Print this page
C. Fraire's code review fixes
8529 Extended and regular SADB_ACQUIREs should share address extension code
Portions contributed by: Bayard Bell <buffer.g.overflow@gmail.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/inet/sadb.h
+++ new/usr/src/uts/common/inet/sadb.h
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
25 25 */
26 26
27 27 #ifndef _INET_SADB_H
28 28 #define _INET_SADB_H
29 29
30 30 #ifdef __cplusplus
31 31 extern "C" {
32 32 #endif
33 33
34 34 #include <inet/ipsec_info.h>
35 35 #include <sys/crypto/common.h>
36 36 #include <sys/crypto/api.h>
37 37 #include <sys/note.h>
38 38
39 39 #define IPSA_MAX_ADDRLEN 4 /* Max address len. (in 32-bits) for an SA. */
40 40
41 41 #define MAXSALTSIZE 8
42 42
43 43 /*
44 44 * For combined mode ciphers, store the crypto_mechanism_t in the
45 45 * per-packet ipsec_in_t/ipsec_out_t structures. This is because the PARAMS
46 46 * and nonce values change for each packet. For non-combined mode
47 47 * ciphers, these values are constant for the life of the SA.
48 48 */
49 49 typedef struct ipsa_cm_mech_s {
50 50 crypto_mechanism_t combined_mech;
51 51 union {
52 52 CK_AES_CCM_PARAMS paramu_ccm;
53 53 CK_AES_GCM_PARAMS paramu_gcm;
54 54 } paramu;
55 55 uint8_t nonce[MAXSALTSIZE + sizeof (uint64_t)];
56 56 #define param_ulMACSize paramu.paramu_ccm.ulMACSize
57 57 #define param_ulNonceSize paramu.paramu_ccm.ipsa_ulNonceSize
58 58 #define param_ulAuthDataSize paramu.paramu_ccm.ipsa_ulAuthDataSize
59 59 #define param_ulDataSize paramu.paramu_ccm.ipsa_ulDataSize
60 60 #define param_nonce paramu.paramu_ccm.nonce
61 61 #define param_authData paramu.paramu_ccm.authData
62 62 #define param_pIv paramu.paramu_gcm.ipsa_pIv
63 63 #define param_ulIvLen paramu.paramu_gcm.ulIvLen
64 64 #define param_ulIvBits paramu.paramu_gcm.ulIvBits
65 65 #define param_pAAD paramu.paramu_gcm.pAAD
66 66 #define param_ulAADLen paramu.paramu_gcm.ulAADLen
67 67 #define param_ulTagBits paramu.paramu_gcm.ulTagBits
68 68 } ipsa_cm_mech_t;
69 69
70 70 /*
71 71 * The Initialization Vector (also known as IV or Nonce) used to
72 72 * initialize the Block Cipher, is made up of a Counter and a Salt.
73 73 * The Counter is fixed at 64 bits and is incremented for each packet.
74 74 * The Salt value can be any whole byte value upto 64 bits. This is
75 75 * algorithm mode specific and can be configured with ipsecalgs(1m).
76 76 *
77 77 * We only support whole byte salt lengths, this is because the salt is
78 78 * stored in an array of uint8_t's. This is enforced by ipsecalgs(1m)
79 79 * which configures the salt length as a number of bytes. Checks are
80 80 * made to ensure the salt length defined in ipsecalgs(1m) fits in
81 81 * the ipsec_nonce_t.
82 82 *
83 83 * The Salt value remains constant for the life of the SA, the Salt is
84 84 * know to both peers, but NOT transmitted on the network. The Counter
85 85 * portion of the nonce is transmitted over the network with each packet
86 86 * and is confusingly described as the Initialization Vector by RFCs
87 87 * 4309/4106.
88 88 *
89 89 * The maximum Initialization Vector length is 128 bits, if the actual
90 90 * size is less, its padded internally by the algorithm.
91 91 *
92 92 * The nonce structure is defined like this in the SA (ipsa_t)to ensure
93 93 * the Initilization Vector (counter) is 64 bit aligned, because it will
94 94 * be incremented as an uint64_t. The nonce as used by the algorithms is
95 95 * a straight uint8_t array.
96 96 *
97 97 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
98 98 * | | | | |x|x|x|x| |
99 99 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
100 100 * salt_offset <------>
101 101 * ipsa_saltlen <------->
102 102 * ipsa_nonce_buf------^
103 103 * ipsa_salt-------------~~~~~~^
104 104 * ipsa_nonce------------~~~~~~^
105 105 * ipsa_iv-----------------------------^
106 106 */
107 107 typedef struct ipsec_nonce_s {
108 108 uint8_t salt[MAXSALTSIZE];
109 109 uint64_t iv;
110 110 } ipsec_nonce_t;
111 111
112 112 /*
113 113 * IP security association. Synchronization assumes 32-bit loads, so
114 114 * the 64-bit quantities can't even be be read w/o locking it down!
115 115 */
116 116
117 117 /* keying info */
118 118 typedef struct ipsa_key_s {
119 119 uint8_t *sak_key; /* Algorithm key. */
120 120 uint_t sak_keylen; /* Algorithm key length (in bytes). */
121 121 uint_t sak_keybits; /* Algorithm key length (in bits) */
122 122 uint_t sak_algid; /* Algorithm ID number. */
123 123 } ipsa_key_t;
124 124
125 125 typedef struct ipsa_s {
126 126 struct ipsa_s *ipsa_next; /* Next in hash bucket */
127 127 struct ipsa_s **ipsa_ptpn; /* Pointer to previous next pointer. */
128 128 kmutex_t *ipsa_linklock; /* Pointer to hash-chain lock. */
129 129 void (*ipsa_freefunc)(struct ipsa_s *); /* freeassoc function */
130 130 void (*ipsa_noncefunc)(struct ipsa_s *, uchar_t *,
131 131 uint_t, uchar_t *, ipsa_cm_mech_t *, crypto_data_t *);
132 132 /*
133 133 * NOTE: I may need more pointers, depending on future SA
134 134 * requirements.
