URL https://opencores.org/ocsvn/or1k/or1k/trunk

Subversion Repositories or1k

[/] [or1k/] [trunk/] [ecos-2.0/] [packages/] [net/] [bsd_tcpip/] [v2_0/] [include/] [netinet6/] [ipsec.h] - Blame information for rev 1765

Details | Compare with Previous | View Log


//==========================================================================
//
//      include/netinet6/ipsec.h
//
//==========================================================================
//####BSDCOPYRIGHTBEGIN####
//
// -------------------------------------------
//
// Portions of this software may have been derived from OpenBSD, 
// FreeBSD or other sources, and are covered by the appropriate
// copyright disclaimers included herein.
//
// Portions created by Red Hat are
// Copyright (C) 2002 Red Hat, Inc. All Rights Reserved.
//
// -------------------------------------------
//
//####BSDCOPYRIGHTEND####
//==========================================================================
 
/*      $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $  */
 
/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 
/*
 * IPsec controller part.
 */
 
#ifndef _NETINET6_IPSEC_H_
#define _NETINET6_IPSEC_H_
 
#if defined(_KERNEL) && !defined(_LKM) && !defined(KLD_MODULE)
#if defined(__FreeBSD__) && __FreeBSD__ >= 3
#include "opt_inet.h"
#include "opt_inet6.h"
#include "opt_ipsec.h"
#endif
#if defined(__NetBSD__)
#include "opt_inet.h"
#include "opt_ipsec.h"
#endif
#endif
 
#include <net/pfkeyv2.h>
#include <netkey/keydb.h>
 
#ifdef _KERNEL
 
/*
 * Security Policy Index
 * Ensure that both address families in the "src" and "dst" are same.
 * When the value of the ul_proto is ICMPv6, the port field in "src"
 * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
 */
struct secpolicyindex {
        u_int8_t dir;                   /* direction of packet flow, see blow */
        struct sockaddr_storage src;    /* IP src address for SP */
        struct sockaddr_storage dst;    /* IP dst address for SP */
        u_int8_t prefs;                 /* prefix length in bits for src */
        u_int8_t prefd;                 /* prefix length in bits for dst */
        u_int16_t ul_proto;             /* upper layer Protocol */
#ifdef notyet
        uid_t uids;
        uid_t uidd;
        gid_t gids;
        gid_t gidd;
#endif
};
 
/* Security Policy Data Base */
struct secpolicy {
        LIST_ENTRY(secpolicy) chain;
 
        int refcnt;                     /* reference count */
        struct secpolicyindex spidx;    /* selector */
        u_int32_t id;                   /* It's unique number on the system. */
        u_int state;                    /* 0: dead, others: alive */
#define IPSEC_SPSTATE_DEAD      0
#define IPSEC_SPSTATE_ALIVE     1
 
        u_int policy;           /* DISCARD, NONE or IPSEC, see keyv2.h */
        struct ipsecrequest *req;
                                /* pointer to the ipsec request tree, */
                                /* if policy == IPSEC else this value == NULL.*/
 
        /*
         * lifetime handler.
         * the policy can be used without limitiation if both lifetime and
         * validtime are zero.
         * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
         * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
         */
        long created;           /* time created the policy */
        long lastused;          /* updated every when kernel sends a packet */
        long lifetime;          /* duration of the lifetime of this policy */
        long validtime;         /* duration this policy is valid without use */
};
 
/* Request for IPsec */
struct ifnet;
struct ipsecrequest {
        struct ipsecrequest *next;
                                /* pointer to next structure */
                                /* If NULL, it means the end of chain. */
        struct secasindex saidx;/* hint for search proper SA */
                                /* if __ss_len == 0 then no address specified.*/
        u_int level;            /* IPsec level defined below. */
 
        struct secasvar *sav;   /* place holder of SA for use */
        struct secpolicy *sp;   /* back pointer to SP */
 
        struct ifnet *tunifp;   /* interface for tunnelling */
};
 
/* security policy in PCB */
struct inpcbpolicy {
        struct secpolicy *sp_in;
        struct secpolicy *sp_out;
        int priv;                       /* privileged socket ? */
 
