1 /* $NetBSD: ipsec.h,v 1.42 2004/03/02 02:17:39 thorpej Exp $ */
2 /* $KAME: ipsec.h,v 1.51 2001/08/05 04:52:58 itojun Exp $ */
3
4 /*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * IPsec controller part.
35 */
36
37 #ifndef _NETINET6_IPSEC_H_
38 #define _NETINET6_IPSEC_H_
39
40 #if defined(_KERNEL_OPT)
41 #include "opt_inet.h"
42 #endif
43
44 #include <net/pfkeyv2.h>
45 #include <netkey/keydb.h>
46
47 #ifdef _KERNEL
48
/*
 * Security Policy Index
 *
 * Selector used to match traffic against an entry of the Security Policy
 * Database (secpolicy.spidx below points at one of these).
 * NOTE: src and dst must be of the same address family, and the upper
 *	 layer protocol must agree on both sides.
 * NOTE: ul_proto, port number, uid, gid:
 *	ANY: reserved for wildcard.
 *	0 to (~0 - 1): is one of the number of each value.
 */
struct secpolicyindex {
	struct sockaddr_storage src;	/* IP src address for SP */
	struct sockaddr_storage dst;	/* IP dst address for SP */
	u_int8_t prefs;			/* prefix length in bits for src */
	u_int8_t prefd;			/* prefix length in bits for dst */
	u_int16_t ul_proto;		/* upper layer Protocol; IPSEC_ULPROTO_ANY
					 * (defined below) is the wildcard */
#ifdef notyet
	/* per-user/group selectors: declared but not yet compiled in */
	uid_t uids;			/* uid on the src side */
	uid_t uidd;			/* uid on the dst side */
	gid_t gids;			/* gid on the src side */
	gid_t gidd;			/* gid on the dst side */
#endif
};
69
/*
 * Security Policy Data Base entry.
 *
 * One SPD entry: a selector (spidx) plus the action to take (policy) and,
 * for IPSEC_POLICY_IPSEC, the chain of ipsecrequest describing which SAs
 * to apply.  Entries are reference counted via refcnt.
 */
struct secpolicy {
	TAILQ_ENTRY(secpolicy) tailq;	/* all SPD entries, both pcb/table */
	LIST_ENTRY(secpolicy) chain;	/* SPD entries on table */

	u_int8_t dir;			/* direction of packet flow; one of
					 * IPSEC_DIR_* (defined below) */
	int readonly;			/* write prohibited */
	int persist;			/* will never be removed */
	int refcnt;			/* reference count */
	struct secpolicyindex *spidx;	/* selector - NULL if not valid */
	u_int16_t tag;			/* PF tag */
	u_int32_t id;			/* it identifies a policy in the SPD. */
#define IPSEC_MANUAL_POLICYID_MAX	0x3fff
	/*
	 * 1 - 0x3fff are reserved for user operation.
	 * 0 is reserved.  Others are for kernel use.
	 */
	struct socket *so;		/* backpointer to per-socket policy */
	u_int state;			/* 0: dead, others: alive */
#define IPSEC_SPSTATE_DEAD	0
#define IPSEC_SPSTATE_ALIVE	1

	int policy;			/* DISCARD, NONE or IPSEC: one of the
					 * IPSEC_POLICY_* values defined below */
	struct ipsecrequest *req;
				/* pointer to the ipsec request tree, */
				/* if policy == IPSEC else this value == NULL.*/

	/*
	 * lifetime handler.
	 * the policy can be used without limitation if both lifetime and
	 * validtime are zero.
	 * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
	 * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
	 */
	long created;			/* time created the policy */
	long lastused;			/* updated every time the kernel sends
					 * a packet */
	long lifetime;			/* duration of the lifetime of this policy */
	long validtime;			/* duration this policy is valid without use */
};
109
/*
 * Request for IPsec.
 *
 * One element of the singly linked chain hanging off secpolicy.req; each
 * element names the SA to look for (saidx) and how strictly it is required
 * (level).
 */
struct ipsecrequest {
	struct ipsecrequest *next;
				/* pointer to next structure */
				/* If NULL, it means the end of chain. */
	struct secasindex saidx;/* hint for search proper SA
				 * (type presumably from <netkey/keydb.h>) */
				/* if __ss_len == 0 then no address specified.*/
	u_int level;		/* IPsec level defined below (IPSEC_LEVEL_*). */

