xref: /illumos-gate/usr/src/uts/common/inet/ip/spd.c (revision 9dd828891378a0a6a509ab601b4c5c20ca5562ec)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*
29  * IPsec Security Policy Database.
30  *
31  * This module maintains the SPD and provides routines used by ip and ip6
32  * to apply IPsec policy to inbound and outbound datagrams.
33  */
34 
35 #include <sys/types.h>
36 #include <sys/stream.h>
37 #include <sys/stropts.h>
38 #include <sys/sysmacros.h>
39 #include <sys/strsubr.h>
40 #include <sys/strlog.h>
41 #include <sys/cmn_err.h>
42 #include <sys/zone.h>
43 
44 #include <sys/systm.h>
45 #include <sys/param.h>
46 #include <sys/kmem.h>
47 
48 #include <sys/crypto/api.h>
49 
50 #include <inet/common.h>
51 #include <inet/mi.h>
52 
53 #include <netinet/ip6.h>
54 #include <netinet/icmp6.h>
55 #include <netinet/udp.h>
56 
57 #include <inet/ip.h>
58 #include <inet/ip6.h>
59 
60 #include <net/pfkeyv2.h>
61 #include <net/pfpolicy.h>
62 #include <inet/ipsec_info.h>
63 #include <inet/sadb.h>
64 #include <inet/ipsec_impl.h>
65 #include <inet/ipsecah.h>
66 #include <inet/ipsecesp.h>
67 #include <inet/ipdrop.h>
68 #include <inet/ipclassifier.h>
69 
70 static void ipsec_update_present_flags();
71 static ipsec_act_t *ipsec_act_wildcard_expand(ipsec_act_t *, uint_t *);
72 static void ipsec_out_free(void *);
73 static void ipsec_in_free(void *);
74 static boolean_t ipsec_init_inbound_sel(ipsec_selector_t *, mblk_t *,
75     ipha_t *, ip6_t *);
76 static mblk_t *ipsec_attach_global_policy(mblk_t *, conn_t *,
77     ipsec_selector_t *);
78 static mblk_t *ipsec_apply_global_policy(mblk_t *, conn_t *,
79     ipsec_selector_t *);
80 static mblk_t *ipsec_check_ipsecin_policy(queue_t *, mblk_t *,
81     ipsec_policy_t *, ipha_t *, ip6_t *);
82 static void ipsec_in_release_refs(ipsec_in_t *);
83 static void ipsec_out_release_refs(ipsec_out_t *);
84 static void ipsec_action_reclaim(void *);
85 static void ipsid_init(void);
86 static void ipsid_fini(void);
87 static boolean_t ipsec_check_ipsecin_action(struct ipsec_in_s *, mblk_t *,
88     struct ipsec_action_s *, ipha_t *ipha, ip6_t *ip6h, const char **,
89     kstat_named_t **);
90 static int32_t ipsec_act_ovhd(const ipsec_act_t *act);
91 static void ipsec_unregister_prov_update(void);
92 static boolean_t ipsec_compare_action(ipsec_policy_t *, ipsec_policy_t *);
93 static uint32_t selector_hash(ipsec_selector_t *);
94 
95 /*
96  * Policy rule index generator.  We assume this won't wrap in the
97  * lifetime of a system.  If we make 2^20 policy changes per second,
98  * this will last 2^44 seconds, or roughly 500,000 years, so we don't
99  * have to worry about reusing policy index values.
100  *
101  * Protected by ipsec_conf_lock.
102  */
103 uint64_t	ipsec_next_policy_index = 1;
104 
105 /*
106  * Active & Inactive system policy roots
107  */
108 static ipsec_policy_head_t system_policy;
109 static ipsec_policy_head_t inactive_policy;
110 
111 /* Packet dropper for generic SPD drops. */
112 static ipdropper_t spd_dropper;
113 
114 /*
115  * For now, use a trivially sized hash table for actions.
116  * In the future we can add the structure canonicalization necessary
117  * to get the hash function to behave correctly..
118  */
119 #define	IPSEC_ACTION_HASH_SIZE 1
120 
121 /*
122  * Selector hash table is statically sized at module load time.
123  * we default to 251 buckets, which is the largest prime number under 255
124  */
125 
126 #define	IPSEC_SPDHASH_DEFAULT 251
127 uint32_t ipsec_spd_hashsize = 0;
128 
129 #define	IPSEC_SEL_NOHASH ((uint32_t)(~0))
130 
131 static HASH_HEAD(ipsec_action_s) ipsec_action_hash[IPSEC_ACTION_HASH_SIZE];
132 static HASH_HEAD(ipsec_sel) *ipsec_sel_hash;
133 
134 static kmem_cache_t *ipsec_action_cache;
135 static kmem_cache_t *ipsec_sel_cache;
136 static kmem_cache_t *ipsec_pol_cache;
137 static kmem_cache_t *ipsec_info_cache;
138 
139 boolean_t ipsec_inbound_v4_policy_present = B_FALSE;
140 boolean_t ipsec_outbound_v4_policy_present = B_FALSE;
141 boolean_t ipsec_inbound_v6_policy_present = B_FALSE;
142 boolean_t ipsec_outbound_v6_policy_present = B_FALSE;
143 
144 /*
145  * Because policy needs to know what algorithms are supported, keep the
146  * lists of algorithms here.
147  */
148 
149 kmutex_t alg_lock;
150 uint8_t ipsec_nalgs[IPSEC_NALGTYPES];
151 ipsec_alginfo_t *ipsec_alglists[IPSEC_NALGTYPES][IPSEC_MAX_ALGS];
152 uint8_t ipsec_sortlist[IPSEC_NALGTYPES][IPSEC_MAX_ALGS];
153 ipsec_algs_exec_mode_t ipsec_algs_exec_mode[IPSEC_NALGTYPES];
154 static crypto_notify_handle_t prov_update_handle = NULL;
155 
156 int ipsec_hdr_pullup_needed = 0;
157 int ipsec_weird_null_inbound_policy = 0;
158 
159 #define	ALGBITS_ROUND_DOWN(x, align)	(((x)/(align))*(align))
160 #define	ALGBITS_ROUND_UP(x, align)	ALGBITS_ROUND_DOWN((x)+(align)-1, align)
161 
162 /*
163  * Inbound traffic should have matching identities for both SA's.
164  */
165 
166 #define	SA_IDS_MATCH(sa1, sa2) 						\
167 	(((sa1) == NULL) || ((sa2) == NULL) ||				\
168 	(((sa1)->ipsa_src_cid == (sa2)->ipsa_src_cid) &&		\
169 	    (((sa1)->ipsa_dst_cid == (sa2)->ipsa_dst_cid))))
170 
171 #define	IPPOL_UNCHAIN(php, ip) 						\
172 	HASHLIST_UNCHAIN((ip), ipsp_hash);				\
173 	avl_remove(&(php)->iph_rulebyid, (ip));				\
174 	IPPOL_REFRELE(ip);
175 
176 /*
177  * Policy failure messages.
178  */
179 static char *ipsec_policy_failure_msgs[] = {
180 
181 	/* IPSEC_POLICY_NOT_NEEDED */
182 	"%s: Dropping the datagram because the incoming packet "
183 	"is %s, but the recipient expects clear; Source %s, "
184 	"Destination %s.\n",
185 
186 	/* IPSEC_POLICY_MISMATCH */
187 	"%s: Policy Failure for the incoming packet (%s); Source %s, "
188 	"Destination %s.\n",
189 
190 	/* IPSEC_POLICY_AUTH_NOT_NEEDED	*/
191 	"%s: Authentication present while not expected in the "
192 	"incoming %s packet; Source %s, Destination %s.\n",
193 
194 	/* IPSEC_POLICY_ENCR_NOT_NEEDED */
195 	"%s: Encryption present while not expected in the "
196 	"incoming %s packet; Source %s, Destination %s.\n",
197 
198 	/* IPSEC_POLICY_SE_NOT_NEEDED */
199 	"%s: Self-Encapsulation present while not expected in the "
200 	"incoming %s packet; Source %s, Destination %s.\n",
201 };
202 /*
203  * Have a counter for every possible policy message in the previous array.
204  */
205 static uint32_t ipsec_policy_failure_count[IPSEC_POLICY_MAX];
206 /* Time since last ipsec policy failure that printed a message. */
207 hrtime_t ipsec_policy_failure_last = 0;
208 
209 /*
210  * General overviews:
211  *
212  * Locking:
213  *
214  *	All of the system policy structures are protected by a single
215  *	rwlock, ipsec_conf_lock.  These structures are threaded in a
216  *	fairly complex fashion and are not expected to change on a
217  *	regular basis, so this should not cause scaling/contention
218  *	problems.  As a result, policy checks should (hopefully) be MT-hot.
219  *
220  * Allocation policy:
221  *
222  *	We use custom kmem cache types for the various
223  *	bits & pieces of the policy data structures.  All allocations
224  *	use KM_NOSLEEP instead of KM_SLEEP for policy allocation.  The
225  *	policy table is of potentially unbounded size, so we don't
226  *	want to provide a way to hog all system memory with policy
227  *	entries..
228  */
229 
230 
231 /*
232  * AVL tree comparison function.
233  * the in-kernel avl assumes unique keys for all objects.
234  * Since sometimes policy will duplicate rules, we may insert
235  * multiple rules with the same rule id, so we need a tie-breaker.
236  */
237 static int
238 ipsec_policy_cmpbyid(const void *a, const void *b)
239 {
240 	const ipsec_policy_t *ipa, *ipb;
241 	uint64_t idxa, idxb;
242 
243 	ipa = (const ipsec_policy_t *)a;
244 	ipb = (const ipsec_policy_t *)b;
245 	idxa = ipa->ipsp_index;
246 	idxb = ipb->ipsp_index;
247 
248 	if (idxa < idxb)
249 		return (-1);
250 	if (idxa > idxb)
251 		return (1);
252 	/*
253 	 * Tie-breaker #1: All installed policy rules have a non-NULL
254 	 * ipsl_sel (selector set), so an entry with a NULL ipsp_sel is not
255 	 * actually in-tree but rather a template node being used in
256 	 * an avl_find query; see ipsec_policy_delete().  This gives us
257 	 * a placeholder in the ordering just before the the first entry with
258 	 * a key >= the one we're looking for, so we can walk forward from
259 	 * that point to get the remaining entries with the same id.
260 	 */
261 	if ((ipa->ipsp_sel == NULL) && (ipb->ipsp_sel != NULL))
262 		return (-1);
263 	if ((ipb->ipsp_sel == NULL) && (ipa->ipsp_sel != NULL))
264 		return (1);
265 	/*
266 	 * At most one of the arguments to the comparison should have a
267 	 * NULL selector pointer; if not, the tree is broken.
268 	 */
269 	ASSERT(ipa->ipsp_sel != NULL);
270 	ASSERT(ipb->ipsp_sel != NULL);
271 	/*
272 	 * Tie-breaker #2: use the virtual address of the policy node
273 	 * to arbitrarily break ties.  Since we use the new tree node in
274 	 * the avl_find() in ipsec_insert_always, the new node will be
275 	 * inserted into the tree in the right place in the sequence.
276 	 */
277 	if (ipa < ipb)
278 		return (-1);
279 	if (ipa > ipb)
280 		return (1);
281 	return (0);
282 }
283 
284 static void
285 ipsec_polhead_free_table(ipsec_policy_head_t *iph)
286 {
287 	int dir, nchains;
288 
289 	nchains = ipsec_spd_hashsize;
290 
291 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
292 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
293 
294 		if (ipr->ipr_hash == NULL)
295 			continue;
296 
297 		kmem_free(ipr->ipr_hash, nchains *
298 		    sizeof (ipsec_policy_hash_t));
299 	}
300 }
301 
302 static void
303 ipsec_polhead_destroy(ipsec_policy_head_t *iph)
304 {
305 	int dir;
306 
307 	avl_destroy(&iph->iph_rulebyid);
308 	rw_destroy(&iph->iph_lock);
309 
310 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
311 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
312 		int nchains = ipr->ipr_nchains;
313 		int chain;
314 
315 		for (chain = 0; chain < nchains; chain++)
316 			mutex_destroy(&(ipr->ipr_hash[chain].hash_lock));
317 
318 	}
319 	ipsec_polhead_free_table(iph);
320 }
321 
322 /*
323  * Module unload hook.
324  */
325 void
326 ipsec_policy_destroy(void)
327 {
328 	int i;
329 
330 	ip_drop_unregister(&spd_dropper);
331 	ip_drop_destroy();
332 
333 	ipsec_polhead_destroy(&system_policy);
334 	ipsec_polhead_destroy(&inactive_policy);
335 
336 	for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++)
337 		mutex_destroy(&(ipsec_action_hash[i].hash_lock));
338 
339 	for (i = 0; i < ipsec_spd_hashsize; i++)
340 		mutex_destroy(&(ipsec_sel_hash[i].hash_lock));
341 
342 	ipsec_unregister_prov_update();
343 
344 	mutex_destroy(&alg_lock);
345 
346 	kmem_cache_destroy(ipsec_action_cache);
347 	kmem_cache_destroy(ipsec_sel_cache);
348 	kmem_cache_destroy(ipsec_pol_cache);
349 	kmem_cache_destroy(ipsec_info_cache);
350 	ipsid_gc();
351 	ipsid_fini();
352 }
353 
354 
355 /*
356  * Called when table allocation fails to free the table.
357  */
358 static int
359 ipsec_alloc_tables_failed()
360 {
361 	if (ipsec_sel_hash != NULL) {
362 		kmem_free(ipsec_sel_hash, ipsec_spd_hashsize *
363 		    sizeof (*ipsec_sel_hash));
364 		ipsec_sel_hash = NULL;
365 	}
366 	ipsec_polhead_free_table(&system_policy);
367 	ipsec_polhead_free_table(&inactive_policy);
368 
369 	return (ENOMEM);
370 }
371 
372 /*
373  * Attempt to allocate the tables in a single policy head.
374  * Return nonzero on failure after cleaning up any work in progress.
375  */
376 static int
377 ipsec_alloc_table(ipsec_policy_head_t *iph, int kmflag)
378 {
379 	int dir, nchains;
380 
381 	nchains = ipsec_spd_hashsize;
382 
383 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
384 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
385 
386 		ipr->ipr_hash = kmem_zalloc(nchains *
387 		    sizeof (ipsec_policy_hash_t), kmflag);
388 		if (ipr->ipr_hash == NULL)
389 			return (ipsec_alloc_tables_failed());
390 	}
391 	return (0);
392 }
393 
394 /*
395  * Attempt to allocate the various tables.  Return nonzero on failure
396  * after cleaning up any work in progress.
397  */
398 static int
399 ipsec_alloc_tables(int kmflag)
400 {
401 	int error;
402 
403 	error = ipsec_alloc_table(&system_policy, kmflag);
404 	if (error != 0)
405 		return (error);
406 
407 	error = ipsec_alloc_table(&inactive_policy, kmflag);
408 	if (error != 0)
409 		return (error);
410 
411 	ipsec_sel_hash = kmem_zalloc(ipsec_spd_hashsize *
412 	    sizeof (*ipsec_sel_hash), kmflag);
413 
414 	if (ipsec_sel_hash == NULL)
415 		return (ipsec_alloc_tables_failed());
416 
417 	return (0);
418 }
419 
420 /*
421  * After table allocation, initialize a policy head.
422  */
423 static void
424 ipsec_polhead_init(ipsec_policy_head_t *iph)
425 {
426 	int dir, chain, nchains;
427 
428 	nchains = ipsec_spd_hashsize;
429 
430 	rw_init(&iph->iph_lock, NULL, RW_DEFAULT, NULL);
431 	avl_create(&iph->iph_rulebyid, ipsec_policy_cmpbyid,
432 	    sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid));
433 
434 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
435 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
436 		ipr->ipr_nchains = nchains;
437 
438 		for (chain = 0; chain < nchains; chain++) {
439 			mutex_init(&(ipr->ipr_hash[chain].hash_lock),
440 			    NULL, MUTEX_DEFAULT, NULL);
441 		}
442 	}
443 }
444 
445 /*
446  * Module load hook.
447  */
448 void
449 ipsec_policy_init()
450 {
451 	int i;
452 
453 	/*
454 	 * Make two attempts to allocate policy hash tables; try it at
455 	 * the "preferred" size (may be set in /etc/system) first,
456 	 * then fall back to the default size.
457 	 */
458 	if (ipsec_spd_hashsize == 0)
459 		ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT;
460 
461 	if (ipsec_alloc_tables(KM_NOSLEEP) != 0) {
462 		cmn_err(CE_WARN,
463 		    "Unable to allocate %d entry IPsec policy hash table",
464 		    ipsec_spd_hashsize);
465 		ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT;
466 		cmn_err(CE_WARN, "Falling back to %d entries",
467 		    ipsec_spd_hashsize);
468 		(void) ipsec_alloc_tables(KM_SLEEP);
469 	}
470 
471 	ipsid_init();
472 	ipsec_polhead_init(&system_policy);
473 	ipsec_polhead_init(&inactive_policy);
474 
475 	for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++)
476 		mutex_init(&(ipsec_action_hash[i].hash_lock),
477 		    NULL, MUTEX_DEFAULT, NULL);
478 
479 	for (i = 0; i < ipsec_spd_hashsize; i++)
480 		mutex_init(&(ipsec_sel_hash[i].hash_lock),
481 		    NULL, MUTEX_DEFAULT, NULL);
482 
483 	mutex_init(&alg_lock, NULL, MUTEX_DEFAULT, NULL);
484 
485 	for (i = 0; i < IPSEC_NALGTYPES; i++)
486 		ipsec_nalgs[i] = 0;
487 
488 	ipsec_action_cache = kmem_cache_create("ipsec_actions",
489 	    sizeof (ipsec_action_t), _POINTER_ALIGNMENT, NULL, NULL,
490 	    ipsec_action_reclaim, NULL, NULL, 0);
491 	ipsec_sel_cache = kmem_cache_create("ipsec_selectors",
492 	    sizeof (ipsec_sel_t), _POINTER_ALIGNMENT, NULL, NULL,
493 	    NULL, NULL, NULL, 0);
494 	ipsec_pol_cache = kmem_cache_create("ipsec_policy",
495 	    sizeof (ipsec_policy_t), _POINTER_ALIGNMENT, NULL, NULL,
496 	    NULL, NULL, NULL, 0);
497 	ipsec_info_cache = kmem_cache_create("ipsec_info",
498 	    sizeof (ipsec_info_t), _POINTER_ALIGNMENT, NULL, NULL,
499 	    NULL, NULL, NULL, 0);
500 
501 	ip_drop_init();
502 	ip_drop_register(&spd_dropper, "IPsec SPD");
503 }
504 
505 /*
506  * Sort algorithm lists.
507  *
508  * I may need to split this based on
509  * authentication/encryption, and I may wish to have an administrator
510  * configure this list.  Hold on to some NDD variables...
511  *
512  * XXX For now, sort on minimum key size (GAG!).  While minimum key size is
513  * not the ideal metric, it's the only quantifiable measure available.
514  * We need a better metric for sorting algorithms by preference.
515  */
516 static void
517 alg_insert_sortlist(enum ipsec_algtype at, uint8_t algid)
518 {
519 	ipsec_alginfo_t *ai = ipsec_alglists[at][algid];
520 	uint8_t holder, swap;
521 	uint_t i;
522 	uint_t count = ipsec_nalgs[at];
523 	ASSERT(ai != NULL);
524 	ASSERT(algid == ai->alg_id);
525 
526 	ASSERT(MUTEX_HELD(&alg_lock));
527 
528 	holder = algid;
529 
530 	for (i = 0; i < count - 1; i++) {
531 		ipsec_alginfo_t *alt;
532 
533 		alt = ipsec_alglists[at][ipsec_sortlist[at][i]];
534 		/*
535 		 * If you want to give precedence to newly added algs,
536 		 * add the = in the > comparison.
537 		 */
538 		if ((holder != algid) || (ai->alg_minbits > alt->alg_minbits)) {
539 			/* Swap sortlist[i] and holder. */
540 			swap = ipsec_sortlist[at][i];
541 			ipsec_sortlist[at][i] = holder;
542 			holder = swap;
543 			ai = alt;
544 		} /* Else just continue. */
545 	}
546 
547 	/* Store holder in last slot. */
548 	ipsec_sortlist[at][i] = holder;
549 }
550 
551 /*
552  * Remove an algorithm from a sorted algorithm list.
553  * This should be considerably easier, even with complex sorting.
554  */
555 static void
556 alg_remove_sortlist(enum ipsec_algtype at, uint8_t algid)
557 {
558 	boolean_t copyback = B_FALSE;
559 	int i;
560 	int newcount = ipsec_nalgs[at];
561 
562 	ASSERT(MUTEX_HELD(&alg_lock));
563 
564 	for (i = 0; i <= newcount; i++) {
565 		if (copyback)
566 			ipsec_sortlist[at][i-1] = ipsec_sortlist[at][i];
567 		else if (ipsec_sortlist[at][i] == algid)
568 			copyback = B_TRUE;
569 	}
570 }
571 
572 /*
573  * Add the specified algorithm to the algorithm tables.
574  * Must be called while holding the algorithm table writer lock.
575  */
576 void
577 ipsec_alg_reg(ipsec_algtype_t algtype, ipsec_alginfo_t *alg)
578 {
579 	ASSERT(MUTEX_HELD(&alg_lock));
580 
581 	ASSERT(ipsec_alglists[algtype][alg->alg_id] == NULL);
582 	ipsec_alg_fix_min_max(alg, algtype);
583 	ipsec_alglists[algtype][alg->alg_id] = alg;
584 
585 	ipsec_nalgs[algtype]++;
586 	alg_insert_sortlist(algtype, alg->alg_id);
587 }
588 
589 /*
590  * Remove the specified algorithm from the algorithm tables.
591  * Must be called while holding the algorithm table writer lock.
592  */
593 void
594 ipsec_alg_unreg(ipsec_algtype_t algtype, uint8_t algid)
595 {
596 	ASSERT(MUTEX_HELD(&alg_lock));
597 
598 	ASSERT(ipsec_alglists[algtype][algid] != NULL);
599 	ipsec_alg_free(ipsec_alglists[algtype][algid]);
600 	ipsec_alglists[algtype][algid] = NULL;
601 
602 	ipsec_nalgs[algtype]--;
603 	alg_remove_sortlist(algtype, algid);
604 }
605 
606 /*
607  * Hooks for spdsock to get a grip on system policy.
608  */
609 
610 ipsec_policy_head_t *
611 ipsec_system_policy(void)
612 {
613 	ipsec_policy_head_t *h = &system_policy;
614 	IPPH_REFHOLD(h);
615 	return (h);
616 }
617 
618 ipsec_policy_head_t *
619 ipsec_inactive_policy(void)
620 {
621 	ipsec_policy_head_t *h = &inactive_policy;
622 	IPPH_REFHOLD(h);
623 	return (h);
624 }
625 
626 /*
627  * Lock inactive policy, then active policy, then exchange policy root
628  * pointers.
629  */
630 void
631 ipsec_swap_policy(void)
632 {
633 	int af, dir;
634 	avl_tree_t r1, r2;
635 
636 	rw_enter(&inactive_policy.iph_lock, RW_WRITER);
637 	rw_enter(&system_policy.iph_lock, RW_WRITER);
638 
639 	r1 = system_policy.iph_rulebyid;
640 	r2 = inactive_policy.iph_rulebyid;
641 	system_policy.iph_rulebyid = r2;
642 	inactive_policy.iph_rulebyid = r1;
643 
644 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
645 		ipsec_policy_hash_t *h1, *h2;
646 
647 		h1 = system_policy.iph_root[dir].ipr_hash;
648 		h2 = inactive_policy.iph_root[dir].ipr_hash;
649 		system_policy.iph_root[dir].ipr_hash = h2;
650 		inactive_policy.iph_root[dir].ipr_hash = h1;
651 
652 		for (af = 0; af < IPSEC_NAF; af++) {
653 			ipsec_policy_t *t1, *t2;
654 
655 			t1 = system_policy.iph_root[dir].ipr_nonhash[af];
656 			t2 = inactive_policy.iph_root[dir].ipr_nonhash[af];
657 			system_policy.iph_root[dir].ipr_nonhash[af] = t2;
658 			inactive_policy.iph_root[dir].ipr_nonhash[af] = t1;
659 			if (t1 != NULL) {
660 				t1->ipsp_hash.hash_pp =
661 				    &(inactive_policy.iph_root[dir].
662 				    ipr_nonhash[af]);
663 			}
664 			if (t2 != NULL) {
665 				t2->ipsp_hash.hash_pp =
666 				    &(system_policy.iph_root[dir].
