc = 0, kmp = 0, replay = 0; 5309 ipsec_action_t *walker; 5310 5311 allocsize = sizeof (*eprop); 5312 5313 /* 5314 * Going to walk through the action list twice. Once for allocation 5315 * measurement, and once for actual construction. 5316 */ 5317 for (walker = ap; walker != NULL; walker = walker->ipa_next) { 5318 ipsec_prot_t *ipp; 5319 5320 /* 5321 * Skip non-IPsec policies 5322 */ 5323 if (walker->ipa_act.ipa_type != IPSEC_ACT_APPLY) 5324 continue; 5325 5326 ipp = &walker->ipa_act.ipa_apply; 5327 5328 if (walker->ipa_act.ipa_apply.ipp_km_proto) 5329 kmp = ipp->ipp_km_proto; 5330 if (walker->ipa_act.ipa_apply.ipp_km_cookie) 5331 kmc = ipp->ipp_km_cookie; 5332 if (walker->ipa_act.ipa_apply.ipp_replay_depth) 5333 replay = ipp->ipp_replay_depth; 5334 5335 if (ipp->ipp_use_ah) 5336 numalgdescs++; 5337 if (ipp->ipp_use_esp) { 5338 numalgdescs++; 5339 if (ipp->ipp_use_espa) 5340 numalgdescs++; 5341 } 5342 5343 numecombs++; 5344 } 5345 ASSERT(numecombs > 0); 5346 5347 allocsize += numecombs * sizeof (sadb_x_ecomb_t) + 5348 numalgdescs * sizeof (sadb_x_algdesc_t) + sizeof (sadb_x_kmc_t); 5349 mp = allocb(allocsize, BPRI_HI); 5350 if (mp == NULL) 5351 return (NULL); 5352 eprop = (sadb_prop_t *)mp->b_rptr; 5353 end = mp->b_rptr + allocsize; 5354 cur = mp->b_rptr + sizeof (*eprop); 5355 5356 eprop->sadb_prop_exttype = SADB_X_EXT_EPROP; 5357 eprop->sadb_x_prop_ereserved = 0; 5358 eprop->sadb_x_prop_numecombs = 0; 5359 *(uint32_t *)(&eprop->sadb_prop_replay) = 0; /* Quick zero-out! */ 5360 /* Pick ESP's replay default if need be. */ 5361 eprop->sadb_prop_replay = (replay == 0) ? 5362 ns->netstack_ipsecesp->ipsecesp_replay_size : replay; 5363 5364 /* This time, walk through and actually allocate. */ 5365 for (walker = ap; walker != NULL; walker = walker->ipa_next) { 5366 /* 5367 * Skip non-IPsec policies 5368 */ 5369 if (walker->ipa_act.ipa_type != IPSEC_ACT_APPLY) 5370 continue; 5371 cur = sadb_action_to_ecomb(cur, end, walker, ns); 5372 if (cur == NULL) { 5373 /* NOTE: inverse-ACQUIRE should note this as ENOMEM. */ 5374 freeb(mp); 5375 return (NULL); 5376 } 5377 eprop->sadb_x_prop_numecombs++; 5378 } 5379 5380 ASSERT(end - cur >= sizeof (sadb_x_kmc_t)); 5381 if ((kmp != 0) || (kmc != 0)) { 5382 cur = sadb_make_kmc_ext(cur, end, kmp, kmc); 5383 if (cur == NULL) { 5384 freeb(mp); 5385 return (NULL); 5386 } 5387 } 5388 mp->b_wptr = cur; 5389 eprop->sadb_prop_len = SADB_8TO64(cur - mp->b_rptr); 5390 5391 return (mp); 5392 } 5393 5394 /* 5395 * For this mblk, insert a new acquire record. Assume bucket contains addrs 5396 * of all of the same length. Give up (and drop) if memory 5397 * cannot be allocated for a new one; otherwise, invoke callback to 5398 * send the acquire up.. 5399 * 5400 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE 5401 * list. The ah_add_sa_finish() routines can look at the packet's attached 5402 * attributes and handle this case specially. 5403 */ 5404 void 5405 sadb_acquire(mblk_t *datamp, ip_xmit_attr_t *ixa, boolean_t need_ah, 5406 boolean_t need_esp) 5407 { 5408 mblk_t *asyncmp, *regular, *extended, *common, *prop, *eprop; 5409 sadbp_t *spp; 5410 sadb_t *sp; 5411 ipsacq_t *newbie; 5412 iacqf_t *bucket; 5413 ipha_t *ipha = (ipha_t *)datamp->b_rptr; 5414 ip6_t *ip6h = (ip6_t *)datamp->b_rptr; 5415 uint32_t *src, *dst, *isrc, *idst; 5416 ipsec_policy_t *pp = ixa->ixa_ipsec_policy; 5417 ipsec_action_t *ap = ixa->ixa_ipsec_action; 5418 sa_family_t af; 5419 int hashoffset; 5420 uint32_t seq; 5421 uint64_t unique_id = 0; 5422 boolean_t tunnel_mode = (ixa->ixa_flags & IXAF_IPSEC_TUNNEL) != 0; 5423 ts_label_t *tsl; 5424 netstack_t *ns = ixa->ixa_ipst->ips_netstack; 5425 ipsec_stack_t *ipss = ns->netstack_ipsec; 5426 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 5427 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 5428 ipsec_selector_t sel; 5429 queue_t *q; 5430 5431 ASSERT((pp != NULL) || (ap != NULL)); 5432 5433 ASSERT(need_ah || need_esp); 5434 5435 /* Assign sadb pointers */ 5436 if (need_esp) { 5437 /* 5438 * ESP happens first if we need both AH and ESP. 5439 */ 5440 spp = &espstack->esp_sadb; 5441 } else { 5442 spp = &ahstack->ah_sadb; 5443 } 5444 sp = (ixa->ixa_flags & IXAF_IS_IPV4) ? &spp->s_v4 : &spp->s_v6; 5445 5446 if (is_system_labeled()) 5447 tsl = ixa->ixa_tsl; 5448 else 5449 tsl = NULL; 5450 5451 if (ap == NULL) 5452 ap = pp->ipsp_act; 5453 ASSERT(ap != NULL); 5454 5455 if (ap->ipa_act.ipa_apply.ipp_use_unique || tunnel_mode) 5456 unique_id = SA_FORM_UNIQUE_ID(ixa); 5457 5458 /* 5459 * Set up an ACQUIRE record. 5460 * 5461 * Immediately, make sure the ACQUIRE sequence number doesn't slip 5462 * below the lowest point allowed in the kernel. (In other words, 5463 * make sure the high bit on the sequence number is set.) 5464 */ 5465 5466 seq = keysock_next_seq(ns) | IACQF_LOWEST_SEQ; 5467 5468 if (IPH_HDR_VERSION(ipha) == IP_VERSION) { 5469 src = (uint32_t *)&ipha->ipha_src; 5470 dst = (uint32_t *)&ipha->ipha_dst; 5471 af = AF_INET; 5472 hashoffset = OUTBOUND_HASH_V4(sp, ipha->ipha_dst); 5473 ASSERT(ixa->ixa_flags & IXAF_IS_IPV4); 5474 } else { 5475 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION); 5476 src = (uint32_t *)&ip6h->ip6_src; 5477 dst = (uint32_t *)&ip6h->ip6_dst; 5478 af = AF_INET6; 5479 hashoffset = OUTBOUND_HASH_V6(sp, ip6h->ip6_dst); 5480 ASSERT(!(ixa->ixa_flags & IXAF_IS_IPV4)); 5481 } 5482 5483 if (tunnel_mode) { 5484 if (pp == NULL) { 5485 /* 5486 * Tunnel mode with no policy pointer means this is a 5487 * reflected ICMP (like a ECHO REQUEST) that came in 5488 * with self-encapsulated protection. Until we better 5489 * support this, drop the packet. 5490 */ 5491 ip_drop_packet(datamp, B_FALSE, NULL, 5492 DROPPER(ipss, ipds_spd_got_selfencap), 5493 &ipss->ipsec_spd_dropper); 5494 return; 5495 } 5496 /* Snag inner addresses. */ 5497 isrc = ixa->ixa_ipsec_insrc; 5498 idst = ixa->ixa_ipsec_indst; 5499 } else { 5500 isrc = idst = NULL; 5501 } 5502 5503 /* 5504 * Check buckets to see if there is an existing entry. If so, 5505 * grab it. sadb_checkacquire locks newbie if found. 5506 */ 5507 bucket = &(sp->sdb_acq[hashoffset]); 5508 mutex_enter(&bucket->iacqf_lock); 5509 newbie = sadb_checkacquire(bucket, ap, pp, src, dst, isrc, idst, 5510 unique_id, tsl); 5511 5512 if (newbie == NULL) { 5513 /* 5514 * Otherwise, allocate a new one. 5515 */ 5516 newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP); 5517 if (newbie == NULL) { 5518 mutex_exit(&bucket->iacqf_lock); 5519 ip_drop_packet(datamp, B_FALSE, NULL, 5520 DROPPER(ipss, ipds_sadb_acquire_nomem), 5521 &ipss->ipsec_sadb_dropper); 5522 return; 5523 } 5524 newbie->ipsacq_policy = pp; 5525 if (pp != NULL) { 5526 IPPOL_REFHOLD(pp); 5527 } 5528 IPACT_REFHOLD(ap); 5529 newbie->ipsacq_act = ap; 5530 newbie->ipsacq_linklock = &bucket->iacqf_lock; 5531 newbie->ipsacq_next = bucket->iacqf_ipsacq; 5532 newbie->ipsacq_ptpn = &bucket->iacqf_ipsacq; 5533 if (newbie->ipsacq_next != NULL) 5534 newbie->ipsacq_next->ipsacq_ptpn = &newbie->ipsacq_next; 5535 5536 bucket->iacqf_ipsacq = newbie; 5537 mutex_init(&newbie->ipsacq_lock, NULL, MUTEX_DEFAULT, NULL); 5538 mutex_enter(&newbie->ipsacq_lock); 5539 } 5540 5541 /* 5542 * XXX MLS does it actually help us to drop the bucket lock here? 5543 * we have inserted a half-built, locked acquire record into the 5544 * bucket. any competing thread will now be able to lock the bucket 5545 * to scan it, but will immediately pile up on the new acquire 5546 * record's lock; I don't think we gain anything here other than to 5547 * disperse blame for lock contention. 5548 * 5549 * we might be able to dispense with acquire record locks entirely.. 5550 * just use the bucket locks.. 5551 */ 5552 5553 mutex_exit(&bucket->iacqf_lock); 5554 5555 /* 5556 * This assert looks silly for now, but we may need to enter newbie's 5557 * mutex during a search. 5558 */ 5559 ASSERT(MUTEX_HELD(&newbie->ipsacq_lock)); 5560 5561 /* 5562 * Make the ip_xmit_attr_t into something we can queue. 5563 * If no memory it frees datamp. 5564 */ 5565 asyncmp = ip_xmit_attr_to_mblk(ixa); 5566 if (asyncmp != NULL) 5567 linkb(asyncmp, datamp); 5568 5569 /* Queue up packet. Use b_next. */ 5570 5571 if (asyncmp == NULL) { 5572 /* Statistics for allocation failure */ 5573 if (ixa->ixa_flags & IXAF_IS_IPV4) { 5574 BUMP_MIB(&ixa->ixa_ipst->ips_ip_mib, 5575 ipIfStatsOutDiscards); 5576 } else { 5577 BUMP_MIB(&ixa->ixa_ipst->ips_ip6_mib, 5578 ipIfStatsOutDiscards); 5579 } 5580 ip_drop_output("No memory for asyncmp", datamp, NULL); 5581 freemsg(datamp); 5582 /* 5583 * The acquire record will be freed quickly if it's new 5584 * (ipsacq_expire == 0), and will proceed as if no packet 5585 * showed up if not. 5586 */ 5587 mutex_exit(&newbie->ipsacq_lock); 5588 return; 5589 } else if (newbie->ipsacq_numpackets == 0) { 5590 /* First one. */ 5591 newbie->ipsacq_mp = asyncmp; 5592 newbie->ipsacq_numpackets = 1; 5593 newbie->ipsacq_expire = gethrestime_sec(); 5594 /* 5595 * Extended ACQUIRE with both AH+ESP will use ESP's timeout 5596 * value. 5597 */ 5598 newbie->ipsacq_expire += *spp->s_acquire_timeout; 5599 newbie->ipsacq_seq = seq; 5600 newbie->ipsacq_addrfam = af; 5601 5602 newbie->ipsacq_srcport = ixa->ixa_ipsec_src_port; 5603 newbie->ipsacq_dstport = ixa->ixa_ipsec_dst_port; 5604 newbie->ipsacq_icmp_type = ixa->ixa_ipsec_icmp_type; 5605 newbie->ipsacq_icmp_code = ixa->ixa_ipsec_icmp_code; 5606 if (tunnel_mode) { 5607 newbie->ipsacq_inneraddrfam = ixa->ixa_ipsec_inaf; 5608 newbie->ipsacq_proto = ixa->ixa_ipsec_inaf == AF_INET6 ? 5609 IPPROTO_IPV6 : IPPROTO_ENCAP; 5610 newbie->ipsacq_innersrcpfx = ixa->ixa_ipsec_insrcpfx; 5611 newbie->ipsacq_innerdstpfx = ixa->ixa_ipsec_indstpfx; 5612 IPSA_COPY_ADDR(newbie->ipsacq_innersrc, 5613 ixa->ixa_ipsec_insrc, ixa->ixa_ipsec_inaf); 5614 IPSA_COPY_ADDR(newbie->ipsacq_innerdst, 5615 ixa->ixa_ipsec_indst, ixa->ixa_ipsec_inaf); 5616 } else { 5617 newbie->ipsacq_proto = ixa->ixa_ipsec_proto; 5618 } 5619 newbie->ipsacq_unique_id = unique_id; 5620 5621 if (tsl != NULL) { 5622 label_hold(tsl); 5623 newbie->ipsacq_tsl = tsl; 5624 } 5625 } else { 5626 /* Scan to the end of the list & insert. */ 5627 mblk_t *lastone = newbie->ipsacq_mp; 5628 5629 while (lastone->b_next != NULL) 5630 lastone = lastone->b_next; 5631 lastone->b_next = asyncmp; 5632 if (newbie->ipsacq_numpackets++ == ipsacq_maxpackets) { 5633 newbie->ipsacq_numpackets = ipsacq_maxpackets; 5634 lastone = newbie->ipsacq_mp; 5635 newbie->ipsacq_mp = lastone->b_next; 5636 lastone->b_next = NULL; 5637 5638 /* Freeing the async message */ 5639 lastone = ip_xmit_attr_free_mblk(lastone); 5640 ip_drop_packet(lastone, B_FALSE, NULL, 5641 DROPPER(ipss, ipds_sadb_acquire_toofull), 5642 &ipss->ipsec_sadb_dropper); 5643 } else { 5644 IP_ACQUIRE_STAT(ipss, qhiwater, 5645 newbie->ipsacq_numpackets); 5646 } 5647 } 5648 5649 /* 5650 * Reset addresses. Set them to the most recently added mblk chain, 5651 * so that the address pointers in the acquire record will point 5652 * at an mblk still attached to the acquire list. 5653 */ 5654 5655 newbie->ipsacq_srcaddr = src; 5656 newbie->ipsacq_dstaddr = dst; 5657 5658 /* 5659 * If the acquire record has more than one queued packet, we've 5660 * already sent an ACQUIRE, and don't need to repeat ourself. 