	struct secasvar *sav;	/* place holder of SA for use */
	struct secpolicy *sp;	/* back pointer to SP */
};
122
/*
 * Security policy in PCB.
 *
 * Per-socket policy: an inbound and an outbound secpolicy, plus a small
 * per-direction cache of the last SPD lookup so the SPD need not be
 * consulted on every packet (see IPSEC_PCB_SKIP_IPSEC below).
 */
struct inpcbpolicy {
	struct secpolicy *sp_in;
	struct secpolicy *sp_out;
	int priv;			/* privileged socket ?  Presumably what
					 * gates IPSEC_POLICY_BYPASS (defined
					 * below as "only for privileged socket") */

	/* cached policy */
	struct {
		struct secpolicy *cachesp;
		struct secpolicyindex cacheidx;
		int cachehint;		/* processing requirement hint: */
#define IPSEC_PCBHINT_MAYBE	0	/* IPsec processing maybe required */
#define IPSEC_PCBHINT_YES	1	/* IPsec processing is required */
#define IPSEC_PCBHINT_NO	2	/* IPsec processing not required */
		u_int cachegen;		/* spdgen when cache filled; compared
					 * against ipsec_spdgen to detect a
					 * stale entry */
	} sp_cache[3];			/* XXX 3 == IPSEC_DIR_MAX, which is
					 * only defined further down in this
					 * header, hence the literal */
	int sp_cacheflags;
#define IPSEC_PCBSP_CONNECTED	1
};
142
/*
 * True when the per-PCB cache for direction dir records that no IPsec
 * processing is needed AND that hint was computed for the current SPD
 * generation (ipsec_spdgen, declared below).  If the generation differs the
 * SPD has changed since the hint was cached, so the cached "no" is not
 * honoured and the macro yields false.
 * Both inpp and dir are evaluated twice: pass side-effect-free expressions.
 */
#define IPSEC_PCB_SKIP_IPSEC(inpp, dir)					\
	((inpp)->sp_cache[(dir)].cachehint == IPSEC_PCBHINT_NO &&	\
	 (inpp)->sp_cache[(dir)].cachegen == ipsec_spdgen)
146
/*
 * SP acquiring list table.
 *
 * Records a selector for which a policy is being acquired; created/count
 * bound how long and how often the request lives.
 */
struct secspacq {
	LIST_ENTRY(secspacq) chain;

	struct secpolicyindex spidx;

	long created;		/* for lifetime */
	int count;		/* for lifetime */
	/* XXX: here is mbuf place holder to be sent ? */
};
157
/*
 * Auxiliary IPsec state attached to a packet: the originating socket, the
 * number of IPsec headers, and the policy/request it was matched against.
 * Freed via ipsec_delaux (declared below).
 */
struct ipsecaux {
	struct socket *so;
	int hdrs;			/* # of ipsec headers */

