xref: /titanic_44/usr/src/uts/common/inet/ip/spdsock.c (revision bde3d612a7c090234c60e6e4578821237a5db135)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 #include <sys/param.h>
26 #include <sys/types.h>
27 #include <sys/stream.h>
28 #include <sys/strsubr.h>
29 #include <sys/strsun.h>
30 #include <sys/stropts.h>
31 #include <sys/zone.h>
32 #include <sys/vnode.h>
33 #include <sys/sysmacros.h>
34 #define	_SUN_TPI_VERSION 2
35 #include <sys/tihdr.h>
36 #include <sys/ddi.h>
37 #include <sys/sunddi.h>
38 #include <sys/mkdev.h>
39 #include <sys/debug.h>
40 #include <sys/kmem.h>
41 #include <sys/cmn_err.h>
42 #include <sys/suntpi.h>
43 #include <sys/policy.h>
44 #include <sys/dls.h>
45 
46 #include <sys/socket.h>
47 #include <netinet/in.h>
48 #include <net/pfkeyv2.h>
49 #include <net/pfpolicy.h>
50 
51 #include <inet/common.h>
52 #include <netinet/ip6.h>
53 #include <inet/ip.h>
54 #include <inet/ip6.h>
55 #include <inet/mi.h>
56 #include <inet/proto_set.h>
57 #include <inet/nd.h>
58 #include <inet/ip_if.h>
59 #include <inet/optcom.h>
60 #include <inet/ipsec_impl.h>
61 #include <inet/spdsock.h>
62 #include <inet/sadb.h>
63 #include <inet/iptun.h>
64 #include <inet/iptun/iptun_impl.h>
65 
66 #include <sys/isa_defs.h>
67 
68 #include <c2/audit.h>
69 
70 /*
71  * This is a transport provider for the PF_POLICY IPsec policy
72  * management socket, which provides a management interface into the
73  * SPD, allowing policy rules to be added, deleted, and queried.
74  *
75  * This effectively replaces the old private SIOC*IPSECONFIG ioctls
76  * with an extensible interface which will hopefully be public some
77  * day.
78  *
79  * See <net/pfpolicy.h> for more details on the protocol.
80  *
81  * We link against drv/ip and call directly into it to manipulate the
82  * SPD; see ipsec_impl.h for the policy data structures and spd.c for
83  * the code which maintains them.
84  *
85  * The MT model of this is QPAIR with the addition of some explicit
86  * locking to protect system-wide policy data structures.
87  */
88 
89 static vmem_t *spdsock_vmem;		/* for minor numbers. */
90 
91 #define	ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t))
92 
93 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */
94 static struct T_info_ack spdsock_g_t_info_ack = {
95 	T_INFO_ACK,
96 	T_INFINITE,	/* TSDU_size. Maximum size messages. */
97 	T_INVALID,	/* ETSDU_size. No expedited data. */
98 	T_INVALID,	/* CDATA_size. No connect data. */
99 	T_INVALID,	/* DDATA_size. No disconnect data. */
100 	0,		/* ADDR_size. */
101 	0,		/* OPT_size. No user-settable options */
102 	64 * 1024,	/* TIDU_size. spdsock allows maximum size messages. */
103 	T_COTS,		/* SERV_type. spdsock supports connection oriented. */
104 	TS_UNBND,	/* CURRENT_state. This is set from spdsock_state. */
105 	(XPG4_1)	/* Provider flags */
106 };
107 
108 /* Named Dispatch Parameter Management Structure */
109 typedef struct spdsockparam_s {
110 	uint_t	spdsock_param_min;
111 	uint_t	spdsock_param_max;
112 	uint_t	spdsock_param_value;
113 	char *spdsock_param_name;
114 } spdsockparam_t;
115 
116 /*
117  * Table of NDD variables supported by spdsock. These are loaded into
118  * spdsock_g_nd in spdsock_init_nd.
119  * All of these are alterable, within the min/max values given, at run time.
120  */
121 static	spdsockparam_t	lcl_param_arr[] = {
122 	/* min	max	value	name */
123 	{ 4096, 65536,	8192,	"spdsock_xmit_hiwat"},
124 	{ 0,	65536,	1024,	"spdsock_xmit_lowat"},
125 	{ 4096, 65536,	8192,	"spdsock_recv_hiwat"},
126 	{ 65536, 1024*1024*1024, 256*1024,	"spdsock_max_buf"},
127 	{ 0,	3,	0,	"spdsock_debug"},
128 };
129 #define	spds_xmit_hiwat	spds_params[0].spdsock_param_value
130 #define	spds_xmit_lowat	spds_params[1].spdsock_param_value
131 #define	spds_recv_hiwat	spds_params[2].spdsock_param_value
132 #define	spds_max_buf	spds_params[3].spdsock_param_value
133 #define	spds_debug		spds_params[4].spdsock_param_value
134 
135 #define	ss0dbg(a)	printf a
136 /* NOTE:  != 0 instead of > 0 so lint doesn't complain. */
137 #define	ss1dbg(spds, a)	if (spds->spds_debug != 0) printf a
138 #define	ss2dbg(spds, a)	if (spds->spds_debug > 1) printf a
139 #define	ss3dbg(spds, a)	if (spds->spds_debug > 2) printf a
140 
141 #define	RESET_SPDSOCK_DUMP_POLHEAD(ss, iph) { \
142 	ASSERT(RW_READ_HELD(&(iph)->iph_lock)); \
143 	(ss)->spdsock_dump_head = (iph); \
144 	(ss)->spdsock_dump_gen = (iph)->iph_gen; \
145 	(ss)->spdsock_dump_cur_type = 0; \
146 	(ss)->spdsock_dump_cur_af = IPSEC_AF_V4; \
147 	(ss)->spdsock_dump_cur_rule = NULL; \
148 	(ss)->spdsock_dump_count = 0; \
149 	(ss)->spdsock_dump_cur_chain = 0; \
150 }
151 
152 static int spdsock_close(queue_t *);
153 static int spdsock_open(queue_t *, dev_t *, int, int, cred_t *);
154 static void spdsock_wput(queue_t *, mblk_t *);
155 static void spdsock_wsrv(queue_t *);
156 static void spdsock_rsrv(queue_t *);
157 static void *spdsock_stack_init(netstackid_t stackid, netstack_t *ns);
158 static void spdsock_stack_shutdown(netstackid_t stackid, void *arg);
159 static void spdsock_stack_fini(netstackid_t stackid, void *arg);
160 static void spdsock_loadcheck(void *);
161 static void spdsock_merge_algs(spd_stack_t *);
162 static void spdsock_flush_one(ipsec_policy_head_t *, netstack_t *);
163 static mblk_t *spdsock_dump_next_record(spdsock_t *);
164 static void update_iptun_policy(ipsec_tun_pol_t *);
165 
166 static struct module_info info = {
167 	5138, "spdsock", 1, INFPSZ, 512, 128
168 };
169 
170 static struct qinit rinit = {
171 	NULL, (pfi_t)spdsock_rsrv, spdsock_open, spdsock_close,
172 	NULL, &info
173 };
174 
175 static struct qinit winit = {
176 	(pfi_t)spdsock_wput, (pfi_t)spdsock_wsrv, NULL, NULL, NULL, &info
177 };
178 
179 struct streamtab spdsockinfo = {
180 	&rinit, &winit
181 };
182 
183 /* mapping from alg type to protocol number, as per RFC 2407 */
184 static const uint_t algproto[] = {
185 	PROTO_IPSEC_AH,
186 	PROTO_IPSEC_ESP,
187 };
188 
189 #define	NALGPROTOS	(sizeof (algproto) / sizeof (algproto[0]))
190 
191 /* mapping from kernel exec mode to spdsock exec mode */
192 static const uint_t execmodes[] = {
193 	SPD_ALG_EXEC_MODE_SYNC,
194 	SPD_ALG_EXEC_MODE_ASYNC
195 };
196 
197 #define	NEXECMODES	(sizeof (execmodes) / sizeof (execmodes[0]))
198 
199 #define	ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1)
200 #define	ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2)
201 
202 #define	ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL)
203 
204 /* ARGSUSED */
205 static int
206 spdsock_param_get(q, mp, cp, cr)
207 	queue_t	*q;
208 	mblk_t	*mp;
209 	caddr_t	cp;
210 	cred_t *cr;
211 {
212 	spdsockparam_t	*spdsockpa = (spdsockparam_t *)cp;
213 	uint_t value;
214 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
215 	spd_stack_t	*spds = ss->spdsock_spds;
216 
217 	mutex_enter(&spds->spds_param_lock);
218 	value = spdsockpa->spdsock_param_value;
219 	mutex_exit(&spds->spds_param_lock);
220 
221 	(void) mi_mpprintf(mp, "%u", value);
222 	return (0);
223 }
224 
225 /* This routine sets an NDD variable in a spdsockparam_t structure. */
226 /* ARGSUSED */
227 static int
228 spdsock_param_set(q, mp, value, cp, cr)
229 	queue_t	*q;
230 	mblk_t	*mp;
231 	char *value;
232 	caddr_t	cp;
233 	cred_t *cr;
234 {
235 	ulong_t	new_value;
236 	spdsockparam_t	*spdsockpa = (spdsockparam_t *)cp;
237 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
238 	spd_stack_t	*spds = ss->spdsock_spds;
239 
240 	/* Convert the value from a string into a long integer. */
241 	if (ddi_strtoul(value, NULL, 10, &new_value) != 0)
242 		return (EINVAL);
243 
244 	mutex_enter(&spds->spds_param_lock);
245 	/*
246 	 * Fail the request if the new value does not lie within the
247 	 * required bounds.
248 	 */
249 	if (new_value < spdsockpa->spdsock_param_min ||
250 	    new_value > spdsockpa->spdsock_param_max) {
251 		mutex_exit(&spds->spds_param_lock);
252 		return (EINVAL);
253 	}
254 
255 	/* Set the new value */
256 	spdsockpa->spdsock_param_value = new_value;
257 	mutex_exit(&spds->spds_param_lock);
258 
259 	return (0);
260 }
261 
262 /*
263  * Initialize at module load time
264  */
265 boolean_t
266 spdsock_ddi_init(void)
267 {
268 	spdsock_max_optsize = optcom_max_optsize(
269 	    spdsock_opt_obj.odb_opt_des_arr, spdsock_opt_obj.odb_opt_arr_cnt);
270 
271 	spdsock_vmem = vmem_create("spdsock", (void *)1, MAXMIN, 1,
272 	    NULL, NULL, NULL, 1, VM_SLEEP | VMC_IDENTIFIER);
273 
274 	/*
275 	 * We want to be informed each time a stack is created or
276 	 * destroyed in the kernel, so we can maintain the
277 	 * set of spd_stack_t's.
278 	 */
279 	netstack_register(NS_SPDSOCK, spdsock_stack_init,
280 	    spdsock_stack_shutdown, spdsock_stack_fini);
281 
282 	return (B_TRUE);
283 }
284 
285 /*
286  * Walk through the param array specified registering each element with the
287  * named dispatch handler.
288  */
289 static boolean_t
290 spdsock_param_register(IDP *ndp, spdsockparam_t *ssp, int cnt)
291 {
292 	for (; cnt-- > 0; ssp++) {
293 		if (ssp->spdsock_param_name != NULL &&
294 		    ssp->spdsock_param_name[0]) {
295 			if (!nd_load(ndp,
296 			    ssp->spdsock_param_name,
297 			    spdsock_param_get, spdsock_param_set,
298 			    (caddr_t)ssp)) {
299 				nd_free(ndp);
300 				return (B_FALSE);
301 			}
302 		}
303 	}
304 	return (B_TRUE);
305 }
306 
307 /*
308  * Initialize for each stack instance
309  */
310 /* ARGSUSED */
311 static void *
312 spdsock_stack_init(netstackid_t stackid, netstack_t *ns)
313 {
314 	spd_stack_t	*spds;
315 	spdsockparam_t	*ssp;
316 
317 	spds = (spd_stack_t *)kmem_zalloc(sizeof (*spds), KM_SLEEP);
318 	spds->spds_netstack = ns;
319 
320 	ASSERT(spds->spds_g_nd == NULL);
321 
322 	ssp = (spdsockparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP);
323 	spds->spds_params = ssp;
324 	bcopy(lcl_param_arr, ssp, sizeof (lcl_param_arr));
325 
326 	(void) spdsock_param_register(&spds->spds_g_nd, ssp,
327 	    A_CNT(lcl_param_arr));
328 
329 	mutex_init(&spds->spds_param_lock, NULL, MUTEX_DEFAULT, NULL);
330 	mutex_init(&spds->spds_alg_lock, NULL, MUTEX_DEFAULT, NULL);
331 
332 	return (spds);
333 }
334 
335 void
336 spdsock_ddi_destroy(void)
337 {
338 	vmem_destroy(spdsock_vmem);
339 
340 	netstack_unregister(NS_SPDSOCK);
341 }
342 
343 /*
344  * Do pre-removal cleanup.
345  */
346 /* ARGSUSED */
347 static void
348 spdsock_stack_shutdown(netstackid_t stackid, void *arg)
349 {
350 	spd_stack_t *spds = (spd_stack_t *)arg;
351 
352 	if (spds->spds_mp_algs != NULL) {
353 		freemsg(spds->spds_mp_algs);
354 		spds->spds_mp_algs = NULL;
355 	}
356 }
357 
358 /* ARGSUSED */
359 static void
360 spdsock_stack_fini(netstackid_t stackid, void *arg)
361 {
362 	spd_stack_t *spds = (spd_stack_t *)arg;
363 
364 	ASSERT(spds->spds_mp_algs == NULL);
365 	mutex_destroy(&spds->spds_param_lock);
366 	mutex_destroy(&spds->spds_alg_lock);
367 	nd_free(&spds->spds_g_nd);
368 	kmem_free(spds->spds_params, sizeof (lcl_param_arr));
369 	spds->spds_params = NULL;
370 
371 	kmem_free(spds, sizeof (*spds));
372 }
373 
374 /*
375  * NOTE: large quantities of this should be shared with keysock.
376  * Would be nice to combine some of this into a common module, but
377  * not possible given time pressures.
378  */
379 
380 /*
381  * High-level reality checking of extensions.
382  */
383 /* ARGSUSED */ /* XXX */
384 static boolean_t
385 ext_check(spd_ext_t *ext)
386 {
387 	spd_if_t *tunname = (spd_if_t *)ext;
388 	int i;
389 	char *idstr;
390 
391 	if (ext->spd_ext_type == SPD_EXT_TUN_NAME) {
392 		/* (NOTE:  Modified from SADB_EXT_IDENTITY..) */
393 
394 		/*
395 		 * Make sure the strings in these identities are
396 		 * null-terminated.  Let's "proactively" null-terminate the
397 		 * string at the last byte if it's not terminated sooner.
398 		 */
399 		i = SPD_64TO8(tunname->spd_if_len) - sizeof (spd_if_t);
400 		idstr = (char *)(tunname + 1);
401 		while (*idstr != '\0' && i > 0) {
402 			i--;
403 			idstr++;
404 		}
405 		if (i == 0) {
406 			/*
407 			 * I.e., if the bozo user didn't NULL-terminate the
408 			 * string...
409 			 */
410 			idstr--;
411 			*idstr = '\0';
412 		}
413 	}
414 	return (B_TRUE);	/* For now... */
415 }
416 
417 
418 
419 /* Return values for spdsock_get_ext(). */
420 #define	KGE_OK	0
421 #define	KGE_DUP	1
422 #define	KGE_UNK	2
423 #define	KGE_LEN	3
424 #define	KGE_CHK	4
425 
426 /*
427  * Parse basic extension headers and return in the passed-in pointer vector.
428  * Return values include:
429  *
430  *	KGE_OK	Everything's nice and parsed out.
431  *		If there are no extensions, place NULL in extv[0].
432  *	KGE_DUP	There is a duplicate extension.
433  *		First instance in appropriate bin.  First duplicate in
434  *		extv[0].
435  *	KGE_UNK	Unknown extension type encountered.  extv[0] contains
436  *		unknown header.
437  *	KGE_LEN	Extension length error.
438  *	KGE_CHK	High-level reality check failed on specific extension.
439  *
440  * My apologies for some of the pointer arithmetic in here.  I'm thinking
441  * like an assembly programmer, yet trying to make the compiler happy.
442  */
443 static int
444 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize)
445 {
446 	bzero(extv, sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1));
447 
448 	/* Use extv[0] as the "current working pointer". */
449 
450 	extv[0] = (spd_ext_t *)(basehdr + 1);
451 
452 	while (extv[0] < (spd_ext_t *)(((uint8_t *)basehdr) + msgsize)) {
453 		/* Check for unknown headers. */
454 		if (extv[0]->spd_ext_type == 0 ||
455 		    extv[0]->spd_ext_type > SPD_EXT_MAX)
456 			return (KGE_UNK);
457 
458 		/*
459 		 * Check length.  Use uint64_t because extlen is in units
460 		 * of 64-bit words.  If length goes beyond the msgsize,
461 		 * return an error.  (Zero length also qualifies here.)
462 		 */
463 		if (extv[0]->spd_ext_len == 0 ||
464 		    (void *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) >
465 		    (void *)((uint8_t *)basehdr + msgsize))
466 			return (KGE_LEN);
467 
468 		/* Check for redundant headers. */
469 		if (extv[extv[0]->spd_ext_type] != NULL)
470 			return (KGE_DUP);
471 
472 		/*
473 		 * Reality check the extension if possible at the spdsock
474 		 * level.
475 		 */
476 		if (!ext_check(extv[0]))
477 			return (KGE_CHK);
478 
479 		/* If I make it here, assign the appropriate bin. */
480 		extv[extv[0]->spd_ext_type] = extv[0];
481 
482 		/* Advance pointer (See above for uint64_t ptr reasoning.) */
483 		extv[0] = (spd_ext_t *)
484 		    ((uint64_t *)extv[0] + extv[0]->spd_ext_len);
485 	}
486 
487 	/* Everything's cool. */
488 
489 	/*
490 	 * If extv[0] == NULL, then there are no extension headers in this
491 	 * message.  Ensure that this is the case.
492 	 */
493 	if (extv[0] == (spd_ext_t *)(basehdr + 1))
494 		extv[0] = NULL;
495 
496 	return (KGE_OK);
497 }
498 
499 static const int bad_ext_diag[] = {
500 	SPD_DIAGNOSTIC_MALFORMED_LCLPORT,
501 	SPD_DIAGNOSTIC_MALFORMED_REMPORT,
502 	SPD_DIAGNOSTIC_MALFORMED_PROTO,
503 	SPD_DIAGNOSTIC_MALFORMED_LCLADDR,
504 	SPD_DIAGNOSTIC_MALFORMED_REMADDR,
505 	SPD_DIAGNOSTIC_MALFORMED_ACTION,
506 	SPD_DIAGNOSTIC_MALFORMED_RULE,
507 	SPD_DIAGNOSTIC_MALFORMED_RULESET,
508 	SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE
509 };
510 
511 static const int dup_ext_diag[] = {
512 	SPD_DIAGNOSTIC_DUPLICATE_LCLPORT,
513 	SPD_DIAGNOSTIC_DUPLICATE_REMPORT,
514 	SPD_DIAGNOSTIC_DUPLICATE_PROTO,
515 	SPD_DIAGNOSTIC_DUPLICATE_LCLADDR,
516 	SPD_DIAGNOSTIC_DUPLICATE_REMADDR,
517 	SPD_DIAGNOSTIC_DUPLICATE_ACTION,
518 	SPD_DIAGNOSTIC_DUPLICATE_RULE,
519 	SPD_DIAGNOSTIC_DUPLICATE_RULESET,
520 	SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE
521 };
522 
523 /*
524  * Transmit a PF_POLICY error message to the instance either pointed to
525  * by ks, the instance with serial number serial, or more, depending.
526  *
527  * The faulty message (or a reasonable facsimile thereof) is in mp.
528  * This function will free mp or recycle it for delivery, thereby causing
529  * the stream head to free it.
530  */
531 static void
532 spdsock_error(queue_t *q, mblk_t *mp, int error, int diagnostic)
533 {
534 	spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
535 
536 	ASSERT(mp->b_datap->db_type == M_DATA);
537 
538 	if (spmsg->spd_msg_type < SPD_MIN ||
539 	    spmsg->spd_msg_type > SPD_MAX)
540 		spmsg->spd_msg_type = SPD_RESERVED;
541 
542 	/*
543 	 * Strip out extension headers.
544 	 */
545 	ASSERT(mp->b_rptr + sizeof (*spmsg) <= mp->b_datap->db_lim);
546 	mp->b_wptr = mp->b_rptr + sizeof (*spmsg);
547 	spmsg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t));
548 	spmsg->spd_msg_errno = (uint8_t)error;
549 	spmsg->spd_msg_diagnostic = (uint16_t)diagnostic;
550 
551 	qreply(q, mp);
552 }
553 
554 static void
555 spdsock_diag(queue_t *q, mblk_t *mp, int diagnostic)
556 {
557 	spdsock_error(q, mp, EINVAL, diagnostic);
558 }
559 
560 static void
561 spd_echo(queue_t *q, mblk_t *mp)
562 {
563 	qreply(q, mp);
564 }
565 
566 /*
567  * Do NOT consume a reference to itp.
568  */
569 /*ARGSUSED*/
570 static void
571 spdsock_flush_node(ipsec_tun_pol_t *itp, void *cookie, netstack_t *ns)
572 {
573 	boolean_t active = (boolean_t)cookie;
574 	ipsec_policy_head_t *iph;
575 
576 	iph = active ? itp->itp_policy : itp->itp_inactive;
577 	IPPH_REFHOLD(iph);
578 	mutex_enter(&itp->itp_lock);
579 	spdsock_flush_one(iph, ns);  /* Releases iph refhold. */
580 	if (active)
581 		itp->itp_flags &= ~ITPF_PFLAGS;
582 	else
583 		itp->itp_flags &= ~ITPF_IFLAGS;
584 	mutex_exit(&itp->itp_lock);
585 	/* SPD_FLUSH is worth a tunnel MTU check. */
586 	update_iptun_policy(itp);
587 }
588 
589 /*
590  * Clear out one polhead.
591  */
592 static void
593 spdsock_flush_one(ipsec_policy_head_t *iph, netstack_t *ns)
594 {
595 	rw_enter(&iph->iph_lock, RW_WRITER);
596 	ipsec_polhead_flush(iph, ns);
597 	rw_exit(&iph->iph_lock);
598 	IPPH_REFRELE(iph, ns);
599 }
600 
601 static void
602 spdsock_flush(queue_t *q, ipsec_policy_head_t *iph, ipsec_tun_pol_t *itp,
603     mblk_t *mp)
604 {
605 	boolean_t active;
606 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
607 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
608 	uint32_t auditing = AU_AUDITING();
609 
610 	if (iph != ALL_ACTIVE_POLHEADS && iph != ALL_INACTIVE_POLHEADS) {
611 		spdsock_flush_one(iph, ns);
612 		if (auditing) {
613 			spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
614 			cred_t *cr;
615 			pid_t cpid;
616 
617 			cr = msg_getcred(mp, &cpid);
618 			active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
619 			audit_pf_policy(SPD_FLUSH, cr, ns,
620 			    ITP_NAME(itp), active, 0, cpid);
621 		}
622 	} else {
623 		active = (iph == ALL_ACTIVE_POLHEADS);
624 
625 		/* First flush the global policy. */
626 		spdsock_flush_one(active ? ipsec_system_policy(ns) :
627 		    ipsec_inactive_policy(ns), ns);
628 		if (auditing) {
629 			cred_t *cr;
630 			pid_t cpid;
631 
632 			cr = msg_getcred(mp, &cpid);
633 			audit_pf_policy(SPD_FLUSH, cr, ns, NULL,
634 			    active, 0, cpid);
635 		}
636 		/* Then flush every tunnel's appropriate one. */
637 		itp_walk(spdsock_flush_node, (void *)active, ns);
638 		if (auditing) {
639 			cred_t *cr;
640 			pid_t cpid;
641 
642 			cr = msg_getcred(mp, &cpid);
643 			audit_pf_policy(SPD_FLUSH, cr, ns,
644 			    "all tunnels", active, 0, cpid);
645 		}
646 	}
647 
648 	spd_echo(q, mp);
649 }
650 
651 static boolean_t
652 spdsock_ext_to_sel(spd_ext_t **extv, ipsec_selkey_t *sel, int *diag)
653 {
654 	bzero(sel, sizeof (*sel));
655 
656 	if (extv[SPD_EXT_PROTO] != NULL) {
657 		struct spd_proto *pr =
658 		    (struct spd_proto *)extv[SPD_EXT_PROTO];
659 		sel->ipsl_proto = pr->spd_proto_number;
660 		sel->ipsl_valid |= IPSL_PROTOCOL;
661 	}
662 	if (extv[SPD_EXT_LCLPORT] != NULL) {
663 		struct spd_portrange *pr =
664 		    (struct spd_portrange *)extv[SPD_EXT_LCLPORT];
665 		sel->ipsl_lport = pr->spd_ports_minport;
666 		sel->ipsl_valid |= IPSL_LOCAL_PORT;
667 	}
668 	if (extv[SPD_EXT_REMPORT] != NULL) {
669 		struct spd_portrange *pr =
670 		    (struct spd_portrange *)extv[SPD_EXT_REMPORT];
671 		sel->ipsl_rport = pr->spd_ports_minport;
672 		sel->ipsl_valid |= IPSL_REMOTE_PORT;
673 	}
674 
675 	if (extv[SPD_EXT_ICMP_TYPECODE] != NULL) {
676 		struct spd_typecode *tc=
677 		    (struct spd_typecode *)extv[SPD_EXT_ICMP_TYPECODE];
678 
679 		sel->ipsl_valid |= IPSL_ICMP_TYPE;
680 		sel->ipsl_icmp_type = tc->spd_typecode_type;
681 		if (tc->spd_typecode_type_end < tc->spd_typecode_type)
682 			sel->ipsl_icmp_type_end = tc->spd_typecode_type;
683 		else
684 			sel->ipsl_icmp_type_end = tc->spd_typecode_type_end;
685 
686 		if (tc->spd_typecode_code != 255) {
687 			sel->ipsl_valid |= IPSL_ICMP_CODE;
688 			sel->ipsl_icmp_code = tc->spd_typecode_code;
689 			if (tc->spd_typecode_code_end < tc->spd_typecode_code)
690 				sel->ipsl_icmp_code_end = tc->spd_typecode_code;
691 			else
692 				sel->ipsl_icmp_code_end =
693 				    tc->spd_typecode_code_end;
694 		}
695 	}
696 #define	ADDR2SEL(sel, extv, field, pfield, extn, bit)			      \
697 	if ((extv)[(extn)] != NULL) {					      \
698 		uint_t addrlen;						      \
699 		struct spd_address *ap = 				      \
700 			(struct spd_address *)((extv)[(extn)]); 	      \
701 		addrlen = (ap->spd_address_af == AF_INET6) ? 		      \
702 			IPV6_ADDR_LEN : IP_ADDR_LEN;			      \
703 		if (SPD_64TO8(ap->spd_address_len) < 			      \
704 			(addrlen + sizeof (*ap))) {			      \
705 			*diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN;		      \
706 			return (B_FALSE);				      \
707 		}							      \
708 		bcopy((ap+1), &((sel)->field), addrlen);		      \
709 		(sel)->pfield = ap->spd_address_prefixlen;		      \
710 		(sel)->ipsl_valid |= (bit);				      \
711 		(sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ?	      \
712 			IPSL_IPV6 : IPSL_IPV4;				      \
713 	}
714 
715 	ADDR2SEL(sel, extv, ipsl_local, ipsl_local_pfxlen,
716 	    SPD_EXT_LCLADDR, IPSL_LOCAL_ADDR);
717 	ADDR2SEL(sel, extv, ipsl_remote, ipsl_remote_pfxlen,
718 	    SPD_EXT_REMADDR, IPSL_REMOTE_ADDR);
719 
720 	if ((sel->ipsl_valid & (IPSL_IPV6|IPSL_IPV4)) ==
721 	    (IPSL_IPV6|IPSL_IPV4)) {
722 		*diag = SPD_DIAGNOSTIC_MIXED_AF;
723 		return (B_FALSE);
724 	}
725 
726 #undef ADDR2SEL
727 
728 	return (B_TRUE);
729 }
730 
731 static boolean_t
732 spd_convert_type(uint32_t type, ipsec_act_t *act)
733 {
734 	switch (type) {
735 	case SPD_ACTTYPE_DROP:
736 		act->ipa_type = IPSEC_ACT_DISCARD;
737 		return (B_TRUE);
738 
739 	case SPD_ACTTYPE_PASS:
740 		act->ipa_type = IPSEC_ACT_CLEAR;
741 		return (B_TRUE);
742 
743 	case SPD_ACTTYPE_IPSEC:
744 		act->ipa_type = IPSEC_ACT_APPLY;
745 		return (B_TRUE);
746 	}
747 	return (B_FALSE);
748 }
749 
750 static boolean_t
751 spd_convert_flags(uint32_t flags, ipsec_act_t *act)
752 {
753 	/*
754 	 * Note use of !! for boolean canonicalization.
755 	 */
756 	act->ipa_apply.ipp_use_ah = !!(flags & SPD_APPLY_AH);
757 	act->ipa_apply.ipp_use_esp = !!(flags & SPD_APPLY_ESP);
758 	act->ipa_apply.ipp_use_espa = !!(flags & SPD_APPLY_ESPA);
759 	act->ipa_apply.ipp_use_se = !!(flags & SPD_APPLY_SE);
760 	act->ipa_apply.ipp_use_unique = !!(flags & SPD_APPLY_UNIQUE);
761 	return (B_TRUE);
762 }
763 
764 static void
765 spdsock_reset_act(ipsec_act_t *act)
766 {
767 	bzero(act, sizeof (*act));
768 	act->ipa_apply.ipp_espe_maxbits = IPSEC_MAX_KEYBITS;
769 	act->ipa_apply.ipp_espa_maxbits = IPSEC_MAX_KEYBITS;
770 	act->ipa_apply.ipp_ah_maxbits = IPSEC_MAX_KEYBITS;
771 }
772 
773 /*
774  * Sanity check action against reality, and shrink-wrap key sizes..
775  */
776 static boolean_t
777 spdsock_check_action(ipsec_act_t *act, boolean_t tunnel_polhead, int *diag,
778     spd_stack_t *spds)
779 {
780 	if (tunnel_polhead && act->ipa_apply.ipp_use_unique) {
781 		*diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
782 		return (B_FALSE);
783 	}
784 	if ((act->ipa_type != IPSEC_ACT_APPLY) &&
785 	    (act->ipa_apply.ipp_use_ah ||
786 	    act->ipa_apply.ipp_use_esp ||
787 	    act->ipa_apply.ipp_use_espa ||
788 	    act->ipa_apply.ipp_use_se ||
789 	    act->ipa_apply.ipp_use_unique)) {
790 		*diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
791 		return (B_FALSE);
792 	}
793 	if ((act->ipa_type == IPSEC_ACT_APPLY) &&
794 	    !act->ipa_apply.ipp_use_ah &&
795 	    !act->ipa_apply.ipp_use_esp) {
796 		*diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
797 		return (B_FALSE);
798 	}
799 	return (ipsec_check_action(act, diag, spds->spds_netstack));
800 }
801 
802 /*
803  * We may be short a few error checks here..
804  */
805 static boolean_t
806 spdsock_ext_to_actvec(spd_ext_t **extv, ipsec_act_t **actpp, uint_t *nactp,
807     int *diag, spd_stack_t *spds)
808 {
809 	struct spd_ext_actions *sactp =
810 	    (struct spd_ext_actions *)extv[SPD_EXT_ACTION];
811 	ipsec_act_t act, *actp, *endactp;
812 	struct spd_attribute *attrp, *endattrp;
813 	uint64_t *endp;
814 	int nact;
815 	boolean_t tunnel_polhead;
816 
817 	tunnel_polhead = (extv[SPD_EXT_TUN_NAME] != NULL &&
818 	    (((struct spd_rule *)extv[SPD_EXT_RULE])->spd_rule_flags &
819 	    SPD_RULE_FLAG_TUNNEL));
820 
821 	*actpp = NULL;
822 	*nactp = 0;
823 
824 	if (sactp == NULL) {
825 		*diag = SPD_DIAGNOSTIC_NO_ACTION_EXT;
826 		return (B_FALSE);
827 	}
828 
829 	/*
830 	 * Parse the "action" extension and convert into an action chain.
831 	 */
832 
833 	nact = sactp->spd_actions_count;
834 
835 	endp = (uint64_t *)sactp;
836 	endp += sactp->spd_actions_len;
837 	endattrp = (struct spd_attribute *)endp;
838 
839 	actp = kmem_alloc(sizeof (*actp) * nact, KM_NOSLEEP);
840 	if (actp == NULL) {
841 		*diag = SPD_DIAGNOSTIC_ADD_NO_MEM;
842 		return (B_FALSE);
843 	}
844 	*actpp = actp;
845 	*nactp = nact;
846 	endactp = actp + nact;
847 
848 	spdsock_reset_act(&act);
849 	attrp = (struct spd_attribute *)(&sactp[1]);
850 
851 	for (; attrp < endattrp; attrp++) {
852 		switch (attrp->spd_attr_tag) {
853 		case SPD_ATTR_NOP:
854 			break;
855 
856 		case SPD_ATTR_EMPTY:
857 			spdsock_reset_act(&act);
858 			break;
859 
860 		case SPD_ATTR_END:
861 			attrp = endattrp;
862 			/* FALLTHRU */
863 		case SPD_ATTR_NEXT:
864 			if (actp >= endactp) {
865 				*diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT;
866 				goto fail;
867 			}
868 			if (!spdsock_check_action(&act, tunnel_polhead,
869 			    diag, spds))
870 				goto fail;
871 			*actp++ = act;
872 			spdsock_reset_act(&act);
873 			break;
874 
875 		case SPD_ATTR_TYPE:
876 			if (!spd_convert_type(attrp->spd_attr_value, &act)) {
877 				*diag = SPD_DIAGNOSTIC_ADD_BAD_TYPE;
878 				goto fail;
879 			}
880 			break;
881 
882 		case SPD_ATTR_FLAGS:
883 			if (!tunnel_polhead && extv[SPD_EXT_TUN_NAME] != NULL) {
884 				/*
885 				 * Set "sa unique" for transport-mode
886 				 * tunnels whether we want to or not.