667 				    ipr_nonhash[af]);
668 			}
669 
670 		}
671 	}
672 	system_policy.iph_gen++;
673 	inactive_policy.iph_gen++;
674 	ipsec_update_present_flags();
675 	rw_exit(&system_policy.iph_lock);
676 	rw_exit(&inactive_policy.iph_lock);
677 }
678 
679 /*
680  * Clone one policy rule..
681  */
682 static ipsec_policy_t *
683 ipsec_copy_policy(const ipsec_policy_t *src)
684 {
685 	ipsec_policy_t *dst = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);
686 
687 	if (dst == NULL)
688 		return (NULL);
689 
690 	/*
691 	 * Adjust refcounts of cloned state.
692 	 */
693 	IPACT_REFHOLD(src->ipsp_act);
694 	src->ipsp_sel->ipsl_refs++;
695 
696 	HASH_NULL(dst, ipsp_hash);
697 	dst->ipsp_refs = 1;
698 	dst->ipsp_sel = src->ipsp_sel;
699 	dst->ipsp_act = src->ipsp_act;
700 	dst->ipsp_prio = src->ipsp_prio;
701 	dst->ipsp_index = src->ipsp_index;
702 
703 	return (dst);
704 }
705 
706 void
707 ipsec_insert_always(avl_tree_t *tree, void *new_node)
708 {
709 	void *node;
710 	avl_index_t where;
711 
712 	node = avl_find(tree, new_node, &where);
713 	ASSERT(node == NULL);
714 	avl_insert(tree, new_node, where);
715 }
716 
717 
718 static int
719 ipsec_copy_chain(ipsec_policy_head_t *dph, ipsec_policy_t *src,
720     ipsec_policy_t **dstp)
721 {
722 	for (; src != NULL; src = src->ipsp_hash.hash_next) {
723 		ipsec_policy_t *dst = ipsec_copy_policy(src);
724 		if (dst == NULL)
725 			return (ENOMEM);
726 
727 		HASHLIST_INSERT(dst, ipsp_hash, *dstp);
728 		ipsec_insert_always(&dph->iph_rulebyid, dst);
729 	}
730 	return (0);
731 }
732 
733 
734 
735 /*
736  * Make one policy head look exactly like another.
737  *
738  * As with ipsec_swap_policy, we lock the destination policy head first, then
739  * the source policy head. Note that we only need to read-lock the source
740  * policy head as we are not changing it.
741  */
742 static int
743 ipsec_copy_polhead(ipsec_policy_head_t *sph, ipsec_policy_head_t *dph)
744 {
745 	int af, dir, chain, nchains;
746 
747 	rw_enter(&dph->iph_lock, RW_WRITER);
748 
749 	ipsec_polhead_flush(dph);
750 
751 	rw_enter(&sph->iph_lock, RW_READER);
752 
753 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
754 		ipsec_policy_root_t *dpr = &dph->iph_root[dir];
755 		ipsec_policy_root_t *spr = &sph->iph_root[dir];
756 		nchains = dpr->ipr_nchains;
757 
758 		ASSERT(dpr->ipr_nchains == spr->ipr_nchains);
759 
760 		for (af = 0; af < IPSEC_NAF; af++) {
761 			if (ipsec_copy_chain(dph, spr->ipr_nonhash[af],
762 			    &dpr->ipr_nonhash[af]))
763 				goto abort_copy;
764 		}
765 
766 		for (chain = 0; chain < nchains; chain++) {
767 			if (ipsec_copy_chain(dph,
768 			    spr->ipr_hash[chain].hash_head,
769 			    &dpr->ipr_hash[chain].hash_head))
770 				goto abort_copy;
771 		}
772 	}
773 
774 	dph->iph_gen++;
775 
776 	rw_exit(&sph->iph_lock);
777 	rw_exit(&dph->iph_lock);
778 	return (0);
779 
780 abort_copy:
781 	ipsec_polhead_flush(dph);
782 	rw_exit(&sph->iph_lock);
783 	rw_exit(&dph->iph_lock);
784 	return (ENOMEM);
785 }
786 
787 /*
788  * Clone currently active policy to the inactive policy list.
789  */
790 int
791 ipsec_clone_system_policy(void)
792 {
793 	return (ipsec_copy_polhead(&system_policy, &inactive_policy));
794 }
795 
796 
797 /*
798  * Extract the string from ipsec_policy_failure_msgs[type] and
799  * log it.
800  *
801  */
802 void
803 ipsec_log_policy_failure(queue_t *q, int type, char *func_name, ipha_t *ipha,
804     ip6_t *ip6h, boolean_t secure)
805 {
806 	char	sbuf[INET6_ADDRSTRLEN];
807 	char	dbuf[INET6_ADDRSTRLEN];
808 	char	*s;
809 	char	*d;
810 	short mid = 0;
811 
812 	ASSERT((ipha == NULL && ip6h != NULL) ||
813 	    (ip6h == NULL && ipha != NULL));
814 
815 	if (ipha != NULL) {
816 		s = inet_ntop(AF_INET, &ipha->ipha_src, sbuf, sizeof (sbuf));
817 		d = inet_ntop(AF_INET, &ipha->ipha_dst, dbuf, sizeof (dbuf));
818 	} else {
819 		s = inet_ntop(AF_INET6, &ip6h->ip6_src, sbuf, sizeof (sbuf));
820 		d = inet_ntop(AF_INET6, &ip6h->ip6_dst, dbuf, sizeof (dbuf));
821 
822 	}
823 
824 	/* Always bump the policy failure counter. */
825 	ipsec_policy_failure_count[type]++;
826 
827 	if (q != NULL) {
828 		mid = q->q_qinfo->qi_minfo->mi_idnum;
829 	}
830 	ipsec_rl_strlog(mid, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
831 		ipsec_policy_failure_msgs[type],
832 		func_name,
833 		(secure ? "secure" : "not secure"), s, d);
834 }
835 
836 /*
837  * Rate-limiting front-end to strlog() for AH and ESP.	Uses the ndd variables
838  * in /dev/ip and the same rate-limiting clock so that there's a single
839  * knob to turn to throttle the rate of messages.
840  */
841 void
842 ipsec_rl_strlog(short mid, short sid, char level, ushort_t sl, char *fmt, ...)
843 {
844 	va_list adx;
845 	hrtime_t current = gethrtime();
846 
847 	sl |= SL_CONSOLE;
848 	/*
849 	 * Throttle logging to stop syslog from being swamped. If variable
850 	 * 'ipsec_policy_log_interval' is zero, don't log any messages at
851 	 * all, otherwise log only one message every 'ipsec_policy_log_interval'
852 	 * msec. Convert interval (in msec) to hrtime (in nsec).
853 	 */
854 
855 	if (ipsec_policy_log_interval) {
856 		if (ipsec_policy_failure_last +
857 		    ((hrtime_t)ipsec_policy_log_interval * (hrtime_t)1000000) <=
858 		    current) {
859 			va_start(adx, fmt);
860 			(void) vstrlog(mid, sid, level, sl, fmt, adx);
861 			va_end(adx);
862 			ipsec_policy_failure_last = current;
863 		}
864 	}
865 }
866 
867 void
868 ipsec_config_flush()
869 {
870 	rw_enter(&system_policy.iph_lock, RW_WRITER);
871 	ipsec_polhead_flush(&system_policy);
872 	ipsec_next_policy_index = 1;
873 	rw_exit(&system_policy.iph_lock);
874 	ipsec_action_reclaim(0);
875 }
876 
877 /*
878  * Clip a policy's min/max keybits vs. the capabilities of the
879  * algorithm.
880  */
881 static void
882 act_alg_adjust(uint_t algtype, uint_t algid,
883     uint16_t *minbits, uint16_t *maxbits)
884 {
885 	ipsec_alginfo_t *algp = ipsec_alglists[algtype][algid];
886 	if (algp != NULL) {
887 		/*
888 		 * If passed-in minbits is zero, we assume the caller trusts
889 		 * us with setting the minimum key size.  We pick the
890 		 * algorithms DEFAULT key size for the minimum in this case.
891 		 */
892 		if (*minbits == 0) {
893 			*minbits = algp->alg_default_bits;
894 			ASSERT(*minbits >= algp->alg_minbits);
895 		} else {
896 			*minbits = MAX(*minbits, algp->alg_minbits);
897 		}
898 		if (*maxbits == 0)
899 			*maxbits = algp->alg_maxbits;
900 		else
901 			*maxbits = MIN(*maxbits, algp->alg_maxbits);
902 		ASSERT(*minbits <= *maxbits);
903 	} else {
904 		*minbits = 0;
905 		*maxbits = 0;
906 	}
907 }
908 
909 /*
910  * Check an action's requested algorithms against the algorithms currently
911  * loaded in the system.
912  */
913 boolean_t
914 ipsec_check_action(ipsec_act_t *act, int *diag)
915 {
916 	ipsec_prot_t *ipp;
917 
918 	ipp = &act->ipa_apply;
919 
920 	if (ipp->ipp_use_ah &&
921 	    ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_auth_alg] == NULL) {
922 		*diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG;
923 		return (B_FALSE);
924 	}
925 	if (ipp->ipp_use_espa &&
926 	    ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_esp_auth_alg] == NULL) {
927 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG;
928 		return (B_FALSE);
929 	}
930 	if (ipp->ipp_use_esp &&
931 	    ipsec_alglists[IPSEC_ALG_ENCR][ipp->ipp_encr_alg] == NULL) {
932 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG;
933 		return (B_FALSE);
934 	}
935 
936 	act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_auth_alg,
937 	    &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits);
938 	act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_esp_auth_alg,
939 	    &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits);
940 	act_alg_adjust(IPSEC_ALG_ENCR, ipp->ipp_encr_alg,
941 	    &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits);
942 
943 	if (ipp->ipp_ah_minbits > ipp->ipp_ah_maxbits) {
944 		*diag = SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE;
945 		return (B_FALSE);
946 	}
947 	if (ipp->ipp_espa_minbits > ipp->ipp_espa_maxbits) {
948 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE;
949 		return (B_FALSE);
950 	}
951 	if (ipp->ipp_espe_minbits > ipp->ipp_espe_maxbits) {
952 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE;
953 		return (B_FALSE);
954 	}
955 	/* TODO: sanity check lifetimes */
956 	return (B_TRUE);
957 }
958 
959 /*
960  * Set up a single action during wildcard expansion..
961  */
962 static void
963 ipsec_setup_act(ipsec_act_t *outact, ipsec_act_t *act,
964     uint_t auth_alg, uint_t encr_alg, uint_t eauth_alg)
965 {
966 	ipsec_prot_t *ipp;
967 
968 	*outact = *act;
969 	ipp = &outact->ipa_apply;
970 	ipp->ipp_auth_alg = (uint8_t)auth_alg;
971 	ipp->ipp_encr_alg = (uint8_t)encr_alg;
972 	ipp->ipp_esp_auth_alg = (uint8_t)eauth_alg;
973 
974 	act_alg_adjust(IPSEC_ALG_AUTH, auth_alg,
975 	    &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits);
976 	act_alg_adjust(IPSEC_ALG_AUTH, eauth_alg,
977 	    &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits);
978 	act_alg_adjust(IPSEC_ALG_ENCR, encr_alg,
979 	    &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits);
980 }
981 
982 /*
983  * combinatoric expansion time: expand a wildcarded action into an
984  * array of wildcarded actions; we return the exploded action list,
985  * and return a count in *nact (output only).
986  */
987 static ipsec_act_t *
988 ipsec_act_wildcard_expand(ipsec_act_t *act, uint_t *nact)
989 {
990 	boolean_t use_ah, use_esp, use_espa;
991 	boolean_t wild_auth, wild_encr, wild_eauth;
992 	uint_t	auth_alg, auth_idx, auth_min, auth_max;
993 	uint_t	eauth_alg, eauth_idx, eauth_min, eauth_max;
994 	uint_t  encr_alg, encr_idx, encr_min, encr_max;
995 	uint_t	action_count, ai;
996 	ipsec_act_t *outact;
997 
998 	if (act->ipa_type != IPSEC_ACT_APPLY) {
999 		outact = kmem_alloc(sizeof (*act), KM_NOSLEEP);
1000 		*nact = 1;
1001 		if (outact != NULL)
1002 			bcopy(act, outact, sizeof (*act));
1003 		return (outact);
1004 	}
1005 	/*
1006 	 * compute the combinatoric explosion..
1007 	 *
1008 	 * we assume a request for encr if esp_req is PREF_REQUIRED
1009 	 * we assume a request for ah auth if ah_req is PREF_REQUIRED.
1010 	 * we assume a request for esp auth if !ah and esp_req is PREF_REQUIRED
1011 	 */
1012 
1013 	use_ah = act->ipa_apply.ipp_use_ah;
1014 	use_esp = act->ipa_apply.ipp_use_esp;
1015 	use_espa = act->ipa_apply.ipp_use_espa;
1016 	auth_alg = act->ipa_apply.ipp_auth_alg;
1017 	eauth_alg = act->ipa_apply.ipp_esp_auth_alg;
1018 	encr_alg = act->ipa_apply.ipp_encr_alg;
1019 
1020 	wild_auth = use_ah && (auth_alg == 0);
1021 	wild_eauth = use_espa && (eauth_alg == 0);
1022 	wild_encr = use_esp && (encr_alg == 0);
1023 
1024 	action_count = 1;
1025 	auth_min = auth_max = auth_alg;
1026 	eauth_min = eauth_max = eauth_alg;
1027 	encr_min = encr_max = encr_alg;
1028 
1029 	/*
1030 	 * set up for explosion.. for each dimension, expand output
1031 	 * size by the explosion factor.
1032 	 *
1033 	 * Don't include the "any" algorithms, if defined, as no
1034 	 * kernel policies should be set for these algorithms.
1035 	 */
1036 
1037 #define	SET_EXP_MINMAX(type, wild, alg, min, max) if (wild) {	\
1038 		int nalgs = ipsec_nalgs[type];			\
1039 		if (ipsec_alglists[type][alg] != NULL)		\
1040 			nalgs--;				\
1041 		action_count *= nalgs;				\
1042 		min = 0;					\
1043 		max = ipsec_nalgs[type] - 1;			\
1044 	}
1045 
1046 	SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_auth, SADB_AALG_NONE,
1047 	    auth_min, auth_max);
1048 	SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_eauth, SADB_AALG_NONE,
1049 	    eauth_min, eauth_max);
1050 	SET_EXP_MINMAX(IPSEC_ALG_ENCR, wild_encr, SADB_EALG_NONE,
1051 	    encr_min, encr_max);
1052 
1053 #undef	SET_EXP_MINMAX
1054 
1055 	/*
1056 	 * ok, allocate the whole mess..
1057 	 */
1058 
1059 	outact = kmem_alloc(sizeof (*outact) * action_count, KM_NOSLEEP);
1060 	if (outact == NULL)
1061 		return (NULL);
1062 
1063 	/*
1064 	 * Now compute all combinations.  Note that non-wildcarded
1065 	 * dimensions just get a single value from auth_min, while
1066 	 * wildcarded dimensions indirect through the sortlist.
1067 	 *
1068 	 * We do encryption outermost since, at this time, there's
1069 	 * greater difference in security and performance between
1070 	 * encryption algorithms vs. authentication algorithms.
1071 	 */
1072 
1073 	ai = 0;
1074 
1075 #define	WHICH_ALG(type, wild, idx) ((wild)?(ipsec_sortlist[type][idx]):(idx))
1076 
1077 	for (encr_idx = encr_min; encr_idx <= encr_max; encr_idx++) {
1078 		encr_alg = WHICH_ALG(IPSEC_ALG_ENCR, wild_encr, encr_idx);
1079 		if (wild_encr && encr_alg == SADB_EALG_NONE)
1080 			continue;
1081 		for (auth_idx = auth_min; auth_idx <= auth_max; auth_idx++) {
1082 			auth_alg = WHICH_ALG(IPSEC_ALG_AUTH, wild_auth,
1083 			    auth_idx);
1084 			if (wild_auth && auth_alg == SADB_AALG_NONE)
1085 				continue;
1086 			for (eauth_idx = eauth_min; eauth_idx <= eauth_max;
1087 			    eauth_idx++) {
1088 				eauth_alg = WHICH_ALG(IPSEC_ALG_AUTH,
1089 				    wild_eauth, eauth_idx);
1090 				if (wild_eauth && eauth_alg == SADB_AALG_NONE)
1091 					continue;
1092 
1093 				ipsec_setup_act(&outact[ai], act,
1094 				    auth_alg, encr_alg, eauth_alg);
1095 				ai++;
1096 			}
1097 		}
1098 	}
1099 
1100 #undef WHICH_ALG
1101 
1102 	ASSERT(ai == action_count);
1103 	*nact = action_count;
1104 	return (outact);
1105 }
1106 
1107 /*
1108  * Extract the parts of an ipsec_prot_t from an old-style ipsec_req_t.
1109  */
1110 static void
1111 ipsec_prot_from_req(ipsec_req_t *req, ipsec_prot_t *ipp)
1112 {
1113 	bzero(ipp, sizeof (*ipp));
1114 	/*
1115 	 * ipp_use_* are bitfields.  Look at "!!" in the following as a
1116 	 * "boolean canonicalization" operator.
1117 	 */
1118 	ipp->ipp_use_ah = !!(req->ipsr_ah_req & IPSEC_PREF_REQUIRED);
1119 	ipp->ipp_use_esp = !!(req->ipsr_esp_req & IPSEC_PREF_REQUIRED);
1120 	ipp->ipp_use_espa = !!(req->ipsr_esp_auth_alg) || !ipp->ipp_use_ah;
1121 	ipp->ipp_use_se = !!(req->ipsr_self_encap_req & IPSEC_PREF_REQUIRED);
1122 	ipp->ipp_use_unique = !!((req->ipsr_ah_req|req->ipsr_esp_req) &
1123 	    IPSEC_PREF_UNIQUE);
1124 	ipp->ipp_encr_alg = req->ipsr_esp_alg;
1125 	ipp->ipp_auth_alg = req->ipsr_auth_alg;
1126 	ipp->ipp_esp_auth_alg = req->ipsr_esp_auth_alg;
1127 }
1128 
1129 /*
1130  * Extract a new-style action from a request.
1131  */
1132 void
1133 ipsec_actvec_from_req(ipsec_req_t *req, ipsec_act_t **actp, uint_t *nactp)
1134 {
1135 	struct ipsec_act act;
1136 	bzero(&act, sizeof (act));
1137 	if ((req->ipsr_ah_req & IPSEC_PREF_NEVER) &&
1138 	    (req->ipsr_esp_req & IPSEC_PREF_NEVER)) {
1139 		act.ipa_type = IPSEC_ACT_BYPASS;
1140 	} else {
1141 		act.ipa_type = IPSEC_ACT_APPLY;
1142 		ipsec_prot_from_req(req, &act.ipa_apply);
1143 	}
1144 	*actp = ipsec_act_wildcard_expand(&act, nactp);
1145 }
1146 
1147 /*
1148  * Convert a new-style "prot" back to an ipsec_req_t (more backwards compat).
1149  * We assume caller has already zero'ed *req for us.
1150  */
1151 static int
1152 ipsec_req_from_prot(ipsec_prot_t *ipp, ipsec_req_t *req)
1153 {
1154 	req->ipsr_esp_alg = ipp->ipp_encr_alg;
1155 	req->ipsr_auth_alg = ipp->ipp_auth_alg;
1156 	req->ipsr_esp_auth_alg = ipp->ipp_esp_auth_alg;
1157 
1158 	if (ipp->ipp_use_unique) {
1159 		req->ipsr_ah_req |= IPSEC_PREF_UNIQUE;
1160 		req->ipsr_esp_req |= IPSEC_PREF_UNIQUE;
1161 	}
1162 	if (ipp->ipp_use_se)
1163 		req->ipsr_self_encap_req |= IPSEC_PREF_REQUIRED;
1164 	if (ipp->ipp_use_ah)
1165 		req->ipsr_ah_req |= IPSEC_PREF_REQUIRED;
1166 	if (ipp->ipp_use_esp)
1167 		req->ipsr_esp_req |= IPSEC_PREF_REQUIRED;
1168 	return (sizeof (*req));
1169 }
1170 
1171 /*
1172  * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1173  * We assume caller has already zero'ed *req for us.
1174  */
1175 static int
1176 ipsec_req_from_act(ipsec_action_t *ap, ipsec_req_t *req)
1177 {
1178 	switch (ap->ipa_act.ipa_type) {
1179 	case IPSEC_ACT_BYPASS:
1180 		req->ipsr_ah_req = IPSEC_PREF_NEVER;
1181 		req->ipsr_esp_req = IPSEC_PREF_NEVER;
1182 		return (sizeof (*req));
1183 	case IPSEC_ACT_APPLY:
1184 		return (ipsec_req_from_prot(&ap->ipa_act.ipa_apply, req));
1185 	}
1186 	return (sizeof (*req));
1187 }
1188 
1189 /*
1190  * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1191  * We assume caller has already zero'ed *req for us.
1192  */
1193 static int
1194 ipsec_req_from_head(ipsec_policy_head_t *ph, ipsec_req_t *req, int af)
1195 {
1196 	ipsec_policy_t *p;
1197 
1198 	/*
1199 	 * FULL-PERSOCK: consult hash table, too?
1200 	 */
1201 	for (p = ph->iph_root[IPSEC_INBOUND].ipr_nonhash[af];
1202 	    p != NULL;
1203 	    p = p->ipsp_hash.hash_next) {
1204 		if ((p->ipsp_sel->ipsl_key.ipsl_valid&IPSL_WILDCARD) == 0)
1205 			return (ipsec_req_from_act(p->ipsp_act, req));
1206 	}
1207 	return (sizeof (*req));
1208 }
1209 
1210 /*
1211  * Based on per-socket or latched policy, convert to an appropriate
1212  * IP_SEC_OPT ipsec_req_t for the socket option; return size so we can
1213  * be tail-called from ip.
1214  */
1215 int
1216 ipsec_req_from_conn(conn_t *connp, ipsec_req_t *req, int af)
1217 {
1218 	ipsec_latch_t *ipl;
1219 	int rv = sizeof (ipsec_req_t);
1220 
1221 	bzero(req, sizeof (*req));
1222 
1223 	mutex_enter(&connp->conn_lock);
1224 	ipl = connp->conn_latch;
1225 
1226 	/*
1227 	 * Find appropriate policy.  First choice is latched action;
1228 	 * failing that, see latched policy; failing that,
1229 	 * look at configured policy.
1230 	 */
1231 	if (ipl != NULL) {
1232 		if (ipl->ipl_in_action != NULL) {
1233 			rv = ipsec_req_from_act(ipl->ipl_in_action, req);
1234 			goto done;
1235 		}
1236 		if (ipl->ipl_in_policy != NULL) {
1237 			rv = ipsec_req_from_act(ipl->ipl_in_policy->ipsp_act,
1238 			    req);
1239 			goto done;
1240 		}
1241 	}
1242 	if (connp->conn_policy != NULL)
1243 		rv = ipsec_req_from_head(connp->conn_policy, req, af);
1244 done:
1245 	mutex_exit(&connp->conn_lock);
1246 	return (rv);
1247 }
1248 
1249 void
1250 ipsec_actvec_free(ipsec_act_t *act, uint_t nact)
1251 {
1252 	kmem_free(act, nact * sizeof (*act));
1253 }
1254 
1255 /*
1256  * When outbound policy is not cached, look it up the hard way and attach
1257  * an ipsec_out_t to the packet..
1258  */
1259 static mblk_t *
1260 ipsec_attach_global_policy(mblk_t *mp, conn_t *connp, ipsec_selector_t *sel)
1261 {
1262 	ipsec_policy_t *p;
1263 
1264 	p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel);
1265 
1266 	if (p == NULL)
1267 		return (NULL);
1268 	return (ipsec_attach_ipsec_out(mp, connp, p, sel->ips_protocol));
1269 }
1270 
1271 /*
1272  * We have an ipsec_out already, but don't have cached policy; fill it in
1273  * with the right actions.
1274  */
1275 static mblk_t *
1276 ipsec_apply_global_policy(mblk_t *ipsec_mp, conn_t *connp,
1277     ipsec_selector_t *sel)
1278 {
1279 	ipsec_out_t *io;
1280 	ipsec_policy_t *p;
1281 
1282 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
1283 	ASSERT(ipsec_mp->b_cont->b_datap->db_type == M_DATA);
1284 
1285 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
1286 
1287 	if (io->ipsec_out_policy == NULL) {
1288 		p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, io, sel);
1289 		io->ipsec_out_policy = p;
1290 	}
1291 	return (ipsec_mp);
1292 }
1293 
1294 
1295 /* ARGSUSED */
1296 /*
1297  * Consumes a reference to ipsp.
1298  */
1299 static mblk_t *
1300 ipsec_check_loopback_policy(queue_t *q, mblk_t *first_mp,
1301     boolean_t mctl_present, ipsec_policy_t *ipsp)
1302 {
1303 	mblk_t *ipsec_mp;
1304 	ipsec_in_t *ii;
1305 
1306 	if (!mctl_present)
1307 		return (first_mp);
1308 
1309 	ipsec_mp = first_mp;
1310 
1311 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
1312 	ASSERT(ii->ipsec_in_loopback);
1313 	IPPOL_REFRELE(ipsp);
1314 
1315 	/*
1316 	 * We should do an actual policy check here.  Revisit this
1317 	 * when we revisit the IPsec API.
1318 	 */
1319 
1320 	return (first_mp);
1321 }
1322 
1323 /*
1324  * Check that packet's inbound ports & proto match the selectors
1325  * expected by the SAs it traversed on the way in.
1326  */
1327 static boolean_t
1328 ipsec_check_ipsecin_unique(ipsec_in_t *ii, mblk_t *mp,
1329     ipha_t *ipha, ip6_t *ip6h,
1330     const char **reason, kstat_named_t **counter)
1331 {
1332 	uint64_t pkt_unique, ah_mask, esp_mask;
1333 	ipsa_t *ah_assoc;
1334 	ipsa_t *esp_assoc;
1335 	ipsec_selector_t sel;
1336 
1337 	ASSERT(ii->ipsec_in_secure);
1338 	ASSERT(!ii->ipsec_in_loopback);
1339 
1340 	ah_assoc = ii->ipsec_in_ah_sa;
1341 	esp_assoc = ii->ipsec_in_esp_sa;
1342 	ASSERT((ah_assoc != NULL) || (esp_assoc != NULL));
1343 
1344 	ah_mask = (ah_assoc != NULL) ? ah_assoc->ipsa_unique_mask : 0;
1345 	esp_mask = (esp_assoc != NULL) ? esp_assoc->ipsa_unique_mask : 0;
1346 
1347 	if ((ah_mask == 0) && (esp_mask == 0))
1348 		return (B_TRUE);
1349 
1350 	if (!ipsec_init_inbound_sel(&sel, mp, ipha, ip6h)) {
1351 		/*
1352 		 * Technically not a policy mismatch, but it is
1353 		 * an internal failure.
1354 		 */
1355 		*reason = "ipsec_init_inbound_sel";
1356 		*counter = &ipdrops_spd_nomem;
1357 		return (B_FALSE);
1358 	}
1359 
1360 	pkt_unique = SA_UNIQUE_ID(sel.ips_remote_port, sel.ips_local_port,
1361 	    sel.ips_protocol);
1362 
1363 	if (ah_mask != 0) {
1364 		if (ah_assoc->ipsa_unique_id != (pkt_unique & ah_mask)) {
1365 			*reason = "AH inner header mismatch";
1366 			*counter = &ipdrops_spd_ah_innermismatch;
1367 			return (B_FALSE);
1368 		}
1369 	}
1370 	if (esp_mask != 0) {
1371 		if (esp_assoc->ipsa_unique_id != (pkt_unique & esp_mask)) {
1372 			*reason = "ESP inner header mismatch";
1373 			*counter = &ipdrops_spd_esp_innermismatch;
1374 			return (B_FALSE);
1375 		}
1376 	}
1377 	return (B_TRUE);
1378 }
1379 
1380 static boolean_t
1381 ipsec_check_ipsecin_action(ipsec_in_t *ii, mblk_t *mp, ipsec_action_t *ap,
1382     ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter)
1383 {
1384 	boolean_t ret = B_TRUE;
1385 	ipsec_prot_t *ipp;
1386 	ipsa_t *ah_assoc;
1387 	ipsa_t *esp_assoc;
1388 	boolean_t decaps;
1389 
1390 	ASSERT((ipha == NULL && ip6h != NULL) ||
1391 	    (ip6h == NULL && ipha != NULL));
1392 
1393 	if (ii->ipsec_in_loopback) {
1394 		/*
1395 		 * Besides accepting pointer-equivalent actions, we also
1396 		 * accept any ICMP errors we generated for ourselves,
1397 		 * regardless of policy.  If we do not wish to make this
1398 		 * assumption in the future, check here, and where
1399 		 * icmp_loopback is initialized in ip.c and ip6.c.  (Look for
1400 		 * ipsec_out_icmp_loopback.)
1401 		 */
1402 		if (ap == ii->ipsec_in_action || ii->ipsec_in_icmp_loopback)
1403 			return (B_TRUE);
1404 
1405 		/* Deep compare necessary here?? */
1406 		*counter = &ipdrops_spd_loopback_mismatch;
1407 		*reason = "loopback policy mismatch";
1408 		return (B_FALSE);
1409 	}
1410 	ASSERT(!ii->ipsec_in_icmp_loopback);
1411 
1412 	ah_assoc = ii->ipsec_in_ah_sa;
1413 	esp_assoc = ii->ipsec_in_esp_sa;
1414 
1415 	decaps = ii->ipsec_in_decaps;
1416 
1417 	switch (ap->ipa_act.ipa_type) {
1418 	case IPSEC_ACT_DISCARD:
1419 	case IPSEC_ACT_REJECT:
1420 		/* Should "fail hard" */
1421 		*counter = &ipdrops_spd_explicit;
1422 		*reason = "blocked by policy";
1423 		return (B_FALSE);
1424 
1425 	case IPSEC_ACT_BYPASS:
1426 	case IPSEC_ACT_CLEAR:
1427 		*counter = &ipdrops_spd_got_secure;
1428 		*reason = "expected clear, got protected";
1429 		return (B_FALSE);
1430 
1431 	case IPSEC_ACT_APPLY:
1432 		ipp = &ap->ipa_act.ipa_apply;
1433 		/*
1434 		 * As of now we do the simple checks of whether
1435 		 * the datagram has gone through the required IPSEC
1436 		 * protocol constraints or not. We might have more
1437 		 * in the future like sensitive levels, key bits, etc.
1438 		 * If it fails the constraints, check whether we would
1439 		 * have accepted this if it had come in clear.
1440 		 */
1441 		if (ipp->ipp_use_ah) {
1442 			if (ah_assoc == NULL) {
1443 				ret = ipsec_inbound_accept_clear(mp, ipha,
1444 				    ip6h);
1445 				*counter = &ipdrops_spd_got_clear;
1446 				*reason = "unprotected not accepted";
1447 				break;
1448 			}
1449 			ASSERT(ah_assoc != NULL);
1450 			ASSERT(ipp->ipp_auth_alg != 0);
1451 
1452 			if (ah_assoc->ipsa_auth_alg !=
1453 			    ipp->ipp_auth_alg) {
1454 				*counter = &ipdrops_spd_bad_ahalg;
1455 				*reason = "unacceptable ah alg";
1456 				ret = B_FALSE;
1457 				break;
1458 			}
1459 		} else if (ah_assoc != NULL) {
1460 			/*
1461 			 * Don't allow this. Check IPSEC NOTE above
1462 			 * ip_fanout_proto().
1463 			 */
1464 			*counter = &ipdrops_spd_got_ah;
1465 			*reason = "unexpected AH";
1466 			ret = B_FALSE;
1467 			break;
1468 		}
1469 		if (ipp->ipp_use_esp) {
1470 			if (esp_assoc == NULL) {
1471 				ret = ipsec_inbound_accept_clear(mp, ipha,
1472 				    ip6h);
1473 				*counter = &ipdrops_spd_got_clear;
1474 				*reason = "unprotected not accepted";
1475 				break;
1476 			}
1477 			ASSERT(esp_assoc != NULL);
1478 			ASSERT(ipp->ipp_encr_alg != 0);
1479 
1480 			if (esp_assoc->ipsa_encr_alg !=
1481 			    ipp->ipp_encr_alg) {
1482 				*counter = &ipdrops_spd_bad_espealg;
1483 				*reason = "unacceptable esp alg";
1484 				ret = B_FALSE;
1485 				break;
1486 			}
1487 			/*
1488 			 * If the client does not need authentication,
1489 			 * we don't verify the alogrithm.
1490 			 */
1491 			if (ipp->ipp_use_espa) {
1492 				if (esp_assoc->ipsa_auth_alg !=
1493 				    ipp->ipp_esp_auth_alg) {
1494 					*counter = &ipdrops_spd_bad_espaalg;
1495 					*reason = "unacceptable esp auth alg";
1496 					ret = B_FALSE;
1497 					break;
1498 				}
1499 			}
1500 		} else if (esp_assoc != NULL) {
1501 				/*
1502 				 * Don't allow this. Check IPSEC NOTE above
1503 				 * ip_fanout_proto().
1504 				 */
1505 			*counter = &ipdrops_spd_got_esp;
1506 			*reason = "unexpected ESP";
1507 			ret = B_FALSE;
1508 			break;
1509 		}
1510 		if (ipp->ipp_use_se) {
1511 			if (!decaps) {
1512 				ret = ipsec_inbound_accept_clear(mp, ipha,
1513 				    ip6h);
1514 				if (!ret) {
1515 					/* XXX mutant? */
1516 					*counter = &ipdrops_spd_bad_selfencap;
1517 					*reason = "self encap not found";
1518 					break;
1519 				}
1520 			}
1521 		} else if (decaps) {
1522 			/*
1523 			 * XXX If the packet comes in tunneled and the
1524 			 * recipient does not expect it to be tunneled, it
1525 			 * is okay. But we drop to be consistent with the
1526 			 * other cases.
1527 			 */
1528 			*counter = &ipdrops_spd_got_selfencap;
1529 			*reason = "unexpected self encap";
1530 			ret = B_FALSE;
1531 			break;
1532 		}
1533 		if (ii->ipsec_in_action != NULL) {
1534 			/*
1535 			 * This can happen if we do a double policy-check on
1536 			 * a packet
1537 			 * XXX XXX should fix this case!
1538 			 */
1539 			IPACT_REFRELE(ii->ipsec_in_action);
1540 		}
1541 		ASSERT(ii->ipsec_in_action == NULL);
1542 		IPACT_REFHOLD(ap);
1543 		ii->ipsec_in_action = ap;
1544 		break;	/* from switch */
1545 	}
1546 	return (ret);
1547 }
1548 
1549 static boolean_t
1550 spd_match_inbound_ids(ipsec_latch_t *ipl, ipsa_t *sa)
1551 {
1552 	ASSERT(ipl->ipl_ids_latched == B_TRUE);
1553 	return ipsid_equal(ipl->ipl_remote_cid, sa->ipsa_src_cid) &&
1554 	    ipsid_equal(ipl->ipl_local_cid, sa->ipsa_dst_cid);
1555 }
1556 
1557 /*
1558  * Called to check policy on a latched connection, both from this file
1559  * and from tcp.c
1560  */
1561 boolean_t
1562 ipsec_check_ipsecin_latch(ipsec_in_t *ii, mblk_t *mp, ipsec_latch_t *ipl,
1563     ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter)
1564 {
1565 	ASSERT(ipl->ipl_ids_latched == B_TRUE);
1566 
1567 	if (!ii->ipsec_in_loopback) {
1568 		/*
1569 		 * Over loopback, there aren't real security associations,
1570 		 * so there are neither identities nor "unique" values
1571 		 * for us to check the packet against.
1572 		 */
1573 		if ((ii->ipsec_in_ah_sa != NULL) &&
1574 		    (!spd_match_inbound_ids(ipl, ii->ipsec_in_ah_sa))) {
1575 			*counter = &ipdrops_spd_ah_badid;
1576 			*reason = "AH identity mismatch";
1577 			return (B_FALSE);
1578 		}
1579 
1580 		if ((ii->ipsec_in_esp_sa != NULL) &&
1581 		    (!spd_match_inbound_ids(ipl, ii->ipsec_in_esp_sa))) {
1582 			*counter = &ipdrops_spd_esp_badid;
1583 			*reason = "ESP identity mismatch";
1584 			return (B_FALSE);
1585 		}
1586 
1587 		if (!ipsec_check_ipsecin_unique(ii, mp, ipha, ip6h, reason,
1588 		    counter)) {
1589 			return (B_FALSE);
1590 		}
1591 	}
1592 
1593 	return (ipsec_check_ipsecin_action(ii, mp, ipl->ipl_in_action,
1594 	    ipha, ip6h, reason, counter));
1595 }
1596 
1597 /*
1598  * Check to see whether this secured datagram meets the policy
1599  * constraints specified in ipsp.
1600  *
1601  * Called from ipsec_check_global_policy, and ipsec_check_inbound_policy.
1602  *
1603  * Consumes a reference to ipsp.
1604  */
1605 static mblk_t *
1606 ipsec_check_ipsecin_policy(queue_t *q, mblk_t *first_mp, ipsec_policy_t *ipsp,
1607     ipha_t *ipha, ip6_t *ip6h)
1608 {
1609 	ipsec_in_t *ii;
1610 	ipsec_action_t *ap;
1611 	const char *reason = "no policy actions found";
1612 	mblk_t *data_mp, *ipsec_mp;
1613 	short mid = 0;
1614 	kstat_named_t *counter = &ipdrops_spd_got_secure;
1615 
1616 	data_mp = first_mp->b_cont;
1617 	ipsec_mp = first_mp;
1618 
1619 	ASSERT(ipsp != NULL);
1620 
1621 	ASSERT((ipha == NULL && ip6h != NULL) ||
1622 	    (ip6h == NULL && ipha != NULL));
1623 
1624 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
1625 
1626 	if (ii->ipsec_in_loopback)
1627 		return (ipsec_check_loopback_policy(q, first_mp, B_TRUE, ipsp));
1628 	ASSERT(ii->ipsec_in_type == IPSEC_IN);
1629 	ASSERT(ii->ipsec_in_secure);
1630 
1631 	if (ii->ipsec_in_action != NULL) {
1632 		/*
1633 		 * this can happen if we do a double policy-check on a packet
1634 		 * Would be nice to be able to delete this test..
1635 		 */
1636 		IPACT_REFRELE(ii->ipsec_in_action);
1637 	}
1638 	ASSERT(ii->ipsec_in_action == NULL);
1639 
1640 	if (!SA_IDS_MATCH(ii->ipsec_in_ah_sa, ii->ipsec_in_esp_sa)) {
1641 		reason = "inbound AH and ESP identities differ";
1642 		counter = &ipdrops_spd_ahesp_diffid;
1643 		goto drop;
1644 	}
1645 
1646 	if (!ipsec_check_ipsecin_unique(ii, data_mp, ipha, ip6h,
1647 	    &reason, &counter))
1648 		goto drop;
1649 
1650 	/*
1651 	 * Ok, now loop through the possible actions and see if any
1652 	 * of them work for us.
1653 	 */
1654 
1655 	for (ap = ipsp->ipsp_act; ap != NULL; ap = ap->ipa_next) {
1656 		if (ipsec_check_ipsecin_action(ii, data_mp, ap,
1657 		    ipha, ip6h, &reason, &counter)) {
1658 			BUMP_MIB(&ip_mib, ipsecInSucceeded);
1659 			IPPOL_REFRELE(ipsp);
1660 			return (first_mp);
1661 		}
1662 	}
1663 drop:
1664 	if (q != NULL) {
1665 		mid = q->q_qinfo->qi_minfo->mi_idnum;
1666 	}
1667 	ipsec_rl_strlog(mid, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
1668 	    "ipsec inbound policy mismatch: %s, packet dropped\n",
1669 	    reason);
1670 	IPPOL_REFRELE(ipsp);
1671 	ASSERT(ii->ipsec_in_action == NULL);
1672 	BUMP_MIB(&ip_mib, ipsecInFailed);
1673 	ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter, &spd_dropper);
1674 	return (NULL);
1675 }
1676 
1677 /*
1678  * sleazy prefix-length-based compare.
1679  * another inlining candidate..
1680  */
1681 static boolean_t
1682 ip_addr_match(uint8_t *addr1, int pfxlen, in6_addr_t *addr2p)
1683 {
1684 	int offset = pfxlen>>3;
1685 	int bitsleft = pfxlen & 7;
1686 	uint8_t *addr2 = (uint8_t *)addr2p;
1687 
1688 	/*
1689 	 * and there was much evil..
1690 	 * XXX should inline-expand the bcmp here and do this 32 bits
1691 	 * or 64 bits at a time..
1692 	 */
1693 	return ((bcmp(addr1, addr2, offset) == 0) &&
1694 	    ((bitsleft == 0) ||
1695 		(((addr1[offset] ^ addr2[offset]) &
1696 		    (0xff<<(8-bitsleft))) == 0)));
1697 }
1698 
1699 static ipsec_policy_t *
1700 ipsec_find_policy_chain(ipsec_policy_t *best, ipsec_policy_t *chain,
1701     ipsec_selector_t *sel, boolean_t is_icmp_inv_acq)
1702 {
1703 	ipsec_selkey_t *isel;
1704 	ipsec_policy_t *p;
1705 	int bpri = best ? best->ipsp_prio : 0;
1706 
1707 	for (p = chain; p != NULL; p = p->ipsp_hash.hash_next) {
1708 		uint32_t valid;
1709 
1710 		if (p->ipsp_prio <= bpri)
1711 			continue;
1712 		isel = &p->ipsp_sel->ipsl_key;
1713 		valid = isel->ipsl_valid;
1714 
1715 		if ((valid & IPSL_PROTOCOL) &&
1716 		    (isel->ipsl_proto != sel->ips_protocol))
1717 			continue;
1718 
1719 		if ((valid & IPSL_REMOTE_ADDR) &&
1720 		    !ip_addr_match((uint8_t *)&isel->ipsl_remote,
1721 			isel->ipsl_remote_pfxlen,
1722 			&sel->ips_remote_addr_v6))
1723 			continue;
1724 
1725 		if ((valid & IPSL_LOCAL_ADDR) &&
1726 		    !ip_addr_match((uint8_t *)&isel->ipsl_local,
1727 			isel->ipsl_local_pfxlen,
1728 			&sel->ips_local_addr_v6))
1729 			continue;
1730 
1731 		if ((valid & IPSL_REMOTE_PORT) &&
1732 		    isel->ipsl_rport != sel->ips_remote_port)
1733 			continue;
1734 
1735 		if ((valid & IPSL_LOCAL_PORT) &&
1736 		    isel->ipsl_lport != sel->ips_local_port)
1737 			continue;
1738 
1739 		if (!is_icmp_inv_acq) {
1740 			if ((valid & IPSL_ICMP_TYPE) &&
1741 			    (isel->ipsl_icmp_type > sel->ips_icmp_type ||
1742 			    isel->ipsl_icmp_type_end < sel->ips_icmp_type)) {
1743 				continue;
1744 			}
1745 
1746 			if ((valid & IPSL_ICMP_CODE) &&
1747 			    (isel->ipsl_icmp_code > sel->ips_icmp_code ||
1748 			    isel->ipsl_icmp_code_end <
1749 			    sel->ips_icmp_code)) {
1750 				continue;
1751 			}
1752 		} else {
1753 			/*
1754 			 * special case for icmp inverse acquire
1755 			 * we only want policies that aren't drop/pass
1756 			 */
1757 			if (p->ipsp_act->ipa_act.ipa_type != IPSEC_ACT_APPLY)
1758 				continue;
1759 		}
1760 
1761 		/* we matched all the packet-port-field selectors! */
1762 		best = p;
1763 		bpri = p->ipsp_prio;
1764 	}
1765 
1766 	return (best);
1767 }
1768 
1769 /*
1770  * Try to find and return the best policy entry under a given policy
1771  * root for a given set of selectors; the first parameter "best" is
1772  * the current best policy so far.  If "best" is non-null, we have a
1773  * reference to it.  We return a reference to a policy; if that policy
1774  * is not the original "best", we need to release that reference
1775  * before returning.
1776  */
1777 static ipsec_policy_t *
1778 ipsec_find_policy_head(ipsec_policy_t *best,
1779     ipsec_policy_head_t *head, int direction, ipsec_selector_t *sel,
1780     int selhash)
1781 {
1782 	ipsec_policy_t *curbest;
1783 	ipsec_policy_root_t *root;
1784 	uint8_t is_icmp_inv_acq = sel->ips_is_icmp_inv_acq;
1785 	int af = sel->ips_isv4 ? IPSEC_AF_V4 : IPSEC_AF_V6;
1786 
1787 	curbest = best;
1788 	root = &head->iph_root[direction];
1789 
1790 #ifdef DEBUG
1791 	if (is_icmp_inv_acq) {
1792 		if (sel->ips_isv4) {
1793 			if (sel->ips_protocol != IPPROTO_ICMP) {
1794 			    cmn_err(CE_WARN, "ipsec_find_policy_head:"
1795 			    " expecting icmp, got %d", sel->ips_protocol);
1796 			}
1797 		} else {
1798 			if (sel->ips_protocol != IPPROTO_ICMPV6) {
1799 				cmn_err(CE_WARN, "ipsec_find_policy_head:"
1800 				" expecting icmpv6, got %d", sel->ips_protocol);
1801 			}
1802 		}
1803 	}
1804 #endif
1805 
1806 	rw_enter(&head->iph_lock, RW_READER);
1807 
1808 	if (root->ipr_nchains > 0) {
1809 		curbest = ipsec_find_policy_chain(curbest,
1810 		    root->ipr_hash[selhash].hash_head, sel, is_icmp_inv_acq);
1811 	}
1812 	curbest = ipsec_find_policy_chain(curbest, root->ipr_nonhash[af], sel,
1813 	    is_icmp_inv_acq);
1814 
1815 	/*
1816 	 * Adjust reference counts if we found anything new.
1817 	 */
1818 	if (curbest != best) {
1819 		ASSERT(curbest != NULL);
1820 		IPPOL_REFHOLD(curbest);
1821 
1822 		if (best != NULL) {
1823 			IPPOL_REFRELE(best);
1824 		}
1825 	}
1826 
1827 	rw_exit(&head->iph_lock);
1828 
1829 	return (curbest);
1830 }
1831 
1832 /*
1833  * Find the best system policy (either global or per-interface) which
1834  * applies to the given selector; look in all the relevant policy roots
1835  * to figure out which policy wins.
1836  *
1837  * Returns a reference to a policy; caller must release this
1838  * reference when done.
1839  */
1840 ipsec_policy_t *
1841 ipsec_find_policy(int direction, conn_t *connp, ipsec_out_t *io,
1842     ipsec_selector_t *sel)
1843 {
1844 	ipsec_policy_t *p;
1845 	int selhash = selector_hash(sel);
1846 
1847 	p = ipsec_find_policy_head(NULL, &system_policy, direction, sel,
1848 	    selhash);
1849 	if ((connp != NULL) && (connp->conn_policy != NULL)) {
1850 		p = ipsec_find_policy_head(p, connp->conn_policy,
1851 		    direction, sel, selhash);
1852 	} else if ((io != NULL) && (io->ipsec_out_polhead != NULL)) {
1853 		p = ipsec_find_policy_head(p, io->ipsec_out_polhead,
1854 		    direction, sel, selhash);
1855 	}
1856 
1857 	return (p);
1858 }
1859 
1860 /*
1861  * Check with global policy and see whether this inbound
1862  * packet meets the policy constraints.
1863  *
1864  * Locate appropriate policy from global policy, supplemented by the
1865  * conn's configured and/or cached policy if the conn is supplied.
1866  *
1867  * Dispatch to ipsec_check_ipsecin_policy if we have policy and an
1868  * encrypted packet to see if they match.
1869  *
1870  * Otherwise, see if the policy allows cleartext; if not, drop it on the
1871  * floor.
1872  */
1873 mblk_t *
1874 ipsec_check_global_policy(mblk_t *first_mp, conn_t *connp,
1875     ipha_t *ipha, ip6_t *ip6h, boolean_t mctl_present)
1876 {
1877 	ipsec_policy_t *p;
1878 	ipsec_selector_t sel;
1879 	queue_t *q = NULL;
1880 	mblk_t *data_mp, *ipsec_mp;
1881 	boolean_t policy_present;
1882 	kstat_named_t *counter;
1883 	ipsec_in_t *ii = NULL;
1884 
1885 	data_mp = mctl_present ? first_mp->b_cont : first_mp;
1886 	ipsec_mp = mctl_present ? first_mp : NULL;
1887 
1888 	sel.ips_is_icmp_inv_acq = 0;
1889 
1890 	ASSERT((ipha == NULL && ip6h != NULL) ||
1891 	    (ip6h == NULL && ipha != NULL));
1892 
1893 	if (ipha != NULL)
1894 		policy_present = ipsec_inbound_v4_policy_present;
1895 	else
1896 		policy_present = ipsec_inbound_v6_policy_present;
1897 
1898 	if (!policy_present && connp == NULL) {
1899 		/*
1900 		 * No global policy and no per-socket policy;
1901 		 * just pass it back (but we shouldn't get here in that case)
1902 		 */
1903 		return (first_mp);
1904 	}
1905 
1906 	if (connp != NULL)
1907 		q = CONNP_TO_WQ(connp);
1908 
1909 	if (ipsec_mp != NULL) {
1910 		ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
1911 		ii = (ipsec_in_t *)(ipsec_mp->b_rptr);
1912 		ASSERT(ii->ipsec_in_type == IPSEC_IN);
1913 	}
1914 
1915 	/*
1916 	 * If we have cached policy, use it.
1917 	 * Otherwise consult system policy.
1918 	 */
1919 	if ((connp != NULL) && (connp->conn_latch != NULL)) {
1920 		p = connp->conn_latch->ipl_in_policy;
1921 		if (p != NULL) {
1922 			IPPOL_REFHOLD(p);
1923 		}
1924 	} else {
1925 		/* Initialize the ports in the selector */
1926 		if (!ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h)) {
1927 			/*
1928 			 * Technically not a policy mismatch, but it is
1929 			 * an internal failure.
1930 			 */
1931 			ipsec_log_policy_failure(q, IPSEC_POLICY_MISMATCH,
1932 			    "ipsec_init_inbound_sel", ipha, ip6h, B_FALSE);
1933 			counter = &ipdrops_spd_nomem;
1934 			goto fail;
1935 		}
1936 
1937 		/*
1938 		 * Find the policy which best applies.
1939 		 *
1940 		 * If we find global policy, we should look at both
1941 		 * local policy and global policy and see which is
1942 		 * stronger and match accordingly.
1943 		 *
1944 		 * If we don't find a global policy, check with
1945 		 * local policy alone.
1946 		 */
1947 
1948 		p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, NULL, &sel);
1949 	}
1950 
1951 	if (p == NULL) {
1952 		if (ipsec_mp == NULL) {
1953 			/*
1954 			 * We have no policy; default to succeeding.
1955 			 * XXX paranoid system design doesn't do this.
1956 			 */
1957 			BUMP_MIB(&ip_mib, ipsecInSucceeded);
1958 			return (first_mp);
1959 		} else {
1960 			counter = &ipdrops_spd_got_secure;
1961 			ipsec_log_policy_failure(q, IPSEC_POLICY_NOT_NEEDED,
1962 			    "ipsec_check_global_policy", ipha, ip6h, B_TRUE);
1963 			goto fail;
1964 		}
1965 	}
1966 	if ((ii != NULL) && (ii->ipsec_in_secure))
1967 		return (ipsec_check_ipsecin_policy(q, ipsec_mp, p, ipha, ip6h));
1968 	if (p->ipsp_act->ipa_allow_clear) {
1969 		BUMP_MIB(&ip_mib, ipsecInSucceeded);
1970 		IPPOL_REFRELE(p);
1971 		return (first_mp);
1972 	}
1973 	IPPOL_REFRELE(p);
1974 	/*
1975 	 * If we reach here, we will drop the packet because it failed the
1976 	 * global policy check because the packet was cleartext, and it
1977 	 * should not have been.
1978 	 */
1979 	ipsec_log_policy_failure(q, IPSEC_POLICY_MISMATCH,
1980 	    "ipsec_check_global_policy", ipha, ip6h, B_FALSE);
1981 	counter = &ipdrops_spd_got_clear;
1982 
1983 fail:
1984 	ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter, &spd_dropper);
1985 	BUMP_MIB(&ip_mib, ipsecInFailed);
1986 	return (NULL);
1987 }
1988 
1989 /*
1990  * We check whether an inbound datagram is a valid one
1991  * to accept in clear. If it is secure, it is the job
1992  * of IPSEC to log information appropriately if it
1993  * suspects that it may not be the real one.
1994  *
1995  * It is called only while fanning out to the ULP
1996  * where ULP accepts only secure data and the incoming
1997  * is clear. Usually we never accept clear datagrams in
1998  * such cases. ICMP is the only exception.
1999  *
2000  * NOTE : We don't call this function if the client (ULP)
2001  * is willing to accept things in clear.
2002  */
2003 boolean_t
2004 ipsec_inbound_accept_clear(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h)
2005 {
2006 	ushort_t iph_hdr_length;
2007 	icmph_t *icmph;
2008 	icmp6_t *icmp6;
2009 	uint8_t *nexthdrp;
2010 
2011 	ASSERT((ipha != NULL && ip6h == NULL) ||
2012 	    (ipha == NULL && ip6h != NULL));
2013 
2014 	if (ip6h != NULL) {
2015 		iph_hdr_length = ip_hdr_length_v6(mp, ip6h);
2016 		if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length,
2017 		    &nexthdrp)) {
2018 			return (B_FALSE);
2019 		}
2020 		if (*nexthdrp != IPPROTO_ICMPV6)
2021 			return (B_FALSE);
2022 		icmp6 = (icmp6_t *)(&mp->b_rptr[iph_hdr_length]);
2023 		/* Match IPv6 ICMP policy as closely as IPv4 as possible. */
2024 		switch (icmp6->icmp6_type) {
2025 		case ICMP6_PARAM_PROB:
2026 			/* Corresponds to port/proto unreach in IPv4. */
2027 		case ICMP6_ECHO_REQUEST:
2028 			/* Just like IPv4. */
2029 			return (B_FALSE);
2030 
2031 		case MLD_LISTENER_QUERY:
2032 		case MLD_LISTENER_REPORT:
2033 		case MLD_LISTENER_REDUCTION:
2034 			/*
2035 			 * XXX Seperate NDD in IPv4 what about here?
2036 			 * Plus, mcast is important to ND.
2037 			 */
2038 		case ICMP6_DST_UNREACH:
2039 			/* Corresponds to HOST/NET unreachable in IPv4. */
2040 		case ICMP6_PACKET_TOO_BIG:
2041 		case ICMP6_ECHO_REPLY:
2042 			/* These are trusted in IPv4. */
2043 		case ND_ROUTER_SOLICIT:
2044 		case ND_ROUTER_ADVERT:
2045 		case ND_NEIGHBOR_SOLICIT:
2046 		case ND_NEIGHBOR_ADVERT:
2047 		case ND_REDIRECT:
2048 			/* Trust ND messages for now. */
2049 		case ICMP6_TIME_EXCEEDED:
2050 		default:
2051 			return (B_TRUE);
2052 		}
2053 	} else {
2054 		/*
2055 		 * If it is not ICMP, fail this request.
2056 		 */
2057 		if (ipha->ipha_protocol != IPPROTO_ICMP)
2058 			return (B_FALSE);
2059 		iph_hdr_length = IPH_HDR_LENGTH(ipha);
2060 		icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
2061 		/*
2062 		 * It is an insecure icmp message. Check to see whether we are
2063 		 * willing to accept this one.
2064 		 */
2065 
2066 		switch (icmph->icmph_type) {
2067 		case ICMP_ECHO_REPLY:
2068 		case ICMP_TIME_STAMP_REPLY:
2069 		case ICMP_INFO_REPLY:
2070 		case ICMP_ROUTER_ADVERTISEMENT:
2071 			/*
2072 			 * We should not encourage clear replies if this
2073 			 * client expects secure. If somebody is replying
2074 			 * in clear some mailicious user watching both the
2075 			 * request and reply, can do chosen-plain-text attacks.
2076 			 * With global policy we might be just expecting secure
2077 			 * but sending out clear. We don't know what the right
2078 			 * thing is. We can't do much here as we can't control
2079 			 * the sender here. Till we are sure of what to do,
2080 			 * accept them.
2081 			 */
2082 			return (B_TRUE);
2083 		case ICMP_ECHO_REQUEST:
2084 		case ICMP_TIME_STAMP_REQUEST:
2085 		case ICMP_INFO_REQUEST:
2086 		case ICMP_ADDRESS_MASK_REQUEST:
2087 		case ICMP_ROUTER_SOLICITATION:
2088 		case ICMP_ADDRESS_MASK_REPLY:
2089 			/*
2090 			 * Don't accept this as somebody could be sending
2091 			 * us plain text to get encrypted data. If we reply,
2092 			 * it will lead to chosen plain text attack.
2093 			 */
2094 			return (B_FALSE);
2095 		case ICMP_DEST_UNREACHABLE:
2096 			switch (icmph->icmph_code) {
2097 			case ICMP_FRAGMENTATION_NEEDED:
2098 				/*
2099 				 * Be in sync with icmp_inbound, where we have
2100 				 * already set ire_max_frag.
2101 				 */
2102 				return (B_TRUE);
2103 			case ICMP_HOST_UNREACHABLE:
2104 			case ICMP_NET_UNREACHABLE:
2105 				/*
2106 				 * By accepting, we could reset a connection.
2107 				 * How do we solve the problem of some
2108 				 * intermediate router sending in-secure ICMP
2109 				 * messages ?
2110 				 */
2111 				return (B_TRUE);
2112 			case ICMP_PORT_UNREACHABLE:
2113 			case ICMP_PROTOCOL_UNREACHABLE:
2114 			default :
2115 				return (B_FALSE);
2116 			}
2117 		case ICMP_SOURCE_QUENCH:
2118 			/*
2119 			 * If this is an attack, TCP will slow start
2120 			 * because of this. Is it very harmful ?
2121 			 */
2122 			return (B_TRUE);
2123 		case ICMP_PARAM_PROBLEM:
2124 			return (B_FALSE);
2125 		case ICMP_TIME_EXCEEDED:
2126 			return (B_TRUE);
2127 		case ICMP_REDIRECT:
2128 			return (B_FALSE);
2129 		default :
2130 			return (B_FALSE);
2131 		}
2132 	}
2133 }
2134 
2135 void
2136 ipsec_latch_ids(ipsec_latch_t *ipl, ipsid_t *local, ipsid_t *remote)
2137 {
2138 	mutex_enter(&ipl->ipl_lock);
2139 
2140 	if (ipl->ipl_ids_latched) {
2141 		/* I lost, someone else got here before me */
2142 		mutex_exit(&ipl->ipl_lock);
2143 		return;
2144 	}
2145 
2146 	if (local != NULL)
2147 		IPSID_REFHOLD(local);
2148 	if (remote != NULL)
2149 		IPSID_REFHOLD(remote);
2150 
2151 	ipl->ipl_local_cid = local;
2152 	ipl->ipl_remote_cid = remote;
2153 	ipl->ipl_ids_latched = B_TRUE;
2154 	mutex_exit(&ipl->ipl_lock);
2155 }
2156 
2157 void
2158 ipsec_latch_inbound(ipsec_latch_t *ipl, ipsec_in_t *ii)
2159 {
2160 	ipsa_t *sa;
2161 
2162 	if (!ipl->ipl_ids_latched) {
2163 		ipsid_t *local = NULL;
2164 		ipsid_t *remote = NULL;
2165 
2166 		if (!ii->ipsec_in_loopback) {
2167 			if (ii->ipsec_in_esp_sa != NULL)
2168 				sa = ii->ipsec_in_esp_sa;
2169 			else
2170 				sa = ii->ipsec_in_ah_sa;
2171 			ASSERT(sa != NULL);
2172 			local = sa->ipsa_dst_cid;
2173 			remote = sa->ipsa_src_cid;
2174 		}
2175 		ipsec_latch_ids(ipl, local, remote);
2176 	}
2177 	ipl->ipl_in_action = ii->ipsec_in_action;
2178 	IPACT_REFHOLD(ipl->ipl_in_action);
2179 }
2180 
2181 /*
2182  * Check whether the policy constraints are met either for an
2183  * inbound datagram; called from IP in numerous places.
2184  *
2185  * Note that this is not a chokepoint for inbound policy checks;
2186  * see also ipsec_check_ipsecin_latch() and ipsec_check_global_policy()
2187  */
2188 mblk_t *
2189 ipsec_check_inbound_policy(mblk_t *first_mp, conn_t *connp,
2190     ipha_t *ipha, ip6_t *ip6h, boolean_t mctl_present)
2191 {
2192 	ipsec_in_t *ii;
2193 	boolean_t ret;
2194 	queue_t *q;
2195 	short mid = 0;
2196 	mblk_t *mp = mctl_present ? first_mp->b_cont : first_mp;
2197 	mblk_t *ipsec_mp = mctl_present ? first_mp : NULL;
2198 	ipsec_latch_t *ipl;
2199 
2200 	ASSERT(connp != NULL);
2201 	ipl = connp->conn_latch;
2202 
2203 	if (ipsec_mp == NULL) {
2204 clear:
2205 		/*
2206 		 * This is the case where the incoming datagram is
2207 		 * cleartext and we need to see whether this client
2208 		 * would like to receive such untrustworthy things from
2209 		 * the wire.
2210 		 */
2211 		ASSERT(mp != NULL);
2212 
2213 		if (ipl != NULL) {
2214 			/*
2215 			 * Policy is cached in the conn.
2216 			 */
2217 			if ((ipl->ipl_in_policy != NULL) &&
2218 			    (!ipl->ipl_in_policy->ipsp_act->ipa_allow_clear)) {
2219 				ret = ipsec_inbound_accept_clear(mp,
2220 				    ipha, ip6h);
2221 				if (ret) {
2222 					BUMP_MIB(&ip_mib, ipsecInSucceeded);
2223 					return (first_mp);
2224 				} else {
2225 					ipsec_log_policy_failure(
2226 					    CONNP_TO_WQ(connp),
2227 					    IPSEC_POLICY_MISMATCH,
2228 					    "ipsec_check_inbound_policy", ipha,
2229 					    ip6h, B_FALSE);
2230 					ip_drop_packet(first_mp, B_TRUE, NULL,
2231 					    NULL, &ipdrops_spd_got_clear,
2232 					    &spd_dropper);
2233 					BUMP_MIB(&ip_mib, ipsecInFailed);
2234 					return (NULL);
2235 				}
2236 			} else {
2237 				BUMP_MIB(&ip_mib, ipsecInSucceeded);
2238 				return (first_mp);
2239 			}
2240 		} else {
2241 			/*
2242 			 * As this is a non-hardbound connection we need
2243 			 * to look at both per-socket policy and global
2244 			 * policy. As this is cleartext, mark the mp as
2245 			 * M_DATA in case if it is an ICMP error being
2246 			 * reported before calling ipsec_check_global_policy
2247 			 * so that it does not mistake it for IPSEC_IN.
2248 			 */
2249 			uchar_t db_type = mp->b_datap->db_type;
2250 			mp->b_datap->db_type = M_DATA;
2251 			first_mp = ipsec_check_global_policy(first_mp, connp,
2252 			    ipha, ip6h, mctl_present);
2253 			if (first_mp != NULL)
2254 				mp->b_datap->db_type = db_type;
2255 			return (first_mp);
2256 		}
2257 	}
2258 	/*
2259 	 * If it is inbound check whether the attached message
2260 	 * is secure or not. We have a special case for ICMP,
2261 	 * where we have a IPSEC_IN message and the attached
2262 	 * message is not secure. See icmp_inbound_error_fanout
2263 	 * for details.
2264 	 */
2265 	ASSERT(ipsec_mp != NULL);
2266 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
2267 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
2268 
2269 	if (!ii->ipsec_in_secure)
2270 		goto clear;
2271 
2272 	/*
2273 	 * mp->b_cont could be either a M_CTL message
2274 	 * for icmp errors being sent up or a M_DATA message.
2275 	 */
2276 	ASSERT(mp->b_datap->db_type == M_CTL ||
2277 	    mp->b_datap->db_type == M_DATA);
2278 
2279 	ASSERT(ii->ipsec_in_type == IPSEC_IN);
2280 
2281 	if (ipl == NULL) {
2282 		/*
2283 		 * We don't have policies cached in the conn
2284 		 * for this stream. So, look at the global
2285 		 * policy. It will check against conn or global
2286 		 * depending on whichever is stronger.
2287 		 */
2288 		return (ipsec_check_global_policy(first_mp, connp,
2289 		    ipha, ip6h, mctl_present));
2290 	}
2291 
2292 	if (ipl->ipl_in_action != NULL) {
2293 		/* Policy is cached & latched; fast(er) path */
2294 		const char *reason;
2295 		kstat_named_t *counter;
2296 		if (ipsec_check_ipsecin_latch(ii, mp, ipl,
2297 		    ipha, ip6h, &reason, &counter)) {
2298 			BUMP_MIB(&ip_mib, ipsecInSucceeded);
2299 			return (first_mp);
2300 		}
2301 		q = CONNP_TO_WQ(connp);
2302 		if (q != NULL) {
2303 			mid = q->q_qinfo->qi_minfo->mi_idnum;
2304 		}
2305 		ipsec_rl_strlog(mid, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
2306 		    "ipsec inbound policy mismatch: %s, packet dropped\n",
2307 		    reason);
2308 		ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter,
2309 		    &spd_dropper);
2310 		BUMP_MIB(&ip_mib, ipsecInFailed);
2311 		return (NULL);
2312 	} else if (ipl->ipl_in_policy == NULL) {
2313 		ipsec_weird_null_inbound_policy++;
2314 		return (first_mp);
2315 	}
2316 
2317 	IPPOL_REFHOLD(ipl->ipl_in_policy);
2318 	first_mp = ipsec_check_ipsecin_policy(CONNP_TO_WQ(connp), first_mp,
2319 	    ipl->ipl_in_policy, ipha, ip6h);
2320 	/*
2321 	 * NOTE: ipsecIn{Failed,Succeeeded} bumped by
2322 	 * ipsec_check_ipsecin_policy().
2323 	 */
2324 	if (first_mp != NULL)
2325 		ipsec_latch_inbound(ipl, ii);
2326 	return (first_mp);
2327 }
2328 
2329 boolean_t
2330 ipsec_init_inbound_sel(ipsec_selector_t *sel, mblk_t *mp,
2331     ipha_t *ipha, ip6_t *ip6h)
2332 {
2333 	uint16_t *ports;
2334 	ushort_t hdr_len;
2335 	mblk_t *spare_mp = NULL;
2336 	uint8_t *nexthdrp;
2337 	uint8_t nexthdr;
2338 	uint8_t *typecode;
2339 	uint8_t check_proto;
2340 
2341 	ASSERT((ipha == NULL && ip6h != NULL) ||
2342 	    (ipha != NULL && ip6h == NULL));
2343 
2344 	if (ip6h != NULL) {
2345 		check_proto = IPPROTO_ICMPV6;
2346 		sel->ips_isv4 = B_FALSE;
2347 		sel->ips_local_addr_v6 = ip6h->ip6_dst;
2348 		sel->ips_remote_addr_v6 = ip6h->ip6_src;
2349 
2350 		nexthdr = ip6h->ip6_nxt;
2351 		switch (nexthdr) {
2352 		case IPPROTO_HOPOPTS:
2353 		case IPPROTO_ROUTING:
2354 		case IPPROTO_DSTOPTS:
2355 			/*
2356 			 * Use ip_hdr_length_nexthdr_v6().  And have a spare
2357 			 * mblk that's contiguous to feed it
2358 			 */
2359 			if ((spare_mp = msgpullup(mp, -1)) == NULL)
2360 				return (B_FALSE);
2361 			if (!ip_hdr_length_nexthdr_v6(spare_mp,
2362 			    (ip6_t *)spare_mp->b_rptr, &hdr_len, &nexthdrp)) {
2363 				/* Malformed packet - XXX ip_drop_packet()? */
2364 				freemsg(spare_mp);
2365 				return (B_FALSE);
2366 			}
2367 			nexthdr = *nexthdrp;
2368 			/* We can just extract based on hdr_len now. */
2369 			break;
2370 		default:
2371 			hdr_len = IPV6_HDR_LEN;
2372 			break;
2373 		}
2374 	} else {
2375 		check_proto = IPPROTO_ICMP;
2376 		sel->ips_isv4 = B_TRUE;
2377 		sel->ips_local_addr_v4 = ipha->ipha_dst;
2378 		sel->ips_remote_addr_v4 = ipha->ipha_src;
2379 		nexthdr = ipha->ipha_protocol;
2380 		hdr_len = IPH_HDR_LENGTH(ipha);
2381 	}
2382 	sel->ips_protocol = nexthdr;
2383 
2384 	if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
2385 	    nexthdr != IPPROTO_SCTP && nexthdr != check_proto) {
2386 		sel->ips_remote_port = sel->ips_local_port = 0;
2387 		freemsg(spare_mp);	/* Always works, even if NULL. */
2388 		return (B_TRUE);
2389 	}
2390 
2391 	if (&mp->b_rptr[hdr_len] + 4 > mp->b_wptr) {
2392 		/* If we didn't pullup a copy already, do so now. */
2393 		/*
2394 		 * XXX performance, will upper-layers frequently split TCP/UDP
2395 		 * apart from IP or options?  If so, perhaps we should revisit
2396 		 * the spare_mp strategy.
2397 		 */
2398 		ipsec_hdr_pullup_needed++;
2399 		if (spare_mp == NULL &&
2400 		    (spare_mp = msgpullup(mp, -1)) == NULL) {
2401 			return (B_FALSE);
2402 		}
2403 		ports = (uint16_t *)&spare_mp->b_rptr[hdr_len];
2404 	} else {
2405 		ports = (uint16_t *)&mp->b_rptr[hdr_len];
2406 	}
2407 
2408 	if (nexthdr == check_proto) {
2409 		typecode = (uint8_t *)ports;
2410 		sel->ips_icmp_type = *typecode++;
2411 		sel->ips_icmp_code = *typecode;
2412 		sel->ips_remote_port = sel->ips_local_port = 0;
2413 		freemsg(spare_mp);	/* Always works, even if NULL */
2414 		return (B_TRUE);
2415 	}
2416 
2417 	sel->ips_remote_port = *ports++;
2418 	sel->ips_local_port = *ports;
2419 	freemsg(spare_mp);	/* Always works, even if NULL */
2420 	return (B_TRUE);
2421 }
2422 
2423 static boolean_t
2424 ipsec_init_outbound_ports(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
2425     ip6_t *ip6h)
2426 {
2427 	/*
2428 	 * XXX cut&paste shared with ipsec_init_inbound_sel
2429 	 */
2430 	uint16_t *ports;
2431 	ushort_t hdr_len;
2432 	mblk_t *spare_mp = NULL;
2433 	uint8_t *nexthdrp;
2434 	uint8_t nexthdr;
2435 	uint8_t *typecode;
2436 	uint8_t check_proto;
2437 
2438 	ASSERT((ipha == NULL && ip6h != NULL) ||
2439 	    (ipha != NULL && ip6h == NULL));
2440 
2441 	if (ip6h != NULL) {
2442 		check_proto = IPPROTO_ICMPV6;
2443 		nexthdr = ip6h->ip6_nxt;
2444 		switch (nexthdr) {
2445 		case IPPROTO_HOPOPTS:
2446 		case IPPROTO_ROUTING:
2447 		case IPPROTO_DSTOPTS:
2448 			/*
2449 			 * Use ip_hdr_length_nexthdr_v6().  And have a spare
2450 			 * mblk that's contiguous to feed it
2451 			 */
2452 			spare_mp = msgpullup(mp, -1);
2453 			if (spare_mp == NULL ||
2454 			    !ip_hdr_length_nexthdr_v6(spare_mp,
2455 				(ip6_t *)spare_mp->b_rptr, &hdr_len,
2456 				&nexthdrp)) {
2457 				/* Always works, even if NULL. */
2458 				freemsg(spare_mp);
2459 				freemsg(mp);
2460 				return (B_FALSE);
2461 			} else {
2462 				nexthdr = *nexthdrp;
2463 				/* We can just extract based on hdr_len now. */
2464 			}
2465 			break;
2466 		default:
2467 			hdr_len = IPV6_HDR_LEN;
2468 			break;
2469 		}
2470 	} else {
2471 		check_proto = IPPROTO_ICMP;
2472 		hdr_len = IPH_HDR_LENGTH(ipha);
2473 		nexthdr = ipha->ipha_protocol;
2474 	}
2475 
2476 	sel->ips_protocol = nexthdr;
2477 	if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
2478 	    nexthdr != IPPROTO_SCTP && nexthdr != check_proto) {
2479 		sel->ips_local_port = sel->ips_remote_port = 0;
2480 		freemsg(spare_mp);  /* Always works, even if NULL. */
2481 		return (B_TRUE);
2482 	}
2483 
2484 	if (&mp->b_rptr[hdr_len] + 4 > mp->b_wptr) {
2485 		/* If we didn't pullup a copy already, do so now. */
2486 		/*
2487 		 * XXX performance, will upper-layers frequently split TCP/UDP
2488 		 * apart from IP or options?  If so, perhaps we should revisit
2489 		 * the spare_mp strategy.
2490 		 *
2491 		 * XXX should this be msgpullup(mp, hdr_len+4) ???
2492 		 */
2493 		if (spare_mp == NULL &&
2494 		    (spare_mp = msgpullup(mp, -1)) == NULL) {
2495 			freemsg(mp);
2496 			return (B_FALSE);
2497 		}
2498 		ports = (uint16_t *)&spare_mp->b_rptr[hdr_len];
2499 	} else {
2500 		ports = (uint16_t *)&mp->b_rptr[hdr_len];
2501 	}
2502 
2503 	if (nexthdr == check_proto) {
2504 		typecode = (uint8_t *)ports;
2505 		sel->ips_icmp_type = *typecode++;
2506 		sel->ips_icmp_code = *typecode;
2507 		sel->ips_remote_port = sel->ips_local_port = 0;
2508 		freemsg(spare_mp);	/* Always works, even if NULL */
2509 		return (B_TRUE);
2510 	}
2511 
2512 	sel->ips_local_port = *ports++;
2513 	sel->ips_remote_port = *ports;
2514 	freemsg(spare_mp);	/* Always works, even if NULL */
2515 	return (B_TRUE);
2516 }
2517 
2518 /*
2519  * Create an ipsec_action_t based on the way an inbound packet was protected.
2520  * Used to reflect traffic back to a sender.
2521  *
2522  * We don't bother interning the action into the hash table.
2523  */
2524 ipsec_action_t *
2525 ipsec_in_to_out_action(ipsec_in_t *ii)
2526 {
2527 	ipsa_t *ah_assoc, *esp_assoc;
2528 	uint_t auth_alg = 0, encr_alg = 0, espa_alg = 0;
2529 	ipsec_action_t *ap;
2530 	boolean_t unique;
2531 
2532 	ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);
2533 
2534 	if (ap == NULL)
2535 		return (NULL);
2536 
2537 	bzero(ap, sizeof (*ap));
2538 	HASH_NULL(ap, ipa_hash);
2539 	ap->ipa_next = NULL;
2540 	ap->ipa_refs = 1;
2541 
2542 	/*
2543 	 * Get the algorithms that were used for this packet.
2544 	 */
2545 	ap->ipa_act.ipa_type = IPSEC_ACT_APPLY;
2546 	ap->ipa_act.ipa_log = 0;
2547 	ah_assoc = ii->ipsec_in_ah_sa;
2548 	ap->ipa_act.ipa_apply.ipp_use_ah = (ah_assoc != NULL);
2549 
2550 	esp_assoc = ii->ipsec_in_esp_sa;
2551 	ap->ipa_act.ipa_apply.ipp_use_esp = (esp_assoc != NULL);
2552 
2553 	if (esp_assoc != NULL) {
2554 		encr_alg = esp_assoc->ipsa_encr_alg;
2555 		espa_alg = esp_assoc->ipsa_auth_alg;
2556 		ap->ipa_act.ipa_apply.ipp_use_espa = (espa_alg != 0);
2557 	}
2558 	if (ah_assoc != NULL)
2559 		auth_alg = ah_assoc->ipsa_auth_alg;
2560 
2561 	ap->ipa_act.ipa_apply.ipp_encr_alg = (uint8_t)encr_alg;
2562 	ap->ipa_act.ipa_apply.ipp_auth_alg = (uint8_t)auth_alg;
2563 	ap->ipa_act.ipa_apply.ipp_esp_auth_alg = (uint8_t)espa_alg;
2564 	ap->ipa_act.ipa_apply.ipp_use_se = ii->ipsec_in_decaps;
2565 	unique = B_FALSE;
2566 
2567 	if (esp_assoc != NULL) {
2568 		ap->ipa_act.ipa_apply.ipp_espa_minbits =
2569 		    esp_assoc->ipsa_authkeybits;
2570 		ap->ipa_act.ipa_apply.ipp_espa_maxbits =
2571 		    esp_assoc->ipsa_authkeybits;
2572 		ap->ipa_act.ipa_apply.ipp_espe_minbits =
2573 		    esp_assoc->ipsa_encrkeybits;
2574 		ap->ipa_act.ipa_apply.ipp_espe_maxbits =
2575 		    esp_assoc->ipsa_encrkeybits;
2576 		ap->ipa_act.ipa_apply.ipp_km_proto = esp_assoc->ipsa_kmp;
2577 		ap->ipa_act.ipa_apply.ipp_km_cookie = esp_assoc->ipsa_kmc;
2578 		if (esp_assoc->ipsa_flags & IPSA_F_UNIQUE)
2579 			unique = B_TRUE;
2580 	}
2581 	if (ah_assoc != NULL) {
2582 		ap->ipa_act.ipa_apply.ipp_ah_minbits =
2583 		    ah_assoc->ipsa_authkeybits;
2584 		ap->ipa_act.ipa_apply.ipp_ah_maxbits =
2585 		    ah_assoc->ipsa_authkeybits;
2586 		ap->ipa_act.ipa_apply.ipp_km_proto = ah_assoc->ipsa_kmp;
2587 		ap->ipa_act.ipa_apply.ipp_km_cookie = ah_assoc->ipsa_kmc;
2588 		if (ah_assoc->ipsa_flags & IPSA_F_UNIQUE)
2589 			unique = B_TRUE;
2590 	}
2591 	ap->ipa_act.ipa_apply.ipp_use_unique = unique;
2592 	ap->ipa_want_unique = unique;
2593 	ap->ipa_allow_clear = B_FALSE;
2594 	ap->ipa_want_se = ii->ipsec_in_decaps;
2595 	ap->ipa_want_ah = (ah_assoc != NULL);
2596 	ap->ipa_want_esp = (esp_assoc != NULL);
2597 
2598 	ap->ipa_ovhd = ipsec_act_ovhd(&ap->ipa_act);
2599 
2600 	ap->ipa_act.ipa_apply.ipp_replay_depth = 0; /* don't care */
2601 
2602 	return (ap);
2603 }
2604 
2605 
2606 /*
2607  * Compute the worst-case amount of extra space required by an action.
2608  * Note that, because of the ESP considerations listed below, this is
2609  * actually not the same as the best-case reduction in the MTU; in the
2610  * future, we should pass additional information to this function to
2611  * allow the actual MTU impact to be computed.
2612  *
2613  * AH: Revisit this if we implement algorithms with
2614  * a verifier size of more than 12 bytes.
2615  *
2616  * ESP: A more exact but more messy computation would take into
2617  * account the interaction between the cipher block size and the
2618  * effective MTU, yielding the inner payload size which reflects a
2619  * packet with *minimum* ESP padding..
2620  */
2621 static int32_t
2622 ipsec_act_ovhd(const ipsec_act_t *act)
2623 {
2624 	int32_t overhead = 0;
2625 
2626 	if (act->ipa_type == IPSEC_ACT_APPLY) {
2627 		const ipsec_prot_t *ipp = &act->ipa_apply;
2628 
2629 		if (ipp->ipp_use_ah)
2630 			overhead += IPSEC_MAX_AH_HDR_SIZE;
2631 		if (ipp->ipp_use_esp) {
2632 			overhead += IPSEC_MAX_ESP_HDR_SIZE;
2633 			overhead += sizeof (struct udphdr);
2634 		}
2635 		if (ipp->ipp_use_se)
2636 			overhead += IP_SIMPLE_HDR_LENGTH;
2637 	}
2638 	return (overhead);
2639 }
2640 
2641 /*
2642  * This hash function is used only when creating policies and thus is not
2643  * performance-critical for packet flows.
2644  *
2645  * Future work: canonicalize the structures hashed with this (i.e.,
2646  * zeroize padding) so the hash works correctly.
2647  */
2648 /* ARGSUSED */
2649 static uint32_t
2650 policy_hash(int size, const void *start, const void *end)
2651 {
2652 	return (0);
2653 }
2654 
2655 
2656 /*
2657  * Hash function macros for each address type.
2658  *
2659  * The IPV6 hash function assumes that the low order 32-bits of the
2660  * address (typically containing the low order 24 bits of the mac
2661  * address) are reasonably well-distributed.  Revisit this if we run
2662  * into trouble from lots of collisions on ::1 addresses and the like
2663  * (seems unlikely).
2664  */
2665 #define	IPSEC_IPV4_HASH(a) ((a) % ipsec_spd_hashsize)
2666 #define	IPSEC_IPV6_HASH(a) ((a.s6_addr32[3]) % ipsec_spd_hashsize)
2667 
2668 /*
2669  * These two hash functions should produce coordinated values
2670  * but have slightly different roles.
2671  */
2672 static uint32_t
2673 selkey_hash(const ipsec_selkey_t *selkey)
2674 {
2675 	uint32_t valid = selkey->ipsl_valid;
2676 
2677 	if (!(valid & IPSL_REMOTE_ADDR))
2678 		return (IPSEC_SEL_NOHASH);
2679 
2680 	if (valid & IPSL_IPV4) {
2681 		if (selkey->ipsl_remote_pfxlen == 32)
2682 			return (IPSEC_IPV4_HASH(selkey->ipsl_remote.ipsad_v4));
2683 	}
2684 	if (valid & IPSL_IPV6) {
2685 		if (selkey->ipsl_remote_pfxlen == 128)
2686 			return (IPSEC_IPV6_HASH(selkey->ipsl_remote.ipsad_v6));
2687 	}
2688 	return (IPSEC_SEL_NOHASH);
2689 }
2690 
2691 static uint32_t
2692 selector_hash(ipsec_selector_t *sel)
2693 {
2694 	if (sel->ips_isv4) {
2695 		return (IPSEC_IPV4_HASH(sel->ips_remote_addr_v4));
2696 	}
2697 	return (IPSEC_IPV6_HASH(sel->ips_remote_addr_v6));
2698 }
2699 
2700 /*
2701  * Intern actions into the action hash table.
2702  */
2703 ipsec_action_t *
2704 ipsec_act_find(const ipsec_act_t *a, int n)
2705 {
2706 	int i;
2707 	uint32_t hval;
2708 	ipsec_action_t *ap;
2709 	ipsec_action_t *prev = NULL;
2710 	int32_t overhead, maxovhd = 0;
2711 	boolean_t allow_clear = B_FALSE;
2712 	boolean_t want_ah = B_FALSE;
2713 	boolean_t want_esp = B_FALSE;
2714 	boolean_t want_se = B_FALSE;
2715 	boolean_t want_unique = B_FALSE;
2716 
2717 	/*
2718 	 * TODO: should canonicalize a[] (i.e., zeroize any padding)
2719 	 * so we can use a non-trivial policy_hash function.
2720 	 */
2721 	for (i = n-1; i >= 0; i--) {
2722 		hval = policy_hash(IPSEC_ACTION_HASH_SIZE, &a[i], &a[n]);
2723 
2724 		HASH_LOCK(ipsec_action_hash, hval);
2725 
2726 		for (HASH_ITERATE(ap, ipa_hash, ipsec_action_hash, hval)) {
2727 			if (bcmp(&ap->ipa_act, &a[i], sizeof (*a)) != 0)
2728 				continue;
2729 			if (ap->ipa_next != prev)
2730 				continue;
2731 			break;
2732 		}
2733 		if (ap != NULL) {
2734 			HASH_UNLOCK(ipsec_action_hash, hval);
2735 			prev = ap;
2736 			continue;
2737 		}
2738 		/*
2739 		 * need to allocate a new one..
2740 		 */
2741 		ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);
2742 		if (ap == NULL) {
2743 			HASH_UNLOCK(ipsec_action_hash, hval);
2744 			if (prev != NULL)
2745 				ipsec_action_free(prev);
2746 			return (NULL);
2747 		}
2748 		HASH_INSERT(ap, ipa_hash, ipsec_action_hash, hval);
2749 
2750 		ap->ipa_next = prev;
2751 		ap->ipa_act = a[i];
2752 
2753 		overhead = ipsec_act_ovhd(&a[i]);
2754 		if (maxovhd < overhead)
2755 			maxovhd = overhead;
2756 
2757 		if ((a[i].ipa_type == IPSEC_ACT_BYPASS) ||
2758 		    (a[i].ipa_type == IPSEC_ACT_CLEAR))
2759 			allow_clear = B_TRUE;
2760 		if (a[i].ipa_type == IPSEC_ACT_APPLY) {
2761 			const ipsec_prot_t *ipp = &a[i].ipa_apply;
2762 
2763 			ASSERT(ipp->ipp_use_ah || ipp->ipp_use_esp);
2764 			want_ah |= ipp->ipp_use_ah;
2765 			want_esp |= ipp->ipp_use_esp;
2766 			want_se |= ipp->ipp_use_se;
2767 			want_unique |= ipp->ipp_use_unique;
2768 		}
2769 		ap->ipa_allow_clear = allow_clear;
2770 		ap->ipa_want_ah = want_ah;
2771 		ap->ipa_want_esp = want_esp;
2772 		ap->ipa_want_se = want_se;
2773 		ap->ipa_want_unique = want_unique;
2774 		ap->ipa_refs = 1; /* from the hash table */
2775 		ap->ipa_ovhd = maxovhd;
2776 		if (prev)
2777 			prev->ipa_refs++;
2778 		prev = ap;
2779 		HASH_UNLOCK(ipsec_action_hash, hval);
2780 	}
2781 
2782 	ap->ipa_refs++;		/* caller's reference */
2783 
2784 	return (ap);
2785 }
2786 
2787 /*
2788  * Called when refcount goes to 0, indicating that all references to this
2789  * node are gone.
2790  *
2791  * This does not unchain the action from the hash table.
2792  */
2793 void
2794 ipsec_action_free(ipsec_action_t *ap)
2795 {
2796 	for (;;) {
2797 		ipsec_action_t *np = ap->ipa_next;
2798 		ASSERT(ap->ipa_refs == 0);
2799 		ASSERT(ap->ipa_hash.hash_pp == NULL);
2800 		kmem_cache_free(ipsec_action_cache, ap);
2801 		ap = np;
2802 		/* Inlined IPACT_REFRELE -- avoid recursion */
2803 		if (ap == NULL)
2804 			break;
2805 		membar_exit();
2806 		if (atomic_add_32_nv(&(ap)->ipa_refs, -1) != 0)
2807 			break;
2808 		/* End inlined IPACT_REFRELE */
2809 	}
2810 }
2811 
2812 /*
2813  * Periodically sweep action hash table for actions with refcount==1, and
2814  * nuke them.  We cannot do this "on demand" (i.e., from IPACT_REFRELE)
2815  * because we can't close the race between another thread finding the action
2816  * in the hash table without holding the bucket lock during IPACT_REFRELE.
2817  * Instead, we run this function sporadically to clean up after ourselves;
2818  * we also set it as the "reclaim" function for the action kmem_cache.
2819  *
2820  * Note that it may take several passes of ipsec_action_gc() to free all
2821  * "stale" actions.
2822  */
2823 /* ARGSUSED */
2824 static void
2825 ipsec_action_reclaim(void *dummy)
2826 {
2827 	int i;
2828 
2829 	for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) {
2830 		ipsec_action_t *ap, *np;
2831 
2832 		/* skip the lock if nobody home */
2833 		if (ipsec_action_hash[i].hash_head == NULL)
2834 			continue;
2835 
2836 		HASH_LOCK(ipsec_action_hash, i);
2837 		for (ap = ipsec_action_hash[i].hash_head;
2838 		    ap != NULL; ap = np) {
2839 			ASSERT(ap->ipa_refs > 0);
2840 			np = ap->ipa_hash.hash_next;
2841 			if (ap->ipa_refs > 1)
2842 				continue;
2843 			HASH_UNCHAIN(ap, ipa_hash, ipsec_action_hash, i);
2844 			IPACT_REFRELE(ap);
2845 		}
2846 		HASH_UNLOCK(ipsec_action_hash, i);
2847 	}
2848 }
2849 
2850 /*
2851  * Intern a selector set into the selector set hash table.
2852  * This is simpler than the actions case..
2853  */
2854 static ipsec_sel_t *
2855 ipsec_find_sel(ipsec_selkey_t *selkey)
2856 {
2857 	ipsec_sel_t *sp;
2858 	uint32_t hval, bucket;
2859 
2860 	/*
2861 	 * Exactly one AF bit should be set in selkey.
2862 	 */
2863 	ASSERT(!(selkey->ipsl_valid & IPSL_IPV4) ^
2864 	    !(selkey->ipsl_valid & IPSL_IPV6));
2865 
2866 	hval = selkey_hash(selkey);
2867 	selkey->ipsl_hval = hval;
2868 
2869 	bucket = (hval == IPSEC_SEL_NOHASH) ? 0 : hval;
2870 
2871 	ASSERT(!HASH_LOCKED(ipsec_sel_hash, bucket));
2872 	HASH_LOCK(ipsec_sel_hash, bucket);
2873 
2874 	for (HASH_ITERATE(sp, ipsl_hash, ipsec_sel_hash, bucket)) {
2875 		if (bcmp(&sp->ipsl_key, selkey, sizeof (*selkey)) == 0)
2876 			break;
2877 	}
2878 	if (sp != NULL) {
2879 		sp->ipsl_refs++;
2880 
2881 		HASH_UNLOCK(ipsec_sel_hash, bucket);
2882 		return (sp);
2883 	}
2884 
2885 	sp = kmem_cache_alloc(ipsec_sel_cache, KM_NOSLEEP);
2886 	if (sp == NULL) {
2887 		HASH_UNLOCK(ipsec_sel_hash, bucket);
2888 		return (NULL);
2889 	}
2890 
2891 	HASH_INSERT(sp, ipsl_hash, ipsec_sel_hash, bucket);
2892 	sp->ipsl_refs = 2;	/* one for hash table, one for caller */
2893 	sp->ipsl_key = *selkey;
2894 
2895 	HASH_UNLOCK(ipsec_sel_hash, bucket);
2896 
2897 	return (sp);
2898 }
2899 
2900 static void
2901 ipsec_sel_rel(ipsec_sel_t **spp)
2902 {
2903 	ipsec_sel_t *sp = *spp;
2904 	int hval = sp->ipsl_key.ipsl_hval;
2905 	*spp = NULL;
2906 
2907 	if (hval == IPSEC_SEL_NOHASH)
2908 		hval = 0;
2909 
2910 	ASSERT(!HASH_LOCKED(ipsec_sel_hash, hval));
2911 	HASH_LOCK(ipsec_sel_hash, hval);
2912 	if (--sp->ipsl_refs == 1) {
2913 		HASH_UNCHAIN(sp, ipsl_hash, ipsec_sel_hash, hval);
2914 		sp->ipsl_refs--;
2915 		HASH_UNLOCK(ipsec_sel_hash, hval);
2916 		ASSERT(sp->ipsl_refs == 0);
2917 		kmem_cache_free(ipsec_sel_cache, sp);
2918 		/* Caller unlocks */
2919 		return;
2920 	}
2921 
2922 	HASH_UNLOCK(ipsec_sel_hash, hval);
2923 }
2924 
2925 /*
2926  * Free a policy rule which we know is no longer being referenced.
2927  */
2928 void
2929 ipsec_policy_free(ipsec_policy_t *ipp)
2930 {
2931 	ASSERT(ipp->ipsp_refs == 0);
2932 	ASSERT(ipp->ipsp_sel != NULL);
2933 	ASSERT(ipp->ipsp_act != NULL);
2934 	ipsec_sel_rel(&ipp->ipsp_sel);
2935 	IPACT_REFRELE(ipp->ipsp_act);
2936 	kmem_cache_free(ipsec_pol_cache, ipp);
2937 }
2938 
2939 /*
2940  * Construction of new policy rules; construct a policy, and add it to
2941  * the appropriate tables.
2942  */
2943 ipsec_policy_t *
2944 ipsec_policy_create(ipsec_selkey_t *keys, const ipsec_act_t *a,
2945     int nacts, int prio)
2946 {
2947 	ipsec_action_t *ap;
2948 	ipsec_sel_t *sp;
2949 	ipsec_policy_t *ipp;
2950 
2951 	ipp = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);
2952 	ap = ipsec_act_find(a, nacts);
2953 	sp = ipsec_find_sel(keys);
2954 
2955 	if ((ap == NULL) || (sp == NULL) || (ipp == NULL)) {
2956 		if (ap != NULL) {
2957 			IPACT_REFRELE(ap);
2958 		}
2959 		if (sp != NULL)
2960 			ipsec_sel_rel(&sp);
2961 		if (ipp != NULL)
2962 			kmem_cache_free(ipsec_pol_cache, ipp);
2963 		return (NULL);
2964 	}
2965 
2966 	HASH_NULL(ipp, ipsp_hash);
2967 
2968 	ipp->ipsp_refs = 1;	/* caller's reference */
2969 	ipp->ipsp_sel = sp;
2970 	ipp->ipsp_act = ap;
2971 	ipp->ipsp_prio = prio;	/* rule priority */
2972 	ipp->ipsp_index = ipsec_next_policy_index++;
2973 
2974 	return (ipp);
2975 }
2976 
2977 static void
2978 ipsec_update_present_flags()
2979 {
2980 	boolean_t hashpol = (avl_numnodes(&system_policy.iph_rulebyid) > 0);
2981 
2982 	if (hashpol) {
2983 		ipsec_outbound_v4_policy_present = B_TRUE;
2984 		ipsec_outbound_v6_policy_present = B_TRUE;
2985 		ipsec_inbound_v4_policy_present = B_TRUE;
2986 		ipsec_inbound_v6_policy_present = B_TRUE;
2987 		return;
2988 	}
2989 
2990 	ipsec_outbound_v4_policy_present = (NULL !=
2991 	    system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
2992 	    ipr_nonhash[IPSEC_AF_V4]);
2993 	ipsec_outbound_v6_policy_present = (NULL !=
2994 	    system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
2995 	    ipr_nonhash[IPSEC_AF_V6]);
2996 	ipsec_inbound_v4_policy_present = (NULL !=
2997 	    system_policy.iph_root[IPSEC_TYPE_INBOUND].
2998 	    ipr_nonhash[IPSEC_AF_V4]);
2999 	ipsec_inbound_v6_policy_present = (NULL !=
3000 	    system_policy.iph_root[IPSEC_TYPE_INBOUND].
3001 	    ipr_nonhash[IPSEC_AF_V6]);
3002 }
3003 
3004 boolean_t
3005 ipsec_policy_delete(ipsec_policy_head_t *php, ipsec_selkey_t *keys, int dir)
3006 {
3007 	ipsec_sel_t *sp;
3008 	ipsec_policy_t *ip, *nip, *head;
3009 	int af;
3010 	ipsec_policy_root_t *pr = &php->iph_root[dir];
3011 
3012 	sp = ipsec_find_sel(keys);
3013 
3014 	if (sp == NULL)
3015 		return (B_FALSE);
3016 
3017 	af = (sp->ipsl_key.ipsl_valid & IPSL_IPV4) ? IPSEC_AF_V4 : IPSEC_AF_V6;
3018 
3019 	rw_enter(&php->iph_lock, RW_WRITER);
3020 
3021 	if (keys->ipsl_hval == IPSEC_SEL_NOHASH) {
3022 		head = pr->ipr_nonhash[af];
3023 	} else {
3024 		head = pr->ipr_hash[keys->ipsl_hval].hash_head;
3025 	}
3026 
3027 	for (ip = head; ip != NULL; ip = nip) {
3028 		nip = ip->ipsp_hash.hash_next;
3029 		if (ip->ipsp_sel != sp) {
3030 			continue;
3031 		}
3032 
3033 		IPPOL_UNCHAIN(php, ip);
3034 
3035 		php->iph_gen++;
3036 		ipsec_update_present_flags();
3037 
3038 		rw_exit(&php->iph_lock);
3039 
3040 		ipsec_sel_rel(&sp);
3041 
3042 		return (B_TRUE);
3043 	}
3044 
3045 	rw_exit(&php->iph_lock);
3046 	ipsec_sel_rel(&sp);
3047 	return (B_FALSE);
3048 }
3049 
3050 int
3051 ipsec_policy_delete_index(ipsec_policy_head_t *php, uint64_t policy_index)
3052 {
3053 	boolean_t found = B_FALSE;
3054 	ipsec_policy_t ipkey;
3055 	ipsec_policy_t *ip;
3056 	avl_index_t where;
3057 
3058 	(void) memset(&ipkey, 0, sizeof (ipkey));
3059 	ipkey.ipsp_index = policy_index;
3060 
3061 	rw_enter(&php->iph_lock, RW_WRITER);
3062 
3063 	/*
3064 	 * We could be cleverer here about the walk.
