1 files changed, 3 insertions, 254 deletions
diff --git a/usr/src/uts/common/inet/ipsec_info.h b/usr/src/uts/common/inet/ipsec_info.h
index 3c7ede8405..c1bde9fcb7 100644
--- a/usr/src/uts/common/inet/ipsec_info.h
+++ b/usr/src/uts/common/inet/ipsec_info.h
@@ -34,22 +34,12 @@ extern "C" {
 
 /*
  * IPsec informational messages.  These are M_CTL STREAMS messages, which
- * convey IPsec information between various IP and related modules.  The
- * messages come in a few flavors:
- *
- *	* IPSEC_{IN,OUT}  -  These show what IPsec action have been taken (for
- *	  inbound datagrams), or need to be taken (for outbound datagrams).
- *	  They flow between AH/ESP and IP.
+ * convey IPsec information between various IP and related modules.  Most
+ * have been deprecated by the de-STREAMS-ing of TCP/IP.  What remains is:
  *
  *	* Keysock consumer interface  -  These messages are wrappers for
  *	  PF_KEY messages.  They flow between AH/ESP and keysock.
  *
- * Some of these messages include pointers such as a netstack_t pointer.
- * We do not explicitly reference count those with netstack_hold/rele,
- * since we depend on IP's ability to discard all of the IPSEC_{IN,OUT}
- * messages in order to handle the ipsa pointers.
- * We have special logic when doing asynch callouts to kEF for which we
- * verify netstack_t pointer using the netstackid_t.
  */
 
 /*
@@ -69,223 +59,11 @@ extern "C" {
  * M_CTL types for IPsec messages.  Remember, the values 0x40 - 0x4f and 0x60
  * - 0x6f are not to be used because of potential little-endian confusion.
  *
- * Offsets 1-25 (decimal) are in use, spread through this file.
+ * Offsets 3-7 (decimal) are in use, spread through this file.
  * Check for duplicates through the whole file before adding.
  */
 
 /*
- * IPSEC_{IN,OUT} policy expressors.
- */
-#define	IPSEC_IN	(IPSEC_M_CTL + 1)
-#define	IPSEC_OUT	(IPSEC_M_CTL + 2)
-#define	MAXSALTSIZE 8
-
-/*
- * For combined mode ciphers, store the crypto_mechanism_t in the
- * per-packet ipsec_in_t/ipsec_out_t structures. This is because the PARAMS
- * and nonce values change for each packet. For non-combined mode
- * ciphers, these values are constant for the life of the SA.
- */
-typedef struct ipsa_cm_mech_s {
-	crypto_mechanism_t combined_mech;
-	union {
-		CK_AES_CCM_PARAMS paramu_ccm;
-		CK_AES_GCM_PARAMS paramu_gcm;
-	} paramu;
-	uint8_t nonce[MAXSALTSIZE + sizeof (uint64_t)];
-#define	param_ulMACSize paramu.paramu_ccm.ulMACSize
-#define	param_ulNonceSize paramu.paramu_ccm.ipsa_ulNonceSize
-#define	param_ulAuthDataSize paramu.paramu_ccm.ipsa_ulAuthDataSize
-#define	param_ulDataSize paramu.paramu_ccm.ipsa_ulDataSize
-#define	param_nonce paramu.paramu_ccm.nonce
-#define	param_authData paramu.paramu_ccm.authData
-#define	param_pIv paramu.paramu_gcm.ipsa_pIv
-#define	param_ulIvLen paramu.paramu_gcm.ulIvLen
-#define	param_ulIvBits paramu.paramu_gcm.ulIvBits
-#define	param_pAAD paramu.paramu_gcm.pAAD
-#define	param_ulAADLen paramu.paramu_gcm.ulAADLen
-#define	param_ulTagBits paramu.paramu_gcm.ulTagBits
-} ipsa_cm_mech_t;
-
-/*
- * This is used for communication between IP and IPSEC (AH/ESP)
- * for Inbound datagrams. IPSEC_IN is allocated by IP before IPSEC
- * processing begins. On return spi fields are initialized so that
- * IP can locate the security associations later on for doing policy
- * checks. For loopback case, IPSEC processing is not done. But the
- * attributes of the security are reflected in <foo>_done fields below.
- * The code in policy check infers that it is a loopback case and
- * would not try to get the associations.
- *
- * The comment below (and for other netstack_t references) refers
- * to the fact that we only do netstack_hold in particular cases,
- * such as the references from open streams (ill_t and conn_t's
- * pointers). Internally within IP we rely on IP's ability to cleanup e.g.
- * ire_t's when an ill goes away.
