4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
26 #include <sys/param.h>
27 #include <sys/types.h>
28 #include <sys/stream.h>
29 #include <sys/strsubr.h>
30 #include <sys/strsun.h>
31 #include <sys/stropts.h>
33 #include <sys/vnode.h>
34 #include <sys/sysmacros.h>
35 #define _SUN_TPI_VERSION 2
36 #include <sys/tihdr.h>
38 #include <sys/sunddi.h>
39 #include <sys/mkdev.h>
40 #include <sys/debug.h>
42 #include <sys/cmn_err.h>
43 #include <sys/suntpi.h>
44 #include <sys/policy.h>
47 #include <sys/socket.h>
48 #include <netinet/in.h>
49 #include <net/pfkeyv2.h>
50 #include <net/pfpolicy.h>
52 #include <inet/common.h>
53 #include <netinet/ip6.h>
57 #include <inet/proto_set.h>
59 #include <inet/ip_if.h>
60 #include <inet/optcom.h>
61 #include <inet/ipsec_info.h>
62 #include <inet/ipsec_impl.h>
63 #include <inet/spdsock.h>
64 #include <inet/sadb.h>
65 #include <inet/iptun.h>
66 #include <inet/iptun/iptun_impl.h>
68 #include <sys/isa_defs.h>
73 * This is a transport provider for the PF_POLICY IPsec policy
74 * management socket, which provides a management interface into the
75 * SPD, allowing policy rules to be added, deleted, and queried.
77 * This effectively replaces the old private SIOC*IPSECONFIG ioctls
78 * with an extensible interface which will hopefully be public some
81 * See <net/pfpolicy.h> for more details on the protocol.
83 * We link against drv/ip and call directly into it to manipulate the
84 * SPD; see ipsec_impl.h for the policy data structures and spd.c for
85 * the code which maintains them.
87 * The MT model of this is QPAIR with the addition of some explicit
88 * locking to protect system-wide policy data structures.
91 static vmem_t
*spdsock_vmem
; /* for minor numbers. */
93 #define ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t))
95 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */
96 static struct T_info_ack spdsock_g_t_info_ack
= {
98 T_INFINITE
, /* TSDU_size. Maximum size messages. */
99 T_INVALID
, /* ETSDU_size. No expedited data. */
100 T_INVALID
, /* CDATA_size. No connect data. */
101 T_INVALID
, /* DDATA_size. No disconnect data. */
103 0, /* OPT_size. No user-settable options */
104 64 * 1024, /* TIDU_size. spdsock allows maximum size messages. */
105 T_COTS
, /* SERV_type. spdsock supports connection oriented. */
106 TS_UNBND
, /* CURRENT_state. This is set from spdsock_state. */
107 (XPG4_1
) /* Provider flags */
110 /* Named Dispatch Parameter Management Structure */
111 typedef struct spdsockparam_s
{
112 uint_t spdsock_param_min
;
113 uint_t spdsock_param_max
;
114 uint_t spdsock_param_value
;
115 char *spdsock_param_name
;
119 * Table of NDD variables supported by spdsock. These are loaded into
120 * spdsock_g_nd in spdsock_init_nd.
121 * All of these are alterable, within the min/max values given, at run time.
123 static spdsockparam_t lcl_param_arr
[] = {
124 /* min max value name */
125 { 4096, 65536, 8192, "spdsock_xmit_hiwat"},
126 { 0, 65536, 1024, "spdsock_xmit_lowat"},
127 { 4096, 65536, 8192, "spdsock_recv_hiwat"},
128 { 65536, 1024*1024*1024, 256*1024, "spdsock_max_buf"},
129 { 0, 3, 0, "spdsock_debug"},
131 #define spds_xmit_hiwat spds_params[0].spdsock_param_value
132 #define spds_xmit_lowat spds_params[1].spdsock_param_value
133 #define spds_recv_hiwat spds_params[2].spdsock_param_value
134 #define spds_max_buf spds_params[3].spdsock_param_value
135 #define spds_debug spds_params[4].spdsock_param_value
137 #define ss0dbg(a) printf a
138 /* NOTE: != 0 instead of > 0 so lint doesn't complain. */
139 #define ss1dbg(spds, a) if (spds->spds_debug != 0) printf a
140 #define ss2dbg(spds, a) if (spds->spds_debug > 1) printf a
141 #define ss3dbg(spds, a) if (spds->spds_debug > 2) printf a
143 #define RESET_SPDSOCK_DUMP_POLHEAD(ss, iph) { \
144 ASSERT(RW_READ_HELD(&(iph)->iph_lock)); \
145 (ss)->spdsock_dump_head = (iph); \
146 (ss)->spdsock_dump_gen = (iph)->iph_gen; \
147 (ss)->spdsock_dump_cur_type = 0; \
148 (ss)->spdsock_dump_cur_af = IPSEC_AF_V4; \
149 (ss)->spdsock_dump_cur_rule = NULL; \
150 (ss)->spdsock_dump_count = 0; \
151 (ss)->spdsock_dump_cur_chain = 0; \
154 static int spdsock_close(queue_t
*);
155 static int spdsock_open(queue_t
*, dev_t
*, int, int, cred_t
*);
156 static void spdsock_wput(queue_t
*, mblk_t
*);
157 static void spdsock_wsrv(queue_t
*);
158 static void spdsock_rsrv(queue_t
*);
159 static void *spdsock_stack_init(netstackid_t stackid
, netstack_t
*ns
);
160 static void spdsock_stack_fini(netstackid_t stackid
, void *arg
);
161 static void spdsock_loadcheck(void *);
162 static void spdsock_merge_algs(spd_stack_t
*);
163 static void spdsock_flush_one(ipsec_policy_head_t
*, netstack_t
*);
164 static mblk_t
*spdsock_dump_next_record(spdsock_t
*);
166 static struct module_info info
= {
167 5138, "spdsock", 1, INFPSZ
, 512, 128
170 static struct qinit rinit
= {
171 NULL
, (pfi_t
)spdsock_rsrv
, spdsock_open
, spdsock_close
,
175 static struct qinit winit
= {
176 (pfi_t
)spdsock_wput
, (pfi_t
)spdsock_wsrv
, NULL
, NULL
, NULL
, &info
179 struct streamtab spdsockinfo
= {
183 /* mapping from alg type to protocol number, as per RFC 2407 */
184 static const uint_t algproto
[] = {
189 #define NALGPROTOS (sizeof (algproto) / sizeof (algproto[0]))
191 /* mapping from kernel exec mode to spdsock exec mode */
192 static const uint_t execmodes
[] = {
193 SPD_ALG_EXEC_MODE_SYNC
,
194 SPD_ALG_EXEC_MODE_ASYNC
197 #define NEXECMODES (sizeof (execmodes) / sizeof (execmodes[0]))
199 #define ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1)
200 #define ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2)
202 #define ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL)
206 spdsock_param_get(q
, mp
, cp
, cr
)
212 spdsockparam_t
*spdsockpa
= (spdsockparam_t
*)cp
;
214 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
215 spd_stack_t
*spds
= ss
->spdsock_spds
;
217 mutex_enter(&spds
->spds_param_lock
);
218 value
= spdsockpa
->spdsock_param_value
;
219 mutex_exit(&spds
->spds_param_lock
);
221 (void) mi_mpprintf(mp
, "%u", value
);
225 /* This routine sets an NDD variable in a spdsockparam_t structure. */
228 spdsock_param_set(q
, mp
, value
, cp
, cr
)
236 spdsockparam_t
*spdsockpa
= (spdsockparam_t
*)cp
;
237 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
238 spd_stack_t
*spds
= ss
->spdsock_spds
;
240 /* Convert the value from a string into a long integer. */
241 if (ddi_strtoul(value
, NULL
, 10, &new_value
) != 0)
244 mutex_enter(&spds
->spds_param_lock
);
246 * Fail the request if the new value does not lie within the
249 if (new_value
< spdsockpa
->spdsock_param_min
||
250 new_value
> spdsockpa
->spdsock_param_max
) {
251 mutex_exit(&spds
->spds_param_lock
);
255 /* Set the new value */
256 spdsockpa
->spdsock_param_value
= new_value
;
257 mutex_exit(&spds
->spds_param_lock
);
263 * Initialize at module load time
266 spdsock_ddi_init(void)
268 spdsock_max_optsize
= optcom_max_optsize(
269 spdsock_opt_obj
.odb_opt_des_arr
, spdsock_opt_obj
.odb_opt_arr_cnt
);
271 spdsock_vmem
= vmem_create("spdsock", (void *)1, MAXMIN
, 1,
272 NULL
, NULL
, NULL
, 1, VM_SLEEP
| VMC_IDENTIFIER
);
275 * We want to be informed each time a stack is created or
276 * destroyed in the kernel, so we can maintain the
277 * set of spd_stack_t's.
279 netstack_register(NS_SPDSOCK
, spdsock_stack_init
, NULL
,
286 * Walk through the param array specified registering each element with the
287 * named dispatch handler.
290 spdsock_param_register(IDP
*ndp
, spdsockparam_t
*ssp
, int cnt
)
292 for (; cnt
-- > 0; ssp
++) {
293 if (ssp
->spdsock_param_name
!= NULL
&&
294 ssp
->spdsock_param_name
[0]) {
296 ssp
->spdsock_param_name
,
297 spdsock_param_get
, spdsock_param_set
,
308 * Initialize for each stack instance
312 spdsock_stack_init(netstackid_t stackid
, netstack_t
*ns
)
317 spds
= (spd_stack_t
*)kmem_zalloc(sizeof (*spds
), KM_SLEEP
);
318 spds
->spds_netstack
= ns
;
320 ASSERT(spds
->spds_g_nd
== NULL
);
322 ssp
= (spdsockparam_t
*)kmem_alloc(sizeof (lcl_param_arr
), KM_SLEEP
);
323 spds
->spds_params
= ssp
;
324 bcopy(lcl_param_arr
, ssp
, sizeof (lcl_param_arr
));
326 (void) spdsock_param_register(&spds
->spds_g_nd
, ssp
,
327 A_CNT(lcl_param_arr
));
329 mutex_init(&spds
->spds_param_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
330 mutex_init(&spds
->spds_alg_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
336 spdsock_ddi_destroy(void)
338 vmem_destroy(spdsock_vmem
);
340 netstack_unregister(NS_SPDSOCK
);
345 spdsock_stack_fini(netstackid_t stackid
, void *arg
)
347 spd_stack_t
*spds
= (spd_stack_t
*)arg
;
349 freemsg(spds
->spds_mp_algs
);
350 mutex_destroy(&spds
->spds_param_lock
);
351 mutex_destroy(&spds
->spds_alg_lock
);
352 nd_free(&spds
->spds_g_nd
);
353 kmem_free(spds
->spds_params
, sizeof (lcl_param_arr
));
354 spds
->spds_params
= NULL
;
356 kmem_free(spds
, sizeof (*spds
));
360 * NOTE: large quantities of this should be shared with keysock.
361 * Would be nice to combine some of this into a common module, but
362 * not possible given time pressures.
366 * High-level reality checking of extensions.
368 /* ARGSUSED */ /* XXX */
370 ext_check(spd_ext_t
*ext
)
372 spd_if_t
*tunname
= (spd_if_t
*)ext
;
376 if (ext
->spd_ext_type
== SPD_EXT_TUN_NAME
) {
377 /* (NOTE: Modified from SADB_EXT_IDENTITY..) */
380 * Make sure the strings in these identities are
381 * null-terminated. Let's "proactively" null-terminate the
382 * string at the last byte if it's not terminated sooner.
384 i
= SPD_64TO8(tunname
->spd_if_len
) - sizeof (spd_if_t
);
385 idstr
= (char *)(tunname
+ 1);
386 while (*idstr
!= '\0' && i
> 0) {
392 * I.e., if the bozo user didn't NULL-terminate the
399 return (B_TRUE
); /* For now... */
404 /* Return values for spdsock_get_ext(). */
412 * Parse basic extension headers and return in the passed-in pointer vector.
413 * Return values include:
415 * KGE_OK Everything's nice and parsed out.
416 * If there are no extensions, place NULL in extv[0].
417 * KGE_DUP There is a duplicate extension.
418 * First instance in appropriate bin. First duplicate in
420 * KGE_UNK Unknown extension type encountered. extv[0] contains
422 * KGE_LEN Extension length error.
423 * KGE_CHK High-level reality check failed on specific extension.
425 * My apologies for some of the pointer arithmetic in here. I'm thinking
426 * like an assembly programmer, yet trying to make the compiler happy.
429 spdsock_get_ext(spd_ext_t
*extv
[], spd_msg_t
*basehdr
, uint_t msgsize
)
431 bzero(extv
, sizeof (spd_ext_t
*) * (SPD_EXT_MAX
+ 1));
433 /* Use extv[0] as the "current working pointer". */
435 extv
[0] = (spd_ext_t
*)(basehdr
+ 1);
437 while (extv
[0] < (spd_ext_t
*)(((uint8_t *)basehdr
) + msgsize
)) {
438 /* Check for unknown headers. */
439 if (extv
[0]->spd_ext_type
== 0 ||
440 extv
[0]->spd_ext_type
> SPD_EXT_MAX
)
444 * Check length. Use uint64_t because extlen is in units
445 * of 64-bit words. If length goes beyond the msgsize,
446 * return an error. (Zero length also qualifies here.)
448 if (extv
[0]->spd_ext_len
== 0 ||
449 (void *)((uint64_t *)extv
[0] + extv
[0]->spd_ext_len
) >
450 (void *)((uint8_t *)basehdr
+ msgsize
))
453 /* Check for redundant headers. */
454 if (extv
[extv
[0]->spd_ext_type
] != NULL
)
458 * Reality check the extension if possible at the spdsock
461 if (!ext_check(extv
[0]))
464 /* If I make it here, assign the appropriate bin. */
465 extv
[extv
[0]->spd_ext_type
] = extv
[0];
467 /* Advance pointer (See above for uint64_t ptr reasoning.) */
468 extv
[0] = (spd_ext_t
*)
469 ((uint64_t *)extv
[0] + extv
[0]->spd_ext_len
);
472 /* Everything's cool. */
475 * If extv[0] == NULL, then there are no extension headers in this
476 * message. Ensure that this is the case.
