1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #ifndef _INET_IPSEC_IMPL_H 27 #define _INET_IPSEC_IMPL_H 28 29 #include <inet/ip.h> 30 #include <inet/ipdrop.h> 31 32 #ifdef __cplusplus 33 extern "C" { 34 #endif 35 36 #define IPSEC_CONF_SRC_ADDRESS 0 /* Source Address */ 37 #define IPSEC_CONF_SRC_PORT 1 /* Source Port */ 38 #define IPSEC_CONF_DST_ADDRESS 2 /* Dest Address */ 39 #define IPSEC_CONF_DST_PORT 3 /* Dest Port */ 40 #define IPSEC_CONF_SRC_MASK 4 /* Source Address Mask */ 41 #define IPSEC_CONF_DST_MASK 5 /* Destination Address Mask */ 42 #define IPSEC_CONF_ULP 6 /* Upper layer Port */ 43 #define IPSEC_CONF_IPSEC_PROT 7 /* AH or ESP or AH_ESP */ 44 #define IPSEC_CONF_IPSEC_AALGS 8 /* Auth Algorithms - MD5 etc. */ 45 #define IPSEC_CONF_IPSEC_EALGS 9 /* Encr Algorithms - DES etc. */ 46 #define IPSEC_CONF_IPSEC_EAALGS 10 /* Encr Algorithms - MD5 etc. */ 47 #define IPSEC_CONF_IPSEC_SA 11 /* Shared or unique SA */ 48 #define IPSEC_CONF_IPSEC_DIR 12 /* Direction of traffic */ 49 #define IPSEC_CONF_ICMP_TYPE 13 /* ICMP type */ 50 #define IPSEC_CONF_ICMP_CODE 14 /* ICMP code */ 51 #define IPSEC_CONF_NEGOTIATE 15 /* Negotiation */ 52 #define IPSEC_CONF_TUNNEL 16 /* Tunnel */ 53 54 /* Type of an entry */ 55 56 #define IPSEC_NTYPES 0x02 57 #define IPSEC_TYPE_OUTBOUND 0x00 58 #define IPSEC_TYPE_INBOUND 0x01 59 60 /* Policy */ 61 #define IPSEC_POLICY_APPLY 0x01 62 #define IPSEC_POLICY_DISCARD 0x02 63 #define IPSEC_POLICY_BYPASS 0x03 64 65 /* Shared or unique SA */ 66 #define IPSEC_SHARED_SA 0x01 67 #define IPSEC_UNIQUE_SA 0x02 68 69 /* IPsec protocols and combinations */ 70 #define IPSEC_AH_ONLY 0x01 71 #define IPSEC_ESP_ONLY 0x02 72 #define IPSEC_AH_ESP 0x03 73 74 /* 75 * Internally defined "any" algorithm. 76 * Move to PF_KEY v3 when that RFC is released. 77 */ 78 #define SADB_AALG_ANY 255 79 80 #ifdef _KERNEL 81 82 #include <inet/common.h> 83 #include <netinet/ip6.h> 84 #include <netinet/icmp6.h> 85 #include <net/pfkeyv2.h> 86 #include <inet/ip.h> 87 #include <inet/sadb.h> 88 #include <inet/ipsecah.h> 89 #include <inet/ipsecesp.h> 90 #include <sys/crypto/common.h> 91 #include <sys/crypto/api.h> 92 #include <sys/avl.h> 93 94 /* 95 * Maximum number of authentication algorithms (can be indexed by one byte 96 * per PF_KEY and the IKE IPsec DOI. 97 */ 98 #define MAX_AALGS 256 99 100 /* 101 * IPsec task queue constants. 102 */ 103 #define IPSEC_TASKQ_MIN 10 104 #define IPSEC_TASKQ_MAX 20 105 106 /* 107 * So we can access IPsec global variables that live in keysock.c. 108 */ 109 extern boolean_t keysock_extended_reg(netstack_t *); 110 extern uint32_t keysock_next_seq(netstack_t *); 111 112 /* 113 * Locking for ipsec policy rules: 114 * 115 * policy heads: system policy is static; per-conn polheads are dynamic, 116 * and refcounted (and inherited); use atomic refcounts and "don't let 117 * go with both hands". 118 * 119 * policy: refcounted; references from polhead, ipsec_out 120 * 121 * actions: refcounted; referenced from: action hash table, policy, ipsec_out 122 * selectors: refcounted; referenced from: selector hash table, policy. 123 */ 124 125 /* 126 * the following are inspired by, but not directly based on, 127 * some of the sys/queue.h type-safe pseudo-polymorphic macros 128 * found in BSD. 129 * 130 * XXX If we use these more generally, we'll have to make the names 131 * less generic (HASH_* will probably clobber other namespaces). 132 */ 133 134 #define HASH_LOCK(table, hash) \ 135 mutex_enter(&(table)[hash].hash_lock) 136 #define HASH_UNLOCK(table, hash) \ 137 mutex_exit(&(table)[hash].hash_lock) 138 139 #define HASH_LOCKED(table, hash) \ 140 MUTEX_HELD(&(table)[hash].hash_lock) 141 142 #define HASH_ITERATE(var, field, table, hash) \ 143 var = table[hash].hash_head; var != NULL; var = var->field.hash_next 144 145 #define HASH_NEXT(var, field) \ 146 (var)->field.hash_next 147 148 #define HASH_INSERT(var, field, table, hash) \ 149 { \ 150 ASSERT(HASH_LOCKED(table, hash)); \ 151 (var)->field.hash_next = (table)[hash].hash_head; \ 152 (var)->field.hash_pp = &(table)[hash].hash_head; \ 153 (table)[hash].hash_head = var; \ 154 if ((var)->field.hash_next != NULL) \ 155 (var)->field.hash_next->field.hash_pp = \ 156 &((var)->field.hash_next); \ 157 } 158 159 160 #define HASH_UNCHAIN(var, field, table, hash) \ 161 { \ 