Print this page
First attempt at further IPsec cluster cleanup
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/inet/sadb.h
+++ new/usr/src/uts/common/inet/sadb.h
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 */
25 25
26 26 #ifndef _INET_SADB_H
27 27 #define _INET_SADB_H
28 28
29 29 #ifdef __cplusplus
30 30 extern "C" {
31 31 #endif
32 32
33 33 #include <inet/ipsec_info.h>
34 34 #include <sys/crypto/common.h>
35 35 #include <sys/crypto/api.h>
36 36 #include <sys/note.h>
37 37
38 38 #define IPSA_MAX_ADDRLEN 4 /* Max address len. (in 32-bits) for an SA. */
39 39
40 40 #define MAXSALTSIZE 8
41 41
42 42 /*
43 43 * For combined mode ciphers, store the crypto_mechanism_t in the
44 44 * per-packet ipsec_in_t/ipsec_out_t structures. This is because the PARAMS
45 45 * and nonce values change for each packet. For non-combined mode
46 46 * ciphers, these values are constant for the life of the SA.
47 47 */
48 48 typedef struct ipsa_cm_mech_s {
49 49 crypto_mechanism_t combined_mech;
50 50 union {
51 51 CK_AES_CCM_PARAMS paramu_ccm;
52 52 CK_AES_GCM_PARAMS paramu_gcm;
53 53 } paramu;
54 54 uint8_t nonce[MAXSALTSIZE + sizeof (uint64_t)];
55 55 #define param_ulMACSize paramu.paramu_ccm.ulMACSize
56 56 #define param_ulNonceSize paramu.paramu_ccm.ipsa_ulNonceSize
57 57 #define param_ulAuthDataSize paramu.paramu_ccm.ipsa_ulAuthDataSize
58 58 #define param_ulDataSize paramu.paramu_ccm.ipsa_ulDataSize
59 59 #define param_nonce paramu.paramu_ccm.nonce
60 60 #define param_authData paramu.paramu_ccm.authData
61 61 #define param_pIv paramu.paramu_gcm.ipsa_pIv
62 62 #define param_ulIvLen paramu.paramu_gcm.ulIvLen
63 63 #define param_ulIvBits paramu.paramu_gcm.ulIvBits
64 64 #define param_pAAD paramu.paramu_gcm.pAAD
65 65 #define param_ulAADLen paramu.paramu_gcm.ulAADLen
66 66 #define param_ulTagBits paramu.paramu_gcm.ulTagBits
67 67 } ipsa_cm_mech_t;
68 68
69 69 /*
70 70 * The Initialization Vector (also known as IV or Nonce) used to
71 71 * initialize the Block Cipher, is made up of a Counter and a Salt.
72 72 * The Counter is fixed at 64 bits and is incremented for each packet.
73 73 * The Salt value can be any whole byte value upto 64 bits. This is
74 74 * algorithm mode specific and can be configured with ipsecalgs(1m).
75 75 *
76 76 * We only support whole byte salt lengths, this is because the salt is
77 77 * stored in an array of uint8_t's. This is enforced by ipsecalgs(1m)
78 78 * which configures the salt length as a number of bytes. Checks are
79 79 * made to ensure the salt length defined in ipsecalgs(1m) fits in
80 80 * the ipsec_nonce_t.
81 81 *
82 82 * The Salt value remains constant for the life of the SA, the Salt is
83 83 * know to both peers, but NOT transmitted on the network. The Counter
84 84 * portion of the nonce is transmitted over the network with each packet
85 85 * and is confusingly described as the Initialization Vector by RFCs
86 86 * 4309/4106.
87 87 *
88 88 * The maximum Initialization Vector length is 128 bits, if the actual
89 89 * size is less, its padded internally by the algorithm.
90 90 *
91 91 * The nonce structure is defined like this in the SA (ipsa_t)to ensure
92 92 * the Initilization Vector (counter) is 64 bit aligned, because it will
93 93 * be incremented as an uint64_t. The nonce as used by the algorithms is
94 94 * a straight uint8_t array.
95 95 *
96 96 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
97 97 * | | | | |x|x|x|x| |
98 98 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
99 99 * salt_offset <------>
100 100 * ipsa_saltlen <------->
101 101 * ipsa_nonce_buf------^
102 102 * ipsa_salt-------------~~~~~~^
103 103 * ipsa_nonce------------~~~~~~^
104 104 * ipsa_iv-----------------------------^
105 105 */
106 106 typedef struct ipsec_nonce_s {
107 107 uint8_t salt[MAXSALTSIZE];
108 108 uint64_t iv;
109 109 } ipsec_nonce_t;
110 110
111 111 /*
112 112 * IP security association. Synchronization assumes 32-bit loads, so
113 113 * the 64-bit quantities can't even be be read w/o locking it down!
114 114 */
115 115
116 116 /* keying info */
117 117 typedef struct ipsa_key_s {
118 118 uint8_t *sak_key; /* Algorithm key. */
119 119 uint_t sak_keylen; /* Algorithm key length (in bytes). */
120 120 uint_t sak_keybits; /* Algorithm key length (in bits) */
121 121 uint_t sak_algid; /* Algorithm ID number. */
122 122 } ipsa_key_t;
123 123
124 124 typedef struct ipsa_s {
125 125 struct ipsa_s *ipsa_next; /* Next in hash bucket */
126 126 struct ipsa_s **ipsa_ptpn; /* Pointer to previous next pointer. */
127 127 kmutex_t *ipsa_linklock; /* Pointer to hash-chain lock. */
128 128 void (*ipsa_freefunc)(struct ipsa_s *); /* freeassoc function */
129 129 void (*ipsa_noncefunc)(struct ipsa_s *, uchar_t *,
130 130 uint_t, uchar_t *, ipsa_cm_mech_t *, crypto_data_t *);
131 131 /*
132 132 * NOTE: I may need more pointers, depending on future SA
133 133 * requirements.
134 134 */
135 135 ipsa_key_t ipsa_authkeydata;
136 136 #define ipsa_authkey ipsa_authkeydata.sak_key
137 137 #define ipsa_authkeylen ipsa_authkeydata.sak_keylen
138 138 #define ipsa_authkeybits ipsa_authkeydata.sak_keybits
|
↓ open down ↓ |
138 lines elided |
↑ open up ↑ |
139 139 #define ipsa_auth_alg ipsa_authkeydata.sak_algid
140 140 ipsa_key_t ipsa_encrkeydata;
141 141 #define ipsa_encrkey ipsa_encrkeydata.sak_key
142 142 #define ipsa_encrkeylen ipsa_encrkeydata.sak_keylen
143 143 #define ipsa_encrkeybits ipsa_encrkeydata.sak_keybits
144 144 #define ipsa_encr_alg ipsa_encrkeydata.sak_algid
145 145
146 146 struct ipsid_s *ipsa_src_cid; /* Source certificate identity */
147 147 struct ipsid_s *ipsa_dst_cid; /* Destination certificate identity */
148 148 mblk_t *ipsa_lpkt; /* Packet received while larval (CAS me) */
149 - mblk_t *ipsa_bpkt_head; /* Packets received while idle */
150 - mblk_t *ipsa_bpkt_tail;
151 -#define SADB_MAX_IDLEPKTS 100
152 - uint8_t ipsa_mblkcnt; /* Number of packets received while idle */
153 149
154 150 /*
155 151 * PF_KEYv2 supports a replay window size of 255. Hence there is a
156 152 * need a bit vector to support a replay window of 255. 256 is a nice
157 153 * round number, so I support that.
