search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
6877528 flushing tunnel policy doesn't bump tunnel link MTU
[illumos-gate.git] / usr / src / uts / common / inet / ip / spdsock.c
blob1ff0cff31d11a16a064185595aeb02dc83180bc0
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 #include <sys/param.h>
27 #include <sys/types.h>
28 #include <sys/stream.h>
29 #include <sys/strsubr.h>
30 #include <sys/strsun.h>
31 #include <sys/stropts.h>
32 #include <sys/zone.h>
33 #include <sys/vnode.h>
34 #include <sys/sysmacros.h>
35 #define _SUN_TPI_VERSION 2
36 #include <sys/tihdr.h>
37 #include <sys/ddi.h>
38 #include <sys/sunddi.h>
39 #include <sys/mkdev.h>
40 #include <sys/debug.h>
41 #include <sys/kmem.h>
42 #include <sys/cmn_err.h>
43 #include <sys/suntpi.h>
44 #include <sys/policy.h>
45 #include <sys/dls.h>
46
47 #include <sys/socket.h>
48 #include <netinet/in.h>
49 #include <net/pfkeyv2.h>
50 #include <net/pfpolicy.h>
51
52 #include <inet/common.h>
53 #include <netinet/ip6.h>
54 #include <inet/ip.h>
55 #include <inet/ip6.h>
56 #include <inet/mi.h>
57 #include <inet/proto_set.h>
58 #include <inet/nd.h>
59 #include <inet/ip_if.h>
60 #include <inet/optcom.h>
61 #include <inet/ipsec_impl.h>
62 #include <inet/spdsock.h>
63 #include <inet/sadb.h>
64 #include <inet/iptun.h>
65 #include <inet/iptun/iptun_impl.h>
66
67 #include <sys/isa_defs.h>
68
69 #include <c2/audit.h>
70
71 /*
72 * This is a transport provider for the PF_POLICY IPsec policy
73 * management socket, which provides a management interface into the
74 * SPD, allowing policy rules to be added, deleted, and queried.
75 *
76 * This effectively replaces the old private SIOC*IPSECONFIG ioctls
77 * with an extensible interface which will hopefully be public some
78 * day.
79 *
80 * See <net/pfpolicy.h> for more details on the protocol.
81 *
82 * We link against drv/ip and call directly into it to manipulate the
83 * SPD; see ipsec_impl.h for the policy data structures and spd.c for
84 * the code which maintains them.
85 *
86 * The MT model of this is QPAIR with the addition of some explicit
87 * locking to protect system-wide policy data structures.
88 */
89
90 static vmem_t *spdsock_vmem; /* for minor numbers. */
91
92 #define ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t))
93
94 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */
95 static struct T_info_ack spdsock_g_t_info_ack = {
96 T_INFO_ACK,
97 T_INFINITE, /* TSDU_size. Maximum size messages. */
98 T_INVALID, /* ETSDU_size. No expedited data. */
99 T_INVALID, /* CDATA_size. No connect data. */
100 T_INVALID, /* DDATA_size. No disconnect data. */
101 0, /* ADDR_size. */
102 0, /* OPT_size. No user-settable options */
103 64 * 1024, /* TIDU_size. spdsock allows maximum size messages. */
104 T_COTS, /* SERV_type. spdsock supports connection oriented. */
105 TS_UNBND, /* CURRENT_state. This is set from spdsock_state. */
106 (XPG4_1) /* Provider flags */
107 };
108
109 /* Named Dispatch Parameter Management Structure */
110 typedef struct spdsockparam_s {
111 uint_t spdsock_param_min;
112 uint_t spdsock_param_max;
113 uint_t spdsock_param_value;
114 char *spdsock_param_name;
115 } spdsockparam_t;
116
117 /*
118 * Table of NDD variables supported by spdsock. These are loaded into
119 * spdsock_g_nd in spdsock_init_nd.
120 * All of these are alterable, within the min/max values given, at run time.
121 */
122 static spdsockparam_t lcl_param_arr[] = {
123 /* min max value name */
124 { 4096, 65536, 8192, "spdsock_xmit_hiwat"},
125 { 0, 65536, 1024, "spdsock_xmit_lowat"},
126 { 4096, 65536, 8192, "spdsock_recv_hiwat"},
127 { 65536, 1024*1024*1024, 256*1024, "spdsock_max_buf"},
128 { 0, 3, 0, "spdsock_debug"},
129 };
130 #define spds_xmit_hiwat spds_params[0].spdsock_param_value
131 #define spds_xmit_lowat spds_params[1].spdsock_param_value
132 #define spds_recv_hiwat spds_params[2].spdsock_param_value
133 #define spds_max_buf spds_params[3].spdsock_param_value
134 #define spds_debug spds_params[4].spdsock_param_value
135
136 #define ss0dbg(a) printf a
137 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */
138 #define ss1dbg(spds, a) if (spds->spds_debug != 0) printf a
139 #define ss2dbg(spds, a) if (spds->spds_debug > 1) printf a
140 #define ss3dbg(spds, a) if (spds->spds_debug > 2) printf a
141
142 #define RESET_SPDSOCK_DUMP_POLHEAD(ss, iph) { \
143 ASSERT(RW_READ_HELD(&(iph)->iph_lock)); \
144 (ss)->spdsock_dump_head = (iph); \
145 (ss)->spdsock_dump_gen = (iph)->iph_gen; \
146 (ss)->spdsock_dump_cur_type = 0; \
147 (ss)->spdsock_dump_cur_af = IPSEC_AF_V4; \
148 (ss)->spdsock_dump_cur_rule = NULL; \
149 (ss)->spdsock_dump_count = 0; \
150 (ss)->spdsock_dump_cur_chain = 0; \
151 }
152
153 static int spdsock_close(queue_t *);
154 static int spdsock_open(queue_t *, dev_t *, int, int, cred_t *);
155 static void spdsock_wput(queue_t *, mblk_t *);
156 static void spdsock_wsrv(queue_t *);
157 static void spdsock_rsrv(queue_t *);
158 static void *spdsock_stack_init(netstackid_t stackid, netstack_t *ns);
159 static void spdsock_stack_fini(netstackid_t stackid, void *arg);
160 static void spdsock_loadcheck(void *);
161 static void spdsock_merge_algs(spd_stack_t *);
162 static void spdsock_flush_one(ipsec_policy_head_t *, netstack_t *);
163 static mblk_t *spdsock_dump_next_record(spdsock_t *);
164 static void update_iptun_policy(ipsec_tun_pol_t *);
165
166 static struct module_info info = {
167 5138, "spdsock", 1, INFPSZ, 512, 128
168 };
169
170 static struct qinit rinit = {
171 NULL, (pfi_t)spdsock_rsrv, spdsock_open, spdsock_close,
172 NULL, &info
173 };
174
175 static struct qinit winit = {
176 (pfi_t)spdsock_wput, (pfi_t)spdsock_wsrv, NULL, NULL, NULL, &info
177 };
178
179 struct streamtab spdsockinfo = {
180 &rinit, &winit
181 };
182
183 /* mapping from alg type to protocol number, as per RFC 2407 */
184 static const uint_t algproto[] = {
185 PROTO_IPSEC_AH,
186 PROTO_IPSEC_ESP,
187 };
188
189 #define NALGPROTOS (sizeof (algproto) / sizeof (algproto[0]))
190
191 /* mapping from kernel exec mode to spdsock exec mode */
192 static const uint_t execmodes[] = {
193 SPD_ALG_EXEC_MODE_SYNC,
194 SPD_ALG_EXEC_MODE_ASYNC
195 };
196
197 #define NEXECMODES (sizeof (execmodes) / sizeof (execmodes[0]))
198
199 #define ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1)
200 #define ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2)
201
202 #define ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL)
203
204 /* ARGSUSED */
205 static int
206 spdsock_param_get(q, mp, cp, cr)
207 queue_t *q;
208 mblk_t *mp;
209 caddr_t cp;
210 cred_t *cr;
211 {
212 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp;
213 uint_t value;
214 spdsock_t *ss = (spdsock_t *)q->q_ptr;
215 spd_stack_t *spds = ss->spdsock_spds;
216
217 mutex_enter(&spds->spds_param_lock);
218 value = spdsockpa->spdsock_param_value;
219 mutex_exit(&spds->spds_param_lock);
220
221 (void) mi_mpprintf(mp, "%u", value);
222 return (0);
223 }
224
225 /* This routine sets an NDD variable in a spdsockparam_t structure. */
226 /* ARGSUSED */
227 static int
228 spdsock_param_set(q, mp, value, cp, cr)
229 queue_t *q;
230 mblk_t *mp;
231 char *value;
232 caddr_t cp;
233 cred_t *cr;
234 {
235 ulong_t new_value;
236 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp;
237 spdsock_t *ss = (spdsock_t *)q->q_ptr;
238 spd_stack_t *spds = ss->spdsock_spds;
239
240 /* Convert the value from a string into a long integer. */
241 if (ddi_strtoul(value, NULL, 10, &new_value) != 0)
242 return (EINVAL);
243
244 mutex_enter(&spds->spds_param_lock);
245 /*
246 * Fail the request if the new value does not lie within the
247 * required bounds.
248 */
249 if (new_value < spdsockpa->spdsock_param_min ||
250 new_value > spdsockpa->spdsock_param_max) {
251 mutex_exit(&spds->spds_param_lock);
252 return (EINVAL);
253 }
254
255 /* Set the new value */
256 spdsockpa->spdsock_param_value = new_value;
257 mutex_exit(&spds->spds_param_lock);
258
259 return (0);
260 }
261
262 /*
263 * Initialize at module load time
264 */
265 boolean_t
266 spdsock_ddi_init(void)
267 {
268 spdsock_max_optsize = optcom_max_optsize(
269 spdsock_opt_obj.odb_opt_des_arr, spdsock_opt_obj.odb_opt_arr_cnt);
270
271 spdsock_vmem = vmem_create("spdsock", (void *)1, MAXMIN, 1,
272 NULL, NULL, NULL, 1, VM_SLEEP | VMC_IDENTIFIER);
273
274 /*
275 * We want to be informed each time a stack is created or
276 * destroyed in the kernel, so we can maintain the
277 * set of spd_stack_t's.
278 */
279 netstack_register(NS_SPDSOCK, spdsock_stack_init, NULL,
280 spdsock_stack_fini);
281
282 return (B_TRUE);
283 }
284
285 /*
286 * Walk through the param array specified registering each element with the
287 * named dispatch handler.
288 */
289 static boolean_t
290 spdsock_param_register(IDP *ndp, spdsockparam_t *ssp, int cnt)
291 {
292 for (; cnt-- > 0; ssp++) {
293 if (ssp->spdsock_param_name != NULL &&
294 ssp->spdsock_param_name[0]) {
295 if (!nd_load(ndp,
296 ssp->spdsock_param_name,
297 spdsock_param_get, spdsock_param_set,
298 (caddr_t)ssp)) {
299 nd_free(ndp);
300 return (B_FALSE);
301 }
302 }
303 }
304 return (B_TRUE);
305 }
306
307 /*
308 * Initialize for each stack instance
309 */
310 /* ARGSUSED */
311 static void *
312 spdsock_stack_init(netstackid_t stackid, netstack_t *ns)
313 {
314 spd_stack_t *spds;
315 spdsockparam_t *ssp;
316
317 spds = (spd_stack_t *)kmem_zalloc(sizeof (*spds), KM_SLEEP);
318 spds->spds_netstack = ns;
319
320 ASSERT(spds->spds_g_nd == NULL);
321
322 ssp = (spdsockparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP);
323 spds->spds_params = ssp;
324 bcopy(lcl_param_arr, ssp, sizeof (lcl_param_arr));
325
326 (void) spdsock_param_register(&spds->spds_g_nd, ssp,
327 A_CNT(lcl_param_arr));
328
329 mutex_init(&spds->spds_param_lock, NULL, MUTEX_DEFAULT, NULL);
330 mutex_init(&spds->spds_alg_lock, NULL, MUTEX_DEFAULT, NULL);
331
332 return (spds);
333 }
334
335 void
336 spdsock_ddi_destroy(void)
337 {
338 vmem_destroy(spdsock_vmem);
339
340 netstack_unregister(NS_SPDSOCK);
341 }
342
343 /* ARGSUSED */
344 static void
345 spdsock_stack_fini(netstackid_t stackid, void *arg)
346 {
347 spd_stack_t *spds = (spd_stack_t *)arg;
348
349 freemsg(spds->spds_mp_algs);
350 mutex_destroy(&spds->spds_param_lock);
351 mutex_destroy(&spds->spds_alg_lock);
352 nd_free(&spds->spds_g_nd);
353 kmem_free(spds->spds_params, sizeof (lcl_param_arr));
354 spds->spds_params = NULL;
355
356 kmem_free(spds, sizeof (*spds));
357 }
358
359 /*
360 * NOTE: large quantities of this should be shared with keysock.
361 * Would be nice to combine some of this into a common module, but
362 * not possible given time pressures.
363 */
364
365 /*
366 * High-level reality checking of extensions.
367 */
368 /* ARGSUSED */ /* XXX */
369 static boolean_t
370 ext_check(spd_ext_t *ext)
371 {
372 spd_if_t *tunname = (spd_if_t *)ext;
373 int i;
374 char *idstr;
375
376 if (ext->spd_ext_type == SPD_EXT_TUN_NAME) {
377 /* (NOTE: Modified from SADB_EXT_IDENTITY..) */
378
379 /*
380 * Make sure the strings in these identities are
381 * null-terminated. Let's "proactively" null-terminate the
382 * string at the last byte if it's not terminated sooner.
383 */
384 i = SPD_64TO8(tunname->spd_if_len) - sizeof (spd_if_t);
385 idstr = (char *)(tunname + 1);
386 while (*idstr != '\0' && i > 0) {
387 i--;
388 idstr++;
389 }
390 if (i == 0) {
391 /*
392 * I.e., if the bozo user didn't NULL-terminate the
393 * string...
394 */
395 idstr--;
396 *idstr = '\0';
397 }
398 }
399 return (B_TRUE); /* For now... */
400 }
401
402
403
404 /* Return values for spdsock_get_ext(). */
405 #define KGE_OK 0
406 #define KGE_DUP 1
407 #define KGE_UNK 2
408 #define KGE_LEN 3
409 #define KGE_CHK 4
410
411 /*
412 * Parse basic extension headers and return in the passed-in pointer vector.
413 * Return values include:
414 *
415 * KGE_OK Everything's nice and parsed out.
416 * If there are no extensions, place NULL in extv[0].
417 * KGE_DUP There is a duplicate extension.
418 * First instance in appropriate bin. First duplicate in
419 * extv[0].
420 * KGE_UNK Unknown extension type encountered. extv[0] contains
421 * unknown header.
422 * KGE_LEN Extension length error.
423 * KGE_CHK High-level reality check failed on specific extension.
424 *
425 * My apologies for some of the pointer arithmetic in here. I'm thinking
426 * like an assembly programmer, yet trying to make the compiler happy.
427 */
428 static int
429 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize)
430 {
431 bzero(extv, sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1));
432
433 /* Use extv[0] as the "current working pointer". */
434
435 extv[0] = (spd_ext_t *)(basehdr + 1);
436
437 while (extv[0] < (spd_ext_t *)(((uint8_t *)basehdr) + msgsize)) {
438 /* Check for unknown headers. */
439 if (extv[0]->spd_ext_type == 0 ||
440 extv[0]->spd_ext_type > SPD_EXT_MAX)
441 return (KGE_UNK);
442
443 /*
444 * Check length. Use uint64_t because extlen is in units
445 * of 64-bit words. If length goes beyond the msgsize,
446 * return an error. (Zero length also qualifies here.)
447 */
448 if (extv[0]->spd_ext_len == 0 ||
449 (void *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) >
450 (void *)((uint8_t *)basehdr + msgsize))
451 return (KGE_LEN);
452
453 /* Check for redundant headers. */
454 if (extv[extv[0]->spd_ext_type] != NULL)
455 return (KGE_DUP);
456
457 /*
458 * Reality check the extension if possible at the spdsock
459 * level.
460 */
461 if (!ext_check(extv[0]))
462 return (KGE_CHK);
463
464 /* If I make it here, assign the appropriate bin. */
465 extv[extv[0]->spd_ext_type] = extv[0];
466
467 /* Advance pointer (See above for uint64_t ptr reasoning.) */
468 extv[0] = (spd_ext_t *)
469 ((uint64_t *)extv[0] + extv[0]->spd_ext_len);
470 }
471
472 /* Everything's cool. */
473
474 /*
475 * If extv[0] == NULL, then there are no extension headers in this
476 * message. Ensure that this is the case.
