1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2004 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #ifndef _INET_IPSEC_IMPL_H 28 #define _INET_IPSEC_IMPL_H 29 30 #pragma ident "%Z%%M% %I% %E% SMI" 31 32 #ifdef __cplusplus 33 extern "C" { 34 #endif 35 36 #define IPSEC_CONF_SRC_ADDRESS 0 /* Source Address */ 37 #define IPSEC_CONF_SRC_PORT 1 /* Source Port */ 38 #define IPSEC_CONF_DST_ADDRESS 2 /* Dest Address */ 39 #define IPSEC_CONF_DST_PORT 3 /* Dest Port */ 40 #define IPSEC_CONF_SRC_MASK 4 /* Source Address Mask */ 41 #define IPSEC_CONF_DST_MASK 5 /* Destination Address Mask */ 42 #define IPSEC_CONF_ULP 6 /* Upper layer Port */ 43 #define IPSEC_CONF_IPSEC_PROT 7 /* AH or ESP or AH_ESP */ 44 #define IPSEC_CONF_IPSEC_AALGS 8 /* Auth Algorithms - MD5 etc. */ 45 #define IPSEC_CONF_IPSEC_EALGS 9 /* Encr Algorithms - DES etc. */ 46 #define IPSEC_CONF_IPSEC_EAALGS 10 /* Encr Algorithms - MD5 etc. */ 47 #define IPSEC_CONF_IPSEC_SA 11 /* Shared or unique SA */ 48 #define IPSEC_CONF_IPSEC_DIR 12 /* Direction of traffic */ 49 #define IPSEC_CONF_ICMP_TYPE 13 /* ICMP type */ 50 #define IPSEC_CONF_ICMP_CODE 14 /* ICMP code */ 51 52 /* Type of an entry */ 53 54 #define IPSEC_NTYPES 0x02 55 #define IPSEC_TYPE_OUTBOUND 0x00 56 #define IPSEC_TYPE_INBOUND 0x01 57 58 /* Policy */ 59 #define IPSEC_POLICY_APPLY 0x01 60 #define IPSEC_POLICY_DISCARD 0x02 61 #define IPSEC_POLICY_BYPASS 0x03 62 63 /* Shared or unique SA */ 64 #define IPSEC_SHARED_SA 0x01 65 #define IPSEC_UNIQUE_SA 0x02 66 67 /* IPSEC protocols and combinations */ 68 #define IPSEC_AH_ONLY 0x01 69 #define IPSEC_ESP_ONLY 0x02 70 #define IPSEC_AH_ESP 0x03 71 72 #ifdef _KERNEL 73 74 #include <inet/common.h> 75 #include <netinet/ip6.h> 76 #include <netinet/icmp6.h> 77 #include <net/pfkeyv2.h> 78 #include <inet/ip.h> 79 #include <inet/sadb.h> 80 #include <inet/ipsecah.h> 81 #include <inet/ipsecesp.h> 82 #include <sys/crypto/common.h> 83 #include <sys/crypto/api.h> 84 85 /* 86 * Maximum number of authentication algorithms (can be indexed by one byte 87 * per PF_KEY and the IKE IPsec DOI. 88 */ 89 #define MAX_AALGS 256 90 91 /* 92 * IPsec task queue constants. 93 */ 94 #define IPSEC_TASKQ_MIN 10 95 #define IPSEC_TASKQ_MAX 20 96 97 /* 98 * So we can access IPsec global variables that live in keysock.c. 99 */ 100 extern boolean_t keysock_extended_reg(void); 101 extern uint32_t keysock_next_seq(void); 102 103 /* 104 * Locking for ipsec policy rules: 105 * 106 * policy heads: system policy is static; per-conn polheads are dynamic, 107 * and refcounted (and inherited); use atomic refcounts and "don't let 108 * go with both hands". 109 * 110 * policy: refcounted; references from polhead, ipsec_out 111 * 112 * actions: refcounted; referenced from: action hash table, policy, ipsec_out 113 * selectors: refcounted; referenced from: selector hash table, policy. 114 */ 115 116 /* 117 * the following are inspired by, but not directly based on, 118 * some of the sys/queue.h type-safe pseudo-polymorphic macros 119 * found in BSD. 120 * 121 * XXX If we use these more generally, we'll have to make the names 122 * less generic (HASH_* will probably clobber other namespaces). 