xref: /titanic_50/usr/src/uts/common/inet/ip/spd.c (revision cffcfaee1e6b29ef9ceb7d80e4e053ffd029906b)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * IPsec Security Policy Database.
28  *
29  * This module maintains the SPD and provides routines used by ip and ip6
30  * to apply IPsec policy to inbound and outbound datagrams.
31  */
32 
33 #include <sys/types.h>
34 #include <sys/stream.h>
35 #include <sys/stropts.h>
36 #include <sys/sysmacros.h>
37 #include <sys/strsubr.h>
38 #include <sys/strsun.h>
39 #include <sys/strlog.h>
40 #include <sys/strsun.h>
41 #include <sys/cmn_err.h>
42 #include <sys/zone.h>
43 
44 #include <sys/systm.h>
45 #include <sys/param.h>
46 #include <sys/kmem.h>
47 #include <sys/ddi.h>
48 
49 #include <sys/crypto/api.h>
50 
51 #include <inet/common.h>
52 #include <inet/mi.h>
53 
54 #include <netinet/ip6.h>
55 #include <netinet/icmp6.h>
56 #include <netinet/udp.h>
57 
58 #include <inet/ip.h>
59 #include <inet/ip6.h>
60 
61 #include <net/pfkeyv2.h>
62 #include <net/pfpolicy.h>
63 #include <inet/sadb.h>
64 #include <inet/ipsec_impl.h>
65 
66 #include <inet/ip_impl.h>	/* For IP_MOD_ID */
67 
68 #include <inet/ipsecah.h>
69 #include <inet/ipsecesp.h>
70 #include <inet/ipdrop.h>
71 #include <inet/ipclassifier.h>
72 #include <inet/iptun.h>
73 #include <inet/iptun/iptun_impl.h>
74 
75 static void ipsec_update_present_flags(ipsec_stack_t *);
76 static ipsec_act_t *ipsec_act_wildcard_expand(ipsec_act_t *, uint_t *,
77     netstack_t *);
78 static mblk_t *ipsec_check_ipsecin_policy(mblk_t *, ipsec_policy_t *,
79     ipha_t *, ip6_t *, uint64_t, ip_recv_attr_t *, netstack_t *);
80 static void ipsec_action_free_table(ipsec_action_t *);
81 static void ipsec_action_reclaim(void *);
82 static void ipsec_action_reclaim_stack(ipsec_stack_t *);
83 static void ipsid_init(netstack_t *);
84 static void ipsid_fini(netstack_t *);
85 
86 /* sel_flags values for ipsec_init_inbound_sel(). */
87 #define	SEL_NONE	0x0000
88 #define	SEL_PORT_POLICY	0x0001
89 #define	SEL_IS_ICMP	0x0002
90 #define	SEL_TUNNEL_MODE	0x0004
91 #define	SEL_POST_FRAG	0x0008
92 
93 /* Return values for ipsec_init_inbound_sel(). */
94 typedef enum { SELRET_NOMEM, SELRET_BADPKT, SELRET_SUCCESS, SELRET_TUNFRAG}
95     selret_t;
96 
97 static selret_t ipsec_init_inbound_sel(ipsec_selector_t *, mblk_t *,
98     ipha_t *, ip6_t *, uint8_t);
99 
100 static boolean_t ipsec_check_ipsecin_action(ip_recv_attr_t *, mblk_t *,
101     struct ipsec_action_s *, ipha_t *ipha, ip6_t *ip6h, const char **,
102     kstat_named_t **, netstack_t *);
103 static void ipsec_unregister_prov_update(void);
104 static void ipsec_prov_update_callback_stack(uint32_t, void *, netstack_t *);
105 static boolean_t ipsec_compare_action(ipsec_policy_t *, ipsec_policy_t *);
106 static uint32_t selector_hash(ipsec_selector_t *, ipsec_policy_root_t *);
107 static boolean_t ipsec_kstat_init(ipsec_stack_t *);
108 static void ipsec_kstat_destroy(ipsec_stack_t *);
109 static int ipsec_free_tables(ipsec_stack_t *);
110 static int tunnel_compare(const void *, const void *);
111 static void ipsec_freemsg_chain(mblk_t *);
112 static void ip_drop_packet_chain(mblk_t *, boolean_t, ill_t *,
113     struct kstat_named *, ipdropper_t *);
114 static boolean_t ipsec_kstat_init(ipsec_stack_t *);
115 static void ipsec_kstat_destroy(ipsec_stack_t *);
116 static int ipsec_free_tables(ipsec_stack_t *);
117 static int tunnel_compare(const void *, const void *);
118 static void ipsec_freemsg_chain(mblk_t *);
119 
120 /*
121  * Selector hash table is statically sized at module load time.
122  * we default to 251 buckets, which is the largest prime number under 255
123  */
124 
125 #define	IPSEC_SPDHASH_DEFAULT 251
126 
127 /* SPD hash-size tunable per tunnel. */
128 #define	TUN_SPDHASH_DEFAULT 5
129 
130 uint32_t ipsec_spd_hashsize;
131 uint32_t tun_spd_hashsize;
132 
133 #define	IPSEC_SEL_NOHASH ((uint32_t)(~0))
134 
135 /*
136  * Handle global across all stack instances
137  */
138 static crypto_notify_handle_t prov_update_handle = NULL;
139 
140 static kmem_cache_t *ipsec_action_cache;
141 static kmem_cache_t *ipsec_sel_cache;
142 static kmem_cache_t *ipsec_pol_cache;
143 
144 /* Frag cache prototypes */
145 static void ipsec_fragcache_clean(ipsec_fragcache_t *, ipsec_stack_t *);
146 static ipsec_fragcache_entry_t *fragcache_delentry(int,
147     ipsec_fragcache_entry_t *, ipsec_fragcache_t *, ipsec_stack_t *);
148 boolean_t ipsec_fragcache_init(ipsec_fragcache_t *);
149 void ipsec_fragcache_uninit(ipsec_fragcache_t *, ipsec_stack_t *ipss);
150 mblk_t *ipsec_fragcache_add(ipsec_fragcache_t *, mblk_t *, mblk_t *,
151     int, ipsec_stack_t *);
152 
153 int ipsec_hdr_pullup_needed = 0;
154 int ipsec_weird_null_inbound_policy = 0;
155 
156 #define	ALGBITS_ROUND_DOWN(x, align)	(((x)/(align))*(align))
157 #define	ALGBITS_ROUND_UP(x, align)	ALGBITS_ROUND_DOWN((x)+(align)-1, align)
158 
159 /*
160  * Inbound traffic should have matching identities for both SA's.
161  */
162 
163 #define	SA_IDS_MATCH(sa1, sa2) 						\
164 	(((sa1) == NULL) || ((sa2) == NULL) ||				\
165 	(((sa1)->ipsa_src_cid == (sa2)->ipsa_src_cid) &&		\
166 	    (((sa1)->ipsa_dst_cid == (sa2)->ipsa_dst_cid))))
167 
168 /*
169  * IPv6 Fragments
170  */
171 #define	IS_V6_FRAGMENT(ipp)	(ipp.ipp_fields & IPPF_FRAGHDR)
172 
173 /*
174  * Policy failure messages.
175  */
176 static char *ipsec_policy_failure_msgs[] = {
177 
178 	/* IPSEC_POLICY_NOT_NEEDED */
179 	"%s: Dropping the datagram because the incoming packet "
180 	"is %s, but the recipient expects clear; Source %s, "
181 	"Destination %s.\n",
182 
183 	/* IPSEC_POLICY_MISMATCH */
184 	"%s: Policy Failure for the incoming packet (%s); Source %s, "
185 	"Destination %s.\n",
186 
187 	/* IPSEC_POLICY_AUTH_NOT_NEEDED	*/
188 	"%s: Authentication present while not expected in the "
189 	"incoming %s packet; Source %s, Destination %s.\n",
190 
191 	/* IPSEC_POLICY_ENCR_NOT_NEEDED */
192 	"%s: Encryption present while not expected in the "
193 	"incoming %s packet; Source %s, Destination %s.\n",
194 
195 	/* IPSEC_POLICY_SE_NOT_NEEDED */
196 	"%s: Self-Encapsulation present while not expected in the "
197 	"incoming %s packet; Source %s, Destination %s.\n",
198 };
199 
200 /*
201  * General overviews:
202  *
203  * Locking:
204  *
205  *	All of the system policy structures are protected by a single
206  *	rwlock.  These structures are threaded in a
207  *	fairly complex fashion and are not expected to change on a
208  *	regular basis, so this should not cause scaling/contention
209  *	problems.  As a result, policy checks should (hopefully) be MT-hot.
210  *
211  * Allocation policy:
212  *
213  *	We use custom kmem cache types for the various
214  *	bits & pieces of the policy data structures.  All allocations
215  *	use KM_NOSLEEP instead of KM_SLEEP for policy allocation.  The
216  *	policy table is of potentially unbounded size, so we don't
217  *	want to provide a way to hog all system memory with policy
218  *	entries..
219  */
220 
221 /* Convenient functions for freeing or dropping a b_next linked mblk chain */
222 
223 /* Free all messages in an mblk chain */
224 static void
225 ipsec_freemsg_chain(mblk_t *mp)
226 {
227 	mblk_t *mpnext;
228 	while (mp != NULL) {
229 		ASSERT(mp->b_prev == NULL);
230 		mpnext = mp->b_next;
231 		mp->b_next = NULL;
232 		freemsg(mp);
233 		mp = mpnext;
234 	}
235 }
236 
237 /*
238  * ip_drop all messages in an mblk chain
239  * Can handle a b_next chain of ip_recv_attr_t mblks, or just a b_next chain
240  * of data.
241  */
242 static void
243 ip_drop_packet_chain(mblk_t *mp, boolean_t inbound, ill_t *ill,
244     struct kstat_named *counter, ipdropper_t *who_called)
245 {
246 	mblk_t *mpnext;
247 	while (mp != NULL) {
248 		ASSERT(mp->b_prev == NULL);
249 		mpnext = mp->b_next;
250 		mp->b_next = NULL;
251 		if (ip_recv_attr_is_mblk(mp))
252 			mp = ip_recv_attr_free_mblk(mp);
253 		ip_drop_packet(mp, inbound, ill, counter, who_called);
254 		mp = mpnext;
255 	}
256 }
257 
258 /*
259  * AVL tree comparison function.
260  * the in-kernel avl assumes unique keys for all objects.
261  * Since sometimes policy will duplicate rules, we may insert
262  * multiple rules with the same rule id, so we need a tie-breaker.
263  */
264 static int
265 ipsec_policy_cmpbyid(const void *a, const void *b)
266 {
267 	const ipsec_policy_t *ipa, *ipb;
268 	uint64_t idxa, idxb;
269 
270 	ipa = (const ipsec_policy_t *)a;
271 	ipb = (const ipsec_policy_t *)b;
272 	idxa = ipa->ipsp_index;
273 	idxb = ipb->ipsp_index;
274 
275 	if (idxa < idxb)
276 		return (-1);
277 	if (idxa > idxb)
278 		return (1);
279 	/*
280 	 * Tie-breaker #1: All installed policy rules have a non-NULL
281 	 * ipsl_sel (selector set), so an entry with a NULL ipsp_sel is not
282 	 * actually in-tree but rather a template node being used in
283 	 * an avl_find query; see ipsec_policy_delete().  This gives us
284 	 * a placeholder in the ordering just before the first entry with
285 	 * a key >= the one we're looking for, so we can walk forward from
286 	 * that point to get the remaining entries with the same id.
287 	 */
288 	if ((ipa->ipsp_sel == NULL) && (ipb->ipsp_sel != NULL))
289 		return (-1);
290 	if ((ipb->ipsp_sel == NULL) && (ipa->ipsp_sel != NULL))
291 		return (1);
292 	/*
293 	 * At most one of the arguments to the comparison should have a
294 	 * NULL selector pointer; if not, the tree is broken.
295 	 */
296 	ASSERT(ipa->ipsp_sel != NULL);
297 	ASSERT(ipb->ipsp_sel != NULL);
298 	/*
299 	 * Tie-breaker #2: use the virtual address of the policy node
300 	 * to arbitrarily break ties.  Since we use the new tree node in
301 	 * the avl_find() in ipsec_insert_always, the new node will be
302 	 * inserted into the tree in the right place in the sequence.
303 	 */
304 	if (ipa < ipb)
305 		return (-1);
306 	if (ipa > ipb)
307 		return (1);
308 	return (0);
309 }
310 
311 /*
312  * Free what ipsec_alloc_table allocated.
313  */
314 void
315 ipsec_polhead_free_table(ipsec_policy_head_t *iph)
316 {
317 	int dir;
318 	int i;
319 
320 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
321 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
322 
323 		if (ipr->ipr_hash == NULL)
324 			continue;
325 
326 		for (i = 0; i < ipr->ipr_nchains; i++) {
327 			ASSERT(ipr->ipr_hash[i].hash_head == NULL);
328 		}
329 		kmem_free(ipr->ipr_hash, ipr->ipr_nchains *
330 		    sizeof (ipsec_policy_hash_t));
331 		ipr->ipr_hash = NULL;
332 	}
333 }
334 
335 void
336 ipsec_polhead_destroy(ipsec_policy_head_t *iph)
337 {
338 	int dir;
339 
340 	avl_destroy(&iph->iph_rulebyid);
341 	rw_destroy(&iph->iph_lock);
342 
343 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
344 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
345 		int chain;
346 
347 		for (chain = 0; chain < ipr->ipr_nchains; chain++)
348 			mutex_destroy(&(ipr->ipr_hash[chain].hash_lock));
349 
350 	}
351 	ipsec_polhead_free_table(iph);
352 }
353 
354 /*
355  * Free the IPsec stack instance.
356  */
357 /* ARGSUSED */
358 static void
359 ipsec_stack_fini(netstackid_t stackid, void *arg)
360 {
361 	ipsec_stack_t	*ipss = (ipsec_stack_t *)arg;
362 	void *cookie;
363 	ipsec_tun_pol_t *node;
364 	netstack_t	*ns = ipss->ipsec_netstack;
365 	int		i;
366 	ipsec_algtype_t	algtype;
367 
368 	ipsec_loader_destroy(ipss);
369 
370 	rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_WRITER);
371 	/*
372 	 * It's possible we can just ASSERT() the tree is empty.  After all,
373 	 * we aren't called until IP is ready to unload (and presumably all
374 	 * tunnels have been unplumbed).  But we'll play it safe for now, the
375 	 * loop will just exit immediately if it's empty.
376 	 */
377 	cookie = NULL;
378 	while ((node = (ipsec_tun_pol_t *)
379 	    avl_destroy_nodes(&ipss->ipsec_tunnel_policies,
380 	    &cookie)) != NULL) {
381 		ITP_REFRELE(node, ns);
382 	}
383 	avl_destroy(&ipss->ipsec_tunnel_policies);
384 	rw_exit(&ipss->ipsec_tunnel_policy_lock);
385 	rw_destroy(&ipss->ipsec_tunnel_policy_lock);
386 
387 	ipsec_config_flush(ns);
388 
389 	ipsec_kstat_destroy(ipss);
390 
391 	ip_drop_unregister(&ipss->ipsec_dropper);
392 
393 	ip_drop_unregister(&ipss->ipsec_spd_dropper);
394 	ip_drop_destroy(ipss);
395 	/*
396 	 * Globals start with ref == 1 to prevent IPPH_REFRELE() from
397 	 * attempting to free them, hence they should have 1 now.
398 	 */
399 	ipsec_polhead_destroy(&ipss->ipsec_system_policy);
400 	ASSERT(ipss->ipsec_system_policy.iph_refs == 1);
401 	ipsec_polhead_destroy(&ipss->ipsec_inactive_policy);
402 	ASSERT(ipss->ipsec_inactive_policy.iph_refs == 1);
403 
404 	for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) {
405 		ipsec_action_free_table(ipss->ipsec_action_hash[i].hash_head);
406 		ipss->ipsec_action_hash[i].hash_head = NULL;
407 		mutex_destroy(&(ipss->ipsec_action_hash[i].hash_lock));
408 	}
409 
410 	for (i = 0; i < ipss->ipsec_spd_hashsize; i++) {
411 		ASSERT(ipss->ipsec_sel_hash[i].hash_head == NULL);
412 		mutex_destroy(&(ipss->ipsec_sel_hash[i].hash_lock));
413 	}
414 
415 	mutex_enter(&ipss->ipsec_alg_lock);
416 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype ++) {
417 		int nalgs = ipss->ipsec_nalgs[algtype];
418 
419 		for (i = 0; i < nalgs; i++) {
420 			if (ipss->ipsec_alglists[algtype][i] != NULL)
421 				ipsec_alg_unreg(algtype, i, ns);
422 		}
423 	}
424 	mutex_exit(&ipss->ipsec_alg_lock);
425 	mutex_destroy(&ipss->ipsec_alg_lock);
426 
427 	ipsid_gc(ns);
428 	ipsid_fini(ns);
429 
430 	(void) ipsec_free_tables(ipss);
431 	kmem_free(ipss, sizeof (*ipss));
432 }
433 
434 void
435 ipsec_policy_g_destroy(void)
436 {
437 	kmem_cache_destroy(ipsec_action_cache);
438 	kmem_cache_destroy(ipsec_sel_cache);
439 	kmem_cache_destroy(ipsec_pol_cache);
440 
441 	ipsec_unregister_prov_update();
442 
443 	netstack_unregister(NS_IPSEC);
444 }
445 
446 
447 /*
448  * Free what ipsec_alloc_tables allocated.
449  * Called when table allocation fails to free the table.
450  */
451 static int
452 ipsec_free_tables(ipsec_stack_t *ipss)
453 {
454 	int i;
455 
456 	if (ipss->ipsec_sel_hash != NULL) {
457 		for (i = 0; i < ipss->ipsec_spd_hashsize; i++) {
458 			ASSERT(ipss->ipsec_sel_hash[i].hash_head == NULL);
459 		}
460 		kmem_free(ipss->ipsec_sel_hash, ipss->ipsec_spd_hashsize *
461 		    sizeof (*ipss->ipsec_sel_hash));
462 		ipss->ipsec_sel_hash = NULL;
463 		ipss->ipsec_spd_hashsize = 0;
464 	}
465 	ipsec_polhead_free_table(&ipss->ipsec_system_policy);
466 	ipsec_polhead_free_table(&ipss->ipsec_inactive_policy);
467 
468 	return (ENOMEM);
469 }
470 
471 /*
472  * Attempt to allocate the tables in a single policy head.
473  * Return nonzero on failure after cleaning up any work in progress.
474  */
475 int
476 ipsec_alloc_table(ipsec_policy_head_t *iph, int nchains, int kmflag,
477     boolean_t global_cleanup, netstack_t *ns)
478 {
479 	int dir;
480 
481 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
482 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
483 
484 		ipr->ipr_nchains = nchains;
485 		ipr->ipr_hash = kmem_zalloc(nchains *
486 		    sizeof (ipsec_policy_hash_t), kmflag);
487 		if (ipr->ipr_hash == NULL)
488 			return (global_cleanup ?
489 			    ipsec_free_tables(ns->netstack_ipsec) :
490 			    ENOMEM);
491 	}
492 	return (0);
493 }
494 
495 /*
496  * Attempt to allocate the various tables.  Return nonzero on failure
497  * after cleaning up any work in progress.
498  */
499 static int
500 ipsec_alloc_tables(int kmflag, netstack_t *ns)
501 {
502 	int error;
503 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
504 
505 	error = ipsec_alloc_table(&ipss->ipsec_system_policy,
506 	    ipss->ipsec_spd_hashsize, kmflag, B_TRUE, ns);
507 	if (error != 0)
508 		return (error);
509 
510 	error = ipsec_alloc_table(&ipss->ipsec_inactive_policy,
511 	    ipss->ipsec_spd_hashsize, kmflag, B_TRUE, ns);
512 	if (error != 0)
513 		return (error);
514 
515 	ipss->ipsec_sel_hash = kmem_zalloc(ipss->ipsec_spd_hashsize *
516 	    sizeof (*ipss->ipsec_sel_hash), kmflag);
517 
518 	if (ipss->ipsec_sel_hash == NULL)
519 		return (ipsec_free_tables(ipss));
520 
521 	return (0);
522 }
523 
524 /*
525  * After table allocation, initialize a policy head.
526  */
527 void
528 ipsec_polhead_init(ipsec_policy_head_t *iph, int nchains)
529 {
530 	int dir, chain;
531 
532 	rw_init(&iph->iph_lock, NULL, RW_DEFAULT, NULL);
533 	avl_create(&iph->iph_rulebyid, ipsec_policy_cmpbyid,
534 	    sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid));
535 
536 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
537 		ipsec_policy_root_t *ipr = &iph->iph_root[dir];
538 		ipr->ipr_nchains = nchains;
539 
540 		for (chain = 0; chain < nchains; chain++) {
541 			mutex_init(&(ipr->ipr_hash[chain].hash_lock),
542 			    NULL, MUTEX_DEFAULT, NULL);
543 		}
544 	}
545 }
546 
547 static boolean_t
548 ipsec_kstat_init(ipsec_stack_t *ipss)
549 {
550 	ipss->ipsec_ksp = kstat_create_netstack("ip", 0, "ipsec_stat", "net",
551 	    KSTAT_TYPE_NAMED, sizeof (ipsec_kstats_t) / sizeof (kstat_named_t),
552 	    KSTAT_FLAG_PERSISTENT, ipss->ipsec_netstack->netstack_stackid);
553 
554 	if (ipss->ipsec_ksp == NULL || ipss->ipsec_ksp->ks_data == NULL)
555 		return (B_FALSE);
556 
557 	ipss->ipsec_kstats = ipss->ipsec_ksp->ks_data;
558 
559 #define	KI(x) kstat_named_init(&ipss->ipsec_kstats->x, #x, KSTAT_DATA_UINT64)
560 	KI(esp_stat_in_requests);
561 	KI(esp_stat_in_discards);
562 	KI(esp_stat_lookup_failure);
563 	KI(ah_stat_in_requests);
564 	KI(ah_stat_in_discards);
565 	KI(ah_stat_lookup_failure);
566 	KI(sadb_acquire_maxpackets);
567 	KI(sadb_acquire_qhiwater);
568 #undef KI
569 
570 	kstat_install(ipss->ipsec_ksp);
571 	return (B_TRUE);
572 }
573 
574 static void
575 ipsec_kstat_destroy(ipsec_stack_t *ipss)
576 {
577 	kstat_delete_netstack(ipss->ipsec_ksp,
578 	    ipss->ipsec_netstack->netstack_stackid);
579 	ipss->ipsec_kstats = NULL;
580 
581 }
582 
583 /*
584  * Initialize the IPsec stack instance.
585  */
586 /* ARGSUSED */
587 static void *
588 ipsec_stack_init(netstackid_t stackid, netstack_t *ns)
589 {
590 	ipsec_stack_t	*ipss;
591 	int i;
592 
593 	ipss = (ipsec_stack_t *)kmem_zalloc(sizeof (*ipss), KM_SLEEP);
594 	ipss->ipsec_netstack = ns;
595 
596 	/*
597 	 * FIXME: netstack_ipsec is used by some of the routines we call
598 	 * below, but it isn't set until this routine returns.
599 	 * Either we introduce optional xxx_stack_alloc() functions
600 	 * that will be called by the netstack framework before xxx_stack_init,
601 	 * or we switch spd.c and sadb.c to operate on ipsec_stack_t
602 	 * (latter has some include file order issues for sadb.h, but makes
603 	 * sense if we merge some of the ipsec related stack_t's together.
604 	 */
605 	ns->netstack_ipsec = ipss;
606 
607 	/*
608 	 * Make two attempts to allocate policy hash tables; try it at
609 	 * the "preferred" size (may be set in /etc/system) first,
610 	 * then fall back to the default size.
611 	 */
612 	ipss->ipsec_spd_hashsize = (ipsec_spd_hashsize == 0) ?
613 	    IPSEC_SPDHASH_DEFAULT : ipsec_spd_hashsize;
614 
615 	if (ipsec_alloc_tables(KM_NOSLEEP, ns) != 0) {
616 		cmn_err(CE_WARN,
617 		    "Unable to allocate %d entry IPsec policy hash table",
618 		    ipss->ipsec_spd_hashsize);
619 		ipss->ipsec_spd_hashsize = IPSEC_SPDHASH_DEFAULT;
620 		cmn_err(CE_WARN, "Falling back to %d entries",
621 		    ipss->ipsec_spd_hashsize);
622 		(void) ipsec_alloc_tables(KM_SLEEP, ns);
623 	}
624 
625 	/* Just set a default for tunnels. */
626 	ipss->ipsec_tun_spd_hashsize = (tun_spd_hashsize == 0) ?
627 	    TUN_SPDHASH_DEFAULT : tun_spd_hashsize;
628 
629 	ipsid_init(ns);
630 	/*
631 	 * Globals need ref == 1 to prevent IPPH_REFRELE() from attempting
632 	 * to free them.
633 	 */
634 	ipss->ipsec_system_policy.iph_refs = 1;
635 	ipss->ipsec_inactive_policy.iph_refs = 1;
636 	ipsec_polhead_init(&ipss->ipsec_system_policy,
637 	    ipss->ipsec_spd_hashsize);
638 	ipsec_polhead_init(&ipss->ipsec_inactive_policy,
639 	    ipss->ipsec_spd_hashsize);
640 	rw_init(&ipss->ipsec_tunnel_policy_lock, NULL, RW_DEFAULT, NULL);
641 	avl_create(&ipss->ipsec_tunnel_policies, tunnel_compare,
642 	    sizeof (ipsec_tun_pol_t), 0);
643 
644 	ipss->ipsec_next_policy_index = 1;
645 
646 	rw_init(&ipss->ipsec_system_policy.iph_lock, NULL, RW_DEFAULT, NULL);
647 	rw_init(&ipss->ipsec_inactive_policy.iph_lock, NULL, RW_DEFAULT, NULL);
648 
649 	for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++)
650 		mutex_init(&(ipss->ipsec_action_hash[i].hash_lock),
651 		    NULL, MUTEX_DEFAULT, NULL);
652 
653 	for (i = 0; i < ipss->ipsec_spd_hashsize; i++)
654 		mutex_init(&(ipss->ipsec_sel_hash[i].hash_lock),
655 		    NULL, MUTEX_DEFAULT, NULL);
656 
657 	mutex_init(&ipss->ipsec_alg_lock, NULL, MUTEX_DEFAULT, NULL);
658 	for (i = 0; i < IPSEC_NALGTYPES; i++) {
659 		ipss->ipsec_nalgs[i] = 0;
660 	}
661 
662 	ip_drop_init(ipss);
663 	ip_drop_register(&ipss->ipsec_spd_dropper, "IPsec SPD");
664 
665 	/* IP's IPsec code calls the packet dropper */
666 	ip_drop_register(&ipss->ipsec_dropper, "IP IPsec processing");
667 
668 	(void) ipsec_kstat_init(ipss);
669 
670 	ipsec_loader_init(ipss);
671 	ipsec_loader_start(ipss);
672 
673 	return (ipss);
674 }
675 
676 /* Global across all stack instances */
677 void
678 ipsec_policy_g_init(void)
679 {
680 	ipsec_action_cache = kmem_cache_create("ipsec_actions",
681 	    sizeof (ipsec_action_t), _POINTER_ALIGNMENT, NULL, NULL,
682 	    ipsec_action_reclaim, NULL, NULL, 0);
683 	ipsec_sel_cache = kmem_cache_create("ipsec_selectors",
684 	    sizeof (ipsec_sel_t), _POINTER_ALIGNMENT, NULL, NULL,
685 	    NULL, NULL, NULL, 0);
686 	ipsec_pol_cache = kmem_cache_create("ipsec_policy",
687 	    sizeof (ipsec_policy_t), _POINTER_ALIGNMENT, NULL, NULL,
688 	    NULL, NULL, NULL, 0);
689 
690 	/*
691 	 * We want to be informed each time a stack is created or
692 	 * destroyed in the kernel, so we can maintain the
693 	 * set of ipsec_stack_t's.
694 	 */
695 	netstack_register(NS_IPSEC, ipsec_stack_init, NULL, ipsec_stack_fini);
696 }
697 
698 /*
699  * Sort algorithm lists.
700  *
701  * I may need to split this based on
702  * authentication/encryption, and I may wish to have an administrator
703  * configure this list.  Hold on to some NDD variables...
704  *
705  * XXX For now, sort on minimum key size (GAG!).  While minimum key size is
706  * not the ideal metric, it's the only quantifiable measure available.
707  * We need a better metric for sorting algorithms by preference.
708  */
709 static void
710 alg_insert_sortlist(enum ipsec_algtype at, uint8_t algid, netstack_t *ns)
711 {
712 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
713 	ipsec_alginfo_t *ai = ipss->ipsec_alglists[at][algid];
714 	uint8_t holder, swap;
715 	uint_t i;
716 	uint_t count = ipss->ipsec_nalgs[at];
717 	ASSERT(ai != NULL);
718 	ASSERT(algid == ai->alg_id);
719 
720 	ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
721 
722 	holder = algid;
723 
724 	for (i = 0; i < count - 1; i++) {
725 		ipsec_alginfo_t *alt;
726 
727 		alt = ipss->ipsec_alglists[at][ipss->ipsec_sortlist[at][i]];
728 		/*
729 		 * If you want to give precedence to newly added algs,
730 		 * add the = in the > comparison.
731 		 */
732 		if ((holder != algid) || (ai->alg_minbits > alt->alg_minbits)) {
733 			/* Swap sortlist[i] and holder. */
734 			swap = ipss->ipsec_sortlist[at][i];
735 			ipss->ipsec_sortlist[at][i] = holder;
736 			holder = swap;
737 			ai = alt;
738 		} /* Else just continue. */
739 	}
740 
741 	/* Store holder in last slot. */
742 	ipss->ipsec_sortlist[at][i] = holder;
743 }
744 
745 /*
746  * Remove an algorithm from a sorted algorithm list.
747  * This should be considerably easier, even with complex sorting.
748  */
749 static void
750 alg_remove_sortlist(enum ipsec_algtype at, uint8_t algid, netstack_t *ns)
751 {
752 	boolean_t copyback = B_FALSE;
753 	int i;
754 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
755 	int newcount = ipss->ipsec_nalgs[at];
756 
757 	ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
758 
759 	for (i = 0; i <= newcount; i++) {
760 		if (copyback) {
761 			ipss->ipsec_sortlist[at][i-1] =
762 			    ipss->ipsec_sortlist[at][i];
763 		} else if (ipss->ipsec_sortlist[at][i] == algid) {
764 			copyback = B_TRUE;
765 		}
766 	}
767 }
768 
769 /*
770  * Add the specified algorithm to the algorithm tables.
771  * Must be called while holding the algorithm table writer lock.
772  */
773 void
774 ipsec_alg_reg(ipsec_algtype_t algtype, ipsec_alginfo_t *alg, netstack_t *ns)
775 {
776 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
777 
778 	ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
779 
780 	ASSERT(ipss->ipsec_alglists[algtype][alg->alg_id] == NULL);
781 	ipsec_alg_fix_min_max(alg, algtype, ns);
782 	ipss->ipsec_alglists[algtype][alg->alg_id] = alg;
783 
784 	ipss->ipsec_nalgs[algtype]++;
785 	alg_insert_sortlist(algtype, alg->alg_id, ns);
786 }
787 
788 /*
789  * Remove the specified algorithm from the algorithm tables.
790  * Must be called while holding the algorithm table writer lock.
791  */
792 void
793 ipsec_alg_unreg(ipsec_algtype_t algtype, uint8_t algid, netstack_t *ns)
794 {
795 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
796 
797 	ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
798 
799 	ASSERT(ipss->ipsec_alglists[algtype][algid] != NULL);
800 	ipsec_alg_free(ipss->ipsec_alglists[algtype][algid]);
801 	ipss->ipsec_alglists[algtype][algid] = NULL;
802 
803 	ipss->ipsec_nalgs[algtype]--;
804 	alg_remove_sortlist(algtype, algid, ns);
805 }
806 
807 /*
808  * Hooks for spdsock to get a grip on system policy.
809  */
810 
811 ipsec_policy_head_t *
812 ipsec_system_policy(netstack_t *ns)
813 {
814 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
815 	ipsec_policy_head_t *h = &ipss->ipsec_system_policy;
816 
817 	IPPH_REFHOLD(h);
818 	return (h);
819 }
820 
821 ipsec_policy_head_t *
822 ipsec_inactive_policy(netstack_t *ns)
823 {
824 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
825 	ipsec_policy_head_t *h = &ipss->ipsec_inactive_policy;
826 
827 	IPPH_REFHOLD(h);
828 	return (h);
829 }
830 
831 /*
832  * Lock inactive policy, then active policy, then exchange policy root
833  * pointers.
834  */
835 void
836 ipsec_swap_policy(ipsec_policy_head_t *active, ipsec_policy_head_t *inactive,
837     netstack_t *ns)
838 {
839 	int af, dir;
840 	avl_tree_t r1, r2;
841 
842 	rw_enter(&inactive->iph_lock, RW_WRITER);
843 	rw_enter(&active->iph_lock, RW_WRITER);
844 
845 	r1 = active->iph_rulebyid;
846 	r2 = inactive->iph_rulebyid;
847 	active->iph_rulebyid = r2;
848 	inactive->iph_rulebyid = r1;
849 
850 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
851 		ipsec_policy_hash_t *h1, *h2;
852 
853 		h1 = active->iph_root[dir].ipr_hash;
854 		h2 = inactive->iph_root[dir].ipr_hash;
855 		active->iph_root[dir].ipr_hash = h2;
856 		inactive->iph_root[dir].ipr_hash = h1;
857 
858 		for (af = 0; af < IPSEC_NAF; af++) {
859 			ipsec_policy_t *t1, *t2;
860 
861 			t1 = active->iph_root[dir].ipr_nonhash[af];
862 			t2 = inactive->iph_root[dir].ipr_nonhash[af];
863 			active->iph_root[dir].ipr_nonhash[af] = t2;
864 			inactive->iph_root[dir].ipr_nonhash[af] = t1;
865 			if (t1 != NULL) {
866 				t1->ipsp_hash.hash_pp =
867 				    &(inactive->iph_root[dir].ipr_nonhash[af]);
868 			}
869 			if (t2 != NULL) {
870 				t2->ipsp_hash.hash_pp =
871 				    &(active->iph_root[dir].ipr_nonhash[af]);
872 			}
873 
874 		}
875 	}
876 	active->iph_gen++;
877 	inactive->iph_gen++;
878 	ipsec_update_present_flags(ns->netstack_ipsec);
879 	rw_exit(&active->iph_lock);
880 	rw_exit(&inactive->iph_lock);
881 }
882 
883 /*
884  * Swap global policy primary/secondary.
885  */
886 void
887 ipsec_swap_global_policy(netstack_t *ns)
888 {
889 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
890 
891 	ipsec_swap_policy(&ipss->ipsec_system_policy,
892 	    &ipss->ipsec_inactive_policy, ns);
893 }
894 
895 /*
896  * Clone one policy rule..
897  */
898 static ipsec_policy_t *
899 ipsec_copy_policy(const ipsec_policy_t *src)
900 {
901 	ipsec_policy_t *dst = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);
902 
903 	if (dst == NULL)
904 		return (NULL);
905 
906 	/*
907 	 * Adjust refcounts of cloned state.
908 	 */
909 	IPACT_REFHOLD(src->ipsp_act);
910 	src->ipsp_sel->ipsl_refs++;
911 
912 	HASH_NULL(dst, ipsp_hash);
913 	dst->ipsp_netstack = src->ipsp_netstack;
914 	dst->ipsp_refs = 1;
915 	dst->ipsp_sel = src->ipsp_sel;
916 	dst->ipsp_act = src->ipsp_act;
917 	dst->ipsp_prio = src->ipsp_prio;
918 	dst->ipsp_index = src->ipsp_index;
919 
920 	return (dst);
921 }
922 
923 void
924 ipsec_insert_always(avl_tree_t *tree, void *new_node)
925 {
926 	void *node;
927 	avl_index_t where;
928 
929 	node = avl_find(tree, new_node, &where);
930 	ASSERT(node == NULL);
931 	avl_insert(tree, new_node, where);
932 }
933 
934 
935 static int
936 ipsec_copy_chain(ipsec_policy_head_t *dph, ipsec_policy_t *src,
937     ipsec_policy_t **dstp)
938 {
939 	for (; src != NULL; src = src->ipsp_hash.hash_next) {
940 		ipsec_policy_t *dst = ipsec_copy_policy(src);
941 		if (dst == NULL)
942 			return (ENOMEM);
943 
944 		HASHLIST_INSERT(dst, ipsp_hash, *dstp);
945 		ipsec_insert_always(&dph->iph_rulebyid, dst);
946 	}
947 	return (0);
948 }
949 
950 
951 
952 /*
953  * Make one policy head look exactly like another.