477 */
478 if (extv[0] == (spd_ext_t *)(basehdr + 1))
479 extv[0] = NULL;
480
481 return (KGE_OK);
482 }
483
484 static const int bad_ext_diag[] = {
485 SPD_DIAGNOSTIC_MALFORMED_LCLPORT,
486 SPD_DIAGNOSTIC_MALFORMED_REMPORT,
487 SPD_DIAGNOSTIC_MALFORMED_PROTO,
488 SPD_DIAGNOSTIC_MALFORMED_LCLADDR,
489 SPD_DIAGNOSTIC_MALFORMED_REMADDR,
490 SPD_DIAGNOSTIC_MALFORMED_ACTION,
491 SPD_DIAGNOSTIC_MALFORMED_RULE,
492 SPD_DIAGNOSTIC_MALFORMED_RULESET,
493 SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE
494 };
495
496 static const int dup_ext_diag[] = {
497 SPD_DIAGNOSTIC_DUPLICATE_LCLPORT,
498 SPD_DIAGNOSTIC_DUPLICATE_REMPORT,
499 SPD_DIAGNOSTIC_DUPLICATE_PROTO,
500 SPD_DIAGNOSTIC_DUPLICATE_LCLADDR,
501 SPD_DIAGNOSTIC_DUPLICATE_REMADDR,
502 SPD_DIAGNOSTIC_DUPLICATE_ACTION,
503 SPD_DIAGNOSTIC_DUPLICATE_RULE,
504 SPD_DIAGNOSTIC_DUPLICATE_RULESET,
505 SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE
506 };
507
508 /*
509 * Transmit a PF_POLICY error message to the instance either pointed to
510 * by ks, the instance with serial number serial, or more, depending.
511 *
512 * The faulty message (or a reasonable facsimile thereof) is in mp.
513 * This function will free mp or recycle it for delivery, thereby causing
514 * the stream head to free it.
515 */
516 static void
517 spdsock_error(queue_t *q, mblk_t *mp, int error, int diagnostic)
518 {
519 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
520
521 ASSERT(mp->b_datap->db_type == M_DATA);
522
523 if (spmsg->spd_msg_type < SPD_MIN ||
524 spmsg->spd_msg_type > SPD_MAX)
525 spmsg->spd_msg_type = SPD_RESERVED;
526
527 /*
528 * Strip out extension headers.
529 */
530 ASSERT(mp->b_rptr + sizeof (*spmsg) <= mp->b_datap->db_lim);
531 mp->b_wptr = mp->b_rptr + sizeof (*spmsg);
532 spmsg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t));
533 spmsg->spd_msg_errno = (uint8_t)error;
534 spmsg->spd_msg_diagnostic = (uint16_t)diagnostic;
535
536 qreply(q, mp);
537 }
538
539 static void
540 spdsock_diag(queue_t *q, mblk_t *mp, int diagnostic)
541 {
542 spdsock_error(q, mp, EINVAL, diagnostic);
543 }
544
545 static void
546 spd_echo(queue_t *q, mblk_t *mp)
547 {
548 qreply(q, mp);
549 }
550
551 /*
552 * Do NOT consume a reference to itp.
553 */
554 /*ARGSUSED*/
555 static void
556 spdsock_flush_node(ipsec_tun_pol_t *itp, void *cookie, netstack_t *ns)
557 {
558 boolean_t active = (boolean_t)cookie;
559 ipsec_policy_head_t *iph;
560
561 iph = active ? itp->itp_policy : itp->itp_inactive;
562 IPPH_REFHOLD(iph);
563 mutex_enter(&itp->itp_lock);
564 spdsock_flush_one(iph, ns); /* Releases iph refhold. */
565 if (active)
566 itp->itp_flags &= ~ITPF_PFLAGS;
567 else
568 itp->itp_flags &= ~ITPF_IFLAGS;
569 mutex_exit(&itp->itp_lock);
570 /* SPD_FLUSH is worth a tunnel MTU check. */
571 update_iptun_policy(itp);
572 }
573
574 /*
575 * Clear out one polhead.
576 */
577 static void
578 spdsock_flush_one(ipsec_policy_head_t *iph, netstack_t *ns)
579 {
580 rw_enter(&iph->iph_lock, RW_WRITER);
581 ipsec_polhead_flush(iph, ns);
582 rw_exit(&iph->iph_lock);
583 IPPH_REFRELE(iph, ns);
584 }
585
586 static void
587 spdsock_flush(queue_t *q, ipsec_policy_head_t *iph, ipsec_tun_pol_t *itp,
588 mblk_t *mp)
589 {
590 boolean_t active;
591 spdsock_t *ss = (spdsock_t *)q->q_ptr;
592 netstack_t *ns = ss->spdsock_spds->spds_netstack;
593
594 if (iph != ALL_ACTIVE_POLHEADS && iph != ALL_INACTIVE_POLHEADS) {
595 spdsock_flush_one(iph, ns);
596 if (audit_active) {
597 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
598 cred_t *cr;
599 pid_t cpid;
600
601 cr = msg_getcred(mp, &cpid);
602 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
603 audit_pf_policy(SPD_FLUSH, cr, ns,
604 ITP_NAME(itp), active, 0, cpid);
605 }
606 } else {
607 active = (iph == ALL_ACTIVE_POLHEADS);
608
609 /* First flush the global policy. */
610 spdsock_flush_one(active ? ipsec_system_policy(ns) :
611 ipsec_inactive_policy(ns), ns);
612 if (audit_active) {
613 cred_t *cr;
614 pid_t cpid;
615
616 cr = msg_getcred(mp, &cpid);
617 audit_pf_policy(SPD_FLUSH, cr, ns, NULL,
618 active, 0, cpid);
619 }
620 /* Then flush every tunnel's appropriate one. */
621 itp_walk(spdsock_flush_node, (void *)active, ns);
622 if (audit_active) {
623 cred_t *cr;
624 pid_t cpid;
625
626 cr = msg_getcred(mp, &cpid);
627 audit_pf_policy(SPD_FLUSH, cr, ns,
628 "all tunnels", active, 0, cpid);
629 }
630 }
631
632 spd_echo(q, mp);
633 }
634
635 static boolean_t
636 spdsock_ext_to_sel(spd_ext_t **extv, ipsec_selkey_t *sel, int *diag)
637 {
638 bzero(sel, sizeof (*sel));
639
640 if (extv[SPD_EXT_PROTO] != NULL) {
641 struct spd_proto *pr =
642 (struct spd_proto *)extv[SPD_EXT_PROTO];
643 sel->ipsl_proto = pr->spd_proto_number;
644 sel->ipsl_valid |= IPSL_PROTOCOL;
645 }
646 if (extv[SPD_EXT_LCLPORT] != NULL) {
647 struct spd_portrange *pr =
648 (struct spd_portrange *)extv[SPD_EXT_LCLPORT];
649 sel->ipsl_lport = pr->spd_ports_minport;
650 sel->ipsl_valid |= IPSL_LOCAL_PORT;
651 }
652 if (extv[SPD_EXT_REMPORT] != NULL) {
653 struct spd_portrange *pr =
654 (struct spd_portrange *)extv[SPD_EXT_REMPORT];
655 sel->ipsl_rport = pr->spd_ports_minport;
656 sel->ipsl_valid |= IPSL_REMOTE_PORT;
657 }
658
659 if (extv[SPD_EXT_ICMP_TYPECODE] != NULL) {
660 struct spd_typecode *tc=
661 (struct spd_typecode *)extv[SPD_EXT_ICMP_TYPECODE];
662
663 sel->ipsl_valid |= IPSL_ICMP_TYPE;
664 sel->ipsl_icmp_type = tc->spd_typecode_type;
665 if (tc->spd_typecode_type_end < tc->spd_typecode_type)
666 sel->ipsl_icmp_type_end = tc->spd_typecode_type;
667 else
668 sel->ipsl_icmp_type_end = tc->spd_typecode_type_end;
669
670 if (tc->spd_typecode_code != 255) {
671 sel->ipsl_valid |= IPSL_ICMP_CODE;
672 sel->ipsl_icmp_code = tc->spd_typecode_code;
673 if (tc->spd_typecode_code_end < tc->spd_typecode_code)
674 sel->ipsl_icmp_code_end = tc->spd_typecode_code;
675 else
676 sel->ipsl_icmp_code_end =
677 tc->spd_typecode_code_end;
678 }
679 }
680 #define ADDR2SEL(sel, extv, field, pfield, extn, bit) \
681 if ((extv)[(extn)] != NULL) { \
682 uint_t addrlen; \
683 struct spd_address *ap = \
684 (struct spd_address *)((extv)[(extn)]); \
685 addrlen = (ap->spd_address_af == AF_INET6) ? \
686 IPV6_ADDR_LEN : IP_ADDR_LEN; \
687 if (SPD_64TO8(ap->spd_address_len) < \
688 (addrlen + sizeof (*ap))) { \
689 *diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN; \
690 return (B_FALSE); \
691 } \
692 bcopy((ap+1), &((sel)->field), addrlen); \
693 (sel)->pfield = ap->spd_address_prefixlen; \
694 (sel)->ipsl_valid |= (bit); \
695 (sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ? \
696 IPSL_IPV6 : IPSL_IPV4; \
697 }
698
699 ADDR2SEL(sel, extv, ipsl_local, ipsl_local_pfxlen,
700 SPD_EXT_LCLADDR, IPSL_LOCAL_ADDR);
701 ADDR2SEL(sel, extv, ipsl_remote, ipsl_remote_pfxlen,
702 SPD_EXT_REMADDR, IPSL_REMOTE_ADDR);
703
704 if ((sel->ipsl_valid & (IPSL_IPV6|IPSL_IPV4)) ==
705 (IPSL_IPV6|IPSL_IPV4)) {
706 *diag = SPD_DIAGNOSTIC_MIXED_AF;
707 return (B_FALSE);
708 }
709
710 #undef ADDR2SEL
711
712 return (B_TRUE);
713 }
714
715 static boolean_t
716 spd_convert_type(uint32_t type, ipsec_act_t *act)
717 {
718 switch (type) {
719 case SPD_ACTTYPE_DROP:
720 act->ipa_type = IPSEC_ACT_DISCARD;
721 return (B_TRUE);
722
723 case SPD_ACTTYPE_PASS:
724 act->ipa_type = IPSEC_ACT_CLEAR;
725 return (B_TRUE);
726
727 case SPD_ACTTYPE_IPSEC:
728 act->ipa_type = IPSEC_ACT_APPLY;
729 return (B_TRUE);
730 }
731 return (B_FALSE);
732 }
733
734 static boolean_t
735 spd_convert_flags(uint32_t flags, ipsec_act_t *act)
736 {
737 /*
738 * Note use of !! for boolean canonicalization.
739 */
740 act->ipa_apply.ipp_use_ah = !!(flags & SPD_APPLY_AH);
741 act->ipa_apply.ipp_use_esp = !!(flags & SPD_APPLY_ESP);
742 act->ipa_apply.ipp_use_espa = !!(flags & SPD_APPLY_ESPA);
743 act->ipa_apply.ipp_use_se = !!(flags & SPD_APPLY_SE);
744 act->ipa_apply.ipp_use_unique = !!(flags & SPD_APPLY_UNIQUE);
745 return (B_TRUE);
746 }
747
748 static void
749 spdsock_reset_act(ipsec_act_t *act)
750 {
751 bzero(act, sizeof (*act));
752 act->ipa_apply.ipp_espe_maxbits = IPSEC_MAX_KEYBITS;
753 act->ipa_apply.ipp_espa_maxbits = IPSEC_MAX_KEYBITS;
754 act->ipa_apply.ipp_ah_maxbits = IPSEC_MAX_KEYBITS;
755 }
756
757 /*
758 * Sanity check action against reality, and shrink-wrap key sizes..
759 */
760 static boolean_t
761 spdsock_check_action(ipsec_act_t *act, boolean_t tunnel_polhead, int *diag,
762 spd_stack_t *spds)
763 {
764 if (tunnel_polhead && act->ipa_apply.ipp_use_unique) {
765 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
766 return (B_FALSE);
767 }
768 if ((act->ipa_type != IPSEC_ACT_APPLY) &&
769 (act->ipa_apply.ipp_use_ah ||
770 act->ipa_apply.ipp_use_esp ||
771 act->ipa_apply.ipp_use_espa ||
772 act->ipa_apply.ipp_use_se ||
773 act->ipa_apply.ipp_use_unique)) {
774 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
775 return (B_FALSE);
776 }
777 if ((act->ipa_type == IPSEC_ACT_APPLY) &&
778 !act->ipa_apply.ipp_use_ah &&
779 !act->ipa_apply.ipp_use_esp) {
780 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
781 return (B_FALSE);
782 }
783 return (ipsec_check_action(act, diag, spds->spds_netstack));
784 }
785
786 /*
787 * We may be short a few error checks here..
788 */
789 static boolean_t
790 spdsock_ext_to_actvec(spd_ext_t **extv, ipsec_act_t **actpp, uint_t *nactp,
791 int *diag, spd_stack_t *spds)
792 {
793 struct spd_ext_actions *sactp =
794 (struct spd_ext_actions *)extv[SPD_EXT_ACTION];
795 ipsec_act_t act, *actp, *endactp;
796 struct spd_attribute *attrp, *endattrp;
797 uint64_t *endp;
798 int nact;
799 boolean_t tunnel_polhead;
800
801 tunnel_polhead = (extv[SPD_EXT_TUN_NAME] != NULL &&
802 (((struct spd_rule *)extv[SPD_EXT_RULE])->spd_rule_flags &
803 SPD_RULE_FLAG_TUNNEL));
804
805 *actpp = NULL;
806 *nactp = 0;
807
808 if (sactp == NULL) {
809 *diag = SPD_DIAGNOSTIC_NO_ACTION_EXT;
810 return (B_FALSE);
811 }
812
813 /*
814 * Parse the "action" extension and convert into an action chain.
815 */
816
817 nact = sactp->spd_actions_count;
818
819 endp = (uint64_t *)sactp;
820 endp += sactp->spd_actions_len;
821 endattrp = (struct spd_attribute *)endp;
822
823 actp = kmem_alloc(sizeof (*actp) * nact, KM_NOSLEEP);
824 if (actp == NULL) {
825 *diag = SPD_DIAGNOSTIC_ADD_NO_MEM;
826 return (B_FALSE);
827 }
828 *actpp = actp;
829 *nactp = nact;
830 endactp = actp + nact;
831
832 spdsock_reset_act(&act);
833 attrp = (struct spd_attribute *)(&sactp[1]);
834
835 for (; attrp < endattrp; attrp++) {
836 switch (attrp->spd_attr_tag) {
837 case SPD_ATTR_NOP:
838 break;
839
840 case SPD_ATTR_EMPTY:
841 spdsock_reset_act(&act);
842 break;
843
844 case SPD_ATTR_END:
845 attrp = endattrp;
846 /* FALLTHRU */
847 case SPD_ATTR_NEXT:
848 if (actp >= endactp) {
849 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT;
850 goto fail;
851 }
852 if (!spdsock_check_action(&act, tunnel_polhead,
853 diag, spds))
854 goto fail;
855 *actp++ = act;
856 spdsock_reset_act(&act);
857 break;
858
859 case SPD_ATTR_TYPE:
860 if (!spd_convert_type(attrp->spd_attr_value, &act)) {
861 *diag = SPD_DIAGNOSTIC_ADD_BAD_TYPE;
862 goto fail;
863 }
864 break;
865
866 case SPD_ATTR_FLAGS:
867 if (!tunnel_polhead && extv[SPD_EXT_TUN_NAME] != NULL) {
868 /*
869 * Set "sa unique" for transport-mode
870 * tunnels whether we want to or not.