158 154 *
159 155 * Use an array of uint64_t for best performance on 64-bit
160 156 * processors. (And hope that 32-bit compilers can handle things
161 157 * okay.) The " >> 6 " is to get the appropriate number of 64-bit
162 158 * ints.
163 159 */
164 160 #define SADB_MAX_REPLAY 256 /* Must be 0 mod 64. */
165 161 uint64_t ipsa_replay_arr[SADB_MAX_REPLAY >> 6];
166 162
167 163 uint64_t ipsa_unique_id; /* Non-zero for unique SAs */
168 164 uint64_t ipsa_unique_mask; /* mask value for unique_id */
169 165
170 166 /*
171 167 * Reference count semantics:
172 168 *
173 169 * An SA has a reference count of 1 if something's pointing
174 170 * to it. This includes being in a hash table. So if an
175 171 * SA is in a hash table, it has a reference count of at least 1.
176 172 *
177 173 * When a ptr. to an IPSA is assigned, you MUST REFHOLD after
178 174 * said assignment. When a ptr. to an IPSA is released
179 175 * you MUST REFRELE. When the refcount hits 0, REFRELE
180 176 * will free the IPSA.
181 177 */
182 178 kmutex_t ipsa_lock; /* Locks non-linkage/refcnt fields. */
183 179 /* Q: Since I may be doing refcnts differently, will I need cv? */
184 180 uint_t ipsa_refcnt; /* Reference count. */
185 181
186 182 /*
187 183 * The following four time fields are the ones monitored by ah_ager()
188 184 * and esp_ager() respectively. They are all absolute wall-clock
189 185 * times. The times of creation (i.e. add time) and first use are
190 186 * pretty straightforward. The soft and hard expire times are
191 187 * derived from the times of first use and creation, plus the minimum
192 188 * expiration times in the fields that follow this.
193 189 *
194 190 * For example, if I had a hard add time of 30 seconds, and a hard
195 191 * use time of 15, the ipsa_hardexpiretime would be time of add, plus
196 192 * 30 seconds. If I USE the SA such that time of first use plus 15
197 193 * seconds would be earlier than the add time plus 30 seconds, then
198 194 * ipsa_hardexpiretime would become this earlier time.
199 195 */
200 196 time_t ipsa_addtime; /* Time I was added. */
201 197 time_t ipsa_usetime; /* Time of my first use. */
202 198 time_t ipsa_lastuse; /* Time of my last use. */
203 199 time_t ipsa_idletime; /* Seconds of idle time */
204 200 time_t ipsa_last_nat_t_ka; /* Time of my last NAT-T keepalive. */
205 201 time_t ipsa_softexpiretime; /* Time of my first soft expire. */
206 202 time_t ipsa_hardexpiretime; /* Time of my first hard expire. */
207 203 time_t ipsa_idleexpiretime; /* Time of my next idle expire time */
208 204
209 205 struct ipsec_nonce_s *ipsa_nonce_buf;
210 206 uint8_t *ipsa_nonce;
211 207 uint_t ipsa_nonce_len;
212 208 uint8_t *ipsa_salt;
213 209 uint_t ipsa_saltbits;
214 210 uint_t ipsa_saltlen;
215 211 uint64_t *ipsa_iv;
216 212
217 213 uint64_t ipsa_iv_hardexpire;
218 214 uint64_t ipsa_iv_softexpire;
219 215 /*
220 216 * The following fields are directly reflected in PF_KEYv2 LIFETIME
221 217 * extensions. The time_ts are in number-of-seconds, and the bytes
222 218 * are in... bytes.
223 219 */
224 220 time_t ipsa_softaddlt; /* Seconds of soft lifetime after add. */
225 221 time_t ipsa_softuselt; /* Seconds of soft lifetime after first use. */
226 222 time_t ipsa_hardaddlt; /* Seconds of hard lifetime after add. */
227 223 time_t ipsa_harduselt; /* Seconds of hard lifetime after first use. */
228 224 time_t ipsa_idleaddlt; /* Seconds of idle time after add */
229 225 time_t ipsa_idleuselt; /* Seconds of idle time after first use */
230 226 uint64_t ipsa_softbyteslt; /* Bytes of soft lifetime. */
231 227 uint64_t ipsa_hardbyteslt; /* Bytes of hard lifetime. */
232 228 uint64_t ipsa_bytes; /* Bytes encrypted/authed by this SA. */
233 229
234 230 /*
235 231 * "Allocations" are a concept mentioned in PF_KEYv2. We do not
236 232 * support them, except to record them per the PF_KEYv2 spec.
237 233 */
238 234 uint_t ipsa_softalloc; /* Allocations allowed (soft). */
239 235 uint_t ipsa_hardalloc; /* Allocations allowed (hard). */
240 236 uint_t ipsa_alloc; /* Allocations made. */
241 237
242 238 uint_t ipsa_type; /* Type of security association. (AH/etc.) */
243 239 uint_t ipsa_state; /* State of my association. */
244 240 uint_t ipsa_replay_wsize; /* Size of replay window */
245 241 uint32_t ipsa_flags; /* Flags for security association. */
246 242 uint32_t ipsa_spi; /* Security parameters index. */
247 243 uint32_t ipsa_replay; /* Highest seen replay value for this SA. */
248 244 uint32_t ipsa_kmp; /* key management proto */
249 245 uint32_t ipsa_kmc; /* key management cookie */
250 246
251 247 boolean_t ipsa_haspeer; /* Has peer in another table. */
252 248
253 249 /*
254 250 * Address storage.
255 251 * The source address can be INADDR_ANY, IN6ADDR_ANY, etc.