	struct secpolicy *sp;
	struct ipsecrequest *req;
};
165 #endif /* _KERNEL */
166
/*
 * Wildcard selector values.
 * According to IANA assignment, port 0x0000 and proto 0xff are reserved,
 * so they can safely stand for "any" in a secpolicyindex.
 */
#define IPSEC_PORT_ANY		0
#define IPSEC_ULPROTO_ANY	255
#define IPSEC_PROTO_ANY		255
171
/* mode of security protocol */
/* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only for use in the SAD */
#define	IPSEC_MODE_ANY		0	/* i.e. wildcard. */
#define	IPSEC_MODE_TRANSPORT	1
#define	IPSEC_MODE_TUNNEL	2
177
/*
 * Direction of security policy.
 * NOTE: INVALID is used only as a flag value.  The others double as loop
 * counters (0 .. IPSEC_DIR_MAX-1), which is why inpcbpolicy.sp_cache has
 * exactly IPSEC_DIR_MAX slots.
 */
#define IPSEC_DIR_ANY		0
#define IPSEC_DIR_INBOUND	1
#define IPSEC_DIR_OUTBOUND	2
#define IPSEC_DIR_MAX		3
#define IPSEC_DIR_INVALID	4
188
/* Policy level */
/*
 * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
 * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
 * DISCARD and NONE are allowed for system default.
 * Values are stored in secpolicy.policy.
 */
#define IPSEC_POLICY_DISCARD	0	/* discarding packet */
#define IPSEC_POLICY_NONE	1	/* through IPsec engine */
#define IPSEC_POLICY_IPSEC	2	/* do IPsec */
#define IPSEC_POLICY_ENTRUST	3	/* consulting SPD if present. */
#define IPSEC_POLICY_BYPASS	4	/* only for privileged socket;
					 * presumably gated by
					 * inpcbpolicy.priv */
200
/*
 * Security protocol level, stored in ipsecrequest.level.
 * Controls how strictly an SA is required for a given request; the
 * effective level is resolved by ipsec_get_reqlevel (declared below).
 */
#define IPSEC_LEVEL_DEFAULT	0	/* reference to system default */
#define IPSEC_LEVEL_USE		1	/* use SA if present. */
#define IPSEC_LEVEL_REQUIRE	2	/* require SA. */
#define IPSEC_LEVEL_UNIQUE	3	/* unique SA. */
206
#define IPSEC_MANUAL_REQID_MAX	0x3fff
/*
 * if security policy level == unique, this id
 * indicates a related SA for use, else it is
 * zero.
 * 1 - 0x3fff are reserved for manual keying.
 * 0 is reserved for the above reason. Others are
 * for kernel use.
 * Note that this id doesn't identify an SA
 * by itself alone.
 */
/*
 * Anti-replay window size.  Presumably the width, in sequence numbers, of
 * the window consulted by ipsec_chkreplay/ipsec_updatereplay (declared
 * below) -- confirm against their implementation.
 */
#define IPSEC_REPLAYWSIZE  32
219
/*
 * statistics for ipsec processing
 *
 * Exported through the IPSECCTL_STATS sysctl (see below).  The in_* and
 * out_* counters are split by direction; the *polvio members count packets
 * that violated the security policy and are the ones to watch when
 * auditing dropped traffic.
 */
struct ipsecstat {
	u_quad_t in_success;  /* succeeded inbound process */
	u_quad_t in_polvio;
			/* security policy violation for inbound process */
	u_quad_t in_nosa;     /* inbound SA is unavailable */
	u_quad_t in_inval;    /* inbound processing failed due to EINVAL */
	u_quad_t in_nomem;    /* inbound processing failed due to ENOBUFS */
	u_quad_t in_badspi;   /* failed getting a SPI */
	u_quad_t in_ahreplay; /* AH replay check failed */
	u_quad_t in_espreplay; /* ESP replay check failed */
	u_quad_t in_ahauthsucc; /* AH authentication success */
	u_quad_t in_ahauthfail; /* AH authentication failure */
	u_quad_t in_espauthsucc; /* ESP authentication success */
	u_quad_t in_espauthfail; /* ESP authentication failure */
	/*
	 * Per-protocol histograms, 256 slots each; presumably indexed by
	 * algorithm identifier -- confirm against the code that updates them.
	 */
	u_quad_t in_esphist[256];
	u_quad_t in_ahhist[256];
	u_quad_t in_comphist[256];
	u_quad_t out_success; /* succeeded outbound process */
	u_quad_t out_polvio;
			/* security policy violation for outbound process */
	u_quad_t out_nosa;    /* outbound SA is unavailable */
	u_quad_t out_inval;   /* outbound process failed due to EINVAL */
	u_quad_t out_nomem;   /* outbound processing failed due to ENOBUFS */
	u_quad_t out_noroute; /* there is no route */
	u_quad_t out_esphist[256];
	u_quad_t out_ahhist[256];
	u_quad_t out_comphist[256];

	u_quad_t spdcachelookup;	/* lookups served from the per-PCB
					 * policy cache (inpcbpolicy.sp_cache) */
	u_quad_t spdcachemiss;		/* lookups that fell through to the SPD */
};
252
/*
 * Definitions for IPsec & Key sysctl operations.
 */
/*
 * Names for IPsec & Key sysctl objects.
 * These numbers index the IPSECCTL_NAMES / IPSEC6CTL_NAMES tables below,
 * so the two lists must be kept in step.  Number 7 is retired and must not
 * be reassigned to a new knob.
 */
#define IPSECCTL_STATS			1	/* stats */
#define IPSECCTL_DEF_POLICY		2
#define IPSECCTL_DEF_ESP_TRANSLEV	3	/* int; ESP transport mode */
#define IPSECCTL_DEF_ESP_NETLEV		4	/* int; ESP tunnel mode */
#define IPSECCTL_DEF_AH_TRANSLEV	5	/* int; AH transport mode */
#define IPSECCTL_DEF_AH_NETLEV		6	/* int; AH tunnel mode */
#if 0	/* obsolete, do not reuse */
#define IPSECCTL_INBOUND_CALL_IKE	7
#endif
#define	IPSECCTL_AH_CLEARTOS		8
#define	IPSECCTL_AH_OFFSETMASK		9
#define	IPSECCTL_DFBIT			10
#define	IPSECCTL_ECN			11
#define	IPSECCTL_DEBUG			12
#define IPSECCTL_MAXID			13
274
/*
 * IPv4 sysctl name table, indexed by IPSECCTL_*.  Slot 0 is unused, slot 1
 * (IPSECCTL_STATS) has no name, and slot 7 is the retired
 * IPSECCTL_INBOUND_CALL_IKE and stays empty.
 */
#define IPSECCTL_NAMES { \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "def_policy", CTLTYPE_INT }, \
	{ "esp_trans_deflev", CTLTYPE_INT }, \
	{ "esp_net_deflev", CTLTYPE_INT }, \
	{ "ah_trans_deflev", CTLTYPE_INT }, \
	{ "ah_net_deflev", CTLTYPE_INT }, \
	{ 0, 0 }, /* 7: obsolete, do not reuse */ \
	{ "ah_cleartos", CTLTYPE_INT }, \
	{ "ah_offsetmask", CTLTYPE_INT }, \
	{ "dfbit", CTLTYPE_INT }, \
	{ "ecn", CTLTYPE_INT }, \
	{ "debug", CTLTYPE_INT }, \
}
290
/*
 * IPv6 sysctl name table, indexed by the same IPSECCTL_* numbers.  Differs
 * from IPSECCTL_NAMES in that slots 8-10 (ah_cleartos, ah_offsetmask,
 * dfbit) are not exposed for IPv6; keep the numbering identical anyway.
 */
#define IPSEC6CTL_NAMES { \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "def_policy", CTLTYPE_INT }, \
	{ "esp_trans_deflev", CTLTYPE_INT }, \
	{ "esp_net_deflev", CTLTYPE_INT }, \
	{ "ah_trans_deflev", CTLTYPE_INT }, \
	{ "ah_net_deflev", CTLTYPE_INT }, \
	{ 0, 0 }, /* 7: obsolete, do not reuse */ \
	{ 0, 0 }, /* 8: ah_cleartos, IPv4 only */ \
	{ 0, 0 }, /* 9: ah_offsetmask, IPv4 only */ \
	{ 0, 0 }, /* 10: dfbit, IPv4 only */ \
	{ "ecn", CTLTYPE_INT }, \
	{ "debug", CTLTYPE_INT }, \
}
306
307 #ifdef _KERNEL
/*
 * State threaded through the output path (ipsec4_output,
 * ipsec6_output_trans, ipsec6_output_tunnel below): the packet, its route
 * and destination, and whether encapsulation has been applied.
 */
struct ipsec_output_state {
	struct mbuf *m;
	struct route *ro;
	struct sockaddr *dst;
	int encap;
};
314
/*
 * One record per IPsec header seen on a packet: the protocol and the SPI.
 * Presumably appended by ipsec_addhist (its int/u_int32_t arguments match
 * these fields) and read back via ipsec_gethist/ipsec_getnhist.
 */
struct ipsec_history {
	int ih_proto;
	u_int32_t ih_spi;
};
319
extern int ipsec_debug;		/* non-zero enables ipseclog() output */