- */
-typedef struct ipsec_in_s {
-	uint32_t ipsec_in_type;
-	uint32_t ipsec_in_len;
-	frtn_t ipsec_in_frtn;		/* for esballoc() callback */
-	struct ipsa_s 	*ipsec_in_ah_sa;	/* SA for AH */
-	struct ipsa_s 	*ipsec_in_esp_sa;	/* SA for ESP */
-
-	struct ipsec_policy_head_s *ipsec_in_policy;
-	struct ipsec_action_s *ipsec_in_action; /* how we made it in.. */
-	unsigned int
-		ipsec_in_secure : 1,	/* Is the message attached secure ? */
-		ipsec_in_v4 : 1,	/* Is this an ipv4 packet ? */
-		ipsec_in_loopback : 1,	/* Is this a loopback request ? */
-		ipsec_in_dont_check : 1, /* Used by TCP to avoid policy check */
-
-		ipsec_in_decaps : 1,	/* Was this packet decapsulated from */
-					/* a matching inner packet? */
-		ipsec_in_accelerated : 1, /* hardware accelerated packet */
-
-		ipsec_in_icmp_loopback : 1, /* Looped-back ICMP packet, */
-					    /* all should trust this. */
-		ipsec_in_pad_bits : 25;
-
-	int    ipsec_in_ill_index;	/* interface on which ipha_dst was */
-					/* configured when pkt was recv'd  */
-	int    ipsec_in_rill_index;	/* interface on which pkt was recv'd */
-	uint32_t ipsec_in_esp_udp_ports;	/* For an ESP-in-UDP packet. */
-	mblk_t *ipsec_in_da;		/* data attr. for accelerated pkts */
-
-	/*
-	 * For call to the kernel crypto framework. State needed during
-	 * the execution of a crypto request. Storing these here
-	 * allow us to avoid a separate allocation before calling the
-	 * crypto framework.
-	 */
-	size_t ipsec_in_skip_len;		/* len to skip for AH auth */
-	crypto_data_t ipsec_in_crypto_data;	/* single op crypto data */
-	crypto_dual_data_t ipsec_in_crypto_dual_data; /* for dual ops */
-	crypto_data_t ipsec_in_crypto_mac;	/* to store the MAC */
-
-	zoneid_t ipsec_in_zoneid;	/* target zone for the datagram */
-	netstack_t *ipsec_in_ns;	/* Does not have a netstack_hold */
-	ipsa_cm_mech_t ipsec_in_cmm;	/* PARAMS for Combined mode mechs */
-	netstackid_t ipsec_in_stackid;	/* Used while waing for kEF callback */
-} ipsec_in_t;
-
-#define	IPSECOUT_MAX_ADDRLEN 4	/* Max addr len. (in 32-bit words) */
-/*
- * This is used for communication between IP and IPSEC (AH/ESP)
- * for Outbound datagrams. IPSEC_OUT is allocated by IP before IPSEC
- * processing begins. On return SA fields are initialized so that
- * IP can locate the security associations later on for doing policy
- * checks.  The policy and the actions associated with this packet are
- * stored in the ipsec_out_policy and ipsec_out_act fields respectively.
- * IPSEC_OUT is also used to carry non-ipsec information when conn is
- * absent or the conn information is lost across the calls to ARP.
- * example: message from ARP or from ICMP error routines.
- */
-typedef struct ipsec_out_s {
-	uint32_t ipsec_out_type;
-	uint32_t ipsec_out_len;
-	frtn_t ipsec_out_frtn;		/* for esballoc() callback */
-	struct ipsec_policy_head_s *ipsec_out_polhead;
-	ipsec_latch_t		*ipsec_out_latch;
-	struct ipsec_policy_s 	*ipsec_out_policy; /* why are we here? */
-	struct ipsec_action_s	*ipsec_out_act;	/* what do we want? */
-	struct ipsa_s	*ipsec_out_ah_sa; /* AH SA used for the packet */
-	struct ipsa_s	*ipsec_out_esp_sa; /* ESP SA used for the packet */
-	/*
-	 * NOTE: "Source" and "Dest" are w.r.t. outbound datagrams.  Ports can
-	 *	 be zero, and the protocol number is needed to make the ports
-	 *	 significant.
-	 */
-	uint16_t ipsec_out_src_port;	/* Source port number of d-gram. */
-	uint16_t ipsec_out_dst_port;	/* Destination port number of d-gram. */
-	uint8_t  ipsec_out_icmp_type;	/* ICMP type of d-gram */
-	uint8_t  ipsec_out_icmp_code;	/* ICMP code of d-gram */
-
-	sa_family_t ipsec_out_inaf;	/* Inner address family */
-	uint32_t ipsec_out_insrc[IPSECOUT_MAX_ADDRLEN];	/* Inner src address */
-	uint32_t ipsec_out_indst[IPSECOUT_MAX_ADDRLEN];	/* Inner dest address */
-	uint8_t  ipsec_out_insrcpfx;	/* Inner source prefix */
-	uint8_t  ipsec_out_indstpfx;	/* Inner destination prefix */
-
-	uint_t ipsec_out_ill_index;	/* ill index used for multicast etc. */
-	uint8_t ipsec_out_proto;	/* IP protocol number for d-gram. */
-	unsigned int
-		ipsec_out_tunnel : 1,	/* Tunnel mode? */
-		ipsec_out_use_global_policy : 1, /* Inherit global policy ? */
-		ipsec_out_secure : 1,	/* Is this secure ? */
-		ipsec_out_proc_begin : 1, /* IPSEC processing begun */
-		/*
-		 * Following five values reflects the values stored
-		 * in conn.