256 252 *
257 253 * Address families (per sys/socket.h) guide us. We could have just
258 254 * used sockaddr_storage
259 255 */
260 256 sa_family_t ipsa_addrfam;
261 257 sa_family_t ipsa_innerfam; /* Inner AF can be != src/dst AF. */
262 258
263 259 uint32_t ipsa_srcaddr[IPSA_MAX_ADDRLEN];
264 260 uint32_t ipsa_dstaddr[IPSA_MAX_ADDRLEN];
265 261 uint32_t ipsa_innersrc[IPSA_MAX_ADDRLEN];
266 262 uint32_t ipsa_innerdst[IPSA_MAX_ADDRLEN];
267 263
268 264 uint8_t ipsa_innersrcpfx;
269 265 uint8_t ipsa_innerdstpfx;
270 266
271 267 uint16_t ipsa_inbound_cksum; /* cksum correction for inbound packets */
272 268 uint16_t ipsa_local_nat_port; /* Local NAT-T port. (0 --> 4500) */
273 269 uint16_t ipsa_remote_nat_port; /* The other port that isn't 4500 */
274 270
275 271 /* these can only be v4 */
276 272 uint32_t ipsa_natt_addr_loc;
277 273 uint32_t ipsa_natt_addr_rem;
278 274
279 275 /*
280 276 * icmp type and code. *_end are to specify ranges. if only
281 277 * a single value, * and *_end are the same value.
282 278 */
283 279 uint8_t ipsa_icmp_type;
284 280 uint8_t ipsa_icmp_type_end;
285 281 uint8_t ipsa_icmp_code;
286 282 uint8_t ipsa_icmp_code_end;
287 283
288 284 /*
289 285 * For the kernel crypto framework.
290 286 */
291 287 crypto_key_t ipsa_kcfauthkey; /* authentication key */
292 288 crypto_key_t ipsa_kcfencrkey; /* encryption key */
293 289 crypto_ctx_template_t ipsa_authtmpl; /* auth context template */
294 290 crypto_ctx_template_t ipsa_encrtmpl; /* encr context template */
295 291 crypto_mechanism_t ipsa_amech; /* auth mech type and ICV len */
296 292 crypto_mechanism_t ipsa_emech; /* encr mech type */
297 293 size_t ipsa_mac_len; /* auth MAC/ICV length */
298 294 size_t ipsa_iv_len; /* encr IV length */
299 295 size_t ipsa_datalen; /* block length in bytes. */
300 296
301 297 /*
302 298 * Input and output processing functions called from IP.
303 299 * The mblk_t is the data; the IPsec information is in the attributes
304 300 * Returns NULL if the mblk is consumed which it is if there was
305 301 * a failure or if pending. If failure then
306 302 * the ipIfInDiscards/OutDiscards counters are increased.
307 303 */
308 304 mblk_t *(*ipsa_output_func)(mblk_t *, ip_xmit_attr_t *);
309 305 mblk_t *(*ipsa_input_func)(mblk_t *, void *, ip_recv_attr_t *);
310 306
311 307 /*
312 308 * Soft reference to paired SA
313 309 */
314 310 uint32_t ipsa_otherspi;
315 311 netstack_t *ipsa_netstack; /* Does not have a netstack_hold */
316 312
317 313 ts_label_t *ipsa_tsl; /* MLS: label attributes */
318 314 ts_label_t *ipsa_otsl; /* MLS: outer label */
319 315 uint8_t ipsa_mac_exempt; /* MLS: mac exempt flag */
320 316 uchar_t ipsa_opt_storage[IP_MAX_OPT_LENGTH];
321 317 } ipsa_t;
322 318
323 319 /*
324 320 * ipsa_t address handling macros. We want these to be inlined, and deal
325 321 * with 32-bit words to avoid bcmp/bcopy calls.
326 322 *
327 323 * Assume we only have AF_INET and AF_INET6 addresses for now. Also assume
328 324 * that we have 32-bit alignment on everything.
329 325 */
330 326 #define IPSA_IS_ADDR_UNSPEC(addr, fam) ((((uint32_t *)(addr))[0] == 0) && \
331 327 (((fam) == AF_INET) || (((uint32_t *)(addr))[3] == 0 && \
332 328 ((uint32_t *)(addr))[2] == 0 && ((uint32_t *)(addr))[1] == 0)))
333 329 #define IPSA_ARE_ADDR_EQUAL(addr1, addr2, fam) \
334 330 ((((uint32_t *)(addr1))[0] == ((uint32_t *)(addr2))[0]) && \
335 331 (((fam) == AF_INET) || \
336 332 (((uint32_t *)(addr1))[3] == ((uint32_t *)(addr2))[3] && \
337 333 ((uint32_t *)(addr1))[2] == ((uint32_t *)(addr2))[2] && \
338 334 ((uint32_t *)(addr1))[1] == ((uint32_t *)(addr2))[1])))
339 335 #define IPSA_COPY_ADDR(dstaddr, srcaddr, fam) { \
340 336 ((uint32_t *)(dstaddr))[0] = ((uint32_t *)(srcaddr))[0]; \
341 337 if ((fam) == AF_INET6) {\
342 338 ((uint32_t *)(dstaddr))[1] = ((uint32_t *)(srcaddr))[1]; \
343 339 ((uint32_t *)(dstaddr))[2] = ((uint32_t *)(srcaddr))[2]; \
344 340 ((uint32_t *)(dstaddr))[3] = ((uint32_t *)(srcaddr))[3]; } }
345 341
346 342 /*
347 343 * ipsa_t reference hold/release macros.
348 344 *
349 345 * If you have a pointer, you REFHOLD. If you are releasing a pointer, you
350 346 * REFRELE. An ipsa_t that is newly inserted into the table should have
351 347 * a reference count of 1 (for the table's pointer), plus 1 more for every
352 348 * pointer that is referencing the ipsa_t.
353 349 */
354 350
355 351 #define IPSA_REFHOLD(ipsa) { \
356 352 atomic_inc_32(&(ipsa)->ipsa_refcnt); \
357 353 ASSERT((ipsa)->ipsa_refcnt != 0); \
358 354 }
359 355
360 356 /*
361 357 * Decrement the reference count on the SA.
362 358 * In architectures e.g sun4u, where atomic_add_32_nv is just
363 359 * a cas, we need to maintain the right memory barrier semantics
364 360 * as that of mutex_exit i.e all the loads and stores should complete
365 361 * before the cas is executed. membar_exit() does that here.
366 362 */
367 363
368 364 #define IPSA_REFRELE(ipsa) { \
369 365 ASSERT((ipsa)->ipsa_refcnt != 0); \
370 366 membar_exit(); \
371 367 if (atomic_dec_32_nv(&(ipsa)->ipsa_refcnt) == 0) \
372 368 ((ipsa)->ipsa_freefunc)(ipsa); \
373 369 }
374 370
375 371 /*
376 372 * Security association hash macros and definitions. For now, assume the
377 373 * IPsec model, and hash outbounds on destination address, and inbounds on
378 374 * SPI.
