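/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
 */

/*
 * Declarations for the IPsec Authentication Header (AH) module: the
 * kernel-only per-netstack state, tunable parameters and statistics, and
 * the on-the-wire AH header layouts with their length macros.
 */

#ifndef	_INET_IPSECAH_H
#define	_INET_IPSECAH_H

#include <inet/ip.h>
#include <inet/ipdrop.h>

#ifdef	__cplusplus
extern "C" {
#endif

#include <sys/note.h>

#ifdef _KERNEL
/*
 * Named Dispatch Parameter Management Structure.
 *
 * One entry per tunable. The min/max fields presumably bound the values
 * accepted for ipsecah_param_value; the code that enforces them is not
 * in this header.
 */
typedef struct ipsecahparam_s {
	uint_t	ipsecah_param_min;
	uint_t	ipsecah_param_max;
	uint_t	ipsecah_param_value;
	char	*ipsecah_param_name;
} ipsecahparam_t;

/*
 * Stats.  This may eventually become a full-blown SNMP MIB once that spec
 * stabilizes.
 *
 * Each member is addressed by AH_BUMP_STAT/AH_DEBUMP_STAT through its name
 * with the "ah_stat_" prefix removed (e.g. AH_BUMP_STAT(ahstack, bad_auth)).
 */
typedef struct ah_kstats_s
{
	kstat_named_t ah_stat_num_aalgs;
	kstat_named_t ah_stat_good_auth;
	kstat_named_t ah_stat_bad_auth;
	kstat_named_t ah_stat_replay_failures;
	kstat_named_t ah_stat_replay_early_failures;
	kstat_named_t ah_stat_keysock_in;
	kstat_named_t ah_stat_out_requests;
	kstat_named_t ah_stat_acquire_requests;
	kstat_named_t ah_stat_bytes_expired;
	kstat_named_t ah_stat_out_discards;
	kstat_named_t ah_stat_crypto_sync;
	kstat_named_t ah_stat_crypto_async;
	kstat_named_t ah_stat_crypto_failures;
} ah_kstats_t;

/*
 * ahstack->ah_kstats is equal to ahstack->ah_ksp->ks_data if
 * kstat_create_netstack for ahstack->ah_ksp succeeds, but when it
 * fails, it will be NULL.  Note this is done for all stack instances,
 * so it *could* fail.  Hence AH_BUMP_STAT and AH_DEBUMP_STAT check for
 * NULL before touching a counter.
 *
 * The update is a plain ++ / -- on value.ui64; the macros take no lock
 * and use no atomic operation themselves, so any serialization is left
 * to the caller.
 *
 * The ahstack argument is parenthesized in the expansion so that any
 * pointer-valued expression can be passed, not just a plain identifier.
 * It is evaluated more than once, so it must be free of side effects.
 */
#define	AH_BUMP_STAT(ahstack, x)					\
do {									\
	if ((ahstack)->ah_kstats != NULL) {				\
		((ahstack)->ah_kstats->ah_stat_ ## x).value.ui64++;	\
	}								\
_NOTE(CONSTCOND)							\
} while (0)
#define	AH_DEBUMP_STAT(ahstack, x)					\
do {									\
	if ((ahstack)->ah_kstats != NULL) {				\
		((ahstack)->ah_kstats->ah_stat_ ## x).value.ui64--;	\
	}								\
_NOTE(CONSTCOND)							\
} while (0)

/*
 * IPSECAH stack instances
 */
struct ipsecah_stack {
	netstack_t		*ipsecah_netstack;	/* Common netstack */

	caddr_t			ipsecah_g_nd;
	ipsecahparam_t		*ipsecah_params;
	kmutex_t		ipsecah_param_lock;	/* Protects params */

	sadbp_t			ah_sadb;

	/* Packet dropper for AH drops. */
	ipdropper_t		ah_dropper;

	kstat_t			*ah_ksp;
	ah_kstats_t		*ah_kstats;	/* NULL if kstat creation failed */

	/*
	 * Keysock instance of AH.  There can be only one per stack instance.
	 * Use atomic_cas_ptr() on this because I don't set it until
	 * KEYSOCK_HELLO comes down.
	 * Paired up with the ah_pfkey_q is the ah_event, which will age SAs.
	 */
	queue_t			*ah_pfkey_q;
	timeout_id_t		ah_event;
};
typedef struct ipsecah_stack ipsecah_stack_t;

/*
 * Shorthand for individual tunables.  Each name expands to a member
 * expression on ipsecah_params, so it is used through a stack pointer,
 * e.g. ahstack->ipsecah_replay_size.  The indices are fixed here; the
 * parameter table they index is defined outside this header and must
 * list its entries in the same order.
 */
#define	ipsecah_debug	ipsecah_params[0].ipsecah_param_value
#define	ipsecah_age_interval	ipsecah_params[1].ipsecah_param_value
#define	ipsecah_age_int_max	ipsecah_params[1].ipsecah_param_max
#define	ipsecah_reap_delay	ipsecah_params[2].ipsecah_param_value
#define	ipsecah_replay_size	ipsecah_params[3].ipsecah_param_value
#define	ipsecah_acquire_timeout	ipsecah_params[4].ipsecah_param_value
#define	ipsecah_larval_timeout	ipsecah_params[5].ipsecah_param_value
#define	ipsecah_default_soft_bytes	ipsecah_params[6].ipsecah_param_value
#define	ipsecah_default_hard_bytes	ipsecah_params[7].ipsecah_param_value
#define	ipsecah_default_soft_addtime	ipsecah_params[8].ipsecah_param_value
#define	ipsecah_default_hard_addtime	ipsecah_params[9].ipsecah_param_value
#define	ipsecah_default_soft_usetime	ipsecah_params[10].ipsecah_param_value
#define	ipsecah_default_hard_usetime	ipsecah_params[11].ipsecah_param_value
#define	ipsecah_log_unknown_spi	ipsecah_params[12].ipsecah_param_value

#endif	/* _KERNEL */

/*
 * For now, only provide "aligned" version of header.
 * If an unaligned version is needed, we'll go with the naming conventions
 * then.
 */

/* AH header with the replay field: 12 fixed bytes (AH_BASELEN). */
typedef struct ah {
	uint8_t ah_nexthdr;
	uint8_t ah_length;
	uint16_t ah_reserved;
	uint32_t ah_spi;
	uint32_t ah_replay;
} ah_t;

/*
 * AH_TOTAL_LEN(ah) evaluates to (ah_length * 4) + 8: ah_length counts
 * 32-bit words, and the 4-byte ah_replay field is subtracted from the
 * 12-byte base.  With an 8-bit ah_length the result ranges from 8 to 1028.
 *
 * ah_length is taken from the header as-is.  The macro performs no bounds
 * check, so when the header comes from a received packet the result must
 * be validated against the number of bytes actually available before it
 * is used as a read, pull-up or copy length.
 */
#define	AH_BASELEN	12
#define	AH_TOTAL_LEN(ah)	(((ah)->ah_length << 2) + AH_BASELEN - \
					sizeof ((ah)->ah_replay))

/* "Old" AH, without replay.  For 1827-29 compatibility. */

typedef struct ahold {
	uint8_t ah_nexthdr;
	uint8_t ah_length;
	uint16_t ah_reserved;
	uint32_t ah_spi;
} ahold_t;

/*
 * NOTE(review): AHOLD_TOTAL_LEN adds AH_BASELEN (12), not AHOLD_BASELEN
 * (8), although struct ahold is 8 bytes and AHOLD_BASELEN is defined right
 * here and otherwise unused in this header.  If ah_length in the old format
 * counts only the words that follow the fixed header, the result is 4 bytes
 * too large.  Left unchanged; confirm against the callers and the old-AH
 * length semantics before relying on this macro for packet parsing.
 * As with AH_TOTAL_LEN, the result is not bounds-checked.
 */
#define	AHOLD_BASELEN	8
#define	AHOLD_TOTAL_LEN(ah)	(((ah)->ah_length << 2) + AH_BASELEN)

#ifdef	__cplusplus
}
#endif

#endif	/* _INET_IPSECAH_H */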