135 135 */
136 136 ipsa_key_t ipsa_authkeydata;
137 137 #define ipsa_authkey ipsa_authkeydata.sak_key
138 138 #define ipsa_authkeylen ipsa_authkeydata.sak_keylen
139 139 #define ipsa_authkeybits ipsa_authkeydata.sak_keybits
140 140 #define ipsa_auth_alg ipsa_authkeydata.sak_algid
141 141 ipsa_key_t ipsa_encrkeydata;
142 142 #define ipsa_encrkey ipsa_encrkeydata.sak_key
143 143 #define ipsa_encrkeylen ipsa_encrkeydata.sak_keylen
144 144 #define ipsa_encrkeybits ipsa_encrkeydata.sak_keybits
145 145 #define ipsa_encr_alg ipsa_encrkeydata.sak_algid
146 146
147 147 struct ipsid_s *ipsa_src_cid; /* Source certificate identity */
148 148 struct ipsid_s *ipsa_dst_cid; /* Destination certificate identity */
149 149 mblk_t *ipsa_lpkt; /* Packet received while larval (CAS me) */
150 150 mblk_t *ipsa_bpkt_head; /* Packets received while idle */
151 151 mblk_t *ipsa_bpkt_tail;
152 152 #define SADB_MAX_IDLEPKTS 100
153 153 uint8_t ipsa_mblkcnt; /* Number of packets received while idle */
154 154
155 155 /*
156 156 * PF_KEYv2 supports a replay window size of 255. Hence there is a
157 157 * need a bit vector to support a replay window of 255. 256 is a nice
158 158 * round number, so I support that.
159 159 *
160 160 * Use an array of uint64_t for best performance on 64-bit
161 161 * processors. (And hope that 32-bit compilers can handle things
162 162 * okay.) The " >> 6 " is to get the appropriate number of 64-bit
163 163 * ints.
164 164 */
165 165 #define SADB_MAX_REPLAY 256 /* Must be 0 mod 64. */
166 166 uint64_t ipsa_replay_arr[SADB_MAX_REPLAY >> 6];
167 167
168 168 uint64_t ipsa_unique_id; /* Non-zero for unique SAs */
169 169 uint64_t ipsa_unique_mask; /* mask value for unique_id */
170 170
171 171 /*
172 172 * Reference count semantics:
173 173 *
174 174 * An SA has a reference count of 1 if something's pointing
175 175 * to it. This includes being in a hash table. So if an
176 176 * SA is in a hash table, it has a reference count of at least 1.
177 177 *
178 178 * When a ptr. to an IPSA is assigned, you MUST REFHOLD after
179 179 * said assignment. When a ptr. to an IPSA is released
180 180 * you MUST REFRELE. When the refcount hits 0, REFRELE
181 181 * will free the IPSA.
182 182 */
183 183 kmutex_t ipsa_lock; /* Locks non-linkage/refcnt fields. */
184 184 /* Q: Since I may be doing refcnts differently, will I need cv? */
185 185 uint_t ipsa_refcnt; /* Reference count. */
186 186
187 187 /*
188 188 * The following four time fields are the ones monitored by ah_ager()
189 189 * and esp_ager() respectively. They are all absolute wall-clock
190 190 * times. The times of creation (i.e. add time) and first use are
191 191 * pretty straightforward. The soft and hard expire times are
192 192 * derived from the times of first use and creation, plus the minimum
193 193 * expiration times in the fields that follow this.
194 194 *
195 195 * For example, if I had a hard add time of 30 seconds, and a hard
196 196 * use time of 15, the ipsa_hardexpiretime would be time of add, plus
197 197 * 30 seconds. If I USE the SA such that time of first use plus 15
198 198 * seconds would be earlier than the add time plus 30 seconds, then
199 199 * ipsa_hardexpiretime would become this earlier time.
200 200 */
201 201 time_t ipsa_addtime; /* Time I was added. */
202 202 time_t ipsa_usetime; /* Time of my first use. */
203 203 time_t ipsa_lastuse; /* Time of my last use. */
204 204 time_t ipsa_idletime; /* Seconds of idle time */
205 205 time_t ipsa_last_nat_t_ka; /* Time of my last NAT-T keepalive. */
206 206 time_t ipsa_softexpiretime; /* Time of my first soft expire. */
207 207 time_t ipsa_hardexpiretime; /* Time of my first hard expire. */
208 208 time_t ipsa_idleexpiretime; /* Time of my next idle expire time */
209 209
210 210 struct ipsec_nonce_s *ipsa_nonce_buf;
211 211 uint8_t *ipsa_nonce;
212 212 uint_t ipsa_nonce_len;
213 213 uint8_t *ipsa_salt;
214 214 uint_t ipsa_saltbits;
215 215 uint_t ipsa_saltlen;
216 216 uint64_t *ipsa_iv;
217 217
218 218 uint64_t ipsa_iv_hardexpire;
219 219 uint64_t ipsa_iv_softexpire;
220 220 /*
221 221 * The following fields are directly reflected in PF_KEYv2 LIFETIME
222 222 * extensions. The time_ts are in number-of-seconds, and the bytes
223 223 * are in... bytes.
224 224 */
225 225 time_t ipsa_softaddlt; /* Seconds of soft lifetime after add. */
226 226 time_t ipsa_softuselt; /* Seconds of soft lifetime after first use. */
227 227 time_t ipsa_hardaddlt; /* Seconds of hard lifetime after add. */
228 228 time_t ipsa_harduselt; /* Seconds of hard lifetime after first use. */
229 229 time_t ipsa_idleaddlt; /* Seconds of idle time after add */
230 230 time_t ipsa_idleuselt; /* Seconds of idle time after first use */
231 231 uint64_t ipsa_softbyteslt; /* Bytes of soft lifetime. */
232 232 uint64_t ipsa_hardbyteslt; /* Bytes of hard lifetime. */
233 233 uint64_t ipsa_bytes; /* Bytes encrypted/authed by this SA. */
234 234
235 235 /*
236 236 * "Allocations" are a concept mentioned in PF_KEYv2. We do not
237 237 * support them, except to record them per the PF_KEYv2 spec.
238 238 */
239 239 uint_t ipsa_softalloc; /* Allocations allowed (soft). */
240 240 uint_t ipsa_hardalloc; /* Allocations allowed (hard). */
241 241 uint_t ipsa_alloc; /* Allocations made. */
242 242
243 243 uint_t ipsa_type; /* Type of security association. (AH/etc.) */
244 244 uint_t ipsa_state; /* State of my association. */
245 245 uint_t ipsa_replay_wsize; /* Size of replay window */
246 246 uint32_t ipsa_flags; /* Flags for security association. */
247 247 uint32_t ipsa_spi; /* Security parameters index. */
248 248 uint32_t ipsa_replay; /* Highest seen replay value for this SA. */
249 249 uint32_t ipsa_kmp; /* key management proto */
250 250 uint32_t ipsa_kmc; /* key management cookie */
251 251
252 252 boolean_t ipsa_haspeer; /* Has peer in another table. */
253 253
254 254 /*
255 255 * Address storage.
256 256 * The source address can be INADDR_ANY, IN6ADDR_ANY, etc.
