4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
26 #include <sys/types.h>
27 #include <sys/stream.h>
28 #include <sys/stropts.h>
29 #include <sys/errno.h>
31 #include <sys/debug.h>
32 #include <sys/cmn_err.h>
33 #include <sys/stream.h>
34 #include <sys/strlog.h>
36 #include <sys/sunddi.h>
37 #include <sys/tihdr.h>
38 #include <sys/atomic.h>
39 #include <sys/socket.h>
40 #include <sys/sysmacros.h>
41 #include <sys/crypto/common.h>
42 #include <sys/crypto/api.h>
44 #include <netinet/in.h>
46 #include <net/pfkeyv2.h>
47 #include <inet/common.h>
48 #include <netinet/ip6.h>
50 #include <inet/ip_ire.h>
52 #include <inet/ipsec_info.h>
54 #include <inet/sadb.h>
55 #include <inet/ipsec_impl.h>
56 #include <inet/ipsecah.h>
57 #include <inet/ipsecesp.h>
58 #include <sys/random.h>
60 #include <sys/iphada.h>
61 #include <inet/ip_if.h>
62 #include <inet/ipdrop.h>
63 #include <inet/ipclassifier.h>
64 #include <inet/sctp_ip.h>
68 * This source file contains Security Association Database (SADB) common
69 * routines. They are linked in with the AH module. Since AH has no chance
70 * of falling under export control, it was safe to link it in there.
73 static mblk_t
*sadb_extended_acquire(ipsec_selector_t
*, ipsec_policy_t
*,
74 ipsec_action_t
*, boolean_t
, uint32_t, uint32_t, netstack_t
*);
75 static void sadb_ill_df(ill_t
*, mblk_t
*, isaf_t
*, int, boolean_t
);
76 static ipsa_t
*sadb_torch_assoc(isaf_t
*, ipsa_t
*, boolean_t
, mblk_t
**);
77 static void sadb_drain_torchq(queue_t
*, mblk_t
*);
78 static void sadb_destroy_acqlist(iacqf_t
**, uint_t
, boolean_t
,
80 static void sadb_destroy(sadb_t
*, netstack_t
*);
81 static mblk_t
*sadb_sa2msg(ipsa_t
*, sadb_msg_t
*);
83 static time_t sadb_add_time(time_t, uint64_t);
84 static void lifetime_fuzz(ipsa_t
*);
85 static void age_pair_peer_list(templist_t
*, sadb_t
*, boolean_t
);
86 static void ipsa_set_replay(ipsa_t
*ipsa
, uint32_t offset
);
88 extern void (*cl_inet_getspi
)(uint8_t protocol
, uint8_t *ptr
, size_t len
);
89 extern int (*cl_inet_checkspi
)(uint8_t protocol
, uint32_t spi
);
90 extern void (*cl_inet_deletespi
)(uint8_t protocol
, uint32_t spi
);
93 * ipsacq_maxpackets is defined here to make it tunable
96 extern uint64_t ipsacq_maxpackets
;
98 #define SET_EXPIRE(sa, delta, exp) { \
99 if (((sa)->ipsa_ ## delta) != 0) { \
100 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \
101 (sa)->ipsa_ ## delta); \
105 #define UPDATE_EXPIRE(sa, delta, exp) { \
106 if (((sa)->ipsa_ ## delta) != 0) { \
107 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \
108 (sa)->ipsa_ ## delta); \
109 if (((sa)->ipsa_ ## exp) == 0) \
110 (sa)->ipsa_ ## exp = tmp; \
112 (sa)->ipsa_ ## exp = \
113 MIN((sa)->ipsa_ ## exp, tmp); \
118 /* wrap the macro so we can pass it as a function pointer */
120 sadb_sa_refrele(void *target
)
122 IPSA_REFRELE(((ipsa_t
*)target
));
126 * We presume that sizeof (long) == sizeof (time_t) and that time_t is
129 #define TIME_MAX LONG_MAX
132 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that
133 * time_t is defined to be a signed type with the same range as
134 * "long". On ILP32 systems, we thus run the risk of wrapping around
135 * at end of time, as well as "overwrapping" the clock back around
136 * into a seemingly valid but incorrect future date earlier than the
137 * desired expiration.
139 * In order to avoid odd behavior (either negative lifetimes or loss
140 * of high order bits) when someone asks for bizarrely long SA
141 * lifetimes, we do a saturating add for expire times.
143 * We presume that ILP32 systems will be past end of support life when
144 * the 32-bit time_t overflows (a dangerous assumption, mind you..).
146 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we
147 * will hopefully have figured out clever ways to avoid the use of
148 * fixed-sized integers in computation.
151 sadb_add_time(time_t base
, uint64_t delta
)
156 * Clip delta to the maximum possible time_t value to
157 * prevent "overwrapping" back into a shorter-than-desired
160 if (delta
> TIME_MAX
)
163 * This sum may still overflow.
168 * .. so if the result is less than the base, we overflowed.
177 * Callers of this function have already created a working security
178 * association, and have found the appropriate table & hash chain. All this
179 * function does is check duplicates, and insert the SA. The caller needs to
180 * hold the hash bucket lock and increment the refcnt before insertion.
182 * Return 0 if success, EEXIST if collision.
184 #define SA_UNIQUE_MATCH(sa1, sa2) \
185 (((sa1)->ipsa_unique_id & (sa1)->ipsa_unique_mask) == \
186 ((sa2)->ipsa_unique_id & (sa2)->ipsa_unique_mask))
189 sadb_insertassoc(ipsa_t
*ipsa
, isaf_t
*bucket
)
191 ipsa_t
**ptpn
= NULL
;
195 ASSERT(MUTEX_HELD(&bucket
->isaf_lock
));
197 unspecsrc
= IPSA_IS_ADDR_UNSPEC(ipsa
->ipsa_srcaddr
, ipsa
->ipsa_addrfam
);
199 walker
= bucket
->isaf_ipsa
;
200 ASSERT(walker
== NULL
|| ipsa
->ipsa_addrfam
== walker
->ipsa_addrfam
);
203 * Find insertion point (pointed to with **ptpn). Insert at the head
204 * of the list unless there's an unspecified source address, then
205 * insert it after the last SA with a specified source address.
207 * BTW, you'll have to walk the whole chain, matching on {DST, SPI}
208 * checking for collisions.
211 while (walker
!= NULL
) {
212 if (IPSA_ARE_ADDR_EQUAL(walker
->ipsa_dstaddr
,
213 ipsa
->ipsa_dstaddr
, ipsa
->ipsa_addrfam
)) {
214 if (walker
->ipsa_spi
== ipsa
->ipsa_spi
)
217 mutex_enter(&walker
->ipsa_lock
);
218 if (ipsa
->ipsa_state
== IPSA_STATE_MATURE
&&
219 (walker
->ipsa_flags
& IPSA_F_USED
) &&
220 SA_UNIQUE_MATCH(walker
, ipsa
)) {
221 walker
->ipsa_flags
|= IPSA_F_CINVALID
;
223 mutex_exit(&walker
->ipsa_lock
);
226 if (ptpn
== NULL
&& unspecsrc
) {
227 if (IPSA_IS_ADDR_UNSPEC(walker
->ipsa_srcaddr
,
228 walker
->ipsa_addrfam
))
229 ptpn
= walker
->ipsa_ptpn
;
230 else if (walker
->ipsa_next
== NULL
)
231 ptpn
= &walker
->ipsa_next
;
234 walker
= walker
->ipsa_next
;
238 ptpn
= &bucket
->isaf_ipsa
;
239 ipsa
->ipsa_next
= *ptpn
;
240 ipsa
->ipsa_ptpn
= ptpn
;
241 if (ipsa
->ipsa_next
!= NULL
)
242 ipsa
->ipsa_next
->ipsa_ptpn
= &ipsa
->ipsa_next
;
244 ipsa
->ipsa_linklock
= &bucket
->isaf_lock
;
248 #undef SA_UNIQUE_MATCH
251 * Free a security association. Its reference count is 0, which means
252 * I must free it. The SA must be unlocked and must not be linked into
256 sadb_freeassoc(ipsa_t
*ipsa
)
258 ipsec_stack_t
*ipss
= ipsa
->ipsa_netstack
->netstack_ipsec
;
260 ASSERT(ipss
!= NULL
);
261 ASSERT(MUTEX_NOT_HELD(&ipsa
->ipsa_lock
));
262 ASSERT(ipsa
->ipsa_refcnt
== 0);
263 ASSERT(ipsa
->ipsa_next
== NULL
);
264 ASSERT(ipsa
->ipsa_ptpn
== NULL
);
266 ip_drop_packet(sadb_clear_lpkt(ipsa
), B_TRUE
, NULL
, NULL
,
267 DROPPER(ipss
, ipds_sadb_inlarval_timeout
),
268 &ipss
->ipsec_sadb_dropper
);
270 mutex_enter(&ipsa
->ipsa_lock
);
271 ipsec_destroy_ctx_tmpl(ipsa
, IPSEC_ALG_AUTH
);
272 ipsec_destroy_ctx_tmpl(ipsa
, IPSEC_ALG_ENCR
);
273 mutex_exit(&ipsa
->ipsa_lock
);
275 /* bzero() these fields for paranoia's sake. */
276 if (ipsa
->ipsa_authkey
!= NULL
) {
277 bzero(ipsa
->ipsa_authkey
, ipsa
->ipsa_authkeylen
);
278 kmem_free(ipsa
->ipsa_authkey
, ipsa
->ipsa_authkeylen
);
280 if (ipsa
->ipsa_encrkey
!= NULL
) {
281 bzero(ipsa
->ipsa_encrkey
, ipsa
->ipsa_encrkeylen
);
282 kmem_free(ipsa
->ipsa_encrkey
, ipsa
->ipsa_encrkeylen
);
284 if (ipsa
->ipsa_src_cid
!= NULL
) {
285 IPSID_REFRELE(ipsa
->ipsa_src_cid
);
287 if (ipsa
->ipsa_dst_cid
!= NULL
) {
288 IPSID_REFRELE(ipsa
->ipsa_dst_cid
);
290 if (ipsa
->ipsa_integ
!= NULL
)
291 kmem_free(ipsa
->ipsa_integ
, ipsa
->ipsa_integlen
);
292 if (ipsa
->ipsa_sens
!= NULL
)
293 kmem_free(ipsa
->ipsa_sens
, ipsa
->ipsa_senslen
);
295 mutex_destroy(&ipsa
->ipsa_lock
);
296 kmem_free(ipsa
, sizeof (*ipsa
));
300 * Unlink a security association from a hash bucket. Assume the hash bucket
301 * lock is held, but the association's lock is not.
303 * Note that we do not bump the bucket's generation number here because
304 * we might not be making a visible change to the set of visible SA's.
305 * All callers MUST bump the bucket's generation number before they unlock
306 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which
307 * was present in the bucket at the time it was locked.
310 sadb_unlinkassoc(ipsa_t
*ipsa
)
312 ASSERT(ipsa
->ipsa_linklock
!= NULL
);
313 ASSERT(MUTEX_HELD(ipsa
->ipsa_linklock
));
315 /* These fields are protected by the link lock. */
316 *(ipsa
->ipsa_ptpn
) = ipsa
->ipsa_next
;
317 if (ipsa
->ipsa_next
!= NULL
) {
318 ipsa
->ipsa_next
->ipsa_ptpn
= ipsa
->ipsa_ptpn
;
319 ipsa
->ipsa_next
= NULL
;
322 ipsa
->ipsa_ptpn
= NULL
;
324 /* This may destroy the SA. */
329 sadb_delete_cluster(ipsa_t
*assoc
)
333 if (cl_inet_deletespi
&&
334 ((assoc
->ipsa_state
== IPSA_STATE_LARVAL
) ||
335 (assoc
->ipsa_state
== IPSA_STATE_MATURE
))) {
336 protocol
= (assoc
->ipsa_type
== SADB_SATYPE_AH
) ?
337 IPPROTO_AH
: IPPROTO_ESP
;
338 cl_inet_deletespi(protocol
, assoc
->ipsa_spi
);
343 * Create a larval security association with the specified SPI. All other
347 sadb_makelarvalassoc(uint32_t spi
, uint32_t *src
, uint32_t *dst
, int addrfam
,
356 newbie
= (ipsa_t
*)kmem_zalloc(sizeof (ipsa_t
), KM_NOSLEEP
);
357 if (newbie
== NULL
) {
358 /* Can't make new larval SA. */
362 /* Assigned requested SPI, assume caller does SPI allocation magic. */
363 newbie
->ipsa_spi
= spi
;
364 newbie
->ipsa_netstack
= ns
; /* No netstack_hold */
370 IPSA_COPY_ADDR(newbie
->ipsa_srcaddr
, src
, addrfam
);
371 IPSA_COPY_ADDR(newbie
->ipsa_dstaddr
, dst
, addrfam
);
373 newbie
->ipsa_addrfam
= addrfam
;
376 * Set common initialization values, including refcnt.
378 mutex_init(&newbie
->ipsa_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
379 newbie
->ipsa_state
= IPSA_STATE_LARVAL
;
380 newbie
->ipsa_refcnt
= 1;
381 newbie
->ipsa_freefunc
= sadb_freeassoc
;
384 * There aren't a lot of other common initialization values, as
385 * they are copied in from the PF_KEY message.
392 * Call me to initialize a security association fanout.
395 sadb_init_fanout(isaf_t
**tablep
, uint_t size
, int kmflag
)
400 table
= (isaf_t
*)kmem_alloc(size
* sizeof (*table
), kmflag
);
406 for (i
= 0; i
< size
; i
++) {
407 mutex_init(&(table
[i
].isaf_lock
), NULL
, MUTEX_DEFAULT
, NULL
);
408 table
[i
].isaf_ipsa
= NULL
;
409 table
[i
].isaf_gen
= 0;
416 * Call me to initialize an acquire fanout
419 sadb_init_acfanout(iacqf_t
**tablep
, uint_t size
, int kmflag
)
424 table
= (iacqf_t
*)kmem_alloc(size
* sizeof (*table
), kmflag
);
430 for (i
= 0; i
< size
; i
++) {
431 mutex_init(&(table
[i
].iacqf_lock
), NULL
, MUTEX_DEFAULT
, NULL
);
432 table
[i
].iacqf_ipsacq
= NULL
;
439 * Attempt to initialize an SADB instance. On failure, return ENOMEM;
440 * caller must clean up partial allocations.
443 sadb_init_trial(sadb_t
*sp
, uint_t size
, int kmflag
)
445 ASSERT(sp
->sdb_of
== NULL
);
446 ASSERT(sp
->sdb_if
== NULL
);
447 ASSERT(sp
->sdb_acq
== NULL
);
449 sp
->sdb_hashsize
= size
;
450 if (sadb_init_fanout(&sp
->sdb_of
, size
, kmflag
) != 0)
452 if (sadb_init_fanout(&sp
->sdb_if
, size
, kmflag
) != 0)
454 if (sadb_init_acfanout(&sp
->sdb_acq
, size
, kmflag
) != 0)
461 * Call me to initialize an SADB instance; fall back to default size on failure.
464 sadb_init(const char *name
, sadb_t
*sp
, uint_t size
, uint_t ver
,
467 ASSERT(sp
->sdb_of
== NULL
);
468 ASSERT(sp
->sdb_if
== NULL
);
469 ASSERT(sp
->sdb_acq
== NULL
);
471 if (size
< IPSEC_DEFAULT_HASH_SIZE
)
472 size
= IPSEC_DEFAULT_HASH_SIZE
;
474 if (sadb_init_trial(sp
, size
, KM_NOSLEEP
) != 0) {
477 "Unable to allocate %u entry IPv%u %s SADB hash table",
480 sadb_destroy(sp
, ns
);
481 size
= IPSEC_DEFAULT_HASH_SIZE
;
482 cmn_err(CE_WARN
, "Falling back to %d entries", size
);
483 (void) sadb_init_trial(sp
, size
, KM_SLEEP
);
489 * Initialize an SADB-pair.
492 sadbp_init(const char *name
, sadbp_t
*sp
, int type
, int size
, netstack_t
*ns
)
494 sadb_init(name
, &sp
->s_v4
, size
, 4, ns
);
495 sadb_init(name
, &sp
->s_v6
, size
, 6, ns
);
499 ASSERT((type
== SADB_SATYPE_AH
) || (type
== SADB_SATYPE_ESP
));
500 if (type
== SADB_SATYPE_AH
) {
501 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
503 ip_drop_register(&ipss
->ipsec_sadb_dropper
, "IPsec SADB");
504 sp
->s_addflags
= AH_ADD_SETTABLE_FLAGS
;
505 sp
->s_updateflags
= AH_UPDATE_SETTABLE_FLAGS
;
507 sp
->s_addflags
= ESP_ADD_SETTABLE_FLAGS
;
508 sp
->s_updateflags
= ESP_UPDATE_SETTABLE_FLAGS
;
513 * Deliver a single SADB_DUMP message representing a single SA. This is
514 * called many times by sadb_dump().
516 * If the return value of this is ENOBUFS (not the same as ENOMEM), then
517 * the caller should take that as a hint that dupb() on the "original answer"
518 * failed, and that perhaps the caller should try again with a copyb()ed
522 sadb_dump_deliver(queue_t
*pfkey_q
, mblk_t
*original_answer
, ipsa_t
*ipsa
,
527 answer
= dupb(original_answer
);
530 answer
->b_cont
= sadb_sa2msg(ipsa
, samsg
);
531 if (answer
->b_cont
== NULL
) {
536 /* Just do a putnext, and let keysock deal with flow control. */
537 putnext(pfkey_q
, answer
);
542 * Common function to allocate and prepare a keysock_out_t M_CTL message.
545 sadb_keysock_out(minor_t serial
)
550 mp
= allocb(sizeof (ipsec_info_t
), BPRI_HI
);
552 mp
->b_datap
->db_type
= M_CTL
;
553 mp
->b_wptr
+= sizeof (ipsec_info_t
);
554 kso
= (keysock_out_t
*)mp
->b_rptr
;
555 kso
->ks_out_type
= KEYSOCK_OUT
;
556 kso
->ks_out_len
= sizeof (*kso
);
557 kso
->ks_out_serial
= serial
;
564 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts
568 sadb_dump_fanout(queue_t
*pfkey_q
, mblk_t
*mp
, minor_t serial
, isaf_t
*fanout
,
569 int num_entries
, boolean_t do_peers
, time_t active_time
)
572 mblk_t
*original_answer
;
578 * For each IPSA hash bucket do:
580 * - Walk each entry, doing an sadb_dump_deliver() on it.
582 ASSERT(mp
->b_cont
!= NULL
);
583 samsg
= (sadb_msg_t
*)mp
->b_cont
->b_rptr
;
585 original_answer
= sadb_keysock_out(serial
);
586 if (original_answer
== NULL
)
589 current
= gethrestime_sec();
590 for (i
= 0; i
< num_entries
; i
++) {
591 mutex_enter(&fanout
[i
].isaf_lock
);
592 for (walker
= fanout
[i
].isaf_ipsa
; walker
!= NULL
;
593 walker
= walker
->ipsa_next
) {
594 if (!do_peers
&& walker
->ipsa_haspeer
)
596 if ((active_time
!= 0) &&
597 ((current
- walker
->ipsa_lastuse
) > active_time
))
599 error
= sadb_dump_deliver(pfkey_q
, original_answer
,
601 if (error
== ENOBUFS
) {
602 mblk_t
*new_original_answer
;
604 /* Ran out of dupb's. Try a copyb. */
605 new_original_answer
= copyb(original_answer
);
606 if (new_original_answer
== NULL
) {
609 freeb(original_answer
);
610 original_answer
= new_original_answer
;
611 error
= sadb_dump_deliver(pfkey_q
,
612 original_answer
, walker
, samsg
);
616 break; /* out of for loop. */
618 mutex_exit(&fanout
[i
].isaf_lock
);
620 break; /* out of for loop. */
623 freeb(original_answer
);
628 * Dump an entire SADB; outbound first, then inbound.
632 sadb_dump(queue_t
*pfkey_q
, mblk_t
*mp
, keysock_in_t
*ksi
, sadb_t
*sp
)
635 time_t active_time
= 0;
636 sadb_x_edump_t
*edump
=
637 (sadb_x_edump_t
*)ksi
->ks_in_extv
[SADB_X_EXT_EDUMP
];
640 active_time
= edump
->sadb_x_edump_timeout
;
644 error
= sadb_dump_fanout(pfkey_q
, mp
, ksi
->ks_in_serial
, sp
->sdb_of
,
645 sp
->sdb_hashsize
, B_TRUE
, active_time
);
650 return sadb_dump_fanout(pfkey_q
, mp
, ksi
->ks_in_serial
, sp
->sdb_if
,
651 sp
->sdb_hashsize
, B_FALSE
, active_time
);
655 * Generic sadb table walker.
657 * Call "walkfn" for each SA in each bucket in "table"; pass the
658 * bucket, the entry and "cookie" to the callback function.
659 * Take care to ensure that walkfn can delete the SA without screwing
662 * The bucket is locked for the duration of the callback, both so that the
663 * callback can just call sadb_unlinkassoc() when it wants to delete something,
664 * and so that no new entries are added while we're walking the list.
667 sadb_walker(isaf_t
*table
, uint_t numentries
,
668 void (*walkfn
)(isaf_t
*head
, ipsa_t
*entry
, void *cookie
),
672 for (i
= 0; i
< numentries
; i
++) {
673 ipsa_t
*entry
, *next
;
675 mutex_enter(&table
[i
].isaf_lock
);
677 for (entry
= table
[i
].isaf_ipsa
; entry
!= NULL
;
679 next
= entry
->ipsa_next
;
680 (*walkfn
)(&table
[i
], entry
, cookie
);
682 mutex_exit(&table
[i
].isaf_lock
);
687 * From the given SA, construct a dl_ct_ipsec_key and
688 * a dl_ct_ipsec structures to be sent to the adapter as part
689 * of a DL_CONTROL_REQ.
691 * ct_sa must point to the storage allocated for the key
692 * structure and must be followed by storage allocated
693 * for the SA information that must be sent to the driver
694 * as part of the DL_CONTROL_REQ request.
696 * The is_inbound boolean indicates whether the specified
697 * SA is part of an inbound SA table.
699 * Returns B_TRUE if the corresponding SA must be passed to
700 * a provider, B_FALSE otherwise; frees *mp if it returns B_FALSE.
703 sadb_req_from_sa(ipsa_t
*sa
, mblk_t
*mp
, boolean_t is_inbound
)
705 dl_ct_ipsec_key_t
*keyp
;
707 void *ct_sa
= mp
->b_wptr
;
709 ASSERT(MUTEX_HELD(&sa
->ipsa_lock
));
711 keyp
= (dl_ct_ipsec_key_t
*)(ct_sa
);
712 sap
= (dl_ct_ipsec_t
*)(keyp
+ 1);
714 IPSECHW_DEBUG(IPSECHW_CAPAB
, ("sadb_req_from_sa: "
715 "is_inbound = %d\n", is_inbound
));
717 /* initialize flag */
718 sap
->sadb_sa_flags
= 0;
720 sap
->sadb_sa_flags
|= DL_CT_IPSEC_INBOUND
;
722 * If an inbound SA has a peer, then mark it has being
723 * an outbound SA as well.
725 if (sa
->ipsa_haspeer
)
726 sap
->sadb_sa_flags
|= DL_CT_IPSEC_OUTBOUND
;
729 * If an outbound SA has a peer, then don't send it,
730 * since we will send the copy from the inbound table.
732 if (sa
->ipsa_haspeer
) {
736 sap
->sadb_sa_flags
|= DL_CT_IPSEC_OUTBOUND
;
739 keyp
->dl_key_spi
= sa
->ipsa_spi
;
740 bcopy(sa
->ipsa_dstaddr
, keyp
->dl_key_dest_addr
,
741 DL_CTL_IPSEC_ADDR_LEN
);
742 keyp
->dl_key_addr_family
= sa
->ipsa_addrfam
;
744 sap
->sadb_sa_auth
= sa
->ipsa_auth_alg
;
745 sap
->sadb_sa_encrypt
= sa
->ipsa_encr_alg
;
747 sap
->sadb_key_len_a
= sa
->ipsa_authkeylen
;
748 sap
->sadb_key_bits_a
= sa
->ipsa_authkeybits
;
749 bcopy(sa
->ipsa_authkey
,
750 sap
->sadb_key_data_a
, sap
->sadb_key_len_a
);
752 sap
->sadb_key_len_e
= sa
->ipsa_encrkeylen
;
753 sap
->sadb_key_bits_e
= sa
->ipsa_encrkeybits
;
754 bcopy(sa
->ipsa_encrkey
,
755 sap
->sadb_key_data_e
, sap
->sadb_key_len_e
);
757 mp
->b_wptr
+= sizeof (dl_ct_ipsec_t
) + sizeof (dl_ct_ipsec_key_t
);
762 * Called from AH or ESP to format a message which will be used to inform
763 * IPsec-acceleration-capable ills of a SADB change.
764 * (It is not possible to send the message to IP directly from this function
765 * since the SA, if any, is locked during the call).
767 * dl_operation: DL_CONTROL_REQ operation (add, delete, update, etc)
768 * sa_type: identifies whether the operation applies to AH or ESP
769 * (must be one of SADB_SATYPE_AH or SADB_SATYPE_ESP)
770 * sa: Pointer to an SA. Must be non-NULL and locked
771 * for ADD, DELETE, GET, and UPDATE operations.
772 * This function returns an mblk chain that must be passed to IP
773 * for forwarding to the IPsec capable providers.
776 sadb_fmt_sa_req(uint_t dl_operation
, uint_t sa_type
, ipsa_t
*sa
,
777 boolean_t is_inbound
)
780 dl_control_req_t
*ctrl
;
781 boolean_t need_key
= B_FALSE
;
782 mblk_t
*ctl_mp
= NULL
;
786 * 1 allocate and initialize DL_CONTROL_REQ M_PROTO
787 * 2 if a key is needed for the operation
789 * 2.2 if a full SA is needed for the operation
790 * 2.2.1 initialize full SA info
791 * 3 return message; caller will call ill_ipsec_capab_send_all()
792 * to send the resulting message to IPsec capable ills.
795 ASSERT(sa_type
== SADB_SATYPE_AH
|| sa_type
== SADB_SATYPE_ESP
);
798 * Allocate DL_CONTROL_REQ M_PROTO
799 * We allocate room for the SA even if it's not needed
800 * by some of the operations (for example flush)
802 mp
= allocb(sizeof (dl_control_req_t
) +
803 sizeof (dl_ct_ipsec_key_t
) + sizeof (dl_ct_ipsec_t
), BPRI_HI
);
806 mp
->b_datap
->db_type
= M_PROTO
;
808 /* initialize dl_control_req_t */
809 ctrl
= (dl_control_req_t
*)mp
->b_wptr
;
810 ctrl
->dl_primitive
= DL_CONTROL_REQ
;
811 ctrl
->dl_operation
= dl_operation
;
812 ctrl
->dl_type
= sa_type
== SADB_SATYPE_AH
? DL_CT_IPSEC_AH
:
814 ctrl
->dl_key_offset
= sizeof (dl_control_req_t
);
815 ctrl
->dl_key_length
= sizeof (dl_ct_ipsec_key_t
);
816 ctrl
->dl_data_offset
= sizeof (dl_control_req_t
) +
817 sizeof (dl_ct_ipsec_key_t
);
818 ctrl
->dl_data_length
= sizeof (dl_ct_ipsec_t
);
819 mp
->b_wptr
+= sizeof (dl_control_req_t
);
821 if ((dl_operation
== DL_CO_SET
) || (dl_operation
== DL_CO_DELETE
)) {
823 ASSERT(MUTEX_HELD(&sa
->ipsa_lock
));
828 * Initialize key and SA data. Note that for some
829 * operations the SA data is ignored by the provider
832 if (!sadb_req_from_sa(sa
, mp
, is_inbound
))
836 /* construct control message */
837 ctl_mp
= allocb(sizeof (ipsec_ctl_t
), BPRI_HI
);
838 if (ctl_mp
== NULL
) {
839 cmn_err(CE_WARN
, "sadb_fmt_sa_req: allocb failed\n");
844 ctl_mp
->b_datap
->db_type
= M_CTL
;
845 ctl_mp
->b_wptr
+= sizeof (ipsec_ctl_t
);
848 ctl
= (ipsec_ctl_t
*)ctl_mp
->b_rptr
;
849 ctl
->ipsec_ctl_type
= IPSEC_CTL
;
850 ctl
->ipsec_ctl_len
= sizeof (ipsec_ctl_t
);
851 ctl
->ipsec_ctl_sa_type
= sa_type
;
855 * Keep an additional reference on SA, since it will be
856 * needed by IP to send control messages corresponding
857 * to that SA from its perimeter. IP will do a
858 * IPSA_REFRELE when done with the request.
860 ASSERT(MUTEX_HELD(&sa
->ipsa_lock
));
862 ctl
->ipsec_ctl_sa
= sa
;
864 ctl
->ipsec_ctl_sa
= NULL
;
871 * Called by sadb_ill_download() to dump the entries for a specific
872 * fanout table. For each SA entry in the table passed as argument,
873 * use mp as a template and constructs a full DL_CONTROL message, and
874 * call ill_dlpi_send(), provided by IP, to send the resulting
875 * messages to the ill.
878 sadb_ill_df(ill_t
*ill
, mblk_t
*mp
, isaf_t
*fanout
, int num_entries
,
879 boolean_t is_inbound
)
882 mblk_t
*nmp
, *salist
;
884 ip_stack_t
*ipst
= ill
->ill_ipst
;
885 netstack_t
*ns
= ipst
->ips_netstack
;
887 IPSECHW_DEBUG(IPSECHW_SADB
, ("sadb_ill_df: fanout at 0x%p ne=%d\n",
888 (void *)fanout
, num_entries
));
890 * For each IPSA hash bucket do:
892 * - Walk each entry, sending a corresponding request to IP
895 ASSERT(mp
->b_datap
->db_type
== M_PROTO
);
897 for (i
= 0; i
< num_entries
; i
++) {
898 mutex_enter(&fanout
[i
].isaf_lock
);
901 for (walker
= fanout
[i
].isaf_ipsa
; walker
!= NULL
;
902 walker
= walker
->ipsa_next
) {
903 IPSECHW_DEBUG(IPSECHW_SADB
,
904 ("sadb_ill_df: sending SA to ill via IP \n"));
906 * Duplicate the template mp passed and
907 * complete DL_CONTROL_REQ data.
908 * To be more memory efficient, we could use
909 * dupb() for the M_CTL and copyb() for the M_PROTO
910 * as the M_CTL, since the M_CTL is the same for
911 * every SA entry passed down to IP for the same ill.
913 * Note that copymsg/copyb ensure that the new mblk
914 * is at least as large as the source mblk even if it's
915 * not using all its storage -- therefore, nmp
916 * has trailing space for sadb_req_from_sa to add
917 * the SA-specific bits.
919 mutex_enter(&walker
->ipsa_lock
);
920 if (ipsec_capab_match(ill
,
921 ill
->ill_phyint
->phyint_ifindex
, ill
->ill_isv6
,
925 IPSECHW_DEBUG(IPSECHW_SADB
,
926 ("sadb_ill_df: alloc error\n"));
928 mutex_exit(&walker
->ipsa_lock
);
931 if (sadb_req_from_sa(walker
, nmp
, is_inbound
)) {
932 nmp
->b_next
= salist
;
936 mutex_exit(&walker
->ipsa_lock
);
938 mutex_exit(&fanout
[i
].isaf_lock
);
939 while (salist
!= NULL
) {
941 salist
= nmp
->b_next
;
943 ill_dlpi_send(ill
, nmp
);
946 break; /* out of for loop. */
951 * Called by ill_ipsec_capab_add(). Sends a copy of the SADB of
952 * the type specified by sa_type to the specified ill.
954 * We call for each fanout table defined by the SADB (one per
955 * protocol). sadb_ill_df() finally calls ill_dlpi_send() for
956 * each SADB entry in order to send a corresponding DL_CONTROL_REQ
957 * message to the ill.
960 sadb_ill_download(ill_t
*ill
, uint_t sa_type
)
962 mblk_t
*protomp
; /* prototype message */
963 dl_control_req_t
*ctrl
;
967 ip_stack_t
*ipst
= ill
->ill_ipst
;
968 netstack_t
*ns
= ipst
->ips_netstack
;
970 ASSERT(sa_type
== SADB_SATYPE_AH
|| sa_type
== SADB_SATYPE_ESP
);
973 * Allocate and initialize prototype answer. A duplicate for
974 * each SA is sent down to the interface.
977 /* DL_CONTROL_REQ M_PROTO mblk_t */
978 protomp
= allocb(sizeof (dl_control_req_t
) +
979 sizeof (dl_ct_ipsec_key_t
) + sizeof (dl_ct_ipsec_t
), BPRI_HI
);
982 protomp
->b_datap
->db_type
= M_PROTO
;
984 dlt
= (sa_type
== SADB_SATYPE_AH
) ? DL_CT_IPSEC_AH
: DL_CT_IPSEC_ESP
;
985 if (sa_type
== SADB_SATYPE_ESP
) {
986 ipsecesp_stack_t
*espstack
= ns
->netstack_ipsecesp
;
988 spp
= &espstack
->esp_sadb
;
990 ipsecah_stack_t
*ahstack
= ns
->netstack_ipsecah
;
992 spp
= &ahstack
->ah_sadb
;
995 ctrl
= (dl_control_req_t
*)protomp
->b_wptr
;
996 ctrl
->dl_primitive
= DL_CONTROL_REQ
;
997 ctrl
->dl_operation
= DL_CO_SET
;
999 ctrl
->dl_key_offset
= sizeof (dl_control_req_t
);
1000 ctrl
->dl_key_length
= sizeof (dl_ct_ipsec_key_t
);
1001 ctrl
->dl_data_offset
= sizeof (dl_control_req_t
) +
1002 sizeof (dl_ct_ipsec_key_t
);
1003 ctrl
->dl_data_length
= sizeof (dl_ct_ipsec_t
);
1004 protomp
->b_wptr
+= sizeof (dl_control_req_t
);
1007 * then for each SADB entry, we fill out the dl_ct_ipsec_key_t
1010 sp
= ill
->ill_isv6
? &(spp
->s_v6
) : &(spp
->s_v4
);
1011 sadb_ill_df(ill
, protomp
, sp
->sdb_of
, sp
->sdb_hashsize
, B_FALSE
);
1012 sadb_ill_df(ill
, protomp
, sp
->sdb_if
, sp
->sdb_hashsize
, B_TRUE
);
1017 * Call me to free up a security association fanout. Use the forever
1018 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g.
1019 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE,
1020 * when a module is unloaded).
1023 sadb_destroyer(isaf_t
**tablep
, uint_t numentries
, boolean_t forever
,
1027 isaf_t
*table
= *tablep
;
1033 for (i
= 0; i
< numentries
; i
++) {
1034 mutex_enter(&table
[i
].isaf_lock
);
1035 while (table
[i
].isaf_ipsa
!= NULL
) {
1036 if (inbound
&& cl_inet_deletespi
&&
1037 (table
[i
].isaf_ipsa
->ipsa_state
!=
1038 IPSA_STATE_ACTIVE_ELSEWHERE
) &&
1039 (table
[i
].isaf_ipsa
->ipsa_state
!=
1041 protocol
= (table
[i
].isaf_ipsa
->ipsa_type
==
1042 SADB_SATYPE_AH
) ? IPPROTO_AH
: IPPROTO_ESP
;
1043 cl_inet_deletespi(protocol
,
1044 table
[i
].isaf_ipsa
->ipsa_spi
);
1046 sadb_unlinkassoc(table
[i
].isaf_ipsa
);
1048 table
[i
].isaf_gen
++;
1049 mutex_exit(&table
[i
].isaf_lock
);
1051 mutex_destroy(&(table
[i
].isaf_lock
));
1056 kmem_free(table
, numentries
* sizeof (*table
));
1061 * Entry points to sadb_destroyer().
1064 sadb_flush(sadb_t
*sp
, netstack_t
*ns
)
1067 * Flush out each bucket, one at a time. Were it not for keysock's
1068 * enforcement, there would be a subtlety where I could add on the
1069 * heels of a flush. With keysock's enforcement, however, this
1070 * makes ESP's job easy.
1072 sadb_destroyer(&sp
->sdb_of
, sp
->sdb_hashsize
, B_FALSE
, B_FALSE
);
1073 sadb_destroyer(&sp
->sdb_if
, sp
->sdb_hashsize
, B_FALSE
, B_TRUE
);
1075 /* For each acquire, destroy it; leave the bucket mutex alone. */
1076 sadb_destroy_acqlist(&sp
->sdb_acq
, sp
->sdb_hashsize
, B_FALSE
, ns
);
1080 sadb_destroy(sadb_t
*sp
, netstack_t
*ns
)
1082 sadb_destroyer(&sp
->sdb_of
, sp
->sdb_hashsize
, B_TRUE
, B_FALSE
);
1083 sadb_destroyer(&sp
->sdb_if
, sp
->sdb_hashsize
, B_TRUE
, B_TRUE
);
1085 /* For each acquire, destroy it, including the bucket mutex. */
1086 sadb_destroy_acqlist(&sp
->sdb_acq
, sp
->sdb_hashsize
, B_TRUE
, ns
);
1088 ASSERT(sp
->sdb_of
== NULL
);
1089 ASSERT(sp
->sdb_if
== NULL
);
1090 ASSERT(sp
->sdb_acq
== NULL
);
1094 sadb_send_flush_req(sadbp_t
*spp
)
1099 * we've been unplumbed, or never were plumbed; don't go there.
1101 if (spp
->s_ip_q
== NULL
)
1104 /* have IP send a flush msg to the IPsec accelerators */
1105 ctl_mp
= sadb_fmt_sa_req(DL_CO_FLUSH
, spp
->s_satype
, NULL
, B_TRUE
);
1107 putnext(spp
->s_ip_q
, ctl_mp
);
1111 sadbp_flush(sadbp_t
*spp
, netstack_t
*ns
)
1113 sadb_flush(&spp
->s_v4
, ns
);
1114 sadb_flush(&spp
->s_v6
, ns
);
1116 sadb_send_flush_req(spp
);
1120 sadbp_destroy(sadbp_t
*spp
, netstack_t
*ns
)
1122 sadb_destroy(&spp
->s_v4
, ns
);
1123 sadb_destroy(&spp
->s_v6
, ns
);
1125 sadb_send_flush_req(spp
);
1126 if (spp
->s_satype
== SADB_SATYPE_AH
) {
1127 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
1129 ip_drop_unregister(&ipss
->ipsec_sadb_dropper
);
1135 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g.
1136 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for
1140 sadb_hardsoftchk(sadb_lifetime_t
*hard
, sadb_lifetime_t
*soft
,
1141 sadb_lifetime_t
*idle
)
1143 if (hard
== NULL
|| soft
== NULL
)
1146 if (hard
->sadb_lifetime_allocations
!= 0 &&
1147 soft
->sadb_lifetime_allocations
!= 0 &&
1148 hard
->sadb_lifetime_allocations
< soft
->sadb_lifetime_allocations
)
1149 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR
);
1151 if (hard
->sadb_lifetime_bytes
!= 0 &&
1152 soft
->sadb_lifetime_bytes
!= 0 &&
1153 hard
->sadb_lifetime_bytes
< soft
->sadb_lifetime_bytes
)
1154 return (SADB_X_DIAGNOSTIC_BYTES_HSERR
);
1156 if (hard
->sadb_lifetime_addtime
!= 0 &&
1157 soft
->sadb_lifetime_addtime
!= 0 &&
1158 hard
->sadb_lifetime_addtime
< soft
->sadb_lifetime_addtime
)
1159 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR
);
1161 if (hard
->sadb_lifetime_usetime
!= 0 &&
1162 soft
->sadb_lifetime_usetime
!= 0 &&
1163 hard
->sadb_lifetime_usetime
< soft
->sadb_lifetime_usetime
)
1164 return (SADB_X_DIAGNOSTIC_USETIME_HSERR
);
1167 if (hard
->sadb_lifetime_addtime
!= 0 &&
1168 idle
->sadb_lifetime_addtime
!= 0 &&
1169 hard
->sadb_lifetime_addtime
< idle
->sadb_lifetime_addtime
)
1170 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR
);
1172 if (soft
->sadb_lifetime_addtime
!= 0 &&
1173 idle
->sadb_lifetime_addtime
!= 0 &&
1174 soft
->sadb_lifetime_addtime
< idle
->sadb_lifetime_addtime
)
1175 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR
);
1177 if (hard
->sadb_lifetime_usetime
!= 0 &&
1178 idle
->sadb_lifetime_usetime
!= 0 &&
1179 hard
->sadb_lifetime_usetime
< idle
->sadb_lifetime_usetime
)
1180 return (SADB_X_DIAGNOSTIC_USETIME_HSERR
);
1182 if (soft
->sadb_lifetime_usetime
!= 0 &&
1183 idle
->sadb_lifetime_usetime
!= 0 &&
1184 soft
->sadb_lifetime_usetime
< idle
->sadb_lifetime_usetime
)
1185 return (SADB_X_DIAGNOSTIC_USETIME_HSERR
);
1192 * Clone a security association for the purposes of inserting a single SA
1193 * into inbound and outbound tables respectively. This function should only
1194 * be called from sadb_common_add().
1197 sadb_cloneassoc(ipsa_t
*ipsa
)
1200 boolean_t error
= B_FALSE
;
1202 ASSERT(MUTEX_NOT_HELD(&(ipsa
->ipsa_lock
)));
1204 newbie
= kmem_alloc(sizeof (ipsa_t
), KM_NOSLEEP
);
1208 /* Copy over what we can. */
1211 /* bzero and initialize locks, in case *_init() allocates... */
1212 mutex_init(&newbie
->ipsa_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
1215 * While somewhat dain-bramaged, the most graceful way to
1216 * recover from errors is to keep plowing through the
1217 * allocations, and getting what I can. It's easier to call
1218 * sadb_freeassoc() on the stillborn clone when all the
1219 * pointers aren't pointing to the parent's data.
1222 if (ipsa
->ipsa_authkey
!= NULL
) {
1223 newbie
->ipsa_authkey
= kmem_alloc(newbie
->ipsa_authkeylen
,
1225 if (newbie
->ipsa_authkey
== NULL
) {
1228 bcopy(ipsa
->ipsa_authkey
, newbie
->ipsa_authkey
,
1229 newbie
->ipsa_authkeylen
);
1231 newbie
->ipsa_kcfauthkey
.ck_data
=
1232 newbie
->ipsa_authkey
;
1235 if (newbie
->ipsa_amech
.cm_param
!= NULL
) {
1236 newbie
->ipsa_amech
.cm_param
=
1237 (char *)&newbie
->ipsa_mac_len
;
1241 if (ipsa
->ipsa_encrkey
!= NULL
) {
1242 newbie
->ipsa_encrkey
= kmem_alloc(newbie
->ipsa_encrkeylen
,
1244 if (newbie
->ipsa_encrkey
== NULL
) {
1247 bcopy(ipsa
->ipsa_encrkey
, newbie
->ipsa_encrkey
,
1248 newbie
->ipsa_encrkeylen
);
1250 newbie
->ipsa_kcfencrkey
.ck_data
=
1251 newbie
->ipsa_encrkey
;
1255 newbie
->ipsa_authtmpl
= NULL
;
1256 newbie
->ipsa_encrtmpl
= NULL
;
1257 newbie
->ipsa_haspeer
= B_TRUE
;
1259 if (ipsa
->ipsa_integ
!= NULL
) {
1260 newbie
->ipsa_integ
= kmem_alloc(newbie
->ipsa_integlen
,
1262 if (newbie
->ipsa_integ
== NULL
) {
1265 bcopy(ipsa
->ipsa_integ
, newbie
->ipsa_integ
,
1266 newbie
->ipsa_integlen
);
1270 if (ipsa
->ipsa_sens
!= NULL
) {
1271 newbie
->ipsa_sens
= kmem_alloc(newbie
->ipsa_senslen
,
1273 if (newbie
->ipsa_sens
== NULL
) {
1276 bcopy(ipsa
->ipsa_sens
, newbie
->ipsa_sens
,
1277 newbie
->ipsa_senslen
);
1281 if (ipsa
->ipsa_src_cid
!= NULL
) {
1282 newbie
->ipsa_src_cid
= ipsa
->ipsa_src_cid
;
1283 IPSID_REFHOLD(ipsa
->ipsa_src_cid
);
1286 if (ipsa
->ipsa_dst_cid
!= NULL
) {
1287 newbie
->ipsa_dst_cid
= ipsa
->ipsa_dst_cid
;
1288 IPSID_REFHOLD(ipsa
->ipsa_dst_cid
);
1292 sadb_freeassoc(newbie
);
1300 * Initialize a SADB address extension at the address specified by addrext.
1301 * Return a pointer to the end of the new address extension.
1304 sadb_make_addr_ext(uint8_t *start
, uint8_t *end
, uint16_t exttype
,
1305 sa_family_t af
, uint32_t *addr
, uint16_t port
, uint8_t proto
, int prefix
)
1307 struct sockaddr_in
*sin
;
1308 struct sockaddr_in6
*sin6
;
1309 uint8_t *cur
= start
;
1312 sadb_address_t
*addrext
= (sadb_address_t
*)cur
;
1317 cur
+= sizeof (*addrext
);
1321 addrext
->sadb_address_proto
= proto
;
1322 addrext
->sadb_address_prefixlen
= prefix
;
1323 addrext
->sadb_address_reserved
= 0;
1324 addrext
->sadb_address_exttype
= exttype
;
1328 sin
= (struct sockaddr_in
*)cur
;
1329 sin_len
= sizeof (*sin
);
1334 sin
->sin_family
= af
;
1335 bzero(sin
->sin_zero
, sizeof (sin
->sin_zero
));
1336 sin
->sin_port
= port
;
1337 IPSA_COPY_ADDR(&sin
->sin_addr
, addr
, af
);
1340 sin6
= (struct sockaddr_in6
*)cur
;
1341 sin_len
= sizeof (*sin6
);
1346 bzero(sin6
, sizeof (*sin6
));
1347 sin6
->sin6_family
= af
;
1348 sin6
->sin6_port
= port
;
1349 IPSA_COPY_ADDR(&sin6
->sin6_addr
, addr
, af
);
1353 addrext_len
= roundup(cur
- start
, sizeof (uint64_t));
1354 addrext
->sadb_address_len
= SADB_8TO64(addrext_len
);
1356 cur
= start
+ addrext_len
;
1364 * Construct a key management cookie extension.
1368 sadb_make_kmc_ext(uint8_t *cur
, uint8_t *end
, uint32_t kmp
, uint32_t kmc
)
1370 sadb_x_kmc_t
*kmcext
= (sadb_x_kmc_t
*)cur
;
1375 cur
+= sizeof (*kmcext
);
1380 kmcext
->sadb_x_kmc_len
= SADB_8TO64(sizeof (*kmcext
));
1381 kmcext
->sadb_x_kmc_exttype
= SADB_X_EXT_KM_COOKIE
;
1382 kmcext
->sadb_x_kmc_proto
= kmp
;
1383 kmcext
->sadb_x_kmc_cookie
= kmc
;
1384 kmcext
->sadb_x_kmc_reserved
= 0;
1390 * Given an original message header with sufficient space following it, and an
1391 * SA, construct a full PF_KEY message with all of the relevant extensions.
1392 * This is mostly used for SADB_GET, and SADB_DUMP.
1395 sadb_sa2msg(ipsa_t
*ipsa
, sadb_msg_t
*samsg
)
1397 int alloclen
, addrsize
, paddrsize
, authsize
, encrsize
;
1398 int srcidsize
, dstidsize
;
1399 sa_family_t fam
, pfam
; /* Address family for SADB_EXT_ADDRESS */
1400 /* src/dst and proxy sockaddrs. */
1402 * The following are pointers into the PF_KEY message this PF_KEY
1405 sadb_msg_t
*newsamsg
;
1407 sadb_lifetime_t
*lt
;
1409 sadb_ident_t
*ident
;
1411 sadb_ext_t
*walker
; /* For when we need a generic ext. pointer. */
1412 sadb_x_replay_ctr_t
*repl_ctr
;
1413 sadb_x_pair_t
*pair_ext
;
1418 /* These indicate the presence of the above extension fields. */
1419 boolean_t soft
, hard
, isrc
, idst
, auth
, encr
, sensinteg
, srcid
, dstid
;
1424 /* First off, figure out the allocation length for this message. */
1427 * Constant stuff. This includes base, SA, address (src, dst),
1428 * and lifetime (current).
1430 alloclen
= sizeof (sadb_msg_t
) + sizeof (sadb_sa_t
) +
1431 sizeof (sadb_lifetime_t
);
1433 fam
= ipsa
->ipsa_addrfam
;
1436 addrsize
= roundup(sizeof (struct sockaddr_in
) +
1437 sizeof (sadb_address_t
), sizeof (uint64_t));
1440 addrsize
= roundup(sizeof (struct sockaddr_in6
) +
1441 sizeof (sadb_address_t
), sizeof (uint64_t));
1447 * Allocate TWO address extensions, for source and destination.
1450 alloclen
+= addrsize
* 2;
1451 if (ipsa
->ipsa_flags
& IPSA_F_NATT_REM
)
1452 alloclen
+= addrsize
;
1453 if (ipsa
->ipsa_flags
& IPSA_F_NATT_LOC
)
1454 alloclen
+= addrsize
;
1456 if (ipsa
->ipsa_flags
& IPSA_F_PAIRED
) {
1458 alloclen
+= sizeof (sadb_x_pair_t
);
1459 otherspi
= ipsa
->ipsa_otherspi
;
1464 /* How 'bout other lifetimes? */
1465 if (ipsa
->ipsa_softaddlt
!= 0 || ipsa
->ipsa_softuselt
!= 0 ||
1466 ipsa
->ipsa_softbyteslt
!= 0 || ipsa
->ipsa_softalloc
!= 0) {
1467 alloclen
+= sizeof (sadb_lifetime_t
);
1473 if (ipsa
->ipsa_hardaddlt
!= 0 || ipsa
->ipsa_harduselt
!= 0 ||
1474 ipsa
->ipsa_hardbyteslt
!= 0 || ipsa
->ipsa_hardalloc
!= 0) {
1475 alloclen
+= sizeof (sadb_lifetime_t
);
1481 if (ipsa
->ipsa_idleaddlt
!= 0 || ipsa
->ipsa_idleuselt
!= 0) {
1482 alloclen
+= sizeof (sadb_lifetime_t
);
1488 /* Inner addresses. */
1489 if (ipsa
->ipsa_innerfam
== 0) {
1493 pfam
= ipsa
->ipsa_innerfam
;
1496 paddrsize
= roundup(sizeof (struct sockaddr_in6
) +
1497 sizeof (sadb_address_t
), sizeof (uint64_t));
1500 paddrsize
= roundup(sizeof (struct sockaddr_in
) +
1501 sizeof (sadb_address_t
), sizeof (uint64_t));
1505 "IPsec SADB: Proxy length failure.\n");
1510 alloclen
+= 2 * paddrsize
;
1513 /* For the following fields, assume that length != 0 ==> stuff */
1514 if (ipsa
->ipsa_authkeylen
!= 0) {
1515 authsize
= roundup(sizeof (sadb_key_t
) + ipsa
->ipsa_authkeylen
,
1517 alloclen
+= authsize
;
1523 if (ipsa
->ipsa_encrkeylen
!= 0) {
1524 encrsize
= roundup(sizeof (sadb_key_t
) + ipsa
->ipsa_encrkeylen
,
1526 alloclen
+= encrsize
;
1532 /* No need for roundup on sens and integ. */
1533 if (ipsa
->ipsa_integlen
!= 0 || ipsa
->ipsa_senslen
!= 0) {
1534 alloclen
+= sizeof (sadb_key_t
) + ipsa
->ipsa_integlen
+
1538 sensinteg
= B_FALSE
;
1542 * Must use strlen() here for lengths. Identities use NULL
1543 * pointers to indicate their nonexistence.
1545 if (ipsa
->ipsa_src_cid
!= NULL
) {
1546 srcidsize
= roundup(sizeof (sadb_ident_t
) +
1547 strlen(ipsa
->ipsa_src_cid
->ipsid_cid
) + 1,
1549 alloclen
+= srcidsize
;
1555 if (ipsa
->ipsa_dst_cid
!= NULL
) {
1556 dstidsize
= roundup(sizeof (sadb_ident_t
) +
1557 strlen(ipsa
->ipsa_dst_cid
->ipsid_cid
) + 1,
1559 alloclen
+= dstidsize
;
1565 if ((ipsa
->ipsa_kmp
!= 0) || (ipsa
->ipsa_kmc
!= 0))
1566 alloclen
+= sizeof (sadb_x_kmc_t
);
1568 if (ipsa
->ipsa_replay
!= 0) {
1569 alloclen
+= sizeof (sadb_x_replay_ctr_t
);
1572 /* Make sure the allocation length is a multiple of 8 bytes. */
1573 ASSERT((alloclen
& 0x7) == 0);
1575 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */
1576 mp
= allocb(alloclen
, BPRI_HI
);
1580 mp
->b_wptr
+= alloclen
;
1582 newsamsg
= (sadb_msg_t
*)mp
->b_rptr
;
1584 newsamsg
->sadb_msg_len
= (uint16_t)SADB_8TO64(alloclen
);
1586 mutex_enter(&ipsa
->ipsa_lock
); /* Since I'm grabbing SA fields... */
1588 newsamsg
->sadb_msg_satype
= ipsa
->ipsa_type
;
1590 assoc
= (sadb_sa_t
*)(newsamsg
+ 1);
1591 assoc
->sadb_sa_len
= SADB_8TO64(sizeof (*assoc
));
1592 assoc
->sadb_sa_exttype
= SADB_EXT_SA
;
1593 assoc
->sadb_sa_spi
= ipsa
->ipsa_spi
;
1594 assoc
->sadb_sa_replay
= ipsa
->ipsa_replay_wsize
;
1595 assoc
->sadb_sa_state
= ipsa
->ipsa_state
;
1596 assoc
->sadb_sa_auth
= ipsa
->ipsa_auth_alg
;
1597 assoc
->sadb_sa_encrypt
= ipsa
->ipsa_encr_alg
;
1598 assoc
->sadb_sa_flags
= ipsa
->ipsa_flags
;
1600 lt
= (sadb_lifetime_t
*)(assoc
+ 1);
1601 lt
->sadb_lifetime_len
= SADB_8TO64(sizeof (*lt
));
1602 lt
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_CURRENT
;
1603 /* We do not support the concept. */
1604 lt
->sadb_lifetime_allocations
= 0;
1605 lt
->sadb_lifetime_bytes
= ipsa
->ipsa_bytes
;
1606 lt
->sadb_lifetime_addtime
= ipsa
->ipsa_addtime
;
1607 lt
->sadb_lifetime_usetime
= ipsa
->ipsa_usetime
;
1611 lt
->sadb_lifetime_len
= SADB_8TO64(sizeof (*lt
));
1612 lt
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_HARD
;
1613 lt
->sadb_lifetime_allocations
= ipsa
->ipsa_hardalloc
;
1614 lt
->sadb_lifetime_bytes
= ipsa
->ipsa_hardbyteslt
;
1615 lt
->sadb_lifetime_addtime
= ipsa
->ipsa_hardaddlt
;
1616 lt
->sadb_lifetime_usetime
= ipsa
->ipsa_harduselt
;
1621 lt
->sadb_lifetime_len
= SADB_8TO64(sizeof (*lt
));
1622 lt
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_SOFT
;
1623 lt
->sadb_lifetime_allocations
= ipsa
->ipsa_softalloc
;
1624 lt
->sadb_lifetime_bytes
= ipsa
->ipsa_softbyteslt
;
1625 lt
->sadb_lifetime_addtime
= ipsa
->ipsa_softaddlt
;
1626 lt
->sadb_lifetime_usetime
= ipsa
->ipsa_softuselt
;
1631 lt
->sadb_lifetime_len
= SADB_8TO64(sizeof (*lt
));
1632 lt
->sadb_lifetime_exttype
= SADB_X_EXT_LIFETIME_IDLE
;
1633 lt
->sadb_lifetime_addtime
= ipsa
->ipsa_idleaddlt
;
1634 lt
->sadb_lifetime_usetime
= ipsa
->ipsa_idleuselt
;
1637 cur
= (uint8_t *)(lt
+ 1);
1639 /* NOTE: Don't fill in ports here if we are a tunnel-mode SA. */
1640 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_SRC
, fam
,
1641 ipsa
->ipsa_srcaddr
, (!isrc
&& !idst
) ? SA_SRCPORT(ipsa
) : 0,
1649 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_DST
, fam
,
1650 ipsa
->ipsa_dstaddr
, (!isrc
&& !idst
) ? SA_DSTPORT(ipsa
) : 0,
1658 if (ipsa
->ipsa_flags
& IPSA_F_NATT_LOC
) {
1659 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_NATT_LOC
,
1660 fam
, &ipsa
->ipsa_natt_addr_loc
, ipsa
->ipsa_local_nat_port
,
1669 if (ipsa
->ipsa_flags
& IPSA_F_NATT_REM
) {
1670 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_NATT_REM
,
1671 fam
, &ipsa
->ipsa_natt_addr_rem
, ipsa
->ipsa_remote_nat_port
,
1680 /* If we are a tunnel-mode SA, fill in the inner-selectors. */
1682 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_SRC
,
1683 pfam
, ipsa
->ipsa_innersrc
, SA_SRCPORT(ipsa
),
1684 SA_IPROTO(ipsa
), ipsa
->ipsa_innersrcpfx
);
1693 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_DST
,
1694 pfam
, ipsa
->ipsa_innerdst
, SA_DSTPORT(ipsa
),
1695 SA_IPROTO(ipsa
), ipsa
->ipsa_innerdstpfx
);
1703 if ((ipsa
->ipsa_kmp
!= 0) || (ipsa
->ipsa_kmc
!= 0)) {
1704 cur
= sadb_make_kmc_ext(cur
, end
,
1705 ipsa
->ipsa_kmp
, ipsa
->ipsa_kmc
);
1713 walker
= (sadb_ext_t
*)cur
;
1715 key
= (sadb_key_t
*)walker
;
1716 key
->sadb_key_len
= SADB_8TO64(authsize
);
1717 key
->sadb_key_exttype
= SADB_EXT_KEY_AUTH
;
1718 key
->sadb_key_bits
= ipsa
->ipsa_authkeybits
;
1719 key
->sadb_key_reserved
= 0;
1720 bcopy(ipsa
->ipsa_authkey
, key
+ 1, ipsa
->ipsa_authkeylen
);
1721 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1722 walker
->sadb_ext_len
);
1726 key
= (sadb_key_t
*)walker
;
1727 key
->sadb_key_len
= SADB_8TO64(encrsize
);
1728 key
->sadb_key_exttype
= SADB_EXT_KEY_ENCRYPT
;
1729 key
->sadb_key_bits
= ipsa
->ipsa_encrkeybits
;
1730 key
->sadb_key_reserved
= 0;
1731 bcopy(ipsa
->ipsa_encrkey
, key
+ 1, ipsa
->ipsa_encrkeylen
);
1732 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1733 walker
->sadb_ext_len
);
1737 ident
= (sadb_ident_t
*)walker
;
1738 ident
->sadb_ident_len
= SADB_8TO64(srcidsize
);
1739 ident
->sadb_ident_exttype
= SADB_EXT_IDENTITY_SRC
;
1740 ident
->sadb_ident_type
= ipsa
->ipsa_src_cid
->ipsid_type
;
1741 ident
->sadb_ident_id
= 0;
1742 ident
->sadb_ident_reserved
= 0;
1743 (void) strcpy((char *)(ident
+ 1),
1744 ipsa
->ipsa_src_cid
->ipsid_cid
);
1745 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1746 walker
->sadb_ext_len
);
1750 ident
= (sadb_ident_t
*)walker
;
1751 ident
->sadb_ident_len
= SADB_8TO64(dstidsize
);
1752 ident
->sadb_ident_exttype
= SADB_EXT_IDENTITY_DST
;
1753 ident
->sadb_ident_type
= ipsa
->ipsa_dst_cid
->ipsid_type
;
1754 ident
->sadb_ident_id
= 0;
1755 ident
->sadb_ident_reserved
= 0;
1756 (void) strcpy((char *)(ident
+ 1),
1757 ipsa
->ipsa_dst_cid
->ipsid_cid
);
1758 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1759 walker
->sadb_ext_len
);
1763 sens
= (sadb_sens_t
*)walker
;
1764 sens
->sadb_sens_len
= SADB_8TO64(sizeof (sadb_sens_t
*) +
1765 ipsa
->ipsa_senslen
+ ipsa
->ipsa_integlen
);
1766 sens
->sadb_sens_dpd
= ipsa
->ipsa_dpd
;
1767 sens
->sadb_sens_sens_level
= ipsa
->ipsa_senslevel
;
1768 sens
->sadb_sens_integ_level
= ipsa
->ipsa_integlevel
;
1769 sens
->sadb_sens_sens_len
= SADB_8TO64(ipsa
->ipsa_senslen
);
1770 sens
->sadb_sens_integ_len
= SADB_8TO64(ipsa
->ipsa_integlen
);
1771 sens
->sadb_sens_reserved
= 0;
1772 bitmap
= (uint64_t *)(sens
+ 1);
1773 if (ipsa
->ipsa_sens
!= NULL
) {
1774 bcopy(ipsa
->ipsa_sens
, bitmap
, ipsa
->ipsa_senslen
);
1775 bitmap
+= sens
->sadb_sens_sens_len
;
1777 if (ipsa
->ipsa_integ
!= NULL
)
1778 bcopy(ipsa
->ipsa_integ
, bitmap
, ipsa
->ipsa_integlen
);
1779 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1780 walker
->sadb_ext_len
);
1784 pair_ext
= (sadb_x_pair_t
*)walker
;
1786 pair_ext
->sadb_x_pair_len
= SADB_8TO64(sizeof (sadb_x_pair_t
));
1787 pair_ext
->sadb_x_pair_exttype
= SADB_X_EXT_PAIR
;
1788 pair_ext
->sadb_x_pair_spi
= otherspi
;
1790 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1791 walker
->sadb_ext_len
);
1794 if (ipsa
->ipsa_replay
!= 0) {
1795 repl_ctr
= (sadb_x_replay_ctr_t
*)walker
;
1796 repl_ctr
->sadb_x_rc_len
= SADB_8TO64(sizeof (*repl_ctr
));
1797 repl_ctr
->sadb_x_rc_exttype
= SADB_X_EXT_REPLAY_VALUE
;
1798 repl_ctr
->sadb_x_rc_replay32
= ipsa
->ipsa_replay
;
1799 repl_ctr
->sadb_x_rc_replay64
= 0;
1800 walker
= (sadb_ext_t
*)(repl_ctr
+ 1);
1804 /* Pardon any delays... */
1805 mutex_exit(&ipsa
->ipsa_lock
);
1811 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN)
1812 * and adjust base message accordingly.
1814 * Assume message is pulled up in one piece of contiguous memory.
1816 * Say if we start off with:
1818 * +------+----+-------------+-----------+---------------+---------------+
1819 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime |
1820 * +------+----+-------------+-----------+---------------+---------------+
1822 * we will end up with
1824 * +------+----+-------------+-----------+---------------+
1825 * | base | SA | source addr | dest addr | soft lifetime |
1826 * +------+----+-------------+-----------+---------------+
1829 sadb_strip(sadb_msg_t
*samsg
)
1832 uint8_t *target
= NULL
;
1834 int sofar
= SADB_8TO64(sizeof (*samsg
));
1837 ext
= (sadb_ext_t
*)(samsg
+ 1);
1838 msgend
= (uint8_t *)samsg
;
1839 msgend
+= SADB_64TO8(samsg
->sadb_msg_len
);
1840 while ((uint8_t *)ext
< msgend
) {
1841 if (ext
->sadb_ext_type
== SADB_EXT_RESERVED
||
1842 ext
->sadb_ext_type
== SADB_EXT_KEY_AUTH
||
1843 ext
->sadb_ext_type
== SADB_X_EXT_EDUMP
||
1844 ext
->sadb_ext_type
== SADB_EXT_KEY_ENCRYPT
) {
1846 * Aha! I found a header to be erased.
1849 if (target
!= NULL
) {
1851 * If I had a previous header to be erased,
1852 * copy over it. I can get away with just
1853 * copying backwards because the target will
1854 * always be 8 bytes behind the source.
1856 copylen
= ((uint8_t *)ext
) - (target
+
1858 ((sadb_ext_t
*)target
)->sadb_ext_len
));
1859 ovbcopy(((uint8_t *)ext
- copylen
), target
,
1862 ((sadb_ext_t
*)target
)->sadb_ext_len
=
1863 SADB_8TO64(((uint8_t *)ext
) - target
+
1864 SADB_64TO8(ext
->sadb_ext_len
));
1866 target
= (uint8_t *)ext
;
1869 sofar
+= ext
->sadb_ext_len
;
1872 ext
= (sadb_ext_t
*)(((uint64_t *)ext
) + ext
->sadb_ext_len
);
1875 ASSERT((uint8_t *)ext
== msgend
);
1877 if (target
!= NULL
) {
1878 copylen
= ((uint8_t *)ext
) - (target
+
1879 SADB_64TO8(((sadb_ext_t
*)target
)->sadb_ext_len
));
1881 ovbcopy(((uint8_t *)ext
- copylen
), target
, copylen
);
1885 samsg
->sadb_msg_len
= (uint16_t)sofar
;
1887 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */
1891 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL
1892 * followed by an M_DATA with a PF_KEY message in it. The serial of
1893 * the sending keysock instance is included.
1896 sadb_pfkey_error(queue_t
*pfkey_q
, mblk_t
*mp
, int error
, int diagnostic
,
1899 mblk_t
*msg
= mp
->b_cont
;
1904 * Enough functions call this to merit a NULL queue check.
1906 if (pfkey_q
== NULL
) {
1911 ASSERT(msg
!= NULL
);
1912 ASSERT((mp
->b_wptr
- mp
->b_rptr
) == sizeof (ipsec_info_t
));
1913 ASSERT((msg
->b_wptr
- msg
->b_rptr
) >= sizeof (sadb_msg_t
));
1914 samsg
= (sadb_msg_t
*)msg
->b_rptr
;
1915 kso
= (keysock_out_t
*)mp
->b_rptr
;
1917 kso
->ks_out_type
= KEYSOCK_OUT
;
1918 kso
->ks_out_len
= sizeof (*kso
);
1919 kso
->ks_out_serial
= serial
;
1922 * Only send the base message up in the event of an error.
1923 * Don't worry about bzero()-ing, because it was probably bogus
1926 msg
->b_wptr
= msg
->b_rptr
+ sizeof (*samsg
);
1927 samsg
= (sadb_msg_t
*)msg
->b_rptr
;
1928 samsg
->sadb_msg_len
= SADB_8TO64(sizeof (*samsg
));
1929 samsg
->sadb_msg_errno
= (uint8_t)error
;
1930 if (diagnostic
!= SADB_X_DIAGNOSTIC_PRESET
)
1931 samsg
->sadb_x_msg_diagnostic
= (uint16_t)diagnostic
;
1933 putnext(pfkey_q
, mp
);
1937 * Send a successful return packet back to keysock via the queue in pfkey_q.
1939 * Often, an SA is associated with the reply message, it's passed in if needed,
1940 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held,
1941 * and the caller will release said refcnt.
1944 sadb_pfkey_echo(queue_t
*pfkey_q
, mblk_t
*mp
, sadb_msg_t
*samsg
,
1945 keysock_in_t
*ksi
, ipsa_t
*ipsa
)
1949 sadb_msg_t
*newsamsg
;
1952 ASSERT((mp
->b_cont
!= NULL
) &&
1953 ((void *)samsg
== (void *)mp
->b_cont
->b_rptr
) &&
1954 ((void *)mp
->b_rptr
== (void *)ksi
));
1956 switch (samsg
->sadb_msg_type
) {
1959 case SADB_X_UPDATEPAIR
:
1960 case SADB_X_DELPAIR_STATE
:
1964 * I have all of the message already. I just need to strip
1965 * out the keying material and echo the message back.
1967 * NOTE: for SADB_DUMP, the function sadb_dump() did the
1968 * work. When DUMP reaches here, it should only be a base
1972 if (ksi
->ks_in_extv
[SADB_EXT_KEY_AUTH
] != NULL
||
1973 ksi
->ks_in_extv
[SADB_EXT_KEY_ENCRYPT
] != NULL
||
1974 ksi
->ks_in_extv
[SADB_X_EXT_EDUMP
] != NULL
) {
1976 /* Assume PF_KEY message is contiguous. */
1977 ASSERT(mp
->b_cont
->b_cont
== NULL
);
1978 oldend
= mp
->b_cont
->b_wptr
;
1979 mp
->b_cont
->b_wptr
= mp
->b_cont
->b_rptr
+
1980 SADB_64TO8(samsg
->sadb_msg_len
);
1981 bzero(mp
->b_cont
->b_wptr
, oldend
- mp
->b_cont
->b_wptr
);
1986 * Do a lot of work here, because of the ipsa I just found.
1987 * First construct the new PF_KEY message, then abandon
1990 mp1
= sadb_sa2msg(ipsa
, samsg
);
1992 sadb_pfkey_error(pfkey_q
, mp
, ENOMEM
,
1993 SADB_X_DIAGNOSTIC_NONE
, ksi
->ks_in_serial
);
1996 freemsg(mp
->b_cont
);
2000 case SADB_X_DELPAIR
:
2004 * Because listening KMds may require more info, treat
2005 * DELETE like a special case of GET.
2007 mp1
= sadb_sa2msg(ipsa
, samsg
);
2009 sadb_pfkey_error(pfkey_q
, mp
, ENOMEM
,
2010 SADB_X_DIAGNOSTIC_NONE
, ksi
->ks_in_serial
);
2013 newsamsg
= (sadb_msg_t
*)mp1
->b_rptr
;
2014 sadb_strip(newsamsg
);
2015 oldend
= mp1
->b_wptr
;
2016 mp1
->b_wptr
= mp1
->b_rptr
+ SADB_64TO8(newsamsg
->sadb_msg_len
);
2017 bzero(mp1
->b_wptr
, oldend
- mp1
->b_wptr
);
2018 freemsg(mp
->b_cont
);
2027 /* ksi is now null and void. */
2028 kso
= (keysock_out_t
*)ksi
;
2029 kso
->ks_out_type
= KEYSOCK_OUT
;
2030 kso
->ks_out_len
= sizeof (*kso
);
2031 kso
->ks_out_serial
= ksi
->ks_in_serial
;
2032 /* We're ready to send... */
2033 putnext(pfkey_q
, mp
);
2037 * Set up a global pfkey_q instance for AH, ESP, or some other consumer.
2040 sadb_keysock_hello(queue_t
**pfkey_qp
, queue_t
*q
, mblk_t
*mp
,
2041 void (*ager
)(void *), void *agerarg
, timeout_id_t
*top
, int satype
)
2043 keysock_hello_ack_t
*kha
;
2046 ASSERT(OTHERQ(q
) != NULL
);
2049 * First, check atomically that I'm the first and only keysock
2052 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp),
2053 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY
2057 oldq
= casptr((void **)pfkey_qp
, NULL
, OTHERQ(q
));
2060 cmn_err(CE_WARN
, "Danger! Multiple keysocks on top of %s.\n",
2061 (satype
== SADB_SATYPE_ESP
)? "ESP" : "AH or other");
2066 kha
= (keysock_hello_ack_t
*)mp
->b_rptr
;
2067 kha
->ks_hello_len
= sizeof (keysock_hello_ack_t
);
2068 kha
->ks_hello_type
= KEYSOCK_HELLO_ACK
;
2069 kha
->ks_hello_satype
= (uint8_t)satype
;
2072 * If we made it past the casptr, then we have "exclusive" access
2073 * to the timeout handle. Fire it off in 4 seconds, because it
2074 * just seems like a good interval.
2076 *top
= qtimeout(*pfkey_qp
, ager
, agerarg
, drv_usectohz(4000000));
2078 putnext(*pfkey_qp
, mp
);
2082 * Normalize IPv4-mapped IPv6 addresses (and prefixes) as appropriate.
2084 * Check addresses themselves for wildcard or multicast.
2085 * Check ire table for local/non-local/broadcast.
2088 sadb_addrcheck(queue_t
*pfkey_q
, mblk_t
*mp
, sadb_ext_t
*ext
, uint_t serial
,
2091 sadb_address_t
*addr
= (sadb_address_t
*)ext
;
2092 struct sockaddr_in
*sin
;
2093 struct sockaddr_in6
*sin6
;
2095 int diagnostic
, type
;
2096 boolean_t normalized
= B_FALSE
;
2098 ASSERT(ext
!= NULL
);
2099 ASSERT((ext
->sadb_ext_type
== SADB_EXT_ADDRESS_SRC
) ||
2100 (ext
->sadb_ext_type
== SADB_EXT_ADDRESS_DST
) ||
2101 (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_INNER_SRC
) ||
2102 (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_INNER_DST
) ||
2103 (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_NATT_LOC
) ||
2104 (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_NATT_REM
));
2106 /* Assign both sockaddrs, the compiler will do the right thing. */
2107 sin
= (struct sockaddr_in
*)(addr
+ 1);
2108 sin6
= (struct sockaddr_in6
*)(addr
+ 1);
2110 if (sin6
->sin6_family
== AF_INET6
) {
2111 if (IN6_IS_ADDR_V4MAPPED(&sin6
->sin6_addr
)) {
2113 * Convert to an AF_INET sockaddr. This means the
2114 * return messages will have the extra space, but have
2115 * AF_INET sockaddrs instead of AF_INET6.
2117 * Yes, RFC 2367 isn't clear on what to do here w.r.t.
2118 * mapped addresses, but since AF_INET6 ::ffff:<v4> is
2119 * equal to AF_INET <v4>, it shouldnt be a huge
2122 sin
->sin_family
= AF_INET
;
2123 IN6_V4MAPPED_TO_INADDR(&sin6
->sin6_addr
,
2125 bzero(&sin
->sin_zero
, sizeof (sin
->sin_zero
));
2126 normalized
= B_TRUE
;
2128 } else if (sin
->sin_family
!= AF_INET
) {
2129 switch (ext
->sadb_ext_type
) {
2130 case SADB_EXT_ADDRESS_SRC
:
2131 diagnostic
= SADB_X_DIAGNOSTIC_BAD_SRC_AF
;
2133 case SADB_EXT_ADDRESS_DST
:
2134 diagnostic
= SADB_X_DIAGNOSTIC_BAD_DST_AF
;
2136 case SADB_X_EXT_ADDRESS_INNER_SRC
:
2137 diagnostic
= SADB_X_DIAGNOSTIC_BAD_PROXY_AF
;
2139 case SADB_X_EXT_ADDRESS_INNER_DST
:
2140 diagnostic
= SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF
;
2142 case SADB_X_EXT_ADDRESS_NATT_LOC
:
2143 diagnostic
= SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF
;
2145 case SADB_X_EXT_ADDRESS_NATT_REM
:
2146 diagnostic
= SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF
;
2148 /* There is no default, see above ASSERT. */
2151 if (pfkey_q
!= NULL
) {
2152 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
, diagnostic
,
2156 * Scribble in sadb_msg that we got passed in.
2157 * Overload "mp" to be an sadb_msg pointer.
2159 sadb_msg_t
*samsg
= (sadb_msg_t
*)mp
;
2161 samsg
->sadb_msg_errno
= EINVAL
;
2162 samsg
->sadb_x_msg_diagnostic
= diagnostic
;
2164 return (KS_IN_ADDR_UNKNOWN
);
2167 if (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_INNER_SRC
||
2168 ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_INNER_DST
) {
2170 * We need only check for prefix issues.
2173 /* Set diagnostic now, in case we need it later. */
2175 (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_INNER_SRC
) ?
2176 SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC
:
2177 SADB_X_DIAGNOSTIC_PREFIX_INNER_DST
;
2180 addr
->sadb_address_prefixlen
-= 96;
2183 * Verify and mask out inner-addresses based on prefix length.
2185 if (sin
->sin_family
== AF_INET
) {
2186 if (addr
->sadb_address_prefixlen
> 32)
2188 sin
->sin_addr
.s_addr
&=
2189 ip_plen_to_mask(addr
->sadb_address_prefixlen
);
2193 ASSERT(sin
->sin_family
== AF_INET6
);
2195 * ip_plen_to_mask_v6() returns NULL if the value in
2196 * question is out of range.
2198 if (ip_plen_to_mask_v6(addr
->sadb_address_prefixlen
,
2201 sin6
->sin6_addr
.s6_addr32
[0] &= mask
.s6_addr32
[0];
2202 sin6
->sin6_addr
.s6_addr32
[1] &= mask
.s6_addr32
[1];
2203 sin6
->sin6_addr
.s6_addr32
[2] &= mask
.s6_addr32
[2];
2204 sin6
->sin6_addr
.s6_addr32
[3] &= mask
.s6_addr32
[3];
2207 /* We don't care in these cases. */
2208 return (KS_IN_ADDR_DONTCARE
);
2211 if (sin
->sin_family
== AF_INET6
) {
2212 /* Check the easy ones now. */
2213 if (IN6_IS_ADDR_MULTICAST(&sin6
->sin6_addr
))
2214 return (KS_IN_ADDR_MBCAST
);
2215 if (IN6_IS_ADDR_UNSPECIFIED(&sin6
->sin6_addr
))
2216 return (KS_IN_ADDR_UNSPEC
);
2218 * At this point, we're a unicast IPv6 address.
2220 * A ctable lookup for local is sufficient here. If we're
2221 * local, return KS_IN_ADDR_ME, otherwise KS_IN_ADDR_NOTME.
2223 * XXX Zones alert -> me/notme decision needs to be tempered
2224 * by what zone we're in when we go to zone-aware IPsec.
2226 ire
= ire_ctable_lookup_v6(&sin6
->sin6_addr
, NULL
,
2227 IRE_LOCAL
, NULL
, ALL_ZONES
, NULL
, MATCH_IRE_TYPE
,
2230 /* Hey hey, it's local. */
2232 return (KS_IN_ADDR_ME
);
2235 ASSERT(sin
->sin_family
== AF_INET
);
2236 if (sin
->sin_addr
.s_addr
== INADDR_ANY
)
2237 return (KS_IN_ADDR_UNSPEC
);
2238 if (CLASSD(sin
->sin_addr
.s_addr
))
2239 return (KS_IN_ADDR_MBCAST
);
2241 * At this point we're a unicast or broadcast IPv4 address.
2243 * Lookup on the ctable for IRE_BROADCAST or IRE_LOCAL.
2244 * A NULL return value is NOTME, otherwise, look at the
2245 * returned ire for broadcast or not and return accordingly.
2247 * XXX Zones alert -> me/notme decision needs to be tempered
2248 * by what zone we're in when we go to zone-aware IPsec.
2250 ire
= ire_ctable_lookup(sin
->sin_addr
.s_addr
, 0,
2251 IRE_LOCAL
| IRE_BROADCAST
, NULL
, ALL_ZONES
, NULL
,
2252 MATCH_IRE_TYPE
, ns
->netstack_ip
);
2254 /* Check for local or broadcast */
2255 type
= ire
->ire_type
;
2257 ASSERT(type
== IRE_LOCAL
|| type
== IRE_BROADCAST
);
2258 return ((type
== IRE_LOCAL
) ? KS_IN_ADDR_ME
:
2263 return (KS_IN_ADDR_NOTME
);
2267 * Address normalizations and reality checks for inbound PF_KEY messages.
2269 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert
2270 * the source to AF_INET. Do the same for the inner sources.
2273 sadb_addrfix(keysock_in_t
*ksi
, queue_t
*pfkey_q
, mblk_t
*mp
, netstack_t
*ns
)
2275 struct sockaddr_in
*src
, *isrc
;
2276 struct sockaddr_in6
*dst
, *idst
;
2277 sadb_address_t
*srcext
, *dstext
;
2279 sadb_ext_t
**extv
= ksi
->ks_in_extv
;
2282 if (extv
[SADB_EXT_ADDRESS_SRC
] != NULL
) {
2283 rc
= sadb_addrcheck(pfkey_q
, mp
, extv
[SADB_EXT_ADDRESS_SRC
],
2284 ksi
->ks_in_serial
, ns
);
2285 if (rc
== KS_IN_ADDR_UNKNOWN
)
2287 if (rc
== KS_IN_ADDR_MBCAST
) {
2288 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2289 SADB_X_DIAGNOSTIC_BAD_SRC
, ksi
->ks_in_serial
);
2292 ksi
->ks_in_srctype
= rc
;
2295 if (extv
[SADB_EXT_ADDRESS_DST
] != NULL
) {
2296 rc
= sadb_addrcheck(pfkey_q
, mp
, extv
[SADB_EXT_ADDRESS_DST
],
2297 ksi
->ks_in_serial
, ns
);
2298 if (rc
== KS_IN_ADDR_UNKNOWN
)
2300 if (rc
== KS_IN_ADDR_UNSPEC
) {
2301 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2302 SADB_X_DIAGNOSTIC_BAD_DST
, ksi
->ks_in_serial
);
2305 ksi
->ks_in_dsttype
= rc
;
2309 * NAT-Traversal addrs are simple enough to not require all of
2310 * the checks in sadb_addrcheck(). Just normalize or reject if not
2313 if (extv
[SADB_X_EXT_ADDRESS_NATT_LOC
] != NULL
) {
2314 rc
= sadb_addrcheck(pfkey_q
, mp
,
2315 extv
[SADB_X_EXT_ADDRESS_NATT_LOC
], ksi
->ks_in_serial
, ns
);
2318 * Local NAT-T addresses never use an IRE_LOCAL, so it should
2319 * always be NOTME, or UNSPEC (to handle both tunnel mode
2320 * AND local-port flexibility).
2322 if (rc
!= KS_IN_ADDR_NOTME
&& rc
!= KS_IN_ADDR_UNSPEC
) {
2323 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2324 SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC
,
2328 src
= (struct sockaddr_in
*)
2329 (((sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_NATT_LOC
]) + 1);
2330 if (src
->sin_family
!= AF_INET
) {
2331 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2332 SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF
,
2338 if (extv
[SADB_X_EXT_ADDRESS_NATT_REM
] != NULL
) {
2339 rc
= sadb_addrcheck(pfkey_q
, mp
,
2340 extv
[SADB_X_EXT_ADDRESS_NATT_REM
], ksi
->ks_in_serial
, ns
);
2343 * Remote NAT-T addresses never use an IRE_LOCAL, so it should
2344 * always be NOTME, or UNSPEC if it's a tunnel-mode SA.
2346 if (rc
!= KS_IN_ADDR_NOTME
&&
2347 !(extv
[SADB_X_EXT_ADDRESS_INNER_SRC
] != NULL
&&
2348 rc
== KS_IN_ADDR_UNSPEC
)) {
2349 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2350 SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM
,
2354 src
= (struct sockaddr_in
*)
2355 (((sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_NATT_REM
]) + 1);
2356 if (src
->sin_family
!= AF_INET
) {
2357 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2358 SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF
,
2364 if (extv
[SADB_X_EXT_ADDRESS_INNER_SRC
] != NULL
) {
2365 if (extv
[SADB_X_EXT_ADDRESS_INNER_DST
] == NULL
) {
2366 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2367 SADB_X_DIAGNOSTIC_MISSING_INNER_DST
,
2372 if (sadb_addrcheck(pfkey_q
, mp
,
2373 extv
[SADB_X_EXT_ADDRESS_INNER_DST
], ksi
->ks_in_serial
, ns
)
2374 == KS_IN_ADDR_UNKNOWN
||
2375 sadb_addrcheck(pfkey_q
, mp
,
2376 extv
[SADB_X_EXT_ADDRESS_INNER_SRC
], ksi
->ks_in_serial
, ns
)
2377 == KS_IN_ADDR_UNKNOWN
)
2380 isrc
= (struct sockaddr_in
*)
2381 (((sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_INNER_SRC
]) +
2383 idst
= (struct sockaddr_in6
*)
2384 (((sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_INNER_DST
]) +
2386 if (isrc
->sin_family
!= idst
->sin6_family
) {
2387 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2388 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH
,
2392 } else if (extv
[SADB_X_EXT_ADDRESS_INNER_DST
] != NULL
) {
2393 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2394 SADB_X_DIAGNOSTIC_MISSING_INNER_SRC
,
2398 isrc
= NULL
; /* For inner/outer port check below. */
2401 dstext
= (sadb_address_t
*)extv
[SADB_EXT_ADDRESS_DST
];
2402 srcext
= (sadb_address_t
*)extv
[SADB_EXT_ADDRESS_SRC
];
2404 if (dstext
== NULL
|| srcext
== NULL
)
2407 dst
= (struct sockaddr_in6
*)(dstext
+ 1);
2408 src
= (struct sockaddr_in
*)(srcext
+ 1);
2411 (isrc
->sin_port
!= 0 || idst
->sin6_port
!= 0) &&
2412 (src
->sin_port
!= 0 || dst
->sin6_port
!= 0)) {
2413 /* Can't set inner and outer ports in one SA. */
2414 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2415 SADB_X_DIAGNOSTIC_DUAL_PORT_SETS
,
2420 if (dst
->sin6_family
== src
->sin_family
)
2423 if (srcext
->sadb_address_proto
!= dstext
->sadb_address_proto
) {
2424 if (srcext
->sadb_address_proto
== 0) {
2425 srcext
->sadb_address_proto
= dstext
->sadb_address_proto
;
2426 } else if (dstext
->sadb_address_proto
== 0) {
2427 dstext
->sadb_address_proto
= srcext
->sadb_address_proto
;
2429 /* Inequal protocols, neither were 0. Report error. */
2430 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2431 SADB_X_DIAGNOSTIC_PROTO_MISMATCH
,
2438 * With the exception of an unspec IPv6 source and an IPv4
2439 * destination, address families MUST me matched.
2441 if (src
->sin_family
== AF_INET
||
2442 ksi
->ks_in_srctype
!= KS_IN_ADDR_UNSPEC
) {
2443 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2444 SADB_X_DIAGNOSTIC_AF_MISMATCH
, ksi
->ks_in_serial
);
2449 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being
2450 * in the same place for sockaddr_in and sockaddr_in6.
2452 sport
= src
->sin_port
;
2453 bzero(src
, sizeof (*src
));
2454 src
->sin_family
= AF_INET
;
2455 src
->sin_port
= sport
;
2461 * Set the results in "addrtype", given an IRE as requested by
2465 sadb_addrset(ire_t
*ire
)
2467 if ((ire
->ire_type
& IRE_BROADCAST
) ||
2468 (ire
->ire_ipversion
== IPV4_VERSION
&& CLASSD(ire
->ire_addr
)) ||
2469 (ire
->ire_ipversion
== IPV6_VERSION
&&
2470 IN6_IS_ADDR_MULTICAST(&(ire
->ire_addr_v6
))))
2471 return (KS_IN_ADDR_MBCAST
);
2472 if (ire
->ire_type
& (IRE_LOCAL
| IRE_LOOPBACK
))
2473 return (KS_IN_ADDR_ME
);
2474 return (KS_IN_ADDR_NOTME
);
2479 * Walker callback function to delete sa's based on src/dst address.
2480 * Assumes that we're called with *head locked, no other locks held;
2481 * Conveniently, and not coincidentally, this is both what sadb_walker
2482 * gives us and also what sadb_unlinkassoc expects.
2485 struct sadb_purge_state
2496 uint8_t sadb_sa_state
;
2502 sadb_purge_cb(isaf_t
*head
, ipsa_t
*entry
, void *cookie
)
2504 struct sadb_purge_state
*ps
= (struct sadb_purge_state
*)cookie
;
2506 ASSERT(MUTEX_HELD(&head
->isaf_lock
));
2508 mutex_enter(&entry
->ipsa_lock
);
2510 if ((entry
->ipsa_state
== IPSA_STATE_LARVAL
) ||
2512 !IPSA_ARE_ADDR_EQUAL(entry
->ipsa_srcaddr
, ps
->src
, ps
->af
)) ||
2514 !IPSA_ARE_ADDR_EQUAL(entry
->ipsa_dstaddr
, ps
->dst
, ps
->af
)) ||
2515 (ps
->didstr
!= NULL
&& (entry
->ipsa_dst_cid
!= NULL
) &&
2516 !(ps
->didtype
== entry
->ipsa_dst_cid
->ipsid_type
&&
2517 strcmp(ps
->didstr
, entry
->ipsa_dst_cid
->ipsid_cid
) == 0)) ||
2518 (ps
->sidstr
!= NULL
&& (entry
->ipsa_src_cid
!= NULL
) &&
2519 !(ps
->sidtype
== entry
->ipsa_src_cid
->ipsid_type
&&
2520 strcmp(ps
->sidstr
, entry
->ipsa_src_cid
->ipsid_cid
) == 0)) ||
2521 (ps
->kmproto
<= SADB_X_KMP_MAX
&& ps
->kmproto
!= entry
->ipsa_kmp
)) {
2522 mutex_exit(&entry
->ipsa_lock
);
2527 sadb_delete_cluster(entry
);
2529 entry
->ipsa_state
= IPSA_STATE_DEAD
;
2530 (void) sadb_torch_assoc(head
, entry
, ps
->inbnd
, &ps
->mq
);
2534 * Common code to purge an SA with a matching src or dst address.
2535 * Don't kill larval SA's in such a purge.
2538 sadb_purge_sa(mblk_t
*mp
, keysock_in_t
*ksi
, sadb_t
*sp
, queue_t
*pfkey_q
,
2541 sadb_address_t
*dstext
=
2542 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_DST
];
2543 sadb_address_t
*srcext
=
2544 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_SRC
];
2545 sadb_ident_t
*dstid
=
2546 (sadb_ident_t
*)ksi
->ks_in_extv
[SADB_EXT_IDENTITY_DST
];
2547 sadb_ident_t
*srcid
=
2548 (sadb_ident_t
*)ksi
->ks_in_extv
[SADB_EXT_IDENTITY_SRC
];
2550 (sadb_x_kmc_t
*)ksi
->ks_in_extv
[SADB_X_EXT_KM_COOKIE
];
2551 struct sockaddr_in
*src
, *dst
;
2552 struct sockaddr_in6
*src6
, *dst6
;
2553 struct sadb_purge_state ps
;
2556 * Don't worry about IPv6 v4-mapped addresses, sadb_addrcheck()
2557 * takes care of them.
2560 /* enforced by caller */
2561 ASSERT((dstext
!= NULL
) || (srcext
!= NULL
));
2566 ps
.af
= (sa_family_t
)-1;
2571 ps
.kmproto
= SADB_X_KMP_MAX
+ 1;
2573 if (dstext
!= NULL
) {
2574 dst
= (struct sockaddr_in
*)(dstext
+ 1);
2575 ps
.af
= dst
->sin_family
;
2576 if (dst
->sin_family
== AF_INET6
) {
2577 dst6
= (struct sockaddr_in6
*)dst
;
2578 ps
.dst
= (uint32_t *)&dst6
->sin6_addr
;
2580 ps
.dst
= (uint32_t *)&dst
->sin_addr
;
2584 if (srcext
!= NULL
) {
2585 src
= (struct sockaddr_in
*)(srcext
+ 1);
2586 ps
.af
= src
->sin_family
;
2587 if (src
->sin_family
== AF_INET6
) {
2588 src6
= (struct sockaddr_in6
*)(srcext
+ 1);
2589 ps
.src
= (uint32_t *)&src6
->sin6_addr
;
2591 ps
.src
= (uint32_t *)&src
->sin_addr
;
2593 ASSERT(dstext
== NULL
|| src
->sin_family
== dst
->sin_family
);
2596 ASSERT(ps
.af
!= (sa_family_t
)-1);
2598 if (dstid
!= NULL
) {
2600 * NOTE: May need to copy string in the future
2601 * if the inbound keysock message disappears for some strange
2604 ps
.didstr
= (char *)(dstid
+ 1);
2605 ps
.didtype
= dstid
->sadb_ident_type
;
2608 if (srcid
!= NULL
) {
2610 * NOTE: May need to copy string in the future
2611 * if the inbound keysock message disappears for some strange
2614 ps
.sidstr
= (char *)(srcid
+ 1);
2615 ps
.sidtype
= srcid
->sadb_ident_type
;
2619 ps
.kmproto
= kmc
->sadb_x_kmc_proto
;
2622 * This is simple, crude, and effective.
2623 * Unimplemented optimizations (TBD):
2624 * - we can limit how many places we search based on where we
2625 * think the SA is filed.
2626 * - if we get a dst address, we can hash based on dst addr to find
2627 * the correct bucket in the outbound table.
2630 sadb_walker(sp
->sdb_if
, sp
->sdb_hashsize
, sadb_purge_cb
, &ps
);
2632 sadb_walker(sp
->sdb_of
, sp
->sdb_hashsize
, sadb_purge_cb
, &ps
);
2635 sadb_drain_torchq(ip_q
, ps
.mq
);
2637 ASSERT(mp
->b_cont
!= NULL
);
2638 sadb_pfkey_echo(pfkey_q
, mp
, (sadb_msg_t
*)mp
->b_cont
->b_rptr
, ksi
,
2644 sadb_delpair_state(isaf_t
*head
, ipsa_t
*entry
, void *cookie
)
2646 struct sadb_purge_state
*ps
= (struct sadb_purge_state
*)cookie
;
2647 isaf_t
*inbound_bucket
;
2650 ASSERT(MUTEX_HELD(&head
->isaf_lock
));
2652 mutex_enter(&entry
->ipsa_lock
);
2654 if ((entry
->ipsa_state
!= ps
->sadb_sa_state
) ||
2655 ((ps
->src
!= NULL
) &&
2656 !IPSA_ARE_ADDR_EQUAL(entry
->ipsa_srcaddr
, ps
->src
, ps
->af
))) {
2657 mutex_exit(&entry
->ipsa_lock
);
2662 * The isaf_t *, which is passed in , is always an outbound bucket,
2663 * and we are preserving the outbound-then-inbound hash-bucket lock
2664 * ordering. The sadb_walker() which triggers this function is called
2665 * only on the outbound fanout, and the corresponding inbound bucket
2666 * lock is safe to acquire here.
2669 if (entry
->ipsa_haspeer
) {
2670 inbound_bucket
= INBOUND_BUCKET(ps
->sp
, entry
->ipsa_spi
);
2671 mutex_enter(&inbound_bucket
->isaf_lock
);
2672 peer_assoc
= ipsec_getassocbyspi(inbound_bucket
,
2673 entry
->ipsa_spi
, entry
->ipsa_srcaddr
,
2674 entry
->ipsa_dstaddr
, entry
->ipsa_addrfam
);
2676 inbound_bucket
= INBOUND_BUCKET(ps
->sp
, entry
->ipsa_otherspi
);
2677 mutex_enter(&inbound_bucket
->isaf_lock
);
2678 peer_assoc
= ipsec_getassocbyspi(inbound_bucket
,
2679 entry
->ipsa_otherspi
, entry
->ipsa_dstaddr
,
2680 entry
->ipsa_srcaddr
, entry
->ipsa_addrfam
);
2683 entry
->ipsa_state
= IPSA_STATE_DEAD
;
2684 (void) sadb_torch_assoc(head
, entry
, B_FALSE
, &ps
->mq
);
2685 if (peer_assoc
!= NULL
) {
2686 mutex_enter(&peer_assoc
->ipsa_lock
);
2687 peer_assoc
->ipsa_state
= IPSA_STATE_DEAD
;
2688 (void) sadb_torch_assoc(inbound_bucket
, peer_assoc
,
2691 mutex_exit(&inbound_bucket
->isaf_lock
);
2695 * Common code to delete/get an SA.
2698 sadb_delget_sa(mblk_t
*mp
, keysock_in_t
*ksi
, sadbp_t
*spp
,
2699 int *diagnostic
, queue_t
*pfkey_q
, uint8_t sadb_msg_type
)
2701 sadb_sa_t
*assoc
= (sadb_sa_t
*)ksi
->ks_in_extv
[SADB_EXT_SA
];
2702 sadb_address_t
*srcext
=
2703 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_SRC
];
2704 sadb_address_t
*dstext
=
2705 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_DST
];
2706 ipsa_t
*echo_target
= NULL
;
2708 mblk_t
*torchq
= NULL
;
2711 if (assoc
== NULL
) {
2712 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SA
;
2716 if (sadb_msg_type
== SADB_X_DELPAIR_STATE
) {
2717 struct sockaddr_in
*src
;
2718 struct sockaddr_in6
*src6
;
2719 struct sadb_purge_state ps
;
2721 if (srcext
== NULL
) {
2722 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SRC
;
2727 src
= (struct sockaddr_in
*)(srcext
+ 1);
2728 ps
.af
= src
->sin_family
;
2729 if (src
->sin_family
== AF_INET6
) {
2730 src6
= (struct sockaddr_in6
*)(srcext
+ 1);
2731 ps
.src
= (uint32_t *)&src6
->sin6_addr
;
2734 ps
.src
= (uint32_t *)&src
->sin_addr
;
2738 ps
.sadb_sa_state
= assoc
->sadb_sa_state
;
2739 sadb_walker(ps
.sp
->sdb_of
, ps
.sp
->sdb_hashsize
,
2740 sadb_delpair_state
, &ps
);
2743 sadb_drain_torchq(pfkey_q
, ps
.mq
);
2745 ASSERT(mp
->b_cont
!= NULL
);
2746 sadb_pfkey_echo(pfkey_q
, mp
, (sadb_msg_t
*)mp
->b_cont
->b_rptr
,
2751 if (dstext
== NULL
) {
2752 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_DST
;
2756 ipsapp
= get_ipsa_pair(assoc
, srcext
, dstext
, spp
);
2757 if (ipsapp
== NULL
) {
2758 *diagnostic
= SADB_X_DIAGNOSTIC_SA_NOTFOUND
;
2762 echo_target
= ipsapp
->ipsap_sa_ptr
;
2763 if (echo_target
== NULL
)
2764 echo_target
= ipsapp
->ipsap_psa_ptr
;
2766 if (sadb_msg_type
== SADB_DELETE
|| sadb_msg_type
== SADB_X_DELPAIR
) {
2768 * Bucket locks will be required if SA is actually unlinked.
2769 * get_ipsa_pair() returns valid hash bucket pointers even
2770 * if it can't find a pair SA pointer.
2772 mutex_enter(&ipsapp
->ipsap_bucket
->isaf_lock
);
2773 mutex_enter(&ipsapp
->ipsap_pbucket
->isaf_lock
);
2775 if (ipsapp
->ipsap_sa_ptr
!= NULL
) {
2776 mutex_enter(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
2777 if (ipsapp
->ipsap_sa_ptr
->ipsa_flags
& IPSA_F_INBOUND
) {
2778 sadb_delete_cluster(ipsapp
->ipsap_sa_ptr
);
2780 ipsapp
->ipsap_sa_ptr
->ipsa_state
= IPSA_STATE_DEAD
;
2781 (void) sadb_torch_assoc(ipsapp
->ipsap_bucket
,
2782 ipsapp
->ipsap_sa_ptr
, B_FALSE
, &torchq
);
2784 * sadb_torch_assoc() releases the ipsa_lock
2785 * and calls sadb_unlinkassoc() which does a
2789 if (ipsapp
->ipsap_psa_ptr
!= NULL
) {
2790 mutex_enter(&ipsapp
->ipsap_psa_ptr
->ipsa_lock
);
2791 if (sadb_msg_type
== SADB_X_DELPAIR
) {
2792 if (ipsapp
->ipsap_psa_ptr
->ipsa_flags
&
2794 sadb_delete_cluster(
2795 ipsapp
->ipsap_psa_ptr
);
2797 ipsapp
->ipsap_psa_ptr
->ipsa_state
=
2799 (void) sadb_torch_assoc(ipsapp
->ipsap_pbucket
,
2800 ipsapp
->ipsap_psa_ptr
, B_FALSE
, &torchq
);
2803 * Only half of the "pair" has been deleted.
2804 * Update the remaining SA and remove references
2805 * to its pair SA, which is now gone.
2807 ipsapp
->ipsap_psa_ptr
->ipsa_otherspi
= 0;
2808 ipsapp
->ipsap_psa_ptr
->ipsa_flags
&=
2810 mutex_exit(&ipsapp
->ipsap_psa_ptr
->ipsa_lock
);
2812 } else if (sadb_msg_type
== SADB_X_DELPAIR
) {
2813 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND
;
2816 mutex_exit(&ipsapp
->ipsap_bucket
->isaf_lock
);
2817 mutex_exit(&ipsapp
->ipsap_pbucket
->isaf_lock
);
2821 sadb_drain_torchq(spp
->s_ip_q
, torchq
);
2823 ASSERT(mp
->b_cont
!= NULL
);
2826 sadb_pfkey_echo(pfkey_q
, mp
, (sadb_msg_t
*)
2827 mp
->b_cont
->b_rptr
, ksi
, echo_target
);
2829 destroy_ipsa_pair(ipsapp
);
2835 * This function takes a sadb_sa_t and finds the ipsa_t structure
2836 * and the isaf_t (hash bucket) that its stored under. If the security
2837 * association has a peer, the ipsa_t structure and bucket for that security
2838 * association are also searched for. The "pair" of ipsa_t's and isaf_t's
2839 * are returned as a ipsap_t.
2841 * Note that a "pair" is defined as one (but not both) of the following:
2843 * A security association which has a soft reference to another security
2844 * association via its SPI.
2846 * A security association that is not obviously "inbound" or "outbound" so
2847 * it appears in both hash tables, the "peer" being the same security
2848 * association in the other hash table.
2850 * This function will return NULL if the ipsa_t can't be found in the
2851 * inbound or outbound hash tables (not found). If only one ipsa_t is
2852 * found, the pair ipsa_t will be NULL. Both isaf_t values are valid
2853 * provided at least one ipsa_t is found.
2856 get_ipsa_pair(sadb_sa_t
*assoc
, sadb_address_t
*srcext
, sadb_address_t
*dstext
,
2859 struct sockaddr_in
*src
, *dst
;
2860 struct sockaddr_in6
*src6
, *dst6
;
2862 uint32_t *srcaddr
, *dstaddr
;
2863 isaf_t
*outbound_bucket
, *inbound_bucket
;
2864 boolean_t in_inbound_table
= B_FALSE
;
2868 uint32_t pair_srcaddr
[IPSA_MAX_ADDRLEN
];
2869 uint32_t pair_dstaddr
[IPSA_MAX_ADDRLEN
];
2872 ipsapp
= kmem_zalloc(sizeof (*ipsapp
), KM_NOSLEEP
);
2877 * Don't worry about IPv6 v4-mapped addresses, sadb_addrcheck()
2878 * takes care of them.
2881 dst
= (struct sockaddr_in
*)(dstext
+ 1);
2882 af
= dst
->sin_family
;
2883 if (af
== AF_INET6
) {
2885 dst6
= (struct sockaddr_in6
*)dst
;
2886 dstaddr
= (uint32_t *)&dst6
->sin6_addr
;
2887 if (srcext
!= NULL
) {
2888 src6
= (struct sockaddr_in6
*)(srcext
+ 1);
2889 srcaddr
= (uint32_t *)&src6
->sin6_addr
;
2890 ASSERT(src6
->sin6_family
== af
);
2891 ASSERT(src6
->sin6_family
== AF_INET6
);
2893 srcaddr
= ALL_ZEROES_PTR
;
2895 outbound_bucket
= OUTBOUND_BUCKET_V6(sp
,
2896 *(uint32_t *)dstaddr
);
2899 dstaddr
= (uint32_t *)&dst
->sin_addr
;
2900 if (srcext
!= NULL
) {
2901 src
= (struct sockaddr_in
*)(srcext
+ 1);
2902 srcaddr
= (uint32_t *)&src
->sin_addr
;
2903 ASSERT(src
->sin_family
== af
);
2904 ASSERT(src
->sin_family
== AF_INET
);
2906 srcaddr
= ALL_ZEROES_PTR
;
2908 outbound_bucket
= OUTBOUND_BUCKET_V4(sp
,
2909 *(uint32_t *)dstaddr
);
2912 inbound_bucket
= INBOUND_BUCKET(sp
, assoc
->sadb_sa_spi
);
2914 /* Lock down both buckets. */
2915 mutex_enter(&outbound_bucket
->isaf_lock
);
2916 mutex_enter(&inbound_bucket
->isaf_lock
);
2918 if (assoc
->sadb_sa_flags
& IPSA_F_INBOUND
) {
2919 ipsapp
->ipsap_sa_ptr
= ipsec_getassocbyspi(inbound_bucket
,
2920 assoc
->sadb_sa_spi
, srcaddr
, dstaddr
, af
);
2921 if (ipsapp
->ipsap_sa_ptr
!= NULL
) {
2922 ipsapp
->ipsap_bucket
= inbound_bucket
;
2923 ipsapp
->ipsap_pbucket
= outbound_bucket
;
2924 in_inbound_table
= B_TRUE
;
2926 ipsapp
->ipsap_sa_ptr
=
2927 ipsec_getassocbyspi(outbound_bucket
,
2928 assoc
->sadb_sa_spi
, srcaddr
, dstaddr
, af
);
2929 ipsapp
->ipsap_bucket
= outbound_bucket
;
2930 ipsapp
->ipsap_pbucket
= inbound_bucket
;
2933 /* IPSA_F_OUTBOUND is set *or* no directions flags set. */
2934 ipsapp
->ipsap_sa_ptr
=
2935 ipsec_getassocbyspi(outbound_bucket
,
2936 assoc
->sadb_sa_spi
, srcaddr
, dstaddr
, af
);
2937 if (ipsapp
->ipsap_sa_ptr
!= NULL
) {
2938 ipsapp
->ipsap_bucket
= outbound_bucket
;
2939 ipsapp
->ipsap_pbucket
= inbound_bucket
;
2941 ipsapp
->ipsap_sa_ptr
=
2942 ipsec_getassocbyspi(inbound_bucket
,
2943 assoc
->sadb_sa_spi
, srcaddr
, dstaddr
, af
);
2944 ipsapp
->ipsap_bucket
= inbound_bucket
;
2945 ipsapp
->ipsap_pbucket
= outbound_bucket
;
2946 if (ipsapp
->ipsap_sa_ptr
!= NULL
)
2947 in_inbound_table
= B_TRUE
;
2951 if (ipsapp
->ipsap_sa_ptr
== NULL
) {
2952 mutex_exit(&outbound_bucket
->isaf_lock
);
2953 mutex_exit(&inbound_bucket
->isaf_lock
);
2954 kmem_free(ipsapp
, sizeof (*ipsapp
));
2958 if ((ipsapp
->ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_LARVAL
) &&
2960 mutex_exit(&outbound_bucket
->isaf_lock
);
2961 mutex_exit(&inbound_bucket
->isaf_lock
);
2965 mutex_enter(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
2966 if (ipsapp
->ipsap_sa_ptr
->ipsa_haspeer
) {
2968 * haspeer implies no sa_pairing, look for same spi
2969 * in other hashtable.
2971 ipsapp
->ipsap_psa_ptr
=
2972 ipsec_getassocbyspi(ipsapp
->ipsap_pbucket
,
2973 assoc
->sadb_sa_spi
, srcaddr
, dstaddr
, af
);
2974 mutex_exit(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
2975 mutex_exit(&outbound_bucket
->isaf_lock
);
2976 mutex_exit(&inbound_bucket
->isaf_lock
);
2979 pair_spi
= ipsapp
->ipsap_sa_ptr
->ipsa_otherspi
;
2980 IPSA_COPY_ADDR(&pair_srcaddr
,
2981 ipsapp
->ipsap_sa_ptr
->ipsa_srcaddr
, af
);
2982 IPSA_COPY_ADDR(&pair_dstaddr
,
2983 ipsapp
->ipsap_sa_ptr
->ipsa_dstaddr
, af
);
2984 mutex_exit(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
2985 mutex_exit(&outbound_bucket
->isaf_lock
);
2986 mutex_exit(&inbound_bucket
->isaf_lock
);
2988 if (pair_spi
== 0) {
2989 ASSERT(ipsapp
->ipsap_bucket
!= NULL
);
2990 ASSERT(ipsapp
->ipsap_pbucket
!= NULL
);
2994 /* found sa in outbound sadb, peer should be inbound */
2996 if (in_inbound_table
) {
2997 /* Found SA in inbound table, pair will be in outbound. */
2998 if (af
== AF_INET6
) {
2999 ipsapp
->ipsap_pbucket
= OUTBOUND_BUCKET_V6(sp
,
3000 *(uint32_t *)pair_srcaddr
);
3002 ipsapp
->ipsap_pbucket
= OUTBOUND_BUCKET_V4(sp
,
3003 *(uint32_t *)pair_srcaddr
);
3006 ipsapp
->ipsap_pbucket
= INBOUND_BUCKET(sp
, pair_spi
);
3008 mutex_enter(&ipsapp
->ipsap_pbucket
->isaf_lock
);
3009 ipsapp
->ipsap_psa_ptr
= ipsec_getassocbyspi(ipsapp
->ipsap_pbucket
,
3010 pair_spi
, pair_dstaddr
, pair_srcaddr
, af
);
3011 mutex_exit(&ipsapp
->ipsap_pbucket
->isaf_lock
);
3012 ASSERT(ipsapp
->ipsap_bucket
!= NULL
);
3013 ASSERT(ipsapp
->ipsap_pbucket
!= NULL
);
3018 * Initialize the mechanism parameters associated with an SA.
3019 * These parameters can be shared by multiple packets, which saves
3020 * us from the overhead of consulting the algorithm table for
3024 sadb_init_alginfo(ipsa_t
*sa
)
3026 ipsec_alginfo_t
*alg
;
3027 ipsec_stack_t
*ipss
= sa
->ipsa_netstack
->netstack_ipsec
;
3029 mutex_enter(&ipss
->ipsec_alg_lock
);
3031 if (sa
->ipsa_encrkey
!= NULL
) {
3032 alg
= ipss
->ipsec_alglists
[IPSEC_ALG_ENCR
][sa
->ipsa_encr_alg
];
3033 if (alg
!= NULL
&& ALG_VALID(alg
)) {
3034 sa
->ipsa_emech
.cm_type
= alg
->alg_mech_type
;
3035 sa
->ipsa_emech
.cm_param
= NULL
;
3036 sa
->ipsa_emech
.cm_param_len
= 0;
3037 sa
->ipsa_iv_len
= alg
->alg_datalen
;
3039 sa
->ipsa_emech
.cm_type
= CRYPTO_MECHANISM_INVALID
;
3042 if (sa
->ipsa_authkey
!= NULL
) {
3043 alg
= ipss
->ipsec_alglists
[IPSEC_ALG_AUTH
][sa
->ipsa_auth_alg
];
3044 if (alg
!= NULL
&& ALG_VALID(alg
)) {
3045 sa
->ipsa_amech
.cm_type
= alg
->alg_mech_type
;
3046 sa
->ipsa_amech
.cm_param
= (char *)&sa
->ipsa_mac_len
;
3047 sa
->ipsa_amech
.cm_param_len
= sizeof (size_t);
3048 sa
->ipsa_mac_len
= (size_t)alg
->alg_datalen
;
3050 sa
->ipsa_amech
.cm_type
= CRYPTO_MECHANISM_INVALID
;
3053 mutex_exit(&ipss
->ipsec_alg_lock
);
3057 * Perform NAT-traversal cached checksum offset calculations here.
3060 sadb_nat_calculations(ipsa_t
*newbie
, sadb_address_t
*natt_loc_ext
,
3061 sadb_address_t
*natt_rem_ext
, uint32_t *src_addr_ptr
,
3062 uint32_t *dst_addr_ptr
)
3064 struct sockaddr_in
*natt_loc
, *natt_rem
;
3065 uint32_t *natt_loc_ptr
= NULL
, *natt_rem_ptr
= NULL
;
3066 uint32_t running_sum
= 0;
3068 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16)
3070 if (natt_rem_ext
!= NULL
) {
3074 natt_rem
= (struct sockaddr_in
*)(natt_rem_ext
+ 1);
3076 /* Ensured by sadb_addrfix(). */
3077 ASSERT(natt_rem
->sin_family
== AF_INET
);
3079 natt_rem_ptr
= (uint32_t *)(&natt_rem
->sin_addr
);
3080 newbie
->ipsa_remote_nat_port
= natt_rem
->sin_port
;
3081 l_src
= *src_addr_ptr
;
3082 l_rem
= *natt_rem_ptr
;
3084 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */
3085 newbie
->ipsa_natt_addr_rem
= *natt_rem_ptr
;
3087 l_src
= ntohl(l_src
);
3090 l_rem
= ntohl(l_rem
);
3095 * We're 1's complement for checksums, so check for wraparound
3101 running_sum
+= l_src
- l_rem
;
3103 DOWN_SUM(running_sum
);
3104 DOWN_SUM(running_sum
);
3107 if (natt_loc_ext
!= NULL
) {
3108 natt_loc
= (struct sockaddr_in
*)(natt_loc_ext
+ 1);
3110 /* Ensured by sadb_addrfix(). */
3111 ASSERT(natt_loc
->sin_family
== AF_INET
);
3113 natt_loc_ptr
= (uint32_t *)(&natt_loc
->sin_addr
);
3114 newbie
->ipsa_local_nat_port
= natt_loc
->sin_port
;
3116 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */
3117 newbie
->ipsa_natt_addr_loc
= *natt_loc_ptr
;
3120 * NAT-T port agility means we may have natt_loc_ext, but
3121 * only for a local-port change.
3123 if (natt_loc
->sin_addr
.s_addr
!= INADDR_ANY
) {
3124 uint32_t l_dst
= ntohl(*dst_addr_ptr
);
3125 uint32_t l_loc
= ntohl(*natt_loc_ptr
);
3133 * We're 1's complement for checksums, so check for
3139 running_sum
+= l_dst
- l_loc
;
3140 DOWN_SUM(running_sum
);
3141 DOWN_SUM(running_sum
);
3145 newbie
->ipsa_inbound_cksum
= running_sum
;
3150 * This function is called from consumers that need to insert a fully-grown
3151 * security association into its tables. This function takes into account that
3152 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary"
3153 * hash bucket parameters are set in order of what the SA will be most of the
3154 * time. (For example, an SA with an unspecified source, and a multicast
3155 * destination will primarily be an outbound SA. OTOH, if that destination
3156 * is unicast for this node, then the SA will primarily be inbound.)
3158 * It takes a lot of parameters because even if clone is B_FALSE, this needs
3159 * to check both buckets for purposes of collision.
3161 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for
3162 * various error conditions. We may need to set samsg->sadb_x_msg_diagnostic
3163 * with additional diagnostic information because there is at least one EINVAL
3167 sadb_common_add(queue_t
*ip_q
, queue_t
*pfkey_q
, mblk_t
*mp
, sadb_msg_t
*samsg
,
3168 keysock_in_t
*ksi
, isaf_t
*primary
, isaf_t
*secondary
,
3169 ipsa_t
*newbie
, boolean_t clone
, boolean_t is_inbound
, int *diagnostic
,
3170 netstack_t
*ns
, sadbp_t
*spp
)
3172 ipsa_t
*newbie_clone
= NULL
, *scratch
;
3173 ipsap_t
*ipsapp
= NULL
;
3174 sadb_sa_t
*assoc
= (sadb_sa_t
*)ksi
->ks_in_extv
[SADB_EXT_SA
];
3175 sadb_address_t
*srcext
=
3176 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_SRC
];
3177 sadb_address_t
*dstext
=
3178 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_DST
];
3179 sadb_address_t
*isrcext
=
3180 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_INNER_SRC
];
3181 sadb_address_t
*idstext
=
3182 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_INNER_DST
];
3183 sadb_x_kmc_t
*kmcext
=
3184 (sadb_x_kmc_t
*)ksi
->ks_in_extv
[SADB_X_EXT_KM_COOKIE
];
3185 sadb_key_t
*akey
= (sadb_key_t
*)ksi
->ks_in_extv
[SADB_EXT_KEY_AUTH
];
3186 sadb_key_t
*ekey
= (sadb_key_t
*)ksi
->ks_in_extv
[SADB_EXT_KEY_ENCRYPT
];
3187 sadb_x_pair_t
*pair_ext
=
3188 (sadb_x_pair_t
*)ksi
->ks_in_extv
[SADB_X_EXT_PAIR
];
3189 sadb_x_replay_ctr_t
*replayext
=
3190 (sadb_x_replay_ctr_t
*)ksi
->ks_in_extv
[SADB_X_EXT_REPLAY_VALUE
];
3192 (samsg
->sadb_msg_satype
== SADB_SATYPE_AH
) ? IPPROTO_AH
:IPPROTO_ESP
;
3195 * XXXMLS - When Trusted Solaris or Multi-Level Secure functionality
3196 * comes to ON, examine these if 0'ed fragments. Look for XXXMLS.
3198 sadb_sens_t
*sens
= (sadb_sens_t
*);
3200 struct sockaddr_in
*src
, *dst
, *isrc
, *idst
;
3201 struct sockaddr_in6
*src6
, *dst6
, *isrc6
, *idst6
;
3202 sadb_lifetime_t
*soft
=
3203 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_EXT_LIFETIME_SOFT
];
3204 sadb_lifetime_t
*hard
=
3205 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_EXT_LIFETIME_HARD
];
3206 sadb_lifetime_t
*idle
=
3207 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_X_EXT_LIFETIME_IDLE
];
3210 boolean_t isupdate
= (newbie
!= NULL
);
3211 uint32_t *src_addr_ptr
, *dst_addr_ptr
, *isrc_addr_ptr
, *idst_addr_ptr
;
3212 mblk_t
*ctl_mp
= NULL
;
3213 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
3216 if (srcext
== NULL
) {
3217 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SRC
;
3220 if (dstext
== NULL
) {
3221 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_DST
;
3224 if (assoc
== NULL
) {
3225 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SA
;
3229 src
= (struct sockaddr_in
*)(srcext
+ 1);
3230 src6
= (struct sockaddr_in6
*)(srcext
+ 1);
3231 dst
= (struct sockaddr_in
*)(dstext
+ 1);
3232 dst6
= (struct sockaddr_in6
*)(dstext
+ 1);
3233 if (isrcext
!= NULL
) {
3234 isrc
= (struct sockaddr_in
*)(isrcext
+ 1);
3235 isrc6
= (struct sockaddr_in6
*)(isrcext
+ 1);
3236 ASSERT(idstext
!= NULL
);
3237 idst
= (struct sockaddr_in
*)(idstext
+ 1);
3238 idst6
= (struct sockaddr_in6
*)(idstext
+ 1);
3244 af
= src
->sin_family
;
3246 if (af
== AF_INET
) {
3247 src_addr_ptr
= (uint32_t *)&src
->sin_addr
;
3248 dst_addr_ptr
= (uint32_t *)&dst
->sin_addr
;
3250 ASSERT(af
== AF_INET6
);
3251 src_addr_ptr
= (uint32_t *)&src6
->sin6_addr
;
3252 dst_addr_ptr
= (uint32_t *)&dst6
->sin6_addr
;
3255 if (!isupdate
&& (clone
== B_TRUE
|| is_inbound
== B_TRUE
) &&
3257 (assoc
->sadb_sa_state
!= SADB_X_SASTATE_ACTIVE_ELSEWHERE
)) {
3258 rcode
= cl_inet_checkspi(protocol
, assoc
->sadb_sa_spi
);
3265 * Check to see if the new SA will be cloned AND paired. The
3266 * reason a SA will be cloned is the source or destination addresses
3267 * are not specific enough to determine if the SA goes in the outbound
3268 * or the inbound hash table, so its cloned and put in both. If
3269 * the SA is paired, it's soft linked to another SA for the other
3270 * direction. Keeping track and looking up SA's that are direction
3271 * unspecific and linked is too hard.
3273 if (clone
&& (pair_ext
!= NULL
)) {
3274 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
;
3279 newbie
= sadb_makelarvalassoc(assoc
->sadb_sa_spi
,
3280 src_addr_ptr
, dst_addr_ptr
, af
, ns
);
3285 mutex_enter(&newbie
->ipsa_lock
);
3288 if (isrc
->sin_family
== AF_INET
) {
3289 if (srcext
->sadb_address_proto
!= IPPROTO_ENCAP
) {
3290 if (srcext
->sadb_address_proto
!= 0) {
3292 * Mismatched outer-packet protocol
3293 * and inner-packet address family.
3295 mutex_exit(&newbie
->ipsa_lock
);
3299 /* Fill in with explicit protocol. */
3300 srcext
->sadb_address_proto
=
3302 dstext
->sadb_address_proto
=
3306 isrc_addr_ptr
= (uint32_t *)&isrc
->sin_addr
;
3307 idst_addr_ptr
= (uint32_t *)&idst
->sin_addr
;
3309 ASSERT(isrc
->sin_family
== AF_INET6
);
3310 if (srcext
->sadb_address_proto
!= IPPROTO_IPV6
) {
3311 if (srcext
->sadb_address_proto
!= 0) {
3313 * Mismatched outer-packet protocol
3314 * and inner-packet address family.
3316 mutex_exit(&newbie
->ipsa_lock
);
3320 /* Fill in with explicit protocol. */
3321 srcext
->sadb_address_proto
=
3323 dstext
->sadb_address_proto
=
3327 isrc_addr_ptr
= (uint32_t *)&isrc6
->sin6_addr
;
3328 idst_addr_ptr
= (uint32_t *)&idst6
->sin6_addr
;
3330 newbie
->ipsa_innerfam
= isrc
->sin_family
;
3332 IPSA_COPY_ADDR(newbie
->ipsa_innersrc
, isrc_addr_ptr
,
3333 newbie
->ipsa_innerfam
);
3334 IPSA_COPY_ADDR(newbie
->ipsa_innerdst
, idst_addr_ptr
,
3335 newbie
->ipsa_innerfam
);
3336 newbie
->ipsa_innersrcpfx
= isrcext
->sadb_address_prefixlen
;
3337 newbie
->ipsa_innerdstpfx
= idstext
->sadb_address_prefixlen
;
3339 /* Unique value uses inner-ports for Tunnel Mode... */
3340 newbie
->ipsa_unique_id
= SA_UNIQUE_ID(isrc
->sin_port
,
3341 idst
->sin_port
, dstext
->sadb_address_proto
,
3342 idstext
->sadb_address_proto
);
3343 newbie
->ipsa_unique_mask
= SA_UNIQUE_MASK(isrc
->sin_port
,
3344 idst
->sin_port
, dstext
->sadb_address_proto
,
3345 idstext
->sadb_address_proto
);
3347 /* ... and outer-ports for Transport Mode. */
3348 newbie
->ipsa_unique_id
= SA_UNIQUE_ID(src
->sin_port
,
3349 dst
->sin_port
, dstext
->sadb_address_proto
, 0);
3350 newbie
->ipsa_unique_mask
= SA_UNIQUE_MASK(src
->sin_port
,
3351 dst
->sin_port
, dstext
->sadb_address_proto
, 0);
3353 if (newbie
->ipsa_unique_mask
!= (uint64_t)0)
3354 newbie
->ipsa_flags
|= IPSA_F_UNIQUE
;
3356 sadb_nat_calculations(newbie
,
3357 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_NATT_LOC
],
3358 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_NATT_REM
],
3359 src_addr_ptr
, dst_addr_ptr
);
3361 newbie
->ipsa_type
= samsg
->sadb_msg_satype
;
3362 ASSERT((assoc
->sadb_sa_state
== SADB_SASTATE_MATURE
) ||
3363 (assoc
->sadb_sa_state
== SADB_X_SASTATE_ACTIVE_ELSEWHERE
));
3364 newbie
->ipsa_auth_alg
= assoc
->sadb_sa_auth
;
3365 newbie
->ipsa_encr_alg
= assoc
->sadb_sa_encrypt
;
3367 newbie
->ipsa_flags
|= assoc
->sadb_sa_flags
;
3368 if ((newbie
->ipsa_flags
& SADB_X_SAFLAGS_NATT_LOC
&&
3369 ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_NATT_LOC
] == NULL
) ||
3370 (newbie
->ipsa_flags
& SADB_X_SAFLAGS_NATT_REM
&&
3371 ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_NATT_REM
] == NULL
) ||
3372 (newbie
->ipsa_flags
& SADB_X_SAFLAGS_TUNNEL
&&
3373 ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_INNER_SRC
] == NULL
)) {
3374 mutex_exit(&newbie
->ipsa_lock
);
3375 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SAFLAGS
;
3380 * If unspecified source address, force replay_wsize to 0.
3381 * This is because an SA that has multiple sources of secure
3382 * traffic cannot enforce a replay counter w/o synchronizing the
3385 if (ksi
->ks_in_srctype
!= KS_IN_ADDR_UNSPEC
)
3386 newbie
->ipsa_replay_wsize
= assoc
->sadb_sa_replay
;
3388 newbie
->ipsa_replay_wsize
= 0;
3390 newbie
->ipsa_addtime
= gethrestime_sec();
3392 if (kmcext
!= NULL
) {
3393 newbie
->ipsa_kmp
= kmcext
->sadb_x_kmc_proto
;
3394 newbie
->ipsa_kmc
= kmcext
->sadb_x_kmc_cookie
;
3398 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE.
3399 * The spec says that one can update current lifetimes, but
3400 * that seems impractical, especially in the larval-to-mature
3401 * update that this function performs.
3404 newbie
->ipsa_softaddlt
= soft
->sadb_lifetime_addtime
;
3405 newbie
->ipsa_softuselt
= soft
->sadb_lifetime_usetime
;
3406 newbie
->ipsa_softbyteslt
= soft
->sadb_lifetime_bytes
;
3407 newbie
->ipsa_softalloc
= soft
->sadb_lifetime_allocations
;
3408 SET_EXPIRE(newbie
, softaddlt
, softexpiretime
);
3411 newbie
->ipsa_hardaddlt
= hard
->sadb_lifetime_addtime
;
3412 newbie
->ipsa_harduselt
= hard
->sadb_lifetime_usetime
;
3413 newbie
->ipsa_hardbyteslt
= hard
->sadb_lifetime_bytes
;
3414 newbie
->ipsa_hardalloc
= hard
->sadb_lifetime_allocations
;
3415 SET_EXPIRE(newbie
, hardaddlt
, hardexpiretime
);
3418 newbie
->ipsa_idleaddlt
= idle
->sadb_lifetime_addtime
;
3419 newbie
->ipsa_idleuselt
= idle
->sadb_lifetime_usetime
;
3420 newbie
->ipsa_idleexpiretime
= newbie
->ipsa_addtime
+
3421 newbie
->ipsa_idleaddlt
;
3422 newbie
->ipsa_idletime
= newbie
->ipsa_idleaddlt
;
3425 newbie
->ipsa_authtmpl
= NULL
;
3426 newbie
->ipsa_encrtmpl
= NULL
;
3429 newbie
->ipsa_authkeybits
= akey
->sadb_key_bits
;
3430 newbie
->ipsa_authkeylen
= SADB_1TO8(akey
->sadb_key_bits
);
3431 /* In case we have to round up to the next byte... */
3432 if ((akey
->sadb_key_bits
& 0x7) != 0)
3433 newbie
->ipsa_authkeylen
++;
3434 newbie
->ipsa_authkey
= kmem_alloc(newbie
->ipsa_authkeylen
,
3436 if (newbie
->ipsa_authkey
== NULL
) {
3438 mutex_exit(&newbie
->ipsa_lock
);
3441 bcopy(akey
+ 1, newbie
->ipsa_authkey
, newbie
->ipsa_authkeylen
);
3442 bzero(akey
+ 1, newbie
->ipsa_authkeylen
);
3445 * Pre-initialize the kernel crypto framework key
3448 newbie
->ipsa_kcfauthkey
.ck_format
= CRYPTO_KEY_RAW
;
3449 newbie
->ipsa_kcfauthkey
.ck_length
= newbie
->ipsa_authkeybits
;
3450 newbie
->ipsa_kcfauthkey
.ck_data
= newbie
->ipsa_authkey
;
3452 mutex_enter(&ipss
->ipsec_alg_lock
);
3453 error
= ipsec_create_ctx_tmpl(newbie
, IPSEC_ALG_AUTH
);
3454 mutex_exit(&ipss
->ipsec_alg_lock
);
3456 mutex_exit(&newbie
->ipsa_lock
);
3462 newbie
->ipsa_encrkeybits
= ekey
->sadb_key_bits
;
3463 newbie
->ipsa_encrkeylen
= SADB_1TO8(ekey
->sadb_key_bits
);
3464 /* In case we have to round up to the next byte... */
3465 if ((ekey
->sadb_key_bits
& 0x7) != 0)
3466 newbie
->ipsa_encrkeylen
++;
3467 newbie
->ipsa_encrkey
= kmem_alloc(newbie
->ipsa_encrkeylen
,
3469 if (newbie
->ipsa_encrkey
== NULL
) {
3471 mutex_exit(&newbie
->ipsa_lock
);
3474 bcopy(ekey
+ 1, newbie
->ipsa_encrkey
, newbie
->ipsa_encrkeylen
);
3475 /* XXX is this safe w.r.t db_ref, etc? */
3476 bzero(ekey
+ 1, newbie
->ipsa_encrkeylen
);
3479 * Pre-initialize the kernel crypto framework key
3482 newbie
->ipsa_kcfencrkey
.ck_format
= CRYPTO_KEY_RAW
;
3483 newbie
->ipsa_kcfencrkey
.ck_length
= newbie
->ipsa_encrkeybits
;
3484 newbie
->ipsa_kcfencrkey
.ck_data
= newbie
->ipsa_encrkey
;
3486 mutex_enter(&ipss
->ipsec_alg_lock
);
3487 error
= ipsec_create_ctx_tmpl(newbie
, IPSEC_ALG_ENCR
);
3488 mutex_exit(&ipss
->ipsec_alg_lock
);
3490 mutex_exit(&newbie
->ipsa_lock
);
3495 sadb_init_alginfo(newbie
);
3498 * Ptrs to processing functions.
3500 if (newbie
->ipsa_type
== SADB_SATYPE_ESP
)
3501 ipsecesp_init_funcs(newbie
);
3503 ipsecah_init_funcs(newbie
);
3504 ASSERT(newbie
->ipsa_output_func
!= NULL
&&
3505 newbie
->ipsa_input_func
!= NULL
);
3508 * Certificate ID stuff.
3510 if (ksi
->ks_in_extv
[SADB_EXT_IDENTITY_SRC
] != NULL
) {
3512 (sadb_ident_t
*)ksi
->ks_in_extv
[SADB_EXT_IDENTITY_SRC
];
3515 * Can assume strlen() will return okay because ext_check() in
3516 * keysock.c prepares the string for us.
3518 newbie
->ipsa_src_cid
= ipsid_lookup(id
->sadb_ident_type
,
3519 (char *)(id
+1), ns
);
3520 if (newbie
->ipsa_src_cid
== NULL
) {
3522 mutex_exit(&newbie
->ipsa_lock
);
3527 if (ksi
->ks_in_extv
[SADB_EXT_IDENTITY_DST
] != NULL
) {
3529 (sadb_ident_t
*)ksi
->ks_in_extv
[SADB_EXT_IDENTITY_DST
];
3532 * Can assume strlen() will return okay because ext_check() in
3533 * keysock.c prepares the string for us.
3535 newbie
->ipsa_dst_cid
= ipsid_lookup(id
->sadb_ident_type
,
3536 (char *)(id
+1), ns
);
3537 if (newbie
->ipsa_dst_cid
== NULL
) {
3539 mutex_exit(&newbie
->ipsa_lock
);
3545 /* XXXMLS SENSITIVITY handling code. */
3548 uint64_t *bitmap
= (uint64_t *)(sens
+ 1);
3550 newbie
->ipsa_dpd
= sens
->sadb_sens_dpd
;
3551 newbie
->ipsa_senslevel
= sens
->sadb_sens_sens_level
;
3552 newbie
->ipsa_integlevel
= sens
->sadb_sens_integ_level
;
3553 newbie
->ipsa_senslen
= SADB_64TO8(sens
->sadb_sens_sens_len
);
3554 newbie
->ipsa_integlen
= SADB_64TO8(sens
->sadb_sens_integ_len
);
3555 newbie
->ipsa_integ
= kmem_alloc(newbie
->ipsa_integlen
,
3557 if (newbie
->ipsa_integ
== NULL
) {
3559 mutex_exit(&newbie
->ipsa_lock
);
3562 newbie
->ipsa_sens
= kmem_alloc(newbie
->ipsa_senslen
,
3564 if (newbie
->ipsa_sens
== NULL
) {
3566 mutex_exit(&newbie
->ipsa_lock
);
3569 for (i
= 0; i
< sens
->sadb_sens_sens_len
; i
++) {
3570 newbie
->ipsa_sens
[i
] = *bitmap
;
3573 for (i
= 0; i
< sens
->sadb_sens_integ_len
; i
++) {
3574 newbie
->ipsa_integ
[i
] = *bitmap
;
3581 if (replayext
!= NULL
) {
3582 if ((replayext
->sadb_x_rc_replay32
== 0) &&
3583 (replayext
->sadb_x_rc_replay64
!= 0)) {
3585 mutex_exit(&newbie
->ipsa_lock
);
3588 newbie
->ipsa_replay
= replayext
->sadb_x_rc_replay32
;
3591 /* now that the SA has been updated, set its new state */
3592 newbie
->ipsa_state
= assoc
->sadb_sa_state
;
3595 newbie
->ipsa_haspeer
= B_TRUE
;
3598 lifetime_fuzz(newbie
);
3602 * The less locks I hold when doing an insertion and possible cloning,
3605 mutex_exit(&newbie
->ipsa_lock
);
3608 newbie_clone
= sadb_cloneassoc(newbie
);
3610 if (newbie_clone
== NULL
) {
3617 * Enter the bucket locks. The order of entry is outbound,
3618 * inbound. We map "primary" and "secondary" into outbound and inbound
3619 * based on the destination address type. If the destination address
3620 * type is for a node that isn't mine (or potentially mine), the
3621 * "primary" bucket is the outbound one.
3624 /* primary == outbound */
3625 mutex_enter(&primary
->isaf_lock
);
3626 mutex_enter(&secondary
->isaf_lock
);
3628 /* primary == inbound */
3629 mutex_enter(&secondary
->isaf_lock
);
3630 mutex_enter(&primary
->isaf_lock
);
3633 IPSECHW_DEBUG(IPSECHW_SADB
, ("sadb_common_add: spi = 0x%x\n",
3637 * sadb_insertassoc() doesn't increment the reference
3638 * count. We therefore have to increment the
3639 * reference count one more time to reflect the
3640 * pointers of the table that reference this SA.
3642 IPSA_REFHOLD(newbie
);
3646 * Unlink from larval holding cell in the "inbound" fanout.
3648 ASSERT(newbie
->ipsa_linklock
== &primary
->isaf_lock
||
3649 newbie
->ipsa_linklock
== &secondary
->isaf_lock
);
3650 sadb_unlinkassoc(newbie
);
3653 mutex_enter(&newbie
->ipsa_lock
);
3654 error
= sadb_insertassoc(newbie
, primary
);
3656 ctl_mp
= sadb_fmt_sa_req(DL_CO_SET
, newbie
->ipsa_type
, newbie
,
3659 mutex_exit(&newbie
->ipsa_lock
);
3663 * Since sadb_insertassoc() failed, we must decrement the
3664 * refcount again so the cleanup code will actually free
3667 IPSA_REFRELE(newbie
);
3671 if (newbie_clone
!= NULL
) {
3672 mutex_enter(&newbie_clone
->ipsa_lock
);
3673 error
= sadb_insertassoc(newbie_clone
, secondary
);
3674 mutex_exit(&newbie_clone
->ipsa_lock
);
3676 /* Collision in secondary table. */
3677 sadb_unlinkassoc(newbie
); /* This does REFRELE. */
3680 IPSA_REFHOLD(newbie_clone
);
3682 ASSERT(primary
!= secondary
);
3683 scratch
= ipsec_getassocbyspi(secondary
, newbie
->ipsa_spi
,
3684 ALL_ZEROES_PTR
, newbie
->ipsa_dstaddr
, af
);
3685 if (scratch
!= NULL
) {
3686 /* Collision in secondary table. */
3687 sadb_unlinkassoc(newbie
); /* This does REFRELE. */
3688 /* Set the error, since ipsec_getassocbyspi() can't. */
3694 /* OKAY! So let's do some reality check assertions. */
3696 ASSERT(MUTEX_NOT_HELD(&newbie
->ipsa_lock
));
3697 ASSERT(newbie_clone
== NULL
||
3698 (MUTEX_NOT_HELD(&newbie_clone
->ipsa_lock
)));
3700 * If hardware acceleration could happen, send it.
3702 if (ctl_mp
!= NULL
) {
3703 putnext(ip_q
, ctl_mp
);
3710 * We can exit the locks in any order. Only entrance needs to
3711 * follow any protocol.
3713 mutex_exit(&secondary
->isaf_lock
);
3714 mutex_exit(&primary
->isaf_lock
);
3716 if (pair_ext
!= NULL
&& error
== 0) {
3717 /* update pair_spi if it exists. */
3718 ipsapp
= get_ipsa_pair(assoc
, srcext
, dstext
, spp
);
3719 if (ipsapp
== NULL
) {
3721 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND
;
3722 } else if (ipsapp
->ipsap_psa_ptr
!= NULL
) {
3723 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_ALREADY
;
3726 /* update_pairing() sets diagnostic */
3727 error
= update_pairing(ipsapp
, ksi
, diagnostic
, spp
);
3730 /* Common error point for this routine. */
3732 if (newbie
!= NULL
) {
3734 /* This SA is broken, let the reaper clean up. */
3735 mutex_enter(&newbie
->ipsa_lock
);
3736 newbie
->ipsa_state
= IPSA_STATE_DEAD
;
3737 newbie
->ipsa_hardexpiretime
= 1;
3738 mutex_exit(&newbie
->ipsa_lock
);
3740 IPSA_REFRELE(newbie
);
3742 if (newbie_clone
!= NULL
) {
3743 IPSA_REFRELE(newbie_clone
);
3750 * Construct favorable PF_KEY return message and send to
3751 * keysock. Update the flags in the original keysock message
3752 * to reflect the actual flags in the new SA.
3753 * (Q: Do I need to pass "newbie"? If I do,
3754 * make sure to REFHOLD, call, then REFRELE.)
3756 assoc
->sadb_sa_flags
= newbie
->ipsa_flags
;
3757 sadb_pfkey_echo(pfkey_q
, mp
, samsg
, ksi
, NULL
);
3760 destroy_ipsa_pair(ipsapp
);
3765 * Set the time of first use for a security association. Update any
3766 * expiration times as a result.
3769 sadb_set_usetime(ipsa_t
*assoc
)
3771 time_t snapshot
= gethrestime_sec();
3773 mutex_enter(&assoc
->ipsa_lock
);
3774 assoc
->ipsa_lastuse
= snapshot
;
3775 assoc
->ipsa_idleexpiretime
= snapshot
+ assoc
->ipsa_idletime
;
3778 * Caller does check usetime before calling me usually, and
3779 * double-checking is better than a mutex_enter/exit hit.
3781 if (assoc
->ipsa_usetime
== 0) {
3783 * This is redundant for outbound SA's, as
3784 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already.
3785 * Inbound SAs, however, have no such protection.
3787 assoc
->ipsa_flags
|= IPSA_F_USED
;
3788 assoc
->ipsa_usetime
= snapshot
;
3791 * After setting the use time, see if we have a use lifetime
3792 * that would cause the actual SA expiration time to shorten.
3794 UPDATE_EXPIRE(assoc
, softuselt
, softexpiretime
);
3795 UPDATE_EXPIRE(assoc
, harduselt
, hardexpiretime
);
3797 mutex_exit(&assoc
->ipsa_lock
);
3801 * Send up a PF_KEY expire message for this association.
3804 sadb_expire_assoc(queue_t
*pfkey_q
, ipsa_t
*assoc
)
3809 sadb_lifetime_t
*current
, *expire
;
3812 boolean_t tunnel_mode
;
3814 ASSERT(MUTEX_HELD(&assoc
->ipsa_lock
));
3816 /* Don't bother sending if there's no queue. */
3817 if (pfkey_q
== NULL
)
3820 /* If the SA is one of a pair, only SOFT expire the OUTBOUND SA */
3821 if (assoc
->ipsa_state
== IPSA_STATE_DYING
&&
3822 (assoc
->ipsa_flags
& IPSA_F_PAIRED
) &&
3823 !(assoc
->ipsa_flags
& IPSA_F_OUTBOUND
)) {
3827 mp
= sadb_keysock_out(0);
3829 /* cmn_err(CE_WARN, */
3830 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */
3834 alloclen
= sizeof (*samsg
) + sizeof (*current
) + sizeof (*expire
) +
3835 2 * sizeof (sadb_address_t
) + sizeof (*saext
);
3837 af
= assoc
->ipsa_addrfam
;
3840 alloclen
+= 2 * sizeof (struct sockaddr_in
);
3843 alloclen
+= 2 * sizeof (struct sockaddr_in6
);
3846 /* Won't happen unless there's a kernel bug. */
3849 "sadb_expire_assoc: Unknown address length.\n");
3853 tunnel_mode
= (assoc
->ipsa_flags
& IPSA_F_TUNNEL
);
3855 alloclen
+= 2 * sizeof (sadb_address_t
);
3856 switch (assoc
->ipsa_innerfam
) {
3858 alloclen
+= 2 * sizeof (struct sockaddr_in
);
3861 alloclen
+= 2 * sizeof (struct sockaddr_in6
);
3864 /* Won't happen unless there's a kernel bug. */
3866 cmn_err(CE_WARN
, "sadb_expire_assoc: "
3867 "Unknown inner address length.\n");
3872 mp
->b_cont
= allocb(alloclen
, BPRI_HI
);
3873 if (mp
->b_cont
== NULL
) {
3875 /* cmn_err(CE_WARN, */
3876 /* "sadb_expire_assoc: Can't allocate message.\n"); */
3882 end
= mp
->b_wptr
+ alloclen
;
3884 samsg
= (sadb_msg_t
*)mp
->b_wptr
;
3885 mp
->b_wptr
+= sizeof (*samsg
);
3886 samsg
->sadb_msg_version
= PF_KEY_V2
;
3887 samsg
->sadb_msg_type
= SADB_EXPIRE
;
3888 samsg
->sadb_msg_errno
= 0;
3889 samsg
->sadb_msg_satype
= assoc
->ipsa_type
;
3890 samsg
->sadb_msg_len
= SADB_8TO64(alloclen
);
3891 samsg
->sadb_msg_reserved
= 0;
3892 samsg
->sadb_msg_seq
= 0;
3893 samsg
->sadb_msg_pid
= 0;
3895 saext
= (sadb_sa_t
*)mp
->b_wptr
;
3896 mp
->b_wptr
+= sizeof (*saext
);
3897 saext
->sadb_sa_len
= SADB_8TO64(sizeof (*saext
));
3898 saext
->sadb_sa_exttype
= SADB_EXT_SA
;
3899 saext
->sadb_sa_spi
= assoc
->ipsa_spi
;
3900 saext
->sadb_sa_replay
= assoc
->ipsa_replay_wsize
;
3901 saext
->sadb_sa_state
= assoc
->ipsa_state
;
3902 saext
->sadb_sa_auth
= assoc
->ipsa_auth_alg
;
3903 saext
->sadb_sa_encrypt
= assoc
->ipsa_encr_alg
;
3904 saext
->sadb_sa_flags
= assoc
->ipsa_flags
;
3906 current
= (sadb_lifetime_t
*)mp
->b_wptr
;
3907 mp
->b_wptr
+= sizeof (sadb_lifetime_t
);
3908 current
->sadb_lifetime_len
= SADB_8TO64(sizeof (*current
));
3909 current
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_CURRENT
;
3910 /* We do not support the concept. */
3911 current
->sadb_lifetime_allocations
= 0;
3912 current
->sadb_lifetime_bytes
= assoc
->ipsa_bytes
;
3913 current
->sadb_lifetime_addtime
= assoc
->ipsa_addtime
;
3914 current
->sadb_lifetime_usetime
= assoc
->ipsa_usetime
;
3916 expire
= (sadb_lifetime_t
*)mp
->b_wptr
;
3917 mp
->b_wptr
+= sizeof (*expire
);
3918 expire
->sadb_lifetime_len
= SADB_8TO64(sizeof (*expire
));
3920 if (assoc
->ipsa_state
== IPSA_STATE_DEAD
) {
3921 expire
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_HARD
;
3922 expire
->sadb_lifetime_allocations
= assoc
->ipsa_hardalloc
;
3923 expire
->sadb_lifetime_bytes
= assoc
->ipsa_hardbyteslt
;
3924 expire
->sadb_lifetime_addtime
= assoc
->ipsa_hardaddlt
;
3925 expire
->sadb_lifetime_usetime
= assoc
->ipsa_harduselt
;
3926 } else if (assoc
->ipsa_state
== IPSA_STATE_DYING
) {
3927 expire
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_SOFT
;
3928 expire
->sadb_lifetime_allocations
= assoc
->ipsa_softalloc
;
3929 expire
->sadb_lifetime_bytes
= assoc
->ipsa_softbyteslt
;
3930 expire
->sadb_lifetime_addtime
= assoc
->ipsa_softaddlt
;
3931 expire
->sadb_lifetime_usetime
= assoc
->ipsa_softuselt
;
3933 ASSERT(assoc
->ipsa_state
== IPSA_STATE_MATURE
);
3934 expire
->sadb_lifetime_exttype
= SADB_X_EXT_LIFETIME_IDLE
;
3935 expire
->sadb_lifetime_allocations
= 0;
3936 expire
->sadb_lifetime_bytes
= 0;
3937 expire
->sadb_lifetime_addtime
= assoc
->ipsa_idleaddlt
;
3938 expire
->sadb_lifetime_usetime
= assoc
->ipsa_idleuselt
;
3941 mp
->b_wptr
= sadb_make_addr_ext(mp
->b_wptr
, end
, SADB_EXT_ADDRESS_SRC
,
3942 af
, assoc
->ipsa_srcaddr
, tunnel_mode
? 0 : SA_SRCPORT(assoc
),
3943 SA_PROTO(assoc
), 0);
3944 ASSERT(mp
->b_wptr
!= NULL
);
3946 mp
->b_wptr
= sadb_make_addr_ext(mp
->b_wptr
, end
, SADB_EXT_ADDRESS_DST
,
3947 af
, assoc
->ipsa_dstaddr
, tunnel_mode
? 0 : SA_DSTPORT(assoc
),
3948 SA_PROTO(assoc
), 0);
3949 ASSERT(mp
->b_wptr
!= NULL
);
3952 mp
->b_wptr
= sadb_make_addr_ext(mp
->b_wptr
, end
,
3953 SADB_X_EXT_ADDRESS_INNER_SRC
, assoc
->ipsa_innerfam
,
3954 assoc
->ipsa_innersrc
, SA_SRCPORT(assoc
), SA_IPROTO(assoc
),
3955 assoc
->ipsa_innersrcpfx
);
3956 ASSERT(mp
->b_wptr
!= NULL
);
3957 mp
->b_wptr
= sadb_make_addr_ext(mp
->b_wptr
, end
,
3958 SADB_X_EXT_ADDRESS_INNER_DST
, assoc
->ipsa_innerfam
,
3959 assoc
->ipsa_innerdst
, SA_DSTPORT(assoc
), SA_IPROTO(assoc
),
3960 assoc
->ipsa_innerdstpfx
);
3961 ASSERT(mp
->b_wptr
!= NULL
);
3964 /* Can just putnext, we're ready to go! */
3965 putnext(pfkey_q
, mp1
);
3969 * "Age" the SA with the number of bytes that was used to protect traffic.
3970 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was
3971 * enough "charge" left in the SA to protect the data. Return B_FALSE
3972 * otherwise. (If B_FALSE is returned, the association either was, or became
3976 sadb_age_bytes(queue_t
*pfkey_q
, ipsa_t
*assoc
, uint64_t bytes
,
3979 boolean_t rc
= B_TRUE
;
3982 mutex_enter(&assoc
->ipsa_lock
);
3983 newtotal
= assoc
->ipsa_bytes
+ bytes
;
3984 if (assoc
->ipsa_hardbyteslt
!= 0 &&
3985 newtotal
>= assoc
->ipsa_hardbyteslt
) {
3986 if (assoc
->ipsa_state
!= IPSA_STATE_DEAD
) {
3987 sadb_delete_cluster(assoc
);
3989 * Send EXPIRE message to PF_KEY. May wish to pawn
3990 * this off on another non-interrupt thread. Also
3991 * unlink this SA immediately.
3993 assoc
->ipsa_state
= IPSA_STATE_DEAD
;
3995 sadb_expire_assoc(pfkey_q
, assoc
);
3997 * Set non-zero expiration time so sadb_age_assoc()
3998 * will work when reaping.
4000 assoc
->ipsa_hardexpiretime
= (time_t)1;
4001 } /* Else someone beat me to it! */
4003 } else if (assoc
->ipsa_softbyteslt
!= 0 &&
4004 (newtotal
>= assoc
->ipsa_softbyteslt
)) {
4005 if (assoc
->ipsa_state
< IPSA_STATE_DYING
) {
4007 * Send EXPIRE message to PF_KEY. May wish to pawn
4008 * this off on another non-interrupt thread.
4010 assoc
->ipsa_state
= IPSA_STATE_DYING
;
4011 assoc
->ipsa_bytes
= newtotal
;
4013 sadb_expire_assoc(pfkey_q
, assoc
);
4014 } /* Else someone beat me to it! */
4017 assoc
->ipsa_bytes
= newtotal
;
4018 mutex_exit(&assoc
->ipsa_lock
);
4023 * Push one or more DL_CO_DELETE messages queued up by
4024 * sadb_torch_assoc down to the underlying driver now that it's a
4025 * convenient time for it (i.e., ipsa bucket locks not held).
4028 sadb_drain_torchq(queue_t
*q
, mblk_t
*mp
)
4030 while (mp
!= NULL
) {
4031 mblk_t
*next
= mp
->b_next
;
4042 * "Torch" an individual SA. Returns NULL, so it can be tail-called from
4045 * If SA is hardware-accelerated, and we can't allocate the mblk
4046 * containing the DL_CO_DELETE, just return; it will remain in the
4047 * table and be swept up by sadb_ager() in a subsequent pass.
4050 sadb_torch_assoc(isaf_t
*head
, ipsa_t
*sa
, boolean_t inbnd
, mblk_t
**mq
)
4054 ASSERT(MUTEX_HELD(&head
->isaf_lock
));
4055 ASSERT(MUTEX_HELD(&sa
->ipsa_lock
));
4056 ASSERT(sa
->ipsa_state
== IPSA_STATE_DEAD
);
4059 * Force cached SAs to be revalidated..
4063 if (sa
->ipsa_flags
& IPSA_F_HW
) {
4064 mp
= sadb_fmt_sa_req(DL_CO_DELETE
, sa
->ipsa_type
, sa
, inbnd
);
4066 mutex_exit(&sa
->ipsa_lock
);
4072 mutex_exit(&sa
->ipsa_lock
);
4073 sadb_unlinkassoc(sa
);
4079 * Do various SA-is-idle activities depending on delta (the number of idle
4080 * seconds on the SA) and/or other properties of the SA.
4082 * Return B_TRUE if I've sent a packet, because I have to drop the
4083 * association's mutex before sending a packet out the wire.
4087 sadb_idle_activities(ipsa_t
*assoc
, time_t delta
, boolean_t inbound
)
4089 ipsecesp_stack_t
*espstack
= assoc
->ipsa_netstack
->netstack_ipsecesp
;
4090 int nat_t_interval
= espstack
->ipsecesp_nat_keepalive_interval
;
4092 ASSERT(MUTEX_HELD(&assoc
->ipsa_lock
));
4094 if (!inbound
&& (assoc
->ipsa_flags
& IPSA_F_NATT_LOC
) &&
4095 delta
>= nat_t_interval
&&
4096 gethrestime_sec() - assoc
->ipsa_last_nat_t_ka
>= nat_t_interval
) {
4097 ASSERT(assoc
->ipsa_type
== SADB_SATYPE_ESP
);
4098 assoc
->ipsa_last_nat_t_ka
= gethrestime_sec();
4099 mutex_exit(&assoc
->ipsa_lock
);
4100 ipsecesp_send_keepalive(assoc
);
4107 * Return "assoc" if haspeer is true and I send an expire. This allows
4108 * the consumers' aging functions to tidy up an expired SA's peer.
4111 sadb_age_assoc(isaf_t
*head
, queue_t
*pfkey_q
, ipsa_t
*assoc
,
4112 time_t current
, int reap_delay
, boolean_t inbound
, mblk_t
**mq
)
4114 ipsa_t
*retval
= NULL
;
4115 boolean_t dropped_mutex
= B_FALSE
;
4117 ASSERT(MUTEX_HELD(&head
->isaf_lock
));
4119 mutex_enter(&assoc
->ipsa_lock
);
4121 if (((assoc
->ipsa_state
== IPSA_STATE_LARVAL
) ||
4122 ((assoc
->ipsa_state
== IPSA_STATE_IDLE
) ||
4123 (assoc
->ipsa_state
== IPSA_STATE_ACTIVE_ELSEWHERE
) &&
4124 (assoc
->ipsa_hardexpiretime
!= 0))) &&
4125 (assoc
->ipsa_hardexpiretime
<= current
)) {
4126 assoc
->ipsa_state
= IPSA_STATE_DEAD
;
4127 return (sadb_torch_assoc(head
, assoc
, inbound
, mq
));
4131 * Check lifetimes. Fortunately, SA setup is done
4132 * such that there are only two times to look at,
4133 * softexpiretime, and hardexpiretime.
4138 if (assoc
->ipsa_hardexpiretime
!= 0 &&
4139 assoc
->ipsa_hardexpiretime
<= current
) {
4140 if (assoc
->ipsa_state
== IPSA_STATE_DEAD
)
4141 return (sadb_torch_assoc(head
, assoc
, inbound
, mq
));
4144 sadb_delete_cluster(assoc
);
4148 * Send SADB_EXPIRE with hard lifetime, delay for unlinking.
4150 assoc
->ipsa_state
= IPSA_STATE_DEAD
;
4151 if (assoc
->ipsa_haspeer
|| assoc
->ipsa_otherspi
!= 0) {
4153 * If the SA is paired or peered with another, put
4154 * a copy on a list which can be processed later, the
4155 * pair/peer SA needs to be updated so the both die
4158 * If I return assoc, I have to bump up its reference
4159 * count to keep with the ipsa_t reference count
4162 IPSA_REFHOLD(assoc
);
4165 sadb_expire_assoc(pfkey_q
, assoc
);
4166 assoc
->ipsa_hardexpiretime
= current
+ reap_delay
;
4167 } else if (assoc
->ipsa_softexpiretime
!= 0 &&
4168 assoc
->ipsa_softexpiretime
<= current
&&
4169 assoc
->ipsa_state
< IPSA_STATE_DYING
) {
4171 * Send EXPIRE message to PF_KEY. May wish to pawn
4172 * this off on another non-interrupt thread.
4174 assoc
->ipsa_state
= IPSA_STATE_DYING
;
4175 if (assoc
->ipsa_haspeer
) {
4177 * If the SA has a peer, update the peer's state
4178 * on SOFT_EXPIRE, this is mostly to prevent two
4179 * expire messages from effectively the same SA.
4181 * Don't care about paired SA's, then can (and should)
4182 * be able to soft expire at different times.
4184 * If I return assoc, I have to bump up its
4185 * reference count to keep with the ipsa_t reference
4188 IPSA_REFHOLD(assoc
);
4191 sadb_expire_assoc(pfkey_q
, assoc
);
4192 } else if (assoc
->ipsa_idletime
!= 0 &&
4193 assoc
->ipsa_idleexpiretime
<= current
) {
4194 if (assoc
->ipsa_state
== IPSA_STATE_ACTIVE_ELSEWHERE
) {
4195 assoc
->ipsa_state
= IPSA_STATE_IDLE
;
4199 * Need to handle Mature case
4201 if (assoc
->ipsa_state
== IPSA_STATE_MATURE
&& !inbound
) {
4202 sadb_expire_assoc(pfkey_q
, assoc
);
4205 /* Check idle time activities. */
4206 dropped_mutex
= sadb_idle_activities(assoc
,
4207 current
- assoc
->ipsa_lastuse
, inbound
);
4211 mutex_exit(&assoc
->ipsa_lock
);
4216 * Called by a consumer protocol to do ther dirty work of reaping dead
4217 * Security Associations.
4219 * NOTE: sadb_age_assoc() marks expired SA's as DEAD but only removed
4220 * SA's that are already marked DEAD, so expired SA's are only reaped
4221 * the second time sadb_ager() runs.
4224 sadb_ager(sadb_t
*sp
, queue_t
*pfkey_q
, queue_t
*ip_q
, int reap_delay
,
4229 ipsa_t
*assoc
, *spare
;
4231 ipsacq_t
*acqrec
, *spareacq
;
4232 templist_t
*haspeerlist
, *newbie
;
4233 /* Snapshot current time now. */
4234 time_t current
= gethrestime_sec();
4239 * Do my dirty work. This includes aging real entries, aging
4240 * larvals, and aging outstanding ACQUIREs.
4242 * I hope I don't tie up resources for too long.
4247 for (i
= 0; i
< sp
->sdb_hashsize
; i
++) {
4248 acqlist
= &sp
->sdb_acq
[i
];
4249 mutex_enter(&acqlist
->iacqf_lock
);
4250 for (acqrec
= acqlist
->iacqf_ipsacq
; acqrec
!= NULL
;
4251 acqrec
= spareacq
) {
4252 spareacq
= acqrec
->ipsacq_next
;
4253 if (current
> acqrec
->ipsacq_expire
)
4254 sadb_destroy_acquire(acqrec
, ns
);
4256 mutex_exit(&acqlist
->iacqf_lock
);
4259 /* Age inbound associations. */
4260 for (i
= 0; i
< sp
->sdb_hashsize
; i
++) {
4261 bucket
= &(sp
->sdb_if
[i
]);
4262 mutex_enter(&bucket
->isaf_lock
);
4263 for (assoc
= bucket
->isaf_ipsa
; assoc
!= NULL
;
4265 spare
= assoc
->ipsa_next
;
4266 if (sadb_age_assoc(bucket
, pfkey_q
, assoc
, current
,
4267 reap_delay
, B_TRUE
, &mq
) != NULL
) {
4269 * Put SA's which have a peer or SA's which
4270 * are paired on a list for processing after
4271 * all the hash tables have been walked.
4273 * sadb_age_assoc() increments the refcnt,
4274 * effectively doing an IPSA_REFHOLD().
4276 newbie
= kmem_alloc(sizeof (*newbie
),
4278 if (newbie
== NULL
) {
4280 * Don't forget to REFRELE().
4282 IPSA_REFRELE(assoc
);
4283 continue; /* for loop... */
4285 newbie
->next
= haspeerlist
;
4286 newbie
->ipsa
= assoc
;
4287 haspeerlist
= newbie
;
4290 mutex_exit(&bucket
->isaf_lock
);
4294 sadb_drain_torchq(ip_q
, mq
);
4297 age_pair_peer_list(haspeerlist
, sp
, B_FALSE
);
4300 /* Age outbound associations. */
4301 for (i
= 0; i
< sp
->sdb_hashsize
; i
++) {
4302 bucket
= &(sp
->sdb_of
[i
]);
4303 mutex_enter(&bucket
->isaf_lock
);
4304 for (assoc
= bucket
->isaf_ipsa
; assoc
!= NULL
;
4306 spare
= assoc
->ipsa_next
;
4307 if (sadb_age_assoc(bucket
, pfkey_q
, assoc
, current
,
4308 reap_delay
, B_FALSE
, &mq
) != NULL
) {
4310 * sadb_age_assoc() increments the refcnt,
4311 * effectively doing an IPSA_REFHOLD().
4313 newbie
= kmem_alloc(sizeof (*newbie
),
4315 if (newbie
== NULL
) {
4317 * Don't forget to REFRELE().
4319 IPSA_REFRELE(assoc
);
4320 continue; /* for loop... */
4322 newbie
->next
= haspeerlist
;
4323 newbie
->ipsa
= assoc
;
4324 haspeerlist
= newbie
;
4327 mutex_exit(&bucket
->isaf_lock
);
4330 sadb_drain_torchq(ip_q
, mq
);
4334 age_pair_peer_list(haspeerlist
, sp
, B_TRUE
);
4337 * Run a GC pass to clean out dead identities.
4343 * Figure out when to reschedule the ager.
4346 sadb_retimeout(hrtime_t begin
, queue_t
*pfkey_q
, void (*ager
)(void *),
4347 void *agerarg
, uint_t
*intp
, uint_t intmax
, short mid
)
4349 hrtime_t end
= gethrtime();
4350 uint_t interval
= *intp
;
4353 * See how long this took. If it took too long, increase the
4356 if ((end
- begin
) > interval
* 1000000) {
4357 if (interval
>= intmax
) {
4358 /* XXX Rate limit this? Or recommend flush? */
4359 (void) strlog(mid
, 0, 0, SL_ERROR
| SL_WARN
,
4360 "Too many SA's to age out in %d msec.\n",
4363 /* Double by shifting by one bit. */
4365 interval
= min(interval
, intmax
);
4367 } else if ((end
- begin
) <= interval
* 500000 &&
4368 interval
> SADB_AGE_INTERVAL_DEFAULT
) {
4370 * If I took less than half of the interval, then I should
4371 * ratchet the interval back down. Never automatically
4372 * shift below the default aging interval.
4374 * NOTE:This even overrides manual setting of the age
4375 * interval using NDD.
4377 /* Halve by shifting one bit. */
4379 interval
= max(interval
, SADB_AGE_INTERVAL_DEFAULT
);
4382 return (qtimeout(pfkey_q
, ager
, agerarg
,
4383 interval
* drv_usectohz(1000)));
4388 * Update the lifetime values of an SA. This is the path an SADB_UPDATE
4389 * message takes when updating a MATURE or DYING SA.
4392 sadb_update_lifetimes(ipsa_t
*assoc
, sadb_lifetime_t
*hard
,
4393 sadb_lifetime_t
*soft
, sadb_lifetime_t
*idle
, boolean_t outbound
)
4395 mutex_enter(&assoc
->ipsa_lock
);
4398 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be
4399 * passed in during an update message. We currently don't handle
4404 if (hard
->sadb_lifetime_bytes
!= 0)
4405 assoc
->ipsa_hardbyteslt
= hard
->sadb_lifetime_bytes
;
4406 if (hard
->sadb_lifetime_usetime
!= 0)
4407 assoc
->ipsa_harduselt
= hard
->sadb_lifetime_usetime
;
4408 if (hard
->sadb_lifetime_addtime
!= 0)
4409 assoc
->ipsa_hardaddlt
= hard
->sadb_lifetime_addtime
;
4410 if (assoc
->ipsa_hardaddlt
!= 0) {
4411 assoc
->ipsa_hardexpiretime
=
4412 assoc
->ipsa_addtime
+ assoc
->ipsa_hardaddlt
;
4414 if (assoc
->ipsa_harduselt
!= 0 &&
4415 assoc
->ipsa_flags
& IPSA_F_USED
) {
4416 UPDATE_EXPIRE(assoc
, harduselt
, hardexpiretime
);
4418 if (hard
->sadb_lifetime_allocations
!= 0)
4419 assoc
->ipsa_hardalloc
= hard
->sadb_lifetime_allocations
;
4423 if (soft
->sadb_lifetime_bytes
!= 0) {
4424 if (soft
->sadb_lifetime_bytes
>
4425 assoc
->ipsa_hardbyteslt
) {
4426 assoc
->ipsa_softbyteslt
=
4427 assoc
->ipsa_hardbyteslt
;
4429 assoc
->ipsa_softbyteslt
=
4430 soft
->sadb_lifetime_bytes
;
4433 if (soft
->sadb_lifetime_usetime
!= 0) {
4434 if (soft
->sadb_lifetime_usetime
>
4435 assoc
->ipsa_harduselt
) {
4436 assoc
->ipsa_softuselt
=
4437 assoc
->ipsa_harduselt
;
4439 assoc
->ipsa_softuselt
=
4440 soft
->sadb_lifetime_usetime
;
4443 if (soft
->sadb_lifetime_addtime
!= 0) {
4444 if (soft
->sadb_lifetime_addtime
>
4445 assoc
->ipsa_hardexpiretime
) {
4446 assoc
->ipsa_softexpiretime
=
4447 assoc
->ipsa_hardexpiretime
;
4449 assoc
->ipsa_softaddlt
=
4450 soft
->sadb_lifetime_addtime
;
4453 if (assoc
->ipsa_softaddlt
!= 0) {
4454 assoc
->ipsa_softexpiretime
=
4455 assoc
->ipsa_addtime
+ assoc
->ipsa_softaddlt
;
4457 if (assoc
->ipsa_softuselt
!= 0 &&
4458 assoc
->ipsa_flags
& IPSA_F_USED
) {
4459 UPDATE_EXPIRE(assoc
, softuselt
, softexpiretime
);
4461 if (outbound
&& assoc
->ipsa_softexpiretime
!= 0) {
4462 if (assoc
->ipsa_state
== IPSA_STATE_MATURE
)
4463 lifetime_fuzz(assoc
);
4466 if (soft
->sadb_lifetime_allocations
!= 0)
4467 assoc
->ipsa_softalloc
= soft
->sadb_lifetime_allocations
;
4471 time_t current
= gethrestime_sec();
4472 if ((assoc
->ipsa_idleexpiretime
<= current
) &&
4473 (assoc
->ipsa_idleaddlt
== idle
->sadb_lifetime_addtime
)) {
4474 assoc
->ipsa_idleexpiretime
=
4475 current
+ assoc
->ipsa_idleaddlt
;
4477 if (idle
->sadb_lifetime_addtime
!= 0)
4478 assoc
->ipsa_idleaddlt
= idle
->sadb_lifetime_addtime
;
4479 if (idle
->sadb_lifetime_usetime
!= 0)
4480 assoc
->ipsa_idleuselt
= idle
->sadb_lifetime_usetime
;
4481 if (assoc
->ipsa_idleaddlt
!= 0) {
4482 assoc
->ipsa_idleexpiretime
=
4483 current
+ idle
->sadb_lifetime_addtime
;
4484 assoc
->ipsa_idletime
= idle
->sadb_lifetime_addtime
;
4486 if (assoc
->ipsa_idleuselt
!= 0) {
4487 if (assoc
->ipsa_idletime
!= 0) {
4488 assoc
->ipsa_idletime
= min(assoc
->ipsa_idletime
,
4489 assoc
->ipsa_idleuselt
);
4490 assoc
->ipsa_idleexpiretime
=
4491 current
+ assoc
->ipsa_idletime
;
4493 assoc
->ipsa_idleexpiretime
=
4494 current
+ assoc
->ipsa_idleuselt
;
4495 assoc
->ipsa_idletime
= assoc
->ipsa_idleuselt
;
4499 mutex_exit(&assoc
->ipsa_lock
);
4503 sadb_update_state(ipsa_t
*assoc
, uint_t new_state
, mblk_t
**ipkt_lst
)
4506 time_t current
= gethrestime_sec();
4508 mutex_enter(&assoc
->ipsa_lock
);
4510 switch (new_state
) {
4511 case SADB_X_SASTATE_ACTIVE_ELSEWHERE
:
4512 if (assoc
->ipsa_state
== SADB_X_SASTATE_IDLE
) {
4513 assoc
->ipsa_state
= IPSA_STATE_ACTIVE_ELSEWHERE
;
4514 assoc
->ipsa_idleexpiretime
=
4515 current
+ assoc
->ipsa_idletime
;
4518 case SADB_X_SASTATE_IDLE
:
4519 if (assoc
->ipsa_state
== SADB_X_SASTATE_ACTIVE_ELSEWHERE
) {
4520 assoc
->ipsa_state
= IPSA_STATE_IDLE
;
4521 assoc
->ipsa_idleexpiretime
=
4522 current
+ assoc
->ipsa_idletime
;
4528 case SADB_X_SASTATE_ACTIVE
:
4529 if (assoc
->ipsa_state
!= SADB_X_SASTATE_IDLE
) {
4533 assoc
->ipsa_state
= IPSA_STATE_MATURE
;
4534 assoc
->ipsa_idleexpiretime
= current
+ assoc
->ipsa_idletime
;
4536 if (ipkt_lst
== NULL
) {
4540 if (assoc
->ipsa_bpkt_head
!= NULL
) {
4541 *ipkt_lst
= assoc
->ipsa_bpkt_head
;
4542 assoc
->ipsa_bpkt_head
= assoc
->ipsa_bpkt_tail
= NULL
;
4543 assoc
->ipsa_mblkcnt
= 0;
4553 mutex_exit(&assoc
->ipsa_lock
);
4558 * Common code to update an SA.
4562 sadb_update_sa(mblk_t
*mp
, keysock_in_t
*ksi
, mblk_t
**ipkt_lst
,
4563 sadbp_t
*spp
, int *diagnostic
, queue_t
*pfkey_q
,
4564 int (*add_sa_func
)(mblk_t
*, keysock_in_t
*, int *, netstack_t
*),
4565 netstack_t
*ns
, uint8_t sadb_msg_type
)
4567 sadb_sa_t
*assoc
= (sadb_sa_t
*)ksi
->ks_in_extv
[SADB_EXT_SA
];
4568 sadb_address_t
*srcext
=
4569 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_SRC
];
4570 sadb_address_t
*dstext
=
4571 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_DST
];
4572 sadb_x_kmc_t
*kmcext
=
4573 (sadb_x_kmc_t
*)ksi
->ks_in_extv
[SADB_X_EXT_KM_COOKIE
];
4574 sadb_key_t
*akey
= (sadb_key_t
*)ksi
->ks_in_extv
[SADB_EXT_KEY_AUTH
];
4575 sadb_key_t
*ekey
= (sadb_key_t
*)ksi
->ks_in_extv
[SADB_EXT_KEY_ENCRYPT
];
4576 sadb_x_replay_ctr_t
*replext
=
4577 (sadb_x_replay_ctr_t
*)ksi
->ks_in_extv
[SADB_X_EXT_REPLAY_VALUE
];
4578 sadb_lifetime_t
*soft
=
4579 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_EXT_LIFETIME_SOFT
];
4580 sadb_lifetime_t
*hard
=
4581 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_EXT_LIFETIME_HARD
];
4582 sadb_lifetime_t
*idle
=
4583 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_X_EXT_LIFETIME_IDLE
];
4584 sadb_x_pair_t
*pair_ext
=
4585 (sadb_x_pair_t
*)ksi
->ks_in_extv
[SADB_X_EXT_PAIR
];
4586 ipsa_t
*echo_target
= NULL
;
4588 ipsap_t
*ipsapp
= NULL
;
4589 uint32_t kmp
= 0, kmc
= 0;
4590 time_t current
= gethrestime_sec();
4593 /* I need certain extensions present for either UPDATE message. */
4594 if (srcext
== NULL
) {
4595 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SRC
;
4598 if (dstext
== NULL
) {
4599 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_DST
;
4602 if (assoc
== NULL
) {
4603 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SA
;
4607 if (kmcext
!= NULL
) {
4608 kmp
= kmcext
->sadb_x_kmc_proto
;
4609 kmc
= kmcext
->sadb_x_kmc_cookie
;
4612 ipsapp
= get_ipsa_pair(assoc
, srcext
, dstext
, spp
);
4613 if (ipsapp
== NULL
) {
4614 *diagnostic
= SADB_X_DIAGNOSTIC_SA_NOTFOUND
;
4618 if (ipsapp
->ipsap_psa_ptr
== NULL
&& ipsapp
->ipsap_sa_ptr
!= NULL
) {
4619 if (ipsapp
->ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_LARVAL
) {
4621 * REFRELE the target and let the add_sa_func()
4622 * deal with updating a larval SA.
4624 destroy_ipsa_pair(ipsapp
);
4625 return (add_sa_func(mp
, ksi
, diagnostic
, ns
));
4629 if (assoc
->sadb_sa_state
== SADB_X_SASTATE_ACTIVE_ELSEWHERE
) {
4630 if (ipsapp
->ipsap_sa_ptr
!= NULL
&&
4631 ipsapp
->ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_IDLE
) {
4632 if ((error
= sadb_update_state(ipsapp
->ipsap_sa_ptr
,
4633 assoc
->sadb_sa_state
, NULL
)) != 0) {
4634 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4638 if (ipsapp
->ipsap_psa_ptr
!= NULL
&&
4639 ipsapp
->ipsap_psa_ptr
->ipsa_state
== IPSA_STATE_IDLE
) {
4640 if ((error
= sadb_update_state(ipsapp
->ipsap_psa_ptr
,
4641 assoc
->sadb_sa_state
, NULL
)) != 0) {
4642 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4647 if (assoc
->sadb_sa_state
== SADB_X_SASTATE_ACTIVE
) {
4648 if (ipsapp
->ipsap_sa_ptr
!= NULL
) {
4649 error
= sadb_update_state(ipsapp
->ipsap_sa_ptr
,
4650 assoc
->sadb_sa_state
,
4651 (ipsapp
->ipsap_sa_ptr
->ipsa_flags
&
4652 IPSA_F_INBOUND
) ? ipkt_lst
: NULL
);
4654 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4658 if (ipsapp
->ipsap_psa_ptr
!= NULL
) {
4659 error
= sadb_update_state(ipsapp
->ipsap_psa_ptr
,
4660 assoc
->sadb_sa_state
,
4661 (ipsapp
->ipsap_psa_ptr
->ipsa_flags
&
4662 IPSA_F_INBOUND
) ? ipkt_lst
: NULL
);
4664 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4668 sadb_pfkey_echo(pfkey_q
, mp
, (sadb_msg_t
*)mp
->b_cont
->b_rptr
,
4674 * Reality checks for updates of active associations.
4675 * Sundry first-pass UPDATE-specific reality checks.
4676 * Have to do the checks here, because it's after the add_sa code.
4677 * XXX STATS : logging/stats here?
4680 if (!((assoc
->sadb_sa_state
== SADB_SASTATE_MATURE
) ||
4681 (assoc
->sadb_sa_state
== SADB_X_SASTATE_ACTIVE_ELSEWHERE
))) {
4682 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4687 if (assoc
->sadb_sa_flags
& ~spp
->s_updateflags
) {
4688 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SAFLAGS
;
4693 if (ksi
->ks_in_extv
[SADB_EXT_LIFETIME_CURRENT
] != NULL
) {
4698 if ((*diagnostic
= sadb_hardsoftchk(hard
, soft
, idle
)) != 0) {
4703 *diagnostic
= SADB_X_DIAGNOSTIC_AKEY_PRESENT
;
4708 *diagnostic
= SADB_X_DIAGNOSTIC_EKEY_PRESENT
;
4713 if (ipsapp
->ipsap_sa_ptr
!= NULL
) {
4714 if (ipsapp
->ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_DEAD
) {
4715 error
= ESRCH
; /* DEAD == Not there, in this case. */
4716 *diagnostic
= SADB_X_DIAGNOSTIC_SA_EXPIRED
;
4720 ((ipsapp
->ipsap_sa_ptr
->ipsa_kmp
!= 0) ||
4721 (ipsapp
->ipsap_sa_ptr
->ipsa_kmp
!= kmp
))) {
4722 *diagnostic
= SADB_X_DIAGNOSTIC_DUPLICATE_KMP
;
4727 ((ipsapp
->ipsap_sa_ptr
->ipsa_kmc
!= 0) ||
4728 (ipsapp
->ipsap_sa_ptr
->ipsa_kmc
!= kmc
))) {
4729 *diagnostic
= SADB_X_DIAGNOSTIC_DUPLICATE_KMC
;
4734 * Do not allow replay value change for MATURE or LARVAL SA.
4737 if ((replext
!= NULL
) &&
4738 ((ipsapp
->ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_LARVAL
) ||
4739 (ipsapp
->ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_MATURE
))) {
4740 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4746 if (ipsapp
->ipsap_psa_ptr
!= NULL
) {
4747 if (ipsapp
->ipsap_psa_ptr
->ipsa_state
== IPSA_STATE_DEAD
) {
4748 *diagnostic
= SADB_X_DIAGNOSTIC_SA_EXPIRED
;
4749 error
= ESRCH
; /* DEAD == Not there, in this case. */
4753 ((ipsapp
->ipsap_psa_ptr
->ipsa_kmp
!= 0) ||
4754 (ipsapp
->ipsap_psa_ptr
->ipsa_kmp
!= kmp
))) {
4755 *diagnostic
= SADB_X_DIAGNOSTIC_DUPLICATE_KMP
;
4760 ((ipsapp
->ipsap_psa_ptr
->ipsa_kmc
!= 0) ||
4761 (ipsapp
->ipsap_psa_ptr
->ipsa_kmc
!= kmc
))) {
4762 *diagnostic
= SADB_X_DIAGNOSTIC_DUPLICATE_KMC
;
4768 if (ipsapp
->ipsap_sa_ptr
!= NULL
) {
4769 sadb_update_lifetimes(ipsapp
->ipsap_sa_ptr
, hard
, soft
,
4772 ipsapp
->ipsap_sa_ptr
->ipsa_kmp
= kmp
;
4774 ipsapp
->ipsap_sa_ptr
->ipsa_kmc
= kmc
;
4775 if ((replext
!= NULL
) &&
4776 (ipsapp
->ipsap_sa_ptr
->ipsa_replay_wsize
!= 0)) {
4778 * If an inbound SA, update the replay counter
4779 * and check off all the other sequence number
4781 if (ksi
->ks_in_dsttype
== KS_IN_ADDR_ME
) {
4782 if (!sadb_replay_check(ipsapp
->ipsap_sa_ptr
,
4783 replext
->sadb_x_rc_replay32
)) {
4787 mutex_enter(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4788 ipsapp
->ipsap_sa_ptr
->ipsa_idleexpiretime
=
4790 ipsapp
->ipsap_sa_ptr
->ipsa_idletime
;
4791 mutex_exit(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4793 mutex_enter(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4794 ipsapp
->ipsap_sa_ptr
->ipsa_replay
=
4795 replext
->sadb_x_rc_replay32
;
4796 ipsapp
->ipsap_sa_ptr
->ipsa_idleexpiretime
=
4798 ipsapp
->ipsap_sa_ptr
->ipsa_idletime
;
4799 mutex_exit(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4804 if (sadb_msg_type
== SADB_X_UPDATEPAIR
) {
4805 if (ipsapp
->ipsap_psa_ptr
!= NULL
) {
4806 sadb_update_lifetimes(ipsapp
->ipsap_psa_ptr
, hard
, soft
,
4809 ipsapp
->ipsap_psa_ptr
->ipsa_kmp
= kmp
;
4811 ipsapp
->ipsap_psa_ptr
->ipsa_kmc
= kmc
;
4813 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND
;
4819 if (pair_ext
!= NULL
)
4820 error
= update_pairing(ipsapp
, ksi
, diagnostic
, spp
);
4823 sadb_pfkey_echo(pfkey_q
, mp
, (sadb_msg_t
*)mp
->b_cont
->b_rptr
,
4827 destroy_ipsa_pair(ipsapp
);
4834 update_pairing(ipsap_t
*ipsapp
, keysock_in_t
*ksi
, int *diagnostic
,
4837 sadb_sa_t
*assoc
= (sadb_sa_t
*)ksi
->ks_in_extv
[SADB_EXT_SA
];
4838 sadb_address_t
*srcext
=
4839 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_SRC
];
4840 sadb_address_t
*dstext
=
4841 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_DST
];
4842 sadb_x_pair_t
*pair_ext
=
4843 (sadb_x_pair_t
*)ksi
->ks_in_extv
[SADB_X_EXT_PAIR
];
4845 ipsap_t
*oipsapp
= NULL
;
4846 boolean_t undo_pair
= B_FALSE
;
4847 uint32_t ipsa_flags
;
4849 if (pair_ext
->sadb_x_pair_spi
== 0 || pair_ext
->sadb_x_pair_spi
==
4850 assoc
->sadb_sa_spi
) {
4851 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
;
4856 * Assume for now that the spi value provided in the SADB_UPDATE
4857 * message was valid, update the SA with its pair spi value.
4858 * If the spi turns out to be bogus or the SA no longer exists
4859 * then this will be detected when the reverse update is made
4862 mutex_enter(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4863 ipsapp
->ipsap_sa_ptr
->ipsa_flags
|= IPSA_F_PAIRED
;
4864 ipsapp
->ipsap_sa_ptr
->ipsa_otherspi
= pair_ext
->sadb_x_pair_spi
;
4865 mutex_exit(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4868 * After updating the ipsa_otherspi element of the SA, get_ipsa_pair()
4869 * should now return pointers to the SA *AND* its pair, if this is not
4870 * the case, the "otherspi" either did not exist or was deleted. Also
4871 * check that "otherspi" is not already paired. If everything looks
4872 * good, complete the update. IPSA_REFRELE the first pair_pointer
4873 * after this update to ensure its not deleted until we are done.
4875 oipsapp
= get_ipsa_pair(assoc
, srcext
, dstext
, spp
);
4876 if (oipsapp
== NULL
) {
4878 * This should never happen, calling function still has
4879 * IPSA_REFHELD on the SA we just updated.
4881 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND
;
4885 if (oipsapp
->ipsap_psa_ptr
== NULL
) {
4886 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
;
4889 ipsa_flags
= oipsapp
->ipsap_psa_ptr
->ipsa_flags
;
4890 if ((oipsapp
->ipsap_psa_ptr
->ipsa_state
== IPSA_STATE_DEAD
) ||
4891 (oipsapp
->ipsap_psa_ptr
->ipsa_state
== IPSA_STATE_DYING
)) {
4893 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
;
4895 } else if ((ipsa_flags
& (IPSA_F_OUTBOUND
| IPSA_F_INBOUND
)) ==
4896 (IPSA_F_OUTBOUND
| IPSA_F_INBOUND
)) {
4897 /* This SA is in both hashtables. */
4898 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
;
4900 } else if (ipsa_flags
& IPSA_F_PAIRED
) {
4901 /* This SA is already paired with another. */
4902 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_ALREADY
;
4908 /* The pair SA does not exist. */
4909 mutex_enter(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4910 ipsapp
->ipsap_sa_ptr
->ipsa_flags
&= ~IPSA_F_PAIRED
;
4911 ipsapp
->ipsap_sa_ptr
->ipsa_otherspi
= 0;
4912 mutex_exit(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4915 mutex_enter(&oipsapp
->ipsap_psa_ptr
->ipsa_lock
);
4916 oipsapp
->ipsap_psa_ptr
->ipsa_otherspi
= assoc
->sadb_sa_spi
;
4917 oipsapp
->ipsap_psa_ptr
->ipsa_flags
|= IPSA_F_PAIRED
;
4918 mutex_exit(&oipsapp
->ipsap_psa_ptr
->ipsa_lock
);
4921 destroy_ipsa_pair(oipsapp
);
4926 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is
4927 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails
4928 * for an outbound datagram, that datagram is queued up on an ACQUIRE record,
4929 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key
4930 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve
4931 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the
4932 * other direction's SA.
4936 * Check the ACQUIRE lists. If there's an existing ACQUIRE record,
4937 * grab it, lock it, and return it. Otherwise return NULL.
4940 sadb_checkacquire(iacqf_t
*bucket
, ipsec_action_t
*ap
, ipsec_policy_t
*pp
,
4941 uint32_t *src
, uint32_t *dst
, uint32_t *isrc
, uint32_t *idst
,
4946 uint32_t blank_address
[4] = {0, 0, 0, 0};
4949 ASSERT(idst
== NULL
);
4950 isrc
= idst
= blank_address
;
4954 * Scan list for duplicates. Check for UNIQUE, src/dest, policy.
4956 * XXX May need search for duplicates based on other things too!
4958 for (walker
= bucket
->iacqf_ipsacq
; walker
!= NULL
;
4959 walker
= walker
->ipsacq_next
) {
4960 mutex_enter(&walker
->ipsacq_lock
);
4961 fam
= walker
->ipsacq_addrfam
;
4962 if (IPSA_ARE_ADDR_EQUAL(dst
, walker
->ipsacq_dstaddr
, fam
) &&
4963 IPSA_ARE_ADDR_EQUAL(src
, walker
->ipsacq_srcaddr
, fam
) &&
4964 ip_addr_match((uint8_t *)isrc
, walker
->ipsacq_innersrcpfx
,
4965 (in6_addr_t
*)walker
->ipsacq_innersrc
) &&
4966 ip_addr_match((uint8_t *)idst
, walker
->ipsacq_innerdstpfx
,
4967 (in6_addr_t
*)walker
->ipsacq_innerdst
) &&
4968 (ap
== walker
->ipsacq_act
) &&
4969 (pp
== walker
->ipsacq_policy
) &&
4970 /* XXX do deep compares of ap/pp? */
4971 (unique_id
== walker
->ipsacq_unique_id
))
4972 break; /* everything matched */
4973 mutex_exit(&walker
->ipsacq_lock
);
4980 * For this mblk, insert a new acquire record. Assume bucket contains addrs
4981 * of all of the same length. Give up (and drop) if memory
4982 * cannot be allocated for a new one; otherwise, invoke callback to
4983 * send the acquire up..
4985 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE
4986 * list. The ah_add_sa_finish() routines can look at the packet's ipsec_out_t
4987 * and handle this case specially.
4990 sadb_acquire(mblk_t
*mp
, ipsec_out_t
*io
, boolean_t need_ah
, boolean_t need_esp
)
4996 mblk_t
*datamp
= mp
->b_cont
;
4998 ipha_t
*ipha
= (ipha_t
*)datamp
->b_rptr
;
4999 ip6_t
*ip6h
= (ip6_t
*)datamp
->b_rptr
;
5000 uint32_t *src
, *dst
, *isrc
, *idst
;
5001 ipsec_policy_t
*pp
= io
->ipsec_out_policy
;
5002 ipsec_action_t
*ap
= io
->ipsec_out_act
;
5006 uint64_t unique_id
= 0;
5007 ipsec_selector_t sel
;
5008 boolean_t tunnel_mode
= io
->ipsec_out_tunnel
;
5009 netstack_t
*ns
= io
->ipsec_out_ns
;
5010 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
5012 ASSERT((pp
!= NULL
) || (ap
!= NULL
));
5014 ASSERT(need_ah
!= NULL
|| need_esp
!= NULL
);
5015 /* Assign sadb pointers */
5016 if (need_esp
) { /* ESP for AH+ESP */
5017 ipsecesp_stack_t
*espstack
= ns
->netstack_ipsecesp
;
5019 spp
= &espstack
->esp_sadb
;
5021 ipsecah_stack_t
*ahstack
= ns
->netstack_ipsecah
;
5023 spp
= &ahstack
->ah_sadb
;
5025 sp
= io
->ipsec_out_v4
? &spp
->s_v4
: &spp
->s_v6
;
5032 if (ap
->ipa_act
.ipa_apply
.ipp_use_unique
|| tunnel_mode
)
5033 unique_id
= SA_FORM_UNIQUE_ID(io
);
5036 * Set up an ACQUIRE record.
5038 * Immediately, make sure the ACQUIRE sequence number doesn't slip
5039 * below the lowest point allowed in the kernel. (In other words,
5040 * make sure the high bit on the sequence number is set.)
5043 seq
= keysock_next_seq(ns
) | IACQF_LOWEST_SEQ
;
5045 if (IPH_HDR_VERSION(ipha
) == IP_VERSION
) {
5046 src
= (uint32_t *)&ipha
->ipha_src
;
5047 dst
= (uint32_t *)&ipha
->ipha_dst
;
5049 hashoffset
= OUTBOUND_HASH_V4(sp
, ipha
->ipha_dst
);
5050 ASSERT(io
->ipsec_out_v4
== B_TRUE
);
5052 ASSERT(IPH_HDR_VERSION(ipha
) == IPV6_VERSION
);
5053 src
= (uint32_t *)&ip6h
->ip6_src
;
5054 dst
= (uint32_t *)&ip6h
->ip6_dst
;
5056 hashoffset
= OUTBOUND_HASH_V6(sp
, ip6h
->ip6_dst
);
5057 ASSERT(io
->ipsec_out_v4
== B_FALSE
);
5061 /* Snag inner addresses. */
5062 isrc
= io
->ipsec_out_insrc
;
5063 idst
= io
->ipsec_out_indst
;
5069 * Check buckets to see if there is an existing entry. If so,
5070 * grab it. sadb_checkacquire locks newbie if found.
5072 bucket
= &(sp
->sdb_acq
[hashoffset
]);
5073 mutex_enter(&bucket
->iacqf_lock
);
5074 newbie
= sadb_checkacquire(bucket
, ap
, pp
, src
, dst
, isrc
, idst
,
5077 if (newbie
== NULL
) {
5079 * Otherwise, allocate a new one.
5081 newbie
= kmem_zalloc(sizeof (*newbie
), KM_NOSLEEP
);
5082 if (newbie
== NULL
) {
5083 mutex_exit(&bucket
->iacqf_lock
);
5084 ip_drop_packet(mp
, B_FALSE
, NULL
, NULL
,
5085 DROPPER(ipss
, ipds_sadb_acquire_nomem
),
5086 &ipss
->ipsec_sadb_dropper
);
5089 newbie
->ipsacq_policy
= pp
;
5094 newbie
->ipsacq_act
= ap
;
5095 newbie
->ipsacq_linklock
= &bucket
->iacqf_lock
;
5096 newbie
->ipsacq_next
= bucket
->iacqf_ipsacq
;
5097 newbie
->ipsacq_ptpn
= &bucket
->iacqf_ipsacq
;
5098 if (newbie
->ipsacq_next
!= NULL
)
5099 newbie
->ipsacq_next
->ipsacq_ptpn
= &newbie
->ipsacq_next
;
5100 bucket
->iacqf_ipsacq
= newbie
;
5101 mutex_init(&newbie
->ipsacq_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
5102 mutex_enter(&newbie
->ipsacq_lock
);
5105 mutex_exit(&bucket
->iacqf_lock
);
5108 * This assert looks silly for now, but we may need to enter newbie's
5109 * mutex during a search.
5111 ASSERT(MUTEX_HELD(&newbie
->ipsacq_lock
));
5114 /* Queue up packet. Use b_next. */
5115 if (newbie
->ipsacq_numpackets
== 0) {
5117 newbie
->ipsacq_mp
= mp
;
5118 newbie
->ipsacq_numpackets
= 1;
5119 newbie
->ipsacq_expire
= gethrestime_sec();
5121 * Extended ACQUIRE with both AH+ESP will use ESP's timeout
5124 newbie
->ipsacq_expire
+= *spp
->s_acquire_timeout
;
5125 newbie
->ipsacq_seq
= seq
;
5126 newbie
->ipsacq_addrfam
= af
;
5128 newbie
->ipsacq_srcport
= io
->ipsec_out_src_port
;
5129 newbie
->ipsacq_dstport
= io
->ipsec_out_dst_port
;
5130 newbie
->ipsacq_icmp_type
= io
->ipsec_out_icmp_type
;
5131 newbie
->ipsacq_icmp_code
= io
->ipsec_out_icmp_code
;
5133 newbie
->ipsacq_inneraddrfam
= io
->ipsec_out_inaf
;
5134 newbie
->ipsacq_proto
= io
->ipsec_out_inaf
== AF_INET6
?
5135 IPPROTO_IPV6
: IPPROTO_ENCAP
;
5136 newbie
->ipsacq_innersrcpfx
= io
->ipsec_out_insrcpfx
;
5137 newbie
->ipsacq_innerdstpfx
= io
->ipsec_out_indstpfx
;
5138 IPSA_COPY_ADDR(newbie
->ipsacq_innersrc
,
5139 io
->ipsec_out_insrc
, io
->ipsec_out_inaf
);
5140 IPSA_COPY_ADDR(newbie
->ipsacq_innerdst
,
5141 io
->ipsec_out_indst
, io
->ipsec_out_inaf
);
5143 newbie
->ipsacq_proto
= io
->ipsec_out_proto
;
5145 newbie
->ipsacq_unique_id
= unique_id
;
5147 /* Scan to the end of the list & insert. */
5148 mblk_t
*lastone
= newbie
->ipsacq_mp
;
5150 while (lastone
->b_next
!= NULL
)
5151 lastone
= lastone
->b_next
;
5152 lastone
->b_next
= mp
;
5153 if (newbie
->ipsacq_numpackets
++ == ipsacq_maxpackets
) {
5154 newbie
->ipsacq_numpackets
= ipsacq_maxpackets
;
5155 lastone
= newbie
->ipsacq_mp
;
5156 newbie
->ipsacq_mp
= lastone
->b_next
;
5157 lastone
->b_next
= NULL
;
5158 ip_drop_packet(lastone
, B_FALSE
, NULL
, NULL
,
5159 DROPPER(ipss
, ipds_sadb_acquire_toofull
),
5160 &ipss
->ipsec_sadb_dropper
);
5162 IP_ACQUIRE_STAT(ipss
, qhiwater
,
5163 newbie
->ipsacq_numpackets
);
5168 * Reset addresses. Set them to the most recently added mblk chain,
5169 * so that the address pointers in the acquire record will point
5170 * at an mblk still attached to the acquire list.
5173 newbie
->ipsacq_srcaddr
= src
;
5174 newbie
->ipsacq_dstaddr
= dst
;
5177 * If the acquire record has more than one queued packet, we've
5178 * already sent an ACQUIRE, and don't need to repeat ourself.
5180 if (newbie
->ipsacq_seq
!= seq
|| newbie
->ipsacq_numpackets
> 1) {
5181 /* I have an acquire outstanding already! */
5182 mutex_exit(&newbie
->ipsacq_lock
);
5186 if (keysock_extended_reg(ns
)) {
5188 * Construct an extended ACQUIRE. There are logging
5189 * opportunities here in failure cases.
5192 (void) memset(&sel
, 0, sizeof (sel
));
5193 sel
.ips_isv4
= io
->ipsec_out_v4
;
5195 sel
.ips_protocol
= (io
->ipsec_out_inaf
== AF_INET
) ?
5196 IPPROTO_ENCAP
: IPPROTO_IPV6
;
5198 sel
.ips_protocol
= io
->ipsec_out_proto
;
5199 sel
.ips_local_port
= io
->ipsec_out_src_port
;
5200 sel
.ips_remote_port
= io
->ipsec_out_dst_port
;
5202 sel
.ips_icmp_type
= io
->ipsec_out_icmp_type
;
5203 sel
.ips_icmp_code
= io
->ipsec_out_icmp_code
;
5204 sel
.ips_is_icmp_inv_acq
= 0;
5205 if (af
== AF_INET
) {
5206 sel
.ips_local_addr_v4
= ipha
->ipha_src
;
5207 sel
.ips_remote_addr_v4
= ipha
->ipha_dst
;
5209 sel
.ips_local_addr_v6
= ip6h
->ip6_src
;
5210 sel
.ips_remote_addr_v6
= ip6h
->ip6_dst
;
5213 extended
= sadb_keysock_out(0);
5214 if (extended
!= NULL
) {
5215 extended
->b_cont
= sadb_extended_acquire(&sel
, pp
, ap
,
5216 tunnel_mode
, seq
, 0, ns
);
5217 if (extended
->b_cont
== NULL
) {
5226 * Send an ACQUIRE message (and possible an extended ACQUIRE) based on
5227 * this new record. The send-acquire callback assumes that acqrec is
5230 (*spp
->s_acqfn
)(newbie
, extended
, ns
);
5234 * Unlink and free an acquire record.
5237 sadb_destroy_acquire(ipsacq_t
*acqrec
, netstack_t
*ns
)
5240 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
5242 ASSERT(MUTEX_HELD(acqrec
->ipsacq_linklock
));
5244 if (acqrec
->ipsacq_policy
!= NULL
) {
5245 IPPOL_REFRELE(acqrec
->ipsacq_policy
, ns
);
5247 if (acqrec
->ipsacq_act
!= NULL
) {
5248 IPACT_REFRELE(acqrec
->ipsacq_act
);
5252 *(acqrec
->ipsacq_ptpn
) = acqrec
->ipsacq_next
;
5253 if (acqrec
->ipsacq_next
!= NULL
)
5254 acqrec
->ipsacq_next
->ipsacq_ptpn
= acqrec
->ipsacq_ptpn
;
5257 * Free hanging mp's.
5259 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED.
5262 mutex_enter(&acqrec
->ipsacq_lock
);
5263 while (acqrec
->ipsacq_mp
!= NULL
) {
5264 mp
= acqrec
->ipsacq_mp
;
5265 acqrec
->ipsacq_mp
= mp
->b_next
;
5267 ip_drop_packet(mp
, B_FALSE
, NULL
, NULL
,
5268 DROPPER(ipss
, ipds_sadb_acquire_timeout
),
5269 &ipss
->ipsec_sadb_dropper
);
5271 mutex_exit(&acqrec
->ipsacq_lock
);
5274 mutex_destroy(&acqrec
->ipsacq_lock
);
5275 kmem_free(acqrec
, sizeof (*acqrec
));
5279 * Destroy an acquire list fanout.
5282 sadb_destroy_acqlist(iacqf_t
**listp
, uint_t numentries
, boolean_t forever
,
5286 iacqf_t
*list
= *listp
;
5291 for (i
= 0; i
< numentries
; i
++) {
5292 mutex_enter(&(list
[i
].iacqf_lock
));
5293 while (list
[i
].iacqf_ipsacq
!= NULL
)
5294 sadb_destroy_acquire(list
[i
].iacqf_ipsacq
, ns
);
5295 mutex_exit(&(list
[i
].iacqf_lock
));
5297 mutex_destroy(&(list
[i
].iacqf_lock
));
5302 kmem_free(list
, numentries
* sizeof (*list
));
5307 * Create an algorithm descriptor for an extended ACQUIRE. Filter crypto
5308 * framework's view of reality vs. IPsec's. EF's wins, BTW.
5311 sadb_new_algdesc(uint8_t *start
, uint8_t *limit
,
5312 sadb_x_ecomb_t
*ecomb
, uint8_t satype
, uint8_t algtype
,
5313 uint8_t alg
, uint16_t minbits
, uint16_t maxbits
, ipsec_stack_t
*ipss
)
5315 uint8_t *cur
= start
;
5316 ipsec_alginfo_t
*algp
;
5317 sadb_x_algdesc_t
*algdesc
= (sadb_x_algdesc_t
*)cur
;
5319 cur
+= sizeof (*algdesc
);
5323 ecomb
->sadb_x_ecomb_numalgs
++;
5326 * Normalize vs. crypto framework's limits. This way, you can specify
5327 * a stronger policy, and when the framework loads a stronger version,
5328 * you can just keep plowing w/o rewhacking your SPD.
5330 mutex_enter(&ipss
->ipsec_alg_lock
);
5331 algp
= ipss
->ipsec_alglists
[(algtype
== SADB_X_ALGTYPE_AUTH
) ?
5332 IPSEC_ALG_AUTH
: IPSEC_ALG_ENCR
][alg
];
5334 mutex_exit(&ipss
->ipsec_alg_lock
);
5335 return (NULL
); /* Algorithm doesn't exist. Fail gracefully. */
5337 if (minbits
< algp
->alg_ef_minbits
)
5338 minbits
= algp
->alg_ef_minbits
;
5339 if (maxbits
> algp
->alg_ef_maxbits
)
5340 maxbits
= algp
->alg_ef_maxbits
;
5341 mutex_exit(&ipss
->ipsec_alg_lock
);
5343 algdesc
->sadb_x_algdesc_satype
= satype
;
5344 algdesc
->sadb_x_algdesc_algtype
= algtype
;
5345 algdesc
->sadb_x_algdesc_alg
= alg
;
5346 algdesc
->sadb_x_algdesc_minbits
= minbits
;
5347 algdesc
->sadb_x_algdesc_maxbits
= maxbits
;
5348 algdesc
->sadb_x_algdesc_reserved
= 0;
5353 * Convert the given ipsec_action_t into an ecomb starting at *ecomb
5354 * which must fit before *limit
5356 * return NULL if we ran out of room or a pointer to the end of the ecomb.
5359 sadb_action_to_ecomb(uint8_t *start
, uint8_t *limit
, ipsec_action_t
*act
,
5362 uint8_t *cur
= start
;
5363 sadb_x_ecomb_t
*ecomb
= (sadb_x_ecomb_t
*)cur
;
5365 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
5367 cur
+= sizeof (*ecomb
);
5371 ASSERT(act
->ipa_act
.ipa_type
== IPSEC_ACT_APPLY
);
5373 ipp
= &act
->ipa_act
.ipa_apply
;
5375 ecomb
->sadb_x_ecomb_numalgs
= 0;
5376 ecomb
->sadb_x_ecomb_reserved
= 0;
5377 ecomb
->sadb_x_ecomb_reserved2
= 0;
5379 * No limits on allocations, since we really don't support that
5380 * concept currently.
5382 ecomb
->sadb_x_ecomb_soft_allocations
= 0;
5383 ecomb
->sadb_x_ecomb_hard_allocations
= 0;
5386 * XXX TBD: Policy or global parameters will eventually be
5387 * able to fill in some of these.
5389 ecomb
->sadb_x_ecomb_flags
= 0;
5390 ecomb
->sadb_x_ecomb_soft_bytes
= 0;
5391 ecomb
->sadb_x_ecomb_hard_bytes
= 0;
5392 ecomb
->sadb_x_ecomb_soft_addtime
= 0;
5393 ecomb
->sadb_x_ecomb_hard_addtime
= 0;
5394 ecomb
->sadb_x_ecomb_soft_usetime
= 0;
5395 ecomb
->sadb_x_ecomb_hard_usetime
= 0;
5397 if (ipp
->ipp_use_ah
) {
5398 cur
= sadb_new_algdesc(cur
, limit
, ecomb
,
5399 SADB_SATYPE_AH
, SADB_X_ALGTYPE_AUTH
, ipp
->ipp_auth_alg
,
5400 ipp
->ipp_ah_minbits
, ipp
->ipp_ah_maxbits
, ipss
);
5403 ipsecah_fill_defs(ecomb
, ns
);
5406 if (ipp
->ipp_use_esp
) {
5407 if (ipp
->ipp_use_espa
) {
5408 cur
= sadb_new_algdesc(cur
, limit
, ecomb
,
5409 SADB_SATYPE_ESP
, SADB_X_ALGTYPE_AUTH
,
5410 ipp
->ipp_esp_auth_alg
,
5411 ipp
->ipp_espa_minbits
,
5412 ipp
->ipp_espa_maxbits
, ipss
);
5417 cur
= sadb_new_algdesc(cur
, limit
, ecomb
,
5418 SADB_SATYPE_ESP
, SADB_X_ALGTYPE_CRYPT
,
5420 ipp
->ipp_espe_minbits
,
5421 ipp
->ipp_espe_maxbits
, ipss
);
5424 /* Fill in lifetimes if and only if AH didn't already... */
5425 if (!ipp
->ipp_use_ah
)
5426 ipsecesp_fill_defs(ecomb
, ns
);
5433 * Construct an extended ACQUIRE message based on a selector and the resulting
5436 * NOTE: This is used by both inverse ACQUIRE and actual ACQUIRE
5437 * generation. As a consequence, expect this function to evolve
5441 sadb_extended_acquire(ipsec_selector_t
*sel
, ipsec_policy_t
*pol
,
5442 ipsec_action_t
*act
, boolean_t tunnel_mode
, uint32_t seq
, uint32_t pid
,
5447 uint8_t *start
, *cur
, *end
;
5448 uint32_t *saddrptr
, *daddrptr
;
5451 ipsec_action_t
*ap
, *an
;
5452 ipsec_selkey_t
*ipsl
;
5453 uint8_t proto
, pfxlen
;
5454 uint16_t lport
, rport
;
5458 * Find the action we want sooner rather than later..
5471 * Just take a swag for the allocation for now. We can always
5474 #define SADB_EXTENDED_ACQUIRE_SIZE 4096
5475 mp
= allocb(SADB_EXTENDED_ACQUIRE_SIZE
, BPRI_HI
);
5480 end
= start
+ SADB_EXTENDED_ACQUIRE_SIZE
;
5484 samsg
= (sadb_msg_t
*)cur
;
5485 cur
+= sizeof (*samsg
);
5487 samsg
->sadb_msg_version
= PF_KEY_V2
;
5488 samsg
->sadb_msg_type
= SADB_ACQUIRE
;
5489 samsg
->sadb_msg_errno
= 0;
5490 samsg
->sadb_msg_reserved
= 0;
5491 samsg
->sadb_msg_satype
= 0;
5492 samsg
->sadb_msg_seq
= seq
;
5493 samsg
->sadb_msg_pid
= pid
;
5497 * Form inner address extensions based NOT on the inner
5498 * selectors (i.e. the packet data), but on the policy's
5499 * selector key (i.e. the policy's selector information).
5501 * NOTE: The position of IPv4 and IPv6 addresses is the
5502 * same in ipsec_selkey_t (unless the compiler does very
5503 * strange things with unions, consult your local C language
5504 * lawyer for details).
5506 ipsl
= &(pol
->ipsp_sel
->ipsl_key
);
5507 if (ipsl
->ipsl_valid
& IPSL_IPV4
) {
5509 ASSERT(sel
->ips_protocol
== IPPROTO_ENCAP
);
5510 ASSERT(!(ipsl
->ipsl_valid
& IPSL_IPV6
));
5513 ASSERT(sel
->ips_protocol
== IPPROTO_IPV6
);
5514 ASSERT(ipsl
->ipsl_valid
& IPSL_IPV6
);
5517 if (ipsl
->ipsl_valid
& IPSL_LOCAL_ADDR
) {
5518 saddrptr
= (uint32_t *)(&ipsl
->ipsl_local
);
5519 pfxlen
= ipsl
->ipsl_local_pfxlen
;
5521 saddrptr
= (uint32_t *)(&ipv6_all_zeros
);
5524 /* XXX What about ICMP type/code? */
5525 lport
= (ipsl
->ipsl_valid
& IPSL_LOCAL_PORT
) ?
5526 ipsl
->ipsl_lport
: 0;
5527 proto
= (ipsl
->ipsl_valid
& IPSL_PROTOCOL
) ?
5528 ipsl
->ipsl_proto
: 0;
5530 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_SRC
,
5531 af
, saddrptr
, lport
, proto
, pfxlen
);
5537 if (ipsl
->ipsl_valid
& IPSL_REMOTE_ADDR
) {
5538 daddrptr
= (uint32_t *)(&ipsl
->ipsl_remote
);
5539 pfxlen
= ipsl
->ipsl_remote_pfxlen
;
5541 daddrptr
= (uint32_t *)(&ipv6_all_zeros
);
5544 /* XXX What about ICMP type/code? */
5545 rport
= (ipsl
->ipsl_valid
& IPSL_REMOTE_PORT
) ?
5546 ipsl
->ipsl_rport
: 0;
5548 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_DST
,
5549 af
, daddrptr
, rport
, proto
, pfxlen
);
5555 * TODO - if we go to 3408's dream of transport mode IP-in-IP
5556 * _with_ inner-packet address selectors, we'll need to further
5557 * distinguish tunnel mode here. For now, having inner
5558 * addresses and/or ports is sufficient.
5560 * Meanwhile, whack proto/ports to reflect IP-in-IP for the
5563 proto
= sel
->ips_protocol
; /* Either _ENCAP or _IPV6 */
5565 } else if ((ap
!= NULL
) && (!ap
->ipa_want_unique
)) {
5570 ipsl
= &(pol
->ipsp_sel
->ipsl_key
);
5571 if (ipsl
->ipsl_valid
& IPSL_PROTOCOL
)
5572 proto
= ipsl
->ipsl_proto
;
5573 if (ipsl
->ipsl_valid
& IPSL_REMOTE_PORT
)
5574 rport
= ipsl
->ipsl_rport
;
5575 if (ipsl
->ipsl_valid
& IPSL_LOCAL_PORT
)
5576 lport
= ipsl
->ipsl_lport
;
5579 proto
= sel
->ips_protocol
;
5580 lport
= sel
->ips_local_port
;
5581 rport
= sel
->ips_remote_port
;
5584 af
= sel
->ips_isv4
? AF_INET
: AF_INET6
;
5587 * NOTE: The position of IPv4 and IPv6 addresses is the same in
5590 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_SRC
, af
,
5591 (uint32_t *)(&sel
->ips_local_addr_v6
), lport
, proto
, 0);
5598 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_DST
, af
,
5599 (uint32_t *)(&sel
->ips_remote_addr_v6
), rport
, proto
, 0);
5607 * This section will change a lot as policy evolves.
5608 * For now, it'll be relatively simple.
5610 eprop
= (sadb_prop_t
*)cur
;
5611 cur
+= sizeof (*eprop
);
5618 eprop
->sadb_prop_exttype
= SADB_X_EXT_EPROP
;
5619 eprop
->sadb_x_prop_ereserved
= 0;
5620 eprop
->sadb_x_prop_numecombs
= 0;
5621 eprop
->sadb_prop_replay
= 32; /* default */
5625 for (; ap
!= NULL
; ap
= an
) {
5626 an
= (pol
!= NULL
) ? ap
->ipa_next
: NULL
;
5629 * Skip non-IPsec policies
5631 if (ap
->ipa_act
.ipa_type
!= IPSEC_ACT_APPLY
)
5634 if (ap
->ipa_act
.ipa_apply
.ipp_km_proto
)
5635 kmp
= ap
->ipa_act
.ipa_apply
.ipp_km_proto
;
5636 if (ap
->ipa_act
.ipa_apply
.ipp_km_cookie
)
5637 kmc
= ap
->ipa_act
.ipa_apply
.ipp_km_cookie
;
5638 if (ap
->ipa_act
.ipa_apply
.ipp_replay_depth
) {
5639 eprop
->sadb_prop_replay
=
5640 ap
->ipa_act
.ipa_apply
.ipp_replay_depth
;
5643 cur
= sadb_action_to_ecomb(cur
, end
, ap
, ns
);
5644 if (cur
== NULL
) { /* no space */
5648 eprop
->sadb_x_prop_numecombs
++;
5651 if (eprop
->sadb_x_prop_numecombs
== 0) {
5653 * This will happen if we fail to find a policy
5654 * allowing for IPsec processing.
5655 * Construct an error message.
5657 samsg
->sadb_msg_len
= SADB_8TO64(sizeof (*samsg
));
5658 samsg
->sadb_msg_errno
= ENOENT
;
5659 samsg
->sadb_x_msg_diagnostic
= 0;
5663 if ((kmp
!= 0) || (kmc
!= 0)) {
5664 cur
= sadb_make_kmc_ext(cur
, end
, kmp
, kmc
);
5671 eprop
->sadb_prop_len
= SADB_8TO64(cur
- (uint8_t *)eprop
);
5672 samsg
->sadb_msg_len
= SADB_8TO64(cur
- start
);
5679 * Generic setup of an RFC 2367 ACQUIRE message. Caller sets satype.
5681 * NOTE: This function acquires alg_lock as a side-effect if-and-only-if we
5682 * succeed (i.e. return non-NULL). Caller MUST release it. This is to
5683 * maximize code consolidation while preventing algorithm changes from messing
5684 * with the callers finishing touches on the ACQUIRE itself.
5687 sadb_setup_acquire(ipsacq_t
*acqrec
, uint8_t satype
, ipsec_stack_t
*ipss
)
5690 mblk_t
*pfkeymp
, *msgmp
;
5694 uint16_t sport_typecode
;
5695 uint16_t dport_typecode
;
5696 uint8_t check_proto
;
5697 boolean_t tunnel_mode
= (acqrec
->ipsacq_inneraddrfam
!= 0);
5699 ASSERT(MUTEX_HELD(&acqrec
->ipsacq_lock
));
5701 pfkeymp
= sadb_keysock_out(0);
5702 if (pfkeymp
== NULL
)
5706 * First, allocate a basic ACQUIRE message
5708 allocsize
= sizeof (sadb_msg_t
) + sizeof (sadb_address_t
) +
5709 sizeof (sadb_address_t
) + sizeof (sadb_prop_t
);
5711 /* Make sure there's enough to cover both AF_INET and AF_INET6. */
5712 allocsize
+= 2 * sizeof (struct sockaddr_in6
);
5714 mutex_enter(&ipss
->ipsec_alg_lock
);
5715 /* NOTE: The lock is now held through to this function's return. */
5716 allocsize
+= ipss
->ipsec_nalgs
[IPSEC_ALG_AUTH
] *
5717 ipss
->ipsec_nalgs
[IPSEC_ALG_ENCR
] * sizeof (sadb_comb_t
);
5721 allocsize
+= 2 * sizeof (sadb_address_t
);
5722 /* Enough to cover both AF_INET and AF_INET6. */
5723 allocsize
+= 2 * sizeof (struct sockaddr_in6
);
5726 msgmp
= allocb(allocsize
, BPRI_HI
);
5727 if (msgmp
== NULL
) {
5729 mutex_exit(&ipss
->ipsec_alg_lock
);
5733 pfkeymp
->b_cont
= msgmp
;
5734 cur
= msgmp
->b_rptr
;
5735 end
= cur
+ allocsize
;
5736 samsg
= (sadb_msg_t
*)cur
;
5737 cur
+= sizeof (sadb_msg_t
);
5739 af
= acqrec
->ipsacq_addrfam
;
5742 check_proto
= IPPROTO_ICMP
;
5745 check_proto
= IPPROTO_ICMPV6
;
5748 /* This should never happen unless we have kernel bugs. */
5750 "sadb_setup_acquire: corrupt ACQUIRE record.\n");
5752 mutex_exit(&ipss
->ipsec_alg_lock
);
5756 samsg
->sadb_msg_version
= PF_KEY_V2
;
5757 samsg
->sadb_msg_type
= SADB_ACQUIRE
;
5758 samsg
->sadb_msg_satype
= satype
;
5759 samsg
->sadb_msg_errno
= 0;
5760 samsg
->sadb_msg_pid
= 0;
5761 samsg
->sadb_msg_reserved
= 0;
5762 samsg
->sadb_msg_seq
= acqrec
->ipsacq_seq
;
5764 ASSERT(MUTEX_HELD(&acqrec
->ipsacq_lock
));
5766 if ((acqrec
->ipsacq_proto
== check_proto
) || tunnel_mode
) {
5767 sport_typecode
= dport_typecode
= 0;
5769 sport_typecode
= acqrec
->ipsacq_srcport
;
5770 dport_typecode
= acqrec
->ipsacq_dstport
;
5773 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_SRC
, af
,
5774 acqrec
->ipsacq_srcaddr
, sport_typecode
, acqrec
->ipsacq_proto
, 0);
5776 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_DST
, af
,
5777 acqrec
->ipsacq_dstaddr
, dport_typecode
, acqrec
->ipsacq_proto
, 0);
5780 sport_typecode
= acqrec
->ipsacq_srcport
;
5781 dport_typecode
= acqrec
->ipsacq_dstport
;
5782 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_SRC
,
5783 acqrec
->ipsacq_inneraddrfam
, acqrec
->ipsacq_innersrc
,
5784 sport_typecode
, acqrec
->ipsacq_inner_proto
,
5785 acqrec
->ipsacq_innersrcpfx
);
5786 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_DST
,
5787 acqrec
->ipsacq_inneraddrfam
, acqrec
->ipsacq_innerdst
,
5788 dport_typecode
, acqrec
->ipsacq_inner_proto
,
5789 acqrec
->ipsacq_innerdstpfx
);
5792 /* XXX Insert identity information here. */
5794 /* XXXMLS Insert sensitivity information here. */
5797 samsg
->sadb_msg_len
= SADB_8TO64(cur
- msgmp
->b_rptr
);
5799 mutex_exit(&ipss
->ipsec_alg_lock
);
5805 * Given an SADB_GETSPI message, find an appropriately ranged SA and
5806 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1.
5807 * If there was a memory allocation error, return NULL. (Assume NULL !=
5810 * master_spi is passed in host order.
5813 sadb_getspi(keysock_in_t
*ksi
, uint32_t master_spi
, int *diagnostic
,
5814 netstack_t
*ns
, uint_t sa_type
)
5816 sadb_address_t
*src
=
5817 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_SRC
],
5818 *dst
= (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_DST
];
5819 sadb_spirange_t
*range
=
5820 (sadb_spirange_t
*)ksi
->ks_in_extv
[SADB_EXT_SPIRANGE
];
5821 struct sockaddr_in
*ssa
, *dsa
;
5822 struct sockaddr_in6
*ssa6
, *dsa6
;
5823 uint32_t *srcaddr
, *dstaddr
;
5825 uint32_t add
, min
, max
;
5827 (sa_type
== SADB_SATYPE_AH
) ? IPPROTO_AH
: IPPROTO_ESP
;
5830 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SRC
;
5831 return ((ipsa_t
*)-1);
5834 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_DST
;
5835 return ((ipsa_t
*)-1);
5837 if (range
== NULL
) {
5838 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_RANGE
;
5839 return ((ipsa_t
*)-1);
5842 min
= ntohl(range
->sadb_spirange_min
);
5843 max
= ntohl(range
->sadb_spirange_max
);
5844 dsa
= (struct sockaddr_in
*)(dst
+ 1);
5845 dsa6
= (struct sockaddr_in6
*)dsa
;
5847 ssa
= (struct sockaddr_in
*)(src
+ 1);
5848 ssa6
= (struct sockaddr_in6
*)ssa
;
5849 ASSERT(dsa
->sin_family
== ssa
->sin_family
);
5851 srcaddr
= ALL_ZEROES_PTR
;
5852 af
= dsa
->sin_family
;
5856 srcaddr
= (uint32_t *)(&ssa
->sin_addr
);
5857 dstaddr
= (uint32_t *)(&dsa
->sin_addr
);
5861 srcaddr
= (uint32_t *)(&ssa6
->sin6_addr
);
5862 dstaddr
= (uint32_t *)(&dsa6
->sin6_addr
);
5865 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_DST_AF
;
5866 return ((ipsa_t
*)-1);
5869 if (master_spi
< min
|| master_spi
> max
) {
5870 /* Return a random value in the range. */
5871 if (cl_inet_getspi
) {
5872 cl_inet_getspi(protocol
, (uint8_t *)&add
, sizeof (add
));
5874 (void) random_get_pseudo_bytes((uint8_t *)&add
,
5877 master_spi
= min
+ (add
% (max
- min
+ 1));
5881 * Since master_spi is passed in host order, we need to htonl() it
5882 * for the purposes of creating a new SA.
5884 return (sadb_makelarvalassoc(htonl(master_spi
), srcaddr
, dstaddr
, af
,
5890 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the
5891 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list
5892 * and scan for the sequence number in question. I may wish to accept an
5893 * address pair with it, for easier searching.
5895 * Caller frees the message, so we don't have to here.
5897 * NOTE: The ip_q parameter may be used in the future for ACQUIRE
5902 sadb_in_acquire(sadb_msg_t
*samsg
, sadbp_t
*sp
, queue_t
*ip_q
, netstack_t
*ns
)
5909 * I only accept the base header for this!
5910 * Though to be honest, requiring the dst address would help
5913 * XXX There are already cases where I can get the dst address.
5915 if (samsg
->sadb_msg_len
> SADB_8TO64(sizeof (*samsg
)))
5919 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it,
5920 * (and in the future send a message to IP with the appropriate error
5923 * Q: Do I want to reject if pid != 0?
5926 for (i
= 0; i
< sp
->s_v4
.sdb_hashsize
; i
++) {
5927 bucket
= &sp
->s_v4
.sdb_acq
[i
];
5928 mutex_enter(&bucket
->iacqf_lock
);
5929 for (acqrec
= bucket
->iacqf_ipsacq
; acqrec
!= NULL
;
5930 acqrec
= acqrec
->ipsacq_next
) {
5931 if (samsg
->sadb_msg_seq
== acqrec
->ipsacq_seq
)
5932 break; /* for acqrec... loop. */
5935 break; /* for i = 0... loop. */
5937 mutex_exit(&bucket
->iacqf_lock
);
5940 if (acqrec
== NULL
) {
5941 for (i
= 0; i
< sp
->s_v6
.sdb_hashsize
; i
++) {
5942 bucket
= &sp
->s_v6
.sdb_acq
[i
];
5943 mutex_enter(&bucket
->iacqf_lock
);
5944 for (acqrec
= bucket
->iacqf_ipsacq
; acqrec
!= NULL
;
5945 acqrec
= acqrec
->ipsacq_next
) {
5946 if (samsg
->sadb_msg_seq
== acqrec
->ipsacq_seq
)
5947 break; /* for acqrec... loop. */
5950 break; /* for i = 0... loop. */
5952 mutex_exit(&bucket
->iacqf_lock
);
5961 * What do I do with the errno and IP? I may need mp's services a
5962 * little more. See sadb_destroy_acquire() for future directions
5963 * beyond free the mblk chain on the acquire record.
5966 ASSERT(&bucket
->iacqf_lock
== acqrec
->ipsacq_linklock
);
5967 sadb_destroy_acquire(acqrec
, ns
);
5968 /* Have to exit mutex here, because of breaking out of for loop. */
5969 mutex_exit(&bucket
->iacqf_lock
);
5973 * The following functions work with the replay windows of an SA. They assume
5974 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector
5975 * represents the highest sequence number packet received, and back
5976 * (ipsa->ipsa_replay_wsize) packets.
5980 * Is the replay bit set?
5983 ipsa_is_replay_set(ipsa_t
*ipsa
, uint32_t offset
)
5985 uint64_t bit
= (uint64_t)1 << (uint64_t)(offset
& 63);
5987 return ((bit
& ipsa
->ipsa_replay_arr
[offset
>> 6]) ? B_TRUE
: B_FALSE
);
5991 * Shift the bits of the replay window over.
5994 ipsa_shift_replay(ipsa_t
*ipsa
, uint32_t shift
)
5997 int jump
= ((shift
- 1) >> 6) + 1;
6002 for (i
= (ipsa
->ipsa_replay_wsize
- 1) >> 6; i
>= 0; i
--) {
6003 if (i
+ jump
<= (ipsa
->ipsa_replay_wsize
- 1) >> 6) {
6004 ipsa
->ipsa_replay_arr
[i
+ jump
] |=
6005 ipsa
->ipsa_replay_arr
[i
] >> (64 - (shift
& 63));
6007 ipsa
->ipsa_replay_arr
[i
] <<= shift
;
6012 * Set a bit in the bit vector.
6015 ipsa_set_replay(ipsa_t
*ipsa
, uint32_t offset
)
6017 uint64_t bit
= (uint64_t)1 << (uint64_t)(offset
& 63);
6019 ipsa
->ipsa_replay_arr
[offset
>> 6] |= bit
;
6022 #define SADB_MAX_REPLAY_VALUE 0xffffffff
6025 * Assume caller has NOT done ntohl() already on seq. Check to see
6026 * if replay sequence number "seq" has been seen already.
6029 sadb_replay_check(ipsa_t
*ipsa
, uint32_t seq
)
6034 if (ipsa
->ipsa_replay_wsize
== 0)
6038 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek().
6041 /* Convert sequence number into host order before holding the mutex. */
6044 mutex_enter(&ipsa
->ipsa_lock
);
6046 /* Initialize inbound SA's ipsa_replay field to last one received. */
6047 if (ipsa
->ipsa_replay
== 0)
6048 ipsa
->ipsa_replay
= 1;
6050 if (seq
> ipsa
->ipsa_replay
) {
6052 * I have received a new "highest value received". Shift
6053 * the replay window over.
6055 diff
= seq
- ipsa
->ipsa_replay
;
6056 if (diff
< ipsa
->ipsa_replay_wsize
) {
6057 /* In replay window, shift bits over. */
6058 ipsa_shift_replay(ipsa
, diff
);
6060 /* WAY FAR AHEAD, clear bits and start again. */
6061 bzero(ipsa
->ipsa_replay_arr
,
6062 sizeof (ipsa
->ipsa_replay_arr
));
6064 ipsa_set_replay(ipsa
, 0);
6065 ipsa
->ipsa_replay
= seq
;
6069 diff
= ipsa
->ipsa_replay
- seq
;
6070 if (diff
>= ipsa
->ipsa_replay_wsize
|| ipsa_is_replay_set(ipsa
, diff
)) {
6074 /* Set this packet as seen. */
6075 ipsa_set_replay(ipsa
, diff
);
6079 mutex_exit(&ipsa
->ipsa_lock
);
6084 * "Peek" and see if we should even bother going through the effort of
6085 * running an authentication check on the sequence number passed in.
6086 * this takes into account packets that are below the replay window,
6087 * and collisions with already replayed packets. Return B_TRUE if it
6088 * is okay to proceed, B_FALSE if this packet should be dropped immediately.
6089 * Assume same byte-ordering as sadb_replay_check.
6092 sadb_replay_peek(ipsa_t
*ipsa
, uint32_t seq
)
6094 boolean_t rc
= B_FALSE
;
6097 if (ipsa
->ipsa_replay_wsize
== 0)
6101 * 0 is 0, regardless of byte order... :)
6103 * If I get 0 on the wire (and there is a replay window) then the
6104 * sender most likely wrapped. This ipsa may need to be marked or
6111 mutex_enter(&ipsa
->ipsa_lock
);
6112 if (seq
< ipsa
->ipsa_replay
- ipsa
->ipsa_replay_wsize
&&
6113 ipsa
->ipsa_replay
>= ipsa
->ipsa_replay_wsize
)
6117 * If I've hit 0xffffffff, then quite honestly, I don't need to
6118 * bother with formalities. I'm not accepting any more packets
6121 if (ipsa
->ipsa_replay
== SADB_MAX_REPLAY_VALUE
) {
6123 * Since we're already holding the lock, update the
6124 * expire time ala. sadb_replay_delete() and return.
6126 ipsa
->ipsa_hardexpiretime
= (time_t)1;
6130 if (seq
<= ipsa
->ipsa_replay
) {
6132 * This seq is in the replay window. I'm not below it,
6133 * because I already checked for that above!
6135 diff
= ipsa
->ipsa_replay
- seq
;
6136 if (ipsa_is_replay_set(ipsa
, diff
))
6139 /* Else return B_TRUE, I'm going to advance the window. */
6143 mutex_exit(&ipsa
->ipsa_lock
);
6148 * Delete a single SA.
6150 * For now, use the quick-and-dirty trick of making the association's
6151 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager().
6154 sadb_replay_delete(ipsa_t
*assoc
)
6156 mutex_enter(&assoc
->ipsa_lock
);
6157 assoc
->ipsa_hardexpiretime
= (time_t)1;
6158 mutex_exit(&assoc
->ipsa_lock
);
6162 * Given a queue that presumably points to IP, send a T_BIND_REQ for _proto_
6163 * down. The caller will handle the T_BIND_ACK locally.
6166 sadb_t_bind_req(queue_t
*q
, int proto
)
6168 struct T_bind_req
*tbr
;
6171 mp
= allocb(sizeof (struct T_bind_req
) + 1, BPRI_HI
);
6173 /* cmn_err(CE_WARN, */
6174 /* "sadb_t_bind_req(%d): couldn't allocate mblk\n", proto); */
6177 mp
->b_datap
->db_type
= M_PCPROTO
;
6178 tbr
= (struct T_bind_req
*)mp
->b_rptr
;
6179 mp
->b_wptr
+= sizeof (struct T_bind_req
);
6180 tbr
->PRIM_type
= T_BIND_REQ
;
6181 tbr
->ADDR_length
= 0;
6182 tbr
->ADDR_offset
= 0;
6183 tbr
->CONIND_number
= 0;
6184 *mp
->b_wptr
= (uint8_t)proto
;
6192 * Special front-end to ipsec_rl_strlog() dealing with SA failure.
6193 * this is designed to take only a format string with "* %x * %s *", so
6194 * that "spi" is printed first, then "addr" is converted using inet_pton().
6196 * This is abstracted out to save the stack space for only when inet_pton()
6197 * is called. Make sure "spi" is in network order; it usually is when this
6201 ipsec_assocfailure(short mid
, short sid
, char level
, ushort_t sl
, char *fmt
,
6202 uint32_t spi
, void *addr
, int af
, netstack_t
*ns
)
6204 char buf
[INET6_ADDRSTRLEN
];
6206 ASSERT(af
== AF_INET6
|| af
== AF_INET
);
6208 ipsec_rl_strlog(ns
, mid
, sid
, level
, sl
, fmt
, ntohl(spi
),
6209 inet_ntop(af
, addr
, buf
, sizeof (buf
)));
6213 * Fills in a reference to the policy, if any, from the conn, in *ppp
6214 * Releases a reference to the passed conn_t.
6217 ipsec_conn_pol(ipsec_selector_t
*sel
, conn_t
*connp
, ipsec_policy_t
**ppp
)
6220 ipsec_latch_t
*ipl
= connp
->conn_latch
;
6222 if ((ipl
!= NULL
) && (ipl
->ipl_out_policy
!= NULL
)) {
6223 pp
= ipl
->ipl_out_policy
;
6226 pp
= ipsec_find_policy(IPSEC_TYPE_OUTBOUND
, connp
, NULL
, sel
,
6227 connp
->conn_netstack
);
6230 CONN_DEC_REF(connp
);
6234 * The following functions scan through active conn_t structures
6235 * and return a reference to the best-matching policy it can find.
6236 * Caller must release the reference.
6239 ipsec_udp_pol(ipsec_selector_t
*sel
, ipsec_policy_t
**ppp
, ip_stack_t
*ipst
)
6242 conn_t
*connp
= NULL
;
6243 ipsec_selector_t portonly
;
6245 bzero((void *)&portonly
, sizeof (portonly
));
6247 if (sel
->ips_local_port
== 0)
6250 connfp
= &ipst
->ips_ipcl_udp_fanout
[IPCL_UDP_HASH(sel
->ips_local_port
,
6252 mutex_enter(&connfp
->connf_lock
);
6254 if (sel
->ips_isv4
) {
6255 connp
= connfp
->connf_head
;
6256 while (connp
!= NULL
) {
6257 if (IPCL_UDP_MATCH(connp
, sel
->ips_local_port
,
6258 sel
->ips_local_addr_v4
, sel
->ips_remote_port
,
6259 sel
->ips_remote_addr_v4
))
6261 connp
= connp
->conn_next
;
6264 if (connp
== NULL
) {
6265 /* Try port-only match in IPv6. */
6266 portonly
.ips_local_port
= sel
->ips_local_port
;
6271 if (connp
== NULL
) {
6272 connp
= connfp
->connf_head
;
6273 while (connp
!= NULL
) {
6274 if (IPCL_UDP_MATCH_V6(connp
, sel
->ips_local_port
,
6275 sel
->ips_local_addr_v6
, sel
->ips_remote_port
,
6276 sel
->ips_remote_addr_v6
))
6278 connp
= connp
->conn_next
;
6281 if (connp
== NULL
) {
6282 mutex_exit(&connfp
->connf_lock
);
6287 CONN_INC_REF(connp
);
6288 mutex_exit(&connfp
->connf_lock
);
6290 ipsec_conn_pol(sel
, connp
, ppp
);
6294 ipsec_find_listen_conn(uint16_t *pptr
, ipsec_selector_t
*sel
, ip_stack_t
*ipst
)
6297 conn_t
*connp
= NULL
;
6298 const in6_addr_t
*v6addrmatch
= &sel
->ips_local_addr_v6
;
6300 if (sel
->ips_local_port
== 0)
6303 connfp
= &ipst
->ips_ipcl_bind_fanout
[
6304 IPCL_BIND_HASH(sel
->ips_local_port
, ipst
)];
6305 mutex_enter(&connfp
->connf_lock
);
6307 if (sel
->ips_isv4
) {
6308 connp
= connfp
->connf_head
;
6309 while (connp
!= NULL
) {
6310 if (IPCL_BIND_MATCH(connp
, IPPROTO_TCP
,
6311 sel
->ips_local_addr_v4
, pptr
[1]))
6313 connp
= connp
->conn_next
;
6316 if (connp
== NULL
) {
6317 /* Match to all-zeroes. */
6318 v6addrmatch
= &ipv6_all_zeros
;
6322 if (connp
== NULL
) {
6323 connp
= connfp
->connf_head
;
6324 while (connp
!= NULL
) {
6325 if (IPCL_BIND_MATCH_V6(connp
, IPPROTO_TCP
,
6326 *v6addrmatch
, pptr
[1]))
6328 connp
= connp
->conn_next
;
6331 if (connp
== NULL
) {
6332 mutex_exit(&connfp
->connf_lock
);
6337 CONN_INC_REF(connp
);
6338 mutex_exit(&connfp
->connf_lock
);
6343 ipsec_tcp_pol(ipsec_selector_t
*sel
, ipsec_policy_t
**ppp
, ip_stack_t
*ipst
)
6348 uint16_t *pptr
= (uint16_t *)&ports
;
6351 * Find TCP state in the following order:
6352 * 1.) Connected conns.
6355 * Even though #2 will be the common case for inbound traffic, only
6356 * following this order insures correctness.
6359 if (sel
->ips_local_port
== 0)
6363 * 0 should be fport, 1 should be lport. SRC is the local one here.
6364 * See ipsec_construct_inverse_acquire() for details.
6366 pptr
[0] = sel
->ips_remote_port
;
6367 pptr
[1] = sel
->ips_local_port
;
6369 connfp
= &ipst
->ips_ipcl_conn_fanout
[
6370 IPCL_CONN_HASH(sel
->ips_remote_addr_v4
, ports
, ipst
)];
6371 mutex_enter(&connfp
->connf_lock
);
6372 connp
= connfp
->connf_head
;
6374 if (sel
->ips_isv4
) {
6375 while (connp
!= NULL
) {
6376 if (IPCL_CONN_MATCH(connp
, IPPROTO_TCP
,
6377 sel
->ips_remote_addr_v4
, sel
->ips_local_addr_v4
,
6380 connp
= connp
->conn_next
;
6383 while (connp
!= NULL
) {
6384 if (IPCL_CONN_MATCH_V6(connp
, IPPROTO_TCP
,
6385 sel
->ips_remote_addr_v6
, sel
->ips_local_addr_v6
,
6388 connp
= connp
->conn_next
;
6392 if (connp
!= NULL
) {
6393 CONN_INC_REF(connp
);
6394 mutex_exit(&connfp
->connf_lock
);
6396 mutex_exit(&connfp
->connf_lock
);
6398 /* Try the listen hash. */
6399 if ((connp
= ipsec_find_listen_conn(pptr
, sel
, ipst
)) == NULL
)
6403 ipsec_conn_pol(sel
, connp
, ppp
);
6407 ipsec_sctp_pol(ipsec_selector_t
*sel
, ipsec_policy_t
**ppp
,
6412 uint16_t *pptr
= (uint16_t *)&ports
;
6415 * Find SCP state in the following order:
6416 * 1.) Connected conns.
6419 * Even though #2 will be the common case for inbound traffic, only
6420 * following this order insures correctness.
6423 if (sel
->ips_local_port
== 0)
6427 * 0 should be fport, 1 should be lport. SRC is the local one here.
6428 * See ipsec_construct_inverse_acquire() for details.
6430 pptr
[0] = sel
->ips_remote_port
;
6431 pptr
[1] = sel
->ips_local_port
;
6433 if (sel
->ips_isv4
) {
6434 in6_addr_t src
, dst
;
6436 IN6_IPADDR_TO_V4MAPPED(sel
->ips_remote_addr_v4
, &dst
);
6437 IN6_IPADDR_TO_V4MAPPED(sel
->ips_local_addr_v4
, &src
);
6438 connp
= sctp_find_conn(&dst
, &src
, ports
, ALL_ZONES
,
6439 ipst
->ips_netstack
->netstack_sctp
);
6441 connp
= sctp_find_conn(&sel
->ips_remote_addr_v6
,
6442 &sel
->ips_local_addr_v6
, ports
, ALL_ZONES
,
6443 ipst
->ips_netstack
->netstack_sctp
);
6447 ipsec_conn_pol(sel
, connp
, ppp
);
6451 * Fill in a query for the SPD (in "sel") using two PF_KEY address extensions.
6452 * Returns 0 or errno, and always sets *diagnostic to something appropriate
6455 * NOTE: For right now, this function (and ipsec_selector_t for that matter),
6456 * ignore prefix lengths in the address extension. Since we match on first-
6457 * entered policies, this shouldn't matter. Also, since we normalize prefix-
6458 * set addresses to mask out the lower bits, we should get a suitable search
6459 * key for the SPD anyway. This is the function to change if the assumption
6460 * about suitable search keys is wrong.
6463 ipsec_get_inverse_acquire_sel(ipsec_selector_t
*sel
, sadb_address_t
*srcext
,
6464 sadb_address_t
*dstext
, int *diagnostic
)
6466 struct sockaddr_in
*src
, *dst
;
6467 struct sockaddr_in6
*src6
, *dst6
;
6471 bzero(sel
, sizeof (*sel
));
6472 sel
->ips_protocol
= srcext
->sadb_address_proto
;
6473 dst
= (struct sockaddr_in
*)(dstext
+ 1);
6474 if (dst
->sin_family
== AF_INET6
) {
6475 dst6
= (struct sockaddr_in6
*)dst
;
6476 src6
= (struct sockaddr_in6
*)(srcext
+ 1);
6477 if (src6
->sin6_family
!= AF_INET6
) {
6478 *diagnostic
= SADB_X_DIAGNOSTIC_AF_MISMATCH
;
6481 sel
->ips_remote_addr_v6
= dst6
->sin6_addr
;
6482 sel
->ips_local_addr_v6
= src6
->sin6_addr
;
6483 if (sel
->ips_protocol
== IPPROTO_ICMPV6
) {
6484 sel
->ips_is_icmp_inv_acq
= 1;
6486 sel
->ips_remote_port
= dst6
->sin6_port
;
6487 sel
->ips_local_port
= src6
->sin6_port
;
6489 sel
->ips_isv4
= B_FALSE
;
6491 src
= (struct sockaddr_in
*)(srcext
+ 1);
6492 if (src
->sin_family
!= AF_INET
) {
6493 *diagnostic
= SADB_X_DIAGNOSTIC_AF_MISMATCH
;
6496 sel
->ips_remote_addr_v4
= dst
->sin_addr
.s_addr
;
6497 sel
->ips_local_addr_v4
= src
->sin_addr
.s_addr
;
6498 if (sel
->ips_protocol
== IPPROTO_ICMP
) {
6499 sel
->ips_is_icmp_inv_acq
= 1;
6501 sel
->ips_remote_port
= dst
->sin_port
;
6502 sel
->ips_local_port
= src
->sin_port
;
6504 sel
->ips_isv4
= B_TRUE
;
6510 * We have encapsulation.
6511 * - Lookup tun_t by address and look for an associated
6513 * - If there are inner selectors
6514 * - check ITPF_P_TUNNEL and ITPF_P_ACTIVE
6515 * - Look up tunnel policy based on selectors
6517 * - Sanity check the negotation
6518 * - If appropriate, fall through to global policy
6521 ipsec_tun_pol(ipsec_selector_t
*sel
, ipsec_policy_t
**ppp
,
6522 sadb_address_t
*innsrcext
, sadb_address_t
*inndstext
, ipsec_tun_pol_t
*itp
,
6523 int *diagnostic
, netstack_t
*ns
)
6526 ipsec_policy_head_t
*polhead
;
6528 /* Check for inner selectors and act appropriately */
6530 if (innsrcext
!= NULL
) {
6531 /* Inner selectors present */
6532 ASSERT(inndstext
!= NULL
);
6533 if ((itp
== NULL
) ||
6534 (itp
->itp_flags
& (ITPF_P_ACTIVE
| ITPF_P_TUNNEL
)) !=
6535 (ITPF_P_ACTIVE
| ITPF_P_TUNNEL
)) {
6537 * If inner packet selectors, we must have negotiate
6538 * tunnel and active policy. If the tunnel has
6539 * transport-mode policy set on it, or has no policy,
6545 * Reset "sel" to indicate inner selectors. Pass
6546 * inner PF_KEY address extensions for this to happen.
6548 err
= ipsec_get_inverse_acquire_sel(sel
,
6549 innsrcext
, inndstext
, diagnostic
);
6551 ITP_REFRELE(itp
, ns
);
6555 * Now look for a tunnel policy based on those inner
6556 * selectors. (Common code is below.)
6560 /* No inner selectors present */
6561 if ((itp
== NULL
) || !(itp
->itp_flags
& ITPF_P_ACTIVE
)) {
6563 * Transport mode negotiation with no tunnel policy
6564 * configured - return to indicate a global policy
6568 ITP_REFRELE(itp
, ns
);
6571 } else if (itp
->itp_flags
& ITPF_P_TUNNEL
) {
6572 /* Tunnel mode set with no inner selectors. */
6573 ITP_REFRELE(itp
, ns
);
6577 * Else, this is a tunnel policy configured with ifconfig(1m)
6578 * or "negotiate transport" with ipsecconf(1m). We have an
6579 * itp with policy set based on any match, so don't bother
6580 * changing fields in "sel".
6584 ASSERT(itp
!= NULL
);
6585 polhead
= itp
->itp_policy
;
6586 ASSERT(polhead
!= NULL
);
6587 rw_enter(&polhead
->iph_lock
, RW_READER
);
6588 *ppp
= ipsec_find_policy_head(NULL
, polhead
,
6589 IPSEC_TYPE_INBOUND
, sel
, ns
);
6590 rw_exit(&polhead
->iph_lock
);
6591 ITP_REFRELE(itp
, ns
);
6594 * Don't default to global if we didn't find a matching policy entry.
6595 * Instead, send ENOENT, just like if we hit a transport-mode tunnel.
6604 ipsec_oth_pol(ipsec_selector_t
*sel
, ipsec_policy_t
**ppp
,
6607 boolean_t isv4
= sel
->ips_isv4
;
6612 connfp
= &ipst
->ips_ipcl_proto_fanout
[sel
->ips_protocol
];
6614 connfp
= &ipst
->ips_ipcl_proto_fanout_v6
[sel
->ips_protocol
];
6617 mutex_enter(&connfp
->connf_lock
);
6618 for (connp
= connfp
->connf_head
; connp
!= NULL
;
6619 connp
= connp
->conn_next
) {
6620 if (!((isv4
&& !((connp
->conn_src
== 0 ||
6621 connp
->conn_src
== sel
->ips_local_addr_v4
) &&
6622 (connp
->conn_rem
== 0 ||
6623 connp
->conn_rem
== sel
->ips_remote_addr_v4
))) ||
6624 (!isv4
&& !((IN6_IS_ADDR_UNSPECIFIED(&connp
->conn_srcv6
) ||
6625 IN6_ARE_ADDR_EQUAL(&connp
->conn_srcv6
,
6626 &sel
->ips_local_addr_v6
)) &&
6627 (IN6_IS_ADDR_UNSPECIFIED(&connp
->conn_remv6
) ||
6628 IN6_ARE_ADDR_EQUAL(&connp
->conn_remv6
,
6629 &sel
->ips_remote_addr_v6
)))))) {
6633 if (connp
== NULL
) {
6634 mutex_exit(&connfp
->connf_lock
);
6638 CONN_INC_REF(connp
);
6639 mutex_exit(&connfp
->connf_lock
);
6641 ipsec_conn_pol(sel
, connp
, ppp
);
6645 * Construct an inverse ACQUIRE reply based on:
6647 * 1.) Current global policy.
6648 * 2.) An conn_t match depending on what all was passed in the extv[].
6649 * 3.) A tunnel's policy head.
6651 * N.) Other stuff TBD (e.g. identities)
6653 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic
6654 * in this function so the caller can extract them where appropriately.
6656 * The SRC address is the local one - just like an outbound ACQUIRE message.
6659 ipsec_construct_inverse_acquire(sadb_msg_t
*samsg
, sadb_ext_t
*extv
[],
6664 sadb_address_t
*srcext
= (sadb_address_t
*)extv
[SADB_EXT_ADDRESS_SRC
],
6665 *dstext
= (sadb_address_t
*)extv
[SADB_EXT_ADDRESS_DST
],
6666 *innsrcext
= (sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_INNER_SRC
],
6667 *inndstext
= (sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_INNER_DST
];
6668 struct sockaddr_in6
*src
, *dst
;
6669 struct sockaddr_in6
*isrc
, *idst
;
6670 ipsec_tun_pol_t
*itp
= NULL
;
6671 ipsec_policy_t
*pp
= NULL
;
6672 ipsec_selector_t sel
, isel
;
6674 ip_stack_t
*ipst
= ns
->netstack_ip
;
6675 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
6677 /* Normalize addresses */
6678 if (sadb_addrcheck(NULL
, (mblk_t
*)samsg
, (sadb_ext_t
*)srcext
, 0, ns
)
6679 == KS_IN_ADDR_UNKNOWN
) {
6681 diagnostic
= SADB_X_DIAGNOSTIC_BAD_SRC
;
6684 src
= (struct sockaddr_in6
*)(srcext
+ 1);
6685 if (sadb_addrcheck(NULL
, (mblk_t
*)samsg
, (sadb_ext_t
*)dstext
, 0, ns
)
6686 == KS_IN_ADDR_UNKNOWN
) {
6688 diagnostic
= SADB_X_DIAGNOSTIC_BAD_DST
;
6691 dst
= (struct sockaddr_in6
*)(dstext
+ 1);
6692 if (src
->sin6_family
!= dst
->sin6_family
) {
6694 diagnostic
= SADB_X_DIAGNOSTIC_AF_MISMATCH
;
6698 /* Check for tunnel mode and act appropriately */
6699 if (innsrcext
!= NULL
) {
6700 if (inndstext
== NULL
) {
6702 diagnostic
= SADB_X_DIAGNOSTIC_MISSING_INNER_DST
;
6705 if (sadb_addrcheck(NULL
, (mblk_t
*)samsg
,
6706 (sadb_ext_t
*)innsrcext
, 0, ns
) == KS_IN_ADDR_UNKNOWN
) {
6708 diagnostic
= SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC
;
6711 isrc
= (struct sockaddr_in6
*)(innsrcext
+ 1);
6712 if (sadb_addrcheck(NULL
, (mblk_t
*)samsg
,
6713 (sadb_ext_t
*)inndstext
, 0, ns
) == KS_IN_ADDR_UNKNOWN
) {
6715 diagnostic
= SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST
;
6718 idst
= (struct sockaddr_in6
*)(inndstext
+ 1);
6719 if (isrc
->sin6_family
!= idst
->sin6_family
) {
6721 diagnostic
= SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH
;
6724 if (isrc
->sin6_family
!= AF_INET
&&
6725 isrc
->sin6_family
!= AF_INET6
) {
6727 diagnostic
= SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF
;
6730 } else if (inndstext
!= NULL
) {
6732 diagnostic
= SADB_X_DIAGNOSTIC_MISSING_INNER_SRC
;
6736 /* Get selectors first, based on outer addresses */
6737 err
= ipsec_get_inverse_acquire_sel(&sel
, srcext
, dstext
, &diagnostic
);
6741 /* Check for tunnel mode mismatches. */
6742 if (innsrcext
!= NULL
&&
6743 ((isrc
->sin6_family
== AF_INET
&&
6744 sel
.ips_protocol
!= IPPROTO_ENCAP
&& sel
.ips_protocol
!= 0) ||
6745 (isrc
->sin6_family
== AF_INET6
&&
6746 sel
.ips_protocol
!= IPPROTO_IPV6
&& sel
.ips_protocol
!= 0))) {
6752 * Okay, we have the addresses and other selector information.
6753 * Let's first find a conn...
6756 switch (sel
.ips_protocol
) {
6758 ipsec_tcp_pol(&sel
, &pp
, ipst
);
6761 ipsec_udp_pol(&sel
, &pp
, ipst
);
6764 ipsec_sctp_pol(&sel
, &pp
, ipst
);
6768 rw_enter(&ipss
->ipsec_itp_get_byaddr_rw_lock
, RW_READER
);
6770 * Assume sel.ips_remote_addr_* has the right address at
6771 * that exact position.
6773 itp
= ipss
->ipsec_itp_get_byaddr(
6774 (uint32_t *)(&sel
.ips_local_addr_v6
),
6775 (uint32_t *)(&sel
.ips_remote_addr_v6
),
6776 src
->sin6_family
, ns
);
6777 rw_exit(&ipss
->ipsec_itp_get_byaddr_rw_lock
);
6778 if (innsrcext
== NULL
) {
6780 * Transport-mode tunnel, make sure we fake out isel
6781 * to contain something based on the outer protocol.
6783 bzero(&isel
, sizeof (isel
));
6784 isel
.ips_isv4
= (sel
.ips_protocol
== IPPROTO_ENCAP
);
6785 } /* Else isel is initialized by ipsec_tun_pol(). */
6786 err
= ipsec_tun_pol(&isel
, &pp
, innsrcext
, inndstext
, itp
,
6789 * NOTE: isel isn't used for now, but in RFC 430x IPsec, it
6796 ipsec_oth_pol(&sel
, &pp
, ipst
);
6801 * If we didn't find a matching conn_t or other policy head, take a
6802 * look in the global policy.
6805 pp
= ipsec_find_policy(IPSEC_TYPE_OUTBOUND
, NULL
, NULL
, &sel
,
6808 /* There's no global policy. */
6816 * Now that we have a policy entry/widget, construct an ACQUIRE
6817 * message based on that, fix fields where appropriate,
6818 * and return the message.
6820 retmp
= sadb_extended_acquire(&sel
, pp
, NULL
,
6821 (itp
!= NULL
&& (itp
->itp_flags
& ITPF_P_TUNNEL
)),
6822 samsg
->sadb_msg_seq
, samsg
->sadb_msg_pid
, ns
);
6824 IPPOL_REFRELE(pp
, ns
);
6826 if (retmp
!= NULL
) {
6833 samsg
->sadb_msg_errno
= (uint8_t)err
;
6834 samsg
->sadb_x_msg_diagnostic
= (uint16_t)diagnostic
;
6839 * ipsa_lpkt is a one-element queue, only manipulated by casptr within
6840 * the next two functions.
6842 * These functions loop calling casptr() until the swap "happens",
6843 * turning a compare-and-swap op into an atomic swap operation.
6847 * sadb_set_lpkt: Atomically swap in a value to ipsa->ipsa_lpkt and
6848 * freemsg the previous value. free clue: freemsg(NULL) is safe.
6852 sadb_set_lpkt(ipsa_t
*ipsa
, mblk_t
*npkt
, netstack_t
*ns
)
6855 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
6857 ASSERT(ipsa
->ipsa_state
== IPSA_STATE_LARVAL
);
6861 opkt
= ipsa
->ipsa_lpkt
;
6862 } while (casptr(&ipsa
->ipsa_lpkt
, opkt
, npkt
) != opkt
);
6864 ip_drop_packet(opkt
, B_TRUE
, NULL
, NULL
,
6865 DROPPER(ipss
, ipds_sadb_inlarval_replace
),
6866 &ipss
->ipsec_sadb_dropper
);
6870 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the
6875 sadb_clear_lpkt(ipsa_t
*ipsa
)
6880 opkt
= ipsa
->ipsa_lpkt
;
6881 } while (casptr(&ipsa
->ipsa_lpkt
, opkt
, NULL
) != opkt
);
6887 * Buffer a packet that's in IDLE state as set by Solaris Clustering.
6890 sadb_buf_pkt(ipsa_t
*ipsa
, mblk_t
*bpkt
, netstack_t
*ns
)
6892 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
6893 extern void (*cl_inet_idlesa
)(uint8_t, uint32_t, sa_family_t
,
6894 in6_addr_t
, in6_addr_t
);
6895 in6_addr_t
*srcaddr
= (in6_addr_t
*)(&ipsa
->ipsa_srcaddr
);
6896 in6_addr_t
*dstaddr
= (in6_addr_t
*)(&ipsa
->ipsa_dstaddr
);
6898 ASSERT(ipsa
->ipsa_state
== IPSA_STATE_IDLE
);
6900 if (cl_inet_idlesa
== NULL
) {
6901 ip_drop_packet(bpkt
, B_TRUE
, NULL
, NULL
,
6902 DROPPER(ipss
, ipds_sadb_inidle_overflow
),
6903 &ipss
->ipsec_sadb_dropper
);
6907 cl_inet_idlesa((ipsa
->ipsa_type
== SADB_SATYPE_AH
) ?
6908 IPPROTO_AH
: IPPROTO_ESP
, ipsa
->ipsa_spi
, ipsa
->ipsa_addrfam
,
6909 *srcaddr
, *dstaddr
);
6911 mutex_enter(&ipsa
->ipsa_lock
);
6912 ipsa
->ipsa_mblkcnt
++;
6913 if (ipsa
->ipsa_bpkt_head
== NULL
) {
6914 ipsa
->ipsa_bpkt_head
= ipsa
->ipsa_bpkt_tail
= bpkt
;
6916 ipsa
->ipsa_bpkt_tail
->b_next
= bpkt
;
6917 ipsa
->ipsa_bpkt_tail
= bpkt
;
6918 if (ipsa
->ipsa_mblkcnt
> SADB_MAX_IDLEPKTS
) {
6920 tmp
= ipsa
->ipsa_bpkt_head
;
6921 ipsa
->ipsa_bpkt_head
= ipsa
->ipsa_bpkt_head
->b_next
;
6922 ip_drop_packet(tmp
, B_TRUE
, NULL
, NULL
,
6923 DROPPER(ipss
, ipds_sadb_inidle_overflow
),
6924 &ipss
->ipsec_sadb_dropper
);
6925 ipsa
->ipsa_mblkcnt
--;
6928 mutex_exit(&ipsa
->ipsa_lock
);
6933 * Stub function that taskq_dispatch() invokes to take the mblk (in arg)
6934 * and put into STREAMS again.
6937 sadb_clear_buf_pkt(void *ipkt
)
6939 mblk_t
*tmp
, *buf_pkt
;
6941 buf_pkt
= (mblk_t
*)ipkt
;
6943 while (buf_pkt
!= NULL
) {
6944 tmp
= buf_pkt
->b_next
;
6945 buf_pkt
->b_next
= NULL
;
6946 ip_fanout_proto_again(buf_pkt
, NULL
, NULL
, NULL
);
6951 * Walker callback used by sadb_alg_update() to free/create crypto
6952 * context template when a crypto software provider is removed or
6956 struct sadb_update_alg_state
{
6957 ipsec_algtype_t alg_type
;
6963 sadb_alg_update_cb(isaf_t
*head
, ipsa_t
*entry
, void *cookie
)
6965 struct sadb_update_alg_state
*update_state
=
6966 (struct sadb_update_alg_state
*)cookie
;
6967 crypto_ctx_template_t
*ctx_tmpl
= NULL
;
6969 ASSERT(MUTEX_HELD(&head
->isaf_lock
));
6971 if (entry
->ipsa_state
== IPSA_STATE_LARVAL
)
6974 mutex_enter(&entry
->ipsa_lock
);
6976 switch (update_state
->alg_type
) {
6977 case IPSEC_ALG_AUTH
:
6978 if (entry
->ipsa_auth_alg
== update_state
->alg_id
)
6979 ctx_tmpl
= &entry
->ipsa_authtmpl
;
6981 case IPSEC_ALG_ENCR
:
6982 if (entry
->ipsa_encr_alg
== update_state
->alg_id
)
6983 ctx_tmpl
= &entry
->ipsa_encrtmpl
;
6989 if (ctx_tmpl
== NULL
) {
6990 mutex_exit(&entry
->ipsa_lock
);
6995 * The context template of the SA may be affected by the change
6996 * of crypto provider.
6998 if (update_state
->is_added
) {
6999 /* create the context template if not already done */
7000 if (*ctx_tmpl
== NULL
) {
7001 (void) ipsec_create_ctx_tmpl(entry
,
7002 update_state
->alg_type
);
7006 * The crypto provider was removed. If the context template
7007 * exists but it is no longer valid, free it.
7009 if (*ctx_tmpl
!= NULL
)
7010 ipsec_destroy_ctx_tmpl(entry
, update_state
->alg_type
);
7013 mutex_exit(&entry
->ipsa_lock
);
7017 * Invoked by IP when an software crypto provider has been updated.
7018 * The type and id of the corresponding algorithm is passed as argument.
7019 * is_added is B_TRUE if the provider was added, B_FALSE if it was
7020 * removed. The function updates the SADB and free/creates the
7021 * context templates associated with SAs if needed.
7024 #define SADB_ALG_UPDATE_WALK(sadb, table) \
7025 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \
7029 sadb_alg_update(ipsec_algtype_t alg_type
, uint8_t alg_id
, boolean_t is_added
,
7032 struct sadb_update_alg_state update_state
;
7033 ipsecah_stack_t
*ahstack
= ns
->netstack_ipsecah
;
7034 ipsecesp_stack_t
*espstack
= ns
->netstack_ipsecesp
;
7036 update_state
.alg_type
= alg_type
;
7037 update_state
.alg_id
= alg_id
;
7038 update_state
.is_added
= is_added
;
7040 if (alg_type
== IPSEC_ALG_AUTH
) {
7041 /* walk the AH tables only for auth. algorithm changes */
7042 SADB_ALG_UPDATE_WALK(ahstack
->ah_sadb
.s_v4
, sdb_of
);
7043 SADB_ALG_UPDATE_WALK(ahstack
->ah_sadb
.s_v4
, sdb_if
);
7044 SADB_ALG_UPDATE_WALK(ahstack
->ah_sadb
.s_v6
, sdb_of
);
7045 SADB_ALG_UPDATE_WALK(ahstack
->ah_sadb
.s_v6
, sdb_if
);
7048 /* walk the ESP tables */
7049 SADB_ALG_UPDATE_WALK(espstack
->esp_sadb
.s_v4
, sdb_of
);
7050 SADB_ALG_UPDATE_WALK(espstack
->esp_sadb
.s_v4
, sdb_if
);
7051 SADB_ALG_UPDATE_WALK(espstack
->esp_sadb
.s_v6
, sdb_of
);
7052 SADB_ALG_UPDATE_WALK(espstack
->esp_sadb
.s_v6
, sdb_if
);
7056 * Creates a context template for the specified SA. This function
7057 * is called when an SA is created and when a context template needs
7058 * to be created due to a change of software provider.
7061 ipsec_create_ctx_tmpl(ipsa_t
*sa
, ipsec_algtype_t alg_type
)
7063 ipsec_alginfo_t
*alg
;
7064 crypto_mechanism_t mech
;
7066 crypto_ctx_template_t
*sa_tmpl
;
7068 ipsec_stack_t
*ipss
= sa
->ipsa_netstack
->netstack_ipsec
;
7070 ASSERT(MUTEX_HELD(&ipss
->ipsec_alg_lock
));
7071 ASSERT(MUTEX_HELD(&sa
->ipsa_lock
));
7073 /* get pointers to the algorithm info, context template, and key */
7075 case IPSEC_ALG_AUTH
:
7076 key
= &sa
->ipsa_kcfauthkey
;
7077 sa_tmpl
= &sa
->ipsa_authtmpl
;
7078 alg
= ipss
->ipsec_alglists
[alg_type
][sa
->ipsa_auth_alg
];
7080 case IPSEC_ALG_ENCR
:
7081 key
= &sa
->ipsa_kcfencrkey
;
7082 sa_tmpl
= &sa
->ipsa_encrtmpl
;
7083 alg
= ipss
->ipsec_alglists
[alg_type
][sa
->ipsa_encr_alg
];
7089 if (alg
== NULL
|| !ALG_VALID(alg
))
7092 /* initialize the mech info structure for the framework */
7093 ASSERT(alg
->alg_mech_type
!= CRYPTO_MECHANISM_INVALID
);
7094 mech
.cm_type
= alg
->alg_mech_type
;
7095 mech
.cm_param
= NULL
;
7096 mech
.cm_param_len
= 0;
7098 /* create a new context template */
7099 rv
= crypto_create_ctx_template(&mech
, key
, sa_tmpl
, KM_NOSLEEP
);
7102 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware
7103 * providers are available for that mechanism. In that case
7104 * we don't fail, and will generate the context template from
7105 * the framework callback when a software provider for that
7106 * mechanism registers.
7108 * The context template is assigned the special value
7109 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a
7110 * lack of memory. No attempt will be made to use
7111 * the context template if it is set to this value.
7113 if (rv
== CRYPTO_HOST_MEMORY
) {
7114 *sa_tmpl
= IPSEC_CTX_TMPL_ALLOC
;
7115 } else if (rv
!= CRYPTO_SUCCESS
) {
7117 if (rv
!= CRYPTO_MECH_NOT_SUPPORTED
)
7125 * Destroy the context template of the specified algorithm type
7126 * of the specified SA. Must be called while holding the SA lock.
7129 ipsec_destroy_ctx_tmpl(ipsa_t
*sa
, ipsec_algtype_t alg_type
)
7131 ASSERT(MUTEX_HELD(&sa
->ipsa_lock
));
7133 if (alg_type
== IPSEC_ALG_AUTH
) {
7134 if (sa
->ipsa_authtmpl
== IPSEC_CTX_TMPL_ALLOC
)
7135 sa
->ipsa_authtmpl
= NULL
;
7136 else if (sa
->ipsa_authtmpl
!= NULL
) {
7137 crypto_destroy_ctx_template(sa
->ipsa_authtmpl
);
7138 sa
->ipsa_authtmpl
= NULL
;
7141 ASSERT(alg_type
== IPSEC_ALG_ENCR
);
7142 if (sa
->ipsa_encrtmpl
== IPSEC_CTX_TMPL_ALLOC
)
7143 sa
->ipsa_encrtmpl
= NULL
;
7144 else if (sa
->ipsa_encrtmpl
!= NULL
) {
7145 crypto_destroy_ctx_template(sa
->ipsa_encrtmpl
);
7146 sa
->ipsa_encrtmpl
= NULL
;
7152 * Use the kernel crypto framework to check the validity of a key received
7153 * via keysock. Returns 0 if the key is OK, -1 otherwise.
7156 ipsec_check_key(crypto_mech_type_t mech_type
, sadb_key_t
*sadb_key
,
7157 boolean_t is_auth
, int *diag
)
7159 crypto_mechanism_t mech
;
7160 crypto_key_t crypto_key
;
7163 mech
.cm_type
= mech_type
;
7164 mech
.cm_param
= NULL
;
7165 mech
.cm_param_len
= 0;
7167 crypto_key
.ck_format
= CRYPTO_KEY_RAW
;
7168 crypto_key
.ck_data
= sadb_key
+ 1;
7169 crypto_key
.ck_length
= sadb_key
->sadb_key_bits
;
7171 crypto_rc
= crypto_key_check(&mech
, &crypto_key
);
7173 switch (crypto_rc
) {
7174 case CRYPTO_SUCCESS
:
7176 case CRYPTO_MECHANISM_INVALID
:
7177 case CRYPTO_MECH_NOT_SUPPORTED
:
7178 *diag
= is_auth
? SADB_X_DIAGNOSTIC_BAD_AALG
:
7179 SADB_X_DIAGNOSTIC_BAD_EALG
;
7181 case CRYPTO_KEY_SIZE_RANGE
:
7182 *diag
= is_auth
? SADB_X_DIAGNOSTIC_BAD_AKEYBITS
:
7183 SADB_X_DIAGNOSTIC_BAD_EKEYBITS
;
7185 case CRYPTO_WEAK_KEY
:
7186 *diag
= is_auth
? SADB_X_DIAGNOSTIC_WEAK_AKEY
:
7187 SADB_X_DIAGNOSTIC_WEAK_EKEY
;
7194 * If this is an outgoing SA then add some fuzz to the
7195 * SOFT EXPIRE time. The reason for this is to stop
7196 * peers trying to renegotiate SOFT expiring SA's at
7197 * the same time. The amount of fuzz needs to be at
7198 * least 10 seconds which is the typical interval
7199 * sadb_ager(), although this is only a guide as it
7203 lifetime_fuzz(ipsa_t
*assoc
)
7207 if (assoc
->ipsa_softaddlt
== 0)
7210 (void) random_get_pseudo_bytes(&rnd
, sizeof (rnd
));
7211 rnd
= (rnd
& 0xF) + 10;
7212 assoc
->ipsa_softexpiretime
-= rnd
;
7213 assoc
->ipsa_softaddlt
-= rnd
;
7216 destroy_ipsa_pair(ipsap_t
*ipsapp
)
7222 * Because of the multi-line macro nature of IPSA_REFRELE, keep
7225 if (ipsapp
->ipsap_sa_ptr
!= NULL
) {
7226 IPSA_REFRELE(ipsapp
->ipsap_sa_ptr
);
7228 if (ipsapp
->ipsap_psa_ptr
!= NULL
) {
7229 IPSA_REFRELE(ipsapp
->ipsap_psa_ptr
);
7232 kmem_free(ipsapp
, sizeof (*ipsapp
));
7236 * The sadb_ager() function walks through the hash tables of SA's and ages
7237 * them, if the SA expires as a result, its marked as DEAD and will be reaped
7238 * the next time sadb_ager() runs. SA's which are paired or have a peer (same
7239 * SA appears in both the inbound and outbound tables because its not possible
7240 * to determine its direction) are placed on a list when they expire. This is
7241 * to ensure that pair/peer SA's are reaped at the same time, even if they
7242 * expire at different times.
7244 * This function is called twice by sadb_ager(), one after processing the
7245 * inbound table, then again after processing the outbound table.
7248 age_pair_peer_list(templist_t
*haspeerlist
, sadb_t
*sp
, boolean_t outbound
)
7250 templist_t
*listptr
;
7254 ipsa_t
*peer_assoc
, *dying
;
7256 * Haspeer cases will contain both IPv4 and IPv6. This code
7257 * is address independent.
7259 while (haspeerlist
!= NULL
) {
7260 /* "dying" contains the SA that has a peer. */
7261 dying
= haspeerlist
->ipsa
;
7262 haspeer
= (dying
->ipsa_haspeer
);
7263 listptr
= haspeerlist
;
7264 haspeerlist
= listptr
->next
;
7265 kmem_free(listptr
, sizeof (*listptr
));
7267 * Pick peer bucket based on addrfam.
7271 bucket
= INBOUND_BUCKET(sp
, dying
->ipsa_spi
);
7273 bucket
= INBOUND_BUCKET(sp
,
7274 dying
->ipsa_otherspi
);
7275 } else { /* inbound */
7277 if (dying
->ipsa_addrfam
== AF_INET6
) {
7278 outhash
= OUTBOUND_HASH_V6(sp
,
7279 *((in6_addr_t
*)&dying
->
7282 outhash
= OUTBOUND_HASH_V4(sp
,
7283 *((ipaddr_t
*)&dying
->
7286 } else if (dying
->ipsa_addrfam
== AF_INET6
) {
7287 outhash
= OUTBOUND_HASH_V6(sp
,
7288 *((in6_addr_t
*)&dying
->
7291 outhash
= OUTBOUND_HASH_V4(sp
,
7292 *((ipaddr_t
*)&dying
->
7295 bucket
= &(sp
->sdb_of
[outhash
]);
7298 mutex_enter(&bucket
->isaf_lock
);
7300 * "haspeer" SA's have the same src/dst address ordering,
7301 * "paired" SA's have the src/dst addresses reversed.
7304 peer_assoc
= ipsec_getassocbyspi(bucket
,
7305 dying
->ipsa_spi
, dying
->ipsa_srcaddr
,
7306 dying
->ipsa_dstaddr
, dying
->ipsa_addrfam
);
7308 peer_assoc
= ipsec_getassocbyspi(bucket
,
7309 dying
->ipsa_otherspi
, dying
->ipsa_dstaddr
,
7310 dying
->ipsa_srcaddr
, dying
->ipsa_addrfam
);
7313 mutex_exit(&bucket
->isaf_lock
);
7314 if (peer_assoc
!= NULL
) {
7315 mutex_enter(&peer_assoc
->ipsa_lock
);
7316 mutex_enter(&dying
->ipsa_lock
);
7319 * Only SA's which have a "peer" or are
7320 * "paired" end up on this list, so this
7321 * must be a "paired" SA, update the flags
7322 * to break the pair.
7324 peer_assoc
->ipsa_otherspi
= 0;
7325 peer_assoc
->ipsa_flags
&= ~IPSA_F_PAIRED
;
7326 dying
->ipsa_otherspi
= 0;
7327 dying
->ipsa_flags
&= ~IPSA_F_PAIRED
;
7329 if (haspeer
|| outbound
) {
7331 * Update the state of the "inbound" SA when
7332 * the "outbound" SA has expired. Don't update
7333 * the "outbound" SA when the "inbound" SA
7334 * SA expires because setting the hard_addtime
7335 * below will cause this to happen.
7337 peer_assoc
->ipsa_state
= dying
->ipsa_state
;
7339 if (dying
->ipsa_state
== IPSA_STATE_DEAD
)
7340 peer_assoc
->ipsa_hardexpiretime
= 1;
7342 mutex_exit(&dying
->ipsa_lock
);
7343 mutex_exit(&peer_assoc
->ipsa_lock
);
7344 IPSA_REFRELE(peer_assoc
);
7346 IPSA_REFRELE(dying
);