4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
24 * Copyright 2017 Joyent, Inc.
27 #include <sys/param.h>
28 #include <sys/types.h>
29 #include <sys/stream.h>
30 #include <sys/strsubr.h>
31 #include <sys/strsun.h>
32 #include <sys/stropts.h>
34 #include <sys/vnode.h>
35 #include <sys/sysmacros.h>
36 #define _SUN_TPI_VERSION 2
37 #include <sys/tihdr.h>
38 #include <sys/timod.h>
40 #include <sys/sunddi.h>
41 #include <sys/mkdev.h>
42 #include <sys/debug.h>
44 #include <sys/cmn_err.h>
45 #include <sys/suntpi.h>
46 #include <sys/policy.h>
49 #include <sys/socket.h>
50 #include <netinet/in.h>
51 #include <net/pfkeyv2.h>
52 #include <net/pfpolicy.h>
54 #include <inet/common.h>
55 #include <netinet/ip6.h>
59 #include <inet/proto_set.h>
61 #include <inet/ip_if.h>
62 #include <inet/optcom.h>
63 #include <inet/ipsec_impl.h>
64 #include <inet/spdsock.h>
65 #include <inet/sadb.h>
66 #include <inet/iptun.h>
67 #include <inet/iptun/iptun_impl.h>
69 #include <sys/isa_defs.h>
74 * This is a transport provider for the PF_POLICY IPsec policy
75 * management socket, which provides a management interface into the
76 * SPD, allowing policy rules to be added, deleted, and queried.
78 * This effectively replaces the old private SIOC*IPSECONFIG ioctls
79 * with an extensible interface which will hopefully be public some
82 * See <net/pfpolicy.h> for more details on the protocol.
84 * We link against drv/ip and call directly into it to manipulate the
85 * SPD; see ipsec_impl.h for the policy data structures and spd.c for
86 * the code which maintains them.
88 * The MT model of this is QPAIR with the addition of some explicit
89 * locking to protect system-wide policy data structures.
92 static vmem_t
*spdsock_vmem
; /* for minor numbers. */
94 #define ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t))
96 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */
97 static struct T_info_ack spdsock_g_t_info_ack
= {
99 T_INFINITE
, /* TSDU_size. Maximum size messages. */
100 T_INVALID
, /* ETSDU_size. No expedited data. */
101 T_INVALID
, /* CDATA_size. No connect data. */
102 T_INVALID
, /* DDATA_size. No disconnect data. */
104 0, /* OPT_size. No user-settable options */
105 64 * 1024, /* TIDU_size. spdsock allows maximum size messages. */
106 T_COTS
, /* SERV_type. spdsock supports connection oriented. */
107 TS_UNBND
, /* CURRENT_state. This is set from spdsock_state. */
108 (XPG4_1
) /* Provider flags */
111 /* Named Dispatch Parameter Management Structure */
112 typedef struct spdsockparam_s
{
113 uint_t spdsock_param_min
;
114 uint_t spdsock_param_max
;
115 uint_t spdsock_param_value
;
116 char *spdsock_param_name
;
120 * Table of NDD variables supported by spdsock. These are loaded into
121 * spdsock_g_nd in spdsock_init_nd.
122 * All of these are alterable, within the min/max values given, at run time.
124 static spdsockparam_t lcl_param_arr
[] = {
125 /* min max value name */
126 { 4096, 65536, 8192, "spdsock_xmit_hiwat"},
127 { 0, 65536, 1024, "spdsock_xmit_lowat"},
128 { 4096, 65536, 8192, "spdsock_recv_hiwat"},
129 { 65536, 1024*1024*1024, 256*1024, "spdsock_max_buf"},
130 { 0, 3, 0, "spdsock_debug"},
132 #define spds_xmit_hiwat spds_params[0].spdsock_param_value
133 #define spds_xmit_lowat spds_params[1].spdsock_param_value
134 #define spds_recv_hiwat spds_params[2].spdsock_param_value
135 #define spds_max_buf spds_params[3].spdsock_param_value
136 #define spds_debug spds_params[4].spdsock_param_value
138 #define ss0dbg(a) printf a
139 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */
140 #define ss1dbg(spds, a) if (spds->spds_debug != 0) printf a
141 #define ss2dbg(spds, a) if (spds->spds_debug > 1) printf a
142 #define ss3dbg(spds, a) if (spds->spds_debug > 2) printf a
144 #define RESET_SPDSOCK_DUMP_POLHEAD(ss, iph) { \
145 ASSERT(RW_READ_HELD(&(iph)->iph_lock)); \
146 (ss)->spdsock_dump_head = (iph); \
147 (ss)->spdsock_dump_gen = (iph)->iph_gen; \
148 (ss)->spdsock_dump_cur_type = 0; \
149 (ss)->spdsock_dump_cur_af = IPSEC_AF_V4; \
150 (ss)->spdsock_dump_cur_rule = NULL; \
151 (ss)->spdsock_dump_count = 0; \
152 (ss)->spdsock_dump_cur_chain = 0; \
155 static int spdsock_close(queue_t
*);
156 static int spdsock_open(queue_t
*, dev_t
*, int, int, cred_t
*);
157 static void spdsock_wput(queue_t
*, mblk_t
*);
158 static void spdsock_wsrv(queue_t
*);
159 static void spdsock_rsrv(queue_t
*);
160 static void *spdsock_stack_init(netstackid_t stackid
, netstack_t
*ns
);
161 static void spdsock_stack_shutdown(netstackid_t stackid
, void *arg
);
162 static void spdsock_stack_fini(netstackid_t stackid
, void *arg
);
163 static void spdsock_loadcheck(void *);
164 static void spdsock_merge_algs(spd_stack_t
*);
165 static void spdsock_flush_one(ipsec_policy_head_t
*, netstack_t
*);
166 static mblk_t
*spdsock_dump_next_record(spdsock_t
*);
167 static void update_iptun_policy(ipsec_tun_pol_t
*);
169 static struct module_info info
= {
170 5138, "spdsock", 1, INFPSZ
, 512, 128
173 static struct qinit rinit
= {
174 NULL
, (pfi_t
)spdsock_rsrv
, spdsock_open
, spdsock_close
,
178 static struct qinit winit
= {
179 (pfi_t
)spdsock_wput
, (pfi_t
)spdsock_wsrv
, NULL
, NULL
, NULL
, &info
182 struct streamtab spdsockinfo
= {
186 /* mapping from alg type to protocol number, as per RFC 2407 */
187 static const uint_t algproto
[] = {
192 #define NALGPROTOS (sizeof (algproto) / sizeof (algproto[0]))
194 /* mapping from kernel exec mode to spdsock exec mode */
195 static const uint_t execmodes
[] = {
196 SPD_ALG_EXEC_MODE_SYNC
,
197 SPD_ALG_EXEC_MODE_ASYNC
200 #define NEXECMODES (sizeof (execmodes) / sizeof (execmodes[0]))
202 #define ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1)
203 #define ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2)
205 #define ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL)
215 spdsockparam_t
*spdsockpa
= (spdsockparam_t
*)cp
;
217 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
218 spd_stack_t
*spds
= ss
->spdsock_spds
;
220 mutex_enter(&spds
->spds_param_lock
);
221 value
= spdsockpa
->spdsock_param_value
;
222 mutex_exit(&spds
->spds_param_lock
);
224 (void) mi_mpprintf(mp
, "%u", value
);
228 /* This routine sets an NDD variable in a spdsockparam_t structure. */
239 spdsockparam_t
*spdsockpa
= (spdsockparam_t
*)cp
;
240 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
241 spd_stack_t
*spds
= ss
->spdsock_spds
;
243 /* Convert the value from a string into a long integer. */
244 if (ddi_strtoul(value
, NULL
, 10, &new_value
) != 0)
247 mutex_enter(&spds
->spds_param_lock
);
249 * Fail the request if the new value does not lie within the
252 if (new_value
< spdsockpa
->spdsock_param_min
||
253 new_value
> spdsockpa
->spdsock_param_max
) {
254 mutex_exit(&spds
->spds_param_lock
);
258 /* Set the new value */
259 spdsockpa
->spdsock_param_value
= new_value
;
260 mutex_exit(&spds
->spds_param_lock
);
266 * Initialize at module load time
269 spdsock_ddi_init(void)
271 spdsock_max_optsize
= optcom_max_optsize(
272 spdsock_opt_obj
.odb_opt_des_arr
, spdsock_opt_obj
.odb_opt_arr_cnt
);
274 spdsock_vmem
= vmem_create("spdsock", (void *)1, MAXMIN
, 1,
275 NULL
, NULL
, NULL
, 1, VM_SLEEP
| VMC_IDENTIFIER
);
278 * We want to be informed each time a stack is created or
279 * destroyed in the kernel, so we can maintain the
280 * set of spd_stack_t's.
282 netstack_register(NS_SPDSOCK
, spdsock_stack_init
,
283 spdsock_stack_shutdown
, spdsock_stack_fini
);
289 * Walk through the param array specified registering each element with the
290 * named dispatch handler.
293 spdsock_param_register(IDP
*ndp
, spdsockparam_t
*ssp
, int cnt
)
295 for (; cnt
-- > 0; ssp
++) {
296 if (ssp
->spdsock_param_name
!= NULL
&&
297 ssp
->spdsock_param_name
[0]) {
299 ssp
->spdsock_param_name
,
300 spdsock_param_get
, spdsock_param_set
,
311 * Initialize for each stack instance
315 spdsock_stack_init(netstackid_t stackid
, netstack_t
*ns
)
320 spds
= (spd_stack_t
*)kmem_zalloc(sizeof (*spds
), KM_SLEEP
);
321 spds
->spds_netstack
= ns
;
323 ASSERT(spds
->spds_g_nd
== NULL
);
325 ssp
= (spdsockparam_t
*)kmem_alloc(sizeof (lcl_param_arr
), KM_SLEEP
);
326 spds
->spds_params
= ssp
;
327 bcopy(lcl_param_arr
, ssp
, sizeof (lcl_param_arr
));
329 (void) spdsock_param_register(&spds
->spds_g_nd
, ssp
,
330 A_CNT(lcl_param_arr
));
332 mutex_init(&spds
->spds_param_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
333 mutex_init(&spds
->spds_alg_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
339 spdsock_ddi_destroy(void)
341 vmem_destroy(spdsock_vmem
);
343 netstack_unregister(NS_SPDSOCK
);
347 * Do pre-removal cleanup.
351 spdsock_stack_shutdown(netstackid_t stackid
, void *arg
)
353 spd_stack_t
*spds
= (spd_stack_t
*)arg
;
355 if (spds
->spds_mp_algs
!= NULL
) {
356 freemsg(spds
->spds_mp_algs
);
357 spds
->spds_mp_algs
= NULL
;
363 spdsock_stack_fini(netstackid_t stackid
, void *arg
)
365 spd_stack_t
*spds
= (spd_stack_t
*)arg
;
367 ASSERT(spds
->spds_mp_algs
== NULL
);
368 mutex_destroy(&spds
->spds_param_lock
);
369 mutex_destroy(&spds
->spds_alg_lock
);
370 nd_free(&spds
->spds_g_nd
);
371 kmem_free(spds
->spds_params
, sizeof (lcl_param_arr
));
372 spds
->spds_params
= NULL
;
374 kmem_free(spds
, sizeof (*spds
));
378 * NOTE: large quantities of this should be shared with keysock.
379 * Would be nice to combine some of this into a common module, but
380 * not possible given time pressures.
384 * High-level reality checking of extensions.
386 /* ARGSUSED */ /* XXX */
388 ext_check(spd_ext_t
*ext
)
390 spd_if_t
*tunname
= (spd_if_t
*)ext
;
394 if (ext
->spd_ext_type
== SPD_EXT_TUN_NAME
) {
395 /* (NOTE: Modified from SADB_EXT_IDENTITY..) */
398 * Make sure the strings in these identities are
399 * null-terminated. Let's "proactively" null-terminate the
400 * string at the last byte if it's not terminated sooner.
402 i
= SPD_64TO8(tunname
->spd_if_len
) - sizeof (spd_if_t
);
403 idstr
= (char *)(tunname
+ 1);
404 while (*idstr
!= '\0' && i
> 0) {
410 * I.e., if the bozo user didn't NULL-terminate the
417 return (B_TRUE
); /* For now... */
422 /* Return values for spdsock_get_ext(). */
430 * Parse basic extension headers and return in the passed-in pointer vector.
431 * Return values include:
433 * KGE_OK Everything's nice and parsed out.
434 * If there are no extensions, place NULL in extv[0].
435 * KGE_DUP There is a duplicate extension.
436 * First instance in appropriate bin. First duplicate in
438 * KGE_UNK Unknown extension type encountered. extv[0] contains
440 * KGE_LEN Extension length error.
441 * KGE_CHK High-level reality check failed on specific extension.
443 * My apologies for some of the pointer arithmetic in here. I'm thinking
444 * like an assembly programmer, yet trying to make the compiler happy.
447 spdsock_get_ext(spd_ext_t
*extv
[], spd_msg_t
*basehdr
, uint_t msgsize
)
449 bzero(extv
, sizeof (spd_ext_t
*) * (SPD_EXT_MAX
+ 1));
451 /* Use extv[0] as the "current working pointer". */
453 extv
[0] = (spd_ext_t
*)(basehdr
+ 1);
455 while (extv
[0] < (spd_ext_t
*)(((uint8_t *)basehdr
) + msgsize
)) {
456 /* Check for unknown headers. */
457 if (extv
[0]->spd_ext_type
== 0 ||
458 extv
[0]->spd_ext_type
> SPD_EXT_MAX
)
462 * Check length. Use uint64_t because extlen is in units
463 * of 64-bit words. If length goes beyond the msgsize,
464 * return an error. (Zero length also qualifies here.)
466 if (extv
[0]->spd_ext_len
== 0 ||
467 (void *)((uint64_t *)extv
[0] + extv
[0]->spd_ext_len
) >
468 (void *)((uint8_t *)basehdr
+ msgsize
))
471 /* Check for redundant headers. */
472 if (extv
[extv
[0]->spd_ext_type
] != NULL
)
476 * Reality check the extension if possible at the spdsock
479 if (!ext_check(extv
[0]))
482 /* If I make it here, assign the appropriate bin. */
483 extv
[extv
[0]->spd_ext_type
] = extv
[0];
485 /* Advance pointer (See above for uint64_t ptr reasoning.) */
486 extv
[0] = (spd_ext_t
*)
487 ((uint64_t *)extv
[0] + extv
[0]->spd_ext_len
);
490 /* Everything's cool. */
493 * If extv[0] == NULL, then there are no extension headers in this
494 * message. Ensure that this is the case.
