1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #ifndef _INET_IPSEC_INFO_H 27 #define _INET_IPSEC_INFO_H 28 29 #pragma ident "%Z%%M% %I% %E% SMI" 30 31 #ifdef __cplusplus 32 extern "C" { 33 #endif 34 35 #include <sys/crypto/common.h> 36 37 /* 38 * IPsec informational messages. These are M_CTL STREAMS messages, which 39 * convey IPsec information between various IP and related modules. The 40 * messages come in a few flavors: 41 * 42 * * IPSEC_{IN,OUT} - These show what IPsec action have been taken (for 43 * inbound datagrams), or need to be taken (for outbound datagrams). 44 * They flow between AH/ESP and IP. 45 * 46 * * Keysock consumer interface - These messages are wrappers for 47 * PF_KEY messages. They flow between AH/ESP and keysock. 48 */ 49 50 /* 51 * The IPsec M_CTL value MUST be something that will not be even close 52 * to an IPv4 or IPv6 header. This means the first byte must not be 53 * 0x40 - 0x4f or 0x60-0x6f. For big-endian machines, this is fixable with 54 * the IPSEC_M_CTL prefix. 
For little-endian machines, the actual M_CTL
 * _type_ must not be in the aforementioned ranges.
 *
 * The reason for this avoidance is because M_CTL's with a real IPv4/IPv6
 * datagram get sent to TCP or UDP when an ICMP datagram affects a
 * TCP/UDP session.
 */
#define IPSEC_M_CTL 0x73706900

/*
 * M_CTL types for IPsec messages. Remember, the values 0x40 - 0x4f and 0x60
 * - 0x6f are not to be used because of potential little-endian confusion.
 *
 * Offsets 1-25 (decimal) are in use, spread through this file.
 * Check for duplicates through the whole file before adding.
 *
 * NOTE(review): only offsets 1-7, 24 and 25 are actually defined in this
 * header; the remaining offsets are presumably allocated elsewhere --
 * confirm before reusing any of them.
 */

/*
 * IPSEC_{IN,OUT} policy expressors.
 */
#define IPSEC_IN (IPSEC_M_CTL + 1)
#define IPSEC_OUT (IPSEC_M_CTL + 2)

/*
 * This is used for communication between IP and IPSEC (AH/ESP)
 * for Inbound datagrams. IPSEC_IN is allocated by IP before IPSEC
 * processing begins. On return spi fields are initialized so that
 * IP can locate the security associations later on for doing policy
 * checks. For loopback case, IPSEC processing is not done. But the
 * attributes of the security are reflected in <foo>_done fields below.
 * The code in policy check infers that it is a loopback case and
 * would not try to get the associations.
 *
 * The leading (type, len) pair is the common prefix shared by every
 * member of the ipsec_info_t union (see ipsec_allu below).
 */
typedef struct ipsec_in_s {
	uint32_t ipsec_in_type;		/* message type; expected to be IPSEC_IN */
	uint32_t ipsec_in_len;		/* length of this message, in bytes */
	frtn_t ipsec_in_frtn;		/* for esballoc() callback */
	struct ipsa_s *ipsec_in_ah_sa;	/* SA for AH */
	struct ipsa_s *ipsec_in_esp_sa;	/* SA for ESP */

	struct ipsec_policy_head_s *ipsec_in_policy;
	struct ipsec_action_s *ipsec_in_action;	/* how we made it in.. */
	unsigned int
	    ipsec_in_secure : 1,	/* Is the message attached secure ? */
	    ipsec_in_v4 : 1,		/* Is this an ipv4 packet ? */
	    ipsec_in_loopback : 1,	/* Is this a loopback request ? */
	    ipsec_in_dont_check : 1,	/* Used by TCP to avoid policy check */
					/* NOTE(review): a set bit skips the */
					/* inbound policy check; confirm it is */
					/* only set by TCP on a conn that was */
					/* already checked. */

	    ipsec_in_decaps : 1,	/* Was this packet decapsulated from */
					/* a matching inner packet? */
	    ipsec_in_attach_if : 1,	/* Don't load spread this packet */
	    ipsec_in_accelerated : 1,	/* hardware accelerated packet */

	    ipsec_in_icmp_loopback : 1,	/* Looped-back ICMP packet, */
					/* all should trust this. */
					/* NOTE(review): this is a trust flag */
					/* honoured by every receiver, so it must */
					/* only be set by the kernel's own loopback */
					/* path -- verify where it is set. */
	    ipsec_in_pad_bits : 24;	/* pads the bit-field group to 32 bits */

	int ipsec_in_ill_index;		/* interface on which ipha_dst was */
					/* configured when pkt was recv'd */
	int ipsec_in_rill_index;	/* interface on which pkt was recv'd */
	mblk_t *ipsec_in_da;		/* data attr. for accelerated pkts */

