ipsec_impl.h revision 7c478bd95313f5f23a4c958a745db2134aa03244
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2004 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _INET_IPSEC_IMPL_H
#define _INET_IPSEC_IMPL_H
#pragma ident "%Z%%M% %I% %E% SMI"
#ifdef __cplusplus
extern "C" {
#endif
#define IPSEC_CONF_SRC_ADDRESS 0 /* Source Address */
/* Type of an entry */
#define IPSEC_NTYPES 0x02
#define IPSEC_TYPE_OUTBOUND 0x00
#define IPSEC_TYPE_INBOUND 0x01
/* Policy */
#define IPSEC_POLICY_APPLY 0x01
#define IPSEC_POLICY_DISCARD 0x02
#define IPSEC_POLICY_BYPASS 0x03
/* Shared or unique SA */
#define IPSEC_SHARED_SA 0x01
#define IPSEC_UNIQUE_SA 0x02
/* IPSEC protocols and combinations */
#define IPSEC_AH_ONLY 0x01
#define IPSEC_ESP_ONLY 0x02
#define IPSEC_AH_ESP 0x03
#ifdef _KERNEL
#include <inet/ipsecesp.h>
/*
* Maximum number of authentication algorithms (can be indexed by one byte
* per PF_KEY and the IKE IPsec DOI.
*/
#define MAX_AALGS 256
/*
* IPsec task queue constants.
*/
#define IPSEC_TASKQ_MIN 10
#define IPSEC_TASKQ_MAX 20
/*
* So we can access IPsec global variables that live in keysock.c.
*/
extern boolean_t keysock_extended_reg(void);
extern uint32_t keysock_next_seq(void);
/*
* Locking for ipsec policy rules:
*
* policy heads: system policy is static; per-conn polheads are dynamic,
* and refcounted (and inherited); use atomic refcounts and "don't let
* go with both hands".
*
* policy: refcounted; references from polhead, ipsec_out
*
* actions: refcounted; referenced from: action hash table, policy, ipsec_out
* selectors: refcounted; referenced from: selector hash table, policy.
*/
/*
* the following are inspired by, but not directly based on,
* found in BSD.
*
* XXX If we use these more generally, we'll have to make the names
* less generic (HASH_* will probably clobber other namespaces).
*/
{ \
}
{ \
}
struct { \
struct { \
}
typedef struct ipsec_policy_s ipsec_policy_t;
/*
* When adding new fields to ipsec_prot_t, make sure to update
* ipsec_in_to_out_action() as well as other code in spd.c
*/
typedef struct ipsec_prot
{
unsigned int
ipp_use_ah : 1,
ipp_use_esp : 1,
ipp_use_se : 1,
ipp_use_unique : 1,
ipp_use_espa : 1,
ipp_pad : 27;
/* XXX add lifetimes */
} ipsec_prot_t;
#define IPSEC_MAX_KEYBITS (0xffff)
/*
* An individual policy action, possibly a member of a chain.
*
* Rule chains may be shared between multiple policy rules.
*
* With one exception (IPSEC_POLICY_LOG), a chain consists of an
* ordered list of alternative ways to handle a packet.
*
* All actions are also "interned" into a hash table (to allow
* multiple rules with the same action chain to share one copy in
* memory).
*/
typedef struct ipsec_act
{
union
{
} ipa_u;
} ipsec_act_t;
#define IPSEC_ACT_REJECT 0x04
#define IPSEC_ACT_CLEAR 0x05
typedef struct ipsec_action_s
{
/*
* The following bits are equivalent to an OR of bits included in the
* ipau_apply fields of this and subsequent actions in an
* action chain; this is an optimization for the sake of
* ipsec_out_process() in ip.c and a few other places.
*/
unsigned int
ipa_hval: 8,
ipa_pad:19;
#define IPACT_REFHOLD(ipa) { \
}
#define IPACT_REFRELE(ipa) { \
membar_exit(); \
ipsec_action_free(ipa); \
(ipa) = 0; \
}
/*
* Merged address structure, for cheezy address-family independant
* matches in policy code.
*/
typedef union ipsec_addr
{
} ipsec_addr_t;
/*
* ipsec selector set, as used by the kernel policy structures.
* Note that that we specify "local" and "remote"
* rather than "source" and "destination", which allows the selectors
* for symmetric policy rules to be shared between inbound and
* outbound rules.
*
* "local" means "destination" on inbound, and "source" on outbound.
* "remote" means "source" on inbound, and "destination" on outbound.
* XXX if we add a fifth policy enforcement point for forwarded packets,
* what do we do?
*
* The ipsl_valid mask is not done as a bitfield; this is so we
* can use "ffs()" to find the "most interesting" valid tag.
*
* XXX should we have multiple types for space-conservation reasons?
* (v4 vs v6? prefix vs. range)?
*/
typedef struct ipsec_selkey
{
#define IPSL_REMOTE_ADDR 0x00000001
#define IPSL_LOCAL_ADDR 0x00000002
#define IPSL_REMOTE_PORT 0x00000004
#define IPSL_LOCAL_PORT 0x00000008
#define IPSL_PROTOCOL 0x00000010
#define IPSL_ICMP_TYPE 0x00000020
#define IPSL_ICMP_CODE 0x00000040
#define IPSL_IPV6 0x00000080
#define IPSL_IPV4 0x00000100
#define IPSL_WILDCARD 0x0000007f
/*
* ICMP type and code selectors. Both have an end value to
* specify ranges, or * and *_end are equal for a single
* value
*/
typedef struct ipsec_sel
{
} ipsec_sel_t;
/*
* "Tree" linkage.
*
* XXX use singly-linked list for now, until we have a classifier..
*/
typedef struct ipsec_tree_link
{
/*
* One policy rule.
*/
struct ipsec_policy_s
{
};
#define IPPOL_REFHOLD(ipp) { \
}
#define IPPOL_REFRELE(ipp) { \
membar_exit(); \
ipsec_policy_free(ipp); \
(ipp) = 0; \
}
/*
* Policy ruleset. One per (protocol * direction) for system policy.
*/
#define IPSEC_AF_V4 0
#define IPSEC_AF_V6 1
#define IPSEC_NAF 2
typedef struct ipsec_policy_root_s
{
/*
* Policy head. One for system policy; there may also be one present
* on ill_t's with interface-specific policy, as well as one present
* for sockets with per-socket policy allocated.
*/
typedef struct ipsec_policy_head_s
{
#define IPPH_REFHOLD(iph) { \
}
#define IPPH_REFRELE(iph) { \
membar_exit(); \
(iph) = 0; \
}
/*
* Certificate identity.
*/
typedef struct ipsid_s
{
struct ipsid_s *ipsid_next;
struct ipsid_s **ipsid_ptpn;
int ipsid_type; /* id type */
char *ipsid_cid; /* certificate id string */
} ipsid_t;
/*
*/
#define IPSID_REFHOLD(ipsid) { \
}
/*
* Decrement the reference count on the ID. Someone else will clean up
* after us later.
*/
#define IPSID_REFRELE(ipsid) { \
membar_exit(); \
}
struct ipsec_out_s;
/*
* Following are the estimates of what the maximum AH and ESP header size
* would be. This is used to tell the upper layer the right value of MSS
* different from this, ULP will learn the right one through
* ICMP_FRAGMENTATION_NEEDED messages generated locally.
*
*
* ESP : 8 bytes of constant header + 16 bytes of IV + 12 bytes ICV +
* 2 bytes of trailer + 15 bytes pad = 53
*
* Note that for ESP, this estimate is overly pessimistic; however, a
* more accurate estimate needs to know the exact amount of space
* which will be available to ESP so it can just leave 2 bytes free in
* the last cipherblock for the ESP inner trailer, and that
* information is not available at the right moment in the current
* stack.
*/
#define IPSEC_MAX_AH_HDR_SIZE (24)
#define IPSEC_MAX_ESP_HDR_SIZE (53)
/* Alternate, when we know the crypto block size */
/*
* Loader states..
*/
#define IPSEC_LOADER_WAIT 0
#define IPSEC_LOADER_FAILED -1
#define IPSEC_LOADER_SUCCEEDED 1
extern kmutex_t ipsec_loader_lock;
extern int ipsec_loader_state;
/*
* ipsec_loader entrypoints.
*/
extern void ipsec_loader_init(void);
extern void ipsec_loader_start(void);
extern void ipsec_loader_destroy(void);
extern void ipsec_loader_loadnow(void);
extern boolean_t ipsec_loaded(void);
extern boolean_t ipsec_failed(void);
/*
* callback from ipsec_loader to ip
*/
extern void ip_ipsec_load_complete();
/*
* ipsec policy entrypoints (spd.c)
*/
extern void ipsec_policy_destroy(void);
extern void ipsec_policy_init(void);
extern int ipsec_policy_alloc(conn_t *);
extern mblk_t *ipsec_alloc_ipsec_out(void);
uint8_t);
uint8_t);
struct ipsec_in_s;
extern void ipsec_policy_free(ipsec_policy_t *);
extern void ipsec_action_free(ipsec_action_t *);
extern void ipsec_polhead_free(ipsec_policy_head_t *);
extern ipsec_policy_head_t *ipsec_polhead_create(void);
extern ipsec_policy_head_t *ipsec_system_policy(void);
extern ipsec_policy_head_t *ipsec_inactive_policy(void);
extern void ipsec_swap_policy(void);
extern int ipsec_clone_system_policy(void);
const ipsec_act_t *, int, int);
const ipsec_selkey_t *, int);
extern void ipsec_polhead_flush(ipsec_policy_head_t *);
struct ipsec_out_s *, ipsec_selector_t *);
extern ipsid_t *ipsid_lookup(int, char *);
extern void ipsid_gc(void);
extern void ipsec_config_flush(void);
int);
extern int ipsec_config_add_compat(mblk_t *);
extern int ipsec_config_delete_compat(mblk_t *);
extern void iplatch_free(ipsec_latch_t *);
extern ipsec_latch_t *iplatch_create(void);
/*
*/
extern void ipsecah_rl_strlog(char, ushort_t, char *, ...);
uint32_t, void *, int);
uint32_t, void *, int);
/*
* Algorithm management helper functions.
*/
/*
* Per-socket policy, for now, takes precedence... this priority value
* insures it.
*/
#define IPSEC_PRIO_SOCKET 0x1000000
/* DDI initialization functions. */
extern boolean_t ipsecesp_ddi_init(void);
extern boolean_t ipsecah_ddi_init(void);
extern boolean_t keysock_ddi_init(void);
extern boolean_t spdsock_ddi_init(void);
extern void ipsecesp_ddi_destroy(void);
extern void ipsecah_ddi_destroy(void);
extern void keysock_ddi_destroy(void);
extern void spdsock_ddi_destroy(void);
/*
* AH- and ESP-specific functions that are called directly by other modules.
*/
extern void ipsecah_fill_defs(struct sadb_x_ecomb *);
extern void ipsecesp_fill_defs(struct sadb_x_ecomb *);
extern void ipsecah_algs_changed(void);
extern void ipsecesp_algs_changed(void);
extern void ipsecesp_init_funcs(ipsa_t *);
extern void ipsecah_init_funcs(ipsa_t *);
/*
* Wrapper for putnext() to ipsec accelerated interface.
*/
/*
* spdsock functions that are called directly by IP.
*/
extern void spdsock_update_pending_algs(void);
/*
* IP functions that are called from AH and ESP.
*/
/*
* NAT-Traversal cleanup
*/
extern void nattymod_clean_ipif(ipif_t *);
/*
* AH and ESP counters types.
*/
typedef uint32_t ah_counter;
typedef uint32_t esp_counter;
#endif /* _KERNEL */
#ifdef __cplusplus
}
#endif
#endif /* _INET_IPSEC_IMPL_H */