1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #ifndef _INET_IPSEC_IMPL_H 27 #define _INET_IPSEC_IMPL_H 28 29 #pragma ident "%Z%%M% %I% %E% SMI" 30 31 #ifdef __cplusplus 32 extern "C" { 33 #endif 34 35 #define IPSEC_CONF_SRC_ADDRESS 0 /* Source Address */ 36 #define IPSEC_CONF_SRC_PORT 1 /* Source Port */ 37 #define IPSEC_CONF_DST_ADDRESS 2 /* Dest Address */ 38 #define IPSEC_CONF_DST_PORT 3 /* Dest Port */ 39 #define IPSEC_CONF_SRC_MASK 4 /* Source Address Mask */ 40 #define IPSEC_CONF_DST_MASK 5 /* Destination Address Mask */ 41 #define IPSEC_CONF_ULP 6 /* Upper layer Port */ 42 #define IPSEC_CONF_IPSEC_PROT 7 /* AH or ESP or AH_ESP */ 43 #define IPSEC_CONF_IPSEC_AALGS 8 /* Auth Algorithms - MD5 etc. */ 44 #define IPSEC_CONF_IPSEC_EALGS 9 /* Encr Algorithms - DES etc. */ 45 #define IPSEC_CONF_IPSEC_EAALGS 10 /* Encr Algorithms - MD5 etc. */ 46 #define IPSEC_CONF_IPSEC_SA 11 /* Shared or unique SA */ 47 #define IPSEC_CONF_IPSEC_DIR 12 /* Direction of traffic */ 48 #define IPSEC_CONF_ICMP_TYPE 13 /* ICMP type */ 49 #define IPSEC_CONF_ICMP_CODE 14 /* ICMP code */ 50 51 /* Type of an entry */ 52 53 #define IPSEC_NTYPES 0x02 54 #define IPSEC_TYPE_OUTBOUND 0x00 55 #define IPSEC_TYPE_INBOUND 0x01 56 57 /* Policy */ 58 #define IPSEC_POLICY_APPLY 0x01 59 #define IPSEC_POLICY_DISCARD 0x02 60 #define IPSEC_POLICY_BYPASS 0x03 61 62 /* Shared or unique SA */ 63 #define IPSEC_SHARED_SA 0x01 64 #define IPSEC_UNIQUE_SA 0x02 65 66 /* IPSEC protocols and combinations */ 67 #define IPSEC_AH_ONLY 0x01 68 #define IPSEC_ESP_ONLY 0x02 69 #define IPSEC_AH_ESP 0x03 70 71 #ifdef _KERNEL 72 73 #include <inet/common.h> 74 #include <netinet/ip6.h> 75 #include <netinet/icmp6.h> 76 #include <net/pfkeyv2.h> 77 #include <inet/ip.h> 78 #include <inet/sadb.h> 79 #include <inet/ipsecah.h> 80 #include <inet/ipsecesp.h> 81 #include <sys/crypto/common.h> 82 #include <sys/crypto/api.h> 83 #include <sys/avl.h> 84 85 /* 86 * Maximum number of authentication algorithms (can be indexed by one byte 87 * per PF_KEY and the IKE IPsec DOI. 88 */ 89 #define MAX_AALGS 256 90 91 /* 92 * IPsec task queue constants. 93 */ 94 #define IPSEC_TASKQ_MIN 10 95 #define IPSEC_TASKQ_MAX 20 96 97 /* 98 * So we can access IPsec global variables that live in keysock.c. 99 */ 100 extern boolean_t keysock_extended_reg(void); 101 extern uint32_t keysock_next_seq(void); 102 103 /* 104 * Locking for ipsec policy rules: 105 * 106 * policy heads: system policy is static; per-conn polheads are dynamic, 107 * and refcounted (and inherited); use atomic refcounts and "don't let 108 * go with both hands". 109 * 110 * policy: refcounted; references from polhead, ipsec_out 111 * 112 * actions: refcounted; referenced from: action hash table, policy, ipsec_out 113 * selectors: refcounted; referenced from: selector hash table, policy. 114 */ 115 116 /* 117 * the following are inspired by, but not directly based on, 118 * some of the sys/queue.h type-safe pseudo-polymorphic macros 119 * found in BSD. 120 * 121 * XXX If we use these more generally, we'll have to make the names 122 * less generic (HASH_* will probably clobber other namespaces). 