search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
6762791 race condition found in ipsecah during ipsec-persock test
[illumos-gate.git] / usr / src / uts / common / inet / sadb.h
blob0df0cfcae2d957313e9879446911860d48f6b927
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 #ifndef _INET_SADB_H
27 #define _INET_SADB_H
28
29 #ifdef __cplusplus
30 extern "C" {
31 #endif
32
33 #include <inet/ipsec_info.h>
34 #include <sys/crypto/common.h>
35 #include <sys/crypto/api.h>
36 #include <sys/note.h>
37
38 #define IPSA_MAX_ADDRLEN 4 /* Max address len. (in 32-bits) for an SA. */
39
40 /*
41 * Return codes of IPsec processing functions.
42 */
43 typedef enum {
44 IPSEC_STATUS_SUCCESS = 1,
45 IPSEC_STATUS_FAILED = 2,
46 IPSEC_STATUS_PENDING = 3
47 } ipsec_status_t;
48
49 /*
50 * IP security association. Synchronization assumes 32-bit loads, so
51 * the 64-bit quantities can't even be be read w/o locking it down!
52 */
53
54 /* keying info */
55 typedef struct ipsa_key_s {
56 void *sak_key; /* Algorithm key. */
57 uint_t sak_keylen; /* Algorithm key length (in bytes). */
58 uint_t sak_keybits; /* Algorithm key length (in bits) */
59 uint_t sak_algid; /* Algorithm ID number. */
60 } ipsa_key_t;
61
62 /* the security association */
63 typedef struct ipsa_s {
64 struct ipsa_s *ipsa_next; /* Next in hash bucket */
65 struct ipsa_s **ipsa_ptpn; /* Pointer to previous next pointer. */
66 kmutex_t *ipsa_linklock; /* Pointer to hash-chain lock. */
67 void (*ipsa_freefunc)(struct ipsa_s *); /* freeassoc function */
68 /*
69 * NOTE: I may need more pointers, depending on future SA
70 * requirements.
71 */
72 ipsa_key_t ipsa_authkeydata;
73 #define ipsa_authkey ipsa_authkeydata.sak_key
74 #define ipsa_authkeylen ipsa_authkeydata.sak_keylen
75 #define ipsa_authkeybits ipsa_authkeydata.sak_keybits
76 #define ipsa_auth_alg ipsa_authkeydata.sak_algid
77 ipsa_key_t ipsa_encrkeydata;
78 #define ipsa_encrkey ipsa_encrkeydata.sak_key
79 #define ipsa_encrkeylen ipsa_encrkeydata.sak_keylen
80 #define ipsa_encrkeybits ipsa_encrkeydata.sak_keybits
81 #define ipsa_encr_alg ipsa_encrkeydata.sak_algid
82
83 struct ipsid_s *ipsa_src_cid; /* Source certificate identity */
84 struct ipsid_s *ipsa_dst_cid; /* Destination certificate identity */
85 uint64_t *ipsa_integ; /* Integrity bitmap */
86 uint64_t *ipsa_sens; /* Sensitivity bitmap */
87 mblk_t *ipsa_lpkt; /* Packet received while larval (CAS me) */
88 mblk_t *ipsa_bpkt_head; /* Packets received while idle */
89 mblk_t *ipsa_bpkt_tail;
90 #define SADB_MAX_IDLEPKTS 100
91 uint8_t ipsa_mblkcnt; /* Number of packets received while idle */
92
93 /*
94 * PF_KEYv2 supports a replay window size of 255. Hence there is a
95 * need a bit vector to support a replay window of 255. 256 is a nice
96 * round number, so I support that.
97 *
98 * Use an array of uint64_t for best performance on 64-bit
99 * processors. (And hope that 32-bit compilers can handle things
100 * okay.) The " >> 6 " is to get the appropriate number of 64-bit
101 * ints.
102 */
103 #define SADB_MAX_REPLAY 256 /* Must be 0 mod 64. */
104 uint64_t ipsa_replay_arr[SADB_MAX_REPLAY >> 6];
105
106 uint64_t ipsa_unique_id; /* Non-zero for unique SAs */
107 uint64_t ipsa_unique_mask; /* mask value for unique_id */
108
109 /*
110 * Reference count semantics:
111 *
112 * An SA has a reference count of 1 if something's pointing
113 * to it. This includes being in a hash table. So if an
114 * SA is in a hash table, it has a reference count of at least 1.
115 *
116 * When a ptr. to an IPSA is assigned, you MUST REFHOLD after
117 * said assignment. When a ptr. to an IPSA is released
118 * you MUST REFRELE. When the refcount hits 0, REFRELE
119 * will free the IPSA.
120 */
121 kmutex_t ipsa_lock; /* Locks non-linkage/refcnt fields. */
122 /* Q: Since I may be doing refcnts differently, will I need cv? */
123 uint_t ipsa_refcnt; /* Reference count. */
124
125 /*
126 * The following four time fields are the ones monitored by ah_ager()
127 * and esp_ager() respectively. They are all absolute wall-clock
128 * times. The times of creation (i.e. add time) and first use are
129 * pretty straightforward. The soft and hard expire times are
130 * derived from the times of first use and creation, plus the minimum
131 * expiration times in the fields that follow this.
132 *
133 * For example, if I had a hard add time of 30 seconds, and a hard
134 * use time of 15, the ipsa_hardexpiretime would be time of add, plus
135 * 30 seconds. If I USE the SA such that time of first use plus 15
136 * seconds would be earlier than the add time plus 30 seconds, then
137 * ipsa_hardexpiretime would become this earlier time.
138 */
139 time_t ipsa_addtime; /* Time I was added. */
140 time_t ipsa_usetime; /* Time of my first use. */
141 time_t ipsa_lastuse; /* Time of my last use. */
142 time_t ipsa_idletime; /* Seconds of idle time */
143 time_t ipsa_last_nat_t_ka; /* Time of my last NAT-T keepalive. */
144 time_t ipsa_softexpiretime; /* Time of my first soft expire. */
145 time_t ipsa_hardexpiretime; /* Time of my first hard expire. */
146 time_t ipsa_idleexpiretime; /* Time of my next idle expire time */
147
148 /*
149 * The following fields are directly reflected in PF_KEYv2 LIFETIME
150 * extensions. The time_ts are in number-of-seconds, and the bytes
151 * are in... bytes.
152 */
153 time_t ipsa_softaddlt; /* Seconds of soft lifetime after add. */
154 time_t ipsa_softuselt; /* Seconds of soft lifetime after first use. */
155 time_t ipsa_hardaddlt; /* Seconds of hard lifetime after add. */
156 time_t ipsa_harduselt; /* Seconds of hard lifetime after first use. */
157 time_t ipsa_idleaddlt; /* Seconds of idle time after add */
158 time_t ipsa_idleuselt; /* Seconds of idle time after first use */
159 uint64_t ipsa_softbyteslt; /* Bytes of soft lifetime. */
160 uint64_t ipsa_hardbyteslt; /* Bytes of hard lifetime. */
161 uint64_t ipsa_bytes; /* Bytes encrypted/authed by this SA. */
162
163 /*
164 * "Allocations" are a concept mentioned in PF_KEYv2. We do not
165 * support them, except to record them per the PF_KEYv2 spec.
166 */
167 uint_t ipsa_softalloc; /* Allocations allowed (soft). */
168 uint_t ipsa_hardalloc; /* Allocations allowed (hard). */
169 uint_t ipsa_alloc; /* Allocations made. */
170
171 uint_t ipsa_integlen; /* Length of the integrity bitmap (bytes). */
172 uint_t ipsa_senslen; /* Length of the sensitivity bitmap (bytes). */
173
174 uint_t ipsa_type; /* Type of security association. (AH/etc.) */
175 uint_t ipsa_dpd; /* Domain for sensitivity bit vectors. */
176 uint_t ipsa_senslevel; /* Sensitivity level. */
177 uint_t ipsa_integlevel; /* Integrity level. */
178 uint_t ipsa_state; /* State of my association. */
179 uint_t ipsa_replay_wsize; /* Size of replay window */
180 uint32_t ipsa_flags; /* Flags for security association. */
181 uint32_t ipsa_spi; /* Security parameters index. */
182 uint32_t ipsa_replay; /* Highest seen replay value for this SA. */
183 uint32_t ipsa_kmp; /* key management proto */
184 uint32_t ipsa_kmc; /* key management cookie */
185
186 boolean_t ipsa_haspeer; /* Has peer in another table. */
187
188 /*
189 * Address storage.
190 * The source address can be INADDR_ANY, IN6ADDR_ANY, etc.
191 *
192 * Address families (per sys/socket.h) guide us. We could have just
193 * used sockaddr_storage
194 */
195 sa_family_t ipsa_addrfam;
196 sa_family_t ipsa_innerfam; /* Inner AF can be != src/dst AF. */
197
198 uint32_t ipsa_srcaddr[IPSA_MAX_ADDRLEN];
199 uint32_t ipsa_dstaddr[IPSA_MAX_ADDRLEN];
200 uint32_t ipsa_innersrc[IPSA_MAX_ADDRLEN];
201 uint32_t ipsa_innerdst[IPSA_MAX_ADDRLEN];
202
203 uint8_t ipsa_innersrcpfx;
204 uint8_t ipsa_innerdstpfx;
205
206 uint16_t ipsa_inbound_cksum; /* cksum correction for inbound packets */
207 uint16_t ipsa_local_nat_port; /* Local NAT-T port. (0 --> 4500) */
208 uint16_t ipsa_remote_nat_port; /* The other port that isn't 4500 */
209
210 /* these can only be v4 */
211 uint32_t ipsa_natt_addr_loc;
212 uint32_t ipsa_natt_addr_rem;
213
214 /*
215 * icmp type and code. *_end are to specify ranges. if only
216 * a single value, * and *_end are the same value.
217 */
218 uint8_t ipsa_icmp_type;
219 uint8_t ipsa_icmp_type_end;
220 uint8_t ipsa_icmp_code;
221 uint8_t ipsa_icmp_code_end;
222
223 /*
224 * For the kernel crypto framework.
225 */
226 crypto_key_t ipsa_kcfauthkey; /* authentication key */
227 crypto_key_t ipsa_kcfencrkey; /* encryption key */
228 crypto_ctx_template_t ipsa_authtmpl; /* auth context template */
229 crypto_ctx_template_t ipsa_encrtmpl; /* encr context template */
230 crypto_mechanism_t ipsa_amech; /* auth mech type and ICV len */
231 crypto_mechanism_t ipsa_emech; /* encr mech type */
232 size_t ipsa_mac_len; /* auth MAC length */
233 size_t ipsa_iv_len; /* encr IV length */
234
235 /*
236 * Input and output processing functions called from IP.
