4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
27 #ifndef _INET_IPSEC_IMPL_H
28 #define _INET_IPSEC_IMPL_H
31 #include <inet/ipdrop.h>
37 #define IPSEC_CONF_SRC_ADDRESS 0 /* Source Address */
38 #define IPSEC_CONF_SRC_PORT 1 /* Source Port */
39 #define IPSEC_CONF_DST_ADDRESS 2 /* Dest Address */
40 #define IPSEC_CONF_DST_PORT 3 /* Dest Port */
41 #define IPSEC_CONF_SRC_MASK 4 /* Source Address Mask */
42 #define IPSEC_CONF_DST_MASK 5 /* Destination Address Mask */
43 #define IPSEC_CONF_ULP 6 /* Upper layer Port */
44 #define IPSEC_CONF_IPSEC_PROT 7 /* AH or ESP or AH_ESP */
45 #define IPSEC_CONF_IPSEC_AALGS 8 /* Auth Algorithms - MD5 etc. */
46 #define IPSEC_CONF_IPSEC_EALGS 9 /* Encr Algorithms - DES etc. */
47 #define IPSEC_CONF_IPSEC_EAALGS 10 /* Encr Algorithms - MD5 etc. */
48 #define IPSEC_CONF_IPSEC_SA 11 /* Shared or unique SA */
49 #define IPSEC_CONF_IPSEC_DIR 12 /* Direction of traffic */
50 #define IPSEC_CONF_ICMP_TYPE 13 /* ICMP type */
51 #define IPSEC_CONF_ICMP_CODE 14 /* ICMP code */
52 #define IPSEC_CONF_NEGOTIATE 15 /* Negotiation */
53 #define IPSEC_CONF_TUNNEL 16 /* Tunnel */
55 /* Type of an entry */
57 #define IPSEC_NTYPES 0x02
58 #define IPSEC_TYPE_OUTBOUND 0x00
59 #define IPSEC_TYPE_INBOUND 0x01
62 #define IPSEC_POLICY_APPLY 0x01
63 #define IPSEC_POLICY_DISCARD 0x02
64 #define IPSEC_POLICY_BYPASS 0x03
66 /* Shared or unique SA */
67 #define IPSEC_SHARED_SA 0x01
68 #define IPSEC_UNIQUE_SA 0x02
70 /* IPsec protocols and combinations */
71 #define IPSEC_AH_ONLY 0x01
72 #define IPSEC_ESP_ONLY 0x02
73 #define IPSEC_AH_ESP 0x03
76 * Internally defined "any" algorithm.
77 * Move to PF_KEY v3 when that RFC is released.
79 #define SADB_AALG_ANY 255
83 #include <inet/common.h>
84 #include <netinet/ip6.h>
85 #include <netinet/icmp6.h>
86 #include <net/pfkeyv2.h>
88 #include <inet/sadb.h>
89 #include <inet/ipsecah.h>
90 #include <inet/ipsecesp.h>
91 #include <sys/crypto/common.h>
92 #include <sys/crypto/api.h>
96 * Maximum number of authentication algorithms (can be indexed by one byte
97 * per PF_KEY and the IKE IPsec DOI.
102 * IPsec task queue constants.
104 #define IPSEC_TASKQ_MIN 10
105 #define IPSEC_TASKQ_MAX 20
108 * So we can access IPsec global variables that live in keysock.c.
110 extern boolean_t
keysock_extended_reg(netstack_t
*);
111 extern uint32_t keysock_next_seq(netstack_t
*);
114 * Locking for ipsec policy rules:
116 * policy heads: system policy is static; per-conn polheads are dynamic,
117 * and refcounted (and inherited); use atomic refcounts and "don't let
118 * go with both hands".
120 * policy: refcounted; references from polhead, ipsec_out
122 * actions: refcounted; referenced from: action hash table, policy, ipsec_out
123 * selectors: refcounted; referenced from: selector hash table, policy.
127 * the following are inspired by, but not directly based on,
128 * some of the sys/queue.h type-safe pseudo-polymorphic macros
131 * XXX If we use these more generally, we'll have to make the names
132 * less generic (HASH_* will probably clobber other namespaces).