871 */
872 attrp->spd_attr_value |= SPD_APPLY_UNIQUE;
873 }
874 if (!spd_convert_flags(attrp->spd_attr_value, &act)) {
875 *diag = SPD_DIAGNOSTIC_ADD_BAD_FLAGS;
876 goto fail;
877 }
878 break;
879
880 case SPD_ATTR_AH_AUTH:
881 if (attrp->spd_attr_value == 0) {
882 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG;
883 goto fail;
884 }
885 act.ipa_apply.ipp_auth_alg = attrp->spd_attr_value;
886 break;
887
888 case SPD_ATTR_ESP_ENCR:
889 if (attrp->spd_attr_value == 0) {
890 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG;
891 goto fail;
892 }
893 act.ipa_apply.ipp_encr_alg = attrp->spd_attr_value;
894 break;
895
896 case SPD_ATTR_ESP_AUTH:
897 if (attrp->spd_attr_value == 0) {
898 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG;
899 goto fail;
900 }
901 act.ipa_apply.ipp_esp_auth_alg = attrp->spd_attr_value;
902 break;
903
904 case SPD_ATTR_ENCR_MINBITS:
905 act.ipa_apply.ipp_espe_minbits = attrp->spd_attr_value;
906 break;
907
908 case SPD_ATTR_ENCR_MAXBITS:
909 act.ipa_apply.ipp_espe_maxbits = attrp->spd_attr_value;
910 break;
911
912 case SPD_ATTR_AH_MINBITS:
913 act.ipa_apply.ipp_ah_minbits = attrp->spd_attr_value;
914 break;
915
916 case SPD_ATTR_AH_MAXBITS:
917 act.ipa_apply.ipp_ah_maxbits = attrp->spd_attr_value;
918 break;
919
920 case SPD_ATTR_ESPA_MINBITS:
921 act.ipa_apply.ipp_espa_minbits = attrp->spd_attr_value;
922 break;
923
924 case SPD_ATTR_ESPA_MAXBITS:
925 act.ipa_apply.ipp_espa_maxbits = attrp->spd_attr_value;
926 break;
927
928 case SPD_ATTR_LIFE_SOFT_TIME:
929 case SPD_ATTR_LIFE_HARD_TIME:
930 case SPD_ATTR_LIFE_SOFT_BYTES:
931 case SPD_ATTR_LIFE_HARD_BYTES:
932 break;
933
934 case SPD_ATTR_KM_PROTO:
935 act.ipa_apply.ipp_km_proto = attrp->spd_attr_value;
936 break;
937
938 case SPD_ATTR_KM_COOKIE:
939 act.ipa_apply.ipp_km_cookie = attrp->spd_attr_value;
940 break;
941
942 case SPD_ATTR_REPLAY_DEPTH:
943 act.ipa_apply.ipp_replay_depth = attrp->spd_attr_value;
944 break;
945 }
946 }
947 if (actp != endactp) {
948 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT;
949 goto fail;
950 }
951
952 return (B_TRUE);
953 fail:
954 ipsec_actvec_free(*actpp, nact);
955 *actpp = NULL;
956 return (B_FALSE);
957 }
958
959 typedef struct
960 {
961 ipsec_policy_t *pol;
962 int dir;
963 } tmprule_t;
964
965 static int
966 mkrule(ipsec_policy_head_t *iph, struct spd_rule *rule,
967 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t af,
968 tmprule_t **rp, uint64_t *index, spd_stack_t *spds)
969 {
970 ipsec_policy_t *pol;
971
972 sel->ipsl_valid &= ~(IPSL_IPV6|IPSL_IPV4);
973 sel->ipsl_valid |= af;
974
975 pol = ipsec_policy_create(sel, actp, nact, rule->spd_rule_priority,
976 index, spds->spds_netstack);
977 if (pol == NULL)
978 return (ENOMEM);
979
980 (*rp)->pol = pol;
981 (*rp)->dir = dir;
982 (*rp)++;
983
984 if (!ipsec_check_policy(iph, pol, dir))
985 return (EEXIST);
986
987 rule->spd_rule_index = pol->ipsp_index;
988 return (0);
989 }
990
991 static int
992 mkrulepair(ipsec_policy_head_t *iph, struct spd_rule *rule,
993 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t afs,
994 tmprule_t **rp, uint64_t *index, spd_stack_t *spds)
995 {
996 int error;
997
998 if (afs & IPSL_IPV4) {
999 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV4, rp,
1000 index, spds);
1001 if (error != 0)
1002 return (error);
1003 }
1004 if (afs & IPSL_IPV6) {
1005 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV6, rp,
1006 index, spds);
1007 if (error != 0)
1008 return (error);
1009 }
1010 return (0);
1011 }
1012
1013
1014 static void
1015 spdsock_addrule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1016 spd_ext_t **extv, ipsec_tun_pol_t *itp)
1017 {
1018 ipsec_selkey_t sel;
1019 ipsec_act_t *actp;
1020 uint_t nact;
1021 int diag = 0, error, afs;
1022 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE];
1023 tmprule_t rules[4], *rulep = &rules[0];
1024 boolean_t tunnel_mode, empty_itp, active;
1025 uint64_t *index = (itp == NULL) ? NULL : &itp->itp_next_policy_index;
1026 spdsock_t *ss = (spdsock_t *)q->q_ptr;
1027 spd_stack_t *spds = ss->spdsock_spds;
1028
1029 if (rule == NULL) {
1030 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT);
1031 if (audit_active) {
1032 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1033 cred_t *cr;
1034 pid_t cpid;
1035
1036 cr = msg_getcred(mp, &cpid);
1037 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1038 audit_pf_policy(SPD_ADDRULE, cr,
1039 spds->spds_netstack, ITP_NAME(itp), active,
1040 SPD_DIAGNOSTIC_NO_RULE_EXT, cpid);
1041 }
1042 return;
1043 }
1044
1045 tunnel_mode = (rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL);
1046
1047 if (itp != NULL) {
1048 mutex_enter(&itp->itp_lock);
1049 ASSERT(itp->itp_policy == iph || itp->itp_inactive == iph);
1050 active = (itp->itp_policy == iph);
1051 if (ITP_P_ISACTIVE(itp, iph)) {
1052 /* Check for mix-and-match of tunnel/transport. */
1053 if ((tunnel_mode && !ITP_P_ISTUNNEL(itp, iph)) ||
1054 (!tunnel_mode && ITP_P_ISTUNNEL(itp, iph))) {
1055 mutex_exit(&itp->itp_lock);
1056 spdsock_error(q, mp, EBUSY, 0);
1057 return;
1058 }
1059 empty_itp = B_FALSE;
1060 } else {
1061 empty_itp = B_TRUE;
1062 itp->itp_flags = active ? ITPF_P_ACTIVE : ITPF_I_ACTIVE;
1063 if (tunnel_mode)
1064 itp->itp_flags |= active ? ITPF_P_TUNNEL :
1065 ITPF_I_TUNNEL;
1066 }
1067 } else {
1068 empty_itp = B_FALSE;
1069 }
1070
1071 if (rule->spd_rule_index != 0) {
1072 diag = SPD_DIAGNOSTIC_INVALID_RULE_INDEX;
1073 error = EINVAL;
1074 goto fail2;
1075 }
1076
1077 if (!spdsock_ext_to_sel(extv, &sel, &diag)) {
1078 error = EINVAL;
1079 goto fail2;
1080 }
1081
1082 if (itp != NULL) {
1083 if (tunnel_mode) {
1084 if (sel.ipsl_valid &
1085 (IPSL_REMOTE_PORT | IPSL_LOCAL_PORT)) {
1086 itp->itp_flags |= active ?
1087 ITPF_P_PER_PORT_SECURITY :
1088 ITPF_I_PER_PORT_SECURITY;
1089 }
1090 } else {
1091 /*
1092 * For now, we don't allow transport-mode on a tunnel
1093 * with ANY specific selectors. Bail if we have such
1094 * a request.
1095 */
1096 if (sel.ipsl_valid & IPSL_WILDCARD) {
1097 diag = SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS;
1098 error = EINVAL;
1099 goto fail2;
1100 }
1101 }
1102 }
1103
1104 if (!spdsock_ext_to_actvec(extv, &actp, &nact, &diag, spds)) {
1105 error = EINVAL;
1106 goto fail2;
1107 }
1108 /*
1109 * If no addresses were specified, add both.
1110 */
1111 afs = sel.ipsl_valid & (IPSL_IPV6|IPSL_IPV4);
1112 if (afs == 0)
1113 afs = (IPSL_IPV6|IPSL_IPV4);
1114
1115 rw_enter(&iph->iph_lock, RW_WRITER);
1116
1117 if (rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) {
1118 error = mkrulepair(iph, rule, &sel, actp, nact,
1119 IPSEC_TYPE_OUTBOUND, afs, &rulep, index, spds);
1120 if (error != 0)
1121 goto fail;
1122 }
1123
1124 if (rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) {
1125 error = mkrulepair(iph, rule, &sel, actp, nact,
1126 IPSEC_TYPE_INBOUND, afs, &rulep, index, spds);
1127 if (error != 0)
1128 goto fail;
1129 }
1130
1131 while ((--rulep) >= &rules[0]) {
1132 ipsec_enter_policy(iph, rulep->pol, rulep->dir,
1133 spds->spds_netstack);
1134 }
1135 rw_exit(&iph->iph_lock);
1136 if (itp != NULL)
1137 mutex_exit(&itp->itp_lock);
1138
1139 ipsec_actvec_free(actp, nact);
1140 spd_echo(q, mp);
1141 if (audit_active) {
1142 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1143 cred_t *cr;
1144 pid_t cpid;
1145
1146 cr = msg_getcred(mp, &cpid);
1147 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1148 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack,
1149 ITP_NAME(itp), active, 0, cpid);
1150 }
1151 return;
1152
1153 fail:
1154 rw_exit(&iph->iph_lock);
1155 while ((--rulep) >= &rules[0])
1156 IPPOL_REFRELE(rulep->pol);
1157 ipsec_actvec_free(actp, nact);
1158 fail2:
1159 if (itp != NULL) {
1160 if (empty_itp)
1161 itp->itp_flags = 0;
1162 mutex_exit(&itp->itp_lock);
1163 }
1164 spdsock_error(q, mp, error, diag);
1165 if (audit_active) {
1166 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1167 cred_t *cr;
1168 pid_t cpid;
1169
1170 cr = msg_getcred(mp, &cpid);
1171 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1172 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack,
1173 ITP_NAME(itp), active, error, cpid);
1174 }
1175 }
1176
1177 void
1178 spdsock_deleterule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1179 spd_ext_t **extv, ipsec_tun_pol_t *itp)
1180 {
1181 ipsec_selkey_t sel;
1182 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE];
1183 int err, diag = 0;
1184 spdsock_t *ss = (spdsock_t *)q->q_ptr;
1185 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1186
1187 if (rule == NULL) {
1188 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT);
1189 if (audit_active) {
1190 boolean_t active;
1191 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1192 cred_t *cr;
1193 pid_t cpid;
1194
1195 cr = msg_getcred(mp, &cpid);
1196 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1197 audit_pf_policy(SPD_DELETERULE, cr, ns,
1198 ITP_NAME(itp), active, SPD_DIAGNOSTIC_NO_RULE_EXT,
1199 cpid);
1200 }
1201 return;
1202 }
1203
1204 /*
1205 * Must enter itp_lock first to avoid deadlock. See tun.c's
1206 * set_sec_simple() for the other case of itp_lock and iph_lock.
1207 */
1208 if (itp != NULL)
1209 mutex_enter(&itp->itp_lock);
1210
1211 if (rule->spd_rule_index != 0) {
1212 if (ipsec_policy_delete_index(iph, rule->spd_rule_index, ns) !=
1213 0) {
1214 err = ESRCH;
1215 goto fail;
1216 }
1217 } else {
1218 if (!spdsock_ext_to_sel(extv, &sel, &diag)) {
1219 err = EINVAL; /* diag already set... */
1220 goto fail;
1221 }
1222
1223 if ((rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) &&
1224 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_INBOUND, ns)) {
1225 err = ESRCH;
1226 goto fail;
1227 }
1228
1229 if ((rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) &&
1230 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_OUTBOUND, ns)) {
1231 err = ESRCH;
1232 goto fail;
1233 }
1234 }
1235
1236 if (itp != NULL) {
1237 ASSERT(iph == itp->itp_policy || iph == itp->itp_inactive);
1238 rw_enter(&iph->iph_lock, RW_READER);
1239 if (avl_numnodes(&iph->iph_rulebyid) == 0) {
1240 if (iph == itp->itp_policy)
1241 itp->itp_flags &= ~ITPF_PFLAGS;
1242 else
1243 itp->itp_flags &= ~ITPF_IFLAGS;
1244 }
1245 /* Can exit locks in any order. */
1246 rw_exit(&iph->iph_lock);
1247 mutex_exit(&itp->itp_lock);
1248 }
1249 spd_echo(q, mp);
1250 if (audit_active) {
1251 boolean_t active;
1252 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1253 cred_t *cr;
1254 pid_t cpid;
1255
1256 cr = msg_getcred(mp, &cpid);
1257 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1258 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp),
1259 active, 0, cpid);
1260 }
1261 return;
1262 fail:
1263 if (itp != NULL)
1264 mutex_exit(&itp->itp_lock);
1265 spdsock_error(q, mp, err, diag);
1266 if (audit_active) {
1267 boolean_t active;
1268 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1269 cred_t *cr;
1270 pid_t cpid;
1271
1272 cr = msg_getcred(mp, &cpid);
1273 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1274 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp),
1275 active, err, cpid);
1276 }
1277 }
1278
1279 /* Do NOT consume a reference to itp. */
1280 /* ARGSUSED */
1281 static void
1282 spdsock_flip_node(ipsec_tun_pol_t *itp, void *ignoreme, netstack_t *ns)
1283 {
1284 mutex_enter(&itp->itp_lock);
1285 ITPF_SWAP(itp->itp_flags);
1286 ipsec_swap_policy(itp->itp_policy, itp->itp_inactive, ns);
1287 mutex_exit(&itp->itp_lock);
1288 /* SPD_FLIP is worth a tunnel MTU check. */
1289 update_iptun_policy(itp);
1290 }
1291
1292 void
1293 spdsock_flip(queue_t *q, mblk_t *mp, spd_if_t *tunname)
1294 {
1295 char *tname;
1296 ipsec_tun_pol_t *itp;
1297 spdsock_t *ss = (spdsock_t *)q->q_ptr;
1298 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1299
1300 if (tunname != NULL) {
1301 tname = (char *)tunname->spd_if_name;
1302 if (*tname == '\0') {
1303 /* can't fail */
1304 ipsec_swap_global_policy(ns);
1305 if (audit_active) {
1306 boolean_t active;
1307 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1308 cred_t *cr;
1309 pid_t cpid;
1310
1311 cr = msg_getcred(mp, &cpid);
1312 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1313 audit_pf_policy(SPD_FLIP, cr, ns,
1314 NULL, active, 0, cpid);
1315 }
1316 itp_walk(spdsock_flip_node, NULL, ns);
1317 if (audit_active) {
1318 boolean_t active;
1319 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1320 cred_t *cr;
1321 pid_t cpid;
1322
1323 cr = msg_getcred(mp, &cpid);
1324 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1325 audit_pf_policy(SPD_FLIP, cr, ns,
1326 "all tunnels", active, 0, cpid);
1327 }
1328 } else {
1329 itp = get_tunnel_policy(tname, ns);
1330 if (itp == NULL) {
1331 /* Better idea for "tunnel not found"? */
1332 spdsock_error(q, mp, ESRCH, 0);
1333 if (audit_active) {
1334 boolean_t active;
1335 spd_msg_t *spmsg =
1336 (spd_msg_t *)mp->b_rptr;
1337 cred_t *cr;
1338 pid_t cpid;
1339
1340 cr = msg_getcred(mp, &cpid);
1341 active = (spmsg->spd_msg_spdid ==
1342 SPD_ACTIVE);
1343 audit_pf_policy(SPD_FLIP, cr, ns,
1344 ITP_NAME(itp), active,
1345 ESRCH, cpid);
1346 }
1347 return;
1348 }
1349 spdsock_flip_node(itp, NULL, ns);
1350 if (audit_active) {
1351 boolean_t active;
1352 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1353 cred_t *cr;
1354 pid_t cpid;
1355
1356 cr = msg_getcred(mp, &cpid);
1357 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1358 audit_pf_policy(SPD_FLIP, cr, ns,
1359 ITP_NAME(itp), active, 0, cpid);
1360 }
1361 ITP_REFRELE(itp, ns);
1362 }
1363 } else {
1364 ipsec_swap_global_policy(ns); /* can't fail */
1365 if (audit_active) {
1366 boolean_t active;
1367 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1368 cred_t *cr;
1369 pid_t cpid;
1370
1371 cr = msg_getcred(mp, &cpid);
1372 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1373 audit_pf_policy(SPD_FLIP, cr,
1374 ns, NULL, active, 0, cpid);
1375 }
1376 }
1377 spd_echo(q, mp);
1378 }
1379
1380 /*
1381 * Unimplemented feature
1382 */
1383 /* ARGSUSED */
1384 static void
1385 spdsock_lookup(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1386 spd_ext_t **extv, ipsec_tun_pol_t *itp)
1387 {
1388 spdsock_error(q, mp, EINVAL, 0);
1389 }
1390
1391
1392 static mblk_t *
1393 spdsock_dump_ruleset(mblk_t *req, ipsec_policy_head_t *iph,
1394 uint32_t count, uint16_t error)
1395 {
1396 size_t len = sizeof (spd_ruleset_ext_t) + sizeof (spd_msg_t);
1397 spd_msg_t *msg;
1398 spd_ruleset_ext_t *ruleset;
1399 mblk_t *m = allocb(len, BPRI_HI);
1400
1401 ASSERT(RW_READ_HELD(&iph->iph_lock));
1402
1403 if (m == NULL) {
1404 return (NULL);
1405 }
1406 msg = (spd_msg_t *)m->b_rptr;
1407 ruleset = (spd_ruleset_ext_t *)(&msg[1]);
1408
1409 m->b_wptr = (uint8_t *)&ruleset[1];
1410
1411 *msg = *(spd_msg_t *)(req->b_rptr);
1412 msg->spd_msg_len = SPD_8TO64(len);
1413 msg->spd_msg_errno = error;
1414
1415 ruleset->spd_ruleset_len = SPD_8TO64(sizeof (*ruleset));
1416 ruleset->spd_ruleset_type = SPD_EXT_RULESET;
1417 ruleset->spd_ruleset_count = count;
1418 ruleset->spd_ruleset_version = iph->iph_gen;
1419 return (m);
1420 }
1421
1422 static mblk_t *
1423 spdsock_dump_finish(spdsock_t *ss, int error)
1424 {
1425 mblk_t *m;
1426 ipsec_policy_head_t *iph = ss->spdsock_dump_head;
1427 mblk_t *req = ss->spdsock_dump_req;
1428 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1429
1430 rw_enter(&iph->iph_lock, RW_READER);
1431 m = spdsock_dump_ruleset(req, iph, ss->spdsock_dump_count, error);
1432 rw_exit(&iph->iph_lock);
1433 IPPH_REFRELE(iph, ns);
1434 if (ss->spdsock_itp != NULL) {
1435 ITP_REFRELE(ss->spdsock_itp, ns);
1436 ss->spdsock_itp = NULL;
1437 }
1438 ss->spdsock_dump_req = NULL;
1439 freemsg(req);
1440
1441 return (m);
1442 }
1443
1444 /*
1445 * Rule encoding functions.
