1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
  23  * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
  24  * Copyright 2017 Joyent, Inc.
  25  */
  26 
  27 #include <sys/param.h>
  28 #include <sys/types.h>
  29 #include <sys/stream.h>
  30 #include <sys/strsubr.h>
  31 #include <sys/strsun.h>
  32 #include <sys/stropts.h>
  33 #include <sys/zone.h>
  34 #include <sys/vnode.h>
  35 #include <sys/sysmacros.h>
  36 #define _SUN_TPI_VERSION 2
  37 #include <sys/tihdr.h>
  38 #include <sys/timod.h>
  39 #include <sys/ddi.h>
  40 #include <sys/sunddi.h>
  41 #include <sys/mkdev.h>
  42 #include <sys/debug.h>
  43 #include <sys/kmem.h>
  44 #include <sys/cmn_err.h>
  45 #include <sys/suntpi.h>
  46 #include <sys/policy.h>
  47 #include <sys/dls.h>
  48 
  49 #include <sys/socket.h>
  50 #include <netinet/in.h>
  51 #include <net/pfkeyv2.h>
  52 #include <net/pfpolicy.h>
  53 
  54 #include <inet/common.h>
  55 #include <netinet/ip6.h>
  56 #include <inet/ip.h>
  57 #include <inet/ip6.h>
  58 #include <inet/mi.h>
  59 #include <inet/proto_set.h>
  60 #include <inet/nd.h>
  61 #include <inet/ip_if.h>
  62 #include <inet/optcom.h>
  63 #include <inet/ipsec_impl.h>
  64 #include <inet/spdsock.h>
  65 #include <inet/sadb.h>
  66 #include <inet/iptun.h>
  67 #include <inet/iptun/iptun_impl.h>
  68 
  69 #include <sys/isa_defs.h>
  70 
  71 #include <c2/audit.h>
  72 
  73 /*
  74  * This is a transport provider for the PF_POLICY IPsec policy
  75  * management socket, which provides a management interface into the
  76  * SPD, allowing policy rules to be added, deleted, and queried.
  77  *
  78  * This effectively replaces the old private SIOC*IPSECONFIG ioctls
  79  * with an extensible interface which will hopefully be public some
  80  * day.
  81  *
  82  * See <net/pfpolicy.h> for more details on the protocol.
  83  *
  84  * We link against drv/ip and call directly into it to manipulate the
  85  * SPD; see ipsec_impl.h for the policy data structures and spd.c for
  86  * the code which maintains them.
  87  *
  88  * The MT model of this is QPAIR with the addition of some explicit
  89  * locking to protect system-wide policy data structures.
  90  */
  91 
  92 static vmem_t *spdsock_vmem;            /* for minor numbers. */
  93 
  94 #define ALIGNED64(x) IS_P2ALIGNED((x), sizeof (uint64_t))
  95 
  96 /* Default structure copied into T_INFO_ACK messages (from rts.c...) */
  97 static struct T_info_ack spdsock_g_t_info_ack = {
  98         T_INFO_ACK,
  99         T_INFINITE,     /* TSDU_size. Maximum size messages. */
 100         T_INVALID,      /* ETSDU_size. No expedited data. */
 101         T_INVALID,      /* CDATA_size. No connect data. */
 102         T_INVALID,      /* DDATA_size. No disconnect data. */
 103         0,              /* ADDR_size. */
 104         0,              /* OPT_size. No user-settable options */
 105         64 * 1024,      /* TIDU_size. spdsock allows maximum size messages. */
 106         T_COTS,         /* SERV_type. spdsock supports connection oriented. */
 107         TS_UNBND,       /* CURRENT_state. This is set from spdsock_state. */
 108         (XPG4_1)        /* Provider flags */
 109 };
 110 
 111 /* Named Dispatch Parameter Management Structure */
 112 typedef struct spdsockparam_s {
 113         uint_t  spdsock_param_min;
 114         uint_t  spdsock_param_max;
 115         uint_t  spdsock_param_value;
 116         char *spdsock_param_name;
 117 } spdsockparam_t;
 118 
 119 /*
 120  * Table of NDD variables supported by spdsock. These are loaded into
 121  * spdsock_g_nd in spdsock_init_nd.
 122  * All of these are alterable, within the min/max values given, at run time.
 123  */
 124 static  spdsockparam_t  lcl_param_arr[] = {
 125         /* min  max     value   name */
 126         { 4096, 65536,  8192,   "spdsock_xmit_hiwat"},
 127         { 0,    65536,  1024,   "spdsock_xmit_lowat"},
 128         { 4096, 65536,  8192,   "spdsock_recv_hiwat"},
 129         { 65536, 1024*1024*1024, 256*1024,      "spdsock_max_buf"},
 130         { 0,    3,      0,      "spdsock_debug"},
 131 };
 132 #define spds_xmit_hiwat spds_params[0].spdsock_param_value
 133 #define spds_xmit_lowat spds_params[1].spdsock_param_value
 134 #define spds_recv_hiwat spds_params[2].spdsock_param_value
 135 #define spds_max_buf    spds_params[3].spdsock_param_value
 136 #define spds_debug              spds_params[4].spdsock_param_value
 137 
 138 #define ss0dbg(a)       printf a
 139 /* NOTE:  != 0 instead of > 0 so lint doesn't complain. */
 140 #define ss1dbg(spds, a) if (spds->spds_debug != 0) printf a
 141 #define ss2dbg(spds, a) if (spds->spds_debug > 1) printf a
 142 #define ss3dbg(spds, a) if (spds->spds_debug > 2) printf a
 143 
 144 #define RESET_SPDSOCK_DUMP_POLHEAD(ss, iph) { \
 145         ASSERT(RW_READ_HELD(&(iph)->iph_lock)); \
 146         (ss)->spdsock_dump_head = (iph); \
 147         (ss)->spdsock_dump_gen = (iph)->iph_gen; \
 148         (ss)->spdsock_dump_cur_type = 0; \
 149         (ss)->spdsock_dump_cur_af = IPSEC_AF_V4; \
 150         (ss)->spdsock_dump_cur_rule = NULL; \
 151         (ss)->spdsock_dump_count = 0; \
 152         (ss)->spdsock_dump_cur_chain = 0; \
 153 }
 154 
 155 static int spdsock_close(queue_t *, int, cred_t *);
 156 static int spdsock_open(queue_t *, dev_t *, int, int, cred_t *);
 157 static int spdsock_wput(queue_t *, mblk_t *);
 158 static int spdsock_wsrv(queue_t *);
 159 static int spdsock_rsrv(queue_t *);
 160 static void *spdsock_stack_init(netstackid_t stackid, netstack_t *ns);
 161 static void spdsock_stack_shutdown(netstackid_t stackid, void *arg);
 162 static void spdsock_stack_fini(netstackid_t stackid, void *arg);
 163 static void spdsock_loadcheck(void *);
 164 static void spdsock_merge_algs(spd_stack_t *);
 165 static void spdsock_flush_one(ipsec_policy_head_t *, netstack_t *);
 166 static mblk_t *spdsock_dump_next_record(spdsock_t *);
 167 static void update_iptun_policy(ipsec_tun_pol_t *);
 168 
 169 static struct module_info info = {
 170         5138, "spdsock", 1, INFPSZ, 512, 128
 171 };
 172 
 173 static struct qinit rinit = {
 174         NULL, spdsock_rsrv, spdsock_open, spdsock_close,
 175         NULL, &info
 176 };
 177 
 178 static struct qinit winit = {
 179         spdsock_wput, spdsock_wsrv, NULL, NULL, NULL, &info
 180 };
 181 
 182 struct streamtab spdsockinfo = {
 183         &rinit, &winit
 184 };
 185 
 186 /* mapping from alg type to protocol number, as per RFC 2407 */
 187 static const uint_t algproto[] = {
 188         PROTO_IPSEC_AH,
 189         PROTO_IPSEC_ESP,
 190 };
 191 
 192 #define NALGPROTOS      (sizeof (algproto) / sizeof (algproto[0]))
 193 
 194 /* mapping from kernel exec mode to spdsock exec mode */
 195 static const uint_t execmodes[] = {
 196         SPD_ALG_EXEC_MODE_SYNC,
 197         SPD_ALG_EXEC_MODE_ASYNC
 198 };
 199 
 200 #define NEXECMODES      (sizeof (execmodes) / sizeof (execmodes[0]))
 201 
 202 #define ALL_ACTIVE_POLHEADS ((ipsec_policy_head_t *)-1)
 203 #define ALL_INACTIVE_POLHEADS ((ipsec_policy_head_t *)-2)
 204 
 205 #define ITP_NAME(itp) (itp != NULL ? itp->itp_name : NULL)
 206 
 207 /* ARGSUSED */
 208 static int
 209 spdsock_param_get(
 210     queue_t     *q,
 211     mblk_t      *mp,
 212     caddr_t     cp,
 213     cred_t *cr)
 214 {
 215         spdsockparam_t  *spdsockpa = (spdsockparam_t *)cp;
 216         uint_t value;
 217         spdsock_t *ss = (spdsock_t *)q->q_ptr;
 218         spd_stack_t     *spds = ss->spdsock_spds;
 219 
 220         mutex_enter(&spds->spds_param_lock);
 221         value = spdsockpa->spdsock_param_value;
 222         mutex_exit(&spds->spds_param_lock);
 223 
 224         (void) mi_mpprintf(mp, "%u", value);
 225         return (0);
 226 }
 227 
 228 /* This routine sets an NDD variable in a spdsockparam_t structure. */
 229 /* ARGSUSED */
 230 static int
 231 spdsock_param_set(
 232     queue_t     *q,
 233     mblk_t      *mp,
 234     char *value,
 235     caddr_t     cp,
 236     cred_t *cr)
 237 {
 238         ulong_t new_value;
 239         spdsockparam_t  *spdsockpa = (spdsockparam_t *)cp;
 240         spdsock_t *ss = (spdsock_t *)q->q_ptr;
 241         spd_stack_t     *spds = ss->spdsock_spds;
 242 
 243         /* Convert the value from a string into a long integer. */
 244         if (ddi_strtoul(value, NULL, 10, &new_value) != 0)
 245                 return (EINVAL);
 246 
 247         mutex_enter(&spds->spds_param_lock);
 248         /*
 249          * Fail the request if the new value does not lie within the
 250          * required bounds.
 251          */
 252         if (new_value < spdsockpa->spdsock_param_min ||
 253             new_value > spdsockpa->spdsock_param_max) {
 254                 mutex_exit(&spds->spds_param_lock);
 255                 return (EINVAL);
 256         }
 257 
 258         /* Set the new value */
 259         spdsockpa->spdsock_param_value = new_value;
 260         mutex_exit(&spds->spds_param_lock);
 261 
 262         return (0);
 263 }
 264 
 265 /*
 266  * Initialize at module load time
 267  */
 268 boolean_t
 269 spdsock_ddi_init(void)
 270 {
 271         spdsock_max_optsize = optcom_max_optsize(
 272             spdsock_opt_obj.odb_opt_des_arr, spdsock_opt_obj.odb_opt_arr_cnt);
 273 
 274         spdsock_vmem = vmem_create("spdsock", (void *)1, MAXMIN, 1,
 275             NULL, NULL, NULL, 1, VM_SLEEP | VMC_IDENTIFIER);
 276 
 277         /*
 278          * We want to be informed each time a stack is created or
 279          * destroyed in the kernel, so we can maintain the
 280          * set of spd_stack_t's.
 281          */
 282         netstack_register(NS_SPDSOCK, spdsock_stack_init,
 283             spdsock_stack_shutdown, spdsock_stack_fini);
 284 
 285         return (B_TRUE);
 286 }
 287 
 288 /*
 289  * Walk through the param array specified registering each element with the
 290  * named dispatch handler.
 291  */
 292 static boolean_t
 293 spdsock_param_register(IDP *ndp, spdsockparam_t *ssp, int cnt)
 294 {
 295         for (; cnt-- > 0; ssp++) {
 296                 if (ssp->spdsock_param_name != NULL &&
 297                     ssp->spdsock_param_name[0]) {
 298                         if (!nd_load(ndp,
 299                             ssp->spdsock_param_name,
 300                             spdsock_param_get, spdsock_param_set,
 301                             (caddr_t)ssp)) {
 302                                 nd_free(ndp);
 303                                 return (B_FALSE);
 304                         }
 305                 }
 306         }
 307         return (B_TRUE);
 308 }
 309 
 310 /*
 311  * Initialize for each stack instance
 312  */
 313 /* ARGSUSED */
 314 static void *
 315 spdsock_stack_init(netstackid_t stackid, netstack_t *ns)
 316 {
 317         spd_stack_t     *spds;
 318         spdsockparam_t  *ssp;
 319 
 320         spds = (spd_stack_t *)kmem_zalloc(sizeof (*spds), KM_SLEEP);
 321         spds->spds_netstack = ns;
 322 
 323         ASSERT(spds->spds_g_nd == NULL);
 324 
 325         ssp = (spdsockparam_t *)kmem_alloc(sizeof (lcl_param_arr), KM_SLEEP);
 326         spds->spds_params = ssp;
 327         bcopy(lcl_param_arr, ssp, sizeof (lcl_param_arr));
 328 
 329         (void) spdsock_param_register(&spds->spds_g_nd, ssp,
 330             A_CNT(lcl_param_arr));
 331 
 332         mutex_init(&spds->spds_param_lock, NULL, MUTEX_DEFAULT, NULL);
 333         mutex_init(&spds->spds_alg_lock, NULL, MUTEX_DEFAULT, NULL);
 334 
 335         return (spds);
 336 }
 337 
 338 void
 339 spdsock_ddi_destroy(void)
 340 {
 341         vmem_destroy(spdsock_vmem);
 342 
 343         netstack_unregister(NS_SPDSOCK);
 344 }
 345 
 346 /*
 347  * Do pre-removal cleanup.
 348  */
 349 /* ARGSUSED */
 350 static void
 351 spdsock_stack_shutdown(netstackid_t stackid, void *arg)
 352 {
 353         spd_stack_t *spds = (spd_stack_t *)arg;
 354 
 355         if (spds->spds_mp_algs != NULL) {
 356                 freemsg(spds->spds_mp_algs);
 357                 spds->spds_mp_algs = NULL;
 358         }
 359 }
 360 
 361 /* ARGSUSED */
 362 static void
 363 spdsock_stack_fini(netstackid_t stackid, void *arg)
 364 {
 365         spd_stack_t *spds = (spd_stack_t *)arg;
 366 
 367         ASSERT(spds->spds_mp_algs == NULL);
 368         mutex_destroy(&spds->spds_param_lock);
 369         mutex_destroy(&spds->spds_alg_lock);
 370         nd_free(&spds->spds_g_nd);
 371         kmem_free(spds->spds_params, sizeof (lcl_param_arr));
 372         spds->spds_params = NULL;
 373 
 374         kmem_free(spds, sizeof (*spds));
 375 }
 376 
 377 /*
 378  * NOTE: large quantities of this should be shared with keysock.
 379  * Would be nice to combine some of this into a common module, but
 380  * not possible given time pressures.
 381  */
 382 
 383 /*
 384  * High-level reality checking of extensions.
 385  */
 386 /* ARGSUSED */ /* XXX */
 387 static boolean_t
 388 ext_check(spd_ext_t *ext)
 389 {
 390         spd_if_t *tunname = (spd_if_t *)ext;
 391         int i;
 392         char *idstr;
 393 
 394         if (ext->spd_ext_type == SPD_EXT_TUN_NAME) {
 395                 /* (NOTE:  Modified from SADB_EXT_IDENTITY..) */
 396 
 397                 /*
 398                  * Make sure the strings in these identities are
 399                  * null-terminated.  Let's "proactively" null-terminate the
 400                  * string at the last byte if it's not terminated sooner.
 401                  */
 402                 i = SPD_64TO8(tunname->spd_if_len) - sizeof (spd_if_t);
 403                 idstr = (char *)(tunname + 1);
 404                 while (*idstr != '\0' && i > 0) {
 405                         i--;
 406                         idstr++;
 407                 }
 408                 if (i == 0) {
 409                         /*
 410                          * I.e., if the bozo user didn't NULL-terminate the
 411                          * string...
 412                          */
 413                         idstr--;
 414                         *idstr = '\0';
 415                 }
 416         }
 417         return (B_TRUE);        /* For now... */
 418 }
 419 
 420 
 421 
 422 /* Return values for spdsock_get_ext(). */
 423 #define KGE_OK  0
 424 #define KGE_DUP 1
 425 #define KGE_UNK 2
 426 #define KGE_LEN 3
 427 #define KGE_CHK 4
 428 
 429 /*
 430  * Parse basic extension headers and return in the passed-in pointer vector.
 431  * Return values include:
 432  *
 433  *      KGE_OK  Everything's nice and parsed out.
 434  *              If there are no extensions, place NULL in extv[0].
 435  *      KGE_DUP There is a duplicate extension.
 436  *              First instance in appropriate bin.  First duplicate in
 437  *              extv[0].
 438  *      KGE_UNK Unknown extension type encountered.  extv[0] contains
 439  *              unknown header.
 440  *      KGE_LEN Extension length error.
 441  *      KGE_CHK High-level reality check failed on specific extension.
 442  *
 443  * My apologies for some of the pointer arithmetic in here.  I'm thinking
 444  * like an assembly programmer, yet trying to make the compiler happy.
 445  */
 446 static int
 447 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize)
 448 {
 449         bzero(extv, sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1));
 450 
 451         /* Use extv[0] as the "current working pointer". */
 452 
 453         extv[0] = (spd_ext_t *)(basehdr + 1);
 454 
 455         while (extv[0] < (spd_ext_t *)(((uint8_t *)basehdr) + msgsize)) {
 456                 /* Check for unknown headers. */
 457                 if (extv[0]->spd_ext_type == 0 ||
 458                     extv[0]->spd_ext_type > SPD_EXT_MAX)
 459                         return (KGE_UNK);
 460 
 461                 /*
 462                  * Check length.  Use uint64_t because extlen is in units
 463                  * of 64-bit words.  If length goes beyond the msgsize,
 464                  * return an error.  (Zero length also qualifies here.)
 465                  */
 466                 if (extv[0]->spd_ext_len == 0 ||
 467                     (void *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) >
 468                     (void *)((uint8_t *)basehdr + msgsize))
 469                         return (KGE_LEN);
 470 
 471                 /* Check for redundant headers. */
 472                 if (extv[extv[0]->spd_ext_type] != NULL)
 473                         return (KGE_DUP);
 474 
 475                 /*
 476                  * Reality check the extension if possible at the spdsock
 477                  * level.
