4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
26 #include <sys/param.h>
27 #include <sys/types.h>
28 #include <sys/stream.h>
29 #include <sys/strsubr.h>
30 #include <sys/strsun.h>
31 #include <sys/stropts.h>
33 #include <sys/vnode.h>
34 #include <sys/sysmacros.h>
35 #define _SUN_TPI_VERSION 2
36 #include <sys/tihdr.h>
38 #include <sys/sunddi.h>
39 #include <sys/mkdev.h>
40 #include <sys/debug.h>
42 #include <sys/cmn_err.h>
43 #include <sys/suntpi.h>
44 #include <sys/policy.h>
47 #include <sys/socket.h>
48 #include <netinet/in.h>
49 #include <net/pfkeyv2.h>
50 #include <net/pfpolicy.h>
52 #include <inet/common.h>
53 #include <netinet/ip6.h>
57 #include <inet/proto_set.h>
59 #include <inet/ip_if.h>
60 #include <inet/optcom.h>
61 #include <inet/ipsec_impl.h>
62 #include <inet/spdsock.h>
63 #include <inet/sadb.h>
64 #include <inet/iptun.h>
65 #include <inet/iptun/iptun_impl.h>
67 #include <sys/isa_defs.h>
72 * This is a transport provider for the PF_POLICY IPsec policy
73 * management socket, which provides a management interface into the
74 * SPD, allowing policy rules to be added, deleted, and queried.
76 * This effectively replaces the old private SIOC*IPSECONFIG ioctls
77 * with an extensible interface which will hopefully be public some
80 * See <net/pfpolicy.h> for more details on the protocol.
82 * We link against drv/ip and call directly into it to manipulate the
83 * SPD; see ipsec_impl.h for the policy data structures and spd.c for
84 * the code which maintains them.
86 * The MT model of this is QPAIR with the addition of some explicit
87 * locking to protect system-wide policy data structures.
90 static vmem_t
*spdsock_vmem
; /* for minor numbers. */
92 #define ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t))
94 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */
95 static struct T_info_ack spdsock_g_t_info_ack
= {
97 T_INFINITE
, /* TSDU_size. Maximum size messages. */
98 T_INVALID
, /* ETSDU_size. No expedited data. */
99 T_INVALID
, /* CDATA_size. No connect data. */
100 T_INVALID
, /* DDATA_size. No disconnect data. */
102 0, /* OPT_size. No user-settable options */
103 64 * 1024, /* TIDU_size. spdsock allows maximum size messages. */
104 T_COTS
, /* SERV_type. spdsock supports connection oriented. */
105 TS_UNBND
, /* CURRENT_state. This is set from spdsock_state. */
106 (XPG4_1
) /* Provider flags */
109 /* Named Dispatch Parameter Management Structure */
110 typedef struct spdsockparam_s
{
111 uint_t spdsock_param_min
;
112 uint_t spdsock_param_max
;
113 uint_t spdsock_param_value
;
114 char *spdsock_param_name
;
118 * Table of NDD variables supported by spdsock. These are loaded into
119 * spdsock_g_nd in spdsock_init_nd.
120 * All of these are alterable, within the min/max values given, at run time.
122 static spdsockparam_t lcl_param_arr
[] = {
123 /* min max value name */
124 { 4096, 65536, 8192, "spdsock_xmit_hiwat"},
125 { 0, 65536, 1024, "spdsock_xmit_lowat"},
126 { 4096, 65536, 8192, "spdsock_recv_hiwat"},
127 { 65536, 1024*1024*1024, 256*1024, "spdsock_max_buf"},
128 { 0, 3, 0, "spdsock_debug"},
130 #define spds_xmit_hiwat spds_params[0].spdsock_param_value
131 #define spds_xmit_lowat spds_params[1].spdsock_param_value
132 #define spds_recv_hiwat spds_params[2].spdsock_param_value
133 #define spds_max_buf spds_params[3].spdsock_param_value
134 #define spds_debug spds_params[4].spdsock_param_value
136 #define ss0dbg(a) printf a
137 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */
138 #define ss1dbg(spds, a) if (spds->spds_debug != 0) printf a
139 #define ss2dbg(spds, a) if (spds->spds_debug > 1) printf a
140 #define ss3dbg(spds, a) if (spds->spds_debug > 2) printf a
142 #define RESET_SPDSOCK_DUMP_POLHEAD(ss, iph) { \
143 ASSERT(RW_READ_HELD(&(iph)->iph_lock)); \
144 (ss)->spdsock_dump_head = (iph); \
145 (ss)->spdsock_dump_gen = (iph)->iph_gen; \
146 (ss)->spdsock_dump_cur_type = 0; \
147 (ss)->spdsock_dump_cur_af = IPSEC_AF_V4; \
148 (ss)->spdsock_dump_cur_rule = NULL; \
149 (ss)->spdsock_dump_count = 0; \
150 (ss)->spdsock_dump_cur_chain = 0; \
153 static int spdsock_close(queue_t
*);
154 static int spdsock_open(queue_t
*, dev_t
*, int, int, cred_t
*);
155 static void spdsock_wput(queue_t
*, mblk_t
*);
156 static void spdsock_wsrv(queue_t
*);
157 static void spdsock_rsrv(queue_t
*);
158 static void *spdsock_stack_init(netstackid_t stackid
, netstack_t
*ns
);
159 static void spdsock_stack_fini(netstackid_t stackid
, void *arg
);
160 static void spdsock_loadcheck(void *);
161 static void spdsock_merge_algs(spd_stack_t
*);
162 static void spdsock_flush_one(ipsec_policy_head_t
*, netstack_t
*);
163 static mblk_t
*spdsock_dump_next_record(spdsock_t
*);
164 static void update_iptun_policy(ipsec_tun_pol_t
*);
166 static struct module_info info
= {
167 5138, "spdsock", 1, INFPSZ
, 512, 128
170 static struct qinit rinit
= {
171 NULL
, (pfi_t
)spdsock_rsrv
, spdsock_open
, spdsock_close
,
175 static struct qinit winit
= {
176 (pfi_t
)spdsock_wput
, (pfi_t
)spdsock_wsrv
, NULL
, NULL
, NULL
, &info
179 struct streamtab spdsockinfo
= {
183 /* mapping from alg type to protocol number, as per RFC 2407 */
184 static const uint_t algproto
[] = {
189 #define NALGPROTOS (sizeof (algproto) / sizeof (algproto[0]))
191 /* mapping from kernel exec mode to spdsock exec mode */
192 static const uint_t execmodes
[] = {
193 SPD_ALG_EXEC_MODE_SYNC
,
194 SPD_ALG_EXEC_MODE_ASYNC
197 #define NEXECMODES (sizeof (execmodes) / sizeof (execmodes[0]))
199 #define ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1)
200 #define ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2)
202 #define ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL)
206 spdsock_param_get(q
, mp
, cp
, cr
)
212 spdsockparam_t
*spdsockpa
= (spdsockparam_t
*)cp
;
214 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
215 spd_stack_t
*spds
= ss
->spdsock_spds
;
217 mutex_enter(&spds
->spds_param_lock
);
218 value
= spdsockpa
->spdsock_param_value
;
219 mutex_exit(&spds
->spds_param_lock
);
221 (void) mi_mpprintf(mp
, "%u", value
);
225 /* This routine sets an NDD variable in a spdsockparam_t structure. */
228 spdsock_param_set(q
, mp
, value
, cp
, cr
)
236 spdsockparam_t
*spdsockpa
= (spdsockparam_t
*)cp
;
237 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
238 spd_stack_t
*spds
= ss
->spdsock_spds
;
240 /* Convert the value from a string into a long integer. */
241 if (ddi_strtoul(value
, NULL
, 10, &new_value
) != 0)
244 mutex_enter(&spds
->spds_param_lock
);
246 * Fail the request if the new value does not lie within the
249 if (new_value
< spdsockpa
->spdsock_param_min
||
250 new_value
> spdsockpa
->spdsock_param_max
) {
251 mutex_exit(&spds
->spds_param_lock
);
255 /* Set the new value */
256 spdsockpa
->spdsock_param_value
= new_value
;
257 mutex_exit(&spds
->spds_param_lock
);
263 * Initialize at module load time
266 spdsock_ddi_init(void)
268 spdsock_max_optsize
= optcom_max_optsize(
269 spdsock_opt_obj
.odb_opt_des_arr
, spdsock_opt_obj
.odb_opt_arr_cnt
);
271 spdsock_vmem
= vmem_create("spdsock", (void *)1, MAXMIN
, 1,
272 NULL
, NULL
, NULL
, 1, VM_SLEEP
| VMC_IDENTIFIER
);
275 * We want to be informed each time a stack is created or
276 * destroyed in the kernel, so we can maintain the
277 * set of spd_stack_t's.
279 netstack_register(NS_SPDSOCK
, spdsock_stack_init
, NULL
,
286 * Walk through the param array specified registering each element with the
287 * named dispatch handler.
290 spdsock_param_register(IDP
*ndp
, spdsockparam_t
*ssp
, int cnt
)
292 for (; cnt
-- > 0; ssp
++) {
293 if (ssp
->spdsock_param_name
!= NULL
&&
294 ssp
->spdsock_param_name
[0]) {
296 ssp
->spdsock_param_name
,
297 spdsock_param_get
, spdsock_param_set
,
308 * Initialize for each stack instance
312 spdsock_stack_init(netstackid_t stackid
, netstack_t
*ns
)
317 spds
= (spd_stack_t
*)kmem_zalloc(sizeof (*spds
), KM_SLEEP
);
318 spds
->spds_netstack
= ns
;
320 ASSERT(spds
->spds_g_nd
== NULL
);
322 ssp
= (spdsockparam_t
*)kmem_alloc(sizeof (lcl_param_arr
), KM_SLEEP
);
323 spds
->spds_params
= ssp
;
324 bcopy(lcl_param_arr
, ssp
, sizeof (lcl_param_arr
));
326 (void) spdsock_param_register(&spds
->spds_g_nd
, ssp
,
327 A_CNT(lcl_param_arr
));
329 mutex_init(&spds
->spds_param_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
330 mutex_init(&spds
->spds_alg_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
336 spdsock_ddi_destroy(void)
338 vmem_destroy(spdsock_vmem
);
340 netstack_unregister(NS_SPDSOCK
);
345 spdsock_stack_fini(netstackid_t stackid
, void *arg
)
347 spd_stack_t
*spds
= (spd_stack_t
*)arg
;
349 freemsg(spds
->spds_mp_algs
);
350 mutex_destroy(&spds
->spds_param_lock
);
351 mutex_destroy(&spds
->spds_alg_lock
);
352 nd_free(&spds
->spds_g_nd
);
353 kmem_free(spds
->spds_params
, sizeof (lcl_param_arr
));
354 spds
->spds_params
= NULL
;
356 kmem_free(spds
, sizeof (*spds
));
360 * NOTE: large quantities of this should be shared with keysock.
361 * Would be nice to combine some of this into a common module, but
362 * not possible given time pressures.
366 * High-level reality checking of extensions.
368 /* ARGSUSED */ /* XXX */
370 ext_check(spd_ext_t
*ext
)
372 spd_if_t
*tunname
= (spd_if_t
*)ext
;
376 if (ext
->spd_ext_type
== SPD_EXT_TUN_NAME
) {
377 /* (NOTE: Modified from SADB_EXT_IDENTITY..) */
380 * Make sure the strings in these identities are
381 * null-terminated. Let's "proactively" null-terminate the
382 * string at the last byte if it's not terminated sooner.
384 i
= SPD_64TO8(tunname
->spd_if_len
) - sizeof (spd_if_t
);
385 idstr
= (char *)(tunname
+ 1);
386 while (*idstr
!= '\0' && i
> 0) {
392 * I.e., if the bozo user didn't NULL-terminate the
399 return (B_TRUE
); /* For now... */
404 /* Return values for spdsock_get_ext(). */
412 * Parse basic extension headers and return in the passed-in pointer vector.
413 * Return values include:
415 * KGE_OK Everything's nice and parsed out.
416 * If there are no extensions, place NULL in extv[0].
417 * KGE_DUP There is a duplicate extension.
418 * First instance in appropriate bin. First duplicate in
420 * KGE_UNK Unknown extension type encountered. extv[0] contains
422 * KGE_LEN Extension length error.
423 * KGE_CHK High-level reality check failed on specific extension.
425 * My apologies for some of the pointer arithmetic in here. I'm thinking
426 * like an assembly programmer, yet trying to make the compiler happy.
429 spdsock_get_ext(spd_ext_t
*extv
[], spd_msg_t
*basehdr
, uint_t msgsize
)
431 bzero(extv
, sizeof (spd_ext_t
*) * (SPD_EXT_MAX
+ 1));
433 /* Use extv[0] as the "current working pointer". */
435 extv
[0] = (spd_ext_t
*)(basehdr
+ 1);
437 while (extv
[0] < (spd_ext_t
*)(((uint8_t *)basehdr
) + msgsize
)) {
438 /* Check for unknown headers. */
439 if (extv
[0]->spd_ext_type
== 0 ||
440 extv
[0]->spd_ext_type
> SPD_EXT_MAX
)
444 * Check length. Use uint64_t because extlen is in units
445 * of 64-bit words. If length goes beyond the msgsize,
446 * return an error. (Zero length also qualifies here.)
448 if (extv
[0]->spd_ext_len
== 0 ||
449 (void *)((uint64_t *)extv
[0] + extv
[0]->spd_ext_len
) >
450 (void *)((uint8_t *)basehdr
+ msgsize
))
453 /* Check for redundant headers. */
454 if (extv
[extv
[0]->spd_ext_type
] != NULL
)
458 * Reality check the extension if possible at the spdsock
461 if (!ext_check(extv
[0]))
464 /* If I make it here, assign the appropriate bin. */
465 extv
[extv
[0]->spd_ext_type
] = extv
[0];
467 /* Advance pointer (See above for uint64_t ptr reasoning.) */
468 extv
[0] = (spd_ext_t
*)
469 ((uint64_t *)extv
[0] + extv
[0]->spd_ext_len
);
472 /* Everything's cool. */
475 * If extv[0] == NULL, then there are no extension headers in this
476 * message. Ensure that this is the case.
