URL https://opencores.org/ocsvn/openrisc/openrisc/trunk

Subversion Repositories openrisc

[/] [openrisc/] [trunk/] [rtos/] [ecos-3.0/] [packages/] [net/] [bsd_tcpip/] [current/] [include/] [netinet6/] [ipsec.h] - Blame information for rev 786

Details | Compare with Previous | View Log


//==========================================================================
//
//      include/netinet6/ipsec.h
//
//==========================================================================
// ####BSDCOPYRIGHTBEGIN####                                    
// -------------------------------------------                  
// This file is part of eCos, the Embedded Configurable Operating System.
//
// Portions of this software may have been derived from FreeBSD 
// or other sources, and if so are covered by the appropriate copyright
// and license included herein.                                 
//
// Portions created by the Free Software Foundation are         
// Copyright (C) 2002 Free Software Foundation, Inc.            
// -------------------------------------------                  
// ####BSDCOPYRIGHTEND####                                      
//==========================================================================
 
/*      $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $  */
 
/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 
/*
 * IPsec controller part.
 */
 
#ifndef _NETINET6_IPSEC_H_
#define _NETINET6_IPSEC_H_
 
#include <net/pfkeyv2.h>
#include <netkey/keydb.h>
 
#ifdef _KERNEL
 
/*
 * Security Policy Index
 * Ensure that both address families in the "src" and "dst" are same.
 * When the value of the ul_proto is ICMPv6, the port field in "src"
 * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
 */
struct secpolicyindex {
        u_int8_t dir;                   /* direction of packet flow, see blow */
        struct sockaddr_storage src;    /* IP src address for SP */
        struct sockaddr_storage dst;    /* IP dst address for SP */
        u_int8_t prefs;                 /* prefix length in bits for src */
        u_int8_t prefd;                 /* prefix length in bits for dst */
        u_int16_t ul_proto;             /* upper layer Protocol */
#ifdef notyet
        uid_t uids;
        uid_t uidd;
        gid_t gids;
        gid_t gidd;
#endif
};
 
/* Security Policy Data Base */
struct secpolicy {
        LIST_ENTRY(secpolicy) chain;
 
        int refcnt;                     /* reference count */
        struct secpolicyindex spidx;    /* selector */
        u_int32_t id;                   /* It's unique number on the system. */
        u_int state;                    /* 0: dead, others: alive */
#define IPSEC_SPSTATE_DEAD      0
#define IPSEC_SPSTATE_ALIVE     1
 
        u_int policy;           /* DISCARD, NONE or IPSEC, see keyv2.h */
        struct ipsecrequest *req;
                                /* pointer to the ipsec request tree, */
                                /* if policy == IPSEC else this value == NULL.*/
 
        /*
         * lifetime handler.
         * the policy can be used without limitiation if both lifetime and
         * validtime are zero.
         * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
         * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
         */
        long created;           /* time created the policy */
        long lastused;          /* updated every when kernel sends a packet */
        long lifetime;          /* duration of the lifetime of this policy */
        long validtime;         /* duration this policy is valid without use */
};
 
/* Request for IPsec */
struct ifnet;
struct ipsecrequest {
        struct ipsecrequest *next;
                                /* pointer to next structure */
                                /* If NULL, it means the end of chain. */
        struct secasindex saidx;/* hint for search proper SA */
                                /* if __ss_len == 0 then no address specified.*/
        u_int level;            /* IPsec level defined below. */
 
        struct secasvar *sav;   /* place holder of SA for use */
        struct secpolicy *sp;   /* back pointer to SP */
 
        struct ifnet *tunifp;   /* interface for tunnelling */
};
 
/* security policy in PCB */
struct inpcbpolicy {
        struct secpolicy *sp_in;
        struct secpolicy *sp_out;
        int priv;                       /* privileged socket ? */
 
        /* cached policy */
        /* XXX 3 == IPSEC_DIR_MAX */
        struct secpolicy *cache[3];
        struct secpolicyindex cacheidx[3];
        int cachegen[3];        /* cache generation #, the time we filled it */
        int cacheflags;
#define IPSEC_PCBSP_CONNECTED   1
};
 
/* SP acquiring list table. */
struct secspacq {
        LIST_ENTRY(secspacq) chain;
 
        struct secpolicyindex spidx;
 
        long created;           /* for lifetime */
        int count;              /* for lifetime */
        /* XXX: here is mbuf place holder to be sent ? */
};
 
struct ipsecaux {
        struct socket *so;
        int hdrs;       /* # of ipsec headers */
 
        struct secpolicy *sp;
        struct ipsecrequest *req;
};
#endif /* _KERNEL */
 
/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
#define IPSEC_PORT_ANY          0
#define IPSEC_ULPROTO_ANY       255
#define IPSEC_PROTO_ANY         255
 
/* mode of security protocol */
/* NOTE: DON'T use IPSEC_MODE_ANY at SPD.  It's only use in SAD */
#define IPSEC_MODE_ANY          0        /* i.e. wildcard. */
#define IPSEC_MODE_TRANSPORT    1
#define IPSEC_MODE_TUNNEL       2
 
/*
 * Direction of security policy.
 * NOTE: Since INVALID is used just as flag.
 * The other are used for loop counter too.
 */
#define IPSEC_DIR_ANY           0
#define IPSEC_DIR_INBOUND       1
#define IPSEC_DIR_OUTBOUND      2
#define IPSEC_DIR_MAX           3
#define IPSEC_DIR_INVALID       4
 
/* Policy level */
/*
 * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
 * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
 * DISCARD and NONE are allowed for system default.
 */
#define IPSEC_POLICY_DISCARD    0        /* discarding packet */
#define IPSEC_POLICY_NONE       1       /* through IPsec engine */
#define IPSEC_POLICY_IPSEC      2       /* do IPsec */
#define IPSEC_POLICY_ENTRUST    3       /* consulting SPD if present. */
#define IPSEC_POLICY_BYPASS     4       /* only for privileged socket. */
 
/* Security protocol level */
#define IPSEC_LEVEL_DEFAULT     0        /* reference to system default */
#define IPSEC_LEVEL_USE         1       /* use SA if present. */
#define IPSEC_LEVEL_REQUIRE     2       /* require SA. */
#define IPSEC_LEVEL_UNIQUE      3       /* unique SA. */
 
#define IPSEC_MANUAL_REQID_MAX  0x3fff
                                /*
                                 * if security policy level == unique, this id
                                 * indicate to a relative SA for use, else is
                                 * zero.
                                 * 1 - 0x3fff are reserved for manual keying.
                                 * 0 are reserved for above reason.  Others is
                                 * for kernel use.
                                 * Note that this id doesn't identify SA
                                 * by only itself.
                                 */
#define IPSEC_REPLAYWSIZE  32
 
/* statistics for ipsec processing */
struct ipsecstat {
        u_quad_t in_success;  /* succeeded inbound process */
        u_quad_t in_polvio;
                        /* security policy violation for inbound process */
        u_quad_t in_nosa;     /* inbound SA is unavailable */
        u_quad_t in_inval;    /* inbound processing failed due to EINVAL */
        u_quad_t in_nomem;    /* inbound processing failed due to ENOBUFS */
        u_quad_t in_badspi;   /* failed getting a SPI */
        u_quad_t in_ahreplay; /* AH replay check failed */
        u_quad_t in_espreplay; /* ESP replay check failed */
        u_quad_t in_ahauthsucc; /* AH authentication success */
        u_quad_t in_ahauthfail; /* AH authentication failure */
        u_quad_t in_espauthsucc; /* ESP authentication success */
        u_quad_t in_espauthfail; /* ESP authentication failure */
        u_quad_t in_esphist[256];
        u_quad_t in_ahhist[256];
        u_quad_t in_comphist[256];
        u_quad_t out_success; /* succeeded outbound process */
        u_quad_t out_polvio;
                        /* security policy violation for outbound process */
        u_quad_t out_nosa;    /* outbound SA is unavailable */
        u_quad_t out_inval;   /* outbound process failed due to EINVAL */
        u_quad_t out_nomem;    /* inbound processing failed due to ENOBUFS */
        u_quad_t out_noroute; /* there is no route */
        u_quad_t out_esphist[256];
        u_quad_t out_ahhist[256];
        u_quad_t out_comphist[256];
 
        u_quad_t spdcachelookup;
        u_quad_t spdcachemiss;
};
 
/*
 * Definitions for IPsec & Key sysctl operations.
 */
/*
 * Names for IPsec & Key sysctl objects
 */
#define IPSECCTL_STATS                  1       /* stats */
#define IPSECCTL_DEF_POLICY             2
#define IPSECCTL_DEF_ESP_TRANSLEV       3       /* int; ESP transport mode */
#define IPSECCTL_DEF_ESP_NETLEV         4       /* int; ESP tunnel mode */
#define IPSECCTL_DEF_AH_TRANSLEV        5       /* int; AH transport mode */
#define IPSECCTL_DEF_AH_NETLEV          6       /* int; AH tunnel mode */
#if 0   /* obsolete, do not reuse */
#define IPSECCTL_INBOUND_CALL_IKE       7
#endif
#define IPSECCTL_AH_CLEARTOS            8
#define IPSECCTL_AH_OFFSETMASK          9
#define IPSECCTL_DFBIT                  10
#define IPSECCTL_ECN                    11
#define IPSECCTL_DEBUG                  12
#define IPSECCTL_ESP_RANDPAD            13
#define IPSECCTL_MAXID                  14
 
#define IPSECCTL_NAMES { \
        { 0, 0 }, \
        { 0, 0 }, \
        { "def_policy", CTLTYPE_INT }, \
        { "esp_trans_deflev", CTLTYPE_INT }, \
        { "esp_net_deflev", CTLTYPE_INT }, \
        { "ah_trans_deflev", CTLTYPE_INT }, \
        { "ah_net_deflev", CTLTYPE_INT }, \
        { 0, 0 }, \
        { "ah_cleartos", CTLTYPE_INT }, \
        { "ah_offsetmask", CTLTYPE_INT }, \
        { "dfbit", CTLTYPE_INT }, \
        { "ecn", CTLTYPE_INT }, \
        { "debug", CTLTYPE_INT }, \
        { "esp_randpad", CTLTYPE_INT }, \
}
 
#define IPSEC6CTL_NAMES { \
        { 0, 0 }, \
        { 0, 0 }, \
        { "def_policy", CTLTYPE_INT }, \
        { "esp_trans_deflev", CTLTYPE_INT }, \
        { "esp_net_deflev", CTLTYPE_INT }, \
        { "ah_trans_deflev", CTLTYPE_INT }, \
        { "ah_net_deflev", CTLTYPE_INT }, \
        { 0, 0 }, \
        { 0, 0 }, \
        { 0, 0 }, \
        { 0, 0 }, \
        { "ecn", CTLTYPE_INT }, \
        { "debug", CTLTYPE_INT }, \
        { "esp_randpad", CTLTYPE_INT }, \
}
 