 478                  */
 479                 if (!ext_check(extv[0]))
 480                         return (KGE_CHK);
 481 
 482                 /* If I make it here, assign the appropriate bin. */
 483                 extv[extv[0]->spd_ext_type] = extv[0];
 484 
 485                 /* Advance pointer (See above for uint64_t ptr reasoning.) */
 486                 extv[0] = (spd_ext_t *)
 487                     ((uint64_t *)extv[0] + extv[0]->spd_ext_len);
 488         }
 489 
 490         /* Everything's cool. */
 491 
 492         /*
 493          * If extv[0] == NULL, then there are no extension headers in this
 494          * message.  Ensure that this is the case.
 495          */
 496         if (extv[0] == (spd_ext_t *)(basehdr + 1))
 497                 extv[0] = NULL;
 498 
 499         return (KGE_OK);
 500 }
 501 
 502 static const int bad_ext_diag[] = {
 503         SPD_DIAGNOSTIC_MALFORMED_LCLPORT,
 504         SPD_DIAGNOSTIC_MALFORMED_REMPORT,
 505         SPD_DIAGNOSTIC_MALFORMED_PROTO,
 506         SPD_DIAGNOSTIC_MALFORMED_LCLADDR,
 507         SPD_DIAGNOSTIC_MALFORMED_REMADDR,
 508         SPD_DIAGNOSTIC_MALFORMED_ACTION,
 509         SPD_DIAGNOSTIC_MALFORMED_RULE,
 510         SPD_DIAGNOSTIC_MALFORMED_RULESET,
 511         SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE
 512 };
 513 
 514 static const int dup_ext_diag[] = {
 515         SPD_DIAGNOSTIC_DUPLICATE_LCLPORT,
 516         SPD_DIAGNOSTIC_DUPLICATE_REMPORT,
 517         SPD_DIAGNOSTIC_DUPLICATE_PROTO,
 518         SPD_DIAGNOSTIC_DUPLICATE_LCLADDR,
 519         SPD_DIAGNOSTIC_DUPLICATE_REMADDR,
 520         SPD_DIAGNOSTIC_DUPLICATE_ACTION,
 521         SPD_DIAGNOSTIC_DUPLICATE_RULE,
 522         SPD_DIAGNOSTIC_DUPLICATE_RULESET,
 523         SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE
 524 };
 525 
 526 /*
 527  * Transmit a PF_POLICY error message to the instance either pointed to
 528  * by ks, the instance with serial number serial, or more, depending.
 529  *
 530  * The faulty message (or a reasonable facsimile thereof) is in mp.
 531  * This function will free mp or recycle it for delivery, thereby causing
 532  * the stream head to free it.
 533  */
 534 static void
 535 spdsock_error(queue_t *q, mblk_t *mp, int error, int diagnostic)
 536 {
 537         spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
 538 
 539         ASSERT(mp->b_datap->db_type == M_DATA);
 540 
 541         if (spmsg->spd_msg_type < SPD_MIN ||
 542             spmsg->spd_msg_type > SPD_MAX)
 543                 spmsg->spd_msg_type = SPD_RESERVED;
 544 
 545         /*
 546          * Strip out extension headers.
 547          */
 548         ASSERT(mp->b_rptr + sizeof (*spmsg) <= mp->b_datap->db_lim);
 549         mp->b_wptr = mp->b_rptr + sizeof (*spmsg);
 550         spmsg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t));
 551         spmsg->spd_msg_errno = (uint8_t)error;
 552         spmsg->spd_msg_diagnostic = (uint16_t)diagnostic;
 553 
 554         qreply(q, mp);
 555 }
 556 
 557 static void
 558 spdsock_diag(queue_t *q, mblk_t *mp, int diagnostic)
 559 {
 560         spdsock_error(q, mp, EINVAL, diagnostic);
 561 }
 562 
 563 static void
 564 spd_echo(queue_t *q, mblk_t *mp)
 565 {
 566         qreply(q, mp);
 567 }
 568 
 569 /*
 570  * Do NOT consume a reference to itp.
 571  */
 572 /*ARGSUSED*/
 573 static void
 574 spdsock_flush_node(ipsec_tun_pol_t *itp, void *cookie, netstack_t *ns)
 575 {
 576         boolean_t active = (boolean_t)cookie;
 577         ipsec_policy_head_t *iph;
 578 
 579         iph = active ? itp->itp_policy : itp->itp_inactive;
 580         IPPH_REFHOLD(iph);
 581         mutex_enter(&itp->itp_lock);
 582         spdsock_flush_one(iph, ns);  /* Releases iph refhold. */
 583         if (active)
 584                 itp->itp_flags &= ~ITPF_PFLAGS;
 585         else
 586                 itp->itp_flags &= ~ITPF_IFLAGS;
 587         mutex_exit(&itp->itp_lock);
 588         /* SPD_FLUSH is worth a tunnel MTU check. */
 589         update_iptun_policy(itp);
 590 }
 591 
 592 /*
 593  * Clear out one polhead.
 594  */
 595 static void
 596 spdsock_flush_one(ipsec_policy_head_t *iph, netstack_t *ns)
 597 {
 598         rw_enter(&iph->iph_lock, RW_WRITER);
 599         ipsec_polhead_flush(iph, ns);
 600         rw_exit(&iph->iph_lock);
 601         IPPH_REFRELE(iph, ns);
 602 }
 603 
 604 static void
 605 spdsock_flush(queue_t *q, ipsec_policy_head_t *iph, ipsec_tun_pol_t *itp,
 606     mblk_t *mp)
 607 {
 608         boolean_t active;
 609         spdsock_t *ss = (spdsock_t *)q->q_ptr;
 610         netstack_t *ns = ss->spdsock_spds->spds_netstack;
 611         uint32_t auditing = AU_AUDITING();
 612 
 613         if (iph != ALL_ACTIVE_POLHEADS && iph != ALL_INACTIVE_POLHEADS) {
 614                 spdsock_flush_one(iph, ns);
 615                 if (auditing) {
 616                         spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
 617                         cred_t *cr;
 618                         pid_t cpid;
 619 
 620                         cr = msg_getcred(mp, &cpid);
 621                         active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
 622                         audit_pf_policy(SPD_FLUSH, cr, ns,
 623                             ITP_NAME(itp), active, 0, cpid);
 624                 }
 625         } else {
 626                 active = (iph == ALL_ACTIVE_POLHEADS);
 627 
 628                 /* First flush the global policy. */
 629                 spdsock_flush_one(active ? ipsec_system_policy(ns) :
 630                     ipsec_inactive_policy(ns), ns);
 631                 if (auditing) {
 632                         cred_t *cr;
 633                         pid_t cpid;
 634 
 635                         cr = msg_getcred(mp, &cpid);
 636                         audit_pf_policy(SPD_FLUSH, cr, ns, NULL,
 637                             active, 0, cpid);
 638                 }
 639                 /* Then flush every tunnel's appropriate one. */
 640                 itp_walk(spdsock_flush_node, (void *)active, ns);
 641                 if (auditing) {
 642                         cred_t *cr;
 643                         pid_t cpid;
 644 
 645                         cr = msg_getcred(mp, &cpid);
 646                         audit_pf_policy(SPD_FLUSH, cr, ns,
 647                             "all tunnels", active, 0, cpid);
 648                 }
 649         }
 650 
 651         spd_echo(q, mp);
 652 }
 653 
 654 static boolean_t
 655 spdsock_ext_to_sel(spd_ext_t **extv, ipsec_selkey_t *sel, int *diag)
 656 {
 657         bzero(sel, sizeof (*sel));
 658 
 659         if (extv[SPD_EXT_PROTO] != NULL) {
 660                 struct spd_proto *pr =
 661                     (struct spd_proto *)extv[SPD_EXT_PROTO];
 662                 sel->ipsl_proto = pr->spd_proto_number;
 663                 sel->ipsl_valid |= IPSL_PROTOCOL;
 664         }
 665         if (extv[SPD_EXT_LCLPORT] != NULL) {
 666                 struct spd_portrange *pr =
 667                     (struct spd_portrange *)extv[SPD_EXT_LCLPORT];
 668                 sel->ipsl_lport = pr->spd_ports_minport;
 669                 sel->ipsl_valid |= IPSL_LOCAL_PORT;
 670         }
 671         if (extv[SPD_EXT_REMPORT] != NULL) {
 672                 struct spd_portrange *pr =
 673                     (struct spd_portrange *)extv[SPD_EXT_REMPORT];
 674                 sel->ipsl_rport = pr->spd_ports_minport;
 675                 sel->ipsl_valid |= IPSL_REMOTE_PORT;
 676         }
 677 
 678         if (extv[SPD_EXT_ICMP_TYPECODE] != NULL) {
 679                 struct spd_typecode *tc=
 680                     (struct spd_typecode *)extv[SPD_EXT_ICMP_TYPECODE];
 681 
 682                 sel->ipsl_valid |= IPSL_ICMP_TYPE;
 683                 sel->ipsl_icmp_type = tc->spd_typecode_type;
 684                 if (tc->spd_typecode_type_end < tc->spd_typecode_type)
 685                         sel->ipsl_icmp_type_end = tc->spd_typecode_type;
 686                 else
 687                         sel->ipsl_icmp_type_end = tc->spd_typecode_type_end;
 688 
 689                 if (tc->spd_typecode_code != 255) {
 690                         sel->ipsl_valid |= IPSL_ICMP_CODE;
 691                         sel->ipsl_icmp_code = tc->spd_typecode_code;
 692                         if (tc->spd_typecode_code_end < tc->spd_typecode_code)
 693                                 sel->ipsl_icmp_code_end = tc->spd_typecode_code;
 694                         else
 695                                 sel->ipsl_icmp_code_end =
 696                                     tc->spd_typecode_code_end;
 697                 }
 698         }
 699 #define ADDR2SEL(sel, extv, field, pfield, extn, bit)                   \
 700         if ((extv)[(extn)] != NULL) {                                   \
 701                 uint_t addrlen;                                         \
 702                 struct spd_address *ap =                                \
 703                         (struct spd_address *)((extv)[(extn)]);         \
 704                 addrlen = (ap->spd_address_af == AF_INET6) ?         \
 705                         IPV6_ADDR_LEN : IP_ADDR_LEN;                    \
 706                 if (SPD_64TO8(ap->spd_address_len) <                      \
 707                         (addrlen + sizeof (*ap))) {                     \
 708                         *diag = SPD_DIAGNOSTIC_BAD_ADDR_LEN;            \
 709                         return (B_FALSE);                               \
 710                 }                                                       \
 711                 bcopy((ap+1), &((sel)->field), addrlen);         \
 712                 (sel)->pfield = ap->spd_address_prefixlen;                \
 713                 (sel)->ipsl_valid |= (bit);                          \
 714                 (sel)->ipsl_valid |= (ap->spd_address_af == AF_INET6) ?   \
 715                         IPSL_IPV6 : IPSL_IPV4;                          \
 716         }
 717 
 718         ADDR2SEL(sel, extv, ipsl_local, ipsl_local_pfxlen,
 719             SPD_EXT_LCLADDR, IPSL_LOCAL_ADDR);
 720         ADDR2SEL(sel, extv, ipsl_remote, ipsl_remote_pfxlen,
 721             SPD_EXT_REMADDR, IPSL_REMOTE_ADDR);
 722 
 723         if ((sel->ipsl_valid & (IPSL_IPV6|IPSL_IPV4)) ==
 724             (IPSL_IPV6|IPSL_IPV4)) {
 725                 *diag = SPD_DIAGNOSTIC_MIXED_AF;
 726                 return (B_FALSE);
 727         }
 728 
 729 #undef ADDR2SEL
 730 
 731         return (B_TRUE);
 732 }
 733 
 734 static boolean_t
 735 spd_convert_type(uint32_t type, ipsec_act_t *act)
 736 {
 737         switch (type) {
 738         case SPD_ACTTYPE_DROP:
 739                 act->ipa_type = IPSEC_ACT_DISCARD;
 740                 return (B_TRUE);
 741 
 742         case SPD_ACTTYPE_PASS:
 743                 act->ipa_type = IPSEC_ACT_CLEAR;
 744                 return (B_TRUE);
 745 
 746         case SPD_ACTTYPE_IPSEC:
 747                 act->ipa_type = IPSEC_ACT_APPLY;
 748                 return (B_TRUE);
 749         }
 750         return (B_FALSE);
 751 }
 752 
 753 static boolean_t
 754 spd_convert_flags(uint32_t flags, ipsec_act_t *act)
 755 {
 756         /*
 757          * Note use of !! for boolean canonicalization.
 758          */
 759         act->ipa_apply.ipp_use_ah = !!(flags & SPD_APPLY_AH);
 760         act->ipa_apply.ipp_use_esp = !!(flags & SPD_APPLY_ESP);
 761         act->ipa_apply.ipp_use_espa = !!(flags & SPD_APPLY_ESPA);
 762         act->ipa_apply.ipp_use_se = !!(flags & SPD_APPLY_SE);
 763         act->ipa_apply.ipp_use_unique = !!(flags & SPD_APPLY_UNIQUE);
 764         return (B_TRUE);
 765 }
 766 
 767 static void
 768 spdsock_reset_act(ipsec_act_t *act)
 769 {
 770         bzero(act, sizeof (*act));
 771         act->ipa_apply.ipp_espe_maxbits = IPSEC_MAX_KEYBITS;
 772         act->ipa_apply.ipp_espa_maxbits = IPSEC_MAX_KEYBITS;
 773         act->ipa_apply.ipp_ah_maxbits = IPSEC_MAX_KEYBITS;
 774 }
 775 
 776 /*
 777  * Sanity check action against reality, and shrink-wrap key sizes..
 778  */
 779 static boolean_t
 780 spdsock_check_action(ipsec_act_t *act, boolean_t tunnel_polhead, int *diag,
 781     spd_stack_t *spds)
 782 {
 783         if (tunnel_polhead && act->ipa_apply.ipp_use_unique) {
 784                 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
 785                 return (B_FALSE);
 786         }
 787         if ((act->ipa_type != IPSEC_ACT_APPLY) &&
 788             (act->ipa_apply.ipp_use_ah ||
 789             act->ipa_apply.ipp_use_esp ||
 790             act->ipa_apply.ipp_use_espa ||
 791             act->ipa_apply.ipp_use_se ||
 792             act->ipa_apply.ipp_use_unique)) {
 793                 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
 794                 return (B_FALSE);
 795         }
 796         if ((act->ipa_type == IPSEC_ACT_APPLY) &&
 797             !act->ipa_apply.ipp_use_ah &&
 798             !act->ipa_apply.ipp_use_esp) {
 799                 *diag = SPD_DIAGNOSTIC_ADD_INCON_FLAGS;
 800                 return (B_FALSE);
 801         }
 802         return (ipsec_check_action(act, diag, spds->spds_netstack));
 803 }
 804 
 805 /*
 806  * We may be short a few error checks here..
 807  */
 808 static boolean_t
 809 spdsock_ext_to_actvec(spd_ext_t **extv, ipsec_act_t **actpp, uint_t *nactp,
 810     int *diag, spd_stack_t *spds)
 811 {
 812         struct spd_ext_actions *sactp =
 813             (struct spd_ext_actions *)extv[SPD_EXT_ACTION];
 814         ipsec_act_t act, *actp, *endactp;
 815         struct spd_attribute *attrp, *endattrp;
 816         uint64_t *endp;
 817         int nact;
 818         boolean_t tunnel_polhead;
 819 
 820         tunnel_polhead = (extv[SPD_EXT_TUN_NAME] != NULL &&
 821             (((struct spd_rule *)extv[SPD_EXT_RULE])->spd_rule_flags &
 822             SPD_RULE_FLAG_TUNNEL));
 823 
 824         *actpp = NULL;
 825         *nactp = 0;
 826 
 827         if (sactp == NULL) {
 828                 *diag = SPD_DIAGNOSTIC_NO_ACTION_EXT;
 829                 return (B_FALSE);
 830         }
 831 
 832         /*
 833          * Parse the "action" extension and convert into an action chain.
 834          */
 835 
 836         nact = sactp->spd_actions_count;
 837 
 838         endp = (uint64_t *)sactp;
 839         endp += sactp->spd_actions_len;
 840         endattrp = (struct spd_attribute *)endp;
 841 
 842         actp = kmem_alloc(sizeof (*actp) * nact, KM_NOSLEEP);
 843         if (actp == NULL) {
 844                 *diag = SPD_DIAGNOSTIC_ADD_NO_MEM;
 845                 return (B_FALSE);
 846         }
 847         *actpp = actp;
 848         *nactp = nact;
 849         endactp = actp + nact;
 850 
 851         spdsock_reset_act(&act);
 852         attrp = (struct spd_attribute *)(&sactp[1]);
 853 
 854         for (; attrp < endattrp; attrp++) {
 855                 switch (attrp->spd_attr_tag) {
 856                 case SPD_ATTR_NOP:
 857                         break;
 858 
 859                 case SPD_ATTR_EMPTY:
 860                         spdsock_reset_act(&act);
 861                         break;
 862 
 863                 case SPD_ATTR_END:
 864                         attrp = endattrp;
 865                         /* FALLTHRU */
 866                 case SPD_ATTR_NEXT:
 867                         if (actp >= endactp) {
 868                                 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT;
 869                                 goto fail;
 870                         }
 871                         if (!spdsock_check_action(&act, tunnel_polhead,
 872                             diag, spds))
 873                                 goto fail;
 874                         *actp++ = act;
 875                         spdsock_reset_act(&act);
 876                         break;
 877 
 878                 case SPD_ATTR_TYPE:
 879                         if (!spd_convert_type(attrp->spd_attr_value, &act)) {
 880                                 *diag = SPD_DIAGNOSTIC_ADD_BAD_TYPE;
 881                                 goto fail;
 882                         }
 883                         break;
 884 
 885                 case SPD_ATTR_FLAGS:
 886                         if (!tunnel_polhead && extv[SPD_EXT_TUN_NAME] != NULL) {
 887                                 /*
 888                                  * Set "sa unique" for transport-mode
 889                                  * tunnels whether we want to or not.
