/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved. * Copyright 2017 Joyent, Inc. */ #ifndef _INET_IPSEC_IMPL_H #define _INET_IPSEC_IMPL_H #include #include #ifdef __cplusplus extern "C" { #endif #define IPSEC_CONF_SRC_ADDRESS 0 /* Source Address */ #define IPSEC_CONF_SRC_PORT 1 /* Source Port */ #define IPSEC_CONF_DST_ADDRESS 2 /* Dest Address */ #define IPSEC_CONF_DST_PORT 3 /* Dest Port */ #define IPSEC_CONF_SRC_MASK 4 /* Source Address Mask */ #define IPSEC_CONF_DST_MASK 5 /* Destination Address Mask */ #define IPSEC_CONF_ULP 6 /* Upper layer Port */ #define IPSEC_CONF_IPSEC_PROT 7 /* AH or ESP or AH_ESP */ #define IPSEC_CONF_IPSEC_AALGS 8 /* Auth Algorithms - MD5 etc. */ #define IPSEC_CONF_IPSEC_EALGS 9 /* Encr Algorithms - DES etc. */ #define IPSEC_CONF_IPSEC_EAALGS 10 /* Encr Algorithms - MD5 etc. */ #define IPSEC_CONF_IPSEC_SA 11 /* Shared or unique SA */ #define IPSEC_CONF_IPSEC_DIR 12 /* Direction of traffic */ #define IPSEC_CONF_ICMP_TYPE 13 /* ICMP type */ #define IPSEC_CONF_ICMP_CODE 14 /* ICMP code */ #define IPSEC_CONF_NEGOTIATE 15 /* Negotiation */ #define IPSEC_CONF_TUNNEL 16 /* Tunnel */ /* Type of an entry */ #define IPSEC_NTYPES 0x02 #define IPSEC_TYPE_OUTBOUND 0x00 #define IPSEC_TYPE_INBOUND 0x01 /* Policy */ #define IPSEC_POLICY_APPLY 0x01 #define IPSEC_POLICY_DISCARD 0x02 #define IPSEC_POLICY_BYPASS 0x03 /* Shared or unique SA */ #define IPSEC_SHARED_SA 0x01 #define IPSEC_UNIQUE_SA 0x02 /* IPsec protocols and combinations */ #define IPSEC_AH_ONLY 0x01 #define IPSEC_ESP_ONLY 0x02 #define IPSEC_AH_ESP 0x03 /* * Internally defined "any" algorithm. * Move to PF_KEY v3 when that RFC is released. */ #define SADB_AALG_ANY 255 #ifdef _KERNEL #include #include #include #include #include #include #include #include #include #include #include /* * Maximum number of authentication algorithms (can be indexed by one byte * per PF_KEY and the IKE IPsec DOI. */ #define MAX_AALGS 256 /* * IPsec task queue constants. */ #define IPSEC_TASKQ_MIN 10 #define IPSEC_TASKQ_MAX 20 /* * So we can access IPsec global variables that live in keysock.c. */ extern boolean_t keysock_extended_reg(netstack_t *); extern uint32_t keysock_next_seq(netstack_t *); /* Common-code for spdsock and keysock. */ extern void keysock_spdsock_wput_iocdata(queue_t *, mblk_t *, sa_family_t); /* * Locking for ipsec policy rules: * * policy heads: system policy is static; per-conn polheads are dynamic, * and refcounted (and inherited); use atomic refcounts and "don't let * go with both hands". * * policy: refcounted; references from polhead, ipsec_out * * actions: refcounted; referenced from: action hash table, policy, ipsec_out * selectors: refcounted; referenced from: selector hash table, policy. */ /* * the following are inspired by, but not directly based on, * some of the sys/queue.h type-safe pseudo-polymorphic macros * found in BSD. * * XXX If we use these more generally, we'll have to make the names * less generic (HASH_* will probably clobber other namespaces). */ #define HASH_LOCK(table, hash) \ mutex_enter(&(table)[hash].hash_lock) #define HASH_UNLOCK(table, hash) \ mutex_exit(&(table)[hash].hash_lock) #define HASH_LOCKED(table, hash) \ MUTEX_HELD(&(table)[hash].hash_lock) #define HASH_ITERATE(var, field, table, hash) \ var = table[hash].hash_head; var != NULL; var = var->field.hash_next #define HASH_NEXT(var, field) \ (var)->field.hash_next #define HASH_INSERT(var, field, table, hash) \ { \ ASSERT(HASH_LOCKED(table, hash)); \ (var)->field.hash_next = (table)[hash].hash_head; \ (var)->field.hash_pp = &(table)[hash].hash_head; \ (table)[hash].hash_head = var; \ if ((var)->field.hash_next != NULL) \ (var)->field.hash_next->field.hash_pp = \ &((var)->field.hash_next); \ } #define HASH_UNCHAIN(var, field, table, hash) \ { \ ASSERT(MUTEX_HELD(&(table)[hash].hash_lock)); \ HASHLIST_UNCHAIN(var, field); \ } #define HASHLIST_INSERT(var, field, head) \ { \ (var)->field.hash_next = head; \ (var)->field.hash_pp = &(head); \ head = var; \ if ((var)->field.hash_next != NULL) \ (var)->field.hash_next->field.hash_pp = \ &((var)->field.hash_next); \ } #define HASHLIST_UNCHAIN(var, field) \ { \ *var->field.hash_pp = var->field.hash_next; \ if (var->field.hash_next) \ var->field.hash_next->field.hash_pp = \ var->field.hash_pp; \ HASH_NULL(var, field); \ } #define HASH_NULL(var, field) \ { \ var->field.hash_next = NULL; \ var->field.hash_pp = NULL; \ } #define HASH_LINK(fieldname, type) \ struct { \ type *hash_next; \ type **hash_pp; \ } fieldname #define HASH_HEAD(tag) \ struct { \ struct tag *hash_head; \ kmutex_t hash_lock; \ } typedef struct ipsec_policy_s ipsec_policy_t; typedef HASH_HEAD(ipsec_policy_s) ipsec_policy_hash_t; /* * When adding new fields to ipsec_prot_t, make sure to update * ipsec_in_to_out_action() as well as other code in spd.c */ typedef struct ipsec_prot { unsigned int ipp_use_ah : 1, ipp_use_esp : 1, ipp_use_se : 1, ipp_use_unique : 1, ipp_use_espa : 1, ipp_pad : 27; uint8_t ipp_auth_alg; /* DOI number */ uint8_t ipp_encr_alg; /* DOI number */ uint8_t ipp_esp_auth_alg; /* DOI number */ uint16_t ipp_ah_minbits; /* AH: min keylen */ uint16_t ipp_ah_maxbits; /* AH: max keylen */ uint16_t ipp_espe_minbits; /* ESP encr: min keylen */ uint16_t ipp_espe_maxbits; /* ESP encr: max keylen */ uint16_t ipp_espa_minbits; /* ESP auth: min keylen */ uint16_t ipp_espa_maxbits; /* ESP auth: max keylen */ uint32_t ipp_km_proto; /* key mgmt protocol */ uint64_t ipp_km_cookie; /* key mgmt cookie */ uint32_t ipp_replay_depth; /* replay window */ /* XXX add lifetimes */ } ipsec_prot_t; #define IPSEC_MAX_KEYBITS (0xffff) /* * An individual policy action, possibly a member of a chain. * * Action chains may be shared between multiple policy rules. * * With one exception (IPSEC_POLICY_LOG), a chain consists of an * ordered list of alternative ways to handle a packet. * * All actions are also "interned" into a hash table (to allow * multiple rules with the same action chain to share one copy in * memory). */ typedef struct ipsec_act { uint8_t ipa_type; uint8_t ipa_log; union { ipsec_prot_t ipau_apply; uint8_t ipau_reject_type; uint32_t ipau_resolve_id; /* magic cookie */ uint8_t ipau_log_type; } ipa_u; #define ipa_apply ipa_u.ipau_apply #define ipa_reject_type ipa_u.ipau_reject_type #define ipa_log_type ipa_u.ipau_log_type #define ipa_resolve_type ipa_u.ipau_resolve_type } ipsec_act_t; #define IPSEC_ACT_APPLY 0x01 /* match IPSEC_POLICY_APPLY */ #define IPSEC_ACT_DISCARD 0x02 /* match IPSEC_POLICY_DISCARD */ #define IPSEC_ACT_BYPASS 0x03 /* match IPSEC_POLICY_BYPASS */ #define IPSEC_ACT_REJECT 0x04 #define IPSEC_ACT_CLEAR 0x05 typedef struct ipsec_action_s { HASH_LINK(ipa_hash, struct ipsec_action_s); struct ipsec_action_s *ipa_next; /* next alternative */ uint32_t ipa_refs; /* refcount */ ipsec_act_t ipa_act; /* * The following bits are equivalent to an OR of bits included in the * ipau_apply fields of this and subsequent actions in an * action chain; this is an optimization for the sake of * ipsec_out_process() in ip.c and a few other places. */ unsigned int ipa_hval: 8, ipa_allow_clear:1, /* rule allows cleartext? */ ipa_want_ah:1, /* an action wants ah */ ipa_want_esp:1, /* an action wants esp */ ipa_want_se:1, /* an action wants se */ ipa_want_unique:1, /* want unique sa's */ ipa_pad:19; uint32_t ipa_ovhd; /* per-packet encap ovhd */ } ipsec_action_t; #define IPACT_REFHOLD(ipa) { \ atomic_inc_32(&(ipa)->ipa_refs); \ ASSERT((ipa)->ipa_refs != 0); \ } #define IPACT_REFRELE(ipa) { \ ASSERT((ipa)->ipa_refs != 0); \ membar_exit(); \ if (atomic_dec_32_nv(&(ipa)->ipa_refs) == 0) \ ipsec_action_free(ipa); \ (ipa) = 0; \ } /* * For now, use a