135 #define HASH_LOCK(table, hash) \
136 mutex_enter(&(table)[hash].hash_lock)
137 #define HASH_UNLOCK(table, hash) \
138 mutex_exit(&(table)[hash].hash_lock)
140 #define HASH_LOCKED(table, hash) \
141 MUTEX_HELD(&(table)[hash].hash_lock)
143 #define HASH_ITERATE(var, field, table, hash) \
144 var = table[hash].hash_head; var != NULL; var = var->field.hash_next
146 #define HASH_NEXT(var, field) \
147 (var)->field.hash_next
149 #define HASH_INSERT(var, field, table, hash) \
151 ASSERT(HASH_LOCKED(table, hash)); \
152 (var)->field.hash_next = (table)[hash].hash_head; \
153 (var)->field.hash_pp = &(table)[hash].hash_head; \
154 (table)[hash].hash_head = var; \
155 if ((var)->field.hash_next != NULL) \
156 (var)->field.hash_next->field.hash_pp = \
157 &((var)->field.hash_next); \
161 #define HASH_UNCHAIN(var, field, table, hash) \
163 ASSERT(MUTEX_HELD(&(table)[hash].hash_lock)); \
164 HASHLIST_UNCHAIN(var, field); \
167 #define HASHLIST_INSERT(var, field, head) \
169 (var)->field.hash_next = head; \
170 (var)->field.hash_pp = &(head); \
172 if ((var)->field.hash_next != NULL) \
173 (var)->field.hash_next->field.hash_pp = \
174 &((var)->field.hash_next); \
177 #define HASHLIST_UNCHAIN(var, field) \
179 *var->field.hash_pp = var->field.hash_next; \
180 if (var->field.hash_next) \
181 var->field.hash_next->field.hash_pp = \
182 var->field.hash_pp; \
183 HASH_NULL(var, field); \
187 #define HASH_NULL(var, field) \
189 var->field.hash_next = NULL; \
190 var->field.hash_pp = NULL; \
193 #define HASH_LINK(fieldname, type) \
200 #define HASH_HEAD(tag) \
202 struct tag *hash_head; \
203 kmutex_t hash_lock; \
207 typedef struct ipsec_policy_s ipsec_policy_t
;
209 typedef HASH_HEAD(ipsec_policy_s
) ipsec_policy_hash_t
;
212 * When adding new fields to ipsec_prot_t, make sure to update
213 * ipsec_in_to_out_action() as well as other code in spd.c
216 typedef struct ipsec_prot
225 uint8_t ipp_auth_alg
; /* DOI number */
226 uint8_t ipp_encr_alg
; /* DOI number */
227 uint8_t ipp_esp_auth_alg
; /* DOI number */
228 uint16_t ipp_ah_minbits
; /* AH: min keylen */
229 uint16_t ipp_ah_maxbits
; /* AH: max keylen */
230 uint16_t ipp_espe_minbits
; /* ESP encr: min keylen */
231 uint16_t ipp_espe_maxbits
; /* ESP encr: max keylen */
232 uint16_t ipp_espa_minbits
; /* ESP auth: min keylen */
233 uint16_t ipp_espa_maxbits
; /* ESP auth: max keylen */
234 uint32_t ipp_km_proto
; /* key mgmt protocol */
235 uint32_t ipp_km_cookie
; /* key mgmt cookie */
236 uint32_t ipp_replay_depth
; /* replay window */
237 /* XXX add lifetimes */
240 #define IPSEC_MAX_KEYBITS (0xffff)
243 * An individual policy action, possibly a member of a chain.
245 * Action chains may be shared between multiple policy rules.
247 * With one exception (IPSEC_POLICY_LOG), a chain consists of an
248 * ordered list of alternative ways to handle a packet.
250 * All actions are also "interned" into a hash table (to allow
251 * multiple rules with the same action chain to share one copy in
255 typedef struct ipsec_act
261 ipsec_prot_t ipau_apply
;
262 uint8_t ipau_reject_type
;
263 uint32_t ipau_resolve_id
; /* magic cookie */
264 uint8_t ipau_log_type
;
266 #define ipa_apply ipa_u.ipau_apply
267 #define ipa_reject_type ipa_u.ipau_reject_type
268 #define ipa_log_type ipa_u.ipau_log_type
269 #define ipa_resolve_type ipa_u.ipau_resolve_type
272 #define IPSEC_ACT_APPLY 0x01 /* match IPSEC_POLICY_APPLY */
273 #define IPSEC_ACT_DISCARD 0x02 /* match IPSEC_POLICY_DISCARD */
274 #define IPSEC_ACT_BYPASS 0x03 /* match IPSEC_POLICY_BYPASS */
275 #define IPSEC_ACT_REJECT 0x04
276 #define IPSEC_ACT_CLEAR 0x05
278 typedef struct ipsec_action_s
280 HASH_LINK(ipa_hash
, struct ipsec_action_s
);
281 struct ipsec_action_s
*ipa_next
; /* next alternative */
282 uint32_t ipa_refs
; /* refcount */
285 * The following bits are equivalent to an OR of bits included in the
286 * ipau_apply fields of this and subsequent actions in an
287 * action chain; this is an optimization for the sake of
288 * ipsec_out_process() in ip.c and a few other places.
292 ipa_allow_clear
:1, /* rule allows cleartext? */
293 ipa_want_ah
:1, /* an action wants ah */
294 ipa_want_esp
:1, /* an action wants esp */
295 ipa_want_se
:1, /* an action wants se */
296 ipa_want_unique
:1, /* want unique sa's */
298 uint32_t ipa_ovhd
; /* per-packet encap ovhd */
301 #define IPACT_REFHOLD(ipa) { \
302 atomic_inc_32(&(ipa)->ipa_refs); \
303 ASSERT((ipa)->ipa_refs != 0); \
305 #define IPACT_REFRELE(ipa) { \
306 ASSERT((ipa)->ipa_refs != 0); \
308 if (atomic_dec_32_nv(&(ipa)->ipa_refs) == 0) \
309 ipsec_action_free(ipa); \
314 * For now, use a trivially sized hash table for actions.
