1/* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21/* 22 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25#include <sys/param.h> 26#include <sys/types.h> 27#include <sys/stream.h> 28#include <sys/strsubr.h> 29#include <sys/strsun.h> 30#include <sys/stropts.h> 31#include <sys/zone.h> 32#include <sys/vnode.h> 33#include <sys/sysmacros.h> 34#define _SUN_TPI_VERSION 2 35#include <sys/tihdr.h> 36#include <sys/ddi.h> 37#include <sys/sunddi.h> 38#include <sys/mkdev.h> 39#include <sys/debug.h> 40#include <sys/kmem.h> 41#include <sys/cmn_err.h> 42#include <sys/suntpi.h> 43#include <sys/policy.h> 44#include <sys/dls.h> 45 46#include <sys/socket.h> 47#include <netinet/in.h> 48#include <net/pfkeyv2.h> 49#include <net/pfpolicy.h> 50 51#include <inet/common.h> 52#include <netinet/ip6.h> 53#include <inet/ip.h> 54#include <inet/ip6.h> 55#include <inet/mi.h> 56#include <inet/proto_set.h> 57#include <inet/nd.h> 58#include <inet/ip_if.h> 59#include <inet/optcom.h> 60#include <inet/ipsec_impl.h> 61#include <inet/spdsock.h> 62#include <inet/sadb.h> 63#include <inet/iptun.h> 64#include <inet/iptun/iptun_impl.h> 65 66#include <sys/isa_defs.h> 67 68#include <c2/audit.h> 69 70/* 71 * This is a transport provider for the PF_POLICY IPsec policy 72 * management socket, which provides a management interface into the 73 * SPD, allowing policy rules to be added, deleted, and queried. 74 * 75 * This effectively replaces the old private SIOC*IPSECONFIG ioctls 76 * with an extensible interface which will hopefully be public some 77 * day. 78 * 79 * See <net/pfpolicy.h> for more details on the protocol. 80 * 81 * We link against drv/ip and call directly into it to manipulate the 82 * SPD; see ipsec_impl.h for the policy data structures and spd.c for 83 * the code which maintains them. 84 * 85 * The MT model of this is QPAIR with the addition of some explicit 86 * locking to protect system-wide policy data structures. 87 */ 88 89static vmem_t *spdsock_vmem; /* for minor numbers. */ 90 91#define ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t)) 92 93/* Default structure copied into T_INFO_ACK messages (from rts.c...) */ 94static struct T_info_ack spdsock_g_t_info_ack = { 95 T_INFO_ACK, 96 T_INFINITE, /* TSDU_size. Maximum size messages. */ 97 T_INVALID, /* ETSDU_size. No expedited data. */ 98 T_INVALID, /* CDATA_size. No connect data. */ 99 T_INVALID, /* DDATA_size. No disconnect data. */ 100 0, /* ADDR_size. */ 101 0, /* OPT_size. No user-settable options */ 102 64 * 1024, /* TIDU_size. spdsock allows maximum size messages. */ 103 T_COTS, /* SERV_type. spdsock supports connection oriented. */ 104 TS_UNBND, /* CURRENT_state. This is set from spdsock_state. */ 105 (XPG4_1) /* Provider flags */ 106}; 107 108/* Named Dispatch Parameter Management Structure */ 109typedef struct spdsockparam_s { 110 uint_t spdsock_param_min; 111 uint_t spdsock_param_max; 112 uint_t spdsock_param_value; 113 char *spdsock_param_name; 114} spdsockparam_t; 115 116/* 117 * Table of NDD variables supported by spdsock. These are loaded into 118 * spdsock_g_nd in spdsock_init_nd. 119 * All of these are alterable, within the min/max values given, at run time. 120 */ 121static spdsockparam_t lcl_param_arr[] = { 122 /* min max value name */ 123 { 4096, 65536, 8192, "spdsock_xmit_hiwat"}, 124 { 0, 65536, 1024, "spdsock_xmit_lowat"}, 125 { 4096, 65536, 8192, "spdsock_recv_hiwat"}, 126 { 65536, 1024*1024*1024, 256*1024, "spdsock_max_buf"}, 127 { 0, 3, 0, "spdsock_debug"}, 128}; 129#define spds_xmit_hiwat spds_params[0].spdsock_param_value 130#define spds_xmit_lowat spds_params[1].spdsock_param_value 131#define spds_recv_hiwat spds_params[2].spdsock_param_value 132#define spds_max_buf spds_params[3].spdsock_param_value 133#define spds_debug spds_params[4].spdsock_param_value 134 135#define ss0dbg(a) printf a 136/* NOTE: != 0 instead of > 0 so lint doesn't complain. */ 137#define ss1dbg(spds, a) if (spds->spds_debug != 0) printf a 138#define ss2dbg(spds, a) if (spds->spds_debug > 1) printf a 139#define ss3dbg(spds, a) if (spds->spds_debug > 2) printf a 140 141#define RESET_SPDSOCK_DUMP_POLHEAD(ss, iph) { \ 142 ASSERT(RW_READ_HELD(&(iph)->iph_lock)); \ 143 (ss)->spdsock_dump_head = (iph); \ 144 (ss)->spdsock_dump_gen = (iph)->iph_gen; \ 145 (ss)->spdsock_dump_cur_type = 0; \ 146 (ss)->spdsock_dump_cur_af = IPSEC_AF_V4; \ 147 (ss)->spdsock_dump_cur_rule = NULL; \ 148 (ss)->spdsock_dump_count = 0; \ 149 (ss)->spdsock_dump_cur_chain = 0; \ 150} 151 152static int spdsock_close(queue_t *); 153static int spdsock_open(queue_t *, dev_t *, int, int, cred_t *); 154static void spdsock_wput(queue_t *, mblk_t *); 155static void spdsock_wsrv(queue_t *); 156static void spdsock_rsrv(queue_t *); 157static void *spdsock_stack_init(netstackid_t stackid, netstack_t *ns); 158static void spdsock_stack_shutdown(netstackid_t stackid, void *arg); 159static void spdsock_stack_fini(netstackid_t stackid, void *arg); 160static void spdsock_loadcheck(void *); 161static void spdsock_merge_algs(spd_stack_t *); 162static void spdsock_flush_one(ipsec_policy_head_t *, netstack_t *); 163static mblk_t *spdsock_dump_next_record(spdsock_t *); 164static void update_iptun_policy(ipsec_tun_pol_t *); 165 166static struct module_info info = { 167 5138, "spdsock", 1, INFPSZ, 512, 128 168}; 169 170static struct qinit rinit = { 171 NULL, (pfi_t)spdsock_rsrv, spdsock_open, spdsock_close, 172 NULL, &info 173}; 174 175static struct qinit winit = { 176 (pfi_t)spdsock_wput, (pfi_t)spdsock_wsrv, NULL, NULL, NULL, &info 177}; 178 179struct streamtab spdsockinfo = { 180 &rinit, &winit 181}; 182 183/* mapping from alg type to protocol number, as per RFC 2407 */ 184static const uint_t algproto[] = { 185 PROTO_IPSEC_AH, 186 PROTO_IPSEC_ESP, 187}; 188 189#define NALGPROTOS (sizeof (algproto) / sizeof (algproto[0])) 190 191/* mapping from kernel exec mode to spdsock exec mode */ 192static const uint_t execmodes[] = { 193 SPD_ALG_EXEC_MODE_SYNC, 194 SPD_ALG_EXEC_MODE_ASYNC 195}; 196 197#define NEXECMODES (sizeof (execmodes) / sizeof (execmodes[0])) 198 199#define ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1) 200#define ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2) 201 202#define ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL) 203 204/* ARGSUSED */ 205static int 206spdsock_param_get(q, mp, cp, cr) 207 queue_t *q; 208 mblk_t *mp; 209 caddr_t cp; 210 cred_t *cr; 211{ 212 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp; 213 uint_t value; 214 spdsock_t *ss = (spdsock_t *)q->q_ptr; 215 spd_stack_t *spds = ss->spdsock_spds; 216 217 mutex_enter(&spds->spds_param_lock); 218 value = spdsockpa->spdsock_param_value; 219 mutex_exit(&spds->spds_param_lock); 220 221 (void) mi_mpprintf(mp, "%u", value); 222 return (0); 223} 224 225/* This routine sets an NDD variable in a spdsockparam_t structure. */ 226/* ARGSUSED */ 227static int 228spdsock_param_set(q, mp, value, cp, cr) 229 queue_t *q; 230 mblk_t *mp; 231 char *value; 232 caddr_t cp; 233 cred_t *cr; 234{ 235 ulong_t new_value; 236 spdsockparam_t *spdsockpa = (spdsockparam_t *)cp; 237 spdsock_t *ss = (spdsock_t *)q->q_ptr; 238 spd_stack_t *spds = ss->spdsock_spds; 239 240 /* Convert the value from a string into a long integer. */ 241 if (ddi_strtoul(value, NULL, 10, &new_value) != 0) 242 return (EINVAL); 243 244 mutex_enter(&spds->spds_param_lock); 245 /* 246 * Fail the request if the new value does not lie within the 247 * required bounds. 248 */ 249 if (new_value < spdsockpa->spdsock_param_min || 250 new_value > spdsockpa->spdsock_param_max) { 251 mutex_exit(&spds->spds_param_lock); 252 return (EINVAL); 253 } 254 255 /* Set the new value */ 256 spdsockpa->spdsock_param_value = new_value; 257 mutex_exit(&spds->spds_param_lock); 258 259 return (0); 260} 261 262/* 263 * Initialize at module load time 264 */ 265boolean_t 266spdsock_ddi_init(void) 267{ 268 spdsock_max_optsize = optcom_max_optsize( 269 spdsock_opt_obj.odb_opt_des_arr, spdsock_opt_obj.odb_opt_arr_cnt); 270 271 spdsock_vmem = vmem_create("spdsock", (void *)1, MAXMIN, 1, 272 NULL, NULL, NULL, 1, VM_SLEEP | VMC_IDENTIFIER); 273 274 /* 275 * We want to be informed each time a stack is created or 276 * destroyed in the kernel, so we can maintain the 277 * set of spd_stack_t's. 278 */ 279 netstack_register(NS_SPDSOCK, spdsock_stack_init, 280 spdsock_stack_shutdown, spdsock_stack_fini); 281 282 return (B_TRUE); 283} 284 285/* 286 * Walk through the param array specified registering each element with the 287 * named dispatch handler. 288 */ 289static boolean_t 290spdsock_param_register(IDP *ndp, spdsockparam_t *ssp, int cnt) 291{ 292 for (; cnt-- > 0; ssp++) { 293 if (ssp->spdsock_param_name != NULL && 294 ssp->spdsock_param_name[0]) { 295 if (!nd_load(ndp, 296 ssp->spdsock_param_name, 297 spdsock_param_get, spdsock_param_set, 298 (caddr_t)ssp)) { 299 nd_free(ndp); 300 return (B_FALSE); 301 } 302 } 303 } 304 return (B_TRUE); 305} 306 307/* 308 * Initialize for each stack instance 309 */ 310/* ARGSUSED */ 311static void * 312spdsock_stack_init(netstackid_t stackid, netstack_t *ns) 313{ 314 spd_stack_t *spds; 315 spdsockparam_t *ssp; 316 317 spds = (spd_stack_t *)kmem_zalloc(sizeof (*spds), KM_SLEEP); 318 spds->spds_netstack = ns; 319 320 ASSERT(spds->spds_g_nd == NULL); 321 322 ssp = (spdsockparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP); 323 spds->spds_params = ssp; 324 bcopy(lcl_param_arr, ssp, sizeof (lcl_param_arr)); 325 326 (void) spdsock_param_register(&spds->spds_g_nd, ssp, 327 A_CNT(lcl_param_arr)); 328 329 mutex_init(&spds->spds_param_lock, NULL, MUTEX_DEFAULT, NULL); 330 mutex_init(&spds->spds_alg_lock, NULL, MUTEX_DEFAULT, NULL); 331 332 return (spds); 333} 334 335void 336spdsock_ddi_destroy(void) 337{ 338 vmem_destroy(spdsock_vmem); 339 340 netstack_unregister(NS_SPDSOCK); 341} 342 343/* 344 * Do pre-removal cleanup. 345 */ 346/* ARGSUSED */ 347static void 348spdsock_stack_shutdown(netstackid_t stackid, void *arg) 349{ 350 spd_stack_t *spds = (spd_stack_t *)arg; 351 352 if (spds->spds_mp_algs != NULL) { 353 freemsg(spds->spds_mp_algs); 354 spds->spds_mp_algs = NULL; 355 } 356} 357 358/* ARGSUSED */ 359static void 360spdsock_stack_fini(netstackid_t stackid, void *arg) 361{ 362 spd_stack_t *spds = (spd_stack_t *)arg; 363 364 ASSERT(spds->spds_mp_algs == NULL); 365 mutex_destroy(&spds->spds_param_lock); 366 mutex_destroy(&spds->spds_alg_lock); 367 nd_free(&spds->spds_g_nd); 368 kmem_free(spds->spds_params, sizeof (lcl_param_arr)); 369 spds->spds_params = NULL; 370 371 kmem_free(spds, sizeof (*spds)); 372} 373 374/* 375 * NOTE: large quantities of this should be shared with keysock. 376 * Would be nice to combine some of this into a common module, but 377 * not possible given time pressures. 378 */ 379 380/* 381 * High-level reality checking of extensions. 382 */ 383/* ARGSUSED */ /* XXX */ 384static boolean_t 385ext_check(spd_ext_t *ext) 386{ 387 spd_if_t *tunname = (spd_if_t *)ext; 388 int i; 389 char *idstr; 390 391 if (ext->spd_ext_type == SPD_EXT_TUN_NAME) { 392 /* (NOTE: Modified from SADB_EXT_IDENTITY..) */ 393 394 /* 395 * Make sure the strings in these identities are 396 * null-terminated. Let's "proactively" null-terminate the 397 * string at the last byte if it's not terminated sooner. 398 */ 399 i = SPD_64TO8(tunname->spd_if_len) - sizeof (spd_if_t); 400 idstr = (char *)(tunname + 1); 401 while (*idstr != '\0' && i > 0) { 402 i--; 403 idstr++; 404 } 405 if (i == 0) { 406 /* 407 * I.e., if the bozo user didn't NULL-terminate the 408 * string... 409 */ 410 idstr--; 411 *idstr = '\0'; 412 } 413 } 414 return (B_TRUE); /* For now... */ 415} 416 417 418 419/* Return values for spdsock_get_ext(). */ 420#define KGE_OK 0 421#define KGE_DUP 1 422#define KGE_UNK 2 423#define KGE_LEN 3 424#define KGE_CHK 4 425 426/* 427 * Parse basic extension headers and return in the passed-in pointer vector. 428 * Return values include: 429 * 430 * KGE_OK Everything's nice and parsed out. 431 * If there are no extensions, place NULL in extv[0]. 432 * KGE_DUP There is a duplicate extension. 433 * First instance in appropriate bin. First duplicate in 434 * extv[0]. 435 * KGE_UNK Unknown extension type encountered. extv[0] contains 436 * unknown header. 437 * KGE_LEN Extension length error. 438 * KGE_CHK High-level reality check failed on specific extension. 439 * 440 * My apologies for some of the pointer arithmetic in here. I'm thinking 441 * like an assembly programmer, yet trying to make the compiler happy. 442 */ 443static int 444spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize) 445{ 446 bzero(extv, sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1)); 447 448 /* Use extv[0] as the "current working pointer". */ 449 450 extv[0] = (spd_ext_t *)(basehdr + 1); 451 452 while (extv[0] < (spd_ext_t *)(((uint8_t *)basehdr) + msgsize)) { 453 /* Check for unknown headers. */ 454 if (extv[0]->spd_ext_type == 0 || 455 extv[0]->spd_ext_type > SPD_EXT_MAX) 456 return (KGE_UNK); 457 458 /* 459 * Check length. Use uint64_t because extlen is in units 460 * of 64-bit words. If length goes beyond the msgsize, 461 * return an error. (Zero length also qualifies here.) 462 */ 463 if (extv[0]->spd_ext_len == 0 || 464 (void *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) > 465 (void *)((uint8_t *)basehdr + msgsize)) 466 return (KGE_LEN); 467 468 /* Check for redundant headers. */ 469 if (extv[extv[0]->spd_ext_type] != NULL) 470 return (KGE_DUP); 471 472 /* 473 * Reality check the extension if possible at the spdsock 474 * level. 