 890                                  */
 891                                 attrp->spd_attr_value |= SPD_APPLY_UNIQUE;
 892                         }
 893                         if (!spd_convert_flags(attrp->spd_attr_value, &act)) {
 894                                 *diag = SPD_DIAGNOSTIC_ADD_BAD_FLAGS;
 895                                 goto fail;
 896                         }
 897                         break;
 898 
 899                 case SPD_ATTR_AH_AUTH:
 900                         if (attrp->spd_attr_value == 0) {
 901                                 *diag = SPD_DIAGNOSTIC_UNSUPP_AH_ALG;
 902                                 goto fail;
 903                         }
 904                         act.ipa_apply.ipp_auth_alg = attrp->spd_attr_value;
 905                         break;
 906 
 907                 case SPD_ATTR_ESP_ENCR:
 908                         if (attrp->spd_attr_value == 0) {
 909                                 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG;
 910                                 goto fail;
 911                         }
 912                         act.ipa_apply.ipp_encr_alg = attrp->spd_attr_value;
 913                         break;
 914 
 915                 case SPD_ATTR_ESP_AUTH:
 916                         if (attrp->spd_attr_value == 0) {
 917                                 *diag = SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG;
 918                                 goto fail;
 919                         }
 920                         act.ipa_apply.ipp_esp_auth_alg = attrp->spd_attr_value;
 921                         break;
 922 
 923                 case SPD_ATTR_ENCR_MINBITS:
 924                         act.ipa_apply.ipp_espe_minbits = attrp->spd_attr_value;
 925                         break;
 926 
 927                 case SPD_ATTR_ENCR_MAXBITS:
 928                         act.ipa_apply.ipp_espe_maxbits = attrp->spd_attr_value;
 929                         break;
 930 
 931                 case SPD_ATTR_AH_MINBITS:
 932                         act.ipa_apply.ipp_ah_minbits = attrp->spd_attr_value;
 933                         break;
 934 
 935                 case SPD_ATTR_AH_MAXBITS:
 936                         act.ipa_apply.ipp_ah_maxbits = attrp->spd_attr_value;
 937                         break;
 938 
 939                 case SPD_ATTR_ESPA_MINBITS:
 940                         act.ipa_apply.ipp_espa_minbits = attrp->spd_attr_value;
 941                         break;
 942 
 943                 case SPD_ATTR_ESPA_MAXBITS:
 944                         act.ipa_apply.ipp_espa_maxbits = attrp->spd_attr_value;
 945                         break;
 946 
 947                 case SPD_ATTR_LIFE_SOFT_TIME:
 948                 case SPD_ATTR_LIFE_HARD_TIME:
 949                 case SPD_ATTR_LIFE_SOFT_BYTES:
 950                 case SPD_ATTR_LIFE_HARD_BYTES:
 951                         break;
 952 
 953                 case SPD_ATTR_KM_PROTO:
 954                         act.ipa_apply.ipp_km_proto = attrp->spd_attr_value;
 955                         break;
 956 
 957                 case SPD_ATTR_KM_COOKIE:
 958                         act.ipa_apply.ipp_km_cookie = attrp->spd_attr_value;
 959                         break;
 960 
 961                 case SPD_ATTR_REPLAY_DEPTH:
 962                         act.ipa_apply.ipp_replay_depth = attrp->spd_attr_value;
 963                         break;
 964                 }
 965         }
 966         if (actp != endactp) {
 967                 *diag = SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT;
 968                 goto fail;
 969         }
 970 
 971         return (B_TRUE);
 972 fail:
 973         ipsec_actvec_free(*actpp, nact);
 974         *actpp = NULL;
 975         return (B_FALSE);
 976 }
 977 
 978 typedef struct
 979 {
 980         ipsec_policy_t *pol;
 981         int dir;
 982 } tmprule_t;
 983 
 984 static int
 985 mkrule(ipsec_policy_head_t *iph, struct spd_rule *rule,
 986     ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t af,
 987     tmprule_t **rp, uint64_t *index, spd_stack_t *spds)
 988 {
 989         ipsec_policy_t *pol;
 990 
 991         sel->ipsl_valid &= ~(IPSL_IPV6|IPSL_IPV4);
 992         sel->ipsl_valid |= af;
 993 
 994         pol = ipsec_policy_create(sel, actp, nact, rule->spd_rule_priority,
 995             index, spds->spds_netstack);
 996         if (pol == NULL)
 997                 return (ENOMEM);
 998 
 999         (*rp)->pol = pol;
1000         (*rp)->dir = dir;
1001         (*rp)++;
1002 
1003         if (!ipsec_check_policy(iph, pol, dir))
1004                 return (EEXIST);
1005 
1006         rule->spd_rule_index = pol->ipsp_index;
1007         return (0);
1008 }
1009 
1010 static int
1011 mkrulepair(ipsec_policy_head_t *iph, struct spd_rule *rule,
1012     ipsec_selkey_t *sel, ipsec_act_t *actp, int nact, uint_t dir, uint_t afs,
1013     tmprule_t **rp, uint64_t *index, spd_stack_t *spds)
1014 {
1015         int error;
1016 
1017         if (afs & IPSL_IPV4) {
1018                 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV4, rp,
1019                     index, spds);
1020                 if (error != 0)
1021                         return (error);
1022         }
1023         if (afs & IPSL_IPV6) {
1024                 error = mkrule(iph, rule, sel, actp, nact, dir, IPSL_IPV6, rp,
1025                     index, spds);
1026                 if (error != 0)
1027                         return (error);
1028         }
1029         return (0);
1030 }
1031 
1032 
1033 static void
1034 spdsock_addrule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1035     spd_ext_t **extv, ipsec_tun_pol_t *itp)
1036 {
1037         ipsec_selkey_t sel;
1038         ipsec_act_t *actp;
1039         uint_t nact;
1040         int diag = 0, error, afs;
1041         struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE];
1042         tmprule_t rules[4], *rulep = &rules[0];
1043         boolean_t tunnel_mode, empty_itp, active;
1044         uint64_t *index = (itp == NULL) ? NULL : &itp->itp_next_policy_index;
1045         spdsock_t *ss = (spdsock_t *)q->q_ptr;
1046         spd_stack_t *spds = ss->spdsock_spds;
1047         uint32_t auditing = AU_AUDITING();
1048 
1049         if (rule == NULL) {
1050                 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT);
1051                 if (auditing) {
1052                         spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1053                         cred_t *cr;
1054                         pid_t cpid;
1055 
1056                         cr = msg_getcred(mp, &cpid);
1057                         active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1058                         audit_pf_policy(SPD_ADDRULE, cr,
1059                             spds->spds_netstack, ITP_NAME(itp), active,
1060                             SPD_DIAGNOSTIC_NO_RULE_EXT, cpid);
1061                 }
1062                 return;
1063         }
1064 
1065         tunnel_mode = (rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL);
1066 
1067         if (itp != NULL) {
1068                 mutex_enter(&itp->itp_lock);
1069                 ASSERT(itp->itp_policy == iph || itp->itp_inactive == iph);
1070                 active = (itp->itp_policy == iph);
1071                 if (ITP_P_ISACTIVE(itp, iph)) {
1072                         /* Check for mix-and-match of tunnel/transport. */
1073                         if ((tunnel_mode && !ITP_P_ISTUNNEL(itp, iph)) ||
1074                             (!tunnel_mode && ITP_P_ISTUNNEL(itp, iph))) {
1075                                 mutex_exit(&itp->itp_lock);
1076                                 spdsock_error(q, mp, EBUSY, 0);
1077                                 return;
1078                         }
1079                         empty_itp = B_FALSE;
1080                 } else {
1081                         empty_itp = B_TRUE;
1082                         itp->itp_flags = active ? ITPF_P_ACTIVE : ITPF_I_ACTIVE;
1083                         if (tunnel_mode)
1084                                 itp->itp_flags |= active ? ITPF_P_TUNNEL :
1085                                     ITPF_I_TUNNEL;
1086                 }
1087         } else {
1088                 empty_itp = B_FALSE;
1089         }
1090 
1091         if (rule->spd_rule_index != 0) {
1092                 diag = SPD_DIAGNOSTIC_INVALID_RULE_INDEX;
1093                 error = EINVAL;
1094                 goto fail2;
1095         }
1096 
1097         if (!spdsock_ext_to_sel(extv, &sel, &diag)) {
1098                 error = EINVAL;
1099                 goto fail2;
1100         }
1101 
1102         if (itp != NULL) {
1103                 if (tunnel_mode) {
1104                         if (sel.ipsl_valid &
1105                             (IPSL_REMOTE_PORT | IPSL_LOCAL_PORT)) {
1106                                 itp->itp_flags |= active ?
1107                                     ITPF_P_PER_PORT_SECURITY :
1108                                     ITPF_I_PER_PORT_SECURITY;
1109                         }
1110                 } else {
1111                         /*
1112                          * For now, we don't allow transport-mode on a tunnel
1113                          * with ANY specific selectors.  Bail if we have such
1114                          * a request.
1115                          */
1116                         if (sel.ipsl_valid & IPSL_WILDCARD) {
1117                                 diag = SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS;
1118                                 error = EINVAL;
1119                                 goto fail2;
1120                         }
1121                 }
1122         }
1123 
1124         if (!spdsock_ext_to_actvec(extv, &actp, &nact, &diag, spds)) {
1125                 error = EINVAL;
1126                 goto fail2;
1127         }
1128         /*
1129          * If no addresses were specified, add both.
1130          */
1131         afs = sel.ipsl_valid & (IPSL_IPV6|IPSL_IPV4);
1132         if (afs == 0)
1133                 afs = (IPSL_IPV6|IPSL_IPV4);
1134 
1135         rw_enter(&iph->iph_lock, RW_WRITER);
1136 
1137         if (rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) {
1138                 error = mkrulepair(iph, rule, &sel, actp, nact,
1139                     IPSEC_TYPE_OUTBOUND, afs, &rulep, index, spds);
1140                 if (error != 0)
1141                         goto fail;
1142         }
1143 
1144         if (rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) {
1145                 error = mkrulepair(iph, rule, &sel, actp, nact,
1146                     IPSEC_TYPE_INBOUND, afs, &rulep, index, spds);
1147                 if (error != 0)
1148                         goto fail;
1149         }
1150 
1151         while ((--rulep) >= &rules[0]) {
1152                 ipsec_enter_policy(iph, rulep->pol, rulep->dir,
1153                     spds->spds_netstack);
1154         }
1155         rw_exit(&iph->iph_lock);
1156         if (itp != NULL)
1157                 mutex_exit(&itp->itp_lock);
1158 
1159         ipsec_actvec_free(actp, nact);
1160         spd_echo(q, mp);
1161         if (auditing) {
1162                 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1163                 cred_t *cr;
1164                 pid_t cpid;
1165 
1166                 cr = msg_getcred(mp, &cpid);
1167                 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1168                 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack,
1169                     ITP_NAME(itp), active, 0, cpid);
1170         }
1171         return;
1172 
1173 fail:
1174         rw_exit(&iph->iph_lock);
1175         while ((--rulep) >= &rules[0])
1176                 IPPOL_REFRELE(rulep->pol);
1177         ipsec_actvec_free(actp, nact);
1178 fail2:
1179         if (itp != NULL) {
1180                 if (empty_itp)
1181                         itp->itp_flags = 0;
1182                 mutex_exit(&itp->itp_lock);
1183         }
1184         spdsock_error(q, mp, error, diag);
1185         if (auditing) {
1186                 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1187                 cred_t *cr;
1188                 pid_t cpid;
1189 
1190                 cr = msg_getcred(mp, &cpid);
1191                 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1192                 audit_pf_policy(SPD_ADDRULE, cr, spds->spds_netstack,
1193                     ITP_NAME(itp), active, error, cpid);
1194         }
1195 }
1196 
1197 void
1198 spdsock_deleterule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1199     spd_ext_t **extv, ipsec_tun_pol_t *itp)
1200 {
1201         ipsec_selkey_t sel;
1202         struct spd_rule *rule = (struct spd_rule *)extv[SPD_EXT_RULE];
1203         int err, diag = 0;
1204         spdsock_t *ss = (spdsock_t *)q->q_ptr;
1205         netstack_t *ns = ss->spdsock_spds->spds_netstack;
1206         uint32_t auditing = AU_AUDITING();
1207 
1208         if (rule == NULL) {
1209                 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NO_RULE_EXT);
1210                 if (auditing) {
1211                         boolean_t active;
1212                         spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1213                         cred_t *cr;
1214                         pid_t cpid;
1215 
1216                         cr = msg_getcred(mp, &cpid);
1217                         active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1218                         audit_pf_policy(SPD_DELETERULE, cr, ns,
1219                             ITP_NAME(itp), active, SPD_DIAGNOSTIC_NO_RULE_EXT,
1220                             cpid);
1221                 }
1222                 return;
1223         }
1224 
1225         /*
1226          * Must enter itp_lock first to avoid deadlock.  See tun.c's
1227          * set_sec_simple() for the other case of itp_lock and iph_lock.
1228          */
1229         if (itp != NULL)
1230                 mutex_enter(&itp->itp_lock);
1231 
1232         if (rule->spd_rule_index != 0) {
1233                 if (ipsec_policy_delete_index(iph, rule->spd_rule_index, ns) !=
1234                     0) {
1235                         err = ESRCH;
1236                         goto fail;
1237                 }
1238         } else {
1239                 if (!spdsock_ext_to_sel(extv, &sel, &diag)) {
1240                         err = EINVAL;   /* diag already set... */
1241                         goto fail;
1242                 }
1243 
1244                 if ((rule->spd_rule_flags & SPD_RULE_FLAG_INBOUND) &&
1245                     !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_INBOUND, ns)) {
1246                         err = ESRCH;
1247                         goto fail;
1248                 }
1249 
1250                 if ((rule->spd_rule_flags & SPD_RULE_FLAG_OUTBOUND) &&
1251                     !ipsec_policy_delete(iph, &sel, IPSEC_TYPE_OUTBOUND, ns)) {
1252                         err = ESRCH;
1253                         goto fail;
1254                 }
1255         }
1256 
1257         if (itp != NULL) {
1258                 ASSERT(iph == itp->itp_policy || iph == itp->itp_inactive);
1259                 rw_enter(&iph->iph_lock, RW_READER);
1260                 if (avl_numnodes(&iph->iph_rulebyid) == 0) {
1261                         if (iph == itp->itp_policy)
1262                                 itp->itp_flags &= ~ITPF_PFLAGS;
1263                         else
1264                                 itp->itp_flags &= ~ITPF_IFLAGS;
1265                 }
1266                 /* Can exit locks in any order. */
1267                 rw_exit(&iph->iph_lock);
1268                 mutex_exit(&itp->itp_lock);
1269         }
1270         spd_echo(q, mp);
1271         if (auditing) {
1272                 boolean_t active;
1273                 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1274                 cred_t *cr;
1275                 pid_t cpid;
1276 
1277                 cr = msg_getcred(mp, &cpid);
1278                 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1279                 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp),
1280                     active, 0, cpid);
1281         }
1282         return;
1283 fail:
1284         if (itp != NULL)
1285                 mutex_exit(&itp->itp_lock);
1286         spdsock_error(q, mp, err, diag);
1287         if (auditing) {
1288                 boolean_t active;
1289                 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1290                 cred_t *cr;
1291                 pid_t cpid;
1292 
1293                 cr = msg_getcred(mp, &cpid);
1294                 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1295                 audit_pf_policy(SPD_DELETERULE, cr, ns, ITP_NAME(itp),
1296                     active, err, cpid);
1297         }
1298 }
1299 
1300 /* Do NOT consume a reference to itp. */
1301 /* ARGSUSED */
1302 static void
1303 spdsock_flip_node(ipsec_tun_pol_t *itp, void *ignoreme, netstack_t *ns)
1304 {
1305         mutex_enter(&itp->itp_lock);
1306         ITPF_SWAP(itp->itp_flags);
1307         ipsec_swap_policy(itp->itp_policy, itp->itp_inactive, ns);
1308         mutex_exit(&itp->itp_lock);
1309         /* SPD_FLIP is worth a tunnel MTU check. */
1310         update_iptun_policy(itp);
1311 }
1312 
1313 void
1314 spdsock_flip(queue_t *q, mblk_t *mp, spd_if_t *tunname)
1315 {
1316         char *tname;
1317         ipsec_tun_pol_t *itp;
1318         spdsock_t *ss = (spdsock_t *)q->q_ptr;
1319         netstack_t *ns = ss->spdsock_spds->spds_netstack;
1320         uint32_t auditing = AU_AUDITING();
1321 
1322         if (tunname != NULL) {
1323                 tname = (char *)tunname->spd_if_name;
1324                 if (*tname == '\0') {
1325                         /* can't fail */
1326                         ipsec_swap_global_policy(ns);
1327                         if (auditing) {
1328                                 boolean_t active;
1329                                 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1330                                 cred_t *cr;
1331                                 pid_t cpid;
1332 
1333                                 cr = msg_getcred(mp, &cpid);
1334                                 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1335                                 audit_pf_policy(SPD_FLIP, cr, ns,
1336                                     NULL, active, 0, cpid);
1337                         }
1338                         itp_walk(spdsock_flip_node, NULL, ns);
1339                         if (auditing) {
1340                                 boolean_t active;
1341                                 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1342                                 cred_t *cr;
1343                                 pid_t cpid;
1344 
1345                                 cr = msg_getcred(mp, &cpid);
1346                                 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1347                                 audit_pf_policy(SPD_FLIP, cr, ns,
1348                                     "all tunnels", active, 0, cpid);
1349                         }
1350                 } else {
1351                         itp = get_tunnel_policy(tname, ns);
1352                         if (itp == NULL) {
1353                                 /* Better idea for "tunnel not found"? */
1354                                 spdsock_error(q, mp, ESRCH, 0);
1355                                 if (auditing) {
1356                                         boolean_t active;
1357                                         spd_msg_t *spmsg =
1358                                             (spd_msg_t *)mp->b_rptr;
1359                                         cred_t *cr;
1360                                         pid_t cpid;
1361 
1362                                         cr = msg_getcred(mp, &cpid);
1363                                         active = (spmsg->spd_msg_spdid ==
1364                                             SPD_ACTIVE);
1365                                         audit_pf_policy(SPD_FLIP, cr, ns,
1366                                             ITP_NAME(itp), active,
1367                                             ESRCH, cpid);
1368                                 }
1369                                 return;
1370                         }
1371                         spdsock_flip_node(itp, NULL, ns);
1372                         if (auditing) {
1373                                 boolean_t active;
1374                                 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1375                                 cred_t *cr;
1376                                 pid_t cpid;
1377 
1378                                 cr = msg_getcred(mp, &cpid);
1379                                 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1380                                 audit_pf_policy(SPD_FLIP, cr, ns,
1381                                     ITP_NAME(itp), active, 0, cpid);
1382                         }
1383                         ITP_REFRELE(itp, ns);
1384                 }
1385         } else {
1386                 ipsec_swap_global_policy(ns);   /* can't fail */
1387                 if (auditing) {
1388                         boolean_t active;
1389                         spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
1390                         cred_t *cr;
1391                         pid_t cpid;
1392 
1393                         cr = msg_getcred(mp, &cpid);
1394                         active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
1395                         audit_pf_policy(SPD_FLIP, cr,
1396                             ns, NULL, active, 0, cpid);
1397                 }
1398         }
1399         spd_echo(q, mp);
1400 }
1401 
1402 /*
1403  * Unimplemented feature
1404  */
1405 /* ARGSUSED */
1406 static void
1407 spdsock_lookup(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
1408     spd_ext_t **extv, ipsec_tun_pol_t *itp)
1409 {
1410         spdsock_error(q, mp, EINVAL, 0);
1411 }
1412 
1413 
1414 static mblk_t *
1415 spdsock_dump_ruleset(mblk_t *req, ipsec_policy_head_t *iph,
1416     uint32_t count, uint16_t error)
1417 {
1418         size_t len = sizeof (spd_ruleset_ext_t) + sizeof (spd_msg_t);
1419         spd_msg_t *msg;
1420         spd_ruleset_ext_t *ruleset;
1421         mblk_t *m = allocb(len, BPRI_HI);
1422 
1423         ASSERT(RW_READ_HELD(&iph->iph_lock));
1424 
1425         if (m == NULL) {
1426                 return (NULL);
1427         }
1428         msg = (spd_msg_t *)m->b_rptr;
1429         ruleset = (spd_ruleset_ext_t *)(&msg[1]);
1430 
1431         m->b_wptr = (uint8_t *)&ruleset[1];
1432 
1433         *msg = *(spd_msg_t *)(req->b_rptr);
1434         msg->spd_msg_len = SPD_8TO64(len);
1435         msg->spd_msg_errno = error;
1436 
1437         ruleset->spd_ruleset_len = SPD_8TO64(sizeof (*ruleset));
1438         ruleset->spd_ruleset_type = SPD_EXT_RULESET;
1439         ruleset->spd_ruleset_count = count;
1440         ruleset->spd_ruleset_version = iph->iph_gen;
1441         return (m);
1442 }
1443 
1444 static mblk_t *
1445 spdsock_dump_finish(spdsock_t *ss, int error)
1446 {
1447         mblk_t *m;
1448         ipsec_policy_head_t *iph = ss->spdsock_dump_head;
1449         mblk_t *req = ss->spdsock_dump_req;
1450         netstack_t *ns = ss->spdsock_spds->spds_netstack;
1451 
1452         rw_enter(&iph->iph_lock, RW_READER);
1453         m = spdsock_dump_ruleset(req, iph, ss->spdsock_dump_count, error);
1454         rw_exit(&iph->iph_lock);
1455         IPPH_REFRELE(iph, ns);
1456         if (ss->spdsock_itp != NULL) {
1457                 ITP_REFRELE(ss->spdsock_itp, ns);
1458                 ss->spdsock_itp = NULL;
1459         }
1460         ss->spdsock_dump_req = NULL;
1461         freemsg(req);
1462 
1463         return (m);
1464 }
1465 
1466 /*
1467  * Rule encoding functions.
