1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #ifndef _INET_IPSEC_IMPL_H 27 #define _INET_IPSEC_IMPL_H 28 29 #pragma ident "%Z%%M% %I% %E% SMI" 30 31 #include <inet/ip.h> 32 #include <inet/ipdrop.h> 33 34 #ifdef __cplusplus 35 extern "C" { 36 #endif 37 38 #define IPSEC_CONF_SRC_ADDRESS 0 /* Source Address */ 39 #define IPSEC_CONF_SRC_PORT 1 /* Source Port */ 40 #define IPSEC_CONF_DST_ADDRESS 2 /* Dest Address */ 41 #define IPSEC_CONF_DST_PORT 3 /* Dest Port */ 42 #define IPSEC_CONF_SRC_MASK 4 /* Source Address Mask */ 43 #define IPSEC_CONF_DST_MASK 5 /* Destination Address Mask */ 44 #define IPSEC_CONF_ULP 6 /* Upper layer Port */ 45 #define IPSEC_CONF_IPSEC_PROT 7 /* AH or ESP or AH_ESP */ 46 #define IPSEC_CONF_IPSEC_AALGS 8 /* Auth Algorithms - MD5 etc. */ 47 #define IPSEC_CONF_IPSEC_EALGS 9 /* Encr Algorithms - DES etc. */ 48 #define IPSEC_CONF_IPSEC_EAALGS 10 /* Encr Algorithms - MD5 etc. */ 49 #define IPSEC_CONF_IPSEC_SA 11 /* Shared or unique SA */ 50 #define IPSEC_CONF_IPSEC_DIR 12 /* Direction of traffic */ 51 #define IPSEC_CONF_ICMP_TYPE 13 /* ICMP type */ 52 #define IPSEC_CONF_ICMP_CODE 14 /* ICMP code */ 53 #define IPSEC_CONF_NEGOTIATE 15 /* Negotiation */ 54 #define IPSEC_CONF_TUNNEL 16 /* Tunnel */ 55 56 /* Type of an entry */ 57 58 #define IPSEC_NTYPES 0x02 59 #define IPSEC_TYPE_OUTBOUND 0x00 60 #define IPSEC_TYPE_INBOUND 0x01 61 62 /* Policy */ 63 #define IPSEC_POLICY_APPLY 0x01 64 #define IPSEC_POLICY_DISCARD 0x02 65 #define IPSEC_POLICY_BYPASS 0x03 66 67 /* Shared or unique SA */ 68 #define IPSEC_SHARED_SA 0x01 69 #define IPSEC_UNIQUE_SA 0x02 70 71 /* IPSEC protocols and combinations */ 72 #define IPSEC_AH_ONLY 0x01 73 #define IPSEC_ESP_ONLY 0x02 74 #define IPSEC_AH_ESP 0x03 75 76 #ifdef _KERNEL 77 78 #include <inet/common.h> 79 #include <netinet/ip6.h> 80 #include <netinet/icmp6.h> 81 #include <net/pfkeyv2.h> 82 #include <inet/ip.h> 83 #include <inet/sadb.h> 84 #include <inet/ipsecah.h> 85 #include <inet/ipsecesp.h> 86 #include <sys/crypto/common.h> 87 #include <sys/crypto/api.h> 88 #include <sys/avl.h> 89 90 /* 91 * Maximum number of authentication algorithms (can be indexed by one byte 92 * per PF_KEY and the IKE IPsec DOI. 93 */ 94 #define MAX_AALGS 256 95 96 /* 97 * IPsec task queue constants. 98 */ 99 #define IPSEC_TASKQ_MIN 10 100 #define IPSEC_TASKQ_MAX 20 101 102 /* 103 * So we can access IPsec global variables that live in keysock.c. 104 */ 105 extern boolean_t keysock_extended_reg(netstack_t *); 106 extern uint32_t keysock_next_seq(netstack_t *); 107 108 /* 109 * Locking for ipsec policy rules: 110 * 111 * policy heads: system policy is static; per-conn polheads are dynamic, 112 * and refcounted (and inherited); use atomic refcounts and "don't let 113 * go with both hands". 114 * 115 * policy: refcounted; references from polhead, ipsec_out 116 * 117 * actions: refcounted; referenced from: action hash table, policy, ipsec_out 118 * selectors: refcounted; referenced from: selector hash table, policy. 119 */ 120 121 /* 122 * the following are inspired by, but not directly based on, 123 * some of the sys/queue.h type-safe pseudo-polymorphic macros 124 * found in BSD. 125 * 126 * XXX If we use these more generally, we'll have to make the names 127 * less generic (HASH_* will probably clobber other namespaces). 128 */ 129 130 #define HASH_LOCK(table, hash) \ 131 mutex_enter(&(table)[hash].hash_lock) 132 #define HASH_UNLOCK(table, hash) \ 133 mutex_exit(&(table)[hash].hash_lock) 134 135 #define HASH_LOCKED(table, hash) \ 136 MUTEX_HELD(&(table)[hash].hash_lock) 137 138 #define HASH_ITERATE(var, field, table, hash) \ 139 var = table[hash].hash_head; var != NULL; var = var->field.hash_next 140 141 #define HASH_NEXT(var, field) \ 142 (var)->field.hash_next 143 144 #define HASH_INSERT(var, field, table, hash) \ 145 { \ 146 ASSERT(HASH_LOCKED(table, hash)); \ 147 (var)->field.hash_next = (table)[hash].hash_head; \ 148 (var)->field.hash_pp = &(table)[hash].hash_head; \ 149 (table)[hash].hash_head = var; \ 150 if ((var)->field.hash_next != NULL) \ 151 (var)->field.hash_next->field.hash_pp = \ 152 &((var)->field.hash_next); \ 153 } 154 155 156 #define HASH_UNCHAIN(var, field, table, hash) \ 157 { \ 158 ASSERT(MUTEX_HELD(&(table)[hash].hash_lock)); \ 159 HASHLIST_UNCHAIN(var, field); \ 160 } 161 162 #define HASHLIST_INSERT(var, field, head) \ 163 { \ 164 (var)->field.hash_next = head; \ 165 (var)->field.hash_pp = &(head); \ 166 head = var; \ 167 if ((var)->field.hash_next != NULL) \ 168 (var)->field.hash_next->field.hash_pp = \ 169 &((var)->field.hash_next); \ 170 } 171 172 #define HASHLIST_UNCHAIN(var, field) \ 173 { \ 174 *var->field.hash_pp = var->field.hash_next; \ 175 if (var->field.hash_next) \ 176 var->field.hash_next->field.hash_pp = \ 177 var->field.hash_pp; \ 178 HASH_NULL(var, field); \ 179 } 180 181 182 #define HASH_NULL(var, field) \ 183 { \ 184 var->field.hash_next = NULL; \ 185 var->field.hash_pp = NULL; \ 186 } 187 188 #define HASH_LINK(fieldname, type) \ 189 struct { \ 190 type *hash_next; \ 191 type **hash_pp; \ 192 } fieldname 193 194 195 #define HASH_HEAD(tag) \ 196 struct { \ 197 struct tag *hash_head; \ 198 kmutex_t hash_lock; \ 199 } 200 201 202 typedef struct ipsec_policy_s ipsec_policy_t; 203 204 typedef HASH_HEAD(ipsec_policy_s) ipsec_policy_hash_t; 205 206 /* 207 * When adding new fields to ipsec_prot_t, make sure to update 208 * ipsec_in_to_out_action() as well as other code in spd.c 209 */ 210 211 typedef struct ipsec_prot 212 { 213 unsigned int 214 ipp_use_ah : 1, 215 ipp_use_esp : 1, 216 ipp_use_se : 1, 217 ipp_use_unique : 1, 218 ipp_use_espa : 1, 219 ipp_pad : 27; 220 uint8_t ipp_auth_alg; /* DOI number */ 221 uint8_t ipp_encr_alg; /* DOI number */ 222 uint8_t ipp_esp_auth_alg; /* DOI number */ 223 uint16_t ipp_ah_minbits; /* AH: min keylen */ 224 uint16_t ipp_ah_maxbits; /* AH: max keylen */ 225 uint16_t ipp_espe_minbits; /* ESP encr: min keylen */ 226 uint16_t ipp_espe_maxbits; /* ESP encr: max keylen */ 227 uint16_t ipp_espa_minbits; /* ESP auth: min keylen */ 228 uint16_t ipp_espa_maxbits; /* ESP auth: max keylen */ 229 uint32_t ipp_km_proto; /* key mgmt protocol */ 230 uint32_t ipp_km_cookie; /* key mgmt cookie */ 231 uint32_t ipp_replay_depth; /* replay window */ 232 /* XXX add lifetimes */ 233 } ipsec_prot_t; 234 235 #define IPSEC_MAX_KEYBITS (0xffff) 236 237 /* 238 * An individual policy action, possibly a member of a chain. 239 * 240 * Action chains may be shared between multiple policy rules. 241 * 242 * With one exception (IPSEC_POLICY_LOG), a chain consists of an 243 * ordered list of alternative ways to handle a packet. 244 * 245 * All actions are also "interned" into a hash table (to allow 246 * multiple rules with the same action chain to share one copy in 247 * memory). 248 */ 249 250 typedef struct ipsec_act 251 { 252 uint8_t ipa_type; 253 uint8_t ipa_log; 254 union 255 { 256 ipsec_prot_t ipau_apply; 257 uint8_t ipau_reject_type; 258 uint32_t ipau_resolve_id; /* magic cookie */ 259 uint8_t ipau_log_type; 260 } ipa_u; 261 #define ipa_apply ipa_u.ipau_apply 262 #define ipa_reject_type ipa_u.ipau_reject_type 263 #define ipa_log_type ipa_u.ipau_log_type 264 #define ipa_resolve_type ipa_u.ipau_resolve_type 265 } ipsec_act_t; 266 267 #define IPSEC_ACT_APPLY 0x01 /* match IPSEC_POLICY_APPLY */ 268 #define IPSEC_ACT_DISCARD 0x02 /* match IPSEC_POLICY_DISCARD */ 269 #define IPSEC_ACT_BYPASS 0x03 /* match IPSEC_POLICY_BYPASS */ 270 #define IPSEC_ACT_REJECT 0x04 271 #define IPSEC_ACT_CLEAR 0x05 272 273 typedef struct ipsec_action_s 274 { 275 HASH_LINK(ipa_hash, struct ipsec_action_s); 276 struct ipsec_action_s *ipa_next; /* next alternative */ 277 uint32_t ipa_refs; /* refcount */ 278 ipsec_act_t ipa_act; 279 /* 280 * The following bits are equivalent to an OR of bits included in the 281 * ipau_apply fields of this and subsequent actions in an 282 * action chain; this is an optimization for the sake of 283 * ipsec_out_process() in ip.c and a few other places. 