1 /* $KAME: ipsec.h,v 1.28 2000/03/15 13:07:57 sakane Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 /*
33 * IPsec controller part.
34 */
35
36 #ifndef _NETINET6_IPSEC_H_
37 #define _NETINET6_IPSEC_H_
38
39 #include <net/pfkeyv2.h>
40 #include <netkey/keydb.h>
41
42 #if KERNEL
/*
 * Security Policy Index -- the selector an SP entry is matched on.
 * NOTE: Ensure src and dst are of the same address family and refer to
 *       the same upper layer protocol.
 * NOTE: ul_proto, port number, uid, gid:
 *	ANY: reserved for wildcard (see IPSEC_PORT_ANY / IPSEC_ULPROTO_ANY below).
 *	0 to (~0 - 1): is one of the number of each value.
 */
struct secpolicyindex {
	u_int8_t dir;			/* direction of packet flow, IPSEC_DIR_* below */
	struct sockaddr_storage src;	/* IP src address for SP */
	struct sockaddr_storage dst;	/* IP dst address for SP */
	u_int8_t prefs;			/* prefix length in bits for src */
	u_int8_t prefd;			/* prefix length in bits for dst */
	u_int16_t ul_proto;		/* upper layer Protocol, IPSEC_ULPROTO_ANY = wildcard */
#ifdef notyet
	/* per-user / per-group selectors; compiled out ("notyet") in this version */
	uid_t uids;
	uid_t uidd;
	gid_t gids;
	gid_t gidd;
#endif
};
64
/* Security Policy Data Base entry */
struct secpolicy {
	LIST_ENTRY(secpolicy) chain;	/* SPD list linkage */

	int refcnt;			/* reference count */
	struct secpolicyindex spidx;	/* selector */
	u_int32_t id;			/* It's unique number on the system. */
	u_int state;			/* 0: dead, others: alive */
#define IPSEC_SPSTATE_DEAD	0
#define IPSEC_SPSTATE_ALIVE	1

	u_int policy;			/* DISCARD, NONE or IPSEC; IPSEC_POLICY_* below, see keyv2.h */
	struct ipsecrequest *req;
				/* pointer to the ipsec request tree, */
				/* if policy == IPSEC else this value == NULL.*/
};
81
/* Request for IPsec: one transform to apply, chained per SP (secpolicy.req) */
struct ipsecrequest {
	struct ipsecrequest *next;
				/* pointer to next structure */
				/* If NULL, it means the end of chain. */
	struct secasindex saidx;/* hint for search proper SA */
				/* if __ss_len == 0 then no address specified.*/
	u_int level;		/* IPsec level defined below (IPSEC_LEVEL_*). */

	struct secasvar *sav;	/* place holder of SA for use */
	struct secpolicy *sp;	/* back pointer to SP */
};
94
/* security policy in PCB: per-socket policy set via setsockopt() */
struct inpcbpolicy {
	struct secpolicy *sp_in;	/* policy for inbound packets */
	struct secpolicy *sp_out;	/* policy for outbound packets */
	int priv;			/* privileged socket ? (required for IPSEC_POLICY_BYPASS) */
};
101
/* SP acquiring list table: outstanding requests for a policy that does not yet exist. */
struct secspacq {
	LIST_ENTRY(secspacq) chain;

	struct secpolicyindex spidx;	/* selector being acquired */

	u_int32_t tick;		/* for lifetime */
	int count;		/* for lifetime */
	/* XXX: here is mbuf place holder to be sent ? */
};
112 #endif /*KERNEL*/
113
/*
 * Wildcard values for selector fields.
 * According to IANA assignment, port 0x0000 and proto 0xff are reserved,
 * so they are safe to use as "any" markers.
 */
#define IPSEC_PORT_ANY		0
#define IPSEC_ULPROTO_ANY	255
#define IPSEC_PROTO_ANY		255
118
/* mode of security protocol */
/* NOTE: DON'T use IPSEC_MODE_ANY in the SPD. It is only used in the SAD. */
#define	IPSEC_MODE_ANY		0	/* i.e. wildcard. */
#define	IPSEC_MODE_TRANSPORT	1
#define	IPSEC_MODE_TUNNEL	2
124
/*
 * Direction of security policy.
 * NOTE: INVALID is used only as a flag.
 * The others also serve as loop counters (ANY .. MAX).
 */
#define IPSEC_DIR_ANY		0
#define IPSEC_DIR_INBOUND	1
#define IPSEC_DIR_OUTBOUND	2
#define IPSEC_DIR_MAX		3	/* one past the last valid direction */
#define IPSEC_DIR_INVALID	4
135
/* Policy level */
/*
 * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
 * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
 * DISCARD and NONE are allowed for system default.
 */
#define IPSEC_POLICY_DISCARD	0	/* discarding packet */
#define IPSEC_POLICY_NONE	1	/* through IPsec engine */
#define IPSEC_POLICY_IPSEC	2	/* do IPsec */
#define IPSEC_POLICY_ENTRUST	3	/* consulting SPD if present. */
#define IPSEC_POLICY_BYPASS	4	/* only for privileged socket (inpcbpolicy.priv). */
147
/* Security protocol level (ipsecrequest.level) */
#define IPSEC_LEVEL_DEFAULT	0	/* reference to system default */
#define IPSEC_LEVEL_USE		1	/* use SA if present. */
#define IPSEC_LEVEL_REQUIRE	2	/* require SA. */
#define IPSEC_LEVEL_UNIQUE	3	/* unique SA. */
153
#define IPSEC_MANUAL_REQID_MAX	0x3fff
/*
 * Request id: if the security policy level is UNIQUE, this id
 * refers to a particular SA to use; otherwise it is zero.
 * 1 - 0x3fff are reserved for manual keying.
 * 0 is reserved for the reason above.  Other values are
 * for kernel use.
 * Note that this id does not identify an SA by itself.
 */
/* anti-replay window size; presumably what ipsec_chkreplay()/ipsec_updatereplay() below operate on -- confirm in ipsec.c */
#define IPSEC_REPLAYWSIZE  32
166
/* statistics for ipsec processing (exported via IPSECCTL_STATS) */
struct ipsecstat {
	u_quad_t in_success;  /* succeeded inbound process */
	u_quad_t in_polvio;
			/* security policy violation for inbound process */
	u_quad_t in_nosa;     /* inbound SA is unavailable */
	u_quad_t in_inval;    /* inbound processing failed due to EINVAL */
	u_quad_t in_nomem;    /* inbound processing failed due to ENOBUFS */
	u_quad_t in_badspi;   /* failed getting a SPI */
	u_quad_t in_ahreplay; /* AH replay check failed */
	u_quad_t in_espreplay; /* ESP replay check failed */
	u_quad_t in_ahauthsucc; /* AH authentication success */
	u_quad_t in_ahauthfail; /* AH authentication failure */
	u_quad_t in_espauthsucc; /* ESP authentication success */
	u_quad_t in_espauthfail; /* ESP authentication failure */
	/* 256-entry histograms; presumably indexed by algorithm id -- confirm against the counting code */
	u_quad_t in_esphist[256];
	u_quad_t in_ahhist[256];
	u_quad_t in_comphist[256];
	u_quad_t out_success; /* succeeded outbound process */
	u_quad_t out_polvio;
			/* security policy violation for outbound process */
	u_quad_t out_nosa;    /* outbound SA is unavailable */
	u_quad_t out_inval;   /* outbound process failed due to EINVAL */
	u_quad_t out_nomem;   /* outbound processing failed due to ENOBUFS */
	u_quad_t out_noroute; /* there is no route */
	u_quad_t out_esphist[256];
	u_quad_t out_ahhist[256];
	u_quad_t out_comphist[256];
};
196
/*
 * Definitions for IPsec & Key sysctl operations.
 */
/*
 * Names for IPsec & Key sysctl objects.
 * These values index the IPSECCTL_NAMES / IPSEC6CTL_NAMES tables below,
 * so the two must be kept in step; IPSECCTL_MAXID is the table length.
 */
#define IPSECCTL_STATS			1	/* stats */
#define IPSECCTL_DEF_POLICY		2
#define IPSECCTL_DEF_ESP_TRANSLEV	3	/* int; ESP transport mode */
#define IPSECCTL_DEF_ESP_NETLEV		4	/* int; ESP tunnel mode */
#define IPSECCTL_DEF_AH_TRANSLEV	5	/* int; AH transport mode */
#define IPSECCTL_DEF_AH_NETLEV		6	/* int; AH tunnel mode */
#define IPSECCTL_INBOUND_CALL_IKE	7
#define	IPSECCTL_AH_CLEARTOS		8
#define	IPSECCTL_AH_OFFSETMASK		9
#define	IPSECCTL_DFBIT			10
#define	IPSECCTL_ECN			11
#define	IPSECCTL_DEBUG			12
#define IPSECCTL_MAXID			13
216
/*
 * IPv4 sysctl name table, indexed by IPSECCTL_* (13 entries = IPSECCTL_MAXID).
 * Entry 0 is unused and entry 1 (IPSECCTL_STATS) has no name here.
 */
#define IPSECCTL_NAMES { \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "def_policy", CTLTYPE_INT }, \
	{ "esp_trans_deflev", CTLTYPE_INT }, \
	{ "esp_net_deflev", CTLTYPE_INT }, \
	{ "ah_trans_deflev", CTLTYPE_INT }, \
	{ "ah_net_deflev", CTLTYPE_INT }, \
	{ "inbound_call_ike", CTLTYPE_INT }, \
	{ "ah_cleartos", CTLTYPE_INT }, \
	{ "ah_offsetmask", CTLTYPE_INT }, \
	{ "dfbit", CTLTYPE_INT }, \
	{ "ecn", CTLTYPE_INT }, \
	{ "debug", CTLTYPE_INT }, \
}
232
/*
 * IPv6 sysctl name table, same layout as IPSECCTL_NAMES.  The
 * ah_cleartos / ah_offsetmask / dfbit slots (IPSECCTL_AH_CLEARTOS,
 * IPSECCTL_AH_OFFSETMASK, IPSECCTL_DFBIT) are left empty for IPv6.
 */
#define IPSEC6CTL_NAMES { \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "def_policy", CTLTYPE_INT }, \
	{ "esp_trans_deflev", CTLTYPE_INT }, \
	{ "esp_net_deflev", CTLTYPE_INT }, \
	{ "ah_trans_deflev", CTLTYPE_INT }, \
	{ "ah_net_deflev", CTLTYPE_INT }, \
	{ "inbound_call_ike", CTLTYPE_INT }, \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "ecn", CTLTYPE_INT }, \
	{ "debug", CTLTYPE_INT }, \
}
248
#ifdef __bsdi__
/*
 * BSD/OS only: variable tables parallel to IPSECCTL_NAMES / IPSEC6CTL_NAMES.
 * Slot order must match the name tables (and hence the IPSECCTL_* ids);
 * the IPv6 table has no ah_cleartos / ah_offsetmask / dfbit variables.
 */
#define IPSECCTL_VARS { \
	0, \
	0, \
	&ip4_def_policy.policy, \
	&ip4_esp_trans_deflev, \
	&ip4_esp_net_deflev, \
	&ip4_ah_trans_deflev, \
	&ip4_ah_net_deflev, \
	&ip4_inbound_call_ike, \
	&ip4_ah_cleartos, \
	&ip4_ah_offsetmask, \
	&ip4_ipsec_dfbit, \
	&ip4_ipsec_ecn, \
	&ipsec_debug, \
}

#define IPSEC6CTL_VARS { \
	0, \
	0, \
	&ip6_def_policy.policy, \
	&ip6_esp_trans_deflev, \
	&ip6_esp_net_deflev, \
	&ip6_ah_trans_deflev, \
	&ip6_ah_net_deflev, \
	&ip6_inbound_call_ike, \
	0, \
	0, \
	0, \
	&ip6_ipsec_ecn, \
	&ipsec_debug, \
}
#endif
282
283 #if KERNEL
/* State carried through ipsec4_output() / ipsec6_output_*() for one packet. */
struct ipsec_output_state {
	struct mbuf *m;		/* the packet being processed */
	struct route *ro;	/* route in use */
	struct sockaddr *dst;	/* destination address */
};
289
extern int ipsec_debug;		/* non-zero enables ipseclog() output (sysctl "debug") */

#if INET
/* IPv4 tunables backing the IPSECCTL_* sysctls above */
extern struct ipsecstat ipsecstat;
extern struct secpolicy ip4_def_policy;	/* system default policy (DISCARD or NONE) */
extern int ip4_esp_trans_deflev;	/* default IPSEC_LEVEL_* for ESP, transport mode */
extern int ip4_esp_net_deflev;		/* default IPSEC_LEVEL_* for ESP, tunnel mode */
extern int ip4_ah_trans_deflev;		/* default IPSEC_LEVEL_* for AH, transport mode */
extern int ip4_ah_net_deflev;		/* default IPSEC_LEVEL_* for AH, tunnel mode */
extern int ip4_inbound_call_ike;
extern int ip4_ah_cleartos;
extern int ip4_ah_offsetmask;
extern int ip4_ipsec_dfbit;
extern int ip4_ipsec_ecn;
#endif

#if INET6
/* IPv6 counterparts; note there are no ah_cleartos / ah_offsetmask / dfbit variables for IPv6 */
extern struct ipsecstat ipsec6stat;
extern struct secpolicy ip6_def_policy;
extern int ip6_esp_trans_deflev;
extern int ip6_esp_net_deflev;
extern int ip6_ah_trans_deflev;
extern int ip6_ah_net_deflev;
extern int ip6_inbound_call_ike;
extern int ip6_ipsec_ecn;
#endif
316
/*
 * Debug logging, gated on ipsec_debug.  x is a parenthesized argument
 * list passed straight to log(), e.g. ipseclog((LOG_DEBUG, "%s", str));
 * always give log() a literal format string.
 */
#define ipseclog(x)	do { if (ipsec_debug) log x; } while (0)
318
/*
 * SP lookup.  Arguments are (packet, direction, socket-or-flag, error out).
 * The u_int is presumably an IPSEC_DIR_* value and the trailing int *
 * receives an errno on failure -- confirm in ipsec.c.  Since secpolicy
 * carries a refcnt, callers are expected to release the returned SP.
 */
extern struct secpolicy *ipsec4_getpolicybysock
	__P((struct mbuf *, u_int, struct socket *, int *));
extern struct secpolicy *ipsec4_getpolicybyaddr
	__P((struct mbuf *, u_int, int, int *));

#if INET6
extern struct secpolicy *ipsec6_getpolicybysock
	__P((struct mbuf *, u_int, struct socket *, int *));
extern struct secpolicy *ipsec6_getpolicybyaddr
	__P((struct mbuf *, u_int, int, int *));
#endif /*INET6*/
330
struct inpcb;
#if INET6
struct in6pcb;
#endif
/* Per-PCB policy lifecycle: set up a PCB policy for socket so (returned through the out-pointer), copy one PCB policy to another. */
extern int ipsec_init_policy __P((struct socket *so, struct inpcbpolicy **));
extern int ipsec_copy_policy
	__P((struct inpcbpolicy *, struct inpcbpolicy *));
/* Resolve an ipsecrequest's level, taking IPSEC_LEVEL_DEFAULT into account (see the *_deflev tunables). */
extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *));
339
/*
 * setsockopt()/getsockopt() back ends for per-socket policy.
 * request/len is the user-supplied policy buffer; the implementation
 * must validate len against the encoded policy before parsing it.
 * priv reflects inpcbpolicy.priv (needed for IPSEC_POLICY_BYPASS).
 */
extern int ipsec4_set_policy __P((struct inpcb *inp, int optname,
	caddr_t request, size_t len, int priv));
extern int ipsec4_get_policy __P((struct inpcb *inpcb, caddr_t request,
	size_t len, struct mbuf **mp));
extern int ipsec4_delete_pcbpolicy __P((struct inpcb *));
/* Inbound policy check: non-zero means the packet must be rejected. */
extern int ipsec4_in_reject_so __P((struct mbuf *, struct socket *));
extern int ipsec4_in_reject __P((struct mbuf *, struct inpcb *));
347
#if INET6
extern int ipsec6_in_reject_so __P((struct mbuf *, struct socket *));
/* FreeBSD >= 3 and Apple keep IPv6 sockets in struct inpcb; other stacks use struct in6pcb. */
#if defined(__FreeBSD__) && __FreeBSD__ >= 3 || defined (__APPLE__)
extern int ipsec6_delete_pcbpolicy __P((struct inpcb *));
extern int ipsec6_set_policy __P((struct inpcb *inp, int optname,
	caddr_t request, size_t len, int priv));
extern int ipsec6_get_policy
	__P((struct inpcb *inp, caddr_t request, size_t len, struct mbuf **mp));
extern int ipsec6_in_reject __P((struct mbuf *, struct inpcb *));
#else
extern int ipsec6_delete_pcbpolicy __P((struct in6pcb *));
extern int ipsec6_set_policy __P((struct in6pcb *in6p, int optname,
	caddr_t request, size_t len, int priv));
extern int ipsec6_get_policy __P((struct in6pcb *in6p, caddr_t request,
	size_t len, struct mbuf **mp));
extern int ipsec6_in_reject __P((struct mbuf *, struct in6pcb *));
#endif
#endif /*INET6*/
366
struct secas;
struct tcpcb;
struct tcp6cb;
/*
 * Anti-replay: check a received sequence number against the SA's
 * window, and advance the window once the packet has been authenticated.
 * Only call ipsec_updatereplay after authentication succeeds, otherwise
 * an unauthenticated packet could move the window.
 */
extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *));
extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *));
372
/* IPsec header size accounting for a packet / PCB / TCP connection (see ipsec.c for exact semantics). */
extern size_t ipsec4_hdrsiz __P((struct mbuf *, u_int, struct inpcb *));
#if defined(__FreeBSD__) && __FreeBSD__ >= 3 || defined (__APPLE__)
extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *, int));
#else
extern size_t ipsec4_hdrsiz_tcp __P((struct tcpcb *));
#endif
#if INET6
#if defined(__FreeBSD__) && __FreeBSD__ >= 3 || defined (__APPLE__)
extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct inpcb *));
#else
extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct in6pcb *));
#if defined(__NetBSD__) && !defined(TCP6)
extern size_t ipsec6_hdrsiz_tcp __P((struct tcpcb *));
#else
extern size_t ipsec6_hdrsiz_tcp __P((struct tcp6cb *));
#endif
#endif
#endif
391
struct ip;
#if INET6
struct ip6_hdr;
#endif
/*
 * Human-readable descriptions of a packet (header + SPI) or an SA for
 * logging.  The returned string is probably static storage -- do not
 * retain it across calls; confirm in ipsec.c.
 */
extern const char *ipsec4_logpacketstr __P((struct ip *, u_int32_t));
#if INET6
extern const char *ipsec6_logpacketstr __P((struct ip6_hdr *, u_int32_t));
#endif
extern const char *ipsec_logsastr __P((struct secasvar *));
401
/* Debug helper: dump an mbuf chain's contents. */
extern void ipsec_dumpmbuf __P((struct mbuf *));
403
/* Apply the SP's transforms to the packet held in ipsec_output_state (trailing int is a flags word). */
extern int ipsec4_output __P((struct ipsec_output_state *, struct secpolicy *,
	int));
#if INET6
extern int ipsec6_output_trans __P((struct ipsec_output_state *, u_char *,
	struct mbuf *, struct secpolicy *, int, int *));
extern int ipsec6_output_tunnel __P((struct ipsec_output_state *,
	struct secpolicy *, int));
#endif
/* Validate a decapsulated tunnel-mode packet against the SA it arrived on; non-zero result = acceptable (confirm polarity in ipsec.c). */
extern int ipsec4_tunnel_validate __P((struct ip *, u_int, struct secasvar *));
#if INET6
extern int ipsec6_tunnel_validate __P((struct ip6_hdr *, u_int,
	struct secasvar *));
#endif
extern struct mbuf *ipsec_copypkt __P((struct mbuf *));
/* Associate / retrieve the originating socket of an mbuf (used for socket-based SP lookup). */
extern void ipsec_setsocket __P((struct mbuf *, struct socket *));
extern struct socket *ipsec_getsocket __P((struct mbuf *));
420
#if defined(__bsdi__) || defined(__NetBSD__)
/* sysctl handlers for the IPSECCTL_* / IPSEC6CTL_* trees on BSD/OS and NetBSD */
extern int ipsec_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
extern int ipsec6_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
#endif /* __bsdi__ || __NetBSD__ */
425
426 #endif /*KERNEL*/
427
#ifndef KERNEL
/*
 * Userland (libipsec) policy helpers.
 * ipsec_set_policy parses a policy string of buflen bytes into an
 * encoded policy buffer suitable for setsockopt(); ipsec_get_policylen
 * returns that buffer's length; ipsec_dump_policy renders it back as
 * text.  Whether the returned buffers are malloc'd (caller frees) is not
 * stated here -- check libipsec before use.
 */
extern caddr_t ipsec_set_policy __P((char *policy, int buflen));
extern int ipsec_get_policylen __P((caddr_t buf));
extern char *ipsec_dump_policy __P((caddr_t buf, char *delimiter));

/* Text for the last libipsec error. */
extern char *ipsec_strerror __P((void));
#endif /*!KERNEL*/
435
436 #endif /*_NETINET6_IPSEC_H_*/