xref: /illumos-gate/usr/src/uts/common/inet/ipsec_info.h (revision 46b592853d0f4f11781b6b0a7533f267c6aee132)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_INET_IPSEC_INFO_H
27 #define	_INET_IPSEC_INFO_H
28 
29 #ifdef	__cplusplus
30 extern "C" {
31 #endif
32 
33 #include <sys/crypto/common.h>
34 
35 /*
36  * IPsec informational messages.  These are M_CTL STREAMS messages, which
37  * convey IPsec information between various IP and related modules.  The
38  * messages come in a few flavors:
39  *
40  *	* IPSEC_{IN,OUT}  -  These show what IPsec action have been taken (for
41  *	  inbound datagrams), or need to be taken (for outbound datagrams).
42  *	  They flow between AH/ESP and IP.
43  *
44  *	* Keysock consumer interface  -  These messages are wrappers for
45  *	  PF_KEY messages.  They flow between AH/ESP and keysock.
46  *
47  * Some of these messages include pointers such as a netstack_t pointer.
48  * We do not explicitly reference count those with netstack_hold/rele,
49  * since we depend on IP's ability to discard all of the IPSEC_{IN,OUT}
50  * messages in order to handle the ipsa pointers.
51  * We have special logic when doing asynch callouts to kEF for which we
52  * verify netstack_t pointer using the netstackid_t.
53  */
54 
55 /*
56  * The IPsec M_CTL value MUST be something that will not be even close
57  * to an IPv4 or IPv6 header.  This means the first byte must not be
58  * 0x40 - 0x4f or 0x60-0x6f.  For big-endian machines, this is fixable with
59  * the IPSEC_M_CTL prefix.  For little-endian machines, the actual M_CTL
60  * _type_ must not be in the aforementioned ranges.
61  *
62  * The reason for this avoidance is because M_CTL's with a real IPv4/IPv6
63  * datagram get sent from to TCP or UDP when an ICMP datagram affects a
64  * TCP/UDP session.
65  */
66 #define	IPSEC_M_CTL	0x73706900
67 
68 /*
69  * M_CTL types for IPsec messages.  Remember, the values 0x40 - 0x4f and 0x60
70  * - 0x6f are not to be used because of potential little-endian confusion.
71  *
72  * Offsets 1-25 (decimal) are in use, spread through this file.
73  * Check for duplicates through the whole file before adding.
74  */
75 
76 /*
77  * IPSEC_{IN,OUT} policy expressors.
78  */
79 #define	IPSEC_IN	(IPSEC_M_CTL + 1)
80 #define	IPSEC_OUT	(IPSEC_M_CTL + 2)
81 #define	MAXSALTSIZE 8
82 
83 /*
84  * For combined mode ciphers, store the crypto_mechanism_t in the
85  * per-packet ipsec_in_t/ipsec_out_t structures. This is because the PARAMS
86  * and nonce values change for each packet. For non-combined mode
87  * ciphers, these values are constant for the life of the SA.
88  */
89 typedef struct ipsa_cm_mech_s {
90 	crypto_mechanism_t combined_mech;
91 	union {
92 		CK_AES_CCM_PARAMS paramu_ccm;
93 		CK_AES_GCM_PARAMS paramu_gcm;
94 	} paramu;
95 	uint8_t nonce[MAXSALTSIZE + sizeof (uint64_t)];
96 #define	param_ulMACSize paramu.paramu_ccm.ulMACSize
97 #define	param_ulNonceSize paramu.paramu_ccm.ipsa_ulNonceSize
98 #define	param_ulAuthDataSize paramu.paramu_ccm.ipsa_ulAuthDataSize
99 #define	param_ulDataSize paramu.paramu_ccm.ipsa_ulDataSize
100 #define	param_nonce paramu.paramu_ccm.nonce
101 #define	param_authData paramu.paramu_ccm.authData
102 #define	param_pIv paramu.paramu_gcm.ipsa_pIv
103 #define	param_ulIvLen paramu.paramu_gcm.ulIvLen
104 #define	param_ulIvBits paramu.paramu_gcm.ulIvBits
105 #define	param_pAAD paramu.paramu_gcm.pAAD
106 #define	param_ulAADLen paramu.paramu_gcm.ulAADLen
107 #define	param_ulTagBits paramu.paramu_gcm.ulTagBits
108 } ipsa_cm_mech_t;
109 
110 /*
111  * This is used for communication between IP and IPSEC (AH/ESP)
112  * for Inbound datagrams. IPSEC_IN is allocated by IP before IPSEC
113  * processing begins. On return spi fields are initialized so that
114  * IP can locate the security associations later on for doing policy
115  * checks. For loopback case, IPSEC processing is not done. But the
116  * attributes of the security are reflected in <foo>_done fields below.