475 */ 476 if (!ext_check(extv[0])) 477 return (KGE_CHK); 478 479 /* If I make it here, assign the appropriate bin. */ 480 extv[extv[0]->spd_ext_type] = extv[0]; 481 482 /* Advance pointer (See above for uint64_t ptr reasoning.) */ 483 extv[0] = (spd_ext_t *) 484 ((uint64_t *)extv[0] + extv[0]->spd_ext_len); 485 } 486 487 /* Everything's cool. */ 488 489 /* 490 * If extv[0] == NULL, then there are no extension headers in this 491 * message. Ensure that this is the case. 492 */ 493 if (extv[0] == (spd_ext_t *)(basehdr + 1)) 494 extv[0] = NULL; 495 496 return (KGE_OK); 497} 498 499static const int bad_ext_diag[] = { 500 SPD_DIAGNOSTIC_MALFORMED_LCLPORT, 501 SPD_DIAGNOSTIC_MALFORMED_REMPORT, 502 SPD_DIAGNOSTIC_MALFORMED_PROTO, 503 SPD_DIAGNOSTIC_MALFORMED_LCLADDR, 504 SPD_DIAGNOSTIC_MALFORMED_REMADDR, 505 SPD_DIAGNOSTIC_MALFORMED_ACTION, 506 SPD_DIAGNOSTIC_MALFORMED_RULE, 507 SPD_DIAGNOSTIC_MALFORMED_RULESET, 508 SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE 509}; 510 511static const int dup_ext_diag[] = { 512 SPD_DIAGNOSTIC_DUPLICATE_LCLPORT, 513 SPD_DIAGNOSTIC_DUPLICATE_REMPORT, 514 SPD_DIAGNOSTIC_DUPLICATE_PROTO, 515 SPD_DIAGNOSTIC_DUPLICATE_LCLADDR, 516 SPD_DIAGNOSTIC_DUPLICATE_REMADDR, 517 SPD_DIAGNOSTIC_DUPLICATE_ACTION, 518 SPD_DIAGNOSTIC_DUPLICATE_RULE, 519 SPD_DIAGNOSTIC_DUPLICATE_RULESET, 520 SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE 521}; 522 523/* 524 * Transmit a PF_POLICY error message to the instance either pointed to 525 * by ks, the instance with serial number serial, or more, depending. 526 * 527 * The faulty message (or a reasonable facsimile thereof) is in mp. 528 * This function will free mp or recycle it for delivery, thereby causing 529 * the stream head to free it. 530 */ 531static void 532spdsock_error(queue_t *q, mblk_t *mp, int error, int diagnostic) 533{ 534 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 535 536 ASSERT(mp->b_datap->db_type == M_DATA); 537 538 if (spmsg->spd_msg_type < SPD_MIN || 539 spmsg->spd_msg_type > SPD_MAX) 540 spmsg->spd_msg_type = SPD_RESERVED; 541 542 /* 543 * Strip out extension headers. 544 */ 545 ASSERT(mp->b_rptr + sizeof (*spmsg) <= mp->b_datap->db_lim); 546 mp->b_wptr = mp->b_rptr + sizeof (*spmsg); 547 spmsg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t)); 548 spmsg->spd_msg_errno = (uint8_t)error; 549 spmsg->spd_msg_diagnostic = (uint16_t)diagnostic; 550 551 qreply(q, mp); 552} 553 554static void 555spdsock_diag(queue_t *q, mblk_t *mp, int diagnostic) 556{ 557 spdsock_error(q, mp, EINVAL, diagnostic); 558} 559 560static void 561spd_echo(queue_t *q, mblk_t *mp) 562{ 563 qreply(q, mp); 564} 565 566/* 567 * Do NOT consume a reference to itp. 568 */ 569/*ARGSUSED*/ 570static void 571spdsock_flush_node(ipsec_tun_pol_t *itp, void *cookie, netstack_t *ns) 572{ 573 boolean_t active = (boolean_t)cookie; 574 ipsec_policy_head_t *iph; 575 576 iph = active ? itp->itp_policy : itp->itp_inactive; 577 IPPH_REFHOLD(iph); 578 mutex_enter(&itp->itp_lock); 579 spdsock_flush_one(iph, ns); /* Releases iph refhold. */ 580 if (active) 581 itp->itp_flags &= ~ITPF_PFLAGS; 582 else 583 itp->itp_flags &= ~ITPF_IFLAGS; 584 mutex_exit(&itp->itp_lock); 585 /* SPD_FLUSH is worth a tunnel MTU check. */ 586 update_iptun_policy(itp); 587} 588 589/* 590 * Clear out one polhead. 591 */ 592static void 593spdsock_flush_one(ipsec_policy_head_t *iph, netstack_t *ns) 594{ 595 rw_enter(&iph->iph_lock, RW_WRITER); 596 ipsec_polhead_flush(iph, ns); 597 rw_exit(&iph->iph_lock); 598 IPPH_REFRELE(iph, ns); 599} 600 601static void 602spdsock_flush(queue_t *q, ipsec_policy_head_t *iph, ipsec_tun_pol_t *itp, 603 mblk_t *mp) 604{ 605 boolean_t active; 606 spdsock_t *ss = (spdsock_t *)q->q_ptr; 607 netstack_t *ns = ss->spdsock_spds->spds_netstack; 608 uint32_t auditing = AU_AUDITING(); 609 610 if (iph != ALL_ACTIVE_POLHEADS && iph != ALL_INACTIVE_POLHEADS) { 611 spdsock_flush_one(iph, ns); 612 if (auditing) { 613 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 614 cred_t *cr; 615 pid_t cpid; 616 617 cr = msg_getcred(mp, &cpid); 618 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 619 audit_pf_policy(SPD_FLUSH, cr, ns, 620 ITP_NAME(itp), active, 0, cpid); 621 } 622 } else { 623 active = (iph == ALL_ACTIVE_POLHEADS); 624 625 /* First flush the global policy. */ 626 spdsock_flush_one(active ? ipsec_system_policy(ns) : 627 ipsec_inactive_policy(ns), ns); 628 if (auditing) { 629 cred_t *cr; 630 pid_t cpid; 631 632 cr = msg_getcred(mp, &cpid); 633 audit_pf_policy(SPD_FLUSH, cr, ns, NULL, 634 active, 0, cpid); 635 } 636 /* Then flush every tunnel's appropriate one. */ 637 itp_walk(spdsock_flush_node, (void *)active, ns); 638 if (auditing) { 639 cred_t *cr; 640 pid_t cpid; 641 642 cr = msg_getcred(mp, &cpid); 643 audit_pf_policy(SPD_FLUSH, cr, ns, 644 "all tunnels", active, 0, cpid); 645 } 646 } 647 648 spd_echo(q, mp); 649} 650 651static boolean_t 652spdsock_ext_to_sel(spd_ext_t **extv, ipsec_selkey_t *sel, int *diag) 653{ 654 bzero(sel, sizeof (*sel)); 655 656 if (extv[SPD_EXT_PROTO] != NULL) { 657 struct spd_proto *pr = 658 (struct spd_proto *)extv[SPD_EXT_PROTO]; 659 sel->ipsl_proto = pr->spd_proto_number; 660 sel->ipsl_valid |= IPSL_PROTOCOL; 661 } 662 if (extv[SPD_EXT_LCLPORT] != NULL) { 663 struct spd_portrange *pr = 664 (struct spd_portrange *)extv[SPD_EXT_LCLPORT]; 665 sel->ipsl_lport = pr->spd_ports_minport; 666 sel->ipsl_valid |= IPSL_LOCAL_PORT; 667 } 668 if (extv[SPD_EXT_REMPORT] != NULL) { 669 struct spd_portrange *pr = 670 (struct spd_portrange *)extv[SPD_EXT_REMPORT]; 671 sel->ipsl_rport = pr->spd_ports_minport; 672 sel->ipsl_valid |= IPSL_REMOTE_PORT; 673 } 674 675 if (extv[SPD_EXT_ICMP_TYPECODE] != NULL) { 676 struct spd_typecode *tc= 677 (struct spd_typecode *)extv[SPD_EXT_ICMP_TYPECODE]; 678 679 sel->ipsl_valid |= IPSL_ICMP_TYPE; 680 sel->ipsl_icmp_type = tc->spd_typecode_type; 681 if (tc->spd_typecode_type_end < tc->spd_typecode_type) 682 sel->ipsl_icmp_type_end = tc->spd_typecode_type; 683 else 684 sel->ipsl_icmp_type_end = tc->spd_typecode_type_end; 685 686 if (tc->spd_typecode_code != 255) { 687 sel->ipsl_valid |= IPSL_ICMP_CODE; 688 sel->ipsl_icmp_code = tc->spd_typecode_code; 689 if (tc->spd_typecode_code_end < tc->spd_typecode_code) 690 sel->ipsl_icmp_code_end = tc->spd_typecode_code; 691 else 692 sel->ipsl_icmp_code_end = 693 tc->spd_typecode_code_end; 694 } 695 } 696#define ADDR2SEL(sel, extv, field, pfield, extn, bit) \ 697 if ((extv)[(extn)] != NULL) { \ 698 uint_t addrlen; \ 699 struct spd_address *ap = \ 700 (struct spd_address *)((extv)[(extn)]); \ 701 addrlen = (ap->spd_address_af == AF_INET6) ? \ 702 IPV6_ADDR_LEN : IP_ADDR_LEN; \ 703 if (SPD_64TO8(ap->spd_address_len) < \ 704 (addrlen + sizeof (*ap))) { \ 705 *diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN; \ 706 return (B_FALSE); \ 707 } \ 708 bcopy((ap+1), &((sel)->field), addrlen); \ 709 (sel)->pfield = ap->spd_address_prefixlen; \ 710 (sel)->ipsl_valid |= (bit); \ 711 (sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ? \ 712 IPSL_IPV6 : IPSL_IPV4; \ 713 } 714 715 ADDR2SEL(sel, extv, ipsl_local, ipsl_local_pfxlen, 716 SPD_EXT_LCLADDR, IPSL_LOCAL_ADDR); 717 ADDR2SEL(sel, extv, ipsl_remote, ipsl_remote_pfxlen, 718 SPD_EXT_REMADDR, IPSL_REMOTE_ADDR); 719 720 if ((sel->ipsl_valid & (IPSL_IPV6|IPSL_IPV4)) == 721 (IPSL_IPV6|IPSL_IPV4)) { 722 *diag = SPD_DIAGNOSTIC_MIXED_AF; 723 return (B_FALSE); 724 } 725 726#undef ADDR2SEL 727 728 return (B_TRUE); 729} 730 731static boolean_t 732spd_convert_type(uint32_t type, ipsec_act_t *act) 733{ 734 switch (type) { 735 case SPD_ACTTYPE_DROP: 736 act->ipa_type = IPSEC_ACT_DISCARD; 737 return (B_TRUE); 738 739 case SPD_ACTTYPE_PASS: 740 act->ipa_type = IPSEC_ACT_CLEAR; 741 return (B_TRUE); 742 743 case SPD_ACTTYPE_IPSEC: 744 act->ipa_type = IPSEC_ACT_APPLY; 745 return (B_TRUE); 746 } 747 return (B_FALSE); 748} 749 750static boolean_t 751spd_convert_flags(uint32_t flags, ipsec_act_t *act) 752{ 753 /* 754 * Note use of !! for boolean canonicalization. 755 */ 756 act->ipa_apply.ipp_use_ah = !!(flags & SPD_APPLY_AH); 757 act->ipa_apply.ipp_use_esp = !!(flags & SPD_APPLY_ESP); 758 act->ipa_apply.ipp_use_espa = !!(flags & SPD_APPLY_ESPA); 759 act->ipa_apply.ipp_use_se = !!(flags & SPD_APPLY_SE); 760 act->ipa_apply.ipp_use_unique = !!(flags & SPD_APPLY_UNIQUE); 761 return (B_TRUE); 762} 763 764static void 765spdsock_reset_act(ipsec_act_t *act) 766{ 767 bzero(act, sizeof (*act)); 768 act->ipa_apply.ipp_espe_maxbits = IPSEC_MAX_KEYBITS; 769 act->ipa_apply.ipp_espa_maxbits = IPSEC_MAX_KEYBITS; 770 act->ipa_apply.ipp_ah_maxbits = IPSEC_MAX_KEYBITS; 771} 772 773/* 774 * Sanity check action against reality, and shrink-wrap key sizes.. 775 */ 776static boolean_t 777spdsock_check_action(ipsec_act_t *act, boolean_t tunnel_polhead, int *diag, 778 spd_stack_t *spds) 779{ 780 if (tunnel_polhead && act->ipa_apply.ipp_use_unique) { 781 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 782 return (B_FALSE); 783 } 784 if ((act->ipa_type != IPSEC_ACT_APPLY) && 785 (act->ipa_apply.ipp_use_ah || 786 act->ipa_apply.ipp_use_esp || 787 act->ipa_apply.ipp_use_espa || 788 act->ipa_apply.ipp_use_se || 789 act->ipa_apply.ipp_use_unique)) { 790 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 791 return (B_FALSE); 792 } 793 if ((act->ipa_type == IPSEC_ACT_APPLY) && 794 !act->ipa_apply.ipp_use_ah && 795 !act->ipa_apply.ipp_use_esp) { 796 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS; 797 return (B_FALSE); 798 } 799 return (ipsec_check_action(act, diag, spds->spds_netstack)); 800} 801 802/* 803 * We may be short a few error checks here.. 804 */ 805static boolean_t 806spdsock_ext_to_actvec(spd_ext_t **extv, ipsec_act_t **actpp, uint_t *nactp, 807 int *diag, spd_stack_t *spds) 808{ 809 struct spd_ext_actions *sactp = 810 (struct spd_ext_actions *)extv[SPD_EXT_ACTION]; 811 ipsec_act_t act, *actp, *endactp; 812 struct spd_attribute *attrp, *endattrp; 813 uint64_t *endp; 814 int nact; 815 boolean_t tunnel_polhead; 816 817 tunnel_polhead = (extv[SPD_EXT_TUN_NAME] != NULL && 818 (((struct spd_rule *)extv[SPD_EXT_RULE])->spd_rule_flags & 819 SPD_RULE_FLAG_TUNNEL)); 820 821 *actpp = NULL; 822 *nactp = 0; 823 824 if (sactp == NULL) { 825 *diag = SPD_DIAGNOSTIC_NO_ACTION_EXT; 826 return (B_FALSE); 827 } 828 829 /* 830 * Parse the "action" extension and convert into an action chain. 831 */ 832 833 nact = sactp->spd_actions_count; 834 835 endp = (uint64_t *)sactp; 836 endp += sactp->spd_actions_len; 837 endattrp = (struct spd_attribute *)endp; 838 839 actp = kmem_alloc(sizeof (*actp) * nact, KM_NOSLEEP); 840 if (actp == NULL) { 841 *diag = SPD_DIAGNOSTIC_ADD_NO_MEM; 842 return (B_FALSE); 843 } 844 *actpp = actp; 845 *nactp = nact; 846 endactp = actp + nact; 847 848 spdsock_reset_act(&act); 849 attrp = (struct spd_attribute *)(&sactp[1]); 850 851 for (; attrp < endattrp; attrp++) { 852 switch (attrp->spd_attr_tag) { 853 case SPD_ATTR_NOP: 854 break; 855 856 case SPD_ATTR_EMPTY: 857 spdsock_reset_act(&act); 858 break; 859 860 case SPD_ATTR_END: 861 attrp = endattrp; 862 /* FALLTHRU */ 863 case SPD_ATTR_NEXT: 864 if (actp >= endactp) { 865 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT; 866 goto fail; 867 } 868 if (!spdsock_check_action(&act, tunnel_polhead, 869 diag, spds)) 870 goto fail; 871 *actp++ = act; 872 spdsock_reset_act(&act); 873 break; 874 875 case SPD_ATTR_TYPE: 876 if (!spd_convert_type(attrp->spd_attr_value, &act)) { 877 *diag = SPD_DIAGNOSTIC_ADD_BAD_TYPE; 878 goto fail; 879 } 880 break; 881 882 case SPD_ATTR_FLAGS: 883 if (!tunnel_polhead && extv[SPD_EXT_TUN_NAME] != NULL) { 884 /* 885 * Set "sa unique" for transport-mode 886 * tunnels whether we want to or not. 887 */ 888 attrp->spd_attr_value |= SPD_APPLY_UNIQUE; 889 } 890 if (!spd_convert_flags(attrp->spd_attr_value, &act)) { 891 *diag = SPD_DIAGNOSTIC_ADD_BAD_FLAGS; 892 goto fail; 893 } 894 break; 895 896 case SPD_ATTR_AH_AUTH: 897 if (attrp->spd_attr_value == 0) { 898 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG; 899 goto fail; 900 } 901 act.ipa_apply.ipp_auth_alg = attrp->spd_attr_value; 902 break; 903 904 case SPD_ATTR_ESP_ENCR: 905 if (attrp->spd_attr_value == 0) { 906 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG; 907 goto fail; 908 } 909 act.ipa_apply.ipp_encr_alg = attrp->spd_attr_value; 910 break; 911 912 case SPD_ATTR_ESP_AUTH: 913 if (attrp->spd_attr_value == 0) { 914 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG; 915 goto fail; 916 } 917 act.ipa_apply.ipp_esp_auth_alg = attrp->spd_attr_value; 918 break; 919 920 case SPD_ATTR_ENCR_MINBITS: 921 act.ipa_apply.ipp_espe_minbits = attrp->spd_attr_value; 922 break; 923 924 case SPD_ATTR_ENCR_MAXBITS: 925 act.ipa_apply.ipp_espe_maxbits = attrp->spd_attr_value; 926 break; 927 928 case SPD_ATTR_AH_MINBITS: 929 act.ipa_apply.ipp_ah_minbits = attrp->spd_attr_value; 930 break; 931 932 case SPD_ATTR_AH_MAXBITS: 933 act.ipa_apply.ipp_ah_maxbits = attrp->spd_attr_value; 934 break; 935 936 case SPD_ATTR_ESPA_MINBITS: 937 act.ipa_apply.ipp_espa_minbits = attrp->spd_attr_value; 938 break; 939 940 case SPD_ATTR_ESPA_MAXBITS: 941 act.ipa_apply.ipp_espa_maxbits = attrp->spd_attr_value; 942 break; 943 944 case SPD_ATTR_LIFE_SOFT_TIME: 945 case SPD_ATTR_LIFE_HARD_TIME: 946 case SPD_ATTR_LIFE_SOFT_BYTES: 947 case SPD_ATTR_LIFE_HARD_BYTES: 948 break; 949 950 case SPD_ATTR_KM_PROTO: 951 act.ipa_apply.ipp_km_proto = attrp->spd_attr_value; 952 break; 953 954 case SPD_ATTR_KM_COOKIE: 955 act.ipa_apply.ipp_km_cookie = attrp->spd_attr_value; 956 break; 957 958 case SPD_ATTR_REPLAY_DEPTH: 959 act.ipa_apply.ipp_replay_depth = attrp->spd_attr_value; 960 break; 961 } 962 } 963 if (actp != endactp) { 964 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT; 965 goto fail; 966 } 967 968 return (B_TRUE); 969fail: 970 ipsec_actvec_free(*actpp, nact); 971 *actpp = NULL; 972 return (B_FALSE); 973} 974 975typedef struct 976{ 977 ipsec_policy_t *pol; 978 int dir; 979} tmprule_t; 980 981static int 982mkrule(ipsec_policy_head_t *iph, struct spd_rule *rule, 983 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t af, 984 tmprule_t **rp, uint64_t *index, spd_stack_t *spds) 985{ 986 ipsec_policy_t *pol; 987 988 sel->ipsl_valid &= ~(IPSL_IPV6|IPSL_IPV4); 989 sel->ipsl_valid |= af; 990 991 pol = ipsec_policy_create(sel, actp, nact, rule->spd_rule_priority, 992 index, spds->spds_netstack); 993 if (pol == NULL) 994 return (ENOMEM); 995 996 (*rp)->pol = pol; 997 (*rp)->dir = dir; 998 (*rp)++; 999 1000 if (!ipsec_check_policy(iph, pol, dir)) 1001 return (EEXIST); 1002 1003 rule->spd_rule_index = pol->ipsp_index; 1004 return (0); 1005} 1006 1007static int 1008mkrulepair(ipsec_policy_head_t *iph, struct spd_rule *rule, 1009 ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t afs, 1010 tmprule_t **rp, uint64_t *index, spd_stack_t *spds) 1011{ 1012 int error; 1013 1014 if (afs & IPSL_IPV4) { 1015 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV4, rp, 1016 index, spds); 1017 if (error != 0) 1018 return (error); 1019 } 1020 if (afs & IPSL_IPV6) { 1021 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV6, rp, 1022 index, spds); 1023 if (error != 0) 1024 return (error); 1025 } 1026 return (0); 1027} 1028 1029 1030static void 1031spdsock_addrule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1032 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1033{ 1034 ipsec_selkey_t sel; 1035 ipsec_act_t *actp; 1036 uint_t nact; 1037 int diag = 0, error, afs; 1038 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE]; 1039 tmprule_t rules[4], *rulep = &rules[0]; 1040 boolean_t tunnel_mode, empty_itp, active; 1041 uint64_t *index = (itp == NULL) ? NULL : &itp->itp_next_policy_index; 1042 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1043 spd_stack_t *spds = ss->spdsock_spds; 1044 uint32_t auditing = AU_AUDITING(); 1045 1046 if (rule == NULL) { 1047 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT); 1048 if (auditing) { 1049 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1050 cred_t *cr; 1051 pid_t cpid; 1052 1053 cr = msg_getcred(mp, &cpid); 1054 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1055 audit_pf_policy(SPD_ADDRULE, cr, 1056 spds->spds_netstack, ITP_NAME(itp), active, 1057 SPD_DIAGNOSTIC_NO_RULE_EXT, cpid); 1058 } 1059 return; 1060 } 1061 1062 tunnel_mode = (rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL); 1063 1064 if (itp != NULL) { 1065 mutex_enter(&itp->itp_lock); 1066 ASSERT(itp->itp_policy == iph || itp->itp_inactive == iph); 1067 active = (itp->itp_policy == iph); 1068 if (ITP_P_ISACTIVE(itp, iph)) { 1069 /* Check for mix-and-match of tunnel/transport. */ 1070 if ((tunnel_mode && !ITP_P_ISTUNNEL(itp, iph)) || 1071 (!tunnel_mode && ITP_P_ISTUNNEL(itp, iph))) { 1072 mutex_exit(&itp->itp_lock); 1073 spdsock_error(q, mp, EBUSY, 0); 1074 return; 1075 } 1076 empty_itp = B_FALSE; 1077 } else { 1078 empty_itp = B_TRUE; 1079 itp->itp_flags = active ? ITPF_P_ACTIVE : ITPF_I_ACTIVE; 1080 if (tunnel_mode) 1081 itp->itp_flags |= active ? ITPF_P_TUNNEL : 1082 ITPF_I_TUNNEL; 1083 } 1084 } else { 1085 empty_itp = B_FALSE; 1086 } 1087 1088 if (rule->spd_rule_index != 0) { 1089 diag = SPD_DIAGNOSTIC_INVALID_RULE_INDEX; 1090 error = EINVAL; 1091 goto fail2; 1092 } 1093 1094 if (!spdsock_ext_to_sel(extv, &sel, &diag)) { 1095 error = EINVAL; 1096 goto fail2; 1097 } 1098 1099 if (itp != NULL) { 1100 if (tunnel_mode) { 1101 if (sel.ipsl_valid & 1102 (IPSL_REMOTE_PORT | IPSL_LOCAL_PORT)) { 1103 itp->itp_flags |= active ? 1104 ITPF_P_PER_PORT_SECURITY : 1105 ITPF_I_PER_PORT_SECURITY; 1106 } 1107 } else { 1108 /* 1109 * For now, we don't allow transport-mode on a tunnel 1110 * with ANY specific selectors. Bail if we have such 1111 * a request. 1112 */ 1113 if (sel.ipsl_valid & IPSL_WILDCARD) { 1114 diag = SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS; 1115 error = EINVAL; 1116 goto fail2; 1117 } 1118 } 1119 } 1120 1121 if (!spdsock_ext_to_actvec(extv, &actp, &nact, &diag, spds)) { 1122 error = EINVAL; 1123 goto fail2; 1124 } 1125 /* 1126 * If no addresses were specified, add both. 1127 */ 1128 afs = sel.ipsl_valid & (IPSL_IPV6|IPSL_IPV4); 1129 if (afs == 0) 1130 afs = (IPSL_IPV6|IPSL_IPV4); 1131 1132 rw_enter(&iph->iph_lock, RW_WRITER); 1133 1134 if (rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) { 1135 error = mkrulepair(iph, rule, &sel, actp, nact, 1136 IPSEC_TYPE_OUTBOUND, afs, &rulep, index, spds); 1137 if (error != 0) 1138 goto fail; 1139 } 1140 1141 if (rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) { 1142 error = mkrulepair(iph, rule, &sel, actp, nact, 1143 IPSEC_TYPE_INBOUND, afs, &rulep, index, spds); 1144 if (error != 0) 1145 goto fail; 1146 } 1147 1148 while ((--rulep) >= &rules[0]) { 1149 ipsec_enter_policy(iph, rulep->pol, rulep->dir, 1150 spds->spds_netstack); 1151 } 1152 rw_exit(&iph->iph_lock); 1153 if (itp != NULL) 1154 mutex_exit(&itp->itp_lock); 1155 1156 ipsec_actvec_free(actp, nact); 1157 spd_echo(q, mp); 1158 if (auditing) { 1159 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1160 cred_t *cr; 1161 pid_t cpid; 1162 1163 cr = msg_getcred(mp, &cpid); 1164 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1165 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack, 1166 ITP_NAME(itp), active, 0, cpid); 1167 } 1168 return; 1169 1170fail: 1171 rw_exit(&iph->iph_lock); 1172 while ((--rulep) >= &rules[0]) 1173 IPPOL_REFRELE(rulep->pol); 1174 ipsec_actvec_free(actp, nact); 1175fail2: 1176 if (itp != NULL) { 1177 if (empty_itp) 1178 itp->itp_flags = 0; 1179 mutex_exit(&itp->itp_lock); 1180 } 1181 spdsock_error(q, mp, error, diag); 1182 if (auditing) { 1183 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1184 cred_t *cr; 1185 pid_t cpid; 1186 1187 cr = msg_getcred(mp, &cpid); 1188 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1189 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack, 1190 ITP_NAME(itp), active, error, cpid); 1191 } 1192} 1193 1194void 1195spdsock_deleterule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1196 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1197{ 1198 ipsec_selkey_t sel; 1199 struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE]; 1200 int err, diag = 0; 1201 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1202 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1203 uint32_t auditing = AU_AUDITING(); 1204 1205 if (rule == NULL) { 1206 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT); 1207 if (auditing) { 1208 boolean_t active; 1209 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1210 cred_t *cr; 1211 pid_t cpid; 1212 1213 cr = msg_getcred(mp, &cpid); 1214 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1215 audit_pf_policy(SPD_DELETERULE, cr, ns, 1216 ITP_NAME(itp), active, SPD_DIAGNOSTIC_NO_RULE_EXT, 1217 cpid); 1218 } 1219 return; 1220 } 1221 1222 /* 1223 * Must enter itp_lock first to avoid deadlock. See tun.c's 1224 * set_sec_simple() for the other case of itp_lock and iph_lock. 1225 */ 1226 if (itp != NULL) 1227 mutex_enter(&itp->itp_lock); 1228 1229 if (rule->spd_rule_index != 0) { 1230 if (ipsec_policy_delete_index(iph, rule->spd_rule_index, ns) != 1231 0) { 1232 err = ESRCH; 1233 goto fail; 1234 } 1235 } else { 1236 if (!spdsock_ext_to_sel(extv, &sel, &diag)) { 1237 err = EINVAL; /* diag already set... */ 1238 goto fail; 1239 } 1240 1241 if ((rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) && 1242 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_INBOUND, ns)) { 1243 err = ESRCH; 1244 goto fail; 1245 } 1246 1247 if ((rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) && 1248 !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_OUTBOUND, ns)) { 1249 err = ESRCH; 1250 goto fail; 1251 } 1252 } 1253 1254 if (itp != NULL) { 1255 ASSERT(iph == itp->itp_policy || iph == itp->itp_inactive); 1256 rw_enter(&iph->iph_lock, RW_READER); 1257 if (avl_numnodes(&iph->iph_rulebyid) == 0) { 1258 if (iph == itp->itp_policy) 1259 itp->itp_flags &= ~ITPF_PFLAGS; 1260 else 1261 itp->itp_flags &= ~ITPF_IFLAGS; 1262 } 1263 /* Can exit locks in any order. */ 1264 rw_exit(&iph->iph_lock); 1265 mutex_exit(&itp->itp_lock); 1266 } 1267 spd_echo(q, mp); 1268 if (auditing) { 1269 boolean_t active; 1270 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1271 cred_t *cr; 1272 pid_t cpid; 1273 1274 cr = msg_getcred(mp, &cpid); 1275 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1276 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp), 1277 active, 0, cpid); 1278 } 1279 return; 1280fail: 1281 if (itp != NULL) 1282 mutex_exit(&itp->itp_lock); 1283 spdsock_error(q, mp, err, diag); 1284 if (auditing) { 1285 boolean_t active; 1286 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1287 cred_t *cr; 1288 pid_t cpid; 1289 1290 cr = msg_getcred(mp, &cpid); 1291 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1292 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp), 1293 active, err, cpid); 1294 } 1295} 1296 1297/* Do NOT consume a reference to itp. */ 1298/* ARGSUSED */ 1299static void 1300spdsock_flip_node(ipsec_tun_pol_t *itp, void *ignoreme, netstack_t *ns) 1301{ 1302 mutex_enter(&itp->itp_lock); 1303 ITPF_SWAP(itp->itp_flags); 1304 ipsec_swap_policy(itp->itp_policy, itp->itp_inactive, ns); 1305 mutex_exit(&itp->itp_lock); 1306 /* SPD_FLIP is worth a tunnel MTU check. */ 1307 update_iptun_policy(itp); 1308} 1309 1310void 1311spdsock_flip(queue_t *q, mblk_t *mp, spd_if_t *tunname) 1312{ 1313 char *tname; 1314 ipsec_tun_pol_t *itp; 1315 spdsock_t *ss = (spdsock_t *)q->q_ptr; 1316 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1317 uint32_t auditing = AU_AUDITING(); 1318 1319 if (tunname != NULL) { 1320 tname = (char *)tunname->spd_if_name; 1321 if (*tname == '\0') { 1322 /* can't fail */ 1323 ipsec_swap_global_policy(ns); 1324 if (auditing) { 1325 boolean_t active; 1326 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1327 cred_t *cr; 1328 pid_t cpid; 1329 1330 cr = msg_getcred(mp, &cpid); 1331 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1332 audit_pf_policy(SPD_FLIP, cr, ns, 1333 NULL, active, 0, cpid); 1334 } 1335 itp_walk(spdsock_flip_node, NULL, ns); 1336 if (auditing) { 1337 boolean_t active; 1338 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1339 cred_t *cr; 1340 pid_t cpid; 1341 1342 cr = msg_getcred(mp, &cpid); 1343 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1344 audit_pf_policy(SPD_FLIP, cr, ns, 1345 "all tunnels", active, 0, cpid); 1346 } 1347 } else { 1348 itp = get_tunnel_policy(tname, ns); 1349 if (itp == NULL) { 1350 /* Better idea for "tunnel not found"? */ 1351 spdsock_error(q, mp, ESRCH, 0); 1352 if (auditing) { 1353 boolean_t active; 1354 spd_msg_t *spmsg = 1355 (spd_msg_t *)mp->b_rptr; 1356 cred_t *cr; 1357 pid_t cpid; 1358 1359 cr = msg_getcred(mp, &cpid); 1360 active = (spmsg->spd_msg_spdid == 1361 SPD_ACTIVE); 1362 audit_pf_policy(SPD_FLIP, cr, ns, 1363 ITP_NAME(itp), active, 1364 ESRCH, cpid); 1365 } 1366 return; 1367 } 1368 spdsock_flip_node(itp, NULL, ns); 1369 if (auditing) { 1370 boolean_t active; 1371 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1372 cred_t *cr; 1373 pid_t cpid; 1374 1375 cr = msg_getcred(mp, &cpid); 1376 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1377 audit_pf_policy(SPD_FLIP, cr, ns, 1378 ITP_NAME(itp), active, 0, cpid); 1379 } 1380 ITP_REFRELE(itp, ns); 1381 } 1382 } else { 1383 ipsec_swap_global_policy(ns); /* can't fail */ 1384 if (auditing) { 1385 boolean_t active; 1386 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 1387 cred_t *cr; 1388 pid_t cpid; 1389 1390 cr = msg_getcred(mp, &cpid); 1391 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 1392 audit_pf_policy(SPD_FLIP, cr, 1393 ns, NULL, active, 0, cpid); 1394 } 1395 } 1396 spd_echo(q, mp); 1397} 1398 1399/* 1400 * Unimplemented feature 1401 */ 1402/* ARGSUSED */ 1403static void 1404spdsock_lookup(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp, 1405 spd_ext_t **extv, ipsec_tun_pol_t *itp) 1406{ 1407 spdsock_error(q, mp, EINVAL, 0); 1408} 1409 1410 1411static mblk_t * 1412spdsock_dump_ruleset(mblk_t *req, ipsec_policy_head_t *iph, 1413 uint32_t count, uint16_t error) 1414{ 1415 size_t len = sizeof (spd_ruleset_ext_t) + sizeof (spd_msg_t); 1416 spd_msg_t *msg; 1417 spd_ruleset_ext_t *ruleset; 1418 mblk_t *m = allocb(len, BPRI_HI); 1419 1420 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1421 1422 if (m == NULL) { 1423 return (NULL); 1424 } 1425 msg = (spd_msg_t *)m->b_rptr; 1426 ruleset = (spd_ruleset_ext_t *)(&msg[1]); 1427 1428 m->b_wptr = (uint8_t *)&ruleset[1]; 1429 1430 *msg = *(spd_msg_t *)(req->b_rptr); 1431 msg->spd_msg_len = SPD_8TO64(len); 1432 msg->spd_msg_errno = error; 1433 1434 ruleset->spd_ruleset_len = SPD_8TO64(sizeof (*ruleset)); 1435 ruleset->spd_ruleset_type = SPD_EXT_RULESET; 1436 ruleset->spd_ruleset_count = count; 1437 ruleset->spd_ruleset_version = iph->iph_gen; 1438 return (m); 1439} 1440 1441static mblk_t * 1442spdsock_dump_finish(spdsock_t *ss, int error) 1443{ 1444 mblk_t *m; 1445 ipsec_policy_head_t *iph = ss->spdsock_dump_head; 1446 mblk_t *req = ss->spdsock_dump_req; 1447 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1448 1449 rw_enter(&iph->iph_lock, RW_READER); 1450 m = spdsock_dump_ruleset(req, iph, ss->spdsock_dump_count, error); 1451 rw_exit(&iph->iph_lock); 1452 IPPH_REFRELE(iph, ns); 1453 if (ss->spdsock_itp != NULL) { 1454 ITP_REFRELE(ss->spdsock_itp, ns); 1455 ss->spdsock_itp = NULL; 1456 } 1457 ss->spdsock_dump_req = NULL; 1458 freemsg(req); 1459 1460 return (m); 1461} 1462 1463/* 1464 * Rule encoding functions. 1465 * We do a two-pass encode. 1466 * If base != NULL, fill in encoded rule part starting at base+offset. 1467 * Always return "offset" plus length of to-be-encoded data. 1468 */ 1469static uint_t 1470spdsock_encode_typecode(uint8_t *base, uint_t offset, uint8_t type, 1471 uint8_t type_end, uint8_t code, uint8_t code_end) 1472{ 1473 struct spd_typecode *tcp; 1474 1475 ASSERT(ALIGNED64(offset)); 1476 1477 if (base != NULL) { 1478 tcp = (struct spd_typecode *)(base + offset); 1479 tcp->spd_typecode_len = SPD_8TO64(sizeof (*tcp)); 1480 tcp->spd_typecode_exttype = SPD_EXT_ICMP_TYPECODE; 1481 tcp->spd_typecode_code = code; 1482 tcp->spd_typecode_type = type; 1483 tcp->spd_typecode_type_end = type_end; 1484 tcp->spd_typecode_code_end = code_end; 1485 } 1486 offset += sizeof (*tcp); 1487 1488 ASSERT(ALIGNED64(offset)); 1489 1490 return (offset); 1491} 1492 1493static uint_t 1494spdsock_encode_proto(uint8_t *base, uint_t offset, uint8_t proto) 1495{ 1496 struct spd_proto *spp; 1497 1498 ASSERT(ALIGNED64(offset)); 1499 1500 if (base != NULL) { 1501 spp = (struct spd_proto *)(base + offset); 1502 spp->spd_proto_len = SPD_8TO64(sizeof (*spp)); 1503 spp->spd_proto_exttype = SPD_EXT_PROTO; 1504 spp->spd_proto_number = proto; 1505 spp->spd_proto_reserved1 = 0; 1506 spp->spd_proto_reserved2 = 0; 1507 } 1508 offset += sizeof (*spp); 1509 1510 ASSERT(ALIGNED64(offset)); 1511 1512 return (offset); 1513} 1514 1515static uint_t 1516spdsock_encode_port(uint8_t *base, uint_t offset, uint16_t ext, uint16_t port) 1517{ 1518 struct spd_portrange *spp; 1519 1520 ASSERT(ALIGNED64(offset)); 1521 1522 if (base != NULL) { 1523 spp = (struct spd_portrange *)(base + offset); 1524 spp->spd_ports_len = SPD_8TO64(sizeof (*spp)); 1525 spp->spd_ports_exttype = ext; 1526 spp->spd_ports_minport = port; 1527 spp->spd_ports_maxport = port; 1528 } 1529 offset += sizeof (*spp); 1530 1531 ASSERT(ALIGNED64(offset)); 1532 1533 return (offset); 1534} 1535 1536static uint_t 1537spdsock_encode_addr(uint8_t *base, uint_t offset, uint16_t ext, 1538 const ipsec_selkey_t *sel, const ipsec_addr_t *addr, uint_t pfxlen) 1539{ 1540 struct spd_address *sae; 1541 ipsec_addr_t *spdaddr; 1542 uint_t start = offset; 1543 uint_t addrlen; 1544 uint_t af; 1545 1546 if (sel->ipsl_valid & IPSL_IPV4) { 1547 af = AF_INET; 1548 addrlen = IP_ADDR_LEN; 1549 } else { 1550 af = AF_INET6; 1551 addrlen = IPV6_ADDR_LEN; 1552 } 1553 1554 ASSERT(ALIGNED64(offset)); 1555 1556 if (base != NULL) { 1557 sae = (struct spd_address *)(base + offset); 1558 sae->spd_address_exttype = ext; 1559 sae->spd_address_af = af; 1560 sae->spd_address_prefixlen = pfxlen; 1561 sae->spd_address_reserved2 = 0; 1562 1563 spdaddr = (ipsec_addr_t *)(&sae[1]); 1564 bcopy(addr, spdaddr, addrlen); 1565 } 1566 offset += sizeof (*sae); 1567 addrlen = roundup(addrlen, sizeof (uint64_t)); 1568 offset += addrlen; 1569 1570 ASSERT(ALIGNED64(offset)); 1571 1572 if (base != NULL) 1573 sae->spd_address_len = SPD_8TO64(offset - start); 1574 return (offset); 1575} 1576 1577static uint_t 1578spdsock_encode_sel(uint8_t *base, uint_t offset, const ipsec_sel_t *sel) 1579{ 1580 const ipsec_selkey_t *selkey = &sel->ipsl_key; 1581 1582 if (selkey->ipsl_valid & IPSL_PROTOCOL) 1583 offset = spdsock_encode_proto(base, offset, selkey->ipsl_proto); 1584 if (selkey->ipsl_valid & IPSL_LOCAL_PORT) 1585 offset = spdsock_encode_port(base, offset, SPD_EXT_LCLPORT, 1586 selkey->ipsl_lport); 1587 if (selkey->ipsl_valid & IPSL_REMOTE_PORT) 1588 offset = spdsock_encode_port(base, offset, SPD_EXT_REMPORT, 1589 selkey->ipsl_rport); 1590 if (selkey->ipsl_valid & IPSL_REMOTE_ADDR) 1591 offset = spdsock_encode_addr(base, offset, SPD_EXT_REMADDR, 1592 selkey, &selkey->ipsl_remote, selkey->ipsl_remote_pfxlen); 1593 if (selkey->ipsl_valid & IPSL_LOCAL_ADDR) 1594 offset = spdsock_encode_addr(base, offset, SPD_EXT_LCLADDR, 1595 selkey, &selkey->ipsl_local, selkey->ipsl_local_pfxlen); 1596 if (selkey->ipsl_valid & IPSL_ICMP_TYPE) { 1597 offset = spdsock_encode_typecode(base, offset, 1598 selkey->ipsl_icmp_type, selkey->ipsl_icmp_type_end, 1599 (selkey->ipsl_valid & IPSL_ICMP_CODE) ? 1600 selkey->ipsl_icmp_code : 255, 1601 (selkey->ipsl_valid & IPSL_ICMP_CODE) ? 1602 selkey->ipsl_icmp_code_end : 255); 1603 } 1604 return (offset); 1605} 1606 1607static uint_t 1608spdsock_encode_actattr(uint8_t *base, uint_t offset, uint32_t tag, 1609 uint32_t value) 1610{ 1611 struct spd_attribute *attr; 1612 1613 ASSERT(ALIGNED64(offset)); 1614 1615 if (base != NULL) { 1616 attr = (struct spd_attribute *)(base + offset); 1617 attr->spd_attr_tag = tag; 1618 attr->spd_attr_value = value; 1619 } 1620 offset += sizeof (struct spd_attribute); 1621 1622 ASSERT(ALIGNED64(offset)); 1623 1624 return (offset); 1625} 1626 1627 1628#define EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v)) 1629 1630static uint_t 1631spdsock_encode_action(uint8_t *base, uint_t offset, const ipsec_action_t *ap) 1632{ 1633 const struct ipsec_act *act = &(ap->ipa_act); 1634 uint_t flags; 1635 1636 EMIT(SPD_ATTR_EMPTY, 0); 1637 switch (act->ipa_type) { 1638 case IPSEC_ACT_DISCARD: 1639 case IPSEC_ACT_REJECT: 1640 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_DROP); 1641 break; 1642 case IPSEC_ACT_BYPASS: 1643 case IPSEC_ACT_CLEAR: 1644 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_PASS); 1645 break; 1646 1647 case IPSEC_ACT_APPLY: 1648 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_IPSEC); 1649 flags = 0; 1650 if (act->ipa_apply.ipp_use_ah) 1651 flags |= SPD_APPLY_AH; 1652 if (act->ipa_apply.ipp_use_esp) 1653 flags |= SPD_APPLY_ESP; 1654 if (act->ipa_apply.ipp_use_espa) 1655 flags |= SPD_APPLY_ESPA; 1656 if (act->ipa_apply.ipp_use_se) 1657 flags |= SPD_APPLY_SE; 1658 if (act->ipa_apply.ipp_use_unique) 1659 flags |= SPD_APPLY_UNIQUE; 1660 EMIT(SPD_ATTR_FLAGS, flags); 1661 if (flags & SPD_APPLY_AH) { 1662 EMIT(SPD_ATTR_AH_AUTH, act->ipa_apply.ipp_auth_alg); 1663 EMIT(SPD_ATTR_AH_MINBITS, 1664 act->ipa_apply.ipp_ah_minbits); 1665 EMIT(SPD_ATTR_AH_MAXBITS, 1666 act->ipa_apply.ipp_ah_maxbits); 1667 } 1668 if (flags & SPD_APPLY_ESP) { 1669 EMIT(SPD_ATTR_ESP_ENCR, act->ipa_apply.ipp_encr_alg); 1670 EMIT(SPD_ATTR_ENCR_MINBITS, 1671 act->ipa_apply.ipp_espe_minbits); 1672 EMIT(SPD_ATTR_ENCR_MAXBITS, 1673 act->ipa_apply.ipp_espe_maxbits); 1674 if (flags & SPD_APPLY_ESPA) { 1675 EMIT(SPD_ATTR_ESP_AUTH, 1676 act->ipa_apply.ipp_esp_auth_alg); 1677 EMIT(SPD_ATTR_ESPA_MINBITS, 1678 act->ipa_apply.ipp_espa_minbits); 1679 EMIT(SPD_ATTR_ESPA_MAXBITS, 1680 act->ipa_apply.ipp_espa_maxbits); 1681 } 1682 } 1683 if (act->ipa_apply.ipp_km_proto != 0) 1684 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_proto); 1685 if (act->ipa_apply.ipp_km_cookie != 0) 1686 EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_cookie); 1687 if (act->ipa_apply.ipp_replay_depth != 0) 1688 EMIT(SPD_ATTR_REPLAY_DEPTH, 1689 act->ipa_apply.ipp_replay_depth); 1690 /* Add more here */ 1691 break; 1692 } 1693 1694 return (offset); 1695} 1696 1697static uint_t 1698spdsock_encode_action_list(uint8_t *base, uint_t offset, 1699 const ipsec_action_t *ap) 1700{ 1701 struct spd_ext_actions *act; 1702 uint_t nact = 0; 1703 uint_t start = offset; 1704 1705 ASSERT(ALIGNED64(offset)); 1706 1707 if (base != NULL) { 1708 act = (struct spd_ext_actions *)(base + offset); 1709 act->spd_actions_len = 0; 1710 act->spd_actions_exttype = SPD_EXT_ACTION; 1711 act->spd_actions_count = 0; 1712 act->spd_actions_reserved = 0; 1713 } 1714 1715 offset += sizeof (*act); 1716 1717 ASSERT(ALIGNED64(offset)); 1718 1719 while (ap != NULL) { 1720 offset = spdsock_encode_action(base, offset, ap); 1721 ap = ap->ipa_next; 1722 nact++; 1723 if (ap != NULL) { 1724 EMIT(SPD_ATTR_NEXT, 0); 1725 } 1726 } 1727 EMIT(SPD_ATTR_END, 0); 1728 1729 ASSERT(ALIGNED64(offset)); 1730 1731 if (base != NULL) { 1732 act->spd_actions_count = nact; 1733 act->spd_actions_len = SPD_8TO64(offset - start); 1734 } 1735 1736 return (offset); 1737} 1738 1739#undef EMIT 1740 1741/* ARGSUSED */ 1742static uint_t 1743spdsock_rule_flags(uint_t dir, uint_t af) 1744{ 1745 uint_t flags = 0; 1746 1747 if (dir == IPSEC_TYPE_INBOUND) 1748 flags |= SPD_RULE_FLAG_INBOUND; 1749 if (dir == IPSEC_TYPE_OUTBOUND) 1750 flags |= SPD_RULE_FLAG_OUTBOUND; 1751 1752 return (flags); 1753} 1754 1755 1756static uint_t 1757spdsock_encode_rule_head(uint8_t *base, uint_t offset, spd_msg_t *req, 1758 const ipsec_policy_t *rule, uint_t dir, uint_t af, char *name, 1759 boolean_t tunnel) 1760{ 1761 struct spd_msg *spmsg; 1762 struct spd_rule *spr; 1763 spd_if_t *sid; 1764 1765 uint_t start = offset; 1766 1767 ASSERT(ALIGNED64(offset)); 1768 1769 if (base != NULL) { 1770 spmsg = (struct spd_msg *)(base + offset); 1771 bzero(spmsg, sizeof (*spmsg)); 1772 spmsg->spd_msg_version = PF_POLICY_V1; 1773 spmsg->spd_msg_type = SPD_DUMP; 1774 spmsg->spd_msg_seq = req->spd_msg_seq; 1775 spmsg->spd_msg_pid = req->spd_msg_pid; 1776 } 1777 offset += sizeof (struct spd_msg); 1778 1779 ASSERT(ALIGNED64(offset)); 1780 1781 if (base != NULL) { 1782 spr = (struct spd_rule *)(base + offset); 1783 spr->spd_rule_type = SPD_EXT_RULE; 1784 spr->spd_rule_priority = rule->ipsp_prio; 1785 spr->spd_rule_flags = spdsock_rule_flags(dir, af); 1786 if (tunnel) 1787 spr->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL; 1788 spr->spd_rule_unused = 0; 1789 spr->spd_rule_len = SPD_8TO64(sizeof (*spr)); 1790 spr->spd_rule_index = rule->ipsp_index; 1791 } 1792 offset += sizeof (struct spd_rule); 1793 1794 /* 1795 * If we have an interface name (i.e. if this policy head came from 1796 * a tunnel), add the SPD_EXT_TUN_NAME extension. 1797 */ 1798 if (name != NULL) { 1799 1800 ASSERT(ALIGNED64(offset)); 1801 1802 if (base != NULL) { 1803 sid = (spd_if_t *)(base + offset); 1804 sid->spd_if_exttype = SPD_EXT_TUN_NAME; 1805 sid->spd_if_len = SPD_8TO64(sizeof (spd_if_t) + 1806 roundup((strlen(name) - 4), 8)); 1807 (void) strlcpy((char *)sid->spd_if_name, name, 1808 LIFNAMSIZ); 1809 } 1810 1811 offset += sizeof (spd_if_t) + roundup((strlen(name) - 4), 8); 1812 } 1813 1814 offset = spdsock_encode_sel(base, offset, rule->ipsp_sel); 1815 offset = spdsock_encode_action_list(base, offset, rule->ipsp_act); 1816 1817 ASSERT(ALIGNED64(offset)); 1818 1819 if (base != NULL) { 1820 spmsg->spd_msg_len = SPD_8TO64(offset - start); 1821 } 1822 return (offset); 1823} 1824 1825/* ARGSUSED */ 1826static mblk_t * 1827spdsock_encode_rule(mblk_t *req, const ipsec_policy_t *rule, 1828 uint_t dir, uint_t af, char *name, boolean_t tunnel) 1829{ 1830 mblk_t *m; 1831 uint_t len; 1832 spd_msg_t *mreq = (spd_msg_t *)req->b_rptr; 1833 1834 /* 1835 * Figure out how much space we'll need. 1836 */ 1837 len = spdsock_encode_rule_head(NULL, 0, mreq, rule, dir, af, name, 1838 tunnel); 1839 1840 /* 1841 * Allocate mblk. 1842 */ 1843 m = allocb(len, BPRI_HI); 1844 if (m == NULL) 1845 return (NULL); 1846 1847 /* 1848 * Fill it in.. 1849 */ 1850 m->b_wptr = m->b_rptr + len; 1851 bzero(m->b_rptr, len); 1852 (void) spdsock_encode_rule_head(m->b_rptr, 0, mreq, rule, dir, af, 1853 name, tunnel); 1854 return (m); 1855} 1856 1857static ipsec_policy_t * 1858spdsock_dump_next_in_chain(spdsock_t *ss, ipsec_policy_head_t *iph, 1859 ipsec_policy_t *cur) 1860{ 1861 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1862 1863 ss->spdsock_dump_count++; 1864 ss->spdsock_dump_cur_rule = cur->ipsp_hash.hash_next; 1865 return (cur); 1866} 1867 1868static ipsec_policy_t * 1869spdsock_dump_next_rule(spdsock_t *ss, ipsec_policy_head_t *iph) 1870{ 1871 ipsec_policy_t *cur; 1872 ipsec_policy_root_t *ipr; 1873 int chain, nchains, type, af; 1874 1875 ASSERT(RW_READ_HELD(&iph->iph_lock)); 1876 1877 cur = ss->spdsock_dump_cur_rule; 1878 1879 if (cur != NULL) 1880 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1881 1882 type = ss->spdsock_dump_cur_type; 1883 1884next: 1885 chain = ss->spdsock_dump_cur_chain; 1886 ipr = &iph->iph_root[type]; 1887 nchains = ipr->ipr_nchains; 1888 1889 while (chain < nchains) { 1890 cur = ipr->ipr_hash[chain].hash_head; 1891 chain++; 1892 if (cur != NULL) { 1893 ss->spdsock_dump_cur_chain = chain; 1894 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1895 } 1896 } 1897 ss->spdsock_dump_cur_chain = nchains; 1898 1899 af = ss->spdsock_dump_cur_af; 1900 while (af < IPSEC_NAF) { 1901 cur = ipr->ipr_nonhash[af]; 1902 af++; 1903 if (cur != NULL) { 1904 ss->spdsock_dump_cur_af = af; 1905 return (spdsock_dump_next_in_chain(ss, iph, cur)); 1906 } 1907 } 1908 1909 type++; 1910 if (type >= IPSEC_NTYPES) 1911 return (NULL); 1912 1913 ss->spdsock_dump_cur_chain = 0; 1914 ss->spdsock_dump_cur_type = type; 1915 ss->spdsock_dump_cur_af = IPSEC_AF_V4; 1916 goto next; 1917 1918} 1919 1920/* 1921 * If we're done with one policy head, but have more to go, we iterate through 1922 * another IPsec tunnel policy head (itp). Return NULL if it is an error 1923 * worthy of returning EAGAIN via PF_POLICY. 1924 */ 1925static ipsec_tun_pol_t * 1926spdsock_dump_iterate_next_tunnel(spdsock_t *ss, ipsec_stack_t *ipss) 1927{ 1928 ipsec_tun_pol_t *itp; 1929 1930 ASSERT(RW_READ_HELD(&ipss->ipsec_tunnel_policy_lock)); 1931 if (ipss->ipsec_tunnel_policy_gen > ss->spdsock_dump_tun_gen) { 1932 /* Oops, state of the tunnel polheads changed. */ 1933 itp = NULL; 1934 } else if (ss->spdsock_itp == NULL) { 1935 /* Just finished global, find first node. */ 1936 itp = avl_first(&ipss->ipsec_tunnel_policies); 1937 } else { 1938 /* We just finished current polhead, find the next one. */ 1939 itp = AVL_NEXT(&ipss->ipsec_tunnel_policies, ss->spdsock_itp); 1940 } 1941 if (itp != NULL) { 1942 ITP_REFHOLD(itp); 1943 } 1944 if (ss->spdsock_itp != NULL) { 1945 ITP_REFRELE(ss->spdsock_itp, ipss->ipsec_netstack); 1946 } 1947 ss->spdsock_itp = itp; 1948 return (itp); 1949} 1950 1951static mblk_t * 1952spdsock_dump_next_record(spdsock_t *ss) 1953{ 1954 ipsec_policy_head_t *iph; 1955 ipsec_policy_t *rule; 1956 mblk_t *m; 1957 ipsec_tun_pol_t *itp; 1958 netstack_t *ns = ss->spdsock_spds->spds_netstack; 1959 ipsec_stack_t *ipss = ns->netstack_ipsec; 1960 1961 iph = ss->spdsock_dump_head; 1962 1963 ASSERT(iph != NULL); 1964 1965 rw_enter(&iph->iph_lock, RW_READER); 1966 1967 if (iph->iph_gen != ss->spdsock_dump_gen) { 1968 rw_exit(&iph->iph_lock); 1969 return (spdsock_dump_finish(ss, EAGAIN)); 1970 } 1971 1972 while ((rule = spdsock_dump_next_rule(ss, iph)) == NULL) { 1973 rw_exit(&iph->iph_lock); 1974 if (--(ss->spdsock_dump_remaining_polheads) == 0) 1975 return (spdsock_dump_finish(ss, 0)); 1976 1977 1978 /* 1979 * If we reach here, we have more policy heads (tunnel 1980 * entries) to dump. Let's reset to a new policy head 1981 * and get some more rules. 1982 * 1983 * An empty policy head will have spdsock_dump_next_rule() 1984 * return NULL, and we loop (while dropping the number of 1985 * remaining polheads). If we loop to 0, we finish. We 1986 * keep looping until we hit 0 or until we have a rule to 1987 * encode. 1988 * 1989 * NOTE: No need for ITP_REF*() macros here as we're only 1990 * going after and refholding the policy head itself. 1991 */ 1992 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER); 1993 itp = spdsock_dump_iterate_next_tunnel(ss, ipss); 1994 if (itp == NULL) { 1995 rw_exit(&ipss->ipsec_tunnel_policy_lock); 1996 return (spdsock_dump_finish(ss, EAGAIN)); 1997 } 1998 1999 /* Reset other spdsock_dump thingies. */ 2000 IPPH_REFRELE(ss->spdsock_dump_head, ns); 2001 if (ss->spdsock_dump_active) { 2002 ss->spdsock_dump_tunnel = 2003 itp->itp_flags & ITPF_P_TUNNEL; 2004 iph = itp->itp_policy; 2005 } else { 2006 ss->spdsock_dump_tunnel = 2007 itp->itp_flags & ITPF_I_TUNNEL; 2008 iph = itp->itp_inactive; 2009 } 2010 IPPH_REFHOLD(iph); 2011 rw_exit(&ipss->ipsec_tunnel_policy_lock); 2012 2013 rw_enter(&iph->iph_lock, RW_READER); 2014 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph); 2015 } 2016 2017 m = spdsock_encode_rule(ss->spdsock_dump_req, rule, 2018 ss->spdsock_dump_cur_type, ss->spdsock_dump_cur_af, 2019 (ss->spdsock_itp == NULL) ? NULL : ss->spdsock_itp->itp_name, 2020 ss->spdsock_dump_tunnel); 2021 rw_exit(&iph->iph_lock); 2022 2023 if (m == NULL) 2024 return (spdsock_dump_finish(ss, ENOMEM)); 2025 return (m); 2026} 2027 2028/* 2029 * Dump records until we run into flow-control back-pressure. 2030 */ 2031static void 2032spdsock_dump_some(queue_t *q, spdsock_t *ss) 2033{ 2034 mblk_t *m, *dataind; 2035 2036 while ((ss->spdsock_dump_req != NULL) && canputnext(q)) { 2037 m = spdsock_dump_next_record(ss); 2038 if (m == NULL) 2039 return; 2040 dataind = allocb(sizeof (struct T_data_req), BPRI_HI); 2041 if (dataind == NULL) { 2042 freemsg(m); 2043 return; 2044 } 2045 dataind->b_cont = m; 2046 dataind->b_wptr += sizeof (struct T_data_req); 2047 ((struct T_data_ind *)dataind->b_rptr)->PRIM_type = T_DATA_IND; 2048 ((struct T_data_ind *)dataind->b_rptr)->MORE_flag = 0; 2049 dataind->b_datap->db_type = M_PROTO; 2050 putnext(q, dataind); 2051 } 2052} 2053 2054/* 2055 * Start dumping. 2056 * Format a start-of-dump record, and set up the stream and kick the rsrv 2057 * procedure to continue the job.. 2058 */ 2059/* ARGSUSED */ 2060static void 2061spdsock_dump(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp) 2062{ 2063 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2064 netstack_t *ns = ss->spdsock_spds->spds_netstack; 2065 ipsec_stack_t *ipss = ns->netstack_ipsec; 2066 mblk_t *mr; 2067 2068 /* spdsock_open() already set spdsock_itp to NULL. */ 2069 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) { 2070 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER); 2071 ss->spdsock_dump_remaining_polheads = 1 + 2072 avl_numnodes(&ipss->ipsec_tunnel_policies); 2073 ss->spdsock_dump_tun_gen = ipss->ipsec_tunnel_policy_gen; 2074 rw_exit(&ipss->ipsec_tunnel_policy_lock); 2075 if (iph == ALL_ACTIVE_POLHEADS) { 2076 iph = ipsec_system_policy(ns); 2077 ss->spdsock_dump_active = B_TRUE; 2078 } else { 2079 iph = ipsec_inactive_policy(ns); 2080 ss->spdsock_dump_active = B_FALSE; 2081 } 2082 ASSERT(ss->spdsock_itp == NULL); 2083 } else { 2084 ss->spdsock_dump_remaining_polheads = 1; 2085 } 2086 2087 rw_enter(&iph->iph_lock, RW_READER); 2088 2089 mr = spdsock_dump_ruleset(mp, iph, 0, 0); 2090 2091 if (!mr) { 2092 rw_exit(&iph->iph_lock); 2093 spdsock_error(q, mp, ENOMEM, 0); 2094 return; 2095 } 2096 2097 ss->spdsock_dump_req = mp; 2098 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph); 2099 2100 rw_exit(&iph->iph_lock); 2101 2102 qreply(q, mr); 2103 qenable(OTHERQ(q)); 2104} 2105 2106/* Do NOT consume a reference to ITP. */ 2107void 2108spdsock_clone_node(ipsec_tun_pol_t *itp, void *ep, netstack_t *ns) 2109{ 2110 int *errptr = (int *)ep; 2111 2112 if (*errptr != 0) 2113 return; /* We've failed already for some reason. */ 2114 mutex_enter(&itp->itp_lock); 2115 ITPF_CLONE(itp->itp_flags); 2116 *errptr = ipsec_copy_polhead(itp->itp_policy, itp->itp_inactive, ns); 2117 mutex_exit(&itp->itp_lock); 2118} 2119 2120void 2121spdsock_clone(queue_t *q, mblk_t *mp, spd_if_t *tunname) 2122{ 2123 int error; 2124 char *tname; 2125 ipsec_tun_pol_t *itp; 2126 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2127 netstack_t *ns = ss->spdsock_spds->spds_netstack; 2128 uint32_t auditing = AU_AUDITING(); 2129 2130 if (tunname != NULL) { 2131 tname = (char *)tunname->spd_if_name; 2132 if (*tname == '\0') { 2133 error = ipsec_clone_system_policy(ns); 2134 if (auditing) { 2135 boolean_t active; 2136 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2137 cred_t *cr; 2138 pid_t cpid; 2139 2140 cr = msg_getcred(mp, &cpid); 2141 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2142 audit_pf_policy(SPD_CLONE, cr, ns, 2143 NULL, active, error, cpid); 2144 } 2145 if (error == 0) { 2146 itp_walk(spdsock_clone_node, &error, ns); 2147 if (auditing) { 2148 boolean_t active; 2149 spd_msg_t *spmsg = 2150 (spd_msg_t *)mp->b_rptr; 2151 cred_t *cr; 2152 pid_t cpid; 2153 2154 cr = msg_getcred(mp, &cpid); 2155 active = (spmsg->spd_msg_spdid == 2156 SPD_ACTIVE); 2157 audit_pf_policy(SPD_CLONE, cr, 2158 ns, "all tunnels", active, 0, 2159 cpid); 2160 } 2161 } 2162 } else { 2163 itp = get_tunnel_policy(tname, ns); 2164 if (itp == NULL) { 2165 spdsock_error(q, mp, ENOENT, 0); 2166 if (auditing) { 2167 boolean_t active; 2168 spd_msg_t *spmsg = 2169 (spd_msg_t *)mp->b_rptr; 2170 cred_t *cr; 2171 pid_t cpid; 2172 2173 cr = msg_getcred(mp, &cpid); 2174 active = (spmsg->spd_msg_spdid == 2175 SPD_ACTIVE); 2176 audit_pf_policy(SPD_CLONE, cr, 2177 ns, NULL, active, ENOENT, cpid); 2178 } 2179 return; 2180 } 2181 spdsock_clone_node(itp, &error, NULL); 2182 if (auditing) { 2183 boolean_t active; 2184 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2185 cred_t *cr; 2186 pid_t cpid; 2187 2188 cr = msg_getcred(mp, &cpid); 2189 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2190 audit_pf_policy(SPD_CLONE, cr, ns, 2191 ITP_NAME(itp), active, error, cpid); 2192 } 2193 ITP_REFRELE(itp, ns); 2194 } 2195 } else { 2196 error = ipsec_clone_system_policy(ns); 2197 if (auditing) { 2198 boolean_t active; 2199 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr; 2200 cred_t *cr; 2201 pid_t cpid; 2202 2203 cr = msg_getcred(mp, &cpid); 2204 active = (spmsg->spd_msg_spdid == SPD_ACTIVE); 2205 audit_pf_policy(SPD_CLONE, cr, ns, NULL, 2206 active, error, cpid); 2207 } 2208 } 2209 2210 if (error != 0) 2211 spdsock_error(q, mp, error, 0); 2212 else 2213 spd_echo(q, mp); 2214} 2215 2216/* 2217 * Process a SPD_ALGLIST request. The caller expects separate alg entries 2218 * for AH authentication, ESP authentication, and ESP encryption. 2219 * The same distinction is then used when setting the min and max key 2220 * sizes when defining policies. 2221 */ 2222 2223#define SPDSOCK_AH_AUTH 0 2224#define SPDSOCK_ESP_AUTH 1 2225#define SPDSOCK_ESP_ENCR 2 2226#define SPDSOCK_NTYPES 3 2227 2228static const uint_t algattr[SPDSOCK_NTYPES] = { 2229 SPD_ATTR_AH_AUTH, 2230 SPD_ATTR_ESP_AUTH, 2231 SPD_ATTR_ESP_ENCR 2232}; 2233static const uint_t minbitsattr[SPDSOCK_NTYPES] = { 2234 SPD_ATTR_AH_MINBITS, 2235 SPD_ATTR_ESPA_MINBITS, 2236 SPD_ATTR_ENCR_MINBITS 2237}; 2238static const uint_t maxbitsattr[SPDSOCK_NTYPES] = { 2239 SPD_ATTR_AH_MAXBITS, 2240 SPD_ATTR_ESPA_MAXBITS, 2241 SPD_ATTR_ENCR_MAXBITS 2242}; 2243static const uint_t defbitsattr[SPDSOCK_NTYPES] = { 2244 SPD_ATTR_AH_DEFBITS, 2245 SPD_ATTR_ESPA_DEFBITS, 2246 SPD_ATTR_ENCR_DEFBITS 2247}; 2248static const uint_t incrbitsattr[SPDSOCK_NTYPES] = { 2249 SPD_ATTR_AH_INCRBITS, 2250 SPD_ATTR_ESPA_INCRBITS, 2251 SPD_ATTR_ENCR_INCRBITS 2252}; 2253 2254#define ATTRPERALG 6 /* fixed attributes per algs */ 2255 2256void 2257spdsock_alglist(queue_t *q, mblk_t *mp) 2258{ 2259 uint_t algtype; 2260 uint_t algidx; 2261 uint_t algcount; 2262 uint_t size; 2263 mblk_t *m; 2264 uint8_t *cur; 2265 spd_msg_t *msg; 2266 struct spd_ext_actions *act; 2267 struct spd_attribute *attr; 2268 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2269 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 2270 2271 mutex_enter(&ipss->ipsec_alg_lock); 2272 /* 2273 * The SPD client expects to receive separate entries for 2274 * AH authentication and ESP authentication supported algorithms. 2275 * 2276 * Don't return the "any" algorithms, if defined, as no 2277 * kernel policies can be set for these algorithms. 2278 */ 2279 algcount = 2 * ipss->ipsec_nalgs[IPSEC_ALG_AUTH] + 2280 ipss->ipsec_nalgs[IPSEC_ALG_ENCR]; 2281 2282 if (ipss->ipsec_alglists[IPSEC_ALG_AUTH][SADB_AALG_NONE] != NULL) 2283 algcount--; 2284 if (ipss->ipsec_alglists[IPSEC_ALG_ENCR][SADB_EALG_NONE] != NULL) 2285 algcount--; 2286 2287 /* 2288 * For each algorithm, we encode: 2289 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT} 2290 */ 2291 2292 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions) + 2293 ATTRPERALG * sizeof (struct spd_attribute) * algcount; 2294 2295 ASSERT(ALIGNED64(size)); 2296 2297 m = allocb(size, BPRI_HI); 2298 if (m == NULL) { 2299 mutex_exit(&ipss->ipsec_alg_lock); 2300 spdsock_error(q, mp, ENOMEM, 0); 2301 return; 2302 } 2303 2304 m->b_wptr = m->b_rptr + size; 2305 cur = m->b_rptr; 2306 2307 msg = (spd_msg_t *)cur; 2308 bcopy(mp->b_rptr, cur, sizeof (*msg)); 2309 2310 msg->spd_msg_len = SPD_8TO64(size); 2311 msg->spd_msg_errno = 0; 2312 msg->spd_msg_diagnostic = 0; 2313 2314 cur += sizeof (*msg); 2315 2316 act = (struct spd_ext_actions *)cur; 2317 cur += sizeof (*act); 2318 2319 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t)); 2320 act->spd_actions_exttype = SPD_EXT_ACTION; 2321 act->spd_actions_count = algcount; 2322 act->spd_actions_reserved = 0; 2323 2324 attr = (struct spd_attribute *)cur; 2325 2326#define EMIT(tag, value) { \ 2327 attr->spd_attr_tag = (tag); \ 2328 attr->spd_attr_value = (value); \ 2329 attr++; \ 2330 } 2331 2332 /* 2333 * If you change the number of EMIT's here, change 2334 * ATTRPERALG above to match 2335 */ 2336#define EMITALGATTRS(_type) { \ 2337 EMIT(algattr[_type], algid); /* 1 */ \ 2338 EMIT(minbitsattr[_type], minbits); /* 2 */ \ 2339 EMIT(maxbitsattr[_type], maxbits); /* 3 */ \ 2340 EMIT(defbitsattr[_type], defbits); /* 4 */ \ 2341 EMIT(incrbitsattr[_type], incr); /* 5 */ \ 2342 EMIT(SPD_ATTR_NEXT, 0); /* 6 */ \ 2343 } 2344 2345 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2346 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2347 algidx++) { 2348 int algid = ipss->ipsec_sortlist[algtype][algidx]; 2349 ipsec_alginfo_t *alg = 2350 ipss->ipsec_alglists[algtype][algid]; 2351 uint_t minbits = alg->alg_minbits; 2352 uint_t maxbits = alg->alg_maxbits; 2353 uint_t defbits = alg->alg_default_bits; 2354 uint_t incr = alg->alg_increment; 2355 2356 if (algtype == IPSEC_ALG_AUTH) { 2357 if (algid == SADB_AALG_NONE) 2358 continue; 2359 EMITALGATTRS(SPDSOCK_AH_AUTH); 2360 EMITALGATTRS(SPDSOCK_ESP_AUTH); 2361 } else { 2362 if (algid == SADB_EALG_NONE) 2363 continue; 2364 ASSERT(algtype == IPSEC_ALG_ENCR); 2365 EMITALGATTRS(SPDSOCK_ESP_ENCR); 2366 } 2367 } 2368 } 2369 2370 mutex_exit(&ipss->ipsec_alg_lock); 2371 2372#undef EMITALGATTRS 2373#undef EMIT 2374#undef ATTRPERALG 2375 2376 attr--; 2377 attr->spd_attr_tag = SPD_ATTR_END; 2378 2379 freemsg(mp); 2380 qreply(q, m); 2381} 2382 2383/* 2384 * Process a SPD_DUMPALGS request. 2385 */ 2386 2387#define ATTRPERALG 9 /* fixed attributes per algs */ 2388 2389void 2390spdsock_dumpalgs(queue_t *q, mblk_t *mp) 2391{ 2392 uint_t algtype; 2393 uint_t algidx; 2394 uint_t size; 2395 mblk_t *m; 2396 uint8_t *cur; 2397 spd_msg_t *msg; 2398 struct spd_ext_actions *act; 2399 struct spd_attribute *attr; 2400 ipsec_alginfo_t *alg; 2401 uint_t algid; 2402 uint_t i; 2403 uint_t alg_size; 2404 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2405 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 2406 2407 mutex_enter(&ipss->ipsec_alg_lock); 2408 2409 /* 2410 * For each algorithm, we encode: 2411 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT} 2412 * 2413 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE* 2414 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_NPARAMS / ALG_PARAMS* / 2415 * ALG_MECHNAME / ALG_FLAGS / {END, NEXT} 2416 */ 2417 2418 /* 2419 * Compute the size of the SPD message. 2420 */ 2421 size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions); 2422 2423 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2424 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2425 algidx++) { 2426 algid = ipss->ipsec_sortlist[algtype][algidx]; 2427 alg = ipss->ipsec_alglists[algtype][algid]; 2428 alg_size = sizeof (struct spd_attribute) * 2429 (ATTRPERALG + alg->alg_nkey_sizes + 2430 alg->alg_nblock_sizes + alg->alg_nparams) + 2431 CRYPTO_MAX_MECH_NAME; 2432 size += alg_size; 2433 } 2434 } 2435 2436 ASSERT(ALIGNED64(size)); 2437 2438 m = allocb(size, BPRI_HI); 2439 if (m == NULL) { 2440 mutex_exit(&ipss->ipsec_alg_lock); 2441 spdsock_error(q, mp, ENOMEM, 0); 2442 return; 2443 } 2444 2445 m->b_wptr = m->b_rptr + size; 2446 cur = m->b_rptr; 2447 2448 msg = (spd_msg_t *)cur; 2449 bcopy(mp->b_rptr, cur, sizeof (*msg)); 2450 2451 msg->spd_msg_len = SPD_8TO64(size); 2452 msg->spd_msg_errno = 0; 2453 msg->spd_msg_type = SPD_ALGLIST; 2454 2455 msg->spd_msg_diagnostic = 0; 2456 2457 cur += sizeof (*msg); 2458 2459 act = (struct spd_ext_actions *)cur; 2460 cur += sizeof (*act); 2461 2462 act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t)); 2463 act->spd_actions_exttype = SPD_EXT_ACTION; 2464 act->spd_actions_count = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] + 2465 ipss->ipsec_nalgs[IPSEC_ALG_ENCR]; 2466 act->spd_actions_reserved = 0; 2467 2468 /* 2469 * If there aren't any algorithms registered, return an empty message. 2470 * spdsock_get_ext() knows how to deal with this. 2471 */ 2472 if (act->spd_actions_count == 0) { 2473 act->spd_actions_len = 0; 2474 mutex_exit(&ipss->ipsec_alg_lock); 2475 goto error; 2476 } 2477 2478 attr = (struct spd_attribute *)cur; 2479 2480#define EMIT(tag, value) { \ 2481 attr->spd_attr_tag = (tag); \ 2482 attr->spd_attr_value = (value); \ 2483 attr++; \ 2484 } 2485 2486 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 2487 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype]; 2488 algidx++) { 2489 2490 algid = ipss->ipsec_sortlist[algtype][algidx]; 2491 alg = ipss->ipsec_alglists[algtype][algid]; 2492 2493 /* 2494 * If you change the number of EMIT's here, change 2495 * ATTRPERALG above to match 2496 */ 2497 EMIT(SPD_ATTR_ALG_ID, algid); 2498 EMIT(SPD_ATTR_ALG_PROTO, algproto[algtype]); 2499 EMIT(SPD_ATTR_ALG_INCRBITS, alg->alg_increment); 2500 EMIT(SPD_ATTR_ALG_NKEYSIZES, alg->alg_nkey_sizes); 2501 for (i = 0; i < alg->alg_nkey_sizes; i++) 2502 EMIT(SPD_ATTR_ALG_KEYSIZE, 2503 alg->alg_key_sizes[i]); 2504 2505 EMIT(SPD_ATTR_ALG_NBLOCKSIZES, alg->alg_nblock_sizes); 2506 for (i = 0; i < alg->alg_nblock_sizes; i++) 2507 EMIT(SPD_ATTR_ALG_BLOCKSIZE, 2508 alg->alg_block_sizes[i]); 2509 2510 EMIT(SPD_ATTR_ALG_NPARAMS, alg->alg_nparams); 2511 for (i = 0; i < alg->alg_nparams; i++) 2512 EMIT(SPD_ATTR_ALG_PARAMS, 2513 alg->alg_params[i]); 2514 2515 EMIT(SPD_ATTR_ALG_FLAGS, alg->alg_flags); 2516 2517 EMIT(SPD_ATTR_ALG_MECHNAME, CRYPTO_MAX_MECH_NAME); 2518 bcopy(alg->alg_mech_name, attr, CRYPTO_MAX_MECH_NAME); 2519 attr = (struct spd_attribute *)((char *)attr + 2520 CRYPTO_MAX_MECH_NAME); 2521 2522 EMIT(SPD_ATTR_NEXT, 0); 2523 } 2524 } 2525 2526 mutex_exit(&ipss->ipsec_alg_lock); 2527 2528#undef EMITALGATTRS 2529#undef EMIT 2530#undef ATTRPERALG 2531 2532 attr--; 2533 attr->spd_attr_tag = SPD_ATTR_END; 2534 2535error: 2536 freemsg(mp); 2537 qreply(q, m); 2538} 2539 2540/* 2541 * Do the actual work of processing an SPD_UPDATEALGS request. Can 2542 * be invoked either once IPsec is loaded on a cached request, or 2543 * when a request is received while IPsec is loaded. 2544 */ 2545static int 2546spdsock_do_updatealg(spd_ext_t *extv[], spd_stack_t *spds) 2547{ 2548 struct spd_ext_actions *actp; 2549 struct spd_attribute *attr, *endattr; 2550 uint64_t *start, *end; 2551 ipsec_alginfo_t *alg = NULL; 2552 ipsec_algtype_t alg_type = 0; 2553 boolean_t skip_alg = B_TRUE, doing_proto = B_FALSE; 2554 uint_t i, cur_key, cur_block, algid; 2555 int diag = -1; 2556 2557 ASSERT(MUTEX_HELD(&spds->spds_alg_lock)); 2558 2559 /* parse the message, building the list of algorithms */ 2560 2561 actp = (struct spd_ext_actions *)extv[SPD_EXT_ACTION]; 2562 if (actp == NULL) 2563 return (SPD_DIAGNOSTIC_NO_ACTION_EXT); 2564 2565 start = (uint64_t *)actp; 2566 end = (start + actp->spd_actions_len); 2567 endattr = (struct spd_attribute *)end; 2568 attr = (struct spd_attribute *)&actp[1]; 2569 2570 bzero(spds->spds_algs, IPSEC_NALGTYPES * IPSEC_MAX_ALGS * 2571 sizeof (ipsec_alginfo_t *)); 2572 2573 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP); 2574 2575#define ALG_KEY_SIZES(a) (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t)) 2576#define ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t)) 2577#define ALG_PARAM_SIZES(a) (((a)->alg_nparams + 1) * sizeof (uint16_t)) 2578 2579 while (attr < endattr) { 2580 switch (attr->spd_attr_tag) { 2581 case SPD_ATTR_NOP: 2582 case SPD_ATTR_EMPTY: 2583 break; 2584 case SPD_ATTR_END: 2585 attr = endattr; 2586 /* FALLTHRU */ 2587 case SPD_ATTR_NEXT: 2588 if (doing_proto) { 2589 doing_proto = B_FALSE; 2590 break; 2591 } 2592 if (skip_alg) { 2593 ipsec_alg_free(alg); 2594 } else { 2595 ipsec_alg_free( 2596 spds->spds_algs[alg_type][alg->alg_id]); 2597 spds->spds_algs[alg_type][alg->alg_id] = 2598 alg; 2599 } 2600 alg = kmem_zalloc(sizeof (*alg), KM_SLEEP); 2601 break; 2602 2603 case SPD_ATTR_ALG_ID: 2604 if (attr->spd_attr_value >= IPSEC_MAX_ALGS) { 2605 ss1dbg(spds, ("spdsock_do_updatealg: " 2606 "invalid alg id %d\n", 2607 attr->spd_attr_value)); 2608 diag = SPD_DIAGNOSTIC_ALG_ID_RANGE; 2609 goto bail; 2610 } 2611 alg->alg_id = attr->spd_attr_value; 2612 break; 2613 2614 case SPD_ATTR_ALG_PROTO: 2615 /* find the alg type */ 2616 for (i = 0; i < NALGPROTOS; i++) 2617 if (algproto[i] == attr->spd_attr_value) 2618 break; 2619 skip_alg = (i == NALGPROTOS); 2620 if (!skip_alg) 2621 alg_type = i; 2622 break; 2623 2624 case SPD_ATTR_ALG_INCRBITS: 2625 alg->alg_increment = attr->spd_attr_value; 2626 break; 2627 2628 case SPD_ATTR_ALG_NKEYSIZES: 2629 if (alg->alg_key_sizes != NULL) { 2630 kmem_free(alg->alg_key_sizes, 2631 ALG_KEY_SIZES(alg)); 2632 } 2633 alg->alg_nkey_sizes = attr->spd_attr_value; 2634 /* 2635 * Allocate room for the trailing zero key size 2636 * value as well. 2637 */ 2638 alg->alg_key_sizes = kmem_zalloc(ALG_KEY_SIZES(alg), 2639 KM_SLEEP); 2640 cur_key = 0; 2641 break; 2642 2643 case SPD_ATTR_ALG_KEYSIZE: 2644 if (alg->alg_key_sizes == NULL || 2645 cur_key >= alg->alg_nkey_sizes) { 2646 ss1dbg(spds, ("spdsock_do_updatealg: " 2647 "too many key sizes\n")); 2648 diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES; 2649 goto bail; 2650 } 2651 alg->alg_key_sizes[cur_key++] = attr->spd_attr_value; 2652 break; 2653 2654 case SPD_ATTR_ALG_FLAGS: 2655 /* 2656 * Flags (bit mask). The alg_flags element of 2657 * ipsecalg_flags_t is only 8 bits wide. The 2658 * user can set the VALID bit, but we will ignore it 2659 * and make the decision is the algorithm is valid. 2660 */ 2661 alg->alg_flags |= (uint8_t)attr->spd_attr_value; 2662 break; 2663 2664 case SPD_ATTR_ALG_NBLOCKSIZES: 2665 if (alg->alg_block_sizes != NULL) { 2666 kmem_free(alg->alg_block_sizes, 2667 ALG_BLOCK_SIZES(alg)); 2668 } 2669 alg->alg_nblock_sizes = attr->spd_attr_value; 2670 /* 2671 * Allocate room for the trailing zero block size 2672 * value as well. 2673 */ 2674 alg->alg_block_sizes = kmem_zalloc(ALG_BLOCK_SIZES(alg), 2675 KM_SLEEP); 2676 cur_block = 0; 2677 break; 2678 2679 case SPD_ATTR_ALG_BLOCKSIZE: 2680 if (alg->alg_block_sizes == NULL || 2681 cur_block >= alg->alg_nblock_sizes) { 2682 ss1dbg(spds, ("spdsock_do_updatealg: " 2683 "too many block sizes\n")); 2684 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES; 2685 goto bail; 2686 } 2687 alg->alg_block_sizes[cur_block++] = 2688 attr->spd_attr_value; 2689 break; 2690 2691 case SPD_ATTR_ALG_NPARAMS: 2692 if (alg->alg_params != NULL) { 2693 kmem_free(alg->alg_params, 2694 ALG_PARAM_SIZES(alg)); 2695 } 2696 alg->alg_nparams = attr->spd_attr_value; 2697 /* 2698 * Allocate room for the trailing zero block size 2699 * value as well. 2700 */ 2701 alg->alg_params = kmem_zalloc(ALG_PARAM_SIZES(alg), 2702 KM_SLEEP); 2703 cur_block = 0; 2704 break; 2705 2706 case SPD_ATTR_ALG_PARAMS: 2707 if (alg->alg_params == NULL || 2708 cur_block >= alg->alg_nparams) { 2709 ss1dbg(spds, ("spdsock_do_updatealg: " 2710 "too many params\n")); 2711 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES; 2712 goto bail; 2713 } 2714 /* 2715 * Array contains: iv_len, icv_len, salt_len 2716 * Any additional parameters are currently ignored. 2717 */ 2718 alg->alg_params[cur_block++] = 2719 attr->spd_attr_value; 2720 break; 2721 2722 case SPD_ATTR_ALG_MECHNAME: { 2723 char *mech_name; 2724 2725 if (attr->spd_attr_value > CRYPTO_MAX_MECH_NAME) { 2726 ss1dbg(spds, ("spdsock_do_updatealg: " 2727 "mech name too long\n")); 2728 diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN; 2729 goto bail; 2730 } 2731 mech_name = (char *)(attr + 1); 2732 bcopy(mech_name, alg->alg_mech_name, 2733 attr->spd_attr_value); 2734 alg->alg_mech_name[CRYPTO_MAX_MECH_NAME-1] = '\0'; 2735 attr = (struct spd_attribute *)((char *)attr + 2736 attr->spd_attr_value); 2737 break; 2738 } 2739 2740 case SPD_ATTR_PROTO_ID: 2741 doing_proto = B_TRUE; 2742 for (i = 0; i < NALGPROTOS; i++) { 2743 if (algproto[i] == attr->spd_attr_value) { 2744 alg_type = i; 2745 break; 2746 } 2747 } 2748 break; 2749 2750 case SPD_ATTR_PROTO_EXEC_MODE: 2751 if (!doing_proto) 2752 break; 2753 for (i = 0; i < NEXECMODES; i++) { 2754 if (execmodes[i] == attr->spd_attr_value) { 2755 spds->spds_algs_exec_mode[alg_type] = i; 2756 break; 2757 } 2758 } 2759 break; 2760 } 2761 attr++; 2762 } 2763 2764#undef ALG_KEY_SIZES 2765#undef ALG_BLOCK_SIZES 2766#undef ALG_PARAM_SIZES 2767 2768 /* update the algorithm tables */ 2769 spdsock_merge_algs(spds); 2770bail: 2771 /* cleanup */ 2772 ipsec_alg_free(alg); 2773 for (alg_type = 0; alg_type < IPSEC_NALGTYPES; alg_type++) 2774 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) 2775 if (spds->spds_algs[alg_type][algid] != NULL) 2776 ipsec_alg_free(spds->spds_algs[alg_type][algid]); 2777 return (diag); 2778} 2779 2780/* 2781 * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue 2782 * the request until IPsec loads. If IPsec is loaded, act on it 2783 * immediately. 