/*
 * Per-family tunables backing the IPSECCTL_* sysctl knobs above (the
 * *_deflev values are the defaults applied when a request carries
 * IPSEC_LEVEL_DEFAULT) and the per-family statistics block.
 */
#ifdef INET
extern struct ipsecstat ipsecstat;
extern struct secpolicy *ip4_def_policy;	/* system default policy */
extern int ip4_esp_trans_deflev;
extern int ip4_esp_net_deflev;
extern int ip4_ah_trans_deflev;
extern int ip4_ah_net_deflev;
extern int ip4_ah_cleartos;
extern int ip4_ah_offsetmask;
extern int ip4_ipsec_dfbit;
extern int ip4_ipsec_ecn;
#endif

#ifdef INET6
extern struct ipsecstat ipsec6stat;
extern struct secpolicy *ip6_def_policy;	/* system default policy */
extern int ip6_esp_trans_deflev;
extern int ip6_esp_net_deflev;
extern int ip6_ah_trans_deflev;
extern int ip6_ah_net_deflev;
extern int ip6_ipsec_ecn;
#endif
344
/*
 * Emit a kernel log message only when ipsec_debug is set.  The argument
 * is pasted directly after "log", so it must be a fully parenthesised
 * argument list, e.g. ipseclog((LOG_DEBUG, "...")).  do/while(0) makes it
 * safe as a single statement in an un-braced if/else.
 */
#define ipseclog(x)	do { if (ipsec_debug) log x; } while (/*CONSTCOND*/ 0)
346
/* Per-PCB policy cache maintenance. */
extern int ipsec_pcbconn __P((struct inpcbpolicy *));
extern int ipsec_pcbdisconn __P((struct inpcbpolicy *));
extern void ipsec_invalpcbcacheall __P((void));

/*
 * SPD generation counter; compared with inpcbpolicy.sp_cache[].cachegen by
 * IPSEC_PCB_SKIP_IPSEC so that cached hints are dropped after the SPD
 * changes.
 */
extern u_int ipsec_spdgen;

/*
 * SPD lookup for a packet, by owning socket or by address.  The trailing
 * int * is an error out-parameter; the exact meaning of the u_int and int
 * arguments is not visible here -- see the implementation.
 */
extern struct secpolicy *ipsec4_getpolicybysock
	__P((struct mbuf *, u_int, struct socket *, int *));
extern struct secpolicy *ipsec4_getpolicybyaddr
	__P((struct mbuf *, u_int, int, int *));

#ifdef INET6
extern struct secpolicy *ipsec6_getpolicybysock
	__P((struct mbuf *, u_int, struct socket *, int *));
extern struct secpolicy *ipsec6_getpolicybyaddr
	__P((struct mbuf *, u_int, int, int *));
#endif /* INET6 */
364
struct inpcb;
#ifdef INET6
struct in6pcb;
#endif
/* Per-socket policy lifecycle. */
extern int ipsec_init_pcbpolicy __P((struct socket *, struct inpcbpolicy **));
extern int ipsec_copy_pcbpolicy
	__P((struct inpcbpolicy *, struct inpcbpolicy *));
/* Resolve IPSEC_LEVEL_DEFAULT against the per-family *_deflev tunables. */
extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *, int));

/*
 * Socket-option interface to per-PCB policy.  The caddr_t/size_t pair is a
 * caller-supplied policy buffer and its length; presumably it originates
 * from setsockopt(2), so the implementation must bounds-check the length
 * before parsing the buffer -- confirm in ipsec4_set_policy.
 * The *_in_reject* routines decide whether an inbound packet is to be
 * dropped for policy reasons (counted in ipsecstat.in_polvio).
 */
extern int ipsec4_set_policy __P((struct inpcb *, int, caddr_t, size_t, int));
extern int ipsec4_get_policy __P((struct inpcb *, caddr_t, size_t,
	struct mbuf **));
extern int ipsec4_delete_pcbpolicy __P((struct inpcb *));
extern int ipsec4_in_reject_so __P((struct mbuf *, struct socket *));
extern int ipsec4_in_reject __P((struct mbuf *, struct inpcb *));