1468  * We do a two-pass encode.
1469  * If base != NULL, fill in encoded rule part starting at base+offset.
1470  * Always return "offset" plus length of to-be-encoded data.
1471  */
1472 static uint_t
1473 spdsock_encode_typecode(uint8_t *base, uint_t offset, uint8_t type,
1474     uint8_t type_end, uint8_t code, uint8_t code_end)
1475 {
1476         struct spd_typecode *tcp;
1477 
1478         ASSERT(ALIGNED64(offset));
1479 
1480         if (base != NULL) {
1481                 tcp = (struct spd_typecode *)(base + offset);
1482                 tcp->spd_typecode_len = SPD_8TO64(sizeof (*tcp));
1483                 tcp->spd_typecode_exttype = SPD_EXT_ICMP_TYPECODE;
1484                 tcp->spd_typecode_code = code;
1485                 tcp->spd_typecode_type = type;
1486                 tcp->spd_typecode_type_end = type_end;
1487                 tcp->spd_typecode_code_end = code_end;
1488         }
1489         offset += sizeof (*tcp);
1490 
1491         ASSERT(ALIGNED64(offset));
1492 
1493         return (offset);
1494 }
1495 
1496 static uint_t
1497 spdsock_encode_proto(uint8_t *base, uint_t offset, uint8_t proto)
1498 {
1499         struct spd_proto *spp;
1500 
1501         ASSERT(ALIGNED64(offset));
1502 
1503         if (base != NULL) {
1504                 spp = (struct spd_proto *)(base + offset);
1505                 spp->spd_proto_len = SPD_8TO64(sizeof (*spp));
1506                 spp->spd_proto_exttype = SPD_EXT_PROTO;
1507                 spp->spd_proto_number = proto;
1508                 spp->spd_proto_reserved1 = 0;
1509                 spp->spd_proto_reserved2 = 0;
1510         }
1511         offset += sizeof (*spp);
1512 
1513         ASSERT(ALIGNED64(offset));
1514 
1515         return (offset);
1516 }
1517 
1518 static uint_t
1519 spdsock_encode_port(uint8_t *base, uint_t offset, uint16_t ext, uint16_t port)
1520 {
1521         struct spd_portrange *spp;
1522 
1523         ASSERT(ALIGNED64(offset));
1524 
1525         if (base != NULL) {
1526                 spp = (struct spd_portrange *)(base + offset);
1527                 spp->spd_ports_len = SPD_8TO64(sizeof (*spp));
1528                 spp->spd_ports_exttype = ext;
1529                 spp->spd_ports_minport = port;
1530                 spp->spd_ports_maxport = port;
1531         }
1532         offset += sizeof (*spp);
1533 
1534         ASSERT(ALIGNED64(offset));
1535 
1536         return (offset);
1537 }
1538 
1539 static uint_t
1540 spdsock_encode_addr(uint8_t *base, uint_t offset, uint16_t ext,
1541     const ipsec_selkey_t *sel, const ipsec_addr_t *addr, uint_t pfxlen)
1542 {
1543         struct spd_address *sae;
1544         ipsec_addr_t *spdaddr;
1545         uint_t start = offset;
1546         uint_t addrlen;
1547         uint_t af;
1548 
1549         if (sel->ipsl_valid & IPSL_IPV4) {
1550                 af = AF_INET;
1551                 addrlen = IP_ADDR_LEN;
1552         } else {
1553                 af = AF_INET6;
1554                 addrlen = IPV6_ADDR_LEN;
1555         }
1556 
1557         ASSERT(ALIGNED64(offset));
1558 
1559         if (base != NULL) {
1560                 sae = (struct spd_address *)(base + offset);
1561                 sae->spd_address_exttype = ext;
1562                 sae->spd_address_af = af;
1563                 sae->spd_address_prefixlen = pfxlen;
1564                 sae->spd_address_reserved2 = 0;
1565 
1566                 spdaddr = (ipsec_addr_t *)(&sae[1]);
1567                 bcopy(addr, spdaddr, addrlen);
1568         }
1569         offset += sizeof (*sae);
1570         addrlen = roundup(addrlen, sizeof (uint64_t));
1571         offset += addrlen;
1572 
1573         ASSERT(ALIGNED64(offset));
1574 
1575         if (base != NULL)
1576                 sae->spd_address_len = SPD_8TO64(offset - start);
1577         return (offset);
1578 }
1579 
1580 static uint_t
1581 spdsock_encode_sel(uint8_t *base, uint_t offset, const ipsec_sel_t *sel)
1582 {
1583         const ipsec_selkey_t *selkey = &sel->ipsl_key;
1584 
1585         if (selkey->ipsl_valid & IPSL_PROTOCOL)
1586                 offset = spdsock_encode_proto(base, offset, selkey->ipsl_proto);
1587         if (selkey->ipsl_valid & IPSL_LOCAL_PORT)
1588                 offset = spdsock_encode_port(base, offset, SPD_EXT_LCLPORT,
1589                     selkey->ipsl_lport);
1590         if (selkey->ipsl_valid & IPSL_REMOTE_PORT)
1591                 offset = spdsock_encode_port(base, offset, SPD_EXT_REMPORT,
1592                     selkey->ipsl_rport);
1593         if (selkey->ipsl_valid & IPSL_REMOTE_ADDR)
1594                 offset = spdsock_encode_addr(base, offset, SPD_EXT_REMADDR,
1595                     selkey, &selkey->ipsl_remote, selkey->ipsl_remote_pfxlen);
1596         if (selkey->ipsl_valid & IPSL_LOCAL_ADDR)
1597                 offset = spdsock_encode_addr(base, offset, SPD_EXT_LCLADDR,
1598                     selkey, &selkey->ipsl_local, selkey->ipsl_local_pfxlen);
1599         if (selkey->ipsl_valid & IPSL_ICMP_TYPE) {
1600                 offset = spdsock_encode_typecode(base, offset,
1601                     selkey->ipsl_icmp_type, selkey->ipsl_icmp_type_end,
1602                     (selkey->ipsl_valid & IPSL_ICMP_CODE) ?
1603                     selkey->ipsl_icmp_code : 255,
1604                     (selkey->ipsl_valid & IPSL_ICMP_CODE) ?
1605                     selkey->ipsl_icmp_code_end : 255);
1606         }
1607         return (offset);
1608 }
1609 
1610 static uint_t
1611 spdsock_encode_actattr(uint8_t *base, uint_t offset, uint32_t tag,
1612     uint32_t value)
1613 {
1614         struct spd_attribute *attr;
1615 
1616         ASSERT(ALIGNED64(offset));
1617 
1618         if (base != NULL) {
1619                 attr = (struct spd_attribute *)(base + offset);
1620                 attr->spd_attr_tag = tag;
1621                 attr->spd_attr_value = value;
1622         }
1623         offset += sizeof (struct spd_attribute);
1624 
1625         ASSERT(ALIGNED64(offset));
1626 
1627         return (offset);
1628 }
1629 
1630 
1631 #define EMIT(t, v) offset = spdsock_encode_actattr(base, offset, (t), (v))
1632 
1633 static uint_t
1634 spdsock_encode_action(uint8_t *base, uint_t offset, const ipsec_action_t *ap)
1635 {
1636         const struct ipsec_act *act = &(ap->ipa_act);
1637         uint_t flags;
1638 
1639         EMIT(SPD_ATTR_EMPTY, 0);
1640         switch (act->ipa_type) {
1641         case IPSEC_ACT_DISCARD:
1642         case IPSEC_ACT_REJECT:
1643                 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_DROP);
1644                 break;
1645         case IPSEC_ACT_BYPASS:
1646         case IPSEC_ACT_CLEAR:
1647                 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_PASS);
1648                 break;
1649 
1650         case IPSEC_ACT_APPLY:
1651                 EMIT(SPD_ATTR_TYPE, SPD_ACTTYPE_IPSEC);
1652                 flags = 0;
1653                 if (act->ipa_apply.ipp_use_ah)
1654                         flags |= SPD_APPLY_AH;
1655                 if (act->ipa_apply.ipp_use_esp)
1656                         flags |= SPD_APPLY_ESP;
1657                 if (act->ipa_apply.ipp_use_espa)
1658                         flags |= SPD_APPLY_ESPA;
1659                 if (act->ipa_apply.ipp_use_se)
1660                         flags |= SPD_APPLY_SE;
1661                 if (act->ipa_apply.ipp_use_unique)
1662                         flags |= SPD_APPLY_UNIQUE;
1663                 EMIT(SPD_ATTR_FLAGS, flags);
1664                 if (flags & SPD_APPLY_AH) {
1665                         EMIT(SPD_ATTR_AH_AUTH, act->ipa_apply.ipp_auth_alg);
1666                         EMIT(SPD_ATTR_AH_MINBITS,
1667                             act->ipa_apply.ipp_ah_minbits);
1668                         EMIT(SPD_ATTR_AH_MAXBITS,
1669                             act->ipa_apply.ipp_ah_maxbits);
1670                 }
1671                 if (flags & SPD_APPLY_ESP) {
1672                         EMIT(SPD_ATTR_ESP_ENCR, act->ipa_apply.ipp_encr_alg);
1673                         EMIT(SPD_ATTR_ENCR_MINBITS,
1674                             act->ipa_apply.ipp_espe_minbits);
1675                         EMIT(SPD_ATTR_ENCR_MAXBITS,
1676                             act->ipa_apply.ipp_espe_maxbits);
1677                         if (flags & SPD_APPLY_ESPA) {
1678                                 EMIT(SPD_ATTR_ESP_AUTH,
1679                                     act->ipa_apply.ipp_esp_auth_alg);
1680                                 EMIT(SPD_ATTR_ESPA_MINBITS,
1681                                     act->ipa_apply.ipp_espa_minbits);
1682                                 EMIT(SPD_ATTR_ESPA_MAXBITS,
1683                                     act->ipa_apply.ipp_espa_maxbits);
1684                         }
1685                 }
1686                 if (act->ipa_apply.ipp_km_proto != 0)
1687                         EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_proto);
1688                 if (act->ipa_apply.ipp_km_cookie != 0)
1689                         EMIT(SPD_ATTR_KM_PROTO, act->ipa_apply.ipp_km_cookie);
1690                 if (act->ipa_apply.ipp_replay_depth != 0)
1691                         EMIT(SPD_ATTR_REPLAY_DEPTH,
1692                             act->ipa_apply.ipp_replay_depth);
1693                 /* Add more here */
1694                 break;
1695         }
1696 
1697         return (offset);
1698 }
1699 
1700 static uint_t
1701 spdsock_encode_action_list(uint8_t *base, uint_t offset,
1702     const ipsec_action_t *ap)
1703 {
1704         struct spd_ext_actions *act;
1705         uint_t nact = 0;
1706         uint_t start = offset;
1707 
1708         ASSERT(ALIGNED64(offset));
1709 
1710         if (base != NULL) {
1711                 act = (struct spd_ext_actions *)(base + offset);
1712                 act->spd_actions_len = 0;
1713                 act->spd_actions_exttype = SPD_EXT_ACTION;
1714                 act->spd_actions_count = 0;
1715                 act->spd_actions_reserved = 0;
1716         }
1717 
1718         offset += sizeof (*act);
1719 
1720         ASSERT(ALIGNED64(offset));
1721 
1722         while (ap != NULL) {
1723                 offset = spdsock_encode_action(base, offset, ap);
1724                 ap = ap->ipa_next;
1725                 nact++;
1726                 if (ap != NULL) {
1727                         EMIT(SPD_ATTR_NEXT, 0);
1728                 }
1729         }
1730         EMIT(SPD_ATTR_END, 0);
1731 
1732         ASSERT(ALIGNED64(offset));
1733 
1734         if (base != NULL) {
1735                 act->spd_actions_count = nact;
1736                 act->spd_actions_len = SPD_8TO64(offset - start);
1737         }
1738 
1739         return (offset);
1740 }
1741 
1742 #undef EMIT
1743 
1744 /* ARGSUSED */
1745 static uint_t
1746 spdsock_rule_flags(uint_t dir, uint_t af)
1747 {
1748         uint_t flags = 0;
1749 
1750         if (dir == IPSEC_TYPE_INBOUND)
1751                 flags |= SPD_RULE_FLAG_INBOUND;
1752         if (dir == IPSEC_TYPE_OUTBOUND)
1753                 flags |= SPD_RULE_FLAG_OUTBOUND;
1754 
1755         return (flags);
1756 }
1757 
1758 
1759 static uint_t
1760 spdsock_encode_rule_head(uint8_t *base, uint_t offset, spd_msg_t *req,
1761     const ipsec_policy_t *rule, uint_t dir, uint_t af, char *name,
1762     boolean_t tunnel)
1763 {
1764         struct spd_msg *spmsg;
1765         struct spd_rule *spr;
1766         spd_if_t *sid;
1767 
1768         uint_t start = offset;
1769 
1770         ASSERT(ALIGNED64(offset));
1771 
1772         if (base != NULL) {
1773                 spmsg = (struct spd_msg *)(base + offset);
1774                 bzero(spmsg, sizeof (*spmsg));
1775                 spmsg->spd_msg_version = PF_POLICY_V1;
1776                 spmsg->spd_msg_type = SPD_DUMP;
1777                 spmsg->spd_msg_seq = req->spd_msg_seq;
1778                 spmsg->spd_msg_pid = req->spd_msg_pid;
1779         }
1780         offset += sizeof (struct spd_msg);
1781 
1782         ASSERT(ALIGNED64(offset));
1783 
1784         if (base != NULL) {
1785                 spr = (struct spd_rule *)(base + offset);
1786                 spr->spd_rule_type = SPD_EXT_RULE;
1787                 spr->spd_rule_priority = rule->ipsp_prio;
1788                 spr->spd_rule_flags = spdsock_rule_flags(dir, af);
1789                 if (tunnel)
1790                         spr->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL;
1791                 spr->spd_rule_unused = 0;
1792                 spr->spd_rule_len = SPD_8TO64(sizeof (*spr));
1793                 spr->spd_rule_index = rule->ipsp_index;
1794         }
1795         offset += sizeof (struct spd_rule);
1796 
1797         /*
1798          * If we have an interface name (i.e. if this policy head came from
1799          * a tunnel), add the SPD_EXT_TUN_NAME extension.
1800          */
1801         if (name != NULL) {
1802 
1803                 ASSERT(ALIGNED64(offset));
1804 
1805                 if (base != NULL) {
1806                         sid = (spd_if_t *)(base + offset);
1807                         sid->spd_if_exttype = SPD_EXT_TUN_NAME;
1808                         sid->spd_if_len = SPD_8TO64(sizeof (spd_if_t) +
1809                             roundup((strlen(name) - 4), 8));
1810                         (void) strlcpy((char *)sid->spd_if_name, name,
1811                             LIFNAMSIZ);
1812                 }
1813 
1814                 offset += sizeof (spd_if_t) + roundup((strlen(name) - 4), 8);
1815         }
1816 
1817         offset = spdsock_encode_sel(base, offset, rule->ipsp_sel);
1818         offset = spdsock_encode_action_list(base, offset, rule->ipsp_act);
1819 
1820         ASSERT(ALIGNED64(offset));
1821 
1822         if (base != NULL) {
1823                 spmsg->spd_msg_len = SPD_8TO64(offset - start);
1824         }
1825         return (offset);
1826 }
1827 
1828 /* ARGSUSED */
1829 static mblk_t *
1830 spdsock_encode_rule(mblk_t *req, const ipsec_policy_t *rule,
1831     uint_t dir, uint_t af, char *name, boolean_t tunnel)
1832 {
1833         mblk_t *m;
1834         uint_t len;
1835         spd_msg_t *mreq = (spd_msg_t *)req->b_rptr;
1836 
1837         /*
1838          * Figure out how much space we'll need.
1839          */
1840         len = spdsock_encode_rule_head(NULL, 0, mreq, rule, dir, af, name,
1841             tunnel);
1842 
1843         /*
1844          * Allocate mblk.
1845          */
1846         m = allocb(len, BPRI_HI);
1847         if (m == NULL)
1848                 return (NULL);
1849 
1850         /*
1851          * Fill it in..