379 375 */
380 376
381 377 #define IPSEC_DEFAULT_HASH_SIZE 256
382 378
383 379 #define INBOUND_HASH(sadb, spi) ((spi) % ((sadb)->sdb_hashsize))
384 380 #define OUTBOUND_HASH_V4(sadb, v4addr) ((v4addr) % ((sadb)->sdb_hashsize))
385 381 #define OUTBOUND_HASH_V6(sadb, v6addr) OUTBOUND_HASH_V4((sadb), \
386 382 (*(uint32_t *)&(v6addr)) ^ (*(((uint32_t *)&(v6addr)) + 1)) ^ \
387 383 (*(((uint32_t *)&(v6addr)) + 2)) ^ (*(((uint32_t *)&(v6addr)) + 3)))
388 384
389 385 /*
390 386 * Syntactic sugar to find the appropriate hash bucket directly.
391 387 */
392 388
393 389 #define INBOUND_BUCKET(sadb, spi) &(((sadb)->sdb_if)[INBOUND_HASH(sadb, spi)])
394 390 #define OUTBOUND_BUCKET_V4(sadb, v4addr) \
395 391 &(((sadb)->sdb_of)[OUTBOUND_HASH_V4(sadb, v4addr)])
396 392 #define OUTBOUND_BUCKET_V6(sadb, v6addr) \
397 393 &(((sadb)->sdb_of)[OUTBOUND_HASH_V6(sadb, v6addr)])
398 394
399 395 #define IPSA_F_PFS SADB_SAFLAGS_PFS /* PFS in use for this SA? */
400 396 #define IPSA_F_NOREPFLD SADB_SAFLAGS_NOREPLAY /* No replay field, for */
401 397 /* backward compat. */
402 398 #define IPSA_F_USED SADB_X_SAFLAGS_USED /* SA has been used. */
403 399 #define IPSA_F_UNIQUE SADB_X_SAFLAGS_UNIQUE /* SA is unique */
404 400 #define IPSA_F_AALG1 SADB_X_SAFLAGS_AALG1 /* Auth alg flag 1 */
405 401 #define IPSA_F_AALG2 SADB_X_SAFLAGS_AALG2 /* Auth alg flag 2 */
406 402 #define IPSA_F_EALG1 SADB_X_SAFLAGS_EALG1 /* Encrypt alg flag 1 */
407 403 #define IPSA_F_EALG2 SADB_X_SAFLAGS_EALG2 /* Encrypt alg flag 2 */
408 404
409 405 #define IPSA_F_ASYNC 0x200000 /* Call KCF asynchronously? */
410 406 #define IPSA_F_NATT_LOC SADB_X_SAFLAGS_NATT_LOC
411 407 #define IPSA_F_NATT_REM SADB_X_SAFLAGS_NATT_REM
412 408 #define IPSA_F_BEHIND_NAT SADB_X_SAFLAGS_NATTED
413 409 #define IPSA_F_NATT (SADB_X_SAFLAGS_NATT_LOC | SADB_X_SAFLAGS_NATT_REM | \
414 410 SADB_X_SAFLAGS_NATTED)
415 411 #define IPSA_F_CINVALID 0x40000 /* SA shouldn't be cached */
416 412 #define IPSA_F_PAIRED SADB_X_SAFLAGS_PAIRED /* SA is one of a pair */
417 413 #define IPSA_F_OUTBOUND SADB_X_SAFLAGS_OUTBOUND /* SA direction bit */
418 414 #define IPSA_F_INBOUND SADB_X_SAFLAGS_INBOUND /* SA direction bit */
419 415 #define IPSA_F_TUNNEL SADB_X_SAFLAGS_TUNNEL
420 416 /*
421 417 * These flags are only defined here to prevent a flag value collision.
422 418 */
423 419 #define IPSA_F_COMBINED SADB_X_SAFLAGS_EALG1 /* Defined in pfkeyv2.h */
424 420 #define IPSA_F_COUNTERMODE SADB_X_SAFLAGS_EALG2 /* Defined in pfkeyv2.h */
425 421
426 422 /*
427 423 * Sets of flags that are allowed to by set or modified by PF_KEY apps.
428 424 */
429 425 #define AH_UPDATE_SETTABLE_FLAGS \
430 426 (SADB_X_SAFLAGS_PAIRED | SADB_SAFLAGS_NOREPLAY | \
431 427 SADB_X_SAFLAGS_OUTBOUND | SADB_X_SAFLAGS_INBOUND | \
432 428 SADB_X_SAFLAGS_KM1 | SADB_X_SAFLAGS_KM2 | \
433 429 SADB_X_SAFLAGS_KM3 | SADB_X_SAFLAGS_KM4)
434 430
435 431 /* AH can't set NAT flags (or even use NAT). Add NAT flags to the ESP set. */
436 432 #define ESP_UPDATE_SETTABLE_FLAGS (AH_UPDATE_SETTABLE_FLAGS | IPSA_F_NATT)
437 433
438 434 #define AH_ADD_SETTABLE_FLAGS \
439 435 (AH_UPDATE_SETTABLE_FLAGS | SADB_X_SAFLAGS_AALG1 | \
440 436 SADB_X_SAFLAGS_AALG2 | SADB_X_SAFLAGS_TUNNEL | \
441 437 SADB_SAFLAGS_NOREPLAY)
442 438
443 439 /* AH can't set NAT flags (or even use NAT). Add NAT flags to the ESP set. */
|
↓ open down ↓ |
281 lines elided |
↑ open up ↑ |
444 440 #define ESP_ADD_SETTABLE_FLAGS (AH_ADD_SETTABLE_FLAGS | IPSA_F_NATT | \
445 441 SADB_X_SAFLAGS_EALG1 | SADB_X_SAFLAGS_EALG2)
446 442
447 443
448 444
449 445 /* SA states are important for handling UPDATE PF_KEY messages. */
450 446 #define IPSA_STATE_LARVAL SADB_SASTATE_LARVAL
451 447 #define IPSA_STATE_MATURE SADB_SASTATE_MATURE
452 448 #define IPSA_STATE_DYING SADB_SASTATE_DYING
453 449 #define IPSA_STATE_DEAD SADB_SASTATE_DEAD
454 -#define IPSA_STATE_IDLE SADB_X_SASTATE_IDLE
455 -#define IPSA_STATE_ACTIVE_ELSEWHERE SADB_X_SASTATE_ACTIVE_ELSEWHERE
450 +/* Deprecated */
451 +/* #define IPSA_STATE_IDLE SADB_X_SASTATE_IDLE */
452 +/* #define IPSA_STATE_ACTIVE_ELSEWHERE SADB_X_SASTATE_ACTIVE_ELSEWHERE */
456 453
457 454 /*
458 455 * NOTE: If the document authors do things right in defining algorithms, we'll
459 456 * probably have flags for what all is here w.r.t. replay, ESP w/HMAC,
460 457 * etc.