	/*
	 * For call to the kernel crypto framework. State needed during
	 * the execution of a crypto request. Storing these here
	 * allows us to avoid a separate allocation before calling the
	 * crypto framework.
	 */
	size_t ipsec_in_skip_len;	/* len to skip for AH auth */
	crypto_data_t ipsec_in_crypto_data;	/* single op crypto data */
	crypto_dual_data_t ipsec_in_crypto_dual_data;	/* for dual ops */
	crypto_data_t ipsec_in_crypto_mac;	/* to store the MAC */

	zoneid_t ipsec_in_zoneid;	/* target zone for the datagram */
} ipsec_in_t;

#define IPSECOUT_MAX_ADDRLEN 4	/* Max addr len. (in 32-bit words) */
/*
 * This is used for communication between IP and IPSEC (AH/ESP)
 * for Outbound datagrams. IPSEC_OUT is allocated by IP before IPSEC
 * processing begins. On return SA fields are initialized so that
 * IP can locate the security associations later on for doing policy
 * checks. The policy and the actions associated with this packet are
 * stored in the ipsec_out_policy and ipsec_out_act fields respectively.
 * IPSEC_OUT is also used to carry non-ipsec information when conn is
 * absent or the conn information is lost across the calls to ARP.
 * example: message from ARP or from ICMP error routines.
*/
typedef struct ipsec_out_s {
	uint32_t ipsec_out_type;	/* message type; expected to be IPSEC_OUT */
	uint32_t ipsec_out_len;		/* length of this message, in bytes */
	frtn_t ipsec_out_frtn;		/* for esballoc() callback */
	struct ipsec_policy_head_s *ipsec_out_polhead;
	ipsec_latch_t *ipsec_out_latch;
	struct ipsec_policy_s *ipsec_out_policy;	/* why are we here? */
	struct ipsec_action_s *ipsec_out_act;	/* what do we want? */
	struct ipsa_s *ipsec_out_ah_sa;		/* AH SA used for the packet */
	struct ipsa_s *ipsec_out_esp_sa;	/* ESP SA used for the packet */
	/*
	 * NOTE: "Source" and "Dest" are w.r.t. outbound datagrams. Ports can
	 * be zero, and the protocol number is needed to make the ports
	 * significant.
	 */
	uint16_t ipsec_out_src_port;	/* Source port number of d-gram. */
	uint16_t ipsec_out_dst_port;	/* Destination port number of d-gram. */
	uint8_t ipsec_out_icmp_type;	/* ICMP type of d-gram */
	uint8_t ipsec_out_icmp_code;	/* ICMP code of d-gram */

	sa_family_t ipsec_out_inaf;	/* Inner address family */
	/* 4 x 32-bit words (128 bits): large enough for an IPv6 address. */
	uint32_t ipsec_out_insrc[IPSECOUT_MAX_ADDRLEN];	/* Inner src address */
	uint32_t ipsec_out_indst[IPSECOUT_MAX_ADDRLEN];	/* Inner dest address */
	uint8_t ipsec_out_insrcpfx;	/* Inner source prefix */
	uint8_t ipsec_out_indstpfx;	/* Inner destination prefix */

	uint_t ipsec_out_ill_index;	/* ill index used for multicast etc. */
	uint8_t ipsec_out_proto;	/* IP protocol number for d-gram. */
	unsigned int
	    ipsec_out_tunnel : 1,		/* Tunnel mode? */
	    ipsec_out_use_global_policy : 1,	/* Inherit global policy ? */
	    ipsec_out_secure : 1,		/* Is this secure ? */
	    ipsec_out_proc_begin : 1,		/* IPSEC processing begun */
	    /*
	     * Following five values reflect the values stored
	     * in conn.
	     */
	    ipsec_out_multicast_loop : 1,
	    ipsec_out_dontroute : 1,
	    ipsec_out_reserved : 1,
	    ipsec_out_v4 : 1,

	    ipsec_out_attach_if : 1,
	    ipsec_out_unspec_src : 1,		/* IPv6 ip6i_t info */
	    ipsec_out_reachable : 1,		/* NDP reachability info */
	    /*
	     * Following bit is used by ip_mrtun_forward to convey
	     * xmit_ill information along with ICMP error msg
	     */
	    ipsec_out_xmit_if: 1,

	    ipsec_out_failed: 1,		/* AH/ESP processing failed */
	    ipsec_out_se_done: 1,
	    ipsec_out_esp_done: 1,		/* ESP processing completed */
	    ipsec_out_ah_done: 1,		/* AH processing completed */

