xref: /illumos-gate/usr/src/uts/common/inet/ip/keysock.c (revision 46b592853d0f4f11781b6b0a7533f267c6aee132)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/param.h>
27 #include <sys/types.h>
28 #include <sys/stream.h>
29 #include <sys/strsubr.h>
30 #include <sys/strsun.h>
31 #include <sys/stropts.h>
32 #include <sys/vnode.h>
33 #include <sys/zone.h>
34 #include <sys/strlog.h>
35 #include <sys/sysmacros.h>
36 #define	_SUN_TPI_VERSION 2
37 #include <sys/tihdr.h>
38 #include <sys/timod.h>
39 #include <sys/tiuser.h>
40 #include <sys/ddi.h>
41 #include <sys/sunddi.h>
42 #include <sys/sunldi.h>
43 #include <sys/file.h>
44 #include <sys/modctl.h>
45 #include <sys/debug.h>
46 #include <sys/kmem.h>
47 #include <sys/cmn_err.h>
48 #include <sys/proc.h>
49 #include <sys/suntpi.h>
50 #include <sys/atomic.h>
51 #include <sys/mkdev.h>
52 #include <sys/policy.h>
53 #include <sys/disp.h>
54 
55 #include <sys/socket.h>
56 #include <netinet/in.h>
57 #include <net/pfkeyv2.h>
58 
59 #include <inet/common.h>
60 #include <netinet/ip6.h>
61 #include <inet/ip.h>
62 #include <inet/proto_set.h>
63 #include <inet/nd.h>
64 #include <inet/optcom.h>
65 #include <inet/ipsec_info.h>
66 #include <inet/ipsec_impl.h>
67 #include <inet/keysock.h>
68 
69 #include <sys/isa_defs.h>
70 
71 /*
72  * This is a transport provider for the PF_KEY key mangement socket.
73  * (See RFC 2367 for details.)
74  * Downstream messages are wrapped in a keysock consumer interface KEYSOCK_IN
75  * messages (see ipsec_info.h), and passed to the appropriate consumer.
76  * Upstream messages are generated for all open PF_KEY sockets, when
77  * appropriate, as well as the sender (as long as SO_USELOOPBACK is enabled)
78  * in reply to downstream messages.
79  *
80  * Upstream messages must be created asynchronously for the following
81  * situations:
82  *
83  *	1.) A keysock consumer requires an SA, and there is currently none.
84  *	2.) An SA expires, either hard or soft lifetime.
85  *	3.) Other events a consumer deems fit.
86  *
87  * The MT model of this is PERMOD, with shared put procedures.  Two types of
88  * messages, SADB_FLUSH and SADB_DUMP, need to lock down the perimeter to send
89  * down the *multiple* messages they create.
90  */
91 
92 static vmem_t *keysock_vmem;		/* for minor numbers. */
93 
94 #define	KEYSOCK_MAX_CONSUMERS 256
95 
96 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */
97 static struct T_info_ack keysock_g_t_info_ack = {
98 	T_INFO_ACK,
99 	T_INFINITE,	/* TSDU_size. Maximum size messages. */
100 	T_INVALID,	/* ETSDU_size. No expedited data. */
101 	T_INVALID,	/* CDATA_size. No connect data. */
102 	T_INVALID,	/* DDATA_size. No disconnect data. */
103 	0,		/* ADDR_size. */
104 	0,		/* OPT_size. No user-settable options */
105 	64 * 1024,	/* TIDU_size. keysock allows maximum size messages. */
106 	T_COTS,		/* SERV_type. keysock supports connection oriented. */
107 	TS_UNBND,	/* CURRENT_state. This is set from keysock_state. */
108 	(XPG4_1)	/* Provider flags */
109 };
110 
111 /* Named Dispatch Parameter Management Structure */
112 typedef struct keysockparam_s {
113 	uint_t	keysock_param_min;
114 	uint_t	keysock_param_max;
115 	uint_t	keysock_param_value;
116 	char	*keysock_param_name;
117 } keysockparam_t;
118 
119 /*
120  * Table of NDD variables supported by keysock. These are loaded into
121  * keysock_g_nd in keysock_init_nd.
122  * All of these are alterable, within the min/max values given, at run time.
123  */
124 static	keysockparam_t	lcl_param_arr[] = {
125 	/* min	max	value	name */
126 	{ 4096, 65536,	8192,	"keysock_xmit_hiwat"},
127 	{ 0,	65536,	1024,	"keysock_xmit_lowat"},
128 	{ 4096, 65536,	8192,	"keysock_recv_hiwat"},
129 	{ 65536, 1024*1024*1024, 256*1024,	"keysock_max_buf"},
130 	{ 0,	3,	0,	"keysock_debug"},
131 };
132 #define	keystack_xmit_hiwat	keystack_params[0].keysock_param_value
133 #define	keystack_xmit_lowat	keystack_params[1].keysock_param_value
134 #define	keystack_recv_hiwat	keystack_params[2].keysock_param_value
135 #define	keystack_max_buf	keystack_params[3].keysock_param_value
136 #define	keystack_debug	keystack_params[4].keysock_param_value
137 
138 #define	ks0dbg(a)	printf a
139 /* NOTE:  != 0 instead of > 0 so lint doesn't complain. */
140 #define	ks1dbg(keystack, a)	if (keystack->keystack_debug != 0) printf a
141 #define	ks2dbg(keystack, a)	if (keystack->keystack_debug > 1) printf a
142 #define	ks3dbg(keystack, a)	if (keystack->keystack_debug > 2) printf a
143 
144 static int keysock_close(queue_t *);
145 static int keysock_open(queue_t *, dev_t *, int, int, cred_t *);
146 static void keysock_wput(queue_t *, mblk_t *);
147 static void keysock_rput(queue_t *, mblk_t *);
148 static void keysock_rsrv(queue_t *);
149 static void keysock_passup(mblk_t *, sadb_msg_t *, minor_t,
150     keysock_consumer_t *, boolean_t, keysock_stack_t *);
151 static void *keysock_stack_init(netstackid_t stackid, netstack_t *ns);
152 static void keysock_stack_fini(netstackid_t stackid, void *arg);
153 
154 static struct module_info info = {
155 	5138, "keysock", 1, INFPSZ, 512, 128
156 };
157 
158 static struct qinit rinit = {
159 	(pfi_t)keysock_rput, (pfi_t)keysock_rsrv, keysock_open, keysock_close,
160 	NULL, &info
161 };
162 
163 static struct qinit winit = {
164 	(pfi_t)keysock_wput, NULL, NULL, NULL, NULL, &info
165 };
166 
167 struct streamtab keysockinfo = {
168 	&rinit, &winit
169 };
170 
171 extern struct modlinkage *keysock_modlp;
172 
173 /*
174  * Plumb IPsec.
175  *
176  * NOTE:  New "default" modules will need to be loaded here if needed before
177  *	  boot time.
178  */
179 
180 /* Keep these in global space to keep the lint from complaining. */
181 static char *IPSECESP = "ipsecesp";
182 static char *IPSECESPDEV = "/devices/pseudo/ipsecesp@0:ipsecesp";
183 static char *IPSECAH = "ipsecah";
184 static char *IPSECAHDEV = "/devices/pseudo/ipsecah@0:ipsecah";
185 static char *IP6DEV = "/devices/pseudo/ip6@0:ip6";
186 static char *KEYSOCK = "keysock";
187 static char *STRMOD = "strmod";
188 
189 /*
190  * Load the other ipsec modules and plumb them together.
191  */
192 int
193 keysock_plumb_ipsec(netstack_t *ns)
194 {
195 	ldi_handle_t	lh, ip6_lh = NULL;
196 	ldi_ident_t	li = NULL;
197 	int		err = 0;
198 	int		muxid, rval;
199 	boolean_t	esp_present = B_TRUE;
200 	cred_t		*cr;
201 	keysock_stack_t *keystack = ns->netstack_keysock;
202 
203 #ifdef NS_DEBUG
204 	(void) printf("keysock_plumb_ipsec(%d)\n",
205 	    ns->netstack_stackid);
206 #endif
207 
208 	keystack->keystack_plumbed = 0;	/* we're trying again.. */
209 
210 	cr = zone_get_kcred(netstackid_to_zoneid(
211 	    keystack->keystack_netstack->netstack_stackid));
212 	ASSERT(cr != NULL);
213 	/*
214 	 * Load up the drivers (AH/ESP).
215 	 *
216 	 * I do this separately from the actual plumbing in case this function
217 	 * ever gets called from a diskless boot before the root filesystem is
218 	 * up.  I don't have to worry about "keysock" because, well, if I'm
219 	 * here, keysock must've loaded successfully.
220 	 */
221 	if (i_ddi_attach_pseudo_node(IPSECAH) == NULL) {
222 		ks0dbg(("IPsec:  AH failed to attach.\n"));
223 		goto bail;
224 	}
225 	if (i_ddi_attach_pseudo_node(IPSECESP) == NULL) {
226 		ks0dbg(("IPsec:  ESP failed to attach.\n"));
227 		esp_present = B_FALSE;
228 	}
229 
230 	/*
231 	 * Set up the IP streams for AH and ESP, as well as tacking keysock
232 	 * on top of them.  Assume keysock has set the autopushes up already.
233 	 */
234 
235 	/* Open IP. */
236 	err = ldi_ident_from_mod(keysock_modlp, &li);
237 	if (err) {
238 		ks0dbg(("IPsec:  lid_ident_from_mod failed (err %d).\n",
239 		    err));
240 		goto bail;
241 	}
242 
243 	err = ldi_open_by_name(IP6DEV, FREAD|FWRITE, cr, &ip6_lh, li);
244 	if (err) {
245 		ks0dbg(("IPsec:  Open of IP6 failed (err %d).\n", err));
246 		goto bail;
247 	}
248 
249 	/* PLINK KEYSOCK/AH */
250 	err = ldi_open_by_name(IPSECAHDEV, FREAD|FWRITE, cr, &lh, li);
251 	if (err) {
252 		ks0dbg(("IPsec:  Open of AH failed (err %d).\n", err));
253 		goto bail;
254 	}
255 	err = ldi_ioctl(lh,
256 	    I_PUSH, (intptr_t)KEYSOCK, FKIOCTL, cr, &rval);
257 	if (err) {
258 		ks0dbg(("IPsec:  Push of KEYSOCK onto AH failed (err %d).\n",
259 		    err));
260 		(void) ldi_close(lh, FREAD|FWRITE, cr);
261 		goto bail;
262 	}
263 	err = ldi_ioctl(ip6_lh, I_PLINK, (intptr_t)lh,
264 	    FREAD+FWRITE+FNOCTTY+FKIOCTL, cr, &muxid);
265 	if (err) {
266 		ks0dbg(("IPsec:  PLINK of KEYSOCK/AH failed (err %d).\n", err));
267 		(void) ldi_close(lh, FREAD|FWRITE, cr);
268 		goto bail;
269 	}
270 	(void) ldi_close(lh, FREAD|FWRITE, cr);
271 
272 	/* PLINK KEYSOCK/ESP */
273 	if (esp_present) {
274 		err = ldi_open_by_name(IPSECESPDEV,
275 		    FREAD|FWRITE, cr, &lh, li);
276 		if (err) {
277 			ks0dbg(("IPsec:  Open of ESP failed (err %d).\n", err));
278 			goto bail;
279 		}
280 		err = ldi_ioctl(lh,
281 		    I_PUSH, (intptr_t)KEYSOCK, FKIOCTL, cr, &rval);
282 		if (err) {
283 			ks0dbg(("IPsec:  "
284 			    "Push of KEYSOCK onto ESP failed (err %d).\n",
285 			    err));
286 			(void) ldi_close(lh, FREAD|FWRITE, cr);
287 			goto bail;
288 		}
289 		err = ldi_ioctl(ip6_lh, I_PLINK, (intptr_t)lh,
290 		    FREAD+FWRITE+FNOCTTY+FKIOCTL, cr, &muxid);
291 		if (err) {
292 			ks0dbg(("IPsec:  "
293 			    "PLINK of KEYSOCK/ESP failed (err %d).\n", err));
294 			(void) ldi_close(lh, FREAD|FWRITE, cr);
295 			goto bail;
296 		}
297 		(void) ldi_close(lh, FREAD|FWRITE, cr);
298 	}
299 
300 bail:
301 	keystack->keystack_plumbed = (err == 0) ? 1 : -1;
302 	if (ip6_lh != NULL) {
303 		(void) ldi_close(ip6_lh, FREAD|FWRITE, cr);
304 	}
305 	if (li != NULL)
306 		ldi_ident_release(li);
307 #ifdef NS_DEBUG
308 	(void) printf("keysock_plumb_ipsec -> %d\n",
309 	    keystack->keystack_plumbed);
310 #endif
311 	crfree(cr);
312 	return (err);
313 }
314 
315 /* ARGSUSED */
316 static int
317 keysock_param_get(q, mp, cp, cr)
318 	queue_t	*q;
319 	mblk_t	*mp;
320 	caddr_t	cp;
321 	cred_t *cr;
322 {
323 	keysockparam_t	*keysockpa = (keysockparam_t *)cp;
324 	uint_t value;
325 	keysock_t *ks = (keysock_t *)q->q_ptr;
326 	keysock_stack_t	*keystack = ks->keysock_keystack;
327 
328 	mutex_enter(&keystack->keystack_param_lock);
329 	value = keysockpa->keysock_param_value;
330 	mutex_exit(&keystack->keystack_param_lock);
331 
332 	(void) mi_mpprintf(mp, "%u", value);
333 	return (0);
334 }
335 
336 /* This routine sets an NDD variable in a keysockparam_t structure. */
337 /* ARGSUSED */
338 static int
339 keysock_param_set(q, mp, value, cp, cr)
340 	queue_t	*q;
341 	mblk_t	*mp;
342 	char	*value;
343 	caddr_t	cp;
344 	cred_t *cr;
345 {
346 	ulong_t	new_value;
347 	keysockparam_t	*keysockpa = (keysockparam_t *)cp;
348 	keysock_t *ks = (keysock_t *)q->q_ptr;
349 	keysock_stack_t	*keystack = ks->keysock_keystack;
350 
351 	/* Convert the value from a string into a long integer. */
352 	if (ddi_strtoul(value, NULL, 10, &new_value) != 0)
353 		return (EINVAL);
354 
355 	mutex_enter(&keystack->keystack_param_lock);
356 	/*
357 	 * Fail the request if the new value does not lie within the
358 	 * required bounds.
359 	 */
360 	if (new_value < keysockpa->keysock_param_min ||
361 	    new_value > keysockpa->keysock_param_max) {
362 		mutex_exit(&keystack->keystack_param_lock);
363 		return (EINVAL);
364 	}
365 
366 	/* Set the new value */
367 	keysockpa->keysock_param_value = new_value;
368 	mutex_exit(&keystack->keystack_param_lock);
369 
370 	return (0);
371 }
372 
373 /*
374  * Initialize keysock at module load time
375  */
376 boolean_t
377 keysock_ddi_init(void)
378 {
379 	keysock_max_optsize = optcom_max_optsize(
380 	    keysock_opt_obj.odb_opt_des_arr, keysock_opt_obj.odb_opt_arr_cnt);
381 
382 	keysock_vmem = vmem_create("keysock", (void *)1, MAXMIN, 1,
383 	    NULL, NULL, NULL, 1, VM_SLEEP | VMC_IDENTIFIER);
384 
385 	/*
386 	 * We want to be informed each time a stack is created or
387 	 * destroyed in the kernel, so we can maintain the
388 	 * set of keysock_stack_t's.
389 	 */
390 	netstack_register(NS_KEYSOCK, keysock_stack_init, NULL,
391 	    keysock_stack_fini);
392 
393 	return (B_TRUE);
394 }
395 
396 /*
397  * Walk through the param array specified registering each element with the
398  * named dispatch handler.
399  */
400 static boolean_t
401 keysock_param_register(IDP *ndp, keysockparam_t *ksp, int cnt)
402 {
403 	for (; cnt-- > 0; ksp++) {
404 		if (ksp->keysock_param_name != NULL &&
405 		    ksp->keysock_param_name[0]) {
406 			if (!nd_load(ndp,
407 			    ksp->keysock_param_name,
408 			    keysock_param_get, keysock_param_set,
409 			    (caddr_t)ksp)) {
410 				nd_free(ndp);
411 				return (B_FALSE);
412 			}
413 		}
414 	}
415 	return (B_TRUE);
416 }
417 
418 /*
419  * Initialize keysock for one stack instance
420  */
421 /* ARGSUSED */
422 static void *
423 keysock_stack_init(netstackid_t stackid, netstack_t *ns)
424 {
425 	keysock_stack_t	*keystack;
426 	keysockparam_t *ksp;
427 
428 	keystack = (keysock_stack_t *)kmem_zalloc(sizeof (*keystack), KM_SLEEP);
429 	keystack->keystack_netstack = ns;
430 
431 	keystack->keystack_acquire_seq = 0xffffffff;
432 
433 	ksp = (keysockparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP);
434 	keystack->keystack_params = ksp;
435 	bcopy(lcl_param_arr, ksp, sizeof (lcl_param_arr));
436 
437 	(void) keysock_param_register(&keystack->keystack_g_nd, ksp,
438 	    A_CNT(lcl_param_arr));
439 
440 	mutex_init(&keystack->keystack_list_lock, NULL, MUTEX_DEFAULT, NULL);
441 	mutex_init(&keystack->keystack_consumers_lock,
442 	    NULL, MUTEX_DEFAULT, NULL);
443 	mutex_init(&keystack->keystack_param_lock, NULL, MUTEX_DEFAULT, NULL);
444 	return (keystack);
445 }
446 
447 /*
448  * Free NDD variable space, and other destructors, for keysock.
449  */
450 void
451 keysock_ddi_destroy(void)
452 {
453 	netstack_unregister(NS_KEYSOCK);
454 	vmem_destroy(keysock_vmem);
455 }
456 
457 /*
458  * Remove one stack instance from keysock
459  */
460 /* ARGSUSED */
461 static void
462 keysock_stack_fini(netstackid_t stackid, void *arg)
463 {
464 	keysock_stack_t *keystack = (keysock_stack_t *)arg;
465 
466 	nd_free(&keystack->keystack_g_nd);
467 	kmem_free(keystack->keystack_params, sizeof (lcl_param_arr));
468 	keystack->keystack_params = NULL;
469 
470 	mutex_destroy(&keystack->keystack_list_lock);
471 	mutex_destroy(&keystack->keystack_consumers_lock);
472 	mutex_destroy(&keystack->keystack_param_lock);
473 
474 	kmem_free(keystack, sizeof (*keystack));
475 }
476 
477 /*
478  * Close routine for keysock.
479  */
480 static int
481 keysock_close(queue_t *q)
482 {
483 	keysock_t *ks;
484 	keysock_consumer_t *kc;
485 	void *ptr = q->q_ptr;
486 	int size;
487 	keysock_stack_t	*keystack;
488 
489 
490 	qprocsoff(q);
491 
492 	/* Safe assumption. */
493 	ASSERT(ptr != NULL);
494 
495 	if (WR(q)->q_next) {
496 		kc = (keysock_consumer_t *)ptr;
497 		keystack = kc->kc_keystack;
498 
499 		ks1dbg(keystack, ("Module close, removing a consumer (%d).\n",
500 		    kc->kc_sa_type));
501 		/*
502 		 * Because of PERMOD open/close exclusive perimeter, I
503 		 * can inspect KC_FLUSHING w/o locking down kc->kc_lock.
504 		 */
505 		if (kc->kc_flags & KC_FLUSHING) {
506 			/*
507 			 * If this decrement was the last one, send
508 			 * down the next pending one, if any.
509 			 *
510 			 * With a PERMOD perimeter, the mutexes ops aren't
511 			 * really necessary, but if we ever loosen up, we will
512 			 * have this bit covered already.
513 			 */
514 			keystack->keystack_flushdump--;
515 			if (keystack->keystack_flushdump == 0) {
516 				/*
517 				 * The flush/dump terminated by having a
518 				 * consumer go away.  I need to send up to the
519 				 * appropriate keysock all of the relevant
520 				 * information.  Unfortunately, I don't
521 				 * have that handy.
522 				 */
523 				ks0dbg(("Consumer went away while flushing or"
524 				    " dumping.\n"));
525 			}
526 		}
527 		size = sizeof (keysock_consumer_t);
528 		mutex_enter(&keystack->keystack_consumers_lock);
529 		keystack->keystack_consumers[kc->kc_sa_type] = NULL;
530 		mutex_exit(&keystack->keystack_consumers_lock);
531 		mutex_destroy(&kc->kc_lock);
532 		netstack_rele(kc->kc_keystack->keystack_netstack);
533 	} else {
534 		ks = (keysock_t *)ptr;
535 		keystack = ks->keysock_keystack;
536 
537 		ks3dbg(keystack,
538 		    ("Driver close, PF_KEY socket is going away.\n"));
539 		if ((ks->keysock_flags & KEYSOCK_EXTENDED) != 0)
540 			atomic_add_32(&keystack->keystack_num_extended, -1);
541 		size = sizeof (keysock_t);
542 		mutex_enter(&keystack->keystack_list_lock);
543 		*(ks->keysock_ptpn) = ks->keysock_next;
544 		if (ks->keysock_next != NULL)
545 			ks->keysock_next->keysock_ptpn = ks->keysock_ptpn;
546 		mutex_exit(&keystack->keystack_list_lock);
547 		mutex_destroy(&ks->keysock_lock);
548 		vmem_free(keysock_vmem, (void *)(uintptr_t)ks->keysock_serial,
549 		    1);
550 		netstack_rele(ks->keysock_keystack->keystack_netstack);
551 	}
552 
553 	/* Now I'm free. */
554 	kmem_free(ptr, size);
555 	return (0);
556 }
557 /*
558  * Open routine for keysock.
559  */
560 /* ARGSUSED */
561 static int
562 keysock_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
563 {
564 	keysock_t *ks;
565 	keysock_consumer_t *kc;
566 	mblk_t *mp;
567 	ipsec_info_t *ii;
568 	netstack_t *ns;
569 	keysock_stack_t *keystack;
570 
571 	if (secpolicy_ip_config(credp, B_FALSE) != 0) {
572 		/* Privilege debugging will log the error */
573 		return (EPERM);
574 	}
575 
576 	if (q->q_ptr != NULL)
577 		return (0);  /* Re-open of an already open instance. */
578 
579 	ns = netstack_find_by_cred(credp);
580 	ASSERT(ns != NULL);
581 	keystack = ns->netstack_keysock;
582 	ASSERT(keystack != NULL);
583 
584 	ks3dbg(keystack, ("Entering keysock open.\n"));
585 
586 	if (keystack->keystack_plumbed < 1) {
587 		netstack_t *ns = keystack->keystack_netstack;
588 
589 		keystack->keystack_plumbed = 0;
590 #ifdef NS_DEBUG
591 		printf("keysock_open(%d) - plumb\n",
592 		    keystack->keystack_netstack->netstack_stackid);
593 #endif
594 		/*
595 		 * Don't worry about ipsec_failure being true here.
596 		 * (See ip.c).  An open of keysock should try and force
597 		 * the issue.  Maybe it was a transient failure.
598 		 */
599 		ipsec_loader_loadnow(ns->netstack_ipsec);
600 	}
601 
602 	if (sflag & MODOPEN) {
603 		/* Initialize keysock_consumer state here. */
604 		kc = kmem_zalloc(sizeof (keysock_consumer_t), KM_NOSLEEP);
605 		if (kc == NULL) {
606 			netstack_rele(keystack->keystack_netstack);
607 			return (ENOMEM);
608 		}
609 		mutex_init(&kc->kc_lock, NULL, MUTEX_DEFAULT, 0);
610 		kc->kc_rq = q;
611 		kc->kc_wq = WR(q);
612 
613 		q->q_ptr = kc;
614 		WR(q)->q_ptr = kc;
615 
616 		kc->kc_keystack = keystack;
617 		qprocson(q);
618 
619 		/*
620 		 * Send down initial message to whatever I was pushed on top
621 		 * of asking for its consumer type.  The reply will set it.
