129 void (*ipsa_noncefunc)(struct ipsa_s *, uchar_t *,
130 uint_t, uchar_t *, ipsa_cm_mech_t *, crypto_data_t *);
131 /*
132 * NOTE: I may need more pointers, depending on future SA
133 * requirements.
134 */
135 ipsa_key_t ipsa_authkeydata;
136 #define ipsa_authkey ipsa_authkeydata.sak_key
137 #define ipsa_authkeylen ipsa_authkeydata.sak_keylen
138 #define ipsa_authkeybits ipsa_authkeydata.sak_keybits
139 #define ipsa_auth_alg ipsa_authkeydata.sak_algid
140 ipsa_key_t ipsa_encrkeydata;
141 #define ipsa_encrkey ipsa_encrkeydata.sak_key
142 #define ipsa_encrkeylen ipsa_encrkeydata.sak_keylen
143 #define ipsa_encrkeybits ipsa_encrkeydata.sak_keybits
144 #define ipsa_encr_alg ipsa_encrkeydata.sak_algid
145
146 struct ipsid_s *ipsa_src_cid; /* Source certificate identity */
147 struct ipsid_s *ipsa_dst_cid; /* Destination certificate identity */
148 mblk_t *ipsa_lpkt; /* Packet received while larval (CAS me) */
149 mblk_t *ipsa_bpkt_head; /* Packets received while idle */
150 mblk_t *ipsa_bpkt_tail;
151 #define SADB_MAX_IDLEPKTS 100
152 uint8_t ipsa_mblkcnt; /* Number of packets received while idle */
153
154 /*
155 * PF_KEYv2 supports a replay window size of 255. Hence there is a
156 * need a bit vector to support a replay window of 255. 256 is a nice
157 * round number, so I support that.
158 *
159 * Use an array of uint64_t for best performance on 64-bit
160 * processors. (And hope that 32-bit compilers can handle things
161 * okay.) The " >> 6 " is to get the appropriate number of 64-bit
162 * ints.
163 */
164 #define SADB_MAX_REPLAY 256 /* Must be 0 mod 64. */
165 uint64_t ipsa_replay_arr[SADB_MAX_REPLAY >> 6];
166
167 uint64_t ipsa_unique_id; /* Non-zero for unique SAs */
168 uint64_t ipsa_unique_mask; /* mask value for unique_id */
169
170 /*
171 * Reference count semantics:
172 *
434
435 /* AH can't set NAT flags (or even use NAT). Add NAT flags to the ESP set. */
436 #define ESP_UPDATE_SETTABLE_FLAGS (AH_UPDATE_SETTABLE_FLAGS | IPSA_F_NATT)
437
438 #define AH_ADD_SETTABLE_FLAGS \
439 (AH_UPDATE_SETTABLE_FLAGS | SADB_X_SAFLAGS_AALG1 | \
440 SADB_X_SAFLAGS_AALG2 | SADB_X_SAFLAGS_TUNNEL | \
441 SADB_SAFLAGS_NOREPLAY)
442
443 /* AH can't set NAT flags (or even use NAT). Add NAT flags to the ESP set. */
444 #define ESP_ADD_SETTABLE_FLAGS (AH_ADD_SETTABLE_FLAGS | IPSA_F_NATT | \
445 SADB_X_SAFLAGS_EALG1 | SADB_X_SAFLAGS_EALG2)
446
447
448
449 /* SA states are important for handling UPDATE PF_KEY messages. */
450 #define IPSA_STATE_LARVAL SADB_SASTATE_LARVAL
451 #define IPSA_STATE_MATURE SADB_SASTATE_MATURE
452 #define IPSA_STATE_DYING SADB_SASTATE_DYING
453 #define IPSA_STATE_DEAD SADB_SASTATE_DEAD
454 #define IPSA_STATE_IDLE SADB_X_SASTATE_IDLE
455 #define IPSA_STATE_ACTIVE_ELSEWHERE SADB_X_SASTATE_ACTIVE_ELSEWHERE
456
457 /*
458 * NOTE: If the document authors do things right in defining algorithms, we'll
459 * probably have flags for what all is here w.r.t. replay, ESP w/HMAC,
460 * etc.
