xref: /titanic_50/usr/src/uts/common/inet/ipsec_info.h (revision 8eea8e29cc4374d1ee24c25a07f45af132db3499)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #ifndef	_INET_IPSEC_INFO_H
28 #define	_INET_IPSEC_INFO_H
29 
30 #pragma ident	"%Z%%M%	%I%	%E% SMI"
31 
32 #ifdef	__cplusplus
33 extern "C" {
34 #endif
35 
36 #include <sys/crypto/common.h>
37 
38 /*
39  * IPsec informational messages.  These are M_CTL STREAMS messages, which
40  * convey IPsec information between various IP and related modules.  The
41  * messages come in a few flavors:
42  *
43  *	* IPSEC_{IN,OUT}  -  These show what IPsec action have been taken (for
44  *	  inbound datagrams), or need to be taken (for outbound datagrams).
45  *	  They flow between AH/ESP and IP.
46  *
47  *	* Keysock consumer interface  -  These messages are wrappers for
48  *	  PF_KEY messages.  They flow between AH/ESP and keysock.
49  */
50 
51 /* EXPORT DELETE START */ /* CRYPT DELETE START */
52 #if 0
53 /*
54  * I obscure the ipsec_info "prefix" for purposes of export control, and
55  * domestic source distribution.
56  */
57 /* EXPORT DELETE END */ /* CRYPT DELETE END */
58 
59 /*
60  * The IPsec M_CTL value MUST be something that will not be even close
61  * to an IPv4 or IPv6 header.  This means the first byte must not be
62  * 0x40 - 0x4f or 0x60-0x6f.  For big-endian machines, this is fixable with
63  * the IPSEC_M_CTL prefix.  For little-endian machines, the actual M_CTL
64  * _type_ must not be in the aforementioned ranges.
65  *
66  * The reason for this avoidance is because M_CTL's with a real IPv4/IPv6
67  * datagram get sent from to TCP or UDP when an ICMP datagram affects a
68  * TCP/UDP session.
69  */
70 
71 #define	IPSEC_M_CTL	(('!' << 24) + ('@' << 16) + ('@' << 8))
72 /* EXPORT DELETE START */ /* CRYPT DELETE START */
73 #else
74 #define	IPSEC_M_CTL	0x7dfaae00
75 #endif	/* False */
76 /* EXPORT DELETE END */ /* CRYPT DELETE END */
77 
78 /*
79  * M_CTL types for IPsec messages.  Remember, the values 0x40 - 0x4f and 0x60
80  * - 0x6f are not to be used because of potential little-endian confusion.
81  *
82  * Offsets 1-25 (decimal) are in use, spread through this file.
83  * Check for duplicates through the whole file before adding.
84  */
85 
86 /*
87  * IPSEC_{IN,OUT} policy expressors.
88  */
89 #define	IPSEC_IN	(IPSEC_M_CTL + 1)
90 #define	IPSEC_OUT	(IPSEC_M_CTL + 2)
91 
92 /*
93  * This is used for communication between IP and IPSEC (AH/ESP)
94  * for Inbound datagrams. IPSEC_IN is allocated by IP before IPSEC
95  * processing begins. On return spi fields are initialized so that
96  * IP can locate the security associations later on for doing policy
97  * checks. For loopback case, IPSEC processing is not done. But the
98  * attributes of the security are reflected in <foo>_done fields below.
99  * The code in policy check infers that it is a loopback case and
100  * would not try to get the associations.