478 if (extv
[0] == (spd_ext_t
*)(basehdr
+ 1))
484 static const int bad_ext_diag
[] = {
485 SPD_DIAGNOSTIC_MALFORMED_LCLPORT
,
486 SPD_DIAGNOSTIC_MALFORMED_REMPORT
,
487 SPD_DIAGNOSTIC_MALFORMED_PROTO
,
488 SPD_DIAGNOSTIC_MALFORMED_LCLADDR
,
489 SPD_DIAGNOSTIC_MALFORMED_REMADDR
,
490 SPD_DIAGNOSTIC_MALFORMED_ACTION
,
491 SPD_DIAGNOSTIC_MALFORMED_RULE
,
492 SPD_DIAGNOSTIC_MALFORMED_RULESET
,
493 SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE
496 static const int dup_ext_diag
[] = {
497 SPD_DIAGNOSTIC_DUPLICATE_LCLPORT
,
498 SPD_DIAGNOSTIC_DUPLICATE_REMPORT
,
499 SPD_DIAGNOSTIC_DUPLICATE_PROTO
,
500 SPD_DIAGNOSTIC_DUPLICATE_LCLADDR
,
501 SPD_DIAGNOSTIC_DUPLICATE_REMADDR
,
502 SPD_DIAGNOSTIC_DUPLICATE_ACTION
,
503 SPD_DIAGNOSTIC_DUPLICATE_RULE
,
504 SPD_DIAGNOSTIC_DUPLICATE_RULESET
,
505 SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE
509 * Transmit a PF_POLICY error message to the instance either pointed to
510 * by ks, the instance with serial number serial, or more, depending.
512 * The faulty message (or a reasonable facsimile thereof) is in mp.
513 * This function will free mp or recycle it for delivery, thereby causing
514 * the stream head to free it.
517 spdsock_error(queue_t
*q
, mblk_t
*mp
, int error
, int diagnostic
)
519 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
521 ASSERT(mp
->b_datap
->db_type
== M_DATA
);
523 if (spmsg
->spd_msg_type
< SPD_MIN
||
524 spmsg
->spd_msg_type
> SPD_MAX
)
525 spmsg
->spd_msg_type
= SPD_RESERVED
;
528 * Strip out extension headers.
530 ASSERT(mp
->b_rptr
+ sizeof (*spmsg
) <= mp
->b_datap
->db_lim
);
531 mp
->b_wptr
= mp
->b_rptr
+ sizeof (*spmsg
);
532 spmsg
->spd_msg_len
= SPD_8TO64(sizeof (spd_msg_t
));
533 spmsg
->spd_msg_errno
= (uint8_t)error
;
534 spmsg
->spd_msg_diagnostic
= (uint16_t)diagnostic
;
540 spdsock_diag(queue_t
*q
, mblk_t
*mp
, int diagnostic
)
542 spdsock_error(q
, mp
, EINVAL
, diagnostic
);
546 spd_echo(queue_t
*q
, mblk_t
*mp
)
552 * Do NOT consume a reference to itp.
556 spdsock_flush_node(ipsec_tun_pol_t
*itp
, void *cookie
, netstack_t
*ns
)
558 boolean_t active
= (boolean_t
)cookie
;
559 ipsec_policy_head_t
*iph
;
561 iph
= active
? itp
->itp_policy
: itp
->itp_inactive
;
563 mutex_enter(&itp
->itp_lock
);
564 spdsock_flush_one(iph
, ns
);
566 itp
->itp_flags
&= ~ITPF_PFLAGS
;
568 itp
->itp_flags
&= ~ITPF_IFLAGS
;
569 mutex_exit(&itp
->itp_lock
);
573 * Clear out one polhead.
576 spdsock_flush_one(ipsec_policy_head_t
*iph
, netstack_t
*ns
)
578 rw_enter(&iph
->iph_lock
, RW_WRITER
);
579 ipsec_polhead_flush(iph
, ns
);
580 rw_exit(&iph
->iph_lock
);
581 IPPH_REFRELE(iph
, ns
);
585 spdsock_flush(queue_t
*q
, ipsec_policy_head_t
*iph
, ipsec_tun_pol_t
*itp
,
589 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
590 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
592 if (iph
!= ALL_ACTIVE_POLHEADS
&& iph
!= ALL_INACTIVE_POLHEADS
) {
593 spdsock_flush_one(iph
, ns
);
595 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
599 cr
= msg_getcred(mp
, &cpid
);
600 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
601 audit_pf_policy(SPD_FLUSH
, cr
, ns
,
602 ITP_NAME(itp
), active
, 0, cpid
);
605 active
= (iph
== ALL_ACTIVE_POLHEADS
);
607 /* First flush the global policy. */
608 spdsock_flush_one(active
? ipsec_system_policy(ns
) :
609 ipsec_inactive_policy(ns
), ns
);
614 cr
= msg_getcred(mp
, &cpid
);
615 audit_pf_policy(SPD_FLUSH
, cr
, ns
, NULL
,
618 /* Then flush every tunnel's appropriate one. */
619 itp_walk(spdsock_flush_node
, (void *)active
, ns
);
624 cr
= msg_getcred(mp
, &cpid
);
625 audit_pf_policy(SPD_FLUSH
, cr
, ns
,
626 "all tunnels", active
, 0, cpid
);
634 spdsock_ext_to_sel(spd_ext_t
**extv
, ipsec_selkey_t
*sel
, int *diag
)
636 bzero(sel
, sizeof (*sel
));
638 if (extv
[SPD_EXT_PROTO
] != NULL
) {
639 struct spd_proto
*pr
=
640 (struct spd_proto
*)extv
[SPD_EXT_PROTO
];
641 sel
->ipsl_proto
= pr
->spd_proto_number
;
642 sel
->ipsl_valid
|= IPSL_PROTOCOL
;
644 if (extv
[SPD_EXT_LCLPORT
] != NULL
) {
645 struct spd_portrange
*pr
=
646 (struct spd_portrange
*)extv
[SPD_EXT_LCLPORT
];
647 sel
->ipsl_lport
= pr
->spd_ports_minport
;
648 sel
->ipsl_valid
|= IPSL_LOCAL_PORT
;
650 if (extv
[SPD_EXT_REMPORT
] != NULL
) {
651 struct spd_portrange
*pr
=
652 (struct spd_portrange
*)extv
[SPD_EXT_REMPORT
];
653 sel
->ipsl_rport
= pr
->spd_ports_minport
;
654 sel
->ipsl_valid
|= IPSL_REMOTE_PORT
;
657 if (extv
[SPD_EXT_ICMP_TYPECODE
] != NULL
) {
658 struct spd_typecode
*tc
=
659 (struct spd_typecode
*)extv
[SPD_EXT_ICMP_TYPECODE
];
661 sel
->ipsl_valid
|= IPSL_ICMP_TYPE
;
662 sel
->ipsl_icmp_type
= tc
->spd_typecode_type
;
663 if (tc
->spd_typecode_type_end
< tc
->spd_typecode_type
)
664 sel
->ipsl_icmp_type_end
= tc
->spd_typecode_type
;
666 sel
->ipsl_icmp_type_end
= tc
->spd_typecode_type_end
;
668 if (tc
->spd_typecode_code
!= 255) {
669 sel
->ipsl_valid
|= IPSL_ICMP_CODE
;
670 sel
->ipsl_icmp_code
= tc
->spd_typecode_code
;
671 if (tc
->spd_typecode_code_end
< tc
->spd_typecode_code
)
672 sel
->ipsl_icmp_code_end
= tc
->spd_typecode_code
;
674 sel
->ipsl_icmp_code_end
=
675 tc
->spd_typecode_code_end
;
678 #define ADDR2SEL(sel, extv, field, pfield, extn, bit) \
679 if ((extv)[(extn)] != NULL) { \
681 struct spd_address *ap = \
682 (struct spd_address *)((extv)[(extn)]); \
683 addrlen = (ap->spd_address_af == AF_INET6) ? \
684 IPV6_ADDR_LEN : IP_ADDR_LEN; \
685 if (SPD_64TO8(ap->spd_address_len) < \
686 (addrlen + sizeof (*ap))) { \
687 *diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN; \
690 bcopy((ap+1), &((sel)->field), addrlen); \
691 (sel)->pfield = ap->spd_address_prefixlen; \
692 (sel)->ipsl_valid |= (bit); \
693 (sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ? \
694 IPSL_IPV6 : IPSL_IPV4; \
697 ADDR2SEL(sel
, extv
, ipsl_local
, ipsl_local_pfxlen
,
698 SPD_EXT_LCLADDR
, IPSL_LOCAL_ADDR
);
699 ADDR2SEL(sel
, extv
, ipsl_remote
, ipsl_remote_pfxlen
,
700 SPD_EXT_REMADDR
, IPSL_REMOTE_ADDR
);
702 if ((sel
->ipsl_valid
& (IPSL_IPV6
|IPSL_IPV4
)) ==
703 (IPSL_IPV6
|IPSL_IPV4
)) {
704 *diag
= SPD_DIAGNOSTIC_MIXED_AF
;
714 spd_convert_type(uint32_t type
, ipsec_act_t
*act
)
717 case SPD_ACTTYPE_DROP
:
718 act
->ipa_type
= IPSEC_ACT_DISCARD
;
721 case SPD_ACTTYPE_PASS
:
722 act
->ipa_type
= IPSEC_ACT_CLEAR
;
725 case SPD_ACTTYPE_IPSEC
:
726 act
->ipa_type
= IPSEC_ACT_APPLY
;
733 spd_convert_flags(uint32_t flags
, ipsec_act_t
*act
)
736 * Note use of !! for boolean canonicalization.
738 act
->ipa_apply
.ipp_use_ah
= !!(flags
& SPD_APPLY_AH
);
739 act
->ipa_apply
.ipp_use_esp
= !!(flags
& SPD_APPLY_ESP
);
740 act
->ipa_apply
.ipp_use_espa
= !!(flags
& SPD_APPLY_ESPA
);
741 act
->ipa_apply
.ipp_use_se
= !!(flags
& SPD_APPLY_SE
);
742 act
->ipa_apply
.ipp_use_unique
= !!(flags
& SPD_APPLY_UNIQUE
);
747 spdsock_reset_act(ipsec_act_t
*act
)
749 bzero(act
, sizeof (*act
));
750 act
->ipa_apply
.ipp_espe_maxbits
= IPSEC_MAX_KEYBITS
;
751 act
->ipa_apply
.ipp_espa_maxbits
= IPSEC_MAX_KEYBITS
;
752 act
->ipa_apply
.ipp_ah_maxbits
= IPSEC_MAX_KEYBITS
;
756 * Sanity check action against reality, and shrink-wrap key sizes..
759 spdsock_check_action(ipsec_act_t
*act
, boolean_t tunnel_polhead
, int *diag
,
762 if (tunnel_polhead
&& act
->ipa_apply
.ipp_use_unique
) {
763 *diag
= SPD_DIAGNOSTIC_ADD_INCON_FLAGS
;
766 if ((act
->ipa_type
!= IPSEC_ACT_APPLY
) &&
767 (act
->ipa_apply
.ipp_use_ah
||
768 act
->ipa_apply
.ipp_use_esp
||
769 act
->ipa_apply
.ipp_use_espa
||
770 act
->ipa_apply
.ipp_use_se
||
771 act
->ipa_apply
.ipp_use_unique
)) {
772 *diag
= SPD_DIAGNOSTIC_ADD_INCON_FLAGS
;
775 if ((act
->ipa_type
== IPSEC_ACT_APPLY
) &&
776 !act
->ipa_apply
.ipp_use_ah
&&
777 !act
->ipa_apply
.ipp_use_esp
) {
778 *diag
= SPD_DIAGNOSTIC_ADD_INCON_FLAGS
;
781 return (ipsec_check_action(act
, diag
, spds
->spds_netstack
));
785 * We may be short a few error checks here..
788 spdsock_ext_to_actvec(spd_ext_t
**extv
, ipsec_act_t
**actpp
, uint_t
*nactp
,
789 int *diag
, spd_stack_t
*spds
)
791 struct spd_ext_actions
*sactp
=
792 (struct spd_ext_actions
*)extv
[SPD_EXT_ACTION
];
793 ipsec_act_t act
, *actp
, *endactp
;
794 struct spd_attribute
*attrp
, *endattrp
;
797 boolean_t tunnel_polhead
;
799 tunnel_polhead
= (extv
[SPD_EXT_TUN_NAME
] != NULL
&&
800 (((struct spd_rule
*)extv
[SPD_EXT_RULE
])->spd_rule_flags
&
801 SPD_RULE_FLAG_TUNNEL
));
807 *diag
= SPD_DIAGNOSTIC_NO_ACTION_EXT
;
812 * Parse the "action" extension and convert into an action chain.
815 nact
= sactp
->spd_actions_count
;
817 endp
= (uint64_t *)sactp
;
818 endp
+= sactp
->spd_actions_len
;
819 endattrp
= (struct spd_attribute
*)endp
;
821 actp
= kmem_alloc(sizeof (*actp
) * nact
, KM_NOSLEEP
);
823 *diag
= SPD_DIAGNOSTIC_ADD_NO_MEM
;
828 endactp
= actp
+ nact
;
830 spdsock_reset_act(&act
);
831 attrp
= (struct spd_attribute
*)(&sactp
[1]);
833 for (; attrp
< endattrp
; attrp
++) {
834 switch (attrp
->spd_attr_tag
) {
839 spdsock_reset_act(&act
);
846 if (actp
>= endactp
) {
847 *diag
= SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT
;
850 if (!spdsock_check_action(&act
, tunnel_polhead
,
854 spdsock_reset_act(&act
);
858 if (!spd_convert_type(attrp
->spd_attr_value
, &act
)) {
859 *diag
= SPD_DIAGNOSTIC_ADD_BAD_TYPE
;
865 if (!tunnel_polhead
&& extv
[SPD_EXT_TUN_NAME
] != NULL
) {
867 * Set "sa unique" for transport-mode
868 * tunnels whether we want to or not.
