IPsec相關數據結構1

版權聲明：如有需要，可供轉載，但請註明出處：https://blog.csdn.net/City_of_skey/article/details/86562770

目錄

1、簡介

2、xfrm_state

3、xfrm_policy

4、xfrm_tmpl 

---

1、簡介

ipsec對數據加密是在內核IP層實現的，通過PF_INET類型套接字和應用層通信文件在/net/key目錄下，安全聯盟SA和安全策略SP通過xfrm數據庫實現。ESP、AH協議下/net/ipv4目錄下實現。加密算法、認證算法在crypto目錄中實現。

以下是各文件實現的功能：

net/xfrm目錄下的文件實現功能個：

xfrm_state.c：xfrm狀態管理

xfrm_policy.c：xfrm策略管理

xfrm_algo.c：算法管理

xfrm_hash.c：哈希表管理

xfrm_input.c：安全路徑處理，ipsec入包處理

xfrm_user.c：netlink接口的SA和SP處理

net/ipv4目錄下個文件功能：

ah4.c：ah協議處理

esp4.c：esp協議處理

ipcomp.c：ip壓縮協議處理

xfrm4_input.c：Ipv4層接受ipsec包處理

xfrm4_outp.c：接受ipv4的ipsec包處理

xfrm4_state.c：ipv4的SA處理

xfrm4_policy.c：ipv4的SP處理

xfrm4_tunnel.c：ipv4通道處理

xfrm4_mode_transport.c：傳輸模式處理

xfrm4_mode_tunnel.c：隧道模式處理

xfrm4_mode_beet.c：beet模式處理

 

2、xfrm_state

struct xfrm_state結構體管理SA狀態，各元素定義如下

/* Full description of state of transformer. */
struct xfrm_state {			/*SA狀態結構體*/
#ifdef CONFIG_NET_NS
	struct net		*xs_net;
#endif
	union {
		struct hlist_node	gclist;
		struct hlist_node	bydst;		/*目的地址哈希表*/
	};
	struct hlist_node	bysrc;		/*源地址哈希表*/
	struct hlist_node	byspi;		/*spi哈希表*/

	atomic_t		refcnt;
	spinlock_t		lock;

	struct xfrm_id		id;			/*id標誌，也就是協議、目的ip、spi三元組*/
	struct xfrm_selector	sel;		/*狀態選擇子*/
	struct xfrm_mark	mark;		/*狀態的標準值*/

	u32			genid;

	/* Key manager bits */
	struct xfrm_state_walk	km;

	/* Parameters of this state. */
	struct {
		u32		reqid;			/*請求id*/
		u8		mode;			/*模式，傳輸模式、隧道模式*/
		u8		replay_window;	/*回放窗口*/
		u8		aalgo, ealgo, calgo;/*認證、加密、壓縮算法id*/
		u8		flags;			/*一些標誌*/
		u16		family;			/*協議族*/
		xfrm_address_t	saddr;	/*源地址*/
		int		header_len;		/*添加的協議長度*/
		int		trailer_len;
	} props;						/*SA參數*/

	struct xfrm_lifetime_cfg lft;		/*生成時間配置*/

	/* Data for transformer */
	struct xfrm_algo_auth	*aalg;	/*哈希算法*/
	struct xfrm_algo	*ealg;		/*加密算法*/
	struct xfrm_algo	*calg;		/*壓縮算法*/
	struct xfrm_algo_aead	*aead;

	/* Data for encapsulator */
	struct xfrm_encap_tmpl	*encap;	/*NAT封裝信息*/

	/* Data for care-of address */
	xfrm_address_t	*coaddr;

	/* IPComp needs an IPIP tunnel for handling uncompressed packets */
	struct xfrm_state	*tunnel;		/*通道*/

