Print this page
8541 pfiles does not properly identify PF_KEY or PF_POLICY
Reviewed by: Mike Zeller <mike.zeller@joyent.com>
Reviewed by: Patrick Mooney <patrick.mooney@joyent.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/inet/ipsec_impl.h
+++ new/usr/src/uts/common/inet/ipsec_impl.h
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
|
↓ open down ↓ |
14 lines elided |
↑ open up ↑ |
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
25 + * Copyright 2017 Joyent, Inc.
25 26 */
26 27
27 28 #ifndef _INET_IPSEC_IMPL_H
28 29 #define _INET_IPSEC_IMPL_H
29 30
30 31 #include <inet/ip.h>
31 32 #include <inet/ipdrop.h>
32 33
33 34 #ifdef __cplusplus
34 35 extern "C" {
35 36 #endif
36 37
37 38 #define IPSEC_CONF_SRC_ADDRESS 0 /* Source Address */
38 39 #define IPSEC_CONF_SRC_PORT 1 /* Source Port */
39 40 #define IPSEC_CONF_DST_ADDRESS 2 /* Dest Address */
40 41 #define IPSEC_CONF_DST_PORT 3 /* Dest Port */
41 42 #define IPSEC_CONF_SRC_MASK 4 /* Source Address Mask */
42 43 #define IPSEC_CONF_DST_MASK 5 /* Destination Address Mask */
43 44 #define IPSEC_CONF_ULP 6 /* Upper layer Port */
44 45 #define IPSEC_CONF_IPSEC_PROT 7 /* AH or ESP or AH_ESP */
45 46 #define IPSEC_CONF_IPSEC_AALGS 8 /* Auth Algorithms - MD5 etc. */
46 47 #define IPSEC_CONF_IPSEC_EALGS 9 /* Encr Algorithms - DES etc. */
47 48 #define IPSEC_CONF_IPSEC_EAALGS 10 /* Encr Algorithms - MD5 etc. */
48 49 #define IPSEC_CONF_IPSEC_SA 11 /* Shared or unique SA */
49 50 #define IPSEC_CONF_IPSEC_DIR 12 /* Direction of traffic */
50 51 #define IPSEC_CONF_ICMP_TYPE 13 /* ICMP type */
51 52 #define IPSEC_CONF_ICMP_CODE 14 /* ICMP code */
52 53 #define IPSEC_CONF_NEGOTIATE 15 /* Negotiation */
53 54 #define IPSEC_CONF_TUNNEL 16 /* Tunnel */
54 55
55 56 /* Type of an entry */
56 57
57 58 #define IPSEC_NTYPES 0x02
58 59 #define IPSEC_TYPE_OUTBOUND 0x00
59 60 #define IPSEC_TYPE_INBOUND 0x01
60 61
61 62 /* Policy */
62 63 #define IPSEC_POLICY_APPLY 0x01
63 64 #define IPSEC_POLICY_DISCARD 0x02
64 65 #define IPSEC_POLICY_BYPASS 0x03
65 66
66 67 /* Shared or unique SA */
67 68 #define IPSEC_SHARED_SA 0x01
68 69 #define IPSEC_UNIQUE_SA 0x02
69 70
70 71 /* IPsec protocols and combinations */
71 72 #define IPSEC_AH_ONLY 0x01
72 73 #define IPSEC_ESP_ONLY 0x02
73 74 #define IPSEC_AH_ESP 0x03
74 75
75 76 /*
76 77 * Internally defined "any" algorithm.
77 78 * Move to PF_KEY v3 when that RFC is released.
78 79 */
79 80 #define SADB_AALG_ANY 255
80 81
81 82 #ifdef _KERNEL
82 83
83 84 #include <inet/common.h>
84 85 #include <netinet/ip6.h>
85 86 #include <netinet/icmp6.h>
86 87 #include <net/pfkeyv2.h>
87 88 #include <inet/ip.h>
88 89 #include <inet/sadb.h>
89 90 #include <inet/ipsecah.h>
90 91 #include <inet/ipsecesp.h>
91 92 #include <sys/crypto/common.h>
92 93 #include <sys/crypto/api.h>
93 94 #include <sys/avl.h>
94 95
95 96 /*
96 97 * Maximum number of authentication algorithms (can be indexed by one byte
97 98 * per PF_KEY and the IKE IPsec DOI.
98 99 */
99 100 #define MAX_AALGS 256
100 101
101 102 /*
102 103 * IPsec task queue constants.
|
↓ open down ↓ |
68 lines elided |
↑ open up ↑ |
103 104 */
104 105 #define IPSEC_TASKQ_MIN 10
105 106 #define IPSEC_TASKQ_MAX 20
106 107
107 108 /*
108 109 * So we can access IPsec global variables that live in keysock.c.
109 110 */
110 111 extern boolean_t keysock_extended_reg(netstack_t *);
111 112 extern uint32_t keysock_next_seq(netstack_t *);
112 113
114 +/* Common-code for spdsock and keysock. */
115 +extern void keysock_spdsock_wput_iocdata(queue_t *, mblk_t *, sa_family_t);
116 +
113 117 /*
114 118 * Locking for ipsec policy rules:
115 119 *
116 120 * policy heads: system policy is static; per-conn polheads are dynamic,
117 121 * and refcounted (and inherited); use atomic refcounts and "don't let
118 122 * go with both hands".
119 123 *
120 124 * policy: refcounted; references from polhead, ipsec_out
121 125 *
122 126 * actions: refcounted; referenced from: action hash table, policy, ipsec_out
123 127 * selectors: refcounted; referenced from: selector hash table, policy.
124 128 */
125 129
126 130 /*
127 131 * the following are inspired by, but not directly based on,
128 132 * some of the sys/queue.h type-safe pseudo-polymorphic macros
129 133 * found in BSD.
130 134 *
131 135 * XXX If we use these more generally, we'll have to make the names
132 136 * less generic (HASH_* will probably clobber other namespaces).
