4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
26 #include <sys/types.h>
27 #include <sys/stream.h>
28 #include <sys/stropts.h>
29 #include <sys/strsubr.h>
30 #include <sys/errno.h>
32 #include <sys/debug.h>
33 #include <sys/cmn_err.h>
34 #include <sys/stream.h>
35 #include <sys/strlog.h>
37 #include <sys/sunddi.h>
38 #include <sys/tihdr.h>
39 #include <sys/atomic.h>
40 #include <sys/socket.h>
41 #include <sys/sysmacros.h>
42 #include <sys/crypto/common.h>
43 #include <sys/crypto/api.h>
45 #include <netinet/in.h>
47 #include <net/pfkeyv2.h>
48 #include <net/pfpolicy.h>
49 #include <inet/common.h>
50 #include <netinet/ip6.h>
52 #include <inet/ip_ire.h>
54 #include <inet/ipsec_info.h>
56 #include <inet/sadb.h>
57 #include <inet/ipsec_impl.h>
58 #include <inet/ipsecah.h>
59 #include <inet/ipsecesp.h>
60 #include <sys/random.h>
62 #include <sys/strsun.h>
63 #include <sys/strsubr.h>
64 #include <inet/ip_if.h>
65 #include <inet/ipdrop.h>
66 #include <inet/ipclassifier.h>
67 #include <inet/sctp_ip.h>
68 #include <sys/tsol/tnet.h>
71 * This source file contains Security Association Database (SADB) common
72 * routines. They are linked in with the AH module. Since AH has no chance
73 * of falling under export control, it was safe to link it in there.
76 static mblk_t
*sadb_extended_acquire(ipsec_selector_t
*, ipsec_policy_t
*,
77 ipsec_action_t
*, boolean_t
, uint32_t, uint32_t, sadb_sens_t
*,
79 static ipsa_t
*sadb_torch_assoc(isaf_t
*, ipsa_t
*);
80 static void sadb_destroy_acqlist(iacqf_t
**, uint_t
, boolean_t
,
82 static void sadb_destroy(sadb_t
*, netstack_t
*);
83 static mblk_t
*sadb_sa2msg(ipsa_t
*, sadb_msg_t
*);
84 static ts_label_t
*sadb_label_from_sens(sadb_sens_t
*, uint64_t *);
85 static sadb_sens_t
*sadb_make_sens_ext(ts_label_t
*tsl
, int *len
);
87 static time_t sadb_add_time(time_t, uint64_t);
88 static void lifetime_fuzz(ipsa_t
*);
89 static void age_pair_peer_list(templist_t
*, sadb_t
*, boolean_t
);
90 static int get_ipsa_pair(ipsa_query_t
*, ipsap_t
*, int *);
91 static void init_ipsa_pair(ipsap_t
*);
92 static void destroy_ipsa_pair(ipsap_t
*);
93 static int update_pairing(ipsap_t
*, ipsa_query_t
*, keysock_in_t
*, int *);
94 static void ipsa_set_replay(ipsa_t
*ipsa
, uint32_t offset
);
97 * ipsacq_maxpackets is defined here to make it tunable
100 extern uint64_t ipsacq_maxpackets
;
102 #define SET_EXPIRE(sa, delta, exp) { \
103 if (((sa)->ipsa_ ## delta) != 0) { \
104 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \
105 (sa)->ipsa_ ## delta); \
109 #define UPDATE_EXPIRE(sa, delta, exp) { \
110 if (((sa)->ipsa_ ## delta) != 0) { \
111 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \
112 (sa)->ipsa_ ## delta); \
113 if (((sa)->ipsa_ ## exp) == 0) \
114 (sa)->ipsa_ ## exp = tmp; \
116 (sa)->ipsa_ ## exp = \
117 MIN((sa)->ipsa_ ## exp, tmp); \
122 /* wrap the macro so we can pass it as a function pointer */
124 sadb_sa_refrele(void *target
)
126 IPSA_REFRELE(((ipsa_t
*)target
));
130 * We presume that sizeof (long) == sizeof (time_t) and that time_t is
133 #define TIME_MAX LONG_MAX
136 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that
137 * time_t is defined to be a signed type with the same range as
138 * "long". On ILP32 systems, we thus run the risk of wrapping around
139 * at end of time, as well as "overwrapping" the clock back around
140 * into a seemingly valid but incorrect future date earlier than the
141 * desired expiration.
143 * In order to avoid odd behavior (either negative lifetimes or loss
144 * of high order bits) when someone asks for bizarrely long SA
145 * lifetimes, we do a saturating add for expire times.
147 * We presume that ILP32 systems will be past end of support life when
148 * the 32-bit time_t overflows (a dangerous assumption, mind you..).
150 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we
151 * will hopefully have figured out clever ways to avoid the use of
152 * fixed-sized integers in computation.
155 sadb_add_time(time_t base
, uint64_t delta
)
160 * Clip delta to the maximum possible time_t value to
161 * prevent "overwrapping" back into a shorter-than-desired
164 if (delta
> TIME_MAX
)
167 * This sum may still overflow.
172 * .. so if the result is less than the base, we overflowed.
181 * Callers of this function have already created a working security
182 * association, and have found the appropriate table & hash chain. All this
183 * function does is check duplicates, and insert the SA. The caller needs to
184 * hold the hash bucket lock and increment the refcnt before insertion.
186 * Return 0 if success, EEXIST if collision.
188 #define SA_UNIQUE_MATCH(sa1, sa2) \
189 (((sa1)->ipsa_unique_id & (sa1)->ipsa_unique_mask) == \
190 ((sa2)->ipsa_unique_id & (sa2)->ipsa_unique_mask))
193 sadb_insertassoc(ipsa_t
*ipsa
, isaf_t
*bucket
)
195 ipsa_t
**ptpn
= NULL
;
199 ASSERT(MUTEX_HELD(&bucket
->isaf_lock
));
201 unspecsrc
= IPSA_IS_ADDR_UNSPEC(ipsa
->ipsa_srcaddr
, ipsa
->ipsa_addrfam
);
203 walker
= bucket
->isaf_ipsa
;
204 ASSERT(walker
== NULL
|| ipsa
->ipsa_addrfam
== walker
->ipsa_addrfam
);
207 * Find insertion point (pointed to with **ptpn). Insert at the head
208 * of the list unless there's an unspecified source address, then
209 * insert it after the last SA with a specified source address.
211 * BTW, you'll have to walk the whole chain, matching on {DST, SPI}
212 * checking for collisions.
215 while (walker
!= NULL
) {
216 if (IPSA_ARE_ADDR_EQUAL(walker
->ipsa_dstaddr
,
217 ipsa
->ipsa_dstaddr
, ipsa
->ipsa_addrfam
)) {
218 if (walker
->ipsa_spi
== ipsa
->ipsa_spi
)
221 mutex_enter(&walker
->ipsa_lock
);
222 if (ipsa
->ipsa_state
== IPSA_STATE_MATURE
&&
223 (walker
->ipsa_flags
& IPSA_F_USED
) &&
224 SA_UNIQUE_MATCH(walker
, ipsa
)) {
225 walker
->ipsa_flags
|= IPSA_F_CINVALID
;
227 mutex_exit(&walker
->ipsa_lock
);
230 if (ptpn
== NULL
&& unspecsrc
) {
231 if (IPSA_IS_ADDR_UNSPEC(walker
->ipsa_srcaddr
,
232 walker
->ipsa_addrfam
))
233 ptpn
= walker
->ipsa_ptpn
;
234 else if (walker
->ipsa_next
== NULL
)
235 ptpn
= &walker
->ipsa_next
;
238 walker
= walker
->ipsa_next
;
242 ptpn
= &bucket
->isaf_ipsa
;
243 ipsa
->ipsa_next
= *ptpn
;
244 ipsa
->ipsa_ptpn
= ptpn
;
245 if (ipsa
->ipsa_next
!= NULL
)
246 ipsa
->ipsa_next
->ipsa_ptpn
= &ipsa
->ipsa_next
;
248 ipsa
->ipsa_linklock
= &bucket
->isaf_lock
;
252 #undef SA_UNIQUE_MATCH
255 * Free a security association. Its reference count is 0, which means
256 * I must free it. The SA must be unlocked and must not be linked into
260 sadb_freeassoc(ipsa_t
*ipsa
)
262 ipsec_stack_t
*ipss
= ipsa
->ipsa_netstack
->netstack_ipsec
;
263 mblk_t
*asyncmp
, *mp
;
265 ASSERT(ipss
!= NULL
);
266 ASSERT(MUTEX_NOT_HELD(&ipsa
->ipsa_lock
));
267 ASSERT(ipsa
->ipsa_refcnt
== 0);
268 ASSERT(ipsa
->ipsa_next
== NULL
);
269 ASSERT(ipsa
->ipsa_ptpn
== NULL
);
272 asyncmp
= sadb_clear_lpkt(ipsa
);
273 if (asyncmp
!= NULL
) {
274 mp
= ip_recv_attr_free_mblk(asyncmp
);
275 ip_drop_packet(mp
, B_TRUE
, NULL
,
276 DROPPER(ipss
, ipds_sadb_inlarval_timeout
),
277 &ipss
->ipsec_sadb_dropper
);
279 mutex_enter(&ipsa
->ipsa_lock
);
281 if (ipsa
->ipsa_tsl
!= NULL
) {
282 label_rele(ipsa
->ipsa_tsl
);
283 ipsa
->ipsa_tsl
= NULL
;
286 if (ipsa
->ipsa_otsl
!= NULL
) {
287 label_rele(ipsa
->ipsa_otsl
);
288 ipsa
->ipsa_otsl
= NULL
;
291 ipsec_destroy_ctx_tmpl(ipsa
, IPSEC_ALG_AUTH
);
292 ipsec_destroy_ctx_tmpl(ipsa
, IPSEC_ALG_ENCR
);
293 mutex_exit(&ipsa
->ipsa_lock
);
295 /* bzero() these fields for paranoia's sake. */
296 if (ipsa
->ipsa_authkey
!= NULL
) {
297 bzero(ipsa
->ipsa_authkey
, ipsa
->ipsa_authkeylen
);
298 kmem_free(ipsa
->ipsa_authkey
, ipsa
->ipsa_authkeylen
);
300 if (ipsa
->ipsa_encrkey
!= NULL
) {
301 bzero(ipsa
->ipsa_encrkey
, ipsa
->ipsa_encrkeylen
);
302 kmem_free(ipsa
->ipsa_encrkey
, ipsa
->ipsa_encrkeylen
);
304 if (ipsa
->ipsa_nonce_buf
!= NULL
) {
305 bzero(ipsa
->ipsa_nonce_buf
, sizeof (ipsec_nonce_t
));
306 kmem_free(ipsa
->ipsa_nonce_buf
, sizeof (ipsec_nonce_t
));
308 if (ipsa
->ipsa_src_cid
!= NULL
) {
309 IPSID_REFRELE(ipsa
->ipsa_src_cid
);
311 if (ipsa
->ipsa_dst_cid
!= NULL
) {
312 IPSID_REFRELE(ipsa
->ipsa_dst_cid
);
314 if (ipsa
->ipsa_emech
.cm_param
!= NULL
)
315 kmem_free(ipsa
->ipsa_emech
.cm_param
,
316 ipsa
->ipsa_emech
.cm_param_len
);
318 mutex_destroy(&ipsa
->ipsa_lock
);
319 kmem_free(ipsa
, sizeof (*ipsa
));
323 * Unlink a security association from a hash bucket. Assume the hash bucket
324 * lock is held, but the association's lock is not.
326 * Note that we do not bump the bucket's generation number here because
327 * we might not be making a visible change to the set of visible SA's.
328 * All callers MUST bump the bucket's generation number before they unlock
329 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which
330 * was present in the bucket at the time it was locked.
333 sadb_unlinkassoc(ipsa_t
*ipsa
)
335 ASSERT(ipsa
->ipsa_linklock
!= NULL
);
336 ASSERT(MUTEX_HELD(ipsa
->ipsa_linklock
));
338 /* These fields are protected by the link lock. */
339 *(ipsa
->ipsa_ptpn
) = ipsa
->ipsa_next
;
340 if (ipsa
->ipsa_next
!= NULL
) {
341 ipsa
->ipsa_next
->ipsa_ptpn
= ipsa
->ipsa_ptpn
;
342 ipsa
->ipsa_next
= NULL
;
345 ipsa
->ipsa_ptpn
= NULL
;
347 /* This may destroy the SA. */
352 sadb_delete_cluster(ipsa_t
*assoc
)
356 if (cl_inet_deletespi
&&
357 ((assoc
->ipsa_state
== IPSA_STATE_LARVAL
) ||
358 (assoc
->ipsa_state
== IPSA_STATE_MATURE
))) {
359 protocol
= (assoc
->ipsa_type
== SADB_SATYPE_AH
) ?
360 IPPROTO_AH
: IPPROTO_ESP
;
361 cl_inet_deletespi(assoc
->ipsa_netstack
->netstack_stackid
,
362 protocol
, assoc
->ipsa_spi
, NULL
);
367 * Create a larval security association with the specified SPI. All other
371 sadb_makelarvalassoc(uint32_t spi
, uint32_t *src
, uint32_t *dst
, int addrfam
,
380 newbie
= (ipsa_t
*)kmem_zalloc(sizeof (ipsa_t
), KM_NOSLEEP
);
381 if (newbie
== NULL
) {
382 /* Can't make new larval SA. */
386 /* Assigned requested SPI, assume caller does SPI allocation magic. */
387 newbie
->ipsa_spi
= spi
;
388 newbie
->ipsa_netstack
= ns
; /* No netstack_hold */
394 IPSA_COPY_ADDR(newbie
->ipsa_srcaddr
, src
, addrfam
);
395 IPSA_COPY_ADDR(newbie
->ipsa_dstaddr
, dst
, addrfam
);
397 newbie
->ipsa_addrfam
= addrfam
;
400 * Set common initialization values, including refcnt.
402 mutex_init(&newbie
->ipsa_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
403 newbie
->ipsa_state
= IPSA_STATE_LARVAL
;
404 newbie
->ipsa_refcnt
= 1;
405 newbie
->ipsa_freefunc
= sadb_freeassoc
;
408 * There aren't a lot of other common initialization values, as
409 * they are copied in from the PF_KEY message.
416 * Call me to initialize a security association fanout.
419 sadb_init_fanout(isaf_t
**tablep
, uint_t size
, int kmflag
)
424 table
= (isaf_t
*)kmem_alloc(size
* sizeof (*table
), kmflag
);
430 for (i
= 0; i
< size
; i
++) {
431 mutex_init(&(table
[i
].isaf_lock
), NULL
, MUTEX_DEFAULT
, NULL
);
432 table
[i
].isaf_ipsa
= NULL
;
433 table
[i
].isaf_gen
= 0;
440 * Call me to initialize an acquire fanout
443 sadb_init_acfanout(iacqf_t
**tablep
, uint_t size
, int kmflag
)
448 table
= (iacqf_t
*)kmem_alloc(size
* sizeof (*table
), kmflag
);
454 for (i
= 0; i
< size
; i
++) {
455 mutex_init(&(table
[i
].iacqf_lock
), NULL
, MUTEX_DEFAULT
, NULL
);
456 table
[i
].iacqf_ipsacq
= NULL
;
463 * Attempt to initialize an SADB instance. On failure, return ENOMEM;
464 * caller must clean up partial allocations.
467 sadb_init_trial(sadb_t
*sp
, uint_t size
, int kmflag
)
469 ASSERT(sp
->sdb_of
== NULL
);
470 ASSERT(sp
->sdb_if
== NULL
);
471 ASSERT(sp
->sdb_acq
== NULL
);
473 sp
->sdb_hashsize
= size
;
474 if (sadb_init_fanout(&sp
->sdb_of
, size
, kmflag
) != 0)
476 if (sadb_init_fanout(&sp
->sdb_if
, size
, kmflag
) != 0)
478 if (sadb_init_acfanout(&sp
->sdb_acq
, size
, kmflag
) != 0)
485 * Call me to initialize an SADB instance; fall back to default size on failure.
488 sadb_init(const char *name
, sadb_t
*sp
, uint_t size
, uint_t ver
,
491 ASSERT(sp
->sdb_of
== NULL
);
492 ASSERT(sp
->sdb_if
== NULL
);
493 ASSERT(sp
->sdb_acq
== NULL
);
495 if (size
< IPSEC_DEFAULT_HASH_SIZE
)
496 size
= IPSEC_DEFAULT_HASH_SIZE
;
498 if (sadb_init_trial(sp
, size
, KM_NOSLEEP
) != 0) {
501 "Unable to allocate %u entry IPv%u %s SADB hash table",
504 sadb_destroy(sp
, ns
);
505 size
= IPSEC_DEFAULT_HASH_SIZE
;
506 cmn_err(CE_WARN
, "Falling back to %d entries", size
);
507 (void) sadb_init_trial(sp
, size
, KM_SLEEP
);
513 * Initialize an SADB-pair.
516 sadbp_init(const char *name
, sadbp_t
*sp
, int type
, int size
, netstack_t
*ns
)
518 sadb_init(name
, &sp
->s_v4
, size
, 4, ns
);
519 sadb_init(name
, &sp
->s_v6
, size
, 6, ns
);
523 ASSERT((type
== SADB_SATYPE_AH
) || (type
== SADB_SATYPE_ESP
));
524 if (type
== SADB_SATYPE_AH
) {
525 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
527 ip_drop_register(&ipss
->ipsec_sadb_dropper
, "IPsec SADB");
528 sp
->s_addflags
= AH_ADD_SETTABLE_FLAGS
;
529 sp
->s_updateflags
= AH_UPDATE_SETTABLE_FLAGS
;
531 sp
->s_addflags
= ESP_ADD_SETTABLE_FLAGS
;
532 sp
->s_updateflags
= ESP_UPDATE_SETTABLE_FLAGS
;
537 * Deliver a single SADB_DUMP message representing a single SA. This is
538 * called many times by sadb_dump().
540 * If the return value of this is ENOBUFS (not the same as ENOMEM), then
541 * the caller should take that as a hint that dupb() on the "original answer"
542 * failed, and that perhaps the caller should try again with a copyb()ed
546 sadb_dump_deliver(queue_t
*pfkey_q
, mblk_t
*original_answer
, ipsa_t
*ipsa
,
551 answer
= dupb(original_answer
);
554 answer
->b_cont
= sadb_sa2msg(ipsa
, samsg
);
555 if (answer
->b_cont
== NULL
) {
560 /* Just do a putnext, and let keysock deal with flow control. */
561 putnext(pfkey_q
, answer
);
566 * Common function to allocate and prepare a keysock_out_t M_CTL message.
569 sadb_keysock_out(minor_t serial
)
574 mp
= allocb(sizeof (ipsec_info_t
), BPRI_HI
);
576 mp
->b_datap
->db_type
= M_CTL
;
577 mp
->b_wptr
+= sizeof (ipsec_info_t
);
578 kso
= (keysock_out_t
*)mp
->b_rptr
;
579 kso
->ks_out_type
= KEYSOCK_OUT
;
580 kso
->ks_out_len
= sizeof (*kso
);
581 kso
->ks_out_serial
= serial
;
588 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts
592 sadb_dump_fanout(queue_t
*pfkey_q
, mblk_t
*mp
, minor_t serial
, isaf_t
*fanout
,
593 int num_entries
, boolean_t do_peers
, time_t active_time
)
596 mblk_t
*original_answer
;
602 * For each IPSA hash bucket do:
604 * - Walk each entry, doing an sadb_dump_deliver() on it.
606 ASSERT(mp
->b_cont
!= NULL
);
607 samsg
= (sadb_msg_t
*)mp
->b_cont
->b_rptr
;
609 original_answer
= sadb_keysock_out(serial
);
610 if (original_answer
== NULL
)
613 current
= gethrestime_sec();
614 for (i
= 0; i
< num_entries
; i
++) {
615 mutex_enter(&fanout
[i
].isaf_lock
);
616 for (walker
= fanout
[i
].isaf_ipsa
; walker
!= NULL
;
617 walker
= walker
->ipsa_next
) {
618 if (!do_peers
&& walker
->ipsa_haspeer
)
620 if ((active_time
!= 0) &&
621 ((current
- walker
->ipsa_lastuse
) > active_time
))
623 error
= sadb_dump_deliver(pfkey_q
, original_answer
,
625 if (error
== ENOBUFS
) {
626 mblk_t
*new_original_answer
;
628 /* Ran out of dupb's. Try a copyb. */
629 new_original_answer
= copyb(original_answer
);
630 if (new_original_answer
== NULL
) {
633 freeb(original_answer
);
634 original_answer
= new_original_answer
;
635 error
= sadb_dump_deliver(pfkey_q
,
636 original_answer
, walker
, samsg
);
640 break; /* out of for loop. */
642 mutex_exit(&fanout
[i
].isaf_lock
);
644 break; /* out of for loop. */
647 freeb(original_answer
);
652 * Dump an entire SADB; outbound first, then inbound.
656 sadb_dump(queue_t
*pfkey_q
, mblk_t
*mp
, keysock_in_t
*ksi
, sadb_t
*sp
)
659 time_t active_time
= 0;
660 sadb_x_edump_t
*edump
=
661 (sadb_x_edump_t
*)ksi
->ks_in_extv
[SADB_X_EXT_EDUMP
];
664 active_time
= edump
->sadb_x_edump_timeout
;
668 error
= sadb_dump_fanout(pfkey_q
, mp
, ksi
->ks_in_serial
, sp
->sdb_of
,
669 sp
->sdb_hashsize
, B_TRUE
, active_time
);
674 return sadb_dump_fanout(pfkey_q
, mp
, ksi
->ks_in_serial
, sp
->sdb_if
,
675 sp
->sdb_hashsize
, B_FALSE
, active_time
);
679 * Generic sadb table walker.
681 * Call "walkfn" for each SA in each bucket in "table"; pass the
682 * bucket, the entry and "cookie" to the callback function.
683 * Take care to ensure that walkfn can delete the SA without screwing
686 * The bucket is locked for the duration of the callback, both so that the
687 * callback can just call sadb_unlinkassoc() when it wants to delete something,
688 * and so that no new entries are added while we're walking the list.
691 sadb_walker(isaf_t
*table
, uint_t numentries
,
692 void (*walkfn
)(isaf_t
*head
, ipsa_t
*entry
, void *cookie
),
696 for (i
= 0; i
< numentries
; i
++) {
697 ipsa_t
*entry
, *next
;
699 mutex_enter(&table
[i
].isaf_lock
);
701 for (entry
= table
[i
].isaf_ipsa
; entry
!= NULL
;
703 next
= entry
->ipsa_next
;
704 (*walkfn
)(&table
[i
], entry
, cookie
);
706 mutex_exit(&table
[i
].isaf_lock
);
711 * Call me to free up a security association fanout. Use the forever
712 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g.
713 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE,
714 * when a module is unloaded).
717 sadb_destroyer(isaf_t
**tablep
, uint_t numentries
, boolean_t forever
,
721 isaf_t
*table
= *tablep
;
729 for (i
= 0; i
< numentries
; i
++) {
730 mutex_enter(&table
[i
].isaf_lock
);
731 while ((sa
= table
[i
].isaf_ipsa
) != NULL
) {
732 if (inbound
&& cl_inet_deletespi
&&
733 (sa
->ipsa_state
!= IPSA_STATE_ACTIVE_ELSEWHERE
) &&
734 (sa
->ipsa_state
!= IPSA_STATE_IDLE
)) {
735 protocol
= (sa
->ipsa_type
== SADB_SATYPE_AH
) ?
736 IPPROTO_AH
: IPPROTO_ESP
;
737 sid
= sa
->ipsa_netstack
->netstack_stackid
;
738 cl_inet_deletespi(sid
, protocol
, sa
->ipsa_spi
,
741 sadb_unlinkassoc(sa
);
744 mutex_exit(&table
[i
].isaf_lock
);
746 mutex_destroy(&(table
[i
].isaf_lock
));
751 kmem_free(table
, numentries
* sizeof (*table
));
756 * Entry points to sadb_destroyer().
759 sadb_flush(sadb_t
*sp
, netstack_t
*ns
)
762 * Flush out each bucket, one at a time. Were it not for keysock's
763 * enforcement, there would be a subtlety where I could add on the
764 * heels of a flush. With keysock's enforcement, however, this
765 * makes ESP's job easy.
767 sadb_destroyer(&sp
->sdb_of
, sp
->sdb_hashsize
, B_FALSE
, B_FALSE
);
768 sadb_destroyer(&sp
->sdb_if
, sp
->sdb_hashsize
, B_FALSE
, B_TRUE
);
770 /* For each acquire, destroy it; leave the bucket mutex alone. */
771 sadb_destroy_acqlist(&sp
->sdb_acq
, sp
->sdb_hashsize
, B_FALSE
, ns
);
775 sadb_destroy(sadb_t
*sp
, netstack_t
*ns
)
777 sadb_destroyer(&sp
->sdb_of
, sp
->sdb_hashsize
, B_TRUE
, B_FALSE
);
778 sadb_destroyer(&sp
->sdb_if
, sp
->sdb_hashsize
, B_TRUE
, B_TRUE
);
780 /* For each acquire, destroy it, including the bucket mutex. */
781 sadb_destroy_acqlist(&sp
->sdb_acq
, sp
->sdb_hashsize
, B_TRUE
, ns
);
783 ASSERT(sp
->sdb_of
== NULL
);
784 ASSERT(sp
->sdb_if
== NULL
);
785 ASSERT(sp
->sdb_acq
== NULL
);
789 sadbp_flush(sadbp_t
*spp
, netstack_t
*ns
)
791 sadb_flush(&spp
->s_v4
, ns
);
792 sadb_flush(&spp
->s_v6
, ns
);
796 sadbp_destroy(sadbp_t
*spp
, netstack_t
*ns
)
798 sadb_destroy(&spp
->s_v4
, ns
);
799 sadb_destroy(&spp
->s_v6
, ns
);
801 if (spp
->s_satype
== SADB_SATYPE_AH
) {
802 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
804 ip_drop_unregister(&ipss
->ipsec_sadb_dropper
);
810 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g.
811 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for
815 sadb_hardsoftchk(sadb_lifetime_t
*hard
, sadb_lifetime_t
*soft
,
816 sadb_lifetime_t
*idle
)
818 if (hard
== NULL
|| soft
== NULL
)
821 if (hard
->sadb_lifetime_allocations
!= 0 &&
822 soft
->sadb_lifetime_allocations
!= 0 &&
823 hard
->sadb_lifetime_allocations
< soft
->sadb_lifetime_allocations
)
824 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR
);
826 if (hard
->sadb_lifetime_bytes
!= 0 &&
827 soft
->sadb_lifetime_bytes
!= 0 &&
828 hard
->sadb_lifetime_bytes
< soft
->sadb_lifetime_bytes
)
829 return (SADB_X_DIAGNOSTIC_BYTES_HSERR
);
831 if (hard
->sadb_lifetime_addtime
!= 0 &&
832 soft
->sadb_lifetime_addtime
!= 0 &&
833 hard
->sadb_lifetime_addtime
< soft
->sadb_lifetime_addtime
)
834 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR
);
836 if (hard
->sadb_lifetime_usetime
!= 0 &&
837 soft
->sadb_lifetime_usetime
!= 0 &&
838 hard
->sadb_lifetime_usetime
< soft
->sadb_lifetime_usetime
)
839 return (SADB_X_DIAGNOSTIC_USETIME_HSERR
);
842 if (hard
->sadb_lifetime_addtime
!= 0 &&
843 idle
->sadb_lifetime_addtime
!= 0 &&
844 hard
->sadb_lifetime_addtime
< idle
->sadb_lifetime_addtime
)
845 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR
);
847 if (soft
->sadb_lifetime_addtime
!= 0 &&
848 idle
->sadb_lifetime_addtime
!= 0 &&
849 soft
->sadb_lifetime_addtime
< idle
->sadb_lifetime_addtime
)
850 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR
);
852 if (hard
->sadb_lifetime_usetime
!= 0 &&
853 idle
->sadb_lifetime_usetime
!= 0 &&
854 hard
->sadb_lifetime_usetime
< idle
->sadb_lifetime_usetime
)
855 return (SADB_X_DIAGNOSTIC_USETIME_HSERR
);
857 if (soft
->sadb_lifetime_usetime
!= 0 &&
858 idle
->sadb_lifetime_usetime
!= 0 &&
859 soft
->sadb_lifetime_usetime
< idle
->sadb_lifetime_usetime
)
860 return (SADB_X_DIAGNOSTIC_USETIME_HSERR
);
867 * Sanity check sensitivity labels.
869 * For now, just reject labels on unlabeled systems.
872 sadb_labelchk(keysock_in_t
*ksi
)
874 if (!is_system_labeled()) {
875 if (ksi
->ks_in_extv
[SADB_EXT_SENSITIVITY
] != NULL
)
876 return (SADB_X_DIAGNOSTIC_BAD_LABEL
);
878 if (ksi
->ks_in_extv
[SADB_X_EXT_OUTER_SENS
] != NULL
)
879 return (SADB_X_DIAGNOSTIC_BAD_LABEL
);
886 * Clone a security association for the purposes of inserting a single SA
887 * into inbound and outbound tables respectively. This function should only
888 * be called from sadb_common_add().
891 sadb_cloneassoc(ipsa_t
*ipsa
)
894 boolean_t error
= B_FALSE
;
896 ASSERT(MUTEX_NOT_HELD(&(ipsa
->ipsa_lock
)));
898 newbie
= kmem_alloc(sizeof (ipsa_t
), KM_NOSLEEP
);
902 /* Copy over what we can. */
905 /* bzero and initialize locks, in case *_init() allocates... */
906 mutex_init(&newbie
->ipsa_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
908 if (newbie
->ipsa_tsl
!= NULL
)
909 label_hold(newbie
->ipsa_tsl
);
911 if (newbie
->ipsa_otsl
!= NULL
)
912 label_hold(newbie
->ipsa_otsl
);
915 * While somewhat dain-bramaged, the most graceful way to
916 * recover from errors is to keep plowing through the
917 * allocations, and getting what I can. It's easier to call
918 * sadb_freeassoc() on the stillborn clone when all the
919 * pointers aren't pointing to the parent's data.
922 if (ipsa
->ipsa_authkey
!= NULL
) {
923 newbie
->ipsa_authkey
= kmem_alloc(newbie
->ipsa_authkeylen
,
925 if (newbie
->ipsa_authkey
== NULL
) {
928 bcopy(ipsa
->ipsa_authkey
, newbie
->ipsa_authkey
,
929 newbie
->ipsa_authkeylen
);
931 newbie
->ipsa_kcfauthkey
.ck_data
=
932 newbie
->ipsa_authkey
;
935 if (newbie
->ipsa_amech
.cm_param
!= NULL
) {
936 newbie
->ipsa_amech
.cm_param
=
937 (char *)&newbie
->ipsa_mac_len
;
941 if (ipsa
->ipsa_encrkey
!= NULL
) {
942 newbie
->ipsa_encrkey
= kmem_alloc(newbie
->ipsa_encrkeylen
,
944 if (newbie
->ipsa_encrkey
== NULL
) {
947 bcopy(ipsa
->ipsa_encrkey
, newbie
->ipsa_encrkey
,
948 newbie
->ipsa_encrkeylen
);
950 newbie
->ipsa_kcfencrkey
.ck_data
=
951 newbie
->ipsa_encrkey
;
955 newbie
->ipsa_authtmpl
= NULL
;
956 newbie
->ipsa_encrtmpl
= NULL
;
957 newbie
->ipsa_haspeer
= B_TRUE
;
959 if (ipsa
->ipsa_src_cid
!= NULL
) {
960 newbie
->ipsa_src_cid
= ipsa
->ipsa_src_cid
;
961 IPSID_REFHOLD(ipsa
->ipsa_src_cid
);
964 if (ipsa
->ipsa_dst_cid
!= NULL
) {
965 newbie
->ipsa_dst_cid
= ipsa
->ipsa_dst_cid
;
966 IPSID_REFHOLD(ipsa
->ipsa_dst_cid
);
970 sadb_freeassoc(newbie
);
978 * Initialize a SADB address extension at the address specified by addrext.
979 * Return a pointer to the end of the new address extension.
982 sadb_make_addr_ext(uint8_t *start
, uint8_t *end
, uint16_t exttype
,
983 sa_family_t af
, uint32_t *addr
, uint16_t port
, uint8_t proto
, int prefix
)
985 struct sockaddr_in
*sin
;
986 struct sockaddr_in6
*sin6
;
987 uint8_t *cur
= start
;
990 sadb_address_t
*addrext
= (sadb_address_t
*)cur
;
995 cur
+= sizeof (*addrext
);
999 addrext
->sadb_address_proto
= proto
;
1000 addrext
->sadb_address_prefixlen
= prefix
;
1001 addrext
->sadb_address_reserved
= 0;
1002 addrext
->sadb_address_exttype
= exttype
;
1006 sin
= (struct sockaddr_in
*)cur
;
1007 sin_len
= sizeof (*sin
);
1012 sin
->sin_family
= af
;
1013 bzero(sin
->sin_zero
, sizeof (sin
->sin_zero
));
1014 sin
->sin_port
= port
;
1015 IPSA_COPY_ADDR(&sin
->sin_addr
, addr
, af
);
1018 sin6
= (struct sockaddr_in6
*)cur
;
1019 sin_len
= sizeof (*sin6
);
1024 bzero(sin6
, sizeof (*sin6
));
1025 sin6
->sin6_family
= af
;
1026 sin6
->sin6_port
= port
;
1027 IPSA_COPY_ADDR(&sin6
->sin6_addr
, addr
, af
);
1031 addrext_len
= roundup(cur
- start
, sizeof (uint64_t));
1032 addrext
->sadb_address_len
= SADB_8TO64(addrext_len
);
1034 cur
= start
+ addrext_len
;
1042 * Construct a key management cookie extension.
1046 sadb_make_kmc_ext(uint8_t *cur
, uint8_t *end
, uint32_t kmp
, uint32_t kmc
)
1048 sadb_x_kmc_t
*kmcext
= (sadb_x_kmc_t
*)cur
;
1053 cur
+= sizeof (*kmcext
);
1058 kmcext
->sadb_x_kmc_len
= SADB_8TO64(sizeof (*kmcext
));
1059 kmcext
->sadb_x_kmc_exttype
= SADB_X_EXT_KM_COOKIE
;
1060 kmcext
->sadb_x_kmc_proto
= kmp
;
1061 kmcext
->sadb_x_kmc_cookie
= kmc
;
1062 kmcext
->sadb_x_kmc_reserved
= 0;
1068 * Given an original message header with sufficient space following it, and an
1069 * SA, construct a full PF_KEY message with all of the relevant extensions.
1070 * This is mostly used for SADB_GET, and SADB_DUMP.
1073 sadb_sa2msg(ipsa_t
*ipsa
, sadb_msg_t
*samsg
)
1075 int alloclen
, addrsize
, paddrsize
, authsize
, encrsize
;
1076 int srcidsize
, dstidsize
, senslen
, osenslen
;
1077 sa_family_t fam
, pfam
; /* Address family for SADB_EXT_ADDRESS */
1078 /* src/dst and proxy sockaddrs. */
1080 * The following are pointers into the PF_KEY message this PF_KEY
1083 sadb_msg_t
*newsamsg
;
1085 sadb_lifetime_t
*lt
;
1087 sadb_ident_t
*ident
;
1089 sadb_ext_t
*walker
; /* For when we need a generic ext. pointer. */
1090 sadb_x_replay_ctr_t
*repl_ctr
;
1091 sadb_x_pair_t
*pair_ext
;
1095 /* These indicate the presence of the above extension fields. */
1096 boolean_t soft
= B_FALSE
, hard
= B_FALSE
;
1097 boolean_t isrc
= B_FALSE
, idst
= B_FALSE
;
1098 boolean_t auth
= B_FALSE
, encr
= B_FALSE
;
1099 boolean_t sensinteg
= B_FALSE
, osensinteg
= B_FALSE
;
1100 boolean_t srcid
= B_FALSE
, dstid
= B_FALSE
;
1105 /* First off, figure out the allocation length for this message. */
1107 * Constant stuff. This includes base, SA, address (src, dst),
1108 * and lifetime (current).