284 */ 285 unsigned int 286 ipa_hval: 8, 287 ipa_allow_clear:1, /* rule allows cleartext? */ 288 ipa_want_ah:1, /* an action wants ah */ 289 ipa_want_esp:1, /* an action wants esp */ 290 ipa_want_se:1, /* an action wants se */ 291 ipa_want_unique:1, /* want unique sa's */ 292 ipa_pad:19; 293 uint32_t ipa_ovhd; /* per-packet encap ovhd */ 294 } ipsec_action_t; 295 296 #define IPACT_REFHOLD(ipa) { \ 297 atomic_add_32(&(ipa)->ipa_refs, 1); \ 298 ASSERT((ipa)->ipa_refs != 0); \ 299 } 300 #define IPACT_REFRELE(ipa) { \ 301 ASSERT((ipa)->ipa_refs != 0); \ 302 membar_exit(); \ 303 if (atomic_add_32_nv(&(ipa)->ipa_refs, -1) == 0) \ 304 ipsec_action_free(ipa); \ 305 (ipa) = 0; \ 306 } 307 308 /* 309 * For now, use a trivially sized hash table for actions. 310 * In the future we can add the structure canonicalization necessary 311 * to get the hash function to behave correctly.. 312 */ 313 #define IPSEC_ACTION_HASH_SIZE 1 314 315 /* 316 * Merged address structure, for cheezy address-family independent 317 * matches in policy code. 318 */ 319 320 typedef union ipsec_addr 321 { 322 in6_addr_t ipsad_v6; 323 in_addr_t ipsad_v4; 324 } ipsec_addr_t; 325 326 /* 327 * ipsec selector set, as used by the kernel policy structures. 328 * Note that that we specify "local" and "remote" 329 * rather than "source" and "destination", which allows the selectors 330 * for symmetric policy rules to be shared between inbound and 331 * outbound rules. 332 * 333 * "local" means "destination" on inbound, and "source" on outbound. 334 * "remote" means "source" on inbound, and "destination" on outbound. 335 * XXX if we add a fifth policy enforcement point for forwarded packets, 336 * what do we do? 337 * 338 * The ipsl_valid mask is not done as a bitfield; this is so we 339 * can use "ffs()" to find the "most interesting" valid tag. 340 * 341 * XXX should we have multiple types for space-conservation reasons? 342 * (v4 vs v6? prefix vs. range)? 343 */ 344 345 typedef struct ipsec_selkey 346 { 347 uint32_t ipsl_valid; /* bitmask of valid entries */ 348 #define IPSL_REMOTE_ADDR 0x00000001 349 #define IPSL_LOCAL_ADDR 0x00000002 350 #define IPSL_REMOTE_PORT 0x00000004 351 #define IPSL_LOCAL_PORT 0x00000008 352 #define IPSL_PROTOCOL 0x00000010 353 #define IPSL_ICMP_TYPE 0x00000020 354 #define IPSL_ICMP_CODE 0x00000040 355 #define IPSL_IPV6 0x00000080 356 #define IPSL_IPV4 0x00000100 357 358 #define IPSL_WILDCARD 0x0000007f 359 360 ipsec_addr_t ipsl_local; 361 ipsec_addr_t ipsl_remote; 362 uint16_t ipsl_lport; 363 uint16_t ipsl_rport; 364 /* 365 * ICMP type and code selectors. Both have an end value to 366 * specify ranges, or * and *_end are equal for a single 367 * value 368 */ 369 uint8_t ipsl_icmp_type; 370 uint8_t ipsl_icmp_type_end; 371 uint8_t ipsl_icmp_code; 372 uint8_t ipsl_icmp_code_end; 373 374 uint8_t ipsl_proto; /* ip payload type */ 375 uint8_t ipsl_local_pfxlen; /* #bits of prefix */ 376 uint8_t ipsl_remote_pfxlen; /* #bits of prefix */ 377 uint8_t ipsl_mbz; 378 379 /* Insert new elements above this line */ 380 uint32_t ipsl_pol_hval; 381 uint32_t ipsl_sel_hval; 382 } ipsec_selkey_t; 383 384 typedef struct ipsec_sel 385 { 386 HASH_LINK(ipsl_hash, struct ipsec_sel); 387 uint32_t ipsl_refs; /* # refs to this sel */ 388 ipsec_selkey_t ipsl_key; /* actual selector guts */ 389 } ipsec_sel_t; 390 391 /* 392 * One policy rule. This will be linked into a single hash chain bucket in 393 * the parent rule structure. If the selector is simple enough to 394 * allow hashing, it gets filed under ipsec_policy_root_t->ipr_hash. 395 * Otherwise it goes onto a linked list in ipsec_policy_root_t->ipr_nonhash[af] 396 * 397 * In addition, we file the rule into an avl tree keyed by the rule index. 398 * (Duplicate rules are permitted; the comparison function breaks ties). 