870 attrp
->spd_attr_value
|= SPD_APPLY_UNIQUE
;
872 if (!spd_convert_flags(attrp
->spd_attr_value
, &act
)) {
873 *diag
= SPD_DIAGNOSTIC_ADD_BAD_FLAGS
;
878 case SPD_ATTR_AH_AUTH
:
879 if (attrp
->spd_attr_value
== 0) {
880 *diag
= SPD_DIAGNOSTIC_UNSUPP_AH_ALG
;
883 act
.ipa_apply
.ipp_auth_alg
= attrp
->spd_attr_value
;
886 case SPD_ATTR_ESP_ENCR
:
887 if (attrp
->spd_attr_value
== 0) {
888 *diag
= SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG
;
891 act
.ipa_apply
.ipp_encr_alg
= attrp
->spd_attr_value
;
894 case SPD_ATTR_ESP_AUTH
:
895 if (attrp
->spd_attr_value
== 0) {
896 *diag
= SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG
;
899 act
.ipa_apply
.ipp_esp_auth_alg
= attrp
->spd_attr_value
;
902 case SPD_ATTR_ENCR_MINBITS
:
903 act
.ipa_apply
.ipp_espe_minbits
= attrp
->spd_attr_value
;
906 case SPD_ATTR_ENCR_MAXBITS
:
907 act
.ipa_apply
.ipp_espe_maxbits
= attrp
->spd_attr_value
;
910 case SPD_ATTR_AH_MINBITS
:
911 act
.ipa_apply
.ipp_ah_minbits
= attrp
->spd_attr_value
;
914 case SPD_ATTR_AH_MAXBITS
:
915 act
.ipa_apply
.ipp_ah_maxbits
= attrp
->spd_attr_value
;
918 case SPD_ATTR_ESPA_MINBITS
:
919 act
.ipa_apply
.ipp_espa_minbits
= attrp
->spd_attr_value
;
922 case SPD_ATTR_ESPA_MAXBITS
:
923 act
.ipa_apply
.ipp_espa_maxbits
= attrp
->spd_attr_value
;
926 case SPD_ATTR_LIFE_SOFT_TIME
:
927 case SPD_ATTR_LIFE_HARD_TIME
:
928 case SPD_ATTR_LIFE_SOFT_BYTES
:
929 case SPD_ATTR_LIFE_HARD_BYTES
:
932 case SPD_ATTR_KM_PROTO
:
933 act
.ipa_apply
.ipp_km_proto
= attrp
->spd_attr_value
;
936 case SPD_ATTR_KM_COOKIE
:
937 act
.ipa_apply
.ipp_km_cookie
= attrp
->spd_attr_value
;
940 case SPD_ATTR_REPLAY_DEPTH
:
941 act
.ipa_apply
.ipp_replay_depth
= attrp
->spd_attr_value
;
945 if (actp
!= endactp
) {
946 *diag
= SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT
;
952 ipsec_actvec_free(*actpp
, nact
);
964 mkrule(ipsec_policy_head_t
*iph
, struct spd_rule
*rule
,
965 ipsec_selkey_t
*sel
, ipsec_act_t
*actp
, int nact
, uint_t dir
, uint_t af
,
966 tmprule_t
**rp
, uint64_t *index
, spd_stack_t
*spds
)
970 sel
->ipsl_valid
&= ~(IPSL_IPV6
|IPSL_IPV4
);
971 sel
->ipsl_valid
|= af
;
973 pol
= ipsec_policy_create(sel
, actp
, nact
, rule
->spd_rule_priority
,
974 index
, spds
->spds_netstack
);
982 if (!ipsec_check_policy(iph
, pol
, dir
))
985 rule
->spd_rule_index
= pol
->ipsp_index
;
990 mkrulepair(ipsec_policy_head_t
*iph
, struct spd_rule
*rule
,
991 ipsec_selkey_t
*sel
, ipsec_act_t
*actp
, int nact
, uint_t dir
, uint_t afs
,
992 tmprule_t
**rp
, uint64_t *index
, spd_stack_t
*spds
)
996 if (afs
& IPSL_IPV4
) {
997 error
= mkrule(iph
, rule
, sel
, actp
, nact
, dir
, IPSL_IPV4
, rp
,
1002 if (afs
& IPSL_IPV6
) {
1003 error
= mkrule(iph
, rule
, sel
, actp
, nact
, dir
, IPSL_IPV6
, rp
,
1013 spdsock_addrule(queue_t
*q
, ipsec_policy_head_t
*iph
, mblk_t
*mp
,
1014 spd_ext_t
**extv
, ipsec_tun_pol_t
*itp
)
1019 int diag
= 0, error
, afs
;
1020 struct spd_rule
*rule
= (struct spd_rule
*)extv
[SPD_EXT_RULE
];
1021 tmprule_t rules
[4], *rulep
= &rules
[0];
1022 boolean_t tunnel_mode
, empty_itp
, active
;
1023 uint64_t *index
= (itp
== NULL
) ? NULL
: &itp
->itp_next_policy_index
;
1024 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
1025 spd_stack_t
*spds
= ss
->spdsock_spds
;
1028 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_NO_RULE_EXT
);
1030 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1034 cr
= msg_getcred(mp
, &cpid
);
1035 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1036 audit_pf_policy(SPD_ADDRULE
, cr
,
1037 spds
->spds_netstack
, ITP_NAME(itp
), active
,
1038 SPD_DIAGNOSTIC_NO_RULE_EXT
, cpid
);
1043 tunnel_mode
= (rule
->spd_rule_flags
& SPD_RULE_FLAG_TUNNEL
);
1046 mutex_enter(&itp
->itp_lock
);
1047 ASSERT(itp
->itp_policy
== iph
|| itp
->itp_inactive
== iph
);
1048 active
= (itp
->itp_policy
== iph
);
1049 if (ITP_P_ISACTIVE(itp
, iph
)) {
1050 /* Check for mix-and-match of tunnel/transport. */
1051 if ((tunnel_mode
&& !ITP_P_ISTUNNEL(itp
, iph
)) ||
1052 (!tunnel_mode
&& ITP_P_ISTUNNEL(itp
, iph
))) {
1053 mutex_exit(&itp
->itp_lock
);
1054 spdsock_error(q
, mp
, EBUSY
, 0);
1057 empty_itp
= B_FALSE
;
1060 itp
->itp_flags
= active
? ITPF_P_ACTIVE
: ITPF_I_ACTIVE
;
1062 itp
->itp_flags
|= active
? ITPF_P_TUNNEL
:
1066 empty_itp
= B_FALSE
;
1069 if (rule
->spd_rule_index
!= 0) {
1070 diag
= SPD_DIAGNOSTIC_INVALID_RULE_INDEX
;
1075 if (!spdsock_ext_to_sel(extv
, &sel
, &diag
)) {
1082 if (sel
.ipsl_valid
&
1083 (IPSL_REMOTE_PORT
| IPSL_LOCAL_PORT
)) {
1084 itp
->itp_flags
|= active
?
1085 ITPF_P_PER_PORT_SECURITY
:
1086 ITPF_I_PER_PORT_SECURITY
;
1090 * For now, we don't allow transport-mode on a tunnel
1091 * with ANY specific selectors. Bail if we have such
1094 if (sel
.ipsl_valid
& IPSL_WILDCARD
) {
1095 diag
= SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS
;
1102 if (!spdsock_ext_to_actvec(extv
, &actp
, &nact
, &diag
, spds
)) {
1107 * If no addresses were specified, add both.
1109 afs
= sel
.ipsl_valid
& (IPSL_IPV6
|IPSL_IPV4
);
1111 afs
= (IPSL_IPV6
|IPSL_IPV4
);
1113 rw_enter(&iph
->iph_lock
, RW_WRITER
);
1115 if (rule
->spd_rule_flags
& SPD_RULE_FLAG_OUTBOUND
) {
1116 error
= mkrulepair(iph
, rule
, &sel
, actp
, nact
,
1117 IPSEC_TYPE_OUTBOUND
, afs
, &rulep
, index
, spds
);
1122 if (rule
->spd_rule_flags
& SPD_RULE_FLAG_INBOUND
) {
1123 error
= mkrulepair(iph
, rule
, &sel
, actp
, nact
,
1124 IPSEC_TYPE_INBOUND
, afs
, &rulep
, index
, spds
);
1129 while ((--rulep
) >= &rules
[0]) {
1130 ipsec_enter_policy(iph
, rulep
->pol
, rulep
->dir
,
1131 spds
->spds_netstack
);
1133 rw_exit(&iph
->iph_lock
);
1135 mutex_exit(&itp
->itp_lock
);
1137 ipsec_actvec_free(actp
, nact
);
1140 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1144 cr
= msg_getcred(mp
, &cpid
);
1145 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1146 audit_pf_policy(SPD_ADDRULE
, cr
, spds
->spds_netstack
,
1147 ITP_NAME(itp
), active
, 0, cpid
);
1152 rw_exit(&iph
->iph_lock
);
1153 while ((--rulep
) >= &rules
[0]) {
1154 IPPOL_REFRELE(rulep
->pol
, spds
->spds_netstack
);
1156 ipsec_actvec_free(actp
, nact
);
1161 mutex_exit(&itp
->itp_lock
);
1163 spdsock_error(q
, mp
, error
, diag
);
1165 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1169 cr
= msg_getcred(mp
, &cpid
);
1170 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1171 audit_pf_policy(SPD_ADDRULE
, cr
, spds
->spds_netstack
,
1172 ITP_NAME(itp
), active
, error
, cpid
);
1177 spdsock_deleterule(queue_t
*q
, ipsec_policy_head_t
*iph
, mblk_t
*mp
,
1178 spd_ext_t
**extv
, ipsec_tun_pol_t
*itp
)
1181 struct spd_rule
*rule
= (struct spd_rule
*)extv
[SPD_EXT_RULE
];
1183 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
1184 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
1187 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_NO_RULE_EXT
);
1190 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1194 cr
= msg_getcred(mp
, &cpid
);
1195 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1196 audit_pf_policy(SPD_DELETERULE
, cr
, ns
,
1197 ITP_NAME(itp
), active
, SPD_DIAGNOSTIC_NO_RULE_EXT
,
1204 * Must enter itp_lock first to avoid deadlock. See tun.c's
1205 * set_sec_simple() for the other case of itp_lock and iph_lock.
1208 mutex_enter(&itp
->itp_lock
);
1210 if (rule
->spd_rule_index
!= 0) {
1211 if (ipsec_policy_delete_index(iph
, rule
->spd_rule_index
, ns
) !=
1217 if (!spdsock_ext_to_sel(extv
, &sel
, &diag
)) {
1218 err
= EINVAL
; /* diag already set... */
1222 if ((rule
->spd_rule_flags
& SPD_RULE_FLAG_INBOUND
) &&
1223 !ipsec_policy_delete(iph
, &sel
, IPSEC_TYPE_INBOUND
, ns
)) {
1228 if ((rule
->spd_rule_flags
& SPD_RULE_FLAG_OUTBOUND
) &&
1229 !ipsec_policy_delete(iph
, &sel
, IPSEC_TYPE_OUTBOUND
, ns
)) {
1236 ASSERT(iph
== itp
->itp_policy
|| iph
== itp
->itp_inactive
);
1237 rw_enter(&iph
->iph_lock
, RW_READER
);
1238 if (avl_numnodes(&iph
->iph_rulebyid
) == 0) {
1239 if (iph
== itp
->itp_policy
)
1240 itp
->itp_flags
&= ~ITPF_PFLAGS
;
1242 itp
->itp_flags
&= ~ITPF_IFLAGS
;
1244 /* Can exit locks in any order. */
1245 rw_exit(&iph
->iph_lock
);
1246 mutex_exit(&itp
->itp_lock
);
1251 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1255 cr
= msg_getcred(mp
, &cpid
);
1256 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1257 audit_pf_policy(SPD_DELETERULE
, cr
, ns
, ITP_NAME(itp
),
1263 mutex_exit(&itp
->itp_lock
);
1264 spdsock_error(q
, mp
, err
, diag
);
1267 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1271 cr
= msg_getcred(mp
, &cpid
);
1272 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1273 audit_pf_policy(SPD_DELETERULE
, cr
, ns
, ITP_NAME(itp
),
1278 /* Do NOT consume a reference to itp. */
1281 spdsock_flip_node(ipsec_tun_pol_t
*itp
, void *ignoreme
, netstack_t
*ns
)
1283 mutex_enter(&itp
->itp_lock
);
1284 ITPF_SWAP(itp
->itp_flags
);
1285 ipsec_swap_policy(itp
->itp_policy
, itp
->itp_inactive
, ns
);
1286 mutex_exit(&itp
->itp_lock
);
1290 spdsock_flip(queue_t
*q
, mblk_t
*mp
, spd_if_t
*tunname
)
1293 ipsec_tun_pol_t
*itp
;
1294 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
1295 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
1297 if (tunname
!= NULL
) {
1298 tname
= (char *)tunname
->spd_if_name
;
1299 if (*tname
== '\0') {
1301 ipsec_swap_global_policy(ns
);
1304 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1308 cr
= msg_getcred(mp
, &cpid
);
1309 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1310 audit_pf_policy(SPD_FLIP
, cr
, ns
,
1311 NULL
, active
, 0, cpid
);
1313 itp_walk(spdsock_flip_node
, NULL
, ns
);
1316 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1320 cr
= msg_getcred(mp
, &cpid
);
1321 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1322 audit_pf_policy(SPD_FLIP
, cr
, ns
,
1323 "all tunnels", active
, 0, cpid
);
1326 itp
= get_tunnel_policy(tname
, ns
);
1328 /* Better idea for "tunnel not found"? */
1329 spdsock_error(q
, mp
, ESRCH
, 0);
1333 (spd_msg_t
*)mp
->b_rptr
;
1337 cr
= msg_getcred(mp
, &cpid
);
1338 active
= (spmsg
->spd_msg_spdid
==
1340 audit_pf_policy(SPD_FLIP
, cr
, ns
,
1341 ITP_NAME(itp
), active
,
1346 spdsock_flip_node(itp
, NULL
, NULL
);
1349 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1353 cr
= msg_getcred(mp
, &cpid
);
1354 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1355 audit_pf_policy(SPD_FLIP
, cr
, ns
,
1356 ITP_NAME(itp
), active
, 0, cpid
);
1358 ITP_REFRELE(itp
, ns
);
1361 ipsec_swap_global_policy(ns
); /* can't fail */
1364 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
1368 cr
= msg_getcred(mp
, &cpid
);
1369 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
1370 audit_pf_policy(SPD_FLIP
, cr
,
1371 ns
, NULL
, active
, 0, cpid
);
1378 * Unimplemented feature
1382 spdsock_lookup(queue_t
*q
, ipsec_policy_head_t
*iph
, mblk_t
*mp
,
1383 spd_ext_t
**extv
, ipsec_tun_pol_t
*itp
)
1385 spdsock_error(q
, mp
, EINVAL
, 0);
1390 spdsock_dump_ruleset(mblk_t
*req
, ipsec_policy_head_t
*iph
,
1391 uint32_t count
, uint16_t error
)
1393 size_t len
= sizeof (spd_ruleset_ext_t
) + sizeof (spd_msg_t
);
1395 spd_ruleset_ext_t
*ruleset
;
1396 mblk_t
*m
= allocb(len
, BPRI_HI
);
1398 ASSERT(RW_READ_HELD(&iph
->iph_lock
));
1403 msg
= (spd_msg_t
*)m
->b_rptr
;
1404 ruleset
= (spd_ruleset_ext_t
*)(&msg
[1]);
1406 m
->b_wptr
= (uint8_t *)&ruleset
[1];
1408 *msg
= *(spd_msg_t
*)(req
->b_rptr
);
1409 msg
->spd_msg_len
= SPD_8TO64(len
);
1410 msg
->spd_msg_errno
= error
;
1412 ruleset
->spd_ruleset_len
= SPD_8TO64(sizeof (*ruleset
));
1413 ruleset
->spd_ruleset_type
= SPD_EXT_RULESET
;
1414 ruleset
->spd_ruleset_count
= count
;
1415 ruleset
->spd_ruleset_version
= iph
->iph_gen
;
1420 spdsock_dump_finish(spdsock_t
*ss
, int error
)
1423 ipsec_policy_head_t
*iph
= ss
->spdsock_dump_head
;
1424 mblk_t
*req
= ss
->spdsock_dump_req
;
1425 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
1427 rw_enter(&iph
->iph_lock
, RW_READER
);
1428 m
= spdsock_dump_ruleset(req
, iph
, ss
->spdsock_dump_count
, error
);
1429 rw_exit(&iph
->iph_lock
);
1430 IPPH_REFRELE(iph
, ns
);
1431 if (ss
->spdsock_itp
!= NULL
) {
1432 ITP_REFRELE(ss
->spdsock_itp
, ns
);
1433 ss
->spdsock_itp
= NULL
;
1435 ss
->spdsock_dump_req
= NULL
;
1442 * Rule encoding functions.