162 ASSERT(MUTEX_HELD(&(table)[hash].hash_lock)); \ 163 HASHLIST_UNCHAIN(var, field); \ 164 } 165 166 #define HASHLIST_INSERT(var, field, head) \ 167 { \ 168 (var)->field.hash_next = head; \ 169 (var)->field.hash_pp = &(head); \ 170 head = var; \ 171 if ((var)->field.hash_next != NULL) \ 172 (var)->field.hash_next->field.hash_pp = \ 173 &((var)->field.hash_next); \ 174 } 175 176 #define HASHLIST_UNCHAIN(var, field) \ 177 { \ 178 *var->field.hash_pp = var->field.hash_next; \ 179 if (var->field.hash_next) \ 180 var->field.hash_next->field.hash_pp = \ 181 var->field.hash_pp; \ 182 HASH_NULL(var, field); \ 183 } 184 185 186 #define HASH_NULL(var, field) \ 187 { \ 188 var->field.hash_next = NULL; \ 189 var->field.hash_pp = NULL; \ 190 } 191 192 #define HASH_LINK(fieldname, type) \ 193 struct { \ 194 type *hash_next; \ 195 type **hash_pp; \ 196 } fieldname 197 198 199 #define HASH_HEAD(tag) \ 200 struct { \ 201 struct tag *hash_head; \ 202 kmutex_t hash_lock; \ 203 } 204 205 206 typedef struct ipsec_policy_s ipsec_policy_t; 207 208 typedef HASH_HEAD(ipsec_policy_s) ipsec_policy_hash_t; 209 210 /* 211 * When adding new fields to ipsec_prot_t, make sure to update 212 * ipsec_in_to_out_action() as well as other code in spd.c 213 */ 214 215 typedef struct ipsec_prot 216 { 217 unsigned int 218 ipp_use_ah : 1, 219 ipp_use_esp : 1, 220 ipp_use_se : 1, 221 ipp_use_unique : 1, 222 ipp_use_espa : 1, 223 ipp_pad : 27; 224 uint8_t ipp_auth_alg; /* DOI number */ 225 uint8_t ipp_encr_alg; /* DOI number */ 226 uint8_t ipp_esp_auth_alg; /* DOI number */ 227 uint16_t ipp_ah_minbits; /* AH: min keylen */ 228 uint16_t ipp_ah_maxbits; /* AH: max keylen */ 229 uint16_t ipp_espe_minbits; /* ESP encr: min keylen */ 230 uint16_t ipp_espe_maxbits; /* ESP encr: max keylen */ 231 uint16_t ipp_espa_minbits; /* ESP auth: min keylen */ 232 uint16_t ipp_espa_maxbits; /* ESP auth: max keylen */ 233 uint32_t ipp_km_proto; /* key mgmt protocol */ 234 uint32_t ipp_km_cookie; /* key mgmt cookie */ 235 uint32_t ipp_replay_depth; /* replay window */ 236 /* XXX add lifetimes */ 237 } ipsec_prot_t; 238 239 #define IPSEC_MAX_KEYBITS (0xffff) 240 241 /* 242 * An individual policy action, possibly a member of a chain. 243 * 244 * Action chains may be shared between multiple policy rules. 245 * 246 * With one exception (IPSEC_POLICY_LOG), a chain consists of an 247 * ordered list of alternative ways to handle a packet. 248 * 249 * All actions are also "interned" into a hash table (to allow 250 * multiple rules with the same action chain to share one copy in 251 * memory). 252 */ 253 254 typedef struct ipsec_act 255 { 256 uint8_t ipa_type; 257 uint8_t ipa_log; 258 union 259 { 260 ipsec_prot_t ipau_apply; 261 uint8_t ipau_reject_type; 262 uint32_t ipau_resolve_id; /* magic cookie */ 263 uint8_t ipau_log_type; 264 } ipa_u; 265 #define ipa_apply ipa_u.ipau_apply 266 #define ipa_reject_type ipa_u.ipau_reject_type 267 #define ipa_log_type ipa_u.ipau_log_type 268 #define ipa_resolve_type ipa_u.ipau_resolve_type 269 } ipsec_act_t; 270 271 #define IPSEC_ACT_APPLY 0x01 /* match IPSEC_POLICY_APPLY */ 272 #define IPSEC_ACT_DISCARD 0x02 /* match IPSEC_POLICY_DISCARD */ 273 #define IPSEC_ACT_BYPASS 0x03 /* match IPSEC_POLICY_BYPASS */ 274 #define IPSEC_ACT_REJECT 0x04 275 #define IPSEC_ACT_CLEAR 0x05 276 277 typedef struct ipsec_action_s 278 { 279 HASH_LINK(ipa_hash, struct ipsec_action_s); 280 struct ipsec_action_s *ipa_next; /* next alternative */ 281 uint32_t ipa_refs; /* refcount */ 282 ipsec_act_t ipa_act; 283 /* 284 * The following bits are equivalent to an OR of bits included in the 285 * ipau_apply fields of this and subsequent actions in an 286 * action chain; this is an optimization for the sake of 287 * ipsec_out_process() in ip.c and a few other places. 288 */ 289 unsigned int 290 ipa_hval: 8, 291 ipa_allow_clear:1, /* rule allows cleartext? */ 292 ipa_want_ah:1, /* an action wants ah */ 293 ipa_want_esp:1, /* an action wants esp */ 294 ipa_want_se:1, /* an action wants se */ 295 ipa_want_unique:1, /* want unique sa's */ 296 ipa_pad:19; 297 uint32_t ipa_ovhd; /* per-packet encap ovhd */ 298 } ipsec_action_t; 299 300 #define IPACT_REFHOLD(ipa) { \ 301 atomic_add_32(&(ipa)->ipa_refs, 1); \ 302 ASSERT((ipa)->ipa_refs != 0); \ 303 } 304 #define IPACT_REFRELE(ipa) { \ 305 ASSERT((ipa)->ipa_refs != 0); \ 306 membar_exit(); \ 307 if (atomic_add_32_nv(&(ipa)->ipa_refs, -1) == 0) \ 308 ipsec_action_free(ipa); \ 309 (ipa) = 0; \ 310 } 311 312 /* 313 * For now, use a trivially sized hash table for actions. 