237 */
238 ipsec_status_t (*ipsa_output_func)(mblk_t *);
239 ipsec_status_t (*ipsa_input_func)(mblk_t *, void *);
240
241 /*
242 * Soft reference to paired SA
243 */
244 uint32_t ipsa_otherspi;
245
246 /* MLS boxen will probably need more fields in here. */
247
248 netstack_t *ipsa_netstack; /* Does not have a netstack_hold */
249 } ipsa_t;
250
251 /*
252 * ipsa_t address handling macros. We want these to be inlined, and deal
253 * with 32-bit words to avoid bcmp/bcopy calls.
254 *
255 * Assume we only have AF_INET and AF_INET6 addresses for now. Also assume
256 * that we have 32-bit alignment on everything.
257 */
258 #define IPSA_IS_ADDR_UNSPEC(addr, fam) ((((uint32_t *)(addr))[0] == 0) && \
259 (((fam) == AF_INET) || (((uint32_t *)(addr))[3] == 0 && \
260 ((uint32_t *)(addr))[2] == 0 && ((uint32_t *)(addr))[1] == 0)))
261 #define IPSA_ARE_ADDR_EQUAL(addr1, addr2, fam) \
262 ((((uint32_t *)(addr1))[0] == ((uint32_t *)(addr2))[0]) && \
263 (((fam) == AF_INET) || \
264 (((uint32_t *)(addr1))[3] == ((uint32_t *)(addr2))[3] && \
265 ((uint32_t *)(addr1))[2] == ((uint32_t *)(addr2))[2] && \
266 ((uint32_t *)(addr1))[1] == ((uint32_t *)(addr2))[1])))
267 #define IPSA_COPY_ADDR(dstaddr, srcaddr, fam) { \
268 ((uint32_t *)(dstaddr))[0] = ((uint32_t *)(srcaddr))[0]; \
269 if ((fam) == AF_INET6) {\
270 ((uint32_t *)(dstaddr))[1] = ((uint32_t *)(srcaddr))[1]; \
271 ((uint32_t *)(dstaddr))[2] = ((uint32_t *)(srcaddr))[2]; \
272 ((uint32_t *)(dstaddr))[3] = ((uint32_t *)(srcaddr))[3]; } }
273
274 /*
275 * ipsa_t reference hold/release macros.
276 *
277 * If you have a pointer, you REFHOLD. If you are releasing a pointer, you
278 * REFRELE. An ipsa_t that is newly inserted into the table should have
279 * a reference count of 1 (for the table's pointer), plus 1 more for every
280 * pointer that is referencing the ipsa_t.
281 */
282
283 #define IPSA_REFHOLD(ipsa) { \
284 atomic_add_32(&(ipsa)->ipsa_refcnt, 1); \
285 ASSERT((ipsa)->ipsa_refcnt != 0); \
286 }
287
288 /*
289 * Decrement the reference count on the SA.
290 * In architectures e.g sun4u, where atomic_add_32_nv is just
291 * a cas, we need to maintain the right memory barrier semantics
292 * as that of mutex_exit i.e all the loads and stores should complete
293 * before the cas is executed. membar_exit() does that here.
294 */
295
296 #define IPSA_REFRELE(ipsa) { \
297 ASSERT((ipsa)->ipsa_refcnt != 0); \
298 membar_exit(); \
299 if (atomic_add_32_nv(&(ipsa)->ipsa_refcnt, -1) == 0) \
300 ((ipsa)->ipsa_freefunc)(ipsa); \
301 }
302
303 /*
304 * Security association hash macros and definitions. For now, assume the
305 * IPsec model, and hash outbounds on destination address, and inbounds on
306 * SPI.
307 */
308
309 #define IPSEC_DEFAULT_HASH_SIZE 256
310
311 #define INBOUND_HASH(sadb, spi) ((spi) % ((sadb)->sdb_hashsize))
312 #define OUTBOUND_HASH_V4(sadb, v4addr) ((v4addr) % ((sadb)->sdb_hashsize))
313 #define OUTBOUND_HASH_V6(sadb, v6addr) OUTBOUND_HASH_V4((sadb), \
314 (*(uint32_t *)&(v6addr)) ^ (*(((uint32_t *)&(v6addr)) + 1)) ^ \
315 (*(((uint32_t *)&(v6addr)) + 2)) ^ (*(((uint32_t *)&(v6addr)) + 3)))
316
317 /*
318 * Syntactic sugar to find the appropriate hash bucket directly.
