[apple/xnu.git] / bsd / net / if_utun_crypto.h

/*
 * Copyright (c) 2011 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 * 
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

#ifndef	_NET_IF_UTUN_CRYPTO_H_
#define	_NET_IF_UTUN_CRYPTO_H_

// constants used in configuring the crypto context
typedef enum utun_crypto_ver {
	UTUN_CRYPTO_VER_1 = 1,
	UTUN_CRYPTO_VER_MAX,
} utun_crypto_ver_t;

#define UTUN_CRYPTO_KEYS_IPSEC_VER_1                  UTUN_CRYPTO_VER_1
#define UTUN_CRYPTO_IPSEC_VER_1                       UTUN_CRYPTO_VER_1
#define UTUN_CRYPTO_DTLS_VER_1                        UTUN_CRYPTO_VER_1

#define UTUN_CRYPTO_ARGS_VER_MAX                      UTUN_CRYPTO_VER_MAX
#define UTUN_CRYPTO_KEYS_ARGS_VER_MAX                 UTUN_CRYPTO_VER_MAX
#define UTUN_CRYPTO_FRAMER_ARGS_VER_MAX               UTUN_CRYPTO_VER_MAX

typedef enum utun_crypto_dir {
	UTUN_CRYPTO_DIR_IN = 1,
	UTUN_CRYPTO_DIR_OUT,
	UTUN_CRYPTO_DIR_MAX,
} utun_crypto_dir_t;

#define UTUN_CRYPTO_CTX_NUM_DIRS 2

#define BITSTOBYTES(n)                                (n >> 3)
#define BYTESTOBITS(n)                                (n << 3)

#define MAX_KEY_AUTH_LEN_BITS                         512 // corresponds to SHA512
#define MAX_KEY_AUTH_LEN_BYTES                        (BITSTOBYTES(MAX_KEY_AUTH_LEN_BITS))
#define MAX_KEY_ENC_LEN_BITS                          256 // corresponds to AES256
#define MAX_KEY_ENC_LEN_BYTES                         (BITSTOBYTES(MAX_KEY_ENC_LEN_BITS))

typedef enum utun_crypto_type {
	UTUN_CRYPTO_TYPE_IPSEC = 1,
	UTUN_CRYPTO_TYPE_DTLS,
	UTUN_CRYPTO_TYPE_MAX,
} utun_crypto_type_t;

typedef enum if_utun_crypto_ipsec_mode {
	IF_UTUN_CRYPTO_IPSEC_MODE_NONE = 0,
	IF_UTUN_CRYPTO_IPSEC_MODE_TRANSPORT,
	IF_UTUN_CRYPTO_IPSEC_MODE_TUNNEL,
	IF_UTUN_CRYPTO_IPSEC_MODE_MAX,
} if_utun_crypto_ipsec_mode_t;

typedef enum if_utun_crypto_ipsec_proto {
	IF_UTUN_CRYPTO_IPSEC_PROTO_NONE = 0,
	IF_UTUN_CRYPTO_IPSEC_PROTO_ESP,
	IF_UTUN_CRYPTO_IPSEC_PROTO_AH,
	IF_UTUN_CRYPTO_IPSEC_PROTO_MAX,
} if_utun_crypto_ipsec_proto_t;

typedef enum if_utun_crypto_ipsec_auth {
	IF_UTUN_CRYPTO_IPSEC_AUTH_NONE = 0,
	IF_UTUN_CRYPTO_IPSEC_AUTH_MD5,
	IF_UTUN_CRYPTO_IPSEC_AUTH_SHA1,
	IF_UTUN_CRYPTO_IPSEC_AUTH_SHA256,
	IF_UTUN_CRYPTO_IPSEC_AUTH_SHA384,
	IF_UTUN_CRYPTO_IPSEC_AUTH_SHA512,
	IF_UTUN_CRYPTO_IPSEC_AUTH_MAX,
} if_utun_crypto_ipsec_auth_t;

typedef enum if_utun_crypto_ipsec_enc {
	IF_UTUN_CRYPTO_IPSEC_ENC_NONE = 0,
	IF_UTUN_CRYPTO_IPSEC_ENC_DES,
	IF_UTUN_CRYPTO_IPSEC_ENC_3DES,
	IF_UTUN_CRYPTO_IPSEC_ENC_AES128,
	IF_UTUN_CRYPTO_IPSEC_ENC_AES256,
	IF_UTUN_CRYPTO_IPSEC_ENC_MAX,
} if_utun_crypto_ipsec_enc_t;

typedef enum if_utun_crypto_ipsec_keepalive {
	IF_UTUN_CRYPTO_IPSEC_KEEPALIVE_NONE = 0,
	IF_UTUN_CRYPTO_IPSEC_KEEPALIVE_NATT,
	IF_UTUN_CRYPTO_IPSEC_KEEPALIVE_ESP,
	IF_UTUN_CRYPTO_IPSEC_KEEPALIVE_MAX,
} if_utun_crypto_ipsec_keepalive_t;

typedef enum if_utun_crypto_ipsec_natd {
	IF_UTUN_CRYPTO_IPSEC_NATD_NONE = 0,
	IF_UTUN_CRYPTO_IPSEC_NATD_MINE,
	IF_UTUN_CRYPTO_IPSEC_NATD_PEER,
	IF_UTUN_CRYPTO_IPSEC_NATD_BOTH,
	IF_UTUN_CRYPTO_IPSEC_NATD_MAX,
} if_utun_crypto_ipsec_natd_t;

// structures used for storing the App's keying index arguments
typedef struct utun_crypto_keys_idx_ipsec_args_v1 {
	struct sockaddr_storage                       src_addr; // v4 or v6 socket address (ignore port numbers)
	struct sockaddr_storage                       dst_addr; // v4 or v6 socket address (ignore port numbers)
	if_utun_crypto_ipsec_proto_t                  proto;
	if_utun_crypto_ipsec_mode_t                   mode;
	u_int32_t                                     reqid; // policy's reqid, default to 0 for now since we are avoiding policies.
	u_int32_t                                     spi;		  // 0 when requesting the index, otherwise it contains the resulting index
	u_int32_t                                     spirange_min; // default to 0
	u_int32_t                                     spirange_max; // default to 0xffffffff
} __attribute__((packed)) utun_crypto_keys_idx_ipsec_args_v1_t;

typedef struct utun_crypto_keys_idx_dtls_args_v1 {
	// stub for DTLS keying index arguments
	u_int32_t                                     unused; // place holder
} __attribute__((packed)) utun_crypto_keys_idx_dtls_args_v1_t;