#ifdef __bsdi__
#define IPSECCTL_VARS { \
        0, \
        0, \
        &ip4_def_policy.policy, \
        &ip4_esp_trans_deflev, \
        &ip4_esp_net_deflev, \
        &ip4_ah_trans_deflev, \
        &ip4_ah_net_deflev, \
        0, \
        &ip4_ah_cleartos, \
        &ip4_ah_offsetmask, \
        &ip4_ipsec_dfbit, \
        &ip4_ipsec_ecn, \
        &ipsec_debug, \
        &ip4_esp_randpad, \
}
 
#define IPSEC6CTL_VARS { \
        0, \
        0, \
        &ip6_def_policy.policy, \
        &ip6_esp_trans_deflev, \
        &ip6_esp_net_deflev, \
        &ip6_ah_trans_deflev, \
        &ip6_ah_net_deflev, \
        0, \
        0, \
        0, \
        0, \
        &ip6_ipsec_ecn, \
        &ipsec_debug, \
        &ip6_esp_randpad, \
}
#endif
 
#ifdef _KERNEL
struct ipsec_output_state {
        struct mbuf *m;
        struct route *ro;
        struct sockaddr *dst;
        int encap;
};
 
struct ipsec_history {
        int ih_proto;
        u_int32_t ih_spi;
};
 
extern int ipsec_debug;
extern int ipsec_tunnel_device;
 
#ifdef INET
extern struct ipsecstat ipsecstat;
extern struct secpolicy ip4_def_policy;
extern int ip4_esp_trans_deflev;
extern int ip4_esp_net_deflev;
extern int ip4_ah_trans_deflev;
extern int ip4_ah_net_deflev;
extern int ip4_ah_cleartos;
extern int ip4_ah_offsetmask;
extern int ip4_ipsec_dfbit;
extern int ip4_ipsec_ecn;
extern int ip4_esp_randpad;
#endif
 
#ifdef INET6
extern struct ipsecstat ipsec6stat;
extern struct secpolicy ip6_def_policy;
extern int ip6_esp_trans_deflev;
extern int ip6_esp_net_deflev;
extern int ip6_ah_trans_deflev;
extern int ip6_ah_net_deflev;
extern int ip6_ipsec_ecn;
extern int ip6_esp_randpad;
#endif
 
#define ipseclog(x)     do { if (ipsec_debug) log x; } while (0)
 
extern int ipsec_pcbconn __P((struct inpcbpolicy *));
extern int ipsec_pcbdisconn __P((struct inpcbpolicy *));
extern int ipsec_invalpcbcacheall __P((void));
 
extern struct secpolicy *ipsec4_getpolicybysock
        __P((struct mbuf *, u_int, struct socket *, int *));
extern struct secpolicy *ipsec4_getpolicybyaddr
        __P((struct mbuf *, u_int, int, int *));
 
#ifdef INET6
extern struct secpolicy *ipsec6_getpolicybysock
        __P((struct mbuf *, u_int, struct socket *, int *));
extern struct secpolicy *ipsec6_getpolicybyaddr
        __P((struct mbuf *, u_int, int, int *));
#endif /* INET6 */
 
struct inpcb;
#ifdef INET6
struct in6pcb;
#endif
extern int ipsec_init_policy __P((struct socket *so, struct inpcbpolicy **));
extern int ipsec_copy_policy
        __P((struct inpcbpolicy *, struct inpcbpolicy *));
extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *));
 
extern int ipsec4_set_policy __P((struct inpcb *inp, int optname,
        caddr_t request, size_t len, int priv));
extern int ipsec4_get_policy __P((struct inpcb *inpcb, caddr_t request,
        size_t len, struct mbuf **mp));
extern int ipsec4_delete_pcbpolicy __P((struct inpcb *));
extern int ipsec4_in_reject_so __P((struct mbuf *, struct socket *));
extern int ipsec4_in_reject __P((struct mbuf *, struct inpcb *));
 
#ifdef INET6
extern int ipsec6_in_reject_so __P((struct mbuf *, struct socket *));
#if (defined(__FreeBSD__) && __FreeBSD__ >= 3) || (defined(__bsdi__) && _BSDI_VERSION >= 199802)
extern int ipsec6_delete_pcbpolicy __P((struct inpcb *));
extern int ipsec6_set_policy __P((struct inpcb *inp, int optname,
        caddr_t request, size_t len, int priv));
extern int ipsec6_get_policy
        __P((struct inpcb *inp, caddr_t request, size_t len, struct mbuf **mp));
extern int ipsec6_in_reject __P((struct mbuf *, struct inpcb *));
#else
extern int ipsec6_delete_pcbpolicy __P((struct in6pcb *));
extern int ipsec6_set_policy __P((struct in6pcb *in6p, int optname,
        caddr_t request, size_t len, int priv));
extern int ipsec6_get_policy __P((struct in6pcb *in6p, caddr_t request,
        size_t len, struct mbuf **mp));
extern int ipsec6_in_reject __P((struct mbuf *, struct in6pcb *));
#endif
#endif /* INET6 */
 
struct secas;
struct tcpcb;
struct tcp6cb;
extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *));
extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *));
 
extern size_t ipsec4_hdrsiz __P((struct mbuf *, u_int, struct inpcb *));
#if (defined(__FreeBSD__) && __FreeBSD__ == 3) || (defined(__bsdi__) && _BSDI_VERSION >= 199802)
extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *, int));
#elif  (defined(__FreeBSD__) && __FreeBSD__ >= 4)
extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *));
#else
extern size_t ipsec4_hdrsiz_tcp __P((struct tcpcb *));
#endif
#ifdef INET6
#if (defined(__FreeBSD__) && __FreeBSD__ >= 3) || (defined(__bsdi__) && _BSDI_VERSION >= 199802)
extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct inpcb *));
#else
extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct in6pcb *));
#if defined(__NetBSD__) && !defined(TCP6)
extern size_t ipsec6_hdrsiz_tcp __P((struct tcpcb *));
#else
extern size_t ipsec6_hdrsiz_tcp __P((struct tcp6cb *));
#endif
#endif
#endif
 
struct ip;
#ifdef INET6
struct ip6_hdr;
#endif
extern const char *ipsec4_logpacketstr __P((struct ip *, u_int32_t));
#ifdef INET6
extern const char *ipsec6_logpacketstr __P((struct ip6_hdr *, u_int32_t));
#endif
extern const char *ipsec_logsastr __P((struct secasvar *));
 
extern void ipsec_dumpmbuf __P((struct mbuf *));
 
extern int ipsec4_output __P((struct ipsec_output_state *, struct secpolicy *,
        int));
#ifdef INET6
extern int ipsec6_output_trans __P((struct ipsec_output_state *, u_char *,
        struct mbuf *, struct secpolicy *, int, int *));
extern int ipsec6_output_tunnel __P((struct ipsec_output_state *,
        struct secpolicy *, int));
#endif
extern int ipsec4_tunnel_validate __P((struct mbuf *, int, u_int,
        struct secasvar *));
#ifdef INET6
extern int ipsec6_tunnel_validate __P((struct mbuf *, int, u_int,
        struct secasvar *));
#endif
extern struct mbuf *ipsec_copypkt __P((struct mbuf *));
extern void ipsec_delaux __P((struct mbuf *));
extern int ipsec_setsocket __P((struct mbuf *, struct socket *));
extern struct socket *ipsec_getsocket __P((struct mbuf *));
extern int ipsec_addhist __P((struct mbuf *, int, u_int32_t));
extern int ipsec_getnhist __P((struct mbuf *));
extern struct ipsec_history *ipsec_gethist __P((struct mbuf *, int *));
extern void ipsec_clearhist __P((struct mbuf *));
 
#if defined(__bsdi__) || defined(__NetBSD__)
extern int ipsec_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
extern int ipsec6_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
#endif /* __bsdi__ || __NetBSD__ */
 
#endif /* _KERNEL */
 
#ifndef _KERNEL
extern caddr_t ipsec_set_policy __P((char *, int));
extern int ipsec_get_policylen __P((caddr_t));
extern char *ipsec_dump_policy __P((caddr_t, char *));
 
extern const char *ipsec_strerror __P((void));
#endif /* !_KERNEL */
 
#endif /* _NETINET6_IPSEC_H_ */

Browse

Tools

Subversion Repositories openrisc

[/] [openrisc/] [trunk/] [rtos/] [ecos-3.0/] [packages/] [net/] [bsd_tcpip/] [current/] [include/] [netinet6/] [ipsec.h] - Blame information for rev 786

Line No.	Rev	Author	Line
1	786	skrzyp	`//==========================================================================`
2			`//`
3			`// include/netinet6/ipsec.h`
4			`//`
5			`//==========================================================================`
6			`// ####BSDCOPYRIGHTBEGIN####`
7			`// -------------------------------------------`
8			`// This file is part of eCos, the Embedded Configurable Operating System.`
9			`//`
10			`// Portions of this software may have been derived from FreeBSD`
11			`// or other sources, and if so are covered by the appropriate copyright`
12			`// and license included herein.`
13			`//`
14			`// Portions created by the Free Software Foundation are`
15			`// Copyright (C) 2002 Free Software Foundation, Inc.`
16			`// -------------------------------------------`
17			`// ####BSDCOPYRIGHTEND####`
18			`//==========================================================================`
19
20			`/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */`
21
22			`/*`
23			`* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.`
24			`* All rights reserved.`
25			`*`
26			`* Redistribution and use in source and binary forms, with or without`
27			`* modification, are permitted provided that the following conditions`
28			`* are met:`
29			`* 1. Redistributions of source code must retain the above copyright`
30			`* notice, this list of conditions and the following disclaimer.`
31			`* 2. Redistributions in binary form must reproduce the above copyright`
32			`* notice, this list of conditions and the following disclaimer in the`
33			`* documentation and/or other materials provided with the distribution.`
34			`* 3. Neither the name of the project nor the names of its contributors`
35			`* may be used to endorse or promote products derived from this software`
36			`* without specific prior written permission.`
37			`*`
38			* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
39			`* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
40			`* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE`
41			`* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE`
42			`* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL`
43			`* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS`
44			`* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)`
45			`* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT`
46			`* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY`
47			`* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF`
48			`* SUCH DAMAGE.`
49			`*/`
50
51			`/*`
52			`* IPsec controller part.`
53			`*/`
54
55			`#ifndef _NETINET6_IPSEC_H_`
56			`#define _NETINET6_IPSEC_H_`
57
58			`#include <net/pfkeyv2.h>`
59			`#include <netkey/keydb.h>`
60
61			`#ifdef _KERNEL`
62
63			`/*`
64			`* Security Policy Index`
65			`* Ensure that both address families in the "src" and "dst" are same.`
66			`* When the value of the ul_proto is ICMPv6, the port field in "src"`
67			`* specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.`
68			`*/`
69			`struct secpolicyindex {`
70			`u_int8_t dir; /* direction of packet flow, see blow */`
71			`struct sockaddr_storage src; /* IP src address for SP */`
72			`struct sockaddr_storage dst; /* IP dst address for SP */`
73			`u_int8_t prefs; /* prefix length in bits for src */`
74			`u_int8_t prefd; /* prefix length in bits for dst */`
75			`u_int16_t ul_proto; /* upper layer Protocol */`
76			`#ifdef notyet`
77			`uid_t uids;`
78			`uid_t uidd;`
79			`gid_t gids;`
80			`gid_t gidd;`
81			`#endif`
82			`};`
83
84			`/* Security Policy Data Base */`
85			`struct secpolicy {`
86			`LIST_ENTRY(secpolicy) chain;`
87
88			`int refcnt; /* reference count */`
89			`struct secpolicyindex spidx; /* selector */`
90			`u_int32_t id; /* It's unique number on the system. */`
91			`u_int state; /* 0: dead, others: alive */`
92			`#define IPSEC_SPSTATE_DEAD 0`
93			`#define IPSEC_SPSTATE_ALIVE 1`
94
95			`u_int policy; /* DISCARD, NONE or IPSEC, see keyv2.h */`
96			`struct ipsecrequest *req;`
97			`/* pointer to the ipsec request tree, */`
98			`/* if policy == IPSEC else this value == NULL.*/`
99
100			`/*`
101			`* lifetime handler.`
102			`* the policy can be used without limitiation if both lifetime and`
103			`* validtime are zero.`
104			`* "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.`
105			`* "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.`
106			`*/`
107			`long created; /* time created the policy */`
108			`long lastused; /* updated every when kernel sends a packet */`
109			`long lifetime; /* duration of the lifetime of this policy */`
110			`long validtime; /* duration this policy is valid without use */`
111			`};`
112
113			`/* Request for IPsec */`
114			`struct ifnet;`
115			`struct ipsecrequest {`
116			`struct ipsecrequest *next;`
117			`/* pointer to next structure */`
118			`/* If NULL, it means the end of chain. */`
119			`struct secasindex saidx;/* hint for search proper SA */`
120			`/* if __ss_len == 0 then no address specified.*/`
121			`u_int level; /* IPsec level defined below. */`
122
123			`struct secasvar sav; / place holder of SA for use */`
124			`struct secpolicy sp; / back pointer to SP */`
125
126			`struct ifnet tunifp; / interface for tunnelling */`
127			`};`
128
129			`/* security policy in PCB */`
130			`struct inpcbpolicy {`
131			`struct secpolicy *sp_in;`
132			`struct secpolicy *sp_out;`
133			`int priv; /* privileged socket ? */`
134
135			`/* cached policy */`
136			`/* XXX 3 == IPSEC_DIR_MAX */`
137			`struct secpolicy *cache[3];`
138			`struct secpolicyindex cacheidx[3];`
139			`int cachegen[3]; /* cache generation #, the time we filled it */`
140			`int cacheflags;`
141			`#define IPSEC_PCBSP_CONNECTED 1`
142			`};`
143
144			`/* SP acquiring list table. */`
145			`struct secspacq {`
146			`LIST_ENTRY(secspacq) chain;`
147
148			`struct secpolicyindex spidx;`
149
150			`long created; /* for lifetime */`
151			`int count; /* for lifetime */`
152			`/* XXX: here is mbuf place holder to be sent ? */`
153			`};`
154
155			`struct ipsecaux {`
156			`struct socket *so;`
157			`int hdrs; /* # of ipsec headers */`
158
159			`struct secpolicy *sp;`
160			`struct ipsecrequest *req;`
161			`};`
162			`#endif /* _KERNEL */`
163
164			`/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */`
165			`#define IPSEC_PORT_ANY 0`
166			`#define IPSEC_ULPROTO_ANY 255`
167			`#define IPSEC_PROTO_ANY 255`
168
169			`/* mode of security protocol */`
170			`/* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */`
171			`#define IPSEC_MODE_ANY 0 /* i.e. wildcard. */`
172			`#define IPSEC_MODE_TRANSPORT 1`
173			`#define IPSEC_MODE_TUNNEL 2`
174
175			`/*`
176			`* Direction of security policy.`
177			`* NOTE: Since INVALID is used just as flag.`
178			`* The other are used for loop counter too.`
179			`*/`
180			`#define IPSEC_DIR_ANY 0`
181			`#define IPSEC_DIR_INBOUND 1`
182			`#define IPSEC_DIR_OUTBOUND 2`
183			`#define IPSEC_DIR_MAX 3`
184			`#define IPSEC_DIR_INVALID 4`
185
186			`/* Policy level */`
187			`/*`
188			`* IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,`
189			`* DISCARD, IPSEC and NONE are allowed for setkey() in SPD.`
190			`* DISCARD and NONE are allowed for system default.`
191			`*/`
192			`#define IPSEC_POLICY_DISCARD 0 /* discarding packet */`
193			`#define IPSEC_POLICY_NONE 1 /* through IPsec engine */`
194			`#define IPSEC_POLICY_IPSEC 2 /* do IPsec */`
195			`#define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */`
196			`#define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */`
197
198			`/* Security protocol level */`
199			`#define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */`
200			`#define IPSEC_LEVEL_USE 1 /* use SA if present. */`
201			`#define IPSEC_LEVEL_REQUIRE 2 /* require SA. */`
202			`#define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */`
203
204			`#define IPSEC_MANUAL_REQID_MAX 0x3fff`
205			`/*`
206			`* if security policy level == unique, this id`
207			`* indicate to a relative SA for use, else is`
208			`* zero.`
209			`* 1 - 0x3fff are reserved for manual keying.`
210			`* 0 are reserved for above reason. Others is`
211			`* for kernel use.`
212			`* Note that this id doesn't identify SA`
213			`* by only itself.`
214			`*/`
215			`#define IPSEC_REPLAYWSIZE 32`
216
217			`/* statistics for ipsec processing */`
218			`struct ipsecstat {`
219			`u_quad_t in_success; /* succeeded inbound process */`
220			`u_quad_t in_polvio;`
221			`/* security policy violation for inbound process */`
222			`u_quad_t in_nosa; /* inbound SA is unavailable */`
223			`u_quad_t in_inval; /* inbound processing failed due to EINVAL */`
224			`u_quad_t in_nomem; /* inbound processing failed due to ENOBUFS */`
225			`u_quad_t in_badspi; /* failed getting a SPI */`
226			`u_quad_t in_ahreplay; /* AH replay check failed */`
227			`u_quad_t in_espreplay; /* ESP replay check failed */`
228			`u_quad_t in_ahauthsucc; /* AH authentication success */`
229			`u_quad_t in_ahauthfail; /* AH authentication failure */`
230			`u_quad_t in_espauthsucc; /* ESP authentication success */`
231			`u_quad_t in_espauthfail; /* ESP authentication failure */`
232			`u_quad_t in_esphist[256];`
233			`u_quad_t in_ahhist[256];`
234			`u_quad_t in_comphist[256];`
235			`u_quad_t out_success; /* succeeded outbound process */`
236			`u_quad_t out_polvio;`
237			`/* security policy violation for outbound process */`
238			`u_quad_t out_nosa; /* outbound SA is unavailable */`
239			`u_quad_t out_inval; /* outbound process failed due to EINVAL */`
240			`u_quad_t out_nomem; /* inbound processing failed due to ENOBUFS */`
241			`u_quad_t out_noroute; /* there is no route */`
242			`u_quad_t out_esphist[256];`
243			`u_quad_t out_ahhist[256];`
244			`u_quad_t out_comphist[256];`
245
246			`u_quad_t spdcachelookup;`
247			`u_quad_t spdcachemiss;`
248			`};`
249
250			`/*`
