Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.h
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* $FreeBSD: releng/5.2/sys/netinet6/ipsec.h 122246 2003-11-07 20:38:45Z ume $ */ 2 /* $KAME: ipsec.h,v 1.69 2003/09/10 23:49:11 itojun Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * IPsec controller part. 35 */ 36 37 #ifndef _NETINET6_IPSEC_H_ 38 #define _NETINET6_IPSEC_H_ 39 40 #if defined(_KERNEL) && !defined(_LKM) && !defined(KLD_MODULE) 41 #include "opt_inet.h" 42 #include "opt_ipsec.h" 43 #endif 44 45 #include <net/pfkeyv2.h> 46 #include <netkey/keydb.h> 47 48 #ifdef _KERNEL 49 50 /* 51 * Security Policy Index 52 * Ensure that both address families in the "src" and "dst" are same. 53 * When the value of the ul_proto is ICMPv6, the port field in "src" 54 * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code. 55 */ 56 struct secpolicyindex { 57 struct sockaddr_storage src; /* IP src address for SP */ 58 struct sockaddr_storage dst; /* IP dst address for SP */ 59 u_int8_t prefs; /* prefix length in bits for src */ 60 u_int8_t prefd; /* prefix length in bits for dst */ 61 u_int16_t ul_proto; /* upper layer Protocol */ 62 #ifdef notyet 63 uid_t uids; 64 uid_t uidd; 65 gid_t gids; 66 gid_t gidd; 67 #endif 68 }; 69 70 /* Security Policy Data Base */ 71 struct secpolicy { 72 TAILQ_ENTRY(secpolicy) tailq; /* all SPD entries, both pcb/table */ 73 LIST_ENTRY(secpolicy) chain; /* SPD entries on table */ 74 75 u_int8_t dir; /* direction of packet flow */ 76 int readonly; /* write prohibited */ 77 int persist; /* will never be removed */ 78 int refcnt; /* reference count */ 79 struct secpolicyindex *spidx; /* selector - NULL if not valid */ 80 u_int32_t id; /* it identifies a policy in the SPD. */ 81 #define IPSEC_MANUAL_POLICYID_MAX 0x3fff 82 /* 83 * 1 - 0x3fff are reserved for user operation. 84 * 0 are reserved. Others are for kernel use. 85 */ 86 struct socket *so; /* backpointer to per-socket policy */ 87 u_int state; /* 0: dead, others: alive */ 88 #define IPSEC_SPSTATE_DEAD 0 89 #define IPSEC_SPSTATE_ALIVE 1 90 91 int policy; /* DISCARD, NONE or IPSEC, see below */ 92 struct ipsecrequest *req; 93 /* pointer to the ipsec request tree, */ 94 /* if policy == IPSEC else this value == NULL.*/ 95 96 /* 97 * lifetime handler. 98 * the policy can be used without limitiation if both lifetime and 99 * validtime are zero. 100 * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime. 101 * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime. 102 */ 103 long created; /* time created the policy */ 104 long lastused; /* updated every when kernel sends a packet */ 105 long lifetime; /* duration of the lifetime of this policy */ 106 long validtime; /* duration this policy is valid without use */ 107 }; 108 109 /* Request for IPsec */ 110 struct ifnet; 111 struct ipsecrequest { 112 struct ipsecrequest *next; 113 /* pointer to next structure */ 114 /* If NULL, it means the end of chain. */ 115 struct secasindex saidx;/* hint for search proper SA */ 116 /* if __ss_len == 0 then no address specified.