search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Mark up sysctl node with Li, like in sysctl(7).
[netbsd-mini2440.git] / sys / netinet6 / ipsec.h
blob8825756509f6ed5fea5da944ecc11a0a8148e3a1
1 /* $NetBSD: ipsec.h,v 1.50 2009/03/14 14:46:10 dsl Exp $ */
2 /* $KAME: ipsec.h,v 1.51 2001/08/05 04:52:58 itojun Exp $ */
3
4 /*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * IPsec controller part.
35 */
36
37 #ifndef _NETINET6_IPSEC_H_
38 #define _NETINET6_IPSEC_H_
39
40 #if defined(_KERNEL_OPT)
41 #include "opt_inet.h"
42 #endif
43
44 #include <net/pfkeyv2.h>
45 #include <netkey/keydb.h>
46
47 #ifdef _KERNEL
48
49 /*
50 * Security Policy Index
51 * NOTE: Ensure to be same address family and upper layer protocol.
52 * NOTE: ul_proto, port number, uid, gid:
53 * ANY: reserved for waldcard.
54 * 0 to (~0 - 1): is one of the number of each value.
55 */
56 struct secpolicyindex {
57 struct sockaddr_storage src; /* IP src address for SP */
58 struct sockaddr_storage dst; /* IP dst address for SP */
59 u_int8_t prefs; /* prefix length in bits for src */
60 u_int8_t prefd; /* prefix length in bits for dst */
61 u_int16_t ul_proto; /* upper layer Protocol */
62 #ifdef notyet
63 uid_t uids;
64 uid_t uidd;
65 gid_t gids;
66 gid_t gidd;
67 #endif
68 };
69
70 /* Security Policy Data Base */
71 struct secpolicy {
72 TAILQ_ENTRY(secpolicy) tailq; /* all SPD entries, both pcb/table */
73 LIST_ENTRY(secpolicy) chain; /* SPD entries on table */
74
75 u_int8_t dir; /* direction of packet flow */
76 int readonly; /* write prohibited */
77 int persist; /* will never be removed */
78 int refcnt; /* reference count */
79 struct secpolicyindex *spidx; /* selector - NULL if not valid */
80 u_int16_t tag; /* PF tag */
81 u_int32_t id; /* it identifies a policy in the SPD. */
82 #define IPSEC_MANUAL_POLICYID_MAX 0x3fff
83 /*
84 * 1 - 0x3fff are reserved for user operation.
85 * 0 are reserved. Others are for kernel use.
86 */
87 struct socket *so; /* backpointer to per-socket policy */
88 u_int state; /* 0: dead, others: alive */
89 #define IPSEC_SPSTATE_DEAD 0
90 #define IPSEC_SPSTATE_ALIVE 1
91
92 int policy; /* DISCARD, NONE or IPSEC, see below */
93 struct ipsecrequest *req;
94 /* pointer to the ipsec request tree, */
95 /* if policy == IPSEC else this value == NULL.*/
96
97 /*
98 * lifetime handler.
99 * the policy can be used without limitiation if both lifetime and
100 * validtime are zero.
101 * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
102 * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
103 */
104 time_t created; /* time created the policy */
105 time_t lastused; /* updated every when kernel sends a packet */
106 long lifetime; /* duration of the lifetime of this policy */
107 long validtime; /* duration this policy is valid without use */
108 };
109
110 /* Request for IPsec */
111 struct ipsecrequest {
112 struct ipsecrequest *next;
113 /* pointer to next structure */
114 /* If NULL, it means the end of chain. */
115 struct secasindex saidx;/* hint for search proper SA */
116 /* if __ss_len == 0 then no address specified.*/
117 u_int level; /* IPsec level defined below. */
118
119 struct secasvar *sav; /* place holder of SA for use */
120 struct secpolicy *sp; /* back pointer to SP */
121 };
122
123 /* security policy in PCB */
124 struct inpcbpolicy {
125 struct secpolicy *sp_in;
126 struct secpolicy *sp_out;
127 int priv; /* privileged socket ? */
128
129 /* cached policy */
130 struct {
131 struct secpolicy *cachesp;
132 struct secpolicyindex cacheidx;
133 int cachehint; /* processing requirement hint: */
134 #define IPSEC_PCBHINT_MAYBE 0 /* IPsec processing maybe required */
135 #define IPSEC_PCBHINT_YES 1 /* IPsec processing is required */
136 #define IPSEC_PCBHINT_NO 2 /* IPsec processing not required */
137 u_int cachegen; /* spdgen when cache filled */
138 } sp_cache[3]; /* XXX 3 == IPSEC_DIR_MAX */
139 int sp_cacheflags;
140 #define IPSEC_PCBSP_CONNECTED 1
141 };
142
143 #define IPSEC_PCB_SKIP_IPSEC(inpp, dir) \
144 ((inpp)->sp_cache[(dir)].cachehint == IPSEC_PCBHINT_NO && \
145 (inpp)->sp_cache[(dir)].cachegen == ipsec_spdgen)
146
147 /* SP acquiring list table. */
148 struct secspacq {
149 LIST_ENTRY(secspacq) chain;
150
151 struct secpolicyindex spidx;
152
153 long created; /* for lifetime */
154 int count; /* for lifetime */
155 /* XXX: here is mbuf place holder to be sent ? */
156 };
157
158 struct ipsecaux {
159 struct socket *so;
160 int hdrs; /* # of ipsec headers */
161
162 struct secpolicy *sp;
163 struct ipsecrequest *req;
164 };
165 #endif /* _KERNEL */
166
167 /* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
168 #define IPSEC_PORT_ANY 0
169 #define IPSEC_ULPROTO_ANY 255
170 #define IPSEC_PROTO_ANY 255
171
172 /* mode of security protocol */
173 /* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */
174 #define IPSEC_MODE_ANY 0 /* i.e. wildcard. */
175 #define IPSEC_MODE_TRANSPORT 1
176 #define IPSEC_MODE_TUNNEL 2
177
178 /*
179 * Direction of security policy.
180 * NOTE: Since INVALID is used just as flag.
181 * The other are used for loop counter too.
182 */
183 #define IPSEC_DIR_ANY 0
184 #define IPSEC_DIR_INBOUND 1
185 #define IPSEC_DIR_OUTBOUND 2
186 #define IPSEC_DIR_MAX 3
187 #define IPSEC_DIR_INVALID 4
188
189 /* Policy level */
190 /*
191 * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
192 * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
193 * DISCARD and NONE are allowed for system default.
194 */
195 #define IPSEC_POLICY_DISCARD 0 /* discarding packet */
196 #define IPSEC_POLICY_NONE 1 /* through IPsec engine */
197 #define IPSEC_POLICY_IPSEC 2 /* do IPsec */
198 #define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */
199 #define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */
200
201 /* Security protocol level */
202 #define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */
203 #define IPSEC_LEVEL_USE 1 /* use SA if present. */
204 #define IPSEC_LEVEL_REQUIRE 2 /* require SA. */
205 #define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */
206
207 #define IPSEC_MANUAL_REQID_MAX 0x3fff
208 /*
209 * if security policy level == unique, this id
210 * indicate to a relative SA for use, else is
211 * zero.
212 * 1 - 0x3fff are reserved for manual keying.
213 * 0 are reserved for above reason. Others is
214 * for kernel use.
215 * Note that this id doesn't identify SA
216 * by only itself.
217 */
218 #define IPSEC_REPLAYWSIZE 32
219
220 /*
221 * statistics for ipsec processing.
222 * Each counter is an unsigned 64-bit value.
223 */
224 #define IPSEC_STAT_IN_SUCCESS 0 /* succeeded inbound process */
225 #define IPSEC_STAT_IN_POLVIO 1 /* security policy violation for
226 inbound process */
227 #define IPSEC_STAT_IN_NOSA 2 /* inbound SA is unavailable */
228 #define IPSEC_STAT_IN_INVAL 3 /* inbound processing failed EINVAL */
229 #define IPSEC_STAT_IN_NOMEM 4 /* inbound processing failed ENOBUFS */
230 #define IPSEC_STAT_IN_BADSPI 5 /* failed getting an SPI */
231 #define IPSEC_STAT_IN_AHREPLAY 6 /* AH replay check failed */
232 #define IPSEC_STAT_IN_ESPREPLAY 7 /* ESP replay check failed */
233 #define IPSEC_STAT_IN_AHAUTHSUCC 8 /* AH authentication success */
234 #define IPSEC_STAT_IN_AHAUTHFAIL 9 /* AH authentication failure */
235 #define IPSEC_STAT_IN_ESPAUTHSUCC 10 /* ESP authentication success */
236 #define IPSEC_STAT_IN_ESPAUTHFAIL 11 /* ESP authentication failure */
237 #define IPSEC_STAT_IN_ESPHIST 12
238 /* space for 256 counters */
239 #define IPSEC_STAT_IN_AHHIST 268
240 /* space for 256 counters */
241 #define IPSEC_STAT_IN_COMPHIST 524
242 /* space for 256 counters */
243 #define IPSEC_STAT_OUT_SUCCESS 780 /* succeeded outbound process */
244 #define IPSEC_STAT_OUT_POLVIO 781 /* security policy violation for
245 outbound process */
246 #define IPSEC_STAT_OUT_NOSA 782 /* outbound SA is unavailable */
247 #define IPSEC_STAT_OUT_INVAL 783 /* outbound processing failed EINVAL */
248 #define IPSEC_STAT_OUT_NOMEM 784 /* outbound processing failed ENOBUFS */
249 #define IPSEC_STAT_OUT_NOROUTE 785 /* no route */
250 #define IPSEC_STAT_OUT_ESPHIST 786
251 /* space for 256 counters */
252 #define IPSEC_STAT_OUT_AHHIST 1042
253 /* space for 256 counters */
254 #define IPSEC_STAT_OUT_COMPHIST 1298
255 /* space for 256 counters */
256 #define IPSEC_STAT_SPDCACHELOOKUP 1554
257 #define IPSEC_STAT_SPDCACHEMISS 1555
258
259 #define IPSEC_NSTATS 1556
260
261 /*
262 * Definitions for IPsec & Key sysctl operations.
263 */
264 /*
265 * Names for IPsec & Key sysctl objects
266 */
267 #define IPSECCTL_STATS 1 /* stats */
268 #define IPSECCTL_DEF_POLICY 2
269 #define IPSECCTL_DEF_ESP_TRANSLEV 3 /* int; ESP transport mode */
270 #define IPSECCTL_DEF_ESP_NETLEV 4 /* int; ESP tunnel mode */
271 #define IPSECCTL_DEF_AH_TRANSLEV 5 /* int; AH transport mode */
272 #define IPSECCTL_DEF_AH_NETLEV 6 /* int; AH tunnel mode */
273 #if 0 /* obsolete, do not reuse */
274 #define IPSECCTL_INBOUND_CALL_IKE 7
275 #endif
276 #define IPSECCTL_AH_CLEARTOS 8
277 #define IPSECCTL_AH_OFFSETMASK 9
278 #define IPSECCTL_DFBIT 10
279 #define IPSECCTL_ECN 11
280 #define IPSECCTL_DEBUG 12
281 #define IPSECCTL_MAXID 13
282
283 #define IPSECCTL_NAMES { \
284 { 0, 0 }, \
285 { 0, 0 }, \
286 { "def_policy", CTLTYPE_INT }, \
287 { "esp_trans_deflev", CTLTYPE_INT }, \
288 { "esp_net_deflev", CTLTYPE_INT }, \
289 { "ah_trans_deflev", CTLTYPE_INT }, \
290 { "ah_net_deflev", CTLTYPE_INT }, \
291 { 0, 0 }, \
292 { "ah_cleartos", CTLTYPE_INT }, \
293 { "ah_offsetmask", CTLTYPE_INT }, \
294 { "dfbit", CTLTYPE_INT }, \
295 { "ecn", CTLTYPE_INT }, \
296 { "debug", CTLTYPE_INT }, \
297 }
298
299 #define IPSEC6CTL_NAMES { \
300 { 0, 0 }, \
301 { 0, 0 }, \
302 { "def_policy", CTLTYPE_INT }, \
303 { "esp_trans_deflev", CTLTYPE_INT }, \
304 { "esp_net_deflev", CTLTYPE_INT }, \
305 { "ah_trans_deflev", CTLTYPE_INT }, \
306 { "ah_net_deflev", CTLTYPE_INT }, \
307 { 0, 0 }, \
308 { 0, 0 }, \
309 { 0, 0 }, \
310 { 0, 0 }, \
311 { "ecn", CTLTYPE_INT }, \
312 { "debug", CTLTYPE_INT }, \
313 }
314
315 #ifdef _KERNEL
316 struct ipsec_output_state {
317 struct mbuf *m;
318 struct route *ro;
319 const struct sockaddr *dst;
320 int encap;
321 };
322
323 struct ipsec_history {
324 int ih_proto;
325 u_int32_t ih_spi;
326 };
327
328 extern int ipsec_debug;
329
330 #ifdef INET
331 extern struct secpolicy *ip4_def_policy;
332 extern int ip4_esp_trans_deflev;
333 extern int ip4_esp_net_deflev;
334 extern int ip4_ah_trans_deflev;
335 extern int ip4_ah_net_deflev;
336 extern int ip4_ah_cleartos;
337 extern int ip4_ah_offsetmask;
338 extern int ip4_ipsec_dfbit;
339 extern int ip4_ipsec_ecn;
340 #endif
341
342 #ifdef INET6
343 extern struct secpolicy *ip6_def_policy;
344 extern int ip6_esp_trans_deflev;
345 extern int ip6_esp_net_deflev;
346 extern int ip6_ah_trans_deflev;
347 extern int ip6_ah_net_deflev;
348 extern int ip6_ipsec_ecn;
349 #endif
350
351 #define ipseclog(x) do { if (ipsec_debug) log x; } while (/*CONSTCOND*/ 0)
352
353 extern int ipsec_pcbconn(struct inpcbpolicy *);
354 extern int ipsec_pcbdisconn(struct inpcbpolicy *);
355 extern void ipsec_invalpcbcacheall(void);
356
357 extern u_int ipsec_spdgen;
358
359 extern struct secpolicy *ipsec4_getpolicybysock
360 (struct mbuf *, u_int, struct socket *, int *);
361 extern struct secpolicy *ipsec4_getpolicybyaddr
362 (struct mbuf *, u_int, int, int *);
363
364 #ifdef INET6
365 extern struct secpolicy *ipsec6_getpolicybysock
366 (struct mbuf *, u_int, struct socket *, int *);
367 extern struct secpolicy *ipsec6_getpolicybyaddr
368 (struct mbuf *, u_int, int, int *);
369 #endif /* INET6 */
370
371 struct inpcb;
372 #ifdef INET6
373 struct in6pcb;
374 #endif
375 extern int ipsec_init_pcbpolicy(struct socket *, struct inpcbpolicy **);
376 extern int ipsec_copy_pcbpolicy
377 (struct inpcbpolicy *, struct inpcbpolicy *);
378 extern u_int ipsec_get_reqlevel(struct ipsecrequest *, int);
379
380 extern int ipsec4_set_policy(struct inpcb *, int, void *, size_t, kauth_cred_t);
381 extern int ipsec4_get_policy(struct inpcb *, void *, size_t,
382 struct mbuf **);
383 extern int ipsec4_delete_pcbpolicy(struct inpcb *);
384 extern int ipsec4_in_reject_so(struct mbuf *, struct socket *);
385 extern int ipsec4_in_reject(struct mbuf *, struct inpcb *);
386
387 #ifdef INET6
388 extern int ipsec6_in_reject_so(struct mbuf *, struct socket *);
389 extern int ipsec6_delete_pcbpolicy(struct in6pcb *);
390 extern int ipsec6_set_policy(struct in6pcb *, int, void *, size_t,
391 kauth_cred_t);
392 extern int ipsec6_get_policy(struct in6pcb *, void *, size_t,
393 struct mbuf **);
394 extern int ipsec6_in_reject(struct mbuf *, struct in6pcb *);
395 #endif /* INET6 */
396
397 struct secas;
398 struct tcpcb;
399 struct tcp6cb;
400 extern int ipsec_chkreplay(u_int32_t, struct secasvar *);
401 extern int ipsec_updatereplay(u_int32_t, struct secasvar *);
402
403 extern void ipsec4_init(void);
404 extern size_t ipsec4_hdrsiz(struct mbuf *, u_int, struct inpcb *);
405 extern size_t ipsec4_hdrsiz_tcp(struct tcpcb *);
406 #ifdef INET6
407 extern void ipsec6_init(void);
408 extern size_t ipsec6_hdrsiz(struct mbuf *, u_int, struct in6pcb *);
409 extern size_t ipsec6_hdrsiz_tcp(struct tcpcb *);
410 #endif
411
412 struct ip;
413 #ifdef INET6
414 struct ip6_hdr;
415 #endif
416 extern const char *ipsec4_logpacketstr(struct ip *, u_int32_t);
417 #ifdef INET6
418 extern const char *ipsec6_logpacketstr(struct ip6_hdr *, u_int32_t);
419 #endif
420 extern const char *ipsec_logsastr(struct secasvar *);
421
422 extern void ipsec_dumpmbuf(struct mbuf *);
423
424 extern int ipsec4_output(struct ipsec_output_state *, struct secpolicy *,
425 int);
426 #ifdef INET6
427 extern int ipsec6_output_trans(struct ipsec_output_state *, u_char *,
428 struct mbuf *, struct secpolicy *, int, int *);
429 extern int ipsec6_output_tunnel(struct ipsec_output_state *,
430 struct secpolicy *, int);
431 #endif
432 extern int ipsec4_tunnel_validate(struct ip *, u_int, struct secasvar *);
433 #ifdef INET6
434 extern int ipsec6_tunnel_validate(struct ip6_hdr *, u_int,
435 struct secasvar *);
436 #endif
437 extern struct mbuf *ipsec_copypkt(struct mbuf *);
438 extern void ipsec_delaux(struct mbuf *);
439 extern int ipsec_addhist(struct mbuf *, int, u_int32_t);
440 extern int ipsec_getnhist(struct mbuf *);
441 extern struct ipsec_history *ipsec_gethist(struct mbuf *, int *);
442 extern void ipsec_clearhist(struct mbuf *);
443
444 extern int ipsec_sysctl(int *, u_int, void *, size_t *, void *, size_t);
445 extern int ipsec6_sysctl(int *, u_int, void *, size_t *, void *, size_t);
446
447 #endif /* _KERNEL */
448
449 #ifndef _KERNEL
450 typedef void *ipsec_policy_t;
451 extern ipsec_policy_t ipsec_set_policy(const char *, int);
452 extern int ipsec_get_policylen(ipsec_policy_t);
453 extern char *ipsec_dump_policy(ipsec_policy_t, const char *);
454
455 extern const char *ipsec_strerror(void);
456 #endif /* !_KERNEL */
457
458 #endif /* !_NETINET6_IPSEC_H_ */
NetBSD on the FriendlyARM MINI2440