1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2004 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #ifndef _INET_SADB_H 28 #define _INET_SADB_H 29 30 #pragma ident "%Z%%M% %I% %E% SMI" 31 32 #ifdef __cplusplus 33 extern "C" { 34 #endif 35 36 #include <inet/ipsec_info.h> 37 #include <sys/crypto/common.h> 38 #include <sys/crypto/api.h> 39 40 #define IPSA_MAX_ADDRLEN 4 /* Max address len. (in 32-bits) for an SA. */ 41 42 /* 43 * Return codes of IPsec processing functions. 44 */ 45 typedef enum { 46 IPSEC_STATUS_SUCCESS = 1, 47 IPSEC_STATUS_FAILED = 2, 48 IPSEC_STATUS_PENDING = 3 49 } ipsec_status_t; 50 51 /* 52 * IP security association. Synchronization assumes 32-bit loads, so 53 * the 64-bit quantities can't even be be read w/o locking it down! 54 */ 55 56 /* keying info */ 57 typedef struct ipsa_key_s { 58 void *sak_key; /* Algorithm key. */ 59 uint_t sak_keylen; /* Algorithm key length (in bytes). */ 60 uint_t sak_keybits; /* Algorithm key length (in bits) */ 61 uint_t sak_algid; /* Algorithm ID number. */ 62 } ipsa_key_t; 63 64 /* the security association */ 65 typedef struct ipsa_s { 66 struct ipsa_s *ipsa_next; /* Next in hash bucket */ 67 struct ipsa_s **ipsa_ptpn; /* Pointer to previous next pointer. */ 68 kmutex_t *ipsa_linklock; /* Pointer to hash-chain lock. */ 69 void (*ipsa_freefunc)(struct ipsa_s *); /* freeassoc function */ 70 /* 71 * NOTE: I may need more pointers, depending on future SA 72 * requirements. 73 */ 74 ipsa_key_t ipsa_authkeydata; 75 #define ipsa_authkey ipsa_authkeydata.sak_key 76 #define ipsa_authkeylen ipsa_authkeydata.sak_keylen 77 #define ipsa_authkeybits ipsa_authkeydata.sak_keybits 78 #define ipsa_auth_alg ipsa_authkeydata.sak_algid 79 ipsa_key_t ipsa_encrkeydata; 80 #define ipsa_encrkey ipsa_encrkeydata.sak_key 81 #define ipsa_encrkeylen ipsa_encrkeydata.sak_keylen 82 #define ipsa_encrkeybits ipsa_encrkeydata.sak_keybits 83 #define ipsa_encr_alg ipsa_encrkeydata.sak_algid 84 85 struct ipsid_s *ipsa_src_cid; /* Source certificate identity */ 86 struct ipsid_s *ipsa_dst_cid; /* Destination certificate identity */ 87 struct ipsid_s *ipsa_proxy_cid; /* (src) Proxy agent's cert. id. */ 88 uint64_t *ipsa_integ; /* Integrity bitmap */ 89 uint64_t *ipsa_sens; /* Sensitivity bitmap */ 90 mblk_t *ipsa_lpkt; /* Packet received while larval (CAS me) */ 91 92 /* 93 * PF_KEYv2 supports a replay window size of 255. Hence there is a 94 * need a bit vector to support a replay window of 255. 256 is a nice 95 * round number, so I support that. 96 * 97 * Use an array of uint64_t for best performance on 64-bit 98 * processors. (And hope that 32-bit compilers can handle things 99 * okay.) The " >> 6 " is to get the appropriate number of 64-bit 100 * ints. 101 */ 102 #define SADB_MAX_REPLAY 256 /* Must be 0 mod 64. */ 103 uint64_t ipsa_replay_arr[SADB_MAX_REPLAY >> 6]; 104 105 uint64_t ipsa_unique_id; /* Non-zero for unique SAs */ 106 uint64_t ipsa_unique_mask; /* mask value for unique_id */ 107 108 /* 109 * Reference count semantics: 110 * 111 * An SA has a reference count of 1 if something's pointing 112 * to it. This includes being in a hash table. So if an 113 * SA is in a hash table, it has a reference count of at least 1. 