// App's parent structure for sending/storing keying index arguments
typedef struct utun_crypto_keys_idx_args {
	utun_crypto_ver_t                             ver;
	utun_crypto_type_t                            type;
	utun_crypto_dir_t                             dir;
	u_int32_t                                     args_ulen;
	u_int32_t                                     varargs_buflen;
	union {
		// don't change the order, number, or size of elements above this line (in this struct). otherwise UTUN_CRYPTO_CTX_IDX_ARGS_HDR_SIZE breaks backwards compatibility
		utun_crypto_keys_idx_ipsec_args_v1_t  ipsec_v1;
		utun_crypto_keys_idx_dtls_args_v1_t   dtls_v1;
		// future (additional) versions of the arguments may be placed here
	} u;
	u_int8_t                                      varargs_buf[0];
} __attribute__((aligned(4), packed)) utun_crypto_keys_idx_args_t;

// structures used for storing the App's keying material arguments
typedef struct utun_crypto_keys_ipsec_args_v1 {
	struct sockaddr_storage                       src_addr; // v4 or v6 socket address (ignore port numbers)
	struct sockaddr_storage                       dst_addr; // v4 or v6 socket address (ignore port numbers)
	if_utun_crypto_ipsec_proto_t                  proto;
	if_utun_crypto_ipsec_mode_t                   mode;
	if_utun_crypto_ipsec_auth_t                   alg_auth;
	if_utun_crypto_ipsec_enc_t                    alg_enc;
	if_utun_crypto_ipsec_keepalive_t              keepalive;
	if_utun_crypto_ipsec_natd_t                   natd;
	u_int8_t                                      replay;   // window size default to 4
	u_int8_t                                      punt_rx_keepalive;
	u_int16_t                                     interval_tx_keepalive;
	u_int16_t                                     key_auth_len; // 128 or 160 or 192 or 256 or 384 or 512
	u_int16_t                                     key_enc_len;  // 64 or 128 or 192 or 256
	u_int16_t                                     natt_port; // if non-zero flags will be set to include SADB_X_EXT_NATT
	u_int16_t                                     unused;
	u_int32_t                                     seq;	  // default to 0
	u_int32_t                                     spi;
	u_int32_t                                     pid;      // vpnagent's process id
	u_int32_t                                     reqid; // policy's reqid, default to 0 for now since we are avoiding policies.
	u_int64_t                                     lifetime_hard; // value in seconds
	u_int64_t                                     lifetime_soft; // value in seconds
	// key_auth and key_enc will actually be stored in utun_crypto_KEYS_args_t.varargs_buf
} __attribute__((packed)) utun_crypto_keys_ipsec_args_v1_t;

typedef struct utun_crypto_keys_dtls_args_v1 {
	// stub for DTLS keying material arguments
	u_int32_t                                     unused; // place holder
} __attribute__((packed)) utun_crypto_keys_dtls_args_v1_t;

// App's parent structure for sending/storing keying material arguments
typedef struct utun_crypto_keys_args {
	utun_crypto_ver_t                             ver;
	utun_crypto_type_t                            type;
	utun_crypto_dir_t                             dir;
	u_int32_t                                     args_ulen;
	u_int32_t                                     varargs_buflen;
	union {
		// don't change the order, number, or size of elements above this line (in this struct). otherwise UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE breaks backwards compatibility
		utun_crypto_keys_ipsec_args_v1_t      ipsec_v1;
		utun_crypto_keys_dtls_args_v1_t       dtls_v1;
		// future (additional) versions of the arguments may be placed here
	} u;
	u_int8_t                                      varargs_buf[0];
} __attribute__((aligned(4), packed)) utun_crypto_keys_args_t;

// structures used for storing the App's crypto arguments
typedef struct utun_crypto_ipsec_args_v1 {
	// stub for IPSec crypto context arguments
	u_int32_t                                     unused; // place holder
} __attribute__((packed)) utun_crypto_ipsec_args_v1_t;

typedef struct utun_crypto_dtls_args_v1 {
	// stub for DTLS crypto context arguments
	int                                           kpi_handle;
} __attribute__((packed)) utun_crypto_dtls_args_v1_t;

// App's parent structure for starting/stopping crypto
typedef struct utun_crypto_args {
	utun_crypto_ver_t                             ver;
	utun_crypto_type_t                            type;
	u_int32_t                                     stop_data_traffic;
	u_int32_t                                     args_ulen;
	u_int32_t                                     varargs_buflen;
	union {
		// don't change the order, number, or size of elements above this line (in this struct). otherwise UTUN_CRYPTO_ARGS_HDR_SIZE breaks backwards compatibility
		utun_crypto_ipsec_args_v1_t           ipsec_v1;
		utun_crypto_dtls_args_v1_t            dtls_v1;
		// future (additional) versions of the arguments may be placed here
	} u;
	u_int8_t                                      varargs_buf[0]; // must be at the end of this struct
} __attribute__((aligned(4), packed)) utun_crypto_args_t;

typedef enum {
  UTUN_CRYPTO_INNER_TYPE_IPv4 = 1,
  UTUN_CRYPTO_INNER_TYPE_IPv6,
  UTUN_CRYPTO_INNER_TYPE_MAX,
} utun_crypto_framer_inner_type_t;

typedef struct utun_crypto_framer_ipsec_args_v1 {
	// stub for IPSec framer arguments
	u_int32_t                                     unused; // place holder
} __attribute__((packed)) utun_crypto_framer_ipsec_args_v1_t;

typedef struct utun_crypto_framer_dtls_in_args_v1 {
	int                                           in_pattern_len;
	int                                           in_pattern_mask_len;
	int                                           in_data_offset;
	// in_pattern, in_pattern_mask will actually be stored in utun_crypto_framer_args_t.varargs_buf
} __attribute__((packed)) utun_crypto_framer_dtls_in_args_v1_t;

typedef struct utun_crypto_framer_dtls_out_args_v1 {
	int                                           out_pattern_len;
	u_int32_t                                     len_field_mask; // 0 means unconfigured
	int                                           len_field_offset;
	int                                           len_field_extra;
	u_int32_t                                     sequence_field;
	u_int32_t                                     sequence_field_mask; // 0 means unconfigured
	int                                           sequence_field_offset;
	// out_pattern will actually be stored in utun_crypto_framer_args_t.varargs_buf
} __attribute__((packed)) utun_crypto_framer_dtls_out_args_v1_t;

typedef struct utun_crypto_framer_dtls_args_v1 {
	// the following depend on utun_crypto_framer_args_t.dir
	union {
		// don't change the order, number, or size of elements above this line (in this struct). otherwise UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE breaks backwards compatibility
		utun_crypto_framer_dtls_in_args_v1_t  in;
		utun_crypto_framer_dtls_out_args_v1_t out;
		// future (additional) versions of the arguments may be placed here
	} u;
} __attribute__((packed)) utun_crypto_framer_dtls_args_v1_t;