954  *
955  * As with ipsec_swap_policy, we lock the destination policy head first, then
956  * the source policy head. Note that we only need to read-lock the source
957  * policy head as we are not changing it.
958  */
959 int
960 ipsec_copy_polhead(ipsec_policy_head_t *sph, ipsec_policy_head_t *dph,
961     netstack_t *ns)
962 {
963 	int af, dir, chain, nchains;
964 
965 	rw_enter(&dph->iph_lock, RW_WRITER);
966 
967 	ipsec_polhead_flush(dph, ns);
968 
969 	rw_enter(&sph->iph_lock, RW_READER);
970 
971 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
972 		ipsec_policy_root_t *dpr = &dph->iph_root[dir];
973 		ipsec_policy_root_t *spr = &sph->iph_root[dir];
974 		nchains = dpr->ipr_nchains;
975 
976 		ASSERT(dpr->ipr_nchains == spr->ipr_nchains);
977 
978 		for (af = 0; af < IPSEC_NAF; af++) {
979 			if (ipsec_copy_chain(dph, spr->ipr_nonhash[af],
980 			    &dpr->ipr_nonhash[af]))
981 				goto abort_copy;
982 		}
983 
984 		for (chain = 0; chain < nchains; chain++) {
985 			if (ipsec_copy_chain(dph,
986 			    spr->ipr_hash[chain].hash_head,
987 			    &dpr->ipr_hash[chain].hash_head))
988 				goto abort_copy;
989 		}
990 	}
991 
992 	dph->iph_gen++;
993 
994 	rw_exit(&sph->iph_lock);
995 	rw_exit(&dph->iph_lock);
996 	return (0);
997 
998 abort_copy:
999 	ipsec_polhead_flush(dph, ns);
1000 	rw_exit(&sph->iph_lock);
1001 	rw_exit(&dph->iph_lock);
1002 	return (ENOMEM);
1003 }
1004 
1005 /*
1006  * Clone currently active policy to the inactive policy list.
1007  */
1008 int
1009 ipsec_clone_system_policy(netstack_t *ns)
1010 {
1011 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
1012 
1013 	return (ipsec_copy_polhead(&ipss->ipsec_system_policy,
1014 	    &ipss->ipsec_inactive_policy, ns));
1015 }
1016 
1017 /*
1018  * Extract the string from ipsec_policy_failure_msgs[type] and
1019  * log it.
1020  *
1021  */
1022 void
1023 ipsec_log_policy_failure(int type, char *func_name, ipha_t *ipha, ip6_t *ip6h,
1024     boolean_t secure, netstack_t *ns)
1025 {
1026 	char	sbuf[INET6_ADDRSTRLEN];
1027 	char	dbuf[INET6_ADDRSTRLEN];
1028 	char	*s;
1029 	char	*d;
1030 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
1031 
1032 	ASSERT((ipha == NULL && ip6h != NULL) ||
1033 	    (ip6h == NULL && ipha != NULL));
1034 
1035 	if (ipha != NULL) {
1036 		s = inet_ntop(AF_INET, &ipha->ipha_src, sbuf, sizeof (sbuf));
1037 		d = inet_ntop(AF_INET, &ipha->ipha_dst, dbuf, sizeof (dbuf));
1038 	} else {
1039 		s = inet_ntop(AF_INET6, &ip6h->ip6_src, sbuf, sizeof (sbuf));
1040 		d = inet_ntop(AF_INET6, &ip6h->ip6_dst, dbuf, sizeof (dbuf));
1041 
1042 	}
1043 
1044 	/* Always bump the policy failure counter. */
1045 	ipss->ipsec_policy_failure_count[type]++;
1046 
1047 	ipsec_rl_strlog(ns, IP_MOD_ID, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
1048 	    ipsec_policy_failure_msgs[type], func_name,
1049 	    (secure ? "secure" : "not secure"), s, d);
1050 }
1051 
1052 /*
1053  * Rate-limiting front-end to strlog() for AH and ESP.	Uses the ndd variables
1054  * in /dev/ip and the same rate-limiting clock so that there's a single
1055  * knob to turn to throttle the rate of messages.
1056  */
1057 void
1058 ipsec_rl_strlog(netstack_t *ns, short mid, short sid, char level, ushort_t sl,
1059     char *fmt, ...)
1060 {
1061 	va_list adx;
1062 	hrtime_t current = gethrtime();
1063 	ip_stack_t	*ipst = ns->netstack_ip;
1064 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
1065 
1066 	sl |= SL_CONSOLE;
1067 	/*
1068 	 * Throttle logging to stop syslog from being swamped. If variable
1069 	 * 'ipsec_policy_log_interval' is zero, don't log any messages at
1070 	 * all, otherwise log only one message every 'ipsec_policy_log_interval'
1071 	 * msec. Convert interval (in msec) to hrtime (in nsec).
1072 	 */
1073 
1074 	if (ipst->ips_ipsec_policy_log_interval) {
1075 		if (ipss->ipsec_policy_failure_last +
1076 		    MSEC2NSEC(ipst->ips_ipsec_policy_log_interval) <= current) {
1077 			va_start(adx, fmt);
1078 			(void) vstrlog(mid, sid, level, sl, fmt, adx);
1079 			va_end(adx);
1080 			ipss->ipsec_policy_failure_last = current;
1081 		}
1082 	}
1083 }
1084 
1085 void
1086 ipsec_config_flush(netstack_t *ns)
1087 {
1088 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
1089 
1090 	rw_enter(&ipss->ipsec_system_policy.iph_lock, RW_WRITER);
1091 	ipsec_polhead_flush(&ipss->ipsec_system_policy, ns);
1092 	ipss->ipsec_next_policy_index = 1;
1093 	rw_exit(&ipss->ipsec_system_policy.iph_lock);
1094 	ipsec_action_reclaim_stack(ipss);
1095 }
1096 
1097 /*
1098  * Clip a policy's min/max keybits vs. the capabilities of the
1099  * algorithm.
1100  */
1101 static void
1102 act_alg_adjust(uint_t algtype, uint_t algid,
1103     uint16_t *minbits, uint16_t *maxbits, netstack_t *ns)
1104 {
1105 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
1106 	ipsec_alginfo_t *algp = ipss->ipsec_alglists[algtype][algid];
1107 
1108 	if (algp != NULL) {
1109 		/*
1110 		 * If passed-in minbits is zero, we assume the caller trusts
1111 		 * us with setting the minimum key size.  We pick the
1112 		 * algorithms DEFAULT key size for the minimum in this case.
1113 		 */
1114 		if (*minbits == 0) {
1115 			*minbits = algp->alg_default_bits;
1116 			ASSERT(*minbits >= algp->alg_minbits);
1117 		} else {
1118 			*minbits = MAX(MIN(*minbits, algp->alg_maxbits),
1119 			    algp->alg_minbits);
1120 		}
1121 		if (*maxbits == 0)
1122 			*maxbits = algp->alg_maxbits;
1123 		else
1124 			*maxbits = MIN(MAX(*maxbits, algp->alg_minbits),
1125 			    algp->alg_maxbits);
1126 		ASSERT(*minbits <= *maxbits);
1127 	} else {
1128 		*minbits = 0;
1129 		*maxbits = 0;
1130 	}
1131 }
1132 
1133 /*
1134  * Check an action's requested algorithms against the algorithms currently
1135  * loaded in the system.
1136  */
1137 boolean_t
1138 ipsec_check_action(ipsec_act_t *act, int *diag, netstack_t *ns)
1139 {
1140 	ipsec_prot_t *ipp;
1141 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
1142 
1143 	ipp = &act->ipa_apply;
1144 
1145 	if (ipp->ipp_use_ah &&
1146 	    ipss->ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_auth_alg] == NULL) {
1147 		*diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG;
1148 		return (B_FALSE);
1149 	}
1150 	if (ipp->ipp_use_espa &&
1151 	    ipss->ipsec_alglists[IPSEC_ALG_AUTH][ipp->ipp_esp_auth_alg] ==
1152 	    NULL) {
1153 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG;
1154 		return (B_FALSE);
1155 	}
1156 	if (ipp->ipp_use_esp &&
1157 	    ipss->ipsec_alglists[IPSEC_ALG_ENCR][ipp->ipp_encr_alg] == NULL) {
1158 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG;
1159 		return (B_FALSE);
1160 	}
1161 
1162 	act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_auth_alg,
1163 	    &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits, ns);
1164 	act_alg_adjust(IPSEC_ALG_AUTH, ipp->ipp_esp_auth_alg,
1165 	    &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits, ns);
1166 	act_alg_adjust(IPSEC_ALG_ENCR, ipp->ipp_encr_alg,
1167 	    &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits, ns);
1168 
1169 	if (ipp->ipp_ah_minbits > ipp->ipp_ah_maxbits) {
1170 		*diag = SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE;
1171 		return (B_FALSE);
1172 	}
1173 	if (ipp->ipp_espa_minbits > ipp->ipp_espa_maxbits) {
1174 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE;
1175 		return (B_FALSE);
1176 	}
1177 	if (ipp->ipp_espe_minbits > ipp->ipp_espe_maxbits) {
1178 		*diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE;
1179 		return (B_FALSE);
1180 	}
1181 	/* TODO: sanity check lifetimes */
1182 	return (B_TRUE);
1183 }
1184 
1185 /*
1186  * Set up a single action during wildcard expansion..
1187  */
1188 static void
1189 ipsec_setup_act(ipsec_act_t *outact, ipsec_act_t *act,
1190     uint_t auth_alg, uint_t encr_alg, uint_t eauth_alg, netstack_t *ns)
1191 {
1192 	ipsec_prot_t *ipp;
1193 
1194 	*outact = *act;
1195 	ipp = &outact->ipa_apply;
1196 	ipp->ipp_auth_alg = (uint8_t)auth_alg;
1197 	ipp->ipp_encr_alg = (uint8_t)encr_alg;
1198 	ipp->ipp_esp_auth_alg = (uint8_t)eauth_alg;
1199 
1200 	act_alg_adjust(IPSEC_ALG_AUTH, auth_alg,
1201 	    &ipp->ipp_ah_minbits, &ipp->ipp_ah_maxbits, ns);
1202 	act_alg_adjust(IPSEC_ALG_AUTH, eauth_alg,
1203 	    &ipp->ipp_espa_minbits, &ipp->ipp_espa_maxbits, ns);
1204 	act_alg_adjust(IPSEC_ALG_ENCR, encr_alg,
1205 	    &ipp->ipp_espe_minbits, &ipp->ipp_espe_maxbits, ns);
1206 }
1207 
1208 /*
1209  * combinatoric expansion time: expand a wildcarded action into an
1210  * array of wildcarded actions; we return the exploded action list,
1211  * and return a count in *nact (output only).
1212  */
1213 static ipsec_act_t *
1214 ipsec_act_wildcard_expand(ipsec_act_t *act, uint_t *nact, netstack_t *ns)
1215 {
1216 	boolean_t use_ah, use_esp, use_espa;
1217 	boolean_t wild_auth, wild_encr, wild_eauth;
1218 	uint_t	auth_alg, auth_idx, auth_min, auth_max;
1219 	uint_t	eauth_alg, eauth_idx, eauth_min, eauth_max;
1220 	uint_t  encr_alg, encr_idx, encr_min, encr_max;
1221 	uint_t	action_count, ai;
1222 	ipsec_act_t *outact;
1223 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
1224 
1225 	if (act->ipa_type != IPSEC_ACT_APPLY) {
1226 		outact = kmem_alloc(sizeof (*act), KM_NOSLEEP);
1227 		*nact = 1;
1228 		if (outact != NULL)
1229 			bcopy(act, outact, sizeof (*act));
1230 		return (outact);
1231 	}
1232 	/*
1233 	 * compute the combinatoric explosion..
1234 	 *
1235 	 * we assume a request for encr if esp_req is PREF_REQUIRED
1236 	 * we assume a request for ah auth if ah_req is PREF_REQUIRED.
1237 	 * we assume a request for esp auth if !ah and esp_req is PREF_REQUIRED
1238 	 */
1239 
1240 	use_ah = act->ipa_apply.ipp_use_ah;
1241 	use_esp = act->ipa_apply.ipp_use_esp;
1242 	use_espa = act->ipa_apply.ipp_use_espa;
1243 	auth_alg = act->ipa_apply.ipp_auth_alg;
1244 	eauth_alg = act->ipa_apply.ipp_esp_auth_alg;
1245 	encr_alg = act->ipa_apply.ipp_encr_alg;
1246 
1247 	wild_auth = use_ah && (auth_alg == 0);
1248 	wild_eauth = use_espa && (eauth_alg == 0);
1249 	wild_encr = use_esp && (encr_alg == 0);
1250 
1251 	action_count = 1;
1252 	auth_min = auth_max = auth_alg;
1253 	eauth_min = eauth_max = eauth_alg;
1254 	encr_min = encr_max = encr_alg;
1255 
1256 	/*
1257 	 * set up for explosion.. for each dimension, expand output
1258 	 * size by the explosion factor.
1259 	 *
1260 	 * Don't include the "any" algorithms, if defined, as no
1261 	 * kernel policies should be set for these algorithms.
1262 	 */
1263 
1264 #define	SET_EXP_MINMAX(type, wild, alg, min, max, ipss)		\
1265 	if (wild) {						\
1266 		int nalgs = ipss->ipsec_nalgs[type];		\
1267 		if (ipss->ipsec_alglists[type][alg] != NULL)	\
1268 			nalgs--;				\
1269 		action_count *= nalgs;				\
1270 		min = 0;					\
1271 		max = ipss->ipsec_nalgs[type] - 1;		\
1272 	}
1273 
1274 	SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_auth, SADB_AALG_NONE,
1275 	    auth_min, auth_max, ipss);
1276 	SET_EXP_MINMAX(IPSEC_ALG_AUTH, wild_eauth, SADB_AALG_NONE,
1277 	    eauth_min, eauth_max, ipss);
1278 	SET_EXP_MINMAX(IPSEC_ALG_ENCR, wild_encr, SADB_EALG_NONE,
1279 	    encr_min, encr_max, ipss);
1280 
1281 #undef	SET_EXP_MINMAX
1282 
1283 	/*
1284 	 * ok, allocate the whole mess..
1285 	 */
1286 
1287 	outact = kmem_alloc(sizeof (*outact) * action_count, KM_NOSLEEP);
1288 	if (outact == NULL)
1289 		return (NULL);
1290 
1291 	/*
1292 	 * Now compute all combinations.  Note that non-wildcarded
1293 	 * dimensions just get a single value from auth_min, while
1294 	 * wildcarded dimensions indirect through the sortlist.
1295 	 *
1296 	 * We do encryption outermost since, at this time, there's
1297 	 * greater difference in security and performance between
1298 	 * encryption algorithms vs. authentication algorithms.
1299 	 */
1300 
1301 	ai = 0;
1302 
1303 #define	WHICH_ALG(type, wild, idx, ipss) \
1304 	((wild)?(ipss->ipsec_sortlist[type][idx]):(idx))
1305 
1306 	for (encr_idx = encr_min; encr_idx <= encr_max; encr_idx++) {
1307 		encr_alg = WHICH_ALG(IPSEC_ALG_ENCR, wild_encr, encr_idx, ipss);
1308 		if (wild_encr && encr_alg == SADB_EALG_NONE)
1309 			continue;
1310 		for (auth_idx = auth_min; auth_idx <= auth_max; auth_idx++) {
1311 			auth_alg = WHICH_ALG(IPSEC_ALG_AUTH, wild_auth,
1312 			    auth_idx, ipss);
1313 			if (wild_auth && auth_alg == SADB_AALG_NONE)
1314 				continue;
1315 			for (eauth_idx = eauth_min; eauth_idx <= eauth_max;
1316 			    eauth_idx++) {
1317 				eauth_alg = WHICH_ALG(IPSEC_ALG_AUTH,
1318 				    wild_eauth, eauth_idx, ipss);
1319 				if (wild_eauth && eauth_alg == SADB_AALG_NONE)
1320 					continue;
1321 
1322 				ipsec_setup_act(&outact[ai], act,
1323 				    auth_alg, encr_alg, eauth_alg, ns);
1324 				ai++;
1325 			}
1326 		}
1327 	}
1328 
1329 #undef WHICH_ALG
1330 
1331 	ASSERT(ai == action_count);
1332 	*nact = action_count;
1333 	return (outact);
1334 }
1335 
1336 /*
1337  * Extract the parts of an ipsec_prot_t from an old-style ipsec_req_t.
1338  */
1339 static void
1340 ipsec_prot_from_req(const ipsec_req_t *req, ipsec_prot_t *ipp)
1341 {
1342 	bzero(ipp, sizeof (*ipp));
1343 	/*
1344 	 * ipp_use_* are bitfields.  Look at "!!" in the following as a
1345 	 * "boolean canonicalization" operator.
1346 	 */
1347 	ipp->ipp_use_ah = !!(req->ipsr_ah_req & IPSEC_PREF_REQUIRED);
1348 	ipp->ipp_use_esp = !!(req->ipsr_esp_req & IPSEC_PREF_REQUIRED);
1349 	ipp->ipp_use_espa = !!(req->ipsr_esp_auth_alg);
1350 	ipp->ipp_use_se = !!(req->ipsr_self_encap_req & IPSEC_PREF_REQUIRED);
1351 	ipp->ipp_use_unique = !!((req->ipsr_ah_req|req->ipsr_esp_req) &
1352 	    IPSEC_PREF_UNIQUE);
1353 	ipp->ipp_encr_alg = req->ipsr_esp_alg;
1354 	/*
1355 	 * SADB_AALG_ANY is a placeholder to distinguish "any" from
1356 	 * "none" above.  If auth is required, as determined above,
1357 	 * SADB_AALG_ANY becomes 0, which is the representation
1358 	 * of "any" and "none" in PF_KEY v2.
1359 	 */
1360 	ipp->ipp_auth_alg = (req->ipsr_auth_alg != SADB_AALG_ANY) ?
1361 	    req->ipsr_auth_alg : 0;
1362 	ipp->ipp_esp_auth_alg = (req->ipsr_esp_auth_alg != SADB_AALG_ANY) ?
1363 	    req->ipsr_esp_auth_alg : 0;
1364 }
1365 
1366 /*
1367  * Extract a new-style action from a request.
1368  */
1369 void
1370 ipsec_actvec_from_req(const ipsec_req_t *req, ipsec_act_t **actp, uint_t *nactp,
1371     netstack_t *ns)
1372 {
1373 	struct ipsec_act act;
1374 
1375 	bzero(&act, sizeof (act));
1376 	if ((req->ipsr_ah_req & IPSEC_PREF_NEVER) &&
1377 	    (req->ipsr_esp_req & IPSEC_PREF_NEVER)) {
1378 		act.ipa_type = IPSEC_ACT_BYPASS;
1379 	} else {
1380 		act.ipa_type = IPSEC_ACT_APPLY;
1381 		ipsec_prot_from_req(req, &act.ipa_apply);
1382 	}
1383 	*actp = ipsec_act_wildcard_expand(&act, nactp, ns);
1384 }
1385 
1386 /*
1387  * Convert a new-style "prot" back to an ipsec_req_t (more backwards compat).
1388  * We assume caller has already zero'ed *req for us.
1389  */
1390 static int
1391 ipsec_req_from_prot(ipsec_prot_t *ipp, ipsec_req_t *req)
1392 {
1393 	req->ipsr_esp_alg = ipp->ipp_encr_alg;
1394 	req->ipsr_auth_alg = ipp->ipp_auth_alg;
1395 	req->ipsr_esp_auth_alg = ipp->ipp_esp_auth_alg;
1396 
1397 	if (ipp->ipp_use_unique) {
1398 		req->ipsr_ah_req |= IPSEC_PREF_UNIQUE;
1399 		req->ipsr_esp_req |= IPSEC_PREF_UNIQUE;
1400 	}
1401 	if (ipp->ipp_use_se)
1402 		req->ipsr_self_encap_req |= IPSEC_PREF_REQUIRED;
1403 	if (ipp->ipp_use_ah)
1404 		req->ipsr_ah_req |= IPSEC_PREF_REQUIRED;
1405 	if (ipp->ipp_use_esp)
1406 		req->ipsr_esp_req |= IPSEC_PREF_REQUIRED;
1407 	return (sizeof (*req));
1408 }
1409 
1410 /*
1411  * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1412  * We assume caller has already zero'ed *req for us.
1413  */
1414 static int
1415 ipsec_req_from_act(ipsec_action_t *ap, ipsec_req_t *req)
1416 {
1417 	switch (ap->ipa_act.ipa_type) {
1418 	case IPSEC_ACT_BYPASS:
1419 		req->ipsr_ah_req = IPSEC_PREF_NEVER;
1420 		req->ipsr_esp_req = IPSEC_PREF_NEVER;
1421 		return (sizeof (*req));
1422 	case IPSEC_ACT_APPLY:
1423 		return (ipsec_req_from_prot(&ap->ipa_act.ipa_apply, req));
1424 	}
1425 	return (sizeof (*req));
1426 }
1427 
1428 /*
1429  * Convert a new-style action back to an ipsec_req_t (more backwards compat).
1430  * We assume caller has already zero'ed *req for us.
1431  */
1432 int
1433 ipsec_req_from_head(ipsec_policy_head_t *ph, ipsec_req_t *req, int af)
1434 {
1435 	ipsec_policy_t *p;
1436 
1437 	/*
1438 	 * FULL-PERSOCK: consult hash table, too?
1439 	 */
1440 	for (p = ph->iph_root[IPSEC_INBOUND].ipr_nonhash[af];
1441 	    p != NULL;
1442 	    p = p->ipsp_hash.hash_next) {
1443 		if ((p->ipsp_sel->ipsl_key.ipsl_valid & IPSL_WILDCARD) == 0)
1444 			return (ipsec_req_from_act(p->ipsp_act, req));
1445 	}
1446 	return (sizeof (*req));
1447 }
1448 
1449 /*
1450  * Based on per-socket or latched policy, convert to an appropriate
1451  * IP_SEC_OPT ipsec_req_t for the socket option; return size so we can
1452  * be tail-called from ip.
1453  */
1454 int
1455 ipsec_req_from_conn(conn_t *connp, ipsec_req_t *req, int af)
1456 {
1457 	ipsec_latch_t *ipl;
1458 	int rv = sizeof (ipsec_req_t);
1459 
1460 	bzero(req, sizeof (*req));
1461 
1462 	ASSERT(MUTEX_HELD(&connp->conn_lock));
1463 	ipl = connp->conn_latch;
1464 
1465 	/*
1466 	 * Find appropriate policy.  First choice is latched action;
1467 	 * failing that, see latched policy; failing that,
1468 	 * look at configured policy.
1469 	 */
1470 	if (ipl != NULL) {
1471 		if (connp->conn_latch_in_action != NULL) {
1472 			rv = ipsec_req_from_act(connp->conn_latch_in_action,
1473 			    req);
1474 			goto done;
1475 		}
1476 		if (connp->conn_latch_in_policy != NULL) {
1477 			rv = ipsec_req_from_act(
1478 			    connp->conn_latch_in_policy->ipsp_act, req);
1479 			goto done;
1480 		}
1481 	}
1482 	if (connp->conn_policy != NULL)
1483 		rv = ipsec_req_from_head(connp->conn_policy, req, af);
1484 done:
1485 	return (rv);
1486 }
1487 
1488 void
1489 ipsec_actvec_free(ipsec_act_t *act, uint_t nact)
1490 {
1491 	kmem_free(act, nact * sizeof (*act));
1492 }
1493 
1494 /*
1495  * Consumes a reference to ipsp.
1496  */
1497 static mblk_t *
1498 ipsec_check_loopback_policy(mblk_t *data_mp, ip_recv_attr_t *ira,
1499     ipsec_policy_t *ipsp)
1500 {
1501 	if (!(ira->ira_flags & IRAF_IPSEC_SECURE))
1502 		return (data_mp);
1503 
1504 	ASSERT(ira->ira_flags & IRAF_LOOPBACK);
1505 
1506 	IPPOL_REFRELE(ipsp);
1507 
1508 	/*
1509 	 * We should do an actual policy check here.  Revisit this
1510 	 * when we revisit the IPsec API.  (And pass a conn_t in when we
1511 	 * get there.)
1512 	 */
1513 
1514 	return (data_mp);
1515 }
1516 
1517 /*
1518  * Check that packet's inbound ports & proto match the selectors
1519  * expected by the SAs it traversed on the way in.
1520  */
1521 static boolean_t
1522 ipsec_check_ipsecin_unique(ip_recv_attr_t *ira, const char **reason,
1523     kstat_named_t **counter, uint64_t pkt_unique, netstack_t *ns)
1524 {
1525 	uint64_t ah_mask, esp_mask;
1526 	ipsa_t *ah_assoc;
1527 	ipsa_t *esp_assoc;
1528 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
1529 
1530 	ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1531 	ASSERT(!(ira->ira_flags & IRAF_LOOPBACK));
1532 
1533 	ah_assoc = ira->ira_ipsec_ah_sa;
1534 	esp_assoc = ira->ira_ipsec_esp_sa;
1535 	ASSERT((ah_assoc != NULL) || (esp_assoc != NULL));
1536 
1537 	ah_mask = (ah_assoc != NULL) ? ah_assoc->ipsa_unique_mask : 0;
1538 	esp_mask = (esp_assoc != NULL) ? esp_assoc->ipsa_unique_mask : 0;
1539 
1540 	if ((ah_mask == 0) && (esp_mask == 0))
1541 		return (B_TRUE);
1542 
1543 	/*
1544 	 * The pkt_unique check will also check for tunnel mode on the SA
1545 	 * vs. the tunneled_packet boolean.  "Be liberal in what you receive"
1546 	 * should not apply in this case.  ;)
1547 	 */
1548 
1549 	if (ah_mask != 0 &&
1550 	    ah_assoc->ipsa_unique_id != (pkt_unique & ah_mask)) {
1551 		*reason = "AH inner header mismatch";
1552 		*counter = DROPPER(ipss, ipds_spd_ah_innermismatch);
1553 		return (B_FALSE);
1554 	}
1555 	if (esp_mask != 0 &&
1556 	    esp_assoc->ipsa_unique_id != (pkt_unique & esp_mask)) {
1557 		*reason = "ESP inner header mismatch";
1558 		*counter = DROPPER(ipss, ipds_spd_esp_innermismatch);
1559 		return (B_FALSE);
1560 	}
1561 	return (B_TRUE);
1562 }
1563 
1564 static boolean_t
1565 ipsec_check_ipsecin_action(ip_recv_attr_t *ira, mblk_t *mp, ipsec_action_t *ap,
1566     ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter,
1567     netstack_t *ns)
1568 {
1569 	boolean_t ret = B_TRUE;
1570 	ipsec_prot_t *ipp;
1571 	ipsa_t *ah_assoc;
1572 	ipsa_t *esp_assoc;
1573 	boolean_t decaps;
1574 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
1575 
1576 	ASSERT((ipha == NULL && ip6h != NULL) ||
1577 	    (ip6h == NULL && ipha != NULL));
1578 
1579 	if (ira->ira_flags & IRAF_LOOPBACK) {
1580 		/*
1581 		 * Besides accepting pointer-equivalent actions, we also
1582 		 * accept any ICMP errors we generated for ourselves,
1583 		 * regardless of policy.  If we do not wish to make this
1584 		 * assumption in the future, check here, and where
1585 		 * IXAF_TRUSTED_ICMP is initialized in ip.c and ip6.c.
1586 		 */
1587 		if (ap == ira->ira_ipsec_action ||
1588 		    (ira->ira_flags & IRAF_TRUSTED_ICMP))
1589 			return (B_TRUE);
1590 
1591 		/* Deep compare necessary here?? */
1592 		*counter = DROPPER(ipss, ipds_spd_loopback_mismatch);
1593 		*reason = "loopback policy mismatch";
1594 		return (B_FALSE);
1595 	}
1596 	ASSERT(!(ira->ira_flags & IRAF_TRUSTED_ICMP));
1597 	ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1598 
1599 	ah_assoc = ira->ira_ipsec_ah_sa;
1600 	esp_assoc = ira->ira_ipsec_esp_sa;
1601 
1602 	decaps = (ira->ira_flags & IRAF_IPSEC_DECAPS);
1603 
1604 	switch (ap->ipa_act.ipa_type) {
1605 	case IPSEC_ACT_DISCARD:
1606 	case IPSEC_ACT_REJECT:
1607 		/* Should "fail hard" */
1608 		*counter = DROPPER(ipss, ipds_spd_explicit);
1609 		*reason = "blocked by policy";
1610 		return (B_FALSE);
1611 
1612 	case IPSEC_ACT_BYPASS:
1613 	case IPSEC_ACT_CLEAR:
1614 		*counter = DROPPER(ipss, ipds_spd_got_secure);
1615 		*reason = "expected clear, got protected";
1616 		return (B_FALSE);
1617 
1618 	case IPSEC_ACT_APPLY:
1619 		ipp = &ap->ipa_act.ipa_apply;
1620 		/*
1621 		 * As of now we do the simple checks of whether
1622 		 * the datagram has gone through the required IPSEC
1623 		 * protocol constraints or not. We might have more
1624 		 * in the future like sensitive levels, key bits, etc.
1625 		 * If it fails the constraints, check whether we would
1626 		 * have accepted this if it had come in clear.
1627 		 */
1628 		if (ipp->ipp_use_ah) {
1629 			if (ah_assoc == NULL) {
1630 				ret = ipsec_inbound_accept_clear(mp, ipha,
1631 				    ip6h);
1632 				*counter = DROPPER(ipss, ipds_spd_got_clear);
1633 				*reason = "unprotected not accepted";
1634 				break;
1635 			}
1636 			ASSERT(ah_assoc != NULL);
1637 			ASSERT(ipp->ipp_auth_alg != 0);
1638 
1639 			if (ah_assoc->ipsa_auth_alg !=
1640 			    ipp->ipp_auth_alg) {
1641 				*counter = DROPPER(ipss, ipds_spd_bad_ahalg);
1642 				*reason = "unacceptable ah alg";
1643 				ret = B_FALSE;
1644 				break;
1645 			}
1646 		} else if (ah_assoc != NULL) {
1647 			/*
1648 			 * Don't allow this. Check IPSEC NOTE above
1649 			 * ip_fanout_proto().
1650 			 */
1651 			*counter = DROPPER(ipss, ipds_spd_got_ah);
1652 			*reason = "unexpected AH";
1653 			ret = B_FALSE;
1654 			break;
1655 		}
1656 		if (ipp->ipp_use_esp) {
1657 			if (esp_assoc == NULL) {
1658 				ret = ipsec_inbound_accept_clear(mp, ipha,
1659 				    ip6h);
1660 				*counter = DROPPER(ipss, ipds_spd_got_clear);
1661 				*reason = "unprotected not accepted";
1662 				break;
1663 			}
1664 			ASSERT(esp_assoc != NULL);
1665 			ASSERT(ipp->ipp_encr_alg != 0);
1666 
1667 			if (esp_assoc->ipsa_encr_alg !=
1668 			    ipp->ipp_encr_alg) {
1669 				*counter = DROPPER(ipss, ipds_spd_bad_espealg);
1670 				*reason = "unacceptable esp alg";
1671 				ret = B_FALSE;
1672 				break;
1673 			}
1674 			/*
1675 			 * If the client does not need authentication,
1676 			 * we don't verify the alogrithm.
1677 			 */
1678 			if (ipp->ipp_use_espa) {
1679 				if (esp_assoc->ipsa_auth_alg !=
1680 				    ipp->ipp_esp_auth_alg) {
1681 					*counter = DROPPER(ipss,
1682 					    ipds_spd_bad_espaalg);
1683 					*reason = "unacceptable esp auth alg";
1684 					ret = B_FALSE;
1685 					break;
1686 				}
1687 			}
1688 		} else if (esp_assoc != NULL) {
1689 			/*
1690 			 * Don't allow this. Check IPSEC NOTE above
1691 			 * ip_fanout_proto().
1692 			 */
1693 			*counter = DROPPER(ipss, ipds_spd_got_esp);
1694 			*reason = "unexpected ESP";
1695 			ret = B_FALSE;
1696 			break;
1697 		}
1698 		if (ipp->ipp_use_se) {
1699 			if (!decaps) {
1700 				ret = ipsec_inbound_accept_clear(mp, ipha,
1701 				    ip6h);
1702 				if (!ret) {
1703 					/* XXX mutant? */
1704 					*counter = DROPPER(ipss,
1705 					    ipds_spd_bad_selfencap);
1706 					*reason = "self encap not found";
1707 					break;
1708 				}
1709 			}
1710 		} else if (decaps) {
1711 			/*
1712 			 * XXX If the packet comes in tunneled and the
1713 			 * recipient does not expect it to be tunneled, it
1714 			 * is okay. But we drop to be consistent with the
1715 			 * other cases.
1716 			 */
1717 			*counter = DROPPER(ipss, ipds_spd_got_selfencap);
1718 			*reason = "unexpected self encap";
1719 			ret = B_FALSE;
1720 			break;
1721 		}
1722 		if (ira->ira_ipsec_action != NULL) {
1723 			/*
1724 			 * This can happen if we do a double policy-check on
1725 			 * a packet
1726 			 * XXX XXX should fix this case!
1727 			 */
1728 			IPACT_REFRELE(ira->ira_ipsec_action);
1729 		}
1730 		ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1731 		ASSERT(ira->ira_ipsec_action == NULL);
1732 		IPACT_REFHOLD(ap);
1733 		ira->ira_ipsec_action = ap;
1734 		break;	/* from switch */
1735 	}
1736 	return (ret);
1737 }
1738 
1739 static boolean_t
1740 spd_match_inbound_ids(ipsec_latch_t *ipl, ipsa_t *sa)
1741 {
1742 	ASSERT(ipl->ipl_ids_latched == B_TRUE);
1743 	return ipsid_equal(ipl->ipl_remote_cid, sa->ipsa_src_cid) &&
1744 	    ipsid_equal(ipl->ipl_local_cid, sa->ipsa_dst_cid);
1745 }
1746 
1747 /*
1748  * Takes a latched conn and an inbound packet and returns a unique_id suitable
1749  * for SA comparisons.  Most of the time we will copy from the conn_t, but
1750  * there are cases when the conn_t is latched but it has wildcard selectors,
1751  * and then we need to fallback to scooping them out of the packet.
1752  *
1753  * Assume we'll never have 0 with a conn_t present, so use 0 as a failure.  We
1754  * can get away with this because we only have non-zero ports/proto for
1755  * latched conn_ts.
1756  *
1757  * Ideal candidate for an "inline" keyword, as we're JUST convoluted enough
1758  * to not be a nice macro.
1759  */
1760 static uint64_t
1761 conn_to_unique(conn_t *connp, mblk_t *data_mp, ipha_t *ipha, ip6_t *ip6h)
1762 {
1763 	ipsec_selector_t sel;
1764 	uint8_t ulp = connp->conn_proto;
1765 
1766 	ASSERT(connp->conn_latch_in_policy != NULL);
1767 
1768 	if ((ulp == IPPROTO_TCP || ulp == IPPROTO_UDP || ulp == IPPROTO_SCTP) &&
1769 	    (connp->conn_fport == 0 || connp->conn_lport == 0)) {
1770 		/* Slow path - we gotta grab from the packet. */
1771 		if (ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h,
1772 		    SEL_NONE) != SELRET_SUCCESS) {
1773 			/* Failure -> have caller free packet with ENOMEM. */
1774 			return (0);
1775 		}
1776 		return (SA_UNIQUE_ID(sel.ips_remote_port, sel.ips_local_port,
1777 		    sel.ips_protocol, 0));
1778 	}
1779 
1780 #ifdef DEBUG_NOT_UNTIL_6478464
1781 	if (ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h, SEL_NONE) ==
1782 	    SELRET_SUCCESS) {
1783 		ASSERT(sel.ips_local_port == connp->conn_lport);
1784 		ASSERT(sel.ips_remote_port == connp->conn_fport);
1785 		ASSERT(sel.ips_protocol == connp->conn_proto);
1786 	}
1787 	ASSERT(connp->conn_proto != 0);
1788 #endif
1789 
1790 	return (SA_UNIQUE_ID(connp->conn_fport, connp->conn_lport, ulp, 0));
1791 }
1792 
1793 /*
1794  * Called to check policy on a latched connection.
1795  * Note that we don't dereference conn_latch or conn_ihere since the conn might
1796  * be closing. The caller passes a held ipsec_latch_t instead.
1797  */
1798 static boolean_t
1799 ipsec_check_ipsecin_latch(ip_recv_attr_t *ira, mblk_t *mp, ipsec_latch_t *ipl,
1800     ipsec_action_t *ap, ipha_t *ipha, ip6_t *ip6h, const char **reason,
1801     kstat_named_t **counter, conn_t *connp, netstack_t *ns)
1802 {
1803 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
1804 
1805 	ASSERT(ipl->ipl_ids_latched == B_TRUE);
1806 	ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1807 
1808 	if (!(ira->ira_flags & IRAF_LOOPBACK)) {
1809 		/*
1810 		 * Over loopback, there aren't real security associations,
1811 		 * so there are neither identities nor "unique" values
1812 		 * for us to check the packet against.
1813 		 */
1814 		if (ira->ira_ipsec_ah_sa != NULL) {
1815 			if (!spd_match_inbound_ids(ipl,
1816 			    ira->ira_ipsec_ah_sa)) {
1817 				*counter = DROPPER(ipss, ipds_spd_ah_badid);
1818 				*reason = "AH identity mismatch";
1819 				return (B_FALSE);
1820 			}
1821 		}
1822 
1823 		if (ira->ira_ipsec_esp_sa != NULL) {
1824 			if (!spd_match_inbound_ids(ipl,
1825 			    ira->ira_ipsec_esp_sa)) {
1826 				*counter = DROPPER(ipss, ipds_spd_esp_badid);
1827 				*reason = "ESP identity mismatch";
1828 				return (B_FALSE);
1829 			}
1830 		}
1831 
1832 		/*
1833 		 * Can fudge pkt_unique from connp because we're latched.
1834 		 * In DEBUG kernels (see conn_to_unique()'s implementation),
1835 		 * verify this even if it REALLY slows things down.
1836 		 */
1837 		if (!ipsec_check_ipsecin_unique(ira, reason, counter,
1838 		    conn_to_unique(connp, mp, ipha, ip6h), ns)) {
1839 			return (B_FALSE);
1840 		}
1841 	}
1842 	return (ipsec_check_ipsecin_action(ira, mp, ap, ipha, ip6h, reason,
1843 	    counter, ns));
1844 }
1845 
1846 /*
1847  * Check to see whether this secured datagram meets the policy
1848  * constraints specified in ipsp.
1849  *
1850  * Called from ipsec_check_global_policy, and ipsec_check_inbound_policy.
1851  *
1852  * Consumes a reference to ipsp.
1853  * Returns the mblk if ok.
1854  */
1855 static mblk_t *
1856 ipsec_check_ipsecin_policy(mblk_t *data_mp, ipsec_policy_t *ipsp,
1857     ipha_t *ipha, ip6_t *ip6h, uint64_t pkt_unique, ip_recv_attr_t *ira,
1858     netstack_t *ns)
1859 {
1860 	ipsec_action_t *ap;
1861 	const char *reason = "no policy actions found";
1862 	ip_stack_t	*ipst = ns->netstack_ip;
1863 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
1864 	kstat_named_t *counter;
1865 
1866 	counter = DROPPER(ipss, ipds_spd_got_secure);
1867 
1868 	ASSERT(ipsp != NULL);
1869 
1870 	ASSERT((ipha == NULL && ip6h != NULL) ||
1871 	    (ip6h == NULL && ipha != NULL));
1872 
1873 	if (ira->ira_flags & IRAF_LOOPBACK)
1874 		return (ipsec_check_loopback_policy(data_mp, ira, ipsp));
1875 
1876 	ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
1877 
1878 	if (ira->ira_ipsec_action != NULL) {
1879 		/*
1880 		 * this can happen if we do a double policy-check on a packet
1881 		 * Would be nice to be able to delete this test..
1882 		 */
1883 		IPACT_REFRELE(ira->ira_ipsec_action);
1884 	}
1885 	ASSERT(ira->ira_ipsec_action == NULL);
1886 
1887 	if (!SA_IDS_MATCH(ira->ira_ipsec_ah_sa, ira->ira_ipsec_esp_sa)) {
1888 		reason = "inbound AH and ESP identities differ";
1889 		counter = DROPPER(ipss, ipds_spd_ahesp_diffid);
1890 		goto drop;
1891 	}
1892 
1893 	if (!ipsec_check_ipsecin_unique(ira, &reason, &counter, pkt_unique,
1894 	    ns))
1895 		goto drop;
1896 
1897 	/*
1898 	 * Ok, now loop through the possible actions and see if any
1899 	 * of them work for us.
1900 	 */
1901 
1902 	for (ap = ipsp->ipsp_act; ap != NULL; ap = ap->ipa_next) {
1903 		if (ipsec_check_ipsecin_action(ira, data_mp, ap,
1904 		    ipha, ip6h, &reason, &counter, ns)) {
1905 			BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
1906 			IPPOL_REFRELE(ipsp);
1907 			return (data_mp);
1908 		}
1909 	}
1910 drop:
1911 	ipsec_rl_strlog(ns, IP_MOD_ID, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
1912 	    "ipsec inbound policy mismatch: %s, packet dropped\n",
1913 	    reason);
1914 	IPPOL_REFRELE(ipsp);
1915 	ASSERT(ira->ira_ipsec_action == NULL);
1916 	BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
1917 	ip_drop_packet(data_mp, B_TRUE, NULL, counter,
1918 	    &ipss->ipsec_spd_dropper);
1919 	return (NULL);
1920 }
1921 
1922 /*
1923  * sleazy prefix-length-based compare.
1924  * another inlining candidate..
1925  */
1926 boolean_t
1927 ip_addr_match(uint8_t *addr1, int pfxlen, in6_addr_t *addr2p)
1928 {
1929 	int offset = pfxlen>>3;
1930 	int bitsleft = pfxlen & 7;
1931 	uint8_t *addr2 = (uint8_t *)addr2p;
1932 
1933 	/*
1934 	 * and there was much evil..
1935 	 * XXX should inline-expand the bcmp here and do this 32 bits
1936 	 * or 64 bits at a time..
1937 	 */
1938 	return ((bcmp(addr1, addr2, offset) == 0) &&
1939 	    ((bitsleft == 0) ||
1940 	    (((addr1[offset] ^ addr2[offset]) & (0xff<<(8-bitsleft))) == 0)));
1941 }
1942 
1943 static ipsec_policy_t *
1944 ipsec_find_policy_chain(ipsec_policy_t *best, ipsec_policy_t *chain,
1945     ipsec_selector_t *sel, boolean_t is_icmp_inv_acq)
1946 {
1947 	ipsec_selkey_t *isel;
1948 	ipsec_policy_t *p;
1949 	int bpri = best ? best->ipsp_prio : 0;
1950 
1951 	for (p = chain; p != NULL; p = p->ipsp_hash.hash_next) {
1952 		uint32_t valid;
1953 
1954 		if (p->ipsp_prio <= bpri)
1955 			continue;
1956 		isel = &p->ipsp_sel->ipsl_key;
1957 		valid = isel->ipsl_valid;
1958 
1959 		if ((valid & IPSL_PROTOCOL) &&
1960 		    (isel->ipsl_proto != sel->ips_protocol))
1961 			continue;
1962 
1963 		if ((valid & IPSL_REMOTE_ADDR) &&
1964 		    !ip_addr_match((uint8_t *)&isel->ipsl_remote,
1965 		    isel->ipsl_remote_pfxlen, &sel->ips_remote_addr_v6))
1966 			continue;
1967 
1968 		if ((valid & IPSL_LOCAL_ADDR) &&
1969 		    !ip_addr_match((uint8_t *)&isel->ipsl_local,
1970 		    isel->ipsl_local_pfxlen, &sel->ips_local_addr_v6))
1971 			continue;
1972 
1973 		if ((valid & IPSL_REMOTE_PORT) &&
1974 		    isel->ipsl_rport != sel->ips_remote_port)
1975 			continue;
1976 
1977 		if ((valid & IPSL_LOCAL_PORT) &&
1978 		    isel->ipsl_lport != sel->ips_local_port)
1979 			continue;
1980 
1981 		if (!is_icmp_inv_acq) {
1982 			if ((valid & IPSL_ICMP_TYPE) &&
1983 			    (isel->ipsl_icmp_type > sel->ips_icmp_type ||
1984 			    isel->ipsl_icmp_type_end < sel->ips_icmp_type)) {
1985 				continue;
1986 			}
1987 
1988 			if ((valid & IPSL_ICMP_CODE) &&
1989 			    (isel->ipsl_icmp_code > sel->ips_icmp_code ||
1990 			    isel->ipsl_icmp_code_end <
1991 			    sel->ips_icmp_code)) {
1992 				continue;
1993 			}
1994 		} else {
1995 			/*
1996 			 * special case for icmp inverse acquire
1997 			 * we only want policies that aren't drop/pass
1998 			 */
1999 			if (p->ipsp_act->ipa_act.ipa_type != IPSEC_ACT_APPLY)
2000 				continue;
2001 		}
2002 
2003 		/* we matched all the packet-port-field selectors! */
2004 		best = p;
2005 		bpri = p->ipsp_prio;
2006 	}
2007 
2008 	return (best);
2009 }
2010 
2011 /*
2012  * Try to find and return the best policy entry under a given policy
2013  * root for a given set of selectors; the first parameter "best" is
2014  * the current best policy so far.  If "best" is non-null, we have a
2015  * reference to it.  We return a reference to a policy; if that policy
2016  * is not the original "best", we need to release that reference
2017  * before returning.
2018  */
2019 ipsec_policy_t *
2020 ipsec_find_policy_head(ipsec_policy_t *best, ipsec_policy_head_t *head,
2021     int direction, ipsec_selector_t *sel)
2022 {
2023 	ipsec_policy_t *curbest;
2024 	ipsec_policy_root_t *root;
2025 	uint8_t is_icmp_inv_acq = sel->ips_is_icmp_inv_acq;
2026 	int af = sel->ips_isv4 ? IPSEC_AF_V4 : IPSEC_AF_V6;
2027 
2028 	curbest = best;
2029 	root = &head->iph_root[direction];
2030 
2031 #ifdef DEBUG
2032 	if (is_icmp_inv_acq) {
2033 		if (sel->ips_isv4) {
2034 			if (sel->ips_protocol != IPPROTO_ICMP) {
2035 				cmn_err(CE_WARN, "ipsec_find_policy_head:"
2036 				    " expecting icmp, got %d",
2037 				    sel->ips_protocol);
2038 			}
2039 		} else {
2040 			if (sel->ips_protocol != IPPROTO_ICMPV6) {
2041 				cmn_err(CE_WARN, "ipsec_find_policy_head:"
2042 				    " expecting icmpv6, got %d",
2043 				    sel->ips_protocol);
2044 			}
2045 		}
2046 	}
2047 #endif
2048 
2049 	rw_enter(&head->iph_lock, RW_READER);
2050 
2051 	if (root->ipr_nchains > 0) {
2052 		curbest = ipsec_find_policy_chain(curbest,
2053 		    root->ipr_hash[selector_hash(sel, root)].hash_head, sel,
2054 		    is_icmp_inv_acq);
2055 	}
2056 	curbest = ipsec_find_policy_chain(curbest, root->ipr_nonhash[af], sel,
2057 	    is_icmp_inv_acq);
2058 
2059 	/*
2060 	 * Adjust reference counts if we found anything new.
2061 	 */
2062 	if (curbest != best) {
2063 		ASSERT(curbest != NULL);
2064 		IPPOL_REFHOLD(curbest);
2065 
2066 		if (best != NULL) {
2067 			IPPOL_REFRELE(best);
2068 		}
2069 	}
2070 
2071 	rw_exit(&head->iph_lock);
2072 
2073 	return (curbest);
2074 }
2075 
2076 /*
2077  * Find the best system policy (either global or per-interface) which
2078  * applies to the given selector; look in all the relevant policy roots
2079  * to figure out which policy wins.
2080  *
2081  * Returns a reference to a policy; caller must release this
2082  * reference when done.
2083  */
2084 ipsec_policy_t *
2085 ipsec_find_policy(int direction, const conn_t *connp, ipsec_selector_t *sel,
2086     netstack_t *ns)
2087 {
2088 	ipsec_policy_t *p;
2089 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
2090 
2091 	p = ipsec_find_policy_head(NULL, &ipss->ipsec_system_policy,
2092 	    direction, sel);
2093 	if ((connp != NULL) && (connp->conn_policy != NULL)) {
2094 		p = ipsec_find_policy_head(p, connp->conn_policy,
2095 		    direction, sel);
2096 	}
2097 
2098 	return (p);
2099 }
2100 
2101 /*
2102  * Check with global policy and see whether this inbound
2103  * packet meets the policy constraints.
2104  *
2105  * Locate appropriate policy from global policy, supplemented by the
2106  * conn's configured and/or cached policy if the conn is supplied.
2107  *
2108  * Dispatch to ipsec_check_ipsecin_policy if we have policy and an
2109  * encrypted packet to see if they match.
2110  *
2111  * Otherwise, see if the policy allows cleartext; if not, drop it on the
2112  * floor.
2113  */
2114 mblk_t *
2115 ipsec_check_global_policy(mblk_t *data_mp, conn_t *connp,
2116     ipha_t *ipha, ip6_t *ip6h, ip_recv_attr_t *ira, netstack_t *ns)
2117 {
2118 	ipsec_policy_t *p;
2119 	ipsec_selector_t sel;
2120 	boolean_t policy_present;
2121 	kstat_named_t *counter;
2122 	uint64_t pkt_unique;
2123 	ip_stack_t	*ipst = ns->netstack_ip;
2124 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
2125 
2126 	sel.ips_is_icmp_inv_acq = 0;
2127 
2128 	ASSERT((ipha == NULL && ip6h != NULL) ||
2129 	    (ip6h == NULL && ipha != NULL));
2130 
2131 	if (ipha != NULL)
2132 		policy_present = ipss->ipsec_inbound_v4_policy_present;
2133 	else
2134 		policy_present = ipss->ipsec_inbound_v6_policy_present;
2135 
2136 	if (!policy_present && connp == NULL) {
2137 		/*
2138 		 * No global policy and no per-socket policy;
2139 		 * just pass it back (but we shouldn't get here in that case)
2140 		 */
2141 		return (data_mp);
2142 	}
2143 
2144 	/*
2145 	 * If we have cached policy, use it.
2146 	 * Otherwise consult system policy.
2147 	 */
2148 	if ((connp != NULL) && (connp->conn_latch != NULL)) {
2149 		p = connp->conn_latch_in_policy;
2150 		if (p != NULL) {
2151 			IPPOL_REFHOLD(p);
2152 		}
2153 		/*
2154 		 * Fudge sel for UNIQUE_ID setting below.
2155 		 */
2156 		pkt_unique = conn_to_unique(connp, data_mp, ipha, ip6h);
2157 	} else {
2158 		/* Initialize the ports in the selector */
2159 		if (ipsec_init_inbound_sel(&sel, data_mp, ipha, ip6h,
2160 		    SEL_NONE) == SELRET_NOMEM) {
2161 			/*
2162 			 * Technically not a policy mismatch, but it is
2163 			 * an internal failure.
2164 			 */
2165 			ipsec_log_policy_failure(IPSEC_POLICY_MISMATCH,
2166 			    "ipsec_init_inbound_sel", ipha, ip6h, B_TRUE, ns);
2167 			counter = DROPPER(ipss, ipds_spd_nomem);
2168 			goto fail;
2169 		}
2170 
2171 		/*
2172 		 * Find the policy which best applies.
2173 		 *
2174 		 * If we find global policy, we should look at both
2175 		 * local policy and global policy and see which is
2176 		 * stronger and match accordingly.
2177 		 *
2178 		 * If we don't find a global policy, check with
2179 		 * local policy alone.
2180 		 */
2181 
2182 		p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, &sel, ns);
2183 		pkt_unique = SA_UNIQUE_ID(sel.ips_remote_port,
2184 		    sel.ips_local_port, sel.ips_protocol, 0);
2185 	}
2186 
2187 	if (p == NULL) {
2188 		if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
2189 			/*
2190 			 * We have no policy; default to succeeding.
2191 			 * XXX paranoid system design doesn't do this.
2192 			 */
2193 			BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2194 			return (data_mp);
2195 		} else {
2196 			counter = DROPPER(ipss, ipds_spd_got_secure);
2197 			ipsec_log_policy_failure(IPSEC_POLICY_NOT_NEEDED,
2198 			    "ipsec_check_global_policy", ipha, ip6h, B_TRUE,
2199 			    ns);
2200 			goto fail;
2201 		}
2202 	}
2203 	if (ira->ira_flags & IRAF_IPSEC_SECURE) {
2204 		return (ipsec_check_ipsecin_policy(data_mp, p, ipha, ip6h,
2205 		    pkt_unique, ira, ns));
2206 	}
2207 	if (p->ipsp_act->ipa_allow_clear) {
2208 		BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2209 		IPPOL_REFRELE(p);
2210 		return (data_mp);
2211 	}
2212 	IPPOL_REFRELE(p);
2213 	/*
2214 	 * If we reach here, we will drop the packet because it failed the
2215 	 * global policy check because the packet was cleartext, and it
2216 	 * should not have been.
2217 	 */
2218 	ipsec_log_policy_failure(IPSEC_POLICY_MISMATCH,
2219 	    "ipsec_check_global_policy", ipha, ip6h, B_FALSE, ns);
2220 	counter = DROPPER(ipss, ipds_spd_got_clear);
2221 
2222 fail:
2223 	ip_drop_packet(data_mp, B_TRUE, NULL, counter,
2224 	    &ipss->ipsec_spd_dropper);
2225 	BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2226 	return (NULL);
2227 }
2228 
2229 /*
2230  * We check whether an inbound datagram is a valid one
2231  * to accept in clear. If it is secure, it is the job
2232  * of IPSEC to log information appropriately if it
2233  * suspects that it may not be the real one.
2234  *
2235  * It is called only while fanning out to the ULP
2236  * where ULP accepts only secure data and the incoming
2237  * is clear. Usually we never accept clear datagrams in
2238  * such cases. ICMP is the only exception.
2239  *
2240  * NOTE : We don't call this function if the client (ULP)
2241  * is willing to accept things in clear.
2242  */
2243 boolean_t
2244 ipsec_inbound_accept_clear(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h)
2245 {
2246 	ushort_t iph_hdr_length;
2247 	icmph_t *icmph;
2248 	icmp6_t *icmp6;
2249 	uint8_t *nexthdrp;
2250 
2251 	ASSERT((ipha != NULL && ip6h == NULL) ||
2252 	    (ipha == NULL && ip6h != NULL));
2253 
2254 	if (ip6h != NULL) {
2255 		iph_hdr_length = ip_hdr_length_v6(mp, ip6h);
2256 		if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length,
2257 		    &nexthdrp)) {
2258 			return (B_FALSE);
2259 		}
2260 		if (*nexthdrp != IPPROTO_ICMPV6)
2261 			return (B_FALSE);
2262 		icmp6 = (icmp6_t *)(&mp->b_rptr[iph_hdr_length]);
2263 		/* Match IPv6 ICMP policy as closely as IPv4 as possible. */
2264 		switch (icmp6->icmp6_type) {
2265 		case ICMP6_PARAM_PROB:
2266 			/* Corresponds to port/proto unreach in IPv4. */
2267 		case ICMP6_ECHO_REQUEST:
2268 			/* Just like IPv4. */
2269 			return (B_FALSE);
2270 
2271 		case MLD_LISTENER_QUERY:
2272 		case MLD_LISTENER_REPORT:
2273 		case MLD_LISTENER_REDUCTION:
2274 			/*
2275 			 * XXX Seperate NDD in IPv4 what about here?
2276 			 * Plus, mcast is important to ND.
2277 			 */
2278 		case ICMP6_DST_UNREACH:
2279 			/* Corresponds to HOST/NET unreachable in IPv4. */
2280 		case ICMP6_PACKET_TOO_BIG:
2281 		case ICMP6_ECHO_REPLY:
2282 			/* These are trusted in IPv4. */
2283 		case ND_ROUTER_SOLICIT:
2284 		case ND_ROUTER_ADVERT:
2285 		case ND_NEIGHBOR_SOLICIT:
2286 		case ND_NEIGHBOR_ADVERT:
2287 		case ND_REDIRECT:
2288 			/* Trust ND messages for now. */
2289 		case ICMP6_TIME_EXCEEDED:
2290 		default:
2291 			return (B_TRUE);
2292 		}
2293 	} else {
2294 		/*
2295 		 * If it is not ICMP, fail this request.
2296 		 */
2297 		if (ipha->ipha_protocol != IPPROTO_ICMP) {
2298 #ifdef FRAGCACHE_DEBUG
2299 			cmn_err(CE_WARN, "Dropping - ipha_proto = %d\n",
2300 			    ipha->ipha_protocol);
2301 #endif
2302 			return (B_FALSE);
2303 		}
2304 		iph_hdr_length = IPH_HDR_LENGTH(ipha);
2305 		icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
2306 		/*
2307 		 * It is an insecure icmp message. Check to see whether we are
2308 		 * willing to accept this one.
2309 		 */
2310 
2311 		switch (icmph->icmph_type) {
2312 		case ICMP_ECHO_REPLY:
2313 		case ICMP_TIME_STAMP_REPLY:
2314 		case ICMP_INFO_REPLY:
2315 		case ICMP_ROUTER_ADVERTISEMENT:
2316 			/*
2317 			 * We should not encourage clear replies if this
2318 			 * client expects secure. If somebody is replying
2319 			 * in clear some mailicious user watching both the
2320 			 * request and reply, can do chosen-plain-text attacks.
2321 			 * With global policy we might be just expecting secure
2322 			 * but sending out clear. We don't know what the right
2323 			 * thing is. We can't do much here as we can't control
2324 			 * the sender here. Till we are sure of what to do,
2325 			 * accept them.
2326 			 */
2327 			return (B_TRUE);
2328 		case ICMP_ECHO_REQUEST:
2329 		case ICMP_TIME_STAMP_REQUEST:
2330 		case ICMP_INFO_REQUEST:
2331 		case ICMP_ADDRESS_MASK_REQUEST:
2332 		case ICMP_ROUTER_SOLICITATION:
2333 		case ICMP_ADDRESS_MASK_REPLY:
2334 			/*
2335 			 * Don't accept this as somebody could be sending
2336 			 * us plain text to get encrypted data. If we reply,
2337 			 * it will lead to chosen plain text attack.
2338 			 */
2339 			return (B_FALSE);
2340 		case ICMP_DEST_UNREACHABLE:
2341 			switch (icmph->icmph_code) {
2342 			case ICMP_FRAGMENTATION_NEEDED:
2343 				/*
2344 				 * Be in sync with icmp_inbound, where we have
2345 				 * already set dce_pmtu
2346 				 */
2347 #ifdef FRAGCACHE_DEBUG
2348 			cmn_err(CE_WARN, "ICMP frag needed\n");
2349 #endif
2350 				return (B_TRUE);
2351 			case ICMP_HOST_UNREACHABLE:
2352 			case ICMP_NET_UNREACHABLE:
2353 				/*
2354 				 * By accepting, we could reset a connection.
2355 				 * How do we solve the problem of some
2356 				 * intermediate router sending in-secure ICMP
2357 				 * messages ?
2358 				 */
2359 				return (B_TRUE);
2360 			case ICMP_PORT_UNREACHABLE:
2361 			case ICMP_PROTOCOL_UNREACHABLE:
2362 			default :
2363 				return (B_FALSE);
2364 			}
2365 		case ICMP_SOURCE_QUENCH:
2366 			/*
2367 			 * If this is an attack, TCP will slow start
2368 			 * because of this. Is it very harmful ?
2369 			 */
2370 			return (B_TRUE);
2371 		case ICMP_PARAM_PROBLEM:
2372 			return (B_FALSE);
2373 		case ICMP_TIME_EXCEEDED:
2374 			return (B_TRUE);
2375 		case ICMP_REDIRECT:
2376 			return (B_FALSE);
2377 		default :
2378 			return (B_FALSE);
2379 		}
2380 	}
2381 }
2382 
2383 void
2384 ipsec_latch_ids(ipsec_latch_t *ipl, ipsid_t *local, ipsid_t *remote)
2385 {
2386 	mutex_enter(&ipl->ipl_lock);
2387 
2388 	if (ipl->ipl_ids_latched) {
2389 		/* I lost, someone else got here before me */
2390 		mutex_exit(&ipl->ipl_lock);
2391 		return;
2392 	}
2393 
2394 	if (local != NULL)
2395 		IPSID_REFHOLD(local);
2396 	if (remote != NULL)
2397 		IPSID_REFHOLD(remote);
2398 
2399 	ipl->ipl_local_cid = local;
2400 	ipl->ipl_remote_cid = remote;
2401 	ipl->ipl_ids_latched = B_TRUE;
2402 	mutex_exit(&ipl->ipl_lock);
2403 }
2404 
2405 void
2406 ipsec_latch_inbound(conn_t *connp, ip_recv_attr_t *ira)
2407 {
2408 	ipsa_t *sa;
2409 	ipsec_latch_t *ipl = connp->conn_latch;
2410 
2411 	if (!ipl->ipl_ids_latched) {
2412 		ipsid_t *local = NULL;
2413 		ipsid_t *remote = NULL;
2414 
2415 		if (!(ira->ira_flags & IRAF_LOOPBACK)) {
2416 			ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
2417 			if (ira->ira_ipsec_esp_sa != NULL)
2418 				sa = ira->ira_ipsec_esp_sa;
2419 			else
2420 				sa = ira->ira_ipsec_ah_sa;
2421 			ASSERT(sa != NULL);
2422 			local = sa->ipsa_dst_cid;
2423 			remote = sa->ipsa_src_cid;
2424 		}
2425 		ipsec_latch_ids(ipl, local, remote);
2426 	}
2427 	if (ira->ira_flags & IRAF_IPSEC_SECURE) {
2428 		if (connp->conn_latch_in_action != NULL) {
2429 			/*
2430 			 * Previously cached action.  This is probably
2431 			 * harmless, but in DEBUG kernels, check for
2432 			 * action equality.
2433 			 *
2434 			 * Preserve the existing action to preserve latch
2435 			 * invariance.
2436 			 */
2437 			ASSERT(connp->conn_latch_in_action ==
2438 			    ira->ira_ipsec_action);
2439 			return;
2440 		}
2441 		connp->conn_latch_in_action = ira->ira_ipsec_action;
2442 		IPACT_REFHOLD(connp->conn_latch_in_action);
2443 	}
2444 }
2445 
2446 /*
2447  * Check whether the policy constraints are met either for an
2448  * inbound datagram; called from IP in numerous places.
2449  *
2450  * Note that this is not a chokepoint for inbound policy checks;
2451  * see also ipsec_check_ipsecin_latch() and ipsec_check_global_policy()
2452  */
2453 mblk_t *
2454 ipsec_check_inbound_policy(mblk_t *mp, conn_t *connp,
2455     ipha_t *ipha, ip6_t *ip6h, ip_recv_attr_t *ira)
2456 {
2457 	boolean_t	ret;
2458 	ipsec_latch_t	*ipl;
2459 	ipsec_action_t	*ap;
2460 	uint64_t	unique_id;
2461 	ipsec_stack_t	*ipss;
2462 	ip_stack_t	*ipst;
2463 	netstack_t	*ns;
2464 	ipsec_policy_head_t *policy_head;
2465 	ipsec_policy_t	*p = NULL;
2466 
2467 	ASSERT(connp != NULL);
2468 	ns = connp->conn_netstack;
2469 	ipss = ns->netstack_ipsec;
2470 	ipst = ns->netstack_ip;
2471 
2472 	if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
2473 		/*
2474 		 * This is the case where the incoming datagram is
2475 		 * cleartext and we need to see whether this client
2476 		 * would like to receive such untrustworthy things from
2477 		 * the wire.
2478 		 */
2479 		ASSERT(mp != NULL);
2480 
2481 		mutex_enter(&connp->conn_lock);
2482 		if (connp->conn_state_flags & CONN_CONDEMNED) {
2483 			mutex_exit(&connp->conn_lock);
2484 			ip_drop_packet(mp, B_TRUE, NULL,
2485 			    DROPPER(ipss, ipds_spd_got_clear),
2486 			    &ipss->ipsec_spd_dropper);
2487 			BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2488 			return (NULL);
2489 		}
2490 		if (connp->conn_latch != NULL) {
2491 			/* Hold a reference in case the conn is closing */
2492 			p = connp->conn_latch_in_policy;
2493 			if (p != NULL)
2494 				IPPOL_REFHOLD(p);
2495 			mutex_exit(&connp->conn_lock);
2496 			/*
2497 			 * Policy is cached in the conn.
2498 			 */
2499 			if (p != NULL && !p->ipsp_act->ipa_allow_clear) {
2500 				ret = ipsec_inbound_accept_clear(mp,
2501 				    ipha, ip6h);
2502 				if (ret) {
2503 					BUMP_MIB(&ipst->ips_ip_mib,
2504 					    ipsecInSucceeded);
2505 					IPPOL_REFRELE(p);
2506 					return (mp);
2507 				} else {
2508 					ipsec_log_policy_failure(
2509 					    IPSEC_POLICY_MISMATCH,
2510 					    "ipsec_check_inbound_policy", ipha,
2511 					    ip6h, B_FALSE, ns);
2512 					ip_drop_packet(mp, B_TRUE, NULL,
2513 					    DROPPER(ipss, ipds_spd_got_clear),
2514 					    &ipss->ipsec_spd_dropper);
2515 					BUMP_MIB(&ipst->ips_ip_mib,
2516 					    ipsecInFailed);
2517 					IPPOL_REFRELE(p);
2518 					return (NULL);
2519 				}
2520 			} else {
2521 				BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2522 				if (p != NULL)
2523 					IPPOL_REFRELE(p);
2524 				return (mp);
2525 			}
2526 		} else {
2527 			policy_head = connp->conn_policy;
2528 
2529 			/* Hold a reference in case the conn is closing */
2530 			if (policy_head != NULL)
2531 				IPPH_REFHOLD(policy_head);
2532 			mutex_exit(&connp->conn_lock);
2533 			/*
2534 			 * As this is a non-hardbound connection we need
2535 			 * to look at both per-socket policy and global
2536 			 * policy.
2537 			 */
2538 			mp = ipsec_check_global_policy(mp, connp,
2539 			    ipha, ip6h, ira, ns);
2540 			if (policy_head != NULL)
2541 				IPPH_REFRELE(policy_head, ns);
2542 			return (mp);
2543 		}
2544 	}
2545 
2546 	mutex_enter(&connp->conn_lock);
2547 	/* Connection is closing */
2548 	if (connp->conn_state_flags & CONN_CONDEMNED) {
2549 		mutex_exit(&connp->conn_lock);
2550 		ip_drop_packet(mp, B_TRUE, NULL,
2551 		    DROPPER(ipss, ipds_spd_got_clear),
2552 		    &ipss->ipsec_spd_dropper);
2553 		BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2554 		return (NULL);
2555 	}
2556 
2557 	/*
2558 	 * Once a connection is latched it remains so for life, the conn_latch
2559 	 * pointer on the conn has not changed, simply initializing ipl here
2560 	 * as the earlier initialization was done only in the cleartext case.
2561 	 */
2562 	if ((ipl = connp->conn_latch) == NULL) {
2563 		mblk_t *retmp;
2564 		policy_head = connp->conn_policy;
2565 
2566 		/* Hold a reference in case the conn is closing */
2567 		if (policy_head != NULL)
2568 			IPPH_REFHOLD(policy_head);
2569 		mutex_exit(&connp->conn_lock);
2570 		/*
2571 		 * We don't have policies cached in the conn
2572 		 * for this stream. So, look at the global
2573 		 * policy. It will check against conn or global
2574 		 * depending on whichever is stronger.
2575 		 */
2576 		retmp = ipsec_check_global_policy(mp, connp,
2577 		    ipha, ip6h, ira, ns);
2578 		if (policy_head != NULL)
2579 			IPPH_REFRELE(policy_head, ns);
2580 		return (retmp);
2581 	}
2582 
2583 	IPLATCH_REFHOLD(ipl);
2584 	/* Hold reference on conn_latch_in_action in case conn is closing */
2585 	ap = connp->conn_latch_in_action;
2586 	if (ap != NULL)
2587 		IPACT_REFHOLD(ap);
2588 	mutex_exit(&connp->conn_lock);
2589 
2590 	if (ap != NULL) {
2591 		/* Policy is cached & latched; fast(er) path */
2592 		const char *reason;
2593 		kstat_named_t *counter;
2594 
2595 		if (ipsec_check_ipsecin_latch(ira, mp, ipl, ap,
2596 		    ipha, ip6h, &reason, &counter, connp, ns)) {
2597 			BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
2598 			IPLATCH_REFRELE(ipl);
2599 			IPACT_REFRELE(ap);
2600 			return (mp);
2601 		}
2602 		ipsec_rl_strlog(ns, IP_MOD_ID, 0, 0,
2603 		    SL_ERROR|SL_WARN|SL_CONSOLE,
2604 		    "ipsec inbound policy mismatch: %s, packet dropped\n",
2605 		    reason);
2606 		ip_drop_packet(mp, B_TRUE, NULL, counter,
2607 		    &ipss->ipsec_spd_dropper);
2608 		BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
2609 		IPLATCH_REFRELE(ipl);
2610 		IPACT_REFRELE(ap);
2611 		return (NULL);
2612 	}
2613 	if ((p = connp->conn_latch_in_policy) == NULL) {
2614 		ipsec_weird_null_inbound_policy++;
2615 		IPLATCH_REFRELE(ipl);
2616 		return (mp);
2617 	}
2618 
2619 	unique_id = conn_to_unique(connp, mp, ipha, ip6h);
2620 	IPPOL_REFHOLD(p);
2621 	mp = ipsec_check_ipsecin_policy(mp, p, ipha, ip6h, unique_id, ira, ns);
2622 	/*
2623 	 * NOTE: ipsecIn{Failed,Succeeeded} bumped by
2624 	 * ipsec_check_ipsecin_policy().
2625 	 */
2626 	if (mp != NULL)
2627 		ipsec_latch_inbound(connp, ira);
2628 	IPLATCH_REFRELE(ipl);
2629 	return (mp);
2630 }
2631 
2632 /*
2633  * Handle all sorts of cases like tunnel-mode and ICMP.
2634  */
2635 static int
2636 prepended_length(mblk_t *mp, uintptr_t hptr)
2637 {
2638 	int rc = 0;
2639 
2640 	while (mp != NULL) {
2641 		if (hptr >= (uintptr_t)mp->b_rptr && hptr <
2642 		    (uintptr_t)mp->b_wptr) {
2643 			rc += (int)(hptr - (uintptr_t)mp->b_rptr);
2644 			break;	/* out of while loop */
2645 		}
2646 		rc += (int)MBLKL(mp);
2647 		mp = mp->b_cont;
2648 	}
2649 
2650 	if (mp == NULL) {
2651 		/*
2652 		 * IF (big IF) we make it here by naturally exiting the loop,
2653 		 * then ip6h isn't in the mblk chain "mp" at all.
2654 		 *
2655 		 * The only case where this happens is with a reversed IP
2656 		 * header that gets passed up by inbound ICMP processing.
2657 		 * This unfortunately triggers longstanding bug 6478464.  For
2658 		 * now, just pass up 0 for the answer.
2659 		 */
2660 #ifdef DEBUG_NOT_UNTIL_6478464
2661 		ASSERT(mp != NULL);
2662 #endif
2663 		rc = 0;
2664 	}
2665 
2666 	return (rc);
2667 }
2668 
2669 /*
2670  * Returns:
2671  *
2672  * SELRET_NOMEM --> msgpullup() needed to gather things failed.
2673  * SELRET_BADPKT --> If we're being called after tunnel-mode fragment
2674  *		     gathering, the initial fragment is too short for
2675  *		     useful data.  Only returned if SEL_TUNNEL_FIRSTFRAG is
2676  *		     set.
2677  * SELRET_SUCCESS --> "sel" now has initialized IPsec selector data.
2678  * SELRET_TUNFRAG --> This is a fragment in a tunnel-mode packet.  Caller
2679  *		      should put this packet in a fragment-gathering queue.
2680  *		      Only returned if SEL_TUNNEL_MODE and SEL_PORT_POLICY
2681  *		      is set.
2682  *
2683  * Note that ipha/ip6h can be in a different mblk (mp->b_cont) in the case
2684  * of tunneled packets.
2685  * Also, mp->b_rptr can be an ICMP error where ipha/ip6h is the packet in
2686  * error past the ICMP error.
2687  */
2688 static selret_t
2689 ipsec_init_inbound_sel(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
2690     ip6_t *ip6h, uint8_t sel_flags)
2691 {
2692 	uint16_t *ports;
2693 	int outer_hdr_len = 0;	/* For ICMP or tunnel-mode cases... */
2694 	ushort_t hdr_len;
2695 	mblk_t *spare_mp = NULL;
2696 	uint8_t *nexthdrp, *transportp;
2697 	uint8_t nexthdr;
2698 	uint8_t icmp_proto;
2699 	ip_pkt_t ipp;
2700 	boolean_t port_policy_present = (sel_flags & SEL_PORT_POLICY);
2701 	boolean_t is_icmp = (sel_flags & SEL_IS_ICMP);
2702 	boolean_t tunnel_mode = (sel_flags & SEL_TUNNEL_MODE);
2703 	boolean_t post_frag = (sel_flags & SEL_POST_FRAG);
2704 
2705 	ASSERT((ipha == NULL && ip6h != NULL) ||
2706 	    (ipha != NULL && ip6h == NULL));
2707 
2708 	if (ip6h != NULL) {
2709 		outer_hdr_len = prepended_length(mp, (uintptr_t)ip6h);
2710 		nexthdr = ip6h->ip6_nxt;
2711 		icmp_proto = IPPROTO_ICMPV6;
2712 		sel->ips_isv4 = B_FALSE;
2713 		sel->ips_local_addr_v6 = ip6h->ip6_dst;
2714 		sel->ips_remote_addr_v6 = ip6h->ip6_src;
2715 
2716 		bzero(&ipp, sizeof (ipp));
2717 
2718 		switch (nexthdr) {
2719 		case IPPROTO_HOPOPTS:
2720 		case IPPROTO_ROUTING:
2721 		case IPPROTO_DSTOPTS:
2722 		case IPPROTO_FRAGMENT:
2723 			/*
2724 			 * Use ip_hdr_length_nexthdr_v6().  And have a spare
2725 			 * mblk that's contiguous to feed it
2726 			 */
2727 			if ((spare_mp = msgpullup(mp, -1)) == NULL)
2728 				return (SELRET_NOMEM);
2729 			if (!ip_hdr_length_nexthdr_v6(spare_mp,
2730 			    (ip6_t *)(spare_mp->b_rptr + outer_hdr_len),
2731 			    &hdr_len, &nexthdrp)) {
2732 				/* Malformed packet - caller frees. */
2733 				ipsec_freemsg_chain(spare_mp);
2734 				return (SELRET_BADPKT);
2735 			}
2736 			/* Repopulate now that we have the whole packet */
2737 			ip6h = (ip6_t *)(spare_mp->b_rptr + outer_hdr_len);
2738 			(void) ip_find_hdr_v6(spare_mp, ip6h, B_FALSE, &ipp,
2739 			    NULL);
2740 			nexthdr = *nexthdrp;
2741 			/* We can just extract based on hdr_len now. */
2742 			break;
2743 		default:
2744 			(void) ip_find_hdr_v6(mp, ip6h, B_FALSE, &ipp, NULL);
2745 			hdr_len = IPV6_HDR_LEN;
2746 			break;
2747 		}
2748 		if (port_policy_present && IS_V6_FRAGMENT(ipp) && !is_icmp) {
2749 			/* IPv6 Fragment */
2750 			ipsec_freemsg_chain(spare_mp);
2751 			return (SELRET_TUNFRAG);
2752 		}
2753 		transportp = (uint8_t *)ip6h + hdr_len;
2754 	} else {
2755 		outer_hdr_len = prepended_length(mp, (uintptr_t)ipha);
2756 		icmp_proto = IPPROTO_ICMP;
2757 		sel->ips_isv4 = B_TRUE;
2758 		sel->ips_local_addr_v4 = ipha->ipha_dst;
2759 		sel->ips_remote_addr_v4 = ipha->ipha_src;
2760 		nexthdr = ipha->ipha_protocol;
2761 		hdr_len = IPH_HDR_LENGTH(ipha);
2762 
2763 		if (port_policy_present &&
2764 		    IS_V4_FRAGMENT(ipha->ipha_fragment_offset_and_flags) &&
2765 		    !is_icmp) {
2766 			/* IPv4 Fragment */
2767 			ipsec_freemsg_chain(spare_mp);
2768 			return (SELRET_TUNFRAG);
2769 		}
2770 		transportp = (uint8_t *)ipha + hdr_len;
2771 	}
2772 	sel->ips_protocol = nexthdr;
2773 
2774 	if ((nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
2775 	    nexthdr != IPPROTO_SCTP && nexthdr != icmp_proto) ||
2776 	    (!port_policy_present && !post_frag && tunnel_mode)) {
2777 		sel->ips_remote_port = sel->ips_local_port = 0;
2778 		ipsec_freemsg_chain(spare_mp);
2779 		return (SELRET_SUCCESS);
2780 	}
2781 
2782 	if (transportp + 4 > mp->b_wptr) {
2783 		/* If we didn't pullup a copy already, do so now. */
2784 		/*
2785 		 * XXX performance, will upper-layers frequently split TCP/UDP
2786 		 * apart from IP or options?  If so, perhaps we should revisit
2787 		 * the spare_mp strategy.
2788 		 */
2789 		ipsec_hdr_pullup_needed++;
2790 		if (spare_mp == NULL &&
2791 		    (spare_mp = msgpullup(mp, -1)) == NULL) {
2792 			return (SELRET_NOMEM);
2793 		}
2794 		transportp = &spare_mp->b_rptr[hdr_len + outer_hdr_len];
2795 	}
2796 
2797 	if (nexthdr == icmp_proto) {
2798 		sel->ips_icmp_type = *transportp++;
2799 		sel->ips_icmp_code = *transportp;
2800 		sel->ips_remote_port = sel->ips_local_port = 0;
2801 	} else {
2802 		ports = (uint16_t *)transportp;
2803 		sel->ips_remote_port = *ports++;
2804 		sel->ips_local_port = *ports;
2805 	}
2806 	ipsec_freemsg_chain(spare_mp);
2807 	return (SELRET_SUCCESS);
2808 }
2809 
2810 /*
2811  * This is called with a b_next chain of messages from the fragcache code,
2812  * hence it needs to discard a chain on error.
2813  */
2814 static boolean_t
2815 ipsec_init_outbound_ports(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
2816     ip6_t *ip6h, int outer_hdr_len, ipsec_stack_t *ipss)
2817 {
2818 	/*
2819 	 * XXX cut&paste shared with ipsec_init_inbound_sel
2820 	 */
2821 	uint16_t *ports;
2822 	ushort_t hdr_len;
2823 	mblk_t *spare_mp = NULL;
2824 	uint8_t *nexthdrp;
2825 	uint8_t nexthdr;
2826 	uint8_t *typecode;
2827 	uint8_t check_proto;
2828 
2829 	ASSERT((ipha == NULL && ip6h != NULL) ||
2830 	    (ipha != NULL && ip6h == NULL));
2831 
2832 	if (ip6h != NULL) {
2833 		check_proto = IPPROTO_ICMPV6;
2834 		nexthdr = ip6h->ip6_nxt;
2835 		switch (nexthdr) {
2836 		case IPPROTO_HOPOPTS:
2837 		case IPPROTO_ROUTING:
2838 		case IPPROTO_DSTOPTS:
2839 		case IPPROTO_FRAGMENT:
2840 			/*
2841 			 * Use ip_hdr_length_nexthdr_v6().  And have a spare
2842 			 * mblk that's contiguous to feed it
2843 			 */
2844 			spare_mp = msgpullup(mp, -1);
2845 			if (spare_mp == NULL ||
2846 			    !ip_hdr_length_nexthdr_v6(spare_mp,
2847 			    (ip6_t *)(spare_mp->b_rptr + outer_hdr_len),
2848 			    &hdr_len, &nexthdrp)) {
2849 				/* Always works, even if NULL. */
2850 				ipsec_freemsg_chain(spare_mp);
2851 				ip_drop_packet_chain(mp, B_FALSE, NULL,
2852 				    DROPPER(ipss, ipds_spd_nomem),
2853 				    &ipss->ipsec_spd_dropper);
2854 				return (B_FALSE);
2855 			} else {
2856 				nexthdr = *nexthdrp;
2857 				/* We can just extract based on hdr_len now. */
2858 			}
2859 			break;
2860 		default:
2861 			hdr_len = IPV6_HDR_LEN;
2862 			break;
2863 		}
2864 	} else {
2865 		check_proto = IPPROTO_ICMP;
2866 		hdr_len = IPH_HDR_LENGTH(ipha);
2867 		nexthdr = ipha->ipha_protocol;
2868 	}
2869 
2870 	sel->ips_protocol = nexthdr;
2871 	if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP &&
2872 	    nexthdr != IPPROTO_SCTP && nexthdr != check_proto) {
2873 		sel->ips_local_port = sel->ips_remote_port = 0;
2874 		ipsec_freemsg_chain(spare_mp); /* Always works, even if NULL */
2875 		return (B_TRUE);
2876 	}
2877 
2878 	if (&mp->b_rptr[hdr_len] + 4 + outer_hdr_len > mp->b_wptr) {
2879 		/* If we didn't pullup a copy already, do so now. */
2880 		/*
2881 		 * XXX performance, will upper-layers frequently split TCP/UDP
2882 		 * apart from IP or options?  If so, perhaps we should revisit
2883 		 * the spare_mp strategy.
2884 		 *
2885 		 * XXX should this be msgpullup(mp, hdr_len+4) ???
2886 		 */
2887 		if (spare_mp == NULL &&
2888 		    (spare_mp = msgpullup(mp, -1)) == NULL) {
2889 			ip_drop_packet_chain(mp, B_FALSE, NULL,
2890 			    DROPPER(ipss, ipds_spd_nomem),
2891 			    &ipss->ipsec_spd_dropper);
2892 			return (B_FALSE);
2893 		}
2894 		ports = (uint16_t *)&spare_mp->b_rptr[hdr_len + outer_hdr_len];
2895 	} else {
2896 		ports = (uint16_t *)&mp->b_rptr[hdr_len + outer_hdr_len];
2897 	}
2898 
2899 	if (nexthdr == check_proto) {
2900 		typecode = (uint8_t *)ports;
2901 		sel->ips_icmp_type = *typecode++;
2902 		sel->ips_icmp_code = *typecode;
2903 		sel->ips_remote_port = sel->ips_local_port = 0;
2904 	} else {
2905 		sel->ips_local_port = *ports++;
2906 		sel->ips_remote_port = *ports;
2907 	}
2908 	ipsec_freemsg_chain(spare_mp);	/* Always works, even if NULL */
2909 	return (B_TRUE);
2910 }
2911 
2912 /*
2913  * Prepend an mblk with a ipsec_crypto_t to the message chain.
2914  * Frees the argument and returns NULL should the allocation fail.
2915  * Returns the pointer to the crypto data part.
2916  */
2917 mblk_t *
2918 ipsec_add_crypto_data(mblk_t *data_mp, ipsec_crypto_t **icp)
2919 {
2920 	mblk_t	*mp;
2921 
2922 	mp = allocb(sizeof (ipsec_crypto_t), BPRI_MED);
2923 	if (mp == NULL) {
2924 		freemsg(data_mp);
2925 		return (NULL);
2926 	}
2927 	bzero(mp->b_rptr, sizeof (ipsec_crypto_t));
2928 	mp->b_wptr += sizeof (ipsec_crypto_t);
2929 	mp->b_cont = data_mp;
2930 	mp->b_datap->db_type = M_EVENT;	/* For ASSERT */
2931 	*icp = (ipsec_crypto_t *)mp->b_rptr;
2932 	return (mp);
2933 }
2934 
2935 /*
2936  * Remove what was prepended above. Return b_cont and a pointer to the
2937  * crypto data.
2938  * The caller must call ipsec_free_crypto_data for mblk once it is done
2939  * with the crypto data.
2940  */
2941 mblk_t *
2942 ipsec_remove_crypto_data(mblk_t *crypto_mp, ipsec_crypto_t **icp)
2943 {
2944 	ASSERT(crypto_mp->b_datap->db_type == M_EVENT);
2945 	ASSERT(MBLKL(crypto_mp) == sizeof (ipsec_crypto_t));
2946 
2947 	*icp = (ipsec_crypto_t *)crypto_mp->b_rptr;
2948 	return (crypto_mp->b_cont);
2949 }
2950 
2951 /*
2952  * Free what was prepended above. Return b_cont.
2953  */
2954 mblk_t *
2955 ipsec_free_crypto_data(mblk_t *crypto_mp)
2956 {
2957 	mblk_t	*mp;
2958 
2959 	ASSERT(crypto_mp->b_datap->db_type == M_EVENT);
2960 	ASSERT(MBLKL(crypto_mp) == sizeof (ipsec_crypto_t));
2961 
2962 	mp = crypto_mp->b_cont;
2963 	freeb(crypto_mp);
2964 	return (mp);
2965 }
2966 
2967 /*
2968  * Create an ipsec_action_t based on the way an inbound packet was protected.
2969  * Used to reflect traffic back to a sender.
2970  *
2971  * We don't bother interning the action into the hash table.
2972  */
2973 ipsec_action_t *
2974 ipsec_in_to_out_action(ip_recv_attr_t *ira)
2975 {
2976 	ipsa_t *ah_assoc, *esp_assoc;
2977 	uint_t auth_alg = 0, encr_alg = 0, espa_alg = 0;
2978 	ipsec_action_t *ap;
2979 	boolean_t unique;
2980 
2981 	ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);
2982 
2983 	if (ap == NULL)
2984 		return (NULL);
2985 
2986 	bzero(ap, sizeof (*ap));
2987 	HASH_NULL(ap, ipa_hash);
2988 	ap->ipa_next = NULL;
2989 	ap->ipa_refs = 1;
2990 
2991 	/*
2992 	 * Get the algorithms that were used for this packet.
2993 	 */
2994 	ap->ipa_act.ipa_type = IPSEC_ACT_APPLY;
2995 	ap->ipa_act.ipa_log = 0;
2996 	ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
2997 
2998 	ah_assoc = ira->ira_ipsec_ah_sa;
2999 	ap->ipa_act.ipa_apply.ipp_use_ah = (ah_assoc != NULL);
3000 
3001 	esp_assoc = ira->ira_ipsec_esp_sa;
3002 	ap->ipa_act.ipa_apply.ipp_use_esp = (esp_assoc != NULL);
3003 
3004 	if (esp_assoc != NULL) {
3005 		encr_alg = esp_assoc->ipsa_encr_alg;
3006 		espa_alg = esp_assoc->ipsa_auth_alg;
3007 		ap->ipa_act.ipa_apply.ipp_use_espa = (espa_alg != 0);
3008 	}
3009 	if (ah_assoc != NULL)
3010 		auth_alg = ah_assoc->ipsa_auth_alg;
3011 
3012 	ap->ipa_act.ipa_apply.ipp_encr_alg = (uint8_t)encr_alg;
3013 	ap->ipa_act.ipa_apply.ipp_auth_alg = (uint8_t)auth_alg;
3014 	ap->ipa_act.ipa_apply.ipp_esp_auth_alg = (uint8_t)espa_alg;
3015 	ap->ipa_act.ipa_apply.ipp_use_se =
3016 	    !!(ira->ira_flags & IRAF_IPSEC_DECAPS);
3017 	unique = B_FALSE;
3018 
3019 	if (esp_assoc != NULL) {
3020 		ap->ipa_act.ipa_apply.ipp_espa_minbits =
3021 		    esp_assoc->ipsa_authkeybits;
3022 		ap->ipa_act.ipa_apply.ipp_espa_maxbits =
3023 		    esp_assoc->ipsa_authkeybits;
3024 		ap->ipa_act.ipa_apply.ipp_espe_minbits =
3025 		    esp_assoc->ipsa_encrkeybits;
3026 		ap->ipa_act.ipa_apply.ipp_espe_maxbits =
3027 		    esp_assoc->ipsa_encrkeybits;
3028 		ap->ipa_act.ipa_apply.ipp_km_proto = esp_assoc->ipsa_kmp;
3029 		ap->ipa_act.ipa_apply.ipp_km_cookie = esp_assoc->ipsa_kmc;
3030 		if (esp_assoc->ipsa_flags & IPSA_F_UNIQUE)
3031 			unique = B_TRUE;
3032 	}
3033 	if (ah_assoc != NULL) {
3034 		ap->ipa_act.ipa_apply.ipp_ah_minbits =
3035 		    ah_assoc->ipsa_authkeybits;
3036 		ap->ipa_act.ipa_apply.ipp_ah_maxbits =
3037 		    ah_assoc->ipsa_authkeybits;
3038 		ap->ipa_act.ipa_apply.ipp_km_proto = ah_assoc->ipsa_kmp;
3039 		ap->ipa_act.ipa_apply.ipp_km_cookie = ah_assoc->ipsa_kmc;
3040 		if (ah_assoc->ipsa_flags & IPSA_F_UNIQUE)
3041 			unique = B_TRUE;
3042 	}
3043 	ap->ipa_act.ipa_apply.ipp_use_unique = unique;
3044 	ap->ipa_want_unique = unique;
3045 	ap->ipa_allow_clear = B_FALSE;
3046 	ap->ipa_want_se = !!(ira->ira_flags & IRAF_IPSEC_DECAPS);
3047 	ap->ipa_want_ah = (ah_assoc != NULL);
3048 	ap->ipa_want_esp = (esp_assoc != NULL);
3049 
3050 	ap->ipa_ovhd = ipsec_act_ovhd(&ap->ipa_act);
3051 
3052 	ap->ipa_act.ipa_apply.ipp_replay_depth = 0; /* don't care */
3053 
3054 	return (ap);
3055 }
3056 
3057 
3058 /*
3059  * Compute the worst-case amount of extra space required by an action.
3060  * Note that, because of the ESP considerations listed below, this is
3061  * actually not the same as the best-case reduction in the MTU; in the
3062  * future, we should pass additional information to this function to
3063  * allow the actual MTU impact to be computed.
3064  *
3065  * AH: Revisit this if we implement algorithms with
3066  * a verifier size of more than 12 bytes.
3067  *
3068  * ESP: A more exact but more messy computation would take into
3069  * account the interaction between the cipher block size and the
3070  * effective MTU, yielding the inner payload size which reflects a
3071  * packet with *minimum* ESP padding..
3072  */
3073 int32_t
3074 ipsec_act_ovhd(const ipsec_act_t *act)
3075 {
3076 	int32_t overhead = 0;
3077 
3078 	if (act->ipa_type == IPSEC_ACT_APPLY) {
3079 		const ipsec_prot_t *ipp = &act->ipa_apply;
3080 
3081 		if (ipp->ipp_use_ah)
3082 			overhead += IPSEC_MAX_AH_HDR_SIZE;
3083 		if (ipp->ipp_use_esp) {
3084 			overhead += IPSEC_MAX_ESP_HDR_SIZE;
3085 			overhead += sizeof (struct udphdr);
3086 		}
3087 		if (ipp->ipp_use_se)
3088 			overhead += IP_SIMPLE_HDR_LENGTH;
3089 	}
3090 	return (overhead);
3091 }
3092 
3093 /*
3094  * This hash function is used only when creating policies and thus is not
3095  * performance-critical for packet flows.
3096  *
3097  * Future work: canonicalize the structures hashed with this (i.e.,
3098  * zeroize padding) so the hash works correctly.
3099  */
3100 /* ARGSUSED */
3101 static uint32_t
3102 policy_hash(int size, const void *start, const void *end)
3103 {
3104 	return (0);
3105 }
3106 
3107 
3108 /*
3109  * Hash function macros for each address type.
3110  *
3111  * The IPV6 hash function assumes that the low order 32-bits of the
3112  * address (typically containing the low order 24 bits of the mac
3113  * address) are reasonably well-distributed.  Revisit this if we run
3114  * into trouble from lots of collisions on ::1 addresses and the like
3115  * (seems unlikely).
3116  */
3117 #define	IPSEC_IPV4_HASH(a, n) ((a) % (n))
3118 #define	IPSEC_IPV6_HASH(a, n) (((a).s6_addr32[3]) % (n))
3119 
3120 /*
3121  * These two hash functions should produce coordinated values
3122  * but have slightly different roles.
3123  */
3124 static uint32_t
3125 selkey_hash(const ipsec_selkey_t *selkey, netstack_t *ns)
3126 {
3127 	uint32_t valid = selkey->ipsl_valid;
3128 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
3129 
3130 	if (!(valid & IPSL_REMOTE_ADDR))
3131 		return (IPSEC_SEL_NOHASH);
3132 
3133 	if (valid & IPSL_IPV4) {
3134 		if (selkey->ipsl_remote_pfxlen == 32) {
3135 			return (IPSEC_IPV4_HASH(selkey->ipsl_remote.ipsad_v4,
3136 			    ipss->ipsec_spd_hashsize));
3137 		}
3138 	}
3139 	if (valid & IPSL_IPV6) {
3140 		if (selkey->ipsl_remote_pfxlen == 128) {
3141 			return (IPSEC_IPV6_HASH(selkey->ipsl_remote.ipsad_v6,
3142 			    ipss->ipsec_spd_hashsize));
3143 		}
3144 	}
3145 	return (IPSEC_SEL_NOHASH);
3146 }
3147 
3148 static uint32_t
3149 selector_hash(ipsec_selector_t *sel, ipsec_policy_root_t *root)
3150 {
3151 	if (sel->ips_isv4) {
3152 		return (IPSEC_IPV4_HASH(sel->ips_remote_addr_v4,
3153 		    root->ipr_nchains));
3154 	}
3155 	return (IPSEC_IPV6_HASH(sel->ips_remote_addr_v6, root->ipr_nchains));
3156 }
3157 
3158 /*
3159  * Intern actions into the action hash table.
3160  */
3161 ipsec_action_t *
3162 ipsec_act_find(const ipsec_act_t *a, int n, netstack_t *ns)
3163 {
3164 	int i;
3165 	uint32_t hval;
3166 	ipsec_action_t *ap;
3167 	ipsec_action_t *prev = NULL;
3168 	int32_t overhead, maxovhd = 0;
3169 	boolean_t allow_clear = B_FALSE;
3170 	boolean_t want_ah = B_FALSE;
3171 	boolean_t want_esp = B_FALSE;
3172 	boolean_t want_se = B_FALSE;
3173 	boolean_t want_unique = B_FALSE;
3174 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
3175 
3176 	/*
3177 	 * TODO: should canonicalize a[] (i.e., zeroize any padding)
3178 	 * so we can use a non-trivial policy_hash function.
3179 	 */
3180 	for (i = n-1; i >= 0; i--) {
3181 		hval = policy_hash(IPSEC_ACTION_HASH_SIZE, &a[i], &a[n]);
3182 
3183 		HASH_LOCK(ipss->ipsec_action_hash, hval);
3184 
3185 		for (HASH_ITERATE(ap, ipa_hash,
3186 		    ipss->ipsec_action_hash, hval)) {
3187 			if (bcmp(&ap->ipa_act, &a[i], sizeof (*a)) != 0)
3188 				continue;
3189 			if (ap->ipa_next != prev)
3190 				continue;
3191 			break;
3192 		}
3193 		if (ap != NULL) {
3194 			HASH_UNLOCK(ipss->ipsec_action_hash, hval);
3195 			prev = ap;
3196 			continue;
3197 		}
3198 		/*
3199 		 * need to allocate a new one..
3200 		 */
3201 		ap = kmem_cache_alloc(ipsec_action_cache, KM_NOSLEEP);
3202 		if (ap == NULL) {
3203 			HASH_UNLOCK(ipss->ipsec_action_hash, hval);
3204 			if (prev != NULL)
3205 				ipsec_action_free(prev);
3206 			return (NULL);
3207 		}
3208 		HASH_INSERT(ap, ipa_hash, ipss->ipsec_action_hash, hval);
3209 
3210 		ap->ipa_next = prev;
3211 		ap->ipa_act = a[i];
3212 
3213 		overhead = ipsec_act_ovhd(&a[i]);
3214 		if (maxovhd < overhead)
3215 			maxovhd = overhead;
3216 
3217 		if ((a[i].ipa_type == IPSEC_ACT_BYPASS) ||
3218 		    (a[i].ipa_type == IPSEC_ACT_CLEAR))
3219 			allow_clear = B_TRUE;
3220 		if (a[i].ipa_type == IPSEC_ACT_APPLY) {
3221 			const ipsec_prot_t *ipp = &a[i].ipa_apply;
3222 
3223 			ASSERT(ipp->ipp_use_ah || ipp->ipp_use_esp);
3224 			want_ah |= ipp->ipp_use_ah;
3225 			want_esp |= ipp->ipp_use_esp;
3226 			want_se |= ipp->ipp_use_se;
3227 			want_unique |= ipp->ipp_use_unique;
3228 		}
3229 		ap->ipa_allow_clear = allow_clear;
3230 		ap->ipa_want_ah = want_ah;
3231 		ap->ipa_want_esp = want_esp;
3232 		ap->ipa_want_se = want_se;
3233 		ap->ipa_want_unique = want_unique;
3234 		ap->ipa_refs = 1; /* from the hash table */
3235 		ap->ipa_ovhd = maxovhd;
3236 		if (prev)
3237 			prev->ipa_refs++;
3238 		prev = ap;
3239 		HASH_UNLOCK(ipss->ipsec_action_hash, hval);
3240 	}
3241 
3242 	ap->ipa_refs++;		/* caller's reference */
3243 
3244 	return (ap);
3245 }
3246 
3247 /*
3248  * Called when refcount goes to 0, indicating that all references to this
3249  * node are gone.
3250  *
3251  * This does not unchain the action from the hash table.
3252  */
3253 void
3254 ipsec_action_free(ipsec_action_t *ap)
3255 {
3256 	for (;;) {
3257 		ipsec_action_t *np = ap->ipa_next;
3258 		ASSERT(ap->ipa_refs == 0);
3259 		ASSERT(ap->ipa_hash.hash_pp == NULL);
3260 		kmem_cache_free(ipsec_action_cache, ap);
3261 		ap = np;
3262 		/* Inlined IPACT_REFRELE -- avoid recursion */
3263 		if (ap == NULL)
3264 			break;
3265 		membar_exit();
3266 		if (atomic_dec_32_nv(&(ap)->ipa_refs) != 0)
3267 			break;
3268 		/* End inlined IPACT_REFRELE */
3269 	}
3270 }
3271 
3272 /*
3273  * Called when the action hash table goes away.
3274  *
3275  * The actions can be queued on an mblk with ipsec_in or
3276  * ipsec_out, hence the actions might still be around.
3277  * But we decrement ipa_refs here since we no longer have
3278  * a reference to the action from the hash table.
3279  */
3280 static void
3281 ipsec_action_free_table(ipsec_action_t *ap)
3282 {
3283 	while (ap != NULL) {
3284 		ipsec_action_t *np = ap->ipa_next;
3285 
3286 		/* FIXME: remove? */
3287 		(void) printf("ipsec_action_free_table(%p) ref %d\n",
3288 		    (void *)ap, ap->ipa_refs);
3289 		ASSERT(ap->ipa_refs > 0);
3290 		IPACT_REFRELE(ap);
3291 		ap = np;
3292 	}
3293 }
3294 
3295 /*
3296  * Need to walk all stack instances since the reclaim function
3297  * is global for all instances
3298  */
3299 /* ARGSUSED */
3300 static void
3301 ipsec_action_reclaim(void *arg)
3302 {
3303 	netstack_handle_t nh;
3304 	netstack_t *ns;
3305 	ipsec_stack_t *ipss;
3306 
3307 	netstack_next_init(&nh);
3308 	while ((ns = netstack_next(&nh)) != NULL) {
3309 		/*
3310 		 * netstack_next() can return a netstack_t with a NULL
3311 		 * netstack_ipsec at boot time.
3312 		 */
3313 		if ((ipss = ns->netstack_ipsec) == NULL) {
3314 			netstack_rele(ns);
3315 			continue;
3316 		}
3317 		ipsec_action_reclaim_stack(ipss);
3318 		netstack_rele(ns);
3319 	}
3320 	netstack_next_fini(&nh);
3321 }
3322 
3323 /*
3324  * Periodically sweep action hash table for actions with refcount==1, and
3325  * nuke them.  We cannot do this "on demand" (i.e., from IPACT_REFRELE)
3326  * because we can't close the race between another thread finding the action
3327  * in the hash table without holding the bucket lock during IPACT_REFRELE.
3328  * Instead, we run this function sporadically to clean up after ourselves;
3329  * we also set it as the "reclaim" function for the action kmem_cache.
3330  *
3331  * Note that it may take several passes of ipsec_action_gc() to free all
3332  * "stale" actions.
3333  */
3334 static void
3335 ipsec_action_reclaim_stack(ipsec_stack_t *ipss)
3336 {
3337 	int i;
3338 
3339 	for (i = 0; i < IPSEC_ACTION_HASH_SIZE; i++) {
3340 		ipsec_action_t *ap, *np;
3341 
3342 		/* skip the lock if nobody home */
3343 		if (ipss->ipsec_action_hash[i].hash_head == NULL)
3344 			continue;
3345 
3346 		HASH_LOCK(ipss->ipsec_action_hash, i);
3347 		for (ap = ipss->ipsec_action_hash[i].hash_head;
3348 		    ap != NULL; ap = np) {
3349 			ASSERT(ap->ipa_refs > 0);
3350 			np = ap->ipa_hash.hash_next;
3351 			if (ap->ipa_refs > 1)
3352 				continue;
3353 			HASH_UNCHAIN(ap, ipa_hash,
3354 			    ipss->ipsec_action_hash, i);
3355 			IPACT_REFRELE(ap);
3356 		}
3357 		HASH_UNLOCK(ipss->ipsec_action_hash, i);
3358 	}
3359 }
3360 
3361 /*
3362  * Intern a selector set into the selector set hash table.
3363  * This is simpler than the actions case..
3364  */
3365 static ipsec_sel_t *
3366 ipsec_find_sel(ipsec_selkey_t *selkey, netstack_t *ns)
3367 {
3368 	ipsec_sel_t *sp;
3369 	uint32_t hval, bucket;
3370 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
3371 
3372 	/*
3373 	 * Exactly one AF bit should be set in selkey.
3374 	 */
3375 	ASSERT(!(selkey->ipsl_valid & IPSL_IPV4) ^
3376 	    !(selkey->ipsl_valid & IPSL_IPV6));
3377 
3378 	hval = selkey_hash(selkey, ns);
3379 	/* Set pol_hval to uninitialized until we put it in a polhead. */
3380 	selkey->ipsl_sel_hval = hval;
3381 
3382 	bucket = (hval == IPSEC_SEL_NOHASH) ? 0 : hval;
3383 
3384 	ASSERT(!HASH_LOCKED(ipss->ipsec_sel_hash, bucket));
3385 	HASH_LOCK(ipss->ipsec_sel_hash, bucket);
3386 
3387 	for (HASH_ITERATE(sp, ipsl_hash, ipss->ipsec_sel_hash, bucket)) {
3388 		if (bcmp(&sp->ipsl_key, selkey,
3389 		    offsetof(ipsec_selkey_t, ipsl_pol_hval)) == 0)
3390 			break;
3391 	}
3392 	if (sp != NULL) {
3393 		sp->ipsl_refs++;
3394 
3395 		HASH_UNLOCK(ipss->ipsec_sel_hash, bucket);
3396 		return (sp);
3397 	}
3398 
3399 	sp = kmem_cache_alloc(ipsec_sel_cache, KM_NOSLEEP);
3400 	if (sp == NULL) {
3401 		HASH_UNLOCK(ipss->ipsec_sel_hash, bucket);
3402 		return (NULL);
3403 	}
3404 
3405 	HASH_INSERT(sp, ipsl_hash, ipss->ipsec_sel_hash, bucket);
3406 	sp->ipsl_refs = 2;	/* one for hash table, one for caller */
3407 	sp->ipsl_key = *selkey;
3408 	/* Set to uninitalized and have insertion into polhead fix things. */
3409 	if (selkey->ipsl_sel_hval != IPSEC_SEL_NOHASH)
3410 		sp->ipsl_key.ipsl_pol_hval = 0;
3411 	else
3412 		sp->ipsl_key.ipsl_pol_hval = IPSEC_SEL_NOHASH;
3413 
3414 	HASH_UNLOCK(ipss->ipsec_sel_hash, bucket);
3415 
3416 	return (sp);
3417 }
3418 
3419 static void
3420 ipsec_sel_rel(ipsec_sel_t **spp, netstack_t *ns)
3421 {
3422 	ipsec_sel_t *sp = *spp;
3423 	int hval = sp->ipsl_key.ipsl_sel_hval;
3424 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
3425 
3426 	*spp = NULL;
3427 
3428 	if (hval == IPSEC_SEL_NOHASH)
3429 		hval = 0;
3430 
3431 	ASSERT(!HASH_LOCKED(ipss->ipsec_sel_hash, hval));
3432 	HASH_LOCK(ipss->ipsec_sel_hash, hval);
3433 	if (--sp->ipsl_refs == 1) {
3434 		HASH_UNCHAIN(sp, ipsl_hash, ipss->ipsec_sel_hash, hval);
3435 		sp->ipsl_refs--;
3436 		HASH_UNLOCK(ipss->ipsec_sel_hash, hval);
3437 		ASSERT(sp->ipsl_refs == 0);
3438 		kmem_cache_free(ipsec_sel_cache, sp);
3439 		/* Caller unlocks */
3440 		return;
3441 	}
3442 
3443 	HASH_UNLOCK(ipss->ipsec_sel_hash, hval);
3444 }
3445 
3446 /*
3447  * Free a policy rule which we know is no longer being referenced.
3448  */
3449 void
3450 ipsec_policy_free(ipsec_policy_t *ipp)
3451 {
3452 	ASSERT(ipp->ipsp_refs == 0);
3453 	ASSERT(ipp->ipsp_sel != NULL);
3454 	ASSERT(ipp->ipsp_act != NULL);
3455 	ASSERT(ipp->ipsp_netstack != NULL);
3456 
3457 	ipsec_sel_rel(&ipp->ipsp_sel, ipp->ipsp_netstack);
3458 	IPACT_REFRELE(ipp->ipsp_act);
3459 	kmem_cache_free(ipsec_pol_cache, ipp);
3460 }
3461 
3462 /*
3463  * Construction of new policy rules; construct a policy, and add it to
3464  * the appropriate tables.
3465  */
3466 ipsec_policy_t *
3467 ipsec_policy_create(ipsec_selkey_t *keys, const ipsec_act_t *a,
3468     int nacts, int prio, uint64_t *index_ptr, netstack_t *ns)
3469 {
3470 	ipsec_action_t *ap;
3471 	ipsec_sel_t *sp;
3472 	ipsec_policy_t *ipp;
3473 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
3474 
3475 	if (index_ptr == NULL)
3476 		index_ptr = &ipss->ipsec_next_policy_index;
3477 
3478 	ipp = kmem_cache_alloc(ipsec_pol_cache, KM_NOSLEEP);
3479 	ap = ipsec_act_find(a, nacts, ns);
3480 	sp = ipsec_find_sel(keys, ns);
3481 
3482 	if ((ap == NULL) || (sp == NULL) || (ipp == NULL)) {
3483 		if (ap != NULL) {
3484 			IPACT_REFRELE(ap);
3485 		}
3486 		if (sp != NULL)
3487 			ipsec_sel_rel(&sp, ns);
3488 		if (ipp != NULL)
3489 			kmem_cache_free(ipsec_pol_cache, ipp);
3490 		return (NULL);
3491 	}
3492 
3493 	HASH_NULL(ipp, ipsp_hash);
3494 
3495 	ipp->ipsp_netstack = ns;	/* Needed for ipsec_policy_free */
3496 	ipp->ipsp_refs = 1;	/* caller's reference */
3497 	ipp->ipsp_sel = sp;
3498 	ipp->ipsp_act = ap;
3499 	ipp->ipsp_prio = prio;	/* rule priority */
3500 	ipp->ipsp_index = *index_ptr;
3501 	(*index_ptr)++;
3502 
3503 	return (ipp);
3504 }
3505 
3506 static void
3507 ipsec_update_present_flags(ipsec_stack_t *ipss)
3508 {
3509 	boolean_t hashpol;
3510 
3511 	hashpol = (avl_numnodes(&ipss->ipsec_system_policy.iph_rulebyid) > 0);
3512 
3513 	if (hashpol) {
3514 		ipss->ipsec_outbound_v4_policy_present = B_TRUE;
3515 		ipss->ipsec_outbound_v6_policy_present = B_TRUE;
3516 		ipss->ipsec_inbound_v4_policy_present = B_TRUE;
3517 		ipss->ipsec_inbound_v6_policy_present = B_TRUE;
3518 		return;
3519 	}
3520 
3521 	ipss->ipsec_outbound_v4_policy_present = (NULL !=
3522 	    ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
3523 	    ipr_nonhash[IPSEC_AF_V4]);
3524 	ipss->ipsec_outbound_v6_policy_present = (NULL !=
3525 	    ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_OUTBOUND].
3526 	    ipr_nonhash[IPSEC_AF_V6]);
3527 	ipss->ipsec_inbound_v4_policy_present = (NULL !=
3528 	    ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_INBOUND].
3529 	    ipr_nonhash[IPSEC_AF_V4]);
3530 	ipss->ipsec_inbound_v6_policy_present = (NULL !=
3531 	    ipss->ipsec_system_policy.iph_root[IPSEC_TYPE_INBOUND].
3532 	    ipr_nonhash[IPSEC_AF_V6]);
3533 }
3534 
3535 boolean_t
3536 ipsec_policy_delete(ipsec_policy_head_t *php, ipsec_selkey_t *keys, int dir,
3537 	netstack_t *ns)
3538 {
3539 	ipsec_sel_t *sp;
3540 	ipsec_policy_t *ip, *nip, *head;
3541 	int af;
3542 	ipsec_policy_root_t *pr = &php->iph_root[dir];
3543 
3544 	sp = ipsec_find_sel(keys, ns);
3545 
3546 	if (sp == NULL)
3547 		return (B_FALSE);
3548 
3549 	af = (sp->ipsl_key.ipsl_valid & IPSL_IPV4) ? IPSEC_AF_V4 : IPSEC_AF_V6;
3550 
3551 	rw_enter(&php->iph_lock, RW_WRITER);
3552 
3553 	if (sp->ipsl_key.ipsl_pol_hval == IPSEC_SEL_NOHASH) {
3554 		head = pr->ipr_nonhash[af];
3555 	} else {
3556 		head = pr->ipr_hash[sp->ipsl_key.ipsl_pol_hval].hash_head;
3557 	}
3558 
3559 	for (ip = head; ip != NULL; ip = nip) {
3560 		nip = ip->ipsp_hash.hash_next;
3561 		if (ip->ipsp_sel != sp) {
3562 			continue;
3563 		}
3564 
3565 		IPPOL_UNCHAIN(php, ip);
3566 
3567 		php->iph_gen++;
3568 		ipsec_update_present_flags(ns->netstack_ipsec);
3569 
3570 		rw_exit(&php->iph_lock);
3571 
3572 		ipsec_sel_rel(&sp, ns);
3573 
3574 		return (B_TRUE);
3575 	}
3576 
3577 	rw_exit(&php->iph_lock);
3578 	ipsec_sel_rel(&sp, ns);
3579 	return (B_FALSE);
3580 }
3581 
3582 int
3583 ipsec_policy_delete_index(ipsec_policy_head_t *php, uint64_t policy_index,
3584     netstack_t *ns)
3585 {
3586 	boolean_t found = B_FALSE;
3587 	ipsec_policy_t ipkey;
3588 	ipsec_policy_t *ip;
3589 	avl_index_t where;
3590 
3591 	bzero(&ipkey, sizeof (ipkey));
3592 	ipkey.ipsp_index = policy_index;
3593 
3594 	rw_enter(&php->iph_lock, RW_WRITER);
3595 
3596 	/*
3597 	 * We could be cleverer here about the walk.
3598 	 * but well, (k+1)*log(N) will do for now (k==number of matches,
3599 	 * N==number of table entries
3600 	 */
3601 	for (;;) {
3602 		ip = (ipsec_policy_t *)avl_find(&php->iph_rulebyid,
3603 		    (void *)&ipkey, &where);
3604 		ASSERT(ip == NULL);
3605 
3606 		ip = avl_nearest(&php->iph_rulebyid, where, AVL_AFTER);
3607 
3608 		if (ip == NULL)
3609 			break;
3610 
3611 		if (ip->ipsp_index != policy_index) {
3612 			ASSERT(ip->ipsp_index > policy_index);
3613 			break;
3614 		}
3615 
3616 		IPPOL_UNCHAIN(php, ip);
3617 		found = B_TRUE;
3618 	}
3619 
3620 	if (found) {
3621 		php->iph_gen++;
3622 		ipsec_update_present_flags(ns->netstack_ipsec);
3623 	}
3624 
3625 	rw_exit(&php->iph_lock);
3626 
3627 	return (found ? 0 : ENOENT);
3628 }
3629 
3630 /*
3631  * Given a constructed ipsec_policy_t policy rule, see if it can be entered
3632  * into the correct policy ruleset.  As a side-effect, it sets the hash
3633  * entries on "ipp"'s ipsp_pol_hval.
3634  *
3635  * Returns B_TRUE if it can be entered, B_FALSE if it can't be (because a
3636  * duplicate policy exists with exactly the same selectors), or an icmp
3637  * rule exists with a different encryption/authentication action.
3638  */
3639 boolean_t
3640 ipsec_check_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction)
3641 {
3642 	ipsec_policy_root_t *pr = &php->iph_root[direction];
3643 	int af = -1;
3644 	ipsec_policy_t *p2, *head;
3645 	uint8_t check_proto;
3646 	ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
3647 	uint32_t	valid = selkey->ipsl_valid;
3648 
3649 	if (valid & IPSL_IPV6) {
3650 		ASSERT(!(valid & IPSL_IPV4));
3651 		af = IPSEC_AF_V6;
3652 		check_proto = IPPROTO_ICMPV6;
3653 	} else {
3654 		ASSERT(valid & IPSL_IPV4);
3655 		af = IPSEC_AF_V4;
3656 		check_proto = IPPROTO_ICMP;
3657 	}
3658 
3659 	ASSERT(RW_WRITE_HELD(&php->iph_lock));
3660 
3661 	/*
3662 	 * Double-check that we don't have any duplicate selectors here.
3663 	 * Because selectors are interned below, we need only compare pointers
3664 	 * for equality.
3665 	 */
3666 	if (selkey->ipsl_sel_hval == IPSEC_SEL_NOHASH) {
3667 		head = pr->ipr_nonhash[af];
3668 	} else {
3669 		selkey->ipsl_pol_hval =
3670 		    (selkey->ipsl_valid & IPSL_IPV4) ?
3671 		    IPSEC_IPV4_HASH(selkey->ipsl_remote.ipsad_v4,
3672 		    pr->ipr_nchains) :
3673 		    IPSEC_IPV6_HASH(selkey->ipsl_remote.ipsad_v6,
3674 		    pr->ipr_nchains);
3675 
3676 		head = pr->ipr_hash[selkey->ipsl_pol_hval].hash_head;
3677 	}
3678 
3679 	for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {
3680 		if (p2->ipsp_sel == ipp->ipsp_sel)
3681 			return (B_FALSE);
3682 	}
3683 
3684 	/*
3685 	 * If it's ICMP and not a drop or pass rule, run through the ICMP
3686 	 * rules and make sure the action is either new or the same as any
3687 	 * other actions.  We don't have to check the full chain because
3688 	 * discard and bypass will override all other actions
3689 	 */
3690 
3691 	if (valid & IPSL_PROTOCOL &&
3692 	    selkey->ipsl_proto == check_proto &&
3693 	    (ipp->ipsp_act->ipa_act.ipa_type == IPSEC_ACT_APPLY)) {
3694 
3695 		for (p2 = head; p2 != NULL; p2 = p2->ipsp_hash.hash_next) {
3696 
3697 			if (p2->ipsp_sel->ipsl_key.ipsl_valid & IPSL_PROTOCOL &&
3698 			    p2->ipsp_sel->ipsl_key.ipsl_proto == check_proto &&
3699 			    (p2->ipsp_act->ipa_act.ipa_type ==
3700 			    IPSEC_ACT_APPLY)) {
3701 				return (ipsec_compare_action(p2, ipp));
3702 			}
3703 		}
3704 	}
3705 
3706 	return (B_TRUE);
3707 }
3708 
3709 /*
3710  * compare the action chains of two policies for equality
3711  * B_TRUE -> effective equality
3712  */
3713 
3714 static boolean_t
3715 ipsec_compare_action(ipsec_policy_t *p1, ipsec_policy_t *p2)
3716 {
3717 
3718 	ipsec_action_t *act1, *act2;
3719 
3720 	/* We have a valid rule. Let's compare the actions */
3721 	if (p1->ipsp_act == p2->ipsp_act) {
3722 		/* same action. We are good */
3723 		return (B_TRUE);
3724 	}
3725 
3726 	/* we have to walk the chain */
3727 
3728 	act1 = p1->ipsp_act;
3729 	act2 = p2->ipsp_act;
3730 
3731 	while (act1 != NULL && act2 != NULL) {
3732 
3733 		/* otherwise, Are we close enough? */
3734 		if (act1->ipa_allow_clear != act2->ipa_allow_clear ||
3735 		    act1->ipa_want_ah != act2->ipa_want_ah ||
3736 		    act1->ipa_want_esp != act2->ipa_want_esp ||
3737 		    act1->ipa_want_se != act2->ipa_want_se) {
3738 			/* Nope, we aren't */
3739 			return (B_FALSE);
3740 		}
3741 
3742 		if (act1->ipa_want_ah) {
3743 			if (act1->ipa_act.ipa_apply.ipp_auth_alg !=
3744 			    act2->ipa_act.ipa_apply.ipp_auth_alg) {
3745 				return (B_FALSE);
3746 			}
3747 
3748 			if (act1->ipa_act.ipa_apply.ipp_ah_minbits !=
3749 			    act2->ipa_act.ipa_apply.ipp_ah_minbits ||
3750 			    act1->ipa_act.ipa_apply.ipp_ah_maxbits !=
3751 			    act2->ipa_act.ipa_apply.ipp_ah_maxbits) {
3752 				return (B_FALSE);
3753 			}
3754 		}
3755 
3756 		if (act1->ipa_want_esp) {
3757 			if (act1->ipa_act.ipa_apply.ipp_use_esp !=
3758 			    act2->ipa_act.ipa_apply.ipp_use_esp ||
3759 			    act1->ipa_act.ipa_apply.ipp_use_espa !=
3760 			    act2->ipa_act.ipa_apply.ipp_use_espa) {
3761 				return (B_FALSE);
3762 			}
3763 
3764 			if (act1->ipa_act.ipa_apply.ipp_use_esp) {
3765 				if (act1->ipa_act.ipa_apply.ipp_encr_alg !=
3766 				    act2->ipa_act.ipa_apply.ipp_encr_alg) {
3767 					return (B_FALSE);
3768 				}
3769 
3770 				if (act1->ipa_act.ipa_apply.ipp_espe_minbits !=
3771 				    act2->ipa_act.ipa_apply.ipp_espe_minbits ||
3772 				    act1->ipa_act.ipa_apply.ipp_espe_maxbits !=
3773 				    act2->ipa_act.ipa_apply.ipp_espe_maxbits) {
3774 					return (B_FALSE);
3775 				}
3776 			}
3777 
3778 			if (act1->ipa_act.ipa_apply.ipp_use_espa) {
3779 				if (act1->ipa_act.ipa_apply.ipp_esp_auth_alg !=
3780 				    act2->ipa_act.ipa_apply.ipp_esp_auth_alg) {
3781 					return (B_FALSE);
3782 				}
3783 
3784 				if (act1->ipa_act.ipa_apply.ipp_espa_minbits !=
3785 				    act2->ipa_act.ipa_apply.ipp_espa_minbits ||
3786 				    act1->ipa_act.ipa_apply.ipp_espa_maxbits !=
3787 				    act2->ipa_act.ipa_apply.ipp_espa_maxbits) {
3788 					return (B_FALSE);
3789 				}
3790 			}
3791 
3792 		}
3793 
3794 		act1 = act1->ipa_next;
3795 		act2 = act2->ipa_next;
3796 	}
3797 
3798 	if (act1 != NULL || act2 != NULL) {
3799 		return (B_FALSE);
3800 	}
3801 
3802 	return (B_TRUE);
3803 }
3804 
3805 
3806 /*
3807  * Given a constructed ipsec_policy_t policy rule, enter it into
3808  * the correct policy ruleset.
3809  *
3810  * ipsec_check_policy() is assumed to have succeeded first (to check for
3811  * duplicates).
3812  */
3813 void
3814 ipsec_enter_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction,
3815     netstack_t *ns)
3816 {
3817 	ipsec_policy_root_t *pr = &php->iph_root[direction];
3818 	ipsec_selkey_t *selkey = &ipp->ipsp_sel->ipsl_key;
3819 	uint32_t valid = selkey->ipsl_valid;
3820 	uint32_t hval = selkey->ipsl_pol_hval;
3821 	int af = -1;
3822 
3823 	ASSERT(RW_WRITE_HELD(&php->iph_lock));
3824 
3825 	if (valid & IPSL_IPV6) {
3826 		ASSERT(!(valid & IPSL_IPV4));
3827 		af = IPSEC_AF_V6;
3828 	} else {
3829 		ASSERT(valid & IPSL_IPV4);
3830 		af = IPSEC_AF_V4;
3831 	}
3832 
3833 	php->iph_gen++;
3834 
3835 	if (hval == IPSEC_SEL_NOHASH) {
3836 		HASHLIST_INSERT(ipp, ipsp_hash, pr->ipr_nonhash[af]);
3837 	} else {
3838 		HASH_LOCK(pr->ipr_hash, hval);
3839 		HASH_INSERT(ipp, ipsp_hash, pr->ipr_hash, hval);
3840 		HASH_UNLOCK(pr->ipr_hash, hval);
3841 	}
3842 
3843 	ipsec_insert_always(&php->iph_rulebyid, ipp);
3844 
3845 	ipsec_update_present_flags(ns->netstack_ipsec);
3846 }
3847 
3848 static void
3849 ipsec_ipr_flush(ipsec_policy_head_t *php, ipsec_policy_root_t *ipr)
3850 {
3851 	ipsec_policy_t *ip, *nip;
3852 	int af, chain, nchain;
3853 
3854 	for (af = 0; af < IPSEC_NAF; af++) {
3855 		for (ip = ipr->ipr_nonhash[af]; ip != NULL; ip = nip) {
3856 			nip = ip->ipsp_hash.hash_next;
3857 			IPPOL_UNCHAIN(php, ip);
3858 		}
3859 		ipr->ipr_nonhash[af] = NULL;
3860 	}
3861 	nchain = ipr->ipr_nchains;
3862 
3863 	for (chain = 0; chain < nchain; chain++) {
3864 		for (ip = ipr->ipr_hash[chain].hash_head; ip != NULL;
3865 		    ip = nip) {
3866 			nip = ip->ipsp_hash.hash_next;
3867 			IPPOL_UNCHAIN(php, ip);
3868 		}
3869 		ipr->ipr_hash[chain].hash_head = NULL;
3870 	}
3871 }
3872 
3873 /*
3874  * Create and insert inbound or outbound policy associated with actp for the
3875  * address family fam into the policy head ph.  Returns B_TRUE if policy was
3876  * inserted, and B_FALSE otherwise.
3877  */
3878 boolean_t
3879 ipsec_polhead_insert(ipsec_policy_head_t *ph, ipsec_act_t *actp, uint_t nact,
3880     int fam, int ptype, netstack_t *ns)
3881 {
3882 	ipsec_selkey_t		sel;
3883 	ipsec_policy_t		*pol;
3884 	ipsec_policy_root_t	*pr;
3885 
3886 	bzero(&sel, sizeof (sel));
3887 	sel.ipsl_valid = (fam == IPSEC_AF_V4 ? IPSL_IPV4 : IPSL_IPV6);
3888 	if ((pol = ipsec_policy_create(&sel, actp, nact, IPSEC_PRIO_SOCKET,
3889 	    NULL, ns)) != NULL) {
3890 		pr = &ph->iph_root[ptype];
3891 		HASHLIST_INSERT(pol, ipsp_hash, pr->ipr_nonhash[fam]);
3892 		ipsec_insert_always(&ph->iph_rulebyid, pol);
3893 	}
3894 	return (pol != NULL);
3895 }
3896 
3897 void
3898 ipsec_polhead_flush(ipsec_policy_head_t *php, netstack_t *ns)
3899 {
3900 	int dir;
3901 
3902 	ASSERT(RW_WRITE_HELD(&php->iph_lock));
3903 
3904 	for (dir = 0; dir < IPSEC_NTYPES; dir++)
3905 		ipsec_ipr_flush(php, &php->iph_root[dir]);
3906 
3907 	php->iph_gen++;
3908 	ipsec_update_present_flags(ns->netstack_ipsec);
3909 }
3910 
3911 void
3912 ipsec_polhead_free(ipsec_policy_head_t *php, netstack_t *ns)
3913 {
3914 	int dir;
3915 
3916 	ASSERT(php->iph_refs == 0);
3917 
3918 	rw_enter(&php->iph_lock, RW_WRITER);
3919 	ipsec_polhead_flush(php, ns);
3920 	rw_exit(&php->iph_lock);
3921 	rw_destroy(&php->iph_lock);
3922 	for (dir = 0; dir < IPSEC_NTYPES; dir++) {
3923 		ipsec_policy_root_t *ipr = &php->iph_root[dir];
3924 		int chain;
3925 
3926 		for (chain = 0; chain < ipr->ipr_nchains; chain++)
3927 			mutex_destroy(&(ipr->ipr_hash[chain].hash_lock));
3928 
3929 	}
3930 	ipsec_polhead_free_table(php);
3931 	kmem_free(php, sizeof (*php));
3932 }
3933 
3934 static void
3935 ipsec_ipr_init(ipsec_policy_root_t *ipr)
3936 {
3937 	int af;
3938 
3939 	ipr->ipr_nchains = 0;
3940 	ipr->ipr_hash = NULL;
3941 
3942 	for (af = 0; af < IPSEC_NAF; af++) {
3943 		ipr->ipr_nonhash[af] = NULL;
3944 	}
3945 }
3946 
3947 ipsec_policy_head_t *
3948 ipsec_polhead_create(void)
3949 {
3950 	ipsec_policy_head_t *php;
3951 
3952 	php = kmem_alloc(sizeof (*php), KM_NOSLEEP);
3953 	if (php == NULL)
3954 		return (php);
3955 
3956 	rw_init(&php->iph_lock, NULL, RW_DEFAULT, NULL);
3957 	php->iph_refs = 1;
3958 	php->iph_gen = 0;
3959 
3960 	ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_INBOUND]);
3961 	ipsec_ipr_init(&php->iph_root[IPSEC_TYPE_OUTBOUND]);
3962 
3963 	avl_create(&php->iph_rulebyid, ipsec_policy_cmpbyid,
3964 	    sizeof (ipsec_policy_t), offsetof(ipsec_policy_t, ipsp_byid));
3965 
3966 	return (php);
3967 }
3968 
3969 /*
3970  * Clone the policy head into a new polhead; release one reference to the
3971  * old one and return the only reference to the new one.
3972  * If the old one had a refcount of 1, just return it.
3973  */
3974 ipsec_policy_head_t *
3975 ipsec_polhead_split(ipsec_policy_head_t *php, netstack_t *ns)
3976 {
3977 	ipsec_policy_head_t *nphp;
3978 
3979 	if (php == NULL)
3980 		return (ipsec_polhead_create());
3981 	else if (php->iph_refs == 1)
3982 		return (php);
3983 
3984 	nphp = ipsec_polhead_create();
3985 	if (nphp == NULL)
3986 		return (NULL);
3987 
3988 	if (ipsec_copy_polhead(php, nphp, ns) != 0) {
3989 		ipsec_polhead_free(nphp, ns);
3990 		return (NULL);
3991 	}
3992 	IPPH_REFRELE(php, ns);
3993 	return (nphp);
3994 }
3995 
3996 /*
3997  * When sending a response to a ICMP request or generating a RST
3998  * in the TCP case, the outbound packets need to go at the same level
3999  * of protection as the incoming ones i.e we associate our outbound
4000  * policy with how the packet came in. We call this after we have
4001  * accepted the incoming packet which may or may not have been in
4002  * clear and hence we are sending the reply back with the policy
4003  * matching the incoming datagram's policy.
4004  *
4005  * NOTE : This technology serves two purposes :
4006  *
4007  * 1) If we have multiple outbound policies, we send out a reply
4008  *    matching with how it came in rather than matching the outbound
4009  *    policy.
4010  *
4011  * 2) For assymetric policies, we want to make sure that incoming
4012  *    and outgoing has the same level of protection. Assymetric
4013  *    policies exist only with global policy where we may not have
4014  *    both outbound and inbound at the same time.
4015  *
4016  * NOTE2:	This function is called by cleartext cases, so it needs to be
4017  *		in IP proper.
4018  *
4019  * Note: the caller has moved other parts of ira into ixa already.
4020  */
4021 boolean_t
4022 ipsec_in_to_out(ip_recv_attr_t *ira, ip_xmit_attr_t *ixa, mblk_t *data_mp,
4023     ipha_t *ipha, ip6_t *ip6h)
4024 {
4025 	ipsec_selector_t sel;
4026 	ipsec_action_t	*reflect_action = NULL;
4027 	netstack_t	*ns = ixa->ixa_ipst->ips_netstack;
4028 
4029 	bzero((void*)&sel, sizeof (sel));
4030 
4031 	if (ira->ira_ipsec_action != NULL) {
4032 		/* transfer reference.. */
4033 		reflect_action = ira->ira_ipsec_action;
4034 		ira->ira_ipsec_action = NULL;
4035 	} else if (!(ira->ira_flags & IRAF_LOOPBACK))
4036 		reflect_action = ipsec_in_to_out_action(ira);
4037 
4038 	/*
4039 	 * The caller is going to send the datagram out which might
4040 	 * go on the wire or delivered locally through ire_send_local.
4041 	 *
4042 	 * 1) If it goes out on the wire, new associations will be
4043 	 *    obtained.
4044 	 * 2) If it is delivered locally, ire_send_local will convert
4045 	 *    this ip_xmit_attr_t back to a ip_recv_attr_t looking at the
4046 	 *    requests.
4047 	 */
4048 	ixa->ixa_ipsec_action = reflect_action;
4049 
4050 	if (!ipsec_init_outbound_ports(&sel, data_mp, ipha, ip6h, 0,
4051 	    ns->netstack_ipsec)) {
4052 		/* Note: data_mp already consumed and ip_drop_packet done */
4053 		return (B_FALSE);
4054 	}
4055 	ixa->ixa_ipsec_src_port = sel.ips_local_port;
4056 	ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4057 	ixa->ixa_ipsec_proto = sel.ips_protocol;
4058 	ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4059 	ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4060 
4061 	/*
4062 	 * Don't use global policy for this, as we want
4063 	 * to use the same protection that was applied to the inbound packet.
4064 	 * Thus we set IXAF_NO_IPSEC is it arrived in the clear to make
4065 	 * it be sent in the clear.
4066 	 */
4067 	if (ira->ira_flags & IRAF_IPSEC_SECURE)
4068 		ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4069 	else
4070 		ixa->ixa_flags |= IXAF_NO_IPSEC;
4071 
4072 	return (B_TRUE);
4073 }
4074 
4075 void
4076 ipsec_out_release_refs(ip_xmit_attr_t *ixa)
4077 {
4078 	if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE))
4079 		return;
4080 
4081 	if (ixa->ixa_ipsec_ah_sa != NULL) {
4082 		IPSA_REFRELE(ixa->ixa_ipsec_ah_sa);
4083 		ixa->ixa_ipsec_ah_sa = NULL;
4084 	}
4085 	if (ixa->ixa_ipsec_esp_sa != NULL) {
4086 		IPSA_REFRELE(ixa->ixa_ipsec_esp_sa);
4087 		ixa->ixa_ipsec_esp_sa = NULL;
4088 	}
4089 	if (ixa->ixa_ipsec_policy != NULL) {
4090 		IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4091 		ixa->ixa_ipsec_policy = NULL;
4092 	}
4093 	if (ixa->ixa_ipsec_action != NULL) {
4094 		IPACT_REFRELE(ixa->ixa_ipsec_action);
4095 		ixa->ixa_ipsec_action = NULL;
4096 	}
4097 	if (ixa->ixa_ipsec_latch) {
4098 		IPLATCH_REFRELE(ixa->ixa_ipsec_latch);
4099 		ixa->ixa_ipsec_latch = NULL;
4100 	}
4101 	/* Clear the soft references to the SAs */
4102 	ixa->ixa_ipsec_ref[0].ipsr_sa = NULL;
4103 	ixa->ixa_ipsec_ref[0].ipsr_bucket = NULL;
4104 	ixa->ixa_ipsec_ref[0].ipsr_gen = 0;
4105 	ixa->ixa_ipsec_ref[1].ipsr_sa = NULL;
4106 	ixa->ixa_ipsec_ref[1].ipsr_bucket = NULL;
4107 	ixa->ixa_ipsec_ref[1].ipsr_gen = 0;
4108 	ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4109 }
4110 
4111 void
4112 ipsec_in_release_refs(ip_recv_attr_t *ira)
4113 {
4114 	if (!(ira->ira_flags & IRAF_IPSEC_SECURE))
4115 		return;
4116 
4117 	if (ira->ira_ipsec_ah_sa != NULL) {
4118 		IPSA_REFRELE(ira->ira_ipsec_ah_sa);
4119 		ira->ira_ipsec_ah_sa = NULL;
4120 	}
4121 	if (ira->ira_ipsec_esp_sa != NULL) {
4122 		IPSA_REFRELE(ira->ira_ipsec_esp_sa);
4123 		ira->ira_ipsec_esp_sa = NULL;
4124 	}
4125 	ira->ira_flags &= ~IRAF_IPSEC_SECURE;
4126 }
4127 
4128 /*
4129  * This is called from ire_send_local when a packet
4130  * is looped back. We setup the ip_recv_attr_t "borrowing" the references
4131  * held by the callers.
4132  * Note that we don't do any IPsec but we carry the actions and IPSEC flags
4133  * across so that the fanout policy checks see that IPsec was applied.
4134  *
4135  * The caller should do ipsec_in_release_refs() on the ira by calling
4136  * ira_cleanup().
4137  */
4138 void
4139 ipsec_out_to_in(ip_xmit_attr_t *ixa, ill_t *ill, ip_recv_attr_t *ira)
4140 {
4141 	ipsec_policy_t *pol;
4142 	ipsec_action_t *act;
4143 
4144 	/* Non-IPsec operations */
4145 	ira->ira_free_flags = 0;
4146 	ira->ira_zoneid = ixa->ixa_zoneid;
4147 	ira->ira_cred = ixa->ixa_cred;
4148 	ira->ira_cpid = ixa->ixa_cpid;
4149 	ira->ira_tsl = ixa->ixa_tsl;
4150 	ira->ira_ill = ira->ira_rill = ill;
4151 	ira->ira_flags = ixa->ixa_flags & IAF_MASK;
4152 	ira->ira_no_loop_zoneid = ixa->ixa_no_loop_zoneid;
4153 	ira->ira_pktlen = ixa->ixa_pktlen;
4154 	ira->ira_ip_hdr_length = ixa->ixa_ip_hdr_length;
4155 	ira->ira_protocol = ixa->ixa_protocol;
4156 	ira->ira_mhip = NULL;
4157 
4158 	ira->ira_flags |= IRAF_LOOPBACK | IRAF_L2SRC_LOOPBACK;
4159 
4160 	ira->ira_sqp = ixa->ixa_sqp;
4161 	ira->ira_ring = NULL;
4162 
4163 	ira->ira_ruifindex = ill->ill_phyint->phyint_ifindex;
4164 	ira->ira_rifindex = ira->ira_ruifindex;
4165 
4166 	if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE))
4167 		return;
4168 
4169 	ira->ira_flags |= IRAF_IPSEC_SECURE;
4170 
4171 	ira->ira_ipsec_ah_sa = NULL;
4172 	ira->ira_ipsec_esp_sa = NULL;
4173 
4174 	act = ixa->ixa_ipsec_action;
4175 	if (act == NULL) {
4176 		pol = ixa->ixa_ipsec_policy;
4177 		if (pol != NULL) {
4178 			act = pol->ipsp_act;
4179 			IPACT_REFHOLD(act);
4180 		}
4181 	}
4182 	ixa->ixa_ipsec_action = NULL;
4183 	ira->ira_ipsec_action = act;
4184 }
4185 
4186 /*
4187  * Consults global policy and per-socket policy to see whether this datagram
4188  * should go out secure. If so it updates the ip_xmit_attr_t
4189  * Should not be used when connecting, since then we want to latch the policy.
4190  *
4191  * If connp is NULL we just look at the global policy.
4192  *
4193  * Returns NULL if the packet was dropped, in which case the MIB has
4194  * been incremented and ip_drop_packet done.
4195  */
4196 mblk_t *
4197 ip_output_attach_policy(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h,
4198     const conn_t *connp, ip_xmit_attr_t *ixa)
4199 {
4200 	ipsec_selector_t sel;
4201 	boolean_t	policy_present;
4202 	ip_stack_t	*ipst = ixa->ixa_ipst;
4203 	netstack_t	*ns = ipst->ips_netstack;
4204 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
4205 	ipsec_policy_t	*p;
4206 
4207 	ixa->ixa_ipsec_policy_gen = ipss->ipsec_system_policy.iph_gen;
4208 	ASSERT((ipha != NULL && ip6h == NULL) ||
4209 	    (ip6h != NULL && ipha == NULL));
4210 
4211 	if (ipha != NULL)
4212 		policy_present = ipss->ipsec_outbound_v4_policy_present;
4213 	else
4214 		policy_present = ipss->ipsec_outbound_v6_policy_present;
4215 
4216 	if (!policy_present && (connp == NULL || connp->conn_policy == NULL))
4217 		return (mp);
4218 
4219 	bzero((void*)&sel, sizeof (sel));
4220 
4221 	if (ipha != NULL) {
4222 		sel.ips_local_addr_v4 = ipha->ipha_src;
4223 		sel.ips_remote_addr_v4 = ip_get_dst(ipha);
4224 		sel.ips_isv4 = B_TRUE;
4225 	} else {
4226 		sel.ips_isv4 = B_FALSE;
4227 		sel.ips_local_addr_v6 = ip6h->ip6_src;
4228 		sel.ips_remote_addr_v6 = ip_get_dst_v6(ip6h, mp, NULL);
4229 	}
4230 	sel.ips_protocol = ixa->ixa_protocol;
4231 
4232 	if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h, 0, ipss)) {
4233 		if (ipha != NULL) {
4234 			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
4235 		} else {
4236 			BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutDiscards);
4237 		}
4238 		/* Note: mp already consumed and ip_drop_packet done */
4239 		return (NULL);
4240 	}
4241 
4242 	ASSERT(ixa->ixa_ipsec_policy == NULL);
4243 	p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, &sel, ns);
4244 	ixa->ixa_ipsec_policy = p;
4245 	if (p != NULL) {
4246 		ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4247 		if (connp == NULL || connp->conn_policy == NULL)
4248 			ixa->ixa_flags |= IXAF_IPSEC_GLOBAL_POLICY;
4249 	} else {
4250 		ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4251 	}
4252 
4253 	/*
4254 	 * Copy the right port information.
4255 	 */
4256 	ixa->ixa_ipsec_src_port = sel.ips_local_port;
4257 	ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4258 	ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4259 	ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4260 	ixa->ixa_ipsec_proto = sel.ips_protocol;
4261 	return (mp);
4262 }
4263 
4264 /*
4265  * When appropriate, this function caches inbound and outbound policy
4266  * for this connection. The outbound policy is stored in conn_ixa.
4267  * Note that it can not be used for SCTP since conn_faddr isn't set for SCTP.
4268  *
4269  * XXX need to work out more details about per-interface policy and
4270  * caching here!
4271  *
4272  * XXX may want to split inbound and outbound caching for ill..
4273  */
4274 int
4275 ipsec_conn_cache_policy(conn_t *connp, boolean_t isv4)
4276 {
4277 	boolean_t global_policy_present;
4278 	netstack_t	*ns = connp->conn_netstack;
4279 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
4280 
4281 	connp->conn_ixa->ixa_ipsec_policy_gen =
4282 	    ipss->ipsec_system_policy.iph_gen;
4283 	/*
4284 	 * There is no policy latching for ICMP sockets because we can't
4285 	 * decide on which policy to use until we see the packet and get
4286 	 * type/code selectors.
4287 	 */
4288 	if (connp->conn_proto == IPPROTO_ICMP ||
4289 	    connp->conn_proto == IPPROTO_ICMPV6) {
4290 		connp->conn_in_enforce_policy =
4291 		    connp->conn_out_enforce_policy = B_TRUE;
4292 		if (connp->conn_latch != NULL) {
4293 			IPLATCH_REFRELE(connp->conn_latch);
4294 			connp->conn_latch = NULL;
4295 		}
4296 		if (connp->conn_latch_in_policy != NULL) {
4297 			IPPOL_REFRELE(connp->conn_latch_in_policy);
4298 			connp->conn_latch_in_policy = NULL;
4299 		}
4300 		if (connp->conn_latch_in_action != NULL) {
4301 			IPACT_REFRELE(connp->conn_latch_in_action);
4302 			connp->conn_latch_in_action = NULL;
4303 		}
4304 		if (connp->conn_ixa->ixa_ipsec_policy != NULL) {
4305 			IPPOL_REFRELE(connp->conn_ixa->ixa_ipsec_policy);
4306 			connp->conn_ixa->ixa_ipsec_policy = NULL;
4307 		}
4308 		if (connp->conn_ixa->ixa_ipsec_action != NULL) {
4309 			IPACT_REFRELE(connp->conn_ixa->ixa_ipsec_action);
4310 			connp->conn_ixa->ixa_ipsec_action = NULL;
4311 		}
4312 		connp->conn_ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4313 		return (0);
4314 	}
4315 
4316 	global_policy_present = isv4 ?
4317 	    (ipss->ipsec_outbound_v4_policy_present ||
4318 	    ipss->ipsec_inbound_v4_policy_present) :
4319 	    (ipss->ipsec_outbound_v6_policy_present ||
4320 	    ipss->ipsec_inbound_v6_policy_present);
4321 
4322 	if ((connp->conn_policy != NULL) || global_policy_present) {
4323 		ipsec_selector_t sel;
4324 		ipsec_policy_t	*p;
4325 
4326 		if (connp->conn_latch == NULL &&
4327 		    (connp->conn_latch = iplatch_create()) == NULL) {
4328 			return (ENOMEM);
4329 		}
4330 
4331 		bzero((void*)&sel, sizeof (sel));
4332 
4333 		sel.ips_protocol = connp->conn_proto;
4334 		sel.ips_local_port = connp->conn_lport;
4335 		sel.ips_remote_port = connp->conn_fport;
4336 		sel.ips_is_icmp_inv_acq = 0;
4337 		sel.ips_isv4 = isv4;
4338 		if (isv4) {
4339 			sel.ips_local_addr_v4 = connp->conn_laddr_v4;
4340 			sel.ips_remote_addr_v4 = connp->conn_faddr_v4;
4341 		} else {
4342 			sel.ips_local_addr_v6 = connp->conn_laddr_v6;
4343 			sel.ips_remote_addr_v6 = connp->conn_faddr_v6;
4344 		}
4345 
4346 		p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, &sel, ns);
4347 		if (connp->conn_latch_in_policy != NULL)
4348 			IPPOL_REFRELE(connp->conn_latch_in_policy);
4349 		connp->conn_latch_in_policy = p;
4350 		connp->conn_in_enforce_policy = (p != NULL);
4351 
4352 		p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, &sel, ns);
4353 		if (connp->conn_ixa->ixa_ipsec_policy != NULL)
4354 			IPPOL_REFRELE(connp->conn_ixa->ixa_ipsec_policy);
4355 		connp->conn_ixa->ixa_ipsec_policy = p;
4356 		connp->conn_out_enforce_policy = (p != NULL);
4357 		if (p != NULL) {
4358 			connp->conn_ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4359 			if (connp->conn_policy == NULL) {
4360 				connp->conn_ixa->ixa_flags |=
4361 				    IXAF_IPSEC_GLOBAL_POLICY;
4362 			}
4363 		} else {
4364 			connp->conn_ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4365 		}
4366 		/* Clear the latched actions too, in case we're recaching. */
4367 		if (connp->conn_ixa->ixa_ipsec_action != NULL) {
4368 			IPACT_REFRELE(connp->conn_ixa->ixa_ipsec_action);
4369 			connp->conn_ixa->ixa_ipsec_action = NULL;
4370 		}
4371 		if (connp->conn_latch_in_action != NULL) {
4372 			IPACT_REFRELE(connp->conn_latch_in_action);
4373 			connp->conn_latch_in_action = NULL;
4374 		}
4375 		connp->conn_ixa->ixa_ipsec_src_port = sel.ips_local_port;
4376 		connp->conn_ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4377 		connp->conn_ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4378 		connp->conn_ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4379 		connp->conn_ixa->ixa_ipsec_proto = sel.ips_protocol;
4380 	} else {
4381 		connp->conn_ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4382 	}
4383 
4384 	/*
4385 	 * We may or may not have policy for this endpoint.  We still set
4386 	 * conn_policy_cached so that inbound datagrams don't have to look
4387 	 * at global policy as policy is considered latched for these
4388 	 * endpoints.  We should not set conn_policy_cached until the conn
4389 	 * reflects the actual policy. If we *set* this before inheriting
4390 	 * the policy there is a window where the check
4391 	 * CONN_INBOUND_POLICY_PRESENT, will neither check with the policy
4392 	 * on the conn (because we have not yet copied the policy on to
4393 	 * conn and hence not set conn_in_enforce_policy) nor with the
4394 	 * global policy (because conn_policy_cached is already set).
