xref: /illumos-gate/usr/src/uts/common/inet/ip/ipsecesp.c (revision 46b592853d0f4f11781b6b0a7533f267c6aee132)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/types.h>
27 #include <sys/stream.h>
28 #include <sys/stropts.h>
29 #include <sys/errno.h>
30 #include <sys/strlog.h>
31 #include <sys/tihdr.h>
32 #include <sys/socket.h>
33 #include <sys/ddi.h>
34 #include <sys/sunddi.h>
35 #include <sys/kmem.h>
36 #include <sys/zone.h>
37 #include <sys/sysmacros.h>
38 #include <sys/cmn_err.h>
39 #include <sys/vtrace.h>
40 #include <sys/debug.h>
41 #include <sys/atomic.h>
42 #include <sys/strsun.h>
43 #include <sys/random.h>
44 #include <netinet/in.h>
45 #include <net/if.h>
46 #include <netinet/ip6.h>
47 #include <net/pfkeyv2.h>
48 #include <net/pfpolicy.h>
49 
50 #include <inet/common.h>
51 #include <inet/mi.h>
52 #include <inet/nd.h>
53 #include <inet/ip.h>
54 #include <inet/ip_impl.h>
55 #include <inet/ip6.h>
56 #include <inet/sadb.h>
57 #include <inet/ipsec_info.h>
58 #include <inet/ipsec_impl.h>
59 #include <inet/ipsecesp.h>
60 #include <inet/ipdrop.h>
61 #include <inet/tcp.h>
62 #include <sys/kstat.h>
63 #include <sys/policy.h>
64 #include <sys/strsun.h>
65 #include <inet/udp_impl.h>
66 #include <sys/taskq.h>
67 #include <sys/note.h>
68 
69 #include <sys/iphada.h>
70 
71 /*
72  * Table of ND variables supported by ipsecesp. These are loaded into
73  * ipsecesp_g_nd in ipsecesp_init_nd.
74  * All of these are alterable, within the min/max values given, at run time.
75  */
76 static	ipsecespparam_t	lcl_param_arr[] = {
77 	/* min	max			value	name */
78 	{ 0,	3,			0,	"ipsecesp_debug"},
79 	{ 125,	32000, SADB_AGE_INTERVAL_DEFAULT, "ipsecesp_age_interval"},
80 	{ 1,	10,			1,	"ipsecesp_reap_delay"},
81 	{ 1,	SADB_MAX_REPLAY,	64,	"ipsecesp_replay_size"},
82 	{ 1,	300,			15,	"ipsecesp_acquire_timeout"},
83 	{ 1,	1800,			90,	"ipsecesp_larval_timeout"},
84 	/* Default lifetime values for ACQUIRE messages. */
85 	{ 0,	0xffffffffU,	0,	"ipsecesp_default_soft_bytes"},
86 	{ 0,	0xffffffffU,	0,	"ipsecesp_default_hard_bytes"},
87 	{ 0,	0xffffffffU,	24000,	"ipsecesp_default_soft_addtime"},
88 	{ 0,	0xffffffffU,	28800,	"ipsecesp_default_hard_addtime"},
89 	{ 0,	0xffffffffU,	0,	"ipsecesp_default_soft_usetime"},
90 	{ 0,	0xffffffffU,	0,	"ipsecesp_default_hard_usetime"},
91 	{ 0,	1,		0,	"ipsecesp_log_unknown_spi"},
92 	{ 0,	2,		1,	"ipsecesp_padding_check"},
93 	{ 0,	600,		20,	"ipsecesp_nat_keepalive_interval"},
94 };
95 #define	ipsecesp_debug	ipsecesp_params[0].ipsecesp_param_value
96 #define	ipsecesp_age_interval ipsecesp_params[1].ipsecesp_param_value
97 #define	ipsecesp_age_int_max	ipsecesp_params[1].ipsecesp_param_max
98 #define	ipsecesp_reap_delay	ipsecesp_params[2].ipsecesp_param_value
99 #define	ipsecesp_replay_size	ipsecesp_params[3].ipsecesp_param_value
100 #define	ipsecesp_acquire_timeout	\
101 	ipsecesp_params[4].ipsecesp_param_value
102 #define	ipsecesp_larval_timeout	\
103 	ipsecesp_params[5].ipsecesp_param_value
104 #define	ipsecesp_default_soft_bytes	\
105 	ipsecesp_params[6].ipsecesp_param_value
106 #define	ipsecesp_default_hard_bytes	\
107 	ipsecesp_params[7].ipsecesp_param_value
108 #define	ipsecesp_default_soft_addtime	\
109 	ipsecesp_params[8].ipsecesp_param_value
110 #define	ipsecesp_default_hard_addtime	\
111 	ipsecesp_params[9].ipsecesp_param_value
112 #define	ipsecesp_default_soft_usetime	\
113 	ipsecesp_params[10].ipsecesp_param_value
114 #define	ipsecesp_default_hard_usetime	\
115 	ipsecesp_params[11].ipsecesp_param_value
116 #define	ipsecesp_log_unknown_spi	\
117 	ipsecesp_params[12].ipsecesp_param_value
118 #define	ipsecesp_padding_check	\
119 	ipsecesp_params[13].ipsecesp_param_value
120 /* For ipsecesp_nat_keepalive_interval, see ipsecesp.h. */
121 
122 #define	esp0dbg(a)	printf a
123 /* NOTE:  != 0 instead of > 0 so lint doesn't complain. */
124 #define	esp1dbg(espstack, a)	if (espstack->ipsecesp_debug != 0) printf a
125 #define	esp2dbg(espstack, a)	if (espstack->ipsecesp_debug > 1) printf a
126 #define	esp3dbg(espstack, a)	if (espstack->ipsecesp_debug > 2) printf a
127 
128 static int ipsecesp_open(queue_t *, dev_t *, int, int, cred_t *);
129 static int ipsecesp_close(queue_t *);
130 static void ipsecesp_rput(queue_t *, mblk_t *);
131 static void ipsecesp_wput(queue_t *, mblk_t *);
132 static void	*ipsecesp_stack_init(netstackid_t stackid, netstack_t *ns);
133 static void	ipsecesp_stack_fini(netstackid_t stackid, void *arg);
134 static void esp_send_acquire(ipsacq_t *, mblk_t *, netstack_t *);
135 
136 static void esp_prepare_udp(netstack_t *, mblk_t *, ipha_t *);
137 static ipsec_status_t esp_outbound_accelerated(mblk_t *, uint_t);
138 static ipsec_status_t esp_inbound_accelerated(mblk_t *, mblk_t *,
139     boolean_t, ipsa_t *);
140 
141 static boolean_t esp_register_out(uint32_t, uint32_t, uint_t,
142     ipsecesp_stack_t *);
143 static boolean_t esp_strip_header(mblk_t *, boolean_t, uint32_t,
144     kstat_named_t **, ipsecesp_stack_t *);
145 static ipsec_status_t esp_submit_req_inbound(mblk_t *, ipsa_t *, uint_t);
146 static ipsec_status_t esp_submit_req_outbound(mblk_t *, ipsa_t *, uchar_t *,
147     uint_t);
148 extern void (*cl_inet_getspi)(netstackid_t, uint8_t, uint8_t *, size_t,
149     void *);
150 
151 /* Setable in /etc/system */
152 uint32_t esp_hash_size = IPSEC_DEFAULT_HASH_SIZE;
153 
154 static struct module_info info = {
155 	5137, "ipsecesp", 0, INFPSZ, 65536, 1024
156 };
157 
158 static struct qinit rinit = {
159 	(pfi_t)ipsecesp_rput, NULL, ipsecesp_open, ipsecesp_close, NULL, &info,
160 	NULL
161 };
162 
163 static struct qinit winit = {
164 	(pfi_t)ipsecesp_wput, NULL, ipsecesp_open, ipsecesp_close, NULL, &info,
165 	NULL
166 };
167 
168 struct streamtab ipsecespinfo = {
169 	&rinit, &winit, NULL, NULL
170 };
171 
172 static taskq_t *esp_taskq;
173 
174 /*
175  * OTOH, this one is set at open/close, and I'm D_MTQPAIR for now.
176  *
177  * Question:	Do I need this, given that all instance's esps->esps_wq point
178  *		to IP?
179  *
180  * Answer:	Yes, because I need to know which queue is BOUND to
181  *		IPPROTO_ESP
182  */
183 
184 /*
185  * Stats.  This may eventually become a full-blown SNMP MIB once that spec
186  * stabilizes.
187  */
188 
189 typedef struct esp_kstats_s {
190 	kstat_named_t esp_stat_num_aalgs;
191 	kstat_named_t esp_stat_good_auth;
192 	kstat_named_t esp_stat_bad_auth;
193 	kstat_named_t esp_stat_bad_padding;
194 	kstat_named_t esp_stat_replay_failures;
195 	kstat_named_t esp_stat_replay_early_failures;
196 	kstat_named_t esp_stat_keysock_in;
197 	kstat_named_t esp_stat_out_requests;
198 	kstat_named_t esp_stat_acquire_requests;
199 	kstat_named_t esp_stat_bytes_expired;
200 	kstat_named_t esp_stat_out_discards;
201 	kstat_named_t esp_stat_in_accelerated;
202 	kstat_named_t esp_stat_out_accelerated;
203 	kstat_named_t esp_stat_noaccel;
204 	kstat_named_t esp_stat_crypto_sync;
205 	kstat_named_t esp_stat_crypto_async;
206 	kstat_named_t esp_stat_crypto_failures;
207 	kstat_named_t esp_stat_num_ealgs;
208 	kstat_named_t esp_stat_bad_decrypt;
209 	kstat_named_t esp_stat_sa_port_renumbers;
210 } esp_kstats_t;
211 
212 /*
213  * espstack->esp_kstats is equal to espstack->esp_ksp->ks_data if
214  * kstat_create_netstack for espstack->esp_ksp succeeds, but when it
215  * fails, it will be NULL. Note this is done for all stack instances,
216  * so it *could* fail. hence a non-NULL checking is done for
217  * ESP_BUMP_STAT and ESP_DEBUMP_STAT
218  */
219 #define	ESP_BUMP_STAT(espstack, x)					\
220 do {									\
221 	if (espstack->esp_kstats != NULL)				\
222 		(espstack->esp_kstats->esp_stat_ ## x).value.ui64++;	\
223 _NOTE(CONSTCOND)							\
224 } while (0)
225 
226 #define	ESP_DEBUMP_STAT(espstack, x)					\
227 do {									\
228 	if (espstack->esp_kstats != NULL)				\
229 		(espstack->esp_kstats->esp_stat_ ## x).value.ui64--;	\
230 _NOTE(CONSTCOND)							\
231 } while (0)
232 
233 static int	esp_kstat_update(kstat_t *, int);
234 
235 static boolean_t
236 esp_kstat_init(ipsecesp_stack_t *espstack, netstackid_t stackid)
237 {
238 	espstack->esp_ksp = kstat_create_netstack("ipsecesp", 0, "esp_stat",
239 	    "net", KSTAT_TYPE_NAMED,
240 	    sizeof (esp_kstats_t) / sizeof (kstat_named_t),
241 	    KSTAT_FLAG_PERSISTENT, stackid);
242 
243 	if (espstack->esp_ksp == NULL || espstack->esp_ksp->ks_data == NULL)
244 		return (B_FALSE);
245 
246 	espstack->esp_kstats = espstack->esp_ksp->ks_data;
247 
248 	espstack->esp_ksp->ks_update = esp_kstat_update;
249 	espstack->esp_ksp->ks_private = (void *)(uintptr_t)stackid;
250 
251 #define	K64 KSTAT_DATA_UINT64
252 #define	KI(x) kstat_named_init(&(espstack->esp_kstats->esp_stat_##x), #x, K64)
253 
254 	KI(num_aalgs);
255 	KI(num_ealgs);
256 	KI(good_auth);
257 	KI(bad_auth);
258 	KI(bad_padding);
259 	KI(replay_failures);
260 	KI(replay_early_failures);
261 	KI(keysock_in);
262 	KI(out_requests);
263 	KI(acquire_requests);
264 	KI(bytes_expired);
265 	KI(out_discards);
266 	KI(in_accelerated);
267 	KI(out_accelerated);
268 	KI(noaccel);
269 	KI(crypto_sync);
270 	KI(crypto_async);
271 	KI(crypto_failures);
272 	KI(bad_decrypt);
273 	KI(sa_port_renumbers);
274 
275 #undef KI
276 #undef K64
277 
278 	kstat_install(espstack->esp_ksp);
279 
280 	return (B_TRUE);
281 }
282 
283 static int
284 esp_kstat_update(kstat_t *kp, int rw)
285 {
286 	esp_kstats_t *ekp;
287 	netstackid_t	stackid = (zoneid_t)(uintptr_t)kp->ks_private;
288 	netstack_t	*ns;
289 	ipsec_stack_t	*ipss;
290 
291 	if ((kp == NULL) || (kp->ks_data == NULL))
292 		return (EIO);
293 
294 	if (rw == KSTAT_WRITE)
295 		return (EACCES);
296 
297 	ns = netstack_find_by_stackid(stackid);
298 	if (ns == NULL)
299 		return (-1);
300 	ipss = ns->netstack_ipsec;
301 	if (ipss == NULL) {
302 		netstack_rele(ns);
303 		return (-1);
304 	}
305 	ekp = (esp_kstats_t *)kp->ks_data;
306 
307 	mutex_enter(&ipss->ipsec_alg_lock);
308 	ekp->esp_stat_num_aalgs.value.ui64 =
309 	    ipss->ipsec_nalgs[IPSEC_ALG_AUTH];
310 	ekp->esp_stat_num_ealgs.value.ui64 =
311 	    ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
312 	mutex_exit(&ipss->ipsec_alg_lock);
313 
314 	netstack_rele(ns);
315 	return (0);
316 }
317 
318 #ifdef DEBUG
319 /*
320  * Debug routine, useful to see pre-encryption data.
321  */
322 static char *
323 dump_msg(mblk_t *mp)
324 {
325 	char tmp_str[3], tmp_line[256];
326 
327 	while (mp != NULL) {
328 		unsigned char *ptr;
329 
330 		printf("mblk address 0x%p, length %ld, db_ref %d "
331 		    "type %d, base 0x%p, lim 0x%p\n",
332 		    (void *) mp, (long)(mp->b_wptr - mp->b_rptr),
333 		    mp->b_datap->db_ref, mp->b_datap->db_type,
334 		    (void *)mp->b_datap->db_base, (void *)mp->b_datap->db_lim);
335 		ptr = mp->b_rptr;
336 
337 		tmp_line[0] = '\0';
338 		while (ptr < mp->b_wptr) {
339 			uint_t diff;
340 
341 			diff = (ptr - mp->b_rptr);
342 			if (!(diff & 0x1f)) {
343 				if (strlen(tmp_line) > 0) {
344 					printf("bytes: %s\n", tmp_line);
345 					tmp_line[0] = '\0';
346 				}
347 			}
348 			if (!(diff & 0x3))
349 				(void) strcat(tmp_line, " ");
350 			(void) sprintf(tmp_str, "%02x", *ptr);
351 			(void) strcat(tmp_line, tmp_str);
352 			ptr++;
353 		}
354 		if (strlen(tmp_line) > 0)
355 			printf("bytes: %s\n", tmp_line);
356 
357 		mp = mp->b_cont;
358 	}
359 
360 	return ("\n");
361 }
362 
363 #else /* DEBUG */
364 static char *
365 dump_msg(mblk_t *mp)
366 {
367 	printf("Find value of mp %p.\n", mp);
368 	return ("\n");
369 }
370 #endif /* DEBUG */
371 
372 /*
373  * Don't have to lock age_interval, as only one thread will access it at
374  * a time, because I control the one function that does with timeout().
375  */
376 static void
377 esp_ager(void *arg)
378 {
379 	ipsecesp_stack_t *espstack = (ipsecesp_stack_t *)arg;
380 	netstack_t	*ns = espstack->ipsecesp_netstack;
381 	hrtime_t begin = gethrtime();
382 
383 	sadb_ager(&espstack->esp_sadb.s_v4, espstack->esp_pfkey_q,
384 	    espstack->esp_sadb.s_ip_q, espstack->ipsecesp_reap_delay, ns);
385 	sadb_ager(&espstack->esp_sadb.s_v6, espstack->esp_pfkey_q,
386 	    espstack->esp_sadb.s_ip_q, espstack->ipsecesp_reap_delay, ns);
387 
388 	espstack->esp_event = sadb_retimeout(begin, espstack->esp_pfkey_q,
389 	    esp_ager, espstack,
390 	    &espstack->ipsecesp_age_interval, espstack->ipsecesp_age_int_max,
391 	    info.mi_idnum);
392 }
393 
394 /*
395  * Get an ESP NDD parameter.
396  */
397 /* ARGSUSED */
398 static int
399 ipsecesp_param_get(q, mp, cp, cr)
400 	queue_t	*q;
401 	mblk_t	*mp;
402 	caddr_t	cp;
403 	cred_t *cr;
404 {
405 	ipsecespparam_t	*ipsecesppa = (ipsecespparam_t *)cp;
406 	uint_t value;
407 	ipsecesp_stack_t	*espstack = (ipsecesp_stack_t *)q->q_ptr;
408 
409 	mutex_enter(&espstack->ipsecesp_param_lock);
410 	value = ipsecesppa->ipsecesp_param_value;
411 	mutex_exit(&espstack->ipsecesp_param_lock);
412 
413 	(void) mi_mpprintf(mp, "%u", value);
414 	return (0);
415 }
416 
417 /*
418  * This routine sets an NDD variable in a ipsecespparam_t structure.
419  */
420 /* ARGSUSED */
421 static int
422 ipsecesp_param_set(q, mp, value, cp, cr)
423 	queue_t	*q;
424 	mblk_t	*mp;
425 	char	*value;
426 	caddr_t	cp;
427 	cred_t *cr;
428 {
429 	ulong_t	new_value;
430 	ipsecespparam_t	*ipsecesppa = (ipsecespparam_t *)cp;
431 	ipsecesp_stack_t	*espstack = (ipsecesp_stack_t *)q->q_ptr;
432 
433 	/*
434 	 * Fail the request if the new value does not lie within the
435 	 * required bounds.
436 	 */
437 	if (ddi_strtoul(value, NULL, 10, &new_value) != 0 ||
438 	    new_value < ipsecesppa->ipsecesp_param_min ||
439 	    new_value > ipsecesppa->ipsecesp_param_max) {
440 		return (EINVAL);
441 	}
442 
443 	/* Set the new value */
444 	mutex_enter(&espstack->ipsecesp_param_lock);
445 	ipsecesppa->ipsecesp_param_value = new_value;
446 	mutex_exit(&espstack->ipsecesp_param_lock);
447 	return (0);
448 }
449 
450 /*
451  * Using lifetime NDD variables, fill in an extended combination's
452  * lifetime information.
453  */
454 void
455 ipsecesp_fill_defs(sadb_x_ecomb_t *ecomb, netstack_t *ns)
456 {
457 	ipsecesp_stack_t	*espstack = ns->netstack_ipsecesp;
458 
459 	ecomb->sadb_x_ecomb_soft_bytes = espstack->ipsecesp_default_soft_bytes;
460 	ecomb->sadb_x_ecomb_hard_bytes = espstack->ipsecesp_default_hard_bytes;
461 	ecomb->sadb_x_ecomb_soft_addtime =
462 	    espstack->ipsecesp_default_soft_addtime;
463 	ecomb->sadb_x_ecomb_hard_addtime =
464 	    espstack->ipsecesp_default_hard_addtime;
465 	ecomb->sadb_x_ecomb_soft_usetime =
466 	    espstack->ipsecesp_default_soft_usetime;
467 	ecomb->sadb_x_ecomb_hard_usetime =
468 	    espstack->ipsecesp_default_hard_usetime;
469 }
470 
471 /*
472  * Initialize things for ESP at module load time.
473  */
474 boolean_t
475 ipsecesp_ddi_init(void)
476 {
477 	esp_taskq = taskq_create("esp_taskq", 1, minclsyspri,
478 	    IPSEC_TASKQ_MIN, IPSEC_TASKQ_MAX, 0);
479 
480 	/*
481 	 * We want to be informed each time a stack is created or
482 	 * destroyed in the kernel, so we can maintain the
483 	 * set of ipsecesp_stack_t's.
484 	 */
485 	netstack_register(NS_IPSECESP, ipsecesp_stack_init, NULL,
486 	    ipsecesp_stack_fini);
487 
488 	return (B_TRUE);
489 }
490 
491 /*
492  * Walk through the param array specified registering each element with the
493  * named dispatch handler.
494  */
495 static boolean_t
496 ipsecesp_param_register(IDP *ndp, ipsecespparam_t *espp, int cnt)
497 {
498 	for (; cnt-- > 0; espp++) {
499 		if (espp->ipsecesp_param_name != NULL &&
500 		    espp->ipsecesp_param_name[0]) {
501 			if (!nd_load(ndp,
502 			    espp->ipsecesp_param_name,
503 			    ipsecesp_param_get, ipsecesp_param_set,
504 			    (caddr_t)espp)) {
505 				nd_free(ndp);
506 				return (B_FALSE);
507 			}
508 		}
509 	}
510 	return (B_TRUE);
511 }
512 /*
513  * Initialize things for ESP for each stack instance
514  */
515 static void *
516 ipsecesp_stack_init(netstackid_t stackid, netstack_t *ns)
517 {
518 	ipsecesp_stack_t	*espstack;
519 	ipsecespparam_t		*espp;
520 
521 	espstack = (ipsecesp_stack_t *)kmem_zalloc(sizeof (*espstack),
522 	    KM_SLEEP);
523 	espstack->ipsecesp_netstack = ns;
524 
525 	espp = (ipsecespparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP);
526 	espstack->ipsecesp_params = espp;
527 	bcopy(lcl_param_arr, espp, sizeof (lcl_param_arr));
528 
529 	(void) ipsecesp_param_register(&espstack->ipsecesp_g_nd, espp,
530 	    A_CNT(lcl_param_arr));
531 
532 	(void) esp_kstat_init(espstack, stackid);
533 
534 	espstack->esp_sadb.s_acquire_timeout =
535 	    &espstack->ipsecesp_acquire_timeout;
536 	espstack->esp_sadb.s_acqfn = esp_send_acquire;
537 	sadbp_init("ESP", &espstack->esp_sadb, SADB_SATYPE_ESP, esp_hash_size,
538 	    espstack->ipsecesp_netstack);
539 
540 	mutex_init(&espstack->ipsecesp_param_lock, NULL, MUTEX_DEFAULT, 0);
541 
542 	ip_drop_register(&espstack->esp_dropper, "IPsec ESP");
543 	return (espstack);
544 }
545 
546 /*
547  * Destroy things for ESP at module unload time.
548  */
549 void
550 ipsecesp_ddi_destroy(void)
551 {
552 	netstack_unregister(NS_IPSECESP);
553 	taskq_destroy(esp_taskq);
554 }
555 
556 /*
557  * Destroy things for ESP for one stack instance
558  */
559 static void
560 ipsecesp_stack_fini(netstackid_t stackid, void *arg)
561 {
562 	ipsecesp_stack_t *espstack = (ipsecesp_stack_t *)arg;
563 
564 	if (espstack->esp_pfkey_q != NULL) {
565 		(void) quntimeout(espstack->esp_pfkey_q, espstack->esp_event);
566 	}
567 	espstack->esp_sadb.s_acqfn = NULL;
568 	espstack->esp_sadb.s_acquire_timeout = NULL;
569 	sadbp_destroy(&espstack->esp_sadb, espstack->ipsecesp_netstack);
570 	ip_drop_unregister(&espstack->esp_dropper);
571 	mutex_destroy(&espstack->ipsecesp_param_lock);
572 	nd_free(&espstack->ipsecesp_g_nd);
573 
574 	kmem_free(espstack->ipsecesp_params, sizeof (lcl_param_arr));
575 	espstack->ipsecesp_params = NULL;
576 	kstat_delete_netstack(espstack->esp_ksp, stackid);
577 	espstack->esp_ksp = NULL;
578 	espstack->esp_kstats = NULL;
579 	kmem_free(espstack, sizeof (*espstack));
580 }
581 
582 /*
583  * ESP module open routine.
584  */
585 /* ARGSUSED */
586 static int
587 ipsecesp_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
588 {
589 	netstack_t		*ns;
590 	ipsecesp_stack_t	*espstack;
591 
592 	if (secpolicy_ip_config(credp, B_FALSE) != 0)
593 		return (EPERM);
594 
595 	if (q->q_ptr != NULL)
596 		return (0);  /* Re-open of an already open instance. */
597 
598 	if (sflag != MODOPEN)
599 		return (EINVAL);
600 
601 	ns = netstack_find_by_cred(credp);
602 	ASSERT(ns != NULL);
603 	espstack = ns->netstack_ipsecesp;
604 	ASSERT(espstack != NULL);
605 
606 	/*
607 	 * ASSUMPTIONS (because I'm MT_OCEXCL):
608 	 *
609 	 *	* I'm being pushed on top of IP for all my opens (incl. #1).
610 	 *	* Only ipsecesp_open() can write into esp_sadb.s_ip_q.
611 	 *	* Because of this, I can check lazily for esp_sadb.s_ip_q.
612 	 *
613 	 *  If these assumptions are wrong, I'm in BIG trouble...
614 	 */
615 
616 	q->q_ptr = espstack;
617 	WR(q)->q_ptr = q->q_ptr;
618 
619 	if (espstack->esp_sadb.s_ip_q == NULL) {
620 		struct T_unbind_req *tur;
621 
622 		espstack->esp_sadb.s_ip_q = WR(q);
623 		/* Allocate an unbind... */
624 		espstack->esp_ip_unbind = allocb(sizeof (struct T_unbind_req),
625 		    BPRI_HI);
626 
627 		/*
628 		 * Send down T_BIND_REQ to bind IPPROTO_ESP.
629 		 * Handle the ACK here in ESP.
630 		 */
631 		qprocson(q);
632 		if (espstack->esp_ip_unbind == NULL ||
633 		    !sadb_t_bind_req(espstack->esp_sadb.s_ip_q, IPPROTO_ESP)) {
634 			if (espstack->esp_ip_unbind != NULL) {
635 				freeb(espstack->esp_ip_unbind);
636 				espstack->esp_ip_unbind = NULL;
637 			}
638 			q->q_ptr = NULL;
639 			netstack_rele(espstack->ipsecesp_netstack);
640 			return (ENOMEM);
641 		}
642 
643 		espstack->esp_ip_unbind->b_datap->db_type = M_PROTO;
644 		tur = (struct T_unbind_req *)espstack->esp_ip_unbind->b_rptr;
645 		tur->PRIM_type = T_UNBIND_REQ;
646 	} else {
647 		qprocson(q);
648 	}
649 
650 	/*
651 	 * For now, there's not much I can do.  I'll be getting a message
652 	 * passed down to me from keysock (in my wput), and a T_BIND_ACK
653 	 * up from IP (in my rput).
654 	 */
655 
656 	return (0);
657 }
658 
659 /*
660  * ESP module close routine.
661  */
662 static int
663 ipsecesp_close(queue_t *q)
664 {
665 	ipsecesp_stack_t	*espstack = (ipsecesp_stack_t *)q->q_ptr;
666 
667 	/*
668 	 * If esp_sadb.s_ip_q is attached to this instance, send a
669 	 * T_UNBIND_REQ to IP for the instance before doing
670 	 * a qprocsoff().
671 	 */
672 	if (WR(q) == espstack->esp_sadb.s_ip_q &&
673 	    espstack->esp_ip_unbind != NULL) {
674 		putnext(WR(q), espstack->esp_ip_unbind);
675 		espstack->esp_ip_unbind = NULL;
676 	}
677 
678 	/*
679 	 * Clean up q_ptr, if needed.
680 	 */
681 	qprocsoff(q);
682 
683 	/* Keysock queue check is safe, because of OCEXCL perimeter. */
684 
685 	if (q == espstack->esp_pfkey_q) {
686 		esp1dbg(espstack,
687 		    ("ipsecesp_close:  Ummm... keysock is closing ESP.\n"));
688 		espstack->esp_pfkey_q = NULL;
689 		/* Detach qtimeouts. */
690 		(void) quntimeout(q, espstack->esp_event);
691 	}
692 
693 	if (WR(q) == espstack->esp_sadb.s_ip_q) {
694 		/*
695 		 * If the esp_sadb.s_ip_q is attached to this instance, find
696 		 * another.  The OCEXCL outer perimeter helps us here.
697 		 */
698 		espstack->esp_sadb.s_ip_q = NULL;
699 
700 		/*
701 		 * Find a replacement queue for esp_sadb.s_ip_q.
702 		 */
703 		if (espstack->esp_pfkey_q != NULL &&
704 		    espstack->esp_pfkey_q != RD(q)) {
705 			/*
706 			 * See if we can use the pfkey_q.
707 			 */
708 			espstack->esp_sadb.s_ip_q = WR(espstack->esp_pfkey_q);
709 		}
710 
711 		if (espstack->esp_sadb.s_ip_q == NULL ||
712 		    !sadb_t_bind_req(espstack->esp_sadb.s_ip_q, IPPROTO_ESP)) {
713 			esp1dbg(espstack, ("ipsecesp: Can't reassign ip_q.\n"));
714 			espstack->esp_sadb.s_ip_q = NULL;
715 		} else {
716 			espstack->esp_ip_unbind =
717 			    allocb(sizeof (struct T_unbind_req), BPRI_HI);
718 
719 			if (espstack->esp_ip_unbind != NULL) {
720 				struct T_unbind_req *tur;
721 
722 				espstack->esp_ip_unbind->b_datap->db_type =
723 				    M_PROTO;
724 				tur = (struct T_unbind_req *)
725 				    espstack->esp_ip_unbind->b_rptr;
726 				tur->PRIM_type = T_UNBIND_REQ;
727 			}
728 			/* If it's NULL, I can't do much here. */
729 		}
730 	}
731 
732 	netstack_rele(espstack->ipsecesp_netstack);
733 	return (0);
734 }
735 
736 /*
737  * Add a number of bytes to what the SA has protected so far.  Return
738  * B_TRUE if the SA can still protect that many bytes.
739  *
740  * Caller must REFRELE the passed-in assoc.  This function must REFRELE
741  * any obtained peer SA.
742  */
743 static boolean_t
744 esp_age_bytes(ipsa_t *assoc, uint64_t bytes, boolean_t inbound)
745 {
746 	ipsa_t *inassoc, *outassoc;
747 	isaf_t *bucket;
748 	boolean_t inrc, outrc, isv6;
749 	sadb_t *sp;
750 	int outhash;
751 	netstack_t		*ns = assoc->ipsa_netstack;
752 	ipsecesp_stack_t	*espstack = ns->netstack_ipsecesp;
753 
754 	/* No peer?  No problem! */
755 	if (!assoc->ipsa_haspeer) {
756 		return (sadb_age_bytes(espstack->esp_pfkey_q, assoc, bytes,
757 		    B_TRUE));
758 	}
759 
760 	/*
761 	 * Otherwise, we want to grab both the original assoc and its peer.
762 	 * There might be a race for this, but if it's a real race, two
763 	 * expire messages may occur.  We limit this by only sending the
764 	 * expire message on one of the peers, we'll pick the inbound
765 	 * arbitrarily.
766 	 *
767 	 * If we need tight synchronization on the peer SA, then we need to
768 	 * reconsider.
769 	 */
770 
771 	/* Use address length to select IPv6/IPv4 */
772 	isv6 = (assoc->ipsa_addrfam == AF_INET6);
773 	sp = isv6 ? &espstack->esp_sadb.s_v6 : &espstack->esp_sadb.s_v4;
774 
775 	if (inbound) {
776 		inassoc = assoc;
777 		if (isv6) {
778 			outhash = OUTBOUND_HASH_V6(sp, *((in6_addr_t *)
779 			    &inassoc->ipsa_dstaddr));
780 		} else {
781 			outhash = OUTBOUND_HASH_V4(sp, *((ipaddr_t *)
782 			    &inassoc->ipsa_dstaddr));
783 		}
784 		bucket = &sp->sdb_of[outhash];
785 		mutex_enter(&bucket->isaf_lock);
786 		outassoc = ipsec_getassocbyspi(bucket, inassoc->ipsa_spi,
787 		    inassoc->ipsa_srcaddr, inassoc->ipsa_dstaddr,
788 		    inassoc->ipsa_addrfam);
789 		mutex_exit(&bucket->isaf_lock);
790 		if (outassoc == NULL) {
791 			/* Q: Do we wish to set haspeer == B_FALSE? */
792 			esp0dbg(("esp_age_bytes: "
793 			    "can't find peer for inbound.\n"));
794 			return (sadb_age_bytes(espstack->esp_pfkey_q, inassoc,
795 			    bytes, B_TRUE));
796 		}
797 	} else {
798 		outassoc = assoc;
799 		bucket = INBOUND_BUCKET(sp, outassoc->ipsa_spi);
800 		mutex_enter(&bucket->isaf_lock);
801 		inassoc = ipsec_getassocbyspi(bucket, outassoc->ipsa_spi,
802 		    outassoc->ipsa_srcaddr, outassoc->ipsa_dstaddr,
803 		    outassoc->ipsa_addrfam);
804 		mutex_exit(&bucket->isaf_lock);
805 		if (inassoc == NULL) {
806 			/* Q: Do we wish to set haspeer == B_FALSE? */
807 			esp0dbg(("esp_age_bytes: "
808 			    "can't find peer for outbound.\n"));
809 			return (sadb_age_bytes(espstack->esp_pfkey_q, outassoc,
810 			    bytes, B_TRUE));
811 		}
812 	}
813 
814 	inrc = sadb_age_bytes(espstack->esp_pfkey_q, inassoc, bytes, B_TRUE);
815 	outrc = sadb_age_bytes(espstack->esp_pfkey_q, outassoc, bytes, B_FALSE);
816 
817 	/*
818 	 * REFRELE any peer SA.
819 	 *
820 	 * Because of the multi-line macro nature of IPSA_REFRELE, keep
821 	 * them in { }.
822 	 */
823 	if (inbound) {
824 		IPSA_REFRELE(outassoc);
825 	} else {
826 		IPSA_REFRELE(inassoc);
827 	}
828 
829 	return (inrc && outrc);
830 }
831 
832 /*
833  * Do incoming NAT-T manipulations for packet.
834  */
835 static ipsec_status_t
836 esp_fix_natt_checksums(mblk_t *data_mp, ipsa_t *assoc)
837 {
838 	ipha_t *ipha = (ipha_t *)data_mp->b_rptr;
839 	tcpha_t *tcph;
840 	udpha_t *udpha;
841 	/* Initialize to our inbound cksum adjustment... */
842 	uint32_t sum = assoc->ipsa_inbound_cksum;
843 
844 	switch (ipha->ipha_protocol) {
845 	case IPPROTO_TCP:
846 		tcph = (tcpha_t *)(data_mp->b_rptr +
847 		    IPH_HDR_LENGTH(ipha));
848 
849 #define	DOWN_SUM(x) (x) = ((x) & 0xFFFF) +	 ((x) >> 16)
850 		sum += ~ntohs(tcph->tha_sum) & 0xFFFF;
851 		DOWN_SUM(sum);
852 		DOWN_SUM(sum);
853 		tcph->tha_sum = ~htons(sum);
854 		break;
855 	case IPPROTO_UDP:
856 		udpha = (udpha_t *)(data_mp->b_rptr + IPH_HDR_LENGTH(ipha));
857 
858 		if (udpha->uha_checksum != 0) {
859 			/* Adujst if the inbound one was not zero. */
860 			sum += ~ntohs(udpha->uha_checksum) & 0xFFFF;
861 			DOWN_SUM(sum);
862 			DOWN_SUM(sum);
863 			udpha->uha_checksum = ~htons(sum);
864 			if (udpha->uha_checksum == 0)
865 				udpha->uha_checksum = 0xFFFF;
866 		}
867 #undef DOWN_SUM
868 		break;
869 	case IPPROTO_IP:
870 		/*
871 		 * This case is only an issue for self-encapsulated
872 		 * packets.  So for now, fall through.
873 		 */
874 		break;
875 	}
876 	return (IPSEC_STATUS_SUCCESS);
877 }
878 
879 
880 /*
881  * Strip ESP header, check padding, and fix IP header.
882  * Returns B_TRUE on success, B_FALSE if an error occured.
883  */
884 static boolean_t
885 esp_strip_header(mblk_t *data_mp, boolean_t isv4, uint32_t ivlen,
886     kstat_named_t **counter, ipsecesp_stack_t *espstack)
887 {
888 	ipha_t *ipha;
889 	ip6_t *ip6h;
890 	uint_t divpoint;
891 	mblk_t *scratch;
892 	uint8_t nexthdr, padlen;
893 	uint8_t lastpad;
894 	ipsec_stack_t	*ipss = espstack->ipsecesp_netstack->netstack_ipsec;
895 	uint8_t *lastbyte;
896 
897 	/*
898 	 * Strip ESP data and fix IP header.
899 	 *
900 	 * XXX In case the beginning of esp_inbound() changes to not do a
901 	 * pullup, this part of the code can remain unchanged.
902 	 */
903 	if (isv4) {
904 		ASSERT((data_mp->b_wptr - data_mp->b_rptr) >= sizeof (ipha_t));
905 		ipha = (ipha_t *)data_mp->b_rptr;
906 		ASSERT((data_mp->b_wptr - data_mp->b_rptr) >= sizeof (esph_t) +
907 		    IPH_HDR_LENGTH(ipha));
908 		divpoint = IPH_HDR_LENGTH(ipha);
909 	} else {
910 		ASSERT((data_mp->b_wptr - data_mp->b_rptr) >= sizeof (ip6_t));
911 		ip6h = (ip6_t *)data_mp->b_rptr;
912 		divpoint = ip_hdr_length_v6(data_mp, ip6h);
913 	}
914 
915 	scratch = data_mp;
916 	while (scratch->b_cont != NULL)
917 		scratch = scratch->b_cont;
918 
919 	ASSERT((scratch->b_wptr - scratch->b_rptr) >= 3);
920 
921 	/*
922 	 * "Next header" and padding length are the last two bytes in the
923 	 * ESP-protected datagram, thus the explicit - 1 and - 2.
924 	 * lastpad is the last byte of the padding, which can be used for
925 	 * a quick check to see if the padding is correct.
926 	 */
927 	lastbyte = scratch->b_wptr - 1;
928 	nexthdr = *lastbyte--;
929 	padlen = *lastbyte--;
930 
931 	if (isv4) {
932 		/* Fix part of the IP header. */
933 		ipha->ipha_protocol = nexthdr;
934 		/*
935 		 * Reality check the padlen.  The explicit - 2 is for the
936 		 * padding length and the next-header bytes.
937 		 */
938 		if (padlen >= ntohs(ipha->ipha_length) - sizeof (ipha_t) - 2 -
939 		    sizeof (esph_t) - ivlen) {
940 			ESP_BUMP_STAT(espstack, bad_decrypt);
941 			ipsec_rl_strlog(espstack->ipsecesp_netstack,
942 			    info.mi_idnum, 0, 0,
943 			    SL_ERROR | SL_WARN,
944 			    "Corrupt ESP packet (padlen too big).\n");
945 			esp1dbg(espstack, ("padlen (%d) is greater than:\n",
946 			    padlen));
947 			esp1dbg(espstack, ("pkt len(%d) - ip hdr - esp "
948 			    "hdr - ivlen(%d) = %d.\n",
949 			    ntohs(ipha->ipha_length), ivlen,
950 			    (int)(ntohs(ipha->ipha_length) - sizeof (ipha_t) -
951 			    2 - sizeof (esph_t) - ivlen)));
952 			*counter = DROPPER(ipss, ipds_esp_bad_padlen);
953 			return (B_FALSE);
954 		}
955 
956 		/*
957 		 * Fix the rest of the header.  The explicit - 2 is for the
958 		 * padding length and the next-header bytes.
959 		 */
960 		ipha->ipha_length = htons(ntohs(ipha->ipha_length) - padlen -
961 		    2 - sizeof (esph_t) - ivlen);
962 		ipha->ipha_hdr_checksum = 0;
963 		ipha->ipha_hdr_checksum = (uint16_t)ip_csum_hdr(ipha);
964 	} else {
965 		if (ip6h->ip6_nxt == IPPROTO_ESP) {
966 			ip6h->ip6_nxt = nexthdr;
967 		} else {
968 			ip6_pkt_t ipp;
969 
970 			bzero(&ipp, sizeof (ipp));
971 			(void) ip_find_hdr_v6(data_mp, ip6h, &ipp, NULL);
972 			if (ipp.ipp_dstopts != NULL) {
973 				ipp.ipp_dstopts->ip6d_nxt = nexthdr;
974 			} else if (ipp.ipp_rthdr != NULL) {
975 				ipp.ipp_rthdr->ip6r_nxt = nexthdr;
976 			} else if (ipp.ipp_hopopts != NULL) {
977 				ipp.ipp_hopopts->ip6h_nxt = nexthdr;
978 			} else {
979 				/* Panic a DEBUG kernel. */
980 				ASSERT(ipp.ipp_hopopts != NULL);
981 				/* Otherwise, pretend it's IP + ESP. */
982 				cmn_err(CE_WARN, "ESP IPv6 headers wrong.\n");
983 				ip6h->ip6_nxt = nexthdr;
984 			}
985 		}
986 
987 		if (padlen >= ntohs(ip6h->ip6_plen) - 2 - sizeof (esph_t) -
988 		    ivlen) {
989 			ESP_BUMP_STAT(espstack, bad_decrypt);
990 			ipsec_rl_strlog(espstack->ipsecesp_netstack,
991 			    info.mi_idnum, 0, 0,
992 			    SL_ERROR | SL_WARN,
993 			    "Corrupt ESP packet (v6 padlen too big).\n");
994 			esp1dbg(espstack, ("padlen (%d) is greater than:\n",
995 			    padlen));
996 			esp1dbg(espstack,
997 			    ("pkt len(%u) - ip hdr - esp hdr - ivlen(%d) = "
998 			    "%u.\n", (unsigned)(ntohs(ip6h->ip6_plen)
999 			    + sizeof (ip6_t)), ivlen,
1000 			    (unsigned)(ntohs(ip6h->ip6_plen) - 2 -
1001 			    sizeof (esph_t) - ivlen)));
1002 			*counter = DROPPER(ipss, ipds_esp_bad_padlen);
1003 			return (B_FALSE);
1004 		}
1005 
1006 
1007 		/*
1008 		 * Fix the rest of the header.  The explicit - 2 is for the
1009 		 * padding length and the next-header bytes.  IPv6 is nice,
1010 		 * because there's no hdr checksum!
1011 		 */
1012 		ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) - padlen -
1013 		    2 - sizeof (esph_t) - ivlen);
1014 	}
1015 
1016 	if (espstack->ipsecesp_padding_check > 0 && padlen > 0) {
1017 		/*
1018 		 * Weak padding check: compare last-byte to length, they
1019 		 * should be equal.
1020 		 */
1021 		lastpad = *lastbyte--;
1022 
1023 		if (padlen != lastpad) {
1024 			ipsec_rl_strlog(espstack->ipsecesp_netstack,
1025 			    info.mi_idnum, 0, 0, SL_ERROR | SL_WARN,
1026 			    "Corrupt ESP packet (lastpad != padlen).\n");
1027 			esp1dbg(espstack,
1028 			    ("lastpad (%d) not equal to padlen (%d):\n",
1029 			    lastpad, padlen));
1030 			ESP_BUMP_STAT(espstack, bad_padding);
1031 			*counter = DROPPER(ipss, ipds_esp_bad_padding);
1032 			return (B_FALSE);
1033 		}
1034 
1035 		/*
1036 		 * Strong padding check: Check all pad bytes to see that
1037 		 * they're ascending.  Go backwards using a descending counter
1038 		 * to verify.  padlen == 1 is checked by previous block, so
1039 		 * only bother if we've more than 1 byte of padding.
1040 		 * Consequently, start the check one byte before the location
1041 		 * of "lastpad".
1042 		 */
1043 		if (espstack->ipsecesp_padding_check > 1) {
1044 			/*
1045 			 * This assert may have to become an if and a pullup
1046 			 * if we start accepting multi-dblk mblks. For now,
1047 			 * though, any packet here will have been pulled up in
1048 			 * esp_inbound.
1049 			 */
1050 			ASSERT(MBLKL(scratch) >= lastpad + 3);
1051 
1052 			/*
1053 			 * Use "--lastpad" because we already checked the very
1054 			 * last pad byte previously.
1055 			 */
1056 			while (--lastpad != 0) {
1057 				if (lastpad != *lastbyte) {
1058 					ipsec_rl_strlog(
1059 					    espstack->ipsecesp_netstack,
1060 					    info.mi_idnum, 0, 0,
1061 					    SL_ERROR | SL_WARN, "Corrupt ESP "
1062 					    "packet (bad padding).\n");
1063 					esp1dbg(espstack,
1064 					    ("padding not in correct"
1065 					    " format:\n"));
1066 					ESP_BUMP_STAT(espstack, bad_padding);
1067 					*counter = DROPPER(ipss,
1068 					    ipds_esp_bad_padding);
1069 					return (B_FALSE);
1070 				}
1071 				lastbyte--;
1072 			}
1073 		}
1074 	}
1075 
1076 	/* Trim off the padding. */
1077 	ASSERT(data_mp->b_cont == NULL);
1078 	data_mp->b_wptr -= (padlen + 2);
1079 
1080 	/*
1081 	 * Remove the ESP header.
1082 	 *
1083 	 * The above assertions about data_mp's size will make this work.
1084 	 *
1085 	 * XXX  Question:  If I send up and get back a contiguous mblk,
1086 	 * would it be quicker to bcopy over, or keep doing the dupb stuff?
1087 	 * I go with copying for now.
1088 	 */
1089 
1090 	if (IS_P2ALIGNED(data_mp->b_rptr, sizeof (uint32_t)) &&
1091 	    IS_P2ALIGNED(ivlen, sizeof (uint32_t))) {
1092 		uint8_t *start = data_mp->b_rptr;
1093 		uint32_t *src, *dst;
1094 
1095 		src = (uint32_t *)(start + divpoint);
1096 		dst = (uint32_t *)(start + divpoint + sizeof (esph_t) + ivlen);
1097 
1098 		ASSERT(IS_P2ALIGNED(dst, sizeof (uint32_t)) &&
1099 		    IS_P2ALIGNED(src, sizeof (uint32_t)));
1100 
1101 		do {
1102 			src--;
1103 			dst--;
1104 			*dst = *src;
1105 		} while (src != (uint32_t *)start);
1106 
1107 		data_mp->b_rptr = (uchar_t *)dst;
1108 	} else {
1109 		uint8_t *start = data_mp->b_rptr;
1110 		uint8_t *src, *dst;
1111 
1112 		src = start + divpoint;
1113 		dst = src + sizeof (esph_t) + ivlen;
1114 
1115 		do {
1116 			src--;
1117 			dst--;
1118 			*dst = *src;
1119 		} while (src != start);
1120 
1121 		data_mp->b_rptr = dst;
1122 	}
1123 
1124 	esp2dbg(espstack, ("data_mp after inbound ESP adjustment:\n"));
1125 	esp2dbg(espstack, (dump_msg(data_mp)));
1126 
1127 	return (B_TRUE);
1128 }
1129 
1130 /*
1131  * Updating use times can be tricky business if the ipsa_haspeer flag is
1132  * set.  This function is called once in an SA's lifetime.
1133  *
1134  * Caller has to REFRELE "assoc" which is passed in.  This function has
1135  * to REFRELE any peer SA that is obtained.
1136  */
1137 static void
1138 esp_set_usetime(ipsa_t *assoc, boolean_t inbound)
1139 {
1140 	ipsa_t *inassoc, *outassoc;
1141 	isaf_t *bucket;
1142 	sadb_t *sp;
1143 	int outhash;
1144 	boolean_t isv6;
1145 	netstack_t		*ns = assoc->ipsa_netstack;
1146 	ipsecesp_stack_t	*espstack = ns->netstack_ipsecesp;
1147 
1148 	/* No peer?  No problem! */
1149 	if (!assoc->ipsa_haspeer) {
1150 		sadb_set_usetime(assoc);
1151 		return;
1152 	}
1153 
1154 	/*
1155 	 * Otherwise, we want to grab both the original assoc and its peer.
1156 	 * There might be a race for this, but if it's a real race, the times
1157 	 * will be out-of-synch by at most a second, and since our time
1158 	 * granularity is a second, this won't be a problem.
1159 	 *
1160 	 * If we need tight synchronization on the peer SA, then we need to
1161 	 * reconsider.
1162 	 */
1163 
1164 	/* Use address length to select IPv6/IPv4 */
1165 	isv6 = (assoc->ipsa_addrfam == AF_INET6);
1166 	sp = isv6 ? &espstack->esp_sadb.s_v6 : &espstack->esp_sadb.s_v4;
1167 
1168 	if (inbound) {
1169 		inassoc = assoc;
1170 		if (isv6) {
1171 			outhash = OUTBOUND_HASH_V6(sp, *((in6_addr_t *)
1172 			    &inassoc->ipsa_dstaddr));
1173 		} else {
1174 			outhash = OUTBOUND_HASH_V4(sp, *((ipaddr_t *)
1175 			    &inassoc->ipsa_dstaddr));
1176 		}
1177 		bucket = &sp->sdb_of[outhash];
1178 		mutex_enter(&bucket->isaf_lock);
1179 		outassoc = ipsec_getassocbyspi(bucket, inassoc->ipsa_spi,
1180 		    inassoc->ipsa_srcaddr, inassoc->ipsa_dstaddr,
1181 		    inassoc->ipsa_addrfam);
1182 		mutex_exit(&bucket->isaf_lock);
1183 		if (outassoc == NULL) {
1184 			/* Q: Do we wish to set haspeer == B_FALSE? */
1185 			esp0dbg(("esp_set_usetime: "
1186 			    "can't find peer for inbound.\n"));
1187 			sadb_set_usetime(inassoc);
1188 			return;
1189 		}
1190 	} else {
1191 		outassoc = assoc;
1192 		bucket = INBOUND_BUCKET(sp, outassoc->ipsa_spi);
1193 		mutex_enter(&bucket->isaf_lock);
1194 		inassoc = ipsec_getassocbyspi(bucket, outassoc->ipsa_spi,
1195 		    outassoc->ipsa_srcaddr, outassoc->ipsa_dstaddr,
1196 		    outassoc->ipsa_addrfam);
1197 		mutex_exit(&bucket->isaf_lock);
1198 		if (inassoc == NULL) {
1199 			/* Q: Do we wish to set haspeer == B_FALSE? */
1200 			esp0dbg(("esp_set_usetime: "
1201 			    "can't find peer for outbound.\n"));
1202 			sadb_set_usetime(outassoc);
1203 			return;
1204 		}
1205 	}
1206 
1207 	/* Update usetime on both. */
1208 	sadb_set_usetime(inassoc);
1209 	sadb_set_usetime(outassoc);
1210 
1211 	/*
1212 	 * REFRELE any peer SA.
1213 	 *
1214 	 * Because of the multi-line macro nature of IPSA_REFRELE, keep
1215 	 * them in { }.
1216 	 */
1217 	if (inbound) {
1218 		IPSA_REFRELE(outassoc);
1219 	} else {
1220 		IPSA_REFRELE(inassoc);
1221 	}
1222 }
1223 
1224 /*
1225  * Handle ESP inbound data for IPv4 and IPv6.
1226  * On success returns B_TRUE, on failure returns B_FALSE and frees the
1227  * mblk chain ipsec_in_mp.
1228  */
1229 ipsec_status_t
1230 esp_inbound(mblk_t *ipsec_in_mp, void *arg)
1231 {
1232 	mblk_t *data_mp = ipsec_in_mp->b_cont;
1233 	ipsec_in_t *ii = (ipsec_in_t *)ipsec_in_mp->b_rptr;
1234 	esph_t *esph = (esph_t *)arg;
1235 	ipsa_t *ipsa = ii->ipsec_in_esp_sa;
1236 	netstack_t	*ns = ii->ipsec_in_ns;
1237 	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
1238 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
1239 
1240 	/*
1241 	 * We may wish to check replay in-range-only here as an optimization.
1242 	 * Include the reality check of ipsa->ipsa_replay >
1243 	 * ipsa->ipsa_replay_wsize for times when it's the first N packets,
1244 	 * where N == ipsa->ipsa_replay_wsize.
1245 	 *
1246 	 * Another check that may come here later is the "collision" check.
1247 	 * If legitimate packets flow quickly enough, this won't be a problem,
1248 	 * but collisions may cause authentication algorithm crunching to
1249 	 * take place when it doesn't need to.
1250 	 */
1251 	if (!sadb_replay_peek(ipsa, esph->esph_replay)) {
1252 		ESP_BUMP_STAT(espstack, replay_early_failures);
1253 		IP_ESP_BUMP_STAT(ipss, in_discards);
1254 		/*
1255 		 * TODO: Extract inbound interface from the IPSEC_IN
1256 		 * message's ii->ipsec_in_rill_index.
1257 		 */
1258 		ip_drop_packet(ipsec_in_mp, B_TRUE, NULL, NULL,
1259 		    DROPPER(ipss, ipds_esp_early_replay),
1260 		    &espstack->esp_dropper);
1261 		return (IPSEC_STATUS_FAILED);
1262 	}
1263 
1264 	/*
1265 	 * Has this packet already been processed by a hardware
1266 	 * IPsec accelerator?
1267 	 */
1268 	if (ii->ipsec_in_accelerated) {
1269 		ipsec_status_t rv;
1270 		esp3dbg(espstack,
1271 		    ("esp_inbound: pkt processed by ill=%d isv6=%d\n",
1272 		    ii->ipsec_in_ill_index, !ii->ipsec_in_v4));
1273 		rv = esp_inbound_accelerated(ipsec_in_mp,
1274 		    data_mp, ii->ipsec_in_v4, ipsa);
1275 		return (rv);
1276 	}
1277 	ESP_BUMP_STAT(espstack, noaccel);
1278 
1279 	/*
1280 	 * Adjust the IP header's payload length to reflect the removal
1281 	 * of the ICV.
1282 	 */
1283 	if (!ii->ipsec_in_v4) {
1284 		ip6_t *ip6h = (ip6_t *)data_mp->b_rptr;
1285 		ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) -
1286 		    ipsa->ipsa_mac_len);
1287 	} else {
1288 		ipha_t *ipha = (ipha_t *)data_mp->b_rptr;
1289 		ipha->ipha_length = htons(ntohs(ipha->ipha_length) -
1290 		    ipsa->ipsa_mac_len);
1291 	}
1292 
1293 	/* submit the request to the crypto framework */
1294 	return (esp_submit_req_inbound(ipsec_in_mp, ipsa,
1295 	    (uint8_t *)esph - data_mp->b_rptr));
1296 }
1297 
1298 /*
1299  * Perform the really difficult work of inserting the proposed situation.
1300  * Called while holding the algorithm lock.
1301  */
1302 static void
1303 esp_insert_prop(sadb_prop_t *prop, ipsacq_t *acqrec, uint_t combs)
1304 {
1305 	sadb_comb_t *comb = (sadb_comb_t *)(prop + 1);
1306 	ipsec_out_t *io;
1307 	ipsec_action_t *ap;
1308 	ipsec_prot_t *prot;
1309 	netstack_t *ns;
1310 	ipsecesp_stack_t *espstack;
1311 	ipsec_stack_t *ipss;
1312 
1313 	io = (ipsec_out_t *)acqrec->ipsacq_mp->b_rptr;
1314 	ASSERT(io->ipsec_out_type == IPSEC_OUT);
1315 	ns = io->ipsec_out_ns;
1316 	espstack = ns->netstack_ipsecesp;
1317 	ipss = ns->netstack_ipsec;
1318 	ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
1319 
1320 	prop->sadb_prop_exttype = SADB_EXT_PROPOSAL;
1321 	prop->sadb_prop_len = SADB_8TO64(sizeof (sadb_prop_t));
1322 	*(uint32_t *)(&prop->sadb_prop_replay) = 0;	/* Quick zero-out! */
1323 
1324 	prop->sadb_prop_replay = espstack->ipsecesp_replay_size;
1325 
1326 	/*
1327 	 * Based upon algorithm properties, and what-not, prioritize
1328 	 * a proposal.  If the IPSEC_OUT message has an algorithm specified,
1329 	 * use it first and foremost.
1330 	 *
1331 	 * For each action in policy list
1332 	 *   Add combination.  If I've hit limit, return.
1333 	 */
1334 
1335 	for (ap = acqrec->ipsacq_act; ap != NULL;
1336 	    ap = ap->ipa_next) {
1337 		ipsec_alginfo_t *ealg = NULL;
1338 		ipsec_alginfo_t *aalg = NULL;
1339 
1340 		if (ap->ipa_act.ipa_type != IPSEC_POLICY_APPLY)
1341 			continue;
1342 
1343 		prot = &ap->ipa_act.ipa_apply;
1344 
1345 		if (!(prot->ipp_use_esp))
1346 			continue;
1347 
1348 		if (prot->ipp_esp_auth_alg != 0) {
1349 			aalg = ipss->ipsec_alglists[IPSEC_ALG_AUTH]
1350 			    [prot->ipp_esp_auth_alg];
1351 			if (aalg == NULL || !ALG_VALID(aalg))
1352 				continue;
1353 		}
1354 
1355 		ASSERT(prot->ipp_encr_alg > 0);
1356 		ealg = ipss->ipsec_alglists[IPSEC_ALG_ENCR]
1357 		    [prot->ipp_encr_alg];
1358 		if (ealg == NULL || !ALG_VALID(ealg))
1359 			continue;
1360 
1361 		comb->sadb_comb_flags = 0;
1362 		comb->sadb_comb_reserved = 0;
1363 		comb->sadb_comb_encrypt = ealg->alg_id;
1364 		comb->sadb_comb_encrypt_minbits =
1365 		    MAX(prot->ipp_espe_minbits, ealg->alg_ef_minbits);
1366 		comb->sadb_comb_encrypt_maxbits =
1367 		    MIN(prot->ipp_espe_maxbits, ealg->alg_ef_maxbits);
1368 
1369 		if (aalg == NULL) {
1370 			comb->sadb_comb_auth = 0;
1371 			comb->sadb_comb_auth_minbits = 0;
1372 			comb->sadb_comb_auth_maxbits = 0;
1373 		} else {
1374 			comb->sadb_comb_auth = aalg->alg_id;
1375 			comb->sadb_comb_auth_minbits =
1376 			    MAX(prot->ipp_espa_minbits, aalg->alg_ef_minbits);
1377 			comb->sadb_comb_auth_maxbits =
1378 			    MIN(prot->ipp_espa_maxbits, aalg->alg_ef_maxbits);
1379 		}
1380 
1381 		/*
1382 		 * The following may be based on algorithm
1383 		 * properties, but in the meantime, we just pick
1384 		 * some good, sensible numbers.  Key mgmt. can
1385 		 * (and perhaps should) be the place to finalize
1386 		 * such decisions.
1387 		 */
1388 
1389 		/*
1390 		 * No limits on allocations, since we really don't
1391 		 * support that concept currently.
1392 		 */
1393 		comb->sadb_comb_soft_allocations = 0;
1394 		comb->sadb_comb_hard_allocations = 0;
1395 
1396 		/*
1397 		 * These may want to come from policy rule..
1398 		 */
1399 		comb->sadb_comb_soft_bytes =
1400 		    espstack->ipsecesp_default_soft_bytes;
1401 		comb->sadb_comb_hard_bytes =
1402 		    espstack->ipsecesp_default_hard_bytes;
1403 		comb->sadb_comb_soft_addtime =
1404 		    espstack->ipsecesp_default_soft_addtime;
1405 		comb->sadb_comb_hard_addtime =
1406 		    espstack->ipsecesp_default_hard_addtime;
1407 		comb->sadb_comb_soft_usetime =
1408 		    espstack->ipsecesp_default_soft_usetime;
1409 		comb->sadb_comb_hard_usetime =
1410 		    espstack->ipsecesp_default_hard_usetime;
1411 
1412 		prop->sadb_prop_len += SADB_8TO64(sizeof (*comb));
1413 		if (--combs == 0)
1414 			break;	/* out of space.. */
1415 		comb++;
1416 	}
1417 }
1418 
1419 /*
1420  * Prepare and actually send the SADB_ACQUIRE message to PF_KEY.
1421  */
1422 static void
1423 esp_send_acquire(ipsacq_t *acqrec, mblk_t *extended, netstack_t *ns)
1424 {
1425 	uint_t combs;
1426 	sadb_msg_t *samsg;
1427 	sadb_prop_t *prop;
1428 	mblk_t *pfkeymp, *msgmp;
1429 	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
1430 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
1431 
1432 	ESP_BUMP_STAT(espstack, acquire_requests);
1433 
1434 	if (espstack->esp_pfkey_q == NULL) {
1435 		mutex_exit(&acqrec->ipsacq_lock);
1436 		return;
1437 	}
1438 
1439 	/* Set up ACQUIRE. */
1440 	pfkeymp = sadb_setup_acquire(acqrec, SADB_SATYPE_ESP,
1441 	    ns->netstack_ipsec);
1442 	if (pfkeymp == NULL) {
1443 		esp0dbg(("sadb_setup_acquire failed.\n"));
1444 		mutex_exit(&acqrec->ipsacq_lock);
1445 		return;
1446 	}
1447 	ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
1448 	combs = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] *
1449 	    ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
1450 	msgmp = pfkeymp->b_cont;
1451 	samsg = (sadb_msg_t *)(msgmp->b_rptr);
1452 
1453 	/* Insert proposal here. */
1454 
1455 	prop = (sadb_prop_t *)(((uint64_t *)samsg) + samsg->sadb_msg_len);
1456 	esp_insert_prop(prop, acqrec, combs);
1457 	samsg->sadb_msg_len += prop->sadb_prop_len;
1458 	msgmp->b_wptr += SADB_64TO8(samsg->sadb_msg_len);
1459 
1460 	mutex_exit(&ipss->ipsec_alg_lock);
1461 
1462 	/*
1463 	 * Must mutex_exit() before sending PF_KEY message up, in
1464 	 * order to avoid recursive mutex_enter() if there are no registered
1465 	 * listeners.
1466 	 *
1467 	 * Once I've sent the message, I'm cool anyway.
1468 	 */
1469 	mutex_exit(&acqrec->ipsacq_lock);
1470 	if (extended != NULL) {
1471 		putnext(espstack->esp_pfkey_q, extended);
1472 	}
1473 	putnext(espstack->esp_pfkey_q, pfkeymp);
1474 }
1475 
1476 /*
1477  * Handle the SADB_GETSPI message.  Create a larval SA.
1478  */
1479 static void
1480 esp_getspi(mblk_t *mp, keysock_in_t *ksi, ipsecesp_stack_t *espstack)
1481 {
1482 	ipsa_t *newbie, *target;
1483 	isaf_t *outbound, *inbound;
1484 	int rc, diagnostic;
1485 	sadb_sa_t *assoc;
1486 	keysock_out_t *kso;
1487 	uint32_t newspi;
1488 
1489 	/*
1490 	 * Randomly generate a proposed SPI value
1491 	 */
1492 	if (cl_inet_getspi != NULL) {
1493 		cl_inet_getspi(espstack->ipsecesp_netstack->netstack_stackid,
1494 		    IPPROTO_ESP, (uint8_t *)&newspi, sizeof (uint32_t), NULL);
1495 	} else {
1496 		(void) random_get_pseudo_bytes((uint8_t *)&newspi,
1497 		    sizeof (uint32_t));
1498 	}
1499 	newbie = sadb_getspi(ksi, newspi, &diagnostic,
1500 	    espstack->ipsecesp_netstack, IPPROTO_ESP);
1501 
1502 	if (newbie == NULL) {
1503 		sadb_pfkey_error(espstack->esp_pfkey_q, mp, ENOMEM, diagnostic,
1504 		    ksi->ks_in_serial);
1505 		return;
1506 	} else if (newbie == (ipsa_t *)-1) {
1507 		sadb_pfkey_error(espstack->esp_pfkey_q, mp, EINVAL, diagnostic,
1508 		    ksi->ks_in_serial);
1509 		return;
1510 	}
1511 
1512 	/*
1513 	 * XXX - We may randomly collide.  We really should recover from this.
1514 	 *	 Unfortunately, that could require spending way-too-much-time
1515 	 *	 in here.  For now, let the user retry.
1516 	 */
1517 
1518 	if (newbie->ipsa_addrfam == AF_INET6) {
1519 		outbound = OUTBOUND_BUCKET_V6(&espstack->esp_sadb.s_v6,
1520 		    *(uint32_t *)(newbie->ipsa_dstaddr));
1521 		inbound = INBOUND_BUCKET(&espstack->esp_sadb.s_v6,
1522 		    newbie->ipsa_spi);
1523 	} else {
1524 		ASSERT(newbie->ipsa_addrfam == AF_INET);
1525 		outbound = OUTBOUND_BUCKET_V4(&espstack->esp_sadb.s_v4,
1526 		    *(uint32_t *)(newbie->ipsa_dstaddr));
1527 		inbound = INBOUND_BUCKET(&espstack->esp_sadb.s_v4,
1528 		    newbie->ipsa_spi);
1529 	}
1530 
1531 	mutex_enter(&outbound->isaf_lock);
1532 	mutex_enter(&inbound->isaf_lock);
1533 
1534 	/*
1535 	 * Check for collisions (i.e. did sadb_getspi() return with something
1536 	 * that already exists?).
1537 	 *
1538 	 * Try outbound first.  Even though SADB_GETSPI is traditionally
1539 	 * for inbound SAs, you never know what a user might do.
1540 	 */
1541 	target = ipsec_getassocbyspi(outbound, newbie->ipsa_spi,
1542 	    newbie->ipsa_srcaddr, newbie->ipsa_dstaddr, newbie->ipsa_addrfam);
1543 	if (target == NULL) {
1544 		target = ipsec_getassocbyspi(inbound, newbie->ipsa_spi,
1545 		    newbie->ipsa_srcaddr, newbie->ipsa_dstaddr,
1546 		    newbie->ipsa_addrfam);
1547 	}
1548 
1549 	/*
1550 	 * I don't have collisions elsewhere!
1551 	 * (Nor will I because I'm still holding inbound/outbound locks.)
1552 	 */
1553 
1554 	if (target != NULL) {
1555 		rc = EEXIST;
1556 		IPSA_REFRELE(target);
1557 	} else {
1558 		/*
1559 		 * sadb_insertassoc() also checks for collisions, so
1560 		 * if there's a colliding entry, rc will be set
1561 		 * to EEXIST.
1562 		 */
1563 		rc = sadb_insertassoc(newbie, inbound);
1564 		newbie->ipsa_hardexpiretime = gethrestime_sec();
1565 		newbie->ipsa_hardexpiretime +=
1566 		    espstack->ipsecesp_larval_timeout;
1567 	}
1568 
1569 	/*
1570 	 * Can exit outbound mutex.  Hold inbound until we're done
1571 	 * with newbie.
1572 	 */
1573 	mutex_exit(&outbound->isaf_lock);
1574 
1575 	if (rc != 0) {
1576 		mutex_exit(&inbound->isaf_lock);
1577 		IPSA_REFRELE(newbie);
1578 		sadb_pfkey_error(espstack->esp_pfkey_q, mp, rc,
1579 		    SADB_X_DIAGNOSTIC_NONE, ksi->ks_in_serial);
1580 		return;
1581 	}
1582 
1583 
1584 	/* Can write here because I'm still holding the bucket lock. */
1585 	newbie->ipsa_type = SADB_SATYPE_ESP;
1586 
1587 	/*
1588 	 * Construct successful return message. We have one thing going
1589 	 * for us in PF_KEY v2.  That's the fact that
1590 	 *	sizeof (sadb_spirange_t) == sizeof (sadb_sa_t)
1591 	 */
1592 	assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SPIRANGE];
1593 	assoc->sadb_sa_exttype = SADB_EXT_SA;
1594 	assoc->sadb_sa_spi = newbie->ipsa_spi;
1595 	*((uint64_t *)(&assoc->sadb_sa_replay)) = 0;
1596 	mutex_exit(&inbound->isaf_lock);
1597 
1598 	/* Convert KEYSOCK_IN to KEYSOCK_OUT. */
1599 	kso = (keysock_out_t *)ksi;
1600 	kso->ks_out_len = sizeof (*kso);
1601 	kso->ks_out_serial = ksi->ks_in_serial;
1602 	kso->ks_out_type = KEYSOCK_OUT;
1603 
1604 	/*
1605 	 * Can safely putnext() to esp_pfkey_q, because this is a turnaround
1606 	 * from the esp_pfkey_q.
1607 	 */
1608 	putnext(espstack->esp_pfkey_q, mp);
1609 }
1610 
1611 /*
1612  * Insert the ESP header into a packet.  Duplicate an mblk, and insert a newly
1613  * allocated mblk with the ESP header in between the two.
1614  */
1615 static boolean_t
1616 esp_insert_esp(mblk_t *mp, mblk_t *esp_mp, uint_t divpoint,
1617     ipsecesp_stack_t *espstack)
1618 {
1619 	mblk_t *split_mp = mp;
1620 	uint_t wheretodiv = divpoint;
1621 
1622 	while ((split_mp->b_wptr - split_mp->b_rptr) < wheretodiv) {
1623 		wheretodiv -= (split_mp->b_wptr - split_mp->b_rptr);
1624 		split_mp = split_mp->b_cont;
1625 		ASSERT(split_mp != NULL);
1626 	}
1627 
1628 	if (split_mp->b_wptr - split_mp->b_rptr != wheretodiv) {
1629 		mblk_t *scratch;
1630 
1631 		/* "scratch" is the 2nd half, split_mp is the first. */
1632 		scratch = dupb(split_mp);
1633 		if (scratch == NULL) {
1634 			esp1dbg(espstack,
1635 			    ("esp_insert_esp: can't allocate scratch.\n"));
1636 			return (B_FALSE);
1637 		}
1638 		/* NOTE:  dupb() doesn't set b_cont appropriately. */
1639 		scratch->b_cont = split_mp->b_cont;
1640 		scratch->b_rptr += wheretodiv;
1641 		split_mp->b_wptr = split_mp->b_rptr + wheretodiv;
1642 		split_mp->b_cont = scratch;
1643 	}
1644 	/*
1645 	 * At this point, split_mp is exactly "wheretodiv" bytes long, and
1646 	 * holds the end of the pre-ESP part of the datagram.
1647 	 */
1648 	esp_mp->b_cont = split_mp->b_cont;
1649 	split_mp->b_cont = esp_mp;
1650 
1651 	return (B_TRUE);
1652 }
1653 
1654 /*
1655  * Section 7 of RFC 3947 says:
1656  *
1657  * 7.  Recovering from the Expiring NAT Mappings
1658  *
1659  *    There are cases where NAT box decides to remove mappings that are still
1660  *    alive (for example, when the keepalive interval is too long, or when the
1661  *    NAT box is rebooted).  To recover from this, ends that are NOT behind
1662  *    NAT SHOULD use the last valid UDP encapsulated IKE or IPsec packet from
1663  *    the other end to determine which IP and port addresses should be used.
1664  *    The host behind dynamic NAT MUST NOT do this, as otherwise it opens a
1665  *    DoS attack possibility because the IP address or port of the other host
1666  *    will not change (it is not behind NAT).
1667  *
1668  *    Keepalives cannot be used for these purposes, as they are not
1669  *    authenticated, but any IKE authenticated IKE packet or ESP packet can be
1670  *    used to detect whether the IP address or the port has changed.
1671  *
1672  * The following function will check an SA and its explicitly-set pair to see
1673  * if the NAT-T remote port matches the received packet (which must have
1674  * passed ESP authentication, see esp_in_done() for the caller context).  If
1675  * there is a mismatch, the SAs are updated.  It is not important if we race
1676  * with a transmitting thread, as if there is a transmitting thread, it will
1677  * merely emit a packet that will most-likely be dropped.
1678  *
1679  * "ports" are ordered src,dst, and assoc is an inbound SA, where src should
1680  * match ipsa_remote_nat_port and dst should match ipsa_local_nat_port.
1681  */
1682 #ifdef _LITTLE_ENDIAN
1683 #define	FIRST_16(x) ((x) & 0xFFFF)
1684 #define	NEXT_16(x) (((x) >> 16) & 0xFFFF)
1685 #else
1686 #define	FIRST_16(x) (((x) >> 16) & 0xFFFF)
1687 #define	NEXT_16(x) ((x) & 0xFFFF)
1688 #endif
1689 static void
1690 esp_port_freshness(uint32_t ports, ipsa_t *assoc)
1691 {
1692 	uint16_t remote = FIRST_16(ports);
1693 	uint16_t local = NEXT_16(ports);
1694 	ipsa_t *outbound_peer;
1695 	isaf_t *bucket;
1696 	ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp;
1697 
1698 	/* We found a conn_t, therefore local != 0. */
1699 	ASSERT(local != 0);
1700 	/* Assume an IPv4 SA. */
1701 	ASSERT(assoc->ipsa_addrfam == AF_INET);
1702 
1703 	/*
1704 	 * On-the-wire rport == 0 means something's very wrong.
1705 	 * An unpaired SA is also useless to us.
1706 	 * If we are behind the NAT, don't bother.
1707 	 * A zero local NAT port defaults to 4500, so check that too.
1708 	 * And, of course, if the ports already match, we don't need to
1709 	 * bother.
1710 	 */
1711 	if (remote == 0 || assoc->ipsa_otherspi == 0 ||
1712 	    (assoc->ipsa_flags & IPSA_F_BEHIND_NAT) ||
1713 	    (assoc->ipsa_remote_nat_port == 0 &&
1714 	    remote == htons(IPPORT_IKE_NATT)) ||
1715 	    remote == assoc->ipsa_remote_nat_port)
1716 		return;
1717 
1718 	/* Try and snag the peer.   NOTE:  Assume IPv4 for now. */
1719 	bucket = OUTBOUND_BUCKET_V4(&(espstack->esp_sadb.s_v4),
1720 	    assoc->ipsa_srcaddr[0]);
1721 	mutex_enter(&bucket->isaf_lock);
1722 	outbound_peer = ipsec_getassocbyspi(bucket, assoc->ipsa_otherspi,
1723 	    assoc->ipsa_dstaddr, assoc->ipsa_srcaddr, AF_INET);
1724 	mutex_exit(&bucket->isaf_lock);
1725 
1726 	/* We probably lost a race to a deleting or expiring thread. */
1727 	if (outbound_peer == NULL)
1728 		return;
1729 
1730 	/*
1731 	 * Hold the mutexes for both SAs so we don't race another inbound
1732 	 * thread.  A lock-entry order shouldn't matter, since all other
1733 	 * per-ipsa locks are individually held-then-released.
1734 	 *
1735 	 * Luckily, this has nothing to do with the remote-NAT address,
1736 	 * so we don't have to re-scribble the cached-checksum differential.
1737 	 */
1738 	mutex_enter(&outbound_peer->ipsa_lock);
1739 	mutex_enter(&assoc->ipsa_lock);
1740 	outbound_peer->ipsa_remote_nat_port = assoc->ipsa_remote_nat_port =
1741 	    remote;
1742 	mutex_exit(&assoc->ipsa_lock);
1743 	mutex_exit(&outbound_peer->ipsa_lock);
1744 	IPSA_REFRELE(outbound_peer);
1745 	ESP_BUMP_STAT(espstack, sa_port_renumbers);
1746 }
1747 /*
1748  * Finish processing of an inbound ESP packet after processing by the
1749  * crypto framework.
1750  * - Remove the ESP header.
1751  * - Send packet back to IP.
1752  * If authentication was performed on the packet, this function is called
1753  * only if the authentication succeeded.
1754  * On success returns B_TRUE, on failure returns B_FALSE and frees the
1755  * mblk chain ipsec_in_mp.
1756  */
1757 static ipsec_status_t
1758 esp_in_done(mblk_t *ipsec_in_mp)
1759 {
1760 	ipsec_in_t *ii = (ipsec_in_t *)ipsec_in_mp->b_rptr;
1761 	mblk_t *data_mp;
1762 	ipsa_t *assoc;
1763 	uint_t espstart;
1764 	uint32_t ivlen = 0;
1765 	uint_t processed_len;
1766 	esph_t *esph;
1767 	kstat_named_t *counter;
1768 	boolean_t is_natt;
1769 	netstack_t	*ns = ii->ipsec_in_ns;
1770 	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
1771 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
1772 
1773 	assoc = ii->ipsec_in_esp_sa;
1774 	ASSERT(assoc != NULL);
1775 
1776 	is_natt = ((assoc->ipsa_flags & IPSA_F_NATT) != 0);
1777 
1778 	/* get the pointer to the ESP header */
1779 	if (assoc->ipsa_encr_alg == SADB_EALG_NULL) {
1780 		/* authentication-only ESP */
1781 		espstart = ii->ipsec_in_crypto_data.cd_offset;
1782 		processed_len = ii->ipsec_in_crypto_data.cd_length;
1783 	} else {
1784 		/* encryption present */
1785 		ivlen = assoc->ipsa_iv_len;
1786 		if (assoc->ipsa_auth_alg == SADB_AALG_NONE) {
1787 			/* encryption-only ESP */
1788 			espstart = ii->ipsec_in_crypto_data.cd_offset -
1789 			    sizeof (esph_t) - assoc->ipsa_iv_len;
1790 			processed_len = ii->ipsec_in_crypto_data.cd_length +
1791 			    ivlen;
1792 		} else {
1793 			/* encryption with authentication */
1794 			espstart = ii->ipsec_in_crypto_dual_data.dd_offset1;
1795 			processed_len = ii->ipsec_in_crypto_dual_data.dd_len2 +
1796 			    ivlen;
1797 		}
1798 	}
1799 
1800 	data_mp = ipsec_in_mp->b_cont;
1801 	esph = (esph_t *)(data_mp->b_rptr + espstart);
1802 
1803 	if (assoc->ipsa_auth_alg != IPSA_AALG_NONE ||
1804 	    (assoc->ipsa_flags & IPSA_F_COMBINED)) {
1805 		/*
1806 		 * Authentication passed if we reach this point.
1807 		 * Packets with authentication will have the ICV
1808 		 * after the crypto data. Adjust b_wptr before
1809 		 * making padlen checks.
1810 		 */
1811 		ESP_BUMP_STAT(espstack, good_auth);
1812 		data_mp->b_wptr -= assoc->ipsa_mac_len;
1813 
1814 		/*
1815 		 * Check replay window here!
1816 		 * For right now, assume keysock will set the replay window
1817 		 * size to zero for SAs that have an unspecified sender.
1818 		 * This may change...
1819 		 */
1820 
1821 		if (!sadb_replay_check(assoc, esph->esph_replay)) {
1822 			/*
1823 			 * Log the event. As of now we print out an event.
1824 			 * Do not print the replay failure number, or else
1825 			 * syslog cannot collate the error messages.  Printing
1826 			 * the replay number that failed opens a denial-of-
1827 			 * service attack.
1828 			 */
1829 			ipsec_assocfailure(info.mi_idnum, 0, 0,
1830 			    SL_ERROR | SL_WARN,
1831 			    "Replay failed for ESP spi 0x%x, dst %s.\n",
1832 			    assoc->ipsa_spi, assoc->ipsa_dstaddr,
1833 			    assoc->ipsa_addrfam, espstack->ipsecesp_netstack);
1834 			ESP_BUMP_STAT(espstack, replay_failures);
1835 			counter = DROPPER(ipss, ipds_esp_replay);
1836 			goto drop_and_bail;
1837 		}
1838 
1839 		if (is_natt)
1840 			esp_port_freshness(ii->ipsec_in_esp_udp_ports, assoc);
1841 	}
1842 
1843 	esp_set_usetime(assoc, B_TRUE);
1844 
1845 	if (!esp_age_bytes(assoc, processed_len, B_TRUE)) {
1846 		/* The ipsa has hit hard expiration, LOG and AUDIT. */
1847 		ipsec_assocfailure(info.mi_idnum, 0, 0,
1848 		    SL_ERROR | SL_WARN,
1849 		    "ESP association 0x%x, dst %s had bytes expire.\n",
1850 		    assoc->ipsa_spi, assoc->ipsa_dstaddr, assoc->ipsa_addrfam,
1851 		    espstack->ipsecesp_netstack);
1852 		ESP_BUMP_STAT(espstack, bytes_expired);
1853 		counter = DROPPER(ipss, ipds_esp_bytes_expire);
1854 		goto drop_and_bail;
1855 	}
1856 
1857 	/*
1858 	 * Remove ESP header and padding from packet.  I hope the compiler
1859 	 * spews "branch, predict taken" code for this.
1860 	 */
1861 
1862 	if (esp_strip_header(data_mp, ii->ipsec_in_v4, ivlen, &counter,
1863 	    espstack)) {
1864 		if (is_natt)
1865 			return (esp_fix_natt_checksums(data_mp, assoc));
1866 
1867 		if (assoc->ipsa_state == IPSA_STATE_IDLE) {
1868 			/*
1869 			 * Cluster buffering case.  Tell caller that we're
1870 			 * handling the packet.
1871 			 */
1872 			sadb_buf_pkt(assoc, ipsec_in_mp, ns);
1873 			return (IPSEC_STATUS_PENDING);
1874 		}
1875 
1876 		return (IPSEC_STATUS_SUCCESS);
1877 	}
1878 
1879 	esp1dbg(espstack, ("esp_in_done: esp_strip_header() failed\n"));
1880 drop_and_bail:
1881 	IP_ESP_BUMP_STAT(ipss, in_discards);
1882 	/*
1883 	 * TODO: Extract inbound interface from the IPSEC_IN message's
1884 	 * ii->ipsec_in_rill_index.
1885 	 */
1886 	ip_drop_packet(ipsec_in_mp, B_TRUE, NULL, NULL, counter,
1887 	    &espstack->esp_dropper);
1888 	return (IPSEC_STATUS_FAILED);
1889 }
1890 
1891 /*
1892  * Called upon failing the inbound ICV check. The message passed as
1893  * argument is freed.
1894  */
1895 static void
1896 esp_log_bad_auth(mblk_t *ipsec_in)
1897 {
1898 	ipsec_in_t *ii = (ipsec_in_t *)ipsec_in->b_rptr;
1899 	ipsa_t *assoc = ii->ipsec_in_esp_sa;
1900 	netstack_t	*ns = ii->ipsec_in_ns;
1901 	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
1902 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
1903 
1904 	/*
1905 	 * Log the event. Don't print to the console, block
1906 	 * potential denial-of-service attack.
1907 	 */
1908 	ESP_BUMP_STAT(espstack, bad_auth);
1909 
1910 	ipsec_assocfailure(info.mi_idnum, 0, 0, SL_ERROR | SL_WARN,
1911 	    "ESP Authentication failed for spi 0x%x, dst %s.\n",
1912 	    assoc->ipsa_spi, assoc->ipsa_dstaddr, assoc->ipsa_addrfam,
1913 	    espstack->ipsecesp_netstack);
1914 
1915 	IP_ESP_BUMP_STAT(ipss, in_discards);
1916 	/*
1917 	 * TODO: Extract inbound interface from the IPSEC_IN
1918 	 * message's ii->ipsec_in_rill_index.
1919 	 */
1920 	ip_drop_packet(ipsec_in, B_TRUE, NULL, NULL,
1921 	    DROPPER(ipss, ipds_esp_bad_auth),
1922 	    &espstack->esp_dropper);
1923 }
1924 
1925 
1926 /*
1927  * Invoked for outbound packets after ESP processing. If the packet
1928  * also requires AH, performs the AH SA selection and AH processing.
1929  * Returns B_TRUE if the AH processing was not needed or if it was
1930  * performed successfully. Returns B_FALSE and consumes the passed mblk
1931  * if AH processing was required but could not be performed.
1932  */
1933 static boolean_t
1934 esp_do_outbound_ah(mblk_t *ipsec_mp)
1935 {
1936 	ipsec_out_t *io = (ipsec_out_t *)ipsec_mp->b_rptr;
1937 	ipsec_status_t ipsec_rc;
1938 	ipsec_action_t *ap;
1939 
1940 	ap = io->ipsec_out_act;
1941 	if (ap == NULL) {
1942 		ipsec_policy_t *pp = io->ipsec_out_policy;
1943 		ap = pp->ipsp_act;
1944 	}
1945 
1946 	if (!ap->ipa_want_ah)
1947 		return (B_TRUE);
1948 
1949 	ASSERT(io->ipsec_out_ah_done == B_FALSE);
1950 
1951 	if (io->ipsec_out_ah_sa == NULL) {
1952 		if (!ipsec_outbound_sa(ipsec_mp, IPPROTO_AH)) {
1953 			sadb_acquire(ipsec_mp, io, B_TRUE, B_FALSE);
1954 			return (B_FALSE);
1955 		}
1956 	}
1957 	ASSERT(io->ipsec_out_ah_sa != NULL);
1958 
1959 	io->ipsec_out_ah_done = B_TRUE;
1960 	ipsec_rc = io->ipsec_out_ah_sa->ipsa_output_func(ipsec_mp);
1961 	return (ipsec_rc == IPSEC_STATUS_SUCCESS);
1962 }
1963 
1964 
1965 /*
1966  * Kernel crypto framework callback invoked after completion of async
1967  * crypto requests.
1968  */
1969 static void
1970 esp_kcf_callback(void *arg, int status)
1971 {
1972 	mblk_t *ipsec_mp = (mblk_t *)arg;
1973 	ipsec_in_t *ii = (ipsec_in_t *)ipsec_mp->b_rptr;
1974 	ipsec_out_t *io = (ipsec_out_t *)ipsec_mp->b_rptr;
1975 	boolean_t is_inbound = (ii->ipsec_in_type == IPSEC_IN);
1976 	netstackid_t	stackid;
1977 	netstack_t	*ns, *ns_arg;
1978 	ipsecesp_stack_t *espstack;
1979 	ipsec_stack_t	*ipss;
1980 
1981 	ASSERT(ipsec_mp->b_cont != NULL);
1982 
1983 	if (is_inbound) {
1984 		stackid = ii->ipsec_in_stackid;
1985 		ns_arg = ii->ipsec_in_ns;
1986 	} else {
1987 		stackid = io->ipsec_out_stackid;
1988 		ns_arg = io->ipsec_out_ns;
1989 	}
1990 
1991 	/*
1992 	 * Verify that the netstack is still around; could have vanished
1993 	 * while kEf was doing its work.
1994 	 */
1995 	ns = netstack_find_by_stackid(stackid);
1996 	if (ns == NULL || ns != ns_arg) {
1997 		/* Disappeared on us */
1998 		if (ns != NULL)
1999 			netstack_rele(ns);
2000 		freemsg(ipsec_mp);
2001 		return;
2002 	}
2003 
2004 	espstack = ns->netstack_ipsecesp;
2005 	ipss = ns->netstack_ipsec;
2006 
2007 	if (status == CRYPTO_SUCCESS) {
2008 		if (is_inbound) {
2009 			if (esp_in_done(ipsec_mp) != IPSEC_STATUS_SUCCESS) {
2010 				netstack_rele(ns);
2011 				return;
2012 			}
2013 			/* finish IPsec processing */
2014 			ip_fanout_proto_again(ipsec_mp, NULL, NULL, NULL);
2015 		} else {
2016 			/*
2017 			 * If a ICV was computed, it was stored by the
2018 			 * crypto framework at the end of the packet.
2019 			 */
2020 			ipha_t *ipha = (ipha_t *)ipsec_mp->b_cont->b_rptr;
2021 
2022 			esp_set_usetime(io->ipsec_out_esp_sa, B_FALSE);
2023 			/* NAT-T packet. */
2024 			if (ipha->ipha_protocol == IPPROTO_UDP)
2025 				esp_prepare_udp(ns, ipsec_mp->b_cont, ipha);
2026 
2027 			/* do AH processing if needed */
2028 			if (!esp_do_outbound_ah(ipsec_mp)) {
2029 				netstack_rele(ns);
2030 				return;
2031 			}
2032 			/* finish IPsec processing */
2033 			if (IPH_HDR_VERSION(ipha) == IP_VERSION) {
2034 				ip_wput_ipsec_out(NULL, ipsec_mp, ipha, NULL,
2035 				    NULL);
2036 			} else {
2037 				ip6_t *ip6h = (ip6_t *)ipha;
2038 				ip_wput_ipsec_out_v6(NULL, ipsec_mp, ip6h,
2039 				    NULL, NULL);
2040 			}
2041 		}
2042 
2043 	} else if (status == CRYPTO_INVALID_MAC) {
2044 		esp_log_bad_auth(ipsec_mp);
2045 
2046 	} else {
2047 		esp1dbg(espstack,
2048 		    ("esp_kcf_callback: crypto failed with 0x%x\n",
2049 		    status));
2050 		ESP_BUMP_STAT(espstack, crypto_failures);
2051 		if (is_inbound)
2052 			IP_ESP_BUMP_STAT(ipss, in_discards);
2053 		else
2054 			ESP_BUMP_STAT(espstack, out_discards);
2055 		ip_drop_packet(ipsec_mp, is_inbound, NULL, NULL,
2056 		    DROPPER(ipss, ipds_esp_crypto_failed),
2057 		    &espstack->esp_dropper);
2058 	}
2059 	netstack_rele(ns);
2060 }
2061 
2062 /*
2063  * Invoked on crypto framework failure during inbound and outbound processing.
2064  */
2065 static void
2066 esp_crypto_failed(mblk_t *mp, boolean_t is_inbound, int kef_rc,
2067     ipsecesp_stack_t *espstack)
2068 {
2069 	ipsec_stack_t	*ipss = espstack->ipsecesp_netstack->netstack_ipsec;
2070 
2071 	esp1dbg(espstack, ("crypto failed for %s ESP with 0x%x\n",
2072 	    is_inbound ? "inbound" : "outbound", kef_rc));
2073 	ip_drop_packet(mp, is_inbound, NULL, NULL,
2074 	    DROPPER(ipss, ipds_esp_crypto_failed),
2075 	    &espstack->esp_dropper);
2076 	ESP_BUMP_STAT(espstack, crypto_failures);
2077 	if (is_inbound)
2078 		IP_ESP_BUMP_STAT(ipss, in_discards);
2079 	else
2080 		ESP_BUMP_STAT(espstack, out_discards);
2081 }
2082 
2083 #define	ESP_INIT_CALLREQ(_cr) {						\
2084 	(_cr)->cr_flag = CRYPTO_SKIP_REQID|CRYPTO_RESTRICTED;		\
2085 	(_cr)->cr_callback_arg = ipsec_mp;				\
2086 	(_cr)->cr_callback_func = esp_kcf_callback;			\
2087 }
2088 
2089 #define	ESP_INIT_CRYPTO_MAC(mac, icvlen, icvbuf) {			\
2090 	(mac)->cd_format = CRYPTO_DATA_RAW;				\
2091 	(mac)->cd_offset = 0;						\
2092 	(mac)->cd_length = icvlen;					\
2093 	(mac)->cd_raw.iov_base = (char *)icvbuf;			\
2094 	(mac)->cd_raw.iov_len = icvlen;					\
2095 }
2096 
2097 #define	ESP_INIT_CRYPTO_DATA(data, mp, off, len) {			\
2098 	if (MBLKL(mp) >= (len) + (off)) {				\
2099 		(data)->cd_format = CRYPTO_DATA_RAW;			\
2100 		(data)->cd_raw.iov_base = (char *)(mp)->b_rptr;		\
2101 		(data)->cd_raw.iov_len = MBLKL(mp);			\
2102 		(data)->cd_offset = off;				\
2103 	} else {							\
2104 		(data)->cd_format = CRYPTO_DATA_MBLK;			\
2105 		(data)->cd_mp = mp;			       		\
2106 		(data)->cd_offset = off;				\
2107 	}								\
2108 	(data)->cd_length = len;					\
2109 }
2110 
2111 #define	ESP_INIT_CRYPTO_DUAL_DATA(data, mp, off1, len1, off2, len2) {	\
2112 	(data)->dd_format = CRYPTO_DATA_MBLK;				\
2113 	(data)->dd_mp = mp;						\
2114 	(data)->dd_len1 = len1;						\
2115 	(data)->dd_offset1 = off1;					\
2116 	(data)->dd_len2 = len2;						\
2117 	(data)->dd_offset2 = off2;					\
2118 }
2119 
2120 static ipsec_status_t
2121 esp_submit_req_inbound(mblk_t *ipsec_mp, ipsa_t *assoc, uint_t esph_offset)
2122 {
2123 	ipsec_in_t *ii = (ipsec_in_t *)ipsec_mp->b_rptr;
2124 	boolean_t do_auth;
2125 	uint_t auth_offset, msg_len, auth_len;
2126 	crypto_call_req_t call_req;
2127 	mblk_t *esp_mp;
2128 	esph_t *esph_ptr;
2129 	int kef_rc = CRYPTO_FAILED;
2130 	uint_t icv_len = assoc->ipsa_mac_len;
2131 	crypto_ctx_template_t auth_ctx_tmpl;
2132 	boolean_t do_encr;
2133 	uint_t encr_offset, encr_len;
2134 	uint_t iv_len = assoc->ipsa_iv_len;
2135 	crypto_ctx_template_t encr_ctx_tmpl;
2136 	netstack_t	*ns = ii->ipsec_in_ns;
2137 	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
2138 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
2139 	uchar_t *iv_ptr;
2140 
2141 	ASSERT(ii->ipsec_in_type == IPSEC_IN);
2142 
2143 	/*
2144 	 * In case kEF queues and calls back, keep netstackid_t for
2145 	 * verification that the IP instance is still around in
2146 	 * esp_kcf_callback().
2147 	 */
2148 	ASSERT(ii->ipsec_in_stackid == ns->netstack_stackid);
2149 
2150 	do_auth = assoc->ipsa_auth_alg != SADB_AALG_NONE;
2151 	do_encr = assoc->ipsa_encr_alg != SADB_EALG_NULL;
2152 
2153 	/*
2154 	 * An inbound packet is of the form:
2155 	 * IPSEC_IN -> [IP,options,ESP,IV,data,ICV,pad]
2156 	 */
2157 	esp_mp = ipsec_mp->b_cont;
2158 	esph_ptr = (esph_t *)(esp_mp->b_rptr + esph_offset);
2159 	iv_ptr = (uchar_t *)(esph_ptr + 1);
2160 	/* Packet length starting at IP header ending after ESP ICV. */
2161 	msg_len = MBLKL(esp_mp);
2162 
2163 	encr_offset = esph_offset + sizeof (esph_t) + iv_len;
2164 	encr_len = msg_len - encr_offset;
2165 
2166 	ESP_INIT_CALLREQ(&call_req);
2167 
2168 	/*
2169 	 * Counter mode algs need a nonce. This is setup in sadb_common_add().
2170 	 * If for some reason we are using a SA which does not have a nonce
2171 	 * then we must fail here.
2172 	 */
2173 	if ((assoc->ipsa_flags & IPSA_F_COUNTERMODE) &&
2174 	    (assoc->ipsa_nonce == NULL)) {
2175 		ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
2176 		    DROPPER(ipss, ipds_esp_nomem), &espstack->esp_dropper);
2177 		return (IPSEC_STATUS_FAILED);
2178 	}
2179 
2180 	if (do_auth) {
2181 		/* force asynchronous processing? */
2182 		if (ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] ==
2183 		    IPSEC_ALGS_EXEC_ASYNC)
2184 			call_req.cr_flag |= CRYPTO_ALWAYS_QUEUE;
2185 
2186 		/* authentication context template */
2187 		IPSEC_CTX_TMPL(assoc, ipsa_authtmpl, IPSEC_ALG_AUTH,
2188 		    auth_ctx_tmpl);
2189 
2190 		/* ICV to be verified */
2191 		ESP_INIT_CRYPTO_MAC(&ii->ipsec_in_crypto_mac,
2192 		    icv_len, esp_mp->b_wptr - icv_len);
2193 
2194 		/* authentication starts at the ESP header */
2195 		auth_offset = esph_offset;
2196 		auth_len = msg_len - auth_offset - icv_len;
2197 		if (!do_encr) {
2198 			/* authentication only */
2199 			/* initialize input data argument */
2200 			ESP_INIT_CRYPTO_DATA(&ii->ipsec_in_crypto_data,
2201 			    esp_mp, auth_offset, auth_len);
2202 
2203 			/* call the crypto framework */
2204 			kef_rc = crypto_mac_verify(&assoc->ipsa_amech,
2205 			    &ii->ipsec_in_crypto_data,
2206 			    &assoc->ipsa_kcfauthkey, auth_ctx_tmpl,
2207 			    &ii->ipsec_in_crypto_mac, &call_req);
2208 		}
2209 	}
2210 
2211 	if (do_encr) {
2212 		/* force asynchronous processing? */
2213 		if (ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] ==
2214 		    IPSEC_ALGS_EXEC_ASYNC)
2215 			call_req.cr_flag |= CRYPTO_ALWAYS_QUEUE;
2216 
2217 		/* encryption template */
2218 		IPSEC_CTX_TMPL(assoc, ipsa_encrtmpl, IPSEC_ALG_ENCR,
2219 		    encr_ctx_tmpl);
2220 
2221 		/* Call the nonce update function. Also passes in IV */
2222 		(assoc->ipsa_noncefunc)(assoc, (uchar_t *)esph_ptr, encr_len,
2223 		    iv_ptr, &ii->ipsec_in_cmm, &ii->ipsec_in_crypto_data);
2224 
2225 		if (!do_auth) {
2226 			/* decryption only */
2227 			/* initialize input data argument */
2228 			ESP_INIT_CRYPTO_DATA(&ii->ipsec_in_crypto_data,
2229 			    esp_mp, encr_offset, encr_len);
2230 
2231 			/* call the crypto framework */
2232 			kef_rc = crypto_decrypt((crypto_mechanism_t *)
2233 			    &ii->ipsec_in_cmm, &ii->ipsec_in_crypto_data,
2234 			    &assoc->ipsa_kcfencrkey, encr_ctx_tmpl,
2235 			    NULL, &call_req);
2236 		}
2237 	}
2238 
2239 	if (do_auth && do_encr) {
2240 		/* dual operation */
2241 		/* initialize input data argument */
2242 		ESP_INIT_CRYPTO_DUAL_DATA(&ii->ipsec_in_crypto_dual_data,
2243 		    esp_mp, auth_offset, auth_len,
2244 		    encr_offset, encr_len - icv_len);
2245 
2246 		/* specify IV */
2247 		ii->ipsec_in_crypto_dual_data.dd_miscdata = (char *)iv_ptr;
2248 
2249 		/* call the framework */
2250 		kef_rc = crypto_mac_verify_decrypt(&assoc->ipsa_amech,
2251 		    &assoc->ipsa_emech, &ii->ipsec_in_crypto_dual_data,
2252 		    &assoc->ipsa_kcfauthkey, &assoc->ipsa_kcfencrkey,
2253 		    auth_ctx_tmpl, encr_ctx_tmpl, &ii->ipsec_in_crypto_mac,
2254 		    NULL, &call_req);
2255 	}
2256 
2257 	switch (kef_rc) {
2258 	case CRYPTO_SUCCESS:
2259 		ESP_BUMP_STAT(espstack, crypto_sync);
2260 		return (esp_in_done(ipsec_mp));
2261 	case CRYPTO_QUEUED:
2262 		/* esp_kcf_callback() will be invoked on completion */
2263 		ESP_BUMP_STAT(espstack, crypto_async);
2264 		return (IPSEC_STATUS_PENDING);
2265 	case CRYPTO_INVALID_MAC:
2266 		ESP_BUMP_STAT(espstack, crypto_sync);
2267 		esp_log_bad_auth(ipsec_mp);
2268 		return (IPSEC_STATUS_FAILED);
2269 	}
2270 
2271 	esp_crypto_failed(ipsec_mp, B_TRUE, kef_rc, espstack);
2272 	return (IPSEC_STATUS_FAILED);
2273 }
2274 
2275 /*
2276  * Compute the IP and UDP checksums -- common code for both keepalives and
2277  * actual ESP-in-UDP packets.  Be flexible with multiple mblks because ESP
2278  * uses mblk-insertion to insert the UDP header.
2279  * TODO - If there is an easy way to prep a packet for HW checksums, make
2280  * it happen here.
2281  */
2282 static void
2283 esp_prepare_udp(netstack_t *ns, mblk_t *mp, ipha_t *ipha)
2284 {
2285 	int offset;
2286 	uint32_t cksum;
2287 	uint16_t *arr;
2288 	mblk_t *udpmp = mp;
2289 	uint_t hlen = IPH_HDR_LENGTH(ipha);
2290 
2291 	ASSERT(MBLKL(mp) >= sizeof (ipha_t));
2292 
2293 	ipha->ipha_hdr_checksum = 0;
2294 	ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
2295 
2296 	if (ns->netstack_udp->us_do_checksum) {
2297 		ASSERT(MBLKL(udpmp) >= sizeof (udpha_t));
2298 		/* arr points to the IP header. */
2299 		arr = (uint16_t *)ipha;
2300 		IP_STAT(ns->netstack_ip, ip_out_sw_cksum);
2301 		IP_STAT_UPDATE(ns->netstack_ip, ip_udp_out_sw_cksum_bytes,
2302 		    ntohs(htons(ipha->ipha_length) - hlen));
2303 		/* arr[6-9] are the IP addresses. */
2304 		cksum = IP_UDP_CSUM_COMP + arr[6] + arr[7] + arr[8] + arr[9] +
2305 		    ntohs(htons(ipha->ipha_length) - hlen);
2306 		cksum = IP_CSUM(mp, hlen, cksum);
2307 		offset = hlen + UDP_CHECKSUM_OFFSET;
2308 		while (offset >= MBLKL(udpmp)) {
2309 			offset -= MBLKL(udpmp);
2310 			udpmp = udpmp->b_cont;
2311 		}
2312 		/* arr points to the UDP header's checksum field. */
2313 		arr = (uint16_t *)(udpmp->b_rptr + offset);
2314 		*arr = cksum;
2315 	}
2316 }
2317 
2318 /*
2319  * taskq handler so we can send the NAT-T keepalive on a separate thread.
2320  */
2321 static void
2322 actually_send_keepalive(void *arg)
2323 {
2324 	mblk_t *ipsec_mp = (mblk_t *)arg;
2325 	ipsec_out_t *io = (ipsec_out_t *)ipsec_mp->b_rptr;
2326 	ipha_t *ipha;
2327 	netstack_t *ns;
2328 
2329 	ASSERT(DB_TYPE(ipsec_mp) == M_CTL);
2330 	ASSERT(io->ipsec_out_type == IPSEC_OUT);
2331 	ASSERT(ipsec_mp->b_cont != NULL);
2332 	ASSERT(DB_TYPE(ipsec_mp->b_cont) == M_DATA);
2333 
2334 	ns = netstack_find_by_stackid(io->ipsec_out_stackid);
2335 	if (ns == NULL || ns != io->ipsec_out_ns) {
2336 		/* Just freemsg(). */
2337 		if (ns != NULL)
2338 			netstack_rele(ns);
2339 		freemsg(ipsec_mp);
2340 		return;
2341 	}
2342 
2343 	ipha = (ipha_t *)ipsec_mp->b_cont->b_rptr;
2344 	ip_wput_ipsec_out(NULL, ipsec_mp, ipha, NULL, NULL);
2345 	netstack_rele(ns);
2346 }
2347 
2348 /*
2349  * Send a one-byte UDP NAT-T keepalive.  Construct an IPSEC_OUT too that'll
2350  * get fed into esp_send_udp/ip_wput_ipsec_out.
2351  */
2352 void
2353 ipsecesp_send_keepalive(ipsa_t *assoc)
2354 {
2355 	mblk_t *mp = NULL, *ipsec_mp = NULL;
2356 	ipha_t *ipha;
2357 	udpha_t *udpha;
2358 	ipsec_out_t *io;
2359 
2360 	ASSERT(MUTEX_NOT_HELD(&assoc->ipsa_lock));
2361 
2362 	mp = allocb(sizeof (ipha_t) + sizeof (udpha_t) + 1, BPRI_HI);
2363 	if (mp == NULL)
2364 		return;
2365 	ipha = (ipha_t *)mp->b_rptr;
2366 	ipha->ipha_version_and_hdr_length = IP_SIMPLE_HDR_VERSION;
2367 	ipha->ipha_type_of_service = 0;
2368 	ipha->ipha_length = htons(sizeof (ipha_t) + sizeof (udpha_t) + 1);
2369 	/* Use the low-16 of the SPI so we have some clue where it came from. */
2370 	ipha->ipha_ident = *(((uint16_t *)(&assoc->ipsa_spi)) + 1);
2371 	ipha->ipha_fragment_offset_and_flags = 0;  /* Too small to fragment! */
2372 	ipha->ipha_ttl = 0xFF;
2373 	ipha->ipha_protocol = IPPROTO_UDP;
2374 	ipha->ipha_hdr_checksum = 0;
2375 	ipha->ipha_src = assoc->ipsa_srcaddr[0];
2376 	ipha->ipha_dst = assoc->ipsa_dstaddr[0];
2377 	udpha = (udpha_t *)(ipha + 1);
2378 	udpha->uha_src_port = (assoc->ipsa_local_nat_port != 0) ?
2379 	    assoc->ipsa_local_nat_port : htons(IPPORT_IKE_NATT);
2380 	udpha->uha_dst_port = (assoc->ipsa_remote_nat_port != 0) ?
2381 	    assoc->ipsa_remote_nat_port : htons(IPPORT_IKE_NATT);
2382 	udpha->uha_length = htons(sizeof (udpha_t) + 1);
2383 	udpha->uha_checksum = 0;
2384 	mp->b_wptr = (uint8_t *)(udpha + 1);
2385 	*(mp->b_wptr++) = 0xFF;
2386 
2387 	ipsec_mp = ipsec_alloc_ipsec_out(assoc->ipsa_netstack);
2388 	if (ipsec_mp == NULL) {
2389 		freeb(mp);
2390 		return;
2391 	}
2392 	ipsec_mp->b_cont = mp;
2393 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
2394 	io->ipsec_out_zoneid =
2395 	    netstackid_to_zoneid(assoc->ipsa_netstack->netstack_stackid);
2396 	io->ipsec_out_stackid = assoc->ipsa_netstack->netstack_stackid;
2397 
2398 	esp_prepare_udp(assoc->ipsa_netstack, mp, ipha);
2399 	/*
2400 	 * We're holding an isaf_t bucket lock, so pawn off the actual
2401 	 * packet transmission to another thread.  Just in case syncq
2402 	 * processing causes a same-bucket packet to be processed.
2403 	 */
2404 	if (taskq_dispatch(esp_taskq, actually_send_keepalive, ipsec_mp,
2405 	    TQ_NOSLEEP) == 0) {
2406 		/* Assume no memory if taskq_dispatch() fails. */
2407 		ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
2408 		    DROPPER(assoc->ipsa_netstack->netstack_ipsec,
2409 		    ipds_esp_nomem),
2410 		    &assoc->ipsa_netstack->netstack_ipsecesp->esp_dropper);
2411 	}
2412 }
2413 
2414 static ipsec_status_t
2415 esp_submit_req_outbound(mblk_t *ipsec_mp, ipsa_t *assoc, uchar_t *icv_buf,
2416     uint_t payload_len)
2417 {
2418 	ipsec_out_t *io = (ipsec_out_t *)ipsec_mp->b_rptr;
2419 	uint_t auth_len;
2420 	crypto_call_req_t call_req;
2421 	mblk_t *esp_mp, *data_mp, *ip_mp;
2422 	esph_t *esph_ptr;
2423 	int kef_rc = CRYPTO_FAILED;
2424 	uint_t icv_len = assoc->ipsa_mac_len;
2425 	crypto_ctx_template_t auth_ctx_tmpl;
2426 	boolean_t do_auth;
2427 	boolean_t do_encr;
2428 	uint_t iv_len = assoc->ipsa_iv_len;
2429 	crypto_ctx_template_t encr_ctx_tmpl;
2430 	boolean_t is_natt = ((assoc->ipsa_flags & IPSA_F_NATT) != 0);
2431 	size_t esph_offset = (is_natt ? UDPH_SIZE : 0);
2432 	netstack_t	*ns = io->ipsec_out_ns;
2433 	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
2434 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
2435 	uchar_t *iv_ptr;
2436 	crypto_data_t *cd_ptr = NULL;
2437 
2438 	esp3dbg(espstack, ("esp_submit_req_outbound:%s",
2439 	    is_natt ? "natt" : "not natt"));
2440 
2441 	ASSERT(io->ipsec_out_type == IPSEC_OUT);
2442 
2443 	/*
2444 	 * In case kEF queues and calls back, keep netstackid_t for
2445 	 * verification that the IP instance is still around in
2446 	 * esp_kcf_callback().
2447 	 */
2448 	io->ipsec_out_stackid = ns->netstack_stackid;
2449 
2450 	do_encr = assoc->ipsa_encr_alg != SADB_EALG_NULL;
2451 	do_auth = assoc->ipsa_auth_alg != SADB_AALG_NONE;
2452 
2453 	/*
2454 	 * Outbound IPsec packets are of the form:
2455 	 * IPSEC_OUT -> [IP,options] -> [ESP,IV] -> [data] -> [pad,ICV]
2456 	 * unless it's NATT, then it's
2457 	 * IPSEC_OUT -> [IP,options] -> [udp][ESP,IV] -> [data] -> [pad,ICV]
2458 	 * Get a pointer to the mblk containing the ESP header.
2459 	 */
2460 	ip_mp = ipsec_mp->b_cont;
2461 	esp_mp = ipsec_mp->b_cont->b_cont;
2462 	ASSERT(ip_mp != NULL && esp_mp != NULL);
2463 	esph_ptr = (esph_t *)(esp_mp->b_rptr + esph_offset);
2464 	iv_ptr = (uchar_t *)(esph_ptr + 1);
2465 	data_mp = ipsec_mp->b_cont->b_cont->b_cont;
2466 
2467 	/*
2468 	 * Combined mode algs need a nonce. This is setup in sadb_common_add().
2469 	 * If for some reason we are using a SA which does not have a nonce
2470 	 * then we must fail here.
2471 	 */
2472 	if ((assoc->ipsa_flags & IPSA_F_COUNTERMODE) &&
2473 	    (assoc->ipsa_nonce == NULL)) {
2474 		ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
2475 		    DROPPER(ipss, ipds_esp_nomem), &espstack->esp_dropper);
2476 		return (IPSEC_STATUS_FAILED);
2477 	}
2478 
2479 	ESP_INIT_CALLREQ(&call_req);
2480 
2481 	if (do_auth) {
2482 		/* force asynchronous processing? */
2483 		if (ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] ==
2484 		    IPSEC_ALGS_EXEC_ASYNC)
2485 			call_req.cr_flag |= CRYPTO_ALWAYS_QUEUE;
2486 
2487 		/* authentication context template */
2488 		IPSEC_CTX_TMPL(assoc, ipsa_authtmpl, IPSEC_ALG_AUTH,
2489 		    auth_ctx_tmpl);
2490 
2491 		/* where to store the computed mac */
2492 		ESP_INIT_CRYPTO_MAC(&io->ipsec_out_crypto_mac,
2493 		    icv_len, icv_buf);
2494 
2495 		/* authentication starts at the ESP header */
2496 		auth_len = payload_len + iv_len + sizeof (esph_t);
2497 		if (!do_encr) {
2498 			/* authentication only */
2499 			/* initialize input data argument */
2500 			ESP_INIT_CRYPTO_DATA(&io->ipsec_out_crypto_data,
2501 			    esp_mp, esph_offset, auth_len);
2502 
2503 			/* call the crypto framework */
2504 			kef_rc = crypto_mac(&assoc->ipsa_amech,
2505 			    &io->ipsec_out_crypto_data,
2506 			    &assoc->ipsa_kcfauthkey, auth_ctx_tmpl,
2507 			    &io->ipsec_out_crypto_mac, &call_req);
2508 		}
2509 	}
2510 
2511 	if (do_encr) {
2512 		/* force asynchronous processing? */
2513 		if (ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] ==
2514 		    IPSEC_ALGS_EXEC_ASYNC)
2515 			call_req.cr_flag |= CRYPTO_ALWAYS_QUEUE;
2516 
2517 		/* encryption context template */
2518 		IPSEC_CTX_TMPL(assoc, ipsa_encrtmpl, IPSEC_ALG_ENCR,
2519 		    encr_ctx_tmpl);
2520 		/* Call the nonce update function. */
2521 		(assoc->ipsa_noncefunc)(assoc, (uchar_t *)esph_ptr, payload_len,
2522 		    iv_ptr, &io->ipsec_out_cmm, &io->ipsec_out_crypto_data);
2523 
2524 		if (!do_auth) {
2525 			/* encryption only, skip mblk that contains ESP hdr */
2526 			/* initialize input data argument */
2527 			ESP_INIT_CRYPTO_DATA(&io->ipsec_out_crypto_data,
2528 			    data_mp, 0, payload_len);
2529 
2530 			/*
2531 			 * For combined mode ciphers, the ciphertext is the same
2532 			 * size as the clear text, the ICV should follow the
2533 			 * ciphertext. To convince the kcf to allow in-line
2534 			 * encryption, with an ICV, use ipsec_out_crypto_mac
2535 			 * to point to the same buffer as the data. The calling
2536 			 * function need to ensure the buffer is large enough to
2537 			 * include the ICV.
2538 			 *
2539 			 * The IV is already written to the packet buffer, the
2540 			 * nonce setup function copied it to the params struct
2541 			 * for the cipher to use.
2542 			 */
2543 			if (assoc->ipsa_flags & IPSA_F_COMBINED) {
2544 				bcopy(&io->ipsec_out_crypto_data,
2545 				    &io->ipsec_out_crypto_mac,
2546 				    sizeof (crypto_data_t));
2547 				io->ipsec_out_crypto_mac.cd_length =
2548 				    payload_len + icv_len;
2549 				cd_ptr = &io->ipsec_out_crypto_mac;
2550 			}
2551 
2552 			/* call the crypto framework */
2553 			kef_rc = crypto_encrypt((crypto_mechanism_t *)
2554 			    &io->ipsec_out_cmm,
2555 			    &io->ipsec_out_crypto_data,
2556 			    &assoc->ipsa_kcfencrkey, encr_ctx_tmpl,
2557 			    cd_ptr, &call_req);
2558 
2559 		}
2560 	}
2561 
2562 	if (do_auth && do_encr) {
2563 		/*
2564 		 * Encryption and authentication:
2565 		 * Pass the pointer to the mblk chain starting at the ESP
2566 		 * header to the framework. Skip the ESP header mblk
2567 		 * for encryption, which is reflected by an encryption
2568 		 * offset equal to the length of that mblk. Start
2569 		 * the authentication at the ESP header, i.e. use an
2570 		 * authentication offset of zero.
2571 		 */
2572 		ESP_INIT_CRYPTO_DUAL_DATA(&io->ipsec_out_crypto_dual_data,
2573 		    esp_mp, MBLKL(esp_mp), payload_len, esph_offset, auth_len);
2574 
2575 		/* specify IV */
2576 		io->ipsec_out_crypto_dual_data.dd_miscdata = (char *)iv_ptr;
2577 
2578 		/* call the framework */
2579 		kef_rc = crypto_encrypt_mac(&assoc->ipsa_emech,
2580 		    &assoc->ipsa_amech, NULL,
2581 		    &assoc->ipsa_kcfencrkey, &assoc->ipsa_kcfauthkey,
2582 		    encr_ctx_tmpl, auth_ctx_tmpl,
2583 		    &io->ipsec_out_crypto_dual_data,
2584 		    &io->ipsec_out_crypto_mac, &call_req);
2585 	}
2586 
2587 	switch (kef_rc) {
2588 	case CRYPTO_SUCCESS:
2589 		ESP_BUMP_STAT(espstack, crypto_sync);
2590 		esp_set_usetime(assoc, B_FALSE);
2591 		if (is_natt)
2592 			esp_prepare_udp(ns, ipsec_mp->b_cont,
2593 			    (ipha_t *)ipsec_mp->b_cont->b_rptr);
2594 		return (IPSEC_STATUS_SUCCESS);
2595 	case CRYPTO_QUEUED:
2596 		/* esp_kcf_callback() will be invoked on completion */
2597 		ESP_BUMP_STAT(espstack, crypto_async);
2598 		return (IPSEC_STATUS_PENDING);
2599 	}
2600 
2601 	esp_crypto_failed(ipsec_mp, B_FALSE, kef_rc, espstack);
2602 	return (IPSEC_STATUS_FAILED);
2603 }
2604 
2605 /*
2606  * Handle outbound IPsec processing for IPv4 and IPv6
2607  * On success returns B_TRUE, on failure returns B_FALSE and frees the
2608  * mblk chain ipsec_in_mp.
2609  */
2610 static ipsec_status_t
2611 esp_outbound(mblk_t *mp)
2612 {
2613 	mblk_t *ipsec_out_mp, *data_mp, *espmp, *tailmp;
2614 	ipsec_out_t *io;
2615 	ipha_t *ipha;
2616 	ip6_t *ip6h;
2617 	esph_t *esph_ptr, *iv_ptr;
2618 	uint_t af;
2619 	uint8_t *nhp;
2620 	uintptr_t divpoint, datalen, adj, padlen, i, alloclen;
2621 	uintptr_t esplen = sizeof (esph_t);
2622 	uint8_t protocol;
2623 	ipsa_t *assoc;
2624 	uint_t iv_len, block_size, mac_len = 0;
2625 	uchar_t *icv_buf;
2626 	udpha_t *udpha;
2627 	boolean_t is_natt = B_FALSE;
2628 	netstack_t	*ns;
2629 	ipsecesp_stack_t *espstack;
2630 	ipsec_stack_t	*ipss;
2631 
2632 	ipsec_out_mp = mp;
2633 	data_mp = ipsec_out_mp->b_cont;
2634 
2635 	io = (ipsec_out_t *)ipsec_out_mp->b_rptr;
2636 	ns = io->ipsec_out_ns;
2637 	espstack = ns->netstack_ipsecesp;
2638 	ipss = ns->netstack_ipsec;
2639 
2640 	ESP_BUMP_STAT(espstack, out_requests);
2641 
2642 	/*
2643 	 * <sigh> We have to copy the message here, because TCP (for example)
2644 	 * keeps a dupb() of the message lying around for retransmission.
2645 	 * Since ESP changes the whole of the datagram, we have to create our
2646 	 * own copy lest we clobber TCP's data.  Since we have to copy anyway,
2647 	 * we might as well make use of msgpullup() and get the mblk into one
2648 	 * contiguous piece!
2649 	 */
2650 	ipsec_out_mp->b_cont = msgpullup(data_mp, -1);
2651 	if (ipsec_out_mp->b_cont == NULL) {
2652 		esp0dbg(("esp_outbound: msgpullup() failed, "
2653 		    "dropping packet.\n"));
2654 		ipsec_out_mp->b_cont = data_mp;
2655 		/*
2656 		 * TODO:  Find the outbound IRE for this packet and
2657 		 * pass it to ip_drop_packet().
2658 		 */
2659 		ip_drop_packet(ipsec_out_mp, B_FALSE, NULL, NULL,
2660 		    DROPPER(ipss, ipds_esp_nomem),
2661 		    &espstack->esp_dropper);
2662 		return (IPSEC_STATUS_FAILED);
2663 	} else {
2664 		freemsg(data_mp);
2665 		data_mp = ipsec_out_mp->b_cont;
2666 	}
2667 
2668 	/*
2669 	 * Reality check....
2670 	 */
2671 
2672 	ipha = (ipha_t *)data_mp->b_rptr;  /* So we can call esp_acquire(). */
2673 
2674 	if (io->ipsec_out_v4) {
2675 		af = AF_INET;
2676 		divpoint = IPH_HDR_LENGTH(ipha);
2677 		datalen = ntohs(ipha->ipha_length) - divpoint;
2678 		nhp = (uint8_t *)&ipha->ipha_protocol;
2679 	} else {
2680 		ip6_pkt_t ipp;
2681 
2682 		af = AF_INET6;
2683 		ip6h = (ip6_t *)ipha;
2684 		bzero(&ipp, sizeof (ipp));
2685 		divpoint = ip_find_hdr_v6(data_mp, ip6h, &ipp, NULL);
2686 		if (ipp.ipp_dstopts != NULL &&
2687 		    ipp.ipp_dstopts->ip6d_nxt != IPPROTO_ROUTING) {
2688 			/*
2689 			 * Destination options are tricky.  If we get in here,
2690 			 * then we have a terminal header following the
2691 			 * destination options.  We need to adjust backwards
2692 			 * so we insert ESP BEFORE the destination options
2693 			 * bag.  (So that the dstopts get encrypted!)
2694 			 *
2695 			 * Since this is for outbound packets only, we know
2696 			 * that non-terminal destination options only precede
2697 			 * routing headers.
2698 			 */
2699 			divpoint -= ipp.ipp_dstoptslen;
2700 		}
2701 		datalen = ntohs(ip6h->ip6_plen) + sizeof (ip6_t) - divpoint;
2702 
2703 		if (ipp.ipp_rthdr != NULL) {
2704 			nhp = &ipp.ipp_rthdr->ip6r_nxt;
2705 		} else if (ipp.ipp_hopopts != NULL) {
2706 			nhp = &ipp.ipp_hopopts->ip6h_nxt;
2707 		} else {
2708 			ASSERT(divpoint == sizeof (ip6_t));
2709 			/* It's probably IP + ESP. */
2710 			nhp = &ip6h->ip6_nxt;
2711 		}
2712 	}
2713 	assoc = io->ipsec_out_esp_sa;
2714 	ASSERT(assoc != NULL);
2715 
2716 	mac_len = assoc->ipsa_mac_len;
2717 
2718 	if (assoc->ipsa_flags & IPSA_F_NATT) {
2719 		/* wedge in fake UDP */
2720 		is_natt = B_TRUE;
2721 		esplen += UDPH_SIZE;
2722 	}
2723 
2724 	/*
2725 	 * Set up ESP header and encryption padding for ENCR PI request.
2726 	 */
2727 
2728 	/* Determine the padding length.  Pad to 4-bytes for no-encryption. */
2729 	if (assoc->ipsa_encr_alg != SADB_EALG_NULL) {
2730 		iv_len = assoc->ipsa_iv_len;
2731 		block_size = assoc->ipsa_datalen;
2732 
2733 		/*
2734 		 * Pad the data to the length of the cipher block size.
2735 		 * Include the two additional bytes (hence the - 2) for the
2736 		 * padding length and the next header.  Take this into account
2737 		 * when calculating the actual length of the padding.
2738 		 */
2739 		ASSERT(ISP2(iv_len));
2740 		padlen = ((unsigned)(block_size - datalen - 2)) &
2741 		    (block_size - 1);
2742 	} else {
2743 		iv_len = 0;
2744 		padlen = ((unsigned)(sizeof (uint32_t) - datalen - 2)) &
2745 		    (sizeof (uint32_t) - 1);
2746 	}
2747 
2748 	/* Allocate ESP header and IV. */
2749 	esplen += iv_len;
2750 
2751 	/*
2752 	 * Update association byte-count lifetimes.  Don't forget to take
2753 	 * into account the padding length and next-header (hence the + 2).
2754 	 *
2755 	 * Use the amount of data fed into the "encryption algorithm".  This
2756 	 * is the IV, the data length, the padding length, and the final two
2757 	 * bytes (padlen, and next-header).
2758 	 *
2759 	 */
2760 
2761 	if (!esp_age_bytes(assoc, datalen + padlen + iv_len + 2, B_FALSE)) {
2762 		/*
2763 		 * TODO:  Find the outbound IRE for this packet and
2764 		 * pass it to ip_drop_packet().
2765 		 */
2766 		ip_drop_packet(mp, B_FALSE, NULL, NULL,
2767 		    DROPPER(ipss, ipds_esp_bytes_expire),
2768 		    &espstack->esp_dropper);
2769 		return (IPSEC_STATUS_FAILED);
2770 	}
2771 
2772 	espmp = allocb(esplen, BPRI_HI);
2773 	if (espmp == NULL) {
2774 		ESP_BUMP_STAT(espstack, out_discards);
2775 		esp1dbg(espstack, ("esp_outbound: can't allocate espmp.\n"));
2776 		/*
2777 		 * TODO:  Find the outbound IRE for this packet and
2778 		 * pass it to ip_drop_packet().
2779 		 */
2780 		ip_drop_packet(mp, B_FALSE, NULL, NULL,
2781 		    DROPPER(ipss, ipds_esp_nomem),
2782 		    &espstack->esp_dropper);
2783 		return (IPSEC_STATUS_FAILED);
2784 	}
2785 	espmp->b_wptr += esplen;
2786 	esph_ptr = (esph_t *)espmp->b_rptr;
2787 
2788 	if (is_natt) {
2789 		esp3dbg(espstack, ("esp_outbound: NATT"));
2790 
2791 		udpha = (udpha_t *)espmp->b_rptr;
2792 		udpha->uha_src_port = (assoc->ipsa_local_nat_port != 0) ?
2793 		    assoc->ipsa_local_nat_port : htons(IPPORT_IKE_NATT);
2794 		udpha->uha_dst_port = (assoc->ipsa_remote_nat_port != 0) ?
2795 		    assoc->ipsa_remote_nat_port : htons(IPPORT_IKE_NATT);
2796 		/*
2797 		 * Set the checksum to 0, so that the esp_prepare_udp() call
2798 		 * can do the right thing.
2799 		 */
2800 		udpha->uha_checksum = 0;
2801 		esph_ptr = (esph_t *)(udpha + 1);
2802 	}
2803 
2804 	esph_ptr->esph_spi = assoc->ipsa_spi;
2805 
2806 	esph_ptr->esph_replay = htonl(atomic_add_32_nv(&assoc->ipsa_replay, 1));
2807 	if (esph_ptr->esph_replay == 0 && assoc->ipsa_replay_wsize != 0) {
2808 		/*
2809 		 * XXX We have replay counter wrapping.
2810 		 * We probably want to nuke this SA (and its peer).
2811 		 */
2812 		ipsec_assocfailure(info.mi_idnum, 0, 0,
2813 		    SL_ERROR | SL_CONSOLE | SL_WARN,
2814 		    "Outbound ESP SA (0x%x, %s) has wrapped sequence.\n",
2815 		    esph_ptr->esph_spi, assoc->ipsa_dstaddr, af,
2816 		    espstack->ipsecesp_netstack);
2817 
2818 		ESP_BUMP_STAT(espstack, out_discards);
2819 		sadb_replay_delete(assoc);
2820 		/*
2821 		 * TODO:  Find the outbound IRE for this packet and
2822 		 * pass it to ip_drop_packet().
2823 		 */
2824 		ip_drop_packet(mp, B_FALSE, NULL, NULL,
2825 		    DROPPER(ipss, ipds_esp_replay),
2826 		    &espstack->esp_dropper);
2827 		return (IPSEC_STATUS_FAILED);
2828 	}
2829 
2830 	iv_ptr = (esph_ptr + 1);
2831 	/*
2832 	 * iv_ptr points to the mblk which will contain the IV once we have
2833 	 * written it there. This mblk will be part of a mblk chain that
2834 	 * will make up the packet.
2835 	 *
2836 	 * For counter mode algorithms, the IV is a 64 bit quantity, it
2837 	 * must NEVER repeat in the lifetime of the SA, otherwise an
2838 	 * attacker who had recorded enough packets might be able to
2839 	 * determine some clear text.
2840 	 *
2841 	 * To ensure this does not happen, the IV is stored in the SA and
2842 	 * incremented for each packet, the IV is then copied into the
2843 	 * "packet" for transmission to the receiving system. The IV will
2844 	 * also be copied into the nonce, when the packet is encrypted.
2845 	 *
2846 	 * CBC mode algorithms use a random IV for each packet. We do not
2847 	 * require the highest quality random bits, but for best security
2848 	 * with CBC mode ciphers, the value must be unlikely to repeat and
2849 	 * must not be known in advance to an adversary capable of influencing
2850 	 * the clear text.
2851 	 */
2852 	if (!update_iv((uint8_t *)iv_ptr, espstack->esp_pfkey_q, assoc,
2853 	    espstack)) {
2854 		ip_drop_packet(mp, B_FALSE, NULL, NULL,
2855 		    DROPPER(ipss, ipds_esp_iv_wrap), &espstack->esp_dropper);
2856 		return (IPSEC_STATUS_FAILED);
2857 	}
2858 
2859 	/* Fix the IP header. */
2860 	alloclen = padlen + 2 + mac_len;
2861 	adj = alloclen + (espmp->b_wptr - espmp->b_rptr);
2862 
2863 	protocol = *nhp;
2864 
2865 	if (io->ipsec_out_v4) {
2866 		ipha->ipha_length = htons(ntohs(ipha->ipha_length) + adj);
2867 		if (is_natt) {
2868 			*nhp = IPPROTO_UDP;
2869 			udpha->uha_length = htons(ntohs(ipha->ipha_length) -
2870 			    IPH_HDR_LENGTH(ipha));
2871 		} else {
2872 			*nhp = IPPROTO_ESP;
2873 		}
2874 		ipha->ipha_hdr_checksum = 0;
2875 		ipha->ipha_hdr_checksum = (uint16_t)ip_csum_hdr(ipha);
2876 	} else {
2877 		ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) + adj);
2878 		*nhp = IPPROTO_ESP;
2879 	}
2880 
2881 	/* I've got the two ESP mblks, now insert them. */
2882 
2883 	esp2dbg(espstack, ("data_mp before outbound ESP adjustment:\n"));
2884 	esp2dbg(espstack, (dump_msg(data_mp)));
2885 
2886 	if (!esp_insert_esp(data_mp, espmp, divpoint, espstack)) {
2887 		ESP_BUMP_STAT(espstack, out_discards);
2888 		/* NOTE:  esp_insert_esp() only fails if there's no memory. */
2889 		/*
2890 		 * TODO:  Find the outbound IRE for this packet and
2891 		 * pass it to ip_drop_packet().
2892 		 */
2893 		ip_drop_packet(mp, B_FALSE, NULL, NULL,
2894 		    DROPPER(ipss, ipds_esp_nomem),
2895 		    &espstack->esp_dropper);
2896 		freeb(espmp);
2897 		return (IPSEC_STATUS_FAILED);
2898 	}
2899 
2900 	/* Append padding (and leave room for ICV). */
2901 	for (tailmp = data_mp; tailmp->b_cont != NULL; tailmp = tailmp->b_cont)
2902 		;
2903 	if (tailmp->b_wptr + alloclen > tailmp->b_datap->db_lim) {
2904 		tailmp->b_cont = allocb(alloclen, BPRI_HI);
2905 		if (tailmp->b_cont == NULL) {
2906 			ESP_BUMP_STAT(espstack, out_discards);
2907 			esp0dbg(("esp_outbound:  Can't allocate tailmp.\n"));
2908 			/*
2909 			 * TODO:  Find the outbound IRE for this packet and
2910 			 * pass it to ip_drop_packet().
2911 			 */
2912 			ip_drop_packet(mp, B_FALSE, NULL, NULL,
2913 			    DROPPER(ipss, ipds_esp_nomem),
2914 			    &espstack->esp_dropper);
2915 			return (IPSEC_STATUS_FAILED);
2916 		}
2917 		tailmp = tailmp->b_cont;
2918 	}
2919 
2920 	/*
2921 	 * If there's padding, N bytes of padding must be of the form 0x1,
2922 	 * 0x2, 0x3... 0xN.
2923 	 */
2924 	for (i = 0; i < padlen; ) {
2925 		i++;
2926 		*tailmp->b_wptr++ = i;
2927 	}
2928 	*tailmp->b_wptr++ = i;
2929 	*tailmp->b_wptr++ = protocol;
2930 
2931 	esp2dbg(espstack, ("data_Mp before encryption:\n"));
2932 	esp2dbg(espstack, (dump_msg(data_mp)));
2933 
2934 	/*
2935 	 * The packet is eligible for hardware acceleration if the
2936 	 * following conditions are satisfied:
2937 	 *
2938 	 * 1. the packet will not be fragmented
2939 	 * 2. the provider supports the algorithms specified by SA
2940 	 * 3. there is no pending control message being exchanged
2941 	 * 4. snoop is not attached
2942 	 * 5. the destination address is not a multicast address
2943 	 *
2944 	 * All five of these conditions are checked by IP prior to
2945 	 * sending the packet to ESP.
2946 	 *
2947 	 * But We, and We Alone, can, nay MUST check if the packet
2948 	 * is over NATT, and then disqualify it from hardware
2949 	 * acceleration.
2950 	 */
2951 
2952 	if (io->ipsec_out_is_capab_ill && !(assoc->ipsa_flags & IPSA_F_NATT)) {
2953 		return (esp_outbound_accelerated(ipsec_out_mp, mac_len));
2954 	}
2955 	ESP_BUMP_STAT(espstack, noaccel);
2956 
2957 	/*
2958 	 * Okay.  I've set up the pre-encryption ESP.  Let's do it!
2959 	 */
2960 
2961 	if (mac_len > 0) {
2962 		ASSERT(tailmp->b_wptr + mac_len <= tailmp->b_datap->db_lim);
2963 		icv_buf = tailmp->b_wptr;
2964 		tailmp->b_wptr += mac_len;
2965 	} else {
2966 		icv_buf = NULL;
2967 	}
2968 
2969 	return (esp_submit_req_outbound(ipsec_out_mp, assoc, icv_buf,
2970 	    datalen + padlen + 2));
2971 }
2972 
2973 /*
2974  * IP calls this to validate the ICMP errors that
2975  * we got from the network.
2976  */
2977 ipsec_status_t
2978 ipsecesp_icmp_error(mblk_t *ipsec_mp)
2979 {
2980 	ipsec_in_t *ii = (ipsec_in_t *)ipsec_mp->b_rptr;
2981 	boolean_t is_inbound = (ii->ipsec_in_type == IPSEC_IN);
2982 	netstack_t	*ns;
2983 	ipsecesp_stack_t *espstack;
2984 	ipsec_stack_t	*ipss;
2985 
2986 	if (is_inbound) {
2987 		ns = ii->ipsec_in_ns;
2988 	} else {
2989 		ipsec_out_t *io = (ipsec_out_t *)ipsec_mp->b_rptr;
2990 
2991 		ns = io->ipsec_out_ns;
2992 	}
2993 	espstack = ns->netstack_ipsecesp;
2994 	ipss = ns->netstack_ipsec;
2995 
2996 	/*
2997 	 * Unless we get an entire packet back, this function is useless.
2998 	 * Why?
2999 	 *
3000 	 * 1.)	Partial packets are useless, because the "next header"
3001 	 *	is at the end of the decrypted ESP packet.  Without the
3002 	 *	whole packet, this is useless.
3003 	 *
3004 	 * 2.)	If we every use a stateful cipher, such as a stream or a
3005 	 *	one-time pad, we can't do anything.
3006 	 *
3007 	 * Since the chances of us getting an entire packet back are very
3008 	 * very small, we discard here.
3009 	 */
3010 	IP_ESP_BUMP_STAT(ipss, in_discards);
3011 	ip_drop_packet(ipsec_mp, B_TRUE, NULL, NULL,
3012 	    DROPPER(ipss, ipds_esp_icmp),
3013 	    &espstack->esp_dropper);
3014 	return (IPSEC_STATUS_FAILED);
3015 }
3016 
3017 /*
3018  * ESP module read put routine.
3019  */
3020 /* ARGSUSED */
3021 static void
3022 ipsecesp_rput(queue_t *q, mblk_t *mp)
3023 {
3024 	ipsecesp_stack_t	*espstack = (ipsecesp_stack_t *)q->q_ptr;
3025 
3026 	ASSERT(mp->b_datap->db_type != M_CTL);	/* No more IRE_DB_REQ. */
3027 
3028 	switch (mp->b_datap->db_type) {
3029 	case M_PROTO:
3030 	case M_PCPROTO:
3031 		/* TPI message of some sort. */
3032 		switch (*((t_scalar_t *)mp->b_rptr)) {
3033 		case T_BIND_ACK:
3034 			esp3dbg(espstack,
3035 			    ("Thank you IP from ESP for T_BIND_ACK\n"));
3036 			break;
3037 		case T_ERROR_ACK:
3038 			cmn_err(CE_WARN,
3039 			    "ipsecesp:  ESP received T_ERROR_ACK from IP.");
3040 			/*
3041 			 * Make esp_sadb.s_ip_q NULL, and in the
3042 			 * future, perhaps try again.
3043 			 */
3044 			espstack->esp_sadb.s_ip_q = NULL;
3045 			break;
3046 		case T_OK_ACK:
3047 			/* Probably from a (rarely sent) T_UNBIND_REQ. */
3048 			break;
3049 		default:
3050 			esp0dbg(("Unknown M_{,PC}PROTO message.\n"));
3051 		}
3052 		freemsg(mp);
3053 		break;
3054 	default:
3055 		/* For now, passthru message. */
3056 		esp2dbg(espstack, ("ESP got unknown mblk type %d.\n",
3057 		    mp->b_datap->db_type));
3058 		putnext(q, mp);
3059 	}
3060 }
3061 
3062 /*
3063  * Construct an SADB_REGISTER message with the current algorithms.
3064  * This function gets called when 'ipsecalgs -s' is run or when
3065  * in.iked (or other KMD) starts.
3066  */
3067 static boolean_t
3068 esp_register_out(uint32_t sequence, uint32_t pid, uint_t serial,
3069     ipsecesp_stack_t *espstack)
3070 {
3071 	mblk_t *pfkey_msg_mp, *keysock_out_mp;
3072 	sadb_msg_t *samsg;
3073 	sadb_supported_t *sasupp_auth = NULL;
3074 	sadb_supported_t *sasupp_encr = NULL;
3075 	sadb_alg_t *saalg;
3076 	uint_t allocsize = sizeof (*samsg);
3077 	uint_t i, numalgs_snap;
3078 	int current_aalgs;
3079 	ipsec_alginfo_t **authalgs;
3080 	uint_t num_aalgs;
3081 	int current_ealgs;
3082 	ipsec_alginfo_t **encralgs;
3083 	uint_t num_ealgs;
3084 	ipsec_stack_t	*ipss = espstack->ipsecesp_netstack->netstack_ipsec;
3085 
3086 	/* Allocate the KEYSOCK_OUT. */
3087 	keysock_out_mp = sadb_keysock_out(serial);
3088 	if (keysock_out_mp == NULL) {
3089 		esp0dbg(("esp_register_out: couldn't allocate mblk.\n"));
3090 		return (B_FALSE);
3091 	}
3092 
3093 	/*
3094 	 * Allocate the PF_KEY message that follows KEYSOCK_OUT.
3095 	 */
3096 
3097 	mutex_enter(&ipss->ipsec_alg_lock);
3098 
3099 	/*
3100 	 * Fill SADB_REGISTER message's algorithm descriptors.  Hold
3101 	 * down the lock while filling it.
3102 	 *
3103 	 * Return only valid algorithms, so the number of algorithms
3104 	 * to send up may be less than the number of algorithm entries
3105 	 * in the table.
3106 	 */
3107 	authalgs = ipss->ipsec_alglists[IPSEC_ALG_AUTH];
3108 	for (num_aalgs = 0, i = 0; i < IPSEC_MAX_ALGS; i++)
3109 		if (authalgs[i] != NULL && ALG_VALID(authalgs[i]))
3110 			num_aalgs++;
3111 
3112 	if (num_aalgs != 0) {
3113 		allocsize += (num_aalgs * sizeof (*saalg));
3114 		allocsize += sizeof (*sasupp_auth);
3115 	}
3116 	encralgs = ipss->ipsec_alglists[IPSEC_ALG_ENCR];
3117 	for (num_ealgs = 0, i = 0; i < IPSEC_MAX_ALGS; i++)
3118 		if (encralgs[i] != NULL && ALG_VALID(encralgs[i]))
3119 			num_ealgs++;
3120 
3121 	if (num_ealgs != 0) {
3122 		allocsize += (num_ealgs * sizeof (*saalg));
3123 		allocsize += sizeof (*sasupp_encr);
3124 	}
3125 	keysock_out_mp->b_cont = allocb(allocsize, BPRI_HI);
3126 	if (keysock_out_mp->b_cont == NULL) {
3127 		mutex_exit(&ipss->ipsec_alg_lock);
3128 		freemsg(keysock_out_mp);
3129 		return (B_FALSE);
3130 	}
3131 
3132 	pfkey_msg_mp = keysock_out_mp->b_cont;
3133 	pfkey_msg_mp->b_wptr += allocsize;
3134 	if (num_aalgs != 0) {
3135 		sasupp_auth = (sadb_supported_t *)
3136 		    (pfkey_msg_mp->b_rptr + sizeof (*samsg));
3137 		saalg = (sadb_alg_t *)(sasupp_auth + 1);
3138 
3139 		ASSERT(((ulong_t)saalg & 0x7) == 0);
3140 
3141 		numalgs_snap = 0;
3142 		for (i = 0;
3143 		    ((i < IPSEC_MAX_ALGS) && (numalgs_snap < num_aalgs));
3144 		    i++) {
3145 			if (authalgs[i] == NULL || !ALG_VALID(authalgs[i]))
3146 				continue;
3147 
3148 			saalg->sadb_alg_id = authalgs[i]->alg_id;
3149 			saalg->sadb_alg_ivlen = 0;
3150 			saalg->sadb_alg_minbits	= authalgs[i]->alg_ef_minbits;
3151 			saalg->sadb_alg_maxbits	= authalgs[i]->alg_ef_maxbits;
3152 			saalg->sadb_x_alg_increment =
3153 			    authalgs[i]->alg_increment;
3154 			saalg->sadb_x_alg_saltbits = SADB_8TO1(
3155 			    authalgs[i]->alg_saltlen);
3156 			numalgs_snap++;
3157 			saalg++;
3158 		}
3159 		ASSERT(numalgs_snap == num_aalgs);
3160 #ifdef DEBUG
3161 		/*
3162 		 * Reality check to make sure I snagged all of the
3163 		 * algorithms.
3164 		 */
3165 		for (; i < IPSEC_MAX_ALGS; i++) {
3166 			if (authalgs[i] != NULL && ALG_VALID(authalgs[i])) {
3167 				cmn_err(CE_PANIC, "esp_register_out()! "
3168 				    "Missed aalg #%d.\n", i);
3169 			}
3170 		}
3171 #endif /* DEBUG */
3172 	} else {
3173 		saalg = (sadb_alg_t *)(pfkey_msg_mp->b_rptr + sizeof (*samsg));
3174 	}
3175 
3176 	if (num_ealgs != 0) {
3177 		sasupp_encr = (sadb_supported_t *)saalg;
3178 		saalg = (sadb_alg_t *)(sasupp_encr + 1);
3179 
3180 		numalgs_snap = 0;
3181 		for (i = 0;
3182 		    ((i < IPSEC_MAX_ALGS) && (numalgs_snap < num_ealgs)); i++) {
3183 			if (encralgs[i] == NULL || !ALG_VALID(encralgs[i]))
3184 				continue;
3185 			saalg->sadb_alg_id = encralgs[i]->alg_id;
3186 			saalg->sadb_alg_ivlen = encralgs[i]->alg_ivlen;
3187 			saalg->sadb_alg_minbits	= encralgs[i]->alg_ef_minbits;
3188 			saalg->sadb_alg_maxbits	= encralgs[i]->alg_ef_maxbits;
3189 			/*
3190 			 * We could advertise the ICV length, except there
3191 			 * is not a value in sadb_x_algb to do this.
3192 			 * saalg->sadb_alg_maclen = encralgs[i]->alg_maclen;
3193 			 */
3194 			saalg->sadb_x_alg_increment =
3195 			    encralgs[i]->alg_increment;
3196 			saalg->sadb_x_alg_saltbits =
3197 			    SADB_8TO1(encralgs[i]->alg_saltlen);
3198 
3199 			numalgs_snap++;
3200 			saalg++;
3201 		}
3202 		ASSERT(numalgs_snap == num_ealgs);
3203 #ifdef DEBUG
3204 		/*
3205 		 * Reality check to make sure I snagged all of the
3206 		 * algorithms.
3207 		 */
3208 		for (; i < IPSEC_MAX_ALGS; i++) {
3209 			if (encralgs[i] != NULL && ALG_VALID(encralgs[i])) {
3210 				cmn_err(CE_PANIC, "esp_register_out()! "
3211 				    "Missed ealg #%d.\n", i);
3212 			}
3213 		}
3214 #endif /* DEBUG */
3215 	}
3216 
3217 	current_aalgs = num_aalgs;
3218 	current_ealgs = num_ealgs;
3219 
3220 	mutex_exit(&ipss->ipsec_alg_lock);
3221 
3222 	/* Now fill the rest of the SADB_REGISTER message. */
3223 
3224 	samsg = (sadb_msg_t *)pfkey_msg_mp->b_rptr;
3225 	samsg->sadb_msg_version = PF_KEY_V2;
3226 	samsg->sadb_msg_type = SADB_REGISTER;
3227 	samsg->sadb_msg_errno = 0;
3228 	samsg->sadb_msg_satype = SADB_SATYPE_ESP;
3229 	samsg->sadb_msg_len = SADB_8TO64(allocsize);
3230 	samsg->sadb_msg_reserved = 0;
3231 	/*
3232 	 * Assume caller has sufficient sequence/pid number info.  If it's one
3233 	 * from me over a new alg., I could give two hoots about sequence.
3234 	 */
3235 	samsg->sadb_msg_seq = sequence;
3236 	samsg->sadb_msg_pid = pid;
3237 
3238 	if (sasupp_auth != NULL) {
3239 		sasupp_auth->sadb_supported_len = SADB_8TO64(
3240 		    sizeof (*sasupp_auth) + sizeof (*saalg) * current_aalgs);
3241 		sasupp_auth->sadb_supported_exttype = SADB_EXT_SUPPORTED_AUTH;
3242 		sasupp_auth->sadb_supported_reserved = 0;
3243 	}
3244 
3245 	if (sasupp_encr != NULL) {
3246 		sasupp_encr->sadb_supported_len = SADB_8TO64(
3247 		    sizeof (*sasupp_encr) + sizeof (*saalg) * current_ealgs);
3248 		sasupp_encr->sadb_supported_exttype =
3249 		    SADB_EXT_SUPPORTED_ENCRYPT;
3250 		sasupp_encr->sadb_supported_reserved = 0;
3251 	}
3252 
3253 	if (espstack->esp_pfkey_q != NULL)
3254 		putnext(espstack->esp_pfkey_q, keysock_out_mp);
3255 	else {
3256 		freemsg(keysock_out_mp);
3257 		return (B_FALSE);
3258 	}
3259 
3260 	return (B_TRUE);
3261 }
3262 
3263 /*
3264  * Invoked when the algorithm table changes. Causes SADB_REGISTER
3265  * messages continaining the current list of algorithms to be
3266  * sent up to the ESP listeners.
3267  */
3268 void
3269 ipsecesp_algs_changed(netstack_t *ns)
3270 {
3271 	ipsecesp_stack_t	*espstack = ns->netstack_ipsecesp;
3272 
3273 	/*
3274 	 * Time to send a PF_KEY SADB_REGISTER message to ESP listeners
3275 	 * everywhere.  (The function itself checks for NULL esp_pfkey_q.)
3276 	 */
3277 	(void) esp_register_out(0, 0, 0, espstack);
3278 }
3279 
3280 /*
3281  * Stub function that taskq_dispatch() invokes to take the mblk (in arg)
3282  * and put() it into AH and STREAMS again.
3283  */
3284 static void
3285 inbound_task(void *arg)
3286 {
3287 	esph_t *esph;
3288 	mblk_t *mp = (mblk_t *)arg;
3289 	ipsec_in_t *ii = (ipsec_in_t *)mp->b_rptr;
3290 	netstack_t *ns;
3291 	ipsecesp_stack_t *espstack;
3292 	int ipsec_rc;
3293 
3294 	ns = netstack_find_by_stackid(ii->ipsec_in_stackid);
3295 	if (ns == NULL || ns != ii->ipsec_in_ns) {
3296 		/* Just freemsg(). */
3297 		if (ns != NULL)
3298 			netstack_rele(ns);
3299 		freemsg(mp);
3300 		return;
3301 	}
3302 
3303 	espstack = ns->netstack_ipsecesp;
3304 
3305 	esp2dbg(espstack, ("in ESP inbound_task"));
3306 	ASSERT(espstack != NULL);
3307 
3308 	esph = ipsec_inbound_esp_sa(mp, ns);
3309 	if (esph != NULL) {
3310 		ASSERT(ii->ipsec_in_esp_sa != NULL);
3311 		ipsec_rc = ii->ipsec_in_esp_sa->ipsa_input_func(mp, esph);
3312 		if (ipsec_rc == IPSEC_STATUS_SUCCESS)
3313 			ip_fanout_proto_again(mp, NULL, NULL, NULL);
3314 	}
3315 	netstack_rele(ns);
3316 }
3317 
3318 /*
3319  * Now that weak-key passed, actually ADD the security association, and
3320  * send back a reply ADD message.
3321  */
3322 static int
3323 esp_add_sa_finish(mblk_t *mp, sadb_msg_t *samsg, keysock_in_t *ksi,
3324     int *diagnostic, ipsecesp_stack_t *espstack)
3325 {
3326 	isaf_t *primary = NULL, *secondary, *inbound, *outbound;
3327 	sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
3328 	sadb_address_t *dstext =
3329 	    (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
3330 	struct sockaddr_in *dst;
3331 	struct sockaddr_in6 *dst6;
3332 	boolean_t is_ipv4, clone = B_FALSE, is_inbound = B_FALSE;
3333 	uint32_t *dstaddr;
3334 	ipsa_t *larval = NULL;
3335 	ipsacq_t *acqrec;
3336 	iacqf_t *acq_bucket;
3337 	mblk_t *acq_msgs = NULL;
3338 	int rc;
3339 	sadb_t *sp;
3340 	int outhash;
3341 	mblk_t *lpkt;
3342 	ipsec_stack_t	*ipss = espstack->ipsecesp_netstack->netstack_ipsec;
3343 
3344 	/*
3345 	 * Locate the appropriate table(s).
3346 	 */
3347 
3348 	dst = (struct sockaddr_in *)(dstext + 1);
3349 	dst6 = (struct sockaddr_in6 *)dst;
3350 	is_ipv4 = (dst->sin_family == AF_INET);
3351 	if (is_ipv4) {
3352 		sp = &espstack->esp_sadb.s_v4;
3353 		dstaddr = (uint32_t *)(&dst->sin_addr);
3354 		outhash = OUTBOUND_HASH_V4(sp, *(ipaddr_t *)dstaddr);
3355 	} else {
3356 		sp = &espstack->esp_sadb.s_v6;
3357 		dstaddr = (uint32_t *)(&dst6->sin6_addr);
3358 		outhash = OUTBOUND_HASH_V6(sp, *(in6_addr_t *)dstaddr);
3359 	}
3360 
3361 	inbound = INBOUND_BUCKET(sp, assoc->sadb_sa_spi);
3362 	outbound = &sp->sdb_of[outhash];
3363 
3364 	/*
3365 	 * Use the direction flags provided by the KMD to determine
3366 	 * if the inbound or outbound table should be the primary
3367 	 * for this SA. If these flags were absent then make this
3368 	 * decision based on the addresses.
3369 	 */
3370 	if (assoc->sadb_sa_flags & IPSA_F_INBOUND) {
3371 		primary = inbound;
3372 		secondary = outbound;
3373 		is_inbound = B_TRUE;
3374 		if (assoc->sadb_sa_flags & IPSA_F_OUTBOUND)
3375 			clone = B_TRUE;
3376 	} else {
3377 		if (assoc->sadb_sa_flags & IPSA_F_OUTBOUND) {
3378 			primary = outbound;
3379 			secondary = inbound;
3380 		}
3381 	}
3382 
3383 	if (primary == NULL) {
3384 		/*
3385 		 * The KMD did not set a direction flag, determine which
3386 		 * table to insert the SA into based on addresses.
3387 		 */
3388 		switch (ksi->ks_in_dsttype) {
3389 		case KS_IN_ADDR_MBCAST:
3390 			clone = B_TRUE;	/* All mcast SAs can be bidirectional */
3391 			assoc->sadb_sa_flags |= IPSA_F_OUTBOUND;
3392 			/* FALLTHRU */
3393 		/*
3394 		 * If the source address is either one of mine, or unspecified
3395 		 * (which is best summed up by saying "not 'not mine'"),
3396 		 * then the association is potentially bi-directional,
3397 		 * in that it can be used for inbound traffic and outbound
3398 		 * traffic.  The best example of such an SA is a multicast
3399 		 * SA (which allows me to receive the outbound traffic).
3400 		 */
3401 		case KS_IN_ADDR_ME:
3402 			assoc->sadb_sa_flags |= IPSA_F_INBOUND;
3403 			primary = inbound;
3404 			secondary = outbound;
3405 			if (ksi->ks_in_srctype != KS_IN_ADDR_NOTME)
3406 				clone = B_TRUE;
3407 			is_inbound = B_TRUE;
3408 			break;
3409 		/*
3410 		 * If the source address literally not mine (either
3411 		 * unspecified or not mine), then this SA may have an
3412 		 * address that WILL be mine after some configuration.
3413 		 * We pay the price for this by making it a bi-directional
3414 		 * SA.
3415 		 */
3416 		case KS_IN_ADDR_NOTME:
3417 			assoc->sadb_sa_flags |= IPSA_F_OUTBOUND;
3418 			primary = outbound;
3419 			secondary = inbound;
3420 			if (ksi->ks_in_srctype != KS_IN_ADDR_ME) {
3421 				assoc->sadb_sa_flags |= IPSA_F_INBOUND;
3422 				clone = B_TRUE;
3423 			}
3424 			break;
3425 		default:
3426 			*diagnostic = SADB_X_DIAGNOSTIC_BAD_DST;
3427 			return (EINVAL);
3428 		}
3429 	}
3430 
3431 	/*
3432 	 * Find a ACQUIRE list entry if possible.  If we've added an SA that
3433 	 * suits the needs of an ACQUIRE list entry, we can eliminate the
3434 	 * ACQUIRE list entry and transmit the enqueued packets.  Use the
3435 	 * high-bit of the sequence number to queue it.  Key off destination
3436 	 * addr, and change acqrec's state.
3437 	 */
3438 
3439 	if (samsg->sadb_msg_seq & IACQF_LOWEST_SEQ) {
3440 		acq_bucket = &sp->sdb_acq[outhash];
3441 		mutex_enter(&acq_bucket->iacqf_lock);
3442 		for (acqrec = acq_bucket->iacqf_ipsacq; acqrec != NULL;
3443 		    acqrec = acqrec->ipsacq_next) {
3444 			mutex_enter(&acqrec->ipsacq_lock);
3445 			/*
3446 			 * Q:  I only check sequence.  Should I check dst?
3447 			 * A: Yes, check dest because those are the packets
3448 			 *    that are queued up.
3449 			 */
3450 			if (acqrec->ipsacq_seq == samsg->sadb_msg_seq &&
3451 			    IPSA_ARE_ADDR_EQUAL(dstaddr,
3452 			    acqrec->ipsacq_dstaddr, acqrec->ipsacq_addrfam))
3453 				break;
3454 			mutex_exit(&acqrec->ipsacq_lock);
3455 		}
3456 		if (acqrec != NULL) {
3457 			/*
3458 			 * AHA!  I found an ACQUIRE record for this SA.
3459 			 * Grab the msg list, and free the acquire record.
3460 			 * I already am holding the lock for this record,
3461 			 * so all I have to do is free it.
3462 			 */
3463 			acq_msgs = acqrec->ipsacq_mp;
3464 			acqrec->ipsacq_mp = NULL;
3465 			mutex_exit(&acqrec->ipsacq_lock);
3466 			sadb_destroy_acquire(acqrec,
3467 			    espstack->ipsecesp_netstack);
3468 		}
3469 		mutex_exit(&acq_bucket->iacqf_lock);
3470 	}
3471 
3472 	/*
3473 	 * Find PF_KEY message, and see if I'm an update.  If so, find entry
3474 	 * in larval list (if there).
3475 	 */
3476 
3477 	if (samsg->sadb_msg_type == SADB_UPDATE) {
3478 		mutex_enter(&inbound->isaf_lock);
3479 		larval = ipsec_getassocbyspi(inbound, assoc->sadb_sa_spi,
3480 		    ALL_ZEROES_PTR, dstaddr, dst->sin_family);
3481 		mutex_exit(&inbound->isaf_lock);
3482 
3483 		if ((larval == NULL) ||
3484 		    (larval->ipsa_state != IPSA_STATE_LARVAL)) {
3485 			*diagnostic = SADB_X_DIAGNOSTIC_SA_NOTFOUND;
3486 			if (larval != NULL) {
3487 				IPSA_REFRELE(larval);
3488 			}
3489 			esp0dbg(("Larval update, but larval disappeared.\n"));
3490 			return (ESRCH);
3491 		} /* Else sadb_common_add unlinks it for me! */
3492 	}
3493 
3494 	lpkt = NULL;
3495 	if (larval != NULL)
3496 		lpkt = sadb_clear_lpkt(larval);
3497 
3498 	rc = sadb_common_add(espstack->esp_sadb.s_ip_q, espstack->esp_pfkey_q,
3499 	    mp, samsg, ksi, primary, secondary, larval, clone, is_inbound,
3500 	    diagnostic, espstack->ipsecesp_netstack, &espstack->esp_sadb);
3501 
3502 	if (rc == 0 && lpkt != NULL)
3503 		rc = !taskq_dispatch(esp_taskq, inbound_task, lpkt, TQ_NOSLEEP);
3504 
3505 	if (rc != 0) {
3506 		ip_drop_packet(lpkt, B_TRUE, NULL, NULL,
3507 		    DROPPER(ipss, ipds_sadb_inlarval_timeout),
3508 		    &espstack->esp_dropper);
3509 	}
3510 
3511 	/*
3512 	 * How much more stack will I create with all of these
3513 	 * esp_outbound() calls?
3514 	 */
3515 
3516 	while (acq_msgs != NULL) {
3517 		mblk_t *mp = acq_msgs;
3518 
3519 		acq_msgs = acq_msgs->b_next;
3520 		mp->b_next = NULL;
3521 		if (rc == 0) {
3522 			if (ipsec_outbound_sa(mp, IPPROTO_ESP)) {
3523 				((ipsec_out_t *)(mp->b_rptr))->
3524 				    ipsec_out_esp_done = B_TRUE;
3525 				if (esp_outbound(mp) == IPSEC_STATUS_SUCCESS) {
3526 					ipha_t *ipha;
3527 
3528 					/* do AH processing if needed */
3529 					if (!esp_do_outbound_ah(mp))
3530 						continue;
3531 
3532 					ipha = (ipha_t *)mp->b_cont->b_rptr;
3533 
3534 					/* finish IPsec processing */
3535 					if (is_ipv4) {
3536 						ip_wput_ipsec_out(NULL, mp,
3537 						    ipha, NULL, NULL);
3538 					} else {
3539 						ip6_t *ip6h = (ip6_t *)ipha;
3540 						ip_wput_ipsec_out_v6(NULL,
3541 						    mp, ip6h, NULL, NULL);
3542 					}
3543 				}
3544 				continue;
3545 			}
3546 		}
3547 		ESP_BUMP_STAT(espstack, out_discards);
3548 		ip_drop_packet(mp, B_FALSE, NULL, NULL,
3549 		    DROPPER(ipss, ipds_sadb_acquire_timeout),
3550 		    &espstack->esp_dropper);
3551 	}
3552 
3553 	return (rc);
3554 }
3555 
3556 /*
3557  * Add new ESP security association.  This may become a generic AH/ESP
3558  * routine eventually.
3559  */
3560 static int
3561 esp_add_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic, netstack_t *ns)
3562 {
3563 	sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
3564 	sadb_address_t *srcext =
3565 	    (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC];
3566 	sadb_address_t *dstext =
3567 	    (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
3568 	sadb_address_t *isrcext =
3569 	    (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_SRC];
3570 	sadb_address_t *idstext =
3571 	    (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_INNER_DST];
3572 	sadb_address_t *nttext_loc =
3573 	    (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_LOC];
3574 	sadb_address_t *nttext_rem =
3575 	    (sadb_address_t *)ksi->ks_in_extv[SADB_X_EXT_ADDRESS_NATT_REM];
3576 	sadb_key_t *akey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_AUTH];
3577 	sadb_key_t *ekey = (sadb_key_t *)ksi->ks_in_extv[SADB_EXT_KEY_ENCRYPT];
3578 	struct sockaddr_in *src, *dst;
3579 	struct sockaddr_in *natt_loc, *natt_rem;
3580 	struct sockaddr_in6 *natt_loc6, *natt_rem6;
3581 	sadb_lifetime_t *soft =
3582 	    (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_SOFT];
3583 	sadb_lifetime_t *hard =
3584 	    (sadb_lifetime_t *)ksi->ks_in_extv[SADB_EXT_LIFETIME_HARD];
3585 	sadb_lifetime_t *idle =
3586 	    (sadb_lifetime_t *)ksi->ks_in_extv[SADB_X_EXT_LIFETIME_IDLE];
3587 	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
3588 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
3589 
3590 	/* I need certain extensions present for an ADD message. */
3591 	if (srcext == NULL) {
3592 		*diagnostic = SADB_X_DIAGNOSTIC_MISSING_SRC;
3593 		return (EINVAL);
3594 	}
3595 	if (dstext == NULL) {
3596 		*diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST;
3597 		return (EINVAL);
3598 	}
3599 	if (isrcext == NULL && idstext != NULL) {
3600 		*diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_SRC;
3601 		return (EINVAL);
3602 	}
3603 	if (isrcext != NULL && idstext == NULL) {
3604 		*diagnostic = SADB_X_DIAGNOSTIC_MISSING_INNER_DST;
3605 		return (EINVAL);
3606 	}
3607 	if (assoc == NULL) {
3608 		*diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA;
3609 		return (EINVAL);
3610 	}
3611 	if (ekey == NULL && assoc->sadb_sa_encrypt != SADB_EALG_NULL) {
3612 		*diagnostic = SADB_X_DIAGNOSTIC_MISSING_EKEY;
3613 		return (EINVAL);
3614 	}
3615 
3616 	src = (struct sockaddr_in *)(srcext + 1);
3617 	dst = (struct sockaddr_in *)(dstext + 1);
3618 	natt_loc = (struct sockaddr_in *)(nttext_loc + 1);
3619 	natt_loc6 = (struct sockaddr_in6 *)(nttext_loc + 1);
3620 	natt_rem = (struct sockaddr_in *)(nttext_rem + 1);
3621 	natt_rem6 = (struct sockaddr_in6 *)(nttext_rem + 1);
3622 
3623 	/* Sundry ADD-specific reality checks. */
3624 	/* XXX STATS :  Logging/stats here? */
3625 
3626 	if ((assoc->sadb_sa_state != SADB_SASTATE_MATURE) &&
3627 	    (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) {
3628 		*diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
3629 		return (EINVAL);
3630 	}
3631 	if (assoc->sadb_sa_encrypt == SADB_EALG_NONE) {
3632 		*diagnostic = SADB_X_DIAGNOSTIC_BAD_EALG;
3633 		return (EINVAL);
3634 	}
3635 
3636 	if (assoc->sadb_sa_encrypt == SADB_EALG_NULL &&
3637 	    assoc->sadb_sa_auth == SADB_AALG_NONE) {
3638 		*diagnostic = SADB_X_DIAGNOSTIC_BAD_AALG;
3639 		return (EINVAL);
3640 	}
3641 
3642 	if (assoc->sadb_sa_flags & ~espstack->esp_sadb.s_addflags) {
3643 		*diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS;
3644 		return (EINVAL);
3645 	}
3646 
3647 	if ((*diagnostic = sadb_hardsoftchk(hard, soft, idle)) != 0) {
3648 		return (EINVAL);
3649 	}
3650 	ASSERT(src->sin_family == dst->sin_family);
3651 
3652 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_LOC) {
3653 		if (nttext_loc == NULL) {
3654 			*diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_LOC;
3655 			return (EINVAL);
3656 		}
3657 
3658 		if (natt_loc->sin_family == AF_INET6 &&
3659 		    !IN6_IS_ADDR_V4MAPPED(&natt_loc6->sin6_addr)) {
3660 			*diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC;
3661 			return (EINVAL);
3662 		}
3663 	}
3664 
3665 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_REM) {
3666 		if (nttext_rem == NULL) {
3667 			*diagnostic = SADB_X_DIAGNOSTIC_MISSING_NATT_REM;
3668 			return (EINVAL);
3669 		}
3670 		if (natt_rem->sin_family == AF_INET6 &&
3671 		    !IN6_IS_ADDR_V4MAPPED(&natt_rem6->sin6_addr)) {
3672 			*diagnostic = SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM;
3673 			return (EINVAL);
3674 		}
3675 	}
3676 
3677 
3678 	/* Stuff I don't support, for now.  XXX Diagnostic? */
3679 	if (ksi->ks_in_extv[SADB_EXT_LIFETIME_CURRENT] != NULL ||
3680 	    ksi->ks_in_extv[SADB_EXT_SENSITIVITY] != NULL)
3681 		return (EOPNOTSUPP);
3682 
3683 	/*
3684 	 * XXX Policy :  I'm not checking identities or sensitivity
3685 	 * labels at this time, but if I did, I'd do them here, before I sent
3686 	 * the weak key check up to the algorithm.
3687 	 */
3688 
3689 	mutex_enter(&ipss->ipsec_alg_lock);
3690 
3691 	/*
3692 	 * First locate the authentication algorithm.
3693 	 */
3694 	if (akey != NULL) {
3695 		ipsec_alginfo_t *aalg;
3696 
3697 		aalg = ipss->ipsec_alglists[IPSEC_ALG_AUTH]
3698 		    [assoc->sadb_sa_auth];
3699 		if (aalg == NULL || !ALG_VALID(aalg)) {
3700 			mutex_exit(&ipss->ipsec_alg_lock);
3701 			esp1dbg(espstack, ("Couldn't find auth alg #%d.\n",
3702 			    assoc->sadb_sa_auth));
3703 			*diagnostic = SADB_X_DIAGNOSTIC_BAD_AALG;
3704 			return (EINVAL);
3705 		}
3706 
3707 		/*
3708 		 * Sanity check key sizes.
3709 		 * Note: It's not possible to use SADB_AALG_NONE because
3710 		 * this auth_alg is not defined with ALG_FLAG_VALID. If this
3711 		 * ever changes, the same check for SADB_AALG_NONE and
3712 		 * a auth_key != NULL should be made here ( see below).
3713 		 */
3714 		if (!ipsec_valid_key_size(akey->sadb_key_bits, aalg)) {
3715 			mutex_exit(&ipss->ipsec_alg_lock);
3716 			*diagnostic = SADB_X_DIAGNOSTIC_BAD_AKEYBITS;
3717 			return (EINVAL);
3718 		}
3719 		ASSERT(aalg->alg_mech_type != CRYPTO_MECHANISM_INVALID);
3720 
3721 		/* check key and fix parity if needed */
3722 		if (ipsec_check_key(aalg->alg_mech_type, akey, B_TRUE,
3723 		    diagnostic) != 0) {
3724 			mutex_exit(&ipss->ipsec_alg_lock);
3725 			return (EINVAL);
3726 		}
3727 	}
3728 
3729 	/*
3730 	 * Then locate the encryption algorithm.
3731 	 */
3732 	if (ekey != NULL) {
3733 		uint_t keybits;
3734 		ipsec_alginfo_t *ealg;
3735 
3736 		ealg = ipss->ipsec_alglists[IPSEC_ALG_ENCR]
3737 		    [assoc->sadb_sa_encrypt];
3738 		if (ealg == NULL || !ALG_VALID(ealg)) {
3739 			mutex_exit(&ipss->ipsec_alg_lock);
3740 			esp1dbg(espstack, ("Couldn't find encr alg #%d.\n",
3741 			    assoc->sadb_sa_encrypt));
3742 			*diagnostic = SADB_X_DIAGNOSTIC_BAD_EALG;
3743 			return (EINVAL);
3744 		}
3745 
3746 		/*
3747 		 * Sanity check key sizes. If the encryption algorithm is
3748 		 * SADB_EALG_NULL but the encryption key is NOT
3749 		 * NULL then complain.
3750 		 *
3751 		 * The keying material includes salt bits if required by
3752 		 * algorithm and optionally the Initial IV, check the
3753 		 * length of whats left.
3754 		 */
3755 		keybits = ekey->sadb_key_bits;
3756 		keybits -= ekey->sadb_key_reserved;
3757 		keybits -= SADB_8TO1(ealg->alg_saltlen);
3758 		if ((assoc->sadb_sa_encrypt == SADB_EALG_NULL) ||
3759 		    (!ipsec_valid_key_size(keybits, ealg))) {
3760 			mutex_exit(&ipss->ipsec_alg_lock);
3761 			*diagnostic = SADB_X_DIAGNOSTIC_BAD_EKEYBITS;
3762 			return (EINVAL);
3763 		}
3764 		ASSERT(ealg->alg_mech_type != CRYPTO_MECHANISM_INVALID);
3765 
3766 		/* check key */
3767 		if (ipsec_check_key(ealg->alg_mech_type, ekey, B_FALSE,
3768 		    diagnostic) != 0) {
3769 			mutex_exit(&ipss->ipsec_alg_lock);
3770 			return (EINVAL);
3771 		}
3772 	}
3773 	mutex_exit(&ipss->ipsec_alg_lock);
3774 
3775 	return (esp_add_sa_finish(mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi,
3776 	    diagnostic, espstack));
3777 }
3778 
3779 /*
3780  * Update a security association.  Updates come in two varieties.  The first
3781  * is an update of lifetimes on a non-larval SA.  The second is an update of
3782  * a larval SA, which ends up looking a lot more like an add.
3783  */
3784 static int
3785 esp_update_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic,
3786     ipsecesp_stack_t *espstack, uint8_t sadb_msg_type)
3787 {
3788 	sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
3789 	mblk_t    *buf_pkt;
3790 	int rcode;
3791 
3792 	sadb_address_t *dstext =
3793 	    (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
3794 
3795 	if (dstext == NULL) {
3796 		*diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST;
3797 		return (EINVAL);
3798 	}
3799 
3800 	rcode = sadb_update_sa(mp, ksi, &buf_pkt, &espstack->esp_sadb,
3801 	    diagnostic, espstack->esp_pfkey_q, esp_add_sa,
3802 	    espstack->ipsecesp_netstack, sadb_msg_type);
3803 
3804 	if ((assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE) ||
3805 	    (rcode != 0)) {
3806 		return (rcode);
3807 	}
3808 
3809 	HANDLE_BUF_PKT(esp_taskq, espstack->ipsecesp_netstack->netstack_ipsec,
3810 	    espstack->esp_dropper, buf_pkt);
3811 
3812 	return (rcode);
3813 }
3814 
3815 /*
3816  * Delete a security association.  This is REALLY likely to be code common to
3817  * both AH and ESP.  Find the association, then unlink it.
3818  */
3819 static int
3820 esp_del_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic,
3821     ipsecesp_stack_t *espstack, uint8_t sadb_msg_type)
3822 {
3823 	sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
3824 	sadb_address_t *dstext =
3825 	    (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
3826 	sadb_address_t *srcext =
3827 	    (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_SRC];
3828 	struct sockaddr_in *sin;
3829 
3830 	if (assoc == NULL) {
3831 		if (dstext != NULL) {
3832 			sin = (struct sockaddr_in *)(dstext + 1);
3833 		} else if (srcext != NULL) {
3834 			sin = (struct sockaddr_in *)(srcext + 1);
3835 		} else {
3836 			*diagnostic = SADB_X_DIAGNOSTIC_MISSING_SA;
3837 			return (EINVAL);
3838 		}
3839 		return (sadb_purge_sa(mp, ksi,
3840 		    (sin->sin_family == AF_INET6) ? &espstack->esp_sadb.s_v6 :
3841 		    &espstack->esp_sadb.s_v4, espstack->esp_pfkey_q,
3842 		    espstack->esp_sadb.s_ip_q));
3843 	}
3844 
3845 	return (sadb_delget_sa(mp, ksi, &espstack->esp_sadb, diagnostic,
3846 	    espstack->esp_pfkey_q, sadb_msg_type));
3847 }
3848 
3849 /*
3850  * Convert the entire contents of all of ESP's SA tables into PF_KEY SADB_DUMP
3851  * messages.
3852  */
3853 static void
3854 esp_dump(mblk_t *mp, keysock_in_t *ksi, ipsecesp_stack_t *espstack)
3855 {
3856 	int error;
3857 	sadb_msg_t *samsg;
3858 
3859 	/*
3860 	 * Dump each fanout, bailing if error is non-zero.
3861 	 */
3862 
3863 	error = sadb_dump(espstack->esp_pfkey_q, mp, ksi,
3864 	    &espstack->esp_sadb.s_v4);
3865 	if (error != 0)
3866 		goto bail;
3867 
3868 	error = sadb_dump(espstack->esp_pfkey_q, mp, ksi,
3869 	    &espstack->esp_sadb.s_v6);
3870 bail:
3871 	ASSERT(mp->b_cont != NULL);
3872 	samsg = (sadb_msg_t *)mp->b_cont->b_rptr;
3873 	samsg->sadb_msg_errno = (uint8_t)error;
3874 	sadb_pfkey_echo(espstack->esp_pfkey_q, mp,
3875 	    (sadb_msg_t *)mp->b_cont->b_rptr, ksi, NULL);
3876 }
3877 
3878 /*
3879  * First-cut reality check for an inbound PF_KEY message.
3880  */
3881 static boolean_t
3882 esp_pfkey_reality_failures(mblk_t *mp, keysock_in_t *ksi,
3883     ipsecesp_stack_t *espstack)
3884 {
3885 	int diagnostic;
3886 
3887 	if (ksi->ks_in_extv[SADB_EXT_PROPOSAL] != NULL) {
3888 		diagnostic = SADB_X_DIAGNOSTIC_PROP_PRESENT;
3889 		goto badmsg;
3890 	}
3891 	if (ksi->ks_in_extv[SADB_EXT_SUPPORTED_AUTH] != NULL ||
3892 	    ksi->ks_in_extv[SADB_EXT_SUPPORTED_ENCRYPT] != NULL) {
3893 		diagnostic = SADB_X_DIAGNOSTIC_SUPP_PRESENT;
3894 		goto badmsg;
3895 	}
3896 	return (B_FALSE);	/* False ==> no failures */
3897 
3898 badmsg:
3899 	sadb_pfkey_error(espstack->esp_pfkey_q, mp, EINVAL, diagnostic,
3900 	    ksi->ks_in_serial);
3901 	return (B_TRUE);	/* True ==> failures */
3902 }
3903 
3904 /*
3905  * ESP parsing of PF_KEY messages.  Keysock did most of the really silly
3906  * error cases.  What I receive is a fully-formed, syntactically legal
3907  * PF_KEY message.  I then need to check semantics...
3908  *
3909  * This code may become common to AH and ESP.  Stay tuned.
3910  *
3911  * I also make the assumption that db_ref's are cool.  If this assumption
3912  * is wrong, this means that someone other than keysock or me has been
3913  * mucking with PF_KEY messages.
3914  */
3915 static void
3916 esp_parse_pfkey(mblk_t *mp, ipsecesp_stack_t *espstack)
3917 {
3918 	mblk_t *msg = mp->b_cont;
3919 	sadb_msg_t *samsg;
3920 	keysock_in_t *ksi;
3921 	int error;
3922 	int diagnostic = SADB_X_DIAGNOSTIC_NONE;
3923 
3924 	ASSERT(msg != NULL);
3925 
3926 	samsg = (sadb_msg_t *)msg->b_rptr;
3927 	ksi = (keysock_in_t *)mp->b_rptr;
3928 
3929 	/*
3930 	 * If applicable, convert unspecified AF_INET6 to unspecified
3931 	 * AF_INET.  And do other address reality checks.
3932 	 */
3933 	if (!sadb_addrfix(ksi, espstack->esp_pfkey_q, mp,
3934 	    espstack->ipsecesp_netstack) ||
3935 	    esp_pfkey_reality_failures(mp, ksi, espstack)) {
3936 		return;
3937 	}
3938 
3939 	switch (samsg->sadb_msg_type) {
3940 	case SADB_ADD:
3941 		error = esp_add_sa(mp, ksi, &diagnostic,
3942 		    espstack->ipsecesp_netstack);
3943 		if (error != 0) {
3944 			sadb_pfkey_error(espstack->esp_pfkey_q, mp, error,
3945 			    diagnostic, ksi->ks_in_serial);
3946 		}
3947 		/* else esp_add_sa() took care of things. */
3948 		break;
3949 	case SADB_DELETE:
3950 	case SADB_X_DELPAIR:
3951 	case SADB_X_DELPAIR_STATE:
3952 		error = esp_del_sa(mp, ksi, &diagnostic, espstack,
3953 		    samsg->sadb_msg_type);
3954 		if (error != 0) {
3955 			sadb_pfkey_error(espstack->esp_pfkey_q, mp, error,
3956 			    diagnostic, ksi->ks_in_serial);
3957 		}
3958 		/* Else esp_del_sa() took care of things. */
3959 		break;
3960 	case SADB_GET:
3961 		error = sadb_delget_sa(mp, ksi, &espstack->esp_sadb,
3962 		    &diagnostic, espstack->esp_pfkey_q, samsg->sadb_msg_type);
3963 		if (error != 0) {
3964 			sadb_pfkey_error(espstack->esp_pfkey_q, mp, error,
3965 			    diagnostic, ksi->ks_in_serial);
3966 		}
3967 		/* Else sadb_get_sa() took care of things. */
3968 		break;
3969 	case SADB_FLUSH:
3970 		sadbp_flush(&espstack->esp_sadb, espstack->ipsecesp_netstack);
3971 		sadb_pfkey_echo(espstack->esp_pfkey_q, mp, samsg, ksi, NULL);
3972 		break;
3973 	case SADB_REGISTER:
3974 		/*
3975 		 * Hmmm, let's do it!  Check for extensions (there should
3976 		 * be none), extract the fields, call esp_register_out(),
3977 		 * then either free or report an error.
3978 		 *
3979 		 * Keysock takes care of the PF_KEY bookkeeping for this.
3980 		 */
3981 		if (esp_register_out(samsg->sadb_msg_seq, samsg->sadb_msg_pid,
3982 		    ksi->ks_in_serial, espstack)) {
3983 			freemsg(mp);
3984 		} else {
3985 			/*
3986 			 * Only way this path hits is if there is a memory
3987 			 * failure.  It will not return B_FALSE because of
3988 			 * lack of esp_pfkey_q if I am in wput().
3989 			 */
3990 			sadb_pfkey_error(espstack->esp_pfkey_q, mp, ENOMEM,
3991 			    diagnostic, ksi->ks_in_serial);
3992 		}
3993 		break;
3994 	case SADB_UPDATE:
3995 	case SADB_X_UPDATEPAIR:
3996 		/*
3997 		 * Find a larval, if not there, find a full one and get
3998 		 * strict.
3999 		 */
4000 		error = esp_update_sa(mp, ksi, &diagnostic, espstack,
4001 		    samsg->sadb_msg_type);
4002 		if (error != 0) {
4003 			sadb_pfkey_error(espstack->esp_pfkey_q, mp, error,
4004 			    diagnostic, ksi->ks_in_serial);
4005 		}
4006 		/* else esp_update_sa() took care of things. */
4007 		break;
4008 	case SADB_GETSPI:
4009 		/*
4010 		 * Reserve a new larval entry.
4011 		 */
4012 		esp_getspi(mp, ksi, espstack);
4013 		break;
4014 	case SADB_ACQUIRE:
4015 		/*
4016 		 * Find larval and/or ACQUIRE record and kill it (them), I'm
4017 		 * most likely an error.  Inbound ACQUIRE messages should only
4018 		 * have the base header.
4019 		 */
4020 		sadb_in_acquire(samsg, &espstack->esp_sadb,
4021 		    espstack->esp_pfkey_q, espstack->ipsecesp_netstack);
4022 		freemsg(mp);
4023 		break;
4024 	case SADB_DUMP:
4025 		/*
4026 		 * Dump all entries.
4027 		 */
4028 		esp_dump(mp, ksi, espstack);
4029 		/* esp_dump will take care of the return message, etc. */
4030 		break;
4031 	case SADB_EXPIRE:
4032 		/* Should never reach me. */
4033 		sadb_pfkey_error(espstack->esp_pfkey_q, mp, EOPNOTSUPP,
4034 		    diagnostic, ksi->ks_in_serial);
4035 		break;
4036 	default:
4037 		sadb_pfkey_error(espstack->esp_pfkey_q, mp, EINVAL,
4038 		    SADB_X_DIAGNOSTIC_UNKNOWN_MSG, ksi->ks_in_serial);
4039 		break;
4040 	}
4041 }
4042 
4043 /*
4044  * Handle case where PF_KEY says it can't find a keysock for one of my
4045  * ACQUIRE messages.
4046  */
4047 static void
4048 esp_keysock_no_socket(mblk_t *mp, ipsecesp_stack_t *espstack)
4049 {
4050 	sadb_msg_t *samsg;
4051 	keysock_out_err_t *kse = (keysock_out_err_t *)mp->b_rptr;
4052 
4053 	if (mp->b_cont == NULL) {
4054 		freemsg(mp);
4055 		return;
4056 	}
4057 	samsg = (sadb_msg_t *)mp->b_cont->b_rptr;
4058 
4059 	/*
4060 	 * If keysock can't find any registered, delete the acquire record
4061 	 * immediately, and handle errors.
4062 	 */
4063 	if (samsg->sadb_msg_type == SADB_ACQUIRE) {
4064 		samsg->sadb_msg_errno = kse->ks_err_errno;
4065 		samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg));
4066 		/*
4067 		 * Use the write-side of the esp_pfkey_q, in case there is
4068 		 * no esp_sadb.s_ip_q.
4069 		 */
4070 		sadb_in_acquire(samsg, &espstack->esp_sadb,
4071 		    WR(espstack->esp_pfkey_q), espstack->ipsecesp_netstack);
4072 	}
4073 
4074 	freemsg(mp);
4075 }
4076 
4077 /*
4078  * ESP module write put routine.
4079  */
4080 static void
4081 ipsecesp_wput(queue_t *q, mblk_t *mp)
4082 {
4083 	ipsec_info_t *ii;
4084 	struct iocblk *iocp;
4085 	ipsecesp_stack_t	*espstack = (ipsecesp_stack_t *)q->q_ptr;
4086 
4087 	esp3dbg(espstack, ("In esp_wput().\n"));
4088 
4089 	/* NOTE: Each case must take care of freeing or passing mp. */
4090 	switch (mp->b_datap->db_type) {
4091 	case M_CTL:
4092 		if ((mp->b_wptr - mp->b_rptr) < sizeof (ipsec_info_t)) {
4093 			/* Not big enough message. */
4094 			freemsg(mp);
4095 			break;
4096 		}
4097 		ii = (ipsec_info_t *)mp->b_rptr;
4098 
4099 		switch (ii->ipsec_info_type) {
4100 		case KEYSOCK_OUT_ERR:
4101 			esp1dbg(espstack, ("Got KEYSOCK_OUT_ERR message.\n"));
4102 			esp_keysock_no_socket(mp, espstack);
4103 			break;
4104 		case KEYSOCK_IN:
4105 			ESP_BUMP_STAT(espstack, keysock_in);
4106 			esp3dbg(espstack, ("Got KEYSOCK_IN message.\n"));
4107 
4108 			/* Parse the message. */
4109 			esp_parse_pfkey(mp, espstack);
4110 			break;
4111 		case KEYSOCK_HELLO:
4112 			sadb_keysock_hello(&espstack->esp_pfkey_q, q, mp,
4113 			    esp_ager, (void *)espstack, &espstack->esp_event,
4114 			    SADB_SATYPE_ESP);
4115 			break;
4116 		default:
4117 			esp2dbg(espstack, ("Got M_CTL from above of 0x%x.\n",
4118 			    ii->ipsec_info_type));
4119 			freemsg(mp);
4120 			break;
4121 		}
4122 		break;
4123 	case M_IOCTL:
4124 		iocp = (struct iocblk *)mp->b_rptr;
4125 		switch (iocp->ioc_cmd) {
4126 		case ND_SET:
4127 		case ND_GET:
4128 			if (nd_getset(q, espstack->ipsecesp_g_nd, mp)) {
4129 				qreply(q, mp);
4130 				return;
4131 			} else {
4132 				iocp->ioc_error = ENOENT;
4133 			}
4134 			/* FALLTHRU */
4135 		default:
4136 			/* We really don't support any other ioctls, do we? */
4137 
4138 			/* Return EINVAL */
4139 			if (iocp->ioc_error != ENOENT)
4140 				iocp->ioc_error = EINVAL;
4141 			iocp->ioc_count = 0;
4142 			mp->b_datap->db_type = M_IOCACK;
4143 			qreply(q, mp);
4144 			return;
4145 		}
4146 	default:
4147 		esp3dbg(espstack,
4148 		    ("Got default message, type %d, passing to IP.\n",
4149 		    mp->b_datap->db_type));
4150 		putnext(q, mp);
4151 	}
4152 }
4153 
4154 /*
4155  * Process an outbound ESP packet that can be accelerated by a IPsec
4156  * hardware acceleration capable Provider.
4157  * The caller already inserted and initialized the ESP header.
4158  * This function allocates a tagging M_CTL, and adds room at the end
4159  * of the packet to hold the ICV if authentication is needed.
4160  *
4161  * On success returns B_TRUE, on failure returns B_FALSE and frees the
4162  * mblk chain ipsec_out.
4163  */
4164 static ipsec_status_t
4165 esp_outbound_accelerated(mblk_t *ipsec_out, uint_t icv_len)
4166 {
4167 	ipsec_out_t *io;
4168 	mblk_t *lastmp;
4169 	netstack_t	*ns;
4170 	ipsecesp_stack_t *espstack;
4171 	ipsec_stack_t	*ipss;
4172 
4173 	io = (ipsec_out_t *)ipsec_out->b_rptr;
4174 	ns = io->ipsec_out_ns;
4175 	espstack = ns->netstack_ipsecesp;
4176 	ipss = ns->netstack_ipsec;
4177 
4178 	ESP_BUMP_STAT(espstack, out_accelerated);
4179 
4180 	/* mark packet as being accelerated in IPSEC_OUT */
4181 	ASSERT(io->ipsec_out_accelerated == B_FALSE);
4182 	io->ipsec_out_accelerated = B_TRUE;
4183 
4184 	/*
4185 	 * add room at the end of the packet for the ICV if needed
4186 	 */
4187 	if (icv_len > 0) {
4188 		/* go to last mblk */
4189 		lastmp = ipsec_out;	/* For following while loop. */
4190 		do {
4191 			lastmp = lastmp->b_cont;
4192 		} while (lastmp->b_cont != NULL);
4193 
4194 		/* if not enough available room, allocate new mblk */
4195 		if ((lastmp->b_wptr + icv_len) > lastmp->b_datap->db_lim) {
4196 			lastmp->b_cont = allocb(icv_len, BPRI_HI);
4197 			if (lastmp->b_cont == NULL) {
4198 				ESP_BUMP_STAT(espstack, out_discards);
4199 				ip_drop_packet(ipsec_out, B_FALSE, NULL, NULL,
4200 				    DROPPER(ipss, ipds_esp_nomem),
4201 				    &espstack->esp_dropper);
4202 				return (IPSEC_STATUS_FAILED);
4203 			}
4204 			lastmp = lastmp->b_cont;
4205 		}
4206 		lastmp->b_wptr += icv_len;
4207 	}
4208 
4209 	return (IPSEC_STATUS_SUCCESS);
4210 }
4211 
4212 /*
4213  * Process an inbound accelerated ESP packet.
4214  * On success returns B_TRUE, on failure returns B_FALSE and frees the
4215  * mblk chain ipsec_in.
4216  */
4217 static ipsec_status_t
4218 esp_inbound_accelerated(mblk_t *ipsec_in, mblk_t *data_mp, boolean_t isv4,
4219     ipsa_t *assoc)
4220 {
4221 	ipsec_in_t *ii = (ipsec_in_t *)ipsec_in->b_rptr;
4222 	mblk_t *hada_mp;
4223 	uint32_t icv_len = 0;
4224 	da_ipsec_t *hada;
4225 	ipha_t *ipha;
4226 	ip6_t *ip6h;
4227 	kstat_named_t *counter;
4228 	netstack_t	*ns = ii->ipsec_in_ns;
4229 	ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
4230 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
4231 
4232 	ESP_BUMP_STAT(espstack, in_accelerated);
4233 
4234 	hada_mp = ii->ipsec_in_da;
4235 	ASSERT(hada_mp != NULL);
4236 	hada = (da_ipsec_t *)hada_mp->b_rptr;
4237 
4238 	/*
4239 	 * We only support one level of decapsulation in hardware, so
4240 	 * nuke the pointer.
4241 	 */
4242 	ii->ipsec_in_da = NULL;
4243 	ii->ipsec_in_accelerated = B_FALSE;
4244 
4245 	if (assoc->ipsa_auth_alg != IPSA_AALG_NONE) {
4246 		/*
4247 		 * ESP with authentication. We expect the Provider to have
4248 		 * computed the ICV and placed it in the hardware acceleration
4249 		 * data attributes.
4250 		 *
4251 		 * Extract ICV length from attributes M_CTL and sanity check
4252 		 * its value. We allow the mblk to be smaller than da_ipsec_t
4253 		 * for a small ICV, as long as the entire ICV fits within the
4254 		 * mblk.
4255 		 *
4256 		 * Also ensures that the ICV length computed by Provider
4257 		 * corresponds to the ICV length of the agorithm specified by
4258 		 * the SA.
4259 		 */
4260 		icv_len = hada->da_icv_len;
4261 		if ((icv_len != assoc->ipsa_mac_len) ||
4262 		    (icv_len > DA_ICV_MAX_LEN) || (MBLKL(hada_mp) <
4263 		    (sizeof (da_ipsec_t) - DA_ICV_MAX_LEN + icv_len))) {
4264 			esp0dbg(("esp_inbound_accelerated: "
4265 			    "ICV len (%u) incorrect or mblk too small (%u)\n",
4266 			    icv_len, (uint32_t)(MBLKL(hada_mp))));
4267 			counter = DROPPER(ipss, ipds_esp_bad_auth);
4268 			goto esp_in_discard;
4269 		}
4270 	}
4271 
4272 	/* get pointers to IP header */
4273 	if (isv4) {
4274 		ipha = (ipha_t *)data_mp->b_rptr;
4275 	} else {
4276 		ip6h = (ip6_t *)data_mp->b_rptr;
4277 	}
4278 
4279 	/*
4280 	 * Compare ICV in ESP packet vs ICV computed by adapter.
4281 	 * We also remove the ICV from the end of the packet since
4282 	 * it will no longer be needed.
4283 	 *
4284 	 * Assume that esp_inbound() already ensured that the pkt
4285 	 * was in one mblk.
4286 	 */
4287 	ASSERT(data_mp->b_cont == NULL);
4288 	data_mp->b_wptr -= icv_len;
4289 	/* adjust IP header */
4290 	if (isv4)
4291 		ipha->ipha_length = htons(ntohs(ipha->ipha_length) - icv_len);
4292 	else
4293 		ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) - icv_len);
4294 	if (icv_len && bcmp(hada->da_icv, data_mp->b_wptr, icv_len)) {
4295 		int af;
4296 		void *addr;
4297 
4298 		if (isv4) {
4299 			addr = &ipha->ipha_dst;
4300 			af = AF_INET;
4301 		} else {
4302 			addr = &ip6h->ip6_dst;
4303 			af = AF_INET6;
4304 		}
4305 
4306 		/*
4307 		 * Log the event. Don't print to the console, block
4308 		 * potential denial-of-service attack.
4309 		 */
4310 		ESP_BUMP_STAT(espstack, bad_auth);
4311 		ipsec_assocfailure(info.mi_idnum, 0, 0, SL_ERROR | SL_WARN,
4312 		    "ESP Authentication failed spi %x, dst_addr %s",
4313 		    assoc->ipsa_spi, addr, af, espstack->ipsecesp_netstack);
4314 		counter = DROPPER(ipss, ipds_esp_bad_auth);
4315 		goto esp_in_discard;
4316 	}
4317 
4318 	esp3dbg(espstack, ("esp_inbound_accelerated: ESP authentication "
4319 	    "succeeded, checking replay\n"));
4320 
4321 	ipsec_in->b_cont = data_mp;
4322 
4323 	/*
4324 	 * Remove ESP header and padding from packet.
4325 	 */
4326 	if (!esp_strip_header(data_mp, ii->ipsec_in_v4, assoc->ipsa_iv_len,
4327 	    &counter, espstack)) {
4328 		esp1dbg(espstack, ("esp_inbound_accelerated: "
4329 		    "esp_strip_header() failed\n"));
4330 		goto esp_in_discard;
4331 	}
4332 
4333 	freeb(hada_mp);
4334 
4335 	/*
4336 	 * Account for usage..
4337 	 */
4338 	if (!esp_age_bytes(assoc, msgdsize(data_mp), B_TRUE)) {
4339 		/* The ipsa has hit hard expiration, LOG and AUDIT. */
4340 		ESP_BUMP_STAT(espstack, bytes_expired);
4341 		IP_ESP_BUMP_STAT(ipss, in_discards);
4342 		ipsec_assocfailure(info.mi_idnum, 0, 0, SL_ERROR | SL_WARN,
4343 		    "ESP association 0x%x, dst %s had bytes expire.\n",
4344 		    assoc->ipsa_spi, assoc->ipsa_dstaddr, assoc->ipsa_addrfam,
4345 		    espstack->ipsecesp_netstack);
4346 		ip_drop_packet(ipsec_in, B_TRUE, NULL, NULL,
4347 		    DROPPER(ipss, ipds_esp_bytes_expire),
4348 		    &espstack->esp_dropper);
4349 		return (IPSEC_STATUS_FAILED);
4350 	}
4351 
4352 	/* done processing the packet */
4353 	return (IPSEC_STATUS_SUCCESS);
4354 
4355 esp_in_discard:
4356 	IP_ESP_BUMP_STAT(ipss, in_discards);
4357 	freeb(hada_mp);
4358 
4359 	ipsec_in->b_cont = data_mp;	/* For ip_drop_packet()'s sake... */
4360 	ip_drop_packet(ipsec_in, B_TRUE, NULL, NULL, counter,
4361 	    &espstack->esp_dropper);
4362 
4363 	return (IPSEC_STATUS_FAILED);
4364 }
4365 
4366 /*
4367  * Wrapper to allow IP to trigger an ESP association failure message
4368  * during inbound SA selection.
4369  */
4370 void
4371 ipsecesp_in_assocfailure(mblk_t *mp, char level, ushort_t sl, char *fmt,
4372     uint32_t spi, void *addr, int af, ipsecesp_stack_t *espstack)
4373 {
4374 	ipsec_stack_t	*ipss = espstack->ipsecesp_netstack->netstack_ipsec;
4375 
4376 	if (espstack->ipsecesp_log_unknown_spi) {
4377 		ipsec_assocfailure(info.mi_idnum, 0, level, sl, fmt, spi,
4378 		    addr, af, espstack->ipsecesp_netstack);
4379 	}
4380 
4381 	ip_drop_packet(mp, B_TRUE, NULL, NULL,
4382 	    DROPPER(ipss, ipds_esp_no_sa),
4383 	    &espstack->esp_dropper);
4384 }
4385 
4386 /*
4387  * Initialize the ESP input and output processing functions.
4388  */
4389 void
4390 ipsecesp_init_funcs(ipsa_t *sa)
4391 {
4392 	if (sa->ipsa_output_func == NULL)
4393 		sa->ipsa_output_func = esp_outbound;
4394 	if (sa->ipsa_input_func == NULL)
4395 		sa->ipsa_input_func = esp_inbound;
4396 }
4397