257 257 *
258 258 * Address families (per sys/socket.h) guide us. We could have just
259 259 * used sockaddr_storage
260 260 */
261 261 sa_family_t ipsa_addrfam;
262 262 sa_family_t ipsa_innerfam; /* Inner AF can be != src/dst AF. */
263 263
264 264 uint32_t ipsa_srcaddr[IPSA_MAX_ADDRLEN];
265 265 uint32_t ipsa_dstaddr[IPSA_MAX_ADDRLEN];
266 266 uint32_t ipsa_innersrc[IPSA_MAX_ADDRLEN];
267 267 uint32_t ipsa_innerdst[IPSA_MAX_ADDRLEN];
268 268
269 269 uint8_t ipsa_innersrcpfx;
270 270 uint8_t ipsa_innerdstpfx;
271 271
272 272 uint16_t ipsa_inbound_cksum; /* cksum correction for inbound packets */
273 273 uint16_t ipsa_local_nat_port; /* Local NAT-T port. (0 --> 4500) */
274 274 uint16_t ipsa_remote_nat_port; /* The other port that isn't 4500 */
275 275
276 276 /* these can only be v4 */
277 277 uint32_t ipsa_natt_addr_loc;
278 278 uint32_t ipsa_natt_addr_rem;
279 279
280 280 /*
281 281 * icmp type and code. *_end are to specify ranges. if only
282 282 * a single value, * and *_end are the same value.
283 283 */
284 284 uint8_t ipsa_icmp_type;
285 285 uint8_t ipsa_icmp_type_end;
286 286 uint8_t ipsa_icmp_code;
287 287 uint8_t ipsa_icmp_code_end;
288 288
289 289 /*
290 290 * For the kernel crypto framework.
291 291 */
292 292 crypto_key_t ipsa_kcfauthkey; /* authentication key */
293 293 crypto_key_t ipsa_kcfencrkey; /* encryption key */
294 294 crypto_ctx_template_t ipsa_authtmpl; /* auth context template */
295 295 crypto_ctx_template_t ipsa_encrtmpl; /* encr context template */
296 296 crypto_mechanism_t ipsa_amech; /* auth mech type and ICV len */
297 297 crypto_mechanism_t ipsa_emech; /* encr mech type */
298 298 size_t ipsa_mac_len; /* auth MAC/ICV length */
299 299 size_t ipsa_iv_len; /* encr IV length */
300 300 size_t ipsa_datalen; /* block length in bytes. */
301 301
302 302 /*
303 303 * Input and output processing functions called from IP.
304 304 * The mblk_t is the data; the IPsec information is in the attributes
305 305 * Returns NULL if the mblk is consumed which it is if there was
306 306 * a failure or if pending. If failure then
307 307 * the ipIfInDiscards/OutDiscards counters are increased.
308 308 */
309 309 mblk_t *(*ipsa_output_func)(mblk_t *, ip_xmit_attr_t *);
310 310 mblk_t *(*ipsa_input_func)(mblk_t *, void *, ip_recv_attr_t *);
311 311
312 312 /*
313 313 * Soft reference to paired SA
314 314 */
315 315 uint32_t ipsa_otherspi;
316 316 netstack_t *ipsa_netstack; /* Does not have a netstack_hold */
317 317
318 318 ts_label_t *ipsa_tsl; /* MLS: label attributes */
319 319 ts_label_t *ipsa_otsl; /* MLS: outer label */
320 320 uint8_t ipsa_mac_exempt; /* MLS: mac exempt flag */
321 321 uchar_t ipsa_opt_storage[IP_MAX_OPT_LENGTH];
322 322 } ipsa_t;
323 323
324 324 /*
325 325 * ipsa_t address handling macros. We want these to be inlined, and deal
326 326 * with 32-bit words to avoid bcmp/bcopy calls.
327 327 *
328 328 * Assume we only have AF_INET and AF_INET6 addresses for now. Also assume
329 329 * that we have 32-bit alignment on everything.
330 330 */
331 331 #define IPSA_IS_ADDR_UNSPEC(addr, fam) ((((uint32_t *)(addr))[0] == 0) && \
332 332 (((fam) == AF_INET) || (((uint32_t *)(addr))[3] == 0 && \
333 333 ((uint32_t *)(addr))[2] == 0 && ((uint32_t *)(addr))[1] == 0)))
334 334 #define IPSA_ARE_ADDR_EQUAL(addr1, addr2, fam) \
335 335 ((((uint32_t *)(addr1))[0] == ((uint32_t *)(addr2))[0]) && \
336 336 (((fam) == AF_INET) || \
337 337 (((uint32_t *)(addr1))[3] == ((uint32_t *)(addr2))[3] && \
338 338 ((uint32_t *)(addr1))[2] == ((uint32_t *)(addr2))[2] && \
339 339 ((uint32_t *)(addr1))[1] == ((uint32_t *)(addr2))[1])))
340 340 #define IPSA_COPY_ADDR(dstaddr, srcaddr, fam) { \
341 341 ((uint32_t *)(dstaddr))[0] = ((uint32_t *)(srcaddr))[0]; \
342 342 if ((fam) == AF_INET6) {\
343 343 ((uint32_t *)(dstaddr))[1] = ((uint32_t *)(srcaddr))[1]; \
344 344 ((uint32_t *)(dstaddr))[2] = ((uint32_t *)(srcaddr))[2]; \
345 345 ((uint32_t *)(dstaddr))[3] = ((uint32_t *)(srcaddr))[3]; } }
346 346
347 347 /*
348 348 * ipsa_t reference hold/release macros.
349 349 *
350 350 * If you have a pointer, you REFHOLD. If you are releasing a pointer, you
351 351 * REFRELE. An ipsa_t that is newly inserted into the table should have
352 352 * a reference count of 1 (for the table's pointer), plus 1 more for every
353 353 * pointer that is referencing the ipsa_t.
354 354 */
355 355
356 356 #define IPSA_REFHOLD(ipsa) { \
357 357 atomic_inc_32(&(ipsa)->ipsa_refcnt); \
358 358 ASSERT((ipsa)->ipsa_refcnt != 0); \
359 359 }
360 360
361 361 /*
362 362 * Decrement the reference count on the SA.
363 363 * In architectures e.g sun4u, where atomic_add_32_nv is just
364 364 * a cas, we need to maintain the right memory barrier semantics
365 365 * as that of mutex_exit i.e all the loads and stores should complete
366 366 * before the cas is executed. membar_exit() does that here.
367 367 */
368 368
369 369 #define IPSA_REFRELE(ipsa) { \
370 370 ASSERT((ipsa)->ipsa_refcnt != 0); \
371 371 membar_exit(); \
372 372 if (atomic_dec_32_nv(&(ipsa)->ipsa_refcnt) == 0) \
373 373 ((ipsa)->ipsa_freefunc)(ipsa); \
374 374 }
375 375
376 376 /*
377 377 * Security association hash macros and definitions. For now, assume the
378 378 * IPsec model, and hash outbounds on destination address, and inbounds on
379 379 * SPI.
380 380 */
381 381
382 382 #define IPSEC_DEFAULT_HASH_SIZE 256
383 383
384 384 #define INBOUND_HASH(sadb, spi) ((spi) % ((sadb)->sdb_hashsize))
385 385 #define OUTBOUND_HASH_V4(sadb, v4addr) ((v4addr) % ((sadb)->sdb_hashsize))
386 386 #define OUTBOUND_HASH_V6(sadb, v6addr) OUTBOUND_HASH_V4((sadb), \
387 387 (*(uint32_t *)&(v6addr)) ^ (*(((uint32_t *)&(v6addr)) + 1)) ^ \
388 388 (*(((uint32_t *)&(v6addr)) + 2)) ^ (*(((uint32_t *)&(v6addr)) + 3)))
389 389
390 390 /*
391 391 * Syntactic sugar to find the appropriate hash bucket directly.
392 392 */
393 393
394 394 #define INBOUND_BUCKET(sadb, spi) &(((sadb)->sdb_if)[INBOUND_HASH(sadb, spi)])
395 395 #define OUTBOUND_BUCKET_V4(sadb, v4addr) \
396 396 &(((sadb)->sdb_of)[OUTBOUND_HASH_V4(sadb, v4addr)])
397 397 #define OUTBOUND_BUCKET_V6(sadb, v6addr) \
398 398 &(((sadb)->sdb_of)[OUTBOUND_HASH_V6(sadb, v6addr)])
399 399
400 400 #define IPSA_F_PFS SADB_SAFLAGS_PFS /* PFS in use for this SA? */
401 401 #define IPSA_F_NOREPFLD SADB_SAFLAGS_NOREPLAY /* No replay field, for */
402 402 /* backward compat. */
403 403 #define IPSA_F_USED SADB_X_SAFLAGS_USED /* SA has been used. */
404 404 #define IPSA_F_UNIQUE SADB_X_SAFLAGS_UNIQUE /* SA is unique */
405 405 #define IPSA_F_AALG1 SADB_X_SAFLAGS_AALG1 /* Auth alg flag 1 */
406 406 #define IPSA_F_AALG2 SADB_X_SAFLAGS_AALG2 /* Auth alg flag 2 */
407 407 #define IPSA_F_EALG1 SADB_X_SAFLAGS_EALG1 /* Encrypt alg flag 1 */
408 408 #define IPSA_F_EALG2 SADB_X_SAFLAGS_EALG2 /* Encrypt alg flag 2 */
409 409
410 410 #define IPSA_F_ASYNC 0x200000 /* Call KCF asynchronously? */
411 411 #define IPSA_F_NATT_LOC SADB_X_SAFLAGS_NATT_LOC
412 412 #define IPSA_F_NATT_REM SADB_X_SAFLAGS_NATT_REM
413 413 #define IPSA_F_BEHIND_NAT SADB_X_SAFLAGS_NATTED
414 414 #define IPSA_F_NATT (SADB_X_SAFLAGS_NATT_LOC | SADB_X_SAFLAGS_NATT_REM | \
415 415 SADB_X_SAFLAGS_NATTED)
416 416 #define IPSA_F_CINVALID 0x40000 /* SA shouldn't be cached */
417 417 #define IPSA_F_PAIRED SADB_X_SAFLAGS_PAIRED /* SA is one of a pair */
418 418 #define IPSA_F_OUTBOUND SADB_X_SAFLAGS_OUTBOUND /* SA direction bit */
419 419 #define IPSA_F_INBOUND SADB_X_SAFLAGS_INBOUND /* SA direction bit */
420 420 #define IPSA_F_TUNNEL SADB_X_SAFLAGS_TUNNEL
421 421 /*
422 422 * These flags are only defined here to prevent a flag value collision.
423 423 */
424 424 #define IPSA_F_COMBINED SADB_X_SAFLAGS_EALG1 /* Defined in pfkeyv2.h */
425 425 #define IPSA_F_COUNTERMODE SADB_X_SAFLAGS_EALG2 /* Defined in pfkeyv2.h */
426 426
427 427 /*
428 428 * Sets of flags that are allowed to by set or modified by PF_KEY apps.
429 429 */
430 430 #define AH_UPDATE_SETTABLE_FLAGS \
431 431 (SADB_X_SAFLAGS_PAIRED | SADB_SAFLAGS_NOREPLAY | \
432 432 SADB_X_SAFLAGS_OUTBOUND | SADB_X_SAFLAGS_INBOUND | \
433 433 SADB_X_SAFLAGS_KM1 | SADB_X_SAFLAGS_KM2 | \
434 434 SADB_X_SAFLAGS_KM3 | SADB_X_SAFLAGS_KM4)
435 435
436 436 /* AH can't set NAT flags (or even use NAT). Add NAT flags to the ESP set. */
437 437 #define ESP_UPDATE_SETTABLE_FLAGS (AH_UPDATE_SETTABLE_FLAGS | IPSA_F_NATT)
438 438
439 439 #define AH_ADD_SETTABLE_FLAGS \
440 440 (AH_UPDATE_SETTABLE_FLAGS | SADB_X_SAFLAGS_AALG1 | \
441 441 SADB_X_SAFLAGS_AALG2 | SADB_X_SAFLAGS_TUNNEL | \
442 442 SADB_SAFLAGS_NOREPLAY)
443 443
444 444 /* AH can't set NAT flags (or even use NAT). Add NAT flags to the ESP set. */
445 445 #define ESP_ADD_SETTABLE_FLAGS (AH_ADD_SETTABLE_FLAGS | IPSA_F_NATT | \
446 446 SADB_X_SAFLAGS_EALG1 | SADB_X_SAFLAGS_EALG2)
447 447
448 448
449 449
450 450 /* SA states are important for handling UPDATE PF_KEY messages. */
451 451 #define IPSA_STATE_LARVAL SADB_SASTATE_LARVAL
452 452 #define IPSA_STATE_MATURE SADB_SASTATE_MATURE
453 453 #define IPSA_STATE_DYING SADB_SASTATE_DYING
454 454 #define IPSA_STATE_DEAD SADB_SASTATE_DEAD
455 455 #define IPSA_STATE_IDLE SADB_X_SASTATE_IDLE
456 456 #define IPSA_STATE_ACTIVE_ELSEWHERE SADB_X_SASTATE_ACTIVE_ELSEWHERE
457 457
458 458 /*
459 459 * NOTE: If the document authors do things right in defining algorithms, we'll
460 460 * probably have flags for what all is here w.r.t. replay, ESP w/HMAC,
461 461 * etc.
462 462 */
463 463
464 464 #define IPSA_T_ACQUIRE SEC_TYPE_NONE /* If this typed returned, sa needed */
465 465 #define IPSA_T_AH SEC_TYPE_AH /* IPsec AH association */
466 466 #define IPSA_T_ESP SEC_TYPE_ESP /* IPsec ESP association */
467 467
468 468 #define IPSA_AALG_NONE SADB_AALG_NONE /* No auth. algorithm */
469 469 #define IPSA_AALG_MD5H SADB_AALG_MD5HMAC /* MD5-HMAC algorithm */
470 470 #define IPSA_AALG_SHA1H SADB_AALG_SHA1HMAC /* SHA1-HMAC algorithm */
471 471
472 472 #define IPSA_EALG_NONE SADB_EALG_NONE /* No encryption algorithm */
473 473 #define IPSA_EALG_DES_CBC SADB_EALG_DESCBC
474 474 #define IPSA_EALG_3DES SADB_EALG_3DESCBC
475 475
476 476 /*
477 477 * Protect each ipsa_t bucket (and linkage) with a lock.
478 478 */
479 479
480 480 typedef struct isaf_s {
481 481 ipsa_t *isaf_ipsa;
482 482 kmutex_t isaf_lock;
483 483 uint64_t isaf_gen;
484 484 } isaf_t;
485 485
486 486 /*
487 487 * ACQUIRE record. If AH/ESP/whatever cannot find an association for outbound
488 488 * traffic, it sends up an SADB_ACQUIRE message and create an ACQUIRE record.
489 489 */
490 490
491 491 #define IPSACQ_MAXPACKETS 4 /* Number of packets that can be queued up */
492 492 /* waiting for an ACQUIRE to finish. */
493 493
494 494 typedef struct ipsacq_s {
495 495 struct ipsacq_s *ipsacq_next;
496 496 struct ipsacq_s **ipsacq_ptpn;
497 497 kmutex_t *ipsacq_linklock;
498 498 struct ipsec_policy_s *ipsacq_policy;
499 499 struct ipsec_action_s *ipsacq_act;
500 500
501 501 sa_family_t ipsacq_addrfam; /* Address family. */
502 502 sa_family_t ipsacq_inneraddrfam; /* Inner-packet address family. */
503 503 int ipsacq_numpackets; /* How many packets queued up so far. */
504 504 uint32_t ipsacq_seq; /* PF_KEY sequence number. */
505 505 uint64_t ipsacq_unique_id; /* Unique ID for SAs that need it. */
506 506
507 507 kmutex_t ipsacq_lock; /* Protects non-linkage fields. */
508 508 time_t ipsacq_expire; /* Wall-clock time when this record expires. */
509 509 mblk_t *ipsacq_mp; /* List of datagrams waiting for an SA. */
510 510
511 511 /* These two point inside the last mblk inserted. */
512 512 uint32_t *ipsacq_srcaddr;
513 513 uint32_t *ipsacq_dstaddr;
514 514
515 515 /* Cache these instead of point so we can mask off accordingly */
516 516 uint32_t ipsacq_innersrc[IPSA_MAX_ADDRLEN];
517 517 uint32_t ipsacq_innerdst[IPSA_MAX_ADDRLEN];
518 518
519 519 /* These may change per-acquire. */
520 520 uint16_t ipsacq_srcport;
521 521 uint16_t ipsacq_dstport;
522 522 uint8_t ipsacq_proto;
523 523 uint8_t ipsacq_inner_proto;
524 524 uint8_t ipsacq_innersrcpfx;
525 525 uint8_t ipsacq_innerdstpfx;
526 526
527 527 /* icmp type and code of triggering packet (if applicable) */
528 528 uint8_t ipsacq_icmp_type;
529 529 uint8_t ipsacq_icmp_code;
530 530
531 531 /* label associated with triggering packet */
532 532 ts_label_t *ipsacq_tsl;
533 533 } ipsacq_t;
534 534
535 535 /*
536 536 * Kernel-generated sequence numbers will be no less than 0x80000000 to
537 537 * forestall any cretinous problems with manual keying accidentally updating
538 538 * an ACQUIRE entry.
539 539 */
540 540 #define IACQF_LOWEST_SEQ 0x80000000
541 541
542 542 #define SADB_AGE_INTERVAL_DEFAULT 8000
543 543
544 544 /*
545 545 * ACQUIRE fanout. Protect each linkage with a lock.
546 546 */
547 547
548 548 typedef struct iacqf_s {
549 549 ipsacq_t *iacqf_ipsacq;
550 550 kmutex_t iacqf_lock;
551 551 } iacqf_t;
552 552
553 553 /*
554 554 * A (network protocol, ipsec protocol) specific SADB.
555 555 * (i.e., one each for {ah, esp} and {v4, v6}.
556 556 *
557 557 * Keep outbound assocs in a simple hash table for now.
558 558 * One danger point, multiple SAs for a single dest will clog a bucket.
559 559 * For the future, consider two-level hashing (2nd hash on IPC?), then probe.
560 560 */
|
↓ open down ↓ |
560 lines elided |
↑ open up ↑ |
561 561
562 562 typedef struct sadb_s
563 563 {
564 564 isaf_t *sdb_of;
565 565 isaf_t *sdb_if;
566 566 iacqf_t *sdb_acq;
567 567 int sdb_hashsize;
568 568 } sadb_t;
569 569
570 570 /*
571 - * A pair of SADB's (one for v4, one for v6), and related state (including
572 - * acquire callbacks).
571 + * A pair of SADB's (one for v4, one for v6), and related state.
573 572 */
574 573
575 574 typedef struct sadbp_s
576 575 {
577 576 uint32_t s_satype;
578 577 uint32_t *s_acquire_timeout;
579 - void (*s_acqfn)(ipsacq_t *, mblk_t *, netstack_t *);
580 578 sadb_t s_v4;
581 579 sadb_t s_v6;
582 580 uint32_t s_addflags;
583 581 uint32_t s_updateflags;
584 582 } sadbp_t;
585 583
586 584 /*
587 585 * A pair of SA's for a single connection, the structure contains a
588 586 * pointer to a SA and the SA its paired with (opposite direction) as well
589 587 * as the SA's respective hash buckets.
590 588 */
591 589 typedef struct ipsap_s
592 590 {
593 591 boolean_t in_inbound_table;
594 592 isaf_t *ipsap_bucket;
595 593 ipsa_t *ipsap_sa_ptr;
596 594 isaf_t *ipsap_pbucket;
597 595 ipsa_t *ipsap_psa_ptr;
598 596 } ipsap_t;
599 597
600 598 typedef struct templist_s
601 599 {
602 600 ipsa_t *ipsa;
603 601 struct templist_s *next;
604 602 } templist_t;
605 603
606 604 /* Pointer to an all-zeroes IPv6 address. */
607 605 #define ALL_ZEROES_PTR ((uint32_t *)&ipv6_all_zeros)
608 606
609 607 /*
610 608 * Form unique id from ip_xmit_attr_t.
611 609 */
612 610 #define SA_FORM_UNIQUE_ID(ixa) \
613 611 SA_UNIQUE_ID((ixa)->ixa_ipsec_src_port, (ixa)->ixa_ipsec_dst_port, \
614 612 (((ixa)->ixa_flags & IXAF_IPSEC_TUNNEL) ? \
615 613 ((ixa)->ixa_ipsec_inaf == AF_INET6 ? \
616 614 IPPROTO_IPV6 : IPPROTO_ENCAP) : \
617 615 (ixa)->ixa_ipsec_proto), \
618 616 (((ixa)->ixa_flags & IXAF_IPSEC_TUNNEL) ? \
619 617 (ixa)->ixa_ipsec_proto : 0))
620 618
621 619 /*
622 620 * This macro is used to generate unique ids (along with the addresses, both
623 621 * inner and outer) for outbound datagrams that require unique SAs.
624 622 *
625 623 * N.B. casts and unsigned shift amounts discourage unwarranted
626 624 * sign extension of dstport, proto, and iproto.
627 625 *
628 626 * Unique ID is 64-bits allocated as follows (pardon my big-endian bias):
629 627 *
630 628 * 6 4 43 33 11
631 629 * 3 7 09 21 65 0
632 630 * +---------------*-------+-------+--------------+---------------+
633 631 * | MUST-BE-ZERO |<iprot>|<proto>| <src port> | <dest port> |
634 632 * +---------------*-------+-------+--------------+---------------+
635 633 *
636 634 * If there are inner addresses (tunnel mode) the ports come from the
637 635 * inner addresses. If there are no inner addresses, the ports come from
638 636 * the outer addresses (transport mode). Tunnel mode MUST have <proto>
639 637 * set to either IPPROTO_ENCAP or IPPPROTO_IPV6.
640 638 */
641 639 #define SA_UNIQUE_ID(srcport, dstport, proto, iproto) \
642 640 ((srcport) | ((uint64_t)(dstport) << 16U) | \
643 641 ((uint64_t)(proto) << 32U) | ((uint64_t)(iproto) << 40U))
644 642
645 643 /*
646 644 * SA_UNIQUE_MASK generates a mask value to use when comparing the unique value
647 645 * from a packet to an SA.
648 646 */
649 647
650 648 #define SA_UNIQUE_MASK(srcport, dstport, proto, iproto) \
651 649 SA_UNIQUE_ID((srcport != 0) ? 0xffff : 0, \
652 650 (dstport != 0) ? 0xffff : 0, \
653 651 (proto != 0) ? 0xff : 0, \
654 652 (iproto != 0) ? 0xff : 0)
655 653
656 654 /*
657 655 * Decompose unique id back into its original fields.
658 656 */
659 657 #define SA_IPROTO(ipsa) ((ipsa)->ipsa_unique_id>>40)&0xff
660 658 #define SA_PROTO(ipsa) ((ipsa)->ipsa_unique_id>>32)&0xff
661 659 #define SA_SRCPORT(ipsa) ((ipsa)->ipsa_unique_id & 0xffff)
662 660 #define SA_DSTPORT(ipsa) (((ipsa)->ipsa_unique_id >> 16) & 0xffff)
663 661
664 662 typedef struct ipsa_query_s ipsa_query_t;
665 663
666 664 typedef boolean_t (*ipsa_match_fn_t)(ipsa_query_t *, ipsa_t *);
667 665
668 666 #define IPSA_NMATCH 10
669 667
670 668 /*
671 669 * SADB query structure.
672 670 *
673 671 * Provide a generalized mechanism for matching entries in the SADB;
674 672 * one of these structures is initialized using sadb_form_query(),
675 673 * and then can be used as a parameter to sadb_match_query() which returns
676 674 * B_TRUE if the SA matches the query.
677 675 *
678 676 * Under the covers, sadb_form_query populates the matchers[] array with
679 677 * functions which are called one at a time until one fails to match.
680 678 */
681 679 struct ipsa_query_s {
682 680 uint32_t req, match;
683 681 sadb_address_t *srcext, *dstext;
684 682 sadb_ident_t *srcid, *dstid;
685 683 sadb_x_kmc_t *kmcext;
686 684 sadb_sa_t *assoc;
687 685 uint32_t spi;
688 686 struct sockaddr_in *src;
689 687 struct sockaddr_in6 *src6;
690 688 struct sockaddr_in *dst;
691 689 struct sockaddr_in6 *dst6;
692 690 sa_family_t af;
693 691 uint32_t *srcaddr, *dstaddr;
694 692 uint32_t ifindex;
695 693 uint32_t kmc, kmp;
696 694 char *didstr, *sidstr;
697 695 uint16_t didtype, sidtype;
698 696 sadbp_t *spp;
699 697 sadb_t *sp;
700 698 isaf_t *inbound, *outbound;
701 699 uint32_t outhash;
702 700 uint32_t inhash;
703 701 ipsa_match_fn_t matchers[IPSA_NMATCH];
704 702 };
705 703
706 704 #define IPSA_Q_SA 0x00000001
707 705 #define IPSA_Q_DST 0x00000002
708 706 #define IPSA_Q_SRC 0x00000004
709 707 #define IPSA_Q_DSTID 0x00000008
710 708 #define IPSA_Q_SRCID 0x00000010
711 709 #define IPSA_Q_KMC 0x00000020
712 710 #define IPSA_Q_INBOUND 0x00000040 /* fill in inbound isaf_t */
713 711 #define IPSA_Q_OUTBOUND 0x00000080 /* fill in outbound isaf_t */
714 712
715 713 int sadb_form_query(keysock_in_t *, uint32_t, uint32_t, ipsa_query_t *, int *);
716 714 boolean_t sadb_match_query(ipsa_query_t *q, ipsa_t *sa);
717 715
718 716
719 717 /*
720 718 * All functions that return an ipsa_t will return it with IPSA_REFHOLD()
721 719 * already called.
722 720 */
723 721
724 722 /* SA retrieval (inbound and outbound) */
725 723 ipsa_t *ipsec_getassocbyspi(isaf_t *, uint32_t, uint32_t *, uint32_t *,
726 724 sa_family_t);
727 725 ipsa_t *ipsec_getassocbyconn(isaf_t *, ip_xmit_attr_t *, uint32_t *, uint32_t *,
728 726 sa_family_t, uint8_t, ts_label_t *);
729 727
730 728 /* SA insertion. */
731 729 int sadb_insertassoc(ipsa_t *, isaf_t *);
732 730
733 731 /* SA table construction and destruction. */
734 732 void sadbp_init(const char *name, sadbp_t *, int, int, netstack_t *);
735 733 void sadbp_flush(sadbp_t *, netstack_t *);
736 734 void sadbp_destroy(sadbp_t *, netstack_t *);
737 735
738 736 /* SA insertion and deletion. */
739 737 int sadb_insertassoc(ipsa_t *, isaf_t *);
740 738 void sadb_unlinkassoc(ipsa_t *);
741 739
742 740 /* Support routines to interface a keysock consumer to PF_KEY. */
743 741 mblk_t *sadb_keysock_out(minor_t);
744 742 int sadb_hardsoftchk(sadb_lifetime_t *, sadb_lifetime_t *, sadb_lifetime_t *);
745 743 int sadb_labelchk(struct keysock_in_s *);
746 744 void sadb_pfkey_echo(queue_t *, mblk_t *, sadb_msg_t *, struct keysock_in_s *,
747 745 ipsa_t *);
748 746 void sadb_pfkey_error(queue_t *, mblk_t *, int, int, uint_t);
749 747 void sadb_keysock_hello(queue_t **, queue_t *, mblk_t *, void (*)(void *),
750 748 void *, timeout_id_t *, int);
751 749 int sadb_addrcheck(queue_t *, mblk_t *, sadb_ext_t *, uint_t, netstack_t *);
752 750 boolean_t sadb_addrfix(keysock_in_t *, queue_t *, mblk_t *, netstack_t *);
753 751 int sadb_addrset(ire_t *);
754 752 int sadb_delget_sa(mblk_t *, keysock_in_t *, sadbp_t *, int *, queue_t *,
755 753 uint8_t);
756 754
757 755 int sadb_purge_sa(mblk_t *, keysock_in_t *, sadb_t *, int *, queue_t *);
758 756 int sadb_common_add(queue_t *, mblk_t *, sadb_msg_t *,
759 757 keysock_in_t *, isaf_t *, isaf_t *, ipsa_t *, boolean_t, boolean_t, int *,
760 758 netstack_t *, sadbp_t *);
761 759 void sadb_set_usetime(ipsa_t *);
762 760 boolean_t sadb_age_bytes(queue_t *, ipsa_t *, uint64_t, boolean_t);
763 761 int sadb_update_sa(mblk_t *, keysock_in_t *, mblk_t **, sadbp_t *,
764 762 int *, queue_t *, int (*)(mblk_t *, keysock_in_t *, int *, netstack_t *),
765 763 netstack_t *, uint8_t);
|
↓ open down ↓ |
176 lines elided |
↑ open up ↑ |
766 764 void sadb_acquire(mblk_t *, ip_xmit_attr_t *, boolean_t, boolean_t);
767 765 void gcm_params_init(ipsa_t *, uchar_t *, uint_t, uchar_t *, ipsa_cm_mech_t *,
768 766 crypto_data_t *);
769 767 void ccm_params_init(ipsa_t *, uchar_t *, uint_t, uchar_t *, ipsa_cm_mech_t *,
770 768 crypto_data_t *);
771 769 void cbc_params_init(ipsa_t *, uchar_t *, uint_t, uchar_t *, ipsa_cm_mech_t *,
772 770 crypto_data_t *);
773 771
774 772 void sadb_destroy_acquire(ipsacq_t *, netstack_t *);
775 773 struct ipsec_stack;
776 -mblk_t *sadb_setup_acquire(ipsacq_t *, uint8_t, struct ipsec_stack *);
777 774 ipsa_t *sadb_getspi(keysock_in_t *, uint32_t, int *, netstack_t *, uint_t);
778 775 void sadb_in_acquire(sadb_msg_t *, sadbp_t *, queue_t *, netstack_t *);
779 776 boolean_t sadb_replay_check(ipsa_t *, uint32_t);
780 777 boolean_t sadb_replay_peek(ipsa_t *, uint32_t);
781 778 int sadb_dump(queue_t *, mblk_t *, keysock_in_t *, sadb_t *);
782 779 void sadb_replay_delete(ipsa_t *);
783 780 void sadb_ager(sadb_t *, queue_t *, int, netstack_t *);
784 781
785 782 timeout_id_t sadb_retimeout(hrtime_t, queue_t *, void (*)(void *), void *,
786 783 uint_t *, uint_t, short);
787 784 void sadb_sa_refrele(void *target);
788 785 mblk_t *sadb_set_lpkt(ipsa_t *, mblk_t *, ip_recv_attr_t *);
789 786 mblk_t *sadb_clear_lpkt(ipsa_t *);
790 787 void sadb_buf_pkt(ipsa_t *, mblk_t *, ip_recv_attr_t *);
791 788 void sadb_clear_buf_pkt(void *ipkt);
792 789
793 790 /* Note that buf_pkt is the product of ip_recv_attr_to_mblk() */
794 791 #define HANDLE_BUF_PKT(taskq, stack, dropper, buf_pkt) \
795 792 { \
796 793 if (buf_pkt != NULL) { \
797 794 if (taskq_dispatch(taskq, sadb_clear_buf_pkt, \
798 795 (void *) buf_pkt, TQ_NOSLEEP) == 0) { \
799 796 /* Dispatch was unsuccessful drop the packets. */ \
800 797 mblk_t *tmp; \
801 798 while (buf_pkt != NULL) { \
802 799 tmp = buf_pkt->b_next; \
803 800 buf_pkt->b_next = NULL; \
804 801 buf_pkt = ip_recv_attr_free_mblk(buf_pkt); \
805 802 ip_drop_packet(buf_pkt, B_TRUE, NULL, \
806 803 DROPPER(stack, \
807 804 ipds_sadb_inidle_timeout), \
808 805 &dropper); \
809 806 buf_pkt = tmp; \
810 807 } \
811 808 } \
812 809 } \
813 810 } \
814 811
815 812 /*
816 813 * Two IPsec rate-limiting routines.
817 814 */
818 815 /*PRINTFLIKE6*/
819 816 extern void ipsec_rl_strlog(netstack_t *, short, short, char,
820 817 ushort_t, char *, ...)
821 818 __KPRINTFLIKE(6);
822 819 extern void ipsec_assocfailure(short, short, char, ushort_t, char *, uint32_t,
823 820 void *, int, netstack_t *);
824 821
825 822 /*
826 823 * Algorithm types.
827 824 */
828 825
829 826 #define IPSEC_NALGTYPES 2
830 827
831 828 typedef enum ipsec_algtype {
832 829 IPSEC_ALG_AUTH = 0,
833 830 IPSEC_ALG_ENCR = 1,
834 831 IPSEC_ALG_ALL = 2
835 832 } ipsec_algtype_t;
836 833
837 834 /*
838 835 * Definitions as per IPsec/ISAKMP DOI.
839 836 */
840 837
841 838 #define IPSEC_MAX_ALGS 256
842 839 #define PROTO_IPSEC_AH 2
843 840 #define PROTO_IPSEC_ESP 3
844 841
845 842 /*
846 843 * Common algorithm info.
847 844 */
848 845 typedef struct ipsec_alginfo
849 846 {
850 847 uint8_t alg_id;
851 848 uint8_t alg_flags;
852 849 uint16_t *alg_key_sizes;
853 850 uint16_t *alg_block_sizes;
854 851 uint16_t *alg_params;
855 852 uint16_t alg_nkey_sizes;
856 853 uint16_t alg_ivlen;
857 854 uint16_t alg_icvlen;
858 855 uint8_t alg_saltlen;
859 856 uint16_t alg_nblock_sizes;
860 857 uint16_t alg_nparams;
861 858 uint16_t alg_minbits;
862 859 uint16_t alg_maxbits;
863 860 uint16_t alg_datalen;
864 861 /*
865 862 * increment: number of bits from keysize to keysize
866 863 * default: # of increments from min to default key len
867 864 */
868 865 uint16_t alg_increment;
869 866 uint16_t alg_default;
870 867 uint16_t alg_default_bits;
871 868 /*
872 869 * Min, max, and default key sizes effectively supported
873 870 * by the encryption framework.
874 871 */
875 872 uint16_t alg_ef_minbits;
876 873 uint16_t alg_ef_maxbits;
877 874 uint16_t alg_ef_default;
878 875 uint16_t alg_ef_default_bits;
879 876
880 877 crypto_mech_type_t alg_mech_type; /* KCF mechanism type */
881 878 crypto_mech_name_t alg_mech_name; /* KCF mechanism name */
882 879 } ipsec_alginfo_t;
883 880
884 881 #define alg_datalen alg_block_sizes[0]
885 882 #define ALG_VALID(_alg) ((_alg)->alg_flags & ALG_FLAG_VALID)
886 883
887 884 /*
888 885 * Software crypto execution mode.
889 886 */
890 887 typedef enum {
891 888 IPSEC_ALGS_EXEC_SYNC = 0,
892 889 IPSEC_ALGS_EXEC_ASYNC = 1
893 890 } ipsec_algs_exec_mode_t;
894 891
895 892 extern void ipsec_alg_reg(ipsec_algtype_t, ipsec_alginfo_t *, netstack_t *);
896 893 extern void ipsec_alg_unreg(ipsec_algtype_t, uint8_t, netstack_t *);
897 894 extern void ipsec_alg_fix_min_max(ipsec_alginfo_t *, ipsec_algtype_t,
898 895 netstack_t *ns);
899 896 extern void alg_flag_check(ipsec_alginfo_t *);
900 897 extern void ipsec_alg_free(ipsec_alginfo_t *);
901 898 extern void ipsec_register_prov_update(void);
902 899 extern void sadb_alg_update(ipsec_algtype_t, uint8_t, boolean_t, netstack_t *);
903 900
904 901 extern int sadb_sens_len_from_label(ts_label_t *);
905 902 extern void sadb_sens_from_label(sadb_sens_t *, int, ts_label_t *, int);
906 903
907 904 /*
908 905 * Context templates management.
909 906 */
910 907
911 908 #define IPSEC_CTX_TMPL_ALLOC ((crypto_ctx_template_t)-1)
912 909 #define IPSEC_CTX_TMPL(_sa, _which, _type, _tmpl) { \
913 910 if ((_tmpl = (_sa)->_which) == IPSEC_CTX_TMPL_ALLOC) { \
914 911 mutex_enter(&assoc->ipsa_lock); \
915 912 if ((_sa)->_which == IPSEC_CTX_TMPL_ALLOC) { \
916 913 ipsec_stack_t *ipss; \
917 914 \
918 915 ipss = assoc->ipsa_netstack->netstack_ipsec; \
919 916 rw_enter(&ipss->ipsec_alg_lock, RW_READER); \
920 917 (void) ipsec_create_ctx_tmpl(_sa, _type); \
921 918 rw_exit(&ipss->ipsec_alg_lock); \
922 919 } \
923 920 mutex_exit(&assoc->ipsa_lock); \
924 921 if ((_tmpl = (_sa)->_which) == IPSEC_CTX_TMPL_ALLOC) \
925 922 _tmpl = NULL; \
926 923 } \
927 924 }
928 925
929 926 extern int ipsec_create_ctx_tmpl(ipsa_t *, ipsec_algtype_t);
930 927 extern void ipsec_destroy_ctx_tmpl(ipsa_t *, ipsec_algtype_t);
931 928
932 929 /* key checking */
933 930 extern int ipsec_check_key(crypto_mech_type_t, sadb_key_t *, boolean_t, int *);
934 931
935 932 typedef struct ipsec_kstats_s {
936 933 kstat_named_t esp_stat_in_requests;
937 934 kstat_named_t esp_stat_in_discards;
938 935 kstat_named_t esp_stat_lookup_failure;
939 936 kstat_named_t ah_stat_in_requests;
940 937 kstat_named_t ah_stat_in_discards;
941 938 kstat_named_t ah_stat_lookup_failure;
942 939 kstat_named_t sadb_acquire_maxpackets;
943 940 kstat_named_t sadb_acquire_qhiwater;
944 941 } ipsec_kstats_t;
945 942
946 943 /*
947 944 * (ipss)->ipsec_kstats is equal to (ipss)->ipsec_ksp->ks_data if
948 945 * kstat_create_netstack for (ipss)->ipsec_ksp succeeds, but when it
949 946 * fails, it will be NULL. Note this is done for all stack instances,
950 947 * so it *could* fail. hence a non-NULL checking is done for
951 948 * IP_ESP_BUMP_STAT, IP_AH_BUMP_STAT and IP_ACQUIRE_STAT
952 949 */
953 950 #define IP_ESP_BUMP_STAT(ipss, x) \
954 951 do { \
955 952 if ((ipss)->ipsec_kstats != NULL) \
956 953 ((ipss)->ipsec_kstats->esp_stat_ ## x).value.ui64++; \
957 954 _NOTE(CONSTCOND) \
958 955 } while (0)
959 956
960 957 #define IP_AH_BUMP_STAT(ipss, x) \
961 958 do { \
962 959 if ((ipss)->ipsec_kstats != NULL) \
963 960 ((ipss)->ipsec_kstats->ah_stat_ ## x).value.ui64++; \
964 961 _NOTE(CONSTCOND) \
965 962 } while (0)
966 963
967 964 #define IP_ACQUIRE_STAT(ipss, val, new) \
968 965 do { \
969 966 if ((ipss)->ipsec_kstats != NULL && \
970 967 ((uint64_t)(new)) > \
971 968 ((ipss)->ipsec_kstats->sadb_acquire_ ## val).value.ui64) \
972 969 ((ipss)->ipsec_kstats->sadb_acquire_ ## val).value.ui64 = \
973 970 ((uint64_t)(new)); \
974 971 _NOTE(CONSTCOND) \
975 972 } while (0)
976 973
977 974
978 975 #ifdef __cplusplus
979 976 }
980 977 #endif
981 978
982 979 #endif /* _INET_SADB_H */
|
↓ open down ↓ |
196 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX