[apple/xnu.git] / bsd / netinet6 / ipsec.h

/*	$FreeBSD: src/sys/netinet6/ipsec.h,v 1.4.2.2 2001/07/03 11:01:54 ume Exp $	*/
/*	$KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $	*/

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * IPsec controller part.
 */

#ifndef _NETINET6_IPSEC_H_
#define _NETINET6_IPSEC_H_
#include <sys/appleapiopts.h>

#include <net/pfkeyv2.h>
#ifdef KERNEL_PRIVATE
#include <netkey/keydb.h>

/* lock for IPSec stats */
lck_grp_t         *sadb_stat_mutex_grp;
lck_grp_attr_t    *sadb_stat_mutex_grp_attr;
lck_attr_t        *sadb_stat_mutex_attr;
lck_mtx_t         *sadb_stat_mutex;


#define IPSEC_STAT_INCREMENT(x)	\
	{lck_mtx_lock(sadb_stat_mutex); (x)++; lck_mtx_unlock(sadb_stat_mutex);}


/*
 * Security Policy Index
 * Ensure that both address families in the "src" and "dst" are same.
 * When the value of the ul_proto is ICMPv6, the port field in "src"
 * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
 */
struct secpolicyindex {
	u_int8_t dir;			/* direction of packet flow, see blow */
	struct sockaddr_storage src;	/* IP src address for SP */
	struct sockaddr_storage dst;	/* IP dst address for SP */
	u_int8_t prefs;			/* prefix length in bits for src */
	u_int8_t prefd;			/* prefix length in bits for dst */
	u_int16_t ul_proto;		/* upper layer Protocol */
#ifdef notyet
	uid_t uids;
	uid_t uidd;
	gid_t gids;
	gid_t gidd;
#endif
};

/* Security Policy Data Base */
struct secpolicy {
	LIST_ENTRY(secpolicy) chain;

	int refcnt;			/* reference count */
	struct secpolicyindex spidx;	/* selector */
	u_int32_t id;			/* It's unique number on the system. */
	u_int state;			/* 0: dead, others: alive */
#define IPSEC_SPSTATE_DEAD	0
#define IPSEC_SPSTATE_ALIVE	1

	u_int policy;		/* DISCARD, NONE or IPSEC, see keyv2.h */
	struct ipsecrequest *req;
				/* pointer to the ipsec request tree, */
				/* if policy == IPSEC else this value == NULL.*/

	/*
	 * lifetime handler.
	 * the policy can be used without limitiation if both lifetime and
	 * validtime are zero.
	 * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
	 * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
	 */
	long created;		/* time created the policy */
	long lastused;		/* updated every when kernel sends a packet */
	long lifetime;		/* duration of the lifetime of this policy */
	long validtime;		/* duration this policy is valid without use */
};

/* Request for IPsec */
struct ipsecrequest {
	struct ipsecrequest *next;
				/* pointer to next structure */
				/* If NULL, it means the end of chain. */
	struct secasindex saidx;/* hint for search proper SA */
				/* if __ss_len == 0 then no address specified.*/
	u_int level;		/* IPsec level defined below. */

	struct secpolicy *sp;	/* back pointer to SP */
};

/* security policy in PCB */
struct inpcbpolicy {
	struct secpolicy *sp_in;
	struct secpolicy *sp_out;
	int priv;			/* privileged socket ? */
};

/* SP acquiring list table. */
struct secspacq {
	LIST_ENTRY(secspacq) chain;

	struct secpolicyindex spidx;

	long created;		/* for lifetime */
	int count;		/* for lifetime */
	/* XXX: here is mbuf place holder to be sent ? */
};
#endif /* KERNEL_PRIVATE */

/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
#define IPSEC_PORT_ANY		0
#define IPSEC_ULPROTO_ANY	255
#define IPSEC_PROTO_ANY		255

/* mode of security protocol */
/* NOTE: DON'T use IPSEC_MODE_ANY at SPD.  It's only use in SAD */
#define	IPSEC_MODE_ANY		0	/* i.e. wildcard. */
#define	IPSEC_MODE_TRANSPORT	1
#define	IPSEC_MODE_TUNNEL	2

/*
 * Direction of security policy.
 * NOTE: Since INVALID is used just as flag.
 * The other are used for loop counter too.
 */
#define IPSEC_DIR_ANY		0
#define IPSEC_DIR_INBOUND	1
#define IPSEC_DIR_OUTBOUND	2
#define IPSEC_DIR_MAX		3
#define IPSEC_DIR_INVALID	4