3065 	 * but well, (k+1)*log(N) will do for now (k==number of matches,
3066 	 * N==number of table entries
3067 	 */
3068 	for (;;) {
3069 		ip = (ipsec_policy_t *)avl_find(&php->iph_rulebyid,
3070 		    (void *)&ipkey, &where);
3071 		ASSERT(ip == NULL);
3072 
3073 		ip = avl_nearest(&php->iph_rulebyid, where, AVL_AFTER);
3074 
3075 		if (ip == NULL)
3076 			break;
3077 
3078 		if (ip->ipsp_index != policy_index) {
3079 			ASSERT(ip->ipsp_index > policy_index);
3080 			break;
3081 		}
3082 
3083 		IPPOL_UNCHAIN(php, ip);
3084 		found = B_TRUE;
3085 	}
3086 
3087 	if (found) {
3088 		php->iph_gen++;
3089 		ipsec_update_present_flags();
3090 	}
3091 
3092 	rw_exit(&php->iph_lock);
3093 
3094 	return (found ? 0 : ENOENT);
3095 }
3096 
3097 /*
3098  * Given a constructed ipsec_policy_t policy rule, see if it can be entered
3099  * into the correct policy ruleset.
3100  *
3101  * Returns B_TRUE if it can be entered, B_FALSE if it can't be (because a
3102  * duplicate policy exists with exactly the same selectors), or an icmp
3103  * rule exists with a different encryption/authentication action.
3104  */
3105 boolean_t
3106 ipsec_check_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction)
3107 {
3108 	ipsec_policy_root_t *pr = &php->iph_root[direction];
3109 	int af = -1;
3110 	ipsec_policy_t *p2, *head;
3111 	uint8_t check_proto;
3112 	ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
3113 	uint32_t	valid = selkey->ipsl_valid;
3114 
3115 	if (valid & IPSL_IPV6) {
3116 		ASSERT(!(valid & IPSL_IPV4));
3117 		af = IPSEC_AF_V6;
3118 		check_proto = IPPROTO_ICMPV6;
3119 	} else {
3120 		ASSERT(valid & IPSL_IPV4);
3121 		af = IPSEC_AF_V4;
3122 		check_proto = IPPROTO_ICMP;
3123 	}
3124 
3125 	ASSERT(RW_WRITE_HELD(&php->iph_lock));
3126 
3127 	/*
3128 	 * Double-check that we don't have any duplicate selectors here.
3129 	 * Because selectors are interned below, we need only compare pointers
3130 	 * for equality.
3131 	 */
3132 	if (selkey->ipsl_hval == IPSEC_SEL_NOHASH) {
3133 		head = pr->ipr_nonhash[af];
3134 	} else {
3135 		head = pr->ipr_hash[selkey->ipsl_hval].hash_head;
3136 	}
3137 
3138 	for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {
3139 		if (p2->ipsp_sel == ipp->ipsp_sel)
3140 			return (B_FALSE);
3141 	}
3142 
3143 	/*
3144 	 * If it's ICMP and not a drop or pass rule, run through the ICMP
3145 	 * rules and make sure the action is either new or the same as any
3146 	 * other actions.  We don't have to check the full chain because
3147 	 * discard and bypass will override all other actions
3148 	 */
3149 
3150 	if (valid & IPSL_PROTOCOL &&
3151 	    selkey->ipsl_proto == check_proto &&
3152 	    (ipp->ipsp_act->ipa_act.ipa_type == IPSEC_ACT_APPLY)) {
3153 
3154 		for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {
3155 
3156 			if (p2->ipsp_sel->ipsl_key.ipsl_valid & IPSL_PROTOCOL &&
3157 			    p2->ipsp_sel->ipsl_key.ipsl_proto == check_proto &&
3158 			    (p2->ipsp_act->ipa_act.ipa_type ==
3159 				IPSEC_ACT_APPLY)) {
3160 				return (ipsec_compare_action(p2, ipp));
3161 			}
3162 		}
3163 	}
3164 
3165 	return (B_TRUE);
3166 }
3167 
3168 /*
3169  * compare the action chains of two policies for equality
3170  * B_TRUE -> effective equality
3171  */
3172 
3173 static boolean_t
3174 ipsec_compare_action(ipsec_policy_t *p1, ipsec_policy_t *p2)
3175 {
3176 
3177 	ipsec_action_t *act1, *act2;
3178 
3179 	/* We have a valid rule. Let's compare the actions */
3180 	if (p1->ipsp_act == p2->ipsp_act) {
3181 		/* same action. We are good */
3182 		return (B_TRUE);
3183 	}
3184 
3185 	/* we have to walk the chain */
3186 
3187 	act1 = p1->ipsp_act;
3188 	act2 = p2->ipsp_act;
3189 
3190 	while (act1 != NULL && act2 != NULL) {
3191 
3192 		/* otherwise, Are we close enough? */
3193 		if (act1->ipa_allow_clear != act2->ipa_allow_clear ||
3194 		    act1->ipa_want_ah != act2->ipa_want_ah ||
3195 		    act1->ipa_want_esp != act2->ipa_want_esp ||
3196 		    act1->ipa_want_se != act2->ipa_want_se) {
3197 			/* Nope, we aren't */
3198 			return (B_FALSE);
3199 		}
3200 
3201 		if (act1->ipa_want_ah) {
3202 			if (act1->ipa_act.ipa_apply.ipp_auth_alg !=
3203 			    act2->ipa_act.ipa_apply.ipp_auth_alg) {
3204 				return (B_FALSE);
3205 			}
3206 
3207 			if (act1->ipa_act.ipa_apply.ipp_ah_minbits !=
3208 			    act2->ipa_act.ipa_apply.ipp_ah_minbits ||
3209 			    act1->ipa_act.ipa_apply.ipp_ah_maxbits !=
3210 			    act2->ipa_act.ipa_apply.ipp_ah_maxbits) {
3211 				return (B_FALSE);
3212 			}
3213 		}
3214 
3215 		if (act1->ipa_want_esp) {
3216 			if (act1->ipa_act.ipa_apply.ipp_use_esp !=
3217 			    act2->ipa_act.ipa_apply.ipp_use_esp ||
3218 			    act1->ipa_act.ipa_apply.ipp_use_espa !=
3219 			    act2->ipa_act.ipa_apply.ipp_use_espa) {
3220 				return (B_FALSE);
3221 			}
3222 
3223 			if (act1->ipa_act.ipa_apply.ipp_use_esp) {
3224 				if (act1->ipa_act.ipa_apply.ipp_encr_alg !=
3225 				    act2->ipa_act.ipa_apply.ipp_encr_alg) {
3226 					return (B_FALSE);
3227 				}
3228 
3229 				if (act1->ipa_act.ipa_apply.ipp_espe_minbits !=
3230 				    act2->ipa_act.ipa_apply.ipp_espe_minbits ||
3231 				    act1->ipa_act.ipa_apply.ipp_espe_maxbits !=
3232 				    act2->ipa_act.ipa_apply.ipp_espe_maxbits) {
3233 					return (B_FALSE);
3234 				}
3235 			}
3236 
3237 			if (act1->ipa_act.ipa_apply.ipp_use_espa) {
3238 				if (act1->ipa_act.ipa_apply.ipp_esp_auth_alg !=
3239 				    act2->ipa_act.ipa_apply.ipp_esp_auth_alg) {
3240 					return (B_FALSE);
3241 				}
3242 
3243 				if (act1->ipa_act.ipa_apply.ipp_espa_minbits !=
3244 				    act2->ipa_act.ipa_apply.ipp_espa_minbits ||
3245 				    act1->ipa_act.ipa_apply.ipp_espa_maxbits !=
3246 				    act2->ipa_act.ipa_apply.ipp_espa_maxbits) {
3247 					return (B_FALSE);
3248 				}
3249 			}
3250 
3251 		}
3252 
3253 		act1 = act1->ipa_next;
3254 		act2 = act2->ipa_next;
3255 	}
3256 
3257 	if (act1 != NULL || act2 != NULL) {
3258 		return (B_FALSE);
3259 	}
3260 
3261 	return (B_TRUE);
3262 }
3263 
3264 
3265 /*
3266  * Given a constructed ipsec_policy_t policy rule, enter it into
3267  * the correct policy ruleset.
3268  *
3269  * ipsec_check_policy() is assumed to have succeeded first (to check for
3270  * duplicates).
3271  */
3272 void
3273 ipsec_enter_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction)
3274 {
3275 	ipsec_policy_root_t *pr = &php->iph_root[direction];
3276 	ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
3277 	uint32_t valid = selkey->ipsl_valid;
3278 	uint32_t hval = selkey->ipsl_hval;
3279 	int af = -1;
3280 
3281 	ASSERT(RW_WRITE_HELD(&php->iph_lock));
3282 
3283 	if (valid & IPSL_IPV6) {
3284 		ASSERT(!(valid & IPSL_IPV4));
3285 		af = IPSEC_AF_V6;
3286 	} else {
3287 		ASSERT(valid & IPSL_IPV4);
3288 		af = IPSEC_AF_V4;
3289 	}
3290 
3291 	php->iph_gen++;
3292 
3293 	if (hval == IPSEC_SEL_NOHASH) {
3294 		HASHLIST_INSERT(ipp, ipsp_hash, pr->ipr_nonhash[af]);
3295 	} else {
3296 		HASH_LOCK(pr->ipr_hash, hval);
3297 		HASH_INSERT(ipp, ipsp_hash, pr->ipr_hash, hval);
3298 		HASH_UNLOCK(pr->ipr_hash, hval);
3299 	}
3300 
3301 	ipsec_insert_always(&php->iph_rulebyid, ipp);
3302 
3303 	ipsec_update_present_flags();
3304 }
3305 
3306 static void
3307 ipsec_ipr_flush(ipsec_policy_head_t *php, ipsec_policy_root_t *ipr)
3308 {
3309 	ipsec_policy_t *ip, *nip;
3310 
3311 	int af, chain, nchain;
3312 
3313 	for (af = 0; af < IPSEC_NAF; af++) {
3314 		for (ip = ipr->ipr_nonhash[af]; ip != NULL; ip = nip) {
3315 			nip = ip->ipsp_hash.hash_next;
3316 			IPPOL_UNCHAIN(php, ip);
3317 		}
3318 		ipr->ipr_nonhash[af] = NULL;
3319 	}
3320 	nchain = ipr->ipr_nchains;
3321 
3322 	for (chain = 0; chain < nchain; chain++) {
3323 		for (ip = ipr->ipr_hash[chain].hash_head; ip != NULL;
3324 		    ip = nip) {
3325 			nip = ip->ipsp_hash.hash_next;
3326 			IPPOL_UNCHAIN(php, ip);
3327 		}
3328 		ipr->ipr_hash[chain].hash_head = NULL;
3329 	}
3330 }
3331 
3332 
3333 void
3334 ipsec_polhead_flush(ipsec_policy_head_t *php)
3335 {
3336 	int dir;
3337 
3338 	ASSERT(RW_WRITE_HELD(&php->iph_lock));
3339 
3340 	for (dir = 0; dir < IPSEC_NTYPES; dir++)
3341 		ipsec_ipr_flush(php, &php->iph_root[dir]);
3342 
3343 	ipsec_update_present_flags();
3344 }
3345 
3346 void
3347 ipsec_polhead_free(ipsec_policy_head_t *php)
3348 {
3349 	ASSERT(php->iph_refs == 0);
3350 	rw_enter(&php->iph_lock, RW_WRITER);
3351 	ipsec_polhead_flush(php);
3352 	rw_exit(&php->iph_lock);
3353 	rw_destroy(&php->iph_lock);
3354 	kmem_free(php, sizeof (*php));
3355 }
3356 
3357 static void
3358 ipsec_ipr_init(ipsec_policy_root_t *ipr)
3359 {
3360 	int af;
3361 
3362 	ipr->ipr_nchains = 0;
3363 	ipr->ipr_hash = NULL;
3364 
3365 	for (af = 0; af < IPSEC_NAF; af++) {
3366 		ipr->ipr_nonhash[af] = NULL;
3367 	}
3368 }
3369 
3370 extern ipsec_policy_head_t *
3371 ipsec_polhead_create(void)
3372 {
3373 	ipsec_policy_head_t *php;
3374 
3375 	php = kmem_alloc(sizeof (*php), KM_NOSLEEP);
3376 	if (php == NULL)
3377 		return (php);
3378 
3379 	rw_init(&php->iph_lock, NULL, RW_DEFAULT, NULL);
3380 	php->iph_refs = 1;
3381 	php->iph_gen = 0;
3382 
3383 	ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_INBOUND]);
3384 	ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_OUTBOUND]);
3385 
3386 	avl_create(&php->iph_rulebyid, ipsec_policy_cmpbyid,
3387 	    sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid));
3388 
3389 	return (php);
3390 }
3391 
3392 /*
3393  * Clone the policy head into a new polhead; release one reference to the
3394  * old one and return the only reference to the new one.
3395  * If the old one had a refcount of 1, just return it.
3396  */
3397 extern ipsec_policy_head_t *
3398 ipsec_polhead_split(ipsec_policy_head_t *php)
3399 {
3400 	ipsec_policy_head_t *nphp;
3401 
3402 	if (php == NULL)
3403 		return (ipsec_polhead_create());
3404 	else if (php->iph_refs == 1)
3405 		return (php);
3406 
3407 	nphp = ipsec_polhead_create();
3408 	if (nphp == NULL)
3409 		return (NULL);
3410 
3411 	if (ipsec_copy_polhead(php, nphp) != 0) {
3412 		ipsec_polhead_free(nphp);
3413 		return (NULL);
3414 	}
3415 	IPPH_REFRELE(php);
3416 	return (nphp);
3417 }
3418 
3419 /*
3420  * When sending a response to a ICMP request or generating a RST
3421  * in the TCP case, the outbound packets need to go at the same level
3422  * of protection as the incoming ones i.e we associate our outbound
3423  * policy with how the packet came in. We call this after we have
3424  * accepted the incoming packet which may or may not have been in
3425  * clear and hence we are sending the reply back with the policy
3426  * matching the incoming datagram's policy.
3427  *
3428  * NOTE : This technology serves two purposes :
3429  *
3430  * 1) If we have multiple outbound policies, we send out a reply
3431  *    matching with how it came in rather than matching the outbound
3432  *    policy.
3433  *
3434  * 2) For assymetric policies, we want to make sure that incoming
3435  *    and outgoing has the same level of protection. Assymetric
3436  *    policies exist only with global policy where we may not have
3437  *    both outbound and inbound at the same time.
3438  *
3439  * NOTE2:	This function is called by cleartext cases, so it needs to be
3440  *		in IP proper.
3441  */
3442 boolean_t
3443 ipsec_in_to_out(mblk_t *ipsec_mp, ipha_t *ipha, ip6_t *ip6h)
3444 {
3445 	ipsec_in_t  *ii;
3446 	ipsec_out_t  *io;
3447 	boolean_t v4;
3448 	mblk_t *mp;
3449 	boolean_t secure, attach_if;
3450 	uint_t ifindex;
3451 	ipsec_selector_t sel;
3452 	ipsec_action_t *reflect_action = NULL;
3453 	zoneid_t zoneid;
3454 
3455 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
3456 
3457 	bzero((void*)&sel, sizeof (sel));
3458 
3459 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
3460 
3461 	mp = ipsec_mp->b_cont;
3462 	ASSERT(mp != NULL);
3463 
3464 	if (ii->ipsec_in_action != NULL) {
3465 		/* transfer reference.. */
3466 		reflect_action = ii->ipsec_in_action;
3467 		ii->ipsec_in_action = NULL;
3468 	} else if (!ii->ipsec_in_loopback)
3469 		reflect_action = ipsec_in_to_out_action(ii);
3470 	secure = ii->ipsec_in_secure;
3471 	attach_if = ii->ipsec_in_attach_if;
3472 	ifindex = ii->ipsec_in_ill_index;
3473 	zoneid = ii->ipsec_in_zoneid;
3474 	ASSERT(zoneid != ALL_ZONES);
3475 	v4 = ii->ipsec_in_v4;
3476 
3477 	ipsec_in_release_refs(ii);
3478 
3479 	/*
3480 	 * The caller is going to send the datagram out which might
3481 	 * go on the wire or delivered locally through ip_wput_local.
3482 	 *
3483 	 * 1) If it goes out on the wire, new associations will be
3484 	 *    obtained.
3485 	 * 2) If it is delivered locally, ip_wput_local will convert
3486 	 *    this IPSEC_OUT to a IPSEC_IN looking at the requests.
3487 	 */
3488 
3489 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
3490 	bzero(io, sizeof (ipsec_out_t));
3491 	io->ipsec_out_type = IPSEC_OUT;
3492 	io->ipsec_out_len = sizeof (ipsec_out_t);
3493 	io->ipsec_out_frtn.free_func = ipsec_out_free;
3494 	io->ipsec_out_frtn.free_arg = (char *)io;
3495 	io->ipsec_out_act = reflect_action;
3496 
3497 	if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h))
3498 		return (B_FALSE);
3499 
3500 	io->ipsec_out_src_port = sel.ips_local_port;
3501 	io->ipsec_out_dst_port = sel.ips_remote_port;
3502 	io->ipsec_out_proto = sel.ips_protocol;
3503 	io->ipsec_out_icmp_type = sel.ips_icmp_type;
3504 	io->ipsec_out_icmp_code = sel.ips_icmp_code;
3505 
3506 	/*
3507 	 * Don't use global policy for this, as we want
3508 	 * to use the same protection that was applied to the inbound packet.
3509 	 */
3510 	io->ipsec_out_use_global_policy = B_FALSE;
3511 	io->ipsec_out_proc_begin = B_FALSE;
3512 	io->ipsec_out_secure = secure;
3513 	io->ipsec_out_v4 = v4;
3514 	io->ipsec_out_attach_if = attach_if;
3515 	io->ipsec_out_ill_index = ifindex;
3516 	io->ipsec_out_zoneid = zoneid;
3517 	return (B_TRUE);
3518 }
3519 
3520 mblk_t *
3521 ipsec_in_tag(mblk_t *mp, mblk_t *cont)
3522 {
3523 	ipsec_in_t *ii = (ipsec_in_t *)mp->b_rptr;
3524 	ipsec_in_t *nii;
3525 	mblk_t *nmp;
3526 	frtn_t nfrtn;
3527 
3528 	ASSERT(ii->ipsec_in_type == IPSEC_IN);
3529 	ASSERT(ii->ipsec_in_len == sizeof (ipsec_in_t));
3530 
3531 	nmp = ipsec_in_alloc(ii->ipsec_in_v4);
3532 
3533 	ASSERT(nmp->b_datap->db_type == M_CTL);
3534 	ASSERT(nmp->b_wptr == (nmp->b_rptr + sizeof (ipsec_info_t)));
3535 
3536 	/*
3537 	 * Bump refcounts.
3538 	 */
3539 	if (ii->ipsec_in_ah_sa != NULL)
3540 		IPSA_REFHOLD(ii->ipsec_in_ah_sa);
3541 	if (ii->ipsec_in_esp_sa != NULL)
3542 		IPSA_REFHOLD(ii->ipsec_in_esp_sa);
3543 	if (ii->ipsec_in_policy != NULL)
3544 		IPPH_REFHOLD(ii->ipsec_in_policy);
3545 
3546 	/*
3547 	 * Copy everything, but preserve the free routine provided by
3548 	 * ipsec_in_alloc().
3549 	 */
3550 	nii = (ipsec_in_t *)nmp->b_rptr;
3551 	nfrtn = nii->ipsec_in_frtn;
3552 	bcopy(ii, nii, sizeof (*ii));
3553 	nii->ipsec_in_frtn = nfrtn;
3554 
3555 	nmp->b_cont = cont;
3556 
3557 	return (nmp);
3558 }
3559 
3560 mblk_t *
3561 ipsec_out_tag(mblk_t *mp, mblk_t *cont)
3562 {
3563 	ipsec_out_t *io = (ipsec_out_t *)mp->b_rptr;
3564 	ipsec_out_t *nio;
3565 	mblk_t *nmp;
3566 	frtn_t nfrtn;
3567 
3568 	ASSERT(io->ipsec_out_type == IPSEC_OUT);
3569 	ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t));
3570 
3571 	nmp = ipsec_alloc_ipsec_out();
3572 	if (nmp == NULL) {
3573 		freemsg(cont);	/* XXX ip_drop_packet() ? */
3574 		return (NULL);
3575 	}
3576 	ASSERT(nmp->b_datap->db_type == M_CTL);
3577 	ASSERT(nmp->b_wptr == (nmp->b_rptr + sizeof (ipsec_info_t)));
3578 
3579 	/*
3580 	 * Bump refcounts.
3581 	 */
3582 	if (io->ipsec_out_ah_sa != NULL)
3583 		IPSA_REFHOLD(io->ipsec_out_ah_sa);
3584 	if (io->ipsec_out_esp_sa != NULL)
3585 		IPSA_REFHOLD(io->ipsec_out_esp_sa);
3586 	if (io->ipsec_out_polhead != NULL)
3587 		IPPH_REFHOLD(io->ipsec_out_polhead);
3588 	if (io->ipsec_out_policy != NULL)
3589 		IPPOL_REFHOLD(io->ipsec_out_policy);
3590 	if (io->ipsec_out_act != NULL)
3591 		IPACT_REFHOLD(io->ipsec_out_act);
3592 	if (io->ipsec_out_latch != NULL)
3593 		IPLATCH_REFHOLD(io->ipsec_out_latch);
3594 	if (io->ipsec_out_cred != NULL)
3595 		crhold(io->ipsec_out_cred);
3596 
3597 	/*
3598 	 * Copy everything, but preserve the free routine provided by
3599 	 * ipsec_alloc_ipsec_out().
3600 	 */
3601 	nio = (ipsec_out_t *)nmp->b_rptr;
3602 	nfrtn = nio->ipsec_out_frtn;
3603 	bcopy(io, nio, sizeof (*io));
3604 	nio->ipsec_out_frtn = nfrtn;
3605 
3606 	nmp->b_cont = cont;
3607 
3608 	return (nmp);
3609 }
3610 
3611 static void
3612 ipsec_out_release_refs(ipsec_out_t *io)
3613 {
3614 	ASSERT(io->ipsec_out_type == IPSEC_OUT);
3615 	ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t));
3616 
3617 	/* Note: IPSA_REFRELE is multi-line macro */
3618 	if (io->ipsec_out_ah_sa != NULL)
3619 		IPSA_REFRELE(io->ipsec_out_ah_sa);
3620 	if (io->ipsec_out_esp_sa != NULL)
3621 		IPSA_REFRELE(io->ipsec_out_esp_sa);
3622 	if (io->ipsec_out_polhead != NULL)
3623 		IPPH_REFRELE(io->ipsec_out_polhead);
3624 	if (io->ipsec_out_policy != NULL)
3625 		IPPOL_REFRELE(io->ipsec_out_policy);
3626 	if (io->ipsec_out_act != NULL)
3627 		IPACT_REFRELE(io->ipsec_out_act);
3628 	if (io->ipsec_out_cred != NULL) {
3629 		crfree(io->ipsec_out_cred);
3630 		io->ipsec_out_cred = NULL;
3631 	}
3632 	if (io->ipsec_out_latch) {
3633 		IPLATCH_REFRELE(io->ipsec_out_latch);
3634 		io->ipsec_out_latch = NULL;
3635 	}
3636 }
3637 
3638 static void
3639 ipsec_out_free(void *arg)
3640 {
3641 	ipsec_out_t *io = (ipsec_out_t *)arg;
3642 	ipsec_out_release_refs(io);
3643 	kmem_cache_free(ipsec_info_cache, arg);
3644 }
3645 
3646 static void
3647 ipsec_in_release_refs(ipsec_in_t *ii)
3648 {
3649 	/* Note: IPSA_REFRELE is multi-line macro */
3650 	if (ii->ipsec_in_ah_sa != NULL)
3651 		IPSA_REFRELE(ii->ipsec_in_ah_sa);
3652 	if (ii->ipsec_in_esp_sa != NULL)
3653 		IPSA_REFRELE(ii->ipsec_in_esp_sa);
3654 	if (ii->ipsec_in_policy != NULL)
3655 		IPPH_REFRELE(ii->ipsec_in_policy);
3656 	if (ii->ipsec_in_da != NULL) {
3657 		freeb(ii->ipsec_in_da);
3658 		ii->ipsec_in_da = NULL;
3659 	}
3660 }
3661 
3662 static void
3663 ipsec_in_free(void *arg)
3664 {
3665 	ipsec_in_t *ii = (ipsec_in_t *)arg;
3666 	ipsec_in_release_refs(ii);
3667 	kmem_cache_free(ipsec_info_cache, arg);
3668 }
3669 
3670 /*
3671  * This is called only for outbound datagrams if the datagram needs to
3672  * go out secure.  A NULL mp can be passed to get an ipsec_out. This
3673  * facility is used by ip_unbind.
3674  *
3675  * NOTE : o As the data part could be modified by ipsec_out_process etc.
3676  *	    we can't make it fast by calling a dup.
3677  */
3678 mblk_t *
3679 ipsec_alloc_ipsec_out()
3680 {
3681 	mblk_t *ipsec_mp;
3682 
3683 	ipsec_out_t *io = kmem_cache_alloc(ipsec_info_cache, KM_NOSLEEP);
3684 
3685 	if (io == NULL)
3686 		return (NULL);
3687 
3688 	bzero(io, sizeof (ipsec_out_t));
3689 
3690 	io->ipsec_out_type = IPSEC_OUT;
3691 	io->ipsec_out_len = sizeof (ipsec_out_t);
3692 	io->ipsec_out_frtn.free_func = ipsec_out_free;
3693 	io->ipsec_out_frtn.free_arg = (char *)io;
3694 
3695 	/*
3696 	 * Set the zoneid to ALL_ZONES which is used as an invalid value. Code
3697 	 * using ipsec_out_zoneid should assert that the zoneid has been set to
3698 	 * a sane value.
3699 	 */
3700 	io->ipsec_out_zoneid = ALL_ZONES;
3701 
3702 	ipsec_mp = desballoc((uint8_t *)io, sizeof (ipsec_info_t), BPRI_HI,
3703 	    &io->ipsec_out_frtn);
3704 	if (ipsec_mp == NULL) {
3705 		ipsec_out_free(io);
3706 
3707 		return (NULL);
3708 	}
3709 	ipsec_mp->b_datap->db_type = M_CTL;
3710 	ipsec_mp->b_wptr = ipsec_mp->b_rptr + sizeof (ipsec_info_t);
3711 
3712 	return (ipsec_mp);
3713 }
3714 
3715 /*
3716  * Attach an IPSEC_OUT; use pol for policy if it is non-null.
3717  * Otherwise initialize using conn.
3718  *
3719  * If pol is non-null, we consume a reference to it.
3720  */
3721 mblk_t *
3722 ipsec_attach_ipsec_out(mblk_t *mp, conn_t *connp, ipsec_policy_t *pol,
3723     uint8_t proto)
3724 {
3725 	mblk_t *ipsec_mp;
3726 	queue_t *q;
3727 	short mid = 0;
3728 
3729 	ASSERT((pol != NULL) || (connp != NULL));
3730 
3731 	ipsec_mp = ipsec_alloc_ipsec_out();
3732 	if (ipsec_mp == NULL) {
3733 		q = CONNP_TO_WQ(connp);
3734 		if (q != NULL) {
3735 			mid = q->q_qinfo->qi_minfo->mi_idnum;
3736 		}
3737 		ipsec_rl_strlog(mid, 0, 0, SL_ERROR|SL_NOTE,
3738 		    "ipsec_attach_ipsec_out: Allocation failure\n");
3739 		BUMP_MIB(&ip_mib, ipOutDiscards);
3740 		ip_drop_packet(mp, B_FALSE, NULL, NULL, &ipdrops_spd_nomem,
3741 		    &spd_dropper);
3742 		return (NULL);
3743 	}
3744 	ipsec_mp->b_cont = mp;
3745 	return (ipsec_init_ipsec_out(ipsec_mp, connp, pol, proto));
3746 }
3747 
3748 /*
3749  * Initialize the IPSEC_OUT (ipsec_mp) using pol if it is non-null.
3750  * Otherwise initialize using conn.
3751  *
3752  * If pol is non-null, we consume a reference to it.
3753  */
3754 mblk_t *
3755 ipsec_init_ipsec_out(mblk_t *ipsec_mp, conn_t *connp, ipsec_policy_t *pol,
3756     uint8_t proto)
3757 {
3758 	mblk_t *mp;
3759 	ipsec_out_t *io;
3760 	ipsec_policy_t *p;
3761 	ipha_t *ipha;
3762 	ip6_t *ip6h;
3763 
3764 	ASSERT((pol != NULL) || (connp != NULL));
3765 
3766 	/*
3767 	 * If mp is NULL, we won't/should not be using it.
3768 	 */
3769 	mp = ipsec_mp->b_cont;
3770 
3771 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
3772 	ASSERT(ipsec_mp->b_wptr == (ipsec_mp->b_rptr + sizeof (ipsec_info_t)));
3773 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
3774 	ASSERT(io->ipsec_out_type == IPSEC_OUT);
3775 	ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t));
3776 	io->ipsec_out_latch = NULL;
3777 	/*
3778 	 * Set the zoneid when we have the connp.
3779 	 * Otherwise, we're called from ip_wput_attach_policy() who will take
3780 	 * care of setting the zoneid.
3781 	 */
3782 	if (connp != NULL)
3783 		io->ipsec_out_zoneid = connp->conn_zoneid;
3784 
3785 	if (mp != NULL) {
3786 		ipha = (ipha_t *)mp->b_rptr;
3787 		if (IPH_HDR_VERSION(ipha) == IP_VERSION) {
3788 			io->ipsec_out_v4 = B_TRUE;
3789 			ip6h = NULL;
3790 		} else {
3791 			io->ipsec_out_v4 = B_FALSE;
3792 			ip6h = (ip6_t *)ipha;
3793 			ipha = NULL;
3794 		}
3795 	} else {
3796 		ASSERT(connp != NULL && connp->conn_policy_cached);
3797 		ip6h = NULL;
3798 		ipha = NULL;
3799 		io->ipsec_out_v4 = !connp->conn_pkt_isv6;
3800 	}
3801 
3802 	p = NULL;
3803 
3804 	/*
3805 	 * Take latched policies over global policy.  Check here again for
3806 	 * this, in case we had conn_latch set while the packet was flying
3807 	 * around in IP.
3808 	 */
3809 	if (connp != NULL && connp->conn_latch != NULL) {
3810 		p = connp->conn_latch->ipl_out_policy;
3811 		io->ipsec_out_latch = connp->conn_latch;
3812 		IPLATCH_REFHOLD(connp->conn_latch);
3813 		if (p != NULL) {
3814 			IPPOL_REFHOLD(p);
3815 		}
3816 		io->ipsec_out_src_port = connp->conn_lport;
3817 		io->ipsec_out_dst_port = connp->conn_fport;
3818 		io->ipsec_out_icmp_type = io->ipsec_out_icmp_code = 0;
3819 		if (pol != NULL)
3820 			IPPOL_REFRELE(pol);
3821 	} else if (pol != NULL) {
3822 		ipsec_selector_t sel;
3823 
3824 		bzero((void*)&sel, sizeof (sel));
3825 
3826 		p = pol;
3827 		/*
3828 		 * conn does not have the port information. Get
3829 		 * it from the packet.
3830 		 */
3831 
3832 		if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h)) {
3833 			/* XXX any cleanup required here?? */
3834 			return (NULL);
3835 		}
3836 		io->ipsec_out_src_port = sel.ips_local_port;
3837 		io->ipsec_out_dst_port = sel.ips_remote_port;
3838 		io->ipsec_out_icmp_type = sel.ips_icmp_type;
3839 		io->ipsec_out_icmp_code = sel.ips_icmp_code;
3840 	}
3841 
3842 	io->ipsec_out_proto = proto;
3843 	io->ipsec_out_use_global_policy = B_TRUE;
3844 	io->ipsec_out_secure = (p != NULL);
3845 	io->ipsec_out_policy = p;
3846 
3847 	if (p == NULL) {
3848 		if (connp->conn_policy != NULL) {
3849 			io->ipsec_out_secure = B_TRUE;
3850 			ASSERT(io->ipsec_out_latch == NULL);
3851 			ASSERT(io->ipsec_out_use_global_policy == B_TRUE);
3852 			io->ipsec_out_need_policy = B_TRUE;
3853 			ASSERT(io->ipsec_out_polhead == NULL);
3854 			IPPH_REFHOLD(connp->conn_policy);
3855 			io->ipsec_out_polhead = connp->conn_policy;
3856 		}
3857 	}
3858 	return (ipsec_mp);
3859 }
3860 
3861 /*
3862  * Allocate an IPSEC_IN mblk.  This will be prepended to an inbound datagram
3863  * and keep track of what-if-any IPsec processing will be applied to the
3864  * datagram.
3865  */
3866 mblk_t *
3867 ipsec_in_alloc(boolean_t isv4)
3868 {
3869 	mblk_t *ipsec_in;
3870 	ipsec_in_t *ii = kmem_cache_alloc(ipsec_info_cache, KM_NOSLEEP);
3871 
3872 	if (ii == NULL)
3873 		return (NULL);
3874 
3875 	bzero(ii, sizeof (ipsec_info_t));
3876 	ii->ipsec_in_type = IPSEC_IN;
3877 	ii->ipsec_in_len = sizeof (ipsec_in_t);
3878 
3879 	ii->ipsec_in_v4 = isv4;
3880 	ii->ipsec_in_secure = B_TRUE;
3881 
3882 	ii->ipsec_in_frtn.free_func = ipsec_in_free;
3883 	ii->ipsec_in_frtn.free_arg = (char *)ii;
3884 
3885 	ipsec_in = desballoc((uint8_t *)ii, sizeof (ipsec_info_t), BPRI_HI,
3886 	    &ii->ipsec_in_frtn);
3887 	if (ipsec_in == NULL) {
3888 		ip1dbg(("ipsec_in_alloc: IPSEC_IN allocation failure.\n"));
3889 		ipsec_in_free(ii);
3890 		return (NULL);
3891 	}
3892 
3893 	ipsec_in->b_datap->db_type = M_CTL;
3894 	ipsec_in->b_wptr += sizeof (ipsec_info_t);
3895 
3896 	return (ipsec_in);
3897 }
3898 
3899 /*
3900  * This is called from ip_wput_local when a packet which needs
3901  * security is looped back, to convert the IPSEC_OUT to a IPSEC_IN
3902  * before fanout, where the policy check happens.  In most of the
3903  * cases, IPSEC processing has *never* been done.  There is one case
3904  * (ip_wput_ire_fragmentit -> ip_wput_frag -> icmp_frag_needed) where
3905  * the packet is destined for localhost, IPSEC processing has already
3906  * been done.
3907  *
3908  * Future: This could happen after SA selection has occurred for
3909  * outbound.. which will tell us who the src and dst identities are..
3910  * Then it's just a matter of splicing the ah/esp SA pointers from the
3911  * ipsec_out_t to the ipsec_in_t.
3912  */
3913 void
3914 ipsec_out_to_in(mblk_t *ipsec_mp)
3915 {
3916 	ipsec_in_t  *ii;
3917 	ipsec_out_t *io;
3918 	ipsec_policy_t *pol;
3919 	ipsec_action_t *act;
3920 	boolean_t v4, icmp_loopback;
3921 
3922 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
3923 
3924 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
3925 
3926 	v4 = io->ipsec_out_v4;
3927 	icmp_loopback = io->ipsec_out_icmp_loopback;
3928 
3929 	act = io->ipsec_out_act;
3930 	if (act == NULL) {
3931 		pol = io->ipsec_out_policy;
3932 		if (pol != NULL) {
3933 			act = pol->ipsp_act;
3934 			IPACT_REFHOLD(act);
3935 		}
3936 	}
3937 	io->ipsec_out_act = NULL;
3938 
3939 	ipsec_out_release_refs(io);
3940 
3941 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
3942 	bzero(ii, sizeof (ipsec_in_t));
3943 	ii->ipsec_in_type = IPSEC_IN;
3944 	ii->ipsec_in_len = sizeof (ipsec_in_t);
3945 	ii->ipsec_in_loopback = B_TRUE;
3946 	ii->ipsec_in_frtn.free_func = ipsec_in_free;
3947 	ii->ipsec_in_frtn.free_arg = (char *)ii;
3948 	ii->ipsec_in_action = act;
3949 
3950 	/*
3951 	 * In most of the cases, we can't look at the ipsec_out_XXX_sa
3952 	 * because this never went through IPSEC processing. So, look at
3953 	 * the requests and infer whether it would have gone through
3954 	 * IPSEC processing or not. Initialize the "done" fields with
3955 	 * the requests. The possible values for "done" fields are :
3956 	 *
3957 	 * 1) zero, indicates that a particular preference was never
3958 	 *    requested.
3959 	 * 2) non-zero, indicates that it could be IPSEC_PREF_REQUIRED/
3960 	 *    IPSEC_PREF_NEVER. If IPSEC_REQ_DONE is set, it means that
3961 	 *    IPSEC processing has been completed.
3962 	 */
3963 	ii->ipsec_in_secure = B_TRUE;
3964 	ii->ipsec_in_v4 = v4;
3965 	ii->ipsec_in_icmp_loopback = icmp_loopback;
3966 	ii->ipsec_in_attach_if = B_FALSE;
3967 }
3968 
3969 /*
3970  * Consults global policy to see whether this datagram should
3971  * go out secure. If so it attaches a ipsec_mp in front and
3972  * returns.
3973  */
3974 mblk_t *
3975 ip_wput_attach_policy(mblk_t *ipsec_mp, ipha_t *ipha, ip6_t *ip6h, ire_t *ire,
3976     conn_t *connp, boolean_t unspec_src)
3977 {
3978 	mblk_t *mp;
3979 	ipsec_out_t *io = NULL;
3980 	ipsec_selector_t sel;
3981 	uint_t	ill_index;
3982 	boolean_t conn_dontroutex;
3983 	boolean_t conn_multicast_loopx;
3984 	boolean_t policy_present;
3985 
3986 	ASSERT((ipha != NULL && ip6h == NULL) ||
3987 	    (ip6h != NULL && ipha == NULL));
3988 
3989 	bzero((void*)&sel, sizeof (sel));
3990 
3991 	if (ipha != NULL)
3992 		policy_present = ipsec_outbound_v4_policy_present;
3993 	else
3994 		policy_present = ipsec_outbound_v6_policy_present;
3995 	/*
3996 	 * Fast Path to see if there is any policy.
3997 	 */
3998 	if (!policy_present) {
3999 		if (ipsec_mp->b_datap->db_type == M_CTL) {
4000 			io = (ipsec_out_t *)ipsec_mp->b_rptr;
4001 			if (!io->ipsec_out_secure) {
4002 				/*
4003 				 * If there is no global policy and ip_wput
4004 				 * or ip_wput_multicast has attached this mp
4005 				 * for multicast case, free the ipsec_mp and
4006 				 * return the original mp.
4007 				 */
4008 				mp = ipsec_mp->b_cont;
4009 				freeb(ipsec_mp);
4010 				ipsec_mp = mp;
4011 				io = NULL;
4012 			}
4013 		}
4014 		if (((io == NULL) || (io->ipsec_out_polhead == NULL)) &&
4015 		    ((connp == NULL) || (connp->conn_policy == NULL)))
4016 			return (ipsec_mp);
4017 	}
4018 
4019 	ill_index = 0;
4020 	conn_multicast_loopx = conn_dontroutex = B_FALSE;
4021 	mp = ipsec_mp;
4022 	if (ipsec_mp->b_datap->db_type == M_CTL) {
4023 		mp = ipsec_mp->b_cont;
4024 		/*
4025 		 * This is a connection where we have some per-socket
4026 		 * policy or ip_wput has attached an ipsec_mp for
4027 		 * the multicast datagram.
4028 		 */
4029 		io = (ipsec_out_t *)ipsec_mp->b_rptr;
4030 		if (!io->ipsec_out_secure) {
4031 			/*
4032 			 * This ipsec_mp was allocated in ip_wput or
4033 			 * ip_wput_multicast so that we will know the
4034 			 * value of ill_index, conn_dontroute,
4035 			 * conn_multicast_loop in the multicast case if
4036 			 * we inherit global policy here.
4037 			 */
4038 			ill_index = io->ipsec_out_ill_index;
4039 			conn_dontroutex = io->ipsec_out_dontroute;
4040 			conn_multicast_loopx = io->ipsec_out_multicast_loop;
4041 			freeb(ipsec_mp);
4042 			ipsec_mp = mp;
4043 			io = NULL;
4044 		}
4045 	}
4046 
4047 	if (ipha != NULL) {
4048 		sel.ips_local_addr_v4 = (ipha->ipha_src != 0 ?
4049 		    ipha->ipha_src : ire->ire_src_addr);
4050 		sel.ips_remote_addr_v4 = ip_get_dst(ipha);
4051 		sel.ips_protocol = (uint8_t)ipha->ipha_protocol;
4052 		sel.ips_isv4 = B_TRUE;
4053 	} else {
4054 		ushort_t hdr_len;
4055 		uint8_t	*nexthdrp;
4056 		boolean_t is_fragment;
4057 
4058 		sel.ips_isv4 = B_FALSE;
4059 		if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) {
4060 			if (!unspec_src)
4061 				sel.ips_local_addr_v6 = ire->ire_src_addr_v6;
4062 		} else {
4063 			sel.ips_local_addr_v6 = ip6h->ip6_src;
4064 		}
4065 
4066 		sel.ips_remote_addr_v6 = ip_get_dst_v6(ip6h, &is_fragment);
4067 		if (is_fragment) {
4068 			/*
4069 			 * It's a packet fragment for a packet that
4070 			 * we have already processed (since IPsec processing
4071 			 * is done before fragmentation), so we don't
4072 			 * have to do policy checks again. Fragments can
4073 			 * come back to us for processing if they have
4074 			 * been queued up due to flow control.
4075 			 */
4076 			if (ipsec_mp->b_datap->db_type == M_CTL) {
4077 				mp = ipsec_mp->b_cont;
4078 				freeb(ipsec_mp);
4079 				ipsec_mp = mp;
4080 			}
4081 			return (ipsec_mp);
4082 		}
4083 
4084 		/* IPv6 common-case. */
4085 		sel.ips_protocol = ip6h->ip6_nxt;
4086 		switch (ip6h->ip6_nxt) {
4087 		case IPPROTO_TCP:
4088 		case IPPROTO_UDP:
4089 		case IPPROTO_SCTP:
4090 		case IPPROTO_ICMPV6:
4091 			break;
4092 		default:
4093 			if (!ip_hdr_length_nexthdr_v6(mp, ip6h,
4094 			    &hdr_len, &nexthdrp)) {
4095 				BUMP_MIB(&ip6_mib, ipv6OutDiscards);
4096 				freemsg(ipsec_mp); /* Not IPsec-related drop. */
4097 				return (NULL);
4098 			}
4099 			sel.ips_protocol = *nexthdrp;
4100 			break;
4101 		}
4102 	}
4103 
4104 	if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h)) {
4105 		if (ipha != NULL) {
4106 			BUMP_MIB(&ip_mib, ipOutDiscards);
4107 		} else {
4108 			BUMP_MIB(&ip6_mib, ipv6OutDiscards);
4109 		}
4110 
4111 		ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
4112 		    &ipdrops_spd_nomem, &spd_dropper);
4113 		return (NULL);
4114 	}
4115 
4116 	if (io != NULL) {
4117 		/*
4118 		 * We seem to have some local policy (we already have
4119 		 * an ipsec_out).  Look at global policy and see
4120 		 * whether we have to inherit or not.
4121 		 */
4122 		io->ipsec_out_need_policy = B_FALSE;
4123 		ipsec_mp = ipsec_apply_global_policy(ipsec_mp, connp, &sel);
4124 		ASSERT((io->ipsec_out_policy != NULL) ||
4125 		    (io->ipsec_out_act != NULL));
4126 		ASSERT(io->ipsec_out_need_policy == B_FALSE);
4127 		return (ipsec_mp);
4128 	}
4129 	ipsec_mp = ipsec_attach_global_policy(mp, connp, &sel);
4130 	if (ipsec_mp == NULL)
4131 		return (mp);
4132 
4133 	/*
4134 	 * Copy the right port information.
4135 	 */
4136 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
4137 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
4138 
4139 	ASSERT(io->ipsec_out_need_policy == B_FALSE);
4140 	ASSERT((io->ipsec_out_policy != NULL) ||
4141 	    (io->ipsec_out_act != NULL));
4142 	io->ipsec_out_src_port = sel.ips_local_port;
4143 	io->ipsec_out_dst_port = sel.ips_remote_port;
4144 	io->ipsec_out_icmp_type = sel.ips_icmp_type;
4145 	io->ipsec_out_icmp_code = sel.ips_icmp_code;
4146 	/*
4147 	 * Set ill_index, conn_dontroute and conn_multicast_loop
4148 	 * for multicast datagrams.
4149 	 */
4150 	io->ipsec_out_ill_index = ill_index;
4151 	io->ipsec_out_dontroute = conn_dontroutex;
4152 	io->ipsec_out_multicast_loop = conn_multicast_loopx;
4153 	/*
4154 	 * When conn is non-NULL, the zoneid is set by ipsec_init_ipsec_out().
4155 	 * Otherwise set the zoneid based on the ire.
4156 	 */
4157 	if (connp == NULL) {
4158 		zoneid_t zoneid = ire->ire_zoneid;
4159 
4160 		if (zoneid == ALL_ZONES)
4161 			zoneid = GLOBAL_ZONEID;
4162 		io->ipsec_out_zoneid = zoneid;
4163 	}
4164 	return (ipsec_mp);
4165 }
4166 
4167 /*
4168  * When appropriate, this function caches inbound and outbound policy
4169  * for this connection.
4170  *
4171  * XXX need to work out more details about per-interface policy and
4172  * caching here!
4173  *
4174  * XXX may want to split inbound and outbound caching for ill..
4175  */
4176 int
4177 ipsec_conn_cache_policy(conn_t *connp, boolean_t isv4)
4178 {
4179 	boolean_t global_policy_present;
4180 
4181 	/*
4182 	 * There is no policy latching for ICMP sockets because we can't
4183 	 * decide on which policy to use until we see the packet and get
4184 	 * type/code selectors.
4185 	 */
4186 	if (connp->conn_ulp == IPPROTO_ICMP ||
4187 	    connp->conn_ulp == IPPROTO_ICMPV6) {
4188 		connp->conn_in_enforce_policy =
4189 		    connp->conn_out_enforce_policy = B_TRUE;
4190 		if (connp->conn_latch != NULL) {
4191 			IPLATCH_REFRELE(connp->conn_latch);
4192 			connp->conn_latch = NULL;
4193 		}
4194 		connp->conn_flags |= IPCL_CHECK_POLICY;
4195 		return (0);
4196 	}
4197 
4198 	global_policy_present = isv4 ?
4199 	    (ipsec_outbound_v4_policy_present ||
4200 		ipsec_inbound_v4_policy_present) :
4201 	    (ipsec_outbound_v6_policy_present ||
4202 		ipsec_inbound_v6_policy_present);
4203 
4204 	if ((connp->conn_policy != NULL) || global_policy_present) {
4205 		ipsec_selector_t sel;
4206 		ipsec_policy_t	*p;
4207 
4208 		if (connp->conn_latch == NULL &&
4209 		    (connp->conn_latch = iplatch_create()) == NULL) {
4210 			return (ENOMEM);
4211 		}
4212 
4213 		sel.ips_protocol = connp->conn_ulp;
4214 		sel.ips_local_port = connp->conn_lport;
4215 		sel.ips_remote_port = connp->conn_fport;
4216 		sel.ips_is_icmp_inv_acq = 0;
4217 		sel.ips_isv4 = isv4;
4218 		if (isv4) {
4219 			sel.ips_local_addr_v4 = connp->conn_src;
4220 			sel.ips_remote_addr_v4 = connp->conn_rem;
4221 		} else {
4222 			sel.ips_local_addr_v6 = connp->conn_srcv6;
4223 			sel.ips_remote_addr_v6 = connp->conn_remv6;
4224 		}
4225 
4226 		p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, NULL, &sel);
4227 		if (connp->conn_latch->ipl_in_policy != NULL)
4228 			IPPOL_REFRELE(connp->conn_latch->ipl_in_policy);
4229 		connp->conn_latch->ipl_in_policy = p;
4230 		connp->conn_in_enforce_policy = (p != NULL);
4231 
4232 		p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, &sel);
4233 		if (connp->conn_latch->ipl_out_policy != NULL)
4234 			IPPOL_REFRELE(connp->conn_latch->ipl_out_policy);
4235 		connp->conn_latch->ipl_out_policy = p;
4236 		connp->conn_out_enforce_policy = (p != NULL);
4237 
4238 		/* Clear the latched actions too, in case we're recaching. */
4239 		if (connp->conn_latch->ipl_out_action != NULL)
4240 			IPACT_REFRELE(connp->conn_latch->ipl_out_action);
4241 		if (connp->conn_latch->ipl_in_action != NULL)
4242 			IPACT_REFRELE(connp->conn_latch->ipl_in_action);
4243 	}
4244 
4245 	/*
4246 	 * We may or may not have policy for this endpoint.  We still set
4247 	 * conn_policy_cached so that inbound datagrams don't have to look
4248 	 * at global policy as policy is considered latched for these
4249 	 * endpoints.  We should not set conn_policy_cached until the conn
4250 	 * reflects the actual policy. If we *set* this before inheriting
4251 	 * the policy there is a window where the check
4252 	 * CONN_INBOUND_POLICY_PRESENT, will neither check with the policy
4253 	 * on the conn (because we have not yet copied the policy on to
4254 	 * conn and hence not set conn_in_enforce_policy) nor with the
4255 	 * global policy (because conn_policy_cached is already set).
