xref: /titanic_44/usr/src/uts/common/inet/ip/spd.c (revision 30f5cf21f0e4186919b67ac48223d09ca110f8fe)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 /*
30  * IPsec Security Policy Database.
31  *
32  * This module maintains the SPD and provides routines used by ip and ip6
33  * to apply IPsec policy to inbound and outbound datagrams.
34  *
35  * XXX TODO LIST
36  * Inbound policy:
37  * Put policy failure logging back in here (as policy action flag bit)
38  */
39 
40 #include <sys/types.h>
41 #include <sys/stream.h>
42 #include <sys/stropts.h>
43 #include <sys/sysmacros.h>
44 #include <sys/strsubr.h>
45 #include <sys/strlog.h>
46 #include <sys/cmn_err.h>
47 #include <sys/zone.h>
48 
49 #include <sys/systm.h>
50 #include <sys/param.h>
51 #include <sys/kmem.h>
52 
53 #include <sys/crypto/api.h>
54 
55 #include <inet/common.h>
56 #include <inet/mi.h>
57 
58 #include <netinet/ip6.h>
59 #include <netinet/icmp6.h>
60 #include <netinet/udp.h>
61 
62 #include <inet/ip.h>
63 #include <inet/ip6.h>
64 
65 #include <net/pfkeyv2.h>
66 #include <net/pfpolicy.h>
67 #include <inet/ipsec_info.h>
68 #include <inet/sadb.h>
69 #include <inet/ipsec_impl.h>
70 #include <inet/ipsecah.h>
71 #include <inet/ipsecesp.h>
72 #include <inet/ipdrop.h>
73 #include <inet/ipclassifier.h>
74 
75 static void ipsec_update_present_flags();
76 static ipsec_act_t *ipsec_act_wildcard_expand(ipsec_act_t *, uint_t *);
77 static void ipsec_out_free(void *);
78 static void ipsec_in_free(void *);
79 static boolean_t ipsec_init_inbound_sel(ipsec_selector_t *, mblk_t *,
80     ipha_t *, ip6_t *);
81 static mblk_t *ipsec_attach_global_policy(mblk_t *, conn_t *,
82     ipsec_selector_t *);
83 static mblk_t *ipsec_apply_global_policy(mblk_t *, conn_t *,
84     ipsec_selector_t *);
85 static mblk_t *ipsec_check_ipsecin_policy(queue_t *, mblk_t *,
86     ipsec_policy_t *, ipha_t *, ip6_t *);
87 static void ipsec_in_release_refs(ipsec_in_t *);
88 static void ipsec_out_release_refs(ipsec_out_t *);
89 static void ipsec_action_reclaim(void *);
90 static void ipsid_init(void);
91 static void ipsid_fini(void);
92 static boolean_t ipsec_check_ipsecin_action(struct ipsec_in_s *, mblk_t *,
93     struct ipsec_action_s *, ipha_t *ipha, ip6_t *ip6h, const char **,
94     kstat_named_t **);
95 static int32_t ipsec_act_ovhd(const ipsec_act_t *act);
96 static void ipsec_unregister_prov_update(void);
97 static boolean_t ipsec_compare_action(ipsec_policy_t *, ipsec_policy_t *);
98 static uint32_t selector_hash(ipsec_selector_t *);
99 
100 /*
101  * Policy rule index generator.  We assume this won't wrap in the
102  * lifetime of a system.  If we make 2^20 policy changes per second,
103  * this will last 2^44 seconds, or roughly 500,000 years, so we don't
104  * have to worry about reusing policy index values.
105  *
106  * Protected by ipsec_conf_lock.
107  */
108 uint64_t	ipsec_next_policy_index = 1;
109 
110 /*
111  * Active & Inactive system policy roots
112  */
113 static ipsec_policy_head_t system_policy;
114 static ipsec_policy_head_t inactive_policy;
115 
116 /* Packet dropper for generic SPD drops. */
117 static ipdropper_t spd_dropper;
118 
119 /*
120  * For now, use a trivially sized hash table for actions.
121  * In the future we can add the structure canonicalization necessary
122  * to get the hash function to behave correctly..
123  */
124 #define	IPSEC_ACTION_HASH_SIZE 1
125 
126 /*
127  * Selector hash table is statically sized at module load time.
128  * we default to 251 buckets, which is the largest prime number under 255
129  */
130 
131 #define	IPSEC_SPDHASH_DEFAULT 251
132 uint32_t ipsec_spd_hashsize = 0;
133 
134 #define	IPSEC_SEL_NOHASH ((uint32_t)(~0))
135 
136 static HASH_HEAD(ipsec_action_s) ipsec_action_hash[IPSEC_ACTION_HASH_SIZE];
137 static HASH_HEAD(ipsec_sel) *ipsec_sel_hash;
138 
139 static kmem_cache_t *ipsec_action_cache;
140 static kmem_cache_t *ipsec_sel_cache;
141 static kmem_cache_t *ipsec_pol_cache;
142 static kmem_cache_t *ipsec_info_cache;
143 
144 boolean_t ipsec_inbound_v4_policy_present = B_FALSE;
145 boolean_t ipsec_outbound_v4_policy_present = B_FALSE;
146 boolean_t ipsec_inbound_v6_policy_present = B_FALSE;
147 boolean_t ipsec_outbound_v6_policy_present = B_FALSE;
148 
149 /*
150  * Because policy needs to know what algorithms are supported, keep the
151  * lists of algorithms here.
152  */
153 
154 kmutex_t alg_lock;
155 uint8_t ipsec_nalgs[IPSEC_NALGTYPES];
156 ipsec_alginfo_t *ipsec_alglists[IPSEC_NALGTYPES][IPSEC_MAX_ALGS];
157 uint8_t ipsec_sortlist[IPSEC_NALGTYPES][IPSEC_MAX_ALGS];
158 ipsec_algs_exec_mode_t ipsec_algs_exec_mode[IPSEC_NALGTYPES];
159 static crypto_notify_handle_t prov_update_handle = NULL;
160 
161 #define	ALGBITS_ROUND_DOWN(x, align)	(((x)/(align))*(align))
162 #define	ALGBITS_ROUND_UP(x, align)	ALGBITS_ROUND_DOWN((x)+(align)-1, align)
163 
164 /*
165  * Inbound traffic should have matching identities for both SA's.
166  */
167 
168 #define	SA_IDS_MATCH(sa1, sa2) 						\
169 	(((sa1) == NULL) || ((sa2) == NULL) ||				\
170 	(((sa1)->ipsa_src_cid == (sa2)->ipsa_src_cid) &&		\
171 	    (((sa1)->ipsa_dst_cid == (sa2)->ipsa_dst_cid))))
172 
173 #define	IPPOL_UNCHAIN(php, ip) 						\
174 	HASHLIST_UNCHAIN((ip), ipsp_hash);				\
175 	avl_remove(&(php)->iph_rulebyid, (ip));				\
176 	IPPOL_REFRELE(ip);
177 
178 /*
179  * Policy failure messages.
180  */
181 static char *ipsec_policy_failure_msgs[] = {
182 
183 	/* IPSEC_POLICY_NOT_NEEDED */
184 	"%s: Dropping the datagram because the incoming packet "
185 	"is %s, but the recipient expects clear; Source %s, "
186 	"Destination %s.\n",
187 
188 	/* IPSEC_POLICY_MISMATCH */
189 	"%s: Policy Failure for the incoming packet (%s); Source %s, "
190 	"Destination %s.\n",
191 
192 	/* IPSEC_POLICY_AUTH_NOT_NEEDED	*/
193 	"%s: Authentication present while not expected in the "
194 	"incoming %s packet; Source %s, Destination %s.\n",
195 
196 	/* IPSEC_POLICY_ENCR_NOT_NEEDED */
197 	"%s: Encryption present while not expected in the "
198 	"incoming %s packet; Source %s, Destination %s.\n",
199 
200 	/* IPSEC_POLICY_SE_NOT_NEEDED */
201 	"%s: Self-Encapsulation present while not expected in the "
202 	"incoming %s packet; Source %s, Destination %s.\n",
203 };
204 /*
205  * Have a counter for every possible policy message in the previous array.
206  */
207 static uint32_t ipsec_policy_failure_count[IPSEC_POLICY_MAX];
208 /* Time since last ipsec policy failure that printed a message. */
209 hrtime_t ipsec_policy_failure_last = 0;
210 
211 /*
212  * General overviews:
213  *
214  * Locking:
215  *
216  *	All of the system policy structures are protected by a single
217  *	rwlock, ipsec_conf_lock.  These structures are threaded in a
218  *	fairly complex fashion and are not expected to change on a
219  *	regular basis, so this should not cause scaling/contention
220  *	problems.  As a result, policy checks should (hopefully) be MT-hot.
221  *
222  * Allocation policy:
223  *
224  *	We use custom kmem cache types for the various
225  *	bits & pieces of the policy data structures.  All allocations
226  *	use KM_NOSLEEP instead of KM_SLEEP for policy allocation.  The
227  *	policy table is of potentially unbounded size, so we don't
228  *	want to provide a way to hog all system memory with policy
229  *	entries..
230  */
231 
232 
233 /*
234  * AVL tree comparison function.
235  * the in-kernel avl assumes unique keys for all objects.
236  * Since sometimes policy will duplicate rules, we may insert
237  * multiple rules with the same rule id, so we need a tie-breaker.
238  */
239 static int
240 ipsec_policy_cmpbyid(const void *a, const void *b)
241 {
242 	const ipsec_policy_t *ipa, *ipb;
243 	uint64_t idxa, idxb;
244 
245 	ipa = (const ipsec_policy_t *)a;
246 	ipb = (const ipsec_policy_t *)b;
247 	idxa = ipa->ipsp_index;
248 	idxb = ipb->ipsp_index;
249 
250 	if (idxa < idxb)
251 		return (-1);
252 	if (idxa > idxb)
253 		return (1);
254 	/*
255 	 * Tie-breaker #1: All installed policy rules have a non-NULL
256 	 * ipsl_sel (selector set), so an entry with a NULL ipsp_sel is not
257 	 * actually in-tree but rather a template node being used in
258 	 * an avl_find query; see ipsec_policy_delete().  This gives us
259 	 * a placeholder in the ordering just before the the first entry with
260 	 * a key >= the one we're looking for, so we can walk forward from
261 	 * that point to get the remaining entries with the same id.
262 	 */
263 	if ((ipa->ipsp_sel == NULL) && (ipb->ipsp_sel != NULL))
264 		return (-1);
265 	if ((ipb->ipsp_sel == NULL) && (ipa->ipsp_sel != NULL))
266 		return (1);
267 	/*
268 	 * At most one of the arguments to the comparison should have a
269 	 * NULL selector pointer; if not, the tree is broken.
270 	 */
271 	ASSERT(ipa->ipsp_sel != NULL);
272 	ASSERT(ipb->ipsp_sel != NULL);
273 	/*
274 	 * Tie-breaker #2: use the virtual address of the policy node
275 	 * to arbitrarily break ties.  Since we use the new tree node in
276 	 * the avl_find() in ipsec_insert_always, the new node will be
277 	 * inserted into the tree in the right place in the sequence.
278 	 */
279 	if (ipa < ipb)
280 		return (-1);
281 	if (ipa > ipb)
282 		return (1);
283 	return (0);
284 }
285 
286 static void
287 ipsec_polhead_free_table(ipsec_policy_head_t *iph)
288 {
289 	int dir, nchains;
290 
291 	nchains = ipsec_spd_hashsize;
292 
293 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
294 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
295 
296 		if (ipr->ipr_hash == NULL)
297 			continue;
298 
299 		kmem_free(ipr->ipr_hash, nchains *
300 		    sizeof (ipsec_policy_hash_t));
301 	}
302 }
303 
304 static void
305 ipsec_polhead_destroy(ipsec_policy_head_t *iph)
306 {
307 	int dir;
308 
309 	avl_destroy(&iph->iph_rulebyid);
310 	rw_destroy(&iph->iph_lock);
311 
312 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
313 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
314 		int nchains = ipr->ipr_nchains;
315 		int chain;
316 
317 		for (chain = 0; chain < nchains; chain++)
318 			mutex_destroy(&(ipr->ipr_hash[chain].hash_lock));
319 
320 	}
321 	ipsec_polhead_free_table(iph);
322 }
323 
324 /*
325  * Module unload hook.
326  */
327 void
328 ipsec_policy_destroy(void)
329 {
330 	int i;
331 
332 	ip_drop_unregister(&spd_dropper);
333 	ip_drop_destroy();
334 
335 	ipsec_polhead_destroy(&system_policy);
336 	ipsec_polhead_destroy(&inactive_policy);
337 
338 	for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++)
339 		mutex_destroy(&(ipsec_action_hash[i].hash_lock));
340 
341 	for (i = 0; i < ipsec_spd_hashsize; i++)
342 		mutex_destroy(&(ipsec_sel_hash[i].hash_lock));
343 
344 	ipsec_unregister_prov_update();
345 
346 	mutex_destroy(&alg_lock);
347 
348 	kmem_cache_destroy(ipsec_action_cache);
349 	kmem_cache_destroy(ipsec_sel_cache);
350 	kmem_cache_destroy(ipsec_pol_cache);
351 	kmem_cache_destroy(ipsec_info_cache);
352 	ipsid_gc();
353 	ipsid_fini();
354 }
355 
356 
357 /*
358  * Called when table allocation fails to free the table.
359  */
360 static int
361 ipsec_alloc_tables_failed()
362 {
363 	if (ipsec_sel_hash != NULL) {
364 		kmem_free(ipsec_sel_hash, ipsec_spd_hashsize *
365 		    sizeof (*ipsec_sel_hash));
366 		ipsec_sel_hash = NULL;
367 	}
368 	ipsec_polhead_free_table(&system_policy);
369 	ipsec_polhead_free_table(&inactive_policy);
370 
371 	return (ENOMEM);
372 }
373 
374 /*
375  * Attempt to allocate the tables in a single policy head.
376  * Return nonzero on failure after cleaning up any work in progress.
377  */
378 static int
379 ipsec_alloc_table(ipsec_policy_head_t *iph, int kmflag)
380 {
381 	int dir, nchains;
382 
383 	nchains = ipsec_spd_hashsize;
384 
385 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
386 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
387 
388 		ipr->ipr_hash = kmem_zalloc(nchains *
389 		    sizeof (ipsec_policy_hash_t), kmflag);
390 		if (ipr->ipr_hash == NULL)
391 			return (ipsec_alloc_tables_failed());
392 	}
393 	return (0);
394 }
395 
396 /*
397  * Attempt to allocate the various tables.  Return nonzero on failure
398  * after cleaning up any work in progress.
399  */
400 static int
401 ipsec_alloc_tables(int kmflag)
402 {
403 	int error;
404 
405 	error = ipsec_alloc_table(&system_policy, kmflag);
406 	if (error != 0)
407 		return (error);
408 
409 	error = ipsec_alloc_table(&inactive_policy, kmflag);
410 	if (error != 0)
411 		return (error);
412 
413 	ipsec_sel_hash = kmem_zalloc(ipsec_spd_hashsize *
414 	    sizeof (*ipsec_sel_hash), kmflag);
415 
416 	if (ipsec_sel_hash == NULL)
417 		return (ipsec_alloc_tables_failed());
418 
419 	return (0);
420 }
421 
422 /*
423  * After table allocation, initialize a policy head.
424  */
425 static void
426 ipsec_polhead_init(ipsec_policy_head_t *iph)
427 {
428 	int dir, chain, nchains;
429 
430 	nchains = ipsec_spd_hashsize;
431 
432 	rw_init(&iph->iph_lock, NULL, RW_DEFAULT, NULL);
433 	avl_create(&iph->iph_rulebyid, ipsec_policy_cmpbyid,
434 	    sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid));
435 
436 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
437 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
438 		ipr->ipr_nchains = nchains;
439 
440 		for (chain = 0; chain < nchains; chain++) {
441 			mutex_init(&(ipr->ipr_hash[chain].hash_lock),
442 			    NULL, MUTEX_DEFAULT, NULL);
443 		}
444 	}
445 }
446 
447 /*
448  * Module load hook.
449  */
450 void
451 ipsec_policy_init()
452 {
453 	int i;
454 
455 	/*
456 	 * Make two attempts to allocate policy hash tables; try it at
457 	 * the "preferred" size (may be set in /etc/system) first,
458 	 * then fall back to the default size.
459 	 */
460 	if (ipsec_spd_hashsize == 0)
461 		ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT;
462 
463 	if (ipsec_alloc_tables(KM_NOSLEEP) != 0) {
464 		cmn_err(CE_WARN,
465 		    "Unable to allocate %d entry IPsec policy hash table",
466 		    ipsec_spd_hashsize);
467 		ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT;
468 		cmn_err(CE_WARN, "Falling back to %d entries",
469 		    ipsec_spd_hashsize);
470 		(void) ipsec_alloc_tables(KM_SLEEP);
471 	}
472 
473 	ipsid_init();
474 	ipsec_polhead_init(&system_policy);
475 	ipsec_polhead_init(&inactive_policy);
476 
477 	for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++)
478 		mutex_init(&(ipsec_action_hash[i].hash_lock),
479 		    NULL, MUTEX_DEFAULT, NULL);
480 
481 	for (i = 0; i < ipsec_spd_hashsize; i++)
482 		mutex_init(&(ipsec_sel_hash[i].hash_lock),
483 		    NULL, MUTEX_DEFAULT, NULL);
484 
485 	mutex_init(&alg_lock, NULL, MUTEX_DEFAULT, NULL);
486 
487 	for (i = 0; i < IPSEC_NALGTYPES; i++)
488 		ipsec_nalgs[i] = 0;
489 
490 	ipsec_action_cache = kmem_cache_create("ipsec_actions",
491 	    sizeof (ipsec_action_t), _POINTER_ALIGNMENT, NULL, NULL,
492 	    ipsec_action_reclaim, NULL, NULL, 0);
493 	ipsec_sel_cache = kmem_cache_create("ipsec_selectors",
494 	    sizeof (ipsec_sel_t), _POINTER_ALIGNMENT, NULL, NULL,
495 	    NULL, NULL, NULL, 0);
496 	ipsec_pol_cache = kmem_cache_create("ipsec_policy",
497 	    sizeof (ipsec_policy_t), _POINTER_ALIGNMENT, NULL, NULL,
498 	    NULL, NULL, NULL, 0);
499 	ipsec_info_cache = kmem_cache_create("ipsec_info",
500 	    sizeof (ipsec_info_t), _POINTER_ALIGNMENT, NULL, NULL,
501 	    NULL, NULL, NULL, 0);
502 
503 	ip_drop_init();
504 	ip_drop_register(&spd_dropper, "IPsec SPD");
505 }
506 
507 /*
508  * Sort algorithm lists.
509  *
510  * I may need to split this based on
511  * authentication/encryption, and I may wish to have an administrator
512  * configure this list.  Hold on to some NDD variables...
513  *
514  * XXX For now, sort on minimum key size (GAG!).  While minimum key size is
515  * not the ideal metric, it's the only quantifiable measure available.
516  * We need a better metric for sorting algorithms by preference.
517  */
518 static void
519 alg_insert_sortlist(enum ipsec_algtype at, uint8_t algid)
520 {
521 	ipsec_alginfo_t *ai = ipsec_alglists[at][algid];
522 	uint8_t holder, swap;
523 	uint_t i;
524 	uint_t count = ipsec_nalgs[at];
525 	ASSERT(ai != NULL);
526 	ASSERT(algid == ai->alg_id);
527 
528 	ASSERT(MUTEX_HELD(&alg_lock));
529 
530 	holder = algid;
531 
532 	for (i = 0; i < count - 1; i++) {
533 		ipsec_alginfo_t *alt;
534 
535 		alt = ipsec_alglists[at][ipsec_sortlist[at][i]];
536 		/*
537 		 * If you want to give precedence to newly added algs,
538 		 * add the = in the > comparison.
539 		 */
540 		if ((holder != algid) || (ai->alg_minbits > alt->alg_minbits)) {
541 			/* Swap sortlist[i] and holder. */
542 			swap = ipsec_sortlist[at][i];
543 			ipsec_sortlist[at][i] = holder;
544 			holder = swap;
545 			ai = alt;
546 		} /* Else just continue. */
547 	}
548 
549 	/* Store holder in last slot. */
550 	ipsec_sortlist[at][i] = holder;
551 }
552 
553 /*
554  * Remove an algorithm from a sorted algorithm list.
555  * This should be considerably easier, even with complex sorting.
556  */
557 static void
558 alg_remove_sortlist(enum ipsec_algtype at, uint8_t algid)
559 {
560 	boolean_t copyback = B_FALSE;
561 	int i;
562 	int newcount = ipsec_nalgs[at];
563 
564 	ASSERT(MUTEX_HELD(&alg_lock));
565 
566 	for (i = 0; i <= newcount; i++) {
567 		if (copyback)
568 			ipsec_sortlist[at][i-1] = ipsec_sortlist[at][i];
569 		else if (ipsec_sortlist[at][i] == algid)
570 			copyback = B_TRUE;
571 	}
572 }
573 
574 /*
575  * Add the specified algorithm to the algorithm tables.
576  * Must be called while holding the algorithm table writer lock.
577  */
578 void
579 ipsec_alg_reg(ipsec_algtype_t algtype, ipsec_alginfo_t *alg)
580 {
581 	ASSERT(MUTEX_HELD(&alg_lock));
582 
583 	ASSERT(ipsec_alglists[algtype][alg->alg_id] == NULL);
584 	ipsec_alg_fix_min_max(alg, algtype);
585 	ipsec_alglists[algtype][alg->alg_id] = alg;
586 
587 	ipsec_nalgs[algtype]++;
588 	alg_insert_sortlist(algtype, alg->alg_id);
589 }
590 
591 /*
592  * Remove the specified algorithm from the algorithm tables.
593  * Must be called while holding the algorithm table writer lock.
594  */
595 void
596 ipsec_alg_unreg(ipsec_algtype_t algtype, uint8_t algid)
597 {
598 	ASSERT(MUTEX_HELD(&alg_lock));
599 
600 	ASSERT(ipsec_alglists[algtype][algid] != NULL);
601 	ipsec_alg_free(ipsec_alglists[algtype][algid]);
602 	ipsec_alglists[algtype][algid] = NULL;
603 
604 	ipsec_nalgs[algtype]--;
605 	alg_remove_sortlist(algtype, algid);
606 }
607 
608 /*
609  * Hooks for spdsock to get a grip on system policy.
610  */
611 
612 ipsec_policy_head_t *
613 ipsec_system_policy(void)
614 {
615 	ipsec_policy_head_t *h = &system_policy;
616 	IPPH_REFHOLD(h);
617 	return (h);
618 }
619 
620 ipsec_policy_head_t *
621 ipsec_inactive_policy(void)
622 {
623 	ipsec_policy_head_t *h = &inactive_policy;
624 	IPPH_REFHOLD(h);
625 	return (h);
626 }
627 
628 /*
629  * Lock inactive policy, then active policy, then exchange policy root
630  * pointers.
631  */
632 void
633 ipsec_swap_policy(void)
634 {
635 	int af, dir;
636 	avl_tree_t r1, r2;
637 
638 	rw_enter(&inactive_policy.iph_lock, RW_WRITER);
639 	rw_enter(&system_policy.iph_lock, RW_WRITER);
640 
641 	r1 = system_policy.iph_rulebyid;
642 	r2 = inactive_policy.iph_rulebyid;
643 	system_policy.iph_rulebyid = r2;
644 	inactive_policy.iph_rulebyid = r1;
645 
646 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
647 		ipsec_policy_hash_t *h1, *h2;
648 
649 		h1 = system_policy.iph_root[dir].ipr_hash;
650 		h2 = inactive_policy.iph_root[dir].ipr_hash;
651 		system_policy.iph_root[dir].ipr_hash = h2;
652 		inactive_policy.iph_root[dir].ipr_hash = h1;
653 
654 		for (af = 0; af < IPSEC_NAF; af++) {
655 			ipsec_policy_t *t1, *t2;
656 
657 			t1 = system_policy.iph_root[dir].ipr_nonhash[af];
658 			t2 = inactive_policy.iph_root[dir].ipr_nonhash[af];
659 			system_policy.iph_root[dir].ipr_nonhash[af] = t2;
660 			inactive_policy.iph_root[dir].ipr_nonhash[af] = t1;
661 			if (t1 != NULL) {
662 				t1->ipsp_hash.hash_pp =
663 				    &(inactive_policy.iph_root[dir].