319 */
320
321 #define INBOUND_BUCKET(sadb, spi) &(((sadb)->sdb_if)[INBOUND_HASH(sadb, spi)])
322 #define OUTBOUND_BUCKET_V4(sadb, v4addr) \
323 &(((sadb)->sdb_of)[OUTBOUND_HASH_V4(sadb, v4addr)])
324 #define OUTBOUND_BUCKET_V6(sadb, v6addr) \
325 &(((sadb)->sdb_of)[OUTBOUND_HASH_V6(sadb, v6addr)])
326
327 #define IPSA_F_PFS SADB_SAFLAGS_PFS /* PFS in use for this SA? */
328 #define IPSA_F_NOREPFLD SADB_SAFLAGS_NOREPLAY /* No replay field, for */
329 /* backward compat. */
330 #define IPSA_F_USED SADB_X_SAFLAGS_USED /* SA has been used. */
331 #define IPSA_F_UNIQUE SADB_X_SAFLAGS_UNIQUE /* SA is unique */
332 #define IPSA_F_AALG1 SADB_X_SAFLAGS_AALG1 /* Auth alg flag 1 */
333 #define IPSA_F_AALG2 SADB_X_SAFLAGS_AALG2 /* Auth alg flag 2 */
334 #define IPSA_F_EALG1 SADB_X_SAFLAGS_EALG1 /* Encrypt alg flag 1 */
335 #define IPSA_F_EALG2 SADB_X_SAFLAGS_EALG2 /* Encrypt alg flag 2 */
336
337 #define IPSA_F_HW 0x200000 /* hwaccel capable SA */
338 #define IPSA_F_NATT_LOC SADB_X_SAFLAGS_NATT_LOC
339 #define IPSA_F_NATT_REM SADB_X_SAFLAGS_NATT_REM
340 #define IPSA_F_BEHIND_NAT SADB_X_SAFLAGS_NATTED
341 #define IPSA_F_NATT (SADB_X_SAFLAGS_NATT_LOC | SADB_X_SAFLAGS_NATT_REM | \
342 SADB_X_SAFLAGS_NATTED)
343 #define IPSA_F_CINVALID 0x40000 /* SA shouldn't be cached */
344 #define IPSA_F_PAIRED SADB_X_SAFLAGS_PAIRED /* SA is one of a pair */
345 #define IPSA_F_OUTBOUND SADB_X_SAFLAGS_OUTBOUND /* SA direction bit */
346 #define IPSA_F_INBOUND SADB_X_SAFLAGS_INBOUND /* SA direction bit */
347 #define IPSA_F_TUNNEL SADB_X_SAFLAGS_TUNNEL
348
349 /*
350 * Sets of flags that are allowed to by set or modified by PF_KEY apps.
351 */
352 #define AH_UPDATE_SETTABLE_FLAGS \
353 (SADB_X_SAFLAGS_PAIRED | SADB_SAFLAGS_NOREPLAY | \
354 SADB_X_SAFLAGS_OUTBOUND | SADB_X_SAFLAGS_INBOUND | \
355 SADB_X_SAFLAGS_KM1 | SADB_X_SAFLAGS_KM2 | \
356 SADB_X_SAFLAGS_KM3 | SADB_X_SAFLAGS_KM4)
357
358 /* AH can't set NAT flags (or even use NAT). Add NAT flags to the ESP set. */
359 #define ESP_UPDATE_SETTABLE_FLAGS (AH_UPDATE_SETTABLE_FLAGS | IPSA_F_NATT)
360
361 #define AH_ADD_SETTABLE_FLAGS \
362 (AH_UPDATE_SETTABLE_FLAGS | SADB_X_SAFLAGS_AALG1 | \
363 SADB_X_SAFLAGS_AALG2 | SADB_X_SAFLAGS_TUNNEL | \
364 SADB_SAFLAGS_NOREPLAY)
365
366 /* AH can't set NAT flags (or even use NAT). Add NAT flags to the ESP set. */
367 #define ESP_ADD_SETTABLE_FLAGS (AH_ADD_SETTABLE_FLAGS | IPSA_F_NATT | \
368 SADB_X_SAFLAGS_EALG1 | SADB_X_SAFLAGS_EALG2)
369
370
371
372 /* SA states are important for handling UPDATE PF_KEY messages. */
373 #define IPSA_STATE_LARVAL SADB_SASTATE_LARVAL
374 #define IPSA_STATE_MATURE SADB_SASTATE_MATURE
375 #define IPSA_STATE_DYING SADB_SASTATE_DYING
376 #define IPSA_STATE_DEAD SADB_SASTATE_DEAD
377 #define IPSA_STATE_IDLE SADB_X_SASTATE_IDLE
378 #define IPSA_STATE_ACTIVE_ELSEWHERE SADB_X_SASTATE_ACTIVE_ELSEWHERE
379
380 /*
381 * NOTE: If the document authors do things right in defining algorithms, we'll
382 * probably have flags for what all is here w.r.t. replay, ESP w/HMAC,
383 * etc.
384 */
385
386 #define IPSA_T_ACQUIRE SEC_TYPE_NONE /* If this typed returned, sa needed */
387 #define IPSA_T_AH SEC_TYPE_AH /* IPsec AH association */
388 #define IPSA_T_ESP SEC_TYPE_ESP /* IPsec ESP association */
389
390 #define IPSA_AALG_NONE SADB_AALG_NONE /* No auth. algorithm */
391 #define IPSA_AALG_MD5H SADB_AALG_MD5HMAC /* MD5-HMAC algorithm */
392 #define IPSA_AALG_SHA1H SADB_AALG_SHA1HMAC /* SHA1-HMAC algorithm */
393
394 #define IPSA_EALG_NONE SADB_EALG_NONE /* No encryption algorithm */
395 #define IPSA_EALG_DES_CBC SADB_EALG_DESCBC
396 #define IPSA_EALG_3DES SADB_EALG_3DESCBC
397
398 /*
399 * Protect each ipsa_t bucket (and linkage) with a lock.
400 */
401
402 typedef struct isaf_s {
403 ipsa_t *isaf_ipsa;
404 kmutex_t isaf_lock;
405 uint64_t isaf_gen;
406 } isaf_t;
407
408 /*
409 * ACQUIRE record. If AH/ESP/whatever cannot find an association for outbound
410 * traffic, it sends up an SADB_ACQUIRE message and create an ACQUIRE record.
411 */
412
413 #define IPSACQ_MAXPACKETS 4 /* Number of packets that can be queued up */
414 /* waiting for an ACQUIRE to finish. */
415
416 typedef struct ipsacq_s {
417 struct ipsacq_s *ipsacq_next;
418 struct ipsacq_s **ipsacq_ptpn;
419 kmutex_t *ipsacq_linklock;
420 struct ipsec_policy_s *ipsacq_policy;
421 struct ipsec_action_s *ipsacq_act;
422
423 sa_family_t ipsacq_addrfam; /* Address family. */
424 sa_family_t ipsacq_inneraddrfam; /* Inner-packet address family. */
425 int ipsacq_numpackets; /* How many packets queued up so far. */
426 uint32_t ipsacq_seq; /* PF_KEY sequence number. */
427 uint64_t ipsacq_unique_id; /* Unique ID for SAs that need it. */
428
429 kmutex_t ipsacq_lock; /* Protects non-linkage fields. */
430 time_t ipsacq_expire; /* Wall-clock time when this record expires. */
431 mblk_t *ipsacq_mp; /* List of datagrams waiting for an SA. */
432
433 /* These two point inside the last mblk inserted. */
434 uint32_t *ipsacq_srcaddr;
435 uint32_t *ipsacq_dstaddr;
436
437 /* Cache these instead of point so we can mask off accordingly */
438 uint32_t ipsacq_innersrc[IPSA_MAX_ADDRLEN];
439 uint32_t ipsacq_innerdst[IPSA_MAX_ADDRLEN];
440
441 /* These may change per-acquire. */
442 uint16_t ipsacq_srcport;
443 uint16_t ipsacq_dstport;
444 uint8_t ipsacq_proto;
445 uint8_t ipsacq_inner_proto;
446 uint8_t ipsacq_innersrcpfx;
447 uint8_t ipsacq_innerdstpfx;
448
449 /* icmp type and code of triggering packet (if applicable) */
450 uint8_t ipsacq_icmp_type;
451 uint8_t ipsacq_icmp_code;
452 } ipsacq_t;
453
454 /*
455 * Kernel-generated sequence numbers will be no less than 0x80000000 to
456 * forestall any cretinous problems with manual keying accidentally updating
457 * an ACQUIRE entry.
458 */
459 #define IACQF_LOWEST_SEQ 0x80000000
460
461 #define SADB_AGE_INTERVAL_DEFAULT 1000
462
463 /*
464 * ACQUIRE fanout. Protect each linkage with a lock.
465 */
466
467 typedef struct iacqf_s {
468 ipsacq_t *iacqf_ipsacq;
469 kmutex_t iacqf_lock;
470 } iacqf_t;
471
472 /*
473 * A (network protocol, ipsec protocol) specific SADB.
474 * (i.e., one each for {ah, esp} and {v4, v6}.
475 *
476 * Keep outbound assocs about the same as ire_cache entries for now.
477 * One danger point, multiple SAs for a single dest will clog a bucket.
478 * For the future, consider two-level hashing (2nd hash on IPC?), then probe.
479 */
480
481 typedef struct sadb_s
482 {
483 isaf_t *sdb_of;
484 isaf_t *sdb_if;
485 iacqf_t *sdb_acq;
486 int sdb_hashsize;
487 } sadb_t;
488
489 /*
490 * A pair of SADB's (one for v4, one for v6), and related state (including
491 * acquire callbacks).
492 */
493
494 typedef struct sadbp_s
495 {
496 uint32_t s_satype;
497 queue_t *s_ip_q;
498 uint32_t *s_acquire_timeout;
499 void (*s_acqfn)(ipsacq_t *, mblk_t *, netstack_t *);
500 sadb_t s_v4;
501 sadb_t s_v6;
502 uint32_t s_addflags;
503 uint32_t s_updateflags;
504 } sadbp_t;
505
506 /*
507 * A pair of SA's for a single connection, the structure contains a
508 * pointer to a SA and the SA its paired with (opposite direction) as well
509 * as the SA's respective hash buckets.
510 */
511 typedef struct ipsap_s
512 {
513 isaf_t *ipsap_bucket;
514 ipsa_t *ipsap_sa_ptr;
515 isaf_t *ipsap_pbucket;
516 ipsa_t *ipsap_psa_ptr;
517 } ipsap_t;
518
519 typedef struct templist_s
520 {
521 ipsa_t *ipsa;
522 struct templist_s *next;
523 } templist_t;
524
525 /* Pointer to an all-zeroes IPv6 address. */
526 #define ALL_ZEROES_PTR ((uint32_t *)&ipv6_all_zeros)
527
528 /*
529 * Form unique id from ipsec_out_t
530 */
531
532 #define SA_FORM_UNIQUE_ID(io) \
533 SA_UNIQUE_ID((io)->ipsec_out_src_port, (io)->ipsec_out_dst_port, \
534 ((io)->ipsec_out_tunnel ? ((io)->ipsec_out_inaf == AF_INET6 ? \
535 IPPROTO_IPV6 : IPPROTO_ENCAP) : (io)->ipsec_out_proto), \
536 ((io)->ipsec_out_tunnel ? (io)->ipsec_out_proto : 0))
537
538 /*
539 * This macro is used to generate unique ids (along with the addresses, both
540 * inner and outer) for outbound datagrams that require unique SAs.
541 *
542 * N.B. casts and unsigned shift amounts discourage unwarranted
543 * sign extension of dstport, proto, and iproto.
544 *
545 * Unique ID is 64-bits allocated as follows (pardon my big-endian bias):
546 *
547 * 6 4 43 33 11
548 * 3 7 09 21 65 0
549 * +---------------*-------+-------+--------------+---------------+
550 * | MUST-BE-ZERO |<iprot>|<proto>| <src port> | <dest port> |
551 * +---------------*-------+-------+--------------+---------------+
552 *
553 * If there are inner addresses (tunnel mode) the ports come from the
554 * inner addresses. If there are no inner addresses, the ports come from
555 * the outer addresses (transport mode). Tunnel mode MUST have <proto>
556 * set to either IPPROTO_ENCAP or IPPPROTO_IPV6.
557 */
558 #define SA_UNIQUE_ID(srcport, dstport, proto, iproto) \
559 ((srcport) | ((uint64_t)(dstport) << 16U) | \
560 ((uint64_t)(proto) << 32U) | ((uint64_t)(iproto) << 40U))
561
562 /*
563 * SA_UNIQUE_MASK generates a mask value to use when comparing the unique value
564 * from a packet to an SA.
565 */
566
567 #define SA_UNIQUE_MASK(srcport, dstport, proto, iproto) \
568 SA_UNIQUE_ID((srcport != 0) ? 0xffff : 0, \
569 (dstport != 0) ? 0xffff : 0, \
570 (proto != 0) ? 0xff : 0, \
571 (iproto != 0) ? 0xff : 0)
572
573 /*
574 * Decompose unique id back into its original fields.
575 */
576 #define SA_IPROTO(ipsa) ((ipsa)->ipsa_unique_id>>40)&0xff
577 #define SA_PROTO(ipsa) ((ipsa)->ipsa_unique_id>>32)&0xff
578 #define SA_SRCPORT(ipsa) ((ipsa)->ipsa_unique_id & 0xffff)
579 #define SA_DSTPORT(ipsa) (((ipsa)->ipsa_unique_id >> 16) & 0xffff)
580
581 /*
582 * All functions that return an ipsa_t will return it with IPSA_REFHOLD()
583 * already called.
584 */
585
586 /* SA retrieval (inbound and outbound) */
587 ipsa_t *ipsec_getassocbyspi(isaf_t *, uint32_t, uint32_t *, uint32_t *,
588 sa_family_t);
589 ipsa_t *ipsec_getassocbyconn(isaf_t *, ipsec_out_t *, uint32_t *, uint32_t *,
590 sa_family_t, uint8_t);
591 ipsap_t *get_ipsa_pair(sadb_sa_t *, sadb_address_t *, sadb_address_t *,
592 sadbp_t *);
593 void destroy_ipsa_pair(ipsap_t *);
594 int update_pairing(ipsap_t *, keysock_in_t *, int *, sadbp_t *);
595
596 /* SA insertion. */
597 int sadb_insertassoc(ipsa_t *, isaf_t *);
598
599 /* SA table construction and destruction. */
600 void sadbp_init(const char *name, sadbp_t *, int, int, netstack_t *);
601 void sadbp_flush(sadbp_t *, netstack_t *);
602 void sadbp_destroy(sadbp_t *, netstack_t *);
603
604 /* SA insertion and deletion. */
605 int sadb_insertassoc(ipsa_t *, isaf_t *);
606 void sadb_unlinkassoc(ipsa_t *);
607
608 /* Support routines to interface a keysock consumer to PF_KEY. */
609 mblk_t *sadb_keysock_out(minor_t);
610 int sadb_hardsoftchk(sadb_lifetime_t *, sadb_lifetime_t *, sadb_lifetime_t *);
611 void sadb_pfkey_echo(queue_t *, mblk_t *, sadb_msg_t *, struct keysock_in_s *,
612 ipsa_t *);
613 void sadb_pfkey_error(queue_t *, mblk_t *, int, int, uint_t);
614 void sadb_keysock_hello(queue_t **, queue_t *, mblk_t *, void (*)(void *),
615 void *, timeout_id_t *, int);
616 int sadb_addrcheck(queue_t *, mblk_t *, sadb_ext_t *, uint_t, netstack_t *);
617 boolean_t sadb_addrfix(keysock_in_t *, queue_t *, mblk_t *, netstack_t *);
618 int sadb_addrset(ire_t *);
619 int sadb_delget_sa(mblk_t *, keysock_in_t *, sadbp_t *, int *, queue_t *,
620 uint8_t);
621
622 int sadb_purge_sa(mblk_t *, keysock_in_t *, sadb_t *, queue_t *, queue_t *);
623 int sadb_common_add(queue_t *, queue_t *, mblk_t *, sadb_msg_t *,
624 keysock_in_t *, isaf_t *, isaf_t *, ipsa_t *, boolean_t, boolean_t, int *,
625 netstack_t *, sadbp_t *);
626 void sadb_set_usetime(ipsa_t *);