trivially sized hash table for actions. * In the future we can add the structure canonicalization necessary * to get the hash function to behave correctly.. */ #define IPSEC_ACTION_HASH_SIZE 1 /* * Merged address structure, for cheezy address-family independent * matches in policy code. */ typedef union ipsec_addr { in6_addr_t ipsad_v6; in_addr_t ipsad_v4; } ipsec_addr_t; /* * ipsec selector set, as used by the kernel policy structures. * Note that that we specify "local" and "remote" * rather than "source" and "destination", which allows the selectors * for symmetric policy rules to be shared between inbound and * outbound rules. * * "local" means "destination" on inbound, and "source" on outbound. * "remote" means "source" on inbound, and "destination" on outbound. * XXX if we add a fifth policy enforcement point for forwarded packets, * what do we do? * * The ipsl_valid mask is not done as a bitfield; this is so we * can use "ffs()" to find the "most interesting" valid tag. * * XXX should we have multiple types for space-conservation reasons? * (v4 vs v6? prefix vs. range)? */ typedef struct ipsec_selkey { uint32_t ipsl_valid; /* bitmask of valid entries */ #define IPSL_REMOTE_ADDR 0x00000001 #define IPSL_LOCAL_ADDR 0x00000002 #define IPSL_REMOTE_PORT 0x00000004 #define IPSL_LOCAL_PORT 0x00000008 #define IPSL_PROTOCOL 0x00000010 #define IPSL_ICMP_TYPE 0x00000020 #define IPSL_ICMP_CODE 0x00000040 #define IPSL_IPV6 0x00000080 #define IPSL_IPV4 0x00000100 #define IPSL_WILDCARD 0x0000007f ipsec_addr_t ipsl_local; ipsec_addr_t ipsl_remote; uint16_t ipsl_lport; uint16_t ipsl_rport; /* * ICMP type and code selectors. Both have an end value to * specify ranges, or * and *_end are equal for a single * value */ uint8_t ipsl_icmp_type; uint8_t ipsl_icmp_type_end; uint8_t ipsl_icmp_code; uint8_t ipsl_icmp_code_end; uint8_t ipsl_proto; /* ip payload type */ uint8_t ipsl_local_pfxlen; /* #bits of prefix */ uint8_t ipsl_remote_pfxlen; /* #bits of prefix */ uint8_t ipsl_mbz; /* Insert new elements above this line */ uint32_t ipsl_pol_hval; uint32_t ipsl_sel_hval; } ipsec_selkey_t; typedef struct ipsec_sel { HASH_LINK(ipsl_hash, struct ipsec_sel); uint32_t ipsl_refs; /* # refs to this sel */ ipsec_selkey_t ipsl_key; /* actual selector guts */ } ipsec_sel_t; /* * One policy rule. This will be linked into a single hash chain bucket in * the parent rule structure. If the selector is simple enough to * allow hashing, it gets filed under ipsec_policy_root_t->ipr_hash. * Otherwise it goes onto a linked list in ipsec_policy_root_t->ipr_nonhash[af] * * In addition, we file the rule into an avl tree keyed by the rule index. * (Duplicate rules are permitted; the comparison function breaks ties). */ struct ipsec_policy_s { HASH_LINK(ipsp_hash, struct ipsec_policy_s); avl_node_t ipsp_byid; uint64_t ipsp_index; /* unique id */ uint32_t ipsp_prio; /* rule priority */ uint32_t ipsp_refs; ipsec_sel_t *ipsp_sel; /* selector set (shared) */ ipsec_action_t *ipsp_act; /* action (may be shared) */ netstack_t *ipsp_netstack; /* No netstack_hold */ }; #define IPPOL_REFHOLD(ipp) { \ atomic_inc_32(&(ipp)->ipsp_refs); \ ASSERT((ipp)->ipsp_refs != 0); \ } #define IPPOL_REFRELE(ipp) { \ ASSERT((ipp)->ipsp_refs != 0); \ membar_exit(); \ if (atomic_dec_32_nv(&(ipp)->ipsp_refs) == 0) \ ipsec_policy_free(ipp); \ (ipp) = 0; \ } #define IPPOL_UNCHAIN(php, ip) \ HASHLIST_UNCHAIN((ip), ipsp_hash); \ avl_remove(&(php)->iph_rulebyid, (ip)); \ IPPOL_REFRELE(ip); /* * Policy ruleset. One per (protocol * direction) for system policy. */ #define IPSEC_AF_V4 0 #define IPSEC_AF_V6 1 #define IPSEC_NAF 2 typedef struct ipsec_policy_root_s { ipsec_policy_t *ipr_nonhash[IPSEC_NAF]; int ipr_nchains; ipsec_policy_hash_t *ipr_hash; } ipsec_policy_root_t; /* * Policy head. One for system policy; there may also be one present * on ill_t's with interface-specific policy, as well as one present * for sockets with per-socket policy allocated. */ typedef struct ipsec_policy_head_s { uint32_t iph_refs; krwlock_t iph_lock; uint64_t iph_gen; /* generation number */ ipsec_policy_root_t iph_root[IPSEC_NTYPES]; avl_tree_t iph_rulebyid; } ipsec_policy_head_t; #define IPPH_REFHOLD(iph) { \ atomic_inc_32(&(iph)->iph_refs); \ ASSERT((iph)->iph_refs != 0); \ } #define IPPH_REFRELE(iph, ns) { \ ASSERT((iph)->iph_refs != 0); \ membar_exit(); \ if (atomic_dec_32_nv(&(iph)->iph_refs) == 0) \ ipsec_polhead_free(iph, ns); \ (iph) = 0; \ } /* * IPsec fragment related structures */ typedef struct ipsec_fragcache_entry { struct ipsec_fragcache_entry *itpfe_next; /* hash list chain */ mblk_t *itpfe_fraglist; /* list of fragments */ time_t itpfe_exp; /* time when entry is stale */ int itpfe_depth; /* # of fragments in list */ ipsec_addr_t itpfe_frag_src; ipsec_addr_t itpfe_frag_dst; #define itpfe_src itpfe_frag_src.ipsad_v4 #define itpfe_src6 itpfe_frag_src.ipsad_v6 #define itpfe_dst itpfe_frag_dst.ipsad_v4 #define itpfe_dst6 itpfe_frag_dst.ipsad_v6 uint32_t itpfe_id; /* IP datagram ID */ uint8_t itpfe_proto; /* IP Protocol */ uint8_t itpfe_last; /* Last packet */ } ipsec_fragcache_entry_t; typedef struct ipsec_fragcache { kmutex_t itpf_lock; struct ipsec_fragcache_entry **itpf_ptr; struct ipsec_fragcache_entry *itpf_freelist; time_t itpf_expire_hint; /* time when oldest entry is stale */ } ipsec_fragcache_t; /* * Tunnel policies. We keep a minature of the transport-mode/global policy * per each tunnel instance. * * People who need both an itp held down AND one of its polheads need to * first lock the itp, THEN the polhead, otherwise deadlock WILL occur. */ typedef struct ipsec_tun_pol_s { avl_node_t itp_node; kmutex_t itp_lock; uint64_t itp_next_policy_index; ipsec_policy_head_t *itp_policy; ipsec_policy_head_t *itp_inactive; uint32_t itp_flags; uint32_t itp_refcnt; char itp_name[LIFNAMSIZ]; ipsec_fragcache_t itp_fragcache; } ipsec_tun_pol_t; /* NOTE - Callers (tun code) synchronize their own instances for these flags. */ #define ITPF_P_ACTIVE 0x1 /* Are we using IPsec right now? */ #define ITPF_P_TUNNEL 0x2 /* Negotiate tunnel-mode */ /* Optimization -> Do we have per-port security entries in this polhead? */ #define ITPF_P_PER_PORT_SECURITY 0x4 #define ITPF_PFLAGS 0x7 #define ITPF_SHIFT 3 #define ITPF_I_ACTIVE 0x8 /* Is the inactive using IPsec right now? */ #define ITPF_I_TUNNEL 0x10 /* Negotiate tunnel-mode (on inactive) */ /* Optimization -> Do we have per-port security entries in this polhead? */ #define ITPF_I_PER_PORT_SECURITY 0x20 #define ITPF_IFLAGS 0x38 /* NOTE: f cannot be an expression. */ #define ITPF_CLONE(f) (f) = (((f) & ITPF_PFLAGS) | \ (((f) & ITPF_PFLAGS) << ITPF_SHIFT)); #define ITPF_SWAP(f) (f) = ((((f) & ITPF_PFLAGS) << ITPF_SHIFT) | \ (((f) & ITPF_IFLAGS) >> ITPF_SHIFT)) #define ITP_P_ISACTIVE(itp, iph) ((itp)->itp_flags & \ (((itp)->itp_policy == (iph)) ? ITPF_P_ACTIVE : ITPF_I_ACTIVE)) #define ITP_P_ISTUNNEL(itp, iph) ((itp)->itp_flags & \ (((itp)->itp_policy == (iph)) ? ITPF_P_TUNNEL : ITPF_I_TUNNEL)) #define ITP_P_ISPERPORT(itp, iph) ((itp)->itp_flags & \ (((itp)->itp_policy == (iph)) ? ITPF_P_PER_PORT_SECURITY : \ ITPF_I_PER_PORT_SECURITY)) #define ITP_REFHOLD(itp) { \ atomic_inc_32(&((itp)->itp_refcnt)); \ ASSERT((itp)->itp_refcnt != 0); \ } #define ITP_REFRELE(itp, ns) { \ ASSERT((itp)->itp_refcnt != 0); \ membar_exit(); \ if (atomic_dec_32_nv(&((itp)->itp_refcnt)) == 0) \ itp_free(itp, ns); \ } /* * Certificate identity. */ typedef struct ipsid_s { struct ipsid_s *ipsid_next; struct ipsid_s **ipsid_ptpn; uint32_t ipsid_refcnt; int ipsid_type; /* id type */ char *ipsid_cid; /* certificate id string */ } ipsid_t; /* * ipsid_t reference hold/release macros, just like ipsa versions. */ #define IPSID_REFHOLD(ipsid) { \ atomic_inc_32(&(ipsid)->ipsid_refcnt); \ ASSERT((ipsid)->ipsid_refcnt != 0); \ } /* * Decrement the reference count on the ID. Someone else will clean up * after us later. */ #define IPSID_REFRELE(ipsid) { \ membar_exit(); \ atomic_dec_32(&(ipsid)->ipsid_refcnt); \ } /* * Following are the estimates of what the maximum AH and ESP header size * would be. This is used to tell the upper layer the right value of MSS * it should use without consulting AH/ESP. If the size is something * different from this, ULP will learn the right one through * ICMP_FRAGMENTATION_NEEDED messages generated locally. * * AH : 12 bytes of constant header + 32 bytes of ICV checksum (SHA-512). */ #define IPSEC_MAX_AH_HDR_SIZE (44) /* * ESP : Is a bit more complex... * * A system of one inequality and one equation MUST be solved for proper ESP * overhead. The inequality is: * * MTU - sizeof (IP header + options) >= * sizeof (esph_t) + sizeof (IV or ctr) + data-size + 2 + ICV * * IV or counter is almost always the cipher's block size. The equation is: * * data-size % block-size = (block-size - 2) * * so we can put as much data into the datagram as possible. If we are * pessimistic and include our largest overhead cipher (AES) and hash * (SHA-512), and assume 1500-byte MTU minus IPv4 overhead of 20 bytes, we get: * * 1480 >= 8 + 16 + data-size + 2 + 32 * 1480 >= 58 + data-size * 1422 >= data-size, 1422 % 16 = 14, so 58 is the overhead! * * But, let's re-run the numbers with the same algorithms, but with an IPv6 * header: * * 1460 >= 58 + data-size * 1402 >= data-size, 1402 % 16 = 10, meaning shrink to 1390 to get 14, * * which means the overhead is now 70. * * Hmmm... IPv4 headers can never be anything other than multiples of 4-bytes, * and IPv6 ones can never be anything other than multiples of 8-bytes. We've * seen overheads of 58 and 70. 58 % 16 == 10, and 70 % 16 == 6. IPv4 could * force us to have 62 ( % 16 == 14) or 66 ( % 16 == 2), or IPv6 could force us * to have 78 ( % 16 = 14). Let's compute IPv6 + 8-bytes of options: * * 1452 >= 58 + data-size * 1394 >= data-size, 1394 % 16 = 2, meaning shrink to 1390 to get 14, * * Aha! The "ESP overhead" shrinks to 62 (70 - 8). This is good. Let's try * IPv4 + 8 bytes of IPv4 options: * * 1472 >= 58 + data-size * 1414 >= data-size, 1414 % 16 = 6, meaning shrink to 1406, * * meaning 66 is the overhead. Let's try 12 bytes: * * 1468 >= 58 + data-size * 1410 >= data-size, 1410 % 16 = 2, meaning also shrink to 1406, * * meaning 62 is the overhead. How about 16 bytes? * * 1464 >= 58 + data-size * 1406 >= data-size, 1402 % 16 = 14, which is great! * * this means 58 is the overhead. If I wrap and add 20 bytes, it looks just * like IPv6's 70 bytes. If I add 24, we go back to 66 bytes. * * So picking 70 is a sensible, conservative default. Optimal calculations * will depend on knowing pre-ESP header length (called "divpoint" in the ESP * code), which could be cached in the conn_t for connected endpoints, or * which must be computed on every datagram otherwise. */ #define IPSEC_MAX_ESP_HDR_SIZE (70) /* * Alternate, when we know the crypto block size via the SA. Assume an ICV on * the SA. Use: * * sizeof (esph_t) + 2 * (sizeof (IV/counter)) - 2 + sizeof (ICV). The "-2" * discounts the overhead of the pad + padlen that gets swallowed up by the * second (theoretically all-pad) cipher-block. If you use our examples of * AES and SHA512, you get: * * 8 + 32 - 2 + 32 == 70. * * Which is our pre-computed maximum above. */ #include #define IPSEC_BASE_ESP_HDR_SIZE(sa) \ (sizeof (esph_t) + ((sa)->ipsa_iv_len << 1) - 2 + (sa)->ipsa_mac_len) /* * Identity hash table. * * Identities are refcounted and "interned" into the hash table. * Only references coming from other objects (SA's, latching state) * are counted in