114 * 115 * When a ptr. to an IPSA is assigned, you MUST REFHOLD after 116 * said assignment. When a ptr. to an IPSA is released 117 * you MUST REFRELE. When the refcount hits 0, REFRELE 118 * will free the IPSA. 119 */ 120 kmutex_t ipsa_lock; /* Locks non-linkage/refcnt fields. */ 121 /* Q: Since I may be doing refcnts differently, will I need cv? */ 122 uint_t ipsa_refcnt; /* Reference count. */ 123 124 /* 125 * The following four time fields are the ones monitored by ah_ager() 126 * and esp_ager() respectively. They are all absolute wall-clock 127 * times. The times of creation (i.e. add time) and first use are 128 * pretty straightforward. The soft and hard expire times are 129 * derived from the times of first use and creation, plus the minimum 130 * expiration times in the fields that follow this. 131 * 132 * For example, if I had a hard add time of 30 seconds, and a hard 133 * use time of 15, the ipsa_hardexpiretime would be time of add, plus 134 * 30 seconds. If I USE the SA such that time of first use plus 15 135 * seconds would be earlier than the add time plus 30 seconds, then 136 * ipsa_hardexpiretime would become this earlier time. 137 */ 138 time_t ipsa_addtime; /* Time I was added. */ 139 time_t ipsa_usetime; /* Time of my first use. */ 140 time_t ipsa_softexpiretime; /* Time of my first soft expire. */ 141 time_t ipsa_hardexpiretime; /* Time of my first hard expire. */ 142 143 /* 144 * The following fields are directly reflected in PF_KEYv2 LIFETIME 145 * extensions. The time_ts are in number-of-seconds, and the bytes 146 * are in... bytes. 147 */ 148 time_t ipsa_softaddlt; /* Seconds of soft lifetime after add. */ 149 time_t ipsa_softuselt; /* Seconds of soft lifetime after first use. */ 150 time_t ipsa_hardaddlt; /* Seconds of hard lifetime after add. */ 151 time_t ipsa_harduselt; /* Seconds of hard lifetime after first use. */ 152 uint64_t ipsa_softbyteslt; /* Bytes of soft lifetime. */ 153 uint64_t ipsa_hardbyteslt; /* Bytes of hard lifetime. */ 154 uint64_t ipsa_bytes; /* Bytes encrypted/authed by this SA. */ 155 156 /* 157 * "Allocations" are a concept mentioned in PF_KEYv2. We do not 158 * support them, except to record them per the PF_KEYv2 spec. 159 */ 160 uint_t ipsa_softalloc; /* Allocations allowed (soft). */ 161 uint_t ipsa_hardalloc; /* Allocations allowed (hard). */ 162 uint_t ipsa_alloc; /* Allocations made. */ 163 164 uint_t ipsa_integlen; /* Length of the integrity bitmap (bytes). */ 165 uint_t ipsa_senslen; /* Length of the sensitivity bitmap (bytes). */ 166 167 uint_t ipsa_type; /* Type of security association. (AH/etc.) */ 168 uint_t ipsa_dpd; /* Domain for sensitivity bit vectors. */ 169 uint_t ipsa_senslevel; /* Sensitivity level. */ 170 uint_t ipsa_integlevel; /* Integrity level. */ 171 uint_t ipsa_state; /* State of my association. */ 172 uint_t ipsa_replay_wsize; /* Size of replay window */ 173 uint32_t ipsa_flags; /* Flags for security association. */ 174 uint32_t ipsa_spi; /* Security parameters index. */ 175 uint32_t ipsa_replay; /* Highest seen replay value for this SA. */ 176 uint32_t ipsa_kmp; /* key management proto */ 177 uint32_t ipsa_kmc; /* key management cookie */ 178 179 boolean_t ipsa_haspeer; /* Has peer in another table. */ 180 181 /* 182 * Address storage. 183 * The source address can be INADDR_ANY, IN6ADDR_ANY, etc. 184 * 185 * Address families (per sys/socket.h) guide us. We could have just 186 * used sockaddr_storage 187 */ 188 sa_family_t ipsa_addrfam; 189 sa_family_t ipsa_proxyfam; /* Proxy AF can be != src/dst AF. */ 190 191 uint32_t ipsa_srcaddr[IPSA_MAX_ADDRLEN]; 192 uint32_t ipsa_dstaddr[IPSA_MAX_ADDRLEN]; 193 uint32_t ipsa_proxysrc[IPSA_MAX_ADDRLEN]; 194 uint32_t ipsa_proxydst[IPSA_MAX_ADDRLEN]; 195 196 /* these can only be v4 */ 197 uint32_t ipsa_natt_addr_loc[IPSA_MAX_ADDRLEN]; 198 uint32_t ipsa_natt_addr_rem[IPSA_MAX_ADDRLEN]; 199 200 uint16_t ipsa_inbound_cksum; /* cksum correction for inbound packets */ 201 uint16_t ipsa_remote_port; /* the other port that isn't 4500 */ 202 203 timeout_id_t ipsa_natt_ka_timer; 204 queue_t *ipsa_natt_q; 205 /* 206 * icmp type and code. *_end are to specify ranges. if only 207 * a single value, * and *_end are the same value. 208 */ 209 uint8_t ipsa_icmp_type; 210 uint8_t ipsa_icmp_type_end; 211 uint8_t ipsa_icmp_code; 212 uint8_t ipsa_icmp_code_end; 213 214 /* 215 * For the kernel crypto framework. 216 */ 217 crypto_key_t ipsa_kcfauthkey; /* authentication key */ 218 crypto_key_t ipsa_kcfencrkey; /* encryption key */ 219 crypto_ctx_template_t ipsa_authtmpl; /* auth context template */ 220 crypto_ctx_template_t ipsa_encrtmpl; /* encr context template */ 221 crypto_mechanism_t ipsa_amech; /* auth mech type and ICV len */ 222 crypto_mechanism_t ipsa_emech; /* encr mech type */ 223 size_t ipsa_mac_len; /* auth MAC length */ 224 size_t ipsa_iv_len; /* encr IV length */ 225 226 /* 227 * Input and output processing functions called from IP. 228 */ 229 ipsec_status_t (*ipsa_output_func)(mblk_t *); 230 ipsec_status_t (*ipsa_input_func)(mblk_t *, void *); 231 232 /* MLS boxen will probably need more fields in here. */ 233 234 } ipsa_t; 235 236 /* 237 * ipsa_t address handling macros. We want these to be inlined, and deal 238 * with 32-bit words to avoid bcmp/bcopy calls. 239 * 240 * Assume we only have AF_INET and AF_INET6 addresses for now. Also assume 241 * that we have 32-bit alignment on everything. 242 */ 243 #define IPSA_IS_ADDR_UNSPEC(addr, fam) ((((uint32_t *)(addr))[0] == 0) && \ 244 (((fam) == AF_INET) || (((uint32_t *)(addr))[3] == 0 && \ 245 ((uint32_t *)(addr))[2] == 0 && ((uint32_t *)(addr))[1] == 0))) 246 #define IPSA_ARE_ADDR_EQUAL(addr1, addr2, fam) \ 247 ((((uint32_t *)(addr1))[0] == ((uint32_t *)(addr2))[0]) && \ 248 (((fam) == AF_INET) || \ 249 (((uint32_t *)(addr1))[3] == ((uint32_t *)(addr2))[3] && \ 250 ((uint32_t *)(addr1))[2] == ((uint32_t *)(addr2))[2] && \ 251 ((uint32_t *)(addr1))[1] == ((uint32_t *)(addr2))[1]))) 252 #define IPSA_COPY_ADDR(dstaddr, srcaddr, fam) { \ 253 ((uint32_t *)(dstaddr))[0] = ((uint32_t *)(srcaddr))[0]; \ 254 if ((fam) == AF_INET6) {\ 255 ((uint32_t *)(dstaddr))[1] = ((uint32_t *)(srcaddr))[1]; \ 256 ((uint32_t *)(dstaddr))[2] = ((uint32_t *)(srcaddr))[2]; \ 257 ((uint32_t *)(dstaddr))[3] = ((uint32_t *)(srcaddr))[3]; } } 258 259 /* 260 * ipsa_t reference hold/release macros. 261 * 262 * If you have a pointer, you REFHOLD. If you are releasing a pointer, you 263 * REFRELE. An ipsa_t that is newly inserted into the table should have 264 * a reference count of 1 (for the table's pointer), plus 1 more for every 265 * pointer that is referencing the ipsa_t. 266 */ 267 268 #define IPSA_REFHOLD(ipsa) { \ 269 atomic_add_32(&(ipsa)->ipsa_refcnt, 1); \ 270 ASSERT((ipsa)->ipsa_refcnt != 0); \ 271 } 272 273 /* 274 * Decrement the reference count on the SA. 275 * In architectures e.g sun4u, where atomic_add_32_nv is just 276 * a cas, we need to maintain the right memory barrier semantics 277 * as that of mutex_exit i.e all the loads and stores should complete 278 * before the cas is executed. membar_exit() does that here. 279 */ 280 281 #define IPSA_REFRELE(ipsa) { \ 282 ASSERT((ipsa)->ipsa_refcnt != 0); \ 283 membar_exit(); \ 284 if (atomic_add_32_nv(&(ipsa)->ipsa_refcnt, -1) == 0) \ 285 ((ipsa)->ipsa_freefunc)(ipsa); \ 286 } 287 288 /* 289 * Security association hash macros and definitions. For now, assume the 290 * IPsec model, and hash outbounds on destination address, and inbounds on 291 * SPI. 292 * 293 * Also assume a 256 bucket hash. 294 */ 295 #define OUTBOUND_BUCKETS 256 296 /* Outbound hash treats v4addr like a 32-bit quantity */ 297 #define OUTBOUND_HASH_V4(v4addr) (((uint32_t)(v4addr) ^ \ 298 (((uint32_t)v4addr) >> 8) ^ (((uint32_t)v4addr) >> 16) ^ \ 299 (((uint32_t)v4addr) >> 24)) & 0xff) 300 /* Its v6 counterpart treats v6addr like something I can take the address of. */ 301 #define OUTBOUND_HASH_V6(v6addr) OUTBOUND_HASH_V4((*(uint32_t *)&(v6addr)) ^ \ 302 (*((uint32_t *)&(v6addr)) + 1) ^ (*((uint32_t *)&(v6addr)) + 2) ^ \ 303 (*((uint32_t *)&(v6addr)) + 3)) 304 305 /* No v4/v6 distinction needed for inbound. */ 306 #define INBOUND_BUCKETS 256 307 #define INBOUND_HASH(spi) OUTBOUND_HASH_V4(spi) 308 309 #define IPSA_F_PFS SADB_SAFLAGS_PFS /* PFS in use for this SA? */ 310 #define IPSA_F_NOREPFLD SADB_SAFLAGS_NOREPLAY /* No replay field, for */ 311 /* backward compat. */ 312 #define IPSA_F_USED SADB_X_SAFLAGS_USED /* SA has been used. */ 313 #define IPSA_F_UNIQUE SADB_X_SAFLAGS_UNIQUE /* SA is unique */ 314 #define IPSA_F_AALG1 SADB_X_SAFLAGS_AALG1 /* Auth alg flag 1 */ 315 #define IPSA_F_AALG2 SADB_X_SAFLAGS_AALG2 /* Auth alg flag 2 */ 316 #define IPSA_F_EALG1 SADB_X_SAFLAGS_EALG1 /* Encrypt alg flag 1 */ 317 #define IPSA_F_EALG2 SADB_X_SAFLAGS_EALG2 /* Encrypt alg flag 2 */ 318 319 #define IPSA_F_HW 0x200000 /* hwaccel capable SA */ 320 #define IPSA_F_NATT_LOC SADB_X_SAFLAGS_NATT_LOC 321 #define IPSA_F_NATT_REM SADB_X_SAFLAGS_NATT_REM 322 #define IPSA_F_NATT (SADB_X_SAFLAGS_NATT_LOC | SADB_X_SAFLAGS_NATT_REM) 323 #define IPSA_F_CINVALID 0x40000 /* SA shouldn't be cached */ 324 325 /* SA states are important for handling UPDATE PF_KEY messages. */ 326 #define IPSA_STATE_LARVAL SADB_SASTATE_LARVAL 327 #define IPSA_STATE_MATURE SADB_SASTATE_MATURE 328 #define IPSA_STATE_DYING SADB_SASTATE_DYING 329 #define IPSA_STATE_DEAD SADB_SASTATE_DEAD 330 331 /* 332 * NOTE: If the document authors do things right in defining algorithms, we'll 333 * probably have flags for what all is here w.r.t. replay, ESP w/HMAC, 334 * etc. 335 */ 336 337 #define IPSA_T_ACQUIRE SEC_TYPE_NONE /* If this typed returned, sa needed */ 338 #define IPSA_T_AH SEC_TYPE_AH /* IPsec AH association */ 339 #define IPSA_T_ESP SEC_TYPE_ESP /* IPsec ESP association */ 340 341 #define IPSA_AALG_NONE SADB_AALG_NONE /* No auth. algorithm */ 342 #define IPSA_AALG_MD5H SADB_AALG_MD5HMAC /* MD5-HMAC algorithm */ 343 #define IPSA_AALG_SHA1H SADB_AALG_SHA1HMAC /* SHA1-HMAC algorithm */ 344 345 #define IPSA_EALG_NONE SADB_EALG_NONE /* No encryption algorithm */ 346 #define IPSA_EALG_DES_CBC SADB_EALG_DESCBC 347 #define IPSA_EALG_3DES SADB_EALG_3DESCBC 348 349 /* 350 * Protect each ipsa_t bucket (and linkage) with a lock. 351 */ 352 353 typedef struct isaf_s { 354 ipsa_t *isaf_ipsa; 355 kmutex_t isaf_lock; 356 uint64_t isaf_gen; 357 } isaf_t; 358 359 /* 360 * ACQUIRE record. If AH/ESP/whatever cannot find an association for outbound 361 * traffic, it sends up an SADB_ACQUIRE message and create an ACQUIRE record. 362 */ 363 364 #define IPSACQ_MAXPACKETS 4 /* Number of packets that can be queued up */ 365 /* waiting for an ACQUIRE to finish. */ 366 367 typedef struct ipsacq_s { 368 struct ipsacq_s *ipsacq_next; 369 struct ipsacq_s **ipsacq_ptpn; 370 kmutex_t *ipsacq_linklock; 371 struct ipsec_policy_s *ipsacq_policy; 372 struct ipsec_action_s *ipsacq_act; 373 374 sa_family_t ipsacq_addrfam; /* Address family. */ 375 int ipsacq_numpackets; /* How many packets queued up so far. */ 376 uint32_t ipsacq_seq; /* PF_KEY sequence number. */ 377 uint64_t ipsacq_unique_id; /* Unique ID for SAs that need it. */ 378 379 kmutex_t ipsacq_lock; /* Protects non-linkage fields. */ 380 time_t ipsacq_expire; /* Wall-clock time when this record expires. */ 381 mblk_t *ipsacq_mp; /* List of datagrams waiting for an SA. */ 382 383 /* These two point inside the last mblk inserted. */ 384 uint32_t *ipsacq_srcaddr; 385 uint32_t *ipsacq_dstaddr; 386 387 /* uint32_t ipsacq_proxysrc[IPSA_MAX_ADDRLEN]; */ /* For later */ 388 /* uint32_t ipsacq_proxydst[IPSA_MAX_ADDRLEN]; */ /* For later */ 389 390 /* These may change per-acquire. */ 391 uint16_t ipsacq_srcport; 392 uint16_t ipsacq_dstport; 393 uint8_t ipsacq_proto; 394 /* icmp type and code of triggering packet (if applicable) */ 395 uint8_t ipsacq_icmp_type; 396 uint8_t ipsacq_icmp_code; 397 } ipsacq_t; 398 399 /* 400 * Kernel-generated sequence numbers will be no less than 0x80000000 to 401 * forestall any cretinous problems with manual keying accidentally updating 402 * an ACQUIRE entry. 403 */ 404 #define IACQF_LOWEST_SEQ 0x80000000 405 406 #define SADB_AGE_INTERVAL_DEFAULT 1000 407 408 /* 409 * ACQUIRE fanout. Protect each linkage with a lock. 410 */ 411 412 typedef struct iacqf_s { 413 ipsacq_t *iacqf_ipsacq; 414 kmutex_t iacqf_lock; 415 } iacqf_t; 416 417 /* 418 * A (network protocol, ipsec protocol) specific SADB. 419 * (i.e., one each for {ah, esp} and {v4, v6}. 420 * 421 * Keep outbound assocs about the same as ire_cache entries for now. 422 * One danger point, multiple SAs for a single dest will clog a bucket. 423 * For the future, consider two-level hashing (2nd hash on IPC?), then probe. 424 */ 425 426 typedef struct sadb_s 427 { 428 isaf_t *sdb_of; 429 isaf_t *sdb_if; 430 iacqf_t *sdb_acq; 431 } sadb_t; 432 433 /* 434 * A pair of SADB's (one for v4, one for v6), and related state (including 435 * acquire callbacks). 436 */ 437 438 typedef struct sadbp_s 439 { 440 uint32_t s_satype; 441 queue_t *s_ip_q; 442 uint32_t *s_acquire_timeout; 443 void (*s_acqfn)(ipsacq_t *, mblk_t *); 444 sadb_t s_v4; 445 sadb_t s_v6; 446 } sadbp_t; 447 448 /* 449 * Global IPsec security association databases (and all that go with them). 450 */ 451 extern sadbp_t ah_sadb, esp_sadb; 452 453 /* Pointer to an all-zeroes IPv6 address. */ 454 #define ALL_ZEROES_PTR ((uint32_t *)&ipv6_all_zeros) 455 456 /* 457 * Form unique id from ipsec_out_t 458 */ 459 460 #define SA_FORM_UNIQUE_ID(io) \ 461 SA_UNIQUE_ID((io)->ipsec_out_src_port, (io)->ipsec_out_dst_port, \ 462 (io)->ipsec_out_proto) 463 464 /* 465 * This macro is used to generate unique ids (along with the addresses) for 466 * outbound datagrams that require unique SAs. 467 * 468 * N.B. casts and unsigned shift amounts discourage unwarranted 469 * sign extension of dstport and proto. 470 */ 471 #define SA_UNIQUE_ID(srcport, dstport, proto) \ 472 ((srcport) | ((uint64_t)(dstport) << 16U) | ((uint64_t)(proto) << 32U)) 473 474 /* 475 * SA_UNIQUE_MASK generates a mask value to use when comparing the unique value 476 * from a packet to an SA. 477 */ 478 479 #define SA_UNIQUE_MASK(srcport, dstport, proto) \ 480 SA_UNIQUE_ID((srcport != 0)? 0xffff : 0, \ 481 (dstport != 0)? 0xffff : 0, \ 482 (proto != 0)? 0xff : 0) 483 484 /* 485 * Decompose unique id back into its original fields. 486 */ 487 #define SA_PROTO(ipsa) ((ipsa)->ipsa_unique_id>>32)&0xff 488 #define SA_SRCPORT(ipsa) ((ipsa)->ipsa_unique_id & 0xffff) 489 #define SA_DSTPORT(ipsa) (((ipsa)->ipsa_unique_id >> 16) & 0xffff) 490 491 /* 492 * All functions that return an ipsa_t will return it with IPSA_REFHOLD() 493 * already called. 494 */ 495 496 /* SA retrieval (inbound and outbound) */ 497 ipsa_t *ipsec_getassocbyspi(isaf_t *, uint32_t, uint32_t *, uint32_t *, 498 sa_family_t); 499 ipsa_t *ipsec_getassocbyconn(isaf_t *, ipsec_out_t *, uint32_t *, uint32_t *, 500 sa_family_t, uint8_t); 501 502 /* SA insertion. */ 503 int sadb_insertassoc(ipsa_t *, isaf_t *); 504 505 /* SA table construction and destruction. */ 506 void sadbp_init(sadbp_t *, int); 507 void sadbp_flush(sadbp_t *); 508 void sadbp_destroy(sadbp_t *); 509 510 /* SA insertion and deletion. */ 511 int sadb_insertassoc(ipsa_t *, isaf_t *); 512 void sadb_unlinkassoc(ipsa_t *); 513 514 /* Support routines to interface a keysock consumer to PF_KEY. */ 515 mblk_t *sadb_keysock_out(minor_t); 516 int sadb_hardsoftchk(sadb_lifetime_t *, sadb_lifetime_t *); 517 void sadb_pfkey_echo(queue_t *, mblk_t *, sadb_msg_t *, struct keysock_in_s *, 518 ipsa_t *); 519 void sadb_pfkey_error(queue_t *, mblk_t *, int, int, uint_t); 520 void sadb_keysock_hello(queue_t **, queue_t *, mblk_t *, void (*)(void *), 521 timeout_id_t *, int); 522 int sadb_addrcheck(queue_t *, queue_t *, mblk_t *, sadb_ext_t *, uint_t); 