627 boolean_t sadb_age_bytes(queue_t *, ipsa_t *, uint64_t, boolean_t);
628 int sadb_update_sa(mblk_t *, keysock_in_t *, mblk_t **, sadbp_t *,
629 int *, queue_t *, int (*)(mblk_t *, keysock_in_t *, int *, netstack_t *),
630 netstack_t *, uint8_t);
631 void sadb_acquire(mblk_t *, ipsec_out_t *, boolean_t, boolean_t);
632
633 void sadb_destroy_acquire(ipsacq_t *, netstack_t *);
634 struct ipsec_stack;
635 mblk_t *sadb_setup_acquire(ipsacq_t *, uint8_t, struct ipsec_stack *);
636 ipsa_t *sadb_getspi(keysock_in_t *, uint32_t, int *, netstack_t *, uint_t);
637 void sadb_in_acquire(sadb_msg_t *, sadbp_t *, queue_t *, netstack_t *);
638 boolean_t sadb_replay_check(ipsa_t *, uint32_t);
639 boolean_t sadb_replay_peek(ipsa_t *, uint32_t);
640 int sadb_dump(queue_t *, mblk_t *, keysock_in_t *, sadb_t *);
641 void sadb_replay_delete(ipsa_t *);
642 void sadb_ager(sadb_t *, queue_t *, queue_t *, int, netstack_t *);
643
644 timeout_id_t sadb_retimeout(hrtime_t, queue_t *, void (*)(void *), void *,
645 uint_t *, uint_t, short);
646 void sadb_sa_refrele(void *target);
647 boolean_t sadb_set_lpkt(ipsa_t *, mblk_t *, netstack_t *);
648 mblk_t *sadb_clear_lpkt(ipsa_t *);
649 void sadb_buf_pkt(ipsa_t *, mblk_t *, netstack_t *);
650 void sadb_clear_buf_pkt(void *ipkt);
651
652 #define HANDLE_BUF_PKT(taskq, stack, dropper, buf_pkt) \
653 { \
654 if (buf_pkt != NULL) { \
655 if (taskq_dispatch(taskq, sadb_clear_buf_pkt, \
656 (void *) buf_pkt, TQ_NOSLEEP) == 0) { \
657 /* Dispatch was unsuccessful drop the packets. */ \
658 mblk_t *tmp; \
659 while (buf_pkt != NULL) { \
660 tmp = buf_pkt->b_next; \
661 buf_pkt->b_next = NULL; \
662 ip_drop_packet(buf_pkt, B_TRUE, NULL, \
663 NULL, DROPPER(stack, \
664 ipds_sadb_inidle_timeout), \
665 &dropper); \
666 buf_pkt = tmp; \
667 } \
668 } \
669 } \
670 } \
671
672 /*
673 * Hw accel-related calls (downloading sadb to driver)
674 */
675 void sadb_ill_download(ill_t *, uint_t);
676 mblk_t *sadb_fmt_sa_req(uint_t, uint_t, ipsa_t *, boolean_t);
677 /*
678 * Sub-set of the IPsec hardware acceleration capabilities functions
679 * implemented by ip_if.c
680 */
681 extern boolean_t ipsec_capab_match(ill_t *, uint_t, boolean_t, ipsa_t *,
682 netstack_t *);
683 extern void ill_ipsec_capab_send_all(uint_t, mblk_t *, ipsa_t *,
684 netstack_t *);
685
686
687 /*
688 * One IPsec -> IP linking routine, and two IPsec rate-limiting routines.
689 */
690 extern boolean_t sadb_t_bind_req(queue_t *, int);
691 /*PRINTFLIKE6*/
692 extern void ipsec_rl_strlog(netstack_t *, short, short, char,
693 ushort_t, char *, ...)
694 __KPRINTFLIKE(6);
695 extern void ipsec_assocfailure(short, short, char, ushort_t, char *, uint32_t,
696 void *, int, netstack_t *);
697
698 /*
699 * Algorithm types.
700 */
701
702 #define IPSEC_NALGTYPES 2
703
704 typedef enum ipsec_algtype {
705 IPSEC_ALG_AUTH = 0,
706 IPSEC_ALG_ENCR = 1
707 } ipsec_algtype_t;
708
709 /*
710 * Definitions as per IPsec/ISAKMP DOI.
711 */
712
713 #define IPSEC_MAX_ALGS 256
714 #define PROTO_IPSEC_AH 2
715 #define PROTO_IPSEC_ESP 3
716
717 /*
718 * Common algorithm info.
719 */
720 typedef struct ipsec_alginfo
721 {
722 uint8_t alg_id;
723 uint8_t alg_flags;
724 uint16_t *alg_key_sizes;
725 uint16_t *alg_block_sizes;
726 uint16_t alg_nkey_sizes;
727 uint16_t alg_nblock_sizes;
728 uint16_t alg_minbits;
729 uint16_t alg_maxbits;
730 uint16_t alg_datalen;
731 /*
732 * increment: number of bits from keysize to keysize
733 * default: # of increments from min to default key len
734 */
735 uint16_t alg_increment;
736 uint16_t alg_default;
737 uint16_t alg_default_bits;
738 /*
739 * Min, max, and default key sizes effectively supported
740 * by the encryption framework.
741 */
742 uint16_t alg_ef_minbits;
743 uint16_t alg_ef_maxbits;
744 uint16_t alg_ef_default;
745 uint16_t alg_ef_default_bits;
746
747 crypto_mech_type_t alg_mech_type; /* KCF mechanism type */
748 crypto_mech_name_t alg_mech_name; /* KCF mechanism name */
749 } ipsec_alginfo_t;
750
751 #define alg_datalen alg_block_sizes[0]
752
753 #define ALG_FLAG_VALID 0x01
754 #define ALG_VALID(_alg) ((_alg)->alg_flags & ALG_FLAG_VALID)
755
756 /*
757 * Software crypto execution mode.
758 */
759 typedef enum {
760 IPSEC_ALGS_EXEC_SYNC = 0,
761 IPSEC_ALGS_EXEC_ASYNC = 1
762 } ipsec_algs_exec_mode_t;
763
764 extern void ipsec_alg_reg(ipsec_algtype_t, ipsec_alginfo_t *, netstack_t *);
765 extern void ipsec_alg_unreg(ipsec_algtype_t, uint8_t, netstack_t *);
766 extern void ipsec_alg_fix_min_max(ipsec_alginfo_t *, ipsec_algtype_t,
767 netstack_t *ns);
768 extern void ipsec_alg_free(ipsec_alginfo_t *);
769 extern void ipsec_register_prov_update(void);
770 extern void sadb_alg_update(ipsec_algtype_t, uint8_t, boolean_t,
771 netstack_t *);
772
773 /*
774 * Context templates management.
775 */
776
777 #define IPSEC_CTX_TMPL_ALLOC ((crypto_ctx_template_t)-1)
778 #define IPSEC_CTX_TMPL(_sa, _which, _type, _tmpl) { \
779 if ((_tmpl = (_sa)->_which) == IPSEC_CTX_TMPL_ALLOC) { \
780 mutex_enter(&assoc->ipsa_lock); \
781 if ((_sa)->_which == IPSEC_CTX_TMPL_ALLOC) { \
782 ipsec_stack_t *ipss; \
783 \
784 ipss = assoc->ipsa_netstack->netstack_ipsec; \
785 mutex_enter(&ipss->ipsec_alg_lock); \
786 (void) ipsec_create_ctx_tmpl(_sa, _type); \
787 mutex_exit(&ipss->ipsec_alg_lock); \
788 } \
789 mutex_exit(&assoc->ipsa_lock); \
790 if ((_tmpl = (_sa)->_which) == IPSEC_CTX_TMPL_ALLOC) \
791 _tmpl = NULL; \
792 } \
793 }
794
795 extern int ipsec_create_ctx_tmpl(ipsa_t *, ipsec_algtype_t);
796 extern void ipsec_destroy_ctx_tmpl(ipsa_t *, ipsec_algtype_t);
797
798 /* key checking */
799 extern int ipsec_check_key(crypto_mech_type_t, sadb_key_t *, boolean_t, int *);
800
801 typedef struct ipsec_kstats_s {
802 kstat_named_t esp_stat_in_requests;
803 kstat_named_t esp_stat_in_discards;
804 kstat_named_t esp_stat_lookup_failure;
805 kstat_named_t ah_stat_in_requests;
806 kstat_named_t ah_stat_in_discards;
807 kstat_named_t ah_stat_lookup_failure;
808 kstat_named_t sadb_acquire_maxpackets;
809 kstat_named_t sadb_acquire_qhiwater;
810 } ipsec_kstats_t;
811
812 /*
813 * (ipss)->ipsec_kstats is equal to (ipss)->ipsec_ksp->ks_data if
814 * kstat_create_netstack for (ipss)->ipsec_ksp succeeds, but when it
815 * fails, it will be NULL. Note this is done for all stack instances,
816 * so it *could* fail. hence a non-NULL checking is done for
817 * IP_ESP_BUMP_STAT, IP_AH_BUMP_STAT and IP_ACQUIRE_STAT
818 */
819 #define IP_ESP_BUMP_STAT(ipss, x) \
820 do { \
821 if ((ipss)->ipsec_kstats != NULL) \
822 ((ipss)->ipsec_kstats->esp_stat_ ## x).value.ui64++; \
823 _NOTE(CONSTCOND) \
824 } while (0)
825
826 #define IP_AH_BUMP_STAT(ipss, x) \
827 do { \
828 if ((ipss)->ipsec_kstats != NULL) \
829 ((ipss)->ipsec_kstats->ah_stat_ ## x).value.ui64++; \
830 _NOTE(CONSTCOND) \
831 } while (0)
832
833 #define IP_ACQUIRE_STAT(ipss, val, new) \
834 do { \
835 if ((ipss)->ipsec_kstats != NULL && \
836 ((uint64_t)(new)) > \
837 ((ipss)->ipsec_kstats->sadb_acquire_ ## val).value.ui64) \
838 ((ipss)->ipsec_kstats->sadb_acquire_ ## val).value.ui64 = \
839 ((uint64_t)(new)); \
840 _NOTE(CONSTCOND) \
841 } while (0)
842
843
844 #ifdef __cplusplus
845 }
846 #endif
847
848 #endif /* _INET_SADB_H */
Community developed and maintained version of the OS/Net consolidation