478 if (extv
[0] == (spd_ext_t
*)(basehdr
+ 1))
484 static const int bad_ext_diag
[] = {
485 SPD_DIAGNOSTIC_MALFORMED_LCLPORT
,
486 SPD_DIAGNOSTIC_MALFORMED_REMPORT
,
487 SPD_DIAGNOSTIC_MALFORMED_PROTO
,
488 SPD_DIAGNOSTIC_MALFORMED_LCLADDR
,
489 SPD_DIAGNOSTIC_MALFORMED_REMADDR
,
490 SPD_DIAGNOSTIC_MALFORMED_ACTION
,
491 SPD_DIAGNOSTIC_MALFORMED_RULE
,
492 SPD_DIAGNOSTIC_MALFORMED_RULESET
,
493 SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE
496 static const int dup_ext_diag
[] = {
497 SPD_DIAGNOSTIC_DUPLICATE_LCLPORT
,
498 SPD_DIAGNOSTIC_DUPLICATE_REMPORT
,
499 SPD_DIAGNOSTIC_DUPLICATE_PROTO
,
500 SPD_DIAGNOSTIC_DUPLICATE_LCLADDR
,
501 SPD_DIAGNOSTIC_DUPLICATE_REMADDR
,
502 SPD_DIAGNOSTIC_DUPLICATE_ACTION
,
503 SPD_DIAGNOSTIC_DUPLICATE_RULE
,
504 SPD_DIAGNOSTIC_DUPLICATE_RULESET
,
505 SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE
509 * Transmit a PF_POLICY error message to the instance either pointed to
510 * by ks, the instance with serial number serial, or more, depending.
512 * The faulty message (or a reasonable facsimile thereof) is in mp.
513 * This function will free mp or recycle it for delivery, thereby causing
514 * the stream head to free it.
517 spdsock_error(queue_t
*q
, mblk_t
*mp
, int error
, int diagnostic
)
519 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
521 ASSERT(mp
->b_datap
->db_type
== M_DATA
);
523 if (spmsg
->spd_msg_type
< SPD_MIN
||
524 spmsg
->spd_msg_type
> SPD_MAX
)
525 spmsg
->spd_msg_type
= SPD_RESERVED
;
528 * Strip out extension headers.
530 ASSERT(mp
->b_rptr
+ sizeof (*spmsg
) <= mp
->b_datap
->db_lim
);
531 mp
->b_wptr
= mp
->b_rptr
+ sizeof (*spmsg
);
532 spmsg
->spd_msg_len
= SPD_8TO64(sizeof (spd_msg_t
));
533 spmsg
->spd_msg_errno
= (uint8_t)error
;
534 spmsg
->spd_msg_diagnostic
= (uint16_t)diagnostic
;
540 spdsock_diag(queue_t
*q
, mblk_t
*mp
, int diagnostic
)
542 spdsock_error(q
, mp
, EINVAL
, diagnostic
);
546 spd_echo(queue_t
*q
, mblk_t
*mp
)
552 * Do NOT consume a reference to itp.
556 spdsock_flush_node(ipsec_tun_pol_t
*itp
, void *cookie
, netstack_t
*ns
)
558 boolean_t active
= (boolean_t
)cookie
;
559 ipsec_policy_head_t
*iph
;
561 iph
= active
? itp
->itp_policy
: itp
->itp_inactive
;
563 mutex_enter(&itp
->itp_lock
);
564 spdsock_flush_one(iph
, ns
); /* Releases iph refhold. */
566 itp
->itp_flags
&= ~ITPF_PFLAGS
;
568 itp
->itp_flags
&= ~ITPF_IFLAGS
;
569 mutex_exit(&itp
->itp_lock
);
570 /* SPD_FLUSH is worth a tunnel MTU check. */
571 update_iptun_policy(itp
);
575 * Clear out one polhead.
578 spdsock_flush_one(ipsec_policy_head_t
*iph
, netstack_t
*ns
)
580 rw_enter(&iph
->iph_lock
, RW_WRITER
);
581 ipsec_polhead_flush(iph
, ns
);
582 rw_exit(&iph
->iph_lock
);
583 IPPH_REFRELE(iph
, ns
);
587 spdsock_flush(queue_t
*q
, ipsec_policy_head_t
*iph
, ipsec_tun_pol_t
*itp
,
591 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
592 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
594 if (iph
!= ALL_ACTIVE_POLHEADS
&& iph
!= ALL_INACTIVE_POLHEADS
) {
595 spdsock_flush_one(iph
, ns
);
597 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
601 cr
= msg_getcred(mp
, &cpid
);
602 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
603 audit_pf_policy(SPD_FLUSH
, cr
, ns
,
604 ITP_NAME(itp
), active
, 0, cpid
);
607 active
= (iph
== ALL_ACTIVE_POLHEADS
);
609 /* First flush the global policy. */
610 spdsock_flush_one(active
? ipsec_system_policy(ns
) :
611 ipsec_inactive_policy(ns
), ns
);
616 cr
= msg_getcred(mp
, &cpid
);
617 audit_pf_policy(SPD_FLUSH
, cr
, ns
, NULL
,
620 /* Then flush every tunnel's appropriate one. */
621 itp_walk(spdsock_flush_node
, (void *)active
, ns
);
626 cr
= msg_getcred(mp
, &cpid
);
627 audit_pf_policy(SPD_FLUSH
, cr
, ns
,
628 "all tunnels", active
, 0, cpid
);
636 spdsock_ext_to_sel(spd_ext_t
**extv
, ipsec_selkey_t
*sel
, int *diag
)
638 bzero(sel
, sizeof (*sel
));
640 if (extv
[SPD_EXT_PROTO
] != NULL
) {
641 struct spd_proto
*pr
=
642 (struct spd_proto
*)extv
[SPD_EXT_PROTO
];
643 sel
->ipsl_proto
= pr
->spd_proto_number
;
644 sel
->ipsl_valid
|= IPSL_PROTOCOL
;
646 if (extv
[SPD_EXT_LCLPORT
] != NULL
) {
647 struct spd_portrange
*pr
=
648 (struct spd_portrange
*)extv
[SPD_EXT_LCLPORT
];
649 sel
->ipsl_lport
= pr
->spd_ports_minport
;
650 sel
->ipsl_valid
|= IPSL_LOCAL_PORT
;
652 if (extv
[SPD_EXT_REMPORT
] != NULL
) {
653 struct spd_portrange
*pr
=
654 (struct spd_portrange
*)extv
[SPD_EXT_REMPORT
];
655 sel
->ipsl_rport
= pr
->spd_ports_minport
;
656 sel
->ipsl_valid
|= IPSL_REMOTE_PORT
;
659 if (extv
[SPD_EXT_ICMP_TYPECODE
] != NULL
) {
660 struct spd_typecode
*tc
=
661 (struct spd_typecode
*)extv
[SPD_EXT_ICMP_TYPECODE
];
663 sel
->ipsl_valid
|= IPSL_ICMP_TYPE
;
664 sel
->ipsl_icmp_type
= tc
->spd_typecode_type
;
665 if (tc
->spd_typecode_type_end
< tc
->spd_typecode_type
)
666 sel
->ipsl_icmp_type_end
= tc
->spd_typecode_type
;
668 sel
->ipsl_icmp_type_end
= tc
->spd_typecode_type_end
;
670 if (tc
->spd_typecode_code
!= 255) {
671 sel
->ipsl_valid
|= IPSL_ICMP_CODE
;
672 sel
->ipsl_icmp_code
= tc
->spd_typecode_code
;
673 if (tc
->spd_typecode_code_end
< tc
->spd_typecode_code
)
674 sel
->ipsl_icmp_code_end
= tc
->spd_typecode_code
;
676 sel
->ipsl_icmp_code_end
=
677 tc
->spd_typecode_code_end
;
680 #define ADDR2SEL(sel, extv, field, pfield, extn, bit) \
681 if ((extv)[(extn)] != NULL) { \
683 struct spd_address *ap = \
684 (struct spd_address *)((extv)[(extn)]); \
685 addrlen = (ap->spd_address_af == AF_INET6) ? \
686 IPV6_ADDR_LEN : IP_ADDR_LEN; \
687 if (SPD_64TO8(ap->spd_address_len) < \
688 (addrlen + sizeof (*ap))) { \
689 *diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN; \
692 bcopy((ap+1), &((sel)->field), addrlen); \
693 (sel)->pfield = ap->spd_address_prefixlen; \
694 (sel)->ipsl_valid |= (bit); \
695 (sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ? \
696 IPSL_IPV6 : IPSL_IPV4; \
699 ADDR2SEL(sel
, extv
, ipsl_local
, ipsl_local_pfxlen
,
700 SPD_EXT_LCLADDR
, IPSL_LOCAL_ADDR
);
701 ADDR2SEL(sel
, extv
, ipsl_remote
, ipsl_remote_pfxlen
,
702 SPD_EXT_REMADDR
, IPSL_REMOTE_ADDR
);
704 if ((sel
->ipsl_valid
& (IPSL_IPV6
|IPSL_IPV4
)) ==
705 (IPSL_IPV6
|IPSL_IPV4
)) {
706 *diag
= SPD_DIAGNOSTIC_MIXED_AF
;
716 spd_convert_type(uint32_t type
, ipsec_act_t
*act
)
719 case SPD_ACTTYPE_DROP
:
720 act
->ipa_type
= IPSEC_ACT_DISCARD
;
723 case SPD_ACTTYPE_PASS
:
724 act
->ipa_type
= IPSEC_ACT_CLEAR
;
727 case SPD_ACTTYPE_IPSEC
:
728 act
->ipa_type
= IPSEC_ACT_APPLY
;
735 spd_convert_flags(uint32_t flags
, ipsec_act_t
*act
)
738 * Note use of !! for boolean canonicalization.
740 act
->ipa_apply
.ipp_use_ah
= !!(flags
& SPD_APPLY_AH
);
741 act
->ipa_apply
.ipp_use_esp
= !!(flags
& SPD_APPLY_ESP
);
742 act
->ipa_apply
.ipp_use_espa
= !!(flags
& SPD_APPLY_ESPA
);
743 act
->ipa_apply
.ipp_use_se
= !!(flags
& SPD_APPLY_SE
);
744 act
->ipa_apply
.ipp_use_unique
= !!(flags
& SPD_APPLY_UNIQUE
);
749 spdsock_reset_act(ipsec_act_t
*act
)
751 bzero(act
, sizeof (*act
));
752 act
->ipa_apply
.ipp_espe_maxbits
= IPSEC_MAX_KEYBITS
;
753 act
->ipa_apply
.ipp_espa_maxbits
= IPSEC_MAX_KEYBITS
;
754 act
->ipa_apply
.ipp_ah_maxbits
= IPSEC_MAX_KEYBITS
;
758 * Sanity check action against reality, and shrink-wrap key sizes..
761 spdsock_check_action(ipsec_act_t
*act
, boolean_t tunnel_polhead
, int *diag
,
764 if (tunnel_polhead
&& act
->ipa_apply
.ipp_use_unique
) {
765 *diag
= SPD_DIAGNOSTIC_ADD_INCON_FLAGS
;
768 if ((act
->ipa_type
!= IPSEC_ACT_APPLY
) &&
769 (act
->ipa_apply
.ipp_use_ah
||
770 act
->ipa_apply
.ipp_use_esp
||
771 act
->ipa_apply
.ipp_use_espa
||
772 act
->ipa_apply
.ipp_use_se
||
773 act
->ipa_apply
.ipp_use_unique
)) {
774 *diag
= SPD_DIAGNOSTIC_ADD_INCON_FLAGS
;
777 if ((act
->ipa_type
== IPSEC_ACT_APPLY
) &&
778 !act
->ipa_apply
.ipp_use_ah
&&
779 !act
->ipa_apply
.ipp_use_esp
) {
780 *diag
= SPD_DIAGNOSTIC_ADD_INCON_FLAGS
;
783 return (ipsec_check_action(act
, diag
, spds
->spds_netstack
));
787 * We may be short a few error checks here..
790 spdsock_ext_to_actvec(spd_ext_t
**extv
, ipsec_act_t
**actpp
, uint_t
*nactp
,
791 int *diag
, spd_stack_t
*spds
)
793 struct spd_ext_actions
*sactp
=
794 (struct spd_ext_actions
*)extv
[SPD_EXT_ACTION
];
795 ipsec_act_t act
, *actp
, *endactp
;
796 struct spd_attribute
*attrp
, *endattrp
;
799 boolean_t tunnel_polhead
;
801 tunnel_polhead
= (extv
[SPD_EXT_TUN_NAME
] != NULL
&&
802 (((struct spd_rule
*)extv
[SPD_EXT_RULE
])->spd_rule_flags
&
803 SPD_RULE_FLAG_TUNNEL
));
809 *diag
= SPD_DIAGNOSTIC_NO_ACTION_EXT
;
814 * Parse the "action" extension and convert into an action chain.
817 nact
= sactp
->spd_actions_count
;
819 endp
= (uint64_t *)sactp
;
820 endp
+= sactp
->spd_actions_len
;
821 endattrp
= (struct spd_attribute
*)endp
;
823 actp
= kmem_alloc(sizeof (*actp
) * nact
, KM_NOSLEEP
);
825 *diag
= SPD_DIAGNOSTIC_ADD_NO_MEM
;
830 endactp
= actp
+ nact
;
832 spdsock_reset_act(&act
);
833 attrp
= (struct spd_attribute
*)(&sactp
[1]);
835 for (; attrp
< endattrp
; attrp
++) {
836 switch (attrp
->spd_attr_tag
) {
841 spdsock_reset_act(&act
);
848 if (actp
>= endactp
) {
849 *diag
= SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT
;
852 if (!spdsock_check_action(&act
, tunnel_polhead
,
856 spdsock_reset_act(&act
);
860 if (!spd_convert_type(attrp
->spd_attr_value
, &act
)) {
861 *diag
= SPD_DIAGNOSTIC_ADD_BAD_TYPE
;
867 if (!tunnel_polhead
&& extv
[SPD_EXT_TUN_NAME
] != NULL
) {
869 * Set "sa unique" for transport-mode
870 * tunnels whether we want to or not.