2784 */ 2785 2786static void 2787spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[]) 2788{ 2789 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2790 spd_stack_t *spds = ss->spdsock_spds; 2791 ipsec_stack_t *ipss = spds->spds_netstack->netstack_ipsec; 2792 uint32_t auditing = AU_AUDITING(); 2793 2794 if (!ipsec_loaded(ipss)) { 2795 /* 2796 * IPsec is not loaded, save request and return nicely, 2797 * the message will be processed once IPsec loads. 2798 */ 2799 mblk_t *new_mp; 2800 2801 /* last update message wins */ 2802 if ((new_mp = copymsg(mp)) == NULL) { 2803 spdsock_error(q, mp, ENOMEM, 0); 2804 return; 2805 } 2806 mutex_enter(&spds->spds_alg_lock); 2807 bcopy(extv, spds->spds_extv_algs, 2808 sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1)); 2809 if (spds->spds_mp_algs != NULL) 2810 freemsg(spds->spds_mp_algs); 2811 spds->spds_mp_algs = mp; 2812 mutex_exit(&spds->spds_alg_lock); 2813 if (auditing) { 2814 cred_t *cr; 2815 pid_t cpid; 2816 2817 cr = msg_getcred(mp, &cpid); 2818 audit_pf_policy(SPD_UPDATEALGS, cr, 2819 spds->spds_netstack, NULL, B_TRUE, EAGAIN, 2820 cpid); 2821 } 2822 spd_echo(q, new_mp); 2823 } else { 2824 /* 2825 * IPsec is loaded, act on the message immediately. 2826 */ 2827 int diag; 2828 2829 mutex_enter(&spds->spds_alg_lock); 2830 diag = spdsock_do_updatealg(extv, spds); 2831 if (diag == -1) { 2832 /* Keep the lock held while we walk the SA tables. */ 2833 sadb_alg_update(IPSEC_ALG_ALL, 0, 0, 2834 spds->spds_netstack); 2835 mutex_exit(&spds->spds_alg_lock); 2836 spd_echo(q, mp); 2837 if (auditing) { 2838 cred_t *cr; 2839 pid_t cpid; 2840 2841 cr = msg_getcred(mp, &cpid); 2842 audit_pf_policy(SPD_UPDATEALGS, cr, 2843 spds->spds_netstack, NULL, B_TRUE, 0, 2844 cpid); 2845 } 2846 } else { 2847 mutex_exit(&spds->spds_alg_lock); 2848 spdsock_diag(q, mp, diag); 2849 if (auditing) { 2850 cred_t *cr; 2851 pid_t cpid; 2852 2853 cr = msg_getcred(mp, &cpid); 2854 audit_pf_policy(SPD_UPDATEALGS, cr, 2855 spds->spds_netstack, NULL, B_TRUE, diag, 2856 cpid); 2857 } 2858 } 2859 } 2860} 2861 2862/* 2863 * Find a tunnel instance (using the name to link ID mapping), and 2864 * update it after an IPsec change. We need to do this always in case 2865 * we add policy AFTER plumbing a tunnel. We also need to do this 2866 * because, as a side-effect, the tunnel's MTU is updated to reflect 2867 * any IPsec overhead in the itp's policy. 2868 */ 2869static void 2870update_iptun_policy(ipsec_tun_pol_t *itp) 2871{ 2872 datalink_id_t linkid; 2873 2874 if (dls_mgmt_get_linkid(itp->itp_name, &linkid) == 0) 2875 iptun_set_policy(linkid, itp); 2876} 2877 2878/* 2879 * Sort through the mess of polhead options to retrieve an appropriate one. 2880 * Returns NULL if we send an spdsock error. Returns a valid pointer if we 2881 * found a valid polhead. Returns ALL_ACTIVE_POLHEADS (aka. -1) or 2882 * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to 2883 * act on ALL policy heads. 2884 */ 2885static ipsec_policy_head_t * 2886get_appropriate_polhead(queue_t *q, mblk_t *mp, spd_if_t *tunname, int spdid, 2887 int msgtype, ipsec_tun_pol_t **itpp) 2888{ 2889 ipsec_tun_pol_t *itp; 2890 ipsec_policy_head_t *iph; 2891 int errno; 2892 char *tname; 2893 boolean_t active; 2894 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2895 netstack_t *ns = ss->spdsock_spds->spds_netstack; 2896 uint64_t gen; /* Placeholder */ 2897 2898 active = (spdid == SPD_ACTIVE); 2899 *itpp = NULL; 2900 if (!active && spdid != SPD_STANDBY) { 2901 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_SPDID); 2902 return (NULL); 2903 } 2904 2905 if (tunname != NULL) { 2906 /* Acting on a tunnel's SPD. */ 2907 tname = (char *)tunname->spd_if_name; 2908 if (*tname == '\0') { 2909 /* Handle all-polhead cases here. */ 2910 if (msgtype != SPD_FLUSH && msgtype != SPD_DUMP) { 2911 spdsock_diag(q, mp, 2912 SPD_DIAGNOSTIC_NOT_GLOBAL_OP); 2913 return (NULL); 2914 } 2915 return (active ? ALL_ACTIVE_POLHEADS : 2916 ALL_INACTIVE_POLHEADS); 2917 } 2918 2919 itp = get_tunnel_policy(tname, ns); 2920 if (itp == NULL) { 2921 if (msgtype != SPD_ADDRULE) { 2922 /* "Tunnel not found" */ 2923 spdsock_error(q, mp, ENOENT, 0); 2924 return (NULL); 2925 } 2926 2927 errno = 0; 2928 itp = create_tunnel_policy(tname, &errno, &gen, ns); 2929 if (itp == NULL) { 2930 /* 2931 * Something very bad happened, most likely 2932 * ENOMEM. Return an indicator. 2933 */ 2934 spdsock_error(q, mp, errno, 0); 2935 return (NULL); 2936 } 2937 } 2938 2939 /* Match up the itp to an iptun instance. */ 2940 update_iptun_policy(itp); 2941 2942 *itpp = itp; 2943 /* For spdsock dump state, set the polhead's name. */ 2944 if (msgtype == SPD_DUMP) { 2945 ITP_REFHOLD(itp); 2946 ss->spdsock_itp = itp; 2947 ss->spdsock_dump_tunnel = itp->itp_flags & 2948 (active ? ITPF_P_TUNNEL : ITPF_I_TUNNEL); 2949 } 2950 } else { 2951 itp = NULL; 2952 /* For spdsock dump state, indicate it's global policy. */ 2953 if (msgtype == SPD_DUMP) 2954 ss->spdsock_itp = NULL; 2955 } 2956 2957 if (active) 2958 iph = (itp == NULL) ? ipsec_system_policy(ns) : itp->itp_policy; 2959 else 2960 iph = (itp == NULL) ? ipsec_inactive_policy(ns) : 2961 itp->itp_inactive; 2962 2963 ASSERT(iph != NULL); 2964 if (itp != NULL) { 2965 IPPH_REFHOLD(iph); 2966 } 2967 2968 return (iph); 2969} 2970 2971static void 2972spdsock_parse(queue_t *q, mblk_t *mp) 2973{ 2974 spd_msg_t *spmsg; 2975 spd_ext_t *extv[SPD_EXT_MAX + 1]; 2976 uint_t msgsize; 2977 ipsec_policy_head_t *iph; 2978 ipsec_tun_pol_t *itp; 2979 spd_if_t *tunname; 2980 spdsock_t *ss = (spdsock_t *)q->q_ptr; 2981 spd_stack_t *spds = ss->spdsock_spds; 2982 netstack_t *ns = spds->spds_netstack; 2983 ipsec_stack_t *ipss = ns->netstack_ipsec; 2984 2985 /* Make sure nothing's below me. */ 2986 ASSERT(WR(q)->q_next == NULL); 2987 2988 spmsg = (spd_msg_t *)mp->b_rptr; 2989 2990 msgsize = SPD_64TO8(spmsg->spd_msg_len); 2991 2992 if (msgdsize(mp) != msgsize) { 2993 /* 2994 * Message len incorrect w.r.t. actual size. Send an error 2995 * (EMSGSIZE). It may be necessary to massage things a 2996 * bit. For example, if the spd_msg_type is hosed, 2997 * I need to set it to SPD_RESERVED to get delivery to 2998 * do the right thing. Then again, maybe just letting 2999 * the error delivery do the right thing. 3000 */ 3001 ss2dbg(spds, 3002 ("mblk (%lu) and base (%d) message sizes don't jibe.\n", 3003 msgdsize(mp), msgsize)); 3004 spdsock_error(q, mp, EMSGSIZE, SPD_DIAGNOSTIC_NONE); 3005 return; 3006 } 3007 3008 if (msgsize > (uint_t)(mp->b_wptr - mp->b_rptr)) { 3009 /* Get all message into one mblk. */ 3010 if (pullupmsg(mp, -1) == 0) { 3011 /* 3012 * Something screwy happened. 3013 */ 3014 ss3dbg(spds, ("spdsock_parse: pullupmsg() failed.\n")); 3015 return; 3016 } else { 3017 spmsg = (spd_msg_t *)mp->b_rptr; 3018 } 3019 } 3020 3021 switch (spdsock_get_ext(extv, spmsg, msgsize)) { 3022 case KGE_DUP: 3023 /* Handle duplicate extension. */ 3024 ss1dbg(spds, ("Got duplicate extension of type %d.\n", 3025 extv[0]->spd_ext_type)); 3026 spdsock_diag(q, mp, dup_ext_diag[extv[0]->spd_ext_type]); 3027 return; 3028 case KGE_UNK: 3029 /* Handle unknown extension. */ 3030 ss1dbg(spds, ("Got unknown extension of type %d.\n", 3031 extv[0]->spd_ext_type)); 3032 spdsock_diag(q, mp, SPD_DIAGNOSTIC_UNKNOWN_EXT); 3033 return; 3034 case KGE_LEN: 3035 /* Length error. */ 3036 ss1dbg(spds, ("Length %d on extension type %d overrun or 0.\n", 3037 extv[0]->spd_ext_len, extv[0]->spd_ext_type)); 3038 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_EXTLEN); 3039 return; 3040 case KGE_CHK: 3041 /* Reality check failed. */ 3042 ss1dbg(spds, ("Reality check failed on extension type %d.\n", 3043 extv[0]->spd_ext_type)); 3044 spdsock_diag(q, mp, bad_ext_diag[extv[0]->spd_ext_type]); 3045 return; 3046 default: 3047 /* Default case is no errors. */ 3048 break; 3049 } 3050 3051 /* 3052 * Special-case SPD_UPDATEALGS so as not to load IPsec. 3053 */ 3054 if (!ipsec_loaded(ipss) && spmsg->spd_msg_type != SPD_UPDATEALGS) { 3055 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3056 3057 ASSERT(ss != NULL); 3058 ipsec_loader_loadnow(ipss); 3059 ss->spdsock_timeout_arg = mp; 3060 ss->spdsock_timeout = qtimeout(q, spdsock_loadcheck, 3061 q, LOADCHECK_INTERVAL); 3062 return; 3063 } 3064 3065 /* First check for messages that need no polheads at all. */ 3066 switch (spmsg->spd_msg_type) { 3067 case SPD_UPDATEALGS: 3068 spdsock_updatealg(q, mp, extv); 3069 return; 3070 case SPD_ALGLIST: 3071 spdsock_alglist(q, mp); 3072 return; 3073 case SPD_DUMPALGS: 3074 spdsock_dumpalgs(q, mp); 3075 return; 3076 } 3077 3078 /* 3079 * Then check for ones that need both primary/secondary polheads, 3080 * finding the appropriate tunnel policy if need be. 3081 */ 3082 tunname = (spd_if_t *)extv[SPD_EXT_TUN_NAME]; 3083 switch (spmsg->spd_msg_type) { 3084 case SPD_FLIP: 3085 spdsock_flip(q, mp, tunname); 3086 return; 3087 case SPD_CLONE: 3088 spdsock_clone(q, mp, tunname); 3089 return; 3090 } 3091 3092 /* 3093 * Finally, find ones that operate on exactly one polhead, or 3094 * "all polheads" of a given type (active/inactive). 3095 */ 3096 iph = get_appropriate_polhead(q, mp, tunname, spmsg->spd_msg_spdid, 3097 spmsg->spd_msg_type, &itp); 3098 if (iph == NULL) 3099 return; 3100 3101 /* All-polheads-ready operations. */ 3102 switch (spmsg->spd_msg_type) { 3103 case SPD_FLUSH: 3104 if (itp != NULL) { 3105 mutex_enter(&itp->itp_lock); 3106 if (spmsg->spd_msg_spdid == SPD_ACTIVE) 3107 itp->itp_flags &= ~ITPF_PFLAGS; 3108 else 3109 itp->itp_flags &= ~ITPF_IFLAGS; 3110 mutex_exit(&itp->itp_lock); 3111 } 3112 3113 spdsock_flush(q, iph, itp, mp); 3114 3115 if (itp != NULL) { 3116 /* SPD_FLUSH is worth a tunnel MTU check. */ 3117 update_iptun_policy(itp); 3118 ITP_REFRELE(itp, ns); 3119 } 3120 return; 3121 case SPD_DUMP: 3122 if (itp != NULL) 3123 ITP_REFRELE(itp, ns); 3124 spdsock_dump(q, iph, mp); 3125 return; 3126 } 3127 3128 if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) { 3129 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NOT_GLOBAL_OP); 3130 return; 3131 } 3132 3133 /* Single-polhead-only operations. */ 3134 switch (spmsg->spd_msg_type) { 3135 case SPD_ADDRULE: 3136 spdsock_addrule(q, iph, mp, extv, itp); 3137 break; 3138 case SPD_DELETERULE: 3139 spdsock_deleterule(q, iph, mp, extv, itp); 3140 break; 3141 case SPD_LOOKUP: 3142 spdsock_lookup(q, iph, mp, extv, itp); 3143 break; 3144 default: 3145 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_MSG_TYPE); 3146 break; 3147 } 3148 3149 IPPH_REFRELE(iph, ns); 3150 if (itp != NULL) { 3151 /* SPD_{ADD,DELETE}RULE are worth a tunnel MTU check. */ 3152 if (spmsg->spd_msg_type == SPD_ADDRULE || 3153 spmsg->spd_msg_type == SPD_DELETERULE) 3154 update_iptun_policy(itp); 3155 ITP_REFRELE(itp, ns); 3156 } 3157} 3158 3159/* 3160 * If an algorithm mapping was received before IPsec was loaded, process it. 3161 * Called from the IPsec loader. 3162 */ 3163void 3164spdsock_update_pending_algs(netstack_t *ns) 3165{ 3166 spd_stack_t *spds = ns->netstack_spdsock; 3167 3168 mutex_enter(&spds->spds_alg_lock); 3169 if (spds->spds_mp_algs != NULL) { 3170 (void) spdsock_do_updatealg(spds->spds_extv_algs, spds); 3171 freemsg(spds->spds_mp_algs); 3172 spds->spds_mp_algs = NULL; 3173 } 3174 mutex_exit(&spds->spds_alg_lock); 3175} 3176 3177static void 3178spdsock_loadcheck(void *arg) 3179{ 3180 queue_t *q = (queue_t *)arg; 3181 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3182 mblk_t *mp; 3183 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 3184 3185 ASSERT(ss != NULL); 3186 3187 ss->spdsock_timeout = 0; 3188 mp = ss->spdsock_timeout_arg; 3189 ASSERT(mp != NULL); 3190 ss->spdsock_timeout_arg = NULL; 3191 if (ipsec_failed(ipss)) 3192 spdsock_error(q, mp, EPROTONOSUPPORT, 0); 3193 else 3194 spdsock_parse(q, mp); 3195} 3196 3197/* 3198 * Copy relevant state bits. 3199 */ 3200static void 3201spdsock_copy_info(struct T_info_ack *tap, spdsock_t *ss) 3202{ 3203 *tap = spdsock_g_t_info_ack; 3204 tap->CURRENT_state = ss->spdsock_state; 3205 tap->OPT_size = spdsock_max_optsize; 3206} 3207 3208/* 3209 * This routine responds to T_CAPABILITY_REQ messages. It is called by 3210 * spdsock_wput. Much of the T_CAPABILITY_ACK information is copied from 3211 * spdsock_g_t_info_ack. The current state of the stream is copied from 3212 * spdsock_state. 3213 */ 3214static void 3215spdsock_capability_req(queue_t *q, mblk_t *mp) 3216{ 3217 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3218 t_uscalar_t cap_bits1; 3219 struct T_capability_ack *tcap; 3220 3221 cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1; 3222 3223 mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack), 3224 mp->b_datap->db_type, T_CAPABILITY_ACK); 3225 if (mp == NULL) 3226 return; 3227 3228 tcap = (struct T_capability_ack *)mp->b_rptr; 3229 tcap->CAP_bits1 = 0; 3230 3231 if (cap_bits1 & TC1_INFO) { 3232 spdsock_copy_info(&tcap->INFO_ack, ss); 3233 tcap->CAP_bits1 |= TC1_INFO; 3234 } 3235 3236 qreply(q, mp); 3237} 3238 3239/* 3240 * This routine responds to T_INFO_REQ messages. It is called by 3241 * spdsock_wput_other. 3242 * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack. 3243 * The current state of the stream is copied from spdsock_state. 3244 */ 3245static void 3246spdsock_info_req(q, mp) 3247 queue_t *q; 3248 mblk_t *mp; 3249{ 3250 mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO, 3251 T_INFO_ACK); 3252 if (mp == NULL) 3253 return; 3254 spdsock_copy_info((struct T_info_ack *)mp->b_rptr, 3255 (spdsock_t *)q->q_ptr); 3256 qreply(q, mp); 3257} 3258 3259/* 3260 * spdsock_err_ack. This routine creates a 3261 * T_ERROR_ACK message and passes it 3262 * upstream. 3263 */ 3264static void 3265spdsock_err_ack(q, mp, t_error, sys_error) 3266 queue_t *q; 3267 mblk_t *mp; 3268 int t_error; 3269 int sys_error; 3270{ 3271 if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL) 3272 qreply(q, mp); 3273} 3274 3275/* 3276 * This routine retrieves the current status of socket options. 3277 * It returns the size of the option retrieved. 3278 */ 3279/* ARGSUSED */ 3280int 3281spdsock_opt_get(queue_t *q, int level, int name, uchar_t *ptr) 3282{ 3283 int *i1 = (int *)ptr; 3284 3285 switch (level) { 3286 case SOL_SOCKET: 3287 switch (name) { 3288 case SO_TYPE: 3289 *i1 = SOCK_RAW; 3290 break; 3291 /* 3292 * The following two items can be manipulated, 3293 * but changing them should do nothing. 3294 */ 3295 case SO_SNDBUF: 3296 *i1 = (int)q->q_hiwat; 3297 break; 3298 case SO_RCVBUF: 3299 *i1 = (int)(RD(q)->q_hiwat); 3300 break; 3301 } 3302 break; 3303 default: 3304 return (0); 3305 } 3306 return (sizeof (int)); 3307} 3308 3309/* 3310 * This routine sets socket options. 3311 */ 3312/* ARGSUSED */ 3313int 3314spdsock_opt_set(queue_t *q, uint_t mgmt_flags, int level, int name, 3315 uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp, 3316 void *thisdg_attrs, cred_t *cr) 3317{ 3318 int *i1 = (int *)invalp; 3319 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3320 spd_stack_t *spds = ss->spdsock_spds; 3321 3322 switch (level) { 3323 case SOL_SOCKET: 3324 switch (name) { 3325 case SO_SNDBUF: 3326 if (*i1 > spds->spds_max_buf) 3327 return (ENOBUFS); 3328 q->q_hiwat = *i1; 3329 break; 3330 case SO_RCVBUF: 3331 if (*i1 > spds->spds_max_buf) 3332 return (ENOBUFS); 3333 RD(q)->q_hiwat = *i1; 3334 (void) proto_set_rx_hiwat(RD(q), NULL, *i1); 3335 break; 3336 } 3337 break; 3338 } 3339 return (0); 3340} 3341 3342 3343/* 3344 * Handle STREAMS messages. 3345 */ 3346static void 3347spdsock_wput_other(queue_t *q, mblk_t *mp) 3348{ 3349 struct iocblk *iocp; 3350 int error; 3351 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3352 spd_stack_t *spds = ss->spdsock_spds; 3353 cred_t *cr; 3354 3355 switch (mp->b_datap->db_type) { 3356 case M_PROTO: 3357 case M_PCPROTO: 3358 if ((mp->b_wptr - mp->b_rptr) < sizeof (long)) { 3359 ss3dbg(spds, ( 3360 "spdsock_wput_other: Not big enough M_PROTO\n")); 3361 freemsg(mp); 3362 return; 3363 } 3364 switch (((union T_primitives *)mp->b_rptr)->type) { 3365 case T_CAPABILITY_REQ: 3366 spdsock_capability_req(q, mp); 3367 break; 3368 case T_INFO_REQ: 3369 spdsock_info_req(q, mp); 3370 break; 3371 case T_SVR4_OPTMGMT_REQ: 3372 case T_OPTMGMT_REQ: 3373 /* 3374 * All Solaris components should pass a db_credp 3375 * for this TPI message, hence we ASSERT. 3376 * But in case there is some other M_PROTO that looks 3377 * like a TPI message sent by some other kernel 3378 * component, we check and return an error. 3379 */ 3380 cr = msg_getcred(mp, NULL); 3381 ASSERT(cr != NULL); 3382 if (cr == NULL) { 3383 spdsock_err_ack(q, mp, TSYSERR, EINVAL); 3384 return; 3385 } 3386 if (((union T_primitives *)mp->b_rptr)->type == 3387 T_SVR4_OPTMGMT_REQ) { 3388 svr4_optcom_req(q, mp, cr, &spdsock_opt_obj); 3389 } else { 3390 tpi_optcom_req(q, mp, cr, &spdsock_opt_obj); 3391 } 3392 break; 3393 case T_DATA_REQ: 3394 case T_EXDATA_REQ: 3395 case T_ORDREL_REQ: 3396 /* Illegal for spdsock. */ 3397 freemsg(mp); 3398 (void) putnextctl1(RD(q), M_ERROR, EPROTO); 3399 break; 3400 default: 3401 /* Not supported by spdsock. */ 3402 spdsock_err_ack(q, mp, TNOTSUPPORT, 0); 3403 break; 3404 } 3405 return; 3406 case M_IOCTL: 3407 iocp = (struct iocblk *)mp->b_rptr; 3408 error = EINVAL; 3409 3410 switch (iocp->ioc_cmd) { 3411 case ND_SET: 3412 case ND_GET: 3413 if (nd_getset(q, spds->spds_g_nd, mp)) { 3414 qreply(q, mp); 3415 return; 3416 } else 3417 error = ENOENT; 3418 /* FALLTHRU */ 3419 default: 3420 miocnak(q, mp, 0, error); 3421 return; 3422 } 3423 case M_FLUSH: 3424 if (*mp->b_rptr & FLUSHW) { 3425 flushq(q, FLUSHALL); 3426 *mp->b_rptr &= ~FLUSHW; 3427 } 3428 if (*mp->b_rptr & FLUSHR) { 3429 qreply(q, mp); 3430 return; 3431 } 3432 /* Else FALLTHRU */ 3433 } 3434 3435 /* If fell through, just black-hole the message. */ 3436 freemsg(mp); 3437} 3438 3439static void 3440spdsock_wput(queue_t *q, mblk_t *mp) 3441{ 3442 uint8_t *rptr = mp->b_rptr; 3443 mblk_t *mp1; 3444 spdsock_t *ss = (spdsock_t *)q->q_ptr; 3445 spd_stack_t *spds = ss->spdsock_spds; 3446 3447 /* 3448 * If we're dumping, defer processing other messages until the 3449 * dump completes. 3450 */ 3451 if (ss->spdsock_dump_req != NULL) { 3452 if (!putq(q, mp)) 3453 freemsg(mp); 3454 return; 3455 } 3456 3457 switch (mp->b_datap->db_type) { 3458 case M_DATA: 3459 /* 3460 * Silently discard. 3461 */ 3462 ss2dbg(spds, ("raw M_DATA in spdsock.\n")); 3463 freemsg(mp); 3464 return; 3465 case M_PROTO: 3466 case M_PCPROTO: 3467 if ((mp->b_wptr - rptr) >= sizeof (struct T_data_req)) { 3468 if (((union T_primitives *)rptr)->type == T_DATA_REQ) { 3469 if ((mp1 = mp->b_cont) == NULL) { 3470 /* No data after T_DATA_REQ. */ 3471 ss2dbg(spds, 3472 ("No data after DATA_REQ.\n")); 3473 freemsg(mp); 3474 return; 3475 } 3476 freeb(mp); 3477 mp = mp1; 3478 ss2dbg(spds, ("T_DATA_REQ\n")); 3479 break; /* Out of switch. */ 3480 } 3481 } 3482 /* FALLTHRU */ 3483 default: 3484 ss3dbg(spds, ("In default wput case (%d %d).\n", 3485 mp->b_datap->db_type, ((union T_primitives *)rptr)->type)); 3486 spdsock_wput_other(q, mp); 3487 return; 3488 } 3489 3490 /* I now have a PF_POLICY message in an M_DATA block. */ 3491 spdsock_parse(q, mp); 3492} 3493 3494/* 3495 * Device open procedure, called when new queue pair created. 3496 * We are passed the read-side queue. 3497 */ 3498/* ARGSUSED */ 3499static int 3500spdsock_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp) 3501{ 3502 spdsock_t *ss; 3503 queue_t *oq = OTHERQ(q); 3504 minor_t ssminor; 3505 netstack_t *ns; 3506 spd_stack_t *spds; 3507 3508 if (secpolicy_ip_config(credp, B_FALSE) != 0) 3509 return (EPERM); 3510 3511 if (q->q_ptr != NULL) 3512 return (0); /* Re-open of an already open instance. */ 3513 3514 if (sflag & MODOPEN) 3515 return (EINVAL); 3516 3517 ns = netstack_find_by_cred(credp); 3518 ASSERT(ns != NULL); 3519 spds = ns->netstack_spdsock; 3520 ASSERT(spds != NULL); 3521 3522 ss2dbg(spds, ("Made it into PF_POLICY socket open.\n")); 3523 3524 ssminor = (minor_t)(uintptr_t)vmem_alloc(spdsock_vmem, 1, VM_NOSLEEP); 3525 if (ssminor == 0) { 3526 netstack_rele(spds->spds_netstack); 3527 return (ENOMEM); 3528 } 3529 ss = kmem_zalloc(sizeof (spdsock_t), KM_NOSLEEP); 3530 if (ss == NULL) { 3531 vmem_free(spdsock_vmem, (void *)(uintptr_t)ssminor, 1); 3532 netstack_rele(spds->spds_netstack); 3533 return (ENOMEM); 3534 } 3535 3536 ss->spdsock_minor = ssminor; 3537 ss->spdsock_state = TS_UNBND; 3538 ss->spdsock_dump_req = NULL; 3539 3540 ss->spdsock_spds = spds; 3541 3542 q->q_ptr = ss; 3543 oq->q_ptr = ss; 3544 3545 q->q_hiwat = spds->spds_recv_hiwat; 3546 3547 oq->q_hiwat = spds->spds_xmit_hiwat; 3548 oq->q_lowat = spds->spds_xmit_lowat; 3549 3550 qprocson(q); 3551 (void) proto_set_rx_hiwat(q, NULL, spds->spds_recv_hiwat); 3552 3553 *devp = makedevice(getmajor(*devp), ss->spdsock_minor); 3554 return (0); 3555} 3556 3557/* 3558 * Read-side service procedure, invoked when we get back-enabled 3559 * when buffer space becomes available. 3560 * 3561 * Dump another chunk if we were dumping before; when we finish, kick 3562 * the write-side queue in case it's waiting for read queue space. 3563 */ 3564void 3565spdsock_rsrv(queue_t *q) 3566{ 3567 spdsock_t *ss = q->q_ptr; 3568 3569 if (ss->spdsock_dump_req != NULL) 3570 spdsock_dump_some(q, ss); 3571 3572 if (ss->spdsock_dump_req == NULL) 3573 qenable(OTHERQ(q)); 3574} 3575 3576/* 3577 * Write-side service procedure, invoked when we defer processing 3578 * if another message is received while a dump is in progress. 3579 */ 3580void 3581spdsock_wsrv(queue_t *q) 3582{ 3583 spdsock_t *ss = q->q_ptr; 3584 mblk_t *mp; 3585 ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec; 3586 3587 if (ss->spdsock_dump_req != NULL) { 3588 qenable(OTHERQ(q)); 3589 return; 3590 } 3591 3592 while ((mp = getq(q)) != NULL) { 3593 if (ipsec_loaded(ipss)) { 3594 spdsock_wput(q, mp); 3595 if (ss->spdsock_dump_req != NULL) 3596 return; 3597 } else if (!ipsec_failed(ipss)) { 3598 (void) putq(q, mp); 3599 } else { 3600 spdsock_error(q, mp, EPFNOSUPPORT, 0); 3601 } 3602 } 3603} 3604 3605static int 3606spdsock_close(queue_t *q) 3607{ 3608 spdsock_t *ss = q->q_ptr; 3609 spd_stack_t *spds = ss->spdsock_spds; 3610 3611 qprocsoff(q); 3612 3613 /* Safe assumption. */ 3614 ASSERT(ss != NULL); 3615 3616 if (ss->spdsock_timeout != 0) 3617 (void) quntimeout(q, ss->spdsock_timeout); 3618 3619 ss3dbg(spds, ("Driver close, PF_POLICY socket is going away.\n")); 3620 3621 vmem_free(spdsock_vmem, (void *)(uintptr_t)ss->spdsock_minor, 1); 3622 netstack_rele(ss->spdsock_spds->spds_netstack); 3623 3624 kmem_free(ss, sizeof (spdsock_t)); 3625 return (0); 3626} 3627 3628/* 3629 * Merge the IPsec algorithms tables with the received algorithm information. 3630 */ 3631void 3632spdsock_merge_algs(spd_stack_t *spds) 3633{ 3634 ipsec_alginfo_t *alg, *oalg; 3635 ipsec_algtype_t algtype; 3636 uint_t algidx, algid, nalgs; 3637 crypto_mech_name_t *mechs; 3638 uint_t mech_count, mech_idx; 3639 netstack_t *ns = spds->spds_netstack; 3640 ipsec_stack_t *ipss = ns->netstack_ipsec; 3641 3642 ASSERT(MUTEX_HELD(&spds->spds_alg_lock)); 3643 3644 /* 3645 * Get the list of supported mechanisms from the crypto framework. 3646 * If a mechanism is supported by KCF, resolve its mechanism 3647 * id and mark it as being valid. This operation must be done 3648 * without holding alg_lock, since it can cause a provider 3649 * module to be loaded and the provider notification callback to 3650 * be invoked. 3651 */ 3652 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP); 3653 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3654 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) { 3655 int algflags = 0; 3656 crypto_mech_type_t mt = CRYPTO_MECHANISM_INVALID; 3657 3658 alg = spds->spds_algs[algtype][algid]; 3659 if (alg == NULL) 3660 continue; 3661 3662 /* 3663 * The NULL encryption algorithm is a special 3664 * case because there are no mechanisms, yet 3665 * the algorithm is still valid. 3666 */ 3667 if (alg->alg_id == SADB_EALG_NULL) { 3668 alg->alg_mech_type = CRYPTO_MECHANISM_INVALID; 3669 alg->alg_flags |= ALG_FLAG_VALID; 3670 continue; 3671 } 3672 3673 for (mech_idx = 0; mech_idx < mech_count; mech_idx++) { 3674 if (strncmp(alg->alg_mech_name, mechs[mech_idx], 3675 CRYPTO_MAX_MECH_NAME) == 0) { 3676 mt = crypto_mech2id(alg->alg_mech_name); 3677 ASSERT(mt != CRYPTO_MECHANISM_INVALID); 3678 algflags = ALG_FLAG_VALID; 3679 break; 3680 } 3681 } 3682 alg->alg_mech_type = mt; 3683 alg->alg_flags |= algflags; 3684 } 3685 } 3686 3687 mutex_enter(&ipss->ipsec_alg_lock); 3688 3689 /* 3690 * For each algorithm currently defined, check if it is 3691 * present in the new tables created from the SPD_UPDATEALGS 3692 * message received from user-space. 3693 * Delete the algorithm entries that are currently defined 3694 * but not part of the new tables. 3695 */ 3696 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3697 nalgs = ipss->ipsec_nalgs[algtype]; 3698 for (algidx = 0; algidx < nalgs; algidx++) { 3699 algid = ipss->ipsec_sortlist[algtype][algidx]; 3700 if (spds->spds_algs[algtype][algid] == NULL) 3701 ipsec_alg_unreg(algtype, algid, ns); 3702 } 3703 } 3704 3705 /* 3706 * For each algorithm we just received, check if it is 3707 * present in the currently defined tables. If it is, swap 3708 * the entry with the one we just allocated. 3709 * If the new algorithm is not in the current tables, 3710 * add it. 3711 */ 3712 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3713 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) { 3714 alg = spds->spds_algs[algtype][algid]; 3715 if (alg == NULL) 3716 continue; 3717 3718 if ((oalg = ipss->ipsec_alglists[algtype][algid]) == 3719 NULL) { 3720 /* 3721 * New algorithm, add it to the algorithm 3722 * table. 3723 */ 3724 ipsec_alg_reg(algtype, alg, ns); 3725 } else { 3726 /* 3727 * Algorithm is already in the table. Swap 3728 * the existing entry with the new one. 3729 */ 3730 ipsec_alg_fix_min_max(alg, algtype, ns); 3731 ipss->ipsec_alglists[algtype][algid] = alg; 3732 ipsec_alg_free(oalg); 3733 } 3734 spds->spds_algs[algtype][algid] = NULL; 3735 } 3736 } 3737 3738 for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) { 3739 ipss->ipsec_algs_exec_mode[algtype] = 3740 spds->spds_algs_exec_mode[algtype]; 3741 } 3742 3743 mutex_exit(&ipss->ipsec_alg_lock); 3744 3745 crypto_free_mech_list(mechs, mech_count); 3746 3747 ipsecah_algs_changed(ns); 3748 ipsecesp_algs_changed(ns); 3749} 3750