461 458 */
462 459
463 460 #define IPSA_T_ACQUIRE SEC_TYPE_NONE /* If this typed returned, sa needed */
464 461 #define IPSA_T_AH SEC_TYPE_AH /* IPsec AH association */
465 462 #define IPSA_T_ESP SEC_TYPE_ESP /* IPsec ESP association */
466 463
467 464 #define IPSA_AALG_NONE SADB_AALG_NONE /* No auth. algorithm */
468 465 #define IPSA_AALG_MD5H SADB_AALG_MD5HMAC /* MD5-HMAC algorithm */
469 466 #define IPSA_AALG_SHA1H SADB_AALG_SHA1HMAC /* SHA1-HMAC algorithm */
470 467
471 468 #define IPSA_EALG_NONE SADB_EALG_NONE /* No encryption algorithm */
472 469 #define IPSA_EALG_DES_CBC SADB_EALG_DESCBC
473 470 #define IPSA_EALG_3DES SADB_EALG_3DESCBC
474 471
475 472 /*
476 473 * Protect each ipsa_t bucket (and linkage) with a lock.
477 474 */
478 475
479 476 typedef struct isaf_s {
480 477 ipsa_t *isaf_ipsa;
481 478 kmutex_t isaf_lock;
482 479 uint64_t isaf_gen;
483 480 } isaf_t;
484 481
485 482 /*
486 483 * ACQUIRE record. If AH/ESP/whatever cannot find an association for outbound
487 484 * traffic, it sends up an SADB_ACQUIRE message and create an ACQUIRE record.
488 485 */
489 486
490 487 #define IPSACQ_MAXPACKETS 4 /* Number of packets that can be queued up */
491 488 /* waiting for an ACQUIRE to finish. */
492 489
493 490 typedef struct ipsacq_s {
494 491 struct ipsacq_s *ipsacq_next;
495 492 struct ipsacq_s **ipsacq_ptpn;
496 493 kmutex_t *ipsacq_linklock;
497 494 struct ipsec_policy_s *ipsacq_policy;
498 495 struct ipsec_action_s *ipsacq_act;
499 496
500 497 sa_family_t ipsacq_addrfam; /* Address family. */
501 498 sa_family_t ipsacq_inneraddrfam; /* Inner-packet address family. */
502 499 int ipsacq_numpackets; /* How many packets queued up so far. */
503 500 uint32_t ipsacq_seq; /* PF_KEY sequence number. */
504 501 uint64_t ipsacq_unique_id; /* Unique ID for SAs that need it. */
505 502
506 503 kmutex_t ipsacq_lock; /* Protects non-linkage fields. */
507 504 time_t ipsacq_expire; /* Wall-clock time when this record expires. */
508 505 mblk_t *ipsacq_mp; /* List of datagrams waiting for an SA. */
509 506
510 507 /* These two point inside the last mblk inserted. */
511 508 uint32_t *ipsacq_srcaddr;
512 509 uint32_t *ipsacq_dstaddr;
513 510
514 511 /* Cache these instead of point so we can mask off accordingly */
515 512 uint32_t ipsacq_innersrc[IPSA_MAX_ADDRLEN];
516 513 uint32_t ipsacq_innerdst[IPSA_MAX_ADDRLEN];
517 514
518 515 /* These may change per-acquire. */
519 516 uint16_t ipsacq_srcport;
520 517 uint16_t ipsacq_dstport;
521 518 uint8_t ipsacq_proto;
522 519 uint8_t ipsacq_inner_proto;
523 520 uint8_t ipsacq_innersrcpfx;
524 521 uint8_t ipsacq_innerdstpfx;
525 522
526 523 /* icmp type and code of triggering packet (if applicable) */
527 524 uint8_t ipsacq_icmp_type;
528 525 uint8_t ipsacq_icmp_code;
529 526
530 527 /* label associated with triggering packet */
531 528 ts_label_t *ipsacq_tsl;
532 529 } ipsacq_t;
533 530
534 531 /*
535 532 * Kernel-generated sequence numbers will be no less than 0x80000000 to
536 533 * forestall any cretinous problems with manual keying accidentally updating
537 534 * an ACQUIRE entry.
538 535 */
539 536 #define IACQF_LOWEST_SEQ 0x80000000
540 537
541 538 #define SADB_AGE_INTERVAL_DEFAULT 8000
542 539
543 540 /*
544 541 * ACQUIRE fanout. Protect each linkage with a lock.
545 542 */
546 543
547 544 typedef struct iacqf_s {
548 545 ipsacq_t *iacqf_ipsacq;
549 546 kmutex_t iacqf_lock;
550 547 } iacqf_t;
551 548
552 549 /*
553 550 * A (network protocol, ipsec protocol) specific SADB.
554 551 * (i.e., one each for {ah, esp} and {v4, v6}.
555 552 *
556 553 * Keep outbound assocs in a simple hash table for now.
557 554 * One danger point, multiple SAs for a single dest will clog a bucket.
558 555 * For the future, consider two-level hashing (2nd hash on IPC?), then probe.
559 556 */
560 557
561 558 typedef struct sadb_s
562 559 {
563 560 isaf_t *sdb_of;
564 561 isaf_t *sdb_if;
565 562 iacqf_t *sdb_acq;
566 563 int sdb_hashsize;
567 564 } sadb_t;
568 565
569 566 /*
570 567 * A pair of SADB's (one for v4, one for v6), and related state (including
571 568 * acquire callbacks).
572 569 */
573 570
574 571 typedef struct sadbp_s
575 572 {
576 573 uint32_t s_satype;
577 574 uint32_t *s_acquire_timeout;
578 575 void (*s_acqfn)(ipsacq_t *, mblk_t *, netstack_t *);
579 576 sadb_t s_v4;
580 577 sadb_t s_v6;
581 578 uint32_t s_addflags;
582 579 uint32_t s_updateflags;
583 580 } sadbp_t;
584 581
585 582 /*
586 583 * A pair of SA's for a single connection, the structure contains a
587 584 * pointer to a SA and the SA its paired with (opposite direction) as well
588 585 * as the SA's respective hash buckets.
589 586 */
590 587 typedef struct ipsap_s
591 588 {
592 589 boolean_t in_inbound_table;
593 590 isaf_t *ipsap_bucket;
594 591 ipsa_t *ipsap_sa_ptr;
595 592 isaf_t *ipsap_pbucket;
596 593 ipsa_t *ipsap_psa_ptr;
597 594 } ipsap_t;
598 595
599 596 typedef struct templist_s
600 597 {
601 598 ipsa_t *ipsa;
602 599 struct templist_s *next;
603 600 } templist_t;
604 601
605 602 /* Pointer to an all-zeroes IPv6 address. */
606 603 #define ALL_ZEROES_PTR ((uint32_t *)&ipv6_all_zeros)
607 604
608 605 /*
609 606 * Form unique id from ip_xmit_attr_t.