872 attrp
->spd_attr_value
|= SPD_APPLY_UNIQUE
;
874 if (!spd_convert_flags(attrp
->spd_attr_value
, &act
)) {
875 *diag
= SPD_DIAGNOSTIC_ADD_BAD_FLAGS
;
880 case SPD_ATTR_AH_AUTH
:
881 if (attrp
->spd_attr_value
== 0) {
882 *diag
= SPD_DIAGNOSTIC_UNSUPP_AH_ALG
;
885 act
.ipa_apply
.ipp_auth_alg
= attrp
->spd_attr_value
;
888 case SPD_ATTR_ESP_ENCR
:
889 if (attrp
->spd_attr_value
== 0) {
890 *diag
= SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG
;
893 act
.ipa_apply
.ipp_encr_alg
= attrp
->spd_attr_value
;
896 case SPD_ATTR_ESP_AUTH
:
897 if (attrp
->spd_attr_value
== 0) {
898 *diag
= SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG
;
901 act
.ipa_apply
.ipp_esp_auth_alg
= attrp
->spd_attr_value
;
904 case SPD_ATTR_ENCR_MINBITS
:
905 act
.ipa_apply
.ipp_espe_minbits
= attrp
->spd_attr_value
;
908 case SPD_ATTR_ENCR_MAXBITS
:
909 act
.ipa_apply
.ipp_espe_maxbits
= attrp
->spd_attr_value
;
912 case SPD_ATTR_AH_MINBITS
:
913 act
.ipa_apply
.ipp_ah_minbits
= attrp
->spd_attr_value
;
916 case SPD_ATTR_AH_MAXBITS
:
917 act
.ipa_apply
.ipp_ah_maxbits
= attrp
->spd_attr_value
;
920 case SPD_ATTR_ESPA_MINBITS
:
921 act
.ipa_apply
.ipp_espa_minbits
= attrp
->spd_attr_value
;
924 case SPD_ATTR_ESPA_MAXBITS
:
925 act
.ipa_apply
.ipp_espa_maxbits
= attrp
->spd_attr_value
;
928 case SPD_ATTR_LIFE_SOFT_TIME
:
929 case SPD_ATTR_LIFE_HARD_TIME
:
930 case SPD_ATTR_LIFE_SOFT_BYTES
:
931 case SPD_ATTR_LIFE_HARD_BYTES
:
934 case SPD_ATTR_KM_PROTO
:
935 act
.ipa_apply
.ipp_km_proto
= attrp
->spd_attr_value
;
938 case SPD_ATTR_KM_COOKIE
:
939 act
.ipa_apply
.ipp_km_cookie
= attrp
->spd_attr_value
;
942 case SPD_ATTR_REPLAY_DEPTH
:
943 act
.ipa_apply
.ipp_replay_depth
= attrp
->spd_attr_value
;
947 if (actp
!= endactp
) {
948 *diag
= SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT
;
954 ipsec_actvec_free(*actpp
, nact
);
966 mkrule(ipsec_policy_head_t
*iph
, struct spd_rule
*rule
,
967 ipsec_selkey_t
*sel
, ipsec_act_t
*actp
, int nact
, uint_t dir
, uint_t af
,
968 tmprule_t
**rp
, uint64_t *index
, spd_stack_t
*spds
)
972 sel
->ipsl_valid
&= ~(IPSL_IPV6
|IPSL_IPV4
);
973 sel
->ipsl_valid
|= af
;
975 pol
= ipsec_policy_create(sel
, actp
, nact
, rule
->spd_rule_priority
,
976 index
, spds
->spds_netstack
);
984 if (!ipsec_check_policy(iph
, pol
, dir
))
987 rule
->spd_rule_index
= pol
->ipsp_index
;
992 mkrulepair(ipsec_policy_head_t
*iph
, struct spd_rule
*rule
,
993 ipsec_selkey_t
*sel
, ipsec_act_t
*actp
, int nact
, uint_t dir
, uint_t afs
,
994 tmprule_t
**rp
, uint64_t *index
, spd_stack_t
*spds
)
998 if (afs
& IPSL_IPV4
) {
999 error
= mkrule(iph
, rule
, sel
, actp
, nact
, dir
, IPSL_IPV4
, rp
,
1004 if (afs
& IPSL_IPV6
) {
1005 error
= mkrule(iph
, rule
, sel
, actp
, nact
, dir
, IPSL_IPV6
, rp
,
1015 spdsock_addrule(queue_t
*q
, ipsec_policy_head_t
*iph
, mblk_t
*mp
,
1016 spd_ext_t
**extv
, ipsec_tun_pol_t
*itp
)
1021 int diag
= 0, error
, afs
;
1022 struct spd_rule
*rule
= (struct spd_rule
*)extv
[SPD_EXT_RULE
];
1023 tmprule_t rules
[4], *rulep
= &rules
[0];
1024 boolean_t tunnel_mode
, empty_itp
, active
;
1025 uint64_t *index
= (itp
== NULL
) ? NULL
: &itp
->itp_next_policy_index
;
1026 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
1027 spd_stack_t
*spds
= ss
->spdsock_spds
;
1030 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_NO_RULE_EXT
);
1032 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1036 cr
= msg_getcred(mp
, &cpid
);
1037 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1038 audit_pf_policy(SPD_ADDRULE
, cr
,
1039 spds
->spds_netstack
, ITP_NAME(itp
), active
,
1040 SPD_DIAGNOSTIC_NO_RULE_EXT
, cpid
);
1045 tunnel_mode
= (rule
->spd_rule_flags
& SPD_RULE_FLAG_TUNNEL
);
1048 mutex_enter(&itp
->itp_lock
);
1049 ASSERT(itp
->itp_policy
== iph
|| itp
->itp_inactive
== iph
);
1050 active
= (itp
->itp_policy
== iph
);
1051 if (ITP_P_ISACTIVE(itp
, iph
)) {
1052 /* Check for mix-and-match of tunnel/transport. */
1053 if ((tunnel_mode
&& !ITP_P_ISTUNNEL(itp
, iph
)) ||
1054 (!tunnel_mode
&& ITP_P_ISTUNNEL(itp
, iph
))) {
1055 mutex_exit(&itp
->itp_lock
);
1056 spdsock_error(q
, mp
, EBUSY
, 0);
1059 empty_itp
= B_FALSE
;
1062 itp
->itp_flags
= active
? ITPF_P_ACTIVE
: ITPF_I_ACTIVE
;
1064 itp
->itp_flags
|= active
? ITPF_P_TUNNEL
:
1068 empty_itp
= B_FALSE
;
1071 if (rule
->spd_rule_index
!= 0) {
1072 diag
= SPD_DIAGNOSTIC_INVALID_RULE_INDEX
;
1077 if (!spdsock_ext_to_sel(extv
, &sel
, &diag
)) {
1084 if (sel
.ipsl_valid
&
1085 (IPSL_REMOTE_PORT
| IPSL_LOCAL_PORT
)) {
1086 itp
->itp_flags
|= active
?
1087 ITPF_P_PER_PORT_SECURITY
:
1088 ITPF_I_PER_PORT_SECURITY
;
1092 * For now, we don't allow transport-mode on a tunnel
1093 * with ANY specific selectors. Bail if we have such
1096 if (sel
.ipsl_valid
& IPSL_WILDCARD
) {
1097 diag
= SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS
;
1104 if (!spdsock_ext_to_actvec(extv
, &actp
, &nact
, &diag
, spds
)) {
1109 * If no addresses were specified, add both.
1111 afs
= sel
.ipsl_valid
& (IPSL_IPV6
|IPSL_IPV4
);
1113 afs
= (IPSL_IPV6
|IPSL_IPV4
);
1115 rw_enter(&iph
->iph_lock
, RW_WRITER
);
1117 if (rule
->spd_rule_flags
& SPD_RULE_FLAG_OUTBOUND
) {
1118 error
= mkrulepair(iph
, rule
, &sel
, actp
, nact
,
1119 IPSEC_TYPE_OUTBOUND
, afs
, &rulep
, index
, spds
);
1124 if (rule
->spd_rule_flags
& SPD_RULE_FLAG_INBOUND
) {
1125 error
= mkrulepair(iph
, rule
, &sel
, actp
, nact
,
1126 IPSEC_TYPE_INBOUND
, afs
, &rulep
, index
, spds
);
1131 while ((--rulep
) >= &rules
[0]) {
1132 ipsec_enter_policy(iph
, rulep
->pol
, rulep
->dir
,
1133 spds
->spds_netstack
);
1135 rw_exit(&iph
->iph_lock
);
1137 mutex_exit(&itp
->itp_lock
);
1139 ipsec_actvec_free(actp
, nact
);
1142 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1146 cr
= msg_getcred(mp
, &cpid
);
1147 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1148 audit_pf_policy(SPD_ADDRULE
, cr
, spds
->spds_netstack
,
1149 ITP_NAME(itp
), active
, 0, cpid
);
1154 rw_exit(&iph
->iph_lock
);
1155 while ((--rulep
) >= &rules
[0])
1156 IPPOL_REFRELE(rulep
->pol
);
1157 ipsec_actvec_free(actp
, nact
);
1162 mutex_exit(&itp
->itp_lock
);
1164 spdsock_error(q
, mp
, error
, diag
);
1166 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1170 cr
= msg_getcred(mp
, &cpid
);
1171 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1172 audit_pf_policy(SPD_ADDRULE
, cr
, spds
->spds_netstack
,
1173 ITP_NAME(itp
), active
, error
, cpid
);
1178 spdsock_deleterule(queue_t
*q
, ipsec_policy_head_t
*iph
, mblk_t
*mp
,
1179 spd_ext_t
**extv
, ipsec_tun_pol_t
*itp
)
1182 struct spd_rule
*rule
= (struct spd_rule
*)extv
[SPD_EXT_RULE
];
1184 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
1185 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
1188 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_NO_RULE_EXT
);
1191 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1195 cr
= msg_getcred(mp
, &cpid
);
1196 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1197 audit_pf_policy(SPD_DELETERULE
, cr
, ns
,
1198 ITP_NAME(itp
), active
, SPD_DIAGNOSTIC_NO_RULE_EXT
,
1205 * Must enter itp_lock first to avoid deadlock. See tun.c's
1206 * set_sec_simple() for the other case of itp_lock and iph_lock.
1209 mutex_enter(&itp
->itp_lock
);
1211 if (rule
->spd_rule_index
!= 0) {
1212 if (ipsec_policy_delete_index(iph
, rule
->spd_rule_index
, ns
) !=
1218 if (!spdsock_ext_to_sel(extv
, &sel
, &diag
)) {
1219 err
= EINVAL
; /* diag already set... */
1223 if ((rule
->spd_rule_flags
& SPD_RULE_FLAG_INBOUND
) &&
1224 !ipsec_policy_delete(iph
, &sel
, IPSEC_TYPE_INBOUND
, ns
)) {
1229 if ((rule
->spd_rule_flags
& SPD_RULE_FLAG_OUTBOUND
) &&
1230 !ipsec_policy_delete(iph
, &sel
, IPSEC_TYPE_OUTBOUND
, ns
)) {
1237 ASSERT(iph
== itp
->itp_policy
|| iph
== itp
->itp_inactive
);
1238 rw_enter(&iph
->iph_lock
, RW_READER
);
1239 if (avl_numnodes(&iph
->iph_rulebyid
) == 0) {
1240 if (iph
== itp
->itp_policy
)
1241 itp
->itp_flags
&= ~ITPF_PFLAGS
;
1243 itp
->itp_flags
&= ~ITPF_IFLAGS
;
1245 /* Can exit locks in any order. */
1246 rw_exit(&iph
->iph_lock
);
1247 mutex_exit(&itp
->itp_lock
);
1252 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1256 cr
= msg_getcred(mp
, &cpid
);
1257 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1258 audit_pf_policy(SPD_DELETERULE
, cr
, ns
, ITP_NAME(itp
),
1264 mutex_exit(&itp
->itp_lock
);
1265 spdsock_error(q
, mp
, err
, diag
);
1268 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1272 cr
= msg_getcred(mp
, &cpid
);
1273 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1274 audit_pf_policy(SPD_DELETERULE
, cr
, ns
, ITP_NAME(itp
),
1279 /* Do NOT consume a reference to itp. */
1282 spdsock_flip_node(ipsec_tun_pol_t
*itp
, void *ignoreme
, netstack_t
*ns
)
1284 mutex_enter(&itp
->itp_lock
);
1285 ITPF_SWAP(itp
->itp_flags
);
1286 ipsec_swap_policy(itp
->itp_policy
, itp
->itp_inactive
, ns
);
1287 mutex_exit(&itp
->itp_lock
);
1288 /* SPD_FLIP is worth a tunnel MTU check. */
1289 update_iptun_policy(itp
);
1293 spdsock_flip(queue_t
*q
, mblk_t
*mp
, spd_if_t
*tunname
)
1296 ipsec_tun_pol_t
*itp
;
1297 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
1298 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
1300 if (tunname
!= NULL
) {
1301 tname
= (char *)tunname
->spd_if_name
;
1302 if (*tname
== '\0') {
1304 ipsec_swap_global_policy(ns
);
1307 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1311 cr
= msg_getcred(mp
, &cpid
);
1312 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1313 audit_pf_policy(SPD_FLIP
, cr
, ns
,
1314 NULL
, active
, 0, cpid
);
1316 itp_walk(spdsock_flip_node
, NULL
, ns
);
1319 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1323 cr
= msg_getcred(mp
, &cpid
);
1324 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1325 audit_pf_policy(SPD_FLIP
, cr
, ns
,
1326 "all tunnels", active
, 0, cpid
);
1329 itp
= get_tunnel_policy(tname
, ns
);
1331 /* Better idea for "tunnel not found"? */
1332 spdsock_error(q
, mp
, ESRCH
, 0);
1336 (spd_msg_t
*)mp
->b_rptr
;
1340 cr
= msg_getcred(mp
, &cpid
);
1341 active
= (spmsg
->spd_msg_spdid
==
1343 audit_pf_policy(SPD_FLIP
, cr
, ns
,
1344 ITP_NAME(itp
), active
,
1349 spdsock_flip_node(itp
, NULL
, ns
);
1352 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1356 cr
= msg_getcred(mp
, &cpid
);
1357 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1358 audit_pf_policy(SPD_FLIP
, cr
, ns
,
1359 ITP_NAME(itp
), active
, 0, cpid
);
1361 ITP_REFRELE(itp
, ns
);
1364 ipsec_swap_global_policy(ns
); /* can't fail */
1367 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1371 cr
= msg_getcred(mp
, &cpid
);
1372 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1373 audit_pf_policy(SPD_FLIP
, cr
,
1374 ns
, NULL
, active
, 0, cpid
);
1381 * Unimplemented feature
1385 spdsock_lookup(queue_t
*q
, ipsec_policy_head_t
*iph
, mblk_t
*mp
,
1386 spd_ext_t
**extv
, ipsec_tun_pol_t
*itp
)
1388 spdsock_error(q
, mp
, EINVAL
, 0);
1393 spdsock_dump_ruleset(mblk_t
*req
, ipsec_policy_head_t
*iph
,
1394 uint32_t count
, uint16_t error
)
1396 size_t len
= sizeof (spd_ruleset_ext_t
) + sizeof (spd_msg_t
);
1398 spd_ruleset_ext_t
*ruleset
;
1399 mblk_t
*m
= allocb(len
, BPRI_HI
);
1401 ASSERT(RW_READ_HELD(&iph
->iph_lock
));
1406 msg
= (spd_msg_t
*)m
->b_rptr
;
1407 ruleset
= (spd_ruleset_ext_t
*)(&msg
[1]);
1409 m
->b_wptr
= (uint8_t *)&ruleset
[1];
1411 *msg
= *(spd_msg_t
*)(req
->b_rptr
);
1412 msg
->spd_msg_len
= SPD_8TO64(len
);
1413 msg
->spd_msg_errno
= error
;
1415 ruleset
->spd_ruleset_len
= SPD_8TO64(sizeof (*ruleset
));
1416 ruleset
->spd_ruleset_type
= SPD_EXT_RULESET
;
1417 ruleset
->spd_ruleset_count
= count
;
1418 ruleset
->spd_ruleset_version
= iph
->iph_gen
;
1423 spdsock_dump_finish(spdsock_t
*ss
, int error
)
1426 ipsec_policy_head_t
*iph
= ss
->spdsock_dump_head
;
1427 mblk_t
*req
= ss
->spdsock_dump_req
;
1428 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
1430 rw_enter(&iph
->iph_lock
, RW_READER
);
1431 m
= spdsock_dump_ruleset(req
, iph
, ss
->spdsock_dump_count
, error
);
1432 rw_exit(&iph
->iph_lock
);
1433 IPPH_REFRELE(iph
, ns
);
1434 if (ss
->spdsock_itp
!= NULL
) {
1435 ITP_REFRELE(ss
->spdsock_itp
, ns
);
1436 ss
->spdsock_itp
= NULL
;
1438 ss
->spdsock_dump_req
= NULL
;
1445 * Rule encoding functions.