1443 * We do a two-pass encode.
1444 * If base != NULL, fill in encoded rule part starting at base+offset.
1445 * Always return "offset" plus length of to-be-encoded data.
1448 spdsock_encode_typecode(uint8_t *base
, uint_t offset
, uint8_t type
,
1449 uint8_t type_end
, uint8_t code
, uint8_t code_end
)
1451 struct spd_typecode
*tcp
;
1453 ASSERT(ALIGNED64(offset
));
1456 tcp
= (struct spd_typecode
*)(base
+ offset
);
1457 tcp
->spd_typecode_len
= SPD_8TO64(sizeof (*tcp
));
1458 tcp
->spd_typecode_exttype
= SPD_EXT_ICMP_TYPECODE
;
1459 tcp
->spd_typecode_code
= code
;
1460 tcp
->spd_typecode_type
= type
;
1461 tcp
->spd_typecode_type_end
= type_end
;
1462 tcp
->spd_typecode_code_end
= code_end
;
1464 offset
+= sizeof (*tcp
);
1466 ASSERT(ALIGNED64(offset
));
1472 spdsock_encode_proto(uint8_t *base
, uint_t offset
, uint8_t proto
)
1474 struct spd_proto
*spp
;
1476 ASSERT(ALIGNED64(offset
));
1479 spp
= (struct spd_proto
*)(base
+ offset
);
1480 spp
->spd_proto_len
= SPD_8TO64(sizeof (*spp
));
1481 spp
->spd_proto_exttype
= SPD_EXT_PROTO
;
1482 spp
->spd_proto_number
= proto
;
1483 spp
->spd_proto_reserved1
= 0;
1484 spp
->spd_proto_reserved2
= 0;
1486 offset
+= sizeof (*spp
);
1488 ASSERT(ALIGNED64(offset
));
1494 spdsock_encode_port(uint8_t *base
, uint_t offset
, uint16_t ext
, uint16_t port
)
1496 struct spd_portrange
*spp
;
1498 ASSERT(ALIGNED64(offset
));
1501 spp
= (struct spd_portrange
*)(base
+ offset
);
1502 spp
->spd_ports_len
= SPD_8TO64(sizeof (*spp
));
1503 spp
->spd_ports_exttype
= ext
;
1504 spp
->spd_ports_minport
= port
;
1505 spp
->spd_ports_maxport
= port
;
1507 offset
+= sizeof (*spp
);
1509 ASSERT(ALIGNED64(offset
));
1515 spdsock_encode_addr(uint8_t *base
, uint_t offset
, uint16_t ext
,
1516 const ipsec_selkey_t
*sel
, const ipsec_addr_t
*addr
, uint_t pfxlen
)
1518 struct spd_address
*sae
;
1519 ipsec_addr_t
*spdaddr
;
1520 uint_t start
= offset
;
1524 if (sel
->ipsl_valid
& IPSL_IPV4
) {
1526 addrlen
= IP_ADDR_LEN
;
1529 addrlen
= IPV6_ADDR_LEN
;
1532 ASSERT(ALIGNED64(offset
));
1535 sae
= (struct spd_address
*)(base
+ offset
);
1536 sae
->spd_address_exttype
= ext
;
1537 sae
->spd_address_af
= af
;
1538 sae
->spd_address_prefixlen
= pfxlen
;
1539 sae
->spd_address_reserved2
= 0;
1541 spdaddr
= (ipsec_addr_t
*)(&sae
[1]);
1542 bcopy(addr
, spdaddr
, addrlen
);
1544 offset
+= sizeof (*sae
);
1545 addrlen
= roundup(addrlen
, sizeof (uint64_t));
1548 ASSERT(ALIGNED64(offset
));
1551 sae
->spd_address_len
= SPD_8TO64(offset
- start
);
1556 spdsock_encode_sel(uint8_t *base
, uint_t offset
, const ipsec_sel_t
*sel
)
1558 const ipsec_selkey_t
*selkey
= &sel
->ipsl_key
;
1560 if (selkey
->ipsl_valid
& IPSL_PROTOCOL
)
1561 offset
= spdsock_encode_proto(base
, offset
, selkey
->ipsl_proto
);
1562 if (selkey
->ipsl_valid
& IPSL_LOCAL_PORT
)
1563 offset
= spdsock_encode_port(base
, offset
, SPD_EXT_LCLPORT
,
1564 selkey
->ipsl_lport
);
1565 if (selkey
->ipsl_valid
& IPSL_REMOTE_PORT
)
1566 offset
= spdsock_encode_port(base
, offset
, SPD_EXT_REMPORT
,
1567 selkey
->ipsl_rport
);
1568 if (selkey
->ipsl_valid
& IPSL_REMOTE_ADDR
)
1569 offset
= spdsock_encode_addr(base
, offset
, SPD_EXT_REMADDR
,
1570 selkey
, &selkey
->ipsl_remote
, selkey
->ipsl_remote_pfxlen
);
1571 if (selkey
->ipsl_valid
& IPSL_LOCAL_ADDR
)
1572 offset
= spdsock_encode_addr(base
, offset
, SPD_EXT_LCLADDR
,
1573 selkey
, &selkey
->ipsl_local
, selkey
->ipsl_local_pfxlen
);
1574 if (selkey
->ipsl_valid
& IPSL_ICMP_TYPE
) {
1575 offset
= spdsock_encode_typecode(base
, offset
,
1576 selkey
->ipsl_icmp_type
, selkey
->ipsl_icmp_type_end
,
1577 (selkey
->ipsl_valid
& IPSL_ICMP_CODE
) ?
1578 selkey
->ipsl_icmp_code
: 255,
1579 (selkey
->ipsl_valid
& IPSL_ICMP_CODE
) ?
1580 selkey
->ipsl_icmp_code_end
: 255);
1586 spdsock_encode_actattr(uint8_t *base
, uint_t offset
, uint32_t tag
,
1589 struct spd_attribute
*attr
;
1591 ASSERT(ALIGNED64(offset
));
1594 attr
= (struct spd_attribute
*)(base
+ offset
);
1595 attr
->spd_attr_tag
= tag
;
1596 attr
->spd_attr_value
= value
;
1598 offset
+= sizeof (struct spd_attribute
);
1600 ASSERT(ALIGNED64(offset
));
1606 #define EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v))
1609 spdsock_encode_action(uint8_t *base
, uint_t offset
, const ipsec_action_t
*ap
)
1611 const struct ipsec_act
*act
= &(ap
->ipa_act
);
1614 EMIT(SPD_ATTR_EMPTY
, 0);
1615 switch (act
->ipa_type
) {
1616 case IPSEC_ACT_DISCARD
:
1617 case IPSEC_ACT_REJECT
:
1618 EMIT(SPD_ATTR_TYPE
, SPD_ACTTYPE_DROP
);
1620 case IPSEC_ACT_BYPASS
:
1621 case IPSEC_ACT_CLEAR
:
1622 EMIT(SPD_ATTR_TYPE
, SPD_ACTTYPE_PASS
);
1625 case IPSEC_ACT_APPLY
:
1626 EMIT(SPD_ATTR_TYPE
, SPD_ACTTYPE_IPSEC
);
1628 if (act
->ipa_apply
.ipp_use_ah
)
1629 flags
|= SPD_APPLY_AH
;
1630 if (act
->ipa_apply
.ipp_use_esp
)
1631 flags
|= SPD_APPLY_ESP
;
1632 if (act
->ipa_apply
.ipp_use_espa
)
1633 flags
|= SPD_APPLY_ESPA
;
1634 if (act
->ipa_apply
.ipp_use_se
)
1635 flags
|= SPD_APPLY_SE
;
1636 if (act
->ipa_apply
.ipp_use_unique
)
1637 flags
|= SPD_APPLY_UNIQUE
;
1638 EMIT(SPD_ATTR_FLAGS
, flags
);
1639 if (flags
& SPD_APPLY_AH
) {
1640 EMIT(SPD_ATTR_AH_AUTH
, act
->ipa_apply
.ipp_auth_alg
);
1641 EMIT(SPD_ATTR_AH_MINBITS
,
1642 act
->ipa_apply
.ipp_ah_minbits
);
1643 EMIT(SPD_ATTR_AH_MAXBITS
,
1644 act
->ipa_apply
.ipp_ah_maxbits
);
1646 if (flags
& SPD_APPLY_ESP
) {
1647 EMIT(SPD_ATTR_ESP_ENCR
, act
->ipa_apply
.ipp_encr_alg
);
1648 EMIT(SPD_ATTR_ENCR_MINBITS
,
1649 act
->ipa_apply
.ipp_espe_minbits
);
1650 EMIT(SPD_ATTR_ENCR_MAXBITS
,
1651 act
->ipa_apply
.ipp_espe_maxbits
);
1652 if (flags
& SPD_APPLY_ESPA
) {
1653 EMIT(SPD_ATTR_ESP_AUTH
,
1654 act
->ipa_apply
.ipp_esp_auth_alg
);
1655 EMIT(SPD_ATTR_ESPA_MINBITS
,
1656 act
->ipa_apply
.ipp_espa_minbits
);
1657 EMIT(SPD_ATTR_ESPA_MAXBITS
,
1658 act
->ipa_apply
.ipp_espa_maxbits
);
1661 if (act
->ipa_apply
.ipp_km_proto
!= 0)
1662 EMIT(SPD_ATTR_KM_PROTO
, act
->ipa_apply
.ipp_km_proto
);
1663 if (act
->ipa_apply
.ipp_km_cookie
!= 0)
1664 EMIT(SPD_ATTR_KM_PROTO
, act
->ipa_apply
.ipp_km_cookie
);
1665 if (act
->ipa_apply
.ipp_replay_depth
!= 0)
1666 EMIT(SPD_ATTR_REPLAY_DEPTH
,
1667 act
->ipa_apply
.ipp_replay_depth
);
1676 spdsock_encode_action_list(uint8_t *base
, uint_t offset
,
1677 const ipsec_action_t
*ap
)
1679 struct spd_ext_actions
*act
;
1681 uint_t start
= offset
;
1683 ASSERT(ALIGNED64(offset
));
1686 act
= (struct spd_ext_actions
*)(base
+ offset
);
1687 act
->spd_actions_len
= 0;
1688 act
->spd_actions_exttype
= SPD_EXT_ACTION
;
1689 act
->spd_actions_count
= 0;
1690 act
->spd_actions_reserved
= 0;
1693 offset
+= sizeof (*act
);
1695 ASSERT(ALIGNED64(offset
));
1697 while (ap
!= NULL
) {
1698 offset
= spdsock_encode_action(base
, offset
, ap
);
1702 EMIT(SPD_ATTR_NEXT
, 0);
1705 EMIT(SPD_ATTR_END
, 0);
1707 ASSERT(ALIGNED64(offset
));
1710 act
->spd_actions_count
= nact
;
1711 act
->spd_actions_len
= SPD_8TO64(offset
- start
);
1721 spdsock_rule_flags(uint_t dir
, uint_t af
)
1725 if (dir
== IPSEC_TYPE_INBOUND
)
1726 flags
|= SPD_RULE_FLAG_INBOUND
;
1727 if (dir
== IPSEC_TYPE_OUTBOUND
)
1728 flags
|= SPD_RULE_FLAG_OUTBOUND
;
1735 spdsock_encode_rule_head(uint8_t *base
, uint_t offset
, spd_msg_t
*req
,
1736 const ipsec_policy_t
*rule
, uint_t dir
, uint_t af
, char *name
,
1739 struct spd_msg
*spmsg
;
1740 struct spd_rule
*spr
;
1743 uint_t start
= offset
;
1745 ASSERT(ALIGNED64(offset
));
1748 spmsg
= (struct spd_msg
*)(base
+ offset
);
1749 bzero(spmsg
, sizeof (*spmsg
));
1750 spmsg
->spd_msg_version
= PF_POLICY_V1
;
1751 spmsg
->spd_msg_type
= SPD_DUMP
;
1752 spmsg
->spd_msg_seq
= req
->spd_msg_seq
;
1753 spmsg
->spd_msg_pid
= req
->spd_msg_pid
;
1755 offset
+= sizeof (struct spd_msg
);
1757 ASSERT(ALIGNED64(offset
));
1760 spr
= (struct spd_rule
*)(base
+ offset
);
1761 spr
->spd_rule_type
= SPD_EXT_RULE
;
1762 spr
->spd_rule_priority
= rule
->ipsp_prio
;
1763 spr
->spd_rule_flags
= spdsock_rule_flags(dir
, af
);
1765 spr
->spd_rule_flags
|= SPD_RULE_FLAG_TUNNEL
;
1766 spr
->spd_rule_unused
= 0;
1767 spr
->spd_rule_len
= SPD_8TO64(sizeof (*spr
));
1768 spr
->spd_rule_index
= rule
->ipsp_index
;
1770 offset
+= sizeof (struct spd_rule
);
1773 * If we have an interface name (i.e. if this policy head came from
1774 * a tunnel), add the SPD_EXT_TUN_NAME extension.
1778 ASSERT(ALIGNED64(offset
));
1781 sid
= (spd_if_t
*)(base
+ offset
);
1782 sid
->spd_if_exttype
= SPD_EXT_TUN_NAME
;
1783 sid
->spd_if_len
= SPD_8TO64(sizeof (spd_if_t
) +
1784 roundup((strlen(name
) - 4), 8));
1785 (void) strlcpy((char *)sid
->spd_if_name
, name
,
1789 offset
+= sizeof (spd_if_t
) + roundup((strlen(name
) - 4), 8);
1792 offset
= spdsock_encode_sel(base
, offset
, rule
->ipsp_sel
);
1793 offset
= spdsock_encode_action_list(base
, offset
, rule
->ipsp_act
);
1795 ASSERT(ALIGNED64(offset
));
1798 spmsg
->spd_msg_len
= SPD_8TO64(offset
- start
);
1805 spdsock_encode_rule(mblk_t
*req
, const ipsec_policy_t
*rule
,
1806 uint_t dir
, uint_t af
, char *name
, boolean_t tunnel
)
1810 spd_msg_t
*mreq
= (spd_msg_t
*)req
->b_rptr
;
1813 * Figure out how much space we'll need.
1815 len
= spdsock_encode_rule_head(NULL
, 0, mreq
, rule
, dir
, af
, name
,
1821 m
= allocb(len
, BPRI_HI
);
1828 m
->b_wptr
= m
->b_rptr
+ len
;
1829 bzero(m
->b_rptr
, len
);
1830 (void) spdsock_encode_rule_head(m
->b_rptr
, 0, mreq
, rule
, dir
, af
,
1835 static ipsec_policy_t
*
1836 spdsock_dump_next_in_chain(spdsock_t
*ss
, ipsec_policy_head_t
*iph
,
1837 ipsec_policy_t
*cur
)
1839 ASSERT(RW_READ_HELD(&iph
->iph_lock
));
1841 ss
->spdsock_dump_count
++;
1842 ss
->spdsock_dump_cur_rule
= cur
->ipsp_hash
.hash_next
;
1846 static ipsec_policy_t
*
1847 spdsock_dump_next_rule(spdsock_t
*ss
, ipsec_policy_head_t
*iph
)
1849 ipsec_policy_t
*cur
;
1850 ipsec_policy_root_t
*ipr
;
1851 int chain
, nchains
, type
, af
;
1853 ASSERT(RW_READ_HELD(&iph
->iph_lock
));
1855 cur
= ss
->spdsock_dump_cur_rule
;
1858 return (spdsock_dump_next_in_chain(ss
, iph
, cur
));
1860 type
= ss
->spdsock_dump_cur_type
;
1863 chain
= ss
->spdsock_dump_cur_chain
;
1864 ipr
= &iph
->iph_root
[type
];
1865 nchains
= ipr
->ipr_nchains
;
1867 while (chain
< nchains
) {
1868 cur
= ipr
->ipr_hash
[chain
].hash_head
;
1871 ss
->spdsock_dump_cur_chain
= chain
;
1872 return (spdsock_dump_next_in_chain(ss
, iph
, cur
));
1875 ss
->spdsock_dump_cur_chain
= nchains
;
1877 af
= ss
->spdsock_dump_cur_af
;
1878 while (af
< IPSEC_NAF
) {
1879 cur
= ipr
->ipr_nonhash
[af
];
1882 ss
->spdsock_dump_cur_af
= af
;
1883 return (spdsock_dump_next_in_chain(ss
, iph
, cur
));
1888 if (type
>= IPSEC_NTYPES
)
1891 ss
->spdsock_dump_cur_chain
= 0;
1892 ss
->spdsock_dump_cur_type
= type
;
1893 ss
->spdsock_dump_cur_af
= IPSEC_AF_V4
;
1899 * If we're done with one policy head, but have more to go, we iterate through
1900 * another IPsec tunnel policy head (itp). Return NULL if it is an error
1901 * worthy of returning EAGAIN via PF_POLICY.
1903 static ipsec_tun_pol_t
*
1904 spdsock_dump_iterate_next_tunnel(spdsock_t
*ss
, ipsec_stack_t
*ipss
)
1906 ipsec_tun_pol_t
*itp
;
1908 ASSERT(RW_READ_HELD(&ipss
->ipsec_tunnel_policy_lock
));
1909 if (ipss
->ipsec_tunnel_policy_gen
> ss
->spdsock_dump_tun_gen
) {
1910 /* Oops, state of the tunnel polheads changed. */
1912 } else if (ss
->spdsock_itp
== NULL
) {
1913 /* Just finished global, find first node. */
1914 itp
= avl_first(&ipss
->ipsec_tunnel_policies
);
1916 /* We just finished current polhead, find the next one. */
1917 itp
= AVL_NEXT(&ipss
->ipsec_tunnel_policies
, ss
->spdsock_itp
);
1922 if (ss
->spdsock_itp
!= NULL
) {
1923 ITP_REFRELE(ss
->spdsock_itp
, ipss
->ipsec_netstack
);
1925 ss
->spdsock_itp
= itp
;
1930 spdsock_dump_next_record(spdsock_t
*ss
)
1932 ipsec_policy_head_t
*iph
;
1933 ipsec_policy_t
*rule
;
1935 ipsec_tun_pol_t
*itp
;
1936 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
1937 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
1939 iph
= ss
->spdsock_dump_head
;
1941 ASSERT(iph
!= NULL
);
1943 rw_enter(&iph
->iph_lock
, RW_READER
);
1945 if (iph
->iph_gen
!= ss
->spdsock_dump_gen
) {
1946 rw_exit(&iph
->iph_lock
);
1947 return (spdsock_dump_finish(ss
, EAGAIN
));
1950 while ((rule
= spdsock_dump_next_rule(ss
, iph
)) == NULL
) {
1951 rw_exit(&iph
->iph_lock
);
1952 if (--(ss
->spdsock_dump_remaining_polheads
) == 0)
1953 return (spdsock_dump_finish(ss
, 0));
1957 * If we reach here, we have more policy heads (tunnel
1958 * entries) to dump. Let's reset to a new policy head
1959 * and get some more rules.
1961 * An empty policy head will have spdsock_dump_next_rule()
1962 * return NULL, and we loop (while dropping the number of
1963 * remaining polheads). If we loop to 0, we finish. We
1964 * keep looping until we hit 0 or until we have a rule to
1967 * NOTE: No need for ITP_REF*() macros here as we're only
1968 * going after and refholding the policy head itself.
1970 rw_enter(&ipss
->ipsec_tunnel_policy_lock
, RW_READER
);
1971 itp
= spdsock_dump_iterate_next_tunnel(ss
, ipss
);
1973 rw_exit(&ipss
->ipsec_tunnel_policy_lock
);
1974 return (spdsock_dump_finish(ss
, EAGAIN
));
1977 /* Reset other spdsock_dump thingies. */
1978 IPPH_REFRELE(ss
->spdsock_dump_head
, ns
);
1979 if (ss
->spdsock_dump_active
) {
1980 ss
->spdsock_dump_tunnel
=
1981 itp
->itp_flags
& ITPF_P_TUNNEL
;
1982 iph
= itp
->itp_policy
;
1984 ss
->spdsock_dump_tunnel
=
1985 itp
->itp_flags
& ITPF_I_TUNNEL
;
1986 iph
= itp
->itp_inactive
;
1989 rw_exit(&ipss
->ipsec_tunnel_policy_lock
);
1991 rw_enter(&iph
->iph_lock
, RW_READER
);
1992 RESET_SPDSOCK_DUMP_POLHEAD(ss
, iph
);
1995 m
= spdsock_encode_rule(ss
->spdsock_dump_req
, rule
,
1996 ss
->spdsock_dump_cur_type
, ss
->spdsock_dump_cur_af
,
1997 (ss
->spdsock_itp
== NULL
) ? NULL
: ss
->spdsock_itp
->itp_name
,
1998 ss
->spdsock_dump_tunnel
);
1999 rw_exit(&iph
->iph_lock
);
2002 return (spdsock_dump_finish(ss
, ENOMEM
));
2007 * Dump records until we run into flow-control back-pressure.
2010 spdsock_dump_some(queue_t
*q
, spdsock_t
*ss
)
2012 mblk_t
*m
, *dataind
;
2014 while ((ss
->spdsock_dump_req
!= NULL
) && canputnext(q
)) {
2015 m
= spdsock_dump_next_record(ss
);
2018 dataind
= allocb(sizeof (struct T_data_req
), BPRI_HI
);
2019 if (dataind
== NULL
) {
2023 dataind
->b_cont
= m
;
2024 dataind
->b_wptr
+= sizeof (struct T_data_req
);
2025 ((struct T_data_ind
*)dataind
->b_rptr
)->PRIM_type
= T_DATA_IND
;
2026 ((struct T_data_ind
*)dataind
->b_rptr
)->MORE_flag
= 0;
2027 dataind
->b_datap
->db_type
= M_PROTO
;
2028 putnext(q
, dataind
);
2034 * Format a start-of-dump record, and set up the stream and kick the rsrv
2035 * procedure to continue the job..
2039 spdsock_dump(queue_t
*q
, ipsec_policy_head_t
*iph
, mblk_t
*mp
)
2041 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2042 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
2043 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
2046 /* spdsock_open() already set spdsock_itp to NULL. */
2047 if (iph
== ALL_ACTIVE_POLHEADS
|| iph
== ALL_INACTIVE_POLHEADS
) {
2048 rw_enter(&ipss
->ipsec_tunnel_policy_lock
, RW_READER
);
2049 ss
->spdsock_dump_remaining_polheads
= 1 +
2050 avl_numnodes(&ipss
->ipsec_tunnel_policies
);
2051 ss
->spdsock_dump_tun_gen
= ipss
->ipsec_tunnel_policy_gen
;
2052 rw_exit(&ipss
->ipsec_tunnel_policy_lock
);
2053 if (iph
== ALL_ACTIVE_POLHEADS
) {
2054 iph
= ipsec_system_policy(ns
);
2055 ss
->spdsock_dump_active
= B_TRUE
;
2057 iph
= ipsec_inactive_policy(ns
);
2058 ss
->spdsock_dump_active
= B_FALSE
;
2060 ASSERT(ss
->spdsock_itp
== NULL
);
2062 ss
->spdsock_dump_remaining_polheads
= 1;
2065 rw_enter(&iph
->iph_lock
, RW_READER
);
2067 mr
= spdsock_dump_ruleset(mp
, iph
, 0, 0);
2070 rw_exit(&iph
->iph_lock
);
2071 spdsock_error(q
, mp
, ENOMEM
, 0);
2075 ss
->spdsock_dump_req
= mp
;
2076 RESET_SPDSOCK_DUMP_POLHEAD(ss
, iph
);
2078 rw_exit(&iph
->iph_lock
);
2084 /* Do NOT consume a reference to ITP. */
2086 spdsock_clone_node(ipsec_tun_pol_t
*itp
, void *ep
, netstack_t
*ns
)
2088 int *errptr
= (int *)ep
;
2091 return; /* We've failed already for some reason. */
2092 mutex_enter(&itp
->itp_lock
);
2093 ITPF_CLONE(itp
->itp_flags
);
2094 *errptr
= ipsec_copy_polhead(itp
->itp_policy
, itp
->itp_inactive
, ns
);
2095 mutex_exit(&itp
->itp_lock
);
2099 spdsock_clone(queue_t
*q
, mblk_t
*mp
, spd_if_t
*tunname
)
2103 ipsec_tun_pol_t
*itp
;
2104 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2105 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
2107 if (tunname
!= NULL
) {
2108 tname
= (char *)tunname
->spd_if_name
;
2109 if (*tname
== '\0') {
2110 error
= ipsec_clone_system_policy(ns
);
2113 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
2117 cr
= msg_getcred(mp
, &cpid
);
2118 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
2119 audit_pf_policy(SPD_CLONE
, cr
, ns
,
2120 NULL
, active
, error
, cpid
);
2123 itp_walk(spdsock_clone_node
, &error
, ns
);
2127 (spd_msg_t
*)mp
->b_rptr
;
2131 cr
= msg_getcred(mp
, &cpid
);
2132 active
= (spmsg
->spd_msg_spdid
==
2134 audit_pf_policy(SPD_CLONE
, cr
,
2135 ns
, "all tunnels", active
, 0,
2140 itp
= get_tunnel_policy(tname
, ns
);
2142 spdsock_error(q
, mp
, ENOENT
, 0);
2146 (spd_msg_t
*)mp
->b_rptr
;
2150 cr
= msg_getcred(mp
, &cpid
);
2151 active
= (spmsg
->spd_msg_spdid
==
2153 audit_pf_policy(SPD_CLONE
, cr
,
2154 ns
, NULL
, active
, ENOENT
, cpid
);
2158 spdsock_clone_node(itp
, &error
, NULL
);
2161 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
2165 cr
= msg_getcred(mp
, &cpid
);
2166 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
2167 audit_pf_policy(SPD_CLONE
, cr
, ns
,
2168 ITP_NAME(itp
), active
, error
, cpid
);
2170 ITP_REFRELE(itp
, ns
);
2173 error
= ipsec_clone_system_policy(ns
);
2176 spd_msg_t
*spmsg
= (spd_msg_t
*)mp
->b_rptr
;
2180 cr
= msg_getcred(mp
, &cpid
);
2181 active
= (spmsg
->spd_msg_spdid
== SPD_ACTIVE
);
2182 audit_pf_policy(SPD_CLONE
, cr
, ns
, NULL
,
2183 active
, error
, cpid
);
2188 spdsock_error(q
, mp
, error
, 0);
2194 * Process a SPD_ALGLIST request. The caller expects separate alg entries
2195 * for AH authentication, ESP authentication, and ESP encryption.
2196 * The same distinction is then used when setting the min and max key
2197 * sizes when defining policies.
2200 #define SPDSOCK_AH_AUTH 0
2201 #define SPDSOCK_ESP_AUTH 1
2202 #define SPDSOCK_ESP_ENCR 2
2203 #define SPDSOCK_NTYPES 3
2205 static const uint_t algattr
[SPDSOCK_NTYPES
] = {
2210 static const uint_t minbitsattr
[SPDSOCK_NTYPES
] = {
2211 SPD_ATTR_AH_MINBITS
,
2212 SPD_ATTR_ESPA_MINBITS
,
2213 SPD_ATTR_ENCR_MINBITS
2215 static const uint_t maxbitsattr
[SPDSOCK_NTYPES
] = {
2216 SPD_ATTR_AH_MAXBITS
,
2217 SPD_ATTR_ESPA_MAXBITS
,
2218 SPD_ATTR_ENCR_MAXBITS
2220 static const uint_t defbitsattr
[SPDSOCK_NTYPES
] = {
2221 SPD_ATTR_AH_DEFBITS
,
2222 SPD_ATTR_ESPA_DEFBITS
,
2223 SPD_ATTR_ENCR_DEFBITS
2225 static const uint_t incrbitsattr
[SPDSOCK_NTYPES
] = {
2226 SPD_ATTR_AH_INCRBITS
,
2227 SPD_ATTR_ESPA_INCRBITS
,
2228 SPD_ATTR_ENCR_INCRBITS
2231 #define ATTRPERALG 6 /* fixed attributes per algs */
2234 spdsock_alglist(queue_t
*q
, mblk_t
*mp
)
2243 struct spd_ext_actions
*act
;
2244 struct spd_attribute
*attr
;
2245 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2246 ipsec_stack_t
*ipss
= ss
->spdsock_spds
->spds_netstack
->netstack_ipsec
;
2248 mutex_enter(&ipss
->ipsec_alg_lock
);
2250 * The SPD client expects to receive separate entries for
2251 * AH authentication and ESP authentication supported algorithms.
2253 * Don't return the "any" algorithms, if defined, as no
2254 * kernel policies can be set for these algorithms.
2256 algcount
= 2 * ipss
->ipsec_nalgs
[IPSEC_ALG_AUTH
] +
2257 ipss
->ipsec_nalgs
[IPSEC_ALG_ENCR
];
2259 if (ipss
->ipsec_alglists
[IPSEC_ALG_AUTH
][SADB_AALG_NONE
] != NULL
)
2261 if (ipss
->ipsec_alglists
[IPSEC_ALG_ENCR
][SADB_EALG_NONE
] != NULL
)
2265 * For each algorithm, we encode:
2266 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2269 size
= sizeof (spd_msg_t
) + sizeof (struct spd_ext_actions
) +
2270 ATTRPERALG
* sizeof (struct spd_attribute
) * algcount
;
2272 ASSERT(ALIGNED64(size
));
2274 m
= allocb(size
, BPRI_HI
);
2276 mutex_exit(&ipss
->ipsec_alg_lock
);
2277 spdsock_error(q
, mp
, ENOMEM
, 0);
2281 m
->b_wptr
= m
->b_rptr
+ size
;
2284 msg
= (spd_msg_t
*)cur
;
2285 bcopy(mp
->b_rptr
, cur
, sizeof (*msg
));
2287 msg
->spd_msg_len
= SPD_8TO64(size
);
2288 msg
->spd_msg_errno
= 0;
2289 msg
->spd_msg_diagnostic
= 0;
2291 cur
+= sizeof (*msg
);
2293 act
= (struct spd_ext_actions
*)cur
;
2294 cur
+= sizeof (*act
);
2296 act
->spd_actions_len
= SPD_8TO64(size
- sizeof (spd_msg_t
));
2297 act
->spd_actions_exttype
= SPD_EXT_ACTION
;
2298 act
->spd_actions_count
= algcount
;
2299 act
->spd_actions_reserved
= 0;
2301 attr
= (struct spd_attribute
*)cur
;
2303 #define EMIT(tag, value) { \
2304 attr->spd_attr_tag = (tag); \
2305 attr->spd_attr_value = (value); \
2310 * If you change the number of EMIT's here, change
2311 * ATTRPERALG above to match
2313 #define EMITALGATTRS(_type) { \
2314 EMIT(algattr[_type], algid); /* 1 */ \
2315 EMIT(minbitsattr[_type], minbits); /* 2 */ \
2316 EMIT(maxbitsattr[_type], maxbits); /* 3 */ \
2317 EMIT(defbitsattr[_type], defbits); /* 4 */ \
2318 EMIT(incrbitsattr[_type], incr); /* 5 */ \
2319 EMIT(SPD_ATTR_NEXT, 0); /* 6 */ \
2322 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
2323 for (algidx
= 0; algidx
< ipss
->ipsec_nalgs
[algtype
];
2325 int algid
= ipss
->ipsec_sortlist
[algtype
][algidx
];
2326 ipsec_alginfo_t
*alg
=
2327 ipss
->ipsec_alglists
[algtype
][algid
];
2328 uint_t minbits
= alg
->alg_minbits
;
2329 uint_t maxbits
= alg
->alg_maxbits
;
2330 uint_t defbits
= alg
->alg_default_bits
;
2331 uint_t incr
= alg
->alg_increment
;
2333 if (algtype
== IPSEC_ALG_AUTH
) {
2334 if (algid
== SADB_AALG_NONE
)
2336 EMITALGATTRS(SPDSOCK_AH_AUTH
);
2337 EMITALGATTRS(SPDSOCK_ESP_AUTH
);
2339 if (algid
== SADB_EALG_NONE
)
2341 ASSERT(algtype
== IPSEC_ALG_ENCR
);
2342 EMITALGATTRS(SPDSOCK_ESP_ENCR
);
2347 mutex_exit(&ipss
->ipsec_alg_lock
);
2354 attr
->spd_attr_tag
= SPD_ATTR_END
;
2361 * Process a SPD_DUMPALGS request.
2364 #define ATTRPERALG 7 /* fixed attributes per algs */
2367 spdsock_dumpalgs(queue_t
*q
, mblk_t
*mp
)
2375 struct spd_ext_actions
*act
;
2376 struct spd_attribute
*attr
;
2377 ipsec_alginfo_t
*alg
;
2381 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2382 ipsec_stack_t
*ipss
= ss
->spdsock_spds
->spds_netstack
->netstack_ipsec
;
2384 mutex_enter(&ipss
->ipsec_alg_lock
);
2387 * For each algorithm, we encode:
2388 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2390 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE*
2391 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_MECHNAME / {END, NEXT}
2395 * Compute the size of the SPD message.
2397 size
= sizeof (spd_msg_t
) + sizeof (struct spd_ext_actions
);
2399 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
2400 for (algidx
= 0; algidx
< ipss
->ipsec_nalgs
[algtype
];
2402 algid
= ipss
->ipsec_sortlist
[algtype
][algidx
];
2403 alg
= ipss
->ipsec_alglists
[algtype
][algid
];
2404 alg_size
= sizeof (struct spd_attribute
) *
2405 (ATTRPERALG
+ alg
->alg_nkey_sizes
+
2406 alg
->alg_nblock_sizes
) + CRYPTO_MAX_MECH_NAME
;
2411 ASSERT(ALIGNED64(size
));
2413 m
= allocb(size
, BPRI_HI
);
2415 mutex_exit(&ipss
->ipsec_alg_lock
);
2416 spdsock_error(q
, mp
, ENOMEM
, 0);
2420 m
->b_wptr
= m
->b_rptr
+ size
;
2423 msg
= (spd_msg_t
*)cur
;
2424 bcopy(mp
->b_rptr
, cur
, sizeof (*msg
));
2426 msg
->spd_msg_len
= SPD_8TO64(size
);
2427 msg
->spd_msg_errno
= 0;
2428 msg
->spd_msg_type
= SPD_ALGLIST
;
2430 msg
->spd_msg_diagnostic
= 0;
2432 cur
+= sizeof (*msg
);
2434 act
= (struct spd_ext_actions
*)cur
;
2435 cur
+= sizeof (*act
);
2437 act
->spd_actions_len
= SPD_8TO64(size
- sizeof (spd_msg_t
));
2438 act
->spd_actions_exttype
= SPD_EXT_ACTION
;
2439 act
->spd_actions_count
= ipss
->ipsec_nalgs
[IPSEC_ALG_AUTH
] +
2440 ipss
->ipsec_nalgs
[IPSEC_ALG_ENCR
];
2441 act
->spd_actions_reserved
= 0;
2444 * If there aren't any algorithms registered, return an empty message.
2445 * spdsock_get_ext() knows how to deal with this.
2447 if (act
->spd_actions_count
== 0) {
2448 act
->spd_actions_len
= 0;
2449 mutex_exit(&ipss
->ipsec_alg_lock
);
2453 attr
= (struct spd_attribute
*)cur
;
2455 #define EMIT(tag, value) { \
2456 attr->spd_attr_tag = (tag); \
2457 attr->spd_attr_value = (value); \
2461 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
2462 for (algidx
= 0; algidx
< ipss
->ipsec_nalgs
[algtype
];
2465 algid
= ipss
->ipsec_sortlist
[algtype
][algidx
];
2466 alg
= ipss
->ipsec_alglists
[algtype
][algid
];
2469 * If you change the number of EMIT's here, change
2470 * ATTRPERALG above to match
2472 EMIT(SPD_ATTR_ALG_ID
, algid
);
2473 EMIT(SPD_ATTR_ALG_PROTO
, algproto
[algtype
]);
2474 EMIT(SPD_ATTR_ALG_INCRBITS
, alg
->alg_increment
);
2476 EMIT(SPD_ATTR_ALG_NKEYSIZES
, alg
->alg_nkey_sizes
);
2477 for (i
= 0; i
< alg
->alg_nkey_sizes
; i
++)
2478 EMIT(SPD_ATTR_ALG_KEYSIZE
,
2479 alg
->alg_key_sizes
[i
]);
2481 EMIT(SPD_ATTR_ALG_NBLOCKSIZES
, alg
->alg_nblock_sizes
);
2482 for (i
= 0; i
< alg
->alg_nblock_sizes
; i
++)
2483 EMIT(SPD_ATTR_ALG_BLOCKSIZE
,
2484 alg
->alg_block_sizes
[i
]);
2486 EMIT(SPD_ATTR_ALG_MECHNAME
, CRYPTO_MAX_MECH_NAME
);
2487 bcopy(alg
->alg_mech_name
, attr
, CRYPTO_MAX_MECH_NAME
);
2488 attr
= (struct spd_attribute
*)((char *)attr
+
2489 CRYPTO_MAX_MECH_NAME
);
2491 EMIT(SPD_ATTR_NEXT
, 0);
2495 mutex_exit(&ipss
->ipsec_alg_lock
);
2502 attr
->spd_attr_tag
= SPD_ATTR_END
;
2510 * Do the actual work of processing an SPD_UPDATEALGS request. Can
2511 * be invoked either once IPsec is loaded on a cached request, or
2512 * when a request is received while IPsec is loaded.
2515 spdsock_do_updatealg(spd_ext_t
*extv
[], int *diag
, spd_stack_t
*spds
)
2517 struct spd_ext_actions
*actp
;
2518 struct spd_attribute
*attr
, *endattr
;
2519 uint64_t *start
, *end
;
2520 ipsec_alginfo_t
*alg
= NULL
;
2521 ipsec_algtype_t alg_type
= 0;
2522 boolean_t skip_alg
= B_TRUE
, doing_proto
= B_FALSE
;
2523 uint_t i
, cur_key
, cur_block
, algid
;
2526 ASSERT(MUTEX_HELD(&spds
->spds_alg_lock
));
2528 /* parse the message, building the list of algorithms */
2530 actp
= (struct spd_ext_actions
*)extv
[SPD_EXT_ACTION
];
2532 *diag
= SPD_DIAGNOSTIC_NO_ACTION_EXT
;
2536 start
= (uint64_t *)actp
;
2537 end
= (start
+ actp
->spd_actions_len
);
2538 endattr
= (struct spd_attribute
*)end
;
2539 attr
= (struct spd_attribute
*)&actp
[1];
2541 bzero(spds
->spds_algs
, IPSEC_NALGTYPES
* IPSEC_MAX_ALGS
*
2542 sizeof (ipsec_alginfo_t
*));
2544 alg
= kmem_zalloc(sizeof (*alg
), KM_SLEEP
);
2546 #define ALG_KEY_SIZES(a) (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t))
2547 #define ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t))
2549 while (attr
< endattr
) {
2550 switch (attr
->spd_attr_tag
) {
2552 case SPD_ATTR_EMPTY
:
2559 doing_proto
= B_FALSE
;
2563 ipsec_alg_free(alg
);
2566 spds
->spds_algs
[alg_type
][alg
->alg_id
]);
2567 spds
->spds_algs
[alg_type
][alg
->alg_id
] =
2570 alg
= kmem_zalloc(sizeof (*alg
), KM_SLEEP
);
2573 case SPD_ATTR_ALG_ID
:
2574 if (attr
->spd_attr_value
>= IPSEC_MAX_ALGS
) {
2575 ss1dbg(spds
, ("spdsock_do_updatealg: "
2576 "invalid alg id %d\n",
2577 attr
->spd_attr_value
));
2578 *diag
= SPD_DIAGNOSTIC_ALG_ID_RANGE
;
2581 alg
->alg_id
= attr
->spd_attr_value
;
2584 case SPD_ATTR_ALG_PROTO
:
2585 /* find the alg type */
2586 for (i
= 0; i
< NALGPROTOS
; i
++)
2587 if (algproto
[i
] == attr
->spd_attr_value
)
2589 skip_alg
= (i
== NALGPROTOS
);
2594 case SPD_ATTR_ALG_INCRBITS
:
2595 alg
->alg_increment
= attr
->spd_attr_value
;
2598 case SPD_ATTR_ALG_NKEYSIZES
:
2599 if (alg
->alg_key_sizes
!= NULL
) {
2600 kmem_free(alg
->alg_key_sizes
,
2601 ALG_KEY_SIZES(alg
));
2603 alg
->alg_nkey_sizes
= attr
->spd_attr_value
;
2605 * Allocate room for the trailing zero key size
2608 alg
->alg_key_sizes
= kmem_zalloc(ALG_KEY_SIZES(alg
),
2613 case SPD_ATTR_ALG_KEYSIZE
:
2614 if (alg
->alg_key_sizes
== NULL
||
2615 cur_key
>= alg
->alg_nkey_sizes
) {
2616 ss1dbg(spds
, ("spdsock_do_updatealg: "
2617 "too many key sizes\n"));
2618 *diag
= SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES
;
2621 alg
->alg_key_sizes
[cur_key
++] = attr
->spd_attr_value
;
2624 case SPD_ATTR_ALG_NBLOCKSIZES
:
2625 if (alg
->alg_block_sizes
!= NULL
) {
2626 kmem_free(alg
->alg_block_sizes
,
2627 ALG_BLOCK_SIZES(alg
));
2629 alg
->alg_nblock_sizes
= attr
->spd_attr_value
;
2631 * Allocate room for the trailing zero block size
2634 alg
->alg_block_sizes
= kmem_zalloc(ALG_BLOCK_SIZES(alg
),
2639 case SPD_ATTR_ALG_BLOCKSIZE
:
2640 if (alg
->alg_block_sizes
== NULL
||
2641 cur_block
>= alg
->alg_nblock_sizes
) {
2642 ss1dbg(spds
, ("spdsock_do_updatealg: "
2643 "too many block sizes\n"));
2644 *diag
= SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES
;
2647 alg
->alg_block_sizes
[cur_block
++] =
2648 attr
->spd_attr_value
;
2651 case SPD_ATTR_ALG_MECHNAME
: {
2654 if (attr
->spd_attr_value
> CRYPTO_MAX_MECH_NAME
) {
2655 ss1dbg(spds
, ("spdsock_do_updatealg: "
2656 "mech name too long\n"));
2657 *diag
= SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN
;
2660 mech_name
= (char *)(attr
+ 1);
2661 bcopy(mech_name
, alg
->alg_mech_name
,
2662 attr
->spd_attr_value
);
2663 alg
->alg_mech_name
[CRYPTO_MAX_MECH_NAME
-1] = '\0';
2664 attr
= (struct spd_attribute
*)((char *)attr
+
2665 attr
->spd_attr_value
);
2669 case SPD_ATTR_PROTO_ID
:
2670 doing_proto
= B_TRUE
;
2671 for (i
= 0; i
< NALGPROTOS
; i
++) {
2672 if (algproto
[i
] == attr
->spd_attr_value
) {
2679 case SPD_ATTR_PROTO_EXEC_MODE
:
2682 for (i
= 0; i
< NEXECMODES
; i
++) {
2683 if (execmodes
[i
] == attr
->spd_attr_value
) {
2684 spds
->spds_algs_exec_mode
[alg_type
] = i
;
2693 #undef ALG_KEY_SIZES
2694 #undef ALG_BLOCK_SIZES
2696 /* update the algorithm tables */
2697 spdsock_merge_algs(spds
);
2700 ipsec_alg_free(alg
);
2701 for (alg_type
= 0; alg_type
< IPSEC_NALGTYPES
; alg_type
++)
2702 for (algid
= 0; algid
< IPSEC_MAX_ALGS
; algid
++)
2703 if (spds
->spds_algs
[alg_type
][algid
] != NULL
)
2704 ipsec_alg_free(spds
->spds_algs
[alg_type
][algid
]);
2708 * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue
2709 * the request until IPsec loads. If IPsec is loaded, act on it
2714 spdsock_updatealg(queue_t
*q
, mblk_t
*mp
, spd_ext_t
*extv
[])
2716 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2717 spd_stack_t
*spds
= ss
->spdsock_spds
;
2718 ipsec_stack_t
*ipss
= spds
->spds_netstack
->netstack_ipsec
;
2720 if (!ipsec_loaded(ipss
)) {
2722 * IPsec is not loaded, save request and return nicely,
2723 * the message will be processed once IPsec loads.