664 				    ipr_nonhash[af]);
665 			}
666 			if (t2 != NULL) {
667 				t2->ipsp_hash.hash_pp =
668 				    &(system_policy.iph_root[dir].
669 				    ipr_nonhash[af]);
670 			}
671 
672 		}
673 	}
674 	system_policy.iph_gen++;
675 	inactive_policy.iph_gen++;
676 	ipsec_update_present_flags();
677 	rw_exit(&system_policy.iph_lock);
678 	rw_exit(&inactive_policy.iph_lock);
679 }
680 
681 /*
682  * Clone one policy rule..
683  */
684 static ipsec_policy_t *
685 ipsec_copy_policy(const ipsec_policy_t *src)
686 {
687 	ipsec_policy_t *dst = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);
688 
689 	if (dst == NULL)
690 		return (NULL);
691 
692 	/*
693 	 * Adjust refcounts of cloned state.
694 	 */
695 	IPACT_REFHOLD(src->ipsp_act);
696 	src->ipsp_sel->ipsl_refs++;
697 
698 	HASH_NULL(dst, ipsp_hash);
699 	dst->ipsp_refs = 1;
700 	dst->ipsp_sel = src->ipsp_sel;
701 	dst->ipsp_act = src->ipsp_act;
702 	dst->ipsp_prio = src->ipsp_prio;
703 	dst->ipsp_index = src->ipsp_index;
704 
705 	return (dst);
706 }
707 
708 void
709 ipsec_insert_always(avl_tree_t *tree, void *new_node)
710 {
711 	void *node;
712 	avl_index_t where;
713 
714 	node = avl_find(tree, new_node, &where);
715 	ASSERT(node == NULL);
716 	avl_insert(tree, new_node, where);
717 }
718 
719 
720 static int
721 ipsec_copy_chain(ipsec_policy_head_t *dph, ipsec_policy_t *src,
722     ipsec_policy_t **dstp)
723 {
724 	for (; src != NULL; src = src->ipsp_hash.hash_next) {
725 		ipsec_policy_t *dst = ipsec_copy_policy(src);
726 		if (dst == NULL)
727 			return (ENOMEM);
728 
729 		HASHLIST_INSERT(dst, ipsp_hash, *dstp);
730 		ipsec_insert_always(&dph->iph_rulebyid, dst);
731 	}
732 	return (0);
733 }
734 
735 
736 
737 /*
738  * Make one policy head look exactly like another.
739  *
740  * As with ipsec_swap_policy, we lock the destination policy head first, then
741  * the source policy head. Note that we only need to read-lock the source
742  * policy head as we are not changing it.
743  */
744 static int
745 ipsec_copy_polhead(ipsec_policy_head_t *sph, ipsec_policy_head_t *dph)
746 {
747 	int af, dir, chain, nchains;
748 
749 	rw_enter(&dph->iph_lock, RW_WRITER);
750 
751 	ipsec_polhead_flush(dph);
752 
753 	rw_enter(&sph->iph_lock, RW_READER);
754 
755 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
756 		ipsec_policy_root_t *dpr = &dph->iph_root[dir];
757 		ipsec_policy_root_t *spr = &sph->iph_root[dir];
758 		nchains = dpr->ipr_nchains;
759 
760 		ASSERT(dpr->ipr_nchains == spr->ipr_nchains);
761 
762 		for (af = 0; af < IPSEC_NAF; af++) {
763 			if (ipsec_copy_chain(dph, spr->ipr_nonhash[af],
764 			    &dpr->ipr_nonhash[af]))
765 				goto abort_copy;
766 		}
767 
768 		for (chain = 0; chain < nchains; chain++) {
769 			if (ipsec_copy_chain(dph,
770 			    spr->ipr_hash[chain].hash_head,
771 			    &dpr->ipr_hash[chain].hash_head))
772 				goto abort_copy;
773 		}
774 	}
775 
776 	dph->iph_gen++;
777 
778 	rw_exit(&sph->iph_lock);
779 	rw_exit(&dph->iph_lock);
780 	return (0);
781 
782 abort_copy:
783 	ipsec_polhead_flush(dph);
784 	rw_exit(&sph->iph_lock);
785 	rw_exit(&dph->iph_lock);
786 	return (ENOMEM);
787 }
788 
789 /*
790  * Clone currently active policy to the inactive policy list.
791  */
792 int
793 ipsec_clone_system_policy(void)
794 {
795 	return (ipsec_copy_polhead(&system_policy, &inactive_policy));
796 }
797 
798 
799 /*
800  * Extract the string from ipsec_policy_failure_msgs[type] and
801  * log it.
802  *
803  * This function needs to be kept in synch with ipsec_rl_strlog() in
804  * sadb.c.
805  * XXX this function should be combined with the ipsec_rl_strlog() function.
806  */
807 void
808 ipsec_log_policy_failure(queue_t *q, int type, char *func_name, ipha_t *ipha,
809     ip6_t *ip6h, boolean_t secure)
810 {
811 	char	sbuf[INET6_ADDRSTRLEN];
812 	char	dbuf[INET6_ADDRSTRLEN];
813 	char	*s;
814 	char	*d;
815 	hrtime_t current = gethrtime();
816 
817 	ASSERT((ipha == NULL && ip6h != NULL) ||
818 	    (ip6h == NULL && ipha != NULL));
819 
820 	if (ipha != NULL) {
821 		s = inet_ntop(AF_INET, &ipha->ipha_src, sbuf, sizeof (sbuf));
822 		d = inet_ntop(AF_INET, &ipha->ipha_dst, dbuf, sizeof (dbuf));
823 	} else {
824 		s = inet_ntop(AF_INET6, &ip6h->ip6_src, sbuf, sizeof (sbuf));
825 		d = inet_ntop(AF_INET6, &ip6h->ip6_dst, dbuf, sizeof (dbuf));
826 
827 	}
828 
829 	/* Always bump the policy failure counter. */
830 	ipsec_policy_failure_count[type]++;
831 
832 	/* Convert interval (in msec) to hrtime (in nsec), which means * 10^6 */
833 	if (ipsec_policy_failure_last +
834 	    ((hrtime_t)ipsec_policy_log_interval * (hrtime_t)1000000) <=
835 	    current) {
836 		/*
837 		 * Throttle the logging such that I only log one message
838 		 * every 'ipsec_policy_log_interval' amount of time.
839 		 */
840 		(void) mi_strlog(q, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
841 		    ipsec_policy_failure_msgs[type],
842 		    func_name,
843 		    (secure ? "secure" : "not secure"), s, d);
844 		ipsec_policy_failure_last = current;
845 	}
846 }
847 
848 void
849 ipsec_config_flush()
850 {
851 	rw_enter(&system_policy.iph_lock, RW_WRITER);
852 	ipsec_polhead_flush(&system_policy);
853 	ipsec_next_policy_index = 1;
854 	rw_exit(&system_policy.iph_lock);
855 	ipsec_action_reclaim(0);
856 }
857 
858 /*
859  * Clip a policy's min/max keybits vs. the capabilities of the
860  * algorithm.
861  */
862 static void
863 act_alg_adjust(uint_t algtype, uint_t algid,
864     uint16_t *minbits, uint16_t *maxbits)
865 {
866 	ipsec_alginfo_t *algp = ipsec_alglists[algtype][algid];
867 	if (algp != NULL) {
868 		/*
869 		 * If passed-in minbits is zero, we assume the caller trusts
870 		 * us with setting the minimum key size.  We pick the
871 		 * algorithms DEFAULT key size for the minimum in this case.
872 		 */
873 		if (*minbits == 0) {
874 			*minbits = algp->alg_default_bits;
875 			ASSERT(*minbits >= algp->alg_minbits);
876 		} else {
877 			*minbits = MAX(*minbits, algp->alg_minbits);
878 		}
879 		if (*maxbits == 0)
880 			*maxbits = algp->alg_maxbits;
881 		else
882 			*maxbits = MIN(*maxbits, algp->alg_maxbits);
883 		ASSERT(*minbits <= *maxbits);
884 	} else {
885 		*minbits = 0;
886 		*maxbits = 0;
887 	}
888 }
889 
890 /*
891  * Check an action's requested algorithms against the algorithms currently
892  * loaded in the system.
893  */
894 boolean_t
895 ipsec_check_action(ipsec_act_t *act, int *diag)
896 {
897 	ipsec_prot_t *ipp;
898 
899 	ipp = &act->ipa_apply;
900 
901 	if (ipp->ipp_use_ah &&
902 	    ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_auth_alg] == NULL) {
903 		*diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG;
904 		return (B_FALSE);
905 	}
906 	if (ipp->ipp_use_espa &&
907 	    ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_esp_auth_alg] == NULL) {
908 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG;
909 		return (B_FALSE);
910 	}
911 	if (ipp->ipp_use_esp &&
912 	    ipsec_alglists[IPSEC_ALG_ENCR][ipp->ipp_encr_alg] == NULL) {
913 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG;
914 		return (B_FALSE);
915 	}
916 
917 	act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_auth_alg,
918 	    &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits);
919 	act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_esp_auth_alg,
920 	    &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits);
921 	act_alg_adjust(IPSEC_ALG_ENCR, ipp->ipp_encr_alg,
922 	    &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits);
923 
924 	if (ipp->ipp_ah_minbits > ipp->ipp_ah_maxbits) {
925 		*diag = SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE;
926 		return (B_FALSE);
927 	}
928 	if (ipp->ipp_espa_minbits > ipp->ipp_espa_maxbits) {
929 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE;
930 		return (B_FALSE);
931 	}
932 	if (ipp->ipp_espe_minbits > ipp->ipp_espe_maxbits) {
933 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE;
934 		return (B_FALSE);
935 	}
936 	/* TODO: sanity check lifetimes */
937 	return (B_TRUE);
938 }
939 
940 /*
941  * Set up a single action during wildcard expansion..
942  */
943 static void
944 ipsec_setup_act(ipsec_act_t *outact, ipsec_act_t *act,
945     uint_t auth_alg, uint_t encr_alg, uint_t eauth_alg)
946 {
947 	ipsec_prot_t *ipp;
948 
949 	*outact = *act;
950 	ipp = &outact->ipa_apply;
951 	ipp->ipp_auth_alg = (uint8_t)auth_alg;
952 	ipp->ipp_encr_alg = (uint8_t)encr_alg;
953 	ipp->ipp_esp_auth_alg = (uint8_t)eauth_alg;
954 
955 	act_alg_adjust(IPSEC_ALG_AUTH, auth_alg,
956 	    &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits);
957 	act_alg_adjust(IPSEC_ALG_AUTH, eauth_alg,
958 	    &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits);
959 	act_alg_adjust(IPSEC_ALG_ENCR, encr_alg,
960 	    &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits);
961 }
962 
963 /*
964  * combinatoric expansion time: expand a wildcarded action into an
965  * array of wildcarded actions; we return the exploded action list,
966  * and return a count in *nact (output only).
967  */
968 static ipsec_act_t *
969 ipsec_act_wildcard_expand(ipsec_act_t *act, uint_t *nact)
970 {
971 	boolean_t use_ah, use_esp, use_espa;
972 	boolean_t wild_auth, wild_encr, wild_eauth;
973 	uint_t	auth_alg, auth_idx, auth_min, auth_max;
974 	uint_t	eauth_alg, eauth_idx, eauth_min, eauth_max;
975 	uint_t  encr_alg, encr_idx, encr_min, encr_max;
976 	uint_t	action_count, ai;
977 	ipsec_act_t *outact;
978 
979 	if (act->ipa_type != IPSEC_ACT_APPLY) {
980 		outact = kmem_alloc(sizeof (*act), KM_NOSLEEP);
981 		*nact = 1;
982 		if (outact != NULL)
983 			bcopy(act, outact, sizeof (*act));
984 		return (outact);
985 	}
986 	/*
987 	 * compute the combinatoric explosion..
988 	 *
989 	 * we assume a request for encr if esp_req is PREF_REQUIRED
990 	 * we assume a request for ah auth if ah_req is PREF_REQUIRED.
991 	 * we assume a request for esp auth if !ah and esp_req is PREF_REQUIRED
992 	 */
993 
994 	use_ah = act->ipa_apply.ipp_use_ah;
995 	use_esp = act->ipa_apply.ipp_use_esp;
996 	use_espa = act->ipa_apply.ipp_use_espa;
997 	auth_alg = act->ipa_apply.ipp_auth_alg;
998 	eauth_alg = act->ipa_apply.ipp_esp_auth_alg;
999 	encr_alg = act->ipa_apply.ipp_encr_alg;
1000 
1001 	wild_auth = use_ah && (auth_alg == 0);
1002 	wild_eauth = use_espa && (eauth_alg == 0);
1003 	wild_encr = use_esp && (encr_alg == 0);
1004 
1005 	action_count = 1;
1006 	auth_min = auth_max = auth_alg;
1007 	eauth_min = eauth_max = eauth_alg;
1008 	encr_min = encr_max = encr_alg;
1009 
1010 	/*
1011 	 * set up for explosion.. for each dimension, expand output
1012 	 * size by the explosion factor.
1013 	 *
1014 	 * Don't include the "any" algorithms, if defined, as no
1015 	 * kernel policies should be set for these algorithms.
1016 	 */
1017 
1018 #define	SET_EXP_MINMAX(type, wild, alg, min, max) if (wild) {	\
1019 		int nalgs = ipsec_nalgs[type];			\
1020 		if (ipsec_alglists[type][alg] != NULL)		\
1021 			nalgs--;				\
1022 		action_count *= nalgs;				\
1023 		min = 0;					\
1024 		max = ipsec_nalgs[type] - 1;			\
1025 	}
1026 
1027 	SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_auth, SADB_AALG_NONE,
1028 	    auth_min, auth_max);
1029 	SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_eauth, SADB_AALG_NONE,
1030 	    eauth_min, eauth_max);
1031 	SET_EXP_MINMAX(IPSEC_ALG_ENCR, wild_encr, SADB_EALG_NONE,
1032 	    encr_min, encr_max);
1033 
1034 #undef	SET_EXP_MINMAX
1035 
1036 	/*
1037 	 * ok, allocate the whole mess..
1038 	 */
1039 
1040 	outact = kmem_alloc(sizeof (*outact) * action_count, KM_NOSLEEP);
1041 	if (outact == NULL)
1042 		return (NULL);
1043 
1044 	/*
1045 	 * Now compute all combinations.  Note that non-wildcarded
1046 	 * dimensions just get a single value from auth_min, while
1047 	 * wildcarded dimensions indirect through the sortlist.
1048 	 *
1049 	 * We do encryption outermost since, at this time, there's
1050 	 * greater difference in security and performance between
1051 	 * encryption algorithms vs. authentication algorithms.
1052 	 */
1053 
1054 	ai = 0;
1055 
1056 #define	WHICH_ALG(type, wild, idx) ((wild)?(ipsec_sortlist[type][idx]):(idx))
1057 
1058 	for (encr_idx = encr_min; encr_idx <= encr_max; encr_idx++) {
1059 		encr_alg = WHICH_ALG(IPSEC_ALG_ENCR, wild_encr, encr_idx);
1060 		if (wild_encr && encr_alg == SADB_EALG_NONE)
1061 			continue;
1062 		for (auth_idx = auth_min; auth_idx <= auth_max; auth_idx++) {
1063 			auth_alg = WHICH_ALG(IPSEC_ALG_AUTH, wild_auth,
1064 			    auth_idx);
1065 			if (wild_auth && auth_alg == SADB_AALG_NONE)
1066 				continue;
1067 			for (eauth_idx = eauth_min; eauth_idx <= eauth_max;
1068 			    eauth_idx++) {
1069 				eauth_alg = WHICH_ALG(IPSEC_ALG_AUTH,
1070 				    wild_eauth, eauth_idx);
1071 				if (wild_eauth && eauth_alg == SADB_AALG_NONE)
1072 					continue;
1073 
1074 				ipsec_setup_act(&outact[ai], act,
1075 				    auth_alg, encr_alg, eauth_alg);
1076 				ai++;
1077 			}
1078 		}
1079 	}
1080 
1081 #undef WHICH_ALG
1082 
1083 	ASSERT(ai == action_count);
1084 	*nact = action_count;
1085 	return (outact);
1086 }
1087 
1088 /*
1089  * Extract the parts of an ipsec_prot_t from an old-style ipsec_req_t.
1090  */
1091 static void
1092 ipsec_prot_from_req(ipsec_req_t *req, ipsec_prot_t *ipp)
1093 {
1094 	bzero(ipp, sizeof (*ipp));
1095 	/*
1096 	 * ipp_use_* are bitfields.  Look at "!!" in the following as a
1097 	 * "boolean canonicalization" operator.
1098 	 */
1099 	ipp->ipp_use_ah = !!(req->ipsr_ah_req & IPSEC_PREF_REQUIRED);
1100 	ipp->ipp_use_esp = !!(req->ipsr_esp_req & IPSEC_PREF_REQUIRED);
1101 	ipp->ipp_use_espa = !!(req->ipsr_esp_auth_alg) || !ipp->ipp_use_ah;
1102 	ipp->ipp_use_se = !!(req->ipsr_self_encap_req & IPSEC_PREF_REQUIRED);
1103 	ipp->ipp_use_unique = !!((req->ipsr_ah_req|req->ipsr_esp_req) &
1104 	    IPSEC_PREF_UNIQUE);
1105 	ipp->ipp_encr_alg = req->ipsr_esp_alg;
1106 	ipp->ipp_auth_alg = req->ipsr_auth_alg;
1107 	ipp->ipp_esp_auth_alg = req->ipsr_esp_auth_alg;
1108 }
1109 
1110 /*
1111  * Extract a new-style action from a request.
1112  */
1113 void
1114 ipsec_actvec_from_req(ipsec_req_t *req, ipsec_act_t **actp, uint_t *nactp)
1115 {
1116 	struct ipsec_act act;
1117 	bzero(&act, sizeof (act));
1118 	if ((req->ipsr_ah_req & IPSEC_PREF_NEVER) &&
1119 	    (req->ipsr_esp_req & IPSEC_PREF_NEVER)) {
1120 		act.ipa_type = IPSEC_ACT_BYPASS;
1121 	} else {
1122 		act.ipa_type = IPSEC_ACT_APPLY;
1123 		ipsec_prot_from_req(req, &act.ipa_apply);
1124 	}
1125 	*actp = ipsec_act_wildcard_expand(&act, nactp);
1126 }
1127 
1128 /*
1129  * Convert a new-style "prot" back to an ipsec_req_t (more backwards compat).
1130  * We assume caller has already zero'ed *req for us.
1131  */
1132 static int
1133 ipsec_req_from_prot(ipsec_prot_t *ipp, ipsec_req_t *req)
1134 {
1135 	req->ipsr_esp_alg = ipp->ipp_encr_alg;
1136 	req->ipsr_auth_alg = ipp->ipp_auth_alg;
1137 	req->ipsr_esp_auth_alg = ipp->ipp_esp_auth_alg;
1138 
1139 	if (ipp->ipp_use_unique) {
1140 		req->ipsr_ah_req |= IPSEC_PREF_UNIQUE;
1141 		req->ipsr_esp_req |= IPSEC_PREF_UNIQUE;
1142 	}
1143 	if (ipp->ipp_use_se)
1144 		req->ipsr_self_encap_req |= IPSEC_PREF_REQUIRED;
1145 	if (ipp->ipp_use_ah)
1146 		req->ipsr_ah_req |= IPSEC_PREF_REQUIRED;
1147 	if (ipp->ipp_use_esp)
1148 		req->ipsr_esp_req |= IPSEC_PREF_REQUIRED;
1149 	return (sizeof (*req));
1150 }
1151 
1152 /*
1153  * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1154  * We assume caller has already zero'ed *req for us.
1155  */
1156 static int
1157 ipsec_req_from_act(ipsec_action_t *ap, ipsec_req_t *req)
1158 {
1159 	switch (ap->ipa_act.ipa_type) {
1160 	case IPSEC_ACT_BYPASS:
1161 		req->ipsr_ah_req = IPSEC_PREF_NEVER;
1162 		req->ipsr_esp_req = IPSEC_PREF_NEVER;
1163 		return (sizeof (*req));
1164 	case IPSEC_ACT_APPLY:
1165 		return (ipsec_req_from_prot(&ap->ipa_act.ipa_apply, req));
1166 	}
1167 	return (sizeof (*req));
1168 }
1169 
1170 /*
1171  * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1172  * We assume caller has already zero'ed *req for us.
1173  */
1174 static int
1175 ipsec_req_from_head(ipsec_policy_head_t *ph, ipsec_req_t *req, int af)
1176 {
1177 	ipsec_policy_t *p;
1178 
1179 	/*
1180 	 * FULL-PERSOCK: consult hash table, too?
1181 	 */
1182 	for (p = ph->iph_root[IPSEC_INBOUND].ipr_nonhash[af];
1183 	    p != NULL;
1184 	    p = p->ipsp_hash.hash_next) {
1185 		if ((p->ipsp_sel->ipsl_key.ipsl_valid&IPSL_WILDCARD) == 0)
1186 			return (ipsec_req_from_act(p->ipsp_act, req));
1187 	}
1188 	return (sizeof (*req));
1189 }
1190 
1191 /*
1192  * Based on per-socket or latched policy, convert to an appropriate
1193  * IP_SEC_OPT ipsec_req_t for the socket option; return size so we can
1194  * be tail-called from ip.
1195  */
1196 int
1197 ipsec_req_from_conn(conn_t *connp, ipsec_req_t *req, int af)
1198 {
1199 	ipsec_latch_t *ipl;
1200 	int rv = sizeof (ipsec_req_t);
1201 
1202 	bzero(req, sizeof (*req));
1203 
1204 	mutex_enter(&connp->conn_lock);
1205 	ipl = connp->conn_latch;
1206 
1207 	/*
1208 	 * Find appropriate policy.  First choice is latched action;
1209 	 * failing that, see latched policy; failing that,
1210 	 * look at configured policy.
1211 	 */
1212 	if (ipl != NULL) {
1213 		if (ipl->ipl_in_action != NULL) {
1214 			rv = ipsec_req_from_act(ipl->ipl_in_action, req);
1215 			goto done;
1216 		}
1217 		if (ipl->ipl_in_policy != NULL) {
1218 			rv = ipsec_req_from_act(ipl->ipl_in_policy->ipsp_act,
1219 			    req);
1220 			goto done;
1221 		}
1222 	}
1223 	if (connp->conn_policy != NULL)
1224 		rv = ipsec_req_from_head(connp->conn_policy, req, af);
1225 done:
1226 	mutex_exit(&connp->conn_lock);
1227 	return (rv);
1228 }
1229 
1230 void
1231 ipsec_actvec_free(ipsec_act_t *act, uint_t nact)
1232 {
1233 	kmem_free(act, nact * sizeof (*act));
1234 }
1235 
1236 /*
1237  * When outbound policy is not cached, look it up the hard way and attach
1238  * an ipsec_out_t to the packet..
1239  */
1240 static mblk_t *
1241 ipsec_attach_global_policy(mblk_t *mp, conn_t *connp, ipsec_selector_t *sel)
1242 {
1243 	ipsec_policy_t *p;
1244 
1245 	p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel);
1246 
1247 	if (p == NULL)
1248 		return (NULL);
1249 	return (ipsec_attach_ipsec_out(mp, connp, p, sel->ips_protocol));
1250 }
1251 
1252 /*
1253  * We have an ipsec_out already, but don't have cached policy; fill it in
1254  * with the right actions.
1255  */
1256 static mblk_t *
1257 ipsec_apply_global_policy(mblk_t *ipsec_mp, conn_t *connp,
1258     ipsec_selector_t *sel)
1259 {
1260 	ipsec_out_t *io;
1261 	ipsec_policy_t *p;
1262 
1263 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
1264 	ASSERT(ipsec_mp->b_cont->b_datap->db_type == M_DATA);
1265 
1266 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
1267 
1268 	if (io->ipsec_out_policy == NULL) {
1269 		p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, io, sel);
1270 		io->ipsec_out_policy = p;
1271 	}
1272 	return (ipsec_mp);
1273 }
1274 
1275 
1276 /* ARGSUSED */
1277 /*
1278  * Consumes a reference to ipsp.
1279  */
1280 static mblk_t *
1281 ipsec_check_loopback_policy(queue_t *q, mblk_t *first_mp,
1282     boolean_t mctl_present, ipsec_policy_t *ipsp)
1283 {
1284 	mblk_t *ipsec_mp;
1285 	ipsec_in_t *ii;
1286 
1287 	if (!mctl_present)
1288 		return (first_mp);
1289 
1290 	ipsec_mp = first_mp;
1291 
1292 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
1293 	ASSERT(ii->ipsec_in_loopback);
1294 	IPPOL_REFRELE(ipsp);
1295 
1296 	/*
1297 	 * We should do an actual policy check here.  Revisit this
1298 	 * when we revisit the IPsec API.
1299 	 */
1300 
1301 	return (first_mp);
1302 }
1303 
1304 static boolean_t
1305 ipsec_check_ipsecin_action(ipsec_in_t *ii, mblk_t *mp, ipsec_action_t *ap,
1306     ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter)
1307 {
1308 	boolean_t ret = B_TRUE;
1309 	ipsec_prot_t *ipp;
1310 	ipsa_t *ah_assoc;
1311 	ipsa_t *esp_assoc;
1312 	boolean_t decaps;
1313 
1314 	ASSERT((ipha == NULL && ip6h != NULL) ||
1315 	    (ip6h == NULL && ipha != NULL));
1316 
1317 	if (ii->ipsec_in_loopback) {
1318 		/*
1319 		 * Besides accepting pointer-equivalent actions, we also
1320 		 * accept any ICMP errors we generated for ourselves,
1321 		 * regardless of policy.  If we do not wish to make this
1322 		 * assumption in the future, check here, and where
1323 		 * icmp_loopback is initialized in ip.c and ip6.c.  (Look for
1324 		 * ipsec_out_icmp_loopback.)
1325 		 */
1326 		if (ap == ii->ipsec_in_action || ii->ipsec_in_icmp_loopback)
1327 			return (B_TRUE);
1328 
1329 		/* Deep compare necessary here?? */
1330 		*counter = &ipdrops_spd_loopback_mismatch;
1331 		*reason = "loopback policy mismatch";
1332 		return (B_FALSE);
1333 	}
1334 	ASSERT(!ii->ipsec_in_icmp_loopback);
1335 
1336 	ah_assoc = ii->ipsec_in_ah_sa;
1337 	esp_assoc = ii->ipsec_in_esp_sa;
1338 
1339 	decaps = ii->ipsec_in_decaps;
1340 
1341 	switch (ap->ipa_act.ipa_type) {
1342 	case IPSEC_ACT_DISCARD:
1343 	case IPSEC_ACT_REJECT:
1344 		/* Should "fail hard" */
1345 		*counter = &ipdrops_spd_explicit;
1346 		*reason = "blocked by policy";
1347 		return (B_FALSE);
1348 
1349 	case IPSEC_ACT_BYPASS:
1350 	case IPSEC_ACT_CLEAR:
1351 		*counter = &ipdrops_spd_got_secure;
1352 		*reason = "expected clear, got protected";
1353 		return (B_FALSE);
1354 
1355 	case IPSEC_ACT_APPLY:
1356 		ipp = &ap->ipa_act.ipa_apply;
1357 		/*
1358 		 * As of now we do the simple checks of whether
1359 		 * the datagram has gone through the required IPSEC
1360 		 * protocol constraints or not. We might have more
1361 		 * in the future like sensitive levels, key bits, etc.
1362 		 * If it fails the constraints, check whether we would
1363 		 * have accepted this if it had come in clear.
1364 		 */
1365 		if (ipp->ipp_use_ah) {
1366 			if (ah_assoc == NULL) {
1367 				ret = ipsec_inbound_accept_clear(mp, ipha,
1368 				    ip6h);
1369 				*counter = &ipdrops_spd_got_clear;
1370 				*reason = "unprotected not accepted";
1371 				break;
1372 			}
1373 			ASSERT(ah_assoc != NULL);
1374 			ASSERT(ipp->ipp_auth_alg != 0);
1375 
1376 			if (ah_assoc->ipsa_auth_alg !=
1377 			    ipp->ipp_auth_alg) {
1378 				*counter = &ipdrops_spd_bad_ahalg;
1379 				*reason = "unacceptable ah alg";
1380 				ret = B_FALSE;
1381 				break;
1382 			}
1383 		} else if (ah_assoc != NULL) {
1384 			/*
1385 			 * Don't allow this. Check IPSEC NOTE above
1386 			 * ip_fanout_proto().
1387 			 */
1388 			*counter = &ipdrops_spd_got_ah;
1389 			*reason = "unexpected AH";
1390 			ret = B_FALSE;
1391 			break;
1392 		}
1393 		if (ipp->ipp_use_esp) {
1394 			if (esp_assoc == NULL) {
1395 				ret = ipsec_inbound_accept_clear(mp, ipha,
1396 				    ip6h);
1397 				*counter = &ipdrops_spd_got_clear;
1398 				*reason = "unprotected not accepted";
1399 				break;
1400 			}
1401 			ASSERT(esp_assoc != NULL);
1402 			ASSERT(ipp->ipp_encr_alg != 0);
1403 
1404 			if (esp_assoc->ipsa_encr_alg !=
1405 			    ipp->ipp_encr_alg) {
1406 				*counter = &ipdrops_spd_bad_espealg;
1407 				*reason = "unacceptable esp alg";
1408 				ret = B_FALSE;
1409 				break;
1410 			}
1411 			/*
1412 			 * If the client does not need authentication,
1413 			 * we don't verify the alogrithm.
1414 			 */
1415 			if (ipp->ipp_use_espa) {
1416 				if (esp_assoc->ipsa_auth_alg !=
1417 				    ipp->ipp_esp_auth_alg) {
1418 					*counter = &ipdrops_spd_bad_espaalg;
1419 					*reason = "unacceptable esp auth alg";
1420 					ret = B_FALSE;
1421 					break;
1422 				}
1423 			}
1424 		} else if (esp_assoc != NULL) {
1425 				/*
1426 				 * Don't allow this. Check IPSEC NOTE above
1427 				 * ip_fanout_proto().
1428 				 */
1429 			*counter = &ipdrops_spd_got_esp;
1430 			*reason = "unexpected ESP";
1431 			ret = B_FALSE;
1432 			break;
1433 		}
1434 		if (ipp->ipp_use_se) {
1435 			if (!decaps) {
1436 				ret = ipsec_inbound_accept_clear(mp, ipha,
1437 				    ip6h);
1438 				if (!ret) {
1439 					/* XXX mutant? */
1440 					*counter = &ipdrops_spd_bad_selfencap;
1441 					*reason = "self encap not found";
1442 					break;
1443 				}
1444 			}
1445 		} else if (decaps) {
1446 			/*
1447 			 * XXX If the packet comes in tunneled and the
1448 			 * recipient does not expect it to be tunneled, it
1449 			 * is okay. But we drop to be consistent with the
1450 			 * other cases.
1451 			 */
1452 			*counter = &ipdrops_spd_got_selfencap;
1453 			*reason = "unexpected self encap";
1454 			ret = B_FALSE;
1455 			break;
1456 		}
1457 		if (ii->ipsec_in_action != NULL) {
1458 			/*
1459 			 * This can happen if we do a double policy-check on
1460 			 * a packet
1461 			 * XXX XXX should fix this case!
1462 			 */
1463 			IPACT_REFRELE(ii->ipsec_in_action);
1464 		}
1465 		ASSERT(ii->ipsec_in_action == NULL);
1466 		IPACT_REFHOLD(ap);
1467 		ii->ipsec_in_action = ap;
1468 		break;	/* from switch */
1469 	}
1470 	return (ret);
1471 }
1472 
1473 static boolean_t
1474 spd_match_inbound_ids(ipsec_latch_t *ipl, ipsa_t *sa)
1475 {
1476 	ASSERT(ipl->ipl_ids_latched == B_TRUE);
1477 	return ipsid_equal(ipl->ipl_remote_cid, sa->ipsa_src_cid) &&
1478 	    ipsid_equal(ipl->ipl_local_cid, sa->ipsa_dst_cid);
1479 }
1480 
1481 /*
1482  * Called to check policy on a latched connection, both from this file
1483  * and from tcp.c
1484  */
1485 boolean_t
1486 ipsec_check_ipsecin_latch(ipsec_in_t *ii, mblk_t *mp, ipsec_latch_t *ipl,
1487     ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter)
1488 {
1489 	ASSERT(ipl->ipl_ids_latched == B_TRUE);
1490 
1491 	if ((ii->ipsec_in_ah_sa != NULL) &&
1492 	    (!spd_match_inbound_ids(ipl, ii->ipsec_in_ah_sa))) {
1493 		*counter = &ipdrops_spd_ah_badid;
1494 		*reason = "AH identity mismatch";
1495 		return (B_FALSE);
1496 	}
1497 
1498 	if ((ii->ipsec_in_esp_sa != NULL) &&
1499 	    (!spd_match_inbound_ids(ipl, ii->ipsec_in_esp_sa))) {
1500 		*counter = &ipdrops_spd_esp_badid;
1501 		*reason = "ESP identity mismatch";
1502 		return (B_FALSE);
1503 	}
1504 
1505 	return (ipsec_check_ipsecin_action(ii, mp, ipl->ipl_in_action,
1506 	    ipha, ip6h, reason, counter));
1507 }
1508 
1509 /*
1510  * Check to see whether this secured datagram meets the policy
1511  * constraints specified in ipsp.
1512  *
1513  * Called from ipsec_check_global_policy, and ipsec_check_inbound_policy.
1514  *
1515  * Consumes a reference to ipsp.
1516  */
1517 static mblk_t *
1518 ipsec_check_ipsecin_policy(queue_t *q, mblk_t *first_mp, ipsec_policy_t *ipsp,
1519     ipha_t *ipha, ip6_t *ip6h)
1520 {
1521 	ipsec_in_t *ii;
1522 	ipsec_action_t *ap;
1523 	const char *reason = "no policy actions found";
1524 	mblk_t *data_mp, *ipsec_mp;
1525 	kstat_named_t *counter = &ipdrops_spd_got_secure;
1526 
1527 	data_mp = first_mp->b_cont;
1528 	ipsec_mp = first_mp;
1529 
1530 	ASSERT(ipsp != NULL);
1531 
1532 	ASSERT((ipha == NULL && ip6h != NULL) ||
1533 	    (ip6h == NULL && ipha != NULL));
1534 
1535 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
1536 
1537 	if (ii->ipsec_in_loopback)
1538 		return (ipsec_check_loopback_policy(q, first_mp, B_TRUE, ipsp));
1539 
1540 	ASSERT(ii->ipsec_in_type == IPSEC_IN);
1541 	if (ii->ipsec_in_action != NULL) {
1542 		/*
1543 		 * this can happen if we do a double policy-check on a packet
1544 		 * Would be nice to be able to delete this test..
1545 		 */
1546 		IPACT_REFRELE(ii->ipsec_in_action);
1547 	}
1548 	ASSERT(ii->ipsec_in_action == NULL);
1549 
1550 	if (!SA_IDS_MATCH(ii->ipsec_in_ah_sa, ii->ipsec_in_esp_sa)) {
1551 		reason = "inbound AH and ESP identities differ";
1552 		counter = &ipdrops_spd_ahesp_diffid;
1553 		goto drop;
1554 	}
1555 
1556 	/*
1557 	 * Ok, now loop through the possible actions and see if any
1558 	 * of them work for us.
1559 	 */
1560 
1561 	for (ap = ipsp->ipsp_act; ap != NULL; ap = ap->ipa_next) {
1562 		if (ipsec_check_ipsecin_action(ii, data_mp, ap,
1563 		    ipha, ip6h, &reason, &counter)) {
1564 			BUMP_MIB(&ip_mib, ipsecInSucceeded);
1565 			IPPOL_REFRELE(ipsp);
1566 			return (first_mp);
1567 		}
1568 	}
1569 drop:
1570 	(void) mi_strlog(q, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
1571 	    "ipsec inbound policy mismatch: %s, packet dropped\n",
1572 	    reason);
1573 	IPPOL_REFRELE(ipsp);
1574 	ASSERT(ii->ipsec_in_action == NULL);
1575 	BUMP_MIB(&ip_mib, ipsecInFailed);
1576 	ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter, &spd_dropper);
1577 	return (NULL);
1578 }
1579 
1580 /*
1581  * sleazy prefix-length-based compare.
1582  * another inlining candidate..
1583  */
1584 static boolean_t
1585 ip_addr_match(uint8_t *addr1, int pfxlen, in6_addr_t *addr2p)
1586 {
1587 	int offset = pfxlen>>3;
1588 	int bitsleft = pfxlen & 7;
1589 	uint8_t *addr2 = (uint8_t *)addr2p;
1590 
1591 	/*
1592 	 * and there was much evil..
1593 	 * XXX should inline-expand the bcmp here and do this 32 bits
1594 	 * or 64 bits at a time..
1595 	 */
1596 	return ((bcmp(addr1, addr2, offset) == 0) &&
1597 	    ((bitsleft == 0) ||
1598 		(((addr1[offset] ^ addr2[offset]) &
1599 		    (0xff<<(8-bitsleft))) == 0)));
1600 }
1601 
1602 static ipsec_policy_t *
1603 ipsec_find_policy_chain(ipsec_policy_t *best, ipsec_policy_t *chain,
1604     ipsec_selector_t *sel, boolean_t is_icmp_inv_acq)
1605 {
1606 	ipsec_selkey_t *isel;
1607 	ipsec_policy_t *p;
1608 	int bpri = best ? best->ipsp_prio : 0;
1609 
1610 	for (p = chain; p != NULL; p = p->ipsp_hash.hash_next) {
1611 		uint32_t valid;
1612 
1613 		if (p->ipsp_prio <= bpri)
1614 			continue;
1615 		isel = &p->ipsp_sel->ipsl_key;
1616 		valid = isel->ipsl_valid;
1617 
1618 		if ((valid & IPSL_PROTOCOL) &&
1619 		    (isel->ipsl_proto != sel->ips_protocol))
1620 			continue;
1621 
1622 		if ((valid & IPSL_REMOTE_ADDR) &&
1623 		    !ip_addr_match((uint8_t *)&isel->ipsl_remote,
1624 			isel->ipsl_remote_pfxlen,
1625 			&sel->ips_remote_addr_v6))
1626 			continue;
1627 
1628 		if ((valid & IPSL_LOCAL_ADDR) &&
1629 		    !ip_addr_match((uint8_t *)&isel->ipsl_local,
1630 			isel->ipsl_local_pfxlen,
1631 			&sel->ips_local_addr_v6))
1632 			continue;
1633 
1634 		if ((valid & IPSL_REMOTE_PORT) &&
1635 		    isel->ipsl_rport != sel->ips_remote_port)
1636 			continue;
1637 
1638 		if ((valid & IPSL_LOCAL_PORT) &&
1639 		    isel->ipsl_lport != sel->ips_local_port)
1640 			continue;
1641 
1642 		if (!is_icmp_inv_acq) {
1643 			if ((valid & IPSL_ICMP_TYPE) &&
1644 			    (isel->ipsl_icmp_type > sel->ips_icmp_type ||
1645 			    isel->ipsl_icmp_type_end < sel->ips_icmp_type)) {
1646 				continue;
1647 			}
1648 
1649 			if ((valid & IPSL_ICMP_CODE) &&
1650 			    (isel->ipsl_icmp_code > sel->ips_icmp_code ||
1651 			    isel->ipsl_icmp_code_end <
1652 			    sel->ips_icmp_code)) {
1653 				continue;
1654 			}
1655 		} else {
1656 			/*
1657 			 * special case for icmp inverse acquire
1658 			 * we only want policies that aren't drop/pass
1659 			 */
1660 			if (p->ipsp_act->ipa_act.ipa_type != IPSEC_ACT_APPLY)
1661 				continue;
1662 		}
1663 
1664 		/* we matched all the packet-port-field selectors! */
1665 		best = p;
1666 		bpri = p->ipsp_prio;
1667 	}
1668 
1669 	return (best);
1670 }
1671 
1672 /*
1673  * Try to find and return the best policy entry under a given policy
1674  * root for a given set of selectors; the first parameter "best" is
1675  * the current best policy so far.  If "best" is non-null, we have a
1676  * reference to it.  We return a reference to a policy; if that policy
1677  * is not the original "best", we need to release that reference
1678  * before returning.
1679  */
1680 static ipsec_policy_t *
1681 ipsec_find_policy_head(ipsec_policy_t *best,
1682     ipsec_policy_head_t *head, int direction, ipsec_selector_t *sel,
1683     int selhash)
1684 {
1685 	ipsec_policy_t *curbest;
1686 	ipsec_policy_root_t *root;
1687 	uint8_t is_icmp_inv_acq = sel->ips_is_icmp_inv_acq;
1688 	int af = sel->ips_isv4 ? IPSEC_AF_V4 : IPSEC_AF_V6;
1689 
1690 	curbest = best;
1691 	root = &head->iph_root[direction];
1692 
1693 #ifdef DEBUG
1694 	if (is_icmp_inv_acq) {
1695 		if (sel->ips_isv4) {
1696 			if (sel->ips_protocol != IPPROTO_ICMP) {
1697 			    cmn_err(CE_WARN, "ipsec_find_policy_head:"
1698 			    " expecting icmp, got %d", sel->ips_protocol);
1699 			}
1700 		} else {
1701 			if (sel->ips_protocol != IPPROTO_ICMPV6) {
1702 				cmn_err(CE_WARN, "ipsec_find_policy_head:"
1703 				" expecting icmpv6, got %d", sel->ips_protocol);
1704 			}
1705 		}
1706 	}
1707 #endif
1708 
1709 	rw_enter(&head->iph_lock, RW_READER);
1710 
1711 	if (root->ipr_nchains > 0) {
1712 		curbest = ipsec_find_policy_chain(curbest,
1713 		    root->ipr_hash[selhash].hash_head, sel, is_icmp_inv_acq);
1714 	}
1715 	curbest = ipsec_find_policy_chain(curbest, root->ipr_nonhash[af], sel,
1716 	    is_icmp_inv_acq);
1717 
1718 	/*
1719 	 * Adjust reference counts if we found anything new.
1720 	 */
1721 	if (curbest != best) {
1722 		ASSERT(curbest != NULL);
1723 		IPPOL_REFHOLD(curbest);
1724 
1725 		if (best != NULL) {
1726 			IPPOL_REFRELE(best);
1727 		}
1728 	}
1729 
1730 	rw_exit(&head->iph_lock);
1731 
1732 	return (curbest);
1733 }
1734 
1735 /*
1736  * Find the best system policy (either global or per-interface) which
1737  * applies to the given selector; look in all the relevant policy roots
1738  * to figure out which policy wins.
1739  *
1740  * Returns a reference to a policy; caller must release this
1741  * reference when done.
1742  */
1743 ipsec_policy_t *
1744 ipsec_find_policy(int direction, conn_t *connp, ipsec_out_t *io,
1745     ipsec_selector_t *sel)
1746 {
1747 	ipsec_policy_t *p;
1748 	int selhash = selector_hash(sel);
1749 
1750 	p = ipsec_find_policy_head(NULL, &system_policy, direction, sel,
1751 	    selhash);
1752 	if ((connp != NULL) && (connp->conn_policy != NULL)) {
1753 		p = ipsec_find_policy_head(p, connp->conn_policy,
1754 		    direction, sel, selhash);
1755 	} else if ((io != NULL) && (io->ipsec_out_polhead != NULL)) {
1756 		p = ipsec_find_policy_head(p, io->ipsec_out_polhead,
1757 		    direction, sel, selhash);
1758 	}
1759 
1760 	return (p);
1761 }
1762 
1763 /*
1764  * Check with global policy and see whether this inbound
1765  * packet meets the policy constraints.
1766  *
1767  * Locate appropriate policy from global policy, supplemented by the
1768  * conn's configured and/or cached policy if the conn is supplied.
1769  *
1770  * Dispatch to ipsec_check_ipsecin_policy if we have policy and an
1771  * encrypted packet to see if they match.
1772  *
1773  * Otherwise, see if the policy allows cleartext; if not, drop it on the
1774  * floor.
1775  */
1776 mblk_t *
1777 ipsec_check_global_policy(mblk_t *first_mp, conn_t *connp,
1778     ipha_t *ipha, ip6_t *ip6h, boolean_t mctl_present)
1779 {
1780 	ipsec_policy_t *p;
1781 	ipsec_selector_t sel;
1782 	queue_t *q = NULL;
1783 	mblk_t *data_mp, *ipsec_mp;
1784 	boolean_t policy_present;
1785 	kstat_named_t *counter;
1786 
1787 	data_mp = mctl_present ? first_mp->b_cont : first_mp;
1788 	ipsec_mp = mctl_present ? first_mp : NULL;
1789 
1790 	sel.ips_is_icmp_inv_acq = 0;
1791 
1792 	ASSERT((ipha == NULL && ip6h != NULL) ||
1793 	    (ip6h == NULL && ipha != NULL));
1794 
1795 	if (ipha != NULL)
1796 		policy_present = ipsec_inbound_v4_policy_present;
1797 	else
1798 		policy_present = ipsec_inbound_v6_policy_present;
1799 
1800 	if (!policy_present && connp == NULL) {
1801 		/*
1802 		 * No global policy and no per-socket policy;
1803 		 * just pass it back (but we shouldn't get here in that case)
1804 		 */
1805 		return (first_mp);
1806 	}
1807 
1808 	if (connp != NULL)
1809 		q = CONNP_TO_WQ(connp);
1810 
1811 	if (ipsec_mp != NULL) {
1812 		ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
1813 		ASSERT(((ipsec_in_t *)ipsec_mp->b_rptr)->ipsec_in_type ==
1814 		    IPSEC_IN);
1815 	}
1816 
1817 	/*
1818 	 * If we have cached policy, use it.
1819 	 * Otherwise consult system policy.
1820 	 */
1821 	if ((connp != NULL) && (connp->conn_latch != NULL)) {
1822 		p = connp->conn_latch->ipl_in_policy;
1823 		if (p != NULL) {
1824 			IPPOL_REFHOLD(p);
1825 		}
1826 	} else {
1827 		/* Initialize the ports in the selector */
1828 		if (!ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h)) {
1829 			/*
1830 			 * Technically not a policy mismatch, but it is
1831 			 * an internal failure.
1832 			 */
1833 			ipsec_log_policy_failure(q, IPSEC_POLICY_MISMATCH,
1834 			    "ipsec_init_inbound_sel", ipha, ip6h, B_FALSE);
1835 			counter = &ipdrops_spd_nomem;
1836 			goto fail;
1837 		}
1838 
1839 		/*
1840 		 * Find the policy which best applies.
1841 		 *
1842 		 * If we find global policy, we should look at both
1843 		 * local policy and global policy and see which is
1844 		 * stronger and match accordingly.
1845 		 *
1846 		 * If we don't find a global policy, check with
1847 		 * local policy alone.
1848 		 */
1849 
1850 		p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, NULL, &sel);
1851 	}
1852 
1853 	if (p == NULL) {
1854 		if (ipsec_mp == NULL) {
1855 			/*
1856 			 * We have no policy; default to succeeding.
1857 			 * XXX paranoid system design doesn't do this.
1858 			 */
1859 			BUMP_MIB(&ip_mib, ipsecInSucceeded);
1860 			return (first_mp);
1861 		} else {
1862 			counter = &ipdrops_spd_got_secure;
1863 			ipsec_log_policy_failure(q, IPSEC_POLICY_NOT_NEEDED,
1864 			    "ipsec_check_global_policy", ipha, ip6h, B_TRUE);
1865 			goto fail;
1866 		}
1867 	}
1868 	if (ipsec_mp != NULL)
1869 		return (ipsec_check_ipsecin_policy(q, ipsec_mp, p, ipha, ip6h));
1870 	if (p->ipsp_act->ipa_allow_clear) {
1871 		BUMP_MIB(&ip_mib, ipsecInSucceeded);
1872 		IPPOL_REFRELE(p);
1873 		return (first_mp);
1874 	}
1875 	IPPOL_REFRELE(p);
1876 	/*
1877 	 * If we reach here, we will drop the packet because it failed the
1878 	 * global policy check because the packet was cleartext, and it
1879 	 * should not have been.
1880 	 */
1881 	ipsec_log_policy_failure(q, IPSEC_POLICY_MISMATCH,
1882 	    "ipsec_check_global_policy", ipha, ip6h, B_FALSE);
1883 	counter = &ipdrops_spd_got_clear;
1884 
1885 fail:
1886 	ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter, &spd_dropper);
1887 	BUMP_MIB(&ip_mib, ipsecInFailed);
1888 	return (NULL);
1889 }
1890 
1891 /*
1892  * We check whether an inbound datagram is a valid one
1893  * to accept in clear. If it is secure, it is the job
1894  * of IPSEC to log information appropriately if it
1895  * suspects that it may not be the real one.
1896  *
1897  * It is called only while fanning out to the ULP
1898  * where ULP accepts only secure data and the incoming
1899  * is clear. Usually we never accept clear datagrams in
1900  * such cases. ICMP is the only exception.
1901  *
1902  * NOTE : We don't call this function if the client (ULP)
1903  * is willing to accept things in clear.
1904  */
1905 boolean_t
1906 ipsec_inbound_accept_clear(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h)
1907 {
1908 	ushort_t iph_hdr_length;
1909 	icmph_t *icmph;
1910 	icmp6_t *icmp6;
1911 	uint8_t *nexthdrp;
1912 
1913 	ASSERT((ipha != NULL && ip6h == NULL) ||
1914 	    (ipha == NULL && ip6h != NULL));
1915 
1916 	if (ip6h != NULL) {
1917 		iph_hdr_length = ip_hdr_length_v6(mp, ip6h);
1918 		if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length,
1919 		    &nexthdrp)) {
1920 			return (B_FALSE);
1921 		}
1922 		if (*nexthdrp != IPPROTO_ICMPV6)
1923 			return (B_FALSE);
1924 		icmp6 = (icmp6_t *)(&mp->b_rptr[iph_hdr_length]);
1925 		/* Match IPv6 ICMP policy as closely as IPv4 as possible. */
1926 		switch (icmp6->icmp6_type) {
1927 		case ICMP6_PARAM_PROB:
1928 			/* Corresponds to port/proto unreach in IPv4. */
1929 		case ICMP6_ECHO_REQUEST:
1930 			/* Just like IPv4. */
1931 			return (B_FALSE);
1932 
1933 		case MLD_LISTENER_QUERY:
1934 		case MLD_LISTENER_REPORT:
1935 		case MLD_LISTENER_REDUCTION:
1936 			/*
1937 			 * XXX Seperate NDD in IPv4 what about here?
1938 			 * Plus, mcast is important to ND.
1939 			 */
1940 		case ICMP6_DST_UNREACH:
1941 			/* Corresponds to HOST/NET unreachable in IPv4. */
1942 		case ICMP6_PACKET_TOO_BIG:
1943 		case ICMP6_ECHO_REPLY:
1944 			/* These are trusted in IPv4. */
1945 		case ND_ROUTER_SOLICIT:
1946 		case ND_ROUTER_ADVERT:
1947 		case ND_NEIGHBOR_SOLICIT:
1948 		case ND_NEIGHBOR_ADVERT:
1949 		case ND_REDIRECT:
1950 			/* Trust ND messages for now. */
1951 		case ICMP6_TIME_EXCEEDED:
1952 		default:
1953 			return (B_TRUE);
1954 		}
1955 	} else {
1956 		/*
1957 		 * If it is not ICMP, fail this request.
1958 		 */
1959 		if (ipha->ipha_protocol != IPPROTO_ICMP)
1960 			return (B_FALSE);
1961 		iph_hdr_length = IPH_HDR_LENGTH(ipha);
1962 		icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
1963 		/*
1964 		 * It is an insecure icmp message. Check to see whether we are
1965 		 * willing to accept this one.
1966 		 */
1967 
1968 		switch (icmph->icmph_type) {
1969 		case ICMP_ECHO_REPLY:
1970 		case ICMP_TIME_STAMP_REPLY:
1971 		case ICMP_INFO_REPLY:
1972 		case ICMP_ROUTER_ADVERTISEMENT:
1973 			/*
1974 			 * We should not encourage clear replies if this
1975 			 * client expects secure. If somebody is replying
1976 			 * in clear some mailicious user watching both the
1977 			 * request and reply, can do chosen-plain-text attacks.
1978 			 * With global policy we might be just expecting secure
1979 			 * but sending out clear. We don't know what the right
1980 			 * thing is. We can't do much here as we can't control
1981 			 * the sender here. Till we are sure of what to do,
1982 			 * accept them.
1983 			 */
1984 			return (B_TRUE);
1985 		case ICMP_ECHO_REQUEST:
1986 		case ICMP_TIME_STAMP_REQUEST:
1987 		case ICMP_INFO_REQUEST:
1988 		case ICMP_ADDRESS_MASK_REQUEST:
1989 		case ICMP_ROUTER_SOLICITATION:
1990 		case ICMP_ADDRESS_MASK_REPLY:
1991 			/*
1992 			 * Don't accept this as somebody could be sending
1993 			 * us plain text to get encrypted data. If we reply,
1994 			 * it will lead to chosen plain text attack.
1995 			 */
1996 			return (B_FALSE);
1997 		case ICMP_DEST_UNREACHABLE:
1998 			switch (icmph->icmph_code) {
1999 			case ICMP_FRAGMENTATION_NEEDED:
2000 				/*
2001 				 * Be in sync with icmp_inbound, where we have
2002 				 * already set ire_max_frag.
2003 				 */
2004 				return (B_TRUE);
2005 			case ICMP_HOST_UNREACHABLE:
2006 			case ICMP_NET_UNREACHABLE:
2007 				/*
2008 				 * By accepting, we could reset a connection.
2009 				 * How do we solve the problem of some
2010 				 * intermediate router sending in-secure ICMP
2011 				 * messages ?
2012 				 */
2013 				return (B_TRUE);
2014 			case ICMP_PORT_UNREACHABLE:
2015 			case ICMP_PROTOCOL_UNREACHABLE:
2016 			default :
2017 				return (B_FALSE);
2018 			}
2019 		case ICMP_SOURCE_QUENCH:
2020 			/*
2021 			 * If this is an attack, TCP will slow start
2022 			 * because of this. Is it very harmful ?
2023 			 */
2024 			return (B_TRUE);
2025 		case ICMP_PARAM_PROBLEM:
2026 			return (B_FALSE);
2027 		case ICMP_TIME_EXCEEDED:
2028 			return (B_TRUE);
2029 		case ICMP_REDIRECT:
2030 			return (B_FALSE);
2031 		default :
2032 			return (B_FALSE);
2033 		}
2034 	}
2035 }
2036 
2037 void
2038 ipsec_latch_ids(ipsec_latch_t *ipl, ipsid_t *local, ipsid_t *remote)
2039 {
2040 	mutex_enter(&ipl->ipl_lock);
2041 
2042 	if (ipl->ipl_ids_latched) {
2043 		/* I lost, someone else got here before me */
2044 		mutex_exit(&ipl->ipl_lock);
2045 		return;
2046 	}
2047 
2048 	if (local != NULL)
2049 		IPSID_REFHOLD(local);
2050 	if (remote != NULL)
2051 		IPSID_REFHOLD(remote);
2052 
2053 	ipl->ipl_local_cid = local;
2054 	ipl->ipl_remote_cid = remote;
2055 	ipl->ipl_ids_latched = B_TRUE;
2056 	mutex_exit(&ipl->ipl_lock);
2057 }
2058 
2059 void
2060 ipsec_latch_inbound(ipsec_latch_t *ipl, ipsec_in_t *ii)
2061 {
2062 	ipsa_t *sa;
2063 
2064 	if (!ipl->ipl_ids_latched) {
2065 		ipsid_t *local = NULL;
2066 		ipsid_t *remote = NULL;
2067 
2068 		if (!ii->ipsec_in_loopback) {
2069 			if (ii->ipsec_in_esp_sa != NULL)
2070 				sa = ii->ipsec_in_esp_sa;
2071 			else
2072 				sa = ii->ipsec_in_ah_sa;
2073 			ASSERT(sa != NULL);
2074 			local = sa->ipsa_dst_cid;
2075 			remote = sa->ipsa_src_cid;
2076 		}
2077 		ipsec_latch_ids(ipl, local, remote);
2078 	}
2079 	ipl->ipl_in_action = ii->ipsec_in_action;
2080 	IPACT_REFHOLD(ipl->ipl_in_action);
2081 }
2082 
2083 /*
2084  * Check whether the policy constraints are met either for an
2085  * inbound datagram; called from IP in numerous places.
2086  *
2087  * Note that this is not a chokepoint for inbound policy checks;
2088  * see also ipsec_check_ipsecin_latch()
2089  */
2090 mblk_t *
2091 ipsec_check_inbound_policy(mblk_t *first_mp, conn_t *connp,
2092     ipha_t *ipha, ip6_t *ip6h, boolean_t mctl_present)
2093 {
2094 	ipsec_in_t *ii;
2095 	boolean_t ret;
2096 	mblk_t *mp = mctl_present ? first_mp->b_cont : first_mp;
2097 	mblk_t *ipsec_mp = mctl_present ? first_mp : NULL;
2098 	ipsec_latch_t *ipl;
2099 
2100 	ASSERT(connp != NULL);
2101 	ipl = connp->conn_latch;
2102 
2103 	if (ipsec_mp == NULL) {
2104 		/*
2105 		 * This is the case where the incoming datagram is
2106 		 * cleartext and we need to see whether this client
2107 		 * would like to receive such untrustworthy things from
2108 		 * the wire.
2109 		 */
2110 		ASSERT(mp != NULL);
2111 
2112 		if (ipl != NULL) {
2113 			/*
2114 			 * Policy is cached in the conn.
2115 			 */
2116 			if ((ipl->ipl_in_policy != NULL) &&
2117 			    (!ipl->ipl_in_policy->ipsp_act->ipa_allow_clear)) {
2118 				ret = ipsec_inbound_accept_clear(mp,
2119 				    ipha, ip6h);
2120 				if (ret) {
2121 					BUMP_MIB(&ip_mib, ipsecInSucceeded);
2122 					return (first_mp);
2123 				} else {
2124 					ip_drop_packet(first_mp, B_TRUE, NULL,
2125 					    NULL, &ipdrops_spd_got_clear,
2126 					    &spd_dropper);
2127 					ipsec_log_policy_failure(
2128 					    CONNP_TO_WQ(connp),
2129 					    IPSEC_POLICY_MISMATCH,
2130 					    "ipsec_check_inbound_policy", ipha,
2131 					    ip6h, B_FALSE);
2132 					BUMP_MIB(&ip_mib, ipsecInFailed);
2133 					return (NULL);
2134 				}
2135 			} else {
2136 				BUMP_MIB(&ip_mib, ipsecInSucceeded);
2137 				return (first_mp);
2138 			}
2139 		} else {
2140 			/*
2141 			 * As this is a non-hardbound connection we need
2142 			 * to look at both per-socket policy and global
2143 			 * policy. As this is cleartext, mark the mp as
2144 			 * M_DATA in case if it is an ICMP error being
2145 			 * reported before calling ipsec_check_global_policy
2146 			 * so that it does not mistake it for IPSEC_IN.
2147 			 */
2148 			uchar_t db_type = mp->b_datap->db_type;
2149 			mp->b_datap->db_type = M_DATA;
2150 			first_mp = ipsec_check_global_policy(first_mp, connp,
2151 			    ipha, ip6h, mctl_present);
2152 			if (first_mp != NULL)
2153 				mp->b_datap->db_type = db_type;
2154 			return (first_mp);
2155 		}
2156 	}
2157 	/*
2158 	 * If it is inbound check whether the attached message
2159 	 * is secure or not. We have a special case for ICMP,
2160 	 * where we have a IPSEC_IN message and the attached
2161 	 * message is not secure. See icmp_inbound_error_fanout
2162 	 * for details.
2163 	 */
2164 	ASSERT(ipsec_mp != NULL);
2165 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
2166 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
2167 
2168 	/*
2169 	 * mp->b_cont could be either a M_CTL message
2170 	 * for icmp errors being sent up or a M_DATA message.
2171 	 */
2172 	ASSERT(mp->b_datap->db_type == M_CTL ||
2173 	    mp->b_datap->db_type == M_DATA);
2174 
2175 	ASSERT(ii->ipsec_in_type == IPSEC_IN);
2176 
2177 	if (ipl == NULL) {
2178 		/*
2179 		 * We don't have policies cached in the conn's
2180 		 * for this stream. So, look at the global
2181 		 * policy. It will check against conn or global
2182 		 * depending on whichever is stronger.
2183 		 */
2184 		return (ipsec_check_global_policy(first_mp, connp,
2185 		    ipha, ip6h, mctl_present));
2186 	} else if (ipl->ipl_in_action != NULL) {
2187 		/* Policy is cached & latched; fast(er) path */
2188 		const char *reason;
2189 		kstat_named_t *counter;
2190 		if (ipsec_check_ipsecin_latch(ii, mp, ipl,
2191 		    ipha, ip6h, &reason, &counter)) {
2192 			BUMP_MIB(&ip_mib, ipsecInSucceeded);
2193 			return (first_mp);
2194 		}
2195 		(void) mi_strlog(CONNP_TO_WQ(connp), 0,
2196 		    SL_ERROR|SL_WARN|SL_CONSOLE,
2197 		    "ipsec inbound policy mismatch: %s, packet dropped\n",
2198 		    reason);
2199 		ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter,
2200 		    &spd_dropper);
2201 		BUMP_MIB(&ip_mib, ipsecInFailed);
2202 		return (NULL);
2203 	} else if (ipl->ipl_in_policy == NULL)
2204 		return (first_mp);
2205 
2206 	IPPOL_REFHOLD(ipl->ipl_in_policy);
2207 	first_mp = ipsec_check_ipsecin_policy(CONNP_TO_WQ(connp), first_mp,
2208 	    ipl->ipl_in_policy, ipha, ip6h);
2209 	/*
2210 	 * NOTE: ipsecIn{Failed,Succeeeded} bumped by
2211 	 * ipsec_check_ipsecin_policy().
2212 	 */
2213 	if (first_mp != NULL)
2214 		ipsec_latch_inbound(ipl, ii);
2215 	return (first_mp);
2216 }
2217 
2218 boolean_t
2219 ipsec_init_inbound_sel(ipsec_selector_t *sel, mblk_t *mp,
2220     ipha_t *ipha, ip6_t *ip6h)
2221 {
2222 	uint16_t *ports;
2223 	ushort_t hdr_len;
2224 	mblk_t *spare_mp = NULL;
2225 	uint8_t *nexthdrp;
2226 	uint8_t nexthdr;
2227 	uint8_t *typecode;
2228 	uint8_t check_proto;
2229 
2230 	ASSERT((ipha == NULL && ip6h != NULL) ||
2231 	    (ipha != NULL && ip6h == NULL));
2232 
2233 	if (ip6h != NULL) {
2234 		check_proto = IPPROTO_ICMPV6;
2235 		sel->ips_isv4 = B_FALSE;
2236 		sel->ips_local_addr_v6 = ip6h->ip6_dst;
2237 		sel->ips_remote_addr_v6 = ip6h->ip6_src;
2238 
2239 		nexthdr = ip6h->ip6_nxt;
2240 		switch (nexthdr) {
2241 		case IPPROTO_HOPOPTS:
2242 		case IPPROTO_ROUTING:
2243 		case IPPROTO_DSTOPTS:
2244 			/*
2245 			 * Use ip_hdr_length_nexthdr_v6().  And have a spare
2246 			 * mblk that's contiguous to feed it
2247 			 */
2248 			if ((spare_mp = msgpullup(mp, -1)) == NULL)
2249 				return (B_FALSE);
2250 			if (!ip_hdr_length_nexthdr_v6(spare_mp,
2251 			    (ip6_t *)spare_mp->b_rptr, &hdr_len, &nexthdrp)) {
2252 				/* Malformed packet - XXX ip_drop_packet()? */
2253 				freemsg(spare_mp);
2254 				return (B_FALSE);
2255 			}
2256 			nexthdr = *nexthdrp;
2257 			/* We can just extract based on hdr_len now. */
2258 			break;
2259 		default:
2260 			hdr_len = IPV6_HDR_LEN;
2261 			break;
2262 		}
2263 	} else {
2264 		check_proto = IPPROTO_ICMP;
2265 		sel->ips_isv4 = B_TRUE;
2266 		sel->ips_local_addr_v4 = ipha->ipha_dst;
2267 		sel->ips_remote_addr_v4 = ipha->ipha_src;
2268 		nexthdr = ipha->ipha_protocol;
2269 		hdr_len = IPH_HDR_LENGTH(ipha);
2270 	}
2271 	sel->ips_protocol = nexthdr;
2272 
2273 	if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
2274 	    nexthdr != IPPROTO_SCTP && nexthdr != check_proto) {
2275 		sel->ips_remote_port = sel->ips_local_port = 0;
2276 		freemsg(spare_mp);	/* Always works, even if NULL. */
2277 		return (B_TRUE);
2278 	}
2279 
2280 	if (&mp->b_rptr[hdr_len] + 4 > mp->b_wptr) {
2281 		/* If we didn't pullup a copy already, do so now. */
2282 		/*
2283 		 * XXX performance, will upper-layers frequently split TCP/UDP
2284 		 * apart from IP or options?  If so, perhaps we should revisit
2285 		 * the spare_mp strategy.
2286 		 */
2287 		if (spare_mp == NULL &&
2288 		    (spare_mp = msgpullup(mp, -1)) == NULL) {
2289 			return (B_FALSE);
2290 		}
2291 		ports = (uint16_t *)&spare_mp->b_rptr[hdr_len];
2292 	} else {
2293 		ports = (uint16_t *)&mp->b_rptr[hdr_len];
2294 	}
2295 
2296 	if (nexthdr == check_proto) {
2297 		typecode = (uint8_t *)ports;
2298 		sel->ips_icmp_type = *typecode++;
2299 		sel->ips_icmp_code = *typecode;
2300 		sel->ips_remote_port = sel->ips_local_port = 0;
2301 		freemsg(spare_mp);	/* Always works, even if NULL */
2302 		return (B_TRUE);
2303 	}
2304 
2305 	sel->ips_remote_port = *ports++;
2306 	sel->ips_local_port = *ports;
2307 	freemsg(spare_mp);	/* Always works, even if NULL */
2308 	return (B_TRUE);
2309 }
2310 
2311 static boolean_t
2312 ipsec_init_outbound_ports(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
2313     ip6_t *ip6h)
2314 {
2315 	/*
2316 	 * XXX cut&paste shared with ipsec_init_inbound_sel
2317 	 */
2318 	uint16_t *ports;
2319 	ushort_t hdr_len;
2320 	mblk_t *spare_mp = NULL;
2321 	uint8_t *nexthdrp;
2322 	uint8_t nexthdr;
2323 	uint8_t *typecode;
2324 	uint8_t check_proto;
2325 
2326 	ASSERT((ipha == NULL && ip6h != NULL) ||
2327 	    (ipha != NULL && ip6h == NULL));
2328 
2329 	if (ip6h != NULL) {
2330 		check_proto = IPPROTO_ICMPV6;
2331 		nexthdr = ip6h->ip6_nxt;
2332 		switch (nexthdr) {
2333 		case IPPROTO_HOPOPTS:
2334 		case IPPROTO_ROUTING:
2335 		case IPPROTO_DSTOPTS:
2336 			/*
2337 			 * Use ip_hdr_length_nexthdr_v6().  And have a spare
2338 			 * mblk that's contiguous to feed it
2339 			 */
2340 			spare_mp = msgpullup(mp, -1);
2341 			if (spare_mp == NULL ||
2342 			    !ip_hdr_length_nexthdr_v6(spare_mp,
2343 				(ip6_t *)spare_mp->b_rptr, &hdr_len,
2344 				&nexthdrp)) {
2345 				/* Always works, even if NULL. */
2346 				freemsg(spare_mp);
2347 				freemsg(mp);
2348 				return (B_FALSE);
2349 			} else {
2350 				nexthdr = *nexthdrp;
2351 				/* We can just extract based on hdr_len now. */
2352 			}
2353 			break;
2354 		default:
2355 			hdr_len = IPV6_HDR_LEN;
2356 			break;
2357 		}
2358 	} else {
2359 		check_proto = IPPROTO_ICMP;
2360 		hdr_len = IPH_HDR_LENGTH(ipha);
2361 		nexthdr = ipha->ipha_protocol;
2362 	}
2363 
2364 	sel->ips_protocol = nexthdr;
2365 	if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
2366 	    nexthdr != IPPROTO_SCTP && nexthdr != check_proto) {
2367 		sel->ips_local_port = sel->ips_remote_port = 0;
2368 		freemsg(spare_mp);  /* Always works, even if NULL. */
2369 		return (B_TRUE);
2370 	}
2371 
2372 	if (&mp->b_rptr[hdr_len] + 4 > mp->b_wptr) {
2373 		/* If we didn't pullup a copy already, do so now. */
2374 		/*
2375 		 * XXX performance, will upper-layers frequently split TCP/UDP
2376 		 * apart from IP or options?  If so, perhaps we should revisit
2377 		 * the spare_mp strategy.
2378 		 *
2379 		 * XXX should this be msgpullup(mp, hdr_len+4) ???
2380 		 */
2381 		if (spare_mp == NULL &&
2382 		    (spare_mp = msgpullup(mp, -1)) == NULL) {
2383 			freemsg(mp);
2384 			return (B_FALSE);
2385 		}
2386 		ports = (uint16_t *)&spare_mp->b_rptr[hdr_len];
2387 	} else {
2388 		ports = (uint16_t *)&mp->b_rptr[hdr_len];
2389 	}
2390 
2391 	if (nexthdr == check_proto) {
2392 		typecode = (uint8_t *)ports;
2393 		sel->ips_icmp_type = *typecode++;
2394 		sel->ips_icmp_code = *typecode;
2395 		sel->ips_remote_port = sel->ips_local_port = 0;
2396 		freemsg(spare_mp);	/* Always works, even if NULL */
2397 		return (B_TRUE);
2398 	}
2399 
2400 	sel->ips_local_port = *ports++;
2401 	sel->ips_remote_port = *ports;
2402 	freemsg(spare_mp);	/* Always works, even if NULL */
2403 	return (B_TRUE);
2404 }
2405 
2406 /*
2407  * Create an ipsec_action_t based on the way an inbound packet was protected.
2408  * Used to reflect traffic back to a sender.
2409  *
2410  * We don't bother interning the action into the hash table.
2411  */
2412 ipsec_action_t *
2413 ipsec_in_to_out_action(ipsec_in_t *ii)
2414 {
2415 	ipsa_t *ah_assoc, *esp_assoc;
2416 	uint_t auth_alg = 0, encr_alg = 0, espa_alg = 0;
2417 	ipsec_action_t *ap;
2418 	boolean_t unique;
2419 
2420 	ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);
2421 
2422 	if (ap == NULL)
2423 		return (NULL);
2424 
2425 	bzero(ap, sizeof (*ap));
2426 	HASH_NULL(ap, ipa_hash);
2427 	ap->ipa_next = NULL;
2428 	ap->ipa_refs = 1;
2429 
2430 	/*
2431 	 * Get the algorithms that were used for this packet.
2432 	 */
2433 	ap->ipa_act.ipa_type = IPSEC_ACT_APPLY;
2434 	ap->ipa_act.ipa_log = 0;
2435 	ah_assoc = ii->ipsec_in_ah_sa;
2436 	ap->ipa_act.ipa_apply.ipp_use_ah = (ah_assoc != NULL);
2437 
2438 	esp_assoc = ii->ipsec_in_esp_sa;
2439 	ap->ipa_act.ipa_apply.ipp_use_esp = (esp_assoc != NULL);
2440 
2441 	if (esp_assoc != NULL) {
2442 		encr_alg = esp_assoc->ipsa_encr_alg;
2443 		espa_alg = esp_assoc->ipsa_auth_alg;
2444 		ap->ipa_act.ipa_apply.ipp_use_espa = (espa_alg != 0);
2445 	}
2446 	if (ah_assoc != NULL)
2447 		auth_alg = ah_assoc->ipsa_auth_alg;
2448 
2449 	ap->ipa_act.ipa_apply.ipp_encr_alg = (uint8_t)encr_alg;
2450 	ap->ipa_act.ipa_apply.ipp_auth_alg = (uint8_t)auth_alg;
2451 	ap->ipa_act.ipa_apply.ipp_esp_auth_alg = (uint8_t)espa_alg;
2452 	ap->ipa_act.ipa_apply.ipp_use_se = ii->ipsec_in_decaps;
2453 	unique = B_FALSE;
2454 
2455 	if (esp_assoc != NULL) {
2456 		ap->ipa_act.ipa_apply.ipp_espa_minbits =
2457 		    esp_assoc->ipsa_authkeybits;
2458 		ap->ipa_act.ipa_apply.ipp_espa_maxbits =
2459 		    esp_assoc->ipsa_authkeybits;
2460 		ap->ipa_act.ipa_apply.ipp_espe_minbits =
2461 		    esp_assoc->ipsa_encrkeybits;
2462 		ap->ipa_act.ipa_apply.ipp_espe_maxbits =
2463 		    esp_assoc->ipsa_encrkeybits;
2464 		ap->ipa_act.ipa_apply.ipp_km_proto = esp_assoc->ipsa_kmp;
2465 		ap->ipa_act.ipa_apply.ipp_km_cookie = esp_assoc->ipsa_kmc;
2466 		if (esp_assoc->ipsa_flags & IPSA_F_UNIQUE)
2467 			unique = B_TRUE;
2468 	}
2469 	if (ah_assoc != NULL) {
2470 		ap->ipa_act.ipa_apply.ipp_ah_minbits =
2471 		    ah_assoc->ipsa_authkeybits;
2472 		ap->ipa_act.ipa_apply.ipp_ah_maxbits =
2473 		    ah_assoc->ipsa_authkeybits;
2474 		ap->ipa_act.ipa_apply.ipp_km_proto = ah_assoc->ipsa_kmp;
2475 		ap->ipa_act.ipa_apply.ipp_km_cookie = ah_assoc->ipsa_kmc;
2476 		if (ah_assoc->ipsa_flags & IPSA_F_UNIQUE)
2477 			unique = B_TRUE;
2478 	}
2479 	ap->ipa_act.ipa_apply.ipp_use_unique = unique;
2480 	ap->ipa_want_unique = unique;
2481 	ap->ipa_allow_clear = B_FALSE;
2482 	ap->ipa_want_se = ii->ipsec_in_decaps;
2483 	ap->ipa_want_ah = (ah_assoc != NULL);
2484 	ap->ipa_want_esp = (esp_assoc != NULL);
2485 
2486 	ap->ipa_ovhd = ipsec_act_ovhd(&ap->ipa_act);
2487 
2488 	ap->ipa_act.ipa_apply.ipp_replay_depth = 0; /* don't care */
2489 
2490 	return (ap);
2491 }
2492 
2493 
2494 /*
2495  * Compute the worst-case amount of extra space required by an action.
2496  * Note that, because of the ESP considerations listed below, this is
2497  * actually not the same as the best-case reduction in the MTU; in the
2498  * future, we should pass additional information to this function to
2499  * allow the actual MTU impact to be computed.
2500  *
2501  * AH: Revisit this if we implement algorithms with
2502  * a verifier size of more than 12 bytes.
2503  *
2504  * ESP: A more exact but more messy computation would take into
2505  * account the interaction between the cipher block size and the
2506  * effective MTU, yielding the inner payload size which reflects a
2507  * packet with *minimum* ESP padding..
2508  */
2509 static int32_t
2510 ipsec_act_ovhd(const ipsec_act_t *act)
2511 {
2512 	int32_t overhead = 0;
2513 
2514 	if (act->ipa_type == IPSEC_ACT_APPLY) {
2515 		const ipsec_prot_t *ipp = &act->ipa_apply;
2516 
2517 		if (ipp->ipp_use_ah)
2518 			overhead += IPSEC_MAX_AH_HDR_SIZE;
2519 		if (ipp->ipp_use_esp) {
2520 			overhead += IPSEC_MAX_ESP_HDR_SIZE;
2521 			overhead += sizeof (struct udphdr);
2522 		}
2523 		if (ipp->ipp_use_se)
2524 			overhead += IP_SIMPLE_HDR_LENGTH;
2525 	}
2526 	return (overhead);
2527 }
2528 
2529 /*
2530  * This hash function is used only when creating policies and thus is not
2531  * performance-critical for packet flows.
2532  *
2533  * Future work: canonicalize the structures hashed with this (i.e.,
2534  * zeroize padding) so the hash works correctly.
2535  */
2536 /* ARGSUSED */
2537 static uint32_t
2538 policy_hash(int size, const void *start, const void *end)
2539 {
2540 	return (0);
2541 }
2542 
2543 
2544 /*
2545  * Hash function macros for each address type.
2546  *
2547  * The IPV6 hash function assumes that the low order 32-bits of the
2548  * address (typically containing the low order 24 bits of the mac
2549  * address) are reasonably well-distributed.  Revisit this if we run
2550  * into trouble from lots of collisions on ::1 addresses and the like
2551  * (seems unlikely).
2552  */
2553 #define	IPSEC_IPV4_HASH(a) ((a) % ipsec_spd_hashsize)
2554 #define	IPSEC_IPV6_HASH(a) ((a.s6_addr32[3]) % ipsec_spd_hashsize)
2555 
2556 /*
2557  * These two hash functions should produce coordinated values
2558  * but have slightly different roles.
2559  */
2560 static uint32_t
2561 selkey_hash(const ipsec_selkey_t *selkey)
2562 {
2563 	uint32_t valid = selkey->ipsl_valid;
2564 
2565 	if (!(valid & IPSL_REMOTE_ADDR))
2566 		return (IPSEC_SEL_NOHASH);
2567 
2568 	if (valid & IPSL_IPV4) {
2569 		if (selkey->ipsl_remote_pfxlen == 32)
2570 			return (IPSEC_IPV4_HASH(selkey->ipsl_remote.ipsad_v4));
2571 	}
2572 	if (valid & IPSL_IPV6) {
2573 		if (selkey->ipsl_remote_pfxlen == 128)
2574 			return (IPSEC_IPV6_HASH(selkey->ipsl_remote.ipsad_v6));
2575 	}
2576 	return (IPSEC_SEL_NOHASH);
2577 }
2578 
2579 static uint32_t
2580 selector_hash(ipsec_selector_t *sel)
2581 {
2582 	if (sel->ips_isv4) {
2583 		return (IPSEC_IPV4_HASH(sel->ips_remote_addr_v4));
2584 	}
2585 	return (IPSEC_IPV6_HASH(sel->ips_remote_addr_v6));
2586 }
2587 
2588 /*
2589  * Intern actions into the action hash table.
2590  */
2591 ipsec_action_t *
2592 ipsec_act_find(const ipsec_act_t *a, int n)
2593 {
2594 	int i;
2595 	uint32_t hval;
2596 	ipsec_action_t *ap;
2597 	ipsec_action_t *prev = NULL;
2598 	int32_t overhead, maxovhd = 0;
2599 	boolean_t allow_clear = B_FALSE;
2600 	boolean_t want_ah = B_FALSE;
2601 	boolean_t want_esp = B_FALSE;
2602 	boolean_t want_se = B_FALSE;
2603 	boolean_t want_unique = B_FALSE;
2604 
2605 	/*
2606 	 * TODO: should canonicalize a[] (i.e., zeroize any padding)
2607 	 * so we can use a non-trivial policy_hash function.
2608 	 */
2609 	for (i = n-1; i >= 0; i--) {
2610 		hval = policy_hash(IPSEC_ACTION_HASH_SIZE, &a[i], &a[n]);
2611 
2612 		HASH_LOCK(ipsec_action_hash, hval);
2613 
2614 		for (HASH_ITERATE(ap, ipa_hash, ipsec_action_hash, hval)) {
2615 			if (bcmp(&ap->ipa_act, &a[i], sizeof (*a)) != 0)
2616 				continue;
2617 			if (ap->ipa_next != prev)
2618 				continue;
2619 			break;
2620 		}
2621 		if (ap != NULL) {
2622 			HASH_UNLOCK(ipsec_action_hash, hval);
2623 			prev = ap;
2624 			continue;
2625 		}
2626 		/*
2627 		 * need to allocate a new one..
2628 		 */
2629 		ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);
2630 		if (ap == NULL) {
2631 			HASH_UNLOCK(ipsec_action_hash, hval);
2632 			if (prev != NULL)
2633 				ipsec_action_free(prev);
2634 			return (NULL);
2635 		}
2636 		HASH_INSERT(ap, ipa_hash, ipsec_action_hash, hval);
2637 
2638 		ap->ipa_next = prev;
2639 		ap->ipa_act = a[i];
2640 
2641 		overhead = ipsec_act_ovhd(&a[i]);
2642 		if (maxovhd < overhead)
2643 			maxovhd = overhead;
2644 
2645 		if ((a[i].ipa_type == IPSEC_ACT_BYPASS) ||
2646 		    (a[i].ipa_type == IPSEC_ACT_CLEAR))
2647 			allow_clear = B_TRUE;
2648 		if (a[i].ipa_type == IPSEC_ACT_APPLY) {
2649 			const ipsec_prot_t *ipp = &a[i].ipa_apply;
2650 
2651 			ASSERT(ipp->ipp_use_ah || ipp->ipp_use_esp);
2652 			want_ah |= ipp->ipp_use_ah;
2653 			want_esp |= ipp->ipp_use_esp;
2654 			want_se |= ipp->ipp_use_se;
2655 			want_unique |= ipp->ipp_use_unique;
2656 		}
2657 		ap->ipa_allow_clear = allow_clear;
2658 		ap->ipa_want_ah = want_ah;
2659 		ap->ipa_want_esp = want_esp;
2660 		ap->ipa_want_se = want_se;
2661 		ap->ipa_want_unique = want_unique;
2662 		ap->ipa_refs = 1; /* from the hash table */
2663 		ap->ipa_ovhd = maxovhd;
2664 		if (prev)
2665 			prev->ipa_refs++;
2666 		prev = ap;
2667 		HASH_UNLOCK(ipsec_action_hash, hval);
2668 	}
2669 
2670 	ap->ipa_refs++;		/* caller's reference */
2671 
2672 	return (ap);
2673 }
2674 
2675 /*
2676  * Called when refcount goes to 0, indicating that all references to this
2677  * node are gone.
2678  *
2679  * This does not unchain the action from the hash table.
2680  */
2681 void
2682 ipsec_action_free(ipsec_action_t *ap)
2683 {
2684 	for (;;) {
2685 		ipsec_action_t *np = ap->ipa_next;
2686 		ASSERT(ap->ipa_refs == 0);
2687 		ASSERT(ap->ipa_hash.hash_pp == NULL);
2688 		kmem_cache_free(ipsec_action_cache, ap);
2689 		ap = np;
2690 		/* Inlined IPACT_REFRELE -- avoid recursion */
2691 		if (ap == NULL)
2692 			break;
2693 		membar_exit();
2694 		if (atomic_add_32_nv(&(ap)->ipa_refs, -1) != 0)
2695 			break;
2696 		/* End inlined IPACT_REFRELE */
2697 	}
2698 }
2699 
2700 /*
2701  * Periodically sweep action hash table for actions with refcount==1, and
2702  * nuke them.  We cannot do this "on demand" (i.e., from IPACT_REFRELE)
2703  * because we can't close the race between another thread finding the action
2704  * in the hash table without holding the bucket lock during IPACT_REFRELE.
2705  * Instead, we run this function sporadically to clean up after ourselves;
2706  * we also set it as the "reclaim" function for the action kmem_cache.
2707  *
2708  * Note that it may take several passes of ipsec_action_gc() to free all
2709  * "stale" actions.
2710  */
2711 /* ARGSUSED */
2712 static void
2713 ipsec_action_reclaim(void *dummy)
2714 {
2715 	int i;
2716 
2717 	for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) {
2718 		ipsec_action_t *ap, *np;
2719 
2720 		/* skip the lock if nobody home */
2721 		if (ipsec_action_hash[i].hash_head == NULL)
2722 			continue;
2723 
2724 		HASH_LOCK(ipsec_action_hash, i);
2725 		for (ap = ipsec_action_hash[i].hash_head;
2726 		    ap != NULL; ap = np) {
2727 			ASSERT(ap->ipa_refs > 0);
2728 			np = ap->ipa_hash.hash_next;
2729 			if (ap->ipa_refs > 1)
2730 				continue;
2731 			HASH_UNCHAIN(ap, ipa_hash, ipsec_action_hash, i);
2732 			IPACT_REFRELE(ap);
2733 		}
2734 		HASH_UNLOCK(ipsec_action_hash, i);
2735 	}
2736 }
2737 
2738 /*
2739  * Intern a selector set into the selector set hash table.
2740  * This is simpler than the actions case..
2741  */
2742 static ipsec_sel_t *
2743 ipsec_find_sel(ipsec_selkey_t *selkey)
2744 {
2745 	ipsec_sel_t *sp;
2746 	uint32_t hval, bucket;
2747 
2748 	/*
2749 	 * Exactly one AF bit should be set in selkey.
2750 	 */
2751 	ASSERT(!(selkey->ipsl_valid & IPSL_IPV4) ^
2752 	    !(selkey->ipsl_valid & IPSL_IPV6));
2753 
2754 	hval = selkey_hash(selkey);
2755 	selkey->ipsl_hval = hval;
2756 
2757 	bucket = (hval == IPSEC_SEL_NOHASH) ? 0 : hval;
2758 
2759 	ASSERT(!HASH_LOCKED(ipsec_sel_hash, bucket));
2760 	HASH_LOCK(ipsec_sel_hash, bucket);
2761 
2762 	for (HASH_ITERATE(sp, ipsl_hash, ipsec_sel_hash, bucket)) {
2763 		if (bcmp(&sp->ipsl_key, selkey, sizeof (*selkey)) == 0)
2764 			break;
2765 	}
2766 	if (sp != NULL) {
2767 		sp->ipsl_refs++;
2768 
2769 		HASH_UNLOCK(ipsec_sel_hash, bucket);
2770 		return (sp);
2771 	}
2772 
2773 	sp = kmem_cache_alloc(ipsec_sel_cache, KM_NOSLEEP);
2774 	if (sp == NULL) {
2775 		HASH_UNLOCK(ipsec_sel_hash, bucket);
2776 		return (NULL);
2777 	}
2778 
2779 	HASH_INSERT(sp, ipsl_hash, ipsec_sel_hash, bucket);
2780 	sp->ipsl_refs = 2;	/* one for hash table, one for caller */
2781 	sp->ipsl_key = *selkey;
2782 
2783 	HASH_UNLOCK(ipsec_sel_hash, bucket);
2784 
2785 	return (sp);
2786 }
2787 
2788 static void
2789 ipsec_sel_rel(ipsec_sel_t **spp)
2790 {
2791 	ipsec_sel_t *sp = *spp;
2792 	int hval = sp->ipsl_key.ipsl_hval;
2793 	*spp = NULL;
2794 
2795 	if (hval == IPSEC_SEL_NOHASH)
2796 		hval = 0;
2797 
2798 	ASSERT(!HASH_LOCKED(ipsec_sel_hash, hval));
2799 	HASH_LOCK(ipsec_sel_hash, hval);
2800 	if (--sp->ipsl_refs == 1) {
2801 		HASH_UNCHAIN(sp, ipsl_hash, ipsec_sel_hash, hval);
2802 		sp->ipsl_refs--;
2803 		HASH_UNLOCK(ipsec_sel_hash, hval);
2804 		ASSERT(sp->ipsl_refs == 0);
2805 		kmem_cache_free(ipsec_sel_cache, sp);
2806 		/* Caller unlocks */
2807 		return;
2808 	}
2809 
2810 	HASH_UNLOCK(ipsec_sel_hash, hval);
2811 }
2812 
2813 /*
2814  * Free a policy rule which we know is no longer being referenced.
2815  */
2816 void
2817 ipsec_policy_free(ipsec_policy_t *ipp)
2818 {
2819 	ASSERT(ipp->ipsp_refs == 0);
2820 	ASSERT(ipp->ipsp_sel != NULL);
2821 	ASSERT(ipp->ipsp_act != NULL);
2822 	ipsec_sel_rel(&ipp->ipsp_sel);
2823 	IPACT_REFRELE(ipp->ipsp_act);
2824 	kmem_cache_free(ipsec_pol_cache, ipp);
2825 }
2826 
2827 /*
2828  * Construction of new policy rules; construct a policy, and add it to
2829  * the appropriate tables.
2830  */
2831 ipsec_policy_t *
2832 ipsec_policy_create(ipsec_selkey_t *keys, const ipsec_act_t *a,
2833     int nacts, int prio)
2834 {
2835 	ipsec_action_t *ap;
2836 	ipsec_sel_t *sp;
2837 	ipsec_policy_t *ipp;
2838 
2839 	ipp = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);
2840 	ap = ipsec_act_find(a, nacts);
2841 	sp = ipsec_find_sel(keys);
2842 
2843 	if ((ap == NULL) || (sp == NULL) || (ipp == NULL)) {
2844 		if (ap != NULL) {
2845 			IPACT_REFRELE(ap);
2846 		}
2847 		if (sp != NULL)
2848 			ipsec_sel_rel(&sp);
2849 		if (ipp != NULL)
2850 			kmem_cache_free(ipsec_pol_cache, ipp);
2851 		return (NULL);
2852 	}
2853 
2854 	HASH_NULL(ipp, ipsp_hash);
2855 
2856 	ipp->ipsp_refs = 1;	/* caller's reference */
2857 	ipp->ipsp_sel = sp;
2858 	ipp->ipsp_act = ap;
2859 	ipp->ipsp_prio = prio;	/* rule priority */
2860 	ipp->ipsp_index = ipsec_next_policy_index++;
2861 
2862 	return (ipp);
2863 }
2864 
2865 static void
2866 ipsec_update_present_flags()
2867 {
2868 	boolean_t hashpol = (avl_numnodes(&system_policy.iph_rulebyid) > 0);
2869 
2870 	if (hashpol) {
2871 		ipsec_outbound_v4_policy_present = B_TRUE;
2872 		ipsec_outbound_v6_policy_present = B_TRUE;
2873 		ipsec_inbound_v4_policy_present = B_TRUE;
2874 		ipsec_inbound_v6_policy_present = B_TRUE;
2875 		return;
2876 	}
2877 
2878 	ipsec_outbound_v4_policy_present = (NULL !=
2879 	    system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
2880 	    ipr_nonhash[IPSEC_AF_V4]);
2881 	ipsec_outbound_v6_policy_present = (NULL !=
2882 	    system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
2883 	    ipr_nonhash[IPSEC_AF_V6]);
2884 	ipsec_inbound_v4_policy_present = (NULL !=
2885 	    system_policy.iph_root[IPSEC_TYPE_INBOUND].
2886 	    ipr_nonhash[IPSEC_AF_V4]);
2887 	ipsec_inbound_v6_policy_present = (NULL !=
2888 	    system_policy.iph_root[IPSEC_TYPE_INBOUND].
2889 	    ipr_nonhash[IPSEC_AF_V6]);
2890 }
2891 
2892 boolean_t
2893 ipsec_policy_delete(ipsec_policy_head_t *php, ipsec_selkey_t *keys, int dir)
2894 {
2895 	ipsec_sel_t *sp;
2896 	ipsec_policy_t *ip, *nip, *head;
2897 	int af;
2898 	ipsec_policy_root_t *pr = &php->iph_root[dir];
2899 
2900 	sp = ipsec_find_sel(keys);
2901 
2902 	if (sp == NULL)
2903 		return (B_FALSE);
2904 
2905 	af = (sp->ipsl_key.ipsl_valid & IPSL_IPV4) ? IPSEC_AF_V4 : IPSEC_AF_V6;
2906 
2907 	rw_enter(&php->iph_lock, RW_WRITER);
2908 
2909 	if (keys->ipsl_hval == IPSEC_SEL_NOHASH) {
2910 		head = pr->ipr_nonhash[af];
2911 	} else {
2912 		head = pr->ipr_hash[keys->ipsl_hval].hash_head;
2913 	}
2914 
2915 	for (ip = head; ip != NULL; ip = nip) {
2916 		nip = ip->ipsp_hash.hash_next;
2917 		if (ip->ipsp_sel != sp) {
2918 			continue;
2919 		}
2920 
2921 		IPPOL_UNCHAIN(php, ip);
2922 
2923 		php->iph_gen++;
2924 		ipsec_update_present_flags();
2925 
2926 		rw_exit(&php->iph_lock);
2927 
2928 		ipsec_sel_rel(&sp);
2929 
2930 		return (B_TRUE);
2931 	}
2932 
2933 	rw_exit(&php->iph_lock);
2934 	ipsec_sel_rel(&sp);
2935 	return (B_FALSE);
2936 }
2937 
2938 int
2939 ipsec_policy_delete_index(ipsec_policy_head_t *php, uint64_t policy_index)
2940 {
2941 	boolean_t found = B_FALSE;
2942 	ipsec_policy_t ipkey;
2943 	ipsec_policy_t *ip;
2944 	avl_index_t where;
2945 
2946 	(void) memset(&ipkey, 0, sizeof (ipkey));
2947 	ipkey.ipsp_index = policy_index;
2948 
2949 	rw_enter(&php->iph_lock, RW_WRITER);
2950 
2951 	/*
2952 	 * We could be cleverer here about the walk.
2953 	 * but well, (k+1)*log(N) will do for now (k==number of matches,
2954 	 * N==number of table entries
2955 	 */
2956 	for (;;) {
2957 		ip = (ipsec_policy_t *)avl_find(&php->iph_rulebyid,
2958 		    (void *)&ipkey, &where);
2959 		ASSERT(ip == NULL);
2960 
2961 		ip = avl_nearest(&php->iph_rulebyid, where, AVL_AFTER);
2962 
2963 		if (ip == NULL)
2964 			break;
2965 
2966 		if (ip->ipsp_index != policy_index) {
2967 			ASSERT(ip->ipsp_index > policy_index);
2968 			break;
2969 		}
2970 
2971 		IPPOL_UNCHAIN(php, ip);
2972 		found = B_TRUE;
2973 	}
2974 
2975 	if (found) {
2976 		php->iph_gen++;
2977 		ipsec_update_present_flags();
2978 	}
2979 
2980 	rw_exit(&php->iph_lock);
2981 
2982 	return (found ? 0 : ENOENT);
2983 }
2984 
2985 /*
2986  * Given a constructed ipsec_policy_t policy rule, see if it can be entered
2987  * into the correct policy ruleset.
2988  *
2989  * Returns B_TRUE if it can be entered, B_FALSE if it can't be (because a
2990  * duplicate policy exists with exactly the same selectors), or an icmp
2991  * rule exists with a different encryption/authentication action.