117  * The code in policy check infers that it is a loopback case and
118  * would not try to get the associations.
119  *
120  * The comment below (and for other netstack_t references) refers
121  * to the fact that we only do netstack_hold in particular cases,
122  * such as the references from open streams (ill_t and conn_t's
123  * pointers). Internally within IP we rely on IP's ability to cleanup e.g.
124  * ire_t's when an ill goes away.
125  */
126 typedef struct ipsec_in_s {
127 	uint32_t ipsec_in_type;
128 	uint32_t ipsec_in_len;
129 	frtn_t ipsec_in_frtn;		/* for esballoc() callback */
130 	struct ipsa_s 	*ipsec_in_ah_sa;	/* SA for AH */
131 	struct ipsa_s 	*ipsec_in_esp_sa;	/* SA for ESP */
132 
133 	struct ipsec_policy_head_s *ipsec_in_policy;
134 	struct ipsec_action_s *ipsec_in_action; /* how we made it in.. */
135 	unsigned int
136 		ipsec_in_secure : 1,	/* Is the message attached secure ? */
137 		ipsec_in_v4 : 1,	/* Is this an ipv4 packet ? */
138 		ipsec_in_loopback : 1,	/* Is this a loopback request ? */
139 		ipsec_in_dont_check : 1, /* Used by TCP to avoid policy check */
140 
141 		ipsec_in_decaps : 1,	/* Was this packet decapsulated from */
142 					/* a matching inner packet? */
143 		ipsec_in_accelerated : 1, /* hardware accelerated packet */
144 
145 		ipsec_in_icmp_loopback : 1, /* Looped-back ICMP packet, */
146 					    /* all should trust this. */
147 		ipsec_in_pad_bits : 25;
148 
149 	int    ipsec_in_ill_index;	/* interface on which ipha_dst was */
150 					/* configured when pkt was recv'd  */
151 	int    ipsec_in_rill_index;	/* interface on which pkt was recv'd */
152 	uint32_t ipsec_in_esp_udp_ports;	/* For an ESP-in-UDP packet. */
153 	mblk_t *ipsec_in_da;		/* data attr. for accelerated pkts */
154 
155 	/*
156 	 * For call to the kernel crypto framework. State needed during
157 	 * the execution of a crypto request. Storing these here
158 	 * allow us to avoid a separate allocation before calling the
159 	 * crypto framework.
160 	 */
161 	size_t ipsec_in_skip_len;		/* len to skip for AH auth */
162 	crypto_data_t ipsec_in_crypto_data;	/* single op crypto data */
163 	crypto_dual_data_t ipsec_in_crypto_dual_data; /* for dual ops */
164 	crypto_data_t ipsec_in_crypto_mac;	/* to store the MAC */
165 
166 	zoneid_t ipsec_in_zoneid;	/* target zone for the datagram */
167 	netstack_t *ipsec_in_ns;	/* Does not have a netstack_hold */
168 	ipsa_cm_mech_t ipsec_in_cmm;	/* PARAMS for Combined mode mechs */
169 	netstackid_t ipsec_in_stackid;	/* Used while waing for kEF callback */
170 } ipsec_in_t;
171 
172 #define	IPSECOUT_MAX_ADDRLEN 4	/* Max addr len. (in 32-bit words) */
173 /*
174  * This is used for communication between IP and IPSEC (AH/ESP)
175  * for Outbound datagrams. IPSEC_OUT is allocated by IP before IPSEC
176  * processing begins. On return SA fields are initialized so that
177  * IP can locate the security associations later on for doing policy
178  * checks.  The policy and the actions associated with this packet are
179  * stored in the ipsec_out_policy and ipsec_out_act fields respectively.