2727 /* last update message wins */
2728 if ((new_mp
= copymsg(mp
)) == NULL
) {
2729 spdsock_error(q
, mp
, ENOMEM
, 0);
2732 mutex_enter(&spds
->spds_alg_lock
);
2733 bcopy(extv
, spds
->spds_extv_algs
,
2734 sizeof (spd_ext_t
*) * (SPD_EXT_MAX
+ 1));
2735 if (spds
->spds_mp_algs
!= NULL
)
2736 freemsg(spds
->spds_mp_algs
);
2737 spds
->spds_mp_algs
= mp
;
2738 spds
->spds_algs_pending
= B_TRUE
;
2739 mutex_exit(&spds
->spds_alg_lock
);
2744 cr
= msg_getcred(mp
, &cpid
);
2745 audit_pf_policy(SPD_UPDATEALGS
, cr
,
2746 spds
->spds_netstack
, NULL
, B_TRUE
, EAGAIN
,
2749 spd_echo(q
, new_mp
);
2752 * IPsec is loaded, act on the message immediately.
2756 mutex_enter(&spds
->spds_alg_lock
);
2757 spdsock_do_updatealg(extv
, &diag
, spds
);
2758 mutex_exit(&spds
->spds_alg_lock
);
2765 cr
= msg_getcred(mp
, &cpid
);
2766 audit_pf_policy(SPD_UPDATEALGS
, cr
,
2767 spds
->spds_netstack
, NULL
, B_TRUE
, 0,
2771 spdsock_diag(q
, mp
, diag
);
2776 cr
= msg_getcred(mp
, &cpid
);
2777 audit_pf_policy(SPD_UPDATEALGS
, cr
,
2778 spds
->spds_netstack
, NULL
, B_TRUE
, diag
,
2786 * Sort through the mess of polhead options to retrieve an appropriate one.
2787 * Returns NULL if we send an spdsock error. Returns a valid pointer if we
2788 * found a valid polhead. Returns ALL_ACTIVE_POLHEADS (aka. -1) or
2789 * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to
2790 * act on ALL policy heads.
2792 static ipsec_policy_head_t
*
2793 get_appropriate_polhead(queue_t
*q
, mblk_t
*mp
, spd_if_t
*tunname
, int spdid
,
2794 int msgtype
, ipsec_tun_pol_t
**itpp
)
2796 ipsec_tun_pol_t
*itp
;
2797 ipsec_policy_head_t
*iph
;
2801 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2802 netstack_t
*ns
= ss
->spdsock_spds
->spds_netstack
;
2803 uint64_t gen
; /* Placeholder */
2804 datalink_id_t linkid
;
2806 active
= (spdid
== SPD_ACTIVE
);
2808 if (!active
&& spdid
!= SPD_STANDBY
) {
2809 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_BAD_SPDID
);
2813 if (tunname
!= NULL
) {
2814 /* Acting on a tunnel's SPD. */
2815 tname
= (char *)tunname
->spd_if_name
;
2816 if (*tname
== '\0') {
2817 /* Handle all-polhead cases here. */
2818 if (msgtype
!= SPD_FLUSH
&& msgtype
!= SPD_DUMP
) {
2820 SPD_DIAGNOSTIC_NOT_GLOBAL_OP
);
2823 return (active
? ALL_ACTIVE_POLHEADS
:
2824 ALL_INACTIVE_POLHEADS
);
2827 itp
= get_tunnel_policy(tname
, ns
);
2829 if (msgtype
!= SPD_ADDRULE
) {
2830 /* "Tunnel not found" */
2831 spdsock_error(q
, mp
, ENOENT
, 0);
2836 itp
= create_tunnel_policy(tname
, &errno
, &gen
, ns
);
2839 * Something very bad happened, most likely
2840 * ENOMEM. Return an indicator.
2842 spdsock_error(q
, mp
, errno
, 0);
2847 * Troll the plumbed tunnels and see if we have a match. We
2848 * need to do this always in case we add policy AFTER plumbing
2851 if (dls_mgmt_get_linkid(tname
, &linkid
) == 0)
2852 iptun_set_policy(linkid
, itp
);
2855 /* For spdsock dump state, set the polhead's name. */
2856 if (msgtype
== SPD_DUMP
) {
2858 ss
->spdsock_itp
= itp
;
2859 ss
->spdsock_dump_tunnel
= itp
->itp_flags
&
2860 (active
? ITPF_P_TUNNEL
: ITPF_I_TUNNEL
);
2864 /* For spdsock dump state, indicate it's global policy. */
2865 if (msgtype
== SPD_DUMP
)
2866 ss
->spdsock_itp
= NULL
;
2870 iph
= (itp
== NULL
) ? ipsec_system_policy(ns
) : itp
->itp_policy
;
2872 iph
= (itp
== NULL
) ? ipsec_inactive_policy(ns
) :
2875 ASSERT(iph
!= NULL
);
2884 spdsock_parse(queue_t
*q
, mblk_t
*mp
)
2887 spd_ext_t
*extv
[SPD_EXT_MAX
+ 1];
2889 ipsec_policy_head_t
*iph
;
2890 ipsec_tun_pol_t
*itp
;
2892 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2893 spd_stack_t
*spds
= ss
->spdsock_spds
;
2894 netstack_t
*ns
= spds
->spds_netstack
;
2895 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
2897 /* Make sure nothing's below me. */
2898 ASSERT(WR(q
)->q_next
== NULL
);
2900 spmsg
= (spd_msg_t
*)mp
->b_rptr
;
2902 msgsize
= SPD_64TO8(spmsg
->spd_msg_len
);
2904 if (msgdsize(mp
) != msgsize
) {
2906 * Message len incorrect w.r.t. actual size. Send an error
2907 * (EMSGSIZE). It may be necessary to massage things a
2908 * bit. For example, if the spd_msg_type is hosed,
2909 * I need to set it to SPD_RESERVED to get delivery to
2910 * do the right thing. Then again, maybe just letting
2911 * the error delivery do the right thing.
2914 ("mblk (%lu) and base (%d) message sizes don't jibe.\n",
2915 msgdsize(mp
), msgsize
));
2916 spdsock_error(q
, mp
, EMSGSIZE
, SPD_DIAGNOSTIC_NONE
);
2920 if (msgsize
> (uint_t
)(mp
->b_wptr
- mp
->b_rptr
)) {
2921 /* Get all message into one mblk. */
2922 if (pullupmsg(mp
, -1) == 0) {
2924 * Something screwy happened.
2926 ss3dbg(spds
, ("spdsock_parse: pullupmsg() failed.\n"));
2929 spmsg
= (spd_msg_t
*)mp
->b_rptr
;
2933 switch (spdsock_get_ext(extv
, spmsg
, msgsize
)) {
2935 /* Handle duplicate extension. */
2936 ss1dbg(spds
, ("Got duplicate extension of type %d.\n",
2937 extv
[0]->spd_ext_type
));
2938 spdsock_diag(q
, mp
, dup_ext_diag
[extv
[0]->spd_ext_type
]);
2941 /* Handle unknown extension. */
2942 ss1dbg(spds
, ("Got unknown extension of type %d.\n",
2943 extv
[0]->spd_ext_type
));
2944 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_UNKNOWN_EXT
);
2948 ss1dbg(spds
, ("Length %d on extension type %d overrun or 0.\n",
2949 extv
[0]->spd_ext_len
, extv
[0]->spd_ext_type
));
2950 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_BAD_EXTLEN
);
2953 /* Reality check failed. */
2954 ss1dbg(spds
, ("Reality check failed on extension type %d.\n",
2955 extv
[0]->spd_ext_type
));
2956 spdsock_diag(q
, mp
, bad_ext_diag
[extv
[0]->spd_ext_type
]);
2959 /* Default case is no errors. */
2964 * Special-case SPD_UPDATEALGS so as not to load IPsec.
2966 if (!ipsec_loaded(ipss
) && spmsg
->spd_msg_type
!= SPD_UPDATEALGS
) {
2967 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
2970 ipsec_loader_loadnow(ipss
);
2971 ss
->spdsock_timeout_arg
= mp
;
2972 ss
->spdsock_timeout
= qtimeout(q
, spdsock_loadcheck
,
2973 q
, LOADCHECK_INTERVAL
);
2977 /* First check for messages that need no polheads at all. */
2978 switch (spmsg
->spd_msg_type
) {
2979 case SPD_UPDATEALGS
:
2980 spdsock_updatealg(q
, mp
, extv
);
2983 spdsock_alglist(q
, mp
);
2986 spdsock_dumpalgs(q
, mp
);
2991 * Then check for ones that need both primary/secondary polheads,
2992 * finding the appropriate tunnel policy if need be.
2994 tunname
= (spd_if_t
*)extv
[SPD_EXT_TUN_NAME
];
2995 switch (spmsg
->spd_msg_type
) {
2997 spdsock_flip(q
, mp
, tunname
);
3000 spdsock_clone(q
, mp
, tunname
);
3005 * Finally, find ones that operate on exactly one polhead, or
3006 * "all polheads" of a given type (active/inactive).
3008 iph
= get_appropriate_polhead(q
, mp
, tunname
, spmsg
->spd_msg_spdid
,
3009 spmsg
->spd_msg_type
, &itp
);
3013 /* All-polheads-ready operations. */
3014 switch (spmsg
->spd_msg_type
) {
3017 mutex_enter(&itp
->itp_lock
);
3018 if (spmsg
->spd_msg_spdid
== SPD_ACTIVE
)
3019 itp
->itp_flags
&= ~ITPF_PFLAGS
;
3021 itp
->itp_flags
&= ~ITPF_IFLAGS
;
3022 mutex_exit(&itp
->itp_lock
);
3023 ITP_REFRELE(itp
, ns
);
3025 spdsock_flush(q
, iph
, itp
, mp
);
3029 ITP_REFRELE(itp
, ns
);
3030 spdsock_dump(q
, iph
, mp
);
3034 if (iph
== ALL_ACTIVE_POLHEADS
|| iph
== ALL_INACTIVE_POLHEADS
) {
3035 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_NOT_GLOBAL_OP
);
3039 /* Single-polhead-only operations. */
3040 switch (spmsg
->spd_msg_type
) {
3042 spdsock_addrule(q
, iph
, mp
, extv
, itp
);
3044 case SPD_DELETERULE
:
3045 spdsock_deleterule(q
, iph
, mp
, extv
, itp
);
3048 spdsock_lookup(q
, iph
, mp
, extv
, itp
);
3051 spdsock_diag(q
, mp
, SPD_DIAGNOSTIC_BAD_MSG_TYPE
);
3055 IPPH_REFRELE(iph
, ns
);
3057 ITP_REFRELE(itp
, ns
);
3061 * If an algorithm mapping was received before IPsec was loaded, process it.
3062 * Called from the IPsec loader.
3065 spdsock_update_pending_algs(netstack_t
*ns
)
3067 spd_stack_t
*spds
= ns
->netstack_spdsock
;
3069 mutex_enter(&spds
->spds_alg_lock
);
3070 if (spds
->spds_algs_pending
) {
3073 spdsock_do_updatealg(spds
->spds_extv_algs
, &diag
,
3075 spds
->spds_algs_pending
= B_FALSE
;
3077 mutex_exit(&spds
->spds_alg_lock
);
3081 spdsock_loadcheck(void *arg
)
3083 queue_t
*q
= (queue_t
*)arg
;
3084 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3086 ipsec_stack_t
*ipss
= ss
->spdsock_spds
->spds_netstack
->netstack_ipsec
;
3090 ss
->spdsock_timeout
= 0;
3091 mp
= ss
->spdsock_timeout_arg
;
3093 ss
->spdsock_timeout_arg
= NULL
;
3094 if (ipsec_failed(ipss
))
3095 spdsock_error(q
, mp
, EPROTONOSUPPORT
, 0);
3097 spdsock_parse(q
, mp
);
3101 * Copy relevant state bits.