887 				 */
888 				attrp->spd_attr_value |= SPD_APPLY_UNIQUE;
889 			}
890 			if (!spd_convert_flags(attrp->spd_attr_value, &act)) {
891 				*diag = SPD_DIAGNOSTIC_ADD_BAD_FLAGS;
892 				goto fail;
893 			}
894 			break;
895 
896 		case SPD_ATTR_AH_AUTH:
897 			if (attrp->spd_attr_value == 0) {
898 				*diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG;
899 				goto fail;
900 			}
901 			act.ipa_apply.ipp_auth_alg = attrp->spd_attr_value;
902 			break;
903 
904 		case SPD_ATTR_ESP_ENCR:
905 			if (attrp->spd_attr_value == 0) {
906 				*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG;
907 				goto fail;
908 			}
909 			act.ipa_apply.ipp_encr_alg = attrp->spd_attr_value;
910 			break;
911 
912 		case SPD_ATTR_ESP_AUTH:
913 			if (attrp->spd_attr_value == 0) {
914 				*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG;
915 				goto fail;
916 			}
917 			act.ipa_apply.ipp_esp_auth_alg = attrp->spd_attr_value;
918 			break;
919 
920 		case SPD_ATTR_ENCR_MINBITS:
921 			act.ipa_apply.ipp_espe_minbits = attrp->spd_attr_value;
922 			break;
923 
924 		case SPD_ATTR_ENCR_MAXBITS:
925 			act.ipa_apply.ipp_espe_maxbits = attrp->spd_attr_value;
926 			break;
927 
928 		case SPD_ATTR_AH_MINBITS:
929 			act.ipa_apply.ipp_ah_minbits = attrp->spd_attr_value;
930 			break;
931 
932 		case SPD_ATTR_AH_MAXBITS:
933 			act.ipa_apply.ipp_ah_maxbits = attrp->spd_attr_value;
934 			break;
935 
936 		case SPD_ATTR_ESPA_MINBITS:
937 			act.ipa_apply.ipp_espa_minbits = attrp->spd_attr_value;
938 			break;
939 
940 		case SPD_ATTR_ESPA_MAXBITS:
941 			act.ipa_apply.ipp_espa_maxbits = attrp->spd_attr_value;
942 			break;
943 
944 		case SPD_ATTR_LIFE_SOFT_TIME:
945 		case SPD_ATTR_LIFE_HARD_TIME:
946 		case SPD_ATTR_LIFE_SOFT_BYTES:
947 		case SPD_ATTR_LIFE_HARD_BYTES:
948 			break;
949 
950 		case SPD_ATTR_KM_PROTO:
951 			act.ipa_apply.ipp_km_proto = attrp->spd_attr_value;
952 			break;
953 
954 		case SPD_ATTR_KM_COOKIE:
955 			act.ipa_apply.ipp_km_cookie = attrp->spd_attr_value;
956 			break;
957 
958 		case SPD_ATTR_REPLAY_DEPTH:
959 			act.ipa_apply.ipp_replay_depth = attrp->spd_attr_value;
960 			break;
961 		}
962 	}
963 	if (actp != endactp) {
964 		*diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT;
965 		goto fail;
966 	}
967 
968 	return (B_TRUE);
969 fail:
970 	ipsec_actvec_free(*actpp, nact);
971 	*actpp = NULL;
972 	return (B_FALSE);
973 }
974 
975 typedef struct
976 {
977 	ipsec_policy_t *pol;
978 	int dir;
979 } tmprule_t;
980 
981 static int
982 mkrule(ipsec_policy_head_t *iph, struct spd_rule *rule,
983     ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t af,
984     tmprule_t **rp, uint64_t *index, spd_stack_t *spds)
985 {
986 	ipsec_policy_t *pol;
987 
988 	sel->ipsl_valid &= ~(IPSL_IPV6|IPSL_IPV4);
989 	sel->ipsl_valid |= af;
990 
991 	pol = ipsec_policy_create(sel, actp, nact, rule->spd_rule_priority,
992 	    index, spds->spds_netstack);
993 	if (pol == NULL)
994 		return (ENOMEM);
995 
996 	(*rp)->pol = pol;
997 	(*rp)->dir = dir;
998 	(*rp)++;
999 
1000 	if (!ipsec_check_policy(iph, pol, dir))
1001 		return (EEXIST);
1002 
1003 	rule->spd_rule_index = pol->ipsp_index;
1004 	return (0);
1005 }
1006 
1007 static int
1008 mkrulepair(ipsec_policy_head_t *iph, struct spd_rule *rule,
1009     ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t afs,
1010     tmprule_t **rp, uint64_t *index, spd_stack_t *spds)
1011 {
1012 	int error;
1013 
1014 	if (afs & IPSL_IPV4) {
1015 		error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV4, rp,
1016 		    index, spds);
1017 		if (error != 0)
1018 			return (error);
1019 	}
1020 	if (afs & IPSL_IPV6) {
1021 		error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV6, rp,
1022 		    index, spds);
1023 		if (error != 0)
1024 			return (error);
1025 	}
1026 	return (0);
1027 }
1028 
1029 
1030 static void
1031 spdsock_addrule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1032     spd_ext_t **extv, ipsec_tun_pol_t *itp)
1033 {
1034 	ipsec_selkey_t sel;
1035 	ipsec_act_t *actp;
1036 	uint_t nact;
1037 	int diag = 0, error, afs;
1038 	struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE];
1039 	tmprule_t rules[4], *rulep = &rules[0];
1040 	boolean_t tunnel_mode, empty_itp, active;
1041 	uint64_t *index = (itp == NULL) ? NULL : &itp->itp_next_policy_index;
1042 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
1043 	spd_stack_t *spds = ss->spdsock_spds;
1044 	uint32_t auditing = AU_AUDITING();
1045 
1046 	if (rule == NULL) {
1047 		spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT);
1048 		if (auditing) {
1049 			spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1050 			cred_t *cr;
1051 			pid_t cpid;
1052 
1053 			cr = msg_getcred(mp, &cpid);
1054 			active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1055 			audit_pf_policy(SPD_ADDRULE, cr,
1056 			    spds->spds_netstack, ITP_NAME(itp), active,
1057 			    SPD_DIAGNOSTIC_NO_RULE_EXT, cpid);
1058 		}
1059 		return;
1060 	}
1061 
1062 	tunnel_mode = (rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL);
1063 
1064 	if (itp != NULL) {
1065 		mutex_enter(&itp->itp_lock);
1066 		ASSERT(itp->itp_policy == iph || itp->itp_inactive == iph);
1067 		active = (itp->itp_policy == iph);
1068 		if (ITP_P_ISACTIVE(itp, iph)) {
1069 			/* Check for mix-and-match of tunnel/transport. */
1070 			if ((tunnel_mode && !ITP_P_ISTUNNEL(itp, iph)) ||
1071 			    (!tunnel_mode && ITP_P_ISTUNNEL(itp, iph))) {
1072 				mutex_exit(&itp->itp_lock);
1073 				spdsock_error(q, mp, EBUSY, 0);
1074 				return;
1075 			}
1076 			empty_itp = B_FALSE;
1077 		} else {
1078 			empty_itp = B_TRUE;
1079 			itp->itp_flags = active ? ITPF_P_ACTIVE : ITPF_I_ACTIVE;
1080 			if (tunnel_mode)
1081 				itp->itp_flags |= active ? ITPF_P_TUNNEL :
1082 				    ITPF_I_TUNNEL;
1083 		}
1084 	} else {
1085 		empty_itp = B_FALSE;
1086 	}
1087 
1088 	if (rule->spd_rule_index != 0) {
1089 		diag = SPD_DIAGNOSTIC_INVALID_RULE_INDEX;
1090 		error = EINVAL;
1091 		goto fail2;
1092 	}
1093 
1094 	if (!spdsock_ext_to_sel(extv, &sel, &diag)) {
1095 		error = EINVAL;
1096 		goto fail2;
1097 	}
1098 
1099 	if (itp != NULL) {
1100 		if (tunnel_mode) {
1101 			if (sel.ipsl_valid &
1102 			    (IPSL_REMOTE_PORT | IPSL_LOCAL_PORT)) {
1103 				itp->itp_flags |= active ?
1104 				    ITPF_P_PER_PORT_SECURITY :
1105 				    ITPF_I_PER_PORT_SECURITY;
1106 			}
1107 		} else {
1108 			/*
1109 			 * For now, we don't allow transport-mode on a tunnel
1110 			 * with ANY specific selectors.  Bail if we have such
1111 			 * a request.
1112 			 */
1113 			if (sel.ipsl_valid & IPSL_WILDCARD) {
1114 				diag = SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS;
1115 				error = EINVAL;
1116 				goto fail2;
1117 			}
1118 		}
1119 	}
1120 
1121 	if (!spdsock_ext_to_actvec(extv, &actp, &nact, &diag, spds)) {
1122 		error = EINVAL;
1123 		goto fail2;
1124 	}
1125 	/*
1126 	 * If no addresses were specified, add both.
1127 	 */
1128 	afs = sel.ipsl_valid & (IPSL_IPV6|IPSL_IPV4);
1129 	if (afs == 0)
1130 		afs = (IPSL_IPV6|IPSL_IPV4);
1131 
1132 	rw_enter(&iph->iph_lock, RW_WRITER);
1133 
1134 	if (rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) {
1135 		error = mkrulepair(iph, rule, &sel, actp, nact,
1136 		    IPSEC_TYPE_OUTBOUND, afs, &rulep, index, spds);
1137 		if (error != 0)
1138 			goto fail;
1139 	}
1140 
1141 	if (rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) {
1142 		error = mkrulepair(iph, rule, &sel, actp, nact,
1143 		    IPSEC_TYPE_INBOUND, afs, &rulep, index, spds);
1144 		if (error != 0)
1145 			goto fail;
1146 	}
1147 
1148 	while ((--rulep) >= &rules[0]) {
1149 		ipsec_enter_policy(iph, rulep->pol, rulep->dir,
1150 		    spds->spds_netstack);
1151 	}
1152 	rw_exit(&iph->iph_lock);
1153 	if (itp != NULL)
1154 		mutex_exit(&itp->itp_lock);
1155 
1156 	ipsec_actvec_free(actp, nact);
1157 	spd_echo(q, mp);
1158 	if (auditing) {
1159 		spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1160 		cred_t *cr;
1161 		pid_t cpid;
1162 
1163 		cr = msg_getcred(mp, &cpid);
1164 		active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1165 		audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack,
1166 		    ITP_NAME(itp), active, 0, cpid);
1167 	}
1168 	return;
1169 
1170 fail:
1171 	rw_exit(&iph->iph_lock);
1172 	while ((--rulep) >= &rules[0])
1173 		IPPOL_REFRELE(rulep->pol);
1174 	ipsec_actvec_free(actp, nact);
1175 fail2:
1176 	if (itp != NULL) {
1177 		if (empty_itp)
1178 			itp->itp_flags = 0;
1179 		mutex_exit(&itp->itp_lock);
1180 	}
1181 	spdsock_error(q, mp, error, diag);
1182 	if (auditing) {
1183 		spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1184 		cred_t *cr;
1185 		pid_t cpid;
1186 
1187 		cr = msg_getcred(mp, &cpid);
1188 		active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1189 		audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack,
1190 		    ITP_NAME(itp), active, error, cpid);
1191 	}
1192 }
1193 
1194 void
1195 spdsock_deleterule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1196     spd_ext_t **extv, ipsec_tun_pol_t *itp)
1197 {
1198 	ipsec_selkey_t sel;
1199 	struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE];
1200 	int err, diag = 0;
1201 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
1202 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
1203 	uint32_t auditing = AU_AUDITING();
1204 
1205 	if (rule == NULL) {
1206 		spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT);
1207 		if (auditing) {
1208 			boolean_t active;
1209 			spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1210 			cred_t *cr;
1211 			pid_t cpid;
1212 
1213 			cr = msg_getcred(mp, &cpid);
1214 			active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1215 			audit_pf_policy(SPD_DELETERULE, cr, ns,
1216 			    ITP_NAME(itp), active, SPD_DIAGNOSTIC_NO_RULE_EXT,
1217 			    cpid);
1218 		}
1219 		return;
1220 	}
1221 
1222 	/*
1223 	 * Must enter itp_lock first to avoid deadlock.  See tun.c's
1224 	 * set_sec_simple() for the other case of itp_lock and iph_lock.
1225 	 */
1226 	if (itp != NULL)
1227 		mutex_enter(&itp->itp_lock);
1228 
1229 	if (rule->spd_rule_index != 0) {
1230 		if (ipsec_policy_delete_index(iph, rule->spd_rule_index, ns) !=
1231 		    0) {
1232 			err = ESRCH;
1233 			goto fail;
1234 		}
1235 	} else {
1236 		if (!spdsock_ext_to_sel(extv, &sel, &diag)) {
1237 			err = EINVAL;	/* diag already set... */
1238 			goto fail;
1239 		}
1240 
1241 		if ((rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) &&
1242 		    !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_INBOUND, ns)) {
1243 			err = ESRCH;
1244 			goto fail;
1245 		}
1246 
1247 		if ((rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) &&
1248 		    !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_OUTBOUND, ns)) {
1249 			err = ESRCH;
1250 			goto fail;
1251 		}
1252 	}
1253 
1254 	if (itp != NULL) {
1255 		ASSERT(iph == itp->itp_policy || iph == itp->itp_inactive);
1256 		rw_enter(&iph->iph_lock, RW_READER);
1257 		if (avl_numnodes(&iph->iph_rulebyid) == 0) {
1258 			if (iph == itp->itp_policy)
1259 				itp->itp_flags &= ~ITPF_PFLAGS;
1260 			else
1261 				itp->itp_flags &= ~ITPF_IFLAGS;
1262 		}
1263 		/* Can exit locks in any order. */
1264 		rw_exit(&iph->iph_lock);
1265 		mutex_exit(&itp->itp_lock);
1266 	}
1267 	spd_echo(q, mp);
1268 	if (auditing) {
1269 		boolean_t active;
1270 		spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1271 		cred_t *cr;
1272 		pid_t cpid;
1273 
1274 		cr = msg_getcred(mp, &cpid);
1275 		active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1276 		audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp),
1277 		    active, 0, cpid);
1278 	}
1279 	return;
1280 fail:
1281 	if (itp != NULL)
1282 		mutex_exit(&itp->itp_lock);
1283 	spdsock_error(q, mp, err, diag);
1284 	if (auditing) {
1285 		boolean_t active;
1286 		spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1287 		cred_t *cr;
1288 		pid_t cpid;
1289 
1290 		cr = msg_getcred(mp, &cpid);
1291 		active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1292 		audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp),
1293 		    active, err, cpid);
1294 	}
1295 }
1296 
1297 /* Do NOT consume a reference to itp. */
1298 /* ARGSUSED */
1299 static void
1300 spdsock_flip_node(ipsec_tun_pol_t *itp, void *ignoreme, netstack_t *ns)
1301 {
1302 	mutex_enter(&itp->itp_lock);
1303 	ITPF_SWAP(itp->itp_flags);
1304 	ipsec_swap_policy(itp->itp_policy, itp->itp_inactive, ns);
1305 	mutex_exit(&itp->itp_lock);
1306 	/* SPD_FLIP is worth a tunnel MTU check. */
1307 	update_iptun_policy(itp);
1308 }
1309 
1310 void
1311 spdsock_flip(queue_t *q, mblk_t *mp, spd_if_t *tunname)
1312 {
1313 	char *tname;
1314 	ipsec_tun_pol_t *itp;
1315 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
1316 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
1317 	uint32_t auditing = AU_AUDITING();
1318 
1319 	if (tunname != NULL) {
1320 		tname = (char *)tunname->spd_if_name;
1321 		if (*tname == '\0') {
1322 			/* can't fail */
1323 			ipsec_swap_global_policy(ns);
1324 			if (auditing) {
1325 				boolean_t active;
1326 				spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1327 				cred_t *cr;
1328 				pid_t cpid;
1329 
1330 				cr = msg_getcred(mp, &cpid);
1331 				active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1332 				audit_pf_policy(SPD_FLIP, cr, ns,
1333 				    NULL, active, 0, cpid);
1334 			}
1335 			itp_walk(spdsock_flip_node, NULL, ns);
1336 			if (auditing) {
1337 				boolean_t active;
1338 				spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1339 				cred_t *cr;
1340 				pid_t cpid;
1341 
1342 				cr = msg_getcred(mp, &cpid);
1343 				active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1344 				audit_pf_policy(SPD_FLIP, cr, ns,
1345 				    "all tunnels", active, 0, cpid);
1346 			}
1347 		} else {
1348 			itp = get_tunnel_policy(tname, ns);
1349 			if (itp == NULL) {
1350 				/* Better idea for "tunnel not found"? */
1351 				spdsock_error(q, mp, ESRCH, 0);
1352 				if (auditing) {
1353 					boolean_t active;
1354 					spd_msg_t *spmsg =
1355 					    (spd_msg_t *)mp->b_rptr;
1356 					cred_t *cr;
1357 					pid_t cpid;
1358 
1359 					cr = msg_getcred(mp, &cpid);
1360 					active = (spmsg->spd_msg_spdid ==
1361 					    SPD_ACTIVE);
1362 					audit_pf_policy(SPD_FLIP, cr, ns,
1363 					    ITP_NAME(itp), active,
1364 					    ESRCH, cpid);
1365 				}
1366 				return;
1367 			}
1368 			spdsock_flip_node(itp, NULL, ns);
1369 			if (auditing) {
1370 				boolean_t active;
1371 				spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1372 				cred_t *cr;
1373 				pid_t cpid;
1374 
1375 				cr = msg_getcred(mp, &cpid);
1376 				active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1377 				audit_pf_policy(SPD_FLIP, cr, ns,
1378 				    ITP_NAME(itp), active, 0, cpid);
1379 			}
1380 			ITP_REFRELE(itp, ns);
1381 		}
1382 	} else {
1383 		ipsec_swap_global_policy(ns);	/* can't fail */
1384 		if (auditing) {
1385 			boolean_t active;
1386 			spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1387 			cred_t *cr;
1388 			pid_t cpid;
1389 
1390 			cr = msg_getcred(mp, &cpid);
1391 			active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1392 			audit_pf_policy(SPD_FLIP, cr,
1393 			    ns, NULL, active, 0, cpid);
1394 		}
1395 	}
1396 	spd_echo(q, mp);
1397 }
1398 
1399 /*
1400  * Unimplemented feature
1401  */
1402 /* ARGSUSED */
1403 static void
1404 spdsock_lookup(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1405     spd_ext_t **extv, ipsec_tun_pol_t *itp)
1406 {
1407 	spdsock_error(q, mp, EINVAL, 0);
1408 }
1409 
1410 
1411 static mblk_t *
1412 spdsock_dump_ruleset(mblk_t *req, ipsec_policy_head_t *iph,
1413     uint32_t count, uint16_t error)
1414 {
1415 	size_t len = sizeof (spd_ruleset_ext_t) + sizeof (spd_msg_t);
1416 	spd_msg_t *msg;
1417 	spd_ruleset_ext_t *ruleset;
1418 	mblk_t *m = allocb(len, BPRI_HI);
1419 
1420 	ASSERT(RW_READ_HELD(&iph->iph_lock));
1421 
1422 	if (m == NULL) {
1423 		return (NULL);
1424 	}
1425 	msg = (spd_msg_t *)m->b_rptr;
1426 	ruleset = (spd_ruleset_ext_t *)(&msg[1]);
1427 
1428 	m->b_wptr = (uint8_t *)&ruleset[1];
1429 
1430 	*msg = *(spd_msg_t *)(req->b_rptr);
1431 	msg->spd_msg_len = SPD_8TO64(len);
1432 	msg->spd_msg_errno = error;
1433 
1434 	ruleset->spd_ruleset_len = SPD_8TO64(sizeof (*ruleset));
1435 	ruleset->spd_ruleset_type = SPD_EXT_RULESET;
1436 	ruleset->spd_ruleset_count = count;
1437 	ruleset->spd_ruleset_version = iph->iph_gen;
1438 	return (m);
1439 }
1440 
1441 static mblk_t *
1442 spdsock_dump_finish(spdsock_t *ss, int error)
1443 {
1444 	mblk_t *m;
1445 	ipsec_policy_head_t *iph = ss->spdsock_dump_head;
1446 	mblk_t *req = ss->spdsock_dump_req;
1447 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
1448 
1449 	rw_enter(&iph->iph_lock, RW_READER);
1450 	m = spdsock_dump_ruleset(req, iph, ss->spdsock_dump_count, error);
1451 	rw_exit(&iph->iph_lock);
1452 	IPPH_REFRELE(iph, ns);
1453 	if (ss->spdsock_itp != NULL) {
1454 		ITP_REFRELE(ss->spdsock_itp, ns);
1455 		ss->spdsock_itp = NULL;
1456 	}
1457 	ss->spdsock_dump_req = NULL;
1458 	freemsg(req);
1459 
1460 	return (m);
1461 }
1462 
1463 /*
1464  * Rule encoding functions.
1465  * We do a two-pass encode.
1466  * If base != NULL, fill in encoded rule part starting at base+offset.
1467  * Always return "offset" plus length of to-be-encoded data.
1468  */
1469 static uint_t
1470 spdsock_encode_typecode(uint8_t *base, uint_t offset, uint8_t type,
1471     uint8_t type_end, uint8_t code, uint8_t code_end)
1472 {
1473 	struct spd_typecode *tcp;
1474 
1475 	ASSERT(ALIGNED64(offset));
1476 
1477 	if (base != NULL) {
1478 		tcp = (struct spd_typecode *)(base + offset);
1479 		tcp->spd_typecode_len = SPD_8TO64(sizeof (*tcp));
1480 		tcp->spd_typecode_exttype = SPD_EXT_ICMP_TYPECODE;
1481 		tcp->spd_typecode_code = code;
1482 		tcp->spd_typecode_type = type;
1483 		tcp->spd_typecode_type_end = type_end;
1484 		tcp->spd_typecode_code_end = code_end;
1485 	}
1486 	offset += sizeof (*tcp);
1487 
1488 	ASSERT(ALIGNED64(offset));
1489 
1490 	return (offset);
1491 }
1492 
1493 static uint_t
1494 spdsock_encode_proto(uint8_t *base, uint_t offset, uint8_t proto)
1495 {
1496 	struct spd_proto *spp;
1497 
1498 	ASSERT(ALIGNED64(offset));
1499 
1500 	if (base != NULL) {
1501 		spp = (struct spd_proto *)(base + offset);
1502 		spp->spd_proto_len = SPD_8TO64(sizeof (*spp));
1503 		spp->spd_proto_exttype = SPD_EXT_PROTO;
1504 		spp->spd_proto_number = proto;
1505 		spp->spd_proto_reserved1 = 0;
1506 		spp->spd_proto_reserved2 = 0;
1507 	}
1508 	offset += sizeof (*spp);
1509 
1510 	ASSERT(ALIGNED64(offset));
1511 
1512 	return (offset);
1513 }
1514 
1515 static uint_t
1516 spdsock_encode_port(uint8_t *base, uint_t offset, uint16_t ext, uint16_t port)
1517 {
1518 	struct spd_portrange *spp;
1519 
1520 	ASSERT(ALIGNED64(offset));
1521 
1522 	if (base != NULL) {
1523 		spp = (struct spd_portrange *)(base + offset);
1524 		spp->spd_ports_len = SPD_8TO64(sizeof (*spp));
1525 		spp->spd_ports_exttype = ext;
1526 		spp->spd_ports_minport = port;
1527 		spp->spd_ports_maxport = port;
1528 	}
1529 	offset += sizeof (*spp);
1530 
1531 	ASSERT(ALIGNED64(offset));
1532 
1533 	return (offset);
1534 }
1535 
1536 static uint_t
1537 spdsock_encode_addr(uint8_t *base, uint_t offset, uint16_t ext,
1538     const ipsec_selkey_t *sel, const ipsec_addr_t *addr, uint_t pfxlen)
1539 {
1540 	struct spd_address *sae;
1541 	ipsec_addr_t *spdaddr;
1542 	uint_t start = offset;
1543 	uint_t addrlen;
1544 	uint_t af;
1545 
1546 	if (sel->ipsl_valid & IPSL_IPV4) {
1547 		af = AF_INET;
1548 		addrlen = IP_ADDR_LEN;
1549 	} else {
1550 		af = AF_INET6;
1551 		addrlen = IPV6_ADDR_LEN;
1552 	}
1553 
1554 	ASSERT(ALIGNED64(offset));
1555 
1556 	if (base != NULL) {
1557 		sae = (struct spd_address *)(base + offset);
1558 		sae->spd_address_exttype = ext;
1559 		sae->spd_address_af = af;
1560 		sae->spd_address_prefixlen = pfxlen;
1561 		sae->spd_address_reserved2 = 0;
1562 
1563 		spdaddr = (ipsec_addr_t *)(&sae[1]);
1564 		bcopy(addr, spdaddr, addrlen);
1565 	}
1566 	offset += sizeof (*sae);
1567 	addrlen = roundup(addrlen, sizeof (uint64_t));
1568 	offset += addrlen;
1569 
1570 	ASSERT(ALIGNED64(offset));
1571 
1572 	if (base != NULL)
1573 		sae->spd_address_len = SPD_8TO64(offset - start);
1574 	return (offset);
1575 }
1576 
1577 static uint_t
1578 spdsock_encode_sel(uint8_t *base, uint_t offset, const ipsec_sel_t *sel)
1579 {
1580 	const ipsec_selkey_t *selkey = &sel->ipsl_key;
1581 
1582 	if (selkey->ipsl_valid & IPSL_PROTOCOL)
1583 		offset = spdsock_encode_proto(base, offset, selkey->ipsl_proto);
1584 	if (selkey->ipsl_valid & IPSL_LOCAL_PORT)
1585 		offset = spdsock_encode_port(base, offset, SPD_EXT_LCLPORT,
1586 		    selkey->ipsl_lport);
1587 	if (selkey->ipsl_valid & IPSL_REMOTE_PORT)
1588 		offset = spdsock_encode_port(base, offset, SPD_EXT_REMPORT,
1589 		    selkey->ipsl_rport);
1590 	if (selkey->ipsl_valid & IPSL_REMOTE_ADDR)
1591 		offset = spdsock_encode_addr(base, offset, SPD_EXT_REMADDR,
1592 		    selkey, &selkey->ipsl_remote, selkey->ipsl_remote_pfxlen);
1593 	if (selkey->ipsl_valid & IPSL_LOCAL_ADDR)
1594 		offset = spdsock_encode_addr(base, offset, SPD_EXT_LCLADDR,
1595 		    selkey, &selkey->ipsl_local, selkey->ipsl_local_pfxlen);
1596 	if (selkey->ipsl_valid & IPSL_ICMP_TYPE) {
1597 		offset = spdsock_encode_typecode(base, offset,
1598 		    selkey->ipsl_icmp_type, selkey->ipsl_icmp_type_end,
1599 		    (selkey->ipsl_valid & IPSL_ICMP_CODE) ?
1600 		    selkey->ipsl_icmp_code : 255,
1601 		    (selkey->ipsl_valid & IPSL_ICMP_CODE) ?
1602 		    selkey->ipsl_icmp_code_end : 255);
1603 	}
1604 	return (offset);
1605 }
1606 
1607 static uint_t
1608 spdsock_encode_actattr(uint8_t *base, uint_t offset, uint32_t tag,
1609     uint32_t value)
1610 {
1611 	struct spd_attribute *attr;
1612 
1613 	ASSERT(ALIGNED64(offset));
1614 
1615 	if (base != NULL) {
1616 		attr = (struct spd_attribute *)(base + offset);
1617 		attr->spd_attr_tag = tag;
1618 		attr->spd_attr_value = value;
1619 	}
1620 	offset += sizeof (struct spd_attribute);
1621 
1622 	ASSERT(ALIGNED64(offset));
1623 
1624 	return (offset);
1625 }
1626 
1627 
1628 #define	EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v))
1629 
1630 static uint_t
1631 spdsock_encode_action(uint8_t *base, uint_t offset, const ipsec_action_t *ap)
1632 {
1633 	const struct ipsec_act *act = &(ap->ipa_act);
1634 	uint_t flags;
1635 
1636 	EMIT(SPD_ATTR_EMPTY, 0);
1637 	switch (act->ipa_type) {
1638 	case IPSEC_ACT_DISCARD:
1639 	case IPSEC_ACT_REJECT:
1640 		EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_DROP);
1641 		break;
1642 	case IPSEC_ACT_BYPASS:
1643 	case IPSEC_ACT_CLEAR:
1644 		EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_PASS);
1645 		break;
1646 
1647 	case IPSEC_ACT_APPLY:
1648 		EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_IPSEC);
1649 		flags = 0;
1650 		if (act->ipa_apply.ipp_use_ah)
1651 			flags |= SPD_APPLY_AH;
1652 		if (act->ipa_apply.ipp_use_esp)
1653 			flags |= SPD_APPLY_ESP;
1654 		if (act->ipa_apply.ipp_use_espa)
1655 			flags |= SPD_APPLY_ESPA;
1656 		if (act->ipa_apply.ipp_use_se)
1657 			flags |= SPD_APPLY_SE;
1658 		if (act->ipa_apply.ipp_use_unique)
1659 			flags |= SPD_APPLY_UNIQUE;
1660 		EMIT(SPD_ATTR_FLAGS, flags);
1661 		if (flags & SPD_APPLY_AH) {
1662 			EMIT(SPD_ATTR_AH_AUTH, act->ipa_apply.ipp_auth_alg);
1663 			EMIT(SPD_ATTR_AH_MINBITS,
1664 			    act->ipa_apply.ipp_ah_minbits);
1665 			EMIT(SPD_ATTR_AH_MAXBITS,
1666 			    act->ipa_apply.ipp_ah_maxbits);
1667 		}
1668 		if (flags & SPD_APPLY_ESP) {
1669 			EMIT(SPD_ATTR_ESP_ENCR, act->ipa_apply.ipp_encr_alg);
1670 			EMIT(SPD_ATTR_ENCR_MINBITS,
1671 			    act->ipa_apply.ipp_espe_minbits);
1672 			EMIT(SPD_ATTR_ENCR_MAXBITS,
1673 			    act->ipa_apply.ipp_espe_maxbits);
1674 			if (flags & SPD_APPLY_ESPA) {
1675 				EMIT(SPD_ATTR_ESP_AUTH,
1676 				    act->ipa_apply.ipp_esp_auth_alg);
1677 				EMIT(SPD_ATTR_ESPA_MINBITS,
1678 				    act->ipa_apply.ipp_espa_minbits);
1679 				EMIT(SPD_ATTR_ESPA_MAXBITS,
1680 				    act->ipa_apply.ipp_espa_maxbits);
1681 			}
1682 		}
1683 		if (act->ipa_apply.ipp_km_proto != 0)
1684 			EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_proto);
1685 		if (act->ipa_apply.ipp_km_cookie != 0)
1686 			EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_cookie);
1687 		if (act->ipa_apply.ipp_replay_depth != 0)
1688 			EMIT(SPD_ATTR_REPLAY_DEPTH,
1689 			    act->ipa_apply.ipp_replay_depth);
1690 		/* Add more here */
1691 		break;
1692 	}
1693 
1694 	return (offset);
1695 }
1696 
1697 static uint_t
1698 spdsock_encode_action_list(uint8_t *base, uint_t offset,
1699     const ipsec_action_t *ap)
1700 {
1701 	struct spd_ext_actions *act;
1702 	uint_t nact = 0;
1703 	uint_t start = offset;
1704 
1705 	ASSERT(ALIGNED64(offset));
1706 
1707 	if (base != NULL) {
1708 		act = (struct spd_ext_actions *)(base + offset);
1709 		act->spd_actions_len = 0;
1710 		act->spd_actions_exttype = SPD_EXT_ACTION;
1711 		act->spd_actions_count = 0;
1712 		act->spd_actions_reserved = 0;
1713 	}
1714 
1715 	offset += sizeof (*act);
1716 
1717 	ASSERT(ALIGNED64(offset));
1718 
1719 	while (ap != NULL) {
1720 		offset = spdsock_encode_action(base, offset, ap);
1721 		ap = ap->ipa_next;
1722 		nact++;
1723 		if (ap != NULL) {
1724 			EMIT(SPD_ATTR_NEXT, 0);
1725 		}
1726 	}
1727 	EMIT(SPD_ATTR_END, 0);
1728 
1729 	ASSERT(ALIGNED64(offset));
1730 
1731 	if (base != NULL) {
1732 		act->spd_actions_count = nact;
1733 		act->spd_actions_len = SPD_8TO64(offset - start);
1734 	}
1735 
1736 	return (offset);
1737 }
1738 
1739 #undef EMIT
1740 
1741 /* ARGSUSED */
1742 static uint_t
1743 spdsock_rule_flags(uint_t dir, uint_t af)
1744 {
1745 	uint_t flags = 0;
1746 
1747 	if (dir == IPSEC_TYPE_INBOUND)
1748 		flags |= SPD_RULE_FLAG_INBOUND;
1749 	if (dir == IPSEC_TYPE_OUTBOUND)
1750 		flags |= SPD_RULE_FLAG_OUTBOUND;
1751 
1752 	return (flags);
1753 }
1754 
1755 
1756 static uint_t
1757 spdsock_encode_rule_head(uint8_t *base, uint_t offset, spd_msg_t *req,
1758     const ipsec_policy_t *rule, uint_t dir, uint_t af, char *name,
1759     boolean_t tunnel)
1760 {
1761 	struct spd_msg *spmsg;
1762 	struct spd_rule *spr;
1763 	spd_if_t *sid;
1764 
1765 	uint_t start = offset;
1766 
1767 	ASSERT(ALIGNED64(offset));
1768 
1769 	if (base != NULL) {
1770 		spmsg = (struct spd_msg *)(base + offset);
1771 		bzero(spmsg, sizeof (*spmsg));
1772 		spmsg->spd_msg_version = PF_POLICY_V1;
1773 		spmsg->spd_msg_type = SPD_DUMP;
1774 		spmsg->spd_msg_seq = req->spd_msg_seq;
1775 		spmsg->spd_msg_pid = req->spd_msg_pid;
1776 	}
1777 	offset += sizeof (struct spd_msg);
1778 
1779 	ASSERT(ALIGNED64(offset));
1780 
1781 	if (base != NULL) {
1782 		spr = (struct spd_rule *)(base + offset);
1783 		spr->spd_rule_type = SPD_EXT_RULE;
1784 		spr->spd_rule_priority = rule->ipsp_prio;
1785 		spr->spd_rule_flags = spdsock_rule_flags(dir, af);
1786 		if (tunnel)
1787 			spr->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL;
1788 		spr->spd_rule_unused = 0;
1789 		spr->spd_rule_len = SPD_8TO64(sizeof (*spr));
1790 		spr->spd_rule_index = rule->ipsp_index;
1791 	}
1792 	offset += sizeof (struct spd_rule);
1793 
1794 	/*
1795 	 * If we have an interface name (i.e. if this policy head came from
1796 	 * a tunnel), add the SPD_EXT_TUN_NAME extension.
1797 	 */
1798 	if (name != NULL) {
1799 
1800 		ASSERT(ALIGNED64(offset));
1801 
1802 		if (base != NULL) {
1803 			sid = (spd_if_t *)(base + offset);
1804 			sid->spd_if_exttype = SPD_EXT_TUN_NAME;
1805 			sid->spd_if_len = SPD_8TO64(sizeof (spd_if_t) +
1806 			    roundup((strlen(name) - 4), 8));
1807 			(void) strlcpy((char *)sid->spd_if_name, name,
1808 			    LIFNAMSIZ);
1809 		}
1810 
1811 		offset += sizeof (spd_if_t) + roundup((strlen(name) - 4), 8);
1812 	}
1813 
1814 	offset = spdsock_encode_sel(base, offset, rule->ipsp_sel);
1815 	offset = spdsock_encode_action_list(base, offset, rule->ipsp_act);
1816 
1817 	ASSERT(ALIGNED64(offset));
1818 
1819 	if (base != NULL) {
1820 		spmsg->spd_msg_len = SPD_8TO64(offset - start);
1821 	}
1822 	return (offset);
1823 }
1824 
1825 /* ARGSUSED */
1826 static mblk_t *
1827 spdsock_encode_rule(mblk_t *req, const ipsec_policy_t *rule,
1828     uint_t dir, uint_t af, char *name, boolean_t tunnel)
1829 {
1830 	mblk_t *m;
1831 	uint_t len;
1832 	spd_msg_t *mreq = (spd_msg_t *)req->b_rptr;
1833 
1834 	/*
1835 	 * Figure out how much space we'll need.
1836 	 */
1837 	len = spdsock_encode_rule_head(NULL, 0, mreq, rule, dir, af, name,
1838 	    tunnel);
1839 
1840 	/*
1841 	 * Allocate mblk.
1842 	 */
1843 	m = allocb(len, BPRI_HI);
1844 	if (m == NULL)
1845 		return (NULL);
1846 
1847 	/*
1848 	 * Fill it in..
1849 	 */
1850 	m->b_wptr = m->b_rptr + len;
1851 	bzero(m->b_rptr, len);
1852 	(void) spdsock_encode_rule_head(m->b_rptr, 0, mreq, rule, dir, af,
1853 	    name, tunnel);
1854 	return (m);
1855 }
1856 
1857 static ipsec_policy_t *
1858 spdsock_dump_next_in_chain(spdsock_t *ss, ipsec_policy_head_t *iph,
1859     ipsec_policy_t *cur)
1860 {
1861 	ASSERT(RW_READ_HELD(&iph->iph_lock));
1862 
1863 	ss->spdsock_dump_count++;
1864 	ss->spdsock_dump_cur_rule = cur->ipsp_hash.hash_next;
1865 	return (cur);
1866 }
1867 
1868 static ipsec_policy_t *
1869 spdsock_dump_next_rule(spdsock_t *ss, ipsec_policy_head_t *iph)
1870 {
1871 	ipsec_policy_t *cur;
1872 	ipsec_policy_root_t *ipr;
1873 	int chain, nchains, type, af;
1874 
1875 	ASSERT(RW_READ_HELD(&iph->iph_lock));
1876 
1877 	cur = ss->spdsock_dump_cur_rule;
1878 
1879 	if (cur != NULL)
1880 		return (spdsock_dump_next_in_chain(ss, iph, cur));
1881 
1882 	type = ss->spdsock_dump_cur_type;
1883 
1884 next:
1885 	chain = ss->spdsock_dump_cur_chain;
1886 	ipr = &iph->iph_root[type];
1887 	nchains = ipr->ipr_nchains;
1888 
1889 	while (chain < nchains) {
1890 		cur = ipr->ipr_hash[chain].hash_head;
1891 		chain++;
1892 		if (cur != NULL) {
1893 			ss->spdsock_dump_cur_chain = chain;
1894 			return (spdsock_dump_next_in_chain(ss, iph, cur));
1895 		}
1896 	}
1897 	ss->spdsock_dump_cur_chain = nchains;
1898 
1899 	af = ss->spdsock_dump_cur_af;
1900 	while (af < IPSEC_NAF) {
1901 		cur = ipr->ipr_nonhash[af];
1902 		af++;
1903 		if (cur != NULL) {
1904 			ss->spdsock_dump_cur_af = af;
1905 			return (spdsock_dump_next_in_chain(ss, iph, cur));
1906 		}
1907 	}
1908 
1909 	type++;
1910 	if (type >= IPSEC_NTYPES)
1911 		return (NULL);
1912 
1913 	ss->spdsock_dump_cur_chain = 0;
1914 	ss->spdsock_dump_cur_type = type;
1915 	ss->spdsock_dump_cur_af = IPSEC_AF_V4;
1916 	goto next;
1917 
1918 }
1919 
1920 /*
1921  * If we're done with one policy head, but have more to go, we iterate through
1922  * another IPsec tunnel policy head (itp).  Return NULL if it is an error
1923  * worthy of returning EAGAIN via PF_POLICY.
1924  */
1925 static ipsec_tun_pol_t *
1926 spdsock_dump_iterate_next_tunnel(spdsock_t *ss, ipsec_stack_t *ipss)
1927 {
1928 	ipsec_tun_pol_t *itp;
1929 
1930 	ASSERT(RW_READ_HELD(&ipss->ipsec_tunnel_policy_lock));
1931 	if (ipss->ipsec_tunnel_policy_gen > ss->spdsock_dump_tun_gen) {
1932 		/* Oops, state of the tunnel polheads changed. */
1933 		itp = NULL;
1934 	} else if (ss->spdsock_itp == NULL) {
1935 		/* Just finished global, find first node. */
1936 		itp = avl_first(&ipss->ipsec_tunnel_policies);
1937 	} else {
1938 		/* We just finished current polhead, find the next one. */
1939 		itp = AVL_NEXT(&ipss->ipsec_tunnel_policies, ss->spdsock_itp);
1940 	}
1941 	if (itp != NULL) {
1942 		ITP_REFHOLD(itp);
1943 	}
1944 	if (ss->spdsock_itp != NULL) {
1945 		ITP_REFRELE(ss->spdsock_itp, ipss->ipsec_netstack);
1946 	}
1947 	ss->spdsock_itp = itp;
1948 	return (itp);
1949 }
1950 
1951 static mblk_t *
1952 spdsock_dump_next_record(spdsock_t *ss)
1953 {
1954 	ipsec_policy_head_t *iph;
1955 	ipsec_policy_t *rule;
1956 	mblk_t *m;
1957 	ipsec_tun_pol_t *itp;
1958 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
1959 	ipsec_stack_t *ipss = ns->netstack_ipsec;
1960 
1961 	iph = ss->spdsock_dump_head;
1962 
1963 	ASSERT(iph != NULL);
1964 
1965 	rw_enter(&iph->iph_lock, RW_READER);
1966 
1967 	if (iph->iph_gen != ss->spdsock_dump_gen) {
1968 		rw_exit(&iph->iph_lock);
1969 		return (spdsock_dump_finish(ss, EAGAIN));
1970 	}
1971 
1972 	while ((rule = spdsock_dump_next_rule(ss, iph)) == NULL) {
1973 		rw_exit(&iph->iph_lock);
1974 		if (--(ss->spdsock_dump_remaining_polheads) == 0)
1975 			return (spdsock_dump_finish(ss, 0));
1976 
1977 
1978 		/*
1979 		 * If we reach here, we have more policy heads (tunnel
1980 		 * entries) to dump.  Let's reset to a new policy head
1981 		 * and get some more rules.
1982 		 *
1983 		 * An empty policy head will have spdsock_dump_next_rule()
1984 		 * return NULL, and we loop (while dropping the number of
1985 		 * remaining polheads).  If we loop to 0, we finish.  We
1986 		 * keep looping until we hit 0 or until we have a rule to
1987 		 * encode.
1988 		 *
1989 		 * NOTE:  No need for ITP_REF*() macros here as we're only
1990 		 * going after and refholding the policy head itself.
1991 		 */
1992 		rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
1993 		itp = spdsock_dump_iterate_next_tunnel(ss, ipss);
1994 		if (itp == NULL) {
1995 			rw_exit(&ipss->ipsec_tunnel_policy_lock);
1996 			return (spdsock_dump_finish(ss, EAGAIN));
1997 		}
1998 
1999 		/* Reset other spdsock_dump thingies. */
2000 		IPPH_REFRELE(ss->spdsock_dump_head, ns);
2001 		if (ss->spdsock_dump_active) {
2002 			ss->spdsock_dump_tunnel =
2003 			    itp->itp_flags & ITPF_P_TUNNEL;
2004 			iph = itp->itp_policy;
2005 		} else {
2006 			ss->spdsock_dump_tunnel =
2007 			    itp->itp_flags & ITPF_I_TUNNEL;
2008 			iph = itp->itp_inactive;
2009 		}
2010 		IPPH_REFHOLD(iph);
2011 		rw_exit(&ipss->ipsec_tunnel_policy_lock);
2012 
2013 		rw_enter(&iph->iph_lock, RW_READER);
2014 		RESET_SPDSOCK_DUMP_POLHEAD(ss, iph);
2015 	}
2016 
2017 	m = spdsock_encode_rule(ss->spdsock_dump_req, rule,
2018 	    ss->spdsock_dump_cur_type, ss->spdsock_dump_cur_af,
2019 	    (ss->spdsock_itp == NULL) ? NULL : ss->spdsock_itp->itp_name,
2020 	    ss->spdsock_dump_tunnel);
2021 	rw_exit(&iph->iph_lock);
2022 
2023 	if (m == NULL)
2024 		return (spdsock_dump_finish(ss, ENOMEM));
2025 	return (m);
2026 }
2027 
2028 /*
2029  * Dump records until we run into flow-control back-pressure.
2030  */
2031 static void
2032 spdsock_dump_some(queue_t *q, spdsock_t *ss)
2033 {
2034 	mblk_t *m, *dataind;
2035 
2036 	while ((ss->spdsock_dump_req != NULL) && canputnext(q)) {
2037 		m = spdsock_dump_next_record(ss);
2038 		if (m == NULL)
2039 			return;
2040 		dataind = allocb(sizeof (struct T_data_req), BPRI_HI);
2041 		if (dataind == NULL) {
2042 			freemsg(m);
2043 			return;
2044 		}
2045 		dataind->b_cont = m;
2046 		dataind->b_wptr += sizeof (struct T_data_req);
2047 		((struct T_data_ind *)dataind->b_rptr)->PRIM_type = T_DATA_IND;
2048 		((struct T_data_ind *)dataind->b_rptr)->MORE_flag = 0;
2049 		dataind->b_datap->db_type = M_PROTO;
2050 		putnext(q, dataind);
2051 	}
2052 }
2053 
2054 /*
2055  * Start dumping.
2056  * Format a start-of-dump record, and set up the stream and kick the rsrv
2057  * procedure to continue the job..
2058  */
2059 /* ARGSUSED */
2060 static void
2061 spdsock_dump(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp)
2062 {
2063 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
2064 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
2065 	ipsec_stack_t *ipss = ns->netstack_ipsec;
2066 	mblk_t *mr;
2067 
2068 	/* spdsock_open() already set spdsock_itp to NULL. */
2069 	if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) {
2070 		rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
2071 		ss->spdsock_dump_remaining_polheads = 1 +
2072 		    avl_numnodes(&ipss->ipsec_tunnel_policies);
2073 		ss->spdsock_dump_tun_gen = ipss->ipsec_tunnel_policy_gen;
2074 		rw_exit(&ipss->ipsec_tunnel_policy_lock);
2075 		if (iph == ALL_ACTIVE_POLHEADS) {
2076 			iph = ipsec_system_policy(ns);
2077 			ss->spdsock_dump_active = B_TRUE;
2078 		} else {
2079 			iph = ipsec_inactive_policy(ns);
2080 			ss->spdsock_dump_active = B_FALSE;
2081 		}
2082 		ASSERT(ss->spdsock_itp == NULL);
2083 	} else {
2084 		ss->spdsock_dump_remaining_polheads = 1;
2085 	}
2086 
2087 	rw_enter(&iph->iph_lock, RW_READER);
2088 
2089 	mr = spdsock_dump_ruleset(mp, iph, 0, 0);
2090 
2091 	if (!mr) {
2092 		rw_exit(&iph->iph_lock);
2093 		spdsock_error(q, mp, ENOMEM, 0);
2094 		return;
2095 	}
2096 
2097 	ss->spdsock_dump_req = mp;
2098 	RESET_SPDSOCK_DUMP_POLHEAD(ss, iph);
2099 
2100 	rw_exit(&iph->iph_lock);
2101 
2102 	qreply(q, mr);
2103 	qenable(OTHERQ(q));
2104 }
2105 
2106 /* Do NOT consume a reference to ITP. */
2107 void
2108 spdsock_clone_node(ipsec_tun_pol_t *itp, void *ep, netstack_t *ns)
2109 {
2110 	int *errptr = (int *)ep;
2111 
2112 	if (*errptr != 0)
2113 		return;	/* We've failed already for some reason. */
2114 	mutex_enter(&itp->itp_lock);
2115 	ITPF_CLONE(itp->itp_flags);
2116 	*errptr = ipsec_copy_polhead(itp->itp_policy, itp->itp_inactive, ns);
2117 	mutex_exit(&itp->itp_lock);
2118 }
2119 
2120 void
2121 spdsock_clone(queue_t *q, mblk_t *mp, spd_if_t *tunname)
2122 {
2123 	int error;
2124 	char *tname;
2125 	ipsec_tun_pol_t *itp;
2126 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
2127 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
2128 	uint32_t auditing = AU_AUDITING();
2129 
2130 	if (tunname != NULL) {
2131 		tname = (char *)tunname->spd_if_name;
2132 		if (*tname == '\0') {
2133 			error = ipsec_clone_system_policy(ns);
2134 			if (auditing) {
2135 				boolean_t active;
2136 				spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2137 				cred_t *cr;
2138 				pid_t cpid;
2139 
2140 				cr = msg_getcred(mp, &cpid);
2141 				active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2142 				audit_pf_policy(SPD_CLONE, cr, ns,
2143 				    NULL, active, error, cpid);
2144 			}
2145 			if (error == 0) {
2146 				itp_walk(spdsock_clone_node, &error, ns);
2147 				if (auditing) {
2148 					boolean_t active;
2149 					spd_msg_t *spmsg =
2150 					    (spd_msg_t *)mp->b_rptr;
2151 					cred_t *cr;
2152 					pid_t cpid;
2153 
2154 					cr = msg_getcred(mp, &cpid);
2155 					active = (spmsg->spd_msg_spdid ==
2156 					    SPD_ACTIVE);
2157 					audit_pf_policy(SPD_CLONE, cr,
2158 					    ns, "all tunnels", active, 0,
2159 					    cpid);
2160 				}
2161 			}
2162 		} else {
2163 			itp = get_tunnel_policy(tname, ns);
2164 			if (itp == NULL) {
2165 				spdsock_error(q, mp, ENOENT, 0);
2166 				if (auditing) {
2167 					boolean_t active;
2168 					spd_msg_t *spmsg =
2169 					    (spd_msg_t *)mp->b_rptr;
2170 					cred_t *cr;
2171 					pid_t cpid;
2172 
2173 					cr = msg_getcred(mp, &cpid);
2174 					active = (spmsg->spd_msg_spdid ==
2175 					    SPD_ACTIVE);
2176 					audit_pf_policy(SPD_CLONE, cr,
2177 					    ns, NULL, active, ENOENT, cpid);
2178 				}
2179 				return;
2180 			}
2181 			spdsock_clone_node(itp, &error, NULL);
2182 			if (auditing) {
2183 				boolean_t active;
2184 				spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2185 				cred_t *cr;
2186 				pid_t cpid;
2187 
2188 				cr = msg_getcred(mp, &cpid);
2189 				active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2190 				audit_pf_policy(SPD_CLONE, cr, ns,
2191 				    ITP_NAME(itp), active, error, cpid);
2192 			}
2193 			ITP_REFRELE(itp, ns);
2194 		}
2195 	} else {
2196 		error = ipsec_clone_system_policy(ns);
2197 		if (auditing) {
2198 			boolean_t active;
2199 			spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2200 			cred_t *cr;
2201 			pid_t cpid;
2202 
2203 			cr = msg_getcred(mp, &cpid);
2204 			active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2205 			audit_pf_policy(SPD_CLONE, cr, ns, NULL,
2206 			    active, error, cpid);
2207 		}
2208 	}
2209 
2210 	if (error != 0)
2211 		spdsock_error(q, mp, error, 0);
2212 	else
2213 		spd_echo(q, mp);
2214 }
2215 
2216 /*
2217  * Process a SPD_ALGLIST request. The caller expects separate alg entries
2218  * for AH authentication, ESP authentication, and ESP encryption.
2219  * The same distinction is then used when setting the min and max key
2220  * sizes when defining policies.
2221  */
2222 
2223 #define	SPDSOCK_AH_AUTH		0
2224 #define	SPDSOCK_ESP_AUTH	1
2225 #define	SPDSOCK_ESP_ENCR	2
2226 #define	SPDSOCK_NTYPES		3
2227 
2228 static const uint_t algattr[SPDSOCK_NTYPES] = {
2229 	SPD_ATTR_AH_AUTH,
2230 	SPD_ATTR_ESP_AUTH,
2231 	SPD_ATTR_ESP_ENCR
2232 };
2233 static const uint_t minbitsattr[SPDSOCK_NTYPES] = {
2234 	SPD_ATTR_AH_MINBITS,
2235 	SPD_ATTR_ESPA_MINBITS,
2236 	SPD_ATTR_ENCR_MINBITS
2237 };
2238 static const uint_t maxbitsattr[SPDSOCK_NTYPES] = {
2239 	SPD_ATTR_AH_MAXBITS,
2240 	SPD_ATTR_ESPA_MAXBITS,
2241 	SPD_ATTR_ENCR_MAXBITS
2242 };
2243 static const uint_t defbitsattr[SPDSOCK_NTYPES] = {
2244 	SPD_ATTR_AH_DEFBITS,
2245 	SPD_ATTR_ESPA_DEFBITS,
2246 	SPD_ATTR_ENCR_DEFBITS
2247 };
2248 static const uint_t incrbitsattr[SPDSOCK_NTYPES] = {
2249 	SPD_ATTR_AH_INCRBITS,
2250 	SPD_ATTR_ESPA_INCRBITS,
2251 	SPD_ATTR_ENCR_INCRBITS
2252 };
2253 
2254 #define	ATTRPERALG	6	/* fixed attributes per algs */
2255 
2256 void
2257 spdsock_alglist(queue_t *q, mblk_t *mp)
2258 {
2259 	uint_t algtype;
2260 	uint_t algidx;
2261 	uint_t algcount;
2262 	uint_t size;
2263 	mblk_t *m;
2264 	uint8_t *cur;
2265 	spd_msg_t *msg;
2266 	struct spd_ext_actions *act;
2267 	struct spd_attribute *attr;
2268 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
2269 	ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
2270 
2271 	mutex_enter(&ipss->ipsec_alg_lock);
2272 	/*
2273 	 * The SPD client expects to receive separate entries for
2274 	 * AH authentication and ESP authentication supported algorithms.
2275 	 *
2276 	 * Don't return the "any" algorithms, if defined, as no
2277 	 * kernel policies can be set for these algorithms.
2278 	 */
2279 	algcount = 2 * ipss->ipsec_nalgs[IPSEC_ALG_AUTH] +
2280 	    ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
2281 
2282 	if (ipss->ipsec_alglists[IPSEC_ALG_AUTH][SADB_AALG_NONE] != NULL)
2283 		algcount--;
2284 	if (ipss->ipsec_alglists[IPSEC_ALG_ENCR][SADB_EALG_NONE] != NULL)
2285 		algcount--;
2286 
2287 	/*
2288 	 * For each algorithm, we encode:
2289 	 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2290 	 */
2291 
2292 	size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions) +
2293 	    ATTRPERALG * sizeof (struct spd_attribute) * algcount;
2294 
2295 	ASSERT(ALIGNED64(size));
2296 
2297 	m = allocb(size, BPRI_HI);
2298 	if (m == NULL) {
2299 		mutex_exit(&ipss->ipsec_alg_lock);
2300 		spdsock_error(q, mp, ENOMEM, 0);
2301 		return;
2302 	}
2303 
2304 	m->b_wptr = m->b_rptr + size;
2305 	cur = m->b_rptr;
2306 
2307 	msg = (spd_msg_t *)cur;
2308 	bcopy(mp->b_rptr, cur, sizeof (*msg));
2309 
2310 	msg->spd_msg_len = SPD_8TO64(size);
2311 	msg->spd_msg_errno = 0;
2312 	msg->spd_msg_diagnostic = 0;
2313 
2314 	cur += sizeof (*msg);
2315 
2316 	act = (struct spd_ext_actions *)cur;
2317 	cur += sizeof (*act);
2318 
2319 	act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t));
2320 	act->spd_actions_exttype = SPD_EXT_ACTION;
2321 	act->spd_actions_count = algcount;
2322 	act->spd_actions_reserved = 0;
2323 
2324 	attr = (struct spd_attribute *)cur;
2325 
2326 #define	EMIT(tag, value) {					\
2327 		attr->spd_attr_tag = (tag); 			\
2328 		attr->spd_attr_value = (value); 		\
2329 		attr++;			  			\
2330 	}
2331 
2332 	/*
2333 	 * If you change the number of EMIT's here, change
2334 	 * ATTRPERALG above to match
2335 	 */
2336 #define	EMITALGATTRS(_type) {					\
2337 		EMIT(algattr[_type], algid); 		/* 1 */	\
2338 		EMIT(minbitsattr[_type], minbits);	/* 2 */	\
2339 		EMIT(maxbitsattr[_type], maxbits);	/* 3 */	\
2340 		EMIT(defbitsattr[_type], defbits);	/* 4 */	\
2341 		EMIT(incrbitsattr[_type], incr);	/* 5 */	\
2342 		EMIT(SPD_ATTR_NEXT, 0);			/* 6 */	\
2343 	}
2344 
2345 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2346 		for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2347 		    algidx++) {
2348 			int algid = ipss->ipsec_sortlist[algtype][algidx];
2349 			ipsec_alginfo_t *alg =
2350 			    ipss->ipsec_alglists[algtype][algid];
2351 			uint_t minbits = alg->alg_minbits;
2352 			uint_t maxbits = alg->alg_maxbits;
2353 			uint_t defbits = alg->alg_default_bits;
2354 			uint_t incr = alg->alg_increment;
2355 
2356 			if (algtype == IPSEC_ALG_AUTH) {
2357 				if (algid == SADB_AALG_NONE)
2358 					continue;
2359 				EMITALGATTRS(SPDSOCK_AH_AUTH);
2360 				EMITALGATTRS(SPDSOCK_ESP_AUTH);
2361 			} else {
2362 				if (algid == SADB_EALG_NONE)
2363 					continue;
2364 				ASSERT(algtype == IPSEC_ALG_ENCR);
2365 				EMITALGATTRS(SPDSOCK_ESP_ENCR);
2366 			}
2367 		}
2368 	}
2369 
2370 	mutex_exit(&ipss->ipsec_alg_lock);
2371 
2372 #undef EMITALGATTRS
2373 #undef EMIT
2374 #undef ATTRPERALG
2375 
2376 	attr--;
2377 	attr->spd_attr_tag = SPD_ATTR_END;
2378 
2379 	freemsg(mp);
2380 	qreply(q, m);
2381 }
2382 
2383 /*
2384  * Process a SPD_DUMPALGS request.
2385  */
2386 
2387 #define	ATTRPERALG	9	/* fixed attributes per algs */
2388 
2389 void
2390 spdsock_dumpalgs(queue_t *q, mblk_t *mp)
2391 {
2392 	uint_t algtype;
2393 	uint_t algidx;
2394 	uint_t size;
2395 	mblk_t *m;
2396 	uint8_t *cur;
2397 	spd_msg_t *msg;
2398 	struct spd_ext_actions *act;
2399 	struct spd_attribute *attr;
2400 	ipsec_alginfo_t *alg;
2401 	uint_t algid;
2402 	uint_t i;
2403 	uint_t alg_size;
2404 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
2405 	ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
2406 
2407 	mutex_enter(&ipss->ipsec_alg_lock);
2408 
2409 	/*
2410 	 * For each algorithm, we encode:
2411 	 * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2412 	 *
2413 	 * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE*
2414 	 * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_NPARAMS / ALG_PARAMS* /
2415 	 * ALG_MECHNAME / ALG_FLAGS / {END, NEXT}
2416 	 */
2417 
2418 	/*
2419 	 * Compute the size of the SPD message.
2420 	 */
2421 	size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions);
2422 
2423 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2424 		for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2425 		    algidx++) {
2426 			algid = ipss->ipsec_sortlist[algtype][algidx];
2427 			alg = ipss->ipsec_alglists[algtype][algid];
2428 			alg_size = sizeof (struct spd_attribute) *
2429 			    (ATTRPERALG + alg->alg_nkey_sizes +
2430 			    alg->alg_nblock_sizes + alg->alg_nparams) +
2431 			    CRYPTO_MAX_MECH_NAME;
2432 			size += alg_size;
2433 		}
2434 	}
2435 
2436 	ASSERT(ALIGNED64(size));
2437 
2438 	m = allocb(size, BPRI_HI);
2439 	if (m == NULL) {
2440 		mutex_exit(&ipss->ipsec_alg_lock);
2441 		spdsock_error(q, mp, ENOMEM, 0);
2442 		return;
2443 	}
2444 
2445 	m->b_wptr = m->b_rptr + size;
2446 	cur = m->b_rptr;
2447 
2448 	msg = (spd_msg_t *)cur;
2449 	bcopy(mp->b_rptr, cur, sizeof (*msg));
2450 
2451 	msg->spd_msg_len = SPD_8TO64(size);
2452 	msg->spd_msg_errno = 0;
2453 	msg->spd_msg_type = SPD_ALGLIST;
2454 
2455 	msg->spd_msg_diagnostic = 0;
2456 
2457 	cur += sizeof (*msg);
2458 
2459 	act = (struct spd_ext_actions *)cur;
2460 	cur += sizeof (*act);
2461 
2462 	act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t));
2463 	act->spd_actions_exttype = SPD_EXT_ACTION;
2464 	act->spd_actions_count = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] +
2465 	    ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
2466 	act->spd_actions_reserved = 0;
2467 
2468 	/*
2469 	 * If there aren't any algorithms registered, return an empty message.
2470 	 * spdsock_get_ext() knows how to deal with this.
2471 	 */
2472 	if (act->spd_actions_count == 0) {
2473 		act->spd_actions_len = 0;
2474 		mutex_exit(&ipss->ipsec_alg_lock);
2475 		goto error;
2476 	}
2477 
2478 	attr = (struct spd_attribute *)cur;
2479 
2480 #define	EMIT(tag, value) {					\
2481 		attr->spd_attr_tag = (tag); 			\
2482 		attr->spd_attr_value = (value); 		\
2483 		attr++;			  			\
2484 	}
2485 
2486 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2487 		for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2488 		    algidx++) {
2489 
2490 			algid = ipss->ipsec_sortlist[algtype][algidx];
2491 			alg = ipss->ipsec_alglists[algtype][algid];
2492 
2493 			/*
2494 			 * If you change the number of EMIT's here, change
2495 			 * ATTRPERALG above to match
2496 			 */
2497 			EMIT(SPD_ATTR_ALG_ID, algid);
2498 			EMIT(SPD_ATTR_ALG_PROTO, algproto[algtype]);
2499 			EMIT(SPD_ATTR_ALG_INCRBITS, alg->alg_increment);
2500 			EMIT(SPD_ATTR_ALG_NKEYSIZES, alg->alg_nkey_sizes);
2501 			for (i = 0; i < alg->alg_nkey_sizes; i++)
2502 				EMIT(SPD_ATTR_ALG_KEYSIZE,
2503 				    alg->alg_key_sizes[i]);
2504 
2505 			EMIT(SPD_ATTR_ALG_NBLOCKSIZES, alg->alg_nblock_sizes);
2506 			for (i = 0; i < alg->alg_nblock_sizes; i++)
2507 				EMIT(SPD_ATTR_ALG_BLOCKSIZE,
2508 				    alg->alg_block_sizes[i]);
2509 
2510 			EMIT(SPD_ATTR_ALG_NPARAMS, alg->alg_nparams);
2511 			for (i = 0; i < alg->alg_nparams; i++)
2512 				EMIT(SPD_ATTR_ALG_PARAMS,
2513 				    alg->alg_params[i]);
2514 
2515 			EMIT(SPD_ATTR_ALG_FLAGS, alg->alg_flags);
2516 
2517 			EMIT(SPD_ATTR_ALG_MECHNAME, CRYPTO_MAX_MECH_NAME);
2518 			bcopy(alg->alg_mech_name, attr, CRYPTO_MAX_MECH_NAME);
2519 			attr = (struct spd_attribute *)((char *)attr +
2520 			    CRYPTO_MAX_MECH_NAME);
2521 
2522 			EMIT(SPD_ATTR_NEXT, 0);
2523 		}
2524 	}
2525 
2526 	mutex_exit(&ipss->ipsec_alg_lock);
2527 
2528 #undef EMITALGATTRS
2529 #undef EMIT
2530 #undef ATTRPERALG
2531 
2532 	attr--;
2533 	attr->spd_attr_tag = SPD_ATTR_END;
2534 
2535 error:
2536 	freemsg(mp);
2537 	qreply(q, m);
2538 }
2539 
2540 /*
2541  * Do the actual work of processing an SPD_UPDATEALGS request. Can
2542  * be invoked either once IPsec is loaded on a cached request, or
2543  * when a request is received while IPsec is loaded.
2544  */
2545 static int
2546 spdsock_do_updatealg(spd_ext_t *extv[], spd_stack_t *spds)
2547 {
2548 	struct spd_ext_actions *actp;
2549 	struct spd_attribute *attr, *endattr;
2550 	uint64_t *start, *end;
2551 	ipsec_alginfo_t *alg = NULL;
2552 	ipsec_algtype_t alg_type = 0;
2553 	boolean_t skip_alg = B_TRUE, doing_proto = B_FALSE;
2554 	uint_t i, cur_key, cur_block, algid;
2555 	int diag = -1;
2556 
2557 	ASSERT(MUTEX_HELD(&spds->spds_alg_lock));
2558 
2559 	/* parse the message, building the list of algorithms */
2560 
2561 	actp = (struct spd_ext_actions *)extv[SPD_EXT_ACTION];
2562 	if (actp == NULL)
2563 		return (SPD_DIAGNOSTIC_NO_ACTION_EXT);
2564 
2565 	start = (uint64_t *)actp;
2566 	end = (start + actp->spd_actions_len);
2567 	endattr = (struct spd_attribute *)end;
2568 	attr = (struct spd_attribute *)&actp[1];
2569 
2570 	bzero(spds->spds_algs, IPSEC_NALGTYPES * IPSEC_MAX_ALGS *
2571 	    sizeof (ipsec_alginfo_t *));
2572 
2573 	alg = kmem_zalloc(sizeof (*alg), KM_SLEEP);
2574 
2575 #define	ALG_KEY_SIZES(a)   (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t))
2576 #define	ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t))
2577 #define	ALG_PARAM_SIZES(a) (((a)->alg_nparams + 1) * sizeof (uint16_t))
2578 
2579 	while (attr < endattr) {
2580 		switch (attr->spd_attr_tag) {
2581 		case SPD_ATTR_NOP:
2582 		case SPD_ATTR_EMPTY:
2583 			break;
2584 		case SPD_ATTR_END:
2585 			attr = endattr;
2586 			/* FALLTHRU */
2587 		case SPD_ATTR_NEXT:
2588 			if (doing_proto) {
2589 				doing_proto = B_FALSE;
2590 				break;
2591 			}
2592 			if (skip_alg) {
2593 				ipsec_alg_free(alg);
2594 			} else {
2595 				ipsec_alg_free(
2596 				    spds->spds_algs[alg_type][alg->alg_id]);
2597 				spds->spds_algs[alg_type][alg->alg_id] =
2598 				    alg;
2599 			}
2600 			alg = kmem_zalloc(sizeof (*alg), KM_SLEEP);
2601 			break;
2602 
2603 		case SPD_ATTR_ALG_ID:
2604 			if (attr->spd_attr_value >= IPSEC_MAX_ALGS) {
2605 				ss1dbg(spds, ("spdsock_do_updatealg: "
2606 				    "invalid alg id %d\n",
2607 				    attr->spd_attr_value));
2608 				diag = SPD_DIAGNOSTIC_ALG_ID_RANGE;
2609 				goto bail;
2610 			}
2611 			alg->alg_id = attr->spd_attr_value;
2612 			break;
2613 
2614 		case SPD_ATTR_ALG_PROTO:
2615 			/* find the alg type */
2616 			for (i = 0; i < NALGPROTOS; i++)
2617 				if (algproto[i] == attr->spd_attr_value)
2618 					break;
2619 			skip_alg = (i == NALGPROTOS);
2620 			if (!skip_alg)
2621 				alg_type = i;
2622 			break;
2623 
2624 		case SPD_ATTR_ALG_INCRBITS:
2625 			alg->alg_increment = attr->spd_attr_value;
2626 			break;
2627 
2628 		case SPD_ATTR_ALG_NKEYSIZES:
2629 			if (alg->alg_key_sizes != NULL) {
2630 				kmem_free(alg->alg_key_sizes,
2631 				    ALG_KEY_SIZES(alg));
2632 			}
2633 			alg->alg_nkey_sizes = attr->spd_attr_value;
2634 			/*
2635 			 * Allocate room for the trailing zero key size
2636 			 * value as well.
2637 			 */
2638 			alg->alg_key_sizes = kmem_zalloc(ALG_KEY_SIZES(alg),
2639 			    KM_SLEEP);
2640 			cur_key = 0;
2641 			break;
2642 
2643 		case SPD_ATTR_ALG_KEYSIZE:
2644 			if (alg->alg_key_sizes == NULL ||
2645 			    cur_key >= alg->alg_nkey_sizes) {
2646 				ss1dbg(spds, ("spdsock_do_updatealg: "
2647 				    "too many key sizes\n"));
2648 				diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES;
2649 				goto bail;
2650 			}
2651 			alg->alg_key_sizes[cur_key++] = attr->spd_attr_value;
2652 			break;
2653 
2654 		case SPD_ATTR_ALG_FLAGS:
2655 			/*
2656 			 * Flags (bit mask). The alg_flags element of
2657 			 * ipsecalg_flags_t is only 8 bits wide. The
2658 			 * user can set the VALID bit, but we will ignore it
2659 			 * and make the decision is the algorithm is valid.
2660 			 */
2661 			alg->alg_flags |= (uint8_t)attr->spd_attr_value;
2662 			break;
2663 
2664 		case SPD_ATTR_ALG_NBLOCKSIZES:
2665 			if (alg->alg_block_sizes != NULL) {
2666 				kmem_free(alg->alg_block_sizes,
2667 				    ALG_BLOCK_SIZES(alg));
2668 			}
2669 			alg->alg_nblock_sizes = attr->spd_attr_value;
2670 			/*
2671 			 * Allocate room for the trailing zero block size
2672 			 * value as well.
2673 			 */
2674 			alg->alg_block_sizes = kmem_zalloc(ALG_BLOCK_SIZES(alg),
2675 			    KM_SLEEP);
2676 			cur_block = 0;
2677 			break;
2678 
2679 		case SPD_ATTR_ALG_BLOCKSIZE:
2680 			if (alg->alg_block_sizes == NULL ||
2681 			    cur_block >= alg->alg_nblock_sizes) {
2682 				ss1dbg(spds, ("spdsock_do_updatealg: "
2683 				    "too many block sizes\n"));
2684 				diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
2685 				goto bail;
2686 			}
2687 			alg->alg_block_sizes[cur_block++] =
2688 			    attr->spd_attr_value;
2689 			break;
2690 
2691 		case SPD_ATTR_ALG_NPARAMS:
2692 			if (alg->alg_params != NULL) {
2693 				kmem_free(alg->alg_params,
2694 				    ALG_PARAM_SIZES(alg));
2695 			}
2696 			alg->alg_nparams = attr->spd_attr_value;
2697 			/*
2698 			 * Allocate room for the trailing zero block size
2699 			 * value as well.
2700 			 */
2701 			alg->alg_params = kmem_zalloc(ALG_PARAM_SIZES(alg),
2702 			    KM_SLEEP);
2703 			cur_block = 0;
2704 			break;
2705 
2706 		case SPD_ATTR_ALG_PARAMS:
2707 			if (alg->alg_params == NULL ||
2708 			    cur_block >= alg->alg_nparams) {
2709 				ss1dbg(spds, ("spdsock_do_updatealg: "
2710 				    "too many params\n"));
2711 				diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
2712 				goto bail;
2713 			}
2714 			/*
2715 			 * Array contains: iv_len, icv_len, salt_len
2716 			 * Any additional parameters are currently ignored.
2717 			 */
2718 			alg->alg_params[cur_block++] =
2719 			    attr->spd_attr_value;
2720 			break;
2721 
2722 		case SPD_ATTR_ALG_MECHNAME: {
2723 			char *mech_name;
2724 
2725 			if (attr->spd_attr_value > CRYPTO_MAX_MECH_NAME) {
2726 				ss1dbg(spds, ("spdsock_do_updatealg: "
2727 				    "mech name too long\n"));
2728 				diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN;
2729 				goto bail;
2730 			}
2731 			mech_name = (char *)(attr + 1);
2732 			bcopy(mech_name, alg->alg_mech_name,
2733 			    attr->spd_attr_value);
2734 			alg->alg_mech_name[CRYPTO_MAX_MECH_NAME-1] = '\0';
2735 			attr = (struct spd_attribute *)((char *)attr +
2736 			    attr->spd_attr_value);
2737 			break;
2738 		}
2739 
2740 		case SPD_ATTR_PROTO_ID:
2741 			doing_proto = B_TRUE;
2742 			for (i = 0; i < NALGPROTOS; i++) {
2743 				if (algproto[i] == attr->spd_attr_value) {
2744 					alg_type = i;
2745 					break;
2746 				}
2747 			}
2748 			break;
2749 
2750 		case SPD_ATTR_PROTO_EXEC_MODE:
2751 			if (!doing_proto)
2752 				break;
2753 			for (i = 0; i < NEXECMODES; i++) {
2754 				if (execmodes[i] == attr->spd_attr_value) {
2755 					spds->spds_algs_exec_mode[alg_type] = i;
2756 					break;
2757 				}
2758 			}
2759 			break;
2760 		}
2761 		attr++;
2762 	}
2763 
2764 #undef	ALG_KEY_SIZES
2765 #undef	ALG_BLOCK_SIZES
2766 #undef	ALG_PARAM_SIZES
2767 
2768 	/* update the algorithm tables */
2769 	spdsock_merge_algs(spds);
2770 bail:
2771 	/* cleanup */
2772 	ipsec_alg_free(alg);
2773 	for (alg_type = 0; alg_type < IPSEC_NALGTYPES; alg_type++)
2774 		for (algid = 0; algid < IPSEC_MAX_ALGS; algid++)
2775 		if (spds->spds_algs[alg_type][algid] != NULL)
2776 			ipsec_alg_free(spds->spds_algs[alg_type][algid]);
2777 	return (diag);
2778 }
2779 
2780 /*
2781  * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue
2782  * the request until IPsec loads. If IPsec is loaded, act on it
2783  * immediately.
2784  */
2785 
2786 static void
2787 spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[])
2788 {
2789 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
2790 	spd_stack_t	*spds = ss->spdsock_spds;
2791 	ipsec_stack_t	*ipss = spds->spds_netstack->netstack_ipsec;
2792 	uint32_t auditing = AU_AUDITING();
2793 
2794 	if (!ipsec_loaded(ipss)) {
2795 		/*
2796 		 * IPsec is not loaded, save request and return nicely,
2797 		 * the message will be processed once IPsec loads.
2798 		 */
2799 		mblk_t *new_mp;
2800 
2801 		/* last update message wins */
2802 		if ((new_mp = copymsg(mp)) == NULL) {
2803 			spdsock_error(q, mp, ENOMEM, 0);
2804 			return;
2805 		}
2806 		mutex_enter(&spds->spds_alg_lock);
2807 		bcopy(extv, spds->spds_extv_algs,
2808 		    sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1));
2809 		if (spds->spds_mp_algs != NULL)
2810 			freemsg(spds->spds_mp_algs);
2811 		spds->spds_mp_algs = mp;
2812 		mutex_exit(&spds->spds_alg_lock);
2813 		if (auditing) {
2814 			cred_t *cr;
2815 			pid_t cpid;
2816 
2817 			cr = msg_getcred(mp, &cpid);
2818 			audit_pf_policy(SPD_UPDATEALGS, cr,
2819 			    spds->spds_netstack, NULL, B_TRUE, EAGAIN,
2820 			    cpid);
2821 		}
2822 		spd_echo(q, new_mp);
2823 	} else {
2824 		/*
2825 		 * IPsec is loaded, act on the message immediately.
2826 		 */
2827 		int diag;
2828 
2829 		mutex_enter(&spds->spds_alg_lock);
2830 		diag = spdsock_do_updatealg(extv, spds);
2831 		if (diag == -1) {
2832 			/* Keep the lock held while we walk the SA tables. */
2833 			sadb_alg_update(IPSEC_ALG_ALL, 0, 0,
2834 			    spds->spds_netstack);
2835 			mutex_exit(&spds->spds_alg_lock);
2836 			spd_echo(q, mp);
2837 			if (auditing) {
2838 				cred_t *cr;
2839 				pid_t cpid;
2840 
2841 				cr = msg_getcred(mp, &cpid);
2842 				audit_pf_policy(SPD_UPDATEALGS, cr,
2843 				    spds->spds_netstack, NULL, B_TRUE, 0,
2844 				    cpid);
2845 			}
2846 		} else {
2847 			mutex_exit(&spds->spds_alg_lock);
2848 			spdsock_diag(q, mp, diag);
2849 			if (auditing) {
2850 				cred_t *cr;
2851 				pid_t cpid;
2852 
2853 				cr = msg_getcred(mp, &cpid);
2854 				audit_pf_policy(SPD_UPDATEALGS, cr,
2855 				    spds->spds_netstack, NULL, B_TRUE, diag,
2856 				    cpid);
2857 			}
2858 		}
2859 	}
2860 }
2861 
2862 /*
2863  * Find a tunnel instance (using the name to link ID mapping), and
2864  * update it after an IPsec change.  We need to do this always in case
2865  * we add policy AFTER plumbing a tunnel.  We also need to do this
2866  * because, as a side-effect, the tunnel's MTU is updated to reflect
2867  * any IPsec overhead in the itp's policy.
2868  */
2869 static void
2870 update_iptun_policy(ipsec_tun_pol_t *itp)
2871 {
2872 	datalink_id_t linkid;
2873 
2874 	if (dls_mgmt_get_linkid(itp->itp_name, &linkid) == 0)
2875 		iptun_set_policy(linkid, itp);
2876 }
2877 
2878 /*
2879  * Sort through the mess of polhead options to retrieve an appropriate one.
2880  * Returns NULL if we send an spdsock error.  Returns a valid pointer if we
2881  * found a valid polhead.  Returns ALL_ACTIVE_POLHEADS (aka. -1) or
2882  * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to
2883  * act on ALL policy heads.
2884  */
2885 static ipsec_policy_head_t *
2886 get_appropriate_polhead(queue_t *q, mblk_t *mp, spd_if_t *tunname, int spdid,
2887     int msgtype, ipsec_tun_pol_t **itpp)
2888 {
2889 	ipsec_tun_pol_t *itp;
2890 	ipsec_policy_head_t *iph;
2891 	int errno;
2892 	char *tname;
2893 	boolean_t active;
2894 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
2895 	netstack_t *ns = ss->spdsock_spds->spds_netstack;
2896 	uint64_t gen;	/* Placeholder */
2897 
2898 	active = (spdid == SPD_ACTIVE);
2899 	*itpp = NULL;
2900 	if (!active && spdid != SPD_STANDBY) {
2901 		spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_SPDID);
2902 		return (NULL);
2903 	}
2904 
2905 	if (tunname != NULL) {
2906 		/* Acting on a tunnel's SPD. */
2907 		tname = (char *)tunname->spd_if_name;
2908 		if (*tname == '\0') {
2909 			/* Handle all-polhead cases here. */
2910 			if (msgtype != SPD_FLUSH && msgtype != SPD_DUMP) {
2911 				spdsock_diag(q, mp,
2912 				    SPD_DIAGNOSTIC_NOT_GLOBAL_OP);
2913 				return (NULL);
2914 			}
2915 			return (active ? ALL_ACTIVE_POLHEADS :
2916 			    ALL_INACTIVE_POLHEADS);
2917 		}
2918 
2919 		itp = get_tunnel_policy(tname, ns);
2920 		if (itp == NULL) {
2921 			if (msgtype != SPD_ADDRULE) {
2922 				/* "Tunnel not found" */
2923 				spdsock_error(q, mp, ENOENT, 0);
2924 				return (NULL);
2925 			}
2926 
2927 			errno = 0;
2928 			itp = create_tunnel_policy(tname, &errno, &gen, ns);
2929 			if (itp == NULL) {
2930 				/*
2931 				 * Something very bad happened, most likely
2932 				 * ENOMEM.  Return an indicator.
2933 				 */
2934 				spdsock_error(q, mp, errno, 0);
2935 				return (NULL);
2936 			}
2937 		}
2938 
2939 		/* Match up the itp to an iptun instance. */
2940 		update_iptun_policy(itp);
2941 
2942 		*itpp = itp;
2943 		/* For spdsock dump state, set the polhead's name. */
2944 		if (msgtype == SPD_DUMP) {
2945 			ITP_REFHOLD(itp);
2946 			ss->spdsock_itp = itp;
2947 			ss->spdsock_dump_tunnel = itp->itp_flags &
2948 			    (active ? ITPF_P_TUNNEL : ITPF_I_TUNNEL);
2949 		}
2950 	} else {
2951 		itp = NULL;
2952 		/* For spdsock dump state, indicate it's global policy. */
2953 		if (msgtype == SPD_DUMP)
2954 			ss->spdsock_itp = NULL;
2955 	}
2956 
2957 	if (active)
2958 		iph = (itp == NULL) ? ipsec_system_policy(ns) : itp->itp_policy;
2959 	else
2960 		iph = (itp == NULL) ? ipsec_inactive_policy(ns) :
2961 		    itp->itp_inactive;
2962 
2963 	ASSERT(iph != NULL);
2964 	if (itp != NULL) {
2965 		IPPH_REFHOLD(iph);
2966 	}
2967 
2968 	return (iph);
2969 }
2970 
2971 static void
2972 spdsock_parse(queue_t *q, mblk_t *mp)
2973 {
2974 	spd_msg_t *spmsg;
2975 	spd_ext_t *extv[SPD_EXT_MAX + 1];
2976 	uint_t msgsize;
2977 	ipsec_policy_head_t *iph;
2978 	ipsec_tun_pol_t *itp;
2979 	spd_if_t *tunname;
2980 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
2981 	spd_stack_t *spds = ss->spdsock_spds;
2982 	netstack_t *ns = spds->spds_netstack;
2983 	ipsec_stack_t *ipss = ns->netstack_ipsec;
2984 
2985 	/* Make sure nothing's below me. */
2986 	ASSERT(WR(q)->q_next == NULL);
2987 
2988 	spmsg = (spd_msg_t *)mp->b_rptr;
2989 
2990 	msgsize = SPD_64TO8(spmsg->spd_msg_len);
2991 
2992 	if (msgdsize(mp) != msgsize) {
2993 		/*
2994 		 * Message len incorrect w.r.t. actual size.  Send an error
2995 		 * (EMSGSIZE).	It may be necessary to massage things a
2996 		 * bit.	 For example, if the spd_msg_type is hosed,
2997 		 * I need to set it to SPD_RESERVED to get delivery to
2998 		 * do the right thing.	Then again, maybe just letting
2999 		 * the error delivery do the right thing.
3000 		 */
3001 		ss2dbg(spds,
3002 		    ("mblk (%lu) and base (%d) message sizes don't jibe.\n",
3003 		    msgdsize(mp), msgsize));
3004 		spdsock_error(q, mp, EMSGSIZE, SPD_DIAGNOSTIC_NONE);
3005 		return;
3006 	}
3007 
3008 	if (msgsize > (uint_t)(mp->b_wptr - mp->b_rptr)) {
3009 		/* Get all message into one mblk. */
3010 		if (pullupmsg(mp, -1) == 0) {
3011 			/*
3012 			 * Something screwy happened.
3013 			 */
3014 			ss3dbg(spds, ("spdsock_parse: pullupmsg() failed.\n"));
3015 			return;
3016 		} else {
3017 			spmsg = (spd_msg_t *)mp->b_rptr;
3018 		}
3019 	}
3020 
3021 	switch (spdsock_get_ext(extv, spmsg, msgsize)) {
3022 	case KGE_DUP:
3023 		/* Handle duplicate extension. */
3024 		ss1dbg(spds, ("Got duplicate extension of type %d.\n",
3025 		    extv[0]->spd_ext_type));
3026 		spdsock_diag(q, mp, dup_ext_diag[extv[0]->spd_ext_type]);
3027 		return;
3028 	case KGE_UNK:
3029 		/* Handle unknown extension. */
3030 		ss1dbg(spds, ("Got unknown extension of type %d.\n",
3031 		    extv[0]->spd_ext_type));
3032 		spdsock_diag(q, mp, SPD_DIAGNOSTIC_UNKNOWN_EXT);
3033 		return;
3034 	case KGE_LEN:
3035 		/* Length error. */
3036 		ss1dbg(spds, ("Length %d on extension type %d overrun or 0.\n",
3037 		    extv[0]->spd_ext_len, extv[0]->spd_ext_type));
3038 		spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_EXTLEN);
3039 		return;
3040 	case KGE_CHK:
3041 		/* Reality check failed. */
3042 		ss1dbg(spds, ("Reality check failed on extension type %d.\n",
3043 		    extv[0]->spd_ext_type));
3044 		spdsock_diag(q, mp, bad_ext_diag[extv[0]->spd_ext_type]);
3045 		return;
3046 	default:
3047 		/* Default case is no errors. */
3048 		break;
3049 	}
3050 
3051 	/*
3052 	 * Special-case SPD_UPDATEALGS so as not to load IPsec.
3053 	 */
3054 	if (!ipsec_loaded(ipss) && spmsg->spd_msg_type != SPD_UPDATEALGS) {
3055 		spdsock_t *ss = (spdsock_t *)q->q_ptr;
3056 
3057 		ASSERT(ss != NULL);
3058 		ipsec_loader_loadnow(ipss);
3059 		ss->spdsock_timeout_arg = mp;
3060 		ss->spdsock_timeout = qtimeout(q, spdsock_loadcheck,
3061 		    q, LOADCHECK_INTERVAL);
3062 		return;
3063 	}
3064 
3065 	/* First check for messages that need no polheads at all. */
3066 	switch (spmsg->spd_msg_type) {
3067 	case SPD_UPDATEALGS:
3068 		spdsock_updatealg(q, mp, extv);
3069 		return;
3070 	case SPD_ALGLIST:
3071 		spdsock_alglist(q, mp);
3072 		return;
3073 	case SPD_DUMPALGS:
3074 		spdsock_dumpalgs(q, mp);
3075 		return;
3076 	}
3077 
3078 	/*
3079 	 * Then check for ones that need both primary/secondary polheads,
3080 	 * finding the appropriate tunnel policy if need be.
3081 	 */
3082 	tunname = (spd_if_t *)extv[SPD_EXT_TUN_NAME];
3083 	switch (spmsg->spd_msg_type) {
3084 	case SPD_FLIP:
3085 		spdsock_flip(q, mp, tunname);
3086 		return;
3087 	case SPD_CLONE:
3088 		spdsock_clone(q, mp, tunname);
3089 		return;
3090 	}
3091 
3092 	/*
3093 	 * Finally, find ones that operate on exactly one polhead, or
3094 	 * "all polheads" of a given type (active/inactive).
3095 	 */
3096 	iph = get_appropriate_polhead(q, mp, tunname, spmsg->spd_msg_spdid,
3097 	    spmsg->spd_msg_type, &itp);
3098 	if (iph == NULL)
3099 		return;
3100 
3101 	/* All-polheads-ready operations. */
3102 	switch (spmsg->spd_msg_type) {
3103 	case SPD_FLUSH:
3104 		if (itp != NULL) {
3105 			mutex_enter(&itp->itp_lock);
3106 			if (spmsg->spd_msg_spdid == SPD_ACTIVE)
3107 				itp->itp_flags &= ~ITPF_PFLAGS;
3108 			else
3109 				itp->itp_flags &= ~ITPF_IFLAGS;
3110 			mutex_exit(&itp->itp_lock);
3111 		}
3112 
3113 		spdsock_flush(q, iph, itp, mp);
3114 
3115 		if (itp != NULL) {
3116 			/* SPD_FLUSH is worth a tunnel MTU check. */
3117 			update_iptun_policy(itp);
3118 			ITP_REFRELE(itp, ns);
3119 		}
3120 		return;
3121 	case SPD_DUMP:
3122 		if (itp != NULL)
3123 			ITP_REFRELE(itp, ns);
3124 		spdsock_dump(q, iph, mp);
3125 		return;
3126 	}
3127 
3128 	if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) {
3129 		spdsock_diag(q, mp, SPD_DIAGNOSTIC_NOT_GLOBAL_OP);
3130 		return;
3131 	}
3132 
3133 	/* Single-polhead-only operations. */
3134 	switch (spmsg->spd_msg_type) {
3135 	case SPD_ADDRULE:
3136 		spdsock_addrule(q, iph, mp, extv, itp);
3137 		break;
3138 	case SPD_DELETERULE:
3139 		spdsock_deleterule(q, iph, mp, extv, itp);
3140 		break;
3141 	case SPD_LOOKUP:
3142 		spdsock_lookup(q, iph, mp, extv, itp);
3143 		break;
3144 	default:
3145 		spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_MSG_TYPE);
3146 		break;
3147 	}
3148 
3149 	IPPH_REFRELE(iph, ns);
3150 	if (itp != NULL) {
3151 		/* SPD_{ADD,DELETE}RULE are worth a tunnel MTU check. */
3152 		if (spmsg->spd_msg_type == SPD_ADDRULE ||
3153 		    spmsg->spd_msg_type == SPD_DELETERULE)
3154 			update_iptun_policy(itp);
3155 		ITP_REFRELE(itp, ns);
3156 	}
3157 }
3158 
3159 /*
3160  * If an algorithm mapping was received before IPsec was loaded, process it.
3161  * Called from the IPsec loader.
3162  */
3163 void
3164 spdsock_update_pending_algs(netstack_t *ns)
3165 {
3166 	spd_stack_t *spds = ns->netstack_spdsock;
3167 
3168 	mutex_enter(&spds->spds_alg_lock);
3169 	if (spds->spds_mp_algs != NULL) {
3170 		(void) spdsock_do_updatealg(spds->spds_extv_algs, spds);
3171 		freemsg(spds->spds_mp_algs);
3172 		spds->spds_mp_algs = NULL;
3173 	}
3174 	mutex_exit(&spds->spds_alg_lock);
3175 }
3176 
3177 static void
3178 spdsock_loadcheck(void *arg)
3179 {
3180 	queue_t *q = (queue_t *)arg;
3181 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
3182 	mblk_t *mp;
3183 	ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
3184 
3185 	ASSERT(ss != NULL);
3186 
3187 	ss->spdsock_timeout = 0;
3188 	mp = ss->spdsock_timeout_arg;
3189 	ASSERT(mp != NULL);
3190 	ss->spdsock_timeout_arg = NULL;
3191 	if (ipsec_failed(ipss))
3192 		spdsock_error(q, mp, EPROTONOSUPPORT, 0);
3193 	else
3194 		spdsock_parse(q, mp);
3195 }
3196 
3197 /*
3198  * Copy relevant state bits.
3199  */
3200 static void
3201 spdsock_copy_info(struct T_info_ack *tap, spdsock_t *ss)
3202 {
3203 	*tap = spdsock_g_t_info_ack;
3204 	tap->CURRENT_state = ss->spdsock_state;
3205 	tap->OPT_size = spdsock_max_optsize;
3206 }
3207 
3208 /*
3209  * This routine responds to T_CAPABILITY_REQ messages.  It is called by
3210  * spdsock_wput.  Much of the T_CAPABILITY_ACK information is copied from
3211  * spdsock_g_t_info_ack.  The current state of the stream is copied from
3212  * spdsock_state.
3213  */
3214 static void
3215 spdsock_capability_req(queue_t *q, mblk_t *mp)
3216 {
3217 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
3218 	t_uscalar_t cap_bits1;
3219 	struct T_capability_ack	*tcap;
3220 
3221 	cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1;
3222 
3223 	mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack),
3224 	    mp->b_datap->db_type, T_CAPABILITY_ACK);
3225 	if (mp == NULL)
3226 		return;
3227 
3228 	tcap = (struct T_capability_ack *)mp->b_rptr;
3229 	tcap->CAP_bits1 = 0;
3230 
3231 	if (cap_bits1 & TC1_INFO) {
3232 		spdsock_copy_info(&tcap->INFO_ack, ss);
3233 		tcap->CAP_bits1 |= TC1_INFO;
3234 	}
3235 
3236 	qreply(q, mp);
3237 }
3238 
3239 /*
3240  * This routine responds to T_INFO_REQ messages. It is called by
3241  * spdsock_wput_other.
3242  * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack.
3243  * The current state of the stream is copied from spdsock_state.