496 if (extv
[0] == (spd_ext_t
*)(basehdr
+ 1))
502 static const int bad_ext_diag
[] = {
503 SPD_DIAGNOSTIC_MALFORMED_LCLPORT
,
504 SPD_DIAGNOSTIC_MALFORMED_REMPORT
,
505 SPD_DIAGNOSTIC_MALFORMED_PROTO
,
506 SPD_DIAGNOSTIC_MALFORMED_LCLADDR
,
507 SPD_DIAGNOSTIC_MALFORMED_REMADDR
,
508 SPD_DIAGNOSTIC_MALFORMED_ACTION
,
509 SPD_DIAGNOSTIC_MALFORMED_RULE
,
510 SPD_DIAGNOSTIC_MALFORMED_RULESET
,
511 SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE
514 static const int dup_ext_diag
[] = {
515 SPD_DIAGNOSTIC_DUPLICATE_LCLPORT
,
516 SPD_DIAGNOSTIC_DUPLICATE_REMPORT
,
517 SPD_DIAGNOSTIC_DUPLICATE_PROTO
,
518 SPD_DIAGNOSTIC_DUPLICATE_LCLADDR
,
519 SPD_DIAGNOSTIC_DUPLICATE_REMADDR
,
520 SPD_DIAGNOSTIC_DUPLICATE_ACTION
,
521 SPD_DIAGNOSTIC_DUPLICATE_RULE
,
522 SPD_DIAGNOSTIC_DUPLICATE_RULESET
,
523 SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE
527 * Transmit a PF_POLICY error message to the instance either pointed to
528 * by ks, the instance with serial number serial, or more, depending.
530 * The faulty message (or a reasonable facsimile thereof) is in mp.
531 * This function will free mp or recycle it for delivery, thereby causing
532 * the stream head to free it.
535 spdsock_error(queue_t
*q
, mblk_t
*mp
, int error
, int diagnostic
)
537 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
539 ASSERT(mp
->b_datap
->db_type
== M_DATA
);
541 if (spmsg
->spd_msg_type
< SPD_MIN
||
542 spmsg
->spd_msg_type
> SPD_MAX
)
543 spmsg
->spd_msg_type
= SPD_RESERVED
;
546 * Strip out extension headers.
548 ASSERT(mp
->b_rptr
+ sizeof (*spmsg
) <= mp
->b_datap
->db_lim
);
549 mp
->b_wptr
= mp
->b_rptr
+ sizeof (*spmsg
);
550 spmsg
->spd_msg_len
= SPD_8TO64(sizeof (spd_msg_t
));
551 spmsg
->spd_msg_errno
= (uint8_t)error
;
552 spmsg
->spd_msg_diagnostic
= (uint16_t)diagnostic
;
558 spdsock_diag(queue_t
*q
, mblk_t
*mp
, int diagnostic
)
560 spdsock_error(q
, mp
, EINVAL
, diagnostic
);
564 spd_echo(queue_t
*q
, mblk_t
*mp
)
570 * Do NOT consume a reference to itp.
574 spdsock_flush_node(ipsec_tun_pol_t
*itp
, void *cookie
, netstack_t
*ns
)
576 boolean_t active
= (boolean_t
)cookie
;
577 ipsec_policy_head_t
*iph
;
579 iph
= active
? itp
->itp_policy
: itp
->itp_inactive
;
581 mutex_enter(&itp
->itp_lock
);
582 spdsock_flush_one(iph
, ns
); /* Releases iph refhold. */
584 itp
->itp_flags
&= ~ITPF_PFLAGS
;
586 itp
->itp_flags
&= ~ITPF_IFLAGS
;
587 mutex_exit(&itp
->itp_lock
);
588 /* SPD_FLUSH is worth a tunnel MTU check. */
589 update_iptun_policy(itp
);
593 * Clear out one polhead.
596 spdsock_flush_one(ipsec_policy_head_t
*iph
, netstack_t
*ns
)
598 rw_enter(&iph
->iph_lock
, RW_WRITER
);
599 ipsec_polhead_flush(iph
, ns
);
600 rw_exit(&iph
->iph_lock
);
601 IPPH_REFRELE(iph
, ns
);
605 spdsock_flush(queue_t
*q
, ipsec_policy_head_t
*iph
, ipsec_tun_pol_t
*itp
,
609 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
610 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
611 uint32_t auditing
= AU_AUDITING();
613 if (iph
!= ALL_ACTIVE_POLHEADS
&& iph
!= ALL_INACTIVE_POLHEADS
) {
614 spdsock_flush_one(iph
, ns
);
616 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
620 cr
= msg_getcred(mp
, &cpid
);
621 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
622 audit_pf_policy(SPD_FLUSH
, cr
, ns
,
623 ITP_NAME(itp
), active
, 0, cpid
);
626 active
= (iph
== ALL_ACTIVE_POLHEADS
);
628 /* First flush the global policy. */
629 spdsock_flush_one(active
? ipsec_system_policy(ns
) :
630 ipsec_inactive_policy(ns
), ns
);
635 cr
= msg_getcred(mp
, &cpid
);
636 audit_pf_policy(SPD_FLUSH
, cr
, ns
, NULL
,
639 /* Then flush every tunnel's appropriate one. */
640 itp_walk(spdsock_flush_node
, (void *)active
, ns
);
645 cr
= msg_getcred(mp
, &cpid
);
646 audit_pf_policy(SPD_FLUSH
, cr
, ns
,
647 "all tunnels", active
, 0, cpid
);
655 spdsock_ext_to_sel(spd_ext_t
**extv
, ipsec_selkey_t
*sel
, int *diag
)
657 bzero(sel
, sizeof (*sel
));
659 if (extv
[SPD_EXT_PROTO
] != NULL
) {
660 struct spd_proto
*pr
=
661 (struct spd_proto
*)extv
[SPD_EXT_PROTO
];
662 sel
->ipsl_proto
= pr
->spd_proto_number
;
663 sel
->ipsl_valid
|= IPSL_PROTOCOL
;
665 if (extv
[SPD_EXT_LCLPORT
] != NULL
) {
666 struct spd_portrange
*pr
=
667 (struct spd_portrange
*)extv
[SPD_EXT_LCLPORT
];
668 sel
->ipsl_lport
= pr
->spd_ports_minport
;
669 sel
->ipsl_valid
|= IPSL_LOCAL_PORT
;
671 if (extv
[SPD_EXT_REMPORT
] != NULL
) {
672 struct spd_portrange
*pr
=
673 (struct spd_portrange
*)extv
[SPD_EXT_REMPORT
];
674 sel
->ipsl_rport
= pr
->spd_ports_minport
;
675 sel
->ipsl_valid
|= IPSL_REMOTE_PORT
;
678 if (extv
[SPD_EXT_ICMP_TYPECODE
] != NULL
) {
679 struct spd_typecode
*tc
=
680 (struct spd_typecode
*)extv
[SPD_EXT_ICMP_TYPECODE
];
682 sel
->ipsl_valid
|= IPSL_ICMP_TYPE
;
683 sel
->ipsl_icmp_type
= tc
->spd_typecode_type
;
684 if (tc
->spd_typecode_type_end
< tc
->spd_typecode_type
)
685 sel
->ipsl_icmp_type_end
= tc
->spd_typecode_type
;
687 sel
->ipsl_icmp_type_end
= tc
->spd_typecode_type_end
;
689 if (tc
->spd_typecode_code
!= 255) {
690 sel
->ipsl_valid
|= IPSL_ICMP_CODE
;
691 sel
->ipsl_icmp_code
= tc
->spd_typecode_code
;
692 if (tc
->spd_typecode_code_end
< tc
->spd_typecode_code
)
693 sel
->ipsl_icmp_code_end
= tc
->spd_typecode_code
;
695 sel
->ipsl_icmp_code_end
=
696 tc
->spd_typecode_code_end
;
699 #define ADDR2SEL(sel, extv, field, pfield, extn, bit) \
700 if ((extv)[(extn)] != NULL) { \
702 struct spd_address *ap = \
703 (struct spd_address *)((extv)[(extn)]); \
704 addrlen = (ap->spd_address_af == AF_INET6) ? \
705 IPV6_ADDR_LEN : IP_ADDR_LEN; \
706 if (SPD_64TO8(ap->spd_address_len) < \
707 (addrlen + sizeof (*ap))) { \
708 *diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN; \
711 bcopy((ap+1), &((sel)->field), addrlen); \
712 (sel)->pfield = ap->spd_address_prefixlen; \
713 (sel)->ipsl_valid |= (bit); \
714 (sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ? \
715 IPSL_IPV6 : IPSL_IPV4; \
718 ADDR2SEL(sel
, extv
, ipsl_local
, ipsl_local_pfxlen
,
719 SPD_EXT_LCLADDR
, IPSL_LOCAL_ADDR
);
720 ADDR2SEL(sel
, extv
, ipsl_remote
, ipsl_remote_pfxlen
,
721 SPD_EXT_REMADDR
, IPSL_REMOTE_ADDR
);
723 if ((sel
->ipsl_valid
& (IPSL_IPV6
|IPSL_IPV4
)) ==
724 (IPSL_IPV6
|IPSL_IPV4
)) {
725 *diag
= SPD_DIAGNOSTIC_MIXED_AF
;
735 spd_convert_type(uint32_t type
, ipsec_act_t
*act
)
738 case SPD_ACTTYPE_DROP
:
739 act
->ipa_type
= IPSEC_ACT_DISCARD
;
742 case SPD_ACTTYPE_PASS
:
743 act
->ipa_type
= IPSEC_ACT_CLEAR
;
746 case SPD_ACTTYPE_IPSEC
:
747 act
->ipa_type
= IPSEC_ACT_APPLY
;
754 spd_convert_flags(uint32_t flags
, ipsec_act_t
*act
)
757 * Note use of !! for boolean canonicalization.
759 act
->ipa_apply
.ipp_use_ah
= !!(flags
& SPD_APPLY_AH
);
760 act
->ipa_apply
.ipp_use_esp
= !!(flags
& SPD_APPLY_ESP
);
761 act
->ipa_apply
.ipp_use_espa
= !!(flags
& SPD_APPLY_ESPA
);
762 act
->ipa_apply
.ipp_use_se
= !!(flags
& SPD_APPLY_SE
);
763 act
->ipa_apply
.ipp_use_unique
= !!(flags
& SPD_APPLY_UNIQUE
);
768 spdsock_reset_act(ipsec_act_t
*act
)
770 bzero(act
, sizeof (*act
));
771 act
->ipa_apply
.ipp_espe_maxbits
= IPSEC_MAX_KEYBITS
;
772 act
->ipa_apply
.ipp_espa_maxbits
= IPSEC_MAX_KEYBITS
;
773 act
->ipa_apply
.ipp_ah_maxbits
= IPSEC_MAX_KEYBITS
;
777 * Sanity check action against reality, and shrink-wrap key sizes..
780 spdsock_check_action(ipsec_act_t
*act
, boolean_t tunnel_polhead
, int *diag
,
783 if (tunnel_polhead
&& act
->ipa_apply
.ipp_use_unique
) {
784 *diag
= SPD_DIAGNOSTIC_ADD_INCON_FLAGS
;
787 if ((act
->ipa_type
!= IPSEC_ACT_APPLY
) &&
788 (act
->ipa_apply
.ipp_use_ah
||
789 act
->ipa_apply
.ipp_use_esp
||
790 act
->ipa_apply
.ipp_use_espa
||
791 act
->ipa_apply
.ipp_use_se
||
792 act
->ipa_apply
.ipp_use_unique
)) {
793 *diag
= SPD_DIAGNOSTIC_ADD_INCON_FLAGS
;
796 if ((act
->ipa_type
== IPSEC_ACT_APPLY
) &&
797 !act
->ipa_apply
.ipp_use_ah
&&
798 !act
->ipa_apply
.ipp_use_esp
) {
799 *diag
= SPD_DIAGNOSTIC_ADD_INCON_FLAGS
;
802 return (ipsec_check_action(act
, diag
, spds
->spds_netstack
));
806 * We may be short a few error checks here..
809 spdsock_ext_to_actvec(spd_ext_t
**extv
, ipsec_act_t
**actpp
, uint_t
*nactp
,
810 int *diag
, spd_stack_t
*spds
)
812 struct spd_ext_actions
*sactp
=
813 (struct spd_ext_actions
*)extv
[SPD_EXT_ACTION
];
814 ipsec_act_t act
, *actp
, *endactp
;
815 struct spd_attribute
*attrp
, *endattrp
;
818 boolean_t tunnel_polhead
;
820 tunnel_polhead
= (extv
[SPD_EXT_TUN_NAME
] != NULL
&&
821 (((struct spd_rule
*)extv
[SPD_EXT_RULE
])->spd_rule_flags
&
822 SPD_RULE_FLAG_TUNNEL
));
828 *diag
= SPD_DIAGNOSTIC_NO_ACTION_EXT
;
833 * Parse the "action" extension and convert into an action chain.
836 nact
= sactp
->spd_actions_count
;
838 endp
= (uint64_t *)sactp
;
839 endp
+= sactp
->spd_actions_len
;
840 endattrp
= (struct spd_attribute
*)endp
;
842 actp
= kmem_alloc(sizeof (*actp
) * nact
, KM_NOSLEEP
);
844 *diag
= SPD_DIAGNOSTIC_ADD_NO_MEM
;
849 endactp
= actp
+ nact
;
851 spdsock_reset_act(&act
);
852 attrp
= (struct spd_attribute
*)(&sactp
[1]);
854 for (; attrp
< endattrp
; attrp
++) {
855 switch (attrp
->spd_attr_tag
) {
860 spdsock_reset_act(&act
);
867 if (actp
>= endactp
) {
868 *diag
= SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT
;
871 if (!spdsock_check_action(&act
, tunnel_polhead
,
875 spdsock_reset_act(&act
);
879 if (!spd_convert_type(attrp
->spd_attr_value
, &act
)) {
880 *diag
= SPD_DIAGNOSTIC_ADD_BAD_TYPE
;
886 if (!tunnel_polhead
&& extv
[SPD_EXT_TUN_NAME
] != NULL
) {
888 * Set "sa unique" for transport-mode
889 * tunnels whether we want to or not.
