4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
25 * Copyright (c) 2017 Joyent, Inc.
28 #include <sys/types.h>
29 #include <sys/stream.h>
30 #include <sys/stropts.h>
31 #include <sys/strsubr.h>
32 #include <sys/errno.h>
34 #include <sys/debug.h>
35 #include <sys/cmn_err.h>
36 #include <sys/stream.h>
37 #include <sys/strlog.h>
39 #include <sys/sunddi.h>
40 #include <sys/tihdr.h>
41 #include <sys/atomic.h>
42 #include <sys/socket.h>
43 #include <sys/sysmacros.h>
44 #include <sys/crypto/common.h>
45 #include <sys/crypto/api.h>
47 #include <netinet/in.h>
49 #include <net/pfkeyv2.h>
50 #include <net/pfpolicy.h>
51 #include <inet/common.h>
52 #include <netinet/ip6.h>
54 #include <inet/ip_ire.h>
56 #include <inet/ipsec_info.h>
58 #include <inet/sadb.h>
59 #include <inet/ipsec_impl.h>
60 #include <inet/ipsecah.h>
61 #include <inet/ipsecesp.h>
62 #include <sys/random.h>
64 #include <sys/strsun.h>
65 #include <sys/strsubr.h>
66 #include <inet/ip_if.h>
67 #include <inet/ipdrop.h>
68 #include <inet/ipclassifier.h>
69 #include <inet/sctp_ip.h>
70 #include <sys/tsol/tnet.h>
73 * This source file contains Security Association Database (SADB) common
74 * routines. They are linked in with the AH module. Since AH has no chance
75 * of falling under export control, it was safe to link it in there.
78 static uint8_t *sadb_action_to_ecomb(uint8_t *, uint8_t *, ipsec_action_t
*,
80 static ipsa_t
*sadb_torch_assoc(isaf_t
*, ipsa_t
*);
81 static void sadb_destroy_acqlist(iacqf_t
**, uint_t
, boolean_t
,
83 static void sadb_destroy(sadb_t
*, netstack_t
*);
84 static mblk_t
*sadb_sa2msg(ipsa_t
*, sadb_msg_t
*);
85 static ts_label_t
*sadb_label_from_sens(sadb_sens_t
*, uint64_t *);
87 static time_t sadb_add_time(time_t, uint64_t);
88 static void lifetime_fuzz(ipsa_t
*);
89 static void age_pair_peer_list(templist_t
*, sadb_t
*, boolean_t
);
90 static int get_ipsa_pair(ipsa_query_t
*, ipsap_t
*, int *);
91 static void init_ipsa_pair(ipsap_t
*);
92 static void destroy_ipsa_pair(ipsap_t
*);
93 static int update_pairing(ipsap_t
*, ipsa_query_t
*, keysock_in_t
*, int *);
94 static void ipsa_set_replay(ipsa_t
*ipsa
, uint32_t offset
);
97 * ipsacq_maxpackets is defined here to make it tunable
100 extern uint64_t ipsacq_maxpackets
;
102 #define SET_EXPIRE(sa, delta, exp) { \
103 if (((sa)->ipsa_ ## delta) != 0) { \
104 (sa)->ipsa_ ## exp = sadb_add_time((sa)->ipsa_addtime, \
105 (sa)->ipsa_ ## delta); \
109 #define UPDATE_EXPIRE(sa, delta, exp) { \
110 if (((sa)->ipsa_ ## delta) != 0) { \
111 time_t tmp = sadb_add_time((sa)->ipsa_usetime, \
112 (sa)->ipsa_ ## delta); \
113 if (((sa)->ipsa_ ## exp) == 0) \
114 (sa)->ipsa_ ## exp = tmp; \
116 (sa)->ipsa_ ## exp = \
117 MIN((sa)->ipsa_ ## exp, tmp); \
122 /* wrap the macro so we can pass it as a function pointer */
124 sadb_sa_refrele(void *target
)
126 IPSA_REFRELE(((ipsa_t
*)target
));
130 * We presume that sizeof (long) == sizeof (time_t) and that time_t is
133 #define TIME_MAX LONG_MAX
136 * PF_KEY gives us lifetimes in uint64_t seconds. We presume that
137 * time_t is defined to be a signed type with the same range as
138 * "long". On ILP32 systems, we thus run the risk of wrapping around
139 * at end of time, as well as "overwrapping" the clock back around
140 * into a seemingly valid but incorrect future date earlier than the
141 * desired expiration.
143 * In order to avoid odd behavior (either negative lifetimes or loss
144 * of high order bits) when someone asks for bizarrely long SA
145 * lifetimes, we do a saturating add for expire times.
147 * We presume that ILP32 systems will be past end of support life when
148 * the 32-bit time_t overflows (a dangerous assumption, mind you..).
150 * On LP64, 2^64 seconds are about 5.8e11 years, at which point we
151 * will hopefully have figured out clever ways to avoid the use of
152 * fixed-sized integers in computation.
155 sadb_add_time(time_t base
, uint64_t delta
)
160 * Clip delta to the maximum possible time_t value to
161 * prevent "overwrapping" back into a shorter-than-desired
164 if (delta
> TIME_MAX
)
167 * This sum may still overflow.
172 * .. so if the result is less than the base, we overflowed.
181 * Callers of this function have already created a working security
182 * association, and have found the appropriate table & hash chain. All this
183 * function does is check duplicates, and insert the SA. The caller needs to
184 * hold the hash bucket lock and increment the refcnt before insertion.
186 * Return 0 if success, EEXIST if collision.
188 #define SA_UNIQUE_MATCH(sa1, sa2) \
189 (((sa1)->ipsa_unique_id & (sa1)->ipsa_unique_mask) == \
190 ((sa2)->ipsa_unique_id & (sa2)->ipsa_unique_mask))
193 sadb_insertassoc(ipsa_t
*ipsa
, isaf_t
*bucket
)
195 ipsa_t
**ptpn
= NULL
;
199 ASSERT(MUTEX_HELD(&bucket
->isaf_lock
));
201 unspecsrc
= IPSA_IS_ADDR_UNSPEC(ipsa
->ipsa_srcaddr
, ipsa
->ipsa_addrfam
);
203 walker
= bucket
->isaf_ipsa
;
204 ASSERT(walker
== NULL
|| ipsa
->ipsa_addrfam
== walker
->ipsa_addrfam
);
207 * Find insertion point (pointed to with **ptpn). Insert at the head
208 * of the list unless there's an unspecified source address, then
209 * insert it after the last SA with a specified source address.
211 * BTW, you'll have to walk the whole chain, matching on {DST, SPI}
212 * checking for collisions.
215 while (walker
!= NULL
) {
216 if (IPSA_ARE_ADDR_EQUAL(walker
->ipsa_dstaddr
,
217 ipsa
->ipsa_dstaddr
, ipsa
->ipsa_addrfam
)) {
218 if (walker
->ipsa_spi
== ipsa
->ipsa_spi
)
221 mutex_enter(&walker
->ipsa_lock
);
222 if (ipsa
->ipsa_state
== IPSA_STATE_MATURE
&&
223 (walker
->ipsa_flags
& IPSA_F_USED
) &&
224 SA_UNIQUE_MATCH(walker
, ipsa
)) {
225 walker
->ipsa_flags
|= IPSA_F_CINVALID
;
227 mutex_exit(&walker
->ipsa_lock
);
230 if (ptpn
== NULL
&& unspecsrc
) {
231 if (IPSA_IS_ADDR_UNSPEC(walker
->ipsa_srcaddr
,
232 walker
->ipsa_addrfam
))
233 ptpn
= walker
->ipsa_ptpn
;
234 else if (walker
->ipsa_next
== NULL
)
235 ptpn
= &walker
->ipsa_next
;
238 walker
= walker
->ipsa_next
;
242 ptpn
= &bucket
->isaf_ipsa
;
243 ipsa
->ipsa_next
= *ptpn
;
244 ipsa
->ipsa_ptpn
= ptpn
;
245 if (ipsa
->ipsa_next
!= NULL
)
246 ipsa
->ipsa_next
->ipsa_ptpn
= &ipsa
->ipsa_next
;
248 ipsa
->ipsa_linklock
= &bucket
->isaf_lock
;
252 #undef SA_UNIQUE_MATCH
255 * Free a security association. Its reference count is 0, which means
256 * I must free it. The SA must be unlocked and must not be linked into
260 sadb_freeassoc(ipsa_t
*ipsa
)
262 ipsec_stack_t
*ipss
= ipsa
->ipsa_netstack
->netstack_ipsec
;
263 mblk_t
*asyncmp
, *mp
;
265 ASSERT(ipss
!= NULL
);
266 ASSERT(MUTEX_NOT_HELD(&ipsa
->ipsa_lock
));
267 ASSERT(ipsa
->ipsa_refcnt
== 0);
268 ASSERT(ipsa
->ipsa_next
== NULL
);
269 ASSERT(ipsa
->ipsa_ptpn
== NULL
);
272 asyncmp
= sadb_clear_lpkt(ipsa
);
273 if (asyncmp
!= NULL
) {
274 mp
= ip_recv_attr_free_mblk(asyncmp
);
275 ip_drop_packet(mp
, B_TRUE
, NULL
,
276 DROPPER(ipss
, ipds_sadb_inlarval_timeout
),
277 &ipss
->ipsec_sadb_dropper
);
279 mutex_enter(&ipsa
->ipsa_lock
);
281 if (ipsa
->ipsa_tsl
!= NULL
) {
282 label_rele(ipsa
->ipsa_tsl
);
283 ipsa
->ipsa_tsl
= NULL
;
286 if (ipsa
->ipsa_otsl
!= NULL
) {
287 label_rele(ipsa
->ipsa_otsl
);
288 ipsa
->ipsa_otsl
= NULL
;
291 ipsec_destroy_ctx_tmpl(ipsa
, IPSEC_ALG_AUTH
);
292 ipsec_destroy_ctx_tmpl(ipsa
, IPSEC_ALG_ENCR
);
293 mutex_exit(&ipsa
->ipsa_lock
);
295 /* bzero() these fields for paranoia's sake. */
296 if (ipsa
->ipsa_authkey
!= NULL
) {
297 bzero(ipsa
->ipsa_authkey
, ipsa
->ipsa_authkeylen
);
298 kmem_free(ipsa
->ipsa_authkey
, ipsa
->ipsa_authkeylen
);
300 if (ipsa
->ipsa_encrkey
!= NULL
) {
301 bzero(ipsa
->ipsa_encrkey
, ipsa
->ipsa_encrkeylen
);
302 kmem_free(ipsa
->ipsa_encrkey
, ipsa
->ipsa_encrkeylen
);
304 if (ipsa
->ipsa_nonce_buf
!= NULL
) {
305 bzero(ipsa
->ipsa_nonce_buf
, sizeof (ipsec_nonce_t
));
306 kmem_free(ipsa
->ipsa_nonce_buf
, sizeof (ipsec_nonce_t
));
308 if (ipsa
->ipsa_src_cid
!= NULL
) {
309 IPSID_REFRELE(ipsa
->ipsa_src_cid
);
311 if (ipsa
->ipsa_dst_cid
!= NULL
) {
312 IPSID_REFRELE(ipsa
->ipsa_dst_cid
);
314 if (ipsa
->ipsa_emech
.cm_param
!= NULL
)
315 kmem_free(ipsa
->ipsa_emech
.cm_param
,
316 ipsa
->ipsa_emech
.cm_param_len
);
318 mutex_destroy(&ipsa
->ipsa_lock
);
319 kmem_free(ipsa
, sizeof (*ipsa
));
323 * Unlink a security association from a hash bucket. Assume the hash bucket
324 * lock is held, but the association's lock is not.
326 * Note that we do not bump the bucket's generation number here because
327 * we might not be making a visible change to the set of visible SA's.
328 * All callers MUST bump the bucket's generation number before they unlock
329 * the bucket if they use sadb_unlinkassoc to permanetly remove an SA which
330 * was present in the bucket at the time it was locked.
333 sadb_unlinkassoc(ipsa_t
*ipsa
)
335 ASSERT(ipsa
->ipsa_linklock
!= NULL
);
336 ASSERT(MUTEX_HELD(ipsa
->ipsa_linklock
));
338 /* These fields are protected by the link lock. */
339 *(ipsa
->ipsa_ptpn
) = ipsa
->ipsa_next
;
340 if (ipsa
->ipsa_next
!= NULL
) {
341 ipsa
->ipsa_next
->ipsa_ptpn
= ipsa
->ipsa_ptpn
;
342 ipsa
->ipsa_next
= NULL
;
345 ipsa
->ipsa_ptpn
= NULL
;
347 /* This may destroy the SA. */
352 sadb_delete_cluster(ipsa_t
*assoc
)
356 if (cl_inet_deletespi
&&
357 ((assoc
->ipsa_state
== IPSA_STATE_LARVAL
) ||
358 (assoc
->ipsa_state
== IPSA_STATE_MATURE
))) {
359 protocol
= (assoc
->ipsa_type
== SADB_SATYPE_AH
) ?
360 IPPROTO_AH
: IPPROTO_ESP
;
361 cl_inet_deletespi(assoc
->ipsa_netstack
->netstack_stackid
,
362 protocol
, assoc
->ipsa_spi
, NULL
);
367 * Create a larval security association with the specified SPI. All other
371 sadb_makelarvalassoc(uint32_t spi
, uint32_t *src
, uint32_t *dst
, int addrfam
,
380 newbie
= (ipsa_t
*)kmem_zalloc(sizeof (ipsa_t
), KM_NOSLEEP
);
381 if (newbie
== NULL
) {
382 /* Can't make new larval SA. */
386 /* Assigned requested SPI, assume caller does SPI allocation magic. */
387 newbie
->ipsa_spi
= spi
;
388 newbie
->ipsa_netstack
= ns
; /* No netstack_hold */
394 IPSA_COPY_ADDR(newbie
->ipsa_srcaddr
, src
, addrfam
);
395 IPSA_COPY_ADDR(newbie
->ipsa_dstaddr
, dst
, addrfam
);
397 newbie
->ipsa_addrfam
= addrfam
;
400 * Set common initialization values, including refcnt.
402 mutex_init(&newbie
->ipsa_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
403 newbie
->ipsa_state
= IPSA_STATE_LARVAL
;
404 newbie
->ipsa_refcnt
= 1;
405 newbie
->ipsa_freefunc
= sadb_freeassoc
;
408 * There aren't a lot of other common initialization values, as
409 * they are copied in from the PF_KEY message.
416 * Call me to initialize a security association fanout.
419 sadb_init_fanout(isaf_t
**tablep
, uint_t size
, int kmflag
)
424 table
= (isaf_t
*)kmem_alloc(size
* sizeof (*table
), kmflag
);
430 for (i
= 0; i
< size
; i
++) {
431 mutex_init(&(table
[i
].isaf_lock
), NULL
, MUTEX_DEFAULT
, NULL
);
432 table
[i
].isaf_ipsa
= NULL
;
433 table
[i
].isaf_gen
= 0;
440 * Call me to initialize an acquire fanout
443 sadb_init_acfanout(iacqf_t
**tablep
, uint_t size
, int kmflag
)
448 table
= (iacqf_t
*)kmem_alloc(size
* sizeof (*table
), kmflag
);
454 for (i
= 0; i
< size
; i
++) {
455 mutex_init(&(table
[i
].iacqf_lock
), NULL
, MUTEX_DEFAULT
, NULL
);
456 table
[i
].iacqf_ipsacq
= NULL
;
463 * Attempt to initialize an SADB instance. On failure, return ENOMEM;
464 * caller must clean up partial allocations.
467 sadb_init_trial(sadb_t
*sp
, uint_t size
, int kmflag
)
469 ASSERT(sp
->sdb_of
== NULL
);
470 ASSERT(sp
->sdb_if
== NULL
);
471 ASSERT(sp
->sdb_acq
== NULL
);
473 sp
->sdb_hashsize
= size
;
474 if (sadb_init_fanout(&sp
->sdb_of
, size
, kmflag
) != 0)
476 if (sadb_init_fanout(&sp
->sdb_if
, size
, kmflag
) != 0)
478 if (sadb_init_acfanout(&sp
->sdb_acq
, size
, kmflag
) != 0)
485 * Call me to initialize an SADB instance; fall back to default size on failure.
488 sadb_init(const char *name
, sadb_t
*sp
, uint_t size
, uint_t ver
,
491 ASSERT(sp
->sdb_of
== NULL
);
492 ASSERT(sp
->sdb_if
== NULL
);
493 ASSERT(sp
->sdb_acq
== NULL
);
495 if (size
< IPSEC_DEFAULT_HASH_SIZE
)
496 size
= IPSEC_DEFAULT_HASH_SIZE
;
498 if (sadb_init_trial(sp
, size
, KM_NOSLEEP
) != 0) {
501 "Unable to allocate %u entry IPv%u %s SADB hash table",
504 sadb_destroy(sp
, ns
);
505 size
= IPSEC_DEFAULT_HASH_SIZE
;
506 cmn_err(CE_WARN
, "Falling back to %d entries", size
);
507 (void) sadb_init_trial(sp
, size
, KM_SLEEP
);
513 * Initialize an SADB-pair.
516 sadbp_init(const char *name
, sadbp_t
*sp
, int type
, int size
, netstack_t
*ns
)
518 sadb_init(name
, &sp
->s_v4
, size
, 4, ns
);
519 sadb_init(name
, &sp
->s_v6
, size
, 6, ns
);
523 ASSERT((type
== SADB_SATYPE_AH
) || (type
== SADB_SATYPE_ESP
));
524 if (type
== SADB_SATYPE_AH
) {
525 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
527 ip_drop_register(&ipss
->ipsec_sadb_dropper
, "IPsec SADB");
528 sp
->s_addflags
= AH_ADD_SETTABLE_FLAGS
;
529 sp
->s_updateflags
= AH_UPDATE_SETTABLE_FLAGS
;
531 sp
->s_addflags
= ESP_ADD_SETTABLE_FLAGS
;
532 sp
->s_updateflags
= ESP_UPDATE_SETTABLE_FLAGS
;
537 * Deliver a single SADB_DUMP message representing a single SA. This is
538 * called many times by sadb_dump().
540 * If the return value of this is ENOBUFS (not the same as ENOMEM), then
541 * the caller should take that as a hint that dupb() on the "original answer"
542 * failed, and that perhaps the caller should try again with a copyb()ed
546 sadb_dump_deliver(queue_t
*pfkey_q
, mblk_t
*original_answer
, ipsa_t
*ipsa
,
551 answer
= dupb(original_answer
);
554 answer
->b_cont
= sadb_sa2msg(ipsa
, samsg
);
555 if (answer
->b_cont
== NULL
) {
560 /* Just do a putnext, and let keysock deal with flow control. */
561 putnext(pfkey_q
, answer
);
566 * Common function to allocate and prepare a keysock_out_t M_CTL message.
569 sadb_keysock_out(minor_t serial
)
574 mp
= allocb(sizeof (ipsec_info_t
), BPRI_HI
);
576 mp
->b_datap
->db_type
= M_CTL
;
577 mp
->b_wptr
+= sizeof (ipsec_info_t
);
578 kso
= (keysock_out_t
*)mp
->b_rptr
;
579 kso
->ks_out_type
= KEYSOCK_OUT
;
580 kso
->ks_out_len
= sizeof (*kso
);
581 kso
->ks_out_serial
= serial
;
588 * Perform an SADB_DUMP, spewing out every SA in an array of SA fanouts
592 sadb_dump_fanout(queue_t
*pfkey_q
, mblk_t
*mp
, minor_t serial
, isaf_t
*fanout
,
593 int num_entries
, boolean_t do_peers
, time_t active_time
)
596 mblk_t
*original_answer
;
602 * For each IPSA hash bucket do:
604 * - Walk each entry, doing an sadb_dump_deliver() on it.
606 ASSERT(mp
->b_cont
!= NULL
);
607 samsg
= (sadb_msg_t
*)mp
->b_cont
->b_rptr
;
609 original_answer
= sadb_keysock_out(serial
);
610 if (original_answer
== NULL
)
613 current
= gethrestime_sec();
614 for (i
= 0; i
< num_entries
; i
++) {
615 mutex_enter(&fanout
[i
].isaf_lock
);
616 for (walker
= fanout
[i
].isaf_ipsa
; walker
!= NULL
;
617 walker
= walker
->ipsa_next
) {
618 if (!do_peers
&& walker
->ipsa_haspeer
)
620 if ((active_time
!= 0) &&
621 ((current
- walker
->ipsa_lastuse
) > active_time
))
623 error
= sadb_dump_deliver(pfkey_q
, original_answer
,
625 if (error
== ENOBUFS
) {
626 mblk_t
*new_original_answer
;
628 /* Ran out of dupb's. Try a copyb. */
629 new_original_answer
= copyb(original_answer
);
630 if (new_original_answer
== NULL
) {
633 freeb(original_answer
);
634 original_answer
= new_original_answer
;
635 error
= sadb_dump_deliver(pfkey_q
,
636 original_answer
, walker
, samsg
);
640 break; /* out of for loop. */
642 mutex_exit(&fanout
[i
].isaf_lock
);
644 break; /* out of for loop. */
647 freeb(original_answer
);
652 * Dump an entire SADB; outbound first, then inbound.
656 sadb_dump(queue_t
*pfkey_q
, mblk_t
*mp
, keysock_in_t
*ksi
, sadb_t
*sp
)
659 time_t active_time
= 0;
660 sadb_x_edump_t
*edump
=
661 (sadb_x_edump_t
*)ksi
->ks_in_extv
[SADB_X_EXT_EDUMP
];
664 active_time
= edump
->sadb_x_edump_timeout
;
668 error
= sadb_dump_fanout(pfkey_q
, mp
, ksi
->ks_in_serial
, sp
->sdb_of
,
669 sp
->sdb_hashsize
, B_TRUE
, active_time
);
674 return sadb_dump_fanout(pfkey_q
, mp
, ksi
->ks_in_serial
, sp
->sdb_if
,
675 sp
->sdb_hashsize
, B_FALSE
, active_time
);
679 * Generic sadb table walker.
681 * Call "walkfn" for each SA in each bucket in "table"; pass the
682 * bucket, the entry and "cookie" to the callback function.
683 * Take care to ensure that walkfn can delete the SA without screwing
686 * The bucket is locked for the duration of the callback, both so that the
687 * callback can just call sadb_unlinkassoc() when it wants to delete something,
688 * and so that no new entries are added while we're walking the list.
691 sadb_walker(isaf_t
*table
, uint_t numentries
,
692 void (*walkfn
)(isaf_t
*head
, ipsa_t
*entry
, void *cookie
),
696 for (i
= 0; i
< numentries
; i
++) {
697 ipsa_t
*entry
, *next
;
699 mutex_enter(&table
[i
].isaf_lock
);
701 for (entry
= table
[i
].isaf_ipsa
; entry
!= NULL
;
703 next
= entry
->ipsa_next
;
704 (*walkfn
)(&table
[i
], entry
, cookie
);
706 mutex_exit(&table
[i
].isaf_lock
);
711 * Call me to free up a security association fanout. Use the forever
712 * variable to indicate freeing up the SAs (forever == B_FALSE, e.g.
713 * an SADB_FLUSH message), or destroying everything (forever == B_TRUE,
714 * when a module is unloaded).
717 sadb_destroyer(isaf_t
**tablep
, uint_t numentries
, boolean_t forever
,
721 isaf_t
*table
= *tablep
;
729 for (i
= 0; i
< numentries
; i
++) {
730 mutex_enter(&table
[i
].isaf_lock
);
731 while ((sa
= table
[i
].isaf_ipsa
) != NULL
) {
732 if (inbound
&& cl_inet_deletespi
&&
733 (sa
->ipsa_state
!= IPSA_STATE_ACTIVE_ELSEWHERE
) &&
734 (sa
->ipsa_state
!= IPSA_STATE_IDLE
)) {
735 protocol
= (sa
->ipsa_type
== SADB_SATYPE_AH
) ?
736 IPPROTO_AH
: IPPROTO_ESP
;
737 sid
= sa
->ipsa_netstack
->netstack_stackid
;
738 cl_inet_deletespi(sid
, protocol
, sa
->ipsa_spi
,
741 sadb_unlinkassoc(sa
);
744 mutex_exit(&table
[i
].isaf_lock
);
746 mutex_destroy(&(table
[i
].isaf_lock
));
751 kmem_free(table
, numentries
* sizeof (*table
));
756 * Entry points to sadb_destroyer().
759 sadb_flush(sadb_t
*sp
, netstack_t
*ns
)
762 * Flush out each bucket, one at a time. Were it not for keysock's
763 * enforcement, there would be a subtlety where I could add on the
764 * heels of a flush. With keysock's enforcement, however, this
765 * makes ESP's job easy.
767 sadb_destroyer(&sp
->sdb_of
, sp
->sdb_hashsize
, B_FALSE
, B_FALSE
);
768 sadb_destroyer(&sp
->sdb_if
, sp
->sdb_hashsize
, B_FALSE
, B_TRUE
);
770 /* For each acquire, destroy it; leave the bucket mutex alone. */
771 sadb_destroy_acqlist(&sp
->sdb_acq
, sp
->sdb_hashsize
, B_FALSE
, ns
);
775 sadb_destroy(sadb_t
*sp
, netstack_t
*ns
)
777 sadb_destroyer(&sp
->sdb_of
, sp
->sdb_hashsize
, B_TRUE
, B_FALSE
);
778 sadb_destroyer(&sp
->sdb_if
, sp
->sdb_hashsize
, B_TRUE
, B_TRUE
);
780 /* For each acquire, destroy it, including the bucket mutex. */
781 sadb_destroy_acqlist(&sp
->sdb_acq
, sp
->sdb_hashsize
, B_TRUE
, ns
);
783 ASSERT(sp
->sdb_of
== NULL
);
784 ASSERT(sp
->sdb_if
== NULL
);
785 ASSERT(sp
->sdb_acq
== NULL
);
789 sadbp_flush(sadbp_t
*spp
, netstack_t
*ns
)
791 sadb_flush(&spp
->s_v4
, ns
);
792 sadb_flush(&spp
->s_v6
, ns
);
796 sadbp_destroy(sadbp_t
*spp
, netstack_t
*ns
)
798 sadb_destroy(&spp
->s_v4
, ns
);
799 sadb_destroy(&spp
->s_v6
, ns
);
801 if (spp
->s_satype
== SADB_SATYPE_AH
) {
802 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
804 ip_drop_unregister(&ipss
->ipsec_sadb_dropper
);
810 * Check hard vs. soft lifetimes. If there's a reality mismatch (e.g.
811 * soft lifetimes > hard lifetimes) return an appropriate diagnostic for
815 sadb_hardsoftchk(sadb_lifetime_t
*hard
, sadb_lifetime_t
*soft
,
816 sadb_lifetime_t
*idle
)
818 if (hard
== NULL
|| soft
== NULL
)
821 if (hard
->sadb_lifetime_allocations
!= 0 &&
822 soft
->sadb_lifetime_allocations
!= 0 &&
823 hard
->sadb_lifetime_allocations
< soft
->sadb_lifetime_allocations
)
824 return (SADB_X_DIAGNOSTIC_ALLOC_HSERR
);
826 if (hard
->sadb_lifetime_bytes
!= 0 &&
827 soft
->sadb_lifetime_bytes
!= 0 &&
828 hard
->sadb_lifetime_bytes
< soft
->sadb_lifetime_bytes
)
829 return (SADB_X_DIAGNOSTIC_BYTES_HSERR
);
831 if (hard
->sadb_lifetime_addtime
!= 0 &&
832 soft
->sadb_lifetime_addtime
!= 0 &&
833 hard
->sadb_lifetime_addtime
< soft
->sadb_lifetime_addtime
)
834 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR
);
836 if (hard
->sadb_lifetime_usetime
!= 0 &&
837 soft
->sadb_lifetime_usetime
!= 0 &&
838 hard
->sadb_lifetime_usetime
< soft
->sadb_lifetime_usetime
)
839 return (SADB_X_DIAGNOSTIC_USETIME_HSERR
);
842 if (hard
->sadb_lifetime_addtime
!= 0 &&
843 idle
->sadb_lifetime_addtime
!= 0 &&
844 hard
->sadb_lifetime_addtime
< idle
->sadb_lifetime_addtime
)
845 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR
);
847 if (soft
->sadb_lifetime_addtime
!= 0 &&
848 idle
->sadb_lifetime_addtime
!= 0 &&
849 soft
->sadb_lifetime_addtime
< idle
->sadb_lifetime_addtime
)
850 return (SADB_X_DIAGNOSTIC_ADDTIME_HSERR
);
852 if (hard
->sadb_lifetime_usetime
!= 0 &&
853 idle
->sadb_lifetime_usetime
!= 0 &&
854 hard
->sadb_lifetime_usetime
< idle
->sadb_lifetime_usetime
)
855 return (SADB_X_DIAGNOSTIC_USETIME_HSERR
);
857 if (soft
->sadb_lifetime_usetime
!= 0 &&
858 idle
->sadb_lifetime_usetime
!= 0 &&
859 soft
->sadb_lifetime_usetime
< idle
->sadb_lifetime_usetime
)
860 return (SADB_X_DIAGNOSTIC_USETIME_HSERR
);
867 * Sanity check sensitivity labels.
869 * For now, just reject labels on unlabeled systems.
872 sadb_labelchk(keysock_in_t
*ksi
)
874 if (!is_system_labeled()) {
875 if (ksi
->ks_in_extv
[SADB_EXT_SENSITIVITY
] != NULL
)
876 return (SADB_X_DIAGNOSTIC_BAD_LABEL
);
878 if (ksi
->ks_in_extv
[SADB_X_EXT_OUTER_SENS
] != NULL
)
879 return (SADB_X_DIAGNOSTIC_BAD_LABEL
);
886 * Clone a security association for the purposes of inserting a single SA
887 * into inbound and outbound tables respectively. This function should only
888 * be called from sadb_common_add().
891 sadb_cloneassoc(ipsa_t
*ipsa
)
894 boolean_t error
= B_FALSE
;
896 ASSERT(MUTEX_NOT_HELD(&(ipsa
->ipsa_lock
)));
898 newbie
= kmem_alloc(sizeof (ipsa_t
), KM_NOSLEEP
);
902 /* Copy over what we can. */
905 /* bzero and initialize locks, in case *_init() allocates... */
906 mutex_init(&newbie
->ipsa_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
908 if (newbie
->ipsa_tsl
!= NULL
)
909 label_hold(newbie
->ipsa_tsl
);
911 if (newbie
->ipsa_otsl
!= NULL
)
912 label_hold(newbie
->ipsa_otsl
);
915 * While somewhat dain-bramaged, the most graceful way to
916 * recover from errors is to keep plowing through the
917 * allocations, and getting what I can. It's easier to call
918 * sadb_freeassoc() on the stillborn clone when all the
919 * pointers aren't pointing to the parent's data.
922 if (ipsa
->ipsa_authkey
!= NULL
) {
923 newbie
->ipsa_authkey
= kmem_alloc(newbie
->ipsa_authkeylen
,
925 if (newbie
->ipsa_authkey
== NULL
) {
928 bcopy(ipsa
->ipsa_authkey
, newbie
->ipsa_authkey
,
929 newbie
->ipsa_authkeylen
);
931 newbie
->ipsa_kcfauthkey
.ck_data
=
932 newbie
->ipsa_authkey
;
935 if (newbie
->ipsa_amech
.cm_param
!= NULL
) {
936 newbie
->ipsa_amech
.cm_param
=
937 (char *)&newbie
->ipsa_mac_len
;
941 if (ipsa
->ipsa_encrkey
!= NULL
) {
942 newbie
->ipsa_encrkey
= kmem_alloc(newbie
->ipsa_encrkeylen
,
944 if (newbie
->ipsa_encrkey
== NULL
) {
947 bcopy(ipsa
->ipsa_encrkey
, newbie
->ipsa_encrkey
,
948 newbie
->ipsa_encrkeylen
);
950 newbie
->ipsa_kcfencrkey
.ck_data
=
951 newbie
->ipsa_encrkey
;
955 newbie
->ipsa_authtmpl
= NULL
;
956 newbie
->ipsa_encrtmpl
= NULL
;
957 newbie
->ipsa_haspeer
= B_TRUE
;
959 if (ipsa
->ipsa_src_cid
!= NULL
) {
960 newbie
->ipsa_src_cid
= ipsa
->ipsa_src_cid
;
961 IPSID_REFHOLD(ipsa
->ipsa_src_cid
);
964 if (ipsa
->ipsa_dst_cid
!= NULL
) {
965 newbie
->ipsa_dst_cid
= ipsa
->ipsa_dst_cid
;
966 IPSID_REFHOLD(ipsa
->ipsa_dst_cid
);
970 sadb_freeassoc(newbie
);
978 * Initialize a SADB address extension at the address specified by addrext.
979 * Return a pointer to the end of the new address extension.
982 sadb_make_addr_ext(uint8_t *start
, uint8_t *end
, uint16_t exttype
,
983 sa_family_t af
, uint32_t *addr
, uint16_t port
, uint8_t proto
, int prefix
)
985 struct sockaddr_in
*sin
;
986 struct sockaddr_in6
*sin6
;
987 uint8_t *cur
= start
;
990 sadb_address_t
*addrext
= (sadb_address_t
*)cur
;
995 cur
+= sizeof (*addrext
);
999 addrext
->sadb_address_proto
= proto
;
1000 addrext
->sadb_address_prefixlen
= prefix
;
1001 addrext
->sadb_address_reserved
= 0;
1002 addrext
->sadb_address_exttype
= exttype
;
1006 sin
= (struct sockaddr_in
*)cur
;
1007 sin_len
= sizeof (*sin
);
1012 sin
->sin_family
= af
;
1013 bzero(sin
->sin_zero
, sizeof (sin
->sin_zero
));
1014 sin
->sin_port
= port
;
1015 IPSA_COPY_ADDR(&sin
->sin_addr
, addr
, af
);
1018 sin6
= (struct sockaddr_in6
*)cur
;
1019 sin_len
= sizeof (*sin6
);
1024 bzero(sin6
, sizeof (*sin6
));
1025 sin6
->sin6_family
= af
;
1026 sin6
->sin6_port
= port
;
1027 IPSA_COPY_ADDR(&sin6
->sin6_addr
, addr
, af
);
1031 addrext_len
= roundup(cur
- start
, sizeof (uint64_t));
1032 addrext
->sadb_address_len
= SADB_8TO64(addrext_len
);
1034 cur
= start
+ addrext_len
;
1042 * Construct a key management cookie extension.
1046 sadb_make_kmc_ext(uint8_t *cur
, uint8_t *end
, uint32_t kmp
, uint64_t kmc
)
1048 sadb_x_kmc_t
*kmcext
= (sadb_x_kmc_t
*)cur
;
1053 cur
+= sizeof (*kmcext
);
1058 kmcext
->sadb_x_kmc_len
= SADB_8TO64(sizeof (*kmcext
));
1059 kmcext
->sadb_x_kmc_exttype
= SADB_X_EXT_KM_COOKIE
;
1060 kmcext
->sadb_x_kmc_proto
= kmp
;
1061 kmcext
->sadb_x_kmc_cookie64
= kmc
;
1067 * Given an original message header with sufficient space following it, and an
1068 * SA, construct a full PF_KEY message with all of the relevant extensions.
1069 * This is mostly used for SADB_GET, and SADB_DUMP.
1072 sadb_sa2msg(ipsa_t
*ipsa
, sadb_msg_t
*samsg
)
1074 int alloclen
, addrsize
, paddrsize
, authsize
, encrsize
;
1075 int srcidsize
, dstidsize
, senslen
, osenslen
;
1076 sa_family_t fam
, pfam
; /* Address family for SADB_EXT_ADDRESS */
1077 /* src/dst and proxy sockaddrs. */
1079 * The following are pointers into the PF_KEY message this PF_KEY
1082 sadb_msg_t
*newsamsg
;
1084 sadb_lifetime_t
*lt
;
1086 sadb_ident_t
*ident
;
1088 sadb_ext_t
*walker
; /* For when we need a generic ext. pointer. */
1089 sadb_x_replay_ctr_t
*repl_ctr
;
1090 sadb_x_pair_t
*pair_ext
;
1094 /* These indicate the presence of the above extension fields. */
1095 boolean_t soft
= B_FALSE
, hard
= B_FALSE
;
1096 boolean_t isrc
= B_FALSE
, idst
= B_FALSE
;
1097 boolean_t auth
= B_FALSE
, encr
= B_FALSE
;
1098 boolean_t sensinteg
= B_FALSE
, osensinteg
= B_FALSE
;
1099 boolean_t srcid
= B_FALSE
, dstid
= B_FALSE
;
1104 /* First off, figure out the allocation length for this message. */
1106 * Constant stuff. This includes base, SA, address (src, dst),
1107 * and lifetime (current).
1109 alloclen
= sizeof (sadb_msg_t
) + sizeof (sadb_sa_t
) +
1110 sizeof (sadb_lifetime_t
);
1112 fam
= ipsa
->ipsa_addrfam
;
1115 addrsize
= roundup(sizeof (struct sockaddr_in
) +
1116 sizeof (sadb_address_t
), sizeof (uint64_t));
1119 addrsize
= roundup(sizeof (struct sockaddr_in6
) +
1120 sizeof (sadb_address_t
), sizeof (uint64_t));
1126 * Allocate TWO address extensions, for source and destination.
1129 alloclen
+= addrsize
* 2;
1130 if (ipsa
->ipsa_flags
& IPSA_F_NATT_REM
)
1131 alloclen
+= addrsize
;
1132 if (ipsa
->ipsa_flags
& IPSA_F_NATT_LOC
)
1133 alloclen
+= addrsize
;
1135 if (ipsa
->ipsa_flags
& IPSA_F_PAIRED
) {
1137 alloclen
+= sizeof (sadb_x_pair_t
);
1138 otherspi
= ipsa
->ipsa_otherspi
;
1143 /* How 'bout other lifetimes? */
1144 if (ipsa
->ipsa_softaddlt
!= 0 || ipsa
->ipsa_softuselt
!= 0 ||
1145 ipsa
->ipsa_softbyteslt
!= 0 || ipsa
->ipsa_softalloc
!= 0) {
1146 alloclen
+= sizeof (sadb_lifetime_t
);
1150 if (ipsa
->ipsa_hardaddlt
!= 0 || ipsa
->ipsa_harduselt
!= 0 ||
1151 ipsa
->ipsa_hardbyteslt
!= 0 || ipsa
->ipsa_hardalloc
!= 0) {
1152 alloclen
+= sizeof (sadb_lifetime_t
);
1156 if (ipsa
->ipsa_idleaddlt
!= 0 || ipsa
->ipsa_idleuselt
!= 0) {
1157 alloclen
+= sizeof (sadb_lifetime_t
);
1163 /* Inner addresses. */
1164 if (ipsa
->ipsa_innerfam
!= 0) {
1165 pfam
= ipsa
->ipsa_innerfam
;
1168 paddrsize
= roundup(sizeof (struct sockaddr_in6
) +
1169 sizeof (sadb_address_t
), sizeof (uint64_t));
1172 paddrsize
= roundup(sizeof (struct sockaddr_in
) +
1173 sizeof (sadb_address_t
), sizeof (uint64_t));
1177 "IPsec SADB: Proxy length failure.\n");
1182 alloclen
+= 2 * paddrsize
;
1185 /* For the following fields, assume that length != 0 ==> stuff */
1186 if (ipsa
->ipsa_authkeylen
!= 0) {
1187 authsize
= roundup(sizeof (sadb_key_t
) + ipsa
->ipsa_authkeylen
,
1189 alloclen
+= authsize
;
1193 if (ipsa
->ipsa_encrkeylen
!= 0) {
1194 encrsize
= roundup(sizeof (sadb_key_t
) + ipsa
->ipsa_encrkeylen
+
1195 ipsa
->ipsa_nonce_len
, sizeof (uint64_t));
1196 alloclen
+= encrsize
;
1202 if (ipsa
->ipsa_tsl
!= NULL
) {
1203 senslen
= sadb_sens_len_from_label(ipsa
->ipsa_tsl
);
1204 alloclen
+= senslen
;
1208 if (ipsa
->ipsa_otsl
!= NULL
) {
1209 osenslen
= sadb_sens_len_from_label(ipsa
->ipsa_otsl
);
1210 alloclen
+= osenslen
;
1211 osensinteg
= B_TRUE
;
1215 * Must use strlen() here for lengths. Identities use NULL
1216 * pointers to indicate their nonexistence.
1218 if (ipsa
->ipsa_src_cid
!= NULL
) {
1219 srcidsize
= roundup(sizeof (sadb_ident_t
) +
1220 strlen(ipsa
->ipsa_src_cid
->ipsid_cid
) + 1,
1222 alloclen
+= srcidsize
;
1226 if (ipsa
->ipsa_dst_cid
!= NULL
) {
1227 dstidsize
= roundup(sizeof (sadb_ident_t
) +
1228 strlen(ipsa
->ipsa_dst_cid
->ipsid_cid
) + 1,
1230 alloclen
+= dstidsize
;
1234 if ((ipsa
->ipsa_kmp
!= 0) || (ipsa
->ipsa_kmc
!= 0))
1235 alloclen
+= sizeof (sadb_x_kmc_t
);
1237 if (ipsa
->ipsa_replay
!= 0) {
1238 alloclen
+= sizeof (sadb_x_replay_ctr_t
);
1241 /* Make sure the allocation length is a multiple of 8 bytes. */
1242 ASSERT((alloclen
& 0x7) == 0);
1244 /* XXX Possibly make it esballoc, with a bzero-ing free_ftn. */
1245 mp
= allocb(alloclen
, BPRI_HI
);
1248 bzero(mp
->b_rptr
, alloclen
);
1250 mp
->b_wptr
+= alloclen
;
1252 newsamsg
= (sadb_msg_t
*)mp
->b_rptr
;
1254 newsamsg
->sadb_msg_len
= (uint16_t)SADB_8TO64(alloclen
);
1256 mutex_enter(&ipsa
->ipsa_lock
); /* Since I'm grabbing SA fields... */
1258 newsamsg
->sadb_msg_satype
= ipsa
->ipsa_type
;
1260 assoc
= (sadb_sa_t
*)(newsamsg
+ 1);
1261 assoc
->sadb_sa_len
= SADB_8TO64(sizeof (*assoc
));
1262 assoc
->sadb_sa_exttype
= SADB_EXT_SA
;
1263 assoc
->sadb_sa_spi
= ipsa
->ipsa_spi
;
1264 assoc
->sadb_sa_replay
= ipsa
->ipsa_replay_wsize
;
1265 assoc
->sadb_sa_state
= ipsa
->ipsa_state
;
1266 assoc
->sadb_sa_auth
= ipsa
->ipsa_auth_alg
;
1267 assoc
->sadb_sa_encrypt
= ipsa
->ipsa_encr_alg
;
1268 assoc
->sadb_sa_flags
= ipsa
->ipsa_flags
;
1270 lt
= (sadb_lifetime_t
*)(assoc
+ 1);
1271 lt
->sadb_lifetime_len
= SADB_8TO64(sizeof (*lt
));
1272 lt
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_CURRENT
;
1273 /* We do not support the concept. */
1274 lt
->sadb_lifetime_allocations
= 0;
1275 lt
->sadb_lifetime_bytes
= ipsa
->ipsa_bytes
;
1276 lt
->sadb_lifetime_addtime
= ipsa
->ipsa_addtime
;
1277 lt
->sadb_lifetime_usetime
= ipsa
->ipsa_usetime
;
1281 lt
->sadb_lifetime_len
= SADB_8TO64(sizeof (*lt
));
1282 lt
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_HARD
;
1283 lt
->sadb_lifetime_allocations
= ipsa
->ipsa_hardalloc
;
1284 lt
->sadb_lifetime_bytes
= ipsa
->ipsa_hardbyteslt
;
1285 lt
->sadb_lifetime_addtime
= ipsa
->ipsa_hardaddlt
;
1286 lt
->sadb_lifetime_usetime
= ipsa
->ipsa_harduselt
;
1291 lt
->sadb_lifetime_len
= SADB_8TO64(sizeof (*lt
));
1292 lt
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_SOFT
;
1293 lt
->sadb_lifetime_allocations
= ipsa
->ipsa_softalloc
;
1294 lt
->sadb_lifetime_bytes
= ipsa
->ipsa_softbyteslt
;
1295 lt
->sadb_lifetime_addtime
= ipsa
->ipsa_softaddlt
;
1296 lt
->sadb_lifetime_usetime
= ipsa
->ipsa_softuselt
;
1301 lt
->sadb_lifetime_len
= SADB_8TO64(sizeof (*lt
));
1302 lt
->sadb_lifetime_exttype
= SADB_X_EXT_LIFETIME_IDLE
;
1303 lt
->sadb_lifetime_addtime
= ipsa
->ipsa_idleaddlt
;
1304 lt
->sadb_lifetime_usetime
= ipsa
->ipsa_idleuselt
;
1307 cur
= (uint8_t *)(lt
+ 1);
1309 /* NOTE: Don't fill in ports here if we are a tunnel-mode SA. */
1310 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_SRC
, fam
,
1311 ipsa
->ipsa_srcaddr
, (!isrc
&& !idst
) ? SA_SRCPORT(ipsa
) : 0,
1319 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_DST
, fam
,
1320 ipsa
->ipsa_dstaddr
, (!isrc
&& !idst
) ? SA_DSTPORT(ipsa
) : 0,
1328 if (ipsa
->ipsa_flags
& IPSA_F_NATT_LOC
) {
1329 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_NATT_LOC
,
1330 fam
, &ipsa
->ipsa_natt_addr_loc
, ipsa
->ipsa_local_nat_port
,
1339 if (ipsa
->ipsa_flags
& IPSA_F_NATT_REM
) {
1340 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_NATT_REM
,
1341 fam
, &ipsa
->ipsa_natt_addr_rem
, ipsa
->ipsa_remote_nat_port
,
1350 /* If we are a tunnel-mode SA, fill in the inner-selectors. */
1352 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_SRC
,
1353 pfam
, ipsa
->ipsa_innersrc
, SA_SRCPORT(ipsa
),
1354 SA_IPROTO(ipsa
), ipsa
->ipsa_innersrcpfx
);
1363 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_DST
,
1364 pfam
, ipsa
->ipsa_innerdst
, SA_DSTPORT(ipsa
),
1365 SA_IPROTO(ipsa
), ipsa
->ipsa_innerdstpfx
);
1373 if ((ipsa
->ipsa_kmp
!= 0) || (ipsa
->ipsa_kmc
!= 0)) {
1374 cur
= sadb_make_kmc_ext(cur
, end
,
1375 ipsa
->ipsa_kmp
, ipsa
->ipsa_kmc
);
1383 walker
= (sadb_ext_t
*)cur
;
1385 key
= (sadb_key_t
*)walker
;
1386 key
->sadb_key_len
= SADB_8TO64(authsize
);
1387 key
->sadb_key_exttype
= SADB_EXT_KEY_AUTH
;
1388 key
->sadb_key_bits
= ipsa
->ipsa_authkeybits
;
1389 key
->sadb_key_reserved
= 0;
1390 bcopy(ipsa
->ipsa_authkey
, key
+ 1, ipsa
->ipsa_authkeylen
);
1391 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1392 walker
->sadb_ext_len
);
1397 key
= (sadb_key_t
*)walker
;
1398 key
->sadb_key_len
= SADB_8TO64(encrsize
);
1399 key
->sadb_key_exttype
= SADB_EXT_KEY_ENCRYPT
;
1400 key
->sadb_key_bits
= ipsa
->ipsa_encrkeybits
;
1401 key
->sadb_key_reserved
= ipsa
->ipsa_saltbits
;
1402 buf_ptr
= (uint8_t *)(key
+ 1);
1403 bcopy(ipsa
->ipsa_encrkey
, buf_ptr
, ipsa
->ipsa_encrkeylen
);
1404 if (ipsa
->ipsa_salt
!= NULL
) {
1405 buf_ptr
+= ipsa
->ipsa_encrkeylen
;
1406 bcopy(ipsa
->ipsa_salt
, buf_ptr
, ipsa
->ipsa_saltlen
);
1408 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1409 walker
->sadb_ext_len
);
1413 ident
= (sadb_ident_t
*)walker
;
1414 ident
->sadb_ident_len
= SADB_8TO64(srcidsize
);
1415 ident
->sadb_ident_exttype
= SADB_EXT_IDENTITY_SRC
;
1416 ident
->sadb_ident_type
= ipsa
->ipsa_src_cid
->ipsid_type
;
1417 ident
->sadb_ident_id
= 0;
1418 ident
->sadb_ident_reserved
= 0;
1419 (void) strcpy((char *)(ident
+ 1),
1420 ipsa
->ipsa_src_cid
->ipsid_cid
);
1421 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1422 walker
->sadb_ext_len
);
1426 ident
= (sadb_ident_t
*)walker
;
1427 ident
->sadb_ident_len
= SADB_8TO64(dstidsize
);
1428 ident
->sadb_ident_exttype
= SADB_EXT_IDENTITY_DST
;
1429 ident
->sadb_ident_type
= ipsa
->ipsa_dst_cid
->ipsid_type
;
1430 ident
->sadb_ident_id
= 0;
1431 ident
->sadb_ident_reserved
= 0;
1432 (void) strcpy((char *)(ident
+ 1),
1433 ipsa
->ipsa_dst_cid
->ipsid_cid
);
1434 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1435 walker
->sadb_ext_len
);
1439 sens
= (sadb_sens_t
*)walker
;
1440 sadb_sens_from_label(sens
, SADB_EXT_SENSITIVITY
,
1441 ipsa
->ipsa_tsl
, senslen
);
1443 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1444 walker
->sadb_ext_len
);
1448 sens
= (sadb_sens_t
*)walker
;
1450 sadb_sens_from_label(sens
, SADB_X_EXT_OUTER_SENS
,
1451 ipsa
->ipsa_otsl
, osenslen
);
1452 if (ipsa
->ipsa_mac_exempt
)
1453 sens
->sadb_x_sens_flags
= SADB_X_SENS_IMPLICIT
;
1455 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1456 walker
->sadb_ext_len
);
1460 pair_ext
= (sadb_x_pair_t
*)walker
;
1462 pair_ext
->sadb_x_pair_len
= SADB_8TO64(sizeof (sadb_x_pair_t
));
1463 pair_ext
->sadb_x_pair_exttype
= SADB_X_EXT_PAIR
;
1464 pair_ext
->sadb_x_pair_spi
= otherspi
;
1466 walker
= (sadb_ext_t
*)((uint64_t *)walker
+
1467 walker
->sadb_ext_len
);
1470 if (ipsa
->ipsa_replay
!= 0) {
1471 repl_ctr
= (sadb_x_replay_ctr_t
*)walker
;
1472 repl_ctr
->sadb_x_rc_len
= SADB_8TO64(sizeof (*repl_ctr
));
1473 repl_ctr
->sadb_x_rc_exttype
= SADB_X_EXT_REPLAY_VALUE
;
1474 repl_ctr
->sadb_x_rc_replay32
= ipsa
->ipsa_replay
;
1475 repl_ctr
->sadb_x_rc_replay64
= 0;
1476 walker
= (sadb_ext_t
*)(repl_ctr
+ 1);
1480 /* Pardon any delays... */
1481 mutex_exit(&ipsa
->ipsa_lock
);
1487 * Strip out key headers or unmarked headers (SADB_EXT_KEY_*, SADB_EXT_UNKNOWN)
1488 * and adjust base message accordingly.
1490 * Assume message is pulled up in one piece of contiguous memory.
1492 * Say if we start off with:
1494 * +------+----+-------------+-----------+---------------+---------------+
1495 * | base | SA | source addr | dest addr | rsrvd. or key | soft lifetime |
1496 * +------+----+-------------+-----------+---------------+---------------+
1498 * we will end up with
1500 * +------+----+-------------+-----------+---------------+
1501 * | base | SA | source addr | dest addr | soft lifetime |
1502 * +------+----+-------------+-----------+---------------+
1505 sadb_strip(sadb_msg_t
*samsg
)
1508 uint8_t *target
= NULL
;
1510 int sofar
= SADB_8TO64(sizeof (*samsg
));
1513 ext
= (sadb_ext_t
*)(samsg
+ 1);
1514 msgend
= (uint8_t *)samsg
;
1515 msgend
+= SADB_64TO8(samsg
->sadb_msg_len
);
1516 while ((uint8_t *)ext
< msgend
) {
1517 if (ext
->sadb_ext_type
== SADB_EXT_RESERVED
||
1518 ext
->sadb_ext_type
== SADB_EXT_KEY_AUTH
||
1519 ext
->sadb_ext_type
== SADB_X_EXT_EDUMP
||
1520 ext
->sadb_ext_type
== SADB_EXT_KEY_ENCRYPT
) {
1522 * Aha! I found a header to be erased.
1525 if (target
!= NULL
) {
1527 * If I had a previous header to be erased,
1528 * copy over it. I can get away with just
1529 * copying backwards because the target will
1530 * always be 8 bytes behind the source.
1532 copylen
= ((uint8_t *)ext
) - (target
+
1534 ((sadb_ext_t
*)target
)->sadb_ext_len
));
1535 ovbcopy(((uint8_t *)ext
- copylen
), target
,
1538 ((sadb_ext_t
*)target
)->sadb_ext_len
=
1539 SADB_8TO64(((uint8_t *)ext
) - target
+
1540 SADB_64TO8(ext
->sadb_ext_len
));
1542 target
= (uint8_t *)ext
;
1545 sofar
+= ext
->sadb_ext_len
;
1548 ext
= (sadb_ext_t
*)(((uint64_t *)ext
) + ext
->sadb_ext_len
);
1551 ASSERT((uint8_t *)ext
== msgend
);
1553 if (target
!= NULL
) {
1554 copylen
= ((uint8_t *)ext
) - (target
+
1555 SADB_64TO8(((sadb_ext_t
*)target
)->sadb_ext_len
));
1557 ovbcopy(((uint8_t *)ext
- copylen
), target
, copylen
);
1561 samsg
->sadb_msg_len
= (uint16_t)sofar
;
1563 /* Assume all of the rest is cleared by caller in sadb_pfkey_echo(). */
1567 * AH needs to send an error to PF_KEY. Assume mp points to an M_CTL
1568 * followed by an M_DATA with a PF_KEY message in it. The serial of
1569 * the sending keysock instance is included.
1572 sadb_pfkey_error(queue_t
*pfkey_q
, mblk_t
*mp
, int error
, int diagnostic
,
1575 mblk_t
*msg
= mp
->b_cont
;
1580 * Enough functions call this to merit a NULL queue check.
1582 if (pfkey_q
== NULL
) {
1587 ASSERT(msg
!= NULL
);
1588 ASSERT((mp
->b_wptr
- mp
->b_rptr
) == sizeof (ipsec_info_t
));
1589 ASSERT((msg
->b_wptr
- msg
->b_rptr
) >= sizeof (sadb_msg_t
));
1590 samsg
= (sadb_msg_t
*)msg
->b_rptr
;
1591 kso
= (keysock_out_t
*)mp
->b_rptr
;
1593 kso
->ks_out_type
= KEYSOCK_OUT
;
1594 kso
->ks_out_len
= sizeof (*kso
);
1595 kso
->ks_out_serial
= serial
;
1598 * Only send the base message up in the event of an error.
1599 * Don't worry about bzero()-ing, because it was probably bogus
1602 msg
->b_wptr
= msg
->b_rptr
+ sizeof (*samsg
);
1603 samsg
= (sadb_msg_t
*)msg
->b_rptr
;
1604 samsg
->sadb_msg_len
= SADB_8TO64(sizeof (*samsg
));
1605 samsg
->sadb_msg_errno
= (uint8_t)error
;
1606 if (diagnostic
!= SADB_X_DIAGNOSTIC_PRESET
)
1607 samsg
->sadb_x_msg_diagnostic
= (uint16_t)diagnostic
;
1609 putnext(pfkey_q
, mp
);
1613 * Send a successful return packet back to keysock via the queue in pfkey_q.
1615 * Often, an SA is associated with the reply message, it's passed in if needed,
1616 * and NULL if not. BTW, that ipsa will have its refcnt appropriately held,
1617 * and the caller will release said refcnt.
1620 sadb_pfkey_echo(queue_t
*pfkey_q
, mblk_t
*mp
, sadb_msg_t
*samsg
,
1621 keysock_in_t
*ksi
, ipsa_t
*ipsa
)
1625 sadb_msg_t
*newsamsg
;
1628 ASSERT((mp
->b_cont
!= NULL
) &&
1629 ((void *)samsg
== (void *)mp
->b_cont
->b_rptr
) &&
1630 ((void *)mp
->b_rptr
== (void *)ksi
));
1632 switch (samsg
->sadb_msg_type
) {
1635 case SADB_X_UPDATEPAIR
:
1636 case SADB_X_DELPAIR_STATE
:
1640 * I have all of the message already. I just need to strip
1641 * out the keying material and echo the message back.
1643 * NOTE: for SADB_DUMP, the function sadb_dump() did the
1644 * work. When DUMP reaches here, it should only be a base
1648 if (ksi
->ks_in_extv
[SADB_EXT_KEY_AUTH
] != NULL
||
1649 ksi
->ks_in_extv
[SADB_EXT_KEY_ENCRYPT
] != NULL
||
1650 ksi
->ks_in_extv
[SADB_X_EXT_EDUMP
] != NULL
) {
1652 /* Assume PF_KEY message is contiguous. */
1653 ASSERT(mp
->b_cont
->b_cont
== NULL
);
1654 oldend
= mp
->b_cont
->b_wptr
;
1655 mp
->b_cont
->b_wptr
= mp
->b_cont
->b_rptr
+
1656 SADB_64TO8(samsg
->sadb_msg_len
);
1657 bzero(mp
->b_cont
->b_wptr
, oldend
- mp
->b_cont
->b_wptr
);
1662 * Do a lot of work here, because of the ipsa I just found.
1663 * First construct the new PF_KEY message, then abandon
1666 mp1
= sadb_sa2msg(ipsa
, samsg
);
1668 sadb_pfkey_error(pfkey_q
, mp
, ENOMEM
,
1669 SADB_X_DIAGNOSTIC_NONE
, ksi
->ks_in_serial
);
1672 freemsg(mp
->b_cont
);
1676 case SADB_X_DELPAIR
:
1680 * Because listening KMds may require more info, treat
1681 * DELETE like a special case of GET.
1683 mp1
= sadb_sa2msg(ipsa
, samsg
);
1685 sadb_pfkey_error(pfkey_q
, mp
, ENOMEM
,
1686 SADB_X_DIAGNOSTIC_NONE
, ksi
->ks_in_serial
);
1689 newsamsg
= (sadb_msg_t
*)mp1
->b_rptr
;
1690 sadb_strip(newsamsg
);
1691 oldend
= mp1
->b_wptr
;
1692 mp1
->b_wptr
= mp1
->b_rptr
+ SADB_64TO8(newsamsg
->sadb_msg_len
);
1693 bzero(mp1
->b_wptr
, oldend
- mp1
->b_wptr
);
1694 freemsg(mp
->b_cont
);
1703 /* ksi is now null and void. */
1704 kso
= (keysock_out_t
*)ksi
;
1705 kso
->ks_out_type
= KEYSOCK_OUT
;
1706 kso
->ks_out_len
= sizeof (*kso
);
1707 kso
->ks_out_serial
= ksi
->ks_in_serial
;
1708 /* We're ready to send... */
1709 putnext(pfkey_q
, mp
);
1713 * Set up a global pfkey_q instance for AH, ESP, or some other consumer.
1716 sadb_keysock_hello(queue_t
**pfkey_qp
, queue_t
*q
, mblk_t
*mp
,
1717 void (*ager
)(void *), void *agerarg
, timeout_id_t
*top
, int satype
)
1719 keysock_hello_ack_t
*kha
;
1722 ASSERT(OTHERQ(q
) != NULL
);
1725 * First, check atomically that I'm the first and only keysock
1728 * Use OTHERQ(q), because qreply(q, mp) == putnext(OTHERQ(q), mp),
1729 * and I want this module to say putnext(*_pfkey_q, mp) for PF_KEY
1733 oldq
= atomic_cas_ptr((void **)pfkey_qp
, NULL
, OTHERQ(q
));
1736 cmn_err(CE_WARN
, "Danger! Multiple keysocks on top of %s.\n",
1737 (satype
== SADB_SATYPE_ESP
)? "ESP" : "AH or other");
1742 kha
= (keysock_hello_ack_t
*)mp
->b_rptr
;
1743 kha
->ks_hello_len
= sizeof (keysock_hello_ack_t
);
1744 kha
->ks_hello_type
= KEYSOCK_HELLO_ACK
;
1745 kha
->ks_hello_satype
= (uint8_t)satype
;
1748 * If we made it past the atomic_cas_ptr, then we have "exclusive"
1749 * access to the timeout handle. Fire it off after the default ager
1752 *top
= qtimeout(*pfkey_qp
, ager
, agerarg
,
1753 drv_usectohz(SADB_AGE_INTERVAL_DEFAULT
* 1000));
1755 putnext(*pfkey_qp
, mp
);
1759 * Normalize IPv4-mapped IPv6 addresses (and prefixes) as appropriate.
1761 * Check addresses themselves for wildcard or multicast.
1762 * Check ire table for local/non-local/broadcast.
1765 sadb_addrcheck(queue_t
*pfkey_q
, mblk_t
*mp
, sadb_ext_t
*ext
, uint_t serial
,
1768 sadb_address_t
*addr
= (sadb_address_t
*)ext
;
1769 struct sockaddr_in
*sin
;
1770 struct sockaddr_in6
*sin6
;
1771 int diagnostic
, type
;
1772 boolean_t normalized
= B_FALSE
;
1774 ASSERT(ext
!= NULL
);
1775 ASSERT((ext
->sadb_ext_type
== SADB_EXT_ADDRESS_SRC
) ||
1776 (ext
->sadb_ext_type
== SADB_EXT_ADDRESS_DST
) ||
1777 (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_INNER_SRC
) ||
1778 (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_INNER_DST
) ||
1779 (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_NATT_LOC
) ||
1780 (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_NATT_REM
));
1782 /* Assign both sockaddrs, the compiler will do the right thing. */
1783 sin
= (struct sockaddr_in
*)(addr
+ 1);
1784 sin6
= (struct sockaddr_in6
*)(addr
+ 1);
1786 if (sin6
->sin6_family
== AF_INET6
) {
1787 if (IN6_IS_ADDR_V4MAPPED(&sin6
->sin6_addr
)) {
1789 * Convert to an AF_INET sockaddr. This means the
1790 * return messages will have the extra space, but have
1791 * AF_INET sockaddrs instead of AF_INET6.
1793 * Yes, RFC 2367 isn't clear on what to do here w.r.t.
1794 * mapped addresses, but since AF_INET6 ::ffff:<v4> is
1795 * equal to AF_INET <v4>, it shouldnt be a huge
1798 sin
->sin_family
= AF_INET
;
1799 IN6_V4MAPPED_TO_INADDR(&sin6
->sin6_addr
,
1801 bzero(&sin
->sin_zero
, sizeof (sin
->sin_zero
));
1802 normalized
= B_TRUE
;
1804 } else if (sin
->sin_family
!= AF_INET
) {
1805 switch (ext
->sadb_ext_type
) {
1806 case SADB_EXT_ADDRESS_SRC
:
1807 diagnostic
= SADB_X_DIAGNOSTIC_BAD_SRC_AF
;
1809 case SADB_EXT_ADDRESS_DST
:
1810 diagnostic
= SADB_X_DIAGNOSTIC_BAD_DST_AF
;
1812 case SADB_X_EXT_ADDRESS_INNER_SRC
:
1813 diagnostic
= SADB_X_DIAGNOSTIC_BAD_PROXY_AF
;
1815 case SADB_X_EXT_ADDRESS_INNER_DST
:
1816 diagnostic
= SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF
;
1818 case SADB_X_EXT_ADDRESS_NATT_LOC
:
1819 diagnostic
= SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF
;
1821 case SADB_X_EXT_ADDRESS_NATT_REM
:
1822 diagnostic
= SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF
;
1824 /* There is no default, see above ASSERT. */
1827 if (pfkey_q
!= NULL
) {
1828 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
, diagnostic
,
1832 * Scribble in sadb_msg that we got passed in.
1833 * Overload "mp" to be an sadb_msg pointer.
1835 sadb_msg_t
*samsg
= (sadb_msg_t
*)mp
;
1837 samsg
->sadb_msg_errno
= EINVAL
;
1838 samsg
->sadb_x_msg_diagnostic
= diagnostic
;
1840 return (KS_IN_ADDR_UNKNOWN
);
1843 if (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_INNER_SRC
||
1844 ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_INNER_DST
) {
1846 * We need only check for prefix issues.
1849 /* Set diagnostic now, in case we need it later. */
1851 (ext
->sadb_ext_type
== SADB_X_EXT_ADDRESS_INNER_SRC
) ?
1852 SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC
:
1853 SADB_X_DIAGNOSTIC_PREFIX_INNER_DST
;
1856 addr
->sadb_address_prefixlen
-= 96;
1859 * Verify and mask out inner-addresses based on prefix length.
1861 if (sin
->sin_family
== AF_INET
) {
1862 if (addr
->sadb_address_prefixlen
> 32)
1864 sin
->sin_addr
.s_addr
&=
1865 ip_plen_to_mask(addr
->sadb_address_prefixlen
);
1869 ASSERT(sin
->sin_family
== AF_INET6
);
1871 * ip_plen_to_mask_v6() returns NULL if the value in
1872 * question is out of range.
1874 if (ip_plen_to_mask_v6(addr
->sadb_address_prefixlen
,
1877 sin6
->sin6_addr
.s6_addr32
[0] &= mask
.s6_addr32
[0];
1878 sin6
->sin6_addr
.s6_addr32
[1] &= mask
.s6_addr32
[1];
1879 sin6
->sin6_addr
.s6_addr32
[2] &= mask
.s6_addr32
[2];
1880 sin6
->sin6_addr
.s6_addr32
[3] &= mask
.s6_addr32
[3];
1883 /* We don't care in these cases. */
1884 return (KS_IN_ADDR_DONTCARE
);
1887 if (sin
->sin_family
== AF_INET6
) {
1888 /* Check the easy ones now. */
1889 if (IN6_IS_ADDR_MULTICAST(&sin6
->sin6_addr
))
1890 return (KS_IN_ADDR_MBCAST
);
1891 if (IN6_IS_ADDR_UNSPECIFIED(&sin6
->sin6_addr
))
1892 return (KS_IN_ADDR_UNSPEC
);
1894 * At this point, we're a unicast IPv6 address.
1896 * XXX Zones alert -> me/notme decision needs to be tempered
1897 * by what zone we're in when we go to zone-aware IPsec.
1899 if (ip_type_v6(&sin6
->sin6_addr
, ns
->netstack_ip
) ==
1901 /* Hey hey, it's local. */
1902 return (KS_IN_ADDR_ME
);
1905 ASSERT(sin
->sin_family
== AF_INET
);
1906 if (sin
->sin_addr
.s_addr
== INADDR_ANY
)
1907 return (KS_IN_ADDR_UNSPEC
);
1908 if (CLASSD(sin
->sin_addr
.s_addr
))
1909 return (KS_IN_ADDR_MBCAST
);
1911 * At this point we're a unicast or broadcast IPv4 address.
1913 * Check if the address is IRE_BROADCAST or IRE_LOCAL.
1915 * XXX Zones alert -> me/notme decision needs to be tempered
1916 * by what zone we're in when we go to zone-aware IPsec.
1918 type
= ip_type_v4(sin
->sin_addr
.s_addr
, ns
->netstack_ip
);
1921 return (KS_IN_ADDR_ME
);
1923 return (KS_IN_ADDR_MBCAST
);
1927 return (KS_IN_ADDR_NOTME
);
1931 * Address normalizations and reality checks for inbound PF_KEY messages.
1933 * For the case of src == unspecified AF_INET6, and dst == AF_INET, convert
1934 * the source to AF_INET. Do the same for the inner sources.
1937 sadb_addrfix(keysock_in_t
*ksi
, queue_t
*pfkey_q
, mblk_t
*mp
, netstack_t
*ns
)
1939 struct sockaddr_in
*src
, *isrc
;
1940 struct sockaddr_in6
*dst
, *idst
;
1941 sadb_address_t
*srcext
, *dstext
;
1943 sadb_ext_t
**extv
= ksi
->ks_in_extv
;
1946 if (extv
[SADB_EXT_ADDRESS_SRC
] != NULL
) {
1947 rc
= sadb_addrcheck(pfkey_q
, mp
, extv
[SADB_EXT_ADDRESS_SRC
],
1948 ksi
->ks_in_serial
, ns
);
1949 if (rc
== KS_IN_ADDR_UNKNOWN
)
1951 if (rc
== KS_IN_ADDR_MBCAST
) {
1952 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
1953 SADB_X_DIAGNOSTIC_BAD_SRC
, ksi
->ks_in_serial
);
1956 ksi
->ks_in_srctype
= rc
;
1959 if (extv
[SADB_EXT_ADDRESS_DST
] != NULL
) {
1960 rc
= sadb_addrcheck(pfkey_q
, mp
, extv
[SADB_EXT_ADDRESS_DST
],
1961 ksi
->ks_in_serial
, ns
);
1962 if (rc
== KS_IN_ADDR_UNKNOWN
)
1964 if (rc
== KS_IN_ADDR_UNSPEC
) {
1965 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
1966 SADB_X_DIAGNOSTIC_BAD_DST
, ksi
->ks_in_serial
);
1969 ksi
->ks_in_dsttype
= rc
;
1973 * NAT-Traversal addrs are simple enough to not require all of
1974 * the checks in sadb_addrcheck(). Just normalize or reject if not
1977 if (extv
[SADB_X_EXT_ADDRESS_NATT_LOC
] != NULL
) {
1978 rc
= sadb_addrcheck(pfkey_q
, mp
,
1979 extv
[SADB_X_EXT_ADDRESS_NATT_LOC
], ksi
->ks_in_serial
, ns
);
1982 * Local NAT-T addresses never use an IRE_LOCAL, so it should
1983 * always be NOTME, or UNSPEC (to handle both tunnel mode
1984 * AND local-port flexibility).
1986 if (rc
!= KS_IN_ADDR_NOTME
&& rc
!= KS_IN_ADDR_UNSPEC
) {
1987 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
1988 SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC
,
1992 src
= (struct sockaddr_in
*)
1993 (((sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_NATT_LOC
]) + 1);
1994 if (src
->sin_family
!= AF_INET
) {
1995 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
1996 SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF
,
2002 if (extv
[SADB_X_EXT_ADDRESS_NATT_REM
] != NULL
) {
2003 rc
= sadb_addrcheck(pfkey_q
, mp
,
2004 extv
[SADB_X_EXT_ADDRESS_NATT_REM
], ksi
->ks_in_serial
, ns
);
2007 * Remote NAT-T addresses never use an IRE_LOCAL, so it should
2008 * always be NOTME, or UNSPEC if it's a tunnel-mode SA.
2010 if (rc
!= KS_IN_ADDR_NOTME
&&
2011 !(extv
[SADB_X_EXT_ADDRESS_INNER_SRC
] != NULL
&&
2012 rc
== KS_IN_ADDR_UNSPEC
)) {
2013 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2014 SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM
,
2018 src
= (struct sockaddr_in
*)
2019 (((sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_NATT_REM
]) + 1);
2020 if (src
->sin_family
!= AF_INET
) {
2021 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2022 SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF
,
2028 if (extv
[SADB_X_EXT_ADDRESS_INNER_SRC
] != NULL
) {
2029 if (extv
[SADB_X_EXT_ADDRESS_INNER_DST
] == NULL
) {
2030 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2031 SADB_X_DIAGNOSTIC_MISSING_INNER_DST
,
2036 if (sadb_addrcheck(pfkey_q
, mp
,
2037 extv
[SADB_X_EXT_ADDRESS_INNER_DST
], ksi
->ks_in_serial
, ns
)
2038 == KS_IN_ADDR_UNKNOWN
||
2039 sadb_addrcheck(pfkey_q
, mp
,
2040 extv
[SADB_X_EXT_ADDRESS_INNER_SRC
], ksi
->ks_in_serial
, ns
)
2041 == KS_IN_ADDR_UNKNOWN
)
2044 isrc
= (struct sockaddr_in
*)
2045 (((sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_INNER_SRC
]) +
2047 idst
= (struct sockaddr_in6
*)
2048 (((sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_INNER_DST
]) +
2050 if (isrc
->sin_family
!= idst
->sin6_family
) {
2051 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2052 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH
,
2056 } else if (extv
[SADB_X_EXT_ADDRESS_INNER_DST
] != NULL
) {
2057 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2058 SADB_X_DIAGNOSTIC_MISSING_INNER_SRC
,
2062 isrc
= NULL
; /* For inner/outer port check below. */
2065 dstext
= (sadb_address_t
*)extv
[SADB_EXT_ADDRESS_DST
];
2066 srcext
= (sadb_address_t
*)extv
[SADB_EXT_ADDRESS_SRC
];
2068 if (dstext
== NULL
|| srcext
== NULL
)
2071 dst
= (struct sockaddr_in6
*)(dstext
+ 1);
2072 src
= (struct sockaddr_in
*)(srcext
+ 1);
2075 (isrc
->sin_port
!= 0 || idst
->sin6_port
!= 0) &&
2076 (src
->sin_port
!= 0 || dst
->sin6_port
!= 0)) {
2077 /* Can't set inner and outer ports in one SA. */
2078 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2079 SADB_X_DIAGNOSTIC_DUAL_PORT_SETS
,
2084 if (dst
->sin6_family
== src
->sin_family
)
2087 if (srcext
->sadb_address_proto
!= dstext
->sadb_address_proto
) {
2088 if (srcext
->sadb_address_proto
== 0) {
2089 srcext
->sadb_address_proto
= dstext
->sadb_address_proto
;
2090 } else if (dstext
->sadb_address_proto
== 0) {
2091 dstext
->sadb_address_proto
= srcext
->sadb_address_proto
;
2093 /* Inequal protocols, neither were 0. Report error. */
2094 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2095 SADB_X_DIAGNOSTIC_PROTO_MISMATCH
,
2102 * With the exception of an unspec IPv6 source and an IPv4
2103 * destination, address families MUST me matched.
2105 if (src
->sin_family
== AF_INET
||
2106 ksi
->ks_in_srctype
!= KS_IN_ADDR_UNSPEC
) {
2107 sadb_pfkey_error(pfkey_q
, mp
, EINVAL
,
2108 SADB_X_DIAGNOSTIC_AF_MISMATCH
, ksi
->ks_in_serial
);
2113 * Convert "src" to AF_INET INADDR_ANY. We rely on sin_port being
2114 * in the same place for sockaddr_in and sockaddr_in6.
2116 sport
= src
->sin_port
;
2117 bzero(src
, sizeof (*src
));
2118 src
->sin_family
= AF_INET
;
2119 src
->sin_port
= sport
;
2125 * Set the results in "addrtype", given an IRE as requested by
2129 sadb_addrset(ire_t
*ire
)
2131 if ((ire
->ire_type
& IRE_BROADCAST
) ||
2132 (ire
->ire_ipversion
== IPV4_VERSION
&& CLASSD(ire
->ire_addr
)) ||
2133 (ire
->ire_ipversion
== IPV6_VERSION
&&
2134 IN6_IS_ADDR_MULTICAST(&(ire
->ire_addr_v6
))))
2135 return (KS_IN_ADDR_MBCAST
);
2136 if (ire
->ire_type
& (IRE_LOCAL
| IRE_LOOPBACK
))
2137 return (KS_IN_ADDR_ME
);
2138 return (KS_IN_ADDR_NOTME
);
2142 * Match primitives..
2143 * !!! TODO: short term: inner selectors
2144 * ipv6 scope id (ifindex)
2145 * longer term: zone id. sensitivity label. uid.
2148 sadb_match_spi(ipsa_query_t
*sq
, ipsa_t
*sa
)
2150 return (sq
->spi
== sa
->ipsa_spi
);
2154 sadb_match_dst_v6(ipsa_query_t
*sq
, ipsa_t
*sa
)
2156 return (IPSA_ARE_ADDR_EQUAL(sa
->ipsa_dstaddr
, sq
->dstaddr
, AF_INET6
));
2160 sadb_match_src_v6(ipsa_query_t
*sq
, ipsa_t
*sa
)
2162 return (IPSA_ARE_ADDR_EQUAL(sa
->ipsa_srcaddr
, sq
->srcaddr
, AF_INET6
));
2166 sadb_match_dst_v4(ipsa_query_t
*sq
, ipsa_t
*sa
)
2168 return (sq
->dstaddr
[0] == sa
->ipsa_dstaddr
[0]);
2172 sadb_match_src_v4(ipsa_query_t
*sq
, ipsa_t
*sa
)
2174 return (sq
->srcaddr
[0] == sa
->ipsa_srcaddr
[0]);
2178 sadb_match_dstid(ipsa_query_t
*sq
, ipsa_t
*sa
)
2180 return ((sa
->ipsa_dst_cid
!= NULL
) &&
2181 (sq
->didtype
== sa
->ipsa_dst_cid
->ipsid_type
) &&
2182 (strcmp(sq
->didstr
, sa
->ipsa_dst_cid
->ipsid_cid
) == 0));
2186 sadb_match_srcid(ipsa_query_t
*sq
, ipsa_t
*sa
)
2188 return ((sa
->ipsa_src_cid
!= NULL
) &&
2189 (sq
->sidtype
== sa
->ipsa_src_cid
->ipsid_type
) &&
2190 (strcmp(sq
->sidstr
, sa
->ipsa_src_cid
->ipsid_cid
) == 0));
2194 sadb_match_kmc(ipsa_query_t
*sq
, ipsa_t
*sa
)
2196 #define M(a, b) (((a) == 0) || ((b) == 0) || ((a) == (b)))
2198 return (M(sq
->kmc
, sa
->ipsa_kmc
) && M(sq
->kmp
, sa
->ipsa_kmp
));
2204 * Common function which extracts several PF_KEY extensions for ease of
2207 * XXX TODO: weed out ipsa_query_t fields not used during matching
2211 sadb_form_query(keysock_in_t
*ksi
, uint32_t req
, uint32_t match
,
2212 ipsa_query_t
*sq
, int *diagnostic
)
2215 ipsa_match_fn_t
*mfpp
= &(sq
->matchers
[0]);
2217 for (i
= 0; i
< IPSA_NMATCH
; i
++)
2218 sq
->matchers
[i
] = NULL
;
2220 ASSERT((req
& ~match
) == 0);
2223 sq
->dstext
= (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_DST
];
2224 sq
->srcext
= (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_SRC
];
2225 sq
->assoc
= (sadb_sa_t
*)ksi
->ks_in_extv
[SADB_EXT_SA
];
2227 if ((req
& IPSA_Q_DST
) && (sq
->dstext
== NULL
)) {
2228 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_DST
;
2231 if ((req
& IPSA_Q_SRC
) && (sq
->srcext
== NULL
)) {
2232 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SRC
;
2235 if ((req
& IPSA_Q_SA
) && (sq
->assoc
== NULL
)) {
2236 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SA
;
2240 if (match
& IPSA_Q_SA
) {
2241 *mfpp
++ = sadb_match_spi
;
2242 sq
->spi
= sq
->assoc
->sadb_sa_spi
;
2245 if (sq
->dstext
!= NULL
)
2246 sq
->dst
= (struct sockaddr_in
*)(sq
->dstext
+ 1);
2253 if (sq
->srcext
!= NULL
)
2254 sq
->src
= (struct sockaddr_in
*)(sq
->srcext
+ 1);
2261 if (sq
->dst
!= NULL
)
2262 sq
->af
= sq
->dst
->sin_family
;
2263 else if (sq
->src
!= NULL
)
2264 sq
->af
= sq
->src
->sin_family
;
2268 if (sq
->af
== AF_INET6
) {
2269 if ((match
& IPSA_Q_DST
) && (sq
->dstext
!= NULL
)) {
2270 *mfpp
++ = sadb_match_dst_v6
;
2271 sq
->dst6
= (struct sockaddr_in6
*)sq
->dst
;
2272 sq
->dstaddr
= (uint32_t *)&(sq
->dst6
->sin6_addr
);
2274 match
&= ~IPSA_Q_DST
;
2275 sq
->dstaddr
= ALL_ZEROES_PTR
;
2278 if ((match
& IPSA_Q_SRC
) && (sq
->srcext
!= NULL
)) {
2279 sq
->src6
= (struct sockaddr_in6
*)(sq
->srcext
+ 1);
2280 sq
->srcaddr
= (uint32_t *)&sq
->src6
->sin6_addr
;
2281 if (sq
->src6
->sin6_family
!= AF_INET6
) {
2282 *diagnostic
= SADB_X_DIAGNOSTIC_AF_MISMATCH
;
2285 *mfpp
++ = sadb_match_src_v6
;
2287 match
&= ~IPSA_Q_SRC
;
2288 sq
->srcaddr
= ALL_ZEROES_PTR
;
2291 sq
->src6
= sq
->dst6
= NULL
;
2292 if ((match
& IPSA_Q_DST
) && (sq
->dstext
!= NULL
)) {
2293 *mfpp
++ = sadb_match_dst_v4
;
2294 sq
->dstaddr
= (uint32_t *)&sq
->dst
->sin_addr
;
2296 match
&= ~IPSA_Q_DST
;
2297 sq
->dstaddr
= ALL_ZEROES_PTR
;
2299 if ((match
& IPSA_Q_SRC
) && (sq
->srcext
!= NULL
)) {
2300 sq
->srcaddr
= (uint32_t *)&sq
->src
->sin_addr
;
2301 if (sq
->src
->sin_family
!= AF_INET
) {
2302 *diagnostic
= SADB_X_DIAGNOSTIC_AF_MISMATCH
;
2305 *mfpp
++ = sadb_match_src_v4
;
2307 match
&= ~IPSA_Q_SRC
;
2308 sq
->srcaddr
= ALL_ZEROES_PTR
;
2312 sq
->dstid
= (sadb_ident_t
*)ksi
->ks_in_extv
[SADB_EXT_IDENTITY_DST
];
2313 if ((match
& IPSA_Q_DSTID
) && (sq
->dstid
!= NULL
)) {
2314 sq
->didstr
= (char *)(sq
->dstid
+ 1);
2315 sq
->didtype
= sq
->dstid
->sadb_ident_type
;
2316 *mfpp
++ = sadb_match_dstid
;
2319 sq
->srcid
= (sadb_ident_t
*)ksi
->ks_in_extv
[SADB_EXT_IDENTITY_SRC
];
2321 if ((match
& IPSA_Q_SRCID
) && (sq
->srcid
!= NULL
)) {
2322 sq
->sidstr
= (char *)(sq
->srcid
+ 1);
2323 sq
->sidtype
= sq
->srcid
->sadb_ident_type
;
2324 *mfpp
++ = sadb_match_srcid
;
2327 sq
->kmcext
= (sadb_x_kmc_t
*)ksi
->ks_in_extv
[SADB_X_EXT_KM_COOKIE
];
2331 if ((match
& IPSA_Q_KMC
) && (sq
->kmcext
)) {
2332 sq
->kmp
= sq
->kmcext
->sadb_x_kmc_proto
;
2333 /* Be liberal in what we receive. Special-case IKEv1. */
2334 if (sq
->kmp
== SADB_X_KMP_IKE
) {
2335 /* Just in case in.iked is misbehaving... */
2336 sq
->kmcext
->sadb_x_kmc_reserved
= 0;
2338 sq
->kmc
= sq
->kmcext
->sadb_x_kmc_cookie64
;
2339 *mfpp
++ = sadb_match_kmc
;
2342 if (match
& (IPSA_Q_INBOUND
|IPSA_Q_OUTBOUND
)) {
2343 if (sq
->af
== AF_INET6
)
2344 sq
->sp
= &sq
->spp
->s_v6
;
2346 sq
->sp
= &sq
->spp
->s_v4
;
2351 if (match
& IPSA_Q_INBOUND
) {
2352 sq
->inhash
= INBOUND_HASH(sq
->sp
, sq
->assoc
->sadb_sa_spi
);
2353 sq
->inbound
= &sq
->sp
->sdb_if
[sq
->inhash
];
2359 if (match
& IPSA_Q_OUTBOUND
) {
2360 if (sq
->af
== AF_INET6
) {
2361 sq
->outhash
= OUTBOUND_HASH_V6(sq
->sp
, *(sq
->dstaddr
));
2363 sq
->outhash
= OUTBOUND_HASH_V4(sq
->sp
, *(sq
->dstaddr
));
2365 sq
->outbound
= &sq
->sp
->sdb_of
[sq
->outhash
];
2368 sq
->outbound
= NULL
;
2375 * Match an initialized query structure with a security association;
2376 * return B_TRUE on a match, B_FALSE on a miss.
2377 * Applies match functions set up by sadb_form_query() until one returns false.
2380 sadb_match_query(ipsa_query_t
*sq
, ipsa_t
*sa
)
2382 ipsa_match_fn_t
*mfpp
= &(sq
->matchers
[0]);
2383 ipsa_match_fn_t mfp
;
2385 for (mfp
= *mfpp
++; mfp
!= NULL
; mfp
= *mfpp
++) {
2393 * Walker callback function to delete sa's based on src/dst address.
2394 * Assumes that we're called with *head locked, no other locks held;
2395 * Conveniently, and not coincidentally, this is both what sadb_walker
2396 * gives us and also what sadb_unlinkassoc expects.
2398 struct sadb_purge_state
2402 uint8_t sadb_sa_state
;
2406 sadb_purge_cb(isaf_t
*head
, ipsa_t
*entry
, void *cookie
)
2408 struct sadb_purge_state
*ps
= (struct sadb_purge_state
*)cookie
;
2410 ASSERT(MUTEX_HELD(&head
->isaf_lock
));
2412 mutex_enter(&entry
->ipsa_lock
);
2414 if (entry
->ipsa_state
== IPSA_STATE_LARVAL
||
2415 !sadb_match_query(&ps
->sq
, entry
)) {
2416 mutex_exit(&entry
->ipsa_lock
);
2421 sadb_delete_cluster(entry
);
2423 entry
->ipsa_state
= IPSA_STATE_DEAD
;
2424 (void) sadb_torch_assoc(head
, entry
);
2428 * Common code to purge an SA with a matching src or dst address.
2429 * Don't kill larval SA's in such a purge.
2432 sadb_purge_sa(mblk_t
*mp
, keysock_in_t
*ksi
, sadb_t
*sp
,
2433 int *diagnostic
, queue_t
*pfkey_q
)
2435 struct sadb_purge_state ps
;
2436 int error
= sadb_form_query(ksi
, 0,
2437 IPSA_Q_SRC
|IPSA_Q_DST
|IPSA_Q_SRCID
|IPSA_Q_DSTID
|IPSA_Q_KMC
,
2438 &ps
.sq
, diagnostic
);
2444 * This is simple, crude, and effective.
2445 * Unimplemented optimizations (TBD):
2446 * - we can limit how many places we search based on where we
2447 * think the SA is filed.
2448 * - if we get a dst address, we can hash based on dst addr to find
2449 * the correct bucket in the outbound table.
2452 sadb_walker(sp
->sdb_if
, sp
->sdb_hashsize
, sadb_purge_cb
, &ps
);
2454 sadb_walker(sp
->sdb_of
, sp
->sdb_hashsize
, sadb_purge_cb
, &ps
);
2456 ASSERT(mp
->b_cont
!= NULL
);
2457 sadb_pfkey_echo(pfkey_q
, mp
, (sadb_msg_t
*)mp
->b_cont
->b_rptr
, ksi
,
2463 sadb_delpair_state_one(isaf_t
*head
, ipsa_t
*entry
, void *cookie
)
2465 struct sadb_purge_state
*ps
= (struct sadb_purge_state
*)cookie
;
2466 isaf_t
*inbound_bucket
;
2468 ipsa_query_t
*sq
= &ps
->sq
;
2470 ASSERT(MUTEX_HELD(&head
->isaf_lock
));
2472 mutex_enter(&entry
->ipsa_lock
);
2474 if ((entry
->ipsa_state
!= ps
->sadb_sa_state
) ||
2475 ((sq
->srcaddr
!= NULL
) &&
2476 !IPSA_ARE_ADDR_EQUAL(entry
->ipsa_srcaddr
, sq
->srcaddr
, sq
->af
))) {
2477 mutex_exit(&entry
->ipsa_lock
);
2482 * The isaf_t *, which is passed in , is always an outbound bucket,
2483 * and we are preserving the outbound-then-inbound hash-bucket lock
2484 * ordering. The sadb_walker() which triggers this function is called
2485 * only on the outbound fanout, and the corresponding inbound bucket
2486 * lock is safe to acquire here.
2489 if (entry
->ipsa_haspeer
) {
2490 inbound_bucket
= INBOUND_BUCKET(sq
->sp
, entry
->ipsa_spi
);
2491 mutex_enter(&inbound_bucket
->isaf_lock
);
2492 peer_assoc
= ipsec_getassocbyspi(inbound_bucket
,
2493 entry
->ipsa_spi
, entry
->ipsa_srcaddr
,
2494 entry
->ipsa_dstaddr
, entry
->ipsa_addrfam
);
2496 inbound_bucket
= INBOUND_BUCKET(sq
->sp
, entry
->ipsa_otherspi
);
2497 mutex_enter(&inbound_bucket
->isaf_lock
);
2498 peer_assoc
= ipsec_getassocbyspi(inbound_bucket
,
2499 entry
->ipsa_otherspi
, entry
->ipsa_dstaddr
,
2500 entry
->ipsa_srcaddr
, entry
->ipsa_addrfam
);
2503 entry
->ipsa_state
= IPSA_STATE_DEAD
;
2504 (void) sadb_torch_assoc(head
, entry
);
2505 if (peer_assoc
!= NULL
) {
2506 mutex_enter(&peer_assoc
->ipsa_lock
);
2507 peer_assoc
->ipsa_state
= IPSA_STATE_DEAD
;
2508 (void) sadb_torch_assoc(inbound_bucket
, peer_assoc
);
2510 mutex_exit(&inbound_bucket
->isaf_lock
);
2514 sadb_delpair_state(mblk_t
*mp
, keysock_in_t
*ksi
, sadbp_t
*spp
,
2515 int *diagnostic
, queue_t
*pfkey_q
)
2517 sadb_sa_t
*assoc
= (sadb_sa_t
*)ksi
->ks_in_extv
[SADB_EXT_SA
];
2518 struct sadb_purge_state ps
;
2521 ps
.sq
.spp
= spp
; /* XXX param */
2523 error
= sadb_form_query(ksi
, IPSA_Q_DST
|IPSA_Q_SRC
,
2524 IPSA_Q_SRC
|IPSA_Q_DST
|IPSA_Q_SRCID
|IPSA_Q_DSTID
|IPSA_Q_KMC
,
2525 &ps
.sq
, diagnostic
);
2530 ps
.sadb_sa_state
= assoc
->sadb_sa_state
;
2531 sadb_walker(ps
.sq
.sp
->sdb_of
, ps
.sq
.sp
->sdb_hashsize
,
2532 sadb_delpair_state_one
, &ps
);
2534 ASSERT(mp
->b_cont
!= NULL
);
2535 sadb_pfkey_echo(pfkey_q
, mp
, (sadb_msg_t
*)mp
->b_cont
->b_rptr
,
2541 * Common code to delete/get an SA.
2544 sadb_delget_sa(mblk_t
*mp
, keysock_in_t
*ksi
, sadbp_t
*spp
,
2545 int *diagnostic
, queue_t
*pfkey_q
, uint8_t sadb_msg_type
)
2548 ipsa_t
*echo_target
= NULL
;
2552 if (sadb_msg_type
== SADB_X_DELPAIR_STATE
)
2553 return (sadb_delpair_state(mp
, ksi
, spp
, diagnostic
, pfkey_q
));
2555 sq
.spp
= spp
; /* XXX param */
2556 error
= sadb_form_query(ksi
, IPSA_Q_DST
|IPSA_Q_SA
,
2557 IPSA_Q_SRC
|IPSA_Q_DST
|IPSA_Q_SA
|IPSA_Q_INBOUND
|IPSA_Q_OUTBOUND
,
2562 error
= get_ipsa_pair(&sq
, &ipsapp
, diagnostic
);
2567 echo_target
= ipsapp
.ipsap_sa_ptr
;
2568 if (echo_target
== NULL
)
2569 echo_target
= ipsapp
.ipsap_psa_ptr
;
2571 if (sadb_msg_type
== SADB_DELETE
|| sadb_msg_type
== SADB_X_DELPAIR
) {
2573 * Bucket locks will be required if SA is actually unlinked.
2574 * get_ipsa_pair() returns valid hash bucket pointers even
2575 * if it can't find a pair SA pointer. To prevent a potential
2576 * deadlock, always lock the outbound bucket before the inbound.
2578 if (ipsapp
.in_inbound_table
) {
2579 mutex_enter(&ipsapp
.ipsap_pbucket
->isaf_lock
);
2580 mutex_enter(&ipsapp
.ipsap_bucket
->isaf_lock
);
2582 mutex_enter(&ipsapp
.ipsap_bucket
->isaf_lock
);
2583 mutex_enter(&ipsapp
.ipsap_pbucket
->isaf_lock
);
2586 if (ipsapp
.ipsap_sa_ptr
!= NULL
) {
2587 mutex_enter(&ipsapp
.ipsap_sa_ptr
->ipsa_lock
);
2588 if (ipsapp
.ipsap_sa_ptr
->ipsa_flags
& IPSA_F_INBOUND
) {
2589 sadb_delete_cluster(ipsapp
.ipsap_sa_ptr
);
2591 ipsapp
.ipsap_sa_ptr
->ipsa_state
= IPSA_STATE_DEAD
;
2592 (void) sadb_torch_assoc(ipsapp
.ipsap_bucket
,
2593 ipsapp
.ipsap_sa_ptr
);
2595 * sadb_torch_assoc() releases the ipsa_lock
2596 * and calls sadb_unlinkassoc() which does a
2600 if (ipsapp
.ipsap_psa_ptr
!= NULL
) {
2601 mutex_enter(&ipsapp
.ipsap_psa_ptr
->ipsa_lock
);
2602 if (sadb_msg_type
== SADB_X_DELPAIR
||
2603 ipsapp
.ipsap_psa_ptr
->ipsa_haspeer
) {
2604 if (ipsapp
.ipsap_psa_ptr
->ipsa_flags
&
2607 (ipsapp
.ipsap_psa_ptr
);
2609 ipsapp
.ipsap_psa_ptr
->ipsa_state
=
2611 (void) sadb_torch_assoc(ipsapp
.ipsap_pbucket
,
2612 ipsapp
.ipsap_psa_ptr
);
2615 * Only half of the "pair" has been deleted.
2616 * Update the remaining SA and remove references
2617 * to its pair SA, which is now gone.
2619 ipsapp
.ipsap_psa_ptr
->ipsa_otherspi
= 0;
2620 ipsapp
.ipsap_psa_ptr
->ipsa_flags
&=
2622 mutex_exit(&ipsapp
.ipsap_psa_ptr
->ipsa_lock
);
2624 } else if (sadb_msg_type
== SADB_X_DELPAIR
) {
2625 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND
;
2628 mutex_exit(&ipsapp
.ipsap_bucket
->isaf_lock
);
2629 mutex_exit(&ipsapp
.ipsap_pbucket
->isaf_lock
);
2632 ASSERT(mp
->b_cont
!= NULL
);
2635 sadb_pfkey_echo(pfkey_q
, mp
, (sadb_msg_t
*)
2636 mp
->b_cont
->b_rptr
, ksi
, echo_target
);
2638 destroy_ipsa_pair(&ipsapp
);
2644 * This function takes a sadb_sa_t and finds the ipsa_t structure
2645 * and the isaf_t (hash bucket) that its stored under. If the security
2646 * association has a peer, the ipsa_t structure and bucket for that security
2647 * association are also searched for. The "pair" of ipsa_t's and isaf_t's
2648 * are returned as a ipsap_t.
2650 * The hash buckets are returned for convenience, if the calling function
2651 * needs to use the hash bucket locks, say to remove the SA's, it should
2652 * take care to observe the convention of locking outbound bucket then
2653 * inbound bucket. The flag in_inbound_table provides direction.
2655 * Note that a "pair" is defined as one (but not both) of the following:
2657 * A security association which has a soft reference to another security
2658 * association via its SPI.
2660 * A security association that is not obviously "inbound" or "outbound" so
2661 * it appears in both hash tables, the "peer" being the same security
2662 * association in the other hash table.
2664 * This function will return NULL if the ipsa_t can't be found in the
2665 * inbound or outbound hash tables (not found). If only one ipsa_t is
2666 * found, the pair ipsa_t will be NULL. Both isaf_t values are valid
2667 * provided at least one ipsa_t is found.
2670 get_ipsa_pair(ipsa_query_t
*sq
, ipsap_t
*ipsapp
, int *diagnostic
)
2672 uint32_t pair_srcaddr
[IPSA_MAX_ADDRLEN
];
2673 uint32_t pair_dstaddr
[IPSA_MAX_ADDRLEN
];
2676 init_ipsa_pair(ipsapp
);
2678 ipsapp
->in_inbound_table
= B_FALSE
;
2680 /* Lock down both buckets. */
2681 mutex_enter(&sq
->outbound
->isaf_lock
);
2682 mutex_enter(&sq
->inbound
->isaf_lock
);
2684 if (sq
->assoc
->sadb_sa_flags
& IPSA_F_INBOUND
) {
2685 ipsapp
->ipsap_sa_ptr
= ipsec_getassocbyspi(sq
->inbound
,
2686 sq
->assoc
->sadb_sa_spi
, sq
->srcaddr
, sq
->dstaddr
, sq
->af
);
2687 if (ipsapp
->ipsap_sa_ptr
!= NULL
) {
2688 ipsapp
->ipsap_bucket
= sq
->inbound
;
2689 ipsapp
->ipsap_pbucket
= sq
->outbound
;
2690 ipsapp
->in_inbound_table
= B_TRUE
;
2692 ipsapp
->ipsap_sa_ptr
= ipsec_getassocbyspi(sq
->outbound
,
2693 sq
->assoc
->sadb_sa_spi
, sq
->srcaddr
, sq
->dstaddr
,
2695 ipsapp
->ipsap_bucket
= sq
->outbound
;
2696 ipsapp
->ipsap_pbucket
= sq
->inbound
;
2699 /* IPSA_F_OUTBOUND is set *or* no directions flags set. */
2700 ipsapp
->ipsap_sa_ptr
=
2701 ipsec_getassocbyspi(sq
->outbound
,
2702 sq
->assoc
->sadb_sa_spi
, sq
->srcaddr
, sq
->dstaddr
, sq
->af
);
2703 if (ipsapp
->ipsap_sa_ptr
!= NULL
) {
2704 ipsapp
->ipsap_bucket
= sq
->outbound
;
2705 ipsapp
->ipsap_pbucket
= sq
->inbound
;
2707 ipsapp
->ipsap_sa_ptr
= ipsec_getassocbyspi(sq
->inbound
,
2708 sq
->assoc
->sadb_sa_spi
, sq
->srcaddr
, sq
->dstaddr
,
2710 ipsapp
->ipsap_bucket
= sq
->inbound
;
2711 ipsapp
->ipsap_pbucket
= sq
->outbound
;
2712 if (ipsapp
->ipsap_sa_ptr
!= NULL
)
2713 ipsapp
->in_inbound_table
= B_TRUE
;
2717 if (ipsapp
->ipsap_sa_ptr
== NULL
) {
2718 mutex_exit(&sq
->outbound
->isaf_lock
);
2719 mutex_exit(&sq
->inbound
->isaf_lock
);
2720 *diagnostic
= SADB_X_DIAGNOSTIC_SA_NOTFOUND
;
2724 if ((ipsapp
->ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_LARVAL
) &&
2725 ipsapp
->in_inbound_table
) {
2726 mutex_exit(&sq
->outbound
->isaf_lock
);
2727 mutex_exit(&sq
->inbound
->isaf_lock
);
2731 mutex_enter(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
2732 if (ipsapp
->ipsap_sa_ptr
->ipsa_haspeer
) {
2734 * haspeer implies no sa_pairing, look for same spi
2735 * in other hashtable.
2737 ipsapp
->ipsap_psa_ptr
=
2738 ipsec_getassocbyspi(ipsapp
->ipsap_pbucket
,
2739 sq
->assoc
->sadb_sa_spi
, sq
->srcaddr
, sq
->dstaddr
, sq
->af
);
2740 mutex_exit(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
2741 mutex_exit(&sq
->outbound
->isaf_lock
);
2742 mutex_exit(&sq
->inbound
->isaf_lock
);
2745 pair_spi
= ipsapp
->ipsap_sa_ptr
->ipsa_otherspi
;
2746 IPSA_COPY_ADDR(&pair_srcaddr
,
2747 ipsapp
->ipsap_sa_ptr
->ipsa_srcaddr
, sq
->af
);
2748 IPSA_COPY_ADDR(&pair_dstaddr
,
2749 ipsapp
->ipsap_sa_ptr
->ipsa_dstaddr
, sq
->af
);
2750 mutex_exit(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
2751 mutex_exit(&sq
->inbound
->isaf_lock
);
2752 mutex_exit(&sq
->outbound
->isaf_lock
);
2754 if (pair_spi
== 0) {
2755 ASSERT(ipsapp
->ipsap_bucket
!= NULL
);
2756 ASSERT(ipsapp
->ipsap_pbucket
!= NULL
);
2760 /* found sa in outbound sadb, peer should be inbound */
2762 if (ipsapp
->in_inbound_table
) {
2763 /* Found SA in inbound table, pair will be in outbound. */
2764 if (sq
->af
== AF_INET6
) {
2765 ipsapp
->ipsap_pbucket
= OUTBOUND_BUCKET_V6(sq
->sp
,
2766 *(uint32_t *)pair_srcaddr
);
2768 ipsapp
->ipsap_pbucket
= OUTBOUND_BUCKET_V4(sq
->sp
,
2769 *(uint32_t *)pair_srcaddr
);
2772 ipsapp
->ipsap_pbucket
= INBOUND_BUCKET(sq
->sp
, pair_spi
);
2774 mutex_enter(&ipsapp
->ipsap_pbucket
->isaf_lock
);
2775 ipsapp
->ipsap_psa_ptr
= ipsec_getassocbyspi(ipsapp
->ipsap_pbucket
,
2776 pair_spi
, pair_dstaddr
, pair_srcaddr
, sq
->af
);
2777 mutex_exit(&ipsapp
->ipsap_pbucket
->isaf_lock
);
2778 ASSERT(ipsapp
->ipsap_bucket
!= NULL
);
2779 ASSERT(ipsapp
->ipsap_pbucket
!= NULL
);
2784 * Perform NAT-traversal cached checksum offset calculations here.
2787 sadb_nat_calculations(ipsa_t
*newbie
, sadb_address_t
*natt_loc_ext
,
2788 sadb_address_t
*natt_rem_ext
, uint32_t *src_addr_ptr
,
2789 uint32_t *dst_addr_ptr
)
2791 struct sockaddr_in
*natt_loc
, *natt_rem
;
2792 uint32_t *natt_loc_ptr
= NULL
, *natt_rem_ptr
= NULL
;
2793 uint32_t running_sum
= 0;
2795 #define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16)
2797 if (natt_rem_ext
!= NULL
) {
2801 natt_rem
= (struct sockaddr_in
*)(natt_rem_ext
+ 1);
2803 /* Ensured by sadb_addrfix(). */
2804 ASSERT(natt_rem
->sin_family
== AF_INET
);
2806 natt_rem_ptr
= (uint32_t *)(&natt_rem
->sin_addr
);
2807 newbie
->ipsa_remote_nat_port
= natt_rem
->sin_port
;
2808 l_src
= *src_addr_ptr
;
2809 l_rem
= *natt_rem_ptr
;
2811 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */
2812 newbie
->ipsa_natt_addr_rem
= *natt_rem_ptr
;
2814 l_src
= ntohl(l_src
);
2817 l_rem
= ntohl(l_rem
);
2822 * We're 1's complement for checksums, so check for wraparound
2828 running_sum
+= l_src
- l_rem
;
2830 DOWN_SUM(running_sum
);
2831 DOWN_SUM(running_sum
);
2834 if (natt_loc_ext
!= NULL
) {
2835 natt_loc
= (struct sockaddr_in
*)(natt_loc_ext
+ 1);
2837 /* Ensured by sadb_addrfix(). */
2838 ASSERT(natt_loc
->sin_family
== AF_INET
);
2840 natt_loc_ptr
= (uint32_t *)(&natt_loc
->sin_addr
);
2841 newbie
->ipsa_local_nat_port
= natt_loc
->sin_port
;
2843 /* Instead of IPSA_COPY_ADDR(), just copy first 32 bits. */
2844 newbie
->ipsa_natt_addr_loc
= *natt_loc_ptr
;
2847 * NAT-T port agility means we may have natt_loc_ext, but
2848 * only for a local-port change.
2850 if (natt_loc
->sin_addr
.s_addr
!= INADDR_ANY
) {
2851 uint32_t l_dst
= ntohl(*dst_addr_ptr
);
2852 uint32_t l_loc
= ntohl(*natt_loc_ptr
);
2860 * We're 1's complement for checksums, so check for
2866 running_sum
+= l_dst
- l_loc
;
2867 DOWN_SUM(running_sum
);
2868 DOWN_SUM(running_sum
);
2872 newbie
->ipsa_inbound_cksum
= running_sum
;
2877 * This function is called from consumers that need to insert a fully-grown
2878 * security association into its tables. This function takes into account that
2879 * SAs can be "inbound", "outbound", or "both". The "primary" and "secondary"
2880 * hash bucket parameters are set in order of what the SA will be most of the
2881 * time. (For example, an SA with an unspecified source, and a multicast
2882 * destination will primarily be an outbound SA. OTOH, if that destination
2883 * is unicast for this node, then the SA will primarily be inbound.)
2885 * It takes a lot of parameters because even if clone is B_FALSE, this needs
2886 * to check both buckets for purposes of collision.
2888 * Return 0 upon success. Return various errnos (ENOMEM, EEXIST) for
2889 * various error conditions. We may need to set samsg->sadb_x_msg_diagnostic
2890 * with additional diagnostic information because there is at least one EINVAL
2894 sadb_common_add(queue_t
*pfkey_q
, mblk_t
*mp
, sadb_msg_t
*samsg
,
2895 keysock_in_t
*ksi
, isaf_t
*primary
, isaf_t
*secondary
,
2896 ipsa_t
*newbie
, boolean_t clone
, boolean_t is_inbound
, int *diagnostic
,
2897 netstack_t
*ns
, sadbp_t
*spp
)
2899 ipsa_t
*newbie_clone
= NULL
, *scratch
;
2901 sadb_sa_t
*assoc
= (sadb_sa_t
*)ksi
->ks_in_extv
[SADB_EXT_SA
];
2902 sadb_address_t
*srcext
=
2903 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_SRC
];
2904 sadb_address_t
*dstext
=
2905 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_DST
];
2906 sadb_address_t
*isrcext
=
2907 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_INNER_SRC
];
2908 sadb_address_t
*idstext
=
2909 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_INNER_DST
];
2910 sadb_x_kmc_t
*kmcext
=
2911 (sadb_x_kmc_t
*)ksi
->ks_in_extv
[SADB_X_EXT_KM_COOKIE
];
2912 sadb_key_t
*akey
= (sadb_key_t
*)ksi
->ks_in_extv
[SADB_EXT_KEY_AUTH
];
2913 sadb_key_t
*ekey
= (sadb_key_t
*)ksi
->ks_in_extv
[SADB_EXT_KEY_ENCRYPT
];
2915 (sadb_sens_t
*)ksi
->ks_in_extv
[SADB_EXT_SENSITIVITY
];
2916 sadb_sens_t
*osens
=
2917 (sadb_sens_t
*)ksi
->ks_in_extv
[SADB_X_EXT_OUTER_SENS
];
2918 sadb_x_pair_t
*pair_ext
=
2919 (sadb_x_pair_t
*)ksi
->ks_in_extv
[SADB_X_EXT_PAIR
];
2920 sadb_x_replay_ctr_t
*replayext
=
2921 (sadb_x_replay_ctr_t
*)ksi
->ks_in_extv
[SADB_X_EXT_REPLAY_VALUE
];
2923 (samsg
->sadb_msg_satype
== SADB_SATYPE_AH
) ? IPPROTO_AH
:IPPROTO_ESP
;
2926 struct sockaddr_in
*src
, *dst
, *isrc
, *idst
;
2927 struct sockaddr_in6
*src6
, *dst6
, *isrc6
, *idst6
;
2928 sadb_lifetime_t
*soft
=
2929 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_EXT_LIFETIME_SOFT
];
2930 sadb_lifetime_t
*hard
=
2931 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_EXT_LIFETIME_HARD
];
2932 sadb_lifetime_t
*idle
=
2933 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_X_EXT_LIFETIME_IDLE
];
2936 boolean_t isupdate
= (newbie
!= NULL
);
2937 uint32_t *src_addr_ptr
, *dst_addr_ptr
, *isrc_addr_ptr
, *idst_addr_ptr
;
2938 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
2939 ip_stack_t
*ipst
= ns
->netstack_ip
;
2940 ipsec_alginfo_t
*alg
;
2942 boolean_t async
= B_FALSE
;
2944 init_ipsa_pair(&ipsapp
);
2946 if (srcext
== NULL
) {
2947 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SRC
;
2950 if (dstext
== NULL
) {
2951 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_DST
;
2954 if (assoc
== NULL
) {
2955 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SA
;
2959 src
= (struct sockaddr_in
*)(srcext
+ 1);
2960 src6
= (struct sockaddr_in6
*)(srcext
+ 1);
2961 dst
= (struct sockaddr_in
*)(dstext
+ 1);
2962 dst6
= (struct sockaddr_in6
*)(dstext
+ 1);
2963 if (isrcext
!= NULL
) {
2964 isrc
= (struct sockaddr_in
*)(isrcext
+ 1);
2965 isrc6
= (struct sockaddr_in6
*)(isrcext
+ 1);
2966 ASSERT(idstext
!= NULL
);
2967 idst
= (struct sockaddr_in
*)(idstext
+ 1);
2968 idst6
= (struct sockaddr_in6
*)(idstext
+ 1);
2974 af
= src
->sin_family
;
2976 if (af
== AF_INET
) {
2977 src_addr_ptr
= (uint32_t *)&src
->sin_addr
;
2978 dst_addr_ptr
= (uint32_t *)&dst
->sin_addr
;
2980 ASSERT(af
== AF_INET6
);
2981 src_addr_ptr
= (uint32_t *)&src6
->sin6_addr
;
2982 dst_addr_ptr
= (uint32_t *)&dst6
->sin6_addr
;
2985 if (!isupdate
&& (clone
== B_TRUE
|| is_inbound
== B_TRUE
) &&
2987 (assoc
->sadb_sa_state
!= SADB_X_SASTATE_ACTIVE_ELSEWHERE
)) {
2988 rcode
= cl_inet_checkspi(ns
->netstack_stackid
, protocol
,
2989 assoc
->sadb_sa_spi
, NULL
);
2996 * Check to see if the new SA will be cloned AND paired. The
2997 * reason a SA will be cloned is the source or destination addresses
2998 * are not specific enough to determine if the SA goes in the outbound
2999 * or the inbound hash table, so its cloned and put in both. If
3000 * the SA is paired, it's soft linked to another SA for the other
3001 * direction. Keeping track and looking up SA's that are direction
3002 * unspecific and linked is too hard.
3004 if (clone
&& (pair_ext
!= NULL
)) {
3005 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
;
3010 newbie
= sadb_makelarvalassoc(assoc
->sadb_sa_spi
,
3011 src_addr_ptr
, dst_addr_ptr
, af
, ns
);
3016 mutex_enter(&newbie
->ipsa_lock
);
3019 if (isrc
->sin_family
== AF_INET
) {
3020 if (srcext
->sadb_address_proto
!= IPPROTO_ENCAP
) {
3021 if (srcext
->sadb_address_proto
!= 0) {
3023 * Mismatched outer-packet protocol
3024 * and inner-packet address family.
3026 mutex_exit(&newbie
->ipsa_lock
);
3029 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH
;
3032 /* Fill in with explicit protocol. */
3033 srcext
->sadb_address_proto
=
3035 dstext
->sadb_address_proto
=
3039 isrc_addr_ptr
= (uint32_t *)&isrc
->sin_addr
;
3040 idst_addr_ptr
= (uint32_t *)&idst
->sin_addr
;
3042 ASSERT(isrc
->sin_family
== AF_INET6
);
3043 if (srcext
->sadb_address_proto
!= IPPROTO_IPV6
) {
3044 if (srcext
->sadb_address_proto
!= 0) {
3046 * Mismatched outer-packet protocol
3047 * and inner-packet address family.
3049 mutex_exit(&newbie
->ipsa_lock
);
3052 SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH
;
3055 /* Fill in with explicit protocol. */
3056 srcext
->sadb_address_proto
=
3058 dstext
->sadb_address_proto
=
3062 isrc_addr_ptr
= (uint32_t *)&isrc6
->sin6_addr
;
3063 idst_addr_ptr
= (uint32_t *)&idst6
->sin6_addr
;
3065 newbie
->ipsa_innerfam
= isrc
->sin_family
;
3067 IPSA_COPY_ADDR(newbie
->ipsa_innersrc
, isrc_addr_ptr
,
3068 newbie
->ipsa_innerfam
);
3069 IPSA_COPY_ADDR(newbie
->ipsa_innerdst
, idst_addr_ptr
,
3070 newbie
->ipsa_innerfam
);
3071 newbie
->ipsa_innersrcpfx
= isrcext
->sadb_address_prefixlen
;
3072 newbie
->ipsa_innerdstpfx
= idstext
->sadb_address_prefixlen
;
3074 /* Unique value uses inner-ports for Tunnel Mode... */
3075 newbie
->ipsa_unique_id
= SA_UNIQUE_ID(isrc
->sin_port
,
3076 idst
->sin_port
, dstext
->sadb_address_proto
,
3077 idstext
->sadb_address_proto
);
3078 newbie
->ipsa_unique_mask
= SA_UNIQUE_MASK(isrc
->sin_port
,
3079 idst
->sin_port
, dstext
->sadb_address_proto
,
3080 idstext
->sadb_address_proto
);
3082 /* ... and outer-ports for Transport Mode. */
3083 newbie
->ipsa_unique_id
= SA_UNIQUE_ID(src
->sin_port
,
3084 dst
->sin_port
, dstext
->sadb_address_proto
, 0);
3085 newbie
->ipsa_unique_mask
= SA_UNIQUE_MASK(src
->sin_port
,
3086 dst
->sin_port
, dstext
->sadb_address_proto
, 0);
3088 if (newbie
->ipsa_unique_mask
!= (uint64_t)0)
3089 newbie
->ipsa_flags
|= IPSA_F_UNIQUE
;
3091 sadb_nat_calculations(newbie
,
3092 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_NATT_LOC
],
3093 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_NATT_REM
],
3094 src_addr_ptr
, dst_addr_ptr
);
3096 newbie
->ipsa_type
= samsg
->sadb_msg_satype
;
3098 ASSERT((assoc
->sadb_sa_state
== SADB_SASTATE_MATURE
) ||
3099 (assoc
->sadb_sa_state
== SADB_X_SASTATE_ACTIVE_ELSEWHERE
));
3100 newbie
->ipsa_auth_alg
= assoc
->sadb_sa_auth
;
3101 newbie
->ipsa_encr_alg
= assoc
->sadb_sa_encrypt
;
3103 newbie
->ipsa_flags
|= assoc
->sadb_sa_flags
;
3104 if (newbie
->ipsa_flags
& SADB_X_SAFLAGS_NATT_LOC
&&
3105 ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_NATT_LOC
] == NULL
) {
3106 mutex_exit(&newbie
->ipsa_lock
);
3107 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_NATT_LOC
;
3111 if (newbie
->ipsa_flags
& SADB_X_SAFLAGS_NATT_REM
&&
3112 ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_NATT_REM
] == NULL
) {
3113 mutex_exit(&newbie
->ipsa_lock
);
3114 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_NATT_REM
;
3118 if (newbie
->ipsa_flags
& SADB_X_SAFLAGS_TUNNEL
&&
3119 ksi
->ks_in_extv
[SADB_X_EXT_ADDRESS_INNER_SRC
] == NULL
) {
3120 mutex_exit(&newbie
->ipsa_lock
);
3121 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_INNER_SRC
;
3126 * If unspecified source address, force replay_wsize to 0.
3127 * This is because an SA that has multiple sources of secure
3128 * traffic cannot enforce a replay counter w/o synchronizing the
3131 if (ksi
->ks_in_srctype
!= KS_IN_ADDR_UNSPEC
)
3132 newbie
->ipsa_replay_wsize
= assoc
->sadb_sa_replay
;
3134 newbie
->ipsa_replay_wsize
= 0;
3136 newbie
->ipsa_addtime
= gethrestime_sec();
3138 if (kmcext
!= NULL
) {
3139 newbie
->ipsa_kmp
= kmcext
->sadb_x_kmc_proto
;
3140 /* Be liberal in what we receive. Special-case IKEv1. */
3141 if (newbie
->ipsa_kmp
== SADB_X_KMP_IKE
) {
3142 /* Just in case in.iked is misbehaving... */
3143 kmcext
->sadb_x_kmc_reserved
= 0;
3145 newbie
->ipsa_kmc
= kmcext
->sadb_x_kmc_cookie64
;
3149 * XXX CURRENT lifetime checks MAY BE needed for an UPDATE.
3150 * The spec says that one can update current lifetimes, but
3151 * that seems impractical, especially in the larval-to-mature
3152 * update that this function performs.
3155 newbie
->ipsa_softaddlt
= soft
->sadb_lifetime_addtime
;
3156 newbie
->ipsa_softuselt
= soft
->sadb_lifetime_usetime
;
3157 newbie
->ipsa_softbyteslt
= soft
->sadb_lifetime_bytes
;
3158 newbie
->ipsa_softalloc
= soft
->sadb_lifetime_allocations
;
3159 SET_EXPIRE(newbie
, softaddlt
, softexpiretime
);
3162 newbie
->ipsa_hardaddlt
= hard
->sadb_lifetime_addtime
;
3163 newbie
->ipsa_harduselt
= hard
->sadb_lifetime_usetime
;
3164 newbie
->ipsa_hardbyteslt
= hard
->sadb_lifetime_bytes
;
3165 newbie
->ipsa_hardalloc
= hard
->sadb_lifetime_allocations
;
3166 SET_EXPIRE(newbie
, hardaddlt
, hardexpiretime
);
3169 newbie
->ipsa_idleaddlt
= idle
->sadb_lifetime_addtime
;
3170 newbie
->ipsa_idleuselt
= idle
->sadb_lifetime_usetime
;
3171 newbie
->ipsa_idleexpiretime
= newbie
->ipsa_addtime
+
3172 newbie
->ipsa_idleaddlt
;
3173 newbie
->ipsa_idletime
= newbie
->ipsa_idleaddlt
;
3176 newbie
->ipsa_authtmpl
= NULL
;
3177 newbie
->ipsa_encrtmpl
= NULL
;
3179 #ifdef IPSEC_LATENCY_TEST
3180 if (akey
!= NULL
&& newbie
->ipsa_auth_alg
!= SADB_AALG_NONE
) {
3184 async
= (ipss
->ipsec_algs_exec_mode
[IPSEC_ALG_AUTH
] ==
3185 IPSEC_ALGS_EXEC_ASYNC
);
3187 newbie
->ipsa_authkeybits
= akey
->sadb_key_bits
;
3188 newbie
->ipsa_authkeylen
= SADB_1TO8(akey
->sadb_key_bits
);
3189 /* In case we have to round up to the next byte... */
3190 if ((akey
->sadb_key_bits
& 0x7) != 0)
3191 newbie
->ipsa_authkeylen
++;
3192 newbie
->ipsa_authkey
= kmem_alloc(newbie
->ipsa_authkeylen
,
3194 if (newbie
->ipsa_authkey
== NULL
) {
3196 mutex_exit(&newbie
->ipsa_lock
);
3199 bcopy(akey
+ 1, newbie
->ipsa_authkey
, newbie
->ipsa_authkeylen
);
3200 bzero(akey
+ 1, newbie
->ipsa_authkeylen
);
3203 * Pre-initialize the kernel crypto framework key
3206 newbie
->ipsa_kcfauthkey
.ck_format
= CRYPTO_KEY_RAW
;
3207 newbie
->ipsa_kcfauthkey
.ck_length
= newbie
->ipsa_authkeybits
;
3208 newbie
->ipsa_kcfauthkey
.ck_data
= newbie
->ipsa_authkey
;
3210 rw_enter(&ipss
->ipsec_alg_lock
, RW_READER
);
3211 alg
= ipss
->ipsec_alglists
[IPSEC_ALG_AUTH
]
3212 [newbie
->ipsa_auth_alg
];
3213 if (alg
!= NULL
&& ALG_VALID(alg
)) {
3214 newbie
->ipsa_amech
.cm_type
= alg
->alg_mech_type
;
3215 newbie
->ipsa_amech
.cm_param
=
3216 (char *)&newbie
->ipsa_mac_len
;
3217 newbie
->ipsa_amech
.cm_param_len
= sizeof (size_t);
3218 newbie
->ipsa_mac_len
= (size_t)alg
->alg_datalen
;
3220 newbie
->ipsa_amech
.cm_type
= CRYPTO_MECHANISM_INVALID
;
3222 error
= ipsec_create_ctx_tmpl(newbie
, IPSEC_ALG_AUTH
);
3223 rw_exit(&ipss
->ipsec_alg_lock
);
3225 mutex_exit(&newbie
->ipsa_lock
);
3227 * An error here indicates that alg is the wrong type
3228 * (IE: not authentication) or its not in the alg tables
3229 * created by ipsecalgs(1m), or Kcf does not like the
3230 * parameters passed in with this algorithm, which is
3231 * probably a coding error!
3233 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_CTX
;
3240 rw_enter(&ipss
->ipsec_alg_lock
, RW_READER
);
3241 async
= async
|| (ipss
->ipsec_algs_exec_mode
[IPSEC_ALG_ENCR
] ==
3242 IPSEC_ALGS_EXEC_ASYNC
);
3243 alg
= ipss
->ipsec_alglists
[IPSEC_ALG_ENCR
]
3244 [newbie
->ipsa_encr_alg
];
3246 if (alg
!= NULL
&& ALG_VALID(alg
)) {
3247 newbie
->ipsa_emech
.cm_type
= alg
->alg_mech_type
;
3248 newbie
->ipsa_datalen
= alg
->alg_datalen
;
3249 if (alg
->alg_flags
& ALG_FLAG_COUNTERMODE
)
3250 newbie
->ipsa_flags
|= IPSA_F_COUNTERMODE
;
3252 if (alg
->alg_flags
& ALG_FLAG_COMBINED
) {
3253 newbie
->ipsa_flags
|= IPSA_F_COMBINED
;
3254 newbie
->ipsa_mac_len
= alg
->alg_icvlen
;
3257 if (alg
->alg_flags
& ALG_FLAG_CCM
)
3258 newbie
->ipsa_noncefunc
= ccm_params_init
;
3259 else if (alg
->alg_flags
& ALG_FLAG_GCM
)
3260 newbie
->ipsa_noncefunc
= gcm_params_init
;
3261 else newbie
->ipsa_noncefunc
= cbc_params_init
;
3263 newbie
->ipsa_saltlen
= alg
->alg_saltlen
;
3264 newbie
->ipsa_saltbits
= SADB_8TO1(newbie
->ipsa_saltlen
);
3265 newbie
->ipsa_iv_len
= alg
->alg_ivlen
;
3266 newbie
->ipsa_nonce_len
= newbie
->ipsa_saltlen
+
3267 newbie
->ipsa_iv_len
;
3268 newbie
->ipsa_emech
.cm_param
= NULL
;
3269 newbie
->ipsa_emech
.cm_param_len
= 0;
3271 newbie
->ipsa_emech
.cm_type
= CRYPTO_MECHANISM_INVALID
;
3273 rw_exit(&ipss
->ipsec_alg_lock
);
3276 * The byte stream following the sadb_key_t is made up of:
3277 * key bytes, [salt bytes], [IV initial value]
3278 * All of these have variable length. The IV is typically
3279 * randomly generated by this function and not passed in.
3280 * By supporting the injection of a known IV, the whole
3281 * IPsec subsystem and the underlying crypto subsystem
3282 * can be tested with known test vectors.
3284 * The keying material has been checked by ext_check()
3285 * and ipsec_valid_key_size(), after removing salt/IV
3286 * bits, whats left is the encryption key. If this is too
3287 * short, ipsec_create_ctx_tmpl() will fail and the SA
3288 * won't get created.
3290 * set ipsa_encrkeylen to length of key only.
3292 newbie
->ipsa_encrkeybits
= ekey
->sadb_key_bits
;
3293 newbie
->ipsa_encrkeybits
-= ekey
->sadb_key_reserved
;
3294 newbie
->ipsa_encrkeybits
-= newbie
->ipsa_saltbits
;
3295 newbie
->ipsa_encrkeylen
= SADB_1TO8(newbie
->ipsa_encrkeybits
);
3297 /* In case we have to round up to the next byte... */
3298 if ((ekey
->sadb_key_bits
& 0x7) != 0)
3299 newbie
->ipsa_encrkeylen
++;
3301 newbie
->ipsa_encrkey
= kmem_alloc(newbie
->ipsa_encrkeylen
,
3303 if (newbie
->ipsa_encrkey
== NULL
) {
3305 mutex_exit(&newbie
->ipsa_lock
);
3309 buf_ptr
= (uint8_t *)(ekey
+ 1);
3310 bcopy(buf_ptr
, newbie
->ipsa_encrkey
, newbie
->ipsa_encrkeylen
);
3312 if (newbie
->ipsa_flags
& IPSA_F_COMBINED
) {
3314 * Combined mode algs need a nonce. Copy the salt and
3315 * IV into a buffer. The ipsa_nonce is a pointer into
3316 * this buffer, some bytes at the start of the buffer
3317 * may be unused, depends on the salt length. The IV
3318 * is 64 bit aligned so it can be incremented as a
3319 * uint64_t. Zero out key in samsg_t before freeing.
3322 newbie
->ipsa_nonce_buf
= kmem_alloc(
3323 sizeof (ipsec_nonce_t
), KM_NOSLEEP
);
3324 if (newbie
->ipsa_nonce_buf
== NULL
) {
3326 mutex_exit(&newbie
->ipsa_lock
);
3330 * Initialize nonce and salt pointers to point
3331 * to the nonce buffer. This is just in case we get
3332 * bad data, the pointers will be valid, the data
3335 * See sadb.h for layout of nonce.
3337 newbie
->ipsa_iv
= &newbie
->ipsa_nonce_buf
->iv
;
3338 newbie
->ipsa_salt
= (uint8_t *)newbie
->ipsa_nonce_buf
;
3339 newbie
->ipsa_nonce
= newbie
->ipsa_salt
;
3340 if (newbie
->ipsa_saltlen
!= 0) {
3341 salt_offset
= MAXSALTSIZE
-
3342 newbie
->ipsa_saltlen
;
3343 newbie
->ipsa_salt
= (uint8_t *)
3344 &newbie
->ipsa_nonce_buf
->salt
[salt_offset
];
3345 newbie
->ipsa_nonce
= newbie
->ipsa_salt
;
3346 buf_ptr
+= newbie
->ipsa_encrkeylen
;
3347 bcopy(buf_ptr
, newbie
->ipsa_salt
,
3348 newbie
->ipsa_saltlen
);
3351 * The IV for CCM/GCM mode increments, it should not
3352 * repeat. Get a random value for the IV, make a
3353 * copy, the SA will expire when/if the IV ever
3354 * wraps back to the initial value. If an Initial IV
3355 * is passed in via PF_KEY, save this in the SA.
3356 * Initialising IV for inbound is pointless as its
3357 * taken from the inbound packet.
3360 if (ekey
->sadb_key_reserved
!= 0) {
3361 buf_ptr
+= newbie
->ipsa_saltlen
;
3362 bcopy(buf_ptr
, (uint8_t *)newbie
->
3363 ipsa_iv
, SADB_1TO8(ekey
->
3364 sadb_key_reserved
));
3366 (void) random_get_pseudo_bytes(
3367 (uint8_t *)newbie
->ipsa_iv
,
3368 newbie
->ipsa_iv_len
);
3370 newbie
->ipsa_iv_softexpire
=
3371 (*newbie
->ipsa_iv
) << 9;
3372 newbie
->ipsa_iv_hardexpire
= *newbie
->ipsa_iv
;
3375 bzero((ekey
+ 1), SADB_1TO8(ekey
->sadb_key_bits
));
3378 * Pre-initialize the kernel crypto framework key
3381 newbie
->ipsa_kcfencrkey
.ck_format
= CRYPTO_KEY_RAW
;
3382 newbie
->ipsa_kcfencrkey
.ck_length
= newbie
->ipsa_encrkeybits
;
3383 newbie
->ipsa_kcfencrkey
.ck_data
= newbie
->ipsa_encrkey
;
3385 rw_enter(&ipss
->ipsec_alg_lock
, RW_READER
);
3386 error
= ipsec_create_ctx_tmpl(newbie
, IPSEC_ALG_ENCR
);
3387 rw_exit(&ipss
->ipsec_alg_lock
);
3389 mutex_exit(&newbie
->ipsa_lock
);
3390 /* See above for error explanation. */
3391 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_CTX
;
3397 newbie
->ipsa_flags
|= IPSA_F_ASYNC
;
3400 * Ptrs to processing functions.
3402 if (newbie
->ipsa_type
== SADB_SATYPE_ESP
)
3403 ipsecesp_init_funcs(newbie
);
3405 ipsecah_init_funcs(newbie
);
3406 ASSERT(newbie
->ipsa_output_func
!= NULL
&&
3407 newbie
->ipsa_input_func
!= NULL
);
3410 * Certificate ID stuff.
3412 if (ksi
->ks_in_extv
[SADB_EXT_IDENTITY_SRC
] != NULL
) {
3414 (sadb_ident_t
*)ksi
->ks_in_extv
[SADB_EXT_IDENTITY_SRC
];
3417 * Can assume strlen() will return okay because ext_check() in
3418 * keysock.c prepares the string for us.
3420 newbie
->ipsa_src_cid
= ipsid_lookup(id
->sadb_ident_type
,
3421 (char *)(id
+1), ns
);
3422 if (newbie
->ipsa_src_cid
== NULL
) {
3424 mutex_exit(&newbie
->ipsa_lock
);
3429 if (ksi
->ks_in_extv
[SADB_EXT_IDENTITY_DST
] != NULL
) {
3431 (sadb_ident_t
*)ksi
->ks_in_extv
[SADB_EXT_IDENTITY_DST
];
3434 * Can assume strlen() will return okay because ext_check() in
3435 * keysock.c prepares the string for us.
3437 newbie
->ipsa_dst_cid
= ipsid_lookup(id
->sadb_ident_type
,
3438 (char *)(id
+1), ns
);
3439 if (newbie
->ipsa_dst_cid
== NULL
) {
3441 mutex_exit(&newbie
->ipsa_lock
);
3447 * sensitivity label handling code:
3448 * Convert sens + bitmap into cred_t, and associate it
3452 uint64_t *bitmap
= (uint64_t *)(sens
+ 1);
3454 newbie
->ipsa_tsl
= sadb_label_from_sens(sens
, bitmap
);
3458 * Likewise for outer sensitivity.
3460 if (osens
!= NULL
) {
3461 uint64_t *bitmap
= (uint64_t *)(osens
+ 1);
3462 ts_label_t
*tsl
, *effective_tsl
;
3463 uint32_t *peer_addr_ptr
;
3464 zoneid_t zoneid
= GLOBAL_ZONEID
;
3467 peer_addr_ptr
= is_inbound
? src_addr_ptr
: dst_addr_ptr
;
3469 tsl
= sadb_label_from_sens(osens
, bitmap
);
3470 newbie
->ipsa_mac_exempt
= CONN_MAC_DEFAULT
;
3472 if (osens
->sadb_x_sens_flags
& SADB_X_SENS_IMPLICIT
) {
3473 newbie
->ipsa_mac_exempt
= CONN_MAC_IMPLICIT
;
3476 error
= tsol_check_dest(tsl
, peer_addr_ptr
,
3477 (af
== AF_INET6
)?IPV6_VERSION
:IPV4_VERSION
,
3478 newbie
->ipsa_mac_exempt
, B_TRUE
, &effective_tsl
);
3481 mutex_exit(&newbie
->ipsa_lock
);
3485 if (effective_tsl
!= NULL
) {
3487 tsl
= effective_tsl
;
3490 newbie
->ipsa_otsl
= tsl
;
3492 zone
= zone_find_by_label(tsl
);
3494 zoneid
= zone
->zone_id
;
3498 * For exclusive stacks we set the zoneid to zero to operate
3499 * as if in the global zone for tsol_compute_label_v4/v6
3501 if (ipst
->ips_netstack
->netstack_stackid
!= GLOBAL_NETSTACKID
)
3502 zoneid
= GLOBAL_ZONEID
;
3504 if (af
== AF_INET6
) {
3505 error
= tsol_compute_label_v6(tsl
, zoneid
,
3506 (in6_addr_t
*)peer_addr_ptr
,
3507 newbie
->ipsa_opt_storage
, ipst
);
3509 error
= tsol_compute_label_v4(tsl
, zoneid
,
3510 *peer_addr_ptr
, newbie
->ipsa_opt_storage
, ipst
);
3513 mutex_exit(&newbie
->ipsa_lock
);
3519 if (replayext
!= NULL
) {
3520 if ((replayext
->sadb_x_rc_replay32
== 0) &&
3521 (replayext
->sadb_x_rc_replay64
!= 0)) {
3523 *diagnostic
= SADB_X_DIAGNOSTIC_INVALID_REPLAY
;
3524 mutex_exit(&newbie
->ipsa_lock
);
3527 newbie
->ipsa_replay
= replayext
->sadb_x_rc_replay32
;
3530 /* now that the SA has been updated, set its new state */
3531 newbie
->ipsa_state
= assoc
->sadb_sa_state
;
3534 newbie
->ipsa_haspeer
= B_TRUE
;
3537 lifetime_fuzz(newbie
);
3541 * The less locks I hold when doing an insertion and possible cloning,
3544 mutex_exit(&newbie
->ipsa_lock
);
3547 newbie_clone
= sadb_cloneassoc(newbie
);
3549 if (newbie_clone
== NULL
) {
3556 * Enter the bucket locks. The order of entry is outbound,
3557 * inbound. We map "primary" and "secondary" into outbound and inbound
3558 * based on the destination address type. If the destination address
3559 * type is for a node that isn't mine (or potentially mine), the
3560 * "primary" bucket is the outbound one.
3563 /* primary == outbound */
3564 mutex_enter(&primary
->isaf_lock
);
3565 mutex_enter(&secondary
->isaf_lock
);
3567 /* primary == inbound */
3568 mutex_enter(&secondary
->isaf_lock
);
3569 mutex_enter(&primary
->isaf_lock
);
3573 * sadb_insertassoc() doesn't increment the reference
3574 * count. We therefore have to increment the
3575 * reference count one more time to reflect the
3576 * pointers of the table that reference this SA.
3578 IPSA_REFHOLD(newbie
);
3582 * Unlink from larval holding cell in the "inbound" fanout.
3584 ASSERT(newbie
->ipsa_linklock
== &primary
->isaf_lock
||
3585 newbie
->ipsa_linklock
== &secondary
->isaf_lock
);
3586 sadb_unlinkassoc(newbie
);
3589 mutex_enter(&newbie
->ipsa_lock
);
3590 error
= sadb_insertassoc(newbie
, primary
);
3591 mutex_exit(&newbie
->ipsa_lock
);
3595 * Since sadb_insertassoc() failed, we must decrement the
3596 * refcount again so the cleanup code will actually free
3599 IPSA_REFRELE(newbie
);
3603 if (newbie_clone
!= NULL
) {
3604 mutex_enter(&newbie_clone
->ipsa_lock
);
3605 error
= sadb_insertassoc(newbie_clone
, secondary
);
3606 mutex_exit(&newbie_clone
->ipsa_lock
);
3608 /* Collision in secondary table. */
3609 sadb_unlinkassoc(newbie
); /* This does REFRELE. */
3612 IPSA_REFHOLD(newbie_clone
);
3614 ASSERT(primary
!= secondary
);
3615 scratch
= ipsec_getassocbyspi(secondary
, newbie
->ipsa_spi
,
3616 ALL_ZEROES_PTR
, newbie
->ipsa_dstaddr
, af
);
3617 if (scratch
!= NULL
) {
3618 /* Collision in secondary table. */
3619 sadb_unlinkassoc(newbie
); /* This does REFRELE. */
3620 /* Set the error, since ipsec_getassocbyspi() can't. */
3626 /* OKAY! So let's do some reality check assertions. */
3628 ASSERT(MUTEX_NOT_HELD(&newbie
->ipsa_lock
));
3629 ASSERT(newbie_clone
== NULL
||
3630 (MUTEX_NOT_HELD(&newbie_clone
->ipsa_lock
)));
3635 * We can exit the locks in any order. Only entrance needs to
3636 * follow any protocol.
3638 mutex_exit(&secondary
->isaf_lock
);
3639 mutex_exit(&primary
->isaf_lock
);
3641 if (pair_ext
!= NULL
&& error
== 0) {
3642 /* update pair_spi if it exists. */
3645 sq
.spp
= spp
; /* XXX param */
3646 error
= sadb_form_query(ksi
, IPSA_Q_DST
, IPSA_Q_SRC
|IPSA_Q_DST
|
3647 IPSA_Q_SA
|IPSA_Q_INBOUND
|IPSA_Q_OUTBOUND
, &sq
, diagnostic
);
3651 error
= get_ipsa_pair(&sq
, &ipsapp
, diagnostic
);
3656 if (ipsapp
.ipsap_psa_ptr
!= NULL
) {
3657 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_ALREADY
;
3660 /* update_pairing() sets diagnostic */
3661 error
= update_pairing(&ipsapp
, &sq
, ksi
, diagnostic
);
3664 /* Common error point for this routine. */
3666 if (newbie
!= NULL
) {
3668 /* This SA is broken, let the reaper clean up. */
3669 mutex_enter(&newbie
->ipsa_lock
);
3670 newbie
->ipsa_state
= IPSA_STATE_DEAD
;
3671 newbie
->ipsa_hardexpiretime
= 1;
3672 mutex_exit(&newbie
->ipsa_lock
);
3674 IPSA_REFRELE(newbie
);
3676 if (newbie_clone
!= NULL
) {
3677 IPSA_REFRELE(newbie_clone
);
3682 * Construct favorable PF_KEY return message and send to
3683 * keysock. Update the flags in the original keysock message
3684 * to reflect the actual flags in the new SA.
3685 * (Q: Do I need to pass "newbie"? If I do,
3686 * make sure to REFHOLD, call, then REFRELE.)
3688 assoc
->sadb_sa_flags
= newbie
->ipsa_flags
;
3689 sadb_pfkey_echo(pfkey_q
, mp
, samsg
, ksi
, NULL
);
3692 destroy_ipsa_pair(&ipsapp
);
3697 * Set the time of first use for a security association. Update any
3698 * expiration times as a result.
3701 sadb_set_usetime(ipsa_t
*assoc
)
3703 time_t snapshot
= gethrestime_sec();
3705 mutex_enter(&assoc
->ipsa_lock
);
3706 assoc
->ipsa_lastuse
= snapshot
;
3707 assoc
->ipsa_idleexpiretime
= snapshot
+ assoc
->ipsa_idletime
;
3710 * Caller does check usetime before calling me usually, and
3711 * double-checking is better than a mutex_enter/exit hit.
3713 if (assoc
->ipsa_usetime
== 0) {
3715 * This is redundant for outbound SA's, as
3716 * ipsec_getassocbyconn() sets the IPSA_F_USED flag already.
3717 * Inbound SAs, however, have no such protection.
3719 assoc
->ipsa_flags
|= IPSA_F_USED
;
3720 assoc
->ipsa_usetime
= snapshot
;
3723 * After setting the use time, see if we have a use lifetime
3724 * that would cause the actual SA expiration time to shorten.
3726 UPDATE_EXPIRE(assoc
, softuselt
, softexpiretime
);
3727 UPDATE_EXPIRE(assoc
, harduselt
, hardexpiretime
);
3729 mutex_exit(&assoc
->ipsa_lock
);
3733 * Send up a PF_KEY expire message for this association.
3736 sadb_expire_assoc(queue_t
*pfkey_q
, ipsa_t
*assoc
)
3741 sadb_lifetime_t
*current
, *expire
;
3744 boolean_t tunnel_mode
;
3746 ASSERT(MUTEX_HELD(&assoc
->ipsa_lock
));
3748 /* Don't bother sending if there's no queue. */
3749 if (pfkey_q
== NULL
)
3752 mp
= sadb_keysock_out(0);
3754 /* cmn_err(CE_WARN, */
3755 /* "sadb_expire_assoc: Can't allocate KEYSOCK_OUT.\n"); */
3759 alloclen
= sizeof (*samsg
) + sizeof (*current
) + sizeof (*expire
) +
3760 2 * sizeof (sadb_address_t
) + sizeof (*saext
);
3762 af
= assoc
->ipsa_addrfam
;
3765 alloclen
+= 2 * sizeof (struct sockaddr_in
);
3768 alloclen
+= 2 * sizeof (struct sockaddr_in6
);
3771 /* Won't happen unless there's a kernel bug. */
3774 "sadb_expire_assoc: Unknown address length.\n");
3778 tunnel_mode
= (assoc
->ipsa_flags
& IPSA_F_TUNNEL
);
3780 alloclen
+= 2 * sizeof (sadb_address_t
);
3781 switch (assoc
->ipsa_innerfam
) {
3783 alloclen
+= 2 * sizeof (struct sockaddr_in
);
3786 alloclen
+= 2 * sizeof (struct sockaddr_in6
);
3789 /* Won't happen unless there's a kernel bug. */
3791 cmn_err(CE_WARN
, "sadb_expire_assoc: "
3792 "Unknown inner address length.\n");
3797 mp
->b_cont
= allocb(alloclen
, BPRI_HI
);
3798 if (mp
->b_cont
== NULL
) {
3800 /* cmn_err(CE_WARN, */
3801 /* "sadb_expire_assoc: Can't allocate message.\n"); */
3807 end
= mp
->b_wptr
+ alloclen
;
3809 samsg
= (sadb_msg_t
*)mp
->b_wptr
;
3810 mp
->b_wptr
+= sizeof (*samsg
);
3811 samsg
->sadb_msg_version
= PF_KEY_V2
;
3812 samsg
->sadb_msg_type
= SADB_EXPIRE
;
3813 samsg
->sadb_msg_errno
= 0;
3814 samsg
->sadb_msg_satype
= assoc
->ipsa_type
;
3815 samsg
->sadb_msg_len
= SADB_8TO64(alloclen
);
3816 samsg
->sadb_msg_reserved
= 0;
3817 samsg
->sadb_msg_seq
= 0;
3818 samsg
->sadb_msg_pid
= 0;
3820 saext
= (sadb_sa_t
*)mp
->b_wptr
;
3821 mp
->b_wptr
+= sizeof (*saext
);
3822 saext
->sadb_sa_len
= SADB_8TO64(sizeof (*saext
));
3823 saext
->sadb_sa_exttype
= SADB_EXT_SA
;
3824 saext
->sadb_sa_spi
= assoc
->ipsa_spi
;
3825 saext
->sadb_sa_replay
= assoc
->ipsa_replay_wsize
;
3826 saext
->sadb_sa_state
= assoc
->ipsa_state
;
3827 saext
->sadb_sa_auth
= assoc
->ipsa_auth_alg
;
3828 saext
->sadb_sa_encrypt
= assoc
->ipsa_encr_alg
;
3829 saext
->sadb_sa_flags
= assoc
->ipsa_flags
;
3831 current
= (sadb_lifetime_t
*)mp
->b_wptr
;
3832 mp
->b_wptr
+= sizeof (sadb_lifetime_t
);
3833 current
->sadb_lifetime_len
= SADB_8TO64(sizeof (*current
));
3834 current
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_CURRENT
;
3835 /* We do not support the concept. */
3836 current
->sadb_lifetime_allocations
= 0;
3837 current
->sadb_lifetime_bytes
= assoc
->ipsa_bytes
;
3838 current
->sadb_lifetime_addtime
= assoc
->ipsa_addtime
;
3839 current
->sadb_lifetime_usetime
= assoc
->ipsa_usetime
;
3841 expire
= (sadb_lifetime_t
*)mp
->b_wptr
;
3842 mp
->b_wptr
+= sizeof (*expire
);
3843 expire
->sadb_lifetime_len
= SADB_8TO64(sizeof (*expire
));
3845 if (assoc
->ipsa_state
== IPSA_STATE_DEAD
) {
3846 expire
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_HARD
;
3847 expire
->sadb_lifetime_allocations
= assoc
->ipsa_hardalloc
;
3848 expire
->sadb_lifetime_bytes
= assoc
->ipsa_hardbyteslt
;
3849 expire
->sadb_lifetime_addtime
= assoc
->ipsa_hardaddlt
;
3850 expire
->sadb_lifetime_usetime
= assoc
->ipsa_harduselt
;
3851 } else if (assoc
->ipsa_state
== IPSA_STATE_DYING
) {
3852 expire
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_SOFT
;
3853 expire
->sadb_lifetime_allocations
= assoc
->ipsa_softalloc
;
3854 expire
->sadb_lifetime_bytes
= assoc
->ipsa_softbyteslt
;
3855 expire
->sadb_lifetime_addtime
= assoc
->ipsa_softaddlt
;
3856 expire
->sadb_lifetime_usetime
= assoc
->ipsa_softuselt
;
3858 ASSERT(assoc
->ipsa_state
== IPSA_STATE_MATURE
);
3859 expire
->sadb_lifetime_exttype
= SADB_X_EXT_LIFETIME_IDLE
;
3860 expire
->sadb_lifetime_allocations
= 0;
3861 expire
->sadb_lifetime_bytes
= 0;
3862 expire
->sadb_lifetime_addtime
= assoc
->ipsa_idleaddlt
;
3863 expire
->sadb_lifetime_usetime
= assoc
->ipsa_idleuselt
;
3866 mp
->b_wptr
= sadb_make_addr_ext(mp
->b_wptr
, end
, SADB_EXT_ADDRESS_SRC
,
3867 af
, assoc
->ipsa_srcaddr
, tunnel_mode
? 0 : SA_SRCPORT(assoc
),
3868 SA_PROTO(assoc
), 0);
3869 ASSERT(mp
->b_wptr
!= NULL
);
3871 mp
->b_wptr
= sadb_make_addr_ext(mp
->b_wptr
, end
, SADB_EXT_ADDRESS_DST
,
3872 af
, assoc
->ipsa_dstaddr
, tunnel_mode
? 0 : SA_DSTPORT(assoc
),
3873 SA_PROTO(assoc
), 0);
3874 ASSERT(mp
->b_wptr
!= NULL
);
3877 mp
->b_wptr
= sadb_make_addr_ext(mp
->b_wptr
, end
,
3878 SADB_X_EXT_ADDRESS_INNER_SRC
, assoc
->ipsa_innerfam
,
3879 assoc
->ipsa_innersrc
, SA_SRCPORT(assoc
), SA_IPROTO(assoc
),
3880 assoc
->ipsa_innersrcpfx
);
3881 ASSERT(mp
->b_wptr
!= NULL
);
3882 mp
->b_wptr
= sadb_make_addr_ext(mp
->b_wptr
, end
,
3883 SADB_X_EXT_ADDRESS_INNER_DST
, assoc
->ipsa_innerfam
,
3884 assoc
->ipsa_innerdst
, SA_DSTPORT(assoc
), SA_IPROTO(assoc
),
3885 assoc
->ipsa_innerdstpfx
);
3886 ASSERT(mp
->b_wptr
!= NULL
);
3889 /* Can just putnext, we're ready to go! */
3890 putnext(pfkey_q
, mp1
);
3894 * "Age" the SA with the number of bytes that was used to protect traffic.
3895 * Send an SADB_EXPIRE message if appropriate. Return B_TRUE if there was
3896 * enough "charge" left in the SA to protect the data. Return B_FALSE
3897 * otherwise. (If B_FALSE is returned, the association either was, or became
3901 sadb_age_bytes(queue_t
*pfkey_q
, ipsa_t
*assoc
, uint64_t bytes
,
3904 boolean_t rc
= B_TRUE
;
3907 mutex_enter(&assoc
->ipsa_lock
);
3908 newtotal
= assoc
->ipsa_bytes
+ bytes
;
3909 if (assoc
->ipsa_hardbyteslt
!= 0 &&
3910 newtotal
>= assoc
->ipsa_hardbyteslt
) {
3911 if (assoc
->ipsa_state
!= IPSA_STATE_DEAD
) {
3912 sadb_delete_cluster(assoc
);
3914 * Send EXPIRE message to PF_KEY. May wish to pawn
3915 * this off on another non-interrupt thread. Also
3916 * unlink this SA immediately.
3918 assoc
->ipsa_state
= IPSA_STATE_DEAD
;
3920 sadb_expire_assoc(pfkey_q
, assoc
);
3922 * Set non-zero expiration time so sadb_age_assoc()
3923 * will work when reaping.
3925 assoc
->ipsa_hardexpiretime
= (time_t)1;
3926 } /* Else someone beat me to it! */
3928 } else if (assoc
->ipsa_softbyteslt
!= 0 &&
3929 (newtotal
>= assoc
->ipsa_softbyteslt
)) {
3930 if (assoc
->ipsa_state
< IPSA_STATE_DYING
) {
3932 * Send EXPIRE message to PF_KEY. May wish to pawn
3933 * this off on another non-interrupt thread.
3935 assoc
->ipsa_state
= IPSA_STATE_DYING
;
3936 assoc
->ipsa_bytes
= newtotal
;
3938 sadb_expire_assoc(pfkey_q
, assoc
);
3939 } /* Else someone beat me to it! */
3942 assoc
->ipsa_bytes
= newtotal
;
3943 mutex_exit(&assoc
->ipsa_lock
);
3948 * "Torch" an individual SA. Returns NULL, so it can be tail-called from
3952 sadb_torch_assoc(isaf_t
*head
, ipsa_t
*sa
)
3954 ASSERT(MUTEX_HELD(&head
->isaf_lock
));
3955 ASSERT(MUTEX_HELD(&sa
->ipsa_lock
));
3956 ASSERT(sa
->ipsa_state
== IPSA_STATE_DEAD
);
3959 * Force cached SAs to be revalidated..
3963 mutex_exit(&sa
->ipsa_lock
);
3964 sadb_unlinkassoc(sa
);
3970 * Do various SA-is-idle activities depending on delta (the number of idle
3971 * seconds on the SA) and/or other properties of the SA.
3973 * Return B_TRUE if I've sent a packet, because I have to drop the
3974 * association's mutex before sending a packet out the wire.
3978 sadb_idle_activities(ipsa_t
*assoc
, time_t delta
, boolean_t inbound
)
3980 ipsecesp_stack_t
*espstack
= assoc
->ipsa_netstack
->netstack_ipsecesp
;
3981 int nat_t_interval
= espstack
->ipsecesp_nat_keepalive_interval
;
3983 ASSERT(MUTEX_HELD(&assoc
->ipsa_lock
));
3985 if (!inbound
&& (assoc
->ipsa_flags
& IPSA_F_NATT_LOC
) &&
3986 delta
>= nat_t_interval
&&
3987 gethrestime_sec() - assoc
->ipsa_last_nat_t_ka
>= nat_t_interval
) {
3988 ASSERT(assoc
->ipsa_type
== SADB_SATYPE_ESP
);
3989 assoc
->ipsa_last_nat_t_ka
= gethrestime_sec();
3990 mutex_exit(&assoc
->ipsa_lock
);
3991 ipsecesp_send_keepalive(assoc
);
3998 * Return "assoc" if haspeer is true and I send an expire. This allows
3999 * the consumers' aging functions to tidy up an expired SA's peer.
4002 sadb_age_assoc(isaf_t
*head
, queue_t
*pfkey_q
, ipsa_t
*assoc
,
4003 time_t current
, int reap_delay
, boolean_t inbound
)
4005 ipsa_t
*retval
= NULL
;
4006 boolean_t dropped_mutex
= B_FALSE
;
4008 ASSERT(MUTEX_HELD(&head
->isaf_lock
));
4010 mutex_enter(&assoc
->ipsa_lock
);
4012 if (((assoc
->ipsa_state
== IPSA_STATE_LARVAL
) ||
4013 ((assoc
->ipsa_state
== IPSA_STATE_IDLE
) ||
4014 (assoc
->ipsa_state
== IPSA_STATE_ACTIVE_ELSEWHERE
) &&
4015 (assoc
->ipsa_hardexpiretime
!= 0))) &&
4016 (assoc
->ipsa_hardexpiretime
<= current
)) {
4017 assoc
->ipsa_state
= IPSA_STATE_DEAD
;
4018 return (sadb_torch_assoc(head
, assoc
));
4022 * Check lifetimes. Fortunately, SA setup is done
4023 * such that there are only two times to look at,
4024 * softexpiretime, and hardexpiretime.
4029 if (assoc
->ipsa_hardexpiretime
!= 0 &&
4030 assoc
->ipsa_hardexpiretime
<= current
) {
4031 if (assoc
->ipsa_state
== IPSA_STATE_DEAD
)
4032 return (sadb_torch_assoc(head
, assoc
));
4035 sadb_delete_cluster(assoc
);
4039 * Send SADB_EXPIRE with hard lifetime, delay for unlinking.
4041 assoc
->ipsa_state
= IPSA_STATE_DEAD
;
4042 if (assoc
->ipsa_haspeer
|| assoc
->ipsa_otherspi
!= 0) {
4044 * If the SA is paired or peered with another, put
4045 * a copy on a list which can be processed later, the
4046 * pair/peer SA needs to be updated so the both die
4049 * If I return assoc, I have to bump up its reference
4050 * count to keep with the ipsa_t reference count
4053 IPSA_REFHOLD(assoc
);
4056 sadb_expire_assoc(pfkey_q
, assoc
);
4057 assoc
->ipsa_hardexpiretime
= current
+ reap_delay
;
4058 } else if (assoc
->ipsa_softexpiretime
!= 0 &&
4059 assoc
->ipsa_softexpiretime
<= current
&&
4060 assoc
->ipsa_state
< IPSA_STATE_DYING
) {
4062 * Send EXPIRE message to PF_KEY. May wish to pawn
4063 * this off on another non-interrupt thread.
4065 assoc
->ipsa_state
= IPSA_STATE_DYING
;
4066 if (assoc
->ipsa_haspeer
) {
4068 * If the SA has a peer, update the peer's state
4069 * on SOFT_EXPIRE, this is mostly to prevent two
4070 * expire messages from effectively the same SA.
4072 * Don't care about paired SA's, then can (and should)
4073 * be able to soft expire at different times.
4075 * If I return assoc, I have to bump up its
4076 * reference count to keep with the ipsa_t reference
4079 IPSA_REFHOLD(assoc
);
4082 sadb_expire_assoc(pfkey_q
, assoc
);
4083 } else if (assoc
->ipsa_idletime
!= 0 &&
4084 assoc
->ipsa_idleexpiretime
<= current
) {
4085 if (assoc
->ipsa_state
== IPSA_STATE_ACTIVE_ELSEWHERE
) {
4086 assoc
->ipsa_state
= IPSA_STATE_IDLE
;
4090 * Need to handle Mature case
4092 if (assoc
->ipsa_state
== IPSA_STATE_MATURE
) {
4093 sadb_expire_assoc(pfkey_q
, assoc
);
4096 /* Check idle time activities. */
4097 dropped_mutex
= sadb_idle_activities(assoc
,
4098 current
- assoc
->ipsa_lastuse
, inbound
);
4102 mutex_exit(&assoc
->ipsa_lock
);
4107 * Called by a consumer protocol to do ther dirty work of reaping dead
4108 * Security Associations.
4110 * NOTE: sadb_age_assoc() marks expired SA's as DEAD but only removed
4111 * SA's that are already marked DEAD, so expired SA's are only reaped
4112 * the second time sadb_ager() runs.
4115 sadb_ager(sadb_t
*sp
, queue_t
*pfkey_q
, int reap_delay
, netstack_t
*ns
)
4119 ipsa_t
*assoc
, *spare
;
4121 ipsacq_t
*acqrec
, *spareacq
;
4122 templist_t
*haspeerlist
, *newbie
;
4123 /* Snapshot current time now. */
4124 time_t current
= gethrestime_sec();
4128 * Do my dirty work. This includes aging real entries, aging
4129 * larvals, and aging outstanding ACQUIREs.
4131 * I hope I don't tie up resources for too long.
4136 for (i
= 0; i
< sp
->sdb_hashsize
; i
++) {
4137 acqlist
= &sp
->sdb_acq
[i
];
4138 mutex_enter(&acqlist
->iacqf_lock
);
4139 for (acqrec
= acqlist
->iacqf_ipsacq
; acqrec
!= NULL
;
4140 acqrec
= spareacq
) {
4141 spareacq
= acqrec
->ipsacq_next
;
4142 if (current
> acqrec
->ipsacq_expire
)
4143 sadb_destroy_acquire(acqrec
, ns
);
4145 mutex_exit(&acqlist
->iacqf_lock
);
4148 /* Age inbound associations. */
4149 for (i
= 0; i
< sp
->sdb_hashsize
; i
++) {
4150 bucket
= &(sp
->sdb_if
[i
]);
4151 mutex_enter(&bucket
->isaf_lock
);
4152 for (assoc
= bucket
->isaf_ipsa
; assoc
!= NULL
;
4154 spare
= assoc
->ipsa_next
;
4155 if (sadb_age_assoc(bucket
, pfkey_q
, assoc
, current
,
4156 reap_delay
, B_TRUE
) != NULL
) {
4158 * Put SA's which have a peer or SA's which
4159 * are paired on a list for processing after
4160 * all the hash tables have been walked.
4162 * sadb_age_assoc() increments the refcnt,
4163 * effectively doing an IPSA_REFHOLD().
4165 newbie
= kmem_alloc(sizeof (*newbie
),
4167 if (newbie
== NULL
) {
4169 * Don't forget to REFRELE().
4171 IPSA_REFRELE(assoc
);
4172 continue; /* for loop... */
4174 newbie
->next
= haspeerlist
;
4175 newbie
->ipsa
= assoc
;
4176 haspeerlist
= newbie
;
4179 mutex_exit(&bucket
->isaf_lock
);
4182 age_pair_peer_list(haspeerlist
, sp
, B_FALSE
);
4185 /* Age outbound associations. */
4186 for (i
= 0; i
< sp
->sdb_hashsize
; i
++) {
4187 bucket
= &(sp
->sdb_of
[i
]);
4188 mutex_enter(&bucket
->isaf_lock
);
4189 for (assoc
= bucket
->isaf_ipsa
; assoc
!= NULL
;
4191 spare
= assoc
->ipsa_next
;
4192 if (sadb_age_assoc(bucket
, pfkey_q
, assoc
, current
,
4193 reap_delay
, B_FALSE
) != NULL
) {
4195 * sadb_age_assoc() increments the refcnt,
4196 * effectively doing an IPSA_REFHOLD().
4198 newbie
= kmem_alloc(sizeof (*newbie
),
4200 if (newbie
== NULL
) {
4202 * Don't forget to REFRELE().
4204 IPSA_REFRELE(assoc
);
4205 continue; /* for loop... */
4207 newbie
->next
= haspeerlist
;
4208 newbie
->ipsa
= assoc
;
4209 haspeerlist
= newbie
;
4212 mutex_exit(&bucket
->isaf_lock
);
4215 age_pair_peer_list(haspeerlist
, sp
, B_TRUE
);
4218 * Run a GC pass to clean out dead identities.
4224 * Figure out when to reschedule the ager.
4227 sadb_retimeout(hrtime_t begin
, queue_t
*pfkey_q
, void (*ager
)(void *),
4228 void *agerarg
, uint_t
*intp
, uint_t intmax
, short mid
)
4230 hrtime_t end
= gethrtime();
4231 uint_t interval
= *intp
; /* "interval" is in ms. */
4234 * See how long this took. If it took too long, increase the
4237 if ((end
- begin
) > MSEC2NSEC(interval
)) {
4238 if (interval
>= intmax
) {
4239 /* XXX Rate limit this? Or recommend flush? */
4240 (void) strlog(mid
, 0, 0, SL_ERROR
| SL_WARN
,
4241 "Too many SA's to age out in %d msec.\n",
4244 /* Double by shifting by one bit. */
4246 interval
= min(interval
, intmax
);
4248 } else if ((end
- begin
) <= (MSEC2NSEC(interval
) / 2) &&
4249 interval
> SADB_AGE_INTERVAL_DEFAULT
) {
4251 * If I took less than half of the interval, then I should
4252 * ratchet the interval back down. Never automatically
4253 * shift below the default aging interval.
4255 * NOTE:This even overrides manual setting of the age
4256 * interval using NDD to lower the setting past the
4257 * default. In other words, if you set the interval
4258 * lower than the default, and your SADB gets too big,
4259 * the interval will only self-lower back to the default.
4261 /* Halve by shifting one bit. */
4263 interval
= max(interval
, SADB_AGE_INTERVAL_DEFAULT
);
4266 return (qtimeout(pfkey_q
, ager
, agerarg
,
4267 drv_usectohz(interval
* (MICROSEC
/ MILLISEC
))));
4272 * Update the lifetime values of an SA. This is the path an SADB_UPDATE
4273 * message takes when updating a MATURE or DYING SA.
4276 sadb_update_lifetimes(ipsa_t
*assoc
, sadb_lifetime_t
*hard
,
4277 sadb_lifetime_t
*soft
, sadb_lifetime_t
*idle
, boolean_t outbound
)
4279 mutex_enter(&assoc
->ipsa_lock
);
4282 * XXX RFC 2367 mentions how an SADB_EXT_LIFETIME_CURRENT can be
4283 * passed in during an update message. We currently don't handle
4288 if (hard
->sadb_lifetime_bytes
!= 0)
4289 assoc
->ipsa_hardbyteslt
= hard
->sadb_lifetime_bytes
;
4290 if (hard
->sadb_lifetime_usetime
!= 0)
4291 assoc
->ipsa_harduselt
= hard
->sadb_lifetime_usetime
;
4292 if (hard
->sadb_lifetime_addtime
!= 0)
4293 assoc
->ipsa_hardaddlt
= hard
->sadb_lifetime_addtime
;
4294 if (assoc
->ipsa_hardaddlt
!= 0) {
4295 assoc
->ipsa_hardexpiretime
=
4296 assoc
->ipsa_addtime
+ assoc
->ipsa_hardaddlt
;
4298 if (assoc
->ipsa_harduselt
!= 0 &&
4299 assoc
->ipsa_flags
& IPSA_F_USED
) {
4300 UPDATE_EXPIRE(assoc
, harduselt
, hardexpiretime
);
4302 if (hard
->sadb_lifetime_allocations
!= 0)
4303 assoc
->ipsa_hardalloc
= hard
->sadb_lifetime_allocations
;
4307 if (soft
->sadb_lifetime_bytes
!= 0) {
4308 if (soft
->sadb_lifetime_bytes
>
4309 assoc
->ipsa_hardbyteslt
) {
4310 assoc
->ipsa_softbyteslt
=
4311 assoc
->ipsa_hardbyteslt
;
4313 assoc
->ipsa_softbyteslt
=
4314 soft
->sadb_lifetime_bytes
;
4317 if (soft
->sadb_lifetime_usetime
!= 0) {
4318 if (soft
->sadb_lifetime_usetime
>
4319 assoc
->ipsa_harduselt
) {
4320 assoc
->ipsa_softuselt
=
4321 assoc
->ipsa_harduselt
;
4323 assoc
->ipsa_softuselt
=
4324 soft
->sadb_lifetime_usetime
;
4327 if (soft
->sadb_lifetime_addtime
!= 0) {
4328 if (soft
->sadb_lifetime_addtime
>
4329 assoc
->ipsa_hardexpiretime
) {
4330 assoc
->ipsa_softexpiretime
=
4331 assoc
->ipsa_hardexpiretime
;
4333 assoc
->ipsa_softaddlt
=
4334 soft
->sadb_lifetime_addtime
;
4337 if (assoc
->ipsa_softaddlt
!= 0) {
4338 assoc
->ipsa_softexpiretime
=
4339 assoc
->ipsa_addtime
+ assoc
->ipsa_softaddlt
;
4341 if (assoc
->ipsa_softuselt
!= 0 &&
4342 assoc
->ipsa_flags
& IPSA_F_USED
) {
4343 UPDATE_EXPIRE(assoc
, softuselt
, softexpiretime
);
4345 if (outbound
&& assoc
->ipsa_softexpiretime
!= 0) {
4346 if (assoc
->ipsa_state
== IPSA_STATE_MATURE
)
4347 lifetime_fuzz(assoc
);
4350 if (soft
->sadb_lifetime_allocations
!= 0)
4351 assoc
->ipsa_softalloc
= soft
->sadb_lifetime_allocations
;
4355 time_t current
= gethrestime_sec();
4356 if ((assoc
->ipsa_idleexpiretime
<= current
) &&
4357 (assoc
->ipsa_idleaddlt
== idle
->sadb_lifetime_addtime
)) {
4358 assoc
->ipsa_idleexpiretime
=
4359 current
+ assoc
->ipsa_idleaddlt
;
4361 if (idle
->sadb_lifetime_addtime
!= 0)
4362 assoc
->ipsa_idleaddlt
= idle
->sadb_lifetime_addtime
;
4363 if (idle
->sadb_lifetime_usetime
!= 0)
4364 assoc
->ipsa_idleuselt
= idle
->sadb_lifetime_usetime
;
4365 if (assoc
->ipsa_idleaddlt
!= 0) {
4366 assoc
->ipsa_idleexpiretime
=
4367 current
+ idle
->sadb_lifetime_addtime
;
4368 assoc
->ipsa_idletime
= idle
->sadb_lifetime_addtime
;
4370 if (assoc
->ipsa_idleuselt
!= 0) {
4371 if (assoc
->ipsa_idletime
!= 0) {
4372 assoc
->ipsa_idletime
= min(assoc
->ipsa_idletime
,
4373 assoc
->ipsa_idleuselt
);
4374 assoc
->ipsa_idleexpiretime
=
4375 current
+ assoc
->ipsa_idletime
;
4377 assoc
->ipsa_idleexpiretime
=
4378 current
+ assoc
->ipsa_idleuselt
;
4379 assoc
->ipsa_idletime
= assoc
->ipsa_idleuselt
;
4383 mutex_exit(&assoc
->ipsa_lock
);
4387 sadb_update_state(ipsa_t
*assoc
, uint_t new_state
, mblk_t
**ipkt_lst
)
4390 time_t current
= gethrestime_sec();
4392 mutex_enter(&assoc
->ipsa_lock
);
4394 switch (new_state
) {
4395 case SADB_X_SASTATE_ACTIVE_ELSEWHERE
:
4396 if (assoc
->ipsa_state
== SADB_X_SASTATE_IDLE
) {
4397 assoc
->ipsa_state
= IPSA_STATE_ACTIVE_ELSEWHERE
;
4398 assoc
->ipsa_idleexpiretime
=
4399 current
+ assoc
->ipsa_idletime
;
4402 case SADB_X_SASTATE_IDLE
:
4403 if (assoc
->ipsa_state
== SADB_X_SASTATE_ACTIVE_ELSEWHERE
) {
4404 assoc
->ipsa_state
= IPSA_STATE_IDLE
;
4405 assoc
->ipsa_idleexpiretime
=
4406 current
+ assoc
->ipsa_idletime
;
4412 case SADB_X_SASTATE_ACTIVE
:
4413 if (assoc
->ipsa_state
!= SADB_X_SASTATE_IDLE
) {
4417 assoc
->ipsa_state
= IPSA_STATE_MATURE
;
4418 assoc
->ipsa_idleexpiretime
= current
+ assoc
->ipsa_idletime
;
4420 if (ipkt_lst
== NULL
) {
4424 if (assoc
->ipsa_bpkt_head
!= NULL
) {
4425 *ipkt_lst
= assoc
->ipsa_bpkt_head
;
4426 assoc
->ipsa_bpkt_head
= assoc
->ipsa_bpkt_tail
= NULL
;
4427 assoc
->ipsa_mblkcnt
= 0;
4437 mutex_exit(&assoc
->ipsa_lock
);
4442 * Check a proposed KMC update for sanity.
4445 sadb_check_kmc(ipsa_query_t
*sq
, ipsa_t
*sa
, int *diagnostic
)
4447 uint32_t kmp
= sq
->kmp
;
4448 uint64_t kmc
= sq
->kmc
;
4453 if (sa
->ipsa_state
== IPSA_STATE_DEAD
)
4454 return (ESRCH
); /* DEAD == Not there, in this case. */
4456 if ((kmp
!= 0) && (sa
->ipsa_kmp
!= 0) && (sa
->ipsa_kmp
!= kmp
)) {
4457 *diagnostic
= SADB_X_DIAGNOSTIC_DUPLICATE_KMP
;
4461 if ((kmc
!= 0) && (sa
->ipsa_kmc
!= 0) && (sa
->ipsa_kmc
!= kmc
)) {
4462 *diagnostic
= SADB_X_DIAGNOSTIC_DUPLICATE_KMC
;
4470 * Actually update the KMC info.
4473 sadb_update_kmc(ipsa_query_t
*sq
, ipsa_t
*sa
)
4475 uint32_t kmp
= sq
->kmp
;
4476 uint64_t kmc
= sq
->kmc
;
4485 * Common code to update an SA.
4489 sadb_update_sa(mblk_t
*mp
, keysock_in_t
*ksi
, mblk_t
**ipkt_lst
,
4490 sadbp_t
*spp
, int *diagnostic
, queue_t
*pfkey_q
,
4491 int (*add_sa_func
)(mblk_t
*, keysock_in_t
*, int *, netstack_t
*),
4492 netstack_t
*ns
, uint8_t sadb_msg_type
)
4494 sadb_key_t
*akey
= (sadb_key_t
*)ksi
->ks_in_extv
[SADB_EXT_KEY_AUTH
];
4495 sadb_key_t
*ekey
= (sadb_key_t
*)ksi
->ks_in_extv
[SADB_EXT_KEY_ENCRYPT
];
4496 sadb_x_replay_ctr_t
*replext
=
4497 (sadb_x_replay_ctr_t
*)ksi
->ks_in_extv
[SADB_X_EXT_REPLAY_VALUE
];
4498 sadb_lifetime_t
*soft
=
4499 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_EXT_LIFETIME_SOFT
];
4500 sadb_lifetime_t
*hard
=
4501 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_EXT_LIFETIME_HARD
];
4502 sadb_lifetime_t
*idle
=
4503 (sadb_lifetime_t
*)ksi
->ks_in_extv
[SADB_X_EXT_LIFETIME_IDLE
];
4504 sadb_x_pair_t
*pair_ext
=
4505 (sadb_x_pair_t
*)ksi
->ks_in_extv
[SADB_X_EXT_PAIR
];
4506 ipsa_t
*echo_target
= NULL
;
4509 time_t current
= gethrestime_sec();
4511 sq
.spp
= spp
; /* XXX param */
4512 int error
= sadb_form_query(ksi
, IPSA_Q_SRC
|IPSA_Q_DST
|IPSA_Q_SA
,
4513 IPSA_Q_SRC
|IPSA_Q_DST
|IPSA_Q_SA
|IPSA_Q_INBOUND
|IPSA_Q_OUTBOUND
|
4520 error
= get_ipsa_pair(&sq
, &ipsapp
, diagnostic
);
4524 if (ipsapp
.ipsap_psa_ptr
== NULL
&& ipsapp
.ipsap_sa_ptr
!= NULL
) {
4525 if (ipsapp
.ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_LARVAL
) {
4527 * REFRELE the target and let the add_sa_func()
4528 * deal with updating a larval SA.
4530 destroy_ipsa_pair(&ipsapp
);
4531 return (add_sa_func(mp
, ksi
, diagnostic
, ns
));
4536 * At this point we have an UPDATE to a MATURE SA. There should
4537 * not be any keying material present.
4540 *diagnostic
= SADB_X_DIAGNOSTIC_AKEY_PRESENT
;
4545 *diagnostic
= SADB_X_DIAGNOSTIC_EKEY_PRESENT
;
4550 if (sq
.assoc
->sadb_sa_state
== SADB_X_SASTATE_ACTIVE_ELSEWHERE
) {
4551 if (ipsapp
.ipsap_sa_ptr
!= NULL
&&
4552 ipsapp
.ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_IDLE
) {
4553 if ((error
= sadb_update_state(ipsapp
.ipsap_sa_ptr
,
4554 sq
.assoc
->sadb_sa_state
, NULL
)) != 0) {
4555 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4559 if (ipsapp
.ipsap_psa_ptr
!= NULL
&&
4560 ipsapp
.ipsap_psa_ptr
->ipsa_state
== IPSA_STATE_IDLE
) {
4561 if ((error
= sadb_update_state(ipsapp
.ipsap_psa_ptr
,
4562 sq
.assoc
->sadb_sa_state
, NULL
)) != 0) {
4563 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4568 if (sq
.assoc
->sadb_sa_state
== SADB_X_SASTATE_ACTIVE
) {
4569 if (ipsapp
.ipsap_sa_ptr
!= NULL
) {
4570 error
= sadb_update_state(ipsapp
.ipsap_sa_ptr
,
4571 sq
.assoc
->sadb_sa_state
,
4572 (ipsapp
.ipsap_sa_ptr
->ipsa_flags
&
4573 IPSA_F_INBOUND
) ? ipkt_lst
: NULL
);
4575 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4579 if (ipsapp
.ipsap_psa_ptr
!= NULL
) {
4580 error
= sadb_update_state(ipsapp
.ipsap_psa_ptr
,
4581 sq
.assoc
->sadb_sa_state
,
4582 (ipsapp
.ipsap_psa_ptr
->ipsa_flags
&
4583 IPSA_F_INBOUND
) ? ipkt_lst
: NULL
);
4585 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4589 sadb_pfkey_echo(pfkey_q
, mp
, (sadb_msg_t
*)mp
->b_cont
->b_rptr
,
4595 * Reality checks for updates of active associations.
4596 * Sundry first-pass UPDATE-specific reality checks.
4597 * Have to do the checks here, because it's after the add_sa code.
4598 * XXX STATS : logging/stats here?
4601 if (!((sq
.assoc
->sadb_sa_state
== SADB_SASTATE_MATURE
) ||
4602 (sq
.assoc
->sadb_sa_state
== SADB_X_SASTATE_ACTIVE_ELSEWHERE
))) {
4603 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4607 if (sq
.assoc
->sadb_sa_flags
& ~spp
->s_updateflags
) {
4608 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SAFLAGS
;
4612 if (ksi
->ks_in_extv
[SADB_EXT_LIFETIME_CURRENT
] != NULL
) {
4613 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_LIFETIME
;
4618 if ((*diagnostic
= sadb_hardsoftchk(hard
, soft
, idle
)) != 0) {
4623 if ((*diagnostic
= sadb_labelchk(ksi
)) != 0)
4626 error
= sadb_check_kmc(&sq
, ipsapp
.ipsap_sa_ptr
, diagnostic
);
4630 error
= sadb_check_kmc(&sq
, ipsapp
.ipsap_psa_ptr
, diagnostic
);
4635 if (ipsapp
.ipsap_sa_ptr
!= NULL
) {
4637 * Do not allow replay value change for MATURE or LARVAL SA.
4640 if ((replext
!= NULL
) &&
4641 ((ipsapp
.ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_LARVAL
) ||
4642 (ipsapp
.ipsap_sa_ptr
->ipsa_state
== IPSA_STATE_MATURE
))) {
4643 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_SASTATE
;
4650 if (ipsapp
.ipsap_sa_ptr
!= NULL
) {
4651 sadb_update_lifetimes(ipsapp
.ipsap_sa_ptr
, hard
, soft
,
4653 sadb_update_kmc(&sq
, ipsapp
.ipsap_sa_ptr
);
4654 if ((replext
!= NULL
) &&
4655 (ipsapp
.ipsap_sa_ptr
->ipsa_replay_wsize
!= 0)) {
4657 * If an inbound SA, update the replay counter
4658 * and check off all the other sequence number
4660 if (ksi
->ks_in_dsttype
== KS_IN_ADDR_ME
) {
4661 if (!sadb_replay_check(ipsapp
.ipsap_sa_ptr
,
4662 replext
->sadb_x_rc_replay32
)) {
4664 SADB_X_DIAGNOSTIC_INVALID_REPLAY
;
4668 mutex_enter(&ipsapp
.ipsap_sa_ptr
->ipsa_lock
);
4669 ipsapp
.ipsap_sa_ptr
->ipsa_idleexpiretime
=
4671 ipsapp
.ipsap_sa_ptr
->ipsa_idletime
;
4672 mutex_exit(&ipsapp
.ipsap_sa_ptr
->ipsa_lock
);
4674 mutex_enter(&ipsapp
.ipsap_sa_ptr
->ipsa_lock
);
4675 ipsapp
.ipsap_sa_ptr
->ipsa_replay
=
4676 replext
->sadb_x_rc_replay32
;
4677 ipsapp
.ipsap_sa_ptr
->ipsa_idleexpiretime
=
4679 ipsapp
.ipsap_sa_ptr
->ipsa_idletime
;
4680 mutex_exit(&ipsapp
.ipsap_sa_ptr
->ipsa_lock
);
4685 if (sadb_msg_type
== SADB_X_UPDATEPAIR
) {
4686 if (ipsapp
.ipsap_psa_ptr
!= NULL
) {
4687 sadb_update_lifetimes(ipsapp
.ipsap_psa_ptr
, hard
, soft
,
4689 sadb_update_kmc(&sq
, ipsapp
.ipsap_psa_ptr
);
4691 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND
;
4697 if (pair_ext
!= NULL
)
4698 error
= update_pairing(&ipsapp
, &sq
, ksi
, diagnostic
);
4701 sadb_pfkey_echo(pfkey_q
, mp
, (sadb_msg_t
*)mp
->b_cont
->b_rptr
,
4705 destroy_ipsa_pair(&ipsapp
);
4712 update_pairing(ipsap_t
*ipsapp
, ipsa_query_t
*sq
, keysock_in_t
*ksi
,
4715 sadb_sa_t
*assoc
= (sadb_sa_t
*)ksi
->ks_in_extv
[SADB_EXT_SA
];
4716 sadb_x_pair_t
*pair_ext
=
4717 (sadb_x_pair_t
*)ksi
->ks_in_extv
[SADB_X_EXT_PAIR
];
4720 boolean_t undo_pair
= B_FALSE
;
4721 uint32_t ipsa_flags
;
4723 if (pair_ext
->sadb_x_pair_spi
== 0 || pair_ext
->sadb_x_pair_spi
==
4724 assoc
->sadb_sa_spi
) {
4725 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
;
4730 * Assume for now that the spi value provided in the SADB_UPDATE
4731 * message was valid, update the SA with its pair spi value.
4732 * If the spi turns out to be bogus or the SA no longer exists
4733 * then this will be detected when the reverse update is made
4736 mutex_enter(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4737 ipsapp
->ipsap_sa_ptr
->ipsa_flags
|= IPSA_F_PAIRED
;
4738 ipsapp
->ipsap_sa_ptr
->ipsa_otherspi
= pair_ext
->sadb_x_pair_spi
;
4739 mutex_exit(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4742 * After updating the ipsa_otherspi element of the SA, get_ipsa_pair()
4743 * should now return pointers to the SA *AND* its pair, if this is not
4744 * the case, the "otherspi" either did not exist or was deleted. Also
4745 * check that "otherspi" is not already paired. If everything looks
4746 * good, complete the update. IPSA_REFRELE the first pair_pointer
4747 * after this update to ensure its not deleted until we are done.
4749 error
= get_ipsa_pair(sq
, &oipsapp
, diagnostic
);
4752 * This should never happen, calling function still has
4753 * IPSA_REFHELD on the SA we just updated.
4755 return (error
); /* XXX EINVAL instead of ESRCH? */
4758 if (oipsapp
.ipsap_psa_ptr
== NULL
) {
4759 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
;
4763 ipsa_flags
= oipsapp
.ipsap_psa_ptr
->ipsa_flags
;
4764 if ((oipsapp
.ipsap_psa_ptr
->ipsa_state
== IPSA_STATE_DEAD
) ||
4765 (oipsapp
.ipsap_psa_ptr
->ipsa_state
== IPSA_STATE_DYING
)) {
4767 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
;
4769 } else if ((ipsa_flags
& (IPSA_F_OUTBOUND
| IPSA_F_INBOUND
)) ==
4770 (IPSA_F_OUTBOUND
| IPSA_F_INBOUND
)) {
4771 /* This SA is in both hashtables. */
4772 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
;
4774 } else if (ipsa_flags
& IPSA_F_PAIRED
) {
4775 /* This SA is already paired with another. */
4776 *diagnostic
= SADB_X_DIAGNOSTIC_PAIR_ALREADY
;
4782 /* The pair SA does not exist. */
4783 mutex_enter(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4784 ipsapp
->ipsap_sa_ptr
->ipsa_flags
&= ~IPSA_F_PAIRED
;
4785 ipsapp
->ipsap_sa_ptr
->ipsa_otherspi
= 0;
4786 mutex_exit(&ipsapp
->ipsap_sa_ptr
->ipsa_lock
);
4788 mutex_enter(&oipsapp
.ipsap_psa_ptr
->ipsa_lock
);
4789 oipsapp
.ipsap_psa_ptr
->ipsa_otherspi
= assoc
->sadb_sa_spi
;
4790 oipsapp
.ipsap_psa_ptr
->ipsa_flags
|= IPSA_F_PAIRED
;
4791 mutex_exit(&oipsapp
.ipsap_psa_ptr
->ipsa_lock
);
4794 destroy_ipsa_pair(&oipsapp
);
4799 * The following functions deal with ACQUIRE LISTS. An ACQUIRE list is
4800 * a list of outstanding SADB_ACQUIRE messages. If ipsec_getassocbyconn() fails
4801 * for an outbound datagram, that datagram is queued up on an ACQUIRE record,
4802 * and an SADB_ACQUIRE message is sent up. Presumably, a user-space key
4803 * management daemon will process the ACQUIRE, use a SADB_GETSPI to reserve
4804 * an SPI value and a larval SA, then SADB_UPDATE the larval SA, and ADD the
4805 * other direction's SA.
4809 * Check the ACQUIRE lists. If there's an existing ACQUIRE record,
4810 * grab it, lock it, and return it. Otherwise return NULL.
4812 * XXX MLS number of arguments getting unwieldy here
4815 sadb_checkacquire(iacqf_t
*bucket
, ipsec_action_t
*ap
, ipsec_policy_t
*pp
,
4816 uint32_t *src
, uint32_t *dst
, uint32_t *isrc
, uint32_t *idst
,
4817 uint64_t unique_id
, ts_label_t
*tsl
)
4821 uint32_t blank_address
[4] = {0, 0, 0, 0};
4824 ASSERT(idst
== NULL
);
4825 isrc
= idst
= blank_address
;
4829 * Scan list for duplicates. Check for UNIQUE, src/dest, policy.
4831 * XXX May need search for duplicates based on other things too!
4833 for (walker
= bucket
->iacqf_ipsacq
; walker
!= NULL
;
4834 walker
= walker
->ipsacq_next
) {
4835 mutex_enter(&walker
->ipsacq_lock
);
4836 fam
= walker
->ipsacq_addrfam
;
4837 if (IPSA_ARE_ADDR_EQUAL(dst
, walker
->ipsacq_dstaddr
, fam
) &&
4838 IPSA_ARE_ADDR_EQUAL(src
, walker
->ipsacq_srcaddr
, fam
) &&
4839 ip_addr_match((uint8_t *)isrc
, walker
->ipsacq_innersrcpfx
,
4840 (in6_addr_t
*)walker
->ipsacq_innersrc
) &&
4841 ip_addr_match((uint8_t *)idst
, walker
->ipsacq_innerdstpfx
,
4842 (in6_addr_t
*)walker
->ipsacq_innerdst
) &&
4843 (ap
== walker
->ipsacq_act
) &&
4844 (pp
== walker
->ipsacq_policy
) &&
4845 /* XXX do deep compares of ap/pp? */
4846 (unique_id
== walker
->ipsacq_unique_id
) &&
4847 (ipsec_label_match(tsl
, walker
->ipsacq_tsl
)))
4848 break; /* everything matched */
4849 mutex_exit(&walker
->ipsacq_lock
);
4856 * Generate an SADB_ACQUIRE base message mblk, including KEYSOCK_OUT metadata.
4857 * In other words, this will return, upon success, a two-mblk chain.
4859 static inline mblk_t
*
4860 sadb_acquire_msg_base(minor_t serial
, uint8_t satype
, uint32_t seq
, pid_t pid
)
4865 mp
= sadb_keysock_out(serial
);
4868 mp
->b_cont
= allocb(sizeof (sadb_msg_t
), BPRI_HI
);
4869 if (mp
->b_cont
== NULL
) {
4874 samsg
= (sadb_msg_t
*)mp
->b_cont
->b_rptr
;
4875 mp
->b_cont
->b_wptr
+= sizeof (*samsg
);
4876 samsg
->sadb_msg_version
= PF_KEY_V2
;
4877 samsg
->sadb_msg_type
= SADB_ACQUIRE
;
4878 samsg
->sadb_msg_errno
= 0;
4879 samsg
->sadb_msg_reserved
= 0;
4880 samsg
->sadb_msg_satype
= satype
;
4881 samsg
->sadb_msg_seq
= seq
;
4882 samsg
->sadb_msg_pid
= pid
;
4888 * Generate address and TX/MLS sensitivity label PF_KEY extensions that are
4889 * common to both regular and extended ACQUIREs.
4892 sadb_acquire_msg_common(ipsec_selector_t
*sel
, ipsec_policy_t
*pp
,
4893 ipsec_action_t
*ap
, boolean_t tunnel_mode
, ts_label_t
*tsl
,
4898 uint8_t *start
, *cur
, *end
;
4899 uint32_t *saddrptr
, *daddrptr
;
4901 ipsec_action_t
*oldap
;
4902 ipsec_selkey_t
*ipsl
;
4903 uint8_t proto
, pfxlen
;
4904 uint16_t lport
, rport
;
4908 * Get action pointer set if it isn't already.
4918 * Biggest-case scenario:
4919 * 4x (sadb_address_t + struct sockaddr_in6)
4920 * (src, dst, isrc, idst)
4921 * (COMING SOON, 6x, because of triggering-packet contents.)
4924 * And wiggle room for label bitvectors. Luckily there are
4925 * programmatic ways to find it.
4927 len
= 4 * (sizeof (sadb_address_t
) + sizeof (struct sockaddr_in6
));
4929 /* Figure out full and proper length of sensitivity labels. */
4931 ASSERT(tsl
== NULL
);
4932 senslen
= SADB_64TO8(sens
->sadb_sens_len
);
4933 } else if (tsl
!= NULL
) {
4934 senslen
= sadb_sens_len_from_label(tsl
);
4938 ASSERT(senslen
== 0);
4943 mp
= allocb(len
, BPRI_HI
);
4952 * Address extensions first, from most-recently-defined to least.
4953 * (This should immediately trigger surprise or verify robustness on
4954 * older apps, like in.iked.)
4958 * Form inner address extensions based NOT on the inner
4959 * selectors (i.e. the packet data), but on the policy's
4960 * selector key (i.e. the policy's selector information).
4962 * NOTE: The position of IPv4 and IPv6 addresses is the
4963 * same in ipsec_selkey_t (unless the compiler does very
4964 * strange things with unions, consult your local C language
4965 * lawyer for details).
4969 ipsl
= &(pp
->ipsp_sel
->ipsl_key
);
4970 if (ipsl
->ipsl_valid
& IPSL_IPV4
) {
4972 ASSERT(sel
->ips_protocol
== IPPROTO_ENCAP
);
4973 ASSERT(!(ipsl
->ipsl_valid
& IPSL_IPV6
));
4976 ASSERT(sel
->ips_protocol
== IPPROTO_IPV6
);
4977 ASSERT(ipsl
->ipsl_valid
& IPSL_IPV6
);
4980 if (ipsl
->ipsl_valid
& IPSL_LOCAL_ADDR
) {
4981 saddrptr
= (uint32_t *)(&ipsl
->ipsl_local
);
4982 pfxlen
= ipsl
->ipsl_local_pfxlen
;
4984 saddrptr
= (uint32_t *)(&ipv6_all_zeros
);
4987 /* XXX What about ICMP type/code? */
4988 lport
= (ipsl
->ipsl_valid
& IPSL_LOCAL_PORT
) ?
4989 ipsl
->ipsl_lport
: 0;
4990 proto
= (ipsl
->ipsl_valid
& IPSL_PROTOCOL
) ?
4991 ipsl
->ipsl_proto
: 0;
4993 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_SRC
,
4994 af
, saddrptr
, lport
, proto
, pfxlen
);
5000 if (ipsl
->ipsl_valid
& IPSL_REMOTE_ADDR
) {
5001 daddrptr
= (uint32_t *)(&ipsl
->ipsl_remote
);
5002 pfxlen
= ipsl
->ipsl_remote_pfxlen
;
5004 daddrptr
= (uint32_t *)(&ipv6_all_zeros
);
5007 /* XXX What about ICMP type/code? */
5008 rport
= (ipsl
->ipsl_valid
& IPSL_REMOTE_PORT
) ?
5009 ipsl
->ipsl_rport
: 0;
5011 cur
= sadb_make_addr_ext(cur
, end
, SADB_X_EXT_ADDRESS_INNER_DST
,
5012 af
, daddrptr
, rport
, proto
, pfxlen
);
5018 * TODO - if we go to 3884's dream of transport mode IP-in-IP
5019 * _with_ inner-packet address selectors, we'll need to further
5020 * distinguish tunnel mode here. For now, having inner
5021 * addresses and/or ports is sufficient.
5023 * Meanwhile, whack proto/ports to reflect IP-in-IP for the
5026 proto
= sel
->ips_protocol
; /* Either _ENCAP or _IPV6 */
5028 } else if ((ap
!= NULL
) && (!ap
->ipa_want_unique
)) {
5030 * For cases when the policy calls out specific ports (or not).
5036 ipsl
= &(pp
->ipsp_sel
->ipsl_key
);
5037 if (ipsl
->ipsl_valid
& IPSL_PROTOCOL
)
5038 proto
= ipsl
->ipsl_proto
;
5039 if (ipsl
->ipsl_valid
& IPSL_REMOTE_PORT
)
5040 rport
= ipsl
->ipsl_rport
;
5041 if (ipsl
->ipsl_valid
& IPSL_LOCAL_PORT
)
5042 lport
= ipsl
->ipsl_lport
;
5046 * For require-unique-SA policies.
5048 proto
= sel
->ips_protocol
;
5049 lport
= sel
->ips_local_port
;
5050 rport
= sel
->ips_remote_port
;
5054 * Regular addresses. These are outer-packet ones for tunnel mode.
5055 * Or for transport mode, the regulard address & port information.
5057 af
= sel
->ips_isv4
? AF_INET
: AF_INET6
;
5060 * NOTE: The position of IPv4 and IPv6 addresses is the same in
5063 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_SRC
, af
,
5064 (uint32_t *)(&sel
->ips_local_addr_v6
), lport
, proto
, 0);
5070 cur
= sadb_make_addr_ext(cur
, end
, SADB_EXT_ADDRESS_DST
, af
,
5071 (uint32_t *)(&sel
->ips_remote_addr_v6
), rport
, proto
, 0);
5078 * If present, generate a sensitivity label.
5080 if (cur
+ senslen
> end
) {
5085 /* Explicit sadb_sens_t, usually from inverse-ACQUIRE. */
5086 bcopy(sens
, cur
, senslen
);
5087 } else if (tsl
!= NULL
) {
5088 /* Generate sadb_sens_t from ACQUIRE source. */
5089 sadb_sens_from_label((sadb_sens_t
*)cur
, SADB_EXT_SENSITIVITY
,
5094 ASSERT(senslen
== 0);
5104 * Generate a regular ACQUIRE's proposal extension and KMC information..
5107 sadb_acquire_prop(ipsec_action_t
*ap
, netstack_t
*ns
, boolean_t do_esp
)
5109 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
5110 ipsecesp_stack_t
*espstack
= ns
->netstack_ipsecesp
;
5111 ipsecah_stack_t
*ahstack
= ns
->netstack_ipsecah
;
5115 ipsec_action_t
*walker
;
5116 int ncombs
, allocsize
, ealgid
, aalgid
, aminbits
, amaxbits
, eminbits
,
5118 uint64_t softbytes
, hardbytes
, softaddtime
, hardaddtime
, softusetime
,
5124 * Since it's an rwlock read, AND writing to the IPsec algorithms is
5125 * rare, just acquire it once up top, and drop it upon return.
5127 rw_enter(&ipss
->ipsec_alg_lock
, RW_READER
);
5129 uint64_t num_aalgs
, num_ealgs
;
5131 if (espstack
->esp_kstats
== NULL
)
5134 num_aalgs
= ipss
->ipsec_nalgs
[IPSEC_ALG_AUTH
];
5135 num_ealgs
= ipss
->ipsec_nalgs
[IPSEC_ALG_ENCR
];
5137 goto bail
; /* IPsec not loaded yet, apparently. */
5138 num_aalgs
++; /* No-auth or self-auth-crypto ESP. */
5140 /* Use netstack's maximum loaded algorithms... */
5141 ncombs
= num_ealgs
* num_aalgs
;
5142 replay
= espstack
->ipsecesp_replay_size
;
5144 if (ahstack
->ah_kstats
== NULL
)
5147 ncombs
= ipss
->ipsec_nalgs
[IPSEC_ALG_AUTH
];
5150 goto bail
; /* IPsec not loaded yet, apparently. */
5151 replay
= ahstack
->ipsecah_replay_size
;
5154 allocsize
= sizeof (*prop
) + ncombs
* sizeof (*comb
) +
5155 sizeof (sadb_x_kmc_t
);
5156 mp
= allocb(allocsize
, BPRI_HI
);
5159 prop
= (sadb_prop_t
*)mp
->b_rptr
;
5160 mp
->b_wptr
+= sizeof (*prop
);
5161 comb
= (sadb_comb_t
*)mp
->b_wptr
;
5162 /* Decrement allocsize, if it goes to or below 0, stop. */
5163 allocsize
-= sizeof (*prop
);
5164 prop
->sadb_prop_exttype
= SADB_EXT_PROPOSAL
;
5165 prop
->sadb_prop_len
= SADB_8TO64(sizeof (*prop
));
5166 *(uint32_t *)(&prop
->sadb_prop_replay
) = 0; /* Quick zero-out! */
5167 prop
->sadb_prop_replay
= replay
;
5170 * Based upon algorithm properties, and what-not, prioritize a
5171 * proposal, based on the ordering of the ESP algorithms in the
5172 * alternatives in the policy rule or socket that was placed
5173 * in the acquire record.
5175 * For each action in policy list
5177 * I should not hit it, but if I've hit limit, return.
5180 for (walker
= ap
; walker
!= NULL
; walker
= walker
->ipa_next
) {
5181 ipsec_alginfo_t
*ealg
, *aalg
;
5184 if (walker
->ipa_act
.ipa_type
!= IPSEC_POLICY_APPLY
)
5187 prot
= &walker
->ipa_act
.ipa_apply
;
5188 if (walker
->ipa_act
.ipa_apply
.ipp_km_proto
!= 0)
5189 kmp
= walker
->ipa_act
.ipa_apply
.ipp_km_proto
;
5190 if (walker
->ipa_act
.ipa_apply
.ipp_km_cookie
!= 0)
5191 kmc
= walker
->ipa_act
.ipa_apply
.ipp_km_cookie
;
5192 if (walker
->ipa_act
.ipa_apply
.ipp_replay_depth
) {
5193 prop
->sadb_prop_replay
=
5194 walker
->ipa_act
.ipa_apply
.ipp_replay_depth
;
5198 if (!prot
->ipp_use_esp
)
5201 if (prot
->ipp_esp_auth_alg
!= 0) {
5202 aalg
= ipss
->ipsec_alglists
[IPSEC_ALG_AUTH
]
5203 [prot
->ipp_esp_auth_alg
];
5204 if (aalg
== NULL
|| !ALG_VALID(aalg
))
5209 ASSERT(prot
->ipp_encr_alg
> 0);
5210 ealg
= ipss
->ipsec_alglists
[IPSEC_ALG_ENCR
]
5211 [prot
->ipp_encr_alg
];
5212 if (ealg
== NULL
|| !ALG_VALID(ealg
))
5216 * These may want to come from policy rule..
5218 softbytes
= espstack
->ipsecesp_default_soft_bytes
;
5219 hardbytes
= espstack
->ipsecesp_default_hard_bytes
;
5220 softaddtime
= espstack
->ipsecesp_default_soft_addtime
;
5221 hardaddtime
= espstack
->ipsecesp_default_hard_addtime
;
5222 softusetime
= espstack
->ipsecesp_default_soft_usetime
;
5223 hardusetime
= espstack
->ipsecesp_default_hard_usetime
;
5225 if (!prot
->ipp_use_ah
)
5228 aalg
= ipss
->ipsec_alglists
[IPSEC_ALG_AUTH
]
5229 [prot
->ipp_auth_alg
];
5230 if (aalg
== NULL
|| !ALG_VALID(aalg
))
5234 * These may want to come from policy rule..
5236 softbytes
= ahstack
->ipsecah_default_soft_bytes
;
5237 hardbytes
= ahstack
->ipsecah_default_hard_bytes
;
5238 softaddtime
= ahstack
->ipsecah_default_soft_addtime
;
5239 hardaddtime
= ahstack
->ipsecah_default_hard_addtime
;
5240 softusetime
= ahstack
->ipsecah_default_soft_usetime
;
5241 hardusetime
= ahstack
->ipsecah_default_hard_usetime
;
5245 ealgid
= eminbits
= emaxbits
= 0;
5247 ealgid
= ealg
->alg_id
;
5249 MAX(prot
->ipp_espe_minbits
, ealg
->alg_ef_minbits
);
5251 MIN(prot
->ipp_espe_maxbits
, ealg
->alg_ef_maxbits
);
5255 aalgid
= aminbits
= amaxbits
= 0;
5257 aalgid
= aalg
->alg_id
;
5258 aminbits
= MAX(prot
->ipp_espa_minbits
,
5259 aalg
->alg_ef_minbits
);
5260 amaxbits
= MIN(prot
->ipp_espa_maxbits
,
5261 aalg
->alg_ef_maxbits
);
5264 comb
->sadb_comb_flags
= 0;
5265 comb
->sadb_comb_reserved
= 0;
5266 comb
->sadb_comb_encrypt
= ealgid
;
5267 comb
->sadb_comb_encrypt_minbits
= eminbits
;
5268 comb
->sadb_comb_encrypt_maxbits
= emaxbits
;
5269 comb
->sadb_comb_auth
= aalgid
;
5270 comb
->sadb_comb_auth_minbits
= aminbits
;
5271 comb
->sadb_comb_auth_maxbits
= amaxbits
;
5272 comb
->sadb_comb_soft_allocations
= 0;
5273 comb
->sadb_comb_hard_allocations
= 0;
5274 comb
->sadb_comb_soft_bytes
= softbytes
;
5275 comb
->sadb_comb_hard_bytes
= hardbytes
;
5276 comb
->sadb_comb_soft_addtime
= softaddtime
;
5277 comb
->sadb_comb_hard_addtime
= hardaddtime
;
5278 comb
->sadb_comb_soft_usetime
= softusetime
;
5279 comb
->sadb_comb_hard_usetime
= hardusetime
;
5281 prop
->sadb_prop_len
+= SADB_8TO64(sizeof (*comb
));
5282 mp
->b_wptr
+= sizeof (*comb
);
5283 allocsize
-= sizeof (*comb
);
5284 /* Should never dip BELOW sizeof (KM cookie extension). */
5285 ASSERT3S(allocsize
, >=, sizeof (sadb_x_kmc_t
));
5286 if (allocsize
<= sizeof (sadb_x_kmc_t
))
5287 break; /* out of space.. */
5291 /* Don't include KMC extension if there's no room. */
5292 if (((kmp
!= 0) || (kmc
!= 0)) && allocsize
>= sizeof (sadb_x_kmc_t
)) {
5293 if (sadb_make_kmc_ext(mp
->b_wptr
,
5294 mp
->b_wptr
+ sizeof (sadb_x_kmc_t
), kmp
, kmc
) == NULL
) {
5299 mp
->b_wptr
+= sizeof (sadb_x_kmc_t
);
5300 prop
->sadb_prop_len
+= SADB_8TO64(sizeof (sadb_x_kmc_t
));
5304 rw_exit(&ipss
->ipsec_alg_lock
);
5309 * Generate an extended ACQUIRE's extended-proposal extension.
5312 sadb_acquire_extended_prop(ipsec_action_t
*ap
, netstack_t
*ns
)
5317 int allocsize
, numecombs
= 0, numalgdescs
= 0;
5318 uint32_t kmp
= 0, replay
= 0;
5320 ipsec_action_t
*walker
;
5322 allocsize
= sizeof (*eprop
);
5325 * Going to walk through the action list twice. Once for allocation
5326 * measurement, and once for actual construction.
5328 for (walker
= ap
; walker
!= NULL
; walker
= walker
->ipa_next
) {
5332 * Skip non-IPsec policies
5334 if (walker
->ipa_act
.ipa_type
!= IPSEC_ACT_APPLY
)
5337 ipp
= &walker
->ipa_act
.ipa_apply
;
5339 if (walker
->ipa_act
.ipa_apply
.ipp_km_proto
)
5340 kmp
= ipp
->ipp_km_proto
;
5341 if (walker
->ipa_act
.ipa_apply
.ipp_km_cookie
)
5342 kmc
= ipp
->ipp_km_cookie
;
5343 if (walker
->ipa_act
.ipa_apply
.ipp_replay_depth
)
5344 replay
= ipp
->ipp_replay_depth
;
5346 if (ipp
->ipp_use_ah
)
5348 if (ipp
->ipp_use_esp
) {
5350 if (ipp
->ipp_use_espa
)
5356 ASSERT(numecombs
> 0);
5358 allocsize
+= numecombs
* sizeof (sadb_x_ecomb_t
) +
5359 numalgdescs
* sizeof (sadb_x_algdesc_t
) + sizeof (sadb_x_kmc_t
);
5360 mp
= allocb(allocsize
, BPRI_HI
);
5363 eprop
= (sadb_prop_t
*)mp
->b_rptr
;
5364 end
= mp
->b_rptr
+ allocsize
;
5365 cur
= mp
->b_rptr
+ sizeof (*eprop
);
5367 eprop
->sadb_prop_exttype
= SADB_X_EXT_EPROP
;
5368 eprop
->sadb_x_prop_ereserved
= 0;
5369 eprop
->sadb_x_prop_numecombs
= 0;
5370 *(uint32_t *)(&eprop
->sadb_prop_replay
) = 0; /* Quick zero-out! */
5371 /* Pick ESP's replay default if need be. */
5372 eprop
->sadb_prop_replay
= (replay
== 0) ?
5373 ns
->netstack_ipsecesp
->ipsecesp_replay_size
: replay
;
5375 /* This time, walk through and actually allocate. */
5376 for (walker
= ap
; walker
!= NULL
; walker
= walker
->ipa_next
) {
5378 * Skip non-IPsec policies
5380 if (walker
->ipa_act
.ipa_type
!= IPSEC_ACT_APPLY
)
5382 cur
= sadb_action_to_ecomb(cur
, end
, walker
, ns
);
5384 /* NOTE: inverse-ACQUIRE should note this as ENOMEM. */
5388 eprop
->sadb_x_prop_numecombs
++;
5391 ASSERT(end
- cur
>= sizeof (sadb_x_kmc_t
));
5392 if ((kmp
!= 0) || (kmc
!= 0)) {
5393 cur
= sadb_make_kmc_ext(cur
, end
, kmp
, kmc
);
5400 eprop
->sadb_prop_len
= SADB_8TO64(cur
- mp
->b_rptr
);
5406 * For this mblk, insert a new acquire record. Assume bucket contains addrs
5407 * of all of the same length. Give up (and drop) if memory
5408 * cannot be allocated for a new one; otherwise, invoke callback to
5409 * send the acquire up..
5411 * In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE
5412 * list. The ah_add_sa_finish() routines can look at the packet's attached
5413 * attributes and handle this case specially.
5416 sadb_acquire(mblk_t
*datamp
, ip_xmit_attr_t
*ixa
, boolean_t need_ah
,
5419 mblk_t
*asyncmp
, *regular
, *extended
, *common
, *prop
, *eprop
;
5424 ipha_t
*ipha
= (ipha_t
*)datamp
->b_rptr
;
5425 ip6_t
*ip6h
= (ip6_t
*)datamp
->b_rptr
;
5426 uint32_t *src
, *dst
, *isrc
, *idst
;
5427 ipsec_policy_t
*pp
= ixa
->ixa_ipsec_policy
;
5428 ipsec_action_t
*ap
= ixa
->ixa_ipsec_action
;
5432 uint64_t unique_id
= 0;
5433 boolean_t tunnel_mode
= (ixa
->ixa_flags
& IXAF_IPSEC_TUNNEL
) != 0;
5435 netstack_t
*ns
= ixa
->ixa_ipst
->ips_netstack
;
5436 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
5437 ipsecesp_stack_t
*espstack
= ns
->netstack_ipsecesp
;
5438 ipsecah_stack_t
*ahstack
= ns
->netstack_ipsecah
;
5439 ipsec_selector_t sel
;
5442 ASSERT((pp
!= NULL
) || (ap
!= NULL
));
5444 ASSERT(need_ah
|| need_esp
);
5446 /* Assign sadb pointers */
5449 * ESP happens first if we need both AH and ESP.
5451 spp
= &espstack
->esp_sadb
;
5453 spp
= &ahstack
->ah_sadb
;
5455 sp
= (ixa
->ixa_flags
& IXAF_IS_IPV4
) ? &spp
->s_v4
: &spp
->s_v6
;
5457 if (is_system_labeled())
5466 if (ap
->ipa_act
.ipa_apply
.ipp_use_unique
|| tunnel_mode
)
5467 unique_id
= SA_FORM_UNIQUE_ID(ixa
);
5470 * Set up an ACQUIRE record.
5472 * Immediately, make sure the ACQUIRE sequence number doesn't slip
5473 * below the lowest point allowed in the kernel. (In other words,
5474 * make sure the high bit on the sequence number is set.)
5477 seq
= keysock_next_seq(ns
) | IACQF_LOWEST_SEQ
;
5479 if (IPH_HDR_VERSION(ipha
) == IP_VERSION
) {
5480 src
= (uint32_t *)&ipha
->ipha_src
;
5481 dst
= (uint32_t *)&ipha
->ipha_dst
;
5483 hashoffset
= OUTBOUND_HASH_V4(sp
, ipha
->ipha_dst
);
5484 ASSERT(ixa
->ixa_flags
& IXAF_IS_IPV4
);
5486 ASSERT(IPH_HDR_VERSION(ipha
) == IPV6_VERSION
);
5487 src
= (uint32_t *)&ip6h
->ip6_src
;
5488 dst
= (uint32_t *)&ip6h
->ip6_dst
;
5490 hashoffset
= OUTBOUND_HASH_V6(sp
, ip6h
->ip6_dst
);
5491 ASSERT(!(ixa
->ixa_flags
& IXAF_IS_IPV4
));
5497 * Tunnel mode with no policy pointer means this is a
5498 * reflected ICMP (like a ECHO REQUEST) that came in
5499 * with self-encapsulated protection. Until we better
5500 * support this, drop the packet.
5502 ip_drop_packet(datamp
, B_FALSE
, NULL
,
5503 DROPPER(ipss
, ipds_spd_got_selfencap
),
5504 &ipss
->ipsec_spd_dropper
);
5507 /* Snag inner addresses. */
5508 isrc
= ixa
->ixa_ipsec_insrc
;
5509 idst
= ixa
->ixa_ipsec_indst
;
5515 * Check buckets to see if there is an existing entry. If so,
5516 * grab it. sadb_checkacquire locks newbie if found.
5518 bucket
= &(sp
->sdb_acq
[hashoffset
]);
5519 mutex_enter(&bucket
->iacqf_lock
);
5520 newbie
= sadb_checkacquire(bucket
, ap
, pp
, src
, dst
, isrc
, idst
,
5523 if (newbie
== NULL
) {
5525 * Otherwise, allocate a new one.
5527 newbie
= kmem_zalloc(sizeof (*newbie
), KM_NOSLEEP
);
5528 if (newbie
== NULL
) {
5529 mutex_exit(&bucket
->iacqf_lock
);
5530 ip_drop_packet(datamp
, B_FALSE
, NULL
,
5531 DROPPER(ipss
, ipds_sadb_acquire_nomem
),
5532 &ipss
->ipsec_sadb_dropper
);
5535 newbie
->ipsacq_policy
= pp
;
5540 newbie
->ipsacq_act
= ap
;
5541 newbie
->ipsacq_linklock
= &bucket
->iacqf_lock
;
5542 newbie
->ipsacq_next
= bucket
->iacqf_ipsacq
;
5543 newbie
->ipsacq_ptpn
= &bucket
->iacqf_ipsacq
;
5544 if (newbie
->ipsacq_next
!= NULL
)
5545 newbie
->ipsacq_next
->ipsacq_ptpn
= &newbie
->ipsacq_next
;
5547 bucket
->iacqf_ipsacq
= newbie
;
5548 mutex_init(&newbie
->ipsacq_lock
, NULL
, MUTEX_DEFAULT
, NULL
);
5549 mutex_enter(&newbie
->ipsacq_lock
);
5553 * XXX MLS does it actually help us to drop the bucket lock here?
5554 * we have inserted a half-built, locked acquire record into the
5555 * bucket. any competing thread will now be able to lock the bucket
5556 * to scan it, but will immediately pile up on the new acquire
5557 * record's lock; I don't think we gain anything here other than to
5558 * disperse blame for lock contention.
5560 * we might be able to dispense with acquire record locks entirely..
5561 * just use the bucket locks..
5564 mutex_exit(&bucket
->iacqf_lock
);
5567 * This assert looks silly for now, but we may need to enter newbie's
5568 * mutex during a search.
5570 ASSERT(MUTEX_HELD(&newbie
->ipsacq_lock
));
5573 * Make the ip_xmit_attr_t into something we can queue.
5574 * If no memory it frees datamp.
5576 asyncmp
= ip_xmit_attr_to_mblk(ixa
);
5577 if (asyncmp
!= NULL
)
5578 linkb(asyncmp
, datamp
);
5580 /* Queue up packet. Use b_next. */
5582 if (asyncmp
== NULL
) {
5583 /* Statistics for allocation failure */
5584 if (ixa
->ixa_flags
& IXAF_IS_IPV4
) {
5585 BUMP_MIB(&ixa
->ixa_ipst
->ips_ip_mib
,
5586 ipIfStatsOutDiscards
);
5588 BUMP_MIB(&ixa
->ixa_ipst
->ips_ip6_mib
,
5589 ipIfStatsOutDiscards
);
5591 ip_drop_output("No memory for asyncmp", datamp
, NULL
);
5594 * The acquire record will be freed quickly if it's new
5595 * (ipsacq_expire == 0), and will proceed as if no packet
5598 mutex_exit(&newbie
->ipsacq_lock
);
5600 } else if (newbie
->ipsacq_numpackets
== 0) {
5602 newbie
->ipsacq_mp
= asyncmp
;
5603 newbie
->ipsacq_numpackets
= 1;
5604 newbie
->ipsacq_expire
= gethrestime_sec();
5606 * Extended ACQUIRE with both AH+ESP will use ESP's timeout
5609 newbie
->ipsacq_expire
+= *spp
->s_acquire_timeout
;
5610 newbie
->ipsacq_seq
= seq
;
5611 newbie
->ipsacq_addrfam
= af
;
5613 newbie
->ipsacq_srcport
= ixa
->ixa_ipsec_src_port
;
5614 newbie
->ipsacq_dstport
= ixa
->ixa_ipsec_dst_port
;
5615 newbie
->ipsacq_icmp_type
= ixa
->ixa_ipsec_icmp_type
;
5616 newbie
->ipsacq_icmp_code
= ixa
->ixa_ipsec_icmp_code
;
5618 newbie
->ipsacq_inneraddrfam
= ixa
->ixa_ipsec_inaf
;
5619 newbie
->ipsacq_proto
= ixa
->ixa_ipsec_inaf
== AF_INET6
?
5620 IPPROTO_IPV6
: IPPROTO_ENCAP
;
5621 newbie
->ipsacq_innersrcpfx
= ixa
->ixa_ipsec_insrcpfx
;
5622 newbie
->ipsacq_innerdstpfx
= ixa
->ixa_ipsec_indstpfx
;
5623 IPSA_COPY_ADDR(newbie
->ipsacq_innersrc
,
5624 ixa
->ixa_ipsec_insrc
, ixa
->ixa_ipsec_inaf
);
5625 IPSA_COPY_ADDR(newbie
->ipsacq_innerdst
,
5626 ixa
->ixa_ipsec_indst
, ixa
->ixa_ipsec_inaf
);
5628 newbie
->ipsacq_proto
= ixa
->ixa_ipsec_proto
;
5630 newbie
->ipsacq_unique_id
= unique_id
;
5634 newbie
->ipsacq_tsl
= tsl
;
5637 /* Scan to the end of the list & insert. */
5638 mblk_t
*lastone
= newbie
->ipsacq_mp
;
5640 while (lastone
->b_next
!= NULL
)
5641 lastone
= lastone
->b_next
;
5642 lastone
->b_next
= asyncmp
;
5643 if (newbie
->ipsacq_numpackets
++ == ipsacq_maxpackets
) {
5644 newbie
->ipsacq_numpackets
= ipsacq_maxpackets
;
5645 lastone
= newbie
->ipsacq_mp
;
5646 newbie
->ipsacq_mp
= lastone
->b_next
;
5647 lastone
->b_next
= NULL
;
5649 /* Freeing the async message */
5650 lastone
= ip_xmit_attr_free_mblk(lastone
);
5651 ip_drop_packet(lastone
, B_FALSE
, NULL
,
5652 DROPPER(ipss
, ipds_sadb_acquire_toofull
),
5653 &ipss
->ipsec_sadb_dropper
);
5655 IP_ACQUIRE_STAT(ipss
, qhiwater
,
5656 newbie
->ipsacq_numpackets
);
5661 * Reset addresses. Set them to the most recently added mblk chain,
5662 * so that the address pointers in the acquire record will point
5663 * at an mblk still attached to the acquire list.
5666 newbie
->ipsacq_srcaddr
= src
;
5667 newbie
->ipsacq_dstaddr
= dst
;
5670 * If the acquire record has more than one queued packet, we've
5671 * already sent an ACQUIRE, and don't need to repeat ourself.
5673 if (newbie
->ipsacq_seq
!= seq
|| newbie
->ipsacq_numpackets
> 1) {
5674 /* I have an acquire outstanding already! */
5675 mutex_exit(&newbie
->ipsacq_lock
);
5680 ESP_BUMP_STAT(espstack
, acquire_requests
);
5681 q
= espstack
->esp_pfkey_q
;
5684 * Two cases get us here:
5685 * 1.) AH-only policy.
5687 * 2.) A continuation of an AH+ESP policy, and this is the
5688 * post-ESP, AH-needs-to-send-a-regular-ACQUIRE case.
5689 * (i.e. called from esp_do_outbound_ah().)
5691 AH_BUMP_STAT(ahstack
, acquire_requests
);
5692 q
= ahstack
->ah_pfkey_q
;
5696 * Get selectors and other policy-expression bits needed for an
5699 bzero(&sel
, sizeof (sel
));
5700 sel
.ips_isv4
= (ixa
->ixa_flags
& IXAF_IS_IPV4
) != 0;
5702 sel
.ips_protocol
= (ixa
->ixa_ipsec_inaf
== AF_INET
) ?
5703 IPPROTO_ENCAP
: IPPROTO_IPV6
;
5705 sel
.ips_protocol
= ixa
->ixa_ipsec_proto
;
5706 sel
.ips_local_port
= ixa
->ixa_ipsec_src_port
;
5707 sel
.ips_remote_port
= ixa
->ixa_ipsec_dst_port
;
5709 sel
.ips_icmp_type
= ixa
->ixa_ipsec_icmp_type
;
5710 sel
.ips_icmp_code
= ixa
->ixa_ipsec_icmp_code
;
5711 sel
.ips_is_icmp_inv_acq
= 0;
5712 if (af
== AF_INET
) {
5713 sel
.ips_local_addr_v4
= ipha
->ipha_src
;
5714 sel
.ips_remote_addr_v4
= ipha
->ipha_dst
;
5716 sel
.ips_local_addr_v6
= ip6h
->ip6_src
;
5717 sel
.ips_remote_addr_v6
= ip6h
->ip6_dst
;
5722 * 1. Generate addresses, kmc, and sensitivity. These are "common"
5723 * and should be an mblk pointed to by common. TBD -- eventually it
5724 * will include triggering packet contents as more address extensions.
5726 * 2. Generate ACQUIRE & KEYSOCK_OUT and single-protocol proposal.
5727 * These are "regular" and "prop". String regular->b_cont->b_cont =
5728 * common, common->b_cont = prop.
5730 * 3. If extended register got turned on, generate EXT_ACQUIRE &
5731 * KEYSOCK_OUT and multi-protocol eprop. These are "extended" and
5732 * "eprop". String extended->b_cont->b_cont = dupb(common) and
5733 * extended->b_cont->b_cont->b_cont = prop.
5735 * 4. Deliver: putnext(q, regular) and if there, putnext(q, extended).
5738 regular
= extended
= prop
= eprop
= NULL
;
5740 common
= sadb_acquire_msg_common(&sel
, pp
, ap
, tunnel_mode
, tsl
, NULL
);
5744 regular
= sadb_acquire_msg_base(0, (need_esp
?
5745 SADB_SATYPE_ESP
: SADB_SATYPE_AH
), newbie
->ipsacq_seq
, 0);
5746 if (regular
== NULL
)
5750 * Pardon the boolean cleverness. At least one of need_* must be true.
5751 * If they are equal, it's an AH & ESP policy and ESP needs to go
5752 * first. If they aren't, just check the contents of need_esp.
5754 prop
= sadb_acquire_prop(ap
, ns
, need_esp
);
5758 /* Link the parts together. */
5759 regular
->b_cont
->b_cont
= common
;
5760 common
->b_cont
= prop
;
5762 * Prop is now linked, so don't freemsg() it if the extended
5763 * construction goes off the rails.
5767 ((sadb_msg_t
*)(regular
->b_cont
->b_rptr
))->sadb_msg_len
=
5768 SADB_8TO64(msgsize(regular
->b_cont
));
5771 * If we need an extended ACQUIRE, build it here.
5773 if (keysock_extended_reg(ns
)) {
5774 /* NOTE: "common" still points to what we need. */
5775 extended
= sadb_acquire_msg_base(0, 0, newbie
->ipsacq_seq
, 0);
5776 if (extended
== NULL
) {
5781 extended
->b_cont
->b_cont
= dupb(common
);
5783 if (extended
->b_cont
->b_cont
== NULL
)
5786 eprop
= sadb_acquire_extended_prop(ap
, ns
);
5789 extended
->b_cont
->b_cont
->b_cont
= eprop
;
5791 ((sadb_msg_t
*)(extended
->b_cont
->b_rptr
))->sadb_msg_len
=
5792 SADB_8TO64(msgsize(extended
->b_cont
));
5795 /* So we don't hold a lock across putnext()... */
5796 mutex_exit(&newbie
->ipsacq_lock
);
5798 if (extended
!= NULL
)
5799 putnext(q
, extended
);
5800 ASSERT(regular
!= NULL
);
5801 putnext(q
, regular
);
5805 /* Make this acquire record go away quickly... */
5806 newbie
->ipsacq_expire
= 0;
5807 /* Exploit freemsg(NULL) being legal for fun & profit. */
5812 mutex_exit(&newbie
->ipsacq_lock
);
5816 * Unlink and free an acquire record.
5819 sadb_destroy_acquire(ipsacq_t
*acqrec
, netstack_t
*ns
)
5822 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
5824 ASSERT(MUTEX_HELD(acqrec
->ipsacq_linklock
));
5826 if (acqrec
->ipsacq_policy
!= NULL
) {
5827 IPPOL_REFRELE(acqrec
->ipsacq_policy
);
5829 if (acqrec
->ipsacq_act
!= NULL
) {
5830 IPACT_REFRELE(acqrec
->ipsacq_act
);
5834 *(acqrec
->ipsacq_ptpn
) = acqrec
->ipsacq_next
;
5835 if (acqrec
->ipsacq_next
!= NULL
)
5836 acqrec
->ipsacq_next
->ipsacq_ptpn
= acqrec
->ipsacq_ptpn
;
5838 if (acqrec
->ipsacq_tsl
!= NULL
) {
5839 label_rele(acqrec
->ipsacq_tsl
);
5840 acqrec
->ipsacq_tsl
= NULL
;
5844 * Free hanging mp's.
5846 * XXX Instead of freemsg(), perhaps use IPSEC_REQ_FAILED.
5849 mutex_enter(&acqrec
->ipsacq_lock
);
5850 while (acqrec
->ipsacq_mp
!= NULL
) {
5851 mp
= acqrec
->ipsacq_mp
;
5852 acqrec
->ipsacq_mp
= mp
->b_next
;
5854 /* Freeing the async message */
5855 mp
= ip_xmit_attr_free_mblk(mp
);
5856 ip_drop_packet(mp
, B_FALSE
, NULL
,
5857 DROPPER(ipss
, ipds_sadb_acquire_timeout
),
5858 &ipss
->ipsec_sadb_dropper
);
5860 mutex_exit(&acqrec
->ipsacq_lock
);
5863 mutex_destroy(&acqrec
->ipsacq_lock
);
5864 kmem_free(acqrec
, sizeof (*acqrec
));
5868 * Destroy an acquire list fanout.
5871 sadb_destroy_acqlist(iacqf_t
**listp
, uint_t numentries
, boolean_t forever
,
5875 iacqf_t
*list
= *listp
;
5880 for (i
= 0; i
< numentries
; i
++) {
5881 mutex_enter(&(list
[i
].iacqf_lock
));
5882 while (list
[i
].iacqf_ipsacq
!= NULL
)
5883 sadb_destroy_acquire(list
[i
].iacqf_ipsacq
, ns
);
5884 mutex_exit(&(list
[i
].iacqf_lock
));
5886 mutex_destroy(&(list
[i
].iacqf_lock
));
5891 kmem_free(list
, numentries
* sizeof (*list
));
5896 * Create an algorithm descriptor for an extended ACQUIRE. Filter crypto
5897 * framework's view of reality vs. IPsec's. EF's wins, BTW.
5900 sadb_new_algdesc(uint8_t *start
, uint8_t *limit
,
5901 sadb_x_ecomb_t
*ecomb
, uint8_t satype
, uint8_t algtype
,
5902 uint8_t alg
, uint16_t minbits
, uint16_t maxbits
, ipsec_stack_t
*ipss
)
5904 uint8_t *cur
= start
;
5905 ipsec_alginfo_t
*algp
;
5906 sadb_x_algdesc_t
*algdesc
= (sadb_x_algdesc_t
*)cur
;
5908 cur
+= sizeof (*algdesc
);
5912 ecomb
->sadb_x_ecomb_numalgs
++;
5915 * Normalize vs. crypto framework's limits. This way, you can specify
5916 * a stronger policy, and when the framework loads a stronger version,
5917 * you can just keep plowing w/o rewhacking your SPD.
5919 rw_enter(&ipss
->ipsec_alg_lock
, RW_READER
);
5920 algp
= ipss
->ipsec_alglists
[(algtype
== SADB_X_ALGTYPE_AUTH
) ?
5921 IPSEC_ALG_AUTH
: IPSEC_ALG_ENCR
][alg
];
5923 rw_exit(&ipss
->ipsec_alg_lock
);
5924 return (NULL
); /* Algorithm doesn't exist. Fail gracefully. */
5926 if (minbits
< algp
->alg_ef_minbits
)
5927 minbits
= algp
->alg_ef_minbits
;
5928 if (maxbits
> algp
->alg_ef_maxbits
)
5929 maxbits
= algp
->alg_ef_maxbits
;
5930 rw_exit(&ipss
->ipsec_alg_lock
);
5932 algdesc
->sadb_x_algdesc_reserved
= SADB_8TO1(algp
->alg_saltlen
);
5933 algdesc
->sadb_x_algdesc_satype
= satype
;
5934 algdesc
->sadb_x_algdesc_algtype
= algtype
;
5935 algdesc
->sadb_x_algdesc_alg
= alg
;
5936 algdesc
->sadb_x_algdesc_minbits
= minbits
;
5937 algdesc
->sadb_x_algdesc_maxbits
= maxbits
;
5943 * Convert the given ipsec_action_t into an ecomb starting at *ecomb
5944 * which must fit before *limit
5946 * return NULL if we ran out of room or a pointer to the end of the ecomb.
5949 sadb_action_to_ecomb(uint8_t *start
, uint8_t *limit
, ipsec_action_t
*act
,
5952 uint8_t *cur
= start
;
5953 sadb_x_ecomb_t
*ecomb
= (sadb_x_ecomb_t
*)cur
;
5955 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
5957 cur
+= sizeof (*ecomb
);
5961 ASSERT(act
->ipa_act
.ipa_type
== IPSEC_ACT_APPLY
);
5963 ipp
= &act
->ipa_act
.ipa_apply
;
5965 ecomb
->sadb_x_ecomb_numalgs
= 0;
5966 ecomb
->sadb_x_ecomb_reserved
= 0;
5967 ecomb
->sadb_x_ecomb_reserved2
= 0;
5969 * No limits on allocations, since we really don't support that
5970 * concept currently.
5972 ecomb
->sadb_x_ecomb_soft_allocations
= 0;
5973 ecomb
->sadb_x_ecomb_hard_allocations
= 0;
5976 * XXX TBD: Policy or global parameters will eventually be
5977 * able to fill in some of these.
5979 ecomb
->sadb_x_ecomb_flags
= 0;
5980 ecomb
->sadb_x_ecomb_soft_bytes
= 0;
5981 ecomb
->sadb_x_ecomb_hard_bytes
= 0;
5982 ecomb
->sadb_x_ecomb_soft_addtime
= 0;
5983 ecomb
->sadb_x_ecomb_hard_addtime
= 0;
5984 ecomb
->sadb_x_ecomb_soft_usetime
= 0;
5985 ecomb
->sadb_x_ecomb_hard_usetime
= 0;
5987 if (ipp
->ipp_use_ah
) {
5988 cur
= sadb_new_algdesc(cur
, limit
, ecomb
,
5989 SADB_SATYPE_AH
, SADB_X_ALGTYPE_AUTH
, ipp
->ipp_auth_alg
,
5990 ipp
->ipp_ah_minbits
, ipp
->ipp_ah_maxbits
, ipss
);
5993 ipsecah_fill_defs(ecomb
, ns
);
5996 if (ipp
->ipp_use_esp
) {
5997 if (ipp
->ipp_use_espa
) {
5998 cur
= sadb_new_algdesc(cur
, limit
, ecomb
,
5999 SADB_SATYPE_ESP
, SADB_X_ALGTYPE_AUTH
,
6000 ipp
->ipp_esp_auth_alg
,
6001 ipp
->ipp_espa_minbits
,
6002 ipp
->ipp_espa_maxbits
, ipss
);
6007 cur
= sadb_new_algdesc(cur
, limit
, ecomb
,
6008 SADB_SATYPE_ESP
, SADB_X_ALGTYPE_CRYPT
,
6010 ipp
->ipp_espe_minbits
,
6011 ipp
->ipp_espe_maxbits
, ipss
);
6014 /* Fill in lifetimes if and only if AH didn't already... */
6015 if (!ipp
->ipp_use_ah
)
6016 ipsecesp_fill_defs(ecomb
, ns
);
6022 #include <sys/tsol/label_macro.h> /* XXX should not need this */
6025 * From a cred_t, construct a sensitivity label extension
6027 * We send up a fixed-size sensitivity label bitmap, and are perhaps
6028 * overly chummy with the underlying data structures here.
6033 sadb_sens_len_from_label(ts_label_t
*tsl
)
6035 int baselen
= sizeof (sadb_sens_t
) + _C_LEN
* 4;
6036 return (roundup(baselen
, sizeof (uint64_t)));
6040 sadb_sens_from_label(sadb_sens_t
*sens
, int exttype
, ts_label_t
*tsl
,
6047 ASSERT((_C_LEN
& 1) == 0);
6048 ASSERT((senslen
& 7) == 0);
6050 sl
= label2bslabel(tsl
);
6052 sens
->sadb_sens_exttype
= exttype
;
6053 sens
->sadb_sens_len
= SADB_8TO64(senslen
);
6055 sens
->sadb_sens_dpd
= tsl
->tsl_doi
;
6056 sens
->sadb_sens_sens_level
= LCLASS(sl
);
6057 sens
->sadb_sens_integ_level
= 0; /* TBD */
6058 sens
->sadb_sens_sens_len
= _C_LEN
>> 1;
6059 sens
->sadb_sens_integ_len
= 0; /* TBD */
6060 sens
->sadb_x_sens_flags
= 0;
6062 bitmap
= (uint8_t *)(sens
+ 1);
6063 bcopy(&(((_bslabel_impl_t
*)sl
)->compartments
), bitmap
, _C_LEN
* 4);
6067 * Okay, how do we report errors/invalid labels from this?
6068 * With a special designated "not a label" cred_t ?
6072 sadb_label_from_sens(sadb_sens_t
*sens
, uint64_t *bitmap
)
6074 int bitmap_len
= SADB_64TO8(sens
->sadb_sens_sens_len
);
6078 if (sens
->sadb_sens_integ_level
!= 0)
6080 if (sens
->sadb_sens_integ_len
!= 0)
6082 if (bitmap_len
> _C_LEN
* 4)
6086 LCLASS_SET((_bslabel_impl_t
*)&sl
, sens
->sadb_sens_sens_level
);
6087 bcopy(bitmap
, &((_bslabel_impl_t
*)&sl
)->compartments
,
6090 tsl
= labelalloc(&sl
, sens
->sadb_sens_dpd
, KM_NOSLEEP
);
6094 if (sens
->sadb_x_sens_flags
& SADB_X_SENS_UNLABELED
)
6095 tsl
->tsl_flags
|= TSLF_UNLABELED
;
6099 /* End XXX label-library-leakage */
6102 * Given an SADB_GETSPI message, find an appropriately ranged SA and
6103 * allocate an SA. If there are message improprieties, return (ipsa_t *)-1.
6104 * If there was a memory allocation error, return NULL. (Assume NULL !=
6107 * master_spi is passed in host order.
6110 sadb_getspi(keysock_in_t
*ksi
, uint32_t master_spi
, int *diagnostic
,
6111 netstack_t
*ns
, uint_t sa_type
)
6113 sadb_address_t
*src
=
6114 (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_SRC
],
6115 *dst
= (sadb_address_t
*)ksi
->ks_in_extv
[SADB_EXT_ADDRESS_DST
];
6116 sadb_spirange_t
*range
=
6117 (sadb_spirange_t
*)ksi
->ks_in_extv
[SADB_EXT_SPIRANGE
];
6118 struct sockaddr_in
*ssa
, *dsa
;
6119 struct sockaddr_in6
*ssa6
, *dsa6
;
6120 uint32_t *srcaddr
, *dstaddr
;
6122 uint32_t add
, min
, max
;
6124 (sa_type
== SADB_SATYPE_AH
) ? IPPROTO_AH
: IPPROTO_ESP
;
6127 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_SRC
;
6128 return ((ipsa_t
*)-1);
6131 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_DST
;
6132 return ((ipsa_t
*)-1);
6134 if (range
== NULL
) {
6135 *diagnostic
= SADB_X_DIAGNOSTIC_MISSING_RANGE
;
6136 return ((ipsa_t
*)-1);
6139 min
= ntohl(range
->sadb_spirange_min
);
6140 max
= ntohl(range
->sadb_spirange_max
);
6141 dsa
= (struct sockaddr_in
*)(dst
+ 1);
6142 dsa6
= (struct sockaddr_in6
*)dsa
;
6144 ssa
= (struct sockaddr_in
*)(src
+ 1);
6145 ssa6
= (struct sockaddr_in6
*)ssa
;
6146 ASSERT(dsa
->sin_family
== ssa
->sin_family
);
6148 srcaddr
= ALL_ZEROES_PTR
;
6149 af
= dsa
->sin_family
;
6153 srcaddr
= (uint32_t *)(&ssa
->sin_addr
);
6154 dstaddr
= (uint32_t *)(&dsa
->sin_addr
);
6158 srcaddr
= (uint32_t *)(&ssa6
->sin6_addr
);
6159 dstaddr
= (uint32_t *)(&dsa6
->sin6_addr
);
6162 *diagnostic
= SADB_X_DIAGNOSTIC_BAD_DST_AF
;
6163 return ((ipsa_t
*)-1);
6166 if (master_spi
< min
|| master_spi
> max
) {
6167 /* Return a random value in the range. */
6168 if (cl_inet_getspi
) {
6169 cl_inet_getspi(ns
->netstack_stackid
, protocol
,
6170 (uint8_t *)&add
, sizeof (add
), NULL
);
6172 (void) random_get_pseudo_bytes((uint8_t *)&add
,
6175 master_spi
= min
+ (add
% (max
- min
+ 1));
6179 * Since master_spi is passed in host order, we need to htonl() it
6180 * for the purposes of creating a new SA.
6182 return (sadb_makelarvalassoc(htonl(master_spi
), srcaddr
, dstaddr
, af
,
6188 * Locate an ACQUIRE and nuke it. If I have an samsg that's larger than the
6189 * base header, just ignore it. Otherwise, lock down the whole ACQUIRE list
6190 * and scan for the sequence number in question. I may wish to accept an
6191 * address pair with it, for easier searching.
6193 * Caller frees the message, so we don't have to here.
6195 * NOTE: The pfkey_q parameter may be used in the future for ACQUIRE
6200 sadb_in_acquire(sadb_msg_t
*samsg
, sadbp_t
*sp
, queue_t
*pfkey_q
,
6208 * I only accept the base header for this!
6209 * Though to be honest, requiring the dst address would help
6212 * XXX There are already cases where I can get the dst address.
6214 if (samsg
->sadb_msg_len
> SADB_8TO64(sizeof (*samsg
)))
6218 * Using the samsg->sadb_msg_seq, find the ACQUIRE record, delete it,
6219 * (and in the future send a message to IP with the appropriate error
6222 * Q: Do I want to reject if pid != 0?
6225 for (i
= 0; i
< sp
->s_v4
.sdb_hashsize
; i
++) {
6226 bucket
= &sp
->s_v4
.sdb_acq
[i
];
6227 mutex_enter(&bucket
->iacqf_lock
);
6228 for (acqrec
= bucket
->iacqf_ipsacq
; acqrec
!= NULL
;
6229 acqrec
= acqrec
->ipsacq_next
) {
6230 if (samsg
->sadb_msg_seq
== acqrec
->ipsacq_seq
)
6231 break; /* for acqrec... loop. */
6234 break; /* for i = 0... loop. */
6236 mutex_exit(&bucket
->iacqf_lock
);
6239 if (acqrec
== NULL
) {
6240 for (i
= 0; i
< sp
->s_v6
.sdb_hashsize
; i
++) {
6241 bucket
= &sp
->s_v6
.sdb_acq
[i
];
6242 mutex_enter(&bucket
->iacqf_lock
);
6243 for (acqrec
= bucket
->iacqf_ipsacq
; acqrec
!= NULL
;
6244 acqrec
= acqrec
->ipsacq_next
) {
6245 if (samsg
->sadb_msg_seq
== acqrec
->ipsacq_seq
)
6246 break; /* for acqrec... loop. */
6249 break; /* for i = 0... loop. */
6251 mutex_exit(&bucket
->iacqf_lock
);
6260 * What do I do with the errno and IP? I may need mp's services a
6261 * little more. See sadb_destroy_acquire() for future directions
6262 * beyond free the mblk chain on the acquire record.
6265 ASSERT(&bucket
->iacqf_lock
== acqrec
->ipsacq_linklock
);
6266 sadb_destroy_acquire(acqrec
, ns
);
6267 /* Have to exit mutex here, because of breaking out of for loop. */
6268 mutex_exit(&bucket
->iacqf_lock
);
6272 * The following functions work with the replay windows of an SA. They assume
6273 * the ipsa->ipsa_replay_arr is an array of uint64_t, and that the bit vector
6274 * represents the highest sequence number packet received, and back
6275 * (ipsa->ipsa_replay_wsize) packets.
6279 * Is the replay bit set?
6282 ipsa_is_replay_set(ipsa_t
*ipsa
, uint32_t offset
)
6284 uint64_t bit
= (uint64_t)1 << (uint64_t)(offset
& 63);
6286 return ((bit
& ipsa
->ipsa_replay_arr
[offset
>> 6]) ? B_TRUE
: B_FALSE
);
6290 * Shift the bits of the replay window over.
6293 ipsa_shift_replay(ipsa_t
*ipsa
, uint32_t shift
)
6296 int jump
= ((shift
- 1) >> 6) + 1;
6301 for (i
= (ipsa
->ipsa_replay_wsize
- 1) >> 6; i
>= 0; i
--) {
6302 if (i
+ jump
<= (ipsa
->ipsa_replay_wsize
- 1) >> 6) {
6303 ipsa
->ipsa_replay_arr
[i
+ jump
] |=
6304 ipsa
->ipsa_replay_arr
[i
] >> (64 - (shift
& 63));
6306 ipsa
->ipsa_replay_arr
[i
] <<= shift
;
6311 * Set a bit in the bit vector.
6314 ipsa_set_replay(ipsa_t
*ipsa
, uint32_t offset
)
6316 uint64_t bit
= (uint64_t)1 << (uint64_t)(offset
& 63);
6318 ipsa
->ipsa_replay_arr
[offset
>> 6] |= bit
;
6321 #define SADB_MAX_REPLAY_VALUE 0xffffffff
6324 * Assume caller has NOT done ntohl() already on seq. Check to see
6325 * if replay sequence number "seq" has been seen already.
6328 sadb_replay_check(ipsa_t
*ipsa
, uint32_t seq
)
6333 if (ipsa
->ipsa_replay_wsize
== 0)
6337 * NOTE: I've already checked for 0 on the wire in sadb_replay_peek().
6340 /* Convert sequence number into host order before holding the mutex. */
6343 mutex_enter(&ipsa
->ipsa_lock
);
6345 /* Initialize inbound SA's ipsa_replay field to last one received. */
6346 if (ipsa
->ipsa_replay
== 0)
6347 ipsa
->ipsa_replay
= 1;
6349 if (seq
> ipsa
->ipsa_replay
) {
6351 * I have received a new "highest value received". Shift
6352 * the replay window over.
6354 diff
= seq
- ipsa
->ipsa_replay
;
6355 if (diff
< ipsa
->ipsa_replay_wsize
) {
6356 /* In replay window, shift bits over. */
6357 ipsa_shift_replay(ipsa
, diff
);
6359 /* WAY FAR AHEAD, clear bits and start again. */
6360 bzero(ipsa
->ipsa_replay_arr
,
6361 sizeof (ipsa
->ipsa_replay_arr
));
6363 ipsa_set_replay(ipsa
, 0);
6364 ipsa
->ipsa_replay
= seq
;
6368 diff
= ipsa
->ipsa_replay
- seq
;
6369 if (diff
>= ipsa
->ipsa_replay_wsize
|| ipsa_is_replay_set(ipsa
, diff
)) {
6373 /* Set this packet as seen. */
6374 ipsa_set_replay(ipsa
, diff
);
6378 mutex_exit(&ipsa
->ipsa_lock
);
6383 * "Peek" and see if we should even bother going through the effort of
6384 * running an authentication check on the sequence number passed in.
6385 * this takes into account packets that are below the replay window,
6386 * and collisions with already replayed packets. Return B_TRUE if it
6387 * is okay to proceed, B_FALSE if this packet should be dropped immediately.
6388 * Assume same byte-ordering as sadb_replay_check.
6391 sadb_replay_peek(ipsa_t
*ipsa
, uint32_t seq
)
6393 boolean_t rc
= B_FALSE
;
6396 if (ipsa
->ipsa_replay_wsize
== 0)
6400 * 0 is 0, regardless of byte order... :)
6402 * If I get 0 on the wire (and there is a replay window) then the
6403 * sender most likely wrapped. This ipsa may need to be marked or
6410 mutex_enter(&ipsa
->ipsa_lock
);
6411 if (seq
< ipsa
->ipsa_replay
- ipsa
->ipsa_replay_wsize
&&
6412 ipsa
->ipsa_replay
>= ipsa
->ipsa_replay_wsize
)
6416 * If I've hit 0xffffffff, then quite honestly, I don't need to
6417 * bother with formalities. I'm not accepting any more packets
6420 if (ipsa
->ipsa_replay
== SADB_MAX_REPLAY_VALUE
) {
6422 * Since we're already holding the lock, update the
6423 * expire time ala. sadb_replay_delete() and return.
6425 ipsa
->ipsa_hardexpiretime
= (time_t)1;
6429 if (seq
<= ipsa
->ipsa_replay
) {
6431 * This seq is in the replay window. I'm not below it,
6432 * because I already checked for that above!
6434 diff
= ipsa
->ipsa_replay
- seq
;
6435 if (ipsa_is_replay_set(ipsa
, diff
))
6438 /* Else return B_TRUE, I'm going to advance the window. */
6442 mutex_exit(&ipsa
->ipsa_lock
);
6447 * Delete a single SA.
6449 * For now, use the quick-and-dirty trick of making the association's
6450 * hard-expire lifetime (time_t)1, ensuring deletion by the *_ager().
6453 sadb_replay_delete(ipsa_t
*assoc
)
6455 mutex_enter(&assoc
->ipsa_lock
);
6456 assoc
->ipsa_hardexpiretime
= (time_t)1;
6457 mutex_exit(&assoc
->ipsa_lock
);
6461 * Special front-end to ipsec_rl_strlog() dealing with SA failure.
6462 * this is designed to take only a format string with "* %x * %s *", so
6463 * that "spi" is printed first, then "addr" is converted using inet_pton().
6465 * This is abstracted out to save the stack space for only when inet_pton()
6466 * is called. Make sure "spi" is in network order; it usually is when this
6470 ipsec_assocfailure(short mid
, short sid
, char level
, ushort_t sl
, char *fmt
,
6471 uint32_t spi
, void *addr
, int af
, netstack_t
*ns
)
6473 char buf
[INET6_ADDRSTRLEN
];
6475 ASSERT(af
== AF_INET6
|| af
== AF_INET
);
6477 ipsec_rl_strlog(ns
, mid
, sid
, level
, sl
, fmt
, ntohl(spi
),
6478 inet_ntop(af
, addr
, buf
, sizeof (buf
)));
6482 * Fills in a reference to the policy, if any, from the conn, in *ppp
6485 ipsec_conn_pol(ipsec_selector_t
*sel
, conn_t
*connp
, ipsec_policy_t
**ppp
)
6488 ipsec_latch_t
*ipl
= connp
->conn_latch
;
6490 if ((ipl
!= NULL
) && (connp
->conn_ixa
->ixa_ipsec_policy
!= NULL
)) {
6491 pp
= connp
->conn_ixa
->ixa_ipsec_policy
;
6494 pp
= ipsec_find_policy(IPSEC_TYPE_OUTBOUND
, connp
, sel
,
6495 connp
->conn_netstack
);
6501 * The following functions scan through active conn_t structures
6502 * and return a reference to the best-matching policy it can find.
6503 * Caller must release the reference.
6506 ipsec_udp_pol(ipsec_selector_t
*sel
, ipsec_policy_t
**ppp
, ip_stack_t
*ipst
)
6509 conn_t
*connp
= NULL
;
6510 ipsec_selector_t portonly
;
6512 bzero((void *)&portonly
, sizeof (portonly
));
6514 if (sel
->ips_local_port
== 0)
6517 connfp
= &ipst
->ips_ipcl_udp_fanout
[IPCL_UDP_HASH(sel
->ips_local_port
,
6519 mutex_enter(&connfp
->connf_lock
);
6521 if (sel
->ips_isv4
) {
6522 connp
= connfp
->connf_head
;
6523 while (connp
!= NULL
) {
6524 if (IPCL_UDP_MATCH(connp
, sel
->ips_local_port
,
6525 sel
->ips_local_addr_v4
, sel
->ips_remote_port
,
6526 sel
->ips_remote_addr_v4
))
6528 connp
= connp
->conn_next
;
6531 if (connp
== NULL
) {
6532 /* Try port-only match in IPv6. */
6533 portonly
.ips_local_port
= sel
->ips_local_port
;
6538 if (connp
== NULL
) {
6539 connp
= connfp
->connf_head
;
6540 while (connp
!= NULL
) {
6541 if (IPCL_UDP_MATCH_V6(connp
, sel
->ips_local_port
,
6542 sel
->ips_local_addr_v6
, sel
->ips_remote_port
,
6543 sel
->ips_remote_addr_v6
))
6545 connp
= connp
->conn_next
;
6548 if (connp
== NULL
) {
6549 mutex_exit(&connfp
->connf_lock
);
6554 CONN_INC_REF(connp
);
6555 mutex_exit(&connfp
->connf_lock
);
6557 ipsec_conn_pol(sel
, connp
, ppp
);
6558 CONN_DEC_REF(connp
);
6562 ipsec_find_listen_conn(uint16_t *pptr
, ipsec_selector_t
*sel
, ip_stack_t
*ipst
)
6565 conn_t
*connp
= NULL
;
6566 const in6_addr_t
*v6addrmatch
= &sel
->ips_local_addr_v6
;
6568 if (sel
->ips_local_port
== 0)
6571 connfp
= &ipst
->ips_ipcl_bind_fanout
[
6572 IPCL_BIND_HASH(sel
->ips_local_port
, ipst
)];
6573 mutex_enter(&connfp
->connf_lock
);
6575 if (sel
->ips_isv4
) {
6576 connp
= connfp
->connf_head
;
6577 while (connp
!= NULL
) {
6578 if (IPCL_BIND_MATCH(connp
, IPPROTO_TCP
,
6579 sel
->ips_local_addr_v4
, pptr
[1]))
6581 connp
= connp
->conn_next
;
6584 if (connp
== NULL
) {
6585 /* Match to all-zeroes. */
6586 v6addrmatch
= &ipv6_all_zeros
;
6590 if (connp
== NULL
) {
6591 connp
= connfp
->connf_head
;
6592 while (connp
!= NULL
) {
6593 if (IPCL_BIND_MATCH_V6(connp
, IPPROTO_TCP
,
6594 *v6addrmatch
, pptr
[1]))
6596 connp
= connp
->conn_next
;
6599 if (connp
== NULL
) {
6600 mutex_exit(&connfp
->connf_lock
);
6605 CONN_INC_REF(connp
);
6606 mutex_exit(&connfp
->connf_lock
);
6611 ipsec_tcp_pol(ipsec_selector_t
*sel
, ipsec_policy_t
**ppp
, ip_stack_t
*ipst
)
6616 uint16_t *pptr
= (uint16_t *)&ports
;
6619 * Find TCP state in the following order:
6620 * 1.) Connected conns.
6623 * Even though #2 will be the common case for inbound traffic, only
6624 * following this order insures correctness.
6627 if (sel
->ips_local_port
== 0)
6631 * 0 should be fport, 1 should be lport. SRC is the local one here.
6632 * See ipsec_construct_inverse_acquire() for details.
6634 pptr
[0] = sel
->ips_remote_port
;
6635 pptr
[1] = sel
->ips_local_port
;
6637 connfp
= &ipst
->ips_ipcl_conn_fanout
[
6638 IPCL_CONN_HASH(sel
->ips_remote_addr_v4
, ports
, ipst
)];
6639 mutex_enter(&connfp
->connf_lock
);
6640 connp
= connfp
->connf_head
;
6642 if (sel
->ips_isv4
) {
6643 while (connp
!= NULL
) {
6644 if (IPCL_CONN_MATCH(connp
, IPPROTO_TCP
,
6645 sel
->ips_remote_addr_v4
, sel
->ips_local_addr_v4
,
6648 connp
= connp
->conn_next
;
6651 while (connp
!= NULL
) {
6652 if (IPCL_CONN_MATCH_V6(connp
, IPPROTO_TCP
,
6653 sel
->ips_remote_addr_v6
, sel
->ips_local_addr_v6
,
6656 connp
= connp
->conn_next
;
6660 if (connp
!= NULL
) {
6661 CONN_INC_REF(connp
);
6662 mutex_exit(&connfp
->connf_lock
);
6664 mutex_exit(&connfp
->connf_lock
);
6666 /* Try the listen hash. */
6667 if ((connp
= ipsec_find_listen_conn(pptr
, sel
, ipst
)) == NULL
)
6671 ipsec_conn_pol(sel
, connp
, ppp
);
6672 CONN_DEC_REF(connp
);
6676 ipsec_sctp_pol(ipsec_selector_t
*sel
, ipsec_policy_t
**ppp
,
6681 uint16_t *pptr
= (uint16_t *)&ports
;
6684 * Find SCP state in the following order:
6685 * 1.) Connected conns.
6688 * Even though #2 will be the common case for inbound traffic, only
6689 * following this order insures correctness.
6692 if (sel
->ips_local_port
== 0)
6696 * 0 should be fport, 1 should be lport. SRC is the local one here.
6697 * See ipsec_construct_inverse_acquire() for details.
6699 pptr
[0] = sel
->ips_remote_port
;
6700 pptr
[1] = sel
->ips_local_port
;
6703 * For labeled systems, there's no need to check the
6704 * label here. It's known to be good as we checked
6705 * before allowing the connection to become bound.
6707 if (sel
->ips_isv4
) {
6708 in6_addr_t src
, dst
;
6710 IN6_IPADDR_TO_V4MAPPED(sel
->ips_remote_addr_v4
, &dst
);
6711 IN6_IPADDR_TO_V4MAPPED(sel
->ips_local_addr_v4
, &src
);
6712 connp
= sctp_find_conn(&dst
, &src
, ports
, ALL_ZONES
,
6713 0, ipst
->ips_netstack
->netstack_sctp
);
6715 connp
= sctp_find_conn(&sel
->ips_remote_addr_v6
,
6716 &sel
->ips_local_addr_v6
, ports
, ALL_ZONES
,
6717 0, ipst
->ips_netstack
->netstack_sctp
);
6721 ipsec_conn_pol(sel
, connp
, ppp
);
6722 CONN_DEC_REF(connp
);
6726 * Fill in a query for the SPD (in "sel") using two PF_KEY address extensions.
6727 * Returns 0 or errno, and always sets *diagnostic to something appropriate
6730 * NOTE: For right now, this function (and ipsec_selector_t for that matter),
6731 * ignore prefix lengths in the address extension. Since we match on first-
6732 * entered policies, this shouldn't matter. Also, since we normalize prefix-
6733 * set addresses to mask out the lower bits, we should get a suitable search
6734 * key for the SPD anyway. This is the function to change if the assumption
6735 * about suitable search keys is wrong.
6738 ipsec_get_inverse_acquire_sel(ipsec_selector_t
*sel
, sadb_address_t
*srcext
,
6739 sadb_address_t
*dstext
, int *diagnostic
)
6741 struct sockaddr_in
*src
, *dst
;
6742 struct sockaddr_in6
*src6
, *dst6
;
6746 bzero(sel
, sizeof (*sel
));
6747 sel
->ips_protocol
= srcext
->sadb_address_proto
;
6748 dst
= (struct sockaddr_in
*)(dstext
+ 1);
6749 if (dst
->sin_family
== AF_INET6
) {
6750 dst6
= (struct sockaddr_in6
*)dst
;
6751 src6
= (struct sockaddr_in6
*)(srcext
+ 1);
6752 if (src6
->sin6_family
!= AF_INET6
) {
6753 *diagnostic
= SADB_X_DIAGNOSTIC_AF_MISMATCH
;
6756 sel
->ips_remote_addr_v6
= dst6
->sin6_addr
;
6757 sel
->ips_local_addr_v6
= src6
->sin6_addr
;
6758 if (sel
->ips_protocol
== IPPROTO_ICMPV6
) {
6759 sel
->ips_is_icmp_inv_acq
= 1;
6761 sel
->ips_remote_port
= dst6
->sin6_port
;
6762 sel
->ips_local_port
= src6
->sin6_port
;
6764 sel
->ips_isv4
= B_FALSE
;
6766 src
= (struct sockaddr_in
*)(srcext
+ 1);
6767 if (src
->sin_family
!= AF_INET
) {
6768 *diagnostic
= SADB_X_DIAGNOSTIC_AF_MISMATCH
;
6771 sel
->ips_remote_addr_v4
= dst
->sin_addr
.s_addr
;
6772 sel
->ips_local_addr_v4
= src
->sin_addr
.s_addr
;
6773 if (sel
->ips_protocol
== IPPROTO_ICMP
) {
6774 sel
->ips_is_icmp_inv_acq
= 1;
6776 sel
->ips_remote_port
= dst
->sin_port
;
6777 sel
->ips_local_port
= src
->sin_port
;
6779 sel
->ips_isv4
= B_TRUE
;
6785 * We have encapsulation.
6786 * - Lookup tun_t by address and look for an associated
6788 * - If there are inner selectors
6789 * - check ITPF_P_TUNNEL and ITPF_P_ACTIVE
6790 * - Look up tunnel policy based on selectors
6792 * - Sanity check the negotation
6793 * - If appropriate, fall through to global policy
6796 ipsec_tun_pol(ipsec_selector_t
*sel
, ipsec_policy_t
**ppp
,
6797 sadb_address_t
*innsrcext
, sadb_address_t
*inndstext
, ipsec_tun_pol_t
*itp
,
6801 ipsec_policy_head_t
*polhead
;
6805 /* Check for inner selectors and act appropriately */
6807 if (innsrcext
!= NULL
) {
6808 /* Inner selectors present */
6809 ASSERT(inndstext
!= NULL
);
6810 if ((itp
== NULL
) ||
6811 (itp
->itp_flags
& (ITPF_P_ACTIVE
| ITPF_P_TUNNEL
)) !=
6812 (ITPF_P_ACTIVE
| ITPF_P_TUNNEL
)) {
6814 * If inner packet selectors, we must have negotiate
6815 * tunnel and active policy. If the tunnel has
6816 * transport-mode policy set on it, or has no policy,
6822 * Reset "sel" to indicate inner selectors. Pass
6823 * inner PF_KEY address extensions for this to happen.
6825 if ((err
= ipsec_get_inverse_acquire_sel(sel
,
6826 innsrcext
, inndstext
, diagnostic
)) != 0)
6829 * Now look for a tunnel policy based on those inner
6830 * selectors. (Common code is below.)
6834 /* No inner selectors present */
6835 if ((itp
== NULL
) || !(itp
->itp_flags
& ITPF_P_ACTIVE
)) {
6837 * Transport mode negotiation with no tunnel policy
6838 * configured - return to indicate a global policy
6842 } else if (itp
->itp_flags
& ITPF_P_TUNNEL
) {
6843 /* Tunnel mode set with no inner selectors. */
6847 * Else, this is a tunnel policy configured with ifconfig(1m)
6848 * or "negotiate transport" with ipsecconf(1m). We have an
6849 * itp with policy set based on any match, so don't bother
6850 * changing fields in "sel".
6854 ASSERT(itp
!= NULL
);
6855 polhead
= itp
->itp_policy
;
6856 ASSERT(polhead
!= NULL
);
6857 rw_enter(&polhead
->iph_lock
, RW_READER
);
6858 *ppp
= ipsec_find_policy_head(NULL
, polhead
, IPSEC_TYPE_INBOUND
, sel
);
6859 rw_exit(&polhead
->iph_lock
);
6862 * Don't default to global if we didn't find a matching policy entry.
6863 * Instead, send ENOENT, just like if we hit a transport-mode tunnel.
6872 * For sctp conn_faddr is the primary address, hence this is of limited
6876 ipsec_oth_pol(ipsec_selector_t
*sel
, ipsec_policy_t
**ppp
,
6879 boolean_t isv4
= sel
->ips_isv4
;
6884 connfp
= &ipst
->ips_ipcl_proto_fanout_v4
[sel
->ips_protocol
];
6886 connfp
= &ipst
->ips_ipcl_proto_fanout_v6
[sel
->ips_protocol
];
6889 mutex_enter(&connfp
->connf_lock
);
6890 for (connp
= connfp
->connf_head
; connp
!= NULL
;
6891 connp
= connp
->conn_next
) {
6893 if ((connp
->conn_laddr_v4
== INADDR_ANY
||
6894 connp
->conn_laddr_v4
== sel
->ips_local_addr_v4
) &&
6895 (connp
->conn_faddr_v4
== INADDR_ANY
||
6896 connp
->conn_faddr_v4
== sel
->ips_remote_addr_v4
))
6899 if ((IN6_IS_ADDR_UNSPECIFIED(&connp
->conn_laddr_v6
) ||
6900 IN6_ARE_ADDR_EQUAL(&connp
->conn_laddr_v6
,
6901 &sel
->ips_local_addr_v6
)) &&
6902 (IN6_IS_ADDR_UNSPECIFIED(&connp
->conn_faddr_v6
) ||
6903 IN6_ARE_ADDR_EQUAL(&connp
->conn_faddr_v6
,
6904 &sel
->ips_remote_addr_v6
)))
6908 if (connp
== NULL
) {
6909 mutex_exit(&connfp
->connf_lock
);
6913 CONN_INC_REF(connp
);
6914 mutex_exit(&connfp
->connf_lock
);
6916 ipsec_conn_pol(sel
, connp
, ppp
);
6917 CONN_DEC_REF(connp
);
6921 * Construct an inverse ACQUIRE reply based on:
6923 * 1.) Current global policy.
6924 * 2.) An conn_t match depending on what all was passed in the extv[].
6925 * 3.) A tunnel's policy head.
6927 * N.) Other stuff TBD (e.g. identities)
6929 * If there is an error, set sadb_msg_errno and sadb_x_msg_diagnostic
6930 * in this function so the caller can extract them where appropriately.
6932 * The SRC address is the local one - just like an outbound ACQUIRE message.
6934 * XXX MLS: key management supplies a label which we just reflect back up
6935 * again. clearly we need to involve the label in the rest of the checks.
6938 ipsec_construct_inverse_acquire(sadb_msg_t
*samsg
, sadb_ext_t
*extv
[],
6943 sadb_address_t
*srcext
= (sadb_address_t
*)extv
[SADB_EXT_ADDRESS_SRC
],
6944 *dstext
= (sadb_address_t
*)extv
[SADB_EXT_ADDRESS_DST
],
6945 *innsrcext
= (sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_INNER_SRC
],
6946 *inndstext
= (sadb_address_t
*)extv
[SADB_X_EXT_ADDRESS_INNER_DST
];
6947 sadb_sens_t
*sens
= (sadb_sens_t
*)extv
[SADB_EXT_SENSITIVITY
];
6948 struct sockaddr_in6
*src
, *dst
;
6949 struct sockaddr_in6
*isrc
, *idst
;
6950 ipsec_tun_pol_t
*itp
= NULL
;
6951 ipsec_policy_t
*pp
= NULL
;
6952 ipsec_selector_t sel
, isel
;
6953 mblk_t
*retmp
= NULL
;
6954 ip_stack_t
*ipst
= ns
->netstack_ip
;
6957 /* Normalize addresses */
6958 if (sadb_addrcheck(NULL
, (mblk_t
*)samsg
, (sadb_ext_t
*)srcext
, 0, ns
)
6959 == KS_IN_ADDR_UNKNOWN
) {
6961 diagnostic
= SADB_X_DIAGNOSTIC_BAD_SRC
;
6964 src
= (struct sockaddr_in6
*)(srcext
+ 1);
6965 if (sadb_addrcheck(NULL
, (mblk_t
*)samsg
, (sadb_ext_t
*)dstext
, 0, ns
)
6966 == KS_IN_ADDR_UNKNOWN
) {
6968 diagnostic
= SADB_X_DIAGNOSTIC_BAD_DST
;
6971 dst
= (struct sockaddr_in6
*)(dstext
+ 1);
6972 if (src
->sin6_family
!= dst
->sin6_family
) {
6974 diagnostic
= SADB_X_DIAGNOSTIC_AF_MISMATCH
;
6978 /* Check for tunnel mode and act appropriately */
6979 if (innsrcext
!= NULL
) {
6980 if (inndstext
== NULL
) {
6982 diagnostic
= SADB_X_DIAGNOSTIC_MISSING_INNER_DST
;
6985 if (sadb_addrcheck(NULL
, (mblk_t
*)samsg
,
6986 (sadb_ext_t
*)innsrcext
, 0, ns
) == KS_IN_ADDR_UNKNOWN
) {
6988 diagnostic
= SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC
;
6991 isrc
= (struct sockaddr_in6
*)(innsrcext
+ 1);
6992 if (sadb_addrcheck(NULL
, (mblk_t
*)samsg
,
6993 (sadb_ext_t
*)inndstext
, 0, ns
) == KS_IN_ADDR_UNKNOWN
) {
6995 diagnostic
= SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST
;
6998 idst
= (struct sockaddr_in6
*)(inndstext
+ 1);
6999 if (isrc
->sin6_family
!= idst
->sin6_family
) {
7001 diagnostic
= SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH
;
7004 if (isrc
->sin6_family
!= AF_INET
&&
7005 isrc
->sin6_family
!= AF_INET6
) {
7007 diagnostic
= SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF
;
7010 } else if (inndstext
!= NULL
) {
7012 diagnostic
= SADB_X_DIAGNOSTIC_MISSING_INNER_SRC
;
7016 /* Get selectors first, based on outer addresses */
7017 err
= ipsec_get_inverse_acquire_sel(&sel
, srcext
, dstext
, &diagnostic
);
7021 /* Check for tunnel mode mismatches. */
7022 if (innsrcext
!= NULL
&&
7023 ((isrc
->sin6_family
== AF_INET
&&
7024 sel
.ips_protocol
!= IPPROTO_ENCAP
&& sel
.ips_protocol
!= 0) ||
7025 (isrc
->sin6_family
== AF_INET6
&&
7026 sel
.ips_protocol
!= IPPROTO_IPV6
&& sel
.ips_protocol
!= 0))) {
7032 * Okay, we have the addresses and other selector information.
7033 * Let's first find a conn...
7036 switch (sel
.ips_protocol
) {
7038 ipsec_tcp_pol(&sel
, &pp
, ipst
);
7041 ipsec_udp_pol(&sel
, &pp
, ipst
);
7044 ipsec_sctp_pol(&sel
, &pp
, ipst
);
7049 * Assume sel.ips_remote_addr_* has the right address at
7050 * that exact position.
7052 itp
= itp_get_byaddr((uint32_t *)(&sel
.ips_local_addr_v6
),
7053 (uint32_t *)(&sel
.ips_remote_addr_v6
), src
->sin6_family
,
7056 if (innsrcext
== NULL
) {
7058 * Transport-mode tunnel, make sure we fake out isel
7059 * to contain something based on the outer protocol.
7061 bzero(&isel
, sizeof (isel
));
7062 isel
.ips_isv4
= (sel
.ips_protocol
== IPPROTO_ENCAP
);
7063 } /* Else isel is initialized by ipsec_tun_pol(). */
7064 err
= ipsec_tun_pol(&isel
, &pp
, innsrcext
, inndstext
, itp
,
7067 * NOTE: isel isn't used for now, but in RFC 430x IPsec, it
7074 ipsec_oth_pol(&sel
, &pp
, ipst
);
7079 * If we didn't find a matching conn_t or other policy head, take a
7080 * look in the global policy.
7083 pp
= ipsec_find_policy(IPSEC_TYPE_OUTBOUND
, NULL
, &sel
, ns
);
7085 /* There's no global policy. */
7093 retmp
= sadb_acquire_msg_base(0, 0, samsg
->sadb_msg_seq
,
7094 samsg
->sadb_msg_pid
);
7095 if (retmp
!= NULL
) {
7096 /* Remove KEYSOCK_OUT, because caller constructs it instead. */
7097 mblk_t
*kso
= retmp
;
7099 retmp
= retmp
->b_cont
;
7101 /* Append addresses... */
7102 retmp
->b_cont
= sadb_acquire_msg_common(&sel
, pp
, NULL
,
7103 (itp
!= NULL
&& (itp
->itp_flags
& ITPF_P_TUNNEL
)), NULL
,
7105 if (retmp
->b_cont
== NULL
) {
7109 /* And the policy result. */
7110 retmp
->b_cont
->b_cont
=
7111 sadb_acquire_extended_prop(pp
->ipsp_act
, ns
);
7112 if (retmp
->b_cont
->b_cont
== NULL
) {
7116 ((sadb_msg_t
*)retmp
->b_rptr
)->sadb_msg_len
=
7117 SADB_8TO64(msgsize(retmp
));
7123 ASSERT(err
== 0 && diagnostic
== 0);
7128 ITP_REFRELE(itp
, ns
);
7130 samsg
->sadb_msg_errno
= (uint8_t)err
;
7131 samsg
->sadb_x_msg_diagnostic
= (uint16_t)diagnostic
;
7136 * ipsa_lpkt is a one-element queue, only manipulated by the next two
7137 * functions. They have to hold the ipsa_lock because of potential races
7138 * between key management using SADB_UPDATE, and inbound packets that may
7139 * queue up on the larval SA (hence the 'l' in "lpkt").
7145 * Returns the passed-in packet if the SA is no longer larval.
7147 * Returns NULL if the SA is larval, and needs to be swapped into the SA for
7148 * processing after an SADB_UPDATE.
7151 sadb_set_lpkt(ipsa_t
*ipsa
, mblk_t
*npkt
, ip_recv_attr_t
*ira
)
7155 mutex_enter(&ipsa
->ipsa_lock
);
7156 opkt
= ipsa
->ipsa_lpkt
;
7157 if (ipsa
->ipsa_state
== IPSA_STATE_LARVAL
) {
7159 * Consume npkt and place it in the LARVAL SA's inbound
7164 attrmp
= ip_recv_attr_to_mblk(ira
);
7165 if (attrmp
== NULL
) {
7166 ill_t
*ill
= ira
->ira_ill
;
7168 BUMP_MIB(ill
->ill_ip_mib
, ipIfStatsInDiscards
);
7169 ip_drop_input("ipIfStatsInDiscards", npkt
, ill
);
7173 ASSERT(attrmp
->b_cont
== NULL
);
7174 attrmp
->b_cont
= npkt
;
7175 ipsa
->ipsa_lpkt
= attrmp
;
7180 * If not larval, we lost the race. NOTE: ipsa_lpkt may still
7181 * have been non-NULL in the non-larval case, because of
7182 * inbound packets arriving prior to sadb_common_add()
7183 * transferring the SA completely out of larval state, but
7184 * after lpkt was grabbed by the AH/ESP-specific add routines.
7185 * We should clear the old ipsa_lpkt in this case to make sure
7186 * that it doesn't linger on the now-MATURE IPsec SA, or get
7187 * picked up as an out-of-order packet.
7189 ipsa
->ipsa_lpkt
= NULL
;
7191 mutex_exit(&ipsa
->ipsa_lock
);
7194 ipsec_stack_t
*ipss
;
7196 ipss
= ira
->ira_ill
->ill_ipst
->ips_netstack
->netstack_ipsec
;
7197 opkt
= ip_recv_attr_free_mblk(opkt
);
7198 ip_drop_packet(opkt
, B_TRUE
, ira
->ira_ill
,
7199 DROPPER(ipss
, ipds_sadb_inlarval_replace
),
7200 &ipss
->ipsec_sadb_dropper
);
7206 * sadb_clear_lpkt: Atomically clear ipsa->ipsa_lpkt and return the
7210 sadb_clear_lpkt(ipsa_t
*ipsa
)
7214 mutex_enter(&ipsa
->ipsa_lock
);
7215 opkt
= ipsa
->ipsa_lpkt
;
7216 ipsa
->ipsa_lpkt
= NULL
;
7217 mutex_exit(&ipsa
->ipsa_lock
);
7222 * Buffer a packet that's in IDLE state as set by Solaris Clustering.
7225 sadb_buf_pkt(ipsa_t
*ipsa
, mblk_t
*bpkt
, ip_recv_attr_t
*ira
)
7227 netstack_t
*ns
= ira
->ira_ill
->ill_ipst
->ips_netstack
;
7228 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
7229 in6_addr_t
*srcaddr
= (in6_addr_t
*)(&ipsa
->ipsa_srcaddr
);
7230 in6_addr_t
*dstaddr
= (in6_addr_t
*)(&ipsa
->ipsa_dstaddr
);
7233 ASSERT(ipsa
->ipsa_state
== IPSA_STATE_IDLE
);
7235 if (cl_inet_idlesa
== NULL
) {
7236 ip_drop_packet(bpkt
, B_TRUE
, ira
->ira_ill
,
7237 DROPPER(ipss
, ipds_sadb_inidle_overflow
),
7238 &ipss
->ipsec_sadb_dropper
);
7242 cl_inet_idlesa(ns
->netstack_stackid
,
7243 (ipsa
->ipsa_type
== SADB_SATYPE_AH
) ? IPPROTO_AH
: IPPROTO_ESP
,
7244 ipsa
->ipsa_spi
, ipsa
->ipsa_addrfam
, *srcaddr
, *dstaddr
, NULL
);
7246 mp
= ip_recv_attr_to_mblk(ira
);
7248 ip_drop_packet(bpkt
, B_TRUE
, ira
->ira_ill
,
7249 DROPPER(ipss
, ipds_sadb_inidle_overflow
),
7250 &ipss
->ipsec_sadb_dropper
);
7255 mutex_enter(&ipsa
->ipsa_lock
);
7256 ipsa
->ipsa_mblkcnt
++;
7257 if (ipsa
->ipsa_bpkt_head
== NULL
) {
7258 ipsa
->ipsa_bpkt_head
= ipsa
->ipsa_bpkt_tail
= bpkt
;
7260 ipsa
->ipsa_bpkt_tail
->b_next
= bpkt
;
7261 ipsa
->ipsa_bpkt_tail
= bpkt
;
7262 if (ipsa
->ipsa_mblkcnt
> SADB_MAX_IDLEPKTS
) {
7265 tmp
= ipsa
->ipsa_bpkt_head
;
7266 ipsa
->ipsa_bpkt_head
= ipsa
->ipsa_bpkt_head
->b_next
;
7267 tmp
= ip_recv_attr_free_mblk(tmp
);
7268 ip_drop_packet(tmp
, B_TRUE
, NULL
,
7269 DROPPER(ipss
, ipds_sadb_inidle_overflow
),
7270 &ipss
->ipsec_sadb_dropper
);
7271 ipsa
->ipsa_mblkcnt
--;
7274 mutex_exit(&ipsa
->ipsa_lock
);
7278 * Stub function that taskq_dispatch() invokes to take the mblk (in arg)
7279 * and put into STREAMS again.
7282 sadb_clear_buf_pkt(void *ipkt
)
7284 mblk_t
*tmp
, *buf_pkt
;
7285 ip_recv_attr_t iras
;
7287 buf_pkt
= (mblk_t
*)ipkt
;
7289 while (buf_pkt
!= NULL
) {
7292 tmp
= buf_pkt
->b_next
;
7293 buf_pkt
->b_next
= NULL
;
7295 data_mp
= buf_pkt
->b_cont
;
7296 buf_pkt
->b_cont
= NULL
;
7297 if (!ip_recv_attr_from_mblk(buf_pkt
, &iras
)) {
7298 /* The ill or ip_stack_t disappeared on us. */
7299 ip_drop_input("ip_recv_attr_from_mblk", data_mp
, NULL
);
7302 ip_input_post_ipsec(data_mp
, &iras
);
7304 ira_cleanup(&iras
, B_TRUE
);
7309 * Walker callback used by sadb_alg_update() to free/create crypto
7310 * context template when a crypto software provider is removed or
7314 struct sadb_update_alg_state
{
7315 ipsec_algtype_t alg_type
;
7318 boolean_t async_auth
;
7319 boolean_t async_encr
;
7323 sadb_alg_update_cb(isaf_t
*head
, ipsa_t
*entry
, void *cookie
)
7325 struct sadb_update_alg_state
*update_state
=
7326 (struct sadb_update_alg_state
*)cookie
;
7327 crypto_ctx_template_t
*ctx_tmpl
= NULL
;
7329 ASSERT(MUTEX_HELD(&head
->isaf_lock
));
7331 if (entry
->ipsa_state
== IPSA_STATE_LARVAL
)
7334 mutex_enter(&entry
->ipsa_lock
);
7336 if ((entry
->ipsa_encr_alg
!= SADB_EALG_NONE
&& entry
->ipsa_encr_alg
!=
7337 SADB_EALG_NULL
&& update_state
->async_encr
) ||
7338 (entry
->ipsa_auth_alg
!= SADB_AALG_NONE
&&
7339 update_state
->async_auth
)) {
7340 entry
->ipsa_flags
|= IPSA_F_ASYNC
;
7342 entry
->ipsa_flags
&= ~IPSA_F_ASYNC
;
7345 switch (update_state
->alg_type
) {
7346 case IPSEC_ALG_AUTH
:
7347 if (entry
->ipsa_auth_alg
== update_state
->alg_id
)
7348 ctx_tmpl
= &entry
->ipsa_authtmpl
;
7350 case IPSEC_ALG_ENCR
:
7351 if (entry
->ipsa_encr_alg
== update_state
->alg_id
)
7352 ctx_tmpl
= &entry
->ipsa_encrtmpl
;
7358 if (ctx_tmpl
== NULL
) {
7359 mutex_exit(&entry
->ipsa_lock
);
7364 * The context template of the SA may be affected by the change
7365 * of crypto provider.
7367 if (update_state
->is_added
) {
7368 /* create the context template if not already done */
7369 if (*ctx_tmpl
== NULL
) {
7370 (void) ipsec_create_ctx_tmpl(entry
,
7371 update_state
->alg_type
);
7375 * The crypto provider was removed. If the context template
7376 * exists but it is no longer valid, free it.
7378 if (*ctx_tmpl
!= NULL
)
7379 ipsec_destroy_ctx_tmpl(entry
, update_state
->alg_type
);
7382 mutex_exit(&entry
->ipsa_lock
);
7386 * Invoked by IP when an software crypto provider has been updated, or if
7387 * the crypto synchrony changes. The type and id of the corresponding
7388 * algorithm is passed as argument. The type is set to ALL in the case of
7389 * a synchrony change.
7391 * is_added is B_TRUE if the provider was added, B_FALSE if it was
7392 * removed. The function updates the SADB and free/creates the
7393 * context templates associated with SAs if needed.
7396 #define SADB_ALG_UPDATE_WALK(sadb, table) \
7397 sadb_walker((sadb).table, (sadb).sdb_hashsize, sadb_alg_update_cb, \
7401 sadb_alg_update(ipsec_algtype_t alg_type
, uint8_t alg_id
, boolean_t is_added
,
7404 struct sadb_update_alg_state update_state
;
7405 ipsecah_stack_t
*ahstack
= ns
->netstack_ipsecah
;
7406 ipsecesp_stack_t
*espstack
= ns
->netstack_ipsecesp
;
7407 ipsec_stack_t
*ipss
= ns
->netstack_ipsec
;
7409 update_state
.alg_type
= alg_type
;
7410 update_state
.alg_id
= alg_id
;
7411 update_state
.is_added
= is_added
;
7412 update_state
.async_auth
= ipss
->ipsec_algs_exec_mode
[IPSEC_ALG_AUTH
] ==
7413 IPSEC_ALGS_EXEC_ASYNC
;
7414 update_state
.async_encr
= ipss
->ipsec_algs_exec_mode
[IPSEC_ALG_ENCR
] ==
7415 IPSEC_ALGS_EXEC_ASYNC
;
7417 if (alg_type
== IPSEC_ALG_AUTH
|| alg_type
== IPSEC_ALG_ALL
) {
7418 /* walk the AH tables only for auth. algorithm changes */
7419 SADB_ALG_UPDATE_WALK(ahstack
->ah_sadb
.s_v4
, sdb_of
);
7420 SADB_ALG_UPDATE_WALK(ahstack
->ah_sadb
.s_v4
, sdb_if
);
7421 SADB_ALG_UPDATE_WALK(ahstack
->ah_sadb
.s_v6
, sdb_of
);
7422 SADB_ALG_UPDATE_WALK(ahstack
->ah_sadb
.s_v6
, sdb_if
);
7425 /* walk the ESP tables */
7426 SADB_ALG_UPDATE_WALK(espstack
->esp_sadb
.s_v4
, sdb_of
);
7427 SADB_ALG_UPDATE_WALK(espstack
->esp_sadb
.s_v4
, sdb_if
);
7428 SADB_ALG_UPDATE_WALK(espstack
->esp_sadb
.s_v6
, sdb_of
);
7429 SADB_ALG_UPDATE_WALK(espstack
->esp_sadb
.s_v6
, sdb_if
);
7433 * Creates a context template for the specified SA. This function
7434 * is called when an SA is created and when a context template needs
7435 * to be created due to a change of software provider.
7438 ipsec_create_ctx_tmpl(ipsa_t
*sa
, ipsec_algtype_t alg_type
)
7440 ipsec_alginfo_t
*alg
;
7441 crypto_mechanism_t mech
;
7443 crypto_ctx_template_t
*sa_tmpl
;
7445 ipsec_stack_t
*ipss
= sa
->ipsa_netstack
->netstack_ipsec
;
7447 ASSERT(RW_READ_HELD(&ipss
->ipsec_alg_lock
));
7448 ASSERT(MUTEX_HELD(&sa
->ipsa_lock
));
7450 /* get pointers to the algorithm info, context template, and key */
7452 case IPSEC_ALG_AUTH
:
7453 key
= &sa
->ipsa_kcfauthkey
;
7454 sa_tmpl
= &sa
->ipsa_authtmpl
;
7455 alg
= ipss
->ipsec_alglists
[alg_type
][sa
->ipsa_auth_alg
];
7457 case IPSEC_ALG_ENCR
:
7458 key
= &sa
->ipsa_kcfencrkey
;
7459 sa_tmpl
= &sa
->ipsa_encrtmpl
;
7460 alg
= ipss
->ipsec_alglists
[alg_type
][sa
->ipsa_encr_alg
];
7466 if (alg
== NULL
|| !ALG_VALID(alg
))
7469 /* initialize the mech info structure for the framework */
7470 ASSERT(alg
->alg_mech_type
!= CRYPTO_MECHANISM_INVALID
);
7471 mech
.cm_type
= alg
->alg_mech_type
;
7472 mech
.cm_param
= NULL
;
7473 mech
.cm_param_len
= 0;
7475 /* create a new context template */
7476 rv
= crypto_create_ctx_template(&mech
, key
, sa_tmpl
, KM_NOSLEEP
);
7479 * CRYPTO_MECH_NOT_SUPPORTED can be returned if only hardware
7480 * providers are available for that mechanism. In that case
7481 * we don't fail, and will generate the context template from
7482 * the framework callback when a software provider for that
7483 * mechanism registers.
7485 * The context template is assigned the special value
7486 * IPSEC_CTX_TMPL_ALLOC if the allocation failed due to a
7487 * lack of memory. No attempt will be made to use
7488 * the context template if it is set to this value.
7490 if (rv
== CRYPTO_HOST_MEMORY
) {
7491 *sa_tmpl
= IPSEC_CTX_TMPL_ALLOC
;
7492 } else if (rv
!= CRYPTO_SUCCESS
) {
7494 if (rv
!= CRYPTO_MECH_NOT_SUPPORTED
)
7502 * Destroy the context template of the specified algorithm type
7503 * of the specified SA. Must be called while holding the SA lock.
7506 ipsec_destroy_ctx_tmpl(ipsa_t
*sa
, ipsec_algtype_t alg_type
)
7508 ASSERT(MUTEX_HELD(&sa
->ipsa_lock
));
7510 if (alg_type
== IPSEC_ALG_AUTH
) {
7511 if (sa
->ipsa_authtmpl
== IPSEC_CTX_TMPL_ALLOC
)
7512 sa
->ipsa_authtmpl
= NULL
;
7513 else if (sa
->ipsa_authtmpl
!= NULL
) {
7514 crypto_destroy_ctx_template(sa
->ipsa_authtmpl
);
7515 sa
->ipsa_authtmpl
= NULL
;
7518 ASSERT(alg_type
== IPSEC_ALG_ENCR
);
7519 if (sa
->ipsa_encrtmpl
== IPSEC_CTX_TMPL_ALLOC
)
7520 sa
->ipsa_encrtmpl
= NULL
;
7521 else if (sa
->ipsa_encrtmpl
!= NULL
) {
7522 crypto_destroy_ctx_template(sa
->ipsa_encrtmpl
);
7523 sa
->ipsa_encrtmpl
= NULL
;
7529 * Use the kernel crypto framework to check the validity of a key received
7530 * via keysock. Returns 0 if the key is OK, -1 otherwise.
7533 ipsec_check_key(crypto_mech_type_t mech_type
, sadb_key_t
*sadb_key
,
7534 boolean_t is_auth
, int *diag
)
7536 crypto_mechanism_t mech
;
7537 crypto_key_t crypto_key
;
7540 mech
.cm_type
= mech_type
;
7541 mech
.cm_param
= NULL
;
7542 mech
.cm_param_len
= 0;
7544 crypto_key
.ck_format
= CRYPTO_KEY_RAW
;
7545 crypto_key
.ck_data
= sadb_key
+ 1;
7546 crypto_key
.ck_length
= sadb_key
->sadb_key_bits
;
7548 crypto_rc
= crypto_key_check(&mech
, &crypto_key
);
7550 switch (crypto_rc
) {
7551 case CRYPTO_SUCCESS
:
7553 case CRYPTO_MECHANISM_INVALID
:
7554 case CRYPTO_MECH_NOT_SUPPORTED
:
7555 *diag
= is_auth
? SADB_X_DIAGNOSTIC_BAD_AALG
:
7556 SADB_X_DIAGNOSTIC_BAD_EALG
;
7558 case CRYPTO_KEY_SIZE_RANGE
:
7559 *diag
= is_auth
? SADB_X_DIAGNOSTIC_BAD_AKEYBITS
:
7560 SADB_X_DIAGNOSTIC_BAD_EKEYBITS
;
7562 case CRYPTO_WEAK_KEY
:
7563 *diag
= is_auth
? SADB_X_DIAGNOSTIC_WEAK_AKEY
:
7564 SADB_X_DIAGNOSTIC_WEAK_EKEY
;
7572 * Whack options in the outer IP header when ipsec changes the outer label
7574 * This is inelegant and really could use refactoring.
7577 sadb_whack_label_v4(mblk_t
*mp
, ipsa_t
*assoc
, kstat_named_t
*counter
,
7578 ipdropper_t
*dropper
)
7584 uint8_t *opt_storage
= assoc
->ipsa_opt_storage
;
7585 ipha_t
*ipha
= (ipha_t
*)mp
->b_rptr
;
7587 plen
= ntohs(ipha
->ipha_length
);
7589 delta
= tsol_remove_secopt(ipha
, MBLKL(mp
));
7590 mp
->b_wptr
+= delta
;
7593 /* XXX XXX code copied from tsol_check_label */
7595 /* Make sure we have room for the worst-case addition */
7596 hlen
= IPH_HDR_LENGTH(ipha
) + opt_storage
[IPOPT_OLEN
];
7597 hlen
= (hlen
+ 3) & ~3;
7598 if (hlen
> IP_MAX_HDR_LENGTH
)
7599 hlen
= IP_MAX_HDR_LENGTH
;
7600 hlen
-= IPH_HDR_LENGTH(ipha
);
7603 if ((db
->db_ref
!= 1) || (mp
->b_wptr
+ hlen
> db
->db_lim
)) {
7607 /* allocate enough to be meaningful, but not *too* much */
7608 copylen
= MBLKL(mp
);
7611 new_mp
= allocb_tmpl(hlen
+ copylen
+
7612 (mp
->b_rptr
- mp
->b_datap
->db_base
), mp
);
7614 if (new_mp
== NULL
) {
7615 ip_drop_packet(mp
, B_FALSE
, NULL
, counter
, dropper
);
7620 new_mp
->b_rptr
+= mp
->b_rptr
- mp
->b_datap
->db_base
;
7621 new_mp
->b_wptr
= new_mp
->b_rptr
+ copylen
;
7622 bcopy(mp
->b_rptr
, new_mp
->b_rptr
, copylen
);
7623 new_mp
->b_cont
= mp
;
7624 if ((mp
->b_rptr
+= copylen
) >= mp
->b_wptr
) {
7625 new_mp
->b_cont
= mp
->b_cont
;
7629 ipha
= (ipha_t
*)mp
->b_rptr
;
7632 delta
= tsol_prepend_option(assoc
->ipsa_opt_storage
, ipha
, MBLKL(mp
));
7634 ASSERT(delta
!= -1);
7637 mp
->b_wptr
+= delta
;
7644 ASSERT3P(mp
->b_wptr
, <=, db
->db_lim
);
7645 ASSERT3P(mp
->b_rptr
, <=, db
->db_lim
);
7647 ASSERT3P(mp
->b_wptr
, >=, db
->db_base
);
7648 ASSERT3P(mp
->b_rptr
, >=, db
->db_base
);
7651 ipha
->ipha_length
= htons(plen
);
7657 sadb_whack_label_v6(mblk_t
*mp
, ipsa_t
*assoc
, kstat_named_t
*counter
,
7658 ipdropper_t
*dropper
)
7664 uint8_t *opt_storage
= assoc
->ipsa_opt_storage
;
7665 uint_t sec_opt_len
; /* label option length not including type, len */
7666 ip6_t
*ip6h
= (ip6_t
*)mp
->b_rptr
;
7668 plen
= ntohs(ip6h
->ip6_plen
);
7670 delta
= tsol_remove_secopt_v6(ip6h
, MBLKL(mp
));
7671 mp
->b_wptr
+= delta
;
7674 /* XXX XXX code copied from tsol_check_label_v6 */
7676 * Make sure we have room for the worst-case addition. Add 2 bytes for
7677 * the hop-by-hop ext header's next header and length fields. Add
7678 * another 2 bytes for the label option type, len and then round
7679 * up to the next 8-byte multiple.
7681 sec_opt_len
= opt_storage
[1];
7684 hlen
= (4 + sec_opt_len
+ 7) & ~7;
7686 if ((db
->db_ref
!= 1) || (mp
->b_wptr
+ hlen
> db
->db_lim
)) {
7691 hdr_len
= ip_hdr_length_v6(mp
, ip6h
);
7693 * Allocate enough to be meaningful, but not *too* much.
7694 * Also all the IPv6 extension headers must be in the same mblk
7696 copylen
= MBLKL(mp
);
7699 if (copylen
< hdr_len
)
7701 new_mp
= allocb_tmpl(hlen
+ copylen
+
7702 (mp
->b_rptr
- mp
->b_datap
->db_base
), mp
);
7703 if (new_mp
== NULL
) {
7704 ip_drop_packet(mp
, B_FALSE
, NULL
, counter
, dropper
);
7709 new_mp
->b_rptr
+= mp
->b_rptr
- mp
->b_datap
->db_base
;
7710 new_mp
->b_wptr
= new_mp
->b_rptr
+ copylen
;
7711 bcopy(mp
->b_rptr
, new_mp
->b_rptr
, copylen
);
7712 new_mp
->b_cont
= mp
;
7713 if ((mp
->b_rptr
+= copylen
) >= mp
->b_wptr
) {
7714 new_mp
->b_cont
= mp
->b_cont
;
7718 ip6h
= (ip6_t
*)mp
->b_rptr
;
7721 delta
= tsol_prepend_option_v6(assoc
->ipsa_opt_storage
,
7724 ASSERT(delta
!= -1);
7727 mp
->b_wptr
+= delta
;
7734 ASSERT3P(mp
->b_wptr
, <=, db
->db_lim
);
7735 ASSERT3P(mp
->b_rptr
, <=, db
->db_lim
);
7737 ASSERT3P(mp
->b_wptr
, >=, db
->db_base
);
7738 ASSERT3P(mp
->b_rptr
, >=, db
->db_base
);
7741 ip6h
->ip6_plen
= htons(plen
);
7746 /* Whack the labels and update ip_xmit_attr_t as needed */
7748 sadb_whack_label(mblk_t
*mp
, ipsa_t
*assoc
, ip_xmit_attr_t
*ixa
,
7749 kstat_named_t
*counter
, ipdropper_t
*dropper
)
7754 if (ixa
->ixa_flags
& IXAF_IS_IPV4
) {
7755 ipha_t
*ipha
= (ipha_t
*)mp
->b_rptr
;
7757 ASSERT(IPH_HDR_VERSION(ipha
) == IPV4_VERSION
);
7758 iplen
= ntohs(ipha
->ipha_length
);
7759 mp
= sadb_whack_label_v4(mp
, assoc
, counter
, dropper
);
7763 ipha
= (ipha_t
*)mp
->b_rptr
;
7764 ASSERT(IPH_HDR_VERSION(ipha
) == IPV4_VERSION
);
7765 adjust
= (int)ntohs(ipha
->ipha_length
) - iplen
;
7767 ip6_t
*ip6h
= (ip6_t
*)mp
->b_rptr
;
7769 ASSERT(IPH_HDR_VERSION(ip6h
) == IPV6_VERSION
);
7770 iplen
= ntohs(ip6h
->ip6_plen
);
7771 mp
= sadb_whack_label_v6(mp
, assoc
, counter
, dropper
);
7775 ip6h
= (ip6_t
*)mp
->b_rptr
;
7776 ASSERT(IPH_HDR_VERSION(ip6h
) == IPV6_VERSION
);
7777 adjust
= (int)ntohs(ip6h
->ip6_plen
) - iplen
;
7779 ixa
->ixa_pktlen
+= adjust
;
7780 ixa
->ixa_ip_hdr_length
+= adjust
;
7785 * If this is an outgoing SA then add some fuzz to the
7786 * SOFT EXPIRE time. The reason for this is to stop
7787 * peers trying to renegotiate SOFT expiring SA's at
7788 * the same time. The amount of fuzz needs to be at
7789 * least 8 seconds which is the typical interval
7790 * sadb_ager(), although this is only a guide as it
7794 lifetime_fuzz(ipsa_t
*assoc
)
7798 if (assoc
->ipsa_softaddlt
== 0)
7801 (void) random_get_pseudo_bytes(&rnd
, sizeof (rnd
));
7802 rnd
= (rnd
& 0xF) + 8;
7803 assoc
->ipsa_softexpiretime
-= rnd
;
7804 assoc
->ipsa_softaddlt
-= rnd
;
7808 destroy_ipsa_pair(ipsap_t
*ipsapp
)
7811 * Because of the multi-line macro nature of IPSA_REFRELE, keep
7814 if (ipsapp
->ipsap_sa_ptr
!= NULL
) {
7815 IPSA_REFRELE(ipsapp
->ipsap_sa_ptr
);
7817 if (ipsapp
->ipsap_psa_ptr
!= NULL
) {
7818 IPSA_REFRELE(ipsapp
->ipsap_psa_ptr
);
7820 init_ipsa_pair(ipsapp
);
7824 init_ipsa_pair(ipsap_t
*ipsapp
)
7826 ipsapp
->ipsap_bucket
= NULL
;
7827 ipsapp
->ipsap_sa_ptr
= NULL
;
7828 ipsapp
->ipsap_pbucket
= NULL
;
7829 ipsapp
->ipsap_psa_ptr
= NULL
;
7833 * The sadb_ager() function walks through the hash tables of SA's and ages
7834 * them, if the SA expires as a result, its marked as DEAD and will be reaped
7835 * the next time sadb_ager() runs. SA's which are paired or have a peer (same
7836 * SA appears in both the inbound and outbound tables because its not possible
7837 * to determine its direction) are placed on a list when they expire. This is
7838 * to ensure that pair/peer SA's are reaped at the same time, even if they
7839 * expire at different times.
7841 * This function is called twice by sadb_ager(), one after processing the
7842 * inbound table, then again after processing the outbound table.
7845 age_pair_peer_list(templist_t
*haspeerlist
, sadb_t
*sp
, boolean_t outbound
)
7847 templist_t
*listptr
;
7851 ipsa_t
*peer_assoc
, *dying
;
7853 * Haspeer cases will contain both IPv4 and IPv6. This code
7854 * is address independent.
7856 while (haspeerlist
!= NULL
) {
7857 /* "dying" contains the SA that has a peer. */
7858 dying
= haspeerlist
->ipsa
;
7859 haspeer
= (dying
->ipsa_haspeer
);
7860 listptr
= haspeerlist
;
7861 haspeerlist
= listptr
->next
;
7862 kmem_free(listptr
, sizeof (*listptr
));
7864 * Pick peer bucket based on addrfam.
7868 bucket
= INBOUND_BUCKET(sp
, dying
->ipsa_spi
);
7870 bucket
= INBOUND_BUCKET(sp
,
7871 dying
->ipsa_otherspi
);
7872 } else { /* inbound */
7874 if (dying
->ipsa_addrfam
== AF_INET6
) {
7875 outhash
= OUTBOUND_HASH_V6(sp
,
7876 *((in6_addr_t
*)&dying
->
7879 outhash
= OUTBOUND_HASH_V4(sp
,
7880 *((ipaddr_t
*)&dying
->
7883 } else if (dying
->ipsa_addrfam
== AF_INET6
) {
7884 outhash
= OUTBOUND_HASH_V6(sp
,
7885 *((in6_addr_t
*)&dying
->
7888 outhash
= OUTBOUND_HASH_V4(sp
,
7889 *((ipaddr_t
*)&dying
->
7892 bucket
= &(sp
->sdb_of
[outhash
]);
7895 mutex_enter(&bucket
->isaf_lock
);
7897 * "haspeer" SA's have the same src/dst address ordering,
7898 * "paired" SA's have the src/dst addresses reversed.
7901 peer_assoc
= ipsec_getassocbyspi(bucket
,
7902 dying
->ipsa_spi
, dying
->ipsa_srcaddr
,
7903 dying
->ipsa_dstaddr
, dying
->ipsa_addrfam
);
7905 peer_assoc
= ipsec_getassocbyspi(bucket
,
7906 dying
->ipsa_otherspi
, dying
->ipsa_dstaddr
,
7907 dying
->ipsa_srcaddr
, dying
->ipsa_addrfam
);
7910 mutex_exit(&bucket
->isaf_lock
);
7911 if (peer_assoc
!= NULL
) {
7912 mutex_enter(&peer_assoc
->ipsa_lock
);
7913 mutex_enter(&dying
->ipsa_lock
);
7916 * Only SA's which have a "peer" or are
7917 * "paired" end up on this list, so this
7918 * must be a "paired" SA, update the flags
7919 * to break the pair.
7921 peer_assoc
->ipsa_otherspi
= 0;
7922 peer_assoc
->ipsa_flags
&= ~IPSA_F_PAIRED
;
7923 dying
->ipsa_otherspi
= 0;
7924 dying
->ipsa_flags
&= ~IPSA_F_PAIRED
;
7926 if (haspeer
|| outbound
) {
7928 * Update the state of the "inbound" SA when
7929 * the "outbound" SA has expired. Don't update
7930 * the "outbound" SA when the "inbound" SA
7931 * SA expires because setting the hard_addtime
7932 * below will cause this to happen.
7934 peer_assoc
->ipsa_state
= dying
->ipsa_state
;
7936 if (dying
->ipsa_state
== IPSA_STATE_DEAD
)
7937 peer_assoc
->ipsa_hardexpiretime
= 1;
7939 mutex_exit(&dying
->ipsa_lock
);
7940 mutex_exit(&peer_assoc
->ipsa_lock
);
7941 IPSA_REFRELE(peer_assoc
);
7943 IPSA_REFRELE(dying
);
7948 * Ensure that the IV used for CCM mode never repeats. The IV should
7949 * only be updated by this function. Also check to see if the IV
7950 * is about to wrap and generate a SOFT Expire. This function is only
7951 * called for outgoing packets, the IV for incomming packets is taken
7952 * from the wire. If the outgoing SA needs to be expired, update
7953 * the matching incomming SA.
7956 update_iv(uint8_t *iv_ptr
, queue_t
*pfkey_q
, ipsa_t
*assoc
,
7957 ipsecesp_stack_t
*espstack
)
7959 boolean_t rc
= B_TRUE
;
7960 isaf_t
*inbound_bucket
;
7962 ipsa_t
*pair_sa
= NULL
;
7963 int sa_new_state
= 0;
7965 /* For non counter modes, the IV is random data. */
7966 if (!(assoc
->ipsa_flags
& IPSA_F_COUNTERMODE
)) {
7967 (void) random_get_pseudo_bytes(iv_ptr
, assoc
->ipsa_iv_len
);
7971 mutex_enter(&assoc
->ipsa_lock
);
7973 (*assoc
->ipsa_iv
)++;
7975 if (*assoc
->ipsa_iv
== assoc
->ipsa_iv_hardexpire
) {
7976 sa_new_state
= IPSA_STATE_DEAD
;
7978 } else if (*assoc
->ipsa_iv
== assoc
->ipsa_iv_softexpire
) {
7979 if (assoc
->ipsa_state
!= IPSA_STATE_DYING
) {
7981 * This SA may have already been expired when its
7984 sa_new_state
= IPSA_STATE_DYING
;
7989 * If there is a state change, we need to update this SA
7990 * and its "pair", we can find the bucket for the "pair" SA
7991 * while holding the ipsa_t mutex, but we won't actually
7992 * update anything untill the ipsa_t mutex has been released
7995 assoc
->ipsa_state
= sa_new_state
;
7996 if (assoc
->ipsa_addrfam
== AF_INET6
) {
7997 sp
= &espstack
->esp_sadb
.s_v6
;
7999 sp
= &espstack
->esp_sadb
.s_v4
;
8001 inbound_bucket
= INBOUND_BUCKET(sp
, assoc
->ipsa_otherspi
);
8002 sadb_expire_assoc(pfkey_q
, assoc
);
8005 bcopy(assoc
->ipsa_iv
, iv_ptr
, assoc
->ipsa_iv_len
);
8007 mutex_exit(&assoc
->ipsa_lock
);
8010 /* Find the inbound SA, need to lock hash bucket. */
8011 mutex_enter(&inbound_bucket
->isaf_lock
);
8012 pair_sa
= ipsec_getassocbyspi(inbound_bucket
,
8013 assoc
->ipsa_otherspi
, assoc
->ipsa_dstaddr
,
8014 assoc
->ipsa_srcaddr
, assoc
->ipsa_addrfam
);
8015 mutex_exit(&inbound_bucket
->isaf_lock
);
8016 if (pair_sa
!= NULL
) {
8017 mutex_enter(&pair_sa
->ipsa_lock
);
8018 pair_sa
->ipsa_state
= sa_new_state
;
8019 mutex_exit(&pair_sa
->ipsa_lock
);
8020 IPSA_REFRELE(pair_sa
);
8028 ccm_params_init(ipsa_t
*assoc
, uchar_t
*esph
, uint_t data_len
, uchar_t
*iv_ptr
,
8029 ipsa_cm_mech_t
*cm_mech
, crypto_data_t
*crypto_data
)
8032 crypto_mechanism_t
*combined_mech
;
8033 CK_AES_CCM_PARAMS
*params
;
8035 combined_mech
= (crypto_mechanism_t
*)cm_mech
;
8036 params
= (CK_AES_CCM_PARAMS
*)(combined_mech
+ 1);
8037 nonce
= (uchar_t
*)(params
+ 1);
8038 params
->ulMACSize
= assoc
->ipsa_mac_len
;
8039 params
->ulNonceSize
= assoc
->ipsa_nonce_len
;
8040 params
->ulAuthDataSize
= sizeof (esph_t
);
8041 params
->ulDataSize
= data_len
;
8042 params
->nonce
= nonce
;
8043 params
->authData
= esph
;
8045 cm_mech
->combined_mech
.cm_type
= assoc
->ipsa_emech
.cm_type
;
8046 cm_mech
->combined_mech
.cm_param_len
= sizeof (CK_AES_CCM_PARAMS
);
8047 cm_mech
->combined_mech
.cm_param
= (caddr_t
)params
;
8048 /* See gcm_params_init() for comments. */
8049 bcopy(assoc
->ipsa_nonce
, nonce
, assoc
->ipsa_saltlen
);
8050 nonce
+= assoc
->ipsa_saltlen
;
8051 bcopy(iv_ptr
, nonce
, assoc
->ipsa_iv_len
);
8052 crypto_data
->cd_miscdata
= NULL
;
8057 cbc_params_init(ipsa_t
*assoc
, uchar_t
*esph
, uint_t data_len
, uchar_t
*iv_ptr
,
8058 ipsa_cm_mech_t
*cm_mech
, crypto_data_t
*crypto_data
)
8060 cm_mech
->combined_mech
.cm_type
= assoc
->ipsa_emech
.cm_type
;
8061 cm_mech
->combined_mech
.cm_param_len
= 0;
8062 cm_mech
->combined_mech
.cm_param
= NULL
;
8063 crypto_data
->cd_miscdata
= (char *)iv_ptr
;
8068 gcm_params_init(ipsa_t
*assoc
, uchar_t
*esph
, uint_t data_len
, uchar_t
*iv_ptr
,
8069 ipsa_cm_mech_t
*cm_mech
, crypto_data_t
*crypto_data
)
8072 crypto_mechanism_t
*combined_mech
;
8073 CK_AES_GCM_PARAMS
*params
;
8075 combined_mech
= (crypto_mechanism_t
*)cm_mech
;
8076 params
= (CK_AES_GCM_PARAMS
*)(combined_mech
+ 1);
8077 nonce
= (uchar_t
*)(params
+ 1);
8079 params
->pIv
= nonce
;
8080 params
->ulIvLen
= assoc
->ipsa_nonce_len
;
8081 params
->ulIvBits
= SADB_8TO1(assoc
->ipsa_nonce_len
);
8082 params
->pAAD
= esph
;
8083 params
->ulAADLen
= sizeof (esph_t
);
8084 params
->ulTagBits
= SADB_8TO1(assoc
->ipsa_mac_len
);
8086 cm_mech
->combined_mech
.cm_type
= assoc
->ipsa_emech
.cm_type
;
8087 cm_mech
->combined_mech
.cm_param_len
= sizeof (CK_AES_GCM_PARAMS
);
8088 cm_mech
->combined_mech
.cm_param
= (caddr_t
)params
;
8090 * Create the nonce, which is made up of the salt and the IV.
8091 * Copy the salt from the SA and the IV from the packet.
8092 * For inbound packets we copy the IV from the packet because it
8093 * was set by the sending system, for outbound packets we copy the IV
8094 * from the packet because the IV in the SA may be changed by another
8095 * thread, the IV in the packet was created while holding a mutex.
8097 bcopy(assoc
->ipsa_nonce
, nonce
, assoc
->ipsa_saltlen
);
8098 nonce
+= assoc
->ipsa_saltlen
;
8099 bcopy(iv_ptr
, nonce
, assoc
->ipsa_iv_len
);
8100 crypto_data
->cd_miscdata
= NULL
;