251			`* Definitions for IPsec & Key sysctl operations.`
252			`*/`
253			`/*`
254			`* Names for IPsec & Key sysctl objects`
255			`*/`
256			`#define IPSECCTL_STATS 1 /* stats */`
257			`#define IPSECCTL_DEF_POLICY 2`
258			`#define IPSECCTL_DEF_ESP_TRANSLEV 3 /* int; ESP transport mode */`
259			`#define IPSECCTL_DEF_ESP_NETLEV 4 /* int; ESP tunnel mode */`
260			`#define IPSECCTL_DEF_AH_TRANSLEV 5 /* int; AH transport mode */`
261			`#define IPSECCTL_DEF_AH_NETLEV 6 /* int; AH tunnel mode */`
262			`#if 0 /* obsolete, do not reuse */`
263			`#define IPSECCTL_INBOUND_CALL_IKE 7`
264			`#endif`
265			`#define IPSECCTL_AH_CLEARTOS 8`
266			`#define IPSECCTL_AH_OFFSETMASK 9`
267			`#define IPSECCTL_DFBIT 10`
268			`#define IPSECCTL_ECN 11`
269			`#define IPSECCTL_DEBUG 12`
270			`#define IPSECCTL_ESP_RANDPAD 13`
271			`#define IPSECCTL_MAXID 14`
272
273			`#define IPSECCTL_NAMES { \`
274			`{ 0, 0 }, \`
275			`{ 0, 0 }, \`
276			`{ "def_policy", CTLTYPE_INT }, \`
277			`{ "esp_trans_deflev", CTLTYPE_INT }, \`
278			`{ "esp_net_deflev", CTLTYPE_INT }, \`
279			`{ "ah_trans_deflev", CTLTYPE_INT }, \`
280			`{ "ah_net_deflev", CTLTYPE_INT }, \`
281			`{ 0, 0 }, \`
282			`{ "ah_cleartos", CTLTYPE_INT }, \`
283			`{ "ah_offsetmask", CTLTYPE_INT }, \`
284			`{ "dfbit", CTLTYPE_INT }, \`
285			`{ "ecn", CTLTYPE_INT }, \`
286			`{ "debug", CTLTYPE_INT }, \`
287			`{ "esp_randpad", CTLTYPE_INT }, \`
288			`}`
289
290			`#define IPSEC6CTL_NAMES { \`
291			`{ 0, 0 }, \`
292			`{ 0, 0 }, \`
293			`{ "def_policy", CTLTYPE_INT }, \`
294			`{ "esp_trans_deflev", CTLTYPE_INT }, \`
295			`{ "esp_net_deflev", CTLTYPE_INT }, \`
296			`{ "ah_trans_deflev", CTLTYPE_INT }, \`
297			`{ "ah_net_deflev", CTLTYPE_INT }, \`
298			`{ 0, 0 }, \`
299			`{ 0, 0 }, \`
300			`{ 0, 0 }, \`
301			`{ 0, 0 }, \`
302			`{ "ecn", CTLTYPE_INT }, \`
303			`{ "debug", CTLTYPE_INT }, \`
304			`{ "esp_randpad", CTLTYPE_INT }, \`
305			`}`
306
307			`#ifdef __bsdi__`
308			`#define IPSECCTL_VARS { \`
309			`0, \`
310			`0, \`
311			`&ip4_def_policy.policy, \`
312			`&ip4_esp_trans_deflev, \`
313			`&ip4_esp_net_deflev, \`
314			`&ip4_ah_trans_deflev, \`
315			`&ip4_ah_net_deflev, \`
316			`0, \`
317			`&ip4_ah_cleartos, \`
318			`&ip4_ah_offsetmask, \`
319			`&ip4_ipsec_dfbit, \`
320			`&ip4_ipsec_ecn, \`
321			`&ipsec_debug, \`
322			`&ip4_esp_randpad, \`
323			`}`
324
325			`#define IPSEC6CTL_VARS { \`
326			`0, \`
327			`0, \`
328			`&ip6_def_policy.policy, \`
329			`&ip6_esp_trans_deflev, \`
330			`&ip6_esp_net_deflev, \`
331			`&ip6_ah_trans_deflev, \`
332			`&ip6_ah_net_deflev, \`
333			`0, \`
334			`0, \`
335			`0, \`
336			`0, \`
337			`&ip6_ipsec_ecn, \`
338			`&ipsec_debug, \`
339			`&ip6_esp_randpad, \`
340			`}`
341			`#endif`
342
343			`#ifdef _KERNEL`
344			`struct ipsec_output_state {`
345			`struct mbuf *m;`
346			`struct route *ro;`
347			`struct sockaddr *dst;`
348			`int encap;`
349			`};`
350
351			`struct ipsec_history {`
352			`int ih_proto;`
353			`u_int32_t ih_spi;`
354			`};`
355
356			`extern int ipsec_debug;`
357			`extern int ipsec_tunnel_device;`
358
359			`#ifdef INET`
360			`extern struct ipsecstat ipsecstat;`
361			`extern struct secpolicy ip4_def_policy;`
362			`extern int ip4_esp_trans_deflev;`
363			`extern int ip4_esp_net_deflev;`
364			`extern int ip4_ah_trans_deflev;`
365			`extern int ip4_ah_net_deflev;`
366			`extern int ip4_ah_cleartos;`
367			`extern int ip4_ah_offsetmask;`
368			`extern int ip4_ipsec_dfbit;`
369			`extern int ip4_ipsec_ecn;`
370			`extern int ip4_esp_randpad;`
371			`#endif`
372
373			`#ifdef INET6`
374			`extern struct ipsecstat ipsec6stat;`
375			`extern struct secpolicy ip6_def_policy;`
376			`extern int ip6_esp_trans_deflev;`
377			`extern int ip6_esp_net_deflev;`
378			`extern int ip6_ah_trans_deflev;`
379			`extern int ip6_ah_net_deflev;`
380			`extern int ip6_ipsec_ecn;`
381			`extern int ip6_esp_randpad;`
382			`#endif`
383
384			`#define ipseclog(x) do { if (ipsec_debug) log x; } while (0)`
385
386			`extern int ipsec_pcbconn __P((struct inpcbpolicy *));`
387			`extern int ipsec_pcbdisconn __P((struct inpcbpolicy *));`
388			`extern int ipsec_invalpcbcacheall __P((void));`
389
390			`extern struct secpolicy *ipsec4_getpolicybysock`
391			`__P((struct mbuf , u_int, struct socket , int *));`
392			`extern struct secpolicy *ipsec4_getpolicybyaddr`
393			`__P((struct mbuf , u_int, int, int ));`
394
395			`#ifdef INET6`
396			`extern struct secpolicy *ipsec6_getpolicybysock`
397			`__P((struct mbuf , u_int, struct socket , int *));`
398			`extern struct secpolicy *ipsec6_getpolicybyaddr`
399			`__P((struct mbuf , u_int, int, int ));`
400			`#endif /* INET6 */`
401
402			`struct inpcb;`
403			`#ifdef INET6`
404			`struct in6pcb;`
405			`#endif`
406			`extern int ipsec_init_policy __P((struct socket so, struct inpcbpolicy *));`
407			`extern int ipsec_copy_policy`
408			`__P((struct inpcbpolicy , struct inpcbpolicy ));`
409			`extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *));`
410
411			`extern int ipsec4_set_policy __P((struct inpcb *inp, int optname,`
412			`caddr_t request, size_t len, int priv));`
413			`extern int ipsec4_get_policy __P((struct inpcb *inpcb, caddr_t request,`
414			`size_t len, struct mbuf **mp));`
415			`extern int ipsec4_delete_pcbpolicy __P((struct inpcb *));`
416			`extern int ipsec4_in_reject_so __P((struct mbuf , struct socket ));`
417			`extern int ipsec4_in_reject __P((struct mbuf , struct inpcb ));`
418
419			`#ifdef INET6`
420			`extern int ipsec6_in_reject_so __P((struct mbuf , struct socket ));`
421			`#if (defined(__FreeBSD__) && __FreeBSD__ >= 3) \|\| (defined(__bsdi__) && _BSDI_VERSION >= 199802)`
422			`extern int ipsec6_delete_pcbpolicy __P((struct inpcb *));`
423			`extern int ipsec6_set_policy __P((struct inpcb *inp, int optname,`
424			`caddr_t request, size_t len, int priv));`
425			`extern int ipsec6_get_policy`
426			`__P((struct inpcb inp, caddr_t request, size_t len, struct mbuf *mp));`
427			`extern int ipsec6_in_reject __P((struct mbuf , struct inpcb ));`
428			`#else`
429			`extern int ipsec6_delete_pcbpolicy __P((struct in6pcb *));`
430			`extern int ipsec6_set_policy __P((struct in6pcb *in6p, int optname,`
431			`caddr_t request, size_t len, int priv));`
432			`extern int ipsec6_get_policy __P((struct in6pcb *in6p, caddr_t request,`
433			`size_t len, struct mbuf **mp));`
434			`extern int ipsec6_in_reject __P((struct mbuf , struct in6pcb ));`
435			`#endif`
436			`#endif /* INET6 */`
437
438			`struct secas;`
439			`struct tcpcb;`
440			`struct tcp6cb;`
441			`extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *));`
442			`extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *));`
443
444			`extern size_t ipsec4_hdrsiz __P((struct mbuf , u_int, struct inpcb ));`
445			`#if (defined(__FreeBSD__) && __FreeBSD__ == 3) \|\| (defined(__bsdi__) && _BSDI_VERSION >= 199802)`
446			`extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *, int));`
447			`#elif (defined(__FreeBSD__) && __FreeBSD__ >= 4)`
448			`extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *));`
449			`#else`
450			`extern size_t ipsec4_hdrsiz_tcp __P((struct tcpcb *));`
451			`#endif`
452			`#ifdef INET6`
453			`#if (defined(__FreeBSD__) && __FreeBSD__ >= 3) \|\| (defined(__bsdi__) && _BSDI_VERSION >= 199802)`
454			`extern size_t ipsec6_hdrsiz __P((struct mbuf , u_int, struct inpcb ));`
455			`#else`
456			`extern size_t ipsec6_hdrsiz __P((struct mbuf , u_int, struct in6pcb ));`
457			`#if defined(__NetBSD__) && !defined(TCP6)`
458			`extern size_t ipsec6_hdrsiz_tcp __P((struct tcpcb *));`
459			`#else`
460			`extern size_t ipsec6_hdrsiz_tcp __P((struct tcp6cb *));`
461			`#endif`
462			`#endif`
463			`#endif`
464
465			`struct ip;`
466			`#ifdef INET6`
467			`struct ip6_hdr;`
468			`#endif`
469			`extern const char ipsec4_logpacketstr __P((struct ip , u_int32_t));`
470			`#ifdef INET6`
471			`extern const char ipsec6_logpacketstr __P((struct ip6_hdr , u_int32_t));`
472			`#endif`
473			`extern const char ipsec_logsastr __P((struct secasvar ));`
474
475			`extern void ipsec_dumpmbuf __P((struct mbuf *));`
476
477			`extern int ipsec4_output __P((struct ipsec_output_state , struct secpolicy ,`
478			`int));`
479			`#ifdef INET6`
480			`extern int ipsec6_output_trans __P((struct ipsec_output_state , u_char ,`
481			`struct mbuf , struct secpolicy , int, int *));`
482			`extern int ipsec6_output_tunnel __P((struct ipsec_output_state *,`
483			`struct secpolicy *, int));`
484			`#endif`
485			`extern int ipsec4_tunnel_validate __P((struct mbuf *, int, u_int,`
486			`struct secasvar *));`
487			`#ifdef INET6`
488			`extern int ipsec6_tunnel_validate __P((struct mbuf *, int, u_int,`
489			`struct secasvar *));`
490			`#endif`
491			`extern struct mbuf ipsec_copypkt __P((struct mbuf ));`
492			`extern void ipsec_delaux __P((struct mbuf *));`
493			`extern int ipsec_setsocket __P((struct mbuf , struct socket ));`
494			`extern struct socket ipsec_getsocket __P((struct mbuf ));`
495			`extern int ipsec_addhist __P((struct mbuf *, int, u_int32_t));`
496			`extern int ipsec_getnhist __P((struct mbuf *));`
497			`extern struct ipsec_history ipsec_gethist __P((struct mbuf , int *));`
498			`extern void ipsec_clearhist __P((struct mbuf *));`
499
500			`#if defined(__bsdi__) \|\| defined(__NetBSD__)`
501			`extern int ipsec_sysctl __P((int , u_int, void , size_t , void , size_t));`
502			`extern int ipsec6_sysctl __P((int , u_int, void , size_t , void , size_t));`
503			`#endif /* __bsdi__ \|\| __NetBSD__ */`
504
505			`#endif /* _KERNEL */`
506
507			`#ifndef _KERNEL`
508			`extern caddr_t ipsec_set_policy __P((char *, int));`
509			`extern int ipsec_get_policylen __P((caddr_t));`
510			`extern char ipsec_dump_policy __P((caddr_t, char ));`
511
512			`extern const char *ipsec_strerror __P((void));`
513			`#endif /* !_KERNEL */`
514
515			`#endif /* _NETINET6_IPSEC_H_ */`