123 */ 124 125 #define HASH_LOCK(table, hash) \ 126 mutex_enter(&(table)[hash].hash_lock) 127 #define HASH_UNLOCK(table, hash) \ 128 mutex_exit(&(table)[hash].hash_lock) 129 130 #define HASH_LOCKED(table, hash) \ 131 MUTEX_HELD(&(table)[hash].hash_lock) 132 133 #define HASH_ITERATE(var, field, table, hash) \ 134 var = table[hash].hash_head; var != NULL; var = var->field.hash_next 135 136 #define HASH_NEXT(var, field) \ 137 (var)->field.hash_next 138 139 #define HASH_INSERT(var, field, table, hash) \ 140 { \ 141 ASSERT(HASH_LOCKED(table, hash)); \ 142 (var)->field.hash_next = (table)[hash].hash_head; \ 143 (var)->field.hash_pp = &(table)[hash].hash_head; \ 144 (table)[hash].hash_head = var; \ 145 if ((var)->field.hash_next != NULL) \ 146 (var)->field.hash_next->field.hash_pp = \ 147 &((var)->field.hash_next); \ 148 } 149 150 151 #define HASH_UNCHAIN(var, field, table, hash) \ 152 { \ 153 ASSERT(MUTEX_HELD(&(table)[hash].hash_lock)); \ 154 HASHLIST_UNCHAIN(var, field); \ 155 } 156 157 #define HASHLIST_INSERT(var, field, head) \ 158 { \ 159 (var)->field.hash_next = head; \ 160 (var)->field.hash_pp = &(head); \ 161 head = var; \ 162 if ((var)->field.hash_next != NULL) \ 163 (var)->field.hash_next->field.hash_pp = \ 164 &((var)->field.hash_next); \ 165 } 166 167 #define HASHLIST_UNCHAIN(var, field) \ 168 { \ 169 *var->field.hash_pp = var->field.hash_next; \ 170 if (var->field.hash_next) \ 171 var->field.hash_next->field.hash_pp = \ 172 var->field.hash_pp; \ 173 HASH_NULL(var, field); \ 174 } 175 176 177 #define HASH_NULL(var, field) \ 178 { \ 179 var->field.hash_next = NULL; \ 180 var->field.hash_pp = NULL; \ 181 } 182 183 #define HASH_LINK(fieldname, type) \ 184 struct { \ 185 type *hash_next; \ 186 type **hash_pp; \ 187 } fieldname 188 189 190 #define HASH_HEAD(tag) \ 191 struct { \ 192 struct tag *hash_head; \ 193 kmutex_t hash_lock; \ 194 } 195 196 typedef struct ipsec_policy_s ipsec_policy_t; 197 198 typedef HASH_HEAD(ipsec_policy_s) ipsec_policy_hash_t; 199 200 /* 201 * When adding new fields to ipsec_prot_t, make sure to update 202 * ipsec_in_to_out_action() as well as other code in spd.c 203 */ 204 205 typedef struct ipsec_prot 206 { 207 unsigned int 208 ipp_use_ah : 1, 209 ipp_use_esp : 1, 210 ipp_use_se : 1, 211 ipp_use_unique : 1, 212 ipp_use_espa : 1, 213 ipp_pad : 27; 214 uint8_t ipp_auth_alg; /* DOI number */ 215 uint8_t ipp_encr_alg; /* DOI number */ 216 uint8_t ipp_esp_auth_alg; /* DOI number */ 217 uint16_t ipp_ah_minbits; /* AH: min keylen */ 218 uint16_t ipp_ah_maxbits; /* AH: max keylen */ 219 uint16_t ipp_espe_minbits; /* ESP encr: min keylen */ 220 uint16_t ipp_espe_maxbits; /* ESP encr: max keylen */ 221 uint16_t ipp_espa_minbits; /* ESP auth: min keylen */ 222 uint16_t ipp_espa_maxbits; /* ESP auth: max keylen */ 223 uint32_t ipp_km_proto; /* key mgmt protocol */ 224 uint32_t ipp_km_cookie; /* key mgmt cookie */ 225 uint32_t ipp_replay_depth; /* replay window */ 226 /* XXX add lifetimes */ 227 } ipsec_prot_t; 228 229 #define IPSEC_MAX_KEYBITS (0xffff) 230 231 /* 232 * An individual policy action, possibly a member of a chain. 233 * 234 * Action chains may be shared between multiple policy rules. 235 * 236 * With one exception (IPSEC_POLICY_LOG), a chain consists of an 237 * ordered list of alternative ways to handle a packet. 238 * 239 * All actions are also "interned" into a hash table (to allow 240 * multiple rules with the same action chain to share one copy in 241 * memory). 242 */ 243 244 typedef struct ipsec_act 245 { 246 uint8_t ipa_type; 247 uint8_t ipa_log; 248 union 249 { 250 ipsec_prot_t ipau_apply; 251 uint8_t ipau_reject_type; 252 uint32_t ipau_resolve_id; /* magic cookie */ 253 uint8_t ipau_log_type; 254 } ipa_u; 255 #define ipa_apply ipa_u.ipau_apply 256 #define ipa_reject_type ipa_u.ipau_reject_type 257 #define ipa_log_type ipa_u.ipau_log_type 258 #define ipa_resolve_type ipa_u.ipau_resolve_type 259 } ipsec_act_t; 260 261 #define IPSEC_ACT_APPLY 0x01 /* match IPSEC_POLICY_APPLY */ 262 #define IPSEC_ACT_DISCARD 0x02 /* match IPSEC_POLICY_DISCARD */ 263 #define IPSEC_ACT_BYPASS 0x03 /* match IPSEC_POLICY_BYPASS */ 264 #define IPSEC_ACT_REJECT 0x04 265 #define IPSEC_ACT_CLEAR 0x05 266 267 typedef struct ipsec_action_s 268 { 269 HASH_LINK(ipa_hash, struct ipsec_action_s); 270 struct ipsec_action_s *ipa_next; /* next alternative */ 271 uint32_t ipa_refs; /* refcount */ 272 ipsec_act_t ipa_act; 273 /* 274 * The following bits are equivalent to an OR of bits included in the 275 * ipau_apply fields of this and subsequent actions in an 276 * action chain; this is an optimization for the sake of 277 * ipsec_out_process() in ip.c and a few other places. 278 */ 279 unsigned int 280 ipa_hval: 8, 281 ipa_allow_clear:1, /* rule allows cleartext? */ 282 ipa_want_ah:1, /* an action wants ah */ 283 ipa_want_esp:1, /* an action wants esp */ 284 ipa_want_se:1, /* an action wants se */ 285 ipa_want_unique:1, /* want unique sa's */ 286 ipa_pad:19; 287 uint32_t ipa_ovhd; /* per-packet encap ovhd */ 288 } ipsec_action_t; 289 290 #define IPACT_REFHOLD(ipa) { \ 291 atomic_add_32(&(ipa)->ipa_refs, 1); \ 292 ASSERT((ipa)->ipa_refs != 0); \ 293 } 294 #define IPACT_REFRELE(ipa) { \ 295 ASSERT((ipa)->ipa_refs != 0); \ 296 membar_exit(); \ 297 if (atomic_add_32_nv(&(ipa)->ipa_refs, -1) == 0) \ 298 ipsec_action_free(ipa); \ 299 (ipa) = 0; \ 300 } 301 302 /* 303 * Merged address structure, for cheezy address-family independant 304 * matches in policy code. 305 */ 306 307 typedef union ipsec_addr 308 { 309 in6_addr_t ipsad_v6; 310 in_addr_t ipsad_v4; 311 } ipsec_addr_t; 312 313 /* 314 * ipsec selector set, as used by the kernel policy structures. 315 * Note that that we specify "local" and "remote" 316 * rather than "source" and "destination", which allows the selectors 317 * for symmetric policy rules to be shared between inbound and 318 * outbound rules. 319 * 320 * "local" means "destination" on inbound, and "source" on outbound. 321 * "remote" means "source" on inbound, and "destination" on outbound. 322 * XXX if we add a fifth policy enforcement point for forwarded packets, 323 * what do we do? 324 * 325 * The ipsl_valid mask is not done as a bitfield; this is so we 326 * can use "ffs()" to find the "most interesting" valid tag. 327 * 328 * XXX should we have multiple types for space-conservation reasons? 329 * (v4 vs v6? prefix vs. range)? 330 */ 331 332 typedef struct ipsec_selkey 333 { 334 uint32_t ipsl_valid; /* bitmask of valid entries */ 335 #define IPSL_REMOTE_ADDR 0x00000001 336 #define IPSL_LOCAL_ADDR 0x00000002 337 #define IPSL_REMOTE_PORT 0x00000004 338 #define IPSL_LOCAL_PORT 0x00000008 339 #define IPSL_PROTOCOL 0x00000010 340 #define IPSL_ICMP_TYPE 0x00000020 341 #define IPSL_ICMP_CODE 0x00000040 342 #define IPSL_IPV6 0x00000080 343 #define IPSL_IPV4 0x00000100 344 345 #define IPSL_WILDCARD 0x0000007f 346 347 ipsec_addr_t ipsl_local; 348 ipsec_addr_t ipsl_remote; 349 uint16_t ipsl_lport; 350 uint16_t ipsl_rport; 351 /* 352 * ICMP type and code selectors. Both have an end value to 353 * specify ranges, or * and *_end are equal for a single 354 * value 355 */ 356 uint8_t ipsl_icmp_type; 357 uint8_t ipsl_icmp_type_end; 358 uint8_t ipsl_icmp_code; 359 uint8_t ipsl_icmp_code_end; 360 361 uint8_t ipsl_proto; /* ip payload type */ 362 uint8_t ipsl_local_pfxlen; /* #bits of prefix */ 363 uint8_t ipsl_remote_pfxlen; /* #bits of prefix */ 364 uint8_t ipsl_mbz; 365 366 uint32_t ipsl_hval; 367 } ipsec_selkey_t; 368 369 typedef struct ipsec_sel 370 { 371 HASH_LINK(ipsl_hash, struct ipsec_sel); 372 uint32_t ipsl_refs; /* # refs to this sel */ 373 ipsec_selkey_t ipsl_key; /* actual selector guts */ 374 } ipsec_sel_t; 375 376 /* 377 * One policy rule. This will be linked into a single hash chain bucket in 378 * the parent rule structure. If the selector is simple enough to 379 * allow hashing, it gets filed under ipsec_policy_root_t->ipr_hash. 380 * Otherwise it goes onto a linked list in ipsec_policy_root_t->ipr_nonhash[af] 381 * 382 * In addition, we file the rule into an avl tree keyed by the rule index. 383 * (Duplicate rules are permitted; the comparison function breaks ties). 384 */ 385 struct ipsec_policy_s 386 { 387 HASH_LINK(ipsp_hash, struct ipsec_policy_s); 388 avl_node_t ipsp_byid; 389 uint64_t ipsp_index; /* unique id */ 390 uint32_t ipsp_prio; /* rule priority */ 391 uint32_t ipsp_refs; 392 ipsec_sel_t *ipsp_sel; /* selector set (shared) */ 393 ipsec_action_t *ipsp_act; /* action (may be shared) */ 394 }; 395 396 #define IPPOL_REFHOLD(ipp) { \ 397 atomic_add_32(&(ipp)->ipsp_refs, 1); \ 398 ASSERT((ipp)->ipsp_refs != 0); \ 399 } 400 #define IPPOL_REFRELE(ipp) { \ 401 ASSERT((ipp)->ipsp_refs != 0); \ 402 membar_exit(); \ 403 if (atomic_add_32_nv(&(ipp)->ipsp_refs, -1) == 0) \ 404 ipsec_policy_free(ipp); \ 405 (ipp) = 0; \ 406 } 407 408 /* 409 * Policy ruleset. One per (protocol * direction) for system policy. 410 */ 411 412 #define IPSEC_AF_V4 0 413 #define IPSEC_AF_V6 1 414 #define IPSEC_NAF 2 415 416 typedef struct ipsec_policy_root_s 417 { 418 ipsec_policy_t *ipr_nonhash[IPSEC_NAF]; 419 int ipr_nchains; 420 ipsec_policy_hash_t *ipr_hash; 421 } ipsec_policy_root_t; 422 423 /* 424 * Policy head. One for system policy; there may also be one present 425 * on ill_t's with interface-specific policy, as well as one present 426 * for sockets with per-socket policy allocated. 427 */ 428 429 typedef struct ipsec_policy_head_s 430 { 431 uint32_t iph_refs; 432 krwlock_t iph_lock; 433 uint64_t iph_gen; /* generation number */ 434 ipsec_policy_root_t iph_root[IPSEC_NTYPES]; 435 avl_tree_t iph_rulebyid; 436 } ipsec_policy_head_t; 437 438 #define IPPH_REFHOLD(iph) { \ 439 atomic_add_32(&(iph)->iph_refs, 1); \ 440 ASSERT((iph)->iph_refs != 0); \ 441 } 442 #define IPPH_REFRELE(iph) { \ 443 ASSERT((iph)->iph_refs != 0); \ 444 membar_exit(); \ 445 if (atomic_add_32_nv(&(iph)->iph_refs, -1) == 0) \ 446 ipsec_polhead_free(iph); \ 447 (iph) = 0; \ 448 } 449 450 /* 451 * Certificate identity. 452 */ 453 454 typedef struct ipsid_s 455 { 456 struct ipsid_s *ipsid_next; 457 struct ipsid_s **ipsid_ptpn; 458 uint32_t ipsid_refcnt; 459 int ipsid_type; /* id type */ 460 char *ipsid_cid; /* certificate id string */ 461 } ipsid_t; 462 463 /* 464 * ipsid_t reference hold/release macros, just like ipsa versions. 465 */ 466 467 #define IPSID_REFHOLD(ipsid) { \ 468 atomic_add_32(&(ipsid)->ipsid_refcnt, 1); \ 469 ASSERT((ipsid)->ipsid_refcnt != 0); \ 470 } 471 472 /* 473 * Decrement the reference count on the ID. Someone else will clean up 474 * after us later. 475 */ 476 477 #define IPSID_REFRELE(ipsid) { \ 478 membar_exit(); \ 479 atomic_add_32(&(ipsid)->ipsid_refcnt, -1); \ 480 } 481 482 extern boolean_t ipsec_inbound_v4_policy_present; 483 extern boolean_t ipsec_outbound_v4_policy_present; 484 extern boolean_t ipsec_inbound_v6_policy_present; 485 extern boolean_t ipsec_outbound_v6_policy_present; 486 487 struct ipsec_out_s; 488 489 /* 490 * Following are the estimates of what the maximum AH and ESP header size 491 * would be. This is used to tell the upper layer the right value of MSS 492 * it should use without consulting AH/ESP. If the size is something 493 * different from this, ULP will learn the right one through 494 * ICMP_FRAGMENTATION_NEEDED messages generated locally. 495 * 496 * AH : 12 bytes of constant header + 12 bytes of ICV checksum (MD5/SHA1). 497 * 498 * ESP : 8 bytes of constant header + 16 bytes of IV + 12 bytes ICV + 499 * 2 bytes of trailer + 15 bytes pad = 53 500 * 501 * Note that for ESP, this estimate is overly pessimistic; however, a 502 * more accurate estimate needs to know the exact amount of space 503 * which will be available to ESP so it can just leave 2 bytes free in 504 * the last cipherblock for the ESP inner trailer, and that 505 * information is not available at the right moment in the current 506 * stack. 507 */ 508 #define IPSEC_MAX_AH_HDR_SIZE (24) 509 #define IPSEC_MAX_ESP_HDR_SIZE (53) 510 511 /* Alternate, when we know the crypto block size */ 512 #define IPSEC_BASE_ESP_HDR_SIZE(sa) (4 + 4 + 12 + 1 + 2 * (sa)->ipsa_iv_len) 513 #define IPSEC_DEF_BLOCKSIZE (8) /* safe default */ 514 515 /* 516 * Loader states.. 517 */ 518 #define IPSEC_LOADER_WAIT 0 519 #define IPSEC_LOADER_FAILED -1 520 #define IPSEC_LOADER_SUCCEEDED 1 521 522 extern kmutex_t ipsec_loader_lock; 523 extern int ipsec_loader_state; 524 525 /* 526 * ipsec_loader entrypoints. 527 */ 528 extern void ipsec_loader_init(void); 529 extern void ipsec_loader_start(void); 530 extern void ipsec_loader_destroy(void); 531 extern void ipsec_loader_loadnow(void); 532 extern boolean_t ipsec_loader_wait(queue_t *q); 533 extern boolean_t ipsec_loaded(void); 534 extern boolean_t ipsec_failed(void); 535 536 /* 537 * callback from ipsec_loader to ip 538 */ 539 extern void ip_ipsec_load_complete(); 540 541 /* 542 * ipsec policy entrypoints (spd.c) 543 */ 544 545 extern void ipsec_policy_destroy(void); 546 extern void ipsec_policy_init(void); 547 extern boolean_t ipsec_inherit_global_policy(conn_t *, ipsec_req_t *, 548 ipsec_selector_t *, boolean_t); 549 extern mblk_t *ipsec_check_global_policy(mblk_t *, conn_t *, ipha_t *, 550 ip6_t *, boolean_t); 551 extern mblk_t *ipsec_check_inbound_policy(mblk_t *, conn_t *, ipha_t *, ip6_t *, 552 boolean_t); 553 554 extern boolean_t ipsec_in_to_out(mblk_t *, ipha_t *, ip6_t *); 555 extern void ipsec_log_policy_failure(queue_t *, int, char *, ipha_t *, 556 ip6_t *, boolean_t); 557 extern boolean_t ipsec_inbound_accept_clear(mblk_t *, ipha_t *, ip6_t *); 558 extern int ipsec_policy_alloc(conn_t *); 559 extern int ipsec_conn_cache_policy(conn_t *, boolean_t); 560 extern mblk_t *ipsec_alloc_ipsec_out(void); 561 extern mblk_t *ipsec_attach_ipsec_out(mblk_t *, conn_t *, ipsec_policy_t *, 562 uint8_t); 563 extern mblk_t *ipsec_init_ipsec_out(mblk_t *, conn_t *, ipsec_policy_t *, 564 uint8_t); 565 struct ipsec_in_s; 566 extern ipsec_action_t *ipsec_in_to_out_action(struct ipsec_in_s *); 567 extern boolean_t ipsec_check_ipsecin_latch(struct ipsec_in_s *, mblk_t *, 568 struct ipsec_latch_s *, ipha_t *, ip6_t *, const char **, kstat_named_t **); 569 extern void ipsec_latch_inbound(ipsec_latch_t *ipl, struct ipsec_in_s *ii); 570 571 extern void ipsec_policy_free(ipsec_policy_t *); 572 extern void ipsec_action_free(ipsec_action_t *); 573 extern void ipsec_polhead_free(ipsec_policy_head_t *); 574 extern ipsec_policy_head_t *ipsec_polhead_split(ipsec_policy_head_t *); 575 extern ipsec_policy_head_t *ipsec_polhead_create(void); 576 extern ipsec_policy_head_t *ipsec_system_policy(void); 577 extern ipsec_policy_head_t *ipsec_inactive_policy(void); 578 extern void ipsec_swap_policy(void); 579 580 extern int ipsec_clone_system_policy(void); 581 extern ipsec_policy_t *ipsec_policy_create(ipsec_selkey_t *, 582 const ipsec_act_t *, int, int); 583 extern boolean_t ipsec_policy_delete(ipsec_policy_head_t *, 584 ipsec_selkey_t *, int); 585 extern int ipsec_policy_delete_index(ipsec_policy_head_t *, uint64_t); 586 extern void ipsec_polhead_flush(ipsec_policy_head_t *); 587 extern void ipsec_actvec_from_req(ipsec_req_t *, ipsec_act_t **, uint_t *); 588 extern void ipsec_actvec_free(ipsec_act_t *, uint_t); 589 extern mblk_t *ipsec_construct_inverse_acquire(sadb_msg_t *, sadb_ext_t **); 590 extern mblk_t *ip_wput_attach_policy(mblk_t *, ipha_t *, ip6_t *, ire_t *, 591 conn_t *, boolean_t, zoneid_t); 592 extern mblk_t *ip_wput_ire_parse_ipsec_out(mblk_t *, ipha_t *, ip6_t *, 593 ire_t *, conn_t *, boolean_t, zoneid_t); 594 extern ipsec_policy_t *ipsec_find_policy(int, conn_t *, 595 struct ipsec_out_s *, ipsec_selector_t *); 596 extern ipsid_t *ipsid_lookup(int, char *); 597 extern boolean_t ipsid_equal(ipsid_t *, ipsid_t *); 598 extern void ipsid_gc(void); 599 extern void ipsec_latch_ids(ipsec_latch_t *, ipsid_t *, ipsid_t *); 600 601 extern void ipsec_config_flush(void); 602 extern boolean_t ipsec_check_policy(ipsec_policy_head_t *, ipsec_policy_t *, 603 int); 604 extern void ipsec_enter_policy(ipsec_policy_head_t *, ipsec_policy_t *, int); 605 extern boolean_t ipsec_check_action(ipsec_act_t *, int *); 606 607 extern void ipsec_config_list_compat(queue_t *, mblk_t *); 608 extern int ipsec_config_add_compat(mblk_t *); 609 extern int ipsec_config_delete_compat(mblk_t *); 610 611 extern mblk_t *ipsec_out_tag(mblk_t *, mblk_t *); 612 extern mblk_t *ipsec_in_tag(mblk_t *, mblk_t *); 613 extern mblk_t *ip_copymsg(mblk_t *mp); 614 615 extern void iplatch_free(ipsec_latch_t *); 616 extern ipsec_latch_t *iplatch_create(void); 617 extern int ipsec_set_req(cred_t *, conn_t *, ipsec_req_t *); 618 619 extern void ipsec_insert_always(avl_tree_t *tree, void *new_node); 620 621 /* 622 * IPsec AH/ESP functions called from IP. 623 */ 624 625 extern void ipsecah_in_assocfailure(mblk_t *, char, ushort_t, char *, 626 uint32_t, void *, int); 627 extern void ipsecesp_in_assocfailure(mblk_t *, char, ushort_t, char *, 628 uint32_t, void *, int); 629 630 /* 631 * Algorithm management helper functions. 632 */ 633 extern boolean_t ipsec_valid_key_size(uint16_t, ipsec_alginfo_t *); 634 635 /* 636 * Per-socket policy, for now, takes precedence... this priority value 637 * insures it. 638 */ 639 #define IPSEC_PRIO_SOCKET 0x1000000 640 641 /* DDI initialization functions. */ 642 extern boolean_t ipsecesp_ddi_init(void); 643 extern boolean_t ipsecah_ddi_init(void); 644 extern boolean_t keysock_ddi_init(void); 645 extern boolean_t spdsock_ddi_init(void); 646 647 extern void ipsecesp_ddi_destroy(void); 648 extern void ipsecah_ddi_destroy(void); 649 extern void keysock_ddi_destroy(void); 650 extern void spdsock_ddi_destroy(void); 651 652 /* 653 * AH- and ESP-specific functions that are called directly by other modules. 654 */ 655 extern void ipsecah_fill_defs(struct sadb_x_ecomb *); 656 extern void ipsecesp_fill_defs(struct sadb_x_ecomb *); 657 extern void ipsecah_algs_changed(void); 658 extern void ipsecesp_algs_changed(void); 659 extern void ipsecesp_init_funcs(ipsa_t *); 660 extern void ipsecah_init_funcs(ipsa_t *); 661 extern ipsec_status_t ipsecah_icmp_error(mblk_t *); 662 extern ipsec_status_t ipsecesp_icmp_error(mblk_t *); 663 664 /* 665 * Wrapper for putnext() to ipsec accelerated interface. 666 */ 667 extern void ipsec_hw_putnext(queue_t *, mblk_t *); 668 669 /* 670 * spdsock functions that are called directly by IP. 671 */ 672 extern void spdsock_update_pending_algs(void); 673 674 /* 675 * IP functions that are called from AH and ESP. 676 */ 677 extern boolean_t ipsec_outbound_sa(mblk_t *, uint_t); 678 extern esph_t *ipsec_inbound_esp_sa(mblk_t *); 679 extern ah_t *ipsec_inbound_ah_sa(mblk_t *); 680 681 /* 682 * NAT-Traversal cleanup 683 */ 684 extern void nattymod_clean_ipif(ipif_t *); 685 686 /* 687 * AH and ESP counters types. 688 */ 689 typedef uint32_t ah_counter; 690 typedef uint32_t esp_counter; 691 692 #endif /* _KERNEL */ 693 694 #ifdef __cplusplus 695 } 696 #endif 697 698 #endif /* _INET_IPSEC_IMPL_H */ 699