        /* cached policy */
        /* XXX 3 == IPSEC_DIR_MAX */
        struct secpolicy *cache[3];
        struct secpolicyindex cacheidx[3];
        int cachegen[3];        /* cache generation #, the time we filled it */
        int cacheflags;
#define IPSEC_PCBSP_CONNECTED   1
};
 
/* SP acquiring list table. */
struct secspacq {
        LIST_ENTRY(secspacq) chain;
 
        struct secpolicyindex spidx;
 
        long created;           /* for lifetime */
        int count;              /* for lifetime */
        /* XXX: here is mbuf place holder to be sent ? */
};
 
struct ipsecaux {
        struct socket *so;
        int hdrs;       /* # of ipsec headers */
 
        struct secpolicy *sp;
        struct ipsecrequest *req;
};
#endif /* _KERNEL */
 
/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
#define IPSEC_PORT_ANY          0
#define IPSEC_ULPROTO_ANY       255
#define IPSEC_PROTO_ANY         255
 
/* mode of security protocol */
/* NOTE: DON'T use IPSEC_MODE_ANY at SPD.  It's only use in SAD */
#define IPSEC_MODE_ANY          0        /* i.e. wildcard. */
#define IPSEC_MODE_TRANSPORT    1
#define IPSEC_MODE_TUNNEL       2
 
/*
 * Direction of security policy.
 * NOTE: Since INVALID is used just as flag.
 * The other are used for loop counter too.
 */
#define IPSEC_DIR_ANY           0
#define IPSEC_DIR_INBOUND       1
#define IPSEC_DIR_OUTBOUND      2
#define IPSEC_DIR_MAX           3
#define IPSEC_DIR_INVALID       4
 
/* Policy level */
/*
 * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
 * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
 * DISCARD and NONE are allowed for system default.
 */
#define IPSEC_POLICY_DISCARD    0        /* discarding packet */
#define IPSEC_POLICY_NONE       1       /* through IPsec engine */
#define IPSEC_POLICY_IPSEC      2       /* do IPsec */
#define IPSEC_POLICY_ENTRUST    3       /* consulting SPD if present. */
#define IPSEC_POLICY_BYPASS     4       /* only for privileged socket. */
 
/* Security protocol level */
#define IPSEC_LEVEL_DEFAULT     0        /* reference to system default */
#define IPSEC_LEVEL_USE         1       /* use SA if present. */
#define IPSEC_LEVEL_REQUIRE     2       /* require SA. */
#define IPSEC_LEVEL_UNIQUE      3       /* unique SA. */
 
#define IPSEC_MANUAL_REQID_MAX  0x3fff
                                /*
                                 * if security policy level == unique, this id
                                 * indicate to a relative SA for use, else is
                                 * zero.
                                 * 1 - 0x3fff are reserved for manual keying.
                                 * 0 are reserved for above reason.  Others is
                                 * for kernel use.
                                 * Note that this id doesn't identify SA
                                 * by only itself.
                                 */
#define IPSEC_REPLAYWSIZE  32
 
/* statistics for ipsec processing */
struct ipsecstat {
        u_quad_t in_success;  /* succeeded inbound process */
        u_quad_t in_polvio;
                        /* security policy violation for inbound process */
        u_quad_t in_nosa;     /* inbound SA is unavailable */
        u_quad_t in_inval;    /* inbound processing failed due to EINVAL */
        u_quad_t in_nomem;    /* inbound processing failed due to ENOBUFS */
        u_quad_t in_badspi;   /* failed getting a SPI */
        u_quad_t in_ahreplay; /* AH replay check failed */
        u_quad_t in_espreplay; /* ESP replay check failed */
        u_quad_t in_ahauthsucc; /* AH authentication success */
        u_quad_t in_ahauthfail; /* AH authentication failure */
        u_quad_t in_espauthsucc; /* ESP authentication success */
        u_quad_t in_espauthfail; /* ESP authentication failure */
        u_quad_t in_esphist[256];
        u_quad_t in_ahhist[256];
        u_quad_t in_comphist[256];
        u_quad_t out_success; /* succeeded outbound process */
        u_quad_t out_polvio;
                        /* security policy violation for outbound process */
        u_quad_t out_nosa;    /* outbound SA is unavailable */
        u_quad_t out_inval;   /* outbound process failed due to EINVAL */
        u_quad_t out_nomem;    /* inbound processing failed due to ENOBUFS */
        u_quad_t out_noroute; /* there is no route */
        u_quad_t out_esphist[256];
        u_quad_t out_ahhist[256];
        u_quad_t out_comphist[256];
 
        u_quad_t spdcachelookup;
        u_quad_t spdcachemiss;
};
 
/*
 * Definitions for IPsec & Key sysctl operations.
 */
/*
 * Names for IPsec & Key sysctl objects
 */
#define IPSECCTL_STATS                  1       /* stats */
#define IPSECCTL_DEF_POLICY             2
#define IPSECCTL_DEF_ESP_TRANSLEV       3       /* int; ESP transport mode */
#define IPSECCTL_DEF_ESP_NETLEV         4       /* int; ESP tunnel mode */
#define IPSECCTL_DEF_AH_TRANSLEV        5       /* int; AH transport mode */
#define IPSECCTL_DEF_AH_NETLEV          6       /* int; AH tunnel mode */
#if 0   /* obsolete, do not reuse */
#define IPSECCTL_INBOUND_CALL_IKE       7
#endif
#define IPSECCTL_AH_CLEARTOS            8
#define IPSECCTL_AH_OFFSETMASK          9
#define IPSECCTL_DFBIT                  10
#define IPSECCTL_ECN                    11
#define IPSECCTL_DEBUG                  12
#define IPSECCTL_ESP_RANDPAD            13
#define IPSECCTL_MAXID                  14
 
#define IPSECCTL_NAMES { \
        { 0, 0 }, \
        { 0, 0 }, \
        { "def_policy", CTLTYPE_INT }, \
        { "esp_trans_deflev", CTLTYPE_INT }, \
        { "esp_net_deflev", CTLTYPE_INT }, \
        { "ah_trans_deflev", CTLTYPE_INT }, \
        { "ah_net_deflev", CTLTYPE_INT }, \
        { 0, 0 }, \
        { "ah_cleartos", CTLTYPE_INT }, \
        { "ah_offsetmask", CTLTYPE_INT }, \
        { "dfbit", CTLTYPE_INT }, \
        { "ecn", CTLTYPE_INT }, \
        { "debug", CTLTYPE_INT }, \
        { "esp_randpad", CTLTYPE_INT }, \
}
 
#define IPSEC6CTL_NAMES { \
        { 0, 0 }, \
        { 0, 0 }, \
        { "def_policy", CTLTYPE_INT }, \
        { "esp_trans_deflev", CTLTYPE_INT }, \
        { "esp_net_deflev", CTLTYPE_INT }, \
        { "ah_trans_deflev", CTLTYPE_INT }, \
        { "ah_net_deflev", CTLTYPE_INT }, \
        { 0, 0 }, \
        { 0, 0 }, \
        { 0, 0 }, \
        { 0, 0 }, \
        { "ecn", CTLTYPE_INT }, \
        { "debug", CTLTYPE_INT }, \
        { "esp_randpad", CTLTYPE_INT }, \
}
 
#ifdef __bsdi__
#define IPSECCTL_VARS { \
        0, \
        0, \
        &ip4_def_policy.policy, \
        &ip4_esp_trans_deflev, \
        &ip4_esp_net_deflev, \
        &ip4_ah_trans_deflev, \
        &ip4_ah_net_deflev, \
        0, \
        &ip4_ah_cleartos, \
        &ip4_ah_offsetmask, \
        &ip4_ipsec_dfbit, \
        &ip4_ipsec_ecn, \
        &ipsec_debug, \
        &ip4_esp_randpad, \
}
 
#define IPSEC6CTL_VARS { \
        0, \
        0, \
        &ip6_def_policy.policy, \
        &ip6_esp_trans_deflev, \
        &ip6_esp_net_deflev, \
        &ip6_ah_trans_deflev, \
        &ip6_ah_net_deflev, \
        0, \
        0, \
        0, \
        0, \
        &ip6_ipsec_ecn, \
        &ipsec_debug, \
        &ip6_esp_randpad, \
}
#endif
 
#ifdef _KERNEL
struct ipsec_output_state {
        struct mbuf *m;
        struct route *ro;
        struct sockaddr *dst;
        int encap;
};
 
struct ipsec_history {
        int ih_proto;
        u_int32_t ih_spi;
};
 
extern int ipsec_debug;
extern int ipsec_tunnel_device;
 
#ifdef INET
extern struct ipsecstat ipsecstat;
extern struct secpolicy ip4_def_policy;
extern int ip4_esp_trans_deflev;
extern int ip4_esp_net_deflev;
extern int ip4_ah_trans_deflev;
extern int ip4_ah_net_deflev;
extern int ip4_ah_cleartos;
extern int ip4_ah_offsetmask;
extern int ip4_ipsec_dfbit;
extern int ip4_ipsec_ecn;
extern int ip4_esp_randpad;
#endif
 
#ifdef INET6
extern struct ipsecstat ipsec6stat;
extern struct secpolicy ip6_def_policy;
extern int ip6_esp_trans_deflev;
extern int ip6_esp_net_deflev;
extern int ip6_ah_trans_deflev;
extern int ip6_ah_net_deflev;
extern int ip6_ipsec_ecn;
extern int ip6_esp_randpad;
#endif
 
#define ipseclog(x)     do { if (ipsec_debug) log x; } while (0)
 
extern int ipsec_pcbconn __P((struct inpcbpolicy *));
extern int ipsec_pcbdisconn __P((struct inpcbpolicy *));
extern int ipsec_invalpcbcacheall __P((void));
 
extern struct secpolicy *ipsec4_getpolicybysock
        __P((struct mbuf *, u_int, struct socket *, int *));
extern struct secpolicy *ipsec4_getpolicybyaddr
        __P((struct mbuf *, u_int, int, int *));
 
#ifdef INET6
extern struct secpolicy *ipsec6_getpolicybysock
        __P((struct mbuf *, u_int, struct socket *, int *));
extern struct secpolicy *ipsec6_getpolicybyaddr
        __P((struct mbuf *, u_int, int, int *));
#endif /* INET6 */
 
struct inpcb;
#ifdef INET6
struct in6pcb;
#endif
extern int ipsec_init_policy __P((struct socket *so, struct inpcbpolicy **));
extern int ipsec_copy_policy
        __P((struct inpcbpolicy *, struct inpcbpolicy *));
extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *));
 
extern int ipsec4_set_policy __P((struct inpcb *inp, int optname,
        caddr_t request, size_t len, int priv));
extern int ipsec4_get_policy __P((struct inpcb *inpcb, caddr_t request,
        size_t len, struct mbuf **mp));
extern int ipsec4_delete_pcbpolicy __P((struct inpcb *));
extern int ipsec4_in_reject_so __P((struct mbuf *, struct socket *));
extern int ipsec4_in_reject __P((struct mbuf *, struct inpcb *));
 
#ifdef INET6
extern int ipsec6_in_reject_so __P((struct mbuf *, struct socket *));
#if (defined(__FreeBSD__) && __FreeBSD__ >= 3) || (defined(__bsdi__) && _BSDI_VERSION >= 199802)
extern int ipsec6_delete_pcbpolicy __P((struct inpcb *));
extern int ipsec6_set_policy __P((struct inpcb *inp, int optname,
        caddr_t request, size_t len, int priv));
extern int ipsec6_get_policy
        __P((struct inpcb *inp, caddr_t request, size_t len, struct mbuf **mp));
extern int ipsec6_in_reject __P((struct mbuf *, struct inpcb *));
#else
extern int ipsec6_delete_pcbpolicy __P((struct in6pcb *));
extern int ipsec6_set_policy __P((struct in6pcb *in6p, int optname,
        caddr_t request, size_t len, int priv));
extern int ipsec6_get_policy __P((struct in6pcb *in6p, caddr_t request,
        size_t len, struct mbuf **mp));
extern int ipsec6_in_reject __P((struct mbuf *, struct in6pcb *));
#endif
#endif /* INET6 */
 
struct secas;
struct tcpcb;
struct tcp6cb;
extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *));
extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *));
 
extern size_t ipsec4_hdrsiz __P((struct mbuf *, u_int, struct inpcb *));
#if (defined(__FreeBSD__) && __FreeBSD__ == 3) || (defined(__bsdi__) && _BSDI_VERSION >= 199802)
extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *, int));
#elif  (defined(__FreeBSD__) && __FreeBSD__ >= 4)
extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *));
#else
extern size_t ipsec4_hdrsiz_tcp __P((struct tcpcb *));
#endif
#ifdef INET6
#if (defined(__FreeBSD__) && __FreeBSD__ >= 3) || (defined(__bsdi__) && _BSDI_VERSION >= 199802)
extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct inpcb *));
#else
extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct in6pcb *));
#if defined(__NetBSD__) && !defined(TCP6)
extern size_t ipsec6_hdrsiz_tcp __P((struct tcpcb *));
#else
extern size_t ipsec6_hdrsiz_tcp __P((struct tcp6cb *));
#endif
#endif
#endif
 
struct ip;
#ifdef INET6
struct ip6_hdr;
#endif
extern const char *ipsec4_logpacketstr __P((struct ip *, u_int32_t));
#ifdef INET6
extern const char *ipsec6_logpacketstr __P((struct ip6_hdr *, u_int32_t));
#endif
extern const char *ipsec_logsastr __P((struct secasvar *));
 
extern void ipsec_dumpmbuf __P((struct mbuf *));
 
extern int ipsec4_output __P((struct ipsec_output_state *, struct secpolicy *,
        int));
#ifdef INET6
extern int ipsec6_output_trans __P((struct ipsec_output_state *, u_char *,
        struct mbuf *, struct secpolicy *, int, int *));
extern int ipsec6_output_tunnel __P((struct ipsec_output_state *,
        struct secpolicy *, int));
#endif
extern int ipsec4_tunnel_validate __P((struct mbuf *, int, u_int,
        struct secasvar *));
#ifdef INET6
extern int ipsec6_tunnel_validate __P((struct mbuf *, int, u_int,
        struct secasvar *));
#endif
extern struct mbuf *ipsec_copypkt __P((struct mbuf *));
extern void ipsec_delaux __P((struct mbuf *));
extern int ipsec_setsocket __P((struct mbuf *, struct socket *));
extern struct socket *ipsec_getsocket __P((struct mbuf *));
extern int ipsec_addhist __P((struct mbuf *, int, u_int32_t));
extern int ipsec_getnhist __P((struct mbuf *));
extern struct ipsec_history *ipsec_gethist __P((struct mbuf *, int *));
extern void ipsec_clearhist __P((struct mbuf *));
 
#if defined(__bsdi__) || defined(__NetBSD__)
extern int ipsec_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
extern int ipsec6_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
#endif /* __bsdi__ || __NetBSD__ */
 
#endif /* _KERNEL */
 
#ifndef _KERNEL
extern caddr_t ipsec_set_policy __P((char *, int));
extern int ipsec_get_policylen __P((caddr_t));
extern char *ipsec_dump_policy __P((caddr_t, char *));
 
extern const char *ipsec_strerror __P((void));
#endif /* !_KERNEL */
 
#endif /* _NETINET6_IPSEC_H_ */

Browse

Tools

Subversion Repositories or1k

[/] [or1k/] [trunk/] [ecos-2.0/] [packages/] [net/] [bsd_tcpip/] [v2_0/] [include/] [netinet6/] [ipsec.h] - Blame information for rev 1765