461 */
462
463 #define IPSA_T_ACQUIRE SEC_TYPE_NONE /* If this typed returned, sa needed */
464 #define IPSA_T_AH SEC_TYPE_AH /* IPsec AH association */
465 #define IPSA_T_ESP SEC_TYPE_ESP /* IPsec ESP association */
466
467 #define IPSA_AALG_NONE SADB_AALG_NONE /* No auth. algorithm */
468 #define IPSA_AALG_MD5H SADB_AALG_MD5HMAC /* MD5-HMAC algorithm */
469 #define IPSA_AALG_SHA1H SADB_AALG_SHA1HMAC /* SHA1-HMAC algorithm */
470
471 #define IPSA_EALG_NONE SADB_EALG_NONE /* No encryption algorithm */
472 #define IPSA_EALG_DES_CBC SADB_EALG_DESCBC
473 #define IPSA_EALG_3DES SADB_EALG_3DESCBC
474
475 /*
742 mblk_t *sadb_keysock_out(minor_t);
743 int sadb_hardsoftchk(sadb_lifetime_t *, sadb_lifetime_t *, sadb_lifetime_t *);
744 int sadb_labelchk(struct keysock_in_s *);
745 void sadb_pfkey_echo(queue_t *, mblk_t *, sadb_msg_t *, struct keysock_in_s *,
746 ipsa_t *);
747 void sadb_pfkey_error(queue_t *, mblk_t *, int, int, uint_t);
748 void sadb_keysock_hello(queue_t **, queue_t *, mblk_t *, void (*)(void *),
749 void *, timeout_id_t *, int);
750 int sadb_addrcheck(queue_t *, mblk_t *, sadb_ext_t *, uint_t, netstack_t *);
751 boolean_t sadb_addrfix(keysock_in_t *, queue_t *, mblk_t *, netstack_t *);
752 int sadb_addrset(ire_t *);
753 int sadb_delget_sa(mblk_t *, keysock_in_t *, sadbp_t *, int *, queue_t *,
754 uint8_t);
755
756 int sadb_purge_sa(mblk_t *, keysock_in_t *, sadb_t *, int *, queue_t *);
757 int sadb_common_add(queue_t *, mblk_t *, sadb_msg_t *,
758 keysock_in_t *, isaf_t *, isaf_t *, ipsa_t *, boolean_t, boolean_t, int *,
759 netstack_t *, sadbp_t *);
760 void sadb_set_usetime(ipsa_t *);
761 boolean_t sadb_age_bytes(queue_t *, ipsa_t *, uint64_t, boolean_t);
762 int sadb_update_sa(mblk_t *, keysock_in_t *, mblk_t **, sadbp_t *,
763 int *, queue_t *, int (*)(mblk_t *, keysock_in_t *, int *, netstack_t *),
764 netstack_t *, uint8_t);
765 void sadb_acquire(mblk_t *, ip_xmit_attr_t *, boolean_t, boolean_t);
766 void gcm_params_init(ipsa_t *, uchar_t *, uint_t, uchar_t *, ipsa_cm_mech_t *,
767 crypto_data_t *);
768 void ccm_params_init(ipsa_t *, uchar_t *, uint_t, uchar_t *, ipsa_cm_mech_t *,
769 crypto_data_t *);
770 void cbc_params_init(ipsa_t *, uchar_t *, uint_t, uchar_t *, ipsa_cm_mech_t *,
771 crypto_data_t *);
772
773 void sadb_destroy_acquire(ipsacq_t *, netstack_t *);
774 struct ipsec_stack;
775 mblk_t *sadb_setup_acquire(ipsacq_t *, uint8_t, struct ipsec_stack *);
776 ipsa_t *sadb_getspi(keysock_in_t *, uint32_t, int *, netstack_t *, uint_t);
777 void sadb_in_acquire(sadb_msg_t *, sadbp_t *, queue_t *, netstack_t *);
778 boolean_t sadb_replay_check(ipsa_t *, uint32_t);
779 boolean_t sadb_replay_peek(ipsa_t *, uint32_t);
780 int sadb_dump(queue_t *, mblk_t *, keysock_in_t *, sadb_t *);