3244  */
3245 static void
3246 spdsock_info_req(q, mp)
3247 	queue_t	*q;
3248 	mblk_t	*mp;
3249 {
3250 	mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO,
3251 	    T_INFO_ACK);
3252 	if (mp == NULL)
3253 		return;
3254 	spdsock_copy_info((struct T_info_ack *)mp->b_rptr,
3255 	    (spdsock_t *)q->q_ptr);
3256 	qreply(q, mp);
3257 }
3258 
3259 /*
3260  * spdsock_err_ack. This routine creates a
3261  * T_ERROR_ACK message and passes it
3262  * upstream.
3263  */
3264 static void
3265 spdsock_err_ack(q, mp, t_error, sys_error)
3266 	queue_t	*q;
3267 	mblk_t	*mp;
3268 	int	t_error;
3269 	int	sys_error;
3270 {
3271 	if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL)
3272 		qreply(q, mp);
3273 }
3274 
3275 /*
3276  * This routine retrieves the current status of socket options.
3277  * It returns the size of the option retrieved.
3278  */
3279 /* ARGSUSED */
3280 int
3281 spdsock_opt_get(queue_t *q, int level, int name, uchar_t *ptr)
3282 {
3283 	int *i1 = (int *)ptr;
3284 
3285 	switch (level) {
3286 	case SOL_SOCKET:
3287 		switch (name) {
3288 		case SO_TYPE:
3289 			*i1 = SOCK_RAW;
3290 			break;
3291 		/*
3292 		 * The following two items can be manipulated,
3293 		 * but changing them should do nothing.
3294 		 */
3295 		case SO_SNDBUF:
3296 			*i1 = (int)q->q_hiwat;
3297 			break;
3298 		case SO_RCVBUF:
3299 			*i1 = (int)(RD(q)->q_hiwat);
3300 			break;
3301 		}
3302 		break;
3303 	default:
3304 		return (0);
3305 	}
3306 	return (sizeof (int));
3307 }
3308 
3309 /*
3310  * This routine sets socket options.
3311  */
3312 /* ARGSUSED */
3313 int
3314 spdsock_opt_set(queue_t *q, uint_t mgmt_flags, int level, int name,
3315     uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
3316     void *thisdg_attrs, cred_t *cr)
3317 {
3318 	int *i1 = (int *)invalp;
3319 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
3320 	spd_stack_t	*spds = ss->spdsock_spds;
3321 
3322 	switch (level) {
3323 	case SOL_SOCKET:
3324 		switch (name) {
3325 		case SO_SNDBUF:
3326 			if (*i1 > spds->spds_max_buf)
3327 				return (ENOBUFS);
3328 			q->q_hiwat = *i1;
3329 			break;
3330 		case SO_RCVBUF:
3331 			if (*i1 > spds->spds_max_buf)
3332 				return (ENOBUFS);
3333 			RD(q)->q_hiwat = *i1;
3334 			(void) proto_set_rx_hiwat(RD(q), NULL, *i1);
3335 			break;
3336 		}
3337 		break;
3338 	}
3339 	return (0);
3340 }
3341 
3342 
3343 /*
3344  * Handle STREAMS messages.
3345  */
3346 static void
3347 spdsock_wput_other(queue_t *q, mblk_t *mp)
3348 {
3349 	struct iocblk *iocp;
3350 	int error;
3351 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
3352 	spd_stack_t	*spds = ss->spdsock_spds;
3353 	cred_t		*cr;
3354 
3355 	switch (mp->b_datap->db_type) {
3356 	case M_PROTO:
3357 	case M_PCPROTO:
3358 		if ((mp->b_wptr - mp->b_rptr) < sizeof (long)) {
3359 			ss3dbg(spds, (
3360 			    "spdsock_wput_other: Not big enough M_PROTO\n"));
3361 			freemsg(mp);
3362 			return;
3363 		}
3364 		switch (((union T_primitives *)mp->b_rptr)->type) {
3365 		case T_CAPABILITY_REQ:
3366 			spdsock_capability_req(q, mp);
3367 			break;
3368 		case T_INFO_REQ:
3369 			spdsock_info_req(q, mp);
3370 			break;
3371 		case T_SVR4_OPTMGMT_REQ:
3372 		case T_OPTMGMT_REQ:
3373 			/*
3374 			 * All Solaris components should pass a db_credp
3375 			 * for this TPI message, hence we ASSERT.
3376 			 * But in case there is some other M_PROTO that looks
3377 			 * like a TPI message sent by some other kernel
3378 			 * component, we check and return an error.
3379 			 */
3380 			cr = msg_getcred(mp, NULL);
3381 			ASSERT(cr != NULL);
3382 			if (cr == NULL) {
3383 				spdsock_err_ack(q, mp, TSYSERR, EINVAL);
3384 				return;
3385 			}
3386 			if (((union T_primitives *)mp->b_rptr)->type ==
3387 			    T_SVR4_OPTMGMT_REQ) {
3388 				svr4_optcom_req(q, mp, cr, &spdsock_opt_obj);
3389 			} else {
3390 				tpi_optcom_req(q, mp, cr, &spdsock_opt_obj);
3391 			}
3392 			break;
3393 		case T_DATA_REQ:
3394 		case T_EXDATA_REQ:
3395 		case T_ORDREL_REQ:
3396 			/* Illegal for spdsock. */
3397 			freemsg(mp);
3398 			(void) putnextctl1(RD(q), M_ERROR, EPROTO);
3399 			break;
3400 		default:
3401 			/* Not supported by spdsock. */
3402 			spdsock_err_ack(q, mp, TNOTSUPPORT, 0);
3403 			break;
3404 		}
3405 		return;
3406 	case M_IOCTL:
3407 		iocp = (struct iocblk *)mp->b_rptr;
3408 		error = EINVAL;
3409 
3410 		switch (iocp->ioc_cmd) {
3411 		case ND_SET:
3412 		case ND_GET:
3413 			if (nd_getset(q, spds->spds_g_nd, mp)) {
3414 				qreply(q, mp);
3415 				return;
3416 			} else
3417 				error = ENOENT;
3418 			/* FALLTHRU */
3419 		default:
3420 			miocnak(q, mp, 0, error);
3421 			return;
3422 		}
3423 	case M_FLUSH:
3424 		if (*mp->b_rptr & FLUSHW) {
3425 			flushq(q, FLUSHALL);
3426 			*mp->b_rptr &= ~FLUSHW;
3427 		}
3428 		if (*mp->b_rptr & FLUSHR) {
3429 			qreply(q, mp);
3430 			return;
3431 		}
3432 		/* Else FALLTHRU */
3433 	}
3434 
3435 	/* If fell through, just black-hole the message. */
3436 	freemsg(mp);
3437 }
3438 
3439 static void
3440 spdsock_wput(queue_t *q, mblk_t *mp)
3441 {
3442 	uint8_t *rptr = mp->b_rptr;
3443 	mblk_t *mp1;
3444 	spdsock_t *ss = (spdsock_t *)q->q_ptr;
3445 	spd_stack_t	*spds = ss->spdsock_spds;
3446 
3447 	/*
3448 	 * If we're dumping, defer processing other messages until the
3449 	 * dump completes.
3450 	 */
3451 	if (ss->spdsock_dump_req != NULL) {
3452 		if (!putq(q, mp))
3453 			freemsg(mp);
3454 		return;
3455 	}
3456 
3457 	switch (mp->b_datap->db_type) {
3458 	case M_DATA:
3459 		/*
3460 		 * Silently discard.
3461 		 */
3462 		ss2dbg(spds, ("raw M_DATA in spdsock.\n"));
3463 		freemsg(mp);
3464 		return;
3465 	case M_PROTO:
3466 	case M_PCPROTO:
3467 		if ((mp->b_wptr - rptr) >= sizeof (struct T_data_req)) {
3468 			if (((union T_primitives *)rptr)->type == T_DATA_REQ) {
3469 				if ((mp1 = mp->b_cont) == NULL) {
3470 					/* No data after T_DATA_REQ. */
3471 					ss2dbg(spds,
3472 					    ("No data after DATA_REQ.\n"));
3473 					freemsg(mp);
3474 					return;
3475 				}
3476 				freeb(mp);
3477 				mp = mp1;
3478 				ss2dbg(spds, ("T_DATA_REQ\n"));
3479 				break;	/* Out of switch. */
3480 			}
3481 		}
3482 		/* FALLTHRU */
3483 	default:
3484 		ss3dbg(spds, ("In default wput case (%d %d).\n",
3485 		    mp->b_datap->db_type, ((union T_primitives *)rptr)->type));
3486 		spdsock_wput_other(q, mp);
3487 		return;
3488 	}
3489 
3490 	/* I now have a PF_POLICY message in an M_DATA block. */
3491 	spdsock_parse(q, mp);
3492 }
3493 
3494 /*
3495  * Device open procedure, called when new queue pair created.
3496  * We are passed the read-side queue.
3497  */
3498 /* ARGSUSED */
3499 static int
3500 spdsock_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
3501 {
3502 	spdsock_t *ss;
3503 	queue_t *oq = OTHERQ(q);
3504 	minor_t ssminor;
3505 	netstack_t *ns;
3506 	spd_stack_t *spds;
3507 
3508 	if (secpolicy_ip_config(credp, B_FALSE) != 0)
3509 		return (EPERM);
3510 
3511 	if (q->q_ptr != NULL)
3512 		return (0);  /* Re-open of an already open instance. */
3513 
3514 	if (sflag & MODOPEN)
3515 		return (EINVAL);
3516 
3517 	ns = netstack_find_by_cred(credp);
3518 	ASSERT(ns != NULL);
3519 	spds = ns->netstack_spdsock;
3520 	ASSERT(spds != NULL);
3521 
3522 	ss2dbg(spds, ("Made it into PF_POLICY socket open.\n"));
3523 
3524 	ssminor = (minor_t)(uintptr_t)vmem_alloc(spdsock_vmem, 1, VM_NOSLEEP);
3525 	if (ssminor == 0) {
3526 		netstack_rele(spds->spds_netstack);
3527 		return (ENOMEM);
3528 	}
3529 	ss = kmem_zalloc(sizeof (spdsock_t), KM_NOSLEEP);
3530 	if (ss == NULL) {
3531 		vmem_free(spdsock_vmem, (void *)(uintptr_t)ssminor, 1);
3532 		netstack_rele(spds->spds_netstack);
3533 		return (ENOMEM);
3534 	}
3535 
3536 	ss->spdsock_minor = ssminor;
3537 	ss->spdsock_state = TS_UNBND;
3538 	ss->spdsock_dump_req = NULL;
3539 
3540 	ss->spdsock_spds = spds;
3541 
3542 	q->q_ptr = ss;
3543 	oq->q_ptr = ss;
3544 
3545 	q->q_hiwat = spds->spds_recv_hiwat;
3546 
3547 	oq->q_hiwat = spds->spds_xmit_hiwat;
3548 	oq->q_lowat = spds->spds_xmit_lowat;
3549 
3550 	qprocson(q);
3551 	(void) proto_set_rx_hiwat(q, NULL, spds->spds_recv_hiwat);
3552 
3553 	*devp = makedevice(getmajor(*devp), ss->spdsock_minor);
3554 	return (0);
3555 }
3556 
3557 /*
3558  * Read-side service procedure, invoked when we get back-enabled
3559  * when buffer space becomes available.
3560  *
3561  * Dump another chunk if we were dumping before; when we finish, kick
3562  * the write-side queue in case it's waiting for read queue space.
3563  */
3564 void
3565 spdsock_rsrv(queue_t *q)
3566 {
3567 	spdsock_t *ss = q->q_ptr;
3568 
3569 	if (ss->spdsock_dump_req != NULL)
3570 		spdsock_dump_some(q, ss);
3571 
3572 	if (ss->spdsock_dump_req == NULL)
3573 		qenable(OTHERQ(q));
3574 }
3575 
3576 /*
3577  * Write-side service procedure, invoked when we defer processing
3578  * if another message is received while a dump is in progress.
3579  */
3580 void
3581 spdsock_wsrv(queue_t *q)
3582 {
3583 	spdsock_t *ss = q->q_ptr;
3584 	mblk_t *mp;
3585 	ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
3586 
3587 	if (ss->spdsock_dump_req != NULL) {
3588 		qenable(OTHERQ(q));
3589 		return;
3590 	}
3591 
3592 	while ((mp = getq(q)) != NULL) {
3593 		if (ipsec_loaded(ipss)) {
3594 			spdsock_wput(q, mp);
3595 			if (ss->spdsock_dump_req != NULL)
3596 				return;
3597 		} else if (!ipsec_failed(ipss)) {
3598 			(void) putq(q, mp);
3599 		} else {
3600 			spdsock_error(q, mp, EPFNOSUPPORT, 0);
3601 		}
3602 	}
3603 }
3604 
3605 static int
3606 spdsock_close(queue_t *q)
3607 {
3608 	spdsock_t *ss = q->q_ptr;
3609 	spd_stack_t	*spds = ss->spdsock_spds;
3610 
3611 	qprocsoff(q);
3612 
3613 	/* Safe assumption. */
3614 	ASSERT(ss != NULL);
3615 
3616 	if (ss->spdsock_timeout != 0)
3617 		(void) quntimeout(q, ss->spdsock_timeout);
3618 
3619 	ss3dbg(spds, ("Driver close, PF_POLICY socket is going away.\n"));
3620 
3621 	vmem_free(spdsock_vmem, (void *)(uintptr_t)ss->spdsock_minor, 1);
3622 	netstack_rele(ss->spdsock_spds->spds_netstack);
3623 
3624 	kmem_free(ss, sizeof (spdsock_t));
3625 	return (0);
3626 }
3627 
3628 /*
3629  * Merge the IPsec algorithms tables with the received algorithm information.
3630  */
3631 void
3632 spdsock_merge_algs(spd_stack_t *spds)
3633 {
3634 	ipsec_alginfo_t *alg, *oalg;
3635 	ipsec_algtype_t algtype;
3636 	uint_t algidx, algid, nalgs;
3637 	crypto_mech_name_t *mechs;
3638 	uint_t mech_count, mech_idx;
3639 	netstack_t	*ns = spds->spds_netstack;
3640 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
3641 
3642 	ASSERT(MUTEX_HELD(&spds->spds_alg_lock));
3643 
3644 	/*
3645 	 * Get the list of supported mechanisms from the crypto framework.
3646 	 * If a mechanism is supported by KCF, resolve its mechanism
3647 	 * id and mark it as being valid. This operation must be done
3648 	 * without holding alg_lock, since it can cause a provider
3649 	 * module to be loaded and the provider notification callback to
3650 	 * be invoked.
3651 	 */
3652 	mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
3653 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3654 		for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) {
3655 			int algflags = 0;
3656 			crypto_mech_type_t mt = CRYPTO_MECHANISM_INVALID;
3657 
3658 			alg = spds->spds_algs[algtype][algid];
3659 			if (alg == NULL)
3660 				continue;
3661 
3662 			/*
3663 			 * The NULL encryption algorithm is a special
3664 			 * case because there are no mechanisms, yet
3665 			 * the algorithm is still valid.
3666 			 */
3667 			if (alg->alg_id == SADB_EALG_NULL) {
3668 				alg->alg_mech_type = CRYPTO_MECHANISM_INVALID;
3669 				alg->alg_flags |= ALG_FLAG_VALID;
3670 				continue;
3671 			}
3672 
3673 			for (mech_idx = 0; mech_idx < mech_count; mech_idx++) {
3674 				if (strncmp(alg->alg_mech_name, mechs[mech_idx],
3675 				    CRYPTO_MAX_MECH_NAME) == 0) {
3676 					mt = crypto_mech2id(alg->alg_mech_name);
3677 					ASSERT(mt != CRYPTO_MECHANISM_INVALID);
3678 					algflags = ALG_FLAG_VALID;
3679 					break;
3680 				}
3681 			}
3682 			alg->alg_mech_type = mt;
3683 			alg->alg_flags |= algflags;
3684 		}
3685 	}
3686 
3687 	mutex_enter(&ipss->ipsec_alg_lock);
3688 
3689 	/*
3690 	 * For each algorithm currently defined, check if it is
3691 	 * present in the new tables created from the SPD_UPDATEALGS
3692 	 * message received from user-space.
3693 	 * Delete the algorithm entries that are currently defined
3694 	 * but not part of the new tables.
3695 	 */
3696 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3697 		nalgs = ipss->ipsec_nalgs[algtype];
3698 		for (algidx = 0; algidx < nalgs; algidx++) {
3699 			algid = ipss->ipsec_sortlist[algtype][algidx];
3700 			if (spds->spds_algs[algtype][algid] == NULL)
3701 				ipsec_alg_unreg(algtype, algid, ns);
3702 		}
3703 	}
3704 
3705 	/*
3706 	 * For each algorithm we just received, check if it is
3707 	 * present in the currently defined tables. If it is, swap
3708 	 * the entry with the one we just allocated.
3709 	 * If the new algorithm is not in the current tables,
3710 	 * add it.
3711 	 */
3712 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3713 		for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) {
3714 			alg = spds->spds_algs[algtype][algid];
3715 			if (alg == NULL)
3716 				continue;
3717 
3718 			if ((oalg = ipss->ipsec_alglists[algtype][algid]) ==
3719 			    NULL) {
3720 				/*
3721 				 * New algorithm, add it to the algorithm
3722 				 * table.
3723 				 */
3724 				ipsec_alg_reg(algtype, alg, ns);
3725 			} else {
3726 				/*
3727 				 * Algorithm is already in the table. Swap
3728 				 * the existing entry with the new one.
3729 				 */
3730 				ipsec_alg_fix_min_max(alg, algtype, ns);
3731 				ipss->ipsec_alglists[algtype][algid] = alg;
3732 				ipsec_alg_free(oalg);
3733 			}
3734 			spds->spds_algs[algtype][algid] = NULL;
3735 		}
3736 	}
3737 
3738 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3739 		ipss->ipsec_algs_exec_mode[algtype] =
3740 		    spds->spds_algs_exec_mode[algtype];
3741 	}
3742 
3743 	mutex_exit(&ipss->ipsec_alg_lock);
3744 
3745 	crypto_free_mech_list(mechs, mech_count);
3746 
3747 	ipsecah_algs_changed(ns);
3748 	ipsecesp_algs_changed(ns);
3749 }
3750