891 attrp
->spd_attr_value
|= SPD_APPLY_UNIQUE
;
893 if (!spd_convert_flags(attrp
->spd_attr_value
, &act
)) {
894 *diag
= SPD_DIAGNOSTIC_ADD_BAD_FLAGS
;
899 case SPD_ATTR_AH_AUTH
:
900 if (attrp
->spd_attr_value
== 0) {
901 *diag
= SPD_DIAGNOSTIC_UNSUPP_AH_ALG
;
904 act
.ipa_apply
.ipp_auth_alg
= attrp
->spd_attr_value
;
907 case SPD_ATTR_ESP_ENCR
:
908 if (attrp
->spd_attr_value
== 0) {
909 *diag
= SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG
;
912 act
.ipa_apply
.ipp_encr_alg
= attrp
->spd_attr_value
;
915 case SPD_ATTR_ESP_AUTH
:
916 if (attrp
->spd_attr_value
== 0) {
917 *diag
= SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG
;
920 act
.ipa_apply
.ipp_esp_auth_alg
= attrp
->spd_attr_value
;
923 case SPD_ATTR_ENCR_MINBITS
:
924 act
.ipa_apply
.ipp_espe_minbits
= attrp
->spd_attr_value
;
927 case SPD_ATTR_ENCR_MAXBITS
:
928 act
.ipa_apply
.ipp_espe_maxbits
= attrp
->spd_attr_value
;
931 case SPD_ATTR_AH_MINBITS
:
932 act
.ipa_apply
.ipp_ah_minbits
= attrp
->spd_attr_value
;
935 case SPD_ATTR_AH_MAXBITS
:
936 act
.ipa_apply
.ipp_ah_maxbits
= attrp
->spd_attr_value
;
939 case SPD_ATTR_ESPA_MINBITS
:
940 act
.ipa_apply
.ipp_espa_minbits
= attrp
->spd_attr_value
;
943 case SPD_ATTR_ESPA_MAXBITS
:
944 act
.ipa_apply
.ipp_espa_maxbits
= attrp
->spd_attr_value
;
947 case SPD_ATTR_LIFE_SOFT_TIME
:
948 case SPD_ATTR_LIFE_HARD_TIME
:
949 case SPD_ATTR_LIFE_SOFT_BYTES
:
950 case SPD_ATTR_LIFE_HARD_BYTES
:
953 case SPD_ATTR_KM_PROTO
:
954 act
.ipa_apply
.ipp_km_proto
= attrp
->spd_attr_value
;
957 case SPD_ATTR_KM_COOKIE
:
958 act
.ipa_apply
.ipp_km_cookie
= attrp
->spd_attr_value
;
961 case SPD_ATTR_REPLAY_DEPTH
:
962 act
.ipa_apply
.ipp_replay_depth
= attrp
->spd_attr_value
;
966 if (actp
!= endactp
) {
967 *diag
= SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT
;
973 ipsec_actvec_free(*actpp
, nact
);
985 mkrule(ipsec_policy_head_t
*iph
, struct spd_rule
*rule
,
986 ipsec_selkey_t
*sel
, ipsec_act_t
*actp
, int nact
, uint_t dir
, uint_t af
,
987 tmprule_t
**rp
, uint64_t *index
, spd_stack_t
*spds
)
991 sel
->ipsl_valid
&= ~(IPSL_IPV6
|IPSL_IPV4
);
992 sel
->ipsl_valid
|= af
;
994 pol
= ipsec_policy_create(sel
, actp
, nact
, rule
->spd_rule_priority
,
995 index
, spds
->spds_netstack
);
1003 if (!ipsec_check_policy(iph
, pol
, dir
))
1006 rule
->spd_rule_index
= pol
->ipsp_index
;
1011 mkrulepair(ipsec_policy_head_t
*iph
, struct spd_rule
*rule
,
1012 ipsec_selkey_t
*sel
, ipsec_act_t
*actp
, int nact
, uint_t dir
, uint_t afs
,
1013 tmprule_t
**rp
, uint64_t *index
, spd_stack_t
*spds
)
1017 if (afs
& IPSL_IPV4
) {
1018 error
= mkrule(iph
, rule
, sel
, actp
, nact
, dir
, IPSL_IPV4
, rp
,
1023 if (afs
& IPSL_IPV6
) {
1024 error
= mkrule(iph
, rule
, sel
, actp
, nact
, dir
, IPSL_IPV6
, rp
,
1034 spdsock_addrule(queue_t
*q
, ipsec_policy_head_t
*iph
, mblk_t
*mp
,
1035 spd_ext_t
**extv
, ipsec_tun_pol_t
*itp
)
1040 int diag
= 0, error
, afs
;
1041 struct spd_rule
*rule
= (struct spd_rule
*)extv
[SPD_EXT_RULE
];
1042 tmprule_t rules
[4], *rulep
= &rules
[0];
1043 boolean_t tunnel_mode
, empty_itp
, active
;
1044 uint64_t *index
= (itp
== NULL
) ? NULL
: &itp
->itp_next_policy_index
;
1045 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
1046 spd_stack_t
*spds
= ss
->spdsock_spds
;
1047 uint32_t auditing
= AU_AUDITING();
1050 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_NO_RULE_EXT
);
1052 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1056 cr
= msg_getcred(mp
, &cpid
);
1057 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1058 audit_pf_policy(SPD_ADDRULE
, cr
,
1059 spds
->spds_netstack
, ITP_NAME(itp
), active
,
1060 SPD_DIAGNOSTIC_NO_RULE_EXT
, cpid
);
1065 tunnel_mode
= (rule
->spd_rule_flags
& SPD_RULE_FLAG_TUNNEL
);
1068 mutex_enter(&itp
->itp_lock
);
1069 ASSERT(itp
->itp_policy
== iph
|| itp
->itp_inactive
== iph
);
1070 active
= (itp
->itp_policy
== iph
);
1071 if (ITP_P_ISACTIVE(itp
, iph
)) {
1072 /* Check for mix-and-match of tunnel/transport. */
1073 if ((tunnel_mode
&& !ITP_P_ISTUNNEL(itp
, iph
)) ||
1074 (!tunnel_mode
&& ITP_P_ISTUNNEL(itp
, iph
))) {
1075 mutex_exit(&itp
->itp_lock
);
1076 spdsock_error(q
, mp
, EBUSY
, 0);
1079 empty_itp
= B_FALSE
;
1082 itp
->itp_flags
= active
? ITPF_P_ACTIVE
: ITPF_I_ACTIVE
;
1084 itp
->itp_flags
|= active
? ITPF_P_TUNNEL
:
1088 empty_itp
= B_FALSE
;
1091 if (rule
->spd_rule_index
!= 0) {
1092 diag
= SPD_DIAGNOSTIC_INVALID_RULE_INDEX
;
1097 if (!spdsock_ext_to_sel(extv
, &sel
, &diag
)) {
1104 if (sel
.ipsl_valid
&
1105 (IPSL_REMOTE_PORT
| IPSL_LOCAL_PORT
)) {
1106 itp
->itp_flags
|= active
?
1107 ITPF_P_PER_PORT_SECURITY
:
1108 ITPF_I_PER_PORT_SECURITY
;
1112 * For now, we don't allow transport-mode on a tunnel
1113 * with ANY specific selectors. Bail if we have such
1116 if (sel
.ipsl_valid
& IPSL_WILDCARD
) {
1117 diag
= SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS
;
1124 if (!spdsock_ext_to_actvec(extv
, &actp
, &nact
, &diag
, spds
)) {
1129 * If no addresses were specified, add both.
1131 afs
= sel
.ipsl_valid
& (IPSL_IPV6
|IPSL_IPV4
);
1133 afs
= (IPSL_IPV6
|IPSL_IPV4
);
1135 rw_enter(&iph
->iph_lock
, RW_WRITER
);
1137 if (rule
->spd_rule_flags
& SPD_RULE_FLAG_OUTBOUND
) {
1138 error
= mkrulepair(iph
, rule
, &sel
, actp
, nact
,
1139 IPSEC_TYPE_OUTBOUND
, afs
, &rulep
, index
, spds
);
1144 if (rule
->spd_rule_flags
& SPD_RULE_FLAG_INBOUND
) {
1145 error
= mkrulepair(iph
, rule
, &sel
, actp
, nact
,
1146 IPSEC_TYPE_INBOUND
, afs
, &rulep
, index
, spds
);
1151 while ((--rulep
) >= &rules
[0]) {
1152 ipsec_enter_policy(iph
, rulep
->pol
, rulep
->dir
,
1153 spds
->spds_netstack
);
1155 rw_exit(&iph
->iph_lock
);
1157 mutex_exit(&itp
->itp_lock
);
1159 ipsec_actvec_free(actp
, nact
);
1162 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1166 cr
= msg_getcred(mp
, &cpid
);
1167 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1168 audit_pf_policy(SPD_ADDRULE
, cr
, spds
->spds_netstack
,
1169 ITP_NAME(itp
), active
, 0, cpid
);
1174 rw_exit(&iph
->iph_lock
);
1175 while ((--rulep
) >= &rules
[0])
1176 IPPOL_REFRELE(rulep
->pol
);
1177 ipsec_actvec_free(actp
, nact
);
1182 mutex_exit(&itp
->itp_lock
);
1184 spdsock_error(q
, mp
, error
, diag
);
1186 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1190 cr
= msg_getcred(mp
, &cpid
);
1191 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1192 audit_pf_policy(SPD_ADDRULE
, cr
, spds
->spds_netstack
,
1193 ITP_NAME(itp
), active
, error
, cpid
);
1198 spdsock_deleterule(queue_t
*q
, ipsec_policy_head_t
*iph
, mblk_t
*mp
,
1199 spd_ext_t
**extv
, ipsec_tun_pol_t
*itp
)
1202 struct spd_rule
*rule
= (struct spd_rule
*)extv
[SPD_EXT_RULE
];
1204 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
1205 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
1206 uint32_t auditing
= AU_AUDITING();
1209 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_NO_RULE_EXT
);
1212 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1216 cr
= msg_getcred(mp
, &cpid
);
1217 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1218 audit_pf_policy(SPD_DELETERULE
, cr
, ns
,
1219 ITP_NAME(itp
), active
, SPD_DIAGNOSTIC_NO_RULE_EXT
,
1226 * Must enter itp_lock first to avoid deadlock. See tun.c's
1227 * set_sec_simple() for the other case of itp_lock and iph_lock.
1230 mutex_enter(&itp
->itp_lock
);
1232 if (rule
->spd_rule_index
!= 0) {
1233 if (ipsec_policy_delete_index(iph
, rule
->spd_rule_index
, ns
) !=
1239 if (!spdsock_ext_to_sel(extv
, &sel
, &diag
)) {
1240 err
= EINVAL
; /* diag already set... */
1244 if ((rule
->spd_rule_flags
& SPD_RULE_FLAG_INBOUND
) &&
1245 !ipsec_policy_delete(iph
, &sel
, IPSEC_TYPE_INBOUND
, ns
)) {
1250 if ((rule
->spd_rule_flags
& SPD_RULE_FLAG_OUTBOUND
) &&
1251 !ipsec_policy_delete(iph
, &sel
, IPSEC_TYPE_OUTBOUND
, ns
)) {
1258 ASSERT(iph
== itp
->itp_policy
|| iph
== itp
->itp_inactive
);
1259 rw_enter(&iph
->iph_lock
, RW_READER
);
1260 if (avl_numnodes(&iph
->iph_rulebyid
) == 0) {
1261 if (iph
== itp
->itp_policy
)
1262 itp
->itp_flags
&= ~ITPF_PFLAGS
;
1264 itp
->itp_flags
&= ~ITPF_IFLAGS
;
1266 /* Can exit locks in any order. */
1267 rw_exit(&iph
->iph_lock
);
1268 mutex_exit(&itp
->itp_lock
);
1273 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1277 cr
= msg_getcred(mp
, &cpid
);
1278 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1279 audit_pf_policy(SPD_DELETERULE
, cr
, ns
, ITP_NAME(itp
),
1285 mutex_exit(&itp
->itp_lock
);
1286 spdsock_error(q
, mp
, err
, diag
);
1289 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1293 cr
= msg_getcred(mp
, &cpid
);
1294 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1295 audit_pf_policy(SPD_DELETERULE
, cr
, ns
, ITP_NAME(itp
),
1300 /* Do NOT consume a reference to itp. */
1303 spdsock_flip_node(ipsec_tun_pol_t
*itp
, void *ignoreme
, netstack_t
*ns
)
1305 mutex_enter(&itp
->itp_lock
);
1306 ITPF_SWAP(itp
->itp_flags
);
1307 ipsec_swap_policy(itp
->itp_policy
, itp
->itp_inactive
, ns
);
1308 mutex_exit(&itp
->itp_lock
);
1309 /* SPD_FLIP is worth a tunnel MTU check. */
1310 update_iptun_policy(itp
);
1314 spdsock_flip(queue_t
*q
, mblk_t
*mp
, spd_if_t
*tunname
)
1317 ipsec_tun_pol_t
*itp
;
1318 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
1319 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
1320 uint32_t auditing
= AU_AUDITING();
1322 if (tunname
!= NULL
) {
1323 tname
= (char *)tunname
->spd_if_name
;
1324 if (*tname
== '\0') {
1326 ipsec_swap_global_policy(ns
);
1329 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1333 cr
= msg_getcred(mp
, &cpid
);
1334 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1335 audit_pf_policy(SPD_FLIP
, cr
, ns
,
1336 NULL
, active
, 0, cpid
);
1338 itp_walk(spdsock_flip_node
, NULL
, ns
);
1341 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1345 cr
= msg_getcred(mp
, &cpid
);
1346 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1347 audit_pf_policy(SPD_FLIP
, cr
, ns
,
1348 "all tunnels", active
, 0, cpid
);
1351 itp
= get_tunnel_policy(tname
, ns
);
1353 /* Better idea for "tunnel not found"? */
1354 spdsock_error(q
, mp
, ESRCH
, 0);
1358 (spd_msg_t
*)mp
->b_rptr
;
1362 cr
= msg_getcred(mp
, &cpid
);
1363 active
= (spmsg
->spd_msg_spdid
==
1365 audit_pf_policy(SPD_FLIP
, cr
, ns
,
1366 ITP_NAME(itp
), active
,
1371 spdsock_flip_node(itp
, NULL
, ns
);
1374 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1378 cr
= msg_getcred(mp
, &cpid
);
1379 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1380 audit_pf_policy(SPD_FLIP
, cr
, ns
,
1381 ITP_NAME(itp
), active
, 0, cpid
);
1383 ITP_REFRELE(itp
, ns
);
1386 ipsec_swap_global_policy(ns
); /* can't fail */
1389 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1393 cr
= msg_getcred(mp
, &cpid
);
1394 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1395 audit_pf_policy(SPD_FLIP
, cr
,
1396 ns
, NULL
, active
, 0, cpid
);
1403 * Unimplemented feature
1407 spdsock_lookup(queue_t
*q
, ipsec_policy_head_t
*iph
, mblk_t
*mp
,
1408 spd_ext_t
**extv
, ipsec_tun_pol_t
*itp
)
1410 spdsock_error(q
, mp
, EINVAL
, 0);
1415 spdsock_dump_ruleset(mblk_t
*req
, ipsec_policy_head_t
*iph
,
1416 uint32_t count
, uint16_t error
)
1418 size_t len
= sizeof (spd_ruleset_ext_t
) + sizeof (spd_msg_t
);
1420 spd_ruleset_ext_t
*ruleset
;
1421 mblk_t
*m
= allocb(len
, BPRI_HI
);
1423 ASSERT(RW_READ_HELD(&iph
->iph_lock
));
1428 msg
= (spd_msg_t
*)m
->b_rptr
;
1429 ruleset
= (spd_ruleset_ext_t
*)(&msg
[1]);
1431 m
->b_wptr
= (uint8_t *)&ruleset
[1];
1433 *msg
= *(spd_msg_t
*)(req
->b_rptr
);
1434 msg
->spd_msg_len
= SPD_8TO64(len
);
1435 msg
->spd_msg_errno
= error
;
1437 ruleset
->spd_ruleset_len
= SPD_8TO64(sizeof (*ruleset
));
1438 ruleset
->spd_ruleset_type
= SPD_EXT_RULESET
;
1439 ruleset
->spd_ruleset_count
= count
;
1440 ruleset
->spd_ruleset_version
= iph
->iph_gen
;
1445 spdsock_dump_finish(spdsock_t
*ss
, int error
)
1448 ipsec_policy_head_t
*iph
= ss
->spdsock_dump_head
;
1449 mblk_t
*req
= ss
->spdsock_dump_req
;
1450 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
1452 rw_enter(&iph
->iph_lock
, RW_READER
);
1453 m
= spdsock_dump_ruleset(req
, iph
, ss
->spdsock_dump_count
, error
);
1454 rw_exit(&iph
->iph_lock
);
1455 IPPH_REFRELE(iph
, ns
);
1456 if (ss
->spdsock_itp
!= NULL
) {
1457 ITP_REFRELE(ss
->spdsock_itp
, ns
);
1458 ss
->spdsock_itp
= NULL
;
1460 ss
->spdsock_dump_req
= NULL
;
1467 * Rule encoding functions.
1468 * We do a two-pass encode.
1469 * If base != NULL, fill in encoded rule part starting at base+offset.
1470 * Always return "offset" plus length of to-be-encoded data.
1473 spdsock_encode_typecode(uint8_t *base
, uint_t offset
, uint8_t type
,
1474 uint8_t type_end
, uint8_t code
, uint8_t code_end
)
1476 struct spd_typecode
*tcp
;
1478 ASSERT(ALIGNED64(offset
));
1481 tcp
= (struct spd_typecode
*)(base
+ offset
);
1482 tcp
->spd_typecode_len
= SPD_8TO64(sizeof (*tcp
));
1483 tcp
->spd_typecode_exttype
= SPD_EXT_ICMP_TYPECODE
;
1484 tcp
->spd_typecode_code
= code
;
1485 tcp
->spd_typecode_type
= type
;
1486 tcp
->spd_typecode_type_end
= type_end
;
1487 tcp
->spd_typecode_code_end
= code_end
;
1489 offset
+= sizeof (*tcp
);
1491 ASSERT(ALIGNED64(offset
));
1497 spdsock_encode_proto(uint8_t *base
, uint_t offset
, uint8_t proto
)
1499 struct spd_proto
*spp
;
1501 ASSERT(ALIGNED64(offset
));
1504 spp
= (struct spd_proto
*)(base
+ offset
);
1505 spp
->spd_proto_len
= SPD_8TO64(sizeof (*spp
));
1506 spp
->spd_proto_exttype
= SPD_EXT_PROTO
;
1507 spp
->spd_proto_number
= proto
;
1508 spp
->spd_proto_reserved1
= 0;
1509 spp
->spd_proto_reserved2
= 0;
1511 offset
+= sizeof (*spp
);
1513 ASSERT(ALIGNED64(offset
));
1519 spdsock_encode_port(uint8_t *base
, uint_t offset
, uint16_t ext
, uint16_t port
)
1521 struct spd_portrange
*spp
;
1523 ASSERT(ALIGNED64(offset
));
1526 spp
= (struct spd_portrange
*)(base
+ offset
);
1527 spp
->spd_ports_len
= SPD_8TO64(sizeof (*spp
));
1528 spp
->spd_ports_exttype
= ext
;
1529 spp
->spd_ports_minport
= port
;
1530 spp
->spd_ports_maxport
= port
;
1532 offset
+= sizeof (*spp
);
1534 ASSERT(ALIGNED64(offset
));
1540 spdsock_encode_addr(uint8_t *base
, uint_t offset
, uint16_t ext
,
1541 const ipsec_selkey_t
*sel
, const ipsec_addr_t
*addr
, uint_t pfxlen
)
1543 struct spd_address
*sae
;
1544 ipsec_addr_t
*spdaddr
;
1545 uint_t start
= offset
;
1549 if (sel
->ipsl_valid
& IPSL_IPV4
) {
1551 addrlen
= IP_ADDR_LEN
;
1554 addrlen
= IPV6_ADDR_LEN
;
1557 ASSERT(ALIGNED64(offset
));
1560 sae
= (struct spd_address
*)(base
+ offset
);
1561 sae
->spd_address_exttype
= ext
;
1562 sae
->spd_address_af
= af
;
1563 sae
->spd_address_prefixlen
= pfxlen
;
1564 sae
->spd_address_reserved2
= 0;
1566 spdaddr
= (ipsec_addr_t
*)(&sae
[1]);
1567 bcopy(addr
, spdaddr
, addrlen
);
1569 offset
+= sizeof (*sae
);
1570 addrlen
= roundup(addrlen
, sizeof (uint64_t));
1573 ASSERT(ALIGNED64(offset
));
1576 sae
->spd_address_len
= SPD_8TO64(offset
- start
);
1581 spdsock_encode_sel(uint8_t *base
, uint_t offset
, const ipsec_sel_t
*sel
)
1583 const ipsec_selkey_t
*selkey
= &sel
->ipsl_key
;
1585 if (selkey
->ipsl_valid
& IPSL_PROTOCOL
)
1586 offset
= spdsock_encode_proto(base
, offset
, selkey
->ipsl_proto
);
1587 if (selkey
->ipsl_valid
& IPSL_LOCAL_PORT
)
1588 offset
= spdsock_encode_port(base
, offset
, SPD_EXT_LCLPORT
,
1589 selkey
->ipsl_lport
);
1590 if (selkey
->ipsl_valid
& IPSL_REMOTE_PORT
)
1591 offset
= spdsock_encode_port(base
, offset
, SPD_EXT_REMPORT
,
1592 selkey
->ipsl_rport
);
1593 if (selkey
->ipsl_valid
& IPSL_REMOTE_ADDR
)
1594 offset
= spdsock_encode_addr(base
, offset
, SPD_EXT_REMADDR
,
1595 selkey
, &selkey
->ipsl_remote
, selkey
->ipsl_remote_pfxlen
);
1596 if (selkey
->ipsl_valid
& IPSL_LOCAL_ADDR
)
1597 offset
= spdsock_encode_addr(base
, offset
, SPD_EXT_LCLADDR
,
1598 selkey
, &selkey
->ipsl_local
, selkey
->ipsl_local_pfxlen
);
1599 if (selkey
->ipsl_valid
& IPSL_ICMP_TYPE
) {
1600 offset
= spdsock_encode_typecode(base
, offset
,
1601 selkey
->ipsl_icmp_type
, selkey
->ipsl_icmp_type_end
,
1602 (selkey
->ipsl_valid
& IPSL_ICMP_CODE
) ?
1603 selkey
->ipsl_icmp_code
: 255,
1604 (selkey
->ipsl_valid
& IPSL_ICMP_CODE
) ?
1605 selkey
->ipsl_icmp_code_end
: 255);
1611 spdsock_encode_actattr(uint8_t *base
, uint_t offset
, uint32_t tag
,
1614 struct spd_attribute
*attr
;
1616 ASSERT(ALIGNED64(offset
));
1619 attr
= (struct spd_attribute
*)(base
+ offset
);
1620 attr
->spd_attr_tag
= tag
;
1621 attr
->spd_attr_value
= value
;
1623 offset
+= sizeof (struct spd_attribute
);
1625 ASSERT(ALIGNED64(offset
));
1631 #define EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v))
1634 spdsock_encode_action(uint8_t *base
, uint_t offset
, const ipsec_action_t
*ap
)
1636 const struct ipsec_act
*act
= &(ap
->ipa_act
);
1639 EMIT(SPD_ATTR_EMPTY
, 0);
1640 switch (act
->ipa_type
) {
1641 case IPSEC_ACT_DISCARD
:
1642 case IPSEC_ACT_REJECT
:
1643 EMIT(SPD_ATTR_TYPE
, SPD_ACTTYPE_DROP
);
1645 case IPSEC_ACT_BYPASS
:
1646 case IPSEC_ACT_CLEAR
:
1647 EMIT(SPD_ATTR_TYPE
, SPD_ACTTYPE_PASS
);
1650 case IPSEC_ACT_APPLY
:
1651 EMIT(SPD_ATTR_TYPE
, SPD_ACTTYPE_IPSEC
);
1653 if (act
->ipa_apply
.ipp_use_ah
)
1654 flags
|= SPD_APPLY_AH
;
1655 if (act
->ipa_apply
.ipp_use_esp
)
1656 flags
|= SPD_APPLY_ESP
;
1657 if (act
->ipa_apply
.ipp_use_espa
)
1658 flags
|= SPD_APPLY_ESPA
;
1659 if (act
->ipa_apply
.ipp_use_se
)
1660 flags
|= SPD_APPLY_SE
;
1661 if (act
->ipa_apply
.ipp_use_unique
)
1662 flags
|= SPD_APPLY_UNIQUE
;
1663 EMIT(SPD_ATTR_FLAGS
, flags
);
1664 if (flags
& SPD_APPLY_AH
) {
1665 EMIT(SPD_ATTR_AH_AUTH
, act
->ipa_apply
.ipp_auth_alg
);
1666 EMIT(SPD_ATTR_AH_MINBITS
,
1667 act
->ipa_apply
.ipp_ah_minbits
);
1668 EMIT(SPD_ATTR_AH_MAXBITS
,
1669 act
->ipa_apply
.ipp_ah_maxbits
);
1671 if (flags
& SPD_APPLY_ESP
) {
1672 EMIT(SPD_ATTR_ESP_ENCR
, act
->ipa_apply
.ipp_encr_alg
);
1673 EMIT(SPD_ATTR_ENCR_MINBITS
,
1674 act
->ipa_apply
.ipp_espe_minbits
);
1675 EMIT(SPD_ATTR_ENCR_MAXBITS
,
1676 act
->ipa_apply
.ipp_espe_maxbits
);
1677 if (flags
& SPD_APPLY_ESPA
) {
1678 EMIT(SPD_ATTR_ESP_AUTH
,
1679 act
->ipa_apply
.ipp_esp_auth_alg
);
1680 EMIT(SPD_ATTR_ESPA_MINBITS
,
1681 act
->ipa_apply
.ipp_espa_minbits
);
1682 EMIT(SPD_ATTR_ESPA_MAXBITS
,
1683 act
->ipa_apply
.ipp_espa_maxbits
);
1686 if (act
->ipa_apply
.ipp_km_proto
!= 0)
1687 EMIT(SPD_ATTR_KM_PROTO
, act
->ipa_apply
.ipp_km_proto
);
1688 if (act
->ipa_apply
.ipp_km_cookie
!= 0)
1689 EMIT(SPD_ATTR_KM_PROTO
, act
->ipa_apply
.ipp_km_cookie
);
1690 if (act
->ipa_apply
.ipp_replay_depth
!= 0)
1691 EMIT(SPD_ATTR_REPLAY_DEPTH
,
1692 act
->ipa_apply
.ipp_replay_depth
);
1701 spdsock_encode_action_list(uint8_t *base
, uint_t offset
,
1702 const ipsec_action_t
*ap
)
1704 struct spd_ext_actions
*act
;
1706 uint_t start
= offset
;
1708 ASSERT(ALIGNED64(offset
));
1711 act
= (struct spd_ext_actions
*)(base
+ offset
);
1712 act
->spd_actions_len
= 0;
1713 act
->spd_actions_exttype
= SPD_EXT_ACTION
;
1714 act
->spd_actions_count
= 0;
1715 act
->spd_actions_reserved
= 0;
1718 offset
+= sizeof (*act
);
1720 ASSERT(ALIGNED64(offset
));
1722 while (ap
!= NULL
) {
1723 offset
= spdsock_encode_action(base
, offset
, ap
);
1727 EMIT(SPD_ATTR_NEXT
, 0);
1730 EMIT(SPD_ATTR_END
, 0);
1732 ASSERT(ALIGNED64(offset
));
1735 act
->spd_actions_count
= nact
;
1736 act
->spd_actions_len
= SPD_8TO64(offset
- start
);
1746 spdsock_rule_flags(uint_t dir
, uint_t af
)
1750 if (dir
== IPSEC_TYPE_INBOUND
)
1751 flags
|= SPD_RULE_FLAG_INBOUND
;
1752 if (dir
== IPSEC_TYPE_OUTBOUND
)
1753 flags
|= SPD_RULE_FLAG_OUTBOUND
;
1760 spdsock_encode_rule_head(uint8_t *base
, uint_t offset
, spd_msg_t
*req
,
1761 const ipsec_policy_t
*rule
, uint_t dir
, uint_t af
, char *name
,
1764 struct spd_msg
*spmsg
;
1765 struct spd_rule
*spr
;
1768 uint_t start
= offset
;
1770 ASSERT(ALIGNED64(offset
));
1773 spmsg
= (struct spd_msg
*)(base
+ offset
);
1774 bzero(spmsg
, sizeof (*spmsg
));
1775 spmsg
->spd_msg_version
= PF_POLICY_V1
;
1776 spmsg
->spd_msg_type
= SPD_DUMP
;
1777 spmsg
->spd_msg_seq
= req
->spd_msg_seq
;
1778 spmsg
->spd_msg_pid
= req
->spd_msg_pid
;
1780 offset
+= sizeof (struct spd_msg
);
1782 ASSERT(ALIGNED64(offset
));
1785 spr
= (struct spd_rule
*)(base
+ offset
);
1786 spr
->spd_rule_type
= SPD_EXT_RULE
;
1787 spr
->spd_rule_priority
= rule
->ipsp_prio
;
1788 spr
->spd_rule_flags
= spdsock_rule_flags(dir
, af
);
1790 spr
->spd_rule_flags
|= SPD_RULE_FLAG_TUNNEL
;
1791 spr
->spd_rule_unused
= 0;
1792 spr
->spd_rule_len
= SPD_8TO64(sizeof (*spr
));
1793 spr
->spd_rule_index
= rule
->ipsp_index
;
1795 offset
+= sizeof (struct spd_rule
);
1798 * If we have an interface name (i.e. if this policy head came from
1799 * a tunnel), add the SPD_EXT_TUN_NAME extension.
1803 ASSERT(ALIGNED64(offset
));
1806 sid
= (spd_if_t
*)(base
+ offset
);
1807 sid
->spd_if_exttype
= SPD_EXT_TUN_NAME
;
1808 sid
->spd_if_len
= SPD_8TO64(sizeof (spd_if_t
) +
1809 roundup((strlen(name
) - 4), 8));
1810 (void) strlcpy((char *)sid
->spd_if_name
, name
,
1814 offset
+= sizeof (spd_if_t
) + roundup((strlen(name
) - 4), 8);
1817 offset
= spdsock_encode_sel(base
, offset
, rule
->ipsp_sel
);
1818 offset
= spdsock_encode_action_list(base
, offset
, rule
->ipsp_act
);
1820 ASSERT(ALIGNED64(offset
));
1823 spmsg
->spd_msg_len
= SPD_8TO64(offset
- start
);
1830 spdsock_encode_rule(mblk_t
*req
, const ipsec_policy_t
*rule
,
1831 uint_t dir
, uint_t af
, char *name
, boolean_t tunnel
)
1835 spd_msg_t
*mreq
= (spd_msg_t
*)req
->b_rptr
;
1838 * Figure out how much space we'll need.