-		 */
-		ipsec_out_multicast_loop : 1,
-		ipsec_out_dontroute : 1,
-		ipsec_out_reserved : 1,
-		ipsec_out_v4 : 1,
-
-		ipsec_out_unspec_src : 1,	/* IPv6 ip6i_t info */
-		ipsec_out_reachable : 1, 	/* NDP reachability info */
-		ipsec_out_failed: 1,
-		ipsec_out_se_done: 1,
-
-		ipsec_out_esp_done: 1,
-		ipsec_out_ah_done: 1,
-		ipsec_out_need_policy: 1,
-
-		/*
-		 * To indicate that packet must be accelerated, i.e.
-		 * ICV or encryption performed, by Provider.
-		 */
-		ipsec_out_accelerated : 1,
-		/*
-		 * Used by IP to tell IPsec that the outbound ill for this
-		 * packet supports acceleration of the AH or ESP prototocol.
-		 * If set, ipsec_out_capab_ill_index contains the
-		 * index of the ill.
-		 */
-		ipsec_out_is_capab_ill : 1,
-		/*
-		 * Indicates ICMP message destined for self.  These
-		 * messages are to be trusted by all receivers.
-		 */
-		ipsec_out_icmp_loopback: 1,
-		ipsec_out_ip_nexthop : 1,	/* IP_NEXTHOP option is set */
-		ipsec_out_pad_bits : 13;
-	cred_t	*ipsec_out_cred;
-	uint32_t ipsec_out_capab_ill_index;
-
-	/*
-	 * For call to the kernel crypto framework. State needed during
-	 * the execution of a crypto request. Storing these here
-	 * allow us to avoid a separate allocation before calling the
-	 * crypto framework.
-	 */
-	size_t ipsec_out_skip_len;		/* len to skip for AH auth */
-	crypto_data_t ipsec_out_crypto_data;	/* single op crypto data */
-	crypto_dual_data_t ipsec_out_crypto_dual_data; /* for dual ops */
-	crypto_data_t ipsec_out_crypto_mac;	/* to store the MAC */
-
-	zoneid_t ipsec_out_zoneid;	/* source zone for the datagram */
-	in6_addr_t ipsec_out_nexthop_v6;	/* nexthop IP address */
-#define	ipsec_out_nexthop_addr V4_PART_OF_V6(ipsec_out_nexthop_v6)
-	netstack_t *ipsec_out_ns;	/* Does not have a netstack_hold */
-	netstackid_t ipsec_out_stackid;	/* Used while waing for kEF callback */
-	ipsa_cm_mech_t ipsec_out_cmm;	/* PARAMS for Combined mode mechs */
-} ipsec_out_t;
-
-/*
- * This is used to mark the ipsec_out_t *req* fields
- * when the operation is done without affecting the
- * requests.
- */
-#define	IPSEC_REQ_DONE		0x80000000
-/*
- * Operation could not be performed by the AH/ESP
- * module.
- */
-#define	IPSEC_REQ_FAILED	0x40000000
-
-/*
  * Keysock consumer interface.
  *
  * The driver/module keysock (which is a driver to PF_KEY sockets, but is
@@ -368,32 +146,6 @@ typedef struct keysock_out_err_s {
 } keysock_out_err_t;
 
 /*
- * M_CTL message type for sending inbound pkt information between IP & ULP.
- * These are _not_ related to IPsec in any way, but are here so that there is
- * one place where all these values are defined which makes it easier to track.
- * The choice of this value has the same rationale as explained above.
- */
-#define	IN_PKTINFO		(IPSEC_M_CTL + 24)
-
-
-/*
- * IPSEC_CTL messages are used by IPsec to send control type requests
- * to IP. Such a control message is currently used by IPsec to request
- * that IP send the contents of an IPsec SA or the entire SADB to
- * every IPsec hardware acceleration capable provider.
- */
-
-#define	IPSEC_CTL		(IPSEC_M_CTL + 25)
-
-typedef struct ipsec_ctl_s {
-	uint32_t ipsec_ctl_type;
-	uint32_t ipsec_ctl_len;
-	uint_t ipsec_ctl_sa_type;
-	void *ipsec_ctl_sa;
-} ipsec_ctl_t;
-
-
-/*
  * All IPsec informational messages are placed into the ipsec_info_t
  * union, so that allocation can be done once, and IPsec informational
  * messages can be recycled.
@@ -403,13 +155,10 @@ typedef union ipsec_info_u {
 		uint32_t ipsec_allu_type;
 		uint32_t ipsec_allu_len;	/* In bytes */
 	} ipsec_allu;
-	ipsec_in_t ipsec_in;
-	ipsec_out_t ipsec_out;
 	keysock_hello_ack_t keysock_hello_ack;
 	keysock_in_t keysock_in;
 	keysock_out_t keysock_out;
 	keysock_out_err_t keysock_out_err;
-	ipsec_ctl_t ipsec_ctl;
 } ipsec_info_t;
 #define	ipsec_info_type ipsec_allu.ipsec_allu_type
 #define	ipsec_info_len ipsec_allu.ipsec_allu_len