314 * In the future we can add the structure canonicalization necessary 315 * to get the hash function to behave correctly.. 316 */ 317 #define IPSEC_ACTION_HASH_SIZE 1 318 319 /* 320 * Merged address structure, for cheezy address-family independent 321 * matches in policy code. 322 */ 323 324 typedef union ipsec_addr 325 { 326 in6_addr_t ipsad_v6; 327 in_addr_t ipsad_v4; 328 } ipsec_addr_t; 329 330 /* 331 * ipsec selector set, as used by the kernel policy structures. 332 * Note that that we specify "local" and "remote" 333 * rather than "source" and "destination", which allows the selectors 334 * for symmetric policy rules to be shared between inbound and 335 * outbound rules. 336 * 337 * "local" means "destination" on inbound, and "source" on outbound. 338 * "remote" means "source" on inbound, and "destination" on outbound. 339 * XXX if we add a fifth policy enforcement point for forwarded packets, 340 * what do we do? 341 * 342 * The ipsl_valid mask is not done as a bitfield; this is so we 343 * can use "ffs()" to find the "most interesting" valid tag. 344 * 345 * XXX should we have multiple types for space-conservation reasons? 346 * (v4 vs v6? prefix vs. range)? 347 */ 348 349 typedef struct ipsec_selkey 350 { 351 uint32_t ipsl_valid; /* bitmask of valid entries */ 352 #define IPSL_REMOTE_ADDR 0x00000001 353 #define IPSL_LOCAL_ADDR 0x00000002 354 #define IPSL_REMOTE_PORT 0x00000004 355 #define IPSL_LOCAL_PORT 0x00000008 356 #define IPSL_PROTOCOL 0x00000010 357 #define IPSL_ICMP_TYPE 0x00000020 358 #define IPSL_ICMP_CODE 0x00000040 359 #define IPSL_IPV6 0x00000080 360 #define IPSL_IPV4 0x00000100 361 362 #define IPSL_WILDCARD 0x0000007f 363 364 ipsec_addr_t ipsl_local; 365 ipsec_addr_t ipsl_remote; 366 uint16_t ipsl_lport; 367 uint16_t ipsl_rport; 368 /* 369 * ICMP type and code selectors. Both have an end value to 370 * specify ranges, or * and *_end are equal for a single 371 * value 372 */ 373 uint8_t ipsl_icmp_type; 374 uint8_t ipsl_icmp_type_end; 375 uint8_t ipsl_icmp_code; 376 uint8_t ipsl_icmp_code_end; 377 378 uint8_t ipsl_proto; /* ip payload type */ 379 uint8_t ipsl_local_pfxlen; /* #bits of prefix */ 380 uint8_t ipsl_remote_pfxlen; /* #bits of prefix */ 381 uint8_t ipsl_mbz; 382 383 /* Insert new elements above this line */ 384 uint32_t ipsl_pol_hval; 385 uint32_t ipsl_sel_hval; 386 } ipsec_selkey_t; 387 388 typedef struct ipsec_sel 389 { 390 HASH_LINK(ipsl_hash, struct ipsec_sel); 391 uint32_t ipsl_refs; /* # refs to this sel */ 392 ipsec_selkey_t ipsl_key; /* actual selector guts */ 393 } ipsec_sel_t; 394 395 /* 396 * One policy rule. This will be linked into a single hash chain bucket in 397 * the parent rule structure. If the selector is simple enough to 398 * allow hashing, it gets filed under ipsec_policy_root_t->ipr_hash. 399 * Otherwise it goes onto a linked list in ipsec_policy_root_t->ipr_nonhash[af] 400 * 401 * In addition, we file the rule into an avl tree keyed by the rule index. 402 * (Duplicate rules are permitted; the comparison function breaks ties). 403 */ 404 struct ipsec_policy_s 405 { 406 HASH_LINK(ipsp_hash, struct ipsec_policy_s); 407 avl_node_t ipsp_byid; 408 uint64_t ipsp_index; /* unique id */ 409 uint32_t ipsp_prio; /* rule priority */ 410 uint32_t ipsp_refs; 411 ipsec_sel_t *ipsp_sel; /* selector set (shared) */ 412 ipsec_action_t *ipsp_act; /* action (may be shared) */ 413 }; 414 415 #define IPPOL_REFHOLD(ipp) { \ 416 atomic_add_32(&(ipp)->ipsp_refs, 1); \ 417 ASSERT((ipp)->ipsp_refs != 0); \ 418 } 419 #define IPPOL_REFRELE(ipp, ns) { \ 420 ASSERT((ipp)->ipsp_refs != 0); \ 421 membar_exit(); \ 422 if (atomic_add_32_nv(&(ipp)->ipsp_refs, -1) == 0) \ 423 ipsec_policy_free(ipp, ns); \ 424 (ipp) = 0; \ 425 } 426 427 #define IPPOL_UNCHAIN(php, ip, ns) \ 428 HASHLIST_UNCHAIN((ip), ipsp_hash); \ 429 avl_remove(&(php)->iph_rulebyid, (ip)); \ 430 IPPOL_REFRELE(ip, ns); 431 432 /* 433 * Policy ruleset. One per (protocol * direction) for system policy. 434 */ 435 436 #define IPSEC_AF_V4 0 437 #define IPSEC_AF_V6 1 438 #define IPSEC_NAF 2 439 440 typedef struct ipsec_policy_root_s 441 { 442 ipsec_policy_t *ipr_nonhash[IPSEC_NAF]; 443 int ipr_nchains; 444 ipsec_policy_hash_t *ipr_hash; 445 } ipsec_policy_root_t; 446 447 /* 448 * Policy head. One for system policy; there may also be one present 449 * on ill_t's with interface-specific policy, as well as one present 450 * for sockets with per-socket policy allocated. 451 */ 452 453 typedef struct ipsec_policy_head_s 454 { 455 uint32_t iph_refs; 456 krwlock_t iph_lock; 457 uint64_t iph_gen; /* generation number */ 458 ipsec_policy_root_t iph_root[IPSEC_NTYPES]; 459 avl_tree_t iph_rulebyid; 460 } ipsec_policy_head_t; 461 462 #define IPPH_REFHOLD(iph) { \ 463 atomic_add_32(&(iph)->iph_refs, 1); \ 464 ASSERT((iph)->iph_refs != 0); \ 465 } 466 #define IPPH_REFRELE(iph, ns) { \ 467 ASSERT((iph)->iph_refs != 0); \ 468 membar_exit(); \ 469 if (atomic_add_32_nv(&(iph)->iph_refs, -1) == 0) \ 470 ipsec_polhead_free(iph, ns); \ 471 (iph) = 0; \ 472 } 473 474 /* 475 * IPsec fragment related structures 476 */ 477 478 typedef struct ipsec_fragcache_entry { 479 struct ipsec_fragcache_entry *itpfe_next; /* hash list chain */ 480 mblk_t *itpfe_fraglist; /* list of fragments */ 481 time_t itpfe_exp; /* time when entry is stale */ 482 int itpfe_depth; /* # of fragments in list */ 483 ipsec_addr_t itpfe_frag_src; 484 ipsec_addr_t itpfe_frag_dst; 485 #define itpfe_src itpfe_frag_src.ipsad_v4 486 #define itpfe_src6 itpfe_frag_src.ipsad_v6 487 #define itpfe_dst itpfe_frag_dst.ipsad_v4 488 #define itpfe_dst6 itpfe_frag_dst.ipsad_v6 489 uint32_t itpfe_id; /* IP datagram ID */ 490 uint8_t itpfe_proto; /* IP Protocol */ 491 uint8_t itpfe_last; /* Last packet */ 492 } ipsec_fragcache_entry_t; 493 494 typedef struct ipsec_fragcache { 495 kmutex_t itpf_lock; 496 struct ipsec_fragcache_entry **itpf_ptr; 497 struct ipsec_fragcache_entry *itpf_freelist; 498 time_t itpf_expire_hint; /* time when oldest entry is stale */ 499 } ipsec_fragcache_t; 500 501 /* 502 * Tunnel policies. We keep a minature of the transport-mode/global policy 503 * per each tunnel instance. 504 * 505 * People who need both an itp held down AND one of its polheads need to 506 * first lock the itp, THEN the polhead, otherwise deadlock WILL occur. 507 */ 508 typedef struct ipsec_tun_pol_s { 509 avl_node_t itp_node; 510 kmutex_t itp_lock; 511 uint64_t itp_next_policy_index; 512 ipsec_policy_head_t *itp_policy; 513 ipsec_policy_head_t *itp_inactive; 514 uint32_t itp_flags; 515 uint32_t itp_refcnt; 516 char itp_name[LIFNAMSIZ]; 517 ipsec_fragcache_t itp_fragcache; 518 } ipsec_tun_pol_t; 519 /* NOTE - Callers (tun code) synchronize their own instances for these flags. */ 520 #define ITPF_P_ACTIVE 0x1 /* Are we using IPsec right now? */ 521 #define ITPF_P_TUNNEL 0x2 /* Negotiate tunnel-mode */ 522 /* Optimization -> Do we have per-port security entries in this polhead? */ 523 #define ITPF_P_PER_PORT_SECURITY 0x4 524 #define ITPF_PFLAGS 0x7 525 #define ITPF_SHIFT 3 526 527 #define ITPF_I_ACTIVE 0x8 /* Is the inactive using IPsec right now? */ 528 #define ITPF_I_TUNNEL 0x10 /* Negotiate tunnel-mode (on inactive) */ 529 /* Optimization -> Do we have per-port security entries in this polhead? */ 530 #define ITPF_I_PER_PORT_SECURITY 0x20 531 #define ITPF_IFLAGS 0x38 532 533 /* NOTE: f cannot be an expression. */ 534 #define ITPF_CLONE(f) (f) = (((f) & ITPF_PFLAGS) | \ 535 (((f) & ITPF_PFLAGS) << ITPF_SHIFT)); 536 #define ITPF_SWAP(f) (f) = ((((f) & ITPF_PFLAGS) << ITPF_SHIFT) | \ 537 (((f) & ITPF_IFLAGS) >> ITPF_SHIFT)) 538 539 #define ITP_P_ISACTIVE(itp, iph) ((itp)->itp_flags & \ 540 (((itp)->itp_policy == (iph)) ? ITPF_P_ACTIVE : ITPF_I_ACTIVE)) 541 542 #define ITP_P_ISTUNNEL(itp, iph) ((itp)->itp_flags & \ 543 (((itp)->itp_policy == (iph)) ? ITPF_P_TUNNEL : ITPF_I_TUNNEL)) 544 545 #define ITP_P_ISPERPORT(itp, iph) ((itp)->itp_flags & \ 546 (((itp)->itp_policy == (iph)) ? ITPF_P_PER_PORT_SECURITY : \ 547 ITPF_I_PER_PORT_SECURITY)) 548 549 #define ITP_REFHOLD(itp) { \ 550 atomic_add_32(&((itp)->itp_refcnt), 1); \ 551 ASSERT((itp)->itp_refcnt != 0); \ 552 } 553 554 #define ITP_REFRELE(itp, ns) { \ 555 ASSERT((itp)->itp_refcnt != 0); \ 556 membar_exit(); \ 557 if (atomic_add_32_nv(&((itp)->itp_refcnt), -1) == 0) \ 558 itp_free(itp, ns); \ 559 } 560 561 /* 562 * Certificate identity. 563 */ 564 565 typedef struct ipsid_s 566 { 567 struct ipsid_s *ipsid_next; 568 struct ipsid_s **ipsid_ptpn; 569 uint32_t ipsid_refcnt; 570 int ipsid_type; /* id type */ 571 char *ipsid_cid; /* certificate id string */ 572 } ipsid_t; 573 574 /* 575 * ipsid_t reference hold/release macros, just like ipsa versions. 576 */ 577 578 #define IPSID_REFHOLD(ipsid) { \ 579 atomic_add_32(&(ipsid)->ipsid_refcnt, 1); \ 580 ASSERT((ipsid)->ipsid_refcnt != 0); \ 581 } 582 583 /* 584 * Decrement the reference count on the ID. Someone else will clean up 585 * after us later. 586 */ 587 588 #define IPSID_REFRELE(ipsid) { \ 589 membar_exit(); \ 590 atomic_add_32(&(ipsid)->ipsid_refcnt, -1); \ 591 } 592 593 struct ipsec_out_s; 594 595 /* 596 * Following are the estimates of what the maximum AH and ESP header size 597 * would be. This is used to tell the upper layer the right value of MSS 598 * it should use without consulting AH/ESP. If the size is something 599 * different from this, ULP will learn the right one through 600 * ICMP_FRAGMENTATION_NEEDED messages generated locally. 601 * 602 * AH : 12 bytes of constant header + 32 bytes of ICV checksum (SHA-512). 603 */ 604 #define IPSEC_MAX_AH_HDR_SIZE (44) 605 606 /* 607 * ESP : Is a bit more complex... 608 * 609 * A system of one inequality and one equation MUST be solved for proper ESP 610 * overhead. The inequality is: 611 * 612 * MTU - sizeof (IP header + options) >= 613 * sizeof (esph_t) + sizeof (IV or ctr) + data-size + 2 + ICV 614 * 615 * IV or counter is almost always the cipher's block size. The equation is: 616 * 617 * data-size % block-size = (block-size - 2) 618 * 619 * so we can put as much data into the datagram as possible. If we are 620 * pessimistic and include our largest overhead cipher (AES) and hash 621 * (SHA-512), and assume 1500-byte MTU minus IPv4 overhead of 20 bytes, we get: 622 * 623 * 1480 >= 8 + 16 + data-size + 2 + 32 624 * 1480 >= 58 + data-size 625 * 1422 >= data-size, 1422 % 16 = 14, so 58 is the overhead! 626 * 627 * But, let's re-run the numbers with the same algorithms, but with an IPv6 628 * header: 629 * 630 * 1460 >= 58 + data-size 631 * 1402 >= data-size, 1402 % 16 = 10, meaning shrink to 1390 to get 14, 632 * 633 * which means the overhead is now 70. 634 * 635 * Hmmm... IPv4 headers can never be anything other than multiples of 4-bytes, 636 * and IPv6 ones can never be anything other than multiples of 8-bytes. We've 637 * seen overheads of 58 and 70. 58 % 16 == 10, and 70 % 16 == 6. IPv4 could 638 * force us to have 62 ( % 16 == 14) or 66 ( % 16 == 2), or IPv6 could force us 639 * to have 78 ( % 16 = 14). Let's compute IPv6 + 8-bytes of options: 640 * 641 * 1452 >= 58 + data-size 642 * 1394 >= data-size, 1394 % 16 = 2, meaning shrink to 1390 to get 14, 643 * 644 * Aha! The "ESP overhead" shrinks to 62 (70 - 8). This is good. Let's try 645 * IPv4 + 8 bytes of IPv4 options: 646 * 647 * 1472 >= 58 + data-size 648 * 1414 >= data-size, 1414 % 16 = 6, meaning shrink to 1406, 649 * 650 * meaning 66 is the overhead. Let's try 12 bytes: 651 * 652 * 1468 >= 58 + data-size 653 * 1410 >= data-size, 1410 % 16 = 2, meaning also shrink to 1406, 654 * 655 * meaning 62 is the overhead. How about 16 bytes? 656 * 657 * 1464 >= 58 + data-size 658 * 1406 >= data-size, 1402 % 16 = 14, which is great! 659 * 660 * this means 58 is the overhead. If I wrap and add 20 bytes, it looks just 661 * like IPv6's 70 bytes. If I add 24, we go back to 66 bytes. 662 * 663 * So picking 70 is a sensible, conservative default. Optimal calculations 664 * will depend on knowing pre-ESP header length (called "divpoint" in the ESP 665 * code), which could be cached in the conn_t for connected endpoints, or 666 * which must be computed on every datagram otherwise. 667 */ 668 #define IPSEC_MAX_ESP_HDR_SIZE (70) 669 670 /* 671 * Alternate, when we know the crypto block size via the SA. Assume an ICV on 672 * the SA. Use: 673 * 674 * sizeof (esph_t) + 2 * (sizeof (IV/counter)) - 2 + sizeof (ICV). The "-2" 675 * discounts the overhead of the pad + padlen that gets swallowed up by the 676 * second (theoretically all-pad) cipher-block. If you use our examples of 677 * AES and SHA512, you get: 678 * 679 * 8 + 32 - 2 + 32 == 70. 680 * 681 * Which is our pre-computed maximum above. 