1852          */
1853         m->b_wptr = m->b_rptr + len;
1854         bzero(m->b_rptr, len);
1855         (void) spdsock_encode_rule_head(m->b_rptr, 0, mreq, rule, dir, af,
1856             name, tunnel);
1857         return (m);
1858 }
1859 
1860 static ipsec_policy_t *
1861 spdsock_dump_next_in_chain(spdsock_t *ss, ipsec_policy_head_t *iph,
1862     ipsec_policy_t *cur)
1863 {
1864         ASSERT(RW_READ_HELD(&iph->iph_lock));
1865 
1866         ss->spdsock_dump_count++;
1867         ss->spdsock_dump_cur_rule = cur->ipsp_hash.hash_next;
1868         return (cur);
1869 }
1870 
1871 static ipsec_policy_t *
1872 spdsock_dump_next_rule(spdsock_t *ss, ipsec_policy_head_t *iph)
1873 {
1874         ipsec_policy_t *cur;
1875         ipsec_policy_root_t *ipr;
1876         int chain, nchains, type, af;
1877 
1878         ASSERT(RW_READ_HELD(&iph->iph_lock));
1879 
1880         cur = ss->spdsock_dump_cur_rule;
1881 
1882         if (cur != NULL)
1883                 return (spdsock_dump_next_in_chain(ss, iph, cur));
1884 
1885         type = ss->spdsock_dump_cur_type;
1886 
1887 next:
1888         chain = ss->spdsock_dump_cur_chain;
1889         ipr = &iph->iph_root[type];
1890         nchains = ipr->ipr_nchains;
1891 
1892         while (chain < nchains) {
1893                 cur = ipr->ipr_hash[chain].hash_head;
1894                 chain++;
1895                 if (cur != NULL) {
1896                         ss->spdsock_dump_cur_chain = chain;
1897                         return (spdsock_dump_next_in_chain(ss, iph, cur));
1898                 }
1899         }
1900         ss->spdsock_dump_cur_chain = nchains;
1901 
1902         af = ss->spdsock_dump_cur_af;
1903         while (af < IPSEC_NAF) {
1904                 cur = ipr->ipr_nonhash[af];
1905                 af++;
1906                 if (cur != NULL) {
1907                         ss->spdsock_dump_cur_af = af;
1908                         return (spdsock_dump_next_in_chain(ss, iph, cur));
1909                 }
1910         }
1911 
1912         type++;
1913         if (type >= IPSEC_NTYPES)
1914                 return (NULL);
1915 
1916         ss->spdsock_dump_cur_chain = 0;
1917         ss->spdsock_dump_cur_type = type;
1918         ss->spdsock_dump_cur_af = IPSEC_AF_V4;
1919         goto next;
1920 
1921 }
1922 
1923 /*
1924  * If we're done with one policy head, but have more to go, we iterate through
1925  * another IPsec tunnel policy head (itp).  Return NULL if it is an error
1926  * worthy of returning EAGAIN via PF_POLICY.
1927  */
1928 static ipsec_tun_pol_t *
1929 spdsock_dump_iterate_next_tunnel(spdsock_t *ss, ipsec_stack_t *ipss)
1930 {
1931         ipsec_tun_pol_t *itp;
1932 
1933         ASSERT(RW_READ_HELD(&ipss->ipsec_tunnel_policy_lock));
1934         if (ipss->ipsec_tunnel_policy_gen > ss->spdsock_dump_tun_gen) {
1935                 /* Oops, state of the tunnel polheads changed. */
1936                 itp = NULL;
1937         } else if (ss->spdsock_itp == NULL) {
1938                 /* Just finished global, find first node. */
1939                 itp = avl_first(&ipss->ipsec_tunnel_policies);
1940         } else {
1941                 /* We just finished current polhead, find the next one. */
1942                 itp = AVL_NEXT(&ipss->ipsec_tunnel_policies, ss->spdsock_itp);
1943         }
1944         if (itp != NULL) {
1945                 ITP_REFHOLD(itp);
1946         }
1947         if (ss->spdsock_itp != NULL) {
1948                 ITP_REFRELE(ss->spdsock_itp, ipss->ipsec_netstack);
1949         }
1950         ss->spdsock_itp = itp;
1951         return (itp);
1952 }
1953 
1954 static mblk_t *
1955 spdsock_dump_next_record(spdsock_t *ss)
1956 {
1957         ipsec_policy_head_t *iph;
1958         ipsec_policy_t *rule;
1959         mblk_t *m;
1960         ipsec_tun_pol_t *itp;
1961         netstack_t *ns = ss->spdsock_spds->spds_netstack;
1962         ipsec_stack_t *ipss = ns->netstack_ipsec;
1963 
1964         iph = ss->spdsock_dump_head;
1965 
1966         ASSERT(iph != NULL);
1967 
1968         rw_enter(&iph->iph_lock, RW_READER);
1969 
1970         if (iph->iph_gen != ss->spdsock_dump_gen) {
1971                 rw_exit(&iph->iph_lock);
1972                 return (spdsock_dump_finish(ss, EAGAIN));
1973         }
1974 
1975         while ((rule = spdsock_dump_next_rule(ss, iph)) == NULL) {
1976                 rw_exit(&iph->iph_lock);
1977                 if (--(ss->spdsock_dump_remaining_polheads) == 0)
1978                         return (spdsock_dump_finish(ss, 0));
1979 
1980 
1981                 /*
1982                  * If we reach here, we have more policy heads (tunnel
1983                  * entries) to dump.  Let's reset to a new policy head
1984                  * and get some more rules.
1985                  *
1986                  * An empty policy head will have spdsock_dump_next_rule()
1987                  * return NULL, and we loop (while dropping the number of
1988                  * remaining polheads).  If we loop to 0, we finish.  We
1989                  * keep looping until we hit 0 or until we have a rule to
1990                  * encode.
1991                  *
1992                  * NOTE:  No need for ITP_REF*() macros here as we're only
1993                  * going after and refholding the policy head itself.
1994                  */
1995                 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
1996                 itp = spdsock_dump_iterate_next_tunnel(ss, ipss);
1997                 if (itp == NULL) {
1998                         rw_exit(&ipss->ipsec_tunnel_policy_lock);
1999                         return (spdsock_dump_finish(ss, EAGAIN));
2000                 }
2001 
2002                 /* Reset other spdsock_dump thingies. */
2003                 IPPH_REFRELE(ss->spdsock_dump_head, ns);
2004                 if (ss->spdsock_dump_active) {
2005                         ss->spdsock_dump_tunnel =
2006                             itp->itp_flags & ITPF_P_TUNNEL;
2007                         iph = itp->itp_policy;
2008                 } else {
2009                         ss->spdsock_dump_tunnel =
2010                             itp->itp_flags & ITPF_I_TUNNEL;
2011                         iph = itp->itp_inactive;
2012                 }
2013                 IPPH_REFHOLD(iph);
2014                 rw_exit(&ipss->ipsec_tunnel_policy_lock);
2015 
2016                 rw_enter(&iph->iph_lock, RW_READER);
2017                 RESET_SPDSOCK_DUMP_POLHEAD(ss, iph);
2018         }
2019 
2020         m = spdsock_encode_rule(ss->spdsock_dump_req, rule,
2021             ss->spdsock_dump_cur_type, ss->spdsock_dump_cur_af,
2022             (ss->spdsock_itp == NULL) ? NULL : ss->spdsock_itp->itp_name,
2023             ss->spdsock_dump_tunnel);
2024         rw_exit(&iph->iph_lock);
2025 
2026         if (m == NULL)
2027                 return (spdsock_dump_finish(ss, ENOMEM));
2028         return (m);
2029 }
2030 
2031 /*
2032  * Dump records until we run into flow-control back-pressure.
2033  */
2034 static void
2035 spdsock_dump_some(queue_t *q, spdsock_t *ss)
2036 {
2037         mblk_t *m, *dataind;
2038 
2039         while ((ss->spdsock_dump_req != NULL) && canputnext(q)) {
2040                 m = spdsock_dump_next_record(ss);
2041                 if (m == NULL)
2042                         return;
2043                 dataind = allocb(sizeof (struct T_data_req), BPRI_HI);
2044                 if (dataind == NULL) {
2045                         freemsg(m);
2046                         return;
2047                 }
2048                 dataind->b_cont = m;
2049                 dataind->b_wptr += sizeof (struct T_data_req);
2050                 ((struct T_data_ind *)dataind->b_rptr)->PRIM_type = T_DATA_IND;
2051                 ((struct T_data_ind *)dataind->b_rptr)->MORE_flag = 0;
2052                 dataind->b_datap->db_type = M_PROTO;
2053                 putnext(q, dataind);
2054         }
2055 }
2056 
2057 /*
2058  * Start dumping.
2059  * Format a start-of-dump record, and set up the stream and kick the rsrv
2060  * procedure to continue the job..
2061  */
2062 /* ARGSUSED */
2063 static void
2064 spdsock_dump(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp)
2065 {
2066         spdsock_t *ss = (spdsock_t *)q->q_ptr;
2067         netstack_t *ns = ss->spdsock_spds->spds_netstack;
2068         ipsec_stack_t *ipss = ns->netstack_ipsec;
2069         mblk_t *mr;
2070 
2071         /* spdsock_open() already set spdsock_itp to NULL. */
2072         if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) {
2073                 rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_READER);
2074                 ss->spdsock_dump_remaining_polheads = 1 +
2075                     avl_numnodes(&ipss->ipsec_tunnel_policies);
2076                 ss->spdsock_dump_tun_gen = ipss->ipsec_tunnel_policy_gen;
2077                 rw_exit(&ipss->ipsec_tunnel_policy_lock);
2078                 if (iph == ALL_ACTIVE_POLHEADS) {
2079                         iph = ipsec_system_policy(ns);
2080                         ss->spdsock_dump_active = B_TRUE;
2081                 } else {
2082                         iph = ipsec_inactive_policy(ns);
2083                         ss->spdsock_dump_active = B_FALSE;
2084                 }
2085                 ASSERT(ss->spdsock_itp == NULL);
2086         } else {
2087                 ss->spdsock_dump_remaining_polheads = 1;
2088         }
2089 
2090         rw_enter(&iph->iph_lock, RW_READER);
2091 
2092         mr = spdsock_dump_ruleset(mp, iph, 0, 0);
2093 
2094         if (!mr) {
2095                 rw_exit(&iph->iph_lock);
2096                 spdsock_error(q, mp, ENOMEM, 0);
2097                 return;
2098         }
2099 
2100         ss->spdsock_dump_req = mp;
2101         RESET_SPDSOCK_DUMP_POLHEAD(ss, iph);
2102 
2103         rw_exit(&iph->iph_lock);
2104 
2105         qreply(q, mr);
2106         qenable(OTHERQ(q));
2107 }
2108 
2109 /* Do NOT consume a reference to ITP. */
2110 void
2111 spdsock_clone_node(ipsec_tun_pol_t *itp, void *ep, netstack_t *ns)
2112 {
2113         int *errptr = (int *)ep;
2114 
2115         if (*errptr != 0)
2116                 return; /* We've failed already for some reason. */
2117         mutex_enter(&itp->itp_lock);
2118         ITPF_CLONE(itp->itp_flags);
2119         *errptr = ipsec_copy_polhead(itp->itp_policy, itp->itp_inactive, ns);
2120         mutex_exit(&itp->itp_lock);
2121 }
2122 
2123 void
2124 spdsock_clone(queue_t *q, mblk_t *mp, spd_if_t *tunname)
2125 {
2126         int error;
2127         char *tname;
2128         ipsec_tun_pol_t *itp;
2129         spdsock_t *ss = (spdsock_t *)q->q_ptr;
2130         netstack_t *ns = ss->spdsock_spds->spds_netstack;
2131         uint32_t auditing = AU_AUDITING();
2132 
2133         if (tunname != NULL) {
2134                 tname = (char *)tunname->spd_if_name;
2135                 if (*tname == '\0') {
2136                         error = ipsec_clone_system_policy(ns);
2137                         if (auditing) {
2138                                 boolean_t active;
2139                                 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2140                                 cred_t *cr;
2141                                 pid_t cpid;
2142 
2143                                 cr = msg_getcred(mp, &cpid);
2144                                 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2145                                 audit_pf_policy(SPD_CLONE, cr, ns,
2146                                     NULL, active, error, cpid);
2147                         }
2148                         if (error == 0) {
2149                                 itp_walk(spdsock_clone_node, &error, ns);
2150                                 if (auditing) {
2151                                         boolean_t active;
2152                                         spd_msg_t *spmsg =
2153                                             (spd_msg_t *)mp->b_rptr;
2154                                         cred_t *cr;
2155                                         pid_t cpid;
2156 
2157                                         cr = msg_getcred(mp, &cpid);
2158                                         active = (spmsg->spd_msg_spdid ==
2159                                             SPD_ACTIVE);
2160                                         audit_pf_policy(SPD_CLONE, cr,
2161                                             ns, "all tunnels", active, 0,
2162                                             cpid);
2163                                 }
2164                         }
2165                 } else {
2166                         itp = get_tunnel_policy(tname, ns);
2167                         if (itp == NULL) {
2168                                 spdsock_error(q, mp, ENOENT, 0);
2169                                 if (auditing) {
2170                                         boolean_t active;
2171                                         spd_msg_t *spmsg =
2172                                             (spd_msg_t *)mp->b_rptr;
2173                                         cred_t *cr;
2174                                         pid_t cpid;
2175 
2176                                         cr = msg_getcred(mp, &cpid);
2177                                         active = (spmsg->spd_msg_spdid ==
2178                                             SPD_ACTIVE);
2179                                         audit_pf_policy(SPD_CLONE, cr,
2180                                             ns, NULL, active, ENOENT, cpid);
2181                                 }
2182                                 return;
2183                         }
2184                         spdsock_clone_node(itp, &error, NULL);
2185                         if (auditing) {
2186                                 boolean_t active;
2187                                 spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2188                                 cred_t *cr;
2189                                 pid_t cpid;
2190 
2191                                 cr = msg_getcred(mp, &cpid);
2192                                 active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2193                                 audit_pf_policy(SPD_CLONE, cr, ns,
2194                                     ITP_NAME(itp), active, error, cpid);
2195                         }
2196                         ITP_REFRELE(itp, ns);
2197                 }
2198         } else {
2199                 error = ipsec_clone_system_policy(ns);
2200                 if (auditing) {
2201                         boolean_t active;
2202                         spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
2203                         cred_t *cr;
2204                         pid_t cpid;
2205 
2206                         cr = msg_getcred(mp, &cpid);
2207                         active = (spmsg->spd_msg_spdid == SPD_ACTIVE);
2208                         audit_pf_policy(SPD_CLONE, cr, ns, NULL,
2209                             active, error, cpid);
2210                 }
2211         }
2212 
2213         if (error != 0)
2214                 spdsock_error(q, mp, error, 0);
2215         else
2216                 spd_echo(q, mp);
2217 }
2218 
2219 /*
2220  * Process a SPD_ALGLIST request. The caller expects separate alg entries
2221  * for AH authentication, ESP authentication, and ESP encryption.
2222  * The same distinction is then used when setting the min and max key
2223  * sizes when defining policies.
2224  */
2225 
2226 #define SPDSOCK_AH_AUTH         0
2227 #define SPDSOCK_ESP_AUTH        1
2228 #define SPDSOCK_ESP_ENCR        2
2229 #define SPDSOCK_NTYPES          3
2230 
2231 static const uint_t algattr[SPDSOCK_NTYPES] = {
2232         SPD_ATTR_AH_AUTH,
2233         SPD_ATTR_ESP_AUTH,
2234         SPD_ATTR_ESP_ENCR
2235 };
2236 static const uint_t minbitsattr[SPDSOCK_NTYPES] = {
2237         SPD_ATTR_AH_MINBITS,
2238         SPD_ATTR_ESPA_MINBITS,
2239         SPD_ATTR_ENCR_MINBITS
2240 };
2241 static const uint_t maxbitsattr[SPDSOCK_NTYPES] = {
2242         SPD_ATTR_AH_MAXBITS,
2243         SPD_ATTR_ESPA_MAXBITS,
2244         SPD_ATTR_ENCR_MAXBITS
2245 };
2246 static const uint_t defbitsattr[SPDSOCK_NTYPES] = {
2247         SPD_ATTR_AH_DEFBITS,
2248         SPD_ATTR_ESPA_DEFBITS,
2249         SPD_ATTR_ENCR_DEFBITS
2250 };
2251 static const uint_t incrbitsattr[SPDSOCK_NTYPES] = {
2252         SPD_ATTR_AH_INCRBITS,
2253         SPD_ATTR_ESPA_INCRBITS,
2254         SPD_ATTR_ENCR_INCRBITS
2255 };
2256 
2257 #define ATTRPERALG      6       /* fixed attributes per algs */
2258 
2259 void
2260 spdsock_alglist(queue_t *q, mblk_t *mp)
2261 {
2262         uint_t algtype;
2263         uint_t algidx;
2264         uint_t algcount;
2265         uint_t size;
2266         mblk_t *m;
2267         uint8_t *cur;
2268         spd_msg_t *msg;
2269         struct spd_ext_actions *act;
2270         struct spd_attribute *attr;
2271         spdsock_t *ss = (spdsock_t *)q->q_ptr;
2272         ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
2273 
2274         rw_enter(&ipss->ipsec_alg_lock, RW_READER);
2275         /*
2276          * The SPD client expects to receive separate entries for
2277          * AH authentication and ESP authentication supported algorithms.
2278          *
2279          * Don't return the "any" algorithms, if defined, as no
2280          * kernel policies can be set for these algorithms.
2281          */
2282         algcount = 2 * ipss->ipsec_nalgs[IPSEC_ALG_AUTH] +
2283             ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
2284 
2285         if (ipss->ipsec_alglists[IPSEC_ALG_AUTH][SADB_AALG_NONE] != NULL)
2286                 algcount--;
2287         if (ipss->ipsec_alglists[IPSEC_ALG_ENCR][SADB_EALG_NONE] != NULL)
2288                 algcount--;
2289 
2290         /*
2291          * For each algorithm, we encode:
2292          * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2293          */
2294 
2295         size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions) +
2296             ATTRPERALG * sizeof (struct spd_attribute) * algcount;
2297 
2298         ASSERT(ALIGNED64(size));
2299 
2300         m = allocb(size, BPRI_HI);
2301         if (m == NULL) {
2302                 rw_exit(&ipss->ipsec_alg_lock);
2303                 spdsock_error(q, mp, ENOMEM, 0);
2304                 return;
2305         }
2306 
2307         m->b_wptr = m->b_rptr + size;
2308         cur = m->b_rptr;
2309 
2310         msg = (spd_msg_t *)cur;
2311         bcopy(mp->b_rptr, cur, sizeof (*msg));
2312 
2313         msg->spd_msg_len = SPD_8TO64(size);
2314         msg->spd_msg_errno = 0;
2315         msg->spd_msg_diagnostic = 0;
2316 
2317         cur += sizeof (*msg);
2318 
2319         act = (struct spd_ext_actions *)cur;
2320         cur += sizeof (*act);
2321 
2322         act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t));
2323         act->spd_actions_exttype = SPD_EXT_ACTION;
2324         act->spd_actions_count = algcount;
2325         act->spd_actions_reserved = 0;
2326 
2327         attr = (struct spd_attribute *)cur;
2328 
2329 #define EMIT(tag, value) {                                      \
2330                 attr->spd_attr_tag = (tag);                  \
2331                 attr->spd_attr_value = (value);                      \
2332                 attr++;                                         \
2333         }
2334 
2335         /*
2336          * If you change the number of EMIT's here, change
2337          * ATTRPERALG above to match
2338          */
2339 #define EMITALGATTRS(_type) {                                   \
2340                 EMIT(algattr[_type], algid);            /* 1 */ \
2341                 EMIT(minbitsattr[_type], minbits);      /* 2 */ \
2342                 EMIT(maxbitsattr[_type], maxbits);      /* 3 */ \
2343                 EMIT(defbitsattr[_type], defbits);      /* 4 */ \
2344                 EMIT(incrbitsattr[_type], incr);        /* 5 */ \
2345                 EMIT(SPD_ATTR_NEXT, 0);                 /* 6 */ \
2346         }
2347 
2348         for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2349                 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2350                     algidx++) {
2351                         int algid = ipss->ipsec_sortlist[algtype][algidx];
2352                         ipsec_alginfo_t *alg =
2353                             ipss->ipsec_alglists[algtype][algid];
2354                         uint_t minbits = alg->alg_minbits;
2355                         uint_t maxbits = alg->alg_maxbits;
2356                         uint_t defbits = alg->alg_default_bits;
2357                         uint_t incr = alg->alg_increment;
2358 
2359                         if (algtype == IPSEC_ALG_AUTH) {
2360                                 if (algid == SADB_AALG_NONE)
2361                                         continue;
2362                                 EMITALGATTRS(SPDSOCK_AH_AUTH);
2363                                 EMITALGATTRS(SPDSOCK_ESP_AUTH);
2364                         } else {
2365                                 if (algid == SADB_EALG_NONE)
2366                                         continue;
2367                                 ASSERT(algtype == IPSEC_ALG_ENCR);
2368                                 EMITALGATTRS(SPDSOCK_ESP_ENCR);
2369                         }
2370                 }
2371         }
2372 
2373         rw_exit(&ipss->ipsec_alg_lock);
2374 
2375 #undef EMITALGATTRS
2376 #undef EMIT
2377 #undef ATTRPERALG
2378 
2379         attr--;
2380         attr->spd_attr_tag = SPD_ATTR_END;
2381 
2382         freemsg(mp);
2383         qreply(q, m);
2384 }
2385 
2386 /*
2387  * Process a SPD_DUMPALGS request.
2388  */
2389 
2390 #define ATTRPERALG      9       /* fixed attributes per algs */
2391 
2392 void
2393 spdsock_dumpalgs(queue_t *q, mblk_t *mp)
2394 {
2395         uint_t algtype;
2396         uint_t algidx;
2397         uint_t size;
2398         mblk_t *m;
2399         uint8_t *cur;
2400         spd_msg_t *msg;
2401         struct spd_ext_actions *act;
2402         struct spd_attribute *attr;
2403         ipsec_alginfo_t *alg;
2404         uint_t algid;
2405         uint_t i;
2406         uint_t alg_size;
2407         spdsock_t *ss = (spdsock_t *)q->q_ptr;
2408         ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
2409 
2410         rw_enter(&ipss->ipsec_alg_lock, RW_READER);
2411 
2412         /*
2413          * For each algorithm, we encode:
2414          * ALG / MINBITS / MAXBITS / DEFBITS / INCRBITS / {END, NEXT}
2415          *
2416          * ALG_ID / ALG_PROTO / ALG_INCRBITS / ALG_NKEYSIZES / ALG_KEYSIZE*
2417          * ALG_NBLOCKSIZES / ALG_BLOCKSIZE* / ALG_NPARAMS / ALG_PARAMS* /
2418          * ALG_MECHNAME / ALG_FLAGS / {END, NEXT}
2419          */
2420 
2421         /*
2422          * Compute the size of the SPD message.
2423          */
2424         size = sizeof (spd_msg_t) + sizeof (struct spd_ext_actions);
2425 
2426         for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2427                 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2428                     algidx++) {
2429                         algid = ipss->ipsec_sortlist[algtype][algidx];
2430                         alg = ipss->ipsec_alglists[algtype][algid];
2431                         alg_size = sizeof (struct spd_attribute) *
2432                             (ATTRPERALG + alg->alg_nkey_sizes +
2433                             alg->alg_nblock_sizes + alg->alg_nparams) +
2434                             CRYPTO_MAX_MECH_NAME;
2435                         size += alg_size;
2436                 }
2437         }
2438 
2439         ASSERT(ALIGNED64(size));
2440 
2441         m = allocb(size, BPRI_HI);
2442         if (m == NULL) {
2443                 rw_exit(&ipss->ipsec_alg_lock);
2444                 spdsock_error(q, mp, ENOMEM, 0);
2445                 return;
2446         }
2447 
2448         m->b_wptr = m->b_rptr + size;
2449         cur = m->b_rptr;
2450 
2451         msg = (spd_msg_t *)cur;
2452         bcopy(mp->b_rptr, cur, sizeof (*msg));
2453 
2454         msg->spd_msg_len = SPD_8TO64(size);
2455         msg->spd_msg_errno = 0;
2456         msg->spd_msg_type = SPD_ALGLIST;
2457 
2458         msg->spd_msg_diagnostic = 0;
2459 
2460         cur += sizeof (*msg);
2461 
2462         act = (struct spd_ext_actions *)cur;
2463         cur += sizeof (*act);
2464 
2465         act->spd_actions_len = SPD_8TO64(size - sizeof (spd_msg_t));
2466         act->spd_actions_exttype = SPD_EXT_ACTION;
2467         act->spd_actions_count = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] +
2468             ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
2469         act->spd_actions_reserved = 0;
2470 
2471         /*
2472          * If there aren't any algorithms registered, return an empty message.
2473          * spdsock_get_ext() knows how to deal with this.
2474          */
2475         if (act->spd_actions_count == 0) {
2476                 act->spd_actions_len = 0;
2477                 rw_exit(&ipss->ipsec_alg_lock);
2478                 goto error;
2479         }
2480 
2481         attr = (struct spd_attribute *)cur;
2482 
2483 #define EMIT(tag, value) {                                      \
2484                 attr->spd_attr_tag = (tag);                  \
2485                 attr->spd_attr_value = (value);                      \
2486                 attr++;                                         \
2487         }
2488 
2489         for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
2490                 for (algidx = 0; algidx < ipss->ipsec_nalgs[algtype];
2491                     algidx++) {
2492 
2493                         algid = ipss->ipsec_sortlist[algtype][algidx];
2494                         alg = ipss->ipsec_alglists[algtype][algid];
2495 
2496                         /*
2497                          * If you change the number of EMIT's here, change
2498                          * ATTRPERALG above to match
2499                          */
2500                         EMIT(SPD_ATTR_ALG_ID, algid);
2501                         EMIT(SPD_ATTR_ALG_PROTO, algproto[algtype]);
2502                         EMIT(SPD_ATTR_ALG_INCRBITS, alg->alg_increment);
2503                         EMIT(SPD_ATTR_ALG_NKEYSIZES, alg->alg_nkey_sizes);
2504                         for (i = 0; i < alg->alg_nkey_sizes; i++)
2505                                 EMIT(SPD_ATTR_ALG_KEYSIZE,
2506                                     alg->alg_key_sizes[i]);
2507 
2508                         EMIT(SPD_ATTR_ALG_NBLOCKSIZES, alg->alg_nblock_sizes);
2509                         for (i = 0; i < alg->alg_nblock_sizes; i++)
2510                                 EMIT(SPD_ATTR_ALG_BLOCKSIZE,
2511                                     alg->alg_block_sizes[i]);
2512 
2513                         EMIT(SPD_ATTR_ALG_NPARAMS, alg->alg_nparams);
2514                         for (i = 0; i < alg->alg_nparams; i++)
2515                                 EMIT(SPD_ATTR_ALG_PARAMS,
2516                                     alg->alg_params[i]);
2517 
2518                         EMIT(SPD_ATTR_ALG_FLAGS, alg->alg_flags);
2519 
2520                         EMIT(SPD_ATTR_ALG_MECHNAME, CRYPTO_MAX_MECH_NAME);
2521                         bcopy(alg->alg_mech_name, attr, CRYPTO_MAX_MECH_NAME);
2522                         attr = (struct spd_attribute *)((char *)attr +
2523                             CRYPTO_MAX_MECH_NAME);
2524 
2525                         EMIT(SPD_ATTR_NEXT, 0);
2526                 }
2527         }
2528 
2529         rw_exit(&ipss->ipsec_alg_lock);
2530 
2531 #undef EMITALGATTRS
2532 #undef EMIT
2533 #undef ATTRPERALG
2534 
2535         attr--;
2536         attr->spd_attr_tag = SPD_ATTR_END;
2537 
2538 error:
2539         freemsg(mp);
2540         qreply(q, m);
2541 }
2542 
2543 /*
2544  * Do the actual work of processing an SPD_UPDATEALGS request. Can
2545  * be invoked either once IPsec is loaded on a cached request, or
2546  * when a request is received while IPsec is loaded.
2547  */
2548 static int
2549 spdsock_do_updatealg(spd_ext_t *extv[], spd_stack_t *spds)
2550 {
2551         struct spd_ext_actions *actp;
2552         struct spd_attribute *attr, *endattr;
2553         uint64_t *start, *end;
2554         ipsec_alginfo_t *alg = NULL;
2555         ipsec_algtype_t alg_type = 0;
2556         boolean_t skip_alg = B_TRUE, doing_proto = B_FALSE;
2557         uint_t i, cur_key, cur_block, algid;
2558         int diag = -1;
2559 
2560         ASSERT(MUTEX_HELD(&spds->spds_alg_lock));
2561 
2562         /* parse the message, building the list of algorithms */
2563 
2564         actp = (struct spd_ext_actions *)extv[SPD_EXT_ACTION];
2565         if (actp == NULL)
2566                 return (SPD_DIAGNOSTIC_NO_ACTION_EXT);
2567 
2568         start = (uint64_t *)actp;
2569         end = (start + actp->spd_actions_len);
2570         endattr = (struct spd_attribute *)end;
2571         attr = (struct spd_attribute *)&actp[1];
2572 
2573         bzero(spds->spds_algs, IPSEC_NALGTYPES * IPSEC_MAX_ALGS *
2574             sizeof (ipsec_alginfo_t *));
2575 
2576         alg = kmem_zalloc(sizeof (*alg), KM_SLEEP);
2577 
2578 #define ALG_KEY_SIZES(a)   (((a)->alg_nkey_sizes + 1) * sizeof (uint16_t))
2579 #define ALG_BLOCK_SIZES(a) (((a)->alg_nblock_sizes + 1) * sizeof (uint16_t))
2580 #define ALG_PARAM_SIZES(a) (((a)->alg_nparams + 1) * sizeof (uint16_t))
2581 
2582         while (attr < endattr) {
2583                 switch (attr->spd_attr_tag) {
2584                 case SPD_ATTR_NOP:
2585                 case SPD_ATTR_EMPTY:
2586                         break;
2587                 case SPD_ATTR_END:
2588                         attr = endattr;
2589                         /* FALLTHRU */
2590                 case SPD_ATTR_NEXT:
2591                         if (doing_proto) {
2592                                 doing_proto = B_FALSE;
2593                                 break;
2594                         }
2595                         if (skip_alg) {
2596                                 ipsec_alg_free(alg);
2597                         } else {
2598                                 ipsec_alg_free(
2599                                     spds->spds_algs[alg_type][alg->alg_id]);
2600                                 spds->spds_algs[alg_type][alg->alg_id] =
2601                                     alg;
2602                         }
2603                         alg = kmem_zalloc(sizeof (*alg), KM_SLEEP);
2604                         break;
2605 
2606                 case SPD_ATTR_ALG_ID:
2607                         if (attr->spd_attr_value >= IPSEC_MAX_ALGS) {
2608                                 ss1dbg(spds, ("spdsock_do_updatealg: "
2609                                     "invalid alg id %d\n",
2610                                     attr->spd_attr_value));
2611                                 diag = SPD_DIAGNOSTIC_ALG_ID_RANGE;
2612                                 goto bail;
2613                         }
2614                         alg->alg_id = attr->spd_attr_value;
2615                         break;
2616 
2617                 case SPD_ATTR_ALG_PROTO:
2618                         /* find the alg type */
2619                         for (i = 0; i < NALGPROTOS; i++)
2620                                 if (algproto[i] == attr->spd_attr_value)
2621                                         break;
2622                         skip_alg = (i == NALGPROTOS);
2623                         if (!skip_alg)
2624                                 alg_type = i;
2625                         break;
2626 
2627                 case SPD_ATTR_ALG_INCRBITS:
2628                         alg->alg_increment = attr->spd_attr_value;
2629                         break;
2630 
2631                 case SPD_ATTR_ALG_NKEYSIZES:
2632                         if (alg->alg_key_sizes != NULL) {
2633                                 kmem_free(alg->alg_key_sizes,
2634                                     ALG_KEY_SIZES(alg));
2635                         }
2636                         alg->alg_nkey_sizes = attr->spd_attr_value;
2637                         /*
2638                          * Allocate room for the trailing zero key size
2639                          * value as well.
2640                          */
2641                         alg->alg_key_sizes = kmem_zalloc(ALG_KEY_SIZES(alg),
2642                             KM_SLEEP);
2643                         cur_key = 0;
2644                         break;
2645 
2646                 case SPD_ATTR_ALG_KEYSIZE:
2647                         if (alg->alg_key_sizes == NULL ||
2648                             cur_key >= alg->alg_nkey_sizes) {
2649                                 ss1dbg(spds, ("spdsock_do_updatealg: "
2650                                     "too many key sizes\n"));
2651                                 diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES;
2652                                 goto bail;
2653                         }
2654                         alg->alg_key_sizes[cur_key++] = attr->spd_attr_value;
2655                         break;
2656 
2657                 case SPD_ATTR_ALG_FLAGS:
2658                         /*
2659                          * Flags (bit mask). The alg_flags element of
2660                          * ipsecalg_flags_t is only 8 bits wide. The
2661                          * user can set the VALID bit, but we will ignore it
2662                          * and make the decision is the algorithm is valid.
2663                          */
2664                         alg->alg_flags |= (uint8_t)attr->spd_attr_value;
2665                         break;
2666 
2667                 case SPD_ATTR_ALG_NBLOCKSIZES:
2668                         if (alg->alg_block_sizes != NULL) {
2669                                 kmem_free(alg->alg_block_sizes,
2670                                     ALG_BLOCK_SIZES(alg));
2671                         }
2672                         alg->alg_nblock_sizes = attr->spd_attr_value;
2673                         /*
2674                          * Allocate room for the trailing zero block size
2675                          * value as well.
2676                          */
2677                         alg->alg_block_sizes = kmem_zalloc(ALG_BLOCK_SIZES(alg),
2678                             KM_SLEEP);
2679                         cur_block = 0;
2680                         break;
2681 
2682                 case SPD_ATTR_ALG_BLOCKSIZE:
2683                         if (alg->alg_block_sizes == NULL ||
2684                             cur_block >= alg->alg_nblock_sizes) {
2685                                 ss1dbg(spds, ("spdsock_do_updatealg: "
2686                                     "too many block sizes\n"));
2687                                 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
2688                                 goto bail;
2689                         }
2690                         alg->alg_block_sizes[cur_block++] =
2691                             attr->spd_attr_value;
2692                         break;
2693 
2694                 case SPD_ATTR_ALG_NPARAMS:
2695                         if (alg->alg_params != NULL) {
2696                                 kmem_free(alg->alg_params,
2697                                     ALG_PARAM_SIZES(alg));
2698                         }
2699                         alg->alg_nparams = attr->spd_attr_value;
2700                         /*
2701                          * Allocate room for the trailing zero block size
2702                          * value as well.
2703                          */
2704                         alg->alg_params = kmem_zalloc(ALG_PARAM_SIZES(alg),
2705                             KM_SLEEP);
2706                         cur_block = 0;
2707                         break;
2708 
2709                 case SPD_ATTR_ALG_PARAMS:
2710                         if (alg->alg_params == NULL ||
2711                             cur_block >= alg->alg_nparams) {
2712                                 ss1dbg(spds, ("spdsock_do_updatealg: "
2713                                     "too many params\n"));
2714                                 diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
2715                                 goto bail;
2716                         }
2717                         /*
2718                          * Array contains: iv_len, icv_len, salt_len
2719                          * Any additional parameters are currently ignored.
2720                          */
2721                         alg->alg_params[cur_block++] =
2722                             attr->spd_attr_value;
2723                         break;
2724 
2725                 case SPD_ATTR_ALG_MECHNAME: {
2726                         char *mech_name;
2727 
2728                         if (attr->spd_attr_value > CRYPTO_MAX_MECH_NAME) {
2729                                 ss1dbg(spds, ("spdsock_do_updatealg: "
2730                                     "mech name too long\n"));
2731                                 diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN;
2732                                 goto bail;
2733                         }
2734                         mech_name = (char *)(attr + 1);
2735                         bcopy(mech_name, alg->alg_mech_name,
2736                             attr->spd_attr_value);
2737                         alg->alg_mech_name[CRYPTO_MAX_MECH_NAME-1] = '\0';
2738                         attr = (struct spd_attribute *)((char *)attr +
2739                             attr->spd_attr_value);
2740                         break;
2741                 }
2742 
2743                 case SPD_ATTR_PROTO_ID:
2744                         doing_proto = B_TRUE;
2745                         for (i = 0; i < NALGPROTOS; i++) {
2746                                 if (algproto[i] == attr->spd_attr_value) {
2747                                         alg_type = i;
2748                                         break;
2749                                 }
2750                         }
2751                         break;
2752 
2753                 case SPD_ATTR_PROTO_EXEC_MODE:
2754                         if (!doing_proto)
2755                                 break;
2756                         for (i = 0; i < NEXECMODES; i++) {
2757                                 if (execmodes[i] == attr->spd_attr_value) {
2758                                         spds->spds_algs_exec_mode[alg_type] = i;
2759                                         break;
2760                                 }
2761                         }
2762                         break;
2763                 }
2764                 attr++;
2765         }
2766 
2767 #undef  ALG_KEY_SIZES
2768 #undef  ALG_BLOCK_SIZES
2769 #undef  ALG_PARAM_SIZES
2770 
2771         /* update the algorithm tables */
2772         spdsock_merge_algs(spds);
2773 bail:
2774         /* cleanup */
2775         ipsec_alg_free(alg);
2776         for (alg_type = 0; alg_type < IPSEC_NALGTYPES; alg_type++)
2777                 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++)
2778                 if (spds->spds_algs[alg_type][algid] != NULL)
2779                         ipsec_alg_free(spds->spds_algs[alg_type][algid]);
2780         return (diag);
2781 }
2782 
2783 /*
2784  * Process an SPD_UPDATEALGS request. If IPsec is not loaded, queue
2785  * the request until IPsec loads. If IPsec is loaded, act on it
2786  * immediately.
2787  */
2788 
2789 static void
2790 spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[])
2791 {
2792         spdsock_t *ss = (spdsock_t *)q->q_ptr;
2793         spd_stack_t     *spds = ss->spdsock_spds;
2794         ipsec_stack_t   *ipss = spds->spds_netstack->netstack_ipsec;
2795         uint32_t auditing = AU_AUDITING();
2796 
2797         if (!ipsec_loaded(ipss)) {
2798                 /*
2799                  * IPsec is not loaded, save request and return nicely,
2800                  * the message will be processed once IPsec loads.
2801                  */
2802                 mblk_t *new_mp;
2803 
2804                 /* last update message wins */
2805                 if ((new_mp = copymsg(mp)) == NULL) {
2806                         spdsock_error(q, mp, ENOMEM, 0);
2807                         return;
2808                 }
2809                 mutex_enter(&spds->spds_alg_lock);
2810                 bcopy(extv, spds->spds_extv_algs,
2811                     sizeof (spd_ext_t *) * (SPD_EXT_MAX + 1));
2812                 if (spds->spds_mp_algs != NULL)
2813                         freemsg(spds->spds_mp_algs);
2814                 spds->spds_mp_algs = mp;
2815                 mutex_exit(&spds->spds_alg_lock);
2816                 if (auditing) {
2817                         cred_t *cr;
2818                         pid_t cpid;
2819 
2820                         cr = msg_getcred(mp, &cpid);
2821                         audit_pf_policy(SPD_UPDATEALGS, cr,
2822                             spds->spds_netstack, NULL, B_TRUE, EAGAIN,
2823                             cpid);
2824                 }
2825                 spd_echo(q, new_mp);
2826         } else {
2827                 /*
2828                  * IPsec is loaded, act on the message immediately.
2829                  */
2830                 int diag;
2831 
2832                 mutex_enter(&spds->spds_alg_lock);
2833                 diag = spdsock_do_updatealg(extv, spds);
2834                 if (diag == -1) {
2835                         /* Keep the lock held while we walk the SA tables. */
2836                         sadb_alg_update(IPSEC_ALG_ALL, 0, 0,
2837                             spds->spds_netstack);
2838                         mutex_exit(&spds->spds_alg_lock);
2839                         spd_echo(q, mp);
2840                         if (auditing) {
2841                                 cred_t *cr;
2842                                 pid_t cpid;
2843 
2844                                 cr = msg_getcred(mp, &cpid);
2845                                 audit_pf_policy(SPD_UPDATEALGS, cr,
2846                                     spds->spds_netstack, NULL, B_TRUE, 0,
2847                                     cpid);
2848                         }
2849                 } else {
2850                         mutex_exit(&spds->spds_alg_lock);
2851                         spdsock_diag(q, mp, diag);
2852                         if (auditing) {
2853                                 cred_t *cr;
2854                                 pid_t cpid;
2855 
2856                                 cr = msg_getcred(mp, &cpid);
2857                                 audit_pf_policy(SPD_UPDATEALGS, cr,
2858                                     spds->spds_netstack, NULL, B_TRUE, diag,
2859                                     cpid);
2860                         }
2861                 }
2862         }
2863 }
2864 
2865 /*
2866  * Find a tunnel instance (using the name to link ID mapping), and
2867  * update it after an IPsec change.  We need to do this always in case
2868  * we add policy AFTER plumbing a tunnel.  We also need to do this
2869  * because, as a side-effect, the tunnel's MTU is updated to reflect
2870  * any IPsec overhead in the itp's policy.
2871  */
2872 static void
2873 update_iptun_policy(ipsec_tun_pol_t *itp)
2874 {
2875         datalink_id_t linkid;
2876 
2877         if (dls_mgmt_get_linkid(itp->itp_name, &linkid) == 0)
2878                 iptun_set_policy(linkid, itp);
2879 }
2880 
2881 /*
2882  * Sort through the mess of polhead options to retrieve an appropriate one.
2883  * Returns NULL if we send an spdsock error.  Returns a valid pointer if we
2884  * found a valid polhead.  Returns ALL_ACTIVE_POLHEADS (aka. -1) or
2885  * ALL_INACTIVE_POLHEADS (aka. -2) if the operation calls for the operation to
2886  * act on ALL policy heads.
2887  */
2888 static ipsec_policy_head_t *
2889 get_appropriate_polhead(queue_t *q, mblk_t *mp, spd_if_t *tunname, int spdid,
2890     int msgtype, ipsec_tun_pol_t **itpp)
2891 {
2892         ipsec_tun_pol_t *itp;
2893         ipsec_policy_head_t *iph;
2894         int errno;
2895         char *tname;
2896         boolean_t active;
2897         spdsock_t *ss = (spdsock_t *)q->q_ptr;
2898         netstack_t *ns = ss->spdsock_spds->spds_netstack;
2899         uint64_t gen;   /* Placeholder */
2900 
2901         active = (spdid == SPD_ACTIVE);
2902         *itpp = NULL;
2903         if (!active && spdid != SPD_STANDBY) {
2904                 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_SPDID);
2905                 return (NULL);
2906         }
2907 
2908         if (tunname != NULL) {
2909                 /* Acting on a tunnel's SPD. */
2910                 tname = (char *)tunname->spd_if_name;
2911                 if (*tname == '\0') {
2912                         /* Handle all-polhead cases here. */
2913                         if (msgtype != SPD_FLUSH && msgtype != SPD_DUMP) {
2914                                 spdsock_diag(q, mp,
2915                                     SPD_DIAGNOSTIC_NOT_GLOBAL_OP);
2916                                 return (NULL);
2917                         }
2918                         return (active ? ALL_ACTIVE_POLHEADS :
2919                             ALL_INACTIVE_POLHEADS);
2920                 }
2921 
2922                 itp = get_tunnel_policy(tname, ns);
2923                 if (itp == NULL) {
2924                         if (msgtype != SPD_ADDRULE) {
2925                                 /* "Tunnel not found" */
2926                                 spdsock_error(q, mp, ENOENT, 0);
2927                                 return (NULL);
2928                         }
2929 
2930                         errno = 0;
2931                         itp = create_tunnel_policy(tname, &errno, &gen, ns);
2932                         if (itp == NULL) {
2933                                 /*
2934                                  * Something very bad happened, most likely
2935                                  * ENOMEM.  Return an indicator.
2936                                  */
2937                                 spdsock_error(q, mp, errno, 0);
2938                                 return (NULL);
2939                         }
2940                 }
2941 
2942                 /* Match up the itp to an iptun instance. */
2943                 update_iptun_policy(itp);
2944 
2945                 *itpp = itp;
2946                 /* For spdsock dump state, set the polhead's name. */
2947                 if (msgtype == SPD_DUMP) {
2948                         ITP_REFHOLD(itp);
2949                         ss->spdsock_itp = itp;
2950                         ss->spdsock_dump_tunnel = itp->itp_flags &
2951                             (active ? ITPF_P_TUNNEL : ITPF_I_TUNNEL);
2952                 }
2953         } else {
2954                 itp = NULL;
2955                 /* For spdsock dump state, indicate it's global policy. */
2956                 if (msgtype == SPD_DUMP)
2957                         ss->spdsock_itp = NULL;
2958         }
2959 
2960         if (active)
2961                 iph = (itp == NULL) ? ipsec_system_policy(ns) : itp->itp_policy;
2962         else
2963                 iph = (itp == NULL) ? ipsec_inactive_policy(ns) :
2964                     itp->itp_inactive;
2965 
2966         ASSERT(iph != NULL);
2967         if (itp != NULL) {
2968                 IPPH_REFHOLD(iph);
2969         }
2970 
2971         return (iph);
2972 }
2973 
2974 static void
2975 spdsock_parse(queue_t *q, mblk_t *mp)
2976 {
2977         spd_msg_t *spmsg;
2978         spd_ext_t *extv[SPD_EXT_MAX + 1];
2979         uint_t msgsize;
2980         ipsec_policy_head_t *iph;
2981         ipsec_tun_pol_t *itp;
2982         spd_if_t *tunname;
2983         spdsock_t *ss = (spdsock_t *)q->q_ptr;
2984         spd_stack_t *spds = ss->spdsock_spds;
2985         netstack_t *ns = spds->spds_netstack;
2986         ipsec_stack_t *ipss = ns->netstack_ipsec;
2987 
2988         /* Make sure nothing's below me. */
2989         ASSERT(WR(q)->q_next == NULL);
2990 
2991         spmsg = (spd_msg_t *)mp->b_rptr;
2992 
2993         msgsize = SPD_64TO8(spmsg->spd_msg_len);
2994 
2995         if (msgdsize(mp) != msgsize) {
2996                 /*
2997                  * Message len incorrect w.r.t. actual size.  Send an error
2998                  * (EMSGSIZE).  It may be necessary to massage things a
2999                  * bit.  For example, if the spd_msg_type is hosed,
3000                  * I need to set it to SPD_RESERVED to get delivery to
3001                  * do the right thing.  Then again, maybe just letting
3002                  * the error delivery do the right thing.
3003                  */
3004                 ss2dbg(spds,
3005                     ("mblk (%lu) and base (%d) message sizes don't jibe.\n",
3006                     msgdsize(mp), msgsize));
3007                 spdsock_error(q, mp, EMSGSIZE, SPD_DIAGNOSTIC_NONE);
3008                 return;
3009         }
3010 
3011         if (msgsize > (uint_t)(mp->b_wptr - mp->b_rptr)) {
3012                 /* Get all message into one mblk. */
3013                 if (pullupmsg(mp, -1) == 0) {
3014                         /*
3015                          * Something screwy happened.
3016                          */
3017                         ss3dbg(spds, ("spdsock_parse: pullupmsg() failed.\n"));
3018                         return;
3019                 } else {
3020                         spmsg = (spd_msg_t *)mp->b_rptr;
3021                 }
3022         }
3023 
3024         switch (spdsock_get_ext(extv, spmsg, msgsize)) {
3025         case KGE_DUP:
3026                 /* Handle duplicate extension. */
3027                 ss1dbg(spds, ("Got duplicate extension of type %d.\n",
3028                     extv[0]->spd_ext_type));
3029                 spdsock_diag(q, mp, dup_ext_diag[extv[0]->spd_ext_type]);
3030                 return;
3031         case KGE_UNK:
3032                 /* Handle unknown extension. */
3033                 ss1dbg(spds, ("Got unknown extension of type %d.\n",
3034                     extv[0]->spd_ext_type));
3035                 spdsock_diag(q, mp, SPD_DIAGNOSTIC_UNKNOWN_EXT);
3036                 return;
3037         case KGE_LEN:
3038                 /* Length error. */
3039                 ss1dbg(spds, ("Length %d on extension type %d overrun or 0.\n",
3040                     extv[0]->spd_ext_len, extv[0]->spd_ext_type));
3041                 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_EXTLEN);
3042                 return;
3043         case KGE_CHK:
3044                 /* Reality check failed. */
3045                 ss1dbg(spds, ("Reality check failed on extension type %d.\n",
3046                     extv[0]->spd_ext_type));
3047                 spdsock_diag(q, mp, bad_ext_diag[extv[0]->spd_ext_type]);
3048                 return;
3049         default:
3050                 /* Default case is no errors. */
3051                 break;
3052         }
3053 
3054         /*
3055          * Special-case SPD_UPDATEALGS so as not to load IPsec.
3056          */
3057         if (!ipsec_loaded(ipss) && spmsg->spd_msg_type != SPD_UPDATEALGS) {
3058                 spdsock_t *ss = (spdsock_t *)q->q_ptr;
3059 
3060                 ASSERT(ss != NULL);
3061                 ipsec_loader_loadnow(ipss);
3062                 ss->spdsock_timeout_arg = mp;
3063                 ss->spdsock_timeout = qtimeout(q, spdsock_loadcheck,
3064                     q, LOADCHECK_INTERVAL);
3065                 return;
3066         }
3067 
3068         /* First check for messages that need no polheads at all. */
3069         switch (spmsg->spd_msg_type) {
3070         case SPD_UPDATEALGS:
3071                 spdsock_updatealg(q, mp, extv);
3072                 return;
3073         case SPD_ALGLIST:
3074                 spdsock_alglist(q, mp);
3075                 return;
3076         case SPD_DUMPALGS:
3077                 spdsock_dumpalgs(q, mp);
3078                 return;
3079         }
3080 
3081         /*
3082          * Then check for ones that need both primary/secondary polheads,
3083          * finding the appropriate tunnel policy if need be.
3084          */
3085         tunname = (spd_if_t *)extv[SPD_EXT_TUN_NAME];
3086         switch (spmsg->spd_msg_type) {
3087         case SPD_FLIP:
3088                 spdsock_flip(q, mp, tunname);
3089                 return;
3090         case SPD_CLONE:
3091                 spdsock_clone(q, mp, tunname);
3092                 return;
3093         }
3094 
3095         /*
3096          * Finally, find ones that operate on exactly one polhead, or
3097          * "all polheads" of a given type (active/inactive).
3098          */
3099         iph = get_appropriate_polhead(q, mp, tunname, spmsg->spd_msg_spdid,
3100             spmsg->spd_msg_type, &itp);
3101         if (iph == NULL)
3102                 return;
3103 
3104         /* All-polheads-ready operations. */
3105         switch (spmsg->spd_msg_type) {
3106         case SPD_FLUSH:
3107                 if (itp != NULL) {
3108                         mutex_enter(&itp->itp_lock);
3109                         if (spmsg->spd_msg_spdid == SPD_ACTIVE)
3110                                 itp->itp_flags &= ~ITPF_PFLAGS;
3111                         else
3112                                 itp->itp_flags &= ~ITPF_IFLAGS;
3113                         mutex_exit(&itp->itp_lock);
3114                 }
3115 
3116                 spdsock_flush(q, iph, itp, mp);
3117 
3118                 if (itp != NULL) {
3119                         /* SPD_FLUSH is worth a tunnel MTU check. */
3120                         update_iptun_policy(itp);
3121                         ITP_REFRELE(itp, ns);
3122                 }
3123                 return;
3124         case SPD_DUMP:
3125                 if (itp != NULL)
3126                         ITP_REFRELE(itp, ns);
3127                 spdsock_dump(q, iph, mp);
3128                 return;
3129         }
3130 
3131         if (iph == ALL_ACTIVE_POLHEADS || iph == ALL_INACTIVE_POLHEADS) {
3132                 spdsock_diag(q, mp, SPD_DIAGNOSTIC_NOT_GLOBAL_OP);
3133                 return;
3134         }
3135 
3136         /* Single-polhead-only operations. */
3137         switch (spmsg->spd_msg_type) {
3138         case SPD_ADDRULE:
3139                 spdsock_addrule(q, iph, mp, extv, itp);
3140                 break;
3141         case SPD_DELETERULE:
3142                 spdsock_deleterule(q, iph, mp, extv, itp);
3143                 break;
3144         case SPD_LOOKUP:
3145                 spdsock_lookup(q, iph, mp, extv, itp);
3146                 break;
3147         default:
3148                 spdsock_diag(q, mp, SPD_DIAGNOSTIC_BAD_MSG_TYPE);
3149                 break;
3150         }
3151 
3152         IPPH_REFRELE(iph, ns);
3153         if (itp != NULL) {
3154                 /* SPD_{ADD,DELETE}RULE are worth a tunnel MTU check. */
3155                 if (spmsg->spd_msg_type == SPD_ADDRULE ||
3156                     spmsg->spd_msg_type == SPD_DELETERULE)
3157                         update_iptun_policy(itp);
3158                 ITP_REFRELE(itp, ns);
3159         }
3160 }
3161 
3162 /*
3163  * If an algorithm mapping was received before IPsec was loaded, process it.
3164  * Called from the IPsec loader.
3165  */
3166 void
3167 spdsock_update_pending_algs(netstack_t *ns)
3168 {
3169         spd_stack_t *spds = ns->netstack_spdsock;
3170 
3171         mutex_enter(&spds->spds_alg_lock);
3172         if (spds->spds_mp_algs != NULL) {
3173                 (void) spdsock_do_updatealg(spds->spds_extv_algs, spds);
3174                 freemsg(spds->spds_mp_algs);
3175                 spds->spds_mp_algs = NULL;
3176         }
3177         mutex_exit(&spds->spds_alg_lock);
3178 }
3179 
3180 static void
3181 spdsock_loadcheck(void *arg)
3182 {
3183         queue_t *q = (queue_t *)arg;
3184         spdsock_t *ss = (spdsock_t *)q->q_ptr;
3185         mblk_t *mp;
3186         ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
3187 
3188         ASSERT(ss != NULL);
3189 
3190         ss->spdsock_timeout = 0;
3191         mp = ss->spdsock_timeout_arg;
3192         ASSERT(mp != NULL);
3193         ss->spdsock_timeout_arg = NULL;
3194         if (ipsec_failed(ipss))
3195                 spdsock_error(q, mp, EPROTONOSUPPORT, 0);
3196         else
3197                 spdsock_parse(q, mp);
3198 }
3199 
3200 /*
3201  * Copy relevant state bits.
3202  */
3203 static void
3204 spdsock_copy_info(struct T_info_ack *tap, spdsock_t *ss)
3205 {
3206         *tap = spdsock_g_t_info_ack;
3207         tap->CURRENT_state = ss->spdsock_state;
3208         tap->OPT_size = spdsock_max_optsize;
3209 }
3210 
3211 /*
3212  * This routine responds to T_CAPABILITY_REQ messages.  It is called by
3213  * spdsock_wput.  Much of the T_CAPABILITY_ACK information is copied from
3214  * spdsock_g_t_info_ack.  The current state of the stream is copied from
3215  * spdsock_state.
3216  */
3217 static void
3218 spdsock_capability_req(queue_t *q, mblk_t *mp)
3219 {
3220         spdsock_t *ss = (spdsock_t *)q->q_ptr;
3221         t_uscalar_t cap_bits1;
3222         struct T_capability_ack *tcap;
3223 
3224         cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1;
3225 
3226         mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack),
3227             mp->b_datap->db_type, T_CAPABILITY_ACK);
3228         if (mp == NULL)
3229                 return;
3230 
3231         tcap = (struct T_capability_ack *)mp->b_rptr;
3232         tcap->CAP_bits1 = 0;
3233 
3234         if (cap_bits1 & TC1_INFO) {
3235                 spdsock_copy_info(&tcap->INFO_ack, ss);
3236                 tcap->CAP_bits1 |= TC1_INFO;
3237         }
3238 
3239         qreply(q, mp);
3240 }
3241 
3242 /*
3243  * This routine responds to T_INFO_REQ messages. It is called by
3244  * spdsock_wput_other.
3245  * Most of the T_INFO_ACK information is copied from spdsock_g_t_info_ack.
3246  * The current state of the stream is copied from spdsock_state.
3247  */
3248 static void
3249 spdsock_info_req(
3250     queue_t     *q,
3251     mblk_t      *mp)
3252 {
3253         mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO,
3254             T_INFO_ACK);
3255         if (mp == NULL)
3256                 return;
3257         spdsock_copy_info((struct T_info_ack *)mp->b_rptr,
3258             (spdsock_t *)q->q_ptr);
3259         qreply(q, mp);
3260 }
3261 
3262 /*
3263  * spdsock_err_ack. This routine creates a
3264  * T_ERROR_ACK message and passes it
3265  * upstream.
3266  */
3267 static void
3268 spdsock_err_ack(
3269     queue_t     *q,
3270     mblk_t      *mp,
3271     int t_error,
3272     int sys_error)
3273 {
3274         if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL)
3275                 qreply(q, mp);
3276 }
3277 
3278 /*
3279  * This routine retrieves the current status of socket options.
3280  * It returns the size of the option retrieved.
3281  */
3282 /* ARGSUSED */
3283 int
3284 spdsock_opt_get(queue_t *q, int level, int name, uchar_t *ptr)
3285 {
3286         int *i1 = (int *)ptr;
3287 
3288         switch (level) {
3289         case SOL_SOCKET:
3290                 switch (name) {
3291                 case SO_TYPE:
3292                         *i1 = SOCK_RAW;
3293                         break;
3294                 /*
3295                  * The following two items can be manipulated,
3296                  * but changing them should do nothing.
3297                  */
3298                 case SO_SNDBUF:
3299                         *i1 = (int)q->q_hiwat;
3300                         break;
3301                 case SO_RCVBUF:
3302                         *i1 = (int)(RD(q)->q_hiwat);
3303                         break;
3304                 }
3305                 break;
3306         default:
3307                 return (0);
3308         }
3309         return (sizeof (int));
3310 }
3311 
3312 /*
3313  * This routine sets socket options.
3314  */
3315 /* ARGSUSED */
3316 int
3317 spdsock_opt_set(queue_t *q, uint_t mgmt_flags, int level, int name,
3318     uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
3319     void *thisdg_attrs, cred_t *cr)
3320 {
3321         int *i1 = (int *)invalp;
3322         spdsock_t *ss = (spdsock_t *)q->q_ptr;
3323         spd_stack_t     *spds = ss->spdsock_spds;
3324 
3325         switch (level) {
3326         case SOL_SOCKET:
3327                 switch (name) {
3328                 case SO_SNDBUF:
3329                         if (*i1 > spds->spds_max_buf)
3330                                 return (ENOBUFS);
3331                         q->q_hiwat = *i1;
3332                         break;
3333                 case SO_RCVBUF:
3334                         if (*i1 > spds->spds_max_buf)
3335                                 return (ENOBUFS);
3336                         RD(q)->q_hiwat = *i1;
3337                         (void) proto_set_rx_hiwat(RD(q), NULL, *i1);
3338                         break;
3339                 }
3340                 break;
3341         }
3342         return (0);
3343 }
3344 
3345 
3346 /*
3347  * Handle STREAMS messages.
3348  */
3349 static void
3350 spdsock_wput_other(queue_t *q, mblk_t *mp)
3351 {
3352         struct iocblk *iocp;
3353         int error;
3354         spdsock_t *ss = (spdsock_t *)q->q_ptr;
3355         spd_stack_t     *spds = ss->spdsock_spds;
3356         cred_t          *cr;
3357 
3358         switch (mp->b_datap->db_type) {
3359         case M_PROTO:
3360         case M_PCPROTO:
3361                 if ((mp->b_wptr - mp->b_rptr) < sizeof (long)) {
3362                         ss3dbg(spds, (
3363                             "spdsock_wput_other: Not big enough M_PROTO\n"));
3364                         freemsg(mp);
3365                         return;
3366                 }
3367                 switch (((union T_primitives *)mp->b_rptr)->type) {
3368                 case T_CAPABILITY_REQ:
3369                         spdsock_capability_req(q, mp);
3370                         break;
3371                 case T_INFO_REQ:
3372                         spdsock_info_req(q, mp);
3373                         break;
3374                 case T_SVR4_OPTMGMT_REQ:
3375                 case T_OPTMGMT_REQ:
3376                         /*
3377                          * All Solaris components should pass a db_credp
3378                          * for this TPI message, hence we ASSERT.
3379                          * But in case there is some other M_PROTO that looks
3380                          * like a TPI message sent by some other kernel
3381                          * component, we check and return an error.
3382                          */
3383                         cr = msg_getcred(mp, NULL);
3384                         ASSERT(cr != NULL);
3385                         if (cr == NULL) {
3386                                 spdsock_err_ack(q, mp, TSYSERR, EINVAL);
3387                                 return;
3388                         }
3389                         if (((union T_primitives *)mp->b_rptr)->type ==
3390                             T_SVR4_OPTMGMT_REQ) {
3391                                 svr4_optcom_req(q, mp, cr, &spdsock_opt_obj);
3392                         } else {
3393                                 tpi_optcom_req(q, mp, cr, &spdsock_opt_obj);
3394                         }
3395                         break;
3396                 case T_DATA_REQ:
3397                 case T_EXDATA_REQ:
3398                 case T_ORDREL_REQ:
3399                         /* Illegal for spdsock. */
3400                         freemsg(mp);
3401                         (void) putnextctl1(RD(q), M_ERROR, EPROTO);
3402                         break;
3403                 default:
3404                         /* Not supported by spdsock. */
3405                         spdsock_err_ack(q, mp, TNOTSUPPORT, 0);
3406                         break;
3407                 }
3408                 return;
3409         case M_IOCDATA:
3410                 keysock_spdsock_wput_iocdata(q, mp, PF_POLICY);
3411                 return;
3412         case M_IOCTL:
3413                 iocp = (struct iocblk *)mp->b_rptr;
3414                 error = EINVAL;
3415 
3416                 switch (iocp->ioc_cmd) {
3417                 case TI_GETMYNAME:
3418                 case TI_GETPEERNAME:
3419                         /*
3420                          * For pfiles(1) observability with getsockname().
3421                          * See keysock_spdsock_wput_iocdata() for the rest of
3422                          * this.
3423                          */
3424                         mi_copyin(q, mp, NULL,
3425                             SIZEOF_STRUCT(strbuf, iocp->ioc_flag));
3426                         return;
3427                 case ND_SET:
3428                 case ND_GET:
3429                         if (nd_getset(q, spds->spds_g_nd, mp)) {
3430                                 qreply(q, mp);
3431                                 return;
3432                         } else
3433                                 error = ENOENT;
3434                         /* FALLTHRU */
3435                 default:
3436                         miocnak(q, mp, 0, error);
3437                         return;
3438                 }
3439         case M_FLUSH:
3440                 if (*mp->b_rptr & FLUSHW) {
3441                         flushq(q, FLUSHALL);
3442                         *mp->b_rptr &= ~FLUSHW;
3443                 }
3444                 if (*mp->b_rptr & FLUSHR) {
3445                         qreply(q, mp);
3446                         return;
3447                 }
3448                 /* Else FALLTHRU */
3449         }
3450 
3451         /* If fell through, just black-hole the message. */
3452         freemsg(mp);
3453 }
3454 
3455 static int
3456 spdsock_wput(queue_t *q, mblk_t *mp)
3457 {
3458         uint8_t *rptr = mp->b_rptr;
3459         mblk_t *mp1;
3460         spdsock_t *ss = (spdsock_t *)q->q_ptr;
3461         spd_stack_t     *spds = ss->spdsock_spds;
3462 
3463         /*
3464          * If we're dumping, defer processing other messages until the
3465          * dump completes.
3466          */
3467         if (ss->spdsock_dump_req != NULL) {
3468                 if (!putq(q, mp))
3469                         freemsg(mp);
3470                 return (0);
3471         }
3472 
3473         switch (mp->b_datap->db_type) {
3474         case M_DATA:
3475                 /*
3476                  * Silently discard.
3477                  */
3478                 ss2dbg(spds, ("raw M_DATA in spdsock.\n"));
3479                 freemsg(mp);
3480                 return (0);
3481         case M_PROTO:
3482         case M_PCPROTO:
3483                 if ((mp->b_wptr - rptr) >= sizeof (struct T_data_req)) {
3484                         if (((union T_primitives *)rptr)->type == T_DATA_REQ) {
3485                                 if ((mp1 = mp->b_cont) == NULL) {
3486                                         /* No data after T_DATA_REQ. */
3487                                         ss2dbg(spds,
3488                                             ("No data after DATA_REQ.\n"));
3489                                         freemsg(mp);
3490                                         return (0);
3491                                 }
3492                                 freeb(mp);
3493                                 mp = mp1;
3494                                 ss2dbg(spds, ("T_DATA_REQ\n"));
3495                                 break;  /* Out of switch. */
3496                         }
3497                 }
3498                 /* FALLTHRU */
3499         default:
3500                 ss3dbg(spds, ("In default wput case (%d %d).\n",
3501                     mp->b_datap->db_type, ((union T_primitives *)rptr)->type));
3502                 spdsock_wput_other(q, mp);
3503                 return (0);
3504         }
3505 
3506         /* I now have a PF_POLICY message in an M_DATA block. */
3507         spdsock_parse(q, mp);
3508         return (0);
3509 }
3510 
3511 /*
3512  * Device open procedure, called when new queue pair created.
3513  * We are passed the read-side queue.
3514  */
3515 /* ARGSUSED */
3516 static int
3517 spdsock_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
3518 {
3519         spdsock_t *ss;
3520         queue_t *oq = OTHERQ(q);
3521         minor_t ssminor;
3522         netstack_t *ns;
3523         spd_stack_t *spds;
3524 
3525         if (secpolicy_ip_config(credp, B_FALSE) != 0)
3526                 return (EPERM);
3527 
3528         if (q->q_ptr != NULL)
3529                 return (0);  /* Re-open of an already open instance. */
3530 
3531         if (sflag & MODOPEN)
3532                 return (EINVAL);
3533 
3534         ns = netstack_find_by_cred(credp);
3535         ASSERT(ns != NULL);
3536         spds = ns->netstack_spdsock;
3537         ASSERT(spds != NULL);
3538 
3539         ss2dbg(spds, ("Made it into PF_POLICY socket open.\n"));
3540 
3541         ssminor = (minor_t)(uintptr_t)vmem_alloc(spdsock_vmem, 1, VM_NOSLEEP);
3542         if (ssminor == 0) {
3543                 netstack_rele(spds->spds_netstack);
3544                 return (ENOMEM);
3545         }
3546         ss = kmem_zalloc(sizeof (spdsock_t), KM_NOSLEEP);
3547         if (ss == NULL) {
3548                 vmem_free(spdsock_vmem, (void *)(uintptr_t)ssminor, 1);
3549                 netstack_rele(spds->spds_netstack);
3550                 return (ENOMEM);
3551         }
3552 
3553         ss->spdsock_minor = ssminor;
3554         ss->spdsock_state = TS_UNBND;
3555         ss->spdsock_dump_req = NULL;
3556 
3557         ss->spdsock_spds = spds;
3558 
3559         q->q_ptr = ss;
3560         oq->q_ptr = ss;
3561 
3562         q->q_hiwat = spds->spds_recv_hiwat;
3563 
3564         oq->q_hiwat = spds->spds_xmit_hiwat;
3565         oq->q_lowat = spds->spds_xmit_lowat;
3566 
3567         qprocson(q);
3568         (void) proto_set_rx_hiwat(q, NULL, spds->spds_recv_hiwat);
3569 
3570         *devp = makedevice(getmajor(*devp), ss->spdsock_minor);
3571         return (0);
3572 }
3573 
3574 /*
3575  * Read-side service procedure, invoked when we get back-enabled
3576  * when buffer space becomes available.
3577  *
3578  * Dump another chunk if we were dumping before; when we finish, kick
3579  * the write-side queue in case it's waiting for read queue space.
3580  */
3581 int
3582 spdsock_rsrv(queue_t *q)
3583 {
3584         spdsock_t *ss = q->q_ptr;
3585 
3586         if (ss->spdsock_dump_req != NULL)
3587                 spdsock_dump_some(q, ss);
3588 
3589         if (ss->spdsock_dump_req == NULL)
3590                 qenable(OTHERQ(q));
3591         return (0);
3592 }
3593 
3594 /*
3595  * Write-side service procedure, invoked when we defer processing
3596  * if another message is received while a dump is in progress.
3597  */
3598 int
3599 spdsock_wsrv(queue_t *q)
3600 {
3601         spdsock_t *ss = q->q_ptr;
3602         mblk_t *mp;
3603         ipsec_stack_t *ipss = ss->spdsock_spds->spds_netstack->netstack_ipsec;
3604 
3605         if (ss->spdsock_dump_req != NULL) {
3606                 qenable(OTHERQ(q));
3607                 return (0);
3608         }
3609 
3610         while ((mp = getq(q)) != NULL) {
3611                 if (ipsec_loaded(ipss)) {
3612                         spdsock_wput(q, mp);
3613                         if (ss->spdsock_dump_req != NULL)
3614                                 return (0);
3615                 } else if (!ipsec_failed(ipss)) {
3616                         (void) putq(q, mp);
3617                 } else {
3618                         spdsock_error(q, mp, EPFNOSUPPORT, 0);
3619                 }
3620         }
3621         return (0);
3622 }
3623 
3624 /* ARGSUSED */
3625 static int
3626 spdsock_close(queue_t *q, int flags __unused, cred_t *credp __unused)
3627 {
3628         spdsock_t *ss = q->q_ptr;
3629         spd_stack_t     *spds = ss->spdsock_spds;
3630 
3631         qprocsoff(q);
3632 
3633         /* Safe assumption. */
3634         ASSERT(ss != NULL);
3635 
3636         if (ss->spdsock_timeout != 0)
3637                 (void) quntimeout(q, ss->spdsock_timeout);
3638 
3639         ss3dbg(spds, ("Driver close, PF_POLICY socket is going away.\n"));
3640 
3641         vmem_free(spdsock_vmem, (void *)(uintptr_t)ss->spdsock_minor, 1);
3642         netstack_rele(ss->spdsock_spds->spds_netstack);
3643 
3644         kmem_free(ss, sizeof (spdsock_t));
3645         return (0);
3646 }
3647 
3648 /*
3649  * Merge the IPsec algorithms tables with the received algorithm information.
3650  */
3651 void
3652 spdsock_merge_algs(spd_stack_t *spds)
3653 {
3654         ipsec_alginfo_t *alg, *oalg;
3655         ipsec_algtype_t algtype;
3656         uint_t algidx, algid, nalgs;
3657         crypto_mech_name_t *mechs;
3658         uint_t mech_count, mech_idx;
3659         netstack_t      *ns = spds->spds_netstack;
3660         ipsec_stack_t   *ipss = ns->netstack_ipsec;
3661 
3662         ASSERT(MUTEX_HELD(&spds->spds_alg_lock));
3663 
3664         /*
3665          * Get the list of supported mechanisms from the crypto framework.
3666          * If a mechanism is supported by KCF, resolve its mechanism
3667          * id and mark it as being valid. This operation must be done
3668          * without holding alg_lock, since it can cause a provider
3669          * module to be loaded and the provider notification callback to
3670          * be invoked.
3671          */
3672         mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
3673         for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3674                 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) {
3675                         int algflags = 0;
3676                         crypto_mech_type_t mt = CRYPTO_MECHANISM_INVALID;
3677 
3678                         alg = spds->spds_algs[algtype][algid];
3679                         if (alg == NULL)
3680                                 continue;
3681 
3682                         /*
3683                          * The NULL encryption algorithm is a special
3684                          * case because there are no mechanisms, yet
3685                          * the algorithm is still valid.
3686                          */
3687                         if (alg->alg_id == SADB_EALG_NULL) {
3688                                 alg->alg_mech_type = CRYPTO_MECHANISM_INVALID;
3689                                 alg->alg_flags |= ALG_FLAG_VALID;
3690                                 continue;
3691                         }
3692 
3693                         for (mech_idx = 0; mech_idx < mech_count; mech_idx++) {
3694                                 if (strncmp(alg->alg_mech_name, mechs[mech_idx],
3695                                     CRYPTO_MAX_MECH_NAME) == 0) {
3696                                         mt = crypto_mech2id(alg->alg_mech_name);
3697                                         ASSERT(mt != CRYPTO_MECHANISM_INVALID);
3698                                         algflags = ALG_FLAG_VALID;
3699                                         break;
3700                                 }
3701                         }
3702                         alg->alg_mech_type = mt;
3703                         alg->alg_flags |= algflags;
3704                 }
3705         }
3706 
3707         rw_enter(&ipss->ipsec_alg_lock, RW_WRITER);
3708 
3709         /*
3710          * For each algorithm currently defined, check if it is
3711          * present in the new tables created from the SPD_UPDATEALGS
3712          * message received from user-space.
3713          * Delete the algorithm entries that are currently defined
3714          * but not part of the new tables.
3715          */
3716         for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3717                 nalgs = ipss->ipsec_nalgs[algtype];
3718                 for (algidx = 0; algidx < nalgs; algidx++) {
3719                         algid = ipss->ipsec_sortlist[algtype][algidx];
3720                         if (spds->spds_algs[algtype][algid] == NULL)
3721                                 ipsec_alg_unreg(algtype, algid, ns);
3722                 }
3723         }
3724 
3725         /*
3726          * For each algorithm we just received, check if it is
3727          * present in the currently defined tables. If it is, swap
3728          * the entry with the one we just allocated.
3729          * If the new algorithm is not in the current tables,
3730          * add it.
3731          */
3732         for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3733                 for (algid = 0; algid < IPSEC_MAX_ALGS; algid++) {
3734                         alg = spds->spds_algs[algtype][algid];
3735                         if (alg == NULL)
3736                                 continue;
3737 
3738                         if ((oalg = ipss->ipsec_alglists[algtype][algid]) ==
3739                             NULL) {
3740                                 /*
3741                                  * New algorithm, add it to the algorithm
3742                                  * table.
3743                                  */
3744                                 ipsec_alg_reg(algtype, alg, ns);
3745                         } else {
3746                                 /*
3747                                  * Algorithm is already in the table. Swap
3748                                  * the existing entry with the new one.
3749                                  */
3750                                 ipsec_alg_fix_min_max(alg, algtype, ns);
3751                                 ipss->ipsec_alglists[algtype][algid] = alg;
3752                                 ipsec_alg_free(oalg);
3753                         }
3754                         spds->spds_algs[algtype][algid] = NULL;
3755                 }
3756         }
3757 
3758         for (algtype = 0; algtype < IPSEC_NALGTYPES; algtype++) {
3759                 ipss->ipsec_algs_exec_mode[algtype] =
3760                     spds->spds_algs_exec_mode[algtype];
3761         }
3762 
3763         rw_exit(&ipss->ipsec_alg_lock);
3764 
3765         crypto_free_mech_list(mechs, mech_count);
3766 
3767         ipsecah_algs_changed(ns);
3768         ipsecesp_algs_changed(ns);
3769 }