315 * In the future we can add the structure canonicalization necessary
316 * to get the hash function to behave correctly..
318 #define IPSEC_ACTION_HASH_SIZE 1
321 * Merged address structure, for cheezy address-family independent
322 * matches in policy code.
325 typedef union ipsec_addr
332 * ipsec selector set, as used by the kernel policy structures.
333 * Note that that we specify "local" and "remote"
334 * rather than "source" and "destination", which allows the selectors
335 * for symmetric policy rules to be shared between inbound and
338 * "local" means "destination" on inbound, and "source" on outbound.
339 * "remote" means "source" on inbound, and "destination" on outbound.
340 * XXX if we add a fifth policy enforcement point for forwarded packets,
343 * The ipsl_valid mask is not done as a bitfield; this is so we
344 * can use "ffs()" to find the "most interesting" valid tag.
346 * XXX should we have multiple types for space-conservation reasons?
347 * (v4 vs v6? prefix vs. range)?
350 typedef struct ipsec_selkey
352 uint32_t ipsl_valid
; /* bitmask of valid entries */
353 #define IPSL_REMOTE_ADDR 0x00000001
354 #define IPSL_LOCAL_ADDR 0x00000002
355 #define IPSL_REMOTE_PORT 0x00000004
356 #define IPSL_LOCAL_PORT 0x00000008
357 #define IPSL_PROTOCOL 0x00000010
358 #define IPSL_ICMP_TYPE 0x00000020
359 #define IPSL_ICMP_CODE 0x00000040
360 #define IPSL_IPV6 0x00000080
361 #define IPSL_IPV4 0x00000100
363 #define IPSL_WILDCARD 0x0000007f
365 ipsec_addr_t ipsl_local
;
366 ipsec_addr_t ipsl_remote
;
370 * ICMP type and code selectors. Both have an end value to
371 * specify ranges, or * and *_end are equal for a single
374 uint8_t ipsl_icmp_type
;
375 uint8_t ipsl_icmp_type_end
;
376 uint8_t ipsl_icmp_code
;
377 uint8_t ipsl_icmp_code_end
;
379 uint8_t ipsl_proto
; /* ip payload type */
380 uint8_t ipsl_local_pfxlen
; /* #bits of prefix */
381 uint8_t ipsl_remote_pfxlen
; /* #bits of prefix */
384 /* Insert new elements above this line */
385 uint32_t ipsl_pol_hval
;
386 uint32_t ipsl_sel_hval
;
389 typedef struct ipsec_sel
391 HASH_LINK(ipsl_hash
, struct ipsec_sel
);
392 uint32_t ipsl_refs
; /* # refs to this sel */
393 ipsec_selkey_t ipsl_key
; /* actual selector guts */
397 * One policy rule. This will be linked into a single hash chain bucket in
398 * the parent rule structure. If the selector is simple enough to
399 * allow hashing, it gets filed under ipsec_policy_root_t->ipr_hash.
400 * Otherwise it goes onto a linked list in ipsec_policy_root_t->ipr_nonhash[af]
402 * In addition, we file the rule into an avl tree keyed by the rule index.
403 * (Duplicate rules are permitted; the comparison function breaks ties).
405 struct ipsec_policy_s
407 HASH_LINK(ipsp_hash
, struct ipsec_policy_s
);
408 avl_node_t ipsp_byid
;
409 uint64_t ipsp_index
; /* unique id */
410 uint32_t ipsp_prio
; /* rule priority */
412 ipsec_sel_t
*ipsp_sel
; /* selector set (shared) */
413 ipsec_action_t
*ipsp_act
; /* action (may be shared) */
414 netstack_t
*ipsp_netstack
; /* No netstack_hold */
417 #define IPPOL_REFHOLD(ipp) { \
418 atomic_inc_32(&(ipp)->ipsp_refs); \
419 ASSERT((ipp)->ipsp_refs != 0); \
421 #define IPPOL_REFRELE(ipp) { \
422 ASSERT((ipp)->ipsp_refs != 0); \
424 if (atomic_dec_32_nv(&(ipp)->ipsp_refs) == 0) \
425 ipsec_policy_free(ipp); \
429 #define IPPOL_UNCHAIN(php, ip) \
430 HASHLIST_UNCHAIN((ip), ipsp_hash); \
431 avl_remove(&(php)->iph_rulebyid, (ip)); \
435 * Policy ruleset. One per (protocol * direction) for system policy.
438 #define IPSEC_AF_V4 0
439 #define IPSEC_AF_V6 1
442 typedef struct ipsec_policy_root_s
444 ipsec_policy_t
*ipr_nonhash
[IPSEC_NAF
];
446 ipsec_policy_hash_t
*ipr_hash
;
447 } ipsec_policy_root_t
;
450 * Policy head. One for system policy; there may also be one present
451 * on ill_t's with interface-specific policy, as well as one present
452 * for sockets with per-socket policy allocated.
455 typedef struct ipsec_policy_head_s
459 uint64_t iph_gen
; /* generation number */
460 ipsec_policy_root_t iph_root
[IPSEC_NTYPES
];
461 avl_tree_t iph_rulebyid
;
462 } ipsec_policy_head_t
;
464 #define IPPH_REFHOLD(iph) { \
465 atomic_inc_32(&(iph)->iph_refs); \
466 ASSERT((iph)->iph_refs != 0); \
468 #define IPPH_REFRELE(iph, ns) { \
469 ASSERT((iph)->iph_refs != 0); \
471 if (atomic_dec_32_nv(&(iph)->iph_refs) == 0) \
472 ipsec_polhead_free(iph, ns); \
477 * IPsec fragment related structures
480 typedef struct ipsec_fragcache_entry
{
481 struct ipsec_fragcache_entry
*itpfe_next
; /* hash list chain */
482 mblk_t
*itpfe_fraglist
; /* list of fragments */
483 time_t itpfe_exp
; /* time when entry is stale */
484 int itpfe_depth
; /* # of fragments in list */
485 ipsec_addr_t itpfe_frag_src
;
486 ipsec_addr_t itpfe_frag_dst
;
487 #define itpfe_src itpfe_frag_src.ipsad_v4
488 #define itpfe_src6 itpfe_frag_src.ipsad_v6
489 #define itpfe_dst itpfe_frag_dst.ipsad_v4
490 #define itpfe_dst6 itpfe_frag_dst.ipsad_v6
491 uint32_t itpfe_id
; /* IP datagram ID */
492 uint8_t itpfe_proto
; /* IP Protocol */
493 uint8_t itpfe_last
; /* Last packet */
494 } ipsec_fragcache_entry_t
;
496 typedef struct ipsec_fragcache
{
498 struct ipsec_fragcache_entry
**itpf_ptr
;
499 struct ipsec_fragcache_entry
*itpf_freelist
;
500 time_t itpf_expire_hint
; /* time when oldest entry is stale */
504 * Tunnel policies. We keep a minature of the transport-mode/global policy
505 * per each tunnel instance.
507 * People who need both an itp held down AND one of its polheads need to
508 * first lock the itp, THEN the polhead, otherwise deadlock WILL occur.
510 typedef struct ipsec_tun_pol_s
{
513 uint64_t itp_next_policy_index
;
514 ipsec_policy_head_t
*itp_policy
;
515 ipsec_policy_head_t
*itp_inactive
;
518 char itp_name
[LIFNAMSIZ
];
519 ipsec_fragcache_t itp_fragcache
;
521 /* NOTE - Callers (tun code) synchronize their own instances for these flags. */
522 #define ITPF_P_ACTIVE 0x1 /* Are we using IPsec right now? */
523 #define ITPF_P_TUNNEL 0x2 /* Negotiate tunnel-mode */
524 /* Optimization -> Do we have per-port security entries in this polhead? */
525 #define ITPF_P_PER_PORT_SECURITY 0x4
526 #define ITPF_PFLAGS 0x7
529 #define ITPF_I_ACTIVE 0x8 /* Is the inactive using IPsec right now? */
530 #define ITPF_I_TUNNEL 0x10 /* Negotiate tunnel-mode (on inactive) */
531 /* Optimization -> Do we have per-port security entries in this polhead? */
532 #define ITPF_I_PER_PORT_SECURITY 0x20
533 #define ITPF_IFLAGS 0x38
535 /* NOTE: f cannot be an expression. */
536 #define ITPF_CLONE(f) (f) = (((f) & ITPF_PFLAGS) | \
537 (((f) & ITPF_PFLAGS) << ITPF_SHIFT));
538 #define ITPF_SWAP(f) (f) = ((((f) & ITPF_PFLAGS) << ITPF_SHIFT) | \
539 (((f) & ITPF_IFLAGS) >> ITPF_SHIFT))
541 #define ITP_P_ISACTIVE(itp, iph) ((itp)->itp_flags & \
542 (((itp)->itp_policy == (iph)) ? ITPF_P_ACTIVE : ITPF_I_ACTIVE))
544 #define ITP_P_ISTUNNEL(itp, iph) ((itp)->itp_flags & \
545 (((itp)->itp_policy == (iph)) ? ITPF_P_TUNNEL : ITPF_I_TUNNEL))
547 #define ITP_P_ISPERPORT(itp, iph) ((itp)->itp_flags & \
548 (((itp)->itp_policy == (iph)) ? ITPF_P_PER_PORT_SECURITY : \
549 ITPF_I_PER_PORT_SECURITY))
551 #define ITP_REFHOLD(itp) { \
552 atomic_inc_32(&((itp)->itp_refcnt)); \
553 ASSERT((itp)->itp_refcnt != 0); \
556 #define ITP_REFRELE(itp, ns) { \
557 ASSERT((itp)->itp_refcnt != 0); \
559 if (atomic_dec_32_nv(&((itp)->itp_refcnt)) == 0) \
564 * Certificate identity.
567 typedef struct ipsid_s
569 struct ipsid_s
*ipsid_next
;
570 struct ipsid_s
**ipsid_ptpn
;
571 uint32_t ipsid_refcnt
;
572 int ipsid_type
; /* id type */
573 char *ipsid_cid
; /* certificate id string */
577 * ipsid_t reference hold/release macros, just like ipsa versions.