682 */ 683 #include <inet/ipsecesp.h> 684 #define IPSEC_BASE_ESP_HDR_SIZE(sa) \ 685 (sizeof (esph_t) + ((sa)->ipsa_iv_len << 1) - 2 + (sa)->ipsa_mac_len) 686 687 /* 688 * Identity hash table. 689 * 690 * Identities are refcounted and "interned" into the hash table. 691 * Only references coming from other objects (SA's, latching state) 692 * are counted in ipsid_refcnt. 693 * 694 * Locking: IPSID_REFHOLD is safe only when (a) the object's hash bucket 695 * is locked, (b) we know that the refcount must be > 0. 696 * 697 * The ipsid_next and ipsid_ptpn fields are only to be referenced or 698 * modified when the bucket lock is held; in particular, we only 699 * delete objects while holding the bucket lock, and we only increase 700 * the refcount from 0 to 1 while the bucket lock is held. 701 */ 702 703 #define IPSID_HASHSIZE 64 704 705 typedef struct ipsif_s 706 { 707 ipsid_t *ipsif_head; 708 kmutex_t ipsif_lock; 709 } ipsif_t; 710 711 712 /* 713 * IPsec stack instances 714 */ 715 struct ipsec_stack { 716 netstack_t *ipsec_netstack; /* Common netstack */ 717 718 /* Packet dropper for IP IPsec processing failures */ 719 ipdropper_t ipsec_dropper; 720 721 /* From spd.c */ 722 /* 723 * Policy rule index generator. We assume this won't wrap in the 724 * lifetime of a system. If we make 2^20 policy changes per second, 725 * this will last 2^44 seconds, or roughly 500,000 years, so we don't 726 * have to worry about reusing policy index values. 727 */ 728 uint64_t ipsec_next_policy_index; 729 730 HASH_HEAD(ipsec_action_s) ipsec_action_hash[IPSEC_ACTION_HASH_SIZE]; 731 HASH_HEAD(ipsec_sel) *ipsec_sel_hash; 732 uint32_t ipsec_spd_hashsize; 733 734 ipsif_t ipsec_ipsid_buckets[IPSID_HASHSIZE]; 735 736 /* 737 * Active & Inactive system policy roots 738 */ 739 ipsec_policy_head_t ipsec_system_policy; 740 ipsec_policy_head_t ipsec_inactive_policy; 741 742 /* Packet dropper for generic SPD drops. */ 743 ipdropper_t ipsec_spd_dropper; 744 745 /* ipdrop.c */ 746 kstat_t *ipsec_ip_drop_kstat; 747 struct ip_dropstats *ipsec_ip_drop_types; 748 749 /* spd.c */ 750 /* 751 * Have a counter for every possible policy message in 752 * ipsec_policy_failure_msgs 753 */ 754 uint32_t ipsec_policy_failure_count[IPSEC_POLICY_MAX]; 755 /* Time since last ipsec policy failure that printed a message. */ 756 hrtime_t ipsec_policy_failure_last; 757 758 /* ip_spd.c */ 759 /* stats */ 760 kstat_t *ipsec_ksp; 761 struct ipsec_kstats_s *ipsec_kstats; 762 763 /* sadb.c */ 764 /* Packet dropper for generic SADB drops. */ 765 ipdropper_t ipsec_sadb_dropper; 766 767 /* spd.c */ 768 boolean_t ipsec_inbound_v4_policy_present; 769 boolean_t ipsec_outbound_v4_policy_present; 770 boolean_t ipsec_inbound_v6_policy_present; 771 boolean_t ipsec_outbound_v6_policy_present; 772 773 /* spd.c */ 774 /* 775 * Because policy needs to know what algorithms are supported, keep the 776 * lists of algorithms here. 777 */ 778 kmutex_t ipsec_alg_lock; 779 780 uint8_t ipsec_nalgs[IPSEC_NALGTYPES]; 781 ipsec_alginfo_t *ipsec_alglists[IPSEC_NALGTYPES][IPSEC_MAX_ALGS]; 782 783 uint8_t ipsec_sortlist[IPSEC_NALGTYPES][IPSEC_MAX_ALGS]; 784 785 int ipsec_algs_exec_mode[IPSEC_NALGTYPES]; 786 787 uint32_t ipsec_tun_spd_hashsize; 788 /* 789 * Tunnel policies - AVL tree indexed by tunnel name. 790 */ 791 krwlock_t ipsec_tunnel_policy_lock; 792 uint64_t ipsec_tunnel_policy_gen; 793 avl_tree_t ipsec_tunnel_policies; 794 795 /* ipsec_loader.c */ 796 kmutex_t ipsec_loader_lock; 797 int ipsec_loader_state; 798 int ipsec_loader_sig; 799 kt_did_t ipsec_loader_tid; 800 kcondvar_t ipsec_loader_sig_cv; /* For loader_sig conditions. */ 801 802 }; 803 typedef struct ipsec_stack ipsec_stack_t; 804 805 /* Handle the kstat_create in ip_drop_init() failing */ 806 #define DROPPER(_ipss, _dropper) \ 807 (((_ipss)->ipsec_ip_drop_types == NULL) ? NULL : \ 808 &((_ipss)->ipsec_ip_drop_types->_dropper)) 809 810 /* 811 * Loader states.. 812 */ 813 #define IPSEC_LOADER_WAIT 0 814 #define IPSEC_LOADER_FAILED -1 815 #define IPSEC_LOADER_SUCCEEDED 1 816 817 /* 818 * ipsec_loader entrypoints. 819 */ 820 extern void ipsec_loader_init(ipsec_stack_t *); 821 extern void ipsec_loader_start(ipsec_stack_t *); 822 extern void ipsec_loader_destroy(ipsec_stack_t *); 823 extern void ipsec_loader_loadnow(ipsec_stack_t *); 824 extern boolean_t ipsec_loader_wait(queue_t *q, ipsec_stack_t *); 825 extern boolean_t ipsec_loaded(ipsec_stack_t *); 826 extern boolean_t ipsec_failed(ipsec_stack_t *); 827 828 /* 829 * callback from ipsec_loader to ip 830 */ 831 extern void ip_ipsec_load_complete(ipsec_stack_t *); 832 833 /* 834 * ipsec policy entrypoints (spd.c) 835 */ 836 837 extern void ipsec_policy_g_destroy(void); 838 extern void ipsec_policy_g_init(void); 839 840 extern int ipsec_alloc_table(ipsec_policy_head_t *, int, int, boolean_t, 841 netstack_t *); 842 extern void ipsec_polhead_init(ipsec_policy_head_t *, int); 843 extern void ipsec_polhead_destroy(ipsec_policy_head_t *); 844 extern void ipsec_polhead_free_table(ipsec_policy_head_t *); 845 extern mblk_t *ipsec_check_global_policy(mblk_t *, conn_t *, ipha_t *, 846 ip6_t *, boolean_t, netstack_t *); 847 extern mblk_t *ipsec_check_inbound_policy(mblk_t *, conn_t *, ipha_t *, ip6_t *, 848 boolean_t); 849 850 extern boolean_t ipsec_in_to_out(mblk_t *, ipha_t *, ip6_t *); 851 extern void ipsec_log_policy_failure(int, char *, ipha_t *, ip6_t *, boolean_t, 852 netstack_t *); 853 extern boolean_t ipsec_inbound_accept_clear(mblk_t *, ipha_t *, ip6_t *); 854 extern int ipsec_conn_cache_policy(conn_t *, boolean_t); 855 extern mblk_t *ipsec_alloc_ipsec_out(netstack_t *); 856 extern mblk_t *ipsec_attach_ipsec_out(mblk_t **, conn_t *, ipsec_policy_t *, 857 uint8_t, netstack_t *); 858 extern mblk_t *ipsec_init_ipsec_out(mblk_t *, mblk_t **, conn_t *, 859 ipsec_policy_t *, uint8_t, netstack_t *); 860 struct ipsec_in_s; 861 extern ipsec_action_t *ipsec_in_to_out_action(struct ipsec_in_s *); 862 extern boolean_t ipsec_check_ipsecin_latch(struct ipsec_in_s *, mblk_t *, 863 struct ipsec_latch_s *, ipha_t *, ip6_t *, const char **, kstat_named_t **, 864 conn_t *); 865 extern void ipsec_latch_inbound(ipsec_latch_t *ipl, struct ipsec_in_s *ii); 866 867 extern void ipsec_policy_free(ipsec_policy_t *, netstack_t *); 868 extern void ipsec_action_free(ipsec_action_t *); 869 extern void ipsec_polhead_free(ipsec_policy_head_t *, netstack_t *); 870 extern ipsec_policy_head_t *ipsec_polhead_split(ipsec_policy_head_t *, 871 netstack_t *); 872 extern ipsec_policy_head_t *ipsec_polhead_create(void); 873 extern ipsec_policy_head_t *ipsec_system_policy(netstack_t *); 874 extern ipsec_policy_head_t *ipsec_inactive_policy(netstack_t *); 875 extern void ipsec_swap_policy(ipsec_policy_head_t *, ipsec_policy_head_t *, 876 netstack_t *); 877 extern void ipsec_swap_global_policy(netstack_t *); 878 879 extern int ipsec_clone_system_policy(netstack_t *); 880 extern ipsec_policy_t *ipsec_policy_create(ipsec_selkey_t *, 881 const ipsec_act_t *, int, int, uint64_t *, netstack_t *); 882 extern boolean_t ipsec_policy_delete(ipsec_policy_head_t *, 883 ipsec_selkey_t *, int, netstack_t *); 884 extern int ipsec_policy_delete_index(ipsec_policy_head_t *, uint64_t, 885 netstack_t *); 886 extern boolean_t ipsec_polhead_insert(ipsec_policy_head_t *, ipsec_act_t *, 887 uint_t, int, int, netstack_t *); 888 extern void ipsec_polhead_flush(ipsec_policy_head_t *, netstack_t *); 889 extern int ipsec_copy_polhead(ipsec_policy_head_t *, ipsec_policy_head_t *, 890 netstack_t *); 891 extern void ipsec_actvec_from_req(const ipsec_req_t *, ipsec_act_t **, uint_t *, 892 netstack_t *); 893 extern void ipsec_actvec_free(ipsec_act_t *, uint_t); 894 extern int ipsec_req_from_head(ipsec_policy_head_t *, ipsec_req_t *, int); 895 extern mblk_t *ipsec_construct_inverse_acquire(sadb_msg_t *, sadb_ext_t **, 896 netstack_t *); 897 extern mblk_t *ip_wput_attach_policy(mblk_t *, ipha_t *, ip6_t *, ire_t *, 898 conn_t *, boolean_t, zoneid_t); 899 extern mblk_t *ip_wput_ire_parse_ipsec_out(mblk_t *, ipha_t *, ip6_t *, 900 ire_t *, conn_t *, boolean_t, zoneid_t); 901 extern ipsec_policy_t *ipsec_find_policy(int, conn_t *, 902 struct ipsec_out_s *, ipsec_selector_t *, netstack_t *); 903 extern ipsid_t *ipsid_lookup(int, char *, netstack_t *); 904 extern boolean_t ipsid_equal(ipsid_t *, ipsid_t *); 905 extern void ipsid_gc(netstack_t *); 906 extern void ipsec_latch_ids(ipsec_latch_t *, ipsid_t *, ipsid_t *); 907 908 extern void ipsec_config_flush(netstack_t *); 909 extern boolean_t ipsec_check_policy(ipsec_policy_head_t *, ipsec_policy_t *, 910 int); 911 extern void ipsec_enter_policy(ipsec_policy_head_t *, ipsec_policy_t *, int, 912 netstack_t *); 913 extern boolean_t ipsec_check_action(ipsec_act_t *, int *, netstack_t *); 914 915 extern mblk_t *ipsec_out_tag(mblk_t *, mblk_t *, netstack_t *); 916 extern mblk_t *ipsec_in_tag(mblk_t *, mblk_t *, netstack_t *); 917 extern mblk_t *ip_copymsg(mblk_t *mp); 918 919 extern void iplatch_free(ipsec_latch_t *, netstack_t *); 920 extern ipsec_latch_t *iplatch_create(void); 921 extern int ipsec_set_req(cred_t *, conn_t *, ipsec_req_t *); 922 923 extern void ipsec_insert_always(avl_tree_t *tree, void *new_node); 924 925 extern int32_t ipsec_act_ovhd(const ipsec_act_t *act); 926 927 /* 928 * Tunnel-support SPD functions and variables. 929 */ 930 struct iptun_s; /* Defined in inet/iptun/iptun_impl.h. */ 931 extern boolean_t ipsec_tun_inbound(mblk_t *, mblk_t **, ipsec_tun_pol_t *, 932 ipha_t *, ip6_t *, ipha_t *, ip6_t *, int, netstack_t *); 933 extern mblk_t *ipsec_tun_outbound(mblk_t *, struct iptun_s *, ipha_t *, 934 ip6_t *, ipha_t *, ip6_t *, int); 935 extern void itp_free(ipsec_tun_pol_t *, netstack_t *); 936 extern ipsec_tun_pol_t *create_tunnel_policy(char *, int *, uint64_t *, 937 netstack_t *); 938 extern ipsec_tun_pol_t *get_tunnel_policy(char *, netstack_t *); 939 extern void itp_unlink(ipsec_tun_pol_t *, netstack_t *); 940 extern void itp_walk(void (*)(ipsec_tun_pol_t *, void *, netstack_t *), 941 void *, netstack_t *); 942 943 extern ipsec_tun_pol_t *itp_get_byaddr(uint32_t *, uint32_t *, int, 944 ip_stack_t *); 945 946 /* 947 * IPsec AH/ESP functions called from IP or the common SADB code in AH. 948 */ 949 950 extern void ipsecah_in_assocfailure(mblk_t *, char, ushort_t, char *, 951 uint32_t, void *, int, ipsecah_stack_t *); 952 extern void ipsecesp_in_assocfailure(mblk_t *, char, ushort_t, char *, 953 uint32_t, void *, int, ipsecesp_stack_t *); 954 extern void ipsecesp_send_keepalive(ipsa_t *); 955 956 /* 957 * Algorithm management helper functions. 958 */ 959 extern boolean_t ipsec_valid_key_size(uint16_t, ipsec_alginfo_t *); 960 961 /* 962 * Per-socket policy, for now, takes precedence... this priority value 963 * insures it. 964 */ 965 #define IPSEC_PRIO_SOCKET 0x1000000 966 967 /* DDI initialization functions. */ 968 extern boolean_t ipsecesp_ddi_init(void); 969 extern boolean_t ipsecah_ddi_init(void); 970 extern boolean_t keysock_ddi_init(void); 971 extern boolean_t spdsock_ddi_init(void); 972 973 extern void ipsecesp_ddi_destroy(void); 974 extern void ipsecah_ddi_destroy(void); 975 extern void keysock_ddi_destroy(void); 976 extern void spdsock_ddi_destroy(void); 977 978 /* 979 * AH- and ESP-specific functions that are called directly by other modules. 980 */ 981 extern void ipsecah_fill_defs(struct sadb_x_ecomb *, netstack_t *); 982 extern void ipsecesp_fill_defs(struct sadb_x_ecomb *, netstack_t *); 983 extern void ipsecah_algs_changed(netstack_t *); 984 extern void ipsecesp_algs_changed(netstack_t *); 985 extern void ipsecesp_init_funcs(ipsa_t *); 986 extern void ipsecah_init_funcs(ipsa_t *); 987 extern ipsec_status_t ipsecah_icmp_error(mblk_t *); 988 extern ipsec_status_t ipsecesp_icmp_error(mblk_t *); 989 990 /* 991 * Wrapper for putnext() to ipsec accelerated interface. 992 */ 993 extern void ipsec_hw_putnext(queue_t *, mblk_t *); 994 995 /* 996 * spdsock functions that are called directly by IP. 997 */ 998 extern void spdsock_update_pending_algs(netstack_t *); 999 1000 /* 1001 * IP functions that are called from AH and ESP. 1002 */ 1003 extern boolean_t ipsec_outbound_sa(mblk_t *, uint_t); 1004 extern esph_t *ipsec_inbound_esp_sa(mblk_t *, netstack_t *); 1005 extern ah_t *ipsec_inbound_ah_sa(mblk_t *, netstack_t *); 1006 extern ipsec_policy_t *ipsec_find_policy_head(ipsec_policy_t *, 1007 ipsec_policy_head_t *, int, ipsec_selector_t *, netstack_t *); 1008 1009 /* 1010 * IP dropper init/destroy. 1011 */ 1012 void ip_drop_init(ipsec_stack_t *); 1013 void ip_drop_destroy(ipsec_stack_t *); 1014 1015 /* 1016 * Common functions 1017 */ 1018 extern boolean_t ip_addr_match(uint8_t *, int, in6_addr_t *); 1019 1020 /* 1021 * AH and ESP counters types. 1022 */ 1023 typedef uint32_t ah_counter; 1024 typedef uint32_t esp_counter; 1025 1026 #endif /* _KERNEL */ 1027 1028 #ifdef __cplusplus 1029 } 1030 #endif 1031 1032 #endif /* _INET_IPSEC_IMPL_H */ 1033