Line No.	Rev	Author	Line
1	1254	phoenix	`//==========================================================================`
2			`//`
3			`// include/netinet6/ipsec.h`
4			`//`
5			`//==========================================================================`
6			`//####BSDCOPYRIGHTBEGIN####`
7			`//`
8			`// -------------------------------------------`
9			`//`
10			`// Portions of this software may have been derived from OpenBSD,`
11			`// FreeBSD or other sources, and are covered by the appropriate`
12			`// copyright disclaimers included herein.`
13			`//`
14			`// Portions created by Red Hat are`
15			`// Copyright (C) 2002 Red Hat, Inc. All Rights Reserved.`
16			`//`
17			`// -------------------------------------------`
18			`//`
19			`//####BSDCOPYRIGHTEND####`
20			`//==========================================================================`
21
22			`/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */`
23
24			`/*`
25			`* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.`
26			`* All rights reserved.`
27			`*`
28			`* Redistribution and use in source and binary forms, with or without`
29			`* modification, are permitted provided that the following conditions`
30			`* are met:`
31			`* 1. Redistributions of source code must retain the above copyright`
32			`* notice, this list of conditions and the following disclaimer.`
33			`* 2. Redistributions in binary form must reproduce the above copyright`
34			`* notice, this list of conditions and the following disclaimer in the`
35			`* documentation and/or other materials provided with the distribution.`
36			`* 3. Neither the name of the project nor the names of its contributors`
37			`* may be used to endorse or promote products derived from this software`
38			`* without specific prior written permission.`
39			`*`
40			* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
41			`* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
42			`* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE`
43			`* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE`
44			`* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL`
45			`* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS`
46			`* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)`
47			`* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT`
48			`* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY`
49			`* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF`
50			`* SUCH DAMAGE.`
51			`*/`
52
53			`/*`
54			`* IPsec controller part.`
55			`*/`
56
57			`#ifndef _NETINET6_IPSEC_H_`
58			`#define _NETINET6_IPSEC_H_`
59
60			`#if defined(_KERNEL) && !defined(_LKM) && !defined(KLD_MODULE)`
61			`#if defined(__FreeBSD__) && __FreeBSD__ >= 3`
62			`#include "opt_inet.h"`
63			`#include "opt_inet6.h"`
64			`#include "opt_ipsec.h"`
65			`#endif`
66			`#if defined(__NetBSD__)`
67			`#include "opt_inet.h"`
68			`#include "opt_ipsec.h"`
69			`#endif`
70			`#endif`
71
72			`#include <net/pfkeyv2.h>`
73			`#include <netkey/keydb.h>`
74
75			`#ifdef _KERNEL`
76
77			`/*`
78			`* Security Policy Index`
79			`* Ensure that both address families in the "src" and "dst" are same.`
80			`* When the value of the ul_proto is ICMPv6, the port field in "src"`
81			`* specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.`
82			`*/`
83			`struct secpolicyindex {`
84			`u_int8_t dir; /* direction of packet flow, see blow */`
85			`struct sockaddr_storage src; /* IP src address for SP */`
86			`struct sockaddr_storage dst; /* IP dst address for SP */`
87			`u_int8_t prefs; /* prefix length in bits for src */`
88			`u_int8_t prefd; /* prefix length in bits for dst */`
89			`u_int16_t ul_proto; /* upper layer Protocol */`
90			`#ifdef notyet`
91			`uid_t uids;`
92			`uid_t uidd;`
93			`gid_t gids;`
94			`gid_t gidd;`
95			`#endif`
96			`};`
97
98			`/* Security Policy Data Base */`
99			`struct secpolicy {`
100			`LIST_ENTRY(secpolicy) chain;`
101
102			`int refcnt; /* reference count */`
103			`struct secpolicyindex spidx; /* selector */`
104			`u_int32_t id; /* It's unique number on the system. */`
105			`u_int state; /* 0: dead, others: alive */`
106			`#define IPSEC_SPSTATE_DEAD 0`
107			`#define IPSEC_SPSTATE_ALIVE 1`
108
109			`u_int policy; /* DISCARD, NONE or IPSEC, see keyv2.h */`
110			`struct ipsecrequest *req;`
111			`/* pointer to the ipsec request tree, */`