/* Policy level */
/*
 * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
 * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
 * DISCARD and NONE are allowed for system default.
 */
#define IPSEC_POLICY_DISCARD	0	/* discarding packet */
#define IPSEC_POLICY_NONE	1	/* through IPsec engine */
#define IPSEC_POLICY_IPSEC	2	/* do IPsec */
#define IPSEC_POLICY_ENTRUST	3	/* consulting SPD if present. */
#define IPSEC_POLICY_BYPASS	4	/* only for privileged socket. */
#define IPSEC_POLICY_GENERATE   5       /* same as discard - IKE daemon can override with generated policy */

/* Security protocol level */
#define	IPSEC_LEVEL_DEFAULT	0	/* reference to system default */
#define	IPSEC_LEVEL_USE		1	/* use SA if present. */
#define	IPSEC_LEVEL_REQUIRE	2	/* require SA. */
#define	IPSEC_LEVEL_UNIQUE	3	/* unique SA. */

#define IPSEC_MANUAL_REQID_MAX	0x3fff
				/*
				 * if security policy level == unique, this id
				 * indicate to a relative SA for use, else is
				 * zero.
				 * 1 - 0x3fff are reserved for manual keying.
				 * 0 are reserved for above reason.  Others is
				 * for kernel use.
				 * Note that this id doesn't identify SA
				 * by only itself.
				 */
#define IPSEC_REPLAYWSIZE  32

/* statistics for ipsec processing */
struct ipsecstat {
	u_quad_t in_success;  /* succeeded inbound process */
	u_quad_t in_polvio;
			/* security policy violation for inbound process */
	u_quad_t in_nosa;     /* inbound SA is unavailable */
	u_quad_t in_inval;    /* inbound processing failed due to EINVAL */
	u_quad_t in_nomem;    /* inbound processing failed due to ENOBUFS */
	u_quad_t in_badspi;   /* failed getting a SPI */
	u_quad_t in_ahreplay; /* AH replay check failed */
	u_quad_t in_espreplay; /* ESP replay check failed */
	u_quad_t in_ahauthsucc; /* AH authentication success */
	u_quad_t in_ahauthfail; /* AH authentication failure */
	u_quad_t in_espauthsucc; /* ESP authentication success */
	u_quad_t in_espauthfail; /* ESP authentication failure */
	u_quad_t in_esphist[256];
	u_quad_t in_ahhist[256];
	u_quad_t in_comphist[256];
	u_quad_t out_success; /* succeeded outbound process */
	u_quad_t out_polvio;
			/* security policy violation for outbound process */
	u_quad_t out_nosa;    /* outbound SA is unavailable */
	u_quad_t out_inval;   /* outbound process failed due to EINVAL */
	u_quad_t out_nomem;    /* inbound processing failed due to ENOBUFS */
	u_quad_t out_noroute; /* there is no route */
	u_quad_t out_esphist[256];
	u_quad_t out_ahhist[256];
	u_quad_t out_comphist[256];
};

#ifdef KERNEL_PRIVATE
/*
 * Definitions for IPsec & Key sysctl operations.
 */
/*
 * Names for IPsec & Key sysctl objects
 */
#define IPSECCTL_STATS			1	/* stats */
#define IPSECCTL_DEF_POLICY		2
#define IPSECCTL_DEF_ESP_TRANSLEV	3	/* int; ESP transport mode */
#define IPSECCTL_DEF_ESP_NETLEV		4	/* int; ESP tunnel mode */
#define IPSECCTL_DEF_AH_TRANSLEV	5	/* int; AH transport mode */
#define IPSECCTL_DEF_AH_NETLEV		6	/* int; AH tunnel mode */
#if 0	/* obsolete, do not reuse */
#define IPSECCTL_INBOUND_CALL_IKE	7
#endif
#define	IPSECCTL_AH_CLEARTOS		8
#define	IPSECCTL_AH_OFFSETMASK		9
#define	IPSECCTL_DFBIT			10
#define	IPSECCTL_ECN			11
#define	IPSECCTL_DEBUG			12
#define	IPSECCTL_ESP_RANDPAD		13
#define IPSECCTL_MAXID			14

#define IPSECCTL_NAMES { \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "def_policy", CTLTYPE_INT }, \
	{ "esp_trans_deflev", CTLTYPE_INT }, \
	{ "esp_net_deflev", CTLTYPE_INT }, \
	{ "ah_trans_deflev", CTLTYPE_INT }, \
	{ "ah_net_deflev", CTLTYPE_INT }, \
	{ 0, 0 }, \
	{ "ah_cleartos", CTLTYPE_INT }, \
	{ "ah_offsetmask", CTLTYPE_INT }, \
	{ "dfbit", CTLTYPE_INT }, \
	{ "ecn", CTLTYPE_INT }, \
	{ "debug", CTLTYPE_INT }, \
	{ "esp_randpad", CTLTYPE_INT }, \
}

#define IPSEC6CTL_NAMES { \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "def_policy", CTLTYPE_INT }, \
	{ "esp_trans_deflev", CTLTYPE_INT }, \
	{ "esp_net_deflev", CTLTYPE_INT }, \
	{ "ah_trans_deflev", CTLTYPE_INT }, \
	{ "ah_net_deflev", CTLTYPE_INT }, \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "ecn", CTLTYPE_INT }, \
	{ "debug", CTLTYPE_INT }, \
	{ "esp_randpad", CTLTYPE_INT }, \
}

#ifdef KERNEL
struct ipsec_output_state {
	struct mbuf *m;
	struct route *ro;
	struct sockaddr *dst;
};

struct ipsec_history {
	int ih_proto;
	u_int32_t ih_spi;
};

extern int ipsec_debug;

extern struct ipsecstat ipsecstat;
extern struct secpolicy ip4_def_policy;
extern int ip4_esp_trans_deflev;
extern int ip4_esp_net_deflev;
extern int ip4_ah_trans_deflev;
extern int ip4_ah_net_deflev;
extern int ip4_ah_cleartos;
extern int ip4_ah_offsetmask;
extern int ip4_ipsec_dfbit;
extern int ip4_ipsec_ecn;
extern int ip4_esp_randpad;

#define ipseclog(x)	do { if (ipsec_debug) log x; } while (0)

extern struct secpolicy *ipsec4_getpolicybysock(struct mbuf *, u_int,
						struct socket *, int *);
extern struct secpolicy *ipsec4_getpolicybyaddr(struct mbuf *, u_int, int,
						int *);

struct inpcb;
extern int ipsec_init_policy(struct socket *so, struct inpcbpolicy **);
extern int ipsec_copy_policy(struct inpcbpolicy *, struct inpcbpolicy *);
extern u_int ipsec_get_reqlevel(struct ipsecrequest *);

extern int ipsec4_set_policy(struct inpcb *inp, int optname,
	caddr_t request, size_t len, int priv);
extern int ipsec4_get_policy(struct inpcb *inpcb, caddr_t request,
	size_t len, struct mbuf **mp);
extern int ipsec4_delete_pcbpolicy(struct inpcb *);
extern int ipsec4_in_reject_so(struct mbuf *, struct socket *);
extern int ipsec4_in_reject(struct mbuf *, struct inpcb *);

struct secas;
struct tcpcb;
extern int ipsec_chkreplay(u_int32_t, struct secasvar *);
extern int ipsec_updatereplay(u_int32_t, struct secasvar *);

extern size_t ipsec4_hdrsiz(struct mbuf *, u_int, struct inpcb *);
extern size_t ipsec_hdrsiz_tcp(struct tcpcb *);
extern size_t ipsec_hdrsiz(struct secpolicy *);

struct ip;
extern const char *ipsec4_logpacketstr(struct ip *, u_int32_t);
extern const char *ipsec_logsastr(struct secasvar *);

extern void ipsec_dumpmbuf(struct mbuf *);

extern int ipsec4_output(struct ipsec_output_state *, struct secpolicy *, int);
extern int ipsec4_tunnel_validate(struct mbuf *, int, u_int, struct secasvar *, sa_family_t *);
extern struct mbuf *ipsec_copypkt(struct mbuf *);
extern void ipsec_delaux(struct mbuf *);
extern int ipsec_setsocket(struct mbuf *, struct socket *);
extern struct socket *ipsec_getsocket(struct mbuf *);
extern int ipsec_addhist(struct mbuf *, int, u_int32_t); 
extern struct ipsec_history *ipsec_gethist(struct mbuf *, int *);
extern void ipsec_clearhist(struct mbuf *);
#endif KERNEL
#endif KERNEL_PRIVATE

#ifndef KERNEL
extern caddr_t ipsec_set_policy(char *, int);
extern int ipsec_get_policylen(caddr_t);
extern char *ipsec_dump_policy(caddr_t, char *);

extern const char *ipsec_strerror(void);
#endif KERNEL

#endif /* _NETINET6_IPSEC_H_ */
Commit	Line	Data
9bccf70c A	1	/* $FreeBSD: src/sys/netinet6/ipsec.h,v 1.4.2.2 2001/07/03 11:01:54 ume Exp $ */
9bccf70c A	2	/* $KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $ */
1c79356b A	3
	4	/*
	5	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	6	* All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	* 1. Redistributions of source code must retain the above copyright
	12	* notice, this list of conditions and the following disclaimer.
	13	* 2. Redistributions in binary form must reproduce the above copyright
	14	* notice, this list of conditions and the following disclaimer in the
	15	* documentation and/or other materials provided with the distribution.
	16	* 3. Neither the name of the project nor the names of its contributors
	17	* may be used to endorse or promote products derived from this software
	18	* without specific prior written permission.
	19	*
	20	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	21	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	22	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	23	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	24	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	25	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	26	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	27	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	28	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	29	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	30	* SUCH DAMAGE.
	31	*/
	32
	33	/*
	34	* IPsec controller part.
	35	*/
	36
	37	#ifndef _NETINET6_IPSEC_H_
	38	#define _NETINET6_IPSEC_H_
9bccf70c	39	#include <sys/appleapiopts.h>
1c79356b A	40
1c79356b A	41	#include <net/pfkeyv2.h>
91447636	42	#ifdef KERNEL_PRIVATE
1c79356b A	43	#include <netkey/keydb.h>
1c79356b A	44
2d21ac55 A	45	/* lock for IPSec stats */
	46	lck_grp_t *sadb_stat_mutex_grp;
	47	lck_grp_attr_t *sadb_stat_mutex_grp_attr;
	48	lck_attr_t *sadb_stat_mutex_attr;
	49	lck_mtx_t *sadb_stat_mutex;
	50
	51
	52	#define IPSEC_STAT_INCREMENT(x) \
	53	{lck_mtx_lock(sadb_stat_mutex); (x)++; lck_mtx_unlock(sadb_stat_mutex);}
	54
	55
1c79356b A	56	/*
1c79356b A	57	* Security Policy Index
55e303ae A	58	* Ensure that both address families in the "src" and "dst" are same.
	59	* When the value of the ul_proto is ICMPv6, the port field in "src"
	60	* specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
1c79356b A	61	*/
	62	struct secpolicyindex {
	63	u_int8_t dir; /* direction of packet flow, see blow */
	64	struct sockaddr_storage src; /* IP src address for SP */
	65	struct sockaddr_storage dst; /* IP dst address for SP */
	66	u_int8_t prefs; /* prefix length in bits for src */
	67	u_int8_t prefd; /* prefix length in bits for dst */
	68	u_int16_t ul_proto; /* upper layer Protocol */
	69	#ifdef notyet
	70	uid_t uids;
	71	uid_t uidd;
	72	gid_t gids;
	73	gid_t gidd;
	74	#endif
	75	};
	76
	77	/* Security Policy Data Base */
	78	struct secpolicy {
	79	LIST_ENTRY(secpolicy) chain;
	80
	81	int refcnt; /* reference count */
	82	struct secpolicyindex spidx; /* selector */
	83	u_int32_t id; /* It's unique number on the system. */
	84	u_int state; /* 0: dead, others: alive */
	85	#define IPSEC_SPSTATE_DEAD 0
	86	#define IPSEC_SPSTATE_ALIVE 1
	87
	88	u_int policy; /* DISCARD, NONE or IPSEC, see keyv2.h */
	89	struct ipsecrequest *req;
	90	/* pointer to the ipsec request tree, */
	91	/* if policy == IPSEC else this value == NULL.*/
9bccf70c A	92
	93	/*
	94	* lifetime handler.
	95	* the policy can be used without limitiation if both lifetime and
	96	* validtime are zero.
	97	* "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
	98	* "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
	99	*/
	100	long created; /* time created the policy */
	101	long lastused; /* updated every when kernel sends a packet */
	102	long lifetime; /* duration of the lifetime of this policy */
	103	long validtime; /* duration this policy is valid without use */
1c79356b A	104	};
	105
	106	/* Request for IPsec */
	107	struct ipsecrequest {
	108	struct ipsecrequest *next;
	109	/* pointer to next structure */
	110	/* If NULL, it means the end of chain. */
	111	struct secasindex saidx;/* hint for search proper SA */
	112	/* if __ss_len == 0 then no address specified.*/
	113	u_int level; /* IPsec level defined below. */
	114
1c79356b A	115	struct secpolicy sp; / back pointer to SP */
	116	};
	117
	118	/* security policy in PCB */
	119	struct inpcbpolicy {
	120	struct secpolicy *sp_in;
	121	struct secpolicy *sp_out;
	122	int priv; /* privileged socket ? */
	123	};
	124
	125	/* SP acquiring list table. */
	126	struct secspacq {
	127	LIST_ENTRY(secspacq) chain;
	128
	129	struct secpolicyindex spidx;
	130
9bccf70c	131	long created; /* for lifetime */
1c79356b A	132	int count; /* for lifetime */
	133	/* XXX: here is mbuf place holder to be sent ? */
	134	};
91447636	135	#endif /* KERNEL_PRIVATE */
1c79356b A	136
	137	/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
	138	#define IPSEC_PORT_ANY 0
	139	#define IPSEC_ULPROTO_ANY 255
	140	#define IPSEC_PROTO_ANY 255
	141
	142	/* mode of security protocol */
	143	/* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */
	144	#define IPSEC_MODE_ANY 0 /* i.e. wildcard. */
	145	#define IPSEC_MODE_TRANSPORT 1
	146	#define IPSEC_MODE_TUNNEL 2
	147
	148	/*
	149	* Direction of security policy.
	150	* NOTE: Since INVALID is used just as flag.
	151	* The other are used for loop counter too.
	152	*/
	153	#define IPSEC_DIR_ANY 0
	154	#define IPSEC_DIR_INBOUND 1
	155	#define IPSEC_DIR_OUTBOUND 2
	156	#define IPSEC_DIR_MAX 3
	157	#define IPSEC_DIR_INVALID 4
	158
	159	/* Policy level */
	160	/*
9bccf70c A	161	* IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
	162	* DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
	163	* DISCARD and NONE are allowed for system default.
1c79356b A	164	*/
	165	#define IPSEC_POLICY_DISCARD 0 /* discarding packet */
	166	#define IPSEC_POLICY_NONE 1 /* through IPsec engine */
	167	#define IPSEC_POLICY_IPSEC 2 /* do IPsec */
	168	#define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */
	169	#define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */
2d21ac55	170	#define IPSEC_POLICY_GENERATE 5 /* same as discard - IKE daemon can override with generated policy */
1c79356b A	171
	172	/* Security protocol level */
	173	#define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */
	174	#define IPSEC_LEVEL_USE 1 /* use SA if present. */
	175	#define IPSEC_LEVEL_REQUIRE 2 /* require SA. */
	176	#define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */
	177
	178	#define IPSEC_MANUAL_REQID_MAX 0x3fff
	179	/*
	180	* if security policy level == unique, this id
	181	* indicate to a relative SA for use, else is
	182	* zero.
	183	* 1 - 0x3fff are reserved for manual keying.
	184	* 0 are reserved for above reason. Others is
	185	* for kernel use.
	186	* Note that this id doesn't identify SA
	187	* by only itself.
	188	*/
	189	#define IPSEC_REPLAYWSIZE 32
	190
	191	/* statistics for ipsec processing */
	192	struct ipsecstat {
	193	u_quad_t in_success; /* succeeded inbound process */
	194	u_quad_t in_polvio;
	195	/* security policy violation for inbound process */
	196	u_quad_t in_nosa; /* inbound SA is unavailable */
	197	u_quad_t in_inval; /* inbound processing failed due to EINVAL */
	198	u_quad_t in_nomem; /* inbound processing failed due to ENOBUFS */
	199	u_quad_t in_badspi; /* failed getting a SPI */
	200	u_quad_t in_ahreplay; /* AH replay check failed */
	201	u_quad_t in_espreplay; /* ESP replay check failed */
	202	u_quad_t in_ahauthsucc; /* AH authentication success */
	203	u_quad_t in_ahauthfail; /* AH authentication failure */
	204	u_quad_t in_espauthsucc; /* ESP authentication success */
	205	u_quad_t in_espauthfail; /* ESP authentication failure */
	206	u_quad_t in_esphist[256];
	207	u_quad_t in_ahhist[256];
	208	u_quad_t in_comphist[256];
	209	u_quad_t out_success; /* succeeded outbound process */
	210	u_quad_t out_polvio;
	211	/* security policy violation for outbound process */
	212	u_quad_t out_nosa; /* outbound SA is unavailable */
	213	u_quad_t out_inval; /* outbound process failed due to EINVAL */
	214	u_quad_t out_nomem; /* inbound processing failed due to ENOBUFS */
	215	u_quad_t out_noroute; /* there is no route */
	216	u_quad_t out_esphist[256];
	217	u_quad_t out_ahhist[256];
	218	u_quad_t out_comphist[256];
	219	};
	220
91447636	221	#ifdef KERNEL_PRIVATE
1c79356b A	222	/*
	223	* Definitions for IPsec & Key sysctl operations.
	224	*/
	225	/*
	226	* Names for IPsec & Key sysctl objects
	227	*/
	228	#define IPSECCTL_STATS 1 /* stats */
	229	#define IPSECCTL_DEF_POLICY 2
	230	#define IPSECCTL_DEF_ESP_TRANSLEV 3 /* int; ESP transport mode */
	231	#define IPSECCTL_DEF_ESP_NETLEV 4 /* int; ESP tunnel mode */
	232	#define IPSECCTL_DEF_AH_TRANSLEV 5 /* int; AH transport mode */
	233	#define IPSECCTL_DEF_AH_NETLEV 6 /* int; AH tunnel mode */
55e303ae	234	#if 0 /* obsolete, do not reuse */
1c79356b	235	#define IPSECCTL_INBOUND_CALL_IKE 7
9bccf70c	236	#endif
1c79356b A	237	#define IPSECCTL_AH_CLEARTOS 8
	238	#define IPSECCTL_AH_OFFSETMASK 9
	239	#define IPSECCTL_DFBIT 10
	240	#define IPSECCTL_ECN 11
	241	#define IPSECCTL_DEBUG 12
9bccf70c A	242	#define IPSECCTL_ESP_RANDPAD 13
9bccf70c A	243	#define IPSECCTL_MAXID 14
1c79356b A	244
	245	#define IPSECCTL_NAMES { \
	246	{ 0, 0 }, \
	247	{ 0, 0 }, \
	248	{ "def_policy", CTLTYPE_INT }, \
	249	{ "esp_trans_deflev", CTLTYPE_INT }, \
	250	{ "esp_net_deflev", CTLTYPE_INT }, \
	251	{ "ah_trans_deflev", CTLTYPE_INT }, \
	252	{ "ah_net_deflev", CTLTYPE_INT }, \
9bccf70c	253	{ 0, 0 }, \
1c79356b A	254	{ "ah_cleartos", CTLTYPE_INT }, \
	255	{ "ah_offsetmask", CTLTYPE_INT }, \
	256	{ "dfbit", CTLTYPE_INT }, \
	257	{ "ecn", CTLTYPE_INT }, \
	258	{ "debug", CTLTYPE_INT }, \
9bccf70c	259	{ "esp_randpad", CTLTYPE_INT }, \
1c79356b A	260	}
	261
	262	#define IPSEC6CTL_NAMES { \
	263	{ 0, 0 }, \
	264	{ 0, 0 }, \
	265	{ "def_policy", CTLTYPE_INT }, \
	266	{ "esp_trans_deflev", CTLTYPE_INT }, \
	267	{ "esp_net_deflev", CTLTYPE_INT }, \
	268	{ "ah_trans_deflev", CTLTYPE_INT }, \
	269	{ "ah_net_deflev", CTLTYPE_INT }, \
9bccf70c	270	{ 0, 0 }, \
1c79356b A	271	{ 0, 0 }, \
	272	{ 0, 0 }, \
	273	{ 0, 0 }, \
	274	{ "ecn", CTLTYPE_INT }, \
	275	{ "debug", CTLTYPE_INT }, \
9bccf70c	276	{ "esp_randpad", CTLTYPE_INT }, \
1c79356b A	277	}
1c79356b A	278
9bccf70c	279	#ifdef KERNEL
1c79356b A	280	struct ipsec_output_state {
	281	struct mbuf *m;
	282	struct route *ro;
	283	struct sockaddr *dst;
	284	};
	285
9bccf70c A	286	struct ipsec_history {
	287	int ih_proto;
	288	u_int32_t ih_spi;
	289	};
	290
1c79356b A	291	extern int ipsec_debug;
1c79356b A	292
1c79356b A	293	extern struct ipsecstat ipsecstat;
	294	extern struct secpolicy ip4_def_policy;
	295	extern int ip4_esp_trans_deflev;
	296	extern int ip4_esp_net_deflev;
	297	extern int ip4_ah_trans_deflev;
	298	extern int ip4_ah_net_deflev;
1c79356b A	299	extern int ip4_ah_cleartos;
	300	extern int ip4_ah_offsetmask;
	301	extern int ip4_ipsec_dfbit;
	302	extern int ip4_ipsec_ecn;
9bccf70c	303	extern int ip4_esp_randpad;
1c79356b A	304
	305	#define ipseclog(x) do { if (ipsec_debug) log x; } while (0)
	306
91447636 A	307	extern struct secpolicy ipsec4_getpolicybysock(struct mbuf , u_int,
	308	struct socket , int );
	309	extern struct secpolicy ipsec4_getpolicybyaddr(struct mbuf , u_int, int,
	310	int *);
1c79356b	311
1c79356b	312	struct inpcb;
91447636 A	313	extern int ipsec_init_policy(struct socket so, struct inpcbpolicy *);
	314	extern int ipsec_copy_policy(struct inpcbpolicy , struct inpcbpolicy );
	315	extern u_int ipsec_get_reqlevel(struct ipsecrequest *);
	316
	317	extern int ipsec4_set_policy(struct inpcb *inp, int optname,
	318	caddr_t request, size_t len, int priv);
	319	extern int ipsec4_get_policy(struct inpcb *inpcb, caddr_t request,
	320	size_t len, struct mbuf **mp);
	321	extern int ipsec4_delete_pcbpolicy(struct inpcb *);
	322	extern int ipsec4_in_reject_so(struct mbuf , struct socket );
	323	extern int ipsec4_in_reject(struct mbuf , struct inpcb );
1c79356b	324
1c79356b A	325	struct secas;
1c79356b A	326	struct tcpcb;
91447636 A	327	extern int ipsec_chkreplay(u_int32_t, struct secasvar *);
91447636 A	328	extern int ipsec_updatereplay(u_int32_t, struct secasvar *);
1c79356b	329
91447636 A	330	extern size_t ipsec4_hdrsiz(struct mbuf , u_int, struct inpcb );
91447636 A	331	extern size_t ipsec_hdrsiz_tcp(struct tcpcb *);
2d21ac55	332	extern size_t ipsec_hdrsiz(struct secpolicy *);
1c79356b A	333
1c79356b A	334	struct ip;
91447636 A	335	extern const char ipsec4_logpacketstr(struct ip , u_int32_t);
	336	extern const char ipsec_logsastr(struct secasvar );
	337
	338	extern void ipsec_dumpmbuf(struct mbuf *);
	339
	340	extern int ipsec4_output(struct ipsec_output_state , struct secpolicy , int);
2d21ac55	341	extern int ipsec4_tunnel_validate(struct mbuf , int, u_int, struct secasvar , sa_family_t *);
91447636 A	342	extern struct mbuf ipsec_copypkt(struct mbuf );
	343	extern void ipsec_delaux(struct mbuf *);
	344	extern int ipsec_setsocket(struct mbuf , struct socket );
	345	extern struct socket ipsec_getsocket(struct mbuf );
	346	extern int ipsec_addhist(struct mbuf *, int, u_int32_t);
	347	extern struct ipsec_history ipsec_gethist(struct mbuf , int *);
	348	extern void ipsec_clearhist(struct mbuf *);
	349	#endif KERNEL
	350	#endif KERNEL_PRIVATE
1c79356b A	351
1c79356b A	352	#ifndef KERNEL
91447636 A	353	extern caddr_t ipsec_set_policy(char *, int);
	354	extern int ipsec_get_policylen(caddr_t);
	355	extern char ipsec_dump_policy(caddr_t, char );
1c79356b	356
91447636 A	357	extern const char *ipsec_strerror(void);
91447636 A	358	#endif KERNEL
1c79356b	359
0c530ab8	360	#endif /* _NETINET6_IPSEC_H_ */