	/* If a tunnel, number of users + 1 */
	atomic_t		tunnel_users;	/*通道數量*/

	/* State for replay detection */
	struct xfrm_replay_state replay;	/*回放檢測結構*/

	/* Replay detection state at the time we sent the last notification */
	struct xfrm_replay_state preplay;/*上次的回放結構*/

	/* internal flag that only holds state for delayed aevent at the
	 * moment
	*/
	u32			xflags;		/*標誌*/

	/* Replay detection notification settings */
	u32			replay_maxage;	/*回放最大時間間隔*/
	u32			replay_maxdiff;	/*回放最大差值*/

	/* Replay detection notification timer */
	struct timer_list	rtimer;	/*回放檢測定時器*/

	/* Statistics */
	struct xfrm_stats	stats;	/*統計值*/

	struct xfrm_lifetime_cur curlft;	/*當前定時器*/
	struct tasklet_hrtimer	mtimer;

	/* Last used time */
	unsigned long		lastused;

	/* Reference to data common to all the instances of this
	 * transformer. */
	const struct xfrm_type	*type;	/*協議 ESP、AH、IPCOMP*/
	struct xfrm_mode	*inner_mode;/*模式，隧道、傳輸*/
	struct xfrm_mode	*inner_mode_iaf;
	struct xfrm_mode	*outer_mode;

	/* Security context */
	struct xfrm_sec_ctx	*security;	/*安全上下文*/

	/* Private data of this transformer, format is opaque,
	 * interpreted by xfrm_type methods. */
	void			*data;		/*內部數據*/
};

3、xfrm_policy

struct xfrm_policy結構體定義了SP，各元素定義如下：

struct xfrm_policy {
#ifdef CONFIG_NET_NS
	struct net		*xp_net;
#endif
	struct hlist_node	bydst;/*按目的地址鏈表*/
	struct hlist_node	byidx;/*按id號鏈表*/

	/* This lock only affects elements except for entry. */
	rwlock_t		lock;
	atomic_t		refcnt;/*引用計數*/
	struct timer_list	timer;/*策略定時器*/

	struct flow_cache_object flo;
	atomic_t		genid;
	u32			priority;/*策略優先級*/
	u32			index;/*策略索引號*/
	struct xfrm_mark	mark;
	struct xfrm_selector	selector;/*選擇子*/
	struct xfrm_lifetime_cfg lft;		/*策略生命週期*/
	struct xfrm_lifetime_cur curlft;	/*當前生命期數據*/
	struct xfrm_policy_walk_entry walk;
	u8			type;	/*類型*/
	u8			action;	/*策略動作，接受、加密、阻塞*/
	u8			flags;	/*標誌*/
	u8			xfrm_nr;	
	u16			family;/*協議*/
	struct xfrm_sec_ctx	*security;/*安全上下文*/
	struct xfrm_tmpl       	xfrm_vec[XFRM_MAX_DEPTH];/*狀態模板*/
};

4、xfrm_tmpl 

struct xfrm_tmpl結構體是模板結構體，用於SA和SP的查詢

struct xfrm_tmpl {
/* id in template is interpreted as:
 * daddr - destination of tunnel, may be zero for transport mode.
 * spi   - zero to acquire spi. Not zero if spi is static, then
 *	   daddr must be fixed too.
 * proto - AH/ESP/IPCOMP
 */
	struct xfrm_id		id;		/*SA三元組:目的ip、協議、spi*/

/* Source address of tunnel. Ignored, if it is not a tunnel. */
	xfrm_address_t		saddr;	/*源地址*/

	unsigned short		encap_family;

	u32			reqid;	/*請求id*/	

/* Mode: transport, tunnel etc. */
	u8			mode;

/* Sharing mode: unique, this session only, this user only etc. */
	u8			share;

/* May skip this transfomration if no SA is found */
	u8			optional;

/* Skip aalgos/ealgos/calgos checks. */
	u8			allalgs;

/* Bit mask of algos allowed for acquisition */
	u32			aalgos;
	u32			ealgos;
	u32			calgos;
};