5661 */ 5662 if (newbie->ipsacq_seq != seq || newbie->ipsacq_numpackets > 1) { 5663 /* I have an acquire outstanding already! */ 5664 mutex_exit(&newbie->ipsacq_lock); 5665 return; 5666 } 5667 5668 if (need_esp) { 5669 ESP_BUMP_STAT(espstack, acquire_requests); 5670 q = espstack->esp_pfkey_q; 5671 } else { 5672 /* 5673 * Two cases get us here: 5674 * 1.) AH-only policy. 5675 * 5676 * 2.) A continuation of an AH+ESP policy, and this is the 5677 * post-ESP, AH-needs-to-send-a-regular-ACQUIRE case. 5678 * (i.e. called from esp_do_outbound_ah().) 5679 */ 5680 AH_BUMP_STAT(ahstack, acquire_requests); 5681 q = ahstack->ah_pfkey_q; 5682 } 5683 5684 /* 5685 * Get selectors and other policy-expression bits needed for an 5686 * ACQUIRE. 5687 */ 5688 bzero(&sel, sizeof (sel)); 5689 sel.ips_isv4 = (ixa->ixa_flags & IXAF_IS_IPV4) != 0; 5690 if (tunnel_mode) { 5691 sel.ips_protocol = (ixa->ixa_ipsec_inaf == AF_INET) ? 5692 IPPROTO_ENCAP : IPPROTO_IPV6; 5693 } else { 5694 sel.ips_protocol = ixa->ixa_ipsec_proto; 5695 sel.ips_local_port = ixa->ixa_ipsec_src_port; 5696 sel.ips_remote_port = ixa->ixa_ipsec_dst_port; 5697 } 5698 sel.ips_icmp_type = ixa->ixa_ipsec_icmp_type; 5699 sel.ips_icmp_code = ixa->ixa_ipsec_icmp_code; 5700 sel.ips_is_icmp_inv_acq = 0; 5701 if (af == AF_INET) { 5702 sel.ips_local_addr_v4 = ipha->ipha_src; 5703 sel.ips_remote_addr_v4 = ipha->ipha_dst; 5704 } else { 5705 sel.ips_local_addr_v6 = ip6h->ip6_src; 5706 sel.ips_remote_addr_v6 = ip6h->ip6_dst; 5707 } 5708 5709 5710 /* 5711 * 1. Generate addresses, kmc, and sensitivity. These are "common" 5712 * and should be an mblk pointed to by common. TBD -- eventually it 5713 * will include triggering packet contents as more address extensions. 5714 * 5715 * 2. Generate ACQUIRE & KEYSOCK_OUT and single-protocol proposal. 5716 * These are "regular" and "prop". String regular->b_cont->b_cont = 5717 * common, common->b_cont = prop. 5718 * 5719 * 3. If extended register got turned on, generate EXT_ACQUIRE & 5720 * KEYSOCK_OUT and multi-protocol eprop. These are "extended" and 5721 * "eprop". String extended->b_cont->b_cont = dupb(common) and 5722 * extended->b_cont->b_cont->b_cont = prop. 5723 * 5724 * 4. Deliver: putnext(q, regular) and if there, putnext(q, extended). 5725 */ 5726 5727 regular = extended = prop = eprop = NULL; 5728 5729 common = sadb_acquire_msg_common(&sel, pp, ap, tunnel_mode, tsl, NULL); 5730 if (common == NULL) 5731 goto bail; 5732 5733 regular = sadb_acquire_msg_base(0, (need_esp ? 5734 SADB_SATYPE_ESP : SADB_SATYPE_AH), newbie->ipsacq_seq, 0); 5735 if (regular == NULL) 5736 goto bail; 5737 5738 /* 5739 * Pardon the boolean cleverness. At least one of need_* must be true. 5740 * If they are equal, it's an AH & ESP policy and ESP needs to go 5741 * first. If they aren't, just check the contents of need_esp. 5742 */ 5743 prop = sadb_acquire_prop(ap, ns, need_esp); 5744 if (prop == NULL) 5745 goto bail; 5746 5747 /* Link the parts together. */ 5748 regular->b_cont->b_cont = common; 5749 common->b_cont = prop; 5750 /* 5751 * Prop is now linked, so don't freemsg() it if the extended 5752 * construction goes off the rails. 5753 */ 5754 prop = NULL; 5755 5756 ((sadb_msg_t *)(regular->b_cont->b_rptr))->sadb_msg_len = 5757 SADB_8TO64(msgsize(regular->b_cont)); 5758 5759 /* 5760 * If we need an extended ACQUIRE, build it here. 5761 */ 5762 if (keysock_extended_reg(ns)) { 5763 /* NOTE: "common" still points to what we need. */ 5764 extended = sadb_acquire_msg_base(0, 0, newbie->ipsacq_seq, 0); 5765 if (extended == NULL) { 5766 common = NULL; 5767 goto bail; 5768 } 5769 5770 extended->b_cont->b_cont = dupb(common); 5771 common = NULL; 5772 if (extended->b_cont->b_cont == NULL) 5773 goto bail; 5774 5775 eprop = sadb_acquire_extended_prop(ap, ns); 5776 if (eprop == NULL) 5777 goto bail; 5778 extended->b_cont->b_cont->b_cont = eprop; 5779 5780 ((sadb_msg_t *)(extended->b_cont->b_rptr))->sadb_msg_len = 5781 SADB_8TO64(msgsize(extended->b_cont)); 5782 } 5783 5784 /* So we don't hold a lock across putnext()... */ 5785 mutex_exit(&newbie->ipsacq_lock); 5786 5787 if (extended != NULL) 5788 putnext(q, extended); 5789 ASSERT(regular != NULL); 5790 putnext(q, regular); 5791 return; 5792 5793 bail: 5794 /* Make this acquire record go away quickly... */ 5795 newbie->ipsacq_expire = 0; 5796 /* Exploit freemsg(NULL) being legal for fun & profit. */ 5797 freemsg(common); 5798 freemsg(prop); 5799 freemsg(extended); 5800 freemsg(regular); 5801 mutex_exit(&newbie->ipsacq_lock); 5802 } 5803 5804 /* 5805 * Unlink and free an acquire record. 5806 */ 5807 void 5808 sadb_destroy_acquire(ipsacq_t *acqrec, netstack_t *ns) 5809 { 5810 mblk_t *mp; 5811 ipsec_stack_t *ipss = ns->netstack_ipsec; 5812 5813 ASSERT(MUTEX_HELD(acqrec->ipsacq_linklock)); 5814 5815 if (acqrec->ipsacq_policy != NULL) { 5816 IPPOL_REFRELE(acqrec->ipsacq_policy); 5817 } 5818 if (acqrec->ipsacq_act != NULL) { 5819 IPACT_REFRELE(acqrec->ipsacq_act); 5820 } 5821 5822 /* Unlink */ 5823 *(acqrec->ipsacq_ptpn) = acqrec->ipsacq_next; 5824 if (acqrec->ipsacq_next != NULL) 5825 acqrec->ipsacq_next->ipsacq_ptpn = acqrec->ipsacq_ptpn; 5826 5827 if (acqrec->ipsacq_tsl != NULL) { 5828 label_rele(acqrec->ipsacq_tsl); 5829 acqrec->ipsacq_tsl = NULL; 5830 } 5831 5832 /* 5833 * Free hanging mp's. 5834 * 5835 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED. 5836 */ 5837 5838 mutex_enter(&acqrec->ipsacq_lock); 5839 while (acqrec->ipsacq_mp != NULL) { 5840 mp = acqrec->ipsacq_mp; 5841 acqrec->ipsacq_mp = mp->b_next; 5842 mp->b_next = NULL; 5843 /* Freeing the async message */ 5844 mp = ip_xmit_attr_free_mblk(mp); 5845 ip_drop_packet(mp, B_FALSE, NULL, 5846 DROPPER(ipss, ipds_sadb_acquire_timeout), 5847 &ipss->ipsec_sadb_dropper); 5848 } 5849 mutex_exit(&acqrec->ipsacq_lock); 5850 5851 /* Free */ 5852 mutex_destroy(&acqrec->ipsacq_lock); 5853 kmem_free(acqrec, sizeof (*acqrec)); 5854 } 5855 5856 /* 5857 * Destroy an acquire list fanout. 5858 */ 5859 static void 5860 sadb_destroy_acqlist(iacqf_t **listp, uint_t numentries, boolean_t forever, 5861 netstack_t *ns) 5862 { 5863 int i; 5864 iacqf_t *list = *listp; 5865 5866 if (list == NULL) 5867 return; 5868 5869 for (i = 0; i < numentries; i++) { 5870 mutex_enter(&(list[i].iacqf_lock)); 5871 while (list[i].iacqf_ipsacq != NULL) 5872 sadb_destroy_acquire(list[i].iacqf_ipsacq, ns); 5873 mutex_exit(&(list[i].iacqf_lock)); 5874 if (forever) 5875 mutex_destroy(&(list[i].iacqf_lock)); 5876 } 5877 5878 if (forever) { 5879 *listp = NULL; 5880 kmem_free(list, numentries * sizeof (*list)); 5881 } 5882 } 5883 5884 /* 5885 * Create an algorithm descriptor for an extended ACQUIRE. Filter crypto 5886 * framework's view of reality vs. IPsec's. EF's wins, BTW. 5887 */ 5888 static uint8_t * 5889 sadb_new_algdesc(uint8_t *start, uint8_t *limit, 5890 sadb_x_ecomb_t *ecomb, uint8_t satype, uint8_t algtype, 5891 uint8_t alg, uint16_t minbits, uint16_t maxbits, ipsec_stack_t *ipss) 5892 { 5893 uint8_t *cur = start; 5894 ipsec_alginfo_t *algp; 5895 sadb_x_algdesc_t *algdesc = (sadb_x_algdesc_t *)cur; 5896 5897 cur += sizeof (*algdesc); 5898 if (cur >= limit) 5899 return (NULL); 5900 5901 ecomb->sadb_x_ecomb_numalgs++; 5902 5903 /* 5904 * Normalize vs. crypto framework's limits. This way, you can specify 5905 * a stronger policy, and when the framework loads a stronger version, 5906 * you can just keep plowing w/o rewhacking your SPD. 5907 */ 5908 rw_enter(&ipss->ipsec_alg_lock, RW_READER); 5909 algp = ipss->ipsec_alglists[(algtype == SADB_X_ALGTYPE_AUTH) ? 5910 IPSEC_ALG_AUTH : IPSEC_ALG_ENCR][alg]; 5911 if (algp == NULL) { 5912 rw_exit(&ipss->ipsec_alg_lock); 5913 return (NULL); /* Algorithm doesn't exist. Fail gracefully. */ 5914 } 5915 if (minbits < algp->alg_ef_minbits) 5916 minbits = algp->alg_ef_minbits; 5917 if (maxbits > algp->alg_ef_maxbits) 5918 maxbits = algp->alg_ef_maxbits; 5919 rw_exit(&ipss->ipsec_alg_lock); 5920 5921 algdesc->sadb_x_algdesc_reserved = SADB_8TO1(algp->alg_saltlen); 5922 algdesc->sadb_x_algdesc_satype = satype; 5923 algdesc->sadb_x_algdesc_algtype = algtype; 5924 algdesc->sadb_x_algdesc_alg = alg; 5925 algdesc->sadb_x_algdesc_minbits = minbits; 5926 algdesc->sadb_x_algdesc_maxbits = maxbits; 5927 5928 return (cur); 5929 } 5930 5931 /* 5932 * Convert the given ipsec_action_t into an ecomb starting at *ecomb 5933 * which must fit before *limit 5934 * 5935 * return NULL if we ran out of room or a pointer to the end of the ecomb. 5936 */ 5937 static uint8_t * 5938 sadb_action_to_ecomb(uint8_t *start, uint8_t *limit, ipsec_action_t *act, 5939 netstack_t *ns) 5940 { 5941 uint8_t *cur = start; 5942 sadb_x_ecomb_t *ecomb = (sadb_x_ecomb_t *)cur; 5943 ipsec_prot_t *ipp; 5944 ipsec_stack_t *ipss = ns->netstack_ipsec; 5945 5946 cur += sizeof (*ecomb); 5947 if (cur >= limit) 5948 return (NULL); 5949 5950 ASSERT(act->ipa_act.ipa_type == IPSEC_ACT_APPLY); 5951 5952 ipp = &act->ipa_act.ipa_apply; 5953 5954 ecomb->sadb_x_ecomb_numalgs = 0; 5955 ecomb->sadb_x_ecomb_reserved = 0; 5956 ecomb->sadb_x_ecomb_reserved2 = 0; 5957 /* 5958 * No limits on allocations, since we really don't support that 5959 * concept currently. 5960 */ 5961 ecomb->sadb_x_ecomb_soft_allocations = 0; 5962 ecomb->sadb_x_ecomb_hard_allocations = 0; 5963 5964 /* 5965 * XXX TBD: Policy or global parameters will eventually be 5966 * able to fill in some of these. 5967 */ 5968 ecomb->sadb_x_ecomb_flags = 0; 5969 ecomb->sadb_x_ecomb_soft_bytes = 0; 5970 ecomb->sadb_x_ecomb_hard_bytes = 0; 5971 ecomb->sadb_x_ecomb_soft_addtime = 0; 5972 ecomb->sadb_x_ecomb_hard_addtime = 0; 5973 ecomb->sadb_x_ecomb_soft_usetime = 0; 5974 ecomb->sadb_x_ecomb_hard_usetime = 0; 5975 5976 if (ipp->ipp_use_ah) { 5977 cur = sadb_new_algdesc(cur, limit, ecomb, 5978 SADB_SATYPE_AH, SADB_X_ALGTYPE_AUTH, ipp->ipp_auth_alg, 5979 ipp->ipp_ah_minbits, ipp->ipp_ah_maxbits, ipss); 5980 if (cur == NULL) 5981 return (NULL); 5982 ipsecah_fill_defs(ecomb, ns); 5983 } 5984 5985 if (ipp->ipp_use_esp) { 5986 if (ipp->ipp_use_espa) { 5987 cur = sadb_new_algdesc(cur, limit, ecomb, 5988 SADB_SATYPE_ESP, SADB_X_ALGTYPE_AUTH, 5989 ipp->ipp_esp_auth_alg, 5990 ipp->ipp_espa_minbits, 5991 ipp->ipp_espa_maxbits, ipss); 5992 if (cur == NULL) 5993 return (NULL); 5994 } 5995 5996 cur = sadb_new_algdesc(cur, limit, ecomb, 5997 SADB_SATYPE_ESP, SADB_X_ALGTYPE_CRYPT, 5998 ipp->ipp_encr_alg, 5999 ipp->ipp_espe_minbits, 6000 ipp->ipp_espe_maxbits, ipss); 6001 if (cur == NULL) 6002 return (NULL); 6003 /* Fill in lifetimes if and only if AH didn't already... */ 6004 if (!ipp->ipp_use_ah) 6005 ipsecesp_fill_defs(ecomb, ns); 6006 } 6007 6008 return (cur); 6009 } 6010 6011 #include <sys/tsol/label_macro.h> /* XXX should not need this */ 6012 6013 /* 6014 * From a cred_t, construct a sensitivity label extension 6015 * 6016 * We send up a fixed-size sensitivity label bitmap, and are perhaps 6017 * overly chummy with the underlying data structures here. 6018 */ 6019 6020 /* ARGSUSED */ 6021 int 6022 sadb_sens_len_from_label(ts_label_t *tsl) 6023 { 6024 int baselen = sizeof (sadb_sens_t) + _C_LEN * 4; 6025 return (roundup(baselen, sizeof (uint64_t))); 6026 } 6027 6028 void 6029 sadb_sens_from_label(sadb_sens_t *sens, int exttype, ts_label_t *tsl, 6030 int senslen) 6031 { 6032 uint8_t *bitmap; 6033 bslabel_t *sl; 6034 6035 /* LINTED */ 6036 ASSERT((_C_LEN & 1) == 0); 6037 ASSERT((senslen & 7) == 0); 6038 6039 sl = label2bslabel(tsl); 6040 6041 sens->sadb_sens_exttype = exttype; 6042 sens->sadb_sens_len = SADB_8TO64(senslen); 6043 6044 sens->sadb_sens_dpd = tsl->tsl_doi; 6045 sens->sadb_sens_sens_level = LCLASS(sl); 6046 sens->sadb_sens_integ_level = 0; /* TBD */ 6047 sens->sadb_sens_sens_len = _C_LEN >> 1; 6048 sens->sadb_sens_integ_len = 0; /* TBD */ 6049 sens->sadb_x_sens_flags = 0; 6050 6051 bitmap = (uint8_t *)(sens + 1); 6052 bcopy(&(((_bslabel_impl_t *)sl)->compartments), bitmap, _C_LEN * 4); 6053 } 6054 6055 /* 6056 * Okay, how do we report errors/invalid labels from this? 6057 * With a special designated "not a label" cred_t ? 6058 */ 6059 /* ARGSUSED */ 6060 ts_label_t * 6061 sadb_label_from_sens(sadb_sens_t *sens, uint64_t *bitmap) 6062 { 6063 int bitmap_len = SADB_64TO8(sens->sadb_sens_sens_len); 6064 bslabel_t sl; 6065 ts_label_t *tsl; 6066 6067 if (sens->sadb_sens_integ_level != 0) 6068 return (NULL); 6069 if (sens->sadb_sens_integ_len != 0) 6070 return (NULL); 6071 if (bitmap_len > _C_LEN * 4) 6072 return (NULL); 6073 6074 bsllow(&sl); 6075 LCLASS_SET((_bslabel_impl_t *)&sl, sens->sadb_sens_sens_level); 6076 bcopy(bitmap, &((_bslabel_impl_t *)&sl)->compartments, 6077 bitmap_len); 6078 6079 tsl = labelalloc(&sl, sens->sadb_sens_dpd, KM_NOSLEEP); 6080 if (tsl == NULL) 6081 return (NULL); 6082 6083 if (sens->sadb_x_sens_flags & SADB_X_SENS_UNLABELED) 6084 tsl->tsl_flags |= TSLF_UNLABELED; 6085 return (tsl); 6086 } 6087 6088 /* End XXX label-library-leakage */ 6089 6090 /* 6091 * Given an SADB_GETSPI message, find an appropriately ranged SA and 6092 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1. 6093 * If there was a memory allocation error, return NULL. (Assume NULL != 6094 * (ipsa_t *)-1). 6095 * 6096 * master_spi is passed in host order. 6097 */ 6098 ipsa_t * 6099 sadb_getspi(keysock_in_t *ksi, uint32_t master_spi, int *diagnostic, 6100 netstack_t *ns, uint_t sa_type) 6101 { 6102 sadb_address_t *src = 6103 (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC], 6104 *dst = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; 6105 sadb_spirange_t *range = 6106 (sadb_spirange_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE]; 6107 struct sockaddr_in *ssa, *dsa; 6108 struct sockaddr_in6 *ssa6, *dsa6; 6109 uint32_t *srcaddr, *dstaddr; 6110 sa_family_t af; 6111 uint32_t add, min, max; 6112 uint8_t protocol = 6113 (sa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP; 6114 6115 if (src == NULL) { 6116 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC; 6117 return ((ipsa_t *)-1); 6118 } 6119 if (dst == NULL) { 6120 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; 6121 return ((ipsa_t *)-1); 6122 } 6123 if (range == NULL) { 6124 *diagnostic = SADB_X_DIAGNOSTIC_MISSING_RANGE; 6125 return ((ipsa_t *)-1); 6126 } 6127 6128 min = ntohl(range->sadb_spirange_min); 6129 max = ntohl(range->sadb_spirange_max); 6130 dsa = (struct sockaddr_in *)(dst + 1); 6131 dsa6 = (struct sockaddr_in6 *)dsa; 6132 6133 ssa = (struct sockaddr_in *)(src + 1); 6134 ssa6 = (struct sockaddr_in6 *)ssa; 6135 ASSERT(dsa->sin_family == ssa->sin_family); 6136 6137 srcaddr = ALL_ZEROES_PTR; 6138 af = dsa->sin_family; 6139 switch (af) { 6140 case AF_INET: 6141 if (src != NULL) 6142 srcaddr = (uint32_t *)(&ssa->sin_addr); 6143 dstaddr = (uint32_t *)(&dsa->sin_addr); 6144 break; 6145 case AF_INET6: 6146 if (src != NULL) 6147 srcaddr = (uint32_t *)(&ssa6->sin6_addr); 6148 dstaddr = (uint32_t *)(&dsa6->sin6_addr); 6149 break; 6150 default: 6151 *diagnostic = SADB_X_DIAGNOSTIC_BAD_DST_AF; 6152 return ((ipsa_t *)-1); 6153 } 6154 6155 if (master_spi < min || master_spi > max) { 6156 /* Return a random value in the range. */ 6157 if (cl_inet_getspi) { 6158 cl_inet_getspi(ns->netstack_stackid, protocol, 6159 (uint8_t *)&add, sizeof (add), NULL); 6160 } else { 6161 (void) random_get_pseudo_bytes((uint8_t *)&add, 6162 sizeof (add)); 6163 } 6164 master_spi = min + (add % (max - min + 1)); 6165 } 6166 6167 /* 6168 * Since master_spi is passed in host order, we need to htonl() it 6169 * for the purposes of creating a new SA. 6170 */ 6171 return (sadb_makelarvalassoc(htonl(master_spi), srcaddr, dstaddr, af, 6172 ns)); 6173 } 6174 6175 /* 6176 * 6177 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the 6178 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list 6179 * and scan for the sequence number in question. I may wish to accept an 6180 * address pair with it, for easier searching. 6181 * 6182 * Caller frees the message, so we don't have to here. 6183 * 6184 * NOTE: The pfkey_q parameter may be used in the future for ACQUIRE 6185 * failures. 6186 */ 6187 /* ARGSUSED */ 6188 void 6189 sadb_in_acquire(sadb_msg_t *samsg, sadbp_t *sp, queue_t *pfkey_q, 6190 netstack_t *ns) 6191 { 6192 int i; 6193 ipsacq_t *acqrec; 6194 iacqf_t *bucket; 6195 6196 /* 6197 * I only accept the base header for this! 6198 * Though to be honest, requiring the dst address would help 6199 * immensely. 6200 * 6201 * XXX There are already cases where I can get the dst address. 6202 */ 6203 if (samsg->sadb_msg_len > SADB_8TO64(sizeof (*samsg))) 6204 return; 6205 6206 /* 6207 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it, 6208 * (and in the future send a message to IP with the appropriate error 6209 * number). 6210 * 6211 * Q: Do I want to reject if pid != 0? 6212 */ 6213 6214 for (i = 0; i < sp->s_v4.sdb_hashsize; i++) { 6215 bucket = &sp->s_v4.sdb_acq[i]; 6216 mutex_enter(&bucket->iacqf_lock); 6217 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 6218 acqrec = acqrec->ipsacq_next) { 6219 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 6220 break; /* for acqrec... loop. */ 6221 } 6222 if (acqrec != NULL) 6223 break; /* for i = 0... loop. */ 6224 6225 mutex_exit(&bucket->iacqf_lock); 6226 } 6227 6228 if (acqrec == NULL) { 6229 for (i = 0; i < sp->s_v6.sdb_hashsize; i++) { 6230 bucket = &sp->s_v6.sdb_acq[i]; 6231 mutex_enter(&bucket->iacqf_lock); 6232 for (acqrec = bucket->iacqf_ipsacq; acqrec != NULL; 6233 acqrec = acqrec->ipsacq_next) { 6234 if (samsg->sadb_msg_seq == acqrec->ipsacq_seq) 6235 break; /* for acqrec... loop. */ 6236 } 6237 if (acqrec != NULL) 6238 break; /* for i = 0... loop. */ 6239 6240 mutex_exit(&bucket->iacqf_lock); 6241 } 6242 } 6243 6244 6245 if (acqrec == NULL) 6246 return; 6247 6248 /* 6249 * What do I do with the errno and IP? I may need mp's services a 6250 * little more. See sadb_destroy_acquire() for future directions 6251 * beyond free the mblk chain on the acquire record. 6252 */ 6253 6254 ASSERT(&bucket->iacqf_lock == acqrec->ipsacq_linklock); 6255 sadb_destroy_acquire(acqrec, ns); 6256 /* Have to exit mutex here, because of breaking out of for loop. */ 6257 mutex_exit(&bucket->iacqf_lock); 6258 } 6259 6260 /* 6261 * The following functions work with the replay windows of an SA. They assume 6262 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector 6263 * represents the highest sequence number packet received, and back 6264 * (ipsa->ipsa_replay_wsize) packets. 6265 */ 6266 6267 /* 6268 * Is the replay bit set? 6269 */ 6270 static boolean_t 6271 ipsa_is_replay_set(ipsa_t *ipsa, uint32_t offset) 6272 { 6273 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 6274 6275 return ((bit & ipsa->ipsa_replay_arr[offset >> 6]) ? B_TRUE : B_FALSE); 6276 } 6277 6278 /* 6279 * Shift the bits of the replay window over. 6280 */ 6281 static void 6282 ipsa_shift_replay(ipsa_t *ipsa, uint32_t shift) 6283 { 6284 int i; 6285 int jump = ((shift - 1) >> 6) + 1; 6286 6287 if (shift == 0) 6288 return; 6289 6290 for (i = (ipsa->ipsa_replay_wsize - 1) >> 6; i >= 0; i--) { 6291 if (i + jump <= (ipsa->ipsa_replay_wsize - 1) >> 6) { 6292 ipsa->ipsa_replay_arr[i + jump] |= 6293 ipsa->ipsa_replay_arr[i] >> (64 - (shift & 63)); 6294 } 6295 ipsa->ipsa_replay_arr[i] <<= shift; 6296 } 6297 } 6298 6299 /* 6300 * Set a bit in the bit vector. 6301 */ 6302 static void 6303 ipsa_set_replay(ipsa_t *ipsa, uint32_t offset) 6304 { 6305 uint64_t bit = (uint64_t)1 << (uint64_t)(offset & 63); 6306 6307 ipsa->ipsa_replay_arr[offset >> 6] |= bit; 6308 } 6309 6310 #define SADB_MAX_REPLAY_VALUE 0xffffffff 6311 6312 /* 6313 * Assume caller has NOT done ntohl() already on seq. Check to see 6314 * if replay sequence number "seq" has been seen already. 6315 */ 6316 boolean_t 6317 sadb_replay_check(ipsa_t *ipsa, uint32_t seq) 6318 { 6319 boolean_t rc; 6320 uint32_t diff; 6321 6322 if (ipsa->ipsa_replay_wsize == 0) 6323 return (B_TRUE); 6324 6325 /* 6326 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek(). 6327 */ 6328 6329 /* Convert sequence number into host order before holding the mutex. */ 6330 seq = ntohl(seq); 6331 6332 mutex_enter(&ipsa->ipsa_lock); 6333 6334 /* Initialize inbound SA's ipsa_replay field to last one received. */ 6335 if (ipsa->ipsa_replay == 0) 6336 ipsa->ipsa_replay = 1; 6337 6338 if (seq > ipsa->ipsa_replay) { 6339 /* 6340 * I have received a new "highest value received". Shift 6341 * the replay window over. 6342 */ 6343 diff = seq - ipsa->ipsa_replay; 6344 if (diff < ipsa->ipsa_replay_wsize) { 6345 /* In replay window, shift bits over. */ 6346 ipsa_shift_replay(ipsa, diff); 6347 } else { 6348 /* WAY FAR AHEAD, clear bits and start again. */ 6349 bzero(ipsa->ipsa_replay_arr, 6350 sizeof (ipsa->ipsa_replay_arr)); 6351 } 6352 ipsa_set_replay(ipsa, 0); 6353 ipsa->ipsa_replay = seq; 6354 rc = B_TRUE; 6355 goto done; 6356 } 6357 diff = ipsa->ipsa_replay - seq; 6358 if (diff >= ipsa->ipsa_replay_wsize || ipsa_is_replay_set(ipsa, diff)) { 6359 rc = B_FALSE; 6360 goto done; 6361 } 6362 /* Set this packet as seen. */ 6363 ipsa_set_replay(ipsa, diff); 6364 6365 rc = B_TRUE; 6366 done: 6367 mutex_exit(&ipsa->ipsa_lock); 6368 return (rc); 6369 } 6370 6371 /* 6372 * "Peek" and see if we should even bother going through the effort of 6373 * running an authentication check on the sequence number passed in. 6374 * this takes into account packets that are below the replay window, 6375 * and collisions with already replayed packets. Return B_TRUE if it 6376 * is okay to proceed, B_FALSE if this packet should be dropped immediately. 6377 * Assume same byte-ordering as sadb_replay_check. 6378 */ 6379 boolean_t 6380 sadb_replay_peek(ipsa_t *ipsa, uint32_t seq) 6381 { 6382 boolean_t rc = B_FALSE; 6383 uint32_t diff; 6384 6385 if (ipsa->ipsa_replay_wsize == 0) 6386 return (B_TRUE); 6387 6388 /* 6389 * 0 is 0, regardless of byte order... :) 6390 * 6391 * If I get 0 on the wire (and there is a replay window) then the 6392 * sender most likely wrapped. This ipsa may need to be marked or 6393 * something. 6394 */ 6395 if (seq == 0) 6396 return (B_FALSE); 6397 6398 seq = ntohl(seq); 6399 mutex_enter(&ipsa->ipsa_lock); 6400 if (seq < ipsa->ipsa_replay - ipsa->ipsa_replay_wsize && 6401 ipsa->ipsa_replay >= ipsa->ipsa_replay_wsize) 6402 goto done; 6403 6404 /* 6405 * If I've hit 0xffffffff, then quite honestly, I don't need to 6406 * bother with formalities. I'm not accepting any more packets 6407 * on this SA. 6408 */ 6409 if (ipsa->ipsa_replay == SADB_MAX_REPLAY_VALUE) { 6410 /* 6411 * Since we're already holding the lock, update the 6412 * expire time ala. sadb_replay_delete() and return. 6413 */ 6414 ipsa->ipsa_hardexpiretime = (time_t)1; 6415 goto done; 6416 } 6417 6418 if (seq <= ipsa->ipsa_replay) { 6419 /* 6420 * This seq is in the replay window. I'm not below it, 6421 * because I already checked for that above! 6422 */ 6423 diff = ipsa->ipsa_replay - seq; 6424 if (ipsa_is_replay_set(ipsa, diff)) 6425 goto done; 6426 } 6427 /* Else return B_TRUE, I'm going to advance the window. */ 6428 6429 rc = B_TRUE; 6430 done: 6431 mutex_exit(&ipsa->ipsa_lock); 6432 return (rc); 6433 } 6434 6435 /* 6436 * Delete a single SA. 6437 * 6438 * For now, use the quick-and-dirty trick of making the association's 6439 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager(). 6440 */ 6441 void 6442 sadb_replay_delete(ipsa_t *assoc) 6443 { 6444 mutex_enter(&assoc->ipsa_lock); 6445 assoc->ipsa_hardexpiretime = (time_t)1; 6446 mutex_exit(&assoc->ipsa_lock); 6447 } 6448 6449 /* 6450 * Special front-end to ipsec_rl_strlog() dealing with SA failure. 6451 * this is designed to take only a format string with "* %x * %s *", so 6452 * that "spi" is printed first, then "addr" is converted using inet_pton(). 6453 * 6454 * This is abstracted out to save the stack space for only when inet_pton() 6455 * is called. Make sure "spi" is in network order; it usually is when this 6456 * would get called. 6457 */ 6458 void 6459 ipsec_assocfailure(short mid, short sid, char level, ushort_t sl, char *fmt, 6460 uint32_t spi, void *addr, int af, netstack_t *ns) 6461 { 6462 char buf[INET6_ADDRSTRLEN]; 6463 6464 ASSERT(af == AF_INET6 || af == AF_INET); 6465 6466 ipsec_rl_strlog(ns, mid, sid, level, sl, fmt, ntohl(spi), 6467 inet_ntop(af, addr, buf, sizeof (buf))); 6468 } 6469 6470 /* 6471 * Fills in a reference to the policy, if any, from the conn, in *ppp 6472 */ 6473 static void 6474 ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp) 6475 { 6476 ipsec_policy_t *pp; 6477 ipsec_latch_t *ipl = connp->conn_latch; 6478 6479 if ((ipl != NULL) && (connp->conn_ixa->ixa_ipsec_policy != NULL)) { 6480 pp = connp->conn_ixa->ixa_ipsec_policy; 6481 IPPOL_REFHOLD(pp); 6482 } else { 6483 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, sel, 6484 connp->conn_netstack); 6485 } 6486 *ppp = pp; 6487 } 6488 6489 /* 6490 * The following functions scan through active conn_t structures 6491 * and return a reference to the best-matching policy it can find. 6492 * Caller must release the reference. 6493 */ 6494 static void 6495 ipsec_udp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) 6496 { 6497 connf_t *connfp; 6498 conn_t *connp = NULL; 6499 ipsec_selector_t portonly; 6500 6501 bzero((void *)&portonly, sizeof (portonly)); 6502 6503 if (sel->ips_local_port == 0) 6504 return; 6505 6506 connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(sel->ips_local_port, 6507 ipst)]; 6508 mutex_enter(&connfp->connf_lock); 6509 6510 if (sel->ips_isv4) { 6511 connp = connfp->connf_head; 6512 while (connp != NULL) { 6513 if (IPCL_UDP_MATCH(connp, sel->ips_local_port, 6514 sel->ips_local_addr_v4, sel->ips_remote_port, 6515 sel->ips_remote_addr_v4)) 6516 break; 6517 connp = connp->conn_next; 6518 } 6519 6520 if (connp == NULL) { 6521 /* Try port-only match in IPv6. */ 6522 portonly.ips_local_port = sel->ips_local_port; 6523 sel = &portonly; 6524 } 6525 } 6526 6527 if (connp == NULL) { 6528 connp = connfp->connf_head; 6529 while (connp != NULL) { 6530 if (IPCL_UDP_MATCH_V6(connp, sel->ips_local_port, 6531 sel->ips_local_addr_v6, sel->ips_remote_port, 6532 sel->ips_remote_addr_v6)) 6533 break; 6534 connp = connp->conn_next; 6535 } 6536 6537 if (connp == NULL) { 6538 mutex_exit(&connfp->connf_lock); 6539 return; 6540 } 6541 } 6542 6543 CONN_INC_REF(connp); 6544 mutex_exit(&connfp->connf_lock); 6545 6546 ipsec_conn_pol(sel, connp, ppp); 6547 CONN_DEC_REF(connp); 6548 } 6549 6550 static conn_t * 6551 ipsec_find_listen_conn(uint16_t *pptr, ipsec_selector_t *sel, ip_stack_t *ipst) 6552 { 6553 connf_t *connfp; 6554 conn_t *connp = NULL; 6555 const in6_addr_t *v6addrmatch = &sel->ips_local_addr_v6; 6556 6557 if (sel->ips_local_port == 0) 6558 return (NULL); 6559 6560 connfp = &ipst->ips_ipcl_bind_fanout[ 6561 IPCL_BIND_HASH(sel->ips_local_port, ipst)]; 6562 mutex_enter(&connfp->connf_lock); 6563 6564 if (sel->ips_isv4) { 6565 connp = connfp->connf_head; 6566 while (connp != NULL) { 6567 if (IPCL_BIND_MATCH(connp, IPPROTO_TCP, 6568 sel->ips_local_addr_v4, pptr[1])) 6569 break; 6570 connp = connp->conn_next; 6571 } 6572 6573 if (connp == NULL) { 6574 /* Match to all-zeroes. */ 6575 v6addrmatch = &ipv6_all_zeros; 6576 } 6577 } 6578 6579 if (connp == NULL) { 6580 connp = connfp->connf_head; 6581 while (connp != NULL) { 6582 if (IPCL_BIND_MATCH_V6(connp, IPPROTO_TCP, 6583 *v6addrmatch, pptr[1])) 6584 break; 6585 connp = connp->conn_next; 6586 } 6587 6588 if (connp == NULL) { 6589 mutex_exit(&connfp->connf_lock); 6590 return (NULL); 6591 } 6592 } 6593 6594 CONN_INC_REF(connp); 6595 mutex_exit(&connfp->connf_lock); 6596 return (connp); 6597 } 6598 6599 static void 6600 ipsec_tcp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst) 6601 { 6602 connf_t *connfp; 6603 conn_t *connp; 6604 uint32_t ports; 6605 uint16_t *pptr = (uint16_t *)&ports; 6606 6607 /* 6608 * Find TCP state in the following order: 6609 * 1.) Connected conns. 6610 * 2.) Listeners. 6611 * 6612 * Even though #2 will be the common case for inbound traffic, only 6613 * following this order insures correctness. 6614 */ 6615 6616 if (sel->ips_local_port == 0) 6617 return; 6618 6619 /* 6620 * 0 should be fport, 1 should be lport. SRC is the local one here. 6621 * See ipsec_construct_inverse_acquire() for details. 6622 */ 6623 pptr[0] = sel->ips_remote_port; 6624 pptr[1] = sel->ips_local_port; 6625 6626 connfp = &ipst->ips_ipcl_conn_fanout[ 6627 IPCL_CONN_HASH(sel->ips_remote_addr_v4, ports, ipst)]; 6628 mutex_enter(&connfp->connf_lock); 6629 connp = connfp->connf_head; 6630 6631 if (sel->ips_isv4) { 6632 while (connp != NULL) { 6633 if (IPCL_CONN_MATCH(connp, IPPROTO_TCP, 6634 sel->ips_remote_addr_v4, sel->ips_local_addr_v4, 6635 ports)) 6636 break; 6637 connp = connp->conn_next; 6638 } 6639 } else { 6640 while (connp != NULL) { 6641 if (IPCL_CONN_MATCH_V6(connp, IPPROTO_TCP, 6642 sel->ips_remote_addr_v6, sel->ips_local_addr_v6, 6643 ports)) 6644 break; 6645 connp = connp->conn_next; 6646 } 6647 } 6648 6649 if (connp != NULL) { 6650 CONN_INC_REF(connp); 6651 mutex_exit(&connfp->connf_lock); 6652 } else { 6653 mutex_exit(&connfp->connf_lock); 6654 6655 /* Try the listen hash. */ 6656 if ((connp = ipsec_find_listen_conn(pptr, sel, ipst)) == NULL) 6657 return; 6658 } 6659 6660 ipsec_conn_pol(sel, connp, ppp); 6661 CONN_DEC_REF(connp); 6662 } 6663 6664 static void 6665 ipsec_sctp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6666 ip_stack_t *ipst) 6667 { 6668 conn_t *connp; 6669 uint32_t ports; 6670 uint16_t *pptr = (uint16_t *)&ports; 6671 6672 /* 6673 * Find SCP state in the following order: 6674 * 1.) Connected conns. 6675 * 2.) Listeners. 6676 * 6677 * Even though #2 will be the common case for inbound traffic, only 6678 * following this order insures correctness. 6679 */ 6680 6681 if (sel->ips_local_port == 0) 6682 return; 6683 6684 /* 6685 * 0 should be fport, 1 should be lport. SRC is the local one here. 6686 * See ipsec_construct_inverse_acquire() for details. 6687 */ 6688 pptr[0] = sel->ips_remote_port; 6689 pptr[1] = sel->ips_local_port; 6690 6691 /* 6692 * For labeled systems, there's no need to check the 6693 * label here. It's known to be good as we checked 6694 * before allowing the connection to become bound. 6695 */ 6696 if (sel->ips_isv4) { 6697 in6_addr_t src, dst; 6698 6699 IN6_IPADDR_TO_V4MAPPED(sel->ips_remote_addr_v4, &dst); 6700 IN6_IPADDR_TO_V4MAPPED(sel->ips_local_addr_v4, &src); 6701 connp = sctp_find_conn(&dst, &src, ports, ALL_ZONES, 6702 0, ipst->ips_netstack->netstack_sctp); 6703 } else { 6704 connp = sctp_find_conn(&sel->ips_remote_addr_v6, 6705 &sel->ips_local_addr_v6, ports, ALL_ZONES, 6706 0, ipst->ips_netstack->netstack_sctp); 6707 } 6708 if (connp == NULL) 6709 return; 6710 ipsec_conn_pol(sel, connp, ppp); 6711 CONN_DEC_REF(connp); 6712 } 6713 6714 /* 6715 * Fill in a query for the SPD (in "sel") using two PF_KEY address extensions. 6716 * Returns 0 or errno, and always sets *diagnostic to something appropriate 6717 * to PF_KEY. 6718 * 6719 * NOTE: For right now, this function (and ipsec_selector_t for that matter), 6720 * ignore prefix lengths in the address extension. Since we match on first- 6721 * entered policies, this shouldn't matter. Also, since we normalize prefix- 6722 * set addresses to mask out the lower bits, we should get a suitable search 6723 * key for the SPD anyway. This is the function to change if the assumption 6724 * about suitable search keys is wrong. 6725 */ 6726 static int 6727 ipsec_get_inverse_acquire_sel(ipsec_selector_t *sel, sadb_address_t *srcext, 6728 sadb_address_t *dstext, int *diagnostic) 6729 { 6730 struct sockaddr_in *src, *dst; 6731 struct sockaddr_in6 *src6, *dst6; 6732 6733 *diagnostic = 0; 6734 6735 bzero(sel, sizeof (*sel)); 6736 sel->ips_protocol = srcext->sadb_address_proto; 6737 dst = (struct sockaddr_in *)(dstext + 1); 6738 if (dst->sin_family == AF_INET6) { 6739 dst6 = (struct sockaddr_in6 *)dst; 6740 src6 = (struct sockaddr_in6 *)(srcext + 1); 6741 if (src6->sin6_family != AF_INET6) { 6742 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6743 return (EINVAL); 6744 } 6745 sel->ips_remote_addr_v6 = dst6->sin6_addr; 6746 sel->ips_local_addr_v6 = src6->sin6_addr; 6747 if (sel->ips_protocol == IPPROTO_ICMPV6) { 6748 sel->ips_is_icmp_inv_acq = 1; 6749 } else { 6750 sel->ips_remote_port = dst6->sin6_port; 6751 sel->ips_local_port = src6->sin6_port; 6752 } 6753 sel->ips_isv4 = B_FALSE; 6754 } else { 6755 src = (struct sockaddr_in *)(srcext + 1); 6756 if (src->sin_family != AF_INET) { 6757 *diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6758 return (EINVAL); 6759 } 6760 sel->ips_remote_addr_v4 = dst->sin_addr.s_addr; 6761 sel->ips_local_addr_v4 = src->sin_addr.s_addr; 6762 if (sel->ips_protocol == IPPROTO_ICMP) { 6763 sel->ips_is_icmp_inv_acq = 1; 6764 } else { 6765 sel->ips_remote_port = dst->sin_port; 6766 sel->ips_local_port = src->sin_port; 6767 } 6768 sel->ips_isv4 = B_TRUE; 6769 } 6770 return (0); 6771 } 6772 6773 /* 6774 * We have encapsulation. 6775 * - Lookup tun_t by address and look for an associated 6776 * tunnel policy 6777 * - If there are inner selectors 6778 * - check ITPF_P_TUNNEL and ITPF_P_ACTIVE 6779 * - Look up tunnel policy based on selectors 6780 * - Else 6781 * - Sanity check the negotation 6782 * - If appropriate, fall through to global policy 6783 */ 6784 static int 6785 ipsec_tun_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6786 sadb_address_t *innsrcext, sadb_address_t *inndstext, ipsec_tun_pol_t *itp, 6787 int *diagnostic) 6788 { 6789 int err; 6790 ipsec_policy_head_t *polhead; 6791 6792 *diagnostic = 0; 6793 6794 /* Check for inner selectors and act appropriately */ 6795 6796 if (innsrcext != NULL) { 6797 /* Inner selectors present */ 6798 ASSERT(inndstext != NULL); 6799 if ((itp == NULL) || 6800 (itp->itp_flags & (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) != 6801 (ITPF_P_ACTIVE | ITPF_P_TUNNEL)) { 6802 /* 6803 * If inner packet selectors, we must have negotiate 6804 * tunnel and active policy. If the tunnel has 6805 * transport-mode policy set on it, or has no policy, 6806 * fail. 6807 */ 6808 return (ENOENT); 6809 } else { 6810 /* 6811 * Reset "sel" to indicate inner selectors. Pass 6812 * inner PF_KEY address extensions for this to happen. 6813 */ 6814 if ((err = ipsec_get_inverse_acquire_sel(sel, 6815 innsrcext, inndstext, diagnostic)) != 0) 6816 return (err); 6817 /* 6818 * Now look for a tunnel policy based on those inner 6819 * selectors. (Common code is below.) 6820 */ 6821 } 6822 } else { 6823 /* No inner selectors present */ 6824 if ((itp == NULL) || !(itp->itp_flags & ITPF_P_ACTIVE)) { 6825 /* 6826 * Transport mode negotiation with no tunnel policy 6827 * configured - return to indicate a global policy 6828 * check is needed. 6829 */ 6830 return (0); 6831 } else if (itp->itp_flags & ITPF_P_TUNNEL) { 6832 /* Tunnel mode set with no inner selectors. */ 6833 return (ENOENT); 6834 } 6835 /* 6836 * Else, this is a tunnel policy configured with ifconfig(1m) 6837 * or "negotiate transport" with ipsecconf(1m). We have an 6838 * itp with policy set based on any match, so don't bother 6839 * changing fields in "sel". 6840 */ 6841 } 6842 6843 ASSERT(itp != NULL); 6844 polhead = itp->itp_policy; 6845 ASSERT(polhead != NULL); 6846 rw_enter(&polhead->iph_lock, RW_READER); 6847 *ppp = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_INBOUND, sel); 6848 rw_exit(&polhead->iph_lock); 6849 6850 /* 6851 * Don't default to global if we didn't find a matching policy entry. 6852 * Instead, send ENOENT, just like if we hit a transport-mode tunnel. 6853 */ 6854 if (*ppp == NULL) 6855 return (ENOENT); 6856 6857 return (0); 6858 } 6859 6860 /* 6861 * For sctp conn_faddr is the primary address, hence this is of limited 6862 * use for sctp. 6863 */ 6864 static void 6865 ipsec_oth_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, 6866 ip_stack_t *ipst) 6867 { 6868 boolean_t isv4 = sel->ips_isv4; 6869 connf_t *connfp; 6870 conn_t *connp; 6871 6872 if (isv4) { 6873 connfp = &ipst->ips_ipcl_proto_fanout_v4[sel->ips_protocol]; 6874 } else { 6875 connfp = &ipst->ips_ipcl_proto_fanout_v6[sel->ips_protocol]; 6876 } 6877 6878 mutex_enter(&connfp->connf_lock); 6879 for (connp = connfp->connf_head; connp != NULL; 6880 connp = connp->conn_next) { 6881 if (isv4) { 6882 if ((connp->conn_laddr_v4 == INADDR_ANY || 6883 connp->conn_laddr_v4 == sel->ips_local_addr_v4) && 6884 (connp->conn_faddr_v4 == INADDR_ANY || 6885 connp->conn_faddr_v4 == sel->ips_remote_addr_v4)) 6886 break; 6887 } else { 6888 if ((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6) || 6889 IN6_ARE_ADDR_EQUAL(&connp->conn_laddr_v6, 6890 &sel->ips_local_addr_v6)) && 6891 (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) || 6892 IN6_ARE_ADDR_EQUAL(&connp->conn_faddr_v6, 6893 &sel->ips_remote_addr_v6))) 6894 break; 6895 } 6896 } 6897 if (connp == NULL) { 6898 mutex_exit(&connfp->connf_lock); 6899 return; 6900 } 6901 6902 CONN_INC_REF(connp); 6903 mutex_exit(&connfp->connf_lock); 6904 6905 ipsec_conn_pol(sel, connp, ppp); 6906 CONN_DEC_REF(connp); 6907 } 6908 6909 /* 6910 * Construct an inverse ACQUIRE reply based on: 6911 * 6912 * 1.) Current global policy. 6913 * 2.) An conn_t match depending on what all was passed in the extv[]. 6914 * 3.) A tunnel's policy head. 6915 * ... 6916 * N.) Other stuff TBD (e.g. identities) 6917 * 6918 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic 6919 * in this function so the caller can extract them where appropriately. 6920 * 6921 * The SRC address is the local one - just like an outbound ACQUIRE message. 6922 * 6923 * XXX MLS: key management supplies a label which we just reflect back up 6924 * again. clearly we need to involve the label in the rest of the checks. 6925 */ 6926 mblk_t * 6927 ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[], 6928 netstack_t *ns) 6929 { 6930 int err; 6931 int diagnostic; 6932 sadb_address_t *srcext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_SRC], 6933 *dstext = (sadb_address_t *)extv[SADB_EXT_ADDRESS_DST], 6934 *innsrcext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_SRC], 6935 *inndstext = (sadb_address_t *)extv[SADB_X_EXT_ADDRESS_INNER_DST]; 6936 sadb_sens_t *sens = (sadb_sens_t *)extv[SADB_EXT_SENSITIVITY]; 6937 struct sockaddr_in6 *src, *dst; 6938 struct sockaddr_in6 *isrc, *idst; 6939 ipsec_tun_pol_t *itp = NULL; 6940 ipsec_policy_t *pp = NULL; 6941 ipsec_selector_t sel, isel; 6942 mblk_t *retmp = NULL; 6943 ip_stack_t *ipst = ns->netstack_ip; 6944 6945 6946 /* Normalize addresses */ 6947 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)srcext, 0, ns) 6948 == KS_IN_ADDR_UNKNOWN) { 6949 err = EINVAL; 6950 diagnostic = SADB_X_DIAGNOSTIC_BAD_SRC; 6951 goto bail; 6952 } 6953 src = (struct sockaddr_in6 *)(srcext + 1); 6954 if (sadb_addrcheck(NULL, (mblk_t *)samsg, (sadb_ext_t *)dstext, 0, ns) 6955 == KS_IN_ADDR_UNKNOWN) { 6956 err = EINVAL; 6957 diagnostic = SADB_X_DIAGNOSTIC_BAD_DST; 6958 goto bail; 6959 } 6960 dst = (struct sockaddr_in6 *)(dstext + 1); 6961 if (src->sin6_family != dst->sin6_family) { 6962 err = EINVAL; 6963 diagnostic = SADB_X_DIAGNOSTIC_AF_MISMATCH; 6964 goto bail; 6965 } 6966 6967 /* Check for tunnel mode and act appropriately */ 6968 if (innsrcext != NULL) { 6969 if (inndstext == NULL) { 6970 err = EINVAL; 6971 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_DST; 6972 goto bail; 6973 } 6974 if (sadb_addrcheck(NULL, (mblk_t *)samsg, 6975 (sadb_ext_t *)innsrcext, 0, ns) == KS_IN_ADDR_UNKNOWN) { 6976 err = EINVAL; 6977 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC; 6978 goto bail; 6979 } 6980 isrc = (struct sockaddr_in6 *)(innsrcext + 1); 6981 if (sadb_addrcheck(NULL, (mblk_t *)samsg, 6982 (sadb_ext_t *)inndstext, 0, ns) == KS_IN_ADDR_UNKNOWN) { 6983 err = EINVAL; 6984 diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST; 6985 goto bail; 6986 } 6987 idst = (struct sockaddr_in6 *)(inndstext + 1); 6988 if (isrc->sin6_family != idst->sin6_family) { 6989 err = EINVAL; 6990 diagnostic = SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH; 6991 goto bail; 6992 } 6993 if (isrc->sin6_family != AF_INET && 6994 isrc->sin6_family != AF_INET6) { 6995 err = EINVAL; 6996 diagnostic = SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF; 6997 goto bail; 6998 } 6999 } else if (inndstext != NULL) { 7000 err = EINVAL; 7001 diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC; 7002 goto bail; 7003 } 7004 7005 /* Get selectors first, based on outer addresses */ 7006 err = ipsec_get_inverse_acquire_sel(&sel, srcext, dstext, &diagnostic); 7007 if (err != 0) 7008 goto bail; 7009 7010 /* Check for tunnel mode mismatches. */ 7011 if (innsrcext != NULL && 7012 ((isrc->sin6_family == AF_INET && 7013 sel.ips_protocol != IPPROTO_ENCAP && sel.ips_protocol != 0) || 7014 (isrc->sin6_family == AF_INET6 && 7015 sel.ips_protocol != IPPROTO_IPV6 && sel.ips_protocol != 0))) { 7016 err = EPROTOTYPE; 7017 goto bail; 7018 } 7019 7020 /* 7021 * Okay, we have the addresses and other selector information. 7022 * Let's first find a conn... 7023 */ 7024 pp = NULL; 7025 switch (sel.ips_protocol) { 7026 case IPPROTO_TCP: 7027 ipsec_tcp_pol(&sel, &pp, ipst); 7028 break; 7029 case IPPROTO_UDP: 7030 ipsec_udp_pol(&sel, &pp, ipst); 7031 break; 7032 case IPPROTO_SCTP: 7033 ipsec_sctp_pol(&sel, &pp, ipst); 7034 break; 7035 case IPPROTO_ENCAP: 7036 case IPPROTO_IPV6: 7037 /* 7038 * Assume sel.ips_remote_addr_* has the right address at 7039 * that exact position. 7040 */ 7041 itp = itp_get_byaddr((uint32_t *)(&sel.ips_local_addr_v6), 7042 (uint32_t *)(&sel.ips_remote_addr_v6), src->sin6_family, 7043 ipst); 7044 7045 if (innsrcext == NULL) { 7046 /* 7047 * Transport-mode tunnel, make sure we fake out isel 7048 * to contain something based on the outer protocol. 7049 */ 7050 bzero(&isel, sizeof (isel)); 7051 isel.ips_isv4 = (sel.ips_protocol == IPPROTO_ENCAP); 7052 } /* Else isel is initialized by ipsec_tun_pol(). */ 7053 err = ipsec_tun_pol(&isel, &pp, innsrcext, inndstext, itp, 7054 &diagnostic); 7055 /* 7056 * NOTE: isel isn't used for now, but in RFC 430x IPsec, it 7057 * may be. 7058 */ 7059 if (err != 0) 7060 goto bail; 7061 break; 7062 default: 7063 ipsec_oth_pol(&sel, &pp, ipst); 7064 break; 7065 } 7066 7067 /* 7068 * If we didn't find a matching conn_t or other policy head, take a 7069 * look in the global policy. 7070 */ 7071 if (pp == NULL) { 7072 pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, &sel, ns); 7073 if (pp == NULL) { 7074 /* There's no global policy. */ 7075 err = ENOENT; 7076 diagnostic = 0; 7077 goto bail; 7078 } 7079 } 7080 7081 ASSERT(pp != NULL); 7082 retmp = sadb_acquire_msg_base(0, 0, samsg->sadb_msg_seq, 7083 samsg->sadb_msg_pid); 7084 if (retmp != NULL) { 7085 /* Remove KEYSOCK_OUT, because caller constructs it instead. */ 7086 mblk_t *kso = retmp; 7087 7088 retmp = retmp->b_cont; 7089 freeb(kso); 7090 /* Append addresses... */ 7091 retmp->b_cont = sadb_acquire_msg_common(&sel, pp, NULL, 7092 (itp != NULL && (itp->itp_flags & ITPF_P_TUNNEL)), NULL, 7093 sens); 7094 if (retmp->b_cont == NULL) { 7095 freemsg(retmp); 7096 retmp = NULL; 7097 } 7098 /* And the policy result. */ 7099 retmp->b_cont->b_cont = 7100 sadb_acquire_extended_prop(pp->ipsp_act, ns); 7101 if (retmp->b_cont->b_cont == NULL) { 7102 freemsg(retmp); 7103 retmp = NULL; 7104 } 7105 ((sadb_msg_t *)retmp->b_rptr)->sadb_msg_len = 7106 SADB_8TO64(msgsize(retmp)); 7107 } 7108 7109 if (pp != NULL) { 7110 IPPOL_REFRELE(pp); 7111 } 7112 ASSERT(err == 0 && diagnostic == 0); 7113 if (retmp == NULL) 7114 err = ENOMEM; 7115 bail: 7116 if (itp != NULL) { 7117 ITP_REFRELE(itp, ns); 7118 } 7119 samsg->sadb_msg_errno = (uint8_t)err; 7120 samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic; 7121 return (retmp); 7122 } 7123 7124 /* 7125 * ipsa_lpkt is a one-element queue, only manipulated by the next two 7126 * functions. They have to hold the ipsa_lock because of potential races 7127 * between key management using SADB_UPDATE, and inbound packets that may 7128 * queue up on the larval SA (hence the 'l' in "lpkt"). 7129 */ 7130 7131 /* 7132 * sadb_set_lpkt: 7133 * 7134 * Returns the passed-in packet if the SA is no longer larval. 7135 * 7136 * Returns NULL if the SA is larval, and needs to be swapped into the SA for 7137 * processing after an SADB_UPDATE. 7138 */ 7139 mblk_t * 7140 sadb_set_lpkt(ipsa_t *ipsa, mblk_t *npkt, ip_recv_attr_t *ira) 7141 { 7142 mblk_t *opkt; 7143 7144 mutex_enter(&ipsa->ipsa_lock); 7145 opkt = ipsa->ipsa_lpkt; 7146 if (ipsa->ipsa_state == IPSA_STATE_LARVAL) { 7147 /* 7148 * Consume npkt and place it in the LARVAL SA's inbound 7149 * packet slot. 7150 */ 7151 mblk_t *attrmp; 7152 7153 attrmp = ip_recv_attr_to_mblk(ira); 7154 if (attrmp == NULL) { 7155 ill_t *ill = ira->ira_ill; 7156 7157 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards); 7158 ip_drop_input("ipIfStatsInDiscards", npkt, ill); 7159 freemsg(npkt); 7160 opkt = NULL; 7161 } else { 7162 ASSERT(attrmp->b_cont == NULL); 7163 attrmp->b_cont = npkt; 7164 ipsa->ipsa_lpkt = attrmp; 7165 } 7166 npkt = NULL; 7167 } else { 7168 /* 7169 * If not larval, we lost the race. NOTE: ipsa_lpkt may still 7170 * have been non-NULL in the non-larval case, because of 7171 * inbound packets arriving prior to sadb_common_add() 7172 * transferring the SA completely out of larval state, but 7173 * after lpkt was grabbed by the AH/ESP-specific add routines. 7174 * We should clear the old ipsa_lpkt in this case to make sure 7175 * that it doesn't linger on the now-MATURE IPsec SA, or get 7176 * picked up as an out-of-order packet. 7177 */ 7178 ipsa->ipsa_lpkt = NULL; 7179 } 7180 mutex_exit(&ipsa->ipsa_lock); 7181 7182 if (opkt != NULL) { 7183 ipsec_stack_t *ipss; 7184 7185 ipss = ira->ira_ill->ill_ipst->ips_netstack->netstack_ipsec; 7186 opkt = ip_recv_attr_free_mblk(opkt); 7187 ip_drop_packet(opkt, B_TRUE, ira->ira_ill, 7188 DROPPER(ipss, ipds_sadb_inlarval_replace), 7189 &ipss->ipsec_sadb_dropper); 7190 } 7191 return (npkt); 7192 } 7193 7194 /* 7195 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the 7196 * previous value. 7197 */ 7198 mblk_t * 7199 sadb_clear_lpkt(ipsa_t *ipsa) 7200 { 7201 mblk_t *opkt; 7202 7203 mutex_enter(&ipsa->ipsa_lock); 7204 opkt = ipsa->ipsa_lpkt; 7205 ipsa->ipsa_lpkt = NULL; 7206 mutex_exit(&ipsa->ipsa_lock); 7207 return (opkt); 7208 } 7209 7210 /* 7211 * Buffer a packet that's in IDLE state as set by Solaris Clustering. 7212 */ 7213 void 7214 sadb_buf_pkt(ipsa_t *ipsa, mblk_t *bpkt, ip_recv_attr_t *ira) 7215 { 7216 netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack; 7217 ipsec_stack_t *ipss = ns->netstack_ipsec; 7218 in6_addr_t *srcaddr = (in6_addr_t *)(&ipsa->ipsa_srcaddr); 7219 in6_addr_t *dstaddr = (in6_addr_t *)(&ipsa->ipsa_dstaddr); 7220 mblk_t *mp; 7221 7222 ASSERT(ipsa->ipsa_state == IPSA_STATE_IDLE); 7223 7224 if (cl_inet_idlesa == NULL) { 7225 ip_drop_packet(bpkt, B_TRUE, ira->ira_ill, 7226 DROPPER(ipss, ipds_sadb_inidle_overflow), 7227 &ipss->ipsec_sadb_dropper); 7228 return; 7229 } 7230 7231 cl_inet_idlesa(ns->netstack_stackid, 7232 (ipsa->ipsa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP, 7233 ipsa->ipsa_spi, ipsa->ipsa_addrfam, *srcaddr, *dstaddr, NULL); 7234 7235 mp = ip_recv_attr_to_mblk(ira); 7236 if (mp == NULL) { 7237 ip_drop_packet(bpkt, B_TRUE, ira->ira_ill, 7238 DROPPER(ipss, ipds_sadb_inidle_overflow), 7239 &ipss->ipsec_sadb_dropper); 7240 return; 7241 } 7242 linkb(mp, bpkt); 7243 7244 mutex_enter(&ipsa->ipsa_lock); 7245 ipsa->ipsa_mblkcnt++; 7246 if (ipsa->ipsa_bpkt_head == NULL) { 7247 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_tail = bpkt; 7248 } else { 7249 ipsa->ipsa_bpkt_tail->b_next = bpkt; 7250 ipsa->ipsa_bpkt_tail = bpkt; 7251 if (ipsa->ipsa_mblkcnt > SADB_MAX_IDLEPKTS) { 7252 mblk_t *tmp; 7253 7254 tmp = ipsa->ipsa_bpkt_head; 7255 ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_head->b_next; 7256 tmp = ip_recv_attr_free_mblk(tmp); 7257 ip_drop_packet(tmp, B_TRUE, NULL, 7258 DROPPER(ipss, ipds_sadb_inidle_overflow), 7259 &ipss->ipsec_sadb_dropper); 7260 ipsa->ipsa_mblkcnt --; 7261 } 7262 } 7263 mutex_exit(&ipsa->ipsa_lock); 7264 } 7265 7266 /* 7267 * Stub function that taskq_dispatch() invokes to take the mblk (in arg) 7268 * and put into STREAMS again. 7269 */ 7270 void 7271 sadb_clear_buf_pkt(void *ipkt) 7272 { 7273 mblk_t *tmp, *buf_pkt; 7274 ip_recv_attr_t iras; 7275 7276 buf_pkt = (mblk_t *)ipkt; 7277 7278 while (buf_pkt != NULL) { 7279 mblk_t *data_mp; 7280 7281 tmp = buf_pkt->b_next; 7282 buf_pkt->b_next = NULL; 7283 7284 data_mp = buf_pkt->b_cont; 7285 buf_pkt->b_cont = NULL; 7286 if (!ip_recv_attr_from_mblk(buf_pkt, &iras)) { 7287 /* The ill or ip_stack_t disappeared on us. */ 7288 ip_drop_input("ip_recv_attr_from_mblk", data_mp, NULL); 7289 freemsg(data_mp); 7290 } else { 7291 ip_input_post_ipsec(data_mp, &iras); 7292 } 7293 ira_cleanup(&iras, B_TRUE); 7294 buf_pkt = tmp; 7295 } 7296 } 7297 /* 7298 * Walker callback used by sadb_alg_update() to free/create crypto 7299 * context template when a crypto software provider is removed or 7300 * added. 7301 */ 7302 7303 struct sadb_update_alg_state { 7304 ipsec_algtype_t alg_type; 7305 uint8_t alg_id; 7306 boolean_t is_added; 7307 boolean_t async_auth; 7308 boolean_t async_encr; 7309 }; 7310 7311 static void 7312 sadb_alg_update_cb(isaf_t *head, ipsa_t *entry, void *cookie) 7313 { 7314 struct sadb_update_alg_state *update_state = 7315 (struct sadb_update_alg_state *)cookie; 7316 crypto_ctx_template_t *ctx_tmpl = NULL; 7317 7318 ASSERT(MUTEX_HELD(&head->isaf_lock)); 7319 7320 if (entry->ipsa_state == IPSA_STATE_LARVAL) 7321 return; 7322 7323 mutex_enter(&entry->ipsa_lock); 7324 7325 if ((entry->ipsa_encr_alg != SADB_EALG_NONE && entry->ipsa_encr_alg != 7326 SADB_EALG_NULL && update_state->async_encr) || 7327 (entry->ipsa_auth_alg != SADB_AALG_NONE && 7328 update_state->async_auth)) { 7329 entry->ipsa_flags |= IPSA_F_ASYNC; 7330 } else { 7331 entry->ipsa_flags &= ~IPSA_F_ASYNC; 7332 } 7333 7334 switch (update_state->alg_type) { 7335 case IPSEC_ALG_AUTH: 7336 if (entry->ipsa_auth_alg == update_state->alg_id) 7337 ctx_tmpl = &entry->ipsa_authtmpl; 7338 break; 7339 case IPSEC_ALG_ENCR: 7340 if (entry->ipsa_encr_alg == update_state->alg_id) 7341 ctx_tmpl = &entry->ipsa_encrtmpl; 7342 break; 7343 default: 7344 ctx_tmpl = NULL; 7345 } 7346 7347 if (ctx_tmpl == NULL) { 7348 mutex_exit(&entry->ipsa_lock); 7349 return; 7350 } 7351 7352 /* 7353 * The context template of the SA may be affected by the change 7354 * of crypto provider. 7355 */ 7356 if (update_state->is_added) { 7357 /* create the context template if not already done */ 7358 if (*ctx_tmpl == NULL) { 7359 (void) ipsec_create_ctx_tmpl(entry, 7360 update_state->alg_type); 7361 } 7362 } else { 7363 /* 7364 * The crypto provider was removed. If the context template 7365 * exists but it is no longer valid, free it. 7366 */ 7367 if (*ctx_tmpl != NULL) 7368 ipsec_destroy_ctx_tmpl(entry, update_state->alg_type); 7369 } 7370 7371 mutex_exit(&entry->ipsa_lock); 7372 } 7373 7374 /* 7375 * Invoked by IP when an software crypto provider has been updated, or if 7376 * the crypto synchrony changes. The type and id of the corresponding 7377 * algorithm is passed as argument. The type is set to ALL in the case of 7378 * a synchrony change. 7379 * 7380 * is_added is B_TRUE if the provider was added, B_FALSE if it was 7381 * removed. The function updates the SADB and free/creates the 7382 * context templates associated with SAs if needed. 7383 */ 7384 7385 #define SADB_ALG_UPDATE_WALK(sadb, table) \ 7386 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \ 7387 &update_state) 7388 7389 void 7390 sadb_alg_update(ipsec_algtype_t alg_type, uint8_t alg_id, boolean_t is_added, 7391 netstack_t *ns) 7392 { 7393 struct sadb_update_alg_state update_state; 7394 ipsecah_stack_t *ahstack = ns->netstack_ipsecah; 7395 ipsecesp_stack_t *espstack = ns->netstack_ipsecesp; 7396 ipsec_stack_t *ipss = ns->netstack_ipsec; 7397 7398 update_state.alg_type = alg_type; 7399 update_state.alg_id = alg_id; 7400 update_state.is_added = is_added; 7401 update_state.async_auth = ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] == 7402 IPSEC_ALGS_EXEC_ASYNC; 7403 update_state.async_encr = ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] == 7404 IPSEC_ALGS_EXEC_ASYNC; 7405 7406 if (alg_type == IPSEC_ALG_AUTH || alg_type == IPSEC_ALG_ALL) { 7407 /* walk the AH tables only for auth. algorithm changes */ 7408 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_of); 7409 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_if); 7410 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_of); 7411 SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v6, sdb_if); 7412 } 7413 7414 /* walk the ESP tables */ 7415 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_of); 7416 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v4, sdb_if); 7417 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_of); 7418 SADB_ALG_UPDATE_WALK(espstack->esp_sadb.s_v6, sdb_if); 7419 } 7420 7421 /* 7422 * Creates a context template for the specified SA. This function 7423 * is called when an SA is created and when a context template needs 7424 * to be created due to a change of software provider. 7425 */ 7426 int 7427 ipsec_create_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 7428 { 7429 ipsec_alginfo_t *alg; 7430 crypto_mechanism_t mech; 7431 crypto_key_t *key; 7432 crypto_ctx_template_t *sa_tmpl; 7433 int rv; 7434 ipsec_stack_t *ipss = sa->ipsa_netstack->netstack_ipsec; 7435 7436 ASSERT(RW_READ_HELD(&ipss->ipsec_alg_lock)); 7437 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 7438 7439 /* get pointers to the algorithm info, context template, and key */ 7440 switch (alg_type) { 7441 case IPSEC_ALG_AUTH: 7442 key = &sa->ipsa_kcfauthkey; 7443 sa_tmpl = &sa->ipsa_authtmpl; 7444 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_auth_alg]; 7445 break; 7446 case IPSEC_ALG_ENCR: 7447 key = &sa->ipsa_kcfencrkey; 7448 sa_tmpl = &sa->ipsa_encrtmpl; 7449 alg = ipss->ipsec_alglists[alg_type][sa->ipsa_encr_alg]; 7450 break; 7451 default: 7452 alg = NULL; 7453 } 7454 7455 if (alg == NULL || !ALG_VALID(alg)) 7456 return (EINVAL); 7457 7458 /* initialize the mech info structure for the framework */ 7459 ASSERT(alg->alg_mech_type != CRYPTO_MECHANISM_INVALID); 7460 mech.cm_type = alg->alg_mech_type; 7461 mech.cm_param = NULL; 7462 mech.cm_param_len = 0; 7463 7464 /* create a new context template */ 7465 rv = crypto_create_ctx_template(&mech, key, sa_tmpl, KM_NOSLEEP); 7466 7467 /* 7468 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware 7469 * providers are available for that mechanism. In that case 7470 * we don't fail, and will generate the context template from 7471 * the framework callback when a software provider for that 7472 * mechanism registers. 7473 * 7474 * The context template is assigned the special value 7475 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a 7476 * lack of memory. No attempt will be made to use 7477 * the context template if it is set to this value. 7478 */ 7479 if (rv == CRYPTO_HOST_MEMORY) { 7480 *sa_tmpl = IPSEC_CTX_TMPL_ALLOC; 7481 } else if (rv != CRYPTO_SUCCESS) { 7482 *sa_tmpl = NULL; 7483 if (rv != CRYPTO_MECH_NOT_SUPPORTED) 7484 return (EINVAL); 7485 } 7486 7487 return (0); 7488 } 7489 7490 /* 7491 * Destroy the context template of the specified algorithm type 7492 * of the specified SA. Must be called while holding the SA lock. 7493 */ 7494 void 7495 ipsec_destroy_ctx_tmpl(ipsa_t *sa, ipsec_algtype_t alg_type) 7496 { 7497 ASSERT(MUTEX_HELD(&sa->ipsa_lock)); 7498 7499 if (alg_type == IPSEC_ALG_AUTH) { 7500 if (sa->ipsa_authtmpl == IPSEC_CTX_TMPL_ALLOC) 7501 sa->ipsa_authtmpl = NULL; 7502 else if (sa->ipsa_authtmpl != NULL) { 7503 crypto_destroy_ctx_template(sa->ipsa_authtmpl); 7504 sa->ipsa_authtmpl = NULL; 7505 } 7506 } else { 7507 ASSERT(alg_type == IPSEC_ALG_ENCR); 7508 if (sa->ipsa_encrtmpl == IPSEC_CTX_TMPL_ALLOC) 7509 sa->ipsa_encrtmpl = NULL; 7510 else if (sa->ipsa_encrtmpl != NULL) { 7511 crypto_destroy_ctx_template(sa->ipsa_encrtmpl); 7512 sa->ipsa_encrtmpl = NULL; 7513 } 7514 } 7515 } 7516 7517 /* 7518 * Use the kernel crypto framework to check the validity of a key received 7519 * via keysock. Returns 0 if the key is OK, -1 otherwise. 7520 */ 7521 int 7522 ipsec_check_key(crypto_mech_type_t mech_type, sadb_key_t *sadb_key, 7523 boolean_t is_auth, int *diag) 7524 { 7525 crypto_mechanism_t mech; 7526 crypto_key_t crypto_key; 7527 int crypto_rc; 7528 7529 mech.cm_type = mech_type; 7530 mech.cm_param = NULL; 7531 mech.cm_param_len = 0; 7532 7533 crypto_key.ck_format = CRYPTO_KEY_RAW; 7534 crypto_key.ck_data = sadb_key + 1; 7535 crypto_key.ck_length = sadb_key->sadb_key_bits; 7536 7537 crypto_rc = crypto_key_check(&mech, &crypto_key); 7538 7539 switch (crypto_rc) { 7540 case CRYPTO_SUCCESS: 7541 return (0); 7542 case CRYPTO_MECHANISM_INVALID: 7543 case CRYPTO_MECH_NOT_SUPPORTED: 7544 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AALG : 7545 SADB_X_DIAGNOSTIC_BAD_EALG; 7546 break; 7547 case CRYPTO_KEY_SIZE_RANGE: 7548 *diag = is_auth ? SADB_X_DIAGNOSTIC_BAD_AKEYBITS : 7549 SADB_X_DIAGNOSTIC_BAD_EKEYBITS; 7550 break; 7551 case CRYPTO_WEAK_KEY: 7552 *diag = is_auth ? SADB_X_DIAGNOSTIC_WEAK_AKEY : 7553 SADB_X_DIAGNOSTIC_WEAK_EKEY; 7554 break; 7555 } 7556 7557 return (-1); 7558 } 7559 7560 /* 7561 * Whack options in the outer IP header when ipsec changes the outer label 7562 * 7563 * This is inelegant and really could use refactoring. 7564 */ 7565 mblk_t * 7566 sadb_whack_label_v4(mblk_t *mp, ipsa_t *assoc, kstat_named_t *counter, 7567 ipdropper_t *dropper) 7568 { 7569 int delta; 7570 int plen; 7571 dblk_t *db; 7572 int hlen; 7573 uint8_t *opt_storage = assoc->ipsa_opt_storage; 7574 ipha_t *ipha = (ipha_t *)mp->b_rptr; 7575 7576 plen = ntohs(ipha->ipha_length); 7577 7578 delta = tsol_remove_secopt(ipha, MBLKL(mp)); 7579 mp->b_wptr += delta; 7580 plen += delta; 7581 7582 /* XXX XXX code copied from tsol_check_label */ 7583 7584 /* Make sure we have room for the worst-case addition */ 7585 hlen = IPH_HDR_LENGTH(ipha) + opt_storage[IPOPT_OLEN]; 7586 hlen = (hlen + 3) & ~3; 7587 if (hlen > IP_MAX_HDR_LENGTH) 7588 hlen = IP_MAX_HDR_LENGTH; 7589 hlen -= IPH_HDR_LENGTH(ipha); 7590 7591 db = mp->b_datap; 7592 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) { 7593 int copylen; 7594 mblk_t *new_mp; 7595 7596 /* allocate enough to be meaningful, but not *too* much */ 7597 copylen = MBLKL(mp); 7598 if (copylen > 256) 7599 copylen = 256; 7600 new_mp = allocb_tmpl(hlen + copylen + 7601 (mp->b_rptr - mp->b_datap->db_base), mp); 7602 7603 if (new_mp == NULL) { 7604 ip_drop_packet(mp, B_FALSE, NULL, counter, dropper); 7605 return (NULL); 7606 } 7607 7608 /* keep the bias */ 7609 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base; 7610 new_mp->b_wptr = new_mp->b_rptr + copylen; 7611 bcopy(mp->b_rptr, new_mp->b_rptr, copylen); 7612 new_mp->b_cont = mp; 7613 if ((mp->b_rptr += copylen) >= mp->b_wptr) { 7614 new_mp->b_cont = mp->b_cont; 7615 freeb(mp); 7616 } 7617 mp = new_mp; 7618 ipha = (ipha_t *)mp->b_rptr; 7619 } 7620 7621 delta = tsol_prepend_option(assoc->ipsa_opt_storage, ipha, MBLKL(mp)); 7622 7623 ASSERT(delta != -1); 7624 7625 plen += delta; 7626 mp->b_wptr += delta; 7627 7628 /* 7629 * Paranoia 7630 */ 7631 db = mp->b_datap; 7632 7633 ASSERT3P(mp->b_wptr, <=, db->db_lim); 7634 ASSERT3P(mp->b_rptr, <=, db->db_lim); 7635 7636 ASSERT3P(mp->b_wptr, >=, db->db_base); 7637 ASSERT3P(mp->b_rptr, >=, db->db_base); 7638 /* End paranoia */ 7639 7640 ipha->ipha_length = htons(plen); 7641 7642 return (mp); 7643 } 7644 7645 mblk_t * 7646 sadb_whack_label_v6(mblk_t *mp, ipsa_t *assoc, kstat_named_t *counter, 7647 ipdropper_t *dropper) 7648 { 7649 int delta; 7650 int plen; 7651 dblk_t *db; 7652 int hlen; 7653 uint8_t *opt_storage = assoc->ipsa_opt_storage; 7654 uint_t sec_opt_len; /* label option length not including type, len */ 7655 ip6_t *ip6h = (ip6_t *)mp->b_rptr; 7656 7657 plen = ntohs(ip6h->ip6_plen); 7658 7659 delta = tsol_remove_secopt_v6(ip6h, MBLKL(mp)); 7660 mp->b_wptr += delta; 7661 plen += delta; 7662 7663 /* XXX XXX code copied from tsol_check_label_v6 */ 7664 /* 7665 * Make sure we have room for the worst-case addition. Add 2 bytes for 7666 * the hop-by-hop ext header's next header and length fields. Add 7667 * another 2 bytes for the label option type, len and then round 7668 * up to the next 8-byte multiple. 7669 */ 7670 sec_opt_len = opt_storage[1]; 7671 7672 db = mp->b_datap; 7673 hlen = (4 + sec_opt_len + 7) & ~7; 7674 7675 if ((db->db_ref != 1) || (mp->b_wptr + hlen > db->db_lim)) { 7676 int copylen; 7677 mblk_t *new_mp; 7678 uint16_t hdr_len; 7679 7680 hdr_len = ip_hdr_length_v6(mp, ip6h); 7681 /* 7682 * Allocate enough to be meaningful, but not *too* much. 7683 * Also all the IPv6 extension headers must be in the same mblk 7684 */ 7685 copylen = MBLKL(mp); 7686 if (copylen > 256) 7687 copylen = 256; 7688 if (copylen < hdr_len) 7689 copylen = hdr_len; 7690 new_mp = allocb_tmpl(hlen + copylen + 7691 (mp->b_rptr - mp->b_datap->db_base), mp); 7692 if (new_mp == NULL) { 7693 ip_drop_packet(mp, B_FALSE, NULL, counter, dropper); 7694 return (NULL); 7695 } 7696 7697 /* keep the bias */ 7698 new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base; 7699 new_mp->b_wptr = new_mp->b_rptr + copylen; 7700 bcopy(mp->b_rptr, new_mp->b_rptr, copylen); 7701 new_mp->b_cont = mp; 7702 if ((mp->b_rptr += copylen) >= mp->b_wptr) { 7703 new_mp->b_cont = mp->b_cont; 7704 freeb(mp); 7705 } 7706 mp = new_mp; 7707 ip6h = (ip6_t *)mp->b_rptr; 7708 } 7709 7710 delta = tsol_prepend_option_v6(assoc->ipsa_opt_storage, 7711 ip6h, MBLKL(mp)); 7712 7713 ASSERT(delta != -1); 7714 7715 plen += delta; 7716 mp->b_wptr += delta; 7717 7718 /* 7719 * Paranoia 7720 */ 7721 db = mp->b_datap; 7722 7723 ASSERT3P(mp->b_wptr, <=, db->db_lim); 7724 ASSERT3P(mp->b_rptr, <=, db->db_lim); 7725 7726 ASSERT3P(mp->b_wptr, >=, db->db_base); 7727 ASSERT3P(mp->b_rptr, >=, db->db_base); 7728 /* End paranoia */ 7729 7730 ip6h->ip6_plen = htons(plen); 7731 7732 return (mp); 7733 } 7734 7735 /* Whack the labels and update ip_xmit_attr_t as needed */ 7736 mblk_t * 7737 sadb_whack_label(mblk_t *mp, ipsa_t *assoc, ip_xmit_attr_t *ixa, 7738 kstat_named_t *counter, ipdropper_t *dropper) 7739 { 7740 int adjust; 7741 int iplen; 7742 7743 if (ixa->ixa_flags & IXAF_IS_IPV4) { 7744 ipha_t *ipha = (ipha_t *)mp->b_rptr; 7745 7746 ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION); 7747 iplen = ntohs(ipha->ipha_length); 7748 mp = sadb_whack_label_v4(mp, assoc, counter, dropper); 7749 if (mp == NULL) 7750 return (NULL); 7751 7752 ipha = (ipha_t *)mp->b_rptr; 7753 ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION); 7754 adjust = (int)ntohs(ipha->ipha_length) - iplen; 7755 } else { 7756 ip6_t *ip6h = (ip6_t *)mp->b_rptr; 7757 7758 ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION); 7759 iplen = ntohs(ip6h->ip6_plen); 7760 mp = sadb_whack_label_v6(mp, assoc, counter, dropper); 7761 if (mp == NULL) 7762 return (NULL); 7763 7764 ip6h = (ip6_t *)mp->b_rptr; 7765 ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION); 7766 adjust = (int)ntohs(ip6h->ip6_plen) - iplen; 7767 } 7768 ixa->ixa_pktlen += adjust; 7769 ixa->ixa_ip_hdr_length += adjust; 7770 return (mp); 7771 } 7772 7773 /* 7774 * If this is an outgoing SA then add some fuzz to the 7775 * SOFT EXPIRE time. The reason for this is to stop 7776 * peers trying to renegotiate SOFT expiring SA's at 7777 * the same time. The amount of fuzz needs to be at 7778 * least 8 seconds which is the typical interval 7779 * sadb_ager(), although this is only a guide as it 7780 * selftunes. 7781 */ 7782 static void 7783 lifetime_fuzz(ipsa_t *assoc) 7784 { 7785 uint8_t rnd; 7786 7787 if (assoc->ipsa_softaddlt == 0) 7788 return; 7789 7790 (void) random_get_pseudo_bytes(&rnd, sizeof (rnd)); 7791 rnd = (rnd & 0xF) + 8; 7792 assoc->ipsa_softexpiretime -= rnd; 7793 assoc->ipsa_softaddlt -= rnd; 7794 } 7795 7796 static void 7797 destroy_ipsa_pair(ipsap_t *ipsapp) 7798 { 7799 /* 7800 * Because of the multi-line macro nature of IPSA_REFRELE, keep 7801 * them in { }. 7802 */ 7803 if (ipsapp->ipsap_sa_ptr != NULL) { 7804 IPSA_REFRELE(ipsapp->ipsap_sa_ptr); 7805 } 7806 if (ipsapp->ipsap_psa_ptr != NULL) { 7807 IPSA_REFRELE(ipsapp->ipsap_psa_ptr); 7808 } 7809 init_ipsa_pair(ipsapp); 7810 } 7811 7812 static void 7813 init_ipsa_pair(ipsap_t *ipsapp) 7814 { 7815 ipsapp->ipsap_bucket = NULL; 7816 ipsapp->ipsap_sa_ptr = NULL; 7817 ipsapp->ipsap_pbucket = NULL; 7818 ipsapp->ipsap_psa_ptr = NULL; 7819 } 7820 7821 /* 7822 * The sadb_ager() function walks through the hash tables of SA's and ages 7823 * them, if the SA expires as a result, its marked as DEAD and will be reaped 7824 * the next time sadb_ager() runs. SA's which are paired or have a peer (same 7825 * SA appears in both the inbound and outbound tables because its not possible 7826 * to determine its direction) are placed on a list when they expire. This is 7827 * to ensure that pair/peer SA's are reaped at the same time, even if they 7828 * expire at different times. 7829 * 7830 * This function is called twice by sadb_ager(), one after processing the 7831 * inbound table, then again after processing the outbound table. 7832 */ 7833 void 7834 age_pair_peer_list(templist_t *haspeerlist, sadb_t *sp, boolean_t outbound) 7835 { 7836 templist_t *listptr; 7837 int outhash; 7838 isaf_t *bucket; 7839 boolean_t haspeer; 7840 ipsa_t *peer_assoc, *dying; 7841 /* 7842 * Haspeer cases will contain both IPv4 and IPv6. This code 7843 * is address independent. 7844 */ 7845 while (haspeerlist != NULL) { 7846 /* "dying" contains the SA that has a peer. */ 7847 dying = haspeerlist->ipsa; 7848 haspeer = (dying->ipsa_haspeer); 7849 listptr = haspeerlist; 7850 haspeerlist = listptr->next; 7851 kmem_free(listptr, sizeof (*listptr)); 7852 /* 7853 * Pick peer bucket based on addrfam. 7854 */ 7855 if (outbound) { 7856 if (haspeer) 7857 bucket = INBOUND_BUCKET(sp, dying->ipsa_spi); 7858 else 7859 bucket = INBOUND_BUCKET(sp, 7860 dying->ipsa_otherspi); 7861 } else { /* inbound */ 7862 if (haspeer) { 7863 if (dying->ipsa_addrfam == AF_INET6) { 7864 outhash = OUTBOUND_HASH_V6(sp, 7865 *((in6_addr_t *)&dying-> 7866 ipsa_dstaddr)); 7867 } else { 7868 outhash = OUTBOUND_HASH_V4(sp, 7869 *((ipaddr_t *)&dying-> 7870 ipsa_dstaddr)); 7871 } 7872 } else if (dying->ipsa_addrfam == AF_INET6) { 7873 outhash = OUTBOUND_HASH_V6(sp, 7874 *((in6_addr_t *)&dying-> 7875 ipsa_srcaddr)); 7876 } else { 7877 outhash = OUTBOUND_HASH_V4(sp, 7878 *((ipaddr_t *)&dying-> 7879 ipsa_srcaddr)); 7880 } 7881 bucket = &(sp->sdb_of[outhash]); 7882 } 7883 7884 mutex_enter(&bucket->isaf_lock); 7885 /* 7886 * "haspeer" SA's have the same src/dst address ordering, 7887 * "paired" SA's have the src/dst addresses reversed. 7888 */ 7889 if (haspeer) { 7890 peer_assoc = ipsec_getassocbyspi(bucket, 7891 dying->ipsa_spi, dying->ipsa_srcaddr, 7892 dying->ipsa_dstaddr, dying->ipsa_addrfam); 7893 } else { 7894 peer_assoc = ipsec_getassocbyspi(bucket, 7895 dying->ipsa_otherspi, dying->ipsa_dstaddr, 7896 dying->ipsa_srcaddr, dying->ipsa_addrfam); 7897 } 7898 7899 mutex_exit(&bucket->isaf_lock); 7900 if (peer_assoc != NULL) { 7901 mutex_enter(&peer_assoc->ipsa_lock); 7902 mutex_enter(&dying->ipsa_lock); 7903 if (!haspeer) { 7904 /* 7905 * Only SA's which have a "peer" or are 7906 * "paired" end up on this list, so this 7907 * must be a "paired" SA, update the flags 7908 * to break the pair. 7909 */ 7910 peer_assoc->ipsa_otherspi = 0; 7911 peer_assoc->ipsa_flags &= ~IPSA_F_PAIRED; 7912 dying->ipsa_otherspi = 0; 7913 dying->ipsa_flags &= ~IPSA_F_PAIRED; 7914 } 7915 if (haspeer || outbound) { 7916 /* 7917 * Update the state of the "inbound" SA when 7918 * the "outbound" SA has expired. Don't update 7919 * the "outbound" SA when the "inbound" SA 7920 * SA expires because setting the hard_addtime 7921 * below will cause this to happen. 7922 */ 7923 peer_assoc->ipsa_state = dying->ipsa_state; 7924 } 7925 if (dying->ipsa_state == IPSA_STATE_DEAD) 7926 peer_assoc->ipsa_hardexpiretime = 1; 7927 7928 mutex_exit(&dying->ipsa_lock); 7929 mutex_exit(&peer_assoc->ipsa_lock); 7930 IPSA_REFRELE(peer_assoc); 7931 } 7932 IPSA_REFRELE(dying); 7933 } 7934 } 7935 7936 /* 7937 * Ensure that the IV used for CCM mode never repeats. The IV should 7938 * only be updated by this function. Also check to see if the IV 7939 * is about to wrap and generate a SOFT Expire. This function is only 7940 * called for outgoing packets, the IV for incomming packets is taken 7941 * from the wire. If the outgoing SA needs to be expired, update 7942 * the matching incomming SA. 7943 */ 7944 boolean_t 7945 update_iv(uint8_t *iv_ptr, queue_t *pfkey_q, ipsa_t *assoc, 7946 ipsecesp_stack_t *espstack) 7947 { 7948 boolean_t rc = B_TRUE; 7949 isaf_t *inbound_bucket; 7950 sadb_t *sp; 7951 ipsa_t *pair_sa = NULL; 7952 int sa_new_state = 0; 7953 7954 /* For non counter modes, the IV is random data. */ 7955 if (!(assoc->ipsa_flags & IPSA_F_COUNTERMODE)) { 7956 (void) random_get_pseudo_bytes(iv_ptr, assoc->ipsa_iv_len); 7957 return (rc); 7958 } 7959 7960 mutex_enter(&assoc->ipsa_lock); 7961 7962 (*assoc->ipsa_iv)++; 7963 7964 if (*assoc->ipsa_iv == assoc->ipsa_iv_hardexpire) { 7965 sa_new_state = IPSA_STATE_DEAD; 7966 rc = B_FALSE; 7967 } else if (*assoc->ipsa_iv == assoc->ipsa_iv_softexpire) { 7968 if (assoc->ipsa_state != IPSA_STATE_DYING) { 7969 /* 7970 * This SA may have already been expired when its 7971 * PAIR_SA expired. 7972 */ 7973 sa_new_state = IPSA_STATE_DYING; 7974 } 7975 } 7976 if (sa_new_state) { 7977 /* 7978 * If there is a state change, we need to update this SA 7979 * and its "pair", we can find the bucket for the "pair" SA 7980 * while holding the ipsa_t mutex, but we won't actually 7981 * update anything untill the ipsa_t mutex has been released 7982 * for _this_ SA. 7983 */ 7984 assoc->ipsa_state = sa_new_state; 7985 if (assoc->ipsa_addrfam == AF_INET6) { 7986 sp = &espstack->esp_sadb.s_v6; 7987 } else { 7988 sp = &espstack->esp_sadb.s_v4; 7989 } 7990 inbound_bucket = INBOUND_BUCKET(sp, assoc->ipsa_otherspi); 7991 sadb_expire_assoc(pfkey_q, assoc); 7992 } 7993 if (rc == B_TRUE) 7994 bcopy(assoc->ipsa_iv, iv_ptr, assoc->ipsa_iv_len); 7995 7996 mutex_exit(&assoc->ipsa_lock); 7997 7998 if (sa_new_state) { 7999 /* Find the inbound SA, need to lock hash bucket. */ 8000 mutex_enter(&inbound_bucket->isaf_lock); 8001 pair_sa = ipsec_getassocbyspi(inbound_bucket, 8002 assoc->ipsa_otherspi, assoc->ipsa_dstaddr, 8003 assoc->ipsa_srcaddr, assoc->ipsa_addrfam); 8004 mutex_exit(&inbound_bucket->isaf_lock); 8005 if (pair_sa != NULL) { 8006 mutex_enter(&pair_sa->ipsa_lock); 8007 pair_sa->ipsa_state = sa_new_state; 8008 mutex_exit(&pair_sa->ipsa_lock); 8009 IPSA_REFRELE(pair_sa); 8010 } 8011 } 8012 8013 return (rc); 8014 } 8015 8016 void 8017 ccm_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr, 8018 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data) 8019 { 8020 uchar_t *nonce; 8021 crypto_mechanism_t *combined_mech; 8022 CK_AES_CCM_PARAMS *params; 8023 8024 combined_mech = (crypto_mechanism_t *)cm_mech; 8025 params = (CK_AES_CCM_PARAMS *)(combined_mech + 1); 8026 nonce = (uchar_t *)(params + 1); 8027 params->ulMACSize = assoc->ipsa_mac_len; 8028 params->ulNonceSize = assoc->ipsa_nonce_len; 8029 params->ulAuthDataSize = sizeof (esph_t); 8030 params->ulDataSize = data_len; 8031 params->nonce = nonce; 8032 params->authData = esph; 8033 8034 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type; 8035 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_CCM_PARAMS); 8036 cm_mech->combined_mech.cm_param = (caddr_t)params; 8037 /* See gcm_params_init() for comments. */ 8038 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen); 8039 nonce += assoc->ipsa_saltlen; 8040 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len); 8041 crypto_data->cd_miscdata = NULL; 8042 } 8043 8044 /* ARGSUSED */ 8045 void 8046 cbc_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr, 8047 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data) 8048 { 8049 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type; 8050 cm_mech->combined_mech.cm_param_len = 0; 8051 cm_mech->combined_mech.cm_param = NULL; 8052 crypto_data->cd_miscdata = (char *)iv_ptr; 8053 } 8054 8055 /* ARGSUSED */ 8056 void 8057 gcm_params_init(ipsa_t *assoc, uchar_t *esph, uint_t data_len, uchar_t *iv_ptr, 8058 ipsa_cm_mech_t *cm_mech, crypto_data_t *crypto_data) 8059 { 8060 uchar_t *nonce; 8061 crypto_mechanism_t *combined_mech; 8062 CK_AES_GCM_PARAMS *params; 8063 8064 combined_mech = (crypto_mechanism_t *)cm_mech; 8065 params = (CK_AES_GCM_PARAMS *)(combined_mech + 1); 8066 nonce = (uchar_t *)(params + 1); 8067 8068 params->pIv = nonce; 8069 params->ulIvLen = assoc->ipsa_nonce_len; 8070 params->ulIvBits = SADB_8TO1(assoc->ipsa_nonce_len); 8071 params->pAAD = esph; 8072 params->ulAADLen = sizeof (esph_t); 8073 params->ulTagBits = SADB_8TO1(assoc->ipsa_mac_len); 8074 8075 cm_mech->combined_mech.cm_type = assoc->ipsa_emech.cm_type; 8076 cm_mech->combined_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS); 8077 cm_mech->combined_mech.cm_param = (caddr_t)params; 8078 /* 8079 * Create the nonce, which is made up of the salt and the IV. 8080 * Copy the salt from the SA and the IV from the packet. 8081 * For inbound packets we copy the IV from the packet because it 8082 * was set by the sending system, for outbound packets we copy the IV 8083 * from the packet because the IV in the SA may be changed by another 8084 * thread, the IV in the packet was created while holding a mutex. 8085 */ 8086 bcopy(assoc->ipsa_nonce, nonce, assoc->ipsa_saltlen); 8087 nonce += assoc->ipsa_saltlen; 8088 bcopy(iv_ptr, nonce, assoc->ipsa_iv_len); 8089 crypto_data->cd_miscdata = NULL; 8090 } 8091