	    ipsec_out_need_policy: 1,

	    /*
	     * To indicate that packet must be accelerated, i.e.
	     * ICV or encryption performed, by Provider.
	     */
	    ipsec_out_accelerated : 1,
	    /*
	     * Used by IP to tell IPsec that the outbound ill for this
	     * packet supports acceleration of the AH or ESP protocol.
	     * If set, ipsec_out_capab_ill_index contains the
	     * index of the ill.
	     */
	    ipsec_out_is_capab_ill : 1,
	    /*
	     * Indicates ICMP message destined for self. These
	     * messages are to be trusted by all receivers.
	     * NOTE(review): a trust flag; confirm that only the local
	     * ICMP path can set it before relying on it downstream.
	     */
	    ipsec_out_icmp_loopback: 1,
	    ipsec_out_ip_nexthop : 1,	/* IP_NEXTHOP option is set */
	    ipsec_out_pad_bits : 11;	/* pads the bit-field group to 32 bits */
	cred_t *ipsec_out_cred;
	uint32_t ipsec_out_capab_ill_index;	/* valid when ipsec_out_is_capab_ill */
						/* is set */

	/*
	 * For call to the kernel crypto framework. State needed during
	 * the execution of a crypto request. Storing these here
	 * allows us to avoid a separate allocation before calling the
	 * crypto framework.
	 */
	size_t ipsec_out_skip_len;	/* len to skip for AH auth */
	crypto_data_t ipsec_out_crypto_data;	/* single op crypto data */
	crypto_dual_data_t ipsec_out_crypto_dual_data;	/* for dual ops */
	crypto_data_t ipsec_out_crypto_mac;	/* to store the MAC */

	zoneid_t ipsec_out_zoneid;	/* source zone for the datagram */
	in6_addr_t ipsec_out_nexthop_v6;	/* nexthop IP address */
	/*
	 * Alias for (presumably) the IPv4 part of ipsec_out_nexthop_v6;
	 * V4_PART_OF_V6 is defined elsewhere.
	 */
#define ipsec_out_nexthop_addr V4_PART_OF_V6(ipsec_out_nexthop_v6)
} ipsec_out_t;

/*
 * This is used to mark the ipsec_out_t *req* fields
 * when the operation is done without affecting the
 * requests.
 * NOTE(review): no field named *_req is declared in ipsec_out_t above;
 * confirm which field these bits are applied to.
 */
#define IPSEC_REQ_DONE 0x80000000
/*
 * Operation could not be performed by the AH/ESP
 * module.
 */
#define IPSEC_REQ_FAILED 0x40000000

/*
 * Keysock consumer interface.
 *
 * The driver/module keysock (which is a driver to PF_KEY sockets, but is
 * a module to 'consumers' like AH and ESP) uses keysock consumer interface
 * messages to pass on PF_KEY messages to consumers who process and act upon
 * them.
 */
#define KEYSOCK_IN (IPSEC_M_CTL + 3)
#define KEYSOCK_OUT (IPSEC_M_CTL + 4)
#define KEYSOCK_OUT_ERR (IPSEC_M_CTL + 5)
#define KEYSOCK_HELLO (IPSEC_M_CTL + 6)
#define KEYSOCK_HELLO_ACK (IPSEC_M_CTL + 7)

/*
 * KEYSOCK_HELLO is sent by keysock to a consumer when it is pushed on top
 * of one (i.e. opened as a module).
 *
 * NOTE: Keysock_hello is simply an ipsec_info_t
 */

/* TUN_HELLO is just like KEYSOCK_HELLO, except for tunnels to talk with IP. */
#define TUN_HELLO KEYSOCK_HELLO

/*
 * KEYSOCK_HELLO_ACK is sent by a consumer to acknowledge a KEYSOCK_HELLO.
 * It contains the PF_KEYv2 sa_type, so keysock can redirect PF_KEY messages
 * to the right consumer.
*/
typedef struct keysock_hello_ack_s {
	uint32_t ks_hello_type;		/* message type; expected to be KEYSOCK_HELLO_ACK */
	uint32_t ks_hello_len;		/* length of this message, in bytes */
	uint8_t ks_hello_satype;	/* PF_KEYv2 sa_type of ks client */
} keysock_hello_ack_t;

/*
 * Address classifications for KEYSOCK_IN; by name these are presumably the
 * values carried in ks_in_srctype and ks_in_dsttype -- confirm in keysock.
 */
#define KS_IN_ADDR_UNKNOWN 0
#define KS_IN_ADDR_NOTTHERE 1
#define KS_IN_ADDR_UNSPEC 2
#define KS_IN_ADDR_ME 3
#define KS_IN_ADDR_NOTME 4
#define KS_IN_ADDR_MBCAST 5
#define KS_IN_ADDR_DONTCARE 6

/*
 * KEYSOCK_IN is a PF_KEY message from a PF_KEY socket destined for a consumer.
 */
typedef struct keysock_in_s {
	uint32_t ks_in_type;		/* message type; expected to be KEYSOCK_IN */
	uint32_t ks_in_len;		/* length of this message, in bytes */
	/*
	 * NOTE: These pointers MUST be into the M_DATA that follows
	 * this M_CTL message. If they aren't, weirdness
	 * results.
	 * NOTE(review): nothing in this struct records the bounds of that
	 * M_DATA, so a consumer cannot validate the pointers from here
	 * alone; it relies on the producer (keysock) keeping them in range.
	 */
	struct sadb_ext *ks_in_extv[SADB_EXT_MAX + 1];	/* presumably indexed by */
							/* sadb extension type */
	int ks_in_srctype;	/* Source address type. */
	int ks_in_dsttype;	/* Dest address type. */
	minor_t ks_in_serial;	/* Serial # of sending socket. */
} keysock_in_t;

/*
 * KEYSOCK_OUT is a PF_KEY message from a consumer destined for a PF_KEY
 * socket.
 */
typedef struct keysock_out_s {
	uint32_t ks_out_type;		/* message type; expected to be KEYSOCK_OUT */
	uint32_t ks_out_len;		/* length of this message, in bytes */
	minor_t ks_out_serial;		/* Serial # of sending socket. */
} keysock_out_t;

/*
 * KEYSOCK_OUT_ERR is sent to a consumer from keysock if for some reason
 * keysock could not find a PF_KEY socket to deliver a consumer-originated
 * message (e.g. SADB_ACQUIRE).
 */
typedef struct keysock_out_err_s {
	uint32_t ks_err_type;		/* message type; expected to be KEYSOCK_OUT_ERR */
	uint32_t ks_err_len;		/* length of this message, in bytes */
	minor_t ks_err_serial;		/* Serial # of the socket that could not be reached */
	int ks_err_errno;		/* errno-style reason, by name -- confirm */
	/*
	 * Other, richer error information may end up going here eventually.
	 */
} keysock_out_err_t;

/*
 * M_CTL message type for sending inbound pkt information between IP & ULP.
 * These are _not_ related to IPsec in any way, but are here so that there is
 * one place where all these values are defined which makes it easier to track.
* The choice of this value has the same rationale as explained above.
 */
#define IN_PKTINFO (IPSEC_M_CTL + 24)


/*
 * IPSEC_CTL messages are used by IPsec to send control type requests
 * to IP. Such a control message is currently used by IPsec to request
 * that IP send the contents of an IPsec SA or the entire SADB to
 * every IPsec hardware acceleration capable provider.
 */

#define IPSEC_CTL (IPSEC_M_CTL + 25)

typedef struct ipsec_ctl_s {
	uint32_t ipsec_ctl_type;	/* message type; expected to be IPSEC_CTL */
	uint32_t ipsec_ctl_len;		/* length of this message, in bytes */
	uint_t ipsec_ctl_sa_type;	/* presumably says what ipsec_ctl_sa points */
					/* at -- confirm in the consumer */
	void *ipsec_ctl_sa;		/* untyped SA/SADB payload; interpret */
					/* according to ipsec_ctl_sa_type */
} ipsec_ctl_t;


/*
 * All IPsec informational messages are placed into the ipsec_info_t
 * union, so that allocation can be done once, and IPsec informational
 * messages can be recycled.
 *
 * Every member declared in this file begins with the same
 * (uint32_t type, uint32_t len) pair, so ipsec_allu can be used to read
 * the type and length of any message before the specific member is known.
 */
typedef union ipsec_info_u {
	struct {
		uint32_t ipsec_allu_type;	/* one of the IPSEC_M_CTL + n values */
		uint32_t ipsec_allu_len;	/* In bytes */
	} ipsec_allu;
	ipsec_in_t ipsec_in;
	ipsec_out_t ipsec_out;
	keysock_hello_ack_t keysock_hello_ack;
	keysock_in_t keysock_in;
	keysock_out_t keysock_out;
	keysock_out_err_t keysock_out_err;
	ipsec_ctl_t ipsec_ctl;
} ipsec_info_t;
/* Accessors for the common (type, len) prefix through any ipsec_info_t. */
#define ipsec_info_type ipsec_allu.ipsec_allu_type
#define ipsec_info_len ipsec_allu.ipsec_allu_len

#ifdef __cplusplus
}
#endif

#endif /* _INET_IPSEC_INFO_H */