101  */
102 typedef struct ipsec_in_s {
103 	uint32_t ipsec_in_type;
104 	uint32_t ipsec_in_len;
105 	frtn_t ipsec_in_frtn;		/* for esballoc() callback */
106 	struct ipsa_s 	*ipsec_in_ah_sa;	/* SA for AH */
107 	struct ipsa_s 	*ipsec_in_esp_sa;	/* SA for ESP */
108 
109 	struct ipsec_policy_head_s *ipsec_in_policy;
110 	struct ipsec_action_s *ipsec_in_action; /* how we made it in.. */
111 	unsigned int
112 		ipsec_in_secure : 1,	/* Is the message attached secure ? */
113 		ipsec_in_v4 : 1,	/* Is this an ipv4 packet ? */
114 		ipsec_in_loopback : 1,	/* Is this a loopback request ? */
115 		ipsec_in_dont_check : 1, /* Used by TCP to avoid policy check */
116 
117 		ipsec_in_decaps : 1,	/* Was this packet decapsulated from */
118 					/* a matching inner packet? */
119 		ipsec_in_attach_if : 1,	/* Don't load spread this packet */
120 		ipsec_in_accelerated : 1, /* hardware accelerated packet */
121 
122 		ipsec_in_icmp_loopback : 1, /* Looped-back ICMP packet, */
123 					    /* all should trust this. */
124 		ipsec_in_pad_bits : 24;
125 
126 	int    ipsec_in_ill_index;	/* interface on which ipha_dst was */
127 					/* configured when pkt was recv'd  */
128 	int    ipsec_in_rill_index;	/* interface on which pkt was recv'd */
129 	mblk_t *ipsec_in_da;		/* data attr. for accelerated pkts */
130 
131 	/*
132 	 * For call to the kernel crypto framework. State needed during
133 	 * the execution of a crypto request. Storing these here
134 	 * allow us to avoid a separate allocation before calling the
135 	 * crypto framework.
136 	 */
137 	size_t ipsec_in_skip_len;		/* len to skip for AH auth */
138 	crypto_data_t ipsec_in_crypto_data;	/* single op crypto data */
139 	crypto_dual_data_t ipsec_in_crypto_dual_data; /* for dual ops */
140 	crypto_data_t ipsec_in_crypto_mac;	/* to store the MAC */
141 
142 	zoneid_t ipsec_in_zoneid;	/* target zone for the datagram */
143 
144 #ifdef DEBUG
145 	/*
146 	 * To aid in IPSEC_IN leak detection, save a copy of the inbound IPsec
147 	 * header in DEBUG kernels.  It takes no more space overall because
148 	 * ipsec_info_t is more than sizeof (IPv4 or IPv6) bytes larger than
149 	 * ipsec_in_t.  (60 bytes was chosen as a nice safe number.  Using
150 	 * an IP or IPv6 constant increases the header file count for
151 	 * consumers of this header file.)
152 	 */
153 	uint8_t ipsec_in_saved_hdr[60];
154 #endif
155 } ipsec_in_t;
156 
157 /*
158  * This is used for communication between IP and IPSEC (AH/ESP)
159  * for Outbound datagrams. IPSEC_OUT is allocated by IP before IPSEC
160  * processing begins. On return SA fields are initialized so that
161  * IP can locate the security associations later on for doing policy
162  * checks.  The policy and the actions associated with this packet are
163  * stored in the ipsec_out_policy and ipsec_out_act fields respectively.
164  * IPSEC_OUT is also used to carry non-ipsec information when conn is
165  * absent or the conn information is lost across the calls to ARP.
166  * example: message from ARP or from ICMP error routines.
167  */
168 typedef struct ipsec_out_s {
169 	uint32_t ipsec_out_type;
170 	uint32_t ipsec_out_len;
171 	frtn_t ipsec_out_frtn;		/* for esballoc() callback */
172 	struct ipsec_policy_head_s *ipsec_out_polhead;
173 	ipsec_latch_t		*ipsec_out_latch;
174 	struct ipsec_policy_s 	*ipsec_out_policy; /* why are we here? */
175 	struct ipsec_action_s	*ipsec_out_act;	/* what do we want? */
176 	struct ipsa_s	*ipsec_out_ah_sa; /* AH SA used for the packet */
177 	struct ipsa_s	*ipsec_out_esp_sa; /* ESP SA used for the packet */
178 	/*
179 	 * NOTE: "Source" and "Dest" are w.r.t. outbound datagrams.  Ports can
180 	 *	 be zero, and the protocol number is needed to make the ports
181 	 *	 significant.
182 	 */
183 	uint16_t ipsec_out_src_port;	/* Source port number of d-gram. */
184 	uint16_t ipsec_out_dst_port;	/* Destination port number of d-gram. */
185 	uint8_t  ipsec_out_icmp_type;	/* ICMP type of d-gram */
186 	uint8_t  ipsec_out_icmp_code;	/* ICMP code of d-gram */
187 	uint_t ipsec_out_ill_index;	/* ill index used for multicast etc. */
188 	uint8_t ipsec_out_proto;	/* IP protocol number for d-gram. */
189 	unsigned int
190 		ipsec_out_encaps : 1,	/* Encapsualtion done ? */
191 		ipsec_out_use_global_policy : 1, /* Inherit global policy ? */
192 		ipsec_out_secure : 1,	/* Is this secure ? */
193 		ipsec_out_proc_begin : 1, /* IPSEC processing begun */
194 		/*
195 		 * Following five values reflects the values stored
196 		 * in conn.
