]> git.saurik.com Git - apple/xnu.git/blob - bsd/net/if_utun_crypto.h
projects / apple / xnu.git / blob
? search:


804ffa91e6c0b71ada8a9df8ffed856893fc58cb
[apple/xnu.git] / bsd / net / if_utun_crypto.h
1 /*
2 * Copyright (c) 2011 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 #ifndef _NET_IF_UTUN_CRYPTO_H_
30 #define _NET_IF_UTUN_CRYPTO_H_
31
32 // constants used in configuring the crypto context
33 typedef enum utun_crypto_ver {
34 UTUN_CRYPTO_VER_1 = 1,
35 UTUN_CRYPTO_VER_MAX,
36 } utun_crypto_ver_t;
37
38 #define UTUN_CRYPTO_KEYS_IPSEC_VER_1 UTUN_CRYPTO_VER_1
39 #define UTUN_CRYPTO_IPSEC_VER_1 UTUN_CRYPTO_VER_1
40
41 #define UTUN_CRYPTO_ARGS_VER_MAX UTUN_CRYPTO_VER_MAX
42 #define UTUN_CRYPTO_KEYS_ARGS_VER_MAX UTUN_CRYPTO_VER_MAX
43
44 typedef enum utun_crypto_dir {
45 UTUN_CRYPTO_DIR_IN = 1,
46 UTUN_CRYPTO_DIR_OUT,
47 UTUN_CRYPTO_DIR_MAX,
48 } utun_crypto_dir_t;
49
50 #define UTUN_CRYPTO_CTX_NUM_DIRS 2
51
52 #define BITSTOBYTES(n) (n >> 3)
53 #define BYTESTOBITS(n) (n << 3)
54
55 #define MAX_KEY_AUTH_LEN_BITS 512 // corresponds to SHA512
56 #define MAX_KEY_AUTH_LEN_BYTES (BITSTOBYTES(MAX_KEY_AUTH_LEN_BITS))
57 #define MAX_KEY_ENC_LEN_BITS 256 // corresponds to AES256
58 #define MAX_KEY_ENC_LEN_BYTES (BITSTOBYTES(MAX_KEY_ENC_LEN_BITS))
59
60 typedef enum utun_crypto_type {
61 UTUN_CRYPTO_TYPE_IPSEC = 1,
62 UTUN_CRYPTO_TYPE_DTLS,
63 UTUN_CRYPTO_TYPE_MAX,
64 } utun_crypto_type_t;
65
66 typedef enum if_utun_crypto_ipsec_mode {
67 IF_UTUN_CRYPTO_IPSEC_MODE_NONE = 0,
68 IF_UTUN_CRYPTO_IPSEC_MODE_TRANSPORT,
69 IF_UTUN_CRYPTO_IPSEC_MODE_TUNNEL,
70 IF_UTUN_CRYPTO_IPSEC_MODE_MAX,
71 } if_utun_crypto_ipsec_mode_t;
72
73 typedef enum if_utun_crypto_ipsec_proto {
74 IF_UTUN_CRYPTO_IPSEC_PROTO_NONE = 0,
75 IF_UTUN_CRYPTO_IPSEC_PROTO_ESP,
76 IF_UTUN_CRYPTO_IPSEC_PROTO_AH,
77 IF_UTUN_CRYPTO_IPSEC_PROTO_MAX,
78 } if_utun_crypto_ipsec_proto_t;
79
80 typedef enum if_utun_crypto_ipsec_auth {
81 IF_UTUN_CRYPTO_IPSEC_AUTH_NONE = 0,
82 IF_UTUN_CRYPTO_IPSEC_AUTH_MD5,
83 IF_UTUN_CRYPTO_IPSEC_AUTH_SHA1,
84 IF_UTUN_CRYPTO_IPSEC_AUTH_SHA256,
85 IF_UTUN_CRYPTO_IPSEC_AUTH_SHA384,
86 IF_UTUN_CRYPTO_IPSEC_AUTH_SHA512,
87 IF_UTUN_CRYPTO_IPSEC_AUTH_MAX,
88 } if_utun_crypto_ipsec_auth_t;
89
90 typedef enum if_utun_crypto_ipsec_enc {
91 IF_UTUN_CRYPTO_IPSEC_ENC_NONE = 0,
92 IF_UTUN_CRYPTO_IPSEC_ENC_DES,
93 IF_UTUN_CRYPTO_IPSEC_ENC_3DES,
94 IF_UTUN_CRYPTO_IPSEC_ENC_AES128,
95 IF_UTUN_CRYPTO_IPSEC_ENC_AES256,
96 IF_UTUN_CRYPTO_IPSEC_ENC_MAX,
97 } if_utun_crypto_ipsec_enc_t;
98
99 typedef enum if_utun_crypto_ipsec_keepalive {
100 IF_UTUN_CRYPTO_IPSEC_KEEPALIVE_NONE = 0,
101 IF_UTUN_CRYPTO_IPSEC_KEEPALIVE_NATT,
102 IF_UTUN_CRYPTO_IPSEC_KEEPALIVE_ESP,
103 IF_UTUN_CRYPTO_IPSEC_KEEPALIVE_MAX,
104 } if_utun_crypto_ipsec_keepalive_t;
105
106 typedef enum if_utun_crypto_ipsec_natd {
107 IF_UTUN_CRYPTO_IPSEC_NATD_NONE = 0,
108 IF_UTUN_CRYPTO_IPSEC_NATD_MINE,
109 IF_UTUN_CRYPTO_IPSEC_NATD_PEER,
110 IF_UTUN_CRYPTO_IPSEC_NATD_BOTH,
111 IF_UTUN_CRYPTO_IPSEC_NATD_MAX,
112 } if_utun_crypto_ipsec_natd_t;
113
114 // structures used for storing the App's keying index arguments
115 typedef struct utun_crypto_keys_idx_ipsec_args_v1 {
116 struct sockaddr_storage src_addr; // v4 or v6 socket address (ignore port numbers)
117 struct sockaddr_storage dst_addr; // v4 or v6 socket address (ignore port numbers)
118 if_utun_crypto_ipsec_proto_t proto;
119 if_utun_crypto_ipsec_mode_t mode;
120 u_int32_t reqid; // policy's reqid, default to 0 for now since we are avoiding policies.
121 u_int32_t spi; // 0 when requesting the index, otherwise it contains the resulting index
122 u_int32_t spirange_min; // default to 0
123 u_int32_t spirange_max; // default to 0xffffffff
124 } __attribute__((packed)) utun_crypto_keys_idx_ipsec_args_v1_t;
125
126 typedef struct utun_crypto_keys_idx_dtls_args_v1 {
127 // stub for DTLS keying index arguments
128 u_int32_t unused; // place holder
129 } __attribute__((packed)) utun_crypto_keys_idx_dtls_args_v1_t;
130
131 // App's parent structure for sending/storing keying index arguments
132 typedef struct utun_crypto_keys_idx_args {
133 utun_crypto_ver_t ver;
134 utun_crypto_type_t type;
135 utun_crypto_dir_t dir;
136 u_int32_t args_ulen;
137 u_int32_t varargs_buflen;
138 union {
139 // don't change the order, number, or size of elements above this line (in this struct). otherwise UTUN_CRYPTO_CTX_IDX_ARGS_HDR_SIZE breaks backwards compatibility
140 utun_crypto_keys_idx_ipsec_args_v1_t ipsec_v1;
141 utun_crypto_keys_idx_dtls_args_v1_t dtls_v1;
142 // future (additional) versions of the arguments may be placed here
143 } u;
144 u_int8_t varargs_buf[0];
145 } __attribute__((aligned(4), packed)) utun_crypto_keys_idx_args_t;
146
147 // structures used for storing the App's keying material arguments
148 typedef struct utun_crypto_keys_ipsec_args_v1 {
149 struct sockaddr_storage src_addr; // v4 or v6 socket address (ignore port numbers)
150 struct sockaddr_storage dst_addr; // v4 or v6 socket address (ignore port numbers)
151 if_utun_crypto_ipsec_proto_t proto;
152 if_utun_crypto_ipsec_mode_t mode;
153 if_utun_crypto_ipsec_auth_t alg_auth;
154 if_utun_crypto_ipsec_enc_t alg_enc;
155 if_utun_crypto_ipsec_keepalive_t keepalive;
156 if_utun_crypto_ipsec_natd_t natd;
157 u_int8_t replay; // window size default to 4
158 u_int8_t punt_rx_keepalive;
159 u_int16_t interval_tx_keepalive;
160 u_int16_t key_auth_len; // 128 or 160 or 192 or 256 or 384 or 512
161 u_int16_t key_enc_len; // 64 or 128 or 192 or 256
162 u_int16_t natt_port; // if non-zero flags will be set to include SADB_X_EXT_NATT
163 u_int16_t unused;
164 u_int32_t seq; // default to 0
165 u_int32_t spi;
166 u_int32_t pid; // vpnagent's process id
167 u_int32_t reqid; // policy's reqid, default to 0 for now since we are avoiding policies.
168 u_int64_t lifetime_hard; // value in seconds
169 u_int64_t lifetime_soft; // value in seconds
170 // key_auth and key_enc will actually be stored in utun_crypto_KEYS_args_t.varargs_buf
171 } __attribute__((packed)) utun_crypto_keys_ipsec_args_v1_t;
172
173 typedef struct utun_crypto_ctx_dtls_mat_args_v1 {
174 // stub for DTLS keying material arguments
175 u_int32_t unused; // place holder
176 } __attribute__((packed)) utun_crypto_keys_dtls_args_v1_t;
177
178 // App's parent structure for sending/storing keying material arguments
179 typedef struct utun_crypto_keys_args {
180 utun_crypto_ver_t ver;
181 utun_crypto_type_t type;
182 utun_crypto_dir_t dir;
183 u_int32_t args_ulen;
184 u_int32_t varargs_buflen;
185 union {
186 // don't change the order, number, or size of elements above this line (in this struct). otherwise UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE breaks backwards compatibility
187 utun_crypto_keys_ipsec_args_v1_t ipsec_v1;
188 utun_crypto_keys_dtls_args_v1_t dtls_v1;
189 // future (additional) versions of the arguments may be placed here
190 } u;
191 u_int8_t varargs_buf[0];
192 } __attribute__((aligned(4), packed)) utun_crypto_keys_args_t;
193
194 // structures used for storing the App's crypto arguments
195 typedef struct utun_crypto_ipsec_args_v1 {
196 // stub for IPSec crypto context arguments
197 u_int32_t unused; // place holder
198 } __attribute__((packed)) utun_crypto_ipsec_args_v1_t;
199
200 typedef struct utun_crypto_dtls_args_v1 {
201 // stub for DTLS crypto context arguments
202 u_int32_t unused; // place holder
203 } __attribute__((packed)) utun_crypto_dtls_args_v1_t;
204
205 // App's parent structure for starting/stopping crypto
206 typedef struct utun_crypto_args {
207 utun_crypto_ver_t ver;
208 utun_crypto_type_t type;
209 u_int32_t stop_data_traffic;
210 u_int32_t args_ulen;
211 u_int32_t varargs_buflen;
212 union {
213 // don't change the order, number, or size of elements above this line (in this struct). otherwise UTUN_CRYPTO_ARGS_HDR_SIZE breaks backwards compatibility
214 utun_crypto_ipsec_args_v1_t ipsec_v1;
215 utun_crypto_dtls_args_v1_t dtls_v1;
216 // future (additional) versions of the arguments may be placed here
217 } u;
218 u_int8_t varargs_buf[0]; // must be at the end of this struct
219 } __attribute__((aligned(4), packed)) utun_crypto_args_t;
220
221 #ifdef KERNEL_PRIVATE
222
223 #include <sys/kern_control.h>
224 #include <net/kpi_protocol.h>
225 #include <net/kpi_interface.h>
226 #include <net/pfkeyv2.h>
227 #include <netkey/key.h>
228 #include <netkey/keydb.h>
229
230 struct utun_pcb;
231
232 // structures used for storing kernel's keying material runtime state
233 typedef struct utun_crypto_keys_ipsec_state {
234 // kernel's ipsec keying material state
235 u_int32_t spi;
236 struct secashead *sah;
237 struct secasvar *sav;
238 u_int8_t proto;
239 u_int8_t ifamily;
240 u_int8_t mode;
241 u_int8_t unused;
242 } __attribute__((packed)) utun_crypto_keys_ipsec_state_t;
243
244 typedef struct utun_crypto_keys_dtls_state {
245 // stub for kernel's DTLS keying material state
246 u_int32_t unused; // place holder
247 } __attribute__((packed)) utun_crypto_keys_dtls_state_t;
248
249 // kernel's parent structure for keying material state
250 typedef struct utun_crypto_keys_state {
251 union {
252 utun_crypto_keys_ipsec_state_t ipsec;
253 utun_crypto_keys_dtls_state_t dtls;
254 } u;
255 } __attribute__((aligned(4), packed)) utun_crypto_keys_state_t;
256
257 // kernel's parent structure for keying material
258 typedef struct utun_crypto_keys {
259 int valid; // is valid?
260 utun_crypto_type_t type;
261 u_int16_t unused;
262 utun_crypto_keys_state_t state; // runtime state
263 LIST_ENTRY(utun_crypto_keys) chain;
264 } __attribute__((aligned(4), packed)) utun_crypto_keys_t;
265
266 // kernel's parent structure for all crypto stuff
267 typedef struct utun_crypto_ctx {
268 int valid;
269 utun_crypto_type_t type;
270 u_int16_t unused;
271 LIST_HEAD(chain, utun_crypto_keys) keys_listhead;
272 } __attribute__((aligned(4), packed)) utun_crypto_ctx_t;
273
274 #define UTUN_CRYPTO_KEYS_IDX_ARGS_HDR_SIZE ((size_t)(&((utun_crypto_keys_idx_args_t *)0)->u))
275 #define UTUN_CRYPTO_KEYS_IDX_ARGS_VARARGS_BUF(args) ((u_int8_t *)args + UTUN_CRYPTO_KEYS_IDX_ARGS_HDR_SIZE + args->args_ulen)
276 #define UTUN_CRYPTO_KEYS_IDX_ARGS_TOTAL_SIZE(args) ((size_t)(UTUN_CRYPTO_KEYS_IDX_ARGS_HDR_SIZE + args->args_ulen + args->varargs_buflen))
277
278 #define UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE ((size_t)(&((utun_crypto_keys_args_t *)0)->u))
279 #define UTUN_CRYPTO_KEYS_ARGS_VARARGS_BUF(args) ((u_int8_t *)args + UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE + args->args_ulen)
280 #define UTUN_CRYPTO_KEYS_ARGS_TOTAL_SIZE(args) ((size_t)(UTUN_CRYPTO_KEYS_ARGS_HDR_SIZE + args->args_ulen + args->varargs_buflen))
281
282 #define UTUN_CRYPTO_ARGS_HDR_SIZE ((size_t)(&((utun_crypto_args_t *)0)->u))
283 #define UTUN_CRYPTO_ARGS_VARARGS_BUF(args) ((u_int8_t *)args + UTUN_CRYPTO_ARGS_HDR_SIZE + args->args_ulen)
284 #define UTUN_CRYPTO_ARGS_TOTAL_SIZE(args) ((size_t)(UTUN_CRYPTO_ARGS_HDR_SIZE + args->args_ulen + args->varargs_buflen))
285
286 #define UTUN_CRYPTO_DIR_TO_IDX(dir) (dir - 1)
287 #define UTUN_CRYPTO_IDX_TO_DIR(idx) (idx + 1)
288
289 void
290 utun_cleanup_crypto(struct utun_pcb *pcb);
291
292 errno_t
293 utun_ctl_enable_crypto(__unused kern_ctl_ref kctlref,
294 __unused u_int32_t unit,
295 __unused void *unitinfo,
296 __unused int opt,
297 void *data,
298 size_t len);
299
300 errno_t
301 utun_ctl_disable_crypto(__unused kern_ctl_ref kctlref,
302 __unused u_int32_t unit,
303 __unused void *unitinfo,
304 __unused int opt,
305 void *data,
306 size_t len);
307
308 errno_t
309 utun_ctl_config_crypto_keys(__unused kern_ctl_ref kctlref,
310 __unused u_int32_t unit,
311 __unused void *unitinfo,
312 __unused int opt,
313 void *data,
314 size_t len);
315
316 errno_t
317 utun_ctl_unconfig_crypto_keys(__unused kern_ctl_ref kctlref,
318 __unused u_int32_t unit,
319 __unused void *unitinfo,
320 __unused int opt,
321 void *data,
322 size_t len);
323
324 errno_t
325 utun_ctl_generate_crypto_keys_idx(__unused kern_ctl_ref kctlref,
326 __unused u_int32_t unit,
327 __unused void *unitinfo,
328 __unused int opt,
329 void *data,
330 size_t *len);
331
332 errno_t
333 utun_ctl_stop_crypto_data_traffic(__unused kern_ctl_ref kctlref,
334 __unused u_int32_t unit,
335 __unused void *unitinfo,
336 __unused int opt,
337 void *data,
338 size_t len);
339
340 errno_t
341 utun_ctl_start_crypto_data_traffic(__unused kern_ctl_ref kctlref,
342 __unused u_int32_t unit,
343 __unused void *unitinfo,
344 __unused int opt,
345 void *data,
346 size_t len);
347
348 int
349 utun_pkt_crypto_output(struct utun_pcb *pcb, mbuf_t *m);
350
351 #endif // KERNEL_PRIVATE
352
353 #endif // _NET_IF_UTUN_CRYPTO_H_
mirror of XNU