ipsec.h source code [netbsd/sys/netipsec/ipsec.h]

1	/ $NetBSD: ipsec.h,v 1.88 2019/06/12 22:23:50 christos Exp $ /
2	/ $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ /
3	/ $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ /
4
5	/*
6	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7	* All rights reserved.
8	*
9	* Redistribution and use in source and binary forms, with or without
10	* modification, are permitted provided that the following conditions
11	* are met:
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	* 2. Redistributions in binary form must reproduce the above copyright
15	* notice, this list of conditions and the following disclaimer in the
16	* documentation and/or other materials provided with the distribution.
17	* 3. Neither the name of the project nor the names of its contributors
18	* may be used to endorse or promote products derived from this software
19	* without specific prior written permission.
20	*
21	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31	* SUCH DAMAGE.
32	*/
33
34	#ifndef _NETIPSEC_IPSEC_H_
35	#define _NETIPSEC_IPSEC_H_
36
37	#if defined(_KERNEL_OPT)
38	#include "opt_inet.h"
39	#include "opt_ipsec.h"
40	#endif
41
42	#include <net/pfkeyv2.h>
43
44	#ifdef _KERNEL
45	#include <sys/socketvar.h>
46	#include <sys/localcount.h>
47
48	#include <netinet/in_pcb_hdr.h>
49	#include <netipsec/keydb.h>
50
51	/*
52	* Security Policy Index
53	* Ensure that both address families in the "src" and "dst" are same.
54	* When the value of the ul_proto is ICMPv6, the port field in "src"
55	* specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
56	*/
57	struct secpolicyindex {
58	u_int8_t dir; / direction of packet flow, see blow /
59	union sockaddr_union src; / IP src address for SP /
60	union sockaddr_union dst; / IP dst address for SP /
61	u_int8_t prefs; / prefix length in bits for src /
62	u_int8_t prefd; / prefix length in bits for dst /
63	u_int16_t ul_proto; / upper layer Protocol /
64	};
65
66	/ Security Policy Data Base /
67	struct secpolicy {
68	struct pslist_entry pslist_entry;
69
70	struct localcount localcount; / reference count /
71	struct secpolicyindex spidx; / selector /
72	u_int32_t id; / It's unique number on the system. /
73	u_int state; / 0: dead, others: alive /
74	#define IPSEC_SPSTATE_DEAD 0
75	#define IPSEC_SPSTATE_ALIVE 1
76
77	u_int origin; / who generate this SP. /
78	#define IPSEC_SPORIGIN_USER 0
79	#define IPSEC_SPORIGIN_KERNEL 1
80
81	u_int policy; / DISCARD, NONE or IPSEC, see keyv2.h /
82	struct ipsecrequest *req;
83	/ pointer to the ipsec request tree, /
84	/ if policy == IPSEC else this value == NULL./
85
86	/*
87	* lifetime handler.
88	* the policy can be used without limitiation if both lifetime and
89	* validtime are zero.
90	* "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
91	* "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
92	*/
93	time_t created; / time created the policy /
94	time_t lastused; / updated every when kernel sends a packet /
95	time_t lifetime; / duration of the lifetime of this policy /
96	time_t validtime; / duration this policy is valid without use /
97	};
98
99	/ Request for IPsec /
100	struct ipsecrequest {
101	struct ipsecrequest *next;
102	/ pointer to next structure /
103	/ If NULL, it means the end of chain. /
104	struct secasindex saidx;/ hint for search proper SA /
105	/ if __ss_len == 0 then no address specified./
106	u_int level; / IPsec level defined below. /
107
108	struct secpolicy sp; /* back pointer to SP /
109	};
110
111	/ security policy in PCB /
112	struct inpcbpolicy {
113	struct secpolicy *sp_in;
114	struct secpolicy *sp_out;
115	int priv; / privileged socket ? /
116
117	/ cached policy /
118	struct {
119	struct secpolicy *cachesp;
120	struct secpolicyindex cacheidx;
121	int cachehint; / processing requirement hint: /
122	#define IPSEC_PCBHINT_UNKNOWN 0 /* Unknown */
123	#define IPSEC_PCBHINT_YES 1 /* IPsec processing is required */
124	#define IPSEC_PCBHINT_NO 2 /* IPsec processing not required */
125	u_int cachegen; / spdgen when cache filled /
126	} sp_cache[`3`]; / XXX 3 == IPSEC_DIR_MAX /
127	int sp_cacheflags;
128	#define IPSEC_PCBSP_CONNECTED 1
129	struct inpcb_hdr sp_inph; /* back pointer /
130	};
131
132	extern u_int ipsec_spdgen;
133
134	static __inline bool
135	ipsec_pcb_skip_ipsec(struct inpcbpolicy pcbsp, int* dir)
136	{
137
138	KASSERT(inph_locked(pcbsp->sp_inph));
139
140	return pcbsp->sp_cache[(dir)].cachehint == IPSEC_PCBHINT_NO &&
141	pcbsp->sp_cache[(dir)].cachegen == ipsec_spdgen;
142	}
143
144	/ SP acquiring list table. /
145	struct secspacq {
146	LIST_ENTRY(secspacq) chain;
147
148	struct secpolicyindex spidx;
149
150	time_t created; / for lifetime /
151	int count; / for lifetime /
152	/ XXX: here is mbuf place holder to be sent ? /
153	};
154	#endif /* _KERNEL */
155
156	/ buffer size for formatted output of ipsec address (addr + '%' + scope_id?) /
157	#define IPSEC_ADDRSTRLEN (INET6_ADDRSTRLEN + 11)
158	/ buffer size for ipsec_logsastr() /
159	#define IPSEC_LOGSASTRLEN 192
160
161	/ according to IANA assignment, port 0x0000 and proto 0xff are reserved. /
162	#define IPSEC_PORT_ANY 0
163	#define IPSEC_ULPROTO_ANY 255
164	#define IPSEC_PROTO_ANY 255
165
166	/ mode of security protocol /
167	/ NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD /
168	#define IPSEC_MODE_ANY 0 /* i.e. wildcard. */
169	#define IPSEC_MODE_TRANSPORT 1
170	#define IPSEC_MODE_TUNNEL 2
171	#define IPSEC_MODE_TCPMD5 3 /* TCP MD5 mode */
172
173	/*
174	* Direction of security policy.
175	* NOTE: Since INVALID is used just as flag.
176	* The other are used for loop counter too.
177	*/
178	#define IPSEC_DIR_ANY 0
179	#define IPSEC_DIR_INBOUND 1
180	#define IPSEC_DIR_OUTBOUND 2
181	#define IPSEC_DIR_MAX 3
182	#define IPSEC_DIR_INVALID 4
183
184	#define IPSEC_DIR_IS_VALID(dir) ((dir) >= 0 && (dir) <= IPSEC_DIR_MAX)
185	#define IPSEC_DIR_IS_INOROUT(dir) ((dir) == IPSEC_DIR_INBOUND \|\| \
186	(dir) == IPSEC_DIR_OUTBOUND)
187
188	/ Policy level /
189	/*
190	* IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
191	* DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
192	* DISCARD and NONE are allowed for system default.
193	*/
194	#define IPSEC_POLICY_DISCARD 0 /* discarding packet */
195	#define IPSEC_POLICY_NONE 1 /* through IPsec engine */
196	#define IPSEC_POLICY_IPSEC 2 /* do IPsec */
197	#define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */
198	#define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */
199
200	/ Security protocol level /
201	#define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */
202	#define IPSEC_LEVEL_USE 1 /* use SA if present. */
203	#define IPSEC_LEVEL_REQUIRE 2 /* require SA. */
204	#define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */
205
206	#define IPSEC_MANUAL_REQID_MAX 0x3fff
207	/*
208	* if security policy level == unique, this id
209	* indicate to a relative SA for use, else is
210	* zero.
211	* 1 - 0x3fff are reserved for manual keying.
212	* 0 are reserved for above reason. Others is
213	* for kernel use.
214	* Note that this id doesn't identify SA
215	* by only itself.
216	*/
217	#define IPSEC_REPLAYWSIZE 32
218
219	#ifdef _KERNEL
220
221	extern int ipsec_debug;
222	#ifdef IPSEC_DEBUG
223	extern int ipsec_replay;
224	extern int ipsec_integrity;
225	#endif
226
227	extern struct secpolicy ip4_def_policy;
228	extern int ip4_esp_trans_deflev;
229	extern int ip4_esp_net_deflev;
230	extern int ip4_ah_trans_deflev;
231	extern int ip4_ah_net_deflev;
232	extern int ip4_ah_cleartos;
233	extern int ip4_ah_offsetmask;
234	extern int ip4_ipsec_dfbit;
235	extern int ip4_ipsec_ecn;
236	extern int crypto_support;
237
238	#include <sys/syslog.h>
239
240	#define DPRINTF(fmt, args...) \
241	do { \
242	if (ipsec_debug) \
243	log(LOG_DEBUG, "%s: " fmt, __func__, ##args); \
244	} while (/CONSTCOND/0)
245
246	#define IPSECLOG(level, fmt, args...) \
247	do { \
248	if (ipsec_debug) \
249	log(level, "%s: " fmt, __func__, ##args); \
250	} while (/CONSTCOND/0)
251
252	#define ipsec_indone(m) \
253	((m->m_flags & M_AUTHIPHDR) \|\| (m->m_flags & M_DECRYPTED))
254	#define ipsec_outdone(m) \
255	(m_tag_find((m), PACKET_TAG_IPSEC_OUT_DONE) != NULL)
256
257	static __inline bool
258	ipsec_skip_pfil(struct mbuf *m)
259	{
260	bool rv;
261
262	if (ipsec_indone(m) &&
263	((m->m_pkthdr.pkthdr_flags & PKTHDR_FLAG_IPSEC_SKIP_PFIL) != `0`)) {
264	m->m_pkthdr.pkthdr_flags &= ~PKTHDR_FLAG_IPSEC_SKIP_PFIL;
265	rv = true;
266	} else {
267	rv = false;
268	}
269
270	return rv;
271	}
272
273	void ipsec_pcbconn(struct inpcbpolicy *);
274	void ipsec_pcbdisconn(struct inpcbpolicy *);
275	void ipsec_invalpcbcacheall(void);
276
277	struct inpcb;
278	int ipsec4_output(struct mbuf , struct* inpcb , int, u_long , bool , bool );
279
280	int ipsec_ip_input(struct mbuf *, bool);
281	void ipsec_mtu(struct mbuf , int* *);
282	#ifdef INET6
283	void ipsec6_udp_cksum(struct mbuf *);
284	#endif
285
286	struct inpcb;
287	int ipsec_init_pcbpolicy(struct socket so, struct* inpcbpolicy **);
288	int ipsec_copy_policy(const struct inpcbpolicy , struct* inpcbpolicy *);
289	u_int ipsec_get_reqlevel(const struct ipsecrequest *);
290
291	int ipsec_set_policy(void , const* void *, size_t, kauth_cred_t);
292	int ipsec_get_policy(void , const* void , size_t, struct* mbuf **);
293	int ipsec_delete_pcbpolicy(void *);
294	int ipsec_in_reject(struct mbuf , void* *);
295
296	struct secasvar ipsec_lookup_sa(const* struct ipsecrequest *,
297	const struct mbuf *);
298
299	struct secas;
300	struct tcpcb;
301	int ipsec_chkreplay(u_int32_t, const struct secasvar *);
302	int ipsec_updatereplay(u_int32_t, const struct secasvar *);
303
304	size_t ipsec_hdrsiz(struct mbuf , u_int, void* *);
305	size_t ipsec4_hdrsiz_tcp(struct tcpcb *);
306
307	union sockaddr_union;
308	const char ipsec_address(const* union sockaddr_union* sa, char *, size_t);
309	const char ipsec_logsastr(const* struct secasvar , char* *, size_t);
310
311	/ NetBSD protosw ctlin entrypoint /
312	void esp4_ctlinput(int, const* struct sockaddr , void* *);
313	void ah4_ctlinput(int, const* struct sockaddr , void* *);
314
315	void ipsec_output_init(void);
316	struct m_tag;
317	void ipsec4_common_input(struct mbuf m, int, int*);
318	int ipsec4_common_input_cb(struct mbuf , struct* secasvar , int, int*);
319	int ipsec4_process_packet(struct mbuf , const* struct ipsecrequest , u_long );
320	int ipsec_process_done(struct mbuf , const* struct ipsecrequest *,
321	struct secasvar *);
322
323	struct mbuf m_clone(struct* mbuf *);
324	struct mbuf m_makespace(struct* mbuf , int, int, int* *);
325	void m_pad(struct* mbuf , int*);
326	int m_striphdr(struct mbuf , int, int*);
327
328	extern int ipsec_used __read_mostly;
329	extern int ipsec_enabled __read_mostly;
330
331	#endif /* _KERNEL */
332
333	#ifndef _KERNEL
334	char ipsec_set_policy(const* char , int*);
335	int ipsec_get_policylen(char *);
336	char ipsec_dump_policy(char* , const* char *);
337	const char ipsec_strerror(void*);
338	#endif /* !_KERNEL */
339
340	#ifdef _KERNEL
341	/ External declarations of per-file init functions /
342	void ah_attach(void);
343	void esp_attach(void);
344	void ipcomp_attach(void);
345	void ipe4_attach(void);
346	void tcpsignature_attach(void);
347
348	void ipsec_attach(void);
349
350	void sysctl_net_inet_ipsec_setup(struct sysctllog **);
351	#ifdef INET6
352	void sysctl_net_inet6_ipsec6_setup(struct sysctllog **);
353	#endif
354
355	#endif /* _KERNEL */
356	#endif /* !_NETIPSEC_IPSEC_H_ */
357

Browse the source code of netbsd/sys/netipsec/ipsec.h