622 		 */
623 
624 		/* Allocate it. */
625 		mp = allocb(sizeof (ipsec_info_t), BPRI_HI);
626 		if (mp == NULL) {
627 			ks1dbg(keystack, (
628 			    "keysock_open:  Cannot allocate KEYSOCK_HELLO.\n"));
629 			/* Do I need to set these to null? */
630 			q->q_ptr = NULL;
631 			WR(q)->q_ptr = NULL;
632 			mutex_destroy(&kc->kc_lock);
633 			kmem_free(kc, sizeof (*kc));
634 			netstack_rele(keystack->keystack_netstack);
635 			return (ENOMEM);
636 		}
637 
638 		/* If I allocated okay, putnext to what I was pushed atop. */
639 		mp->b_wptr += sizeof (ipsec_info_t);
640 		mp->b_datap->db_type = M_CTL;
641 		ii = (ipsec_info_t *)mp->b_rptr;
642 		ii->ipsec_info_type = KEYSOCK_HELLO;
643 		/* Length only of type/len. */
644 		ii->ipsec_info_len = sizeof (ii->ipsec_allu);
645 		ks2dbg(keystack, ("Ready to putnext KEYSOCK_HELLO.\n"));
646 		putnext(kc->kc_wq, mp);
647 	} else {
648 		minor_t ksminor;
649 
650 		/* Initialize keysock state. */
651 
652 		ks2dbg(keystack, ("Made it into PF_KEY socket open.\n"));
653 
654 		ksminor = (minor_t)(uintptr_t)
655 		    vmem_alloc(keysock_vmem, 1, VM_NOSLEEP);
656 		if (ksminor == 0) {
657 			netstack_rele(keystack->keystack_netstack);
658 			return (ENOMEM);
659 		}
660 		ks = kmem_zalloc(sizeof (keysock_t), KM_NOSLEEP);
661 		if (ks == NULL) {
662 			vmem_free(keysock_vmem, (void *)(uintptr_t)ksminor, 1);
663 			netstack_rele(keystack->keystack_netstack);
664 			return (ENOMEM);
665 		}
666 
667 		mutex_init(&ks->keysock_lock, NULL, MUTEX_DEFAULT, 0);
668 		ks->keysock_rq = q;
669 		ks->keysock_wq = WR(q);
670 		ks->keysock_state = TS_UNBND;
671 		ks->keysock_serial = ksminor;
672 
673 		q->q_ptr = ks;
674 		WR(q)->q_ptr = ks;
675 		ks->keysock_keystack = keystack;
676 
677 		/*
678 		 * The receive hiwat is only looked at on the stream head
679 		 * queue.  Store in q_hiwat in order to return on SO_RCVBUF
680 		 * getsockopts.
681 		 */
682 
683 		q->q_hiwat = keystack->keystack_recv_hiwat;
684 
685 		/*
686 		 * The transmit hiwat/lowat is only looked at on IP's queue.
687 		 * Store in q_hiwat/q_lowat in order to return on
688 		 * SO_SNDBUF/SO_SNDLOWAT getsockopts.
689 		 */
690 
691 		WR(q)->q_hiwat = keystack->keystack_xmit_hiwat;
692 		WR(q)->q_lowat = keystack->keystack_xmit_lowat;
693 
694 		*devp = makedevice(getmajor(*devp), ksminor);
695 
696 		/*
697 		 * Thread keysock into the global keysock list.
698 		 */
699 		mutex_enter(&keystack->keystack_list_lock);
700 		ks->keysock_next = keystack->keystack_list;
701 		ks->keysock_ptpn = &keystack->keystack_list;
702 		if (keystack->keystack_list != NULL) {
703 			keystack->keystack_list->keysock_ptpn =
704 			    &ks->keysock_next;
705 		}
706 		keystack->keystack_list = ks;
707 		mutex_exit(&keystack->keystack_list_lock);
708 
709 		qprocson(q);
710 		(void) proto_set_rx_hiwat(q, NULL,
711 		    keystack->keystack_recv_hiwat);
712 		/*
713 		 * Wait outside the keysock module perimeter for IPsec
714 		 * plumbing to be completed.  If it fails, keysock_close()
715 		 * undoes everything we just did.
716 		 */
717 		if (!ipsec_loader_wait(q,
718 		    keystack->keystack_netstack->netstack_ipsec)) {
719 			(void) keysock_close(q);
720 			return (EPFNOSUPPORT);
721 		}
722 	}
723 
724 	return (0);
725 }
726 
727 /* BELOW THIS LINE ARE ROUTINES INCLUDING AND RELATED TO keysock_wput(). */
728 
729 /*
730  * Copy relevant state bits.
731  */
732 static void
733 keysock_copy_info(struct T_info_ack *tap, keysock_t *ks)
734 {
735 	*tap = keysock_g_t_info_ack;
736 	tap->CURRENT_state = ks->keysock_state;
737 	tap->OPT_size = keysock_max_optsize;
738 }
739 
740 /*
741  * This routine responds to T_CAPABILITY_REQ messages.  It is called by
742  * keysock_wput.  Much of the T_CAPABILITY_ACK information is copied from
743  * keysock_g_t_info_ack.  The current state of the stream is copied from
744  * keysock_state.
745  */
746 static void
747 keysock_capability_req(queue_t *q, mblk_t *mp)
748 {
749 	keysock_t *ks = (keysock_t *)q->q_ptr;
750 	t_uscalar_t cap_bits1;
751 	struct T_capability_ack	*tcap;
752 
753 	cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1;
754 
755 	mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack),
756 	    mp->b_datap->db_type, T_CAPABILITY_ACK);
757 	if (mp == NULL)
758 		return;
759 
760 	tcap = (struct T_capability_ack *)mp->b_rptr;
761 	tcap->CAP_bits1 = 0;
762 
763 	if (cap_bits1 & TC1_INFO) {
764 		keysock_copy_info(&tcap->INFO_ack, ks);
765 		tcap->CAP_bits1 |= TC1_INFO;
766 	}
767 
768 	qreply(q, mp);
769 }
770 
771 /*
772  * This routine responds to T_INFO_REQ messages. It is called by
773  * keysock_wput_other.
774  * Most of the T_INFO_ACK information is copied from keysock_g_t_info_ack.
775  * The current state of the stream is copied from keysock_state.
776  */
777 static void
778 keysock_info_req(q, mp)
779 	queue_t	*q;
780 	mblk_t	*mp;
781 {
782 	mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO,
783 	    T_INFO_ACK);
784 	if (mp == NULL)
785 		return;
786 	keysock_copy_info((struct T_info_ack *)mp->b_rptr,
787 	    (keysock_t *)q->q_ptr);
788 	qreply(q, mp);
789 }
790 
791 /*
792  * keysock_err_ack. This routine creates a
793  * T_ERROR_ACK message and passes it
794  * upstream.
795  */
796 static void
797 keysock_err_ack(q, mp, t_error, sys_error)
798 	queue_t	*q;
799 	mblk_t	*mp;
800 	int	t_error;
801 	int	sys_error;
802 {
803 	if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL)
804 		qreply(q, mp);
805 }
806 
807 /*
808  * This routine retrieves the current status of socket options.
809  * It returns the size of the option retrieved.
810  */
811 /* ARGSUSED */
812 int
813 keysock_opt_get(queue_t *q, int level, int name, uchar_t *ptr)
814 {
815 	int *i1 = (int *)ptr;
816 	keysock_t *ks = (keysock_t *)q->q_ptr;
817 
818 	switch (level) {
819 	case SOL_SOCKET:
820 		mutex_enter(&ks->keysock_lock);
821 		switch (name) {
822 		case SO_TYPE:
823 			*i1 = SOCK_RAW;
824 			break;
825 		case SO_USELOOPBACK:
826 			*i1 = (int)(!((ks->keysock_flags & KEYSOCK_NOLOOP) ==
827 			    KEYSOCK_NOLOOP));
828 			break;
829 		/*
830 		 * The following two items can be manipulated,
831 		 * but changing them should do nothing.
832 		 */
833 		case SO_SNDBUF:
834 			*i1 = (int)q->q_hiwat;
835 			break;
836 		case SO_RCVBUF:
837 			*i1 = (int)(RD(q)->q_hiwat);
838 			break;
839 		}
840 		mutex_exit(&ks->keysock_lock);
841 		break;
842 	default:
843 		return (0);
844 	}
845 	return (sizeof (int));
846 }
847 
848 /*
849  * This routine sets socket options.
850  */
851 /* ARGSUSED */
852 int
853 keysock_opt_set(queue_t *q, uint_t mgmt_flags, int level,
854     int name, uint_t inlen, uchar_t *invalp, uint_t *outlenp,
855     uchar_t *outvalp, void *thisdg_attrs, cred_t *cr, mblk_t *mblk)
856 {
857 	int *i1 = (int *)invalp, errno = 0;
858 	keysock_t *ks = (keysock_t *)q->q_ptr;
859 	keysock_stack_t	*keystack = ks->keysock_keystack;
860 
861 	switch (level) {
862 	case SOL_SOCKET:
863 		mutex_enter(&ks->keysock_lock);
864 		switch (name) {
865 		case SO_USELOOPBACK:
866 			if (!(*i1))
867 				ks->keysock_flags |= KEYSOCK_NOLOOP;
868 			else ks->keysock_flags &= ~KEYSOCK_NOLOOP;
869 			break;
870 		case SO_SNDBUF:
871 			if (*i1 > keystack->keystack_max_buf)
872 				errno = ENOBUFS;
873 			else q->q_hiwat = *i1;
874 			break;
875 		case SO_RCVBUF:
876 			if (*i1 > keystack->keystack_max_buf) {
877 				errno = ENOBUFS;
878 			} else {
879 				RD(q)->q_hiwat = *i1;
880 				(void) proto_set_rx_hiwat(RD(q), NULL, *i1);
881 			}
882 			break;
883 		default:
884 			errno = EINVAL;
885 		}
886 		mutex_exit(&ks->keysock_lock);
887 		break;
888 	default:
889 		errno = EINVAL;
890 	}
891 	return (errno);
892 }
893 
894 /*
895  * Handle STREAMS messages.
896  */
897 static void
898 keysock_wput_other(queue_t *q, mblk_t *mp)
899 {
900 	struct iocblk *iocp;
901 	int error;
902 	keysock_t *ks = (keysock_t *)q->q_ptr;
903 	keysock_stack_t	*keystack = ks->keysock_keystack;
904 	cred_t		*cr;
905 
906 	switch (mp->b_datap->db_type) {
907 	case M_PROTO:
908 	case M_PCPROTO:
909 		if ((mp->b_wptr - mp->b_rptr) < sizeof (long)) {
910 			ks3dbg(keystack, (
911 			    "keysock_wput_other: Not big enough M_PROTO\n"));
912 			freemsg(mp);
913 			return;
914 		}
915 		switch (((union T_primitives *)mp->b_rptr)->type) {
916 		case T_CAPABILITY_REQ:
917 			keysock_capability_req(q, mp);
918 			break;
919 		case T_INFO_REQ:
920 			keysock_info_req(q, mp);
921 			break;
922 		case T_SVR4_OPTMGMT_REQ:
923 		case T_OPTMGMT_REQ:
924 			/*
925 			 * All Solaris components should pass a db_credp
926 			 * for this TPI message, hence we ASSERT.
927 			 * But in case there is some other M_PROTO that looks
928 			 * like a TPI message sent by some other kernel
929 			 * component, we check and return an error.
930 			 */
931 			cr = msg_getcred(mp, NULL);
932 			ASSERT(cr != NULL);
933 			if (cr == NULL) {
934 				keysock_err_ack(q, mp, TSYSERR, EINVAL);
935 				return;
936 			}
937 			if (((union T_primitives *)mp->b_rptr)->type ==
938 			    T_SVR4_OPTMGMT_REQ) {
939 				(void) svr4_optcom_req(q, mp, cr,
940 				    &keysock_opt_obj, B_FALSE);
941 			} else {
942 				(void) tpi_optcom_req(q, mp, cr,
943 				    &keysock_opt_obj, B_FALSE);
944 			}
945 			break;
946 		case T_DATA_REQ:
947 		case T_EXDATA_REQ:
948 		case T_ORDREL_REQ:
949 			/* Illegal for keysock. */
950 			freemsg(mp);
951 			(void) putnextctl1(RD(q), M_ERROR, EPROTO);
952 			break;
953 		default:
954 			/* Not supported by keysock. */
955 			keysock_err_ack(q, mp, TNOTSUPPORT, 0);
956 			break;
957 		}
958 		return;
959 	case M_IOCTL:
960 		iocp = (struct iocblk *)mp->b_rptr;
961 		error = EINVAL;
962 
963 		switch (iocp->ioc_cmd) {
964 		case ND_SET:
965 		case ND_GET:
966 			if (nd_getset(q, keystack->keystack_g_nd, mp)) {
967 				qreply(q, mp);
968 				return;
969 			} else
970 				error = ENOENT;
971 			/* FALLTHRU */
972 		default:
973 			miocnak(q, mp, 0, error);
974 			return;
975 		}
976 	case M_FLUSH:
977 		if (*mp->b_rptr & FLUSHW) {
978 			flushq(q, FLUSHALL);
979 			*mp->b_rptr &= ~FLUSHW;
980 		}
981 		if (*mp->b_rptr & FLUSHR) {
982 			qreply(q, mp);
983 			return;
984 		}
985 		/* Else FALLTHRU */
986 	}
987 
988 	/* If fell through, just black-hole the message. */
989 	freemsg(mp);
990 }
991 
992 /*
993  * Transmit a PF_KEY error message to the instance either pointed to
994  * by ks, the instance with serial number serial, or more, depending.
995  *
996  * The faulty message (or a reasonable facsimile thereof) is in mp.
997  * This function will free mp or recycle it for delivery, thereby causing
998  * the stream head to free it.
999  */
1000 static void
1001 keysock_error(keysock_t *ks, mblk_t *mp, int error, int diagnostic)
1002 {
1003 	sadb_msg_t *samsg = (sadb_msg_t *)mp->b_rptr;
1004 	keysock_stack_t	*keystack = ks->keysock_keystack;
1005 
1006 	ASSERT(mp->b_datap->db_type == M_DATA);
1007 
1008 	if (samsg->sadb_msg_type < SADB_GETSPI ||
1009 	    samsg->sadb_msg_type > SADB_MAX)
1010 		samsg->sadb_msg_type = SADB_RESERVED;
1011 
1012 	/*
1013 	 * Strip out extension headers.
1014 	 */
1015 	ASSERT(mp->b_rptr + sizeof (*samsg) <= mp->b_datap->db_lim);
1016 	mp->b_wptr = mp->b_rptr + sizeof (*samsg);
1017 	samsg->sadb_msg_len = SADB_8TO64(sizeof (sadb_msg_t));
1018 	samsg->sadb_msg_errno = (uint8_t)error;
1019 	samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic;
1020 
1021 	keysock_passup(mp, samsg, ks->keysock_serial, NULL, B_FALSE, keystack);
1022 }
1023 
1024 /*
1025  * Pass down a message to a consumer.  Wrap it in KEYSOCK_IN, and copy
1026  * in the extv if passed in.
1027  */
1028 static void
1029 keysock_passdown(keysock_t *ks, mblk_t *mp, uint8_t satype, sadb_ext_t *extv[],
1030     boolean_t flushmsg)
1031 {
1032 	keysock_consumer_t *kc;
1033 	mblk_t *wrapper;
1034 	keysock_in_t *ksi;
1035 	int i;
1036 	keysock_stack_t	*keystack = ks->keysock_keystack;
1037 
1038 	wrapper = allocb(sizeof (ipsec_info_t), BPRI_HI);
1039 	if (wrapper == NULL) {
1040 		ks3dbg(keystack, ("keysock_passdown: allocb failed.\n"));
1041 		if (extv[SADB_EXT_KEY_ENCRYPT] != NULL)
1042 			bzero(extv[SADB_EXT_KEY_ENCRYPT],
1043 			    SADB_64TO8(
1044 			    extv[SADB_EXT_KEY_ENCRYPT]->sadb_ext_len));
1045 		if (extv[SADB_EXT_KEY_AUTH] != NULL)
1046 			bzero(extv[SADB_EXT_KEY_AUTH],
1047 			    SADB_64TO8(
1048 			    extv[SADB_EXT_KEY_AUTH]->sadb_ext_len));
1049 		if (flushmsg) {
1050 			ks0dbg((
1051 			    "keysock: Downwards flush/dump message failed!\n"));
1052 			/* If this is true, I hold the perimeter. */
1053 			keystack->keystack_flushdump--;
1054 		}
1055 		freemsg(mp);
1056 		return;
1057 	}
1058 
1059 	wrapper->b_datap->db_type = M_CTL;
1060 	ksi = (keysock_in_t *)wrapper->b_rptr;
1061 	ksi->ks_in_type = KEYSOCK_IN;
1062 	ksi->ks_in_len = sizeof (keysock_in_t);
1063 	if (extv[SADB_EXT_ADDRESS_SRC] != NULL)
1064 		ksi->ks_in_srctype = KS_IN_ADDR_UNKNOWN;
1065 	else ksi->ks_in_srctype = KS_IN_ADDR_NOTTHERE;
1066 	if (extv[SADB_EXT_ADDRESS_DST] != NULL)
1067 		ksi->ks_in_dsttype = KS_IN_ADDR_UNKNOWN;
1068 	else ksi->ks_in_dsttype = KS_IN_ADDR_NOTTHERE;
1069 	for (i = 0; i <= SADB_EXT_MAX; i++)
1070 		ksi->ks_in_extv[i] = extv[i];
1071 	ksi->ks_in_serial = ks->keysock_serial;
1072 	wrapper->b_wptr += sizeof (ipsec_info_t);
1073 	wrapper->b_cont = mp;
1074 
1075 	/*
1076 	 * Find the appropriate consumer where the message is passed down.
1077 	 */
1078 	kc = keystack->keystack_consumers[satype];
1079 	if (kc == NULL) {
1080 		freeb(wrapper);
1081 		keysock_error(ks, mp, EINVAL, SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE);
1082 		if (flushmsg) {
1083 			ks0dbg((
1084 			    "keysock: Downwards flush/dump message failed!\n"));
1085 			/* If this is true, I hold the perimeter. */
1086 			keystack->keystack_flushdump--;
1087 		}
1088 		return;
1089 	}
1090 
1091 	/*
1092 	 * NOTE: There used to be code in here to spin while a flush or
1093 	 *	 dump finished.  Keysock now assumes that consumers have enough
1094 	 *	 MT-savviness to deal with that.
1095 	 */
1096 
1097 	/*
1098 	 * Current consumers (AH and ESP) are guaranteed to return a
1099 	 * FLUSH or DUMP message back, so when we reach here, we don't
1100 	 * have to worry about keysock_flushdumps.
1101 	 */
1102 
1103 	putnext(kc->kc_wq, wrapper);
1104 }
1105 
1106 /*
1107  * High-level reality checking of extensions.
1108  */
1109 static boolean_t
1110 ext_check(sadb_ext_t *ext, keysock_stack_t *keystack)
1111 {
1112 	int i;
1113 	uint64_t *lp;
1114 	sadb_ident_t *id;
1115 	char *idstr;
1116 
1117 	switch (ext->sadb_ext_type) {
1118 	case SADB_EXT_ADDRESS_SRC:
1119 	case SADB_EXT_ADDRESS_DST:
1120 	case SADB_X_EXT_ADDRESS_INNER_SRC:
1121 	case SADB_X_EXT_ADDRESS_INNER_DST:
1122 		/* Check for at least enough addtl length for a sockaddr. */
1123 		if (ext->sadb_ext_len <= SADB_8TO64(sizeof (sadb_address_t)))
1124 			return (B_FALSE);
1125 		break;
1126 	case SADB_EXT_LIFETIME_HARD:
1127 	case SADB_EXT_LIFETIME_SOFT:
1128 	case SADB_EXT_LIFETIME_CURRENT:
1129 		if (ext->sadb_ext_len != SADB_8TO64(sizeof (sadb_lifetime_t)))
1130 			return (B_FALSE);
1131 		break;
1132 	case SADB_EXT_SPIRANGE:
1133 		/* See if the SPI range is legit. */
1134 		if (htonl(((sadb_spirange_t *)ext)->sadb_spirange_min) >
1135 		    htonl(((sadb_spirange_t *)ext)->sadb_spirange_max))
1136 			return (B_FALSE);
1137 		break;
1138 	case SADB_EXT_KEY_AUTH:
1139 	case SADB_EXT_KEY_ENCRYPT:
1140 		/* Key length check. */
1141 		if (((sadb_key_t *)ext)->sadb_key_bits == 0)
1142 			return (B_FALSE);
1143 		/*
1144 		 * Check to see if the key length (in bits) is less than the
1145 		 * extension length (in 8-bits words).
1146 		 */
1147 		if ((roundup(SADB_1TO8(((sadb_key_t *)ext)->sadb_key_bits), 8) +
1148 		    sizeof (sadb_key_t)) != SADB_64TO8(ext->sadb_ext_len)) {
1149 			ks1dbg(keystack, (
1150 			    "ext_check:  Key bits/length inconsistent.\n"));
1151 			ks1dbg(keystack, ("%d bits, len is %d bytes.\n",
1152 			    ((sadb_key_t *)ext)->sadb_key_bits,
1153 			    SADB_64TO8(ext->sadb_ext_len)));
1154 			return (B_FALSE);
1155 		}
1156 
1157 		/* All-zeroes key check. */
1158 		lp = (uint64_t *)(((char *)ext) + sizeof (sadb_key_t));
1159 		for (i = 0;
1160 		    i < (ext->sadb_ext_len - SADB_8TO64(sizeof (sadb_key_t)));
1161 		    i++)
1162 			if (lp[i] != 0)
1163 				break;	/* Out of for loop. */
1164 		/* If finished the loop naturally, it's an all zero key. */
1165 		if (lp[i] == 0)
1166 			return (B_FALSE);
1167 		break;
1168 	case SADB_EXT_IDENTITY_SRC:
1169 	case SADB_EXT_IDENTITY_DST:
1170 		/*
1171 		 * Make sure the strings in these identities are
1172 		 * null-terminated.  RFC 2367 underspecified how to handle
1173 		 * such a case.  I "proactively" null-terminate the string
1174 		 * at the last byte if it's not terminated sooner.
1175 		 */
1176 		id = (sadb_ident_t *)ext;
1177 		i = SADB_64TO8(id->sadb_ident_len);
1178 		i -= sizeof (sadb_ident_t);
1179 		idstr = (char *)(id + 1);
1180 		while (*idstr != '\0' && i > 0) {
1181 			i--;
1182 			idstr++;
1183 		}
1184 		if (i == 0) {
1185 			/*
1186 			 * I.e., if the bozo user didn't NULL-terminate the
1187 			 * string...
1188 			 */
1189 			idstr--;
1190 			*idstr = '\0';
1191 		}
1192 		break;
1193 	}
1194 	return (B_TRUE);	/* For now... */
1195 }
1196 
1197 /* Return values for keysock_get_ext(). */
1198 #define	KGE_OK	0
1199 #define	KGE_DUP	1
1200 #define	KGE_UNK	2
1201 #define	KGE_LEN	3
1202 #define	KGE_CHK	4
1203 
1204 /*
1205  * Parse basic extension headers and return in the passed-in pointer vector.
1206  * Return values include:
1207  *
1208  *	KGE_OK	Everything's nice and parsed out.
1209  *		If there are no extensions, place NULL in extv[0].
1210  *	KGE_DUP	There is a duplicate extension.
1211  *		First instance in appropriate bin.  First duplicate in
1212  *		extv[0].
1213  *	KGE_UNK	Unknown extension type encountered.  extv[0] contains
1214  *		unknown header.
1215  *	KGE_LEN	Extension length error.
1216  *	KGE_CHK	High-level reality check failed on specific extension.
1217  *
1218  * My apologies for some of the pointer arithmetic in here.  I'm thinking
1219  * like an assembly programmer, yet trying to make the compiler happy.
1220  */
1221 static int
1222 keysock_get_ext(sadb_ext_t *extv[], sadb_msg_t *basehdr, uint_t msgsize,
1223     keysock_stack_t *keystack)
1224 {
1225 	bzero(extv, sizeof (sadb_ext_t *) * (SADB_EXT_MAX + 1));
1226 
1227 	/* Use extv[0] as the "current working pointer". */
1228 
1229 	extv[0] = (sadb_ext_t *)(basehdr + 1);
1230 
1231 	while (extv[0] < (sadb_ext_t *)(((uint8_t *)basehdr) + msgsize)) {
1232 		/* Check for unknown headers. */
1233 		if (extv[0]->sadb_ext_type == 0 ||
1234 		    extv[0]->sadb_ext_type > SADB_EXT_MAX)
1235 			return (KGE_UNK);
1236 
1237 		/*
1238 		 * Check length.  Use uint64_t because extlen is in units
1239 		 * of 64-bit words.  If length goes beyond the msgsize,
1240 		 * return an error.  (Zero length also qualifies here.)
1241 		 */
1242 		if (extv[0]->sadb_ext_len == 0 ||
1243 		    (void *)((uint64_t *)extv[0] + extv[0]->sadb_ext_len) >
1244 		    (void *)((uint8_t *)basehdr + msgsize))
1245 			return (KGE_LEN);
1246 
1247 		/* Check for redundant headers. */
1248 		if (extv[extv[0]->sadb_ext_type] != NULL)
1249 			return (KGE_DUP);
1250 
1251 		/*
1252 		 * Reality check the extension if possible at the keysock
1253 		 * level.
1254 		 */
1255 		if (!ext_check(extv[0], keystack))
1256 			return (KGE_CHK);
1257 
1258 		/* If I make it here, assign the appropriate bin. */
1259 		extv[extv[0]->sadb_ext_type] = extv[0];
1260 
1261 		/* Advance pointer (See above for uint64_t ptr reasoning.) */
1262 		extv[0] = (sadb_ext_t *)
1263 		    ((uint64_t *)extv[0] + extv[0]->sadb_ext_len);
1264 	}
1265 
1266 	/* Everything's cool. */
1267 
1268 	/*
1269 	 * If extv[0] == NULL, then there are no extension headers in this
1270 	 * message.  Ensure that this is the case.
1271 	 */
1272 	if (extv[0] == (sadb_ext_t *)(basehdr + 1))
1273 		extv[0] = NULL;
1274 
1275 	return (KGE_OK);
1276 }
1277 
1278 /*
1279  * qwriter() callback to handle flushes and dumps.  This routine will hold
1280  * the inner perimeter.
1281  */
1282 void
1283 keysock_do_flushdump(queue_t *q, mblk_t *mp)
1284 {
1285 	int i, start, finish;
1286 	mblk_t *mp1 = NULL;
1287 	keysock_t *ks = (keysock_t *)q->q_ptr;
1288 	sadb_ext_t *extv[SADB_EXT_MAX + 1];
1289 	sadb_msg_t *samsg = (sadb_msg_t *)mp->b_rptr;
1290 	keysock_stack_t	*keystack = ks->keysock_keystack;
1291 
1292 	/*
1293 	 * I am guaranteed this will work.  I did the work in keysock_parse()
1294 	 * already.
1295 	 */
1296 	(void) keysock_get_ext(extv, samsg, SADB_64TO8(samsg->sadb_msg_len),
1297 	    keystack);
1298 
1299 	/*
1300 	 * I hold the perimeter, therefore I don't need to use atomic ops.
1301 	 */
1302 	if (keystack->keystack_flushdump != 0) {
1303 		/* XXX Should I instead use EBUSY? */
1304 		/* XXX Or is there a way to queue these up? */
1305 		keysock_error(ks, mp, ENOMEM, SADB_X_DIAGNOSTIC_NONE);
1306 		return;
1307 	}
1308 
1309 	if (samsg->sadb_msg_satype == SADB_SATYPE_UNSPEC) {
1310 		start = 0;
1311 		finish = KEYSOCK_MAX_CONSUMERS - 1;
1312 	} else {
1313 		start = samsg->sadb_msg_satype;
1314 		finish = samsg->sadb_msg_satype;
1315 	}
1316 
1317 	/*
1318 	 * Fill up keysock_flushdump with the number of outstanding dumps
1319 	 * and/or flushes.
1320 	 */
1321 
1322 	keystack->keystack_flushdump_errno = 0;
1323 
1324 	/*
1325 	 * Okay, I hold the perimeter.  Eventually keysock_flushdump will
1326 	 * contain the number of consumers with outstanding flush operations.
1327 	 *
1328 	 * SO, here's the plan:
1329 	 *	* For each relevant consumer (Might be one, might be all)
1330 	 *		* Twiddle on the FLUSHING flag.
1331 	 *		* Pass down the FLUSH/DUMP message.
1332 	 *
1333 	 * When I see upbound FLUSH/DUMP messages, I will decrement the
1334 	 * keysock_flushdump.  When I decrement it to 0, I will pass the
1335 	 * FLUSH/DUMP message back up to the PF_KEY sockets.  Because I will
1336 	 * pass down the right SA type to the consumer (either its own, or
1337 	 * that of UNSPEC), the right one will be reflected from each consumer,
1338 	 * and accordingly back to the socket.
1339 	 */
1340 
1341 	mutex_enter(&keystack->keystack_consumers_lock);
1342 	for (i = start; i <= finish; i++) {
1343 		if (keystack->keystack_consumers[i] != NULL) {
1344 			mp1 = copymsg(mp);
1345 			if (mp1 == NULL) {
1346 				ks0dbg(("SADB_FLUSH copymsg() failed.\n"));
1347 				/*
1348 				 * Error?  And what about outstanding
1349 				 * flushes?  Oh, yeah, they get sucked up and
1350 				 * the counter is decremented.  Consumers
1351 				 * (see keysock_passdown()) are guaranteed
1352 				 * to deliver back a flush request, even if
1353 				 * it's an error.
1354 				 */
1355 				keysock_error(ks, mp, ENOMEM,
1356 				    SADB_X_DIAGNOSTIC_NONE);
1357 				return;
1358 			}
1359 			/*
1360 			 * Because my entry conditions are met above, the
1361 			 * following assertion should hold true.
1362 			 */
1363 			mutex_enter(&keystack->keystack_consumers[i]->kc_lock);
1364 			ASSERT((keystack->keystack_consumers[i]->kc_flags &
1365 			    KC_FLUSHING) == 0);
1366 			keystack->keystack_consumers[i]->kc_flags |=
1367 			    KC_FLUSHING;
1368 			mutex_exit(&(keystack->keystack_consumers[i]->kc_lock));
1369 			/* Always increment the number of flushes... */
1370 			keystack->keystack_flushdump++;
1371 			/* Guaranteed to return a message. */
1372 			keysock_passdown(ks, mp1, i, extv, B_TRUE);
1373 		} else if (start == finish) {
1374 			/*
1375 			 * In case where start == finish, and there's no
1376 			 * consumer, should we force an error?  Yes.
1377 			 */
1378 			mutex_exit(&keystack->keystack_consumers_lock);
1379 			keysock_error(ks, mp, EINVAL,
1380 			    SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE);
1381 			return;
1382 		}
1383 	}
1384 	mutex_exit(&keystack->keystack_consumers_lock);
1385 
1386 	if (keystack->keystack_flushdump == 0) {
1387 		/*
1388 		 * There were no consumers at all for this message.
1389 		 * XXX For now return ESRCH.
1390 		 */
1391 		keysock_error(ks, mp, ESRCH, SADB_X_DIAGNOSTIC_NO_SADBS);
1392 	} else {
1393 		/* Otherwise, free the original message. */
1394 		freemsg(mp);
1395 	}
1396 }
1397 
1398 /*
1399  * Get the right diagnostic for a duplicate.  Should probably use a static
1400  * table lookup.
1401  */
1402 int
1403 keysock_duplicate(int ext_type)
1404 {
1405 	int rc = 0;
1406 
1407 	switch (ext_type) {
1408 	case SADB_EXT_ADDRESS_SRC:
1409 		rc = SADB_X_DIAGNOSTIC_DUPLICATE_SRC;
1410 		break;
1411 	case SADB_EXT_ADDRESS_DST:
1412 		rc = SADB_X_DIAGNOSTIC_DUPLICATE_DST;
1413 		break;
1414 	case SADB_X_EXT_ADDRESS_INNER_SRC:
1415 		rc = SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC;
1416 		break;
1417 	case SADB_X_EXT_ADDRESS_INNER_DST:
1418 		rc = SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST;
1419 		break;
1420 	case SADB_EXT_SA:
1421 		rc = SADB_X_DIAGNOSTIC_DUPLICATE_SA;
1422 		break;
1423 	case SADB_EXT_SPIRANGE:
1424 		rc = SADB_X_DIAGNOSTIC_DUPLICATE_RANGE;
1425 		break;
1426 	case SADB_EXT_KEY_AUTH:
1427 		rc = SADB_X_DIAGNOSTIC_DUPLICATE_AKEY;
1428 		break;
1429 	case SADB_EXT_KEY_ENCRYPT:
1430 		rc = SADB_X_DIAGNOSTIC_DUPLICATE_EKEY;
1431 		break;
1432 	}
1433 	return (rc);
1434 }
1435 
1436 /*
1437  * Get the right diagnostic for a reality check failure.  Should probably use
1438  * a static table lookup.
1439  */
1440 int
1441 keysock_malformed(int ext_type)
1442 {
1443 	int rc = 0;
1444 
1445 	switch (ext_type) {
1446 	case SADB_EXT_ADDRESS_SRC:
1447 		rc = SADB_X_DIAGNOSTIC_MALFORMED_SRC;
1448 		break;
1449 	case SADB_EXT_ADDRESS_DST:
1450 		rc = SADB_X_DIAGNOSTIC_MALFORMED_DST;
1451 		break;
1452 	case SADB_X_EXT_ADDRESS_INNER_SRC:
1453 		rc = SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC;
1454 		break;
1455 	case SADB_X_EXT_ADDRESS_INNER_DST:
1456 		rc = SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST;
1457 		break;
1458 	case SADB_EXT_SA:
1459 		rc = SADB_X_DIAGNOSTIC_MALFORMED_SA;
1460 		break;
1461 	case SADB_EXT_SPIRANGE:
1462 		rc = SADB_X_DIAGNOSTIC_MALFORMED_RANGE;
1463 		break;
1464 	case SADB_EXT_KEY_AUTH:
1465 		rc = SADB_X_DIAGNOSTIC_MALFORMED_AKEY;
1466 		break;
1467 	case SADB_EXT_KEY_ENCRYPT:
1468 		rc = SADB_X_DIAGNOSTIC_MALFORMED_EKEY;
1469 		break;
1470 	}
1471 	return (rc);
1472 }
1473 
1474 /*
1475  * Keysock massaging of an inverse ACQUIRE.  Consult policy,
1476  * and construct an appropriate response.
1477  */
1478 static void
1479 keysock_inverse_acquire(mblk_t *mp, sadb_msg_t *samsg, sadb_ext_t *extv[],
1480     keysock_t *ks)
1481 {
1482 	mblk_t *reply_mp;
1483 	keysock_stack_t	*keystack = ks->keysock_keystack;
1484 
1485 	/*
1486 	 * Reality check things...
1487 	 */
1488 	if (extv[SADB_EXT_ADDRESS_SRC] == NULL) {
1489 		keysock_error(ks, mp, EINVAL, SADB_X_DIAGNOSTIC_MISSING_SRC);
1490 		return;
1491 	}
1492 	if (extv[SADB_EXT_ADDRESS_DST] == NULL) {
1493 		keysock_error(ks, mp, EINVAL, SADB_X_DIAGNOSTIC_MISSING_DST);
1494 		return;
1495 	}
1496 
1497 	if (extv[SADB_X_EXT_ADDRESS_INNER_SRC] != NULL &&
1498 	    extv[SADB_X_EXT_ADDRESS_INNER_DST] == NULL) {
1499 		keysock_error(ks, mp, EINVAL,
1500 		    SADB_X_DIAGNOSTIC_MISSING_INNER_DST);
1501 		return;
1502 	}
1503 
1504 	if (extv[SADB_X_EXT_ADDRESS_INNER_SRC] == NULL &&
1505 	    extv[SADB_X_EXT_ADDRESS_INNER_DST] != NULL) {
1506 		keysock_error(ks, mp, EINVAL,
1507 		    SADB_X_DIAGNOSTIC_MISSING_INNER_SRC);
1508 		return;
1509 	}
1510 
1511 	reply_mp = ipsec_construct_inverse_acquire(samsg, extv,
1512 	    keystack->keystack_netstack);
1513 
1514 	if (reply_mp != NULL) {
1515 		freemsg(mp);
1516 		keysock_passup(reply_mp, (sadb_msg_t *)reply_mp->b_rptr,
1517 		    ks->keysock_serial, NULL, B_FALSE, keystack);
1518 	} else {
1519 		keysock_error(ks, mp, samsg->sadb_msg_errno,
1520 		    samsg->sadb_x_msg_diagnostic);
1521 	}
1522 }
1523 
1524 /*
1525  * Spew an extended REGISTER down to the relevant consumers.
1526  */
1527 static void
1528 keysock_extended_register(keysock_t *ks, mblk_t *mp, sadb_ext_t *extv[])
1529 {
1530 	sadb_x_ereg_t *ereg = (sadb_x_ereg_t *)extv[SADB_X_EXT_EREG];
1531 	uint8_t *satypes, *fencepost;
1532 	mblk_t *downmp;
1533 	sadb_ext_t *downextv[SADB_EXT_MAX + 1];
1534 	keysock_stack_t	*keystack = ks->keysock_keystack;
1535 
1536 	if (ks->keysock_registered[0] != 0 || ks->keysock_registered[1] != 0 ||
1537 	    ks->keysock_registered[2] != 0 || ks->keysock_registered[3] != 0) {
1538 		keysock_error(ks, mp, EBUSY, 0);
1539 	}
1540 
1541 	ks->keysock_flags |= KEYSOCK_EXTENDED;
1542 	if (ereg == NULL) {
1543 		keysock_error(ks, mp, EINVAL, SADB_X_DIAGNOSTIC_SATYPE_NEEDED);
1544 	} else {
1545 		ASSERT(mp->b_rptr + msgdsize(mp) == mp->b_wptr);
1546 		fencepost = (uint8_t *)mp->b_wptr;
1547 		satypes = ereg->sadb_x_ereg_satypes;
1548 		while (*satypes != SADB_SATYPE_UNSPEC && satypes != fencepost) {
1549 			downmp = copymsg(mp);
1550 			if (downmp == NULL) {
1551 				keysock_error(ks, mp, ENOMEM, 0);
1552 				return;
1553 			}
1554 			/*
1555 			 * Since we've made it here, keysock_get_ext will work!
1556 			 */
1557 			(void) keysock_get_ext(downextv,
1558 			    (sadb_msg_t *)downmp->b_rptr, msgdsize(downmp),
1559 			    keystack);
1560 			keysock_passdown(ks, downmp, *satypes, downextv,
1561 			    B_FALSE);
1562 			++satypes;
1563 		}
1564 		freemsg(mp);
1565 	}
1566 
1567 	/*
1568 	 * Set global to indicate we prefer an extended ACQUIRE.
1569 	 */
1570 	atomic_add_32(&keystack->keystack_num_extended, 1);
1571 }
1572 
1573 static void
1574 keysock_delpair_all(keysock_t *ks, mblk_t *mp, sadb_ext_t *extv[])
1575 {
1576 	int i, start, finish;
1577 	mblk_t *mp1 = NULL;
1578 	keysock_stack_t *keystack = ks->keysock_keystack;
1579 
1580 	start = 0;
1581 	finish = KEYSOCK_MAX_CONSUMERS - 1;
1582 
1583 	for (i = start; i <= finish; i++) {
1584 		if (keystack->keystack_consumers[i] != NULL) {
1585 			mp1 = copymsg(mp);
1586 			if (mp1 == NULL) {
1587 				keysock_error(ks, mp, ENOMEM,
1588 				    SADB_X_DIAGNOSTIC_NONE);
1589 				return;
1590 			}
1591 			keysock_passdown(ks, mp1, i, extv, B_FALSE);
1592 		}
1593 	}
1594 }
1595 
1596 /*
1597  * Handle PF_KEY messages.
1598  */
1599 static void
1600 keysock_parse(queue_t *q, mblk_t *mp)
1601 {
1602 	sadb_msg_t *samsg;
1603 	sadb_ext_t *extv[SADB_EXT_MAX + 1];
1604 	keysock_t *ks = (keysock_t *)q->q_ptr;
1605 	uint_t msgsize;
1606 	uint8_t satype;
1607 	keysock_stack_t	*keystack = ks->keysock_keystack;
1608 
1609 	/* Make sure I'm a PF_KEY socket.  (i.e. nothing's below me) */
1610 	ASSERT(WR(q)->q_next == NULL);
1611 
1612 	samsg = (sadb_msg_t *)mp->b_rptr;
1613 	ks2dbg(keystack, ("Received possible PF_KEY message, type %d.\n",
1614 	    samsg->sadb_msg_type));
1615 
1616 	msgsize = SADB_64TO8(samsg->sadb_msg_len);
1617 
1618 	if (msgdsize(mp) != msgsize) {
1619 		/*
1620 		 * Message len incorrect w.r.t. actual size.  Send an error
1621 		 * (EMSGSIZE).	It may be necessary to massage things a
1622 		 * bit.	 For example, if the sadb_msg_type is hosed,
1623 		 * I need to set it to SADB_RESERVED to get delivery to
1624 		 * do the right thing.	Then again, maybe just letting
1625 		 * the error delivery do the right thing.
1626 		 */
1627 		ks2dbg(keystack,
1628 		    ("mblk (%lu) and base (%d) message sizes don't jibe.\n",
1629 		    msgdsize(mp), msgsize));
1630 		keysock_error(ks, mp, EMSGSIZE, SADB_X_DIAGNOSTIC_NONE);
1631 		return;
1632 	}
1633 
1634 	if (msgsize > (uint_t)(mp->b_wptr - mp->b_rptr)) {
1635 		/* Get all message into one mblk. */
1636 		if (pullupmsg(mp, -1) == 0) {
1637 			/*
1638 			 * Something screwy happened.
1639 			 */
1640 			ks3dbg(keystack,
1641 			    ("keysock_parse: pullupmsg() failed.\n"));
1642 			return;
1643 		} else {
1644 			samsg = (sadb_msg_t *)mp->b_rptr;
1645 		}
1646 	}
1647 
1648 	switch (keysock_get_ext(extv, samsg, msgsize, keystack)) {
1649 	case KGE_DUP:
1650 		/* Handle duplicate extension. */
1651 		ks1dbg(keystack, ("Got duplicate extension of type %d.\n",
1652 		    extv[0]->sadb_ext_type));
1653 		keysock_error(ks, mp, EINVAL,
1654 		    keysock_duplicate(extv[0]->sadb_ext_type));
1655 		return;
1656 	case KGE_UNK:
1657 		/* Handle unknown extension. */
1658 		ks1dbg(keystack, ("Got unknown extension of type %d.\n",
1659 		    extv[0]->sadb_ext_type));
1660 		keysock_error(ks, mp, EINVAL, SADB_X_DIAGNOSTIC_UNKNOWN_EXT);
1661 		return;
1662 	case KGE_LEN:
1663 		/* Length error. */
1664 		ks1dbg(keystack,
1665 		    ("Length %d on extension type %d overrun or 0.\n",
1666 		    extv[0]->sadb_ext_len, extv[0]->sadb_ext_type));
1667 		keysock_error(ks, mp, EINVAL, SADB_X_DIAGNOSTIC_BAD_EXTLEN);
1668 		return;
1669 	case KGE_CHK:
1670 		/* Reality check failed. */
1671 		ks1dbg(keystack,
1672 		    ("Reality check failed on extension type %d.\n",
1673 		    extv[0]->sadb_ext_type));
1674 		keysock_error(ks, mp, EINVAL,
1675 		    keysock_malformed(extv[0]->sadb_ext_type));
1676 		return;
1677 	default:
1678 		/* Default case is no errors. */
1679 		break;
1680 	}
1681 
1682 	switch (samsg->sadb_msg_type) {
1683 	case SADB_REGISTER:
1684 		/*
1685 		 * There's a semantic weirdness in that a message OTHER than
1686 		 * the return REGISTER message may be passed up if I set the
1687 		 * registered bit BEFORE I pass it down.
1688 		 *
1689 		 * SOOOO, I'll not twiddle any registered bits until I see
1690 		 * the upbound REGISTER (with a serial number in it).
1691 		 */
1692 		if (samsg->sadb_msg_satype == SADB_SATYPE_UNSPEC) {
1693 			/* Handle extended register here. */
1694 			keysock_extended_register(ks, mp, extv);
1695 			return;
1696 		} else if (ks->keysock_flags & KEYSOCK_EXTENDED) {
1697 			keysock_error(ks, mp, EBUSY, 0);
1698 			return;
1699 		}
1700 		/* FALLTHRU */
1701 	case SADB_GETSPI:
1702 	case SADB_ADD:
1703 	case SADB_UPDATE:
1704 	case SADB_X_UPDATEPAIR:
1705 	case SADB_DELETE:
1706 	case SADB_X_DELPAIR:
1707 	case SADB_GET:
1708 		/*
1709 		 * Pass down to appropriate consumer.
1710 		 */
1711 		if (samsg->sadb_msg_satype != SADB_SATYPE_UNSPEC)
1712 			keysock_passdown(ks, mp, samsg->sadb_msg_satype, extv,
1713 			    B_FALSE);
1714 		else keysock_error(ks, mp, EINVAL,
1715 		    SADB_X_DIAGNOSTIC_SATYPE_NEEDED);
1716 		return;
1717 	case SADB_X_DELPAIR_STATE:
1718 		if (samsg->sadb_msg_satype == SADB_SATYPE_UNSPEC) {
1719 			keysock_delpair_all(ks, mp, extv);
1720 		} else {
1721 			keysock_passdown(ks, mp, samsg->sadb_msg_satype, extv,
1722 			    B_FALSE);
1723 		}
1724 		return;
1725 	case SADB_ACQUIRE:
1726 		/*
1727 		 * If I _receive_ an acquire, this means I should spread it
1728 		 * out to registered sockets.  Unless there's an errno...
1729 		 *
1730 		 * Need ADDRESS, may have ID, SENS, and PROP, unless errno,
1731 		 * in which case there should be NO extensions.
1732 		 *
1733 		 * Return to registered.
1734 		 */
1735 		if (samsg->sadb_msg_errno != 0) {
1736 			satype = samsg->sadb_msg_satype;
1737 			if (satype == SADB_SATYPE_UNSPEC) {
1738 				if (!(ks->keysock_flags & KEYSOCK_EXTENDED)) {
1739 					keysock_error(ks, mp, EINVAL,
1740 					    SADB_X_DIAGNOSTIC_SATYPE_NEEDED);
1741 					return;
1742 				}
1743 				/*
1744 				 * Reassign satype based on the first
1745 				 * flags that KEYSOCK_SETREG says.
1746 				 */
1747 				while (satype <= SADB_SATYPE_MAX) {
1748 					if (KEYSOCK_ISREG(ks, satype))
1749 						break;
1750 					satype++;
1751 				}
1752 				if (satype > SADB_SATYPE_MAX) {
1753 					keysock_error(ks, mp, EBUSY, 0);
1754 					return;
1755 				}
1756 			}
1757 			keysock_passdown(ks, mp, satype, extv, B_FALSE);
1758 		} else {
1759 			if (samsg->sadb_msg_satype == SADB_SATYPE_UNSPEC) {
1760 				keysock_error(ks, mp, EINVAL,
1761 				    SADB_X_DIAGNOSTIC_SATYPE_NEEDED);
1762 			} else {
1763 				keysock_passup(mp, samsg, 0, NULL, B_FALSE,
1764 				    keystack);
1765 			}
1766 		}
1767 		return;
1768 	case SADB_EXPIRE:
1769 		/*
1770 		 * If someone sends this in, then send out to all senders.
1771 		 * (Save maybe ESP or AH, I have to be careful here.)
1772 		 *
1773 		 * Need ADDRESS, may have ID and SENS.
1774 		 *
1775 		 * XXX for now this is unsupported.
1776 		 */
1777 		break;
1778 	case SADB_FLUSH:
1779 		/*
1780 		 * Nuke all SAs.
1781 		 *
1782 		 * No extensions at all.  Return to all listeners.
1783 		 *
1784 		 * Question:	Should I hold a lock here to prevent
1785 		 *		additions/deletions while flushing?
1786 		 * Answer:	No.  (See keysock_passdown() for details.)
1787 		 */
1788 		if (extv[0] != NULL) {
1789 			/*
1790 			 * FLUSH messages shouldn't have extensions.
1791 			 * Return EINVAL.
1792 			 */
1793 			ks2dbg(keystack, ("FLUSH message with extension.\n"));
1794 			keysock_error(ks, mp, EINVAL, SADB_X_DIAGNOSTIC_NO_EXT);
1795 			return;
1796 		}
1797 
1798 		/* Passing down of DUMP/FLUSH messages are special. */
1799 		qwriter(q, mp, keysock_do_flushdump, PERIM_INNER);
1800 		return;
1801 	case SADB_DUMP:	 /* not used by normal applications */
1802 		if ((extv[0] != NULL) &&
1803 		    ((msgsize >
1804 		    (sizeof (sadb_msg_t) + sizeof (sadb_x_edump_t))) ||
1805 		    (extv[SADB_X_EXT_EDUMP] == NULL))) {
1806 				keysock_error(ks, mp, EINVAL,
1807 				    SADB_X_DIAGNOSTIC_NO_EXT);
1808 				return;
1809 		}
1810 		qwriter(q, mp, keysock_do_flushdump, PERIM_INNER);
1811 		return;
1812 	case SADB_X_PROMISC:
1813 		/*
1814 		 * Promiscuous processing message.
1815 		 */
1816 		if (samsg->sadb_msg_satype == 0)
1817 			ks->keysock_flags &= ~KEYSOCK_PROMISC;
1818 		else
1819 			ks->keysock_flags |= KEYSOCK_PROMISC;
1820 		keysock_passup(mp, samsg, ks->keysock_serial, NULL, B_FALSE,
1821 		    keystack);
1822 		return;
1823 	case SADB_X_INVERSE_ACQUIRE:
1824 		keysock_inverse_acquire(mp, samsg, extv, ks);
1825 		return;
1826 	default:
1827 		ks2dbg(keystack, ("Got unknown message type %d.\n",
1828 		    samsg->sadb_msg_type));
1829 		keysock_error(ks, mp, EINVAL, SADB_X_DIAGNOSTIC_UNKNOWN_MSG);
1830 		return;
1831 	}
1832 
1833 	/* As a placeholder... */
1834 	ks0dbg(("keysock_parse():  Hit EOPNOTSUPP\n"));
1835 	keysock_error(ks, mp, EOPNOTSUPP, SADB_X_DIAGNOSTIC_NONE);
1836 }
1837 
1838 /*
1839  * wput routing for PF_KEY/keysock/whatever.  Unlike the routing socket,
1840  * I don't convert to ioctl()'s for IP.  I am the end-all driver as far
1841  * as PF_KEY sockets are concerned.  I do some conversion, but not as much
1842  * as IP/rts does.
1843  */
1844 static void
1845 keysock_wput(queue_t *q, mblk_t *mp)
1846 {
1847 	uchar_t *rptr = mp->b_rptr;
1848 	mblk_t *mp1;
1849 	keysock_t *ks;
1850 	keysock_stack_t	*keystack;
1851 
1852 	if (WR(q)->q_next) {
1853 		keysock_consumer_t *kc = (keysock_consumer_t *)q->q_ptr;
1854 		keystack = kc->kc_keystack;
1855 
1856 		ks3dbg(keystack, ("In keysock_wput\n"));
1857 
1858 		/*
1859 		 * We shouldn't get writes on a consumer instance.
1860 		 * But for now, just passthru.
1861 		 */
1862 		ks1dbg(keystack, ("Huh?  wput for an consumer instance (%d)?\n",
1863 		    kc->kc_sa_type));
1864 		putnext(q, mp);
1865 		return;
1866 	}
1867 	ks = (keysock_t *)q->q_ptr;
1868 	keystack = ks->keysock_keystack;
1869 
1870 	ks3dbg(keystack, ("In keysock_wput\n"));
1871 
1872 	switch (mp->b_datap->db_type) {
1873 	case M_DATA:
1874 		/*
1875 		 * Silently discard.
1876 		 */
1877 		ks2dbg(keystack, ("raw M_DATA in keysock.\n"));
1878 		freemsg(mp);
1879 		return;
1880 	case M_PROTO:
1881 	case M_PCPROTO:
1882 		if ((mp->b_wptr - rptr) >= sizeof (struct T_data_req)) {
1883 			if (((union T_primitives *)rptr)->type == T_DATA_REQ) {
1884 				if ((mp1 = mp->b_cont) == NULL) {
1885 					/* No data after T_DATA_REQ. */
1886 					ks2dbg(keystack,
1887 					    ("No data after DATA_REQ.\n"));
1888 					freemsg(mp);
1889 					return;
1890 				}
1891 				freeb(mp);
1892 				mp = mp1;
1893 				ks2dbg(keystack, ("T_DATA_REQ\n"));
1894 				break;	/* Out of switch. */
1895 			}
1896 		}
1897 		/* FALLTHRU */
1898 	default:
1899 		ks3dbg(keystack, ("In default wput case (%d %d).\n",
1900 		    mp->b_datap->db_type, ((union T_primitives *)rptr)->type));
1901 		keysock_wput_other(q, mp);
1902 		return;
1903 	}
1904 
1905 	/* I now have a PF_KEY message in an M_DATA block, pointed to by mp. */
1906 	keysock_parse(q, mp);
1907 }
1908 
1909 /* BELOW THIS LINE ARE ROUTINES INCLUDING AND RELATED TO keysock_rput(). */
1910 
1911 /*
1912  * Called upon receipt of a KEYSOCK_HELLO_ACK to set up the appropriate
1913  * state vectors.
1914  */
1915 static void
1916 keysock_link_consumer(uint8_t satype, keysock_consumer_t *kc)
1917 {
1918 	keysock_t *ks;
1919 	keysock_stack_t	*keystack = kc->kc_keystack;
1920 
1921 	mutex_enter(&keystack->keystack_consumers_lock);
1922 	mutex_enter(&kc->kc_lock);
1923 	if (keystack->keystack_consumers[satype] != NULL) {
1924 		ks0dbg((
1925 		    "Hmmmm, someone closed %d before the HELLO_ACK happened.\n",
1926 		    satype));
1927 		/*
1928 		 * Perhaps updating the new below-me consumer with what I have
1929 		 * so far would work too?
1930 		 */
1931 		mutex_exit(&kc->kc_lock);
1932 		mutex_exit(&keystack->keystack_consumers_lock);
1933 	} else {
1934 		/* Add new below-me consumer. */
1935 		keystack->keystack_consumers[satype] = kc;
1936 
1937 		kc->kc_flags = 0;
1938 		kc->kc_sa_type = satype;
1939 		mutex_exit(&kc->kc_lock);
1940 		mutex_exit(&keystack->keystack_consumers_lock);
1941 
1942 		/* Scan the keysock list. */
1943 		mutex_enter(&keystack->keystack_list_lock);
1944 		for (ks = keystack->keystack_list; ks != NULL;
1945 		    ks = ks->keysock_next) {
1946 			if (KEYSOCK_ISREG(ks, satype)) {
1947 				/*
1948 				 * XXX Perhaps send an SADB_REGISTER down on
1949 				 * the socket's behalf.
1950 				 */
1951 				ks1dbg(keystack,
1952 				    ("Socket %u registered already for "
1953 				    "new consumer.\n", ks->keysock_serial));
1954 			}
1955 		}
1956 		mutex_exit(&keystack->keystack_list_lock);
1957 	}
1958 }
1959 
1960 /*
1961  * Generate a KEYSOCK_OUT_ERR message for my consumer.
1962  */
1963 static void
1964 keysock_out_err(keysock_consumer_t *kc, int ks_errno, mblk_t *mp)
1965 {
1966 	keysock_out_err_t *kse;
1967 	mblk_t *imp;
1968 	keysock_stack_t	*keystack = kc->kc_keystack;
1969 
1970 	imp = allocb(sizeof (ipsec_info_t), BPRI_HI);
1971 	if (imp == NULL) {
1972 		ks1dbg(keystack, ("keysock_out_err:  Can't alloc message.\n"));
1973 		return;
1974 	}
1975 
1976 	imp->b_datap->db_type = M_CTL;
1977 	imp->b_wptr += sizeof (ipsec_info_t);
1978 
1979 	kse = (keysock_out_err_t *)imp->b_rptr;
1980 	imp->b_cont = mp;
1981 	kse->ks_err_type = KEYSOCK_OUT_ERR;
1982 	kse->ks_err_len = sizeof (*kse);
1983 	/* Is serial necessary? */
1984 	kse->ks_err_serial = 0;
1985 	kse->ks_err_errno = ks_errno;
1986 
1987 	/*
1988 	 * XXX What else do I need to do here w.r.t. information
1989 	 * to tell the consumer what caused this error?
1990 	 *
1991 	 * I believe the answer is the PF_KEY ACQUIRE (or other) message
1992 	 * attached in mp, which is appended at the end.  I believe the
1993 	 * db_ref won't matter here, because the PF_KEY message is only read
1994 	 * for KEYSOCK_OUT_ERR.
1995 	 */
1996 
1997 	putnext(kc->kc_wq, imp);
1998 }
1999 
2000 /* XXX this is a hack errno. */
2001 #define	EIPSECNOSA 255
2002 
2003 /*
2004  * Route message (pointed by mp, header in samsg) toward appropriate
2005  * sockets.  Assume the message's creator did its job correctly.
2006  *
2007  * This should be a function that is followed by a return in its caller.
2008  * The compiler _should_ be able to use tail-call optimizations to make the
2009  * large ## of parameters not a huge deal.
2010  */
2011 static void
2012 keysock_passup(mblk_t *mp, sadb_msg_t *samsg, minor_t serial,
2013     keysock_consumer_t *kc, boolean_t persistent, keysock_stack_t *keystack)
2014 {
2015 	keysock_t *ks;
2016 	uint8_t satype = samsg->sadb_msg_satype;
2017 	boolean_t toall = B_FALSE, allreg = B_FALSE, allereg = B_FALSE,
2018 	    setalg = B_FALSE;
2019 	mblk_t *mp1;
2020 	int err = EIPSECNOSA;
2021 
2022 	/* Convert mp, which is M_DATA, into an M_PROTO of type T_DATA_IND */
2023 	mp1 = allocb(sizeof (struct T_data_req), BPRI_HI);
2024 	if (mp1 == NULL) {
2025 		err = ENOMEM;
2026 		goto error;
2027 	}
2028 	mp1->b_wptr += sizeof (struct T_data_req);
2029 	((struct T_data_ind *)mp1->b_rptr)->PRIM_type = T_DATA_IND;
2030 	((struct T_data_ind *)mp1->b_rptr)->MORE_flag = 0;
2031 	mp1->b_datap->db_type = M_PROTO;
2032 	mp1->b_cont = mp;
2033 	mp = mp1;
2034 
2035 	switch (samsg->sadb_msg_type) {
2036 	case SADB_FLUSH:
2037 	case SADB_GETSPI:
2038 	case SADB_UPDATE:
2039 	case SADB_X_UPDATEPAIR:
2040 	case SADB_ADD:
2041 	case SADB_DELETE:
2042 	case SADB_X_DELPAIR:
2043 	case SADB_EXPIRE:
2044 		/*
2045 		 * These are most likely replies.  Don't worry about
2046 		 * KEYSOCK_OUT_ERR handling.  Deliver to all sockets.
2047 		 */
2048 		ks3dbg(keystack,
2049 		    ("Delivering normal message (%d) to all sockets.\n",
2050 		    samsg->sadb_msg_type));
2051 		toall = B_TRUE;
2052 		break;
2053 	case SADB_REGISTER:
2054 		/*
2055 		 * REGISTERs come up for one of three reasons:
2056 		 *
2057 		 *	1.) In response to a normal SADB_REGISTER
2058 		 *		(samsg->sadb_msg_satype != SADB_SATYPE_UNSPEC &&
2059 		 *		    serial != 0)
2060 		 *		Deliver to normal SADB_REGISTERed sockets.
2061 		 *	2.) In response to an extended REGISTER
2062 		 *		(samsg->sadb_msg_satype == SADB_SATYPE_UNSPEC)
2063 		 *		Deliver to extended REGISTERed socket.
2064 		 *	3.) Spontaneous algorithm changes
2065 		 *		(samsg->sadb_msg_satype != SADB_SATYPE_UNSPEC &&
2066 		 *		    serial == 0)
2067 		 *		Deliver to REGISTERed sockets of all sorts.
2068 		 */
2069 		if (kc == NULL) {
2070 			/* Here because of keysock_error() call. */
2071 			ASSERT(samsg->sadb_msg_errno != 0);
2072 			break;	/* Out of switch. */
2073 		}
2074 		ks3dbg(keystack, ("Delivering REGISTER.\n"));
2075 		if (satype == SADB_SATYPE_UNSPEC) {
2076 			/* REGISTER Reason #2 */
2077 			allereg = B_TRUE;
2078 			/*
2079 			 * Rewhack SA type so PF_KEY socket holder knows what
2080 			 * consumer generated this algorithm list.
2081 			 */
2082 			satype = kc->kc_sa_type;
2083 			samsg->sadb_msg_satype = satype;
2084 			setalg = B_TRUE;
2085 		} else if (serial == 0) {
2086 			/* REGISTER Reason #3 */
2087 			allreg = B_TRUE;
2088 			allereg = B_TRUE;
2089 		} else {
2090 			/* REGISTER Reason #1 */
2091 			allreg = B_TRUE;
2092 			setalg = B_TRUE;
2093 		}
2094 		break;
2095 	case SADB_ACQUIRE:
2096 		/*
2097 		 * ACQUIREs are either extended (sadb_msg_satype == 0) or
2098 		 * regular (sadb_msg_satype != 0).  And we're guaranteed
2099 		 * that serial == 0 for an ACQUIRE.
2100 		 */
2101 		ks3dbg(keystack, ("Delivering ACQUIRE.\n"));
2102 		allereg = (satype == SADB_SATYPE_UNSPEC);
2103 		allreg = !allereg;
2104 		/*
2105 		 * Corner case - if we send a regular ACQUIRE and there's
2106 		 * extended ones registered, don't send an error down to
2107 		 * consumers if nobody's listening and prematurely destroy
2108 		 * their ACQUIRE record.  This might be too hackish of a
2109 		 * solution.
2110 		 */
2111 		if (allreg && keystack->keystack_num_extended > 0)
2112 			err = 0;
2113 		break;
2114 	case SADB_X_PROMISC:
2115 	case SADB_X_INVERSE_ACQUIRE:
2116 	case SADB_DUMP:
2117 	case SADB_GET:
2118 	default:
2119 		/*
2120 		 * Deliver to the sender and promiscuous only.
2121 		 */
2122 		ks3dbg(keystack, ("Delivering sender/promisc only (%d).\n",
2123 		    samsg->sadb_msg_type));
2124 		break;
2125 	}
2126 
2127 	mutex_enter(&keystack->keystack_list_lock);
2128 	for (ks = keystack->keystack_list; ks != NULL; ks = ks->keysock_next) {
2129 		/* Delivery loop. */
2130 
2131 		/*
2132 		 * Check special keysock-setting cases (REGISTER replies)
2133 		 * here.
2134 		 */
2135 		if (setalg && serial == ks->keysock_serial) {
2136 			ASSERT(kc != NULL);
2137 			ASSERT(kc->kc_sa_type == satype);
2138 			KEYSOCK_SETREG(ks, satype);
2139 		}
2140 
2141 		/*
2142 		 * NOLOOP takes precedence over PROMISC.  So if you've set
2143 		 * !SO_USELOOPBACK, don't expect to see any data...
2144 		 */
2145 		if (ks->keysock_flags & KEYSOCK_NOLOOP)
2146 			continue;
2147 
2148 		/*
2149 		 * Messages to all, or promiscuous sockets just GET the
2150 		 * message.  Perform rules-type checking iff it's not for all
2151 		 * listeners or the socket is in promiscuous mode.
2152 		 *
2153 		 * NOTE:Because of the (kc != NULL && ISREG()), make sure
2154 		 *	extended ACQUIREs arrive off a consumer that is
2155 		 *	part of the extended REGISTER set of consumers.
2156 		 */
2157 		if (serial != ks->keysock_serial &&
2158 		    !toall &&
2159 		    !(ks->keysock_flags & KEYSOCK_PROMISC) &&
2160 		    !((ks->keysock_flags & KEYSOCK_EXTENDED) ?
2161 		    allereg : allreg && kc != NULL &&
2162 		    KEYSOCK_ISREG(ks, kc->kc_sa_type)))
2163 			continue;
2164 
2165 		mp1 = dupmsg(mp);
2166 		if (mp1 == NULL) {
2167 			ks2dbg(keystack, (
2168 			    "keysock_passup():  dupmsg() failed.\n"));
2169 			mp1 = mp;
2170 			mp = NULL;
2171 			err = ENOMEM;
2172 		}
2173 
2174 		/*
2175 		 * At this point, we can deliver or attempt to deliver
2176 		 * this message.  We're free of obligation to report
2177 		 * no listening PF_KEY sockets.  So set err to 0.
2178 		 */
2179 		err = 0;
2180 
2181 		/*
2182 		 * See if we canputnext(), as well as see if the message
2183 		 * needs to be queued if we can't.
2184 		 */
2185 		if (!canputnext(ks->keysock_rq)) {
2186 			if (persistent) {
2187 				if (putq(ks->keysock_rq, mp1) == 0) {
2188 					ks1dbg(keystack, (
2189 					    "keysock_passup: putq failed.\n"));
2190 				} else {
2191 					continue;
2192 				}
2193 			}
2194 			freemsg(mp1);
2195 			continue;
2196 		}
2197 
2198 		ks3dbg(keystack,
2199 		    ("Putting to serial %d.\n", ks->keysock_serial));
2200 		/*
2201 		 * Unlike the specific keysock instance case, this
2202 		 * will only hit for listeners, so we will only
2203 		 * putnext() if we can.
2204 		 */
2205 		putnext(ks->keysock_rq, mp1);
2206 		if (mp == NULL)
2207 			break;	/* out of for loop. */
2208 	}
2209 	mutex_exit(&keystack->keystack_list_lock);
2210 
2211 error:
2212 	if ((err != 0) && (kc != NULL)) {
2213 		/*
2214 		 * Generate KEYSOCK_OUT_ERR for consumer.
2215 		 * Basically, I send this back if I have not been able to
2216 		 * transmit (for whatever reason)
2217 		 */
2218 		ks1dbg(keystack,
2219 		    ("keysock_passup():  No registered of type %d.\n",
2220 		    satype));
2221 		if (mp != NULL) {
2222 			if (mp->b_datap->db_type == M_PROTO) {
2223 				mp1 = mp;
2224 				mp = mp->b_cont;
2225 				freeb(mp1);
2226 			}
2227 			/*
2228 			 * Do a copymsg() because people who get
2229 			 * KEYSOCK_OUT_ERR may alter the message contents.
2230 			 */
2231 			mp1 = copymsg(mp);
2232 			if (mp1 == NULL) {
2233 				ks2dbg(keystack,
2234 				    ("keysock_passup: copymsg() failed.\n"));
2235 				mp1 = mp;
2236 				mp = NULL;
2237 			}
2238 			keysock_out_err(kc, err, mp1);
2239 		}
2240 	}
2241 
2242 	/*
2243 	 * XXX Blank the message somehow.  This is difficult because we don't
2244 	 * know at this point if the message has db_ref > 1, etc.
2245 	 *
2246 	 * Optimally, keysock messages containing actual keying material would
2247 	 * be allocated with esballoc(), with a zeroing free function.
2248 	 */
2249 	if (mp != NULL)
2250 		freemsg(mp);
2251 }
2252 
2253 /*
2254  * Keysock's read service procedure is there only for PF_KEY reply
2255  * messages that really need to reach the top.
2256  */
2257 static void
2258 keysock_rsrv(queue_t *q)
2259 {
2260 	mblk_t *mp;
2261 
2262 	while ((mp = getq(q)) != NULL) {
2263 		if (canputnext(q)) {
2264 			putnext(q, mp);
2265 		} else {
2266 			(void) putbq(q, mp);
2267 			return;
2268 		}
2269 	}
2270 }
2271 
2272 /*
2273  * The read procedure should only be invoked by a keysock consumer, like
2274  * ESP, AH, etc.  I should only see KEYSOCK_OUT and KEYSOCK_HELLO_ACK
2275  * messages on my read queues.
2276  */
2277 static void
2278 keysock_rput(queue_t *q, mblk_t *mp)
2279 {
2280 	keysock_consumer_t *kc = (keysock_consumer_t *)q->q_ptr;
2281 	ipsec_info_t *ii;
2282 	keysock_hello_ack_t *ksa;
2283 	minor_t serial;
2284 	mblk_t *mp1;
2285 	sadb_msg_t *samsg;
2286 	keysock_stack_t	*keystack = kc->kc_keystack;
2287 
2288 	/* Make sure I'm a consumer instance.  (i.e. something's below me) */
2289 	ASSERT(WR(q)->q_next != NULL);
2290 
2291 	if (mp->b_datap->db_type != M_CTL) {
2292 		/*
2293 		 * Keysock should only see keysock consumer interface
2294 		 * messages (see ipsec_info.h) on its read procedure.
2295 		 * To be robust, however, putnext() up so the STREAM head can
2296 		 * deal with it appropriately.
2297 		 */
2298 		ks1dbg(keystack,
2299 		    ("Hmmm, a non M_CTL (%d, 0x%x) on keysock_rput.\n",
2300 		    mp->b_datap->db_type, mp->b_datap->db_type));
2301 		putnext(q, mp);
2302 		return;
2303 	}
2304 
2305 	ii = (ipsec_info_t *)mp->b_rptr;
2306 
2307 	switch (ii->ipsec_info_type) {
2308 	case KEYSOCK_OUT:
2309 		/*
2310 		 * A consumer needs to pass a response message or an ACQUIRE
2311 		 * UP.  I assume that the consumer has done the right
2312 		 * thing w.r.t. message creation, etc.
2313 		 */
2314 		serial = ((keysock_out_t *)mp->b_rptr)->ks_out_serial;
2315 		mp1 = mp->b_cont;	/* Get M_DATA portion. */
2316 		freeb(mp);
2317 		samsg = (sadb_msg_t *)mp1->b_rptr;
2318 		if (samsg->sadb_msg_type == SADB_FLUSH ||
2319 		    (samsg->sadb_msg_type == SADB_DUMP &&
2320 		    samsg->sadb_msg_len == SADB_8TO64(sizeof (*samsg)))) {
2321 			/*
2322 			 * If I'm an end-of-FLUSH or an end-of-DUMP marker...
2323 			 */
2324 			ASSERT(keystack->keystack_flushdump != 0);
2325 						/* Am I flushing? */
2326 
2327 			mutex_enter(&kc->kc_lock);
2328 			kc->kc_flags &= ~KC_FLUSHING;
2329 			mutex_exit(&kc->kc_lock);
2330 
2331 			if (samsg->sadb_msg_errno != 0)
2332 				keystack->keystack_flushdump_errno =
2333 				    samsg->sadb_msg_errno;
2334 
2335 			/*
2336 			 * Lower the atomic "flushing" count.  If it's
2337 			 * the last one, send up the end-of-{FLUSH,DUMP} to
2338 			 * the appropriate PF_KEY socket.
2339 			 */
2340 			if (atomic_add_32_nv(&keystack->keystack_flushdump,
2341 			    -1) != 0) {
2342 				ks1dbg(keystack,
2343 				    ("One flush/dump message back from %d,"
2344 				    " more to go.\n", samsg->sadb_msg_satype));
2345 				freemsg(mp1);
2346 				return;
2347 			}
2348 
2349 			samsg->sadb_msg_errno =
2350 			    (uint8_t)keystack->keystack_flushdump_errno;
2351 			if (samsg->sadb_msg_type == SADB_DUMP) {
2352 				samsg->sadb_msg_seq = 0;
2353 			}
2354 		}
2355 		keysock_passup(mp1, samsg, serial, kc,
2356 		    (samsg->sadb_msg_type == SADB_DUMP), keystack);
2357 		return;
2358 	case KEYSOCK_HELLO_ACK:
2359 		/* Aha, now we can link in the consumer! */
2360 		ksa = (keysock_hello_ack_t *)ii;
2361 		keysock_link_consumer(ksa->ks_hello_satype, kc);
2362 		freemsg(mp);
2363 		return;
2364 	default:
2365 		ks1dbg(keystack, ("Hmmm, an IPsec info I'm not used to, 0x%x\n",
2366 		    ii->ipsec_info_type));
2367 		putnext(q, mp);
2368 	}
2369 }
2370 
2371 /*
2372  * So we can avoid external linking problems....
2373  */
2374 boolean_t
2375 keysock_extended_reg(netstack_t *ns)
2376 {
2377 	keysock_stack_t	*keystack = ns->netstack_keysock;
2378 
2379 	return (keystack->keystack_num_extended != 0);
2380 }
2381 
2382 uint32_t
2383 keysock_next_seq(netstack_t *ns)
2384 {
2385 	keysock_stack_t	*keystack = ns->netstack_keysock;
2386 
2387 	return (atomic_add_32_nv(&keystack->keystack_acquire_seq, -1));
2388 }
2389