1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #ifndef _INET_IPSEC_INFO_H 28 #define _INET_IPSEC_INFO_H 29 30 #pragma ident "%Z%%M% %I% %E% SMI" 31 32 #ifdef __cplusplus 33 extern "C" { 34 #endif 35 36 #include <sys/crypto/common.h> 37 38 /* 39 * IPsec informational messages. These are M_CTL STREAMS messages, which 40 * convey IPsec information between various IP and related modules. The 41 * messages come in a few flavors: 42 * 43 * * IPSEC_{IN,OUT} - These show what IPsec action have been taken (for 44 * inbound datagrams), or need to be taken (for outbound datagrams). 45 * They flow between AH/ESP and IP. 46 * 47 * * Keysock consumer interface - These messages are wrappers for 48 * PF_KEY messages. They flow between AH/ESP and keysock. 49 */ 50 51 /* 52 * The IPsec M_CTL value MUST be something that will not be even close 53 * to an IPv4 or IPv6 header. This means the first byte must not be 54 * 0x40 - 0x4f or 0x60-0x6f. For big-endian machines, this is fixable with 55 * the IPSEC_M_CTL prefix. For little-endian machines, the actual M_CTL 56 * _type_ must not be in the aforementioned ranges. 57 * 58 * The reason for this avoidance is because M_CTL's with a real IPv4/IPv6 59 * datagram get sent from to TCP or UDP when an ICMP datagram affects a 60 * TCP/UDP session. 61 */ 62 #define IPSEC_M_CTL 0x73706900 63 64 /* 65 * M_CTL types for IPsec messages. Remember, the values 0x40 - 0x4f and 0x60 66 * - 0x6f are not to be used because of potential little-endian confusion. 67 * 68 * Offsets 1-25 (decimal) are in use, spread through this file. 69 * Check for duplicates through the whole file before adding. 70 */ 71 72 /* 73 * IPSEC_{IN,OUT} policy expressors. 74 */ 75 #define IPSEC_IN (IPSEC_M_CTL + 1) 76 #define IPSEC_OUT (IPSEC_M_CTL + 2) 77 78 /* 79 * This is used for communication between IP and IPSEC (AH/ESP) 80 * for Inbound datagrams. IPSEC_IN is allocated by IP before IPSEC 81 * processing begins. On return spi fields are initialized so that 82 * IP can locate the security associations later on for doing policy 83 * checks. For loopback case, IPSEC processing is not done. But the 84 * attributes of the security are reflected in <foo>_done fields below. 85 * The code in policy check infers that it is a loopback case and 86 * would not try to get the associations. 87 */ 88 typedef struct ipsec_in_s { 89 uint32_t ipsec_in_type; 90 uint32_t ipsec_in_len; 91 frtn_t ipsec_in_frtn; /* for esballoc() callback */ 92 struct ipsa_s *ipsec_in_ah_sa; /* SA for AH */ 93 struct ipsa_s *ipsec_in_esp_sa; /* SA for ESP */ 94 95 struct ipsec_policy_head_s *ipsec_in_policy; 96 struct ipsec_action_s *ipsec_in_action; /* how we made it in.. */ 97 unsigned int 98 ipsec_in_secure : 1, /* Is the message attached secure ? */ 99 ipsec_in_v4 : 1, /* Is this an ipv4 packet ? */ 100 ipsec_in_loopback : 1, /* Is this a loopback request ? */ 101 ipsec_in_dont_check : 1, /* Used by TCP to avoid policy check */ 102 103 ipsec_in_decaps : 1, /* Was this packet decapsulated from */ 104 /* a matching inner packet? */ 105 ipsec_in_attach_if : 1, /* Don't load spread this packet */ 106 ipsec_in_accelerated : 1, /* hardware accelerated packet */ 107 108 ipsec_in_icmp_loopback : 1, /* Looped-back ICMP packet, */ 109 /* all should trust this. */ 110 ipsec_in_pad_bits : 24; 111 112 int ipsec_in_ill_index; /* interface on which ipha_dst was */ 113 /* configured when pkt was recv'd */ 114 int ipsec_in_rill_index; /* interface on which pkt was recv'd */ 115 mblk_t *ipsec_in_da; /* data attr. for accelerated pkts */ 116 117 /* 118 * For call to the kernel crypto framework. State needed during 119 * the execution of a crypto request. Storing these here 120 * allow us to avoid a separate allocation before calling the 121 * crypto framework. 122 */ 123 size_t ipsec_in_skip_len; /* len to skip for AH auth */ 124 crypto_data_t ipsec_in_crypto_data; /* single op crypto data */ 125 crypto_dual_data_t ipsec_in_crypto_dual_data; /* for dual ops */ 126 crypto_data_t ipsec_in_crypto_mac; /* to store the MAC */ 127 128 zoneid_t ipsec_in_zoneid; /* target zone for the datagram */ 129 130 #ifdef DEBUG 131 /* 132 * To aid in IPSEC_IN leak detection, save a copy of the inbound IPsec 133 * header in DEBUG kernels. It takes no more space overall because 134 * ipsec_info_t is more than sizeof (IPv4 or IPv6) bytes larger than 135 * ipsec_in_t. (60 bytes was chosen as a nice safe number. Using 136 * an IP or IPv6 constant increases the header file count for 137 * consumers of this header file.) 138 */ 139 uint8_t ipsec_in_saved_hdr[60]; 140 #endif 141 } ipsec_in_t; 142 143 /* 144 * This is used for communication between IP and IPSEC (AH/ESP) 145 * for Outbound datagrams. IPSEC_OUT is allocated by IP before IPSEC 146 * processing begins. On return SA fields are initialized so that 147 * IP can locate the security associations later on for doing policy 148 * checks. The policy and the actions associated with this packet are 149 * stored in the ipsec_out_policy and ipsec_out_act fields respectively. 150 * IPSEC_OUT is also used to carry non-ipsec information when conn is 151 * absent or the conn information is lost across the calls to ARP. 152 * example: message from ARP or from ICMP error routines. 153 */ 154 typedef struct ipsec_out_s { 155 uint32_t ipsec_out_type; 156 uint32_t ipsec_out_len; 157 frtn_t ipsec_out_frtn; /* for esballoc() callback */ 158 struct ipsec_policy_head_s *ipsec_out_polhead; 159 ipsec_latch_t *ipsec_out_latch; 160 struct ipsec_policy_s *ipsec_out_policy; /* why are we here? */ 161 struct ipsec_action_s *ipsec_out_act; /* what do we want? */ 162 struct ipsa_s *ipsec_out_ah_sa; /* AH SA used for the packet */ 163 struct ipsa_s *ipsec_out_esp_sa; /* ESP SA used for the packet */ 164 /* 165 * NOTE: "Source" and "Dest" are w.r.t. outbound datagrams. Ports can 166 * be zero, and the protocol number is needed to make the ports 167 * significant. 168 */ 169 uint16_t ipsec_out_src_port; /* Source port number of d-gram. */ 170 uint16_t ipsec_out_dst_port; /* Destination port number of d-gram. */ 171 uint8_t ipsec_out_icmp_type; /* ICMP type of d-gram */ 172 uint8_t ipsec_out_icmp_code; /* ICMP code of d-gram */ 173 uint_t ipsec_out_ill_index; /* ill index used for multicast etc. */ 174 uint8_t ipsec_out_proto; /* IP protocol number for d-gram. */ 175 unsigned int 176 ipsec_out_encaps : 1, /* Encapsualtion done ? */ 177 ipsec_out_use_global_policy : 1, /* Inherit global policy ? */ 178 ipsec_out_secure : 1, /* Is this secure ? */ 179 ipsec_out_proc_begin : 1, /* IPSEC processing begun */ 180 /* 181 * Following five values reflects the values stored 182 * in conn. 183 */ 184 ipsec_out_multicast_loop : 1, 185 ipsec_out_dontroute : 1, 186 ipsec_out_reserved : 1, 187 ipsec_out_v4 : 1, 188 189 ipsec_out_attach_if : 1, 190 ipsec_out_unspec_src : 1, /* IPv6 ip6i_t info */ 191 ipsec_out_reachable : 1, /* NDP reachability info */ 192 /* 193 * Following bit is used by ip_mrtun_forward to convey 194 * xmit_ill information along with ICMP error msg 195 */ 196 ipsec_out_xmit_if: 1, 197 198 ipsec_out_failed: 1, 199 ipsec_out_se_done: 1, 200 ipsec_out_esp_done: 1, 201 ipsec_out_ah_done: 1, 202 203 ipsec_out_need_policy: 1, 204 205 /* 206 * To indicate that packet must be accelerated, i.e. 207 * ICV or encryption performed, by Provider. 208 */ 209 ipsec_out_accelerated : 1, 210 /* 211 * Used by IP to tell IPsec that the outbound ill for this 212 * packet supports acceleration of the AH or ESP prototocol. 213 * If set, ipsec_out_capab_ill_index contains the 214 * index of the ill. 215 */ 216 ipsec_out_is_capab_ill : 1, 217 /* 218 * Indicates ICMP message destined for self. These 219 * messages are to be trusted by all receivers. 220 */ 221 ipsec_out_icmp_loopback: 1, 222 ipsec_out_pad_bits : 12; 223 cred_t *ipsec_out_cred; 224 uint32_t ipsec_out_capab_ill_index; 225 226 /* 227 * For call to the kernel crypto framework. State needed during 228 * the execution of a crypto request. Storing these here 229 * allow us to avoid a separate allocation before calling the 230 * crypto framework. 231 */ 232 size_t ipsec_out_skip_len; /* len to skip for AH auth */ 233 crypto_data_t ipsec_out_crypto_data; /* single op crypto data */ 234 crypto_dual_data_t ipsec_out_crypto_dual_data; /* for dual ops */ 235 crypto_data_t ipsec_out_crypto_mac; /* to store the MAC */ 236 237 zoneid_t ipsec_out_zoneid; /* source zone for the datagram */ 238 } ipsec_out_t; 239 240 /* 241 * This is used to mark the ipsec_out_t *req* fields 242 * when the operation is done without affecting the 243 * requests. 244 */ 245 #define IPSEC_REQ_DONE 0x80000000 246 /* 247 * Operation could not be performed by the AH/ESP 248 * module. 249 */ 250 #define IPSEC_REQ_FAILED 0x40000000 251 252 /* 253 * Keysock consumer interface. 254 * 255 * The driver/module keysock (which is a driver to PF_KEY sockets, but is 256 * a module to 'consumers' like AH and ESP) uses keysock consumer interface 257 * messages to pass on PF_KEY messages to consumers who process and act upon 258 * them. 259 */ 260 #define KEYSOCK_IN (IPSEC_M_CTL + 3) 261 #define KEYSOCK_OUT (IPSEC_M_CTL + 4) 262 #define KEYSOCK_OUT_ERR (IPSEC_M_CTL + 5) 263 #define KEYSOCK_HELLO (IPSEC_M_CTL + 6) 264 #define KEYSOCK_HELLO_ACK (IPSEC_M_CTL + 7) 265 266 /* 267 * KEYSOCK_HELLO is sent by keysock to a consumer when it is pushed on top 268 * of one (i.e. opened as a module). 269 * 270 * NOTE: Keysock_hello is simply an ipsec_info_t 271 */ 272 273 /* 274 * KEYSOCK_HELLO_ACK is sent by a consumer to acknowledge a KEYSOCK_HELLO. 275 * It contains the PF_KEYv2 sa_type, so keysock can redirect PF_KEY messages 276 * to the right consumer. 