1446 * We do a two-pass encode.
1447 * If base != NULL, fill in encoded rule part starting at base+offset.
1448 * Always return "offset" plus length of to-be-encoded data.
1451 spdsock_encode_typecode(uint8_t *base
, uint_t offset
, uint8_t type
,
1452 uint8_t type_end
, uint8_t code
, uint8_t code_end
)
1454 struct spd_typecode
*tcp
;
1456 ASSERT(ALIGNED64(offset
));
1459 tcp
= (struct spd_typecode
*)(base
+ offset
);
1460 tcp
->spd_typecode_len
= SPD_8TO64(sizeof (*tcp
));
1461 tcp
->spd_typecode_exttype
= SPD_EXT_ICMP_TYPECODE
;
1462 tcp
->spd_typecode_code
= code
;
1463 tcp
->spd_typecode_type
= type
;
1464 tcp
->spd_typecode_type_end
= type_end
;
1465 tcp
->spd_typecode_code_end
= code_end
;
1467 offset
+= sizeof (*tcp
);
1469 ASSERT(ALIGNED64(offset
));
1475 spdsock_encode_proto(uint8_t *base
, uint_t offset
, uint8_t proto
)
1477 struct spd_proto
*spp
;
1479 ASSERT(ALIGNED64(offset
));
1482 spp
= (struct spd_proto
*)(base
+ offset
);
1483 spp
->spd_proto_len
= SPD_8TO64(sizeof (*spp
));
1484 spp
->spd_proto_exttype
= SPD_EXT_PROTO
;
1485 spp
->spd_proto_number
= proto
;
1486 spp
->spd_proto_reserved1
= 0;
1487 spp
->spd_proto_reserved2
= 0;
1489 offset
+= sizeof (*spp
);
1491 ASSERT(ALIGNED64(offset
));
1497 spdsock_encode_port(uint8_t *base
, uint_t offset
, uint16_t ext
, uint16_t port
)
1499 struct spd_portrange
*spp
;
1501 ASSERT(ALIGNED64(offset
));
1504 spp
= (struct spd_portrange
*)(base
+ offset
);
1505 spp
->spd_ports_len
= SPD_8TO64(sizeof (*spp
));
1506 spp
->spd_ports_exttype
= ext
;
1507 spp
->spd_ports_minport
= port
;
1508 spp
->spd_ports_maxport
= port
;
1510 offset
+= sizeof (*spp
);
1512 ASSERT(ALIGNED64(offset
));
1518 spdsock_encode_addr(uint8_t *base
, uint_t offset
, uint16_t ext
,
1519 const ipsec_selkey_t
*sel
, const ipsec_addr_t
*addr
, uint_t pfxlen
)
1521 struct spd_address
*sae
;
1522 ipsec_addr_t
*spdaddr
;
1523 uint_t start
= offset
;
1527 if (sel
->ipsl_valid
& IPSL_IPV4
) {
1529 addrlen
= IP_ADDR_LEN
;
1532 addrlen
= IPV6_ADDR_LEN
;
1535 ASSERT(ALIGNED64(offset
));
1538 sae
= (struct spd_address
*)(base
+ offset
);
1539 sae
->spd_address_exttype
= ext
;
1540 sae
->spd_address_af
= af
;
1541 sae
->spd_address_prefixlen
= pfxlen
;
1542 sae
->spd_address_reserved2
= 0;
1544 spdaddr
= (ipsec_addr_t
*)(&sae
[1]);
1545 bcopy(addr
, spdaddr
, addrlen
);
1547 offset
+= sizeof (*sae
);
1548 addrlen
= roundup(addrlen
, sizeof (uint64_t));
1551 ASSERT(ALIGNED64(offset
));
1554 sae
->spd_address_len
= SPD_8TO64(offset
- start
);
1559 spdsock_encode_sel(uint8_t *base
, uint_t offset
, const ipsec_sel_t
*sel
)
1561 const ipsec_selkey_t
*selkey
= &sel
->ipsl_key
;
1563 if (selkey
->ipsl_valid
& IPSL_PROTOCOL
)
1564 offset
= spdsock_encode_proto(base
, offset
, selkey
->ipsl_proto
);
1565 if (selkey
->ipsl_valid
& IPSL_LOCAL_PORT
)
1566 offset
= spdsock_encode_port(base
, offset
, SPD_EXT_LCLPORT
,
1567 selkey
->ipsl_lport
);
1568 if (selkey
->ipsl_valid
& IPSL_REMOTE_PORT
)
1569 offset
= spdsock_encode_port(base
, offset
, SPD_EXT_REMPORT
,
1570 selkey
->ipsl_rport
);
1571 if (selkey
->ipsl_valid
& IPSL_REMOTE_ADDR
)
1572 offset
= spdsock_encode_addr(base
, offset
, SPD_EXT_REMADDR
,
1573 selkey
, &selkey
->ipsl_remote
, selkey
->ipsl_remote_pfxlen
);
1574 if (selkey
->ipsl_valid
& IPSL_LOCAL_ADDR
)
1575 offset
= spdsock_encode_addr(base
, offset
, SPD_EXT_LCLADDR
,
1576 selkey
, &selkey
->ipsl_local
, selkey
->ipsl_local_pfxlen
);
1577 if (selkey
->ipsl_valid
& IPSL_ICMP_TYPE
) {
1578 offset
= spdsock_encode_typecode(base
, offset
,
1579 selkey
->ipsl_icmp_type
, selkey
->ipsl_icmp_type_end
,
1580 (selkey
->ipsl_valid
& IPSL_ICMP_CODE
) ?
1581 selkey
->ipsl_icmp_code
: 255,
1582 (selkey
->ipsl_valid
& IPSL_ICMP_CODE
) ?
1583 selkey
->ipsl_icmp_code_end
: 255);
1589 spdsock_encode_actattr(uint8_t *base
, uint_t offset
, uint32_t tag
,
1592 struct spd_attribute
*attr
;
1594 ASSERT(ALIGNED64(offset
));
1597 attr
= (struct spd_attribute
*)(base
+ offset
);
1598 attr
->spd_attr_tag
= tag
;
1599 attr
->spd_attr_value
= value
;
1601 offset
+= sizeof (struct spd_attribute
);
1603 ASSERT(ALIGNED64(offset
));
1609 #define EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v))
1612 spdsock_encode_action(uint8_t *base
, uint_t offset
, const ipsec_action_t
*ap
)
1614 const struct ipsec_act
*act
= &(ap
->ipa_act
);
1617 EMIT(SPD_ATTR_EMPTY
, 0);
1618 switch (act
->ipa_type
) {
1619 case IPSEC_ACT_DISCARD
:
1620 case IPSEC_ACT_REJECT
:
1621 EMIT(SPD_ATTR_TYPE
, SPD_ACTTYPE_DROP
);
1623 case IPSEC_ACT_BYPASS
:
1624 case IPSEC_ACT_CLEAR
:
1625 EMIT(SPD_ATTR_TYPE
, SPD_ACTTYPE_PASS
);
1628 case IPSEC_ACT_APPLY
:
1629 EMIT(SPD_ATTR_TYPE
, SPD_ACTTYPE_IPSEC
);
1631 if (act
->ipa_apply
.ipp_use_ah
)
1632 flags
|= SPD_APPLY_AH
;
1633 if (act
->ipa_apply
.ipp_use_esp
)
1634 flags
|= SPD_APPLY_ESP
;
1635 if (act
->ipa_apply
.ipp_use_espa
)
1636 flags
|= SPD_APPLY_ESPA
;
1637 if (act
->ipa_apply
.ipp_use_se
)
1638 flags
|= SPD_APPLY_SE
;
1639 if (act
->ipa_apply
.ipp_use_unique
)
1640 flags
|= SPD_APPLY_UNIQUE
;
1641 EMIT(SPD_ATTR_FLAGS
, flags
);
1642 if (flags
& SPD_APPLY_AH
) {
1643 EMIT(SPD_ATTR_AH_AUTH
, act
->ipa_apply
.ipp_auth_alg
);
1644 EMIT(SPD_ATTR_AH_MINBITS
,
1645 act
->ipa_apply
.ipp_ah_minbits
);
1646 EMIT(SPD_ATTR_AH_MAXBITS
,
1647 act
->ipa_apply
.ipp_ah_maxbits
);
1649 if (flags
& SPD_APPLY_ESP
) {
1650 EMIT(SPD_ATTR_ESP_ENCR
, act
->ipa_apply
.ipp_encr_alg
);
1651 EMIT(SPD_ATTR_ENCR_MINBITS
,
1652 act
->ipa_apply
.ipp_espe_minbits
);
1653 EMIT(SPD_ATTR_ENCR_MAXBITS
,
1654 act
->ipa_apply
.ipp_espe_maxbits
);
1655 if (flags
& SPD_APPLY_ESPA
) {
1656 EMIT(SPD_ATTR_ESP_AUTH
,
1657 act
->ipa_apply
.ipp_esp_auth_alg
);
1658 EMIT(SPD_ATTR_ESPA_MINBITS
,
1659 act
->ipa_apply
.ipp_espa_minbits
);
1660 EMIT(SPD_ATTR_ESPA_MAXBITS
,
1661 act
->ipa_apply
.ipp_espa_maxbits
);
1664 if (act
->ipa_apply
.ipp_km_proto
!= 0)
1665 EMIT(SPD_ATTR_KM_PROTO
, act
->ipa_apply
.ipp_km_proto
);
1666 if (act
->ipa_apply
.ipp_km_cookie
!= 0)
1667 EMIT(SPD_ATTR_KM_PROTO
, act
->ipa_apply
.ipp_km_cookie
);
1668 if (act
->ipa_apply
.ipp_replay_depth
!= 0)
1669 EMIT(SPD_ATTR_REPLAY_DEPTH
,
1670 act
->ipa_apply
.ipp_replay_depth
);
1679 spdsock_encode_action_list(uint8_t *base
, uint_t offset
,
1680 const ipsec_action_t
*ap
)
1682 struct spd_ext_actions
*act
;
1684 uint_t start
= offset
;
1686 ASSERT(ALIGNED64(offset
));
1689 act
= (struct spd_ext_actions
*)(base
+ offset
);
1690 act
->spd_actions_len
= 0;
1691 act
->spd_actions_exttype
= SPD_EXT_ACTION
;
1692 act
->spd_actions_count
= 0;
1693 act
->spd_actions_reserved
= 0;
1696 offset
+= sizeof (*act
);
1698 ASSERT(ALIGNED64(offset
));
1700 while (ap
!= NULL
) {
1701 offset
= spdsock_encode_action(base
, offset
, ap
);
1705 EMIT(SPD_ATTR_NEXT
, 0);
1708 EMIT(SPD_ATTR_END
, 0);
1710 ASSERT(ALIGNED64(offset
));
1713 act
->spd_actions_count
= nact
;
1714 act
->spd_actions_len
= SPD_8TO64(offset
- start
);
1724 spdsock_rule_flags(uint_t dir
, uint_t af
)
1728 if (dir
== IPSEC_TYPE_INBOUND
)
1729 flags
|= SPD_RULE_FLAG_INBOUND
;
1730 if (dir
== IPSEC_TYPE_OUTBOUND
)
1731 flags
|= SPD_RULE_FLAG_OUTBOUND
;
1738 spdsock_encode_rule_head(uint8_t *base
, uint_t offset
, spd_msg_t
*req
,
1739 const ipsec_policy_t
*rule
, uint_t dir
, uint_t af
, char *name
,
1742 struct spd_msg
*spmsg
;
1743 struct spd_rule
*spr
;
1746 uint_t start
= offset
;
1748 ASSERT(ALIGNED64(offset
));
1751 spmsg
= (struct spd_msg
*)(base
+ offset
);
1752 bzero(spmsg
, sizeof (*spmsg
));
1753 spmsg
->spd_msg_version
= PF_POLICY_V1
;
1754 spmsg
->spd_msg_type
= SPD_DUMP
;
1755 spmsg
->spd_msg_seq
= req
->spd_msg_seq
;
1756 spmsg
->spd_msg_pid
= req
->spd_msg_pid
;
1758 offset
+= sizeof (struct spd_msg
);
1760 ASSERT(ALIGNED64(offset
));
1763 spr
= (struct spd_rule
*)(base
+ offset
);
1764 spr
->spd_rule_type
= SPD_EXT_RULE
;
1765 spr
->spd_rule_priority
= rule
->ipsp_prio
;
1766 spr
->spd_rule_flags
= spdsock_rule_flags(dir
, af
);
1768 spr
->spd_rule_flags
|= SPD_RULE_FLAG_TUNNEL
;
1769 spr
->spd_rule_unused
= 0;
1770 spr
->spd_rule_len
= SPD_8TO64(sizeof (*spr
));
1771 spr
->spd_rule_index
= rule
->ipsp_index
;
1773 offset
+= sizeof (struct spd_rule
);
1776 * If we have an interface name (i.e. if this policy head came from
1777 * a tunnel), add the SPD_EXT_TUN_NAME extension.
1781 ASSERT(ALIGNED64(offset
));
1784 sid
= (spd_if_t
*)(base
+ offset
);
1785 sid
->spd_if_exttype
= SPD_EXT_TUN_NAME
;
1786 sid
->spd_if_len
= SPD_8TO64(sizeof (spd_if_t
) +
1787 roundup((strlen(name
) - 4), 8));
1788 (void) strlcpy((char *)sid
->spd_if_name
, name
,
1792 offset
+= sizeof (spd_if_t
) + roundup((strlen(name
) - 4), 8);
1795 offset
= spdsock_encode_sel(base
, offset
, rule
->ipsp_sel
);
1796 offset
= spdsock_encode_action_list(base
, offset
, rule
->ipsp_act
);
1798 ASSERT(ALIGNED64(offset
));
1801 spmsg
->spd_msg_len
= SPD_8TO64(offset
- start
);
1808 spdsock_encode_rule(mblk_t
*req
, const ipsec_policy_t
*rule
,
1809 uint_t dir
, uint_t af
, char *name
, boolean_t tunnel
)
1813 spd_msg_t
*mreq
= (spd_msg_t
*)req
->b_rptr
;
1816 * Figure out how much space we'll need.
1818 len
= spdsock_encode_rule_head(NULL
, 0, mreq
, rule
, dir
, af
, name
,
1824 m
= allocb(len
, BPRI_HI
);
1831 m
->b_wptr
= m
->b_rptr
+ len
;
1832 bzero(m
->b_rptr
, len
);
1833 (void) spdsock_encode_rule_head(m
->b_rptr
, 0, mreq
, rule
, dir
, af
,
1838 static ipsec_policy_t
*
1839 spdsock_dump_next_in_chain(spdsock_t
*ss
, ipsec_policy_head_t
*iph
,
1840 ipsec_policy_t
*cur
)
1842 ASSERT(RW_READ_HELD(&iph
->iph_lock
));
1844 ss
->spdsock_dump_count
++;
1845 ss
->spdsock_dump_cur_rule
= cur
->ipsp_hash
.hash_next
;
1849 static ipsec_policy_t
*
1850 spdsock_dump_next_rule(spdsock_t
*ss
, ipsec_policy_head_t
*iph
)
1852 ipsec_policy_t
*cur
;
1853 ipsec_policy_root_t
*ipr
;
1854 int chain
, nchains
, type
, af
;
1856 ASSERT(RW_READ_HELD(&iph
->iph_lock
));
1858 cur
= ss
->spdsock_dump_cur_rule
;
1861 return (spdsock_dump_next_in_chain(ss
, iph
, cur
));
1863 type
= ss
->spdsock_dump_cur_type
;
1866 chain
= ss
->spdsock_dump_cur_chain
;
1867 ipr
= &iph
->iph_root
[type
];
1868 nchains
= ipr
->ipr_nchains
;
1870 while (chain
< nchains
) {
1871 cur
= ipr
->ipr_hash
[chain
].hash_head
;
1874 ss
->spdsock_dump_cur_chain
= chain
;
1875 return (spdsock_dump_next_in_chain(ss
, iph
, cur
));
1878 ss
->spdsock_dump_cur_chain
= nchains
;
1880 af
= ss
->spdsock_dump_cur_af
;
1881 while (af
< IPSEC_NAF
) {
1882 cur
= ipr
->ipr_nonhash
[af
];
1885 ss
->spdsock_dump_cur_af
= af
;
1886 return (spdsock_dump_next_in_chain(ss
, iph
, cur
));
1891 if (type
>= IPSEC_NTYPES
)
1894 ss
->spdsock_dump_cur_chain
= 0;
1895 ss
->spdsock_dump_cur_type
= type
;
1896 ss
->spdsock_dump_cur_af
= IPSEC_AF_V4
;
1902 * If we're done with one policy head, but have more to go, we iterate through
1903 * another IPsec tunnel policy head (itp). Return NULL if it is an error
1904 * worthy of returning EAGAIN via PF_POLICY.
1906 static ipsec_tun_pol_t
*
1907 spdsock_dump_iterate_next_tunnel(spdsock_t
*ss
, ipsec_stack_t
*ipss
)
1909 ipsec_tun_pol_t
*itp
;
1911 ASSERT(RW_READ_HELD(&ipss
->ipsec_tunnel_policy_lock
));
1912 if (ipss
->ipsec_tunnel_policy_gen
> ss
->spdsock_dump_tun_gen
) {
1913 /* Oops, state of the tunnel polheads changed. */
1915 } else if (ss
->spdsock_itp
== NULL
) {
1916 /* Just finished global, find first node. */
1917 itp
= avl_first(&ipss
->ipsec_tunnel_policies
);
1919 /* We just finished current polhead, find the next one. */
1920 itp
= AVL_NEXT(&ipss
->ipsec_tunnel_policies
, ss
->spdsock_itp
);
1925 if (ss
->spdsock_itp
!= NULL
) {
1926 ITP_REFRELE(ss
->spdsock_itp
, ipss
->ipsec_netstack
);
1928 ss
->spdsock_itp
= itp
;
1933 spdsock_dump_next_record(spdsock_t
*ss
)
1935 ipsec_policy_head_t
*iph
;
1936 ipsec_policy_t
*rule
;
1938 ipsec_tun_pol_t
*itp
;
1939 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
1940 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
1942 iph
= ss
->spdsock_dump_head
;
1944 ASSERT(iph
!= NULL
);
1946 rw_enter(&iph
->iph_lock
, RW_READER
);
1948 if (iph
->iph_gen
!= ss
->spdsock_dump_gen
) {
1949 rw_exit(&iph
->iph_lock
);
1950 return (spdsock_dump_finish(ss
, EAGAIN
));
1953 while ((rule
= spdsock_dump_next_rule(ss
, iph
)) == NULL
) {
1954 rw_exit(&iph
->iph_lock
);
1955 if (--(ss
->spdsock_dump_remaining_polheads
) == 0)
1956 return (spdsock_dump_finish(ss
, 0));
1960 * If we reach here, we have more policy heads (tunnel
1961 * entries) to dump. Let's reset to a new policy head
1962 * and get some more rules.
1964 * An empty policy head will have spdsock_dump_next_rule()
1965 * return NULL, and we loop (while dropping the number of
1966 * remaining polheads). If we loop to 0, we finish. We
1967 * keep looping until we hit 0 or until we have a rule to
1970 * NOTE: No need for ITP_REF*() macros here as we're only
1971 * going after and refholding the policy head itself.
1973 rw_enter(&ipss
->ipsec_tunnel_policy_lock
, RW_READER
);
1974 itp
= spdsock_dump_iterate_next_tunnel(ss
, ipss
);
1976 rw_exit(&ipss
->ipsec_tunnel_policy_lock
);
1977 return (spdsock_dump_finish(ss
, EAGAIN
));
1980 /* Reset other spdsock_dump thingies. */
1981 IPPH_REFRELE(ss
->spdsock_dump_head
, ns
);
1982 if (ss
->spdsock_dump_active
) {
1983 ss
->spdsock_dump_tunnel
=
1984 itp
->itp_flags
& ITPF_P_TUNNEL
;
1985 iph
= itp
->itp_policy
;
1987 ss
->spdsock_dump_tunnel
=
1988 itp
->itp_flags
& ITPF_I_TUNNEL
;
1989 iph
= itp
->itp_inactive
;
1992 rw_exit(&ipss
->ipsec_tunnel_policy_lock
);
1994 rw_enter(&iph
->iph_lock
, RW_READER
);
1995 RESET_SPDSOCK_DUMP_POLHEAD(ss
, iph
);
1998 m
= spdsock_encode_rule(ss
->spdsock_dump_req
, rule
,
1999 ss
->spdsock_dump_cur_type
, ss
->spdsock_dump_cur_af
,
2000 (ss
->spdsock_itp
== NULL
) ? NULL
: ss
->spdsock_itp
->itp_name
,
2001 ss
->spdsock_dump_tunnel
);
2002 rw_exit(&iph
->iph_lock
);
2005 return (spdsock_dump_finish(ss
, ENOMEM
));
2010 * Dump records until we run into flow-control back-pressure.
2013 spdsock_dump_some(queue_t
*q
, spdsock_t
*ss
)
2015 mblk_t
*m
, *dataind
;
2017 while ((ss
->spdsock_dump_req
!= NULL
) && canputnext(q
)) {
2018 m
= spdsock_dump_next_record(ss
);
2021 dataind
= allocb(sizeof (struct T_data_req
), BPRI_HI
);
2022 if (dataind
== NULL
) {
2026 dataind
->b_cont
= m
;
2027 dataind
->b_wptr
+= sizeof (struct T_data_req
);
2028 ((struct T_data_ind
*)dataind
->b_rptr
)->PRIM_type
= T_DATA_IND
;
2029 ((struct T_data_ind
*)dataind
->b_rptr
)->MORE_flag
= 0;
2030 dataind
->b_datap
->db_type
= M_PROTO
;
2031 putnext(q
, dataind
);
2037 * Format a start-of-dump record, and set up the stream and kick the rsrv
2038 * procedure to continue the job..
2042 spdsock_dump(queue_t
*q
, ipsec_policy_head_t
*iph
, mblk_t
*mp
)
2044 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2045 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
2046 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
2049 /* spdsock_open() already set spdsock_itp to NULL. */
2050 if (iph
== ALL_ACTIVE_POLHEADS
|| iph
== ALL_INACTIVE_POLHEADS
) {
2051 rw_enter(&ipss
->ipsec_tunnel_policy_lock
, RW_READER
);
2052 ss
->spdsock_dump_remaining_polheads
= 1 +
2053 avl_numnodes(&ipss
->ipsec_tunnel_policies
);
2054 ss
->spdsock_dump_tun_gen
= ipss
->ipsec_tunnel_policy_gen
;
2055 rw_exit(&ipss
->ipsec_tunnel_policy_lock
);
2056 if (iph
== ALL_ACTIVE_POLHEADS
) {
2057 iph
= ipsec_system_policy(ns
);
2058 ss
->spdsock_dump_active
= B_TRUE
;
2060 iph
= ipsec_inactive_policy(ns
);
2061 ss
->spdsock_dump_active
= B_FALSE
;
2063 ASSERT(ss
->spdsock_itp
== NULL
);
2065 ss
->spdsock_dump_remaining_polheads
= 1;
2068 rw_enter(&iph
->iph_lock
, RW_READER
);
2070 mr
= spdsock_dump_ruleset(mp
, iph
, 0, 0);
2073 rw_exit(&iph
->iph_lock
);
2074 spdsock_error(q
, mp
, ENOMEM
, 0);
2078 ss
->spdsock_dump_req
= mp
;
2079 RESET_SPDSOCK_DUMP_POLHEAD(ss
, iph
);
2081 rw_exit(&iph
->iph_lock
);
2087 /* Do NOT consume a reference to ITP. */
2089 spdsock_clone_node(ipsec_tun_pol_t
*itp
, void *ep
, netstack_t
*ns
)
2091 int *errptr
= (int *)ep
;
2094 return; /* We've failed already for some reason. */
2095 mutex_enter(&itp
->itp_lock
);
2096 ITPF_CLONE(itp
->itp_flags
);
2097 *errptr
= ipsec_copy_polhead(itp
->itp_policy
, itp
->itp_inactive
, ns
);
2098 mutex_exit(&itp
->itp_lock
);
2102 spdsock_clone(queue_t
*q
, mblk_t
*mp
, spd_if_t
*tunname
)
2106 ipsec_tun_pol_t
*itp
;
2107 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2108 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
2110 if (tunname
!= NULL
) {
2111 tname
= (char *)tunname
->spd_if_name
;
2112 if (*tname
== '\0') {
2113 error
= ipsec_clone_system_policy(ns
);
2116 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
2120 cr
= msg_getcred(mp
, &cpid
);
2121 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
2122 audit_pf_policy(SPD_CLONE
, cr
, ns
,
2123 NULL
, active
, error
, cpid
);
2126 itp_walk(spdsock_clone_node
, &error
, ns
);
2130 (spd_msg_t
*)mp
->b_rptr
;
2134 cr
= msg_getcred(mp
, &cpid
);
2135 active
= (spmsg
->spd_msg_spdid
==
2137 audit_pf_policy(SPD_CLONE
, cr
,
2138 ns
, "all tunnels", active
, 0,
2143 itp
= get_tunnel_policy(tname
, ns
);
2145 spdsock_error(q
, mp
, ENOENT
, 0);
2149 (spd_msg_t
*)mp
->b_rptr
;
2153 cr
= msg_getcred(mp
, &cpid
);
2154 active
= (spmsg
->spd_msg_spdid
==
2156 audit_pf_policy(SPD_CLONE
, cr
,
2157 ns
, NULL
, active
, ENOENT
, cpid
);
2161 spdsock_clone_node(itp
, &error
, NULL
);
2164 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
2168 cr
= msg_getcred(mp
, &cpid
);
2169 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
2170 audit_pf_policy(SPD_CLONE
, cr
, ns
,
2171 ITP_NAME(itp
), active
, error
, cpid
);
2173 ITP_REFRELE(itp
, ns
);
2176 error
= ipsec_clone_system_policy(ns
);
2179 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
2183 cr
= msg_getcred(mp
, &cpid
);
2184 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
2185 audit_pf_policy(SPD_CLONE
, cr
, ns
, NULL
,
2186 active
, error
, cpid
);
2191 spdsock_error(q
, mp
, error
, 0);
2197 * Process a SPD_ALGLIST request. The caller expects separate alg entries
2198 * for AH authentication, ESP authentication, and ESP encryption.
2199 * The same distinction is then used when setting the min and max key
2200 * sizes when defining policies.
2203 #define SPDSOCK_AH_AUTH 0
2204 #define SPDSOCK_ESP_AUTH 1
2205 #define SPDSOCK_ESP_ENCR 2
2206 #define SPDSOCK_NTYPES 3
2208 static const uint_t algattr
[SPDSOCK_NTYPES
] = {
2213 static const uint_t minbitsattr
[SPDSOCK_NTYPES
] = {
2214 SPD_ATTR_AH_MINBITS
,
2215 SPD_ATTR_ESPA_MINBITS
,
2216 SPD_ATTR_ENCR_MINBITS
2218 static const uint_t maxbitsattr
[SPDSOCK_NTYPES
] = {
2219 SPD_ATTR_AH_MAXBITS
,
2220 SPD_ATTR_ESPA_MAXBITS
,
2221 SPD_ATTR_ENCR_MAXBITS
2223 static const uint_t defbitsattr
[SPDSOCK_NTYPES
] = {
2224 SPD_ATTR_AH_DEFBITS
,
2225 SPD_ATTR_ESPA_DEFBITS
,
2226 SPD_ATTR_ENCR_DEFBITS
2228 static const uint_t incrbitsattr
[SPDSOCK_NTYPES
] = {
2229 SPD_ATTR_AH_INCRBITS
,
2230 SPD_ATTR_ESPA_INCRBITS
,
2231 SPD_ATTR_ENCR_INCRBITS
2234 #define ATTRPERALG 6 /* fixed attributes per algs */
2237 spdsock_alglist(queue_t
*q
, mblk_t
*mp
)
2246 struct spd_ext_actions
*act
;
2247 struct spd_attribute
*attr
;
2248 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2249 ipsec_stack_t
*ipss
= ss
->spdsock_spds
->spds_netstack
->netstack_ipsec
;
2251 mutex_enter(&ipss
->ipsec_alg_lock
);
2253 * The SPD client expects to receive separate entries for
2254 * AH authentication and ESP authentication supported algorithms.
2256 * Don't return the "any" algorithms, if defined, as no
2257 * kernel policies can be set for these algorithms.
2259 algcount
= 2 * ipss
->ipsec_nalgs
[IPSEC_ALG_AUTH
] +
2260 ipss
->ipsec_nalgs
[IPSEC_ALG_ENCR
];
2262 if (ipss
->ipsec_alglists
[IPSEC_ALG_AUTH
][SADB_AALG_NONE
] != NULL
)
2264 if (ipss
->ipsec_alglists
[IPSEC_ALG_ENCR
][SADB_EALG_NONE
] != NULL
)
2268 * For each algorithm, we encode:
2269 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2272 size
= sizeof (spd_msg_t
) + sizeof (struct spd_ext_actions
) +
2273 ATTRPERALG
* sizeof (struct spd_attribute
) * algcount
;
2275 ASSERT(ALIGNED64(size
));
2277 m
= allocb(size
, BPRI_HI
);
2279 mutex_exit(&ipss
->ipsec_alg_lock
);
2280 spdsock_error(q
, mp
, ENOMEM
, 0);
2284 m
->b_wptr
= m
->b_rptr
+ size
;
2287 msg
= (spd_msg_t
*)cur
;
2288 bcopy(mp
->b_rptr
, cur
, sizeof (*msg
));
2290 msg
->spd_msg_len
= SPD_8TO64(size
);
2291 msg
->spd_msg_errno
= 0;
2292 msg
->spd_msg_diagnostic
= 0;
2294 cur
+= sizeof (*msg
);
2296 act
= (struct spd_ext_actions
*)cur
;
2297 cur
+= sizeof (*act
);
2299 act
->spd_actions_len
= SPD_8TO64(size
- sizeof (spd_msg_t
));
2300 act
->spd_actions_exttype
= SPD_EXT_ACTION
;
2301 act
->spd_actions_count
= algcount
;
2302 act
->spd_actions_reserved
= 0;
2304 attr
= (struct spd_attribute
*)cur
;
2306 #define EMIT(tag, value) { \
2307 attr->spd_attr_tag = (tag); \
2308 attr->spd_attr_value = (value); \
2313 * If you change the number of EMIT's here, change
2314 * ATTRPERALG above to match
2316 #define EMITALGATTRS(_type) { \
2317 EMIT(algattr[_type], algid); /* 1 */ \
2318 EMIT(minbitsattr[_type], minbits); /* 2 */ \
2319 EMIT(maxbitsattr[_type], maxbits); /* 3 */ \
2320 EMIT(defbitsattr[_type], defbits); /* 4 */ \
2321 EMIT(incrbitsattr[_type], incr); /* 5 */ \
2322 EMIT(SPD_ATTR_NEXT, 0); /* 6 */ \
2325 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
2326 for (algidx
= 0; algidx
< ipss
->ipsec_nalgs
[algtype
];
2328 int algid
= ipss
->ipsec_sortlist
[algtype
][algidx
];
2329 ipsec_alginfo_t
*alg
=
2330 ipss
->ipsec_alglists
[algtype
][algid
];
2331 uint_t minbits
= alg
->alg_minbits
;
2332 uint_t maxbits
= alg
->alg_maxbits
;
2333 uint_t defbits
= alg
->alg_default_bits
;
2334 uint_t incr
= alg
->alg_increment
;
2336 if (algtype
== IPSEC_ALG_AUTH
) {
2337 if (algid
== SADB_AALG_NONE
)
2339 EMITALGATTRS(SPDSOCK_AH_AUTH
);
2340 EMITALGATTRS(SPDSOCK_ESP_AUTH
);
2342 if (algid
== SADB_EALG_NONE
)
2344 ASSERT(algtype
== IPSEC_ALG_ENCR
);
2345 EMITALGATTRS(SPDSOCK_ESP_ENCR
);
2350 mutex_exit(&ipss
->ipsec_alg_lock
);
2357 attr
->spd_attr_tag
= SPD_ATTR_END
;
2364 * Process a SPD_DUMPALGS request.
2367 #define ATTRPERALG 9 /* fixed attributes per algs */
2370 spdsock_dumpalgs(queue_t
*q
, mblk_t
*mp
)
2378 struct spd_ext_actions
*act
;
2379 struct spd_attribute
*attr
;
2380 ipsec_alginfo_t
*alg
;
2384 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2385 ipsec_stack_t
*ipss
= ss
->spdsock_spds
->spds_netstack
->netstack_ipsec
;
2387 mutex_enter(&ipss
->ipsec_alg_lock
);
2390 * For each algorithm, we encode:
2391 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2393 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE*
2394 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_NPARAMS / ALG_PARAMS* /
2395 * ALG_MECHNAME / ALG_FLAGS / {END, NEXT}
2399 * Compute the size of the SPD message.
2401 size
= sizeof (spd_msg_t
) + sizeof (struct spd_ext_actions
);
2403 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
2404 for (algidx
= 0; algidx
< ipss
->ipsec_nalgs
[algtype
];
2406 algid
= ipss
->ipsec_sortlist
[algtype
][algidx
];
2407 alg
= ipss
->ipsec_alglists
[algtype
][algid
];
2408 alg_size
= sizeof (struct spd_attribute
) *
2409 (ATTRPERALG
+ alg
->alg_nkey_sizes
+
2410 alg
->alg_nblock_sizes
+ alg
->alg_nparams
) +
2411 CRYPTO_MAX_MECH_NAME
;
2416 ASSERT(ALIGNED64(size
));
2418 m
= allocb(size
, BPRI_HI
);
2420 mutex_exit(&ipss
->ipsec_alg_lock
);
2421 spdsock_error(q
, mp
, ENOMEM
, 0);
2425 m
->b_wptr
= m
->b_rptr
+ size
;
2428 msg
= (spd_msg_t
*)cur
;
2429 bcopy(mp
->b_rptr
, cur
, sizeof (*msg
));
2431 msg
->spd_msg_len
= SPD_8TO64(size
);
2432 msg
->spd_msg_errno
= 0;
2433 msg
->spd_msg_type
= SPD_ALGLIST
;
2435 msg
->spd_msg_diagnostic
= 0;
2437 cur
+= sizeof (*msg
);
2439 act
= (struct spd_ext_actions
*)cur
;
2440 cur
+= sizeof (*act
);
2442 act
->spd_actions_len
= SPD_8TO64(size
- sizeof (spd_msg_t
));
2443 act
->spd_actions_exttype
= SPD_EXT_ACTION
;
2444 act
->spd_actions_count
= ipss
->ipsec_nalgs
[IPSEC_ALG_AUTH
] +
2445 ipss
->ipsec_nalgs
[IPSEC_ALG_ENCR
];
2446 act
->spd_actions_reserved
= 0;
2449 * If there aren't any algorithms registered, return an empty message.
2450 * spdsock_get_ext() knows how to deal with this.
2452 if (act
->spd_actions_count
== 0) {
2453 act
->spd_actions_len
= 0;
2454 mutex_exit(&ipss
->ipsec_alg_lock
);
2458 attr
= (struct spd_attribute
*)cur
;
2460 #define EMIT(tag, value) { \
2461 attr->spd_attr_tag = (tag); \
2462 attr->spd_attr_value = (value); \
2466 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
2467 for (algidx
= 0; algidx
< ipss
->ipsec_nalgs
[algtype
];
2470 algid
= ipss
->ipsec_sortlist
[algtype
][algidx
];
2471 alg
= ipss
->ipsec_alglists
[algtype
][algid
];
2474 * If you change the number of EMIT's here, change
2475 * ATTRPERALG above to match
2477 EMIT(SPD_ATTR_ALG_ID
, algid
);
2478 EMIT(SPD_ATTR_ALG_PROTO
, algproto
[algtype
]);
2479 EMIT(SPD_ATTR_ALG_INCRBITS
, alg
->alg_increment
);
2480 EMIT(SPD_ATTR_ALG_NKEYSIZES
, alg
->alg_nkey_sizes
);
2481 for (i
= 0; i
< alg
->alg_nkey_sizes
; i
++)
2482 EMIT(SPD_ATTR_ALG_KEYSIZE
,
2483 alg
->alg_key_sizes
[i
]);
2485 EMIT(SPD_ATTR_ALG_NBLOCKSIZES
, alg
->alg_nblock_sizes
);
2486 for (i
= 0; i
< alg
->alg_nblock_sizes
; i
++)
2487 EMIT(SPD_ATTR_ALG_BLOCKSIZE
,
2488 alg
->alg_block_sizes
[i
]);
2490 EMIT(SPD_ATTR_ALG_NPARAMS
, alg
->alg_nparams
);
2491 for (i
= 0; i
< alg
->alg_nparams
; i
++)
2492 EMIT(SPD_ATTR_ALG_PARAMS
,
2493 alg
->alg_params
[i
]);
2495 EMIT(SPD_ATTR_ALG_FLAGS
, alg
->alg_flags
);
2497 EMIT(SPD_ATTR_ALG_MECHNAME
, CRYPTO_MAX_MECH_NAME
);
2498 bcopy(alg
->alg_mech_name
, attr
, CRYPTO_MAX_MECH_NAME
);
2499 attr
= (struct spd_attribute
*)((char *)attr
+
2500 CRYPTO_MAX_MECH_NAME
);
2502 EMIT(SPD_ATTR_NEXT
, 0);
2506 mutex_exit(&ipss
->ipsec_alg_lock
);
2513 attr
->spd_attr_tag
= SPD_ATTR_END
;
2521 * Do the actual work of processing an SPD_UPDATEALGS request. Can
2522 * be invoked either once IPsec is loaded on a cached request, or
2523 * when a request is received while IPsec is loaded.
2526 spdsock_do_updatealg(spd_ext_t
*extv
[], spd_stack_t
*spds
)
2528 struct spd_ext_actions
*actp
;
2529 struct spd_attribute
*attr
, *endattr
;
2530 uint64_t *start
, *end
;
2531 ipsec_alginfo_t
*alg
= NULL
;
2532 ipsec_algtype_t alg_type
= 0;
2533 boolean_t skip_alg
= B_TRUE
, doing_proto
= B_FALSE
;
2534 uint_t i
, cur_key
, cur_block
, algid
;
2537 ASSERT(MUTEX_HELD(&spds
->spds_alg_lock
));
2539 /* parse the message, building the list of algorithms */
2541 actp
= (struct spd_ext_actions
*)extv
[SPD_EXT_ACTION
];
2543 return (SPD_DIAGNOSTIC_NO_ACTION_EXT
);
2545 start
= (uint64_t *)actp
;
2546 end
= (start
+ actp
->spd_actions_len
);
2547 endattr
= (struct spd_attribute
*)end
;
2548 attr
= (struct spd_attribute
*)&actp
[1];
2550 bzero(spds
->spds_algs
, IPSEC_NALGTYPES
* IPSEC_MAX_ALGS
*
2551 sizeof (ipsec_alginfo_t
*));
2553 alg
= kmem_zalloc(sizeof (*alg
), KM_SLEEP
);
2555 #define ALG_KEY_SIZES(a) (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t))
2556 #define ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t))
2557 #define ALG_PARAM_SIZES(a) (((a)->alg_nparams + 1) * sizeof (uint16_t))
2559 while (attr
< endattr
) {
2560 switch (attr
->spd_attr_tag
) {
2562 case SPD_ATTR_EMPTY
:
2569 doing_proto
= B_FALSE
;
2573 ipsec_alg_free(alg
);
2576 spds
->spds_algs
[alg_type
][alg
->alg_id
]);
2577 spds
->spds_algs
[alg_type
][alg
->alg_id
] =
2580 alg
= kmem_zalloc(sizeof (*alg
), KM_SLEEP
);
2583 case SPD_ATTR_ALG_ID
:
2584 if (attr
->spd_attr_value
>= IPSEC_MAX_ALGS
) {
2585 ss1dbg(spds
, ("spdsock_do_updatealg: "
2586 "invalid alg id %d\n",
2587 attr
->spd_attr_value
));
2588 diag
= SPD_DIAGNOSTIC_ALG_ID_RANGE
;
2591 alg
->alg_id
= attr
->spd_attr_value
;
2594 case SPD_ATTR_ALG_PROTO
:
2595 /* find the alg type */
2596 for (i
= 0; i
< NALGPROTOS
; i
++)
2597 if (algproto
[i
] == attr
->spd_attr_value
)
2599 skip_alg
= (i
== NALGPROTOS
);
2604 case SPD_ATTR_ALG_INCRBITS
:
2605 alg
->alg_increment
= attr
->spd_attr_value
;
2608 case SPD_ATTR_ALG_NKEYSIZES
:
2609 if (alg
->alg_key_sizes
!= NULL
) {
2610 kmem_free(alg
->alg_key_sizes
,
2611 ALG_KEY_SIZES(alg
));
2613 alg
->alg_nkey_sizes
= attr
->spd_attr_value
;
2615 * Allocate room for the trailing zero key size
2618 alg
->alg_key_sizes
= kmem_zalloc(ALG_KEY_SIZES(alg
),
2623 case SPD_ATTR_ALG_KEYSIZE
:
2624 if (alg
->alg_key_sizes
== NULL
||
2625 cur_key
>= alg
->alg_nkey_sizes
) {
2626 ss1dbg(spds
, ("spdsock_do_updatealg: "
2627 "too many key sizes\n"));
2628 diag
= SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES
;
2631 alg
->alg_key_sizes
[cur_key
++] = attr
->spd_attr_value
;
2634 case SPD_ATTR_ALG_FLAGS
:
2636 * Flags (bit mask). The alg_flags element of
2637 * ipsecalg_flags_t is only 8 bits wide. The
2638 * user can set the VALID bit, but we will ignore it
2639 * and make the decision is the algorithm is valid.
2641 alg
->alg_flags
|= (uint8_t)attr
->spd_attr_value
;
2644 case SPD_ATTR_ALG_NBLOCKSIZES
:
2645 if (alg
->alg_block_sizes
!= NULL
) {
2646 kmem_free(alg
->alg_block_sizes
,
2647 ALG_BLOCK_SIZES(alg
));
2649 alg
->alg_nblock_sizes
= attr
->spd_attr_value
;
2651 * Allocate room for the trailing zero block size
2654 alg
->alg_block_sizes
= kmem_zalloc(ALG_BLOCK_SIZES(alg
),
2659 case SPD_ATTR_ALG_BLOCKSIZE
:
2660 if (alg
->alg_block_sizes
== NULL
||
2661 cur_block
>= alg
->alg_nblock_sizes
) {
2662 ss1dbg(spds
, ("spdsock_do_updatealg: "
2663 "too many block sizes\n"));
2664 diag
= SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES
;
2667 alg
->alg_block_sizes
[cur_block
++] =
2668 attr
->spd_attr_value
;
2671 case SPD_ATTR_ALG_NPARAMS
:
2672 if (alg
->alg_params
!= NULL
) {
2673 kmem_free(alg
->alg_params
,
2674 ALG_PARAM_SIZES(alg
));
2676 alg
->alg_nparams
= attr
->spd_attr_value
;
2678 * Allocate room for the trailing zero block size
2681 alg
->alg_params
= kmem_zalloc(ALG_PARAM_SIZES(alg
),
2686 case SPD_ATTR_ALG_PARAMS
:
2687 if (alg
->alg_params
== NULL
||
2688 cur_block
>= alg
->alg_nparams
) {
2689 ss1dbg(spds
, ("spdsock_do_updatealg: "
2690 "too many params\n"));
2691 diag
= SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES
;
2695 * Array contains: iv_len, icv_len, salt_len
2696 * Any additional parameters are currently ignored.
2698 alg
->alg_params
[cur_block
++] =
2699 attr
->spd_attr_value
;
2702 case SPD_ATTR_ALG_MECHNAME
: {
2705 if (attr
->spd_attr_value
> CRYPTO_MAX_MECH_NAME
) {
2706 ss1dbg(spds
, ("spdsock_do_updatealg: "
2707 "mech name too long\n"));
2708 diag
= SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN
;
2711 mech_name
= (char *)(attr
+ 1);
2712 bcopy(mech_name
, alg
->alg_mech_name
,
2713 attr
->spd_attr_value
);
2714 alg
->alg_mech_name
[CRYPTO_MAX_MECH_NAME
-1] = '\0';
2715 attr
= (struct spd_attribute
*)((char *)attr
+
2716 attr
->spd_attr_value
);
2720 case SPD_ATTR_PROTO_ID
:
2721 doing_proto
= B_TRUE
;
2722 for (i
= 0; i
< NALGPROTOS
; i
++) {
2723 if (algproto
[i
] == attr
->spd_attr_value
) {
2730 case SPD_ATTR_PROTO_EXEC_MODE
:
2733 for (i
= 0; i
< NEXECMODES
; i
++) {
2734 if (execmodes
[i
] == attr
->spd_attr_value
) {
2735 spds
->spds_algs_exec_mode
[alg_type
] = i
;
2744 #undef ALG_KEY_SIZES
2745 #undef ALG_BLOCK_SIZES
2746 #undef ALG_PARAM_SIZES
2748 /* update the algorithm tables */
2749 spdsock_merge_algs(spds
);
2752 ipsec_alg_free(alg
);
2753 for (alg_type
= 0; alg_type
< IPSEC_NALGTYPES
; alg_type
++)
2754 for (algid
= 0; algid
< IPSEC_MAX_ALGS
; algid
++)
2755 if (spds
->spds_algs
[alg_type
][algid
] != NULL
)
2756 ipsec_alg_free(spds
->spds_algs
[alg_type
][algid
]);
2761 * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue
2762 * the request until IPsec loads. If IPsec is loaded, act on it
2767 spdsock_updatealg(queue_t
*q
, mblk_t
*mp
, spd_ext_t
*extv
[])
2769 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2770 spd_stack_t
*spds
= ss
->spdsock_spds
;
2771 ipsec_stack_t
*ipss
= spds
->spds_netstack
->netstack_ipsec
;
2773 if (!ipsec_loaded(ipss
)) {
2775 * IPsec is not loaded, save request and return nicely,
2776 * the message will be processed once IPsec loads.
2780 /* last update message wins */
2781 if ((new_mp
= copymsg(mp
)) == NULL
) {
2782 spdsock_error(q
, mp
, ENOMEM
, 0);
2785 mutex_enter(&spds
->spds_alg_lock
);
2786 bcopy(extv
, spds
->spds_extv_algs
,
2787 sizeof (spd_ext_t
*) * (SPD_EXT_MAX
+ 1));
2788 if (spds
->spds_mp_algs
!= NULL
)
2789 freemsg(spds
->spds_mp_algs
);
2790 spds
->spds_mp_algs
= mp
;
2791 spds
->spds_algs_pending
= B_TRUE
;
2792 mutex_exit(&spds
->spds_alg_lock
);
2797 cr
= msg_getcred(mp
, &cpid
);
2798 audit_pf_policy(SPD_UPDATEALGS
, cr
,
2799 spds
->spds_netstack
, NULL
, B_TRUE
, EAGAIN
,
2802 spd_echo(q
, new_mp
);
2805 * IPsec is loaded, act on the message immediately.
2809 mutex_enter(&spds
->spds_alg_lock
);
2810 diag
= spdsock_do_updatealg(extv
, spds
);
2812 /* Keep the lock held while we walk the SA tables. */
2813 sadb_alg_update(IPSEC_ALG_ALL
, 0, 0,
2814 spds
->spds_netstack
);
2815 mutex_exit(&spds
->spds_alg_lock
);
2821 cr
= msg_getcred(mp
, &cpid
);
2822 audit_pf_policy(SPD_UPDATEALGS
, cr
,
2823 spds
->spds_netstack
, NULL
, B_TRUE
, 0,
2827 mutex_exit(&spds
->spds_alg_lock
);
2828 spdsock_diag(q
, mp
, diag
);
2833 cr
= msg_getcred(mp
, &cpid
);
2834 audit_pf_policy(SPD_UPDATEALGS
, cr
,
2835 spds
->spds_netstack
, NULL
, B_TRUE
, diag
,
2843 * Find a tunnel instance (using the name to link ID mapping), and
2844 * update it after an IPsec change. We need to do this always in case
2845 * we add policy AFTER plumbing a tunnel. We also need to do this
2846 * because, as a side-effect, the tunnel's MTU is updated to reflect
2847 * any IPsec overhead in the itp's policy.
2850 update_iptun_policy(ipsec_tun_pol_t
*itp
)
2852 datalink_id_t linkid
;
2854 if (dls_mgmt_get_linkid(itp
->itp_name
, &linkid
) == 0)
2855 iptun_set_policy(linkid
, itp
);
2859 * Sort through the mess of polhead options to retrieve an appropriate one.
2860 * Returns NULL if we send an spdsock error. Returns a valid pointer if we
2861 * found a valid polhead. Returns ALL_ACTIVE_POLHEADS (aka. -1) or
2862 * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to
2863 * act on ALL policy heads.
2865 static ipsec_policy_head_t
*
2866 get_appropriate_polhead(queue_t
*q
, mblk_t
*mp
, spd_if_t
*tunname
, int spdid
,
2867 int msgtype
, ipsec_tun_pol_t
**itpp
)
2869 ipsec_tun_pol_t
*itp
;
2870 ipsec_policy_head_t
*iph
;
2874 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2875 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
2876 uint64_t gen
; /* Placeholder */
2878 active
= (spdid
== SPD_ACTIVE
);
2880 if (!active
&& spdid
!= SPD_STANDBY
) {
2881 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_BAD_SPDID
);
2885 if (tunname
!= NULL
) {
2886 /* Acting on a tunnel's SPD. */
2887 tname
= (char *)tunname
->spd_if_name
;
2888 if (*tname
== '\0') {
2889 /* Handle all-polhead cases here. */
2890 if (msgtype
!= SPD_FLUSH
&& msgtype
!= SPD_DUMP
) {
2892 SPD_DIAGNOSTIC_NOT_GLOBAL_OP
);
2895 return (active
? ALL_ACTIVE_POLHEADS
:
2896 ALL_INACTIVE_POLHEADS
);
2899 itp
= get_tunnel_policy(tname
, ns
);
2901 if (msgtype
!= SPD_ADDRULE
) {
2902 /* "Tunnel not found" */
2903 spdsock_error(q
, mp
, ENOENT
, 0);
2908 itp
= create_tunnel_policy(tname
, &errno
, &gen
, ns
);
2911 * Something very bad happened, most likely
2912 * ENOMEM. Return an indicator.
2914 spdsock_error(q
, mp
, errno
, 0);
2919 /* Match up the itp to an iptun instance. */
2920 update_iptun_policy(itp
);
2923 /* For spdsock dump state, set the polhead's name. */
2924 if (msgtype
== SPD_DUMP
) {
2926 ss
->spdsock_itp
= itp
;
2927 ss
->spdsock_dump_tunnel
= itp
->itp_flags
&
2928 (active
? ITPF_P_TUNNEL
: ITPF_I_TUNNEL
);
2932 /* For spdsock dump state, indicate it's global policy. */
2933 if (msgtype
== SPD_DUMP
)
2934 ss
->spdsock_itp
= NULL
;
2938 iph
= (itp
== NULL
) ? ipsec_system_policy(ns
) : itp
->itp_policy
;
2940 iph
= (itp
== NULL
) ? ipsec_inactive_policy(ns
) :
2943 ASSERT(iph
!= NULL
);
2952 spdsock_parse(queue_t
*q
, mblk_t
*mp
)
2955 spd_ext_t
*extv
[SPD_EXT_MAX
+ 1];
2957 ipsec_policy_head_t
*iph
;
2958 ipsec_tun_pol_t
*itp
;
2960 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2961 spd_stack_t
*spds
= ss
->spdsock_spds
;
2962 netstack_t
*ns
= spds
->spds_netstack
;
2963 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
2965 /* Make sure nothing's below me. */
2966 ASSERT(WR(q
)->q_next
== NULL
);
2968 spmsg
= (spd_msg_t
*)mp
->b_rptr
;
2970 msgsize
= SPD_64TO8(spmsg
->spd_msg_len
);
2972 if (msgdsize(mp
) != msgsize
) {
2974 * Message len incorrect w.r.t. actual size. Send an error
2975 * (EMSGSIZE). It may be necessary to massage things a
2976 * bit. For example, if the spd_msg_type is hosed,
2977 * I need to set it to SPD_RESERVED to get delivery to
2978 * do the right thing. Then again, maybe just letting
2979 * the error delivery do the right thing.
2982 ("mblk (%lu) and base (%d) message sizes don't jibe.\n",
2983 msgdsize(mp
), msgsize
));
2984 spdsock_error(q
, mp
, EMSGSIZE
, SPD_DIAGNOSTIC_NONE
);
2988 if (msgsize
> (uint_t
)(mp
->b_wptr
- mp
->b_rptr
)) {
2989 /* Get all message into one mblk. */
2990 if (pullupmsg(mp
, -1) == 0) {
2992 * Something screwy happened.
2994 ss3dbg(spds
, ("spdsock_parse: pullupmsg() failed.\n"));
2997 spmsg
= (spd_msg_t
*)mp
->b_rptr
;
3001 switch (spdsock_get_ext(extv
, spmsg
, msgsize
)) {
3003 /* Handle duplicate extension. */
3004 ss1dbg(spds
, ("Got duplicate extension of type %d.\n",
3005 extv
[0]->spd_ext_type
));
3006 spdsock_diag(q
, mp
, dup_ext_diag
[extv
[0]->spd_ext_type
]);
3009 /* Handle unknown extension. */
3010 ss1dbg(spds
, ("Got unknown extension of type %d.\n",
3011 extv
[0]->spd_ext_type
));
3012 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_UNKNOWN_EXT
);
3016 ss1dbg(spds
, ("Length %d on extension type %d overrun or 0.\n",
3017 extv
[0]->spd_ext_len
, extv
[0]->spd_ext_type
));
3018 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_BAD_EXTLEN
);
3021 /* Reality check failed. */
3022 ss1dbg(spds
, ("Reality check failed on extension type %d.\n",
3023 extv
[0]->spd_ext_type
));
3024 spdsock_diag(q
, mp
, bad_ext_diag
[extv
[0]->spd_ext_type
]);
3027 /* Default case is no errors. */
3032 * Special-case SPD_UPDATEALGS so as not to load IPsec.
3034 if (!ipsec_loaded(ipss
) && spmsg
->spd_msg_type
!= SPD_UPDATEALGS
) {
3035 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3038 ipsec_loader_loadnow(ipss
);
3039 ss
->spdsock_timeout_arg
= mp
;
3040 ss
->spdsock_timeout
= qtimeout(q
, spdsock_loadcheck
,
3041 q
, LOADCHECK_INTERVAL
);
3045 /* First check for messages that need no polheads at all. */
3046 switch (spmsg
->spd_msg_type
) {
3047 case SPD_UPDATEALGS
:
3048 spdsock_updatealg(q
, mp
, extv
);
3051 spdsock_alglist(q
, mp
);
3054 spdsock_dumpalgs(q
, mp
);
3059 * Then check for ones that need both primary/secondary polheads,
3060 * finding the appropriate tunnel policy if need be.
3062 tunname
= (spd_if_t
*)extv
[SPD_EXT_TUN_NAME
];
3063 switch (spmsg
->spd_msg_type
) {
3065 spdsock_flip(q
, mp
, tunname
);
3068 spdsock_clone(q
, mp
, tunname
);
3073 * Finally, find ones that operate on exactly one polhead, or
3074 * "all polheads" of a given type (active/inactive).
3076 iph
= get_appropriate_polhead(q
, mp
, tunname
, spmsg
->spd_msg_spdid
,
3077 spmsg
->spd_msg_type
, &itp
);
3081 /* All-polheads-ready operations. */
3082 switch (spmsg
->spd_msg_type
) {
3085 mutex_enter(&itp
->itp_lock
);
3086 if (spmsg
->spd_msg_spdid
== SPD_ACTIVE
)
3087 itp
->itp_flags
&= ~ITPF_PFLAGS
;
3089 itp
->itp_flags
&= ~ITPF_IFLAGS
;
3090 mutex_exit(&itp
->itp_lock
);
3093 spdsock_flush(q
, iph
, itp
, mp
);
3096 /* SPD_FLUSH is worth a tunnel MTU check. */
3097 update_iptun_policy(itp
);
3098 ITP_REFRELE(itp
, ns
);
3103 ITP_REFRELE(itp
, ns
);
3104 spdsock_dump(q
, iph
, mp
);
3108 if (iph
== ALL_ACTIVE_POLHEADS
|| iph
== ALL_INACTIVE_POLHEADS
) {
3109 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_NOT_GLOBAL_OP
);
3113 /* Single-polhead-only operations. */
3114 switch (spmsg
->spd_msg_type
) {
3116 spdsock_addrule(q
, iph
, mp
, extv
, itp
);
3118 case SPD_DELETERULE
:
3119 spdsock_deleterule(q
, iph
, mp
, extv
, itp
);
3122 spdsock_lookup(q
, iph
, mp
, extv
, itp
);
3125 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_BAD_MSG_TYPE
);
3129 IPPH_REFRELE(iph
, ns
);
3131 /* SPD_{ADD,DELETE}RULE are worth a tunnel MTU check. */
3132 if (spmsg
->spd_msg_type
== SPD_ADDRULE
||
3133 spmsg
->spd_msg_type
== SPD_DELETERULE
)
3134 update_iptun_policy(itp
);
3135 ITP_REFRELE(itp
, ns
);
3140 * If an algorithm mapping was received before IPsec was loaded, process it.
3141 * Called from the IPsec loader.
3144 spdsock_update_pending_algs(netstack_t
*ns
)
3146 spd_stack_t
*spds
= ns
->netstack_spdsock
;
3148 mutex_enter(&spds
->spds_alg_lock
);
3149 if (spds
->spds_algs_pending
) {
3150 (void) spdsock_do_updatealg(spds
->spds_extv_algs
, spds
);
3151 spds
->spds_algs_pending
= B_FALSE
;
3153 mutex_exit(&spds
->spds_alg_lock
);
3157 spdsock_loadcheck(void *arg
)
3159 queue_t
*q
= (queue_t
*)arg
;
3160 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3162 ipsec_stack_t
*ipss
= ss
->spdsock_spds
->spds_netstack
->netstack_ipsec
;
3166 ss
->spdsock_timeout
= 0;
3167 mp
= ss
->spdsock_timeout_arg
;
3169 ss
->spdsock_timeout_arg
= NULL
;
3170 if (ipsec_failed(ipss
))
3171 spdsock_error(q
, mp
, EPROTONOSUPPORT
, 0);
3173 spdsock_parse(q
, mp
);
3177 * Copy relevant state bits.
3180 spdsock_copy_info(struct T_info_ack
*tap
, spdsock_t
*ss
)
3182 *tap
= spdsock_g_t_info_ack
;
3183 tap
->CURRENT_state
= ss
->spdsock_state
;
3184 tap
->OPT_size
= spdsock_max_optsize
;
3188 * This routine responds to T_CAPABILITY_REQ messages. It is called by
3189 * spdsock_wput. Much of the T_CAPABILITY_ACK information is copied from
3190 * spdsock_g_t_info_ack. The current state of the stream is copied from
3194 spdsock_capability_req(queue_t
*q
, mblk_t
*mp
)
3196 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3197 t_uscalar_t cap_bits1
;
3198 struct T_capability_ack
*tcap
;
3200 cap_bits1
= ((struct T_capability_req
*)mp
->b_rptr
)->CAP_bits1
;
3202 mp
= tpi_ack_alloc(mp
, sizeof (struct T_capability_ack
),
3203 mp
->b_datap
->db_type
, T_CAPABILITY_ACK
);
3207 tcap
= (struct T_capability_ack
*)mp
->b_rptr
;
3208 tcap
->CAP_bits1
= 0;
3210 if (cap_bits1
& TC1_INFO
) {
3211 spdsock_copy_info(&tcap
->INFO_ack
, ss
);
3212 tcap
->CAP_bits1
|= TC1_INFO
;
3219 * This routine responds to T_INFO_REQ messages. It is called by
3220 * spdsock_wput_other.
3221 * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack.
3222 * The current state of the stream is copied from spdsock_state.
3225 spdsock_info_req(q
, mp
)
3229 mp
= tpi_ack_alloc(mp
, sizeof (struct T_info_ack
), M_PCPROTO
,
3233 spdsock_copy_info((struct T_info_ack
*)mp
->b_rptr
,
3234 (spdsock_t
*)q
->q_ptr
);
3239 * spdsock_err_ack. This routine creates a
3240 * T_ERROR_ACK message and passes it
3244 spdsock_err_ack(q
, mp
, t_error
, sys_error
)
3250 if ((mp
= mi_tpi_err_ack_alloc(mp
, t_error
, sys_error
)) != NULL
)
3255 * This routine retrieves the current status of socket options.
3256 * It returns the size of the option retrieved.
3260 spdsock_opt_get(queue_t
*q
, int level
, int name
, uchar_t
*ptr
)
3262 int *i1
= (int *)ptr
;
3271 * The following two items can be manipulated,
3272 * but changing them should do nothing.
3275 *i1
= (int)q
->q_hiwat
;
3278 *i1
= (int)(RD(q
)->q_hiwat
);
3285 return (sizeof (int));
3289 * This routine sets socket options.
3293 spdsock_opt_set(queue_t
*q
, uint_t mgmt_flags
, int level
, int name
,
3294 uint_t inlen
, uchar_t
*invalp
, uint_t
*outlenp
, uchar_t
*outvalp
,
3295 void *thisdg_attrs
, cred_t
*cr
)
3297 int *i1
= (int *)invalp
;
3298 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3299 spd_stack_t
*spds
= ss
->spdsock_spds
;
3305 if (*i1
> spds
->spds_max_buf
)
3310 if (*i1
> spds
->spds_max_buf
)
3312 RD(q
)->q_hiwat
= *i1
;
3313 (void) proto_set_rx_hiwat(RD(q
), NULL
, *i1
);
3323 * Handle STREAMS messages.
3326 spdsock_wput_other(queue_t
*q
, mblk_t
*mp
)
3328 struct iocblk
*iocp
;
3330 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3331 spd_stack_t
*spds
= ss
->spdsock_spds
;
3334 switch (mp
->b_datap
->db_type
) {
3337 if ((mp
->b_wptr
- mp
->b_rptr
) < sizeof (long)) {
3339 "spdsock_wput_other: Not big enough M_PROTO\n"));
3343 switch (((union T_primitives
*)mp
->b_rptr
)->type
) {
3344 case T_CAPABILITY_REQ
:
3345 spdsock_capability_req(q
, mp
);
3348 spdsock_info_req(q
, mp
);
3350 case T_SVR4_OPTMGMT_REQ
:
3353 * All Solaris components should pass a db_credp
3354 * for this TPI message, hence we ASSERT.
3355 * But in case there is some other M_PROTO that looks
3356 * like a TPI message sent by some other kernel
3357 * component, we check and return an error.
3359 cr
= msg_getcred(mp
, NULL
);
3362 spdsock_err_ack(q
, mp
, TSYSERR
, EINVAL
);
3365 if (((union T_primitives
*)mp
->b_rptr
)->type
==
3366 T_SVR4_OPTMGMT_REQ
) {
3367 svr4_optcom_req(q
, mp
, cr
, &spdsock_opt_obj
);
3369 tpi_optcom_req(q
, mp
, cr
, &spdsock_opt_obj
);
3375 /* Illegal for spdsock. */
3377 (void) putnextctl1(RD(q
), M_ERROR
, EPROTO
);
3380 /* Not supported by spdsock. */
3381 spdsock_err_ack(q
, mp
, TNOTSUPPORT
, 0);
3386 iocp
= (struct iocblk
*)mp
->b_rptr
;
3389 switch (iocp
->ioc_cmd
) {
3392 if (nd_getset(q
, spds
->spds_g_nd
, mp
)) {
3399 miocnak(q
, mp
, 0, error
);
3403 if (*mp
->b_rptr
& FLUSHW
) {
3404 flushq(q
, FLUSHALL
);
3405 *mp
->b_rptr
&= ~FLUSHW
;
3407 if (*mp
->b_rptr
& FLUSHR
) {
3414 /* If fell through, just black-hole the message. */
3419 spdsock_wput(queue_t
*q
, mblk_t
*mp
)
3421 uint8_t *rptr
= mp
->b_rptr
;
3423 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3424 spd_stack_t
*spds
= ss
->spdsock_spds
;
3427 * If we're dumping, defer processing other messages until the
3430 if (ss
->spdsock_dump_req
!= NULL
) {
3436 switch (mp
->b_datap
->db_type
) {
3441 ss2dbg(spds
, ("raw M_DATA in spdsock.\n"));
3446 if ((mp
->b_wptr
- rptr
) >= sizeof (struct T_data_req
)) {
3447 if (((union T_primitives
*)rptr
)->type
== T_DATA_REQ
) {
3448 if ((mp1
= mp
->b_cont
) == NULL
) {
3449 /* No data after T_DATA_REQ. */
3451 ("No data after DATA_REQ.\n"));
3457 ss2dbg(spds
, ("T_DATA_REQ\n"));
3458 break; /* Out of switch. */
3463 ss3dbg(spds
, ("In default wput case (%d %d).\n",
3464 mp
->b_datap
->db_type
, ((union T_primitives
*)rptr
)->type
));
3465 spdsock_wput_other(q
, mp
);
3469 /* I now have a PF_POLICY message in an M_DATA block. */
3470 spdsock_parse(q
, mp
);
3474 * Device open procedure, called when new queue pair created.
3475 * We are passed the read-side queue.
3479 spdsock_open(queue_t
*q
, dev_t
*devp
, int flag
, int sflag
, cred_t
*credp
)
3482 queue_t
*oq
= OTHERQ(q
);
3487 if (secpolicy_ip_config(credp
, B_FALSE
) != 0)
3490 if (q
->q_ptr
!= NULL
)
3491 return (0); /* Re-open of an already open instance. */
3493 if (sflag
& MODOPEN
)
3496 ns
= netstack_find_by_cred(credp
);
3498 spds
= ns
->netstack_spdsock
;
3499 ASSERT(spds
!= NULL
);
3501 ss2dbg(spds
, ("Made it into PF_POLICY socket open.\n"));
3503 ssminor
= (minor_t
)(uintptr_t)vmem_alloc(spdsock_vmem
, 1, VM_NOSLEEP
);
3505 netstack_rele(spds
->spds_netstack
);
3508 ss
= kmem_zalloc(sizeof (spdsock_t
), KM_NOSLEEP
);
3510 vmem_free(spdsock_vmem
, (void *)(uintptr_t)ssminor
, 1);
3511 netstack_rele(spds
->spds_netstack
);
3515 ss
->spdsock_minor
= ssminor
;
3516 ss
->spdsock_state
= TS_UNBND
;
3517 ss
->spdsock_dump_req
= NULL
;
3519 ss
->spdsock_spds
= spds
;
3524 q
->q_hiwat
= spds
->spds_recv_hiwat
;
3526 oq
->q_hiwat
= spds
->spds_xmit_hiwat
;
3527 oq
->q_lowat
= spds
->spds_xmit_lowat
;
3530 (void) proto_set_rx_hiwat(q
, NULL
, spds
->spds_recv_hiwat
);
3532 *devp
= makedevice(getmajor(*devp
), ss
->spdsock_minor
);
3537 * Read-side service procedure, invoked when we get back-enabled
3538 * when buffer space becomes available.
3540 * Dump another chunk if we were dumping before; when we finish, kick
3541 * the write-side queue in case it's waiting for read queue space.
3544 spdsock_rsrv(queue_t
*q
)
3546 spdsock_t
*ss
= q
->q_ptr
;
3548 if (ss
->spdsock_dump_req
!= NULL
)
3549 spdsock_dump_some(q
, ss
);
3551 if (ss
->spdsock_dump_req
== NULL
)
3556 * Write-side service procedure, invoked when we defer processing
3557 * if another message is received while a dump is in progress.
3560 spdsock_wsrv(queue_t
*q
)
3562 spdsock_t
*ss
= q
->q_ptr
;
3564 ipsec_stack_t
*ipss
= ss
->spdsock_spds
->spds_netstack
->netstack_ipsec
;
3566 if (ss
->spdsock_dump_req
!= NULL
) {
3571 while ((mp
= getq(q
)) != NULL
) {
3572 if (ipsec_loaded(ipss
)) {
3573 spdsock_wput(q
, mp
);
3574 if (ss
->spdsock_dump_req
!= NULL
)
3576 } else if (!ipsec_failed(ipss
)) {
3579 spdsock_error(q
, mp
, EPFNOSUPPORT
, 0);
3585 spdsock_close(queue_t
*q
)
3587 spdsock_t
*ss
= q
->q_ptr
;
3588 spd_stack_t
*spds
= ss
->spdsock_spds
;
3592 /* Safe assumption. */
3595 if (ss
->spdsock_timeout
!= 0)
3596 (void) quntimeout(q
, ss
->spdsock_timeout
);
3598 ss3dbg(spds
, ("Driver close, PF_POLICY socket is going away.\n"));
3600 vmem_free(spdsock_vmem
, (void *)(uintptr_t)ss
->spdsock_minor
, 1);
3601 netstack_rele(ss
->spdsock_spds
->spds_netstack
);
3603 kmem_free(ss
, sizeof (spdsock_t
));
3608 * Merge the IPsec algorithms tables with the received algorithm information.
3611 spdsock_merge_algs(spd_stack_t
*spds
)
3613 ipsec_alginfo_t
*alg
, *oalg
;
3614 ipsec_algtype_t algtype
;
3615 uint_t algidx
, algid
, nalgs
;
3616 crypto_mech_name_t
*mechs
;
3617 uint_t mech_count
, mech_idx
;
3618 netstack_t
*ns
= spds
->spds_netstack
;
3619 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
3621 ASSERT(MUTEX_HELD(&spds
->spds_alg_lock
));
3624 * Get the list of supported mechanisms from the crypto framework.
3625 * If a mechanism is supported by KCF, resolve its mechanism
3626 * id and mark it as being valid. This operation must be done
3627 * without holding alg_lock, since it can cause a provider
3628 * module to be loaded and the provider notification callback to
3631 mechs
= crypto_get_mech_list(&mech_count
, KM_SLEEP
);
3632 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
3633 for (algid
= 0; algid
< IPSEC_MAX_ALGS
; algid
++) {
3635 crypto_mech_type_t mt
= CRYPTO_MECHANISM_INVALID
;
3637 alg
= spds
->spds_algs
[algtype
][algid
];
3642 * The NULL encryption algorithm is a special
3643 * case because there are no mechanisms, yet
3644 * the algorithm is still valid.
3646 if (alg
->alg_id
== SADB_EALG_NULL
) {
3647 alg
->alg_mech_type
= CRYPTO_MECHANISM_INVALID
;
3648 alg
->alg_flags
|= ALG_FLAG_VALID
;
3652 for (mech_idx
= 0; mech_idx
< mech_count
; mech_idx
++) {
3653 if (strncmp(alg
->alg_mech_name
, mechs
[mech_idx
],
3654 CRYPTO_MAX_MECH_NAME
) == 0) {
3655 mt
= crypto_mech2id(alg
->alg_mech_name
);
3656 ASSERT(mt
!= CRYPTO_MECHANISM_INVALID
);
3657 algflags
= ALG_FLAG_VALID
;
3661 alg
->alg_mech_type
= mt
;
3662 alg
->alg_flags
|= algflags
;
3666 mutex_enter(&ipss
->ipsec_alg_lock
);
3669 * For each algorithm currently defined, check if it is
3670 * present in the new tables created from the SPD_UPDATEALGS
3671 * message received from user-space.
3672 * Delete the algorithm entries that are currently defined
3673 * but not part of the new tables.
3675 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
3676 nalgs
= ipss
->ipsec_nalgs
[algtype
];
3677 for (algidx
= 0; algidx
< nalgs
; algidx
++) {
3678 algid
= ipss
->ipsec_sortlist
[algtype
][algidx
];
3679 if (spds
->spds_algs
[algtype
][algid
] == NULL
)
3680 ipsec_alg_unreg(algtype
, algid
, ns
);
3685 * For each algorithm we just received, check if it is
3686 * present in the currently defined tables. If it is, swap
3687 * the entry with the one we just allocated.
3688 * If the new algorithm is not in the current tables,
3691 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
3692 for (algid
= 0; algid
< IPSEC_MAX_ALGS
; algid
++) {
3693 alg
= spds
->spds_algs
[algtype
][algid
];
3697 if ((oalg
= ipss
->ipsec_alglists
[algtype
][algid
]) ==
3700 * New algorithm, add it to the algorithm
3703 ipsec_alg_reg(algtype
, alg
, ns
);
3706 * Algorithm is already in the table. Swap
3707 * the existing entry with the new one.
3709 ipsec_alg_fix_min_max(alg
, algtype
, ns
);
3710 ipss
->ipsec_alglists
[algtype
][algid
] = alg
;
3711 ipsec_alg_free(oalg
);
3713 spds
->spds_algs
[algtype
][algid
] = NULL
;
3717 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
3718 ipss
->ipsec_algs_exec_mode
[algtype
] =
3719 spds
->spds_algs_exec_mode
[algtype
];
3722 mutex_exit(&ipss
->ipsec_alg_lock
);
3724 crypto_free_mech_list(mechs
, mech_count
);
3726 ipsecah_algs_changed(ns
);
3727 ipsecesp_algs_changed(ns
);