FreeBSD/Linux Kernel Cross Reference
sys/netipsec/ipsec.h

    1 /*      $NetBSD: ipsec.h,v 1.93 2022/10/28 05:23:09 ozaki-r Exp $       */
    2 /*      $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $       */
    3 /*      $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $  */
    4 
    5 /*
    6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
    7  * All rights reserved.
    8  *
    9  * Redistribution and use in source and binary forms, with or without
   10  * modification, are permitted provided that the following conditions
   11  * are met:
   12  * 1. Redistributions of source code must retain the above copyright
   13  *    notice, this list of conditions and the following disclaimer.
   14  * 2. Redistributions in binary form must reproduce the above copyright
   15  *    notice, this list of conditions and the following disclaimer in the
   16  *    documentation and/or other materials provided with the distribution.
   17  * 3. Neither the name of the project nor the names of its contributors
   18  *    may be used to endorse or promote products derived from this software
   19  *    without specific prior written permission.
   20  *
   21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
   22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
   25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   31  * SUCH DAMAGE.
   32  */
   33 
   34 #ifndef _NETIPSEC_IPSEC_H_
   35 #define _NETIPSEC_IPSEC_H_
   36 
   37 #if defined(_KERNEL_OPT)
   38 #include "opt_inet.h"
   39 #include "opt_ipsec.h"
   40 #endif
   41 
   42 #include <net/pfkeyv2.h>
   43 
   44 #ifdef _KERNEL
   45 #include <sys/socketvar.h>
   46 #include <sys/localcount.h>
   47 
   48 #include <netinet/in_pcb.h>
   49 #include <netipsec/keydb.h>
   50 
/*
 * Security Policy Index -- the selector an SPD entry is matched on.
 * The address families of "src" and "dst" must be the same.
 * When ul_proto is ICMPv6, the port field in "src" carries the ICMPv6
 * type and the port field in "dst" carries the ICMPv6 code.
 */
struct secpolicyindex {
        u_int8_t dir;                   /* direction of packet flow, IPSEC_DIR_* (defined below) */
        union sockaddr_union src;       /* IP src address for SP */
        union sockaddr_union dst;       /* IP dst address for SP */
        u_int8_t prefs;                 /* prefix length in bits for src */
        u_int8_t prefd;                 /* prefix length in bits for dst */
        u_int16_t ul_proto;             /* upper layer protocol; IPSEC_ULPROTO_ANY (below) is the wildcard */
};
   65 
/* Security Policy Data Base entry */
struct secpolicy {
        struct pslist_entry pslist_entry;

        struct localcount localcount;   /* reference count */
        struct secpolicyindex spidx;    /* selector */
        u_int32_t id;                   /* unique number on the system */
        u_int state;                    /* 0: dead, others: alive */
#define IPSEC_SPSTATE_DEAD      0
#define IPSEC_SPSTATE_ALIVE     1

        u_int origin;                   /* who generated this SP */
#define IPSEC_SPORIGIN_USER     0
#define IPSEC_SPORIGIN_KERNEL   1

        u_int policy;           /* DISCARD, NONE or IPSEC, see IPSEC_POLICY_* below */
        struct ipsecrequest *req;
                                /* pointer to the ipsec request chain */
                                /* if policy == IPSEC, else NULL */

        /*
         * Lifetime handling.
         * The policy can be used without limitation if both lifetime and
         * validtime are zero.
         * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
         * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
         */
        time_t created;         /* time the policy was created */
        time_t lastused;        /* updated whenever the kernel sends a packet under this policy */
        time_t lifetime;        /* duration of the lifetime of this policy */
        time_t validtime;       /* duration this policy stays valid without use */
};
   98 
/* Request for IPsec -- one element of a secpolicy's request chain */
struct ipsecrequest {
        struct ipsecrequest *next;
                                /* pointer to next structure */
                                /* If NULL, it means the end of chain. */
        struct secasindex saidx;/* hint for searching the proper SA */
                                /* if __ss_len == 0 then no address specified.*/
        u_int level;            /* IPsec level, IPSEC_LEVEL_* defined below */

        struct secpolicy *sp;   /* back pointer to SP */
};
  110 
/* security policy attached to a PCB (per-socket policy) */
struct inpcbpolicy {
        struct secpolicy *sp_in;        /* socket's inbound SP */
        struct secpolicy *sp_out;       /* socket's outbound SP */
        int priv;                       /* privileged socket?  IPSEC_POLICY_BYPASS
                                         * (below) is "only for privileged socket",
                                         * so this is what any bypass decision
                                         * must key off. */

        /*
         * Cached per-direction lookup result.  An entry is only trusted
         * while cachegen == ipsec_spdgen (see ipsec_pcb_skip_ipsec()); a
         * stale generation forces a fresh SPD lookup rather than a bypass.
         */
        struct {
                struct secpolicy *cachesp;
                struct secpolicyindex cacheidx;
                int cachehint;          /* processing requirement hint: */
#define IPSEC_PCBHINT_UNKNOWN   0       /* Unknown */
#define IPSEC_PCBHINT_YES       1       /* IPsec processing is required */
#define IPSEC_PCBHINT_NO        2       /* IPsec processing not required */
                u_int cachegen;         /* spdgen when cache filled */
        } sp_cache[3];                  /* XXX 3 == IPSEC_DIR_MAX, which is only
                                         * #defined further down this file */
        int sp_cacheflags;
#define IPSEC_PCBSP_CONNECTED   1
        struct inpcb *sp_inp;           /* back pointer */
};
  131 
  132 extern u_int ipsec_spdgen;
  133 
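/*
 * Fast-path test: may traffic in direction "dir" on this PCB skip IPsec?
 *
 * Returns true only if the cached hint for "dir" is IPSEC_PCBHINT_NO AND
 * that cache entry was filled under the current SPD generation.  A stale
 * entry (cachegen != ipsec_spdgen) never reports "skip", so an SPD change
 * made after the cache was filled is not bypassed.
 *
 * Caller must hold the inpcb lock.  "dir" must be a valid index into
 * sp_cache (IPSEC_DIR_INBOUND or IPSEC_DIR_OUTBOUND); the bound is
 * expressed via sizeof because IPSEC_DIR_MAX is #defined later in this
 * file.  The check is a KASSERT, so it costs nothing in non-DIAGNOSTIC
 * kernels but catches an out-of-range direction in debug builds instead
 * of silently reading past sp_cache[].
 */
static __inline bool
ipsec_pcb_skip_ipsec(struct inpcbpolicy *pcbsp, int dir)
{

        KASSERT(inp_locked(pcbsp->sp_inp));
        KASSERT(dir >= 0 &&
            (size_t)dir < sizeof(pcbsp->sp_cache) / sizeof(pcbsp->sp_cache[0]));

        return pcbsp->sp_cache[dir].cachehint == IPSEC_PCBHINT_NO &&
            pcbsp->sp_cache[dir].cachegen == ipsec_spdgen;
}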
  143 
/* SP acquiring list table entry (outstanding policy-acquire request). */
struct secspacq {
        LIST_ENTRY(secspacq) chain;

        struct secpolicyindex spidx;    /* selector being acquired for */

        time_t created;         /* for lifetime */
        int count;              /* for lifetime */
        /* XXX: here is mbuf place holder to be sent ? */
};
  154 #endif /* _KERNEL */
  155 
/* buffer size for formatted output of an ipsec address (addr + '%' + scope_id?) */
#define IPSEC_ADDRSTRLEN        (INET6_ADDRSTRLEN + 11)
/* buffer size for ipsec_logsastr(); pass it as the size argument as well */
#define IPSEC_LOGSASTRLEN       192

/* Wildcards.  Per IANA assignment, port 0x0000 and proto 0xff are reserved. */
#define IPSEC_PORT_ANY          0
#define IPSEC_ULPROTO_ANY       255
#define IPSEC_PROTO_ANY         255
  165 
/* mode of security protocol */
/* NOTE: IPSEC_MODE_ANY is a wildcard valid only in the SAD; never use it in an SPD entry. */
#define IPSEC_MODE_ANY          0       /* i.e. wildcard. */
#define IPSEC_MODE_TRANSPORT    1
#define IPSEC_MODE_TUNNEL       2
#define IPSEC_MODE_TCPMD5       3       /* TCP MD5 mode */
  172 
/*
 * Direction of security policy.
 * NOTE: INVALID is used only as a flag.  The others double as loop
 * counters (0 .. IPSEC_DIR_MAX-1), which is why MAX sits right after
 * OUTBOUND.
 */
#define IPSEC_DIR_ANY           0
#define IPSEC_DIR_INBOUND       1
#define IPSEC_DIR_OUTBOUND      2
#define IPSEC_DIR_MAX           3
#define IPSEC_DIR_INVALID       4

/*
 * NOTE(review): IPSEC_DIR_IS_VALID() accepts IPSEC_DIR_ANY and also
 * IPSEC_DIR_MAX itself, and MAX (3) is one past the end of
 * inpcbpolicy.sp_cache[3].  Code that indexes a per-direction array must
 * therefore gate on IPSEC_DIR_IS_INOROUT(), not IS_VALID() -- confirm at
 * the call sites.  If "dir" has an unsigned type the (dir) >= 0 half is
 * always true (compilers may warn).
 */
#define IPSEC_DIR_IS_VALID(dir)         ((dir) >= 0 && (dir) <= IPSEC_DIR_MAX)
#define IPSEC_DIR_IS_INOROUT(dir)       ((dir) == IPSEC_DIR_INBOUND || \
                                         (dir) == IPSEC_DIR_OUTBOUND)
  187 
/* Policy level */
/*
 * Which values are legal depends on where the policy comes from:
 *   IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in a PCB,
 *   DISCARD, IPSEC and NONE are allowed for setkey() in the SPD,
 *   DISCARD and NONE are allowed for the system default.
 * BYPASS must additionally be restricted to privileged sockets
 * (inpcbpolicy.priv); the parser must reject anything else.
 */
#define IPSEC_POLICY_DISCARD    0       /* discarding packet */
#define IPSEC_POLICY_NONE       1       /* through IPsec engine */
#define IPSEC_POLICY_IPSEC      2       /* do IPsec */
#define IPSEC_POLICY_ENTRUST    3       /* consulting SPD if present. */
#define IPSEC_POLICY_BYPASS     4       /* only for privileged socket. */
  199 
/* Security protocol level (ipsecrequest.level) */
#define IPSEC_LEVEL_DEFAULT     0       /* reference to system default */
#define IPSEC_LEVEL_USE         1       /* use SA if present. */
#define IPSEC_LEVEL_REQUIRE     2       /* require SA. */
#define IPSEC_LEVEL_UNIQUE      3       /* unique SA. */

#define IPSEC_MANUAL_REQID_MAX  0x3fff
                                /*
                                 * If the security policy level is UNIQUE,
                                 * this id selects the particular SA to use;
                                 * otherwise it is zero.
                                 * 1 - 0x3fff are reserved for manual keying,
                                 * 0 is reserved for the reason above, and
                                 * everything else is for kernel use.
                                 * Note that this id does not identify an SA
                                 * by itself.
                                 */
/* Presumably the anti-replay window width in packets used by
 * ipsec_chkreplay()/ipsec_updatereplay() below -- confirm in the SA code. */
#define IPSEC_REPLAYWSIZE  32
  218 
  219 #ifdef _KERNEL
  220 
extern int ipsec_debug;         /* non-zero enables DPRINTF()/IPSECLOG() below */
#ifdef IPSEC_DEBUG
/*
 * NOTE(review): names suggest debug knobs that weaken replay/integrity
 * checking.  They are only declared under IPSEC_DEBUG here; confirm the
 * code that reads them is guarded the same way so a production kernel
 * cannot toggle them.
 */
extern int ipsec_replay;
extern int ipsec_integrity;
#endif

/* System default policy and per-protocol default levels (IPv4). */
extern struct secpolicy ip4_def_policy;
extern int ip4_esp_trans_deflev;
extern int ip4_esp_net_deflev;
extern int ip4_ah_trans_deflev;
extern int ip4_ah_net_deflev;
extern int ip4_ah_cleartos;
extern int ip4_ah_offsetmask;
extern int ip4_ipsec_dfbit;
extern int ip4_ipsec_ecn;
extern int crypto_support;
  237 
  238 #include <sys/syslog.h>
  239 
/*
 * Debug logging.  Both macros are no-ops unless ipsec_debug is non-zero,
 * and the arguments are evaluated only in that case.  "fmt" is
 * string-concatenated with "%s: " and so MUST be a string literal --
 * which also makes it impossible to feed attacker-influenced data in as
 * the format string.  The caller's function name is prepended.
 */
#define DPRINTF(fmt, args...)                                           \
        do {                                                            \
                if (ipsec_debug)                                        \
                        log(LOG_DEBUG, "%s: " fmt, __func__, ##args);   \
        } while (/*CONSTCOND*/0)

/* Same as DPRINTF() but at a caller-chosen syslog level. */
#define IPSECLOG(level, fmt, args...)                                   \
        do {                                                            \
                if (ipsec_debug)                                        \
                        log(level, "%s: " fmt, __func__, ##args);       \
        } while (/*CONSTCOND*/0)
  251 
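/*
 * Has this mbuf already been through IPsec input processing?  True when
 * it carries M_AUTHIPHDR or M_DECRYPTED (presumably set by AH/ESP input
 * -- verify in the *_input paths).  "m" is now parenthesized so the macro
 * is safe on any expression argument, matching ipsec_outdone() below.
 */
#define ipsec_indone(m) \
        (((m)->m_flags & M_AUTHIPHDR) || ((m)->m_flags & M_DECRYPTED))
/*
 * Has this mbuf already been through IPsec output processing?  Keyed on
 * the PACKET_TAG_IPSEC_OUT_DONE m_tag.
 */
#define ipsec_outdone(m) \
        (m_tag_find((m), PACKET_TAG_IPSEC_OUT_DONE) != NULL)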
  256 
/*
 * Should this mbuf bypass pfil?  Only an mbuf that has actually been
 * through IPsec input (ipsec_indone()) AND carries the
 * PKTHDR_FLAG_IPSEC_SKIP_PFIL flag qualifies.  The flag is consumed on
 * the way out, so the bypass applies to exactly one pfil pass; a packet
 * that merely has the flag set but was never decrypted/authenticated
 * does not skip.
 */
static __inline bool
ipsec_skip_pfil(struct mbuf *m)
{

        if (!ipsec_indone(m))
                return false;
        if ((m->m_pkthdr.pkthdr_flags & PKTHDR_FLAG_IPSEC_SKIP_PFIL) == 0)
                return false;

        /* One-shot: clear so a later pfil hook sees the packet. */
        m->m_pkthdr.pkthdr_flags &= ~PKTHDR_FLAG_IPSEC_SKIP_PFIL;
        return true;
}
  272 
/* PCB policy-cache maintenance. */
void ipsec_pcbconn(struct inpcbpolicy *);
void ipsec_pcbdisconn(struct inpcbpolicy *);
void ipsec_invalpcbcacheall(void);

struct inpcb;
int ipsec4_output(struct mbuf *, struct inpcb *, int, u_long *, bool *, bool *, bool *);

/* Inbound policy enforcement and MTU adjustment. */
int ipsec_ip_input_checkpolicy(struct mbuf *, bool);
void ipsec_mtu(struct mbuf *, int *);
#ifdef INET6
void ipsec6_udp_cksum(struct mbuf *);
#endif

struct inpcb;                   /* (duplicate forward declaration; harmless) */
int ipsec_init_pcbpolicy(struct socket *so, struct inpcbpolicy **);
int ipsec_copy_policy(const struct inpcbpolicy *, struct inpcbpolicy *);
u_int ipsec_get_reqlevel(const struct ipsecrequest *);

/*
 * Per-socket policy set/get.  The (const void *, size_t) pair is a
 * caller-supplied policy blob -- per the IPSEC_POLICY_* notes above it
 * arrives via setsockopt(), so parsing must be bounded by the size_t.
 * ipsec_set_policy() takes the caller's credential; presumably this is
 * what gates IPSEC_POLICY_BYPASS ("only for privileged socket") --
 * verify the check in ipsec.c.
 */
int ipsec_set_policy(struct inpcb *, const void *, size_t, kauth_cred_t);
int ipsec_get_policy(struct inpcb *, const void *, size_t, struct mbuf **);
int ipsec_delete_pcbpolicy(struct inpcb *);
int ipsec_in_reject(struct mbuf *, struct inpcb *);

struct secasvar *ipsec_lookup_sa(const struct ipsecrequest *,
    const struct mbuf *);

struct secas;
struct tcpcb;
/* Anti-replay check/update for a sequence number against an SA. */
int ipsec_chkreplay(u_int32_t, const struct secasvar *);
int ipsec_updatereplay(u_int32_t, const struct secasvar *);

size_t ipsec_hdrsiz(struct mbuf *, u_int, struct inpcb *);
size_t ipsec4_hdrsiz_tcp(struct tcpcb *);

/*
 * Formatting helpers.  Pass a buffer of IPSEC_ADDRSTRLEN /
 * IPSEC_LOGSASTRLEN bytes and the matching size argument.
 */
union sockaddr_union;
const char *ipsec_address(const union sockaddr_union* sa, char *, size_t);
const char *ipsec_logsastr(const struct secasvar *, char *, size_t);

/* NetBSD protosw ctlinput entrypoints */
void *esp4_ctlinput(int, const struct sockaddr *, void *);
void *ah4_ctlinput(int, const struct sockaddr *, void *);

void ipsec_output_init(void);
struct m_tag;
void ipsec4_common_input(struct mbuf *m, int, int);
int ipsec4_common_input_cb(struct mbuf *, struct secasvar *, int, int);
int ipsec4_process_packet(struct mbuf *, const struct ipsecrequest *, u_long *);
int ipsec_process_done(struct mbuf *, const struct ipsecrequest *,
    struct secasvar *, int);

/* mbuf manipulation helpers used by the transforms. */
struct mbuf *m_clone(struct mbuf *);
struct mbuf *m_makespace(struct mbuf *, int, int, int *);
void *m_pad(struct mbuf *, int);
int m_striphdr(struct mbuf *, int, int);

/* Global on/off state read on the fast path. */
extern int ipsec_used __read_mostly;
extern int ipsec_enabled __read_mostly;
  330 
  331 #endif /* _KERNEL */
  332 
  333 #ifndef _KERNEL
/*
 * Userland (libipsec) API.  Note ipsec_set_policy() here is a different
 * function from the kernel one of the same name above: it takes a policy
 * string and a length and returns a buffer.
 */
char *ipsec_set_policy(const char *, int);
int ipsec_get_policylen(char *);
char *ipsec_dump_policy(char *, const char *);
const char *ipsec_strerror(void);
  338 #endif /* !_KERNEL */
  339 
  340 #ifdef _KERNEL
/* External declarations of per-file init functions (transform attach). */
void ah_attach(void);
void esp_attach(void);
void ipcomp_attach(void);
void ipe4_attach(void);
void tcpsignature_attach(void);

void ipsec_attach(void);

/* sysctl tree setup for net.inet.ipsec / net.inet6.ipsec6 */
void sysctl_net_inet_ipsec_setup(struct sysctllog **);
#ifdef INET6
void sysctl_net_inet6_ipsec6_setup(struct sysctllog **);
#endif
  353 #endif
  354 
  355 #endif /* _KERNEL */
  356 #endif /* !_NETIPSEC_IPSEC_H_ */
