xref: /illumos-gate/usr/src/uts/common/inet/ip/spd.c (revision a07094369b21309434206d9b3601d162693466fc)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 /*
30  * IPsec Security Policy Database.
31  *
32  * This module maintains the SPD and provides routines used by ip and ip6
33  * to apply IPsec policy to inbound and outbound datagrams.
34  */
35 
36 #include <sys/types.h>
37 #include <sys/stream.h>
38 #include <sys/stropts.h>
39 #include <sys/sysmacros.h>
40 #include <sys/strsubr.h>
41 #include <sys/strlog.h>
42 #include <sys/cmn_err.h>
43 #include <sys/zone.h>
44 
45 #include <sys/systm.h>
46 #include <sys/param.h>
47 #include <sys/kmem.h>
48 
49 #include <sys/crypto/api.h>
50 
51 #include <inet/common.h>
52 #include <inet/mi.h>
53 
54 #include <netinet/ip6.h>
55 #include <netinet/icmp6.h>
56 #include <netinet/udp.h>
57 
58 #include <inet/ip.h>
59 #include <inet/ip6.h>
60 
61 #include <net/pfkeyv2.h>
62 #include <net/pfpolicy.h>
63 #include <inet/ipsec_info.h>
64 #include <inet/sadb.h>
65 #include <inet/ipsec_impl.h>
66 #include <inet/ipsecah.h>
67 #include <inet/ipsecesp.h>
68 #include <inet/ipdrop.h>
69 #include <inet/ipclassifier.h>
70 
71 static void ipsec_update_present_flags();
72 static ipsec_act_t *ipsec_act_wildcard_expand(ipsec_act_t *, uint_t *);
73 static void ipsec_out_free(void *);
74 static void ipsec_in_free(void *);
75 static boolean_t ipsec_init_inbound_sel(ipsec_selector_t *, mblk_t *,
76     ipha_t *, ip6_t *);
77 static mblk_t *ipsec_attach_global_policy(mblk_t *, conn_t *,
78     ipsec_selector_t *);
79 static mblk_t *ipsec_apply_global_policy(mblk_t *, conn_t *,
80     ipsec_selector_t *);
81 static mblk_t *ipsec_check_ipsecin_policy(queue_t *, mblk_t *,
82     ipsec_policy_t *, ipha_t *, ip6_t *);
83 static void ipsec_in_release_refs(ipsec_in_t *);
84 static void ipsec_out_release_refs(ipsec_out_t *);
85 static void ipsec_action_reclaim(void *);
86 static void ipsid_init(void);
87 static void ipsid_fini(void);
88 static boolean_t ipsec_check_ipsecin_action(struct ipsec_in_s *, mblk_t *,
89     struct ipsec_action_s *, ipha_t *ipha, ip6_t *ip6h, const char **,
90     kstat_named_t **);
91 static int32_t ipsec_act_ovhd(const ipsec_act_t *act);
92 static void ipsec_unregister_prov_update(void);
93 static boolean_t ipsec_compare_action(ipsec_policy_t *, ipsec_policy_t *);
94 static uint32_t selector_hash(ipsec_selector_t *);
95 
96 /*
97  * Policy rule index generator.  We assume this won't wrap in the
98  * lifetime of a system.  If we make 2^20 policy changes per second,
99  * this will last 2^44 seconds, or roughly 500,000 years, so we don't
100  * have to worry about reusing policy index values.
101  *
102  * Protected by ipsec_conf_lock.
103  */
104 uint64_t	ipsec_next_policy_index = 1;
105 
106 /*
107  * Active & Inactive system policy roots
108  */
109 static ipsec_policy_head_t system_policy;
110 static ipsec_policy_head_t inactive_policy;
111 
112 /* Packet dropper for generic SPD drops. */
113 static ipdropper_t spd_dropper;
114 
115 /*
116  * For now, use a trivially sized hash table for actions.
117  * In the future we can add the structure canonicalization necessary
118  * to get the hash function to behave correctly..
119  */
120 #define	IPSEC_ACTION_HASH_SIZE 1
121 
122 /*
123  * Selector hash table is statically sized at module load time.
124  * we default to 251 buckets, which is the largest prime number under 255
125  */
126 
127 #define	IPSEC_SPDHASH_DEFAULT 251
128 uint32_t ipsec_spd_hashsize = 0;
129 
130 #define	IPSEC_SEL_NOHASH ((uint32_t)(~0))
131 
132 static HASH_HEAD(ipsec_action_s) ipsec_action_hash[IPSEC_ACTION_HASH_SIZE];
133 static HASH_HEAD(ipsec_sel) *ipsec_sel_hash;
134 
135 static kmem_cache_t *ipsec_action_cache;
136 static kmem_cache_t *ipsec_sel_cache;
137 static kmem_cache_t *ipsec_pol_cache;
138 static kmem_cache_t *ipsec_info_cache;
139 
140 boolean_t ipsec_inbound_v4_policy_present = B_FALSE;
141 boolean_t ipsec_outbound_v4_policy_present = B_FALSE;
142 boolean_t ipsec_inbound_v6_policy_present = B_FALSE;
143 boolean_t ipsec_outbound_v6_policy_present = B_FALSE;
144 
145 /*
146  * Because policy needs to know what algorithms are supported, keep the
147  * lists of algorithms here.
148  */
149 
150 kmutex_t alg_lock;
151 uint8_t ipsec_nalgs[IPSEC_NALGTYPES];
152 ipsec_alginfo_t *ipsec_alglists[IPSEC_NALGTYPES][IPSEC_MAX_ALGS];
153 uint8_t ipsec_sortlist[IPSEC_NALGTYPES][IPSEC_MAX_ALGS];
154 ipsec_algs_exec_mode_t ipsec_algs_exec_mode[IPSEC_NALGTYPES];
155 static crypto_notify_handle_t prov_update_handle = NULL;
156 
157 int ipsec_hdr_pullup_needed = 0;
158 int ipsec_weird_null_inbound_policy = 0;
159 
160 #define	ALGBITS_ROUND_DOWN(x, align)	(((x)/(align))*(align))
161 #define	ALGBITS_ROUND_UP(x, align)	ALGBITS_ROUND_DOWN((x)+(align)-1, align)
162 
163 /*
164  * Inbound traffic should have matching identities for both SA's.
165  */
166 
167 #define	SA_IDS_MATCH(sa1, sa2) 						\
168 	(((sa1) == NULL) || ((sa2) == NULL) ||				\
169 	(((sa1)->ipsa_src_cid == (sa2)->ipsa_src_cid) &&		\
170 	    (((sa1)->ipsa_dst_cid == (sa2)->ipsa_dst_cid))))
171 
172 #define	IPPOL_UNCHAIN(php, ip) 						\
173 	HASHLIST_UNCHAIN((ip), ipsp_hash);				\
174 	avl_remove(&(php)->iph_rulebyid, (ip));				\
175 	IPPOL_REFRELE(ip);
176 
177 /*
178  * Policy failure messages.
179  */
180 static char *ipsec_policy_failure_msgs[] = {
181 
182 	/* IPSEC_POLICY_NOT_NEEDED */
183 	"%s: Dropping the datagram because the incoming packet "
184 	"is %s, but the recipient expects clear; Source %s, "
185 	"Destination %s.\n",
186 
187 	/* IPSEC_POLICY_MISMATCH */
188 	"%s: Policy Failure for the incoming packet (%s); Source %s, "
189 	"Destination %s.\n",
190 
191 	/* IPSEC_POLICY_AUTH_NOT_NEEDED	*/
192 	"%s: Authentication present while not expected in the "
193 	"incoming %s packet; Source %s, Destination %s.\n",
194 
195 	/* IPSEC_POLICY_ENCR_NOT_NEEDED */
196 	"%s: Encryption present while not expected in the "
197 	"incoming %s packet; Source %s, Destination %s.\n",
198 
199 	/* IPSEC_POLICY_SE_NOT_NEEDED */
200 	"%s: Self-Encapsulation present while not expected in the "
201 	"incoming %s packet; Source %s, Destination %s.\n",
202 };
203 /*
204  * Have a counter for every possible policy message in the previous array.
205  */
206 static uint32_t ipsec_policy_failure_count[IPSEC_POLICY_MAX];
207 /* Time since last ipsec policy failure that printed a message. */
208 hrtime_t ipsec_policy_failure_last = 0;
209 
210 /*
211  * General overviews:
212  *
213  * Locking:
214  *
215  *	All of the system policy structures are protected by a single
216  *	rwlock, ipsec_conf_lock.  These structures are threaded in a
217  *	fairly complex fashion and are not expected to change on a
218  *	regular basis, so this should not cause scaling/contention
219  *	problems.  As a result, policy checks should (hopefully) be MT-hot.
220  *
221  * Allocation policy:
222  *
223  *	We use custom kmem cache types for the various
224  *	bits & pieces of the policy data structures.  All allocations
225  *	use KM_NOSLEEP instead of KM_SLEEP for policy allocation.  The
226  *	policy table is of potentially unbounded size, so we don't
227  *	want to provide a way to hog all system memory with policy
228  *	entries..
229  */
230 
231 
232 /*
233  * AVL tree comparison function.
234  * the in-kernel avl assumes unique keys for all objects.
235  * Since sometimes policy will duplicate rules, we may insert
236  * multiple rules with the same rule id, so we need a tie-breaker.
237  */
238 static int
239 ipsec_policy_cmpbyid(const void *a, const void *b)
240 {
241 	const ipsec_policy_t *ipa, *ipb;
242 	uint64_t idxa, idxb;
243 
244 	ipa = (const ipsec_policy_t *)a;
245 	ipb = (const ipsec_policy_t *)b;
246 	idxa = ipa->ipsp_index;
247 	idxb = ipb->ipsp_index;
248 
249 	if (idxa < idxb)
250 		return (-1);
251 	if (idxa > idxb)
252 		return (1);
253 	/*
254 	 * Tie-breaker #1: All installed policy rules have a non-NULL
255 	 * ipsl_sel (selector set), so an entry with a NULL ipsp_sel is not
256 	 * actually in-tree but rather a template node being used in
257 	 * an avl_find query; see ipsec_policy_delete().  This gives us
258 	 * a placeholder in the ordering just before the the first entry with
259 	 * a key >= the one we're looking for, so we can walk forward from
260 	 * that point to get the remaining entries with the same id.
261 	 */
262 	if ((ipa->ipsp_sel == NULL) && (ipb->ipsp_sel != NULL))
263 		return (-1);
264 	if ((ipb->ipsp_sel == NULL) && (ipa->ipsp_sel != NULL))
265 		return (1);
266 	/*
267 	 * At most one of the arguments to the comparison should have a
268 	 * NULL selector pointer; if not, the tree is broken.
269 	 */
270 	ASSERT(ipa->ipsp_sel != NULL);
271 	ASSERT(ipb->ipsp_sel != NULL);
272 	/*
273 	 * Tie-breaker #2: use the virtual address of the policy node
274 	 * to arbitrarily break ties.  Since we use the new tree node in
275 	 * the avl_find() in ipsec_insert_always, the new node will be
276 	 * inserted into the tree in the right place in the sequence.
277 	 */
278 	if (ipa < ipb)
279 		return (-1);
280 	if (ipa > ipb)
281 		return (1);
282 	return (0);
283 }
284 
285 static void
286 ipsec_polhead_free_table(ipsec_policy_head_t *iph)
287 {
288 	int dir, nchains;
289 
290 	nchains = ipsec_spd_hashsize;
291 
292 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
293 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
294 
295 		if (ipr->ipr_hash == NULL)
296 			continue;
297 
298 		kmem_free(ipr->ipr_hash, nchains *
299 		    sizeof (ipsec_policy_hash_t));
300 	}
301 }
302 
303 static void
304 ipsec_polhead_destroy(ipsec_policy_head_t *iph)
305 {
306 	int dir;
307 
308 	avl_destroy(&iph->iph_rulebyid);
309 	rw_destroy(&iph->iph_lock);
310 
311 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
312 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
313 		int nchains = ipr->ipr_nchains;
314 		int chain;
315 
316 		for (chain = 0; chain < nchains; chain++)
317 			mutex_destroy(&(ipr->ipr_hash[chain].hash_lock));
318 
319 	}
320 	ipsec_polhead_free_table(iph);
321 }
322 
323 /*
324  * Module unload hook.
325  */
326 void
327 ipsec_policy_destroy(void)
328 {
329 	int i;
330 
331 	ip_drop_unregister(&spd_dropper);
332 	ip_drop_destroy();
333 
334 	ipsec_polhead_destroy(&system_policy);
335 	ipsec_polhead_destroy(&inactive_policy);
336 
337 	for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++)
338 		mutex_destroy(&(ipsec_action_hash[i].hash_lock));
339 
340 	for (i = 0; i < ipsec_spd_hashsize; i++)
341 		mutex_destroy(&(ipsec_sel_hash[i].hash_lock));
342 
343 	ipsec_unregister_prov_update();
344 
345 	mutex_destroy(&alg_lock);
346 
347 	kmem_cache_destroy(ipsec_action_cache);
348 	kmem_cache_destroy(ipsec_sel_cache);
349 	kmem_cache_destroy(ipsec_pol_cache);
350 	kmem_cache_destroy(ipsec_info_cache);
351 	ipsid_gc();
352 	ipsid_fini();
353 }
354 
355 
356 /*
357  * Called when table allocation fails to free the table.
358  */
359 static int
360 ipsec_alloc_tables_failed()
361 {
362 	if (ipsec_sel_hash != NULL) {
363 		kmem_free(ipsec_sel_hash, ipsec_spd_hashsize *
364 		    sizeof (*ipsec_sel_hash));
365 		ipsec_sel_hash = NULL;
366 	}
367 	ipsec_polhead_free_table(&system_policy);
368 	ipsec_polhead_free_table(&inactive_policy);
369 
370 	return (ENOMEM);
371 }
372 
373 /*
374  * Attempt to allocate the tables in a single policy head.
375  * Return nonzero on failure after cleaning up any work in progress.
376  */
377 static int
378 ipsec_alloc_table(ipsec_policy_head_t *iph, int kmflag)
379 {
380 	int dir, nchains;
381 
382 	nchains = ipsec_spd_hashsize;
383 
384 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
385 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
386 
387 		ipr->ipr_hash = kmem_zalloc(nchains *
388 		    sizeof (ipsec_policy_hash_t), kmflag);
389 		if (ipr->ipr_hash == NULL)
390 			return (ipsec_alloc_tables_failed());
391 	}
392 	return (0);
393 }
394 
395 /*
396  * Attempt to allocate the various tables.  Return nonzero on failure
397  * after cleaning up any work in progress.
398  */
399 static int
400 ipsec_alloc_tables(int kmflag)
401 {
402 	int error;
403 
404 	error = ipsec_alloc_table(&system_policy, kmflag);
405 	if (error != 0)
406 		return (error);
407 
408 	error = ipsec_alloc_table(&inactive_policy, kmflag);
409 	if (error != 0)
410 		return (error);
411 
412 	ipsec_sel_hash = kmem_zalloc(ipsec_spd_hashsize *
413 	    sizeof (*ipsec_sel_hash), kmflag);
414 
415 	if (ipsec_sel_hash == NULL)
416 		return (ipsec_alloc_tables_failed());
417 
418 	return (0);
419 }
420 
421 /*
422  * After table allocation, initialize a policy head.
423  */
424 static void
425 ipsec_polhead_init(ipsec_policy_head_t *iph)
426 {
427 	int dir, chain, nchains;
428 
429 	nchains = ipsec_spd_hashsize;
430 
431 	rw_init(&iph->iph_lock, NULL, RW_DEFAULT, NULL);
432 	avl_create(&iph->iph_rulebyid, ipsec_policy_cmpbyid,
433 	    sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid));
434 
435 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
436 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
437 		ipr->ipr_nchains = nchains;
438 
439 		for (chain = 0; chain < nchains; chain++) {
440 			mutex_init(&(ipr->ipr_hash[chain].hash_lock),
441 			    NULL, MUTEX_DEFAULT, NULL);
442 		}
443 	}
444 }
445 
446 /*
447  * Module load hook.
448  */
449 void
450 ipsec_policy_init()
451 {
452 	int i;
453 
454 	/*
455 	 * Make two attempts to allocate policy hash tables; try it at
456 	 * the "preferred" size (may be set in /etc/system) first,
457 	 * then fall back to the default size.
458 	 */
459 	if (ipsec_spd_hashsize == 0)
460 		ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT;
461 
462 	if (ipsec_alloc_tables(KM_NOSLEEP) != 0) {
463 		cmn_err(CE_WARN,
464 		    "Unable to allocate %d entry IPsec policy hash table",
465 		    ipsec_spd_hashsize);
466 		ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT;
467 		cmn_err(CE_WARN, "Falling back to %d entries",
468 		    ipsec_spd_hashsize);
469 		(void) ipsec_alloc_tables(KM_SLEEP);
470 	}
471 
472 	ipsid_init();
473 	ipsec_polhead_init(&system_policy);
474 	ipsec_polhead_init(&inactive_policy);
475 
476 	for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++)
477 		mutex_init(&(ipsec_action_hash[i].hash_lock),
478 		    NULL, MUTEX_DEFAULT, NULL);
479 
480 	for (i = 0; i < ipsec_spd_hashsize; i++)
481 		mutex_init(&(ipsec_sel_hash[i].hash_lock),
482 		    NULL, MUTEX_DEFAULT, NULL);
483 
484 	mutex_init(&alg_lock, NULL, MUTEX_DEFAULT, NULL);
485 
486 	for (i = 0; i < IPSEC_NALGTYPES; i++)
487 		ipsec_nalgs[i] = 0;
488 
489 	ipsec_action_cache = kmem_cache_create("ipsec_actions",
490 	    sizeof (ipsec_action_t), _POINTER_ALIGNMENT, NULL, NULL,
491 	    ipsec_action_reclaim, NULL, NULL, 0);
492 	ipsec_sel_cache = kmem_cache_create("ipsec_selectors",
493 	    sizeof (ipsec_sel_t), _POINTER_ALIGNMENT, NULL, NULL,
494 	    NULL, NULL, NULL, 0);
495 	ipsec_pol_cache = kmem_cache_create("ipsec_policy",
496 	    sizeof (ipsec_policy_t), _POINTER_ALIGNMENT, NULL, NULL,
497 	    NULL, NULL, NULL, 0);
498 	ipsec_info_cache = kmem_cache_create("ipsec_info",
499 	    sizeof (ipsec_info_t), _POINTER_ALIGNMENT, NULL, NULL,
500 	    NULL, NULL, NULL, 0);
501 
502 	ip_drop_init();
503 	ip_drop_register(&spd_dropper, "IPsec SPD");
504 }
505 
506 /*
507  * Sort algorithm lists.
508  *
509  * I may need to split this based on
510  * authentication/encryption, and I may wish to have an administrator
511  * configure this list.  Hold on to some NDD variables...
512  *
513  * XXX For now, sort on minimum key size (GAG!).  While minimum key size is
514  * not the ideal metric, it's the only quantifiable measure available.
515  * We need a better metric for sorting algorithms by preference.
516  */
517 static void
518 alg_insert_sortlist(enum ipsec_algtype at, uint8_t algid)
519 {
520 	ipsec_alginfo_t *ai = ipsec_alglists[at][algid];
521 	uint8_t holder, swap;
522 	uint_t i;
523 	uint_t count = ipsec_nalgs[at];
524 	ASSERT(ai != NULL);
525 	ASSERT(algid == ai->alg_id);
526 
527 	ASSERT(MUTEX_HELD(&alg_lock));
528 
529 	holder = algid;
530 
531 	for (i = 0; i < count - 1; i++) {
532 		ipsec_alginfo_t *alt;
533 
534 		alt = ipsec_alglists[at][ipsec_sortlist[at][i]];
535 		/*
536 		 * If you want to give precedence to newly added algs,
537 		 * add the = in the > comparison.
538 		 */
539 		if ((holder != algid) || (ai->alg_minbits > alt->alg_minbits)) {
540 			/* Swap sortlist[i] and holder. */
541 			swap = ipsec_sortlist[at][i];
542 			ipsec_sortlist[at][i] = holder;
543 			holder = swap;
544 			ai = alt;
545 		} /* Else just continue. */
546 	}
547 
548 	/* Store holder in last slot. */
549 	ipsec_sortlist[at][i] = holder;
550 }
551 
552 /*
553  * Remove an algorithm from a sorted algorithm list.
554  * This should be considerably easier, even with complex sorting.
555  */
556 static void
557 alg_remove_sortlist(enum ipsec_algtype at, uint8_t algid)
558 {
559 	boolean_t copyback = B_FALSE;
560 	int i;
561 	int newcount = ipsec_nalgs[at];
562 
563 	ASSERT(MUTEX_HELD(&alg_lock));
564 
565 	for (i = 0; i <= newcount; i++) {
566 		if (copyback)
567 			ipsec_sortlist[at][i-1] = ipsec_sortlist[at][i];
568 		else if (ipsec_sortlist[at][i] == algid)
569 			copyback = B_TRUE;
570 	}
571 }
572 
573 /*
574  * Add the specified algorithm to the algorithm tables.
575  * Must be called while holding the algorithm table writer lock.
576  */
577 void
578 ipsec_alg_reg(ipsec_algtype_t algtype, ipsec_alginfo_t *alg)
579 {
580 	ASSERT(MUTEX_HELD(&alg_lock));
581 
582 	ASSERT(ipsec_alglists[algtype][alg->alg_id] == NULL);
583 	ipsec_alg_fix_min_max(alg, algtype);
584 	ipsec_alglists[algtype][alg->alg_id] = alg;
585 
586 	ipsec_nalgs[algtype]++;
587 	alg_insert_sortlist(algtype, alg->alg_id);
588 }
589 
590 /*
591  * Remove the specified algorithm from the algorithm tables.
592  * Must be called while holding the algorithm table writer lock.
593  */
594 void
595 ipsec_alg_unreg(ipsec_algtype_t algtype, uint8_t algid)
596 {
597 	ASSERT(MUTEX_HELD(&alg_lock));
598 
599 	ASSERT(ipsec_alglists[algtype][algid] != NULL);
600 	ipsec_alg_free(ipsec_alglists[algtype][algid]);
601 	ipsec_alglists[algtype][algid] = NULL;
602 
603 	ipsec_nalgs[algtype]--;
604 	alg_remove_sortlist(algtype, algid);
605 }
606 
607 /*
608  * Hooks for spdsock to get a grip on system policy.
609  */
610 
611 ipsec_policy_head_t *
612 ipsec_system_policy(void)
613 {
614 	ipsec_policy_head_t *h = &system_policy;
615 	IPPH_REFHOLD(h);
616 	return (h);
617 }
618 
619 ipsec_policy_head_t *
620 ipsec_inactive_policy(void)
621 {
622 	ipsec_policy_head_t *h = &inactive_policy;
623 	IPPH_REFHOLD(h);
624 	return (h);
625 }
626 
627 /*
628  * Lock inactive policy, then active policy, then exchange policy root
629  * pointers.
630  */
631 void
632 ipsec_swap_policy(void)
633 {
634 	int af, dir;
635 	avl_tree_t r1, r2;
636 
637 	rw_enter(&inactive_policy.iph_lock, RW_WRITER);
638 	rw_enter(&system_policy.iph_lock, RW_WRITER);
639 
640 	r1 = system_policy.iph_rulebyid;
641 	r2 = inactive_policy.iph_rulebyid;
642 	system_policy.iph_rulebyid = r2;
643 	inactive_policy.iph_rulebyid = r1;
644 
645 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
646 		ipsec_policy_hash_t *h1, *h2;
647 
648 		h1 = system_policy.iph_root[dir].ipr_hash;
649 		h2 = inactive_policy.iph_root[dir].ipr_hash;
650 		system_policy.iph_root[dir].ipr_hash = h2;
651 		inactive_policy.iph_root[dir].ipr_hash = h1;
652 
653 		for (af = 0; af < IPSEC_NAF; af++) {
654 			ipsec_policy_t *t1, *t2;
655 
656 			t1 = system_policy.iph_root[dir].ipr_nonhash[af];
657 			t2 = inactive_policy.iph_root[dir].ipr_nonhash[af];
658 			system_policy.iph_root[dir].ipr_nonhash[af] = t2;
659 			inactive_policy.iph_root[dir].ipr_nonhash[af] = t1;
660 			if (t1 != NULL) {
661 				t1->ipsp_hash.hash_pp =
662 				    &(inactive_policy.iph_root[dir].