1110 alloclen
= sizeof (sadb_msg_t
) + sizeof (sadb_sa_t
) +
1111 sizeof (sadb_lifetime_t
);
1113 fam
= ipsa
->ipsa_addrfam
;
1116 addrsize
= roundup(sizeof (struct sockaddr_in
) +
1117 sizeof (sadb_address_t
), sizeof (uint64_t));
1120 addrsize
= roundup(sizeof (struct sockaddr_in6
) +
1121 sizeof (sadb_address_t
), sizeof (uint64_t));
1127 * Allocate TWO address extensions, for source and destination.
1130 alloclen
+= addrsize
* 2;
1131 if (ipsa
->ipsa_flags
& IPSA_F_NATT_REM
)
1132 alloclen
+= addrsize
;
1133 if (ipsa
->ipsa_flags
& IPSA_F_NATT_LOC
)
1134 alloclen
+= addrsize
;
1136 if (ipsa
->ipsa_flags
& IPSA_F_PAIRED
) {
1138 alloclen
+= sizeof (sadb_x_pair_t
);
1139 otherspi
= ipsa
->ipsa_otherspi
;
1144 /* How 'bout other lifetimes? */
1145 if (ipsa
->ipsa_softaddlt
!= 0 || ipsa
->ipsa_softuselt
!= 0 ||
1146 ipsa
->ipsa_softbyteslt
!= 0 || ipsa
->ipsa_softalloc
!= 0) {
1147 alloclen
+= sizeof (sadb_lifetime_t
);
1151 if (ipsa
->ipsa_hardaddlt
!= 0 || ipsa
->ipsa_harduselt
!= 0 ||
1152 ipsa
->ipsa_hardbyteslt
!= 0 || ipsa
->ipsa_hardalloc
!= 0) {
1153 alloclen
+= sizeof (sadb_lifetime_t
);
1157 if (ipsa
->ipsa_idleaddlt
!= 0 || ipsa
->ipsa_idleuselt
!= 0) {
1158 alloclen
+= sizeof (sadb_lifetime_t
);
1164 /* Inner addresses. */
1165 if (ipsa
->ipsa_innerfam
!= 0) {
1166 pfam
= ipsa
->ipsa_innerfam
;
1169 paddrsize
= roundup(sizeof (struct sockaddr_in6
) +
1170 sizeof (sadb_address_t
), sizeof (uint64_t));
1173 paddrsize
= roundup(sizeof (struct sockaddr_in
) +
1174 sizeof (sadb_address_t
), sizeof (uint64_t));
1178 "IPsec SADB: Proxy length failure.\n");
1183 alloclen
+= 2 * paddrsize
;
1186 /* For the following fields, assume that length != 0 ==> stuff */
1187 if (ipsa
->ipsa_authkeylen
!= 0) {
1188 authsize
= roundup(sizeof (sadb_key_t
) + ipsa
->ipsa_authkeylen
,
1190 alloclen
+= authsize
;
1194 if (ipsa
->ipsa_encrkeylen
!= 0) {
1195 encrsize
= roundup(sizeof (sadb_key_t
) + ipsa
->ipsa_encrkeylen
+
1196 ipsa
->ipsa_nonce_len
, sizeof (uint64_t));
1197 alloclen
+= encrsize
;
1203 if (ipsa
->ipsa_tsl
!= NULL
) {
1204 senslen
= sadb_sens_len_from_label(ipsa
->ipsa_tsl
);
1205 alloclen
+= senslen
;
1209 if (ipsa
->ipsa_otsl
!= NULL
) {
1210 osenslen
= sadb_sens_len_from_label(ipsa
->ipsa_otsl
);
1211 alloclen
+= osenslen
;
1212 osensinteg
= B_TRUE
;
1216 * Must use strlen() here for lengths. Identities use NULL
1217 * pointers to indicate their nonexistence.
1219 if (ipsa
->ipsa_src_cid
!= NULL
) {
1220 srcidsize
= roundup(sizeof (sadb_ident_t
) +
1221 strlen(ipsa
->ipsa_src_cid
->ipsid_cid
) + 1,
1223 alloclen
+= srcidsize
;
1227 if (ipsa
->ipsa_dst_cid
!= NULL
) {
1228 dstidsize
= roundup(sizeof (sadb_ident_t
) +
1229 strlen(ipsa
->ipsa_dst_cid
->ipsid_cid
) + 1,
1231 alloclen
+= dstidsize
;
1235 if ((ipsa
->ipsa_kmp
!= 0) || (ipsa
->ipsa_kmc
!= 0))
1236 alloclen
+= sizeof (sadb_x_kmc_t
);
1238 if (ipsa
->ipsa_replay
!= 0) {
1239 alloclen
+= sizeof (sadb_x_replay_ctr_t
);
1242 /* Make sure the allocation length is a multiple of 8 bytes. */
1243 ASSERT((alloclen
& 0x7) == 0);
1245 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */
1246 mp
= allocb(alloclen
, BPRI_HI
);
1249 bzero(mp
->b_rptr
, alloclen
);
1251 mp
->b_wptr
+= alloclen
;
1253 newsamsg
= (sadb_msg_t
*)mp
->b_rptr
;
1255 newsamsg
->sadb_msg_len
= (uint16_t)SADB_8TO64(alloclen
);
1257 mutex_enter(&ipsa
->ipsa_lock
); /* Since I'm grabbing SA fields... */
1259 newsamsg
->sadb_msg_satype
= ipsa
->ipsa_type
;
1261 assoc
= (sadb_sa_t
*)(newsamsg
+ 1);
1262 assoc
->sadb_sa_len
= SADB_8TO64(sizeof (*assoc
));
1263 assoc
->sadb_sa_exttype
= SADB_EXT_SA
;
1264 assoc
->sadb_sa_spi
= ipsa
->ipsa_spi
;
1265 assoc
->sadb_sa_replay
= ipsa
->ipsa_replay_wsize
;
1266 assoc
->sadb_sa_state
= ipsa
->ipsa_state
;
1267 assoc
->sadb_sa_auth
= ipsa
->ipsa_auth_alg
;
1268 assoc
->sadb_sa_encrypt
= ipsa
->ipsa_encr_alg
;
1269 assoc
->sadb_sa_flags
= ipsa
->ipsa_flags
;
1271 lt
= (sadb_lifetime_t
*)(assoc
+ 1);
1272 lt
->sadb_lifetime_len
= SADB_8TO64(sizeof (*lt
));
1273 lt
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_CURRENT
;
1274 /* We do not support the concept. */
1275 lt
->sadb_lifetime_allocations
= 0;
1276 lt
->sadb_lifetime_bytes
= ipsa
->ipsa_bytes
;
1277 lt
->sadb_lifetime_addtime
= ipsa
->ipsa_addtime
;
1278 lt
->sadb_lifetime_usetime
= ipsa
->ipsa_usetime
;
1282 lt
->sadb_lifetime_len
= SADB_8TO64(sizeof (*lt
));
1283 lt
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_HARD
;
1284 lt
->sadb_lifetime_allocations
= ipsa
->ipsa_hardalloc
;
1285 lt
->sadb_lifetime_bytes
= ipsa
->ipsa_hardbyteslt
;
1286 lt
->sadb_lifetime_addtime
= ipsa
->ipsa_hardaddlt
;
1287 lt
->sadb_lifetime_usetime
= ipsa
->ipsa_harduselt
;
1292 lt
->sadb_lifetime_len
= SADB_8TO64(sizeof (*lt
));
1293 lt
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_SOFT
;
1294 lt
->sadb_lifetime_allocations
= ipsa
->ipsa_softalloc
;
1295 lt
->sadb_lifetime_bytes
= ipsa
->ipsa_softbyteslt
;
1296 lt
->sadb_lifetime_addtime
= ipsa
->ipsa_softaddlt
;
1297 lt
->sadb_lifetime_usetime
= ipsa
->ipsa_softuselt
;
1302 lt
->sadb_lifetime_len
= SADB_8TO64(sizeof (*lt
));
1303 lt
->sadb_lifetime_exttype
= SADB_X_EXT_LIFETIME_IDLE
;
1304 lt
->sadb_lifetime_addtime
= ipsa
->ipsa_idleaddlt
;
1305 lt
->sadb_lifetime_usetime
= ipsa
->ipsa_idleuselt
;
1308 cur
= (uint8_t *)(lt
+ 1);
1310 /* NOTE: Don't fill in ports here if we are a tunnel-mode SA. */
1311 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_SRC
, fam
,
1312 ipsa
->ipsa_srcaddr
, (!isrc
&& !idst
) ? SA_SRCPORT(ipsa
) : 0,
1320 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_DST
, fam
,
1321 ipsa
->ipsa_dstaddr
, (!isrc
&& !idst
) ? SA_DSTPORT(ipsa
) : 0,
1329 if (ipsa
->ipsa_flags
& IPSA_F_NATT_LOC
) {
1330 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_NATT_LOC
,
1331 fam
, &ipsa
->ipsa_natt_addr_loc
, ipsa
->ipsa_local_nat_port
,
1340 if (ipsa
->ipsa_flags
& IPSA_F_NATT_REM
) {
1341 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_NATT_REM
,
1342 fam
, &ipsa
->ipsa_natt_addr_rem
, ipsa
->ipsa_remote_nat_port
,
1351 /* If we are a tunnel-mode SA, fill in the inner-selectors. */
1353 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_SRC
,
1354 pfam
, ipsa
->ipsa_innersrc
, SA_SRCPORT(ipsa
),
1355 SA_IPROTO(ipsa
), ipsa
->ipsa_innersrcpfx
);
1364 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_DST
,
1365 pfam
, ipsa
->ipsa_innerdst
, SA_DSTPORT(ipsa
),
1366 SA_IPROTO(ipsa
), ipsa
->ipsa_innerdstpfx
);
1374 if ((ipsa
->ipsa_kmp
!= 0) || (ipsa
->ipsa_kmc
!= 0)) {
1375 cur
= sadb_make_kmc_ext(cur
, end
,
1376 ipsa
->ipsa_kmp
, ipsa
->ipsa_kmc
);
1384 walker
= (sadb_ext_t
*)cur
;
1386 key
= (sadb_key_t
*)walker
;
1387 key
->sadb_key_len
= SADB_8TO64(authsize
);
1388 key
->sadb_key_exttype
= SADB_EXT_KEY_AUTH
;
1389 key
->sadb_key_bits
= ipsa
->ipsa_authkeybits
;
1390 key
->sadb_key_reserved
= 0;
1391 bcopy(ipsa
->ipsa_authkey
, key
+ 1, ipsa
->ipsa_authkeylen
);
1392 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1393 walker
->sadb_ext_len
);
1398 key
= (sadb_key_t
*)walker
;
1399 key
->sadb_key_len
= SADB_8TO64(encrsize
);
1400 key
->sadb_key_exttype
= SADB_EXT_KEY_ENCRYPT
;
1401 key
->sadb_key_bits
= ipsa
->ipsa_encrkeybits
;
1402 key
->sadb_key_reserved
= ipsa
->ipsa_saltbits
;
1403 buf_ptr
= (uint8_t *)(key
+ 1);
1404 bcopy(ipsa
->ipsa_encrkey
, buf_ptr
, ipsa
->ipsa_encrkeylen
);
1405 if (ipsa
->ipsa_salt
!= NULL
) {
1406 buf_ptr
+= ipsa
->ipsa_encrkeylen
;
1407 bcopy(ipsa
->ipsa_salt
, buf_ptr
, ipsa
->ipsa_saltlen
);
1409 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1410 walker
->sadb_ext_len
);
1414 ident
= (sadb_ident_t
*)walker
;
1415 ident
->sadb_ident_len
= SADB_8TO64(srcidsize
);
1416 ident
->sadb_ident_exttype
= SADB_EXT_IDENTITY_SRC
;
1417 ident
->sadb_ident_type
= ipsa
->ipsa_src_cid
->ipsid_type
;
1418 ident
->sadb_ident_id
= 0;
1419 ident
->sadb_ident_reserved
= 0;
1420 (void) strcpy((char *)(ident
+ 1),
1421 ipsa
->ipsa_src_cid
->ipsid_cid
);
1422 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1423 walker
->sadb_ext_len
);
1427 ident
= (sadb_ident_t
*)walker
;
1428 ident
->sadb_ident_len
= SADB_8TO64(dstidsize
);
1429 ident
->sadb_ident_exttype
= SADB_EXT_IDENTITY_DST
;
1430 ident
->sadb_ident_type
= ipsa
->ipsa_dst_cid
->ipsid_type
;
1431 ident
->sadb_ident_id
= 0;
1432 ident
->sadb_ident_reserved
= 0;
1433 (void) strcpy((char *)(ident
+ 1),
1434 ipsa
->ipsa_dst_cid
->ipsid_cid
);
1435 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1436 walker
->sadb_ext_len
);
1440 sens
= (sadb_sens_t
*)walker
;
1441 sadb_sens_from_label(sens
, SADB_EXT_SENSITIVITY
,
1442 ipsa
->ipsa_tsl
, senslen
);
1444 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1445 walker
->sadb_ext_len
);
1449 sens
= (sadb_sens_t
*)walker
;
1451 sadb_sens_from_label(sens
, SADB_X_EXT_OUTER_SENS
,
1452 ipsa
->ipsa_otsl
, osenslen
);
1453 if (ipsa
->ipsa_mac_exempt
)
1454 sens
->sadb_x_sens_flags
= SADB_X_SENS_IMPLICIT
;
1456 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1457 walker
->sadb_ext_len
);
1461 pair_ext
= (sadb_x_pair_t
*)walker
;
1463 pair_ext
->sadb_x_pair_len
= SADB_8TO64(sizeof (sadb_x_pair_t
));
1464 pair_ext
->sadb_x_pair_exttype
= SADB_X_EXT_PAIR
;
1465 pair_ext
->sadb_x_pair_spi
= otherspi
;
1467 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1468 walker
->sadb_ext_len
);
1471 if (ipsa
->ipsa_replay
!= 0) {
1472 repl_ctr
= (sadb_x_replay_ctr_t
*)walker
;
1473 repl_ctr
->sadb_x_rc_len
= SADB_8TO64(sizeof (*repl_ctr
));
1474 repl_ctr
->sadb_x_rc_exttype
= SADB_X_EXT_REPLAY_VALUE
;
1475 repl_ctr
->sadb_x_rc_replay32
= ipsa
->ipsa_replay
;
1476 repl_ctr
->sadb_x_rc_replay64
= 0;
1477 walker
= (sadb_ext_t
*)(repl_ctr
+ 1);
1481 /* Pardon any delays... */
1482 mutex_exit(&ipsa
->ipsa_lock
);
1488 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN)
1489 * and adjust base message accordingly.
1491 * Assume message is pulled up in one piece of contiguous memory.
1493 * Say if we start off with:
1495 * +------+----+-------------+-----------+---------------+---------------+
1496 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime |
1497 * +------+----+-------------+-----------+---------------+---------------+
1499 * we will end up with
1501 * +------+----+-------------+-----------+---------------+
1502 * | base | SA | source addr | dest addr | soft lifetime |
1503 * +------+----+-------------+-----------+---------------+
1506 sadb_strip(sadb_msg_t
*samsg
)
1509 uint8_t *target
= NULL
;
1511 int sofar
= SADB_8TO64(sizeof (*samsg
));
1514 ext
= (sadb_ext_t
*)(samsg
+ 1);
1515 msgend
= (uint8_t *)samsg
;
1516 msgend
+= SADB_64TO8(samsg
->sadb_msg_len
);
1517 while ((uint8_t *)ext
< msgend
) {
1518 if (ext
->sadb_ext_type
== SADB_EXT_RESERVED
||
1519 ext
->sadb_ext_type
== SADB_EXT_KEY_AUTH
||
1520 ext
->sadb_ext_type
== SADB_X_EXT_EDUMP
||
1521 ext
->sadb_ext_type
== SADB_EXT_KEY_ENCRYPT
) {
1523 * Aha! I found a header to be erased.
1526 if (target
!= NULL
) {
1528 * If I had a previous header to be erased,
1529 * copy over it. I can get away with just
1530 * copying backwards because the target will
1531 * always be 8 bytes behind the source.
1533 copylen
= ((uint8_t *)ext
) - (target
+
1535 ((sadb_ext_t
*)target
)->sadb_ext_len
));
1536 ovbcopy(((uint8_t *)ext
- copylen
), target
,
1539 ((sadb_ext_t
*)target
)->sadb_ext_len
=
1540 SADB_8TO64(((uint8_t *)ext
) - target
+
1541 SADB_64TO8(ext
->sadb_ext_len
));
1543 target
= (uint8_t *)ext
;
1546 sofar
+= ext
->sadb_ext_len
;
1549 ext
= (sadb_ext_t
*)(((uint64_t *)ext
) + ext
->sadb_ext_len
);
1552 ASSERT((uint8_t *)ext
== msgend
);
1554 if (target
!= NULL
) {
1555 copylen
= ((uint8_t *)ext
) - (target
+
1556 SADB_64TO8(((sadb_ext_t
*)target
)->sadb_ext_len
));
1558 ovbcopy(((uint8_t *)ext
- copylen
), target
, copylen
);
1562 samsg
->sadb_msg_len
= (uint16_t)sofar
;
1564 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */
1568 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL
1569 * followed by an M_DATA with a PF_KEY message in it. The serial of
1570 * the sending keysock instance is included.
1573 sadb_pfkey_error(queue_t
*pfkey_q
, mblk_t
*mp
, int error
, int diagnostic
,
1576 mblk_t
*msg
= mp
->b_cont
;
1581 * Enough functions call this to merit a NULL queue check.
1583 if (pfkey_q
== NULL
) {
1588 ASSERT(msg
!= NULL
);
1589 ASSERT((mp
->b_wptr
- mp
->b_rptr
) == sizeof (ipsec_info_t
));
1590 ASSERT((msg
->b_wptr
- msg
->b_rptr
) >= sizeof (sadb_msg_t
));
1591 samsg
= (sadb_msg_t
*)msg
->b_rptr
;
1592 kso
= (keysock_out_t
*)mp
->b_rptr
;
1594 kso
->ks_out_type
= KEYSOCK_OUT
;
1595 kso
->ks_out_len
= sizeof (*kso
);
1596 kso
->ks_out_serial
= serial
;
1599 * Only send the base message up in the event of an error.
1600 * Don't worry about bzero()-ing, because it was probably bogus
1603 msg
->b_wptr
= msg
->b_rptr
+ sizeof (*samsg
);
1604 samsg
= (sadb_msg_t
*)msg
->b_rptr
;
1605 samsg
->sadb_msg_len
= SADB_8TO64(sizeof (*samsg
));
1606 samsg
->sadb_msg_errno
= (uint8_t)error
;
1607 if (diagnostic
!= SADB_X_DIAGNOSTIC_PRESET
)
1608 samsg
->sadb_x_msg_diagnostic
= (uint16_t)diagnostic
;
1610 putnext(pfkey_q
, mp
);
1614 * Send a successful return packet back to keysock via the queue in pfkey_q.
1616 * Often, an SA is associated with the reply message, it's passed in if needed,
1617 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held,
1618 * and the caller will release said refcnt.
1621 sadb_pfkey_echo(queue_t
*pfkey_q
, mblk_t
*mp
, sadb_msg_t
*samsg
,
1622 keysock_in_t
*ksi
, ipsa_t
*ipsa
)
1626 sadb_msg_t
*newsamsg
;
1629 ASSERT((mp
->b_cont
!= NULL
) &&
1630 ((void *)samsg
== (void *)mp
->b_cont
->b_rptr
) &&
1631 ((void *)mp
->b_rptr
== (void *)ksi
));
1633 switch (samsg
->sadb_msg_type
) {
1636 case SADB_X_UPDATEPAIR
:
1637 case SADB_X_DELPAIR_STATE
:
1641 * I have all of the message already. I just need to strip
1642 * out the keying material and echo the message back.
1644 * NOTE: for SADB_DUMP, the function sadb_dump() did the
1645 * work. When DUMP reaches here, it should only be a base
1649 if (ksi
->ks_in_extv
[SADB_EXT_KEY_AUTH
] != NULL
||
1650 ksi
->ks_in_extv
[SADB_EXT_KEY_ENCRYPT
] != NULL
||
1651 ksi
->ks_in_extv
[SADB_X_EXT_EDUMP
] != NULL
) {
1653 /* Assume PF_KEY message is contiguous. */
1654 ASSERT(mp
->b_cont
->b_cont
== NULL
);
1655 oldend
= mp
->b_cont
->b_wptr
;
1656 mp
->b_cont
->b_wptr
= mp
->b_cont
->b_rptr
+
1657 SADB_64TO8(samsg
->sadb_msg_len
);
1658 bzero(mp
->b_cont
->b_wptr
, oldend
- mp
->b_cont
->b_wptr
);
1663 * Do a lot of work here, because of the ipsa I just found.
1664 * First construct the new PF_KEY message, then abandon
1667 mp1
= sadb_sa2msg(ipsa
, samsg
);
1669 sadb_pfkey_error(pfkey_q
, mp
, ENOMEM
,
1670 SADB_X_DIAGNOSTIC_NONE
, ksi
->ks_in_serial
);
1673 freemsg(mp
->b_cont
);
1677 case SADB_X_DELPAIR
:
1681 * Because listening KMds may require more info, treat
1682 * DELETE like a special case of GET.
1684 mp1
= sadb_sa2msg(ipsa
, samsg
);
1686 sadb_pfkey_error(pfkey_q
, mp
, ENOMEM
,
1687 SADB_X_DIAGNOSTIC_NONE
, ksi
->ks_in_serial
);
1690 newsamsg
= (sadb_msg_t
*)mp1
->b_rptr
;
1691 sadb_strip(newsamsg
);
1692 oldend
= mp1
->b_wptr
;
1693 mp1
->b_wptr
= mp1
->b_rptr
+ SADB_64TO8(newsamsg
->sadb_msg_len
);
1694 bzero(mp1
->b_wptr
, oldend
- mp1
->b_wptr
);
1695 freemsg(mp
->b_cont
);
1704 /* ksi is now null and void. */
1705 kso
= (keysock_out_t
*)ksi
;
1706 kso
->ks_out_type
= KEYSOCK_OUT
;
1707 kso
->ks_out_len
= sizeof (*kso
);
1708 kso
->ks_out_serial
= ksi
->ks_in_serial
;
1709 /* We're ready to send... */
1710 putnext(pfkey_q
, mp
);
1714 * Set up a global pfkey_q instance for AH, ESP, or some other consumer.
1717 sadb_keysock_hello(queue_t
**pfkey_qp
, queue_t
*q
, mblk_t
*mp
,
1718 void (*ager
)(void *), void *agerarg
, timeout_id_t
*top
, int satype
)
1720 keysock_hello_ack_t
*kha
;
1723 ASSERT(OTHERQ(q
) != NULL
);
1726 * First, check atomically that I'm the first and only keysock
1729 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp),
1730 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY
1734 oldq
= casptr((void **)pfkey_qp
, NULL
, OTHERQ(q
));
1737 cmn_err(CE_WARN
, "Danger! Multiple keysocks on top of %s.\n",
1738 (satype
== SADB_SATYPE_ESP
)? "ESP" : "AH or other");
1743 kha
= (keysock_hello_ack_t
*)mp
->b_rptr
;
1744 kha
->ks_hello_len
= sizeof (keysock_hello_ack_t
);
1745 kha
->ks_hello_type
= KEYSOCK_HELLO_ACK
;
1746 kha
->ks_hello_satype
= (uint8_t)satype
;
1749 * If we made it past the casptr, then we have "exclusive" access
1750 * to the timeout handle. Fire it off after the default ager
1753 *top
= qtimeout(*pfkey_qp
, ager
, agerarg
,
1754 drv_usectohz(SADB_AGE_INTERVAL_DEFAULT
* 1000));
1756 putnext(*pfkey_qp
, mp
);
1760 * Normalize IPv4-mapped IPv6 addresses (and prefixes) as appropriate.
1762 * Check addresses themselves for wildcard or multicast.
1763 * Check ire table for local/non-local/broadcast.
1766 sadb_addrcheck(queue_t
*pfkey_q
, mblk_t
*mp
, sadb_ext_t
*ext
, uint_t serial
,
1769 sadb_address_t
*addr
= (sadb_address_t
*)ext
;
1770 struct sockaddr_in
*sin
;
1771 struct sockaddr_in6
*sin6
;
1772 int diagnostic
, type
;
1773 boolean_t normalized
= B_FALSE
;
1775 ASSERT(ext
!= NULL
);
1776 ASSERT((ext
->sadb_ext_type
== SADB_EXT_ADDRESS_SRC
) ||
1777 (ext
->sadb_ext_type
== SADB_EXT_ADDRESS_DST
) ||
1778 (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_INNER_SRC
) ||
1779 (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_INNER_DST
) ||
1780 (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_NATT_LOC
) ||
1781 (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_NATT_REM
));
1783 /* Assign both sockaddrs, the compiler will do the right thing. */
1784 sin
= (struct sockaddr_in
*)(addr
+ 1);
1785 sin6
= (struct sockaddr_in6
*)(addr
+ 1);
1787 if (sin6
->sin6_family
== AF_INET6
) {
1788 if (IN6_IS_ADDR_V4MAPPED(&sin6
->sin6_addr
)) {
1790 * Convert to an AF_INET sockaddr. This means the
1791 * return messages will have the extra space, but have
1792 * AF_INET sockaddrs instead of AF_INET6.
1794 * Yes, RFC 2367 isn't clear on what to do here w.r.t.
1795 * mapped addresses, but since AF_INET6 ::ffff:<v4> is
1796 * equal to AF_INET <v4>, it shouldnt be a huge
1799 sin
->sin_family
= AF_INET
;
1800 IN6_V4MAPPED_TO_INADDR(&sin6
->sin6_addr
,
1802 bzero(&sin
->sin_zero
, sizeof (sin
->sin_zero
));
1803 normalized
= B_TRUE
;
1805 } else if (sin
->sin_family
!= AF_INET
) {
1806 switch (ext
->sadb_ext_type
) {
1807 case SADB_EXT_ADDRESS_SRC
:
1808 diagnostic
= SADB_X_DIAGNOSTIC_BAD_SRC_AF
;
1810 case SADB_EXT_ADDRESS_DST
:
1811 diagnostic
= SADB_X_DIAGNOSTIC_BAD_DST_AF
;
1813 case SADB_X_EXT_ADDRESS_INNER_SRC
:
1814 diagnostic
= SADB_X_DIAGNOSTIC_BAD_PROXY_AF
;
1816 case SADB_X_EXT_ADDRESS_INNER_DST
:
1817 diagnostic
= SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF
;
1819 case SADB_X_EXT_ADDRESS_NATT_LOC
:
1820 diagnostic
= SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF
;
1822 case SADB_X_EXT_ADDRESS_NATT_REM
:
1823 diagnostic
= SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF
;
1825 /* There is no default, see above ASSERT. */
1828 if (pfkey_q
!= NULL
) {
1829 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
, diagnostic
,
1833 * Scribble in sadb_msg that we got passed in.
1834 * Overload "mp" to be an sadb_msg pointer.
1836 sadb_msg_t
*samsg
= (sadb_msg_t
*)mp
;
1838 samsg
->sadb_msg_errno
= EINVAL
;
1839 samsg
->sadb_x_msg_diagnostic
= diagnostic
;
1841 return (KS_IN_ADDR_UNKNOWN
);
1844 if (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_INNER_SRC
||
1845 ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_INNER_DST
) {
1847 * We need only check for prefix issues.
1850 /* Set diagnostic now, in case we need it later. */
1852 (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_INNER_SRC
) ?
1853 SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC
:
1854 SADB_X_DIAGNOSTIC_PREFIX_INNER_DST
;
1857 addr
->sadb_address_prefixlen
-= 96;
1860 * Verify and mask out inner-addresses based on prefix length.
1862 if (sin
->sin_family
== AF_INET
) {
1863 if (addr
->sadb_address_prefixlen
> 32)
1865 sin
->sin_addr
.s_addr
&=
1866 ip_plen_to_mask(addr
->sadb_address_prefixlen
);
1870 ASSERT(sin
->sin_family
== AF_INET6
);
1872 * ip_plen_to_mask_v6() returns NULL if the value in
1873 * question is out of range.
1875 if (ip_plen_to_mask_v6(addr
->sadb_address_prefixlen
,
1878 sin6
->sin6_addr
.s6_addr32
[0] &= mask
.s6_addr32
[0];
1879 sin6
->sin6_addr
.s6_addr32
[1] &= mask
.s6_addr32
[1];
1880 sin6
->sin6_addr
.s6_addr32
[2] &= mask
.s6_addr32
[2];
1881 sin6
->sin6_addr
.s6_addr32
[3] &= mask
.s6_addr32
[3];
1884 /* We don't care in these cases. */
1885 return (KS_IN_ADDR_DONTCARE
);
1888 if (sin
->sin_family
== AF_INET6
) {
1889 /* Check the easy ones now. */
1890 if (IN6_IS_ADDR_MULTICAST(&sin6
->sin6_addr
))
1891 return (KS_IN_ADDR_MBCAST
);
1892 if (IN6_IS_ADDR_UNSPECIFIED(&sin6
->sin6_addr
))
1893 return (KS_IN_ADDR_UNSPEC
);
1895 * At this point, we're a unicast IPv6 address.
1897 * XXX Zones alert -> me/notme decision needs to be tempered
1898 * by what zone we're in when we go to zone-aware IPsec.
1900 if (ip_type_v6(&sin6
->sin6_addr
, ns
->netstack_ip
) ==
1902 /* Hey hey, it's local. */
1903 return (KS_IN_ADDR_ME
);
1906 ASSERT(sin
->sin_family
== AF_INET
);
1907 if (sin
->sin_addr
.s_addr
== INADDR_ANY
)
1908 return (KS_IN_ADDR_UNSPEC
);
1909 if (CLASSD(sin
->sin_addr
.s_addr
))
1910 return (KS_IN_ADDR_MBCAST
);
1912 * At this point we're a unicast or broadcast IPv4 address.
1914 * Check if the address is IRE_BROADCAST or IRE_LOCAL.
1916 * XXX Zones alert -> me/notme decision needs to be tempered
1917 * by what zone we're in when we go to zone-aware IPsec.
1919 type
= ip_type_v4(sin
->sin_addr
.s_addr
, ns
->netstack_ip
);
1922 return (KS_IN_ADDR_ME
);
1924 return (KS_IN_ADDR_MBCAST
);
1928 return (KS_IN_ADDR_NOTME
);
1932 * Address normalizations and reality checks for inbound PF_KEY messages.
1934 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert
1935 * the source to AF_INET. Do the same for the inner sources.
1938 sadb_addrfix(keysock_in_t
*ksi
, queue_t
*pfkey_q
, mblk_t
*mp
, netstack_t
*ns
)
1940 struct sockaddr_in
*src
, *isrc
;
1941 struct sockaddr_in6
*dst
, *idst
;
1942 sadb_address_t
*srcext
, *dstext
;
1944 sadb_ext_t
**extv
= ksi
->ks_in_extv
;
1947 if (extv
[SADB_EXT_ADDRESS_SRC
] != NULL
) {
1948 rc
= sadb_addrcheck(pfkey_q
, mp
, extv
[SADB_EXT_ADDRESS_SRC
],
1949 ksi
->ks_in_serial
, ns
);
1950 if (rc
== KS_IN_ADDR_UNKNOWN
)
1952 if (rc
== KS_IN_ADDR_MBCAST
) {
1953 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
1954 SADB_X_DIAGNOSTIC_BAD_SRC
, ksi
->ks_in_serial
);
1957 ksi
->ks_in_srctype
= rc
;
1960 if (extv
[SADB_EXT_ADDRESS_DST
] != NULL
) {
1961 rc
= sadb_addrcheck(pfkey_q
, mp
, extv
[SADB_EXT_ADDRESS_DST
],
1962 ksi
->ks_in_serial
, ns
);
1963 if (rc
== KS_IN_ADDR_UNKNOWN
)
1965 if (rc
== KS_IN_ADDR_UNSPEC
) {
1966 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
1967 SADB_X_DIAGNOSTIC_BAD_DST
, ksi
->ks_in_serial
);
1970 ksi
->ks_in_dsttype
= rc
;
1974 * NAT-Traversal addrs are simple enough to not require all of
1975 * the checks in sadb_addrcheck(). Just normalize or reject if not
1978 if (extv
[SADB_X_EXT_ADDRESS_NATT_LOC
] != NULL
) {
1979 rc
= sadb_addrcheck(pfkey_q
, mp
,
1980 extv
[SADB_X_EXT_ADDRESS_NATT_LOC
], ksi
->ks_in_serial
, ns
);
1983 * Local NAT-T addresses never use an IRE_LOCAL, so it should
1984 * always be NOTME, or UNSPEC (to handle both tunnel mode
1985 * AND local-port flexibility).
1987 if (rc
!= KS_IN_ADDR_NOTME
&& rc
!= KS_IN_ADDR_UNSPEC
) {
1988 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
1989 SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC
,
1993 src
= (struct sockaddr_in
*)
1994 (((sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_NATT_LOC
]) + 1);
1995 if (src
->sin_family
!= AF_INET
) {
1996 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
1997 SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF
,
2003 if (extv
[SADB_X_EXT_ADDRESS_NATT_REM
] != NULL
) {
2004 rc
= sadb_addrcheck(pfkey_q
, mp
,
2005 extv
[SADB_X_EXT_ADDRESS_NATT_REM
], ksi
->ks_in_serial
, ns
);
2008 * Remote NAT-T addresses never use an IRE_LOCAL, so it should
2009 * always be NOTME, or UNSPEC if it's a tunnel-mode SA.
2011 if (rc
!= KS_IN_ADDR_NOTME
&&
2012 !(extv
[SADB_X_EXT_ADDRESS_INNER_SRC
] != NULL
&&
2013 rc
== KS_IN_ADDR_UNSPEC
)) {
2014 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2015 SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM
,
2019 src
= (struct sockaddr_in
*)
2020 (((sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_NATT_REM
]) + 1);
2021 if (src
->sin_family
!= AF_INET
) {
2022 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2023 SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF
,
2029 if (extv
[SADB_X_EXT_ADDRESS_INNER_SRC
] != NULL
) {
2030 if (extv
[SADB_X_EXT_ADDRESS_INNER_DST
] == NULL
) {
2031 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2032 SADB_X_DIAGNOSTIC_MISSING_INNER_DST
,
2037 if (sadb_addrcheck(pfkey_q
, mp
,
2038 extv
[SADB_X_EXT_ADDRESS_INNER_DST
], ksi
->ks_in_serial
, ns
)
2039 == KS_IN_ADDR_UNKNOWN
||
2040 sadb_addrcheck(pfkey_q
, mp
,
2041 extv
[SADB_X_EXT_ADDRESS_INNER_SRC
], ksi
->ks_in_serial
, ns
)
2042 == KS_IN_ADDR_UNKNOWN
)
2045 isrc
= (struct sockaddr_in
*)
2046 (((sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_INNER_SRC
]) +
2048 idst
= (struct sockaddr_in6
*)
2049 (((sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_INNER_DST
]) +
2051 if (isrc
->sin_family
!= idst
->sin6_family
) {
2052 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2053 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH
,
2057 } else if (extv
[SADB_X_EXT_ADDRESS_INNER_DST
] != NULL
) {
2058 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2059 SADB_X_DIAGNOSTIC_MISSING_INNER_SRC
,
2063 isrc
= NULL
; /* For inner/outer port check below. */
2066 dstext
= (sadb_address_t
*)extv
[SADB_EXT_ADDRESS_DST
];
2067 srcext
= (sadb_address_t
*)extv
[SADB_EXT_ADDRESS_SRC
];
2069 if (dstext
== NULL
|| srcext
== NULL
)
2072 dst
= (struct sockaddr_in6
*)(dstext
+ 1);
2073 src
= (struct sockaddr_in
*)(srcext
+ 1);
2076 (isrc
->sin_port
!= 0 || idst
->sin6_port
!= 0) &&
2077 (src
->sin_port
!= 0 || dst
->sin6_port
!= 0)) {
2078 /* Can't set inner and outer ports in one SA. */
2079 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2080 SADB_X_DIAGNOSTIC_DUAL_PORT_SETS
,
2085 if (dst
->sin6_family
== src
->sin_family
)
2088 if (srcext
->sadb_address_proto
!= dstext
->sadb_address_proto
) {
2089 if (srcext
->sadb_address_proto
== 0) {
2090 srcext
->sadb_address_proto
= dstext
->sadb_address_proto
;
2091 } else if (dstext
->sadb_address_proto
== 0) {
2092 dstext
->sadb_address_proto
= srcext
->sadb_address_proto
;
2094 /* Inequal protocols, neither were 0. Report error. */
2095 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2096 SADB_X_DIAGNOSTIC_PROTO_MISMATCH
,
2103 * With the exception of an unspec IPv6 source and an IPv4
2104 * destination, address families MUST me matched.
2106 if (src
->sin_family
== AF_INET
||
2107 ksi
->ks_in_srctype
!= KS_IN_ADDR_UNSPEC
) {
2108 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2109 SADB_X_DIAGNOSTIC_AF_MISMATCH
, ksi
->ks_in_serial
);
2114 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being
2115 * in the same place for sockaddr_in and sockaddr_in6.
2117 sport
= src
->sin_port
;
2118 bzero(src
, sizeof (*src
));
2119 src
->sin_family
= AF_INET
;
2120 src
->sin_port
= sport
;
2126 * Set the results in "addrtype", given an IRE as requested by
2130 sadb_addrset(ire_t
*ire
)
2132 if ((ire
->ire_type
& IRE_BROADCAST
) ||
2133 (ire
->ire_ipversion
== IPV4_VERSION
&& CLASSD(ire
->ire_addr
)) ||
2134 (ire
->ire_ipversion
== IPV6_VERSION
&&
2135 IN6_IS_ADDR_MULTICAST(&(ire
->ire_addr_v6
))))
2136 return (KS_IN_ADDR_MBCAST
);
2137 if (ire
->ire_type
& (IRE_LOCAL
| IRE_LOOPBACK
))
2138 return (KS_IN_ADDR_ME
);
2139 return (KS_IN_ADDR_NOTME
);
2143 * Match primitives..
2144 * !!! TODO: short term: inner selectors
2145 * ipv6 scope id (ifindex)
2146 * longer term: zone id. sensitivity label. uid.
2149 sadb_match_spi(ipsa_query_t
*sq
, ipsa_t
*sa
)
2151 return (sq
->spi
== sa
->ipsa_spi
);
2155 sadb_match_dst_v6(ipsa_query_t
*sq
, ipsa_t
*sa
)
2157 return (IPSA_ARE_ADDR_EQUAL(sa
->ipsa_dstaddr
, sq
->dstaddr
, AF_INET6
));
2161 sadb_match_src_v6(ipsa_query_t
*sq
, ipsa_t
*sa
)
2163 return (IPSA_ARE_ADDR_EQUAL(sa
->ipsa_srcaddr
, sq
->srcaddr
, AF_INET6
));
2167 sadb_match_dst_v4(ipsa_query_t
*sq
, ipsa_t
*sa
)
2169 return (sq
->dstaddr
[0] == sa
->ipsa_dstaddr
[0]);
2173 sadb_match_src_v4(ipsa_query_t
*sq
, ipsa_t
*sa
)
2175 return (sq
->srcaddr
[0] == sa
->ipsa_srcaddr
[0]);
2179 sadb_match_dstid(ipsa_query_t
*sq
, ipsa_t
*sa
)
2181 return ((sa
->ipsa_dst_cid
!= NULL
) &&
2182 (sq
->didtype
== sa
->ipsa_dst_cid
->ipsid_type
) &&
2183 (strcmp(sq
->didstr
, sa
->ipsa_dst_cid
->ipsid_cid
) == 0));
2187 sadb_match_srcid(ipsa_query_t
*sq
, ipsa_t
*sa
)
2189 return ((sa
->ipsa_src_cid
!= NULL
) &&
2190 (sq
->sidtype
== sa
->ipsa_src_cid
->ipsid_type
) &&
2191 (strcmp(sq
->sidstr
, sa
->ipsa_src_cid
->ipsid_cid
) == 0));
2195 sadb_match_kmc(ipsa_query_t
*sq
, ipsa_t
*sa
)
2197 #define M(a, b) (((a) == 0) || ((b) == 0) || ((a) == (b)))
2199 return (M(sq
->kmc
, sa
->ipsa_kmc
) && M(sq
->kmp
, sa
->ipsa_kmp
));
2205 * Common function which extracts several PF_KEY extensions for ease of
2208 * XXX TODO: weed out ipsa_query_t fields not used during matching
2212 sadb_form_query(keysock_in_t
*ksi
, uint32_t req
, uint32_t match
,
2213 ipsa_query_t
*sq
, int *diagnostic
)
2216 ipsa_match_fn_t
*mfpp
= &(sq
->matchers
[0]);
2218 for (i
= 0; i
< IPSA_NMATCH
; i
++)
2219 sq
->matchers
[i
] = NULL
;
2221 ASSERT((req
& ~match
) == 0);
2224 sq
->dstext
= (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_DST
];
2225 sq
->srcext
= (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_SRC
];
2226 sq
->assoc
= (sadb_sa_t
*)ksi
->ks_in_extv
[SADB_EXT_SA
];
2228 if ((req
& IPSA_Q_DST
) && (sq
->dstext
== NULL
)) {
2229 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_DST
;
2232 if ((req
& IPSA_Q_SRC
) && (sq
->srcext
== NULL
)) {
2233 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SRC
;
2236 if ((req
& IPSA_Q_SA
) && (sq
->assoc
== NULL
)) {
2237 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SA
;
2241 if (match
& IPSA_Q_SA
) {
2242 *mfpp
++ = sadb_match_spi
;
2243 sq
->spi
= sq
->assoc
->sadb_sa_spi
;
2246 if (sq
->dstext
!= NULL
)
2247 sq
->dst
= (struct sockaddr_in
*)(sq
->dstext
+ 1);
2254 if (sq
->srcext
!= NULL
)
2255 sq
->src
= (struct sockaddr_in
*)(sq
->srcext
+ 1);
2262 if (sq
->dst
!= NULL
)
2263 sq
->af
= sq
->dst
->sin_family
;
2264 else if (sq
->src
!= NULL
)
2265 sq
->af
= sq
->src
->sin_family
;
2269 if (sq
->af
== AF_INET6
) {
2270 if ((match
& IPSA_Q_DST
) && (sq
->dstext
!= NULL
)) {
2271 *mfpp
++ = sadb_match_dst_v6
;
2272 sq
->dst6
= (struct sockaddr_in6
*)sq
->dst
;
2273 sq
->dstaddr
= (uint32_t *)&(sq
->dst6
->sin6_addr
);
2275 match
&= ~IPSA_Q_DST
;
2276 sq
->dstaddr
= ALL_ZEROES_PTR
;
2279 if ((match
& IPSA_Q_SRC
) && (sq
->srcext
!= NULL
)) {
2280 sq
->src6
= (struct sockaddr_in6
*)(sq
->srcext
+ 1);
2281 sq
->srcaddr
= (uint32_t *)&sq
->src6
->sin6_addr
;
2282 if (sq
->src6
->sin6_family
!= AF_INET6
) {
2283 *diagnostic
= SADB_X_DIAGNOSTIC_AF_MISMATCH
;
2286 *mfpp
++ = sadb_match_src_v6
;
2288 match
&= ~IPSA_Q_SRC
;
2289 sq
->srcaddr
= ALL_ZEROES_PTR
;
2292 sq
->src6
= sq
->dst6
= NULL
;
2293 if ((match
& IPSA_Q_DST
) && (sq
->dstext
!= NULL
)) {
2294 *mfpp
++ = sadb_match_dst_v4
;
2295 sq
->dstaddr
= (uint32_t *)&sq
->dst
->sin_addr
;
2297 match
&= ~IPSA_Q_DST
;
2298 sq
->dstaddr
= ALL_ZEROES_PTR
;
2300 if ((match
& IPSA_Q_SRC
) && (sq
->srcext
!= NULL
)) {
2301 sq
->srcaddr
= (uint32_t *)&sq
->src
->sin_addr
;
2302 if (sq
->src
->sin_family
!= AF_INET
) {
2303 *diagnostic
= SADB_X_DIAGNOSTIC_AF_MISMATCH
;
2306 *mfpp
++ = sadb_match_src_v4
;
2308 match
&= ~IPSA_Q_SRC
;
2309 sq
->srcaddr
= ALL_ZEROES_PTR
;
2313 sq
->dstid
= (sadb_ident_t
*)ksi
->ks_in_extv
[SADB_EXT_IDENTITY_DST
];
2314 if ((match
& IPSA_Q_DSTID
) && (sq
->dstid
!= NULL
)) {
2315 sq
->didstr
= (char *)(sq
->dstid
+ 1);
2316 sq
->didtype
= sq
->dstid
->sadb_ident_type
;
2317 *mfpp
++ = sadb_match_dstid
;
2320 sq
->srcid
= (sadb_ident_t
*)ksi
->ks_in_extv
[SADB_EXT_IDENTITY_SRC
];
2322 if ((match
& IPSA_Q_SRCID
) && (sq
->srcid
!= NULL
)) {
2323 sq
->sidstr
= (char *)(sq
->srcid
+ 1);
2324 sq
->sidtype
= sq
->srcid
->sadb_ident_type
;
2325 *mfpp
++ = sadb_match_srcid
;
2328 sq
->kmcext
= (sadb_x_kmc_t
*)ksi
->ks_in_extv
[SADB_X_EXT_KM_COOKIE
];
2332 if ((match
& IPSA_Q_KMC
) && (sq
->kmcext
)) {
2333 sq
->kmc
= sq
->kmcext
->sadb_x_kmc_cookie
;
2334 sq
->kmp
= sq
->kmcext
->sadb_x_kmc_proto
;
2335 *mfpp
++ = sadb_match_kmc
;
2338 if (match
& (IPSA_Q_INBOUND
|IPSA_Q_OUTBOUND
)) {
2339 if (sq
->af
== AF_INET6
)
2340 sq
->sp
= &sq
->spp
->s_v6
;
2342 sq
->sp
= &sq
->spp
->s_v4
;
2347 if (match
& IPSA_Q_INBOUND
) {
2348 sq
->inhash
= INBOUND_HASH(sq
->sp
, sq
->assoc
->sadb_sa_spi
);
2349 sq
->inbound
= &sq
->sp
->sdb_if
[sq
->inhash
];
2355 if (match
& IPSA_Q_OUTBOUND
) {
2356 if (sq
->af
== AF_INET6
) {
2357 sq
->outhash
= OUTBOUND_HASH_V6(sq
->sp
, *(sq
->dstaddr
));
2359 sq
->outhash
= OUTBOUND_HASH_V4(sq
->sp
, *(sq
->dstaddr
));
2361 sq
->outbound
= &sq
->sp
->sdb_of
[sq
->outhash
];
2364 sq
->outbound
= NULL
;
2371 * Match an initialized query structure with a security association;
2372 * return B_TRUE on a match, B_FALSE on a miss.
2373 * Applies match functions set up by sadb_form_query() until one returns false.
2376 sadb_match_query(ipsa_query_t
*sq
, ipsa_t
*sa
)
2378 ipsa_match_fn_t
*mfpp
= &(sq
->matchers
[0]);
2379 ipsa_match_fn_t mfp
;
2381 for (mfp
= *mfpp
++; mfp
!= NULL
; mfp
= *mfpp
++) {
2389 * Walker callback function to delete sa's based on src/dst address.
2390 * Assumes that we're called with *head locked, no other locks held;
2391 * Conveniently, and not coincidentally, this is both what sadb_walker
2392 * gives us and also what sadb_unlinkassoc expects.
2394 struct sadb_purge_state
2398 uint8_t sadb_sa_state
;
2402 sadb_purge_cb(isaf_t
*head
, ipsa_t
*entry
, void *cookie
)
2404 struct sadb_purge_state
*ps
= (struct sadb_purge_state
*)cookie
;
2406 ASSERT(MUTEX_HELD(&head
->isaf_lock
));
2408 mutex_enter(&entry
->ipsa_lock
);
2410 if (entry
->ipsa_state
== IPSA_STATE_LARVAL
||
2411 !sadb_match_query(&ps
->sq
, entry
)) {
2412 mutex_exit(&entry
->ipsa_lock
);
2417 sadb_delete_cluster(entry
);
2419 entry
->ipsa_state
= IPSA_STATE_DEAD
;
2420 (void) sadb_torch_assoc(head
, entry
);
2424 * Common code to purge an SA with a matching src or dst address.
2425 * Don't kill larval SA's in such a purge.
2428 sadb_purge_sa(mblk_t
*mp
, keysock_in_t
*ksi
, sadb_t
*sp
,
2429 int *diagnostic
, queue_t
*pfkey_q
)
2431 struct sadb_purge_state ps
;
2432 int error
= sadb_form_query(ksi
, 0,
2433 IPSA_Q_SRC
|IPSA_Q_DST
|IPSA_Q_SRCID
|IPSA_Q_DSTID
|IPSA_Q_KMC
,
2434 &ps
.sq
, diagnostic
);
2440 * This is simple, crude, and effective.
2441 * Unimplemented optimizations (TBD):
2442 * - we can limit how many places we search based on where we
2443 * think the SA is filed.
2444 * - if we get a dst address, we can hash based on dst addr to find
2445 * the correct bucket in the outbound table.
2448 sadb_walker(sp
->sdb_if
, sp
->sdb_hashsize
, sadb_purge_cb
, &ps
);
2450 sadb_walker(sp
->sdb_of
, sp
->sdb_hashsize
, sadb_purge_cb
, &ps
);
2452 ASSERT(mp
->b_cont
!= NULL
);
2453 sadb_pfkey_echo(pfkey_q
, mp
, (sadb_msg_t
*)mp
->b_cont
->b_rptr
, ksi
,
2459 sadb_delpair_state_one(isaf_t
*head
, ipsa_t
*entry
, void *cookie
)
2461 struct sadb_purge_state
*ps
= (struct sadb_purge_state
*)cookie
;
2462 isaf_t
*inbound_bucket
;
2464 ipsa_query_t
*sq
= &ps
->sq
;
2466 ASSERT(MUTEX_HELD(&head
->isaf_lock
));
2468 mutex_enter(&entry
->ipsa_lock
);
2470 if ((entry
->ipsa_state
!= ps
->sadb_sa_state
) ||
2471 ((sq
->srcaddr
!= NULL
) &&
2472 !IPSA_ARE_ADDR_EQUAL(entry
->ipsa_srcaddr
, sq
->srcaddr
, sq
->af
))) {
2473 mutex_exit(&entry
->ipsa_lock
);
2478 * The isaf_t *, which is passed in , is always an outbound bucket,
2479 * and we are preserving the outbound-then-inbound hash-bucket lock
2480 * ordering. The sadb_walker() which triggers this function is called
2481 * only on the outbound fanout, and the corresponding inbound bucket
2482 * lock is safe to acquire here.
2485 if (entry
->ipsa_haspeer
) {
2486 inbound_bucket
= INBOUND_BUCKET(sq
->sp
, entry
->ipsa_spi
);
2487 mutex_enter(&inbound_bucket
->isaf_lock
);
2488 peer_assoc
= ipsec_getassocbyspi(inbound_bucket
,
2489 entry
->ipsa_spi
, entry
->ipsa_srcaddr
,
2490 entry
->ipsa_dstaddr
, entry
->ipsa_addrfam
);
2492 inbound_bucket
= INBOUND_BUCKET(sq
->sp
, entry
->ipsa_otherspi
);
2493 mutex_enter(&inbound_bucket
->isaf_lock
);
2494 peer_assoc
= ipsec_getassocbyspi(inbound_bucket
,
2495 entry
->ipsa_otherspi
, entry
->ipsa_dstaddr
,
2496 entry
->ipsa_srcaddr
, entry
->ipsa_addrfam
);
2499 entry
->ipsa_state
= IPSA_STATE_DEAD
;
2500 (void) sadb_torch_assoc(head
, entry
);
2501 if (peer_assoc
!= NULL
) {
2502 mutex_enter(&peer_assoc
->ipsa_lock
);
2503 peer_assoc
->ipsa_state
= IPSA_STATE_DEAD
;
2504 (void) sadb_torch_assoc(inbound_bucket
, peer_assoc
);
2506 mutex_exit(&inbound_bucket
->isaf_lock
);
2510 sadb_delpair_state(mblk_t
*mp
, keysock_in_t
*ksi
, sadbp_t
*spp
,
2511 int *diagnostic
, queue_t
*pfkey_q
)
2513 sadb_sa_t
*assoc
= (sadb_sa_t
*)ksi
->ks_in_extv
[SADB_EXT_SA
];
2514 struct sadb_purge_state ps
;
2517 ps
.sq
.spp
= spp
; /* XXX param */
2519 error
= sadb_form_query(ksi
, IPSA_Q_DST
|IPSA_Q_SRC
,
2520 IPSA_Q_SRC
|IPSA_Q_DST
|IPSA_Q_SRCID
|IPSA_Q_DSTID
|IPSA_Q_KMC
,
2521 &ps
.sq
, diagnostic
);
2526 ps
.sadb_sa_state
= assoc
->sadb_sa_state
;
2527 sadb_walker(ps
.sq
.sp
->sdb_of
, ps
.sq
.sp
->sdb_hashsize
,
2528 sadb_delpair_state_one
, &ps
);
2530 ASSERT(mp
->b_cont
!= NULL
);
2531 sadb_pfkey_echo(pfkey_q
, mp
, (sadb_msg_t
*)mp
->b_cont
->b_rptr
,
2537 * Common code to delete/get an SA.
2540 sadb_delget_sa(mblk_t
*mp
, keysock_in_t
*ksi
, sadbp_t
*spp
,
2541 int *diagnostic
, queue_t
*pfkey_q
, uint8_t sadb_msg_type
)
2544 ipsa_t
*echo_target
= NULL
;
2548 if (sadb_msg_type
== SADB_X_DELPAIR_STATE
)
2549 return (sadb_delpair_state(mp
, ksi
, spp
, diagnostic
, pfkey_q
));
2551 sq
.spp
= spp
; /* XXX param */
2552 error
= sadb_form_query(ksi
, IPSA_Q_DST
|IPSA_Q_SA
,
2553 IPSA_Q_SRC
|IPSA_Q_DST
|IPSA_Q_SA
|IPSA_Q_INBOUND
|IPSA_Q_OUTBOUND
,
2558 error
= get_ipsa_pair(&sq
, &ipsapp
, diagnostic
);
2563 echo_target
= ipsapp
.ipsap_sa_ptr
;
2564 if (echo_target
== NULL
)
2565 echo_target
= ipsapp
.ipsap_psa_ptr
;
2567 if (sadb_msg_type
== SADB_DELETE
|| sadb_msg_type
== SADB_X_DELPAIR
) {
2569 * Bucket locks will be required if SA is actually unlinked.
2570 * get_ipsa_pair() returns valid hash bucket pointers even
2571 * if it can't find a pair SA pointer. To prevent a potential
2572 * deadlock, always lock the outbound bucket before the inbound.
2574 if (ipsapp
.in_inbound_table
) {
2575 mutex_enter(&ipsapp
.ipsap_pbucket
->isaf_lock
);
2576 mutex_enter(&ipsapp
.ipsap_bucket
->isaf_lock
);
2578 mutex_enter(&ipsapp
.ipsap_bucket
->isaf_lock
);
2579 mutex_enter(&ipsapp
.ipsap_pbucket
->isaf_lock
);
2582 if (ipsapp
.ipsap_sa_ptr
!= NULL
) {
2583 mutex_enter(&ipsapp
.ipsap_sa_ptr
->ipsa_lock
);
2584 if (ipsapp
.ipsap_sa_ptr
->ipsa_flags
& IPSA_F_INBOUND
) {
2585 sadb_delete_cluster(ipsapp
.ipsap_sa_ptr
);
2587 ipsapp
.ipsap_sa_ptr
->ipsa_state
= IPSA_STATE_DEAD
;
2588 (void) sadb_torch_assoc(ipsapp
.ipsap_bucket
,
2589 ipsapp
.ipsap_sa_ptr
);
2591 * sadb_torch_assoc() releases the ipsa_lock
2592 * and calls sadb_unlinkassoc() which does a
2596 if (ipsapp
.ipsap_psa_ptr
!= NULL
) {
2597 mutex_enter(&ipsapp
.ipsap_psa_ptr
->ipsa_lock
);
2598 if (sadb_msg_type
== SADB_X_DELPAIR
||
2599 ipsapp
.ipsap_psa_ptr
->ipsa_haspeer
) {
2600 if (ipsapp
.ipsap_psa_ptr
->ipsa_flags
&
2603 (ipsapp
.ipsap_psa_ptr
);
2605 ipsapp
.ipsap_psa_ptr
->ipsa_state
=
2607 (void) sadb_torch_assoc(ipsapp
.ipsap_pbucket
,
2608 ipsapp
.ipsap_psa_ptr
);
2611 * Only half of the "pair" has been deleted.
2612 * Update the remaining SA and remove references
2613 * to its pair SA, which is now gone.
2615 ipsapp
.ipsap_psa_ptr
->ipsa_otherspi
= 0;
2616 ipsapp
.ipsap_psa_ptr
->ipsa_flags
&=
2618 mutex_exit(&ipsapp
.ipsap_psa_ptr
->ipsa_lock
);
2620 } else if (sadb_msg_type
== SADB_X_DELPAIR
) {
2621 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND
;
2624 mutex_exit(&ipsapp
.ipsap_bucket
->isaf_lock
);
2625 mutex_exit(&ipsapp
.ipsap_pbucket
->isaf_lock
);
2628 ASSERT(mp
->b_cont
!= NULL
);
2631 sadb_pfkey_echo(pfkey_q
, mp
, (sadb_msg_t
*)
2632 mp
->b_cont
->b_rptr
, ksi
, echo_target
);
2634 destroy_ipsa_pair(&ipsapp
);
2640 * This function takes a sadb_sa_t and finds the ipsa_t structure
2641 * and the isaf_t (hash bucket) that its stored under. If the security
2642 * association has a peer, the ipsa_t structure and bucket for that security
2643 * association are also searched for. The "pair" of ipsa_t's and isaf_t's
2644 * are returned as a ipsap_t.
2646 * The hash buckets are returned for convenience, if the calling function
2647 * needs to use the hash bucket locks, say to remove the SA's, it should
2648 * take care to observe the convention of locking outbound bucket then
2649 * inbound bucket. The flag in_inbound_table provides direction.
2651 * Note that a "pair" is defined as one (but not both) of the following:
2653 * A security association which has a soft reference to another security
2654 * association via its SPI.
2656 * A security association that is not obviously "inbound" or "outbound" so
2657 * it appears in both hash tables, the "peer" being the same security
2658 * association in the other hash table.
2660 * This function will return NULL if the ipsa_t can't be found in the
2661 * inbound or outbound hash tables (not found). If only one ipsa_t is
2662 * found, the pair ipsa_t will be NULL. Both isaf_t values are valid
2663 * provided at least one ipsa_t is found.
2666 get_ipsa_pair(ipsa_query_t
*sq
, ipsap_t
*ipsapp
, int *diagnostic
)
2668 uint32_t pair_srcaddr
[IPSA_MAX_ADDRLEN
];
2669 uint32_t pair_dstaddr
[IPSA_MAX_ADDRLEN
];
2672 init_ipsa_pair(ipsapp
);
2674 ipsapp
->in_inbound_table
= B_FALSE
;
2676 /* Lock down both buckets. */
2677 mutex_enter(&sq
->outbound
->isaf_lock
);
2678 mutex_enter(&sq
->inbound
->isaf_lock
);
2680 if (sq
->assoc
->sadb_sa_flags
& IPSA_F_INBOUND
) {
2681 ipsapp
->ipsap_sa_ptr
= ipsec_getassocbyspi(sq
->inbound
,
2682 sq
->assoc
->sadb_sa_spi
, sq
->srcaddr
, sq
->dstaddr
, sq
->af
);
2683 if (ipsapp
->ipsap_sa_ptr
!= NULL
) {
2684 ipsapp
->ipsap_bucket
= sq
->inbound
;
2685 ipsapp
->ipsap_pbucket
= sq
->outbound
;
2686 ipsapp
->in_inbound_table
= B_TRUE
;
2688 ipsapp
->ipsap_sa_ptr
= ipsec_getassocbyspi(sq
->outbound
,
2689 sq
->assoc
->sadb_sa_spi
, sq
->srcaddr
, sq
->dstaddr
,
2691 ipsapp
->ipsap_bucket
= sq
->outbound
;
2692 ipsapp
->ipsap_pbucket
= sq
->inbound
;
2695 /* IPSA_F_OUTBOUND is set *or* no directions flags set. */
2696 ipsapp
->ipsap_sa_ptr
=
2697 ipsec_getassocbyspi(sq
->outbound
,
2698 sq
->assoc
->sadb_sa_spi
, sq
->srcaddr
, sq
->dstaddr
, sq
->af
);
2699 if (ipsapp
->ipsap_sa_ptr
!= NULL
) {
2700 ipsapp
->ipsap_bucket
= sq
->outbound
;
2701 ipsapp
->ipsap_pbucket
= sq
->inbound
;
2703 ipsapp
->ipsap_sa_ptr
= ipsec_getassocbyspi(sq
->inbound
,
2704 sq
->assoc
->sadb_sa_spi
, sq
->srcaddr
, sq
->dstaddr
,
2706 ipsapp
->ipsap_bucket
= sq
->inbound
;
2707 ipsapp
->ipsap_pbucket
= sq
->outbound
;
2708 if (ipsapp
->ipsap_sa_ptr
!= NULL
)
2709 ipsapp
->in_inbound_table
= B_TRUE
;
2713 if (ipsapp
->ipsap_sa_ptr
== NULL
) {
2714 mutex_exit(&sq
->outbound
->isaf_lock
);
2715 mutex_exit(&sq
->inbound
->isaf_lock
);
2716 *diagnostic
= SADB_X_DIAGNOSTIC_SA_NOTFOUND
;
2720 if ((ipsapp
->ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_LARVAL
) &&
2721 ipsapp
->in_inbound_table
) {
2722 mutex_exit(&sq
->outbound
->isaf_lock
);
2723 mutex_exit(&sq
->inbound
->isaf_lock
);
2727 mutex_enter(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
2728 if (ipsapp
->ipsap_sa_ptr
->ipsa_haspeer
) {
2730 * haspeer implies no sa_pairing, look for same spi
2731 * in other hashtable.
2733 ipsapp
->ipsap_psa_ptr
=
2734 ipsec_getassocbyspi(ipsapp
->ipsap_pbucket
,
2735 sq
->assoc
->sadb_sa_spi
, sq
->srcaddr
, sq
->dstaddr
, sq
->af
);
2736 mutex_exit(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
2737 mutex_exit(&sq
->outbound
->isaf_lock
);
2738 mutex_exit(&sq
->inbound
->isaf_lock
);
2741 pair_spi
= ipsapp
->ipsap_sa_ptr
->ipsa_otherspi
;
2742 IPSA_COPY_ADDR(&pair_srcaddr
,
2743 ipsapp
->ipsap_sa_ptr
->ipsa_srcaddr
, sq
->af
);
2744 IPSA_COPY_ADDR(&pair_dstaddr
,
2745 ipsapp
->ipsap_sa_ptr
->ipsa_dstaddr
, sq
->af
);
2746 mutex_exit(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
2747 mutex_exit(&sq
->inbound
->isaf_lock
);
2748 mutex_exit(&sq
->outbound
->isaf_lock
);
2750 if (pair_spi
== 0) {
2751 ASSERT(ipsapp
->ipsap_bucket
!= NULL
);
2752 ASSERT(ipsapp
->ipsap_pbucket
!= NULL
);
2756 /* found sa in outbound sadb, peer should be inbound */
2758 if (ipsapp
->in_inbound_table
) {
2759 /* Found SA in inbound table, pair will be in outbound. */
2760 if (sq
->af
== AF_INET6
) {
2761 ipsapp
->ipsap_pbucket
= OUTBOUND_BUCKET_V6(sq
->sp
,
2762 *(uint32_t *)pair_srcaddr
);
2764 ipsapp
->ipsap_pbucket
= OUTBOUND_BUCKET_V4(sq
->sp
,
2765 *(uint32_t *)pair_srcaddr
);
2768 ipsapp
->ipsap_pbucket
= INBOUND_BUCKET(sq
->sp
, pair_spi
);
2770 mutex_enter(&ipsapp
->ipsap_pbucket
->isaf_lock
);
2771 ipsapp
->ipsap_psa_ptr
= ipsec_getassocbyspi(ipsapp
->ipsap_pbucket
,
2772 pair_spi
, pair_dstaddr
, pair_srcaddr
, sq
->af
);
2773 mutex_exit(&ipsapp
->ipsap_pbucket
->isaf_lock
);
2774 ASSERT(ipsapp
->ipsap_bucket
!= NULL
);
2775 ASSERT(ipsapp
->ipsap_pbucket
!= NULL
);
2780 * Perform NAT-traversal cached checksum offset calculations here.
2783 sadb_nat_calculations(ipsa_t
*newbie
, sadb_address_t
*natt_loc_ext
,
2784 sadb_address_t
*natt_rem_ext
, uint32_t *src_addr_ptr
,
2785 uint32_t *dst_addr_ptr
)
2787 struct sockaddr_in
*natt_loc
, *natt_rem
;
2788 uint32_t *natt_loc_ptr
= NULL
, *natt_rem_ptr
= NULL
;
2789 uint32_t running_sum
= 0;
2791 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16)
2793 if (natt_rem_ext
!= NULL
) {
2797 natt_rem
= (struct sockaddr_in
*)(natt_rem_ext
+ 1);
2799 /* Ensured by sadb_addrfix(). */
2800 ASSERT(natt_rem
->sin_family
== AF_INET
);
2802 natt_rem_ptr
= (uint32_t *)(&natt_rem
->sin_addr
);
2803 newbie
->ipsa_remote_nat_port
= natt_rem
->sin_port
;
2804 l_src
= *src_addr_ptr
;
2805 l_rem
= *natt_rem_ptr
;
2807 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */
2808 newbie
->ipsa_natt_addr_rem
= *natt_rem_ptr
;
2810 l_src
= ntohl(l_src
);
2813 l_rem
= ntohl(l_rem
);
2818 * We're 1's complement for checksums, so check for wraparound
2824 running_sum
+= l_src
- l_rem
;
2826 DOWN_SUM(running_sum
);
2827 DOWN_SUM(running_sum
);
2830 if (natt_loc_ext
!= NULL
) {
2831 natt_loc
= (struct sockaddr_in
*)(natt_loc_ext
+ 1);
2833 /* Ensured by sadb_addrfix(). */
2834 ASSERT(natt_loc
->sin_family
== AF_INET
);
2836 natt_loc_ptr
= (uint32_t *)(&natt_loc
->sin_addr
);
2837 newbie
->ipsa_local_nat_port
= natt_loc
->sin_port
;
2839 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */
2840 newbie
->ipsa_natt_addr_loc
= *natt_loc_ptr
;
2843 * NAT-T port agility means we may have natt_loc_ext, but
2844 * only for a local-port change.
2846 if (natt_loc
->sin_addr
.s_addr
!= INADDR_ANY
) {
2847 uint32_t l_dst
= ntohl(*dst_addr_ptr
);
2848 uint32_t l_loc
= ntohl(*natt_loc_ptr
);
2856 * We're 1's complement for checksums, so check for
2862 running_sum
+= l_dst
- l_loc
;
2863 DOWN_SUM(running_sum
);
2864 DOWN_SUM(running_sum
);
2868 newbie
->ipsa_inbound_cksum
= running_sum
;
2873 * This function is called from consumers that need to insert a fully-grown
2874 * security association into its tables. This function takes into account that
2875 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary"
2876 * hash bucket parameters are set in order of what the SA will be most of the
2877 * time. (For example, an SA with an unspecified source, and a multicast
2878 * destination will primarily be an outbound SA. OTOH, if that destination
2879 * is unicast for this node, then the SA will primarily be inbound.)
2881 * It takes a lot of parameters because even if clone is B_FALSE, this needs
2882 * to check both buckets for purposes of collision.
2884 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for
2885 * various error conditions. We may need to set samsg->sadb_x_msg_diagnostic
2886 * with additional diagnostic information because there is at least one EINVAL
2890 sadb_common_add(queue_t
*pfkey_q
, mblk_t
*mp
, sadb_msg_t
*samsg
,
2891 keysock_in_t
*ksi
, isaf_t
*primary
, isaf_t
*secondary
,
2892 ipsa_t
*newbie
, boolean_t clone
, boolean_t is_inbound
, int *diagnostic
,
2893 netstack_t
*ns
, sadbp_t
*spp
)
2895 ipsa_t
*newbie_clone
= NULL
, *scratch
;
2897 sadb_sa_t
*assoc
= (sadb_sa_t
*)ksi
->ks_in_extv
[SADB_EXT_SA
];
2898 sadb_address_t
*srcext
=
2899 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_SRC
];
2900 sadb_address_t
*dstext
=
2901 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_DST
];
2902 sadb_address_t
*isrcext
=
2903 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_INNER_SRC
];
2904 sadb_address_t
*idstext
=
2905 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_INNER_DST
];
2906 sadb_x_kmc_t
*kmcext
=
2907 (sadb_x_kmc_t
*)ksi
->ks_in_extv
[SADB_X_EXT_KM_COOKIE
];
2908 sadb_key_t
*akey
= (sadb_key_t
*)ksi
->ks_in_extv
[SADB_EXT_KEY_AUTH
];
2909 sadb_key_t
*ekey
= (sadb_key_t
*)ksi
->ks_in_extv
[SADB_EXT_KEY_ENCRYPT
];
2911 (sadb_sens_t
*)ksi
->ks_in_extv
[SADB_EXT_SENSITIVITY
];
2912 sadb_sens_t
*osens
=
2913 (sadb_sens_t
*)ksi
->ks_in_extv
[SADB_X_EXT_OUTER_SENS
];
2914 sadb_x_pair_t
*pair_ext
=
2915 (sadb_x_pair_t
*)ksi
->ks_in_extv
[SADB_X_EXT_PAIR
];
2916 sadb_x_replay_ctr_t
*replayext
=
2917 (sadb_x_replay_ctr_t
*)ksi
->ks_in_extv
[SADB_X_EXT_REPLAY_VALUE
];
2919 (samsg
->sadb_msg_satype
== SADB_SATYPE_AH
) ? IPPROTO_AH
:IPPROTO_ESP
;
2922 struct sockaddr_in
*src
, *dst
, *isrc
, *idst
;
2923 struct sockaddr_in6
*src6
, *dst6
, *isrc6
, *idst6
;
2924 sadb_lifetime_t
*soft
=
2925 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_EXT_LIFETIME_SOFT
];
2926 sadb_lifetime_t
*hard
=
2927 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_EXT_LIFETIME_HARD
];
2928 sadb_lifetime_t
*idle
=
2929 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_X_EXT_LIFETIME_IDLE
];
2932 boolean_t isupdate
= (newbie
!= NULL
);
2933 uint32_t *src_addr_ptr
, *dst_addr_ptr
, *isrc_addr_ptr
, *idst_addr_ptr
;
2934 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
2935 ip_stack_t
*ipst
= ns
->netstack_ip
;
2936 ipsec_alginfo_t
*alg
;
2938 boolean_t async
= B_FALSE
;
2940 init_ipsa_pair(&ipsapp
);
2942 if (srcext
== NULL
) {
2943 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SRC
;
2946 if (dstext
== NULL
) {
2947 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_DST
;
2950 if (assoc
== NULL
) {
2951 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SA
;
2955 src
= (struct sockaddr_in
*)(srcext
+ 1);
2956 src6
= (struct sockaddr_in6
*)(srcext
+ 1);
2957 dst
= (struct sockaddr_in
*)(dstext
+ 1);
2958 dst6
= (struct sockaddr_in6
*)(dstext
+ 1);
2959 if (isrcext
!= NULL
) {
2960 isrc
= (struct sockaddr_in
*)(isrcext
+ 1);
2961 isrc6
= (struct sockaddr_in6
*)(isrcext
+ 1);
2962 ASSERT(idstext
!= NULL
);
2963 idst
= (struct sockaddr_in
*)(idstext
+ 1);
2964 idst6
= (struct sockaddr_in6
*)(idstext
+ 1);
2970 af
= src
->sin_family
;
2972 if (af
== AF_INET
) {
2973 src_addr_ptr
= (uint32_t *)&src
->sin_addr
;
2974 dst_addr_ptr
= (uint32_t *)&dst
->sin_addr
;
2976 ASSERT(af
== AF_INET6
);
2977 src_addr_ptr
= (uint32_t *)&src6
->sin6_addr
;
2978 dst_addr_ptr
= (uint32_t *)&dst6
->sin6_addr
;
2981 if (!isupdate
&& (clone
== B_TRUE
|| is_inbound
== B_TRUE
) &&
2983 (assoc
->sadb_sa_state
!= SADB_X_SASTATE_ACTIVE_ELSEWHERE
)) {
2984 rcode
= cl_inet_checkspi(ns
->netstack_stackid
, protocol
,
2985 assoc
->sadb_sa_spi
, NULL
);
2992 * Check to see if the new SA will be cloned AND paired. The
2993 * reason a SA will be cloned is the source or destination addresses
2994 * are not specific enough to determine if the SA goes in the outbound
2995 * or the inbound hash table, so its cloned and put in both. If
2996 * the SA is paired, it's soft linked to another SA for the other
2997 * direction. Keeping track and looking up SA's that are direction
2998 * unspecific and linked is too hard.
3000 if (clone
&& (pair_ext
!= NULL
)) {
3001 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
;
3006 newbie
= sadb_makelarvalassoc(assoc
->sadb_sa_spi
,
3007 src_addr_ptr
, dst_addr_ptr
, af
, ns
);
3012 mutex_enter(&newbie
->ipsa_lock
);
3015 if (isrc
->sin_family
== AF_INET
) {
3016 if (srcext
->sadb_address_proto
!= IPPROTO_ENCAP
) {
3017 if (srcext
->sadb_address_proto
!= 0) {
3019 * Mismatched outer-packet protocol
3020 * and inner-packet address family.
3022 mutex_exit(&newbie
->ipsa_lock
);
3025 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH
;
3028 /* Fill in with explicit protocol. */
3029 srcext
->sadb_address_proto
=
3031 dstext
->sadb_address_proto
=
3035 isrc_addr_ptr
= (uint32_t *)&isrc
->sin_addr
;
3036 idst_addr_ptr
= (uint32_t *)&idst
->sin_addr
;
3038 ASSERT(isrc
->sin_family
== AF_INET6
);
3039 if (srcext
->sadb_address_proto
!= IPPROTO_IPV6
) {
3040 if (srcext
->sadb_address_proto
!= 0) {
3042 * Mismatched outer-packet protocol
3043 * and inner-packet address family.
3045 mutex_exit(&newbie
->ipsa_lock
);
3048 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH
;
3051 /* Fill in with explicit protocol. */
3052 srcext
->sadb_address_proto
=
3054 dstext
->sadb_address_proto
=
3058 isrc_addr_ptr
= (uint32_t *)&isrc6
->sin6_addr
;
3059 idst_addr_ptr
= (uint32_t *)&idst6
->sin6_addr
;
3061 newbie
->ipsa_innerfam
= isrc
->sin_family
;
3063 IPSA_COPY_ADDR(newbie
->ipsa_innersrc
, isrc_addr_ptr
,
3064 newbie
->ipsa_innerfam
);
3065 IPSA_COPY_ADDR(newbie
->ipsa_innerdst
, idst_addr_ptr
,
3066 newbie
->ipsa_innerfam
);
3067 newbie
->ipsa_innersrcpfx
= isrcext
->sadb_address_prefixlen
;
3068 newbie
->ipsa_innerdstpfx
= idstext
->sadb_address_prefixlen
;
3070 /* Unique value uses inner-ports for Tunnel Mode... */
3071 newbie
->ipsa_unique_id
= SA_UNIQUE_ID(isrc
->sin_port
,
3072 idst
->sin_port
, dstext
->sadb_address_proto
,
3073 idstext
->sadb_address_proto
);
3074 newbie
->ipsa_unique_mask
= SA_UNIQUE_MASK(isrc
->sin_port
,
3075 idst
->sin_port
, dstext
->sadb_address_proto
,
3076 idstext
->sadb_address_proto
);
3078 /* ... and outer-ports for Transport Mode. */
3079 newbie
->ipsa_unique_id
= SA_UNIQUE_ID(src
->sin_port
,
3080 dst
->sin_port
, dstext
->sadb_address_proto
, 0);
3081 newbie
->ipsa_unique_mask
= SA_UNIQUE_MASK(src
->sin_port
,
3082 dst
->sin_port
, dstext
->sadb_address_proto
, 0);
3084 if (newbie
->ipsa_unique_mask
!= (uint64_t)0)
3085 newbie
->ipsa_flags
|= IPSA_F_UNIQUE
;
3087 sadb_nat_calculations(newbie
,
3088 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_NATT_LOC
],
3089 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_NATT_REM
],
3090 src_addr_ptr
, dst_addr_ptr
);
3092 newbie
->ipsa_type
= samsg
->sadb_msg_satype
;
3094 ASSERT((assoc
->sadb_sa_state
== SADB_SASTATE_MATURE
) ||
3095 (assoc
->sadb_sa_state
== SADB_X_SASTATE_ACTIVE_ELSEWHERE
));
3096 newbie
->ipsa_auth_alg
= assoc
->sadb_sa_auth
;
3097 newbie
->ipsa_encr_alg
= assoc
->sadb_sa_encrypt
;
3099 newbie
->ipsa_flags
|= assoc
->sadb_sa_flags
;
3100 if (newbie
->ipsa_flags
& SADB_X_SAFLAGS_NATT_LOC
&&
3101 ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_NATT_LOC
] == NULL
) {
3102 mutex_exit(&newbie
->ipsa_lock
);
3103 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_NATT_LOC
;
3107 if (newbie
->ipsa_flags
& SADB_X_SAFLAGS_NATT_REM
&&
3108 ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_NATT_REM
] == NULL
) {
3109 mutex_exit(&newbie
->ipsa_lock
);
3110 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_NATT_REM
;
3114 if (newbie
->ipsa_flags
& SADB_X_SAFLAGS_TUNNEL
&&
3115 ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_INNER_SRC
] == NULL
) {
3116 mutex_exit(&newbie
->ipsa_lock
);
3117 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_INNER_SRC
;
3122 * If unspecified source address, force replay_wsize to 0.
3123 * This is because an SA that has multiple sources of secure
3124 * traffic cannot enforce a replay counter w/o synchronizing the
3127 if (ksi
->ks_in_srctype
!= KS_IN_ADDR_UNSPEC
)
3128 newbie
->ipsa_replay_wsize
= assoc
->sadb_sa_replay
;
3130 newbie
->ipsa_replay_wsize
= 0;
3132 newbie
->ipsa_addtime
= gethrestime_sec();
3134 if (kmcext
!= NULL
) {
3135 newbie
->ipsa_kmp
= kmcext
->sadb_x_kmc_proto
;
3136 newbie
->ipsa_kmc
= kmcext
->sadb_x_kmc_cookie
;
3140 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE.
3141 * The spec says that one can update current lifetimes, but
3142 * that seems impractical, especially in the larval-to-mature
3143 * update that this function performs.
3146 newbie
->ipsa_softaddlt
= soft
->sadb_lifetime_addtime
;
3147 newbie
->ipsa_softuselt
= soft
->sadb_lifetime_usetime
;
3148 newbie
->ipsa_softbyteslt
= soft
->sadb_lifetime_bytes
;
3149 newbie
->ipsa_softalloc
= soft
->sadb_lifetime_allocations
;
3150 SET_EXPIRE(newbie
, softaddlt
, softexpiretime
);
3153 newbie
->ipsa_hardaddlt
= hard
->sadb_lifetime_addtime
;
3154 newbie
->ipsa_harduselt
= hard
->sadb_lifetime_usetime
;
3155 newbie
->ipsa_hardbyteslt
= hard
->sadb_lifetime_bytes
;
3156 newbie
->ipsa_hardalloc
= hard
->sadb_lifetime_allocations
;
3157 SET_EXPIRE(newbie
, hardaddlt
, hardexpiretime
);
3160 newbie
->ipsa_idleaddlt
= idle
->sadb_lifetime_addtime
;
3161 newbie
->ipsa_idleuselt
= idle
->sadb_lifetime_usetime
;
3162 newbie
->ipsa_idleexpiretime
= newbie
->ipsa_addtime
+
3163 newbie
->ipsa_idleaddlt
;
3164 newbie
->ipsa_idletime
= newbie
->ipsa_idleaddlt
;
3167 newbie
->ipsa_authtmpl
= NULL
;
3168 newbie
->ipsa_encrtmpl
= NULL
;
3170 #ifdef IPSEC_LATENCY_TEST
3171 if (akey
!= NULL
&& newbie
->ipsa_auth_alg
!= SADB_AALG_NONE
) {
3175 async
= (ipss
->ipsec_algs_exec_mode
[IPSEC_ALG_AUTH
] ==
3176 IPSEC_ALGS_EXEC_ASYNC
);
3178 newbie
->ipsa_authkeybits
= akey
->sadb_key_bits
;
3179 newbie
->ipsa_authkeylen
= SADB_1TO8(akey
->sadb_key_bits
);
3180 /* In case we have to round up to the next byte... */
3181 if ((akey
->sadb_key_bits
& 0x7) != 0)
3182 newbie
->ipsa_authkeylen
++;
3183 newbie
->ipsa_authkey
= kmem_alloc(newbie
->ipsa_authkeylen
,
3185 if (newbie
->ipsa_authkey
== NULL
) {
3187 mutex_exit(&newbie
->ipsa_lock
);
3190 bcopy(akey
+ 1, newbie
->ipsa_authkey
, newbie
->ipsa_authkeylen
);
3191 bzero(akey
+ 1, newbie
->ipsa_authkeylen
);
3194 * Pre-initialize the kernel crypto framework key
3197 newbie
->ipsa_kcfauthkey
.ck_format
= CRYPTO_KEY_RAW
;
3198 newbie
->ipsa_kcfauthkey
.ck_length
= newbie
->ipsa_authkeybits
;
3199 newbie
->ipsa_kcfauthkey
.ck_data
= newbie
->ipsa_authkey
;
3201 mutex_enter(&ipss
->ipsec_alg_lock
);
3202 alg
= ipss
->ipsec_alglists
[IPSEC_ALG_AUTH
]
3203 [newbie
->ipsa_auth_alg
];
3204 if (alg
!= NULL
&& ALG_VALID(alg
)) {
3205 newbie
->ipsa_amech
.cm_type
= alg
->alg_mech_type
;
3206 newbie
->ipsa_amech
.cm_param
=
3207 (char *)&newbie
->ipsa_mac_len
;
3208 newbie
->ipsa_amech
.cm_param_len
= sizeof (size_t);
3209 newbie
->ipsa_mac_len
= (size_t)alg
->alg_datalen
;
3211 newbie
->ipsa_amech
.cm_type
= CRYPTO_MECHANISM_INVALID
;
3213 error
= ipsec_create_ctx_tmpl(newbie
, IPSEC_ALG_AUTH
);
3214 mutex_exit(&ipss
->ipsec_alg_lock
);
3216 mutex_exit(&newbie
->ipsa_lock
);
3218 * An error here indicates that alg is the wrong type
3219 * (IE: not authentication) or its not in the alg tables
3220 * created by ipsecalgs(1m), or Kcf does not like the
3221 * parameters passed in with this algorithm, which is
3222 * probably a coding error!
3224 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_CTX
;
3231 mutex_enter(&ipss
->ipsec_alg_lock
);
3232 async
= async
|| (ipss
->ipsec_algs_exec_mode
[IPSEC_ALG_ENCR
] ==
3233 IPSEC_ALGS_EXEC_ASYNC
);
3234 alg
= ipss
->ipsec_alglists
[IPSEC_ALG_ENCR
]
3235 [newbie
->ipsa_encr_alg
];
3237 if (alg
!= NULL
&& ALG_VALID(alg
)) {
3238 newbie
->ipsa_emech
.cm_type
= alg
->alg_mech_type
;
3239 newbie
->ipsa_datalen
= alg
->alg_datalen
;
3240 if (alg
->alg_flags
& ALG_FLAG_COUNTERMODE
)
3241 newbie
->ipsa_flags
|= IPSA_F_COUNTERMODE
;
3243 if (alg
->alg_flags
& ALG_FLAG_COMBINED
) {
3244 newbie
->ipsa_flags
|= IPSA_F_COMBINED
;
3245 newbie
->ipsa_mac_len
= alg
->alg_icvlen
;
3248 if (alg
->alg_flags
& ALG_FLAG_CCM
)
3249 newbie
->ipsa_noncefunc
= ccm_params_init
;
3250 else if (alg
->alg_flags
& ALG_FLAG_GCM
)
3251 newbie
->ipsa_noncefunc
= gcm_params_init
;
3252 else newbie
->ipsa_noncefunc
= cbc_params_init
;
3254 newbie
->ipsa_saltlen
= alg
->alg_saltlen
;
3255 newbie
->ipsa_saltbits
= SADB_8TO1(newbie
->ipsa_saltlen
);
3256 newbie
->ipsa_iv_len
= alg
->alg_ivlen
;
3257 newbie
->ipsa_nonce_len
= newbie
->ipsa_saltlen
+
3258 newbie
->ipsa_iv_len
;
3259 newbie
->ipsa_emech
.cm_param
= NULL
;
3260 newbie
->ipsa_emech
.cm_param_len
= 0;
3262 newbie
->ipsa_emech
.cm_type
= CRYPTO_MECHANISM_INVALID
;
3264 mutex_exit(&ipss
->ipsec_alg_lock
);
3267 * The byte stream following the sadb_key_t is made up of:
3268 * key bytes, [salt bytes], [IV initial value]
3269 * All of these have variable length. The IV is typically
3270 * randomly generated by this function and not passed in.
3271 * By supporting the injection of a known IV, the whole
3272 * IPsec subsystem and the underlying crypto subsystem
3273 * can be tested with known test vectors.
3275 * The keying material has been checked by ext_check()
3276 * and ipsec_valid_key_size(), after removing salt/IV
3277 * bits, whats left is the encryption key. If this is too
3278 * short, ipsec_create_ctx_tmpl() will fail and the SA
3279 * won't get created.
3281 * set ipsa_encrkeylen to length of key only.
3283 newbie
->ipsa_encrkeybits
= ekey
->sadb_key_bits
;
3284 newbie
->ipsa_encrkeybits
-= ekey
->sadb_key_reserved
;
3285 newbie
->ipsa_encrkeybits
-= newbie
->ipsa_saltbits
;
3286 newbie
->ipsa_encrkeylen
= SADB_1TO8(newbie
->ipsa_encrkeybits
);
3288 /* In case we have to round up to the next byte... */
3289 if ((ekey
->sadb_key_bits
& 0x7) != 0)
3290 newbie
->ipsa_encrkeylen
++;
3292 newbie
->ipsa_encrkey
= kmem_alloc(newbie
->ipsa_encrkeylen
,
3294 if (newbie
->ipsa_encrkey
== NULL
) {
3296 mutex_exit(&newbie
->ipsa_lock
);
3300 buf_ptr
= (uint8_t *)(ekey
+ 1);
3301 bcopy(buf_ptr
, newbie
->ipsa_encrkey
, newbie
->ipsa_encrkeylen
);
3303 if (newbie
->ipsa_flags
& IPSA_F_COMBINED
) {
3305 * Combined mode algs need a nonce. Copy the salt and
3306 * IV into a buffer. The ipsa_nonce is a pointer into
3307 * this buffer, some bytes at the start of the buffer
3308 * may be unused, depends on the salt length. The IV
3309 * is 64 bit aligned so it can be incremented as a
3310 * uint64_t. Zero out key in samsg_t before freeing.
3313 newbie
->ipsa_nonce_buf
= kmem_alloc(
3314 sizeof (ipsec_nonce_t
), KM_NOSLEEP
);
3315 if (newbie
->ipsa_nonce_buf
== NULL
) {
3317 mutex_exit(&newbie
->ipsa_lock
);
3321 * Initialize nonce and salt pointers to point
3322 * to the nonce buffer. This is just in case we get
3323 * bad data, the pointers will be valid, the data
3326 * See sadb.h for layout of nonce.
3328 newbie
->ipsa_iv
= &newbie
->ipsa_nonce_buf
->iv
;
3329 newbie
->ipsa_salt
= (uint8_t *)newbie
->ipsa_nonce_buf
;
3330 newbie
->ipsa_nonce
= newbie
->ipsa_salt
;
3331 if (newbie
->ipsa_saltlen
!= 0) {
3332 salt_offset
= MAXSALTSIZE
-
3333 newbie
->ipsa_saltlen
;
3334 newbie
->ipsa_salt
= (uint8_t *)
3335 &newbie
->ipsa_nonce_buf
->salt
[salt_offset
];
3336 newbie
->ipsa_nonce
= newbie
->ipsa_salt
;
3337 buf_ptr
+= newbie
->ipsa_encrkeylen
;
3338 bcopy(buf_ptr
, newbie
->ipsa_salt
,
3339 newbie
->ipsa_saltlen
);
3342 * The IV for CCM/GCM mode increments, it should not
3343 * repeat. Get a random value for the IV, make a
3344 * copy, the SA will expire when/if the IV ever
3345 * wraps back to the initial value. If an Initial IV
3346 * is passed in via PF_KEY, save this in the SA.
3347 * Initialising IV for inbound is pointless as its
3348 * taken from the inbound packet.
3351 if (ekey
->sadb_key_reserved
!= 0) {
3352 buf_ptr
+= newbie
->ipsa_saltlen
;
3353 bcopy(buf_ptr
, (uint8_t *)newbie
->
3354 ipsa_iv
, SADB_1TO8(ekey
->
3355 sadb_key_reserved
));
3357 (void) random_get_pseudo_bytes(
3358 (uint8_t *)newbie
->ipsa_iv
,
3359 newbie
->ipsa_iv_len
);
3361 newbie
->ipsa_iv_softexpire
=
3362 (*newbie
->ipsa_iv
) << 9;
3363 newbie
->ipsa_iv_hardexpire
= *newbie
->ipsa_iv
;
3366 bzero((ekey
+ 1), SADB_1TO8(ekey
->sadb_key_bits
));
3369 * Pre-initialize the kernel crypto framework key
3372 newbie
->ipsa_kcfencrkey
.ck_format
= CRYPTO_KEY_RAW
;
3373 newbie
->ipsa_kcfencrkey
.ck_length
= newbie
->ipsa_encrkeybits
;
3374 newbie
->ipsa_kcfencrkey
.ck_data
= newbie
->ipsa_encrkey
;
3376 mutex_enter(&ipss
->ipsec_alg_lock
);
3377 error
= ipsec_create_ctx_tmpl(newbie
, IPSEC_ALG_ENCR
);
3378 mutex_exit(&ipss
->ipsec_alg_lock
);
3380 mutex_exit(&newbie
->ipsa_lock
);
3381 /* See above for error explanation. */
3382 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_CTX
;
3388 newbie
->ipsa_flags
|= IPSA_F_ASYNC
;
3391 * Ptrs to processing functions.
3393 if (newbie
->ipsa_type
== SADB_SATYPE_ESP
)
3394 ipsecesp_init_funcs(newbie
);
3396 ipsecah_init_funcs(newbie
);
3397 ASSERT(newbie
->ipsa_output_func
!= NULL
&&
3398 newbie
->ipsa_input_func
!= NULL
);
3401 * Certificate ID stuff.
3403 if (ksi
->ks_in_extv
[SADB_EXT_IDENTITY_SRC
] != NULL
) {
3405 (sadb_ident_t
*)ksi
->ks_in_extv
[SADB_EXT_IDENTITY_SRC
];
3408 * Can assume strlen() will return okay because ext_check() in
3409 * keysock.c prepares the string for us.
3411 newbie
->ipsa_src_cid
= ipsid_lookup(id
->sadb_ident_type
,
3412 (char *)(id
+1), ns
);
3413 if (newbie
->ipsa_src_cid
== NULL
) {
3415 mutex_exit(&newbie
->ipsa_lock
);
3420 if (ksi
->ks_in_extv
[SADB_EXT_IDENTITY_DST
] != NULL
) {
3422 (sadb_ident_t
*)ksi
->ks_in_extv
[SADB_EXT_IDENTITY_DST
];
3425 * Can assume strlen() will return okay because ext_check() in
3426 * keysock.c prepares the string for us.
3428 newbie
->ipsa_dst_cid
= ipsid_lookup(id
->sadb_ident_type
,
3429 (char *)(id
+1), ns
);
3430 if (newbie
->ipsa_dst_cid
== NULL
) {
3432 mutex_exit(&newbie
->ipsa_lock
);
3438 * sensitivity label handling code:
3439 * Convert sens + bitmap into cred_t, and associate it
3443 uint64_t *bitmap
= (uint64_t *)(sens
+ 1);
3445 newbie
->ipsa_tsl
= sadb_label_from_sens(sens
, bitmap
);
3449 * Likewise for outer sensitivity.
3451 if (osens
!= NULL
) {
3452 uint64_t *bitmap
= (uint64_t *)(osens
+ 1);
3453 ts_label_t
*tsl
, *effective_tsl
;
3454 uint32_t *peer_addr_ptr
;
3455 zoneid_t zoneid
= GLOBAL_ZONEID
;
3458 peer_addr_ptr
= is_inbound
? src_addr_ptr
: dst_addr_ptr
;
3460 tsl
= sadb_label_from_sens(osens
, bitmap
);
3461 newbie
->ipsa_mac_exempt
= CONN_MAC_DEFAULT
;
3463 if (osens
->sadb_x_sens_flags
& SADB_X_SENS_IMPLICIT
) {
3464 newbie
->ipsa_mac_exempt
= CONN_MAC_IMPLICIT
;
3467 error
= tsol_check_dest(tsl
, peer_addr_ptr
,
3468 (af
== AF_INET6
)?IPV6_VERSION
:IPV4_VERSION
,
3469 newbie
->ipsa_mac_exempt
, B_TRUE
, &effective_tsl
);
3472 mutex_exit(&newbie
->ipsa_lock
);
3476 if (effective_tsl
!= NULL
) {
3478 tsl
= effective_tsl
;
3481 newbie
->ipsa_otsl
= tsl
;
3483 zone
= zone_find_by_label(tsl
);
3485 zoneid
= zone
->zone_id
;
3489 * For exclusive stacks we set the zoneid to zero to operate
3490 * as if in the global zone for tsol_compute_label_v4/v6
3492 if (ipst
->ips_netstack
->netstack_stackid
!= GLOBAL_NETSTACKID
)
3493 zoneid
= GLOBAL_ZONEID
;
3495 if (af
== AF_INET6
) {
3496 error
= tsol_compute_label_v6(tsl
, zoneid
,
3497 (in6_addr_t
*)peer_addr_ptr
,
3498 newbie
->ipsa_opt_storage
, ipst
);
3500 error
= tsol_compute_label_v4(tsl
, zoneid
,
3501 *peer_addr_ptr
, newbie
->ipsa_opt_storage
, ipst
);
3504 mutex_exit(&newbie
->ipsa_lock
);
3510 if (replayext
!= NULL
) {
3511 if ((replayext
->sadb_x_rc_replay32
== 0) &&
3512 (replayext
->sadb_x_rc_replay64
!= 0)) {
3514 *diagnostic
= SADB_X_DIAGNOSTIC_INVALID_REPLAY
;
3515 mutex_exit(&newbie
->ipsa_lock
);
3518 newbie
->ipsa_replay
= replayext
->sadb_x_rc_replay32
;
3521 /* now that the SA has been updated, set its new state */
3522 newbie
->ipsa_state
= assoc
->sadb_sa_state
;
3525 newbie
->ipsa_haspeer
= B_TRUE
;
3528 lifetime_fuzz(newbie
);
3532 * The less locks I hold when doing an insertion and possible cloning,
3535 mutex_exit(&newbie
->ipsa_lock
);
3538 newbie_clone
= sadb_cloneassoc(newbie
);
3540 if (newbie_clone
== NULL
) {
3547 * Enter the bucket locks. The order of entry is outbound,
3548 * inbound. We map "primary" and "secondary" into outbound and inbound
3549 * based on the destination address type. If the destination address
3550 * type is for a node that isn't mine (or potentially mine), the
3551 * "primary" bucket is the outbound one.
3554 /* primary == outbound */
3555 mutex_enter(&primary
->isaf_lock
);
3556 mutex_enter(&secondary
->isaf_lock
);
3558 /* primary == inbound */
3559 mutex_enter(&secondary
->isaf_lock
);
3560 mutex_enter(&primary
->isaf_lock
);
3564 * sadb_insertassoc() doesn't increment the reference
3565 * count. We therefore have to increment the
3566 * reference count one more time to reflect the
3567 * pointers of the table that reference this SA.
3569 IPSA_REFHOLD(newbie
);
3573 * Unlink from larval holding cell in the "inbound" fanout.
3575 ASSERT(newbie
->ipsa_linklock
== &primary
->isaf_lock
||
3576 newbie
->ipsa_linklock
== &secondary
->isaf_lock
);
3577 sadb_unlinkassoc(newbie
);
3580 mutex_enter(&newbie
->ipsa_lock
);
3581 error
= sadb_insertassoc(newbie
, primary
);
3582 mutex_exit(&newbie
->ipsa_lock
);
3586 * Since sadb_insertassoc() failed, we must decrement the
3587 * refcount again so the cleanup code will actually free
3590 IPSA_REFRELE(newbie
);
3594 if (newbie_clone
!= NULL
) {
3595 mutex_enter(&newbie_clone
->ipsa_lock
);
3596 error
= sadb_insertassoc(newbie_clone
, secondary
);
3597 mutex_exit(&newbie_clone
->ipsa_lock
);
3599 /* Collision in secondary table. */
3600 sadb_unlinkassoc(newbie
); /* This does REFRELE. */
3603 IPSA_REFHOLD(newbie_clone
);
3605 ASSERT(primary
!= secondary
);
3606 scratch
= ipsec_getassocbyspi(secondary
, newbie
->ipsa_spi
,
3607 ALL_ZEROES_PTR
, newbie
->ipsa_dstaddr
, af
);
3608 if (scratch
!= NULL
) {
3609 /* Collision in secondary table. */
3610 sadb_unlinkassoc(newbie
); /* This does REFRELE. */
3611 /* Set the error, since ipsec_getassocbyspi() can't. */
3617 /* OKAY! So let's do some reality check assertions. */
3619 ASSERT(MUTEX_NOT_HELD(&newbie
->ipsa_lock
));
3620 ASSERT(newbie_clone
== NULL
||
3621 (MUTEX_NOT_HELD(&newbie_clone
->ipsa_lock
)));
3626 * We can exit the locks in any order. Only entrance needs to
3627 * follow any protocol.
3629 mutex_exit(&secondary
->isaf_lock
);
3630 mutex_exit(&primary
->isaf_lock
);
3632 if (pair_ext
!= NULL
&& error
== 0) {
3633 /* update pair_spi if it exists. */
3636 sq
.spp
= spp
; /* XXX param */
3637 error
= sadb_form_query(ksi
, IPSA_Q_DST
, IPSA_Q_SRC
|IPSA_Q_DST
|
3638 IPSA_Q_SA
|IPSA_Q_INBOUND
|IPSA_Q_OUTBOUND
, &sq
, diagnostic
);
3642 error
= get_ipsa_pair(&sq
, &ipsapp
, diagnostic
);
3647 if (ipsapp
.ipsap_psa_ptr
!= NULL
) {
3648 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_ALREADY
;
3651 /* update_pairing() sets diagnostic */
3652 error
= update_pairing(&ipsapp
, &sq
, ksi
, diagnostic
);
3655 /* Common error point for this routine. */
3657 if (newbie
!= NULL
) {
3659 /* This SA is broken, let the reaper clean up. */
3660 mutex_enter(&newbie
->ipsa_lock
);
3661 newbie
->ipsa_state
= IPSA_STATE_DEAD
;
3662 newbie
->ipsa_hardexpiretime
= 1;
3663 mutex_exit(&newbie
->ipsa_lock
);
3665 IPSA_REFRELE(newbie
);
3667 if (newbie_clone
!= NULL
) {
3668 IPSA_REFRELE(newbie_clone
);
3673 * Construct favorable PF_KEY return message and send to
3674 * keysock. Update the flags in the original keysock message
3675 * to reflect the actual flags in the new SA.
3676 * (Q: Do I need to pass "newbie"? If I do,
3677 * make sure to REFHOLD, call, then REFRELE.)
3679 assoc
->sadb_sa_flags
= newbie
->ipsa_flags
;
3680 sadb_pfkey_echo(pfkey_q
, mp
, samsg
, ksi
, NULL
);
3683 destroy_ipsa_pair(&ipsapp
);
3688 * Set the time of first use for a security association. Update any
3689 * expiration times as a result.
3692 sadb_set_usetime(ipsa_t
*assoc
)
3694 time_t snapshot
= gethrestime_sec();
3696 mutex_enter(&assoc
->ipsa_lock
);
3697 assoc
->ipsa_lastuse
= snapshot
;
3698 assoc
->ipsa_idleexpiretime
= snapshot
+ assoc
->ipsa_idletime
;
3701 * Caller does check usetime before calling me usually, and
3702 * double-checking is better than a mutex_enter/exit hit.
3704 if (assoc
->ipsa_usetime
== 0) {
3706 * This is redundant for outbound SA's, as
3707 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already.
3708 * Inbound SAs, however, have no such protection.
3710 assoc
->ipsa_flags
|= IPSA_F_USED
;
3711 assoc
->ipsa_usetime
= snapshot
;
3714 * After setting the use time, see if we have a use lifetime
3715 * that would cause the actual SA expiration time to shorten.
3717 UPDATE_EXPIRE(assoc
, softuselt
, softexpiretime
);
3718 UPDATE_EXPIRE(assoc
, harduselt
, hardexpiretime
);
3720 mutex_exit(&assoc
->ipsa_lock
);
3724 * Send up a PF_KEY expire message for this association.
3727 sadb_expire_assoc(queue_t
*pfkey_q
, ipsa_t
*assoc
)
3732 sadb_lifetime_t
*current
, *expire
;
3735 boolean_t tunnel_mode
;
3737 ASSERT(MUTEX_HELD(&assoc
->ipsa_lock
));
3739 /* Don't bother sending if there's no queue. */
3740 if (pfkey_q
== NULL
)
3743 mp
= sadb_keysock_out(0);
3745 /* cmn_err(CE_WARN, */
3746 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */
3750 alloclen
= sizeof (*samsg
) + sizeof (*current
) + sizeof (*expire
) +
3751 2 * sizeof (sadb_address_t
) + sizeof (*saext
);
3753 af
= assoc
->ipsa_addrfam
;
3756 alloclen
+= 2 * sizeof (struct sockaddr_in
);
3759 alloclen
+= 2 * sizeof (struct sockaddr_in6
);
3762 /* Won't happen unless there's a kernel bug. */
3765 "sadb_expire_assoc: Unknown address length.\n");
3769 tunnel_mode
= (assoc
->ipsa_flags
& IPSA_F_TUNNEL
);
3771 alloclen
+= 2 * sizeof (sadb_address_t
);
3772 switch (assoc
->ipsa_innerfam
) {
3774 alloclen
+= 2 * sizeof (struct sockaddr_in
);
3777 alloclen
+= 2 * sizeof (struct sockaddr_in6
);
3780 /* Won't happen unless there's a kernel bug. */
3782 cmn_err(CE_WARN
, "sadb_expire_assoc: "
3783 "Unknown inner address length.\n");
3788 mp
->b_cont
= allocb(alloclen
, BPRI_HI
);
3789 if (mp
->b_cont
== NULL
) {
3791 /* cmn_err(CE_WARN, */
3792 /* "sadb_expire_assoc: Can't allocate message.\n"); */
3798 end
= mp
->b_wptr
+ alloclen
;
3800 samsg
= (sadb_msg_t
*)mp
->b_wptr
;
3801 mp
->b_wptr
+= sizeof (*samsg
);
3802 samsg
->sadb_msg_version
= PF_KEY_V2
;
3803 samsg
->sadb_msg_type
= SADB_EXPIRE
;
3804 samsg
->sadb_msg_errno
= 0;
3805 samsg
->sadb_msg_satype
= assoc
->ipsa_type
;
3806 samsg
->sadb_msg_len
= SADB_8TO64(alloclen
);
3807 samsg
->sadb_msg_reserved
= 0;
3808 samsg
->sadb_msg_seq
= 0;
3809 samsg
->sadb_msg_pid
= 0;
3811 saext
= (sadb_sa_t
*)mp
->b_wptr
;
3812 mp
->b_wptr
+= sizeof (*saext
);
3813 saext
->sadb_sa_len
= SADB_8TO64(sizeof (*saext
));
3814 saext
->sadb_sa_exttype
= SADB_EXT_SA
;
3815 saext
->sadb_sa_spi
= assoc
->ipsa_spi
;
3816 saext
->sadb_sa_replay
= assoc
->ipsa_replay_wsize
;
3817 saext
->sadb_sa_state
= assoc
->ipsa_state
;
3818 saext
->sadb_sa_auth
= assoc
->ipsa_auth_alg
;
3819 saext
->sadb_sa_encrypt
= assoc
->ipsa_encr_alg
;
3820 saext
->sadb_sa_flags
= assoc
->ipsa_flags
;
3822 current
= (sadb_lifetime_t
*)mp
->b_wptr
;
3823 mp
->b_wptr
+= sizeof (sadb_lifetime_t
);
3824 current
->sadb_lifetime_len
= SADB_8TO64(sizeof (*current
));
3825 current
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_CURRENT
;
3826 /* We do not support the concept. */
3827 current
->sadb_lifetime_allocations
= 0;
3828 current
->sadb_lifetime_bytes
= assoc
->ipsa_bytes
;
3829 current
->sadb_lifetime_addtime
= assoc
->ipsa_addtime
;
3830 current
->sadb_lifetime_usetime
= assoc
->ipsa_usetime
;
3832 expire
= (sadb_lifetime_t
*)mp
->b_wptr
;
3833 mp
->b_wptr
+= sizeof (*expire
);
3834 expire
->sadb_lifetime_len
= SADB_8TO64(sizeof (*expire
));
3836 if (assoc
->ipsa_state
== IPSA_STATE_DEAD
) {
3837 expire
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_HARD
;
3838 expire
->sadb_lifetime_allocations
= assoc
->ipsa_hardalloc
;
3839 expire
->sadb_lifetime_bytes
= assoc
->ipsa_hardbyteslt
;
3840 expire
->sadb_lifetime_addtime
= assoc
->ipsa_hardaddlt
;
3841 expire
->sadb_lifetime_usetime
= assoc
->ipsa_harduselt
;
3842 } else if (assoc
->ipsa_state
== IPSA_STATE_DYING
) {
3843 expire
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_SOFT
;
3844 expire
->sadb_lifetime_allocations
= assoc
->ipsa_softalloc
;
3845 expire
->sadb_lifetime_bytes
= assoc
->ipsa_softbyteslt
;
3846 expire
->sadb_lifetime_addtime
= assoc
->ipsa_softaddlt
;
3847 expire
->sadb_lifetime_usetime
= assoc
->ipsa_softuselt
;
3849 ASSERT(assoc
->ipsa_state
== IPSA_STATE_MATURE
);
3850 expire
->sadb_lifetime_exttype
= SADB_X_EXT_LIFETIME_IDLE
;
3851 expire
->sadb_lifetime_allocations
= 0;
3852 expire
->sadb_lifetime_bytes
= 0;
3853 expire
->sadb_lifetime_addtime
= assoc
->ipsa_idleaddlt
;
3854 expire
->sadb_lifetime_usetime
= assoc
->ipsa_idleuselt
;
3857 mp
->b_wptr
= sadb_make_addr_ext(mp
->b_wptr
, end
, SADB_EXT_ADDRESS_SRC
,
3858 af
, assoc
->ipsa_srcaddr
, tunnel_mode
? 0 : SA_SRCPORT(assoc
),
3859 SA_PROTO(assoc
), 0);
3860 ASSERT(mp
->b_wptr
!= NULL
);
3862 mp
->b_wptr
= sadb_make_addr_ext(mp
->b_wptr
, end
, SADB_EXT_ADDRESS_DST
,
3863 af
, assoc
->ipsa_dstaddr
, tunnel_mode
? 0 : SA_DSTPORT(assoc
),
3864 SA_PROTO(assoc
), 0);
3865 ASSERT(mp
->b_wptr
!= NULL
);
3868 mp
->b_wptr
= sadb_make_addr_ext(mp
->b_wptr
, end
,
3869 SADB_X_EXT_ADDRESS_INNER_SRC
, assoc
->ipsa_innerfam
,
3870 assoc
->ipsa_innersrc
, SA_SRCPORT(assoc
), SA_IPROTO(assoc
),
3871 assoc
->ipsa_innersrcpfx
);
3872 ASSERT(mp
->b_wptr
!= NULL
);
3873 mp
->b_wptr
= sadb_make_addr_ext(mp
->b_wptr
, end
,
3874 SADB_X_EXT_ADDRESS_INNER_DST
, assoc
->ipsa_innerfam
,
3875 assoc
->ipsa_innerdst
, SA_DSTPORT(assoc
), SA_IPROTO(assoc
),
3876 assoc
->ipsa_innerdstpfx
);
3877 ASSERT(mp
->b_wptr
!= NULL
);
3880 /* Can just putnext, we're ready to go! */
3881 putnext(pfkey_q
, mp1
);
3885 * "Age" the SA with the number of bytes that was used to protect traffic.
3886 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was
3887 * enough "charge" left in the SA to protect the data. Return B_FALSE
3888 * otherwise. (If B_FALSE is returned, the association either was, or became
3892 sadb_age_bytes(queue_t
*pfkey_q
, ipsa_t
*assoc
, uint64_t bytes
,
3895 boolean_t rc
= B_TRUE
;
3898 mutex_enter(&assoc
->ipsa_lock
);
3899 newtotal
= assoc
->ipsa_bytes
+ bytes
;
3900 if (assoc
->ipsa_hardbyteslt
!= 0 &&
3901 newtotal
>= assoc
->ipsa_hardbyteslt
) {
3902 if (assoc
->ipsa_state
!= IPSA_STATE_DEAD
) {
3903 sadb_delete_cluster(assoc
);
3905 * Send EXPIRE message to PF_KEY. May wish to pawn
3906 * this off on another non-interrupt thread. Also
3907 * unlink this SA immediately.
3909 assoc
->ipsa_state
= IPSA_STATE_DEAD
;
3911 sadb_expire_assoc(pfkey_q
, assoc
);
3913 * Set non-zero expiration time so sadb_age_assoc()
3914 * will work when reaping.
3916 assoc
->ipsa_hardexpiretime
= (time_t)1;
3917 } /* Else someone beat me to it! */
3919 } else if (assoc
->ipsa_softbyteslt
!= 0 &&
3920 (newtotal
>= assoc
->ipsa_softbyteslt
)) {
3921 if (assoc
->ipsa_state
< IPSA_STATE_DYING
) {
3923 * Send EXPIRE message to PF_KEY. May wish to pawn
3924 * this off on another non-interrupt thread.
3926 assoc
->ipsa_state
= IPSA_STATE_DYING
;
3927 assoc
->ipsa_bytes
= newtotal
;
3929 sadb_expire_assoc(pfkey_q
, assoc
);
3930 } /* Else someone beat me to it! */
3933 assoc
->ipsa_bytes
= newtotal
;
3934 mutex_exit(&assoc
->ipsa_lock
);
3939 * "Torch" an individual SA. Returns NULL, so it can be tail-called from
3943 sadb_torch_assoc(isaf_t
*head
, ipsa_t
*sa
)
3945 ASSERT(MUTEX_HELD(&head
->isaf_lock
));
3946 ASSERT(MUTEX_HELD(&sa
->ipsa_lock
));
3947 ASSERT(sa
->ipsa_state
== IPSA_STATE_DEAD
);
3950 * Force cached SAs to be revalidated..
3954 mutex_exit(&sa
->ipsa_lock
);
3955 sadb_unlinkassoc(sa
);
3961 * Do various SA-is-idle activities depending on delta (the number of idle
3962 * seconds on the SA) and/or other properties of the SA.
3964 * Return B_TRUE if I've sent a packet, because I have to drop the
3965 * association's mutex before sending a packet out the wire.
3969 sadb_idle_activities(ipsa_t
*assoc
, time_t delta
, boolean_t inbound
)
3971 ipsecesp_stack_t
*espstack
= assoc
->ipsa_netstack
->netstack_ipsecesp
;
3972 int nat_t_interval
= espstack
->ipsecesp_nat_keepalive_interval
;
3974 ASSERT(MUTEX_HELD(&assoc
->ipsa_lock
));
3976 if (!inbound
&& (assoc
->ipsa_flags
& IPSA_F_NATT_LOC
) &&
3977 delta
>= nat_t_interval
&&
3978 gethrestime_sec() - assoc
->ipsa_last_nat_t_ka
>= nat_t_interval
) {
3979 ASSERT(assoc
->ipsa_type
== SADB_SATYPE_ESP
);
3980 assoc
->ipsa_last_nat_t_ka
= gethrestime_sec();
3981 mutex_exit(&assoc
->ipsa_lock
);
3982 ipsecesp_send_keepalive(assoc
);
3989 * Return "assoc" if haspeer is true and I send an expire. This allows
3990 * the consumers' aging functions to tidy up an expired SA's peer.
3993 sadb_age_assoc(isaf_t
*head
, queue_t
*pfkey_q
, ipsa_t
*assoc
,
3994 time_t current
, int reap_delay
, boolean_t inbound
)
3996 ipsa_t
*retval
= NULL
;
3997 boolean_t dropped_mutex
= B_FALSE
;
3999 ASSERT(MUTEX_HELD(&head
->isaf_lock
));
4001 mutex_enter(&assoc
->ipsa_lock
);
4003 if (((assoc
->ipsa_state
== IPSA_STATE_LARVAL
) ||
4004 ((assoc
->ipsa_state
== IPSA_STATE_IDLE
) ||
4005 (assoc
->ipsa_state
== IPSA_STATE_ACTIVE_ELSEWHERE
) &&
4006 (assoc
->ipsa_hardexpiretime
!= 0))) &&
4007 (assoc
->ipsa_hardexpiretime
<= current
)) {
4008 assoc
->ipsa_state
= IPSA_STATE_DEAD
;
4009 return (sadb_torch_assoc(head
, assoc
));
4013 * Check lifetimes. Fortunately, SA setup is done
4014 * such that there are only two times to look at,
4015 * softexpiretime, and hardexpiretime.
4020 if (assoc
->ipsa_hardexpiretime
!= 0 &&
4021 assoc
->ipsa_hardexpiretime
<= current
) {
4022 if (assoc
->ipsa_state
== IPSA_STATE_DEAD
)
4023 return (sadb_torch_assoc(head
, assoc
));
4026 sadb_delete_cluster(assoc
);
4030 * Send SADB_EXPIRE with hard lifetime, delay for unlinking.
4032 assoc
->ipsa_state
= IPSA_STATE_DEAD
;
4033 if (assoc
->ipsa_haspeer
|| assoc
->ipsa_otherspi
!= 0) {
4035 * If the SA is paired or peered with another, put
4036 * a copy on a list which can be processed later, the
4037 * pair/peer SA needs to be updated so the both die
4040 * If I return assoc, I have to bump up its reference
4041 * count to keep with the ipsa_t reference count
4044 IPSA_REFHOLD(assoc
);
4047 sadb_expire_assoc(pfkey_q
, assoc
);
4048 assoc
->ipsa_hardexpiretime
= current
+ reap_delay
;
4049 } else if (assoc
->ipsa_softexpiretime
!= 0 &&
4050 assoc
->ipsa_softexpiretime
<= current
&&
4051 assoc
->ipsa_state
< IPSA_STATE_DYING
) {
4053 * Send EXPIRE message to PF_KEY. May wish to pawn
4054 * this off on another non-interrupt thread.
4056 assoc
->ipsa_state
= IPSA_STATE_DYING
;
4057 if (assoc
->ipsa_haspeer
) {
4059 * If the SA has a peer, update the peer's state
4060 * on SOFT_EXPIRE, this is mostly to prevent two
4061 * expire messages from effectively the same SA.
4063 * Don't care about paired SA's, then can (and should)
4064 * be able to soft expire at different times.
4066 * If I return assoc, I have to bump up its
4067 * reference count to keep with the ipsa_t reference
4070 IPSA_REFHOLD(assoc
);
4073 sadb_expire_assoc(pfkey_q
, assoc
);
4074 } else if (assoc
->ipsa_idletime
!= 0 &&
4075 assoc
->ipsa_idleexpiretime
<= current
) {
4076 if (assoc
->ipsa_state
== IPSA_STATE_ACTIVE_ELSEWHERE
) {
4077 assoc
->ipsa_state
= IPSA_STATE_IDLE
;
4081 * Need to handle Mature case
4083 if (assoc
->ipsa_state
== IPSA_STATE_MATURE
) {
4084 sadb_expire_assoc(pfkey_q
, assoc
);
4087 /* Check idle time activities. */
4088 dropped_mutex
= sadb_idle_activities(assoc
,
4089 current
- assoc
->ipsa_lastuse
, inbound
);
4093 mutex_exit(&assoc
->ipsa_lock
);
4098 * Called by a consumer protocol to do ther dirty work of reaping dead
4099 * Security Associations.
4101 * NOTE: sadb_age_assoc() marks expired SA's as DEAD but only removed
4102 * SA's that are already marked DEAD, so expired SA's are only reaped
4103 * the second time sadb_ager() runs.
4106 sadb_ager(sadb_t
*sp
, queue_t
*pfkey_q
, int reap_delay
, netstack_t
*ns
)
4110 ipsa_t
*assoc
, *spare
;
4112 ipsacq_t
*acqrec
, *spareacq
;
4113 templist_t
*haspeerlist
, *newbie
;
4114 /* Snapshot current time now. */
4115 time_t current
= gethrestime_sec();
4119 * Do my dirty work. This includes aging real entries, aging
4120 * larvals, and aging outstanding ACQUIREs.
4122 * I hope I don't tie up resources for too long.
4127 for (i
= 0; i
< sp
->sdb_hashsize
; i
++) {
4128 acqlist
= &sp
->sdb_acq
[i
];
4129 mutex_enter(&acqlist
->iacqf_lock
);
4130 for (acqrec
= acqlist
->iacqf_ipsacq
; acqrec
!= NULL
;
4131 acqrec
= spareacq
) {
4132 spareacq
= acqrec
->ipsacq_next
;
4133 if (current
> acqrec
->ipsacq_expire
)
4134 sadb_destroy_acquire(acqrec
, ns
);
4136 mutex_exit(&acqlist
->iacqf_lock
);
4139 /* Age inbound associations. */
4140 for (i
= 0; i
< sp
->sdb_hashsize
; i
++) {
4141 bucket
= &(sp
->sdb_if
[i
]);
4142 mutex_enter(&bucket
->isaf_lock
);
4143 for (assoc
= bucket
->isaf_ipsa
; assoc
!= NULL
;
4145 spare
= assoc
->ipsa_next
;
4146 if (sadb_age_assoc(bucket
, pfkey_q
, assoc
, current
,
4147 reap_delay
, B_TRUE
) != NULL
) {
4149 * Put SA's which have a peer or SA's which
4150 * are paired on a list for processing after
4151 * all the hash tables have been walked.
4153 * sadb_age_assoc() increments the refcnt,
4154 * effectively doing an IPSA_REFHOLD().
4156 newbie
= kmem_alloc(sizeof (*newbie
),
4158 if (newbie
== NULL
) {
4160 * Don't forget to REFRELE().
4162 IPSA_REFRELE(assoc
);
4163 continue; /* for loop... */
4165 newbie
->next
= haspeerlist
;
4166 newbie
->ipsa
= assoc
;
4167 haspeerlist
= newbie
;
4170 mutex_exit(&bucket
->isaf_lock
);
4173 age_pair_peer_list(haspeerlist
, sp
, B_FALSE
);
4176 /* Age outbound associations. */
4177 for (i
= 0; i
< sp
->sdb_hashsize
; i
++) {
4178 bucket
= &(sp
->sdb_of
[i
]);
4179 mutex_enter(&bucket
->isaf_lock
);
4180 for (assoc
= bucket
->isaf_ipsa
; assoc
!= NULL
;
4182 spare
= assoc
->ipsa_next
;
4183 if (sadb_age_assoc(bucket
, pfkey_q
, assoc
, current
,
4184 reap_delay
, B_FALSE
) != NULL
) {
4186 * sadb_age_assoc() increments the refcnt,
4187 * effectively doing an IPSA_REFHOLD().
4189 newbie
= kmem_alloc(sizeof (*newbie
),
4191 if (newbie
== NULL
) {
4193 * Don't forget to REFRELE().
4195 IPSA_REFRELE(assoc
);
4196 continue; /* for loop... */
4198 newbie
->next
= haspeerlist
;
4199 newbie
->ipsa
= assoc
;
4200 haspeerlist
= newbie
;
4203 mutex_exit(&bucket
->isaf_lock
);
4206 age_pair_peer_list(haspeerlist
, sp
, B_TRUE
);
4209 * Run a GC pass to clean out dead identities.
4215 * Figure out when to reschedule the ager.
4218 sadb_retimeout(hrtime_t begin
, queue_t
*pfkey_q
, void (*ager
)(void *),
4219 void *agerarg
, uint_t
*intp
, uint_t intmax
, short mid
)
4221 hrtime_t end
= gethrtime();
4222 uint_t interval
= *intp
;
4225 * See how long this took. If it took too long, increase the
4228 if ((end
- begin
) > (hrtime_t
)interval
* (hrtime_t
)1000000) {
4229 if (interval
>= intmax
) {
4230 /* XXX Rate limit this? Or recommend flush? */
4231 (void) strlog(mid
, 0, 0, SL_ERROR
| SL_WARN
,
4232 "Too many SA's to age out in %d msec.\n",
4235 /* Double by shifting by one bit. */
4237 interval
= min(interval
, intmax
);
4239 } else if ((end
- begin
) <= (hrtime_t
)interval
* (hrtime_t
)500000 &&
4240 interval
> SADB_AGE_INTERVAL_DEFAULT
) {
4242 * If I took less than half of the interval, then I should
4243 * ratchet the interval back down. Never automatically
4244 * shift below the default aging interval.
4246 * NOTE:This even overrides manual setting of the age
4247 * interval using NDD to lower the setting past the
4248 * default. In other words, if you set the interval
4249 * lower than the default, and your SADB gets too big,
4250 * the interval will only self-lower back to the default.
4252 /* Halve by shifting one bit. */
4254 interval
= max(interval
, SADB_AGE_INTERVAL_DEFAULT
);
4257 return (qtimeout(pfkey_q
, ager
, agerarg
,
4258 drv_usectohz(interval
* 1000)));
4263 * Update the lifetime values of an SA. This is the path an SADB_UPDATE
4264 * message takes when updating a MATURE or DYING SA.
4267 sadb_update_lifetimes(ipsa_t
*assoc
, sadb_lifetime_t
*hard
,
4268 sadb_lifetime_t
*soft
, sadb_lifetime_t
*idle
, boolean_t outbound
)
4270 mutex_enter(&assoc
->ipsa_lock
);
4273 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be
4274 * passed in during an update message. We currently don't handle
4279 if (hard
->sadb_lifetime_bytes
!= 0)
4280 assoc
->ipsa_hardbyteslt
= hard
->sadb_lifetime_bytes
;
4281 if (hard
->sadb_lifetime_usetime
!= 0)
4282 assoc
->ipsa_harduselt
= hard
->sadb_lifetime_usetime
;
4283 if (hard
->sadb_lifetime_addtime
!= 0)
4284 assoc
->ipsa_hardaddlt
= hard
->sadb_lifetime_addtime
;
4285 if (assoc
->ipsa_hardaddlt
!= 0) {
4286 assoc
->ipsa_hardexpiretime
=
4287 assoc
->ipsa_addtime
+ assoc
->ipsa_hardaddlt
;
4289 if (assoc
->ipsa_harduselt
!= 0 &&
4290 assoc
->ipsa_flags
& IPSA_F_USED
) {
4291 UPDATE_EXPIRE(assoc
, harduselt
, hardexpiretime
);
4293 if (hard
->sadb_lifetime_allocations
!= 0)
4294 assoc
->ipsa_hardalloc
= hard
->sadb_lifetime_allocations
;
4298 if (soft
->sadb_lifetime_bytes
!= 0) {
4299 if (soft
->sadb_lifetime_bytes
>
4300 assoc
->ipsa_hardbyteslt
) {
4301 assoc
->ipsa_softbyteslt
=
4302 assoc
->ipsa_hardbyteslt
;
4304 assoc
->ipsa_softbyteslt
=
4305 soft
->sadb_lifetime_bytes
;
4308 if (soft
->sadb_lifetime_usetime
!= 0) {
4309 if (soft
->sadb_lifetime_usetime
>
4310 assoc
->ipsa_harduselt
) {
4311 assoc
->ipsa_softuselt
=
4312 assoc
->ipsa_harduselt
;
4314 assoc
->ipsa_softuselt
=
4315 soft
->sadb_lifetime_usetime
;
4318 if (soft
->sadb_lifetime_addtime
!= 0) {
4319 if (soft
->sadb_lifetime_addtime
>
4320 assoc
->ipsa_hardexpiretime
) {
4321 assoc
->ipsa_softexpiretime
=
4322 assoc
->ipsa_hardexpiretime
;
4324 assoc
->ipsa_softaddlt
=
4325 soft
->sadb_lifetime_addtime
;
4328 if (assoc
->ipsa_softaddlt
!= 0) {
4329 assoc
->ipsa_softexpiretime
=
4330 assoc
->ipsa_addtime
+ assoc
->ipsa_softaddlt
;
4332 if (assoc
->ipsa_softuselt
!= 0 &&
4333 assoc
->ipsa_flags
& IPSA_F_USED
) {
4334 UPDATE_EXPIRE(assoc
, softuselt
, softexpiretime
);
4336 if (outbound
&& assoc
->ipsa_softexpiretime
!= 0) {
4337 if (assoc
->ipsa_state
== IPSA_STATE_MATURE
)
4338 lifetime_fuzz(assoc
);
4341 if (soft
->sadb_lifetime_allocations
!= 0)
4342 assoc
->ipsa_softalloc
= soft
->sadb_lifetime_allocations
;
4346 time_t current
= gethrestime_sec();
4347 if ((assoc
->ipsa_idleexpiretime
<= current
) &&
4348 (assoc
->ipsa_idleaddlt
== idle
->sadb_lifetime_addtime
)) {
4349 assoc
->ipsa_idleexpiretime
=
4350 current
+ assoc
->ipsa_idleaddlt
;
4352 if (idle
->sadb_lifetime_addtime
!= 0)
4353 assoc
->ipsa_idleaddlt
= idle
->sadb_lifetime_addtime
;
4354 if (idle
->sadb_lifetime_usetime
!= 0)
4355 assoc
->ipsa_idleuselt
= idle
->sadb_lifetime_usetime
;
4356 if (assoc
->ipsa_idleaddlt
!= 0) {
4357 assoc
->ipsa_idleexpiretime
=
4358 current
+ idle
->sadb_lifetime_addtime
;
4359 assoc
->ipsa_idletime
= idle
->sadb_lifetime_addtime
;
4361 if (assoc
->ipsa_idleuselt
!= 0) {
4362 if (assoc
->ipsa_idletime
!= 0) {
4363 assoc
->ipsa_idletime
= min(assoc
->ipsa_idletime
,
4364 assoc
->ipsa_idleuselt
);
4365 assoc
->ipsa_idleexpiretime
=
4366 current
+ assoc
->ipsa_idletime
;
4368 assoc
->ipsa_idleexpiretime
=
4369 current
+ assoc
->ipsa_idleuselt
;
4370 assoc
->ipsa_idletime
= assoc
->ipsa_idleuselt
;
4374 mutex_exit(&assoc
->ipsa_lock
);
4378 sadb_update_state(ipsa_t
*assoc
, uint_t new_state
, mblk_t
**ipkt_lst
)
4381 time_t current
= gethrestime_sec();
4383 mutex_enter(&assoc
->ipsa_lock
);
4385 switch (new_state
) {
4386 case SADB_X_SASTATE_ACTIVE_ELSEWHERE
:
4387 if (assoc
->ipsa_state
== SADB_X_SASTATE_IDLE
) {
4388 assoc
->ipsa_state
= IPSA_STATE_ACTIVE_ELSEWHERE
;
4389 assoc
->ipsa_idleexpiretime
=
4390 current
+ assoc
->ipsa_idletime
;
4393 case SADB_X_SASTATE_IDLE
:
4394 if (assoc
->ipsa_state
== SADB_X_SASTATE_ACTIVE_ELSEWHERE
) {
4395 assoc
->ipsa_state
= IPSA_STATE_IDLE
;
4396 assoc
->ipsa_idleexpiretime
=
4397 current
+ assoc
->ipsa_idletime
;
4403 case SADB_X_SASTATE_ACTIVE
:
4404 if (assoc
->ipsa_state
!= SADB_X_SASTATE_IDLE
) {
4408 assoc
->ipsa_state
= IPSA_STATE_MATURE
;
4409 assoc
->ipsa_idleexpiretime
= current
+ assoc
->ipsa_idletime
;
4411 if (ipkt_lst
== NULL
) {
4415 if (assoc
->ipsa_bpkt_head
!= NULL
) {
4416 *ipkt_lst
= assoc
->ipsa_bpkt_head
;
4417 assoc
->ipsa_bpkt_head
= assoc
->ipsa_bpkt_tail
= NULL
;
4418 assoc
->ipsa_mblkcnt
= 0;
4428 mutex_exit(&assoc
->ipsa_lock
);
4433 * Check a proposed KMC update for sanity.
4436 sadb_check_kmc(ipsa_query_t
*sq
, ipsa_t
*sa
, int *diagnostic
)
4438 uint32_t kmp
= sq
->kmp
;
4439 uint32_t kmc
= sq
->kmc
;
4444 if (sa
->ipsa_state
== IPSA_STATE_DEAD
)
4445 return (ESRCH
); /* DEAD == Not there, in this case. */
4447 if ((kmp
!= 0) && ((sa
->ipsa_kmp
!= 0) || (sa
->ipsa_kmp
!= kmp
))) {
4448 *diagnostic
= SADB_X_DIAGNOSTIC_DUPLICATE_KMP
;
4452 if ((kmc
!= 0) && ((sa
->ipsa_kmc
!= 0) || (sa
->ipsa_kmc
!= kmc
))) {
4453 *diagnostic
= SADB_X_DIAGNOSTIC_DUPLICATE_KMC
;
4461 * Actually update the KMC info.
4464 sadb_update_kmc(ipsa_query_t
*sq
, ipsa_t
*sa
)
4466 uint32_t kmp
= sq
->kmp
;
4467 uint32_t kmc
= sq
->kmc
;
4476 * Common code to update an SA.
4480 sadb_update_sa(mblk_t
*mp
, keysock_in_t
*ksi
, mblk_t
**ipkt_lst
,
4481 sadbp_t
*spp
, int *diagnostic
, queue_t
*pfkey_q
,
4482 int (*add_sa_func
)(mblk_t
*, keysock_in_t
*, int *, netstack_t
*),
4483 netstack_t
*ns
, uint8_t sadb_msg_type
)
4485 sadb_key_t
*akey
= (sadb_key_t
*)ksi
->ks_in_extv
[SADB_EXT_KEY_AUTH
];
4486 sadb_key_t
*ekey
= (sadb_key_t
*)ksi
->ks_in_extv
[SADB_EXT_KEY_ENCRYPT
];
4487 sadb_x_replay_ctr_t
*replext
=
4488 (sadb_x_replay_ctr_t
*)ksi
->ks_in_extv
[SADB_X_EXT_REPLAY_VALUE
];
4489 sadb_lifetime_t
*soft
=
4490 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_EXT_LIFETIME_SOFT
];
4491 sadb_lifetime_t
*hard
=
4492 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_EXT_LIFETIME_HARD
];
4493 sadb_lifetime_t
*idle
=
4494 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_X_EXT_LIFETIME_IDLE
];
4495 sadb_x_pair_t
*pair_ext
=
4496 (sadb_x_pair_t
*)ksi
->ks_in_extv
[SADB_X_EXT_PAIR
];
4497 ipsa_t
*echo_target
= NULL
;
4500 time_t current
= gethrestime_sec();
4502 sq
.spp
= spp
; /* XXX param */
4503 int error
= sadb_form_query(ksi
, IPSA_Q_SRC
|IPSA_Q_DST
|IPSA_Q_SA
,
4504 IPSA_Q_SRC
|IPSA_Q_DST
|IPSA_Q_SA
|IPSA_Q_INBOUND
|IPSA_Q_OUTBOUND
,
4510 error
= get_ipsa_pair(&sq
, &ipsapp
, diagnostic
);
4514 if (ipsapp
.ipsap_psa_ptr
== NULL
&& ipsapp
.ipsap_sa_ptr
!= NULL
) {
4515 if (ipsapp
.ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_LARVAL
) {
4517 * REFRELE the target and let the add_sa_func()
4518 * deal with updating a larval SA.
4520 destroy_ipsa_pair(&ipsapp
);
4521 return (add_sa_func(mp
, ksi
, diagnostic
, ns
));
4526 * At this point we have an UPDATE to a MATURE SA. There should
4527 * not be any keying material present.
4530 *diagnostic
= SADB_X_DIAGNOSTIC_AKEY_PRESENT
;
4535 *diagnostic
= SADB_X_DIAGNOSTIC_EKEY_PRESENT
;
4540 if (sq
.assoc
->sadb_sa_state
== SADB_X_SASTATE_ACTIVE_ELSEWHERE
) {
4541 if (ipsapp
.ipsap_sa_ptr
!= NULL
&&
4542 ipsapp
.ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_IDLE
) {
4543 if ((error
= sadb_update_state(ipsapp
.ipsap_sa_ptr
,
4544 sq
.assoc
->sadb_sa_state
, NULL
)) != 0) {
4545 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4549 if (ipsapp
.ipsap_psa_ptr
!= NULL
&&
4550 ipsapp
.ipsap_psa_ptr
->ipsa_state
== IPSA_STATE_IDLE
) {
4551 if ((error
= sadb_update_state(ipsapp
.ipsap_psa_ptr
,
4552 sq
.assoc
->sadb_sa_state
, NULL
)) != 0) {
4553 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4558 if (sq
.assoc
->sadb_sa_state
== SADB_X_SASTATE_ACTIVE
) {
4559 if (ipsapp
.ipsap_sa_ptr
!= NULL
) {
4560 error
= sadb_update_state(ipsapp
.ipsap_sa_ptr
,
4561 sq
.assoc
->sadb_sa_state
,
4562 (ipsapp
.ipsap_sa_ptr
->ipsa_flags
&
4563 IPSA_F_INBOUND
) ? ipkt_lst
: NULL
);
4565 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4569 if (ipsapp
.ipsap_psa_ptr
!= NULL
) {
4570 error
= sadb_update_state(ipsapp
.ipsap_psa_ptr
,
4571 sq
.assoc
->sadb_sa_state
,
4572 (ipsapp
.ipsap_psa_ptr
->ipsa_flags
&
4573 IPSA_F_INBOUND
) ? ipkt_lst
: NULL
);
4575 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4579 sadb_pfkey_echo(pfkey_q
, mp
, (sadb_msg_t
*)mp
->b_cont
->b_rptr
,
4585 * Reality checks for updates of active associations.
4586 * Sundry first-pass UPDATE-specific reality checks.
4587 * Have to do the checks here, because it's after the add_sa code.
4588 * XXX STATS : logging/stats here?
4591 if (!((sq
.assoc
->sadb_sa_state
== SADB_SASTATE_MATURE
) ||
4592 (sq
.assoc
->sadb_sa_state
== SADB_X_SASTATE_ACTIVE_ELSEWHERE
))) {
4593 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4597 if (sq
.assoc
->sadb_sa_flags
& ~spp
->s_updateflags
) {
4598 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SAFLAGS
;
4602 if (ksi
->ks_in_extv
[SADB_EXT_LIFETIME_CURRENT
] != NULL
) {
4603 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_LIFETIME
;
4608 if ((*diagnostic
= sadb_hardsoftchk(hard
, soft
, idle
)) != 0) {
4613 if ((*diagnostic
= sadb_labelchk(ksi
)) != 0)
4616 error
= sadb_check_kmc(&sq
, ipsapp
.ipsap_sa_ptr
, diagnostic
);
4620 error
= sadb_check_kmc(&sq
, ipsapp
.ipsap_psa_ptr
, diagnostic
);
4625 if (ipsapp
.ipsap_sa_ptr
!= NULL
) {
4627 * Do not allow replay value change for MATURE or LARVAL SA.
4630 if ((replext
!= NULL
) &&
4631 ((ipsapp
.ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_LARVAL
) ||
4632 (ipsapp
.ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_MATURE
))) {
4633 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4640 if (ipsapp
.ipsap_sa_ptr
!= NULL
) {
4641 sadb_update_lifetimes(ipsapp
.ipsap_sa_ptr
, hard
, soft
,
4643 sadb_update_kmc(&sq
, ipsapp
.ipsap_sa_ptr
);
4644 if ((replext
!= NULL
) &&
4645 (ipsapp
.ipsap_sa_ptr
->ipsa_replay_wsize
!= 0)) {
4647 * If an inbound SA, update the replay counter
4648 * and check off all the other sequence number
4650 if (ksi
->ks_in_dsttype
== KS_IN_ADDR_ME
) {
4651 if (!sadb_replay_check(ipsapp
.ipsap_sa_ptr
,
4652 replext
->sadb_x_rc_replay32
)) {
4654 SADB_X_DIAGNOSTIC_INVALID_REPLAY
;
4658 mutex_enter(&ipsapp
.ipsap_sa_ptr
->ipsa_lock
);
4659 ipsapp
.ipsap_sa_ptr
->ipsa_idleexpiretime
=
4661 ipsapp
.ipsap_sa_ptr
->ipsa_idletime
;
4662 mutex_exit(&ipsapp
.ipsap_sa_ptr
->ipsa_lock
);
4664 mutex_enter(&ipsapp
.ipsap_sa_ptr
->ipsa_lock
);
4665 ipsapp
.ipsap_sa_ptr
->ipsa_replay
=
4666 replext
->sadb_x_rc_replay32
;
4667 ipsapp
.ipsap_sa_ptr
->ipsa_idleexpiretime
=
4669 ipsapp
.ipsap_sa_ptr
->ipsa_idletime
;
4670 mutex_exit(&ipsapp
.ipsap_sa_ptr
->ipsa_lock
);
4675 if (sadb_msg_type
== SADB_X_UPDATEPAIR
) {
4676 if (ipsapp
.ipsap_psa_ptr
!= NULL
) {
4677 sadb_update_lifetimes(ipsapp
.ipsap_psa_ptr
, hard
, soft
,
4679 sadb_update_kmc(&sq
, ipsapp
.ipsap_psa_ptr
);
4681 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND
;
4687 if (pair_ext
!= NULL
)
4688 error
= update_pairing(&ipsapp
, &sq
, ksi
, diagnostic
);
4691 sadb_pfkey_echo(pfkey_q
, mp
, (sadb_msg_t
*)mp
->b_cont
->b_rptr
,
4695 destroy_ipsa_pair(&ipsapp
);
4702 update_pairing(ipsap_t
*ipsapp
, ipsa_query_t
*sq
, keysock_in_t
*ksi
,
4705 sadb_sa_t
*assoc
= (sadb_sa_t
*)ksi
->ks_in_extv
[SADB_EXT_SA
];
4706 sadb_x_pair_t
*pair_ext
=
4707 (sadb_x_pair_t
*)ksi
->ks_in_extv
[SADB_X_EXT_PAIR
];
4710 boolean_t undo_pair
= B_FALSE
;
4711 uint32_t ipsa_flags
;
4713 if (pair_ext
->sadb_x_pair_spi
== 0 || pair_ext
->sadb_x_pair_spi
==
4714 assoc
->sadb_sa_spi
) {
4715 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
;
4720 * Assume for now that the spi value provided in the SADB_UPDATE
4721 * message was valid, update the SA with its pair spi value.
4722 * If the spi turns out to be bogus or the SA no longer exists
4723 * then this will be detected when the reverse update is made
4726 mutex_enter(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4727 ipsapp
->ipsap_sa_ptr
->ipsa_flags
|= IPSA_F_PAIRED
;
4728 ipsapp
->ipsap_sa_ptr
->ipsa_otherspi
= pair_ext
->sadb_x_pair_spi
;
4729 mutex_exit(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4732 * After updating the ipsa_otherspi element of the SA, get_ipsa_pair()
4733 * should now return pointers to the SA *AND* its pair, if this is not
4734 * the case, the "otherspi" either did not exist or was deleted. Also
4735 * check that "otherspi" is not already paired. If everything looks
4736 * good, complete the update. IPSA_REFRELE the first pair_pointer
4737 * after this update to ensure its not deleted until we are done.
4739 error
= get_ipsa_pair(sq
, &oipsapp
, diagnostic
);
4742 * This should never happen, calling function still has
4743 * IPSA_REFHELD on the SA we just updated.
4745 return (error
); /* XXX EINVAL instead of ESRCH? */
4748 if (oipsapp
.ipsap_psa_ptr
== NULL
) {
4749 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
;
4753 ipsa_flags
= oipsapp
.ipsap_psa_ptr
->ipsa_flags
;
4754 if ((oipsapp
.ipsap_psa_ptr
->ipsa_state
== IPSA_STATE_DEAD
) ||
4755 (oipsapp
.ipsap_psa_ptr
->ipsa_state
== IPSA_STATE_DYING
)) {
4757 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
;
4759 } else if ((ipsa_flags
& (IPSA_F_OUTBOUND
| IPSA_F_INBOUND
)) ==
4760 (IPSA_F_OUTBOUND
| IPSA_F_INBOUND
)) {
4761 /* This SA is in both hashtables. */
4762 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
;
4764 } else if (ipsa_flags
& IPSA_F_PAIRED
) {
4765 /* This SA is already paired with another. */
4766 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_ALREADY
;
4772 /* The pair SA does not exist. */
4773 mutex_enter(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4774 ipsapp
->ipsap_sa_ptr
->ipsa_flags
&= ~IPSA_F_PAIRED
;
4775 ipsapp
->ipsap_sa_ptr
->ipsa_otherspi
= 0;
4776 mutex_exit(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4778 mutex_enter(&oipsapp
.ipsap_psa_ptr
->ipsa_lock
);
4779 oipsapp
.ipsap_psa_ptr
->ipsa_otherspi
= assoc
->sadb_sa_spi
;
4780 oipsapp
.ipsap_psa_ptr
->ipsa_flags
|= IPSA_F_PAIRED
;
4781 mutex_exit(&oipsapp
.ipsap_psa_ptr
->ipsa_lock
);
4784 destroy_ipsa_pair(&oipsapp
);
4789 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is
4790 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails
4791 * for an outbound datagram, that datagram is queued up on an ACQUIRE record,
4792 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key
4793 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve
4794 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the
4795 * other direction's SA.
4799 * Check the ACQUIRE lists. If there's an existing ACQUIRE record,
4800 * grab it, lock it, and return it. Otherwise return NULL.
4802 * XXX MLS number of arguments getting unwieldy here
4805 sadb_checkacquire(iacqf_t
*bucket
, ipsec_action_t
*ap
, ipsec_policy_t
*pp
,
4806 uint32_t *src
, uint32_t *dst
, uint32_t *isrc
, uint32_t *idst
,
4807 uint64_t unique_id
, ts_label_t
*tsl
)
4811 uint32_t blank_address
[4] = {0, 0, 0, 0};
4814 ASSERT(idst
== NULL
);
4815 isrc
= idst
= blank_address
;
4819 * Scan list for duplicates. Check for UNIQUE, src/dest, policy.
4821 * XXX May need search for duplicates based on other things too!
4823 for (walker
= bucket
->iacqf_ipsacq
; walker
!= NULL
;
4824 walker
= walker
->ipsacq_next
) {
4825 mutex_enter(&walker
->ipsacq_lock
);
4826 fam
= walker
->ipsacq_addrfam
;
4827 if (IPSA_ARE_ADDR_EQUAL(dst
, walker
->ipsacq_dstaddr
, fam
) &&
4828 IPSA_ARE_ADDR_EQUAL(src
, walker
->ipsacq_srcaddr
, fam
) &&
4829 ip_addr_match((uint8_t *)isrc
, walker
->ipsacq_innersrcpfx
,
4830 (in6_addr_t
*)walker
->ipsacq_innersrc
) &&
4831 ip_addr_match((uint8_t *)idst
, walker
->ipsacq_innerdstpfx
,
4832 (in6_addr_t
*)walker
->ipsacq_innerdst
) &&
4833 (ap
== walker
->ipsacq_act
) &&
4834 (pp
== walker
->ipsacq_policy
) &&
4835 /* XXX do deep compares of ap/pp? */
4836 (unique_id
== walker
->ipsacq_unique_id
) &&
4837 (ipsec_label_match(tsl
, walker
->ipsacq_tsl
)))
4838 break; /* everything matched */
4839 mutex_exit(&walker
->ipsacq_lock
);
4846 * For this mblk, insert a new acquire record. Assume bucket contains addrs
4847 * of all of the same length. Give up (and drop) if memory
4848 * cannot be allocated for a new one; otherwise, invoke callback to
4849 * send the acquire up..
4851 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE
4852 * list. The ah_add_sa_finish() routines can look at the packet's attached
4853 * attributes and handle this case specially.
4856 sadb_acquire(mblk_t
*datamp
, ip_xmit_attr_t
*ixa
, boolean_t need_ah
,
4865 ipha_t
*ipha
= (ipha_t
*)datamp
->b_rptr
;
4866 ip6_t
*ip6h
= (ip6_t
*)datamp
->b_rptr
;
4867 uint32_t *src
, *dst
, *isrc
, *idst
;
4868 ipsec_policy_t
*pp
= ixa
->ixa_ipsec_policy
;
4869 ipsec_action_t
*ap
= ixa
->ixa_ipsec_action
;
4873 uint64_t unique_id
= 0;
4874 ipsec_selector_t sel
;
4875 boolean_t tunnel_mode
= (ixa
->ixa_flags
& IXAF_IPSEC_TUNNEL
) != 0;
4876 ts_label_t
*tsl
= NULL
;
4877 netstack_t
*ns
= ixa
->ixa_ipst
->ips_netstack
;
4878 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
4879 sadb_sens_t
*sens
= NULL
;
4882 ASSERT((pp
!= NULL
) || (ap
!= NULL
));
4884 ASSERT(need_ah
!= NULL
|| need_esp
!= NULL
);
4886 /* Assign sadb pointers */
4887 if (need_esp
) { /* ESP for AH+ESP */
4888 ipsecesp_stack_t
*espstack
= ns
->netstack_ipsecesp
;
4890 spp
= &espstack
->esp_sadb
;
4892 ipsecah_stack_t
*ahstack
= ns
->netstack_ipsecah
;
4894 spp
= &ahstack
->ah_sadb
;
4896 sp
= (ixa
->ixa_flags
& IXAF_IS_IPV4
) ? &spp
->s_v4
: &spp
->s_v6
;
4898 if (is_system_labeled())
4906 if (ap
->ipa_act
.ipa_apply
.ipp_use_unique
|| tunnel_mode
)
4907 unique_id
= SA_FORM_UNIQUE_ID(ixa
);
4910 * Set up an ACQUIRE record.
4912 * Immediately, make sure the ACQUIRE sequence number doesn't slip
4913 * below the lowest point allowed in the kernel. (In other words,
4914 * make sure the high bit on the sequence number is set.)
4917 seq
= keysock_next_seq(ns
) | IACQF_LOWEST_SEQ
;
4919 if (IPH_HDR_VERSION(ipha
) == IP_VERSION
) {
4920 src
= (uint32_t *)&ipha
->ipha_src
;
4921 dst
= (uint32_t *)&ipha
->ipha_dst
;
4923 hashoffset
= OUTBOUND_HASH_V4(sp
, ipha
->ipha_dst
);
4924 ASSERT(ixa
->ixa_flags
& IXAF_IS_IPV4
);
4926 ASSERT(IPH_HDR_VERSION(ipha
) == IPV6_VERSION
);
4927 src
= (uint32_t *)&ip6h
->ip6_src
;
4928 dst
= (uint32_t *)&ip6h
->ip6_dst
;
4930 hashoffset
= OUTBOUND_HASH_V6(sp
, ip6h
->ip6_dst
);
4931 ASSERT(!(ixa
->ixa_flags
& IXAF_IS_IPV4
));
4937 * Tunnel mode with no policy pointer means this is a
4938 * reflected ICMP (like a ECHO REQUEST) that came in
4939 * with self-encapsulated protection. Until we better
4940 * support this, drop the packet.
4942 ip_drop_packet(datamp
, B_FALSE
, NULL
,
4943 DROPPER(ipss
, ipds_spd_got_selfencap
),
4944 &ipss
->ipsec_spd_dropper
);
4947 /* Snag inner addresses. */
4948 isrc
= ixa
->ixa_ipsec_insrc
;
4949 idst
= ixa
->ixa_ipsec_indst
;
4955 * Check buckets to see if there is an existing entry. If so,
4956 * grab it. sadb_checkacquire locks newbie if found.
4958 bucket
= &(sp
->sdb_acq
[hashoffset
]);
4959 mutex_enter(&bucket
->iacqf_lock
);
4960 newbie
= sadb_checkacquire(bucket
, ap
, pp
, src
, dst
, isrc
, idst
,
4963 if (newbie
== NULL
) {
4965 * Otherwise, allocate a new one.
4967 newbie
= kmem_zalloc(sizeof (*newbie
), KM_NOSLEEP
);
4968 if (newbie
== NULL
) {
4969 mutex_exit(&bucket
->iacqf_lock
);
4970 ip_drop_packet(datamp
, B_FALSE
, NULL
,
4971 DROPPER(ipss
, ipds_sadb_acquire_nomem
),
4972 &ipss
->ipsec_sadb_dropper
);
4975 newbie
->ipsacq_policy
= pp
;
4980 newbie
->ipsacq_act
= ap
;
4981 newbie
->ipsacq_linklock
= &bucket
->iacqf_lock
;
4982 newbie
->ipsacq_next
= bucket
->iacqf_ipsacq
;
4983 newbie
->ipsacq_ptpn
= &bucket
->iacqf_ipsacq
;
4984 if (newbie
->ipsacq_next
!= NULL
)
4985 newbie
->ipsacq_next
->ipsacq_ptpn
= &newbie
->ipsacq_next
;
4987 bucket
->iacqf_ipsacq
= newbie
;
4988 mutex_init(&newbie
->ipsacq_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
4989 mutex_enter(&newbie
->ipsacq_lock
);
4993 * XXX MLS does it actually help us to drop the bucket lock here?
4994 * we have inserted a half-built, locked acquire record into the
4995 * bucket. any competing thread will now be able to lock the bucket
4996 * to scan it, but will immediately pile up on the new acquire
4997 * record's lock; I don't think we gain anything here other than to
4998 * disperse blame for lock contention.
5000 * we might be able to dispense with acquire record locks entirely..
5001 * just use the bucket locks..
5004 mutex_exit(&bucket
->iacqf_lock
);
5007 * This assert looks silly for now, but we may need to enter newbie's
5008 * mutex during a search.
5010 ASSERT(MUTEX_HELD(&newbie
->ipsacq_lock
));
5013 * Make the ip_xmit_attr_t into something we can queue.
5014 * If no memory it frees datamp.
5016 asyncmp
= ip_xmit_attr_to_mblk(ixa
);
5017 if (asyncmp
!= NULL
)
5018 linkb(asyncmp
, datamp
);
5020 /* Queue up packet. Use b_next. */
5022 if (asyncmp
== NULL
) {
5023 /* Statistics for allocation failure */
5024 if (ixa
->ixa_flags
& IXAF_IS_IPV4
) {
5025 BUMP_MIB(&ixa
->ixa_ipst
->ips_ip_mib
,
5026 ipIfStatsOutDiscards
);
5028 BUMP_MIB(&ixa
->ixa_ipst
->ips_ip6_mib
,
5029 ipIfStatsOutDiscards
);
5031 ip_drop_output("No memory for asyncmp", datamp
, NULL
);
5033 } else if (newbie
->ipsacq_numpackets
== 0) {
5035 newbie
->ipsacq_mp
= asyncmp
;
5036 newbie
->ipsacq_numpackets
= 1;
5037 newbie
->ipsacq_expire
= gethrestime_sec();
5039 * Extended ACQUIRE with both AH+ESP will use ESP's timeout
5042 newbie
->ipsacq_expire
+= *spp
->s_acquire_timeout
;
5043 newbie
->ipsacq_seq
= seq
;
5044 newbie
->ipsacq_addrfam
= af
;
5046 newbie
->ipsacq_srcport
= ixa
->ixa_ipsec_src_port
;
5047 newbie
->ipsacq_dstport
= ixa
->ixa_ipsec_dst_port
;
5048 newbie
->ipsacq_icmp_type
= ixa
->ixa_ipsec_icmp_type
;
5049 newbie
->ipsacq_icmp_code
= ixa
->ixa_ipsec_icmp_code
;
5051 newbie
->ipsacq_inneraddrfam
= ixa
->ixa_ipsec_inaf
;
5052 newbie
->ipsacq_proto
= ixa
->ixa_ipsec_inaf
== AF_INET6
?
5053 IPPROTO_IPV6
: IPPROTO_ENCAP
;
5054 newbie
->ipsacq_innersrcpfx
= ixa
->ixa_ipsec_insrcpfx
;
5055 newbie
->ipsacq_innerdstpfx
= ixa
->ixa_ipsec_indstpfx
;
5056 IPSA_COPY_ADDR(newbie
->ipsacq_innersrc
,
5057 ixa
->ixa_ipsec_insrc
, ixa
->ixa_ipsec_inaf
);
5058 IPSA_COPY_ADDR(newbie
->ipsacq_innerdst
,
5059 ixa
->ixa_ipsec_indst
, ixa
->ixa_ipsec_inaf
);
5061 newbie
->ipsacq_proto
= ixa
->ixa_ipsec_proto
;
5063 newbie
->ipsacq_unique_id
= unique_id
;
5065 if (ixa
->ixa_tsl
!= NULL
) {
5066 label_hold(ixa
->ixa_tsl
);
5067 newbie
->ipsacq_tsl
= ixa
->ixa_tsl
;
5070 /* Scan to the end of the list & insert. */
5071 mblk_t
*lastone
= newbie
->ipsacq_mp
;
5073 while (lastone
->b_next
!= NULL
)
5074 lastone
= lastone
->b_next
;
5075 lastone
->b_next
= asyncmp
;
5076 if (newbie
->ipsacq_numpackets
++ == ipsacq_maxpackets
) {
5077 newbie
->ipsacq_numpackets
= ipsacq_maxpackets
;
5078 lastone
= newbie
->ipsacq_mp
;
5079 newbie
->ipsacq_mp
= lastone
->b_next
;
5080 lastone
->b_next
= NULL
;
5082 /* Freeing the async message */
5083 lastone
= ip_xmit_attr_free_mblk(lastone
);
5084 ip_drop_packet(lastone
, B_FALSE
, NULL
,
5085 DROPPER(ipss
, ipds_sadb_acquire_toofull
),
5086 &ipss
->ipsec_sadb_dropper
);
5088 IP_ACQUIRE_STAT(ipss
, qhiwater
,
5089 newbie
->ipsacq_numpackets
);
5094 * Reset addresses. Set them to the most recently added mblk chain,
5095 * so that the address pointers in the acquire record will point
5096 * at an mblk still attached to the acquire list.
5099 newbie
->ipsacq_srcaddr
= src
;
5100 newbie
->ipsacq_dstaddr
= dst
;
5103 * If the acquire record has more than one queued packet, we've
5104 * already sent an ACQUIRE, and don't need to repeat ourself.
5106 if (newbie
->ipsacq_seq
!= seq
|| newbie
->ipsacq_numpackets
> 1) {
5107 /* I have an acquire outstanding already! */
5108 mutex_exit(&newbie
->ipsacq_lock
);
5112 if (!keysock_extended_reg(ns
))
5115 * Construct an extended ACQUIRE. There are logging
5116 * opportunities here in failure cases.
5118 bzero(&sel
, sizeof (sel
));
5119 sel
.ips_isv4
= (ixa
->ixa_flags
& IXAF_IS_IPV4
) != 0;
5121 sel
.ips_protocol
= (ixa
->ixa_ipsec_inaf
== AF_INET
) ?
5122 IPPROTO_ENCAP
: IPPROTO_IPV6
;
5124 sel
.ips_protocol
= ixa
->ixa_ipsec_proto
;
5125 sel
.ips_local_port
= ixa
->ixa_ipsec_src_port
;
5126 sel
.ips_remote_port
= ixa
->ixa_ipsec_dst_port
;
5128 sel
.ips_icmp_type
= ixa
->ixa_ipsec_icmp_type
;
5129 sel
.ips_icmp_code
= ixa
->ixa_ipsec_icmp_code
;
5130 sel
.ips_is_icmp_inv_acq
= 0;
5131 if (af
== AF_INET
) {
5132 sel
.ips_local_addr_v4
= ipha
->ipha_src
;
5133 sel
.ips_remote_addr_v4
= ipha
->ipha_dst
;
5135 sel
.ips_local_addr_v6
= ip6h
->ip6_src
;
5136 sel
.ips_remote_addr_v6
= ip6h
->ip6_dst
;
5139 extended
= sadb_keysock_out(0);
5140 if (extended
== NULL
)
5143 if (ixa
->ixa_tsl
!= NULL
) {
5145 * XXX MLS correct condition here?
5146 * XXX MLS other credential attributes in acquire?
5147 * XXX malloc failure? don't fall back to original?
5149 sens
= sadb_make_sens_ext(ixa
->ixa_tsl
, &sens_len
);
5157 extended
->b_cont
= sadb_extended_acquire(&sel
, pp
, ap
, tunnel_mode
,
5161 kmem_free(sens
, sens_len
);
5163 if (extended
->b_cont
== NULL
) {
5169 * Send an ACQUIRE message (and possible an extended ACQUIRE) based on
5170 * this new record. The send-acquire callback assumes that acqrec is
5173 (*spp
->s_acqfn
)(newbie
, extended
, ns
);
5177 (*spp
->s_acqfn
)(newbie
, NULL
, ns
);
5181 * Unlink and free an acquire record.
5184 sadb_destroy_acquire(ipsacq_t
*acqrec
, netstack_t
*ns
)
5187 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
5189 ASSERT(MUTEX_HELD(acqrec
->ipsacq_linklock
));
5191 if (acqrec
->ipsacq_policy
!= NULL
) {
5192 IPPOL_REFRELE(acqrec
->ipsacq_policy
);
5194 if (acqrec
->ipsacq_act
!= NULL
) {
5195 IPACT_REFRELE(acqrec
->ipsacq_act
);
5199 *(acqrec
->ipsacq_ptpn
) = acqrec
->ipsacq_next
;
5200 if (acqrec
->ipsacq_next
!= NULL
)
5201 acqrec
->ipsacq_next
->ipsacq_ptpn
= acqrec
->ipsacq_ptpn
;
5203 if (acqrec
->ipsacq_tsl
!= NULL
) {
5204 label_rele(acqrec
->ipsacq_tsl
);
5205 acqrec
->ipsacq_tsl
= NULL
;
5209 * Free hanging mp's.
5211 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED.
5214 mutex_enter(&acqrec
->ipsacq_lock
);
5215 while (acqrec
->ipsacq_mp
!= NULL
) {
5216 mp
= acqrec
->ipsacq_mp
;
5217 acqrec
->ipsacq_mp
= mp
->b_next
;
5219 /* Freeing the async message */
5220 mp
= ip_xmit_attr_free_mblk(mp
);
5221 ip_drop_packet(mp
, B_FALSE
, NULL
,
5222 DROPPER(ipss
, ipds_sadb_acquire_timeout
),
5223 &ipss
->ipsec_sadb_dropper
);
5225 mutex_exit(&acqrec
->ipsacq_lock
);
5228 mutex_destroy(&acqrec
->ipsacq_lock
);
5229 kmem_free(acqrec
, sizeof (*acqrec
));
5233 * Destroy an acquire list fanout.
5236 sadb_destroy_acqlist(iacqf_t
**listp
, uint_t numentries
, boolean_t forever
,
5240 iacqf_t
*list
= *listp
;
5245 for (i
= 0; i
< numentries
; i
++) {
5246 mutex_enter(&(list
[i
].iacqf_lock
));
5247 while (list
[i
].iacqf_ipsacq
!= NULL
)
5248 sadb_destroy_acquire(list
[i
].iacqf_ipsacq
, ns
);
5249 mutex_exit(&(list
[i
].iacqf_lock
));
5251 mutex_destroy(&(list
[i
].iacqf_lock
));
5256 kmem_free(list
, numentries
* sizeof (*list
));
5261 * Create an algorithm descriptor for an extended ACQUIRE. Filter crypto
5262 * framework's view of reality vs. IPsec's. EF's wins, BTW.
5265 sadb_new_algdesc(uint8_t *start
, uint8_t *limit
,
5266 sadb_x_ecomb_t
*ecomb
, uint8_t satype
, uint8_t algtype
,
5267 uint8_t alg
, uint16_t minbits
, uint16_t maxbits
, ipsec_stack_t
*ipss
)
5269 uint8_t *cur
= start
;
5270 ipsec_alginfo_t
*algp
;
5271 sadb_x_algdesc_t
*algdesc
= (sadb_x_algdesc_t
*)cur
;
5273 cur
+= sizeof (*algdesc
);
5277 ecomb
->sadb_x_ecomb_numalgs
++;
5280 * Normalize vs. crypto framework's limits. This way, you can specify
5281 * a stronger policy, and when the framework loads a stronger version,
5282 * you can just keep plowing w/o rewhacking your SPD.
5284 mutex_enter(&ipss
->ipsec_alg_lock
);
5285 algp
= ipss
->ipsec_alglists
[(algtype
== SADB_X_ALGTYPE_AUTH
) ?
5286 IPSEC_ALG_AUTH
: IPSEC_ALG_ENCR
][alg
];
5288 mutex_exit(&ipss
->ipsec_alg_lock
);
5289 return (NULL
); /* Algorithm doesn't exist. Fail gracefully. */
5291 if (minbits
< algp
->alg_ef_minbits
)
5292 minbits
= algp
->alg_ef_minbits
;
5293 if (maxbits
> algp
->alg_ef_maxbits
)
5294 maxbits
= algp
->alg_ef_maxbits
;
5295 mutex_exit(&ipss
->ipsec_alg_lock
);
5297 algdesc
->sadb_x_algdesc_reserved
= SADB_8TO1(algp
->alg_saltlen
);
5298 algdesc
->sadb_x_algdesc_satype
= satype
;
5299 algdesc
->sadb_x_algdesc_algtype
= algtype
;
5300 algdesc
->sadb_x_algdesc_alg
= alg
;
5301 algdesc
->sadb_x_algdesc_minbits
= minbits
;
5302 algdesc
->sadb_x_algdesc_maxbits
= maxbits
;
5308 * Convert the given ipsec_action_t into an ecomb starting at *ecomb
5309 * which must fit before *limit
5311 * return NULL if we ran out of room or a pointer to the end of the ecomb.
5314 sadb_action_to_ecomb(uint8_t *start
, uint8_t *limit
, ipsec_action_t
*act
,
5317 uint8_t *cur
= start
;
5318 sadb_x_ecomb_t
*ecomb
= (sadb_x_ecomb_t
*)cur
;
5320 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
5322 cur
+= sizeof (*ecomb
);
5326 ASSERT(act
->ipa_act
.ipa_type
== IPSEC_ACT_APPLY
);
5328 ipp
= &act
->ipa_act
.ipa_apply
;
5330 ecomb
->sadb_x_ecomb_numalgs
= 0;
5331 ecomb
->sadb_x_ecomb_reserved
= 0;
5332 ecomb
->sadb_x_ecomb_reserved2
= 0;
5334 * No limits on allocations, since we really don't support that
5335 * concept currently.
5337 ecomb
->sadb_x_ecomb_soft_allocations
= 0;
5338 ecomb
->sadb_x_ecomb_hard_allocations
= 0;
5341 * XXX TBD: Policy or global parameters will eventually be
5342 * able to fill in some of these.
5344 ecomb
->sadb_x_ecomb_flags
= 0;
5345 ecomb
->sadb_x_ecomb_soft_bytes
= 0;
5346 ecomb
->sadb_x_ecomb_hard_bytes
= 0;
5347 ecomb
->sadb_x_ecomb_soft_addtime
= 0;
5348 ecomb
->sadb_x_ecomb_hard_addtime
= 0;
5349 ecomb
->sadb_x_ecomb_soft_usetime
= 0;
5350 ecomb
->sadb_x_ecomb_hard_usetime
= 0;
5352 if (ipp
->ipp_use_ah
) {
5353 cur
= sadb_new_algdesc(cur
, limit
, ecomb
,
5354 SADB_SATYPE_AH
, SADB_X_ALGTYPE_AUTH
, ipp
->ipp_auth_alg
,
5355 ipp
->ipp_ah_minbits
, ipp
->ipp_ah_maxbits
, ipss
);
5358 ipsecah_fill_defs(ecomb
, ns
);
5361 if (ipp
->ipp_use_esp
) {
5362 if (ipp
->ipp_use_espa
) {
5363 cur
= sadb_new_algdesc(cur
, limit
, ecomb
,
5364 SADB_SATYPE_ESP
, SADB_X_ALGTYPE_AUTH
,
5365 ipp
->ipp_esp_auth_alg
,
5366 ipp
->ipp_espa_minbits
,
5367 ipp
->ipp_espa_maxbits
, ipss
);
5372 cur
= sadb_new_algdesc(cur
, limit
, ecomb
,
5373 SADB_SATYPE_ESP
, SADB_X_ALGTYPE_CRYPT
,
5375 ipp
->ipp_espe_minbits
,
5376 ipp
->ipp_espe_maxbits
, ipss
);
5379 /* Fill in lifetimes if and only if AH didn't already... */
5380 if (!ipp
->ipp_use_ah
)
5381 ipsecesp_fill_defs(ecomb
, ns
);
5387 #include <sys/tsol/label_macro.h> /* XXX should not need this */
5390 * From a cred_t, construct a sensitivity label extension
5392 * We send up a fixed-size sensitivity label bitmap, and are perhaps
5393 * overly chummy with the underlying data structures here.
5398 sadb_sens_len_from_label(ts_label_t
*tsl
)
5400 int baselen
= sizeof (sadb_sens_t
) + _C_LEN
* 4;
5401 return (roundup(baselen
, sizeof (uint64_t)));
5405 sadb_sens_from_label(sadb_sens_t
*sens
, int exttype
, ts_label_t
*tsl
,
5412 ASSERT((_C_LEN
& 1) == 0);
5413 ASSERT((senslen
& 7) == 0);
5415 sl
= label2bslabel(tsl
);
5417 sens
->sadb_sens_exttype
= exttype
;
5418 sens
->sadb_sens_len
= SADB_8TO64(senslen
);
5420 sens
->sadb_sens_dpd
= tsl
->tsl_doi
;
5421 sens
->sadb_sens_sens_level
= LCLASS(sl
);
5422 sens
->sadb_sens_integ_level
= 0; /* TBD */
5423 sens
->sadb_sens_sens_len
= _C_LEN
>> 1;
5424 sens
->sadb_sens_integ_len
= 0; /* TBD */
5425 sens
->sadb_x_sens_flags
= 0;
5427 bitmap
= (uint8_t *)(sens
+ 1);
5428 bcopy(&(((_bslabel_impl_t
*)sl
)->compartments
), bitmap
, _C_LEN
* 4);
5431 static sadb_sens_t
*
5432 sadb_make_sens_ext(ts_label_t
*tsl
, int *len
)
5434 /* XXX allocation failure? */
5435 int sens_len
= sadb_sens_len_from_label(tsl
);
5437 sadb_sens_t
*sens
= kmem_alloc(sens_len
, KM_SLEEP
);
5439 sadb_sens_from_label(sens
, SADB_EXT_SENSITIVITY
, tsl
, sens_len
);
5447 * Okay, how do we report errors/invalid labels from this?
5448 * With a special designated "not a label" cred_t ?
5452 sadb_label_from_sens(sadb_sens_t
*sens
, uint64_t *bitmap
)
5454 int bitmap_len
= SADB_64TO8(sens
->sadb_sens_sens_len
);
5458 if (sens
->sadb_sens_integ_level
!= 0)
5460 if (sens
->sadb_sens_integ_len
!= 0)
5462 if (bitmap_len
> _C_LEN
* 4)
5466 LCLASS_SET((_bslabel_impl_t
*)&sl
, sens
->sadb_sens_sens_level
);
5467 bcopy(bitmap
, &((_bslabel_impl_t
*)&sl
)->compartments
,
5470 tsl
= labelalloc(&sl
, sens
->sadb_sens_dpd
, KM_NOSLEEP
);
5474 if (sens
->sadb_x_sens_flags
& SADB_X_SENS_UNLABELED
)
5475 tsl
->tsl_flags
|= TSLF_UNLABELED
;
5479 /* End XXX label-library-leakage */
5482 * Construct an extended ACQUIRE message based on a selector and the resulting
5485 * NOTE: This is used by both inverse ACQUIRE and actual ACQUIRE
5486 * generation. As a consequence, expect this function to evolve
5490 sadb_extended_acquire(ipsec_selector_t
*sel
, ipsec_policy_t
*pol
,
5491 ipsec_action_t
*act
, boolean_t tunnel_mode
, uint32_t seq
, uint32_t pid
,
5492 sadb_sens_t
*sens
, netstack_t
*ns
)
5496 uint8_t *start
, *cur
, *end
;
5497 uint32_t *saddrptr
, *daddrptr
;
5500 ipsec_action_t
*ap
, *an
;
5501 ipsec_selkey_t
*ipsl
;
5502 uint8_t proto
, pfxlen
;
5503 uint16_t lport
, rport
;
5507 * Find the action we want sooner rather than later..
5520 * Just take a swag for the allocation for now. We can always
5523 #define SADB_EXTENDED_ACQUIRE_SIZE 4096
5524 mp
= allocb(SADB_EXTENDED_ACQUIRE_SIZE
, BPRI_HI
);
5529 end
= start
+ SADB_EXTENDED_ACQUIRE_SIZE
;
5533 samsg
= (sadb_msg_t
*)cur
;
5534 cur
+= sizeof (*samsg
);
5536 samsg
->sadb_msg_version
= PF_KEY_V2
;
5537 samsg
->sadb_msg_type
= SADB_ACQUIRE
;
5538 samsg
->sadb_msg_errno
= 0;
5539 samsg
->sadb_msg_reserved
= 0;
5540 samsg
->sadb_msg_satype
= 0;
5541 samsg
->sadb_msg_seq
= seq
;
5542 samsg
->sadb_msg_pid
= pid
;
5546 * Form inner address extensions based NOT on the inner
5547 * selectors (i.e. the packet data), but on the policy's
5548 * selector key (i.e. the policy's selector information).
5550 * NOTE: The position of IPv4 and IPv6 addresses is the
5551 * same in ipsec_selkey_t (unless the compiler does very
5552 * strange things with unions, consult your local C language
5553 * lawyer for details).
5555 ASSERT(pol
!= NULL
);
5557 ipsl
= &(pol
->ipsp_sel
->ipsl_key
);
5558 if (ipsl
->ipsl_valid
& IPSL_IPV4
) {
5560 ASSERT(sel
->ips_protocol
== IPPROTO_ENCAP
);
5561 ASSERT(!(ipsl
->ipsl_valid
& IPSL_IPV6
));
5564 ASSERT(sel
->ips_protocol
== IPPROTO_IPV6
);
5565 ASSERT(ipsl
->ipsl_valid
& IPSL_IPV6
);
5568 if (ipsl
->ipsl_valid
& IPSL_LOCAL_ADDR
) {
5569 saddrptr
= (uint32_t *)(&ipsl
->ipsl_local
);
5570 pfxlen
= ipsl
->ipsl_local_pfxlen
;
5572 saddrptr
= (uint32_t *)(&ipv6_all_zeros
);
5575 /* XXX What about ICMP type/code? */
5576 lport
= (ipsl
->ipsl_valid
& IPSL_LOCAL_PORT
) ?
5577 ipsl
->ipsl_lport
: 0;
5578 proto
= (ipsl
->ipsl_valid
& IPSL_PROTOCOL
) ?
5579 ipsl
->ipsl_proto
: 0;
5581 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_SRC
,
5582 af
, saddrptr
, lport
, proto
, pfxlen
);
5588 if (ipsl
->ipsl_valid
& IPSL_REMOTE_ADDR
) {
5589 daddrptr
= (uint32_t *)(&ipsl
->ipsl_remote
);
5590 pfxlen
= ipsl
->ipsl_remote_pfxlen
;
5592 daddrptr
= (uint32_t *)(&ipv6_all_zeros
);
5595 /* XXX What about ICMP type/code? */
5596 rport
= (ipsl
->ipsl_valid
& IPSL_REMOTE_PORT
) ?
5597 ipsl
->ipsl_rport
: 0;
5599 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_DST
,
5600 af
, daddrptr
, rport
, proto
, pfxlen
);
5606 * TODO - if we go to 3408's dream of transport mode IP-in-IP
5607 * _with_ inner-packet address selectors, we'll need to further
5608 * distinguish tunnel mode here. For now, having inner
5609 * addresses and/or ports is sufficient.
5611 * Meanwhile, whack proto/ports to reflect IP-in-IP for the
5614 proto
= sel
->ips_protocol
; /* Either _ENCAP or _IPV6 */
5616 } else if ((ap
!= NULL
) && (!ap
->ipa_want_unique
)) {
5621 ipsl
= &(pol
->ipsp_sel
->ipsl_key
);
5622 if (ipsl
->ipsl_valid
& IPSL_PROTOCOL
)
5623 proto
= ipsl
->ipsl_proto
;
5624 if (ipsl
->ipsl_valid
& IPSL_REMOTE_PORT
)
5625 rport
= ipsl
->ipsl_rport
;
5626 if (ipsl
->ipsl_valid
& IPSL_LOCAL_PORT
)
5627 lport
= ipsl
->ipsl_lport
;
5630 proto
= sel
->ips_protocol
;
5631 lport
= sel
->ips_local_port
;
5632 rport
= sel
->ips_remote_port
;
5635 af
= sel
->ips_isv4
? AF_INET
: AF_INET6
;
5638 * NOTE: The position of IPv4 and IPv6 addresses is the same in
5641 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_SRC
, af
,
5642 (uint32_t *)(&sel
->ips_local_addr_v6
), lport
, proto
, 0);
5649 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_DST
, af
,
5650 (uint32_t *)(&sel
->ips_remote_addr_v6
), rport
, proto
, 0);
5658 uint8_t *sensext
= cur
;
5659 int senslen
= SADB_64TO8(sens
->sadb_sens_len
);
5666 bcopy(sens
, sensext
, senslen
);
5670 * This section will change a lot as policy evolves.
5671 * For now, it'll be relatively simple.
5673 eprop
= (sadb_prop_t
*)cur
;
5674 cur
+= sizeof (*eprop
);
5681 eprop
->sadb_prop_exttype
= SADB_X_EXT_EPROP
;
5682 eprop
->sadb_x_prop_ereserved
= 0;
5683 eprop
->sadb_x_prop_numecombs
= 0;
5684 eprop
->sadb_prop_replay
= 32; /* default */
5688 for (; ap
!= NULL
; ap
= an
) {
5689 an
= (pol
!= NULL
) ? ap
->ipa_next
: NULL
;
5692 * Skip non-IPsec policies
5694 if (ap
->ipa_act
.ipa_type
!= IPSEC_ACT_APPLY
)
5697 if (ap
->ipa_act
.ipa_apply
.ipp_km_proto
)
5698 kmp
= ap
->ipa_act
.ipa_apply
.ipp_km_proto
;
5699 if (ap
->ipa_act
.ipa_apply
.ipp_km_cookie
)
5700 kmc
= ap
->ipa_act
.ipa_apply
.ipp_km_cookie
;
5701 if (ap
->ipa_act
.ipa_apply
.ipp_replay_depth
) {
5702 eprop
->sadb_prop_replay
=
5703 ap
->ipa_act
.ipa_apply
.ipp_replay_depth
;
5706 cur
= sadb_action_to_ecomb(cur
, end
, ap
, ns
);
5707 if (cur
== NULL
) { /* no space */
5711 eprop
->sadb_x_prop_numecombs
++;
5714 if (eprop
->sadb_x_prop_numecombs
== 0) {
5716 * This will happen if we fail to find a policy
5717 * allowing for IPsec processing.
5718 * Construct an error message.
5720 samsg
->sadb_msg_len
= SADB_8TO64(sizeof (*samsg
));
5721 samsg
->sadb_msg_errno
= ENOENT
;
5722 samsg
->sadb_x_msg_diagnostic
= 0;
5726 if ((kmp
!= 0) || (kmc
!= 0)) {
5727 cur
= sadb_make_kmc_ext(cur
, end
, kmp
, kmc
);
5734 eprop
->sadb_prop_len
= SADB_8TO64(cur
- (uint8_t *)eprop
);
5735 samsg
->sadb_msg_len
= SADB_8TO64(cur
- start
);
5742 * Generic setup of an RFC 2367 ACQUIRE message. Caller sets satype.
5744 * NOTE: This function acquires alg_lock as a side-effect if-and-only-if we
5745 * succeed (i.e. return non-NULL). Caller MUST release it. This is to
5746 * maximize code consolidation while preventing algorithm changes from messing
5747 * with the callers finishing touches on the ACQUIRE itself.
5750 sadb_setup_acquire(ipsacq_t
*acqrec
, uint8_t satype
, ipsec_stack_t
*ipss
)
5753 mblk_t
*pfkeymp
, *msgmp
;
5757 uint16_t sport_typecode
;
5758 uint16_t dport_typecode
;
5759 uint8_t check_proto
;
5760 boolean_t tunnel_mode
= (acqrec
->ipsacq_inneraddrfam
!= 0);
5762 ASSERT(MUTEX_HELD(&acqrec
->ipsacq_lock
));
5764 pfkeymp
= sadb_keysock_out(0);
5765 if (pfkeymp
== NULL
)
5769 * First, allocate a basic ACQUIRE message
5771 allocsize
= sizeof (sadb_msg_t
) + sizeof (sadb_address_t
) +
5772 sizeof (sadb_address_t
) + sizeof (sadb_prop_t
);
5774 /* Make sure there's enough to cover both AF_INET and AF_INET6. */
5775 allocsize
+= 2 * sizeof (struct sockaddr_in6
);
5777 mutex_enter(&ipss
->ipsec_alg_lock
);
5778 /* NOTE: The lock is now held through to this function's return. */
5779 allocsize
+= ipss
->ipsec_nalgs
[IPSEC_ALG_AUTH
] *
5780 ipss
->ipsec_nalgs
[IPSEC_ALG_ENCR
] * sizeof (sadb_comb_t
);
5784 allocsize
+= 2 * sizeof (sadb_address_t
);
5785 /* Enough to cover both AF_INET and AF_INET6. */
5786 allocsize
+= 2 * sizeof (struct sockaddr_in6
);
5789 msgmp
= allocb(allocsize
, BPRI_HI
);
5790 if (msgmp
== NULL
) {
5792 mutex_exit(&ipss
->ipsec_alg_lock
);
5796 pfkeymp
->b_cont
= msgmp
;
5797 cur
= msgmp
->b_rptr
;
5798 end
= cur
+ allocsize
;
5799 samsg
= (sadb_msg_t
*)cur
;
5800 cur
+= sizeof (sadb_msg_t
);
5802 af
= acqrec
->ipsacq_addrfam
;
5805 check_proto
= IPPROTO_ICMP
;
5808 check_proto
= IPPROTO_ICMPV6
;
5811 /* This should never happen unless we have kernel bugs. */
5813 "sadb_setup_acquire: corrupt ACQUIRE record.\n");
5815 mutex_exit(&ipss
->ipsec_alg_lock
);
5819 samsg
->sadb_msg_version
= PF_KEY_V2
;
5820 samsg
->sadb_msg_type
= SADB_ACQUIRE
;
5821 samsg
->sadb_msg_satype
= satype
;
5822 samsg
->sadb_msg_errno
= 0;
5823 samsg
->sadb_msg_pid
= 0;
5824 samsg
->sadb_msg_reserved
= 0;
5825 samsg
->sadb_msg_seq
= acqrec
->ipsacq_seq
;
5827 ASSERT(MUTEX_HELD(&acqrec
->ipsacq_lock
));
5829 if ((acqrec
->ipsacq_proto
== check_proto
) || tunnel_mode
) {
5830 sport_typecode
= dport_typecode
= 0;
5832 sport_typecode
= acqrec
->ipsacq_srcport
;
5833 dport_typecode
= acqrec
->ipsacq_dstport
;
5836 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_SRC
, af
,
5837 acqrec
->ipsacq_srcaddr
, sport_typecode
, acqrec
->ipsacq_proto
, 0);
5839 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_DST
, af
,
5840 acqrec
->ipsacq_dstaddr
, dport_typecode
, acqrec
->ipsacq_proto
, 0);
5843 sport_typecode
= acqrec
->ipsacq_srcport
;
5844 dport_typecode
= acqrec
->ipsacq_dstport
;
5845 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_SRC
,
5846 acqrec
->ipsacq_inneraddrfam
, acqrec
->ipsacq_innersrc
,
5847 sport_typecode
, acqrec
->ipsacq_inner_proto
,
5848 acqrec
->ipsacq_innersrcpfx
);
5849 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_DST
,
5850 acqrec
->ipsacq_inneraddrfam
, acqrec
->ipsacq_innerdst
,
5851 dport_typecode
, acqrec
->ipsacq_inner_proto
,
5852 acqrec
->ipsacq_innerdstpfx
);
5855 /* XXX Insert identity information here. */
5857 /* XXXMLS Insert sensitivity information here. */
5860 samsg
->sadb_msg_len
= SADB_8TO64(cur
- msgmp
->b_rptr
);
5862 mutex_exit(&ipss
->ipsec_alg_lock
);
5868 * Given an SADB_GETSPI message, find an appropriately ranged SA and
5869 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1.
5870 * If there was a memory allocation error, return NULL. (Assume NULL !=
5873 * master_spi is passed in host order.
5876 sadb_getspi(keysock_in_t
*ksi
, uint32_t master_spi
, int *diagnostic
,
5877 netstack_t
*ns
, uint_t sa_type
)
5879 sadb_address_t
*src
=
5880 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_SRC
],
5881 *dst
= (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_DST
];
5882 sadb_spirange_t
*range
=
5883 (sadb_spirange_t
*)ksi
->ks_in_extv
[SADB_EXT_SPIRANGE
];
5884 struct sockaddr_in
*ssa
, *dsa
;
5885 struct sockaddr_in6
*ssa6
, *dsa6
;
5886 uint32_t *srcaddr
, *dstaddr
;
5888 uint32_t add
, min
, max
;
5890 (sa_type
== SADB_SATYPE_AH
) ? IPPROTO_AH
: IPPROTO_ESP
;
5893 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SRC
;
5894 return ((ipsa_t
*)-1);
5897 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_DST
;
5898 return ((ipsa_t
*)-1);
5900 if (range
== NULL
) {
5901 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_RANGE
;
5902 return ((ipsa_t
*)-1);
5905 min
= ntohl(range
->sadb_spirange_min
);
5906 max
= ntohl(range
->sadb_spirange_max
);
5907 dsa
= (struct sockaddr_in
*)(dst
+ 1);
5908 dsa6
= (struct sockaddr_in6
*)dsa
;
5910 ssa
= (struct sockaddr_in
*)(src
+ 1);
5911 ssa6
= (struct sockaddr_in6
*)ssa
;
5912 ASSERT(dsa
->sin_family
== ssa
->sin_family
);
5914 srcaddr
= ALL_ZEROES_PTR
;
5915 af
= dsa
->sin_family
;
5919 srcaddr
= (uint32_t *)(&ssa
->sin_addr
);
5920 dstaddr
= (uint32_t *)(&dsa
->sin_addr
);
5924 srcaddr
= (uint32_t *)(&ssa6
->sin6_addr
);
5925 dstaddr
= (uint32_t *)(&dsa6
->sin6_addr
);
5928 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_DST_AF
;
5929 return ((ipsa_t
*)-1);
5932 if (master_spi
< min
|| master_spi
> max
) {
5933 /* Return a random value in the range. */
5934 if (cl_inet_getspi
) {
5935 cl_inet_getspi(ns
->netstack_stackid
, protocol
,
5936 (uint8_t *)&add
, sizeof (add
), NULL
);
5938 (void) random_get_pseudo_bytes((uint8_t *)&add
,
5941 master_spi
= min
+ (add
% (max
- min
+ 1));
5945 * Since master_spi is passed in host order, we need to htonl() it
5946 * for the purposes of creating a new SA.
5948 return (sadb_makelarvalassoc(htonl(master_spi
), srcaddr
, dstaddr
, af
,
5954 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the
5955 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list
5956 * and scan for the sequence number in question. I may wish to accept an
5957 * address pair with it, for easier searching.
5959 * Caller frees the message, so we don't have to here.
5961 * NOTE: The pfkey_q parameter may be used in the future for ACQUIRE
5966 sadb_in_acquire(sadb_msg_t
*samsg
, sadbp_t
*sp
, queue_t
*pfkey_q
,
5974 * I only accept the base header for this!
5975 * Though to be honest, requiring the dst address would help
5978 * XXX There are already cases where I can get the dst address.
5980 if (samsg
->sadb_msg_len
> SADB_8TO64(sizeof (*samsg
)))
5984 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it,
5985 * (and in the future send a message to IP with the appropriate error
5988 * Q: Do I want to reject if pid != 0?
5991 for (i
= 0; i
< sp
->s_v4
.sdb_hashsize
; i
++) {
5992 bucket
= &sp
->s_v4
.sdb_acq
[i
];
5993 mutex_enter(&bucket
->iacqf_lock
);
5994 for (acqrec
= bucket
->iacqf_ipsacq
; acqrec
!= NULL
;
5995 acqrec
= acqrec
->ipsacq_next
) {
5996 if (samsg
->sadb_msg_seq
== acqrec
->ipsacq_seq
)
5997 break; /* for acqrec... loop. */
6000 break; /* for i = 0... loop. */
6002 mutex_exit(&bucket
->iacqf_lock
);
6005 if (acqrec
== NULL
) {
6006 for (i
= 0; i
< sp
->s_v6
.sdb_hashsize
; i
++) {
6007 bucket
= &sp
->s_v6
.sdb_acq
[i
];
6008 mutex_enter(&bucket
->iacqf_lock
);
6009 for (acqrec
= bucket
->iacqf_ipsacq
; acqrec
!= NULL
;
6010 acqrec
= acqrec
->ipsacq_next
) {
6011 if (samsg
->sadb_msg_seq
== acqrec
->ipsacq_seq
)
6012 break; /* for acqrec... loop. */
6015 break; /* for i = 0... loop. */
6017 mutex_exit(&bucket
->iacqf_lock
);
6026 * What do I do with the errno and IP? I may need mp's services a
6027 * little more. See sadb_destroy_acquire() for future directions
6028 * beyond free the mblk chain on the acquire record.
6031 ASSERT(&bucket
->iacqf_lock
== acqrec
->ipsacq_linklock
);
6032 sadb_destroy_acquire(acqrec
, ns
);
6033 /* Have to exit mutex here, because of breaking out of for loop. */
6034 mutex_exit(&bucket
->iacqf_lock
);
6038 * The following functions work with the replay windows of an SA. They assume
6039 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector
6040 * represents the highest sequence number packet received, and back
6041 * (ipsa->ipsa_replay_wsize) packets.
6045 * Is the replay bit set?
6048 ipsa_is_replay_set(ipsa_t
*ipsa
, uint32_t offset
)
6050 uint64_t bit
= (uint64_t)1 << (uint64_t)(offset
& 63);
6052 return ((bit
& ipsa
->ipsa_replay_arr
[offset
>> 6]) ? B_TRUE
: B_FALSE
);
6056 * Shift the bits of the replay window over.
6059 ipsa_shift_replay(ipsa_t
*ipsa
, uint32_t shift
)
6062 int jump
= ((shift
- 1) >> 6) + 1;
6067 for (i
= (ipsa
->ipsa_replay_wsize
- 1) >> 6; i
>= 0; i
--) {
6068 if (i
+ jump
<= (ipsa
->ipsa_replay_wsize
- 1) >> 6) {
6069 ipsa
->ipsa_replay_arr
[i
+ jump
] |=
6070 ipsa
->ipsa_replay_arr
[i
] >> (64 - (shift
& 63));
6072 ipsa
->ipsa_replay_arr
[i
] <<= shift
;
6077 * Set a bit in the bit vector.
6080 ipsa_set_replay(ipsa_t
*ipsa
, uint32_t offset
)
6082 uint64_t bit
= (uint64_t)1 << (uint64_t)(offset
& 63);
6084 ipsa
->ipsa_replay_arr
[offset
>> 6] |= bit
;
6087 #define SADB_MAX_REPLAY_VALUE 0xffffffff
6090 * Assume caller has NOT done ntohl() already on seq. Check to see
6091 * if replay sequence number "seq" has been seen already.
6094 sadb_replay_check(ipsa_t
*ipsa
, uint32_t seq
)
6099 if (ipsa
->ipsa_replay_wsize
== 0)
6103 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek().
6106 /* Convert sequence number into host order before holding the mutex. */
6109 mutex_enter(&ipsa
->ipsa_lock
);
6111 /* Initialize inbound SA's ipsa_replay field to last one received. */
6112 if (ipsa
->ipsa_replay
== 0)
6113 ipsa
->ipsa_replay
= 1;
6115 if (seq
> ipsa
->ipsa_replay
) {
6117 * I have received a new "highest value received". Shift
6118 * the replay window over.
6120 diff
= seq
- ipsa
->ipsa_replay
;
6121 if (diff
< ipsa
->ipsa_replay_wsize
) {
6122 /* In replay window, shift bits over. */
6123 ipsa_shift_replay(ipsa
, diff
);
6125 /* WAY FAR AHEAD, clear bits and start again. */
6126 bzero(ipsa
->ipsa_replay_arr
,
6127 sizeof (ipsa
->ipsa_replay_arr
));
6129 ipsa_set_replay(ipsa
, 0);
6130 ipsa
->ipsa_replay
= seq
;
6134 diff
= ipsa
->ipsa_replay
- seq
;
6135 if (diff
>= ipsa
->ipsa_replay_wsize
|| ipsa_is_replay_set(ipsa
, diff
)) {
6139 /* Set this packet as seen. */
6140 ipsa_set_replay(ipsa
, diff
);
6144 mutex_exit(&ipsa
->ipsa_lock
);
6149 * "Peek" and see if we should even bother going through the effort of
6150 * running an authentication check on the sequence number passed in.
6151 * this takes into account packets that are below the replay window,
6152 * and collisions with already replayed packets. Return B_TRUE if it
6153 * is okay to proceed, B_FALSE if this packet should be dropped immediately.
6154 * Assume same byte-ordering as sadb_replay_check.
6157 sadb_replay_peek(ipsa_t
*ipsa
, uint32_t seq
)
6159 boolean_t rc
= B_FALSE
;
6162 if (ipsa
->ipsa_replay_wsize
== 0)
6166 * 0 is 0, regardless of byte order... :)
6168 * If I get 0 on the wire (and there is a replay window) then the
6169 * sender most likely wrapped. This ipsa may need to be marked or
6176 mutex_enter(&ipsa
->ipsa_lock
);
6177 if (seq
< ipsa
->ipsa_replay
- ipsa
->ipsa_replay_wsize
&&
6178 ipsa
->ipsa_replay
>= ipsa
->ipsa_replay_wsize
)
6182 * If I've hit 0xffffffff, then quite honestly, I don't need to
6183 * bother with formalities. I'm not accepting any more packets
6186 if (ipsa
->ipsa_replay
== SADB_MAX_REPLAY_VALUE
) {
6188 * Since we're already holding the lock, update the
6189 * expire time ala. sadb_replay_delete() and return.
6191 ipsa
->ipsa_hardexpiretime
= (time_t)1;
6195 if (seq
<= ipsa
->ipsa_replay
) {
6197 * This seq is in the replay window. I'm not below it,
6198 * because I already checked for that above!
6200 diff
= ipsa
->ipsa_replay
- seq
;
6201 if (ipsa_is_replay_set(ipsa
, diff
))
6204 /* Else return B_TRUE, I'm going to advance the window. */
6208 mutex_exit(&ipsa
->ipsa_lock
);
6213 * Delete a single SA.
6215 * For now, use the quick-and-dirty trick of making the association's
6216 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager().
6219 sadb_replay_delete(ipsa_t
*assoc
)
6221 mutex_enter(&assoc
->ipsa_lock
);
6222 assoc
->ipsa_hardexpiretime
= (time_t)1;
6223 mutex_exit(&assoc
->ipsa_lock
);
6227 * Special front-end to ipsec_rl_strlog() dealing with SA failure.
6228 * this is designed to take only a format string with "* %x * %s *", so
6229 * that "spi" is printed first, then "addr" is converted using inet_pton().
6231 * This is abstracted out to save the stack space for only when inet_pton()
6232 * is called. Make sure "spi" is in network order; it usually is when this
6236 ipsec_assocfailure(short mid
, short sid
, char level
, ushort_t sl
, char *fmt
,
6237 uint32_t spi
, void *addr
, int af
, netstack_t
*ns
)
6239 char buf
[INET6_ADDRSTRLEN
];
6241 ASSERT(af
== AF_INET6
|| af
== AF_INET
);
6243 ipsec_rl_strlog(ns
, mid
, sid
, level
, sl
, fmt
, ntohl(spi
),
6244 inet_ntop(af
, addr
, buf
, sizeof (buf
)));
6248 * Fills in a reference to the policy, if any, from the conn, in *ppp
6251 ipsec_conn_pol(ipsec_selector_t
*sel
, conn_t
*connp
, ipsec_policy_t
**ppp
)
6254 ipsec_latch_t
*ipl
= connp
->conn_latch
;
6256 if ((ipl
!= NULL
) && (connp
->conn_ixa
->ixa_ipsec_policy
!= NULL
)) {
6257 pp
= connp
->conn_ixa
->ixa_ipsec_policy
;
6260 pp
= ipsec_find_policy(IPSEC_TYPE_OUTBOUND
, connp
, sel
,
6261 connp
->conn_netstack
);
6267 * The following functions scan through active conn_t structures
6268 * and return a reference to the best-matching policy it can find.
6269 * Caller must release the reference.
6272 ipsec_udp_pol(ipsec_selector_t
*sel
, ipsec_policy_t
**ppp
, ip_stack_t
*ipst
)
6275 conn_t
*connp
= NULL
;
6276 ipsec_selector_t portonly
;
6278 bzero((void *)&portonly
, sizeof (portonly
));
6280 if (sel
->ips_local_port
== 0)
6283 connfp
= &ipst
->ips_ipcl_udp_fanout
[IPCL_UDP_HASH(sel
->ips_local_port
,
6285 mutex_enter(&connfp
->connf_lock
);
6287 if (sel
->ips_isv4
) {
6288 connp
= connfp
->connf_head
;
6289 while (connp
!= NULL
) {
6290 if (IPCL_UDP_MATCH(connp
, sel
->ips_local_port
,
6291 sel
->ips_local_addr_v4
, sel
->ips_remote_port
,
6292 sel
->ips_remote_addr_v4
))
6294 connp
= connp
->conn_next
;
6297 if (connp
== NULL
) {
6298 /* Try port-only match in IPv6. */
6299 portonly
.ips_local_port
= sel
->ips_local_port
;
6304 if (connp
== NULL
) {
6305 connp
= connfp
->connf_head
;
6306 while (connp
!= NULL
) {
6307 if (IPCL_UDP_MATCH_V6(connp
, sel
->ips_local_port
,
6308 sel
->ips_local_addr_v6
, sel
->ips_remote_port
,
6309 sel
->ips_remote_addr_v6
))
6311 connp
= connp
->conn_next
;
6314 if (connp
== NULL
) {
6315 mutex_exit(&connfp
->connf_lock
);
6320 CONN_INC_REF(connp
);
6321 mutex_exit(&connfp
->connf_lock
);
6323 ipsec_conn_pol(sel
, connp
, ppp
);
6324 CONN_DEC_REF(connp
);
6328 ipsec_find_listen_conn(uint16_t *pptr
, ipsec_selector_t
*sel
, ip_stack_t
*ipst
)
6331 conn_t
*connp
= NULL
;
6332 const in6_addr_t
*v6addrmatch
= &sel
->ips_local_addr_v6
;
6334 if (sel
->ips_local_port
== 0)
6337 connfp
= &ipst
->ips_ipcl_bind_fanout
[
6338 IPCL_BIND_HASH(sel
->ips_local_port
, ipst
)];
6339 mutex_enter(&connfp
->connf_lock
);
6341 if (sel
->ips_isv4
) {
6342 connp
= connfp
->connf_head
;
6343 while (connp
!= NULL
) {
6344 if (IPCL_BIND_MATCH(connp
, IPPROTO_TCP
,
6345 sel
->ips_local_addr_v4
, pptr
[1]))
6347 connp
= connp
->conn_next
;
6350 if (connp
== NULL
) {
6351 /* Match to all-zeroes. */
6352 v6addrmatch
= &ipv6_all_zeros
;
6356 if (connp
== NULL
) {
6357 connp
= connfp
->connf_head
;
6358 while (connp
!= NULL
) {
6359 if (IPCL_BIND_MATCH_V6(connp
, IPPROTO_TCP
,
6360 *v6addrmatch
, pptr
[1]))
6362 connp
= connp
->conn_next
;
6365 if (connp
== NULL
) {
6366 mutex_exit(&connfp
->connf_lock
);
6371 CONN_INC_REF(connp
);
6372 mutex_exit(&connfp
->connf_lock
);
6377 ipsec_tcp_pol(ipsec_selector_t
*sel
, ipsec_policy_t
**ppp
, ip_stack_t
*ipst
)
6382 uint16_t *pptr
= (uint16_t *)&ports
;
6385 * Find TCP state in the following order:
6386 * 1.) Connected conns.
6389 * Even though #2 will be the common case for inbound traffic, only
6390 * following this order insures correctness.
6393 if (sel
->ips_local_port
== 0)
6397 * 0 should be fport, 1 should be lport. SRC is the local one here.
6398 * See ipsec_construct_inverse_acquire() for details.
6400 pptr
[0] = sel
->ips_remote_port
;
6401 pptr
[1] = sel
->ips_local_port
;
6403 connfp
= &ipst
->ips_ipcl_conn_fanout
[
6404 IPCL_CONN_HASH(sel
->ips_remote_addr_v4
, ports
, ipst
)];
6405 mutex_enter(&connfp
->connf_lock
);
6406 connp
= connfp
->connf_head
;
6408 if (sel
->ips_isv4
) {
6409 while (connp
!= NULL
) {
6410 if (IPCL_CONN_MATCH(connp
, IPPROTO_TCP
,
6411 sel
->ips_remote_addr_v4
, sel
->ips_local_addr_v4
,
6414 connp
= connp
->conn_next
;
6417 while (connp
!= NULL
) {
6418 if (IPCL_CONN_MATCH_V6(connp
, IPPROTO_TCP
,
6419 sel
->ips_remote_addr_v6
, sel
->ips_local_addr_v6
,
6422 connp
= connp
->conn_next
;
6426 if (connp
!= NULL
) {
6427 CONN_INC_REF(connp
);
6428 mutex_exit(&connfp
->connf_lock
);
6430 mutex_exit(&connfp
->connf_lock
);
6432 /* Try the listen hash. */
6433 if ((connp
= ipsec_find_listen_conn(pptr
, sel
, ipst
)) == NULL
)
6437 ipsec_conn_pol(sel
, connp
, ppp
);
6438 CONN_DEC_REF(connp
);
6442 ipsec_sctp_pol(ipsec_selector_t
*sel
, ipsec_policy_t
**ppp
,
6447 uint16_t *pptr
= (uint16_t *)&ports
;
6450 * Find SCP state in the following order:
6451 * 1.) Connected conns.
6454 * Even though #2 will be the common case for inbound traffic, only
6455 * following this order insures correctness.
6458 if (sel
->ips_local_port
== 0)
6462 * 0 should be fport, 1 should be lport. SRC is the local one here.
6463 * See ipsec_construct_inverse_acquire() for details.
6465 pptr
[0] = sel
->ips_remote_port
;
6466 pptr
[1] = sel
->ips_local_port
;
6469 * For labeled systems, there's no need to check the
6470 * label here. It's known to be good as we checked
6471 * before allowing the connection to become bound.
6473 if (sel
->ips_isv4
) {
6474 in6_addr_t src
, dst
;
6476 IN6_IPADDR_TO_V4MAPPED(sel
->ips_remote_addr_v4
, &dst
);
6477 IN6_IPADDR_TO_V4MAPPED(sel
->ips_local_addr_v4
, &src
);
6478 connp
= sctp_find_conn(&dst
, &src
, ports
, ALL_ZONES
,
6479 0, ipst
->ips_netstack
->netstack_sctp
);
6481 connp
= sctp_find_conn(&sel
->ips_remote_addr_v6
,
6482 &sel
->ips_local_addr_v6
, ports
, ALL_ZONES
,
6483 0, ipst
->ips_netstack
->netstack_sctp
);
6487 ipsec_conn_pol(sel
, connp
, ppp
);
6488 CONN_DEC_REF(connp
);
6492 * Fill in a query for the SPD (in "sel") using two PF_KEY address extensions.
6493 * Returns 0 or errno, and always sets *diagnostic to something appropriate
6496 * NOTE: For right now, this function (and ipsec_selector_t for that matter),
6497 * ignore prefix lengths in the address extension. Since we match on first-
6498 * entered policies, this shouldn't matter. Also, since we normalize prefix-
6499 * set addresses to mask out the lower bits, we should get a suitable search
6500 * key for the SPD anyway. This is the function to change if the assumption
6501 * about suitable search keys is wrong.
6504 ipsec_get_inverse_acquire_sel(ipsec_selector_t
*sel
, sadb_address_t
*srcext
,
6505 sadb_address_t
*dstext
, int *diagnostic
)
6507 struct sockaddr_in
*src
, *dst
;
6508 struct sockaddr_in6
*src6
, *dst6
;
6512 bzero(sel
, sizeof (*sel
));
6513 sel
->ips_protocol
= srcext
->sadb_address_proto
;
6514 dst
= (struct sockaddr_in
*)(dstext
+ 1);
6515 if (dst
->sin_family
== AF_INET6
) {
6516 dst6
= (struct sockaddr_in6
*)dst
;
6517 src6
= (struct sockaddr_in6
*)(srcext
+ 1);
6518 if (src6
->sin6_family
!= AF_INET6
) {
6519 *diagnostic
= SADB_X_DIAGNOSTIC_AF_MISMATCH
;
6522 sel
->ips_remote_addr_v6
= dst6
->sin6_addr
;
6523 sel
->ips_local_addr_v6
= src6
->sin6_addr
;
6524 if (sel
->ips_protocol
== IPPROTO_ICMPV6
) {
6525 sel
->ips_is_icmp_inv_acq
= 1;
6527 sel
->ips_remote_port
= dst6
->sin6_port
;
6528 sel
->ips_local_port
= src6
->sin6_port
;
6530 sel
->ips_isv4
= B_FALSE
;
6532 src
= (struct sockaddr_in
*)(srcext
+ 1);
6533 if (src
->sin_family
!= AF_INET
) {
6534 *diagnostic
= SADB_X_DIAGNOSTIC_AF_MISMATCH
;
6537 sel
->ips_remote_addr_v4
= dst
->sin_addr
.s_addr
;
6538 sel
->ips_local_addr_v4
= src
->sin_addr
.s_addr
;
6539 if (sel
->ips_protocol
== IPPROTO_ICMP
) {
6540 sel
->ips_is_icmp_inv_acq
= 1;
6542 sel
->ips_remote_port
= dst
->sin_port
;
6543 sel
->ips_local_port
= src
->sin_port
;
6545 sel
->ips_isv4
= B_TRUE
;
6551 * We have encapsulation.
6552 * - Lookup tun_t by address and look for an associated
6554 * - If there are inner selectors
6555 * - check ITPF_P_TUNNEL and ITPF_P_ACTIVE
6556 * - Look up tunnel policy based on selectors
6558 * - Sanity check the negotation
6559 * - If appropriate, fall through to global policy
6562 ipsec_tun_pol(ipsec_selector_t
*sel
, ipsec_policy_t
**ppp
,
6563 sadb_address_t
*innsrcext
, sadb_address_t
*inndstext
, ipsec_tun_pol_t
*itp
,
6567 ipsec_policy_head_t
*polhead
;
6571 /* Check for inner selectors and act appropriately */
6573 if (innsrcext
!= NULL
) {
6574 /* Inner selectors present */
6575 ASSERT(inndstext
!= NULL
);
6576 if ((itp
== NULL
) ||
6577 (itp
->itp_flags
& (ITPF_P_ACTIVE
| ITPF_P_TUNNEL
)) !=
6578 (ITPF_P_ACTIVE
| ITPF_P_TUNNEL
)) {
6580 * If inner packet selectors, we must have negotiate
6581 * tunnel and active policy. If the tunnel has
6582 * transport-mode policy set on it, or has no policy,
6588 * Reset "sel" to indicate inner selectors. Pass
6589 * inner PF_KEY address extensions for this to happen.
6591 if ((err
= ipsec_get_inverse_acquire_sel(sel
,
6592 innsrcext
, inndstext
, diagnostic
)) != 0)
6595 * Now look for a tunnel policy based on those inner
6596 * selectors. (Common code is below.)
6600 /* No inner selectors present */
6601 if ((itp
== NULL
) || !(itp
->itp_flags
& ITPF_P_ACTIVE
)) {
6603 * Transport mode negotiation with no tunnel policy
6604 * configured - return to indicate a global policy
6608 } else if (itp
->itp_flags
& ITPF_P_TUNNEL
) {
6609 /* Tunnel mode set with no inner selectors. */
6613 * Else, this is a tunnel policy configured with ifconfig(1m)
6614 * or "negotiate transport" with ipsecconf(1m). We have an
6615 * itp with policy set based on any match, so don't bother
6616 * changing fields in "sel".
6620 ASSERT(itp
!= NULL
);
6621 polhead
= itp
->itp_policy
;
6622 ASSERT(polhead
!= NULL
);
6623 rw_enter(&polhead
->iph_lock
, RW_READER
);
6624 *ppp
= ipsec_find_policy_head(NULL
, polhead
, IPSEC_TYPE_INBOUND
, sel
);
6625 rw_exit(&polhead
->iph_lock
);
6628 * Don't default to global if we didn't find a matching policy entry.
6629 * Instead, send ENOENT, just like if we hit a transport-mode tunnel.
6638 * For sctp conn_faddr is the primary address, hence this is of limited
6642 ipsec_oth_pol(ipsec_selector_t
*sel
, ipsec_policy_t
**ppp
,
6645 boolean_t isv4
= sel
->ips_isv4
;
6650 connfp
= &ipst
->ips_ipcl_proto_fanout_v4
[sel
->ips_protocol
];
6652 connfp
= &ipst
->ips_ipcl_proto_fanout_v6
[sel
->ips_protocol
];
6655 mutex_enter(&connfp
->connf_lock
);
6656 for (connp
= connfp
->connf_head
; connp
!= NULL
;
6657 connp
= connp
->conn_next
) {
6659 if ((connp
->conn_laddr_v4
== INADDR_ANY
||
6660 connp
->conn_laddr_v4
== sel
->ips_local_addr_v4
) &&
6661 (connp
->conn_faddr_v4
== INADDR_ANY
||
6662 connp
->conn_faddr_v4
== sel
->ips_remote_addr_v4
))
6665 if ((IN6_IS_ADDR_UNSPECIFIED(&connp
->conn_laddr_v6
) ||
6666 IN6_ARE_ADDR_EQUAL(&connp
->conn_laddr_v6
,
6667 &sel
->ips_local_addr_v6
)) &&
6668 (IN6_IS_ADDR_UNSPECIFIED(&connp
->conn_faddr_v6
) ||
6669 IN6_ARE_ADDR_EQUAL(&connp
->conn_faddr_v6
,
6670 &sel
->ips_remote_addr_v6
)))
6674 if (connp
== NULL
) {
6675 mutex_exit(&connfp
->connf_lock
);
6679 CONN_INC_REF(connp
);
6680 mutex_exit(&connfp
->connf_lock
);
6682 ipsec_conn_pol(sel
, connp
, ppp
);
6683 CONN_DEC_REF(connp
);
6687 * Construct an inverse ACQUIRE reply based on:
6689 * 1.) Current global policy.
6690 * 2.) An conn_t match depending on what all was passed in the extv[].
6691 * 3.) A tunnel's policy head.
6693 * N.) Other stuff TBD (e.g. identities)
6695 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic
6696 * in this function so the caller can extract them where appropriately.
6698 * The SRC address is the local one - just like an outbound ACQUIRE message.
6700 * XXX MLS: key management supplies a label which we just reflect back up
6701 * again. clearly we need to involve the label in the rest of the checks.
6704 ipsec_construct_inverse_acquire(sadb_msg_t
*samsg
, sadb_ext_t
*extv
[],
6709 sadb_address_t
*srcext
= (sadb_address_t
*)extv
[SADB_EXT_ADDRESS_SRC
],
6710 *dstext
= (sadb_address_t
*)extv
[SADB_EXT_ADDRESS_DST
],
6711 *innsrcext
= (sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_INNER_SRC
],
6712 *inndstext
= (sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_INNER_DST
];
6713 sadb_sens_t
*sens
= (sadb_sens_t
*)extv
[SADB_EXT_SENSITIVITY
];
6714 struct sockaddr_in6
*src
, *dst
;
6715 struct sockaddr_in6
*isrc
, *idst
;
6716 ipsec_tun_pol_t
*itp
= NULL
;
6717 ipsec_policy_t
*pp
= NULL
;
6718 ipsec_selector_t sel
, isel
;
6719 mblk_t
*retmp
= NULL
;
6720 ip_stack_t
*ipst
= ns
->netstack_ip
;
6723 /* Normalize addresses */
6724 if (sadb_addrcheck(NULL
, (mblk_t
*)samsg
, (sadb_ext_t
*)srcext
, 0, ns
)
6725 == KS_IN_ADDR_UNKNOWN
) {
6727 diagnostic
= SADB_X_DIAGNOSTIC_BAD_SRC
;
6730 src
= (struct sockaddr_in6
*)(srcext
+ 1);
6731 if (sadb_addrcheck(NULL
, (mblk_t
*)samsg
, (sadb_ext_t
*)dstext
, 0, ns
)
6732 == KS_IN_ADDR_UNKNOWN
) {
6734 diagnostic
= SADB_X_DIAGNOSTIC_BAD_DST
;
6737 dst
= (struct sockaddr_in6
*)(dstext
+ 1);
6738 if (src
->sin6_family
!= dst
->sin6_family
) {
6740 diagnostic
= SADB_X_DIAGNOSTIC_AF_MISMATCH
;
6744 /* Check for tunnel mode and act appropriately */
6745 if (innsrcext
!= NULL
) {
6746 if (inndstext
== NULL
) {
6748 diagnostic
= SADB_X_DIAGNOSTIC_MISSING_INNER_DST
;
6751 if (sadb_addrcheck(NULL
, (mblk_t
*)samsg
,
6752 (sadb_ext_t
*)innsrcext
, 0, ns
) == KS_IN_ADDR_UNKNOWN
) {
6754 diagnostic
= SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC
;
6757 isrc
= (struct sockaddr_in6
*)(innsrcext
+ 1);
6758 if (sadb_addrcheck(NULL
, (mblk_t
*)samsg
,
6759 (sadb_ext_t
*)inndstext
, 0, ns
) == KS_IN_ADDR_UNKNOWN
) {
6761 diagnostic
= SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST
;
6764 idst
= (struct sockaddr_in6
*)(inndstext
+ 1);
6765 if (isrc
->sin6_family
!= idst
->sin6_family
) {
6767 diagnostic
= SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH
;
6770 if (isrc
->sin6_family
!= AF_INET
&&
6771 isrc
->sin6_family
!= AF_INET6
) {
6773 diagnostic
= SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF
;
6776 } else if (inndstext
!= NULL
) {
6778 diagnostic
= SADB_X_DIAGNOSTIC_MISSING_INNER_SRC
;
6782 /* Get selectors first, based on outer addresses */
6783 err
= ipsec_get_inverse_acquire_sel(&sel
, srcext
, dstext
, &diagnostic
);
6787 /* Check for tunnel mode mismatches. */
6788 if (innsrcext
!= NULL
&&
6789 ((isrc
->sin6_family
== AF_INET
&&
6790 sel
.ips_protocol
!= IPPROTO_ENCAP
&& sel
.ips_protocol
!= 0) ||
6791 (isrc
->sin6_family
== AF_INET6
&&
6792 sel
.ips_protocol
!= IPPROTO_IPV6
&& sel
.ips_protocol
!= 0))) {
6798 * Okay, we have the addresses and other selector information.
6799 * Let's first find a conn...
6802 switch (sel
.ips_protocol
) {
6804 ipsec_tcp_pol(&sel
, &pp
, ipst
);
6807 ipsec_udp_pol(&sel
, &pp
, ipst
);
6810 ipsec_sctp_pol(&sel
, &pp
, ipst
);
6815 * Assume sel.ips_remote_addr_* has the right address at
6816 * that exact position.
6818 itp
= itp_get_byaddr((uint32_t *)(&sel
.ips_local_addr_v6
),
6819 (uint32_t *)(&sel
.ips_remote_addr_v6
), src
->sin6_family
,
6822 if (innsrcext
== NULL
) {
6824 * Transport-mode tunnel, make sure we fake out isel
6825 * to contain something based on the outer protocol.
6827 bzero(&isel
, sizeof (isel
));
6828 isel
.ips_isv4
= (sel
.ips_protocol
== IPPROTO_ENCAP
);
6829 } /* Else isel is initialized by ipsec_tun_pol(). */
6830 err
= ipsec_tun_pol(&isel
, &pp
, innsrcext
, inndstext
, itp
,
6833 * NOTE: isel isn't used for now, but in RFC 430x IPsec, it
6840 ipsec_oth_pol(&sel
, &pp
, ipst
);
6845 * If we didn't find a matching conn_t or other policy head, take a
6846 * look in the global policy.
6849 pp
= ipsec_find_policy(IPSEC_TYPE_OUTBOUND
, NULL
, &sel
, ns
);
6851 /* There's no global policy. */
6859 * Now that we have a policy entry/widget, construct an ACQUIRE
6860 * message based on that, fix fields where appropriate,
6861 * and return the message.
6863 retmp
= sadb_extended_acquire(&sel
, pp
, NULL
,
6864 (itp
!= NULL
&& (itp
->itp_flags
& ITPF_P_TUNNEL
)),
6865 samsg
->sadb_msg_seq
, samsg
->sadb_msg_pid
, sens
, ns
);
6869 ASSERT(err
== 0 && diagnostic
== 0);
6874 ITP_REFRELE(itp
, ns
);
6876 samsg
->sadb_msg_errno
= (uint8_t)err
;
6877 samsg
->sadb_x_msg_diagnostic
= (uint16_t)diagnostic
;
6882 * ipsa_lpkt is a one-element queue, only manipulated by the next two
6883 * functions. They have to hold the ipsa_lock because of potential races
6884 * between key management using SADB_UPDATE, and inbound packets that may
6885 * queue up on the larval SA (hence the 'l' in "lpkt").
6891 * Returns the passed-in packet if the SA is no longer larval.
6893 * Returns NULL if the SA is larval, and needs to be swapped into the SA for
6894 * processing after an SADB_UPDATE.
6897 sadb_set_lpkt(ipsa_t
*ipsa
, mblk_t
*npkt
, ip_recv_attr_t
*ira
)
6901 mutex_enter(&ipsa
->ipsa_lock
);
6902 opkt
= ipsa
->ipsa_lpkt
;
6903 if (ipsa
->ipsa_state
== IPSA_STATE_LARVAL
) {
6905 * Consume npkt and place it in the LARVAL SA's inbound
6910 attrmp
= ip_recv_attr_to_mblk(ira
);
6911 if (attrmp
== NULL
) {
6912 ill_t
*ill
= ira
->ira_ill
;
6914 BUMP_MIB(ill
->ill_ip_mib
, ipIfStatsInDiscards
);
6915 ip_drop_input("ipIfStatsInDiscards", npkt
, ill
);
6919 ASSERT(attrmp
->b_cont
== NULL
);
6920 attrmp
->b_cont
= npkt
;
6921 ipsa
->ipsa_lpkt
= attrmp
;
6926 * If not larval, we lost the race. NOTE: ipsa_lpkt may still
6927 * have been non-NULL in the non-larval case, because of
6928 * inbound packets arriving prior to sadb_common_add()
6929 * transferring the SA completely out of larval state, but
6930 * after lpkt was grabbed by the AH/ESP-specific add routines.
6931 * We should clear the old ipsa_lpkt in this case to make sure
6932 * that it doesn't linger on the now-MATURE IPsec SA, or get
6933 * picked up as an out-of-order packet.
6935 ipsa
->ipsa_lpkt
= NULL
;
6937 mutex_exit(&ipsa
->ipsa_lock
);
6940 ipsec_stack_t
*ipss
;
6942 ipss
= ira
->ira_ill
->ill_ipst
->ips_netstack
->netstack_ipsec
;
6943 opkt
= ip_recv_attr_free_mblk(opkt
);
6944 ip_drop_packet(opkt
, B_TRUE
, ira
->ira_ill
,
6945 DROPPER(ipss
, ipds_sadb_inlarval_replace
),
6946 &ipss
->ipsec_sadb_dropper
);
6952 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the
6956 sadb_clear_lpkt(ipsa_t
*ipsa
)
6960 mutex_enter(&ipsa
->ipsa_lock
);
6961 opkt
= ipsa
->ipsa_lpkt
;
6962 ipsa
->ipsa_lpkt
= NULL
;
6963 mutex_exit(&ipsa
->ipsa_lock
);
6968 * Buffer a packet that's in IDLE state as set by Solaris Clustering.
6971 sadb_buf_pkt(ipsa_t
*ipsa
, mblk_t
*bpkt
, ip_recv_attr_t
*ira
)
6973 netstack_t
*ns
= ira
->ira_ill
->ill_ipst
->ips_netstack
;
6974 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
6975 in6_addr_t
*srcaddr
= (in6_addr_t
*)(&ipsa
->ipsa_srcaddr
);
6976 in6_addr_t
*dstaddr
= (in6_addr_t
*)(&ipsa
->ipsa_dstaddr
);
6979 ASSERT(ipsa
->ipsa_state
== IPSA_STATE_IDLE
);
6981 if (cl_inet_idlesa
== NULL
) {
6982 ip_drop_packet(bpkt
, B_TRUE
, ira
->ira_ill
,
6983 DROPPER(ipss
, ipds_sadb_inidle_overflow
),
6984 &ipss
->ipsec_sadb_dropper
);
6988 cl_inet_idlesa(ns
->netstack_stackid
,
6989 (ipsa
->ipsa_type
== SADB_SATYPE_AH
) ? IPPROTO_AH
: IPPROTO_ESP
,
6990 ipsa
->ipsa_spi
, ipsa
->ipsa_addrfam
, *srcaddr
, *dstaddr
, NULL
);
6992 mp
= ip_recv_attr_to_mblk(ira
);
6994 ip_drop_packet(bpkt
, B_TRUE
, ira
->ira_ill
,
6995 DROPPER(ipss
, ipds_sadb_inidle_overflow
),
6996 &ipss
->ipsec_sadb_dropper
);
7001 mutex_enter(&ipsa
->ipsa_lock
);
7002 ipsa
->ipsa_mblkcnt
++;
7003 if (ipsa
->ipsa_bpkt_head
== NULL
) {
7004 ipsa
->ipsa_bpkt_head
= ipsa
->ipsa_bpkt_tail
= bpkt
;
7006 ipsa
->ipsa_bpkt_tail
->b_next
= bpkt
;
7007 ipsa
->ipsa_bpkt_tail
= bpkt
;
7008 if (ipsa
->ipsa_mblkcnt
> SADB_MAX_IDLEPKTS
) {
7011 tmp
= ipsa
->ipsa_bpkt_head
;
7012 ipsa
->ipsa_bpkt_head
= ipsa
->ipsa_bpkt_head
->b_next
;
7013 tmp
= ip_recv_attr_free_mblk(tmp
);
7014 ip_drop_packet(tmp
, B_TRUE
, NULL
,
7015 DROPPER(ipss
, ipds_sadb_inidle_overflow
),
7016 &ipss
->ipsec_sadb_dropper
);
7017 ipsa
->ipsa_mblkcnt
--;
7020 mutex_exit(&ipsa
->ipsa_lock
);
7024 * Stub function that taskq_dispatch() invokes to take the mblk (in arg)
7025 * and put into STREAMS again.
7028 sadb_clear_buf_pkt(void *ipkt
)
7030 mblk_t
*tmp
, *buf_pkt
;
7031 ip_recv_attr_t iras
;
7033 buf_pkt
= (mblk_t
*)ipkt
;
7035 while (buf_pkt
!= NULL
) {
7038 tmp
= buf_pkt
->b_next
;
7039 buf_pkt
->b_next
= NULL
;
7041 data_mp
= buf_pkt
->b_cont
;
7042 buf_pkt
->b_cont
= NULL
;
7043 if (!ip_recv_attr_from_mblk(buf_pkt
, &iras
)) {
7044 /* The ill or ip_stack_t disappeared on us. */
7045 ip_drop_input("ip_recv_attr_from_mblk", data_mp
, NULL
);
7048 ip_input_post_ipsec(data_mp
, &iras
);
7050 ira_cleanup(&iras
, B_TRUE
);
7055 * Walker callback used by sadb_alg_update() to free/create crypto
7056 * context template when a crypto software provider is removed or
7060 struct sadb_update_alg_state
{
7061 ipsec_algtype_t alg_type
;
7064 boolean_t async_auth
;
7065 boolean_t async_encr
;
7069 sadb_alg_update_cb(isaf_t
*head
, ipsa_t
*entry
, void *cookie
)
7071 struct sadb_update_alg_state
*update_state
=
7072 (struct sadb_update_alg_state
*)cookie
;
7073 crypto_ctx_template_t
*ctx_tmpl
= NULL
;
7075 ASSERT(MUTEX_HELD(&head
->isaf_lock
));
7077 if (entry
->ipsa_state
== IPSA_STATE_LARVAL
)
7080 mutex_enter(&entry
->ipsa_lock
);
7082 if ((entry
->ipsa_encr_alg
!= SADB_EALG_NONE
&& entry
->ipsa_encr_alg
!=
7083 SADB_EALG_NULL
&& update_state
->async_encr
) ||
7084 (entry
->ipsa_auth_alg
!= SADB_AALG_NONE
&&
7085 update_state
->async_auth
)) {
7086 entry
->ipsa_flags
|= IPSA_F_ASYNC
;
7088 entry
->ipsa_flags
&= ~IPSA_F_ASYNC
;
7091 switch (update_state
->alg_type
) {
7092 case IPSEC_ALG_AUTH
:
7093 if (entry
->ipsa_auth_alg
== update_state
->alg_id
)
7094 ctx_tmpl
= &entry
->ipsa_authtmpl
;
7096 case IPSEC_ALG_ENCR
:
7097 if (entry
->ipsa_encr_alg
== update_state
->alg_id
)
7098 ctx_tmpl
= &entry
->ipsa_encrtmpl
;
7104 if (ctx_tmpl
== NULL
) {
7105 mutex_exit(&entry
->ipsa_lock
);
7110 * The context template of the SA may be affected by the change
7111 * of crypto provider.
7113 if (update_state
->is_added
) {
7114 /* create the context template if not already done */
7115 if (*ctx_tmpl
== NULL
) {
7116 (void) ipsec_create_ctx_tmpl(entry
,
7117 update_state
->alg_type
);
7121 * The crypto provider was removed. If the context template
7122 * exists but it is no longer valid, free it.
7124 if (*ctx_tmpl
!= NULL
)
7125 ipsec_destroy_ctx_tmpl(entry
, update_state
->alg_type
);
7128 mutex_exit(&entry
->ipsa_lock
);
7132 * Invoked by IP when an software crypto provider has been updated, or if
7133 * the crypto synchrony changes. The type and id of the corresponding
7134 * algorithm is passed as argument. The type is set to ALL in the case of
7135 * a synchrony change.
7137 * is_added is B_TRUE if the provider was added, B_FALSE if it was
7138 * removed. The function updates the SADB and free/creates the
7139 * context templates associated with SAs if needed.
7142 #define SADB_ALG_UPDATE_WALK(sadb, table) \
7143 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \
7147 sadb_alg_update(ipsec_algtype_t alg_type
, uint8_t alg_id
, boolean_t is_added
,
7150 struct sadb_update_alg_state update_state
;
7151 ipsecah_stack_t
*ahstack
= ns
->netstack_ipsecah
;
7152 ipsecesp_stack_t
*espstack
= ns
->netstack_ipsecesp
;
7153 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
7155 update_state
.alg_type
= alg_type
;
7156 update_state
.alg_id
= alg_id
;
7157 update_state
.is_added
= is_added
;
7158 update_state
.async_auth
= ipss
->ipsec_algs_exec_mode
[IPSEC_ALG_AUTH
] ==
7159 IPSEC_ALGS_EXEC_ASYNC
;
7160 update_state
.async_encr
= ipss
->ipsec_algs_exec_mode
[IPSEC_ALG_ENCR
] ==
7161 IPSEC_ALGS_EXEC_ASYNC
;
7163 if (alg_type
== IPSEC_ALG_AUTH
|| alg_type
== IPSEC_ALG_ALL
) {
7164 /* walk the AH tables only for auth. algorithm changes */
7165 SADB_ALG_UPDATE_WALK(ahstack
->ah_sadb
.s_v4
, sdb_of
);
7166 SADB_ALG_UPDATE_WALK(ahstack
->ah_sadb
.s_v4
, sdb_if
);
7167 SADB_ALG_UPDATE_WALK(ahstack
->ah_sadb
.s_v6
, sdb_of
);
7168 SADB_ALG_UPDATE_WALK(ahstack
->ah_sadb
.s_v6
, sdb_if
);
7171 /* walk the ESP tables */
7172 SADB_ALG_UPDATE_WALK(espstack
->esp_sadb
.s_v4
, sdb_of
);
7173 SADB_ALG_UPDATE_WALK(espstack
->esp_sadb
.s_v4
, sdb_if
);
7174 SADB_ALG_UPDATE_WALK(espstack
->esp_sadb
.s_v6
, sdb_of
);
7175 SADB_ALG_UPDATE_WALK(espstack
->esp_sadb
.s_v6
, sdb_if
);
7179 * Creates a context template for the specified SA. This function
7180 * is called when an SA is created and when a context template needs
7181 * to be created due to a change of software provider.
7184 ipsec_create_ctx_tmpl(ipsa_t
*sa
, ipsec_algtype_t alg_type
)
7186 ipsec_alginfo_t
*alg
;
7187 crypto_mechanism_t mech
;
7189 crypto_ctx_template_t
*sa_tmpl
;
7191 ipsec_stack_t
*ipss
= sa
->ipsa_netstack
->netstack_ipsec
;
7193 ASSERT(MUTEX_HELD(&ipss
->ipsec_alg_lock
));
7194 ASSERT(MUTEX_HELD(&sa
->ipsa_lock
));
7196 /* get pointers to the algorithm info, context template, and key */
7198 case IPSEC_ALG_AUTH
:
7199 key
= &sa
->ipsa_kcfauthkey
;
7200 sa_tmpl
= &sa
->ipsa_authtmpl
;
7201 alg
= ipss
->ipsec_alglists
[alg_type
][sa
->ipsa_auth_alg
];
7203 case IPSEC_ALG_ENCR
:
7204 key
= &sa
->ipsa_kcfencrkey
;
7205 sa_tmpl
= &sa
->ipsa_encrtmpl
;
7206 alg
= ipss
->ipsec_alglists
[alg_type
][sa
->ipsa_encr_alg
];
7212 if (alg
== NULL
|| !ALG_VALID(alg
))
7215 /* initialize the mech info structure for the framework */
7216 ASSERT(alg
->alg_mech_type
!= CRYPTO_MECHANISM_INVALID
);
7217 mech
.cm_type
= alg
->alg_mech_type
;
7218 mech
.cm_param
= NULL
;
7219 mech
.cm_param_len
= 0;
7221 /* create a new context template */
7222 rv
= crypto_create_ctx_template(&mech
, key
, sa_tmpl
, KM_NOSLEEP
);
7225 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware
7226 * providers are available for that mechanism. In that case
7227 * we don't fail, and will generate the context template from
7228 * the framework callback when a software provider for that
7229 * mechanism registers.
7231 * The context template is assigned the special value
7232 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a
7233 * lack of memory. No attempt will be made to use
7234 * the context template if it is set to this value.
7236 if (rv
== CRYPTO_HOST_MEMORY
) {
7237 *sa_tmpl
= IPSEC_CTX_TMPL_ALLOC
;
7238 } else if (rv
!= CRYPTO_SUCCESS
) {
7240 if (rv
!= CRYPTO_MECH_NOT_SUPPORTED
)
7248 * Destroy the context template of the specified algorithm type
7249 * of the specified SA. Must be called while holding the SA lock.
7252 ipsec_destroy_ctx_tmpl(ipsa_t
*sa
, ipsec_algtype_t alg_type
)
7254 ASSERT(MUTEX_HELD(&sa
->ipsa_lock
));
7256 if (alg_type
== IPSEC_ALG_AUTH
) {
7257 if (sa
->ipsa_authtmpl
== IPSEC_CTX_TMPL_ALLOC
)
7258 sa
->ipsa_authtmpl
= NULL
;
7259 else if (sa
->ipsa_authtmpl
!= NULL
) {
7260 crypto_destroy_ctx_template(sa
->ipsa_authtmpl
);
7261 sa
->ipsa_authtmpl
= NULL
;
7264 ASSERT(alg_type
== IPSEC_ALG_ENCR
);
7265 if (sa
->ipsa_encrtmpl
== IPSEC_CTX_TMPL_ALLOC
)
7266 sa
->ipsa_encrtmpl
= NULL
;
7267 else if (sa
->ipsa_encrtmpl
!= NULL
) {
7268 crypto_destroy_ctx_template(sa
->ipsa_encrtmpl
);
7269 sa
->ipsa_encrtmpl
= NULL
;
7275 * Use the kernel crypto framework to check the validity of a key received
7276 * via keysock. Returns 0 if the key is OK, -1 otherwise.
7279 ipsec_check_key(crypto_mech_type_t mech_type
, sadb_key_t
*sadb_key
,
7280 boolean_t is_auth
, int *diag
)
7282 crypto_mechanism_t mech
;
7283 crypto_key_t crypto_key
;
7286 mech
.cm_type
= mech_type
;
7287 mech
.cm_param
= NULL
;
7288 mech
.cm_param_len
= 0;
7290 crypto_key
.ck_format
= CRYPTO_KEY_RAW
;
7291 crypto_key
.ck_data
= sadb_key
+ 1;
7292 crypto_key
.ck_length
= sadb_key
->sadb_key_bits
;
7294 crypto_rc
= crypto_key_check(&mech
, &crypto_key
);
7296 switch (crypto_rc
) {
7297 case CRYPTO_SUCCESS
:
7299 case CRYPTO_MECHANISM_INVALID
:
7300 case CRYPTO_MECH_NOT_SUPPORTED
:
7301 *diag
= is_auth
? SADB_X_DIAGNOSTIC_BAD_AALG
:
7302 SADB_X_DIAGNOSTIC_BAD_EALG
;
7304 case CRYPTO_KEY_SIZE_RANGE
:
7305 *diag
= is_auth
? SADB_X_DIAGNOSTIC_BAD_AKEYBITS
:
7306 SADB_X_DIAGNOSTIC_BAD_EKEYBITS
;
7308 case CRYPTO_WEAK_KEY
:
7309 *diag
= is_auth
? SADB_X_DIAGNOSTIC_WEAK_AKEY
:
7310 SADB_X_DIAGNOSTIC_WEAK_EKEY
;
7318 * Whack options in the outer IP header when ipsec changes the outer label
7320 * This is inelegant and really could use refactoring.
7323 sadb_whack_label_v4(mblk_t
*mp
, ipsa_t
*assoc
, kstat_named_t
*counter
,
7324 ipdropper_t
*dropper
)
7330 uint8_t *opt_storage
= assoc
->ipsa_opt_storage
;
7331 ipha_t
*ipha
= (ipha_t
*)mp
->b_rptr
;
7333 plen
= ntohs(ipha
->ipha_length
);
7335 delta
= tsol_remove_secopt(ipha
, MBLKL(mp
));
7336 mp
->b_wptr
+= delta
;
7339 /* XXX XXX code copied from tsol_check_label */
7341 /* Make sure we have room for the worst-case addition */
7342 hlen
= IPH_HDR_LENGTH(ipha
) + opt_storage
[IPOPT_OLEN
];
7343 hlen
= (hlen
+ 3) & ~3;
7344 if (hlen
> IP_MAX_HDR_LENGTH
)
7345 hlen
= IP_MAX_HDR_LENGTH
;
7346 hlen
-= IPH_HDR_LENGTH(ipha
);
7349 if ((db
->db_ref
!= 1) || (mp
->b_wptr
+ hlen
> db
->db_lim
)) {
7353 /* allocate enough to be meaningful, but not *too* much */
7354 copylen
= MBLKL(mp
);
7357 new_mp
= allocb_tmpl(hlen
+ copylen
+
7358 (mp
->b_rptr
- mp
->b_datap
->db_base
), mp
);
7360 if (new_mp
== NULL
) {
7361 ip_drop_packet(mp
, B_FALSE
, NULL
, counter
, dropper
);
7366 new_mp
->b_rptr
+= mp
->b_rptr
- mp
->b_datap
->db_base
;
7367 new_mp
->b_wptr
= new_mp
->b_rptr
+ copylen
;
7368 bcopy(mp
->b_rptr
, new_mp
->b_rptr
, copylen
);
7369 new_mp
->b_cont
= mp
;
7370 if ((mp
->b_rptr
+= copylen
) >= mp
->b_wptr
) {
7371 new_mp
->b_cont
= mp
->b_cont
;
7375 ipha
= (ipha_t
*)mp
->b_rptr
;
7378 delta
= tsol_prepend_option(assoc
->ipsa_opt_storage
, ipha
, MBLKL(mp
));
7380 ASSERT(delta
!= -1);
7383 mp
->b_wptr
+= delta
;
7390 ASSERT3P(mp
->b_wptr
, <=, db
->db_lim
);
7391 ASSERT3P(mp
->b_rptr
, <=, db
->db_lim
);
7393 ASSERT3P(mp
->b_wptr
, >=, db
->db_base
);
7394 ASSERT3P(mp
->b_rptr
, >=, db
->db_base
);
7397 ipha
->ipha_length
= htons(plen
);
7403 sadb_whack_label_v6(mblk_t
*mp
, ipsa_t
*assoc
, kstat_named_t
*counter
,
7404 ipdropper_t
*dropper
)
7410 uint8_t *opt_storage
= assoc
->ipsa_opt_storage
;
7411 uint_t sec_opt_len
; /* label option length not including type, len */
7412 ip6_t
*ip6h
= (ip6_t
*)mp
->b_rptr
;
7414 plen
= ntohs(ip6h
->ip6_plen
);
7416 delta
= tsol_remove_secopt_v6(ip6h
, MBLKL(mp
));
7417 mp
->b_wptr
+= delta
;
7420 /* XXX XXX code copied from tsol_check_label_v6 */
7422 * Make sure we have room for the worst-case addition. Add 2 bytes for
7423 * the hop-by-hop ext header's next header and length fields. Add
7424 * another 2 bytes for the label option type, len and then round
7425 * up to the next 8-byte multiple.
7427 sec_opt_len
= opt_storage
[1];
7430 hlen
= (4 + sec_opt_len
+ 7) & ~7;
7432 if ((db
->db_ref
!= 1) || (mp
->b_wptr
+ hlen
> db
->db_lim
)) {
7437 hdr_len
= ip_hdr_length_v6(mp
, ip6h
);
7439 * Allocate enough to be meaningful, but not *too* much.
7440 * Also all the IPv6 extension headers must be in the same mblk
7442 copylen
= MBLKL(mp
);
7445 if (copylen
< hdr_len
)
7447 new_mp
= allocb_tmpl(hlen
+ copylen
+
7448 (mp
->b_rptr
- mp
->b_datap
->db_base
), mp
);
7449 if (new_mp
== NULL
) {
7450 ip_drop_packet(mp
, B_FALSE
, NULL
, counter
, dropper
);
7455 new_mp
->b_rptr
+= mp
->b_rptr
- mp
->b_datap
->db_base
;
7456 new_mp
->b_wptr
= new_mp
->b_rptr
+ copylen
;
7457 bcopy(mp
->b_rptr
, new_mp
->b_rptr
, copylen
);
7458 new_mp
->b_cont
= mp
;
7459 if ((mp
->b_rptr
+= copylen
) >= mp
->b_wptr
) {
7460 new_mp
->b_cont
= mp
->b_cont
;
7464 ip6h
= (ip6_t
*)mp
->b_rptr
;
7467 delta
= tsol_prepend_option_v6(assoc
->ipsa_opt_storage
,
7470 ASSERT(delta
!= -1);
7473 mp
->b_wptr
+= delta
;
7480 ASSERT3P(mp
->b_wptr
, <=, db
->db_lim
);
7481 ASSERT3P(mp
->b_rptr
, <=, db
->db_lim
);
7483 ASSERT3P(mp
->b_wptr
, >=, db
->db_base
);
7484 ASSERT3P(mp
->b_rptr
, >=, db
->db_base
);
7487 ip6h
->ip6_plen
= htons(plen
);
7492 /* Whack the labels and update ip_xmit_attr_t as needed */
7494 sadb_whack_label(mblk_t
*mp
, ipsa_t
*assoc
, ip_xmit_attr_t
*ixa
,
7495 kstat_named_t
*counter
, ipdropper_t
*dropper
)
7500 if (ixa
->ixa_flags
& IXAF_IS_IPV4
) {
7501 ipha_t
*ipha
= (ipha_t
*)mp
->b_rptr
;
7503 ASSERT(IPH_HDR_VERSION(ipha
) == IPV4_VERSION
);
7504 iplen
= ntohs(ipha
->ipha_length
);
7505 mp
= sadb_whack_label_v4(mp
, assoc
, counter
, dropper
);
7509 ipha
= (ipha_t
*)mp
->b_rptr
;
7510 ASSERT(IPH_HDR_VERSION(ipha
) == IPV4_VERSION
);
7511 adjust
= (int)ntohs(ipha
->ipha_length
) - iplen
;
7513 ip6_t
*ip6h
= (ip6_t
*)mp
->b_rptr
;
7515 ASSERT(IPH_HDR_VERSION(ip6h
) == IPV6_VERSION
);
7516 iplen
= ntohs(ip6h
->ip6_plen
);
7517 mp
= sadb_whack_label_v6(mp
, assoc
, counter
, dropper
);
7521 ip6h
= (ip6_t
*)mp
->b_rptr
;
7522 ASSERT(IPH_HDR_VERSION(ip6h
) == IPV6_VERSION
);
7523 adjust
= (int)ntohs(ip6h
->ip6_plen
) - iplen
;
7525 ixa
->ixa_pktlen
+= adjust
;
7526 ixa
->ixa_ip_hdr_length
+= adjust
;
7531 * If this is an outgoing SA then add some fuzz to the
7532 * SOFT EXPIRE time. The reason for this is to stop
7533 * peers trying to renegotiate SOFT expiring SA's at
7534 * the same time. The amount of fuzz needs to be at
7535 * least 8 seconds which is the typical interval
7536 * sadb_ager(), although this is only a guide as it
7540 lifetime_fuzz(ipsa_t
*assoc
)
7544 if (assoc
->ipsa_softaddlt
== 0)
7547 (void) random_get_pseudo_bytes(&rnd
, sizeof (rnd
));
7548 rnd
= (rnd
& 0xF) + 8;
7549 assoc
->ipsa_softexpiretime
-= rnd
;
7550 assoc
->ipsa_softaddlt
-= rnd
;
7554 destroy_ipsa_pair(ipsap_t
*ipsapp
)
7557 * Because of the multi-line macro nature of IPSA_REFRELE, keep
7560 if (ipsapp
->ipsap_sa_ptr
!= NULL
) {
7561 IPSA_REFRELE(ipsapp
->ipsap_sa_ptr
);
7563 if (ipsapp
->ipsap_psa_ptr
!= NULL
) {
7564 IPSA_REFRELE(ipsapp
->ipsap_psa_ptr
);
7566 init_ipsa_pair(ipsapp
);
7570 init_ipsa_pair(ipsap_t
*ipsapp
)
7572 ipsapp
->ipsap_bucket
= NULL
;
7573 ipsapp
->ipsap_sa_ptr
= NULL
;
7574 ipsapp
->ipsap_pbucket
= NULL
;
7575 ipsapp
->ipsap_psa_ptr
= NULL
;
7579 * The sadb_ager() function walks through the hash tables of SA's and ages
7580 * them, if the SA expires as a result, its marked as DEAD and will be reaped
7581 * the next time sadb_ager() runs. SA's which are paired or have a peer (same
7582 * SA appears in both the inbound and outbound tables because its not possible
7583 * to determine its direction) are placed on a list when they expire. This is
7584 * to ensure that pair/peer SA's are reaped at the same time, even if they
7585 * expire at different times.
7587 * This function is called twice by sadb_ager(), one after processing the
7588 * inbound table, then again after processing the outbound table.
7591 age_pair_peer_list(templist_t
*haspeerlist
, sadb_t
*sp
, boolean_t outbound
)
7593 templist_t
*listptr
;
7597 ipsa_t
*peer_assoc
, *dying
;
7599 * Haspeer cases will contain both IPv4 and IPv6. This code
7600 * is address independent.
7602 while (haspeerlist
!= NULL
) {
7603 /* "dying" contains the SA that has a peer. */
7604 dying
= haspeerlist
->ipsa
;
7605 haspeer
= (dying
->ipsa_haspeer
);
7606 listptr
= haspeerlist
;
7607 haspeerlist
= listptr
->next
;
7608 kmem_free(listptr
, sizeof (*listptr
));
7610 * Pick peer bucket based on addrfam.
7614 bucket
= INBOUND_BUCKET(sp
, dying
->ipsa_spi
);
7616 bucket
= INBOUND_BUCKET(sp
,
7617 dying
->ipsa_otherspi
);
7618 } else { /* inbound */
7620 if (dying
->ipsa_addrfam
== AF_INET6
) {
7621 outhash
= OUTBOUND_HASH_V6(sp
,
7622 *((in6_addr_t
*)&dying
->
7625 outhash
= OUTBOUND_HASH_V4(sp
,
7626 *((ipaddr_t
*)&dying
->
7629 } else if (dying
->ipsa_addrfam
== AF_INET6
) {
7630 outhash
= OUTBOUND_HASH_V6(sp
,
7631 *((in6_addr_t
*)&dying
->
7634 outhash
= OUTBOUND_HASH_V4(sp
,
7635 *((ipaddr_t
*)&dying
->
7638 bucket
= &(sp
->sdb_of
[outhash
]);
7641 mutex_enter(&bucket
->isaf_lock
);
7643 * "haspeer" SA's have the same src/dst address ordering,
7644 * "paired" SA's have the src/dst addresses reversed.
7647 peer_assoc
= ipsec_getassocbyspi(bucket
,
7648 dying
->ipsa_spi
, dying
->ipsa_srcaddr
,
7649 dying
->ipsa_dstaddr
, dying
->ipsa_addrfam
);
7651 peer_assoc
= ipsec_getassocbyspi(bucket
,
7652 dying
->ipsa_otherspi
, dying
->ipsa_dstaddr
,
7653 dying
->ipsa_srcaddr
, dying
->ipsa_addrfam
);
7656 mutex_exit(&bucket
->isaf_lock
);
7657 if (peer_assoc
!= NULL
) {
7658 mutex_enter(&peer_assoc
->ipsa_lock
);
7659 mutex_enter(&dying
->ipsa_lock
);
7662 * Only SA's which have a "peer" or are
7663 * "paired" end up on this list, so this
7664 * must be a "paired" SA, update the flags
7665 * to break the pair.
7667 peer_assoc
->ipsa_otherspi
= 0;
7668 peer_assoc
->ipsa_flags
&= ~IPSA_F_PAIRED
;
7669 dying
->ipsa_otherspi
= 0;
7670 dying
->ipsa_flags
&= ~IPSA_F_PAIRED
;
7672 if (haspeer
|| outbound
) {
7674 * Update the state of the "inbound" SA when
7675 * the "outbound" SA has expired. Don't update
7676 * the "outbound" SA when the "inbound" SA
7677 * SA expires because setting the hard_addtime
7678 * below will cause this to happen.
7680 peer_assoc
->ipsa_state
= dying
->ipsa_state
;
7682 if (dying
->ipsa_state
== IPSA_STATE_DEAD
)
7683 peer_assoc
->ipsa_hardexpiretime
= 1;
7685 mutex_exit(&dying
->ipsa_lock
);
7686 mutex_exit(&peer_assoc
->ipsa_lock
);
7687 IPSA_REFRELE(peer_assoc
);
7689 IPSA_REFRELE(dying
);
7694 * Ensure that the IV used for CCM mode never repeats. The IV should
7695 * only be updated by this function. Also check to see if the IV
7696 * is about to wrap and generate a SOFT Expire. This function is only
7697 * called for outgoing packets, the IV for incomming packets is taken
7698 * from the wire. If the outgoing SA needs to be expired, update
7699 * the matching incomming SA.
7702 update_iv(uint8_t *iv_ptr
, queue_t
*pfkey_q
, ipsa_t
*assoc
,
7703 ipsecesp_stack_t
*espstack
)
7705 boolean_t rc
= B_TRUE
;
7706 isaf_t
*inbound_bucket
;
7708 ipsa_t
*pair_sa
= NULL
;
7709 int sa_new_state
= 0;
7711 /* For non counter modes, the IV is random data. */
7712 if (!(assoc
->ipsa_flags
& IPSA_F_COUNTERMODE
)) {
7713 (void) random_get_pseudo_bytes(iv_ptr
, assoc
->ipsa_iv_len
);
7717 mutex_enter(&assoc
->ipsa_lock
);
7719 (*assoc
->ipsa_iv
)++;
7721 if (*assoc
->ipsa_iv
== assoc
->ipsa_iv_hardexpire
) {
7722 sa_new_state
= IPSA_STATE_DEAD
;
7724 } else if (*assoc
->ipsa_iv
== assoc
->ipsa_iv_softexpire
) {
7725 if (assoc
->ipsa_state
!= IPSA_STATE_DYING
) {
7727 * This SA may have already been expired when its
7730 sa_new_state
= IPSA_STATE_DYING
;
7735 * If there is a state change, we need to update this SA
7736 * and its "pair", we can find the bucket for the "pair" SA
7737 * while holding the ipsa_t mutex, but we won't actually
7738 * update anything untill the ipsa_t mutex has been released
7741 assoc
->ipsa_state
= sa_new_state
;
7742 if (assoc
->ipsa_addrfam
== AF_INET6
) {
7743 sp
= &espstack
->esp_sadb
.s_v6
;
7745 sp
= &espstack
->esp_sadb
.s_v4
;
7747 inbound_bucket
= INBOUND_BUCKET(sp
, assoc
->ipsa_otherspi
);
7748 sadb_expire_assoc(pfkey_q
, assoc
);
7751 bcopy(assoc
->ipsa_iv
, iv_ptr
, assoc
->ipsa_iv_len
);
7753 mutex_exit(&assoc
->ipsa_lock
);
7756 /* Find the inbound SA, need to lock hash bucket. */
7757 mutex_enter(&inbound_bucket
->isaf_lock
);
7758 pair_sa
= ipsec_getassocbyspi(inbound_bucket
,
7759 assoc
->ipsa_otherspi
, assoc
->ipsa_dstaddr
,
7760 assoc
->ipsa_srcaddr
, assoc
->ipsa_addrfam
);
7761 mutex_exit(&inbound_bucket
->isaf_lock
);
7762 if (pair_sa
!= NULL
) {
7763 mutex_enter(&pair_sa
->ipsa_lock
);
7764 pair_sa
->ipsa_state
= sa_new_state
;
7765 mutex_exit(&pair_sa
->ipsa_lock
);
7766 IPSA_REFRELE(pair_sa
);
7774 ccm_params_init(ipsa_t
*assoc
, uchar_t
*esph
, uint_t data_len
, uchar_t
*iv_ptr
,
7775 ipsa_cm_mech_t
*cm_mech
, crypto_data_t
*crypto_data
)
7778 crypto_mechanism_t
*combined_mech
;
7779 CK_AES_CCM_PARAMS
*params
;
7781 combined_mech
= (crypto_mechanism_t
*)cm_mech
;
7782 params
= (CK_AES_CCM_PARAMS
*)(combined_mech
+ 1);
7783 nonce
= (uchar_t
*)(params
+ 1);
7784 params
->ulMACSize
= assoc
->ipsa_mac_len
;
7785 params
->ulNonceSize
= assoc
->ipsa_nonce_len
;
7786 params
->ulAuthDataSize
= sizeof (esph_t
);
7787 params
->ulDataSize
= data_len
;
7788 params
->nonce
= nonce
;
7789 params
->authData
= esph
;
7791 cm_mech
->combined_mech
.cm_type
= assoc
->ipsa_emech
.cm_type
;
7792 cm_mech
->combined_mech
.cm_param_len
= sizeof (CK_AES_CCM_PARAMS
);
7793 cm_mech
->combined_mech
.cm_param
= (caddr_t
)params
;
7794 /* See gcm_params_init() for comments. */
7795 bcopy(assoc
->ipsa_nonce
, nonce
, assoc
->ipsa_saltlen
);
7796 nonce
+= assoc
->ipsa_saltlen
;
7797 bcopy(iv_ptr
, nonce
, assoc
->ipsa_iv_len
);
7798 crypto_data
->cd_miscdata
= NULL
;
7803 cbc_params_init(ipsa_t
*assoc
, uchar_t
*esph
, uint_t data_len
, uchar_t
*iv_ptr
,
7804 ipsa_cm_mech_t
*cm_mech
, crypto_data_t
*crypto_data
)
7806 cm_mech
->combined_mech
.cm_type
= assoc
->ipsa_emech
.cm_type
;
7807 cm_mech
->combined_mech
.cm_param_len
= 0;
7808 cm_mech
->combined_mech
.cm_param
= NULL
;
7809 crypto_data
->cd_miscdata
= (char *)iv_ptr
;
7814 gcm_params_init(ipsa_t
*assoc
, uchar_t
*esph
, uint_t data_len
, uchar_t
*iv_ptr
,
7815 ipsa_cm_mech_t
*cm_mech
, crypto_data_t
*crypto_data
)
7818 crypto_mechanism_t
*combined_mech
;
7819 CK_AES_GCM_PARAMS
*params
;
7821 combined_mech
= (crypto_mechanism_t
*)cm_mech
;
7822 params
= (CK_AES_GCM_PARAMS
*)(combined_mech
+ 1);
7823 nonce
= (uchar_t
*)(params
+ 1);
7825 params
->pIv
= nonce
;
7826 params
->ulIvLen
= assoc
->ipsa_nonce_len
;
7827 params
->ulIvBits
= SADB_8TO1(assoc
->ipsa_nonce_len
);
7828 params
->pAAD
= esph
;
7829 params
->ulAADLen
= sizeof (esph_t
);
7830 params
->ulTagBits
= SADB_8TO1(assoc
->ipsa_mac_len
);
7832 cm_mech
->combined_mech
.cm_type
= assoc
->ipsa_emech
.cm_type
;
7833 cm_mech
->combined_mech
.cm_param_len
= sizeof (CK_AES_GCM_PARAMS
);
7834 cm_mech
->combined_mech
.cm_param
= (caddr_t
)params
;
7836 * Create the nonce, which is made up of the salt and the IV.
7837 * Copy the salt from the SA and the IV from the packet.
7838 * For inbound packets we copy the IV from the packet because it
7839 * was set by the sending system, for outbound packets we copy the IV
7840 * from the packet because the IV in the SA may be changed by another
7841 * thread, the IV in the packet was created while holding a mutex.
7843 bcopy(assoc
->ipsa_nonce
, nonce
, assoc
->ipsa_saltlen
);
7844 nonce
+= assoc
->ipsa_saltlen
;
7845 bcopy(iv_ptr
, nonce
, assoc
->ipsa_iv_len
);
7846 crypto_data
->cd_miscdata
= NULL
;