*/ 117 u_int level; /* IPsec level defined below. */ 118 119 struct secasvar *sav; /* place holder of SA for use */ 120 struct secpolicy *sp; /* back pointer to SP */ 121 122 struct ifnet *tunifp; /* interface for tunnelling */ 123 }; 124 125 /* security policy in PCB */ 126 struct inpcbpolicy { 127 struct secpolicy *sp_in; 128 struct secpolicy *sp_out; 129 int priv; /* privileged socket ? */ 130 131 /* cached policy */ 132 /* XXX 3 == IPSEC_DIR_MAX */ 133 struct secpolicy *cache[3]; 134 struct secpolicyindex cacheidx[3]; 135 int cachegen[3]; /* cache generation #, the time we filled it */ 136 int cacheflags; 137 #define IPSEC_PCBSP_CONNECTED 1 138 }; 139 140 /* SP acquiring list table. */ 141 struct secspacq { 142 LIST_ENTRY(secspacq) chain; 143 144 struct secpolicyindex spidx; 145 146 long created; /* for lifetime */ 147 int count; /* for lifetime */ 148 /* XXX: here is mbuf place holder to be sent ? */ 149 }; 150 151 struct ipsecaux { 152 struct socket *so; 153 int hdrs; /* # of ipsec headers */ 154 155 struct secpolicy *sp; 156 struct ipsecrequest *req; 157 }; 158 #endif /* _KERNEL */ 159 160 /* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */ 161 #define IPSEC_PORT_ANY 0 162 #define IPSEC_ULPROTO_ANY 255 163 #define IPSEC_PROTO_ANY 255 164 165 /* mode of security protocol */ 166 /* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */ 167 #define IPSEC_MODE_ANY 0 /* i.e. wildcard. */ 168 #define IPSEC_MODE_TRANSPORT 1 169 #define IPSEC_MODE_TUNNEL 2 170 171 /* 172 * Direction of security policy. 173 * NOTE: Since INVALID is used just as flag. 174 * The other are used for loop counter too. 175 */ 176 #define IPSEC_DIR_ANY 0 177 #define IPSEC_DIR_INBOUND 1 178 #define IPSEC_DIR_OUTBOUND 2 179 #define IPSEC_DIR_MAX 3 180 #define IPSEC_DIR_INVALID 4 181 182 /* Policy level */ 183 /* 184 * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB, 185 * DISCARD, IPSEC and NONE are allowed for setkey() in SPD. 186 * DISCARD and NONE are allowed for system default. 187 */ 188 #define IPSEC_POLICY_DISCARD 0 /* discard the packet */ 189 #define IPSEC_POLICY_NONE 1 /* bypass IPsec engine */ 190 #define IPSEC_POLICY_IPSEC 2 /* pass to IPsec */ 191 #define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */ 192 #define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */ 193 194 /* Security protocol level */ 195 #define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */ 196 #define IPSEC_LEVEL_USE 1 /* use SA if present. */ 197 #define IPSEC_LEVEL_REQUIRE 2 /* require SA. */ 198 #define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */ 199 200 #define IPSEC_MANUAL_REQID_MAX 0x3fff 201 /* 202 * if security policy level == unique, this id 203 * indicate to a relative SA for use, else is 204 * zero. 205 * 1 - 0x3fff are reserved for manual keying. 206 * 0 are reserved for above reason. Others is 207 * for kernel use. 208 * Note that this id doesn't identify SA 209 * by only itself. 