/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#ifndef	_INET_IPSEC_INFO_H
#define	_INET_IPSEC_INFO_H

#pragma ident	"%Z%%M% %I% %E% SMI"

#ifdef	__cplusplus
extern "C" {
#endif

/*
 * Only the crypto framework types (crypto_data_t, crypto_dual_data_t) are
 * provided by this include.  frtn_t, mblk_t, zoneid_t, cred_t, minor_t,
 * ipsec_latch_t, struct sadb_ext and SADB_EXT_MAX are used below but not
 * declared here, so this header appears to rely on the includer having
 * pulled in the STREAMS, zone, credential and PF_KEY headers first.
 */
#include <sys/crypto/common.h>

/*
 * IPsec informational messages.  These are M_CTL STREAMS messages, which
 * convey IPsec information between various IP and related modules.  The
 * messages come in a few flavors:
 *
 * * IPSEC_{IN,OUT} - These show what IPsec action have been taken (for
 *   inbound datagrams), or need to be taken (for outbound datagrams).
 *   They flow between AH/ESP and IP.
 *
 * * Keysock consumer interface - These messages are wrappers for
 *   PF_KEY messages.  They flow between AH/ESP and keysock.
 *
 * Every message type defined in this file starts with the same two
 * fields, a uint32_t type followed by a uint32_t length in bytes, so a
 * receiver can dispatch on the type (and sanity-check the length against
 * the M_CTL block it actually received) before treating the block as a
 * specific structure.  See the ipsec_info_t union at the end of the file.
 */

/* EXPORT DELETE START */ /* CRYPT DELETE START */
#if 0
/*
 * I obscure the ipsec_info "prefix" for purposes of export control, and
 * domestic source distribution.
 */
/* EXPORT DELETE END */ /* CRYPT DELETE END */

/*
 * The IPsec M_CTL value MUST be something that will not be even close
 * to an IPv4 or IPv6 header.  This means the first byte must not be
 * 0x40 - 0x4f or 0x60-0x6f.  For big-endian machines, this is fixable with
 * the IPSEC_M_CTL prefix.  For little-endian machines, the actual M_CTL
 * _type_ must not be in the aforementioned ranges.
 *
 * The reason for this avoidance is because M_CTL's with a real IPv4/IPv6
 * datagram get sent to TCP or UDP when an ICMP datagram affects a
 * TCP/UDP session.  Keeping the first byte out of those ranges is what
 * lets a receiver tell an IPsec control block apart from a raw IP header
 * that happens to arrive on the same M_CTL path.
 */

#define	IPSEC_M_CTL	(('!' << 24) + ('@' << 16) + ('@' << 8))
/* EXPORT DELETE START */ /* CRYPT DELETE START */
#else
/*
 * Low-order byte is 0x00, so for IPSEC_M_CTL + n the low byte is n itself;
 * the 0x40 - 0x4f / 0x60 - 0x6f restriction below therefore applies
 * directly to the offsets chosen in this file.
 */
#define	IPSEC_M_CTL	0x7dfaae00
#endif /* False */
/* EXPORT DELETE END */ /* CRYPT DELETE END */

/*
 * M_CTL types for IPsec messages.  Remember, the values 0x40 - 0x4f and 0x60
 * - 0x6f are not to be used because of potential little-endian confusion.
 *
 * Offsets 1-25 (decimal) are in use, spread through this file.
 * Check for duplicates through the whole file before adding.
 * (Offsets 1-7, 24 and 25 are the ones defined in this header; the
 * remaining offsets in that range are presumably defined elsewhere.)
 */

/*
 * IPSEC_{IN,OUT} policy expressors.
 */
#define	IPSEC_IN	(IPSEC_M_CTL + 1)
#define	IPSEC_OUT	(IPSEC_M_CTL + 2)

/*
 * This is used for communication between IP and IPSEC (AH/ESP)
 * for Inbound datagrams.  IPSEC_IN is allocated by IP before IPSEC
 * processing begins.  On return spi fields are initialized so that
 * IP can locate the security associations later on for doing policy
 * checks.  For loopback case, IPSEC processing is not done.  But the
 * attributes of the security are reflected in <foo>_done fields below.
 * The code in policy check infers that it is a loopback case and
 * would not try to get the associations.
 *
 * Layout note: the first two members (type, len) must stay first so that
 * the ipsec_allu prefix of ipsec_info_t overlays them correctly.
 */
typedef struct ipsec_in_s {
	uint32_t ipsec_in_type;
	uint32_t ipsec_in_len;
	frtn_t ipsec_in_frtn;		/* for esballoc() callback */
	struct ipsa_s *ipsec_in_ah_sa;	/* SA for AH */
	struct ipsa_s *ipsec_in_esp_sa;	/* SA for ESP */

