1/*	$FreeBSD: src/sys/netinet6/ipsec.h,v 1.4.2.2 2001/07/03 11:01:54 ume Exp $	*/
2/*	$KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $	*/
3
4/*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 *    notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 *    may be used to endorse or promote products derived from this software
18 *    without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33/*
34 * IPsec controller part.
35 */
36
37#ifndef _NETINET6_IPSEC_H_
38#define _NETINET6_IPSEC_H_
39#include <sys/cdefs.h>
40#include <sys/appleapiopts.h>
41
42#include <net/pfkeyv2.h>
43#ifdef KERNEL_PRIVATE
44#include <netkey/keydb.h>
45
46/* lock for IPSec stats */
47extern lck_grp_t         *sadb_stat_mutex_grp;
48extern lck_grp_attr_t    *sadb_stat_mutex_grp_attr;
49extern lck_attr_t        *sadb_stat_mutex_attr;
50extern lck_mtx_t         *sadb_stat_mutex;
51
52
53#define IPSEC_STAT_INCREMENT(x)	\
54	{lck_mtx_lock(sadb_stat_mutex); (x)++; lck_mtx_unlock(sadb_stat_mutex);}
55
56
57/*
58 * Security Policy Index
59 * Ensure that both address families in the "src" and "dst" are same.
60 * When the value of the ul_proto is ICMPv6, the port field in "src"
61 * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
62 */
63struct secpolicyindex {
64	u_int8_t dir;			/* direction of packet flow, see blow */
65	struct sockaddr_storage src;	/* IP src address for SP */
66	struct sockaddr_storage dst;	/* IP dst address for SP */
67	u_int8_t prefs;			/* prefix length in bits for src */
68	u_int8_t prefd;			/* prefix length in bits for dst */
69	u_int16_t ul_proto;		/* upper layer Protocol */
70#ifdef notyet
71	uid_t uids;
72	uid_t uidd;
73	gid_t gids;
74	gid_t gidd;
75#endif
76};
77
78/* Security Policy Data Base */
79struct secpolicy {
80	LIST_ENTRY(secpolicy) chain;
81
82	int refcnt;			/* reference count */
83	struct secpolicyindex spidx;	/* selector */
84	u_int32_t id;			/* It's unique number on the system. */
85	u_int state;			/* 0: dead, others: alive */
86#define IPSEC_SPSTATE_DEAD	0
87#define IPSEC_SPSTATE_ALIVE	1
88
89	u_int policy;		/* DISCARD, NONE or IPSEC, see keyv2.h */
90	struct ipsecrequest *req;
91				/* pointer to the ipsec request tree, */
92				/* if policy == IPSEC else this value == NULL.*/
93
94	/*
95	 * lifetime handler.
96	 * the policy can be used without limitiation if both lifetime and
97	 * validtime are zero.
98	 * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
99	 * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
100	 */
101	long created;		/* time created the policy */
102	long lastused;		/* updated every when kernel sends a packet */
103	long lifetime;		/* duration of the lifetime of this policy */
104	long validtime;		/* duration this policy is valid without use */
105};
106
107/* Request for IPsec */
108struct ipsecrequest {
109	struct ipsecrequest *next;
110				/* pointer to next structure */
111				/* If NULL, it means the end of chain. */
112	struct secasindex saidx;/* hint for search proper SA */
113				/* if __ss_len == 0 then no address specified.*/
114	u_int level;		/* IPsec level defined below. */
115
116	struct secpolicy *sp;	/* back pointer to SP */
117};
118
119/* security policy in PCB */
120struct inpcbpolicy {
121	struct secpolicy *sp_in;
122	struct secpolicy *sp_out;
123	int priv;			/* privileged socket ? */
124};
125
126/* SP acquiring list table. */
127struct secspacq {
128	LIST_ENTRY(secspacq) chain;
129
130	struct secpolicyindex spidx;
131
132	long created;		/* for lifetime */
133	int count;		/* for lifetime */
134	/* XXX: here is mbuf place holder to be sent ? */
135};
136#endif /* KERNEL_PRIVATE */
137
138/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
139#define IPSEC_PORT_ANY		0
140#define IPSEC_ULPROTO_ANY	255
141#define IPSEC_PROTO_ANY		255
142
143/* mode of security protocol */
144/* NOTE: DON'T use IPSEC_MODE_ANY at SPD.  It's only use in SAD */
145#define	IPSEC_MODE_ANY		0	/* i.e. wildcard. */
146#define	IPSEC_MODE_TRANSPORT	1
147#define	IPSEC_MODE_TUNNEL	2
148
149/*
150 * Direction of security policy.
151 * NOTE: Since INVALID is used just as flag.
152 * The other are used for loop counter too.
153 */
154#define IPSEC_DIR_ANY		0
155#define IPSEC_DIR_INBOUND	1
156#define IPSEC_DIR_OUTBOUND	2
157#define IPSEC_DIR_MAX		3
158#define IPSEC_DIR_INVALID	4
159
160/* Policy level */
161/*
162 * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
163 * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
164 * DISCARD and NONE are allowed for system default.
165 */
166#define IPSEC_POLICY_DISCARD	0	/* discarding packet */
167#define IPSEC_POLICY_NONE	1	/* through IPsec engine */
168#define IPSEC_POLICY_IPSEC	2	/* do IPsec */
169#define IPSEC_POLICY_ENTRUST	3	/* consulting SPD if present. */
170#define IPSEC_POLICY_BYPASS	4	/* only for privileged socket. */
171#define IPSEC_POLICY_GENERATE   5       /* same as discard - IKE daemon can override with generated policy */
172
173/* Security protocol level */
174#define	IPSEC_LEVEL_DEFAULT	0	/* reference to system default */
175#define	IPSEC_LEVEL_USE		1	/* use SA if present. */
176#define	IPSEC_LEVEL_REQUIRE	2	/* require SA. */
177#define	IPSEC_LEVEL_UNIQUE	3	/* unique SA. */
178
179#define IPSEC_MANUAL_REQID_MAX	0x3fff
180				/*
181				 * if security policy level == unique, this id
182				 * indicate to a relative SA for use, else is
183				 * zero.
184				 * 1 - 0x3fff are reserved for manual keying.
185				 * 0 are reserved for above reason.  Others is
186				 * for kernel use.
187				 * Note that this id doesn't identify SA
188				 * by only itself.
189				 */
190#define IPSEC_REPLAYWSIZE  32
191
192/* statistics for ipsec processing */
193struct ipsecstat {
194	u_quad_t in_success;  /* succeeded inbound process */
195	u_quad_t in_polvio;
196			/* security policy violation for inbound process */
197	u_quad_t in_nosa;     /* inbound SA is unavailable */
198	u_quad_t in_inval;    /* inbound processing failed due to EINVAL */
199	u_quad_t in_nomem;    /* inbound processing failed due to ENOBUFS */
200	u_quad_t in_badspi;   /* failed getting a SPI */
201	u_quad_t in_ahreplay; /* AH replay check failed */
202	u_quad_t in_espreplay; /* ESP replay check failed */
203	u_quad_t in_ahauthsucc; /* AH authentication success */
204	u_quad_t in_ahauthfail; /* AH authentication failure */
205	u_quad_t in_espauthsucc; /* ESP authentication success */
206	u_quad_t in_espauthfail; /* ESP authentication failure */
207	u_quad_t in_esphist[256];
208	u_quad_t in_ahhist[256];
209	u_quad_t in_comphist[256];
210	u_quad_t out_success; /* succeeded outbound process */
211	u_quad_t out_polvio;
212			/* security policy violation for outbound process */
213	u_quad_t out_nosa;    /* outbound SA is unavailable */
214	u_quad_t out_inval;   /* outbound process failed due to EINVAL */
215	u_quad_t out_nomem;    /* inbound processing failed due to ENOBUFS */
216	u_quad_t out_noroute; /* there is no route */
217	u_quad_t out_esphist[256];
218	u_quad_t out_ahhist[256];
219	u_quad_t out_comphist[256];
220};
221
222#ifdef KERNEL_PRIVATE
223/*
224 * Definitions for IPsec & Key sysctl operations.
225 */
226/*
227 * Names for IPsec & Key sysctl objects
228 */
229#define IPSECCTL_STATS			1	/* stats */
230#define IPSECCTL_DEF_POLICY		2
231#define IPSECCTL_DEF_ESP_TRANSLEV	3	/* int; ESP transport mode */
232#define IPSECCTL_DEF_ESP_NETLEV		4	/* int; ESP tunnel mode */
233#define IPSECCTL_DEF_AH_TRANSLEV	5	/* int; AH transport mode */
234#define IPSECCTL_DEF_AH_NETLEV		6	/* int; AH tunnel mode */
235#if 0	/* obsolete, do not reuse */
236#define IPSECCTL_INBOUND_CALL_IKE	7
237#endif
238#define	IPSECCTL_AH_CLEARTOS		8
239#define	IPSECCTL_AH_OFFSETMASK		9
240#define	IPSECCTL_DFBIT			10
241#define	IPSECCTL_ECN			11
242#define	IPSECCTL_DEBUG			12
243#define	IPSECCTL_ESP_RANDPAD		13
244#define IPSECCTL_MAXID			14
245
246#define IPSECCTL_NAMES { \
247	{ 0, 0 }, \
248	{ 0, 0 }, \
249	{ "def_policy", CTLTYPE_INT }, \
250	{ "esp_trans_deflev", CTLTYPE_INT }, \
251	{ "esp_net_deflev", CTLTYPE_INT }, \
252	{ "ah_trans_deflev", CTLTYPE_INT }, \
253	{ "ah_net_deflev", CTLTYPE_INT }, \
254	{ 0, 0 }, \
255	{ "ah_cleartos", CTLTYPE_INT }, \
256	{ "ah_offsetmask", CTLTYPE_INT }, \
257	{ "dfbit", CTLTYPE_INT }, \
258	{ "ecn", CTLTYPE_INT }, \
259	{ "debug", CTLTYPE_INT }, \
260	{ "esp_randpad", CTLTYPE_INT }, \
261}
262
263#define IPSEC6CTL_NAMES { \
264	{ 0, 0 }, \
265	{ 0, 0 }, \
266	{ "def_policy", CTLTYPE_INT }, \
267	{ "esp_trans_deflev", CTLTYPE_INT }, \
268	{ "esp_net_deflev", CTLTYPE_INT }, \
269	{ "ah_trans_deflev", CTLTYPE_INT }, \
270	{ "ah_net_deflev", CTLTYPE_INT }, \
271	{ 0, 0 }, \
272	{ 0, 0 }, \
273	{ 0, 0 }, \
274	{ 0, 0 }, \
275	{ "ecn", CTLTYPE_INT }, \
276	{ "debug", CTLTYPE_INT }, \
277	{ "esp_randpad", CTLTYPE_INT }, \
278}
279
280#ifdef KERNEL
281
282#define IPSEC_IS_P2ALIGNED(p)        1
283#define IPSEC_GET_P2UNALIGNED_OFS(p) 0
284
285struct ipsec_output_state {
286    int tunneled;
287	struct mbuf *m;
288	struct route ro;
289	struct sockaddr *dst;
290};
291
292struct ipsec_history {
293	int ih_proto;
294	u_int32_t ih_spi;
295};
296
297extern int ipsec_debug;
298
299extern struct ipsecstat ipsecstat;
300extern struct secpolicy ip4_def_policy;
301extern int ip4_esp_trans_deflev;
302extern int ip4_esp_net_deflev;
303extern int ip4_ah_trans_deflev;
304extern int ip4_ah_net_deflev;
305extern int ip4_ah_cleartos;
306extern int ip4_ah_offsetmask;
307extern int ip4_ipsec_dfbit;
308extern int ip4_ipsec_ecn;
309extern int ip4_esp_randpad;
310
311#define ipseclog(x)	do { if (ipsec_debug) log x; } while (0)
312
313extern struct secpolicy *ipsec4_getpolicybysock(struct mbuf *, u_int,
314						struct socket *, int *);
315extern struct secpolicy *ipsec4_getpolicybyaddr(struct mbuf *, u_int, int,
316						int *);
317
318struct inpcb;
319extern int ipsec_init_policy(struct socket *so, struct inpcbpolicy **);
320extern int ipsec_copy_policy(struct inpcbpolicy *, struct inpcbpolicy *);
321extern u_int ipsec_get_reqlevel(struct ipsecrequest *);
322
323extern int ipsec4_set_policy(struct inpcb *inp, int optname,
324	caddr_t request, size_t len, int priv);
325extern int ipsec4_get_policy(struct inpcb *inpcb, caddr_t request,
326	size_t len, struct mbuf **mp);
327extern int ipsec4_delete_pcbpolicy(struct inpcb *);
328extern int ipsec4_in_reject_so(struct mbuf *, struct socket *);
329extern int ipsec4_in_reject(struct mbuf *, struct inpcb *);
330
331struct secas;
332struct tcpcb;
333extern int ipsec_chkreplay(u_int32_t, struct secasvar *);
334extern int ipsec_updatereplay(u_int32_t, struct secasvar *);
335
336extern size_t ipsec4_hdrsiz(struct mbuf *, u_int, struct inpcb *);
337extern size_t ipsec_hdrsiz_tcp(struct tcpcb *);
338extern size_t ipsec_hdrsiz(struct secpolicy *);
339
340struct ip;
341extern const char *ipsec4_logpacketstr(struct ip *, u_int32_t);
342extern const char *ipsec_logsastr(struct secasvar *);
343
344extern void ipsec_dumpmbuf(struct mbuf *);
345
346extern int ipsec4_output(struct ipsec_output_state *, struct secpolicy *, int);
347#if INET
348extern struct mbuf * ipsec4_splithdr(struct mbuf *);
349extern int ipsec4_encapsulate(struct mbuf *, struct secasvar *);
350extern int ipsec4_encapsulate_utun_esp_keepalive(struct mbuf **, struct secasvar *);
351#endif
352#if INET6
353extern struct mbuf * ipsec6_splithdr(struct mbuf *);
354extern int ipsec6_encapsulate(struct mbuf *, struct secasvar *);
355extern int ipsec6_encapsulate_utun_esp_keepalive(struct mbuf **, struct secasvar *);
356#endif
357extern int ipsec4_tunnel_validate(struct mbuf *, int, u_int, struct secasvar *, sa_family_t *);
358extern struct mbuf *ipsec_copypkt(struct mbuf *);
359extern void ipsec_delaux(struct mbuf *);
360extern int ipsec_setsocket(struct mbuf *, struct socket *);
361extern struct socket *ipsec_getsocket(struct mbuf *);
362extern int ipsec_addhist(struct mbuf *, int, u_int32_t);
363extern struct ipsec_history *ipsec_gethist(struct mbuf *, int *);
364extern void ipsec_clearhist(struct mbuf *);
365#endif /* KERNEL */
366#endif /* KERNEL_PRIVATE */
367
368#ifndef KERNEL
369__BEGIN_DECLS
370extern caddr_t ipsec_set_policy(char *, int);
371extern int ipsec_get_policylen(caddr_t);
372extern char *ipsec_dump_policy(caddr_t, char *);
373
374extern const char *ipsec_strerror(void);
375__END_DECLS
376#endif /* KERNEL */
377
378#endif /* _NETINET6_IPSEC_H_ */
379