180  * IPSEC_OUT is also used to carry non-ipsec information when conn is
181  * absent or the conn information is lost across the calls to ARP.
182  * example: message from ARP or from ICMP error routines.
183  */
184 typedef struct ipsec_out_s {
185 	uint32_t ipsec_out_type;
186 	uint32_t ipsec_out_len;
187 	frtn_t ipsec_out_frtn;		/* for esballoc() callback */
188 	struct ipsec_policy_head_s *ipsec_out_polhead;
189 	ipsec_latch_t		*ipsec_out_latch;
190 	struct ipsec_policy_s 	*ipsec_out_policy; /* why are we here? */
191 	struct ipsec_action_s	*ipsec_out_act;	/* what do we want? */
192 	struct ipsa_s	*ipsec_out_ah_sa; /* AH SA used for the packet */
193 	struct ipsa_s	*ipsec_out_esp_sa; /* ESP SA used for the packet */
194 	/*
195 	 * NOTE: "Source" and "Dest" are w.r.t. outbound datagrams.  Ports can
196 	 *	 be zero, and the protocol number is needed to make the ports
197 	 *	 significant.
198 	 */
199 	uint16_t ipsec_out_src_port;	/* Source port number of d-gram. */
200 	uint16_t ipsec_out_dst_port;	/* Destination port number of d-gram. */
201 	uint8_t  ipsec_out_icmp_type;	/* ICMP type of d-gram */
202 	uint8_t  ipsec_out_icmp_code;	/* ICMP code of d-gram */
203 
204 	sa_family_t ipsec_out_inaf;	/* Inner address family */
205 	uint32_t ipsec_out_insrc[IPSECOUT_MAX_ADDRLEN];	/* Inner src address */
206 	uint32_t ipsec_out_indst[IPSECOUT_MAX_ADDRLEN];	/* Inner dest address */
207 	uint8_t  ipsec_out_insrcpfx;	/* Inner source prefix */
208 	uint8_t  ipsec_out_indstpfx;	/* Inner destination prefix */
209 
210 	uint_t ipsec_out_ill_index;	/* ill index used for multicast etc. */
211 	uint8_t ipsec_out_proto;	/* IP protocol number for d-gram. */
212 	unsigned int
213 		ipsec_out_tunnel : 1,	/* Tunnel mode? */
214 		ipsec_out_use_global_policy : 1, /* Inherit global policy ? */
215 		ipsec_out_secure : 1,	/* Is this secure ? */
216 		ipsec_out_proc_begin : 1, /* IPSEC processing begun */
217 		/*
218 		 * Following five values reflects the values stored
219 		 * in conn.
220 		 */
221 		ipsec_out_multicast_loop : 1,
222 		ipsec_out_dontroute : 1,
223 		ipsec_out_reserved : 1,
224 		ipsec_out_v4 : 1,
225 
226 		ipsec_out_unspec_src : 1,	/* IPv6 ip6i_t info */
227 		ipsec_out_reachable : 1, 	/* NDP reachability info */
228 		ipsec_out_failed: 1,
229 		ipsec_out_se_done: 1,
230 
231 		ipsec_out_esp_done: 1,
232 		ipsec_out_ah_done: 1,
233 		ipsec_out_need_policy: 1,
234 
235 		/*
236 		 * To indicate that packet must be accelerated, i.e.
237 		 * ICV or encryption performed, by Provider.
238 		 */
239 		ipsec_out_accelerated : 1,
240 		/*
241 		 * Used by IP to tell IPsec that the outbound ill for this
242 		 * packet supports acceleration of the AH or ESP prototocol.
243 		 * If set, ipsec_out_capab_ill_index contains the
244 		 * index of the ill.
245 		 */
246 		ipsec_out_is_capab_ill : 1,
247 		/*
248 		 * Indicates ICMP message destined for self.  These
249 		 * messages are to be trusted by all receivers.
250 		 */
251 		ipsec_out_icmp_loopback: 1,
252 		ipsec_out_ip_nexthop : 1,	/* IP_NEXTHOP option is set */
253 		ipsec_out_pad_bits : 13;
254 	cred_t	*ipsec_out_cred;
255 	uint32_t ipsec_out_capab_ill_index;
256 
257 	/*
258 	 * For call to the kernel crypto framework. State needed during
259 	 * the execution of a crypto request. Storing these here
260 	 * allow us to avoid a separate allocation before calling the
261 	 * crypto framework.
262 	 */
263 	size_t ipsec_out_skip_len;		/* len to skip for AH auth */
264 	crypto_data_t ipsec_out_crypto_data;	/* single op crypto data */
265 	crypto_dual_data_t ipsec_out_crypto_dual_data; /* for dual ops */
266 	crypto_data_t ipsec_out_crypto_mac;	/* to store the MAC */
267 
268 	zoneid_t ipsec_out_zoneid;	/* source zone for the datagram */
269 	in6_addr_t ipsec_out_nexthop_v6;	/* nexthop IP address */
270 #define	ipsec_out_nexthop_addr V4_PART_OF_V6(ipsec_out_nexthop_v6)
271 	netstack_t *ipsec_out_ns;	/* Does not have a netstack_hold */
272 	netstackid_t ipsec_out_stackid;	/* Used while waing for kEF callback */
273 	ipsa_cm_mech_t ipsec_out_cmm;	/* PARAMS for Combined mode mechs */
274 } ipsec_out_t;
275 
276 /*
277  * This is used to mark the ipsec_out_t *req* fields
278  * when the operation is done without affecting the
279  * requests.
280  */
281 #define	IPSEC_REQ_DONE		0x80000000
282 /*
283  * Operation could not be performed by the AH/ESP
284  * module.
285  */
286 #define	IPSEC_REQ_FAILED	0x40000000
287 
288 /*
289  * Keysock consumer interface.
290  *
291  * The driver/module keysock (which is a driver to PF_KEY sockets, but is
292  * a module to 'consumers' like AH and ESP) uses keysock consumer interface
293  * messages to pass on PF_KEY messages to consumers who process and act upon
294  * them.
295  */
296 #define	KEYSOCK_IN		(IPSEC_M_CTL + 3)
297 #define	KEYSOCK_OUT		(IPSEC_M_CTL + 4)
298 #define	KEYSOCK_OUT_ERR		(IPSEC_M_CTL + 5)
299 #define	KEYSOCK_HELLO		(IPSEC_M_CTL + 6)
300 #define	KEYSOCK_HELLO_ACK	(IPSEC_M_CTL + 7)
301 
302 /*
303  * KEYSOCK_HELLO is sent by keysock to a consumer when it is pushed on top
304  * of one (i.e. opened as a module).
305  *
306  * NOTE: Keysock_hello is simply an ipsec_info_t
307  */
308 
309 /*
310  * KEYSOCK_HELLO_ACK is sent by a consumer to acknowledge a KEYSOCK_HELLO.
311  * It contains the PF_KEYv2 sa_type, so keysock can redirect PF_KEY messages
312  * to the right consumer.
313  */
314 typedef struct keysock_hello_ack_s {
315 	uint32_t ks_hello_type;
316 	uint32_t ks_hello_len;
317 	uint8_t ks_hello_satype;	/* PF_KEYv2 sa_type of ks client */
318 } keysock_hello_ack_t;
319 
320 #define	KS_IN_ADDR_UNKNOWN 0
321 #define	KS_IN_ADDR_NOTTHERE 1
322 #define	KS_IN_ADDR_UNSPEC 2
323 #define	KS_IN_ADDR_ME 3
324 #define	KS_IN_ADDR_NOTME 4
325 #define	KS_IN_ADDR_MBCAST 5
326 #define	KS_IN_ADDR_DONTCARE 6
327 
328 /*
329  * KEYSOCK_IN is a PF_KEY message from a PF_KEY socket destined for a consumer.
330  */
331 typedef struct keysock_in_s {
332 	uint32_t ks_in_type;
333 	uint32_t ks_in_len;
334 	/*
335 	 * NOTE:	These pointers MUST be into the M_DATA that follows
336 	 *		this M_CTL message.  If they aren't, weirdness
337 	 *		results.
338 	 */
339 	struct sadb_ext *ks_in_extv[SADB_EXT_MAX + 1];
340 	int ks_in_srctype;	/* Source address type. */
341 	int ks_in_dsttype;	/* Dest address type. */
342 	minor_t ks_in_serial;	/* Serial # of sending socket. */
343 } keysock_in_t;
344 
345 /*
346  * KEYSOCK_OUT is a PF_KEY message from a consumer destined for a PF_KEY
347  * socket.
348  */
349 typedef struct keysock_out_s {
350 	uint32_t ks_out_type;
351 	uint32_t ks_out_len;
352 	minor_t ks_out_serial;	/* Serial # of sending socket. */
353 } keysock_out_t;
354 
355 /*
356  * KEYSOCK_OUT_ERR is sent to a consumer from keysock if for some reason
357  * keysock could not find a PF_KEY socket to deliver a consumer-originated
358  * message (e.g. SADB_ACQUIRE).
359  */
360 typedef struct keysock_out_err_s {
361 	uint32_t ks_err_type;
362 	uint32_t ks_err_len;
363 	minor_t ks_err_serial;
364 	int ks_err_errno;
365 	/*
366 	 * Other, richer error information may end up going here eventually.
367 	 */
368 } keysock_out_err_t;
369 
370 /*
371  * M_CTL message type for sending inbound pkt information between IP & ULP.
372  * These are _not_ related to IPsec in any way, but are here so that there is
373  * one place where all these values are defined which makes it easier to track.
374  * The choice of this value has the same rationale as explained above.
375  */
376 #define	IN_PKTINFO		(IPSEC_M_CTL + 24)
377 
378 
379 /*
380  * IPSEC_CTL messages are used by IPsec to send control type requests
381  * to IP. Such a control message is currently used by IPsec to request
382  * that IP send the contents of an IPsec SA or the entire SADB to
383  * every IPsec hardware acceleration capable provider.
384  */
385 
386 #define	IPSEC_CTL		(IPSEC_M_CTL + 25)
387 
388 typedef struct ipsec_ctl_s {
389 	uint32_t ipsec_ctl_type;
390 	uint32_t ipsec_ctl_len;
391 	uint_t ipsec_ctl_sa_type;
392 	void *ipsec_ctl_sa;
393 } ipsec_ctl_t;
394 
395 
396 /*
397  * All IPsec informational messages are placed into the ipsec_info_t
398  * union, so that allocation can be done once, and IPsec informational
399  * messages can be recycled.
400  */
401 typedef union ipsec_info_u {
402 	struct {
403 		uint32_t ipsec_allu_type;
404 		uint32_t ipsec_allu_len;	/* In bytes */
405 	} ipsec_allu;
406 	ipsec_in_t ipsec_in;
407 	ipsec_out_t ipsec_out;
408 	keysock_hello_ack_t keysock_hello_ack;
409 	keysock_in_t keysock_in;
410 	keysock_out_t keysock_out;
411 	keysock_out_err_t keysock_out_err;
412 	ipsec_ctl_t ipsec_ctl;
413 } ipsec_info_t;
414 #define	ipsec_info_type ipsec_allu.ipsec_allu_type
415 #define	ipsec_info_len ipsec_allu.ipsec_allu_len
416 
417 #ifdef	__cplusplus
418 }
419 #endif
420 
421 #endif	/* _INET_IPSEC_INFO_H */
422