sadb.h revision 38d95a786e32a3f7e21450bff371f0778db4c181
/*
 * IP security association. Synchronization assumes 32-bit loads, so
 * the 64-bit quantities can't even be read w/o locking it down!
 */

void *sak_key;
/* Algorithm key. */

/* the security association */

/*
 * NOTE: I may need more pointers, depending on future SA
 */

/*
 * PF_KEYv2 supports a replay window size of 255. Hence there is a
 * need for a bit vector to support a replay window of 255. 256 is a nice
 * round number, so I support that.
 *
 * Use an array of uint64_t for best performance on 64-bit
 * processors. (And hope that 32-bit compilers can handle things
 * okay.) The " >> 6 " is to get the appropriate number of 64-bit
 */

/*
 * Reference count semantics:
 *
 * An SA has a reference count of 1 if something's pointing
 * to it. This includes being in a hash table. So if an
 * SA is in a hash table, it has a reference count of at least 1.
 *
 * When a ptr. to an IPSA is assigned, you MUST REFHOLD after
 * said assignment. When a ptr. to an IPSA is released
 * you MUST REFRELE. When the refcount hits 0, REFRELE
 */

/* Q: Since I may be doing refcnts differently, will I need cv? */

/*
 * The following four time fields are the ones monitored by ah_ager()
 * and esp_ager() respectively. They are all absolute wall-clock
 * times. The times of creation (i.e. add time) and first use are
 * pretty straightforward. The soft and hard expire times are
 * derived from the times of first use and creation, plus the minimum
 * expiration times in the fields that follow this.
 *
 * For example, if I had a hard add time of 30 seconds, and a hard
 * use time of 15, the ipsa_hardexpiretime would be time of add, plus
 * 30 seconds. If I USE the SA such that time of first use plus 15
 * seconds would be earlier than the add time plus 30 seconds, then
 * ipsa_hardexpiretime would become this earlier time.
 */

/*
 * The following fields are directly reflected in PF_KEYv2 LIFETIME
 * extensions. The time_ts are in number-of-seconds, and the bytes
 */

/*
 * "Allocations" are a concept mentioned in PF_KEYv2. We do not
 * support them, except to record them per the PF_KEYv2 spec.
 */

/*
 * The source address can be INADDR_ANY, IN6ADDR_ANY, etc.
 *
 * Address families (per sys/socket.h) guide us. We could have just
 */

/* these can only be v4 */

/*
 * icmp type and code. *_end are to specify ranges. If only
 * a single value, * and *_end are the same value.
 */

/*
 * For the kernel crypto framework.
 */

/*
 * Input and output processing functions called from IP.
 */

/*
 * Soft reference to paired SA
 */

/* MLS boxen will probably need more fields in here. */

/*
 * ipsa_t address handling macros. We want these to be inlined, and deal
 * with 32-bit words to avoid bcmp/bcopy calls.
 *
 * Assume we only have AF_INET and AF_INET6 addresses for now. Also assume
 * that we have 32-bit alignment on everything.
 */

/*
 * If you have a pointer, you REFHOLD. If you are releasing a pointer, you
 * REFRELE. An ipsa_t that is newly inserted into the table should have
 * a reference count of 1 (for the table's pointer), plus 1 more for every
 * pointer that is referencing the ipsa_t.
 */

/*
 * Decrement the reference count on the SA.
 * In architectures, e.g. sun4u, where atomic_add_32_nv is just
 * a cas, we need to maintain the right memory barrier semantics
 * as that of mutex_exit, i.e. all the loads and stores should complete
 * before the cas is executed. membar_exit() does that here.
 */

/*
 * Security association hash macros and definitions. For now, assume the
 * IPsec model, and hash outbounds on destination address, and inbounds on
 */

/*
 * Syntactic sugar to find the appropriate hash bucket directly.
 */

#define	IPSA_F_HW	0x200000	/* hwaccel capable SA */

/* SA states are important for handling UPDATE PF_KEY messages. */

/*
 * NOTE: If the document authors do things right in defining algorithms, we'll
 * probably have flags for what all is here w.r.t. replay, ESP w/HMAC,
 */

/*
 * Protect each ipsa_t bucket (and linkage) with a lock.
 */

/*
 * ACQUIRE record. If AH/ESP/whatever cannot find an association for outbound
 * traffic, it sends up an SADB_ACQUIRE message and creates an ACQUIRE record.
 */

/* waiting for an ACQUIRE to finish. */

/* These two point inside the last mblk inserted. */

/* Cache these instead of point so we can mask off accordingly */

/* These may change per-acquire. */

/* icmp type and code of triggering packet (if applicable) */

/*
 * Kernel-generated sequence numbers will be no less than 0x80000000 to
 * forestall any cretinous problems with manual keying accidentally updating
 */

/*
 * ACQUIRE fanout. Protect each linkage with a lock.
 */

/*
 * A (network protocol, ipsec protocol) specific SADB.
 * (i.e., one each for {ah, esp} and {v4, v6}.
 *
 * Keep outbound assocs about the same as ire_cache entries for now.
 * One danger point, multiple SAs for a single dest will clog a bucket.
 * For the future, consider two-level hashing (2nd hash on IPC?), then probe.
 */

/*
 * A pair of SADB's (one for v4, one for v6), and related state (including
 */

/*
 * A pair of SA's for a single connection, the structure contains a
 * pointer to a SA and the SA it's paired with (opposite direction) as well
 * as the SA's respective hash buckets.
 */

/* Pointer to an all-zeroes IPv6 address. */

/*
 * Form unique id from ipsec_out_t
 *
 * This macro is used to generate unique ids (along with the addresses, both
 * inner and outer) for outbound datagrams that require unique SAs.
 *
 * N.B. casts and unsigned shift amounts discourage unwarranted
 * sign extension of dstport, proto, and iproto.
 */
/*
 * Unique ID is 64-bits allocated as follows (pardon my big-endian bias):
 *
 *   +---------------*-------+-------+--------------+---------------+
 *   | MUST-BE-ZERO  |<iprot>|<proto>| <src port>   | <dest port>   |
 *   +---------------*-------+-------+--------------+---------------+
 *
 * If there are inner addresses (tunnel mode) the ports come from the
 * inner addresses. If there are no inner addresses, the ports come from
 * the outer addresses (transport mode). Tunnel mode MUST have <proto>
 * set to either IPPROTO_ENCAP or IPPROTO_IPV6.
 */

/*
 * SA_UNIQUE_MASK generates a mask value to use when comparing the unique value
 * from a packet to an SA.
 */

(proto != 0) ? 0xff : 0, \
/*
 * Decompose unique id back into its original fields.
 */

/*
 * All functions that return an ipsa_t will return it with IPSA_REFHOLD()
 */

/* SA retrieval (inbound and outbound) */

/* SA table construction and destruction. */

/* SA insertion and deletion. */

/* Support routines to interface a keysock consumer to PF_KEY. */

/*
 * Hw accel-related calls (downloading sadb to driver)
 */

/*
 * Sub-set of the IPsec hardware acceleration capabilities functions
 */

/*
 * One IPsec -> IP linking routine, and two IPsec rate-limiting routines.
 */

/*
 * increment: number of bits from keysize to keysize
 * default: # of increments from min to default key len
 */

/*
 * Min, max, and default key sizes effectively supported
 * by the encryption framework.
 */

/*
 * Software crypto execution mode.
 */

/*
 * Context templates management.
 */

/*
 * (ipss)->ipsec_kstats is equal to (ipss)->ipsec_ksp->ks_data if
 * kstat_create_netstack for (ipss)->ipsec_ksp succeeds, but when it
 * fails, it will be NULL. Note this is done for all stack instances,
 * so it *could* fail; hence a non-NULL check is done for
 * IP_ESP_BUMP_STAT, IP_AH_BUMP_STAT and IP_ACQUIRE_STAT
 */

#endif	/* _INET_SADB_H */
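
Added example, not code from sadb.h: a C sketch of the unique-id layout drawn in the comment above, showing how a mask built the way the surviving `(proto != 0) ? 0xff : 0` fragment suggests lets a zero selector field act as a wildcard. The function names, the 8/8/16/16-bit field widths read off the diagram, and the masked comparison are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/*
 * Illustration only. Assumed layout, read off the diagram: upper 16 bits
 * zero, then iproto (8), proto (8), source port (16), destination port (16).
 */
uint64_t
uid_form(uint16_t sport, uint16_t dport, uint8_t proto, uint8_t iproto)
{
	/* Widen each field before shifting so nothing is sign-extended. */
	return (((uint64_t)iproto << 40U) | ((uint64_t)proto << 32U) |
	    ((uint64_t)sport << 16U) | (uint64_t)dport);
}

/* A zero selector field is a wildcard, so it contributes no mask bits. */
uint64_t
uid_mask(uint16_t sport, uint16_t dport, uint8_t proto, uint8_t iproto)
{
	return (uid_form((sport != 0) ? 0xffff : 0, (dport != 0) ? 0xffff : 0,
	    (proto != 0) ? 0xff : 0, (iproto != 0) ? 0xff : 0));
}

/* Compare a packet's unique id to an SA's id under the SA's mask. */
bool
uid_match(uint64_t sa_id, uint64_t sa_mask, uint64_t pkt_id)
{
	return ((pkt_id & sa_mask) == sa_id);
}

/* Decompose a unique id back into its original fields. */
void
uid_split(uint64_t id, uint16_t *sport, uint16_t *dport, uint8_t *proto,
    uint8_t *iproto)
{
	*iproto = (uint8_t)(id >> 40U);
	*proto = (uint8_t)(id >> 32U);
	*sport = (uint16_t)(id >> 16U);
	*dport = (uint16_t)id;
}
```

An SA keyed on TCP destination port 443 with the source port left at zero matches a packet from any source port, because the source-port bits are masked out before the comparison.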
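
Added example, not code from sadb.h: the REFHOLD/REFRELE rule and the barrier-before-decrement requirement from the reference-count comments, modeled with C11 atomics. `sa_t`, `sa_create`, `sa_refhold`, `sa_refrele` and `sa_freed` are hypothetical names, and release/acquire ordering stands in for membar_exit().

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for an SA; not the ipsa_t from this header. */
typedef struct sa {
	atomic_uint_fast32_t refcnt;
	uint32_t spi;
} sa_t;

int sa_freed;	/* counts frees so the behaviour can be checked */

/* New SA as if just inserted into a hash bucket: the table holds 1 ref. */
sa_t *
sa_create(uint32_t spi)
{
	sa_t *sa = malloc(sizeof (*sa));

	if (sa == NULL)
		return (NULL);
	atomic_init(&sa->refcnt, 1);
	sa->spi = spi;
	return (sa);
}

/* Take a reference after every pointer assignment. */
void
sa_refhold(sa_t *sa)
{
	atomic_fetch_add_explicit(&sa->refcnt, 1, memory_order_relaxed);
}

/*
 * Drop a reference when a pointer is released. Release ordering makes this
 * thread's earlier loads and stores to *sa complete before the decrement;
 * the acquire fence lets the thread that frees see every holder's writes.
 * Without both, the last holder could free memory another CPU still writes.
 */
void
sa_refrele(sa_t *sa)
{
	if (atomic_fetch_sub_explicit(&sa->refcnt, 1,
	    memory_order_release) == 1) {
		atomic_thread_fence(memory_order_acquire);
		free(sa);
		sa_freed++;
	}
}
```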