197 		 */
198 		ipsec_out_multicast_loop : 1,
199 		ipsec_out_dontroute : 1,
200 		ipsec_out_reserved : 1,
201 		ipsec_out_v4 : 1,
202 
203 		ipsec_out_attach_if : 1,
204 		ipsec_out_unspec_src : 1,	/* IPv6 ip6i_t info */
205 		ipsec_out_reachable : 1, 	/* NDP reachability info */
206 		/*
207 		 * Following bit is used by ip_mrtun_forward to convey
208 		 * xmit_ill information along with ICMP error msg
209 		 */
210 		ipsec_out_xmit_if: 1,
211 
212 		ipsec_out_failed: 1,
213 		ipsec_out_se_done: 1,
214 		ipsec_out_esp_done: 1,
215 		ipsec_out_ah_done: 1,
216 
217 		ipsec_out_need_policy: 1,
218 
219 		/*
220 		 * To indicate that packet must be accelerated, i.e.
221 		 * ICV or encryption performed, by Provider.
222 		 */
223 		ipsec_out_accelerated : 1,
224 		/*
225 		 * Used by IP to tell IPsec that the outbound ill for this
226 		 * packet supports acceleration of the AH or ESP prototocol.
227 		 * If set, ipsec_out_capab_ill_index contains the
228 		 * index of the ill.
229 		 */
230 		ipsec_out_is_capab_ill : 1,
231 		/*
232 		 * Indicates ICMP message destined for self.  These
233 		 * messages are to be trusted by all receivers.
234 		 */
235 		ipsec_out_icmp_loopback: 1,
236 		ipsec_out_pad_bits : 12;
237 	cred_t	*ipsec_out_cred;
238 	uint32_t ipsec_out_capab_ill_index;
239 
240 	/*
241 	 * For call to the kernel crypto framework. State needed during
242 	 * the execution of a crypto request. Storing these here
243 	 * allow us to avoid a separate allocation before calling the
244 	 * crypto framework.
245 	 */
246 	size_t ipsec_out_skip_len;		/* len to skip for AH auth */
247 	crypto_data_t ipsec_out_crypto_data;	/* single op crypto data */
248 	crypto_dual_data_t ipsec_out_crypto_dual_data; /* for dual ops */
249 	crypto_data_t ipsec_out_crypto_mac;	/* to store the MAC */
250 
251 	zoneid_t ipsec_out_zoneid;	/* source zone for the datagram */
252 } ipsec_out_t;
253 
254 /*
255  * This is used to mark the ipsec_out_t *req* fields
256  * when the operation is done without affecting the
257  * requests.
258  */
259 #define	IPSEC_REQ_DONE		0x80000000
260 /*
261  * Operation could not be performed by the AH/ESP
262  * module.
263  */
264 #define	IPSEC_REQ_FAILED	0x40000000
265 
266 /*
267  * Keysock consumer interface.
268  *
269  * The driver/module keysock (which is a driver to PF_KEY sockets, but is
270  * a module to 'consumers' like AH and ESP) uses keysock consumer interface
271  * messages to pass on PF_KEY messages to consumers who process and act upon
272  * them.
273  */
274 #define	KEYSOCK_IN		(IPSEC_M_CTL + 3)
275 #define	KEYSOCK_OUT		(IPSEC_M_CTL + 4)
276 #define	KEYSOCK_OUT_ERR		(IPSEC_M_CTL + 5)
277 #define	KEYSOCK_HELLO		(IPSEC_M_CTL + 6)
278 #define	KEYSOCK_HELLO_ACK	(IPSEC_M_CTL + 7)
279 
280 /*
281  * KEYSOCK_HELLO is sent by keysock to a consumer when it is pushed on top
282  * of one (i.e. opened as a module).
283  *
284  * NOTE: Keysock_hello is simply an ipsec_info_t
285  */
286 
287 /*
288  * KEYSOCK_HELLO_ACK is sent by a consumer to acknowledge a KEYSOCK_HELLO.
289  * It contains the PF_KEYv2 sa_type, so keysock can redirect PF_KEY messages
290  * to the right consumer.
291  */
292 typedef struct keysock_hello_ack_s {
293 	uint32_t ks_hello_type;
294 	uint32_t ks_hello_len;
295 	uint8_t ks_hello_satype;	/* PF_KEYv2 sa_type of ks client */
296 } keysock_hello_ack_t;
297 
298 #define	KS_IN_ADDR_UNKNOWN 0
299 #define	KS_IN_ADDR_NOTTHERE 1
300 #define	KS_IN_ADDR_UNSPEC 2
301 #define	KS_IN_ADDR_ME 3
302 #define	KS_IN_ADDR_NOTME 4
303 #define	KS_IN_ADDR_MBCAST 5
304 
305 /*
306  * KEYSOCK_IN is a PF_KEY message from a PF_KEY socket destined for a consumer.
307  */
308 typedef struct keysock_in_s {
309 	uint32_t ks_in_type;
310 	uint32_t ks_in_len;
311 	/*
312 	 * NOTE:	These pointers MUST be into the M_DATA that follows
313 	 *		this M_CTL message.  If they aren't, weirdness
314 	 *		results.
315 	 */
316 	struct sadb_ext *ks_in_extv[SADB_EXT_MAX + 1];
317 	int ks_in_srctype;	/* Source address type. */
318 	int ks_in_dsttype;	/* Dest address type. */
319 	int ks_in_proxytype;	/* Proxy address type. */
320 	minor_t ks_in_serial;	/* Serial # of sending socket. */
321 } keysock_in_t;
322 
323 /*
324  * KEYSOCK_OUT is a PF_KEY message from a consumer destined for a PF_KEY
325  * socket.
326  */
327 typedef struct keysock_out_s {
328 	uint32_t ks_out_type;
329 	uint32_t ks_out_len;
330 	minor_t ks_out_serial;	/* Serial # of sending socket. */
331 } keysock_out_t;
332 
333 /*
334  * KEYSOCK_OUT_ERR is sent to a consumer from keysock if for some reason
335  * keysock could not find a PF_KEY socket to deliver a consumer-originated
336  * message (e.g. SADB_ACQUIRE).
337  */
338 typedef struct keysock_out_err_s {
339 	uint32_t ks_err_type;
340 	uint32_t ks_err_len;
341 	minor_t ks_err_serial;
342 	int ks_err_errno;
343 	/*
344 	 * Other, richer error information may end up going here eventually.
345 	 */
346 } keysock_out_err_t;
347 
348 /*
349  * M_CTL message type for sending inbound pkt information between IP & ULP.
350  * These are _not_ related to IPsec in any way, but are here so that there is
351  * one place where all these values are defined which makes it easier to track.
352  * The choice of this value has the same rationale as explained above.
353  */
354 #define	IN_PKTINFO		(IPSEC_M_CTL + 24)
355 
356 
357 /*
358  * IPSEC_CTL messages are used by IPsec to send control type requests
359  * to IP. Such a control message is currently used by IPsec to request
360  * that IP send the contents of an IPsec SA or the entire SADB to
361  * every IPsec hardware acceleration capable provider.
362  */
363 
364 #define	IPSEC_CTL		(IPSEC_M_CTL + 25)
365 
366 typedef struct ipsec_ctl_s {
367 	uint32_t ipsec_ctl_type;
368 	uint32_t ipsec_ctl_len;
369 	uint_t ipsec_ctl_sa_type;
370 	void *ipsec_ctl_sa;
371 } ipsec_ctl_t;
372 
373 
374 /*
375  * All IPsec informational messages are placed into the ipsec_info_t
376  * union, so that allocation can be done once, and IPsec informational
377  * messages can be recycled.
378  */
379 typedef union ipsec_info_u {
380 	struct {
381 		uint32_t ipsec_allu_type;
382 		uint32_t ipsec_allu_len;	/* In bytes */
383 	} ipsec_allu;
384 	ipsec_in_t ipsec_in;
385 	ipsec_out_t ipsec_out;
386 	keysock_hello_ack_t keysock_hello_ack;
387 	keysock_in_t keysock_in;
388 	keysock_out_t keysock_out;
389 	keysock_out_err_t keysock_out_err;
390 	ipsec_ctl_t ipsec_ctl;
391 } ipsec_info_t;
392 #define	ipsec_info_type ipsec_allu.ipsec_allu_type
393 #define	ipsec_info_len ipsec_allu.ipsec_allu_len
394 
395 #ifdef	__cplusplus
396 }
397 #endif
398 
399 #endif	/* _INET_IPSEC_INFO_H */
400