3104 spdsock_copy_info(struct T_info_ack
*tap
, spdsock_t
*ss
)
3106 *tap
= spdsock_g_t_info_ack
;
3107 tap
->CURRENT_state
= ss
->spdsock_state
;
3108 tap
->OPT_size
= spdsock_max_optsize
;
3112 * This routine responds to T_CAPABILITY_REQ messages. It is called by
3113 * spdsock_wput. Much of the T_CAPABILITY_ACK information is copied from
3114 * spdsock_g_t_info_ack. The current state of the stream is copied from
3118 spdsock_capability_req(queue_t
*q
, mblk_t
*mp
)
3120 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3121 t_uscalar_t cap_bits1
;
3122 struct T_capability_ack
*tcap
;
3124 cap_bits1
= ((struct T_capability_req
*)mp
->b_rptr
)->CAP_bits1
;
3126 mp
= tpi_ack_alloc(mp
, sizeof (struct T_capability_ack
),
3127 mp
->b_datap
->db_type
, T_CAPABILITY_ACK
);
3131 tcap
= (struct T_capability_ack
*)mp
->b_rptr
;
3132 tcap
->CAP_bits1
= 0;
3134 if (cap_bits1
& TC1_INFO
) {
3135 spdsock_copy_info(&tcap
->INFO_ack
, ss
);
3136 tcap
->CAP_bits1
|= TC1_INFO
;
3143 * This routine responds to T_INFO_REQ messages. It is called by
3144 * spdsock_wput_other.
3145 * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack.
3146 * The current state of the stream is copied from spdsock_state.
3149 spdsock_info_req(q
, mp
)
3153 mp
= tpi_ack_alloc(mp
, sizeof (struct T_info_ack
), M_PCPROTO
,
3157 spdsock_copy_info((struct T_info_ack
*)mp
->b_rptr
,
3158 (spdsock_t
*)q
->q_ptr
);
3163 * spdsock_err_ack. This routine creates a
3164 * T_ERROR_ACK message and passes it
3168 spdsock_err_ack(q
, mp
, t_error
, sys_error
)
3174 if ((mp
= mi_tpi_err_ack_alloc(mp
, t_error
, sys_error
)) != NULL
)
3179 * This routine retrieves the current status of socket options.
3180 * It returns the size of the option retrieved.
3184 spdsock_opt_get(queue_t
*q
, int level
, int name
, uchar_t
*ptr
)
3186 int *i1
= (int *)ptr
;
3195 * The following two items can be manipulated,
3196 * but changing them should do nothing.
3199 *i1
= (int)q
->q_hiwat
;
3202 *i1
= (int)(RD(q
)->q_hiwat
);
3209 return (sizeof (int));
3213 * This routine sets socket options.
3217 spdsock_opt_set(queue_t
*q
, uint_t mgmt_flags
, int level
, int name
,
3218 uint_t inlen
, uchar_t
*invalp
, uint_t
*outlenp
, uchar_t
*outvalp
,
3219 void *thisdg_attrs
, cred_t
*cr
, mblk_t
*mblk
)
3221 int *i1
= (int *)invalp
;
3222 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3223 spd_stack_t
*spds
= ss
->spdsock_spds
;
3229 if (*i1
> spds
->spds_max_buf
)
3234 if (*i1
> spds
->spds_max_buf
)
3236 RD(q
)->q_hiwat
= *i1
;
3237 (void) proto_set_rx_hiwat(RD(q
), NULL
, *i1
);
3247 * Handle STREAMS messages.
3250 spdsock_wput_other(queue_t
*q
, mblk_t
*mp
)
3252 struct iocblk
*iocp
;
3254 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3255 spd_stack_t
*spds
= ss
->spdsock_spds
;
3258 switch (mp
->b_datap
->db_type
) {
3261 if ((mp
->b_wptr
- mp
->b_rptr
) < sizeof (long)) {
3263 "spdsock_wput_other: Not big enough M_PROTO\n"));
3267 switch (((union T_primitives
*)mp
->b_rptr
)->type
) {
3268 case T_CAPABILITY_REQ
:
3269 spdsock_capability_req(q
, mp
);
3272 spdsock_info_req(q
, mp
);
3274 case T_SVR4_OPTMGMT_REQ
:
3277 * All Solaris components should pass a db_credp
3278 * for this TPI message, hence we ASSERT.
3279 * But in case there is some other M_PROTO that looks
3280 * like a TPI message sent by some other kernel
3281 * component, we check and return an error.
3283 cr
= msg_getcred(mp
, NULL
);
3286 spdsock_err_ack(q
, mp
, TSYSERR
, EINVAL
);
3289 if (((union T_primitives
*)mp
->b_rptr
)->type
==
3290 T_SVR4_OPTMGMT_REQ
) {
3291 (void) svr4_optcom_req(q
, mp
, cr
,
3292 &spdsock_opt_obj
, B_FALSE
);
3294 (void) tpi_optcom_req(q
, mp
, cr
,
3295 &spdsock_opt_obj
, B_FALSE
);
3301 /* Illegal for spdsock. */
3303 (void) putnextctl1(RD(q
), M_ERROR
, EPROTO
);
3306 /* Not supported by spdsock. */
3307 spdsock_err_ack(q
, mp
, TNOTSUPPORT
, 0);
3312 iocp
= (struct iocblk
*)mp
->b_rptr
;
3315 switch (iocp
->ioc_cmd
) {
3318 if (nd_getset(q
, spds
->spds_g_nd
, mp
)) {
3325 miocnak(q
, mp
, 0, error
);
3329 if (*mp
->b_rptr
& FLUSHW
) {
3330 flushq(q
, FLUSHALL
);
3331 *mp
->b_rptr
&= ~FLUSHW
;
3333 if (*mp
->b_rptr
& FLUSHR
) {
3340 /* If fell through, just black-hole the message. */
3345 spdsock_wput(queue_t
*q
, mblk_t
*mp
)
3347 uint8_t *rptr
= mp
->b_rptr
;
3349 spdsock_t
*ss
= (spdsock_t
*)q
->q_ptr
;
3350 spd_stack_t
*spds
= ss
->spdsock_spds
;
3353 * If we're dumping, defer processing other messages until the
3356 if (ss
->spdsock_dump_req
!= NULL
) {
3362 switch (mp
->b_datap
->db_type
) {
3367 ss2dbg(spds
, ("raw M_DATA in spdsock.\n"));
3372 if ((mp
->b_wptr
- rptr
) >= sizeof (struct T_data_req
)) {
3373 if (((union T_primitives
*)rptr
)->type
== T_DATA_REQ
) {
3374 if ((mp1
= mp
->b_cont
) == NULL
) {
3375 /* No data after T_DATA_REQ. */
3377 ("No data after DATA_REQ.\n"));
3383 ss2dbg(spds
, ("T_DATA_REQ\n"));
3384 break; /* Out of switch. */
3389 ss3dbg(spds
, ("In default wput case (%d %d).\n",
3390 mp
->b_datap
->db_type
, ((union T_primitives
*)rptr
)->type
));
3391 spdsock_wput_other(q
, mp
);
3395 /* I now have a PF_POLICY message in an M_DATA block. */
3396 spdsock_parse(q
, mp
);
3400 * Device open procedure, called when new queue pair created.
3401 * We are passed the read-side queue.
3405 spdsock_open(queue_t
*q
, dev_t
*devp
, int flag
, int sflag
, cred_t
*credp
)
3408 queue_t
*oq
= OTHERQ(q
);
3413 if (secpolicy_ip_config(credp
, B_FALSE
) != 0)
3416 if (q
->q_ptr
!= NULL
)
3417 return (0); /* Re-open of an already open instance. */
3419 if (sflag
& MODOPEN
)
3422 ns
= netstack_find_by_cred(credp
);
3424 spds
= ns
->netstack_spdsock
;
3425 ASSERT(spds
!= NULL
);
3427 ss2dbg(spds
, ("Made it into PF_POLICY socket open.\n"));
3429 ssminor
= (minor_t
)(uintptr_t)vmem_alloc(spdsock_vmem
, 1, VM_NOSLEEP
);
3431 netstack_rele(spds
->spds_netstack
);
3434 ss
= kmem_zalloc(sizeof (spdsock_t
), KM_NOSLEEP
);
3436 vmem_free(spdsock_vmem
, (void *)(uintptr_t)ssminor
, 1);
3437 netstack_rele(spds
->spds_netstack
);
3441 ss
->spdsock_minor
= ssminor
;
3442 ss
->spdsock_state
= TS_UNBND
;
3443 ss
->spdsock_dump_req
= NULL
;
3445 ss
->spdsock_spds
= spds
;
3450 q
->q_hiwat
= spds
->spds_recv_hiwat
;
3452 oq
->q_hiwat
= spds
->spds_xmit_hiwat
;
3453 oq
->q_lowat
= spds
->spds_xmit_lowat
;
3456 (void) proto_set_rx_hiwat(q
, NULL
, spds
->spds_recv_hiwat
);
3458 *devp
= makedevice(getmajor(*devp
), ss
->spdsock_minor
);
3463 * Read-side service procedure, invoked when we get back-enabled
3464 * when buffer space becomes available.
3466 * Dump another chunk if we were dumping before; when we finish, kick
3467 * the write-side queue in case it's waiting for read queue space.
3470 spdsock_rsrv(queue_t
*q
)
3472 spdsock_t
*ss
= q
->q_ptr
;
3474 if (ss
->spdsock_dump_req
!= NULL
)
3475 spdsock_dump_some(q
, ss
);
3477 if (ss
->spdsock_dump_req
== NULL
)
3482 * Write-side service procedure, invoked when we defer processing
3483 * if another message is received while a dump is in progress.
3486 spdsock_wsrv(queue_t
*q
)
3488 spdsock_t
*ss
= q
->q_ptr
;
3490 ipsec_stack_t
*ipss
= ss
->spdsock_spds
->spds_netstack
->netstack_ipsec
;
3492 if (ss
->spdsock_dump_req
!= NULL
) {
3497 while ((mp
= getq(q
)) != NULL
) {
3498 if (ipsec_loaded(ipss
)) {
3499 spdsock_wput(q
, mp
);
3500 if (ss
->spdsock_dump_req
!= NULL
)
3502 } else if (!ipsec_failed(ipss
)) {
3505 spdsock_error(q
, mp
, EPFNOSUPPORT
, 0);
3511 spdsock_close(queue_t
*q
)
3513 spdsock_t
*ss
= q
->q_ptr
;
3514 spd_stack_t
*spds
= ss
->spdsock_spds
;
3518 /* Safe assumption. */
3521 if (ss
->spdsock_timeout
!= 0)
3522 (void) quntimeout(q
, ss
->spdsock_timeout
);
3524 ss3dbg(spds
, ("Driver close, PF_POLICY socket is going away.\n"));
3526 vmem_free(spdsock_vmem
, (void *)(uintptr_t)ss
->spdsock_minor
, 1);
3527 netstack_rele(ss
->spdsock_spds
->spds_netstack
);
3529 kmem_free(ss
, sizeof (spdsock_t
));
3534 * Merge the IPsec algorithms tables with the received algorithm information.
3537 spdsock_merge_algs(spd_stack_t
*spds
)
3539 ipsec_alginfo_t
*alg
, *oalg
;
3540 ipsec_algtype_t algtype
;
3541 uint_t algidx
, algid
, nalgs
;
3542 crypto_mech_name_t
*mechs
;
3543 uint_t mech_count
, mech_idx
;
3544 netstack_t
*ns
= spds
->spds_netstack
;
3545 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
3547 ASSERT(MUTEX_HELD(&spds
->spds_alg_lock
));
3550 * Get the list of supported mechanisms from the crypto framework.
3551 * If a mechanism is supported by KCF, resolve its mechanism
3552 * id and mark it as being valid. This operation must be done
3553 * without holding alg_lock, since it can cause a provider
3554 * module to be loaded and the provider notification callback to
3557 mechs
= crypto_get_mech_list(&mech_count
, KM_SLEEP
);
3558 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
3559 for (algid
= 0; algid
< IPSEC_MAX_ALGS
; algid
++) {
3561 crypto_mech_type_t mt
= CRYPTO_MECHANISM_INVALID
;
3563 alg
= spds
->spds_algs
[algtype
][algid
];
3568 * The NULL encryption algorithm is a special
3569 * case because there are no mechanisms, yet
3570 * the algorithm is still valid.
3572 if (alg
->alg_id
== SADB_EALG_NULL
) {
3573 alg
->alg_mech_type
= CRYPTO_MECHANISM_INVALID
;
3574 alg
->alg_flags
= ALG_FLAG_VALID
;
3578 for (mech_idx
= 0; mech_idx
< mech_count
; mech_idx
++) {
3579 if (strncmp(alg
->alg_mech_name
, mechs
[mech_idx
],
3580 CRYPTO_MAX_MECH_NAME
) == 0) {
3581 mt
= crypto_mech2id(alg
->alg_mech_name
);
3582 ASSERT(mt
!= CRYPTO_MECHANISM_INVALID
);
3583 algflags
= ALG_FLAG_VALID
;
3587 alg
->alg_mech_type
= mt
;
3588 alg
->alg_flags
= algflags
;
3592 mutex_enter(&ipss
->ipsec_alg_lock
);
3595 * For each algorithm currently defined, check if it is
3596 * present in the new tables created from the SPD_UPDATEALGS
3597 * message received from user-space.
3598 * Delete the algorithm entries that are currently defined
3599 * but not part of the new tables.
3601 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
3602 nalgs
= ipss
->ipsec_nalgs
[algtype
];
3603 for (algidx
= 0; algidx
< nalgs
; algidx
++) {
3604 algid
= ipss
->ipsec_sortlist
[algtype
][algidx
];
3605 if (spds
->spds_algs
[algtype
][algid
] == NULL
)
3606 ipsec_alg_unreg(algtype
, algid
, ns
);
3611 * For each algorithm we just received, check if it is
3612 * present in the currently defined tables. If it is, swap
3613 * the entry with the one we just allocated.
3614 * If the new algorithm is not in the current tables,
3617 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
3618 for (algid
= 0; algid
< IPSEC_MAX_ALGS
; algid
++) {
3619 alg
= spds
->spds_algs
[algtype
][algid
];
3623 if ((oalg
= ipss
->ipsec_alglists
[algtype
][algid
]) ==
3626 * New algorithm, add it to the algorithm
3629 ipsec_alg_reg(algtype
, alg
, ns
);
3632 * Algorithm is already in the table. Swap
3633 * the existing entry with the new one.
3635 ipsec_alg_fix_min_max(alg
, algtype
, ns
);
3636 ipss
->ipsec_alglists
[algtype
][algid
] = alg
;
3637 ipsec_alg_free(oalg
);
3639 spds
->spds_algs
[algtype
][algid
] = NULL
;
3643 for (algtype
= 0; algtype
< IPSEC_NALGTYPES
; algtype
++) {
3644 ipss
->ipsec_algs_exec_mode
[algtype
] =
3645 spds
->spds_algs_exec_mode
[algtype
];
3648 mutex_exit(&ipss
->ipsec_alg_lock
);
3650 crypto_free_mech_list(mechs
, mech_count
);
3652 ipsecah_algs_changed(ns
);
3653 ipsecesp_algs_changed(ns
);