523 void sadb_srcaddrfix(keysock_in_t *); 524 int sadb_addrset(ire_t *); 525 int sadb_delget_sa(mblk_t *, keysock_in_t *, sadbp_t *, int *, queue_t *, 526 boolean_t); 527 #define sadb_get_sa(m, k, s, i, q) sadb_delget_sa(m, k, s, i, q, B_FALSE) 528 #define sadb_del_sa(m, k, s, i, q) sadb_delget_sa(m, k, s, i, q, B_TRUE) 529 530 int sadb_purge_sa(mblk_t *, keysock_in_t *, sadb_t *, int *, 531 queue_t *, queue_t *); 532 int sadb_common_add(queue_t *, queue_t *, mblk_t *, sadb_msg_t *, 533 keysock_in_t *, isaf_t *, isaf_t *, ipsa_t *, boolean_t, boolean_t); 534 void sadb_set_usetime(ipsa_t *); 535 boolean_t sadb_age_bytes(queue_t *, ipsa_t *, uint64_t, boolean_t); 536 int sadb_update_sa(mblk_t *, keysock_in_t *, sadb_t *, 537 int *, queue_t *, int (*)(mblk_t *, keysock_in_t *, int *)); 538 void sadb_acquire(mblk_t *, ipsec_out_t *, boolean_t, boolean_t); 539 540 void sadb_destroy_acquire(ipsacq_t *); 541 void sadb_destroy_acqlist(iacqf_t *, uint_t, boolean_t); 542 uint8_t *sadb_setup_acquire(uint8_t *, uint8_t *, ipsacq_t *); 543 ipsa_t *sadb_getspi(keysock_in_t *, uint32_t, int *); 544 void sadb_in_acquire(sadb_msg_t *, sadbp_t *, queue_t *); 545 boolean_t sadb_replay_check(ipsa_t *, uint32_t); 546 boolean_t sadb_replay_peek(ipsa_t *, uint32_t); 547 mblk_t *sadb_sa2msg(ipsa_t *, sadb_msg_t *); 548 int sadb_dump(queue_t *, mblk_t *, minor_t, sadb_t *); 549 void sadb_replay_delete(ipsa_t *); 550 void sadb_ager(sadb_t *, queue_t *, queue_t *, int); 551 552 timeout_id_t sadb_retimeout(hrtime_t, queue_t *, void (*)(void *), 553 uint_t *, uint_t, short); 554 void sadb_sa_refrele(void *target); 555 void sadb_set_lpkt(ipsa_t *, mblk_t *); 556 mblk_t *sadb_clear_lpkt(ipsa_t *); 557 558 /* 559 * Hw accel-related calls (downloading sadb to driver) 560 */ 561 void sadb_ill_download(ill_t *, uint_t); 562 mblk_t *sadb_fmt_sa_req(uint_t, uint_t, ipsa_t *, boolean_t); 563 /* 564 * Sub-set of the IPsec hardware acceleration capabilities functions 565 * implemented by ip_if.c 566 */ 567 extern boolean_t ipsec_capab_match(ill_t *, uint_t, boolean_t, ipsa_t *); 568 extern void ill_ipsec_capab_send_all(uint_t, mblk_t *, ipsa_t *); 569 570 571 /* 572 * One IPsec -> IP linking routine, and two IPsec rate-limiting routines. 573 */ 574 extern boolean_t sadb_t_bind_req(queue_t *, int); 575 /*PRINTFLIKE5*/ 576 extern void ipsec_rl_strlog(short, short, char, ushort_t, char *, ...) 577 __KPRINTFLIKE(5); 578 extern void ipsec_assocfailure(short, short, char, ushort_t, char *, uint32_t, 579 void *, int); 580 581 /* 582 * Algorithm types. 583 */ 584 585 #define IPSEC_NALGTYPES 2 586 587 typedef enum ipsec_algtype { 588 IPSEC_ALG_AUTH = 0, 589 IPSEC_ALG_ENCR = 1 590 } ipsec_algtype_t; 591 592 /* 593 * Definitions as per IPsec/ISAKMP DOI. 594 */ 595 596 #define IPSEC_MAX_ALGS 256 597 #define PROTO_IPSEC_AH 2 598 #define PROTO_IPSEC_ESP 3 599 600 /* 601 * Common algorithm info. 602 */ 603 typedef struct ipsec_alginfo 604 { 605 uint8_t alg_id; 606 uint8_t alg_flags; 607 uint16_t *alg_key_sizes; 608 uint16_t *alg_block_sizes; 609 uint16_t alg_nkey_sizes; 610 uint16_t alg_nblock_sizes; 611 uint16_t alg_minbits; 612 uint16_t alg_maxbits; 613 uint16_t alg_datalen; 614 /* 615 * increment: number of bits from keysize to keysize 616 * default: # of increments from min to default key len 617 */ 618 uint16_t alg_increment; 619 uint16_t alg_default; 620 uint16_t alg_default_bits; 621 /* 622 * Min, max, and default key sizes effectively supported 623 * by the encryption framework. 624 */ 625 uint16_t alg_ef_minbits; 626 uint16_t alg_ef_maxbits; 627 uint16_t alg_ef_default; 628 uint16_t alg_ef_default_bits; 629 630 crypto_mech_type_t alg_mech_type; /* KCF mechanism type */ 631 crypto_mech_name_t alg_mech_name; /* KCF mechanism name */ 632 } ipsec_alginfo_t; 633 634 #define alg_datalen alg_block_sizes[0] 635 636 #define ALG_FLAG_VALID 0x01 637 #define ALG_VALID(_alg) ((_alg)->alg_flags & ALG_FLAG_VALID) 638 639 /* 640 * Software crypto execution mode. 641 */ 642 typedef enum { 643 IPSEC_ALGS_EXEC_SYNC = 0, 644 IPSEC_ALGS_EXEC_ASYNC = 1 645 } ipsec_algs_exec_mode_t; 646 647 extern uint8_t ipsec_nalgs[IPSEC_NALGTYPES]; 648 extern ipsec_alginfo_t *ipsec_alglists[IPSEC_NALGTYPES][IPSEC_MAX_ALGS]; 649 extern uint8_t ipsec_sortlist[IPSEC_NALGTYPES][IPSEC_MAX_ALGS]; 650 extern ipsec_algs_exec_mode_t ipsec_algs_exec_mode[IPSEC_NALGTYPES]; 651 652 extern kmutex_t alg_lock; 653 654 extern void ipsec_alg_reg(ipsec_algtype_t, ipsec_alginfo_t *); 655 extern void ipsec_alg_unreg(ipsec_algtype_t, uint8_t); 656 extern void ipsec_alg_fix_min_max(ipsec_alginfo_t *, ipsec_algtype_t); 657 extern void ipsec_alg_free(ipsec_alginfo_t *); 658 extern void ipsec_register_prov_update(void); 659 extern void sadb_alg_update(ipsec_algtype_t, uint8_t, boolean_t); 660 661 /* 662 * Context templates management. 663 */ 664 665 #define IPSEC_CTX_TMPL_ALLOC ((crypto_ctx_template_t)-1) 666 #define IPSEC_CTX_TMPL(_sa, _which, _type, _tmpl) { \ 667 if ((_tmpl = (_sa)->_which) == IPSEC_CTX_TMPL_ALLOC) { \ 668 mutex_enter(&assoc->ipsa_lock); \ 669 if ((_sa)->_which == IPSEC_CTX_TMPL_ALLOC) { \ 670 mutex_enter(&alg_lock); \ 671 (void) ipsec_create_ctx_tmpl(_sa, _type); \ 672 mutex_exit(&alg_lock); \ 673 } \ 674 mutex_exit(&assoc->ipsa_lock); \ 675 if ((_tmpl = (_sa)->_which) == IPSEC_CTX_TMPL_ALLOC) \ 676 _tmpl = NULL; \ 677 } \ 678 } 679 680 extern int ipsec_create_ctx_tmpl(ipsa_t *, ipsec_algtype_t); 681 extern void ipsec_destroy_ctx_tmpl(ipsa_t *, ipsec_algtype_t); 682 683 /* key checking */ 684 extern int ipsec_check_key(crypto_mech_type_t, sadb_key_t *, boolean_t, int *); 685 686 /* natt cleanup */ 687 extern void sadb_clear_timeouts(queue_t *); 688 689 typedef struct { 690 kstat_named_t esp_stat_in_requests; 691 kstat_named_t esp_stat_in_discards; 692 kstat_named_t esp_stat_lookup_failure; 693 kstat_named_t ah_stat_in_requests; 694 kstat_named_t ah_stat_in_discards; 695 kstat_named_t ah_stat_lookup_failure; 696 } ipsec_kstats_t; 697 698 extern ipsec_kstats_t *ipsec_kstats; 699 extern void ipsec_kstat_init(void); 700 extern void ipsec_kstat_destroy(void); 701 702 #define IP_ESP_BUMP_STAT(x) (ipsec_kstats->esp_stat_ ## x).value.ui64++ 703 #define IP_AH_BUMP_STAT(x) (ipsec_kstats->ah_stat_ ## x).value.ui64++ 704 705 #ifdef __cplusplus 706 } 707 #endif 708 709 #endif /* _INET_SADB_H */ 710