123 */ 124 125 #define HASH_LOCK(table, hash) \ 126 mutex_enter(&(table)[hash].hash_lock) 127 #define HASH_UNLOCK(table, hash) \ 128 mutex_exit(&(table)[hash].hash_lock) 129 130 #define HASH_LOCKED(table, hash) \ 131 MUTEX_HELD(&(table)[hash].hash_lock) 132 133 #define HASH_ITERATE(var, field, table, hash) \ 134 var = table[hash].hash_head; var != NULL; var = var->field.hash_next 135 136 #define HASH_NEXT(var, field) \ 137 (var)->field.hash_next 138 139 #define HASH_INSERT(var, field, table, hash) \ 140 { \ 141 ASSERT(HASH_LOCKED(table, hash)); \ 142 (var)->field.hash_next = (table)[hash].hash_head; \ 143 (var)->field.hash_pp = &(table)[hash].hash_head; \ 144 (table)[hash].hash_head = var; \ 145 if ((var)->field.hash_next != NULL) \ 146 (var)->field.hash_next->field.hash_pp = \ 147 &((var)->field.hash_next); \ 148 } 149 150 #define HASH_UNCHAIN(var, field, table, hash) \ 151 { \ 152 ASSERT(MUTEX_HELD(&(table)[hash].hash_lock)); \ 153 *var->field.hash_pp = var->field.hash_next; \ 154 if (var->field.hash_next) \ 155 var->field.hash_next->field.hash_pp = \ 156 var->field.hash_pp; \ 157 var->field.hash_next = NULL; \ 158 var->field.hash_pp = NULL; \ 159 } 160 161 #define HASH_LINK(fieldname, type) \ 162 struct { \ 163 type *hash_next; \ 164 type **hash_pp; \ 165 } fieldname 166 167 168 #define HASH_HEAD(tag) \ 169 struct { \ 170 struct tag *hash_head; \ 171 kmutex_t hash_lock; \ 172 } 173 174 typedef struct ipsec_policy_s ipsec_policy_t; 175 176 /* 177 * When adding new fields to ipsec_prot_t, make sure to update 178 * ipsec_in_to_out_action() as well as other code in spd.c 179 */ 180 181 typedef struct ipsec_prot 182 { 183 unsigned int 184 ipp_use_ah : 1, 185 ipp_use_esp : 1, 186 ipp_use_se : 1, 187 ipp_use_unique : 1, 188 ipp_use_espa : 1, 189 ipp_pad : 27; 190 uint8_t ipp_auth_alg; /* DOI number */ 191 uint8_t ipp_encr_alg; /* DOI number */ 192 uint8_t ipp_esp_auth_alg; /* DOI number */ 193 uint16_t ipp_ah_minbits; /* AH: min keylen */ 194 uint16_t ipp_ah_maxbits; /* AH: max keylen */ 195 uint16_t ipp_espe_minbits; /* ESP encr: min keylen */ 196 uint16_t ipp_espe_maxbits; /* ESP encr: max keylen */ 197 uint16_t ipp_espa_minbits; /* ESP auth: min keylen */ 198 uint16_t ipp_espa_maxbits; /* ESP auth: max keylen */ 199 uint32_t ipp_km_proto; /* key mgmt protocol */ 200 uint32_t ipp_km_cookie; /* key mgmt cookie */ 201 uint32_t ipp_replay_depth; /* replay window */ 202 /* XXX add lifetimes */ 203 } ipsec_prot_t; 204 205 #define IPSEC_MAX_KEYBITS (0xffff) 206 207 /* 208 * An individual policy action, possibly a member of a chain. 209 * 210 * Rule chains may be shared between multiple policy rules. 211 * 212 * With one exception (IPSEC_POLICY_LOG), a chain consists of an 213 * ordered list of alternative ways to handle a packet. 214 * 215 * All actions are also "interned" into a hash table (to allow 216 * multiple rules with the same action chain to share one copy in 217 * memory). 