1446 * We do a two-pass encode.
1447 * If base != NULL, fill in encoded rule part starting at base+offset.
1448 * Always return "offset" plus length of to-be-encoded data.
1449 */
1450 static uint_t
1451 spdsock_encode_typecode(uint8_t *base, uint_t offset, uint8_t type,
1452 uint8_t type_end, uint8_t code, uint8_t code_end)
1453 {
1454 struct spd_typecode *tcp;
1455
1456 ASSERT(ALIGNED64(offset));
1457
1458 if (base != NULL) {
1459 tcp = (struct spd_typecode *)(base + offset);
1460 tcp->spd_typecode_len = SPD_8TO64(sizeof (*tcp));
1461 tcp->spd_typecode_exttype = SPD_EXT_ICMP_TYPECODE;
1462 tcp->spd_typecode_code = code;
1463 tcp->spd_typecode_type = type;
1464 tcp->spd_typecode_type_end = type_end;
1465 tcp->spd_typecode_code_end = code_end;
1466 }
1467 offset += sizeof (*tcp);
1468
1469 ASSERT(ALIGNED64(offset));
1470
1471 return (offset);
1472 }
1473
1474 static uint_t
1475 spdsock_encode_proto(uint8_t *base, uint_t offset, uint8_t proto)
1476 {
1477 struct spd_proto *spp;
1478
1479 ASSERT(ALIGNED64(offset));
1480
1481 if (base != NULL) {
1482 spp = (struct spd_proto *)(base + offset);
1483 spp->spd_proto_len = SPD_8TO64(sizeof (*spp));
1484 spp->spd_proto_exttype = SPD_EXT_PROTO;
1485 spp->spd_proto_number = proto;
1486 spp->spd_proto_reserved1 = 0;
1487 spp->spd_proto_reserved2 = 0;
1488 }
1489 offset += sizeof (*spp);
1490
1491 ASSERT(ALIGNED64(offset));
1492
1493 return (offset);
1494 }
1495
1496 static uint_t
1497 spdsock_encode_port(uint8_t *base, uint_t offset, uint16_t ext, uint16_t port)
1498 {
1499 struct spd_portrange *spp;
1500
1501 ASSERT(ALIGNED64(offset));
1502
1503 if (base != NULL) {
1504 spp = (struct spd_portrange *)(base + offset);
1505 spp->spd_ports_len = SPD_8TO64(sizeof (*spp));
1506 spp->spd_ports_exttype = ext;
1507 spp->spd_ports_minport = port;
1508 spp->spd_ports_maxport = port;
1509 }
1510 offset += sizeof (*spp);
1511
1512 ASSERT(ALIGNED64(offset));
1513
1514 return (offset);
1515 }
1516
1517 static uint_t
1518 spdsock_encode_addr(uint8_t *base, uint_t offset, uint16_t ext,
1519 const ipsec_selkey_t *sel, const ipsec_addr_t *addr, uint_t pfxlen)
1520 {
1521 struct spd_address *sae;
1522 ipsec_addr_t *spdaddr;
1523 uint_t start = offset;
1524 uint_t addrlen;
1525 uint_t af;
1526
1527 if (sel->ipsl_valid & IPSL_IPV4) {
1528 af = AF_INET;
1529 addrlen = IP_ADDR_LEN;
1530 } else {
1531 af = AF_INET6;
1532 addrlen = IPV6_ADDR_LEN;
1533 }
1534
1535 ASSERT(ALIGNED64(offset));
1536
1537 if (base != NULL) {
1538 sae = (struct spd_address *)(base + offset);
1539 sae->spd_address_exttype = ext;
1540 sae->spd_address_af = af;
1541 sae->spd_address_prefixlen = pfxlen;
1542 sae->spd_address_reserved2 = 0;
1543
1544 spdaddr = (ipsec_addr_t *)(&sae[1]);
1545 bcopy(addr, spdaddr, addrlen);
1546 }
1547 offset += sizeof (*sae);
1548 addrlen = roundup(addrlen, sizeof (uint64_t));
1549 offset += addrlen;
1550
1551 ASSERT(ALIGNED64(offset));
1552
1553 if (base != NULL)
1554 sae->spd_address_len = SPD_8TO64(offset - start);
1555 return (offset);
1556 }
1557
1558 static uint_t
1559 spdsock_encode_sel(uint8_t *base, uint_t offset, const ipsec_sel_t *sel)
1560 {
1561 const ipsec_selkey_t *selkey = &sel->ipsl_key;
1562
1563 if (selkey->ipsl_valid & IPSL_PROTOCOL)
1564 offset = spdsock_encode_proto(base, offset, selkey->ipsl_proto);
1565 if (selkey->ipsl_valid & IPSL_LOCAL_PORT)
1566 offset = spdsock_encode_port(base, offset, SPD_EXT_LCLPORT,
1567 selkey->ipsl_lport);
1568 if (selkey->ipsl_valid & IPSL_REMOTE_PORT)
1569 offset = spdsock_encode_port(base, offset, SPD_EXT_REMPORT,
1570 selkey->ipsl_rport);
1571 if (selkey->ipsl_valid & IPSL_REMOTE_ADDR)
1572 offset = spdsock_encode_addr(base, offset, SPD_EXT_REMADDR,
1573 selkey, &selkey->ipsl_remote, selkey->ipsl_remote_pfxlen);
1574 if (selkey->ipsl_valid & IPSL_LOCAL_ADDR)
1575 offset = spdsock_encode_addr(base, offset, SPD_EXT_LCLADDR,
1576 selkey, &selkey->ipsl_local, selkey->ipsl_local_pfxlen);
1577 if (selkey->ipsl_valid & IPSL_ICMP_TYPE) {
1578 offset = spdsock_encode_typecode(base, offset,
1579 selkey->ipsl_icmp_type, selkey->ipsl_icmp_type_end,
1580 (selkey->ipsl_valid & IPSL_ICMP_CODE) ?
1581 selkey->ipsl_icmp_code : 255,
1582 (selkey->ipsl_valid & IPSL_ICMP_CODE) ?
1583 selkey->ipsl_icmp_code_end : 255);
1584 }
1585 return (offset);
1586 }
1587
1588 static uint_t
1589 spdsock_encode_actattr(uint8_t *base, uint_t offset, uint32_t tag,
1590 uint32_t value)
1591 {
1592 struct spd_attribute *attr;
1593
1594 ASSERT(ALIGNED64(offset));
1595
1596 if (base != NULL) {
1597 attr = (struct spd_attribute *)(base + offset);
1598 attr->spd_attr_tag = tag;
1599 attr->spd_attr_value = value;
1600 }
1601 offset += sizeof (struct spd_attribute);
1602
1603 ASSERT(ALIGNED64(offset));
1604
1605 return (offset);
1606 }
1607
1608
1609 #define EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v))
1610
1611 static uint_t
1612 spdsock_encode_action(uint8_t *base, uint_t offset, const ipsec_action_t *ap)
1613 {
1614 const struct ipsec_act *act = &(ap->ipa_act);
1615 uint_t flags;
1616
1617 EMIT(SPD_ATTR_EMPTY, 0);
1618 switch (act->ipa_type) {
1619 case IPSEC_ACT_DISCARD:
1620 case IPSEC_ACT_REJECT:
1621 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_DROP);
1622 break;
1623 case IPSEC_ACT_BYPASS:
1624 case IPSEC_ACT_CLEAR:
1625 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_PASS);
1626 break;
1627
1628 case IPSEC_ACT_APPLY:
1629 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_IPSEC);
1630 flags = 0;
1631 if (act->ipa_apply.ipp_use_ah)
1632 flags |= SPD_APPLY_AH;
1633 if (act->ipa_apply.ipp_use_esp)
1634 flags |= SPD_APPLY_ESP;
1635 if (act->ipa_apply.ipp_use_espa)
1636 flags |= SPD_APPLY_ESPA;
1637 if (act->ipa_apply.ipp_use_se)
1638 flags |= SPD_APPLY_SE;
1639 if (act->ipa_apply.ipp_use_unique)
1640 flags |= SPD_APPLY_UNIQUE;
1641 EMIT(SPD_ATTR_FLAGS, flags);
1642 if (flags & SPD_APPLY_AH) {
1643 EMIT(SPD_ATTR_AH_AUTH, act->ipa_apply.ipp_auth_alg);
1644 EMIT(SPD_ATTR_AH_MINBITS,
1645 act->ipa_apply.ipp_ah_minbits);
1646 EMIT(SPD_ATTR_AH_MAXBITS,
1647 act->ipa_apply.ipp_ah_maxbits);
1648 }
1649 if (flags & SPD_APPLY_ESP) {
1650 EMIT(SPD_ATTR_ESP_ENCR, act->ipa_apply.ipp_encr_alg);
1651 EMIT(SPD_ATTR_ENCR_MINBITS,
1652 act->ipa_apply.ipp_espe_minbits);
1653 EMIT(SPD_ATTR_ENCR_MAXBITS,
1654 act->ipa_apply.ipp_espe_maxbits);
1655 if (flags & SPD_APPLY_ESPA) {
1656 EMIT(SPD_ATTR_ESP_AUTH,
1657 act->ipa_apply.ipp_esp_auth_alg);
1658 EMIT(SPD_ATTR_ESPA_MINBITS,
1659 act->ipa_apply.ipp_espa_minbits);
1660 EMIT(SPD_ATTR_ESPA_MAXBITS,
1661 act->ipa_apply.ipp_espa_maxbits);
1662 }
1663 }
1664 if (act->ipa_apply.ipp_km_proto != 0)
1665 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_proto);
1666 if (act->ipa_apply.ipp_km_cookie != 0)
1667 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_cookie);
1668 if (act->ipa_apply.ipp_replay_depth != 0)
1669 EMIT(SPD_ATTR_REPLAY_DEPTH,
1670 act->ipa_apply.ipp_replay_depth);
1671 /* Add more here */
1672 break;
1673 }
1674
1675 return (offset);
1676 }
1677
1678 static uint_t
1679 spdsock_encode_action_list(uint8_t *base, uint_t offset,
1680 const ipsec_action_t *ap)
1681 {
1682 struct spd_ext_actions *act;
1683 uint_t nact = 0;
1684 uint_t start = offset;
1685
1686 ASSERT(ALIGNED64(offset));
1687
1688 if (base != NULL) {
1689 act = (struct spd_ext_actions *)(base + offset);
1690 act->spd_actions_len = 0;
1691 act->spd_actions_exttype = SPD_EXT_ACTION;
1692 act->spd_actions_count = 0;
1693 act->spd_actions_reserved = 0;
1694 }
1695
1696 offset += sizeof (*act);
1697
1698 ASSERT(ALIGNED64(offset));
1699
1700 while (ap != NULL) {
1701 offset = spdsock_encode_action(base, offset, ap);
1702 ap = ap->ipa_next;
1703 nact++;
1704 if (ap != NULL) {
1705 EMIT(SPD_ATTR_NEXT, 0);
1706 }
1707 }
1708 EMIT(SPD_ATTR_END, 0);
1709
1710 ASSERT(ALIGNED64(offset));
1711
1712 if (base != NULL) {
1713 act->spd_actions_count = nact;
1714 act->spd_actions_len = SPD_8TO64(offset - start);
1715 }
1716
1717 return (offset);
1718 }
1719
1720 #undef EMIT
1721
1722 /* ARGSUSED */
1723 static uint_t
1724 spdsock_rule_flags(uint_t dir, uint_t af)
1725 {
1726 uint_t flags = 0;
1727
1728 if (dir == IPSEC_TYPE_INBOUND)
1729 flags |= SPD_RULE_FLAG_INBOUND;
1730 if (dir == IPSEC_TYPE_OUTBOUND)
1731 flags |= SPD_RULE_FLAG_OUTBOUND;
1732
1733 return (flags);
1734 }
1735
1736
1737 static uint_t
1738 spdsock_encode_rule_head(uint8_t *base, uint_t offset, spd_msg_t *req,
1739 const ipsec_policy_t *rule, uint_t dir, uint_t af, char *name,
1740 boolean_t tunnel)
1741 {
1742 struct spd_msg *spmsg;
1743 struct spd_rule *spr;
1744 spd_if_t *sid;
1745
1746 uint_t start = offset;
1747
1748 ASSERT(ALIGNED64(offset));
1749
1750 if (base != NULL) {
1751 spmsg = (struct spd_msg *)(base + offset);
1752 bzero(spmsg, sizeof (*spmsg));
1753 spmsg->spd_msg_version = PF_POLICY_V1;
1754 spmsg->spd_msg_type = SPD_DUMP;
1755 spmsg->spd_msg_seq = req->spd_msg_seq;
1756 spmsg->spd_msg_pid = req->spd_msg_pid;
1757 }
1758 offset += sizeof (struct spd_msg);
1759
1760 ASSERT(ALIGNED64(offset));
1761
1762 if (base != NULL) {
1763 spr = (struct spd_rule *)(base + offset);
1764 spr->spd_rule_type = SPD_EXT_RULE;
1765 spr->spd_rule_priority = rule->ipsp_prio;
1766 spr->spd_rule_flags = spdsock_rule_flags(dir, af);
1767 if (tunnel)
1768 spr->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL;
1769 spr->spd_rule_unused = 0;
1770 spr->spd_rule_len = SPD_8TO64(sizeof (*spr));
1771 spr->spd_rule_index = rule->ipsp_index;
1772 }
1773 offset += sizeof (struct spd_rule);
1774
1775 /*
1776 * If we have an interface name (i.e. if this policy head came from
1777 * a tunnel), add the SPD_EXT_TUN_NAME extension.
1778 */
1779 if (name != NULL) {
1780
1781 ASSERT(ALIGNED64(offset));
1782
1783 if (base != NULL) {
1784 sid = (spd_if_t *)(base + offset);
1785 sid->spd_if_exttype = SPD_EXT_TUN_NAME;
1786 sid->spd_if_len = SPD_8TO64(sizeof (spd_if_t) +
1787 roundup((strlen(name) - 4), 8));
1788 (void) strlcpy((char *)sid->spd_if_name, name,
1789 LIFNAMSIZ);
1790 }
1791
1792 offset += sizeof (spd_if_t) + roundup((strlen(name) - 4), 8);
1793 }
1794
1795 offset = spdsock_encode_sel(base, offset, rule->ipsp_sel);
1796 offset = spdsock_encode_action_list(base, offset, rule->ipsp_act);
1797
1798 ASSERT(ALIGNED64(offset));
1799
1800 if (base != NULL) {
1801 spmsg->spd_msg_len = SPD_8TO64(offset - start);
1802 }
1803 return (offset);
1804 }
1805
1806 /* ARGSUSED */
1807 static mblk_t *
1808 spdsock_encode_rule(mblk_t *req, const ipsec_policy_t *rule,
1809 uint_t dir, uint_t af, char *name, boolean_t tunnel)
1810 {
1811 mblk_t *m;
1812 uint_t len;
1813 spd_msg_t *mreq = (spd_msg_t *)req->b_rptr;
1814
1815 /*
1816 * Figure out how much space we'll need.
1817 */
1818 len = spdsock_encode_rule_head(NULL, 0, mreq, rule, dir, af, name,
1819 tunnel);
1820
1821 /*
1822 * Allocate mblk.
1823 */
1824 m = allocb(len, BPRI_HI);
1825 if (m == NULL)
1826 return (NULL);
1827
1828 /*
1829 * Fill it in..
1830 */
1831 m->b_wptr = m->b_rptr + len;
1832 bzero(m->b_rptr, len);
1833 (void) spdsock_encode_rule_head(m->b_rptr, 0, mreq, rule, dir, af,
1834 name, tunnel);
1835 return (m);
1836 }
1837
1838 static ipsec_policy_t *
1839 spdsock_dump_next_in_chain(spdsock_t *ss, ipsec_policy_head_t *iph,
1840 ipsec_policy_t *cur)
1841 {
1842 ASSERT(RW_READ_HELD(&iph->iph_lock));
1843
1844 ss->spdsock_dump_count++;
1845 ss->spdsock_dump_cur_rule = cur->ipsp_hash.hash_next;
1846 return (cur);
1847 }
1848
1849 static ipsec_policy_t *
1850 spdsock_dump_next_rule(spdsock_t *ss, ipsec_policy_head_t *iph)
1851 {
1852 ipsec_policy_t *cur;
1853 ipsec_policy_root_t *ipr;
1854 int chain, nchains, type, af;
1855
1856 ASSERT(RW_READ_HELD(&iph->iph_lock));
1857
1858 cur = ss->spdsock_dump_cur_rule;
1859
1860 if (cur != NULL)
1861 return (spdsock_dump_next_in_chain(ss, iph, cur));
1862
1863 type = ss->spdsock_dump_cur_type;
1864
1865 next:
1866 chain = ss->spdsock_dump_cur_chain;
1867 ipr = &iph->iph_root[type];
1868 nchains = ipr->ipr_nchains;
1869
1870 while (chain < nchains) {
1871 cur = ipr->ipr_hash[chain].hash_head;
1872 chain++;
1873 if (cur != NULL) {
1874 ss->spdsock_dump_cur_chain = chain;
1875 return (spdsock_dump_next_in_chain(ss, iph, cur));
1876 }
1877 }
1878 ss->spdsock_dump_cur_chain = nchains;
1879
1880 af = ss->spdsock_dump_cur_af;
1881 while (af < IPSEC_NAF) {
1882 cur = ipr->ipr_nonhash[af];
1883 af++;
1884 if (cur != NULL) {
1885 ss->spdsock_dump_cur_af = af;
1886 return (spdsock_dump_next_in_chain(ss, iph, cur));
1887 }
1888 }
1889
1890 type++;
1891 if (type >= IPSEC_NTYPES)
1892 return (NULL);
1893
1894 ss->spdsock_dump_cur_chain = 0;
1895 ss->spdsock_dump_cur_type = type;
1896 ss->spdsock_dump_cur_af = IPSEC_AF_V4;
1897 goto next;
1898
1899 }
1900
1901 /*
1902 * If we're done with one policy head, but have more to go, we iterate through
1903 * another IPsec tunnel policy head (itp). Return NULL if it is an error
1904 * worthy of returning EAGAIN via PF_POLICY.
1905 */
1906 static ipsec_tun_pol_t *
1907 spdsock_dump_iterate_next_tunnel(spdsock_t *ss, ipsec_stack_t *ipss)
1908 {
1909 ipsec_tun_pol_t *itp;
1910
1911 ASSERT(RW_READ_HELD(&ipss->ipsec_tunnel_policy_lock));
1912 if (ipss->ipsec_tunnel_policy_gen > ss->spdsock_dump_tun_gen) {
1913 /* Oops, state of the tunnel polheads changed. */
1914 itp = NULL;
1915 } else if (ss->spdsock_itp == NULL) {
1916 /* Just finished global, find first node. */
1917 itp = avl_first(&ipss->ipsec_tunnel_policies);
1918 } else {
1919 /* We just finished current polhead, find the next one. */
1920 itp = AVL_NEXT(&ipss->ipsec_tunnel_policies, ss->spdsock_itp);
1921 }
1922 if (itp != NULL) {
1923 ITP_REFHOLD(itp);
1924 }
1925 if (ss->spdsock_itp != NULL) {
1926 ITP_REFRELE(ss->spdsock_itp, ipss->ipsec_netstack);
1927 }
1928 ss->spdsock_itp = itp;
1929 return (itp);
1930 }
1931
1932 static mblk_t *
1933 spdsock_dump_next_record(spdsock_t *ss)
1934 {
1935 ipsec_policy_head_t *iph;
1936 ipsec_policy_t *rule;
1937 mblk_t *m;
1938 ipsec_tun_pol_t *itp;
1939 netstack_t *ns = ss->spdsock_spds->spds_netstack;
1940 ipsec_stack_t *ipss = ns->netstack_ipsec;
1941
1942 iph = ss->spdsock_dump_head;
1943
1944 ASSERT(iph != NULL);
1945
1946 rw_enter(&iph->iph_lock, RW_READER);
1947
1948 if (iph->iph_gen != ss->spdsock_dump_gen) {
1949 rw_exit(&iph->iph_lock);
1950 return (spdsock_dump_finish(ss, EAGAIN));
1951 }
1952
1953 while ((rule = spdsock_dump_next_rule(ss, iph)) == NULL) {
1954 rw_exit(&iph->iph_lock);
1955 if (--(ss->spdsock_dump_remaining_polheads) == 0)
1956 return (spdsock_dump_finish(ss, 0));
1957
1958
1959 /*
1960 * If we reach here, we have more policy heads (tunnel
1961 * entries) to dump. Let's reset to a new policy head
1962 * and get some more rules.
1963 *
1964 * An empty policy head will have spdsock_dump_next_rule()
1965 * return NULL, and we loop (while dropping the number of
1966 * remaining polheads). If we loop to 0, we finish. We
1967 * keep looping until we hit 0 or until we have a rule to
1968 * encode.
1969 *
1970 * NOTE: No need for ITP_REF*() macros here as we're only
1971 * going after and refholding the policy head itself.
1972 */
1973 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
1974 itp = spdsock_dump_iterate_next_tunnel(ss, ipss);
1975 if (itp == NULL) {
1976 rw_exit(&ipss->ipsec_tunnel_policy_lock);
1977 return (spdsock_dump_finish(ss, EAGAIN));
1978 }
1979
1980 /* Reset other spdsock_dump thingies. */
1981 IPPH_REFRELE(ss->spdsock_dump_head, ns);
1982 if (ss->spdsock_dump_active) {
1983 ss->spdsock_dump_tunnel =
1984 itp->itp_flags & ITPF_P_TUNNEL;
1985 iph = itp->itp_policy;
1986 } else {
1987 ss->spdsock_dump_tunnel =
1988 itp->itp_flags & ITPF_I_TUNNEL;
1989 iph = itp->itp_inactive;
1990 }
1991 IPPH_REFHOLD(iph);
1992 rw_exit(&ipss->ipsec_tunnel_policy_lock);
1993
1994 rw_enter(&iph->iph_lock, RW_READER);
1995 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph);
1996 }
1997
1998 m = spdsock_encode_rule(ss->spdsock_dump_req, rule,
1999 ss->spdsock_dump_cur_type, ss->spdsock_dump_cur_af,
2000 (ss->spdsock_itp == NULL) ? NULL : ss->spdsock_itp->itp_name,
2001 ss->spdsock_dump_tunnel);
2002 rw_exit(&iph->iph_lock);
2003
2004 if (m == NULL)
2005 return (spdsock_dump_finish(ss, ENOMEM));
2006 return (m);
2007 }
2008
2009 /*
2010 * Dump records until we run into flow-control back-pressure.
2011 */
2012 static void
2013 spdsock_dump_some(queue_t *q, spdsock_t *ss)
2014 {
2015 mblk_t *m, *dataind;
2016
2017 while ((ss->spdsock_dump_req != NULL) && canputnext(q)) {
2018 m = spdsock_dump_next_record(ss);
2019 if (m == NULL)
2020 return;
2021 dataind = allocb(sizeof (struct T_data_req), BPRI_HI);
2022 if (dataind == NULL) {
2023 freemsg(m);
2024 return;
2025 }
2026 dataind->b_cont = m;
2027 dataind->b_wptr += sizeof (struct T_data_req);
2028 ((struct T_data_ind *)dataind->b_rptr)->PRIM_type = T_DATA_IND;
2029 ((struct T_data_ind *)dataind->b_rptr)->MORE_flag = 0;
2030 dataind->b_datap->db_type = M_PROTO;
2031 putnext(q, dataind);
2032 }
2033 }
2034
2035 /*
2036 * Start dumping.
2037 * Format a start-of-dump record, and set up the stream and kick the rsrv
2038 * procedure to continue the job..
2039 */
2040 /* ARGSUSED */
2041 static void
2042 spdsock_dump(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp)
2043 {
2044 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2045 netstack_t *ns = ss->spdsock_spds->spds_netstack;
2046 ipsec_stack_t *ipss = ns->netstack_ipsec;
2047 mblk_t *mr;
2048
2049 /* spdsock_open() already set spdsock_itp to NULL. */
2050 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) {
2051 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
2052 ss->spdsock_dump_remaining_polheads = 1 +
2053 avl_numnodes(&ipss->ipsec_tunnel_policies);
2054 ss->spdsock_dump_tun_gen = ipss->ipsec_tunnel_policy_gen;
2055 rw_exit(&ipss->ipsec_tunnel_policy_lock);
2056 if (iph == ALL_ACTIVE_POLHEADS) {
2057 iph = ipsec_system_policy(ns);
2058 ss->spdsock_dump_active = B_TRUE;
2059 } else {
2060 iph = ipsec_inactive_policy(ns);
2061 ss->spdsock_dump_active = B_FALSE;
2062 }
2063 ASSERT(ss->spdsock_itp == NULL);
2064 } else {
2065 ss->spdsock_dump_remaining_polheads = 1;
2066 }
2067
2068 rw_enter(&iph->iph_lock, RW_READER);
2069
2070 mr = spdsock_dump_ruleset(mp, iph, 0, 0);
2071
2072 if (!mr) {
2073 rw_exit(&iph->iph_lock);
2074 spdsock_error(q, mp, ENOMEM, 0);
2075 return;
2076 }
2077
2078 ss->spdsock_dump_req = mp;
2079 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph);
2080
2081 rw_exit(&iph->iph_lock);
2082
2083 qreply(q, mr);
2084 qenable(OTHERQ(q));
2085 }
2086
2087 /* Do NOT consume a reference to ITP. */
2088 void
2089 spdsock_clone_node(ipsec_tun_pol_t *itp, void *ep, netstack_t *ns)
2090 {
2091 int *errptr = (int *)ep;
2092
2093 if (*errptr != 0)
2094 return; /* We've failed already for some reason. */
2095 mutex_enter(&itp->itp_lock);
2096 ITPF_CLONE(itp->itp_flags);
2097 *errptr = ipsec_copy_polhead(itp->itp_policy, itp->itp_inactive, ns);
2098 mutex_exit(&itp->itp_lock);
2099 }
2100
2101 void
2102 spdsock_clone(queue_t *q, mblk_t *mp, spd_if_t *tunname)
2103 {
2104 int error;
2105 char *tname;
2106 ipsec_tun_pol_t *itp;
2107 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2108 netstack_t *ns = ss->spdsock_spds->spds_netstack;
2109
2110 if (tunname != NULL) {
2111 tname = (char *)tunname->spd_if_name;
2112 if (*tname == '\0') {
2113 error = ipsec_clone_system_policy(ns);
2114 if (audit_active) {
2115 boolean_t active;
2116 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2117 cred_t *cr;
2118 pid_t cpid;
2119
2120 cr = msg_getcred(mp, &cpid);
2121 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2122 audit_pf_policy(SPD_CLONE, cr, ns,
2123 NULL, active, error, cpid);
2124 }
2125 if (error == 0) {
2126 itp_walk(spdsock_clone_node, &error, ns);
2127 if (audit_active) {
2128 boolean_t active;
2129 spd_msg_t *spmsg =
2130 (spd_msg_t *)mp->b_rptr;
2131 cred_t *cr;
2132 pid_t cpid;
2133
2134 cr = msg_getcred(mp, &cpid);
2135 active = (spmsg->spd_msg_spdid ==
2136 SPD_ACTIVE);
2137 audit_pf_policy(SPD_CLONE, cr,
2138 ns, "all tunnels", active, 0,
2139 cpid);
2140 }
2141 }
2142 } else {
2143 itp = get_tunnel_policy(tname, ns);
2144 if (itp == NULL) {
2145 spdsock_error(q, mp, ENOENT, 0);
2146 if (audit_active) {
2147 boolean_t active;
2148 spd_msg_t *spmsg =
2149 (spd_msg_t *)mp->b_rptr;
2150 cred_t *cr;
2151 pid_t cpid;
2152
2153 cr = msg_getcred(mp, &cpid);
2154 active = (spmsg->spd_msg_spdid ==
2155 SPD_ACTIVE);
2156 audit_pf_policy(SPD_CLONE, cr,
2157 ns, NULL, active, ENOENT, cpid);
2158 }
2159 return;
2160 }
2161 spdsock_clone_node(itp, &error, NULL);
2162 if (audit_active) {
2163 boolean_t active;
2164 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2165 cred_t *cr;
2166 pid_t cpid;
2167
2168 cr = msg_getcred(mp, &cpid);
2169 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2170 audit_pf_policy(SPD_CLONE, cr, ns,
2171 ITP_NAME(itp), active, error, cpid);
2172 }
2173 ITP_REFRELE(itp, ns);
2174 }
2175 } else {
2176 error = ipsec_clone_system_policy(ns);
2177 if (audit_active) {
2178 boolean_t active;
2179 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2180 cred_t *cr;
2181 pid_t cpid;
2182
2183 cr = msg_getcred(mp, &cpid);
2184 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2185 audit_pf_policy(SPD_CLONE, cr, ns, NULL,
2186 active, error, cpid);
2187 }
2188 }
2189
2190 if (error != 0)
2191 spdsock_error(q, mp, error, 0);
2192 else
2193 spd_echo(q, mp);
2194 }
2195
2196 /*
2197 * Process a SPD_ALGLIST request. The caller expects separate alg entries
2198 * for AH authentication, ESP authentication, and ESP encryption.
2199 * The same distinction is then used when setting the min and max key
2200 * sizes when defining policies.
2201 */
2202
2203 #define SPDSOCK_AH_AUTH 0
2204 #define SPDSOCK_ESP_AUTH 1
2205 #define SPDSOCK_ESP_ENCR 2
2206 #define SPDSOCK_NTYPES 3
2207
2208 static const uint_t algattr[SPDSOCK_NTYPES] = {
2209 SPD_ATTR_AH_AUTH,
2210 SPD_ATTR_ESP_AUTH,
2211 SPD_ATTR_ESP_ENCR
2212 };
2213 static const uint_t minbitsattr[SPDSOCK_NTYPES] = {
2214 SPD_ATTR_AH_MINBITS,
2215 SPD_ATTR_ESPA_MINBITS,
2216 SPD_ATTR_ENCR_MINBITS
2217 };
2218 static const uint_t maxbitsattr[SPDSOCK_NTYPES] = {
2219 SPD_ATTR_AH_MAXBITS,
2220 SPD_ATTR_ESPA_MAXBITS,
2221 SPD_ATTR_ENCR_MAXBITS
2222 };
2223 static const uint_t defbitsattr[SPDSOCK_NTYPES] = {
2224 SPD_ATTR_AH_DEFBITS,
2225 SPD_ATTR_ESPA_DEFBITS,
2226 SPD_ATTR_ENCR_DEFBITS
2227 };
2228 static const uint_t incrbitsattr[SPDSOCK_NTYPES] = {
2229 SPD_ATTR_AH_INCRBITS,
2230 SPD_ATTR_ESPA_INCRBITS,
2231 SPD_ATTR_ENCR_INCRBITS
2232 };
2233
2234 #define ATTRPERALG 6 /* fixed attributes per algs */
2235
2236 void
2237 spdsock_alglist(queue_t *q, mblk_t *mp)
2238 {
2239 uint_t algtype;
2240 uint_t algidx;
2241 uint_t algcount;
2242 uint_t size;
2243 mblk_t *m;
2244 uint8_t *cur;
2245 spd_msg_t *msg;
2246 struct spd_ext_actions *act;
2247 struct spd_attribute *attr;
2248 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2249 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
2250
2251 mutex_enter(&ipss->ipsec_alg_lock);
2252 /*
2253 * The SPD client expects to receive separate entries for
2254 * AH authentication and ESP authentication supported algorithms.
2255 *
2256 * Don't return the "any" algorithms, if defined, as no
2257 * kernel policies can be set for these algorithms.
2258 */
2259 algcount = 2 * ipss->ipsec_nalgs[IPSEC_ALG_AUTH] +
2260 ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
2261
2262 if (ipss->ipsec_alglists[IPSEC_ALG_AUTH][SADB_AALG_NONE] != NULL)
2263 algcount--;
2264 if (ipss->ipsec_alglists[IPSEC_ALG_ENCR][SADB_EALG_NONE] != NULL)
2265 algcount--;
2266
2267 /*
2268 * For each algorithm, we encode:
2269 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2270 */
2271
2272 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions) +
2273 ATTRPERALG * sizeof (struct spd_attribute) * algcount;
2274
2275 ASSERT(ALIGNED64(size));
2276
2277 m = allocb(size, BPRI_HI);
2278 if (m == NULL) {
2279 mutex_exit(&ipss->ipsec_alg_lock);
2280 spdsock_error(q, mp, ENOMEM, 0);
2281 return;
2282 }
2283
2284 m->b_wptr = m->b_rptr + size;
2285 cur = m->b_rptr;
2286
2287 msg = (spd_msg_t *)cur;
2288 bcopy(mp->b_rptr, cur, sizeof (*msg));
2289
2290 msg->spd_msg_len = SPD_8TO64(size);
2291 msg->spd_msg_errno = 0;
2292 msg->spd_msg_diagnostic = 0;
2293
2294 cur += sizeof (*msg);
2295
2296 act = (struct spd_ext_actions *)cur;
2297 cur += sizeof (*act);
2298
2299 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t));
2300 act->spd_actions_exttype = SPD_EXT_ACTION;
2301 act->spd_actions_count = algcount;
2302 act->spd_actions_reserved = 0;
2303
2304 attr = (struct spd_attribute *)cur;
2305
2306 #define EMIT(tag, value) { \
2307 attr->spd_attr_tag = (tag); \
2308 attr->spd_attr_value = (value); \
2309 attr++; \
2310 }
2311
2312 /*
2313 * If you change the number of EMIT's here, change
2314 * ATTRPERALG above to match
2315 */
2316 #define EMITALGATTRS(_type) { \
2317 EMIT(algattr[_type], algid); /* 1 */ \
2318 EMIT(minbitsattr[_type], minbits); /* 2 */ \
2319 EMIT(maxbitsattr[_type], maxbits); /* 3 */ \
2320 EMIT(defbitsattr[_type], defbits); /* 4 */ \
2321 EMIT(incrbitsattr[_type], incr); /* 5 */ \
2322 EMIT(SPD_ATTR_NEXT, 0); /* 6 */ \
2323 }
2324
2325 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2326 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2327 algidx++) {
2328 int algid = ipss->ipsec_sortlist[algtype][algidx];
2329 ipsec_alginfo_t *alg =
2330 ipss->ipsec_alglists[algtype][algid];
2331 uint_t minbits = alg->alg_minbits;
2332 uint_t maxbits = alg->alg_maxbits;
2333 uint_t defbits = alg->alg_default_bits;
2334 uint_t incr = alg->alg_increment;
2335
2336 if (algtype == IPSEC_ALG_AUTH) {
2337 if (algid == SADB_AALG_NONE)
2338 continue;
2339 EMITALGATTRS(SPDSOCK_AH_AUTH);
2340 EMITALGATTRS(SPDSOCK_ESP_AUTH);
2341 } else {
2342 if (algid == SADB_EALG_NONE)
2343 continue;
2344 ASSERT(algtype == IPSEC_ALG_ENCR);
2345 EMITALGATTRS(SPDSOCK_ESP_ENCR);
2346 }
2347 }
2348 }
2349
2350 mutex_exit(&ipss->ipsec_alg_lock);
2351
2352 #undef EMITALGATTRS
2353 #undef EMIT
2354 #undef ATTRPERALG
2355
2356 attr--;
2357 attr->spd_attr_tag = SPD_ATTR_END;
2358
2359 freemsg(mp);
2360 qreply(q, m);
2361 }
2362
2363 /*
2364 * Process a SPD_DUMPALGS request.
2365 */
2366
2367 #define ATTRPERALG 9 /* fixed attributes per algs */
2368
2369 void
2370 spdsock_dumpalgs(queue_t *q, mblk_t *mp)
2371 {
2372 uint_t algtype;
2373 uint_t algidx;
2374 uint_t size;
2375 mblk_t *m;
2376 uint8_t *cur;
2377 spd_msg_t *msg;
2378 struct spd_ext_actions *act;
2379 struct spd_attribute *attr;
2380 ipsec_alginfo_t *alg;
2381 uint_t algid;
2382 uint_t i;
2383 uint_t alg_size;
2384 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2385 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
2386
2387 mutex_enter(&ipss->ipsec_alg_lock);
2388
2389 /*
2390 * For each algorithm, we encode:
2391 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2392 *
2393 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE*
2394 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_NPARAMS / ALG_PARAMS* /
2395 * ALG_MECHNAME / ALG_FLAGS / {END, NEXT}
2396 */
2397
2398 /*
2399 * Compute the size of the SPD message.
2400 */
2401 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions);
2402
2403 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2404 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2405 algidx++) {
2406 algid = ipss->ipsec_sortlist[algtype][algidx];
2407 alg = ipss->ipsec_alglists[algtype][algid];
2408 alg_size = sizeof (struct spd_attribute) *
2409 (ATTRPERALG + alg->alg_nkey_sizes +
2410 alg->alg_nblock_sizes + alg->alg_nparams) +
2411 CRYPTO_MAX_MECH_NAME;
2412 size += alg_size;
2413 }
2414 }
2415
2416 ASSERT(ALIGNED64(size));
2417
2418 m = allocb(size, BPRI_HI);
2419 if (m == NULL) {
2420 mutex_exit(&ipss->ipsec_alg_lock);
2421 spdsock_error(q, mp, ENOMEM, 0);
2422 return;
2423 }
2424
2425 m->b_wptr = m->b_rptr + size;
2426 cur = m->b_rptr;
2427
2428 msg = (spd_msg_t *)cur;
2429 bcopy(mp->b_rptr, cur, sizeof (*msg));
2430
2431 msg->spd_msg_len = SPD_8TO64(size);
2432 msg->spd_msg_errno = 0;
2433 msg->spd_msg_type = SPD_ALGLIST;
2434
2435 msg->spd_msg_diagnostic = 0;
2436
2437 cur += sizeof (*msg);
2438
2439 act = (struct spd_ext_actions *)cur;
2440 cur += sizeof (*act);
2441
2442 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t));
2443 act->spd_actions_exttype = SPD_EXT_ACTION;
2444 act->spd_actions_count = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] +
2445 ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
2446 act->spd_actions_reserved = 0;
2447
2448 /*
2449 * If there aren't any algorithms registered, return an empty message.
2450 * spdsock_get_ext() knows how to deal with this.
2451 */
2452 if (act->spd_actions_count == 0) {
2453 act->spd_actions_len = 0;
2454 mutex_exit(&ipss->ipsec_alg_lock);
2455 goto error;
2456 }
2457
2458 attr = (struct spd_attribute *)cur;
2459
2460 #define EMIT(tag, value) { \
2461 attr->spd_attr_tag = (tag); \
2462 attr->spd_attr_value = (value); \
2463 attr++; \
2464 }
2465
2466 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2467 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2468 algidx++) {
2469
2470 algid = ipss->ipsec_sortlist[algtype][algidx];
2471 alg = ipss->ipsec_alglists[algtype][algid];
2472
2473 /*
2474 * If you change the number of EMIT's here, change
2475 * ATTRPERALG above to match
2476 */
2477 EMIT(SPD_ATTR_ALG_ID, algid);
2478 EMIT(SPD_ATTR_ALG_PROTO, algproto[algtype]);
2479 EMIT(SPD_ATTR_ALG_INCRBITS, alg->alg_increment);
2480 EMIT(SPD_ATTR_ALG_NKEYSIZES, alg->alg_nkey_sizes);
2481 for (i = 0; i < alg->alg_nkey_sizes; i++)
2482 EMIT(SPD_ATTR_ALG_KEYSIZE,
2483 alg->alg_key_sizes[i]);
2484
2485 EMIT(SPD_ATTR_ALG_NBLOCKSIZES, alg->alg_nblock_sizes);
2486 for (i = 0; i < alg->alg_nblock_sizes; i++)
2487 EMIT(SPD_ATTR_ALG_BLOCKSIZE,
2488 alg->alg_block_sizes[i]);
2489
2490 EMIT(SPD_ATTR_ALG_NPARAMS, alg->alg_nparams);
2491 for (i = 0; i < alg->alg_nparams; i++)
2492 EMIT(SPD_ATTR_ALG_PARAMS,
2493 alg->alg_params[i]);
2494
2495 EMIT(SPD_ATTR_ALG_FLAGS, alg->alg_flags);
2496
2497 EMIT(SPD_ATTR_ALG_MECHNAME, CRYPTO_MAX_MECH_NAME);
2498 bcopy(alg->alg_mech_name, attr, CRYPTO_MAX_MECH_NAME);
2499 attr = (struct spd_attribute *)((char *)attr +
2500 CRYPTO_MAX_MECH_NAME);
2501
2502 EMIT(SPD_ATTR_NEXT, 0);
2503 }
2504 }
2505
2506 mutex_exit(&ipss->ipsec_alg_lock);
2507
2508 #undef EMITALGATTRS
2509 #undef EMIT
2510 #undef ATTRPERALG
2511
2512 attr--;
2513 attr->spd_attr_tag = SPD_ATTR_END;
2514
2515 error:
2516 freemsg(mp);
2517 qreply(q, m);
2518 }
2519
2520 /*
2521 * Do the actual work of processing an SPD_UPDATEALGS request. Can
2522 * be invoked either once IPsec is loaded on a cached request, or
2523 * when a request is received while IPsec is loaded.
2524 */
2525 static int
2526 spdsock_do_updatealg(spd_ext_t *extv[], spd_stack_t *spds)
2527 {
2528 struct spd_ext_actions *actp;
2529 struct spd_attribute *attr, *endattr;
2530 uint64_t *start, *end;
2531 ipsec_alginfo_t *alg = NULL;
2532 ipsec_algtype_t alg_type = 0;
2533 boolean_t skip_alg = B_TRUE, doing_proto = B_FALSE;
2534 uint_t i, cur_key, cur_block, algid;
2535 int diag = -1;
2536
2537 ASSERT(MUTEX_HELD(&spds->spds_alg_lock));
2538
2539 /* parse the message, building the list of algorithms */
2540
2541 actp = (struct spd_ext_actions *)extv[SPD_EXT_ACTION];
2542 if (actp == NULL)
2543 return (SPD_DIAGNOSTIC_NO_ACTION_EXT);
2544
2545 start = (uint64_t *)actp;
2546 end = (start + actp->spd_actions_len);
2547 endattr = (struct spd_attribute *)end;
2548 attr = (struct spd_attribute *)&actp[1];
2549
2550 bzero(spds->spds_algs, IPSEC_NALGTYPES * IPSEC_MAX_ALGS *
2551 sizeof (ipsec_alginfo_t *));
2552
2553 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP);
2554
2555 #define ALG_KEY_SIZES(a) (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t))
2556 #define ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t))
2557 #define ALG_PARAM_SIZES(a) (((a)->alg_nparams + 1) * sizeof (uint16_t))
2558
2559 while (attr < endattr) {
2560 switch (attr->spd_attr_tag) {
2561 case SPD_ATTR_NOP:
2562 case SPD_ATTR_EMPTY:
2563 break;
2564 case SPD_ATTR_END:
2565 attr = endattr;
2566 /* FALLTHRU */
2567 case SPD_ATTR_NEXT:
2568 if (doing_proto) {
2569 doing_proto = B_FALSE;
2570 break;
2571 }
2572 if (skip_alg) {
2573 ipsec_alg_free(alg);
2574 } else {
2575 ipsec_alg_free(
2576 spds->spds_algs[alg_type][alg->alg_id]);
2577 spds->spds_algs[alg_type][alg->alg_id] =
2578 alg;
2579 }
2580 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP);
2581 break;
2582
2583 case SPD_ATTR_ALG_ID:
2584 if (attr->spd_attr_value >= IPSEC_MAX_ALGS) {
2585 ss1dbg(spds, ("spdsock_do_updatealg: "
2586 "invalid alg id %d\n",
2587 attr->spd_attr_value));
2588 diag = SPD_DIAGNOSTIC_ALG_ID_RANGE;
2589 goto bail;
2590 }
2591 alg->alg_id = attr->spd_attr_value;
2592 break;
2593
2594 case SPD_ATTR_ALG_PROTO:
2595 /* find the alg type */
2596 for (i = 0; i < NALGPROTOS; i++)
2597 if (algproto[i] == attr->spd_attr_value)
2598 break;
2599 skip_alg = (i == NALGPROTOS);
2600 if (!skip_alg)
2601 alg_type = i;
2602 break;
2603
2604 case SPD_ATTR_ALG_INCRBITS:
2605 alg->alg_increment = attr->spd_attr_value;
2606 break;
2607
2608 case SPD_ATTR_ALG_NKEYSIZES:
2609 if (alg->alg_key_sizes != NULL) {
2610 kmem_free(alg->alg_key_sizes,
2611 ALG_KEY_SIZES(alg));
2612 }
2613 alg->alg_nkey_sizes = attr->spd_attr_value;
2614 /*
2615 * Allocate room for the trailing zero key size
2616 * value as well.
2617 */
2618 alg->alg_key_sizes = kmem_zalloc(ALG_KEY_SIZES(alg),
2619 KM_SLEEP);
2620 cur_key = 0;
2621 break;
2622
2623 case SPD_ATTR_ALG_KEYSIZE:
2624 if (alg->alg_key_sizes == NULL ||
2625 cur_key >= alg->alg_nkey_sizes) {
2626 ss1dbg(spds, ("spdsock_do_updatealg: "
2627 "too many key sizes\n"));
2628 diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES;
2629 goto bail;
2630 }
2631 alg->alg_key_sizes[cur_key++] = attr->spd_attr_value;
2632 break;
2633
2634 case SPD_ATTR_ALG_FLAGS:
2635 /*
2636 * Flags (bit mask). The alg_flags element of
2637 * ipsecalg_flags_t is only 8 bits wide. The
2638 * user can set the VALID bit, but we will ignore it
2639 * and make the decision is the algorithm is valid.
2640 */
2641 alg->alg_flags |= (uint8_t)attr->spd_attr_value;
2642 break;
2643
2644 case SPD_ATTR_ALG_NBLOCKSIZES:
2645 if (alg->alg_block_sizes != NULL) {
2646 kmem_free(alg->alg_block_sizes,
2647 ALG_BLOCK_SIZES(alg));
2648 }
2649 alg->alg_nblock_sizes = attr->spd_attr_value;
2650 /*
2651 * Allocate room for the trailing zero block size
2652 * value as well.
2653 */
2654 alg->alg_block_sizes = kmem_zalloc(ALG_BLOCK_SIZES(alg),
2655 KM_SLEEP);
2656 cur_block = 0;
2657 break;
2658
2659 case SPD_ATTR_ALG_BLOCKSIZE:
2660 if (alg->alg_block_sizes == NULL ||
2661 cur_block >= alg->alg_nblock_sizes) {
2662 ss1dbg(spds, ("spdsock_do_updatealg: "
2663 "too many block sizes\n"));
2664 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
2665 goto bail;
2666 }
2667 alg->alg_block_sizes[cur_block++] =
2668 attr->spd_attr_value;
2669 break;
2670
2671 case SPD_ATTR_ALG_NPARAMS:
2672 if (alg->alg_params != NULL) {
2673 kmem_free(alg->alg_params,
2674 ALG_PARAM_SIZES(alg));
2675 }
2676 alg->alg_nparams = attr->spd_attr_value;
2677 /*
2678 * Allocate room for the trailing zero block size
2679 * value as well.
2680 */
2681 alg->alg_params = kmem_zalloc(ALG_PARAM_SIZES(alg),
2682 KM_SLEEP);
2683 cur_block = 0;
2684 break;
2685
2686 case SPD_ATTR_ALG_PARAMS:
2687 if (alg->alg_params == NULL ||
2688 cur_block >= alg->alg_nparams) {
2689 ss1dbg(spds, ("spdsock_do_updatealg: "
2690 "too many params\n"));
2691 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
2692 goto bail;
2693 }
2694 /*
2695 * Array contains: iv_len, icv_len, salt_len
2696 * Any additional parameters are currently ignored.
2697 */
2698 alg->alg_params[cur_block++] =
2699 attr->spd_attr_value;
2700 break;
2701
2702 case SPD_ATTR_ALG_MECHNAME: {
2703 char *mech_name;
2704
2705 if (attr->spd_attr_value > CRYPTO_MAX_MECH_NAME) {
2706 ss1dbg(spds, ("spdsock_do_updatealg: "
2707 "mech name too long\n"));
2708 diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN;
2709 goto bail;
2710 }
2711 mech_name = (char *)(attr + 1);
2712 bcopy(mech_name, alg->alg_mech_name,
2713 attr->spd_attr_value);
2714 alg->alg_mech_name[CRYPTO_MAX_MECH_NAME-1] = '\0';
2715 attr = (struct spd_attribute *)((char *)attr +
2716 attr->spd_attr_value);
2717 break;
2718 }
2719
2720 case SPD_ATTR_PROTO_ID:
2721 doing_proto = B_TRUE;
2722 for (i = 0; i < NALGPROTOS; i++) {
2723 if (algproto[i] == attr->spd_attr_value) {
2724 alg_type = i;
2725 break;
2726 }
2727 }
2728 break;
2729
2730 case SPD_ATTR_PROTO_EXEC_MODE:
2731 if (!doing_proto)
2732 break;
2733 for (i = 0; i < NEXECMODES; i++) {
2734 if (execmodes[i] == attr->spd_attr_value) {
2735 spds->spds_algs_exec_mode[alg_type] = i;
2736 break;
2737 }
2738 }
2739 break;
2740 }
2741 attr++;
2742 }
2743
2744 #undef ALG_KEY_SIZES
2745 #undef ALG_BLOCK_SIZES
2746 #undef ALG_PARAM_SIZES
2747
2748 /* update the algorithm tables */
2749 spdsock_merge_algs(spds);
2750 bail:
2751 /* cleanup */
2752 ipsec_alg_free(alg);
2753 for (alg_type = 0; alg_type < IPSEC_NALGTYPES; alg_type++)
2754 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++)
2755 if (spds->spds_algs[alg_type][algid] != NULL)
2756 ipsec_alg_free(spds->spds_algs[alg_type][algid]);
2757 return (diag);
2758 }
2759
2760 /*
2761 * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue
2762 * the request until IPsec loads. If IPsec is loaded, act on it
2763 * immediately.
2764 */
2765
2766 static void
2767 spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[])
2768 {
2769 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2770 spd_stack_t *spds = ss->spdsock_spds;
2771 ipsec_stack_t *ipss = spds->spds_netstack->netstack_ipsec;
2772
2773 if (!ipsec_loaded(ipss)) {
2774 /*
2775 * IPsec is not loaded, save request and return nicely,
2776 * the message will be processed once IPsec loads.
2777 */
2778 mblk_t *new_mp;
2779
2780 /* last update message wins */
2781 if ((new_mp = copymsg(mp)) == NULL) {
2782 spdsock_error(q, mp, ENOMEM, 0);
2783 return;
2784 }
2785 mutex_enter(&spds->spds_alg_lock);
2786 bcopy(extv, spds->spds_extv_algs,
2787 sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1));
2788 if (spds->spds_mp_algs != NULL)
2789 freemsg(spds->spds_mp_algs);
2790 spds->spds_mp_algs = mp;
2791 spds->spds_algs_pending = B_TRUE;
2792 mutex_exit(&spds->spds_alg_lock);
2793 if (audit_active) {
2794 cred_t *cr;
2795 pid_t cpid;
2796
2797 cr = msg_getcred(mp, &cpid);
2798 audit_pf_policy(SPD_UPDATEALGS, cr,
2799 spds->spds_netstack, NULL, B_TRUE, EAGAIN,
2800 cpid);
2801 }
2802 spd_echo(q, new_mp);
2803 } else {
2804 /*
2805 * IPsec is loaded, act on the message immediately.
2806 */
2807 int diag;
2808
2809 mutex_enter(&spds->spds_alg_lock);
2810 diag = spdsock_do_updatealg(extv, spds);
2811 if (diag == -1) {
2812 /* Keep the lock held while we walk the SA tables. */
2813 sadb_alg_update(IPSEC_ALG_ALL, 0, 0,
2814 spds->spds_netstack);
2815 mutex_exit(&spds->spds_alg_lock);
2816 spd_echo(q, mp);
2817 if (audit_active) {
2818 cred_t *cr;
2819 pid_t cpid;
2820
2821 cr = msg_getcred(mp, &cpid);
2822 audit_pf_policy(SPD_UPDATEALGS, cr,
2823 spds->spds_netstack, NULL, B_TRUE, 0,
2824 cpid);
2825 }
2826 } else {
2827 mutex_exit(&spds->spds_alg_lock);
2828 spdsock_diag(q, mp, diag);
2829 if (audit_active) {
2830 cred_t *cr;
2831 pid_t cpid;
2832
2833 cr = msg_getcred(mp, &cpid);
2834 audit_pf_policy(SPD_UPDATEALGS, cr,
2835 spds->spds_netstack, NULL, B_TRUE, diag,
2836 cpid);
2837 }
2838 }
2839 }
2840 }
2841
2842 /*
2843 * Find a tunnel instance (using the name to link ID mapping), and
2844 * update it after an IPsec change. We need to do this always in case
2845 * we add policy AFTER plumbing a tunnel. We also need to do this
2846 * because, as a side-effect, the tunnel's MTU is updated to reflect
2847 * any IPsec overhead in the itp's policy.
2848 */
2849 static void
2850 update_iptun_policy(ipsec_tun_pol_t *itp)
2851 {
2852 datalink_id_t linkid;
2853
2854 if (dls_mgmt_get_linkid(itp->itp_name, &linkid) == 0)
2855 iptun_set_policy(linkid, itp);
2856 }
2857
2858 /*
2859 * Sort through the mess of polhead options to retrieve an appropriate one.
2860 * Returns NULL if we send an spdsock error. Returns a valid pointer if we
2861 * found a valid polhead. Returns ALL_ACTIVE_POLHEADS (aka. -1) or
2862 * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to
2863 * act on ALL policy heads.
2864 */
2865 static ipsec_policy_head_t *
2866 get_appropriate_polhead(queue_t *q, mblk_t *mp, spd_if_t *tunname, int spdid,
2867 int msgtype, ipsec_tun_pol_t **itpp)
2868 {
2869 ipsec_tun_pol_t *itp;
2870 ipsec_policy_head_t *iph;
2871 int errno;
2872 char *tname;
2873 boolean_t active;
2874 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2875 netstack_t *ns = ss->spdsock_spds->spds_netstack;
2876 uint64_t gen; /* Placeholder */
2877
2878 active = (spdid == SPD_ACTIVE);
2879 *itpp = NULL;
2880 if (!active && spdid != SPD_STANDBY) {
2881 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_SPDID);
2882 return (NULL);
2883 }
2884
2885 if (tunname != NULL) {
2886 /* Acting on a tunnel's SPD. */
2887 tname = (char *)tunname->spd_if_name;
2888 if (*tname == '\0') {
2889 /* Handle all-polhead cases here. */
2890 if (msgtype != SPD_FLUSH && msgtype != SPD_DUMP) {
2891 spdsock_diag(q, mp,
2892 SPD_DIAGNOSTIC_NOT_GLOBAL_OP);
2893 return (NULL);
2894 }
2895 return (active ? ALL_ACTIVE_POLHEADS :
2896 ALL_INACTIVE_POLHEADS);
2897 }
2898
2899 itp = get_tunnel_policy(tname, ns);
2900 if (itp == NULL) {
2901 if (msgtype != SPD_ADDRULE) {
2902 /* "Tunnel not found" */
2903 spdsock_error(q, mp, ENOENT, 0);
2904 return (NULL);
2905 }
2906
2907 errno = 0;
2908 itp = create_tunnel_policy(tname, &errno, &gen, ns);
2909 if (itp == NULL) {
2910 /*
2911 * Something very bad happened, most likely
2912 * ENOMEM. Return an indicator.
2913 */
2914 spdsock_error(q, mp, errno, 0);
2915 return (NULL);
2916 }
2917 }
2918
2919 /* Match up the itp to an iptun instance. */
2920 update_iptun_policy(itp);
2921
2922 *itpp = itp;
2923 /* For spdsock dump state, set the polhead's name. */
2924 if (msgtype == SPD_DUMP) {
2925 ITP_REFHOLD(itp);
2926 ss->spdsock_itp = itp;
2927 ss->spdsock_dump_tunnel = itp->itp_flags &
2928 (active ? ITPF_P_TUNNEL : ITPF_I_TUNNEL);
2929 }
2930 } else {
2931 itp = NULL;
2932 /* For spdsock dump state, indicate it's global policy. */
2933 if (msgtype == SPD_DUMP)
2934 ss->spdsock_itp = NULL;
2935 }
2936
2937 if (active)
2938 iph = (itp == NULL) ? ipsec_system_policy(ns) : itp->itp_policy;
2939 else
2940 iph = (itp == NULL) ? ipsec_inactive_policy(ns) :
2941 itp->itp_inactive;
2942
2943 ASSERT(iph != NULL);
2944 if (itp != NULL) {
2945 IPPH_REFHOLD(iph);
2946 }
2947
2948 return (iph);
2949 }
2950
2951 static void
2952 spdsock_parse(queue_t *q, mblk_t *mp)
2953 {
2954 spd_msg_t *spmsg;
2955 spd_ext_t *extv[SPD_EXT_MAX + 1];
2956 uint_t msgsize;
2957 ipsec_policy_head_t *iph;
2958 ipsec_tun_pol_t *itp;
2959 spd_if_t *tunname;
2960 spdsock_t *ss = (spdsock_t *)q->q_ptr;
2961 spd_stack_t *spds = ss->spdsock_spds;
2962 netstack_t *ns = spds->spds_netstack;
2963 ipsec_stack_t *ipss = ns->netstack_ipsec;
2964
2965 /* Make sure nothing's below me. */
2966 ASSERT(WR(q)->q_next == NULL);
2967
2968 spmsg = (spd_msg_t *)mp->b_rptr;
2969
2970 msgsize = SPD_64TO8(spmsg->spd_msg_len);
2971
2972 if (msgdsize(mp) != msgsize) {
2973 /*
2974 * Message len incorrect w.r.t. actual size. Send an error
2975 * (EMSGSIZE). It may be necessary to massage things a
2976 * bit. For example, if the spd_msg_type is hosed,
2977 * I need to set it to SPD_RESERVED to get delivery to
2978 * do the right thing. Then again, maybe just letting
2979 * the error delivery do the right thing.
2980 */
2981 ss2dbg(spds,
2982 ("mblk (%lu) and base (%d) message sizes don't jibe.\n",
2983 msgdsize(mp), msgsize));
2984 spdsock_error(q, mp, EMSGSIZE, SPD_DIAGNOSTIC_NONE);
2985 return;
2986 }
2987
2988 if (msgsize > (uint_t)(mp->b_wptr - mp->b_rptr)) {
2989 /* Get all message into one mblk. */
2990 if (pullupmsg(mp, -1) == 0) {
2991 /*
2992 * Something screwy happened.
2993 */
2994 ss3dbg(spds, ("spdsock_parse: pullupmsg() failed.\n"));
2995 return;
2996 } else {
2997 spmsg = (spd_msg_t *)mp->b_rptr;
2998 }
2999 }
3000
3001 switch (spdsock_get_ext(extv, spmsg, msgsize)) {
3002 case KGE_DUP:
3003 /* Handle duplicate extension. */
3004 ss1dbg(spds, ("Got duplicate extension of type %d.\n",
3005 extv[0]->spd_ext_type));
3006 spdsock_diag(q, mp, dup_ext_diag[extv[0]->spd_ext_type]);
3007 return;
3008 case KGE_UNK:
3009 /* Handle unknown extension. */
3010 ss1dbg(spds, ("Got unknown extension of type %d.\n",
3011 extv[0]->spd_ext_type));
3012 spdsock_diag(q, mp, SPD_DIAGNOSTIC_UNKNOWN_EXT);
3013 return;
3014 case KGE_LEN:
3015 /* Length error. */
3016 ss1dbg(spds, ("Length %d on extension type %d overrun or 0.\n",
3017 extv[0]->spd_ext_len, extv[0]->spd_ext_type));
3018 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_EXTLEN);
3019 return;
3020 case KGE_CHK:
3021 /* Reality check failed. */
3022 ss1dbg(spds, ("Reality check failed on extension type %d.\n",
3023 extv[0]->spd_ext_type));
3024 spdsock_diag(q, mp, bad_ext_diag[extv[0]->spd_ext_type]);
3025 return;
3026 default:
3027 /* Default case is no errors. */
3028 break;
3029 }
3030
3031 /*
3032 * Special-case SPD_UPDATEALGS so as not to load IPsec.
3033 */
3034 if (!ipsec_loaded(ipss) && spmsg->spd_msg_type != SPD_UPDATEALGS) {
3035 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3036
3037 ASSERT(ss != NULL);
3038 ipsec_loader_loadnow(ipss);
3039 ss->spdsock_timeout_arg = mp;
3040 ss->spdsock_timeout = qtimeout(q, spdsock_loadcheck,
3041 q, LOADCHECK_INTERVAL);
3042 return;
3043 }
3044
3045 /* First check for messages that need no polheads at all. */
3046 switch (spmsg->spd_msg_type) {
3047 case SPD_UPDATEALGS:
3048 spdsock_updatealg(q, mp, extv);
3049 return;
3050 case SPD_ALGLIST:
3051 spdsock_alglist(q, mp);
3052 return;
3053 case SPD_DUMPALGS:
3054 spdsock_dumpalgs(q, mp);
3055 return;
3056 }
3057
3058 /*
3059 * Then check for ones that need both primary/secondary polheads,
3060 * finding the appropriate tunnel policy if need be.
3061 */
3062 tunname = (spd_if_t *)extv[SPD_EXT_TUN_NAME];
3063 switch (spmsg->spd_msg_type) {
3064 case SPD_FLIP:
3065 spdsock_flip(q, mp, tunname);
3066 return;
3067 case SPD_CLONE:
3068 spdsock_clone(q, mp, tunname);
3069 return;
3070 }
3071
3072 /*
3073 * Finally, find ones that operate on exactly one polhead, or
3074 * "all polheads" of a given type (active/inactive).
3075 */
3076 iph = get_appropriate_polhead(q, mp, tunname, spmsg->spd_msg_spdid,
3077 spmsg->spd_msg_type, &itp);
3078 if (iph == NULL)
3079 return;
3080
3081 /* All-polheads-ready operations. */
3082 switch (spmsg->spd_msg_type) {
3083 case SPD_FLUSH:
3084 if (itp != NULL) {
3085 mutex_enter(&itp->itp_lock);
3086 if (spmsg->spd_msg_spdid == SPD_ACTIVE)
3087 itp->itp_flags &= ~ITPF_PFLAGS;
3088 else
3089 itp->itp_flags &= ~ITPF_IFLAGS;
3090 mutex_exit(&itp->itp_lock);
3091 }
3092
3093 spdsock_flush(q, iph, itp, mp);
3094
3095 if (itp != NULL) {
3096 /* SPD_FLUSH is worth a tunnel MTU check. */
3097 update_iptun_policy(itp);
3098 ITP_REFRELE(itp, ns);
3099 }
3100 return;
3101 case SPD_DUMP:
3102 if (itp != NULL)
3103 ITP_REFRELE(itp, ns);
3104 spdsock_dump(q, iph, mp);
3105 return;
3106 }
3107
3108 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) {
3109 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NOT_GLOBAL_OP);
3110 return;
3111 }
3112
3113 /* Single-polhead-only operations. */
3114 switch (spmsg->spd_msg_type) {
3115 case SPD_ADDRULE:
3116 spdsock_addrule(q, iph, mp, extv, itp);
3117 break;
3118 case SPD_DELETERULE:
3119 spdsock_deleterule(q, iph, mp, extv, itp);
3120 break;
3121 case SPD_LOOKUP:
3122 spdsock_lookup(q, iph, mp, extv, itp);
3123 break;
3124 default:
3125 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_MSG_TYPE);
3126 break;
3127 }
3128
3129 IPPH_REFRELE(iph, ns);
3130 if (itp != NULL) {
3131 /* SPD_{ADD,DELETE}RULE are worth a tunnel MTU check. */
3132 if (spmsg->spd_msg_type == SPD_ADDRULE ||
3133 spmsg->spd_msg_type == SPD_DELETERULE)
3134 update_iptun_policy(itp);
3135 ITP_REFRELE(itp, ns);
3136 }
3137 }
3138
3139 /*
3140 * If an algorithm mapping was received before IPsec was loaded, process it.
3141 * Called from the IPsec loader.
3142 */
3143 void
3144 spdsock_update_pending_algs(netstack_t *ns)
3145 {
3146 spd_stack_t *spds = ns->netstack_spdsock;
3147
3148 mutex_enter(&spds->spds_alg_lock);
3149 if (spds->spds_algs_pending) {
3150 (void) spdsock_do_updatealg(spds->spds_extv_algs, spds);
3151 spds->spds_algs_pending = B_FALSE;
3152 }
3153 mutex_exit(&spds->spds_alg_lock);
3154 }
3155
3156 static void
3157 spdsock_loadcheck(void *arg)
3158 {
3159 queue_t *q = (queue_t *)arg;
3160 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3161 mblk_t *mp;
3162 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
3163
3164 ASSERT(ss != NULL);
3165
3166 ss->spdsock_timeout = 0;
3167 mp = ss->spdsock_timeout_arg;
3168 ASSERT(mp != NULL);
3169 ss->spdsock_timeout_arg = NULL;
3170 if (ipsec_failed(ipss))
3171 spdsock_error(q, mp, EPROTONOSUPPORT, 0);
3172 else
3173 spdsock_parse(q, mp);
3174 }
3175
3176 /*
3177 * Copy relevant state bits.
3178 */
3179 static void
3180 spdsock_copy_info(struct T_info_ack *tap, spdsock_t *ss)
3181 {
3182 *tap = spdsock_g_t_info_ack;
3183 tap->CURRENT_state = ss->spdsock_state;
3184 tap->OPT_size = spdsock_max_optsize;
3185 }
3186
3187 /*
3188 * This routine responds to T_CAPABILITY_REQ messages. It is called by
3189 * spdsock_wput. Much of the T_CAPABILITY_ACK information is copied from
3190 * spdsock_g_t_info_ack. The current state of the stream is copied from
3191 * spdsock_state.
3192 */
3193 static void
3194 spdsock_capability_req(queue_t *q, mblk_t *mp)
3195 {
3196 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3197 t_uscalar_t cap_bits1;
3198 struct T_capability_ack *tcap;
3199
3200 cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1;
3201
3202 mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack),
3203 mp->b_datap->db_type, T_CAPABILITY_ACK);
3204 if (mp == NULL)
3205 return;
3206
3207 tcap = (struct T_capability_ack *)mp->b_rptr;
3208 tcap->CAP_bits1 = 0;
3209
3210 if (cap_bits1 & TC1_INFO) {
3211 spdsock_copy_info(&tcap->INFO_ack, ss);
3212 tcap->CAP_bits1 |= TC1_INFO;
3213 }
3214
3215 qreply(q, mp);
3216 }
3217
3218 /*
3219 * This routine responds to T_INFO_REQ messages. It is called by
3220 * spdsock_wput_other.
3221 * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack.
3222 * The current state of the stream is copied from spdsock_state.