4256 	 */
4257 	connp->conn_policy_cached = B_TRUE;
4258 	if (connp->conn_in_enforce_policy)
4259 		connp->conn_flags |= IPCL_CHECK_POLICY;
4260 	return (0);
4261 }
4262 
4263 void
4264 iplatch_free(ipsec_latch_t *ipl)
4265 {
4266 	if (ipl->ipl_out_policy != NULL)
4267 		IPPOL_REFRELE(ipl->ipl_out_policy);
4268 	if (ipl->ipl_in_policy != NULL)
4269 		IPPOL_REFRELE(ipl->ipl_in_policy);
4270 	if (ipl->ipl_in_action != NULL)
4271 		IPACT_REFRELE(ipl->ipl_in_action);
4272 	if (ipl->ipl_out_action != NULL)
4273 		IPACT_REFRELE(ipl->ipl_out_action);
4274 	if (ipl->ipl_local_cid != NULL)
4275 		IPSID_REFRELE(ipl->ipl_local_cid);
4276 	if (ipl->ipl_remote_cid != NULL)
4277 		IPSID_REFRELE(ipl->ipl_remote_cid);
4278 	if (ipl->ipl_local_id != NULL)
4279 		crfree(ipl->ipl_local_id);
4280 	mutex_destroy(&ipl->ipl_lock);
4281 	kmem_free(ipl, sizeof (*ipl));
4282 }
4283 
4284 ipsec_latch_t *
4285 iplatch_create()
4286 {
4287 	ipsec_latch_t *ipl = kmem_alloc(sizeof (*ipl), KM_NOSLEEP);
4288 	if (ipl == NULL)
4289 		return (ipl);
4290 	bzero(ipl, sizeof (*ipl));
4291 	mutex_init(&ipl->ipl_lock, NULL, MUTEX_DEFAULT, NULL);
4292 	ipl->ipl_refcnt = 1;
4293 	return (ipl);
4294 }
4295 
4296 /*
4297  * Identity hash table.
4298  *
4299  * Identities are refcounted and "interned" into the hash table.
4300  * Only references coming from other objects (SA's, latching state)
4301  * are counted in ipsid_refcnt.
4302  *
4303  * Locking: IPSID_REFHOLD is safe only when (a) the object's hash bucket
4304  * is locked, (b) we know that the refcount must be > 0.
4305  *
4306  * The ipsid_next and ipsid_ptpn fields are only to be referenced or
4307  * modified when the bucket lock is held; in particular, we only
4308  * delete objects while holding the bucket lock, and we only increase
4309  * the refcount from 0 to 1 while the bucket lock is held.
4310  */
4311 
4312 #define	IPSID_HASHSIZE 64
4313 
4314 typedef struct ipsif_s
4315 {
4316 	ipsid_t *ipsif_head;
4317 	kmutex_t ipsif_lock;
4318 } ipsif_t;
4319 
4320 ipsif_t ipsid_buckets[IPSID_HASHSIZE];
4321 
4322 /*
4323  * Hash function for ID hash table.
4324  */
4325 static uint32_t
4326 ipsid_hash(int idtype, char *idstring)
4327 {
4328 	uint32_t hval = idtype;
4329 	unsigned char c;
4330 
4331 	while ((c = *idstring++) != 0) {
4332 		hval = (hval << 4) | (hval >> 28);
4333 		hval ^= c;
4334 	}
4335 	hval = hval ^ (hval >> 16);
4336 	return (hval & (IPSID_HASHSIZE-1));
4337 }
4338 
4339 /*
4340  * Look up identity string in hash table.  Return identity object
4341  * corresponding to the name -- either preexisting, or newly allocated.
4342  *
4343  * Return NULL if we need to allocate a new one and can't get memory.
4344  */
4345 ipsid_t *
4346 ipsid_lookup(int idtype, char *idstring)
4347 {
4348 	ipsid_t *retval;
4349 	char *nstr;
4350 	int idlen = strlen(idstring) + 1;
4351 
4352 	ipsif_t *bucket = &ipsid_buckets[ipsid_hash(idtype, idstring)];
4353 
4354 	mutex_enter(&bucket->ipsif_lock);
4355 
4356 	for (retval = bucket->ipsif_head; retval != NULL;
4357 	    retval = retval->ipsid_next) {
4358 		if (idtype != retval->ipsid_type)
4359 			continue;
4360 		if (bcmp(idstring, retval->ipsid_cid, idlen) != 0)
4361 			continue;
4362 
4363 		IPSID_REFHOLD(retval);
4364 		mutex_exit(&bucket->ipsif_lock);
4365 		return (retval);
4366 	}
4367 
4368 	retval = kmem_alloc(sizeof (*retval), KM_NOSLEEP);
4369 	if (!retval) {
4370 		mutex_exit(&bucket->ipsif_lock);
4371 		return (NULL);
4372 	}
4373 
4374 	nstr = kmem_alloc(idlen, KM_NOSLEEP);
4375 	if (!nstr) {
4376 		mutex_exit(&bucket->ipsif_lock);
4377 		kmem_free(retval, sizeof (*retval));
4378 		return (NULL);
4379 	}
4380 
4381 	retval->ipsid_refcnt = 1;
4382 	retval->ipsid_next = bucket->ipsif_head;
4383 	if (retval->ipsid_next != NULL)
4384 		retval->ipsid_next->ipsid_ptpn = &retval->ipsid_next;
4385 	retval->ipsid_ptpn = &bucket->ipsif_head;
4386 	retval->ipsid_type = idtype;
4387 	retval->ipsid_cid = nstr;
4388 	bucket->ipsif_head = retval;
4389 	bcopy(idstring, nstr, idlen);
4390 	mutex_exit(&bucket->ipsif_lock);
4391 
4392 	return (retval);
4393 }
4394 
4395 /*
4396  * Garbage collect the identity hash table.
4397  */
4398 void
4399 ipsid_gc()
4400 {
4401 	int i, len;
4402 	ipsid_t *id, *nid;
4403 	ipsif_t *bucket;
4404 
4405 	for (i = 0; i < IPSID_HASHSIZE; i++) {
4406 		bucket = &ipsid_buckets[i];
4407 		mutex_enter(&bucket->ipsif_lock);
4408 		for (id = bucket->ipsif_head; id != NULL; id = nid) {
4409 			nid = id->ipsid_next;
4410 			if (id->ipsid_refcnt == 0) {
4411 				*id->ipsid_ptpn = nid;
4412 				if (nid != NULL)
4413 					nid->ipsid_ptpn = id->ipsid_ptpn;
4414 				len = strlen(id->ipsid_cid) + 1;
4415 				kmem_free(id->ipsid_cid, len);
4416 				kmem_free(id, sizeof (*id));
4417 			}
4418 		}
4419 		mutex_exit(&bucket->ipsif_lock);
4420 	}
4421 }
4422 
4423 /*
4424  * Return true if two identities are the same.
4425  */
4426 boolean_t
4427 ipsid_equal(ipsid_t *id1, ipsid_t *id2)
4428 {
4429 	if (id1 == id2)
4430 		return (B_TRUE);
4431 #ifdef DEBUG
4432 	if ((id1 == NULL) || (id2 == NULL))
4433 		return (B_FALSE);
4434 	/*
4435 	 * test that we're interning id's correctly..
4436 	 */
4437 	ASSERT((strcmp(id1->ipsid_cid, id2->ipsid_cid) != 0) ||
4438 	    (id1->ipsid_type != id2->ipsid_type));
4439 #endif
4440 	return (B_FALSE);
4441 }
4442 
4443 /*
4444  * Initialize identity table; called during module initialization.
4445  */
4446 static void
4447 ipsid_init()
4448 {
4449 	ipsif_t *bucket;
4450 	int i;
4451 
4452 	for (i = 0; i < IPSID_HASHSIZE; i++) {
4453 		bucket = &ipsid_buckets[i];
4454 		mutex_init(&bucket->ipsif_lock, NULL, MUTEX_DEFAULT, NULL);
4455 	}
4456 }
4457 
4458 /*
4459  * Free identity table (preparatory to module unload)
4460  */
4461 static void
4462 ipsid_fini()
4463 {
4464 	ipsif_t *bucket;
4465 	int i;
4466 
4467 	for (i = 0; i < IPSID_HASHSIZE; i++) {
4468 		bucket = &ipsid_buckets[i];
4469 		mutex_destroy(&bucket->ipsif_lock);
4470 	}
4471 }
4472 
4473 /*
4474  * Update the minimum and maximum supported key sizes for the
4475  * specified algorithm. Must be called while holding the algorithms lock.
4476  */
4477 void
4478 ipsec_alg_fix_min_max(ipsec_alginfo_t *alg, ipsec_algtype_t alg_type)
4479 {
4480 	size_t crypto_min = (size_t)-1, crypto_max = 0;
4481 	size_t cur_crypto_min, cur_crypto_max;
4482 	boolean_t is_valid;
4483 	crypto_mechanism_info_t *mech_infos;
4484 	uint_t nmech_infos;
4485 	int crypto_rc, i;
4486 	crypto_mech_usage_t mask;
4487 
4488 	ASSERT(MUTEX_HELD(&alg_lock));
4489 
4490 	/*
4491 	 * Compute the min, max, and default key sizes (in number of
4492 	 * increments to the default key size in bits) as defined
4493 	 * by the algorithm mappings. This range of key sizes is used
4494 	 * for policy related operations. The effective key sizes
4495 	 * supported by the framework could be more limited than
4496 	 * those defined for an algorithm.
4497 	 */
4498 	alg->alg_default_bits = alg->alg_key_sizes[0];
4499 	if (alg->alg_increment != 0) {
4500 		/* key sizes are defined by range & increment */
4501 		alg->alg_minbits = alg->alg_key_sizes[1];
4502 		alg->alg_maxbits = alg->alg_key_sizes[2];
4503 
4504 		alg->alg_default = SADB_ALG_DEFAULT_INCR(alg->alg_minbits,
4505 		    alg->alg_increment, alg->alg_default_bits);
4506 	} else if (alg->alg_nkey_sizes == 0) {
4507 		/* no specified key size for algorithm */
4508 		alg->alg_minbits = alg->alg_maxbits = 0;
4509 	} else {
4510 		/* key sizes are defined by enumeration */
4511 		alg->alg_minbits = (uint16_t)-1;
4512 		alg->alg_maxbits = 0;
4513 
4514 		for (i = 0; i < alg->alg_nkey_sizes; i++) {
4515 			if (alg->alg_key_sizes[i] < alg->alg_minbits)
4516 				alg->alg_minbits = alg->alg_key_sizes[i];
4517 			if (alg->alg_key_sizes[i] > alg->alg_maxbits)
4518 				alg->alg_maxbits = alg->alg_key_sizes[i];
4519 		}
4520 		alg->alg_default = 0;
4521 	}
4522 
4523 	if (!(alg->alg_flags & ALG_FLAG_VALID))
4524 		return;
4525 
4526 	/*
4527 	 * Mechanisms do not apply to the NULL encryption
4528 	 * algorithm, so simply return for this case.
4529 	 */
4530 	if (alg->alg_id == SADB_EALG_NULL)
4531 		return;
4532 
4533 	/*
4534 	 * Find the min and max key sizes supported by the cryptographic
4535 	 * framework providers.
4536 	 */
4537 
4538 	/* get the key sizes supported by the framework */
4539 	crypto_rc = crypto_get_all_mech_info(alg->alg_mech_type,
4540 	    &mech_infos, &nmech_infos, KM_SLEEP);
4541 	if (crypto_rc != CRYPTO_SUCCESS || nmech_infos == 0) {
4542 		alg->alg_flags &= ~ALG_FLAG_VALID;
4543 		return;
4544 	}
4545 
4546 	/* min and max key sizes supported by framework */
4547 	for (i = 0, is_valid = B_FALSE; i < nmech_infos; i++) {
4548 		int unit_bits;
4549 
4550 		/*
4551 		 * Ignore entries that do not support the operations
4552 		 * needed for the algorithm type.
4553 		 */
4554 		if (alg_type == IPSEC_ALG_AUTH)
4555 			mask = CRYPTO_MECH_USAGE_MAC;
4556 		else
4557 			mask = CRYPTO_MECH_USAGE_ENCRYPT |
4558 				CRYPTO_MECH_USAGE_DECRYPT;
4559 		if ((mech_infos[i].mi_usage & mask) != mask)
4560 			continue;
4561 
4562 		unit_bits = (mech_infos[i].mi_keysize_unit ==
4563 		    CRYPTO_KEYSIZE_UNIT_IN_BYTES)  ? 8 : 1;
4564 		/* adjust min/max supported by framework */
4565 		cur_crypto_min = mech_infos[i].mi_min_key_size * unit_bits;
4566 		cur_crypto_max = mech_infos[i].mi_max_key_size * unit_bits;
4567 
4568 		if (cur_crypto_min < crypto_min)
4569 			crypto_min = cur_crypto_min;
4570 
4571 		/*
4572 		 * CRYPTO_EFFECTIVELY_INFINITE is a special value of
4573 		 * the crypto framework which means "no upper limit".
4574 		 */
4575 		if (mech_infos[i].mi_max_key_size ==
4576 		    CRYPTO_EFFECTIVELY_INFINITE)
4577 			crypto_max = (size_t)-1;
4578 		else if (cur_crypto_max > crypto_max)
4579 			crypto_max = cur_crypto_max;
4580 
4581 		is_valid = B_TRUE;
4582 	}
4583 
4584 	kmem_free(mech_infos, sizeof (crypto_mechanism_info_t) *
4585 	    nmech_infos);
4586 
4587 	if (!is_valid) {
4588 		/* no key sizes supported by framework */
4589 		alg->alg_flags &= ~ALG_FLAG_VALID;
4590 		return;
4591 	}
4592 
4593 	/*
4594 	 * Determine min and max key sizes from alg_key_sizes[].
4595 	 * defined for the algorithm entry. Adjust key sizes based on
4596 	 * those supported by the framework.
4597 	 */
4598 	alg->alg_ef_default_bits = alg->alg_key_sizes[0];
4599 	if (alg->alg_increment != 0) {
4600 		/* supported key sizes are defined by range  & increment */
4601 		crypto_min = ALGBITS_ROUND_UP(crypto_min, alg->alg_increment);
4602 		crypto_max = ALGBITS_ROUND_DOWN(crypto_max, alg->alg_increment);
4603 
4604 		alg->alg_ef_minbits = MAX(alg->alg_minbits,
4605 		    (uint16_t)crypto_min);
4606 		alg->alg_ef_maxbits = MIN(alg->alg_maxbits,
4607 		    (uint16_t)crypto_max);
4608 
4609 		/*
4610 		 * If the sizes supported by the framework are outside
4611 		 * the range of sizes defined by the algorithm mappings,
4612 		 * the algorithm cannot be used. Check for this
4613 		 * condition here.
4614 		 */
4615 		if (alg->alg_ef_minbits > alg->alg_ef_maxbits) {
4616 			alg->alg_flags &= ~ALG_FLAG_VALID;
4617 			return;
4618 		}
4619 
4620 		if (alg->alg_ef_default_bits < alg->alg_ef_minbits)
4621 		    alg->alg_ef_default_bits = alg->alg_ef_minbits;
4622 		if (alg->alg_ef_default_bits > alg->alg_ef_maxbits)
4623 		    alg->alg_ef_default_bits = alg->alg_ef_maxbits;
4624 
4625 		alg->alg_ef_default = SADB_ALG_DEFAULT_INCR(alg->alg_ef_minbits,
4626 		    alg->alg_increment, alg->alg_ef_default_bits);
4627 	} else if (alg->alg_nkey_sizes == 0) {
4628 		/* no specified key size for algorithm */
4629 		alg->alg_ef_minbits = alg->alg_ef_maxbits = 0;
4630 	} else {
4631 		/* supported key sizes are defined by enumeration */
4632 		alg->alg_ef_minbits = (uint16_t)-1;
4633 		alg->alg_ef_maxbits = 0;
4634 
4635 		for (i = 0, is_valid = B_FALSE; i < alg->alg_nkey_sizes; i++) {
4636 			/*
4637 			 * Ignore the current key size if it is not in the
4638 			 * range of sizes supported by the framework.
4639 			 */
4640 			if (alg->alg_key_sizes[i] < crypto_min ||
4641 			    alg->alg_key_sizes[i] > crypto_max)
4642 				continue;
4643 			if (alg->alg_key_sizes[i] < alg->alg_ef_minbits)
4644 				alg->alg_ef_minbits = alg->alg_key_sizes[i];
4645 			if (alg->alg_key_sizes[i] > alg->alg_ef_maxbits)
4646 				alg->alg_ef_maxbits = alg->alg_key_sizes[i];
4647 			is_valid = B_TRUE;
4648 		}
4649 
4650 		if (!is_valid) {
4651 			alg->alg_flags &= ~ALG_FLAG_VALID;
4652 			return;
4653 		}
4654 		alg->alg_ef_default = 0;
4655 	}
4656 }
4657 
4658 /*
4659  * Free the memory used by the specified algorithm.
4660  */
4661 void
4662 ipsec_alg_free(ipsec_alginfo_t *alg)
4663 {
4664 	if (alg == NULL)
4665 		return;
4666 
4667 	if (alg->alg_key_sizes != NULL)
4668 		kmem_free(alg->alg_key_sizes,
4669 		    (alg->alg_nkey_sizes + 1) * sizeof (uint16_t));
4670 
4671 	if (alg->alg_block_sizes != NULL)
4672 		kmem_free(alg->alg_block_sizes,
4673 		    (alg->alg_nblock_sizes + 1) * sizeof (uint16_t));
4674 
4675 	kmem_free(alg, sizeof (*alg));
4676 }
4677 
4678 /*
4679  * Check the validity of the specified key size for an algorithm.
4680  * Returns B_TRUE if key size is valid, B_FALSE otherwise.
4681  */
4682 boolean_t
4683 ipsec_valid_key_size(uint16_t key_size, ipsec_alginfo_t *alg)
4684 {
4685 	if (key_size < alg->alg_ef_minbits || key_size > alg->alg_ef_maxbits)
4686 		return (B_FALSE);
4687 
4688 	if (alg->alg_increment == 0 && alg->alg_nkey_sizes != 0) {
4689 		/*
4690 		 * If the key sizes are defined by enumeration, the new
4691 		 * key size must be equal to one of the supported values.
4692 		 */
4693 		int i;
4694 
4695 		for (i = 0; i < alg->alg_nkey_sizes; i++)
4696 			if (key_size == alg->alg_key_sizes[i])
4697 				break;
4698 		if (i == alg->alg_nkey_sizes)
4699 			return (B_FALSE);
4700 	}
4701 
4702 	return (B_TRUE);
4703 }
4704 
4705 /*
4706  * Callback function invoked by the crypto framework when a provider
4707  * registers or unregisters. This callback updates the algorithms
4708  * tables when a crypto algorithm is no longer available or becomes
4709  * available, and triggers the freeing/creation of context templates
4710  * associated with existing SAs, if needed.
4711  */
4712 void
4713 ipsec_prov_update_callback(uint32_t event, void *event_arg)
4714 {
4715 	crypto_notify_event_change_t *prov_change =
4716 	    (crypto_notify_event_change_t *)event_arg;
4717 	uint_t algidx, algid, algtype, mech_count, mech_idx;
4718 	ipsec_alginfo_t *alg;
4719 	ipsec_alginfo_t oalg;
4720 	crypto_mech_name_t *mechs;
4721 	boolean_t alg_changed = B_FALSE;
4722 
4723 	/* ignore events for which we didn't register */
4724 	if (event != CRYPTO_EVENT_PROVIDERS_CHANGE) {
4725 		ip1dbg(("ipsec_prov_update_callback: unexpected event 0x%x "
4726 			" received from crypto framework\n", event));
4727 		return;
4728 	}
4729 
4730 	mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
4731 	if (mechs == NULL)
4732 		return;
4733 
4734 	/*
4735 	 * Walk the list of currently defined IPsec algorithm. Update
4736 	 * the algorithm valid flag and trigger an update of the
4737 	 * SAs that depend on that algorithm.
4738 	 */
4739 	mutex_enter(&alg_lock);
4740 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
4741 		for (algidx = 0; algidx < ipsec_nalgs[algtype]; algidx++) {
4742 
4743 			algid = ipsec_sortlist[algtype][algidx];
4744 			alg = ipsec_alglists[algtype][algid];
4745 			ASSERT(alg != NULL);
4746 
4747 			/*
4748 			 * Skip the algorithms which do not map to the
4749 			 * crypto framework provider being added or removed.
4750 			 */
4751 			if (strncmp(alg->alg_mech_name,
4752 			    prov_change->ec_mech_name,
4753 			    CRYPTO_MAX_MECH_NAME) != 0)
4754 				continue;
4755 
4756 			/*
4757 			 * Determine if the mechanism is valid. If it
4758 			 * is not, mark the algorithm as being invalid. If
4759 			 * it is, mark the algorithm as being valid.
4760 			 */
4761 			for (mech_idx = 0; mech_idx < mech_count; mech_idx++)
4762 				if (strncmp(alg->alg_mech_name,
4763 				    mechs[mech_idx], CRYPTO_MAX_MECH_NAME) == 0)
4764 					break;
4765 			if (mech_idx == mech_count &&
4766 			    alg->alg_flags & ALG_FLAG_VALID) {
4767 				alg->alg_flags &= ~ALG_FLAG_VALID;
4768 				alg_changed = B_TRUE;
4769 			} else if (mech_idx < mech_count &&
4770 			    !(alg->alg_flags & ALG_FLAG_VALID)) {
4771 				alg->alg_flags |= ALG_FLAG_VALID;
4772 				alg_changed = B_TRUE;
4773 			}
4774 
4775 			/*
4776 			 * Update the supported key sizes, regardless
4777 			 * of whether a crypto provider was added or
4778 			 * removed.
4779 			 */
4780 			oalg = *alg;
4781 			ipsec_alg_fix_min_max(alg, algtype);
4782 			if (!alg_changed &&
4783 			    alg->alg_ef_minbits != oalg.alg_ef_minbits ||
4784 			    alg->alg_ef_maxbits != oalg.alg_ef_maxbits ||
4785 			    alg->alg_ef_default != oalg.alg_ef_default ||
4786 			    alg->alg_ef_default_bits !=
4787 			    oalg.alg_ef_default_bits)
4788 				alg_changed = B_TRUE;
4789 
4790 			/*
4791 			 * Update the affected SAs if a software provider is
4792 			 * being added or removed.
4793 			 */
4794 			if (prov_change->ec_provider_type ==
4795 			    CRYPTO_SW_PROVIDER)
4796 				sadb_alg_update(algtype, alg->alg_id,
4797 				    prov_change->ec_change ==
4798 				    CRYPTO_EVENT_CHANGE_ADDED);
4799 		}
4800 	}
4801 	mutex_exit(&alg_lock);
4802 	crypto_free_mech_list(mechs, mech_count);
4803 
4804 	if (alg_changed) {
4805 		/*
4806 		 * An algorithm has changed, i.e. it became valid or
4807 		 * invalid, or its support key sizes have changed.
4808 		 * Notify ipsecah and ipsecesp of this change so
4809 		 * that they can send a SADB_REGISTER to their consumers.
4810 		 */
4811 		ipsecah_algs_changed();
4812 		ipsecesp_algs_changed();
4813 	}
4814 }
4815 
4816 /*
4817  * Registers with the crypto framework to be notified of crypto
4818  * providers changes. Used to update the algorithm tables and
4819  * to free or create context templates if needed. Invoked after IPsec
4820  * is loaded successfully.
4821  */
4822 void
4823 ipsec_register_prov_update(void)
4824 {
4825 	prov_update_handle = crypto_notify_events(
4826 	    ipsec_prov_update_callback, CRYPTO_EVENT_PROVIDERS_CHANGE);
4827 }
4828 
4829 /*
4830  * Unregisters from the framework to be notified of crypto providers
4831  * changes. Called from ipsec_policy_destroy().
4832  */
4833 static void
4834 ipsec_unregister_prov_update(void)
4835 {
4836 	if (prov_update_handle != NULL)
4837 		crypto_unnotify_events(prov_update_handle);
4838 }
4839