781 void sadb_replay_delete(ipsa_t *);
782 void sadb_ager(sadb_t *, queue_t *, int, netstack_t *);
783
784 timeout_id_t sadb_retimeout(hrtime_t, queue_t *, void (*)(void *), void *,
785 uint_t *, uint_t, short);
786 void sadb_sa_refrele(void *target);
787 mblk_t *sadb_set_lpkt(ipsa_t *, mblk_t *, ip_recv_attr_t *);
788 mblk_t *sadb_clear_lpkt(ipsa_t *);
789 void sadb_buf_pkt(ipsa_t *, mblk_t *, ip_recv_attr_t *);
790 void sadb_clear_buf_pkt(void *ipkt);
791
792 /* Note that buf_pkt is the product of ip_recv_attr_to_mblk() */
793 #define HANDLE_BUF_PKT(taskq, stack, dropper, buf_pkt) \
794 { \
795 if (buf_pkt != NULL) { \
796 if (taskq_dispatch(taskq, sadb_clear_buf_pkt, \
797 (void *) buf_pkt, TQ_NOSLEEP) == 0) { \
798 /* Dispatch was unsuccessful drop the packets. */ \
799 mblk_t *tmp; \
800 while (buf_pkt != NULL) { \
801 tmp = buf_pkt->b_next; \
802 buf_pkt->b_next = NULL; \
803 buf_pkt = ip_recv_attr_free_mblk(buf_pkt); \
804 ip_drop_packet(buf_pkt, B_TRUE, NULL, \
805 DROPPER(stack, \
806 ipds_sadb_inidle_timeout), \
807 &dropper); \
808 buf_pkt = tmp; \
809 } \
810 } \
811 } \
812 } \
813
814 /*
815 * Two IPsec rate-limiting routines.
816 */
817 /*PRINTFLIKE6*/
818 extern void ipsec_rl_strlog(netstack_t *, short, short, char,
819 ushort_t, char *, ...)
820 __KPRINTFLIKE(6);
821 extern void ipsec_assocfailure(short, short, char, ushort_t, char *, uint32_t,
822 void *, int, netstack_t *);
823
824 /*
825 * Algorithm types.
826 */
827
828 #define IPSEC_NALGTYPES 2
829
830 typedef enum ipsec_algtype {
831 IPSEC_ALG_AUTH = 0,
832 IPSEC_ALG_ENCR = 1,
833 IPSEC_ALG_ALL = 2
|
129 void (*ipsa_noncefunc)(struct ipsa_s *, uchar_t *,
130 uint_t, uchar_t *, ipsa_cm_mech_t *, crypto_data_t *);
131 /*
132 * NOTE: I may need more pointers, depending on future SA
133 * requirements.
134 */
135 ipsa_key_t ipsa_authkeydata;
136 #define ipsa_authkey ipsa_authkeydata.sak_key
137 #define ipsa_authkeylen ipsa_authkeydata.sak_keylen
138 #define ipsa_authkeybits ipsa_authkeydata.sak_keybits
139 #define ipsa_auth_alg ipsa_authkeydata.sak_algid
140 ipsa_key_t ipsa_encrkeydata;
141 #define ipsa_encrkey ipsa_encrkeydata.sak_key
142 #define ipsa_encrkeylen ipsa_encrkeydata.sak_keylen
143 #define ipsa_encrkeybits ipsa_encrkeydata.sak_keybits
144 #define ipsa_encr_alg ipsa_encrkeydata.sak_algid
145
146 struct ipsid_s *ipsa_src_cid; /* Source certificate identity */
147 struct ipsid_s *ipsa_dst_cid; /* Destination certificate identity */
148 mblk_t *ipsa_lpkt; /* Packet received while larval (CAS me) */
149
150 /*
151 * PF_KEYv2 supports a replay window size of 255. Hence there is a
152 * need a bit vector to support a replay window of 255. 256 is a nice
153 * round number, so I support that.
154 *
155 * Use an array of uint64_t for best performance on 64-bit
156 * processors. (And hope that 32-bit compilers can handle things
157 * okay.) The " >> 6 " is to get the appropriate number of 64-bit
158 * ints.
159 */
160 #define SADB_MAX_REPLAY 256 /* Must be 0 mod 64. */
161 uint64_t ipsa_replay_arr[SADB_MAX_REPLAY >> 6];
162
163 uint64_t ipsa_unique_id; /* Non-zero for unique SAs */
164 uint64_t ipsa_unique_mask; /* mask value for unique_id */
165
166 /*
167 * Reference count semantics:
168 *
430
431 /* AH can't set NAT flags (or even use NAT). Add NAT flags to the ESP set. */
432 #define ESP_UPDATE_SETTABLE_FLAGS (AH_UPDATE_SETTABLE_FLAGS | IPSA_F_NATT)
433
434 #define AH_ADD_SETTABLE_FLAGS \
435 (AH_UPDATE_SETTABLE_FLAGS | SADB_X_SAFLAGS_AALG1 | \
436 SADB_X_SAFLAGS_AALG2 | SADB_X_SAFLAGS_TUNNEL | \
437 SADB_SAFLAGS_NOREPLAY)
438
439 /* AH can't set NAT flags (or even use NAT). Add NAT flags to the ESP set. */
440 #define ESP_ADD_SETTABLE_FLAGS (AH_ADD_SETTABLE_FLAGS | IPSA_F_NATT | \
441 SADB_X_SAFLAGS_EALG1 | SADB_X_SAFLAGS_EALG2)
442
443
444
445 /* SA states are important for handling UPDATE PF_KEY messages. */
446 #define IPSA_STATE_LARVAL SADB_SASTATE_LARVAL
447 #define IPSA_STATE_MATURE SADB_SASTATE_MATURE
448 #define IPSA_STATE_DYING SADB_SASTATE_DYING
449 #define IPSA_STATE_DEAD SADB_SASTATE_DEAD
450 /* Deprecated */
451 /* #define IPSA_STATE_IDLE SADB_X_SASTATE_IDLE */
452 /* #define IPSA_STATE_ACTIVE_ELSEWHERE SADB_X_SASTATE_ACTIVE_ELSEWHERE */
453
454 /*
455 * NOTE: If the document authors do things right in defining algorithms, we'll
456 * probably have flags for what all is here w.r.t. replay, ESP w/HMAC,
457 * etc.
458 */
459
460 #define IPSA_T_ACQUIRE SEC_TYPE_NONE /* If this typed returned, sa needed */
461 #define IPSA_T_AH SEC_TYPE_AH /* IPsec AH association */
462 #define IPSA_T_ESP SEC_TYPE_ESP /* IPsec ESP association */
463
464 #define IPSA_AALG_NONE SADB_AALG_NONE /* No auth. algorithm */
465 #define IPSA_AALG_MD5H SADB_AALG_MD5HMAC /* MD5-HMAC algorithm */
466 #define IPSA_AALG_SHA1H SADB_AALG_SHA1HMAC /* SHA1-HMAC algorithm */
467
468 #define IPSA_EALG_NONE SADB_EALG_NONE /* No encryption algorithm */
469 #define IPSA_EALG_DES_CBC SADB_EALG_DESCBC
470 #define IPSA_EALG_3DES SADB_EALG_3DESCBC
471
472 /*
739 mblk_t *sadb_keysock_out(minor_t);
740 int sadb_hardsoftchk(sadb_lifetime_t *, sadb_lifetime_t *, sadb_lifetime_t *);
741 int sadb_labelchk(struct keysock_in_s *);
742 void sadb_pfkey_echo(queue_t *, mblk_t *, sadb_msg_t *, struct keysock_in_s *,
743 ipsa_t *);
744 void sadb_pfkey_error(queue_t *, mblk_t *, int, int, uint_t);
745 void sadb_keysock_hello(queue_t **, queue_t *, mblk_t *, void (*)(void *),
746 void *, timeout_id_t *, int);
747 int sadb_addrcheck(queue_t *, mblk_t *, sadb_ext_t *, uint_t, netstack_t *);
748 boolean_t sadb_addrfix(keysock_in_t *, queue_t *, mblk_t *, netstack_t *);
749 int sadb_addrset(ire_t *);
750 int sadb_delget_sa(mblk_t *, keysock_in_t *, sadbp_t *, int *, queue_t *,
751 uint8_t);
752
753 int sadb_purge_sa(mblk_t *, keysock_in_t *, sadb_t *, int *, queue_t *);
754 int sadb_common_add(queue_t *, mblk_t *, sadb_msg_t *,
755 keysock_in_t *, isaf_t *, isaf_t *, ipsa_t *, boolean_t, boolean_t, int *,
756 netstack_t *, sadbp_t *);
757 void sadb_set_usetime(ipsa_t *);
758 boolean_t sadb_age_bytes(queue_t *, ipsa_t *, uint64_t, boolean_t);
759 int sadb_update_sa(mblk_t *, keysock_in_t *, sadbp_t *,
760 int *, queue_t *, int (*)(mblk_t *, keysock_in_t *, int *, netstack_t *),
761 netstack_t *, uint8_t);
762 void sadb_acquire(mblk_t *, ip_xmit_attr_t *, boolean_t, boolean_t);
763 void gcm_params_init(ipsa_t *, uchar_t *, uint_t, uchar_t *, ipsa_cm_mech_t *,
764 crypto_data_t *);
765 void ccm_params_init(ipsa_t *, uchar_t *, uint_t, uchar_t *, ipsa_cm_mech_t *,
766 crypto_data_t *);
767 void cbc_params_init(ipsa_t *, uchar_t *, uint_t, uchar_t *, ipsa_cm_mech_t *,
768 crypto_data_t *);
769
770 void sadb_destroy_acquire(ipsacq_t *, netstack_t *);
771 struct ipsec_stack;
772 mblk_t *sadb_setup_acquire(ipsacq_t *, uint8_t, struct ipsec_stack *);
773 ipsa_t *sadb_getspi(keysock_in_t *, uint32_t, int *, netstack_t *);
774 void sadb_in_acquire(sadb_msg_t *, sadbp_t *, queue_t *, netstack_t *);
775 boolean_t sadb_replay_check(ipsa_t *, uint32_t);
776 boolean_t sadb_replay_peek(ipsa_t *, uint32_t);
777 int sadb_dump(queue_t *, mblk_t *, keysock_in_t *, sadb_t *);
778 void sadb_replay_delete(ipsa_t *);
779 void sadb_ager(sadb_t *, queue_t *, int, netstack_t *);
780
781 timeout_id_t sadb_retimeout(hrtime_t, queue_t *, void (*)(void *), void *,
782 uint_t *, uint_t, short);
783 void sadb_sa_refrele(void *target);
784 mblk_t *sadb_set_lpkt(ipsa_t *, mblk_t *, ip_recv_attr_t *);
785 mblk_t *sadb_clear_lpkt(ipsa_t *);
786
787 /*
788 * Two IPsec rate-limiting routines.
789 */
790 /*PRINTFLIKE6*/
791 extern void ipsec_rl_strlog(netstack_t *, short, short, char,
792 ushort_t, char *, ...)
793 __KPRINTFLIKE(6);
794 extern void ipsec_assocfailure(short, short, char, ushort_t, char *, uint32_t,
795 void *, int, netstack_t *);
796
797 /*
798 * Algorithm types.
799 */
800
801 #define IPSEC_NALGTYPES 2
802
803 typedef enum ipsec_algtype {
804 IPSEC_ALG_AUTH = 0,
805 IPSEC_ALG_ENCR = 1,
806 IPSEC_ALG_ALL = 2
|