xref: /illumos-gate/usr/src/uts/common/inet/ip/spdsock.c (revision 8a2b682e57a046b828f37bcde1776f131ef4629f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
24  * Copyright 2019, Joyent, Inc.
25  */
26 
27 #include <sys/param.h>
28 #include <sys/types.h>
29 #include <sys/stream.h>
30 #include <sys/strsubr.h>
31 #include <sys/strsun.h>
32 #include <sys/stropts.h>
33 #include <sys/zone.h>
34 #include <sys/vnode.h>
35 #include <sys/sysmacros.h>
36 #define	_SUN_TPI_VERSION 2
37 #include <sys/tihdr.h>
38 #include <sys/timod.h>
39 #include <sys/ddi.h>
40 #include <sys/sunddi.h>
41 #include <sys/mkdev.h>
42 #include <sys/debug.h>
43 #include <sys/kmem.h>
44 #include <sys/cmn_err.h>
45 #include <sys/suntpi.h>
46 #include <sys/policy.h>
47 #include <sys/dls.h>
48 
49 #include <sys/socket.h>
50 #include <netinet/in.h>
51 #include <net/pfkeyv2.h>
52 #include <net/pfpolicy.h>
53 
54 #include <inet/common.h>
55 #include <netinet/ip6.h>
56 #include <inet/ip.h>
57 #include <inet/ip6.h>
58 #include <inet/mi.h>
59 #include <inet/proto_set.h>
60 #include <inet/nd.h>
61 #include <inet/ip_if.h>
62 #include <inet/optcom.h>
63 #include <inet/ipsec_impl.h>
64 #include <inet/spdsock.h>
65 #include <inet/sadb.h>
66 #include <inet/iptun.h>
67 #include <inet/iptun/iptun_impl.h>
68 
69 #include <sys/isa_defs.h>
70 
71 #include <c2/audit.h>
72 
73 /*
74  * This is a transport provider for the PF_POLICY IPsec policy
75  * management socket, which provides a management interface into the
76  * SPD, allowing policy rules to be added, deleted, and queried.
77  *
78  * This effectively replaces the old private SIOC*IPSECONFIG ioctls
79  * with an extensible interface which will hopefully be public some
80  * day.
81  *
82  * See <net/pfpolicy.h> for more details on the protocol.
83  *
84  * We link against drv/ip and call directly into it to manipulate the
85  * SPD; see ipsec_impl.h for the policy data structures and spd.c for
86  * the code which maintains them.
87  *
88  * The MT model of this is QPAIR with the addition of some explicit
89  * locking to protect system-wide policy data structures.
90  */
91 
92 static vmem_t *spdsock_vmem;		/* for minor numbers. */
93 
94 #define	ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t))
95 
96 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */
97 static struct T_info_ack spdsock_g_t_info_ack = {
98 	T_INFO_ACK,
99 	T_INFINITE,	/* TSDU_size. Maximum size messages. */
100 	T_INVALID,	/* ETSDU_size. No expedited data. */
101 	T_INVALID,	/* CDATA_size. No connect data. */
102 	T_INVALID,	/* DDATA_size. No disconnect data. */
103 	0,		/* ADDR_size. */
104 	0,		/* OPT_size. No user-settable options */
105 	64 * 1024,	/* TIDU_size. spdsock allows maximum size messages. */
106 	T_COTS,		/* SERV_type. spdsock supports connection oriented. */
107 	TS_UNBND,	/* CURRENT_state. This is set from spdsock_state. */
108 	(XPG4_1)	/* Provider flags */
109 };
110 
111 /* Named Dispatch Parameter Management Structure */
112 typedef struct spdsockparam_s {
113 	uint_t	spdsock_param_min;
114 	uint_t	spdsock_param_max;
115 	uint_t	spdsock_param_value;
116 	char *spdsock_param_name;
117 } spdsockparam_t;
118 
119 /*
120  * Table of NDD variables supported by spdsock. These are loaded into
121  * spdsock_g_nd in spdsock_init_nd.
122  * All of these are alterable, within the min/max values given, at run time.
123  */
124 static	spdsockparam_t	lcl_param_arr[] = {
125 	/* min	max	value	name */
126 	{ 4096, 65536,	8192,	"spdsock_xmit_hiwat"},
127 	{ 0,	65536,	1024,	"spdsock_xmit_lowat"},
128 	{ 4096, 65536,	8192,	"spdsock_recv_hiwat"},
129 	{ 65536, 1024*1024*1024, 256*1024,	"spdsock_max_buf"},
130 	{ 0,	3,	0,	"spdsock_debug"},
131 };
132 #define	spds_xmit_hiwat	spds_params[0].spdsock_param_value
133 #define	spds_xmit_lowat	spds_params[1].spdsock_param_value
134 #define	spds_recv_hiwat	spds_params[2].spdsock_param_value
135 #define	spds_max_buf	spds_params[3].spdsock_param_value
136 #define	spds_debug		spds_params[4].spdsock_param_value
137 
138 #define	ss0dbg(a)	printf a
139 /* NOTE:  != 0 instead of > 0 so lint doesn't complain. */
140 #define	ss1dbg(spds, a)	if (spds->spds_debug != 0) printf a
141 #define	ss2dbg(spds, a)	if (spds->spds_debug > 1) printf a
142 #define	ss3dbg(spds, a)	if (spds->spds_debug > 2) printf a
143 
144 #define	RESET_SPDSOCK_DUMP_POLHEAD(ss, iph) { \
145 	ASSERT(RW_READ_HELD(&(iph)->iph_lock)); \
146 	(ss)->spdsock_dump_head = (iph); \
147 	(ss)->spdsock_dump_gen = (iph)->iph_gen; \
148 	(ss)->spdsock_dump_cur_type = 0; \
149 	(ss)->spdsock_dump_cur_af = IPSEC_AF_V4; \
150 	(ss)->spdsock_dump_cur_rule = NULL; \
151 	(ss)->spdsock_dump_count = 0; \
152 	(ss)->spdsock_dump_cur_chain = 0; \
153 }
154 
155 static int spdsock_close(queue_t *, int, cred_t *);
156 static int spdsock_open(queue_t *, dev_t *, int, int, cred_t *);
157 static int spdsock_wput(queue_t *, mblk_t *);
158 static int spdsock_wsrv(queue_t *);
159 static int spdsock_rsrv(queue_t *);
160 static void *spdsock_stack_init(netstackid_t stackid, netstack_t *ns);
161 static void spdsock_stack_shutdown(netstackid_t stackid, void *arg);
162 static void spdsock_stack_fini(netstackid_t stackid, void *arg);
163 static void spdsock_loadcheck(void *);
164 static void spdsock_merge_algs(spd_stack_t *);
165 static void spdsock_flush_one(ipsec_policy_head_t *, netstack_t *);
166 static mblk_t *spdsock_dump_next_record(spdsock_t *);
167 static void update_iptun_policy(ipsec_tun_pol_t *);
168 
169 static struct module_info info = {
170 	5138, "spdsock", 1, INFPSZ, 512, 128
171 };
172 
173 static struct qinit rinit = {
174 	NULL, spdsock_rsrv, spdsock_open, spdsock_close,
175 	NULL, &info
176 };
177 
178 static struct qinit winit = {
179 	spdsock_wput, spdsock_wsrv, NULL, NULL, NULL, &info
180 };
181 
182 struct streamtab spdsockinfo = {
183 	&rinit, &winit
184 };
185 
186 /* mapping from alg type to protocol number, as per RFC 2407 */
187 static const uint_t algproto[] = {
188 	PROTO_IPSEC_AH,
189 	PROTO_IPSEC_ESP,
190 };
191 
192 #define	NALGPROTOS	(sizeof (algproto) / sizeof (algproto[0]))
193 
194 /* mapping from kernel exec mode to spdsock exec mode */
195 static const uint_t execmodes[] = {
196 	SPD_ALG_EXEC_MODE_SYNC,
197 	SPD_ALG_EXEC_MODE_ASYNC
198 };
199 
200 #define	NEXECMODES	(sizeof (execmodes) / sizeof (execmodes[0]))
201 
202 #define	ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1)
203 #define	ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2)
204 
205 #define	ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL)
206 
207 /* ARGSUSED */
208 static int
209 spdsock_param_get(
210     queue_t	*q,
211     mblk_t	*mp,
212     caddr_t	cp,
213     cred_t *cr)
214 {
215 	spdsockparam_t	*spdsockpa = (spdsockparam_t *)cp;
216 	uint_t value;
217 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
218 	spd_stack_t	*spds = ss->spdsock_spds;
219 
220 	mutex_enter(&spds->spds_param_lock);
221 	value = spdsockpa->spdsock_param_value;
222 	mutex_exit(&spds->spds_param_lock);
223 
224 	(void) mi_mpprintf(mp, "%u", value);
225 	return (0);
226 }
227 
228 /* This routine sets an NDD variable in a spdsockparam_t structure. */
229 /* ARGSUSED */
230 static int
231 spdsock_param_set(
232     queue_t	*q,
233     mblk_t	*mp,
234     char *value,
235     caddr_t	cp,
236     cred_t *cr)
237 {
238 	ulong_t	new_value;
239 	spdsockparam_t	*spdsockpa = (spdsockparam_t *)cp;
240 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
241 	spd_stack_t	*spds = ss->spdsock_spds;
242 
243 	/* Convert the value from a string into a long integer. */
244 	if (ddi_strtoul(value, NULL, 10, &new_value) != 0)
245 		return (EINVAL);
246 
247 	mutex_enter(&spds->spds_param_lock);
248 	/*
249 	 * Fail the request if the new value does not lie within the
250 	 * required bounds.
251 	 */
252 	if (new_value < spdsockpa->spdsock_param_min ||
253 	    new_value > spdsockpa->spdsock_param_max) {
254 		mutex_exit(&spds->spds_param_lock);
255 		return (EINVAL);
256 	}
257 
258 	/* Set the new value */
259 	spdsockpa->spdsock_param_value = new_value;
260 	mutex_exit(&spds->spds_param_lock);
261 
262 	return (0);
263 }
264 
265 /*
266  * Initialize at module load time
267  */
268 boolean_t
269 spdsock_ddi_init(void)
270 {
271 	spdsock_max_optsize = optcom_max_optsize(
272 	    spdsock_opt_obj.odb_opt_des_arr, spdsock_opt_obj.odb_opt_arr_cnt);
273 
274 	spdsock_vmem = vmem_create("spdsock", (void *)1, MAXMIN, 1,
275 	    NULL, NULL, NULL, 1, VM_SLEEP | VMC_IDENTIFIER);
276 
277 	/*
278 	 * We want to be informed each time a stack is created or
279 	 * destroyed in the kernel, so we can maintain the
280 	 * set of spd_stack_t's.
281 	 */
282 	netstack_register(NS_SPDSOCK, spdsock_stack_init,
283 	    spdsock_stack_shutdown, spdsock_stack_fini);
284 
285 	return (B_TRUE);
286 }
287 
288 /*
289  * Walk through the param array specified registering each element with the
290  * named dispatch handler.
291  */
292 static boolean_t
293 spdsock_param_register(IDP *ndp, spdsockparam_t *ssp, int cnt)
294 {
295 	for (; cnt-- > 0; ssp++) {
296 		if (ssp->spdsock_param_name != NULL &&
297 		    ssp->spdsock_param_name[0]) {
298 			if (!nd_load(ndp,
299 			    ssp->spdsock_param_name,
300 			    spdsock_param_get, spdsock_param_set,
301 			    (caddr_t)ssp)) {
302 				nd_free(ndp);
303 				return (B_FALSE);
304 			}
305 		}
306 	}
307 	return (B_TRUE);
308 }
309 
310 /*
311  * Initialize for each stack instance
312  */
313 /* ARGSUSED */
314 static void *
315 spdsock_stack_init(netstackid_t stackid, netstack_t *ns)
316 {
317 	spd_stack_t	*spds;
318 	spdsockparam_t	*ssp;
319 
320 	spds = (spd_stack_t *)kmem_zalloc(sizeof (*spds), KM_SLEEP);
321 	spds->spds_netstack = ns;
322 
323 	ASSERT(spds->spds_g_nd == NULL);
324 
325 	ssp = (spdsockparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP);
326 	spds->spds_params = ssp;
327 	bcopy(lcl_param_arr, ssp, sizeof (lcl_param_arr));
328 
329 	(void) spdsock_param_register(&spds->spds_g_nd, ssp,
330 	    A_CNT(lcl_param_arr));
331 
332 	mutex_init(&spds->spds_param_lock, NULL, MUTEX_DEFAULT, NULL);
333 	mutex_init(&spds->spds_alg_lock, NULL, MUTEX_DEFAULT, NULL);
334 
335 	return (spds);
336 }
337 
338 void
339 spdsock_ddi_destroy(void)
340 {
341 	vmem_destroy(spdsock_vmem);
342 
343 	netstack_unregister(NS_SPDSOCK);
344 }
345 
346 /*
347  * Do pre-removal cleanup.
348  */
349 /* ARGSUSED */
350 static void
351 spdsock_stack_shutdown(netstackid_t stackid, void *arg)
352 {
353 	spd_stack_t *spds = (spd_stack_t *)arg;
354 
355 	if (spds->spds_mp_algs != NULL) {
356 		freemsg(spds->spds_mp_algs);
357 		spds->spds_mp_algs = NULL;
358 	}
359 }
360 
361 /* ARGSUSED */
362 static void
363 spdsock_stack_fini(netstackid_t stackid, void *arg)
364 {
365 	spd_stack_t *spds = (spd_stack_t *)arg;
366 
367 	ASSERT(spds->spds_mp_algs == NULL);
368 	mutex_destroy(&spds->spds_param_lock);
369 	mutex_destroy(&spds->spds_alg_lock);
370 	nd_free(&spds->spds_g_nd);
371 	kmem_free(spds->spds_params, sizeof (lcl_param_arr));
372 	spds->spds_params = NULL;
373 
374 	kmem_free(spds, sizeof (*spds));
375 }
376 
377 /*
378  * NOTE: large quantities of this should be shared with keysock.
379  * Would be nice to combine some of this into a common module, but
380  * not possible given time pressures.
381  */
382 
383 /*
384  * High-level reality checking of extensions.
385  */
386 /* ARGSUSED */ /* XXX */
387 static boolean_t
388 ext_check(spd_ext_t *ext)
389 {
390 	spd_if_t *tunname = (spd_if_t *)ext;
391 	int i;
392 	char *idstr;
393 
394 	if (ext->spd_ext_type == SPD_EXT_TUN_NAME) {
395 		/* (NOTE:  Modified from SADB_EXT_IDENTITY..) */
396 
397 		/*
398 		 * Make sure the strings in these identities are
399 		 * null-terminated.  Let's "proactively" null-terminate the
400 		 * string at the last byte if it's not terminated sooner.
401 		 */
402 		i = SPD_64TO8(tunname->spd_if_len) - sizeof (spd_if_t);
403 		idstr = (char *)(tunname + 1);
404 		while (*idstr != '\0' && i > 0) {
405 			i--;
406 			idstr++;
407 		}
408 		if (i == 0) {
409 			/*
410 			 * I.e., if the bozo user didn't NULL-terminate the
411 			 * string...
412 			 */
413 			idstr--;
414 			*idstr = '\0';
415 		}
416 	}
417 	return (B_TRUE);	/* For now... */
418 }
419 
420 
421 
422 /* Return values for spdsock_get_ext(). */
423 #define	KGE_OK	0
424 #define	KGE_DUP	1
425 #define	KGE_UNK	2
426 #define	KGE_LEN	3
427 #define	KGE_CHK	4
428 
429 /*
430  * Parse basic extension headers and return in the passed-in pointer vector.
431  * Return values include:
432  *
433  *	KGE_OK	Everything's nice and parsed out.
434  *		If there are no extensions, place NULL in extv[0].
435  *	KGE_DUP	There is a duplicate extension.
436  *		First instance in appropriate bin.  First duplicate in
437  *		extv[0].
438  *	KGE_UNK	Unknown extension type encountered.  extv[0] contains
439  *		unknown header.
440  *	KGE_LEN	Extension length error.
441  *	KGE_CHK	High-level reality check failed on specific extension.
442  *
443  * My apologies for some of the pointer arithmetic in here.  I'm thinking
444  * like an assembly programmer, yet trying to make the compiler happy.
445  */
446 static int
447 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize)
448 {
449 	bzero(extv, sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1));
450 
451 	/* Use extv[0] as the "current working pointer". */
452 
453 	extv[0] = (spd_ext_t *)(basehdr + 1);
454 
455 	while (extv[0] < (spd_ext_t *)(((uint8_t *)basehdr) + msgsize)) {
456 		/* Check for unknown headers. */
457 		if (extv[0]->spd_ext_type == 0 ||
458 		    extv[0]->spd_ext_type > SPD_EXT_MAX)
459 			return (KGE_UNK);
460 
461 		/*
462 		 * Check length.  Use uint64_t because extlen is in units
463 		 * of 64-bit words.  If length goes beyond the msgsize,
464 		 * return an error.  (Zero length also qualifies here.)
465 		 */
466 		if (extv[0]->spd_ext_len == 0 ||
467 		    (void *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) >
468 		    (void *)((uint8_t *)basehdr + msgsize))
469 			return (KGE_LEN);
470 
471 		/* Check for redundant headers. */
472 		if (extv[extv[0]->spd_ext_type] != NULL)
473 			return (KGE_DUP);
474 
475 		/*
476 		 * Reality check the extension if possible at the spdsock
477 		 * level.
478 		 */
479 		if (!ext_check(extv[0]))
480 			return (KGE_CHK);
481 
482 		/* If I make it here, assign the appropriate bin. */
483 		extv[extv[0]->spd_ext_type] = extv[0];
484 
485 		/* Advance pointer (See above for uint64_t ptr reasoning.) */
486 		extv[0] = (spd_ext_t *)
487 		    ((uint64_t *)extv[0] + extv[0]->spd_ext_len);
488 	}
489 
490 	/* Everything's cool. */
491 
492 	/*
493 	 * If extv[0] == NULL, then there are no extension headers in this
494 	 * message.  Ensure that this is the case.
495 	 */
496 	if (extv[0] == (spd_ext_t *)(basehdr + 1))
497 		extv[0] = NULL;
498 
499 	return (KGE_OK);
500 }
501 
502 static const int bad_ext_diag[] = {
503 	SPD_DIAGNOSTIC_MALFORMED_LCLPORT,
504 	SPD_DIAGNOSTIC_MALFORMED_REMPORT,
505 	SPD_DIAGNOSTIC_MALFORMED_PROTO,
506 	SPD_DIAGNOSTIC_MALFORMED_LCLADDR,
507 	SPD_DIAGNOSTIC_MALFORMED_REMADDR,
508 	SPD_DIAGNOSTIC_MALFORMED_ACTION,
509 	SPD_DIAGNOSTIC_MALFORMED_RULE,
510 	SPD_DIAGNOSTIC_MALFORMED_RULESET,
511 	SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE
512 };
513 
514 static const int dup_ext_diag[] = {
515 	SPD_DIAGNOSTIC_DUPLICATE_LCLPORT,
516 	SPD_DIAGNOSTIC_DUPLICATE_REMPORT,
517 	SPD_DIAGNOSTIC_DUPLICATE_PROTO,
518 	SPD_DIAGNOSTIC_DUPLICATE_LCLADDR,
519 	SPD_DIAGNOSTIC_DUPLICATE_REMADDR,
520 	SPD_DIAGNOSTIC_DUPLICATE_ACTION,
521 	SPD_DIAGNOSTIC_DUPLICATE_RULE,
522 	SPD_DIAGNOSTIC_DUPLICATE_RULESET,
523 	SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE
524 };
525 
526 /*
527  * Transmit a PF_POLICY error message to the instance either pointed to
528  * by ks, the instance with serial number serial, or more, depending.
529  *
530  * The faulty message (or a reasonable facsimile thereof) is in mp.
531  * This function will free mp or recycle it for delivery, thereby causing
532  * the stream head to free it.
533  */
534 static void
535 spdsock_error(queue_t *q, mblk_t *mp, int error, int diagnostic)
536 {
537 	spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
538 
539 	ASSERT(mp->b_datap->db_type == M_DATA);
540 
541 	if (spmsg->spd_msg_type < SPD_MIN ||
542 	    spmsg->spd_msg_type > SPD_MAX)
543 		spmsg->spd_msg_type = SPD_RESERVED;
544 
545 	/*
546 	 * Strip out extension headers.
547 	 */
548 	ASSERT(mp->b_rptr + sizeof (*spmsg) <= mp->b_datap->db_lim);
549 	mp->b_wptr = mp->b_rptr + sizeof (*spmsg);
550 	spmsg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t));
551 	spmsg->spd_msg_errno = (uint8_t)error;
552 	spmsg->spd_msg_diagnostic = (uint16_t)diagnostic;
553 
554 	qreply(q, mp);
555 }
556 
557 static void
558 spdsock_diag(queue_t *q, mblk_t *mp, int diagnostic)
559 {
560 	spdsock_error(q, mp, EINVAL, diagnostic);
561 }
562 
563 static void
564 spd_echo(queue_t *q, mblk_t *mp)
565 {
566 	qreply(q, mp);
567 }
568 
569 /*
570  * Do NOT consume a reference to itp.
571  */
572 /*ARGSUSED*/
573 static void
574 spdsock_flush_node(ipsec_tun_pol_t *itp, void *cookie, netstack_t *ns)
575 {
576 	boolean_t active = (boolean_t)cookie;
577 	ipsec_policy_head_t *iph;
578 
579 	iph = active ? itp->itp_policy : itp->itp_inactive;
580 	IPPH_REFHOLD(iph);
581 	mutex_enter(&itp->itp_lock);
582 	spdsock_flush_one(iph, ns);  /* Releases iph refhold. */
583 	if (active)
584 		itp->itp_flags &= ~ITPF_PFLAGS;
585 	else
586 		itp->itp_flags &= ~ITPF_IFLAGS;
587 	mutex_exit(&itp->itp_lock);
588 	/* SPD_FLUSH is worth a tunnel MTU check. */
589 	update_iptun_policy(itp);
590 }
591 
592 /*
593  * Clear out one polhead.
594  */
595 static void
596 spdsock_flush_one(ipsec_policy_head_t *iph, netstack_t *ns)
597 {
598 	rw_enter(&iph->iph_lock, RW_WRITER);
599 	ipsec_polhead_flush(iph, ns);
600 	rw_exit(&iph->iph_lock);
601 	IPPH_REFRELE(iph, ns);
602 }
603 
604 static void
605 spdsock_flush(queue_t *q, ipsec_policy_head_t *iph, ipsec_tun_pol_t *itp,
606     mblk_t *mp)
607 {
608 	boolean_t active;
609 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
610 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
611 	uint32_t auditing = AU_AUDITING();
612 
613 	if (iph != ALL_ACTIVE_POLHEADS && iph != ALL_INACTIVE_POLHEADS) {
614 		spdsock_flush_one(iph, ns);
615 		if (auditing) {
616 			spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
617 			cred_t *cr;
618 			pid_t cpid;
619 
620 			cr = msg_getcred(mp, &cpid);
621 			active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
622 			audit_pf_policy(SPD_FLUSH, cr, ns,
623 			    ITP_NAME(itp), active, 0, cpid);
624 		}
625 	} else {
626 		active = (iph == ALL_ACTIVE_POLHEADS);
627 
628 		/* First flush the global policy. */
629 		spdsock_flush_one(active ? ipsec_system_policy(ns) :
630 		    ipsec_inactive_policy(ns), ns);
631 		if (auditing) {
632 			cred_t *cr;
633 			pid_t cpid;
634 
635 			cr = msg_getcred(mp, &cpid);
636 			audit_pf_policy(SPD_FLUSH, cr, ns, NULL,
637 			    active, 0, cpid);
638 		}
639 		/* Then flush every tunnel's appropriate one. */
640 		itp_walk(spdsock_flush_node, (void *)active, ns);
641 		if (auditing) {
642 			cred_t *cr;
643 			pid_t cpid;
644 
645 			cr = msg_getcred(mp, &cpid);
646 			audit_pf_policy(SPD_FLUSH, cr, ns,
647 			    "all tunnels", active, 0, cpid);
648 		}
649 	}
650 
651 	spd_echo(q, mp);
652 }
653 
654 static boolean_t
655 spdsock_ext_to_sel(spd_ext_t **extv, ipsec_selkey_t *sel, int *diag)
656 {
657 	bzero(sel, sizeof (*sel));
658 
659 	if (extv[SPD_EXT_PROTO] != NULL) {
660 		struct spd_proto *pr =
661 		    (struct spd_proto *)extv[SPD_EXT_PROTO];
662 		sel->ipsl_proto = pr->spd_proto_number;
663 		sel->ipsl_valid |= IPSL_PROTOCOL;
664 	}
665 	if (extv[SPD_EXT_LCLPORT] != NULL) {
666 		struct spd_portrange *pr =
667 		    (struct spd_portrange *)extv[SPD_EXT_LCLPORT];
668 		sel->ipsl_lport = pr->spd_ports_minport;
669 		sel->ipsl_valid |= IPSL_LOCAL_PORT;
670 	}
671 	if (extv[SPD_EXT_REMPORT] != NULL) {
672 		struct spd_portrange *pr =
673 		    (struct spd_portrange *)extv[SPD_EXT_REMPORT];
674 		sel->ipsl_rport = pr->spd_ports_minport;
675 		sel->ipsl_valid |= IPSL_REMOTE_PORT;
676 	}
677 
678 	if (extv[SPD_EXT_ICMP_TYPECODE] != NULL) {
679 		struct spd_typecode *tc=
680 		    (struct spd_typecode *)extv[SPD_EXT_ICMP_TYPECODE];
681 
682 		sel->ipsl_valid |= IPSL_ICMP_TYPE;
683 		sel->ipsl_icmp_type = tc->spd_typecode_type;
684 		if (tc->spd_typecode_type_end < tc->spd_typecode_type)
685 			sel->ipsl_icmp_type_end = tc->spd_typecode_type;
686 		else
687 			sel->ipsl_icmp_type_end = tc->spd_typecode_type_end;
688 
689 		if (tc->spd_typecode_code != 255) {
690 			sel->ipsl_valid |= IPSL_ICMP_CODE;
691 			sel->ipsl_icmp_code = tc->spd_typecode_code;
692 			if (tc->spd_typecode_code_end < tc->spd_typecode_code)
693 				sel->ipsl_icmp_code_end = tc->spd_typecode_code;
694 			else
695 				sel->ipsl_icmp_code_end =
696 				    tc->spd_typecode_code_end;
697 		}
698 	}
699 #define	ADDR2SEL(sel, extv, field, pfield, extn, bit)			\
700 	if ((extv)[(extn)] != NULL) {					\
701 		uint_t addrlen;						\
702 		struct spd_address *ap =				\
703 			(struct spd_address *)((extv)[(extn)]);		\
704 		addrlen = (ap->spd_address_af == AF_INET6) ?		\
705 			IPV6_ADDR_LEN : IP_ADDR_LEN;			\
706 		if (SPD_64TO8(ap->spd_address_len) <			\
707 			(addrlen + sizeof (*ap))) {			\
708 			*diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN;		\
709 			return (B_FALSE);				\
710 		}							\
711 		bcopy((ap+1), &((sel)->field), addrlen);		\
712 		(sel)->pfield = ap->spd_address_prefixlen;		\
713 		(sel)->ipsl_valid |= (bit);				\
714 		(sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ?	\
715 			IPSL_IPV6 : IPSL_IPV4;				\
716 	}
717 
718 	ADDR2SEL(sel, extv, ipsl_local, ipsl_local_pfxlen,
719 	    SPD_EXT_LCLADDR, IPSL_LOCAL_ADDR);
720 	ADDR2SEL(sel, extv, ipsl_remote, ipsl_remote_pfxlen,
721 	    SPD_EXT_REMADDR, IPSL_REMOTE_ADDR);
722 
723 	if ((sel->ipsl_valid & (IPSL_IPV6|IPSL_IPV4)) ==
724 	    (IPSL_IPV6|IPSL_IPV4)) {
725 		*diag = SPD_DIAGNOSTIC_MIXED_AF;
726 		return (B_FALSE);
727 	}
728 
729 #undef ADDR2SEL
730 
731 	return (B_TRUE);
732 }
733 
734 static boolean_t
735 spd_convert_type(uint32_t type, ipsec_act_t *act)
736 {
737 	switch (type) {
738 	case SPD_ACTTYPE_DROP:
739 		act->ipa_type = IPSEC_ACT_DISCARD;
740 		return (B_TRUE);
741 
742 	case SPD_ACTTYPE_PASS:
743 		act->ipa_type = IPSEC_ACT_CLEAR;
744 		return (B_TRUE);
745 
746 	case SPD_ACTTYPE_IPSEC:
747 		act->ipa_type = IPSEC_ACT_APPLY;
748 		return (B_TRUE);
749 	}
750 	return (B_FALSE);
751 }
752 
753 static boolean_t
754 spd_convert_flags(uint32_t flags, ipsec_act_t *act)
755 {
756 	/*
757 	 * Note use of !! for boolean canonicalization.
758 	 */
759 	act->ipa_apply.ipp_use_ah = !!(flags & SPD_APPLY_AH);
760 	act->ipa_apply.ipp_use_esp = !!(flags & SPD_APPLY_ESP);
761 	act->ipa_apply.ipp_use_espa = !!(flags & SPD_APPLY_ESPA);
762 	act->ipa_apply.ipp_use_se = !!(flags & SPD_APPLY_SE);
763 	act->ipa_apply.ipp_use_unique = !!(flags & SPD_APPLY_UNIQUE);
764 	return (B_TRUE);
765 }
766 
767 static void
768 spdsock_reset_act(ipsec_act_t *act)
769 {
770 	bzero(act, sizeof (*act));
771 	act->ipa_apply.ipp_espe_maxbits = IPSEC_MAX_KEYBITS;
772 	act->ipa_apply.ipp_espa_maxbits = IPSEC_MAX_KEYBITS;
773 	act->ipa_apply.ipp_ah_maxbits = IPSEC_MAX_KEYBITS;
774 }
775 
776 /*
777  * Sanity check action against reality, and shrink-wrap key sizes..
778  */
779 static boolean_t
780 spdsock_check_action(ipsec_act_t *act, boolean_t tunnel_polhead, int *diag,
781     spd_stack_t *spds)
782 {
783 	if (tunnel_polhead && act->ipa_apply.ipp_use_unique) {
784 		*diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
785 		return (B_FALSE);
786 	}
787 	if ((act->ipa_type != IPSEC_ACT_APPLY) &&
788 	    (act->ipa_apply.ipp_use_ah ||
789 	    act->ipa_apply.ipp_use_esp ||
790 	    act->ipa_apply.ipp_use_espa ||
791 	    act->ipa_apply.ipp_use_se ||
792 	    act->ipa_apply.ipp_use_unique)) {
793 		*diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
794 		return (B_FALSE);
795 	}
796 	if ((act->ipa_type == IPSEC_ACT_APPLY) &&
797 	    !act->ipa_apply.ipp_use_ah &&
798 	    !act->ipa_apply.ipp_use_esp) {
799 		*diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
800 		return (B_FALSE);
801 	}
802 	return (ipsec_check_action(act, diag, spds->spds_netstack));
803 }
804 
805 /*
806  * We may be short a few error checks here..
807  */
808 static boolean_t
809 spdsock_ext_to_actvec(spd_ext_t **extv, ipsec_act_t **actpp, uint_t *nactp,
810     int *diag, spd_stack_t *spds)
811 {
812 	struct spd_ext_actions *sactp =
813 	    (struct spd_ext_actions *)extv[SPD_EXT_ACTION];
814 	ipsec_act_t act, *actp, *endactp;
815 	struct spd_attribute *attrp, *endattrp;
816 	uint64_t *endp;
817 	int nact;
818 	boolean_t tunnel_polhead;
819 
820 	tunnel_polhead = (extv[SPD_EXT_TUN_NAME] != NULL &&
821 	    (((struct spd_rule *)extv[SPD_EXT_RULE])->spd_rule_flags &
822 	    SPD_RULE_FLAG_TUNNEL));
823 
824 	*actpp = NULL;
825 	*nactp = 0;
826 
827 	if (sactp == NULL) {
828 		*diag = SPD_DIAGNOSTIC_NO_ACTION_EXT;
829 		return (B_FALSE);
830 	}
831 
832 	/*
833 	 * Parse the "action" extension and convert into an action chain.
834 	 */
835 
836 	nact = sactp->spd_actions_count;
837 
838 	endp = (uint64_t *)sactp;
839 	endp += sactp->spd_actions_len;
840 	endattrp = (struct spd_attribute *)endp;
841 
842 	actp = kmem_alloc(sizeof (*actp) * nact, KM_NOSLEEP);
843 	if (actp == NULL) {
844 		*diag = SPD_DIAGNOSTIC_ADD_NO_MEM;
845 		return (B_FALSE);
846 	}
847 	*actpp = actp;
848 	*nactp = nact;
849 	endactp = actp + nact;
850 
851 	spdsock_reset_act(&act);
852 	attrp = (struct spd_attribute *)(&sactp[1]);
853 
854 	for (; attrp < endattrp; attrp++) {
855 		switch (attrp->spd_attr_tag) {
856 		case SPD_ATTR_NOP:
857 			break;
858 
859 		case SPD_ATTR_EMPTY:
860 			spdsock_reset_act(&act);
861 			break;
862 
863 		case SPD_ATTR_END:
864 			attrp = endattrp;
865 			/* FALLTHRU */
866 		case SPD_ATTR_NEXT:
867 			if (actp >= endactp) {
868 				*diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT;
869 				goto fail;
870 			}
871 			if (!spdsock_check_action(&act, tunnel_polhead,
872 			    diag, spds))
873 				goto fail;
874 			*actp++ = act;
875 			spdsock_reset_act(&act);
876 			break;
877 
878 		case SPD_ATTR_TYPE:
879 			if (!spd_convert_type(attrp->spd_attr_value, &act)) {
880 				*diag = SPD_DIAGNOSTIC_ADD_BAD_TYPE;
881 				goto fail;
882 			}
883 			break;
884 
885 		case SPD_ATTR_FLAGS:
886 			if (!tunnel_polhead && extv[SPD_EXT_TUN_NAME] != NULL) {
887 				/*
888 				 * Set "sa unique" for transport-mode
889 				 * tunnels whether we want to or not.
890 				 */
891 				attrp->spd_attr_value |= SPD_APPLY_UNIQUE;
892 			}
893 			if (!spd_convert_flags(attrp->spd_attr_value, &act)) {
894 				*diag = SPD_DIAGNOSTIC_ADD_BAD_FLAGS;
895 				goto fail;
896 			}
897 			break;
898 
899 		case SPD_ATTR_AH_AUTH:
900 			if (attrp->spd_attr_value == 0) {
901 				*diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG;
902 				goto fail;
903 			}
904 			act.ipa_apply.ipp_auth_alg = attrp->spd_attr_value;
905 			break;
906 
907 		case SPD_ATTR_ESP_ENCR:
908 			if (attrp->spd_attr_value == 0) {
909 				*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG;
910 				goto fail;
911 			}
912 			act.ipa_apply.ipp_encr_alg = attrp->spd_attr_value;
913 			break;
914 
915 		case SPD_ATTR_ESP_AUTH:
916 			if (attrp->spd_attr_value == 0) {
917 				*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG;
918 				goto fail;
919 			}
920 			act.ipa_apply.ipp_esp_auth_alg = attrp->spd_attr_value;
921 			break;
922 
923 		case SPD_ATTR_ENCR_MINBITS:
924 			act.ipa_apply.ipp_espe_minbits = attrp->spd_attr_value;
925 			break;
926 
927 		case SPD_ATTR_ENCR_MAXBITS:
928 			act.ipa_apply.ipp_espe_maxbits = attrp->spd_attr_value;
929 			break;
930 
931 		case SPD_ATTR_AH_MINBITS:
932 			act.ipa_apply.ipp_ah_minbits = attrp->spd_attr_value;
933 			break;
934 
935 		case SPD_ATTR_AH_MAXBITS:
936 			act.ipa_apply.ipp_ah_maxbits = attrp->spd_attr_value;
937 			break;
938 
939 		case SPD_ATTR_ESPA_MINBITS:
940 			act.ipa_apply.ipp_espa_minbits = attrp->spd_attr_value;
941 			break;
942 
943 		case SPD_ATTR_ESPA_MAXBITS:
944 			act.ipa_apply.ipp_espa_maxbits = attrp->spd_attr_value;
945 			break;
946 
947 		case SPD_ATTR_LIFE_SOFT_TIME:
948 		case SPD_ATTR_LIFE_HARD_TIME:
949 		case SPD_ATTR_LIFE_SOFT_BYTES:
950 		case SPD_ATTR_LIFE_HARD_BYTES:
951 			break;
952 
953 		case SPD_ATTR_KM_PROTO:
954 			act.ipa_apply.ipp_km_proto = attrp->spd_attr_value;
955 			break;
956 
957 		case SPD_ATTR_KM_COOKIE:
958 			act.ipa_apply.ipp_km_cookie = attrp->spd_attr_value;
959 			break;
960 
961 		case SPD_ATTR_REPLAY_DEPTH:
962 			act.ipa_apply.ipp_replay_depth = attrp->spd_attr_value;
963 			break;
964 		}
965 	}
966 	if (actp != endactp) {
967 		*diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT;
968 		goto fail;
969 	}
970 
971 	return (B_TRUE);
972 fail:
973 	ipsec_actvec_free(*actpp, nact);
974 	*actpp = NULL;
975 	return (B_FALSE);
976 }
977 
978 typedef struct
979 {
980 	ipsec_policy_t *pol;
981 	int dir;
982 } tmprule_t;
983 
984 static int
985 mkrule(ipsec_policy_head_t *iph, struct spd_rule *rule,
986     ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t af,
987     tmprule_t **rp, uint64_t *index, spd_stack_t *spds)
988 {
989 	ipsec_policy_t *pol;
990 
991 	sel->ipsl_valid &= ~(IPSL_IPV6|IPSL_IPV4);
992 	sel->ipsl_valid |= af;
993 
994 	pol = ipsec_policy_create(sel, actp, nact, rule->spd_rule_priority,
995 	    index, spds->spds_netstack);
996 	if (pol == NULL)
997 		return (ENOMEM);
998 
999 	(*rp)->pol = pol;
1000 	(*rp)->dir = dir;
1001 	(*rp)++;
1002 
1003 	if (!ipsec_check_policy(iph, pol, dir))
1004 		return (EEXIST);
1005 
1006 	rule->spd_rule_index = pol->ipsp_index;
1007 	return (0);
1008 }
1009 
1010 static int
1011 mkrulepair(ipsec_policy_head_t *iph, struct spd_rule *rule,
1012     ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t afs,
1013     tmprule_t **rp, uint64_t *index, spd_stack_t *spds)
1014 {
1015 	int error;
1016 
1017 	if (afs & IPSL_IPV4) {
1018 		error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV4, rp,
1019 		    index, spds);
1020 		if (error != 0)
1021 			return (error);
1022 	}
1023 	if (afs & IPSL_IPV6) {
1024 		error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV6, rp,
1025 		    index, spds);
1026 		if (error != 0)
1027 			return (error);
1028 	}
1029 	return (0);
1030 }
1031 
1032 
1033 static void
1034 spdsock_addrule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1035     spd_ext_t **extv, ipsec_tun_pol_t *itp)
1036 {
1037 	ipsec_selkey_t sel;
1038 	ipsec_act_t *actp;
1039 	uint_t nact;
1040 	int diag = 0, error, afs;
1041 	struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE];
1042 	tmprule_t rules[4], *rulep = &rules[0];
1043 	boolean_t tunnel_mode, empty_itp, active;
1044 	uint64_t *index = (itp == NULL) ? NULL : &itp->itp_next_policy_index;
1045 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
1046 	spd_stack_t *spds = ss->spdsock_spds;
1047 	uint32_t auditing = AU_AUDITING();
1048 
1049 	if (rule == NULL) {
1050 		spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT);
1051 		if (auditing) {
1052 			spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1053 			cred_t *cr;
1054 			pid_t cpid;
1055 
1056 			cr = msg_getcred(mp, &cpid);
1057 			active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1058 			audit_pf_policy(SPD_ADDRULE, cr,
1059 			    spds->spds_netstack, ITP_NAME(itp), active,
1060 			    SPD_DIAGNOSTIC_NO_RULE_EXT, cpid);
1061 		}
1062 		return;
1063 	}
1064 
1065 	tunnel_mode = (rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL);
1066 
1067 	if (itp != NULL) {
1068 		mutex_enter(&itp->itp_lock);
1069 		ASSERT(itp->itp_policy == iph || itp->itp_inactive == iph);
1070 		active = (itp->itp_policy == iph);
1071 		if (ITP_P_ISACTIVE(itp, iph)) {
1072 			/* Check for mix-and-match of tunnel/transport. */
1073 			if ((tunnel_mode && !ITP_P_ISTUNNEL(itp, iph)) ||
1074 			    (!tunnel_mode && ITP_P_ISTUNNEL(itp, iph))) {
1075 				mutex_exit(&itp->itp_lock);
1076 				spdsock_error(q, mp, EBUSY, 0);
1077 				return;
1078 			}
1079 			empty_itp = B_FALSE;
1080 		} else {
1081 			empty_itp = B_TRUE;
1082 			itp->itp_flags = active ? ITPF_P_ACTIVE : ITPF_I_ACTIVE;
1083 			if (tunnel_mode)
1084 				itp->itp_flags |= active ? ITPF_P_TUNNEL :
1085 				    ITPF_I_TUNNEL;
1086 		}
1087 	} else {
1088 		empty_itp = B_FALSE;
1089 	}
1090 
1091 	if (rule->spd_rule_index != 0) {
1092 		diag = SPD_DIAGNOSTIC_INVALID_RULE_INDEX;
1093 		error = EINVAL;
1094 		goto fail2;
1095 	}
1096 
1097 	if (!spdsock_ext_to_sel(extv, &sel, &diag)) {
1098 		error = EINVAL;
1099 		goto fail2;
1100 	}
1101 
1102 	if (itp != NULL) {
1103 		if (tunnel_mode) {
1104 			if (sel.ipsl_valid &
1105 			    (IPSL_REMOTE_PORT | IPSL_LOCAL_PORT)) {
1106 				itp->itp_flags |= active ?
1107 				    ITPF_P_PER_PORT_SECURITY :
1108 				    ITPF_I_PER_PORT_SECURITY;
1109 			}
1110 		} else {
1111 			/*
1112 			 * For now, we don't allow transport-mode on a tunnel
1113 			 * with ANY specific selectors.  Bail if we have such
1114 			 * a request.
1115 			 */
1116 			if (sel.ipsl_valid & IPSL_WILDCARD) {
1117 				diag = SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS;
1118 				error = EINVAL;
1119 				goto fail2;
1120 			}
1121 		}
1122 	}
1123 
1124 	if (!spdsock_ext_to_actvec(extv, &actp, &nact, &diag, spds)) {
1125 		error = EINVAL;
1126 		goto fail2;
1127 	}
1128 	/*
1129 	 * If no addresses were specified, add both.
1130 	 */
1131 	afs = sel.ipsl_valid & (IPSL_IPV6|IPSL_IPV4);
1132 	if (afs == 0)
1133 		afs = (IPSL_IPV6|IPSL_IPV4);
1134 
1135 	rw_enter(&iph->iph_lock, RW_WRITER);
1136 
1137 	if (rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) {
1138 		error = mkrulepair(iph, rule, &sel, actp, nact,
1139 		    IPSEC_TYPE_OUTBOUND, afs, &rulep, index, spds);
1140 		if (error != 0)
1141 			goto fail;
1142 	}
1143 
1144 	if (rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) {
1145 		error = mkrulepair(iph, rule, &sel, actp, nact,
1146 		    IPSEC_TYPE_INBOUND, afs, &rulep, index, spds);
1147 		if (error != 0)
1148 			goto fail;
1149 	}
1150 
1151 	while ((--rulep) >= &rules[0]) {
1152 		ipsec_enter_policy(iph, rulep->pol, rulep->dir,
1153 		    spds->spds_netstack);
1154 	}
1155 	rw_exit(&iph->iph_lock);
1156 	if (itp != NULL)
1157 		mutex_exit(&itp->itp_lock);
1158 
1159 	ipsec_actvec_free(actp, nact);
1160 	spd_echo(q, mp);
1161 	if (auditing) {
1162 		spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1163 		cred_t *cr;
1164 		pid_t cpid;
1165 
1166 		cr = msg_getcred(mp, &cpid);
1167 		active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1168 		audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack,
1169 		    ITP_NAME(itp), active, 0, cpid);
1170 	}
1171 	return;
1172 
1173 fail:
1174 	rw_exit(&iph->iph_lock);
1175 	while ((--rulep) >= &rules[0])
1176 		IPPOL_REFRELE(rulep->pol);
1177 	ipsec_actvec_free(actp, nact);
1178 fail2:
1179 	if (itp != NULL) {
1180 		if (empty_itp)
1181 			itp->itp_flags = 0;
1182 		mutex_exit(&itp->itp_lock);
1183 	}
1184 	spdsock_error(q, mp, error, diag);
1185 	if (auditing) {
1186 		spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1187 		cred_t *cr;
1188 		pid_t cpid;
1189 
1190 		cr = msg_getcred(mp, &cpid);
1191 		active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1192 		audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack,
1193 		    ITP_NAME(itp), active, error, cpid);
1194 	}
1195 }
1196 
1197 void
1198 spdsock_deleterule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1199     spd_ext_t **extv, ipsec_tun_pol_t *itp)
1200 {
1201 	ipsec_selkey_t sel;
1202 	struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE];
1203 	int err, diag = 0;
1204 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
1205 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
1206 	uint32_t auditing = AU_AUDITING();
1207 
1208 	if (rule == NULL) {
1209 		spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT);
1210 		if (auditing) {
1211 			boolean_t active;
1212 			spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1213 			cred_t *cr;
1214 			pid_t cpid;
1215 
1216 			cr = msg_getcred(mp, &cpid);
1217 			active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1218 			audit_pf_policy(SPD_DELETERULE, cr, ns,
1219 			    ITP_NAME(itp), active, SPD_DIAGNOSTIC_NO_RULE_EXT,
1220 			    cpid);
1221 		}
1222 		return;
1223 	}
1224 
1225 	/*
1226 	 * Must enter itp_lock first to avoid deadlock.  See tun.c's
1227 	 * set_sec_simple() for the other case of itp_lock and iph_lock.
1228 	 */
1229 	if (itp != NULL)
1230 		mutex_enter(&itp->itp_lock);
1231 
1232 	if (rule->spd_rule_index != 0) {
1233 		if (ipsec_policy_delete_index(iph, rule->spd_rule_index, ns) !=
1234 		    0) {
1235 			err = ESRCH;
1236 			goto fail;
1237 		}
1238 	} else {
1239 		if (!spdsock_ext_to_sel(extv, &sel, &diag)) {
1240 			err = EINVAL;	/* diag already set... */
1241 			goto fail;
1242 		}
1243 
1244 		if ((rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) &&
1245 		    !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_INBOUND, ns)) {
1246 			err = ESRCH;
1247 			goto fail;
1248 		}
1249 
1250 		if ((rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) &&
1251 		    !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_OUTBOUND, ns)) {
1252 			err = ESRCH;
1253 			goto fail;
1254 		}
1255 	}
1256 
1257 	if (itp != NULL) {
1258 		ASSERT(iph == itp->itp_policy || iph == itp->itp_inactive);
1259 		rw_enter(&iph->iph_lock, RW_READER);
1260 		if (avl_numnodes(&iph->iph_rulebyid) == 0) {
1261 			if (iph == itp->itp_policy)
1262 				itp->itp_flags &= ~ITPF_PFLAGS;
1263 			else
1264 				itp->itp_flags &= ~ITPF_IFLAGS;
1265 		}
1266 		/* Can exit locks in any order. */
1267 		rw_exit(&iph->iph_lock);
1268 		mutex_exit(&itp->itp_lock);
1269 	}
1270 	spd_echo(q, mp);
1271 	if (auditing) {
1272 		boolean_t active;
1273 		spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1274 		cred_t *cr;
1275 		pid_t cpid;
1276 
1277 		cr = msg_getcred(mp, &cpid);
1278 		active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1279 		audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp),
1280 		    active, 0, cpid);
1281 	}
1282 	return;
1283 fail:
1284 	if (itp != NULL)
1285 		mutex_exit(&itp->itp_lock);
1286 	spdsock_error(q, mp, err, diag);
1287 	if (auditing) {
1288 		boolean_t active;
1289 		spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1290 		cred_t *cr;
1291 		pid_t cpid;
1292 
1293 		cr = msg_getcred(mp, &cpid);
1294 		active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1295 		audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp),
1296 		    active, err, cpid);
1297 	}
1298 }
1299 
1300 /* Do NOT consume a reference to itp. */
1301 /* ARGSUSED */
1302 static void
1303 spdsock_flip_node(ipsec_tun_pol_t *itp, void *ignoreme, netstack_t *ns)
1304 {
1305 	mutex_enter(&itp->itp_lock);
1306 	ITPF_SWAP(itp->itp_flags);
1307 	ipsec_swap_policy(itp->itp_policy, itp->itp_inactive, ns);
1308 	mutex_exit(&itp->itp_lock);
1309 	/* SPD_FLIP is worth a tunnel MTU check. */
1310 	update_iptun_policy(itp);
1311 }
1312 
1313 void
1314 spdsock_flip(queue_t *q, mblk_t *mp, spd_if_t *tunname)
1315 {
1316 	char *tname;
1317 	ipsec_tun_pol_t *itp;
1318 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
1319 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
1320 	uint32_t auditing = AU_AUDITING();
1321 
1322 	if (tunname != NULL) {
1323 		tname = (char *)tunname->spd_if_name;
1324 		if (*tname == '\0') {
1325 			/* can't fail */
1326 			ipsec_swap_global_policy(ns);
1327 			if (auditing) {
1328 				boolean_t active;
1329 				spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1330 				cred_t *cr;
1331 				pid_t cpid;
1332 
1333 				cr = msg_getcred(mp, &cpid);
1334 				active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1335 				audit_pf_policy(SPD_FLIP, cr, ns,
1336 				    NULL, active, 0, cpid);
1337 			}
1338 			itp_walk(spdsock_flip_node, NULL, ns);
1339 			if (auditing) {
1340 				boolean_t active;
1341 				spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1342 				cred_t *cr;
1343 				pid_t cpid;
1344 
1345 				cr = msg_getcred(mp, &cpid);
1346 				active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1347 				audit_pf_policy(SPD_FLIP, cr, ns,
1348 				    "all tunnels", active, 0, cpid);
1349 			}
1350 		} else {
1351 			itp = get_tunnel_policy(tname, ns);
1352 			if (itp == NULL) {
1353 				/* Better idea for "tunnel not found"? */
1354 				spdsock_error(q, mp, ESRCH, 0);
1355 				if (auditing) {
1356 					boolean_t active;
1357 					spd_msg_t *spmsg =
1358 					    (spd_msg_t *)mp->b_rptr;
1359 					cred_t *cr;
1360 					pid_t cpid;
1361 
1362 					cr = msg_getcred(mp, &cpid);
1363 					active = (spmsg->spd_msg_spdid ==
1364 					    SPD_ACTIVE);
1365 					audit_pf_policy(SPD_FLIP, cr, ns,
1366 					    ITP_NAME(itp), active,
1367 					    ESRCH, cpid);
1368 				}
1369 				return;
1370 			}
1371 			spdsock_flip_node(itp, NULL, ns);
1372 			if (auditing) {
1373 				boolean_t active;
1374 				spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1375 				cred_t *cr;
1376 				pid_t cpid;
1377 
1378 				cr = msg_getcred(mp, &cpid);
1379 				active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1380 				audit_pf_policy(SPD_FLIP, cr, ns,
1381 				    ITP_NAME(itp), active, 0, cpid);
1382 			}
1383 			ITP_REFRELE(itp, ns);
1384 		}
1385 	} else {
1386 		ipsec_swap_global_policy(ns);	/* can't fail */
1387 		if (auditing) {
1388 			boolean_t active;
1389 			spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1390 			cred_t *cr;
1391 			pid_t cpid;
1392 
1393 			cr = msg_getcred(mp, &cpid);
1394 			active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1395 			audit_pf_policy(SPD_FLIP, cr,
1396 			    ns, NULL, active, 0, cpid);
1397 		}
1398 	}
1399 	spd_echo(q, mp);
1400 }
1401 
1402 /*
1403  * Unimplemented feature
1404  */
1405 /* ARGSUSED */
1406 static void
1407 spdsock_lookup(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1408     spd_ext_t **extv, ipsec_tun_pol_t *itp)
1409 {
1410 	spdsock_error(q, mp, EINVAL, 0);
1411 }
1412 
1413 
1414 static mblk_t *
1415 spdsock_dump_ruleset(mblk_t *req, ipsec_policy_head_t *iph,
1416     uint32_t count, uint16_t error)
1417 {
1418 	size_t len = sizeof (spd_ruleset_ext_t) + sizeof (spd_msg_t);
1419 	spd_msg_t *msg;
1420 	spd_ruleset_ext_t *ruleset;
1421 	mblk_t *m = allocb(len, BPRI_HI);
1422 
1423 	ASSERT(RW_READ_HELD(&iph->iph_lock));
1424 
1425 	if (m == NULL) {
1426 		return (NULL);
1427 	}
1428 	msg = (spd_msg_t *)m->b_rptr;
1429 	ruleset = (spd_ruleset_ext_t *)(&msg[1]);
1430 
1431 	m->b_wptr = (uint8_t *)&ruleset[1];
1432 
1433 	*msg = *(spd_msg_t *)(req->b_rptr);
1434 	msg->spd_msg_len = SPD_8TO64(len);
1435 	msg->spd_msg_errno = error;
1436 
1437 	ruleset->spd_ruleset_len = SPD_8TO64(sizeof (*ruleset));
1438 	ruleset->spd_ruleset_type = SPD_EXT_RULESET;
1439 	ruleset->spd_ruleset_count = count;
1440 	ruleset->spd_ruleset_version = iph->iph_gen;
1441 	return (m);
1442 }
1443 
1444 static mblk_t *
1445 spdsock_dump_finish(spdsock_t *ss, int error)
1446 {
1447 	mblk_t *m;
1448 	ipsec_policy_head_t *iph = ss->spdsock_dump_head;
1449 	mblk_t *req = ss->spdsock_dump_req;
1450 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
1451 
1452 	rw_enter(&iph->iph_lock, RW_READER);
1453 	m = spdsock_dump_ruleset(req, iph, ss->spdsock_dump_count, error);
1454 	rw_exit(&iph->iph_lock);
1455 	IPPH_REFRELE(iph, ns);
1456 	if (ss->spdsock_itp != NULL) {
1457 		ITP_REFRELE(ss->spdsock_itp, ns);
1458 		ss->spdsock_itp = NULL;
1459 	}
1460 	ss->spdsock_dump_req = NULL;
1461 	freemsg(req);
1462 
1463 	return (m);
1464 }
1465 
1466 /*
1467  * Rule encoding functions.
1468  * We do a two-pass encode.
1469  * If base != NULL, fill in encoded rule part starting at base+offset.
1470  * Always return "offset" plus length of to-be-encoded data.
1471  */
1472 static uint_t
1473 spdsock_encode_typecode(uint8_t *base, uint_t offset, uint8_t type,
1474     uint8_t type_end, uint8_t code, uint8_t code_end)
1475 {
1476 	struct spd_typecode *tcp;
1477 
1478 	ASSERT(ALIGNED64(offset));
1479 
1480 	if (base != NULL) {
1481 		tcp = (struct spd_typecode *)(base + offset);
1482 		tcp->spd_typecode_len = SPD_8TO64(sizeof (*tcp));
1483 		tcp->spd_typecode_exttype = SPD_EXT_ICMP_TYPECODE;
1484 		tcp->spd_typecode_code = code;
1485 		tcp->spd_typecode_type = type;
1486 		tcp->spd_typecode_type_end = type_end;
1487 		tcp->spd_typecode_code_end = code_end;
1488 	}
1489 	offset += sizeof (*tcp);
1490 
1491 	ASSERT(ALIGNED64(offset));
1492 
1493 	return (offset);
1494 }
1495 
1496 static uint_t
1497 spdsock_encode_proto(uint8_t *base, uint_t offset, uint8_t proto)
1498 {
1499 	struct spd_proto *spp;
1500 
1501 	ASSERT(ALIGNED64(offset));
1502 
1503 	if (base != NULL) {
1504 		spp = (struct spd_proto *)(base + offset);
1505 		spp->spd_proto_len = SPD_8TO64(sizeof (*spp));
1506 		spp->spd_proto_exttype = SPD_EXT_PROTO;
1507 		spp->spd_proto_number = proto;
1508 		spp->spd_proto_reserved1 = 0;
1509 		spp->spd_proto_reserved2 = 0;
1510 	}
1511 	offset += sizeof (*spp);
1512 
1513 	ASSERT(ALIGNED64(offset));
1514 
1515 	return (offset);
1516 }
1517 
1518 static uint_t
1519 spdsock_encode_port(uint8_t *base, uint_t offset, uint16_t ext, uint16_t port)
1520 {
1521 	struct spd_portrange *spp;
1522 
1523 	ASSERT(ALIGNED64(offset));
1524 
1525 	if (base != NULL) {
1526 		spp = (struct spd_portrange *)(base + offset);
1527 		spp->spd_ports_len = SPD_8TO64(sizeof (*spp));
1528 		spp->spd_ports_exttype = ext;
1529 		spp->spd_ports_minport = port;
1530 		spp->spd_ports_maxport = port;
1531 	}
1532 	offset += sizeof (*spp);
1533 
1534 	ASSERT(ALIGNED64(offset));
1535 
1536 	return (offset);
1537 }
1538 
1539 static uint_t
1540 spdsock_encode_addr(uint8_t *base, uint_t offset, uint16_t ext,
1541     const ipsec_selkey_t *sel, const ipsec_addr_t *addr, uint_t pfxlen)
1542 {
1543 	struct spd_address *sae;
1544 	ipsec_addr_t *spdaddr;
1545 	uint_t start = offset;
1546 	uint_t addrlen;
1547 	uint_t af;
1548 
1549 	if (sel->ipsl_valid & IPSL_IPV4) {
1550 		af = AF_INET;
1551 		addrlen = IP_ADDR_LEN;
1552 	} else {
1553 		af = AF_INET6;
1554 		addrlen = IPV6_ADDR_LEN;
1555 	}
1556 
1557 	ASSERT(ALIGNED64(offset));
1558 
1559 	if (base != NULL) {
1560 		sae = (struct spd_address *)(base + offset);
1561 		sae->spd_address_exttype = ext;
1562 		sae->spd_address_af = af;
1563 		sae->spd_address_prefixlen = pfxlen;
1564 		sae->spd_address_reserved2 = 0;
1565 
1566 		spdaddr = (ipsec_addr_t *)(&sae[1]);
1567 		bcopy(addr, spdaddr, addrlen);
1568 	}
1569 	offset += sizeof (*sae);
1570 	addrlen = roundup(addrlen, sizeof (uint64_t));
1571 	offset += addrlen;
1572 
1573 	ASSERT(ALIGNED64(offset));
1574 
1575 	if (base != NULL)
1576 		sae->spd_address_len = SPD_8TO64(offset - start);
1577 	return (offset);
1578 }
1579 
1580 static uint_t
1581 spdsock_encode_sel(uint8_t *base, uint_t offset, const ipsec_sel_t *sel)
1582 {
1583 	const ipsec_selkey_t *selkey = &sel->ipsl_key;
1584 
1585 	if (selkey->ipsl_valid & IPSL_PROTOCOL)
1586 		offset = spdsock_encode_proto(base, offset, selkey->ipsl_proto);
1587 	if (selkey->ipsl_valid & IPSL_LOCAL_PORT)
1588 		offset = spdsock_encode_port(base, offset, SPD_EXT_LCLPORT,
1589 		    selkey->ipsl_lport);
1590 	if (selkey->ipsl_valid & IPSL_REMOTE_PORT)
1591 		offset = spdsock_encode_port(base, offset, SPD_EXT_REMPORT,
1592 		    selkey->ipsl_rport);
1593 	if (selkey->ipsl_valid & IPSL_REMOTE_ADDR)
1594 		offset = spdsock_encode_addr(base, offset, SPD_EXT_REMADDR,
1595 		    selkey, &selkey->ipsl_remote, selkey->ipsl_remote_pfxlen);
1596 	if (selkey->ipsl_valid & IPSL_LOCAL_ADDR)
1597 		offset = spdsock_encode_addr(base, offset, SPD_EXT_LCLADDR,
1598 		    selkey, &selkey->ipsl_local, selkey->ipsl_local_pfxlen);
1599 	if (selkey->ipsl_valid & IPSL_ICMP_TYPE) {
1600 		offset = spdsock_encode_typecode(base, offset,
1601 		    selkey->ipsl_icmp_type, selkey->ipsl_icmp_type_end,
1602 		    (selkey->ipsl_valid & IPSL_ICMP_CODE) ?
1603 		    selkey->ipsl_icmp_code : 255,
1604 		    (selkey->ipsl_valid & IPSL_ICMP_CODE) ?
1605 		    selkey->ipsl_icmp_code_end : 255);
1606 	}
1607 	return (offset);
1608 }
1609 
1610 static uint_t
1611 spdsock_encode_actattr(uint8_t *base, uint_t offset, uint32_t tag,
1612     uint32_t value)
1613 {
1614 	struct spd_attribute *attr;
1615 
1616 	ASSERT(ALIGNED64(offset));
1617 
1618 	if (base != NULL) {
1619 		attr = (struct spd_attribute *)(base + offset);
1620 		attr->spd_attr_tag = tag;
1621 		attr->spd_attr_value = value;
1622 	}
1623 	offset += sizeof (struct spd_attribute);
1624 
1625 	ASSERT(ALIGNED64(offset));
1626 
1627 	return (offset);
1628 }
1629 
1630 
1631 #define	EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v))
1632 
1633 static uint_t
1634 spdsock_encode_action(uint8_t *base, uint_t offset, const ipsec_action_t *ap)
1635 {
1636 	const struct ipsec_act *act = &(ap->ipa_act);
1637 	uint_t flags;
1638 
1639 	EMIT(SPD_ATTR_EMPTY, 0);
1640 	switch (act->ipa_type) {
1641 	case IPSEC_ACT_DISCARD:
1642 	case IPSEC_ACT_REJECT:
1643 		EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_DROP);
1644 		break;
1645 	case IPSEC_ACT_BYPASS:
1646 	case IPSEC_ACT_CLEAR:
1647 		EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_PASS);
1648 		break;
1649 
1650 	case IPSEC_ACT_APPLY:
1651 		EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_IPSEC);
1652 		flags = 0;
1653 		if (act->ipa_apply.ipp_use_ah)
1654 			flags |= SPD_APPLY_AH;
1655 		if (act->ipa_apply.ipp_use_esp)
1656 			flags |= SPD_APPLY_ESP;
1657 		if (act->ipa_apply.ipp_use_espa)
1658 			flags |= SPD_APPLY_ESPA;
1659 		if (act->ipa_apply.ipp_use_se)
1660 			flags |= SPD_APPLY_SE;
1661 		if (act->ipa_apply.ipp_use_unique)
1662 			flags |= SPD_APPLY_UNIQUE;
1663 		EMIT(SPD_ATTR_FLAGS, flags);
1664 		if (flags & SPD_APPLY_AH) {
1665 			EMIT(SPD_ATTR_AH_AUTH, act->ipa_apply.ipp_auth_alg);
1666 			EMIT(SPD_ATTR_AH_MINBITS,
1667 			    act->ipa_apply.ipp_ah_minbits);
1668 			EMIT(SPD_ATTR_AH_MAXBITS,
1669 			    act->ipa_apply.ipp_ah_maxbits);
1670 		}
1671 		if (flags & SPD_APPLY_ESP) {
1672 			EMIT(SPD_ATTR_ESP_ENCR, act->ipa_apply.ipp_encr_alg);
1673 			EMIT(SPD_ATTR_ENCR_MINBITS,
1674 			    act->ipa_apply.ipp_espe_minbits);
1675 			EMIT(SPD_ATTR_ENCR_MAXBITS,
1676 			    act->ipa_apply.ipp_espe_maxbits);
1677 			if (flags & SPD_APPLY_ESPA) {
1678 				EMIT(SPD_ATTR_ESP_AUTH,
1679 				    act->ipa_apply.ipp_esp_auth_alg);
1680 				EMIT(SPD_ATTR_ESPA_MINBITS,
1681 				    act->ipa_apply.ipp_espa_minbits);
1682 				EMIT(SPD_ATTR_ESPA_MAXBITS,
1683 				    act->ipa_apply.ipp_espa_maxbits);
1684 			}
1685 		}
1686 		if (act->ipa_apply.ipp_km_proto != 0)
1687 			EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_proto);
1688 		if (act->ipa_apply.ipp_km_cookie != 0)
1689 			EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_cookie);
1690 		if (act->ipa_apply.ipp_replay_depth != 0)
1691 			EMIT(SPD_ATTR_REPLAY_DEPTH,
1692 			    act->ipa_apply.ipp_replay_depth);
1693 		/* Add more here */
1694 		break;
1695 	}
1696 
1697 	return (offset);
1698 }
1699 
1700 static uint_t
1701 spdsock_encode_action_list(uint8_t *base, uint_t offset,
1702     const ipsec_action_t *ap)
1703 {
1704 	struct spd_ext_actions *act;
1705 	uint_t nact = 0;
1706 	uint_t start = offset;
1707 
1708 	ASSERT(ALIGNED64(offset));
1709 
1710 	if (base != NULL) {
1711 		act = (struct spd_ext_actions *)(base + offset);
1712 		act->spd_actions_len = 0;
1713 		act->spd_actions_exttype = SPD_EXT_ACTION;
1714 		act->spd_actions_count = 0;
1715 		act->spd_actions_reserved = 0;
1716 	}
1717 
1718 	offset += sizeof (*act);
1719 
1720 	ASSERT(ALIGNED64(offset));
1721 
1722 	while (ap != NULL) {
1723 		offset = spdsock_encode_action(base, offset, ap);
1724 		ap = ap->ipa_next;
1725 		nact++;
1726 		if (ap != NULL) {
1727 			EMIT(SPD_ATTR_NEXT, 0);
1728 		}
1729 	}
1730 	EMIT(SPD_ATTR_END, 0);
1731 
1732 	ASSERT(ALIGNED64(offset));
1733 
1734 	if (base != NULL) {
1735 		act->spd_actions_count = nact;
1736 		act->spd_actions_len = SPD_8TO64(offset - start);
1737 	}
1738 
1739 	return (offset);
1740 }
1741 
1742 #undef EMIT
1743 
1744 /* ARGSUSED */
1745 static uint_t
1746 spdsock_rule_flags(uint_t dir, uint_t af)
1747 {
1748 	uint_t flags = 0;
1749 
1750 	if (dir == IPSEC_TYPE_INBOUND)
1751 		flags |= SPD_RULE_FLAG_INBOUND;
1752 	if (dir == IPSEC_TYPE_OUTBOUND)
1753 		flags |= SPD_RULE_FLAG_OUTBOUND;
1754 
1755 	return (flags);
1756 }
1757 
1758 
1759 static uint_t
1760 spdsock_encode_rule_head(uint8_t *base, uint_t offset, spd_msg_t *req,
1761     const ipsec_policy_t *rule, uint_t dir, uint_t af, char *name,
1762     boolean_t tunnel)
1763 {
1764 	struct spd_msg *spmsg;
1765 	struct spd_rule *spr;
1766 	spd_if_t *sid;
1767 
1768 	uint_t start = offset;
1769 
1770 	ASSERT(ALIGNED64(offset));
1771 
1772 	if (base != NULL) {
1773 		spmsg = (struct spd_msg *)(base + offset);
1774 		bzero(spmsg, sizeof (*spmsg));
1775 		spmsg->spd_msg_version = PF_POLICY_V1;
1776 		spmsg->spd_msg_type = SPD_DUMP;
1777 		spmsg->spd_msg_seq = req->spd_msg_seq;
1778 		spmsg->spd_msg_pid = req->spd_msg_pid;
1779 	}
1780 	offset += sizeof (struct spd_msg);
1781 
1782 	ASSERT(ALIGNED64(offset));
1783 
1784 	if (base != NULL) {
1785 		spr = (struct spd_rule *)(base + offset);
1786 		spr->spd_rule_type = SPD_EXT_RULE;
1787 		spr->spd_rule_priority = rule->ipsp_prio;
1788 		spr->spd_rule_flags = spdsock_rule_flags(dir, af);
1789 		if (tunnel)
1790 			spr->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL;
1791 		spr->spd_rule_unused = 0;
1792 		spr->spd_rule_len = SPD_8TO64(sizeof (*spr));
1793 		spr->spd_rule_index = rule->ipsp_index;
1794 	}
1795 	offset += sizeof (struct spd_rule);
1796 
1797 	/*
1798 	 * If we have an interface name (i.e. if this policy head came from
1799 	 * a tunnel), add the SPD_EXT_TUN_NAME extension.
1800 	 */
1801 	if (name != NULL) {
1802 
1803 		ASSERT(ALIGNED64(offset));
1804 
1805 		if (base != NULL) {
1806 			sid = (spd_if_t *)(base + offset);
1807 			sid->spd_if_exttype = SPD_EXT_TUN_NAME;
1808 			sid->spd_if_len = SPD_8TO64(sizeof (spd_if_t) +
1809 			    roundup((strlen(name) - 4), 8));
1810 			(void) strlcpy((char *)sid->spd_if_name, name,
1811 			    LIFNAMSIZ);
1812 		}
1813 
1814 		offset += sizeof (spd_if_t) + roundup((strlen(name) - 4), 8);
1815 	}
1816 
1817 	offset = spdsock_encode_sel(base, offset, rule->ipsp_sel);
1818 	offset = spdsock_encode_action_list(base, offset, rule->ipsp_act);
1819 
1820 	ASSERT(ALIGNED64(offset));
1821 
1822 	if (base != NULL) {
1823 		spmsg->spd_msg_len = SPD_8TO64(offset - start);
1824 	}
1825 	return (offset);
1826 }
1827 
1828 /* ARGSUSED */
1829 static mblk_t *
1830 spdsock_encode_rule(mblk_t *req, const ipsec_policy_t *rule,
1831     uint_t dir, uint_t af, char *name, boolean_t tunnel)
1832 {
1833 	mblk_t *m;
1834 	uint_t len;
1835 	spd_msg_t *mreq = (spd_msg_t *)req->b_rptr;
1836 
1837 	/*
1838 	 * Figure out how much space we'll need.
1839 	 */
1840 	len = spdsock_encode_rule_head(NULL, 0, mreq, rule, dir, af, name,
1841 	    tunnel);
1842 
1843 	/*
1844 	 * Allocate mblk.
1845 	 */
1846 	m = allocb(len, BPRI_HI);
1847 	if (m == NULL)
1848 		return (NULL);
1849 
1850 	/*
1851 	 * Fill it in..
1852 	 */
1853 	m->b_wptr = m->b_rptr + len;
1854 	bzero(m->b_rptr, len);
1855 	(void) spdsock_encode_rule_head(m->b_rptr, 0, mreq, rule, dir, af,
1856 	    name, tunnel);
1857 	return (m);
1858 }
1859 
1860 static ipsec_policy_t *
1861 spdsock_dump_next_in_chain(spdsock_t *ss, ipsec_policy_head_t *iph,
1862     ipsec_policy_t *cur)
1863 {
1864 	ASSERT(RW_READ_HELD(&iph->iph_lock));
1865 
1866 	ss->spdsock_dump_count++;
1867 	ss->spdsock_dump_cur_rule = cur->ipsp_hash.hash_next;
1868 	return (cur);
1869 }
1870 
1871 static ipsec_policy_t *
1872 spdsock_dump_next_rule(spdsock_t *ss, ipsec_policy_head_t *iph)
1873 {
1874 	ipsec_policy_t *cur;
1875 	ipsec_policy_root_t *ipr;
1876 	int chain, nchains, type, af;
1877 
1878 	ASSERT(RW_READ_HELD(&iph->iph_lock));
1879 
1880 	cur = ss->spdsock_dump_cur_rule;
1881 
1882 	if (cur != NULL)
1883 		return (spdsock_dump_next_in_chain(ss, iph, cur));
1884 
1885 	type = ss->spdsock_dump_cur_type;
1886 
1887 next:
1888 	chain = ss->spdsock_dump_cur_chain;
1889 	ipr = &iph->iph_root[type];
1890 	nchains = ipr->ipr_nchains;
1891 
1892 	while (chain < nchains) {
1893 		cur = ipr->ipr_hash[chain].hash_head;
1894 		chain++;
1895 		if (cur != NULL) {
1896 			ss->spdsock_dump_cur_chain = chain;
1897 			return (spdsock_dump_next_in_chain(ss, iph, cur));
1898 		}
1899 	}
1900 	ss->spdsock_dump_cur_chain = nchains;
1901 
1902 	af = ss->spdsock_dump_cur_af;
1903 	while (af < IPSEC_NAF) {
1904 		cur = ipr->ipr_nonhash[af];
1905 		af++;
1906 		if (cur != NULL) {
1907 			ss->spdsock_dump_cur_af = af;
1908 			return (spdsock_dump_next_in_chain(ss, iph, cur));
1909 		}
1910 	}
1911 
1912 	type++;
1913 	if (type >= IPSEC_NTYPES)
1914 		return (NULL);
1915 
1916 	ss->spdsock_dump_cur_chain = 0;
1917 	ss->spdsock_dump_cur_type = type;
1918 	ss->spdsock_dump_cur_af = IPSEC_AF_V4;
1919 	goto next;
1920 
1921 }
1922 
1923 /*
1924  * If we're done with one policy head, but have more to go, we iterate through
1925  * another IPsec tunnel policy head (itp).  Return NULL if it is an error
1926  * worthy of returning EAGAIN via PF_POLICY.
1927  */
1928 static ipsec_tun_pol_t *
1929 spdsock_dump_iterate_next_tunnel(spdsock_t *ss, ipsec_stack_t *ipss)
1930 {
1931 	ipsec_tun_pol_t *itp;
1932 
1933 	ASSERT(RW_READ_HELD(&ipss->ipsec_tunnel_policy_lock));
1934 	if (ipss->ipsec_tunnel_policy_gen > ss->spdsock_dump_tun_gen) {
1935 		/* Oops, state of the tunnel polheads changed. */
1936 		itp = NULL;
1937 	} else if (ss->spdsock_itp == NULL) {
1938 		/* Just finished global, find first node. */
1939 		itp = avl_first(&ipss->ipsec_tunnel_policies);
1940 	} else {
1941 		/* We just finished current polhead, find the next one. */
1942 		itp = AVL_NEXT(&ipss->ipsec_tunnel_policies, ss->spdsock_itp);
1943 	}
1944 	if (itp != NULL) {
1945 		ITP_REFHOLD(itp);
1946 	}
1947 	if (ss->spdsock_itp != NULL) {
1948 		ITP_REFRELE(ss->spdsock_itp, ipss->ipsec_netstack);
1949 	}
1950 	ss->spdsock_itp = itp;
1951 	return (itp);
1952 }
1953 
1954 static mblk_t *
1955 spdsock_dump_next_record(spdsock_t *ss)
1956 {
1957 	ipsec_policy_head_t *iph;
1958 	ipsec_policy_t *rule;
1959 	mblk_t *m;
1960 	ipsec_tun_pol_t *itp;
1961 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
1962 	ipsec_stack_t *ipss = ns->netstack_ipsec;
1963 
1964 	iph = ss->spdsock_dump_head;
1965 
1966 	ASSERT(iph != NULL);
1967 
1968 	rw_enter(&iph->iph_lock, RW_READER);
1969 
1970 	if (iph->iph_gen != ss->spdsock_dump_gen) {
1971 		rw_exit(&iph->iph_lock);
1972 		return (spdsock_dump_finish(ss, EAGAIN));
1973 	}
1974 
1975 	while ((rule = spdsock_dump_next_rule(ss, iph)) == NULL) {
1976 		rw_exit(&iph->iph_lock);
1977 		if (--(ss->spdsock_dump_remaining_polheads) == 0)
1978 			return (spdsock_dump_finish(ss, 0));
1979 
1980 
1981 		/*
1982 		 * If we reach here, we have more policy heads (tunnel
1983 		 * entries) to dump.  Let's reset to a new policy head
1984 		 * and get some more rules.
1985 		 *
1986 		 * An empty policy head will have spdsock_dump_next_rule()
1987 		 * return NULL, and we loop (while dropping the number of
1988 		 * remaining polheads).  If we loop to 0, we finish.  We
1989 		 * keep looping until we hit 0 or until we have a rule to
1990 		 * encode.
1991 		 *
1992 		 * NOTE:  No need for ITP_REF*() macros here as we're only
1993 		 * going after and refholding the policy head itself.
1994 		 */
1995 		rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
1996 		itp = spdsock_dump_iterate_next_tunnel(ss, ipss);
1997 		if (itp == NULL) {
1998 			rw_exit(&ipss->ipsec_tunnel_policy_lock);
1999 			return (spdsock_dump_finish(ss, EAGAIN));
2000 		}
2001 
2002 		/* Reset other spdsock_dump thingies. */
2003 		IPPH_REFRELE(ss->spdsock_dump_head, ns);
2004 		if (ss->spdsock_dump_active) {
2005 			ss->spdsock_dump_tunnel =
2006 			    itp->itp_flags & ITPF_P_TUNNEL;
2007 			iph = itp->itp_policy;
2008 		} else {
2009 			ss->spdsock_dump_tunnel =
2010 			    itp->itp_flags & ITPF_I_TUNNEL;
2011 			iph = itp->itp_inactive;
2012 		}
2013 		IPPH_REFHOLD(iph);
2014 		rw_exit(&ipss->ipsec_tunnel_policy_lock);
2015 
2016 		rw_enter(&iph->iph_lock, RW_READER);
2017 		RESET_SPDSOCK_DUMP_POLHEAD(ss, iph);
2018 	}
2019 
2020 	m = spdsock_encode_rule(ss->spdsock_dump_req, rule,
2021 	    ss->spdsock_dump_cur_type, ss->spdsock_dump_cur_af,
2022 	    (ss->spdsock_itp == NULL) ? NULL : ss->spdsock_itp->itp_name,
2023 	    ss->spdsock_dump_tunnel);
2024 	rw_exit(&iph->iph_lock);
2025 
2026 	if (m == NULL)
2027 		return (spdsock_dump_finish(ss, ENOMEM));
2028 	return (m);
2029 }
2030 
2031 /*
2032  * Dump records until we run into flow-control back-pressure.
2033  */
2034 static void
2035 spdsock_dump_some(queue_t *q, spdsock_t *ss)
2036 {
2037 	mblk_t *m, *dataind;
2038 
2039 	while ((ss->spdsock_dump_req != NULL) && canputnext(q)) {
2040 		m = spdsock_dump_next_record(ss);
2041 		if (m == NULL)
2042 			return;
2043 		dataind = allocb(sizeof (struct T_data_req), BPRI_HI);
2044 		if (dataind == NULL) {
2045 			freemsg(m);
2046 			return;
2047 		}
2048 		dataind->b_cont = m;
2049 		dataind->b_wptr += sizeof (struct T_data_req);
2050 		((struct T_data_ind *)dataind->b_rptr)->PRIM_type = T_DATA_IND;
2051 		((struct T_data_ind *)dataind->b_rptr)->MORE_flag = 0;
2052 		dataind->b_datap->db_type = M_PROTO;
2053 		putnext(q, dataind);
2054 	}
2055 }
2056 
2057 /*
2058  * Start dumping.
2059  * Format a start-of-dump record, and set up the stream and kick the rsrv
2060  * procedure to continue the job..
2061  */
2062 /* ARGSUSED */
2063 static void
2064 spdsock_dump(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp)
2065 {
2066 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
2067 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
2068 	ipsec_stack_t *ipss = ns->netstack_ipsec;
2069 	mblk_t *mr;
2070 
2071 	/* spdsock_open() already set spdsock_itp to NULL. */
2072 	if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) {
2073 		rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
2074 		ss->spdsock_dump_remaining_polheads = 1 +
2075 		    avl_numnodes(&ipss->ipsec_tunnel_policies);
2076 		ss->spdsock_dump_tun_gen = ipss->ipsec_tunnel_policy_gen;
2077 		rw_exit(&ipss->ipsec_tunnel_policy_lock);
2078 		if (iph == ALL_ACTIVE_POLHEADS) {
2079 			iph = ipsec_system_policy(ns);
2080 			ss->spdsock_dump_active = B_TRUE;
2081 		} else {
2082 			iph = ipsec_inactive_policy(ns);
2083 			ss->spdsock_dump_active = B_FALSE;
2084 		}
2085 		ASSERT(ss->spdsock_itp == NULL);
2086 	} else {
2087 		ss->spdsock_dump_remaining_polheads = 1;
2088 	}
2089 
2090 	rw_enter(&iph->iph_lock, RW_READER);
2091 
2092 	mr = spdsock_dump_ruleset(mp, iph, 0, 0);
2093 
2094 	if (!mr) {
2095 		rw_exit(&iph->iph_lock);
2096 		spdsock_error(q, mp, ENOMEM, 0);
2097 		return;
2098 	}
2099 
2100 	ss->spdsock_dump_req = mp;
2101 	RESET_SPDSOCK_DUMP_POLHEAD(ss, iph);
2102 
2103 	rw_exit(&iph->iph_lock);
2104 
2105 	qreply(q, mr);
2106 	qenable(OTHERQ(q));
2107 }
2108 
2109 /* Do NOT consume a reference to ITP. */
2110 void
2111 spdsock_clone_node(ipsec_tun_pol_t *itp, void *ep, netstack_t *ns)
2112 {
2113 	int *errptr = (int *)ep;
2114 
2115 	if (*errptr != 0)
2116 		return;	/* We've failed already for some reason. */
2117 	mutex_enter(&itp->itp_lock);
2118 	ITPF_CLONE(itp->itp_flags);
2119 	*errptr = ipsec_copy_polhead(itp->itp_policy, itp->itp_inactive, ns);
2120 	mutex_exit(&itp->itp_lock);
2121 }
2122 
2123 void
2124 spdsock_clone(queue_t *q, mblk_t *mp, spd_if_t *tunname)
2125 {
2126 	int error;
2127 	char *tname;
2128 	ipsec_tun_pol_t *itp;
2129 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
2130 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
2131 	uint32_t auditing = AU_AUDITING();
2132 
2133 	if (tunname != NULL) {
2134 		tname = (char *)tunname->spd_if_name;
2135 		if (*tname == '\0') {
2136 			error = ipsec_clone_system_policy(ns);
2137 			if (auditing) {
2138 				boolean_t active;
2139 				spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2140 				cred_t *cr;
2141 				pid_t cpid;
2142 
2143 				cr = msg_getcred(mp, &cpid);
2144 				active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2145 				audit_pf_policy(SPD_CLONE, cr, ns,
2146 				    NULL, active, error, cpid);
2147 			}
2148 			if (error == 0) {
2149 				itp_walk(spdsock_clone_node, &error, ns);
2150 				if (auditing) {
2151 					boolean_t active;
2152 					spd_msg_t *spmsg =
2153 					    (spd_msg_t *)mp->b_rptr;
2154 					cred_t *cr;
2155 					pid_t cpid;
2156 
2157 					cr = msg_getcred(mp, &cpid);
2158 					active = (spmsg->spd_msg_spdid ==
2159 					    SPD_ACTIVE);
2160 					audit_pf_policy(SPD_CLONE, cr,
2161 					    ns, "all tunnels", active, 0,
2162 					    cpid);
2163 				}
2164 			}
2165 		} else {
2166 			itp = get_tunnel_policy(tname, ns);
2167 			if (itp == NULL) {
2168 				spdsock_error(q, mp, ENOENT, 0);
2169 				if (auditing) {
2170 					boolean_t active;
2171 					spd_msg_t *spmsg =
2172 					    (spd_msg_t *)mp->b_rptr;
2173 					cred_t *cr;
2174 					pid_t cpid;
2175 
2176 					cr = msg_getcred(mp, &cpid);
2177 					active = (spmsg->spd_msg_spdid ==
2178 					    SPD_ACTIVE);
2179 					audit_pf_policy(SPD_CLONE, cr,
2180 					    ns, NULL, active, ENOENT, cpid);
2181 				}
2182 				return;
2183 			}
2184 			spdsock_clone_node(itp, &error, NULL);
2185 			if (auditing) {
2186 				boolean_t active;
2187 				spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2188 				cred_t *cr;
2189 				pid_t cpid;
2190 
2191 				cr = msg_getcred(mp, &cpid);
2192 				active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2193 				audit_pf_policy(SPD_CLONE, cr, ns,
2194 				    ITP_NAME(itp), active, error, cpid);
2195 			}
2196 			ITP_REFRELE(itp, ns);
2197 		}
2198 	} else {
2199 		error = ipsec_clone_system_policy(ns);
2200 		if (auditing) {
2201 			boolean_t active;
2202 			spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2203 			cred_t *cr;
2204 			pid_t cpid;
2205 
2206 			cr = msg_getcred(mp, &cpid);
2207 			active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2208 			audit_pf_policy(SPD_CLONE, cr, ns, NULL,
2209 			    active, error, cpid);
2210 		}
2211 	}
2212 
2213 	if (error != 0)
2214 		spdsock_error(q, mp, error, 0);
2215 	else
2216 		spd_echo(q, mp);
2217 }
2218 
2219 /*
2220  * Process a SPD_ALGLIST request. The caller expects separate alg entries
2221  * for AH authentication, ESP authentication, and ESP encryption.
2222  * The same distinction is then used when setting the min and max key
2223  * sizes when defining policies.
2224  */
2225 
2226 #define	SPDSOCK_AH_AUTH		0
2227 #define	SPDSOCK_ESP_AUTH	1
2228 #define	SPDSOCK_ESP_ENCR	2
2229 #define	SPDSOCK_NTYPES		3
2230 
2231 static const uint_t algattr[SPDSOCK_NTYPES] = {
2232 	SPD_ATTR_AH_AUTH,
2233 	SPD_ATTR_ESP_AUTH,
2234 	SPD_ATTR_ESP_ENCR
2235 };
2236 static const uint_t minbitsattr[SPDSOCK_NTYPES] = {
2237 	SPD_ATTR_AH_MINBITS,
2238 	SPD_ATTR_ESPA_MINBITS,
2239 	SPD_ATTR_ENCR_MINBITS
2240 };
2241 static const uint_t maxbitsattr[SPDSOCK_NTYPES] = {
2242 	SPD_ATTR_AH_MAXBITS,
2243 	SPD_ATTR_ESPA_MAXBITS,
2244 	SPD_ATTR_ENCR_MAXBITS
2245 };
2246 static const uint_t defbitsattr[SPDSOCK_NTYPES] = {
2247 	SPD_ATTR_AH_DEFBITS,
2248 	SPD_ATTR_ESPA_DEFBITS,
2249 	SPD_ATTR_ENCR_DEFBITS
2250 };
2251 static const uint_t incrbitsattr[SPDSOCK_NTYPES] = {
2252 	SPD_ATTR_AH_INCRBITS,
2253 	SPD_ATTR_ESPA_INCRBITS,
2254 	SPD_ATTR_ENCR_INCRBITS
2255 };
2256 
2257 #define	ATTRPERALG	6	/* fixed attributes per algs */
2258 
2259 void
2260 spdsock_alglist(queue_t *q, mblk_t *mp)
2261 {
2262 	uint_t algtype;
2263 	uint_t algidx;
2264 	uint_t algcount;
2265 	uint_t size;
2266 	mblk_t *m;
2267 	uint8_t *cur;
2268 	spd_msg_t *msg;
2269 	struct spd_ext_actions *act;
2270 	struct spd_attribute *attr;
2271 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
2272 	ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
2273 
2274 	rw_enter(&ipss->ipsec_alg_lock, RW_READER);
2275 	/*
2276 	 * The SPD client expects to receive separate entries for
2277 	 * AH authentication and ESP authentication supported algorithms.
2278 	 *
2279 	 * Don't return the "any" algorithms, if defined, as no
2280 	 * kernel policies can be set for these algorithms.
2281 	 */
2282 	algcount = 2 * ipss->ipsec_nalgs[IPSEC_ALG_AUTH] +
2283 	    ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
2284 
2285 	if (ipss->ipsec_alglists[IPSEC_ALG_AUTH][SADB_AALG_NONE] != NULL)
2286 		algcount--;
2287 	if (ipss->ipsec_alglists[IPSEC_ALG_ENCR][SADB_EALG_NONE] != NULL)
2288 		algcount--;
2289 
2290 	/*
2291 	 * For each algorithm, we encode:
2292 	 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2293 	 */
2294 
2295 	size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions) +
2296 	    ATTRPERALG * sizeof (struct spd_attribute) * algcount;
2297 
2298 	ASSERT(ALIGNED64(size));
2299 
2300 	m = allocb(size, BPRI_HI);
2301 	if (m == NULL) {
2302 		rw_exit(&ipss->ipsec_alg_lock);
2303 		spdsock_error(q, mp, ENOMEM, 0);
2304 		return;
2305 	}
2306 
2307 	m->b_wptr = m->b_rptr + size;
2308 	cur = m->b_rptr;
2309 
2310 	msg = (spd_msg_t *)cur;
2311 	bcopy(mp->b_rptr, cur, sizeof (*msg));
2312 
2313 	msg->spd_msg_len = SPD_8TO64(size);
2314 	msg->spd_msg_errno = 0;
2315 	msg->spd_msg_diagnostic = 0;
2316 
2317 	cur += sizeof (*msg);
2318 
2319 	act = (struct spd_ext_actions *)cur;
2320 	cur += sizeof (*act);
2321 
2322 	act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t));
2323 	act->spd_actions_exttype = SPD_EXT_ACTION;
2324 	act->spd_actions_count = algcount;
2325 	act->spd_actions_reserved = 0;
2326 
2327 	attr = (struct spd_attribute *)cur;
2328 
2329 #define	EMIT(tag, value) {					\
2330 		attr->spd_attr_tag = (tag);			\
2331 		attr->spd_attr_value = (value);			\
2332 		attr++;						\
2333 	}
2334 
2335 	/*
2336 	 * If you change the number of EMIT's here, change
2337 	 * ATTRPERALG above to match
2338 	 */
2339 #define	EMITALGATTRS(_type) {					\
2340 		EMIT(algattr[_type], algid);		/* 1 */	\
2341 		EMIT(minbitsattr[_type], minbits);	/* 2 */	\
2342 		EMIT(maxbitsattr[_type], maxbits);	/* 3 */	\
2343 		EMIT(defbitsattr[_type], defbits);	/* 4 */	\
2344 		EMIT(incrbitsattr[_type], incr);	/* 5 */	\
2345 		EMIT(SPD_ATTR_NEXT, 0);			/* 6 */	\
2346 	}
2347 
2348 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2349 		for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2350 		    algidx++) {
2351 			int algid = ipss->ipsec_sortlist[algtype][algidx];
2352 			ipsec_alginfo_t *alg =
2353 			    ipss->ipsec_alglists[algtype][algid];
2354 			uint_t minbits = alg->alg_minbits;
2355 			uint_t maxbits = alg->alg_maxbits;
2356 			uint_t defbits = alg->alg_default_bits;
2357 			uint_t incr = alg->alg_increment;
2358 
2359 			if (algtype == IPSEC_ALG_AUTH) {
2360 				if (algid == SADB_AALG_NONE)
2361 					continue;
2362 				EMITALGATTRS(SPDSOCK_AH_AUTH);
2363 				EMITALGATTRS(SPDSOCK_ESP_AUTH);
2364 			} else {
2365 				if (algid == SADB_EALG_NONE)
2366 					continue;
2367 				ASSERT(algtype == IPSEC_ALG_ENCR);
2368 				EMITALGATTRS(SPDSOCK_ESP_ENCR);
2369 			}
2370 		}
2371 	}
2372 
2373 	rw_exit(&ipss->ipsec_alg_lock);
2374 
2375 #undef EMITALGATTRS
2376 #undef EMIT
2377 #undef ATTRPERALG
2378 
2379 	attr--;
2380 	attr->spd_attr_tag = SPD_ATTR_END;
2381 
2382 	freemsg(mp);
2383 	qreply(q, m);
2384 }
2385 
2386 /*
2387  * Process a SPD_DUMPALGS request.
2388  */
2389 
2390 #define	ATTRPERALG	9	/* fixed attributes per algs */
2391 
2392 void
2393 spdsock_dumpalgs(queue_t *q, mblk_t *mp)
2394 {
2395 	uint_t algtype;
2396 	uint_t algidx;
2397 	uint_t size;
2398 	mblk_t *m;
2399 	uint8_t *cur;
2400 	spd_msg_t *msg;
2401 	struct spd_ext_actions *act;
2402 	struct spd_attribute *attr;
2403 	ipsec_alginfo_t *alg;
2404 	uint_t algid;
2405 	uint_t i;
2406 	uint_t alg_size;
2407 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
2408 	ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
2409 
2410 	rw_enter(&ipss->ipsec_alg_lock, RW_READER);
2411 
2412 	/*
2413 	 * For each algorithm, we encode:
2414 	 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2415 	 *
2416 	 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE*
2417 	 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_NPARAMS / ALG_PARAMS* /
2418 	 * ALG_MECHNAME / ALG_FLAGS / {END, NEXT}
2419 	 */
2420 
2421 	/*
2422 	 * Compute the size of the SPD message.
2423 	 */
2424 	size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions);
2425 
2426 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2427 		for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2428 		    algidx++) {
2429 			algid = ipss->ipsec_sortlist[algtype][algidx];
2430 			alg = ipss->ipsec_alglists[algtype][algid];
2431 			alg_size = sizeof (struct spd_attribute) *
2432 			    (ATTRPERALG + alg->alg_nkey_sizes +
2433 			    alg->alg_nblock_sizes + alg->alg_nparams) +
2434 			    CRYPTO_MAX_MECH_NAME;
2435 			size += alg_size;
2436 		}
2437 	}
2438 
2439 	ASSERT(ALIGNED64(size));
2440 
2441 	m = allocb(size, BPRI_HI);
2442 	if (m == NULL) {
2443 		rw_exit(&ipss->ipsec_alg_lock);
2444 		spdsock_error(q, mp, ENOMEM, 0);
2445 		return;
2446 	}
2447 
2448 	m->b_wptr = m->b_rptr + size;
2449 	cur = m->b_rptr;
2450 
2451 	msg = (spd_msg_t *)cur;
2452 	bcopy(mp->b_rptr, cur, sizeof (*msg));
2453 
2454 	msg->spd_msg_len = SPD_8TO64(size);
2455 	msg->spd_msg_errno = 0;
2456 	msg->spd_msg_type = SPD_ALGLIST;
2457 
2458 	msg->spd_msg_diagnostic = 0;
2459 
2460 	cur += sizeof (*msg);
2461 
2462 	act = (struct spd_ext_actions *)cur;
2463 	cur += sizeof (*act);
2464 
2465 	act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t));
2466 	act->spd_actions_exttype = SPD_EXT_ACTION;
2467 	act->spd_actions_count = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] +
2468 	    ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
2469 	act->spd_actions_reserved = 0;
2470 
2471 	/*
2472 	 * If there aren't any algorithms registered, return an empty message.
2473 	 * spdsock_get_ext() knows how to deal with this.
2474 	 */
2475 	if (act->spd_actions_count == 0) {
2476 		act->spd_actions_len = 0;
2477 		rw_exit(&ipss->ipsec_alg_lock);
2478 		goto error;
2479 	}
2480 
2481 	attr = (struct spd_attribute *)cur;
2482 
2483 #define	EMIT(tag, value) {					\
2484 		attr->spd_attr_tag = (tag);			\
2485 		attr->spd_attr_value = (value);			\
2486 		attr++;						\
2487 	}
2488 
2489 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2490 		for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2491 		    algidx++) {
2492 
2493 			algid = ipss->ipsec_sortlist[algtype][algidx];
2494 			alg = ipss->ipsec_alglists[algtype][algid];
2495 
2496 			/*
2497 			 * If you change the number of EMIT's here, change
2498 			 * ATTRPERALG above to match
2499 			 */
2500 			EMIT(SPD_ATTR_ALG_ID, algid);
2501 			EMIT(SPD_ATTR_ALG_PROTO, algproto[algtype]);
2502 			EMIT(SPD_ATTR_ALG_INCRBITS, alg->alg_increment);
2503 			EMIT(SPD_ATTR_ALG_NKEYSIZES, alg->alg_nkey_sizes);
2504 			for (i = 0; i < alg->alg_nkey_sizes; i++)
2505 				EMIT(SPD_ATTR_ALG_KEYSIZE,
2506 				    alg->alg_key_sizes[i]);
2507 
2508 			EMIT(SPD_ATTR_ALG_NBLOCKSIZES, alg->alg_nblock_sizes);
2509 			for (i = 0; i < alg->alg_nblock_sizes; i++)
2510 				EMIT(SPD_ATTR_ALG_BLOCKSIZE,
2511 				    alg->alg_block_sizes[i]);
2512 
2513 			EMIT(SPD_ATTR_ALG_NPARAMS, alg->alg_nparams);
2514 			for (i = 0; i < alg->alg_nparams; i++)
2515 				EMIT(SPD_ATTR_ALG_PARAMS,
2516 				    alg->alg_params[i]);
2517 
2518 			EMIT(SPD_ATTR_ALG_FLAGS, alg->alg_flags);
2519 
2520 			EMIT(SPD_ATTR_ALG_MECHNAME, CRYPTO_MAX_MECH_NAME);
2521 			bcopy(alg->alg_mech_name, attr, CRYPTO_MAX_MECH_NAME);
2522 			attr = (struct spd_attribute *)((char *)attr +
2523 			    CRYPTO_MAX_MECH_NAME);
2524 
2525 			EMIT(SPD_ATTR_NEXT, 0);
2526 		}
2527 	}
2528 
2529 	rw_exit(&ipss->ipsec_alg_lock);
2530 
2531 #undef EMITALGATTRS
2532 #undef EMIT
2533 #undef ATTRPERALG
2534 
2535 	attr--;
2536 	attr->spd_attr_tag = SPD_ATTR_END;
2537 
2538 error:
2539 	freemsg(mp);
2540 	qreply(q, m);
2541 }
2542 
2543 /*
2544  * Do the actual work of processing an SPD_UPDATEALGS request. Can
2545  * be invoked either once IPsec is loaded on a cached request, or
2546  * when a request is received while IPsec is loaded.
2547  */
2548 static int
2549 spdsock_do_updatealg(spd_ext_t *extv[], spd_stack_t *spds)
2550 {
2551 	struct spd_ext_actions *actp;
2552 	struct spd_attribute *attr, *endattr;
2553 	uint64_t *start, *end;
2554 	ipsec_alginfo_t *alg = NULL;
2555 	ipsec_algtype_t alg_type = 0;
2556 	boolean_t skip_alg = B_TRUE, doing_proto = B_FALSE;
2557 	uint_t i, cur_key, cur_block, algid;
2558 	int diag = -1;
2559 
2560 	ASSERT(MUTEX_HELD(&spds->spds_alg_lock));
2561 
2562 	/* parse the message, building the list of algorithms */
2563 
2564 	actp = (struct spd_ext_actions *)extv[SPD_EXT_ACTION];
2565 	if (actp == NULL)
2566 		return (SPD_DIAGNOSTIC_NO_ACTION_EXT);
2567 
2568 	start = (uint64_t *)actp;
2569 	end = (start + actp->spd_actions_len);
2570 	endattr = (struct spd_attribute *)end;
2571 	attr = (struct spd_attribute *)&actp[1];
2572 
2573 	bzero(spds->spds_algs, IPSEC_NALGTYPES * IPSEC_MAX_ALGS *
2574 	    sizeof (ipsec_alginfo_t *));
2575 
2576 	alg = kmem_zalloc(sizeof (*alg), KM_SLEEP);
2577 
2578 #define	ALG_KEY_SIZES(a)   (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t))
2579 #define	ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t))
2580 #define	ALG_PARAM_SIZES(a) (((a)->alg_nparams + 1) * sizeof (uint16_t))
2581 
2582 	while (attr < endattr) {
2583 		switch (attr->spd_attr_tag) {
2584 		case SPD_ATTR_NOP:
2585 		case SPD_ATTR_EMPTY:
2586 			break;
2587 		case SPD_ATTR_END:
2588 			attr = endattr;
2589 			/* FALLTHRU */
2590 		case SPD_ATTR_NEXT:
2591 			if (doing_proto) {
2592 				doing_proto = B_FALSE;
2593 				break;
2594 			}
2595 			if (skip_alg) {
2596 				ipsec_alg_free(alg);
2597 			} else {
2598 				ipsec_alg_free(
2599 				    spds->spds_algs[alg_type][alg->alg_id]);
2600 				spds->spds_algs[alg_type][alg->alg_id] =
2601 				    alg;
2602 			}
2603 			alg = kmem_zalloc(sizeof (*alg), KM_SLEEP);
2604 			break;
2605 
2606 		case SPD_ATTR_ALG_ID:
2607 			if (attr->spd_attr_value >= IPSEC_MAX_ALGS) {
2608 				ss1dbg(spds, ("spdsock_do_updatealg: "
2609 				    "invalid alg id %d\n",
2610 				    attr->spd_attr_value));
2611 				diag = SPD_DIAGNOSTIC_ALG_ID_RANGE;
2612 				goto bail;
2613 			}
2614 			alg->alg_id = attr->spd_attr_value;
2615 			break;
2616 
2617 		case SPD_ATTR_ALG_PROTO:
2618 			/* find the alg type */
2619 			for (i = 0; i < NALGPROTOS; i++)
2620 				if (algproto[i] == attr->spd_attr_value)
2621 					break;
2622 			skip_alg = (i == NALGPROTOS);
2623 			if (!skip_alg)
2624 				alg_type = i;
2625 			break;
2626 
2627 		case SPD_ATTR_ALG_INCRBITS:
2628 			alg->alg_increment = attr->spd_attr_value;
2629 			break;
2630 
2631 		case SPD_ATTR_ALG_NKEYSIZES:
2632 			if (alg->alg_key_sizes != NULL) {
2633 				kmem_free(alg->alg_key_sizes,
2634 				    ALG_KEY_SIZES(alg));
2635 			}
2636 			alg->alg_nkey_sizes = attr->spd_attr_value;
2637 			/*
2638 			 * Allocate room for the trailing zero key size
2639 			 * value as well.
2640 			 */
2641 			alg->alg_key_sizes = kmem_zalloc(ALG_KEY_SIZES(alg),
2642 			    KM_SLEEP);
2643 			cur_key = 0;
2644 			break;
2645 
2646 		case SPD_ATTR_ALG_KEYSIZE:
2647 			if (alg->alg_key_sizes == NULL ||
2648 			    cur_key >= alg->alg_nkey_sizes) {
2649 				ss1dbg(spds, ("spdsock_do_updatealg: "
2650 				    "too many key sizes\n"));
2651 				diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES;
2652 				goto bail;
2653 			}
2654 			alg->alg_key_sizes[cur_key++] = attr->spd_attr_value;
2655 			break;
2656 
2657 		case SPD_ATTR_ALG_FLAGS:
2658 			/*
2659 			 * Flags (bit mask). The alg_flags element of
2660 			 * ipsecalg_flags_t is only 8 bits wide. The
2661 			 * user can set the VALID bit, but we will ignore it
2662 			 * and make the decision is the algorithm is valid.
2663 			 */
2664 			alg->alg_flags |= (uint8_t)attr->spd_attr_value;
2665 			break;
2666 
2667 		case SPD_ATTR_ALG_NBLOCKSIZES:
2668 			if (alg->alg_block_sizes != NULL) {
2669 				kmem_free(alg->alg_block_sizes,
2670 				    ALG_BLOCK_SIZES(alg));
2671 			}
2672 			alg->alg_nblock_sizes = attr->spd_attr_value;
2673 			/*
2674 			 * Allocate room for the trailing zero block size
2675 			 * value as well.
2676 			 */
2677 			alg->alg_block_sizes = kmem_zalloc(ALG_BLOCK_SIZES(alg),
2678 			    KM_SLEEP);
2679 			cur_block = 0;
2680 			break;
2681 
2682 		case SPD_ATTR_ALG_BLOCKSIZE:
2683 			if (alg->alg_block_sizes == NULL ||
2684 			    cur_block >= alg->alg_nblock_sizes) {
2685 				ss1dbg(spds, ("spdsock_do_updatealg: "
2686 				    "too many block sizes\n"));
2687 				diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
2688 				goto bail;
2689 			}
2690 			alg->alg_block_sizes[cur_block++] =
2691 			    attr->spd_attr_value;
2692 			break;
2693 
2694 		case SPD_ATTR_ALG_NPARAMS:
2695 			if (alg->alg_params != NULL) {
2696 				kmem_free(alg->alg_params,
2697 				    ALG_PARAM_SIZES(alg));
2698 			}
2699 			alg->alg_nparams = attr->spd_attr_value;
2700 			/*
2701 			 * Allocate room for the trailing zero block size
2702 			 * value as well.
2703 			 */
2704 			alg->alg_params = kmem_zalloc(ALG_PARAM_SIZES(alg),
2705 			    KM_SLEEP);
2706 			cur_block = 0;
2707 			break;
2708 
2709 		case SPD_ATTR_ALG_PARAMS:
2710 			if (alg->alg_params == NULL ||
2711 			    cur_block >= alg->alg_nparams) {
2712 				ss1dbg(spds, ("spdsock_do_updatealg: "
2713 				    "too many params\n"));
2714 				diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
2715 				goto bail;
2716 			}
2717 			/*
2718 			 * Array contains: iv_len, icv_len, salt_len
2719 			 * Any additional parameters are currently ignored.
2720 			 */
2721 			alg->alg_params[cur_block++] =
2722 			    attr->spd_attr_value;
2723 			break;
2724 
2725 		case SPD_ATTR_ALG_MECHNAME: {
2726 			char *mech_name;
2727 
2728 			if (attr->spd_attr_value > CRYPTO_MAX_MECH_NAME) {
2729 				ss1dbg(spds, ("spdsock_do_updatealg: "
2730 				    "mech name too long\n"));
2731 				diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN;
2732 				goto bail;
2733 			}
2734 			mech_name = (char *)(attr + 1);
2735 			bcopy(mech_name, alg->alg_mech_name,
2736 			    attr->spd_attr_value);
2737 			alg->alg_mech_name[CRYPTO_MAX_MECH_NAME-1] = '\0';
2738 			attr = (struct spd_attribute *)((char *)attr +
2739 			    attr->spd_attr_value);
2740 			break;
2741 		}
2742 
2743 		case SPD_ATTR_PROTO_ID:
2744 			doing_proto = B_TRUE;
2745 			for (i = 0; i < NALGPROTOS; i++) {
2746 				if (algproto[i] == attr->spd_attr_value) {
2747 					alg_type = i;
2748 					break;
2749 				}
2750 			}
2751 			break;
2752 
2753 		case SPD_ATTR_PROTO_EXEC_MODE:
2754 			if (!doing_proto)
2755 				break;
2756 			for (i = 0; i < NEXECMODES; i++) {
2757 				if (execmodes[i] == attr->spd_attr_value) {
2758 					spds->spds_algs_exec_mode[alg_type] = i;
2759 					break;
2760 				}
2761 			}
2762 			break;
2763 		}
2764 		attr++;
2765 	}
2766 
2767 #undef	ALG_KEY_SIZES
2768 #undef	ALG_BLOCK_SIZES
2769 #undef	ALG_PARAM_SIZES
2770 
2771 	/* update the algorithm tables */
2772 	spdsock_merge_algs(spds);
2773 bail:
2774 	/* cleanup */
2775 	ipsec_alg_free(alg);
2776 	for (alg_type = 0; alg_type < IPSEC_NALGTYPES; alg_type++)
2777 		for (algid = 0; algid < IPSEC_MAX_ALGS; algid++)
2778 		if (spds->spds_algs[alg_type][algid] != NULL)
2779 			ipsec_alg_free(spds->spds_algs[alg_type][algid]);
2780 	return (diag);
2781 }
2782 
2783 /*
2784  * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue
2785  * the request until IPsec loads. If IPsec is loaded, act on it
2786  * immediately.
2787  */
2788 
2789 static void
2790 spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[])
2791 {
2792 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
2793 	spd_stack_t	*spds = ss->spdsock_spds;
2794 	ipsec_stack_t	*ipss = spds->spds_netstack->netstack_ipsec;
2795 	uint32_t auditing = AU_AUDITING();
2796 
2797 	if (!ipsec_loaded(ipss)) {
2798 		/*
2799 		 * IPsec is not loaded, save request and return nicely,
2800 		 * the message will be processed once IPsec loads.
2801 		 */
2802 		mblk_t *new_mp;
2803 
2804 		/* last update message wins */
2805 		if ((new_mp = copymsg(mp)) == NULL) {
2806 			spdsock_error(q, mp, ENOMEM, 0);
2807 			return;
2808 		}
2809 		mutex_enter(&spds->spds_alg_lock);
2810 		bcopy(extv, spds->spds_extv_algs,
2811 		    sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1));
2812 		if (spds->spds_mp_algs != NULL)
2813 			freemsg(spds->spds_mp_algs);
2814 		spds->spds_mp_algs = mp;
2815 		mutex_exit(&spds->spds_alg_lock);
2816 		if (auditing) {
2817 			cred_t *cr;
2818 			pid_t cpid;
2819 
2820 			cr = msg_getcred(mp, &cpid);
2821 			audit_pf_policy(SPD_UPDATEALGS, cr,
2822 			    spds->spds_netstack, NULL, B_TRUE, EAGAIN,
2823 			    cpid);
2824 		}
2825 		spd_echo(q, new_mp);
2826 	} else {
2827 		/*
2828 		 * IPsec is loaded, act on the message immediately.
2829 		 */
2830 		int diag;
2831 
2832 		mutex_enter(&spds->spds_alg_lock);
2833 		diag = spdsock_do_updatealg(extv, spds);
2834 		if (diag == -1) {
2835 			/* Keep the lock held while we walk the SA tables. */
2836 			sadb_alg_update(IPSEC_ALG_ALL, 0, 0,
2837 			    spds->spds_netstack);
2838 			mutex_exit(&spds->spds_alg_lock);
2839 			spd_echo(q, mp);
2840 			if (auditing) {
2841 				cred_t *cr;
2842 				pid_t cpid;
2843 
2844 				cr = msg_getcred(mp, &cpid);
2845 				audit_pf_policy(SPD_UPDATEALGS, cr,
2846 				    spds->spds_netstack, NULL, B_TRUE, 0,
2847 				    cpid);
2848 			}
2849 		} else {
2850 			mutex_exit(&spds->spds_alg_lock);
2851 			spdsock_diag(q, mp, diag);
2852 			if (auditing) {
2853 				cred_t *cr;
2854 				pid_t cpid;
2855 
2856 				cr = msg_getcred(mp, &cpid);
2857 				audit_pf_policy(SPD_UPDATEALGS, cr,
2858 				    spds->spds_netstack, NULL, B_TRUE, diag,
2859 				    cpid);
2860 			}
2861 		}
2862 	}
2863 }
2864 
2865 /*
2866  * Find a tunnel instance (using the name to link ID mapping), and
2867  * update it after an IPsec change.  We need to do this always in case
2868  * we add policy AFTER plumbing a tunnel.  We also need to do this
2869  * because, as a side-effect, the tunnel's MTU is updated to reflect
2870  * any IPsec overhead in the itp's policy.
2871  */
2872 static void
2873 update_iptun_policy(ipsec_tun_pol_t *itp)
2874 {
2875 	datalink_id_t linkid;
2876 
2877 	if (dls_mgmt_get_linkid(itp->itp_name, &linkid) == 0)
2878 		iptun_set_policy(linkid, itp);
2879 }
2880 
2881 /*
2882  * Sort through the mess of polhead options to retrieve an appropriate one.
2883  * Returns NULL if we send an spdsock error.  Returns a valid pointer if we
2884  * found a valid polhead.  Returns ALL_ACTIVE_POLHEADS (aka. -1) or
2885  * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to
2886  * act on ALL policy heads.
2887  */
2888 static ipsec_policy_head_t *
2889 get_appropriate_polhead(queue_t *q, mblk_t *mp, spd_if_t *tunname, int spdid,
2890     int msgtype, ipsec_tun_pol_t **itpp)
2891 {
2892 	ipsec_tun_pol_t *itp;
2893 	ipsec_policy_head_t *iph;
2894 	int errno;
2895 	char *tname;
2896 	boolean_t active;
2897 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
2898 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
2899 	uint64_t gen;	/* Placeholder */
2900 
2901 	active = (spdid == SPD_ACTIVE);
2902 	*itpp = NULL;
2903 	if (!active && spdid != SPD_STANDBY) {
2904 		spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_SPDID);
2905 		return (NULL);
2906 	}
2907 
2908 	if (tunname != NULL) {
2909 		/* Acting on a tunnel's SPD. */
2910 		tname = (char *)tunname->spd_if_name;
2911 		if (*tname == '\0') {
2912 			/* Handle all-polhead cases here. */
2913 			if (msgtype != SPD_FLUSH && msgtype != SPD_DUMP) {
2914 				spdsock_diag(q, mp,
2915 				    SPD_DIAGNOSTIC_NOT_GLOBAL_OP);
2916 				return (NULL);
2917 			}
2918 			return (active ? ALL_ACTIVE_POLHEADS :
2919 			    ALL_INACTIVE_POLHEADS);
2920 		}
2921 
2922 		itp = get_tunnel_policy(tname, ns);
2923 		if (itp == NULL) {
2924 			if (msgtype != SPD_ADDRULE) {
2925 				/* "Tunnel not found" */
2926 				spdsock_error(q, mp, ENOENT, 0);
2927 				return (NULL);
2928 			}
2929 
2930 			errno = 0;
2931 			itp = create_tunnel_policy(tname, &errno, &gen, ns);
2932 			if (itp == NULL) {
2933 				/*
2934 				 * Something very bad happened, most likely
2935 				 * ENOMEM.  Return an indicator.
2936 				 */
2937 				spdsock_error(q, mp, errno, 0);
2938 				return (NULL);
2939 			}
2940 		}
2941 
2942 		/* Match up the itp to an iptun instance. */
2943 		update_iptun_policy(itp);
2944 
2945 		*itpp = itp;
2946 		/* For spdsock dump state, set the polhead's name. */
2947 		if (msgtype == SPD_DUMP) {
2948 			ITP_REFHOLD(itp);
2949 			ss->spdsock_itp = itp;
2950 			ss->spdsock_dump_tunnel = itp->itp_flags &
2951 			    (active ? ITPF_P_TUNNEL : ITPF_I_TUNNEL);
2952 		}
2953 	} else {
2954 		itp = NULL;
2955 		/* For spdsock dump state, indicate it's global policy. */
2956 		if (msgtype == SPD_DUMP)
2957 			ss->spdsock_itp = NULL;
2958 	}
2959 
2960 	if (active)
2961 		iph = (itp == NULL) ? ipsec_system_policy(ns) : itp->itp_policy;
2962 	else
2963 		iph = (itp == NULL) ? ipsec_inactive_policy(ns) :
2964 		    itp->itp_inactive;
2965 
2966 	ASSERT(iph != NULL);
2967 	if (itp != NULL) {
2968 		IPPH_REFHOLD(iph);
2969 	}
2970 
2971 	return (iph);
2972 }
2973 
2974 static void
2975 spdsock_parse(queue_t *q, mblk_t *mp)
2976 {
2977 	spd_msg_t *spmsg;
2978 	spd_ext_t *extv[SPD_EXT_MAX + 1];
2979 	uint_t msgsize;
2980 	ipsec_policy_head_t *iph;
2981 	ipsec_tun_pol_t *itp;
2982 	spd_if_t *tunname;
2983 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
2984 	spd_stack_t *spds = ss->spdsock_spds;
2985 	netstack_t *ns = spds->spds_netstack;
2986 	ipsec_stack_t *ipss = ns->netstack_ipsec;
2987 
2988 	/* Make sure nothing's below me. */
2989 	ASSERT(WR(q)->q_next == NULL);
2990 
2991 	spmsg = (spd_msg_t *)mp->b_rptr;
2992 
2993 	msgsize = SPD_64TO8(spmsg->spd_msg_len);
2994 
2995 	if (msgdsize(mp) != msgsize) {
2996 		/*
2997 		 * Message len incorrect w.r.t. actual size.  Send an error
2998 		 * (EMSGSIZE).	It may be necessary to massage things a
2999 		 * bit.	 For example, if the spd_msg_type is hosed,
3000 		 * I need to set it to SPD_RESERVED to get delivery to
3001 		 * do the right thing.	Then again, maybe just letting
3002 		 * the error delivery do the right thing.
3003 		 */
3004 		ss2dbg(spds,
3005 		    ("mblk (%lu) and base (%d) message sizes don't jibe.\n",
3006 		    msgdsize(mp), msgsize));
3007 		spdsock_error(q, mp, EMSGSIZE, SPD_DIAGNOSTIC_NONE);
3008 		return;
3009 	}
3010 
3011 	if (msgsize > (uint_t)(mp->b_wptr - mp->b_rptr)) {
3012 		/* Get all message into one mblk. */
3013 		if (pullupmsg(mp, -1) == 0) {
3014 			/*
3015 			 * Something screwy happened.
3016 			 */
3017 			ss3dbg(spds, ("spdsock_parse: pullupmsg() failed.\n"));
3018 			return;
3019 		} else {
3020 			spmsg = (spd_msg_t *)mp->b_rptr;
3021 		}
3022 	}
3023 
3024 	switch (spdsock_get_ext(extv, spmsg, msgsize)) {
3025 	case KGE_DUP:
3026 		/* Handle duplicate extension. */
3027 		ss1dbg(spds, ("Got duplicate extension of type %d.\n",
3028 		    extv[0]->spd_ext_type));
3029 		spdsock_diag(q, mp, dup_ext_diag[extv[0]->spd_ext_type]);
3030 		return;
3031 	case KGE_UNK:
3032 		/* Handle unknown extension. */
3033 		ss1dbg(spds, ("Got unknown extension of type %d.\n",
3034 		    extv[0]->spd_ext_type));
3035 		spdsock_diag(q, mp, SPD_DIAGNOSTIC_UNKNOWN_EXT);
3036 		return;
3037 	case KGE_LEN:
3038 		/* Length error. */
3039 		ss1dbg(spds, ("Length %d on extension type %d overrun or 0.\n",
3040 		    extv[0]->spd_ext_len, extv[0]->spd_ext_type));
3041 		spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_EXTLEN);
3042 		return;
3043 	case KGE_CHK:
3044 		/* Reality check failed. */
3045 		ss1dbg(spds, ("Reality check failed on extension type %d.\n",
3046 		    extv[0]->spd_ext_type));
3047 		spdsock_diag(q, mp, bad_ext_diag[extv[0]->spd_ext_type]);
3048 		return;
3049 	default:
3050 		/* Default case is no errors. */
3051 		break;
3052 	}
3053 
3054 	/*
3055 	 * Special-case SPD_UPDATEALGS so as not to load IPsec.
3056 	 */
3057 	if (!ipsec_loaded(ipss) && spmsg->spd_msg_type != SPD_UPDATEALGS) {
3058 		spdsock_t *ss = (spdsock_t *)q->q_ptr;
3059 
3060 		ASSERT(ss != NULL);
3061 		ipsec_loader_loadnow(ipss);
3062 		ss->spdsock_timeout_arg = mp;
3063 		ss->spdsock_timeout = qtimeout(q, spdsock_loadcheck,
3064 		    q, LOADCHECK_INTERVAL);
3065 		return;
3066 	}
3067 
3068 	/* First check for messages that need no polheads at all. */
3069 	switch (spmsg->spd_msg_type) {
3070 	case SPD_UPDATEALGS:
3071 		spdsock_updatealg(q, mp, extv);
3072 		return;
3073 	case SPD_ALGLIST:
3074 		spdsock_alglist(q, mp);
3075 		return;
3076 	case SPD_DUMPALGS:
3077 		spdsock_dumpalgs(q, mp);
3078 		return;
3079 	}
3080 
3081 	/*
3082 	 * Then check for ones that need both primary/secondary polheads,
3083 	 * finding the appropriate tunnel policy if need be.
3084 	 */
3085 	tunname = (spd_if_t *)extv[SPD_EXT_TUN_NAME];
3086 	switch (spmsg->spd_msg_type) {
3087 	case SPD_FLIP:
3088 		spdsock_flip(q, mp, tunname);
3089 		return;
3090 	case SPD_CLONE:
3091 		spdsock_clone(q, mp, tunname);
3092 		return;
3093 	}
3094 
3095 	/*
3096 	 * Finally, find ones that operate on exactly one polhead, or
3097 	 * "all polheads" of a given type (active/inactive).
3098 	 */
3099 	iph = get_appropriate_polhead(q, mp, tunname, spmsg->spd_msg_spdid,
3100 	    spmsg->spd_msg_type, &itp);
3101 	if (iph == NULL)
3102 		return;
3103 
3104 	/* All-polheads-ready operations. */
3105 	switch (spmsg->spd_msg_type) {
3106 	case SPD_FLUSH:
3107 		if (itp != NULL) {
3108 			mutex_enter(&itp->itp_lock);
3109 			if (spmsg->spd_msg_spdid == SPD_ACTIVE)
3110 				itp->itp_flags &= ~ITPF_PFLAGS;
3111 			else
3112 				itp->itp_flags &= ~ITPF_IFLAGS;
3113 			mutex_exit(&itp->itp_lock);
3114 		}
3115 
3116 		spdsock_flush(q, iph, itp, mp);
3117 
3118 		if (itp != NULL) {
3119 			/* SPD_FLUSH is worth a tunnel MTU check. */
3120 			update_iptun_policy(itp);
3121 			ITP_REFRELE(itp, ns);
3122 		}
3123 		return;
3124 	case SPD_DUMP:
3125 		if (itp != NULL)
3126 			ITP_REFRELE(itp, ns);
3127 		spdsock_dump(q, iph, mp);
3128 		return;
3129 	}
3130 
3131 	if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) {
3132 		spdsock_diag(q, mp, SPD_DIAGNOSTIC_NOT_GLOBAL_OP);
3133 		return;
3134 	}
3135 
3136 	/* Single-polhead-only operations. */
3137 	switch (spmsg->spd_msg_type) {
3138 	case SPD_ADDRULE:
3139 		spdsock_addrule(q, iph, mp, extv, itp);
3140 		break;
3141 	case SPD_DELETERULE:
3142 		spdsock_deleterule(q, iph, mp, extv, itp);
3143 		break;
3144 	case SPD_LOOKUP:
3145 		spdsock_lookup(q, iph, mp, extv, itp);
3146 		break;
3147 	default:
3148 		spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_MSG_TYPE);
3149 		break;
3150 	}
3151 
3152 	IPPH_REFRELE(iph, ns);
3153 	if (itp != NULL) {
3154 		/* SPD_{ADD,DELETE}RULE are worth a tunnel MTU check. */
3155 		if (spmsg->spd_msg_type == SPD_ADDRULE ||
3156 		    spmsg->spd_msg_type == SPD_DELETERULE)
3157 			update_iptun_policy(itp);
3158 		ITP_REFRELE(itp, ns);
3159 	}
3160 }
3161 
3162 /*
3163  * If an algorithm mapping was received before IPsec was loaded, process it.
3164  * Called from the IPsec loader.
3165  */
3166 void
3167 spdsock_update_pending_algs(netstack_t *ns)
3168 {
3169 	spd_stack_t *spds = ns->netstack_spdsock;
3170 
3171 	mutex_enter(&spds->spds_alg_lock);
3172 	if (spds->spds_mp_algs != NULL) {
3173 		(void) spdsock_do_updatealg(spds->spds_extv_algs, spds);
3174 		freemsg(spds->spds_mp_algs);
3175 		spds->spds_mp_algs = NULL;
3176 	}
3177 	mutex_exit(&spds->spds_alg_lock);
3178 }
3179 
3180 static void
3181 spdsock_loadcheck(void *arg)
3182 {
3183 	queue_t *q = (queue_t *)arg;
3184 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
3185 	mblk_t *mp;
3186 	ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
3187 
3188 	ASSERT(ss != NULL);
3189 
3190 	ss->spdsock_timeout = 0;
3191 	mp = ss->spdsock_timeout_arg;
3192 	ASSERT(mp != NULL);
3193 	ss->spdsock_timeout_arg = NULL;
3194 	if (ipsec_failed(ipss))
3195 		spdsock_error(q, mp, EPROTONOSUPPORT, 0);
3196 	else
3197 		spdsock_parse(q, mp);
3198 }
3199 
3200 /*
3201  * Copy relevant state bits.
3202  */
3203 static void
3204 spdsock_copy_info(struct T_info_ack *tap, spdsock_t *ss)
3205 {
3206 	*tap = spdsock_g_t_info_ack;
3207 	tap->CURRENT_state = ss->spdsock_state;
3208 	tap->OPT_size = spdsock_max_optsize;
3209 }
3210 
3211 /*
3212  * This routine responds to T_CAPABILITY_REQ messages.  It is called by
3213  * spdsock_wput.  Much of the T_CAPABILITY_ACK information is copied from
3214  * spdsock_g_t_info_ack.  The current state of the stream is copied from
3215  * spdsock_state.
3216  */
3217 static void
3218 spdsock_capability_req(queue_t *q, mblk_t *mp)
3219 {
3220 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
3221 	t_uscalar_t cap_bits1;
3222 	struct T_capability_ack	*tcap;
3223 
3224 	cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1;
3225 
3226 	mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack),
3227 	    mp->b_datap->db_type, T_CAPABILITY_ACK);
3228 	if (mp == NULL)
3229 		return;
3230 
3231 	tcap = (struct T_capability_ack *)mp->b_rptr;
3232 	tcap->CAP_bits1 = 0;
3233 
3234 	if (cap_bits1 & TC1_INFO) {
3235 		spdsock_copy_info(&tcap->INFO_ack, ss);
3236 		tcap->CAP_bits1 |= TC1_INFO;
3237 	}
3238 
3239 	qreply(q, mp);
3240 }
3241 
3242 /*
3243  * This routine responds to T_INFO_REQ messages. It is called by
3244  * spdsock_wput_other.
3245  * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack.
3246  * The current state of the stream is copied from spdsock_state.
3247  */
3248 static void
3249 spdsock_info_req(
3250     queue_t	*q,
3251     mblk_t	*mp)
3252 {
3253 	mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO,
3254 	    T_INFO_ACK);
3255 	if (mp == NULL)
3256 		return;
3257 	spdsock_copy_info((struct T_info_ack *)mp->b_rptr,
3258 	    (spdsock_t *)q->q_ptr);
3259 	qreply(q, mp);
3260 }
3261 
3262 /*
3263  * spdsock_err_ack. This routine creates a
3264  * T_ERROR_ACK message and passes it
3265  * upstream.