218 */ 219 220 typedef struct ipsec_act 221 { 222 uint8_t ipa_type; 223 uint8_t ipa_log; 224 union 225 { 226 ipsec_prot_t ipau_apply; 227 uint8_t ipau_reject_type; 228 uint32_t ipau_resolve_id; /* magic cookie */ 229 uint8_t ipau_log_type; 230 } ipa_u; 231 #define ipa_apply ipa_u.ipau_apply 232 #define ipa_reject_type ipa_u.ipau_reject_type 233 #define ipa_log_type ipa_u.ipau_log_type 234 #define ipa_resolve_type ipa_u.ipau_resolve_type 235 } ipsec_act_t; 236 237 #define IPSEC_ACT_APPLY 0x01 /* match IPSEC_POLICY_APPLY */ 238 #define IPSEC_ACT_DISCARD 0x02 /* match IPSEC_POLICY_DISCARD */ 239 #define IPSEC_ACT_BYPASS 0x03 /* match IPSEC_POLICY_BYPASS */ 240 #define IPSEC_ACT_REJECT 0x04 241 #define IPSEC_ACT_CLEAR 0x05 242 243 typedef struct ipsec_action_s 244 { 245 HASH_LINK(ipa_hash, struct ipsec_action_s); 246 struct ipsec_action_s *ipa_next; /* next alternative */ 247 uint32_t ipa_refs; /* refcount */ 248 ipsec_act_t ipa_act; 249 /* 250 * The following bits are equivalent to an OR of bits included in the 251 * ipau_apply fields of this and subsequent actions in an 252 * action chain; this is an optimization for the sake of 253 * ipsec_out_process() in ip.c and a few other places. 254 */ 255 unsigned int 256 ipa_hval: 8, 257 ipa_allow_clear:1, /* rule allows cleartext? */ 258 ipa_want_ah:1, /* an action wants ah */ 259 ipa_want_esp:1, /* an action wants esp */ 260 ipa_want_se:1, /* an action wants se */ 261 ipa_want_unique:1, /* want unique sa's */ 262 ipa_pad:19; 263 uint32_t ipa_ovhd; /* per-packet encap ovhd */ 264 } ipsec_action_t; 265 266 #define IPACT_REFHOLD(ipa) { \ 267 atomic_add_32(&(ipa)->ipa_refs, 1); \ 268 ASSERT((ipa)->ipa_refs != 0); \ 269 } 270 #define IPACT_REFRELE(ipa) { \ 271 ASSERT((ipa)->ipa_refs != 0); \ 272 membar_exit(); \ 273 if (atomic_add_32_nv(&(ipa)->ipa_refs, -1) == 0) \ 274 ipsec_action_free(ipa); \ 275 (ipa) = 0; \ 276 } 277 278 /* 279 * Merged address structure, for cheezy address-family independant 280 * matches in policy code. 281 */ 282 283 typedef union ipsec_addr 284 { 285 in6_addr_t ipsad_v6; 286 in_addr_t ipsad_v4; 287 } ipsec_addr_t; 288 289 /* 290 * ipsec selector set, as used by the kernel policy structures. 291 * Note that that we specify "local" and "remote" 292 * rather than "source" and "destination", which allows the selectors 293 * for symmetric policy rules to be shared between inbound and 294 * outbound rules. 295 * 296 * "local" means "destination" on inbound, and "source" on outbound. 297 * "remote" means "source" on inbound, and "destination" on outbound. 298 * XXX if we add a fifth policy enforcement point for forwarded packets, 299 * what do we do? 300 * 301 * The ipsl_valid mask is not done as a bitfield; this is so we 302 * can use "ffs()" to find the "most interesting" valid tag. 303 * 304 * XXX should we have multiple types for space-conservation reasons? 305 * (v4 vs v6? prefix vs. range)? 