210 */ 211 #define IPSEC_REPLAYWSIZE 32 212 213 /* statistics for ipsec processing */ 214 struct ipsecstat { 215 u_quad_t in_success; /* succeeded inbound process */ 216 u_quad_t in_polvio; 217 /* security policy violation for inbound process */ 218 u_quad_t in_nosa; /* inbound SA is unavailable */ 219 u_quad_t in_inval; /* inbound processing failed due to EINVAL */ 220 u_quad_t in_nomem; /* inbound processing failed due to ENOBUFS */ 221 u_quad_t in_badspi; /* failed getting a SPI */ 222 u_quad_t in_ahreplay; /* AH replay check failed */ 223 u_quad_t in_espreplay; /* ESP replay check failed */ 224 u_quad_t in_ahauthsucc; /* AH authentication success */ 225 u_quad_t in_ahauthfail; /* AH authentication failure */ 226 u_quad_t in_espauthsucc; /* ESP authentication success */ 227 u_quad_t in_espauthfail; /* ESP authentication failure */ 228 u_quad_t in_esphist[256]; 229 u_quad_t in_ahhist[256]; 230 u_quad_t in_comphist[256]; 231 u_quad_t out_success; /* succeeded outbound process */ 232 u_quad_t out_polvio; 233 /* security policy violation for outbound process */ 234 u_quad_t out_nosa; /* outbound SA is unavailable */ 235 u_quad_t out_inval; /* outbound process failed due to EINVAL */ 236 u_quad_t out_nomem; /* inbound processing failed due to ENOBUFS */ 237 u_quad_t out_noroute; /* there is no route */ 238 u_quad_t out_esphist[256]; 239 u_quad_t out_ahhist[256]; 240 u_quad_t out_comphist[256]; 241 242 u_quad_t spdcachelookup; 243 u_quad_t spdcachemiss; 244 }; 245 246 /* 247 * Definitions for IPsec & Key sysctl operations. 248 */ 249 /* 250 * Names for IPsec & Key sysctl objects 251 */ 252 #define IPSECCTL_STATS 1 /* stats */ 253 #define IPSECCTL_DEF_POLICY 2 254 #define IPSECCTL_DEF_ESP_TRANSLEV 3 /* int; ESP transport mode */ 255 #define IPSECCTL_DEF_ESP_NETLEV 4 /* int; ESP tunnel mode */ 256 #define IPSECCTL_DEF_AH_TRANSLEV 5 /* int; AH transport mode */ 257 #define IPSECCTL_DEF_AH_NETLEV 6 /* int; AH tunnel mode */ 258 #if 0 /* obsolete, do not reuse */ 259 #define IPSECCTL_INBOUND_CALL_IKE 7 260 #endif 261 #define IPSECCTL_AH_CLEARTOS 8 262 #define IPSECCTL_AH_OFFSETMASK 9 263 #define IPSECCTL_DFBIT 10 264 #define IPSECCTL_ECN 11 265 #define IPSECCTL_DEBUG 12 266 #define IPSECCTL_ESP_RANDPAD 13 267 #define IPSECCTL_MAXID 14 268 269 #define IPSECCTL_NAMES { \ 270 { 0, 0 }, \ 271 { 0, 0 }, \ 272 { "def_policy", CTLTYPE_INT }, \ 273 { "esp_trans_deflev", CTLTYPE_INT }, \ 274 { "esp_net_deflev", CTLTYPE_INT }, \ 275 { "ah_trans_deflev", CTLTYPE_INT }, \ 276 { "ah_net_deflev", CTLTYPE_INT }, \ 277 { 0, 0 }, \ 278 { "ah_cleartos", CTLTYPE_INT }, \ 279 { "ah_offsetmask", CTLTYPE_INT }, \ 280 { "dfbit", CTLTYPE_INT }, \ 281 { "ecn", CTLTYPE_INT }, \ 282 { "debug", CTLTYPE_INT }, \ 283 { "esp_randpad", CTLTYPE_INT }, \ 284 } 285 286 #define IPSEC6CTL_NAMES { \ 287 { 0, 0 }, \ 288 { 0, 0 }, \ 289 { "def_policy", CTLTYPE_INT }, \ 290 { "esp_trans_deflev", CTLTYPE_INT }, \ 291 { "esp_net_deflev", CTLTYPE_INT }, \ 292 { "ah_trans_deflev", CTLTYPE_INT }, \ 293 { "ah_net_deflev", CTLTYPE_INT }, \ 294 { 0, 0 }, \ 295 { 0, 0 }, \ 296 { 0, 0 }, \ 297 { 0, 0 }, \ 298 { "ecn", CTLTYPE_INT }, \ 299 { "debug", CTLTYPE_INT }, \ 300 { "esp_randpad", CTLTYPE_INT }, \ 301 } 302 303 #ifdef _KERNEL 304 struct ipsec_output_state { 305 struct mbuf *m; 306 struct route *ro; 307 struct sockaddr *dst; 308 int encap; 309 }; 310 311 struct ipsec_history { 312 int ih_proto; 313 u_int32_t ih_spi; 314 }; 315 316 extern int ipsec_debug; 317 318 #ifdef INET 319 extern struct ipsecstat ipsecstat; 