3266  */
3267 static void
3268 spdsock_err_ack(
3269     queue_t	*q,
3270     mblk_t	*mp,
3271     int	t_error,
3272     int	sys_error)
3273 {
3274 	if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL)
3275 		qreply(q, mp);
3276 }
3277 
3278 /*
3279  * This routine retrieves the current status of socket options.
3280  * It returns the size of the option retrieved.
3281  */
3282 /* ARGSUSED */
3283 int
3284 spdsock_opt_get(queue_t *q, int level, int name, uchar_t *ptr)
3285 {
3286 	int *i1 = (int *)ptr;
3287 
3288 	switch (level) {
3289 	case SOL_SOCKET:
3290 		switch (name) {
3291 		case SO_TYPE:
3292 			*i1 = SOCK_RAW;
3293 			break;
3294 		/*
3295 		 * The following two items can be manipulated,
3296 		 * but changing them should do nothing.
3297 		 */
3298 		case SO_SNDBUF:
3299 			*i1 = (int)q->q_hiwat;
3300 			break;
3301 		case SO_RCVBUF:
3302 			*i1 = (int)(RD(q)->q_hiwat);
3303 			break;
3304 		}
3305 		break;
3306 	default:
3307 		return (0);
3308 	}
3309 	return (sizeof (int));
3310 }
3311 
3312 /*
3313  * This routine sets socket options.
3314  */
3315 /* ARGSUSED */
3316 int
3317 spdsock_opt_set(queue_t *q, uint_t mgmt_flags, int level, int name,
3318     uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
3319     void *thisdg_attrs, cred_t *cr)
3320 {
3321 	int *i1 = (int *)invalp;
3322 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
3323 	spd_stack_t	*spds = ss->spdsock_spds;
3324 
3325 	switch (level) {
3326 	case SOL_SOCKET:
3327 		switch (name) {
3328 		case SO_SNDBUF:
3329 			if (*i1 > spds->spds_max_buf)
3330 				return (ENOBUFS);
3331 			q->q_hiwat = *i1;
3332 			break;
3333 		case SO_RCVBUF:
3334 			if (*i1 > spds->spds_max_buf)
3335 				return (ENOBUFS);
3336 			RD(q)->q_hiwat = *i1;
3337 			(void) proto_set_rx_hiwat(RD(q), NULL, *i1);
3338 			break;
3339 		}
3340 		break;
3341 	}
3342 	return (0);
3343 }
3344 
3345 
3346 /*
3347  * Handle STREAMS messages.
3348  */
3349 static void
3350 spdsock_wput_other(queue_t *q, mblk_t *mp)
3351 {
3352 	struct iocblk *iocp;
3353 	int error;
3354 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
3355 	spd_stack_t	*spds = ss->spdsock_spds;
3356 	cred_t		*cr;
3357 
3358 	switch (mp->b_datap->db_type) {
3359 	case M_PROTO:
3360 	case M_PCPROTO:
3361 		if ((mp->b_wptr - mp->b_rptr) < sizeof (long)) {
3362 			ss3dbg(spds, (
3363 			    "spdsock_wput_other: Not big enough M_PROTO\n"));
3364 			freemsg(mp);
3365 			return;
3366 		}
3367 		switch (((union T_primitives *)mp->b_rptr)->type) {
3368 		case T_CAPABILITY_REQ:
3369 			spdsock_capability_req(q, mp);
3370 			break;
3371 		case T_INFO_REQ:
3372 			spdsock_info_req(q, mp);
3373 			break;
3374 		case T_SVR4_OPTMGMT_REQ:
3375 		case T_OPTMGMT_REQ:
3376 			/*
3377 			 * All Solaris components should pass a db_credp
3378 			 * for this TPI message, hence we ASSERT.
3379 			 * But in case there is some other M_PROTO that looks
3380 			 * like a TPI message sent by some other kernel
3381 			 * component, we check and return an error.
3382 			 */
3383 			cr = msg_getcred(mp, NULL);
3384 			ASSERT(cr != NULL);
3385 			if (cr == NULL) {
3386 				spdsock_err_ack(q, mp, TSYSERR, EINVAL);
3387 				return;
3388 			}
3389 			if (((union T_primitives *)mp->b_rptr)->type ==
3390 			    T_SVR4_OPTMGMT_REQ) {
3391 				svr4_optcom_req(q, mp, cr, &spdsock_opt_obj);
3392 			} else {
3393 				tpi_optcom_req(q, mp, cr, &spdsock_opt_obj);
3394 			}
3395 			break;
3396 		case T_DATA_REQ:
3397 		case T_EXDATA_REQ:
3398 		case T_ORDREL_REQ:
3399 			/* Illegal for spdsock. */
3400 			freemsg(mp);
3401 			(void) putnextctl1(RD(q), M_ERROR, EPROTO);
3402 			break;
3403 		default:
3404 			/* Not supported by spdsock. */
3405 			spdsock_err_ack(q, mp, TNOTSUPPORT, 0);
3406 			break;
3407 		}
3408 		return;
3409 	case M_IOCDATA:
3410 		keysock_spdsock_wput_iocdata(q, mp, PF_POLICY);
3411 		return;
3412 	case M_IOCTL:
3413 		iocp = (struct iocblk *)mp->b_rptr;
3414 		error = EINVAL;
3415 
3416 		switch (iocp->ioc_cmd) {
3417 		case TI_GETMYNAME:
3418 		case TI_GETPEERNAME:
3419 			/*
3420 			 * For pfiles(1) observability with getsockname().
3421 			 * See keysock_spdsock_wput_iocdata() for the rest of
3422 			 * this.
3423 			 */
3424 			mi_copyin(q, mp, NULL,
3425 			    SIZEOF_STRUCT(strbuf, iocp->ioc_flag));
3426 			return;
3427 		case ND_SET:
3428 		case ND_GET:
3429 			if (nd_getset(q, spds->spds_g_nd, mp)) {
3430 				qreply(q, mp);
3431 				return;
3432 			} else
3433 				error = ENOENT;
3434 			/* FALLTHRU */
3435 		default:
3436 			miocnak(q, mp, 0, error);
3437 			return;
3438 		}
3439 	case M_FLUSH:
3440 		if (*mp->b_rptr & FLUSHW) {
3441 			flushq(q, FLUSHALL);
3442 			*mp->b_rptr &= ~FLUSHW;
3443 		}
3444 		if (*mp->b_rptr & FLUSHR) {
3445 			qreply(q, mp);
3446 			return;
3447 		}
3448 		/* Else FALLTHRU */
3449 	}
3450 
3451 	/* If fell through, just black-hole the message. */
3452 	freemsg(mp);
3453 }
3454 
3455 static int
3456 spdsock_wput(queue_t *q, mblk_t *mp)
3457 {
3458 	uint8_t *rptr = mp->b_rptr;
3459 	mblk_t *mp1;
3460 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
3461 	spd_stack_t	*spds = ss->spdsock_spds;
3462 
3463 	/*
3464 	 * If we're dumping, defer processing other messages until the
3465 	 * dump completes.
3466 	 */
3467 	if (ss->spdsock_dump_req != NULL) {
3468 		if (!putq(q, mp))
3469 			freemsg(mp);
3470 		return (0);
3471 	}
3472 
3473 	switch (mp->b_datap->db_type) {
3474 	case M_DATA:
3475 		/*
3476 		 * Silently discard.
3477 		 */
3478 		ss2dbg(spds, ("raw M_DATA in spdsock.\n"));
3479 		freemsg(mp);
3480 		return (0);
3481 	case M_PROTO:
3482 	case M_PCPROTO:
3483 		if ((mp->b_wptr - rptr) >= sizeof (struct T_data_req)) {
3484 			if (((union T_primitives *)rptr)->type == T_DATA_REQ) {
3485 				if ((mp1 = mp->b_cont) == NULL) {
3486 					/* No data after T_DATA_REQ. */
3487 					ss2dbg(spds,
3488 					    ("No data after DATA_REQ.\n"));
3489 					freemsg(mp);
3490 					return (0);
3491 				}
3492 				freeb(mp);
3493 				mp = mp1;
3494 				ss2dbg(spds, ("T_DATA_REQ\n"));
3495 				break;	/* Out of switch. */
3496 			}
3497 		}
3498 		/* FALLTHRU */
3499 	default:
3500 		ss3dbg(spds, ("In default wput case (%d %d).\n",
3501 		    mp->b_datap->db_type, ((union T_primitives *)rptr)->type));
3502 		spdsock_wput_other(q, mp);
3503 		return (0);
3504 	}
3505 
3506 	/* I now have a PF_POLICY message in an M_DATA block. */
3507 	spdsock_parse(q, mp);
3508 	return (0);
3509 }
3510 
3511 /*
3512  * Device open procedure, called when new queue pair created.
3513  * We are passed the read-side queue.
3514  */
3515 /* ARGSUSED */
3516 static int
3517 spdsock_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
3518 {
3519 	spdsock_t *ss;
3520 	queue_t *oq = OTHERQ(q);
3521 	minor_t ssminor;
3522 	netstack_t *ns;
3523 	spd_stack_t *spds;
3524 
3525 	if (secpolicy_ip_config(credp, B_FALSE) != 0)
3526 		return (EPERM);
3527 
3528 	if (q->q_ptr != NULL)
3529 		return (0);  /* Re-open of an already open instance. */
3530 
3531 	if (sflag & MODOPEN)
3532 		return (EINVAL);
3533 
3534 	ns = netstack_find_by_cred(credp);
3535 	ASSERT(ns != NULL);
3536 	spds = ns->netstack_spdsock;
3537 	ASSERT(spds != NULL);
3538 
3539 	ss2dbg(spds, ("Made it into PF_POLICY socket open.\n"));
3540 
3541 	ssminor = (minor_t)(uintptr_t)vmem_alloc(spdsock_vmem, 1, VM_NOSLEEP);
3542 	if (ssminor == 0) {
3543 		netstack_rele(spds->spds_netstack);
3544 		return (ENOMEM);
3545 	}
3546 	ss = kmem_zalloc(sizeof (spdsock_t), KM_NOSLEEP);
3547 	if (ss == NULL) {
3548 		vmem_free(spdsock_vmem, (void *)(uintptr_t)ssminor, 1);
3549 		netstack_rele(spds->spds_netstack);
3550 		return (ENOMEM);
3551 	}
3552 
3553 	ss->spdsock_minor = ssminor;
3554 	ss->spdsock_state = TS_UNBND;
3555 	ss->spdsock_dump_req = NULL;
3556 
3557 	ss->spdsock_spds = spds;
3558 
3559 	q->q_ptr = ss;
3560 	oq->q_ptr = ss;
3561 
3562 	q->q_hiwat = spds->spds_recv_hiwat;
3563 
3564 	oq->q_hiwat = spds->spds_xmit_hiwat;
3565 	oq->q_lowat = spds->spds_xmit_lowat;
3566 
3567 	qprocson(q);
3568 	(void) proto_set_rx_hiwat(q, NULL, spds->spds_recv_hiwat);
3569 
3570 	*devp = makedevice(getmajor(*devp), ss->spdsock_minor);
3571 	return (0);
3572 }
3573 
3574 /*
3575  * Read-side service procedure, invoked when we get back-enabled
3576  * when buffer space becomes available.
3577  *
3578  * Dump another chunk if we were dumping before; when we finish, kick
3579  * the write-side queue in case it's waiting for read queue space.
3580  */
3581 int
3582 spdsock_rsrv(queue_t *q)
3583 {
3584 	spdsock_t *ss = q->q_ptr;
3585 
3586 	if (ss->spdsock_dump_req != NULL)
3587 		spdsock_dump_some(q, ss);
3588 
3589 	if (ss->spdsock_dump_req == NULL)
3590 		qenable(OTHERQ(q));
3591 	return (0);
3592 }
3593 
3594 /*
3595  * Write-side service procedure, invoked when we defer processing
3596  * if another message is received while a dump is in progress.
3597  */
3598 int
3599 spdsock_wsrv(queue_t *q)
3600 {
3601 	spdsock_t *ss = q->q_ptr;
3602 	mblk_t *mp;
3603 	ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
3604 
3605 	if (ss->spdsock_dump_req != NULL) {
3606 		qenable(OTHERQ(q));
3607 		return (0);
3608 	}
3609 
3610 	while ((mp = getq(q)) != NULL) {
3611 		if (ipsec_loaded(ipss)) {
3612 			(void) spdsock_wput(q, mp);
3613 			if (ss->spdsock_dump_req != NULL)
3614 				return (0);
3615 		} else if (!ipsec_failed(ipss)) {
3616 			(void) putq(q, mp);
3617 		} else {
3618 			spdsock_error(q, mp, EPFNOSUPPORT, 0);
3619 		}
3620 	}
3621 	return (0);
3622 }
3623 
3624 /* ARGSUSED */
3625 static int
3626 spdsock_close(queue_t *q, int flags __unused, cred_t *credp __unused)
3627 {
3628 	spdsock_t *ss = q->q_ptr;
3629 	spd_stack_t	*spds = ss->spdsock_spds;
3630 
3631 	qprocsoff(q);
3632 
3633 	/* Safe assumption. */
3634 	ASSERT(ss != NULL);
3635 
3636 	if (ss->spdsock_timeout != 0)
3637 		(void) quntimeout(q, ss->spdsock_timeout);
3638 
3639 	ss3dbg(spds, ("Driver close, PF_POLICY socket is going away.\n"));
3640 
3641 	vmem_free(spdsock_vmem, (void *)(uintptr_t)ss->spdsock_minor, 1);
3642 	netstack_rele(ss->spdsock_spds->spds_netstack);
3643 
3644 	kmem_free(ss, sizeof (spdsock_t));
3645 	return (0);
3646 }
3647 
3648 /*
3649  * Merge the IPsec algorithms tables with the received algorithm information.
3650  */
3651 void
3652 spdsock_merge_algs(spd_stack_t *spds)
3653 {
3654 	ipsec_alginfo_t *alg, *oalg;
3655 	ipsec_algtype_t algtype;
3656 	uint_t algidx, algid, nalgs;
3657 	crypto_mech_name_t *mechs;
3658 	uint_t mech_count, mech_idx;
3659 	netstack_t	*ns = spds->spds_netstack;
3660 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
3661 
3662 	ASSERT(MUTEX_HELD(&spds->spds_alg_lock));
3663 
3664 	/*
3665 	 * Get the list of supported mechanisms from the crypto framework.
3666 	 * If a mechanism is supported by KCF, resolve its mechanism
3667 	 * id and mark it as being valid. This operation must be done
3668 	 * without holding alg_lock, since it can cause a provider
3669 	 * module to be loaded and the provider notification callback to
3670 	 * be invoked.
3671 	 */
3672 	mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
3673 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3674 		for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) {
3675 			int algflags = 0;
3676 			crypto_mech_type_t mt = CRYPTO_MECHANISM_INVALID;
3677 
3678 			alg = spds->spds_algs[algtype][algid];
3679 			if (alg == NULL)
3680 				continue;
3681 
3682 			/*
3683 			 * The NULL encryption algorithm is a special
3684 			 * case because there are no mechanisms, yet
3685 			 * the algorithm is still valid.
3686 			 */
3687 			if (alg->alg_id == SADB_EALG_NULL) {
3688 				alg->alg_mech_type = CRYPTO_MECHANISM_INVALID;
3689 				alg->alg_flags |= ALG_FLAG_VALID;
3690 				continue;
3691 			}
3692 
3693 			for (mech_idx = 0; mech_idx < mech_count; mech_idx++) {
3694 				if (strncmp(alg->alg_mech_name, mechs[mech_idx],
3695 				    CRYPTO_MAX_MECH_NAME) == 0) {
3696 					mt = crypto_mech2id(alg->alg_mech_name);
3697 					ASSERT(mt != CRYPTO_MECHANISM_INVALID);
3698 					algflags = ALG_FLAG_VALID;
3699 					break;
3700 				}
3701 			}
3702 			alg->alg_mech_type = mt;
3703 			alg->alg_flags |= algflags;
3704 		}
3705 	}
3706 
3707 	rw_enter(&ipss->ipsec_alg_lock, RW_WRITER);
3708 
3709 	/*
3710 	 * For each algorithm currently defined, check if it is
3711 	 * present in the new tables created from the SPD_UPDATEALGS
3712 	 * message received from user-space.
3713 	 * Delete the algorithm entries that are currently defined
3714 	 * but not part of the new tables.
3715 	 */
3716 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3717 		nalgs = ipss->ipsec_nalgs[algtype];
3718 		for (algidx = 0; algidx < nalgs; algidx++) {
3719 			algid = ipss->ipsec_sortlist[algtype][algidx];
3720 			if (spds->spds_algs[algtype][algid] == NULL)
3721 				ipsec_alg_unreg(algtype, algid, ns);
3722 		}
3723 	}
3724 
3725 	/*
3726 	 * For each algorithm we just received, check if it is
3727 	 * present in the currently defined tables. If it is, swap
3728 	 * the entry with the one we just allocated.
3729 	 * If the new algorithm is not in the current tables,
3730 	 * add it.
3731 	 */
3732 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3733 		for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) {
3734 			alg = spds->spds_algs[algtype][algid];
3735 			if (alg == NULL)
3736 				continue;
3737 
3738 			if ((oalg = ipss->ipsec_alglists[algtype][algid]) ==
3739 			    NULL) {
3740 				/*
3741 				 * New algorithm, add it to the algorithm
3742 				 * table.
3743 				 */
3744 				ipsec_alg_reg(algtype, alg, ns);
3745 			} else {
3746 				/*
3747 				 * Algorithm is already in the table. Swap
3748 				 * the existing entry with the new one.
3749 				 */
3750 				ipsec_alg_fix_min_max(alg, algtype, ns);
3751 				ipss->ipsec_alglists[algtype][algid] = alg;
3752 				ipsec_alg_free(oalg);
3753 			}
3754 			spds->spds_algs[algtype][algid] = NULL;
3755 		}
3756 	}
3757 
3758 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3759 		ipss->ipsec_algs_exec_mode[algtype] =
3760 		    spds->spds_algs_exec_mode[algtype];
3761 	}
3762 
3763 	rw_exit(&ipss->ipsec_alg_lock);
3764 
3765 	crypto_free_mech_list(mechs, mech_count);
3766 
3767 	ipsecah_algs_changed(ns);
3768 	ipsecesp_algs_changed(ns);
3769 }
3770