[apple/xnu.git] / bsd / netinet6 / ipsec.h

/*	$FreeBSD: src/sys/netinet6/ipsec.h,v 1.4.2.2 2001/07/03 11:01:54 ume Exp $	*/
/*	$KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $	*/

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * IPsec controller part.
 */

#ifndef _NETINET6_IPSEC_H_
#define _NETINET6_IPSEC_H_
#include <sys/cdefs.h>
#include <sys/appleapiopts.h>

#include <net/pfkeyv2.h>
#ifdef KERNEL_PRIVATE
#include <netkey/keydb.h>

/* lock for IPSec stats */
extern lck_grp_t         *sadb_stat_mutex_grp;
extern lck_grp_attr_t    *sadb_stat_mutex_grp_attr;
extern lck_attr_t        *sadb_stat_mutex_attr;
extern lck_mtx_t         *sadb_stat_mutex;


#define IPSEC_STAT_INCREMENT(x)	\
	{lck_mtx_lock(sadb_stat_mutex); (x)++; lck_mtx_unlock(sadb_stat_mutex);}


/*
 * Security Policy Index
 * Ensure that both address families in the "src" and "dst" are same.
 * When the value of the ul_proto is ICMPv6, the port field in "src"
 * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
 */
struct secpolicyindex {
	u_int8_t dir;			/* direction of packet flow, see blow */
	struct sockaddr_storage src;	/* IP src address for SP */
	struct sockaddr_storage dst;	/* IP dst address for SP */
	u_int8_t prefs;			/* prefix length in bits for src */
	u_int8_t prefd;			/* prefix length in bits for dst */
	u_int16_t ul_proto;		/* upper layer Protocol */
#ifdef notyet
	uid_t uids;
	uid_t uidd;
	gid_t gids;
	gid_t gidd;
#endif
};

/* Security Policy Data Base */
struct secpolicy {
	LIST_ENTRY(secpolicy) chain;

	int refcnt;			/* reference count */
	struct secpolicyindex spidx;	/* selector */
	u_int32_t id;			/* It's unique number on the system. */
	u_int state;			/* 0: dead, others: alive */
#define IPSEC_SPSTATE_DEAD	0
#define IPSEC_SPSTATE_ALIVE	1

	u_int policy;		/* DISCARD, NONE or IPSEC, see keyv2.h */
	struct ipsecrequest *req;
				/* pointer to the ipsec request tree, */
				/* if policy == IPSEC else this value == NULL.*/

	/*
	 * lifetime handler.
	 * the policy can be used without limitiation if both lifetime and
	 * validtime are zero.
	 * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
	 * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
	 */
	long created;		/* time created the policy */
	long lastused;		/* updated every when kernel sends a packet */
	long lifetime;		/* duration of the lifetime of this policy */
	long validtime;		/* duration this policy is valid without use */
};

/* Request for IPsec */
struct ipsecrequest {
	struct ipsecrequest *next;
				/* pointer to next structure */
				/* If NULL, it means the end of chain. */
	struct secasindex saidx;/* hint for search proper SA */
				/* if __ss_len == 0 then no address specified.*/
	u_int level;		/* IPsec level defined below. */

	struct secpolicy *sp;	/* back pointer to SP */
};

/* security policy in PCB */
struct inpcbpolicy {
	struct secpolicy *sp_in;
	struct secpolicy *sp_out;
	int priv;			/* privileged socket ? */
};

/* SP acquiring list table. */
struct secspacq {
	LIST_ENTRY(secspacq) chain;

	struct secpolicyindex spidx;

	long created;		/* for lifetime */
	int count;		/* for lifetime */
	/* XXX: here is mbuf place holder to be sent ? */
};
#endif /* KERNEL_PRIVATE */

/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
#define IPSEC_PORT_ANY		0
#define IPSEC_ULPROTO_ANY	255
#define IPSEC_PROTO_ANY		255