306 */ 307 308 typedef struct ipsec_selkey 309 { 310 uint32_t ipsl_valid; /* bitmask of valid entries */ 311 #define IPSL_REMOTE_ADDR 0x00000001 312 #define IPSL_LOCAL_ADDR 0x00000002 313 #define IPSL_REMOTE_PORT 0x00000004 314 #define IPSL_LOCAL_PORT 0x00000008 315 #define IPSL_PROTOCOL 0x00000010 316 #define IPSL_ICMP_TYPE 0x00000020 317 #define IPSL_ICMP_CODE 0x00000040 318 #define IPSL_IPV6 0x00000080 319 #define IPSL_IPV4 0x00000100 320 321 #define IPSL_WILDCARD 0x0000007f 322 323 ipsec_addr_t ipsl_local; 324 ipsec_addr_t ipsl_remote; 325 uint16_t ipsl_lport; 326 uint16_t ipsl_rport; 327 /* 328 * ICMP type and code selectors. Both have an end value to 329 * specify ranges, or * and *_end are equal for a single 330 * value 331 */ 332 uint8_t ipsl_icmp_type; 333 uint8_t ipsl_icmp_type_end; 334 uint8_t ipsl_icmp_code; 335 uint8_t ipsl_icmp_code_end; 336 uint8_t ipsl_proto; /* ip payload type */ 337 uint8_t ipsl_local_pfxlen; /* #bits of prefix */ 338 uint8_t ipsl_remote_pfxlen; /* #bits of prefix */ 339 uint8_t ipsl_mbz; 340 } ipsec_selkey_t; 341 342 #define ipsl_hval ipsl_mbz /* space-conservation */ 343 344 typedef struct ipsec_sel 345 { 346 HASH_LINK(ipsl_hash, struct ipsec_sel); 347 uint32_t ipsl_refs; /* # refs to this sel */ 348 ipsec_selkey_t ipsl_key; /* actual selector guts */ 349 } ipsec_sel_t; 350 351 /* 352 * "Tree" linkage. 353 * 354 * XXX use singly-linked list for now, until we have a classifier.. 355 */ 356 typedef struct ipsec_tree_link 357 { 358 ipsec_policy_t *itl_next; /* next one in list.. */ 359 } ipsec_tree_link_t; 360 361 /* 362 * One policy rule. 363 */ 364 struct ipsec_policy_s 365 { 366 ipsec_tree_link_t ipsp_links; /* protected by iph_lock */ 367 uint64_t ipsp_index; /* unique id */ 368 uint32_t ipsp_prio; /* rule priority */ 369 uint32_t ipsp_refs; 370 ipsec_sel_t *ipsp_sel; /* selector set (shared) */ 371 ipsec_action_t *ipsp_act; /* action (may be shared) */ 372 }; 373 374 #define IPPOL_REFHOLD(ipp) { \ 375 atomic_add_32(&(ipp)->ipsp_refs, 1); \ 376 ASSERT((ipp)->ipsp_refs != 0); \ 377 } 378 #define IPPOL_REFRELE(ipp) { \ 379 ASSERT((ipp)->ipsp_refs != 0); \ 380 membar_exit(); \ 381 if (atomic_add_32_nv(&(ipp)->ipsp_refs, -1) == 0) \ 382 ipsec_policy_free(ipp); \ 383 (ipp) = 0; \ 384 } 385 386 /* 387 * Policy ruleset. One per (protocol * direction) for system policy. 388 */ 389 390 #define IPSEC_AF_V4 0 391 #define IPSEC_AF_V6 1 392 #define IPSEC_NAF 2 393 394 typedef struct ipsec_policy_root_s 395 { 396 ipsec_policy_t *ipr[IPSEC_NAF]; 397 } ipsec_policy_root_t; 398 399 /* 400 * Policy head. One for system policy; there may also be one present 401 * on ill_t's with interface-specific policy, as well as one present 402 * for sockets with per-socket policy allocated. 403 */ 404 405 typedef struct ipsec_policy_head_s 406 { 407 uint32_t iph_refs; 408 krwlock_t iph_lock; 409 uint64_t iph_gen; /* generation number */ 410 ipsec_policy_root_t iph_root[IPSEC_NTYPES]; 411 } ipsec_policy_head_t; 412 413 #define IPPH_REFHOLD(iph) { \ 414 atomic_add_32(&(iph)->iph_refs, 1); \ 415 ASSERT((iph)->iph_refs != 0); \ 416 } 417 #define IPPH_REFRELE(iph) { \ 418 ASSERT((iph)->iph_refs != 0); \ 419 membar_exit(); \ 420 if (atomic_add_32_nv(&(iph)->iph_refs, -1) == 0) \ 421 ipsec_polhead_free(iph); \ 422 (iph) = 0; \ 423 } 424 425 /* 426 * Certificate identity. 427 */ 428 429 typedef struct ipsid_s 430 { 431 struct ipsid_s *ipsid_next; 432 struct ipsid_s **ipsid_ptpn; 433 uint32_t ipsid_refcnt; 434 int ipsid_type; /* id type */ 435 char *ipsid_cid; /* certificate id string */ 436 } ipsid_t; 437 438 /* 439 * ipsid_t reference hold/release macros, just like ipsa versions. 440 */ 441 442 #define IPSID_REFHOLD(ipsid) { \ 443 atomic_add_32(&(ipsid)->ipsid_refcnt, 1); \ 444 ASSERT((ipsid)->ipsid_refcnt != 0); \ 445 } 446 447 /* 448 * Decrement the reference count on the ID. Someone else will clean up 449 * after us later. 450 */ 451 452 #define IPSID_REFRELE(ipsid) { \ 453 membar_exit(); \ 454 atomic_add_32(&(ipsid)->ipsid_refcnt, -1); \ 455 } 456 457 extern boolean_t ipsec_inbound_v4_policy_present; 458 extern boolean_t ipsec_outbound_v4_policy_present; 459 extern boolean_t ipsec_inbound_v6_policy_present; 460 extern boolean_t ipsec_outbound_v6_policy_present; 461 462 struct ipsec_out_s; 463 464 /* 465 * Following are the estimates of what the maximum AH and ESP header size 466 * would be. This is used to tell the upper layer the right value of MSS 467 * it should use without consulting AH/ESP. If the size is something 468 * different from this, ULP will learn the right one through 469 * ICMP_FRAGMENTATION_NEEDED messages generated locally. 470 * 471 * AH : 12 bytes of constant header + 12 bytes of ICV checksum (MD5/SHA1). 472 * 473 * ESP : 8 bytes of constant header + 16 bytes of IV + 12 bytes ICV + 474 * 2 bytes of trailer + 15 bytes pad = 53 475 * 476 * Note that for ESP, this estimate is overly pessimistic; however, a 477 * more accurate estimate needs to know the exact amount of space 478 * which will be available to ESP so it can just leave 2 bytes free in 479 * the last cipherblock for the ESP inner trailer, and that 480 * information is not available at the right moment in the current 481 * stack. 482 */ 483 #define IPSEC_MAX_AH_HDR_SIZE (24) 484 #define IPSEC_MAX_ESP_HDR_SIZE (53) 485 486 /* Alternate, when we know the crypto block size */ 487 #define IPSEC_BASE_ESP_HDR_SIZE(sa) (4 + 4 + 12 + 1 + 2 * (sa)->ipsa_iv_len) 488 #define IPSEC_DEF_BLOCKSIZE (8) /* safe default */ 489 490 /* 491 * Loader states.. 492 */ 493 #define IPSEC_LOADER_WAIT 0 494 #define IPSEC_LOADER_FAILED -1 495 #define IPSEC_LOADER_SUCCEEDED 1 496 497 extern kmutex_t ipsec_loader_lock; 498 extern int ipsec_loader_state; 499 500 /* 501 * ipsec_loader entrypoints. 502 */ 503 extern void ipsec_loader_init(void); 504 extern void ipsec_loader_start(void); 505 extern void ipsec_loader_destroy(void); 506 extern void ipsec_loader_loadnow(void); 507 extern boolean_t ipsec_loader_wait(queue_t *q); 508 extern boolean_t ipsec_loaded(void); 509 extern boolean_t ipsec_failed(void); 510 511 /* 512 * callback from ipsec_loader to ip 513 */ 514 extern void ip_ipsec_load_complete(); 515 516 /* 517 * ipsec policy entrypoints (spd.c) 518 */ 519 520 extern void ipsec_policy_destroy(void); 521 extern void ipsec_policy_init(void); 522 extern boolean_t ipsec_inherit_global_policy(conn_t *, ipsec_req_t *, 523 ipsec_selector_t *, boolean_t); 524 extern mblk_t *ipsec_check_global_policy(mblk_t *, conn_t *, ipha_t *, 525 ip6_t *, boolean_t); 526 extern mblk_t *ipsec_check_inbound_policy(mblk_t *, conn_t *, ipha_t *, ip6_t *, 527 boolean_t); 528 529 extern boolean_t ipsec_in_to_out(mblk_t *, ipha_t *, ip6_t *); 530 extern void ipsec_log_policy_failure(queue_t *, int, char *, ipha_t *, 531 ip6_t *, boolean_t); 532 extern boolean_t ipsec_inbound_accept_clear(mblk_t *, ipha_t *, ip6_t *); 533 extern int ipsec_policy_alloc(conn_t *); 534 extern int ipsec_conn_cache_policy(conn_t *, boolean_t); 535 extern mblk_t *ipsec_alloc_ipsec_out(void); 536 extern mblk_t *ipsec_attach_ipsec_out(mblk_t *, conn_t *, ipsec_policy_t *, 537 uint8_t); 538 extern mblk_t *ipsec_init_ipsec_out(mblk_t *, conn_t *, ipsec_policy_t *, 539 uint8_t); 540 struct ipsec_in_s; 541 extern ipsec_action_t *ipsec_in_to_out_action(struct ipsec_in_s *); 542 extern boolean_t ipsec_check_ipsecin_latch(struct ipsec_in_s *, mblk_t *, 543 struct ipsec_latch_s *, ipha_t *, ip6_t *, const char **, kstat_named_t **); 544 extern void ipsec_latch_inbound(ipsec_latch_t *ipl, struct ipsec_in_s *ii); 545 546 extern void ipsec_policy_free(ipsec_policy_t *); 547 extern void ipsec_action_free(ipsec_action_t *); 548 extern void ipsec_polhead_free(ipsec_policy_head_t *); 549 extern ipsec_policy_head_t *ipsec_polhead_split(ipsec_policy_head_t *); 550 extern ipsec_policy_head_t *ipsec_polhead_create(void); 551 extern ipsec_policy_head_t *ipsec_system_policy(void); 552 extern ipsec_policy_head_t *ipsec_inactive_policy(void); 553 extern void ipsec_swap_policy(void); 554 555 extern int ipsec_clone_system_policy(void); 556 extern ipsec_policy_t *ipsec_policy_create(const ipsec_selkey_t *, 557 const ipsec_act_t *, int, int); 558 extern boolean_t ipsec_policy_delete(ipsec_policy_head_t *, 559 const ipsec_selkey_t *, int); 560 extern int ipsec_policy_delete_index(ipsec_policy_head_t *, uint64_t); 561 extern void ipsec_polhead_flush(ipsec_policy_head_t *); 562 extern void ipsec_actvec_from_req(ipsec_req_t *, ipsec_act_t **, uint_t *); 563 extern void ipsec_actvec_free(ipsec_act_t *, uint_t); 564 extern mblk_t *ipsec_construct_inverse_acquire(sadb_msg_t *, sadb_ext_t **); 565 extern mblk_t *ip_wput_attach_policy(mblk_t *, ipha_t *, ip6_t *, ire_t *, 566 conn_t *, boolean_t); 567 extern mblk_t *ip_wput_ire_parse_ipsec_out(mblk_t *, ipha_t *, ip6_t *, 568 ire_t *, conn_t *, boolean_t); 569 extern ipsec_policy_t *ipsec_find_policy(int, conn_t *, 570 struct ipsec_out_s *, ipsec_selector_t *); 571 extern ipsid_t *ipsid_lookup(int, char *); 572 extern boolean_t ipsid_equal(ipsid_t *, ipsid_t *); 573 extern void ipsid_gc(void); 574 extern void ipsec_latch_ids(ipsec_latch_t *, ipsid_t *, ipsid_t *); 575 576 extern void ipsec_config_flush(void); 577 extern boolean_t ipsec_check_policy(ipsec_policy_head_t *, ipsec_policy_t *, 578 int); 579 extern void ipsec_enter_policy(ipsec_policy_head_t *, ipsec_policy_t *, int); 580 extern boolean_t ipsec_check_action(ipsec_act_t *, int *); 581 582 extern void ipsec_config_list_compat(queue_t *, mblk_t *); 583 extern int ipsec_config_add_compat(mblk_t *); 584 extern int ipsec_config_delete_compat(mblk_t *); 585 586 extern mblk_t *ipsec_out_tag(mblk_t *, mblk_t *); 587 extern mblk_t *ipsec_in_tag(mblk_t *, mblk_t *); 588 extern mblk_t *ip_copymsg(mblk_t *mp); 589 590 extern void iplatch_free(ipsec_latch_t *); 591 extern ipsec_latch_t *iplatch_create(void); 592 extern int ipsec_set_req(cred_t *, conn_t *, ipsec_req_t *); 593 594 /* 595 * IPsec AH/ESP functions called from IP. 596 */ 597 598 extern void ipsecah_rl_strlog(char, ushort_t, char *, ...); 599 extern void ipsecah_in_assocfailure(mblk_t *, char, ushort_t, char *, 600 uint32_t, void *, int); 601 extern void ipsecesp_in_assocfailure(mblk_t *, char, ushort_t, char *, 602 uint32_t, void *, int); 603 604 /* 605 * Algorithm management helper functions. 606 */ 607 extern boolean_t ipsec_valid_key_size(uint16_t, ipsec_alginfo_t *); 608 609 /* 610 * Per-socket policy, for now, takes precedence... this priority value 611 * insures it. 612 */ 613 #define IPSEC_PRIO_SOCKET 0x1000000 614 615 /* DDI initialization functions. */ 616 extern boolean_t ipsecesp_ddi_init(void); 617 extern boolean_t ipsecah_ddi_init(void); 618 extern boolean_t keysock_ddi_init(void); 619 extern boolean_t spdsock_ddi_init(void); 620 621 extern void ipsecesp_ddi_destroy(void); 622 extern void ipsecah_ddi_destroy(void); 623 extern void keysock_ddi_destroy(void); 624 extern void spdsock_ddi_destroy(void); 625 626 /* 627 * AH- and ESP-specific functions that are called directly by other modules. 628 */ 629 extern void ipsecah_fill_defs(struct sadb_x_ecomb *); 630 extern void ipsecesp_fill_defs(struct sadb_x_ecomb *); 631 extern void ipsecah_algs_changed(void); 632 extern void ipsecesp_algs_changed(void); 633 extern void ipsecesp_init_funcs(ipsa_t *); 634 extern void ipsecah_init_funcs(ipsa_t *); 635 extern ipsec_status_t ipsecah_icmp_error(mblk_t *); 636 extern ipsec_status_t ipsecesp_icmp_error(mblk_t *); 637 638 /* 639 * Wrapper for putnext() to ipsec accelerated interface. 640 */ 641 extern void ipsec_hw_putnext(queue_t *, mblk_t *); 642 643 /* 644 * spdsock functions that are called directly by IP. 645 */ 646 extern void spdsock_update_pending_algs(void); 647 648 /* 649 * IP functions that are called from AH and ESP. 650 */ 651 extern boolean_t ipsec_outbound_sa(mblk_t *, uint_t); 652 extern esph_t *ipsec_inbound_esp_sa(mblk_t *); 653 extern ah_t *ipsec_inbound_ah_sa(mblk_t *); 654 655 /* 656 * NAT-Traversal cleanup 657 */ 658 extern void nattymod_clean_ipif(ipif_t *); 659 660 /* 661 * AH and ESP counters types. 662 */ 663 typedef uint32_t ah_counter; 664 typedef uint32_t esp_counter; 665 666 #endif /* _KERNEL */ 667 668 #ifdef __cplusplus 669 } 670 #endif 671 672 #endif /* _INET_IPSEC_IMPL_H */ 673