580 #define IPSID_REFHOLD(ipsid) { \
581 atomic_inc_32(&(ipsid)->ipsid_refcnt); \
582 ASSERT((ipsid)->ipsid_refcnt != 0); \
586 * Decrement the reference count on the ID. Someone else will clean up
590 #define IPSID_REFRELE(ipsid) { \
592 atomic_dec_32(&(ipsid)->ipsid_refcnt); \
596 * Following are the estimates of what the maximum AH and ESP header size
597 * would be. This is used to tell the upper layer the right value of MSS
598 * it should use without consulting AH/ESP. If the size is something
599 * different from this, ULP will learn the right one through
600 * ICMP_FRAGMENTATION_NEEDED messages generated locally.
602 * AH : 12 bytes of constant header + 32 bytes of ICV checksum (SHA-512).
604 #define IPSEC_MAX_AH_HDR_SIZE (44)
607 * ESP : Is a bit more complex...
609 * A system of one inequality and one equation MUST be solved for proper ESP
610 * overhead. The inequality is:
612 * MTU - sizeof (IP header + options) >=
613 * sizeof (esph_t) + sizeof (IV or ctr) + data-size + 2 + ICV
615 * IV or counter is almost always the cipher's block size. The equation is:
617 * data-size % block-size = (block-size - 2)
619 * so we can put as much data into the datagram as possible. If we are
620 * pessimistic and include our largest overhead cipher (AES) and hash
621 * (SHA-512), and assume 1500-byte MTU minus IPv4 overhead of 20 bytes, we get:
623 * 1480 >= 8 + 16 + data-size + 2 + 32
624 * 1480 >= 58 + data-size
625 * 1422 >= data-size, 1422 % 16 = 14, so 58 is the overhead!
627 * But, let's re-run the numbers with the same algorithms, but with an IPv6
630 * 1460 >= 58 + data-size
631 * 1402 >= data-size, 1402 % 16 = 10, meaning shrink to 1390 to get 14,
633 * which means the overhead is now 70.
635 * Hmmm... IPv4 headers can never be anything other than multiples of 4-bytes,
636 * and IPv6 ones can never be anything other than multiples of 8-bytes. We've
637 * seen overheads of 58 and 70. 58 % 16 == 10, and 70 % 16 == 6. IPv4 could
638 * force us to have 62 ( % 16 == 14) or 66 ( % 16 == 2), or IPv6 could force us
639 * to have 78 ( % 16 = 14). Let's compute IPv6 + 8-bytes of options:
641 * 1452 >= 58 + data-size
642 * 1394 >= data-size, 1394 % 16 = 2, meaning shrink to 1390 to get 14,
644 * Aha! The "ESP overhead" shrinks to 62 (70 - 8). This is good. Let's try
645 * IPv4 + 8 bytes of IPv4 options:
647 * 1472 >= 58 + data-size
648 * 1414 >= data-size, 1414 % 16 = 6, meaning shrink to 1406,
650 * meaning 66 is the overhead. Let's try 12 bytes:
652 * 1468 >= 58 + data-size
653 * 1410 >= data-size, 1410 % 16 = 2, meaning also shrink to 1406,
655 * meaning 62 is the overhead. How about 16 bytes?
657 * 1464 >= 58 + data-size
658 * 1406 >= data-size, 1402 % 16 = 14, which is great!
660 * this means 58 is the overhead. If I wrap and add 20 bytes, it looks just
661 * like IPv6's 70 bytes. If I add 24, we go back to 66 bytes.
663 * So picking 70 is a sensible, conservative default. Optimal calculations
664 * will depend on knowing pre-ESP header length (called "divpoint" in the ESP
665 * code), which could be cached in the conn_t for connected endpoints, or
666 * which must be computed on every datagram otherwise.
668 #define IPSEC_MAX_ESP_HDR_SIZE (70)
671 * Alternate, when we know the crypto block size via the SA. Assume an ICV on
674 * sizeof (esph_t) + 2 * (sizeof (IV/counter)) - 2 + sizeof (ICV). The "-2"
675 * discounts the overhead of the pad + padlen that gets swallowed up by the
676 * second (theoretically all-pad) cipher-block. If you use our examples of
677 * AES and SHA512, you get:
679 * 8 + 32 - 2 + 32 == 70.
681 * Which is our pre-computed maximum above.
683 #include <inet/ipsecesp.h>
684 #define IPSEC_BASE_ESP_HDR_SIZE(sa) \
685 (sizeof (esph_t) + ((sa)->ipsa_iv_len << 1) - 2 + (sa)->ipsa_mac_len)
688 * Identity hash table.
690 * Identities are refcounted and "interned" into the hash table.
691 * Only references coming from other objects (SA's, latching state)
692 * are counted in ipsid_refcnt.
694 * Locking: IPSID_REFHOLD is safe only when (a) the object's hash bucket
695 * is locked, (b) we know that the refcount must be > 0.
697 * The ipsid_next and ipsid_ptpn fields are only to be referenced or
698 * modified when the bucket lock is held; in particular, we only
699 * delete objects while holding the bucket lock, and we only increase
700 * the refcount from 0 to 1 while the bucket lock is held.