399 */ 400 struct ipsec_policy_s 401 { 402 HASH_LINK(ipsp_hash, struct ipsec_policy_s); 403 avl_node_t ipsp_byid; 404 uint64_t ipsp_index; /* unique id */ 405 uint32_t ipsp_prio; /* rule priority */ 406 uint32_t ipsp_refs; 407 ipsec_sel_t *ipsp_sel; /* selector set (shared) */ 408 ipsec_action_t *ipsp_act; /* action (may be shared) */ 409 }; 410 411 #define IPPOL_REFHOLD(ipp) { \ 412 atomic_add_32(&(ipp)->ipsp_refs, 1); \ 413 ASSERT((ipp)->ipsp_refs != 0); \ 414 } 415 #define IPPOL_REFRELE(ipp, ns) { \ 416 ASSERT((ipp)->ipsp_refs != 0); \ 417 membar_exit(); \ 418 if (atomic_add_32_nv(&(ipp)->ipsp_refs, -1) == 0) \ 419 ipsec_policy_free(ipp, ns); \ 420 (ipp) = 0; \ 421 } 422 423 #define IPPOL_UNCHAIN(php, ip, ns) \ 424 HASHLIST_UNCHAIN((ip), ipsp_hash); \ 425 avl_remove(&(php)->iph_rulebyid, (ip)); \ 426 IPPOL_REFRELE(ip, ns); 427 428 /* 429 * Policy ruleset. One per (protocol * direction) for system policy. 430 */ 431 432 #define IPSEC_AF_V4 0 433 #define IPSEC_AF_V6 1 434 #define IPSEC_NAF 2 435 436 typedef struct ipsec_policy_root_s 437 { 438 ipsec_policy_t *ipr_nonhash[IPSEC_NAF]; 439 int ipr_nchains; 440 ipsec_policy_hash_t *ipr_hash; 441 } ipsec_policy_root_t; 442 443 /* 444 * Policy head. One for system policy; there may also be one present 445 * on ill_t's with interface-specific policy, as well as one present 446 * for sockets with per-socket policy allocated. 447 */ 448 449 typedef struct ipsec_policy_head_s 450 { 451 uint32_t iph_refs; 452 krwlock_t iph_lock; 453 uint64_t iph_gen; /* generation number */ 454 ipsec_policy_root_t iph_root[IPSEC_NTYPES]; 455 avl_tree_t iph_rulebyid; 456 } ipsec_policy_head_t; 457 458 #define IPPH_REFHOLD(iph) { \ 459 atomic_add_32(&(iph)->iph_refs, 1); \ 460 ASSERT((iph)->iph_refs != 0); \ 461 } 462 #define IPPH_REFRELE(iph, ns) { \ 463 ASSERT((iph)->iph_refs != 0); \ 464 membar_exit(); \ 465 if (atomic_add_32_nv(&(iph)->iph_refs, -1) == 0) \ 466 ipsec_polhead_free(iph, ns); \ 467 (iph) = 0; \ 468 } 469 470 /* 471 * IPsec fragment related structures 472 */ 473 474 typedef struct ipsec_fragcache_entry { 475 struct ipsec_fragcache_entry *itpfe_next; /* hash list chain */ 476 mblk_t *itpfe_fraglist; /* list of fragments */ 477 time_t itpfe_exp; /* time when entry is stale */ 478 int itpfe_depth; /* # of fragments in list */ 479 ipsec_addr_t itpfe_frag_src; 480 ipsec_addr_t itpfe_frag_dst; 481 #define itpfe_src itpfe_frag_src.ipsad_v4 482 #define itpfe_src6 itpfe_frag_src.ipsad_v6 483 #define itpfe_dst itpfe_frag_dst.ipsad_v4 484 #define itpfe_dst6 itpfe_frag_dst.ipsad_v6 485 uint32_t itpfe_id; /* IP datagram ID */ 486 uint8_t itpfe_proto; /* IP Protocol */ 487 uint8_t itpfe_last; /* Last packet */ 488 } ipsec_fragcache_entry_t; 489 490 typedef struct ipsec_fragcache { 491 kmutex_t itpf_lock; 492 struct ipsec_fragcache_entry **itpf_ptr; 493 struct ipsec_fragcache_entry *itpf_freelist; 494 time_t itpf_expire_hint; /* time when oldest entry is stale */ 495 } ipsec_fragcache_t; 496 497 /* 498 * Tunnel policies. We keep a minature of the transport-mode/global policy 499 * per each tunnel instance. 500 * 501 * People who need both an itp held down AND one of its polheads need to 502 * first lock the itp, THEN the polhead, otherwise deadlock WILL occur. 503 */ 504 typedef struct ipsec_tun_pol_s { 505 avl_node_t itp_node; 506 kmutex_t itp_lock; 507 uint64_t itp_next_policy_index; 508 ipsec_policy_head_t *itp_policy; 509 ipsec_policy_head_t *itp_inactive; 510 uint32_t itp_flags; 511 uint32_t itp_refcnt; 512 char itp_name[LIFNAMSIZ]; 513 ipsec_fragcache_t itp_fragcache; 514 } ipsec_tun_pol_t; 515 /* NOTE - Callers (tun code) synchronize their own instances for these flags. */ 516 #define ITPF_P_ACTIVE 0x1 /* Are we using IPsec right now? */ 517 #define ITPF_P_TUNNEL 0x2 /* Negotiate tunnel-mode */ 518 /* Optimization -> Do we have per-port security entries in this polhead? */ 519 #define ITPF_P_PER_PORT_SECURITY 0x4 520 #define ITPF_PFLAGS 0x7 521 #define ITPF_SHIFT 3 522 523 #define ITPF_I_ACTIVE 0x8 /* Is the inactive using IPsec right now? */ 524 #define ITPF_I_TUNNEL 0x10 /* Negotiate tunnel-mode (on inactive) */ 525 /* Optimization -> Do we have per-port security entries in this polhead? */ 526 #define ITPF_I_PER_PORT_SECURITY 0x20 527 #define ITPF_IFLAGS 0x38 528 529 /* NOTE: f cannot be an expression. */ 530 #define ITPF_CLONE(f) (f) = (((f) & ITPF_PFLAGS) | \ 531 (((f) & ITPF_PFLAGS) << ITPF_SHIFT)); 532 #define ITPF_SWAP(f) (f) = ((((f) & ITPF_PFLAGS) << ITPF_SHIFT) | \ 533 (((f) & ITPF_IFLAGS) >> ITPF_SHIFT)) 534 535 #define ITP_P_ISACTIVE(itp, iph) ((itp)->itp_flags & \ 536 (((itp)->itp_policy == (iph)) ? ITPF_P_ACTIVE : ITPF_I_ACTIVE)) 537 538 #define ITP_P_ISTUNNEL(itp, iph) ((itp)->itp_flags & \ 539 (((itp)->itp_policy == (iph)) ? ITPF_P_TUNNEL : ITPF_I_TUNNEL)) 540 541 #define ITP_P_ISPERPORT(itp, iph) ((itp)->itp_flags & \ 542 (((itp)->itp_policy == (iph)) ? ITPF_P_PER_PORT_SECURITY : \ 543 ITPF_I_PER_PORT_SECURITY)) 544 545 #define ITP_REFHOLD(itp) { \ 546 atomic_add_32(&((itp)->itp_refcnt), 1); \ 547 ASSERT((itp)->itp_refcnt != 0); \ 548 } 549 550 #define ITP_REFRELE(itp, ns) { \ 551 ASSERT((itp)->itp_refcnt != 0); \ 552 membar_exit(); \ 553 if (atomic_add_32_nv(&((itp)->itp_refcnt), -1) == 0) \ 554 itp_free(itp, ns); \ 555 } 556 557 /* 558 * Certificate identity. 559 */ 560 561 typedef struct ipsid_s 562 { 563 struct ipsid_s *ipsid_next; 564 struct ipsid_s **ipsid_ptpn; 565 uint32_t ipsid_refcnt; 566 int ipsid_type; /* id type */ 567 char *ipsid_cid; /* certificate id string */ 568 } ipsid_t; 569 570 /* 571 * ipsid_t reference hold/release macros, just like ipsa versions. 572 */ 573 574 #define IPSID_REFHOLD(ipsid) { \ 575 atomic_add_32(&(ipsid)->ipsid_refcnt, 1); \ 576 ASSERT((ipsid)->ipsid_refcnt != 0); \ 577 } 578 579 /* 580 * Decrement the reference count on the ID. Someone else will clean up 581 * after us later. 582 */ 583 584 #define IPSID_REFRELE(ipsid) { \ 585 membar_exit(); \ 586 atomic_add_32(&(ipsid)->ipsid_refcnt, -1); \ 587 } 588 589 struct ipsec_out_s; 590 591 /* 592 * Following are the estimates of what the maximum AH and ESP header size 593 * would be. This is used to tell the upper layer the right value of MSS 594 * it should use without consulting AH/ESP. If the size is something 595 * different from this, ULP will learn the right one through 596 * ICMP_FRAGMENTATION_NEEDED messages generated locally. 597 * 598 * AH : 12 bytes of constant header + 12 bytes of ICV checksum (MD5/SHA1). 599 * 600 * ESP : 8 bytes of constant header + 16 bytes of IV + 12 bytes ICV + 601 * 2 bytes of trailer + 15 bytes pad = 53 602 * 603 * Note that for ESP, this estimate is overly pessimistic; however, a 604 * more accurate estimate needs to know the exact amount of space 605 * which will be available to ESP so it can just leave 2 bytes free in 606 * the last cipherblock for the ESP inner trailer, and that 607 * information is not available at the right moment in the current 608 * stack. 609 */ 610 #define IPSEC_MAX_AH_HDR_SIZE (24) 611 #define IPSEC_MAX_ESP_HDR_SIZE (53) 612 613 /* Alternate, when we know the crypto block size */ 614 #define IPSEC_BASE_ESP_HDR_SIZE(sa) (4 + 4 + 12 + 1 + 2 * (sa)->ipsa_iv_len) 615 #define IPSEC_DEF_BLOCKSIZE (8) /* safe default */ 616 617 /* 618 * Identity hash table. 619 * 620 * Identities are refcounted and "interned" into the hash table. 621 * Only references coming from other objects (SA's, latching state) 622 * are counted in ipsid_refcnt. 623 * 624 * Locking: IPSID_REFHOLD is safe only when (a) the object's hash bucket 625 * is locked, (b) we know that the refcount must be > 0. 626 * 627 * The ipsid_next and ipsid_ptpn fields are only to be referenced or 628 * modified when the bucket lock is held; in particular, we only 629 * delete objects while holding the bucket lock, and we only increase 630 * the refcount from 0 to 1 while the bucket lock is held. 631 */ 632 633 #define IPSID_HASHSIZE 64 634 635 typedef struct ipsif_s 636 { 637 ipsid_t *ipsif_head; 638 kmutex_t ipsif_lock; 639 } ipsif_t; 640 641 642 /* 643 * IPSEC stack instances 644 */ 645 struct ipsec_stack { 646 netstack_t *ipsec_netstack; /* Common netstack */ 647 648 /* Packet dropper for IP IPsec processing failures */ 649 ipdropper_t ipsec_dropper; 650 651 /* From spd.c */ 652 /* 653 * Policy rule index generator. We assume this won't wrap in the 654 * lifetime of a system. If we make 2^20 policy changes per second, 655 * this will last 2^44 seconds, or roughly 500,000 years, so we don't 656 * have to worry about reusing policy index values. 657 */ 658 uint64_t ipsec_next_policy_index; 659 660 HASH_HEAD(ipsec_action_s) ipsec_action_hash[IPSEC_ACTION_HASH_SIZE]; 661 HASH_HEAD(ipsec_sel) *ipsec_sel_hash; 662 uint32_t ipsec_spd_hashsize; 663 664 ipsif_t ipsec_ipsid_buckets[IPSID_HASHSIZE]; 665 666 /* 667 * Active & Inactive system policy roots 668 */ 669 ipsec_policy_head_t ipsec_system_policy; 670 ipsec_policy_head_t ipsec_inactive_policy; 671 672 /* Packet dropper for generic SPD drops. */ 673 ipdropper_t ipsec_spd_dropper; 674 krwlock_t ipsec_itp_get_byaddr_rw_lock; 675 ipsec_tun_pol_t *(*ipsec_itp_get_byaddr) 676 (uint32_t *, uint32_t *, int, netstack_t *); 677 678 /* ipdrop.c */ 679 kstat_t *ipsec_ip_drop_kstat; 680 struct ip_dropstats *ipsec_ip_drop_types; 681 682 /* spd.c */ 683 /* 684 * Have a counter for every possible policy message in 685 * ipsec_policy_failure_msgs 686 */ 687 uint32_t ipsec_policy_failure_count[IPSEC_POLICY_MAX]; 688 /* Time since last ipsec policy failure that printed a message. */ 689 hrtime_t ipsec_policy_failure_last; 690 691 /* ip_spd.c */ 692 /* stats */ 693 kstat_t *ipsec_ksp; 694 struct ipsec_kstats_s *ipsec_kstats; 695 696 /* sadb.c */ 697 /* Packet dropper for generic SADB drops. */ 698 ipdropper_t ipsec_sadb_dropper; 699 700 /* spd.c */ 701 boolean_t ipsec_inbound_v4_policy_present; 702 boolean_t ipsec_outbound_v4_policy_present; 703 boolean_t ipsec_inbound_v6_policy_present; 704 boolean_t ipsec_outbound_v6_policy_present; 705 706 /* spd.c */ 707 /* 708 * Because policy needs to know what algorithms are supported, keep the 709 * lists of algorithms here. 710 */ 711 kmutex_t ipsec_alg_lock; 712 713 uint8_t ipsec_nalgs[IPSEC_NALGTYPES]; 714 ipsec_alginfo_t *ipsec_alglists[IPSEC_NALGTYPES][IPSEC_MAX_ALGS]; 715 716 uint8_t ipsec_sortlist[IPSEC_NALGTYPES][IPSEC_MAX_ALGS]; 717 718 int ipsec_algs_exec_mode[IPSEC_NALGTYPES]; 719 720 uint32_t ipsec_tun_spd_hashsize; 721 /* 722 * Tunnel policies - AVL tree indexed by tunnel name. 723 */ 724 krwlock_t ipsec_tunnel_policy_lock; 725 uint64_t ipsec_tunnel_policy_gen; 726 avl_tree_t ipsec_tunnel_policies; 727 728 /* ipsec_loader.c */ 729 kmutex_t ipsec_loader_lock; 730 int ipsec_loader_state; 731 int ipsec_loader_sig; 732 kt_did_t ipsec_loader_tid; 733 kcondvar_t ipsec_loader_sig_cv; /* For loader_sig conditions. */ 734 735 }; 736 typedef struct ipsec_stack ipsec_stack_t; 737 738 /* Handle the kstat_create in ip_drop_init() failing */ 739 #define DROPPER(_ipss, _dropper) \ 740 (((_ipss)->ipsec_ip_drop_types == NULL) ? NULL : \ 741 &((_ipss)->ipsec_ip_drop_types->_dropper)) 742 743 /* 744 * Loader states.. 745 */ 746 #define IPSEC_LOADER_WAIT 0 747 #define IPSEC_LOADER_FAILED -1 748 #define IPSEC_LOADER_SUCCEEDED 1 749 750 /* 751 * ipsec_loader entrypoints. 752 */ 753 extern void ipsec_loader_init(ipsec_stack_t *); 754 extern void ipsec_loader_start(ipsec_stack_t *); 755 extern void ipsec_loader_destroy(ipsec_stack_t *); 756 extern void ipsec_loader_loadnow(ipsec_stack_t *); 757 extern boolean_t ipsec_loader_wait(queue_t *q, ipsec_stack_t *); 758 extern boolean_t ipsec_loaded(ipsec_stack_t *); 759 extern boolean_t ipsec_failed(ipsec_stack_t *); 760 761 /* 762 * callback from ipsec_loader to ip 763 */ 764 extern void ip_ipsec_load_complete(ipsec_stack_t *); 765 766 /* 767 * ipsec policy entrypoints (spd.c) 768 */ 769 770 extern void ipsec_policy_g_destroy(void); 771 extern void ipsec_policy_g_init(void); 772 773 extern int ipsec_alloc_table(ipsec_policy_head_t *, int, int, boolean_t, 774 netstack_t *); 775 extern void ipsec_polhead_init(ipsec_policy_head_t *, int); 776 extern void ipsec_polhead_destroy(ipsec_policy_head_t *); 777 extern void ipsec_polhead_free_table(ipsec_policy_head_t *); 778 extern mblk_t *ipsec_check_global_policy(mblk_t *, conn_t *, ipha_t *, 779 ip6_t *, boolean_t, netstack_t *); 780 extern mblk_t *ipsec_check_inbound_policy(mblk_t *, conn_t *, ipha_t *, ip6_t *, 781 boolean_t); 782 783 extern boolean_t ipsec_in_to_out(mblk_t *, ipha_t *, ip6_t *); 784 extern void ipsec_log_policy_failure(int, char *, ipha_t *, ip6_t *, boolean_t, 785 netstack_t *); 786 extern boolean_t ipsec_inbound_accept_clear(mblk_t *, ipha_t *, ip6_t *); 787 extern int ipsec_conn_cache_policy(conn_t *, boolean_t); 788 extern mblk_t *ipsec_alloc_ipsec_out(netstack_t *); 789 extern mblk_t *ipsec_attach_ipsec_out(mblk_t *, conn_t *, ipsec_policy_t *, 790 uint8_t, netstack_t *); 791 extern mblk_t *ipsec_init_ipsec_out(mblk_t *, conn_t *, ipsec_policy_t *, 792 uint8_t, netstack_t *); 793 struct ipsec_in_s; 794 extern ipsec_action_t *ipsec_in_to_out_action(struct ipsec_in_s *); 795 extern boolean_t ipsec_check_ipsecin_latch(struct ipsec_in_s *, mblk_t *, 796 struct ipsec_latch_s *, ipha_t *, ip6_t *, const char **, kstat_named_t **, 797 conn_t *); 798 extern void ipsec_latch_inbound(ipsec_latch_t *ipl, struct ipsec_in_s *ii); 799 800 extern void ipsec_policy_free(ipsec_policy_t *, netstack_t *); 801 extern void ipsec_action_free(ipsec_action_t *); 802 extern void ipsec_polhead_free(ipsec_policy_head_t *, netstack_t *); 803 extern ipsec_policy_head_t *ipsec_polhead_split(ipsec_policy_head_t *, 804 netstack_t *); 805 extern ipsec_policy_head_t *ipsec_polhead_create(void); 806 extern ipsec_policy_head_t *ipsec_system_policy(netstack_t *); 807 extern ipsec_policy_head_t *ipsec_inactive_policy(netstack_t *); 808 extern void ipsec_swap_policy(ipsec_policy_head_t *, ipsec_policy_head_t *, 809 netstack_t *); 810 extern void ipsec_swap_global_policy(netstack_t *); 811 812 extern int ipsec_clone_system_policy(netstack_t *); 813 extern ipsec_policy_t *ipsec_policy_create(ipsec_selkey_t *, 814 const ipsec_act_t *, int, int, uint64_t *, netstack_t *); 815 extern boolean_t ipsec_policy_delete(ipsec_policy_head_t *, 816 ipsec_selkey_t *, int, netstack_t *); 817 extern int ipsec_policy_delete_index(ipsec_policy_head_t *, uint64_t, 818 netstack_t *); 819 extern void ipsec_polhead_flush(ipsec_policy_head_t *, netstack_t *); 820 extern int ipsec_copy_polhead(ipsec_policy_head_t *, ipsec_policy_head_t *, 821 netstack_t *); 822 extern void ipsec_actvec_from_req(ipsec_req_t *, ipsec_act_t **, uint_t *, 823 netstack_t *); 824 extern void ipsec_actvec_free(ipsec_act_t *, uint_t); 825 extern int ipsec_req_from_head(ipsec_policy_head_t *, ipsec_req_t *, int); 826 extern mblk_t *ipsec_construct_inverse_acquire(sadb_msg_t *, sadb_ext_t **, 827 netstack_t *); 828 extern mblk_t *ip_wput_attach_policy(mblk_t *, ipha_t *, ip6_t *, ire_t *, 829 conn_t *, boolean_t, zoneid_t); 830 extern mblk_t *ip_wput_ire_parse_ipsec_out(mblk_t *, ipha_t *, ip6_t *, 831 ire_t *, conn_t *, boolean_t, zoneid_t); 832 extern ipsec_policy_t *ipsec_find_policy(int, conn_t *, 833 struct ipsec_out_s *, ipsec_selector_t *, netstack_t *); 834 extern ipsid_t *ipsid_lookup(int, char *, netstack_t *); 835 extern boolean_t ipsid_equal(ipsid_t *, ipsid_t *); 836 extern void ipsid_gc(netstack_t *); 837 extern void ipsec_latch_ids(ipsec_latch_t *, ipsid_t *, ipsid_t *); 838 839 extern void ipsec_config_flush(netstack_t *); 840 extern boolean_t ipsec_check_policy(ipsec_policy_head_t *, ipsec_policy_t *, 841 int); 842 extern void ipsec_enter_policy(ipsec_policy_head_t *, ipsec_policy_t *, int, 843 netstack_t *); 844 extern boolean_t ipsec_check_action(ipsec_act_t *, int *, netstack_t *); 845 846 extern mblk_t *ipsec_out_tag(mblk_t *, mblk_t *, netstack_t *); 847 extern mblk_t *ipsec_in_tag(mblk_t *, mblk_t *, netstack_t *); 848 extern mblk_t *ip_copymsg(mblk_t *mp); 849 850 extern void iplatch_free(ipsec_latch_t *, netstack_t *); 851 extern ipsec_latch_t *iplatch_create(void); 852 extern int ipsec_set_req(cred_t *, conn_t *, ipsec_req_t *); 853 854 extern void ipsec_insert_always(avl_tree_t *tree, void *new_node); 855 856 extern int32_t ipsec_act_ovhd(const ipsec_act_t *act); 857 858 859 extern boolean_t iph_ipvN(ipsec_policy_head_t *, boolean_t); 860 861 /* 862 * Tunnel-support SPD functions and variables. 863 */ 864 struct tun_s; /* Defined in inet/tun.h. */ 865 extern boolean_t ipsec_tun_inbound(mblk_t *, mblk_t **, ipsec_tun_pol_t *, 866 ipha_t *, ip6_t *, ipha_t *, ip6_t *, int, netstack_t *); 867 extern mblk_t *ipsec_tun_outbound(mblk_t *, struct tun_s *, ipha_t *, 868 ip6_t *, ipha_t *, ip6_t *, int, netstack_t *); 869 extern void itp_free(ipsec_tun_pol_t *, netstack_t *); 870 extern ipsec_tun_pol_t *create_tunnel_policy(char *, int *, uint64_t *, 871 netstack_t *); 872 extern ipsec_tun_pol_t *get_tunnel_policy(char *, netstack_t *); 873 extern void itp_unlink(ipsec_tun_pol_t *, netstack_t *); 874 extern void itp_walk(void (*)(ipsec_tun_pol_t *, void *, netstack_t *), 875 void *, netstack_t *); 876 877 extern ipsec_tun_pol_t *itp_get_byaddr_dummy(uint32_t *, uint32_t *, 878 int, netstack_t *); 879 880 /* 881 * IPsec AH/ESP functions called from IP. 882 */ 883 884 extern void ipsecah_in_assocfailure(mblk_t *, char, ushort_t, char *, 885 uint32_t, void *, int, ipsecah_stack_t *); 886 extern void ipsecesp_in_assocfailure(mblk_t *, char, ushort_t, char *, 887 uint32_t, void *, int, ipsecesp_stack_t *); 888 889 /* 890 * Algorithm management helper functions. 891 */ 892 extern boolean_t ipsec_valid_key_size(uint16_t, ipsec_alginfo_t *); 893 894 /* 895 * Per-socket policy, for now, takes precedence... this priority value 896 * insures it. 897 */ 898 #define IPSEC_PRIO_SOCKET 0x1000000 899 900 /* DDI initialization functions. */ 901 extern boolean_t ipsecesp_ddi_init(void); 902 extern boolean_t ipsecah_ddi_init(void); 903 extern boolean_t keysock_ddi_init(void); 904 extern boolean_t spdsock_ddi_init(void); 905 906 extern void ipsecesp_ddi_destroy(void); 907 extern void ipsecah_ddi_destroy(void); 908 extern void keysock_ddi_destroy(void); 909 extern void spdsock_ddi_destroy(void); 910 911 /* 912 * AH- and ESP-specific functions that are called directly by other modules. 913 */ 914 extern void ipsecah_fill_defs(struct sadb_x_ecomb *, netstack_t *); 915 extern void ipsecesp_fill_defs(struct sadb_x_ecomb *, netstack_t *); 916 extern void ipsecah_algs_changed(netstack_t *); 917 extern void ipsecesp_algs_changed(netstack_t *); 918 extern void ipsecesp_init_funcs(ipsa_t *); 919 extern void ipsecah_init_funcs(ipsa_t *); 920 extern ipsec_status_t ipsecah_icmp_error(mblk_t *); 921 extern ipsec_status_t ipsecesp_icmp_error(mblk_t *); 922 923 /* 924 * Wrapper for putnext() to ipsec accelerated interface. 925 */ 926 extern void ipsec_hw_putnext(queue_t *, mblk_t *); 927 928 /* 929 * spdsock functions that are called directly by IP. 930 */ 931 extern void spdsock_update_pending_algs(netstack_t *); 932 933 /* 934 * IP functions that are called from AH and ESP. 935 */ 936 extern boolean_t ipsec_outbound_sa(mblk_t *, uint_t); 937 extern esph_t *ipsec_inbound_esp_sa(mblk_t *, netstack_t *); 938 extern ah_t *ipsec_inbound_ah_sa(mblk_t *, netstack_t *); 939 extern ipsec_policy_t *ipsec_find_policy_head(ipsec_policy_t *, 940 ipsec_policy_head_t *, int, ipsec_selector_t *, netstack_t *); 941 942 /* 943 * IP dropper init/destroy. 944 */ 945 void ip_drop_init(ipsec_stack_t *); 946 void ip_drop_destroy(ipsec_stack_t *); 947 948 /* 949 * NAT-Traversal cleanup 950 */ 951 extern void nattymod_clean_ipif(ipif_t *); 952 953 /* 954 * Common functions 955 */ 956 extern boolean_t ip_addr_match(uint8_t *, int, in6_addr_t *); 957 958 /* 959 * AH and ESP counters types. 960 */ 961 typedef uint32_t ah_counter; 962 typedef uint32_t esp_counter; 963 964 #endif /* _KERNEL */ 965 966 #ifdef __cplusplus 967 } 968 #endif 969 970 #endif /* _INET_IPSEC_IMPL_H */ 971