/* mode of security protocol */
/* NOTE: DON'T use IPSEC_MODE_ANY at SPD.  It's only use in SAD */
#define	IPSEC_MODE_ANY		0	/* i.e. wildcard. */
#define	IPSEC_MODE_TRANSPORT	1
#define	IPSEC_MODE_TUNNEL	2

/*
 * Direction of security policy.
 * NOTE: Since INVALID is used just as flag.
 * The other are used for loop counter too.
 */
#define IPSEC_DIR_ANY		0
#define IPSEC_DIR_INBOUND	1
#define IPSEC_DIR_OUTBOUND	2
#define IPSEC_DIR_MAX		3
#define IPSEC_DIR_INVALID	4

/* Policy level */
/*
 * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
 * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
 * DISCARD and NONE are allowed for system default.
 */
#define IPSEC_POLICY_DISCARD	0	/* discarding packet */
#define IPSEC_POLICY_NONE	1	/* through IPsec engine */
#define IPSEC_POLICY_IPSEC	2	/* do IPsec */
#define IPSEC_POLICY_ENTRUST	3	/* consulting SPD if present. */
#define IPSEC_POLICY_BYPASS	4	/* only for privileged socket. */
#define IPSEC_POLICY_GENERATE   5       /* same as discard - IKE daemon can override with generated policy */

/* Security protocol level */
#define	IPSEC_LEVEL_DEFAULT	0	/* reference to system default */
#define	IPSEC_LEVEL_USE		1	/* use SA if present. */
#define	IPSEC_LEVEL_REQUIRE	2	/* require SA. */
#define	IPSEC_LEVEL_UNIQUE	3	/* unique SA. */

#define IPSEC_MANUAL_REQID_MAX	0x3fff
				/*
				 * if security policy level == unique, this id
				 * indicate to a relative SA for use, else is
				 * zero.
				 * 1 - 0x3fff are reserved for manual keying.
				 * 0 are reserved for above reason.  Others is
				 * for kernel use.
				 * Note that this id doesn't identify SA
				 * by only itself.
				 */
#define IPSEC_REPLAYWSIZE  32

/* statistics for ipsec processing */
struct ipsecstat {
	u_quad_t in_success;  /* succeeded inbound process */
	u_quad_t in_polvio;
			/* security policy violation for inbound process */
	u_quad_t in_nosa;     /* inbound SA is unavailable */
	u_quad_t in_inval;    /* inbound processing failed due to EINVAL */
	u_quad_t in_nomem;    /* inbound processing failed due to ENOBUFS */
	u_quad_t in_badspi;   /* failed getting a SPI */
	u_quad_t in_ahreplay; /* AH replay check failed */
	u_quad_t in_espreplay; /* ESP replay check failed */
	u_quad_t in_ahauthsucc; /* AH authentication success */
	u_quad_t in_ahauthfail; /* AH authentication failure */
	u_quad_t in_espauthsucc; /* ESP authentication success */
	u_quad_t in_espauthfail; /* ESP authentication failure */
	u_quad_t in_esphist[256];
	u_quad_t in_ahhist[256];
	u_quad_t in_comphist[256];
	u_quad_t out_success; /* succeeded outbound process */
	u_quad_t out_polvio;
			/* security policy violation for outbound process */
	u_quad_t out_nosa;    /* outbound SA is unavailable */
	u_quad_t out_inval;   /* outbound process failed due to EINVAL */
	u_quad_t out_nomem;    /* inbound processing failed due to ENOBUFS */
	u_quad_t out_noroute; /* there is no route */
	u_quad_t out_esphist[256];
	u_quad_t out_ahhist[256];
	u_quad_t out_comphist[256];
};

