OpenCores
URL https://opencores.org/ocsvn/openrisc_me/openrisc_me/trunk

Subversion Repositories openrisc_me

[/] [openrisc/] [trunk/] [gnu-src/] [newlib-1.18.0/] [newlib/] [libc/] [sys/] [linux/] [include/] [netinet6/] [ipsec.h] - Blame information for rev 207

Details | Compare with Previous | View Log

Line No. Rev Author Line
1 207 jeremybenn
/*      $FreeBSD: src/sys/netinet6/ipsec.h,v 1.9 2002/04/19 04:46:23 suz Exp $  */
2
/*      $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $  */
3
 
4
/*
5
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6
 * All rights reserved.
7
 *
8
 * Redistribution and use in source and binary forms, with or without
9
 * modification, are permitted provided that the following conditions
10
 * are met:
11
 * 1. Redistributions of source code must retain the above copyright
12
 *    notice, this list of conditions and the following disclaimer.
13
 * 2. Redistributions in binary form must reproduce the above copyright
14
 *    notice, this list of conditions and the following disclaimer in the
15
 *    documentation and/or other materials provided with the distribution.
16
 * 3. Neither the name of the project nor the names of its contributors
17
 *    may be used to endorse or promote products derived from this software
18
 *    without specific prior written permission.
19
 *
20
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30
 * SUCH DAMAGE.
31
 */
32
 
33
/*
34
 * IPsec controller part.
35
 */
36
 
37
#ifndef _NETINET6_IPSEC_H_
38
#define _NETINET6_IPSEC_H_
39
 
40
#if defined(_KERNEL) && !defined(_LKM) && !defined(KLD_MODULE)
41
#include "opt_inet.h"
42
#include "opt_ipsec.h"
43
#endif
44
 
45
#include <net/pfkeyv2.h>
46
#include <netkey/keydb.h>
47
 
48
#ifdef _KERNEL
49
 
50
/*
51
 * Security Policy Index
52
 * Ensure that both address families in the "src" and "dst" are same.
53
 * When the value of the ul_proto is ICMPv6, the port field in "src"
54
 * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
55
 */
56
struct secpolicyindex {
57
        u_int8_t dir;                   /* direction of packet flow, see blow */
58
        struct sockaddr_storage src;    /* IP src address for SP */
59
        struct sockaddr_storage dst;    /* IP dst address for SP */
60
        u_int8_t prefs;                 /* prefix length in bits for src */
61
        u_int8_t prefd;                 /* prefix length in bits for dst */
62
        u_int16_t ul_proto;             /* upper layer Protocol */
63
#ifdef notyet
64
        uid_t uids;
65
        uid_t uidd;
66
        gid_t gids;
67
        gid_t gidd;
68
#endif
69
};
70
 
71
/* Security Policy Data Base */
72
struct secpolicy {
73
        LIST_ENTRY(secpolicy) chain;
74
 
75
        int refcnt;                     /* reference count */
76
        struct secpolicyindex spidx;    /* selector */
77
        u_int32_t id;                   /* It's unique number on the system. */
78
        u_int state;                    /* 0: dead, others: alive */
79
#define IPSEC_SPSTATE_DEAD      0
80
#define IPSEC_SPSTATE_ALIVE     1
81
 
82
        u_int policy;           /* DISCARD, NONE or IPSEC, see keyv2.h */
83
        struct ipsecrequest *req;
84
                                /* pointer to the ipsec request tree, */
85
                                /* if policy == IPSEC else this value == NULL.*/
86
 
87
        /*
88
         * lifetime handler.
89
         * the policy can be used without limitiation if both lifetime and
90
         * validtime are zero.
91
         * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
92
         * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
93
         */
94
        long created;           /* time created the policy */
95
        long lastused;          /* updated every when kernel sends a packet */
96
        long lifetime;          /* duration of the lifetime of this policy */
97
        long validtime;         /* duration this policy is valid without use */
98
};
99
 
100
/* Request for IPsec */
101
struct ipsecrequest {
102
        struct ipsecrequest *next;
103
                                /* pointer to next structure */
104
                                /* If NULL, it means the end of chain. */
105
        struct secasindex saidx;/* hint for search proper SA */
106
                                /* if __ss_len == 0 then no address specified.*/
107
        u_int level;            /* IPsec level defined below. */
108
 
109
        struct secasvar *sav;   /* place holder of SA for use */
110
        struct secpolicy *sp;   /* back pointer to SP */
111
};
112
 
113
/* security policy in PCB */
114
struct inpcbpolicy {
115
        struct secpolicy *sp_in;
116
        struct secpolicy *sp_out;
117
        int priv;                       /* privileged socket ? */
118
};
119
 
120
/* SP acquiring list table. */
121
struct secspacq {
122
        LIST_ENTRY(secspacq) chain;
123
 
124
        struct secpolicyindex spidx;
125
 
126
        long created;           /* for lifetime */
127
        int count;              /* for lifetime */
128
        /* XXX: here is mbuf place holder to be sent ? */
129
};
130
#endif /* _KERNEL */
131
 
132
/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
133
#define IPSEC_PORT_ANY          0
134
#define IPSEC_ULPROTO_ANY       255
135
#define IPSEC_PROTO_ANY         255
136
 
137
/* mode of security protocol */
138
/* NOTE: DON'T use IPSEC_MODE_ANY at SPD.  It's only use in SAD */
139
#define IPSEC_MODE_ANY          0        /* i.e. wildcard. */
140
#define IPSEC_MODE_TRANSPORT    1
141
#define IPSEC_MODE_TUNNEL       2
142
 
143
/*
144
 * Direction of security policy.
145
 * NOTE: Since INVALID is used just as flag.
146
 * The other are used for loop counter too.
147
 */
148
#define IPSEC_DIR_ANY           0
149
#define IPSEC_DIR_INBOUND       1
150
#define IPSEC_DIR_OUTBOUND      2
151
#define IPSEC_DIR_MAX           3
152
#define IPSEC_DIR_INVALID       4
153
 
154
/* Policy level */
155
/*
156
 * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
157
 * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
158
 * DISCARD and NONE are allowed for system default.
159
 */
160
#define IPSEC_POLICY_DISCARD    0        /* discarding packet */
161
#define IPSEC_POLICY_NONE       1       /* through IPsec engine */
162
#define IPSEC_POLICY_IPSEC      2       /* do IPsec */
163
#define IPSEC_POLICY_ENTRUST    3       /* consulting SPD if present. */
164
#define IPSEC_POLICY_BYPASS     4       /* only for privileged socket. */
165
 
166
/* Security protocol level */
167
#define IPSEC_LEVEL_DEFAULT     0        /* reference to system default */
168
#define IPSEC_LEVEL_USE         1       /* use SA if present. */
169
#define IPSEC_LEVEL_REQUIRE     2       /* require SA. */
170
#define IPSEC_LEVEL_UNIQUE      3       /* unique SA. */
171
 
172
#define IPSEC_MANUAL_REQID_MAX  0x3fff
173
                                /*
174
                                 * if security policy level == unique, this id
175
                                 * indicate to a relative SA for use, else is
176
                                 * zero.
177
                                 * 1 - 0x3fff are reserved for manual keying.
178
                                 * 0 are reserved for above reason.  Others is
179
                                 * for kernel use.
180
                                 * Note that this id doesn't identify SA
181
                                 * by only itself.
182
                                 */
183
#define IPSEC_REPLAYWSIZE  32
184
 
185
/* statistics for ipsec processing */
186
struct ipsecstat {
187
        u_quad_t in_success;  /* succeeded inbound process */
188
        u_quad_t in_polvio;
189
                        /* security policy violation for inbound process */
190
        u_quad_t in_nosa;     /* inbound SA is unavailable */
191
        u_quad_t in_inval;    /* inbound processing failed due to EINVAL */
192
        u_quad_t in_nomem;    /* inbound processing failed due to ENOBUFS */
193
        u_quad_t in_badspi;   /* failed getting a SPI */
194
        u_quad_t in_ahreplay; /* AH replay check failed */
195
        u_quad_t in_espreplay; /* ESP replay check failed */
196
        u_quad_t in_ahauthsucc; /* AH authentication success */
197
        u_quad_t in_ahauthfail; /* AH authentication failure */
198
        u_quad_t in_espauthsucc; /* ESP authentication success */
199
        u_quad_t in_espauthfail; /* ESP authentication failure */
200
        u_quad_t in_esphist[256];
201
        u_quad_t in_ahhist[256];
202
        u_quad_t in_comphist[256];
203
        u_quad_t out_success; /* succeeded outbound process */
204
        u_quad_t out_polvio;
205
                        /* security policy violation for outbound process */
206
        u_quad_t out_nosa;    /* outbound SA is unavailable */
207
        u_quad_t out_inval;   /* outbound process failed due to EINVAL */
208
        u_quad_t out_nomem;    /* inbound processing failed due to ENOBUFS */
209
        u_quad_t out_noroute; /* there is no route */
210
        u_quad_t out_esphist[256];
211
        u_quad_t out_ahhist[256];
212
        u_quad_t out_comphist[256];
213
};
214
 
215
/*
216
 * Definitions for IPsec & Key sysctl operations.
217
 */
218
/*
219
 * Names for IPsec & Key sysctl objects
220
 */
221
#define IPSECCTL_STATS                  1       /* stats */
222
#define IPSECCTL_DEF_POLICY             2
223
#define IPSECCTL_DEF_ESP_TRANSLEV       3       /* int; ESP transport mode */
224
#define IPSECCTL_DEF_ESP_NETLEV         4       /* int; ESP tunnel mode */
225
#define IPSECCTL_DEF_AH_TRANSLEV        5       /* int; AH transport mode */
226
#define IPSECCTL_DEF_AH_NETLEV          6       /* int; AH tunnel mode */
227
#if 0   /* obsolete, do not reuse */
228
#define IPSECCTL_INBOUND_CALL_IKE       7
229
#endif
230
#define IPSECCTL_AH_CLEARTOS            8
231
#define IPSECCTL_AH_OFFSETMASK          9
232
#define IPSECCTL_DFBIT                  10
233
#define IPSECCTL_ECN                    11
234
#define IPSECCTL_DEBUG                  12
235
#define IPSECCTL_ESP_RANDPAD            13
236
#define IPSECCTL_MAXID                  14
237
 
238
#define IPSECCTL_NAMES { \
239
        { 0, 0 }, \
240
        { 0, 0 }, \
241
        { "def_policy", CTLTYPE_INT }, \
242
        { "esp_trans_deflev", CTLTYPE_INT }, \
243
        { "esp_net_deflev", CTLTYPE_INT }, \
244
        { "ah_trans_deflev", CTLTYPE_INT }, \
245
        { "ah_net_deflev", CTLTYPE_INT }, \
246
        { 0, 0 }, \
247
        { "ah_cleartos", CTLTYPE_INT }, \
248
        { "ah_offsetmask", CTLTYPE_INT }, \
249
        { "dfbit", CTLTYPE_INT }, \
250
        { "ecn", CTLTYPE_INT }, \
251
        { "debug", CTLTYPE_INT }, \
252
        { "esp_randpad", CTLTYPE_INT }, \
253
}
254
 
255
#define IPSEC6CTL_NAMES { \
256
        { 0, 0 }, \
257
        { 0, 0 }, \
258
        { "def_policy", CTLTYPE_INT }, \
259
        { "esp_trans_deflev", CTLTYPE_INT }, \
260
        { "esp_net_deflev", CTLTYPE_INT }, \
261
        { "ah_trans_deflev", CTLTYPE_INT }, \
262
        { "ah_net_deflev", CTLTYPE_INT }, \
263
        { 0, 0 }, \
264
        { 0, 0 }, \
265
        { 0, 0 }, \
266
        { 0, 0 }, \
267
        { "ecn", CTLTYPE_INT }, \
268
        { "debug", CTLTYPE_INT }, \
269
        { "esp_randpad", CTLTYPE_INT }, \
270
}
271
 
272
#ifdef _KERNEL
273
struct ipsec_output_state {
274
        struct mbuf *m;
275
        struct route *ro;
276
        struct sockaddr *dst;
277
};
278
 
279
struct ipsec_history {
280
        int ih_proto;
281
        u_int32_t ih_spi;
282
};
283
 
284
extern int ipsec_debug;
285
 
286
extern struct ipsecstat ipsecstat;
287
extern struct secpolicy ip4_def_policy;
288
extern int ip4_esp_trans_deflev;
289
extern int ip4_esp_net_deflev;
290
extern int ip4_ah_trans_deflev;
291
extern int ip4_ah_net_deflev;
292
extern int ip4_ah_cleartos;
293
extern int ip4_ah_offsetmask;
294
extern int ip4_ipsec_dfbit;
295
extern int ip4_ipsec_ecn;
296
extern int ip4_esp_randpad;
297
 
298
#define ipseclog(x)     do { if (ipsec_debug) log x; } while (0)
299
 
300
extern struct secpolicy *ipsec4_getpolicybysock
301
        __P((struct mbuf *, u_int, struct socket *, int *));
302
extern struct secpolicy *ipsec4_getpolicybyaddr
303
        __P((struct mbuf *, u_int, int, int *));
304
 
305
struct inpcb;
306
extern int ipsec_init_policy __P((struct socket *so, struct inpcbpolicy **));
307
extern int ipsec_copy_policy
308
        __P((struct inpcbpolicy *, struct inpcbpolicy *));
309
extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *));
310
 
311
extern int ipsec4_set_policy __P((struct inpcb *inp, int optname,
312
        caddr_t request, size_t len, int priv));
313
extern int ipsec4_get_policy __P((struct inpcb *inpcb, caddr_t request,
314
        size_t len, struct mbuf **mp));
315
extern int ipsec4_delete_pcbpolicy __P((struct inpcb *));
316
extern int ipsec4_in_reject_so __P((struct mbuf *, struct socket *));
317
extern int ipsec4_in_reject __P((struct mbuf *, struct inpcb *));
318
 
319
struct secas;
320
struct tcpcb;
321
extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *));
322
extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *));
323
 
324
extern size_t ipsec4_hdrsiz __P((struct mbuf *, u_int, struct inpcb *));
325
extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *));
326
 
327
struct ip;
328
extern const char *ipsec4_logpacketstr __P((struct ip *, u_int32_t));
329
extern const char *ipsec_logsastr __P((struct secasvar *));
330
 
331
extern void ipsec_dumpmbuf __P((struct mbuf *));
332
 
333
extern int ipsec4_output __P((struct ipsec_output_state *, struct secpolicy *,
334
        int));
335
extern int ipsec4_tunnel_validate __P((struct mbuf *, int, u_int,
336
        struct secasvar *));
337
extern struct mbuf *ipsec_copypkt __P((struct mbuf *));
338
extern void ipsec_delaux __P((struct mbuf *));
339
extern int ipsec_setsocket __P((struct mbuf *, struct socket *));
340
extern struct socket *ipsec_getsocket __P((struct mbuf *));
341
extern int ipsec_addhist __P((struct mbuf *, int, u_int32_t));
342
extern struct ipsec_history *ipsec_gethist __P((struct mbuf *, int *));
343
extern void ipsec_clearhist __P((struct mbuf *));
344
#endif /* _KERNEL */
345
 
346
#ifndef _KERNEL
347
extern caddr_t ipsec_set_policy __P((char *, int));
348
extern int ipsec_get_policylen __P((caddr_t));
349
extern char *ipsec_dump_policy __P((caddr_t, char *));
350
 
351
extern const char *ipsec_strerror __P((void));
352
#endif /* !_KERNEL */
353
 
354
#endif /* _NETINET6_IPSEC_H_ */

powered by: WebSVN 2.1.0

© copyright 1999-2024 OpenCores.org, equivalent to Oliscience, all rights reserved. OpenCores®, registered trademark.