4395 	 */
4396 	connp->conn_policy_cached = B_TRUE;
4397 	return (0);
4398 }
4399 
4400 /*
4401  * When appropriate, this function caches outbound policy for faddr/fport.
4402  * It is used when we are not connected i.e., when we can not latch the
4403  * policy.
4404  */
4405 void
4406 ipsec_cache_outbound_policy(const conn_t *connp, const in6_addr_t *v6src,
4407     const in6_addr_t *v6dst, in_port_t dstport, ip_xmit_attr_t *ixa)
4408 {
4409 	boolean_t	isv4 = (ixa->ixa_flags & IXAF_IS_IPV4) != 0;
4410 	boolean_t	global_policy_present;
4411 	netstack_t	*ns = connp->conn_netstack;
4412 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
4413 
4414 	ixa->ixa_ipsec_policy_gen = ipss->ipsec_system_policy.iph_gen;
4415 
4416 	/*
4417 	 * There is no policy caching for ICMP sockets because we can't
4418 	 * decide on which policy to use until we see the packet and get
4419 	 * type/code selectors.
4420 	 */
4421 	if (connp->conn_proto == IPPROTO_ICMP ||
4422 	    connp->conn_proto == IPPROTO_ICMPV6) {
4423 		ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4424 		if (ixa->ixa_ipsec_policy != NULL) {
4425 			IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4426 			ixa->ixa_ipsec_policy = NULL;
4427 		}
4428 		if (ixa->ixa_ipsec_action != NULL) {
4429 			IPACT_REFRELE(ixa->ixa_ipsec_action);
4430 			ixa->ixa_ipsec_action = NULL;
4431 		}
4432 		return;
4433 	}
4434 
4435 	global_policy_present = isv4 ?
4436 	    (ipss->ipsec_outbound_v4_policy_present ||
4437 	    ipss->ipsec_inbound_v4_policy_present) :
4438 	    (ipss->ipsec_outbound_v6_policy_present ||
4439 	    ipss->ipsec_inbound_v6_policy_present);
4440 
4441 	if ((connp->conn_policy != NULL) || global_policy_present) {
4442 		ipsec_selector_t sel;
4443 		ipsec_policy_t	*p;
4444 
4445 		bzero((void*)&sel, sizeof (sel));
4446 
4447 		sel.ips_protocol = connp->conn_proto;
4448 		sel.ips_local_port = connp->conn_lport;
4449 		sel.ips_remote_port = dstport;
4450 		sel.ips_is_icmp_inv_acq = 0;
4451 		sel.ips_isv4 = isv4;
4452 		if (isv4) {
4453 			IN6_V4MAPPED_TO_IPADDR(v6src, sel.ips_local_addr_v4);
4454 			IN6_V4MAPPED_TO_IPADDR(v6dst, sel.ips_remote_addr_v4);
4455 		} else {
4456 			sel.ips_local_addr_v6 = *v6src;
4457 			sel.ips_remote_addr_v6 = *v6dst;
4458 		}
4459 
4460 		p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, &sel, ns);
4461 		if (ixa->ixa_ipsec_policy != NULL)
4462 			IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4463 		ixa->ixa_ipsec_policy = p;
4464 		if (p != NULL) {
4465 			ixa->ixa_flags |= IXAF_IPSEC_SECURE;
4466 			if (connp->conn_policy == NULL)
4467 				ixa->ixa_flags |= IXAF_IPSEC_GLOBAL_POLICY;
4468 		} else {
4469 			ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4470 		}
4471 		/* Clear the latched actions too, in case we're recaching. */
4472 		if (ixa->ixa_ipsec_action != NULL) {
4473 			IPACT_REFRELE(ixa->ixa_ipsec_action);
4474 			ixa->ixa_ipsec_action = NULL;
4475 		}
4476 
4477 		ixa->ixa_ipsec_src_port = sel.ips_local_port;
4478 		ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
4479 		ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
4480 		ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
4481 		ixa->ixa_ipsec_proto = sel.ips_protocol;
4482 	} else {
4483 		ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4484 		if (ixa->ixa_ipsec_policy != NULL) {
4485 			IPPOL_REFRELE(ixa->ixa_ipsec_policy);
4486 			ixa->ixa_ipsec_policy = NULL;
4487 		}
4488 		if (ixa->ixa_ipsec_action != NULL) {
4489 			IPACT_REFRELE(ixa->ixa_ipsec_action);
4490 			ixa->ixa_ipsec_action = NULL;
4491 		}
4492 	}
4493 }
4494 
4495 /*
4496  * Returns B_FALSE if the policy has gone stale.
4497  */
4498 boolean_t
4499 ipsec_outbound_policy_current(ip_xmit_attr_t *ixa)
4500 {
4501 	ipsec_stack_t	*ipss = ixa->ixa_ipst->ips_netstack->netstack_ipsec;
4502 
4503 	if (!(ixa->ixa_flags & IXAF_IPSEC_GLOBAL_POLICY))
4504 		return (B_TRUE);
4505 
4506 	return (ixa->ixa_ipsec_policy_gen == ipss->ipsec_system_policy.iph_gen);
4507 }
4508 
4509 void
4510 iplatch_free(ipsec_latch_t *ipl)
4511 {
4512 	if (ipl->ipl_local_cid != NULL)
4513 		IPSID_REFRELE(ipl->ipl_local_cid);
4514 	if (ipl->ipl_remote_cid != NULL)
4515 		IPSID_REFRELE(ipl->ipl_remote_cid);
4516 	mutex_destroy(&ipl->ipl_lock);
4517 	kmem_free(ipl, sizeof (*ipl));
4518 }
4519 
4520 ipsec_latch_t *
4521 iplatch_create()
4522 {
4523 	ipsec_latch_t *ipl = kmem_alloc(sizeof (*ipl), KM_NOSLEEP);
4524 	if (ipl == NULL)
4525 		return (ipl);
4526 	bzero(ipl, sizeof (*ipl));
4527 	mutex_init(&ipl->ipl_lock, NULL, MUTEX_DEFAULT, NULL);
4528 	ipl->ipl_refcnt = 1;
4529 	return (ipl);
4530 }
4531 
4532 /*
4533  * Hash function for ID hash table.
4534  */
4535 static uint32_t
4536 ipsid_hash(int idtype, char *idstring)
4537 {
4538 	uint32_t hval = idtype;
4539 	unsigned char c;
4540 
4541 	while ((c = *idstring++) != 0) {
4542 		hval = (hval << 4) | (hval >> 28);
4543 		hval ^= c;
4544 	}
4545 	hval = hval ^ (hval >> 16);
4546 	return (hval & (IPSID_HASHSIZE-1));
4547 }
4548 
4549 /*
4550  * Look up identity string in hash table.  Return identity object
4551  * corresponding to the name -- either preexisting, or newly allocated.
4552  *
4553  * Return NULL if we need to allocate a new one and can't get memory.
4554  */
4555 ipsid_t *
4556 ipsid_lookup(int idtype, char *idstring, netstack_t *ns)
4557 {
4558 	ipsid_t *retval;
4559 	char *nstr;
4560 	int idlen = strlen(idstring) + 1;
4561 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
4562 	ipsif_t *bucket;
4563 
4564 	bucket = &ipss->ipsec_ipsid_buckets[ipsid_hash(idtype, idstring)];
4565 
4566 	mutex_enter(&bucket->ipsif_lock);
4567 
4568 	for (retval = bucket->ipsif_head; retval != NULL;
4569 	    retval = retval->ipsid_next) {
4570 		if (idtype != retval->ipsid_type)
4571 			continue;
4572 		if (bcmp(idstring, retval->ipsid_cid, idlen) != 0)
4573 			continue;
4574 
4575 		IPSID_REFHOLD(retval);
4576 		mutex_exit(&bucket->ipsif_lock);
4577 		return (retval);
4578 	}
4579 
4580 	retval = kmem_alloc(sizeof (*retval), KM_NOSLEEP);
4581 	if (!retval) {
4582 		mutex_exit(&bucket->ipsif_lock);
4583 		return (NULL);
4584 	}
4585 
4586 	nstr = kmem_alloc(idlen, KM_NOSLEEP);
4587 	if (!nstr) {
4588 		mutex_exit(&bucket->ipsif_lock);
4589 		kmem_free(retval, sizeof (*retval));
4590 		return (NULL);
4591 	}
4592 
4593 	retval->ipsid_refcnt = 1;
4594 	retval->ipsid_next = bucket->ipsif_head;
4595 	if (retval->ipsid_next != NULL)
4596 		retval->ipsid_next->ipsid_ptpn = &retval->ipsid_next;
4597 	retval->ipsid_ptpn = &bucket->ipsif_head;
4598 	retval->ipsid_type = idtype;
4599 	retval->ipsid_cid = nstr;
4600 	bucket->ipsif_head = retval;
4601 	bcopy(idstring, nstr, idlen);
4602 	mutex_exit(&bucket->ipsif_lock);
4603 
4604 	return (retval);
4605 }
4606 
4607 /*
4608  * Garbage collect the identity hash table.
4609  */
4610 void
4611 ipsid_gc(netstack_t *ns)
4612 {
4613 	int i, len;
4614 	ipsid_t *id, *nid;
4615 	ipsif_t *bucket;
4616 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
4617 
4618 	for (i = 0; i < IPSID_HASHSIZE; i++) {
4619 		bucket = &ipss->ipsec_ipsid_buckets[i];
4620 		mutex_enter(&bucket->ipsif_lock);
4621 		for (id = bucket->ipsif_head; id != NULL; id = nid) {
4622 			nid = id->ipsid_next;
4623 			if (id->ipsid_refcnt == 0) {
4624 				*id->ipsid_ptpn = nid;
4625 				if (nid != NULL)
4626 					nid->ipsid_ptpn = id->ipsid_ptpn;
4627 				len = strlen(id->ipsid_cid) + 1;
4628 				kmem_free(id->ipsid_cid, len);
4629 				kmem_free(id, sizeof (*id));
4630 			}
4631 		}
4632 		mutex_exit(&bucket->ipsif_lock);
4633 	}
4634 }
4635 
4636 /*
4637  * Return true if two identities are the same.
4638  */
4639 boolean_t
4640 ipsid_equal(ipsid_t *id1, ipsid_t *id2)
4641 {
4642 	if (id1 == id2)
4643 		return (B_TRUE);
4644 #ifdef DEBUG
4645 	if ((id1 == NULL) || (id2 == NULL))
4646 		return (B_FALSE);
4647 	/*
4648 	 * test that we're interning id's correctly..
4649 	 */
4650 	ASSERT((strcmp(id1->ipsid_cid, id2->ipsid_cid) != 0) ||
4651 	    (id1->ipsid_type != id2->ipsid_type));
4652 #endif
4653 	return (B_FALSE);
4654 }
4655 
4656 /*
4657  * Initialize identity table; called during module initialization.
4658  */
4659 static void
4660 ipsid_init(netstack_t *ns)
4661 {
4662 	ipsif_t *bucket;
4663 	int i;
4664 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
4665 
4666 	for (i = 0; i < IPSID_HASHSIZE; i++) {
4667 		bucket = &ipss->ipsec_ipsid_buckets[i];
4668 		mutex_init(&bucket->ipsif_lock, NULL, MUTEX_DEFAULT, NULL);
4669 	}
4670 }
4671 
4672 /*
4673  * Free identity table (preparatory to module unload)
4674  */
4675 static void
4676 ipsid_fini(netstack_t *ns)
4677 {
4678 	ipsif_t *bucket;
4679 	int i;
4680 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
4681 
4682 	for (i = 0; i < IPSID_HASHSIZE; i++) {
4683 		bucket = &ipss->ipsec_ipsid_buckets[i];
4684 		ASSERT(bucket->ipsif_head == NULL);
4685 		mutex_destroy(&bucket->ipsif_lock);
4686 	}
4687 }
4688 
4689 /*
4690  * Update the minimum and maximum supported key sizes for the
4691  * specified algorithm. Must be called while holding the algorithms lock.
4692  */
4693 void
4694 ipsec_alg_fix_min_max(ipsec_alginfo_t *alg, ipsec_algtype_t alg_type,
4695     netstack_t *ns)
4696 {
4697 	size_t crypto_min = (size_t)-1, crypto_max = 0;
4698 	size_t cur_crypto_min, cur_crypto_max;
4699 	boolean_t is_valid;
4700 	crypto_mechanism_info_t *mech_infos;
4701 	uint_t nmech_infos;
4702 	int crypto_rc, i;
4703 	crypto_mech_usage_t mask;
4704 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
4705 
4706 	ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
4707 
4708 	/*
4709 	 * Compute the min, max, and default key sizes (in number of
4710 	 * increments to the default key size in bits) as defined
4711 	 * by the algorithm mappings. This range of key sizes is used
4712 	 * for policy related operations. The effective key sizes
4713 	 * supported by the framework could be more limited than
4714 	 * those defined for an algorithm.
4715 	 */
4716 	alg->alg_default_bits = alg->alg_key_sizes[0];
4717 	alg->alg_default = 0;
4718 	if (alg->alg_increment != 0) {
4719 		/* key sizes are defined by range & increment */
4720 		alg->alg_minbits = alg->alg_key_sizes[1];
4721 		alg->alg_maxbits = alg->alg_key_sizes[2];
4722 	} else if (alg->alg_nkey_sizes == 0) {
4723 		/* no specified key size for algorithm */
4724 		alg->alg_minbits = alg->alg_maxbits = 0;
4725 	} else {
4726 		/* key sizes are defined by enumeration */
4727 		alg->alg_minbits = (uint16_t)-1;
4728 		alg->alg_maxbits = 0;
4729 
4730 		for (i = 0; i < alg->alg_nkey_sizes; i++) {
4731 			if (alg->alg_key_sizes[i] < alg->alg_minbits)
4732 				alg->alg_minbits = alg->alg_key_sizes[i];
4733 			if (alg->alg_key_sizes[i] > alg->alg_maxbits)
4734 				alg->alg_maxbits = alg->alg_key_sizes[i];
4735 		}
4736 	}
4737 
4738 	if (!(alg->alg_flags & ALG_FLAG_VALID))
4739 		return;
4740 
4741 	/*
4742 	 * Mechanisms do not apply to the NULL encryption
4743 	 * algorithm, so simply return for this case.
4744 	 */
4745 	if (alg->alg_id == SADB_EALG_NULL)
4746 		return;
4747 
4748 	/*
4749 	 * Find the min and max key sizes supported by the cryptographic
4750 	 * framework providers.
4751 	 */
4752 
4753 	/* get the key sizes supported by the framework */
4754 	crypto_rc = crypto_get_all_mech_info(alg->alg_mech_type,
4755 	    &mech_infos, &nmech_infos, KM_SLEEP);
4756 	if (crypto_rc != CRYPTO_SUCCESS || nmech_infos == 0) {
4757 		alg->alg_flags &= ~ALG_FLAG_VALID;
4758 		return;
4759 	}
4760 
4761 	/* min and max key sizes supported by framework */
4762 	for (i = 0, is_valid = B_FALSE; i < nmech_infos; i++) {
4763 		int unit_bits;
4764 
4765 		/*
4766 		 * Ignore entries that do not support the operations
4767 		 * needed for the algorithm type.
4768 		 */
4769 		if (alg_type == IPSEC_ALG_AUTH) {
4770 			mask = CRYPTO_MECH_USAGE_MAC;
4771 		} else {
4772 			mask = CRYPTO_MECH_USAGE_ENCRYPT |
4773 			    CRYPTO_MECH_USAGE_DECRYPT;
4774 		}
4775 		if ((mech_infos[i].mi_usage & mask) != mask)
4776 			continue;
4777 
4778 		unit_bits = (mech_infos[i].mi_keysize_unit ==
4779 		    CRYPTO_KEYSIZE_UNIT_IN_BYTES)  ? 8 : 1;
4780 		/* adjust min/max supported by framework */
4781 		cur_crypto_min = mech_infos[i].mi_min_key_size * unit_bits;
4782 		cur_crypto_max = mech_infos[i].mi_max_key_size * unit_bits;
4783 
4784 		if (cur_crypto_min < crypto_min)
4785 			crypto_min = cur_crypto_min;
4786 
4787 		/*
4788 		 * CRYPTO_EFFECTIVELY_INFINITE is a special value of
4789 		 * the crypto framework which means "no upper limit".
4790 		 */
4791 		if (mech_infos[i].mi_max_key_size ==
4792 		    CRYPTO_EFFECTIVELY_INFINITE) {
4793 			crypto_max = (size_t)-1;
4794 		} else if (cur_crypto_max > crypto_max) {
4795 			crypto_max = cur_crypto_max;
4796 		}
4797 
4798 		is_valid = B_TRUE;
4799 	}
4800 
4801 	kmem_free(mech_infos, sizeof (crypto_mechanism_info_t) *
4802 	    nmech_infos);
4803 
4804 	if (!is_valid) {
4805 		/* no key sizes supported by framework */
4806 		alg->alg_flags &= ~ALG_FLAG_VALID;
4807 		return;
4808 	}
4809 
4810 	/*
4811 	 * Determine min and max key sizes from alg_key_sizes[].
4812 	 * defined for the algorithm entry. Adjust key sizes based on
4813 	 * those supported by the framework.
4814 	 */
4815 	alg->alg_ef_default_bits = alg->alg_key_sizes[0];
4816 
4817 	/*
4818 	 * For backwards compatability, assume that the IV length
4819 	 * is the same as the data length.
4820 	 */
4821 	alg->alg_ivlen = alg->alg_datalen;
4822 
4823 	/*
4824 	 * Copy any algorithm parameters (if provided) into dedicated
4825 	 * elements in the ipsec_alginfo_t structure.
4826 	 * There may be a better place to put this code.
4827 	 */
4828 	for (i = 0; i < alg->alg_nparams; i++) {
4829 		switch (i) {
4830 		case 0:
4831 			/* Initialisation Vector length (bytes) */
4832 			alg->alg_ivlen =  alg->alg_params[0];
4833 			break;
4834 		case 1:
4835 			/* Integrity Check Vector length (bytes) */
4836 			alg->alg_icvlen = alg->alg_params[1];
4837 			break;
4838 		case 2:
4839 			/* Salt length (bytes) */
4840 			alg->alg_saltlen = (uint8_t)alg->alg_params[2];
4841 			break;
4842 		default:
4843 			break;
4844 		}
4845 	}
4846 
4847 	/* Default if the IV length is not specified. */
4848 	if (alg_type == IPSEC_ALG_ENCR && alg->alg_ivlen == 0)
4849 		alg->alg_ivlen = alg->alg_datalen;
4850 
4851 	alg_flag_check(alg);
4852 
4853 	if (alg->alg_increment != 0) {
4854 		/* supported key sizes are defined by range  & increment */
4855 		crypto_min = ALGBITS_ROUND_UP(crypto_min, alg->alg_increment);
4856 		crypto_max = ALGBITS_ROUND_DOWN(crypto_max, alg->alg_increment);
4857 
4858 		alg->alg_ef_minbits = MAX(alg->alg_minbits,
4859 		    (uint16_t)crypto_min);
4860 		alg->alg_ef_maxbits = MIN(alg->alg_maxbits,
4861 		    (uint16_t)crypto_max);
4862 
4863 		/*
4864 		 * If the sizes supported by the framework are outside
4865 		 * the range of sizes defined by the algorithm mappings,
4866 		 * the algorithm cannot be used. Check for this
4867 		 * condition here.
4868 		 */
4869 		if (alg->alg_ef_minbits > alg->alg_ef_maxbits) {
4870 			alg->alg_flags &= ~ALG_FLAG_VALID;
4871 			return;
4872 		}
4873 		if (alg->alg_ef_default_bits < alg->alg_ef_minbits)
4874 			alg->alg_ef_default_bits = alg->alg_ef_minbits;
4875 		if (alg->alg_ef_default_bits > alg->alg_ef_maxbits)
4876 			alg->alg_ef_default_bits = alg->alg_ef_maxbits;
4877 	} else if (alg->alg_nkey_sizes == 0) {
4878 		/* no specified key size for algorithm */
4879 		alg->alg_ef_minbits = alg->alg_ef_maxbits = 0;
4880 	} else {
4881 		/* supported key sizes are defined by enumeration */
4882 		alg->alg_ef_minbits = (uint16_t)-1;
4883 		alg->alg_ef_maxbits = 0;
4884 
4885 		for (i = 0, is_valid = B_FALSE; i < alg->alg_nkey_sizes; i++) {
4886 			/*
4887 			 * Ignore the current key size if it is not in the
4888 			 * range of sizes supported by the framework.
4889 			 */
4890 			if (alg->alg_key_sizes[i] < crypto_min ||
4891 			    alg->alg_key_sizes[i] > crypto_max)
4892 				continue;
4893 			if (alg->alg_key_sizes[i] < alg->alg_ef_minbits)
4894 				alg->alg_ef_minbits = alg->alg_key_sizes[i];
4895 			if (alg->alg_key_sizes[i] > alg->alg_ef_maxbits)
4896 				alg->alg_ef_maxbits = alg->alg_key_sizes[i];
4897 			is_valid = B_TRUE;
4898 		}
4899 
4900 		if (!is_valid) {
4901 			alg->alg_flags &= ~ALG_FLAG_VALID;
4902 			return;
4903 		}
4904 		alg->alg_ef_default = 0;
4905 	}
4906 }
4907 
4908 /*
4909  * Sanity check parameters provided by ipsecalgs(1m). Assume that
4910  * the algoritm is marked as valid, there is a check at the top
4911  * of this function. If any of the checks below fail, the algorithm
4912  * entry is invalid.
4913  */
4914 void
4915 alg_flag_check(ipsec_alginfo_t *alg)
4916 {
4917 	alg->alg_flags &= ~ALG_FLAG_VALID;
4918 
4919 	/*
4920 	 * Can't have the algorithm marked as CCM and GCM.
4921 	 * Check the ALG_FLAG_COMBINED and ALG_FLAG_COUNTERMODE
4922 	 * flags are set for CCM & GCM.
4923 	 */
4924 	if ((alg->alg_flags & (ALG_FLAG_CCM|ALG_FLAG_GCM)) ==
4925 	    (ALG_FLAG_CCM|ALG_FLAG_GCM))
4926 		return;
4927 	if (alg->alg_flags & (ALG_FLAG_CCM|ALG_FLAG_GCM)) {
4928 		if (!(alg->alg_flags & ALG_FLAG_COUNTERMODE))
4929 			return;
4930 		if (!(alg->alg_flags & ALG_FLAG_COMBINED))
4931 			return;
4932 	}
4933 
4934 	/*
4935 	 * For ALG_FLAG_COUNTERMODE, check the parameters
4936 	 * fit in the ipsec_nonce_t structure.
4937 	 */
4938 	if (alg->alg_flags & ALG_FLAG_COUNTERMODE) {
4939 		if (alg->alg_ivlen != sizeof (((ipsec_nonce_t *)NULL)->iv))
4940 			return;
4941 		if (alg->alg_saltlen > sizeof (((ipsec_nonce_t *)NULL)->salt))
4942 			return;
4943 	}
4944 	if ((alg->alg_flags & ALG_FLAG_COMBINED) &&
4945 	    (alg->alg_icvlen == 0))
4946 		return;
4947 
4948 	/* all is well. */
4949 	alg->alg_flags |= ALG_FLAG_VALID;
4950 }
4951 
4952 /*
4953  * Free the memory used by the specified algorithm.
4954  */
4955 void
4956 ipsec_alg_free(ipsec_alginfo_t *alg)
4957 {
4958 	if (alg == NULL)
4959 		return;
4960 
4961 	if (alg->alg_key_sizes != NULL) {
4962 		kmem_free(alg->alg_key_sizes,
4963 		    (alg->alg_nkey_sizes + 1) * sizeof (uint16_t));
4964 		alg->alg_key_sizes = NULL;
4965 	}
4966 	if (alg->alg_block_sizes != NULL) {
4967 		kmem_free(alg->alg_block_sizes,
4968 		    (alg->alg_nblock_sizes + 1) * sizeof (uint16_t));
4969 		alg->alg_block_sizes = NULL;
4970 	}
4971 	if (alg->alg_params != NULL) {
4972 		kmem_free(alg->alg_params,
4973 		    (alg->alg_nparams + 1) * sizeof (uint16_t));
4974 		alg->alg_params = NULL;
4975 	}
4976 	kmem_free(alg, sizeof (*alg));
4977 }
4978 
4979 /*
4980  * Check the validity of the specified key size for an algorithm.
4981  * Returns B_TRUE if key size is valid, B_FALSE otherwise.
4982  */
4983 boolean_t
4984 ipsec_valid_key_size(uint16_t key_size, ipsec_alginfo_t *alg)
4985 {
4986 	if (key_size < alg->alg_ef_minbits || key_size > alg->alg_ef_maxbits)
4987 		return (B_FALSE);
4988 
4989 	if (alg->alg_increment == 0 && alg->alg_nkey_sizes != 0) {
4990 		/*
4991 		 * If the key sizes are defined by enumeration, the new
4992 		 * key size must be equal to one of the supported values.
4993 		 */
4994 		int i;
4995 
4996 		for (i = 0; i < alg->alg_nkey_sizes; i++)
4997 			if (key_size == alg->alg_key_sizes[i])
4998 				break;
4999 		if (i == alg->alg_nkey_sizes)
5000 			return (B_FALSE);
5001 	}
5002 
5003 	return (B_TRUE);
5004 }
5005 
5006 /*
5007  * Callback function invoked by the crypto framework when a provider
5008  * registers or unregisters. This callback updates the algorithms
5009  * tables when a crypto algorithm is no longer available or becomes
5010  * available, and triggers the freeing/creation of context templates
5011  * associated with existing SAs, if needed.
5012  *
5013  * Need to walk all stack instances since the callback is global
5014  * for all instances
5015  */
5016 void
5017 ipsec_prov_update_callback(uint32_t event, void *event_arg)
5018 {
5019 	netstack_handle_t nh;
5020 	netstack_t *ns;
5021 
5022 	netstack_next_init(&nh);
5023 	while ((ns = netstack_next(&nh)) != NULL) {
5024 		ipsec_prov_update_callback_stack(event, event_arg, ns);
5025 		netstack_rele(ns);
5026 	}
5027 	netstack_next_fini(&nh);
5028 }
5029 
5030 static void
5031 ipsec_prov_update_callback_stack(uint32_t event, void *event_arg,
5032     netstack_t *ns)
5033 {
5034 	crypto_notify_event_change_t *prov_change =
5035 	    (crypto_notify_event_change_t *)event_arg;
5036 	uint_t algidx, algid, algtype, mech_count, mech_idx;
5037 	ipsec_alginfo_t *alg;
5038 	ipsec_alginfo_t oalg;
5039 	crypto_mech_name_t *mechs;
5040 	boolean_t alg_changed = B_FALSE;
5041 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
5042 
5043 	/* ignore events for which we didn't register */
5044 	if (event != CRYPTO_EVENT_MECHS_CHANGED) {
5045 		ip1dbg(("ipsec_prov_update_callback: unexpected event 0x%x "
5046 		    " received from crypto framework\n", event));
5047 		return;
5048 	}
5049 
5050 	mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
5051 	if (mechs == NULL)
5052 		return;
5053 
5054 	/*
5055 	 * Walk the list of currently defined IPsec algorithm. Update
5056 	 * the algorithm valid flag and trigger an update of the
5057 	 * SAs that depend on that algorithm.
5058 	 */
5059 	mutex_enter(&ipss->ipsec_alg_lock);
5060 	for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
5061 		for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
5062 		    algidx++) {
5063 
5064 			algid = ipss->ipsec_sortlist[algtype][algidx];
5065 			alg = ipss->ipsec_alglists[algtype][algid];
5066 			ASSERT(alg != NULL);
5067 
5068 			/*
5069 			 * Skip the algorithms which do not map to the
5070 			 * crypto framework provider being added or removed.
5071 			 */
5072 			if (strncmp(alg->alg_mech_name,
5073 			    prov_change->ec_mech_name,
5074 			    CRYPTO_MAX_MECH_NAME) != 0)
5075 				continue;
5076 
5077 			/*
5078 			 * Determine if the mechanism is valid. If it
5079 			 * is not, mark the algorithm as being invalid. If
5080 			 * it is, mark the algorithm as being valid.
5081 			 */
5082 			for (mech_idx = 0; mech_idx < mech_count; mech_idx++)
5083 				if (strncmp(alg->alg_mech_name,
5084 				    mechs[mech_idx], CRYPTO_MAX_MECH_NAME) == 0)
5085 					break;
5086 			if (mech_idx == mech_count &&
5087 			    alg->alg_flags & ALG_FLAG_VALID) {
5088 				alg->alg_flags &= ~ALG_FLAG_VALID;
5089 				alg_changed = B_TRUE;
5090 			} else if (mech_idx < mech_count &&
5091 			    !(alg->alg_flags & ALG_FLAG_VALID)) {
5092 				alg->alg_flags |= ALG_FLAG_VALID;
5093 				alg_changed = B_TRUE;
5094 			}
5095 
5096 			/*
5097 			 * Update the supported key sizes, regardless
5098 			 * of whether a crypto provider was added or
5099 			 * removed.
5100 			 */
5101 			oalg = *alg;
5102 			ipsec_alg_fix_min_max(alg, algtype, ns);
5103 			if (!alg_changed &&
5104 			    alg->alg_ef_minbits != oalg.alg_ef_minbits ||
5105 			    alg->alg_ef_maxbits != oalg.alg_ef_maxbits ||
5106 			    alg->alg_ef_default != oalg.alg_ef_default ||
5107 			    alg->alg_ef_default_bits !=
5108 			    oalg.alg_ef_default_bits)
5109 				alg_changed = B_TRUE;
5110 
5111 			/*
5112 			 * Update the affected SAs if a software provider is
5113 			 * being added or removed.
5114 			 */
5115 			if (prov_change->ec_provider_type ==
5116 			    CRYPTO_SW_PROVIDER)
5117 				sadb_alg_update(algtype, alg->alg_id,
5118 				    prov_change->ec_change ==
5119 				    CRYPTO_MECH_ADDED, ns);
5120 		}
5121 	}
5122 	mutex_exit(&ipss->ipsec_alg_lock);
5123 	crypto_free_mech_list(mechs, mech_count);
5124 
5125 	if (alg_changed) {
5126 		/*
5127 		 * An algorithm has changed, i.e. it became valid or
5128 		 * invalid, or its support key sizes have changed.
5129 		 * Notify ipsecah and ipsecesp of this change so
5130 		 * that they can send a SADB_REGISTER to their consumers.
5131 		 */
5132 		ipsecah_algs_changed(ns);
5133 		ipsecesp_algs_changed(ns);
5134 	}
5135 }
5136 
5137 /*
5138  * Registers with the crypto framework to be notified of crypto
5139  * providers changes. Used to update the algorithm tables and
5140  * to free or create context templates if needed. Invoked after IPsec
5141  * is loaded successfully.
5142  *
5143  * This is called separately for each IP instance, so we ensure we only
5144  * register once.
5145  */
5146 void
5147 ipsec_register_prov_update(void)
5148 {
5149 	if (prov_update_handle != NULL)
5150 		return;
5151 
5152 	prov_update_handle = crypto_notify_events(
5153 	    ipsec_prov_update_callback, CRYPTO_EVENT_MECHS_CHANGED);
5154 }
5155 
5156 /*
5157  * Unregisters from the framework to be notified of crypto providers
5158  * changes. Called from ipsec_policy_g_destroy().
5159  */
5160 static void
5161 ipsec_unregister_prov_update(void)
5162 {
5163 	if (prov_update_handle != NULL)
5164 		crypto_unnotify_events(prov_update_handle);
5165 }
5166 
5167 /*
5168  * Tunnel-mode support routines.
5169  */
5170 
5171 /*
5172  * Returns an mblk chain suitable for putnext() if policies match and IPsec
5173  * SAs are available.  If there's no per-tunnel policy, or a match comes back
5174  * with no match, then still return the packet and have global policy take
5175  * a crack at it in IP.
5176  * This updates the ip_xmit_attr with the IPsec policy.
5177  *
5178  * Remember -> we can be forwarding packets.  Keep that in mind w.r.t.
5179  * inner-packet contents.
5180  */
5181 mblk_t *
5182 ipsec_tun_outbound(mblk_t *mp, iptun_t *iptun, ipha_t *inner_ipv4,
5183     ip6_t *inner_ipv6, ipha_t *outer_ipv4, ip6_t *outer_ipv6, int outer_hdr_len,
5184     ip_xmit_attr_t *ixa)
5185 {
5186 	ipsec_policy_head_t *polhead;
5187 	ipsec_selector_t sel;
5188 	mblk_t *nmp;
5189 	boolean_t is_fragment;
5190 	ipsec_policy_t *pol;
5191 	ipsec_tun_pol_t *itp = iptun->iptun_itp;
5192 	netstack_t *ns = iptun->iptun_ns;
5193 	ipsec_stack_t *ipss = ns->netstack_ipsec;
5194 
5195 	ASSERT(outer_ipv6 != NULL && outer_ipv4 == NULL ||
5196 	    outer_ipv4 != NULL && outer_ipv6 == NULL);
5197 	/* We take care of inners in a bit. */
5198 
5199 	/* Are the IPsec fields initialized at all? */
5200 	if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE)) {
5201 		ASSERT(ixa->ixa_ipsec_policy == NULL);
5202 		ASSERT(ixa->ixa_ipsec_latch == NULL);
5203 		ASSERT(ixa->ixa_ipsec_action == NULL);
5204 		ASSERT(ixa->ixa_ipsec_ah_sa == NULL);
5205 		ASSERT(ixa->ixa_ipsec_esp_sa == NULL);
5206 	}
5207 
5208 	ASSERT(itp != NULL && (itp->itp_flags & ITPF_P_ACTIVE));
5209 	polhead = itp->itp_policy;
5210 
5211 	bzero(&sel, sizeof (sel));
5212 	if (inner_ipv4 != NULL) {
5213 		ASSERT(inner_ipv6 == NULL);
5214 		sel.ips_isv4 = B_TRUE;
5215 		sel.ips_local_addr_v4 = inner_ipv4->ipha_src;
5216 		sel.ips_remote_addr_v4 = inner_ipv4->ipha_dst;
5217 		sel.ips_protocol = (uint8_t)inner_ipv4->ipha_protocol;
5218 	} else {
5219 		ASSERT(inner_ipv6 != NULL);
5220 		sel.ips_isv4 = B_FALSE;
5221 		sel.ips_local_addr_v6 = inner_ipv6->ip6_src;
5222 		/*
5223 		 * We don't care about routing-header dests in the
5224 		 * forwarding/tunnel path, so just grab ip6_dst.
5225 		 */
5226 		sel.ips_remote_addr_v6 = inner_ipv6->ip6_dst;
5227 	}
5228 
5229 	if (itp->itp_flags & ITPF_P_PER_PORT_SECURITY) {
5230 		/*
5231 		 * Caller can prepend the outer header, which means
5232 		 * inner_ipv[46] may be stuck in the middle.  Pullup the whole
5233 		 * mess now if need-be, for easier processing later.  Don't
5234 		 * forget to rewire the outer header too.
5235 		 */
5236 		if (mp->b_cont != NULL) {
5237 			nmp = msgpullup(mp, -1);
5238 			if (nmp == NULL) {
5239 				ip_drop_packet(mp, B_FALSE, NULL,
5240 				    DROPPER(ipss, ipds_spd_nomem),
5241 				    &ipss->ipsec_spd_dropper);
5242 				return (NULL);
5243 			}
5244 			freemsg(mp);
5245 			mp = nmp;
5246 			if (outer_ipv4 != NULL)
5247 				outer_ipv4 = (ipha_t *)mp->b_rptr;
5248 			else
5249 				outer_ipv6 = (ip6_t *)mp->b_rptr;
5250 			if (inner_ipv4 != NULL) {
5251 				inner_ipv4 =
5252 				    (ipha_t *)(mp->b_rptr + outer_hdr_len);
5253 			} else {
5254 				inner_ipv6 =
5255 				    (ip6_t *)(mp->b_rptr + outer_hdr_len);
5256 			}
5257 		}
5258 		if (inner_ipv4 != NULL) {
5259 			is_fragment = IS_V4_FRAGMENT(
5260 			    inner_ipv4->ipha_fragment_offset_and_flags);
5261 		} else {
5262 			sel.ips_remote_addr_v6 = ip_get_dst_v6(inner_ipv6, mp,
5263 			    &is_fragment);
5264 		}
5265 
5266 		if (is_fragment) {
5267 			ipha_t *oiph;
5268 			ipha_t *iph = NULL;
5269 			ip6_t *ip6h = NULL;
5270 			int hdr_len;
5271 			uint16_t ip6_hdr_length;
5272 			uint8_t v6_proto;
5273 			uint8_t *v6_proto_p;
5274 
5275 			/*
5276 			 * We have a fragment we need to track!
5277 			 */
5278 			mp = ipsec_fragcache_add(&itp->itp_fragcache, NULL, mp,
5279 			    outer_hdr_len, ipss);
5280 			if (mp == NULL)
5281 				return (NULL);
5282 			ASSERT(mp->b_cont == NULL);
5283 
5284 			/*
5285 			 * If we get here, we have a full fragment chain
5286 			 */
5287 
5288 			oiph = (ipha_t *)mp->b_rptr;
5289 			if (IPH_HDR_VERSION(oiph) == IPV4_VERSION) {
5290 				hdr_len = ((outer_hdr_len != 0) ?
5291 				    IPH_HDR_LENGTH(oiph) : 0);
5292 				iph = (ipha_t *)(mp->b_rptr + hdr_len);
5293 			} else {
5294 				ASSERT(IPH_HDR_VERSION(oiph) == IPV6_VERSION);
5295 				ip6h = (ip6_t *)mp->b_rptr;
5296 				if (!ip_hdr_length_nexthdr_v6(mp, ip6h,
5297 				    &ip6_hdr_length, &v6_proto_p)) {
5298 					ip_drop_packet_chain(mp, B_FALSE, NULL,
5299 					    DROPPER(ipss,
5300 					    ipds_spd_malformed_packet),
5301 					    &ipss->ipsec_spd_dropper);
5302 					return (NULL);
5303 				}
5304 				hdr_len = ip6_hdr_length;
5305 			}
5306 			outer_hdr_len = hdr_len;
5307 
5308 			if (sel.ips_isv4) {
5309 				if (iph == NULL) {
5310 					/* Was v6 outer */
5311 					iph = (ipha_t *)(mp->b_rptr + hdr_len);
5312 				}
5313 				inner_ipv4 = iph;
5314 				sel.ips_local_addr_v4 = inner_ipv4->ipha_src;
5315 				sel.ips_remote_addr_v4 = inner_ipv4->ipha_dst;
5316 				sel.ips_protocol =
5317 				    (uint8_t)inner_ipv4->ipha_protocol;
5318 			} else {
5319 				inner_ipv6 = (ip6_t *)(mp->b_rptr +
5320 				    hdr_len);
5321 				sel.ips_local_addr_v6 = inner_ipv6->ip6_src;
5322 				sel.ips_remote_addr_v6 = inner_ipv6->ip6_dst;
5323 				if (!ip_hdr_length_nexthdr_v6(mp,
5324 				    inner_ipv6, &ip6_hdr_length, &v6_proto_p)) {
5325 					ip_drop_packet_chain(mp, B_FALSE, NULL,
5326 					    DROPPER(ipss,
5327 					    ipds_spd_malformed_frag),
5328 					    &ipss->ipsec_spd_dropper);
5329 					return (NULL);
5330 				}
5331 				v6_proto = *v6_proto_p;
5332 				sel.ips_protocol = v6_proto;
5333 #ifdef FRAGCACHE_DEBUG
5334 				cmn_err(CE_WARN, "v6_sel.ips_protocol = %d\n",
5335 				    sel.ips_protocol);
5336 #endif
5337 			}
5338 			/* Ports are extracted below */
5339 		}
5340 
5341 		/* Get ports... */
5342 		if (!ipsec_init_outbound_ports(&sel, mp,
5343 		    inner_ipv4, inner_ipv6, outer_hdr_len, ipss)) {
5344 			/* callee did ip_drop_packet_chain() on mp. */
5345 			return (NULL);
5346 		}
5347 #ifdef FRAGCACHE_DEBUG
5348 		if (inner_ipv4 != NULL)
5349 			cmn_err(CE_WARN,
5350 			    "(v4) sel.ips_protocol = %d, "
5351 			    "sel.ips_local_port = %d, "
5352 			    "sel.ips_remote_port = %d\n",
5353 			    sel.ips_protocol, ntohs(sel.ips_local_port),
5354 			    ntohs(sel.ips_remote_port));
5355 		if (inner_ipv6 != NULL)
5356 			cmn_err(CE_WARN,
5357 			    "(v6) sel.ips_protocol = %d, "
5358 			    "sel.ips_local_port = %d, "
5359 			    "sel.ips_remote_port = %d\n",
5360 			    sel.ips_protocol, ntohs(sel.ips_local_port),
5361 			    ntohs(sel.ips_remote_port));
5362 #endif
5363 		/* Success so far! */
5364 	}
5365 	rw_enter(&polhead->iph_lock, RW_READER);
5366 	pol = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_OUTBOUND, &sel);
5367 	rw_exit(&polhead->iph_lock);
5368 	if (pol == NULL) {
5369 		/*
5370 		 * No matching policy on this tunnel, drop the packet.
5371 		 *
5372 		 * NOTE:  Tunnel-mode tunnels are different from the
5373 		 * IP global transport mode policy head.  For a tunnel-mode
5374 		 * tunnel, we drop the packet in lieu of passing it
5375 		 * along accepted the way a global-policy miss would.
5376 		 *
5377 		 * NOTE2:  "negotiate transport" tunnels should match ALL
5378 		 * inbound packets, but we do not uncomment the ASSERT()
5379 		 * below because if/when we open PF_POLICY, a user can
5380 		 * shoot him/her-self in the foot with a 0 priority.
5381 		 */
5382 
5383 		/* ASSERT(itp->itp_flags & ITPF_P_TUNNEL); */
5384 #ifdef FRAGCACHE_DEBUG
5385 		cmn_err(CE_WARN, "ipsec_tun_outbound(): No matching tunnel "
5386 		    "per-port policy\n");
5387 #endif
5388 		ip_drop_packet_chain(mp, B_FALSE, NULL,
5389 		    DROPPER(ipss, ipds_spd_explicit),
5390 		    &ipss->ipsec_spd_dropper);
5391 		return (NULL);
5392 	}
5393 
5394 #ifdef FRAGCACHE_DEBUG
5395 	cmn_err(CE_WARN, "Having matching tunnel per-port policy\n");
5396 #endif
5397 
5398 	/*
5399 	 * NOTE: ixa_cleanup() function will release pol references.
5400 	 */
5401 	ixa->ixa_ipsec_policy = pol;
5402 	/*
5403 	 * NOTE: There is a subtle difference between iptun_zoneid and
5404 	 * iptun_connp->conn_zoneid explained in iptun_conn_create().  When
5405 	 * interacting with the ip module, we must use conn_zoneid.
5406 	 */
5407 	ixa->ixa_zoneid = iptun->iptun_connp->conn_zoneid;
5408 
5409 	ASSERT((outer_ipv4 != NULL) ? (ixa->ixa_flags & IXAF_IS_IPV4) :
5410 	    !(ixa->ixa_flags & IXAF_IS_IPV4));
5411 	ASSERT(ixa->ixa_ipsec_policy != NULL);
5412 	ixa->ixa_flags |= IXAF_IPSEC_SECURE;
5413 
5414 	if (!(itp->itp_flags & ITPF_P_TUNNEL)) {
5415 		/* Set up transport mode for tunnelled packets. */
5416 		ixa->ixa_ipsec_proto = (inner_ipv4 != NULL) ? IPPROTO_ENCAP :
5417 		    IPPROTO_IPV6;
5418 		return (mp);
5419 	}
5420 
5421 	/* Fill in tunnel-mode goodies here. */
5422 	ixa->ixa_flags |= IXAF_IPSEC_TUNNEL;
5423 	/* XXX Do I need to fill in all of the goodies here? */
5424 	if (inner_ipv4) {
5425 		ixa->ixa_ipsec_inaf = AF_INET;
5426 		ixa->ixa_ipsec_insrc[0] =
5427 		    pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v4;
5428 		ixa->ixa_ipsec_indst[0] =
5429 		    pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v4;
5430 	} else {
5431 		ixa->ixa_ipsec_inaf = AF_INET6;
5432 		ixa->ixa_ipsec_insrc[0] =
5433 		    pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[0];
5434 		ixa->ixa_ipsec_insrc[1] =
5435 		    pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[1];
5436 		ixa->ixa_ipsec_insrc[2] =
5437 		    pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[2];
5438 		ixa->ixa_ipsec_insrc[3] =
5439 		    pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[3];
5440 		ixa->ixa_ipsec_indst[0] =
5441 		    pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[0];
5442 		ixa->ixa_ipsec_indst[1] =
5443 		    pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[1];
5444 		ixa->ixa_ipsec_indst[2] =
5445 		    pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[2];
5446 		ixa->ixa_ipsec_indst[3] =
5447 		    pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[3];
5448 	}
5449 	ixa->ixa_ipsec_insrcpfx = pol->ipsp_sel->ipsl_key.ipsl_local_pfxlen;
5450 	ixa->ixa_ipsec_indstpfx = pol->ipsp_sel->ipsl_key.ipsl_remote_pfxlen;
5451 	/* NOTE:  These are used for transport mode too. */
5452 	ixa->ixa_ipsec_src_port = pol->ipsp_sel->ipsl_key.ipsl_lport;
5453 	ixa->ixa_ipsec_dst_port = pol->ipsp_sel->ipsl_key.ipsl_rport;
5454 	ixa->ixa_ipsec_proto = pol->ipsp_sel->ipsl_key.ipsl_proto;
5455 
5456 	return (mp);
5457 }
5458 
5459 /*
5460  * NOTE: The following releases pol's reference and
5461  * calls ip_drop_packet() for me on NULL returns.
5462  */
5463 mblk_t *
5464 ipsec_check_ipsecin_policy_reasm(mblk_t *attr_mp, ipsec_policy_t *pol,
5465     ipha_t *inner_ipv4, ip6_t *inner_ipv6, uint64_t pkt_unique, netstack_t *ns)
5466 {
5467 	/* Assume attr_mp is a chain of b_next-linked ip_recv_attr mblk. */
5468 	mblk_t *data_chain = NULL, *data_tail = NULL;
5469 	mblk_t *next;
5470 	mblk_t *data_mp;
5471 	ip_recv_attr_t	iras;
5472 
5473 	while (attr_mp != NULL) {
5474 		ASSERT(ip_recv_attr_is_mblk(attr_mp));
5475 		next = attr_mp->b_next;
5476 		attr_mp->b_next = NULL;  /* No tripping asserts. */
5477 
5478 		data_mp = attr_mp->b_cont;
5479 		attr_mp->b_cont = NULL;
5480 		if (!ip_recv_attr_from_mblk(attr_mp, &iras)) {
5481 			/* The ill or ip_stack_t disappeared on us */
5482 			freemsg(data_mp);	/* ip_drop_packet?? */
5483 			ira_cleanup(&iras, B_TRUE);
5484 			goto fail;
5485 		}
5486 
5487 		/*
5488 		 * Need IPPOL_REFHOLD(pol) for extras because
5489 		 * ipsecin_policy does the refrele.
5490 		 */
5491 		IPPOL_REFHOLD(pol);
5492 
5493 		data_mp = ipsec_check_ipsecin_policy(data_mp, pol, inner_ipv4,
5494 		    inner_ipv6, pkt_unique, &iras, ns);
5495 		ira_cleanup(&iras, B_TRUE);
5496 
5497 		if (data_mp == NULL)
5498 			goto fail;
5499 
5500 		if (data_tail == NULL) {
5501 			/* First one */
5502 			data_chain = data_tail = data_mp;
5503 		} else {
5504 			data_tail->b_next = data_mp;
5505 			data_tail = data_mp;
5506 		}
5507 		attr_mp = next;
5508 	}
5509 	/*
5510 	 * One last release because either the loop bumped it up, or we never
5511 	 * called ipsec_check_ipsecin_policy().
5512 	 */
5513 	IPPOL_REFRELE(pol);
5514 
5515 	/* data_chain is ready for return to tun module. */
5516 	return (data_chain);
5517 
5518 fail:
5519 	/*
5520 	 * Need to get rid of any extra pol
5521 	 * references, and any remaining bits as well.
5522 	 */
5523 	IPPOL_REFRELE(pol);
5524 	ipsec_freemsg_chain(data_chain);
5525 	ipsec_freemsg_chain(next);	/* ipdrop stats? */
5526 	return (NULL);
5527 }
5528 
5529 /*
5530  * Return a message if the inbound packet passed an IPsec policy check.  Returns
5531  * NULL if it failed or if it is a fragment needing its friends before a
5532  * policy check can be performed.
5533  *
5534  * Expects a non-NULL data_mp, and a non-NULL polhead.
5535  * The returned mblk may be a b_next chain of packets if fragments
5536  * neeeded to be collected for a proper policy check.
5537  *
5538  * This function calls ip_drop_packet() on data_mp if need be.
5539  *
5540  * NOTE:  outer_hdr_len is signed.  If it's a negative value, the caller
5541  * is inspecting an ICMP packet.
5542  */
5543 mblk_t *
5544 ipsec_tun_inbound(ip_recv_attr_t *ira, mblk_t *data_mp, ipsec_tun_pol_t *itp,
5545     ipha_t *inner_ipv4, ip6_t *inner_ipv6, ipha_t *outer_ipv4,
5546     ip6_t *outer_ipv6, int outer_hdr_len, netstack_t *ns)
5547 {
5548 	ipsec_policy_head_t *polhead;
5549 	ipsec_selector_t sel;
5550 	ipsec_policy_t *pol;
5551 	uint16_t tmpport;
5552 	selret_t rc;
5553 	boolean_t port_policy_present, is_icmp, global_present;
5554 	in6_addr_t tmpaddr;
5555 	ipaddr_t tmp4;
5556 	uint8_t flags, *inner_hdr;
5557 	ipsec_stack_t *ipss = ns->netstack_ipsec;
5558 
5559 	sel.ips_is_icmp_inv_acq = 0;
5560 
5561 	if (outer_ipv4 != NULL) {
5562 		ASSERT(outer_ipv6 == NULL);
5563 		global_present = ipss->ipsec_inbound_v4_policy_present;
5564 	} else {
5565 		ASSERT(outer_ipv6 != NULL);
5566 		global_present = ipss->ipsec_inbound_v6_policy_present;
5567 	}
5568 
5569 	ASSERT(inner_ipv4 != NULL && inner_ipv6 == NULL ||
5570 	    inner_ipv4 == NULL && inner_ipv6 != NULL);
5571 
5572 	if (outer_hdr_len < 0) {
5573 		outer_hdr_len = (-outer_hdr_len);
5574 		is_icmp = B_TRUE;
5575 	} else {
5576 		is_icmp = B_FALSE;
5577 	}
5578 
5579 	if (itp != NULL && (itp->itp_flags & ITPF_P_ACTIVE)) {
5580 		mblk_t *mp = data_mp;
5581 
5582 		polhead = itp->itp_policy;
5583 		/*
5584 		 * We need to perform full Tunnel-Mode enforcement,
5585 		 * and we need to have inner-header data for such enforcement.
5586 		 *
5587 		 * See ipsec_init_inbound_sel() for the 0x80000000 on inbound
5588 		 * and on return.
5589 		 */
5590 
5591 		port_policy_present = ((itp->itp_flags &
5592 		    ITPF_P_PER_PORT_SECURITY) ? B_TRUE : B_FALSE);
5593 		/*
5594 		 * NOTE:  Even if our policy is transport mode, set the
5595 		 * SEL_TUNNEL_MODE flag so ipsec_init_inbound_sel() can
5596 		 * do the right thing w.r.t. outer headers.
5597 		 */
5598 		flags = ((port_policy_present ? SEL_PORT_POLICY : SEL_NONE) |
5599 		    (is_icmp ? SEL_IS_ICMP : SEL_NONE) | SEL_TUNNEL_MODE);
5600 
5601 		rc = ipsec_init_inbound_sel(&sel, data_mp, inner_ipv4,
5602 		    inner_ipv6, flags);
5603 
5604 		switch (rc) {
5605 		case SELRET_NOMEM:
5606 			ip_drop_packet(data_mp, B_TRUE, NULL,
5607 			    DROPPER(ipss, ipds_spd_nomem),
5608 			    &ipss->ipsec_spd_dropper);
5609 			return (NULL);
5610 		case SELRET_TUNFRAG:
5611 			/*
5612 			 * At this point, if we're cleartext, we don't want
5613 			 * to go there.
5614 			 */
5615 			if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
5616 				ip_drop_packet(data_mp, B_TRUE, NULL,
5617 				    DROPPER(ipss, ipds_spd_got_clear),
5618 				    &ipss->ipsec_spd_dropper);
5619 				return (NULL);
5620 			}
5621 
5622 			/*
5623 			 * Inner and outer headers may not be contiguous.
5624 			 * Pullup the data_mp now to satisfy assumptions of
5625 			 * ipsec_fragcache_add()
5626 			 */
5627 			if (data_mp->b_cont != NULL) {
5628 				mblk_t *nmp;
5629 
5630 				nmp = msgpullup(data_mp, -1);
5631 				if (nmp == NULL) {
5632 					ip_drop_packet(data_mp, B_TRUE, NULL,
5633 					    DROPPER(ipss, ipds_spd_nomem),
5634 					    &ipss->ipsec_spd_dropper);
5635 					return (NULL);
5636 				}
5637 				freemsg(data_mp);
5638 				data_mp = nmp;
5639 				if (outer_ipv4 != NULL)
5640 					outer_ipv4 =
5641 					    (ipha_t *)data_mp->b_rptr;
5642 				else
5643 					outer_ipv6 =
5644 					    (ip6_t *)data_mp->b_rptr;
5645 				if (inner_ipv4 != NULL) {
5646 					inner_ipv4 =
5647 					    (ipha_t *)(data_mp->b_rptr +
5648 					    outer_hdr_len);
5649 				} else {
5650 					inner_ipv6 =
5651 					    (ip6_t *)(data_mp->b_rptr +
5652 					    outer_hdr_len);
5653 				}
5654 			}
5655 
5656 			/*
5657 			 * If we need to queue the packet. First we
5658 			 * get an mblk with the attributes. ipsec_fragcache_add
5659 			 * will prepend that to the queued data and return
5660 			 * a list of b_next messages each of which starts with
5661 			 * the attribute mblk.
5662 			 */
5663 			mp = ip_recv_attr_to_mblk(ira);
5664 			if (mp == NULL) {
5665 				ip_drop_packet(data_mp, B_TRUE, NULL,
5666 				    DROPPER(ipss, ipds_spd_nomem),
5667 				    &ipss->ipsec_spd_dropper);
5668 				return (NULL);
5669 			}
5670 
5671 			mp = ipsec_fragcache_add(&itp->itp_fragcache,
5672 			    mp, data_mp, outer_hdr_len, ipss);
5673 
5674 			if (mp == NULL) {
5675 				/*
5676 				 * Data is cached, fragment chain is not
5677 				 * complete.
5678 				 */
5679 				return (NULL);
5680 			}
5681 
5682 			/*
5683 			 * If we get here, we have a full fragment chain.
5684 			 * Reacquire headers and selectors from first fragment.
5685 			 */
5686 			ASSERT(ip_recv_attr_is_mblk(mp));
5687 			data_mp = mp->b_cont;
5688 			inner_hdr = data_mp->b_rptr;
5689 			if (outer_ipv4 != NULL) {
5690 				inner_hdr += IPH_HDR_LENGTH(
5691 				    (ipha_t *)data_mp->b_rptr);
5692 			} else {
5693 				inner_hdr += ip_hdr_length_v6(data_mp,
5694 				    (ip6_t *)data_mp->b_rptr);
5695 			}
5696 			ASSERT(inner_hdr <= data_mp->b_wptr);
5697 
5698 			if (inner_ipv4 != NULL) {
5699 				inner_ipv4 = (ipha_t *)inner_hdr;
5700 				inner_ipv6 = NULL;
5701 			} else {
5702 				inner_ipv6 = (ip6_t *)inner_hdr;
5703 				inner_ipv4 = NULL;
5704 			}
5705 
5706 			/*
5707 			 * Use SEL_TUNNEL_MODE to take into account the outer
5708 			 * header.  Use SEL_POST_FRAG so we always get ports.
5709 			 */
5710 			rc = ipsec_init_inbound_sel(&sel, data_mp,
5711 			    inner_ipv4, inner_ipv6,
5712 			    SEL_TUNNEL_MODE | SEL_POST_FRAG);
5713 			switch (rc) {
5714 			case SELRET_SUCCESS:
5715 				/*
5716 				 * Get to same place as first caller's
5717 				 * SELRET_SUCCESS case.
5718 				 */
5719 				break;
5720 			case SELRET_NOMEM:
5721 				ip_drop_packet_chain(mp, B_TRUE, NULL,
5722 				    DROPPER(ipss, ipds_spd_nomem),
5723 				    &ipss->ipsec_spd_dropper);
5724 				return (NULL);
5725 			case SELRET_BADPKT:
5726 				ip_drop_packet_chain(mp, B_TRUE, NULL,
5727 				    DROPPER(ipss, ipds_spd_malformed_frag),
5728 				    &ipss->ipsec_spd_dropper);
5729 				return (NULL);
5730 			case SELRET_TUNFRAG:
5731 				cmn_err(CE_WARN, "(TUNFRAG on 2nd call...)");
5732 				/* FALLTHRU */
5733 			default:
5734 				cmn_err(CE_WARN, "ipsec_init_inbound_sel(mark2)"
5735 				    " returns bizarro 0x%x", rc);
5736 				/* Guaranteed panic! */
5737 				ASSERT(rc == SELRET_NOMEM);
5738 				return (NULL);
5739 			}
5740 			/* FALLTHRU */
5741 		case SELRET_SUCCESS:
5742 			/*
5743 			 * Common case:
5744 			 * No per-port policy or a non-fragment.  Keep going.
5745 			 */
5746 			break;
5747 		case SELRET_BADPKT:
5748 			/*
5749 			 * We may receive ICMP (with IPv6 inner) packets that
5750 			 * trigger this return value.  Send 'em in for
5751 			 * enforcement checking.
5752 			 */
5753 			cmn_err(CE_NOTE, "ipsec_tun_inbound(): "
5754 			    "sending 'bad packet' in for enforcement");
5755 			break;
5756 		default:
5757 			cmn_err(CE_WARN,
5758 			    "ipsec_init_inbound_sel() returns bizarro 0x%x",
5759 			    rc);
5760 			ASSERT(rc == SELRET_NOMEM);	/* Guaranteed panic! */
5761 			return (NULL);
5762 		}
5763 
5764 		if (is_icmp) {
5765 			/*
5766 			 * Swap local/remote because this is an ICMP packet.
5767 			 */
5768 			tmpaddr = sel.ips_local_addr_v6;
5769 			sel.ips_local_addr_v6 = sel.ips_remote_addr_v6;
5770 			sel.ips_remote_addr_v6 = tmpaddr;
5771 			tmpport = sel.ips_local_port;
5772 			sel.ips_local_port = sel.ips_remote_port;
5773 			sel.ips_remote_port = tmpport;
5774 		}
5775 
5776 		/* find_policy_head() */
5777 		rw_enter(&polhead->iph_lock, RW_READER);
5778 		pol = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_INBOUND,
5779 		    &sel);
5780 		rw_exit(&polhead->iph_lock);
5781 		if (pol != NULL) {
5782 			uint64_t pkt_unique;
5783 
5784 			if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
5785 				if (!pol->ipsp_act->ipa_allow_clear) {
5786 					/*
5787 					 * XXX should never get here with
5788 					 * tunnel reassembled fragments?
5789 					 */
5790 					ASSERT(mp == data_mp);
5791 					ip_drop_packet(data_mp, B_TRUE, NULL,
5792 					    DROPPER(ipss, ipds_spd_got_clear),
5793 					    &ipss->ipsec_spd_dropper);
5794 					IPPOL_REFRELE(pol);
5795 					return (NULL);
5796 				} else {
5797 					IPPOL_REFRELE(pol);
5798 					return (mp);
5799 				}
5800 			}
5801 			pkt_unique = SA_UNIQUE_ID(sel.ips_remote_port,
5802 			    sel.ips_local_port,
5803 			    (inner_ipv4 == NULL) ? IPPROTO_IPV6 :
5804 			    IPPROTO_ENCAP, sel.ips_protocol);
5805 
5806 			/*
5807 			 * NOTE: The following releases pol's reference and
5808 			 * calls ip_drop_packet() for me on NULL returns.
5809 			 *
5810 			 * "sel" is still good here, so let's use it!
5811 			 */
5812 			if (data_mp == mp) {
5813 				/* A single packet without attributes */
5814 				data_mp = ipsec_check_ipsecin_policy(data_mp,
5815 				    pol, inner_ipv4, inner_ipv6, pkt_unique,
5816 				    ira, ns);
5817 			} else {
5818 				/*
5819 				 * We pass in the b_next chain of attr_mp's
5820 				 * and get back a b_next chain of data_mp's.
5821 				 */
5822 				data_mp = ipsec_check_ipsecin_policy_reasm(mp,
5823 				    pol, inner_ipv4, inner_ipv6, pkt_unique,
5824 				    ns);
5825 			}
5826 			return (data_mp);
5827 		}
5828 
5829 		/*
5830 		 * Else fallthru and check the global policy on the outer
5831 		 * header(s) if this tunnel is an old-style transport-mode
5832 		 * one.  Drop the packet explicitly (no policy entry) for
5833 		 * a new-style tunnel-mode tunnel.
5834 		 */
5835 		if ((itp->itp_flags & ITPF_P_TUNNEL) && !is_icmp) {
5836 			ip_drop_packet_chain(data_mp, B_TRUE, NULL,
5837 			    DROPPER(ipss, ipds_spd_explicit),
5838 			    &ipss->ipsec_spd_dropper);
5839 			return (NULL);
5840 		}
5841 	}
5842 
5843 	/*
5844 	 * NOTE:  If we reach here, we will not have packet chains from
5845 	 * fragcache_add(), because the only way I get chains is on a
5846 	 * tunnel-mode tunnel, which either returns with a pass, or gets
5847 	 * hit by the ip_drop_packet_chain() call right above here.
5848 	 */
5849 	ASSERT(data_mp->b_next == NULL);
5850 
5851 	/* If no per-tunnel security, check global policy now. */
5852 	if ((ira->ira_flags & IRAF_IPSEC_SECURE) && !global_present) {
5853 		if (ira->ira_flags & IRAF_TRUSTED_ICMP) {
5854 			/*
5855 			 * This is an ICMP message that was geenrated locally.
5856 			 * We should accept it.
5857 			 */
5858 			return (data_mp);
5859 		}
5860 
5861 		ip_drop_packet(data_mp, B_TRUE, NULL,
5862 		    DROPPER(ipss, ipds_spd_got_secure),
5863 		    &ipss->ipsec_spd_dropper);
5864 		return (NULL);
5865 	}
5866 
5867 	if (is_icmp) {
5868 		/*
5869 		 * For ICMP packets, "outer_ipvN" is set to the outer header
5870 		 * that is *INSIDE* the ICMP payload.  For global policy
5871 		 * checking, we need to reverse src/dst on the payload in
5872 		 * order to construct selectors appropriately.  See "ripha"
5873 		 * constructions in ip.c.  To avoid a bug like 6478464 (see
5874 		 * earlier in this file), we will actually exchange src/dst
5875 		 * in the packet, and reverse if after the call to
5876 		 * ipsec_check_global_policy().
5877 		 */
5878 		if (outer_ipv4 != NULL) {
5879 			tmp4 = outer_ipv4->ipha_src;
5880 			outer_ipv4->ipha_src = outer_ipv4->ipha_dst;
5881 			outer_ipv4->ipha_dst = tmp4;
5882 		} else {
5883 			ASSERT(outer_ipv6 != NULL);
5884 			tmpaddr = outer_ipv6->ip6_src;
5885 			outer_ipv6->ip6_src = outer_ipv6->ip6_dst;
5886 			outer_ipv6->ip6_dst = tmpaddr;
5887 		}
5888 	}
5889 
5890 	data_mp = ipsec_check_global_policy(data_mp, NULL, outer_ipv4,
5891 	    outer_ipv6, ira, ns);
5892 	if (data_mp == NULL)
5893 		return (NULL);
5894 
5895 	if (is_icmp) {
5896 		/* Set things back to normal. */
5897 		if (outer_ipv4 != NULL) {
5898 			tmp4 = outer_ipv4->ipha_src;
5899 			outer_ipv4->ipha_src = outer_ipv4->ipha_dst;
5900 			outer_ipv4->ipha_dst = tmp4;
5901 		} else {
5902 			/* No need for ASSERT()s now. */
5903 			tmpaddr = outer_ipv6->ip6_src;
5904 			outer_ipv6->ip6_src = outer_ipv6->ip6_dst;
5905 			outer_ipv6->ip6_dst = tmpaddr;
5906 		}
5907 	}
5908 
5909 	/*
5910 	 * At this point, we pretend it's a cleartext accepted
5911 	 * packet.
5912 	 */
5913 	return (data_mp);
5914 }
5915 
5916 /*
5917  * AVL comparison routine for our list of tunnel polheads.
5918  */
5919 static int
5920 tunnel_compare(const void *arg1, const void *arg2)
5921 {
5922 	ipsec_tun_pol_t *left, *right;
5923 	int rc;
5924 
5925 	left = (ipsec_tun_pol_t *)arg1;
5926 	right = (ipsec_tun_pol_t *)arg2;
5927 
5928 	rc = strncmp(left->itp_name, right->itp_name, LIFNAMSIZ);
5929 	return (rc == 0 ? rc : (rc > 0 ? 1 : -1));
5930 }
5931 
5932 /*
5933  * Free a tunnel policy node.
5934  */
5935 void
5936 itp_free(ipsec_tun_pol_t *node, netstack_t *ns)
5937 {
5938 	if (node->itp_policy != NULL) {
5939 		IPPH_REFRELE(node->itp_policy, ns);
5940 		node->itp_policy = NULL;
5941 	}
5942 	if (node->itp_inactive != NULL) {
5943 		IPPH_REFRELE(node->itp_inactive, ns);
5944 		node->itp_inactive = NULL;
5945 	}
5946 	mutex_destroy(&node->itp_lock);
5947 	kmem_free(node, sizeof (*node));
5948 }
5949 
5950 void
5951 itp_unlink(ipsec_tun_pol_t *node, netstack_t *ns)
5952 {
5953 	ipsec_stack_t *ipss = ns->netstack_ipsec;
5954 
5955 	rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_WRITER);
5956 	ipss->ipsec_tunnel_policy_gen++;
5957 	ipsec_fragcache_uninit(&node->itp_fragcache, ipss);
5958 	avl_remove(&ipss->ipsec_tunnel_policies, node);
5959 	rw_exit(&ipss->ipsec_tunnel_policy_lock);
5960 	ITP_REFRELE(node, ns);
5961 }
5962 
5963 /*
5964  * Public interface to look up a tunnel security policy by name.  Used by
5965  * spdsock mostly.  Returns "node" with a bumped refcnt.
5966  */
5967 ipsec_tun_pol_t *
5968 get_tunnel_policy(char *name, netstack_t *ns)
5969 {
5970 	ipsec_tun_pol_t *node, lookup;
5971 	ipsec_stack_t *ipss = ns->netstack_ipsec;
5972 
5973 	(void) strncpy(lookup.itp_name, name, LIFNAMSIZ);
5974 
5975 	rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
5976 	node = (ipsec_tun_pol_t *)avl_find(&ipss->ipsec_tunnel_policies,
5977 	    &lookup, NULL);
5978 	if (node != NULL) {
5979 		ITP_REFHOLD(node);
5980 	}
5981 	rw_exit(&ipss->ipsec_tunnel_policy_lock);
5982 
5983 	return (node);
5984 }
5985 
5986 /*
5987  * Public interface to walk all tunnel security polcies.  Useful for spdsock
5988  * DUMP operations.  iterator() will not consume a reference.
5989  */
5990 void
5991 itp_walk(void (*iterator)(ipsec_tun_pol_t *, void *, netstack_t *),
5992     void *arg, netstack_t *ns)
5993 {
5994 	ipsec_tun_pol_t *node;
5995 	ipsec_stack_t *ipss = ns->netstack_ipsec;
5996 
5997 	rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
5998 	for (node = avl_first(&ipss->ipsec_tunnel_policies); node != NULL;
5999 	    node = AVL_NEXT(&ipss->ipsec_tunnel_policies, node)) {
6000 		iterator(node, arg, ns);
6001 	}
6002 	rw_exit(&ipss->ipsec_tunnel_policy_lock);
6003 }
6004 
6005 /*
6006  * Initialize policy head.  This can only fail if there's a memory problem.
6007  */
6008 static boolean_t
6009 tunnel_polhead_init(ipsec_policy_head_t *iph, netstack_t *ns)
6010 {
6011 	ipsec_stack_t *ipss = ns->netstack_ipsec;
6012 
6013 	rw_init(&iph->iph_lock, NULL, RW_DEFAULT, NULL);
6014 	iph->iph_refs = 1;
6015 	iph->iph_gen = 0;
6016 	if (ipsec_alloc_table(iph, ipss->ipsec_tun_spd_hashsize,
6017 	    KM_SLEEP, B_FALSE, ns) != 0) {
6018 		ipsec_polhead_free_table(iph);
6019 		return (B_FALSE);
6020 	}
6021 	ipsec_polhead_init(iph, ipss->ipsec_tun_spd_hashsize);
6022 	return (B_TRUE);
6023 }
6024 
6025 /*
6026  * Create a tunnel policy node with "name".  Set errno with
6027  * ENOMEM if there's a memory problem, and EEXIST if there's an existing
6028  * node.
6029  */
6030 ipsec_tun_pol_t *
6031 create_tunnel_policy(char *name, int *errno, uint64_t *gen, netstack_t *ns)
6032 {
6033 	ipsec_tun_pol_t *newbie, *existing;
6034 	avl_index_t where;
6035 	ipsec_stack_t *ipss = ns->netstack_ipsec;
6036 
6037 	newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP);
6038 	if (newbie == NULL) {
6039 		*errno = ENOMEM;
6040 		return (NULL);
6041 	}
6042 	if (!ipsec_fragcache_init(&newbie->itp_fragcache)) {
6043 		kmem_free(newbie, sizeof (*newbie));
6044 		*errno = ENOMEM;
6045 		return (NULL);
6046 	}
6047 
6048 	(void) strncpy(newbie->itp_name, name, LIFNAMSIZ);
6049 
6050 	rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_WRITER);
6051 	existing = (ipsec_tun_pol_t *)avl_find(&ipss->ipsec_tunnel_policies,
6052 	    newbie, &where);
6053 	if (existing != NULL) {
6054 		itp_free(newbie, ns);
6055 		*errno = EEXIST;
6056 		rw_exit(&ipss->ipsec_tunnel_policy_lock);
6057 		return (NULL);
6058 	}
6059 	ipss->ipsec_tunnel_policy_gen++;
6060 	*gen = ipss->ipsec_tunnel_policy_gen;
6061 	newbie->itp_refcnt = 2;	/* One for the caller, one for the tree. */
6062 	newbie->itp_next_policy_index = 1;
6063 	avl_insert(&ipss->ipsec_tunnel_policies, newbie, where);
6064 	mutex_init(&newbie->itp_lock, NULL, MUTEX_DEFAULT, NULL);
6065 	newbie->itp_policy = kmem_zalloc(sizeof (ipsec_policy_head_t),
6066 	    KM_NOSLEEP);
6067 	if (newbie->itp_policy == NULL)
6068 		goto nomem;
6069 	newbie->itp_inactive = kmem_zalloc(sizeof (ipsec_policy_head_t),
6070 	    KM_NOSLEEP);
6071 	if (newbie->itp_inactive == NULL) {
6072 		kmem_free(newbie->itp_policy, sizeof (ipsec_policy_head_t));
6073 		goto nomem;
6074 	}
6075 
6076 	if (!tunnel_polhead_init(newbie->itp_policy, ns)) {
6077 		kmem_free(newbie->itp_policy, sizeof (ipsec_policy_head_t));
6078 		kmem_free(newbie->itp_inactive, sizeof (ipsec_policy_head_t));
6079 		goto nomem;
6080 	} else if (!tunnel_polhead_init(newbie->itp_inactive, ns)) {
6081 		IPPH_REFRELE(newbie->itp_policy, ns);
6082 		kmem_free(newbie->itp_inactive, sizeof (ipsec_policy_head_t));
6083 		goto nomem;
6084 	}
6085 	rw_exit(&ipss->ipsec_tunnel_policy_lock);
6086 
6087 	return (newbie);
6088 nomem:
6089 	*errno = ENOMEM;
6090 	kmem_free(newbie, sizeof (*newbie));
6091 	return (NULL);
6092 }
6093 
6094 /*
6095  * Given two addresses, find a tunnel instance's IPsec policy heads.
6096  * Returns NULL on failure.
6097  */
6098 ipsec_tun_pol_t *
6099 itp_get_byaddr(uint32_t *laddr, uint32_t *faddr, int af, ip_stack_t *ipst)
6100 {
6101 	conn_t *connp;
6102 	iptun_t *iptun;
6103 	ipsec_tun_pol_t *itp = NULL;
6104 
6105 	/* Classifiers are used to "src" being foreign. */
6106 	if (af == AF_INET) {
6107 		connp = ipcl_iptun_classify_v4((ipaddr_t *)faddr,
6108 		    (ipaddr_t *)laddr, ipst);
6109 	} else {
6110 		ASSERT(af == AF_INET6);
6111 		ASSERT(!IN6_IS_ADDR_V4MAPPED((in6_addr_t *)laddr));
6112 		ASSERT(!IN6_IS_ADDR_V4MAPPED((in6_addr_t *)faddr));
6113 		connp = ipcl_iptun_classify_v6((in6_addr_t *)faddr,
6114 		    (in6_addr_t *)laddr, ipst);
6115 	}
6116 
6117 	if (connp == NULL)
6118 		return (NULL);
6119 
6120 	if (IPCL_IS_IPTUN(connp)) {
6121 		iptun = connp->conn_iptun;
6122 		if (iptun != NULL) {
6123 			itp = iptun->iptun_itp;
6124 			if (itp != NULL) {
6125 				/* Braces due to the macro's nature... */
6126 				ITP_REFHOLD(itp);
6127 			}
6128 		}  /* Else itp is already NULL. */
6129 	}
6130 
6131 	CONN_DEC_REF(connp);
6132 	return (itp);
6133 }
6134 
6135 /*
6136  * Frag cache code, based on SunScreen 3.2 source
6137  *	screen/kernel/common/screen_fragcache.c
6138  */
6139 
6140 #define	IPSEC_FRAG_TTL_MAX	5
6141 /*
6142  * Note that the following parameters create 256 hash buckets
6143  * with 1024 free entries to be distributed.  Things are cleaned
6144  * periodically and are attempted to be cleaned when there is no
6145  * free space, but this system errs on the side of dropping packets
6146  * over creating memory exhaustion.  We may decide to make hash
6147  * factor a tunable if this proves to be a bad decision.
6148  */
6149 #define	IPSEC_FRAG_HASH_SLOTS	(1<<8)
6150 #define	IPSEC_FRAG_HASH_FACTOR	4
6151 #define	IPSEC_FRAG_HASH_SIZE	(IPSEC_FRAG_HASH_SLOTS * IPSEC_FRAG_HASH_FACTOR)
6152 
6153 #define	IPSEC_FRAG_HASH_MASK		(IPSEC_FRAG_HASH_SLOTS - 1)
6154 #define	IPSEC_FRAG_HASH_FUNC(id)	(((id) & IPSEC_FRAG_HASH_MASK) ^ \
6155 					    (((id) / \
6156 					    (ushort_t)IPSEC_FRAG_HASH_SLOTS) & \
6157 					    IPSEC_FRAG_HASH_MASK))
6158 
6159 /* Maximum fragments per packet.  48 bytes payload x 1366 packets > 64KB */
6160 #define	IPSEC_MAX_FRAGS		1366
6161 
6162 #define	V4_FRAG_OFFSET(ipha) ((ntohs(ipha->ipha_fragment_offset_and_flags) & \
6163 				    IPH_OFFSET) << 3)
6164 #define	V4_MORE_FRAGS(ipha) (ntohs(ipha->ipha_fragment_offset_and_flags) & \
6165 		IPH_MF)
6166 
6167 /*
6168  * Initialize an ipsec fragcache instance.
6169  * Returns B_FALSE if memory allocation fails.
6170  */
6171 boolean_t
6172 ipsec_fragcache_init(ipsec_fragcache_t *frag)
6173 {
6174 	ipsec_fragcache_entry_t *ftemp;
6175 	int i;
6176 
6177 	mutex_init(&frag->itpf_lock, NULL, MUTEX_DEFAULT, NULL);
6178 	frag->itpf_ptr = (ipsec_fragcache_entry_t **)
6179 	    kmem_zalloc(sizeof (ipsec_fragcache_entry_t *) *
6180 	    IPSEC_FRAG_HASH_SLOTS, KM_NOSLEEP);
6181 	if (frag->itpf_ptr == NULL)
6182 		return (B_FALSE);
6183 
6184 	ftemp = (ipsec_fragcache_entry_t *)
6185 	    kmem_zalloc(sizeof (ipsec_fragcache_entry_t) *
6186 	    IPSEC_FRAG_HASH_SIZE, KM_NOSLEEP);
6187 	if (ftemp == NULL) {
6188 		kmem_free(frag->itpf_ptr, sizeof (ipsec_fragcache_entry_t *) *
6189 		    IPSEC_FRAG_HASH_SLOTS);
6190 		return (B_FALSE);
6191 	}
6192 
6193 	frag->itpf_freelist = NULL;
6194 
6195 	for (i = 0; i < IPSEC_FRAG_HASH_SIZE; i++) {
6196 		ftemp->itpfe_next = frag->itpf_freelist;
6197 		frag->itpf_freelist = ftemp;
6198 		ftemp++;
6199 	}
6200 
6201 	frag->itpf_expire_hint = 0;
6202 
6203 	return (B_TRUE);
6204 }
6205 
6206 void
6207 ipsec_fragcache_uninit(ipsec_fragcache_t *frag, ipsec_stack_t *ipss)
6208 {
6209 	ipsec_fragcache_entry_t *fep;
6210 	int i;
6211 
6212 	mutex_enter(&frag->itpf_lock);
6213 	if (frag->itpf_ptr) {
6214 		/* Delete any existing fragcache entry chains */
6215 		for (i = 0; i < IPSEC_FRAG_HASH_SLOTS; i++) {
6216 			fep = (frag->itpf_ptr)[i];
6217 			while (fep != NULL) {
6218 				/* Returned fep is next in chain or NULL */
6219 				fep = fragcache_delentry(i, fep, frag, ipss);
6220 			}
6221 		}
6222 		/*
6223 		 * Chase the pointers back to the beginning
6224 		 * of the memory allocation and then
6225 		 * get rid of the allocated freelist
6226 		 */
6227 		while (frag->itpf_freelist->itpfe_next != NULL)
6228 			frag->itpf_freelist = frag->itpf_freelist->itpfe_next;
6229 		/*
6230 		 * XXX - If we ever dynamically grow the freelist
6231 		 * then we'll have to free entries individually
6232 		 * or determine how many entries or chunks we have
6233 		 * grown since the initial allocation.
6234 		 */
6235 		kmem_free(frag->itpf_freelist,
6236 		    sizeof (ipsec_fragcache_entry_t) *
6237 		    IPSEC_FRAG_HASH_SIZE);
6238 		/* Free the fragcache structure */
6239 		kmem_free(frag->itpf_ptr,
6240 		    sizeof (ipsec_fragcache_entry_t *) *
6241 		    IPSEC_FRAG_HASH_SLOTS);
6242 	}
6243 	mutex_exit(&frag->itpf_lock);
6244 	mutex_destroy(&frag->itpf_lock);
6245 }
6246 
6247 /*
6248  * Add a fragment to the fragment cache.   Consumes mp if NULL is returned.
6249  * Returns mp if a whole fragment has been assembled, NULL otherwise
6250  * The returned mp could be a b_next chain of fragments.
6251  *
6252  * The iramp argument is set on inbound; NULL if outbound.
6253  */
6254 mblk_t *
6255 ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *iramp, mblk_t *mp,
6256     int outer_hdr_len, ipsec_stack_t *ipss)
6257 {
6258 	boolean_t is_v4;
6259 	time_t itpf_time;
6260 	ipha_t *iph;
6261 	ipha_t *oiph;
6262 	ip6_t *ip6h = NULL;
6263 	uint8_t v6_proto;
6264 	uint8_t *v6_proto_p;
6265 	uint16_t ip6_hdr_length;
6266 	ip_pkt_t ipp;
6267 	ip6_frag_t *fraghdr;
6268 	ipsec_fragcache_entry_t *fep;
6269 	int i;
6270 	mblk_t *nmp, *prevmp;
6271 	int firstbyte, lastbyte;
6272 	int offset;
6273 	int last;
6274 	boolean_t inbound = (iramp != NULL);
6275 
6276 #ifdef FRAGCACHE_DEBUG
6277 	cmn_err(CE_WARN, "Fragcache: %s\n", inbound ? "INBOUND" : "OUTBOUND");
6278 #endif
6279 	/*
6280 	 * You're on the slow path, so insure that every packet in the
6281 	 * cache is a single-mblk one.
6282 	 */
6283 	if (mp->b_cont != NULL) {
6284 		nmp = msgpullup(mp, -1);
6285 		if (nmp == NULL) {
6286 			ip_drop_packet(mp, inbound, NULL,
6287 			    DROPPER(ipss, ipds_spd_nomem),
6288 			    &ipss->ipsec_spd_dropper);
6289 			if (inbound)
6290 				(void) ip_recv_attr_free_mblk(iramp);
6291 			return (NULL);
6292 		}
6293 		freemsg(mp);
6294 		mp = nmp;
6295 	}
6296 
6297 	mutex_enter(&frag->itpf_lock);
6298 
6299 	oiph  = (ipha_t *)mp->b_rptr;
6300 	iph  = (ipha_t *)(mp->b_rptr + outer_hdr_len);
6301 
6302 	if (IPH_HDR_VERSION(iph) == IPV4_VERSION) {
6303 		is_v4 = B_TRUE;
6304 	} else {
6305 		ASSERT(IPH_HDR_VERSION(iph) == IPV6_VERSION);
6306 		ip6h = (ip6_t *)(mp->b_rptr + outer_hdr_len);
6307 
6308 		if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &ip6_hdr_length,
6309 		    &v6_proto_p)) {
6310 			/*
6311 			 * Find upper layer protocol.
6312 			 * If it fails we have a malformed packet
6313 			 */
6314 			mutex_exit(&frag->itpf_lock);
6315 			ip_drop_packet(mp, inbound, NULL,
6316 			    DROPPER(ipss, ipds_spd_malformed_packet),
6317 			    &ipss->ipsec_spd_dropper);
6318 			if (inbound)
6319 				(void) ip_recv_attr_free_mblk(iramp);
6320 			return (NULL);
6321 		} else {
6322 			v6_proto = *v6_proto_p;
6323 		}
6324 
6325 
6326 		bzero(&ipp, sizeof (ipp));
6327 		(void) ip_find_hdr_v6(mp, ip6h, B_FALSE, &ipp, NULL);
6328 		if (!(ipp.ipp_fields & IPPF_FRAGHDR)) {
6329 			/*
6330 			 * We think this is a fragment, but didn't find
6331 			 * a fragment header.  Something is wrong.
6332 			 */
6333 			mutex_exit(&frag->itpf_lock);
6334 			ip_drop_packet(mp, inbound, NULL,
6335 			    DROPPER(ipss, ipds_spd_malformed_frag),
6336 			    &ipss->ipsec_spd_dropper);
6337 			if (inbound)
6338 				(void) ip_recv_attr_free_mblk(iramp);
6339 			return (NULL);
6340 		}
6341 		fraghdr = ipp.ipp_fraghdr;
6342 		is_v4 = B_FALSE;
6343 	}
6344 
6345 	/* Anything to cleanup? */
6346 
6347 	/*
6348 	 * This cleanup call could be put in a timer loop
6349 	 * but it may actually be just as reasonable a decision to
6350 	 * leave it here.  The disadvantage is this only gets called when
6351 	 * frags are added.  The advantage is that it is not
6352 	 * susceptible to race conditions like a time-based cleanup
6353 	 * may be.
6354 	 */
6355 	itpf_time = gethrestime_sec();
6356 	if (itpf_time >= frag->itpf_expire_hint)
6357 		ipsec_fragcache_clean(frag, ipss);
6358 
6359 	/* Lookup to see if there is an existing entry */
6360 
6361 	if (is_v4)
6362 		i = IPSEC_FRAG_HASH_FUNC(iph->ipha_ident);
6363 	else
6364 		i = IPSEC_FRAG_HASH_FUNC(fraghdr->ip6f_ident);
6365 
6366 	for (fep = (frag->itpf_ptr)[i]; fep; fep = fep->itpfe_next) {
6367 		if (is_v4) {
6368 			ASSERT(iph != NULL);
6369 			if ((fep->itpfe_id == iph->ipha_ident) &&
6370 			    (fep->itpfe_src == iph->ipha_src) &&
6371 			    (fep->itpfe_dst == iph->ipha_dst) &&
6372 			    (fep->itpfe_proto == iph->ipha_protocol))
6373 				break;
6374 		} else {
6375 			ASSERT(fraghdr != NULL);
6376 			ASSERT(fep != NULL);
6377 			if ((fep->itpfe_id == fraghdr->ip6f_ident) &&
6378 			    IN6_ARE_ADDR_EQUAL(&fep->itpfe_src6,
6379 			    &ip6h->ip6_src) &&
6380 			    IN6_ARE_ADDR_EQUAL(&fep->itpfe_dst6,
6381 			    &ip6h->ip6_dst) && (fep->itpfe_proto == v6_proto))
6382 				break;
6383 		}
6384 	}
6385 
6386 	if (is_v4) {
6387 		firstbyte = V4_FRAG_OFFSET(iph);
6388 		lastbyte  = firstbyte + ntohs(iph->ipha_length) -
6389 		    IPH_HDR_LENGTH(iph);
6390 		last = (V4_MORE_FRAGS(iph) == 0);
6391 #ifdef FRAGCACHE_DEBUG
6392 		cmn_err(CE_WARN, "V4 fragcache: firstbyte = %d, lastbyte = %d, "
6393 		    "is_last_frag = %d, id = %d, mp = %p\n", firstbyte,
6394 		    lastbyte, last, iph->ipha_ident, mp);
6395 #endif
6396 	} else {
6397 		firstbyte = ntohs(fraghdr->ip6f_offlg & IP6F_OFF_MASK);
6398 		lastbyte  = firstbyte + ntohs(ip6h->ip6_plen) +
6399 		    sizeof (ip6_t) - ip6_hdr_length;
6400 		last = (fraghdr->ip6f_offlg & IP6F_MORE_FRAG) == 0;
6401 #ifdef FRAGCACHE_DEBUG
6402 		cmn_err(CE_WARN, "V6 fragcache: firstbyte = %d, lastbyte = %d, "
6403 		    "is_last_frag = %d, id = %d, fraghdr = %p, mp = %p\n",
6404 		    firstbyte, lastbyte, last, fraghdr->ip6f_ident, fraghdr,
6405 		    mp);
6406 #endif
6407 	}
6408 
6409 	/* check for bogus fragments and delete the entry */
6410 	if (firstbyte > 0 && firstbyte <= 8) {
6411 		if (fep != NULL)
6412 			(void) fragcache_delentry(i, fep, frag, ipss);
6413 		mutex_exit(&frag->itpf_lock);
6414 		ip_drop_packet(mp, inbound, NULL,
6415 		    DROPPER(ipss, ipds_spd_malformed_frag),
6416 		    &ipss->ipsec_spd_dropper);
6417 		if (inbound)
6418 			(void) ip_recv_attr_free_mblk(iramp);
6419 		return (NULL);
6420 	}
6421 
6422 	/* Not found, allocate a new entry */
6423 	if (fep == NULL) {
6424 		if (frag->itpf_freelist == NULL) {
6425 			/* see if there is some space */
6426 			ipsec_fragcache_clean(frag, ipss);
6427 			if (frag->itpf_freelist == NULL) {
6428 				mutex_exit(&frag->itpf_lock);
6429 				ip_drop_packet(mp, inbound, NULL,
6430 				    DROPPER(ipss, ipds_spd_nomem),
6431 				    &ipss->ipsec_spd_dropper);
6432 				if (inbound)
6433 					(void) ip_recv_attr_free_mblk(iramp);
6434 				return (NULL);
6435 			}
6436 		}
6437 
6438 		fep = frag->itpf_freelist;
6439 		frag->itpf_freelist = fep->itpfe_next;
6440 
6441 		if (is_v4) {
6442 			bcopy((caddr_t)&iph->ipha_src, (caddr_t)&fep->itpfe_src,
6443 			    sizeof (struct in_addr));
6444 			bcopy((caddr_t)&iph->ipha_dst, (caddr_t)&fep->itpfe_dst,
6445 			    sizeof (struct in_addr));
6446 			fep->itpfe_id = iph->ipha_ident;
6447 			fep->itpfe_proto = iph->ipha_protocol;
6448 			i = IPSEC_FRAG_HASH_FUNC(fep->itpfe_id);
6449 		} else {
6450 			bcopy((in6_addr_t *)&ip6h->ip6_src,
6451 			    (in6_addr_t *)&fep->itpfe_src6,
6452 			    sizeof (struct in6_addr));
6453 			bcopy((in6_addr_t *)&ip6h->ip6_dst,
6454 			    (in6_addr_t *)&fep->itpfe_dst6,
6455 			    sizeof (struct in6_addr));
6456 			fep->itpfe_id = fraghdr->ip6f_ident;
6457 			fep->itpfe_proto = v6_proto;
6458 			i = IPSEC_FRAG_HASH_FUNC(fep->itpfe_id);
6459 		}
6460 		itpf_time = gethrestime_sec();
6461 		fep->itpfe_exp = itpf_time + IPSEC_FRAG_TTL_MAX + 1;
6462 		fep->itpfe_last = 0;
6463 		fep->itpfe_fraglist = NULL;
6464 		fep->itpfe_depth = 0;
6465 		fep->itpfe_next = (frag->itpf_ptr)[i];
6466 		(frag->itpf_ptr)[i] = fep;
6467 
6468 		if (frag->itpf_expire_hint > fep->itpfe_exp)
6469 			frag->itpf_expire_hint = fep->itpfe_exp;
6470 
6471 	}
6472 
6473 	/* Insert it in the frag list */
6474 	/* List is in order by starting offset of fragments */
6475 
6476 	prevmp = NULL;
6477 	for (nmp = fep->itpfe_fraglist; nmp; nmp = nmp->b_next) {
6478 		ipha_t *niph;
6479 		ipha_t *oniph;
6480 		ip6_t *nip6h;
6481 		ip_pkt_t nipp;
6482 		ip6_frag_t *nfraghdr;
6483 		uint16_t nip6_hdr_length;
6484 		uint8_t *nv6_proto_p;
6485 		int nfirstbyte, nlastbyte;
6486 		char *data, *ndata;
6487 		mblk_t *ndata_mp = (inbound ? nmp->b_cont : nmp);
6488 		int hdr_len;
6489 
6490 		oniph  = (ipha_t *)mp->b_rptr;
6491 		nip6h = NULL;
6492 		niph = NULL;
6493 
6494 		/*
6495 		 * Determine outer header type and length and set
6496 		 * pointers appropriately
6497 		 */
6498 
6499 		if (IPH_HDR_VERSION(oniph) == IPV4_VERSION) {
6500 			hdr_len = ((outer_hdr_len != 0) ?
6501 			    IPH_HDR_LENGTH(oiph) : 0);
6502 			niph = (ipha_t *)(ndata_mp->b_rptr + hdr_len);
6503 		} else {
6504 			ASSERT(IPH_HDR_VERSION(oniph) == IPV6_VERSION);
6505 			ASSERT(ndata_mp->b_cont == NULL);
6506 			nip6h = (ip6_t *)ndata_mp->b_rptr;
6507 			(void) ip_hdr_length_nexthdr_v6(ndata_mp, nip6h,
6508 			    &nip6_hdr_length, &v6_proto_p);
6509 			hdr_len = ((outer_hdr_len != 0) ? nip6_hdr_length : 0);
6510 		}
6511 
6512 		/*
6513 		 * Determine inner header type and length and set
6514 		 * pointers appropriately
6515 		 */
6516 
6517 		if (is_v4) {
6518 			if (niph == NULL) {
6519 				/* Was v6 outer */
6520 				niph = (ipha_t *)(ndata_mp->b_rptr + hdr_len);
6521 			}
6522 			nfirstbyte = V4_FRAG_OFFSET(niph);
6523 			nlastbyte = nfirstbyte + ntohs(niph->ipha_length) -
6524 			    IPH_HDR_LENGTH(niph);
6525 		} else {
6526 			ASSERT(ndata_mp->b_cont == NULL);
6527 			nip6h = (ip6_t *)(ndata_mp->b_rptr + hdr_len);
6528 			if (!ip_hdr_length_nexthdr_v6(ndata_mp, nip6h,
6529 			    &nip6_hdr_length, &nv6_proto_p)) {
6530 				mutex_exit(&frag->itpf_lock);
6531 				ip_drop_packet_chain(nmp, inbound, NULL,
6532 				    DROPPER(ipss, ipds_spd_malformed_frag),
6533 				    &ipss->ipsec_spd_dropper);
6534 				ipsec_freemsg_chain(ndata_mp);
6535 				if (inbound)
6536 					(void) ip_recv_attr_free_mblk(iramp);
6537 				return (NULL);
6538 			}
6539 			bzero(&nipp, sizeof (nipp));
6540 			(void) ip_find_hdr_v6(ndata_mp, nip6h, B_FALSE, &nipp,
6541 			    NULL);
6542 			nfraghdr = nipp.ipp_fraghdr;
6543 			nfirstbyte = ntohs(nfraghdr->ip6f_offlg &
6544 			    IP6F_OFF_MASK);
6545 			nlastbyte  = nfirstbyte + ntohs(nip6h->ip6_plen) +
6546 			    sizeof (ip6_t) - nip6_hdr_length;
6547 		}
6548 
6549 		/* Check for overlapping fragments */
6550 		if (firstbyte >= nfirstbyte && firstbyte < nlastbyte) {
6551 			/*
6552 			 * Overlap Check:
6553 			 *  ~~~~---------		# Check if the newly
6554 			 * ~	ndata_mp|		# received fragment
6555 			 *  ~~~~---------		# overlaps with the
6556 			 *	 ---------~~~~~~	# current fragment.
6557 			 *	|    mp		~
6558 			 *	 ---------~~~~~~
6559 			 */
6560 			if (is_v4) {
6561 				data  = (char *)iph  + IPH_HDR_LENGTH(iph) +
6562 				    firstbyte - nfirstbyte;
6563 				ndata = (char *)niph + IPH_HDR_LENGTH(niph);
6564 			} else {
6565 				data  = (char *)ip6h  +
6566 				    nip6_hdr_length + firstbyte -
6567 				    nfirstbyte;
6568 				ndata = (char *)nip6h + nip6_hdr_length;
6569 			}
6570 			if (bcmp(data, ndata, MIN(lastbyte, nlastbyte) -
6571 			    firstbyte)) {
6572 				/* Overlapping data does not match */
6573 				(void) fragcache_delentry(i, fep, frag, ipss);
6574 				mutex_exit(&frag->itpf_lock);
6575 				ip_drop_packet(mp, inbound, NULL,
6576 				    DROPPER(ipss, ipds_spd_overlap_frag),
6577 				    &ipss->ipsec_spd_dropper);
6578 				if (inbound)
6579 					(void) ip_recv_attr_free_mblk(iramp);
6580 				return (NULL);
6581 			}
6582 			/* Part of defense for jolt2.c fragmentation attack */
6583 			if (firstbyte >= nfirstbyte && lastbyte <= nlastbyte) {
6584 				/*
6585 				 * Check for identical or subset fragments:
6586 				 *  ----------	    ~~~~--------~~~~~
6587 				 * |    nmp   | or  ~	   nmp	    ~
6588 				 *  ----------	    ~~~~--------~~~~~
6589 				 *  ----------		  ------
6590 				 * |	mp    |		 |  mp  |
6591 				 *  ----------		  ------
6592 				 */
6593 				mutex_exit(&frag->itpf_lock);
6594 				ip_drop_packet(mp, inbound, NULL,
6595 				    DROPPER(ipss, ipds_spd_evil_frag),
6596 				    &ipss->ipsec_spd_dropper);
6597 				if (inbound)
6598 					(void) ip_recv_attr_free_mblk(iramp);
6599 				return (NULL);
6600 			}
6601 
6602 		}
6603 
6604 		/* Correct location for this fragment? */
6605 		if (firstbyte <= nfirstbyte) {
6606 			/*
6607 			 * Check if the tail end of the new fragment overlaps
6608 			 * with the head of the current fragment.
6609 			 *	  --------~~~~~~~
6610 			 *	 |    nmp	~
6611 			 *	  --------~~~~~~~
6612 			 *  ~~~~~--------
6613 			 *  ~	mp	 |
6614 			 *  ~~~~~--------
6615 			 */
6616 			if (lastbyte > nfirstbyte) {
6617 				/* Fragments overlap */
6618 				data  = (char *)iph  + IPH_HDR_LENGTH(iph) +
6619 				    firstbyte - nfirstbyte;
6620 				ndata = (char *)niph + IPH_HDR_LENGTH(niph);
6621 				if (is_v4) {
6622 					data  = (char *)iph +
6623 					    IPH_HDR_LENGTH(iph) + firstbyte -
6624 					    nfirstbyte;
6625 					ndata = (char *)niph +
6626 					    IPH_HDR_LENGTH(niph);
6627 				} else {
6628 					data  = (char *)ip6h  +
6629 					    nip6_hdr_length + firstbyte -
6630 					    nfirstbyte;
6631 					ndata = (char *)nip6h + nip6_hdr_length;
6632 				}
6633 				if (bcmp(data, ndata, MIN(lastbyte, nlastbyte)
6634 				    - nfirstbyte)) {
6635 					/* Overlap mismatch */
6636 					(void) fragcache_delentry(i, fep, frag,
6637 					    ipss);
6638 					mutex_exit(&frag->itpf_lock);
6639 					ip_drop_packet(mp, inbound, NULL,
6640 					    DROPPER(ipss,
6641 					    ipds_spd_overlap_frag),
6642 					    &ipss->ipsec_spd_dropper);
6643 					if (inbound) {
6644 						(void) ip_recv_attr_free_mblk(
6645 						    iramp);
6646 					}
6647 					return (NULL);
6648 				}
6649 			}
6650 
6651 			/*
6652 			 * Fragment does not illegally overlap and can now
6653 			 * be inserted into the chain
6654 			 */
6655 			break;
6656 		}
6657 
6658 		prevmp = nmp;
6659 	}
6660 	/* Prepend the attributes before we link it in */
6661 	if (iramp != NULL) {
6662 		ASSERT(iramp->b_cont == NULL);
6663 		iramp->b_cont = mp;
6664 		mp = iramp;
6665 		iramp = NULL;
6666 	}
6667 	mp->b_next = nmp;
6668 
6669 	if (prevmp == NULL) {
6670 		fep->itpfe_fraglist = mp;
6671 	} else {
6672 		prevmp->b_next = mp;
6673 	}
6674 	if (last)
6675 		fep->itpfe_last = 1;
6676 
6677 	/* Part of defense for jolt2.c fragmentation attack */
6678 	if (++(fep->itpfe_depth) > IPSEC_MAX_FRAGS) {
6679 		(void) fragcache_delentry(i, fep, frag, ipss);
6680 		mutex_exit(&frag->itpf_lock);
6681 		if (inbound)
6682 			mp = ip_recv_attr_free_mblk(mp);
6683 
6684 		ip_drop_packet(mp, inbound, NULL,
6685 		    DROPPER(ipss, ipds_spd_max_frags),
6686 		    &ipss->ipsec_spd_dropper);
6687 		return (NULL);
6688 	}
6689 
6690 	/* Check for complete packet */
6691 
6692 	if (!fep->itpfe_last) {
6693 		mutex_exit(&frag->itpf_lock);
6694 #ifdef FRAGCACHE_DEBUG
6695 		cmn_err(CE_WARN, "Fragment cached, last not yet seen.\n");
6696 #endif
6697 		return (NULL);
6698 	}
6699 
6700 	offset = 0;
6701 	for (mp = fep->itpfe_fraglist; mp; mp = mp->b_next) {
6702 		mblk_t *data_mp = (inbound ? mp->b_cont : mp);
6703 		int hdr_len;
6704 
6705 		oiph  = (ipha_t *)data_mp->b_rptr;
6706 		ip6h = NULL;
6707 		iph = NULL;
6708 
6709 		if (IPH_HDR_VERSION(oiph) == IPV4_VERSION) {
6710 			hdr_len = ((outer_hdr_len != 0) ?
6711 			    IPH_HDR_LENGTH(oiph) : 0);
6712 			iph = (ipha_t *)(data_mp->b_rptr + hdr_len);
6713 		} else {
6714 			ASSERT(IPH_HDR_VERSION(oiph) == IPV6_VERSION);
6715 			ASSERT(data_mp->b_cont == NULL);
6716 			ip6h = (ip6_t *)data_mp->b_rptr;
6717 			(void) ip_hdr_length_nexthdr_v6(data_mp, ip6h,
6718 			    &ip6_hdr_length, &v6_proto_p);
6719 			hdr_len = ((outer_hdr_len != 0) ? ip6_hdr_length : 0);
6720 		}
6721 
6722 		/* Calculate current fragment start/end */
6723 		if (is_v4) {
6724 			if (iph == NULL) {
6725 				/* Was v6 outer */
6726 				iph = (ipha_t *)(data_mp->b_rptr + hdr_len);
6727 			}
6728 			firstbyte = V4_FRAG_OFFSET(iph);
6729 			lastbyte = firstbyte + ntohs(iph->ipha_length) -
6730 			    IPH_HDR_LENGTH(iph);
6731 		} else {
6732 			ASSERT(data_mp->b_cont == NULL);
6733 			ip6h = (ip6_t *)(data_mp->b_rptr + hdr_len);
6734 			if (!ip_hdr_length_nexthdr_v6(data_mp, ip6h,
6735 			    &ip6_hdr_length, &v6_proto_p)) {
6736 				mutex_exit(&frag->itpf_lock);
6737 				ip_drop_packet_chain(mp, inbound, NULL,
6738 				    DROPPER(ipss, ipds_spd_malformed_frag),
6739 				    &ipss->ipsec_spd_dropper);
6740 				return (NULL);
6741 			}
6742 			v6_proto = *v6_proto_p;
6743 			bzero(&ipp, sizeof (ipp));
6744 			(void) ip_find_hdr_v6(data_mp, ip6h, B_FALSE, &ipp,
6745 			    NULL);
6746 			fraghdr = ipp.ipp_fraghdr;
6747 			firstbyte = ntohs(fraghdr->ip6f_offlg &
6748 			    IP6F_OFF_MASK);
6749 			lastbyte  = firstbyte + ntohs(ip6h->ip6_plen) +
6750 			    sizeof (ip6_t) - ip6_hdr_length;
6751 		}
6752 
6753 		/*
6754 		 * If this fragment is greater than current offset,
6755 		 * we have a missing fragment so return NULL
6756 		 */
6757 		if (firstbyte > offset) {
6758 			mutex_exit(&frag->itpf_lock);
6759 #ifdef FRAGCACHE_DEBUG
6760 			/*
6761 			 * Note, this can happen when the last frag
6762 			 * gets sent through because it is smaller
6763 			 * than the MTU.  It is not necessarily an
6764 			 * error condition.
6765 			 */
6766 			cmn_err(CE_WARN, "Frag greater than offset! : "
6767 			    "missing fragment: firstbyte = %d, offset = %d, "
6768 			    "mp = %p\n", firstbyte, offset, mp);
6769 #endif
6770 			return (NULL);
6771 		}
6772 #ifdef FRAGCACHE_DEBUG
6773 		cmn_err(CE_WARN, "Frag offsets : "
6774 		    "firstbyte = %d, offset = %d, mp = %p\n",
6775 		    firstbyte, offset, mp);
6776 #endif
6777 
6778 		/*
6779 		 * If we are at the last fragment, we have the complete
6780 		 * packet, so rechain things and return it to caller
6781 		 * for processing
6782 		 */
6783 
6784 		if ((is_v4 && !V4_MORE_FRAGS(iph)) ||
6785 		    (!is_v4 && !(fraghdr->ip6f_offlg & IP6F_MORE_FRAG))) {
6786 			mp = fep->itpfe_fraglist;
6787 			fep->itpfe_fraglist = NULL;
6788 			(void) fragcache_delentry(i, fep, frag, ipss);
6789 			mutex_exit(&frag->itpf_lock);
6790 
6791 			if ((is_v4 && (firstbyte + ntohs(iph->ipha_length) >
6792 			    65535)) || (!is_v4 && (firstbyte +
6793 			    ntohs(ip6h->ip6_plen) > 65535))) {
6794 				/* It is an invalid "ping-o-death" packet */
6795 				/* Discard it */
6796 				ip_drop_packet_chain(mp, inbound, NULL,
6797 				    DROPPER(ipss, ipds_spd_evil_frag),
6798 				    &ipss->ipsec_spd_dropper);
6799 				return (NULL);
6800 			}
6801 #ifdef FRAGCACHE_DEBUG
6802 			cmn_err(CE_WARN, "Fragcache returning mp = %p, "
6803 			    "mp->b_next = %p", mp, mp->b_next);
6804 #endif
6805 			/*
6806 			 * For inbound case, mp has attrmp b_next'd chain
6807 			 * For outbound case, it is just data mp chain
6808 			 */
6809 			return (mp);
6810 		}
6811 
6812 		/*
6813 		 * Update new ending offset if this
6814 		 * fragment extends the packet
6815 		 */
6816 		if (offset < lastbyte)
6817 			offset = lastbyte;
6818 	}
6819 
6820 	mutex_exit(&frag->itpf_lock);
6821 
6822 	/* Didn't find last fragment, so return NULL */
6823 	return (NULL);
6824 }
6825 
6826 static void
6827 ipsec_fragcache_clean(ipsec_fragcache_t *frag, ipsec_stack_t *ipss)
6828 {
6829 	ipsec_fragcache_entry_t *fep;
6830 	int i;
6831 	ipsec_fragcache_entry_t *earlyfep = NULL;
6832 	time_t itpf_time;
6833 	int earlyexp;
6834 	int earlyi = 0;
6835 
6836 	ASSERT(MUTEX_HELD(&frag->itpf_lock));
6837 
6838 	itpf_time = gethrestime_sec();
6839 	earlyexp = itpf_time + 10000;
6840 
6841 	for (i = 0; i < IPSEC_FRAG_HASH_SLOTS; i++) {
6842 		fep = (frag->itpf_ptr)[i];
6843 		while (fep) {
6844 			if (fep->itpfe_exp < itpf_time) {
6845 				/* found */
6846 				fep = fragcache_delentry(i, fep, frag, ipss);
6847 			} else {
6848 				if (fep->itpfe_exp < earlyexp) {
6849 					earlyfep = fep;
6850 					earlyexp = fep->itpfe_exp;
6851 					earlyi = i;
6852 				}
6853 				fep = fep->itpfe_next;
6854 			}
6855 		}
6856 	}
6857 
6858 	frag->itpf_expire_hint = earlyexp;
6859 
6860 	/* if (!found) */
6861 	if (frag->itpf_freelist == NULL)
6862 		(void) fragcache_delentry(earlyi, earlyfep, frag, ipss);
6863 }
6864 
6865 static ipsec_fragcache_entry_t *
6866 fragcache_delentry(int slot, ipsec_fragcache_entry_t *fep,
6867     ipsec_fragcache_t *frag, ipsec_stack_t *ipss)
6868 {
6869 	ipsec_fragcache_entry_t *targp;
6870 	ipsec_fragcache_entry_t *nextp = fep->itpfe_next;
6871 
6872 	ASSERT(MUTEX_HELD(&frag->itpf_lock));
6873 
6874 	/* Free up any fragment list still in cache entry */
6875 	if (fep->itpfe_fraglist != NULL) {
6876 		ip_drop_packet_chain(fep->itpfe_fraglist,
6877 		    ip_recv_attr_is_mblk(fep->itpfe_fraglist), NULL,
6878 		    DROPPER(ipss, ipds_spd_expired_frags),
6879 		    &ipss->ipsec_spd_dropper);
6880 	}
6881 	fep->itpfe_fraglist = NULL;
6882 
6883 	targp = (frag->itpf_ptr)[slot];
6884 	ASSERT(targp != 0);
6885 
6886 	if (targp == fep) {
6887 		/* unlink from head of hash chain */
6888 		(frag->itpf_ptr)[slot] = nextp;
6889 		/* link into free list */
6890 		fep->itpfe_next = frag->itpf_freelist;
6891 		frag->itpf_freelist = fep;
6892 		return (nextp);
6893 	}
6894 
6895 	/* maybe should use double linked list to make update faster */
6896 	/* must be past front of chain */
6897 	while (targp) {
6898 		if (targp->itpfe_next == fep) {
6899 			/* unlink from hash chain */
6900 			targp->itpfe_next = nextp;
6901 			/* link into free list */
6902 			fep->itpfe_next = frag->itpf_freelist;
6903 			frag->itpf_freelist = fep;
6904 			return (nextp);
6905 		}
6906 		targp = targp->itpfe_next;
6907 		ASSERT(targp != 0);
6908 	}
6909 	/* NOTREACHED */
6910 	return (NULL);
6911 }
6912