#ifdef KERNEL_PRIVATE
/*
 * Definitions for IPsec & Key sysctl operations.
 */
/*
 * Names for IPsec & Key sysctl objects
 */
#define IPSECCTL_STATS			1	/* stats */
#define IPSECCTL_DEF_POLICY		2
#define IPSECCTL_DEF_ESP_TRANSLEV	3	/* int; ESP transport mode */
#define IPSECCTL_DEF_ESP_NETLEV		4	/* int; ESP tunnel mode */
#define IPSECCTL_DEF_AH_TRANSLEV	5	/* int; AH transport mode */
#define IPSECCTL_DEF_AH_NETLEV		6	/* int; AH tunnel mode */
#if 0	/* obsolete, do not reuse */
#define IPSECCTL_INBOUND_CALL_IKE	7
#endif
#define	IPSECCTL_AH_CLEARTOS		8
#define	IPSECCTL_AH_OFFSETMASK		9
#define	IPSECCTL_DFBIT			10
#define	IPSECCTL_ECN			11
#define	IPSECCTL_DEBUG			12
#define	IPSECCTL_ESP_RANDPAD		13
#define IPSECCTL_MAXID			14

#define IPSECCTL_NAMES { \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "def_policy", CTLTYPE_INT }, \
	{ "esp_trans_deflev", CTLTYPE_INT }, \
	{ "esp_net_deflev", CTLTYPE_INT }, \
	{ "ah_trans_deflev", CTLTYPE_INT }, \
	{ "ah_net_deflev", CTLTYPE_INT }, \
	{ 0, 0 }, \
	{ "ah_cleartos", CTLTYPE_INT }, \
	{ "ah_offsetmask", CTLTYPE_INT }, \
	{ "dfbit", CTLTYPE_INT }, \
	{ "ecn", CTLTYPE_INT }, \
	{ "debug", CTLTYPE_INT }, \
	{ "esp_randpad", CTLTYPE_INT }, \
}

#define IPSEC6CTL_NAMES { \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "def_policy", CTLTYPE_INT }, \
	{ "esp_trans_deflev", CTLTYPE_INT }, \
	{ "esp_net_deflev", CTLTYPE_INT }, \
	{ "ah_trans_deflev", CTLTYPE_INT }, \
	{ "ah_net_deflev", CTLTYPE_INT }, \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "ecn", CTLTYPE_INT }, \
	{ "debug", CTLTYPE_INT }, \
	{ "esp_randpad", CTLTYPE_INT }, \
}

#ifdef KERNEL
struct ipsec_output_state {
    int tunneled;
	struct mbuf *m;
	struct route ro;
	struct sockaddr *dst;
};

struct ipsec_history {
	int ih_proto;
	u_int32_t ih_spi;
};

extern int ipsec_debug;

extern struct ipsecstat ipsecstat;
extern struct secpolicy ip4_def_policy;
extern int ip4_esp_trans_deflev;
extern int ip4_esp_net_deflev;
extern int ip4_ah_trans_deflev;
extern int ip4_ah_net_deflev;
extern int ip4_ah_cleartos;
extern int ip4_ah_offsetmask;
extern int ip4_ipsec_dfbit;
extern int ip4_ipsec_ecn;
extern int ip4_esp_randpad;

#define ipseclog(x)	do { if (ipsec_debug) log x; } while (0)

extern struct secpolicy *ipsec4_getpolicybysock(struct mbuf *, u_int,
						struct socket *, int *);
extern struct secpolicy *ipsec4_getpolicybyaddr(struct mbuf *, u_int, int,
						int *);

struct inpcb;
extern int ipsec_init_policy(struct socket *so, struct inpcbpolicy **);
extern int ipsec_copy_policy(struct inpcbpolicy *, struct inpcbpolicy *);
extern u_int ipsec_get_reqlevel(struct ipsecrequest *);

extern int ipsec4_set_policy(struct inpcb *inp, int optname,
	caddr_t request, size_t len, int priv);
extern int ipsec4_get_policy(struct inpcb *inpcb, caddr_t request,
	size_t len, struct mbuf **mp);
extern int ipsec4_delete_pcbpolicy(struct inpcb *);
extern int ipsec4_in_reject_so(struct mbuf *, struct socket *);
extern int ipsec4_in_reject(struct mbuf *, struct inpcb *);

struct secas;
struct tcpcb;
extern int ipsec_chkreplay(u_int32_t, struct secasvar *);
extern int ipsec_updatereplay(u_int32_t, struct secasvar *);

extern size_t ipsec4_hdrsiz(struct mbuf *, u_int, struct inpcb *);
extern size_t ipsec_hdrsiz_tcp(struct tcpcb *);
extern size_t ipsec_hdrsiz(struct secpolicy *);

struct ip;
extern const char *ipsec4_logpacketstr(struct ip *, u_int32_t);
extern const char *ipsec_logsastr(struct secasvar *);

extern void ipsec_dumpmbuf(struct mbuf *);

extern int ipsec4_output(struct ipsec_output_state *, struct secpolicy *, int);
extern int ipsec4_tunnel_validate(struct mbuf *, int, u_int, struct secasvar *, sa_family_t *);
extern struct mbuf *ipsec_copypkt(struct mbuf *);
extern void ipsec_delaux(struct mbuf *);
extern int ipsec_setsocket(struct mbuf *, struct socket *);
extern struct socket *ipsec_getsocket(struct mbuf *);
extern int ipsec_addhist(struct mbuf *, int, u_int32_t); 
extern struct ipsec_history *ipsec_gethist(struct mbuf *, int *);
extern void ipsec_clearhist(struct mbuf *);
#endif /* KERNEL */
#endif /* KERNEL_PRIVATE */

#ifndef KERNEL
__BEGIN_DECLS
extern caddr_t ipsec_set_policy(char *, int);
extern int ipsec_get_policylen(caddr_t);
extern char *ipsec_dump_policy(caddr_t, char *);

extern const char *ipsec_strerror(void);
__END_DECLS
#endif /* KERNEL */

#endif /* _NETINET6_IPSEC_H_ */
Commit	Line	Data
9bccf70c A	1	/* $FreeBSD: src/sys/netinet6/ipsec.h,v 1.4.2.2 2001/07/03 11:01:54 ume Exp $ */
9bccf70c A	2	/* $KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $ */
1c79356b A	3
	4	/*
	5	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	6	* All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	* 1. Redistributions of source code must retain the above copyright
	12	* notice, this list of conditions and the following disclaimer.
	13	* 2. Redistributions in binary form must reproduce the above copyright
	14	* notice, this list of conditions and the following disclaimer in the
	15	* documentation and/or other materials provided with the distribution.
	16	* 3. Neither the name of the project nor the names of its contributors
	17	* may be used to endorse or promote products derived from this software
	18	* without specific prior written permission.
	19	*
	20	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	21	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	22	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	23	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	24	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	25	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	26	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	27	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	28	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	29	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	30	* SUCH DAMAGE.
	31	*/
	32
	33	/*
	34	* IPsec controller part.
	35	*/
	36
	37	#ifndef _NETINET6_IPSEC_H_
	38	#define _NETINET6_IPSEC_H_
b0d623f7	39	#include <sys/cdefs.h>
9bccf70c	40	#include <sys/appleapiopts.h>
1c79356b A	41
1c79356b A	42	#include <net/pfkeyv2.h>
91447636	43	#ifdef KERNEL_PRIVATE
1c79356b A	44	#include <netkey/keydb.h>
1c79356b A	45
2d21ac55	46	/* lock for IPSec stats */
b0d623f7 A	47	extern lck_grp_t *sadb_stat_mutex_grp;
	48	extern lck_grp_attr_t *sadb_stat_mutex_grp_attr;
	49	extern lck_attr_t *sadb_stat_mutex_attr;
	50	extern lck_mtx_t *sadb_stat_mutex;
2d21ac55 A	51
	52
	53	#define IPSEC_STAT_INCREMENT(x) \
	54	{lck_mtx_lock(sadb_stat_mutex); (x)++; lck_mtx_unlock(sadb_stat_mutex);}
	55
	56
1c79356b A	57	/*
1c79356b A	58	* Security Policy Index
55e303ae A	59	* Ensure that both address families in the "src" and "dst" are same.
	60	* When the value of the ul_proto is ICMPv6, the port field in "src"
	61	* specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
1c79356b A	62	*/
	63	struct secpolicyindex {
	64	u_int8_t dir; /* direction of packet flow, see blow */
	65	struct sockaddr_storage src; /* IP src address for SP */
	66	struct sockaddr_storage dst; /* IP dst address for SP */
	67	u_int8_t prefs; /* prefix length in bits for src */
	68	u_int8_t prefd; /* prefix length in bits for dst */
	69	u_int16_t ul_proto; /* upper layer Protocol */
	70	#ifdef notyet
	71	uid_t uids;
	72	uid_t uidd;
	73	gid_t gids;
	74	gid_t gidd;
	75	#endif
	76	};
	77
	78	/* Security Policy Data Base */
	79	struct secpolicy {
	80	LIST_ENTRY(secpolicy) chain;
	81
	82	int refcnt; /* reference count */
	83	struct secpolicyindex spidx; /* selector */
	84	u_int32_t id; /* It's unique number on the system. */
	85	u_int state; /* 0: dead, others: alive */
	86	#define IPSEC_SPSTATE_DEAD 0
	87	#define IPSEC_SPSTATE_ALIVE 1
	88
	89	u_int policy; /* DISCARD, NONE or IPSEC, see keyv2.h */
	90	struct ipsecrequest *req;
	91	/* pointer to the ipsec request tree, */
	92	/* if policy == IPSEC else this value == NULL.*/
9bccf70c A	93
	94	/*
	95	* lifetime handler.
	96	* the policy can be used without limitiation if both lifetime and
	97	* validtime are zero.
	98	* "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
	99	* "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
	100	*/
	101	long created; /* time created the policy */
	102	long lastused; /* updated every when kernel sends a packet */
	103	long lifetime; /* duration of the lifetime of this policy */
	104	long validtime; /* duration this policy is valid without use */
1c79356b A	105	};
	106
	107	/* Request for IPsec */
	108	struct ipsecrequest {
	109	struct ipsecrequest *next;
	110	/* pointer to next structure */
	111	/* If NULL, it means the end of chain. */
	112	struct secasindex saidx;/* hint for search proper SA */
	113	/* if __ss_len == 0 then no address specified.*/
	114	u_int level; /* IPsec level defined below. */
	115
1c79356b A	116	struct secpolicy sp; / back pointer to SP */
	117	};
	118
	119	/* security policy in PCB */
	120	struct inpcbpolicy {
	121	struct secpolicy *sp_in;
	122	struct secpolicy *sp_out;
	123	int priv; /* privileged socket ? */
	124	};
	125
	126	/* SP acquiring list table. */
	127	struct secspacq {
	128	LIST_ENTRY(secspacq) chain;
	129
	130	struct secpolicyindex spidx;
	131
9bccf70c	132	long created; /* for lifetime */
1c79356b A	133	int count; /* for lifetime */
	134	/* XXX: here is mbuf place holder to be sent ? */
	135	};
91447636	136	#endif /* KERNEL_PRIVATE */
1c79356b A	137
	138	/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
	139	#define IPSEC_PORT_ANY 0
	140	#define IPSEC_ULPROTO_ANY 255
	141	#define IPSEC_PROTO_ANY 255
	142
	143	/* mode of security protocol */
	144	/* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */
	145	#define IPSEC_MODE_ANY 0 /* i.e. wildcard. */
	146	#define IPSEC_MODE_TRANSPORT 1
	147	#define IPSEC_MODE_TUNNEL 2
	148
	149	/*
	150	* Direction of security policy.
	151	* NOTE: Since INVALID is used just as flag.
	152	* The other are used for loop counter too.
	153	*/
	154	#define IPSEC_DIR_ANY 0
	155	#define IPSEC_DIR_INBOUND 1
	156	#define IPSEC_DIR_OUTBOUND 2
	157	#define IPSEC_DIR_MAX 3
	158	#define IPSEC_DIR_INVALID 4
	159
	160	/* Policy level */
	161	/*
9bccf70c A	162	* IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
	163	* DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
	164	* DISCARD and NONE are allowed for system default.
1c79356b A	165	*/
	166	#define IPSEC_POLICY_DISCARD 0 /* discarding packet */
	167	#define IPSEC_POLICY_NONE 1 /* through IPsec engine */
	168	#define IPSEC_POLICY_IPSEC 2 /* do IPsec */
	169	#define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */
	170	#define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */
2d21ac55	171	#define IPSEC_POLICY_GENERATE 5 /* same as discard - IKE daemon can override with generated policy */
1c79356b A	172
	173	/* Security protocol level */
	174	#define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */
	175	#define IPSEC_LEVEL_USE 1 /* use SA if present. */
	176	#define IPSEC_LEVEL_REQUIRE 2 /* require SA. */
	177	#define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */
	178
	179	#define IPSEC_MANUAL_REQID_MAX 0x3fff
	180	/*
	181	* if security policy level == unique, this id
	182	* indicate to a relative SA for use, else is
	183	* zero.
	184	* 1 - 0x3fff are reserved for manual keying.
	185	* 0 are reserved for above reason. Others is
	186	* for kernel use.
	187	* Note that this id doesn't identify SA
	188	* by only itself.
	189	*/
	190	#define IPSEC_REPLAYWSIZE 32
	191
	192	/* statistics for ipsec processing */
	193	struct ipsecstat {
	194	u_quad_t in_success; /* succeeded inbound process */
	195	u_quad_t in_polvio;
	196	/* security policy violation for inbound process */
	197	u_quad_t in_nosa; /* inbound SA is unavailable */
	198	u_quad_t in_inval; /* inbound processing failed due to EINVAL */
	199	u_quad_t in_nomem; /* inbound processing failed due to ENOBUFS */
	200	u_quad_t in_badspi; /* failed getting a SPI */
	201	u_quad_t in_ahreplay; /* AH replay check failed */
	202	u_quad_t in_espreplay; /* ESP replay check failed */
	203	u_quad_t in_ahauthsucc; /* AH authentication success */
	204	u_quad_t in_ahauthfail; /* AH authentication failure */
	205	u_quad_t in_espauthsucc; /* ESP authentication success */
	206	u_quad_t in_espauthfail; /* ESP authentication failure */
	207	u_quad_t in_esphist[256];
	208	u_quad_t in_ahhist[256];
	209	u_quad_t in_comphist[256];
	210	u_quad_t out_success; /* succeeded outbound process */
	211	u_quad_t out_polvio;
	212	/* security policy violation for outbound process */
	213	u_quad_t out_nosa; /* outbound SA is unavailable */
	214	u_quad_t out_inval; /* outbound process failed due to EINVAL */
	215	u_quad_t out_nomem; /* inbound processing failed due to ENOBUFS */
	216	u_quad_t out_noroute; /* there is no route */
	217	u_quad_t out_esphist[256];
	218	u_quad_t out_ahhist[256];
	219	u_quad_t out_comphist[256];
	220	};
	221
91447636	222	#ifdef KERNEL_PRIVATE
1c79356b A	223	/*
	224	* Definitions for IPsec & Key sysctl operations.
	225	*/
	226	/*
	227	* Names for IPsec & Key sysctl objects
	228	*/
	229	#define IPSECCTL_STATS 1 /* stats */
	230	#define IPSECCTL_DEF_POLICY 2
	231	#define IPSECCTL_DEF_ESP_TRANSLEV 3 /* int; ESP transport mode */
	232	#define IPSECCTL_DEF_ESP_NETLEV 4 /* int; ESP tunnel mode */
	233	#define IPSECCTL_DEF_AH_TRANSLEV 5 /* int; AH transport mode */
	234	#define IPSECCTL_DEF_AH_NETLEV 6 /* int; AH tunnel mode */
55e303ae	235	#if 0 /* obsolete, do not reuse */
1c79356b	236	#define IPSECCTL_INBOUND_CALL_IKE 7
9bccf70c	237	#endif
1c79356b A	238	#define IPSECCTL_AH_CLEARTOS 8
	239	#define IPSECCTL_AH_OFFSETMASK 9
	240	#define IPSECCTL_DFBIT 10
	241	#define IPSECCTL_ECN 11
	242	#define IPSECCTL_DEBUG 12
9bccf70c A	243	#define IPSECCTL_ESP_RANDPAD 13
9bccf70c A	244	#define IPSECCTL_MAXID 14
1c79356b A	245
	246	#define IPSECCTL_NAMES { \
	247	{ 0, 0 }, \
	248	{ 0, 0 }, \
	249	{ "def_policy", CTLTYPE_INT }, \
	250	{ "esp_trans_deflev", CTLTYPE_INT }, \
	251	{ "esp_net_deflev", CTLTYPE_INT }, \
	252	{ "ah_trans_deflev", CTLTYPE_INT }, \
	253	{ "ah_net_deflev", CTLTYPE_INT }, \
9bccf70c	254	{ 0, 0 }, \
1c79356b A	255	{ "ah_cleartos", CTLTYPE_INT }, \
	256	{ "ah_offsetmask", CTLTYPE_INT }, \
	257	{ "dfbit", CTLTYPE_INT }, \
	258	{ "ecn", CTLTYPE_INT }, \
	259	{ "debug", CTLTYPE_INT }, \
9bccf70c	260	{ "esp_randpad", CTLTYPE_INT }, \
1c79356b A	261	}
	262
	263	#define IPSEC6CTL_NAMES { \
	264	{ 0, 0 }, \
	265	{ 0, 0 }, \
	266	{ "def_policy", CTLTYPE_INT }, \
	267	{ "esp_trans_deflev", CTLTYPE_INT }, \
	268	{ "esp_net_deflev", CTLTYPE_INT }, \
	269	{ "ah_trans_deflev", CTLTYPE_INT }, \
	270	{ "ah_net_deflev", CTLTYPE_INT }, \
9bccf70c	271	{ 0, 0 }, \
1c79356b A	272	{ 0, 0 }, \
	273	{ 0, 0 }, \
	274	{ 0, 0 }, \
	275	{ "ecn", CTLTYPE_INT }, \
	276	{ "debug", CTLTYPE_INT }, \
9bccf70c	277	{ "esp_randpad", CTLTYPE_INT }, \
1c79356b A	278	}
1c79356b A	279
9bccf70c	280	#ifdef KERNEL
1c79356b	281	struct ipsec_output_state {
ebb1b9f4	282	int tunneled;
1c79356b	283	struct mbuf *m;
ebb1b9f4	284	struct route ro;
1c79356b A	285	struct sockaddr *dst;
	286	};
	287
9bccf70c A	288	struct ipsec_history {
	289	int ih_proto;
	290	u_int32_t ih_spi;
	291	};
	292
1c79356b A	293	extern int ipsec_debug;
1c79356b A	294
1c79356b A	295	extern struct ipsecstat ipsecstat;
	296	extern struct secpolicy ip4_def_policy;
	297	extern int ip4_esp_trans_deflev;
	298	extern int ip4_esp_net_deflev;
	299	extern int ip4_ah_trans_deflev;
	300	extern int ip4_ah_net_deflev;
1c79356b A	301	extern int ip4_ah_cleartos;
	302	extern int ip4_ah_offsetmask;
	303	extern int ip4_ipsec_dfbit;
	304	extern int ip4_ipsec_ecn;
9bccf70c	305	extern int ip4_esp_randpad;
1c79356b A	306
	307	#define ipseclog(x) do { if (ipsec_debug) log x; } while (0)
	308
91447636 A	309	extern struct secpolicy ipsec4_getpolicybysock(struct mbuf , u_int,
	310	struct socket , int );
	311	extern struct secpolicy ipsec4_getpolicybyaddr(struct mbuf , u_int, int,
	312	int *);
1c79356b	313
1c79356b	314	struct inpcb;
91447636 A	315	extern int ipsec_init_policy(struct socket so, struct inpcbpolicy *);
	316	extern int ipsec_copy_policy(struct inpcbpolicy , struct inpcbpolicy );
	317	extern u_int ipsec_get_reqlevel(struct ipsecrequest *);
	318
	319	extern int ipsec4_set_policy(struct inpcb *inp, int optname,
	320	caddr_t request, size_t len, int priv);
	321	extern int ipsec4_get_policy(struct inpcb *inpcb, caddr_t request,
	322	size_t len, struct mbuf **mp);
	323	extern int ipsec4_delete_pcbpolicy(struct inpcb *);
	324	extern int ipsec4_in_reject_so(struct mbuf , struct socket );
	325	extern int ipsec4_in_reject(struct mbuf , struct inpcb );
1c79356b	326
1c79356b A	327	struct secas;
1c79356b A	328	struct tcpcb;
91447636 A	329	extern int ipsec_chkreplay(u_int32_t, struct secasvar *);
91447636 A	330	extern int ipsec_updatereplay(u_int32_t, struct secasvar *);
1c79356b	331
91447636 A	332	extern size_t ipsec4_hdrsiz(struct mbuf , u_int, struct inpcb );
91447636 A	333	extern size_t ipsec_hdrsiz_tcp(struct tcpcb *);
2d21ac55	334	extern size_t ipsec_hdrsiz(struct secpolicy *);
1c79356b A	335
1c79356b A	336	struct ip;
91447636 A	337	extern const char ipsec4_logpacketstr(struct ip , u_int32_t);
	338	extern const char ipsec_logsastr(struct secasvar );
	339
	340	extern void ipsec_dumpmbuf(struct mbuf *);
	341
	342	extern int ipsec4_output(struct ipsec_output_state , struct secpolicy , int);
2d21ac55	343	extern int ipsec4_tunnel_validate(struct mbuf , int, u_int, struct secasvar , sa_family_t *);
91447636 A	344	extern struct mbuf ipsec_copypkt(struct mbuf );
	345	extern void ipsec_delaux(struct mbuf *);
	346	extern int ipsec_setsocket(struct mbuf , struct socket );
	347	extern struct socket ipsec_getsocket(struct mbuf );
	348	extern int ipsec_addhist(struct mbuf *, int, u_int32_t);
	349	extern struct ipsec_history ipsec_gethist(struct mbuf , int *);
	350	extern void ipsec_clearhist(struct mbuf *);
b0d623f7 A	351	#endif /* KERNEL */
b0d623f7 A	352	#endif /* KERNEL_PRIVATE */
1c79356b A	353
1c79356b A	354	#ifndef KERNEL
b0d623f7	355	__BEGIN_DECLS
91447636 A	356	extern caddr_t ipsec_set_policy(char *, int);
	357	extern int ipsec_get_policylen(caddr_t);
	358	extern char ipsec_dump_policy(caddr_t, char );
1c79356b	359
91447636	360	extern const char *ipsec_strerror(void);
b0d623f7 A	361	__END_DECLS
b0d623f7 A	362	#endif /* KERNEL */
1c79356b	363
0c530ab8	364	#endif /* _NETINET6_IPSEC_H_ */