3223 */
3224 static void
3225 spdsock_info_req(q, mp)
3226 queue_t *q;
3227 mblk_t *mp;
3228 {
3229 mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO,
3230 T_INFO_ACK);
3231 if (mp == NULL)
3232 return;
3233 spdsock_copy_info((struct T_info_ack *)mp->b_rptr,
3234 (spdsock_t *)q->q_ptr);
3235 qreply(q, mp);
3236 }
3237
3238 /*
3239 * spdsock_err_ack. This routine creates a
3240 * T_ERROR_ACK message and passes it
3241 * upstream.
3242 */
3243 static void
3244 spdsock_err_ack(q, mp, t_error, sys_error)
3245 queue_t *q;
3246 mblk_t *mp;
3247 int t_error;
3248 int sys_error;
3249 {
3250 if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL)
3251 qreply(q, mp);
3252 }
3253
3254 /*
3255 * This routine retrieves the current status of socket options.
3256 * It returns the size of the option retrieved.
3257 */
3258 /* ARGSUSED */
3259 int
3260 spdsock_opt_get(queue_t *q, int level, int name, uchar_t *ptr)
3261 {
3262 int *i1 = (int *)ptr;
3263
3264 switch (level) {
3265 case SOL_SOCKET:
3266 switch (name) {
3267 case SO_TYPE:
3268 *i1 = SOCK_RAW;
3269 break;
3270 /*
3271 * The following two items can be manipulated,
3272 * but changing them should do nothing.
3273 */
3274 case SO_SNDBUF:
3275 *i1 = (int)q->q_hiwat;
3276 break;
3277 case SO_RCVBUF:
3278 *i1 = (int)(RD(q)->q_hiwat);
3279 break;
3280 }
3281 break;
3282 default:
3283 return (0);
3284 }
3285 return (sizeof (int));
3286 }
3287
3288 /*
3289 * This routine sets socket options.
3290 */
3291 /* ARGSUSED */
3292 int
3293 spdsock_opt_set(queue_t *q, uint_t mgmt_flags, int level, int name,
3294 uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
3295 void *thisdg_attrs, cred_t *cr)
3296 {
3297 int *i1 = (int *)invalp;
3298 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3299 spd_stack_t *spds = ss->spdsock_spds;
3300
3301 switch (level) {
3302 case SOL_SOCKET:
3303 switch (name) {
3304 case SO_SNDBUF:
3305 if (*i1 > spds->spds_max_buf)
3306 return (ENOBUFS);
3307 q->q_hiwat = *i1;
3308 break;
3309 case SO_RCVBUF:
3310 if (*i1 > spds->spds_max_buf)
3311 return (ENOBUFS);
3312 RD(q)->q_hiwat = *i1;
3313 (void) proto_set_rx_hiwat(RD(q), NULL, *i1);
3314 break;
3315 }
3316 break;
3317 }
3318 return (0);
3319 }
3320
3321
3322 /*
3323 * Handle STREAMS messages.
3324 */
3325 static void
3326 spdsock_wput_other(queue_t *q, mblk_t *mp)
3327 {
3328 struct iocblk *iocp;
3329 int error;
3330 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3331 spd_stack_t *spds = ss->spdsock_spds;
3332 cred_t *cr;
3333
3334 switch (mp->b_datap->db_type) {
3335 case M_PROTO:
3336 case M_PCPROTO:
3337 if ((mp->b_wptr - mp->b_rptr) < sizeof (long)) {
3338 ss3dbg(spds, (
3339 "spdsock_wput_other: Not big enough M_PROTO\n"));
3340 freemsg(mp);
3341 return;
3342 }
3343 switch (((union T_primitives *)mp->b_rptr)->type) {
3344 case T_CAPABILITY_REQ:
3345 spdsock_capability_req(q, mp);
3346 break;
3347 case T_INFO_REQ:
3348 spdsock_info_req(q, mp);
3349 break;
3350 case T_SVR4_OPTMGMT_REQ:
3351 case T_OPTMGMT_REQ:
3352 /*
3353 * All Solaris components should pass a db_credp
3354 * for this TPI message, hence we ASSERT.
3355 * But in case there is some other M_PROTO that looks
3356 * like a TPI message sent by some other kernel
3357 * component, we check and return an error.
3358 */
3359 cr = msg_getcred(mp, NULL);
3360 ASSERT(cr != NULL);
3361 if (cr == NULL) {
3362 spdsock_err_ack(q, mp, TSYSERR, EINVAL);
3363 return;
3364 }
3365 if (((union T_primitives *)mp->b_rptr)->type ==
3366 T_SVR4_OPTMGMT_REQ) {
3367 svr4_optcom_req(q, mp, cr, &spdsock_opt_obj);
3368 } else {
3369 tpi_optcom_req(q, mp, cr, &spdsock_opt_obj);
3370 }
3371 break;
3372 case T_DATA_REQ:
3373 case T_EXDATA_REQ:
3374 case T_ORDREL_REQ:
3375 /* Illegal for spdsock. */
3376 freemsg(mp);
3377 (void) putnextctl1(RD(q), M_ERROR, EPROTO);
3378 break;
3379 default:
3380 /* Not supported by spdsock. */
3381 spdsock_err_ack(q, mp, TNOTSUPPORT, 0);
3382 break;
3383 }
3384 return;
3385 case M_IOCTL:
3386 iocp = (struct iocblk *)mp->b_rptr;
3387 error = EINVAL;
3388
3389 switch (iocp->ioc_cmd) {
3390 case ND_SET:
3391 case ND_GET:
3392 if (nd_getset(q, spds->spds_g_nd, mp)) {
3393 qreply(q, mp);
3394 return;
3395 } else
3396 error = ENOENT;
3397 /* FALLTHRU */
3398 default:
3399 miocnak(q, mp, 0, error);
3400 return;
3401 }
3402 case M_FLUSH:
3403 if (*mp->b_rptr & FLUSHW) {
3404 flushq(q, FLUSHALL);
3405 *mp->b_rptr &= ~FLUSHW;
3406 }
3407 if (*mp->b_rptr & FLUSHR) {
3408 qreply(q, mp);
3409 return;
3410 }
3411 /* Else FALLTHRU */
3412 }
3413
3414 /* If fell through, just black-hole the message. */
3415 freemsg(mp);
3416 }
3417
3418 static void
3419 spdsock_wput(queue_t *q, mblk_t *mp)
3420 {
3421 uint8_t *rptr = mp->b_rptr;
3422 mblk_t *mp1;
3423 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3424 spd_stack_t *spds = ss->spdsock_spds;
3425
3426 /*
3427 * If we're dumping, defer processing other messages until the
3428 * dump completes.
3429 */
3430 if (ss->spdsock_dump_req != NULL) {
3431 if (!putq(q, mp))
3432 freemsg(mp);
3433 return;
3434 }
3435
3436 switch (mp->b_datap->db_type) {
3437 case M_DATA:
3438 /*
3439 * Silently discard.
3440 */
3441 ss2dbg(spds, ("raw M_DATA in spdsock.\n"));
3442 freemsg(mp);
3443 return;
3444 case M_PROTO:
3445 case M_PCPROTO:
3446 if ((mp->b_wptr - rptr) >= sizeof (struct T_data_req)) {
3447 if (((union T_primitives *)rptr)->type == T_DATA_REQ) {
3448 if ((mp1 = mp->b_cont) == NULL) {
3449 /* No data after T_DATA_REQ. */
3450 ss2dbg(spds,
3451 ("No data after DATA_REQ.\n"));
3452 freemsg(mp);
3453 return;
3454 }
3455 freeb(mp);
3456 mp = mp1;
3457 ss2dbg(spds, ("T_DATA_REQ\n"));
3458 break; /* Out of switch. */
3459 }
3460 }
3461 /* FALLTHRU */
3462 default:
3463 ss3dbg(spds, ("In default wput case (%d %d).\n",
3464 mp->b_datap->db_type, ((union T_primitives *)rptr)->type));
3465 spdsock_wput_other(q, mp);
3466 return;
3467 }
3468
3469 /* I now have a PF_POLICY message in an M_DATA block. */
3470 spdsock_parse(q, mp);
3471 }
3472
3473 /*
3474 * Device open procedure, called when new queue pair created.
3475 * We are passed the read-side queue.
3476 */
3477 /* ARGSUSED */
3478 static int
3479 spdsock_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
3480 {
3481 spdsock_t *ss;
3482 queue_t *oq = OTHERQ(q);
3483 minor_t ssminor;
3484 netstack_t *ns;
3485 spd_stack_t *spds;
3486
3487 if (secpolicy_ip_config(credp, B_FALSE) != 0)
3488 return (EPERM);
3489
3490 if (q->q_ptr != NULL)
3491 return (0); /* Re-open of an already open instance. */
3492
3493 if (sflag & MODOPEN)
3494 return (EINVAL);
3495
3496 ns = netstack_find_by_cred(credp);
3497 ASSERT(ns != NULL);
3498 spds = ns->netstack_spdsock;
3499 ASSERT(spds != NULL);
3500
3501 ss2dbg(spds, ("Made it into PF_POLICY socket open.\n"));
3502
3503 ssminor = (minor_t)(uintptr_t)vmem_alloc(spdsock_vmem, 1, VM_NOSLEEP);
3504 if (ssminor == 0) {
3505 netstack_rele(spds->spds_netstack);
3506 return (ENOMEM);
3507 }
3508 ss = kmem_zalloc(sizeof (spdsock_t), KM_NOSLEEP);
3509 if (ss == NULL) {
3510 vmem_free(spdsock_vmem, (void *)(uintptr_t)ssminor, 1);
3511 netstack_rele(spds->spds_netstack);
3512 return (ENOMEM);
3513 }
3514
3515 ss->spdsock_minor = ssminor;
3516 ss->spdsock_state = TS_UNBND;
3517 ss->spdsock_dump_req = NULL;
3518
3519 ss->spdsock_spds = spds;
3520
3521 q->q_ptr = ss;
3522 oq->q_ptr = ss;
3523
3524 q->q_hiwat = spds->spds_recv_hiwat;
3525
3526 oq->q_hiwat = spds->spds_xmit_hiwat;
3527 oq->q_lowat = spds->spds_xmit_lowat;
3528
3529 qprocson(q);
3530 (void) proto_set_rx_hiwat(q, NULL, spds->spds_recv_hiwat);
3531
3532 *devp = makedevice(getmajor(*devp), ss->spdsock_minor);
3533 return (0);
3534 }
3535
3536 /*
3537 * Read-side service procedure, invoked when we get back-enabled
3538 * when buffer space becomes available.
3539 *
3540 * Dump another chunk if we were dumping before; when we finish, kick
3541 * the write-side queue in case it's waiting for read queue space.
3542 */
3543 void
3544 spdsock_rsrv(queue_t *q)
3545 {
3546 spdsock_t *ss = q->q_ptr;
3547
3548 if (ss->spdsock_dump_req != NULL)
3549 spdsock_dump_some(q, ss);
3550
3551 if (ss->spdsock_dump_req == NULL)
3552 qenable(OTHERQ(q));
3553 }
3554
3555 /*
3556 * Write-side service procedure, invoked when we defer processing
3557 * if another message is received while a dump is in progress.
3558 */
3559 void
3560 spdsock_wsrv(queue_t *q)
3561 {
3562 spdsock_t *ss = q->q_ptr;
3563 mblk_t *mp;
3564 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
3565
3566 if (ss->spdsock_dump_req != NULL) {
3567 qenable(OTHERQ(q));
3568 return;
3569 }
3570
3571 while ((mp = getq(q)) != NULL) {
3572 if (ipsec_loaded(ipss)) {
3573 spdsock_wput(q, mp);
3574 if (ss->spdsock_dump_req != NULL)
3575 return;
3576 } else if (!ipsec_failed(ipss)) {
3577 (void) putq(q, mp);
3578 } else {
3579 spdsock_error(q, mp, EPFNOSUPPORT, 0);
3580 }
3581 }
3582 }
3583
3584 static int
3585 spdsock_close(queue_t *q)
3586 {
3587 spdsock_t *ss = q->q_ptr;
3588 spd_stack_t *spds = ss->spdsock_spds;
3589
3590 qprocsoff(q);
3591
3592 /* Safe assumption. */
3593 ASSERT(ss != NULL);
3594
3595 if (ss->spdsock_timeout != 0)
3596 (void) quntimeout(q, ss->spdsock_timeout);
3597
3598 ss3dbg(spds, ("Driver close, PF_POLICY socket is going away.\n"));
3599
3600 vmem_free(spdsock_vmem, (void *)(uintptr_t)ss->spdsock_minor, 1);
3601 netstack_rele(ss->spdsock_spds->spds_netstack);
3602
3603 kmem_free(ss, sizeof (spdsock_t));
3604 return (0);
3605 }
3606
3607 /*
3608 * Merge the IPsec algorithms tables with the received algorithm information.
3609 */
3610 void
3611 spdsock_merge_algs(spd_stack_t *spds)
3612 {
3613 ipsec_alginfo_t *alg, *oalg;
3614 ipsec_algtype_t algtype;
3615 uint_t algidx, algid, nalgs;
3616 crypto_mech_name_t *mechs;
3617 uint_t mech_count, mech_idx;
3618 netstack_t *ns = spds->spds_netstack;
3619 ipsec_stack_t *ipss = ns->netstack_ipsec;
3620
3621 ASSERT(MUTEX_HELD(&spds->spds_alg_lock));
3622
3623 /*
3624 * Get the list of supported mechanisms from the crypto framework.
3625 * If a mechanism is supported by KCF, resolve its mechanism
3626 * id and mark it as being valid. This operation must be done
3627 * without holding alg_lock, since it can cause a provider
3628 * module to be loaded and the provider notification callback to
3629 * be invoked.
3630 */
3631 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
3632 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3633 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) {
3634 int algflags = 0;
3635 crypto_mech_type_t mt = CRYPTO_MECHANISM_INVALID;
3636
3637 alg = spds->spds_algs[algtype][algid];
3638 if (alg == NULL)
3639 continue;
3640
3641 /*
3642 * The NULL encryption algorithm is a special
3643 * case because there are no mechanisms, yet
3644 * the algorithm is still valid.
3645 */
3646 if (alg->alg_id == SADB_EALG_NULL) {
3647 alg->alg_mech_type = CRYPTO_MECHANISM_INVALID;
3648 alg->alg_flags |= ALG_FLAG_VALID;
3649 continue;
3650 }
3651
3652 for (mech_idx = 0; mech_idx < mech_count; mech_idx++) {
3653 if (strncmp(alg->alg_mech_name, mechs[mech_idx],
3654 CRYPTO_MAX_MECH_NAME) == 0) {
3655 mt = crypto_mech2id(alg->alg_mech_name);
3656 ASSERT(mt != CRYPTO_MECHANISM_INVALID);
3657 algflags = ALG_FLAG_VALID;
3658 break;
3659 }
3660 }
3661 alg->alg_mech_type = mt;
3662 alg->alg_flags |= algflags;
3663 }
3664 }
3665
3666 mutex_enter(&ipss->ipsec_alg_lock);
3667
3668 /*
3669 * For each algorithm currently defined, check if it is
3670 * present in the new tables created from the SPD_UPDATEALGS
3671 * message received from user-space.
3672 * Delete the algorithm entries that are currently defined
3673 * but not part of the new tables.
3674 */
3675 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3676 nalgs = ipss->ipsec_nalgs[algtype];
3677 for (algidx = 0; algidx < nalgs; algidx++) {
3678 algid = ipss->ipsec_sortlist[algtype][algidx];
3679 if (spds->spds_algs[algtype][algid] == NULL)
3680 ipsec_alg_unreg(algtype, algid, ns);
3681 }
3682 }
3683
3684 /*
3685 * For each algorithm we just received, check if it is
3686 * present in the currently defined tables. If it is, swap
3687 * the entry with the one we just allocated.
3688 * If the new algorithm is not in the current tables,
3689 * add it.
3690 */
3691 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3692 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) {
3693 alg = spds->spds_algs[algtype][algid];
3694 if (alg == NULL)
3695 continue;
3696
3697 if ((oalg = ipss->ipsec_alglists[algtype][algid]) ==
3698 NULL) {
3699 /*
3700 * New algorithm, add it to the algorithm
3701 * table.
3702 */
3703 ipsec_alg_reg(algtype, alg, ns);
3704 } else {
3705 /*
3706 * Algorithm is already in the table. Swap
3707 * the existing entry with the new one.
3708 */
3709 ipsec_alg_fix_min_max(alg, algtype, ns);
3710 ipss->ipsec_alglists[algtype][algid] = alg;
3711 ipsec_alg_free(oalg);
3712 }
3713 spds->spds_algs[algtype][algid] = NULL;
3714 }
3715 }
3716
3717 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3718 ipss->ipsec_algs_exec_mode[algtype] =
3719 spds->spds_algs_exec_mode[algtype];
3720 }
3721
3722 mutex_exit(&ipss->ipsec_alg_lock);
3723
3724 crypto_free_mech_list(mechs, mech_count);
3725
3726 ipsecah_algs_changed(ns);
3727 ipsecesp_algs_changed(ns);
3728 }
Community developed and maintained version of the OS/Net consolidation