master
1/* $NetBSD: ipsec.h,v 1.93 2022/10/28 05:23:09 ozaki-r Exp $ */
2/* $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
3/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34#ifndef _NETIPSEC_IPSEC_H_
35#define _NETIPSEC_IPSEC_H_
36
37#if defined(_KERNEL_OPT)
38#include "opt_inet.h"
39#include "opt_ipsec.h"
40#endif
41
42#include <net/pfkeyv2.h>
43
44#ifdef _KERNEL
45#include <sys/socketvar.h>
46#include <sys/localcount.h>
47
48#include <netinet/in_pcb.h>
49#include <netipsec/keydb.h>
50
51/*
52 * Security Policy Index
53 * Ensure that both address families in the "src" and "dst" are same.
54 * When the value of the ul_proto is ICMPv6, the port field in "src"
55 * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
56 */
57struct secpolicyindex {
58 u_int8_t dir; /* direction of packet flow, see blow */
59 union sockaddr_union src; /* IP src address for SP */
60 union sockaddr_union dst; /* IP dst address for SP */
61 u_int8_t prefs; /* prefix length in bits for src */
62 u_int8_t prefd; /* prefix length in bits for dst */
63 u_int16_t ul_proto; /* upper layer Protocol */
64};
65
66/* Security Policy Data Base */
67struct secpolicy {
68 struct pslist_entry pslist_entry;
69
70 struct localcount localcount; /* reference count */
71 struct secpolicyindex spidx; /* selector */
72 u_int32_t id; /* It's unique number on the system. */
73 u_int state; /* 0: dead, others: alive */
74#define IPSEC_SPSTATE_DEAD 0
75#define IPSEC_SPSTATE_ALIVE 1
76
77 u_int origin; /* who generate this SP. */
78#define IPSEC_SPORIGIN_USER 0
79#define IPSEC_SPORIGIN_KERNEL 1
80
81 u_int policy; /* DISCARD, NONE or IPSEC, see keyv2.h */
82 struct ipsecrequest *req;
83 /* pointer to the ipsec request tree, */
84 /* if policy == IPSEC else this value == NULL.*/
85
86 /*
87 * lifetime handler.
88 * the policy can be used without limitiation if both lifetime and
89 * validtime are zero.
90 * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
91 * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
92 */
93 time_t created; /* time created the policy */
94 time_t lastused; /* updated every when kernel sends a packet */
95 time_t lifetime; /* duration of the lifetime of this policy */
96 time_t validtime; /* duration this policy is valid without use */
97};
98
99/* Request for IPsec */
100struct ipsecrequest {
101 struct ipsecrequest *next;
102 /* pointer to next structure */
103 /* If NULL, it means the end of chain. */
104 struct secasindex saidx;/* hint for search proper SA */
105 /* if __ss_len == 0 then no address specified.*/
106 u_int level; /* IPsec level defined below. */
107
108 struct secpolicy *sp; /* back pointer to SP */
109};
110
111/* security policy in PCB */
112struct inpcbpolicy {
113 struct secpolicy *sp_in;
114 struct secpolicy *sp_out;
115 int priv; /* privileged socket ? */
116
117 /* cached policy */
118 struct {
119 struct secpolicy *cachesp;
120 struct secpolicyindex cacheidx;
121 int cachehint; /* processing requirement hint: */
122#define IPSEC_PCBHINT_UNKNOWN 0 /* Unknown */
123#define IPSEC_PCBHINT_YES 1 /* IPsec processing is required */
124#define IPSEC_PCBHINT_NO 2 /* IPsec processing not required */
125 u_int cachegen; /* spdgen when cache filled */
126 } sp_cache[3]; /* XXX 3 == IPSEC_DIR_MAX */
127 int sp_cacheflags;
128#define IPSEC_PCBSP_CONNECTED 1
129 struct inpcb *sp_inp; /* back pointer */
130};
131
132extern u_int ipsec_spdgen;
133
134static __inline bool
135ipsec_pcb_skip_ipsec(struct inpcbpolicy *pcbsp, int dir)
136{
137
138 KASSERT(inp_locked(pcbsp->sp_inp));
139
140 return pcbsp->sp_cache[(dir)].cachehint == IPSEC_PCBHINT_NO &&
141 pcbsp->sp_cache[(dir)].cachegen == ipsec_spdgen;
142}
143
144/* SP acquiring list table. */
145struct secspacq {
146 LIST_ENTRY(secspacq) chain;
147
148 struct secpolicyindex spidx;
149
150 time_t created; /* for lifetime */
151 int count; /* for lifetime */
152 /* XXX: here is mbuf place holder to be sent ? */
153};
154#endif /* _KERNEL */
155
156/* buffer size for formatted output of ipsec address (addr + '%' + scope_id?) */
157#define IPSEC_ADDRSTRLEN (INET6_ADDRSTRLEN + 11)
158/* buffer size for ipsec_logsastr() */
159#define IPSEC_LOGSASTRLEN 192
160
161/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
162#define IPSEC_PORT_ANY 0
163#define IPSEC_ULPROTO_ANY 255
164#define IPSEC_PROTO_ANY 255
165
166/* mode of security protocol */
167/* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */
168#define IPSEC_MODE_ANY 0 /* i.e. wildcard. */
169#define IPSEC_MODE_TRANSPORT 1
170#define IPSEC_MODE_TUNNEL 2
171#define IPSEC_MODE_TCPMD5 3 /* TCP MD5 mode */
172
173/*
174 * Direction of security policy.
175 * NOTE: Since INVALID is used just as flag.
176 * The other are used for loop counter too.
177 */
178#define IPSEC_DIR_ANY 0
179#define IPSEC_DIR_INBOUND 1
180#define IPSEC_DIR_OUTBOUND 2
181#define IPSEC_DIR_MAX 3
182#define IPSEC_DIR_INVALID 4
183
184#define IPSEC_DIR_IS_VALID(dir) ((dir) >= 0 && (dir) <= IPSEC_DIR_MAX)
185#define IPSEC_DIR_IS_INOROUT(dir) ((dir) == IPSEC_DIR_INBOUND || \
186 (dir) == IPSEC_DIR_OUTBOUND)
187
188/* Policy level */
189/*
190 * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
191 * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
192 * DISCARD and NONE are allowed for system default.
193 */
194#define IPSEC_POLICY_DISCARD 0 /* discarding packet */
195#define IPSEC_POLICY_NONE 1 /* through IPsec engine */
196#define IPSEC_POLICY_IPSEC 2 /* do IPsec */
197#define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */
198#define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */
199
200/* Security protocol level */
201#define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */
202#define IPSEC_LEVEL_USE 1 /* use SA if present. */
203#define IPSEC_LEVEL_REQUIRE 2 /* require SA. */
204#define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */
205
206#define IPSEC_MANUAL_REQID_MAX 0x3fff
207 /*
208 * if security policy level == unique, this id
209 * indicate to a relative SA for use, else is
210 * zero.
211 * 1 - 0x3fff are reserved for manual keying.
212 * 0 are reserved for above reason. Others is
213 * for kernel use.
214 * Note that this id doesn't identify SA
215 * by only itself.
216 */
217#define IPSEC_REPLAYWSIZE 32
218
219#ifdef _KERNEL
220
221extern int ipsec_debug;
222#ifdef IPSEC_DEBUG
223extern int ipsec_replay;
224extern int ipsec_integrity;
225#endif
226
227extern struct secpolicy ip4_def_policy;
228extern int ip4_esp_trans_deflev;
229extern int ip4_esp_net_deflev;
230extern int ip4_ah_trans_deflev;
231extern int ip4_ah_net_deflev;
232extern int ip4_ah_cleartos;
233extern int ip4_ah_offsetmask;
234extern int ip4_ipsec_dfbit;
235extern int ip4_ipsec_ecn;
236extern int crypto_support;
237
238#include <sys/syslog.h>
239
240#define DPRINTF(fmt, args...) \
241 do { \
242 if (ipsec_debug) \
243 log(LOG_DEBUG, "%s: " fmt, __func__, ##args); \
244 } while (/*CONSTCOND*/0)
245
246#define IPSECLOG(level, fmt, args...) \
247 do { \
248 if (ipsec_debug) \
249 log(level, "%s: " fmt, __func__, ##args); \
250 } while (/*CONSTCOND*/0)
251
252#define ipsec_indone(m) \
253 ((m->m_flags & M_AUTHIPHDR) || (m->m_flags & M_DECRYPTED))
254#define ipsec_outdone(m) \
255 (m_tag_find((m), PACKET_TAG_IPSEC_OUT_DONE) != NULL)
256
257static __inline bool
258ipsec_skip_pfil(struct mbuf *m)
259{
260 bool rv;
261
262 if (ipsec_indone(m) &&
263 ((m->m_pkthdr.pkthdr_flags & PKTHDR_FLAG_IPSEC_SKIP_PFIL) != 0)) {
264 m->m_pkthdr.pkthdr_flags &= ~PKTHDR_FLAG_IPSEC_SKIP_PFIL;
265 rv = true;
266 } else {
267 rv = false;
268 }
269
270 return rv;
271}
272
273void ipsec_pcbconn(struct inpcbpolicy *);
274void ipsec_pcbdisconn(struct inpcbpolicy *);
275void ipsec_invalpcbcacheall(void);
276
277struct inpcb;
278int ipsec4_output(struct mbuf *, struct inpcb *, int, u_long *, bool *, bool *, bool *);
279
280int ipsec_ip_input_checkpolicy(struct mbuf *, bool);
281void ipsec_mtu(struct mbuf *, int *);
282#ifdef INET6
283void ipsec6_udp_cksum(struct mbuf *);
284#endif
285
286struct inpcb;
287int ipsec_init_pcbpolicy(struct socket *so, struct inpcbpolicy **);
288int ipsec_copy_policy(const struct inpcbpolicy *, struct inpcbpolicy *);
289u_int ipsec_get_reqlevel(const struct ipsecrequest *);
290
291int ipsec_set_policy(struct inpcb *, const void *, size_t, kauth_cred_t);
292int ipsec_get_policy(struct inpcb *, const void *, size_t, struct mbuf **);
293int ipsec_delete_pcbpolicy(struct inpcb *);
294int ipsec_in_reject(struct mbuf *, struct inpcb *);
295
296struct secasvar *ipsec_lookup_sa(const struct ipsecrequest *,
297 const struct mbuf *);
298
299struct secas;
300struct tcpcb;
301int ipsec_chkreplay(u_int32_t, const struct secasvar *);
302int ipsec_updatereplay(u_int32_t, const struct secasvar *);
303
304size_t ipsec_hdrsiz(struct mbuf *, u_int, struct inpcb *);
305size_t ipsec4_hdrsiz_tcp(struct tcpcb *);
306
307union sockaddr_union;
308const char *ipsec_address(const union sockaddr_union* sa, char *, size_t);
309const char *ipsec_logsastr(const struct secasvar *, char *, size_t);
310
311/* NetBSD protosw ctlin entrypoint */
312void *esp4_ctlinput(int, const struct sockaddr *, void *);
313void *ah4_ctlinput(int, const struct sockaddr *, void *);
314
315void ipsec_output_init(void);
316struct m_tag;
317void ipsec4_common_input(struct mbuf *m, int, int);
318int ipsec4_common_input_cb(struct mbuf *, struct secasvar *, int, int);
319int ipsec4_process_packet(struct mbuf *, const struct ipsecrequest *, u_long *);
320int ipsec_process_done(struct mbuf *, const struct ipsecrequest *,
321 struct secasvar *, int);
322
323struct mbuf *m_clone(struct mbuf *);
324struct mbuf *m_makespace(struct mbuf *, int, int, int *);
325void *m_pad(struct mbuf *, int);
326int m_striphdr(struct mbuf *, int, int);
327
328extern int ipsec_used __read_mostly;
329extern int ipsec_enabled __read_mostly;
330
331#endif /* _KERNEL */
332
333#ifndef _KERNEL
334char *ipsec_set_policy(const char *, int);
335int ipsec_get_policylen(char *);
336char *ipsec_dump_policy(char *, const char *);
337const char *ipsec_strerror(void);
338#endif /* !_KERNEL */
339
340#ifdef _KERNEL
341/* External declarations of per-file init functions */
342void ah_attach(void);
343void esp_attach(void);
344void ipcomp_attach(void);
345void ipe4_attach(void);
346void tcpsignature_attach(void);
347
348void ipsec_attach(void);
349
350void sysctl_net_inet_ipsec_setup(struct sysctllog **);
351#ifdef INET6
352void sysctl_net_inet6_ipsec6_setup(struct sysctllog **);
353#endif
354
355#endif /* _KERNEL */
356#endif /* !_NETIPSEC_IPSEC_H_ */