663 				    ipr_nonhash[af]);
664 			}
665 			if (t2 != NULL) {
666 				t2->ipsp_hash.hash_pp =
667 				    &(system_policy.iph_root[dir].
668 				    ipr_nonhash[af]);
669 			}
670 
671 		}
672 	}
673 	system_policy.iph_gen++;
674 	inactive_policy.iph_gen++;
675 	ipsec_update_present_flags();
676 	rw_exit(&system_policy.iph_lock);
677 	rw_exit(&inactive_policy.iph_lock);
678 }
679 
680 /*
681  * Clone one policy rule..
682  */
683 static ipsec_policy_t *
684 ipsec_copy_policy(const ipsec_policy_t *src)
685 {
686 	ipsec_policy_t *dst = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);
687 
688 	if (dst == NULL)
689 		return (NULL);
690 
691 	/*
692 	 * Adjust refcounts of cloned state.
693 	 */
694 	IPACT_REFHOLD(src->ipsp_act);
695 	src->ipsp_sel->ipsl_refs++;
696 
697 	HASH_NULL(dst, ipsp_hash);
698 	dst->ipsp_refs = 1;
699 	dst->ipsp_sel = src->ipsp_sel;
700 	dst->ipsp_act = src->ipsp_act;
701 	dst->ipsp_prio = src->ipsp_prio;
702 	dst->ipsp_index = src->ipsp_index;
703 
704 	return (dst);
705 }
706 
707 void
708 ipsec_insert_always(avl_tree_t *tree, void *new_node)
709 {
710 	void *node;
711 	avl_index_t where;
712 
713 	node = avl_find(tree, new_node, &where);
714 	ASSERT(node == NULL);
715 	avl_insert(tree, new_node, where);
716 }
717 
718 
719 static int
720 ipsec_copy_chain(ipsec_policy_head_t *dph, ipsec_policy_t *src,
721     ipsec_policy_t **dstp)
722 {
723 	for (; src != NULL; src = src->ipsp_hash.hash_next) {
724 		ipsec_policy_t *dst = ipsec_copy_policy(src);
725 		if (dst == NULL)
726 			return (ENOMEM);
727 
728 		HASHLIST_INSERT(dst, ipsp_hash, *dstp);
729 		ipsec_insert_always(&dph->iph_rulebyid, dst);
730 	}
731 	return (0);
732 }
733 
734 
735 
736 /*
737  * Make one policy head look exactly like another.
738  *
739  * As with ipsec_swap_policy, we lock the destination policy head first, then
740  * the source policy head. Note that we only need to read-lock the source
741  * policy head as we are not changing it.
742  */
743 static int
744 ipsec_copy_polhead(ipsec_policy_head_t *sph, ipsec_policy_head_t *dph)
745 {
746 	int af, dir, chain, nchains;
747 
748 	rw_enter(&dph->iph_lock, RW_WRITER);
749 
750 	ipsec_polhead_flush(dph);
751 
752 	rw_enter(&sph->iph_lock, RW_READER);
753 
754 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
755 		ipsec_policy_root_t *dpr = &dph->iph_root[dir];
756 		ipsec_policy_root_t *spr = &sph->iph_root[dir];
757 		nchains = dpr->ipr_nchains;
758 
759 		ASSERT(dpr->ipr_nchains == spr->ipr_nchains);
760 
761 		for (af = 0; af < IPSEC_NAF; af++) {
762 			if (ipsec_copy_chain(dph, spr->ipr_nonhash[af],
763 			    &dpr->ipr_nonhash[af]))
764 				goto abort_copy;
765 		}
766 
767 		for (chain = 0; chain < nchains; chain++) {
768 			if (ipsec_copy_chain(dph,
769 			    spr->ipr_hash[chain].hash_head,
770 			    &dpr->ipr_hash[chain].hash_head))
771 				goto abort_copy;
772 		}
773 	}
774 
775 	dph->iph_gen++;
776 
777 	rw_exit(&sph->iph_lock);
778 	rw_exit(&dph->iph_lock);
779 	return (0);
780 
781 abort_copy:
782 	ipsec_polhead_flush(dph);
783 	rw_exit(&sph->iph_lock);
784 	rw_exit(&dph->iph_lock);
785 	return (ENOMEM);
786 }
787 
788 /*
789  * Clone currently active policy to the inactive policy list.
790  */
791 int
792 ipsec_clone_system_policy(void)
793 {
794 	return (ipsec_copy_polhead(&system_policy, &inactive_policy));
795 }
796 
797 
798 /*
799  * Extract the string from ipsec_policy_failure_msgs[type] and
800  * log it.
801  *
802  * This function needs to be kept in synch with ipsec_rl_strlog() in
803  * sadb.c.
804  * XXX this function should be combined with the ipsec_rl_strlog() function.
805  */
806 void
807 ipsec_log_policy_failure(queue_t *q, int type, char *func_name, ipha_t *ipha,
808     ip6_t *ip6h, boolean_t secure)
809 {
810 	char	sbuf[INET6_ADDRSTRLEN];
811 	char	dbuf[INET6_ADDRSTRLEN];
812 	char	*s;
813 	char	*d;
814 	hrtime_t current = gethrtime();
815 
816 	ASSERT((ipha == NULL && ip6h != NULL) ||
817 	    (ip6h == NULL && ipha != NULL));
818 
819 	if (ipha != NULL) {
820 		s = inet_ntop(AF_INET, &ipha->ipha_src, sbuf, sizeof (sbuf));
821 		d = inet_ntop(AF_INET, &ipha->ipha_dst, dbuf, sizeof (dbuf));
822 	} else {
823 		s = inet_ntop(AF_INET6, &ip6h->ip6_src, sbuf, sizeof (sbuf));
824 		d = inet_ntop(AF_INET6, &ip6h->ip6_dst, dbuf, sizeof (dbuf));
825 
826 	}
827 
828 	/* Always bump the policy failure counter. */
829 	ipsec_policy_failure_count[type]++;
830 
831 	/* Convert interval (in msec) to hrtime (in nsec), which means * 10^6 */
832 	if (ipsec_policy_failure_last +
833 	    ((hrtime_t)ipsec_policy_log_interval * (hrtime_t)1000000) <=
834 	    current) {
835 		/*
836 		 * Throttle the logging such that I only log one message
837 		 * every 'ipsec_policy_log_interval' amount of time.
838 		 */
839 		(void) mi_strlog(q, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
840 		    ipsec_policy_failure_msgs[type],
841 		    func_name,
842 		    (secure ? "secure" : "not secure"), s, d);
843 		ipsec_policy_failure_last = current;
844 	}
845 }
846 
847 void
848 ipsec_config_flush()
849 {
850 	rw_enter(&system_policy.iph_lock, RW_WRITER);
851 	ipsec_polhead_flush(&system_policy);
852 	ipsec_next_policy_index = 1;
853 	rw_exit(&system_policy.iph_lock);
854 	ipsec_action_reclaim(0);
855 }
856 
857 /*
858  * Clip a policy's min/max keybits vs. the capabilities of the
859  * algorithm.
860  */
861 static void
862 act_alg_adjust(uint_t algtype, uint_t algid,
863     uint16_t *minbits, uint16_t *maxbits)
864 {
865 	ipsec_alginfo_t *algp = ipsec_alglists[algtype][algid];
866 	if (algp != NULL) {
867 		/*
868 		 * If passed-in minbits is zero, we assume the caller trusts
869 		 * us with setting the minimum key size.  We pick the
870 		 * algorithms DEFAULT key size for the minimum in this case.
871 		 */
872 		if (*minbits == 0) {
873 			*minbits = algp->alg_default_bits;
874 			ASSERT(*minbits >= algp->alg_minbits);
875 		} else {
876 			*minbits = MAX(*minbits, algp->alg_minbits);
877 		}
878 		if (*maxbits == 0)
879 			*maxbits = algp->alg_maxbits;
880 		else
881 			*maxbits = MIN(*maxbits, algp->alg_maxbits);
882 		ASSERT(*minbits <= *maxbits);
883 	} else {
884 		*minbits = 0;
885 		*maxbits = 0;
886 	}
887 }
888 
889 /*
890  * Check an action's requested algorithms against the algorithms currently
891  * loaded in the system.
892  */
893 boolean_t
894 ipsec_check_action(ipsec_act_t *act, int *diag)
895 {
896 	ipsec_prot_t *ipp;
897 
898 	ipp = &act->ipa_apply;
899 
900 	if (ipp->ipp_use_ah &&
901 	    ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_auth_alg] == NULL) {
902 		*diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG;
903 		return (B_FALSE);
904 	}
905 	if (ipp->ipp_use_espa &&
906 	    ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_esp_auth_alg] == NULL) {
907 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG;
908 		return (B_FALSE);
909 	}
910 	if (ipp->ipp_use_esp &&
911 	    ipsec_alglists[IPSEC_ALG_ENCR][ipp->ipp_encr_alg] == NULL) {
912 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG;
913 		return (B_FALSE);
914 	}
915 
916 	act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_auth_alg,
917 	    &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits);
918 	act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_esp_auth_alg,
919 	    &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits);
920 	act_alg_adjust(IPSEC_ALG_ENCR, ipp->ipp_encr_alg,
921 	    &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits);
922 
923 	if (ipp->ipp_ah_minbits > ipp->ipp_ah_maxbits) {
924 		*diag = SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE;
925 		return (B_FALSE);
926 	}
927 	if (ipp->ipp_espa_minbits > ipp->ipp_espa_maxbits) {
928 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE;
929 		return (B_FALSE);
930 	}
931 	if (ipp->ipp_espe_minbits > ipp->ipp_espe_maxbits) {
932 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE;
933 		return (B_FALSE);
934 	}
935 	/* TODO: sanity check lifetimes */
936 	return (B_TRUE);
937 }
938 
939 /*
940  * Set up a single action during wildcard expansion..
941  */
942 static void
943 ipsec_setup_act(ipsec_act_t *outact, ipsec_act_t *act,
944     uint_t auth_alg, uint_t encr_alg, uint_t eauth_alg)
945 {
946 	ipsec_prot_t *ipp;
947 
948 	*outact = *act;
949 	ipp = &outact->ipa_apply;
950 	ipp->ipp_auth_alg = (uint8_t)auth_alg;
951 	ipp->ipp_encr_alg = (uint8_t)encr_alg;
952 	ipp->ipp_esp_auth_alg = (uint8_t)eauth_alg;
953 
954 	act_alg_adjust(IPSEC_ALG_AUTH, auth_alg,
955 	    &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits);
956 	act_alg_adjust(IPSEC_ALG_AUTH, eauth_alg,
957 	    &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits);
958 	act_alg_adjust(IPSEC_ALG_ENCR, encr_alg,
959 	    &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits);
960 }
961 
962 /*
963  * combinatoric expansion time: expand a wildcarded action into an
964  * array of wildcarded actions; we return the exploded action list,
965  * and return a count in *nact (output only).
966  */
967 static ipsec_act_t *
968 ipsec_act_wildcard_expand(ipsec_act_t *act, uint_t *nact)
969 {
970 	boolean_t use_ah, use_esp, use_espa;
971 	boolean_t wild_auth, wild_encr, wild_eauth;
972 	uint_t	auth_alg, auth_idx, auth_min, auth_max;
973 	uint_t	eauth_alg, eauth_idx, eauth_min, eauth_max;
974 	uint_t  encr_alg, encr_idx, encr_min, encr_max;
975 	uint_t	action_count, ai;
976 	ipsec_act_t *outact;
977 
978 	if (act->ipa_type != IPSEC_ACT_APPLY) {
979 		outact = kmem_alloc(sizeof (*act), KM_NOSLEEP);
980 		*nact = 1;
981 		if (outact != NULL)
982 			bcopy(act, outact, sizeof (*act));
983 		return (outact);
984 	}
985 	/*
986 	 * compute the combinatoric explosion..
987 	 *
988 	 * we assume a request for encr if esp_req is PREF_REQUIRED
989 	 * we assume a request for ah auth if ah_req is PREF_REQUIRED.
990 	 * we assume a request for esp auth if !ah and esp_req is PREF_REQUIRED
991 	 */
992 
993 	use_ah = act->ipa_apply.ipp_use_ah;
994 	use_esp = act->ipa_apply.ipp_use_esp;
995 	use_espa = act->ipa_apply.ipp_use_espa;
996 	auth_alg = act->ipa_apply.ipp_auth_alg;
997 	eauth_alg = act->ipa_apply.ipp_esp_auth_alg;
998 	encr_alg = act->ipa_apply.ipp_encr_alg;
999 
1000 	wild_auth = use_ah && (auth_alg == 0);
1001 	wild_eauth = use_espa && (eauth_alg == 0);
1002 	wild_encr = use_esp && (encr_alg == 0);
1003 
1004 	action_count = 1;
1005 	auth_min = auth_max = auth_alg;
1006 	eauth_min = eauth_max = eauth_alg;
1007 	encr_min = encr_max = encr_alg;
1008 
1009 	/*
1010 	 * set up for explosion.. for each dimension, expand output
1011 	 * size by the explosion factor.
1012 	 *
1013 	 * Don't include the "any" algorithms, if defined, as no
1014 	 * kernel policies should be set for these algorithms.
1015 	 */
1016 
1017 #define	SET_EXP_MINMAX(type, wild, alg, min, max) if (wild) {	\
1018 		int nalgs = ipsec_nalgs[type];			\
1019 		if (ipsec_alglists[type][alg] != NULL)		\
1020 			nalgs--;				\
1021 		action_count *= nalgs;				\
1022 		min = 0;					\
1023 		max = ipsec_nalgs[type] - 1;			\
1024 	}
1025 
1026 	SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_auth, SADB_AALG_NONE,
1027 	    auth_min, auth_max);
1028 	SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_eauth, SADB_AALG_NONE,
1029 	    eauth_min, eauth_max);
1030 	SET_EXP_MINMAX(IPSEC_ALG_ENCR, wild_encr, SADB_EALG_NONE,
1031 	    encr_min, encr_max);
1032 
1033 #undef	SET_EXP_MINMAX
1034 
1035 	/*
1036 	 * ok, allocate the whole mess..
1037 	 */
1038 
1039 	outact = kmem_alloc(sizeof (*outact) * action_count, KM_NOSLEEP);
1040 	if (outact == NULL)
1041 		return (NULL);
1042 
1043 	/*
1044 	 * Now compute all combinations.  Note that non-wildcarded
1045 	 * dimensions just get a single value from auth_min, while
1046 	 * wildcarded dimensions indirect through the sortlist.
1047 	 *
1048 	 * We do encryption outermost since, at this time, there's
1049 	 * greater difference in security and performance between
1050 	 * encryption algorithms vs. authentication algorithms.
1051 	 */
1052 
1053 	ai = 0;
1054 
1055 #define	WHICH_ALG(type, wild, idx) ((wild)?(ipsec_sortlist[type][idx]):(idx))
1056 
1057 	for (encr_idx = encr_min; encr_idx <= encr_max; encr_idx++) {
1058 		encr_alg = WHICH_ALG(IPSEC_ALG_ENCR, wild_encr, encr_idx);
1059 		if (wild_encr && encr_alg == SADB_EALG_NONE)
1060 			continue;
1061 		for (auth_idx = auth_min; auth_idx <= auth_max; auth_idx++) {
1062 			auth_alg = WHICH_ALG(IPSEC_ALG_AUTH, wild_auth,
1063 			    auth_idx);
1064 			if (wild_auth && auth_alg == SADB_AALG_NONE)
1065 				continue;
1066 			for (eauth_idx = eauth_min; eauth_idx <= eauth_max;
1067 			    eauth_idx++) {
1068 				eauth_alg = WHICH_ALG(IPSEC_ALG_AUTH,
1069 				    wild_eauth, eauth_idx);
1070 				if (wild_eauth && eauth_alg == SADB_AALG_NONE)
1071 					continue;
1072 
1073 				ipsec_setup_act(&outact[ai], act,
1074 				    auth_alg, encr_alg, eauth_alg);
1075 				ai++;
1076 			}
1077 		}
1078 	}
1079 
1080 #undef WHICH_ALG
1081 
1082 	ASSERT(ai == action_count);
1083 	*nact = action_count;
1084 	return (outact);
1085 }
1086 
1087 /*
1088  * Extract the parts of an ipsec_prot_t from an old-style ipsec_req_t.
1089  */
1090 static void
1091 ipsec_prot_from_req(ipsec_req_t *req, ipsec_prot_t *ipp)
1092 {
1093 	bzero(ipp, sizeof (*ipp));
1094 	/*
1095 	 * ipp_use_* are bitfields.  Look at "!!" in the following as a
1096 	 * "boolean canonicalization" operator.
1097 	 */
1098 	ipp->ipp_use_ah = !!(req->ipsr_ah_req & IPSEC_PREF_REQUIRED);
1099 	ipp->ipp_use_esp = !!(req->ipsr_esp_req & IPSEC_PREF_REQUIRED);
1100 	ipp->ipp_use_espa = !!(req->ipsr_esp_auth_alg) || !ipp->ipp_use_ah;
1101 	ipp->ipp_use_se = !!(req->ipsr_self_encap_req & IPSEC_PREF_REQUIRED);
1102 	ipp->ipp_use_unique = !!((req->ipsr_ah_req|req->ipsr_esp_req) &
1103 	    IPSEC_PREF_UNIQUE);
1104 	ipp->ipp_encr_alg = req->ipsr_esp_alg;
1105 	ipp->ipp_auth_alg = req->ipsr_auth_alg;
1106 	ipp->ipp_esp_auth_alg = req->ipsr_esp_auth_alg;
1107 }
1108 
1109 /*
1110  * Extract a new-style action from a request.
1111  */
1112 void
1113 ipsec_actvec_from_req(ipsec_req_t *req, ipsec_act_t **actp, uint_t *nactp)
1114 {
1115 	struct ipsec_act act;
1116 	bzero(&act, sizeof (act));
1117 	if ((req->ipsr_ah_req & IPSEC_PREF_NEVER) &&
1118 	    (req->ipsr_esp_req & IPSEC_PREF_NEVER)) {
1119 		act.ipa_type = IPSEC_ACT_BYPASS;
1120 	} else {
1121 		act.ipa_type = IPSEC_ACT_APPLY;
1122 		ipsec_prot_from_req(req, &act.ipa_apply);
1123 	}
1124 	*actp = ipsec_act_wildcard_expand(&act, nactp);
1125 }
1126 
1127 /*
1128  * Convert a new-style "prot" back to an ipsec_req_t (more backwards compat).
1129  * We assume caller has already zero'ed *req for us.
1130  */
1131 static int
1132 ipsec_req_from_prot(ipsec_prot_t *ipp, ipsec_req_t *req)
1133 {
1134 	req->ipsr_esp_alg = ipp->ipp_encr_alg;
1135 	req->ipsr_auth_alg = ipp->ipp_auth_alg;
1136 	req->ipsr_esp_auth_alg = ipp->ipp_esp_auth_alg;
1137 
1138 	if (ipp->ipp_use_unique) {
1139 		req->ipsr_ah_req |= IPSEC_PREF_UNIQUE;
1140 		req->ipsr_esp_req |= IPSEC_PREF_UNIQUE;
1141 	}
1142 	if (ipp->ipp_use_se)
1143 		req->ipsr_self_encap_req |= IPSEC_PREF_REQUIRED;
1144 	if (ipp->ipp_use_ah)
1145 		req->ipsr_ah_req |= IPSEC_PREF_REQUIRED;
1146 	if (ipp->ipp_use_esp)
1147 		req->ipsr_esp_req |= IPSEC_PREF_REQUIRED;
1148 	return (sizeof (*req));
1149 }
1150 
1151 /*
1152  * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1153  * We assume caller has already zero'ed *req for us.
1154  */
1155 static int
1156 ipsec_req_from_act(ipsec_action_t *ap, ipsec_req_t *req)
1157 {
1158 	switch (ap->ipa_act.ipa_type) {
1159 	case IPSEC_ACT_BYPASS:
1160 		req->ipsr_ah_req = IPSEC_PREF_NEVER;
1161 		req->ipsr_esp_req = IPSEC_PREF_NEVER;
1162 		return (sizeof (*req));
1163 	case IPSEC_ACT_APPLY:
1164 		return (ipsec_req_from_prot(&ap->ipa_act.ipa_apply, req));
1165 	}
1166 	return (sizeof (*req));
1167 }
1168 
1169 /*
1170  * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1171  * We assume caller has already zero'ed *req for us.
1172  */
1173 static int
1174 ipsec_req_from_head(ipsec_policy_head_t *ph, ipsec_req_t *req, int af)
1175 {
1176 	ipsec_policy_t *p;
1177 
1178 	/*
1179 	 * FULL-PERSOCK: consult hash table, too?
1180 	 */
1181 	for (p = ph->iph_root[IPSEC_INBOUND].ipr_nonhash[af];
1182 	    p != NULL;
1183 	    p = p->ipsp_hash.hash_next) {
1184 		if ((p->ipsp_sel->ipsl_key.ipsl_valid&IPSL_WILDCARD) == 0)
1185 			return (ipsec_req_from_act(p->ipsp_act, req));
1186 	}
1187 	return (sizeof (*req));
1188 }
1189 
1190 /*
1191  * Based on per-socket or latched policy, convert to an appropriate
1192  * IP_SEC_OPT ipsec_req_t for the socket option; return size so we can
1193  * be tail-called from ip.
1194  */
1195 int
1196 ipsec_req_from_conn(conn_t *connp, ipsec_req_t *req, int af)
1197 {
1198 	ipsec_latch_t *ipl;
1199 	int rv = sizeof (ipsec_req_t);
1200 
1201 	bzero(req, sizeof (*req));
1202 
1203 	mutex_enter(&connp->conn_lock);
1204 	ipl = connp->conn_latch;
1205 
1206 	/*
1207 	 * Find appropriate policy.  First choice is latched action;
1208 	 * failing that, see latched policy; failing that,
1209 	 * look at configured policy.
1210 	 */
1211 	if (ipl != NULL) {
1212 		if (ipl->ipl_in_action != NULL) {
1213 			rv = ipsec_req_from_act(ipl->ipl_in_action, req);
1214 			goto done;
1215 		}
1216 		if (ipl->ipl_in_policy != NULL) {
1217 			rv = ipsec_req_from_act(ipl->ipl_in_policy->ipsp_act,
1218 			    req);
1219 			goto done;
1220 		}
1221 	}
1222 	if (connp->conn_policy != NULL)
1223 		rv = ipsec_req_from_head(connp->conn_policy, req, af);
1224 done:
1225 	mutex_exit(&connp->conn_lock);
1226 	return (rv);
1227 }
1228 
1229 void
1230 ipsec_actvec_free(ipsec_act_t *act, uint_t nact)
1231 {
1232 	kmem_free(act, nact * sizeof (*act));
1233 }
1234 
1235 /*
1236  * When outbound policy is not cached, look it up the hard way and attach
1237  * an ipsec_out_t to the packet..
1238  */
1239 static mblk_t *
1240 ipsec_attach_global_policy(mblk_t *mp, conn_t *connp, ipsec_selector_t *sel)
1241 {
1242 	ipsec_policy_t *p;
1243 
1244 	p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel);
1245 
1246 	if (p == NULL)
1247 		return (NULL);
1248 	return (ipsec_attach_ipsec_out(mp, connp, p, sel->ips_protocol));
1249 }
1250 
1251 /*
1252  * We have an ipsec_out already, but don't have cached policy; fill it in
1253  * with the right actions.
1254  */
1255 static mblk_t *
1256 ipsec_apply_global_policy(mblk_t *ipsec_mp, conn_t *connp,
1257     ipsec_selector_t *sel)
1258 {
1259 	ipsec_out_t *io;
1260 	ipsec_policy_t *p;
1261 
1262 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
1263 	ASSERT(ipsec_mp->b_cont->b_datap->db_type == M_DATA);
1264 
1265 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
1266 
1267 	if (io->ipsec_out_policy == NULL) {
1268 		p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, io, sel);
1269 		io->ipsec_out_policy = p;
1270 	}
1271 	return (ipsec_mp);
1272 }
1273 
1274 
1275 /* ARGSUSED */
1276 /*
1277  * Consumes a reference to ipsp.
1278  */
1279 static mblk_t *
1280 ipsec_check_loopback_policy(queue_t *q, mblk_t *first_mp,
1281     boolean_t mctl_present, ipsec_policy_t *ipsp)
1282 {
1283 	mblk_t *ipsec_mp;
1284 	ipsec_in_t *ii;
1285 
1286 	if (!mctl_present)
1287 		return (first_mp);
1288 
1289 	ipsec_mp = first_mp;
1290 
1291 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
1292 	ASSERT(ii->ipsec_in_loopback);
1293 	IPPOL_REFRELE(ipsp);
1294 
1295 	/*
1296 	 * We should do an actual policy check here.  Revisit this
1297 	 * when we revisit the IPsec API.
1298 	 */
1299 
1300 	return (first_mp);
1301 }
1302 
1303 /*
1304  * Check that packet's inbound ports & proto match the selectors
1305  * expected by the SAs it traversed on the way in.
1306  */
1307 static boolean_t
1308 ipsec_check_ipsecin_unique(ipsec_in_t *ii, mblk_t *mp,
1309     ipha_t *ipha, ip6_t *ip6h,
1310     const char **reason, kstat_named_t **counter)
1311 {
1312 	uint64_t pkt_unique, ah_mask, esp_mask;
1313 	ipsa_t *ah_assoc;
1314 	ipsa_t *esp_assoc;
1315 	ipsec_selector_t sel;
1316 
1317 	ASSERT(ii->ipsec_in_secure);
1318 	ASSERT(!ii->ipsec_in_loopback);
1319 
1320 	ah_assoc = ii->ipsec_in_ah_sa;
1321 	esp_assoc = ii->ipsec_in_esp_sa;
1322 	ASSERT((ah_assoc != NULL) || (esp_assoc != NULL));
1323 
1324 	ah_mask = (ah_assoc != NULL) ? ah_assoc->ipsa_unique_mask : 0;
1325 	esp_mask = (esp_assoc != NULL) ? esp_assoc->ipsa_unique_mask : 0;
1326 
1327 	if ((ah_mask == 0) && (esp_mask == 0))
1328 		return (B_TRUE);
1329 
1330 	if (!ipsec_init_inbound_sel(&sel, mp, ipha, ip6h)) {
1331 		/*
1332 		 * Technically not a policy mismatch, but it is
1333 		 * an internal failure.
1334 		 */
1335 		*reason = "ipsec_init_inbound_sel";
1336 		*counter = &ipdrops_spd_nomem;
1337 		return (B_FALSE);
1338 	}
1339 
1340 	pkt_unique = SA_UNIQUE_ID(sel.ips_remote_port, sel.ips_local_port,
1341 	    sel.ips_protocol);
1342 
1343 	if (ah_mask != 0) {
1344 		if (ah_assoc->ipsa_unique_id != (pkt_unique & ah_mask)) {
1345 			*reason = "AH inner header mismatch";
1346 			*counter = &ipdrops_spd_ah_innermismatch;
1347 			return (B_FALSE);
1348 		}
1349 	}
1350 	if (esp_mask != 0) {
1351 		if (esp_assoc->ipsa_unique_id != (pkt_unique & esp_mask)) {
1352 			*reason = "ESP inner header mismatch";
1353 			*counter = &ipdrops_spd_esp_innermismatch;
1354 			return (B_FALSE);
1355 		}
1356 	}
1357 	return (B_TRUE);
1358 }
1359 
1360 static boolean_t
1361 ipsec_check_ipsecin_action(ipsec_in_t *ii, mblk_t *mp, ipsec_action_t *ap,
1362     ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter)
1363 {
1364 	boolean_t ret = B_TRUE;
1365 	ipsec_prot_t *ipp;
1366 	ipsa_t *ah_assoc;
1367 	ipsa_t *esp_assoc;
1368 	boolean_t decaps;
1369 
1370 	ASSERT((ipha == NULL && ip6h != NULL) ||
1371 	    (ip6h == NULL && ipha != NULL));
1372 
1373 	if (ii->ipsec_in_loopback) {
1374 		/*
1375 		 * Besides accepting pointer-equivalent actions, we also
1376 		 * accept any ICMP errors we generated for ourselves,
1377 		 * regardless of policy.  If we do not wish to make this
1378 		 * assumption in the future, check here, and where
1379 		 * icmp_loopback is initialized in ip.c and ip6.c.  (Look for
1380 		 * ipsec_out_icmp_loopback.)
1381 		 */
1382 		if (ap == ii->ipsec_in_action || ii->ipsec_in_icmp_loopback)
1383 			return (B_TRUE);
1384 
1385 		/* Deep compare necessary here?? */
1386 		*counter = &ipdrops_spd_loopback_mismatch;
1387 		*reason = "loopback policy mismatch";
1388 		return (B_FALSE);
1389 	}
1390 	ASSERT(!ii->ipsec_in_icmp_loopback);
1391 
1392 	ah_assoc = ii->ipsec_in_ah_sa;
1393 	esp_assoc = ii->ipsec_in_esp_sa;
1394 
1395 	decaps = ii->ipsec_in_decaps;
1396 
1397 	switch (ap->ipa_act.ipa_type) {
1398 	case IPSEC_ACT_DISCARD:
1399 	case IPSEC_ACT_REJECT:
1400 		/* Should "fail hard" */
1401 		*counter = &ipdrops_spd_explicit;
1402 		*reason = "blocked by policy";
1403 		return (B_FALSE);
1404 
1405 	case IPSEC_ACT_BYPASS:
1406 	case IPSEC_ACT_CLEAR:
1407 		*counter = &ipdrops_spd_got_secure;
1408 		*reason = "expected clear, got protected";
1409 		return (B_FALSE);
1410 
1411 	case IPSEC_ACT_APPLY:
1412 		ipp = &ap->ipa_act.ipa_apply;
1413 		/*
1414 		 * As of now we do the simple checks of whether
1415 		 * the datagram has gone through the required IPSEC
1416 		 * protocol constraints or not. We might have more
1417 		 * in the future like sensitive levels, key bits, etc.
1418 		 * If it fails the constraints, check whether we would
1419 		 * have accepted this if it had come in clear.
1420 		 */
1421 		if (ipp->ipp_use_ah) {
1422 			if (ah_assoc == NULL) {
1423 				ret = ipsec_inbound_accept_clear(mp, ipha,
1424 				    ip6h);
1425 				*counter = &ipdrops_spd_got_clear;
1426 				*reason = "unprotected not accepted";
1427 				break;
1428 			}
1429 			ASSERT(ah_assoc != NULL);
1430 			ASSERT(ipp->ipp_auth_alg != 0);
1431 
1432 			if (ah_assoc->ipsa_auth_alg !=
1433 			    ipp->ipp_auth_alg) {
1434 				*counter = &ipdrops_spd_bad_ahalg;
1435 				*reason = "unacceptable ah alg";
1436 				ret = B_FALSE;
1437 				break;
1438 			}
1439 		} else if (ah_assoc != NULL) {
1440 			/*
1441 			 * Don't allow this. Check IPSEC NOTE above
1442 			 * ip_fanout_proto().
1443 			 */
1444 			*counter = &ipdrops_spd_got_ah;
1445 			*reason = "unexpected AH";
1446 			ret = B_FALSE;
1447 			break;
1448 		}
1449 		if (ipp->ipp_use_esp) {
1450 			if (esp_assoc == NULL) {
1451 				ret = ipsec_inbound_accept_clear(mp, ipha,
1452 				    ip6h);
1453 				*counter = &ipdrops_spd_got_clear;
1454 				*reason = "unprotected not accepted";
1455 				break;
1456 			}
1457 			ASSERT(esp_assoc != NULL);
1458 			ASSERT(ipp->ipp_encr_alg != 0);
1459 
1460 			if (esp_assoc->ipsa_encr_alg !=
1461 			    ipp->ipp_encr_alg) {
1462 				*counter = &ipdrops_spd_bad_espealg;
1463 				*reason = "unacceptable esp alg";
1464 				ret = B_FALSE;
1465 				break;
1466 			}
1467 			/*
1468 			 * If the client does not need authentication,
1469 			 * we don't verify the alogrithm.
1470 			 */
1471 			if (ipp->ipp_use_espa) {
1472 				if (esp_assoc->ipsa_auth_alg !=
1473 				    ipp->ipp_esp_auth_alg) {
1474 					*counter = &ipdrops_spd_bad_espaalg;
1475 					*reason = "unacceptable esp auth alg";
1476 					ret = B_FALSE;
1477 					break;
1478 				}
1479 			}
1480 		} else if (esp_assoc != NULL) {
1481 				/*
1482 				 * Don't allow this. Check IPSEC NOTE above
1483 				 * ip_fanout_proto().
1484 				 */
1485 			*counter = &ipdrops_spd_got_esp;
1486 			*reason = "unexpected ESP";
1487 			ret = B_FALSE;
1488 			break;
1489 		}
1490 		if (ipp->ipp_use_se) {
1491 			if (!decaps) {
1492 				ret = ipsec_inbound_accept_clear(mp, ipha,
1493 				    ip6h);
1494 				if (!ret) {
1495 					/* XXX mutant? */
1496 					*counter = &ipdrops_spd_bad_selfencap;
1497 					*reason = "self encap not found";
1498 					break;
1499 				}
1500 			}
1501 		} else if (decaps) {
1502 			/*
1503 			 * XXX If the packet comes in tunneled and the
1504 			 * recipient does not expect it to be tunneled, it
1505 			 * is okay. But we drop to be consistent with the
1506 			 * other cases.
1507 			 */
1508 			*counter = &ipdrops_spd_got_selfencap;
1509 			*reason = "unexpected self encap";
1510 			ret = B_FALSE;
1511 			break;
1512 		}
1513 		if (ii->ipsec_in_action != NULL) {
1514 			/*
1515 			 * This can happen if we do a double policy-check on
1516 			 * a packet
1517 			 * XXX XXX should fix this case!
1518 			 */
1519 			IPACT_REFRELE(ii->ipsec_in_action);
1520 		}
1521 		ASSERT(ii->ipsec_in_action == NULL);
1522 		IPACT_REFHOLD(ap);
1523 		ii->ipsec_in_action = ap;
1524 		break;	/* from switch */
1525 	}
1526 	return (ret);
1527 }
1528 
1529 static boolean_t
1530 spd_match_inbound_ids(ipsec_latch_t *ipl, ipsa_t *sa)
1531 {
1532 	ASSERT(ipl->ipl_ids_latched == B_TRUE);
1533 	return ipsid_equal(ipl->ipl_remote_cid, sa->ipsa_src_cid) &&
1534 	    ipsid_equal(ipl->ipl_local_cid, sa->ipsa_dst_cid);
1535 }
1536 
1537 /*
1538  * Called to check policy on a latched connection, both from this file
1539  * and from tcp.c
1540  */
1541 boolean_t
1542 ipsec_check_ipsecin_latch(ipsec_in_t *ii, mblk_t *mp, ipsec_latch_t *ipl,
1543     ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter)
1544 {
1545 	ASSERT(ipl->ipl_ids_latched == B_TRUE);
1546 
1547 	if (!ii->ipsec_in_loopback) {
1548 		/*
1549 		 * Over loopback, there aren't real security associations,
1550 		 * so there are neither identities nor "unique" values
1551 		 * for us to check the packet against.
1552 		 */
1553 		if ((ii->ipsec_in_ah_sa != NULL) &&
1554 		    (!spd_match_inbound_ids(ipl, ii->ipsec_in_ah_sa))) {
1555 			*counter = &ipdrops_spd_ah_badid;
1556 			*reason = "AH identity mismatch";
1557 			return (B_FALSE);
1558 		}
1559 
1560 		if ((ii->ipsec_in_esp_sa != NULL) &&
1561 		    (!spd_match_inbound_ids(ipl, ii->ipsec_in_esp_sa))) {
1562 			*counter = &ipdrops_spd_esp_badid;
1563 			*reason = "ESP identity mismatch";
1564 			return (B_FALSE);
1565 		}
1566 
1567 		if (!ipsec_check_ipsecin_unique(ii, mp, ipha, ip6h, reason,
1568 		    counter)) {
1569 			return (B_FALSE);
1570 		}
1571 	}
1572 
1573 	return (ipsec_check_ipsecin_action(ii, mp, ipl->ipl_in_action,
1574 	    ipha, ip6h, reason, counter));
1575 }
1576 
1577 /*
1578  * Check to see whether this secured datagram meets the policy
1579  * constraints specified in ipsp.
1580  *
1581  * Called from ipsec_check_global_policy, and ipsec_check_inbound_policy.
1582  *
1583  * Consumes a reference to ipsp.
1584  */
1585 static mblk_t *
1586 ipsec_check_ipsecin_policy(queue_t *q, mblk_t *first_mp, ipsec_policy_t *ipsp,
1587     ipha_t *ipha, ip6_t *ip6h)
1588 {
1589 	ipsec_in_t *ii;
1590 	ipsec_action_t *ap;
1591 	const char *reason = "no policy actions found";
1592 	mblk_t *data_mp, *ipsec_mp;
1593 	kstat_named_t *counter = &ipdrops_spd_got_secure;
1594 
1595 	data_mp = first_mp->b_cont;
1596 	ipsec_mp = first_mp;
1597 
1598 	ASSERT(ipsp != NULL);
1599 
1600 	ASSERT((ipha == NULL && ip6h != NULL) ||
1601 	    (ip6h == NULL && ipha != NULL));
1602 
1603 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
1604 
1605 	if (ii->ipsec_in_loopback)
1606 		return (ipsec_check_loopback_policy(q, first_mp, B_TRUE, ipsp));
1607 	ASSERT(ii->ipsec_in_type == IPSEC_IN);
1608 	ASSERT(ii->ipsec_in_secure);
1609 
1610 	if (ii->ipsec_in_action != NULL) {
1611 		/*
1612 		 * this can happen if we do a double policy-check on a packet
1613 		 * Would be nice to be able to delete this test..
1614 		 */
1615 		IPACT_REFRELE(ii->ipsec_in_action);
1616 	}
1617 	ASSERT(ii->ipsec_in_action == NULL);
1618 
1619 	if (!SA_IDS_MATCH(ii->ipsec_in_ah_sa, ii->ipsec_in_esp_sa)) {
1620 		reason = "inbound AH and ESP identities differ";
1621 		counter = &ipdrops_spd_ahesp_diffid;
1622 		goto drop;
1623 	}
1624 
1625 	if (!ipsec_check_ipsecin_unique(ii, data_mp, ipha, ip6h,
1626 	    &reason, &counter))
1627 		goto drop;
1628 
1629 	/*
1630 	 * Ok, now loop through the possible actions and see if any
1631 	 * of them work for us.
1632 	 */
1633 
1634 	for (ap = ipsp->ipsp_act; ap != NULL; ap = ap->ipa_next) {
1635 		if (ipsec_check_ipsecin_action(ii, data_mp, ap,
1636 		    ipha, ip6h, &reason, &counter)) {
1637 			BUMP_MIB(&ip_mib, ipsecInSucceeded);
1638 			IPPOL_REFRELE(ipsp);
1639 			return (first_mp);
1640 		}
1641 	}
1642 drop:
1643 	(void) mi_strlog(q, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
1644 	    "ipsec inbound policy mismatch: %s, packet dropped\n",
1645 	    reason);
1646 	IPPOL_REFRELE(ipsp);
1647 	ASSERT(ii->ipsec_in_action == NULL);
1648 	BUMP_MIB(&ip_mib, ipsecInFailed);
1649 	ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter, &spd_dropper);
1650 	return (NULL);
1651 }
1652 
1653 /*
1654  * sleazy prefix-length-based compare.
1655  * another inlining candidate..
1656  */
1657 static boolean_t
1658 ip_addr_match(uint8_t *addr1, int pfxlen, in6_addr_t *addr2p)
1659 {
1660 	int offset = pfxlen>>3;
1661 	int bitsleft = pfxlen & 7;
1662 	uint8_t *addr2 = (uint8_t *)addr2p;
1663 
1664 	/*
1665 	 * and there was much evil..
1666 	 * XXX should inline-expand the bcmp here and do this 32 bits
1667 	 * or 64 bits at a time..
1668 	 */
1669 	return ((bcmp(addr1, addr2, offset) == 0) &&
1670 	    ((bitsleft == 0) ||
1671 		(((addr1[offset] ^ addr2[offset]) &
1672 		    (0xff<<(8-bitsleft))) == 0)));
1673 }
1674 
1675 static ipsec_policy_t *
1676 ipsec_find_policy_chain(ipsec_policy_t *best, ipsec_policy_t *chain,
1677     ipsec_selector_t *sel, boolean_t is_icmp_inv_acq)
1678 {
1679 	ipsec_selkey_t *isel;
1680 	ipsec_policy_t *p;
1681 	int bpri = best ? best->ipsp_prio : 0;
1682 
1683 	for (p = chain; p != NULL; p = p->ipsp_hash.hash_next) {
1684 		uint32_t valid;
1685 
1686 		if (p->ipsp_prio <= bpri)
1687 			continue;
1688 		isel = &p->ipsp_sel->ipsl_key;
1689 		valid = isel->ipsl_valid;
1690 
1691 		if ((valid & IPSL_PROTOCOL) &&
1692 		    (isel->ipsl_proto != sel->ips_protocol))
1693 			continue;
1694 
1695 		if ((valid & IPSL_REMOTE_ADDR) &&
1696 		    !ip_addr_match((uint8_t *)&isel->ipsl_remote,
1697 			isel->ipsl_remote_pfxlen,
1698 			&sel->ips_remote_addr_v6))
1699 			continue;
1700 
1701 		if ((valid & IPSL_LOCAL_ADDR) &&
1702 		    !ip_addr_match((uint8_t *)&isel->ipsl_local,
1703 			isel->ipsl_local_pfxlen,
1704 			&sel->ips_local_addr_v6))
1705 			continue;
1706 
1707 		if ((valid & IPSL_REMOTE_PORT) &&
1708 		    isel->ipsl_rport != sel->ips_remote_port)
1709 			continue;
1710 
1711 		if ((valid & IPSL_LOCAL_PORT) &&
1712 		    isel->ipsl_lport != sel->ips_local_port)
1713 			continue;
1714 
1715 		if (!is_icmp_inv_acq) {
1716 			if ((valid & IPSL_ICMP_TYPE) &&
1717 			    (isel->ipsl_icmp_type > sel->ips_icmp_type ||
1718 			    isel->ipsl_icmp_type_end < sel->ips_icmp_type)) {
1719 				continue;
1720 			}
1721 
1722 			if ((valid & IPSL_ICMP_CODE) &&
1723 			    (isel->ipsl_icmp_code > sel->ips_icmp_code ||
1724 			    isel->ipsl_icmp_code_end <
1725 			    sel->ips_icmp_code)) {
1726 				continue;
1727 			}
1728 		} else {
1729 			/*
1730 			 * special case for icmp inverse acquire
1731 			 * we only want policies that aren't drop/pass
1732 			 */
1733 			if (p->ipsp_act->ipa_act.ipa_type != IPSEC_ACT_APPLY)
1734 				continue;
1735 		}
1736 
1737 		/* we matched all the packet-port-field selectors! */
1738 		best = p;
1739 		bpri = p->ipsp_prio;
1740 	}
1741 
1742 	return (best);
1743 }
1744 
1745 /*
1746  * Try to find and return the best policy entry under a given policy
1747  * root for a given set of selectors; the first parameter "best" is
1748  * the current best policy so far.  If "best" is non-null, we have a
1749  * reference to it.  We return a reference to a policy; if that policy
1750  * is not the original "best", we need to release that reference
1751  * before returning.
1752  */
1753 static ipsec_policy_t *
1754 ipsec_find_policy_head(ipsec_policy_t *best,
1755     ipsec_policy_head_t *head, int direction, ipsec_selector_t *sel,
1756     int selhash)
1757 {
1758 	ipsec_policy_t *curbest;
1759 	ipsec_policy_root_t *root;
1760 	uint8_t is_icmp_inv_acq = sel->ips_is_icmp_inv_acq;
1761 	int af = sel->ips_isv4 ? IPSEC_AF_V4 : IPSEC_AF_V6;
1762 
1763 	curbest = best;
1764 	root = &head->iph_root[direction];
1765 
1766 #ifdef DEBUG
1767 	if (is_icmp_inv_acq) {
1768 		if (sel->ips_isv4) {
1769 			if (sel->ips_protocol != IPPROTO_ICMP) {
1770 			    cmn_err(CE_WARN, "ipsec_find_policy_head:"
1771 			    " expecting icmp, got %d", sel->ips_protocol);
1772 			}
1773 		} else {
1774 			if (sel->ips_protocol != IPPROTO_ICMPV6) {
1775 				cmn_err(CE_WARN, "ipsec_find_policy_head:"
1776 				" expecting icmpv6, got %d", sel->ips_protocol);
1777 			}
1778 		}
1779 	}
1780 #endif
1781 
1782 	rw_enter(&head->iph_lock, RW_READER);
1783 
1784 	if (root->ipr_nchains > 0) {
1785 		curbest = ipsec_find_policy_chain(curbest,
1786 		    root->ipr_hash[selhash].hash_head, sel, is_icmp_inv_acq);
1787 	}
1788 	curbest = ipsec_find_policy_chain(curbest, root->ipr_nonhash[af], sel,
1789 	    is_icmp_inv_acq);
1790 
1791 	/*
1792 	 * Adjust reference counts if we found anything new.
1793 	 */
1794 	if (curbest != best) {
1795 		ASSERT(curbest != NULL);
1796 		IPPOL_REFHOLD(curbest);
1797 
1798 		if (best != NULL) {
1799 			IPPOL_REFRELE(best);
1800 		}
1801 	}
1802 
1803 	rw_exit(&head->iph_lock);
1804 
1805 	return (curbest);
1806 }
1807 
1808 /*
1809  * Find the best system policy (either global or per-interface) which
1810  * applies to the given selector; look in all the relevant policy roots
1811  * to figure out which policy wins.
1812  *
1813  * Returns a reference to a policy; caller must release this
1814  * reference when done.
1815  */
1816 ipsec_policy_t *
1817 ipsec_find_policy(int direction, conn_t *connp, ipsec_out_t *io,
1818     ipsec_selector_t *sel)
1819 {
1820 	ipsec_policy_t *p;
1821 	int selhash = selector_hash(sel);
1822 
1823 	p = ipsec_find_policy_head(NULL, &system_policy, direction, sel,
1824 	    selhash);
1825 	if ((connp != NULL) && (connp->conn_policy != NULL)) {
1826 		p = ipsec_find_policy_head(p, connp->conn_policy,
1827 		    direction, sel, selhash);
1828 	} else if ((io != NULL) && (io->ipsec_out_polhead != NULL)) {
1829 		p = ipsec_find_policy_head(p, io->ipsec_out_polhead,
1830 		    direction, sel, selhash);
1831 	}
1832 
1833 	return (p);
1834 }
1835 
1836 /*
1837  * Check with global policy and see whether this inbound
1838  * packet meets the policy constraints.
1839  *
1840  * Locate appropriate policy from global policy, supplemented by the
1841  * conn's configured and/or cached policy if the conn is supplied.
1842  *
1843  * Dispatch to ipsec_check_ipsecin_policy if we have policy and an
1844  * encrypted packet to see if they match.
1845  *
1846  * Otherwise, see if the policy allows cleartext; if not, drop it on the
1847  * floor.
1848  */
1849 mblk_t *
1850 ipsec_check_global_policy(mblk_t *first_mp, conn_t *connp,
1851     ipha_t *ipha, ip6_t *ip6h, boolean_t mctl_present)
1852 {
1853 	ipsec_policy_t *p;
1854 	ipsec_selector_t sel;
1855 	queue_t *q = NULL;
1856 	mblk_t *data_mp, *ipsec_mp;
1857 	boolean_t policy_present;
1858 	kstat_named_t *counter;
1859 	ipsec_in_t *ii = NULL;
1860 
1861 	data_mp = mctl_present ? first_mp->b_cont : first_mp;
1862 	ipsec_mp = mctl_present ? first_mp : NULL;
1863 
1864 	sel.ips_is_icmp_inv_acq = 0;
1865 
1866 	ASSERT((ipha == NULL && ip6h != NULL) ||
1867 	    (ip6h == NULL && ipha != NULL));
1868 
1869 	if (ipha != NULL)
1870 		policy_present = ipsec_inbound_v4_policy_present;
1871 	else
1872 		policy_present = ipsec_inbound_v6_policy_present;
1873 
1874 	if (!policy_present && connp == NULL) {
1875 		/*
1876 		 * No global policy and no per-socket policy;
1877 		 * just pass it back (but we shouldn't get here in that case)
1878 		 */
1879 		return (first_mp);
1880 	}
1881 
1882 	if (connp != NULL)
1883 		q = CONNP_TO_WQ(connp);
1884 
1885 	if (ipsec_mp != NULL) {
1886 		ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
1887 		ii = (ipsec_in_t *)(ipsec_mp->b_rptr);
1888 		ASSERT(ii->ipsec_in_type == IPSEC_IN);
1889 	}
1890 
1891 	/*
1892 	 * If we have cached policy, use it.
1893 	 * Otherwise consult system policy.
1894 	 */
1895 	if ((connp != NULL) && (connp->conn_latch != NULL)) {
1896 		p = connp->conn_latch->ipl_in_policy;
1897 		if (p != NULL) {
1898 			IPPOL_REFHOLD(p);
1899 		}
1900 	} else {
1901 		/* Initialize the ports in the selector */
1902 		if (!ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h)) {
1903 			/*
1904 			 * Technically not a policy mismatch, but it is
1905 			 * an internal failure.
1906 			 */
1907 			ipsec_log_policy_failure(q, IPSEC_POLICY_MISMATCH,
1908 			    "ipsec_init_inbound_sel", ipha, ip6h, B_FALSE);
1909 			counter = &ipdrops_spd_nomem;
1910 			goto fail;
1911 		}
1912 
1913 		/*
1914 		 * Find the policy which best applies.
1915 		 *
1916 		 * If we find global policy, we should look at both
1917 		 * local policy and global policy and see which is
1918 		 * stronger and match accordingly.
1919 		 *
1920 		 * If we don't find a global policy, check with
1921 		 * local policy alone.
1922 		 */
1923 
1924 		p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, NULL, &sel);
1925 	}
1926 
1927 	if (p == NULL) {
1928 		if (ipsec_mp == NULL) {
1929 			/*
1930 			 * We have no policy; default to succeeding.
1931 			 * XXX paranoid system design doesn't do this.
1932 			 */
1933 			BUMP_MIB(&ip_mib, ipsecInSucceeded);
1934 			return (first_mp);
1935 		} else {
1936 			counter = &ipdrops_spd_got_secure;
1937 			ipsec_log_policy_failure(q, IPSEC_POLICY_NOT_NEEDED,
1938 			    "ipsec_check_global_policy", ipha, ip6h, B_TRUE);
1939 			goto fail;
1940 		}
1941 	}
1942 	if ((ii != NULL) && (ii->ipsec_in_secure))
1943 		return (ipsec_check_ipsecin_policy(q, ipsec_mp, p, ipha, ip6h));
1944 	if (p->ipsp_act->ipa_allow_clear) {
1945 		BUMP_MIB(&ip_mib, ipsecInSucceeded);
1946 		IPPOL_REFRELE(p);
1947 		return (first_mp);
1948 	}
1949 	IPPOL_REFRELE(p);
1950 	/*
1951 	 * If we reach here, we will drop the packet because it failed the
1952 	 * global policy check because the packet was cleartext, and it
1953 	 * should not have been.
1954 	 */
1955 	ipsec_log_policy_failure(q, IPSEC_POLICY_MISMATCH,
1956 	    "ipsec_check_global_policy", ipha, ip6h, B_FALSE);
1957 	counter = &ipdrops_spd_got_clear;
1958 
1959 fail:
1960 	ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter, &spd_dropper);
1961 	BUMP_MIB(&ip_mib, ipsecInFailed);
1962 	return (NULL);
1963 }
1964 
1965 /*
1966  * We check whether an inbound datagram is a valid one
1967  * to accept in clear. If it is secure, it is the job
1968  * of IPSEC to log information appropriately if it
1969  * suspects that it may not be the real one.
1970  *
1971  * It is called only while fanning out to the ULP
1972  * where ULP accepts only secure data and the incoming
1973  * is clear. Usually we never accept clear datagrams in
1974  * such cases. ICMP is the only exception.
1975  *
1976  * NOTE : We don't call this function if the client (ULP)
1977  * is willing to accept things in clear.
1978  */
1979 boolean_t
1980 ipsec_inbound_accept_clear(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h)
1981 {
1982 	ushort_t iph_hdr_length;
1983 	icmph_t *icmph;
1984 	icmp6_t *icmp6;
1985 	uint8_t *nexthdrp;
1986 
1987 	ASSERT((ipha != NULL && ip6h == NULL) ||
1988 	    (ipha == NULL && ip6h != NULL));
1989 
1990 	if (ip6h != NULL) {
1991 		iph_hdr_length = ip_hdr_length_v6(mp, ip6h);
1992 		if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length,
1993 		    &nexthdrp)) {
1994 			return (B_FALSE);
1995 		}
1996 		if (*nexthdrp != IPPROTO_ICMPV6)
1997 			return (B_FALSE);
1998 		icmp6 = (icmp6_t *)(&mp->b_rptr[iph_hdr_length]);
1999 		/* Match IPv6 ICMP policy as closely as IPv4 as possible. */
2000 		switch (icmp6->icmp6_type) {
2001 		case ICMP6_PARAM_PROB:
2002 			/* Corresponds to port/proto unreach in IPv4. */
2003 		case ICMP6_ECHO_REQUEST:
2004 			/* Just like IPv4. */
2005 			return (B_FALSE);
2006 
2007 		case MLD_LISTENER_QUERY:
2008 		case MLD_LISTENER_REPORT:
2009 		case MLD_LISTENER_REDUCTION:
2010 			/*
2011 			 * XXX Seperate NDD in IPv4 what about here?
2012 			 * Plus, mcast is important to ND.
2013 			 */
2014 		case ICMP6_DST_UNREACH:
2015 			/* Corresponds to HOST/NET unreachable in IPv4. */
2016 		case ICMP6_PACKET_TOO_BIG:
2017 		case ICMP6_ECHO_REPLY:
2018 			/* These are trusted in IPv4. */
2019 		case ND_ROUTER_SOLICIT:
2020 		case ND_ROUTER_ADVERT:
2021 		case ND_NEIGHBOR_SOLICIT:
2022 		case ND_NEIGHBOR_ADVERT:
2023 		case ND_REDIRECT:
2024 			/* Trust ND messages for now. */
2025 		case ICMP6_TIME_EXCEEDED:
2026 		default:
2027 			return (B_TRUE);
2028 		}
2029 	} else {
2030 		/*
2031 		 * If it is not ICMP, fail this request.
2032 		 */
2033 		if (ipha->ipha_protocol != IPPROTO_ICMP)
2034 			return (B_FALSE);
2035 		iph_hdr_length = IPH_HDR_LENGTH(ipha);
2036 		icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
2037 		/*
2038 		 * It is an insecure icmp message. Check to see whether we are
2039 		 * willing to accept this one.
2040 		 */
2041 
2042 		switch (icmph->icmph_type) {
2043 		case ICMP_ECHO_REPLY:
2044 		case ICMP_TIME_STAMP_REPLY:
2045 		case ICMP_INFO_REPLY:
2046 		case ICMP_ROUTER_ADVERTISEMENT:
2047 			/*
2048 			 * We should not encourage clear replies if this
2049 			 * client expects secure. If somebody is replying
2050 			 * in clear some mailicious user watching both the
2051 			 * request and reply, can do chosen-plain-text attacks.
2052 			 * With global policy we might be just expecting secure
2053 			 * but sending out clear. We don't know what the right
2054 			 * thing is. We can't do much here as we can't control
2055 			 * the sender here. Till we are sure of what to do,
2056 			 * accept them.
2057 			 */
2058 			return (B_TRUE);
2059 		case ICMP_ECHO_REQUEST:
2060 		case ICMP_TIME_STAMP_REQUEST:
2061 		case ICMP_INFO_REQUEST:
2062 		case ICMP_ADDRESS_MASK_REQUEST:
2063 		case ICMP_ROUTER_SOLICITATION:
2064 		case ICMP_ADDRESS_MASK_REPLY:
2065 			/*
2066 			 * Don't accept this as somebody could be sending
2067 			 * us plain text to get encrypted data. If we reply,
2068 			 * it will lead to chosen plain text attack.
2069 			 */
2070 			return (B_FALSE);
2071 		case ICMP_DEST_UNREACHABLE:
2072 			switch (icmph->icmph_code) {
2073 			case ICMP_FRAGMENTATION_NEEDED:
2074 				/*
2075 				 * Be in sync with icmp_inbound, where we have
2076 				 * already set ire_max_frag.
2077 				 */
2078 				return (B_TRUE);
2079 			case ICMP_HOST_UNREACHABLE:
2080 			case ICMP_NET_UNREACHABLE:
2081 				/*
2082 				 * By accepting, we could reset a connection.
2083 				 * How do we solve the problem of some
2084 				 * intermediate router sending in-secure ICMP
2085 				 * messages ?
2086 				 */
2087 				return (B_TRUE);
2088 			case ICMP_PORT_UNREACHABLE:
2089 			case ICMP_PROTOCOL_UNREACHABLE:
2090 			default :
2091 				return (B_FALSE);
2092 			}
2093 		case ICMP_SOURCE_QUENCH:
2094 			/*
2095 			 * If this is an attack, TCP will slow start
2096 			 * because of this. Is it very harmful ?
2097 			 */
2098 			return (B_TRUE);
2099 		case ICMP_PARAM_PROBLEM:
2100 			return (B_FALSE);
2101 		case ICMP_TIME_EXCEEDED:
2102 			return (B_TRUE);
2103 		case ICMP_REDIRECT:
2104 			return (B_FALSE);
2105 		default :
2106 			return (B_FALSE);
2107 		}
2108 	}
2109 }
2110 
2111 void
2112 ipsec_latch_ids(ipsec_latch_t *ipl, ipsid_t *local, ipsid_t *remote)
2113 {
2114 	mutex_enter(&ipl->ipl_lock);
2115 
2116 	if (ipl->ipl_ids_latched) {
2117 		/* I lost, someone else got here before me */
2118 		mutex_exit(&ipl->ipl_lock);
2119 		return;
2120 	}
2121 
2122 	if (local != NULL)
2123 		IPSID_REFHOLD(local);
2124 	if (remote != NULL)
2125 		IPSID_REFHOLD(remote);
2126 
2127 	ipl->ipl_local_cid = local;
2128 	ipl->ipl_remote_cid = remote;
2129 	ipl->ipl_ids_latched = B_TRUE;
2130 	mutex_exit(&ipl->ipl_lock);
2131 }
2132 
2133 void
2134 ipsec_latch_inbound(ipsec_latch_t *ipl, ipsec_in_t *ii)
2135 {
2136 	ipsa_t *sa;
2137 
2138 	if (!ipl->ipl_ids_latched) {
2139 		ipsid_t *local = NULL;
2140 		ipsid_t *remote = NULL;
2141 
2142 		if (!ii->ipsec_in_loopback) {
2143 			if (ii->ipsec_in_esp_sa != NULL)
2144 				sa = ii->ipsec_in_esp_sa;
2145 			else
2146 				sa = ii->ipsec_in_ah_sa;
2147 			ASSERT(sa != NULL);
2148 			local = sa->ipsa_dst_cid;
2149 			remote = sa->ipsa_src_cid;
2150 		}
2151 		ipsec_latch_ids(ipl, local, remote);
2152 	}
2153 	ipl->ipl_in_action = ii->ipsec_in_action;
2154 	IPACT_REFHOLD(ipl->ipl_in_action);
2155 }
2156 
2157 /*
2158  * Check whether the policy constraints are met either for an
2159  * inbound datagram; called from IP in numerous places.
2160  *
2161  * Note that this is not a chokepoint for inbound policy checks;
2162  * see also ipsec_check_ipsecin_latch() and ipsec_check_global_policy()
2163  */
2164 mblk_t *
2165 ipsec_check_inbound_policy(mblk_t *first_mp, conn_t *connp,
2166     ipha_t *ipha, ip6_t *ip6h, boolean_t mctl_present)
2167 {
2168 	ipsec_in_t *ii;
2169 	boolean_t ret;
2170 	mblk_t *mp = mctl_present ? first_mp->b_cont : first_mp;
2171 	mblk_t *ipsec_mp = mctl_present ? first_mp : NULL;
2172 	ipsec_latch_t *ipl;
2173 
2174 	ASSERT(connp != NULL);
2175 	ipl = connp->conn_latch;
2176 
2177 	if (ipsec_mp == NULL) {
2178 clear:
2179 		/*
2180 		 * This is the case where the incoming datagram is
2181 		 * cleartext and we need to see whether this client
2182 		 * would like to receive such untrustworthy things from
2183 		 * the wire.
2184 		 */
2185 		ASSERT(mp != NULL);
2186 
2187 		if (ipl != NULL) {
2188 			/*
2189 			 * Policy is cached in the conn.
2190 			 */
2191 			if ((ipl->ipl_in_policy != NULL) &&
2192 			    (!ipl->ipl_in_policy->ipsp_act->ipa_allow_clear)) {
2193 				ret = ipsec_inbound_accept_clear(mp,
2194 				    ipha, ip6h);
2195 				if (ret) {
2196 					BUMP_MIB(&ip_mib, ipsecInSucceeded);
2197 					return (first_mp);
2198 				} else {
2199 					ip_drop_packet(first_mp, B_TRUE, NULL,
2200 					    NULL, &ipdrops_spd_got_clear,
2201 					    &spd_dropper);
2202 					ipsec_log_policy_failure(
2203 					    CONNP_TO_WQ(connp),
2204 					    IPSEC_POLICY_MISMATCH,
2205 					    "ipsec_check_inbound_policy", ipha,
2206 					    ip6h, B_FALSE);
2207 					BUMP_MIB(&ip_mib, ipsecInFailed);
2208 					return (NULL);
2209 				}
2210 			} else {
2211 				BUMP_MIB(&ip_mib, ipsecInSucceeded);
2212 				return (first_mp);
2213 			}
2214 		} else {
2215 			/*
2216 			 * As this is a non-hardbound connection we need
2217 			 * to look at both per-socket policy and global
2218 			 * policy. As this is cleartext, mark the mp as
2219 			 * M_DATA in case if it is an ICMP error being
2220 			 * reported before calling ipsec_check_global_policy
2221 			 * so that it does not mistake it for IPSEC_IN.
2222 			 */
2223 			uchar_t db_type = mp->b_datap->db_type;
2224 			mp->b_datap->db_type = M_DATA;
2225 			first_mp = ipsec_check_global_policy(first_mp, connp,
2226 			    ipha, ip6h, mctl_present);
2227 			if (first_mp != NULL)
2228 				mp->b_datap->db_type = db_type;
2229 			return (first_mp);
2230 		}
2231 	}
2232 	/*
2233 	 * If it is inbound check whether the attached message
2234 	 * is secure or not. We have a special case for ICMP,
2235 	 * where we have a IPSEC_IN message and the attached
2236 	 * message is not secure. See icmp_inbound_error_fanout
2237 	 * for details.
2238 	 */
2239 	ASSERT(ipsec_mp != NULL);
2240 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
2241 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
2242 
2243 	if (!ii->ipsec_in_secure)
2244 		goto clear;
2245 
2246 	/*
2247 	 * mp->b_cont could be either a M_CTL message
2248 	 * for icmp errors being sent up or a M_DATA message.
2249 	 */
2250 	ASSERT(mp->b_datap->db_type == M_CTL ||
2251 	    mp->b_datap->db_type == M_DATA);
2252 
2253 	ASSERT(ii->ipsec_in_type == IPSEC_IN);
2254 
2255 	if (ipl == NULL) {
2256 		/*
2257 		 * We don't have policies cached in the conn
2258 		 * for this stream. So, look at the global
2259 		 * policy. It will check against conn or global
2260 		 * depending on whichever is stronger.
2261 		 */
2262 		return (ipsec_check_global_policy(first_mp, connp,
2263 		    ipha, ip6h, mctl_present));
2264 	}
2265 
2266 	if (ipl->ipl_in_action != NULL) {
2267 		/* Policy is cached & latched; fast(er) path */
2268 		const char *reason;
2269 		kstat_named_t *counter;
2270 		if (ipsec_check_ipsecin_latch(ii, mp, ipl,
2271 		    ipha, ip6h, &reason, &counter)) {
2272 			BUMP_MIB(&ip_mib, ipsecInSucceeded);
2273 			return (first_mp);
2274 		}
2275 		(void) mi_strlog(CONNP_TO_WQ(connp), 0,
2276 		    SL_ERROR|SL_WARN|SL_CONSOLE,
2277 		    "ipsec inbound policy mismatch: %s, packet dropped\n",
2278 		    reason);
2279 		ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter,
2280 		    &spd_dropper);
2281 		BUMP_MIB(&ip_mib, ipsecInFailed);
2282 		return (NULL);
2283 	} else if (ipl->ipl_in_policy == NULL) {
2284 		ipsec_weird_null_inbound_policy++;
2285 		return (first_mp);
2286 	}
2287 
2288 	IPPOL_REFHOLD(ipl->ipl_in_policy);
2289 	first_mp = ipsec_check_ipsecin_policy(CONNP_TO_WQ(connp), first_mp,
2290 	    ipl->ipl_in_policy, ipha, ip6h);
2291 	/*
2292 	 * NOTE: ipsecIn{Failed,Succeeeded} bumped by
2293 	 * ipsec_check_ipsecin_policy().
2294 	 */
2295 	if (first_mp != NULL)
2296 		ipsec_latch_inbound(ipl, ii);
2297 	return (first_mp);
2298 }
2299 
2300 boolean_t
2301 ipsec_init_inbound_sel(ipsec_selector_t *sel, mblk_t *mp,
2302     ipha_t *ipha, ip6_t *ip6h)
2303 {
2304 	uint16_t *ports;
2305 	ushort_t hdr_len;
2306 	mblk_t *spare_mp = NULL;
2307 	uint8_t *nexthdrp;
2308 	uint8_t nexthdr;
2309 	uint8_t *typecode;
2310 	uint8_t check_proto;
2311 
2312 	ASSERT((ipha == NULL && ip6h != NULL) ||
2313 	    (ipha != NULL && ip6h == NULL));
2314 
2315 	if (ip6h != NULL) {
2316 		check_proto = IPPROTO_ICMPV6;
2317 		sel->ips_isv4 = B_FALSE;
2318 		sel->ips_local_addr_v6 = ip6h->ip6_dst;
2319 		sel->ips_remote_addr_v6 = ip6h->ip6_src;
2320 
2321 		nexthdr = ip6h->ip6_nxt;
2322 		switch (nexthdr) {
2323 		case IPPROTO_HOPOPTS:
2324 		case IPPROTO_ROUTING:
2325 		case IPPROTO_DSTOPTS:
2326 			/*
2327 			 * Use ip_hdr_length_nexthdr_v6().  And have a spare
2328 			 * mblk that's contiguous to feed it
2329 			 */
2330 			if ((spare_mp = msgpullup(mp, -1)) == NULL)
2331 				return (B_FALSE);
2332 			if (!ip_hdr_length_nexthdr_v6(spare_mp,
2333 			    (ip6_t *)spare_mp->b_rptr, &hdr_len, &nexthdrp)) {
2334 				/* Malformed packet - XXX ip_drop_packet()? */
2335 				freemsg(spare_mp);
2336 				return (B_FALSE);
2337 			}
2338 			nexthdr = *nexthdrp;
2339 			/* We can just extract based on hdr_len now. */
2340 			break;
2341 		default:
2342 			hdr_len = IPV6_HDR_LEN;
2343 			break;
2344 		}
2345 	} else {
2346 		check_proto = IPPROTO_ICMP;
2347 		sel->ips_isv4 = B_TRUE;
2348 		sel->ips_local_addr_v4 = ipha->ipha_dst;
2349 		sel->ips_remote_addr_v4 = ipha->ipha_src;
2350 		nexthdr = ipha->ipha_protocol;
2351 		hdr_len = IPH_HDR_LENGTH(ipha);
2352 	}
2353 	sel->ips_protocol = nexthdr;
2354 
2355 	if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
2356 	    nexthdr != IPPROTO_SCTP && nexthdr != check_proto) {
2357 		sel->ips_remote_port = sel->ips_local_port = 0;
2358 		freemsg(spare_mp);	/* Always works, even if NULL. */
2359 		return (B_TRUE);
2360 	}
2361 
2362 	if (&mp->b_rptr[hdr_len] + 4 > mp->b_wptr) {
2363 		/* If we didn't pullup a copy already, do so now. */
2364 		/*
2365 		 * XXX performance, will upper-layers frequently split TCP/UDP
2366 		 * apart from IP or options?  If so, perhaps we should revisit
2367 		 * the spare_mp strategy.
2368 		 */
2369 		ipsec_hdr_pullup_needed++;
2370 		if (spare_mp == NULL &&
2371 		    (spare_mp = msgpullup(mp, -1)) == NULL) {
2372 			return (B_FALSE);
2373 		}
2374 		ports = (uint16_t *)&spare_mp->b_rptr[hdr_len];
2375 	} else {
2376 		ports = (uint16_t *)&mp->b_rptr[hdr_len];
2377 	}
2378 
2379 	if (nexthdr == check_proto) {
2380 		typecode = (uint8_t *)ports;
2381 		sel->ips_icmp_type = *typecode++;
2382 		sel->ips_icmp_code = *typecode;
2383 		sel->ips_remote_port = sel->ips_local_port = 0;
2384 		freemsg(spare_mp);	/* Always works, even if NULL */
2385 		return (B_TRUE);
2386 	}
2387 
2388 	sel->ips_remote_port = *ports++;
2389 	sel->ips_local_port = *ports;
2390 	freemsg(spare_mp);	/* Always works, even if NULL */
2391 	return (B_TRUE);
2392 }
2393 
2394 static boolean_t
2395 ipsec_init_outbound_ports(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
2396     ip6_t *ip6h)
2397 {
2398 	/*
2399 	 * XXX cut&paste shared with ipsec_init_inbound_sel
2400 	 */
2401 	uint16_t *ports;
2402 	ushort_t hdr_len;
2403 	mblk_t *spare_mp = NULL;
2404 	uint8_t *nexthdrp;
2405 	uint8_t nexthdr;
2406 	uint8_t *typecode;
2407 	uint8_t check_proto;
2408 
2409 	ASSERT((ipha == NULL && ip6h != NULL) ||
2410 	    (ipha != NULL && ip6h == NULL));
2411 
2412 	if (ip6h != NULL) {
2413 		check_proto = IPPROTO_ICMPV6;
2414 		nexthdr = ip6h->ip6_nxt;
2415 		switch (nexthdr) {
2416 		case IPPROTO_HOPOPTS:
2417 		case IPPROTO_ROUTING:
2418 		case IPPROTO_DSTOPTS:
2419 			/*
2420 			 * Use ip_hdr_length_nexthdr_v6().  And have a spare
2421 			 * mblk that's contiguous to feed it
2422 			 */
2423 			spare_mp = msgpullup(mp, -1);
2424 			if (spare_mp == NULL ||
2425 			    !ip_hdr_length_nexthdr_v6(spare_mp,
2426 				(ip6_t *)spare_mp->b_rptr, &hdr_len,
2427 				&nexthdrp)) {
2428 				/* Always works, even if NULL. */
2429 				freemsg(spare_mp);
2430 				freemsg(mp);
2431 				return (B_FALSE);
2432 			} else {
2433 				nexthdr = *nexthdrp;
2434 				/* We can just extract based on hdr_len now. */
2435 			}
2436 			break;
2437 		default:
2438 			hdr_len = IPV6_HDR_LEN;
2439 			break;
2440 		}
2441 	} else {
2442 		check_proto = IPPROTO_ICMP;
2443 		hdr_len = IPH_HDR_LENGTH(ipha);
2444 		nexthdr = ipha->ipha_protocol;
2445 	}
2446 
2447 	sel->ips_protocol = nexthdr;
2448 	if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
2449 	    nexthdr != IPPROTO_SCTP && nexthdr != check_proto) {
2450 		sel->ips_local_port = sel->ips_remote_port = 0;
2451 		freemsg(spare_mp);  /* Always works, even if NULL. */
2452 		return (B_TRUE);
2453 	}
2454 
2455 	if (&mp->b_rptr[hdr_len] + 4 > mp->b_wptr) {
2456 		/* If we didn't pullup a copy already, do so now. */
2457 		/*
2458 		 * XXX performance, will upper-layers frequently split TCP/UDP
2459 		 * apart from IP or options?  If so, perhaps we should revisit
2460 		 * the spare_mp strategy.
2461 		 *
2462 		 * XXX should this be msgpullup(mp, hdr_len+4) ???
2463 		 */
2464 		if (spare_mp == NULL &&
2465 		    (spare_mp = msgpullup(mp, -1)) == NULL) {
2466 			freemsg(mp);
2467 			return (B_FALSE);
2468 		}
2469 		ports = (uint16_t *)&spare_mp->b_rptr[hdr_len];
2470 	} else {
2471 		ports = (uint16_t *)&mp->b_rptr[hdr_len];
2472 	}
2473 
2474 	if (nexthdr == check_proto) {
2475 		typecode = (uint8_t *)ports;
2476 		sel->ips_icmp_type = *typecode++;
2477 		sel->ips_icmp_code = *typecode;
2478 		sel->ips_remote_port = sel->ips_local_port = 0;
2479 		freemsg(spare_mp);	/* Always works, even if NULL */
2480 		return (B_TRUE);
2481 	}
2482 
2483 	sel->ips_local_port = *ports++;
2484 	sel->ips_remote_port = *ports;
2485 	freemsg(spare_mp);	/* Always works, even if NULL */
2486 	return (B_TRUE);
2487 }
2488 
2489 /*
2490  * Create an ipsec_action_t based on the way an inbound packet was protected.
2491  * Used to reflect traffic back to a sender.
2492  *
2493  * We don't bother interning the action into the hash table.
2494  */
2495 ipsec_action_t *
2496 ipsec_in_to_out_action(ipsec_in_t *ii)
2497 {
2498 	ipsa_t *ah_assoc, *esp_assoc;
2499 	uint_t auth_alg = 0, encr_alg = 0, espa_alg = 0;
2500 	ipsec_action_t *ap;
2501 	boolean_t unique;
2502 
2503 	ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);
2504 
2505 	if (ap == NULL)
2506 		return (NULL);
2507 
2508 	bzero(ap, sizeof (*ap));
2509 	HASH_NULL(ap, ipa_hash);
2510 	ap->ipa_next = NULL;
2511 	ap->ipa_refs = 1;
2512 
2513 	/*
2514 	 * Get the algorithms that were used for this packet.
2515 	 */
2516 	ap->ipa_act.ipa_type = IPSEC_ACT_APPLY;
2517 	ap->ipa_act.ipa_log = 0;
2518 	ah_assoc = ii->ipsec_in_ah_sa;
2519 	ap->ipa_act.ipa_apply.ipp_use_ah = (ah_assoc != NULL);
2520 
2521 	esp_assoc = ii->ipsec_in_esp_sa;
2522 	ap->ipa_act.ipa_apply.ipp_use_esp = (esp_assoc != NULL);
2523 
2524 	if (esp_assoc != NULL) {
2525 		encr_alg = esp_assoc->ipsa_encr_alg;
2526 		espa_alg = esp_assoc->ipsa_auth_alg;
2527 		ap->ipa_act.ipa_apply.ipp_use_espa = (espa_alg != 0);
2528 	}
2529 	if (ah_assoc != NULL)
2530 		auth_alg = ah_assoc->ipsa_auth_alg;
2531 
2532 	ap->ipa_act.ipa_apply.ipp_encr_alg = (uint8_t)encr_alg;
2533 	ap->ipa_act.ipa_apply.ipp_auth_alg = (uint8_t)auth_alg;
2534 	ap->ipa_act.ipa_apply.ipp_esp_auth_alg = (uint8_t)espa_alg;
2535 	ap->ipa_act.ipa_apply.ipp_use_se = ii->ipsec_in_decaps;
2536 	unique = B_FALSE;
2537 
2538 	if (esp_assoc != NULL) {
2539 		ap->ipa_act.ipa_apply.ipp_espa_minbits =
2540 		    esp_assoc->ipsa_authkeybits;
2541 		ap->ipa_act.ipa_apply.ipp_espa_maxbits =
2542 		    esp_assoc->ipsa_authkeybits;
2543 		ap->ipa_act.ipa_apply.ipp_espe_minbits =
2544 		    esp_assoc->ipsa_encrkeybits;
2545 		ap->ipa_act.ipa_apply.ipp_espe_maxbits =
2546 		    esp_assoc->ipsa_encrkeybits;
2547 		ap->ipa_act.ipa_apply.ipp_km_proto = esp_assoc->ipsa_kmp;
2548 		ap->ipa_act.ipa_apply.ipp_km_cookie = esp_assoc->ipsa_kmc;
2549 		if (esp_assoc->ipsa_flags & IPSA_F_UNIQUE)
2550 			unique = B_TRUE;
2551 	}
2552 	if (ah_assoc != NULL) {
2553 		ap->ipa_act.ipa_apply.ipp_ah_minbits =
2554 		    ah_assoc->ipsa_authkeybits;
2555 		ap->ipa_act.ipa_apply.ipp_ah_maxbits =
2556 		    ah_assoc->ipsa_authkeybits;
2557 		ap->ipa_act.ipa_apply.ipp_km_proto = ah_assoc->ipsa_kmp;
2558 		ap->ipa_act.ipa_apply.ipp_km_cookie = ah_assoc->ipsa_kmc;
2559 		if (ah_assoc->ipsa_flags & IPSA_F_UNIQUE)
2560 			unique = B_TRUE;
2561 	}
2562 	ap->ipa_act.ipa_apply.ipp_use_unique = unique;
2563 	ap->ipa_want_unique = unique;
2564 	ap->ipa_allow_clear = B_FALSE;
2565 	ap->ipa_want_se = ii->ipsec_in_decaps;
2566 	ap->ipa_want_ah = (ah_assoc != NULL);
2567 	ap->ipa_want_esp = (esp_assoc != NULL);
2568 
2569 	ap->ipa_ovhd = ipsec_act_ovhd(&ap->ipa_act);
2570 
2571 	ap->ipa_act.ipa_apply.ipp_replay_depth = 0; /* don't care */
2572 
2573 	return (ap);
2574 }
2575 
2576 
2577 /*
2578  * Compute the worst-case amount of extra space required by an action.
2579  * Note that, because of the ESP considerations listed below, this is
2580  * actually not the same as the best-case reduction in the MTU; in the
2581  * future, we should pass additional information to this function to
2582  * allow the actual MTU impact to be computed.
2583  *
2584  * AH: Revisit this if we implement algorithms with
2585  * a verifier size of more than 12 bytes.
2586  *
2587  * ESP: A more exact but more messy computation would take into
2588  * account the interaction between the cipher block size and the
2589  * effective MTU, yielding the inner payload size which reflects a
2590  * packet with *minimum* ESP padding..
2591  */
2592 static int32_t
2593 ipsec_act_ovhd(const ipsec_act_t *act)
2594 {
2595 	int32_t overhead = 0;
2596 
2597 	if (act->ipa_type == IPSEC_ACT_APPLY) {
2598 		const ipsec_prot_t *ipp = &act->ipa_apply;
2599 
2600 		if (ipp->ipp_use_ah)
2601 			overhead += IPSEC_MAX_AH_HDR_SIZE;
2602 		if (ipp->ipp_use_esp) {
2603 			overhead += IPSEC_MAX_ESP_HDR_SIZE;
2604 			overhead += sizeof (struct udphdr);
2605 		}
2606 		if (ipp->ipp_use_se)
2607 			overhead += IP_SIMPLE_HDR_LENGTH;
2608 	}
2609 	return (overhead);
2610 }
2611 
2612 /*
2613  * This hash function is used only when creating policies and thus is not
2614  * performance-critical for packet flows.
2615  *
2616  * Future work: canonicalize the structures hashed with this (i.e.,
2617  * zeroize padding) so the hash works correctly.
2618  */
2619 /* ARGSUSED */
2620 static uint32_t
2621 policy_hash(int size, const void *start, const void *end)
2622 {
2623 	return (0);
2624 }
2625 
2626 
2627 /*
2628  * Hash function macros for each address type.
2629  *
2630  * The IPV6 hash function assumes that the low order 32-bits of the
2631  * address (typically containing the low order 24 bits of the mac
2632  * address) are reasonably well-distributed.  Revisit this if we run
2633  * into trouble from lots of collisions on ::1 addresses and the like
2634  * (seems unlikely).
2635  */
2636 #define	IPSEC_IPV4_HASH(a) ((a) % ipsec_spd_hashsize)
2637 #define	IPSEC_IPV6_HASH(a) ((a.s6_addr32[3]) % ipsec_spd_hashsize)
2638 
2639 /*
2640  * These two hash functions should produce coordinated values
2641  * but have slightly different roles.
2642  */
2643 static uint32_t
2644 selkey_hash(const ipsec_selkey_t *selkey)
2645 {
2646 	uint32_t valid = selkey->ipsl_valid;
2647 
2648 	if (!(valid & IPSL_REMOTE_ADDR))
2649 		return (IPSEC_SEL_NOHASH);
2650 
2651 	if (valid & IPSL_IPV4) {
2652 		if (selkey->ipsl_remote_pfxlen == 32)
2653 			return (IPSEC_IPV4_HASH(selkey->ipsl_remote.ipsad_v4));
2654 	}
2655 	if (valid & IPSL_IPV6) {
2656 		if (selkey->ipsl_remote_pfxlen == 128)
2657 			return (IPSEC_IPV6_HASH(selkey->ipsl_remote.ipsad_v6));
2658 	}
2659 	return (IPSEC_SEL_NOHASH);
2660 }
2661 
2662 static uint32_t
2663 selector_hash(ipsec_selector_t *sel)
2664 {
2665 	if (sel->ips_isv4) {
2666 		return (IPSEC_IPV4_HASH(sel->ips_remote_addr_v4));
2667 	}
2668 	return (IPSEC_IPV6_HASH(sel->ips_remote_addr_v6));
2669 }
2670 
2671 /*
2672  * Intern actions into the action hash table.
2673  */
2674 ipsec_action_t *
2675 ipsec_act_find(const ipsec_act_t *a, int n)
2676 {
2677 	int i;
2678 	uint32_t hval;
2679 	ipsec_action_t *ap;
2680 	ipsec_action_t *prev = NULL;
2681 	int32_t overhead, maxovhd = 0;
2682 	boolean_t allow_clear = B_FALSE;
2683 	boolean_t want_ah = B_FALSE;
2684 	boolean_t want_esp = B_FALSE;
2685 	boolean_t want_se = B_FALSE;
2686 	boolean_t want_unique = B_FALSE;
2687 
2688 	/*
2689 	 * TODO: should canonicalize a[] (i.e., zeroize any padding)
2690 	 * so we can use a non-trivial policy_hash function.
2691 	 */
2692 	for (i = n-1; i >= 0; i--) {
2693 		hval = policy_hash(IPSEC_ACTION_HASH_SIZE, &a[i], &a[n]);
2694 
2695 		HASH_LOCK(ipsec_action_hash, hval);
2696 
2697 		for (HASH_ITERATE(ap, ipa_hash, ipsec_action_hash, hval)) {
2698 			if (bcmp(&ap->ipa_act, &a[i], sizeof (*a)) != 0)
2699 				continue;
2700 			if (ap->ipa_next != prev)
2701 				continue;
2702 			break;
2703 		}
2704 		if (ap != NULL) {
2705 			HASH_UNLOCK(ipsec_action_hash, hval);
2706 			prev = ap;
2707 			continue;
2708 		}
2709 		/*
2710 		 * need to allocate a new one..
2711 		 */
2712 		ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);
2713 		if (ap == NULL) {
2714 			HASH_UNLOCK(ipsec_action_hash, hval);
2715 			if (prev != NULL)
2716 				ipsec_action_free(prev);
2717 			return (NULL);
2718 		}
2719 		HASH_INSERT(ap, ipa_hash, ipsec_action_hash, hval);
2720 
2721 		ap->ipa_next = prev;
2722 		ap->ipa_act = a[i];
2723 
2724 		overhead = ipsec_act_ovhd(&a[i]);
2725 		if (maxovhd < overhead)
2726 			maxovhd = overhead;
2727 
2728 		if ((a[i].ipa_type == IPSEC_ACT_BYPASS) ||
2729 		    (a[i].ipa_type == IPSEC_ACT_CLEAR))
2730 			allow_clear = B_TRUE;
2731 		if (a[i].ipa_type == IPSEC_ACT_APPLY) {
2732 			const ipsec_prot_t *ipp = &a[i].ipa_apply;
2733 
2734 			ASSERT(ipp->ipp_use_ah || ipp->ipp_use_esp);
2735 			want_ah |= ipp->ipp_use_ah;
2736 			want_esp |= ipp->ipp_use_esp;
2737 			want_se |= ipp->ipp_use_se;
2738 			want_unique |= ipp->ipp_use_unique;
2739 		}
2740 		ap->ipa_allow_clear = allow_clear;
2741 		ap->ipa_want_ah = want_ah;
2742 		ap->ipa_want_esp = want_esp;
2743 		ap->ipa_want_se = want_se;
2744 		ap->ipa_want_unique = want_unique;
2745 		ap->ipa_refs = 1; /* from the hash table */
2746 		ap->ipa_ovhd = maxovhd;
2747 		if (prev)
2748 			prev->ipa_refs++;
2749 		prev = ap;
2750 		HASH_UNLOCK(ipsec_action_hash, hval);
2751 	}
2752 
2753 	ap->ipa_refs++;		/* caller's reference */
2754 
2755 	return (ap);
2756 }
2757 
2758 /*
2759  * Called when refcount goes to 0, indicating that all references to this
2760  * node are gone.
2761  *
2762  * This does not unchain the action from the hash table.
2763  */
2764 void
2765 ipsec_action_free(ipsec_action_t *ap)
2766 {
2767 	for (;;) {
2768 		ipsec_action_t *np = ap->ipa_next;
2769 		ASSERT(ap->ipa_refs == 0);
2770 		ASSERT(ap->ipa_hash.hash_pp == NULL);
2771 		kmem_cache_free(ipsec_action_cache, ap);
2772 		ap = np;
2773 		/* Inlined IPACT_REFRELE -- avoid recursion */
2774 		if (ap == NULL)
2775 			break;
2776 		membar_exit();
2777 		if (atomic_add_32_nv(&(ap)->ipa_refs, -1) != 0)
2778 			break;
2779 		/* End inlined IPACT_REFRELE */
2780 	}
2781 }
2782 
2783 /*
2784  * Periodically sweep action hash table for actions with refcount==1, and
2785  * nuke them.  We cannot do this "on demand" (i.e., from IPACT_REFRELE)
2786  * because we can't close the race between another thread finding the action
2787  * in the hash table without holding the bucket lock during IPACT_REFRELE.
2788  * Instead, we run this function sporadically to clean up after ourselves;
2789  * we also set it as the "reclaim" function for the action kmem_cache.
2790  *
2791  * Note that it may take several passes of ipsec_action_gc() to free all
2792  * "stale" actions.
2793  */
2794 /* ARGSUSED */
2795 static void
2796 ipsec_action_reclaim(void *dummy)
2797 {
2798 	int i;
2799 
2800 	for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) {
2801 		ipsec_action_t *ap, *np;
2802 
2803 		/* skip the lock if nobody home */
2804 		if (ipsec_action_hash[i].hash_head == NULL)
2805 			continue;
2806 
2807 		HASH_LOCK(ipsec_action_hash, i);
2808 		for (ap = ipsec_action_hash[i].hash_head;
2809 		    ap != NULL; ap = np) {
2810 			ASSERT(ap->ipa_refs > 0);
2811 			np = ap->ipa_hash.hash_next;
2812 			if (ap->ipa_refs > 1)
2813 				continue;
2814 			HASH_UNCHAIN(ap, ipa_hash, ipsec_action_hash, i);
2815 			IPACT_REFRELE(ap);
2816 		}
2817 		HASH_UNLOCK(ipsec_action_hash, i);
2818 	}
2819 }
2820 
2821 /*
2822  * Intern a selector set into the selector set hash table.
2823  * This is simpler than the actions case..
2824  */
2825 static ipsec_sel_t *
2826 ipsec_find_sel(ipsec_selkey_t *selkey)
2827 {
2828 	ipsec_sel_t *sp;
2829 	uint32_t hval, bucket;
2830 
2831 	/*
2832 	 * Exactly one AF bit should be set in selkey.
2833 	 */
2834 	ASSERT(!(selkey->ipsl_valid & IPSL_IPV4) ^
2835 	    !(selkey->ipsl_valid & IPSL_IPV6));
2836 
2837 	hval = selkey_hash(selkey);
2838 	selkey->ipsl_hval = hval;
2839 
2840 	bucket = (hval == IPSEC_SEL_NOHASH) ? 0 : hval;
2841 
2842 	ASSERT(!HASH_LOCKED(ipsec_sel_hash, bucket));
2843 	HASH_LOCK(ipsec_sel_hash, bucket);
2844 
2845 	for (HASH_ITERATE(sp, ipsl_hash, ipsec_sel_hash, bucket)) {
2846 		if (bcmp(&sp->ipsl_key, selkey, sizeof (*selkey)) == 0)
2847 			break;
2848 	}
2849 	if (sp != NULL) {
2850 		sp->ipsl_refs++;
2851 
2852 		HASH_UNLOCK(ipsec_sel_hash, bucket);
2853 		return (sp);
2854 	}
2855 
2856 	sp = kmem_cache_alloc(ipsec_sel_cache, KM_NOSLEEP);
2857 	if (sp == NULL) {
2858 		HASH_UNLOCK(ipsec_sel_hash, bucket);
2859 		return (NULL);
2860 	}
2861 
2862 	HASH_INSERT(sp, ipsl_hash, ipsec_sel_hash, bucket);
2863 	sp->ipsl_refs = 2;	/* one for hash table, one for caller */
2864 	sp->ipsl_key = *selkey;
2865 
2866 	HASH_UNLOCK(ipsec_sel_hash, bucket);
2867 
2868 	return (sp);
2869 }
2870 
2871 static void
2872 ipsec_sel_rel(ipsec_sel_t **spp)
2873 {
2874 	ipsec_sel_t *sp = *spp;
2875 	int hval = sp->ipsl_key.ipsl_hval;
2876 	*spp = NULL;
2877 
2878 	if (hval == IPSEC_SEL_NOHASH)
2879 		hval = 0;
2880 
2881 	ASSERT(!HASH_LOCKED(ipsec_sel_hash, hval));
2882 	HASH_LOCK(ipsec_sel_hash, hval);
2883 	if (--sp->ipsl_refs == 1) {
2884 		HASH_UNCHAIN(sp, ipsl_hash, ipsec_sel_hash, hval);
2885 		sp->ipsl_refs--;
2886 		HASH_UNLOCK(ipsec_sel_hash, hval);
2887 		ASSERT(sp->ipsl_refs == 0);
2888 		kmem_cache_free(ipsec_sel_cache, sp);
2889 		/* Caller unlocks */
2890 		return;
2891 	}
2892 
2893 	HASH_UNLOCK(ipsec_sel_hash, hval);
2894 }
2895 
2896 /*
2897  * Free a policy rule which we know is no longer being referenced.
2898  */
2899 void
2900 ipsec_policy_free(ipsec_policy_t *ipp)
2901 {
2902 	ASSERT(ipp->ipsp_refs == 0);
2903 	ASSERT(ipp->ipsp_sel != NULL);
2904 	ASSERT(ipp->ipsp_act != NULL);
2905 	ipsec_sel_rel(&ipp->ipsp_sel);
2906 	IPACT_REFRELE(ipp->ipsp_act);
2907 	kmem_cache_free(ipsec_pol_cache, ipp);
2908 }
2909 
2910 /*
2911  * Construction of new policy rules; construct a policy, and add it to
2912  * the appropriate tables.
2913  */
2914 ipsec_policy_t *
2915 ipsec_policy_create(ipsec_selkey_t *keys, const ipsec_act_t *a,
2916     int nacts, int prio)
2917 {
2918 	ipsec_action_t *ap;
2919 	ipsec_sel_t *sp;
2920 	ipsec_policy_t *ipp;
2921 
2922 	ipp = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);
2923 	ap = ipsec_act_find(a, nacts);
2924 	sp = ipsec_find_sel(keys);
2925 
2926 	if ((ap == NULL) || (sp == NULL) || (ipp == NULL)) {
2927 		if (ap != NULL) {
2928 			IPACT_REFRELE(ap);
2929 		}
2930 		if (sp != NULL)
2931 			ipsec_sel_rel(&sp);
2932 		if (ipp != NULL)
2933 			kmem_cache_free(ipsec_pol_cache, ipp);
2934 		return (NULL);
2935 	}
2936 
2937 	HASH_NULL(ipp, ipsp_hash);
2938 
2939 	ipp->ipsp_refs = 1;	/* caller's reference */
2940 	ipp->ipsp_sel = sp;
2941 	ipp->ipsp_act = ap;
2942 	ipp->ipsp_prio = prio;	/* rule priority */
2943 	ipp->ipsp_index = ipsec_next_policy_index++;
2944 
2945 	return (ipp);
2946 }
2947 
2948 static void
2949 ipsec_update_present_flags()
2950 {
2951 	boolean_t hashpol = (avl_numnodes(&system_policy.iph_rulebyid) > 0);
2952 
2953 	if (hashpol) {
2954 		ipsec_outbound_v4_policy_present = B_TRUE;
2955 		ipsec_outbound_v6_policy_present = B_TRUE;
2956 		ipsec_inbound_v4_policy_present = B_TRUE;
2957 		ipsec_inbound_v6_policy_present = B_TRUE;
2958 		return;
2959 	}
2960 
2961 	ipsec_outbound_v4_policy_present = (NULL !=
2962 	    system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
2963 	    ipr_nonhash[IPSEC_AF_V4]);
2964 	ipsec_outbound_v6_policy_present = (NULL !=
2965 	    system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
2966 	    ipr_nonhash[IPSEC_AF_V6]);
2967 	ipsec_inbound_v4_policy_present = (NULL !=
2968 	    system_policy.iph_root[IPSEC_TYPE_INBOUND].
2969 	    ipr_nonhash[IPSEC_AF_V4]);
2970 	ipsec_inbound_v6_policy_present = (NULL !=
2971 	    system_policy.iph_root[IPSEC_TYPE_INBOUND].
2972 	    ipr_nonhash[IPSEC_AF_V6]);
2973 }
2974 
2975 boolean_t
2976 ipsec_policy_delete(ipsec_policy_head_t *php, ipsec_selkey_t *keys, int dir)
2977 {
2978 	ipsec_sel_t *sp;
2979 	ipsec_policy_t *ip, *nip, *head;
2980 	int af;
2981 	ipsec_policy_root_t *pr = &php->iph_root[dir];
2982 
2983 	sp = ipsec_find_sel(keys);
2984 
2985 	if (sp == NULL)
2986 		return (B_FALSE);
2987 
2988 	af = (sp->ipsl_key.ipsl_valid & IPSL_IPV4) ? IPSEC_AF_V4 : IPSEC_AF_V6;
2989 
2990 	rw_enter(&php->iph_lock, RW_WRITER);
2991 
2992 	if (keys->ipsl_hval == IPSEC_SEL_NOHASH) {
2993 		head = pr->ipr_nonhash[af];
2994 	} else {
2995 		head = pr->ipr_hash[keys->ipsl_hval].hash_head;
2996 	}
2997 
2998 	for (ip = head; ip != NULL; ip = nip) {
2999 		nip = ip->ipsp_hash.hash_next;
3000 		if (ip->ipsp_sel != sp) {
3001 			continue;
3002 		}
3003 
3004 		IPPOL_UNCHAIN(php, ip);
3005 
3006 		php->iph_gen++;
3007 		ipsec_update_present_flags();
3008 
3009 		rw_exit(&php->iph_lock);
3010 
3011 		ipsec_sel_rel(&sp);
3012 
3013 		return (B_TRUE);
3014 	}
3015 
3016 	rw_exit(&php->iph_lock);
3017 	ipsec_sel_rel(&sp);
3018 	return (B_FALSE);
3019 }
3020 
3021 int
3022 ipsec_policy_delete_index(ipsec_policy_head_t *php, uint64_t policy_index)
3023 {
3024 	boolean_t found = B_FALSE;
3025 	ipsec_policy_t ipkey;
3026 	ipsec_policy_t *ip;
3027 	avl_index_t where;
3028 
3029 	(void) memset(&ipkey, 0, sizeof (ipkey));
3030 	ipkey.ipsp_index = policy_index;
3031 
3032 	rw_enter(&php->iph_lock, RW_WRITER);
3033 
3034 	/*
3035 	 * We could be cleverer here about the walk.
3036 	 * but well, (k+1)*log(N) will do for now (k==number of matches,
3037 	 * N==number of table entries
3038 	 */
3039 	for (;;) {
3040 		ip = (ipsec_policy_t *)avl_find(&php->iph_rulebyid,
3041 		    (void *)&ipkey, &where);
3042 		ASSERT(ip == NULL);
3043 
3044 		ip = avl_nearest(&php->iph_rulebyid, where, AVL_AFTER);
3045 
3046 		if (ip == NULL)
3047 			break;
3048 
3049 		if (ip->ipsp_index != policy_index) {
3050 			ASSERT(ip->ipsp_index > policy_index);
3051 			break;
3052 		}
3053 
3054 		IPPOL_UNCHAIN(php, ip);
3055 		found = B_TRUE;
3056 	}
3057 
3058 	if (found) {
3059 		php->iph_gen++;
3060 		ipsec_update_present_flags();
3061 	}
3062 
3063 	rw_exit(&php->iph_lock);
3064 
3065 	return (found ? 0 : ENOENT);
3066 }
3067 
3068 /*
3069  * Given a constructed ipsec_policy_t policy rule, see if it can be entered
3070  * into the correct policy ruleset.
3071  *
3072  * Returns B_TRUE if it can be entered, B_FALSE if it can't be (because a
3073  * duplicate policy exists with exactly the same selectors), or an icmp
3074  * rule exists with a different encryption/authentication action.
3075  */
3076 boolean_t
3077 ipsec_check_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction)
3078 {
3079 	ipsec_policy_root_t *pr = &php->iph_root[direction];
3080 	int af = -1;
3081 	ipsec_policy_t *p2, *head;
3082 	uint8_t check_proto;
3083 	ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
3084 	uint32_t	valid = selkey->ipsl_valid;
3085 
3086 	if (valid & IPSL_IPV6) {
3087 		ASSERT(!(valid & IPSL_IPV4));
3088 		af = IPSEC_AF_V6;
3089 		check_proto = IPPROTO_ICMPV6;
3090 	} else {
3091 		ASSERT(valid & IPSL_IPV4);
3092 		af = IPSEC_AF_V4;
3093 		check_proto = IPPROTO_ICMP;
3094 	}
3095 
3096 	ASSERT(RW_WRITE_HELD(&php->iph_lock));
3097 
3098 	/*
3099 	 * Double-check that we don't have any duplicate selectors here.
3100 	 * Because selectors are interned below, we need only compare pointers
3101 	 * for equality.
3102 	 */
3103 	if (selkey->ipsl_hval == IPSEC_SEL_NOHASH) {
3104 		head = pr->ipr_nonhash[af];
3105 	} else {
3106 		head = pr->ipr_hash[selkey->ipsl_hval].hash_head;
3107 	}
3108 
3109 	for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {
3110 		if (p2->ipsp_sel == ipp->ipsp_sel)
3111 			return (B_FALSE);
3112 	}
3113 
3114 	/*
3115 	 * If it's ICMP and not a drop or pass rule, run through the ICMP
3116 	 * rules and make sure the action is either new or the same as any
3117 	 * other actions.  We don't have to check the full chain because
3118 	 * discard and bypass will override all other actions
3119 	 */
3120 
3121 	if (valid & IPSL_PROTOCOL &&
3122 	    selkey->ipsl_proto == check_proto &&
3123 	    (ipp->ipsp_act->ipa_act.ipa_type == IPSEC_ACT_APPLY)) {
3124 
3125 		for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {
3126 
3127 			if (p2->ipsp_sel->ipsl_key.ipsl_valid & IPSL_PROTOCOL &&
3128 			    p2->ipsp_sel->ipsl_key.ipsl_proto == check_proto &&
3129 			    (p2->ipsp_act->ipa_act.ipa_type ==
3130 				IPSEC_ACT_APPLY)) {
3131 				return (ipsec_compare_action(p2, ipp));
3132 			}
3133 		}
3134 	}
3135 
3136 	return (B_TRUE);
3137 }
3138 
3139 /*
3140  * compare the action chains of two policies for equality
3141  * B_TRUE -> effective equality
3142  */
3143 
3144 static boolean_t
3145 ipsec_compare_action(ipsec_policy_t *p1, ipsec_policy_t *p2)
3146 {
3147 
3148 	ipsec_action_t *act1, *act2;
3149 
3150 	/* We have a valid rule. Let's compare the actions */
3151 	if (p1->ipsp_act == p2->ipsp_act) {
3152 		/* same action. We are good */
3153 		return (B_TRUE);
3154 	}
3155 
3156 	/* we have to walk the chain */
3157 
3158 	act1 = p1->ipsp_act;
3159 	act2 = p2->ipsp_act;
3160 
3161 	while (act1 != NULL && act2 != NULL) {
3162 
3163 		/* otherwise, Are we close enough? */
3164 		if (act1->ipa_allow_clear != act2->ipa_allow_clear ||
3165 		    act1->ipa_want_ah != act2->ipa_want_ah ||
3166 		    act1->ipa_want_esp != act2->ipa_want_esp ||
3167 		    act1->ipa_want_se != act2->ipa_want_se) {
3168 			/* Nope, we aren't */
3169 			return (B_FALSE);
3170 		}
3171 
3172 		if (act1->ipa_want_ah) {
3173 			if (act1->ipa_act.ipa_apply.ipp_auth_alg !=
3174 			    act2->ipa_act.ipa_apply.ipp_auth_alg) {
3175 				return (B_FALSE);
3176 			}
3177 
3178 			if (act1->ipa_act.ipa_apply.ipp_ah_minbits !=
3179 			    act2->ipa_act.ipa_apply.ipp_ah_minbits ||
3180 			    act1->ipa_act.ipa_apply.ipp_ah_maxbits !=
3181 			    act2->ipa_act.ipa_apply.ipp_ah_maxbits) {
3182 				return (B_FALSE);
3183 			}
3184 		}
3185 
3186 		if (act1->ipa_want_esp) {
3187 			if (act1->ipa_act.ipa_apply.ipp_use_esp !=
3188 			    act2->ipa_act.ipa_apply.ipp_use_esp ||
3189 			    act1->ipa_act.ipa_apply.ipp_use_espa !=
3190 			    act2->ipa_act.ipa_apply.ipp_use_espa) {
3191 				return (B_FALSE);
3192 			}
3193 
3194 			if (act1->ipa_act.ipa_apply.ipp_use_esp) {
3195 				if (act1->ipa_act.ipa_apply.ipp_encr_alg !=
3196 				    act2->ipa_act.ipa_apply.ipp_encr_alg) {
3197 					return (B_FALSE);
3198 				}
3199 
3200 				if (act1->ipa_act.ipa_apply.ipp_espe_minbits !=
3201 				    act2->ipa_act.ipa_apply.ipp_espe_minbits ||
3202 				    act1->ipa_act.ipa_apply.ipp_espe_maxbits !=
3203 				    act2->ipa_act.ipa_apply.ipp_espe_maxbits) {
3204 					return (B_FALSE);
3205 				}
3206 			}
3207 
3208 			if (act1->ipa_act.ipa_apply.ipp_use_espa) {
3209 				if (act1->ipa_act.ipa_apply.ipp_esp_auth_alg !=
3210 				    act2->ipa_act.ipa_apply.ipp_esp_auth_alg) {
3211 					return (B_FALSE);
3212 				}
3213 
3214 				if (act1->ipa_act.ipa_apply.ipp_espa_minbits !=
3215 				    act2->ipa_act.ipa_apply.ipp_espa_minbits ||
3216 				    act1->ipa_act.ipa_apply.ipp_espa_maxbits !=
3217 				    act2->ipa_act.ipa_apply.ipp_espa_maxbits) {
3218 					return (B_FALSE);
3219 				}
3220 			}
3221 
3222 		}
3223 
3224 		act1 = act1->ipa_next;
3225 		act2 = act2->ipa_next;
3226 	}
3227 
3228 	if (act1 != NULL || act2 != NULL) {
3229 		return (B_FALSE);
3230 	}
3231 
3232 	return (B_TRUE);
3233 }
3234 
3235 
3236 /*
3237  * Given a constructed ipsec_policy_t policy rule, enter it into
3238  * the correct policy ruleset.
3239  *
3240  * ipsec_check_policy() is assumed to have succeeded first (to check for
3241  * duplicates).
3242  */
3243 void
3244 ipsec_enter_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction)
3245 {
3246 	ipsec_policy_root_t *pr = &php->iph_root[direction];
3247 	ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
3248 	uint32_t valid = selkey->ipsl_valid;
3249 	uint32_t hval = selkey->ipsl_hval;
3250 	int af = -1;
3251 
3252 	ASSERT(RW_WRITE_HELD(&php->iph_lock));
3253 
3254 	if (valid & IPSL_IPV6) {
3255 		ASSERT(!(valid & IPSL_IPV4));
3256 		af = IPSEC_AF_V6;
3257 	} else {
3258 		ASSERT(valid & IPSL_IPV4);
3259 		af = IPSEC_AF_V4;
3260 	}
3261 
3262 	php->iph_gen++;
3263 
3264 	if (hval == IPSEC_SEL_NOHASH) {
3265 		HASHLIST_INSERT(ipp, ipsp_hash, pr->ipr_nonhash[af]);
3266 	} else {
3267 		HASH_LOCK(pr->ipr_hash, hval);
3268 		HASH_INSERT(ipp, ipsp_hash, pr->ipr_hash, hval);
3269 		HASH_UNLOCK(pr->ipr_hash, hval);
3270 	}
3271 
3272 	ipsec_insert_always(&php->iph_rulebyid, ipp);
3273 
3274 	ipsec_update_present_flags();
3275 }
3276 
3277 static void
3278 ipsec_ipr_flush(ipsec_policy_head_t *php, ipsec_policy_root_t *ipr)
3279 {
3280 	ipsec_policy_t *ip, *nip;
3281 
3282 	int af, chain, nchain;
3283 
3284 	for (af = 0; af < IPSEC_NAF; af++) {
3285 		for (ip = ipr->ipr_nonhash[af]; ip != NULL; ip = nip) {
3286 			nip = ip->ipsp_hash.hash_next;
3287 			IPPOL_UNCHAIN(php, ip);
3288 		}
3289 		ipr->ipr_nonhash[af] = NULL;
3290 	}
3291 	nchain = ipr->ipr_nchains;
3292 
3293 	for (chain = 0; chain < nchain; chain++) {
3294 		for (ip = ipr->ipr_hash[chain].hash_head; ip != NULL;
3295 		    ip = nip) {
3296 			nip = ip->ipsp_hash.hash_next;
3297 			IPPOL_UNCHAIN(php, ip);
3298 		}
3299 		ipr->ipr_hash[chain].hash_head = NULL;
3300 	}
3301 }
3302 
3303 
3304 void
3305 ipsec_polhead_flush(ipsec_policy_head_t *php)
3306 {
3307 	int dir;
3308 
3309 	ASSERT(RW_WRITE_HELD(&php->iph_lock));
3310 
3311 	for (dir = 0; dir < IPSEC_NTYPES; dir++)
3312 		ipsec_ipr_flush(php, &php->iph_root[dir]);
3313 
3314 	ipsec_update_present_flags();
3315 }
3316 
3317 void
3318 ipsec_polhead_free(ipsec_policy_head_t *php)
3319 {
3320 	ASSERT(php->iph_refs == 0);
3321 	rw_enter(&php->iph_lock, RW_WRITER);
3322 	ipsec_polhead_flush(php);
3323 	rw_exit(&php->iph_lock);
3324 	rw_destroy(&php->iph_lock);
3325 	kmem_free(php, sizeof (*php));
3326 }
3327 
3328 static void
3329 ipsec_ipr_init(ipsec_policy_root_t *ipr)
3330 {
3331 	int af;
3332 
3333 	ipr->ipr_nchains = 0;
3334 	ipr->ipr_hash = NULL;
3335 
3336 	for (af = 0; af < IPSEC_NAF; af++) {
3337 		ipr->ipr_nonhash[af] = NULL;
3338 	}
3339 }
3340 
3341 extern ipsec_policy_head_t *
3342 ipsec_polhead_create(void)
3343 {
3344 	ipsec_policy_head_t *php;
3345 
3346 	php = kmem_alloc(sizeof (*php), KM_NOSLEEP);
3347 	if (php == NULL)
3348 		return (php);
3349 
3350 	rw_init(&php->iph_lock, NULL, RW_DEFAULT, NULL);
3351 	php->iph_refs = 1;
3352 	php->iph_gen = 0;
3353 
3354 	ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_INBOUND]);
3355 	ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_OUTBOUND]);
3356 
3357 	avl_create(&php->iph_rulebyid, ipsec_policy_cmpbyid,
3358 	    sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid));
3359 
3360 	return (php);
3361 }
3362 
3363 /*
3364  * Clone the policy head into a new polhead; release one reference to the
3365  * old one and return the only reference to the new one.
3366  * If the old one had a refcount of 1, just return it.
3367  */
3368 extern ipsec_policy_head_t *
3369 ipsec_polhead_split(ipsec_policy_head_t *php)
3370 {
3371 	ipsec_policy_head_t *nphp;
3372 
3373 	if (php == NULL)
3374 		return (ipsec_polhead_create());
3375 	else if (php->iph_refs == 1)
3376 		return (php);
3377 
3378 	nphp = ipsec_polhead_create();
3379 	if (nphp == NULL)
3380 		return (NULL);
3381 
3382 	if (ipsec_copy_polhead(php, nphp) != 0) {
3383 		ipsec_polhead_free(nphp);
3384 		return (NULL);
3385 	}
3386 	IPPH_REFRELE(php);
3387 	return (nphp);
3388 }
3389 
3390 /*
3391  * When sending a response to a ICMP request or generating a RST
3392  * in the TCP case, the outbound packets need to go at the same level
3393  * of protection as the incoming ones i.e we associate our outbound
3394  * policy with how the packet came in. We call this after we have
3395  * accepted the incoming packet which may or may not have been in
3396  * clear and hence we are sending the reply back with the policy
3397  * matching the incoming datagram's policy.
3398  *
3399  * NOTE : This technology serves two purposes :
3400  *
3401  * 1) If we have multiple outbound policies, we send out a reply
3402  *    matching with how it came in rather than matching the outbound
3403  *    policy.
3404  *
3405  * 2) For assymetric policies, we want to make sure that incoming
3406  *    and outgoing has the same level of protection. Assymetric
3407  *    policies exist only with global policy where we may not have
3408  *    both outbound and inbound at the same time.
3409  *
3410  * NOTE2:	This function is called by cleartext cases, so it needs to be
3411  *		in IP proper.
3412  */
3413 boolean_t
3414 ipsec_in_to_out(mblk_t *ipsec_mp, ipha_t *ipha, ip6_t *ip6h)
3415 {
3416 	ipsec_in_t  *ii;
3417 	ipsec_out_t  *io;
3418 	boolean_t v4;
3419 	mblk_t *mp;
3420 	boolean_t secure, attach_if;
3421 	uint_t ifindex;
3422 	ipsec_selector_t sel;
3423 	ipsec_action_t *reflect_action = NULL;
3424 	zoneid_t zoneid;
3425 
3426 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
3427 
3428 	bzero((void*)&sel, sizeof (sel));
3429 
3430 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
3431 
3432 	mp = ipsec_mp->b_cont;
3433 	ASSERT(mp != NULL);
3434 
3435 	if (ii->ipsec_in_action != NULL) {
3436 		/* transfer reference.. */
3437 		reflect_action = ii->ipsec_in_action;
3438 		ii->ipsec_in_action = NULL;
3439 	} else if (!ii->ipsec_in_loopback)
3440 		reflect_action = ipsec_in_to_out_action(ii);
3441 	secure = ii->ipsec_in_secure;
3442 	attach_if = ii->ipsec_in_attach_if;
3443 	ifindex = ii->ipsec_in_ill_index;
3444 	zoneid = ii->ipsec_in_zoneid;
3445 	v4 = ii->ipsec_in_v4;
3446 
3447 	ipsec_in_release_refs(ii);
3448 
3449 	/*
3450 	 * The caller is going to send the datagram out which might
3451 	 * go on the wire or delivered locally through ip_wput_local.
3452 	 *
3453 	 * 1) If it goes out on the wire, new associations will be
3454 	 *    obtained.
3455 	 * 2) If it is delivered locally, ip_wput_local will convert
3456 	 *    this IPSEC_OUT to a IPSEC_IN looking at the requests.
3457 	 */
3458 
3459 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
3460 	bzero(io, sizeof (ipsec_out_t));
3461 	io->ipsec_out_type = IPSEC_OUT;
3462 	io->ipsec_out_len = sizeof (ipsec_out_t);
3463 	io->ipsec_out_frtn.free_func = ipsec_out_free;
3464 	io->ipsec_out_frtn.free_arg = (char *)io;
3465 	io->ipsec_out_act = reflect_action;
3466 
3467 	if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h))
3468 		return (B_FALSE);
3469 
3470 	io->ipsec_out_src_port = sel.ips_local_port;
3471 	io->ipsec_out_dst_port = sel.ips_remote_port;
3472 	io->ipsec_out_proto = sel.ips_protocol;
3473 	io->ipsec_out_icmp_type = sel.ips_icmp_type;
3474 	io->ipsec_out_icmp_code = sel.ips_icmp_code;
3475 
3476 	/*
3477 	 * Don't use global policy for this, as we want
3478 	 * to use the same protection that was applied to the inbound packet.
3479 	 */
3480 	io->ipsec_out_use_global_policy = B_FALSE;
3481 	io->ipsec_out_proc_begin = B_FALSE;
3482 	io->ipsec_out_secure = secure;
3483 	io->ipsec_out_v4 = v4;
3484 	io->ipsec_out_attach_if = attach_if;
3485 	io->ipsec_out_ill_index = ifindex;
3486 	io->ipsec_out_zoneid = zoneid;
3487 	return (B_TRUE);
3488 }
3489 
3490 mblk_t *
3491 ipsec_in_tag(mblk_t *mp, mblk_t *cont)
3492 {
3493 	ipsec_in_t *ii = (ipsec_in_t *)mp->b_rptr;
3494 	ipsec_in_t *nii;
3495 	mblk_t *nmp;
3496 	frtn_t nfrtn;
3497 
3498 	ASSERT(ii->ipsec_in_type == IPSEC_IN);
3499 	ASSERT(ii->ipsec_in_len == sizeof (ipsec_in_t));
3500 
3501 	nmp = ipsec_in_alloc(ii->ipsec_in_v4);
3502 
3503 	ASSERT(nmp->b_datap->db_type == M_CTL);
3504 	ASSERT(nmp->b_wptr == (nmp->b_rptr + sizeof (ipsec_info_t)));
3505 
3506 	/*
3507 	 * Bump refcounts.
3508 	 */
3509 	if (ii->ipsec_in_ah_sa != NULL)
3510 		IPSA_REFHOLD(ii->ipsec_in_ah_sa);
3511 	if (ii->ipsec_in_esp_sa != NULL)
3512 		IPSA_REFHOLD(ii->ipsec_in_esp_sa);
3513 	if (ii->ipsec_in_policy != NULL)
3514 		IPPH_REFHOLD(ii->ipsec_in_policy);
3515 
3516 	/*
3517 	 * Copy everything, but preserve the free routine provided by
3518 	 * ipsec_in_alloc().
3519 	 */
3520 	nii = (ipsec_in_t *)nmp->b_rptr;
3521 	nfrtn = nii->ipsec_in_frtn;
3522 	bcopy(ii, nii, sizeof (*ii));
3523 	nii->ipsec_in_frtn = nfrtn;
3524 
3525 	nmp->b_cont = cont;
3526 
3527 	return (nmp);
3528 }
3529 
3530 mblk_t *
3531 ipsec_out_tag(mblk_t *mp, mblk_t *cont)
3532 {
3533 	ipsec_out_t *io = (ipsec_out_t *)mp->b_rptr;
3534 	ipsec_out_t *nio;
3535 	mblk_t *nmp;
3536 	frtn_t nfrtn;
3537 
3538 	ASSERT(io->ipsec_out_type == IPSEC_OUT);
3539 	ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t));
3540 
3541 	nmp = ipsec_alloc_ipsec_out();
3542 	if (nmp == NULL) {
3543 		freemsg(cont);	/* XXX ip_drop_packet() ? */
3544 		return (NULL);
3545 	}
3546 	ASSERT(nmp->b_datap->db_type == M_CTL);
3547 	ASSERT(nmp->b_wptr == (nmp->b_rptr + sizeof (ipsec_info_t)));
3548 
3549 	/*
3550 	 * Bump refcounts.
3551 	 */
3552 	if (io->ipsec_out_ah_sa != NULL)
3553 		IPSA_REFHOLD(io->ipsec_out_ah_sa);
3554 	if (io->ipsec_out_esp_sa != NULL)
3555 		IPSA_REFHOLD(io->ipsec_out_esp_sa);
3556 	if (io->ipsec_out_polhead != NULL)
3557 		IPPH_REFHOLD(io->ipsec_out_polhead);
3558 	if (io->ipsec_out_policy != NULL)
3559 		IPPOL_REFHOLD(io->ipsec_out_policy);
3560 	if (io->ipsec_out_act != NULL)
3561 		IPACT_REFHOLD(io->ipsec_out_act);
3562 	if (io->ipsec_out_latch != NULL)
3563 		IPLATCH_REFHOLD(io->ipsec_out_latch);
3564 	if (io->ipsec_out_cred != NULL)
3565 		crhold(io->ipsec_out_cred);
3566 
3567 	/*
3568 	 * Copy everything, but preserve the free routine provided by
3569 	 * ipsec_alloc_ipsec_out().
3570 	 */
3571 	nio = (ipsec_out_t *)nmp->b_rptr;
3572 	nfrtn = nio->ipsec_out_frtn;
3573 	bcopy(io, nio, sizeof (*io));
3574 	nio->ipsec_out_frtn = nfrtn;
3575 
3576 	nmp->b_cont = cont;
3577 
3578 	return (nmp);
3579 }
3580 
3581 static void
3582 ipsec_out_release_refs(ipsec_out_t *io)
3583 {
3584 	ASSERT(io->ipsec_out_type == IPSEC_OUT);
3585 	ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t));
3586 
3587 	/* Note: IPSA_REFRELE is multi-line macro */
3588 	if (io->ipsec_out_ah_sa != NULL)
3589 		IPSA_REFRELE(io->ipsec_out_ah_sa);
3590 	if (io->ipsec_out_esp_sa != NULL)
3591 		IPSA_REFRELE(io->ipsec_out_esp_sa);
3592 	if (io->ipsec_out_polhead != NULL)
3593 		IPPH_REFRELE(io->ipsec_out_polhead);
3594 	if (io->ipsec_out_policy != NULL)
3595 		IPPOL_REFRELE(io->ipsec_out_policy);
3596 	if (io->ipsec_out_act != NULL)
3597 		IPACT_REFRELE(io->ipsec_out_act);
3598 	if (io->ipsec_out_cred != NULL) {
3599 		crfree(io->ipsec_out_cred);
3600 		io->ipsec_out_cred = NULL;
3601 	}
3602 	if (io->ipsec_out_latch) {
3603 		IPLATCH_REFRELE(io->ipsec_out_latch);
3604 		io->ipsec_out_latch = NULL;
3605 	}
3606 }
3607 
3608 static void
3609 ipsec_out_free(void *arg)
3610 {
3611 	ipsec_out_t *io = (ipsec_out_t *)arg;
3612 	ipsec_out_release_refs(io);
3613 	kmem_cache_free(ipsec_info_cache, arg);
3614 }
3615 
3616 static void
3617 ipsec_in_release_refs(ipsec_in_t *ii)
3618 {
3619 	/* Note: IPSA_REFRELE is multi-line macro */
3620 	if (ii->ipsec_in_ah_sa != NULL)
3621 		IPSA_REFRELE(ii->ipsec_in_ah_sa);
3622 	if (ii->ipsec_in_esp_sa != NULL)
3623 		IPSA_REFRELE(ii->ipsec_in_esp_sa);
3624 	if (ii->ipsec_in_policy != NULL)
3625 		IPPH_REFRELE(ii->ipsec_in_policy);
3626 	if (ii->ipsec_in_da != NULL) {
3627 		freeb(ii->ipsec_in_da);
3628 		ii->ipsec_in_da = NULL;
3629 	}
3630 }
3631 
3632 static void
3633 ipsec_in_free(void *arg)
3634 {
3635 	ipsec_in_t *ii = (ipsec_in_t *)arg;
3636 	ipsec_in_release_refs(ii);
3637 	kmem_cache_free(ipsec_info_cache, arg);
3638 }
3639 
3640 /*
3641  * This is called only for outbound datagrams if the datagram needs to
3642  * go out secure.  A NULL mp can be passed to get an ipsec_out. This
3643  * facility is used by ip_unbind.
3644  *
3645  * NOTE : o As the data part could be modified by ipsec_out_process etc.
3646  *	    we can't make it fast by calling a dup.
3647  */
3648 mblk_t *
3649 ipsec_alloc_ipsec_out()
3650 {
3651 	mblk_t *ipsec_mp;
3652 
3653 	ipsec_out_t *io = kmem_cache_alloc(ipsec_info_cache, KM_NOSLEEP);
3654 
3655 	if (io == NULL)
3656 		return (NULL);
3657 
3658 	bzero(io, sizeof (ipsec_out_t));
3659 
3660 	io->ipsec_out_type = IPSEC_OUT;
3661 	io->ipsec_out_len = sizeof (ipsec_out_t);
3662 	io->ipsec_out_frtn.free_func = ipsec_out_free;
3663 	io->ipsec_out_frtn.free_arg = (char *)io;
3664 
3665 	/*
3666 	 * Set the zoneid to ALL_ZONES which is used as an invalid value. Code
3667 	 * using ipsec_out_zoneid should assert that the zoneid has been set to
3668 	 * a sane value.
3669 	 */
3670 	io->ipsec_out_zoneid = ALL_ZONES;
3671 
3672 	ipsec_mp = desballoc((uint8_t *)io, sizeof (ipsec_info_t), BPRI_HI,
3673 	    &io->ipsec_out_frtn);
3674 	if (ipsec_mp == NULL) {
3675 		ipsec_out_free(io);
3676 
3677 		return (NULL);
3678 	}
3679 	ipsec_mp->b_datap->db_type = M_CTL;
3680 	ipsec_mp->b_wptr = ipsec_mp->b_rptr + sizeof (ipsec_info_t);
3681 
3682 	return (ipsec_mp);
3683 }
3684 
3685 /*
3686  * Attach an IPSEC_OUT; use pol for policy if it is non-null.
3687  * Otherwise initialize using conn.
3688  *
3689  * If pol is non-null, we consume a reference to it.
3690  */
3691 mblk_t *
3692 ipsec_attach_ipsec_out(mblk_t *mp, conn_t *connp, ipsec_policy_t *pol,
3693     uint8_t proto)
3694 {
3695 	mblk_t *ipsec_mp;
3696 
3697 	ASSERT((pol != NULL) || (connp != NULL));
3698 
3699 	ipsec_mp = ipsec_alloc_ipsec_out();
3700 	if (ipsec_mp == NULL) {
3701 		(void) mi_strlog(CONNP_TO_WQ(connp), 0, SL_ERROR|SL_NOTE,
3702 		    "ipsec_attach_ipsec_out: Allocation failure\n");
3703 		BUMP_MIB(&ip_mib, ipOutDiscards);
3704 		ip_drop_packet(mp, B_FALSE, NULL, NULL, &ipdrops_spd_nomem,
3705 		    &spd_dropper);
3706 		return (NULL);
3707 	}
3708 	ipsec_mp->b_cont = mp;
3709 	return (ipsec_init_ipsec_out(ipsec_mp, connp, pol, proto));
3710 }
3711 
3712 /*
3713  * Initialize the IPSEC_OUT (ipsec_mp) using pol if it is non-null.
3714  * Otherwise initialize using conn.
3715  *
3716  * If pol is non-null, we consume a reference to it.
3717  */
3718 mblk_t *
3719 ipsec_init_ipsec_out(mblk_t *ipsec_mp, conn_t *connp, ipsec_policy_t *pol,
3720     uint8_t proto)
3721 {
3722 	mblk_t *mp;
3723 	ipsec_out_t *io;
3724 	ipsec_policy_t *p;
3725 	ipha_t *ipha;
3726 	ip6_t *ip6h;
3727 
3728 	ASSERT((pol != NULL) || (connp != NULL));
3729 
3730 	/*
3731 	 * If mp is NULL, we won't/should not be using it.
3732 	 */
3733 	mp = ipsec_mp->b_cont;
3734 
3735 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
3736 	ASSERT(ipsec_mp->b_wptr == (ipsec_mp->b_rptr + sizeof (ipsec_info_t)));
3737 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
3738 	ASSERT(io->ipsec_out_type == IPSEC_OUT);
3739 	ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t));
3740 	io->ipsec_out_latch = NULL;
3741 	/*
3742 	 * Set the zoneid when we have the connp.
3743 	 * Otherwise, we're called from ip_wput_attach_policy() who will take
3744 	 * care of setting the zoneid.
3745 	 */
3746 	if (connp != NULL)
3747 		io->ipsec_out_zoneid = connp->conn_zoneid;
3748 
3749 	if (mp != NULL) {
3750 		ipha = (ipha_t *)mp->b_rptr;
3751 		if (IPH_HDR_VERSION(ipha) == IP_VERSION) {
3752 			io->ipsec_out_v4 = B_TRUE;
3753 			ip6h = NULL;
3754 		} else {
3755 			io->ipsec_out_v4 = B_FALSE;
3756 			ip6h = (ip6_t *)ipha;
3757 			ipha = NULL;
3758 		}
3759 	} else {
3760 		ASSERT(connp != NULL && connp->conn_policy_cached);
3761 		ip6h = NULL;
3762 		ipha = NULL;
3763 		io->ipsec_out_v4 = !connp->conn_pkt_isv6;
3764 	}
3765 
3766 	p = NULL;
3767 
3768 	/*
3769 	 * Take latched policies over global policy.  Check here again for
3770 	 * this, in case we had conn_latch set while the packet was flying
3771 	 * around in IP.
3772 	 */
3773 	if (connp != NULL && connp->conn_latch != NULL) {
3774 		p = connp->conn_latch->ipl_out_policy;
3775 		io->ipsec_out_latch = connp->conn_latch;
3776 		IPLATCH_REFHOLD(connp->conn_latch);
3777 		if (p != NULL) {
3778 			IPPOL_REFHOLD(p);
3779 		}
3780 		io->ipsec_out_src_port = connp->conn_lport;
3781 		io->ipsec_out_dst_port = connp->conn_fport;
3782 		io->ipsec_out_icmp_type = io->ipsec_out_icmp_code = 0;
3783 		if (pol != NULL)
3784 			IPPOL_REFRELE(pol);
3785 	} else if (pol != NULL) {
3786 		ipsec_selector_t sel;
3787 
3788 		bzero((void*)&sel, sizeof (sel));
3789 
3790 		p = pol;
3791 		/*
3792 		 * conn does not have the port information. Get
3793 		 * it from the packet.
3794 		 */
3795 
3796 		if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h)) {
3797 			/* XXX any cleanup required here?? */
3798 			return (NULL);
3799 		}
3800 		io->ipsec_out_src_port = sel.ips_local_port;
3801 		io->ipsec_out_dst_port = sel.ips_remote_port;
3802 		io->ipsec_out_icmp_type = sel.ips_icmp_type;
3803 		io->ipsec_out_icmp_code = sel.ips_icmp_code;
3804 	}
3805 
3806 	io->ipsec_out_proto = proto;
3807 	io->ipsec_out_use_global_policy = B_TRUE;
3808 	io->ipsec_out_secure = (p != NULL);
3809 	io->ipsec_out_policy = p;
3810 
3811 	if (p == NULL) {
3812 		if (connp->conn_policy != NULL) {
3813 			io->ipsec_out_secure = B_TRUE;
3814 			ASSERT(io->ipsec_out_latch == NULL);
3815 			ASSERT(io->ipsec_out_use_global_policy == B_TRUE);
3816 			io->ipsec_out_need_policy = B_TRUE;
3817 			ASSERT(io->ipsec_out_polhead == NULL);
3818 			IPPH_REFHOLD(connp->conn_policy);
3819 			io->ipsec_out_polhead = connp->conn_policy;
3820 		}
3821 	}
3822 	return (ipsec_mp);
3823 }
3824 
3825 /*
3826  * Allocate an IPSEC_IN mblk.  This will be prepended to an inbound datagram
3827  * and keep track of what-if-any IPsec processing will be applied to the
3828  * datagram.
3829  */
3830 mblk_t *
3831 ipsec_in_alloc(boolean_t isv4)
3832 {
3833 	mblk_t *ipsec_in;
3834 	ipsec_in_t *ii = kmem_cache_alloc(ipsec_info_cache, KM_NOSLEEP);
3835 
3836 	if (ii == NULL)
3837 		return (NULL);
3838 
3839 	bzero(ii, sizeof (ipsec_info_t));
3840 	ii->ipsec_in_type = IPSEC_IN;
3841 	ii->ipsec_in_len = sizeof (ipsec_in_t);
3842 
3843 	ii->ipsec_in_v4 = isv4;
3844 	ii->ipsec_in_secure = B_TRUE;
3845 
3846 	ii->ipsec_in_frtn.free_func = ipsec_in_free;
3847 	ii->ipsec_in_frtn.free_arg = (char *)ii;
3848 
3849 	ipsec_in = desballoc((uint8_t *)ii, sizeof (ipsec_info_t), BPRI_HI,
3850 	    &ii->ipsec_in_frtn);
3851 	if (ipsec_in == NULL) {
3852 		ip1dbg(("ipsec_in_alloc: IPSEC_IN allocation failure.\n"));
3853 		ipsec_in_free(ii);
3854 		return (NULL);
3855 	}
3856 
3857 	ipsec_in->b_datap->db_type = M_CTL;
3858 	ipsec_in->b_wptr += sizeof (ipsec_info_t);
3859 
3860 	return (ipsec_in);
3861 }
3862 
3863 /*
3864  * This is called from ip_wput_local when a packet which needs
3865  * security is looped back, to convert the IPSEC_OUT to a IPSEC_IN
3866  * before fanout, where the policy check happens.  In most of the
3867  * cases, IPSEC processing has *never* been done.  There is one case
3868  * (ip_wput_ire_fragmentit -> ip_wput_frag -> icmp_frag_needed) where
3869  * the packet is destined for localhost, IPSEC processing has already
3870  * been done.
3871  *
3872  * Future: This could happen after SA selection has occurred for
3873  * outbound.. which will tell us who the src and dst identities are..
3874  * Then it's just a matter of splicing the ah/esp SA pointers from the
3875  * ipsec_out_t to the ipsec_in_t.
3876  */
3877 void
3878 ipsec_out_to_in(mblk_t *ipsec_mp)
3879 {
3880 	ipsec_in_t  *ii;
3881 	ipsec_out_t *io;
3882 	ipsec_policy_t *pol;
3883 	ipsec_action_t *act;
3884 	boolean_t v4, icmp_loopback;
3885 
3886 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
3887 
3888 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
3889 
3890 	v4 = io->ipsec_out_v4;
3891 	icmp_loopback = io->ipsec_out_icmp_loopback;
3892 
3893 	act = io->ipsec_out_act;
3894 	if (act == NULL) {
3895 		pol = io->ipsec_out_policy;
3896 		if (pol != NULL) {
3897 			act = pol->ipsp_act;
3898 			IPACT_REFHOLD(act);
3899 		}
3900 	}
3901 	io->ipsec_out_act = NULL;
3902 
3903 	ipsec_out_release_refs(io);
3904 
3905 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
3906 	bzero(ii, sizeof (ipsec_in_t));
3907 	ii->ipsec_in_type = IPSEC_IN;
3908 	ii->ipsec_in_len = sizeof (ipsec_in_t);
3909 	ii->ipsec_in_loopback = B_TRUE;
3910 	ii->ipsec_in_frtn.free_func = ipsec_in_free;
3911 	ii->ipsec_in_frtn.free_arg = (char *)ii;
3912 	ii->ipsec_in_action = act;
3913 
3914 	/*
3915 	 * In most of the cases, we can't look at the ipsec_out_XXX_sa
3916 	 * because this never went through IPSEC processing. So, look at
3917 	 * the requests and infer whether it would have gone through
3918 	 * IPSEC processing or not. Initialize the "done" fields with
3919 	 * the requests. The possible values for "done" fields are :
3920 	 *
3921 	 * 1) zero, indicates that a particular preference was never
3922 	 *    requested.
3923 	 * 2) non-zero, indicates that it could be IPSEC_PREF_REQUIRED/
3924 	 *    IPSEC_PREF_NEVER. If IPSEC_REQ_DONE is set, it means that
3925 	 *    IPSEC processing has been completed.
3926 	 */
3927 	ii->ipsec_in_secure = B_TRUE;
3928 	ii->ipsec_in_v4 = v4;
3929 	ii->ipsec_in_icmp_loopback = icmp_loopback;
3930 	ii->ipsec_in_attach_if = B_FALSE;
3931 }
3932 
3933 /*
3934  * Consults global policy to see whether this datagram should
3935  * go out secure. If so it attaches a ipsec_mp in front and
3936  * returns.
3937  */
3938 mblk_t *
3939 ip_wput_attach_policy(mblk_t *ipsec_mp, ipha_t *ipha, ip6_t *ip6h, ire_t *ire,
3940     conn_t *connp, boolean_t unspec_src)
3941 {
3942 	mblk_t *mp;
3943 	ipsec_out_t *io = NULL;
3944 	ipsec_selector_t sel;
3945 	uint_t	ill_index;
3946 	boolean_t conn_dontroutex;
3947 	boolean_t conn_multicast_loopx;
3948 	boolean_t policy_present;
3949 
3950 	ASSERT((ipha != NULL && ip6h == NULL) ||
3951 	    (ip6h != NULL && ipha == NULL));
3952 
3953 	bzero((void*)&sel, sizeof (sel));
3954 
3955 	if (ipha != NULL)
3956 		policy_present = ipsec_outbound_v4_policy_present;
3957 	else
3958 		policy_present = ipsec_outbound_v6_policy_present;
3959 	/*
3960 	 * Fast Path to see if there is any policy.
3961 	 */
3962 	if (!policy_present) {
3963 		if (ipsec_mp->b_datap->db_type == M_CTL) {
3964 			io = (ipsec_out_t *)ipsec_mp->b_rptr;
3965 			if (!io->ipsec_out_secure) {
3966 				/*
3967 				 * If there is no global policy and ip_wput
3968 				 * or ip_wput_multicast has attached this mp
3969 				 * for multicast case, free the ipsec_mp and
3970 				 * return the original mp.
3971 				 */
3972 				mp = ipsec_mp->b_cont;
3973 				freeb(ipsec_mp);
3974 				ipsec_mp = mp;
3975 				io = NULL;
3976 			}
3977 		}
3978 		if (((io == NULL) || (io->ipsec_out_polhead == NULL)) &&
3979 		    ((connp == NULL) || (connp->conn_policy == NULL)))
3980 			return (ipsec_mp);
3981 	}
3982 
3983 	ill_index = 0;
3984 	conn_multicast_loopx = conn_dontroutex = B_FALSE;
3985 	mp = ipsec_mp;
3986 	if (ipsec_mp->b_datap->db_type == M_CTL) {
3987 		mp = ipsec_mp->b_cont;
3988 		/*
3989 		 * This is a connection where we have some per-socket
3990 		 * policy or ip_wput has attached an ipsec_mp for
3991 		 * the multicast datagram.
3992 		 */
3993 		io = (ipsec_out_t *)ipsec_mp->b_rptr;
3994 		if (!io->ipsec_out_secure) {
3995 			/*
3996 			 * This ipsec_mp was allocated in ip_wput or
3997 			 * ip_wput_multicast so that we will know the
3998 			 * value of ill_index, conn_dontroute,
3999 			 * conn_multicast_loop in the multicast case if
4000 			 * we inherit global policy here.
4001 			 */
4002 			ill_index = io->ipsec_out_ill_index;
4003 			conn_dontroutex = io->ipsec_out_dontroute;
4004 			conn_multicast_loopx = io->ipsec_out_multicast_loop;
4005 			freeb(ipsec_mp);
4006 			ipsec_mp = mp;
4007 			io = NULL;
4008 		}
4009 	}
4010 
4011 	if (ipha != NULL) {
4012 		sel.ips_local_addr_v4 = (ipha->ipha_src != 0 ?
4013 		    ipha->ipha_src : ire->ire_src_addr);
4014 		sel.ips_remote_addr_v4 = ip_get_dst(ipha);
4015 		sel.ips_protocol = (uint8_t)ipha->ipha_protocol;
4016 		sel.ips_isv4 = B_TRUE;
4017 	} else {
4018 		ushort_t hdr_len;
4019 		uint8_t	*nexthdrp;
4020 		boolean_t is_fragment;
4021 
4022 		sel.ips_isv4 = B_FALSE;
4023 		if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) {
4024 			if (!unspec_src)
4025 				sel.ips_local_addr_v6 = ire->ire_src_addr_v6;
4026 		} else {
4027 			sel.ips_local_addr_v6 = ip6h->ip6_src;
4028 		}
4029 
4030 		sel.ips_remote_addr_v6 = ip_get_dst_v6(ip6h, &is_fragment);
4031 		if (is_fragment) {
4032 			/*
4033 			 * It's a packet fragment for a packet that
4034 			 * we have already processed (since IPsec processing
4035 			 * is done before fragmentation), so we don't
4036 			 * have to do policy checks again. Fragments can
4037 			 * come back to us for processing if they have
4038 			 * been queued up due to flow control.
4039 			 */
4040 			if (ipsec_mp->b_datap->db_type == M_CTL) {
4041 				mp = ipsec_mp->b_cont;
4042 				freeb(ipsec_mp);
4043 				ipsec_mp = mp;
4044 			}
4045 			return (ipsec_mp);
4046 		}
4047 
4048 		/* IPv6 common-case. */
4049 		sel.ips_protocol = ip6h->ip6_nxt;
4050 		switch (ip6h->ip6_nxt) {
4051 		case IPPROTO_TCP:
4052 		case IPPROTO_UDP:
4053 		case IPPROTO_SCTP:
4054 		case IPPROTO_ICMPV6:
4055 			break;
4056 		default:
4057 			if (!ip_hdr_length_nexthdr_v6(mp, ip6h,
4058 			    &hdr_len, &nexthdrp)) {
4059 				BUMP_MIB(&ip6_mib, ipv6OutDiscards);
4060 				freemsg(ipsec_mp); /* Not IPsec-related drop. */
4061 				return (NULL);
4062 			}
4063 			sel.ips_protocol = *nexthdrp;
4064 			break;
4065 		}
4066 	}
4067 
4068 	if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h)) {
4069 		if (ipha != NULL) {
4070 			BUMP_MIB(&ip_mib, ipOutDiscards);
4071 		} else {
4072 			BUMP_MIB(&ip6_mib, ipv6OutDiscards);
4073 		}
4074 
4075 		ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
4076 		    &ipdrops_spd_nomem, &spd_dropper);
4077 		return (NULL);
4078 	}
4079 
4080 	if (io != NULL) {
4081 		/*
4082 		 * We seem to have some local policy (we already have
4083 		 * an ipsec_out).  Look at global policy and see
4084 		 * whether we have to inherit or not.
4085 		 */
4086 		io->ipsec_out_need_policy = B_FALSE;
4087 		ipsec_mp = ipsec_apply_global_policy(ipsec_mp, connp, &sel);
4088 		ASSERT((io->ipsec_out_policy != NULL) ||
4089 		    (io->ipsec_out_act != NULL));
4090 		ASSERT(io->ipsec_out_need_policy == B_FALSE);
4091 		return (ipsec_mp);
4092 	}
4093 	ipsec_mp = ipsec_attach_global_policy(mp, connp, &sel);
4094 	if (ipsec_mp == NULL)
4095 		return (mp);
4096 
4097 	/*
4098 	 * Copy the right port information.
4099 	 */
4100 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
4101 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
4102 
4103 	ASSERT(io->ipsec_out_need_policy == B_FALSE);
4104 	ASSERT((io->ipsec_out_policy != NULL) ||
4105 	    (io->ipsec_out_act != NULL));
4106 	io->ipsec_out_src_port = sel.ips_local_port;
4107 	io->ipsec_out_dst_port = sel.ips_remote_port;
4108 	io->ipsec_out_icmp_type = sel.ips_icmp_type;
4109 	io->ipsec_out_icmp_code = sel.ips_icmp_code;
4110 	/*
4111 	 * Set ill_index, conn_dontroute and conn_multicast_loop
4112 	 * for multicast datagrams.
4113 	 */
4114 	io->ipsec_out_ill_index = ill_index;
4115 	io->ipsec_out_dontroute = conn_dontroutex;
4116 	io->ipsec_out_multicast_loop = conn_multicast_loopx;
4117 	/*
4118 	 * When conn is non-NULL, the zoneid is set by ipsec_init_ipsec_out().
4119 	 * Otherwise set the zoneid based on the ire.
4120 	 */
4121 	if (connp == NULL)
4122 		io->ipsec_out_zoneid = ire->ire_zoneid;
4123 	return (ipsec_mp);
4124 }
4125 
4126 /*
4127  * When appropriate, this function caches inbound and outbound policy
4128  * for this connection.
4129  *
4130  * XXX need to work out more details about per-interface policy and
4131  * caching here!
4132  *
4133  * XXX may want to split inbound and outbound caching for ill..
4134  */
4135 int
4136 ipsec_conn_cache_policy(conn_t *connp, boolean_t isv4)
4137 {
4138 	boolean_t global_policy_present;
4139 
4140 	/*
4141 	 * There is no policy latching for ICMP sockets because we can't
4142 	 * decide on which policy to use until we see the packet and get
4143 	 * type/code selectors.
4144 	 */
4145 	if (connp->conn_ulp == IPPROTO_ICMP ||
4146 	    connp->conn_ulp == IPPROTO_ICMPV6) {
4147 		connp->conn_in_enforce_policy =
4148 		    connp->conn_out_enforce_policy = B_TRUE;
4149 		if (connp->conn_latch != NULL) {
4150 			IPLATCH_REFRELE(connp->conn_latch);
4151 			connp->conn_latch = NULL;
4152 		}
4153 		connp->conn_flags |= IPCL_CHECK_POLICY;
4154 		return (0);
4155 	}
4156 
4157 	global_policy_present = isv4 ?
4158 	    (ipsec_outbound_v4_policy_present ||
4159 		ipsec_inbound_v4_policy_present) :
4160 	    (ipsec_outbound_v6_policy_present ||
4161 		ipsec_inbound_v6_policy_present);
4162 
4163 	if ((connp->conn_policy != NULL) || global_policy_present) {
4164 		ipsec_selector_t sel;
4165 		ipsec_policy_t	*p;
4166 
4167 		if (connp->conn_latch == NULL &&
4168 		    (connp->conn_latch = iplatch_create()) == NULL) {
4169 			return (ENOMEM);
4170 		}
4171 
4172 		sel.ips_protocol = connp->conn_ulp;
4173 		sel.ips_local_port = connp->conn_lport;
4174 		sel.ips_remote_port = connp->conn_fport;
4175 		sel.ips_is_icmp_inv_acq = 0;
4176 		sel.ips_isv4 = isv4;
4177 		if (isv4) {
4178 			sel.ips_local_addr_v4 = connp->conn_src;
4179 			sel.ips_remote_addr_v4 = connp->conn_rem;
4180 		} else {
4181 			sel.ips_local_addr_v6 = connp->conn_srcv6;
4182 			sel.ips_remote_addr_v6 = connp->conn_remv6;
4183 		}
4184 
4185 		p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, NULL, &sel);
4186 		if (connp->conn_latch->ipl_in_policy != NULL)
4187 			IPPOL_REFRELE(connp->conn_latch->ipl_in_policy);
4188 		connp->conn_latch->ipl_in_policy = p;
4189 		connp->conn_in_enforce_policy = (p != NULL);
4190 
4191 		p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, &sel);
4192 		if (connp->conn_latch->ipl_out_policy != NULL)
4193 			IPPOL_REFRELE(connp->conn_latch->ipl_out_policy);
4194 		connp->conn_latch->ipl_out_policy = p;
4195 		connp->conn_out_enforce_policy = (p != NULL);
4196 
4197 		/* Clear the latched actions too, in case we're recaching. */
4198 		if (connp->conn_latch->ipl_out_action != NULL)
4199 			IPACT_REFRELE(connp->conn_latch->ipl_out_action);
4200 		if (connp->conn_latch->ipl_in_action != NULL)
4201 			IPACT_REFRELE(connp->conn_latch->ipl_in_action);
4202 	}
4203 
4204 	/*
4205 	 * We may or may not have policy for this endpoint.  We still set
4206 	 * conn_policy_cached so that inbound datagrams don't have to look
4207 	 * at global policy as policy is considered latched for these
4208 	 * endpoints.  We should not set conn_policy_cached until the conn
4209 	 * reflects the actual policy. If we *set* this before inheriting
4210 	 * the policy there is a window where the check
4211 	 * CONN_INBOUND_POLICY_PRESENT, will neither check with the policy
4212 	 * on the conn (because we have not yet copied the policy on to
4213 	 * conn and hence not set conn_in_enforce_policy) nor with the
4214 	 * global policy (because conn_policy_cached is already set).
4215 	 */
4216 	connp->conn_policy_cached = B_TRUE;
4217 	if (connp->conn_in_enforce_policy)
4218 		connp->conn_flags |= IPCL_CHECK_POLICY;
4219 	return (0);
4220 }
4221 
4222 void
4223 iplatch_free(ipsec_latch_t *ipl)
4224 {
4225 	if (ipl->ipl_out_policy != NULL)
4226 		IPPOL_REFRELE(ipl->ipl_out_policy);
4227 	if (ipl->ipl_in_policy != NULL)
4228 		IPPOL_REFRELE(ipl->ipl_in_policy);
4229 	if (ipl->ipl_in_action != NULL)
4230 		IPACT_REFRELE(ipl->ipl_in_action);
4231 	if (ipl->ipl_out_action != NULL)
4232 		IPACT_REFRELE(ipl->ipl_out_action);
4233 	if (ipl->ipl_local_cid != NULL)
4234 		IPSID_REFRELE(ipl->ipl_local_cid);
4235 	if (ipl->ipl_remote_cid != NULL)
4236 		IPSID_REFRELE(ipl->ipl_remote_cid);
4237 	if (ipl->ipl_local_id != NULL)
4238 		crfree(ipl->ipl_local_id);
4239 	mutex_destroy(&ipl->ipl_lock);
4240 	kmem_free(ipl, sizeof (*ipl));
4241 }
4242 
4243 ipsec_latch_t *
4244 iplatch_create()
4245 {
4246 	ipsec_latch_t *ipl = kmem_alloc(sizeof (*ipl), KM_NOSLEEP);
4247 	if (ipl == NULL)
4248 		return (ipl);
4249 	bzero(ipl, sizeof (*ipl));
4250 	mutex_init(&ipl->ipl_lock, NULL, MUTEX_DEFAULT, NULL);
4251 	ipl->ipl_refcnt = 1;
4252 	return (ipl);
4253 }
4254 
4255 /*
4256  * Identity hash table.
4257  *
4258  * Identities are refcounted and "interned" into the hash table.
4259  * Only references coming from other objects (SA's, latching state)
4260  * are counted in ipsid_refcnt.
4261  *
4262  * Locking: IPSID_REFHOLD is safe only when (a) the object's hash bucket
4263  * is locked, (b) we know that the refcount must be > 0.
4264  *
4265  * The ipsid_next and ipsid_ptpn fields are only to be referenced or
4266  * modified when the bucket lock is held; in particular, we only
4267  * delete objects while holding the bucket lock, and we only increase
4268  * the refcount from 0 to 1 while the bucket lock is held.
4269  */
4270 
4271 #define	IPSID_HASHSIZE 64
4272 
4273 typedef struct ipsif_s
4274 {
4275 	ipsid_t *ipsif_head;
4276 	kmutex_t ipsif_lock;
4277 } ipsif_t;
4278 
4279 ipsif_t ipsid_buckets[IPSID_HASHSIZE];
4280 
4281 /*
4282  * Hash function for ID hash table.
4283  */
4284 static uint32_t
4285 ipsid_hash(int idtype, char *idstring)
4286 {
4287 	uint32_t hval = idtype;
4288 	unsigned char c;
4289 
4290 	while ((c = *idstring++) != 0) {
4291 		hval = (hval << 4) | (hval >> 28);
4292 		hval ^= c;
4293 	}
4294 	hval = hval ^ (hval >> 16);
4295 	return (hval & (IPSID_HASHSIZE-1));
4296 }
4297 
4298 /*
4299  * Look up identity string in hash table.  Return identity object
4300  * corresponding to the name -- either preexisting, or newly allocated.
4301  *
4302  * Return NULL if we need to allocate a new one and can't get memory.
4303  */
4304 ipsid_t *
4305 ipsid_lookup(int idtype, char *idstring)
4306 {
4307 	ipsid_t *retval;
4308 	char *nstr;
4309 	int idlen = strlen(idstring) + 1;
4310 
4311 	ipsif_t *bucket = &ipsid_buckets[ipsid_hash(idtype, idstring)];
4312 
4313 	mutex_enter(&bucket->ipsif_lock);
4314 
4315 	for (retval = bucket->ipsif_head; retval != NULL;
4316 	    retval = retval->ipsid_next) {
4317 		if (idtype != retval->ipsid_type)
4318 			continue;
4319 		if (bcmp(idstring, retval->ipsid_cid, idlen) != 0)
4320 			continue;
4321 
4322 		IPSID_REFHOLD(retval);
4323 		mutex_exit(&bucket->ipsif_lock);
4324 		return (retval);
4325 	}
4326 
4327 	retval = kmem_alloc(sizeof (*retval), KM_NOSLEEP);
4328 	if (!retval) {
4329 		mutex_exit(&bucket->ipsif_lock);
4330 		return (NULL);
4331 	}
4332 
4333 	nstr = kmem_alloc(idlen, KM_NOSLEEP);
4334 	if (!nstr) {
4335 		mutex_exit(&bucket->ipsif_lock);
4336 		kmem_free(retval, sizeof (*retval));
4337 		return (NULL);
4338 	}
4339 
4340 	retval->ipsid_refcnt = 1;
4341 	retval->ipsid_next = bucket->ipsif_head;
4342 	if (retval->ipsid_next != NULL)
4343 		retval->ipsid_next->ipsid_ptpn = &retval->ipsid_next;
4344 	retval->ipsid_ptpn = &bucket->ipsif_head;
4345 	retval->ipsid_type = idtype;
4346 	retval->ipsid_cid = nstr;
4347 	bucket->ipsif_head = retval;
4348 	bcopy(idstring, nstr, idlen);
4349 	mutex_exit(&bucket->ipsif_lock);
4350 
4351 	return (retval);
4352 }
4353 
4354 /*
4355  * Garbage collect the identity hash table.
4356  */
4357 void
4358 ipsid_gc()
4359 {
4360 	int i, len;
4361 	ipsid_t *id, *nid;
4362 	ipsif_t *bucket;
4363 
4364 	for (i = 0; i < IPSID_HASHSIZE; i++) {
4365 		bucket = &ipsid_buckets[i];
4366 		mutex_enter(&bucket->ipsif_lock);
4367 		for (id = bucket->ipsif_head; id != NULL; id = nid) {
4368 			nid = id->ipsid_next;
4369 			if (id->ipsid_refcnt == 0) {
4370 				*id->ipsid_ptpn = nid;
4371 				if (nid != NULL)
4372 					nid->ipsid_ptpn = id->ipsid_ptpn;
4373 				len = strlen(id->ipsid_cid) + 1;
4374 				kmem_free(id->ipsid_cid, len);
4375 				kmem_free(id, sizeof (*id));
4376 			}
4377 		}
4378 		mutex_exit(&bucket->ipsif_lock);
4379 	}
4380 }
4381 
4382 /*
4383  * Return true if two identities are the same.
4384  */
4385 boolean_t
4386 ipsid_equal(ipsid_t *id1, ipsid_t *id2)
4387 {
4388 	if (id1 == id2)
4389 		return (B_TRUE);
4390 #ifdef DEBUG
4391 	if ((id1 == NULL) || (id2 == NULL))
4392 		return (B_FALSE);
4393 	/*
4394 	 * test that we're interning id's correctly..
4395 	 */
4396 	ASSERT((strcmp(id1->ipsid_cid, id2->ipsid_cid) != 0) ||
4397 	    (id1->ipsid_type != id2->ipsid_type));
4398 #endif
4399 	return (B_FALSE);
4400 }
4401 
4402 /*
4403  * Initialize identity table; called during module initialization.
4404  */
4405 static void
4406 ipsid_init()
4407 {
4408 	ipsif_t *bucket;
4409 	int i;
4410 
4411 	for (i = 0; i < IPSID_HASHSIZE; i++) {
4412 		bucket = &ipsid_buckets[i];
4413 		mutex_init(&bucket->ipsif_lock, NULL, MUTEX_DEFAULT, NULL);
4414 	}
4415 }
4416 
4417 /*
4418  * Free identity table (preparatory to module unload)
4419  */
4420 static void
4421 ipsid_fini()
4422 {
4423 	ipsif_t *bucket;
4424 	int i;
4425 
4426 	for (i = 0; i < IPSID_HASHSIZE; i++) {
4427 		bucket = &ipsid_buckets[i];
4428 		mutex_destroy(&bucket->ipsif_lock);
4429 	}
4430 }
4431 
4432 /*
4433  * Update the minimum and maximum supported key sizes for the
4434  * specified algorithm. Must be called while holding the algorithms lock.
4435  */
4436 void
4437 ipsec_alg_fix_min_max(ipsec_alginfo_t *alg, ipsec_algtype_t alg_type)
4438 {
4439 	size_t crypto_min = (size_t)-1, crypto_max = 0;
4440 	size_t cur_crypto_min, cur_crypto_max;
4441 	boolean_t is_valid;
4442 	crypto_mechanism_info_t *mech_infos;
4443 	uint_t nmech_infos;
4444 	int crypto_rc, i;
4445 	crypto_mech_usage_t mask;
4446 
4447 	ASSERT(MUTEX_HELD(&alg_lock));
4448 
4449 	/*
4450 	 * Compute the min, max, and default key sizes (in number of
4451 	 * increments to the default key size in bits) as defined
4452 	 * by the algorithm mappings. This range of key sizes is used
4453 	 * for policy related operations. The effective key sizes
4454 	 * supported by the framework could be more limited than
4455 	 * those defined for an algorithm.
4456 	 */
4457 	alg->alg_default_bits = alg->alg_key_sizes[0];
4458 	if (alg->alg_increment != 0) {
4459 		/* key sizes are defined by range & increment */
4460 		alg->alg_minbits = alg->alg_key_sizes[1];
4461 		alg->alg_maxbits = alg->alg_key_sizes[2];
4462 
4463 		alg->alg_default = SADB_ALG_DEFAULT_INCR(alg->alg_minbits,
4464 		    alg->alg_increment, alg->alg_default_bits);
4465 	} else if (alg->alg_nkey_sizes == 0) {
4466 		/* no specified key size for algorithm */
4467 		alg->alg_minbits = alg->alg_maxbits = 0;
4468 	} else {
4469 		/* key sizes are defined by enumeration */
4470 		alg->alg_minbits = (uint16_t)-1;
4471 		alg->alg_maxbits = 0;
4472 
4473 		for (i = 0; i < alg->alg_nkey_sizes; i++) {
4474 			if (alg->alg_key_sizes[i] < alg->alg_minbits)
4475 				alg->alg_minbits = alg->alg_key_sizes[i];
4476 			if (alg->alg_key_sizes[i] > alg->alg_maxbits)
4477 				alg->alg_maxbits = alg->alg_key_sizes[i];
4478 		}
4479 		alg->alg_default = 0;
4480 	}
4481 
4482 	if (!(alg->alg_flags & ALG_FLAG_VALID))
4483 		return;
4484 
4485 	/*
4486 	 * Mechanisms do not apply to the NULL encryption
4487 	 * algorithm, so simply return for this case.
4488 	 */
4489 	if (alg->alg_id == SADB_EALG_NULL)
4490 		return;
4491 
4492 	/*
4493 	 * Find the min and max key sizes supported by the cryptographic
4494 	 * framework providers.
4495 	 */
4496 
4497 	/* get the key sizes supported by the framework */
4498 	crypto_rc = crypto_get_all_mech_info(alg->alg_mech_type,
4499 	    &mech_infos, &nmech_infos, KM_SLEEP);
4500 	if (crypto_rc != CRYPTO_SUCCESS || nmech_infos == 0) {
4501 		alg->alg_flags &= ~ALG_FLAG_VALID;
4502 		return;
4503 	}
4504 
4505 	/* min and max key sizes supported by framework */
4506 	for (i = 0, is_valid = B_FALSE; i < nmech_infos; i++) {
4507 		int unit_bits;
4508 
4509 		/*
4510 		 * Ignore entries that do not support the operations
4511 		 * needed for the algorithm type.
4512 		 */
4513 		if (alg_type == IPSEC_ALG_AUTH)
4514 			mask = CRYPTO_MECH_USAGE_MAC;
4515 		else
4516 			mask = CRYPTO_MECH_USAGE_ENCRYPT |
4517 				CRYPTO_MECH_USAGE_DECRYPT;
4518 		if ((mech_infos[i].mi_usage & mask) != mask)
4519 			continue;
4520 
4521 		unit_bits = (mech_infos[i].mi_keysize_unit ==
4522 		    CRYPTO_KEYSIZE_UNIT_IN_BYTES)  ? 8 : 1;
4523 		/* adjust min/max supported by framework */
4524 		cur_crypto_min = mech_infos[i].mi_min_key_size * unit_bits;
4525 		cur_crypto_max = mech_infos[i].mi_max_key_size * unit_bits;
4526 
4527 		if (cur_crypto_min < crypto_min)
4528 			crypto_min = cur_crypto_min;
4529 
4530 		/*
4531 		 * CRYPTO_EFFECTIVELY_INFINITE is a special value of
4532 		 * the crypto framework which means "no upper limit".
4533 		 */
4534 		if (mech_infos[i].mi_max_key_size ==
4535 		    CRYPTO_EFFECTIVELY_INFINITE)
4536 			crypto_max = (size_t)-1;
4537 		else if (cur_crypto_max > crypto_max)
4538 			crypto_max = cur_crypto_max;
4539 
4540 		is_valid = B_TRUE;
4541 	}
4542 
4543 	kmem_free(mech_infos, sizeof (crypto_mechanism_info_t) *
4544 	    nmech_infos);
4545 
4546 	if (!is_valid) {
4547 		/* no key sizes supported by framework */
4548 		alg->alg_flags &= ~ALG_FLAG_VALID;
4549 		return;
4550 	}
4551 
4552 	/*
4553 	 * Determine min and max key sizes from alg_key_sizes[].
4554 	 * defined for the algorithm entry. Adjust key sizes based on
4555 	 * those supported by the framework.
4556 	 */
4557 	alg->alg_ef_default_bits = alg->alg_key_sizes[0];
4558 	if (alg->alg_increment != 0) {
4559 		/* supported key sizes are defined by range  & increment */
4560 		crypto_min = ALGBITS_ROUND_UP(crypto_min, alg->alg_increment);
4561 		crypto_max = ALGBITS_ROUND_DOWN(crypto_max, alg->alg_increment);
4562 
4563 		alg->alg_ef_minbits = MAX(alg->alg_minbits,
4564 		    (uint16_t)crypto_min);
4565 		alg->alg_ef_maxbits = MIN(alg->alg_maxbits,
4566 		    (uint16_t)crypto_max);
4567 
4568 		/*
4569 		 * If the sizes supported by the framework are outside
4570 		 * the range of sizes defined by the algorithm mappings,
4571 		 * the algorithm cannot be used. Check for this
4572 		 * condition here.
4573 		 */
4574 		if (alg->alg_ef_minbits > alg->alg_ef_maxbits) {
4575 			alg->alg_flags &= ~ALG_FLAG_VALID;
4576 			return;
4577 		}
4578 
4579 		if (alg->alg_ef_default_bits < alg->alg_ef_minbits)
4580 		    alg->alg_ef_default_bits = alg->alg_ef_minbits;
4581 		if (alg->alg_ef_default_bits > alg->alg_ef_maxbits)
4582 		    alg->alg_ef_default_bits = alg->alg_ef_maxbits;
4583 
4584 		alg->alg_ef_default = SADB_ALG_DEFAULT_INCR(alg->alg_ef_minbits,
4585 		    alg->alg_increment, alg->alg_ef_default_bits);
4586 	} else if (alg->alg_nkey_sizes == 0) {
4587 		/* no specified key size for algorithm */
4588 		alg->alg_ef_minbits = alg->alg_ef_maxbits = 0;
4589 	} else {
4590 		/* supported key sizes are defined by enumeration */
4591 		alg->alg_ef_minbits = (uint16_t)-1;
4592 		alg->alg_ef_maxbits = 0;
4593 
4594 		for (i = 0, is_valid = B_FALSE; i < alg->alg_nkey_sizes; i++) {
4595 			/*
4596 			 * Ignore the current key size if it is not in the
4597 			 * range of sizes supported by the framework.
4598 			 */
4599 			if (alg->alg_key_sizes[i] < crypto_min ||
4600 			    alg->alg_key_sizes[i] > crypto_max)
4601 				continue;
4602 			if (alg->alg_key_sizes[i] < alg->alg_ef_minbits)
4603 				alg->alg_ef_minbits = alg->alg_key_sizes[i];
4604 			if (alg->alg_key_sizes[i] > alg->alg_ef_maxbits)
4605 				alg->alg_ef_maxbits = alg->alg_key_sizes[i];
4606 			is_valid = B_TRUE;
4607 		}
4608 
4609 		if (!is_valid) {
4610 			alg->alg_flags &= ~ALG_FLAG_VALID;
4611 			return;
4612 		}
4613 		alg->alg_ef_default = 0;
4614 	}
4615 }
4616 
4617 /*
4618  * Free the memory used by the specified algorithm.
4619  */
4620 void
4621 ipsec_alg_free(ipsec_alginfo_t *alg)
4622 {
4623 	if (alg == NULL)
4624 		return;
4625 
4626 	if (alg->alg_key_sizes != NULL)
4627 		kmem_free(alg->alg_key_sizes,
4628 		    (alg->alg_nkey_sizes + 1) * sizeof (uint16_t));
4629 
4630 	if (alg->alg_block_sizes != NULL)
4631 		kmem_free(alg->alg_block_sizes,
4632 		    (alg->alg_nblock_sizes + 1) * sizeof (uint16_t));
4633 
4634 	kmem_free(alg, sizeof (*alg));
4635 }
4636 
4637 /*
4638  * Check the validity of the specified key size for an algorithm.
4639  * Returns B_TRUE if key size is valid, B_FALSE otherwise.
4640  */
4641 boolean_t
4642 ipsec_valid_key_size(uint16_t key_size, ipsec_alginfo_t *alg)
4643 {
4644 	if (key_size < alg->alg_ef_minbits || key_size > alg->alg_ef_maxbits)
4645 		return (B_FALSE);
4646 
4647 	if (alg->alg_increment == 0 && alg->alg_nkey_sizes != 0) {
4648 		/*
4649 		 * If the key sizes are defined by enumeration, the new
4650 		 * key size must be equal to one of the supported values.
4651 		 */
4652 		int i;
4653 
4654 		for (i = 0; i < alg->alg_nkey_sizes; i++)
4655 			if (key_size == alg->alg_key_sizes[i])
4656 				break;
4657 		if (i == alg->alg_nkey_sizes)
4658 			return (B_FALSE);
4659 	}
4660 
4661 	return (B_TRUE);
4662 }
4663 
4664 /*
4665  * Callback function invoked by the crypto framework when a provider
4666  * registers or unregisters. This callback updates the algorithms
4667  * tables when a crypto algorithm is no longer available or becomes
4668  * available, and triggers the freeing/creation of context templates
4669  * associated with existing SAs, if needed.
4670  */
4671 void
4672 ipsec_prov_update_callback(uint32_t event, void *event_arg)
4673 {
4674 	crypto_notify_event_change_t *prov_change =
4675 	    (crypto_notify_event_change_t *)event_arg;
4676 	uint_t algidx, algid, algtype, mech_count, mech_idx;
4677 	ipsec_alginfo_t *alg;
4678 	ipsec_alginfo_t oalg;
4679 	crypto_mech_name_t *mechs;
4680 	boolean_t alg_changed = B_FALSE;
4681 
4682 	/* ignore events for which we didn't register */
4683 	if (event != CRYPTO_EVENT_PROVIDERS_CHANGE) {
4684 		ip1dbg(("ipsec_prov_update_callback: unexpected event 0x%x "
4685 			" received from crypto framework\n", event));
4686 		return;
4687 	}
4688 
4689 	mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
4690 	if (mechs == NULL)
4691 		return;
4692 
4693 	/*
4694 	 * Walk the list of currently defined IPsec algorithm. Update
4695 	 * the algorithm valid flag and trigger an update of the
4696 	 * SAs that depend on that algorithm.
4697 	 */
4698 	mutex_enter(&alg_lock);
4699 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
4700 		for (algidx = 0; algidx < ipsec_nalgs[algtype]; algidx++) {
4701 
4702 			algid = ipsec_sortlist[algtype][algidx];
4703 			alg = ipsec_alglists[algtype][algid];
4704 			ASSERT(alg != NULL);
4705 
4706 			/*
4707 			 * Skip the algorithms which do not map to the
4708 			 * crypto framework provider being added or removed.
4709 			 */
4710 			if (strncmp(alg->alg_mech_name,
4711 			    prov_change->ec_mech_name,
4712 			    CRYPTO_MAX_MECH_NAME) != 0)
4713 				continue;
4714 
4715 			/*
4716 			 * Determine if the mechanism is valid. If it
4717 			 * is not, mark the algorithm as being invalid. If
4718 			 * it is, mark the algorithm as being valid.
4719 			 */
4720 			for (mech_idx = 0; mech_idx < mech_count; mech_idx++)
4721 				if (strncmp(alg->alg_mech_name,
4722 				    mechs[mech_idx], CRYPTO_MAX_MECH_NAME) == 0)
4723 					break;
4724 			if (mech_idx == mech_count &&
4725 			    alg->alg_flags & ALG_FLAG_VALID) {
4726 				alg->alg_flags &= ~ALG_FLAG_VALID;
4727 				alg_changed = B_TRUE;
4728 			} else if (mech_idx < mech_count &&
4729 			    !(alg->alg_flags & ALG_FLAG_VALID)) {
4730 				alg->alg_flags |= ALG_FLAG_VALID;
4731 				alg_changed = B_TRUE;
4732 			}
4733 
4734 			/*
4735 			 * Update the supported key sizes, regardless
4736 			 * of whether a crypto provider was added or
4737 			 * removed.
4738 			 */
4739 			oalg = *alg;
4740 			ipsec_alg_fix_min_max(alg, algtype);
4741 			if (!alg_changed &&
4742 			    alg->alg_ef_minbits != oalg.alg_ef_minbits ||
4743 			    alg->alg_ef_maxbits != oalg.alg_ef_maxbits ||
4744 			    alg->alg_ef_default != oalg.alg_ef_default ||
4745 			    alg->alg_ef_default_bits !=
4746 			    oalg.alg_ef_default_bits)
4747 				alg_changed = B_TRUE;
4748 
4749 			/*
4750 			 * Update the affected SAs if a software provider is
4751 			 * being added or removed.
4752 			 */
4753 			if (prov_change->ec_provider_type ==
4754 			    CRYPTO_SW_PROVIDER)
4755 				sadb_alg_update(algtype, alg->alg_id,
4756 				    prov_change->ec_change ==
4757 				    CRYPTO_EVENT_CHANGE_ADDED);
4758 		}
4759 	}
4760 	mutex_exit(&alg_lock);
4761 	crypto_free_mech_list(mechs, mech_count);
4762 
4763 	if (alg_changed) {
4764 		/*
4765 		 * An algorithm has changed, i.e. it became valid or
4766 		 * invalid, or its support key sizes have changed.
4767 		 * Notify ipsecah and ipsecesp of this change so
4768 		 * that they can send a SADB_REGISTER to their consumers.
4769 		 */
4770 		ipsecah_algs_changed();
4771 		ipsecesp_algs_changed();
4772 	}
4773 }
4774 
4775 /*
4776  * Registers with the crypto framework to be notified of crypto
4777  * providers changes. Used to update the algorithm tables and
4778  * to free or create context templates if needed. Invoked after IPsec
4779  * is loaded successfully.
4780  */
4781 void
4782 ipsec_register_prov_update(void)
4783 {
4784 	prov_update_handle = crypto_notify_events(
4785 	    ipsec_prov_update_callback, CRYPTO_EVENT_PROVIDERS_CHANGE);
4786 }
4787 
4788 /*
4789  * Unregisters from the framework to be notified of crypto providers
4790  * changes. Called from ipsec_policy_destroy().
4791  */
4792 static void
4793 ipsec_unregister_prov_update(void)
4794 {
4795 	if (prov_update_handle != NULL)
4796 		crypto_unnotify_events(prov_update_handle);
4797 }
4798