#ifdef INET6
extern int ipsec6_in_reject_so __P((struct mbuf *, struct socket *));
extern int ipsec6_delete_pcbpolicy __P((struct in6pcb *));
extern int ipsec6_set_policy __P((struct in6pcb *, int, caddr_t, size_t, int));
extern int ipsec6_get_policy __P((struct in6pcb *, caddr_t, size_t,
	struct mbuf **));
extern int ipsec6_in_reject __P((struct mbuf *, struct in6pcb *));
#endif /* INET6 */
389
struct secas;		/* NOTE(review): not referenced by any prototype here */
struct tcpcb;
struct tcp6cb;
/*
 * Anti-replay: check a received sequence number against the SA's window
 * and, on acceptance, advance the window.  Keep the two calls separate so a
 * packet that later fails authentication does not update the window.
 */
extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *));
extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *));

/* Size of the IPsec headers that would be added to a packet / TCP segment. */
extern size_t ipsec4_hdrsiz __P((struct mbuf *, u_int, struct inpcb *));
extern size_t ipsec4_hdrsiz_tcp __P((struct tcpcb *));
#ifdef INET6
extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct in6pcb *));
extern size_t ipsec6_hdrsiz_tcp __P((struct tcpcb *));
#endif
402
struct ip;
#ifdef INET6
struct ip6_hdr;
#endif
/*
 * Diagnostic formatters for ipseclog(): describe a packet (header + SPI)
 * or an SA as a string.  Return values are const; ownership/lifetime of the
 * buffer is not visible here.
 */
extern const char *ipsec4_logpacketstr __P((struct ip *, u_int32_t));
#ifdef INET6
extern const char *ipsec6_logpacketstr __P((struct ip6_hdr *, u_int32_t));
#endif
extern const char *ipsec_logsastr __P((struct secasvar *));

extern void ipsec_dumpmbuf __P((struct mbuf *));
414
/* Output path: apply the given policy to the packet in ipsec_output_state. */
extern int ipsec4_output __P((struct ipsec_output_state *, struct secpolicy *,
	int));
#ifdef INET6
extern int ipsec6_output_trans __P((struct ipsec_output_state *, u_char *,
	struct mbuf *, struct secpolicy *, int, int *));
extern int ipsec6_output_tunnel __P((struct ipsec_output_state *,
	struct secpolicy *, int));
#endif
/*
 * Inbound tunnel-mode check: verify that the inner header is acceptable
 * for the SA it arrived on before the decapsulated packet is reinjected.
 */
extern int ipsec4_tunnel_validate __P((struct ip *, u_int, struct secasvar *));
#ifdef INET6
extern int ipsec6_tunnel_validate __P((struct ip6_hdr *, u_int,
	struct secasvar *));
#endif
extern struct mbuf *ipsec_copypkt __P((struct mbuf *));
/* Per-packet auxiliary data (struct ipsecaux) and IPsec header history. */
extern void ipsec_delaux __P((struct mbuf *));
extern int ipsec_addhist __P((struct mbuf *, int, u_int32_t));
extern int ipsec_getnhist __P((struct mbuf *));
extern struct ipsec_history *ipsec_gethist __P((struct mbuf *, int *));
extern void ipsec_clearhist __P((struct mbuf *));

/* sysctl handlers for the IPSECCTL_* / IPSEC6CTL_* nodes. */
extern int ipsec_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
extern int ipsec6_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
437
438 #endif /* _KERNEL */
439
440 #ifndef _KERNEL
/*
 * Userland policy helpers (libipsec): parse a textual policy into the
 * binary form consumed by the set_policy socket options, query its length,
 * and render it back to text.  Allocation and ownership of the returned
 * buffers are not visible here -- see ipsec_set_policy(3).
 */
extern caddr_t ipsec_set_policy __P((char *, int));
extern int ipsec_get_policylen __P((caddr_t));
extern char *ipsec_dump_policy __P((caddr_t, char *));

/* Text for the last libipsec error. */
extern const char *ipsec_strerror __P((void));
446 #endif /* !_KERNEL */
447
448 #endif /* _NETINET6_IPSEC_H_ */