320 extern struct secpolicy *ip4_def_policy; 321 extern int ip4_esp_trans_deflev; 322 extern int ip4_esp_net_deflev; 323 extern int ip4_ah_trans_deflev; 324 extern int ip4_ah_net_deflev; 325 extern int ip4_ah_cleartos; 326 extern int ip4_ah_offsetmask; 327 extern int ip4_ipsec_dfbit; 328 extern int ip4_ipsec_ecn; 329 extern int ip4_esp_randpad; 330 #endif 331 332 #define ipseclog(x) do { if (ipsec_debug) log x; } while (/*CONSTCOND*/ 0) 333 334 extern int ipsec_pcbconn __P((struct inpcbpolicy *)); 335 extern int ipsec_pcbdisconn __P((struct inpcbpolicy *)); 336 extern int ipsec_invalpcbcacheall __P((void)); 337 338 extern struct secpolicy *ipsec4_getpolicybysock 339 __P((struct mbuf *, u_int, struct socket *, int *)); 340 extern struct secpolicy *ipsec4_getpolicybyaddr 341 __P((struct mbuf *, u_int, int, int *)); 342 extern struct secpolicy *ipsec4_getpolicybytag 343 __P((struct mbuf *, u_int, int *)); 344 345 struct inpcb; 346 extern int ipsec_init_pcbpolicy __P((struct socket *, struct inpcbpolicy **)); 347 extern int ipsec_copy_pcbpolicy 348 __P((struct inpcbpolicy *, struct inpcbpolicy *)); 349 extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *, int)); 350 351 extern int ipsec4_set_policy __P((struct inpcb *, int, caddr_t, size_t, int)); 352 extern int ipsec4_get_policy __P((struct inpcb *, caddr_t, size_t, 353 struct mbuf **)); 354 extern int ipsec4_delete_pcbpolicy __P((struct inpcb *)); 355 extern int ipsec4_in_reject_so __P((struct mbuf *, struct socket *)); 356 extern int ipsec4_in_reject __P((struct mbuf *, struct inpcb *)); 357 358 struct secas; 359 struct tcpcb; 360 struct tcp6cb; 361 extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *)); 362 extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *)); 363 364 extern size_t ipsec4_hdrsiz __P((struct mbuf *, u_int, struct inpcb *)); 365 extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *)); 366 367 struct ip; 368 extern const char *ipsec4_logpacketstr __P((struct ip *, u_int32_t)); 369 extern const char *ipsec_logsastr __P((struct secasvar *)); 370 371 extern void ipsec_dumpmbuf __P((struct mbuf *)); 372 373 extern int ipsec4_output __P((struct ipsec_output_state *, struct secpolicy *, 374 int)); 375 extern int ipsec4_tunnel_validate __P((struct mbuf *, int, u_int, 376 struct secasvar *)); 377 extern struct mbuf *ipsec_copypkt __P((struct mbuf *)); 378 extern void ipsec_delaux __P((struct mbuf *)); 379 extern int ipsec_setsocket __P((struct mbuf *, struct socket *)); 380 extern struct socket *ipsec_getsocket __P((struct mbuf *)); 381 extern int ipsec_addhist __P((struct mbuf *, int, u_int32_t)); 382 extern int ipsec_getnhist __P((struct mbuf *)); 383 extern void ipsec_clearhist __P((struct mbuf *)); 384 385 #endif /* _KERNEL */ 386 387 #ifndef _KERNEL 388 extern caddr_t ipsec_set_policy __P((char *, int)); 389 extern int ipsec_get_policylen __P((caddr_t)); 390 extern char *ipsec_dump_policy __P((caddr_t, char *)); 391 392 extern const char *ipsec_strerror __P((void)); 393 #endif /* !_KERNEL */ 394 395 #endif /* _NETINET6_IPSEC_H_ */
Cache object: 1ad188ea84749a23580d8bf8548f2e30
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]