// App's parent structure for sending/storing framer arguments
typedef struct utun_crypto_framer_args {
	utun_crypto_ver_t                             ver;
	utun_crypto_type_t                            type;
	utun_crypto_dir_t                             dir;
	utun_crypto_framer_inner_type_t               inner_type;
	u_int32_t                                     args_ulen;
	u_int32_t                                     varargs_buflen;
	union {
		// don't change the order, number, or size of elements above this line (in this struct). otherwise UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE breaks backwards compatibility
		utun_crypto_framer_ipsec_args_v1_t    ipsec_v1;
		utun_crypto_framer_dtls_args_v1_t     dtls_v1;
		// future (additional) versions of the arguments may be placed here
	} u;
	u_int8_t                                      varargs_buf[0];
} __attribute__((aligned(4), packed)) utun_crypto_framer_args_t;

#define utun_crypto_framer_args_dtls_in(framer)   framer->u.dtls_v1.u.in
#define utun_crypto_framer_args_dtls_out(framer)  framer->u.dtls_v1.u.out

#ifdef KERNEL_PRIVATE

#include <sys/kern_control.h>
#include <net/kpi_protocol.h>
#include <net/kpi_interface.h>
#include <net/pfkeyv2.h>
#include <netkey/key.h>
#include <netkey/keydb.h>
#include <net/bpf.h>

struct utun_pcb;

// structures used for storing kernel's keying material runtime state
typedef struct utun_crypto_keys_ipsec_state {
	// kernel's ipsec keying material state
	u_int32_t                                     spi;
	struct secashead                             *sah;
	struct secasvar                              *sav;
	u_int8_t                                      proto;
	u_int8_t                                      ifamily;
	u_int8_t                                      mode;
	u_int8_t                                      unused;
} __attribute__((packed)) utun_crypto_keys_ipsec_state_t;

typedef struct utun_crypto_keys_dtls_state {
	// stub for kernel's DTLS keying material state
	u_int32_t                                     unused; // place holder
} __attribute__((packed)) utun_crypto_keys_dtls_state_t;

// kernel's parent structure for keying material state
typedef struct utun_crypto_keys_state {
	union {
		utun_crypto_keys_ipsec_state_t        ipsec;
		utun_crypto_keys_dtls_state_t         dtls;
	} u;
} __attribute__((aligned(4), packed)) utun_crypto_keys_state_t;

// kernel's parent structure for keying material
typedef struct utun_crypto_keys {
	int                                           valid; // is valid?
	utun_crypto_type_t                            type;
	u_int16_t                                     unused;
	utun_crypto_keys_state_t                      state; // runtime state
	LIST_ENTRY(utun_crypto_keys)                  chain;
} __attribute__((aligned(4), packed)) utun_crypto_keys_t;

// structures used for storing kernel's framer runtime state
typedef struct utun_crypto_framer_ipsec_state {
	// stub for kernel's IPSec framer state
	u_int32_t                                     unused; // place holder
} __attribute__((packed)) utun_crypto_framer_ipsec_state_t;

typedef struct utun_crypto_framer_dtls_in_state {
	u_int8_t                                     *in_pattern;
	int                                           in_pattern_len;
	u_int8_t                                     *in_pattern_mask;
	u_int8_t                                     *in_pattern_masked;
	int                                           in_data_offset;
	struct bpf_program                            in_pattern_filter;
} __attribute__((packed)) utun_crypto_framer_dtls_in_state_t;

typedef struct utun_crypto_framer_dtls_out_state {
	u_int8_t                                     *out_pattern;
	int                                           out_pattern_len;
	u_int32_t                                     len_field_mask; // 0 means unconfigured
	int                                           len_field_offset;
	int                                           len_field_extra;
	u_int32_t                                     sequence_field;
	u_int32_t                                     sequence_field_initval;
	u_int32_t                                     sequence_field_mask; // 0 means unconfigured
	int                                           sequence_field_offset;
} __attribute__((packed)) utun_crypto_framer_dtls_out_state_t;

typedef struct utun_crypto_framer_dtls_state {
	union {
		// don't change the order, number, or size of elements above this line (in this struct). otherwise UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE breaks backwards compatibility
		utun_crypto_framer_dtls_in_state_t  in;
		utun_crypto_framer_dtls_out_state_t out;
		// future (additional) versions of the arguments may be placed here
	} u;
} __attribute__((packed)) utun_crypto_framer_dtls_state_t;

// kernel's parent structure for framer state
typedef struct utun_crypto_framer_state {
	union {
		utun_crypto_framer_ipsec_state_t ipsec;
		utun_crypto_framer_dtls_state_t  dtls;
	} u;
} __attribute__((aligned(4), packed)) utun_crypto_framer_state_t;

// kernel's parent structure for the framer
typedef struct utun_crypto_framer {
	int                                           valid; // is valid?
	utun_crypto_type_t                            type;
	utun_crypto_dir_t                             dir;
	utun_crypto_framer_inner_type_t               inner_type;
	protocol_family_t                             inner_protocol_family;
	utun_crypto_framer_state_t                    state; // runtime state
	LIST_ENTRY(utun_crypto_framer)                framer_chain;
} __attribute__((aligned(4), packed)) utun_crypto_framer_t;

#define UTUN_CRYPTO_INNER_TYPE_TO_IDX(type)           (type - 1)
#define UTUN_CRYPTO_IDX_TO_INNER_TYPE(idx)            (idx + 1)
#define UTUN_CRYPTO_INNER_TYPE_IDX_MAX                UTUN_CRYPTO_INNER_TYPE_TO_IDX(UTUN_CRYPTO_INNER_TYPE_MAX)

#define UTUN_CRYPTO_DIR_TO_IDX(dir)                   (dir - 1)
#define UTUN_CRYPTO_IDX_TO_DIR(idx)                   (idx + 1)
#define UTUN_CRYPTO_DIR_IDX_MAX                       UTUN_CRYPTO_DIR_TO_IDX(UTUN_CRYPTO_DIR_MAX)

#define utun_crypto_framer_state_dtls_in(framer)      framer->state.u.dtls.u.in
#define utun_crypto_framer_state_dtls_out(framer)     framer->state.u.dtls.u.out

// kernel's parent structure for all crypto stuff
typedef struct utun_crypto_ctx {
	int                                           valid;
	utun_crypto_type_t                            type;
	u_int16_t                                     unused;
	LIST_HEAD(chain, utun_crypto_keys)            keys_listhead;
	LIST_HEAD(framer_chain, utun_crypto_framer)   framer_listheads[UTUN_CRYPTO_INNER_TYPE_IDX_MAX];
	int                                           num_framers;
	int                                           kpi_handle;
	caddr_t                                       kpi_ref;
	int                                           kpi_refcnt;
} __attribute__((aligned(4), packed)) utun_crypto_ctx_t;

#define UTUN_CRYPTO_KEYS_IDX_ARGS_HDR_SIZE            ((size_t)(&((utun_crypto_keys_idx_args_t *)0)->u))
#define UTUN_CRYPTO_KEYS_IDX_ARGS_VARARGS_BUF(args)   ((u_int8_t *)args + UTUN_CRYPTO_KEYS_IDX_ARGS_HDR_SIZE + args->args_ulen)
#define UTUN_CRYPTO_KEYS_IDX_ARGS_TOTAL_SIZE(args)    ((size_t)(UTUN_CRYPTO_KEYS_IDX_ARGS_HDR_SIZE + args->args_ulen + args->varargs_buflen))

#define UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE                ((size_t)(&((utun_crypto_keys_args_t *)0)->u))
#define UTUN_CRYPTO_KEYS_ARGS_VARARGS_BUF(args)       ((u_int8_t *)args + UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE + args->args_ulen)
#define UTUN_CRYPTO_KEYS_ARGS_TOTAL_SIZE(args)        ((size_t)(UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE + args->args_ulen + args->varargs_buflen))

#define UTUN_CRYPTO_FRAMER_ARGS_HDR_SIZE                ((size_t)(&((utun_crypto_framer_args_t *)0)->u))
#define UTUN_CRYPTO_FRAMER_ARGS_VARARGS_BUF(args)       ((u_int8_t *)args + UTUN_CRYPTO_FRAMER_ARGS_HDR_SIZE + args->args_ulen)
#define UTUN_CRYPTO_FRAMER_ARGS_TOTAL_SIZE(args)        ((size_t)(UTUN_CRYPTO_FRAMER_ARGS_HDR_SIZE + args->args_ulen + args->varargs_buflen))

#define UTUN_CRYPTO_ARGS_HDR_SIZE                     ((size_t)(&((utun_crypto_args_t *)0)->u))
#define UTUN_CRYPTO_ARGS_VARARGS_BUF(args)            ((u_int8_t *)args + UTUN_CRYPTO_ARGS_HDR_SIZE + args->args_ulen)
#define UTUN_CRYPTO_ARGS_TOTAL_SIZE(args)             ((size_t)(UTUN_CRYPTO_ARGS_HDR_SIZE + args->args_ulen + args->varargs_buflen))

typedef caddr_t (*utun_crypto_kpi_connect_func)(int kpi_handle, struct utun_pcb *utun_ref);

typedef errno_t (*utun_crypto_kpi_send_func)(caddr_t ref, mbuf_t *pkt);

typedef struct utun_crypto_kpi_reg {
  /* Dispatch functions */
  utun_crypto_type_t           crypto_kpi_type;
  u_int32_t                    crypto_kpi_flags;
  utun_crypto_kpi_connect_func crypto_kpi_connect;
  utun_crypto_kpi_send_func    crypto_kpi_send;
} utun_crypto_kpi_reg_t;

typedef struct utun_crypto_kpi_reg_list {
  utun_crypto_kpi_reg_t            reg;
  struct utun_crypto_kpi_reg_list *next;
} utun_crypto_kpi_reg_list_t;

void
utun_ctl_init_crypto(void);

/*
 * Summary: registers the crypto KPI's Kext routines with UTUN... so that UTUN can make calls into it (e.g. DTLS)
 */
errno_t
utun_crypto_kpi_register(utun_crypto_kpi_reg_t *reg);

void
utun_cleanup_crypto(struct utun_pcb *pcb);

errno_t
utun_ctl_enable_crypto(__unused kern_ctl_ref  kctlref,
		       __unused u_int32_t     unit, 
		       __unused void         *unitinfo,
		       __unused int           opt, 
		       void                  *data, 
		       size_t                 len);

errno_t
utun_ctl_disable_crypto(__unused kern_ctl_ref  kctlref,
			__unused u_int32_t     unit, 
			__unused void         *unitinfo,
			__unused int           opt, 
			void                  *data, 
			size_t                 len);

errno_t
utun_ctl_config_crypto_keys(__unused kern_ctl_ref  kctlref,
			    __unused u_int32_t	   unit, 
			    __unused void         *unitinfo,
			    __unused int           opt, 
			    void                  *data, 
			    size_t                 len);

errno_t
utun_ctl_unconfig_crypto_keys(__unused kern_ctl_ref  kctlref,
			      __unused u_int32_t     unit, 
			      __unused void         *unitinfo,
			      __unused int           opt, 
			      void                  *data, 
			      size_t                 len);

errno_t
utun_ctl_config_crypto_framer(__unused kern_ctl_ref  kctlref,
			      __unused u_int32_t	   unit, 
			      __unused void         *unitinfo,
			      __unused int           opt, 
			      void                  *data, 
			      size_t                 len);

errno_t
utun_ctl_unconfig_crypto_framer(__unused kern_ctl_ref  kctlref,
				__unused u_int32_t     unit, 
				__unused void         *unitinfo,
				__unused int           opt, 
				void                  *data, 
				size_t                 len);

errno_t
utun_ctl_generate_crypto_keys_idx(__unused kern_ctl_ref  kctlref,
				  __unused u_int32_t     unit, 
				  __unused void         *unitinfo,
				  __unused int           opt, 
				  void                  *data, 
				  size_t                *len);

errno_t
utun_ctl_stop_crypto_data_traffic(__unused kern_ctl_ref  kctlref,
				  __unused u_int32_t     unit, 
				  __unused void         *unitinfo,
				  __unused int           opt, 
				  void                  *data, 
				  size_t                 len);

errno_t
utun_ctl_start_crypto_data_traffic(__unused kern_ctl_ref  kctlref,
				   __unused u_int32_t     unit, 
				   __unused void         *unitinfo,
				   __unused int           opt, 
				   void                  *data, 
				   size_t                 len);

int
utun_pkt_crypto_output(struct utun_pcb *pcb, mbuf_t *m);

#endif // KERNEL_PRIVATE

#endif // _NET_IF_UTUN_CRYPTO_H_
Commit	Line	Data
316670eb A	1	/*
	2	* Copyright (c) 2011 Apple Inc. All rights reserved.
	3	*
	4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. The rights granted to you under the License
	10	* may not be used to create, or enable the creation or redistribution of,
	11	* unlawful or unlicensed copies of an Apple operating system, or to
	12	* circumvent, violate, or enable the circumvention or violation of, any
	13	* terms of an Apple operating system software license agreement.
	14	*
	15	* Please obtain a copy of the License at
	16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
	17	*
	18	* The Original Code and all software distributed under the License are
	19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	23	* Please see the License for the specific language governing rights and
	24	* limitations under the License.
	25	*
	26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
	27	*/
	28
	29	#ifndef _NET_IF_UTUN_CRYPTO_H_
	30	#define _NET_IF_UTUN_CRYPTO_H_
	31
	32	// constants used in configuring the crypto context
	33	typedef enum utun_crypto_ver {
	34	UTUN_CRYPTO_VER_1 = 1,
	35	UTUN_CRYPTO_VER_MAX,
	36	} utun_crypto_ver_t;
	37
	38	#define UTUN_CRYPTO_KEYS_IPSEC_VER_1 UTUN_CRYPTO_VER_1
	39	#define UTUN_CRYPTO_IPSEC_VER_1 UTUN_CRYPTO_VER_1
39236c6e	40	#define UTUN_CRYPTO_DTLS_VER_1 UTUN_CRYPTO_VER_1
316670eb A	41
	42	#define UTUN_CRYPTO_ARGS_VER_MAX UTUN_CRYPTO_VER_MAX
	43	#define UTUN_CRYPTO_KEYS_ARGS_VER_MAX UTUN_CRYPTO_VER_MAX
39236c6e	44	#define UTUN_CRYPTO_FRAMER_ARGS_VER_MAX UTUN_CRYPTO_VER_MAX
316670eb A	45
	46	typedef enum utun_crypto_dir {
	47	UTUN_CRYPTO_DIR_IN = 1,
	48	UTUN_CRYPTO_DIR_OUT,
	49	UTUN_CRYPTO_DIR_MAX,
	50	} utun_crypto_dir_t;
	51
	52	#define UTUN_CRYPTO_CTX_NUM_DIRS 2
	53
	54	#define BITSTOBYTES(n) (n >> 3)
	55	#define BYTESTOBITS(n) (n << 3)
	56
	57	#define MAX_KEY_AUTH_LEN_BITS 512 // corresponds to SHA512
	58	#define MAX_KEY_AUTH_LEN_BYTES (BITSTOBYTES(MAX_KEY_AUTH_LEN_BITS))
	59	#define MAX_KEY_ENC_LEN_BITS 256 // corresponds to AES256
	60	#define MAX_KEY_ENC_LEN_BYTES (BITSTOBYTES(MAX_KEY_ENC_LEN_BITS))
	61
	62	typedef enum utun_crypto_type {
	63	UTUN_CRYPTO_TYPE_IPSEC = 1,
	64	UTUN_CRYPTO_TYPE_DTLS,
	65	UTUN_CRYPTO_TYPE_MAX,
	66	} utun_crypto_type_t;
	67
	68	typedef enum if_utun_crypto_ipsec_mode {
	69	IF_UTUN_CRYPTO_IPSEC_MODE_NONE = 0,
	70	IF_UTUN_CRYPTO_IPSEC_MODE_TRANSPORT,
	71	IF_UTUN_CRYPTO_IPSEC_MODE_TUNNEL,
	72	IF_UTUN_CRYPTO_IPSEC_MODE_MAX,
	73	} if_utun_crypto_ipsec_mode_t;
	74
	75	typedef enum if_utun_crypto_ipsec_proto {
	76	IF_UTUN_CRYPTO_IPSEC_PROTO_NONE = 0,
	77	IF_UTUN_CRYPTO_IPSEC_PROTO_ESP,
	78	IF_UTUN_CRYPTO_IPSEC_PROTO_AH,
	79	IF_UTUN_CRYPTO_IPSEC_PROTO_MAX,
	80	} if_utun_crypto_ipsec_proto_t;
	81
	82	typedef enum if_utun_crypto_ipsec_auth {
	83	IF_UTUN_CRYPTO_IPSEC_AUTH_NONE = 0,
	84	IF_UTUN_CRYPTO_IPSEC_AUTH_MD5,
	85	IF_UTUN_CRYPTO_IPSEC_AUTH_SHA1,
	86	IF_UTUN_CRYPTO_IPSEC_AUTH_SHA256,
	87	IF_UTUN_CRYPTO_IPSEC_AUTH_SHA384,
	88	IF_UTUN_CRYPTO_IPSEC_AUTH_SHA512,
	89	IF_UTUN_CRYPTO_IPSEC_AUTH_MAX,
	90	} if_utun_crypto_ipsec_auth_t;
	91
	92	typedef enum if_utun_crypto_ipsec_enc {
	93	IF_UTUN_CRYPTO_IPSEC_ENC_NONE = 0,
	94	IF_UTUN_CRYPTO_IPSEC_ENC_DES,
	95	IF_UTUN_CRYPTO_IPSEC_ENC_3DES,
	96	IF_UTUN_CRYPTO_IPSEC_ENC_AES128,
	97	IF_UTUN_CRYPTO_IPSEC_ENC_AES256,
	98	IF_UTUN_CRYPTO_IPSEC_ENC_MAX,
	99	} if_utun_crypto_ipsec_enc_t;
	100
	101	typedef enum if_utun_crypto_ipsec_keepalive {
	102	IF_UTUN_CRYPTO_IPSEC_KEEPALIVE_NONE = 0,
	103	IF_UTUN_CRYPTO_IPSEC_KEEPALIVE_NATT,
	104	IF_UTUN_CRYPTO_IPSEC_KEEPALIVE_ESP,
	105	IF_UTUN_CRYPTO_IPSEC_KEEPALIVE_MAX,
	106	} if_utun_crypto_ipsec_keepalive_t;
	107
	108	typedef enum if_utun_crypto_ipsec_natd {
109	IF_UTUN_CRYPTO_IPSEC_NATD_NONE = 0,
110	IF_UTUN_CRYPTO_IPSEC_NATD_MINE,
111	IF_UTUN_CRYPTO_IPSEC_NATD_PEER,
112	IF_UTUN_CRYPTO_IPSEC_NATD_BOTH,
113	IF_UTUN_CRYPTO_IPSEC_NATD_MAX,
114	} if_utun_crypto_ipsec_natd_t;
115
116	// structures used for storing the App's keying index arguments
117	typedef struct utun_crypto_keys_idx_ipsec_args_v1 {
118	struct sockaddr_storage src_addr; // v4 or v6 socket address (ignore port numbers)
119	struct sockaddr_storage dst_addr; // v4 or v6 socket address (ignore port numbers)
120	if_utun_crypto_ipsec_proto_t proto;
121	if_utun_crypto_ipsec_mode_t mode;
122	u_int32_t reqid; // policy's reqid, default to 0 for now since we are avoiding policies.
123	u_int32_t spi; // 0 when requesting the index, otherwise it contains the resulting index
124	u_int32_t spirange_min; // default to 0
125	u_int32_t spirange_max; // default to 0xffffffff
126	} __attribute__((packed)) utun_crypto_keys_idx_ipsec_args_v1_t;
127
128	typedef struct utun_crypto_keys_idx_dtls_args_v1 {
129	// stub for DTLS keying index arguments
130	u_int32_t unused; // place holder
131	} __attribute__((packed)) utun_crypto_keys_idx_dtls_args_v1_t;
132
133	// App's parent structure for sending/storing keying index arguments
134	typedef struct utun_crypto_keys_idx_args {
135	utun_crypto_ver_t ver;
136	utun_crypto_type_t type;
137	utun_crypto_dir_t dir;
138	u_int32_t args_ulen;
139	u_int32_t varargs_buflen;
140	union {
141	// don't change the order, number, or size of elements above this line (in this struct). otherwise UTUN_CRYPTO_CTX_IDX_ARGS_HDR_SIZE breaks backwards compatibility
142	utun_crypto_keys_idx_ipsec_args_v1_t ipsec_v1;
143	utun_crypto_keys_idx_dtls_args_v1_t dtls_v1;
144	// future (additional) versions of the arguments may be placed here
145	} u;
146	u_int8_t varargs_buf[0];
147	} __attribute__((aligned(4), packed)) utun_crypto_keys_idx_args_t;
148
149	// structures used for storing the App's keying material arguments
150	typedef struct utun_crypto_keys_ipsec_args_v1 {
151	struct sockaddr_storage src_addr; // v4 or v6 socket address (ignore port numbers)
152	struct sockaddr_storage dst_addr; // v4 or v6 socket address (ignore port numbers)
153	if_utun_crypto_ipsec_proto_t proto;
154	if_utun_crypto_ipsec_mode_t mode;
155	if_utun_crypto_ipsec_auth_t alg_auth;
156	if_utun_crypto_ipsec_enc_t alg_enc;
157	if_utun_crypto_ipsec_keepalive_t keepalive;
158	if_utun_crypto_ipsec_natd_t natd;
159	u_int8_t replay; // window size default to 4
160	u_int8_t punt_rx_keepalive;
161	u_int16_t interval_tx_keepalive;
162	u_int16_t key_auth_len; // 128 or 160 or 192 or 256 or 384 or 512
163	u_int16_t key_enc_len; // 64 or 128 or 192 or 256
164	u_int16_t natt_port; // if non-zero flags will be set to include SADB_X_EXT_NATT
165	u_int16_t unused;
166	u_int32_t seq; // default to 0
167	u_int32_t spi;
168	u_int32_t pid; // vpnagent's process id
169	u_int32_t reqid; // policy's reqid, default to 0 for now since we are avoiding policies.
170	u_int64_t lifetime_hard; // value in seconds
171	u_int64_t lifetime_soft; // value in seconds
172	// key_auth and key_enc will actually be stored in utun_crypto_KEYS_args_t.varargs_buf
173	} __attribute__((packed)) utun_crypto_keys_ipsec_args_v1_t;
174
39236c6e	175	typedef struct utun_crypto_keys_dtls_args_v1 {
316670eb A	176	// stub for DTLS keying material arguments
	177	u_int32_t unused; // place holder
	178	} __attribute__((packed)) utun_crypto_keys_dtls_args_v1_t;
	179
	180	// App's parent structure for sending/storing keying material arguments
	181	typedef struct utun_crypto_keys_args {
	182	utun_crypto_ver_t ver;
	183	utun_crypto_type_t type;
	184	utun_crypto_dir_t dir;
	185	u_int32_t args_ulen;
	186	u_int32_t varargs_buflen;
	187	union {
	188	// don't change the order, number, or size of elements above this line (in this struct). otherwise UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE breaks backwards compatibility
	189	utun_crypto_keys_ipsec_args_v1_t ipsec_v1;
	190	utun_crypto_keys_dtls_args_v1_t dtls_v1;
	191	// future (additional) versions of the arguments may be placed here
	192	} u;
	193	u_int8_t varargs_buf[0];
	194	} __attribute__((aligned(4), packed)) utun_crypto_keys_args_t;
	195
	196	// structures used for storing the App's crypto arguments
	197	typedef struct utun_crypto_ipsec_args_v1 {
	198	// stub for IPSec crypto context arguments
	199	u_int32_t unused; // place holder
	200	} __attribute__((packed)) utun_crypto_ipsec_args_v1_t;
	201
	202	typedef struct utun_crypto_dtls_args_v1 {
	203	// stub for DTLS crypto context arguments
39236c6e	204	int kpi_handle;
316670eb A	205	} __attribute__((packed)) utun_crypto_dtls_args_v1_t;
	206
	207	// App's parent structure for starting/stopping crypto
	208	typedef struct utun_crypto_args {
	209	utun_crypto_ver_t ver;
	210	utun_crypto_type_t type;
	211	u_int32_t stop_data_traffic;
	212	u_int32_t args_ulen;
	213	u_int32_t varargs_buflen;
	214	union {
	215	// don't change the order, number, or size of elements above this line (in this struct). otherwise UTUN_CRYPTO_ARGS_HDR_SIZE breaks backwards compatibility
	216	utun_crypto_ipsec_args_v1_t ipsec_v1;
	217	utun_crypto_dtls_args_v1_t dtls_v1;
	218	// future (additional) versions of the arguments may be placed here
	219	} u;
	220	u_int8_t varargs_buf[0]; // must be at the end of this struct
	221	} __attribute__((aligned(4), packed)) utun_crypto_args_t;
	222
39236c6e A	223	typedef enum {
	224	UTUN_CRYPTO_INNER_TYPE_IPv4 = 1,
	225	UTUN_CRYPTO_INNER_TYPE_IPv6,
	226	UTUN_CRYPTO_INNER_TYPE_MAX,
	227	} utun_crypto_framer_inner_type_t;
	228
	229	typedef struct utun_crypto_framer_ipsec_args_v1 {
	230	// stub for IPSec framer arguments
	231	u_int32_t unused; // place holder
	232	} __attribute__((packed)) utun_crypto_framer_ipsec_args_v1_t;
	233
	234	typedef struct utun_crypto_framer_dtls_in_args_v1 {
	235	int in_pattern_len;
	236	int in_pattern_mask_len;
	237	int in_data_offset;
	238	// in_pattern, in_pattern_mask will actually be stored in utun_crypto_framer_args_t.varargs_buf
	239	} __attribute__((packed)) utun_crypto_framer_dtls_in_args_v1_t;
	240
	241	typedef struct utun_crypto_framer_dtls_out_args_v1 {
	242	int out_pattern_len;
	243	u_int32_t len_field_mask; // 0 means unconfigured
	244	int len_field_offset;
	245	int len_field_extra;
	246	u_int32_t sequence_field;
	247	u_int32_t sequence_field_mask; // 0 means unconfigured
	248	int sequence_field_offset;
	249	// out_pattern will actually be stored in utun_crypto_framer_args_t.varargs_buf
	250	} __attribute__((packed)) utun_crypto_framer_dtls_out_args_v1_t;
	251
	252	typedef struct utun_crypto_framer_dtls_args_v1 {
	253	// the following depend on utun_crypto_framer_args_t.dir
	254	union {
	255	// don't change the order, number, or size of elements above this line (in this struct). otherwise UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE breaks backwards compatibility
	256	utun_crypto_framer_dtls_in_args_v1_t in;
	257	utun_crypto_framer_dtls_out_args_v1_t out;
	258	// future (additional) versions of the arguments may be placed here
	259	} u;
	260	} __attribute__((packed)) utun_crypto_framer_dtls_args_v1_t;
	261
	262	// App's parent structure for sending/storing framer arguments
	263	typedef struct utun_crypto_framer_args {
	264	utun_crypto_ver_t ver;
	265	utun_crypto_type_t type;
	266	utun_crypto_dir_t dir;
	267	utun_crypto_framer_inner_type_t inner_type;
	268	u_int32_t args_ulen;
	269	u_int32_t varargs_buflen;
	270	union {
	271	// don't change the order, number, or size of elements above this line (in this struct). otherwise UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE breaks backwards compatibility
	272	utun_crypto_framer_ipsec_args_v1_t ipsec_v1;
	273	utun_crypto_framer_dtls_args_v1_t dtls_v1;
	274	// future (additional) versions of the arguments may be placed here
	275	} u;
	276	u_int8_t varargs_buf[0];
	277	} __attribute__((aligned(4), packed)) utun_crypto_framer_args_t;
	278
	279	#define utun_crypto_framer_args_dtls_in(framer) framer->u.dtls_v1.u.in
	280	#define utun_crypto_framer_args_dtls_out(framer) framer->u.dtls_v1.u.out
	281
316670eb A	282	#ifdef KERNEL_PRIVATE
	283
	284	#include <sys/kern_control.h>
	285	#include <net/kpi_protocol.h>
	286	#include <net/kpi_interface.h>
	287	#include <net/pfkeyv2.h>
	288	#include <netkey/key.h>
	289	#include <netkey/keydb.h>
39236c6e	290	#include <net/bpf.h>
316670eb A	291
	292	struct utun_pcb;
	293
	294	// structures used for storing kernel's keying material runtime state
	295	typedef struct utun_crypto_keys_ipsec_state {
	296	// kernel's ipsec keying material state
	297	u_int32_t spi;
	298	struct secashead *sah;
	299	struct secasvar *sav;
	300	u_int8_t proto;
	301	u_int8_t ifamily;
	302	u_int8_t mode;
	303	u_int8_t unused;
	304	} __attribute__((packed)) utun_crypto_keys_ipsec_state_t;
	305
	306	typedef struct utun_crypto_keys_dtls_state {
	307	// stub for kernel's DTLS keying material state
	308	u_int32_t unused; // place holder
	309	} __attribute__((packed)) utun_crypto_keys_dtls_state_t;
	310
	311	// kernel's parent structure for keying material state
	312	typedef struct utun_crypto_keys_state {
	313	union {
	314	utun_crypto_keys_ipsec_state_t ipsec;
	315	utun_crypto_keys_dtls_state_t dtls;
	316	} u;
	317	} __attribute__((aligned(4), packed)) utun_crypto_keys_state_t;
	318
	319	// kernel's parent structure for keying material
	320	typedef struct utun_crypto_keys {
	321	int valid; // is valid?
	322	utun_crypto_type_t type;
	323	u_int16_t unused;
	324	utun_crypto_keys_state_t state; // runtime state
	325	LIST_ENTRY(utun_crypto_keys) chain;
	326	} __attribute__((aligned(4), packed)) utun_crypto_keys_t;
	327
39236c6e A	328	// structures used for storing kernel's framer runtime state
	329	typedef struct utun_crypto_framer_ipsec_state {
	330	// stub for kernel's IPSec framer state
	331	u_int32_t unused; // place holder
	332	} __attribute__((packed)) utun_crypto_framer_ipsec_state_t;
	333
	334	typedef struct utun_crypto_framer_dtls_in_state {
	335	u_int8_t *in_pattern;
	336	int in_pattern_len;
	337	u_int8_t *in_pattern_mask;
	338	u_int8_t *in_pattern_masked;
	339	int in_data_offset;
	340	struct bpf_program in_pattern_filter;
	341	} __attribute__((packed)) utun_crypto_framer_dtls_in_state_t;
	342
	343	typedef struct utun_crypto_framer_dtls_out_state {
	344	u_int8_t *out_pattern;
	345	int out_pattern_len;
	346	u_int32_t len_field_mask; // 0 means unconfigured
	347	int len_field_offset;
	348	int len_field_extra;
	349	u_int32_t sequence_field;
	350	u_int32_t sequence_field_initval;
	351	u_int32_t sequence_field_mask; // 0 means unconfigured
	352	int sequence_field_offset;
	353	} __attribute__((packed)) utun_crypto_framer_dtls_out_state_t;
	354
	355	typedef struct utun_crypto_framer_dtls_state {
	356	union {
	357	// don't change the order, number, or size of elements above this line (in this struct). otherwise UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE breaks backwards compatibility
	358	utun_crypto_framer_dtls_in_state_t in;
	359	utun_crypto_framer_dtls_out_state_t out;
	360	// future (additional) versions of the arguments may be placed here
	361	} u;
	362	} __attribute__((packed)) utun_crypto_framer_dtls_state_t;
	363
	364	// kernel's parent structure for framer state
	365	typedef struct utun_crypto_framer_state {
	366	union {
	367	utun_crypto_framer_ipsec_state_t ipsec;
	368	utun_crypto_framer_dtls_state_t dtls;
	369	} u;
	370	} __attribute__((aligned(4), packed)) utun_crypto_framer_state_t;
	371
	372	// kernel's parent structure for the framer
	373	typedef struct utun_crypto_framer {
	374	int valid; // is valid?
	375	utun_crypto_type_t type;
	376	utun_crypto_dir_t dir;
	377	utun_crypto_framer_inner_type_t inner_type;
	378	protocol_family_t inner_protocol_family;
	379	utun_crypto_framer_state_t state; // runtime state
	380	LIST_ENTRY(utun_crypto_framer) framer_chain;
	381	} __attribute__((aligned(4), packed)) utun_crypto_framer_t;
	382
	383	#define UTUN_CRYPTO_INNER_TYPE_TO_IDX(type) (type - 1)
	384	#define UTUN_CRYPTO_IDX_TO_INNER_TYPE(idx) (idx + 1)
	385	#define UTUN_CRYPTO_INNER_TYPE_IDX_MAX UTUN_CRYPTO_INNER_TYPE_TO_IDX(UTUN_CRYPTO_INNER_TYPE_MAX)
	386
	387	#define UTUN_CRYPTO_DIR_TO_IDX(dir) (dir - 1)
	388	#define UTUN_CRYPTO_IDX_TO_DIR(idx) (idx + 1)
	389	#define UTUN_CRYPTO_DIR_IDX_MAX UTUN_CRYPTO_DIR_TO_IDX(UTUN_CRYPTO_DIR_MAX)
	390
	391	#define utun_crypto_framer_state_dtls_in(framer) framer->state.u.dtls.u.in
392	#define utun_crypto_framer_state_dtls_out(framer) framer->state.u.dtls.u.out
393
316670eb A	394	// kernel's parent structure for all crypto stuff
	395	typedef struct utun_crypto_ctx {
	396	int valid;
	397	utun_crypto_type_t type;
	398	u_int16_t unused;
	399	LIST_HEAD(chain, utun_crypto_keys) keys_listhead;
39236c6e A	400	LIST_HEAD(framer_chain, utun_crypto_framer) framer_listheads[UTUN_CRYPTO_INNER_TYPE_IDX_MAX];
	401	int num_framers;
	402	int kpi_handle;
	403	caddr_t kpi_ref;
	404	int kpi_refcnt;
316670eb A	405	} __attribute__((aligned(4), packed)) utun_crypto_ctx_t;
	406
	407	#define UTUN_CRYPTO_KEYS_IDX_ARGS_HDR_SIZE ((size_t)(&((utun_crypto_keys_idx_args_t *)0)->u))
	408	#define UTUN_CRYPTO_KEYS_IDX_ARGS_VARARGS_BUF(args) ((u_int8_t *)args + UTUN_CRYPTO_KEYS_IDX_ARGS_HDR_SIZE + args->args_ulen)
	409	#define UTUN_CRYPTO_KEYS_IDX_ARGS_TOTAL_SIZE(args) ((size_t)(UTUN_CRYPTO_KEYS_IDX_ARGS_HDR_SIZE + args->args_ulen + args->varargs_buflen))
	410
	411	#define UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE ((size_t)(&((utun_crypto_keys_args_t *)0)->u))
	412	#define UTUN_CRYPTO_KEYS_ARGS_VARARGS_BUF(args) ((u_int8_t *)args + UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE + args->args_ulen)
	413	#define UTUN_CRYPTO_KEYS_ARGS_TOTAL_SIZE(args) ((size_t)(UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE + args->args_ulen + args->varargs_buflen))
	414
39236c6e A	415	#define UTUN_CRYPTO_FRAMER_ARGS_HDR_SIZE ((size_t)(&((utun_crypto_framer_args_t *)0)->u))
	416	#define UTUN_CRYPTO_FRAMER_ARGS_VARARGS_BUF(args) ((u_int8_t *)args + UTUN_CRYPTO_FRAMER_ARGS_HDR_SIZE + args->args_ulen)
	417	#define UTUN_CRYPTO_FRAMER_ARGS_TOTAL_SIZE(args) ((size_t)(UTUN_CRYPTO_FRAMER_ARGS_HDR_SIZE + args->args_ulen + args->varargs_buflen))
	418
316670eb A	419	#define UTUN_CRYPTO_ARGS_HDR_SIZE ((size_t)(&((utun_crypto_args_t *)0)->u))
	420	#define UTUN_CRYPTO_ARGS_VARARGS_BUF(args) ((u_int8_t *)args + UTUN_CRYPTO_ARGS_HDR_SIZE + args->args_ulen)
	421	#define UTUN_CRYPTO_ARGS_TOTAL_SIZE(args) ((size_t)(UTUN_CRYPTO_ARGS_HDR_SIZE + args->args_ulen + args->varargs_buflen))
	422
39236c6e A	423	typedef caddr_t (utun_crypto_kpi_connect_func)(int kpi_handle, struct utun_pcb utun_ref);
	424
	425	typedef errno_t (utun_crypto_kpi_send_func)(caddr_t ref, mbuf_t pkt);
	426
	427	typedef struct utun_crypto_kpi_reg {
	428	/* Dispatch functions */
	429	utun_crypto_type_t crypto_kpi_type;
	430	u_int32_t crypto_kpi_flags;
	431	utun_crypto_kpi_connect_func crypto_kpi_connect;
	432	utun_crypto_kpi_send_func crypto_kpi_send;
	433	} utun_crypto_kpi_reg_t;
	434
	435	typedef struct utun_crypto_kpi_reg_list {
	436	utun_crypto_kpi_reg_t reg;
	437	struct utun_crypto_kpi_reg_list *next;
	438	} utun_crypto_kpi_reg_list_t;
	439
	440	void
	441	utun_ctl_init_crypto(void);
	442
	443	/*
	444	* Summary: registers the crypto KPI's Kext routines with UTUN... so that UTUN can make calls into it (e.g. DTLS)
	445	*/
	446	errno_t
	447	utun_crypto_kpi_register(utun_crypto_kpi_reg_t *reg);
316670eb A	448
	449	void
	450	utun_cleanup_crypto(struct utun_pcb *pcb);
	451
	452	errno_t
	453	utun_ctl_enable_crypto(__unused kern_ctl_ref kctlref,
	454	__unused u_int32_t unit,
	455	__unused void *unitinfo,
	456	__unused int opt,
	457	void *data,
	458	size_t len);
	459
	460	errno_t
	461	utun_ctl_disable_crypto(__unused kern_ctl_ref kctlref,
	462	__unused u_int32_t unit,
	463	__unused void *unitinfo,
	464	__unused int opt,
	465	void *data,
	466	size_t len);
	467
	468	errno_t
	469	utun_ctl_config_crypto_keys(__unused kern_ctl_ref kctlref,
	470	__unused u_int32_t unit,
	471	__unused void *unitinfo,
	472	__unused int opt,
	473	void *data,
	474	size_t len);
	475
	476	errno_t
	477	utun_ctl_unconfig_crypto_keys(__unused kern_ctl_ref kctlref,
	478	__unused u_int32_t unit,
	479	__unused void *unitinfo,
	480	__unused int opt,
	481	void *data,
	482	size_t len);
	483
39236c6e A	484	errno_t
	485	utun_ctl_config_crypto_framer(__unused kern_ctl_ref kctlref,
	486	__unused u_int32_t unit,
	487	__unused void *unitinfo,
	488	__unused int opt,
	489	void *data,
	490	size_t len);
	491
	492	errno_t
	493	utun_ctl_unconfig_crypto_framer(__unused kern_ctl_ref kctlref,
	494	__unused u_int32_t unit,
	495	__unused void *unitinfo,
	496	__unused int opt,
	497	void *data,
	498	size_t len);
	499
316670eb A	500	errno_t
	501	utun_ctl_generate_crypto_keys_idx(__unused kern_ctl_ref kctlref,
	502	__unused u_int32_t unit,
	503	__unused void *unitinfo,
	504	__unused int opt,
	505	void *data,
	506	size_t *len);
	507
	508	errno_t
	509	utun_ctl_stop_crypto_data_traffic(__unused kern_ctl_ref kctlref,
	510	__unused u_int32_t unit,
	511	__unused void *unitinfo,
	512	__unused int opt,
	513	void *data,
	514	size_t len);
	515
	516	errno_t
	517	utun_ctl_start_crypto_data_traffic(__unused kern_ctl_ref kctlref,
	518	__unused u_int32_t unit,
	519	__unused void *unitinfo,
	520	__unused int opt,
	521	void *data,
	522	size_t len);
	523
	524	int
	525	utun_pkt_crypto_output(struct utun_pcb pcb, mbuf_t m);
	526
	527	#endif // KERNEL_PRIVATE
	528
	529	#endif // _NET_IF_UTUN_CRYPTO_H_