1/*	$NetBSD: policy.h,v 1.8 2008/12/05 06:02:20 tteras Exp $	*/
2
3/* Id: policy.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in the
16 *    documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34#ifndef _POLICY_H
35#define _POLICY_H
36
37#include <sys/queue.h>
38
39
40#ifdef HAVE_SECCTX
41#define MAX_CTXSTR_SIZE 50
42struct security_ctx {
43	u_int8_t ctx_doi;       /* Security Context DOI */
44	u_int8_t ctx_alg;       /* Security Context Algorithm */
45	u_int16_t ctx_strlen;   /* Security Context stringlength
46				 * (includes terminating NULL)
47				 */
48	char ctx_str[MAX_CTXSTR_SIZE];  /* Security Context string */
49};
50#endif
51
52/* refs. ipsec.h */
53/*
54 * Security Policy Index
55 * NOTE: Ensure to be same address family and upper layer protocol.
56 * NOTE: ul_proto, port number, uid, gid:
57 *	ANY: reserved for waldcard.
58 *	0 to (~0 - 1): is one of the number of each value.
59 */
60struct policyindex {
61	u_int8_t dir;			/* direction of packet flow, see blow */
62	struct sockaddr_storage src;	/* IP src address for SP */
63	struct sockaddr_storage dst;	/* IP dst address for SP */
64	u_int8_t prefs;			/* prefix length in bits for src */
65	u_int8_t prefd;			/* prefix length in bits for dst */
66	u_int16_t ul_proto;		/* upper layer Protocol */
67	u_int32_t priority;		/* priority for the policy */
68 	u_int64_t created;		/* Used for generated SPD entries deletion */
69#ifdef HAVE_SECCTX
70	struct security_ctx sec_ctx;    /* Security Context */
71#endif
72};
73
74/* Security Policy Data Base */
75struct secpolicy {
76	TAILQ_ENTRY(secpolicy) chain;
77
78	struct policyindex spidx;	/* selector */
79	u_int32_t id;			/* It's unique number on the system. */
80
81	u_int policy;		/* DISCARD, NONE or IPSEC, see keyv2.h */
82	struct ipsecrequest *req;
83				/* pointer to the ipsec request tree, */
84				/* if policy == IPSEC else this value == NULL.*/
85
86	/* MIPv6 needs to perform negotiation of SA using different addresses
87	 * than the endpoints of the SA (CoA for the source). In that case,
88	 * MIGRATE msg provides that info (before movement occurs on the MN) */
89	struct sockaddr *local;
90	struct sockaddr *remote;
91};
92
93/* Security Assocciation Index */
94/* NOTE: Ensure to be same address family */
95struct secasindex {
96	struct sockaddr_storage src;	/* srouce address for SA */
97	struct sockaddr_storage dst;	/* destination address for SA */
98	u_int16_t proto;		/* IPPROTO_ESP or IPPROTO_AH */
99	u_int8_t mode;			/* mode of protocol, see ipsec.h */
100	u_int32_t reqid;		/* reqid id who owned this SA */
101					/* see IPSEC_MANUAL_REQID_MAX. */
102};
103
104/* Request for IPsec */
105struct ipsecrequest {
106	struct ipsecrequest *next;
107				/* pointer to next structure */
108				/* If NULL, it means the end of chain. */
109
110	struct secasindex saidx;/* hint for search proper SA */
111				/* if __ss_len == 0 then no address specified.*/
112	u_int level;		/* IPsec level defined below. */
113
114	struct secpolicy *sp;	/* back pointer to SP */
115};
116
117#ifdef HAVE_PFKEY_POLICY_PRIORITY
118#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _priority, _created, idx)              \
119do {                                                                         \
120	bzero((idx), sizeof(struct policyindex));                            \
121	(idx)->dir = (_dir);                                                 \
122	(idx)->prefs = (ps);                                                 \
123	(idx)->prefd = (pd);                                                 \
124	(idx)->ul_proto = (ulp);                                             \
125	(idx)->priority = (_priority);                                        \
126	(idx)->created = (_created);                                        \
127	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
128	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
129} while (0)
130#else
131#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _created, idx)              \
132do {                                                                         \
133	bzero((idx), sizeof(struct policyindex));                            \
134	(idx)->dir = (_dir);                                                 \
135	(idx)->prefs = (ps);                                                 \
136	(idx)->prefd = (pd);                                                 \
137	(idx)->ul_proto = (ulp);                                             \
138	(idx)->created = (_created);                                        \
139	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
140	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
141} while (0)
142#endif
143
144struct ph2handle;
145struct policyindex;
146extern struct secpolicy *getsp __P((struct policyindex *));
147extern struct secpolicy *getsp_r __P((struct policyindex *));
148struct secpolicy *getspbyspid __P((u_int32_t));
149extern int cmpspidxstrict __P((struct policyindex *, struct policyindex *));
150extern int cmpspidxwild __P((struct policyindex *, struct policyindex *));
151extern struct secpolicy *newsp __P((void));
152extern void delsp __P((struct secpolicy *));
153extern void delsp_bothdir __P((struct policyindex *));
154extern void inssp __P((struct secpolicy *));
155extern void remsp __P((struct secpolicy *));
156extern void flushsp __P((void));
157extern void initsp __P((void));
158extern struct ipsecrequest *newipsecreq __P((void));
159
160extern const char *spidx2str __P((const struct policyindex *));
161#ifdef HAVE_SECCTX
162#include <selinux/selinux.h>
163extern int get_security_context __P((vchar_t *, struct policyindex *));
164extern void init_avc __P((void));
165extern int within_range __P((security_context_t, security_context_t));
166extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex));
167#endif
168
169#endif /* _POLICY_H */
170