277 */ 278 typedef struct keysock_hello_ack_s { 279 uint32_t ks_hello_type; 280 uint32_t ks_hello_len; 281 uint8_t ks_hello_satype; /* PF_KEYv2 sa_type of ks client */ 282 } keysock_hello_ack_t; 283 284 #define KS_IN_ADDR_UNKNOWN 0 285 #define KS_IN_ADDR_NOTTHERE 1 286 #define KS_IN_ADDR_UNSPEC 2 287 #define KS_IN_ADDR_ME 3 288 #define KS_IN_ADDR_NOTME 4 289 #define KS_IN_ADDR_MBCAST 5 290 291 /* 292 * KEYSOCK_IN is a PF_KEY message from a PF_KEY socket destined for a consumer. 293 */ 294 typedef struct keysock_in_s { 295 uint32_t ks_in_type; 296 uint32_t ks_in_len; 297 /* 298 * NOTE: These pointers MUST be into the M_DATA that follows 299 * this M_CTL message. If they aren't, weirdness 300 * results. 301 */ 302 struct sadb_ext *ks_in_extv[SADB_EXT_MAX + 1]; 303 int ks_in_srctype; /* Source address type. */ 304 int ks_in_dsttype; /* Dest address type. */ 305 int ks_in_proxytype; /* Proxy address type. */ 306 minor_t ks_in_serial; /* Serial # of sending socket. */ 307 } keysock_in_t; 308 309 /* 310 * KEYSOCK_OUT is a PF_KEY message from a consumer destined for a PF_KEY 311 * socket. 312 */ 313 typedef struct keysock_out_s { 314 uint32_t ks_out_type; 315 uint32_t ks_out_len; 316 minor_t ks_out_serial; /* Serial # of sending socket. */ 317 } keysock_out_t; 318 319 /* 320 * KEYSOCK_OUT_ERR is sent to a consumer from keysock if for some reason 321 * keysock could not find a PF_KEY socket to deliver a consumer-originated 322 * message (e.g. SADB_ACQUIRE). 323 */ 324 typedef struct keysock_out_err_s { 325 uint32_t ks_err_type; 326 uint32_t ks_err_len; 327 minor_t ks_err_serial; 328 int ks_err_errno; 329 /* 330 * Other, richer error information may end up going here eventually. 331 */ 332 } keysock_out_err_t; 333 334 /* 335 * M_CTL message type for sending inbound pkt information between IP & ULP. 336 * These are _not_ related to IPsec in any way, but are here so that there is 337 * one place where all these values are defined which makes it easier to track. 338 * The choice of this value has the same rationale as explained above. 339 */ 340 #define IN_PKTINFO (IPSEC_M_CTL + 24) 341 342 343 /* 344 * IPSEC_CTL messages are used by IPsec to send control type requests 345 * to IP. Such a control message is currently used by IPsec to request 346 * that IP send the contents of an IPsec SA or the entire SADB to 347 * every IPsec hardware acceleration capable provider. 348 */ 349 350 #define IPSEC_CTL (IPSEC_M_CTL + 25) 351 352 typedef struct ipsec_ctl_s { 353 uint32_t ipsec_ctl_type; 354 uint32_t ipsec_ctl_len; 355 uint_t ipsec_ctl_sa_type; 356 void *ipsec_ctl_sa; 357 } ipsec_ctl_t; 358 359 360 /* 361 * All IPsec informational messages are placed into the ipsec_info_t 362 * union, so that allocation can be done once, and IPsec informational 363 * messages can be recycled. 364 */ 365 typedef union ipsec_info_u { 366 struct { 367 uint32_t ipsec_allu_type; 368 uint32_t ipsec_allu_len; /* In bytes */ 369 } ipsec_allu; 370 ipsec_in_t ipsec_in; 371 ipsec_out_t ipsec_out; 372 keysock_hello_ack_t keysock_hello_ack; 373 keysock_in_t keysock_in; 374 keysock_out_t keysock_out; 375 keysock_out_err_t keysock_out_err; 376 ipsec_ctl_t ipsec_ctl; 377 } ipsec_info_t; 378 #define ipsec_info_type ipsec_allu.ipsec_allu_type 379 #define ipsec_info_len ipsec_allu.ipsec_allu_len 380 381 #ifdef __cplusplus 382 } 383 #endif 384 385 #endif /* _INET_IPSEC_INFO_H */ 386