703 #define IPSID_HASHSIZE 64
705 typedef struct ipsif_s
712 * For call to the kernel crypto framework. State needed during
713 * the execution of a crypto request.
715 typedef struct ipsec_crypto_s
{
716 size_t ic_skip_len
; /* len to skip for AH auth */
717 crypto_data_t ic_crypto_data
; /* single op crypto data */
718 crypto_dual_data_t ic_crypto_dual_data
; /* for dual ops */
719 crypto_data_t ic_crypto_mac
; /* to store the MAC */
720 ipsa_cm_mech_t ic_cmm
;
724 * IPsec stack instances
727 netstack_t
*ipsec_netstack
; /* Common netstack */
729 /* Packet dropper for IP IPsec processing failures */
730 ipdropper_t ipsec_dropper
;
734 * Policy rule index generator. We assume this won't wrap in the
735 * lifetime of a system. If we make 2^20 policy changes per second,
736 * this will last 2^44 seconds, or roughly 500,000 years, so we don't
737 * have to worry about reusing policy index values.
739 uint64_t ipsec_next_policy_index
;
741 HASH_HEAD(ipsec_action_s
) ipsec_action_hash
[IPSEC_ACTION_HASH_SIZE
];
742 HASH_HEAD(ipsec_sel
) *ipsec_sel_hash
;
743 uint32_t ipsec_spd_hashsize
;
745 ipsif_t ipsec_ipsid_buckets
[IPSID_HASHSIZE
];
748 * Active & Inactive system policy roots
750 ipsec_policy_head_t ipsec_system_policy
;
751 ipsec_policy_head_t ipsec_inactive_policy
;
753 /* Packet dropper for generic SPD drops. */
754 ipdropper_t ipsec_spd_dropper
;
757 kstat_t
*ipsec_ip_drop_kstat
;
758 struct ip_dropstats
*ipsec_ip_drop_types
;
762 * Have a counter for every possible policy message in
763 * ipsec_policy_failure_msgs
765 uint32_t ipsec_policy_failure_count
[IPSEC_POLICY_MAX
];
766 /* Time since last ipsec policy failure that printed a message. */
767 hrtime_t ipsec_policy_failure_last
;
772 struct ipsec_kstats_s
*ipsec_kstats
;
775 /* Packet dropper for generic SADB drops. */
776 ipdropper_t ipsec_sadb_dropper
;
779 boolean_t ipsec_inbound_v4_policy_present
;
780 boolean_t ipsec_outbound_v4_policy_present
;
781 boolean_t ipsec_inbound_v6_policy_present
;
782 boolean_t ipsec_outbound_v6_policy_present
;
786 * Because policy needs to know what algorithms are supported, keep the
787 * lists of algorithms here.
789 krwlock_t ipsec_alg_lock
;
791 uint8_t ipsec_nalgs
[IPSEC_NALGTYPES
];
792 ipsec_alginfo_t
*ipsec_alglists
[IPSEC_NALGTYPES
][IPSEC_MAX_ALGS
];
794 uint8_t ipsec_sortlist
[IPSEC_NALGTYPES
][IPSEC_MAX_ALGS
];
796 int ipsec_algs_exec_mode
[IPSEC_NALGTYPES
];
798 uint32_t ipsec_tun_spd_hashsize
;
800 * Tunnel policies - AVL tree indexed by tunnel name.
802 krwlock_t ipsec_tunnel_policy_lock
;
803 uint64_t ipsec_tunnel_policy_gen
;
804 avl_tree_t ipsec_tunnel_policies
;
807 kmutex_t ipsec_loader_lock
;
808 int ipsec_loader_state
;
809 int ipsec_loader_sig
;
810 kt_did_t ipsec_loader_tid
;
811 kcondvar_t ipsec_loader_sig_cv
; /* For loader_sig conditions. */
814 typedef struct ipsec_stack ipsec_stack_t
;
816 /* Handle the kstat_create in ip_drop_init() failing */
817 #define DROPPER(_ipss, _dropper) \
818 (((_ipss)->ipsec_ip_drop_types == NULL) ? NULL : \
819 &((_ipss)->ipsec_ip_drop_types->_dropper))
824 #define IPSEC_LOADER_WAIT 0
825 #define IPSEC_LOADER_FAILED -1
826 #define IPSEC_LOADER_SUCCEEDED 1
829 * ipsec_loader entrypoints.
831 extern void ipsec_loader_init(ipsec_stack_t
*);
832 extern void ipsec_loader_start(ipsec_stack_t
*);
833 extern void ipsec_loader_destroy(ipsec_stack_t
*);
834 extern void ipsec_loader_loadnow(ipsec_stack_t
*);
835 extern boolean_t
ipsec_loader_wait(queue_t
*q
, ipsec_stack_t
*);
836 extern boolean_t
ipsec_loaded(ipsec_stack_t
*);
837 extern boolean_t
ipsec_failed(ipsec_stack_t
*);
840 * ipsec policy entrypoints (spd.c)
843 extern void ipsec_policy_g_destroy(void);
844 extern void ipsec_policy_g_init(void);
846 extern mblk_t
*ipsec_add_crypto_data(mblk_t
*, ipsec_crypto_t
**);
847 extern mblk_t
*ipsec_remove_crypto_data(mblk_t
*, ipsec_crypto_t
**);
848 extern mblk_t
*ipsec_free_crypto_data(mblk_t
*);
849 extern int ipsec_alloc_table(ipsec_policy_head_t
*, int, int, boolean_t
,
851 extern void ipsec_polhead_init(ipsec_policy_head_t
*, int);
852 extern void ipsec_polhead_destroy(ipsec_policy_head_t
*);
853 extern void ipsec_polhead_free_table(ipsec_policy_head_t
*);
854 extern mblk_t
*ipsec_check_global_policy(mblk_t
*, conn_t
*, ipha_t
*,
855 ip6_t
*, ip_recv_attr_t
*, netstack_t
*ns
);
856 extern mblk_t
*ipsec_check_inbound_policy(mblk_t
*, conn_t
*, ipha_t
*, ip6_t
*,
859 extern boolean_t
ipsec_in_to_out(ip_recv_attr_t
*, ip_xmit_attr_t
*,
860 mblk_t
*, ipha_t
*, ip6_t
*);
861 extern void ipsec_in_release_refs(ip_recv_attr_t
*);
862 extern void ipsec_out_release_refs(ip_xmit_attr_t
*);
863 extern void ipsec_log_policy_failure(int, char *, ipha_t
*, ip6_t
*, boolean_t
,
865 extern boolean_t
ipsec_inbound_accept_clear(mblk_t
*, ipha_t
*, ip6_t
*);
866 extern int ipsec_conn_cache_policy(conn_t
*, boolean_t
);
867 extern void ipsec_cache_outbound_policy(const conn_t
*, const in6_addr_t
*,
868 const in6_addr_t
*, in_port_t
, ip_xmit_attr_t
*);
869 extern boolean_t
ipsec_outbound_policy_current(ip_xmit_attr_t
*);
870 extern ipsec_action_t
*ipsec_in_to_out_action(ip_recv_attr_t
*);
871 extern void ipsec_latch_inbound(conn_t
*connp
, ip_recv_attr_t
*ira
);
873 extern void ipsec_policy_free(ipsec_policy_t
*);
874 extern void ipsec_action_free(ipsec_action_t
*);
875 extern void ipsec_polhead_free(ipsec_policy_head_t
*, netstack_t
*);
876 extern ipsec_policy_head_t
*ipsec_polhead_split(ipsec_policy_head_t
*,
878 extern ipsec_policy_head_t
*ipsec_polhead_create(void);
879 extern ipsec_policy_head_t
*ipsec_system_policy(netstack_t
*);
880 extern ipsec_policy_head_t
*ipsec_inactive_policy(netstack_t
*);
881 extern void ipsec_swap_policy(ipsec_policy_head_t
*, ipsec_policy_head_t
*,
883 extern void ipsec_swap_global_policy(netstack_t
*);
885 extern int ipsec_clone_system_policy(netstack_t
*);
886 extern ipsec_policy_t
*ipsec_policy_create(ipsec_selkey_t
*,
887 const ipsec_act_t
*, int, int, uint64_t *, netstack_t
*);
888 extern boolean_t
ipsec_policy_delete(ipsec_policy_head_t
*,
889 ipsec_selkey_t
*, int, netstack_t
*);
890 extern int ipsec_policy_delete_index(ipsec_policy_head_t
*, uint64_t,
892 extern boolean_t
ipsec_polhead_insert(ipsec_policy_head_t
*, ipsec_act_t
*,
893 uint_t
, int, int, netstack_t
*);
894 extern void ipsec_polhead_flush(ipsec_policy_head_t
*, netstack_t
*);
895 extern int ipsec_copy_polhead(ipsec_policy_head_t
*, ipsec_policy_head_t
*,
897 extern void ipsec_actvec_from_req(const ipsec_req_t
*, ipsec_act_t
**, uint_t
*,
899 extern void ipsec_actvec_free(ipsec_act_t
*, uint_t
);
900 extern int ipsec_req_from_head(ipsec_policy_head_t
*, ipsec_req_t
*, int);
901 extern mblk_t
*ipsec_construct_inverse_acquire(sadb_msg_t
*, sadb_ext_t
**,
903 extern ipsec_policy_t
*ipsec_find_policy(int, const conn_t
*,
904 ipsec_selector_t
*, netstack_t
*);
905 extern ipsid_t
*ipsid_lookup(int, char *, netstack_t
*);
906 extern boolean_t
ipsid_equal(ipsid_t
*, ipsid_t
*);
907 extern void ipsid_gc(netstack_t
*);
908 extern void ipsec_latch_ids(ipsec_latch_t
*, ipsid_t
*, ipsid_t
*);
910 extern void ipsec_config_flush(netstack_t
*);
911 extern boolean_t
ipsec_check_policy(ipsec_policy_head_t
*, ipsec_policy_t
*,
913 extern void ipsec_enter_policy(ipsec_policy_head_t
*, ipsec_policy_t
*, int,
915 extern boolean_t
ipsec_check_action(ipsec_act_t
*, int *, netstack_t
*);
917 extern void iplatch_free(ipsec_latch_t
*);
918 extern ipsec_latch_t
*iplatch_create(void);
919 extern int ipsec_set_req(cred_t
*, conn_t
*, ipsec_req_t
*);
921 extern void ipsec_insert_always(avl_tree_t
*tree
, void *new_node
);
923 extern int32_t ipsec_act_ovhd(const ipsec_act_t
*act
);
924 extern boolean_t
update_iv(uint8_t *, queue_t
*, ipsa_t
*, ipsecesp_stack_t
*);
927 * Tunnel-support SPD functions and variables.
