ipsecah.h revision f4b3ec61df05330d25f55a36b975b4d7519fdeb1
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _INET_IPSECAH_H
#define _INET_IPSECAH_H
#pragma ident "%Z%%M% %I% %E% SMI"
#include <inet/ip.h>
#include <inet/ipdrop.h>
#ifdef __cplusplus
extern "C" {
#endif
#include <sys/note.h>
#ifdef _KERNEL
/*
 * Named Dispatch Parameter Management Structure
 *
 * One entry per tunable: a name, the current value, and a min/max pair.
 * NOTE(review): the field names suggest that min/max bound the accepted
 * value; the code that enforces this is not in this header -- confirm
 * that writes are range-checked before ipsecah_param_value is stored.
 */
typedef struct ipsecahparam_s {
uint_t ipsecah_param_min;
uint_t ipsecah_param_max;
uint_t ipsecah_param_value;
char *ipsecah_param_name;
} ipsecahparam_t;
/*
 * Stats. This may eventually become a full-blown SNMP MIB once that spec
 * stabilizes.
 *
 * Every member is a kstat_named_t named ah_stat_<x>. AH_BUMP_STAT and
 * AH_DEBUMP_STAT paste <x> onto the ah_stat_ prefix and modify the
 * member's value.ui64, so a new counter must follow the same naming.
 *
 * NOTE(review): judging by their names, bad_auth, replay_failures,
 * replay_early_failures and crypto_failures count rejected or failed
 * packets and are the counters to watch when monitoring AH -- confirm
 * against the code that bumps them.
 */
typedef struct ah_kstats_s
{
kstat_named_t ah_stat_num_aalgs;
kstat_named_t ah_stat_good_auth;
kstat_named_t ah_stat_bad_auth;
kstat_named_t ah_stat_replay_failures;
kstat_named_t ah_stat_replay_early_failures;
kstat_named_t ah_stat_keysock_in;
kstat_named_t ah_stat_out_requests;
kstat_named_t ah_stat_acquire_requests;
kstat_named_t ah_stat_bytes_expired;
kstat_named_t ah_stat_out_discards;
kstat_named_t ah_stat_in_accelerated;
kstat_named_t ah_stat_out_accelerated;
kstat_named_t ah_stat_noaccel;
kstat_named_t ah_stat_crypto_sync;
kstat_named_t ah_stat_crypto_async;
kstat_named_t ah_stat_crypto_failures;
} ah_kstats_t;
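/*
 * ahstack->ah_kstats is equal to ahstack->ah_ksp->ks_data if
 * kstat_create_netstack for ahstack->ah_ksp succeeds, but when it
 * fails, it will be NULL. Note this is done for all stack instances,
 * so it *could* fail; hence AH_BUMP_STAT and AH_DEBUMP_STAT check for
 * non-NULL before touching a counter.
 *
 * Both macros take the stack pointer and the counter name without its
 * ah_stat_ prefix (the prefix is pasted on with ##). The stack argument
 * is parenthesized so that any pointer expression, e.g. &stack, expands
 * correctly. It is still expanded twice, so it must not have side
 * effects.
 *
 * NOTE(review): the ++ / -- on value.ui64 is a plain read-modify-write;
 * nothing in these macros serializes concurrent callers -- confirm that
 * approximate counts are acceptable. AH_DEBUMP_STAT does not test for
 * zero; presumably ui64 is unsigned, so an unmatched decrement would
 * wrap to a very large value -- confirm callers always pair it with a
 * bump.
 */
#define	AH_BUMP_STAT(ahstack, x)					\
do {									\
	if ((ahstack)->ah_kstats != NULL)				\
		((ahstack)->ah_kstats->ah_stat_ ## x).value.ui64++;	\
	_NOTE(CONSTCOND)						\
} while (0)

#define	AH_DEBUMP_STAT(ahstack, x)					\
do {									\
	if ((ahstack)->ah_kstats != NULL)				\
		((ahstack)->ah_kstats->ah_stat_ ## x).value.ui64--;	\
	_NOTE(CONSTCOND)						\
} while (0)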
/*
 * IPSECAH stack instances
 *
 * State kept for one AH stack instance: the tunable table and its lock,
 * the SADB member, the packet dropper, the kstat handles, and the
 * keysock queue with its aging event.
 */
struct ipsecah_stack {
netstack_t *ipsecah_netstack; /* Common netstack */
caddr_t ipsecah_g_nd;
ipsecahparam_t *ipsecah_params;
kmutex_t ipsecah_param_lock; /* Protects params */
sadbp_t ah_sadb;
/* Packet dropper for AH drops. */
ipdropper_t ah_dropper;
/*
 * ah_kstats is ah_ksp->ks_data when kstat creation succeeded and NULL
 * when it failed, so every access has to test it first; AH_BUMP_STAT
 * and AH_DEBUMP_STAT do.
 */
kstat_t *ah_ksp;
ah_kstats_t *ah_kstats;
/*
 * Keysock instance of AH. There can be only one per stack instance.
 * Use casptr() on this because I don't set it until KEYSOCK_HELLO
 * comes down.
 * Paired up with the ah_pfkey_q is the ah_event, which will age SAs.
 *
 * NOTE(review): since the queue is only set once KEYSOCK_HELLO
 * arrives, readers presumably have to tolerate it being unset until
 * then -- confirm every user checks before dereferencing.
 */
queue_t *ah_pfkey_q;
timeout_id_t ah_event;
mblk_t *ah_ip_unbind;
};
/* Convenience typedef for struct ipsecah_stack. */
typedef struct ipsecah_stack ipsecah_stack_t;
#endif /* _KERNEL */
/*
 * For now, only provide "aligned" version of header.
 * If an unaligned version is needed, we'll go with the naming conventions
 * then.
 *
 * Fixed part of the AH header. The members add up to 12 bytes
 * (1 + 1 + 2 + 4 + 4), which is the value of AH_BASELEN.
 *
 * NOTE(review): when this is overlaid on a received packet, every field
 * is peer-supplied; presumably the multi-byte fields are in network
 * byte order -- confirm at the point of use.
 */
typedef struct ah {
uint8_t ah_nexthdr;
uint8_t ah_length; /* scaled by 4 in AH_TOTAL_LEN */
uint16_t ah_reserved;
uint32_t ah_spi;
uint32_t ah_replay;
} ah_t;
/* Size in bytes of the fixed fields of ah_t. */
#define AH_BASELEN 12
/*
 * Total AH length in bytes, computed from the header's own ah_length:
 * (ah_length * 4) + 12 - 4, i.e. 4 * ah_length + 8. The argument is
 * evaluated once (the sizeof operand is not evaluated), and the result
 * has type size_t because of the sizeof term.
 *
 * With an 8-bit ah_length the result ranges from 8 to 1028. The low end
 * is smaller than AH_BASELEN, so an ah_length below 1 describes a header
 * shorter than ah_t itself.
 * NOTE(review): the macro does no validation; when ah_length comes from
 * a received packet, callers presumably must check the result against
 * both sizeof (ah_t) and the bytes actually present before using it as
 * an offset or copy length -- confirm each call site does.
 */
#define AH_TOTAL_LEN(ah) (((ah)->ah_length << 2) + AH_BASELEN - \
sizeof ((ah)->ah_replay))
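/*
 * "Old" AH, without replay. For 1827-29 compatibility.
 *
 * Same leading fields as ah_t, minus ah_replay, so the fixed part is
 * 8 bytes (AHOLD_BASELEN).
 */
typedef struct ahold {
	uint8_t		ah_nexthdr;
	uint8_t		ah_length;
	uint16_t	ah_reserved;
	uint32_t	ah_spi;
} ahold_t;

/* Size in bytes of the fixed fields of ahold_t. */
#define	AHOLD_BASELEN	8

/*
 * Total length in bytes of an old-style AH header: ah_length 32-bit
 * words on top of the fixed part. The base added here is AHOLD_BASELEN
 * (8, the size of ahold_t). AH_BASELEN (12) would count the replay
 * field that the old header does not have and overstate the length by
 * four bytes.
 *
 * NOTE(review): assumes ah_length in the old format counts only the
 * words that follow the fixed header (the RFC 1826 layout) -- confirm
 * against any caller. The macro does no validation; when the header
 * comes from a received packet the result must be checked against the
 * bytes actually present before it is used as an offset or length.
 */
#define	AHOLD_TOTAL_LEN(ah)	(((ah)->ah_length << 2) + AHOLD_BASELEN)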
#ifdef __cplusplus
}
#endif
#endif /* _INET_IPSECAH_H */