1840 len
= spdsock_encode_rule_head(NULL
, 0, mreq
, rule
, dir
, af
, name
,
1846 m
= allocb(len
, BPRI_HI
);
1853 m
->b_wptr
= m
->b_rptr
+ len
;
1854 bzero(m
->b_rptr
, len
);
1855 (void) spdsock_encode_rule_head(m
->b_rptr
, 0, mreq
, rule
, dir
, af
,
1860 static ipsec_policy_t
*
1861 spdsock_dump_next_in_chain(spdsock_t
*ss
, ipsec_policy_head_t
*iph
,
1862 ipsec_policy_t
*cur
)
1864 ASSERT(RW_READ_HELD(&iph
->iph_lock
));
1866 ss
->spdsock_dump_count
++;
1867 ss
->spdsock_dump_cur_rule
= cur
->ipsp_hash
.hash_next
;
1871 static ipsec_policy_t
*
1872 spdsock_dump_next_rule(spdsock_t
*ss
, ipsec_policy_head_t
*iph
)
1874 ipsec_policy_t
*cur
;
1875 ipsec_policy_root_t
*ipr
;
1876 int chain
, nchains
, type
, af
;
1878 ASSERT(RW_READ_HELD(&iph
->iph_lock
));
1880 cur
= ss
->spdsock_dump_cur_rule
;
1883 return (spdsock_dump_next_in_chain(ss
, iph
, cur
));
1885 type
= ss
->spdsock_dump_cur_type
;
1888 chain
= ss
->spdsock_dump_cur_chain
;
1889 ipr
= &iph
->iph_root
[type
];
1890 nchains
= ipr
->ipr_nchains
;
1892 while (chain
< nchains
) {
1893 cur
= ipr
->ipr_hash
[chain
].hash_head
;
1896 ss
->spdsock_dump_cur_chain
= chain
;
1897 return (spdsock_dump_next_in_chain(ss
, iph
, cur
));
1900 ss
->spdsock_dump_cur_chain
= nchains
;
1902 af
= ss
->spdsock_dump_cur_af
;
1903 while (af
< IPSEC_NAF
) {
1904 cur
= ipr
->ipr_nonhash
[af
];
1907 ss
->spdsock_dump_cur_af
= af
;
1908 return (spdsock_dump_next_in_chain(ss
, iph
, cur
));
1913 if (type
>= IPSEC_NTYPES
)
1916 ss
->spdsock_dump_cur_chain
= 0;
1917 ss
->spdsock_dump_cur_type
= type
;
1918 ss
->spdsock_dump_cur_af
= IPSEC_AF_V4
;
1924 * If we're done with one policy head, but have more to go, we iterate through
1925 * another IPsec tunnel policy head (itp). Return NULL if it is an error
1926 * worthy of returning EAGAIN via PF_POLICY.
1928 static ipsec_tun_pol_t
*
1929 spdsock_dump_iterate_next_tunnel(spdsock_t
*ss
, ipsec_stack_t
*ipss
)
1931 ipsec_tun_pol_t
*itp
;
1933 ASSERT(RW_READ_HELD(&ipss
->ipsec_tunnel_policy_lock
));
1934 if (ipss
->ipsec_tunnel_policy_gen
> ss
->spdsock_dump_tun_gen
) {
1935 /* Oops, state of the tunnel polheads changed. */
1937 } else if (ss
->spdsock_itp
== NULL
) {
1938 /* Just finished global, find first node. */
1939 itp
= avl_first(&ipss
->ipsec_tunnel_policies
);
1941 /* We just finished current polhead, find the next one. */
1942 itp
= AVL_NEXT(&ipss
->ipsec_tunnel_policies
, ss
->spdsock_itp
);
1947 if (ss
->spdsock_itp
!= NULL
) {
1948 ITP_REFRELE(ss
->spdsock_itp
, ipss
->ipsec_netstack
);
1950 ss
->spdsock_itp
= itp
;
1955 spdsock_dump_next_record(spdsock_t
*ss
)
1957 ipsec_policy_head_t
*iph
;
1958 ipsec_policy_t
*rule
;
1960 ipsec_tun_pol_t
*itp
;
1961 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
1962 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
1964 iph
= ss
->spdsock_dump_head
;
1966 ASSERT(iph
!= NULL
);
1968 rw_enter(&iph
->iph_lock
, RW_READER
);
1970 if (iph
->iph_gen
!= ss
->spdsock_dump_gen
) {
1971 rw_exit(&iph
->iph_lock
);
1972 return (spdsock_dump_finish(ss
, EAGAIN
));
1975 while ((rule
= spdsock_dump_next_rule(ss
, iph
)) == NULL
) {
1976 rw_exit(&iph
->iph_lock
);
1977 if (--(ss
->spdsock_dump_remaining_polheads
) == 0)
1978 return (spdsock_dump_finish(ss
, 0));
1982 * If we reach here, we have more policy heads (tunnel
1983 * entries) to dump. Let's reset to a new policy head
1984 * and get some more rules.
1986 * An empty policy head will have spdsock_dump_next_rule()
1987 * return NULL, and we loop (while dropping the number of
1988 * remaining polheads). If we loop to 0, we finish. We
1989 * keep looping until we hit 0 or until we have a rule to
1992 * NOTE: No need for ITP_REF*() macros here as we're only
1993 * going after and refholding the policy head itself.
1995 rw_enter(&ipss
->ipsec_tunnel_policy_lock
, RW_READER
);
1996 itp
= spdsock_dump_iterate_next_tunnel(ss
, ipss
);
1998 rw_exit(&ipss
->ipsec_tunnel_policy_lock
);
1999 return (spdsock_dump_finish(ss
, EAGAIN
));
2002 /* Reset other spdsock_dump thingies. */
2003 IPPH_REFRELE(ss
->spdsock_dump_head
, ns
);
2004 if (ss
->spdsock_dump_active
) {
2005 ss
->spdsock_dump_tunnel
=
2006 itp
->itp_flags
& ITPF_P_TUNNEL
;
2007 iph
= itp
->itp_policy
;
2009 ss
->spdsock_dump_tunnel
=
2010 itp
->itp_flags
& ITPF_I_TUNNEL
;
2011 iph
= itp
->itp_inactive
;
2014 rw_exit(&ipss
->ipsec_tunnel_policy_lock
);
2016 rw_enter(&iph
->iph_lock
, RW_READER
);
2017 RESET_SPDSOCK_DUMP_POLHEAD(ss
, iph
);
2020 m
= spdsock_encode_rule(ss
->spdsock_dump_req
, rule
,
2021 ss
->spdsock_dump_cur_type
, ss
->spdsock_dump_cur_af
,
2022 (ss
->spdsock_itp
== NULL
) ? NULL
: ss
->spdsock_itp
->itp_name
,
2023 ss
->spdsock_dump_tunnel
);
2024 rw_exit(&iph
->iph_lock
);
2027 return (spdsock_dump_finish(ss
, ENOMEM
));
2032 * Dump records until we run into flow-control back-pressure.
2035 spdsock_dump_some(queue_t
*q
, spdsock_t
*ss
)
2037 mblk_t
*m
, *dataind
;
2039 while ((ss
->spdsock_dump_req
!= NULL
) && canputnext(q
)) {
2040 m
= spdsock_dump_next_record(ss
);
2043 dataind
= allocb(sizeof (struct T_data_req
), BPRI_HI
);
2044 if (dataind
== NULL
) {
2048 dataind
->b_cont
= m
;
2049 dataind
->b_wptr
+= sizeof (struct T_data_req
);
2050 ((struct T_data_ind
*)dataind
->b_rptr
)->PRIM_type
= T_DATA_IND
;
2051 ((struct T_data_ind
*)dataind
->b_rptr
)->MORE_flag
= 0;
2052 dataind
->b_datap
->db_type
= M_PROTO
;
2053 putnext(q
, dataind
);
2059 * Format a start-of-dump record, and set up the stream and kick the rsrv
2060 * procedure to continue the job..
2064 spdsock_dump(queue_t
*q
, ipsec_policy_head_t
*iph
, mblk_t
*mp
)
2066 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2067 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
2068 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
2071 /* spdsock_open() already set spdsock_itp to NULL. */
2072 if (iph
== ALL_ACTIVE_POLHEADS
|| iph
== ALL_INACTIVE_POLHEADS
) {
2073 rw_enter(&ipss
->ipsec_tunnel_policy_lock
, RW_READER
);
2074 ss
->spdsock_dump_remaining_polheads
= 1 +
2075 avl_numnodes(&ipss
->ipsec_tunnel_policies
);
2076 ss
->spdsock_dump_tun_gen
= ipss
->ipsec_tunnel_policy_gen
;
2077 rw_exit(&ipss
->ipsec_tunnel_policy_lock
);
2078 if (iph
== ALL_ACTIVE_POLHEADS
) {
2079 iph
= ipsec_system_policy(ns
);
2080 ss
->spdsock_dump_active
= B_TRUE
;
2082 iph
= ipsec_inactive_policy(ns
);
2083 ss
->spdsock_dump_active
= B_FALSE
;
2085 ASSERT(ss
->spdsock_itp
== NULL
);
2087 ss
->spdsock_dump_remaining_polheads
= 1;
2090 rw_enter(&iph
->iph_lock
, RW_READER
);
2092 mr
= spdsock_dump_ruleset(mp
, iph
, 0, 0);
2095 rw_exit(&iph
->iph_lock
);
2096 spdsock_error(q
, mp
, ENOMEM
, 0);
2100 ss
->spdsock_dump_req
= mp
;
2101 RESET_SPDSOCK_DUMP_POLHEAD(ss
, iph
);
2103 rw_exit(&iph
->iph_lock
);
2109 /* Do NOT consume a reference to ITP. */
2111 spdsock_clone_node(ipsec_tun_pol_t
*itp
, void *ep
, netstack_t
*ns
)
2113 int *errptr
= (int *)ep
;
2116 return; /* We've failed already for some reason. */
2117 mutex_enter(&itp
->itp_lock
);
2118 ITPF_CLONE(itp
->itp_flags
);
2119 *errptr
= ipsec_copy_polhead(itp
->itp_policy
, itp
->itp_inactive
, ns
);
2120 mutex_exit(&itp
->itp_lock
);
2124 spdsock_clone(queue_t
*q
, mblk_t
*mp
, spd_if_t
*tunname
)
2128 ipsec_tun_pol_t
*itp
;
2129 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2130 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
2131 uint32_t auditing
= AU_AUDITING();
2133 if (tunname
!= NULL
) {
2134 tname
= (char *)tunname
->spd_if_name
;
2135 if (*tname
== '\0') {
2136 error
= ipsec_clone_system_policy(ns
);
2139 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
2143 cr
= msg_getcred(mp
, &cpid
);
2144 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
2145 audit_pf_policy(SPD_CLONE
, cr
, ns
,
2146 NULL
, active
, error
, cpid
);
2149 itp_walk(spdsock_clone_node
, &error
, ns
);
2153 (spd_msg_t
*)mp
->b_rptr
;
2157 cr
= msg_getcred(mp
, &cpid
);
2158 active
= (spmsg
->spd_msg_spdid
==
2160 audit_pf_policy(SPD_CLONE
, cr
,
2161 ns
, "all tunnels", active
, 0,
2166 itp
= get_tunnel_policy(tname
, ns
);
2168 spdsock_error(q
, mp
, ENOENT
, 0);
2172 (spd_msg_t
*)mp
->b_rptr
;
2176 cr
= msg_getcred(mp
, &cpid
);
2177 active
= (spmsg
->spd_msg_spdid
==
2179 audit_pf_policy(SPD_CLONE
, cr
,
2180 ns
, NULL
, active
, ENOENT
, cpid
);
2184 spdsock_clone_node(itp
, &error
, NULL
);
2187 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
2191 cr
= msg_getcred(mp
, &cpid
);
2192 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
2193 audit_pf_policy(SPD_CLONE
, cr
, ns
,
2194 ITP_NAME(itp
), active
, error
, cpid
);
2196 ITP_REFRELE(itp
, ns
);
2199 error
= ipsec_clone_system_policy(ns
);
2202 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
2206 cr
= msg_getcred(mp
, &cpid
);
2207 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
2208 audit_pf_policy(SPD_CLONE
, cr
, ns
, NULL
,
2209 active
, error
, cpid
);
2214 spdsock_error(q
, mp
, error
, 0);
2220 * Process a SPD_ALGLIST request. The caller expects separate alg entries
2221 * for AH authentication, ESP authentication, and ESP encryption.
2222 * The same distinction is then used when setting the min and max key
2223 * sizes when defining policies.
2226 #define SPDSOCK_AH_AUTH 0
2227 #define SPDSOCK_ESP_AUTH 1
2228 #define SPDSOCK_ESP_ENCR 2
2229 #define SPDSOCK_NTYPES 3
2231 static const uint_t algattr
[SPDSOCK_NTYPES
] = {
2236 static const uint_t minbitsattr
[SPDSOCK_NTYPES
] = {
2237 SPD_ATTR_AH_MINBITS
,
2238 SPD_ATTR_ESPA_MINBITS
,
2239 SPD_ATTR_ENCR_MINBITS
2241 static const uint_t maxbitsattr
[SPDSOCK_NTYPES
] = {
2242 SPD_ATTR_AH_MAXBITS
,
2243 SPD_ATTR_ESPA_MAXBITS
,
2244 SPD_ATTR_ENCR_MAXBITS
2246 static const uint_t defbitsattr
[SPDSOCK_NTYPES
] = {
2247 SPD_ATTR_AH_DEFBITS
,
2248 SPD_ATTR_ESPA_DEFBITS
,
2249 SPD_ATTR_ENCR_DEFBITS
2251 static const uint_t incrbitsattr
[SPDSOCK_NTYPES
] = {
2252 SPD_ATTR_AH_INCRBITS
,
2253 SPD_ATTR_ESPA_INCRBITS
,
2254 SPD_ATTR_ENCR_INCRBITS
2257 #define ATTRPERALG 6 /* fixed attributes per algs */
2260 spdsock_alglist(queue_t
*q
, mblk_t
*mp
)
2269 struct spd_ext_actions
*act
;
2270 struct spd_attribute
*attr
;
2271 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2272 ipsec_stack_t
*ipss
= ss
->spdsock_spds
->spds_netstack
->netstack_ipsec
;
2274 rw_enter(&ipss
->ipsec_alg_lock
, RW_READER
);
2276 * The SPD client expects to receive separate entries for
2277 * AH authentication and ESP authentication supported algorithms.
2279 * Don't return the "any" algorithms, if defined, as no
2280 * kernel policies can be set for these algorithms.
2282 algcount
= 2 * ipss
->ipsec_nalgs
[IPSEC_ALG_AUTH
] +
2283 ipss
->ipsec_nalgs
[IPSEC_ALG_ENCR
];
2285 if (ipss
->ipsec_alglists
[IPSEC_ALG_AUTH
][SADB_AALG_NONE
] != NULL
)
2287 if (ipss
->ipsec_alglists
[IPSEC_ALG_ENCR
][SADB_EALG_NONE
] != NULL
)
2291 * For each algorithm, we encode:
2292 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2295 size
= sizeof (spd_msg_t
) + sizeof (struct spd_ext_actions
) +
2296 ATTRPERALG
* sizeof (struct spd_attribute
) * algcount
;
2298 ASSERT(ALIGNED64(size
));
2300 m
= allocb(size
, BPRI_HI
);
2302 rw_exit(&ipss
->ipsec_alg_lock
);
2303 spdsock_error(q
, mp
, ENOMEM
, 0);
2307 m
->b_wptr
= m
->b_rptr
+ size
;
2310 msg
= (spd_msg_t
*)cur
;
2311 bcopy(mp
->b_rptr
, cur
, sizeof (*msg
));
2313 msg
->spd_msg_len
= SPD_8TO64(size
);
2314 msg
->spd_msg_errno
= 0;
2315 msg
->spd_msg_diagnostic
= 0;
2317 cur
+= sizeof (*msg
);
2319 act
= (struct spd_ext_actions
*)cur
;
2320 cur
+= sizeof (*act
);
2322 act
->spd_actions_len
= SPD_8TO64(size
- sizeof (spd_msg_t
));
2323 act
->spd_actions_exttype
= SPD_EXT_ACTION
;
2324 act
->spd_actions_count
= algcount
;
2325 act
->spd_actions_reserved
= 0;
2327 attr
= (struct spd_attribute
*)cur
;
2329 #define EMIT(tag, value) { \
2330 attr->spd_attr_tag = (tag); \
2331 attr->spd_attr_value = (value); \
2336 * If you change the number of EMIT's here, change
2337 * ATTRPERALG above to match
2339 #define EMITALGATTRS(_type) { \
2340 EMIT(algattr[_type], algid); /* 1 */ \
2341 EMIT(minbitsattr[_type], minbits); /* 2 */ \
2342 EMIT(maxbitsattr[_type], maxbits); /* 3 */ \
2343 EMIT(defbitsattr[_type], defbits); /* 4 */ \
2344 EMIT(incrbitsattr[_type], incr); /* 5 */ \
2345 EMIT(SPD_ATTR_NEXT, 0); /* 6 */ \
2348 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
2349 for (algidx
= 0; algidx
< ipss
->ipsec_nalgs
[algtype
];
2351 int algid
= ipss
->ipsec_sortlist
[algtype
][algidx
];
2352 ipsec_alginfo_t
*alg
=
2353 ipss
->ipsec_alglists
[algtype
][algid
];
2354 uint_t minbits
= alg
->alg_minbits
;
2355 uint_t maxbits
= alg
->alg_maxbits
;
2356 uint_t defbits
= alg
->alg_default_bits
;
2357 uint_t incr
= alg
->alg_increment
;
2359 if (algtype
== IPSEC_ALG_AUTH
) {
2360 if (algid
== SADB_AALG_NONE
)
2362 EMITALGATTRS(SPDSOCK_AH_AUTH
);
2363 EMITALGATTRS(SPDSOCK_ESP_AUTH
);
2365 if (algid
== SADB_EALG_NONE
)
2367 ASSERT(algtype
== IPSEC_ALG_ENCR
);
2368 EMITALGATTRS(SPDSOCK_ESP_ENCR
);
2373 rw_exit(&ipss
->ipsec_alg_lock
);
2380 attr
->spd_attr_tag
= SPD_ATTR_END
;
2387 * Process a SPD_DUMPALGS request.
2390 #define ATTRPERALG 9 /* fixed attributes per algs */
2393 spdsock_dumpalgs(queue_t
*q
, mblk_t
*mp
)
2401 struct spd_ext_actions
*act
;
2402 struct spd_attribute
*attr
;
2403 ipsec_alginfo_t
*alg
;
2407 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2408 ipsec_stack_t
*ipss
= ss
->spdsock_spds
->spds_netstack
->netstack_ipsec
;
2410 rw_enter(&ipss
->ipsec_alg_lock
, RW_READER
);
2413 * For each algorithm, we encode:
2414 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2416 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE*
2417 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_NPARAMS / ALG_PARAMS* /
2418 * ALG_MECHNAME / ALG_FLAGS / {END, NEXT}
2422 * Compute the size of the SPD message.
2424 size
= sizeof (spd_msg_t
) + sizeof (struct spd_ext_actions
);
2426 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
2427 for (algidx
= 0; algidx
< ipss
->ipsec_nalgs
[algtype
];
2429 algid
= ipss
->ipsec_sortlist
[algtype
][algidx
];
2430 alg
= ipss
->ipsec_alglists
[algtype
][algid
];
2431 alg_size
= sizeof (struct spd_attribute
) *
2432 (ATTRPERALG
+ alg
->alg_nkey_sizes
+
2433 alg
->alg_nblock_sizes
+ alg
->alg_nparams
) +
2434 CRYPTO_MAX_MECH_NAME
;
2439 ASSERT(ALIGNED64(size
));
2441 m
= allocb(size
, BPRI_HI
);
2443 rw_exit(&ipss
->ipsec_alg_lock
);
2444 spdsock_error(q
, mp
, ENOMEM
, 0);
2448 m
->b_wptr
= m
->b_rptr
+ size
;
2451 msg
= (spd_msg_t
*)cur
;
2452 bcopy(mp
->b_rptr
, cur
, sizeof (*msg
));
2454 msg
->spd_msg_len
= SPD_8TO64(size
);
2455 msg
->spd_msg_errno
= 0;
2456 msg
->spd_msg_type
= SPD_ALGLIST
;
2458 msg
->spd_msg_diagnostic
= 0;
2460 cur
+= sizeof (*msg
);
2462 act
= (struct spd_ext_actions
*)cur
;
2463 cur
+= sizeof (*act
);
2465 act
->spd_actions_len
= SPD_8TO64(size
- sizeof (spd_msg_t
));
2466 act
->spd_actions_exttype
= SPD_EXT_ACTION
;
2467 act
->spd_actions_count
= ipss
->ipsec_nalgs
[IPSEC_ALG_AUTH
] +
2468 ipss
->ipsec_nalgs
[IPSEC_ALG_ENCR
];
2469 act
->spd_actions_reserved
= 0;
2472 * If there aren't any algorithms registered, return an empty message.
2473 * spdsock_get_ext() knows how to deal with this.
2475 if (act
->spd_actions_count
== 0) {
2476 act
->spd_actions_len
= 0;
2477 rw_exit(&ipss
->ipsec_alg_lock
);
2481 attr
= (struct spd_attribute
*)cur
;
2483 #define EMIT(tag, value) { \
2484 attr->spd_attr_tag = (tag); \
2485 attr->spd_attr_value = (value); \
2489 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
2490 for (algidx
= 0; algidx
< ipss
->ipsec_nalgs
[algtype
];
2493 algid
= ipss
->ipsec_sortlist
[algtype
][algidx
];
2494 alg
= ipss
->ipsec_alglists
[algtype
][algid
];
2497 * If you change the number of EMIT's here, change
2498 * ATTRPERALG above to match
2500 EMIT(SPD_ATTR_ALG_ID
, algid
);
2501 EMIT(SPD_ATTR_ALG_PROTO
, algproto
[algtype
]);
2502 EMIT(SPD_ATTR_ALG_INCRBITS
, alg
->alg_increment
);
2503 EMIT(SPD_ATTR_ALG_NKEYSIZES
, alg
->alg_nkey_sizes
);
2504 for (i
= 0; i
< alg
->alg_nkey_sizes
; i
++)
2505 EMIT(SPD_ATTR_ALG_KEYSIZE
,
2506 alg
->alg_key_sizes
[i
]);
2508 EMIT(SPD_ATTR_ALG_NBLOCKSIZES
, alg
->alg_nblock_sizes
);
2509 for (i
= 0; i
< alg
->alg_nblock_sizes
; i
++)
2510 EMIT(SPD_ATTR_ALG_BLOCKSIZE
,
2511 alg
->alg_block_sizes
[i
]);
2513 EMIT(SPD_ATTR_ALG_NPARAMS
, alg
->alg_nparams
);
2514 for (i
= 0; i
< alg
->alg_nparams
; i
++)
2515 EMIT(SPD_ATTR_ALG_PARAMS
,
2516 alg
->alg_params
[i
]);
2518 EMIT(SPD_ATTR_ALG_FLAGS
, alg
->alg_flags
);
2520 EMIT(SPD_ATTR_ALG_MECHNAME
, CRYPTO_MAX_MECH_NAME
);
2521 bcopy(alg
->alg_mech_name
, attr
, CRYPTO_MAX_MECH_NAME
);
2522 attr
= (struct spd_attribute
*)((char *)attr
+
2523 CRYPTO_MAX_MECH_NAME
);
2525 EMIT(SPD_ATTR_NEXT
, 0);
2529 rw_exit(&ipss
->ipsec_alg_lock
);
2536 attr
->spd_attr_tag
= SPD_ATTR_END
;
2544 * Do the actual work of processing an SPD_UPDATEALGS request. Can
2545 * be invoked either once IPsec is loaded on a cached request, or
2546 * when a request is received while IPsec is loaded.
2549 spdsock_do_updatealg(spd_ext_t
*extv
[], spd_stack_t
*spds
)
2551 struct spd_ext_actions
*actp
;
2552 struct spd_attribute
*attr
, *endattr
;
2553 uint64_t *start
, *end
;
2554 ipsec_alginfo_t
*alg
= NULL
;
2555 ipsec_algtype_t alg_type
= 0;
2556 boolean_t skip_alg
= B_TRUE
, doing_proto
= B_FALSE
;
2557 uint_t i
, cur_key
, cur_block
, algid
;
2560 ASSERT(MUTEX_HELD(&spds
->spds_alg_lock
));
2562 /* parse the message, building the list of algorithms */
2564 actp
= (struct spd_ext_actions
*)extv
[SPD_EXT_ACTION
];
2566 return (SPD_DIAGNOSTIC_NO_ACTION_EXT
);
2568 start
= (uint64_t *)actp
;
2569 end
= (start
+ actp
->spd_actions_len
);
2570 endattr
= (struct spd_attribute
*)end
;
2571 attr
= (struct spd_attribute
*)&actp
[1];
2573 bzero(spds
->spds_algs
, IPSEC_NALGTYPES
* IPSEC_MAX_ALGS
*
2574 sizeof (ipsec_alginfo_t
*));
2576 alg
= kmem_zalloc(sizeof (*alg
), KM_SLEEP
);
2578 #define ALG_KEY_SIZES(a) (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t))
2579 #define ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t))
2580 #define ALG_PARAM_SIZES(a) (((a)->alg_nparams + 1) * sizeof (uint16_t))
2582 while (attr
< endattr
) {
2583 switch (attr
->spd_attr_tag
) {
2585 case SPD_ATTR_EMPTY
:
2592 doing_proto
= B_FALSE
;
2596 ipsec_alg_free(alg
);
2599 spds
->spds_algs
[alg_type
][alg
->alg_id
]);
2600 spds
->spds_algs
[alg_type
][alg
->alg_id
] =
2603 alg
= kmem_zalloc(sizeof (*alg
), KM_SLEEP
);
2606 case SPD_ATTR_ALG_ID
:
2607 if (attr
->spd_attr_value
>= IPSEC_MAX_ALGS
) {
2608 ss1dbg(spds
, ("spdsock_do_updatealg: "
2609 "invalid alg id %d\n",
2610 attr
->spd_attr_value
));
2611 diag
= SPD_DIAGNOSTIC_ALG_ID_RANGE
;
2614 alg
->alg_id
= attr
->spd_attr_value
;
2617 case SPD_ATTR_ALG_PROTO
:
2618 /* find the alg type */
2619 for (i
= 0; i
< NALGPROTOS
; i
++)
2620 if (algproto
[i
] == attr
->spd_attr_value
)
2622 skip_alg
= (i
== NALGPROTOS
);
2627 case SPD_ATTR_ALG_INCRBITS
:
2628 alg
->alg_increment
= attr
->spd_attr_value
;
2631 case SPD_ATTR_ALG_NKEYSIZES
:
2632 if (alg
->alg_key_sizes
!= NULL
) {
2633 kmem_free(alg
->alg_key_sizes
,
2634 ALG_KEY_SIZES(alg
));
2636 alg
->alg_nkey_sizes
= attr
->spd_attr_value
;
2638 * Allocate room for the trailing zero key size
2641 alg
->alg_key_sizes
= kmem_zalloc(ALG_KEY_SIZES(alg
),
2646 case SPD_ATTR_ALG_KEYSIZE
:
2647 if (alg
->alg_key_sizes
== NULL
||
2648 cur_key
>= alg
->alg_nkey_sizes
) {
2649 ss1dbg(spds
, ("spdsock_do_updatealg: "
2650 "too many key sizes\n"));
2651 diag
= SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES
;
2654 alg
->alg_key_sizes
[cur_key
++] = attr
->spd_attr_value
;
2657 case SPD_ATTR_ALG_FLAGS
:
2659 * Flags (bit mask). The alg_flags element of
2660 * ipsecalg_flags_t is only 8 bits wide. The
2661 * user can set the VALID bit, but we will ignore it
2662 * and make the decision is the algorithm is valid.
2664 alg
->alg_flags
|= (uint8_t)attr
->spd_attr_value
;
2667 case SPD_ATTR_ALG_NBLOCKSIZES
:
2668 if (alg
->alg_block_sizes
!= NULL
) {
2669 kmem_free(alg
->alg_block_sizes
,
2670 ALG_BLOCK_SIZES(alg
));
2672 alg
->alg_nblock_sizes
= attr
->spd_attr_value
;
2674 * Allocate room for the trailing zero block size
2677 alg
->alg_block_sizes
= kmem_zalloc(ALG_BLOCK_SIZES(alg
),
2682 case SPD_ATTR_ALG_BLOCKSIZE
:
2683 if (alg
->alg_block_sizes
== NULL
||
2684 cur_block
>= alg
->alg_nblock_sizes
) {
2685 ss1dbg(spds
, ("spdsock_do_updatealg: "
2686 "too many block sizes\n"));
2687 diag
= SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES
;
2690 alg
->alg_block_sizes
[cur_block
++] =
2691 attr
->spd_attr_value
;
2694 case SPD_ATTR_ALG_NPARAMS
:
2695 if (alg
->alg_params
!= NULL
) {
2696 kmem_free(alg
->alg_params
,
2697 ALG_PARAM_SIZES(alg
));
2699 alg
->alg_nparams
= attr
->spd_attr_value
;
2701 * Allocate room for the trailing zero block size
2704 alg
->alg_params
= kmem_zalloc(ALG_PARAM_SIZES(alg
),
2709 case SPD_ATTR_ALG_PARAMS
:
2710 if (alg
->alg_params
== NULL
||
2711 cur_block
>= alg
->alg_nparams
) {
2712 ss1dbg(spds
, ("spdsock_do_updatealg: "
2713 "too many params\n"));
2714 diag
= SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES
;
2718 * Array contains: iv_len, icv_len, salt_len
2719 * Any additional parameters are currently ignored.
2721 alg
->alg_params
[cur_block
++] =
2722 attr
->spd_attr_value
;
2725 case SPD_ATTR_ALG_MECHNAME
: {
2728 if (attr
->spd_attr_value
> CRYPTO_MAX_MECH_NAME
) {
2729 ss1dbg(spds
, ("spdsock_do_updatealg: "
2730 "mech name too long\n"));
2731 diag
= SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN
;
2734 mech_name
= (char *)(attr
+ 1);
2735 bcopy(mech_name
, alg
->alg_mech_name
,
2736 attr
->spd_attr_value
);
2737 alg
->alg_mech_name
[CRYPTO_MAX_MECH_NAME
-1] = '\0';
2738 attr
= (struct spd_attribute
*)((char *)attr
+
2739 attr
->spd_attr_value
);
2743 case SPD_ATTR_PROTO_ID
:
2744 doing_proto
= B_TRUE
;
2745 for (i
= 0; i
< NALGPROTOS
; i
++) {
2746 if (algproto
[i
] == attr
->spd_attr_value
) {
2753 case SPD_ATTR_PROTO_EXEC_MODE
:
2756 for (i
= 0; i
< NEXECMODES
; i
++) {
2757 if (execmodes
[i
] == attr
->spd_attr_value
) {
2758 spds
->spds_algs_exec_mode
[alg_type
] = i
;
2767 #undef ALG_KEY_SIZES
2768 #undef ALG_BLOCK_SIZES
2769 #undef ALG_PARAM_SIZES
2771 /* update the algorithm tables */
2772 spdsock_merge_algs(spds
);
2775 ipsec_alg_free(alg
);
2776 for (alg_type
= 0; alg_type
< IPSEC_NALGTYPES
; alg_type
++)
2777 for (algid
= 0; algid
< IPSEC_MAX_ALGS
; algid
++)
2778 if (spds
->spds_algs
[alg_type
][algid
] != NULL
)
2779 ipsec_alg_free(spds
->spds_algs
[alg_type
][algid
]);
2784 * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue
2785 * the request until IPsec loads. If IPsec is loaded, act on it
2790 spdsock_updatealg(queue_t
*q
, mblk_t
*mp
, spd_ext_t
*extv
[])
2792 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2793 spd_stack_t
*spds
= ss
->spdsock_spds
;
2794 ipsec_stack_t
*ipss
= spds
->spds_netstack
->netstack_ipsec
;
2795 uint32_t auditing
= AU_AUDITING();
2797 if (!ipsec_loaded(ipss
)) {
2799 * IPsec is not loaded, save request and return nicely,
2800 * the message will be processed once IPsec loads.
2804 /* last update message wins */
2805 if ((new_mp
= copymsg(mp
)) == NULL
) {
2806 spdsock_error(q
, mp
, ENOMEM
, 0);
2809 mutex_enter(&spds
->spds_alg_lock
);
2810 bcopy(extv
, spds
->spds_extv_algs
,
2811 sizeof (spd_ext_t
*) * (SPD_EXT_MAX
+ 1));
2812 if (spds
->spds_mp_algs
!= NULL
)
2813 freemsg(spds
->spds_mp_algs
);
2814 spds
->spds_mp_algs
= mp
;
2815 mutex_exit(&spds
->spds_alg_lock
);
2820 cr
= msg_getcred(mp
, &cpid
);
2821 audit_pf_policy(SPD_UPDATEALGS
, cr
,
2822 spds
->spds_netstack
, NULL
, B_TRUE
, EAGAIN
,
2825 spd_echo(q
, new_mp
);
2828 * IPsec is loaded, act on the message immediately.
2832 mutex_enter(&spds
->spds_alg_lock
);
2833 diag
= spdsock_do_updatealg(extv
, spds
);
2835 /* Keep the lock held while we walk the SA tables. */
2836 sadb_alg_update(IPSEC_ALG_ALL
, 0, 0,
2837 spds
->spds_netstack
);
2838 mutex_exit(&spds
->spds_alg_lock
);
2844 cr
= msg_getcred(mp
, &cpid
);
2845 audit_pf_policy(SPD_UPDATEALGS
, cr
,
2846 spds
->spds_netstack
, NULL
, B_TRUE
, 0,
2850 mutex_exit(&spds
->spds_alg_lock
);
2851 spdsock_diag(q
, mp
, diag
);
2856 cr
= msg_getcred(mp
, &cpid
);
2857 audit_pf_policy(SPD_UPDATEALGS
, cr
,
2858 spds
->spds_netstack
, NULL
, B_TRUE
, diag
,
2866 * Find a tunnel instance (using the name to link ID mapping), and
2867 * update it after an IPsec change. We need to do this always in case
2868 * we add policy AFTER plumbing a tunnel. We also need to do this
2869 * because, as a side-effect, the tunnel's MTU is updated to reflect
2870 * any IPsec overhead in the itp's policy.
2873 update_iptun_policy(ipsec_tun_pol_t
*itp
)
2875 datalink_id_t linkid
;
2877 if (dls_mgmt_get_linkid(itp
->itp_name
, &linkid
) == 0)
2878 iptun_set_policy(linkid
, itp
);
2882 * Sort through the mess of polhead options to retrieve an appropriate one.
2883 * Returns NULL if we send an spdsock error. Returns a valid pointer if we
2884 * found a valid polhead. Returns ALL_ACTIVE_POLHEADS (aka. -1) or
2885 * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to
2886 * act on ALL policy heads.
2888 static ipsec_policy_head_t
*
2889 get_appropriate_polhead(queue_t
*q
, mblk_t
*mp
, spd_if_t
*tunname
, int spdid
,
2890 int msgtype
, ipsec_tun_pol_t
**itpp
)
2892 ipsec_tun_pol_t
*itp
;
2893 ipsec_policy_head_t
*iph
;
2897 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2898 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
2899 uint64_t gen
; /* Placeholder */
2901 active
= (spdid
== SPD_ACTIVE
);
2903 if (!active
&& spdid
!= SPD_STANDBY
) {
2904 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_BAD_SPDID
);
2908 if (tunname
!= NULL
) {
2909 /* Acting on a tunnel's SPD. */
2910 tname
= (char *)tunname
->spd_if_name
;
2911 if (*tname
== '\0') {
2912 /* Handle all-polhead cases here. */
2913 if (msgtype
!= SPD_FLUSH
&& msgtype
!= SPD_DUMP
) {
2915 SPD_DIAGNOSTIC_NOT_GLOBAL_OP
);
2918 return (active
? ALL_ACTIVE_POLHEADS
:
2919 ALL_INACTIVE_POLHEADS
);
2922 itp
= get_tunnel_policy(tname
, ns
);
2924 if (msgtype
!= SPD_ADDRULE
) {
2925 /* "Tunnel not found" */
2926 spdsock_error(q
, mp
, ENOENT
, 0);
2931 itp
= create_tunnel_policy(tname
, &errno
, &gen
, ns
);
2934 * Something very bad happened, most likely
2935 * ENOMEM. Return an indicator.
2937 spdsock_error(q
, mp
, errno
, 0);
2942 /* Match up the itp to an iptun instance. */
2943 update_iptun_policy(itp
);
2946 /* For spdsock dump state, set the polhead's name. */
2947 if (msgtype
== SPD_DUMP
) {
2949 ss
->spdsock_itp
= itp
;
2950 ss
->spdsock_dump_tunnel
= itp
->itp_flags
&
2951 (active
? ITPF_P_TUNNEL
: ITPF_I_TUNNEL
);
2955 /* For spdsock dump state, indicate it's global policy. */
2956 if (msgtype
== SPD_DUMP
)
2957 ss
->spdsock_itp
= NULL
;
2961 iph
= (itp
== NULL
) ? ipsec_system_policy(ns
) : itp
->itp_policy
;
2963 iph
= (itp
== NULL
) ? ipsec_inactive_policy(ns
) :
2966 ASSERT(iph
!= NULL
);
2975 spdsock_parse(queue_t
*q
, mblk_t
*mp
)
2978 spd_ext_t
*extv
[SPD_EXT_MAX
+ 1];
2980 ipsec_policy_head_t
*iph
;
2981 ipsec_tun_pol_t
*itp
;
2983 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2984 spd_stack_t
*spds
= ss
->spdsock_spds
;
2985 netstack_t
*ns
= spds
->spds_netstack
;
2986 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
2988 /* Make sure nothing's below me. */
2989 ASSERT(WR(q
)->q_next
== NULL
);
2991 spmsg
= (spd_msg_t
*)mp
->b_rptr
;
2993 msgsize
= SPD_64TO8(spmsg
->spd_msg_len
);
2995 if (msgdsize(mp
) != msgsize
) {
2997 * Message len incorrect w.r.t. actual size. Send an error
2998 * (EMSGSIZE). It may be necessary to massage things a
2999 * bit. For example, if the spd_msg_type is hosed,
3000 * I need to set it to SPD_RESERVED to get delivery to
3001 * do the right thing. Then again, maybe just letting
3002 * the error delivery do the right thing.
3005 ("mblk (%lu) and base (%d) message sizes don't jibe.\n",
3006 msgdsize(mp
), msgsize
));
3007 spdsock_error(q
, mp
, EMSGSIZE
, SPD_DIAGNOSTIC_NONE
);
3011 if (msgsize
> (uint_t
)(mp
->b_wptr
- mp
->b_rptr
)) {
3012 /* Get all message into one mblk. */
3013 if (pullupmsg(mp
, -1) == 0) {
3015 * Something screwy happened.
3017 ss3dbg(spds
, ("spdsock_parse: pullupmsg() failed.\n"));
3020 spmsg
= (spd_msg_t
*)mp
->b_rptr
;
3024 switch (spdsock_get_ext(extv
, spmsg
, msgsize
)) {
3026 /* Handle duplicate extension. */
3027 ss1dbg(spds
, ("Got duplicate extension of type %d.\n",
3028 extv
[0]->spd_ext_type
));
3029 spdsock_diag(q
, mp
, dup_ext_diag
[extv
[0]->spd_ext_type
]);
3032 /* Handle unknown extension. */
3033 ss1dbg(spds
, ("Got unknown extension of type %d.\n",
3034 extv
[0]->spd_ext_type
));
3035 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_UNKNOWN_EXT
);
3039 ss1dbg(spds
, ("Length %d on extension type %d overrun or 0.\n",
3040 extv
[0]->spd_ext_len
, extv
[0]->spd_ext_type
));
3041 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_BAD_EXTLEN
);
3044 /* Reality check failed. */
3045 ss1dbg(spds
, ("Reality check failed on extension type %d.\n",
3046 extv
[0]->spd_ext_type
));
3047 spdsock_diag(q
, mp
, bad_ext_diag
[extv
[0]->spd_ext_type
]);
3050 /* Default case is no errors. */
3055 * Special-case SPD_UPDATEALGS so as not to load IPsec.
3057 if (!ipsec_loaded(ipss
) && spmsg
->spd_msg_type
!= SPD_UPDATEALGS
) {
3058 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3061 ipsec_loader_loadnow(ipss
);
3062 ss
->spdsock_timeout_arg
= mp
;
3063 ss
->spdsock_timeout
= qtimeout(q
, spdsock_loadcheck
,
3064 q
, LOADCHECK_INTERVAL
);
3068 /* First check for messages that need no polheads at all. */
3069 switch (spmsg
->spd_msg_type
) {
3070 case SPD_UPDATEALGS
:
3071 spdsock_updatealg(q
, mp
, extv
);
3074 spdsock_alglist(q
, mp
);
3077 spdsock_dumpalgs(q
, mp
);
3082 * Then check for ones that need both primary/secondary polheads,
3083 * finding the appropriate tunnel policy if need be.
3085 tunname
= (spd_if_t
*)extv
[SPD_EXT_TUN_NAME
];
3086 switch (spmsg
->spd_msg_type
) {
3088 spdsock_flip(q
, mp
, tunname
);
3091 spdsock_clone(q
, mp
, tunname
);
3096 * Finally, find ones that operate on exactly one polhead, or
3097 * "all polheads" of a given type (active/inactive).
3099 iph
= get_appropriate_polhead(q
, mp
, tunname
, spmsg
->spd_msg_spdid
,
3100 spmsg
->spd_msg_type
, &itp
);
3104 /* All-polheads-ready operations. */
3105 switch (spmsg
->spd_msg_type
) {
3108 mutex_enter(&itp
->itp_lock
);
3109 if (spmsg
->spd_msg_spdid
== SPD_ACTIVE
)
3110 itp
->itp_flags
&= ~ITPF_PFLAGS
;
3112 itp
->itp_flags
&= ~ITPF_IFLAGS
;
3113 mutex_exit(&itp
->itp_lock
);
3116 spdsock_flush(q
, iph
, itp
, mp
);
3119 /* SPD_FLUSH is worth a tunnel MTU check. */
3120 update_iptun_policy(itp
);
3121 ITP_REFRELE(itp
, ns
);
3126 ITP_REFRELE(itp
, ns
);
3127 spdsock_dump(q
, iph
, mp
);
3131 if (iph
== ALL_ACTIVE_POLHEADS
|| iph
== ALL_INACTIVE_POLHEADS
) {
3132 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_NOT_GLOBAL_OP
);
3136 /* Single-polhead-only operations. */
3137 switch (spmsg
->spd_msg_type
) {
3139 spdsock_addrule(q
, iph
, mp
, extv
, itp
);
3141 case SPD_DELETERULE
:
3142 spdsock_deleterule(q
, iph
, mp
, extv
, itp
);
3145 spdsock_lookup(q
, iph
, mp
, extv
, itp
);
3148 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_BAD_MSG_TYPE
);
3152 IPPH_REFRELE(iph
, ns
);
3154 /* SPD_{ADD,DELETE}RULE are worth a tunnel MTU check. */
3155 if (spmsg
->spd_msg_type
== SPD_ADDRULE
||
3156 spmsg
->spd_msg_type
== SPD_DELETERULE
)
3157 update_iptun_policy(itp
);
3158 ITP_REFRELE(itp
, ns
);
3163 * If an algorithm mapping was received before IPsec was loaded, process it.
3164 * Called from the IPsec loader.
3167 spdsock_update_pending_algs(netstack_t
*ns
)
3169 spd_stack_t
*spds
= ns
->netstack_spdsock
;
3171 mutex_enter(&spds
->spds_alg_lock
);
3172 if (spds
->spds_mp_algs
!= NULL
) {
3173 (void) spdsock_do_updatealg(spds
->spds_extv_algs
, spds
);
3174 freemsg(spds
->spds_mp_algs
);
3175 spds
->spds_mp_algs
= NULL
;
3177 mutex_exit(&spds
->spds_alg_lock
);
3181 spdsock_loadcheck(void *arg
)
3183 queue_t
*q
= (queue_t
*)arg
;
3184 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3186 ipsec_stack_t
*ipss
= ss
->spdsock_spds
->spds_netstack
->netstack_ipsec
;
3190 ss
->spdsock_timeout
= 0;
3191 mp
= ss
->spdsock_timeout_arg
;
3193 ss
->spdsock_timeout_arg
= NULL
;
3194 if (ipsec_failed(ipss
))
3195 spdsock_error(q
, mp
, EPROTONOSUPPORT
, 0);
3197 spdsock_parse(q
, mp
);
3201 * Copy relevant state bits.
3204 spdsock_copy_info(struct T_info_ack
*tap
, spdsock_t
*ss
)
3206 *tap
= spdsock_g_t_info_ack
;
3207 tap
->CURRENT_state
= ss
->spdsock_state
;
3208 tap
->OPT_size
= spdsock_max_optsize
;
3212 * This routine responds to T_CAPABILITY_REQ messages. It is called by
3213 * spdsock_wput. Much of the T_CAPABILITY_ACK information is copied from
3214 * spdsock_g_t_info_ack. The current state of the stream is copied from
3218 spdsock_capability_req(queue_t
*q
, mblk_t
*mp
)
3220 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3221 t_uscalar_t cap_bits1
;
3222 struct T_capability_ack
*tcap
;
3224 cap_bits1
= ((struct T_capability_req
*)mp
->b_rptr
)->CAP_bits1
;
3226 mp
= tpi_ack_alloc(mp
, sizeof (struct T_capability_ack
),
3227 mp
->b_datap
->db_type
, T_CAPABILITY_ACK
);
3231 tcap
= (struct T_capability_ack
*)mp
->b_rptr
;
3232 tcap
->CAP_bits1
= 0;
3234 if (cap_bits1
& TC1_INFO
) {
3235 spdsock_copy_info(&tcap
->INFO_ack
, ss
);
3236 tcap
->CAP_bits1
|= TC1_INFO
;
3243 * This routine responds to T_INFO_REQ messages. It is called by
3244 * spdsock_wput_other.
3245 * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack.
3246 * The current state of the stream is copied from spdsock_state.
3253 mp
= tpi_ack_alloc(mp
, sizeof (struct T_info_ack
), M_PCPROTO
,
3257 spdsock_copy_info((struct T_info_ack
*)mp
->b_rptr
,
3258 (spdsock_t
*)q
->q_ptr
);
3263 * spdsock_err_ack. This routine creates a
3264 * T_ERROR_ACK message and passes it
3274 if ((mp
= mi_tpi_err_ack_alloc(mp
, t_error
, sys_error
)) != NULL
)
3279 * This routine retrieves the current status of socket options.
3280 * It returns the size of the option retrieved.
3284 spdsock_opt_get(queue_t
*q
, int level
, int name
, uchar_t
*ptr
)
3286 int *i1
= (int *)ptr
;
3295 * The following two items can be manipulated,
3296 * but changing them should do nothing.
3299 *i1
= (int)q
->q_hiwat
;
3302 *i1
= (int)(RD(q
)->q_hiwat
);
3309 return (sizeof (int));
3313 * This routine sets socket options.
3317 spdsock_opt_set(queue_t
*q
, uint_t mgmt_flags
, int level
, int name
,
3318 uint_t inlen
, uchar_t
*invalp
, uint_t
*outlenp
, uchar_t
*outvalp
,
3319 void *thisdg_attrs
, cred_t
*cr
)
3321 int *i1
= (int *)invalp
;
3322 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3323 spd_stack_t
*spds
= ss
->spdsock_spds
;
3329 if (*i1
> spds
->spds_max_buf
)
3334 if (*i1
> spds
->spds_max_buf
)
3336 RD(q
)->q_hiwat
= *i1
;
3337 (void) proto_set_rx_hiwat(RD(q
), NULL
, *i1
);
3347 * Handle STREAMS messages.
3350 spdsock_wput_other(queue_t
*q
, mblk_t
*mp
)
3352 struct iocblk
*iocp
;
3354 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3355 spd_stack_t
*spds
= ss
->spdsock_spds
;
3358 switch (mp
->b_datap
->db_type
) {
3361 if ((mp
->b_wptr
- mp
->b_rptr
) < sizeof (long)) {
3363 "spdsock_wput_other: Not big enough M_PROTO\n"));
3367 switch (((union T_primitives
*)mp
->b_rptr
)->type
) {
3368 case T_CAPABILITY_REQ
:
3369 spdsock_capability_req(q
, mp
);
3372 spdsock_info_req(q
, mp
);
3374 case T_SVR4_OPTMGMT_REQ
:
3377 * All Solaris components should pass a db_credp
3378 * for this TPI message, hence we ASSERT.
3379 * But in case there is some other M_PROTO that looks
3380 * like a TPI message sent by some other kernel
3381 * component, we check and return an error.
3383 cr
= msg_getcred(mp
, NULL
);
3386 spdsock_err_ack(q
, mp
, TSYSERR
, EINVAL
);
3389 if (((union T_primitives
*)mp
->b_rptr
)->type
==
3390 T_SVR4_OPTMGMT_REQ
) {
3391 svr4_optcom_req(q
, mp
, cr
, &spdsock_opt_obj
);
3393 tpi_optcom_req(q
, mp
, cr
, &spdsock_opt_obj
);
3399 /* Illegal for spdsock. */
3401 (void) putnextctl1(RD(q
), M_ERROR
, EPROTO
);
3404 /* Not supported by spdsock. */
3405 spdsock_err_ack(q
, mp
, TNOTSUPPORT
, 0);
3410 keysock_spdsock_wput_iocdata(q
, mp
, PF_POLICY
);
3413 iocp
= (struct iocblk
*)mp
->b_rptr
;
3416 switch (iocp
->ioc_cmd
) {
3418 case TI_GETPEERNAME
:
3420 * For pfiles(1) observability with getsockname().
3421 * See keysock_spdsock_wput_iocdata() for the rest of
3424 mi_copyin(q
, mp
, NULL
,
3425 SIZEOF_STRUCT(strbuf
, iocp
->ioc_flag
));
3429 if (nd_getset(q
, spds
->spds_g_nd
, mp
)) {
3436 miocnak(q
, mp
, 0, error
);
3440 if (*mp
->b_rptr
& FLUSHW
) {
3441 flushq(q
, FLUSHALL
);
3442 *mp
->b_rptr
&= ~FLUSHW
;
3444 if (*mp
->b_rptr
& FLUSHR
) {
3451 /* If fell through, just black-hole the message. */
3456 spdsock_wput(queue_t
*q
, mblk_t
*mp
)
3458 uint8_t *rptr
= mp
->b_rptr
;
3460 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3461 spd_stack_t
*spds
= ss
->spdsock_spds
;
3464 * If we're dumping, defer processing other messages until the
3467 if (ss
->spdsock_dump_req
!= NULL
) {
3473 switch (mp
->b_datap
->db_type
) {
3478 ss2dbg(spds
, ("raw M_DATA in spdsock.\n"));
3483 if ((mp
->b_wptr
- rptr
) >= sizeof (struct T_data_req
)) {
3484 if (((union T_primitives
*)rptr
)->type
== T_DATA_REQ
) {
3485 if ((mp1
= mp
->b_cont
) == NULL
) {
3486 /* No data after T_DATA_REQ. */
3488 ("No data after DATA_REQ.\n"));
3494 ss2dbg(spds
, ("T_DATA_REQ\n"));
3495 break; /* Out of switch. */
3500 ss3dbg(spds
, ("In default wput case (%d %d).\n",
3501 mp
->b_datap
->db_type
, ((union T_primitives
*)rptr
)->type
));
3502 spdsock_wput_other(q
, mp
);
3506 /* I now have a PF_POLICY message in an M_DATA block. */
3507 spdsock_parse(q
, mp
);
3511 * Device open procedure, called when new queue pair created.
3512 * We are passed the read-side queue.
3516 spdsock_open(queue_t
*q
, dev_t
*devp
, int flag
, int sflag
, cred_t
*credp
)
3519 queue_t
*oq
= OTHERQ(q
);
3524 if (secpolicy_ip_config(credp
, B_FALSE
) != 0)
3527 if (q
->q_ptr
!= NULL
)
3528 return (0); /* Re-open of an already open instance. */
3530 if (sflag
& MODOPEN
)
3533 ns
= netstack_find_by_cred(credp
);
3535 spds
= ns
->netstack_spdsock
;
3536 ASSERT(spds
!= NULL
);
3538 ss2dbg(spds
, ("Made it into PF_POLICY socket open.\n"));
3540 ssminor
= (minor_t
)(uintptr_t)vmem_alloc(spdsock_vmem
, 1, VM_NOSLEEP
);
3542 netstack_rele(spds
->spds_netstack
);
3545 ss
= kmem_zalloc(sizeof (spdsock_t
), KM_NOSLEEP
);
3547 vmem_free(spdsock_vmem
, (void *)(uintptr_t)ssminor
, 1);
3548 netstack_rele(spds
->spds_netstack
);
3552 ss
->spdsock_minor
= ssminor
;
3553 ss
->spdsock_state
= TS_UNBND
;
3554 ss
->spdsock_dump_req
= NULL
;
3556 ss
->spdsock_spds
= spds
;
3561 q
->q_hiwat
= spds
->spds_recv_hiwat
;
3563 oq
->q_hiwat
= spds
->spds_xmit_hiwat
;
3564 oq
->q_lowat
= spds
->spds_xmit_lowat
;
3567 (void) proto_set_rx_hiwat(q
, NULL
, spds
->spds_recv_hiwat
);
3569 *devp
= makedevice(getmajor(*devp
), ss
->spdsock_minor
);
3574 * Read-side service procedure, invoked when we get back-enabled
3575 * when buffer space becomes available.
3577 * Dump another chunk if we were dumping before; when we finish, kick
3578 * the write-side queue in case it's waiting for read queue space.
3581 spdsock_rsrv(queue_t
*q
)
3583 spdsock_t
*ss
= q
->q_ptr
;
3585 if (ss
->spdsock_dump_req
!= NULL
)
3586 spdsock_dump_some(q
, ss
);
3588 if (ss
->spdsock_dump_req
== NULL
)
3593 * Write-side service procedure, invoked when we defer processing
3594 * if another message is received while a dump is in progress.
3597 spdsock_wsrv(queue_t
*q
)
3599 spdsock_t
*ss
= q
->q_ptr
;
3601 ipsec_stack_t
*ipss
= ss
->spdsock_spds
->spds_netstack
->netstack_ipsec
;
3603 if (ss
->spdsock_dump_req
!= NULL
) {
3608 while ((mp
= getq(q
)) != NULL
) {
3609 if (ipsec_loaded(ipss
)) {
3610 spdsock_wput(q
, mp
);
3611 if (ss
->spdsock_dump_req
!= NULL
)
3613 } else if (!ipsec_failed(ipss
)) {
3616 spdsock_error(q
, mp
, EPFNOSUPPORT
, 0);
3622 spdsock_close(queue_t
*q
)
3624 spdsock_t
*ss
= q
->q_ptr
;
3625 spd_stack_t
*spds
= ss
->spdsock_spds
;
3629 /* Safe assumption. */
3632 if (ss
->spdsock_timeout
!= 0)
3633 (void) quntimeout(q
, ss
->spdsock_timeout
);
3635 ss3dbg(spds
, ("Driver close, PF_POLICY socket is going away.\n"));
3637 vmem_free(spdsock_vmem
, (void *)(uintptr_t)ss
->spdsock_minor
, 1);
3638 netstack_rele(ss
->spdsock_spds
->spds_netstack
);
3640 kmem_free(ss
, sizeof (spdsock_t
));
3645 * Merge the IPsec algorithms tables with the received algorithm information.
3648 spdsock_merge_algs(spd_stack_t
*spds
)
3650 ipsec_alginfo_t
*alg
, *oalg
;
3651 ipsec_algtype_t algtype
;
3652 uint_t algidx
, algid
, nalgs
;
3653 crypto_mech_name_t
*mechs
;
3654 uint_t mech_count
, mech_idx
;
3655 netstack_t
*ns
= spds
->spds_netstack
;
3656 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
3658 ASSERT(MUTEX_HELD(&spds
->spds_alg_lock
));
3661 * Get the list of supported mechanisms from the crypto framework.
3662 * If a mechanism is supported by KCF, resolve its mechanism
3663 * id and mark it as being valid. This operation must be done
3664 * without holding alg_lock, since it can cause a provider
3665 * module to be loaded and the provider notification callback to
3668 mechs
= crypto_get_mech_list(&mech_count
, KM_SLEEP
);
3669 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
3670 for (algid
= 0; algid
< IPSEC_MAX_ALGS
; algid
++) {
3672 crypto_mech_type_t mt
= CRYPTO_MECHANISM_INVALID
;
3674 alg
= spds
->spds_algs
[algtype
][algid
];
3679 * The NULL encryption algorithm is a special
3680 * case because there are no mechanisms, yet
3681 * the algorithm is still valid.
3683 if (alg
->alg_id
== SADB_EALG_NULL
) {
3684 alg
->alg_mech_type
= CRYPTO_MECHANISM_INVALID
;
3685 alg
->alg_flags
|= ALG_FLAG_VALID
;
3689 for (mech_idx
= 0; mech_idx
< mech_count
; mech_idx
++) {
3690 if (strncmp(alg
->alg_mech_name
, mechs
[mech_idx
],
3691 CRYPTO_MAX_MECH_NAME
) == 0) {
3692 mt
= crypto_mech2id(alg
->alg_mech_name
);
3693 ASSERT(mt
!= CRYPTO_MECHANISM_INVALID
);
3694 algflags
= ALG_FLAG_VALID
;
3698 alg
->alg_mech_type
= mt
;
3699 alg
->alg_flags
|= algflags
;
3703 rw_enter(&ipss
->ipsec_alg_lock
, RW_WRITER
);
3706 * For each algorithm currently defined, check if it is
3707 * present in the new tables created from the SPD_UPDATEALGS
3708 * message received from user-space.
3709 * Delete the algorithm entries that are currently defined
3710 * but not part of the new tables.
3712 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
3713 nalgs
= ipss
->ipsec_nalgs
[algtype
];
3714 for (algidx
= 0; algidx
< nalgs
; algidx
++) {
3715 algid
= ipss
->ipsec_sortlist
[algtype
][algidx
];
3716 if (spds
->spds_algs
[algtype
][algid
] == NULL
)
3717 ipsec_alg_unreg(algtype
, algid
, ns
);
3722 * For each algorithm we just received, check if it is
3723 * present in the currently defined tables. If it is, swap
3724 * the entry with the one we just allocated.
3725 * If the new algorithm is not in the current tables,
3728 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
3729 for (algid
= 0; algid
< IPSEC_MAX_ALGS
; algid
++) {
3730 alg
= spds
->spds_algs
[algtype
][algid
];
3734 if ((oalg
= ipss
->ipsec_alglists
[algtype
][algid
]) ==
3737 * New algorithm, add it to the algorithm
3740 ipsec_alg_reg(algtype
, alg
, ns
);
3743 * Algorithm is already in the table. Swap
3744 * the existing entry with the new one.
3746 ipsec_alg_fix_min_max(alg
, algtype
, ns
);
3747 ipss
->ipsec_alglists
[algtype
][algid
] = alg
;
3748 ipsec_alg_free(oalg
);
3750 spds
->spds_algs
[algtype
][algid
] = NULL
;
3754 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
3755 ipss
->ipsec_algs_exec_mode
[algtype
] =
3756 spds
->spds_algs_exec_mode
[algtype
];
3759 rw_exit(&ipss
->ipsec_alg_lock
);
3761 crypto_free_mech_list(mechs
, mech_count
);
3763 ipsecah_algs_changed(ns
);
3764 ipsecesp_algs_changed(ns
);