929 struct iptun_s
; /* Defined in inet/iptun/iptun_impl.h. */
930 extern mblk_t
*ipsec_tun_inbound(ip_recv_attr_t
*, mblk_t
*, ipsec_tun_pol_t
*,
931 ipha_t
*, ip6_t
*, ipha_t
*, ip6_t
*, int, netstack_t
*);
932 extern mblk_t
*ipsec_tun_outbound(mblk_t
*, struct iptun_s
*, ipha_t
*,
933 ip6_t
*, ipha_t
*, ip6_t
*, int, ip_xmit_attr_t
*);
934 extern void itp_free(ipsec_tun_pol_t
*, netstack_t
*);
935 extern ipsec_tun_pol_t
*create_tunnel_policy(char *, int *, uint64_t *,
937 extern ipsec_tun_pol_t
*get_tunnel_policy(char *, netstack_t
*);
938 extern void itp_unlink(ipsec_tun_pol_t
*, netstack_t
*);
939 extern void itp_walk(void (*)(ipsec_tun_pol_t
*, void *, netstack_t
*),
940 void *, netstack_t
*);
942 extern ipsec_tun_pol_t
*itp_get_byaddr(uint32_t *, uint32_t *, int,
946 * IPsec AH/ESP functions called from IP or the common SADB code in AH.
949 extern void ipsecah_in_assocfailure(mblk_t
*, char, ushort_t
, char *,
950 uint32_t, void *, int, ip_recv_attr_t
*ira
);
951 extern void ipsecesp_in_assocfailure(mblk_t
*, char, ushort_t
, char *,
952 uint32_t, void *, int, ip_recv_attr_t
*ira
);
953 extern void ipsecesp_send_keepalive(ipsa_t
*);
956 * Algorithm management helper functions.
958 extern boolean_t
ipsec_valid_key_size(uint16_t, ipsec_alginfo_t
*);
961 * Per-socket policy, for now, takes precedence... this priority value
964 #define IPSEC_PRIO_SOCKET 0x1000000
966 /* DDI initialization functions. */
967 extern boolean_t
ipsecesp_ddi_init(void);
968 extern boolean_t
ipsecah_ddi_init(void);
969 extern boolean_t
keysock_ddi_init(void);
970 extern boolean_t
spdsock_ddi_init(void);
972 extern void ipsecesp_ddi_destroy(void);
973 extern void ipsecah_ddi_destroy(void);
974 extern void keysock_ddi_destroy(void);
975 extern void spdsock_ddi_destroy(void);
978 * AH- and ESP-specific functions that are called directly by other modules.
980 extern void ipsecah_fill_defs(struct sadb_x_ecomb
*, netstack_t
*);
981 extern void ipsecesp_fill_defs(struct sadb_x_ecomb
*, netstack_t
*);
982 extern void ipsecah_algs_changed(netstack_t
*);
983 extern void ipsecesp_algs_changed(netstack_t
*);
984 extern void ipsecesp_init_funcs(ipsa_t
*);
985 extern void ipsecah_init_funcs(ipsa_t
*);
986 extern mblk_t
*ipsecah_icmp_error(mblk_t
*, ip_recv_attr_t
*);
987 extern mblk_t
*ipsecesp_icmp_error(mblk_t
*, ip_recv_attr_t
*);
990 * spdsock functions that are called directly by IP.
992 extern void spdsock_update_pending_algs(netstack_t
*);
995 * IP functions that are called from AH and ESP.
997 extern boolean_t
ipsec_outbound_sa(mblk_t
*, ip_xmit_attr_t
*, uint_t
);
998 extern mblk_t
*ipsec_inbound_esp_sa(mblk_t
*, ip_recv_attr_t
*, esph_t
**);
999 extern mblk_t
*ipsec_inbound_ah_sa(mblk_t
*, ip_recv_attr_t
*, ah_t
**);
1000 extern ipsec_policy_t
*ipsec_find_policy_head(ipsec_policy_t
*,
1001 ipsec_policy_head_t
*, int, ipsec_selector_t
*);
1004 * IP dropper init/destroy.
1006 void ip_drop_init(ipsec_stack_t
*);
1007 void ip_drop_destroy(ipsec_stack_t
*);
1012 extern boolean_t
ip_addr_match(uint8_t *, int, in6_addr_t
*);
1015 * AH and ESP counters types.
1017 typedef uint32_t ah_counter
;
1018 typedef uint32_t esp_counter
;
1020 #endif /* _KERNEL */
1026 #endif /* _INET_IPSEC_IMPL_H */