	struct ipsec_policy_head_s *ipsec_in_policy;
	struct ipsec_action_s *ipsec_in_action;	/* how we made it in.. */
	/* 8 one-bit flags + 24 pad bits = one 32-bit unit. */
	unsigned int
	    ipsec_in_secure : 1,	/* Is the message attached secure ? */
	    ipsec_in_v4 : 1,		/* Is this an ipv4 packet ? */
	    ipsec_in_loopback : 1,	/* Is this a loopback request ? */
	    ipsec_in_dont_check : 1,	/* Used by TCP to avoid policy check */

	    ipsec_in_decaps : 1,	/* Was this packet decapsulated from */
					/* a matching inner packet? */
	    ipsec_in_attach_if : 1,	/* Don't load spread this packet */
	    ipsec_in_accelerated : 1,	/* hardware accelerated packet */

	    ipsec_in_icmp_loopback : 1,	/* Looped-back ICMP packet, */
					/* all should trust this. */
	    ipsec_in_pad_bits : 24;

	int ipsec_in_ill_index;		/* interface on which ipha_dst was */
					/* configured when pkt was recv'd */
	int ipsec_in_rill_index;	/* interface on which pkt was recv'd */
	mblk_t *ipsec_in_da;		/* data attr. for accelerated pkts */

	/*
	 * For call to the kernel crypto framework.  State needed during
	 * the execution of a crypto request.  Storing these here
	 * allows us to avoid a separate allocation before calling the
	 * crypto framework.
	 */
	size_t ipsec_in_skip_len;		/* len to skip for AH auth */
	crypto_data_t ipsec_in_crypto_data;	/* single op crypto data */
	crypto_dual_data_t ipsec_in_crypto_dual_data;	/* for dual ops */
	crypto_data_t ipsec_in_crypto_mac;	/* to store the MAC */

	zoneid_t ipsec_in_zoneid;	/* target zone for the datagram */

#ifdef DEBUG
	/*
	 * To aid in IPSEC_IN leak detection, save a copy of the inbound IPsec
	 * header in DEBUG kernels.  It takes no more space overall because
	 * ipsec_info_t is more than sizeof (IPv4 or IPv6) bytes larger than
	 * ipsec_in_t.  (60 bytes was chosen as a nice safe number.  Using
	 * an IP or IPv6 constant increases the header file count for
	 * consumers of this header file.)
	 *
	 * Note that this makes sizeof (ipsec_in_t) differ between DEBUG and
	 * non-DEBUG builds; only the overall ipsec_info_t size is claimed to
	 * be unaffected.
	 */
	uint8_t ipsec_in_saved_hdr[60];
#endif
} ipsec_in_t;

/*
 * This is used for communication between IP and IPSEC (AH/ESP)
 * for Outbound datagrams.  IPSEC_OUT is allocated by IP before IPSEC
 * processing begins.  On return SA fields are initialized so that
 * IP can locate the security associations later on for doing policy
 * checks.  The policy and the actions associated with this packet are
 * stored in the ipsec_out_policy and ipsec_out_act fields respectively.
 * IPSEC_OUT is also used to carry non-ipsec information when conn is
 * absent or the conn information is lost across the calls to ARP.
 * example: message from ARP or from ICMP error routines.
 *
 * Layout note: the first two members (type, len) must stay first so that
 * the ipsec_allu prefix of ipsec_info_t overlays them correctly.
 */
typedef struct ipsec_out_s {
	uint32_t ipsec_out_type;
	uint32_t ipsec_out_len;
	frtn_t ipsec_out_frtn;		/* for esballoc() callback */
	struct ipsec_policy_head_s *ipsec_out_polhead;
	ipsec_latch_t *ipsec_out_latch;
	struct ipsec_policy_s *ipsec_out_policy;	/* why are we here? */
	struct ipsec_action_s *ipsec_out_act;	/* what do we want? */
	struct ipsa_s *ipsec_out_ah_sa;	/* AH SA used for the packet */
	struct ipsa_s *ipsec_out_esp_sa;	/* ESP SA used for the packet */
	/*
	 * NOTE: "Source" and "Dest" are w.r.t. outbound datagrams.  Ports can
	 * be zero, and the protocol number is needed to make the ports
	 * significant.
	 */
	uint16_t ipsec_out_src_port;	/* Source port number of d-gram. */
	uint16_t ipsec_out_dst_port;	/* Destination port number of d-gram. */
	uint8_t ipsec_out_icmp_type;	/* ICMP type of d-gram */
	uint8_t ipsec_out_icmp_code;	/* ICMP code of d-gram */
	uint_t ipsec_out_ill_index;	/* ill index used for multicast etc. */
	uint8_t ipsec_out_proto;	/* IP protocol number for d-gram. */
	/* 20 one-bit flags + 12 pad bits = one 32-bit unit. */
	unsigned int
	    ipsec_out_encaps : 1,	/* Encapsulation done ? */
	    ipsec_out_use_global_policy : 1, /* Inherit global policy ? */
	    ipsec_out_secure : 1,	/* Is this secure ? */
	    ipsec_out_proc_begin : 1,	/* IPSEC processing begun */
	    /*
	     * Following five values reflect the values stored
	     * in conn.
	     */
	    ipsec_out_multicast_loop : 1,
	    ipsec_out_dontroute : 1,
	    ipsec_out_reserved : 1,
	    ipsec_out_v4 : 1,

	    ipsec_out_attach_if : 1,
	    ipsec_out_unspec_src : 1,	/* IPv6 ip6i_t info */
	    ipsec_out_reachable : 1,	/* NDP reachability info */
	    /*
	     * Following bit is used by ip_mrtun_forward to convey
	     * xmit_ill information along with ICMP error msg
	     */
	    ipsec_out_xmit_if: 1,

	    ipsec_out_failed: 1,
	    ipsec_out_se_done: 1,
	    ipsec_out_esp_done: 1,
	    ipsec_out_ah_done: 1,

	    ipsec_out_need_policy: 1,

	    /*
	     * To indicate that packet must be accelerated, i.e.
	     * ICV or encryption performed, by Provider.
	     */
	    ipsec_out_accelerated : 1,
	    /*
	     * Used by IP to tell IPsec that the outbound ill for this
	     * packet supports acceleration of the AH or ESP protocol.
	     * If set, ipsec_out_capab_ill_index contains the
	     * index of the ill.
	     */
	    ipsec_out_is_capab_ill : 1,
	    /*
	     * Indicates ICMP message destined for self.  These
	     * messages are to be trusted by all receivers.
	     */
	    ipsec_out_icmp_loopback: 1,
	    ipsec_out_pad_bits : 12;
	cred_t *ipsec_out_cred;
	uint32_t ipsec_out_capab_ill_index;	/* valid iff ipsec_out_is_capab_ill */

	/*
	 * For call to the kernel crypto framework.  State needed during
	 * the execution of a crypto request.  Storing these here
	 * allows us to avoid a separate allocation before calling the
	 * crypto framework.
	 */
	size_t ipsec_out_skip_len;		/* len to skip for AH auth */
	crypto_data_t ipsec_out_crypto_data;	/* single op crypto data */
	crypto_dual_data_t ipsec_out_crypto_dual_data;	/* for dual ops */
	crypto_data_t ipsec_out_crypto_mac;	/* to store the MAC */

	zoneid_t ipsec_out_zoneid;	/* source zone for the datagram */
} ipsec_out_t;

/*
 * This is used to mark the ipsec_out_t *req* fields
 * when the operation is done without affecting the
 * requests.
 *
 * NOTE(review): ipsec_out_t as declared above carries no member named
 * *req*; the fields these bits are OR-ed into appear to live elsewhere
 * (or under a different name) - confirm against the AH/ESP users.
 */
#define	IPSEC_REQ_DONE		0x80000000
/*
 * Operation could not be performed by the AH/ESP
 * module.
 */
#define	IPSEC_REQ_FAILED	0x40000000

/*
 * Keysock consumer interface.
 *
 * The driver/module keysock (which is a driver to PF_KEY sockets, but is
 * a module to 'consumers' like AH and ESP) uses keysock consumer interface
 * messages to pass on PF_KEY messages to consumers who process and act upon
 * them.
 */
#define	KEYSOCK_IN		(IPSEC_M_CTL + 3)
#define	KEYSOCK_OUT		(IPSEC_M_CTL + 4)
#define	KEYSOCK_OUT_ERR		(IPSEC_M_CTL + 5)
#define	KEYSOCK_HELLO		(IPSEC_M_CTL + 6)
#define	KEYSOCK_HELLO_ACK	(IPSEC_M_CTL + 7)

/*
 * KEYSOCK_HELLO is sent by keysock to a consumer when it is pushed on top
 * of one (i.e. opened as a module).
 *
 * NOTE: Keysock_hello is simply an ipsec_info_t
 */

/*
 * KEYSOCK_HELLO_ACK is sent by a consumer to acknowledge a KEYSOCK_HELLO.
 * It contains the PF_KEYv2 sa_type, so keysock can redirect PF_KEY messages
 * to the right consumer.
 */
typedef struct keysock_hello_ack_s {
	uint32_t ks_hello_type;
	uint32_t ks_hello_len;
	uint8_t ks_hello_satype;	/* PF_KEYv2 sa_type of ks client */
} keysock_hello_ack_t;

/*
 * Address classification values for the ks_in_srctype / ks_in_dsttype /
 * ks_in_proxytype fields of keysock_in_t.
 */
#define	KS_IN_ADDR_UNKNOWN 0
#define	KS_IN_ADDR_NOTTHERE 1
#define	KS_IN_ADDR_UNSPEC 2
#define	KS_IN_ADDR_ME 3
#define	KS_IN_ADDR_NOTME 4
#define	KS_IN_ADDR_MBCAST 5

/*
 * KEYSOCK_IN is a PF_KEY message from a PF_KEY socket destined for a consumer.
 */
typedef struct keysock_in_s {
	uint32_t ks_in_type;
	uint32_t ks_in_len;
	/*
	 * NOTE: These pointers MUST be into the M_DATA that follows
	 * this M_CTL message.  If they aren't, weirdness
	 * results.  (Indexed by PF_KEY extension type; a NULL entry
	 * presumably means the extension was absent - verify in keysock.)
	 */
	struct sadb_ext *ks_in_extv[SADB_EXT_MAX + 1];
	int ks_in_srctype;	/* Source address type (KS_IN_ADDR_*). */
	int ks_in_dsttype;	/* Dest address type (KS_IN_ADDR_*). */
	int ks_in_proxytype;	/* Proxy address type (KS_IN_ADDR_*). */
	minor_t ks_in_serial;	/* Serial # of sending socket. */
} keysock_in_t;

/*
 * KEYSOCK_OUT is a PF_KEY message from a consumer destined for a PF_KEY
 * socket.
 */
typedef struct keysock_out_s {
	uint32_t ks_out_type;
	uint32_t ks_out_len;
	minor_t ks_out_serial;	/* Serial # of sending socket. */
} keysock_out_t;

/*
 * KEYSOCK_OUT_ERR is sent to a consumer from keysock if for some reason
 * keysock could not find a PF_KEY socket to deliver a consumer-originated
 * message (e.g. SADB_ACQUIRE).
 */
typedef struct keysock_out_err_s {
	uint32_t ks_err_type;
	uint32_t ks_err_len;
	minor_t ks_err_serial;	/* Serial # of the socket that was not found. */
	int ks_err_errno;	/* errno value describing the failure. */
	/*
	 * Other, richer error information may end up going here eventually.
	 */
} keysock_out_err_t;

/*
 * M_CTL message type for sending inbound pkt information between IP & ULP.
 * These are _not_ related to IPsec in any way, but are here so that there is
 * one place where all these values are defined which makes it easier to track.
 * The choice of this value has the same rationale as explained above.
 */
#define	IN_PKTINFO		(IPSEC_M_CTL + 24)


/*
 * IPSEC_CTL messages are used by IPsec to send control type requests
 * to IP.  Such a control message is currently used by IPsec to request
 * that IP send the contents of an IPsec SA or the entire SADB to
 * every IPsec hardware acceleration capable provider.
 */

#define	IPSEC_CTL		(IPSEC_M_CTL + 25)

typedef struct ipsec_ctl_s {
	uint32_t ipsec_ctl_type;
	uint32_t ipsec_ctl_len;
	uint_t ipsec_ctl_sa_type;	/* which SA type the request concerns */
	void *ipsec_ctl_sa;		/* opaque SA reference; see IPSEC_CTL */
} ipsec_ctl_t;


/*
 * All IPsec informational messages are placed into the ipsec_info_t
 * union, so that allocation can be done once, and IPsec informational
 * messages can be recycled.
 *
 * Every member begins with a uint32_t type followed by a uint32_t length,
 * so ipsec_allu aliases those two fields regardless of which member is
 * actually in use.  Any new message structure added to this union must
 * keep that prefix as its first two members.
 */
typedef union ipsec_info_u {
	struct {
		uint32_t ipsec_allu_type;
		uint32_t ipsec_allu_len;	/* In bytes */
	} ipsec_allu;
	ipsec_in_t ipsec_in;
	ipsec_out_t ipsec_out;
	keysock_hello_ack_t keysock_hello_ack;
	keysock_in_t keysock_in;
	keysock_out_t keysock_out;
	keysock_out_err_t keysock_out_err;
	ipsec_ctl_t ipsec_ctl;
} ipsec_info_t;
/* Convenience accessors for the common prefix through the union. */
#define	ipsec_info_type	ipsec_allu.ipsec_allu_type
#define	ipsec_info_len	ipsec_allu.ipsec_allu_len

#ifdef	__cplusplus
}
#endif

#endif /* _INET_IPSEC_INFO_H */