610 607 */
611 608 #define SA_FORM_UNIQUE_ID(ixa) \
612 609 SA_UNIQUE_ID((ixa)->ixa_ipsec_src_port, (ixa)->ixa_ipsec_dst_port, \
613 610 (((ixa)->ixa_flags & IXAF_IPSEC_TUNNEL) ? \
614 611 ((ixa)->ixa_ipsec_inaf == AF_INET6 ? \
615 612 IPPROTO_IPV6 : IPPROTO_ENCAP) : \
616 613 (ixa)->ixa_ipsec_proto), \
617 614 (((ixa)->ixa_flags & IXAF_IPSEC_TUNNEL) ? \
618 615 (ixa)->ixa_ipsec_proto : 0))
619 616
620 617 /*
621 618 * This macro is used to generate unique ids (along with the addresses, both
622 619 * inner and outer) for outbound datagrams that require unique SAs.
623 620 *
624 621 * N.B. casts and unsigned shift amounts discourage unwarranted
625 622 * sign extension of dstport, proto, and iproto.
626 623 *
627 624 * Unique ID is 64-bits allocated as follows (pardon my big-endian bias):
628 625 *
629 626 * 6 4 43 33 11
630 627 * 3 7 09 21 65 0
631 628 * +---------------*-------+-------+--------------+---------------+
632 629 * | MUST-BE-ZERO |<iprot>|<proto>| <src port> | <dest port> |
633 630 * +---------------*-------+-------+--------------+---------------+
634 631 *
635 632 * If there are inner addresses (tunnel mode) the ports come from the
636 633 * inner addresses. If there are no inner addresses, the ports come from
637 634 * the outer addresses (transport mode). Tunnel mode MUST have <proto>
638 635 * set to either IPPROTO_ENCAP or IPPPROTO_IPV6.
639 636 */
640 637 #define SA_UNIQUE_ID(srcport, dstport, proto, iproto) \
641 638 ((srcport) | ((uint64_t)(dstport) << 16U) | \
642 639 ((uint64_t)(proto) << 32U) | ((uint64_t)(iproto) << 40U))
643 640
644 641 /*
645 642 * SA_UNIQUE_MASK generates a mask value to use when comparing the unique value
646 643 * from a packet to an SA.
647 644 */
648 645
649 646 #define SA_UNIQUE_MASK(srcport, dstport, proto, iproto) \
650 647 SA_UNIQUE_ID((srcport != 0) ? 0xffff : 0, \
651 648 (dstport != 0) ? 0xffff : 0, \
652 649 (proto != 0) ? 0xff : 0, \
653 650 (iproto != 0) ? 0xff : 0)
654 651
655 652 /*
656 653 * Decompose unique id back into its original fields.
657 654 */
658 655 #define SA_IPROTO(ipsa) ((ipsa)->ipsa_unique_id>>40)&0xff
659 656 #define SA_PROTO(ipsa) ((ipsa)->ipsa_unique_id>>32)&0xff
660 657 #define SA_SRCPORT(ipsa) ((ipsa)->ipsa_unique_id & 0xffff)
661 658 #define SA_DSTPORT(ipsa) (((ipsa)->ipsa_unique_id >> 16) & 0xffff)
662 659
663 660 typedef struct ipsa_query_s ipsa_query_t;
664 661
665 662 typedef boolean_t (*ipsa_match_fn_t)(ipsa_query_t *, ipsa_t *);
666 663
667 664 #define IPSA_NMATCH 10
668 665
669 666 /*
670 667 * SADB query structure.
671 668 *
672 669 * Provide a generalized mechanism for matching entries in the SADB;
673 670 * one of these structures is initialized using sadb_form_query(),
674 671 * and then can be used as a parameter to sadb_match_query() which returns
675 672 * B_TRUE if the SA matches the query.
676 673 *
677 674 * Under the covers, sadb_form_query populates the matchers[] array with
678 675 * functions which are called one at a time until one fails to match.
679 676 */
680 677 struct ipsa_query_s {
681 678 uint32_t req, match;
682 679 sadb_address_t *srcext, *dstext;
683 680 sadb_ident_t *srcid, *dstid;
684 681 sadb_x_kmc_t *kmcext;
685 682 sadb_sa_t *assoc;
686 683 uint32_t spi;
687 684 struct sockaddr_in *src;
688 685 struct sockaddr_in6 *src6;
689 686 struct sockaddr_in *dst;
690 687 struct sockaddr_in6 *dst6;
691 688 sa_family_t af;
692 689 uint32_t *srcaddr, *dstaddr;
693 690 uint32_t ifindex;
694 691 uint32_t kmc, kmp;
695 692 char *didstr, *sidstr;
696 693 uint16_t didtype, sidtype;
697 694 sadbp_t *spp;
698 695 sadb_t *sp;
699 696 isaf_t *inbound, *outbound;
700 697 uint32_t outhash;
701 698 uint32_t inhash;
702 699 ipsa_match_fn_t matchers[IPSA_NMATCH];
703 700 };
704 701
705 702 #define IPSA_Q_SA 0x00000001
706 703 #define IPSA_Q_DST 0x00000002
707 704 #define IPSA_Q_SRC 0x00000004
708 705 #define IPSA_Q_DSTID 0x00000008
709 706 #define IPSA_Q_SRCID 0x00000010
710 707 #define IPSA_Q_KMC 0x00000020
711 708 #define IPSA_Q_INBOUND 0x00000040 /* fill in inbound isaf_t */
712 709 #define IPSA_Q_OUTBOUND 0x00000080 /* fill in outbound isaf_t */
713 710
714 711 int sadb_form_query(keysock_in_t *, uint32_t, uint32_t, ipsa_query_t *, int *);
715 712 boolean_t sadb_match_query(ipsa_query_t *q, ipsa_t *sa);
716 713
717 714
718 715 /*
719 716 * All functions that return an ipsa_t will return it with IPSA_REFHOLD()
720 717 * already called.
721 718 */
722 719
723 720 /* SA retrieval (inbound and outbound) */
724 721 ipsa_t *ipsec_getassocbyspi(isaf_t *, uint32_t, uint32_t *, uint32_t *,
725 722 sa_family_t);
726 723 ipsa_t *ipsec_getassocbyconn(isaf_t *, ip_xmit_attr_t *, uint32_t *, uint32_t *,
727 724 sa_family_t, uint8_t, ts_label_t *);
728 725
729 726 /* SA insertion. */
730 727 int sadb_insertassoc(ipsa_t *, isaf_t *);
731 728
732 729 /* SA table construction and destruction. */
733 730 void sadbp_init(const char *name, sadbp_t *, int, int, netstack_t *);
734 731 void sadbp_flush(sadbp_t *, netstack_t *);
735 732 void sadbp_destroy(sadbp_t *, netstack_t *);
736 733
737 734 /* SA insertion and deletion. */
738 735 int sadb_insertassoc(ipsa_t *, isaf_t *);
739 736 void sadb_unlinkassoc(ipsa_t *);
740 737
741 738 /* Support routines to interface a keysock consumer to PF_KEY. */
742 739 mblk_t *sadb_keysock_out(minor_t);
743 740 int sadb_hardsoftchk(sadb_lifetime_t *, sadb_lifetime_t *, sadb_lifetime_t *);
744 741 int sadb_labelchk(struct keysock_in_s *);
745 742 void sadb_pfkey_echo(queue_t *, mblk_t *, sadb_msg_t *, struct keysock_in_s *,
746 743 ipsa_t *);
747 744 void sadb_pfkey_error(queue_t *, mblk_t *, int, int, uint_t);
748 745 void sadb_keysock_hello(queue_t **, queue_t *, mblk_t *, void (*)(void *),
749 746 void *, timeout_id_t *, int);
750 747 int sadb_addrcheck(queue_t *, mblk_t *, sadb_ext_t *, uint_t, netstack_t *);
751 748 boolean_t sadb_addrfix(keysock_in_t *, queue_t *, mblk_t *, netstack_t *);
|
↓ open down ↓ |
286 lines elided |
↑ open up ↑ |
752 749 int sadb_addrset(ire_t *);
753 750 int sadb_delget_sa(mblk_t *, keysock_in_t *, sadbp_t *, int *, queue_t *,
754 751 uint8_t);
755 752
756 753 int sadb_purge_sa(mblk_t *, keysock_in_t *, sadb_t *, int *, queue_t *);
757 754 int sadb_common_add(queue_t *, mblk_t *, sadb_msg_t *,
758 755 keysock_in_t *, isaf_t *, isaf_t *, ipsa_t *, boolean_t, boolean_t, int *,
759 756 netstack_t *, sadbp_t *);
760 757 void sadb_set_usetime(ipsa_t *);
761 758 boolean_t sadb_age_bytes(queue_t *, ipsa_t *, uint64_t, boolean_t);
762 -int sadb_update_sa(mblk_t *, keysock_in_t *, mblk_t **, sadbp_t *,
759 +int sadb_update_sa(mblk_t *, keysock_in_t *, sadbp_t *,
763 760 int *, queue_t *, int (*)(mblk_t *, keysock_in_t *, int *, netstack_t *),
764 761 netstack_t *, uint8_t);
765 762 void sadb_acquire(mblk_t *, ip_xmit_attr_t *, boolean_t, boolean_t);
766 763 void gcm_params_init(ipsa_t *, uchar_t *, uint_t, uchar_t *, ipsa_cm_mech_t *,
767 764 crypto_data_t *);
768 765 void ccm_params_init(ipsa_t *, uchar_t *, uint_t, uchar_t *, ipsa_cm_mech_t *,
769 766 crypto_data_t *);
770 767 void cbc_params_init(ipsa_t *, uchar_t *, uint_t, uchar_t *, ipsa_cm_mech_t *,
771 768 crypto_data_t *);
772 769
773 770 void sadb_destroy_acquire(ipsacq_t *, netstack_t *);
774 771 struct ipsec_stack;
775 772 mblk_t *sadb_setup_acquire(ipsacq_t *, uint8_t, struct ipsec_stack *);
776 -ipsa_t *sadb_getspi(keysock_in_t *, uint32_t, int *, netstack_t *, uint_t);
773 +ipsa_t *sadb_getspi(keysock_in_t *, uint32_t, int *, netstack_t *);
777 774 void sadb_in_acquire(sadb_msg_t *, sadbp_t *, queue_t *, netstack_t *);
778 775 boolean_t sadb_replay_check(ipsa_t *, uint32_t);
779 776 boolean_t sadb_replay_peek(ipsa_t *, uint32_t);
780 777 int sadb_dump(queue_t *, mblk_t *, keysock_in_t *, sadb_t *);
781 778 void sadb_replay_delete(ipsa_t *);
782 779 void sadb_ager(sadb_t *, queue_t *, int, netstack_t *);
783 780
784 781 timeout_id_t sadb_retimeout(hrtime_t, queue_t *, void (*)(void *), void *,
785 782 uint_t *, uint_t, short);
786 783 void sadb_sa_refrele(void *target);
787 784 mblk_t *sadb_set_lpkt(ipsa_t *, mblk_t *, ip_recv_attr_t *);
788 785 mblk_t *sadb_clear_lpkt(ipsa_t *);
789 -void sadb_buf_pkt(ipsa_t *, mblk_t *, ip_recv_attr_t *);
790 -void sadb_clear_buf_pkt(void *ipkt);
791 786
792 -/* Note that buf_pkt is the product of ip_recv_attr_to_mblk() */
793 -#define HANDLE_BUF_PKT(taskq, stack, dropper, buf_pkt) \
794 -{ \
795 - if (buf_pkt != NULL) { \
796 - if (taskq_dispatch(taskq, sadb_clear_buf_pkt, \
797 - (void *) buf_pkt, TQ_NOSLEEP) == 0) { \
798 - /* Dispatch was unsuccessful drop the packets. */ \
799 - mblk_t *tmp; \
800 - while (buf_pkt != NULL) { \
801 - tmp = buf_pkt->b_next; \
802 - buf_pkt->b_next = NULL; \
803 - buf_pkt = ip_recv_attr_free_mblk(buf_pkt); \
804 - ip_drop_packet(buf_pkt, B_TRUE, NULL, \
805 - DROPPER(stack, \
806 - ipds_sadb_inidle_timeout), \
807 - &dropper); \
808 - buf_pkt = tmp; \
809 - } \
810 - } \
811 - } \
812 -} \
813 -
814 787 /*
815 788 * Two IPsec rate-limiting routines.
816 789 */
817 790 /*PRINTFLIKE6*/
818 791 extern void ipsec_rl_strlog(netstack_t *, short, short, char,
819 792 ushort_t, char *, ...)
820 793 __KPRINTFLIKE(6);
821 794 extern void ipsec_assocfailure(short, short, char, ushort_t, char *, uint32_t,
822 795 void *, int, netstack_t *);
823 796
824 797 /*
825 798 * Algorithm types.
826 799 */
827 800
828 801 #define IPSEC_NALGTYPES 2
829 802
830 803 typedef enum ipsec_algtype {
831 804 IPSEC_ALG_AUTH = 0,
832 805 IPSEC_ALG_ENCR = 1,
833 806 IPSEC_ALG_ALL = 2
834 807 } ipsec_algtype_t;
835 808
836 809 /*
837 810 * Definitions as per IPsec/ISAKMP DOI.
838 811 */
839 812
840 813 #define IPSEC_MAX_ALGS 256
841 814 #define PROTO_IPSEC_AH 2
842 815 #define PROTO_IPSEC_ESP 3
843 816
844 817 /*
845 818 * Common algorithm info.
846 819 */
847 820 typedef struct ipsec_alginfo
848 821 {
849 822 uint8_t alg_id;
850 823 uint8_t alg_flags;
851 824 uint16_t *alg_key_sizes;
852 825 uint16_t *alg_block_sizes;
853 826 uint16_t *alg_params;
854 827 uint16_t alg_nkey_sizes;
855 828 uint16_t alg_ivlen;
856 829 uint16_t alg_icvlen;
857 830 uint8_t alg_saltlen;
858 831 uint16_t alg_nblock_sizes;
859 832 uint16_t alg_nparams;
860 833 uint16_t alg_minbits;
861 834 uint16_t alg_maxbits;
862 835 uint16_t alg_datalen;
863 836 /*
864 837 * increment: number of bits from keysize to keysize
865 838 * default: # of increments from min to default key len
866 839 */
867 840 uint16_t alg_increment;
868 841 uint16_t alg_default;
869 842 uint16_t alg_default_bits;
870 843 /*
871 844 * Min, max, and default key sizes effectively supported
872 845 * by the encryption framework.
873 846 */
874 847 uint16_t alg_ef_minbits;
875 848 uint16_t alg_ef_maxbits;
876 849 uint16_t alg_ef_default;
877 850 uint16_t alg_ef_default_bits;
878 851
879 852 crypto_mech_type_t alg_mech_type; /* KCF mechanism type */
880 853 crypto_mech_name_t alg_mech_name; /* KCF mechanism name */
881 854 } ipsec_alginfo_t;
882 855
883 856 #define alg_datalen alg_block_sizes[0]
884 857 #define ALG_VALID(_alg) ((_alg)->alg_flags & ALG_FLAG_VALID)
885 858
886 859 /*
887 860 * Software crypto execution mode.
888 861 */
889 862 typedef enum {
890 863 IPSEC_ALGS_EXEC_SYNC = 0,
891 864 IPSEC_ALGS_EXEC_ASYNC = 1
892 865 } ipsec_algs_exec_mode_t;
893 866
894 867 extern void ipsec_alg_reg(ipsec_algtype_t, ipsec_alginfo_t *, netstack_t *);
895 868 extern void ipsec_alg_unreg(ipsec_algtype_t, uint8_t, netstack_t *);
896 869 extern void ipsec_alg_fix_min_max(ipsec_alginfo_t *, ipsec_algtype_t,
897 870 netstack_t *ns);
898 871 extern void alg_flag_check(ipsec_alginfo_t *);
899 872 extern void ipsec_alg_free(ipsec_alginfo_t *);
900 873 extern void ipsec_register_prov_update(void);
901 874 extern void sadb_alg_update(ipsec_algtype_t, uint8_t, boolean_t, netstack_t *);
902 875
903 876 extern int sadb_sens_len_from_label(ts_label_t *);
904 877 extern void sadb_sens_from_label(sadb_sens_t *, int, ts_label_t *, int);
905 878
906 879 /*
907 880 * Context templates management.
908 881 */
909 882
910 883 #define IPSEC_CTX_TMPL_ALLOC ((crypto_ctx_template_t)-1)
911 884 #define IPSEC_CTX_TMPL(_sa, _which, _type, _tmpl) { \
912 885 if ((_tmpl = (_sa)->_which) == IPSEC_CTX_TMPL_ALLOC) { \
913 886 mutex_enter(&assoc->ipsa_lock); \
914 887 if ((_sa)->_which == IPSEC_CTX_TMPL_ALLOC) { \
915 888 ipsec_stack_t *ipss; \
916 889 \
917 890 ipss = assoc->ipsa_netstack->netstack_ipsec; \
918 891 mutex_enter(&ipss->ipsec_alg_lock); \
919 892 (void) ipsec_create_ctx_tmpl(_sa, _type); \
920 893 mutex_exit(&ipss->ipsec_alg_lock); \
921 894 } \
922 895 mutex_exit(&assoc->ipsa_lock); \
923 896 if ((_tmpl = (_sa)->_which) == IPSEC_CTX_TMPL_ALLOC) \
924 897 _tmpl = NULL; \
925 898 } \
926 899 }
927 900
928 901 extern int ipsec_create_ctx_tmpl(ipsa_t *, ipsec_algtype_t);
929 902 extern void ipsec_destroy_ctx_tmpl(ipsa_t *, ipsec_algtype_t);
930 903
931 904 /* key checking */
932 905 extern int ipsec_check_key(crypto_mech_type_t, sadb_key_t *, boolean_t, int *);
933 906
934 907 typedef struct ipsec_kstats_s {
935 908 kstat_named_t esp_stat_in_requests;
936 909 kstat_named_t esp_stat_in_discards;
937 910 kstat_named_t esp_stat_lookup_failure;
938 911 kstat_named_t ah_stat_in_requests;
939 912 kstat_named_t ah_stat_in_discards;
940 913 kstat_named_t ah_stat_lookup_failure;
941 914 kstat_named_t sadb_acquire_maxpackets;
942 915 kstat_named_t sadb_acquire_qhiwater;
943 916 } ipsec_kstats_t;
944 917
945 918 /*
946 919 * (ipss)->ipsec_kstats is equal to (ipss)->ipsec_ksp->ks_data if
947 920 * kstat_create_netstack for (ipss)->ipsec_ksp succeeds, but when it
948 921 * fails, it will be NULL. Note this is done for all stack instances,
949 922 * so it *could* fail. hence a non-NULL checking is done for
950 923 * IP_ESP_BUMP_STAT, IP_AH_BUMP_STAT and IP_ACQUIRE_STAT
951 924 */
952 925 #define IP_ESP_BUMP_STAT(ipss, x) \
953 926 do { \
954 927 if ((ipss)->ipsec_kstats != NULL) \
955 928 ((ipss)->ipsec_kstats->esp_stat_ ## x).value.ui64++; \
956 929 _NOTE(CONSTCOND) \
957 930 } while (0)
958 931
959 932 #define IP_AH_BUMP_STAT(ipss, x) \
960 933 do { \
961 934 if ((ipss)->ipsec_kstats != NULL) \
962 935 ((ipss)->ipsec_kstats->ah_stat_ ## x).value.ui64++; \
963 936 _NOTE(CONSTCOND) \
964 937 } while (0)
965 938
966 939 #define IP_ACQUIRE_STAT(ipss, val, new) \
967 940 do { \
968 941 if ((ipss)->ipsec_kstats != NULL && \
969 942 ((uint64_t)(new)) > \
970 943 ((ipss)->ipsec_kstats->sadb_acquire_ ## val).value.ui64) \
971 944 ((ipss)->ipsec_kstats->sadb_acquire_ ## val).value.ui64 = \
972 945 ((uint64_t)(new)); \
973 946 _NOTE(CONSTCOND) \
974 947 } while (0)
975 948
976 949
977 950 #ifdef __cplusplus
978 951 }
979 952 #endif
980 953
981 954 #endif /* _INET_SADB_H */
|
↓ open down ↓ |
158 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX