[apple/xnu.git] / bsd / netinet6 / ipsec.h

/*	$FreeBSD: src/sys/netinet6/ipsec.h,v 1.4.2.2 2001/07/03 11:01:54 ume Exp $	*/
/*	$KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $	*/

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * IPsec controller part.
 */

#ifndef _NETINET6_IPSEC_H_
#define _NETINET6_IPSEC_H_
#include <sys/cdefs.h>
#include <sys/appleapiopts.h>

#include <net/pfkeyv2.h>
#ifdef BSD_KERNEL_PRIVATE
#include <netkey/keydb.h>
#include <netinet/ip_var.h>

/* lock for IPSec stats */
extern lck_grp_t         *sadb_stat_mutex_grp;
extern lck_grp_attr_t    *sadb_stat_mutex_grp_attr;
extern lck_attr_t        *sadb_stat_mutex_attr;
extern lck_mtx_t         *sadb_stat_mutex;


#define IPSEC_STAT_INCREMENT(x)	\
	OSIncrementAtomic64((SInt64 *)&x)

struct secpolicyaddrrange {
	struct sockaddr_storage start;	/* Start (low values) of address range */
	struct sockaddr_storage end;	/* End (high values) of address range */
};

/*
 * Security Policy Index
 * Ensure that both address families in the "src" and "dst" are same.
 * When the value of the ul_proto is ICMPv6, the port field in "src"
 * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
 */
struct secpolicyindex {
	u_int8_t dir;			/* direction of packet flow, see blow */
	struct sockaddr_storage src;	/* IP src address for SP */
	struct sockaddr_storage dst;	/* IP dst address for SP */
	u_int8_t prefs;			/* prefix length in bits for src */
	u_int8_t prefd;			/* prefix length in bits for dst */
	u_int16_t ul_proto;		/* upper layer Protocol */
	ifnet_t internal_if; /* Interface a matching packet is bound to */
	struct secpolicyaddrrange src_range;	/* IP src address range for SP */
	struct secpolicyaddrrange dst_range;	/* IP dst address range for SP */
#ifdef notyet
	uid_t uids;
	uid_t uidd;
	gid_t gids;
	gid_t gidd;
#endif
};

/* Security Policy Data Base */
struct secpolicy {
	LIST_ENTRY(secpolicy) chain;

	int refcnt;			/* reference count */
	struct secpolicyindex spidx;	/* selector */
	u_int32_t id;			/* It's unique number on the system. */
	u_int state;			/* 0: dead, others: alive */
#define IPSEC_SPSTATE_DEAD	0
#define IPSEC_SPSTATE_ALIVE	1

	u_int policy;		/* DISCARD, NONE or IPSEC, see keyv2.h */
	struct ipsecrequest *req;
				/* pointer to the ipsec request tree, */
				/* if policy == IPSEC else this value == NULL.*/

	ifnet_t ipsec_if; /* IPSec interface to use */
	ifnet_t outgoing_if; /* Outgoing interface for encrypted traffic */
    
	char disabled; /* Set to ignore policy */
    
	/*
	 * lifetime handler.
	 * the policy can be used without limitiation if both lifetime and
	 * validtime are zero.
	 * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
	 * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
	 */
	long created;		/* time created the policy */
	long lastused;		/* updated every when kernel sends a packet */
	long lifetime;		/* duration of the lifetime of this policy */
	long validtime;		/* duration this policy is valid without use */
};

/* Request for IPsec */
struct ipsecrequest {
	struct ipsecrequest *next;
				/* pointer to next structure */
				/* If NULL, it means the end of chain. */
	struct secasindex saidx;/* hint for search proper SA */
				/* if __ss_len == 0 then no address specified.*/
	u_int level;		/* IPsec level defined below. */

	struct secpolicy *sp;	/* back pointer to SP */
};

/* security policy in PCB */
struct inpcbpolicy {
	struct secpolicy *sp_in;
	struct secpolicy *sp_out;
	int priv;			/* privileged socket ? */
};

/* SP acquiring list table. */
struct secspacq {
	LIST_ENTRY(secspacq) chain;

	struct secpolicyindex spidx;

	long created;		/* for lifetime */
	int count;		/* for lifetime */
	/* XXX: here is mbuf place holder to be sent ? */
};
#endif /* BSD_KERNEL_PRIVATE */

/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
#define IPSEC_PORT_ANY		0
#define IPSEC_ULPROTO_ANY	255
#define IPSEC_PROTO_ANY		255

/* mode of security protocol */
/* NOTE: DON'T use IPSEC_MODE_ANY at SPD.  It's only use in SAD */
#define	IPSEC_MODE_ANY		0	/* i.e. wildcard. */
#define	IPSEC_MODE_TRANSPORT	1
#define	IPSEC_MODE_TUNNEL	2

/*
 * Direction of security policy.
 * NOTE: Since INVALID is used just as flag.
 * The other are used for loop counter too.
 */
#define IPSEC_DIR_ANY		0
#define IPSEC_DIR_INBOUND	1
#define IPSEC_DIR_OUTBOUND	2
#define IPSEC_DIR_MAX		3
#define IPSEC_DIR_INVALID	4

/* Policy level */
/*
 * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
 * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
 * DISCARD and NONE are allowed for system default.
 */
#define IPSEC_POLICY_DISCARD	0	/* discarding packet */
#define IPSEC_POLICY_NONE	1	/* through IPsec engine */
#define IPSEC_POLICY_IPSEC	2	/* do IPsec */
#define IPSEC_POLICY_ENTRUST	3	/* consulting SPD if present. */
#define IPSEC_POLICY_BYPASS	4	/* only for privileged socket. */
#define IPSEC_POLICY_GENERATE   5       /* same as discard - IKE daemon can override with generated policy */

/* Security protocol level */
#define	IPSEC_LEVEL_DEFAULT	0	/* reference to system default */
#define	IPSEC_LEVEL_USE		1	/* use SA if present. */
#define	IPSEC_LEVEL_REQUIRE	2	/* require SA. */
#define	IPSEC_LEVEL_UNIQUE	3	/* unique SA. */

#define IPSEC_MANUAL_REQID_MAX	0x3fff
				/*
				 * if security policy level == unique, this id
				 * indicate to a relative SA for use, else is
				 * zero.
				 * 1 - 0x3fff are reserved for manual keying.
				 * 0 are reserved for above reason.  Others is
				 * for kernel use.
				 * Note that this id doesn't identify SA
				 * by only itself.
				 */
#define IPSEC_REPLAYWSIZE  32

/* statistics for ipsec processing */
struct ipsecstat {
	u_quad_t in_success __attribute__ ((aligned (8))); /* succeeded inbound process */
	u_quad_t in_polvio __attribute__ ((aligned (8)));
			/* security policy violation for inbound process */
	u_quad_t in_nosa __attribute__ ((aligned (8)));     /* inbound SA is unavailable */
	u_quad_t in_inval __attribute__ ((aligned (8)));    /* inbound processing failed due to EINVAL */
	u_quad_t in_nomem __attribute__ ((aligned (8)));    /* inbound processing failed due to ENOBUFS */
	u_quad_t in_badspi __attribute__ ((aligned (8)));   /* failed getting a SPI */
	u_quad_t in_ahreplay __attribute__ ((aligned (8))); /* AH replay check failed */
	u_quad_t in_espreplay __attribute__ ((aligned (8))); /* ESP replay check failed */
	u_quad_t in_ahauthsucc __attribute__ ((aligned (8))); /* AH authentication success */
	u_quad_t in_ahauthfail __attribute__ ((aligned (8))); /* AH authentication failure */
	u_quad_t in_espauthsucc __attribute__ ((aligned (8))); /* ESP authentication success */
	u_quad_t in_espauthfail __attribute__ ((aligned (8))); /* ESP authentication failure */
	u_quad_t in_esphist[256] __attribute__ ((aligned (8)));
	u_quad_t in_ahhist[256] __attribute__ ((aligned (8)));
	u_quad_t in_comphist[256] __attribute__ ((aligned (8)));
	u_quad_t out_success __attribute__ ((aligned (8))); /* succeeded outbound process */
	u_quad_t out_polvio __attribute__ ((aligned (8)));
			/* security policy violation for outbound process */
	u_quad_t out_nosa __attribute__ ((aligned (8)));    /* outbound SA is unavailable */
	u_quad_t out_inval __attribute__ ((aligned (8)));   /* outbound process failed due to EINVAL */
	u_quad_t out_nomem __attribute__ ((aligned (8)));    /* inbound processing failed due to ENOBUFS */
	u_quad_t out_noroute __attribute__ ((aligned (8))); /* there is no route */
	u_quad_t out_esphist[256] __attribute__ ((aligned (8)));
	u_quad_t out_ahhist[256] __attribute__ ((aligned (8)));
	u_quad_t out_comphist[256] __attribute__ ((aligned (8)));
};

#ifdef BSD_KERNEL_PRIVATE
/*
 * Definitions for IPsec & Key sysctl operations.
 */
/*
 * Names for IPsec & Key sysctl objects
 */
#define IPSECCTL_STATS			1	/* stats */
#define IPSECCTL_DEF_POLICY		2
#define IPSECCTL_DEF_ESP_TRANSLEV	3	/* int; ESP transport mode */
#define IPSECCTL_DEF_ESP_NETLEV		4	/* int; ESP tunnel mode */
#define IPSECCTL_DEF_AH_TRANSLEV	5	/* int; AH transport mode */
#define IPSECCTL_DEF_AH_NETLEV		6	/* int; AH tunnel mode */
#if 0	/* obsolete, do not reuse */
#define IPSECCTL_INBOUND_CALL_IKE	7
#endif
#define	IPSECCTL_AH_CLEARTOS		8
#define	IPSECCTL_AH_OFFSETMASK		9
#define	IPSECCTL_DFBIT			10
#define	IPSECCTL_ECN			11
#define	IPSECCTL_DEBUG			12
#define	IPSECCTL_ESP_RANDPAD		13
#define IPSECCTL_MAXID			14

#define IPSECCTL_NAMES { \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "def_policy", CTLTYPE_INT }, \
	{ "esp_trans_deflev", CTLTYPE_INT }, \
	{ "esp_net_deflev", CTLTYPE_INT }, \
	{ "ah_trans_deflev", CTLTYPE_INT }, \
	{ "ah_net_deflev", CTLTYPE_INT }, \
	{ 0, 0 }, \
	{ "ah_cleartos", CTLTYPE_INT }, \
	{ "ah_offsetmask", CTLTYPE_INT }, \
	{ "dfbit", CTLTYPE_INT }, \
	{ "ecn", CTLTYPE_INT }, \
	{ "debug", CTLTYPE_INT }, \
	{ "esp_randpad", CTLTYPE_INT }, \
}

#define IPSEC6CTL_NAMES { \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "def_policy", CTLTYPE_INT }, \
	{ "esp_trans_deflev", CTLTYPE_INT }, \
	{ "esp_net_deflev", CTLTYPE_INT }, \
	{ "ah_trans_deflev", CTLTYPE_INT }, \
	{ "ah_net_deflev", CTLTYPE_INT }, \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "ecn", CTLTYPE_INT }, \
	{ "debug", CTLTYPE_INT }, \
	{ "esp_randpad", CTLTYPE_INT }, \
}

#if defined(__ARM__)
#define IPSEC_IS_P2ALIGNED(p)        IS_P2ALIGNED(p, sizeof (u_int32_t))
#define IPSEC_GET_P2UNALIGNED_OFS(p) (sizeof(u_int32_t) - (((uintptr_t)(p)) & ((uintptr_t)(sizeof(u_int32_t)) - 1)))
#else
#define IPSEC_IS_P2ALIGNED(p)        1
#define IPSEC_GET_P2UNALIGNED_OFS(p) 0
#endif

struct ipsec_output_state {
	int tunneled;
	struct mbuf *m;
	struct route_in6 ro;
	struct sockaddr *dst;
	u_int outgoing_if;
};

struct ipsec_history {
	int ih_proto;
	u_int32_t ih_spi;
};

extern int ipsec_debug;

extern struct ipsecstat ipsecstat;
extern struct secpolicy ip4_def_policy;
extern int ip4_esp_trans_deflev;
extern int ip4_esp_net_deflev;
extern int ip4_ah_trans_deflev;
extern int ip4_ah_net_deflev;
extern int ip4_ah_cleartos;
extern int ip4_ah_offsetmask;
extern int ip4_ipsec_dfbit;
extern int ip4_ipsec_ecn;
extern int ip4_esp_randpad;

#define ipseclog(x)	do { if (ipsec_debug) log x; } while (0)

extern struct secpolicy *ipsec4_getpolicybysock(struct mbuf *, u_int,
						struct socket *, int *);
extern struct secpolicy *ipsec4_getpolicybyaddr(struct mbuf *, u_int, int,
						int *);
extern int ipsec4_getpolicybyinterface(struct mbuf *, u_int, int *,
                        struct ip_out_args *, struct secpolicy **);

extern u_int ipsec_get_reqlevel(struct ipsecrequest *);

struct inpcb;
extern int ipsec_init_policy(struct socket *so, struct inpcbpolicy **);
extern int ipsec_copy_policy(struct inpcbpolicy *, struct inpcbpolicy *);
extern u_int ipsec_get_reqlevel(struct ipsecrequest *);

extern int ipsec4_set_policy(struct inpcb *inp, int optname,
						caddr_t request, size_t len, int priv);
extern int ipsec4_delete_pcbpolicy(struct inpcb *);
extern int ipsec4_in_reject_so(struct mbuf *, struct socket *);
extern int ipsec4_in_reject(struct mbuf *, struct inpcb *);

struct secas;
struct tcpcb;
extern int ipsec_chkreplay(u_int32_t, struct secasvar *);
extern int ipsec_updatereplay(u_int32_t, struct secasvar *);

extern size_t ipsec4_hdrsiz(struct mbuf *, u_int, struct inpcb *);
extern size_t ipsec_hdrsiz_tcp(struct tcpcb *);
extern size_t ipsec_hdrsiz(struct secpolicy *);

struct ip;
extern const char *ipsec4_logpacketstr(struct ip *, u_int32_t);
extern const char *ipsec_logsastr(struct secasvar *);

extern void ipsec_dumpmbuf(struct mbuf *);

extern int ipsec4_interface_output(struct ipsec_output_state *state, ifnet_t interface);
extern int ipsec4_output(struct ipsec_output_state *, struct secpolicy *, int);
#if INET
extern struct mbuf * ipsec4_splithdr(struct mbuf *);
extern int ipsec4_encapsulate(struct mbuf *, struct secasvar *);
#endif
#if INET6
extern struct mbuf * ipsec6_splithdr(struct mbuf *);
extern int ipsec6_encapsulate(struct mbuf *, struct secasvar *);
#endif
extern int ipsec4_tunnel_validate(struct mbuf *, int, u_int, struct secasvar *, sa_family_t *);
extern struct mbuf *ipsec_copypkt(struct mbuf *);
extern void ipsec_delaux(struct mbuf *);
extern int ipsec_setsocket(struct mbuf *, struct socket *);
extern struct socket *ipsec_getsocket(struct mbuf *);
extern int ipsec_addhist(struct mbuf *, int, u_int32_t); 
extern struct ipsec_history *ipsec_gethist(struct mbuf *, int *);
extern void ipsec_clearhist(struct mbuf *);
#endif /* BSD_KERNEL_PRIVATE */

#ifndef KERNEL
__BEGIN_DECLS
extern caddr_t ipsec_set_policy(char *, int);
extern int ipsec_get_policylen(caddr_t);
extern char *ipsec_dump_policy(caddr_t, char *);

extern const char *ipsec_strerror(void);
__END_DECLS
#endif /* KERNEL */

#endif /* _NETINET6_IPSEC_H_ */
Commit	Line	Data
9bccf70c A	1	/* $FreeBSD: src/sys/netinet6/ipsec.h,v 1.4.2.2 2001/07/03 11:01:54 ume Exp $ */
9bccf70c A	2	/* $KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $ */
1c79356b A	3
	4	/*
	5	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	6	* All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	* 1. Redistributions of source code must retain the above copyright
	12	* notice, this list of conditions and the following disclaimer.
	13	* 2. Redistributions in binary form must reproduce the above copyright
	14	* notice, this list of conditions and the following disclaimer in the
	15	* documentation and/or other materials provided with the distribution.
	16	* 3. Neither the name of the project nor the names of its contributors
	17	* may be used to endorse or promote products derived from this software
	18	* without specific prior written permission.
	19	*
	20	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	21	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	22	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	23	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	24	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	25	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	26	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	27	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	28	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	29	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	30	* SUCH DAMAGE.
	31	*/
	32
	33	/*
	34	* IPsec controller part.
	35	*/
	36
	37	#ifndef _NETINET6_IPSEC_H_
	38	#define _NETINET6_IPSEC_H_
b0d623f7	39	#include <sys/cdefs.h>
9bccf70c	40	#include <sys/appleapiopts.h>
1c79356b A	41
1c79356b A	42	#include <net/pfkeyv2.h>
39236c6e	43	#ifdef BSD_KERNEL_PRIVATE
1c79356b	44	#include <netkey/keydb.h>
39236c6e	45	#include <netinet/ip_var.h>
1c79356b	46
2d21ac55	47	/* lock for IPSec stats */
b0d623f7 A	48	extern lck_grp_t *sadb_stat_mutex_grp;
	49	extern lck_grp_attr_t *sadb_stat_mutex_grp_attr;
	50	extern lck_attr_t *sadb_stat_mutex_attr;
	51	extern lck_mtx_t *sadb_stat_mutex;
2d21ac55 A	52
	53
	54	#define IPSEC_STAT_INCREMENT(x) \
3e170ce0	55	OSIncrementAtomic64((SInt64 *)&x)
2d21ac55	56
39236c6e A	57	struct secpolicyaddrrange {
	58	struct sockaddr_storage start; /* Start (low values) of address range */
	59	struct sockaddr_storage end; /* End (high values) of address range */
	60	};
2d21ac55	61
1c79356b A	62	/*
1c79356b A	63	* Security Policy Index
55e303ae A	64	* Ensure that both address families in the "src" and "dst" are same.
	65	* When the value of the ul_proto is ICMPv6, the port field in "src"
	66	* specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
1c79356b A	67	*/
	68	struct secpolicyindex {
	69	u_int8_t dir; /* direction of packet flow, see blow */
	70	struct sockaddr_storage src; /* IP src address for SP */
	71	struct sockaddr_storage dst; /* IP dst address for SP */
	72	u_int8_t prefs; /* prefix length in bits for src */
	73	u_int8_t prefd; /* prefix length in bits for dst */
	74	u_int16_t ul_proto; /* upper layer Protocol */
39236c6e A	75	ifnet_t internal_if; /* Interface a matching packet is bound to */
	76	struct secpolicyaddrrange src_range; /* IP src address range for SP */
	77	struct secpolicyaddrrange dst_range; /* IP dst address range for SP */
1c79356b A	78	#ifdef notyet
	79	uid_t uids;
	80	uid_t uidd;
	81	gid_t gids;
	82	gid_t gidd;
	83	#endif
	84	};
	85
	86	/* Security Policy Data Base */
	87	struct secpolicy {
	88	LIST_ENTRY(secpolicy) chain;
	89
	90	int refcnt; /* reference count */
	91	struct secpolicyindex spidx; /* selector */
	92	u_int32_t id; /* It's unique number on the system. */
	93	u_int state; /* 0: dead, others: alive */
	94	#define IPSEC_SPSTATE_DEAD 0
	95	#define IPSEC_SPSTATE_ALIVE 1
	96
	97	u_int policy; /* DISCARD, NONE or IPSEC, see keyv2.h */
	98	struct ipsecrequest *req;
	99	/* pointer to the ipsec request tree, */
	100	/* if policy == IPSEC else this value == NULL.*/
9bccf70c	101
39236c6e A	102	ifnet_t ipsec_if; /* IPSec interface to use */
	103	ifnet_t outgoing_if; /* Outgoing interface for encrypted traffic */
	104
	105	char disabled; /* Set to ignore policy */
	106
9bccf70c A	107	/*
	108	* lifetime handler.
	109	* the policy can be used without limitiation if both lifetime and
	110	* validtime are zero.
	111	* "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
	112	* "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
	113	*/
	114	long created; /* time created the policy */
	115	long lastused; /* updated every when kernel sends a packet */
	116	long lifetime; /* duration of the lifetime of this policy */
	117	long validtime; /* duration this policy is valid without use */
1c79356b A	118	};
	119
	120	/* Request for IPsec */
	121	struct ipsecrequest {
	122	struct ipsecrequest *next;
	123	/* pointer to next structure */
	124	/* If NULL, it means the end of chain. */
	125	struct secasindex saidx;/* hint for search proper SA */
	126	/* if __ss_len == 0 then no address specified.*/
	127	u_int level; /* IPsec level defined below. */
	128
1c79356b A	129	struct secpolicy sp; / back pointer to SP */
	130	};
	131
	132	/* security policy in PCB */
	133	struct inpcbpolicy {
	134	struct secpolicy *sp_in;
	135	struct secpolicy *sp_out;
	136	int priv; /* privileged socket ? */
	137	};
	138
	139	/* SP acquiring list table. */
	140	struct secspacq {
	141	LIST_ENTRY(secspacq) chain;
	142
	143	struct secpolicyindex spidx;
	144
9bccf70c	145	long created; /* for lifetime */
1c79356b A	146	int count; /* for lifetime */
	147	/* XXX: here is mbuf place holder to be sent ? */
	148	};
39236c6e	149	#endif /* BSD_KERNEL_PRIVATE */
1c79356b A	150
	151	/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
	152	#define IPSEC_PORT_ANY 0
	153	#define IPSEC_ULPROTO_ANY 255
	154	#define IPSEC_PROTO_ANY 255
	155
	156	/* mode of security protocol */
	157	/* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */
	158	#define IPSEC_MODE_ANY 0 /* i.e. wildcard. */
	159	#define IPSEC_MODE_TRANSPORT 1
	160	#define IPSEC_MODE_TUNNEL 2
	161
	162	/*
	163	* Direction of security policy.
	164	* NOTE: Since INVALID is used just as flag.
	165	* The other are used for loop counter too.
	166	*/
	167	#define IPSEC_DIR_ANY 0
	168	#define IPSEC_DIR_INBOUND 1
	169	#define IPSEC_DIR_OUTBOUND 2
	170	#define IPSEC_DIR_MAX 3
	171	#define IPSEC_DIR_INVALID 4
	172
	173	/* Policy level */
	174	/*
9bccf70c A	175	* IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
	176	* DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
	177	* DISCARD and NONE are allowed for system default.
1c79356b A	178	*/
	179	#define IPSEC_POLICY_DISCARD 0 /* discarding packet */
	180	#define IPSEC_POLICY_NONE 1 /* through IPsec engine */
	181	#define IPSEC_POLICY_IPSEC 2 /* do IPsec */
	182	#define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */
	183	#define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */
2d21ac55	184	#define IPSEC_POLICY_GENERATE 5 /* same as discard - IKE daemon can override with generated policy */
1c79356b A	185
	186	/* Security protocol level */
	187	#define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */
	188	#define IPSEC_LEVEL_USE 1 /* use SA if present. */
	189	#define IPSEC_LEVEL_REQUIRE 2 /* require SA. */
	190	#define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */
	191
	192	#define IPSEC_MANUAL_REQID_MAX 0x3fff
	193	/*
	194	* if security policy level == unique, this id
	195	* indicate to a relative SA for use, else is
	196	* zero.
	197	* 1 - 0x3fff are reserved for manual keying.
	198	* 0 are reserved for above reason. Others is
	199	* for kernel use.
	200	* Note that this id doesn't identify SA
	201	* by only itself.
	202	*/
	203	#define IPSEC_REPLAYWSIZE 32
	204
	205	/* statistics for ipsec processing */
	206	struct ipsecstat {
3e170ce0 A	207	u_quad_t in_success __attribute__ ((aligned (8))); /* succeeded inbound process */
3e170ce0 A	208	u_quad_t in_polvio __attribute__ ((aligned (8)));
1c79356b	209	/* security policy violation for inbound process */
3e170ce0 A	210	u_quad_t in_nosa __attribute__ ((aligned (8))); /* inbound SA is unavailable */
	211	u_quad_t in_inval __attribute__ ((aligned (8))); /* inbound processing failed due to EINVAL */
	212	u_quad_t in_nomem __attribute__ ((aligned (8))); /* inbound processing failed due to ENOBUFS */
	213	u_quad_t in_badspi __attribute__ ((aligned (8))); /* failed getting a SPI */
	214	u_quad_t in_ahreplay __attribute__ ((aligned (8))); /* AH replay check failed */
	215	u_quad_t in_espreplay __attribute__ ((aligned (8))); /* ESP replay check failed */
	216	u_quad_t in_ahauthsucc __attribute__ ((aligned (8))); /* AH authentication success */
	217	u_quad_t in_ahauthfail __attribute__ ((aligned (8))); /* AH authentication failure */
	218	u_quad_t in_espauthsucc __attribute__ ((aligned (8))); /* ESP authentication success */
	219	u_quad_t in_espauthfail __attribute__ ((aligned (8))); /* ESP authentication failure */
	220	u_quad_t in_esphist[256] __attribute__ ((aligned (8)));
	221	u_quad_t in_ahhist[256] __attribute__ ((aligned (8)));
	222	u_quad_t in_comphist[256] __attribute__ ((aligned (8)));
	223	u_quad_t out_success __attribute__ ((aligned (8))); /* succeeded outbound process */
	224	u_quad_t out_polvio __attribute__ ((aligned (8)));
1c79356b	225	/* security policy violation for outbound process */
3e170ce0 A	226	u_quad_t out_nosa __attribute__ ((aligned (8))); /* outbound SA is unavailable */
	227	u_quad_t out_inval __attribute__ ((aligned (8))); /* outbound process failed due to EINVAL */
	228	u_quad_t out_nomem __attribute__ ((aligned (8))); /* inbound processing failed due to ENOBUFS */
	229	u_quad_t out_noroute __attribute__ ((aligned (8))); /* there is no route */
	230	u_quad_t out_esphist[256] __attribute__ ((aligned (8)));
	231	u_quad_t out_ahhist[256] __attribute__ ((aligned (8)));
	232	u_quad_t out_comphist[256] __attribute__ ((aligned (8)));
1c79356b A	233	};
1c79356b A	234
39236c6e	235	#ifdef BSD_KERNEL_PRIVATE
1c79356b A	236	/*
	237	* Definitions for IPsec & Key sysctl operations.
	238	*/
	239	/*
	240	* Names for IPsec & Key sysctl objects
	241	*/
	242	#define IPSECCTL_STATS 1 /* stats */
	243	#define IPSECCTL_DEF_POLICY 2
	244	#define IPSECCTL_DEF_ESP_TRANSLEV 3 /* int; ESP transport mode */
	245	#define IPSECCTL_DEF_ESP_NETLEV 4 /* int; ESP tunnel mode */
	246	#define IPSECCTL_DEF_AH_TRANSLEV 5 /* int; AH transport mode */
	247	#define IPSECCTL_DEF_AH_NETLEV 6 /* int; AH tunnel mode */
55e303ae	248	#if 0 /* obsolete, do not reuse */
1c79356b	249	#define IPSECCTL_INBOUND_CALL_IKE 7
9bccf70c	250	#endif
1c79356b A	251	#define IPSECCTL_AH_CLEARTOS 8
	252	#define IPSECCTL_AH_OFFSETMASK 9
	253	#define IPSECCTL_DFBIT 10
	254	#define IPSECCTL_ECN 11
	255	#define IPSECCTL_DEBUG 12
9bccf70c A	256	#define IPSECCTL_ESP_RANDPAD 13
9bccf70c A	257	#define IPSECCTL_MAXID 14
1c79356b A	258
	259	#define IPSECCTL_NAMES { \
	260	{ 0, 0 }, \
	261	{ 0, 0 }, \
	262	{ "def_policy", CTLTYPE_INT }, \
	263	{ "esp_trans_deflev", CTLTYPE_INT }, \
	264	{ "esp_net_deflev", CTLTYPE_INT }, \
	265	{ "ah_trans_deflev", CTLTYPE_INT }, \
	266	{ "ah_net_deflev", CTLTYPE_INT }, \
9bccf70c	267	{ 0, 0 }, \
1c79356b A	268	{ "ah_cleartos", CTLTYPE_INT }, \
	269	{ "ah_offsetmask", CTLTYPE_INT }, \
	270	{ "dfbit", CTLTYPE_INT }, \
	271	{ "ecn", CTLTYPE_INT }, \
	272	{ "debug", CTLTYPE_INT }, \
9bccf70c	273	{ "esp_randpad", CTLTYPE_INT }, \
1c79356b A	274	}
	275
	276	#define IPSEC6CTL_NAMES { \
	277	{ 0, 0 }, \
	278	{ 0, 0 }, \
	279	{ "def_policy", CTLTYPE_INT }, \
	280	{ "esp_trans_deflev", CTLTYPE_INT }, \
	281	{ "esp_net_deflev", CTLTYPE_INT }, \
	282	{ "ah_trans_deflev", CTLTYPE_INT }, \
	283	{ "ah_net_deflev", CTLTYPE_INT }, \
9bccf70c	284	{ 0, 0 }, \
1c79356b A	285	{ 0, 0 }, \
	286	{ 0, 0 }, \
	287	{ 0, 0 }, \
	288	{ "ecn", CTLTYPE_INT }, \
	289	{ "debug", CTLTYPE_INT }, \
9bccf70c	290	{ "esp_randpad", CTLTYPE_INT }, \
1c79356b A	291	}
1c79356b A	292
5ba3f43e A	293	#if defined(__ARM__)
	294	#define IPSEC_IS_P2ALIGNED(p) IS_P2ALIGNED(p, sizeof (u_int32_t))
	295	#define IPSEC_GET_P2UNALIGNED_OFS(p) (sizeof(u_int32_t) - (((uintptr_t)(p)) & ((uintptr_t)(sizeof(u_int32_t)) - 1)))
	296	#else
316670eb A	297	#define IPSEC_IS_P2ALIGNED(p) 1
316670eb A	298	#define IPSEC_GET_P2UNALIGNED_OFS(p) 0
5ba3f43e	299	#endif
316670eb	300
1c79356b	301	struct ipsec_output_state {
fe8ab488	302	int tunneled;
1c79356b	303	struct mbuf *m;
5c9f4661	304	struct route_in6 ro;
1c79356b	305	struct sockaddr *dst;
fe8ab488	306	u_int outgoing_if;
1c79356b A	307	};
1c79356b A	308
9bccf70c A	309	struct ipsec_history {
	310	int ih_proto;
	311	u_int32_t ih_spi;
	312	};
	313
1c79356b A	314	extern int ipsec_debug;
1c79356b A	315
1c79356b A	316	extern struct ipsecstat ipsecstat;
	317	extern struct secpolicy ip4_def_policy;
	318	extern int ip4_esp_trans_deflev;
	319	extern int ip4_esp_net_deflev;
	320	extern int ip4_ah_trans_deflev;
	321	extern int ip4_ah_net_deflev;
1c79356b A	322	extern int ip4_ah_cleartos;
	323	extern int ip4_ah_offsetmask;
	324	extern int ip4_ipsec_dfbit;
	325	extern int ip4_ipsec_ecn;
9bccf70c	326	extern int ip4_esp_randpad;
1c79356b A	327
	328	#define ipseclog(x) do { if (ipsec_debug) log x; } while (0)
	329
91447636 A	330	extern struct secpolicy ipsec4_getpolicybysock(struct mbuf , u_int,
	331	struct socket , int );
	332	extern struct secpolicy ipsec4_getpolicybyaddr(struct mbuf , u_int, int,
	333	int *);
39236c6e A	334	extern int ipsec4_getpolicybyinterface(struct mbuf , u_int, int ,
39236c6e A	335	struct ip_out_args , struct secpolicy *);
1c79356b	336
fe8ab488 A	337	extern u_int ipsec_get_reqlevel(struct ipsecrequest *);
fe8ab488 A	338
1c79356b	339	struct inpcb;
91447636 A	340	extern int ipsec_init_policy(struct socket so, struct inpcbpolicy *);
	341	extern int ipsec_copy_policy(struct inpcbpolicy , struct inpcbpolicy );
	342	extern u_int ipsec_get_reqlevel(struct ipsecrequest *);
	343
	344	extern int ipsec4_set_policy(struct inpcb *inp, int optname,
fe8ab488	345	caddr_t request, size_t len, int priv);
91447636 A	346	extern int ipsec4_delete_pcbpolicy(struct inpcb *);
	347	extern int ipsec4_in_reject_so(struct mbuf , struct socket );
	348	extern int ipsec4_in_reject(struct mbuf , struct inpcb );
1c79356b	349
1c79356b A	350	struct secas;
1c79356b A	351	struct tcpcb;
91447636 A	352	extern int ipsec_chkreplay(u_int32_t, struct secasvar *);
91447636 A	353	extern int ipsec_updatereplay(u_int32_t, struct secasvar *);
1c79356b	354
91447636 A	355	extern size_t ipsec4_hdrsiz(struct mbuf , u_int, struct inpcb );
91447636 A	356	extern size_t ipsec_hdrsiz_tcp(struct tcpcb *);
2d21ac55	357	extern size_t ipsec_hdrsiz(struct secpolicy *);
1c79356b A	358
1c79356b A	359	struct ip;
91447636 A	360	extern const char ipsec4_logpacketstr(struct ip , u_int32_t);
	361	extern const char ipsec_logsastr(struct secasvar );
	362
	363	extern void ipsec_dumpmbuf(struct mbuf *);
	364
fe8ab488	365	extern int ipsec4_interface_output(struct ipsec_output_state *state, ifnet_t interface);
91447636	366	extern int ipsec4_output(struct ipsec_output_state , struct secpolicy , int);
316670eb A	367	#if INET
	368	extern struct mbuf * ipsec4_splithdr(struct mbuf *);
	369	extern int ipsec4_encapsulate(struct mbuf , struct secasvar );
316670eb A	370	#endif
	371	#if INET6
	372	extern struct mbuf * ipsec6_splithdr(struct mbuf *);
	373	extern int ipsec6_encapsulate(struct mbuf , struct secasvar );
316670eb	374	#endif
2d21ac55	375	extern int ipsec4_tunnel_validate(struct mbuf , int, u_int, struct secasvar , sa_family_t *);
91447636 A	376	extern struct mbuf ipsec_copypkt(struct mbuf );
	377	extern void ipsec_delaux(struct mbuf *);
	378	extern int ipsec_setsocket(struct mbuf , struct socket );
	379	extern struct socket ipsec_getsocket(struct mbuf );
	380	extern int ipsec_addhist(struct mbuf *, int, u_int32_t);
	381	extern struct ipsec_history ipsec_gethist(struct mbuf , int *);
	382	extern void ipsec_clearhist(struct mbuf *);
39236c6e	383	#endif /* BSD_KERNEL_PRIVATE */
1c79356b A	384
1c79356b A	385	#ifndef KERNEL
b0d623f7	386	__BEGIN_DECLS
91447636 A	387	extern caddr_t ipsec_set_policy(char *, int);
	388	extern int ipsec_get_policylen(caddr_t);
	389	extern char ipsec_dump_policy(caddr_t, char );
1c79356b	390
91447636	391	extern const char *ipsec_strerror(void);
b0d623f7 A	392	__END_DECLS
b0d623f7 A	393	#endif /* KERNEL */
1c79356b	394
0c530ab8	395	#endif /* _NETINET6_IPSEC_H_ */