133 137 */
134 138
135 139 #define HASH_LOCK(table, hash) \
136 140 mutex_enter(&(table)[hash].hash_lock)
137 141 #define HASH_UNLOCK(table, hash) \
138 142 mutex_exit(&(table)[hash].hash_lock)
139 143
140 144 #define HASH_LOCKED(table, hash) \
141 145 MUTEX_HELD(&(table)[hash].hash_lock)
142 146
143 147 #define HASH_ITERATE(var, field, table, hash) \
144 148 var = table[hash].hash_head; var != NULL; var = var->field.hash_next
145 149
146 150 #define HASH_NEXT(var, field) \
147 151 (var)->field.hash_next
148 152
149 153 #define HASH_INSERT(var, field, table, hash) \
150 154 { \
151 155 ASSERT(HASH_LOCKED(table, hash)); \
152 156 (var)->field.hash_next = (table)[hash].hash_head; \
153 157 (var)->field.hash_pp = &(table)[hash].hash_head; \
154 158 (table)[hash].hash_head = var; \
155 159 if ((var)->field.hash_next != NULL) \
156 160 (var)->field.hash_next->field.hash_pp = \
157 161 &((var)->field.hash_next); \
158 162 }
159 163
160 164
161 165 #define HASH_UNCHAIN(var, field, table, hash) \
162 166 { \
163 167 ASSERT(MUTEX_HELD(&(table)[hash].hash_lock)); \
164 168 HASHLIST_UNCHAIN(var, field); \
165 169 }
166 170
167 171 #define HASHLIST_INSERT(var, field, head) \
168 172 { \
169 173 (var)->field.hash_next = head; \
170 174 (var)->field.hash_pp = &(head); \
171 175 head = var; \
172 176 if ((var)->field.hash_next != NULL) \
173 177 (var)->field.hash_next->field.hash_pp = \
174 178 &((var)->field.hash_next); \
175 179 }
176 180
177 181 #define HASHLIST_UNCHAIN(var, field) \
178 182 { \
179 183 *var->field.hash_pp = var->field.hash_next; \
180 184 if (var->field.hash_next) \
181 185 var->field.hash_next->field.hash_pp = \
182 186 var->field.hash_pp; \
183 187 HASH_NULL(var, field); \
184 188 }
185 189
186 190
187 191 #define HASH_NULL(var, field) \
188 192 { \
189 193 var->field.hash_next = NULL; \
190 194 var->field.hash_pp = NULL; \
191 195 }
192 196
193 197 #define HASH_LINK(fieldname, type) \
194 198 struct { \
195 199 type *hash_next; \
196 200 type **hash_pp; \
197 201 } fieldname
198 202
199 203
200 204 #define HASH_HEAD(tag) \
201 205 struct { \
202 206 struct tag *hash_head; \
203 207 kmutex_t hash_lock; \
204 208 }
205 209
206 210
207 211 typedef struct ipsec_policy_s ipsec_policy_t;
208 212
209 213 typedef HASH_HEAD(ipsec_policy_s) ipsec_policy_hash_t;
210 214
211 215 /*
212 216 * When adding new fields to ipsec_prot_t, make sure to update
213 217 * ipsec_in_to_out_action() as well as other code in spd.c
214 218 */
215 219
216 220 typedef struct ipsec_prot
217 221 {
218 222 unsigned int
219 223 ipp_use_ah : 1,
220 224 ipp_use_esp : 1,
221 225 ipp_use_se : 1,
222 226 ipp_use_unique : 1,
223 227 ipp_use_espa : 1,
224 228 ipp_pad : 27;
225 229 uint8_t ipp_auth_alg; /* DOI number */
226 230 uint8_t ipp_encr_alg; /* DOI number */
227 231 uint8_t ipp_esp_auth_alg; /* DOI number */
228 232 uint16_t ipp_ah_minbits; /* AH: min keylen */
229 233 uint16_t ipp_ah_maxbits; /* AH: max keylen */
230 234 uint16_t ipp_espe_minbits; /* ESP encr: min keylen */
231 235 uint16_t ipp_espe_maxbits; /* ESP encr: max keylen */
232 236 uint16_t ipp_espa_minbits; /* ESP auth: min keylen */
233 237 uint16_t ipp_espa_maxbits; /* ESP auth: max keylen */
234 238 uint32_t ipp_km_proto; /* key mgmt protocol */
235 239 uint32_t ipp_km_cookie; /* key mgmt cookie */
236 240 uint32_t ipp_replay_depth; /* replay window */
237 241 /* XXX add lifetimes */
238 242 } ipsec_prot_t;
239 243
240 244 #define IPSEC_MAX_KEYBITS (0xffff)
241 245
242 246 /*
243 247 * An individual policy action, possibly a member of a chain.
244 248 *
245 249 * Action chains may be shared between multiple policy rules.
246 250 *
247 251 * With one exception (IPSEC_POLICY_LOG), a chain consists of an
248 252 * ordered list of alternative ways to handle a packet.
249 253 *
250 254 * All actions are also "interned" into a hash table (to allow
251 255 * multiple rules with the same action chain to share one copy in
252 256 * memory).
253 257 */
254 258
255 259 typedef struct ipsec_act
256 260 {
257 261 uint8_t ipa_type;
258 262 uint8_t ipa_log;
259 263 union
260 264 {
261 265 ipsec_prot_t ipau_apply;
262 266 uint8_t ipau_reject_type;
263 267 uint32_t ipau_resolve_id; /* magic cookie */
264 268 uint8_t ipau_log_type;
265 269 } ipa_u;
266 270 #define ipa_apply ipa_u.ipau_apply
267 271 #define ipa_reject_type ipa_u.ipau_reject_type
268 272 #define ipa_log_type ipa_u.ipau_log_type
269 273 #define ipa_resolve_type ipa_u.ipau_resolve_type
270 274 } ipsec_act_t;
271 275
272 276 #define IPSEC_ACT_APPLY 0x01 /* match IPSEC_POLICY_APPLY */
273 277 #define IPSEC_ACT_DISCARD 0x02 /* match IPSEC_POLICY_DISCARD */
274 278 #define IPSEC_ACT_BYPASS 0x03 /* match IPSEC_POLICY_BYPASS */
275 279 #define IPSEC_ACT_REJECT 0x04
276 280 #define IPSEC_ACT_CLEAR 0x05
277 281
278 282 typedef struct ipsec_action_s
279 283 {
280 284 HASH_LINK(ipa_hash, struct ipsec_action_s);
281 285 struct ipsec_action_s *ipa_next; /* next alternative */
282 286 uint32_t ipa_refs; /* refcount */
283 287 ipsec_act_t ipa_act;
284 288 /*
285 289 * The following bits are equivalent to an OR of bits included in the
286 290 * ipau_apply fields of this and subsequent actions in an
287 291 * action chain; this is an optimization for the sake of
288 292 * ipsec_out_process() in ip.c and a few other places.
289 293 */
290 294 unsigned int
291 295 ipa_hval: 8,
292 296 ipa_allow_clear:1, /* rule allows cleartext? */
293 297 ipa_want_ah:1, /* an action wants ah */
294 298 ipa_want_esp:1, /* an action wants esp */
295 299 ipa_want_se:1, /* an action wants se */
296 300 ipa_want_unique:1, /* want unique sa's */
297 301 ipa_pad:19;
298 302 uint32_t ipa_ovhd; /* per-packet encap ovhd */
299 303 } ipsec_action_t;
300 304
301 305 #define IPACT_REFHOLD(ipa) { \
302 306 atomic_inc_32(&(ipa)->ipa_refs); \
303 307 ASSERT((ipa)->ipa_refs != 0); \
304 308 }
305 309 #define IPACT_REFRELE(ipa) { \
306 310 ASSERT((ipa)->ipa_refs != 0); \
307 311 membar_exit(); \
308 312 if (atomic_dec_32_nv(&(ipa)->ipa_refs) == 0) \
309 313 ipsec_action_free(ipa); \
310 314 (ipa) = 0; \
311 315 }
312 316
313 317 /*
314 318 * For now, use a trivially sized hash table for actions.
315 319 * In the future we can add the structure canonicalization necessary
316 320 * to get the hash function to behave correctly..
317 321 */
318 322 #define IPSEC_ACTION_HASH_SIZE 1
319 323
320 324 /*
321 325 * Merged address structure, for cheezy address-family independent
322 326 * matches in policy code.
323 327 */
324 328
325 329 typedef union ipsec_addr
326 330 {
327 331 in6_addr_t ipsad_v6;
328 332 in_addr_t ipsad_v4;
329 333 } ipsec_addr_t;
330 334
331 335 /*
332 336 * ipsec selector set, as used by the kernel policy structures.
333 337 * Note that that we specify "local" and "remote"
334 338 * rather than "source" and "destination", which allows the selectors
335 339 * for symmetric policy rules to be shared between inbound and
336 340 * outbound rules.
337 341 *
338 342 * "local" means "destination" on inbound, and "source" on outbound.
339 343 * "remote" means "source" on inbound, and "destination" on outbound.
340 344 * XXX if we add a fifth policy enforcement point for forwarded packets,
341 345 * what do we do?
342 346 *
343 347 * The ipsl_valid mask is not done as a bitfield; this is so we
344 348 * can use "ffs()" to find the "most interesting" valid tag.
345 349 *
346 350 * XXX should we have multiple types for space-conservation reasons?
347 351 * (v4 vs v6? prefix vs. range)?
348 352 */
349 353
350 354 typedef struct ipsec_selkey
351 355 {
352 356 uint32_t ipsl_valid; /* bitmask of valid entries */
353 357 #define IPSL_REMOTE_ADDR 0x00000001
354 358 #define IPSL_LOCAL_ADDR 0x00000002
355 359 #define IPSL_REMOTE_PORT 0x00000004
356 360 #define IPSL_LOCAL_PORT 0x00000008
357 361 #define IPSL_PROTOCOL 0x00000010
358 362 #define IPSL_ICMP_TYPE 0x00000020
359 363 #define IPSL_ICMP_CODE 0x00000040
360 364 #define IPSL_IPV6 0x00000080
361 365 #define IPSL_IPV4 0x00000100
362 366
363 367 #define IPSL_WILDCARD 0x0000007f
364 368
365 369 ipsec_addr_t ipsl_local;
366 370 ipsec_addr_t ipsl_remote;
367 371 uint16_t ipsl_lport;
368 372 uint16_t ipsl_rport;
369 373 /*
370 374 * ICMP type and code selectors. Both have an end value to
371 375 * specify ranges, or * and *_end are equal for a single
372 376 * value
373 377 */
374 378 uint8_t ipsl_icmp_type;
375 379 uint8_t ipsl_icmp_type_end;
376 380 uint8_t ipsl_icmp_code;
377 381 uint8_t ipsl_icmp_code_end;
378 382
379 383 uint8_t ipsl_proto; /* ip payload type */
380 384 uint8_t ipsl_local_pfxlen; /* #bits of prefix */
381 385 uint8_t ipsl_remote_pfxlen; /* #bits of prefix */
382 386 uint8_t ipsl_mbz;
383 387
384 388 /* Insert new elements above this line */
385 389 uint32_t ipsl_pol_hval;
386 390 uint32_t ipsl_sel_hval;
387 391 } ipsec_selkey_t;
388 392
389 393 typedef struct ipsec_sel
390 394 {
391 395 HASH_LINK(ipsl_hash, struct ipsec_sel);
392 396 uint32_t ipsl_refs; /* # refs to this sel */
393 397 ipsec_selkey_t ipsl_key; /* actual selector guts */
394 398 } ipsec_sel_t;
395 399
396 400 /*
397 401 * One policy rule. This will be linked into a single hash chain bucket in
398 402 * the parent rule structure. If the selector is simple enough to
399 403 * allow hashing, it gets filed under ipsec_policy_root_t->ipr_hash.
400 404 * Otherwise it goes onto a linked list in ipsec_policy_root_t->ipr_nonhash[af]
401 405 *
402 406 * In addition, we file the rule into an avl tree keyed by the rule index.
403 407 * (Duplicate rules are permitted; the comparison function breaks ties).
404 408 */
405 409 struct ipsec_policy_s
406 410 {
407 411 HASH_LINK(ipsp_hash, struct ipsec_policy_s);
408 412 avl_node_t ipsp_byid;
409 413 uint64_t ipsp_index; /* unique id */
410 414 uint32_t ipsp_prio; /* rule priority */
411 415 uint32_t ipsp_refs;
412 416 ipsec_sel_t *ipsp_sel; /* selector set (shared) */
413 417 ipsec_action_t *ipsp_act; /* action (may be shared) */
414 418 netstack_t *ipsp_netstack; /* No netstack_hold */
415 419 };
416 420
417 421 #define IPPOL_REFHOLD(ipp) { \
418 422 atomic_inc_32(&(ipp)->ipsp_refs); \
419 423 ASSERT((ipp)->ipsp_refs != 0); \
420 424 }
421 425 #define IPPOL_REFRELE(ipp) { \
422 426 ASSERT((ipp)->ipsp_refs != 0); \
423 427 membar_exit(); \
424 428 if (atomic_dec_32_nv(&(ipp)->ipsp_refs) == 0) \
425 429 ipsec_policy_free(ipp); \
426 430 (ipp) = 0; \
427 431 }
428 432
429 433 #define IPPOL_UNCHAIN(php, ip) \
430 434 HASHLIST_UNCHAIN((ip), ipsp_hash); \
431 435 avl_remove(&(php)->iph_rulebyid, (ip)); \
432 436 IPPOL_REFRELE(ip);
433 437
434 438 /*
435 439 * Policy ruleset. One per (protocol * direction) for system policy.
436 440 */
437 441
438 442 #define IPSEC_AF_V4 0
439 443 #define IPSEC_AF_V6 1
440 444 #define IPSEC_NAF 2
441 445
442 446 typedef struct ipsec_policy_root_s
443 447 {
444 448 ipsec_policy_t *ipr_nonhash[IPSEC_NAF];
445 449 int ipr_nchains;
446 450 ipsec_policy_hash_t *ipr_hash;
447 451 } ipsec_policy_root_t;
448 452
449 453 /*
450 454 * Policy head. One for system policy; there may also be one present
451 455 * on ill_t's with interface-specific policy, as well as one present
452 456 * for sockets with per-socket policy allocated.
453 457 */
454 458
455 459 typedef struct ipsec_policy_head_s
456 460 {
457 461 uint32_t iph_refs;
458 462 krwlock_t iph_lock;
459 463 uint64_t iph_gen; /* generation number */
460 464 ipsec_policy_root_t iph_root[IPSEC_NTYPES];
461 465 avl_tree_t iph_rulebyid;
462 466 } ipsec_policy_head_t;
463 467
464 468 #define IPPH_REFHOLD(iph) { \
465 469 atomic_inc_32(&(iph)->iph_refs); \
466 470 ASSERT((iph)->iph_refs != 0); \
467 471 }
468 472 #define IPPH_REFRELE(iph, ns) { \
469 473 ASSERT((iph)->iph_refs != 0); \
470 474 membar_exit(); \
471 475 if (atomic_dec_32_nv(&(iph)->iph_refs) == 0) \
472 476 ipsec_polhead_free(iph, ns); \
473 477 (iph) = 0; \
474 478 }
475 479
476 480 /*
477 481 * IPsec fragment related structures
478 482 */
479 483
480 484 typedef struct ipsec_fragcache_entry {
481 485 struct ipsec_fragcache_entry *itpfe_next; /* hash list chain */
482 486 mblk_t *itpfe_fraglist; /* list of fragments */
483 487 time_t itpfe_exp; /* time when entry is stale */
484 488 int itpfe_depth; /* # of fragments in list */
485 489 ipsec_addr_t itpfe_frag_src;
486 490 ipsec_addr_t itpfe_frag_dst;
487 491 #define itpfe_src itpfe_frag_src.ipsad_v4
488 492 #define itpfe_src6 itpfe_frag_src.ipsad_v6
489 493 #define itpfe_dst itpfe_frag_dst.ipsad_v4
490 494 #define itpfe_dst6 itpfe_frag_dst.ipsad_v6
491 495 uint32_t itpfe_id; /* IP datagram ID */
492 496 uint8_t itpfe_proto; /* IP Protocol */
493 497 uint8_t itpfe_last; /* Last packet */
494 498 } ipsec_fragcache_entry_t;
495 499
496 500 typedef struct ipsec_fragcache {
497 501 kmutex_t itpf_lock;
498 502 struct ipsec_fragcache_entry **itpf_ptr;
499 503 struct ipsec_fragcache_entry *itpf_freelist;
500 504 time_t itpf_expire_hint; /* time when oldest entry is stale */
501 505 } ipsec_fragcache_t;
502 506
503 507 /*
504 508 * Tunnel policies. We keep a minature of the transport-mode/global policy
505 509 * per each tunnel instance.
506 510 *
507 511 * People who need both an itp held down AND one of its polheads need to
508 512 * first lock the itp, THEN the polhead, otherwise deadlock WILL occur.
509 513 */
510 514 typedef struct ipsec_tun_pol_s {
511 515 avl_node_t itp_node;
512 516 kmutex_t itp_lock;
513 517 uint64_t itp_next_policy_index;
514 518 ipsec_policy_head_t *itp_policy;
515 519 ipsec_policy_head_t *itp_inactive;
516 520 uint32_t itp_flags;
517 521 uint32_t itp_refcnt;
518 522 char itp_name[LIFNAMSIZ];
519 523 ipsec_fragcache_t itp_fragcache;
520 524 } ipsec_tun_pol_t;
521 525 /* NOTE - Callers (tun code) synchronize their own instances for these flags. */
522 526 #define ITPF_P_ACTIVE 0x1 /* Are we using IPsec right now? */
523 527 #define ITPF_P_TUNNEL 0x2 /* Negotiate tunnel-mode */
524 528 /* Optimization -> Do we have per-port security entries in this polhead? */
525 529 #define ITPF_P_PER_PORT_SECURITY 0x4
526 530 #define ITPF_PFLAGS 0x7
527 531 #define ITPF_SHIFT 3
528 532
529 533 #define ITPF_I_ACTIVE 0x8 /* Is the inactive using IPsec right now? */
530 534 #define ITPF_I_TUNNEL 0x10 /* Negotiate tunnel-mode (on inactive) */
531 535 /* Optimization -> Do we have per-port security entries in this polhead? */
532 536 #define ITPF_I_PER_PORT_SECURITY 0x20
533 537 #define ITPF_IFLAGS 0x38
534 538
535 539 /* NOTE: f cannot be an expression. */
536 540 #define ITPF_CLONE(f) (f) = (((f) & ITPF_PFLAGS) | \
537 541 (((f) & ITPF_PFLAGS) << ITPF_SHIFT));
538 542 #define ITPF_SWAP(f) (f) = ((((f) & ITPF_PFLAGS) << ITPF_SHIFT) | \
539 543 (((f) & ITPF_IFLAGS) >> ITPF_SHIFT))
540 544
541 545 #define ITP_P_ISACTIVE(itp, iph) ((itp)->itp_flags & \
542 546 (((itp)->itp_policy == (iph)) ? ITPF_P_ACTIVE : ITPF_I_ACTIVE))
543 547
544 548 #define ITP_P_ISTUNNEL(itp, iph) ((itp)->itp_flags & \
545 549 (((itp)->itp_policy == (iph)) ? ITPF_P_TUNNEL : ITPF_I_TUNNEL))
546 550
547 551 #define ITP_P_ISPERPORT(itp, iph) ((itp)->itp_flags & \
548 552 (((itp)->itp_policy == (iph)) ? ITPF_P_PER_PORT_SECURITY : \
549 553 ITPF_I_PER_PORT_SECURITY))
550 554
551 555 #define ITP_REFHOLD(itp) { \
552 556 atomic_inc_32(&((itp)->itp_refcnt)); \
553 557 ASSERT((itp)->itp_refcnt != 0); \
554 558 }
555 559
556 560 #define ITP_REFRELE(itp, ns) { \
557 561 ASSERT((itp)->itp_refcnt != 0); \
558 562 membar_exit(); \
559 563 if (atomic_dec_32_nv(&((itp)->itp_refcnt)) == 0) \
560 564 itp_free(itp, ns); \
561 565 }
562 566
563 567 /*
564 568 * Certificate identity.
565 569 */
566 570
567 571 typedef struct ipsid_s
568 572 {
569 573 struct ipsid_s *ipsid_next;
570 574 struct ipsid_s **ipsid_ptpn;
571 575 uint32_t ipsid_refcnt;
572 576 int ipsid_type; /* id type */
573 577 char *ipsid_cid; /* certificate id string */
574 578 } ipsid_t;
575 579
576 580 /*
577 581 * ipsid_t reference hold/release macros, just like ipsa versions.
578 582 */
579 583
580 584 #define IPSID_REFHOLD(ipsid) { \
581 585 atomic_inc_32(&(ipsid)->ipsid_refcnt); \
582 586 ASSERT((ipsid)->ipsid_refcnt != 0); \
583 587 }
584 588
585 589 /*
586 590 * Decrement the reference count on the ID. Someone else will clean up
587 591 * after us later.
588 592 */
589 593
590 594 #define IPSID_REFRELE(ipsid) { \
591 595 membar_exit(); \
592 596 atomic_dec_32(&(ipsid)->ipsid_refcnt); \
593 597 }
594 598
595 599 /*
596 600 * Following are the estimates of what the maximum AH and ESP header size
597 601 * would be. This is used to tell the upper layer the right value of MSS
598 602 * it should use without consulting AH/ESP. If the size is something
599 603 * different from this, ULP will learn the right one through
600 604 * ICMP_FRAGMENTATION_NEEDED messages generated locally.
601 605 *
602 606 * AH : 12 bytes of constant header + 32 bytes of ICV checksum (SHA-512).
603 607 */
604 608 #define IPSEC_MAX_AH_HDR_SIZE (44)
605 609
606 610 /*
607 611 * ESP : Is a bit more complex...
608 612 *
609 613 * A system of one inequality and one equation MUST be solved for proper ESP
610 614 * overhead. The inequality is:
611 615 *
612 616 * MTU - sizeof (IP header + options) >=
613 617 * sizeof (esph_t) + sizeof (IV or ctr) + data-size + 2 + ICV
614 618 *
615 619 * IV or counter is almost always the cipher's block size. The equation is:
616 620 *
617 621 * data-size % block-size = (block-size - 2)
618 622 *
619 623 * so we can put as much data into the datagram as possible. If we are
620 624 * pessimistic and include our largest overhead cipher (AES) and hash
621 625 * (SHA-512), and assume 1500-byte MTU minus IPv4 overhead of 20 bytes, we get:
622 626 *
623 627 * 1480 >= 8 + 16 + data-size + 2 + 32
624 628 * 1480 >= 58 + data-size
625 629 * 1422 >= data-size, 1422 % 16 = 14, so 58 is the overhead!
626 630 *
627 631 * But, let's re-run the numbers with the same algorithms, but with an IPv6
628 632 * header:
629 633 *
630 634 * 1460 >= 58 + data-size
631 635 * 1402 >= data-size, 1402 % 16 = 10, meaning shrink to 1390 to get 14,
632 636 *
633 637 * which means the overhead is now 70.
634 638 *
635 639 * Hmmm... IPv4 headers can never be anything other than multiples of 4-bytes,
636 640 * and IPv6 ones can never be anything other than multiples of 8-bytes. We've
637 641 * seen overheads of 58 and 70. 58 % 16 == 10, and 70 % 16 == 6. IPv4 could
638 642 * force us to have 62 ( % 16 == 14) or 66 ( % 16 == 2), or IPv6 could force us
639 643 * to have 78 ( % 16 = 14). Let's compute IPv6 + 8-bytes of options:
640 644 *
641 645 * 1452 >= 58 + data-size
642 646 * 1394 >= data-size, 1394 % 16 = 2, meaning shrink to 1390 to get 14,
643 647 *
644 648 * Aha! The "ESP overhead" shrinks to 62 (70 - 8). This is good. Let's try
645 649 * IPv4 + 8 bytes of IPv4 options:
646 650 *
647 651 * 1472 >= 58 + data-size
648 652 * 1414 >= data-size, 1414 % 16 = 6, meaning shrink to 1406,
649 653 *
650 654 * meaning 66 is the overhead. Let's try 12 bytes:
651 655 *
652 656 * 1468 >= 58 + data-size
653 657 * 1410 >= data-size, 1410 % 16 = 2, meaning also shrink to 1406,
654 658 *
655 659 * meaning 62 is the overhead. How about 16 bytes?
656 660 *
657 661 * 1464 >= 58 + data-size
658 662 * 1406 >= data-size, 1402 % 16 = 14, which is great!
659 663 *
660 664 * this means 58 is the overhead. If I wrap and add 20 bytes, it looks just
661 665 * like IPv6's 70 bytes. If I add 24, we go back to 66 bytes.
662 666 *
663 667 * So picking 70 is a sensible, conservative default. Optimal calculations
664 668 * will depend on knowing pre-ESP header length (called "divpoint" in the ESP
665 669 * code), which could be cached in the conn_t for connected endpoints, or
666 670 * which must be computed on every datagram otherwise.
667 671 */
668 672 #define IPSEC_MAX_ESP_HDR_SIZE (70)
669 673
670 674 /*
671 675 * Alternate, when we know the crypto block size via the SA. Assume an ICV on
672 676 * the SA. Use:
673 677 *
674 678 * sizeof (esph_t) + 2 * (sizeof (IV/counter)) - 2 + sizeof (ICV). The "-2"
675 679 * discounts the overhead of the pad + padlen that gets swallowed up by the
676 680 * second (theoretically all-pad) cipher-block. If you use our examples of
677 681 * AES and SHA512, you get:
678 682 *
679 683 * 8 + 32 - 2 + 32 == 70.
680 684 *
681 685 * Which is our pre-computed maximum above.
682 686 */
683 687 #include <inet/ipsecesp.h>
684 688 #define IPSEC_BASE_ESP_HDR_SIZE(sa) \
685 689 (sizeof (esph_t) + ((sa)->ipsa_iv_len << 1) - 2 + (sa)->ipsa_mac_len)
686 690
687 691 /*
688 692 * Identity hash table.
689 693 *
690 694 * Identities are refcounted and "interned" into the hash table.
691 695 * Only references coming from other objects (SA's, latching state)
692 696 * are counted in ipsid_refcnt.
693 697 *
694 698 * Locking: IPSID_REFHOLD is safe only when (a) the object's hash bucket
695 699 * is locked, (b) we know that the refcount must be > 0.
696 700 *
697 701 * The ipsid_next and ipsid_ptpn fields are only to be referenced or
698 702 * modified when the bucket lock is held; in particular, we only
699 703 * delete objects while holding the bucket lock, and we only increase
700 704 * the refcount from 0 to 1 while the bucket lock is held.
701 705 */
702 706
703 707 #define IPSID_HASHSIZE 64
704 708
705 709 typedef struct ipsif_s
706 710 {
707 711 ipsid_t *ipsif_head;
708 712 kmutex_t ipsif_lock;
709 713 } ipsif_t;
710 714
711 715 /*
712 716 * For call to the kernel crypto framework. State needed during
713 717 * the execution of a crypto request.
714 718 */
715 719 typedef struct ipsec_crypto_s {
716 720 size_t ic_skip_len; /* len to skip for AH auth */
717 721 crypto_data_t ic_crypto_data; /* single op crypto data */
718 722 crypto_dual_data_t ic_crypto_dual_data; /* for dual ops */
719 723 crypto_data_t ic_crypto_mac; /* to store the MAC */
720 724 ipsa_cm_mech_t ic_cmm;
721 725 } ipsec_crypto_t;
722 726
723 727 /*
724 728 * IPsec stack instances
725 729 */
726 730 struct ipsec_stack {
727 731 netstack_t *ipsec_netstack; /* Common netstack */
728 732
729 733 /* Packet dropper for IP IPsec processing failures */
730 734 ipdropper_t ipsec_dropper;
731 735
732 736 /* From spd.c */
733 737 /*
734 738 * Policy rule index generator. We assume this won't wrap in the
735 739 * lifetime of a system. If we make 2^20 policy changes per second,
736 740 * this will last 2^44 seconds, or roughly 500,000 years, so we don't
737 741 * have to worry about reusing policy index values.
738 742 */
739 743 uint64_t ipsec_next_policy_index;
740 744
741 745 HASH_HEAD(ipsec_action_s) ipsec_action_hash[IPSEC_ACTION_HASH_SIZE];
742 746 HASH_HEAD(ipsec_sel) *ipsec_sel_hash;
743 747 uint32_t ipsec_spd_hashsize;
744 748
745 749 ipsif_t ipsec_ipsid_buckets[IPSID_HASHSIZE];
746 750
747 751 /*
748 752 * Active & Inactive system policy roots
749 753 */
750 754 ipsec_policy_head_t ipsec_system_policy;
751 755 ipsec_policy_head_t ipsec_inactive_policy;
752 756
753 757 /* Packet dropper for generic SPD drops. */
754 758 ipdropper_t ipsec_spd_dropper;
755 759
756 760 /* ipdrop.c */
757 761 kstat_t *ipsec_ip_drop_kstat;
758 762 struct ip_dropstats *ipsec_ip_drop_types;
759 763
760 764 /* spd.c */
761 765 /*
762 766 * Have a counter for every possible policy message in
763 767 * ipsec_policy_failure_msgs
764 768 */
765 769 uint32_t ipsec_policy_failure_count[IPSEC_POLICY_MAX];
766 770 /* Time since last ipsec policy failure that printed a message. */
767 771 hrtime_t ipsec_policy_failure_last;
768 772
769 773 /* ip_spd.c */
770 774 /* stats */
771 775 kstat_t *ipsec_ksp;
772 776 struct ipsec_kstats_s *ipsec_kstats;
773 777
774 778 /* sadb.c */
775 779 /* Packet dropper for generic SADB drops. */
776 780 ipdropper_t ipsec_sadb_dropper;
777 781
778 782 /* spd.c */
779 783 boolean_t ipsec_inbound_v4_policy_present;
780 784 boolean_t ipsec_outbound_v4_policy_present;
781 785 boolean_t ipsec_inbound_v6_policy_present;
782 786 boolean_t ipsec_outbound_v6_policy_present;
783 787
784 788 /* spd.c */
785 789 /*
786 790 * Because policy needs to know what algorithms are supported, keep the
787 791 * lists of algorithms here.
788 792 */
789 793 krwlock_t ipsec_alg_lock;
790 794
791 795 uint8_t ipsec_nalgs[IPSEC_NALGTYPES];
792 796 ipsec_alginfo_t *ipsec_alglists[IPSEC_NALGTYPES][IPSEC_MAX_ALGS];
793 797
794 798 uint8_t ipsec_sortlist[IPSEC_NALGTYPES][IPSEC_MAX_ALGS];
795 799
796 800 int ipsec_algs_exec_mode[IPSEC_NALGTYPES];
797 801
798 802 uint32_t ipsec_tun_spd_hashsize;
799 803 /*
800 804 * Tunnel policies - AVL tree indexed by tunnel name.
801 805 */
802 806 krwlock_t ipsec_tunnel_policy_lock;
803 807 uint64_t ipsec_tunnel_policy_gen;
804 808 avl_tree_t ipsec_tunnel_policies;
805 809
806 810 /* ipsec_loader.c */
807 811 kmutex_t ipsec_loader_lock;
808 812 int ipsec_loader_state;
809 813 int ipsec_loader_sig;
810 814 kt_did_t ipsec_loader_tid;
811 815 kcondvar_t ipsec_loader_sig_cv; /* For loader_sig conditions. */
812 816
813 817 };
814 818 typedef struct ipsec_stack ipsec_stack_t;
815 819
816 820 /* Handle the kstat_create in ip_drop_init() failing */
817 821 #define DROPPER(_ipss, _dropper) \
818 822 (((_ipss)->ipsec_ip_drop_types == NULL) ? NULL : \
819 823 &((_ipss)->ipsec_ip_drop_types->_dropper))
820 824
821 825 /*
822 826 * Loader states..
823 827 */
824 828 #define IPSEC_LOADER_WAIT 0
825 829 #define IPSEC_LOADER_FAILED -1
826 830 #define IPSEC_LOADER_SUCCEEDED 1
827 831
828 832 /*
829 833 * ipsec_loader entrypoints.
830 834 */
831 835 extern void ipsec_loader_init(ipsec_stack_t *);
832 836 extern void ipsec_loader_start(ipsec_stack_t *);
833 837 extern void ipsec_loader_destroy(ipsec_stack_t *);
834 838 extern void ipsec_loader_loadnow(ipsec_stack_t *);
835 839 extern boolean_t ipsec_loader_wait(queue_t *q, ipsec_stack_t *);
836 840 extern boolean_t ipsec_loaded(ipsec_stack_t *);
837 841 extern boolean_t ipsec_failed(ipsec_stack_t *);
838 842
839 843 /*
840 844 * ipsec policy entrypoints (spd.c)
841 845 */
842 846
843 847 extern void ipsec_policy_g_destroy(void);
844 848 extern void ipsec_policy_g_init(void);
845 849
846 850 extern mblk_t *ipsec_add_crypto_data(mblk_t *, ipsec_crypto_t **);
847 851 extern mblk_t *ipsec_remove_crypto_data(mblk_t *, ipsec_crypto_t **);
848 852 extern mblk_t *ipsec_free_crypto_data(mblk_t *);
849 853 extern int ipsec_alloc_table(ipsec_policy_head_t *, int, int, boolean_t,
850 854 netstack_t *);
851 855 extern void ipsec_polhead_init(ipsec_policy_head_t *, int);
852 856 extern void ipsec_polhead_destroy(ipsec_policy_head_t *);
853 857 extern void ipsec_polhead_free_table(ipsec_policy_head_t *);
854 858 extern mblk_t *ipsec_check_global_policy(mblk_t *, conn_t *, ipha_t *,
855 859 ip6_t *, ip_recv_attr_t *, netstack_t *ns);
856 860 extern mblk_t *ipsec_check_inbound_policy(mblk_t *, conn_t *, ipha_t *, ip6_t *,
857 861 ip_recv_attr_t *);
858 862
859 863 extern boolean_t ipsec_in_to_out(ip_recv_attr_t *, ip_xmit_attr_t *,
860 864 mblk_t *, ipha_t *, ip6_t *);
861 865 extern void ipsec_in_release_refs(ip_recv_attr_t *);
862 866 extern void ipsec_out_release_refs(ip_xmit_attr_t *);
863 867 extern void ipsec_log_policy_failure(int, char *, ipha_t *, ip6_t *, boolean_t,
864 868 netstack_t *);
865 869 extern boolean_t ipsec_inbound_accept_clear(mblk_t *, ipha_t *, ip6_t *);
866 870 extern int ipsec_conn_cache_policy(conn_t *, boolean_t);
867 871 extern void ipsec_cache_outbound_policy(const conn_t *, const in6_addr_t *,
868 872 const in6_addr_t *, in_port_t, ip_xmit_attr_t *);
869 873 extern boolean_t ipsec_outbound_policy_current(ip_xmit_attr_t *);
870 874 extern ipsec_action_t *ipsec_in_to_out_action(ip_recv_attr_t *);
871 875 extern void ipsec_latch_inbound(conn_t *connp, ip_recv_attr_t *ira);
872 876
873 877 extern void ipsec_policy_free(ipsec_policy_t *);
874 878 extern void ipsec_action_free(ipsec_action_t *);
875 879 extern void ipsec_polhead_free(ipsec_policy_head_t *, netstack_t *);
876 880 extern ipsec_policy_head_t *ipsec_polhead_split(ipsec_policy_head_t *,
877 881 netstack_t *);
878 882 extern ipsec_policy_head_t *ipsec_polhead_create(void);
879 883 extern ipsec_policy_head_t *ipsec_system_policy(netstack_t *);
880 884 extern ipsec_policy_head_t *ipsec_inactive_policy(netstack_t *);
881 885 extern void ipsec_swap_policy(ipsec_policy_head_t *, ipsec_policy_head_t *,
882 886 netstack_t *);
883 887 extern void ipsec_swap_global_policy(netstack_t *);
884 888
885 889 extern int ipsec_clone_system_policy(netstack_t *);
886 890 extern ipsec_policy_t *ipsec_policy_create(ipsec_selkey_t *,
887 891 const ipsec_act_t *, int, int, uint64_t *, netstack_t *);
888 892 extern boolean_t ipsec_policy_delete(ipsec_policy_head_t *,
889 893 ipsec_selkey_t *, int, netstack_t *);
890 894 extern int ipsec_policy_delete_index(ipsec_policy_head_t *, uint64_t,
891 895 netstack_t *);
892 896 extern boolean_t ipsec_polhead_insert(ipsec_policy_head_t *, ipsec_act_t *,
893 897 uint_t, int, int, netstack_t *);
894 898 extern void ipsec_polhead_flush(ipsec_policy_head_t *, netstack_t *);
895 899 extern int ipsec_copy_polhead(ipsec_policy_head_t *, ipsec_policy_head_t *,
896 900 netstack_t *);
897 901 extern void ipsec_actvec_from_req(const ipsec_req_t *, ipsec_act_t **, uint_t *,
898 902 netstack_t *);
899 903 extern void ipsec_actvec_free(ipsec_act_t *, uint_t);
900 904 extern int ipsec_req_from_head(ipsec_policy_head_t *, ipsec_req_t *, int);
901 905 extern mblk_t *ipsec_construct_inverse_acquire(sadb_msg_t *, sadb_ext_t **,
902 906 netstack_t *);
903 907 extern ipsec_policy_t *ipsec_find_policy(int, const conn_t *,
904 908 ipsec_selector_t *, netstack_t *);
905 909 extern ipsid_t *ipsid_lookup(int, char *, netstack_t *);
906 910 extern boolean_t ipsid_equal(ipsid_t *, ipsid_t *);
907 911 extern void ipsid_gc(netstack_t *);
908 912 extern void ipsec_latch_ids(ipsec_latch_t *, ipsid_t *, ipsid_t *);
909 913
910 914 extern void ipsec_config_flush(netstack_t *);
911 915 extern boolean_t ipsec_check_policy(ipsec_policy_head_t *, ipsec_policy_t *,
912 916 int);
913 917 extern void ipsec_enter_policy(ipsec_policy_head_t *, ipsec_policy_t *, int,
914 918 netstack_t *);
915 919 extern boolean_t ipsec_check_action(ipsec_act_t *, int *, netstack_t *);
916 920
917 921 extern void iplatch_free(ipsec_latch_t *);
918 922 extern ipsec_latch_t *iplatch_create(void);
919 923 extern int ipsec_set_req(cred_t *, conn_t *, ipsec_req_t *);
920 924
921 925 extern void ipsec_insert_always(avl_tree_t *tree, void *new_node);
922 926
923 927 extern int32_t ipsec_act_ovhd(const ipsec_act_t *act);
924 928 extern mblk_t *sadb_whack_label(mblk_t *, ipsa_t *, ip_xmit_attr_t *,
925 929 kstat_named_t *, ipdropper_t *);
926 930 extern mblk_t *sadb_whack_label_v4(mblk_t *, ipsa_t *, kstat_named_t *,
927 931 ipdropper_t *);
928 932 extern mblk_t *sadb_whack_label_v6(mblk_t *, ipsa_t *, kstat_named_t *,
929 933 ipdropper_t *);
930 934 extern boolean_t update_iv(uint8_t *, queue_t *, ipsa_t *, ipsecesp_stack_t *);
931 935
932 936 /*
933 937 * Tunnel-support SPD functions and variables.
934 938 */
935 939 struct iptun_s; /* Defined in inet/iptun/iptun_impl.h. */
936 940 extern mblk_t *ipsec_tun_inbound(ip_recv_attr_t *, mblk_t *, ipsec_tun_pol_t *,
937 941 ipha_t *, ip6_t *, ipha_t *, ip6_t *, int, netstack_t *);
938 942 extern mblk_t *ipsec_tun_outbound(mblk_t *, struct iptun_s *, ipha_t *,
939 943 ip6_t *, ipha_t *, ip6_t *, int, ip_xmit_attr_t *);
940 944 extern void itp_free(ipsec_tun_pol_t *, netstack_t *);
941 945 extern ipsec_tun_pol_t *create_tunnel_policy(char *, int *, uint64_t *,
942 946 netstack_t *);
943 947 extern ipsec_tun_pol_t *get_tunnel_policy(char *, netstack_t *);
944 948 extern void itp_unlink(ipsec_tun_pol_t *, netstack_t *);
945 949 extern void itp_walk(void (*)(ipsec_tun_pol_t *, void *, netstack_t *),
946 950 void *, netstack_t *);
947 951
948 952 extern ipsec_tun_pol_t *itp_get_byaddr(uint32_t *, uint32_t *, int,
949 953 ip_stack_t *);
950 954
951 955 /*
952 956 * IPsec AH/ESP functions called from IP or the common SADB code in AH.
953 957 */
954 958
955 959 extern void ipsecah_in_assocfailure(mblk_t *, char, ushort_t, char *,
956 960 uint32_t, void *, int, ip_recv_attr_t *ira);
957 961 extern void ipsecesp_in_assocfailure(mblk_t *, char, ushort_t, char *,
958 962 uint32_t, void *, int, ip_recv_attr_t *ira);
959 963 extern void ipsecesp_send_keepalive(ipsa_t *);
960 964
961 965 /*
962 966 * Algorithm management helper functions.
963 967 */
964 968 extern boolean_t ipsec_valid_key_size(uint16_t, ipsec_alginfo_t *);
965 969
966 970 /*
967 971 * Per-socket policy, for now, takes precedence... this priority value
968 972 * insures it.
969 973 */
970 974 #define IPSEC_PRIO_SOCKET 0x1000000
971 975
972 976 /* DDI initialization functions. */
973 977 extern boolean_t ipsecesp_ddi_init(void);
974 978 extern boolean_t ipsecah_ddi_init(void);
975 979 extern boolean_t keysock_ddi_init(void);
976 980 extern boolean_t spdsock_ddi_init(void);
977 981
978 982 extern void ipsecesp_ddi_destroy(void);
979 983 extern void ipsecah_ddi_destroy(void);
980 984 extern void keysock_ddi_destroy(void);
981 985 extern void spdsock_ddi_destroy(void);
982 986
983 987 /*
984 988 * AH- and ESP-specific functions that are called directly by other modules.
985 989 */
986 990 extern void ipsecah_fill_defs(struct sadb_x_ecomb *, netstack_t *);
987 991 extern void ipsecesp_fill_defs(struct sadb_x_ecomb *, netstack_t *);
988 992 extern void ipsecah_algs_changed(netstack_t *);
989 993 extern void ipsecesp_algs_changed(netstack_t *);
990 994 extern void ipsecesp_init_funcs(ipsa_t *);
991 995 extern void ipsecah_init_funcs(ipsa_t *);
992 996 extern mblk_t *ipsecah_icmp_error(mblk_t *, ip_recv_attr_t *);
993 997 extern mblk_t *ipsecesp_icmp_error(mblk_t *, ip_recv_attr_t *);
994 998
995 999 /*
996 1000 * spdsock functions that are called directly by IP.
997 1001 */
998 1002 extern void spdsock_update_pending_algs(netstack_t *);
999 1003
1000 1004 /*
1001 1005 * IP functions that are called from AH and ESP.
1002 1006 */
1003 1007 extern boolean_t ipsec_outbound_sa(mblk_t *, ip_xmit_attr_t *, uint_t);
1004 1008 extern mblk_t *ipsec_inbound_esp_sa(mblk_t *, ip_recv_attr_t *, esph_t **);
1005 1009 extern mblk_t *ipsec_inbound_ah_sa(mblk_t *, ip_recv_attr_t *, ah_t **);
1006 1010 extern ipsec_policy_t *ipsec_find_policy_head(ipsec_policy_t *,
1007 1011 ipsec_policy_head_t *, int, ipsec_selector_t *);
1008 1012
1009 1013 /*
1010 1014 * IP dropper init/destroy.
1011 1015 */
1012 1016 void ip_drop_init(ipsec_stack_t *);
1013 1017 void ip_drop_destroy(ipsec_stack_t *);
1014 1018
1015 1019 /*
1016 1020 * Common functions
1017 1021 */
1018 1022 extern boolean_t ip_addr_match(uint8_t *, int, in6_addr_t *);
1019 1023 extern boolean_t ipsec_label_match(ts_label_t *, ts_label_t *);
1020 1024
1021 1025 /*
1022 1026 * AH and ESP counters types.
1023 1027 */
1024 1028 typedef uint32_t ah_counter;
1025 1029 typedef uint32_t esp_counter;
1026 1030
1027 1031 #endif /* _KERNEL */
1028 1032
1029 1033 #ifdef __cplusplus
1030 1034 }
1031 1035 #endif
1032 1036
1033 1037 #endif /* _INET_IPSEC_IMPL_H */
|
↓ open down ↓ |
911 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX