Print this page
5045 use atomic_{inc,dec}_* instead of atomic_add_*
Split |
Close |
Expand all |
Collapse all |
--- old/usr/src/uts/common/inet/ipsec_impl.h
+++ new/usr/src/uts/common/inet/ipsec_impl.h
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 */
25 25
26 26 #ifndef _INET_IPSEC_IMPL_H
27 27 #define _INET_IPSEC_IMPL_H
28 28
29 29 #include <inet/ip.h>
30 30 #include <inet/ipdrop.h>
31 31
32 32 #ifdef __cplusplus
33 33 extern "C" {
34 34 #endif
35 35
36 36 #define IPSEC_CONF_SRC_ADDRESS 0 /* Source Address */
37 37 #define IPSEC_CONF_SRC_PORT 1 /* Source Port */
38 38 #define IPSEC_CONF_DST_ADDRESS 2 /* Dest Address */
39 39 #define IPSEC_CONF_DST_PORT 3 /* Dest Port */
40 40 #define IPSEC_CONF_SRC_MASK 4 /* Source Address Mask */
41 41 #define IPSEC_CONF_DST_MASK 5 /* Destination Address Mask */
42 42 #define IPSEC_CONF_ULP 6 /* Upper layer Port */
43 43 #define IPSEC_CONF_IPSEC_PROT 7 /* AH or ESP or AH_ESP */
44 44 #define IPSEC_CONF_IPSEC_AALGS 8 /* Auth Algorithms - MD5 etc. */
45 45 #define IPSEC_CONF_IPSEC_EALGS 9 /* Encr Algorithms - DES etc. */
46 46 #define IPSEC_CONF_IPSEC_EAALGS 10 /* Encr Algorithms - MD5 etc. */
47 47 #define IPSEC_CONF_IPSEC_SA 11 /* Shared or unique SA */
48 48 #define IPSEC_CONF_IPSEC_DIR 12 /* Direction of traffic */
49 49 #define IPSEC_CONF_ICMP_TYPE 13 /* ICMP type */
50 50 #define IPSEC_CONF_ICMP_CODE 14 /* ICMP code */
51 51 #define IPSEC_CONF_NEGOTIATE 15 /* Negotiation */
52 52 #define IPSEC_CONF_TUNNEL 16 /* Tunnel */
53 53
54 54 /* Type of an entry */
55 55
56 56 #define IPSEC_NTYPES 0x02
57 57 #define IPSEC_TYPE_OUTBOUND 0x00
58 58 #define IPSEC_TYPE_INBOUND 0x01
59 59
60 60 /* Policy */
61 61 #define IPSEC_POLICY_APPLY 0x01
62 62 #define IPSEC_POLICY_DISCARD 0x02
63 63 #define IPSEC_POLICY_BYPASS 0x03
64 64
65 65 /* Shared or unique SA */
66 66 #define IPSEC_SHARED_SA 0x01
67 67 #define IPSEC_UNIQUE_SA 0x02
68 68
69 69 /* IPsec protocols and combinations */
70 70 #define IPSEC_AH_ONLY 0x01
71 71 #define IPSEC_ESP_ONLY 0x02
72 72 #define IPSEC_AH_ESP 0x03
73 73
74 74 /*
75 75 * Internally defined "any" algorithm.
76 76 * Move to PF_KEY v3 when that RFC is released.
77 77 */
78 78 #define SADB_AALG_ANY 255
79 79
80 80 #ifdef _KERNEL
81 81
82 82 #include <inet/common.h>
83 83 #include <netinet/ip6.h>
84 84 #include <netinet/icmp6.h>
85 85 #include <net/pfkeyv2.h>
86 86 #include <inet/ip.h>
87 87 #include <inet/sadb.h>
88 88 #include <inet/ipsecah.h>
89 89 #include <inet/ipsecesp.h>
90 90 #include <sys/crypto/common.h>
91 91 #include <sys/crypto/api.h>
92 92 #include <sys/avl.h>
93 93
94 94 /*
95 95 * Maximum number of authentication algorithms (can be indexed by one byte
96 96 * per PF_KEY and the IKE IPsec DOI.
97 97 */
98 98 #define MAX_AALGS 256
99 99
100 100 /*
101 101 * IPsec task queue constants.
102 102 */
103 103 #define IPSEC_TASKQ_MIN 10
104 104 #define IPSEC_TASKQ_MAX 20
105 105
106 106 /*
107 107 * So we can access IPsec global variables that live in keysock.c.
108 108 */
109 109 extern boolean_t keysock_extended_reg(netstack_t *);
110 110 extern uint32_t keysock_next_seq(netstack_t *);
111 111
112 112 /*
113 113 * Locking for ipsec policy rules:
114 114 *
115 115 * policy heads: system policy is static; per-conn polheads are dynamic,
116 116 * and refcounted (and inherited); use atomic refcounts and "don't let
117 117 * go with both hands".
118 118 *
119 119 * policy: refcounted; references from polhead, ipsec_out
120 120 *
121 121 * actions: refcounted; referenced from: action hash table, policy, ipsec_out
122 122 * selectors: refcounted; referenced from: selector hash table, policy.
123 123 */
124 124
125 125 /*
126 126 * the following are inspired by, but not directly based on,
127 127 * some of the sys/queue.h type-safe pseudo-polymorphic macros
128 128 * found in BSD.
129 129 *
130 130 * XXX If we use these more generally, we'll have to make the names
131 131 * less generic (HASH_* will probably clobber other namespaces).
132 132 */
133 133
134 134 #define HASH_LOCK(table, hash) \
135 135 mutex_enter(&(table)[hash].hash_lock)
136 136 #define HASH_UNLOCK(table, hash) \
137 137 mutex_exit(&(table)[hash].hash_lock)
138 138
139 139 #define HASH_LOCKED(table, hash) \
140 140 MUTEX_HELD(&(table)[hash].hash_lock)
141 141
142 142 #define HASH_ITERATE(var, field, table, hash) \
143 143 var = table[hash].hash_head; var != NULL; var = var->field.hash_next
144 144
145 145 #define HASH_NEXT(var, field) \
146 146 (var)->field.hash_next
147 147
148 148 #define HASH_INSERT(var, field, table, hash) \
149 149 { \
150 150 ASSERT(HASH_LOCKED(table, hash)); \
151 151 (var)->field.hash_next = (table)[hash].hash_head; \
152 152 (var)->field.hash_pp = &(table)[hash].hash_head; \
153 153 (table)[hash].hash_head = var; \
154 154 if ((var)->field.hash_next != NULL) \
155 155 (var)->field.hash_next->field.hash_pp = \
156 156 &((var)->field.hash_next); \
157 157 }
158 158
159 159
160 160 #define HASH_UNCHAIN(var, field, table, hash) \
161 161 { \
162 162 ASSERT(MUTEX_HELD(&(table)[hash].hash_lock)); \
163 163 HASHLIST_UNCHAIN(var, field); \
164 164 }
165 165
166 166 #define HASHLIST_INSERT(var, field, head) \
167 167 { \
168 168 (var)->field.hash_next = head; \
169 169 (var)->field.hash_pp = &(head); \
170 170 head = var; \
171 171 if ((var)->field.hash_next != NULL) \
172 172 (var)->field.hash_next->field.hash_pp = \
173 173 &((var)->field.hash_next); \
174 174 }
175 175
176 176 #define HASHLIST_UNCHAIN(var, field) \
177 177 { \
178 178 *var->field.hash_pp = var->field.hash_next; \
179 179 if (var->field.hash_next) \
180 180 var->field.hash_next->field.hash_pp = \
181 181 var->field.hash_pp; \
182 182 HASH_NULL(var, field); \
183 183 }
184 184
185 185
186 186 #define HASH_NULL(var, field) \
187 187 { \
188 188 var->field.hash_next = NULL; \
189 189 var->field.hash_pp = NULL; \
190 190 }
191 191
192 192 #define HASH_LINK(fieldname, type) \
193 193 struct { \
194 194 type *hash_next; \
195 195 type **hash_pp; \
196 196 } fieldname
197 197
198 198
199 199 #define HASH_HEAD(tag) \
200 200 struct { \
201 201 struct tag *hash_head; \
202 202 kmutex_t hash_lock; \
203 203 }
204 204
205 205
206 206 typedef struct ipsec_policy_s ipsec_policy_t;
207 207
208 208 typedef HASH_HEAD(ipsec_policy_s) ipsec_policy_hash_t;
209 209
210 210 /*
211 211 * When adding new fields to ipsec_prot_t, make sure to update
212 212 * ipsec_in_to_out_action() as well as other code in spd.c
213 213 */
214 214
215 215 typedef struct ipsec_prot
216 216 {
217 217 unsigned int
218 218 ipp_use_ah : 1,
219 219 ipp_use_esp : 1,
220 220 ipp_use_se : 1,
221 221 ipp_use_unique : 1,
222 222 ipp_use_espa : 1,
223 223 ipp_pad : 27;
224 224 uint8_t ipp_auth_alg; /* DOI number */
225 225 uint8_t ipp_encr_alg; /* DOI number */
226 226 uint8_t ipp_esp_auth_alg; /* DOI number */
227 227 uint16_t ipp_ah_minbits; /* AH: min keylen */
228 228 uint16_t ipp_ah_maxbits; /* AH: max keylen */
229 229 uint16_t ipp_espe_minbits; /* ESP encr: min keylen */
230 230 uint16_t ipp_espe_maxbits; /* ESP encr: max keylen */
231 231 uint16_t ipp_espa_minbits; /* ESP auth: min keylen */
232 232 uint16_t ipp_espa_maxbits; /* ESP auth: max keylen */
233 233 uint32_t ipp_km_proto; /* key mgmt protocol */
234 234 uint32_t ipp_km_cookie; /* key mgmt cookie */
235 235 uint32_t ipp_replay_depth; /* replay window */
236 236 /* XXX add lifetimes */
237 237 } ipsec_prot_t;
238 238
239 239 #define IPSEC_MAX_KEYBITS (0xffff)
240 240
241 241 /*
242 242 * An individual policy action, possibly a member of a chain.
243 243 *
244 244 * Action chains may be shared between multiple policy rules.
245 245 *
246 246 * With one exception (IPSEC_POLICY_LOG), a chain consists of an
247 247 * ordered list of alternative ways to handle a packet.
248 248 *
249 249 * All actions are also "interned" into a hash table (to allow
250 250 * multiple rules with the same action chain to share one copy in
251 251 * memory).
252 252 */
253 253
254 254 typedef struct ipsec_act
255 255 {
256 256 uint8_t ipa_type;
257 257 uint8_t ipa_log;
258 258 union
259 259 {
260 260 ipsec_prot_t ipau_apply;
261 261 uint8_t ipau_reject_type;
262 262 uint32_t ipau_resolve_id; /* magic cookie */
263 263 uint8_t ipau_log_type;
264 264 } ipa_u;
265 265 #define ipa_apply ipa_u.ipau_apply
266 266 #define ipa_reject_type ipa_u.ipau_reject_type
267 267 #define ipa_log_type ipa_u.ipau_log_type
268 268 #define ipa_resolve_type ipa_u.ipau_resolve_type
269 269 } ipsec_act_t;
270 270
271 271 #define IPSEC_ACT_APPLY 0x01 /* match IPSEC_POLICY_APPLY */
272 272 #define IPSEC_ACT_DISCARD 0x02 /* match IPSEC_POLICY_DISCARD */
273 273 #define IPSEC_ACT_BYPASS 0x03 /* match IPSEC_POLICY_BYPASS */
274 274 #define IPSEC_ACT_REJECT 0x04
275 275 #define IPSEC_ACT_CLEAR 0x05
276 276
277 277 typedef struct ipsec_action_s
278 278 {
279 279 HASH_LINK(ipa_hash, struct ipsec_action_s);
280 280 struct ipsec_action_s *ipa_next; /* next alternative */
281 281 uint32_t ipa_refs; /* refcount */
282 282 ipsec_act_t ipa_act;
283 283 /*
284 284 * The following bits are equivalent to an OR of bits included in the
285 285 * ipau_apply fields of this and subsequent actions in an
286 286 * action chain; this is an optimization for the sake of
287 287 * ipsec_out_process() in ip.c and a few other places.
288 288 */
289 289 unsigned int
290 290 ipa_hval: 8,
↓ open down ↓ |
290 lines elided |
↑ open up ↑ |
291 291 ipa_allow_clear:1, /* rule allows cleartext? */
292 292 ipa_want_ah:1, /* an action wants ah */
293 293 ipa_want_esp:1, /* an action wants esp */
294 294 ipa_want_se:1, /* an action wants se */
295 295 ipa_want_unique:1, /* want unique sa's */
296 296 ipa_pad:19;
297 297 uint32_t ipa_ovhd; /* per-packet encap ovhd */
298 298 } ipsec_action_t;
299 299
300 300 #define IPACT_REFHOLD(ipa) { \
301 - atomic_add_32(&(ipa)->ipa_refs, 1); \
301 + atomic_inc_32(&(ipa)->ipa_refs); \
302 302 ASSERT((ipa)->ipa_refs != 0); \
303 303 }
304 304 #define IPACT_REFRELE(ipa) { \
305 305 ASSERT((ipa)->ipa_refs != 0); \
306 306 membar_exit(); \
307 - if (atomic_add_32_nv(&(ipa)->ipa_refs, -1) == 0) \
307 + if (atomic_dec_32_nv(&(ipa)->ipa_refs) == 0) \
308 308 ipsec_action_free(ipa); \
309 309 (ipa) = 0; \
310 310 }
311 311
312 312 /*
313 313 * For now, use a trivially sized hash table for actions.
314 314 * In the future we can add the structure canonicalization necessary
315 315 * to get the hash function to behave correctly..
316 316 */
317 317 #define IPSEC_ACTION_HASH_SIZE 1
318 318
319 319 /*
320 320 * Merged address structure, for cheezy address-family independent
321 321 * matches in policy code.
322 322 */
323 323
324 324 typedef union ipsec_addr
325 325 {
326 326 in6_addr_t ipsad_v6;
327 327 in_addr_t ipsad_v4;
328 328 } ipsec_addr_t;
329 329
330 330 /*
331 331 * ipsec selector set, as used by the kernel policy structures.
332 332 * Note that that we specify "local" and "remote"
333 333 * rather than "source" and "destination", which allows the selectors
334 334 * for symmetric policy rules to be shared between inbound and
335 335 * outbound rules.
336 336 *
337 337 * "local" means "destination" on inbound, and "source" on outbound.
338 338 * "remote" means "source" on inbound, and "destination" on outbound.
339 339 * XXX if we add a fifth policy enforcement point for forwarded packets,
340 340 * what do we do?
341 341 *
342 342 * The ipsl_valid mask is not done as a bitfield; this is so we
343 343 * can use "ffs()" to find the "most interesting" valid tag.
344 344 *
345 345 * XXX should we have multiple types for space-conservation reasons?
346 346 * (v4 vs v6? prefix vs. range)?
347 347 */
348 348
349 349 typedef struct ipsec_selkey
350 350 {
351 351 uint32_t ipsl_valid; /* bitmask of valid entries */
352 352 #define IPSL_REMOTE_ADDR 0x00000001
353 353 #define IPSL_LOCAL_ADDR 0x00000002
354 354 #define IPSL_REMOTE_PORT 0x00000004
355 355 #define IPSL_LOCAL_PORT 0x00000008
356 356 #define IPSL_PROTOCOL 0x00000010
357 357 #define IPSL_ICMP_TYPE 0x00000020
358 358 #define IPSL_ICMP_CODE 0x00000040
359 359 #define IPSL_IPV6 0x00000080
360 360 #define IPSL_IPV4 0x00000100
361 361
362 362 #define IPSL_WILDCARD 0x0000007f
363 363
364 364 ipsec_addr_t ipsl_local;
365 365 ipsec_addr_t ipsl_remote;
366 366 uint16_t ipsl_lport;
367 367 uint16_t ipsl_rport;
368 368 /*
369 369 * ICMP type and code selectors. Both have an end value to
370 370 * specify ranges, or * and *_end are equal for a single
371 371 * value
372 372 */
373 373 uint8_t ipsl_icmp_type;
374 374 uint8_t ipsl_icmp_type_end;
375 375 uint8_t ipsl_icmp_code;
376 376 uint8_t ipsl_icmp_code_end;
377 377
378 378 uint8_t ipsl_proto; /* ip payload type */
379 379 uint8_t ipsl_local_pfxlen; /* #bits of prefix */
380 380 uint8_t ipsl_remote_pfxlen; /* #bits of prefix */
381 381 uint8_t ipsl_mbz;
382 382
383 383 /* Insert new elements above this line */
384 384 uint32_t ipsl_pol_hval;
385 385 uint32_t ipsl_sel_hval;
386 386 } ipsec_selkey_t;
387 387
388 388 typedef struct ipsec_sel
389 389 {
390 390 HASH_LINK(ipsl_hash, struct ipsec_sel);
391 391 uint32_t ipsl_refs; /* # refs to this sel */
392 392 ipsec_selkey_t ipsl_key; /* actual selector guts */
393 393 } ipsec_sel_t;
394 394
395 395 /*
396 396 * One policy rule. This will be linked into a single hash chain bucket in
397 397 * the parent rule structure. If the selector is simple enough to
398 398 * allow hashing, it gets filed under ipsec_policy_root_t->ipr_hash.
399 399 * Otherwise it goes onto a linked list in ipsec_policy_root_t->ipr_nonhash[af]
400 400 *
401 401 * In addition, we file the rule into an avl tree keyed by the rule index.
402 402 * (Duplicate rules are permitted; the comparison function breaks ties).
403 403 */
404 404 struct ipsec_policy_s
405 405 {
406 406 HASH_LINK(ipsp_hash, struct ipsec_policy_s);
↓ open down ↓ |
89 lines elided |
↑ open up ↑ |
407 407 avl_node_t ipsp_byid;
408 408 uint64_t ipsp_index; /* unique id */
409 409 uint32_t ipsp_prio; /* rule priority */
410 410 uint32_t ipsp_refs;
411 411 ipsec_sel_t *ipsp_sel; /* selector set (shared) */
412 412 ipsec_action_t *ipsp_act; /* action (may be shared) */
413 413 netstack_t *ipsp_netstack; /* No netstack_hold */
414 414 };
415 415
416 416 #define IPPOL_REFHOLD(ipp) { \
417 - atomic_add_32(&(ipp)->ipsp_refs, 1); \
417 + atomic_inc_32(&(ipp)->ipsp_refs); \
418 418 ASSERT((ipp)->ipsp_refs != 0); \
419 419 }
420 420 #define IPPOL_REFRELE(ipp) { \
421 421 ASSERT((ipp)->ipsp_refs != 0); \
422 422 membar_exit(); \
423 - if (atomic_add_32_nv(&(ipp)->ipsp_refs, -1) == 0) \
423 + if (atomic_dec_32_nv(&(ipp)->ipsp_refs) == 0) \
424 424 ipsec_policy_free(ipp); \
425 425 (ipp) = 0; \
426 426 }
427 427
428 428 #define IPPOL_UNCHAIN(php, ip) \
429 429 HASHLIST_UNCHAIN((ip), ipsp_hash); \
430 430 avl_remove(&(php)->iph_rulebyid, (ip)); \
431 431 IPPOL_REFRELE(ip);
432 432
433 433 /*
434 434 * Policy ruleset. One per (protocol * direction) for system policy.
435 435 */
436 436
437 437 #define IPSEC_AF_V4 0
438 438 #define IPSEC_AF_V6 1
439 439 #define IPSEC_NAF 2
440 440
441 441 typedef struct ipsec_policy_root_s
442 442 {
443 443 ipsec_policy_t *ipr_nonhash[IPSEC_NAF];
444 444 int ipr_nchains;
445 445 ipsec_policy_hash_t *ipr_hash;
446 446 } ipsec_policy_root_t;
447 447
448 448 /*
449 449 * Policy head. One for system policy; there may also be one present
450 450 * on ill_t's with interface-specific policy, as well as one present
451 451 * for sockets with per-socket policy allocated.
452 452 */
453 453
↓ open down ↓ |
20 lines elided |
↑ open up ↑ |
454 454 typedef struct ipsec_policy_head_s
455 455 {
456 456 uint32_t iph_refs;
457 457 krwlock_t iph_lock;
458 458 uint64_t iph_gen; /* generation number */
459 459 ipsec_policy_root_t iph_root[IPSEC_NTYPES];
460 460 avl_tree_t iph_rulebyid;
461 461 } ipsec_policy_head_t;
462 462
463 463 #define IPPH_REFHOLD(iph) { \
464 - atomic_add_32(&(iph)->iph_refs, 1); \
464 + atomic_inc_32(&(iph)->iph_refs); \
465 465 ASSERT((iph)->iph_refs != 0); \
466 466 }
467 467 #define IPPH_REFRELE(iph, ns) { \
468 468 ASSERT((iph)->iph_refs != 0); \
469 469 membar_exit(); \
470 - if (atomic_add_32_nv(&(iph)->iph_refs, -1) == 0) \
470 + if (atomic_dec_32_nv(&(iph)->iph_refs) == 0) \
471 471 ipsec_polhead_free(iph, ns); \
472 472 (iph) = 0; \
473 473 }
474 474
475 475 /*
476 476 * IPsec fragment related structures
477 477 */
478 478
479 479 typedef struct ipsec_fragcache_entry {
480 480 struct ipsec_fragcache_entry *itpfe_next; /* hash list chain */
481 481 mblk_t *itpfe_fraglist; /* list of fragments */
482 482 time_t itpfe_exp; /* time when entry is stale */
483 483 int itpfe_depth; /* # of fragments in list */
484 484 ipsec_addr_t itpfe_frag_src;
485 485 ipsec_addr_t itpfe_frag_dst;
486 486 #define itpfe_src itpfe_frag_src.ipsad_v4
487 487 #define itpfe_src6 itpfe_frag_src.ipsad_v6
488 488 #define itpfe_dst itpfe_frag_dst.ipsad_v4
489 489 #define itpfe_dst6 itpfe_frag_dst.ipsad_v6
490 490 uint32_t itpfe_id; /* IP datagram ID */
491 491 uint8_t itpfe_proto; /* IP Protocol */
492 492 uint8_t itpfe_last; /* Last packet */
493 493 } ipsec_fragcache_entry_t;
494 494
495 495 typedef struct ipsec_fragcache {
496 496 kmutex_t itpf_lock;
497 497 struct ipsec_fragcache_entry **itpf_ptr;
498 498 struct ipsec_fragcache_entry *itpf_freelist;
499 499 time_t itpf_expire_hint; /* time when oldest entry is stale */
500 500 } ipsec_fragcache_t;
501 501
502 502 /*
503 503 * Tunnel policies. We keep a minature of the transport-mode/global policy
504 504 * per each tunnel instance.
505 505 *
506 506 * People who need both an itp held down AND one of its polheads need to
507 507 * first lock the itp, THEN the polhead, otherwise deadlock WILL occur.
508 508 */
509 509 typedef struct ipsec_tun_pol_s {
510 510 avl_node_t itp_node;
511 511 kmutex_t itp_lock;
512 512 uint64_t itp_next_policy_index;
513 513 ipsec_policy_head_t *itp_policy;
514 514 ipsec_policy_head_t *itp_inactive;
515 515 uint32_t itp_flags;
516 516 uint32_t itp_refcnt;
517 517 char itp_name[LIFNAMSIZ];
518 518 ipsec_fragcache_t itp_fragcache;
519 519 } ipsec_tun_pol_t;
520 520 /* NOTE - Callers (tun code) synchronize their own instances for these flags. */
521 521 #define ITPF_P_ACTIVE 0x1 /* Are we using IPsec right now? */
522 522 #define ITPF_P_TUNNEL 0x2 /* Negotiate tunnel-mode */
523 523 /* Optimization -> Do we have per-port security entries in this polhead? */
524 524 #define ITPF_P_PER_PORT_SECURITY 0x4
525 525 #define ITPF_PFLAGS 0x7
526 526 #define ITPF_SHIFT 3
527 527
528 528 #define ITPF_I_ACTIVE 0x8 /* Is the inactive using IPsec right now? */
529 529 #define ITPF_I_TUNNEL 0x10 /* Negotiate tunnel-mode (on inactive) */
530 530 /* Optimization -> Do we have per-port security entries in this polhead? */
531 531 #define ITPF_I_PER_PORT_SECURITY 0x20
532 532 #define ITPF_IFLAGS 0x38
533 533
534 534 /* NOTE: f cannot be an expression. */
535 535 #define ITPF_CLONE(f) (f) = (((f) & ITPF_PFLAGS) | \
536 536 (((f) & ITPF_PFLAGS) << ITPF_SHIFT));
537 537 #define ITPF_SWAP(f) (f) = ((((f) & ITPF_PFLAGS) << ITPF_SHIFT) | \
538 538 (((f) & ITPF_IFLAGS) >> ITPF_SHIFT))
539 539
540 540 #define ITP_P_ISACTIVE(itp, iph) ((itp)->itp_flags & \
↓ open down ↓ |
60 lines elided |
↑ open up ↑ |
541 541 (((itp)->itp_policy == (iph)) ? ITPF_P_ACTIVE : ITPF_I_ACTIVE))
542 542
543 543 #define ITP_P_ISTUNNEL(itp, iph) ((itp)->itp_flags & \
544 544 (((itp)->itp_policy == (iph)) ? ITPF_P_TUNNEL : ITPF_I_TUNNEL))
545 545
546 546 #define ITP_P_ISPERPORT(itp, iph) ((itp)->itp_flags & \
547 547 (((itp)->itp_policy == (iph)) ? ITPF_P_PER_PORT_SECURITY : \
548 548 ITPF_I_PER_PORT_SECURITY))
549 549
550 550 #define ITP_REFHOLD(itp) { \
551 - atomic_add_32(&((itp)->itp_refcnt), 1); \
551 + atomic_inc_32(&((itp)->itp_refcnt)); \
552 552 ASSERT((itp)->itp_refcnt != 0); \
553 553 }
554 554
555 555 #define ITP_REFRELE(itp, ns) { \
556 556 ASSERT((itp)->itp_refcnt != 0); \
557 557 membar_exit(); \
558 - if (atomic_add_32_nv(&((itp)->itp_refcnt), -1) == 0) \
558 + if (atomic_dec_32_nv(&((itp)->itp_refcnt)) == 0) \
559 559 itp_free(itp, ns); \
560 560 }
561 561
562 562 /*
563 563 * Certificate identity.
564 564 */
565 565
566 566 typedef struct ipsid_s
567 567 {
568 568 struct ipsid_s *ipsid_next;
569 569 struct ipsid_s **ipsid_ptpn;
↓ open down ↓ |
1 lines elided |
↑ open up ↑ |
570 570 uint32_t ipsid_refcnt;
571 571 int ipsid_type; /* id type */
572 572 char *ipsid_cid; /* certificate id string */
573 573 } ipsid_t;
574 574
575 575 /*
576 576 * ipsid_t reference hold/release macros, just like ipsa versions.
577 577 */
578 578
579 579 #define IPSID_REFHOLD(ipsid) { \
580 - atomic_add_32(&(ipsid)->ipsid_refcnt, 1); \
580 + atomic_inc_32(&(ipsid)->ipsid_refcnt); \
581 581 ASSERT((ipsid)->ipsid_refcnt != 0); \
582 582 }
583 583
584 584 /*
585 585 * Decrement the reference count on the ID. Someone else will clean up
586 586 * after us later.
587 587 */
588 588
589 589 #define IPSID_REFRELE(ipsid) { \
590 590 membar_exit(); \
591 - atomic_add_32(&(ipsid)->ipsid_refcnt, -1); \
591 + atomic_dec_32(&(ipsid)->ipsid_refcnt); \
592 592 }
593 593
594 594 /*
595 595 * Following are the estimates of what the maximum AH and ESP header size
596 596 * would be. This is used to tell the upper layer the right value of MSS
597 597 * it should use without consulting AH/ESP. If the size is something
598 598 * different from this, ULP will learn the right one through
599 599 * ICMP_FRAGMENTATION_NEEDED messages generated locally.
600 600 *
601 601 * AH : 12 bytes of constant header + 32 bytes of ICV checksum (SHA-512).
602 602 */
603 603 #define IPSEC_MAX_AH_HDR_SIZE (44)
604 604
605 605 /*
606 606 * ESP : Is a bit more complex...
607 607 *
608 608 * A system of one inequality and one equation MUST be solved for proper ESP
609 609 * overhead. The inequality is:
610 610 *
611 611 * MTU - sizeof (IP header + options) >=
612 612 * sizeof (esph_t) + sizeof (IV or ctr) + data-size + 2 + ICV
613 613 *
614 614 * IV or counter is almost always the cipher's block size. The equation is:
615 615 *
616 616 * data-size % block-size = (block-size - 2)
617 617 *
618 618 * so we can put as much data into the datagram as possible. If we are
619 619 * pessimistic and include our largest overhead cipher (AES) and hash
620 620 * (SHA-512), and assume 1500-byte MTU minus IPv4 overhead of 20 bytes, we get:
621 621 *
622 622 * 1480 >= 8 + 16 + data-size + 2 + 32
623 623 * 1480 >= 58 + data-size
624 624 * 1422 >= data-size, 1422 % 16 = 14, so 58 is the overhead!
625 625 *
626 626 * But, let's re-run the numbers with the same algorithms, but with an IPv6
627 627 * header:
628 628 *
629 629 * 1460 >= 58 + data-size
630 630 * 1402 >= data-size, 1402 % 16 = 10, meaning shrink to 1390 to get 14,
631 631 *
632 632 * which means the overhead is now 70.
633 633 *
634 634 * Hmmm... IPv4 headers can never be anything other than multiples of 4-bytes,
635 635 * and IPv6 ones can never be anything other than multiples of 8-bytes. We've
636 636 * seen overheads of 58 and 70. 58 % 16 == 10, and 70 % 16 == 6. IPv4 could
637 637 * force us to have 62 ( % 16 == 14) or 66 ( % 16 == 2), or IPv6 could force us
638 638 * to have 78 ( % 16 = 14). Let's compute IPv6 + 8-bytes of options:
639 639 *
640 640 * 1452 >= 58 + data-size
641 641 * 1394 >= data-size, 1394 % 16 = 2, meaning shrink to 1390 to get 14,
642 642 *
643 643 * Aha! The "ESP overhead" shrinks to 62 (70 - 8). This is good. Let's try
644 644 * IPv4 + 8 bytes of IPv4 options:
645 645 *
646 646 * 1472 >= 58 + data-size
647 647 * 1414 >= data-size, 1414 % 16 = 6, meaning shrink to 1406,
648 648 *
649 649 * meaning 66 is the overhead. Let's try 12 bytes:
650 650 *
651 651 * 1468 >= 58 + data-size
652 652 * 1410 >= data-size, 1410 % 16 = 2, meaning also shrink to 1406,
653 653 *
654 654 * meaning 62 is the overhead. How about 16 bytes?
655 655 *
656 656 * 1464 >= 58 + data-size
657 657 * 1406 >= data-size, 1402 % 16 = 14, which is great!
658 658 *
659 659 * this means 58 is the overhead. If I wrap and add 20 bytes, it looks just
660 660 * like IPv6's 70 bytes. If I add 24, we go back to 66 bytes.
661 661 *
662 662 * So picking 70 is a sensible, conservative default. Optimal calculations
663 663 * will depend on knowing pre-ESP header length (called "divpoint" in the ESP
664 664 * code), which could be cached in the conn_t for connected endpoints, or
665 665 * which must be computed on every datagram otherwise.
666 666 */
667 667 #define IPSEC_MAX_ESP_HDR_SIZE (70)
668 668
669 669 /*
670 670 * Alternate, when we know the crypto block size via the SA. Assume an ICV on
671 671 * the SA. Use:
672 672 *
673 673 * sizeof (esph_t) + 2 * (sizeof (IV/counter)) - 2 + sizeof (ICV). The "-2"
674 674 * discounts the overhead of the pad + padlen that gets swallowed up by the
675 675 * second (theoretically all-pad) cipher-block. If you use our examples of
676 676 * AES and SHA512, you get:
677 677 *
678 678 * 8 + 32 - 2 + 32 == 70.
679 679 *
680 680 * Which is our pre-computed maximum above.
681 681 */
682 682 #include <inet/ipsecesp.h>
683 683 #define IPSEC_BASE_ESP_HDR_SIZE(sa) \
684 684 (sizeof (esph_t) + ((sa)->ipsa_iv_len << 1) - 2 + (sa)->ipsa_mac_len)
685 685
686 686 /*
687 687 * Identity hash table.
688 688 *
689 689 * Identities are refcounted and "interned" into the hash table.
690 690 * Only references coming from other objects (SA's, latching state)
691 691 * are counted in ipsid_refcnt.
692 692 *
693 693 * Locking: IPSID_REFHOLD is safe only when (a) the object's hash bucket
694 694 * is locked, (b) we know that the refcount must be > 0.
695 695 *
696 696 * The ipsid_next and ipsid_ptpn fields are only to be referenced or
697 697 * modified when the bucket lock is held; in particular, we only
698 698 * delete objects while holding the bucket lock, and we only increase
699 699 * the refcount from 0 to 1 while the bucket lock is held.
700 700 */
701 701
702 702 #define IPSID_HASHSIZE 64
703 703
704 704 typedef struct ipsif_s
705 705 {
706 706 ipsid_t *ipsif_head;
707 707 kmutex_t ipsif_lock;
708 708 } ipsif_t;
709 709
710 710 /*
711 711 * For call to the kernel crypto framework. State needed during
712 712 * the execution of a crypto request.
713 713 */
714 714 typedef struct ipsec_crypto_s {
715 715 size_t ic_skip_len; /* len to skip for AH auth */
716 716 crypto_data_t ic_crypto_data; /* single op crypto data */
717 717 crypto_dual_data_t ic_crypto_dual_data; /* for dual ops */
718 718 crypto_data_t ic_crypto_mac; /* to store the MAC */
719 719 ipsa_cm_mech_t ic_cmm;
720 720 } ipsec_crypto_t;
721 721
722 722 /*
723 723 * IPsec stack instances
724 724 */
725 725 struct ipsec_stack {
726 726 netstack_t *ipsec_netstack; /* Common netstack */
727 727
728 728 /* Packet dropper for IP IPsec processing failures */
729 729 ipdropper_t ipsec_dropper;
730 730
731 731 /* From spd.c */
732 732 /*
733 733 * Policy rule index generator. We assume this won't wrap in the
734 734 * lifetime of a system. If we make 2^20 policy changes per second,
735 735 * this will last 2^44 seconds, or roughly 500,000 years, so we don't
736 736 * have to worry about reusing policy index values.
737 737 */
738 738 uint64_t ipsec_next_policy_index;
739 739
740 740 HASH_HEAD(ipsec_action_s) ipsec_action_hash[IPSEC_ACTION_HASH_SIZE];
741 741 HASH_HEAD(ipsec_sel) *ipsec_sel_hash;
742 742 uint32_t ipsec_spd_hashsize;
743 743
744 744 ipsif_t ipsec_ipsid_buckets[IPSID_HASHSIZE];
745 745
746 746 /*
747 747 * Active & Inactive system policy roots
748 748 */
749 749 ipsec_policy_head_t ipsec_system_policy;
750 750 ipsec_policy_head_t ipsec_inactive_policy;
751 751
752 752 /* Packet dropper for generic SPD drops. */
753 753 ipdropper_t ipsec_spd_dropper;
754 754
755 755 /* ipdrop.c */
756 756 kstat_t *ipsec_ip_drop_kstat;
757 757 struct ip_dropstats *ipsec_ip_drop_types;
758 758
759 759 /* spd.c */
760 760 /*
761 761 * Have a counter for every possible policy message in
762 762 * ipsec_policy_failure_msgs
763 763 */
764 764 uint32_t ipsec_policy_failure_count[IPSEC_POLICY_MAX];
765 765 /* Time since last ipsec policy failure that printed a message. */
766 766 hrtime_t ipsec_policy_failure_last;
767 767
768 768 /* ip_spd.c */
769 769 /* stats */
770 770 kstat_t *ipsec_ksp;
771 771 struct ipsec_kstats_s *ipsec_kstats;
772 772
773 773 /* sadb.c */
774 774 /* Packet dropper for generic SADB drops. */
775 775 ipdropper_t ipsec_sadb_dropper;
776 776
777 777 /* spd.c */
778 778 boolean_t ipsec_inbound_v4_policy_present;
779 779 boolean_t ipsec_outbound_v4_policy_present;
780 780 boolean_t ipsec_inbound_v6_policy_present;
781 781 boolean_t ipsec_outbound_v6_policy_present;
782 782
783 783 /* spd.c */
784 784 /*
785 785 * Because policy needs to know what algorithms are supported, keep the
786 786 * lists of algorithms here.
787 787 */
788 788 kmutex_t ipsec_alg_lock;
789 789
790 790 uint8_t ipsec_nalgs[IPSEC_NALGTYPES];
791 791 ipsec_alginfo_t *ipsec_alglists[IPSEC_NALGTYPES][IPSEC_MAX_ALGS];
792 792
793 793 uint8_t ipsec_sortlist[IPSEC_NALGTYPES][IPSEC_MAX_ALGS];
794 794
795 795 int ipsec_algs_exec_mode[IPSEC_NALGTYPES];
796 796
797 797 uint32_t ipsec_tun_spd_hashsize;
798 798 /*
799 799 * Tunnel policies - AVL tree indexed by tunnel name.
800 800 */
801 801 krwlock_t ipsec_tunnel_policy_lock;
802 802 uint64_t ipsec_tunnel_policy_gen;
803 803 avl_tree_t ipsec_tunnel_policies;
804 804
805 805 /* ipsec_loader.c */
806 806 kmutex_t ipsec_loader_lock;
807 807 int ipsec_loader_state;
808 808 int ipsec_loader_sig;
809 809 kt_did_t ipsec_loader_tid;
810 810 kcondvar_t ipsec_loader_sig_cv; /* For loader_sig conditions. */
811 811
812 812 };
813 813 typedef struct ipsec_stack ipsec_stack_t;
814 814
815 815 /* Handle the kstat_create in ip_drop_init() failing */
816 816 #define DROPPER(_ipss, _dropper) \
817 817 (((_ipss)->ipsec_ip_drop_types == NULL) ? NULL : \
818 818 &((_ipss)->ipsec_ip_drop_types->_dropper))
819 819
820 820 /*
821 821 * Loader states..
822 822 */
823 823 #define IPSEC_LOADER_WAIT 0
824 824 #define IPSEC_LOADER_FAILED -1
825 825 #define IPSEC_LOADER_SUCCEEDED 1
826 826
827 827 /*
828 828 * ipsec_loader entrypoints.
829 829 */
830 830 extern void ipsec_loader_init(ipsec_stack_t *);
831 831 extern void ipsec_loader_start(ipsec_stack_t *);
832 832 extern void ipsec_loader_destroy(ipsec_stack_t *);
833 833 extern void ipsec_loader_loadnow(ipsec_stack_t *);
834 834 extern boolean_t ipsec_loader_wait(queue_t *q, ipsec_stack_t *);
835 835 extern boolean_t ipsec_loaded(ipsec_stack_t *);
836 836 extern boolean_t ipsec_failed(ipsec_stack_t *);
837 837
838 838 /*
839 839 * ipsec policy entrypoints (spd.c)
840 840 */
841 841
842 842 extern void ipsec_policy_g_destroy(void);
843 843 extern void ipsec_policy_g_init(void);
844 844
845 845 extern mblk_t *ipsec_add_crypto_data(mblk_t *, ipsec_crypto_t **);
846 846 extern mblk_t *ipsec_remove_crypto_data(mblk_t *, ipsec_crypto_t **);
847 847 extern mblk_t *ipsec_free_crypto_data(mblk_t *);
848 848 extern int ipsec_alloc_table(ipsec_policy_head_t *, int, int, boolean_t,
849 849 netstack_t *);
850 850 extern void ipsec_polhead_init(ipsec_policy_head_t *, int);
851 851 extern void ipsec_polhead_destroy(ipsec_policy_head_t *);
852 852 extern void ipsec_polhead_free_table(ipsec_policy_head_t *);
853 853 extern mblk_t *ipsec_check_global_policy(mblk_t *, conn_t *, ipha_t *,
854 854 ip6_t *, ip_recv_attr_t *, netstack_t *ns);
855 855 extern mblk_t *ipsec_check_inbound_policy(mblk_t *, conn_t *, ipha_t *, ip6_t *,
856 856 ip_recv_attr_t *);
857 857
858 858 extern boolean_t ipsec_in_to_out(ip_recv_attr_t *, ip_xmit_attr_t *,
859 859 mblk_t *, ipha_t *, ip6_t *);
860 860 extern void ipsec_in_release_refs(ip_recv_attr_t *);
861 861 extern void ipsec_out_release_refs(ip_xmit_attr_t *);
862 862 extern void ipsec_log_policy_failure(int, char *, ipha_t *, ip6_t *, boolean_t,
863 863 netstack_t *);
864 864 extern boolean_t ipsec_inbound_accept_clear(mblk_t *, ipha_t *, ip6_t *);
865 865 extern int ipsec_conn_cache_policy(conn_t *, boolean_t);
866 866 extern void ipsec_cache_outbound_policy(const conn_t *, const in6_addr_t *,
867 867 const in6_addr_t *, in_port_t, ip_xmit_attr_t *);
868 868 extern boolean_t ipsec_outbound_policy_current(ip_xmit_attr_t *);
869 869 extern ipsec_action_t *ipsec_in_to_out_action(ip_recv_attr_t *);
870 870 extern void ipsec_latch_inbound(conn_t *connp, ip_recv_attr_t *ira);
871 871
872 872 extern void ipsec_policy_free(ipsec_policy_t *);
873 873 extern void ipsec_action_free(ipsec_action_t *);
874 874 extern void ipsec_polhead_free(ipsec_policy_head_t *, netstack_t *);
875 875 extern ipsec_policy_head_t *ipsec_polhead_split(ipsec_policy_head_t *,
876 876 netstack_t *);
877 877 extern ipsec_policy_head_t *ipsec_polhead_create(void);
878 878 extern ipsec_policy_head_t *ipsec_system_policy(netstack_t *);
879 879 extern ipsec_policy_head_t *ipsec_inactive_policy(netstack_t *);
880 880 extern void ipsec_swap_policy(ipsec_policy_head_t *, ipsec_policy_head_t *,
881 881 netstack_t *);
882 882 extern void ipsec_swap_global_policy(netstack_t *);
883 883
884 884 extern int ipsec_clone_system_policy(netstack_t *);
885 885 extern ipsec_policy_t *ipsec_policy_create(ipsec_selkey_t *,
886 886 const ipsec_act_t *, int, int, uint64_t *, netstack_t *);
887 887 extern boolean_t ipsec_policy_delete(ipsec_policy_head_t *,
888 888 ipsec_selkey_t *, int, netstack_t *);
889 889 extern int ipsec_policy_delete_index(ipsec_policy_head_t *, uint64_t,
890 890 netstack_t *);
891 891 extern boolean_t ipsec_polhead_insert(ipsec_policy_head_t *, ipsec_act_t *,
892 892 uint_t, int, int, netstack_t *);
893 893 extern void ipsec_polhead_flush(ipsec_policy_head_t *, netstack_t *);
894 894 extern int ipsec_copy_polhead(ipsec_policy_head_t *, ipsec_policy_head_t *,
895 895 netstack_t *);
896 896 extern void ipsec_actvec_from_req(const ipsec_req_t *, ipsec_act_t **, uint_t *,
897 897 netstack_t *);
898 898 extern void ipsec_actvec_free(ipsec_act_t *, uint_t);
899 899 extern int ipsec_req_from_head(ipsec_policy_head_t *, ipsec_req_t *, int);
900 900 extern mblk_t *ipsec_construct_inverse_acquire(sadb_msg_t *, sadb_ext_t **,
901 901 netstack_t *);
902 902 extern ipsec_policy_t *ipsec_find_policy(int, const conn_t *,
903 903 ipsec_selector_t *, netstack_t *);
904 904 extern ipsid_t *ipsid_lookup(int, char *, netstack_t *);
905 905 extern boolean_t ipsid_equal(ipsid_t *, ipsid_t *);
906 906 extern void ipsid_gc(netstack_t *);
907 907 extern void ipsec_latch_ids(ipsec_latch_t *, ipsid_t *, ipsid_t *);
908 908
909 909 extern void ipsec_config_flush(netstack_t *);
910 910 extern boolean_t ipsec_check_policy(ipsec_policy_head_t *, ipsec_policy_t *,
911 911 int);
912 912 extern void ipsec_enter_policy(ipsec_policy_head_t *, ipsec_policy_t *, int,
913 913 netstack_t *);
914 914 extern boolean_t ipsec_check_action(ipsec_act_t *, int *, netstack_t *);
915 915
916 916 extern void iplatch_free(ipsec_latch_t *);
917 917 extern ipsec_latch_t *iplatch_create(void);
918 918 extern int ipsec_set_req(cred_t *, conn_t *, ipsec_req_t *);
919 919
920 920 extern void ipsec_insert_always(avl_tree_t *tree, void *new_node);
921 921
922 922 extern int32_t ipsec_act_ovhd(const ipsec_act_t *act);
923 923 extern mblk_t *sadb_whack_label(mblk_t *, ipsa_t *, ip_xmit_attr_t *,
924 924 kstat_named_t *, ipdropper_t *);
925 925 extern mblk_t *sadb_whack_label_v4(mblk_t *, ipsa_t *, kstat_named_t *,
926 926 ipdropper_t *);
927 927 extern mblk_t *sadb_whack_label_v6(mblk_t *, ipsa_t *, kstat_named_t *,
928 928 ipdropper_t *);
929 929 extern boolean_t update_iv(uint8_t *, queue_t *, ipsa_t *, ipsecesp_stack_t *);
930 930
931 931 /*
932 932 * Tunnel-support SPD functions and variables.
933 933 */
934 934 struct iptun_s; /* Defined in inet/iptun/iptun_impl.h. */
935 935 extern mblk_t *ipsec_tun_inbound(ip_recv_attr_t *, mblk_t *, ipsec_tun_pol_t *,
936 936 ipha_t *, ip6_t *, ipha_t *, ip6_t *, int, netstack_t *);
937 937 extern mblk_t *ipsec_tun_outbound(mblk_t *, struct iptun_s *, ipha_t *,
938 938 ip6_t *, ipha_t *, ip6_t *, int, ip_xmit_attr_t *);
939 939 extern void itp_free(ipsec_tun_pol_t *, netstack_t *);
940 940 extern ipsec_tun_pol_t *create_tunnel_policy(char *, int *, uint64_t *,
941 941 netstack_t *);
942 942 extern ipsec_tun_pol_t *get_tunnel_policy(char *, netstack_t *);
943 943 extern void itp_unlink(ipsec_tun_pol_t *, netstack_t *);
944 944 extern void itp_walk(void (*)(ipsec_tun_pol_t *, void *, netstack_t *),
945 945 void *, netstack_t *);
946 946
947 947 extern ipsec_tun_pol_t *itp_get_byaddr(uint32_t *, uint32_t *, int,
948 948 ip_stack_t *);
949 949
950 950 /*
951 951 * IPsec AH/ESP functions called from IP or the common SADB code in AH.
952 952 */
953 953
954 954 extern void ipsecah_in_assocfailure(mblk_t *, char, ushort_t, char *,
955 955 uint32_t, void *, int, ip_recv_attr_t *ira);
956 956 extern void ipsecesp_in_assocfailure(mblk_t *, char, ushort_t, char *,
957 957 uint32_t, void *, int, ip_recv_attr_t *ira);
958 958 extern void ipsecesp_send_keepalive(ipsa_t *);
959 959
960 960 /*
961 961 * Algorithm management helper functions.
962 962 */
963 963 extern boolean_t ipsec_valid_key_size(uint16_t, ipsec_alginfo_t *);
964 964
965 965 /*
966 966 * Per-socket policy, for now, takes precedence... this priority value
967 967 * insures it.
968 968 */
969 969 #define IPSEC_PRIO_SOCKET 0x1000000
970 970
971 971 /* DDI initialization functions. */
972 972 extern boolean_t ipsecesp_ddi_init(void);
973 973 extern boolean_t ipsecah_ddi_init(void);
974 974 extern boolean_t keysock_ddi_init(void);
975 975 extern boolean_t spdsock_ddi_init(void);
976 976
977 977 extern void ipsecesp_ddi_destroy(void);
978 978 extern void ipsecah_ddi_destroy(void);
979 979 extern void keysock_ddi_destroy(void);
980 980 extern void spdsock_ddi_destroy(void);
981 981
982 982 /*
983 983 * AH- and ESP-specific functions that are called directly by other modules.
984 984 */
985 985 extern void ipsecah_fill_defs(struct sadb_x_ecomb *, netstack_t *);
986 986 extern void ipsecesp_fill_defs(struct sadb_x_ecomb *, netstack_t *);
987 987 extern void ipsecah_algs_changed(netstack_t *);
988 988 extern void ipsecesp_algs_changed(netstack_t *);
989 989 extern void ipsecesp_init_funcs(ipsa_t *);
990 990 extern void ipsecah_init_funcs(ipsa_t *);
991 991 extern mblk_t *ipsecah_icmp_error(mblk_t *, ip_recv_attr_t *);
992 992 extern mblk_t *ipsecesp_icmp_error(mblk_t *, ip_recv_attr_t *);
993 993
994 994 /*
995 995 * spdsock functions that are called directly by IP.
996 996 */
997 997 extern void spdsock_update_pending_algs(netstack_t *);
998 998
999 999 /*
1000 1000 * IP functions that are called from AH and ESP.
1001 1001 */
1002 1002 extern boolean_t ipsec_outbound_sa(mblk_t *, ip_xmit_attr_t *, uint_t);
1003 1003 extern mblk_t *ipsec_inbound_esp_sa(mblk_t *, ip_recv_attr_t *, esph_t **);
1004 1004 extern mblk_t *ipsec_inbound_ah_sa(mblk_t *, ip_recv_attr_t *, ah_t **);
1005 1005 extern ipsec_policy_t *ipsec_find_policy_head(ipsec_policy_t *,
1006 1006 ipsec_policy_head_t *, int, ipsec_selector_t *);
1007 1007
1008 1008 /*
1009 1009 * IP dropper init/destroy.
1010 1010 */
1011 1011 void ip_drop_init(ipsec_stack_t *);
1012 1012 void ip_drop_destroy(ipsec_stack_t *);
1013 1013
1014 1014 /*
1015 1015 * Common functions
1016 1016 */
1017 1017 extern boolean_t ip_addr_match(uint8_t *, int, in6_addr_t *);
1018 1018 extern boolean_t ipsec_label_match(ts_label_t *, ts_label_t *);
1019 1019
1020 1020 /*
1021 1021 * AH and ESP counters types.
1022 1022 */
1023 1023 typedef uint32_t ah_counter;
1024 1024 typedef uint32_t esp_counter;
1025 1025
1026 1026 #endif /* _KERNEL */
1027 1027
1028 1028 #ifdef __cplusplus
1029 1029 }
1030 1030 #endif
1031 1031
1032 1032 #endif /* _INET_IPSEC_IMPL_H */
↓ open down ↓ |
431 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX