authorMark Fenwick <Mark.Fenwick@Sun.COM>2009-07-01 20:57:22 -0700
committerMark Fenwick <Mark.Fenwick@Sun.COM>2009-07-01 20:57:22 -0700
commita1ba878124e55e106e12f717d2b0aa3d6c531858 (patch)
tree8762b97b246e64cc8c85a3f5718d189aaef28868 /usr/src/lib
parent42e43e9829853ed82c9a4e268b0b15ea58be81fb (diff)
6848192 get_ipsa_pair() does not always follow bucket lock entry rules, could potentially deadlock.
6846548 PF_KEY diagnostics need to be more specific 6853208 ipsecalgs(1m) does not cope when there are no algorithms registered. 6856693 sadb_update_sa() checks for duplicate SADB_UPDATE messages in the wrong place. 6846547 Faulty PF_KEY replies should not cause in.iked to halt
Diffstat (limited to 'usr/src/lib')
-rw-r--r--usr/src/lib/libipsecutil/common/ipsec_util.c31
-rw-r--r--usr/src/lib/libipsecutil/common/ipsec_util.h31
2 files changed, 49 insertions, 13 deletions
diff --git a/usr/src/lib/libipsecutil/common/ipsec_util.c b/usr/src/lib/libipsecutil/common/ipsec_util.c
index ade9d99e08..46700b4680 100644
--- a/usr/src/lib/libipsecutil/common/ipsec_util.c
+++ b/usr/src/lib/libipsecutil/common/ipsec_util.c
@@ -1052,7 +1052,6 @@ spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize,
while ((char *)extv[0] < ((char *)basehdr + msgsize)) {
/* Check for unknown headers. */
i++;
-
if (extv[0]->spd_ext_type == 0 ||
extv[0]->spd_ext_type > SPD_EXT_MAX) {
if (diag_buf != NULL) {
@@ -1413,6 +1412,15 @@ keysock_diag(int diagnostic)
case SADB_X_DIAGNOSTIC_SA_EXPIRED:
return (dgettext(TEXT_DOMAIN,
"Security association is not valid"));
+ case SADB_X_DIAGNOSTIC_BAD_CTX:
+ return (dgettext(TEXT_DOMAIN,
+ "Algorithm invalid or not supported by Crypto Framework"));
+ case SADB_X_DIAGNOSTIC_INVALID_REPLAY:
+ return (dgettext(TEXT_DOMAIN,
+ "Invalid Replay counter"));
+ case SADB_X_DIAGNOSTIC_MISSING_LIFETIME:
+ return (dgettext(TEXT_DOMAIN,
+ "Inappropriate lifetimes"));
default:
return (dgettext(TEXT_DOMAIN, "Unknown diagnostic code"));
}
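Review bot: The text returned for `SADB_X_DIAGNOSTIC_MISSING_LIFETIME` is "Inappropriate lifetimes", which does not convey what the constant's name says, namely that a lifetime is missing. The commit message asks for more specific PF_KEY diagnostics, so wording that matches the condition would serve an operator reading the log better, for example `"Missing or inappropriate lifetimes"`. That assumes the code is raised when a lifetime extension is absent, which the visible lines do not show. These strings are message-catalog keys, so it is cheaper to settle the wording now than after translation. keysock_diag's switch starts before this hunk.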
@@ -2986,7 +2994,21 @@ rparseidtype(uint16_t type)
* error type. If the command calling this function was started by smf(5) the
* error type could be used as a hint to the restarter. In the future this
* function could be used to do something more intelligent with a process that
- * encounters an error.
+ * encounters an error. If exit() is called with an error code other than those
+ * defined by smf(5), the program will just get restarted. Unless restarting
+ * is likely to resolve the error condition, its probably sensible to just
+ * log the error and keep running.
+ *
+ * The SERVICE_* exit_types mean nothing if the command was run from the
+ * command line, just exit(). There are two special cases:
+ *
+ * SERVICE_DEGRADE - Not implemented in smf(5), one day it could hint that
+ * the service is not running as well is it could. For
+ * now, don't do anything, just record the error.
+ * DEBUG_FATAL - Something happened, if the command was being run in debug
+ * mode, exit() as you really want to know something happened,
+ * otherwise just keep running. This is ignored when running
+ * under smf(5).
*
* The function will handle an optional variable args error message, this
* will be written to the error stream, typically a log file or stderr.
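Review bot: The added comment text has two wording slips worth fixing while the block is being rewritten: `its probably sensible` should read `it's probably sensible`, and `as well is it could` should read `as well as it could`. The comment added to ipsec_util.h in this same commit has similar slips: `consistant`, `occured`, and `What happens when ipsecutil_exit() may differ`, which is missing `is called`. The comment block starts and ends outside this hunk.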
@@ -3020,6 +3042,7 @@ ipsecutil_exit(exit_type_t type, char *fmri, FILE *fp, const char *fmt, ...)
case SERVICE_DISABLE:
case SERVICE_FATAL:
case SERVICE_RESTART:
+ case DEBUG_FATAL:
warnxfp(fp, "Fatal error - exiting.");
exit_status = 1;
break;
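Review bot: The new `case DEBUG_FATAL:` in this arm exits with status 1 unconditionally, while the updated function comment describes DEBUG_FATAL as exiting only when the command is in debug mode. Nothing in the visible lines tests a debug flag, and the note added to ipsec_util.h says the caller decides what debug mode is. A reminder at the case would keep a future caller from passing DEBUG_FATAL for a condition it expects to survive, e.g. `case DEBUG_FATAL: /* caller has already decided we are in debug mode */`. This looks like the command-line branch of ipsecutil_exit(), but the switch begins outside the hunk, so that is inferred.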
@@ -3030,7 +3053,9 @@ ipsecutil_exit(exit_type_t type, char *fmri, FILE *fp, const char *fmt, ...)
case SERVICE_EXIT_OK:
exit_status = SMF_EXIT_OK;
break;
- case SERVICE_DEGRADE:
+ case SERVICE_DEGRADE: /* Not implemented yet. */
+ case DEBUG_FATAL:
+ /* Keep running, don't exit(). */
return;
break;
case SERVICE_BADPERM:
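Review bot: With `DEBUG_FATAL` added to the `return` arm, ipsecutil_exit() can now return to a caller that has just reported a fatal-class condition, so every call site passing DEBUG_FATAL must be written to continue safely afterwards. For the faulty PF_KEY reply case named in the commit message, that means discarding the reply rather than acting on fields parsed from it. The contract deserves a comment at the arm, e.g. `/* Returns to the caller, which must abandon the failed operation and carry on. */`. The `break;` after `return;` is unreachable and could be dropped. Whether the optional message is written before this switch is not visible in the hunk, so the "just record the error" wording in the function comment cannot be confirmed from here.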
diff --git a/usr/src/lib/libipsecutil/common/ipsec_util.h b/usr/src/lib/libipsecutil/common/ipsec_util.h
index 350b423df9..ce1b552fe2 100644
--- a/usr/src/lib/libipsecutil/common/ipsec_util.h
+++ b/usr/src/lib/libipsecutil/common/ipsec_util.h
@@ -105,16 +105,26 @@ typedef struct keywdtab {
char *kw_str;
} keywdtab_t;
-/* Exit the programe and enter new state */
+/*
+ * These different exit states are designed to give consistant behaviour
+ * when a program needs to exit because of an error. These exit_types
+ * are used in macros, defined later in this file, which call ipsecutil_exit().
+ * What happens when ipsecutil_exit() may differ if the command was started
+ * on the command line or via smf(5), See ipsecutil_exit() source for details.
+ *
+ * Note: The calling function should decide what "debug mode" is before calling
+ * ipsecutil_exit() with DEBUG_FATAL.
+ */
typedef enum exit_type {
- SERVICE_EXIT_OK,
- SERVICE_DEGRADE,
- SERVICE_BADPERM,
- SERVICE_BADCONF,
- SERVICE_MAINTAIN,
- SERVICE_DISABLE,
- SERVICE_FATAL,
- SERVICE_RESTART
+ SERVICE_EXIT_OK, /* Exit without error. */
+ SERVICE_DEGRADE, /* A hint that service should be degraded. */
+ SERVICE_BADPERM, /* A Permission error occured. */
+ SERVICE_BADCONF, /* Misconfiguration. */
+ SERVICE_MAINTAIN, /* smf(5) to put service in maintenance mode. */
+ SERVICE_DISABLE, /* Tell smf(5) to disable me. */
+ SERVICE_FATAL, /* Whatever happened is not fixable. */
+ SERVICE_RESTART, /* Tell smf(5) to restart the service. */
+ DEBUG_FATAL /* Exit in debug mode. */
} exit_type_t;
/*
@@ -372,7 +382,8 @@ extern const char *do_inet_ntop(const void *, char *, size_t);
* programs that use libipsecutil. These wll work in usr/src/cmd
* and usr/src/lib, but because macros in usr/src/lib don't get
* expanded when I18N message catalogs are built, avoid using
- * these with text inside libipsecutil.
+ * these with text inside libipsecutil. See source of ipsecutil_exit()
+ * for more details.
*/
#define EXIT_OK(x) \
ipsecutil_exit(SERVICE_EXIT_OK, my_fmri, debugfile, \