static in_port_t
rds_update_next_port(in_port_t port)
{
(void) random_get_pseudo_bytes((uint8_t *)&port, sizeof (in_port_t));
if (port < rds_smallest_port)
port = rds_smallest_port;
return (port);
}
void
oce_gen_hkey(char *hkey, int key_size)
{
int i;
int nkeys = key_size/sizeof (uint32_t);
for (i = 0; i < nkeys; i++) {
(void) random_get_pseudo_bytes(
(uint8_t *)&hkey[i * sizeof (uint32_t)],
sizeof (uint32_t));
}
}
/*ARGSUSED*/
krb5_error_code KRB5_CALLCONV
krb5_c_random_make_octets(krb5_context context, krb5_data *data)
{
/*
* Solaris kerberos uses /dev/[u]random
*/
#ifndef _KERNEL /* User space code */
krb5_error_code err = 0;
CK_RV rv;
KRB5_LOG0(KRB5_INFO, "krb5_c_random_make_octets() start, user space using "
"krb5_get_random_octets()\n");
rv = C_GenerateRandom(krb_ctx_hSession(context), (CK_BYTE_PTR)data->data,
(CK_ULONG)data->length);
if (rv != CKR_OK) {
KRB5_LOG(KRB5_ERR, "C_GenerateRandom failed in "
"krb5_c_random_make_octets: rv = 0x%x.", rv);
err = PKCS_ERR;
}
if (err != 0) {
KRB5_LOG0(KRB5_ERR, "krb5_c_random_make_octets() end, error");
return (err);
}
#else /* Kernel code section */
/*
* Solaris Kerberos: for kernel code we use the randomness generator native
* to Solaris 9. We avoid global variables and other nastiness this way.
*
* Using random_get_pseudo_bytes() instead of random_get_bytes() because it
* will not return an error code if there isn't enough entropy but will use
* a pseudo random algorithm to produce randomness. Most of the time it
* should be as good as random_get_bytes() and we don't have to worry about
* dealing with a non-fatal error.
*/
KRB5_LOG0(KRB5_INFO, "krb5_c_random_make_octets() start, kernel using "
"random_get_pseudo_bytes()\n ");
if(random_get_pseudo_bytes((uint8_t *)data->data, data->length) != 0) {
KRB5_LOG0(KRB5_ERR, "krb5_c_random_make_octets() end, "
"random_get_pseudo_bytes() error.\n");
return(KRB5_CRYPTO_INTERNAL);
}
#endif /* !_KERNEL */
KRB5_LOG0(KRB5_INFO, "krb5_c_random_make_octets() end\n");
return(0);
}
static void
sctp_init_faddr(sctp_t *sctp, sctp_faddr_t *fp, in6_addr_t *addr,
mblk_t *timer_mp)
{
sctp_stack_t *sctps = sctp->sctp_sctps;
ASSERT(fp->ixa != NULL);
bcopy(addr, &fp->faddr, sizeof (*addr));
if (IN6_IS_ADDR_V4MAPPED(addr)) {
fp->isv4 = 1;
/* Make sure that sfa_pmss is a multiple of SCTP_ALIGN. */
fp->sfa_pmss =
(sctps->sctps_initial_mtu - sctp->sctp_hdr_len) &
~(SCTP_ALIGN - 1);
fp->ixa->ixa_flags |= IXAF_IS_IPV4;
} else {
fp->isv4 = 0;
fp->sfa_pmss =
(sctps->sctps_initial_mtu - sctp->sctp_hdr6_len) &
~(SCTP_ALIGN - 1);
fp->ixa->ixa_flags &= ~IXAF_IS_IPV4;
}
fp->cwnd = sctps->sctps_slow_start_initial * fp->sfa_pmss;
fp->rto = MIN(sctp->sctp_rto_initial, sctp->sctp_init_rto_max);
SCTP_MAX_RTO(sctp, fp);
fp->srtt = -1;
fp->rtt_updates = 0;
fp->strikes = 0;
fp->max_retr = sctp->sctp_pp_max_rxt;
/* Mark it as not confirmed. */
fp->state = SCTP_FADDRS_UNCONFIRMED;
fp->hb_interval = sctp->sctp_hb_interval;
fp->ssthresh = sctps->sctps_initial_ssthresh;
fp->suna = 0;
fp->pba = 0;
fp->acked = 0;
fp->lastactive = fp->hb_expiry = ddi_get_lbolt64();
fp->timer_mp = timer_mp;
fp->hb_pending = B_FALSE;
fp->hb_enabled = B_TRUE;
fp->df = 1;
fp->pmtu_discovered = 0;
fp->next = NULL;
fp->T3expire = 0;
(void) random_get_pseudo_bytes((uint8_t *)&fp->hb_secret,
sizeof (fp->hb_secret));
fp->rxt_unacked = 0;
sctp_get_dest(sctp, fp);
}
/*
* Compress a buffer, uncompress the newly compressed buffer, then
* compare it to the original. Do this for all 9 compression levels.
*/
static int
splat_zlib_test1(struct file *file, void *arg)
{
void *src = NULL, *dst = NULL, *chk = NULL;
int i, rc, level;
src = vmalloc(BUFFER_SIZE);
if (src == NULL) {
rc = -ENOMEM;
goto out;
}
dst = vmalloc(BUFFER_SIZE);
if (dst == NULL) {
rc = -ENOMEM;
goto out;
}
chk = vmalloc(BUFFER_SIZE);
if (chk == NULL) {
rc = -ENOMEM;
goto out;
}
/* Source buffer is a repeating 1024 byte random pattern. */
random_get_pseudo_bytes(src, sizeof(uint8_t) * 1024);
for (i = 1; i < 128; i++)
memcpy(src + (i * 1024), src, 1024);
for (level = 1; level <= 9; level++)
if ((rc = splat_zlib_test1_check(file, src, dst, chk, level)))
break;
out:
if (src)
vfree(src);
if (dst)
vfree(dst);
if (chk)
vfree(chk);
return rc;
}
int
sfxge_toeplitz_hash_init(sfxge_t *sp)
{
int rc;
uint8_t toeplitz_key[SFXGE_TOEPLITZ_KEY_LEN];
(void) random_get_pseudo_bytes(toeplitz_key, sizeof (toeplitz_key));
if ((rc = efx_rx_scale_mode_set(sp->s_enp, EFX_RX_HASHALG_TOEPLITZ,
(1 << EFX_RX_HASH_IPV4) | (1 << EFX_RX_HASH_TCPIPV4) |
(1 << EFX_RX_HASH_IPV6) | (1 << EFX_RX_HASH_TCPIPV6), B_TRUE)) != 0)
return (rc);
if ((rc = efx_rx_scale_key_set(sp->s_enp, toeplitz_key,
sizeof (toeplitz_key))) != 0)
return (rc);
sp->s_toeplitz_cache = toeplitz_cache_init(toeplitz_key);
return (0);
}
int
sctp_listen(sctp_t *sctp)
{
sctp_tf_t *tf;
RUN_SCTP(sctp);
/*
* TCP handles listen() increasing the backlog, need to check
* if it should be handled here too
*/
if (sctp->sctp_state > SCTPS_BOUND) {
WAKE_SCTP(sctp);
return (EINVAL);
}
/* Do an anonymous bind for unbound socket doing listen(). */
if (sctp->sctp_nsaddrs == 0) {
struct sockaddr_storage ss;
int ret;
bzero(&ss, sizeof (ss));
ss.ss_family = sctp->sctp_family;
WAKE_SCTP(sctp);
if ((ret = sctp_bind(sctp, (struct sockaddr *)&ss,
sizeof (ss))) != 0)
return (ret);
RUN_SCTP(sctp)
}
sctp->sctp_state = SCTPS_LISTEN;
(void) random_get_pseudo_bytes(sctp->sctp_secret, SCTP_SECRET_LEN);
sctp->sctp_last_secret_update = lbolt64;
bzero(sctp->sctp_old_secret, SCTP_SECRET_LEN);
tf = &sctp_listen_fanout[SCTP_LISTEN_HASH(ntohs(sctp->sctp_lport))];
sctp_listen_hash_insert(tf, sctp);
WAKE_SCTP(sctp);
return (0);
}
uint64_t
unique_insert(uint64_t value)
{
avl_index_t idx;
unique_t *un = kmem_alloc(sizeof (unique_t), KM_SLEEP);
un->un_value = value;
mutex_enter(&unique_mtx);
while (un->un_value == 0 || un->un_value & ~UNIQUE_MASK ||
avl_find(&unique_avl, un, &idx)) {
mutex_exit(&unique_mtx);
(void) random_get_pseudo_bytes((void*)&un->un_value,
sizeof (un->un_value));
un->un_value &= UNIQUE_MASK;
mutex_enter(&unique_mtx);
}
avl_insert(&unique_avl, un, idx);
mutex_exit(&unique_mtx);
return (un->un_value);
}
void
auth_random_set_data(uchar_t *data, unsigned int length)
{
(void) random_get_pseudo_bytes(data, length);
}
/* ARGSUSED */
chap_validation_status_type
iscsit_radius_chap_validate(char *target_chap_name,
char *initiator_chap_name,
uint8_t *challenge,
uint32_t challenge_length,
uint8_t *target_response,
uint32_t response_length,
uint8_t identifier,
iscsi_ipaddr_t rad_svr_ip_addr,
uint32_t rad_svr_port,
uint8_t *rad_svr_shared_secret,
uint32_t rad_svr_shared_secret_len)
{
chap_validation_status_type validation_status;
char lbolt[64];
int rcv_status;
void *socket;
radius_packet_data_t req;
radius_packet_data_t resp;
MD5_CTX context;
uint8_t md5_digest[16]; /* MD5 digest length 16 */
uint8_t random_number[16];
if (rad_svr_shared_secret_len == 0) {
/* The secret must not be empty (section 3, RFC 2865) */
cmn_err(CE_WARN, "empty RADIUS shared secret");
return (CHAP_VALIDATION_BAD_RADIUS_SECRET);
}
bzero(&req, sizeof (radius_packet_data_t));
req.identifier = identifier;
req.code = RAD_ACCESS_REQ;
set_radius_attrs(&req,
target_chap_name,
target_response,
response_length,
challenge,
challenge_length);
/* Prepare the request authenticator */
MD5Init(&context);
bzero(&md5_digest, 16);
/* First, the shared secret */
MD5Update(&context, rad_svr_shared_secret, rad_svr_shared_secret_len);
/* Then a unique number - use lbolt plus a random number */
bzero(&lbolt, sizeof (lbolt));
(void) snprintf(lbolt, sizeof (lbolt), "%lx", ddi_get_lbolt());
MD5Update(&context, (uint8_t *)lbolt, strlen(lbolt));
bzero(&random_number, sizeof (random_number));
(void) random_get_pseudo_bytes(random_number, sizeof (random_number));
MD5Update(&context, random_number, sizeof (random_number));
MD5Final(md5_digest, &context);
bcopy(md5_digest, &req.authenticator, RAD_AUTHENTICATOR_LEN);
socket = idm_socreate(PF_INET, SOCK_DGRAM, 0);
if (socket == NULL) {
/* Error obtaining socket for RADIUS use */
return (CHAP_VALIDATION_RADIUS_ACCESS_ERROR);
}
/* Send the authentication access request to the RADIUS server */
if (iscsit_snd_radius_request(socket,
rad_svr_ip_addr,
rad_svr_port,
&req) != 0) {
idm_soshutdown(socket);
idm_sodestroy(socket);
return (CHAP_VALIDATION_RADIUS_ACCESS_ERROR);
}
bzero(&resp, sizeof (radius_packet_data_t));
/* Analyze the response coming through from the same socket. */
rcv_status = iscsit_rcv_radius_response(socket,
rad_svr_shared_secret,
rad_svr_shared_secret_len,
req.authenticator, &resp);
if (rcv_status == RAD_RSP_RCVD_SUCCESS) {
if (resp.code == RAD_ACCESS_ACPT) {
validation_status = CHAP_VALIDATION_PASSED;
} else if (resp.code == RAD_ACCESS_REJ) {
validation_status = CHAP_VALIDATION_INVALID_RESPONSE;
} else {
validation_status =
CHAP_VALIDATION_UNKNOWN_RADIUS_CODE;
}
} else if (rcv_status == RAD_RSP_RCVD_AUTH_FAILED) {
validation_status = CHAP_VALIDATION_BAD_RADIUS_SECRET;
} else {
validation_status = CHAP_VALIDATION_RADIUS_ACCESS_ERROR;
}
/* Done! Close the socket. */
idm_soshutdown(socket);
idm_sodestroy(socket);
return (validation_status);
}
int
osi_readRandom(void *data, afs_size_t len) {
random_get_pseudo_bytes(data, len);
return 0;
}
int
sctp_listen(sctp_t *sctp)
{
sctp_tf_t *tf;
sctp_stack_t *sctps = sctp->sctp_sctps;
conn_t *connp = sctp->sctp_connp;
RUN_SCTP(sctp);
/*
* TCP handles listen() increasing the backlog, need to check
* if it should be handled here too
*/
if (sctp->sctp_state > SCTPS_BOUND ||
(sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
WAKE_SCTP(sctp);
return (EINVAL);
}
/* Do an anonymous bind for unbound socket doing listen(). */
if (sctp->sctp_nsaddrs == 0) {
struct sockaddr_storage ss;
int ret;
bzero(&ss, sizeof (ss));
ss.ss_family = connp->conn_family;
WAKE_SCTP(sctp);
if ((ret = sctp_bind(sctp, (struct sockaddr *)&ss,
sizeof (ss))) != 0)
return (ret);
RUN_SCTP(sctp)
}
/* Cache things in the ixa without any refhold */
ASSERT(!(connp->conn_ixa->ixa_free_flags & IXA_FREE_CRED));
connp->conn_ixa->ixa_cred = connp->conn_cred;
connp->conn_ixa->ixa_cpid = connp->conn_cpid;
if (is_system_labeled())
connp->conn_ixa->ixa_tsl = crgetlabel(connp->conn_cred);
sctp->sctp_state = SCTPS_LISTEN;
(void) random_get_pseudo_bytes(sctp->sctp_secret, SCTP_SECRET_LEN);
sctp->sctp_last_secret_update = ddi_get_lbolt64();
bzero(sctp->sctp_old_secret, SCTP_SECRET_LEN);
/*
* If there is an association limit, allocate and initialize
* the counter struct. Note that since listen can be called
* multiple times, the struct may have been allready allocated.
*/
if (!list_is_empty(&sctps->sctps_listener_conf) &&
sctp->sctp_listen_cnt == NULL) {
sctp_listen_cnt_t *slc;
uint32_t ratio;
ratio = sctp_find_listener_conf(sctps,
ntohs(connp->conn_lport));
if (ratio != 0) {
uint32_t mem_ratio, tot_buf;
slc = kmem_alloc(sizeof (sctp_listen_cnt_t), KM_SLEEP);
/*
* Calculate the connection limit based on
* the configured ratio and maxusers. Maxusers
* are calculated based on memory size,
* ~ 1 user per MB. Note that the conn_rcvbuf
* and conn_sndbuf may change after a
* connection is accepted. So what we have
* is only an approximation.
*/
if ((tot_buf = connp->conn_rcvbuf +
connp->conn_sndbuf) < MB) {
mem_ratio = MB / tot_buf;
slc->slc_max = maxusers / ratio * mem_ratio;
} else {
mem_ratio = tot_buf / MB;
slc->slc_max = maxusers / ratio / mem_ratio;
}
/* At least we should allow some associations! */
if (slc->slc_max < sctp_min_assoc_listener)
slc->slc_max = sctp_min_assoc_listener;
slc->slc_cnt = 1;
slc->slc_drop = 0;
sctp->sctp_listen_cnt = slc;
}
}
tf = &sctps->sctps_listen_fanout[SCTP_LISTEN_HASH(
ntohs(connp->conn_lport))];
sctp_listen_hash_insert(tf, sctp);
WAKE_SCTP(sctp);
return (0);
}
void
iscsiAuthRandomSetData(uchar_t *data, unsigned int length)
{
(void) random_get_pseudo_bytes(data, length);
}
/* ARGSUSED */
int
tswtcl_process(mblk_t **mpp, tswtcl_data_t *tswtcl_data,
ipp_action_id_t *next_action)
{
ipha_t *ipha;
hrtime_t now;
ip6_t *ip6_hdr;
uint32_t pkt_len;
mblk_t *mp = *mpp;
hrtime_t deltaT;
uint64_t bitsinwin;
uint32_t min = 0, additive, rnd;
tswtcl_cfg_t *cfg_parms = tswtcl_data->cfg_parms;
if (mp == NULL) {
tswtcl0dbg(("tswtcl_process: null mp!\n"));
atomic_add_64(&tswtcl_data->epackets, 1);
return (EINVAL);
}
if (mp->b_datap->db_type != M_DATA) {
if ((mp->b_cont != NULL) &&
(mp->b_cont->b_datap->db_type == M_DATA)) {
mp = mp->b_cont;
} else {
tswtcl0dbg(("tswtcl_process: no data\n"));
atomic_add_64(&tswtcl_data->epackets, 1);
return (EINVAL);
}
}
/* Figure out the ToS/Traffic Class and length from the message */
if ((mp->b_wptr - mp->b_rptr) < IP_SIMPLE_HDR_LENGTH) {
if (!pullupmsg(mp, IP_SIMPLE_HDR_LENGTH)) {
tswtcl0dbg(("tswtcl_process: pullup error\n"));
atomic_add_64(&tswtcl_data->epackets, 1);
return (EINVAL);
}
}
ipha = (ipha_t *)mp->b_rptr;
if (IPH_HDR_VERSION(ipha) == IPV4_VERSION) {
pkt_len = ntohs(ipha->ipha_length);
} else {
ip6_hdr = (ip6_t *)mp->b_rptr;
pkt_len = ntohs(ip6_hdr->ip6_plen) +
ip_hdr_length_v6(mp, ip6_hdr);
}
/* Convert into bits */
pkt_len <<= 3;
/* Get current time */
now = gethrtime();
/* Update the avg_rate and win_front tswtcl_data */
mutex_enter(&tswtcl_data->tswtcl_lock);
/* avg_rate = bits/sec and window in msec */
bitsinwin = ((uint64_t)tswtcl_data->avg_rate * cfg_parms->window /
1000) + pkt_len;
deltaT = now - tswtcl_data->win_front + cfg_parms->nsecwindow;
tswtcl_data->avg_rate = (uint64_t)bitsinwin * METER_SEC_TO_NSEC /
deltaT;
tswtcl_data->win_front = now;
if (tswtcl_data->avg_rate <= cfg_parms->committed_rate) {
*next_action = cfg_parms->green_action;
} else if (tswtcl_data->avg_rate <= cfg_parms->peak_rate) {
/*
* Compute the probability:
*
* p0 = (avg_rate - committed_rate) / avg_rate
*
* Yellow with probability p0
* Green with probability (1 - p0)
*
*/
uint32_t aminusc;
/* Get a random no. betweeen 0 and avg_rate */
(void) random_get_pseudo_bytes((uint8_t *)&additive,
sizeof (additive));
rnd = min + (additive % (tswtcl_data->avg_rate - min + 1));
aminusc = tswtcl_data->avg_rate - cfg_parms->committed_rate;
if (aminusc >= rnd) {
*next_action = cfg_parms->yellow_action;
} else {
*next_action = cfg_parms->green_action;
}
} else {
/*
* Compute the probability:
*
* p1 = (avg_rate - peak_rate) / avg_rate
* p2 = (peak_rate - committed_rate) / avg_rate
*
* Red with probability p1
* Yellow with probability p2
* Green with probability (1 - (p1 + p2))
*
*/
uint32_t aminusp;
/* Get a random no. betweeen 0 and avg_rate */
(void) random_get_pseudo_bytes((uint8_t *)&additive,
sizeof (additive));
rnd = min + (additive % (tswtcl_data->avg_rate - min + 1));
aminusp = tswtcl_data->avg_rate - cfg_parms->peak_rate;
if (aminusp >= rnd) {
*next_action = cfg_parms->red_action;
} else if ((cfg_parms->pminusc + aminusp) >= rnd) {
*next_action = cfg_parms->yellow_action;
} else {
*next_action = cfg_parms->green_action;
}
}
mutex_exit(&tswtcl_data->tswtcl_lock);
/* Update Stats */
if (*next_action == cfg_parms->green_action) {
atomic_add_64(&tswtcl_data->green_packets, 1);
atomic_add_64(&tswtcl_data->green_bits, pkt_len);
} else if (*next_action == cfg_parms->yellow_action) {
atomic_add_64(&tswtcl_data->yellow_packets, 1);
atomic_add_64(&tswtcl_data->yellow_bits, pkt_len);
} else {
ASSERT(*next_action == cfg_parms->red_action);
atomic_add_64(&tswtcl_data->red_packets, 1);
atomic_add_64(&tswtcl_data->red_bits, pkt_len);
}
return (0);
}