ipsid_refcnt. * * Locking: IPSID_REFHOLD is safe only when (a) the object's hash bucket * is locked, (b) we know that the refcount must be > 0. * * The ipsid_next and ipsid_ptpn fields are only to be referenced or * modified when the bucket lock is held; in particular, we only * delete objects while holding the bucket lock, and we only increase * the refcount from 0 to 1 while the bucket lock is held. */ #define IPSID_HASHSIZE 64 typedef struct ipsif_s { ipsid_t *ipsif_head; kmutex_t ipsif_lock; } ipsif_t; /* * For call to the kernel crypto framework. State needed during * the execution of a crypto request. */ typedef struct ipsec_crypto_s { size_t ic_skip_len; /* len to skip for AH auth */ crypto_data_t ic_crypto_data; /* single op crypto data */ crypto_dual_data_t ic_crypto_dual_data; /* for dual ops */ crypto_data_t ic_crypto_mac; /* to store the MAC */ ipsa_cm_mech_t ic_cmm; } ipsec_crypto_t; /* * IPsec stack instances */ struct ipsec_stack { netstack_t *ipsec_netstack; /* Common netstack */ /* Packet dropper for IP IPsec processing failures */ ipdropper_t ipsec_dropper; /* From spd.c */ /* * Policy rule index generator. We assume this won't wrap in the * lifetime of a system. If we make 2^20 policy changes per second, * this will last 2^44 seconds, or roughly 500,000 years, so we don't * have to worry about reusing policy index values. */ uint64_t ipsec_next_policy_index; HASH_HEAD(ipsec_action_s) ipsec_action_hash[IPSEC_ACTION_HASH_SIZE]; HASH_HEAD(ipsec_sel) *ipsec_sel_hash; uint32_t ipsec_spd_hashsize; ipsif_t ipsec_ipsid_buckets[IPSID_HASHSIZE]; /* * Active & Inactive system policy roots */ ipsec_policy_head_t ipsec_system_policy; ipsec_policy_head_t ipsec_inactive_policy; /* Packet dropper for generic SPD drops. */ ipdropper_t ipsec_spd_dropper; /* ipdrop.c */ kstat_t *ipsec_ip_drop_kstat; struct ip_dropstats *ipsec_ip_drop_types; /* spd.c */ /* * Have a counter for every possible policy message in * ipsec_policy_failure_msgs */ uint32_t ipsec_policy_failure_count[IPSEC_POLICY_MAX]; /* Time since last ipsec policy failure that printed a message. */ hrtime_t ipsec_policy_failure_last; /* ip_spd.c */ /* stats */ kstat_t *ipsec_ksp; struct ipsec_kstats_s *ipsec_kstats; /* sadb.c */ /* Packet dropper for generic SADB drops. */ ipdropper_t ipsec_sadb_dropper; /* spd.c */ boolean_t ipsec_inbound_v4_policy_present; boolean_t ipsec_outbound_v4_policy_present; boolean_t ipsec_inbound_v6_policy_present; boolean_t ipsec_outbound_v6_policy_present; /* spd.c */ /* * Because policy needs to know what algorithms are supported, keep the * lists of algorithms here. */ krwlock_t ipsec_alg_lock; uint8_t ipsec_nalgs[IPSEC_NALGTYPES]; ipsec_alginfo_t *ipsec_alglists[IPSEC_NALGTYPES][IPSEC_MAX_ALGS]; uint8_t ipsec_sortlist[IPSEC_NALGTYPES][IPSEC_MAX_ALGS]; int ipsec_algs_exec_mode[IPSEC_NALGTYPES]; uint32_t ipsec_tun_spd_hashsize; /* * Tunnel policies - AVL tree indexed by tunnel name. */ krwlock_t ipsec_tunnel_policy_lock; uint64_t ipsec_tunnel_policy_gen; avl_tree_t ipsec_tunnel_policies; /* ipsec_loader.c */ kmutex_t ipsec_loader_lock; int ipsec_loader_state; int ipsec_loader_sig; kt_did_t ipsec_loader_tid; kcondvar_t ipsec_loader_sig_cv; /* For loader_sig conditions. */ }; typedef struct ipsec_stack ipsec_stack_t; /* Handle the kstat_create in ip_drop_init() failing */ #define DROPPER(_ipss, _dropper) \ (((_ipss)->ipsec_ip_drop_types == NULL) ? NULL : \ &((_ipss)->ipsec_ip_drop_types->_dropper)) /* * Loader states.. */ #define IPSEC_LOADER_WAIT 0 #define IPSEC_LOADER_FAILED -1 #define IPSEC_LOADER_SUCCEEDED 1 /* * ipsec_loader entrypoints. */ extern void ipsec_loader_init(ipsec_stack_t *); extern void ipsec_loader_start(ipsec_stack_t *); extern void ipsec_loader_destroy(ipsec_stack_t *); extern void ipsec_loader_loadnow(ipsec_stack_t *); extern boolean_t ipsec_loader_wait(queue_t *q, ipsec_stack_t *); extern boolean_t ipsec_loaded(ipsec_stack_t *); extern boolean_t ipsec_failed(ipsec_stack_t *); /* * ipsec policy entrypoints (spd.c) */ extern void ipsec_policy_g_destroy(void); extern void ipsec_policy_g_init(void); extern mblk_t *ipsec_add_crypto_data(mblk_t *, ipsec_crypto_t **); extern mblk_t *ipsec_remove_crypto_data(mblk_t *, ipsec_crypto_t **); extern mblk_t *ipsec_free_crypto_data(mblk_t *); extern int ipsec_alloc_table(ipsec_policy_head_t *, int, int, boolean_t, netstack_t *); extern void ipsec_polhead_init(ipsec_policy_head_t *, int); extern void ipsec_polhead_destroy(ipsec_policy_head_t *); extern void ipsec_polhead_free_table(ipsec_policy_head_t *); extern mblk_t *ipsec_check_global_policy(mblk_t *, conn_t *, ipha_t *, ip6_t *, ip_recv_attr_t *, netstack_t *ns); extern mblk_t *ipsec_check_inbound_policy(mblk_t *, conn_t *, ipha_t *, ip6_t *, ip_recv_attr_t *); extern boolean_t ipsec_in_to_out(ip_recv_attr_t *, ip_xmit_attr_t *, mblk_t *, ipha_t *, ip6_t *); extern void ipsec_in_release_refs(ip_recv_attr_t *); extern void ipsec_out_release_refs(ip_xmit_attr_t *); extern void ipsec_log_policy_failure(int, char *, ipha_t *, ip6_t *, boolean_t, netstack_t *); extern boolean_t ipsec_inbound_accept_clear(mblk_t *, ipha_t *, ip6_t *); extern int ipsec_conn_cache_policy(conn_t *, boolean_t); extern void ipsec_cache_outbound_policy(const conn_t *, const in6_addr_t *, const in6_addr_t *, in_port_t, ip_xmit_attr_t *); extern boolean_t ipsec_outbound_policy_current(ip_xmit_attr_t *); extern ipsec_action_t *ipsec_in_to_out_action(ip_recv_attr_t *); extern void ipsec_latch_inbound(conn_t *connp, ip_recv_attr_t *ira); extern void ipsec_policy_free(ipsec_policy_t *); extern void ipsec_action_free(ipsec_action_t *); extern void ipsec_polhead_free(ipsec_policy_head_t *, netstack_t *); extern ipsec_policy_head_t *ipsec_polhead_split(ipsec_policy_head_t *, netstack_t *); extern ipsec_policy_head_t *ipsec_polhead_create(void); extern ipsec_policy_head_t *ipsec_system_policy(netstack_t *); extern ipsec_policy_head_t *ipsec_inactive_policy(netstack_t *); extern void ipsec_swap_policy(ipsec_policy_head_t *, ipsec_policy_head_t *, netstack_t *); extern void ipsec_swap_global_policy(netstack_t *); extern int ipsec_clone_system_policy(netstack_t *); extern ipsec_policy_t *ipsec_policy_create(ipsec_selkey_t *, const ipsec_act_t *, int, int, uint64_t *, netstack_t *); extern boolean_t ipsec_policy_delete(ipsec_policy_head_t *, ipsec_selkey_t *, int, netstack_t *); extern int ipsec_policy_delete_index(ipsec_policy_head_t *, uint64_t, netstack_t *); extern boolean_t ipsec_polhead_insert(ipsec_policy_head_t *, ipsec_act_t *, uint_t, int, int, netstack_t *); extern void ipsec_polhead_flush(ipsec_policy_head_t *, netstack_t *); extern int ipsec_copy_polhead(ipsec_policy_head_t *, ipsec_policy_head_t *, netstack_t *); extern void ipsec_actvec_from_req(const ipsec_req_t *, ipsec_act_t **, uint_t *, netstack_t *); extern void ipsec_actvec_free(ipsec_act_t *, uint_t); extern int ipsec_req_from_head(ipsec_policy_head_t *, ipsec_req_t *, int); extern mblk_t *ipsec_construct_inverse_acquire(sadb_msg_t *, sadb_ext_t **, netstack_t *); extern ipsec_policy_t *ipsec_find_policy(int, const conn_t *, ipsec_selector_t *, netstack_t *); extern ipsid_t *ipsid_lookup(int, char *, netstack_t *); extern boolean_t ipsid_equal(ipsid_t *, ipsid_t *); extern void ipsid_gc(netstack_t *); extern void ipsec_latch_ids(ipsec_latch_t *, ipsid_t *, ipsid_t *); extern void ipsec_config_flush(netstack_t *); extern boolean_t ipsec_check_policy(ipsec_policy_head_t *, ipsec_policy_t *, int); extern void ipsec_enter_policy(ipsec_policy_head_t *, ipsec_policy_t *, int, netstack_t *); extern boolean_t ipsec_check_action(ipsec_act_t *, int *, netstack_t *); extern void iplatch_free(ipsec_latch_t *); extern ipsec_latch_t *iplatch_create(void); extern int ipsec_set_req(cred_t *, conn_t *, ipsec_req_t *); extern void ipsec_insert_always(avl_tree_t *tree, void *new_node); extern int32_t ipsec_act_ovhd(const ipsec_act_t *act); extern mblk_t *sadb_whack_label(mblk_t *, ipsa_t *, ip_xmit_attr_t *, kstat_named_t *, ipdropper_t *); extern mblk_t *sadb_whack_label_v4(mblk_t *, ipsa_t *, kstat_named_t *, ipdropper_t *); extern mblk_t *sadb_whack_label_v6(mblk_t *, ipsa_t *, kstat_named_t *, ipdropper_t *); extern boolean_t update_iv(uint8_t *, queue_t *, ipsa_t *, ipsecesp_stack_t *); /* * Tunnel-support SPD functions and variables. */ struct iptun_s; /* Defined in inet/iptun/iptun_impl.h. */ extern mblk_t *ipsec_tun_inbound(ip_recv_attr_t *, mblk_t *, ipsec_tun_pol_t *, ipha_t *, ip6_t *, ipha_t *, ip6_t *, int, netstack_t *); extern mblk_t *ipsec_tun_outbound(mblk_t *, struct iptun_s *, ipha_t *, ip6_t *, ipha_t *, ip6_t *, int, ip_xmit_attr_t *); extern void itp_free(ipsec_tun_pol_t *, netstack_t *); extern ipsec_tun_pol_t *create_tunnel_policy(char *, int *, uint64_t *, netstack_t *); extern ipsec_tun_pol_t *get_tunnel_policy(char *, netstack_t *); extern void itp_unlink(ipsec_tun_pol_t *, netstack_t *); extern void itp_walk(void (*)(ipsec_tun_pol_t *, void *, netstack_t *), void *, netstack_t *); extern ipsec_tun_pol_t *itp_get_byaddr(uint32_t *, uint32_t *, int, ip_stack_t *); /* * IPsec AH/ESP functions called from IP or the common SADB code in AH. */ extern void ipsecah_in_assocfailure(mblk_t *, char, ushort_t, char *, uint32_t, void *, int, ip_recv_attr_t *ira); extern void ipsecesp_in_assocfailure(mblk_t *, char, ushort_t, char *, uint32_t, void *, int, ip_recv_attr_t *ira); extern void ipsecesp_send_keepalive(ipsa_t *); /* * Algorithm management helper functions. */ extern boolean_t ipsec_valid_key_size(uint16_t, ipsec_alginfo_t *); /* * Per-socket policy, for now, takes precedence... this priority value * insures it. */ #define IPSEC_PRIO_SOCKET 0x1000000 /* DDI initialization functions. */ extern boolean_t ipsecesp_ddi_init(void); extern boolean_t ipsecah_ddi_init(void); extern boolean_t keysock_ddi_init(void); extern boolean_t spdsock_ddi_init(void); extern void ipsecesp_ddi_destroy(void); extern void ipsecah_ddi_destroy(void); extern void keysock_ddi_destroy(void); extern void spdsock_ddi_destroy(void); /* * AH- and ESP-specific functions that are called directly by other modules. */ extern void ipsecah_fill_defs(struct sadb_x_ecomb *, netstack_t *); extern void ipsecesp_fill_defs(struct sadb_x_ecomb *, netstack_t *); extern void ipsecah_algs_changed(netstack_t *); extern void ipsecesp_algs_changed(netstack_t *); extern void ipsecesp_init_funcs(ipsa_t *); extern void ipsecah_init_funcs(ipsa_t *); extern mblk_t *ipsecah_icmp_error(mblk_t *, ip_recv_attr_t *); extern mblk_t *ipsecesp_icmp_error(mblk_t *, ip_recv_attr_t *); /* * spdsock functions that are called directly by IP. */ extern void spdsock_update_pending_algs(netstack_t *); /* * IP functions that are called from AH and ESP. */ extern boolean_t ipsec_outbound_sa(mblk_t *, ip_xmit_attr_t *, uint_t); extern mblk_t *ipsec_inbound_esp_sa(mblk_t *, ip_recv_attr_t *, esph_t **); extern mblk_t *ipsec_inbound_ah_sa(mblk_t *, ip_recv_attr_t *, ah_t **); extern ipsec_policy_t *ipsec_find_policy_head(ipsec_policy_t *, ipsec_policy_head_t *, int, ipsec_selector_t *); /* * IP dropper init/destroy. */ void ip_drop_init(ipsec_stack_t *); void ip_drop_destroy(ipsec_stack_t *); /* * Common functions */ extern boolean_t ip_addr_match(uint8_t *, int, in6_addr_t *); extern boolean_t ipsec_label_match(ts_label_t *, ts_label_t *); /* * AH and ESP counters types. */ typedef uint32_t ah_counter; typedef uint32_t esp_counter; #endif /* _KERNEL */ #ifdef __cplusplus } #endif #endif /* _INET_IPSEC_IMPL_H */