2992  */
2993 boolean_t
2994 ipsec_check_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction)
2995 {
2996 	ipsec_policy_root_t *pr = &php->iph_root[direction];
2997 	int af = -1;
2998 	ipsec_policy_t *p2, *head;
2999 	uint8_t check_proto;
3000 	ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
3001 	uint32_t	valid = selkey->ipsl_valid;
3002 
3003 	if (valid & IPSL_IPV6) {
3004 		ASSERT(!(valid & IPSL_IPV4));
3005 		af = IPSEC_AF_V6;
3006 		check_proto = IPPROTO_ICMPV6;
3007 	} else {
3008 		ASSERT(valid & IPSL_IPV4);
3009 		af = IPSEC_AF_V4;
3010 		check_proto = IPPROTO_ICMP;
3011 	}
3012 
3013 	ASSERT(RW_WRITE_HELD(&php->iph_lock));
3014 
3015 	/*
3016 	 * Double-check that we don't have any duplicate selectors here.
3017 	 * Because selectors are interned below, we need only compare pointers
3018 	 * for equality.
3019 	 */
3020 	if (selkey->ipsl_hval == IPSEC_SEL_NOHASH) {
3021 		head = pr->ipr_nonhash[af];
3022 	} else {
3023 		head = pr->ipr_hash[selkey->ipsl_hval].hash_head;
3024 	}
3025 
3026 	for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {
3027 		if (p2->ipsp_sel == ipp->ipsp_sel)
3028 			return (B_FALSE);
3029 	}
3030 
3031 	/*
3032 	 * If it's ICMP and not a drop or pass rule, run through the ICMP
3033 	 * rules and make sure the action is either new or the same as any
3034 	 * other actions.  We don't have to check the full chain because
3035 	 * discard and bypass will override all other actions
3036 	 */
3037 
3038 	if (valid & IPSL_PROTOCOL &&
3039 	    selkey->ipsl_proto == check_proto &&
3040 	    (ipp->ipsp_act->ipa_act.ipa_type == IPSEC_ACT_APPLY)) {
3041 
3042 		for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {
3043 
3044 			if (p2->ipsp_sel->ipsl_key.ipsl_valid & IPSL_PROTOCOL &&
3045 			    p2->ipsp_sel->ipsl_key.ipsl_proto == check_proto &&
3046 			    (p2->ipsp_act->ipa_act.ipa_type ==
3047 				IPSEC_ACT_APPLY)) {
3048 				return (ipsec_compare_action(p2, ipp));
3049 			}
3050 		}
3051 	}
3052 
3053 	return (B_TRUE);
3054 }
3055 
3056 /*
3057  * compare the action chains of two policies for equality
3058  * B_TRUE -> effective equality
3059  */
3060 
3061 static boolean_t
3062 ipsec_compare_action(ipsec_policy_t *p1, ipsec_policy_t *p2)
3063 {
3064 
3065 	ipsec_action_t *act1, *act2;
3066 
3067 	/* We have a valid rule. Let's compare the actions */
3068 	if (p1->ipsp_act == p2->ipsp_act) {
3069 		/* same action. We are good */
3070 		return (B_TRUE);
3071 	}
3072 
3073 	/* we have to walk the chain */
3074 
3075 	act1 = p1->ipsp_act;
3076 	act2 = p2->ipsp_act;
3077 
3078 	while (act1 != NULL && act2 != NULL) {
3079 
3080 		/* otherwise, Are we close enough? */
3081 		if (act1->ipa_allow_clear != act2->ipa_allow_clear ||
3082 		    act1->ipa_want_ah != act2->ipa_want_ah ||
3083 		    act1->ipa_want_esp != act2->ipa_want_esp ||
3084 		    act1->ipa_want_se != act2->ipa_want_se) {
3085 			/* Nope, we aren't */
3086 			return (B_FALSE);
3087 		}
3088 
3089 		if (act1->ipa_want_ah) {
3090 			if (act1->ipa_act.ipa_apply.ipp_auth_alg !=
3091 			    act2->ipa_act.ipa_apply.ipp_auth_alg) {
3092 				return (B_FALSE);
3093 			}
3094 
3095 			if (act1->ipa_act.ipa_apply.ipp_ah_minbits !=
3096 			    act2->ipa_act.ipa_apply.ipp_ah_minbits ||
3097 			    act1->ipa_act.ipa_apply.ipp_ah_maxbits !=
3098 			    act2->ipa_act.ipa_apply.ipp_ah_maxbits) {
3099 				return (B_FALSE);
3100 			}
3101 		}
3102 
3103 		if (act1->ipa_want_esp) {
3104 			if (act1->ipa_act.ipa_apply.ipp_use_esp !=
3105 			    act2->ipa_act.ipa_apply.ipp_use_esp ||
3106 			    act1->ipa_act.ipa_apply.ipp_use_espa !=
3107 			    act2->ipa_act.ipa_apply.ipp_use_espa) {
3108 				return (B_FALSE);
3109 			}
3110 
3111 			if (act1->ipa_act.ipa_apply.ipp_use_esp) {
3112 				if (act1->ipa_act.ipa_apply.ipp_encr_alg !=
3113 				    act2->ipa_act.ipa_apply.ipp_encr_alg) {
3114 					return (B_FALSE);
3115 				}
3116 
3117 				if (act1->ipa_act.ipa_apply.ipp_espe_minbits !=
3118 				    act2->ipa_act.ipa_apply.ipp_espe_minbits ||
3119 				    act1->ipa_act.ipa_apply.ipp_espe_maxbits !=
3120 				    act2->ipa_act.ipa_apply.ipp_espe_maxbits) {
3121 					return (B_FALSE);
3122 				}
3123 			}
3124 
3125 			if (act1->ipa_act.ipa_apply.ipp_use_espa) {
3126 				if (act1->ipa_act.ipa_apply.ipp_esp_auth_alg !=
3127 				    act2->ipa_act.ipa_apply.ipp_esp_auth_alg) {
3128 					return (B_FALSE);
3129 				}
3130 
3131 				if (act1->ipa_act.ipa_apply.ipp_espa_minbits !=
3132 				    act2->ipa_act.ipa_apply.ipp_espa_minbits ||
3133 				    act1->ipa_act.ipa_apply.ipp_espa_maxbits !=
3134 				    act2->ipa_act.ipa_apply.ipp_espa_maxbits) {
3135 					return (B_FALSE);
3136 				}
3137 			}
3138 
3139 		}
3140 
3141 		act1 = act1->ipa_next;
3142 		act2 = act2->ipa_next;
3143 	}
3144 
3145 	if (act1 != NULL || act2 != NULL) {
3146 		return (B_FALSE);
3147 	}
3148 
3149 	return (B_TRUE);
3150 }
3151 
3152 
3153 /*
3154  * Given a constructed ipsec_policy_t policy rule, enter it into
3155  * the correct policy ruleset.
3156  *
3157  * ipsec_check_policy() is assumed to have succeeded first (to check for
3158  * duplicates).
3159  */
3160 void
3161 ipsec_enter_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction)
3162 {
3163 	ipsec_policy_root_t *pr = &php->iph_root[direction];
3164 	ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
3165 	uint32_t valid = selkey->ipsl_valid;
3166 	uint32_t hval = selkey->ipsl_hval;
3167 	int af = -1;
3168 
3169 	ASSERT(RW_WRITE_HELD(&php->iph_lock));
3170 
3171 	if (valid & IPSL_IPV6) {
3172 		ASSERT(!(valid & IPSL_IPV4));
3173 		af = IPSEC_AF_V6;
3174 	} else {
3175 		ASSERT(valid & IPSL_IPV4);
3176 		af = IPSEC_AF_V4;
3177 	}
3178 
3179 	php->iph_gen++;
3180 
3181 	if (hval == IPSEC_SEL_NOHASH) {
3182 		HASHLIST_INSERT(ipp, ipsp_hash, pr->ipr_nonhash[af]);
3183 	} else {
3184 		HASH_LOCK(pr->ipr_hash, hval);
3185 		HASH_INSERT(ipp, ipsp_hash, pr->ipr_hash, hval);
3186 		HASH_UNLOCK(pr->ipr_hash, hval);
3187 	}
3188 
3189 	ipsec_insert_always(&php->iph_rulebyid, ipp);
3190 
3191 	ipsec_update_present_flags();
3192 }
3193 
3194 static void
3195 ipsec_ipr_flush(ipsec_policy_head_t *php, ipsec_policy_root_t *ipr)
3196 {
3197 	ipsec_policy_t *ip, *nip;
3198 
3199 	int af, chain, nchain;
3200 
3201 	for (af = 0; af < IPSEC_NAF; af++) {
3202 		for (ip = ipr->ipr_nonhash[af]; ip != NULL; ip = nip) {
3203 			nip = ip->ipsp_hash.hash_next;
3204 			IPPOL_UNCHAIN(php, ip);
3205 		}
3206 		ipr->ipr_nonhash[af] = NULL;
3207 	}
3208 	nchain = ipr->ipr_nchains;
3209 
3210 	for (chain = 0; chain < nchain; chain++) {
3211 		for (ip = ipr->ipr_hash[chain].hash_head; ip != NULL;
3212 		    ip = nip) {
3213 			nip = ip->ipsp_hash.hash_next;
3214 			IPPOL_UNCHAIN(php, ip);
3215 		}
3216 		ipr->ipr_hash[chain].hash_head = NULL;
3217 	}
3218 }
3219 
3220 
3221 void
3222 ipsec_polhead_flush(ipsec_policy_head_t *php)
3223 {
3224 	int dir;
3225 
3226 	ASSERT(RW_WRITE_HELD(&php->iph_lock));
3227 
3228 	for (dir = 0; dir < IPSEC_NTYPES; dir++)
3229 		ipsec_ipr_flush(php, &php->iph_root[dir]);
3230 
3231 	ipsec_update_present_flags();
3232 }
3233 
3234 void
3235 ipsec_polhead_free(ipsec_policy_head_t *php)
3236 {
3237 	ASSERT(php->iph_refs == 0);
3238 	rw_enter(&php->iph_lock, RW_WRITER);
3239 	ipsec_polhead_flush(php);
3240 	rw_exit(&php->iph_lock);
3241 	rw_destroy(&php->iph_lock);
3242 	kmem_free(php, sizeof (*php));
3243 }
3244 
3245 static void
3246 ipsec_ipr_init(ipsec_policy_root_t *ipr)
3247 {
3248 	int af;
3249 
3250 	ipr->ipr_nchains = 0;
3251 	ipr->ipr_hash = NULL;
3252 
3253 	for (af = 0; af < IPSEC_NAF; af++) {
3254 		ipr->ipr_nonhash[af] = NULL;
3255 	}
3256 }
3257 
3258 extern ipsec_policy_head_t *
3259 ipsec_polhead_create(void)
3260 {
3261 	ipsec_policy_head_t *php;
3262 
3263 	php = kmem_alloc(sizeof (*php), KM_NOSLEEP);
3264 	if (php == NULL)
3265 		return (php);
3266 
3267 	rw_init(&php->iph_lock, NULL, RW_DEFAULT, NULL);
3268 	php->iph_refs = 1;
3269 	php->iph_gen = 0;
3270 
3271 	ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_INBOUND]);
3272 	ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_OUTBOUND]);
3273 
3274 	avl_create(&php->iph_rulebyid, ipsec_policy_cmpbyid,
3275 	    sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid));
3276 
3277 	return (php);
3278 }
3279 
3280 /*
3281  * Clone the policy head into a new polhead; release one reference to the
3282  * old one and return the only reference to the new one.
3283  * If the old one had a refcount of 1, just return it.
3284  */
3285 extern ipsec_policy_head_t *
3286 ipsec_polhead_split(ipsec_policy_head_t *php)
3287 {
3288 	ipsec_policy_head_t *nphp;
3289 
3290 	if (php == NULL)
3291 		return (ipsec_polhead_create());
3292 	else if (php->iph_refs == 1)
3293 		return (php);
3294 
3295 	nphp = ipsec_polhead_create();
3296 	if (nphp == NULL)
3297 		return (NULL);
3298 
3299 	if (ipsec_copy_polhead(php, nphp) != 0) {
3300 		ipsec_polhead_free(nphp);
3301 		return (NULL);
3302 	}
3303 	IPPH_REFRELE(php);
3304 	return (nphp);
3305 }
3306 
3307 /*
3308  * When sending a response to a ICMP request or generating a RST
3309  * in the TCP case, the outbound packets need to go at the same level
3310  * of protection as the incoming ones i.e we associate our outbound
3311  * policy with how the packet came in. We call this after we have
3312  * accepted the incoming packet which may or may not have been in
3313  * clear and hence we are sending the reply back with the policy
3314  * matching the incoming datagram's policy.
3315  *
3316  * NOTE : This technology serves two purposes :
3317  *
3318  * 1) If we have multiple outbound policies, we send out a reply
3319  *    matching with how it came in rather than matching the outbound
3320  *    policy.
3321  *
3322  * 2) For assymetric policies, we want to make sure that incoming
3323  *    and outgoing has the same level of protection. Assymetric
3324  *    policies exist only with global policy where we may not have
3325  *    both outbound and inbound at the same time.
3326  *
3327  * NOTE2:	This function is called by cleartext cases, so it needs to be
3328  *		in IP proper.
3329  */
3330 boolean_t
3331 ipsec_in_to_out(mblk_t *ipsec_mp, ipha_t *ipha, ip6_t *ip6h)
3332 {
3333 	ipsec_in_t  *ii;
3334 	ipsec_out_t  *io;
3335 	boolean_t v4;
3336 	mblk_t *mp;
3337 	boolean_t secure, attach_if;
3338 	uint_t ifindex;
3339 	ipsec_selector_t sel;
3340 	ipsec_action_t *reflect_action = NULL;
3341 	zoneid_t zoneid;
3342 
3343 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
3344 
3345 	bzero((void*)&sel, sizeof (sel));
3346 
3347 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
3348 
3349 	mp = ipsec_mp->b_cont;
3350 	ASSERT(mp != NULL);
3351 
3352 	if (ii->ipsec_in_action != NULL) {
3353 		/* transfer reference.. */
3354 		reflect_action = ii->ipsec_in_action;
3355 		ii->ipsec_in_action = NULL;
3356 	} else if (!ii->ipsec_in_loopback)
3357 		reflect_action = ipsec_in_to_out_action(ii);
3358 	secure = ii->ipsec_in_secure;
3359 	attach_if = ii->ipsec_in_attach_if;
3360 	ifindex = ii->ipsec_in_ill_index;
3361 	zoneid = ii->ipsec_in_zoneid;
3362 	v4 = ii->ipsec_in_v4;
3363 
3364 	ipsec_in_release_refs(ii);
3365 
3366 	/*
3367 	 * The caller is going to send the datagram out which might
3368 	 * go on the wire or delivered locally through ip_wput_local.
3369 	 *
3370 	 * 1) If it goes out on the wire, new associations will be
3371 	 *    obtained.
3372 	 * 2) If it is delivered locally, ip_wput_local will convert
3373 	 *    this IPSEC_OUT to a IPSEC_IN looking at the requests.
3374 	 */
3375 
3376 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
3377 	bzero(io, sizeof (ipsec_out_t));
3378 	io->ipsec_out_type = IPSEC_OUT;
3379 	io->ipsec_out_len = sizeof (ipsec_out_t);
3380 	io->ipsec_out_frtn.free_func = ipsec_out_free;
3381 	io->ipsec_out_frtn.free_arg = (char *)io;
3382 	io->ipsec_out_act = reflect_action;
3383 
3384 	if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h))
3385 		return (B_FALSE);
3386 
3387 	io->ipsec_out_src_port = sel.ips_local_port;
3388 	io->ipsec_out_dst_port = sel.ips_remote_port;
3389 	io->ipsec_out_proto = sel.ips_protocol;
3390 	io->ipsec_out_icmp_type = sel.ips_icmp_type;
3391 	io->ipsec_out_icmp_code = sel.ips_icmp_code;
3392 
3393 	/*
3394 	 * Don't use global policy for this, as we want
3395 	 * to use the same protection that was applied to the inbound packet.
3396 	 */
3397 	io->ipsec_out_use_global_policy = B_FALSE;
3398 	io->ipsec_out_proc_begin = B_FALSE;
3399 	io->ipsec_out_secure = secure;
3400 	io->ipsec_out_v4 = v4;
3401 	io->ipsec_out_attach_if = attach_if;
3402 	io->ipsec_out_ill_index = ifindex;
3403 	io->ipsec_out_zoneid = zoneid;
3404 	return (B_TRUE);
3405 }
3406 
3407 mblk_t *
3408 ipsec_in_tag(mblk_t *mp, mblk_t *cont)
3409 {
3410 	ipsec_in_t *ii = (ipsec_in_t *)mp->b_rptr;
3411 	ipsec_in_t *nii;
3412 	mblk_t *nmp;
3413 	frtn_t nfrtn;
3414 
3415 	ASSERT(ii->ipsec_in_type == IPSEC_IN);
3416 	ASSERT(ii->ipsec_in_len == sizeof (ipsec_in_t));
3417 
3418 	nmp = ipsec_in_alloc(ii->ipsec_in_v4);
3419 
3420 	ASSERT(nmp->b_datap->db_type == M_CTL);
3421 	ASSERT(nmp->b_wptr == (nmp->b_rptr + sizeof (ipsec_info_t)));
3422 
3423 	/*
3424 	 * Bump refcounts.
3425 	 */
3426 	if (ii->ipsec_in_ah_sa != NULL)
3427 		IPSA_REFHOLD(ii->ipsec_in_ah_sa);
3428 	if (ii->ipsec_in_esp_sa != NULL)
3429 		IPSA_REFHOLD(ii->ipsec_in_esp_sa);
3430 	if (ii->ipsec_in_policy != NULL)
3431 		IPPH_REFHOLD(ii->ipsec_in_policy);
3432 
3433 	/*
3434 	 * Copy everything, but preserve the free routine provided by
3435 	 * ipsec_in_alloc().
3436 	 */
3437 	nii = (ipsec_in_t *)nmp->b_rptr;
3438 	nfrtn = nii->ipsec_in_frtn;
3439 	bcopy(ii, nii, sizeof (*ii));
3440 	nii->ipsec_in_frtn = nfrtn;
3441 
3442 	nmp->b_cont = cont;
3443 
3444 	return (nmp);
3445 }
3446 
3447 mblk_t *
3448 ipsec_out_tag(mblk_t *mp, mblk_t *cont)
3449 {
3450 	ipsec_out_t *io = (ipsec_out_t *)mp->b_rptr;
3451 	ipsec_out_t *nio;
3452 	mblk_t *nmp;
3453 	frtn_t nfrtn;
3454 
3455 	ASSERT(io->ipsec_out_type == IPSEC_OUT);
3456 	ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t));
3457 
3458 	nmp = ipsec_alloc_ipsec_out();
3459 	if (nmp == NULL) {
3460 		freemsg(cont);	/* XXX ip_drop_packet() ? */
3461 		return (NULL);
3462 	}
3463 	ASSERT(nmp->b_datap->db_type == M_CTL);
3464 	ASSERT(nmp->b_wptr == (nmp->b_rptr + sizeof (ipsec_info_t)));
3465 
3466 	/*
3467 	 * Bump refcounts.
3468 	 */
3469 	if (io->ipsec_out_ah_sa != NULL)
3470 		IPSA_REFHOLD(io->ipsec_out_ah_sa);
3471 	if (io->ipsec_out_esp_sa != NULL)
3472 		IPSA_REFHOLD(io->ipsec_out_esp_sa);
3473 	if (io->ipsec_out_polhead != NULL)
3474 		IPPH_REFHOLD(io->ipsec_out_polhead);
3475 	if (io->ipsec_out_policy != NULL)
3476 		IPPOL_REFHOLD(io->ipsec_out_policy);
3477 	if (io->ipsec_out_act != NULL)
3478 		IPACT_REFHOLD(io->ipsec_out_act);
3479 	if (io->ipsec_out_latch != NULL)
3480 		IPLATCH_REFHOLD(io->ipsec_out_latch);
3481 	if (io->ipsec_out_cred != NULL)
3482 		crhold(io->ipsec_out_cred);
3483 
3484 	/*
3485 	 * Copy everything, but preserve the free routine provided by
3486 	 * ipsec_alloc_ipsec_out().
3487 	 */
3488 	nio = (ipsec_out_t *)nmp->b_rptr;
3489 	nfrtn = nio->ipsec_out_frtn;
3490 	bcopy(io, nio, sizeof (*io));
3491 	nio->ipsec_out_frtn = nfrtn;
3492 
3493 	nmp->b_cont = cont;
3494 
3495 	return (nmp);
3496 }
3497 
3498 static void
3499 ipsec_out_release_refs(ipsec_out_t *io)
3500 {
3501 	ASSERT(io->ipsec_out_type == IPSEC_OUT);
3502 	ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t));
3503 
3504 	/* Note: IPSA_REFRELE is multi-line macro */
3505 	if (io->ipsec_out_ah_sa != NULL)
3506 		IPSA_REFRELE(io->ipsec_out_ah_sa);
3507 	if (io->ipsec_out_esp_sa != NULL)
3508 		IPSA_REFRELE(io->ipsec_out_esp_sa);
3509 	if (io->ipsec_out_polhead != NULL)
3510 		IPPH_REFRELE(io->ipsec_out_polhead);
3511 	if (io->ipsec_out_policy != NULL)
3512 		IPPOL_REFRELE(io->ipsec_out_policy);
3513 	if (io->ipsec_out_act != NULL)
3514 		IPACT_REFRELE(io->ipsec_out_act);
3515 	if (io->ipsec_out_cred != NULL) {
3516 		crfree(io->ipsec_out_cred);
3517 		io->ipsec_out_cred = NULL;
3518 	}
3519 	if (io->ipsec_out_latch) {
3520 		IPLATCH_REFRELE(io->ipsec_out_latch);
3521 		io->ipsec_out_latch = NULL;
3522 	}
3523 }
3524 
3525 static void
3526 ipsec_out_free(void *arg)
3527 {
3528 	ipsec_out_t *io = (ipsec_out_t *)arg;
3529 	ipsec_out_release_refs(io);
3530 	kmem_cache_free(ipsec_info_cache, arg);
3531 }
3532 
3533 static void
3534 ipsec_in_release_refs(ipsec_in_t *ii)
3535 {
3536 	/* Note: IPSA_REFRELE is multi-line macro */
3537 	if (ii->ipsec_in_ah_sa != NULL)
3538 		IPSA_REFRELE(ii->ipsec_in_ah_sa);
3539 	if (ii->ipsec_in_esp_sa != NULL)
3540 		IPSA_REFRELE(ii->ipsec_in_esp_sa);
3541 	if (ii->ipsec_in_policy != NULL)
3542 		IPPH_REFRELE(ii->ipsec_in_policy);
3543 	if (ii->ipsec_in_da != NULL) {
3544 		freeb(ii->ipsec_in_da);
3545 		ii->ipsec_in_da = NULL;
3546 	}
3547 }
3548 
3549 static void
3550 ipsec_in_free(void *arg)
3551 {
3552 	ipsec_in_t *ii = (ipsec_in_t *)arg;
3553 	ipsec_in_release_refs(ii);
3554 	kmem_cache_free(ipsec_info_cache, arg);
3555 }
3556 
3557 /*
3558  * This is called only for outbound datagrams if the datagram needs to
3559  * go out secure.  A NULL mp can be passed to get an ipsec_out. This
3560  * facility is used by ip_unbind.
3561  *
3562  * NOTE : o As the data part could be modified by ipsec_out_process etc.
3563  *	    we can't make it fast by calling a dup.
3564  */
3565 mblk_t *
3566 ipsec_alloc_ipsec_out()
3567 {
3568 	mblk_t *ipsec_mp;
3569 
3570 	ipsec_out_t *io = kmem_cache_alloc(ipsec_info_cache, KM_NOSLEEP);
3571 
3572 	if (io == NULL)
3573 		return (NULL);
3574 
3575 	bzero(io, sizeof (ipsec_out_t));
3576 
3577 	io->ipsec_out_type = IPSEC_OUT;
3578 	io->ipsec_out_len = sizeof (ipsec_out_t);
3579 	io->ipsec_out_frtn.free_func = ipsec_out_free;
3580 	io->ipsec_out_frtn.free_arg = (char *)io;
3581 
3582 	/*
3583 	 * Set the zoneid to ALL_ZONES which is used as an invalid value. Code
3584 	 * using ipsec_out_zoneid should assert that the zoneid has been set to
3585 	 * a sane value.
3586 	 */
3587 	io->ipsec_out_zoneid = ALL_ZONES;
3588 
3589 	ipsec_mp = desballoc((uint8_t *)io, sizeof (ipsec_info_t), BPRI_HI,
3590 	    &io->ipsec_out_frtn);
3591 	if (ipsec_mp == NULL) {
3592 		ipsec_out_free(io);
3593 
3594 		return (NULL);
3595 	}
3596 	ipsec_mp->b_datap->db_type = M_CTL;
3597 	ipsec_mp->b_wptr = ipsec_mp->b_rptr + sizeof (ipsec_info_t);
3598 
3599 	return (ipsec_mp);
3600 }
3601 
3602 /*
3603  * Attach an IPSEC_OUT; use pol for policy if it is non-null.
3604  * Otherwise initialize using conn.
3605  *
3606  * If pol is non-null, we consume a reference to it.
3607  */
3608 mblk_t *
3609 ipsec_attach_ipsec_out(mblk_t *mp, conn_t *connp, ipsec_policy_t *pol,
3610     uint8_t proto)
3611 {
3612 	mblk_t *ipsec_mp;
3613 
3614 	ASSERT((pol != NULL) || (connp != NULL));
3615 
3616 	ipsec_mp = ipsec_alloc_ipsec_out();
3617 	if (ipsec_mp == NULL) {
3618 		(void) mi_strlog(CONNP_TO_WQ(connp), 0, SL_ERROR|SL_NOTE,
3619 		    "ipsec_attach_ipsec_out: Allocation failure\n");
3620 		BUMP_MIB(&ip_mib, ipOutDiscards);
3621 		ip_drop_packet(mp, B_FALSE, NULL, NULL, &ipdrops_spd_nomem,
3622 		    &spd_dropper);
3623 		return (NULL);
3624 	}
3625 	ipsec_mp->b_cont = mp;
3626 	return (ipsec_init_ipsec_out(ipsec_mp, connp, pol, proto));
3627 }
3628 
3629 /*
3630  * Initialize the IPSEC_OUT (ipsec_mp) using pol if it is non-null.
3631  * Otherwise initialize using conn.
3632  *
3633  * If pol is non-null, we consume a reference to it.
3634  */
3635 mblk_t *
3636 ipsec_init_ipsec_out(mblk_t *ipsec_mp, conn_t *connp, ipsec_policy_t *pol,
3637     uint8_t proto)
3638 {
3639 	mblk_t *mp;
3640 	ipsec_out_t *io;
3641 	ipsec_policy_t *p;
3642 	ipha_t *ipha;
3643 	ip6_t *ip6h;
3644 
3645 	ASSERT((pol != NULL) || (connp != NULL));
3646 
3647 	/*
3648 	 * If mp is NULL, we won't/should not be using it.
3649 	 */
3650 	mp = ipsec_mp->b_cont;
3651 
3652 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
3653 	ASSERT(ipsec_mp->b_wptr == (ipsec_mp->b_rptr + sizeof (ipsec_info_t)));
3654 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
3655 	ASSERT(io->ipsec_out_type == IPSEC_OUT);
3656 	ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t));
3657 	io->ipsec_out_latch = NULL;
3658 	/*
3659 	 * Set the zoneid when we have the connp.
3660 	 * Otherwise, we're called from ip_wput_attach_policy() who will take
3661 	 * care of setting the zoneid.
3662 	 */
3663 	if (connp != NULL)
3664 		io->ipsec_out_zoneid = connp->conn_zoneid;
3665 
3666 	if (mp != NULL) {
3667 		ipha = (ipha_t *)mp->b_rptr;
3668 		if (IPH_HDR_VERSION(ipha) == IP_VERSION) {
3669 			io->ipsec_out_v4 = B_TRUE;
3670 			ip6h = NULL;
3671 		} else {
3672 			io->ipsec_out_v4 = B_FALSE;
3673 			ip6h = (ip6_t *)ipha;
3674 			ipha = NULL;
3675 		}
3676 	} else {
3677 		ASSERT(connp != NULL && connp->conn_policy_cached);
3678 		ip6h = NULL;
3679 		ipha = NULL;
3680 		io->ipsec_out_v4 = !connp->conn_pkt_isv6;
3681 	}
3682 
3683 	p = NULL;
3684 
3685 	/*
3686 	 * Take latched policies over global policy.  Check here again for
3687 	 * this, in case we had conn_latch set while the packet was flying
3688 	 * around in IP.
3689 	 */
3690 	if (connp != NULL && connp->conn_latch != NULL) {
3691 		p = connp->conn_latch->ipl_out_policy;
3692 		io->ipsec_out_latch = connp->conn_latch;
3693 		IPLATCH_REFHOLD(connp->conn_latch);
3694 		if (p != NULL) {
3695 			IPPOL_REFHOLD(p);
3696 		}
3697 		io->ipsec_out_src_port = connp->conn_lport;
3698 		io->ipsec_out_dst_port = connp->conn_fport;
3699 		io->ipsec_out_icmp_type = io->ipsec_out_icmp_code = 0;
3700 		if (pol != NULL)
3701 			IPPOL_REFRELE(pol);
3702 	} else if (pol != NULL) {
3703 		ipsec_selector_t sel;
3704 
3705 		bzero((void*)&sel, sizeof (sel));
3706 
3707 		p = pol;
3708 		/*
3709 		 * conn does not have the port information. Get
3710 		 * it from the packet.
3711 		 */
3712 
3713 		if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h)) {
3714 			/* XXX any cleanup required here?? */
3715 			return (NULL);
3716 		}
3717 		io->ipsec_out_src_port = sel.ips_local_port;
3718 		io->ipsec_out_dst_port = sel.ips_remote_port;
3719 		io->ipsec_out_icmp_type = sel.ips_icmp_type;
3720 		io->ipsec_out_icmp_code = sel.ips_icmp_code;
3721 	}
3722 
3723 	io->ipsec_out_proto = proto;
3724 	io->ipsec_out_use_global_policy = B_TRUE;
3725 	io->ipsec_out_secure = (p != NULL);
3726 	io->ipsec_out_policy = p;
3727 
3728 	if (p == NULL) {
3729 		if (connp->conn_policy != NULL) {
3730 			io->ipsec_out_secure = B_TRUE;
3731 			ASSERT(io->ipsec_out_latch == NULL);
3732 			ASSERT(io->ipsec_out_use_global_policy == B_TRUE);
3733 			io->ipsec_out_need_policy = B_TRUE;
3734 			ASSERT(io->ipsec_out_polhead == NULL);
3735 			IPPH_REFHOLD(connp->conn_policy);
3736 			io->ipsec_out_polhead = connp->conn_policy;
3737 		}
3738 	}
3739 	return (ipsec_mp);
3740 }
3741 
3742 /*
3743  * Allocate an IPSEC_IN mblk.  This will be prepended to an inbound datagram
3744  * and keep track of what-if-any IPsec processing will be applied to the
3745  * datagram.
3746  */
3747 mblk_t *
3748 ipsec_in_alloc(boolean_t isv4)
3749 {
3750 	mblk_t *ipsec_in;
3751 	ipsec_in_t *ii = kmem_cache_alloc(ipsec_info_cache, KM_NOSLEEP);
3752 
3753 	if (ii == NULL)
3754 		return (NULL);
3755 
3756 	bzero(ii, sizeof (ipsec_info_t));
3757 	ii->ipsec_in_type = IPSEC_IN;
3758 	ii->ipsec_in_len = sizeof (ipsec_in_t);
3759 
3760 	ii->ipsec_in_v4 = isv4;
3761 	ii->ipsec_in_secure = B_TRUE;
3762 
3763 	ii->ipsec_in_frtn.free_func = ipsec_in_free;
3764 	ii->ipsec_in_frtn.free_arg = (char *)ii;
3765 
3766 	ipsec_in = desballoc((uint8_t *)ii, sizeof (ipsec_info_t), BPRI_HI,
3767 	    &ii->ipsec_in_frtn);
3768 	if (ipsec_in == NULL) {
3769 		ip1dbg(("ipsec_in_alloc: IPSEC_IN allocation failure.\n"));
3770 		ipsec_in_free(ii);
3771 		return (NULL);
3772 	}
3773 
3774 	ipsec_in->b_datap->db_type = M_CTL;
3775 	ipsec_in->b_wptr += sizeof (ipsec_info_t);
3776 
3777 	return (ipsec_in);
3778 }
3779 
3780 /*
3781  * This is called from ip_wput_local when a packet which needs
3782  * security is looped back, to convert the IPSEC_OUT to a IPSEC_IN
3783  * before fanout, where the policy check happens.  In most of the
3784  * cases, IPSEC processing has *never* been done.  There is one case
3785  * (ip_wput_ire_fragmentit -> ip_wput_frag -> icmp_frag_needed) where
3786  * the packet is destined for localhost, IPSEC processing has already
3787  * been done.
3788  *
3789  * Future: This could happen after SA selection has occurred for
3790  * outbound.. which will tell us who the src and dst identities are..
3791  * Then it's just a matter of splicing the ah/esp SA pointers from the
3792  * ipsec_out_t to the ipsec_in_t.
3793  */
3794 void
3795 ipsec_out_to_in(mblk_t *ipsec_mp)
3796 {
3797 	ipsec_in_t  *ii;
3798 	ipsec_out_t *io;
3799 	ipsec_policy_t *pol;
3800 	ipsec_action_t *act;
3801 	boolean_t v4, icmp_loopback;
3802 
3803 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
3804 
3805 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
3806 
3807 	v4 = io->ipsec_out_v4;
3808 	icmp_loopback = io->ipsec_out_icmp_loopback;
3809 
3810 	act = io->ipsec_out_act;
3811 	if (act == NULL) {
3812 		pol = io->ipsec_out_policy;
3813 		if (pol != NULL) {
3814 			act = pol->ipsp_act;
3815 			IPACT_REFHOLD(act);
3816 		}
3817 	}
3818 	io->ipsec_out_act = NULL;
3819 
3820 	ipsec_out_release_refs(io);
3821 
3822 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
3823 	bzero(ii, sizeof (ipsec_in_t));
3824 	ii->ipsec_in_type = IPSEC_IN;
3825 	ii->ipsec_in_len = sizeof (ipsec_in_t);
3826 	ii->ipsec_in_loopback = B_TRUE;
3827 	ii->ipsec_in_frtn.free_func = ipsec_in_free;
3828 	ii->ipsec_in_frtn.free_arg = (char *)ii;
3829 	ii->ipsec_in_action = act;
3830 
3831 	/*
3832 	 * In most of the cases, we can't look at the ipsec_out_XXX_sa
3833 	 * because this never went through IPSEC processing. So, look at
3834 	 * the requests and infer whether it would have gone through
3835 	 * IPSEC processing or not. Initialize the "done" fields with
3836 	 * the requests. The possible values for "done" fields are :
3837 	 *
3838 	 * 1) zero, indicates that a particular preference was never
3839 	 *    requested.
3840 	 * 2) non-zero, indicates that it could be IPSEC_PREF_REQUIRED/
3841 	 *    IPSEC_PREF_NEVER. If IPSEC_REQ_DONE is set, it means that
3842 	 *    IPSEC processing has been completed.
3843 	 */
3844 	ii->ipsec_in_secure = B_TRUE;
3845 	ii->ipsec_in_v4 = v4;
3846 	ii->ipsec_in_icmp_loopback = icmp_loopback;
3847 	ii->ipsec_in_attach_if = B_FALSE;
3848 }
3849 
3850 /*
3851  * Consults global policy to see whether this datagram should
3852  * go out secure. If so it attaches a ipsec_mp in front and
3853  * returns.
3854  */
3855 mblk_t *
3856 ip_wput_attach_policy(mblk_t *ipsec_mp, ipha_t *ipha, ip6_t *ip6h, ire_t *ire,
3857     conn_t *connp, boolean_t unspec_src)
3858 {
3859 	mblk_t *mp;
3860 	ipsec_out_t *io = NULL;
3861 	ipsec_selector_t sel;
3862 	uint_t	ill_index;
3863 	boolean_t conn_dontroutex;
3864 	boolean_t conn_multicast_loopx;
3865 	boolean_t policy_present;
3866 
3867 	ASSERT((ipha != NULL && ip6h == NULL) ||
3868 	    (ip6h != NULL && ipha == NULL));
3869 
3870 	bzero((void*)&sel, sizeof (sel));
3871 
3872 	if (ipha != NULL)
3873 		policy_present = ipsec_outbound_v4_policy_present;
3874 	else
3875 		policy_present = ipsec_outbound_v6_policy_present;
3876 	/*
3877 	 * Fast Path to see if there is any policy.
3878 	 */
3879 	if (!policy_present) {
3880 		if (ipsec_mp->b_datap->db_type == M_CTL) {
3881 			io = (ipsec_out_t *)ipsec_mp->b_rptr;
3882 			if (!io->ipsec_out_secure) {
3883 				/*
3884 				 * If there is no global policy and ip_wput
3885 				 * or ip_wput_multicast has attached this mp
3886 				 * for multicast case, free the ipsec_mp and
3887 				 * return the original mp.
3888 				 */
3889 				mp = ipsec_mp->b_cont;
3890 				freeb(ipsec_mp);
3891 				ipsec_mp = mp;
3892 				io = NULL;
3893 			}
3894 		}
3895 		if (((io == NULL) || (io->ipsec_out_polhead == NULL)) &&
3896 		    ((connp == NULL) || (connp->conn_policy == NULL)))
3897 			return (ipsec_mp);
3898 	}
3899 
3900 	ill_index = 0;
3901 	conn_multicast_loopx = conn_dontroutex = B_FALSE;
3902 	mp = ipsec_mp;
3903 	if (ipsec_mp->b_datap->db_type == M_CTL) {
3904 		mp = ipsec_mp->b_cont;
3905 		/*
3906 		 * This is a connection where we have some per-socket
3907 		 * policy or ip_wput has attached an ipsec_mp for
3908 		 * the multicast datagram.
3909 		 */
3910 		io = (ipsec_out_t *)ipsec_mp->b_rptr;
3911 		if (!io->ipsec_out_secure) {
3912 			/*
3913 			 * This ipsec_mp was allocated in ip_wput or
3914 			 * ip_wput_multicast so that we will know the
3915 			 * value of ill_index, conn_dontroute,
3916 			 * conn_multicast_loop in the multicast case if
3917 			 * we inherit global policy here.
3918 			 */
3919 			ill_index = io->ipsec_out_ill_index;
3920 			conn_dontroutex = io->ipsec_out_dontroute;
3921 			conn_multicast_loopx = io->ipsec_out_multicast_loop;
3922 			freeb(ipsec_mp);
3923 			ipsec_mp = mp;
3924 			io = NULL;
3925 		}
3926 	}
3927 
3928 	if (ipha != NULL) {
3929 		sel.ips_local_addr_v4 = (ipha->ipha_src != 0 ?
3930 		    ipha->ipha_src : ire->ire_src_addr);
3931 		sel.ips_remote_addr_v4 = ip_get_dst(ipha);
3932 		sel.ips_protocol = (uint8_t)ipha->ipha_protocol;
3933 		sel.ips_isv4 = B_TRUE;
3934 	} else {
3935 		ushort_t hdr_len;
3936 		uint8_t	*nexthdrp;
3937 		boolean_t is_fragment;
3938 
3939 		sel.ips_isv4 = B_FALSE;
3940 		if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) {
3941 			if (!unspec_src)
3942 				sel.ips_local_addr_v6 = ire->ire_src_addr_v6;
3943 		} else {
3944 			sel.ips_local_addr_v6 = ip6h->ip6_src;
3945 		}
3946 
3947 		sel.ips_remote_addr_v6 = ip_get_dst_v6(ip6h, &is_fragment);
3948 		if (is_fragment) {
3949 			/*
3950 			 * It's a packet fragment for a packet that
3951 			 * we have already processed (since IPsec processing
3952 			 * is done before fragmentation), so we don't
3953 			 * have to do policy checks again. Fragments can
3954 			 * come back to us for processing if they have
3955 			 * been queued up due to flow control.
3956 			 */
3957 			if (ipsec_mp->b_datap->db_type == M_CTL) {
3958 				mp = ipsec_mp->b_cont;
3959 				freeb(ipsec_mp);
3960 				ipsec_mp = mp;
3961 			}
3962 			return (ipsec_mp);
3963 		}
3964 
3965 		/* IPv6 common-case. */
3966 		sel.ips_protocol = ip6h->ip6_nxt;
3967 		switch (ip6h->ip6_nxt) {
3968 		case IPPROTO_TCP:
3969 		case IPPROTO_UDP:
3970 		case IPPROTO_SCTP:
3971 		case IPPROTO_ICMPV6:
3972 			break;
3973 		default:
3974 			if (!ip_hdr_length_nexthdr_v6(mp, ip6h,
3975 			    &hdr_len, &nexthdrp)) {
3976 				BUMP_MIB(&ip6_mib, ipv6OutDiscards);
3977 				freemsg(ipsec_mp); /* Not IPsec-related drop. */
3978 				return (NULL);
3979 			}
3980 			sel.ips_protocol = *nexthdrp;
3981 			break;
3982 		}
3983 	}
3984 
3985 	if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h)) {
3986 		if (ipha != NULL) {
3987 			BUMP_MIB(&ip_mib, ipOutDiscards);
3988 		} else {
3989 			BUMP_MIB(&ip6_mib, ipv6OutDiscards);
3990 		}
3991 
3992 		ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
3993 		    &ipdrops_spd_nomem, &spd_dropper);
3994 		return (NULL);
3995 	}
3996 
3997 	if (io != NULL) {
3998 		/*
3999 		 * We seem to have some local policy (we already have
4000 		 * an ipsec_out).  Look at global policy and see
4001 		 * whether we have to inherit or not.
4002 		 */
4003 		io->ipsec_out_need_policy = B_FALSE;
4004 		ipsec_mp = ipsec_apply_global_policy(ipsec_mp, connp, &sel);
4005 		ASSERT((io->ipsec_out_policy != NULL) ||
4006 		    (io->ipsec_out_act != NULL));
4007 		ASSERT(io->ipsec_out_need_policy == B_FALSE);
4008 		return (ipsec_mp);
4009 	}
4010 	ipsec_mp = ipsec_attach_global_policy(mp, connp, &sel);
4011 	if (ipsec_mp == NULL)
4012 		return (mp);
4013 
4014 	/*
4015 	 * Copy the right port information.
4016 	 */
4017 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
4018 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
4019 
4020 	ASSERT(io->ipsec_out_need_policy == B_FALSE);
4021 	ASSERT((io->ipsec_out_policy != NULL) ||
4022 	    (io->ipsec_out_act != NULL));
4023 	io->ipsec_out_src_port = sel.ips_local_port;
4024 	io->ipsec_out_dst_port = sel.ips_remote_port;
4025 	io->ipsec_out_icmp_type = sel.ips_icmp_type;
4026 	io->ipsec_out_icmp_code = sel.ips_icmp_code;
4027 	/*
4028 	 * Set ill_index, conn_dontroute and conn_multicast_loop
4029 	 * for multicast datagrams.
4030 	 */
4031 	io->ipsec_out_ill_index = ill_index;
4032 	io->ipsec_out_dontroute = conn_dontroutex;
4033 	io->ipsec_out_multicast_loop = conn_multicast_loopx;
4034 	/*
4035 	 * When conn is non-NULL, the zoneid is set by ipsec_init_ipsec_out().
4036 	 * Otherwise set the zoneid based on the ire.
4037 	 */
4038 	if (connp == NULL)
4039 		io->ipsec_out_zoneid = ire->ire_zoneid;
4040 	return (ipsec_mp);
4041 }
4042 
4043 /*
4044  * When appropriate, this function caches inbound and outbound policy
4045  * for this connection.
4046  *
4047  * XXX need to work out more details about per-interface policy and
4048  * caching here!
4049  *
4050  * XXX may want to split inbound and outbound caching for ill..
4051  */
4052 int
4053 ipsec_conn_cache_policy(conn_t *connp, boolean_t isv4)
4054 {
4055 	boolean_t global_policy_present;
4056 
4057 	/*
4058 	 * There is no policy latching for ICMP sockets because we can't
4059 	 * decide on which policy to use until we see the packet and get
4060 	 * type/code selectors.
4061 	 */
4062 	if (connp->conn_ulp == IPPROTO_ICMP ||
4063 	    connp->conn_ulp == IPPROTO_ICMPV6) {
4064 		connp->conn_in_enforce_policy =
4065 		    connp->conn_out_enforce_policy = B_TRUE;
4066 		if (connp->conn_latch != NULL) {
4067 			IPLATCH_REFRELE(connp->conn_latch);
4068 			connp->conn_latch = NULL;
4069 		}
4070 		connp->conn_flags |= IPCL_CHECK_POLICY;
4071 		return (0);
4072 	}
4073 
4074 	global_policy_present = isv4 ?
4075 	    (ipsec_outbound_v4_policy_present ||
4076 		ipsec_inbound_v4_policy_present) :
4077 	    (ipsec_outbound_v6_policy_present ||
4078 		ipsec_inbound_v6_policy_present);
4079 
4080 	if ((connp->conn_policy != NULL) || global_policy_present) {
4081 		ipsec_selector_t sel;
4082 		ipsec_policy_t	*p;
4083 
4084 		if (connp->conn_latch == NULL &&
4085 		    (connp->conn_latch = iplatch_create()) == NULL) {
4086 			return (ENOMEM);
4087 		}
4088 
4089 		sel.ips_protocol = connp->conn_ulp;
4090 		sel.ips_local_port = connp->conn_lport;
4091 		sel.ips_remote_port = connp->conn_fport;
4092 		sel.ips_is_icmp_inv_acq = 0;
4093 		sel.ips_isv4 = isv4;
4094 		if (isv4) {
4095 			sel.ips_local_addr_v4 = connp->conn_src;
4096 			sel.ips_remote_addr_v4 = connp->conn_rem;
4097 		} else {
4098 			sel.ips_local_addr_v6 = connp->conn_srcv6;
4099 			sel.ips_remote_addr_v6 = connp->conn_remv6;
4100 		}
4101 
4102 		p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, NULL, &sel);
4103 		if (connp->conn_latch->ipl_in_policy != NULL)
4104 			IPPOL_REFRELE(connp->conn_latch->ipl_in_policy);
4105 		connp->conn_latch->ipl_in_policy = p;
4106 		connp->conn_in_enforce_policy = (p != NULL);
4107 
4108 		p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, &sel);
4109 		if (connp->conn_latch->ipl_out_policy != NULL)
4110 			IPPOL_REFRELE(connp->conn_latch->ipl_out_policy);
4111 		connp->conn_latch->ipl_out_policy = p;
4112 		connp->conn_out_enforce_policy = (p != NULL);
4113 
4114 		/* Clear the latched actions too, in case we're recaching. */
4115 		if (connp->conn_latch->ipl_out_action != NULL)
4116 			IPACT_REFRELE(connp->conn_latch->ipl_out_action);
4117 		if (connp->conn_latch->ipl_in_action != NULL)
4118 			IPACT_REFRELE(connp->conn_latch->ipl_in_action);
4119 	}
4120 
4121 	/*
4122 	 * We may or may not have policy for this endpoint.  We still set
4123 	 * conn_policy_cached so that inbound datagrams don't have to look
4124 	 * at global policy as policy is considered latched for these
4125 	 * endpoints.  We should not set conn_policy_cached until the conn
4126 	 * reflects the actual policy. If we *set* this before inheriting
4127 	 * the policy there is a window where the check
4128 	 * CONN_INBOUND_POLICY_PRESENT, will neither check with the policy
4129 	 * on the conn (because we have not yet copied the policy on to
4130 	 * conn and hence not set conn_in_enforce_policy) nor with the
4131 	 * global policy (because conn_policy_cached is already set).
4132 	 */
4133 	connp->conn_policy_cached = B_TRUE;
4134 	if (connp->conn_in_enforce_policy)
4135 		connp->conn_flags |= IPCL_CHECK_POLICY;
4136 	return (0);
4137 }
4138 
4139 void
4140 iplatch_free(ipsec_latch_t *ipl)
4141 {
4142 	if (ipl->ipl_out_policy != NULL)
4143 		IPPOL_REFRELE(ipl->ipl_out_policy);
4144 	if (ipl->ipl_in_policy != NULL)
4145 		IPPOL_REFRELE(ipl->ipl_in_policy);
4146 	if (ipl->ipl_in_action != NULL)
4147 		IPACT_REFRELE(ipl->ipl_in_action);
4148 	if (ipl->ipl_out_action != NULL)
4149 		IPACT_REFRELE(ipl->ipl_out_action);
4150 	if (ipl->ipl_local_cid != NULL)
4151 		IPSID_REFRELE(ipl->ipl_local_cid);
4152 	if (ipl->ipl_remote_cid != NULL)
4153 		IPSID_REFRELE(ipl->ipl_remote_cid);
4154 	if (ipl->ipl_local_id != NULL)
4155 		crfree(ipl->ipl_local_id);
4156 	mutex_destroy(&ipl->ipl_lock);
4157 	kmem_free(ipl, sizeof (*ipl));
4158 }
4159 
4160 ipsec_latch_t *
4161 iplatch_create()
4162 {
4163 	ipsec_latch_t *ipl = kmem_alloc(sizeof (*ipl), KM_NOSLEEP);
4164 	if (ipl == NULL)
4165 		return (ipl);
4166 	bzero(ipl, sizeof (*ipl));
4167 	mutex_init(&ipl->ipl_lock, NULL, MUTEX_DEFAULT, NULL);
4168 	ipl->ipl_refcnt = 1;
4169 	return (ipl);
4170 }
4171 
4172 /*
4173  * Identity hash table.
4174  *
4175  * Identities are refcounted and "interned" into the hash table.
4176  * Only references coming from other objects (SA's, latching state)
4177  * are counted in ipsid_refcnt.
4178  *
4179  * Locking: IPSID_REFHOLD is safe only when (a) the object's hash bucket
4180  * is locked, (b) we know that the refcount must be > 0.
4181  *
4182  * The ipsid_next and ipsid_ptpn fields are only to be referenced or
4183  * modified when the bucket lock is held; in particular, we only
4184  * delete objects while holding the bucket lock, and we only increase
4185  * the refcount from 0 to 1 while the bucket lock is held.
4186  */
4187 
4188 #define	IPSID_HASHSIZE 64
4189 
4190 typedef struct ipsif_s
4191 {
4192 	ipsid_t *ipsif_head;
4193 	kmutex_t ipsif_lock;
4194 } ipsif_t;
4195 
4196 ipsif_t ipsid_buckets[IPSID_HASHSIZE];
4197 
4198 /*
4199  * Hash function for ID hash table.
4200  */
4201 static uint32_t
4202 ipsid_hash(int idtype, char *idstring)
4203 {
4204 	uint32_t hval = idtype;
4205 	unsigned char c;
4206 
4207 	while ((c = *idstring++) != 0) {
4208 		hval = (hval << 4) | (hval >> 28);
4209 		hval ^= c;
4210 	}
4211 	hval = hval ^ (hval >> 16);
4212 	return (hval & (IPSID_HASHSIZE-1));
4213 }
4214 
4215 /*
4216  * Look up identity string in hash table.  Return identity object
4217  * corresponding to the name -- either preexisting, or newly allocated.
4218  *
4219  * Return NULL if we need to allocate a new one and can't get memory.
4220  */
4221 ipsid_t *
4222 ipsid_lookup(int idtype, char *idstring)
4223 {
4224 	ipsid_t *retval;
4225 	char *nstr;
4226 	int idlen = strlen(idstring) + 1;
4227 
4228 	ipsif_t *bucket = &ipsid_buckets[ipsid_hash(idtype, idstring)];
4229 
4230 	mutex_enter(&bucket->ipsif_lock);
4231 
4232 	for (retval = bucket->ipsif_head; retval != NULL;
4233 	    retval = retval->ipsid_next) {
4234 		if (idtype != retval->ipsid_type)
4235 			continue;
4236 		if (bcmp(idstring, retval->ipsid_cid, idlen) != 0)
4237 			continue;
4238 
4239 		IPSID_REFHOLD(retval);
4240 		mutex_exit(&bucket->ipsif_lock);
4241 		return (retval);
4242 	}
4243 
4244 	retval = kmem_alloc(sizeof (*retval), KM_NOSLEEP);
4245 	if (!retval) {
4246 		mutex_exit(&bucket->ipsif_lock);
4247 		return (NULL);
4248 	}
4249 
4250 	nstr = kmem_alloc(idlen, KM_NOSLEEP);
4251 	if (!nstr) {
4252 		mutex_exit(&bucket->ipsif_lock);
4253 		kmem_free(retval, sizeof (*retval));
4254 		return (NULL);
4255 	}
4256 
4257 	retval->ipsid_refcnt = 1;
4258 	retval->ipsid_next = bucket->ipsif_head;
4259 	if (retval->ipsid_next != NULL)
4260 		retval->ipsid_next->ipsid_ptpn = &retval->ipsid_next;
4261 	retval->ipsid_ptpn = &bucket->ipsif_head;
4262 	retval->ipsid_type = idtype;
4263 	retval->ipsid_cid = nstr;
4264 	bucket->ipsif_head = retval;
4265 	bcopy(idstring, nstr, idlen);
4266 	mutex_exit(&bucket->ipsif_lock);
4267 
4268 	return (retval);
4269 }
4270 
4271 /*
4272  * Garbage collect the identity hash table.
4273  */
4274 void
4275 ipsid_gc()
4276 {
4277 	int i, len;
4278 	ipsid_t *id, *nid;
4279 	ipsif_t *bucket;
4280 
4281 	for (i = 0; i < IPSID_HASHSIZE; i++) {
4282 		bucket = &ipsid_buckets[i];
4283 		mutex_enter(&bucket->ipsif_lock);
4284 		for (id = bucket->ipsif_head; id != NULL; id = nid) {
4285 			nid = id->ipsid_next;
4286 			if (id->ipsid_refcnt == 0) {
4287 				*id->ipsid_ptpn = nid;
4288 				if (nid != NULL)
4289 					nid->ipsid_ptpn = id->ipsid_ptpn;
4290 				len = strlen(id->ipsid_cid) + 1;
4291 				kmem_free(id->ipsid_cid, len);
4292 				kmem_free(id, sizeof (*id));
4293 			}
4294 		}
4295 		mutex_exit(&bucket->ipsif_lock);
4296 	}
4297 }
4298 
4299 /*
4300  * Return true if two identities are the same.
4301  */
4302 boolean_t
4303 ipsid_equal(ipsid_t *id1, ipsid_t *id2)
4304 {
4305 	if (id1 == id2)
4306 		return (B_TRUE);
4307 #ifdef DEBUG
4308 	if ((id1 == NULL) || (id2 == NULL))
4309 		return (B_FALSE);
4310 	/*
4311 	 * test that we're interning id's correctly..
4312 	 */
4313 	ASSERT((strcmp(id1->ipsid_cid, id2->ipsid_cid) != 0) ||
4314 	    (id1->ipsid_type != id2->ipsid_type));
4315 #endif
4316 	return (B_FALSE);
4317 }
4318 
4319 /*
4320  * Initialize identity table; called during module initialization.
4321  */
4322 static void
4323 ipsid_init()
4324 {
4325 	ipsif_t *bucket;
4326 	int i;
4327 
4328 	for (i = 0; i < IPSID_HASHSIZE; i++) {
4329 		bucket = &ipsid_buckets[i];
4330 		mutex_init(&bucket->ipsif_lock, NULL, MUTEX_DEFAULT, NULL);
4331 	}
4332 }
4333 
4334 /*
4335  * Free identity table (preparatory to module unload)
4336  */
4337 static void
4338 ipsid_fini()
4339 {
4340 	ipsif_t *bucket;
4341 	int i;
4342 
4343 	for (i = 0; i < IPSID_HASHSIZE; i++) {
4344 		bucket = &ipsid_buckets[i];
4345 		mutex_destroy(&bucket->ipsif_lock);
4346 	}
4347 }
4348 
4349 /*
4350  * Update the minimum and maximum supported key sizes for the
4351  * specified algorithm. Must be called while holding the algorithms lock.
4352  */
4353 void
4354 ipsec_alg_fix_min_max(ipsec_alginfo_t *alg, ipsec_algtype_t alg_type)
4355 {
4356 	size_t crypto_min = (size_t)-1, crypto_max = 0;
4357 	size_t cur_crypto_min, cur_crypto_max;
4358 	boolean_t is_valid;
4359 	crypto_mechanism_info_t *mech_infos;
4360 	uint_t nmech_infos;
4361 	int crypto_rc, i;
4362 	crypto_mech_usage_t mask;
4363 
4364 	ASSERT(MUTEX_HELD(&alg_lock));
4365 
4366 	/*
4367 	 * Compute the min, max, and default key sizes (in number of
4368 	 * increments to the default key size in bits) as defined
4369 	 * by the algorithm mappings. This range of key sizes is used
4370 	 * for policy related operations. The effective key sizes
4371 	 * supported by the framework could be more limited than
4372 	 * those defined for an algorithm.
4373 	 */
4374 	alg->alg_default_bits = alg->alg_key_sizes[0];
4375 	if (alg->alg_increment != 0) {
4376 		/* key sizes are defined by range & increment */
4377 		alg->alg_minbits = alg->alg_key_sizes[1];
4378 		alg->alg_maxbits = alg->alg_key_sizes[2];
4379 
4380 		alg->alg_default = SADB_ALG_DEFAULT_INCR(alg->alg_minbits,
4381 		    alg->alg_increment, alg->alg_default_bits);
4382 	} else if (alg->alg_nkey_sizes == 0) {
4383 		/* no specified key size for algorithm */
4384 		alg->alg_minbits = alg->alg_maxbits = 0;
4385 	} else {
4386 		/* key sizes are defined by enumeration */
4387 		alg->alg_minbits = (uint16_t)-1;
4388 		alg->alg_maxbits = 0;
4389 
4390 		for (i = 0; i < alg->alg_nkey_sizes; i++) {
4391 			if (alg->alg_key_sizes[i] < alg->alg_minbits)
4392 				alg->alg_minbits = alg->alg_key_sizes[i];
4393 			if (alg->alg_key_sizes[i] > alg->alg_maxbits)
4394 				alg->alg_maxbits = alg->alg_key_sizes[i];
4395 		}
4396 		alg->alg_default = 0;
4397 	}
4398 
4399 	if (!(alg->alg_flags & ALG_FLAG_VALID))
4400 		return;
4401 
4402 	/*
4403 	 * Mechanisms do not apply to the NULL encryption
4404 	 * algorithm, so simply return for this case.
4405 	 */
4406 	if (alg->alg_id == SADB_EALG_NULL)
4407 		return;
4408 
4409 	/*
4410 	 * Find the min and max key sizes supported by the cryptographic
4411 	 * framework providers.
4412 	 */
4413 
4414 	/* get the key sizes supported by the framework */
4415 	crypto_rc = crypto_get_all_mech_info(alg->alg_mech_type,
4416 	    &mech_infos, &nmech_infos, KM_SLEEP);
4417 	if (crypto_rc != CRYPTO_SUCCESS || nmech_infos == 0) {
4418 		alg->alg_flags &= ~ALG_FLAG_VALID;
4419 		return;
4420 	}
4421 
4422 	/* min and max key sizes supported by framework */
4423 	for (i = 0, is_valid = B_FALSE; i < nmech_infos; i++) {
4424 		int unit_bits;
4425 
4426 		/*
4427 		 * Ignore entries that do not support the operations
4428 		 * needed for the algorithm type.
4429 		 */
4430 		if (alg_type == IPSEC_ALG_AUTH)
4431 			mask = CRYPTO_MECH_USAGE_MAC;
4432 		else
4433 			mask = CRYPTO_MECH_USAGE_ENCRYPT |
4434 				CRYPTO_MECH_USAGE_DECRYPT;
4435 		if ((mech_infos[i].mi_usage & mask) != mask)
4436 			continue;
4437 
4438 		unit_bits = (mech_infos[i].mi_keysize_unit ==
4439 		    CRYPTO_KEYSIZE_UNIT_IN_BYTES)  ? 8 : 1;
4440 		/* adjust min/max supported by framework */
4441 		cur_crypto_min = mech_infos[i].mi_min_key_size * unit_bits;
4442 		cur_crypto_max = mech_infos[i].mi_max_key_size * unit_bits;
4443 
4444 		if (cur_crypto_min < crypto_min)
4445 			crypto_min = cur_crypto_min;
4446 
4447 		/*
4448 		 * CRYPTO_EFFECTIVELY_INFINITE is a special value of
4449 		 * the crypto framework which means "no upper limit".
4450 		 */
4451 		if (mech_infos[i].mi_max_key_size ==
4452 		    CRYPTO_EFFECTIVELY_INFINITE)
4453 			crypto_max = (size_t)-1;
4454 		else if (cur_crypto_max > crypto_max)
4455 			crypto_max = cur_crypto_max;
4456 
4457 		is_valid = B_TRUE;
4458 	}
4459 
4460 	kmem_free(mech_infos, sizeof (crypto_mechanism_info_t) *
4461 	    nmech_infos);
4462 
4463 	if (!is_valid) {
4464 		/* no key sizes supported by framework */
4465 		alg->alg_flags &= ~ALG_FLAG_VALID;
4466 		return;
4467 	}
4468 
4469 	/*
4470 	 * Determine min and max key sizes from alg_key_sizes[].
4471 	 * defined for the algorithm entry. Adjust key sizes based on
4472 	 * those supported by the framework.
4473 	 */
4474 	alg->alg_ef_default_bits = alg->alg_key_sizes[0];
4475 	if (alg->alg_increment != 0) {
4476 		/* supported key sizes are defined by range  & increment */
4477 		crypto_min = ALGBITS_ROUND_UP(crypto_min, alg->alg_increment);
4478 		crypto_max = ALGBITS_ROUND_DOWN(crypto_max, alg->alg_increment);
4479 
4480 		alg->alg_ef_minbits = MAX(alg->alg_minbits,
4481 		    (uint16_t)crypto_min);
4482 		alg->alg_ef_maxbits = MIN(alg->alg_maxbits,
4483 		    (uint16_t)crypto_max);
4484 
4485 		/*
4486 		 * If the sizes supported by the framework are outside
4487 		 * the range of sizes defined by the algorithm mappings,
4488 		 * the algorithm cannot be used. Check for this
4489 		 * condition here.
4490 		 */
4491 		if (alg->alg_ef_minbits > alg->alg_ef_maxbits) {
4492 			alg->alg_flags &= ~ALG_FLAG_VALID;
4493 			return;
4494 		}
4495 
4496 		if (alg->alg_ef_default_bits < alg->alg_ef_minbits)
4497 		    alg->alg_ef_default_bits = alg->alg_ef_minbits;
4498 		if (alg->alg_ef_default_bits > alg->alg_ef_maxbits)
4499 		    alg->alg_ef_default_bits = alg->alg_ef_maxbits;
4500 
4501 		alg->alg_ef_default = SADB_ALG_DEFAULT_INCR(alg->alg_ef_minbits,
4502 		    alg->alg_increment, alg->alg_ef_default_bits);
4503 	} else if (alg->alg_nkey_sizes == 0) {
4504 		/* no specified key size for algorithm */
4505 		alg->alg_ef_minbits = alg->alg_ef_maxbits = 0;
4506 	} else {
4507 		/* supported key sizes are defined by enumeration */
4508 		alg->alg_ef_minbits = (uint16_t)-1;
4509 		alg->alg_ef_maxbits = 0;
4510 
4511 		for (i = 0, is_valid = B_FALSE; i < alg->alg_nkey_sizes; i++) {
4512 			/*
4513 			 * Ignore the current key size if it is not in the
4514 			 * range of sizes supported by the framework.
4515 			 */
4516 			if (alg->alg_key_sizes[i] < crypto_min ||
4517 			    alg->alg_key_sizes[i] > crypto_max)
4518 				continue;
4519 			if (alg->alg_key_sizes[i] < alg->alg_ef_minbits)
4520 				alg->alg_ef_minbits = alg->alg_key_sizes[i];
4521 			if (alg->alg_key_sizes[i] > alg->alg_ef_maxbits)
4522 				alg->alg_ef_maxbits = alg->alg_key_sizes[i];
4523 			is_valid = B_TRUE;
4524 		}
4525 
4526 		if (!is_valid) {
4527 			alg->alg_flags &= ~ALG_FLAG_VALID;
4528 			return;
4529 		}
4530 		alg->alg_ef_default = 0;
4531 	}
4532 }
4533 
4534 /*
4535  * Free the memory used by the specified algorithm.
4536  */
4537 void
4538 ipsec_alg_free(ipsec_alginfo_t *alg)
4539 {
4540 	if (alg == NULL)
4541 		return;
4542 
4543 	if (alg->alg_key_sizes != NULL)
4544 		kmem_free(alg->alg_key_sizes,
4545 		    (alg->alg_nkey_sizes + 1) * sizeof (uint16_t));
4546 
4547 	if (alg->alg_block_sizes != NULL)
4548 		kmem_free(alg->alg_block_sizes,
4549 		    (alg->alg_nblock_sizes + 1) * sizeof (uint16_t));
4550 
4551 	kmem_free(alg, sizeof (*alg));
4552 }
4553 
4554 /*
4555  * Check the validity of the specified key size for an algorithm.
4556  * Returns B_TRUE if key size is valid, B_FALSE otherwise.
4557  */
4558 boolean_t
4559 ipsec_valid_key_size(uint16_t key_size, ipsec_alginfo_t *alg)
4560 {
4561 	if (key_size < alg->alg_ef_minbits || key_size > alg->alg_ef_maxbits)
4562 		return (B_FALSE);
4563 
4564 	if (alg->alg_increment == 0 && alg->alg_nkey_sizes != 0) {
4565 		/*
4566 		 * If the key sizes are defined by enumeration, the new
4567 		 * key size must be equal to one of the supported values.
4568 		 */
4569 		int i;
4570 
4571 		for (i = 0; i < alg->alg_nkey_sizes; i++)
4572 			if (key_size == alg->alg_key_sizes[i])
4573 				break;
4574 		if (i == alg->alg_nkey_sizes)
4575 			return (B_FALSE);
4576 	}
4577 
4578 	return (B_TRUE);
4579 }
4580 
4581 /*
4582  * Callback function invoked by the crypto framework when a provider
4583  * registers or unregisters. This callback updates the algorithms
4584  * tables when a crypto algorithm is no longer available or becomes
4585  * available, and triggers the freeing/creation of context templates
4586  * associated with existing SAs, if needed.
4587  */
4588 void
4589 ipsec_prov_update_callback(uint32_t event, void *event_arg)
4590 {
4591 	crypto_notify_event_change_t *prov_change =
4592 	    (crypto_notify_event_change_t *)event_arg;
4593 	uint_t algidx, algid, algtype, mech_count, mech_idx;
4594 	ipsec_alginfo_t *alg;
4595 	ipsec_alginfo_t oalg;
4596 	crypto_mech_name_t *mechs;
4597 	boolean_t alg_changed = B_FALSE;
4598 
4599 	/* ignore events for which we didn't register */
4600 	if (event != CRYPTO_EVENT_PROVIDERS_CHANGE) {
4601 		ip1dbg(("ipsec_prov_update_callback: unexpected event 0x%x "
4602 			" received from crypto framework\n", event));
4603 		return;
4604 	}
4605 
4606 	mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
4607 	if (mechs == NULL)
4608 		return;
4609 
4610 	/*
4611 	 * Walk the list of currently defined IPsec algorithm. Update
4612 	 * the algorithm valid flag and trigger an update of the
4613 	 * SAs that depend on that algorithm.
4614 	 */
4615 	mutex_enter(&alg_lock);
4616 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
4617 		for (algidx = 0; algidx < ipsec_nalgs[algtype]; algidx++) {
4618 
4619 			algid = ipsec_sortlist[algtype][algidx];
4620 			alg = ipsec_alglists[algtype][algid];
4621 			ASSERT(alg != NULL);
4622 
4623 			/*
4624 			 * Skip the algorithms which do not map to the
4625 			 * crypto framework provider being added or removed.
4626 			 */
4627 			if (strncmp(alg->alg_mech_name,
4628 			    prov_change->ec_mech_name,
4629 			    CRYPTO_MAX_MECH_NAME) != 0)
4630 				continue;
4631 
4632 			/*
4633 			 * Determine if the mechanism is valid. If it
4634 			 * is not, mark the algorithm as being invalid. If
4635 			 * it is, mark the algorithm as being valid.
4636 			 */
4637 			for (mech_idx = 0; mech_idx < mech_count; mech_idx++)
4638 				if (strncmp(alg->alg_mech_name,
4639 				    mechs[mech_idx], CRYPTO_MAX_MECH_NAME) == 0)
4640 					break;
4641 			if (mech_idx == mech_count &&
4642 			    alg->alg_flags & ALG_FLAG_VALID) {
4643 				alg->alg_flags &= ~ALG_FLAG_VALID;
4644 				alg_changed = B_TRUE;
4645 			} else if (mech_idx < mech_count &&
4646 			    !(alg->alg_flags & ALG_FLAG_VALID)) {
4647 				alg->alg_flags |= ALG_FLAG_VALID;
4648 				alg_changed = B_TRUE;
4649 			}
4650 
4651 			/*
4652 			 * Update the supported key sizes, regardless
4653 			 * of whether a crypto provider was added or
4654 			 * removed.
4655 			 */
4656 			oalg = *alg;
4657 			ipsec_alg_fix_min_max(alg, algtype);
4658 			if (!alg_changed &&
4659 			    alg->alg_ef_minbits != oalg.alg_ef_minbits ||
4660 			    alg->alg_ef_maxbits != oalg.alg_ef_maxbits ||
4661 			    alg->alg_ef_default != oalg.alg_ef_default ||
4662 			    alg->alg_ef_default_bits !=
4663 			    oalg.alg_ef_default_bits)
4664 				alg_changed = B_TRUE;
4665 
4666 			/*
4667 			 * Update the affected SAs if a software provider is
4668 			 * being added or removed.
4669 			 */
4670 			if (prov_change->ec_provider_type ==
4671 			    CRYPTO_SW_PROVIDER)
4672 				sadb_alg_update(algtype, alg->alg_id,
4673 				    prov_change->ec_change ==
4674 				    CRYPTO_EVENT_CHANGE_ADDED);
4675 		}
4676 	}
4677 	mutex_exit(&alg_lock);
4678 	crypto_free_mech_list(mechs, mech_count);
4679 
4680 	if (alg_changed) {
4681 		/*
4682 		 * An algorithm has changed, i.e. it became valid or
4683 		 * invalid, or its support key sizes have changed.
4684 		 * Notify ipsecah and ipsecesp of this change so
4685 		 * that they can send a SADB_REGISTER to their consumers.
4686 		 */
4687 		ipsecah_algs_changed();
4688 		ipsecesp_algs_changed();
4689 	}
4690 }
4691 
4692 /*
4693  * Registers with the crypto framework to be notified of crypto
4694  * providers changes. Used to update the algorithm tables and
4695  * to free or create context templates if needed. Invoked after IPsec
4696  * is loaded successfully.
4697  */
4698 void
4699 ipsec_register_prov_update(void)
4700 {
4701 	prov_update_handle = crypto_notify_events(
4702 	    ipsec_prov_update_callback, CRYPTO_EVENT_PROVIDERS_CHANGE);
4703 }
4704 
4705 /*
4706  * Unregisters from the framework to be notified of crypto providers
4707  * changes. Called from ipsec_policy_destroy().
4708  */
4709 static void
4710 ipsec_unregister_prov_update(void)
4711 {
4712 	if (prov_update_handle != NULL)
4713 		crypto_unnotify_events(prov_update_handle);
4714 }
4715