X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/1c79356b52d46aa6b508fb032f5ae709b1f2897b..c0fea4742e91338fffdcf79f86a7c1d5e2b97eb1:/bsd/netinet6/ipsec.h diff --git a/bsd/netinet6/ipsec.h b/bsd/netinet6/ipsec.h index b800edc6f..154ff39a1 100644 --- a/bsd/netinet6/ipsec.h +++ b/bsd/netinet6/ipsec.h @@ -1,4 +1,5 @@ -/* $KAME: ipsec.h,v 1.28 2000/03/15 13:07:57 sakane Exp $ */ +/* $FreeBSD: src/sys/netinet6/ipsec.h,v 1.4.2.2 2001/07/03 11:01:54 ume Exp $ */ +/* $KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -35,17 +36,17 @@ #ifndef _NETINET6_IPSEC_H_ #define _NETINET6_IPSEC_H_ +#include #include +#ifdef KERNEL_PRIVATE #include -#if KERNEL /* * Security Policy Index - * NOTE: Encure to be same address family and upper layer protocol. - * NOTE: ul_proto, port number, uid, gid: - * ANY: reserved for waldcard. - * 0 to (~0 - 1): is one of the number of each value. + * Ensure that both address families in the "src" and "dst" are same. + * When the value of the ul_proto is ICMPv6, the port field in "src" + * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code. */ struct secpolicyindex { u_int8_t dir; /* direction of packet flow, see blow */ @@ -77,6 +78,18 @@ struct secpolicy { struct ipsecrequest *req; /* pointer to the ipsec request tree, */ /* if policy == IPSEC else this value == NULL.*/ + + /* + * lifetime handler. + * the policy can be used without limitiation if both lifetime and + * validtime are zero. + * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime. + * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime. + */ + long created; /* time created the policy */ + long lastused; /* updated every when kernel sends a packet */ + long lifetime; /* duration of the lifetime of this policy */ + long validtime; /* duration this policy is valid without use */ }; /* Request for IPsec */ 
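Review bot: The lifetime comment block added to struct secpolicy in the third hunk (`@@ -77,6 +78,18 @@`) has a typo, "limitiation" for "limitation", and the member comment `updated every when kernel sends a packet` reads better as `updated every time the kernel sends a packet`. The same comment says `lifetime` and `validtime` are filled from sadb_lifetime_addtime and sadb_lifetime_usetime, which are 64-bit fields in PF_KEY v2, while the new members are declared `long`; on ILP32 builds that narrows the value, so the copy site should clamp or the members should be widened — this is inferred from the declared types, the copy site is not in this hunk. The comment should also state the unit the four `long` fields carry (seconds, if they are taken unchanged from the PF_KEY values — confirm). struct secpolicy opens before the hunk; only its tail is visible here.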
@@ -105,11 +118,11 @@ struct secspacq { struct secpolicyindex spidx; - u_int32_t tick; /* for lifetime */ + long created; /* for lifetime */ int count; /* for lifetime */ /* XXX: here is mbuf place holder to be sent ? */ }; -#endif /*KERNEL*/ +#endif /* KERNEL_PRIVATE */ /* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */ #define IPSEC_PORT_ANY 0 @@ -135,9 +148,9 @@ struct secspacq { /* Policy level */ /* - * IPSEC, ENTRUST and BYPASS are allowd for setsockopt() in PCB, - * DISCARD, IPSEC and NONE are allowd for setkey() in SPD. - * DISCARD and NONE are allowd for system default. + * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB, + * DISCARD, IPSEC and NONE are allowed for setkey() in SPD. + * DISCARD and NONE are allowed for system default. */ #define IPSEC_POLICY_DISCARD 0 /* discarding packet */ #define IPSEC_POLICY_NONE 1 /* through IPsec engine */ @@ -194,6 +207,7 @@ struct ipsecstat { u_quad_t out_comphist[256]; }; +#ifdef KERNEL_PRIVATE /* * Definitions for IPsec & Key sysctl operations. */ @@ -206,13 +220,16 @@ struct ipsecstat { #define IPSECCTL_DEF_ESP_NETLEV 4 /* int; ESP tunnel mode */ #define IPSECCTL_DEF_AH_TRANSLEV 5 /* int; AH transport mode */ #define IPSECCTL_DEF_AH_NETLEV 6 /* int; AH tunnel mode */ +#if 0 /* obsolete, do not reuse */ #define IPSECCTL_INBOUND_CALL_IKE 7 +#endif #define IPSECCTL_AH_CLEARTOS 8 #define IPSECCTL_AH_OFFSETMASK 9 #define IPSECCTL_DFBIT 10 #define IPSECCTL_ECN 11 #define IPSECCTL_DEBUG 12 -#define IPSECCTL_MAXID 13 +#define IPSECCTL_ESP_RANDPAD 13 +#define IPSECCTL_MAXID 14 #define IPSECCTL_NAMES { \ { 0, 0 }, \ 
@@ -222,12 +239,13 @@ struct ipsecstat {
 { "esp_net_deflev", CTLTYPE_INT }, \
 { "ah_trans_deflev", CTLTYPE_INT }, \
 { "ah_net_deflev", CTLTYPE_INT }, \
- { "inbound_call_ike", CTLTYPE_INT }, \
+ { 0, 0 }, \
 { "ah_cleartos", CTLTYPE_INT }, \
 { "ah_offsetmask", CTLTYPE_INT }, \
 { "dfbit", CTLTYPE_INT }, \
 { "ecn", CTLTYPE_INT }, \
 { "debug", CTLTYPE_INT }, \
+ { "esp_randpad", CTLTYPE_INT }, \
 }
 
 #define IPSEC6CTL_NAMES { \
@@ -238,199 +256,93 @@ struct ipsecstat { { "esp_net_deflev", CTLTYPE_INT }, \ { "ah_trans_deflev", CTLTYPE_INT }, \ { "ah_net_deflev", CTLTYPE_INT }, \ - { "inbound_call_ike", CTLTYPE_INT }, \ + { 0, 0 }, \ { 0, 0 }, \ { 0, 0 }, \ { 0, 0 }, \ { "ecn", CTLTYPE_INT }, \ { "debug", CTLTYPE_INT }, \ + { "esp_randpad", CTLTYPE_INT }, \ } -#ifdef __bsdi__ -#define IPSECCTL_VARS { \ - 0, \ - 0, \ - &ip4_def_policy.policy, \ - &ip4_esp_trans_deflev, \ - &ip4_esp_net_deflev, \ - &ip4_ah_trans_deflev, \ - &ip4_ah_net_deflev, \ - &ip4_inbound_call_ike, \ - &ip4_ah_cleartos, \ - &ip4_ah_offsetmask, \ - &ip4_ipsec_dfbit, \ - &ip4_ipsec_ecn, \ - &ipsec_debug, \ -} - -#define IPSEC6CTL_VARS { \ - 0, \ - 0, \ - &ip6_def_policy.policy, \ - &ip6_esp_trans_deflev, \ - &ip6_esp_net_deflev, \ - &ip6_ah_trans_deflev, \ - &ip6_ah_net_deflev, \ - &ip6_inbound_call_ike, \ - 0, \ - 0, \ - 0, \ - &ip6_ipsec_ecn, \ - &ipsec_debug, \ -} -#endif - -#if KERNEL +#ifdef KERNEL struct ipsec_output_state { struct mbuf *m; struct route *ro; struct sockaddr *dst; }; +struct ipsec_history { + int ih_proto; + u_int32_t ih_spi; +}; + extern int ipsec_debug; -#if INET extern struct ipsecstat ipsecstat; extern struct secpolicy ip4_def_policy; extern int ip4_esp_trans_deflev; extern int ip4_esp_net_deflev; extern int ip4_ah_trans_deflev; extern int ip4_ah_net_deflev; -extern int ip4_inbound_call_ike; extern int ip4_ah_cleartos; extern int ip4_ah_offsetmask; extern int ip4_ipsec_dfbit; extern int ip4_ipsec_ecn; -#endif - -#if INET6 -extern struct ipsecstat ipsec6stat; -extern struct secpolicy ip6_def_policy; -extern int ip6_esp_trans_deflev; -extern int ip6_esp_net_deflev; -extern int ip6_ah_trans_deflev; -extern int ip6_ah_net_deflev; -extern int ip6_inbound_call_ike; -extern int ip6_ipsec_ecn; -#endif +extern int ip4_esp_randpad; #define ipseclog(x) do { if (ipsec_debug) log x; } while (0) -extern struct secpolicy *ipsec4_getpolicybysock - __P((struct mbuf *, u_int, struct socket *, int *)); -extern 
struct secpolicy *ipsec4_getpolicybyaddr - __P((struct mbuf *, u_int, int, int *)); - -#if INET6 -extern struct secpolicy *ipsec6_getpolicybysock - __P((struct mbuf *, u_int, struct socket *, int *)); -extern struct secpolicy *ipsec6_getpolicybyaddr - __P((struct mbuf *, u_int, int, int *)); -#endif /*INET6*/ +extern struct secpolicy *ipsec4_getpolicybysock(struct mbuf *, u_int, + struct socket *, int *); +extern struct secpolicy *ipsec4_getpolicybyaddr(struct mbuf *, u_int, int, + int *); struct inpcb; -#if INET6 -struct in6pcb; -#endif -extern int ipsec_init_policy __P((struct socket *so, struct inpcbpolicy **)); -extern int ipsec_copy_policy - __P((struct inpcbpolicy *, struct inpcbpolicy *)); -extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *)); - -extern int ipsec4_set_policy __P((struct inpcb *inp, int optname, - caddr_t request, size_t len, int priv)); -extern int ipsec4_get_policy __P((struct inpcb *inpcb, caddr_t request, - size_t len, struct mbuf **mp)); -extern int ipsec4_delete_pcbpolicy __P((struct inpcb *)); -extern int ipsec4_in_reject_so __P((struct mbuf *, struct socket *)); -extern int ipsec4_in_reject __P((struct mbuf *, struct inpcb *)); - -#if INET6 -extern int ipsec6_in_reject_so __P((struct mbuf *, struct socket *)); -#if defined(__FreeBSD__) && __FreeBSD__ >= 3 || defined (__APPLE__) -extern int ipsec6_delete_pcbpolicy __P((struct inpcb *)); -extern int ipsec6_set_policy __P((struct inpcb *inp, int optname, - caddr_t request, size_t len, int priv)); -extern int ipsec6_get_policy - __P((struct inpcb *inp, caddr_t request, size_t len, struct mbuf **mp)); -extern int ipsec6_in_reject __P((struct mbuf *, struct inpcb *)); -#else -extern int ipsec6_delete_pcbpolicy __P((struct in6pcb *)); -extern int ipsec6_set_policy __P((struct in6pcb *in6p, int optname, - caddr_t request, size_t len, int priv)); -extern int ipsec6_get_policy __P((struct in6pcb *in6p, caddr_t request, - size_t len, struct mbuf **mp)); -extern int ipsec6_in_reject 
__P((struct mbuf *, struct in6pcb *)); -#endif -#endif /*INET6*/ +extern int ipsec_init_policy(struct socket *so, struct inpcbpolicy **); +extern int ipsec_copy_policy(struct inpcbpolicy *, struct inpcbpolicy *); +extern u_int ipsec_get_reqlevel(struct ipsecrequest *); + +extern int ipsec4_set_policy(struct inpcb *inp, int optname, + caddr_t request, size_t len, int priv); +extern int ipsec4_get_policy(struct inpcb *inpcb, caddr_t request, + size_t len, struct mbuf **mp); +extern int ipsec4_delete_pcbpolicy(struct inpcb *); +extern int ipsec4_in_reject_so(struct mbuf *, struct socket *); +extern int ipsec4_in_reject(struct mbuf *, struct inpcb *); struct secas; struct tcpcb; -struct tcp6cb; -extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *)); -extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *)); - -extern size_t ipsec4_hdrsiz __P((struct mbuf *, u_int, struct inpcb *)); -#if defined(__FreeBSD__) && __FreeBSD__ >= 3 || defined (__APPLE__) -extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *, int)); -#else -extern size_t ipsec4_hdrsiz_tcp __P((struct tcpcb *)); -#endif -#if INET6 -#if defined(__FreeBSD__) && __FreeBSD__ >= 3 || defined (__APPLE__) -extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct inpcb *)); -#else -extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct in6pcb *)); -#if defined(__NetBSD__) && !defined(TCP6) -extern size_t ipsec6_hdrsiz_tcp __P((struct tcpcb *)); -#else -extern size_t ipsec6_hdrsiz_tcp __P((struct tcp6cb *)); -#endif -#endif -#endif +extern int ipsec_chkreplay(u_int32_t, struct secasvar *); +extern int ipsec_updatereplay(u_int32_t, struct secasvar *); -struct ip; -#if INET6 -struct ip6_hdr; -#endif -extern const char *ipsec4_logpacketstr __P((struct ip *, u_int32_t)); -#if INET6 -extern const char *ipsec6_logpacketstr __P((struct ip6_hdr *, u_int32_t)); -#endif -extern const char *ipsec_logsastr __P((struct secasvar *)); - -extern void ipsec_dumpmbuf __P((struct mbuf *)); +extern size_t 
ipsec4_hdrsiz(struct mbuf *, u_int, struct inpcb *); +extern size_t ipsec_hdrsiz_tcp(struct tcpcb *); -extern int ipsec4_output __P((struct ipsec_output_state *, struct secpolicy *, - int)); -#if INET6 -extern int ipsec6_output_trans __P((struct ipsec_output_state *, u_char *, - struct mbuf *, struct secpolicy *, int, int *)); -extern int ipsec6_output_tunnel __P((struct ipsec_output_state *, - struct secpolicy *, int)); -#endif -extern int ipsec4_tunnel_validate __P((struct ip *, u_int, struct secasvar *)); -#if INET6 -extern int ipsec6_tunnel_validate __P((struct ip6_hdr *, u_int, - struct secasvar *)); -#endif -extern struct mbuf *ipsec_copypkt __P((struct mbuf *)); -extern void ipsec_setsocket __P((struct mbuf *, struct socket *)); -extern struct socket *ipsec_getsocket __P((struct mbuf *)); - -#if defined(__bsdi__) || defined(__NetBSD__) -extern int ipsec_sysctl __P((int *, u_int, void *, size_t *, void *, size_t)); -extern int ipsec6_sysctl __P((int *, u_int, void *, size_t *, void *, size_t)); -#endif /* __bsdi__ || __NetBSD__ */ - -#endif /*KERNEL*/ +struct ip; +extern const char *ipsec4_logpacketstr(struct ip *, u_int32_t); +extern const char *ipsec_logsastr(struct secasvar *); + +extern void ipsec_dumpmbuf(struct mbuf *); + +extern int ipsec4_output(struct ipsec_output_state *, struct secpolicy *, int); +extern int ipsec4_tunnel_validate(struct mbuf *, int, u_int, struct secasvar *); +extern struct mbuf *ipsec_copypkt(struct mbuf *); +extern void ipsec_delaux(struct mbuf *); +extern int ipsec_setsocket(struct mbuf *, struct socket *); +extern struct socket *ipsec_getsocket(struct mbuf *); +extern int ipsec_addhist(struct mbuf *, int, u_int32_t); +extern struct ipsec_history *ipsec_gethist(struct mbuf *, int *); +extern void ipsec_clearhist(struct mbuf *); +#endif KERNEL +#endif KERNEL_PRIVATE #ifndef KERNEL -extern caddr_t ipsec_set_policy __P((char *policy, int buflen)); -extern int ipsec_get_policylen __P((caddr_t buf)); -extern char *ipsec_dump_policy 
__P((caddr_t buf, char *delimiter)); +extern caddr_t ipsec_set_policy(char *, int); +extern int ipsec_get_policylen(caddr_t); +extern char *ipsec_dump_policy(caddr_t, char *); -extern char *ipsec_strerror __P((void)); -#endif /*!KERNEL*/ +extern const char *ipsec_strerror(void); +#endif KERNEL -#endif /*_NETINET6_IPSEC_H_*/ +#endif /* _NETINET6_IPSEC_H_ */
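Review bot: The three closing directives added near the end of this hunk, `#endif KERNEL`, `#endif KERNEL_PRIVATE` and the final `#endif KERNEL`, put a bare identifier after `#endif`, which ISO C does not permit and which GCC and Clang diagnose as "extra tokens at end of #endif directive"; the rest of the header, including the hunk's own last line, uses comments for these labels. Replace them with `#endif /* KERNEL */`, `#endif /* KERNEL_PRIVATE */` and, for the userland block opened by `#ifndef KERNEL`, `#endif /* !KERNEL */`. The new `struct ipsec_history` is also the only struct in this header whose members carry no comment; a one-line note on what `ih_proto` and `ih_spi` record (presumably the protocol and SPI of a security association applied to the packet — confirm against ipsec_addhist) would help readers. The hunk runs across several collapsed lines; the directives in question are on the last two of them.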