112			`/* if policy == IPSEC else this value == NULL.*/`
113
114			`/*`
115			`* lifetime handler.`
116			`* the policy can be used without limitiation if both lifetime and`
117			`* validtime are zero.`
118			`* "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.`
119			`* "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.`
120			`*/`
121			`long created; /* time created the policy */`
122			`long lastused; /* updated every when kernel sends a packet */`
123			`long lifetime; /* duration of the lifetime of this policy */`
124			`long validtime; /* duration this policy is valid without use */`
125			`};`
126
127			`/* Request for IPsec */`
128			`struct ifnet;`
129			`struct ipsecrequest {`
130			`struct ipsecrequest *next;`
131			`/* pointer to next structure */`
132			`/* If NULL, it means the end of chain. */`
133			`struct secasindex saidx;/* hint for search proper SA */`
134			`/* if __ss_len == 0 then no address specified.*/`
135			`u_int level; /* IPsec level defined below. */`
136
137			`struct secasvar sav; / place holder of SA for use */`
138			`struct secpolicy sp; / back pointer to SP */`
139
140			`struct ifnet tunifp; / interface for tunnelling */`
141			`};`
142
143			`/* security policy in PCB */`
144			`struct inpcbpolicy {`
145			`struct secpolicy *sp_in;`
146			`struct secpolicy *sp_out;`
147			`int priv; /* privileged socket ? */`
148
149			`/* cached policy */`
150			`/* XXX 3 == IPSEC_DIR_MAX */`
151			`struct secpolicy *cache[3];`
152			`struct secpolicyindex cacheidx[3];`
153			`int cachegen[3]; /* cache generation #, the time we filled it */`
154			`int cacheflags;`
155			`#define IPSEC_PCBSP_CONNECTED 1`
156			`};`
157
158			`/* SP acquiring list table. */`
159			`struct secspacq {`
160			`LIST_ENTRY(secspacq) chain;`
161
162			`struct secpolicyindex spidx;`
163
164			`long created; /* for lifetime */`
165			`int count; /* for lifetime */`
166			`/* XXX: here is mbuf place holder to be sent ? */`
167			`};`
168
169			`struct ipsecaux {`
170			`struct socket *so;`
171			`int hdrs; /* # of ipsec headers */`
172
173			`struct secpolicy *sp;`
174			`struct ipsecrequest *req;`
175			`};`
176			`#endif /* _KERNEL */`
177
178			`/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */`
179			`#define IPSEC_PORT_ANY 0`
180			`#define IPSEC_ULPROTO_ANY 255`
181			`#define IPSEC_PROTO_ANY 255`
182
183			`/* mode of security protocol */`
184			`/* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */`
185			`#define IPSEC_MODE_ANY 0 /* i.e. wildcard. */`
186			`#define IPSEC_MODE_TRANSPORT 1`
187			`#define IPSEC_MODE_TUNNEL 2`
188
189			`/*`
190			`* Direction of security policy.`
191			`* NOTE: Since INVALID is used just as flag.`
192			`* The other are used for loop counter too.`
193			`*/`
194			`#define IPSEC_DIR_ANY 0`
195			`#define IPSEC_DIR_INBOUND 1`
196			`#define IPSEC_DIR_OUTBOUND 2`
197			`#define IPSEC_DIR_MAX 3`
198			`#define IPSEC_DIR_INVALID 4`
199
200			`/* Policy level */`
201			`/*`
202			`* IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,`
203			`* DISCARD, IPSEC and NONE are allowed for setkey() in SPD.`
204			`* DISCARD and NONE are allowed for system default.`
205			`*/`
206			`#define IPSEC_POLICY_DISCARD 0 /* discarding packet */`
207			`#define IPSEC_POLICY_NONE 1 /* through IPsec engine */`
208			`#define IPSEC_POLICY_IPSEC 2 /* do IPsec */`
209			`#define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */`
210			`#define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */`
211
212			`/* Security protocol level */`
213			`#define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */`
214			`#define IPSEC_LEVEL_USE 1 /* use SA if present. */`
215			`#define IPSEC_LEVEL_REQUIRE 2 /* require SA. */`
216			`#define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */`
217
218			`#define IPSEC_MANUAL_REQID_MAX 0x3fff`
219			`/*`
220			`* if security policy level == unique, this id`
221			`* indicate to a relative SA for use, else is`
222			`* zero.`
223			`* 1 - 0x3fff are reserved for manual keying.`
224			`* 0 are reserved for above reason. Others is`
225			`* for kernel use.`
226			`* Note that this id doesn't identify SA`
227			`* by only itself.`
228			`*/`
229			`#define IPSEC_REPLAYWSIZE 32`
230
231			`/* statistics for ipsec processing */`
232			`struct ipsecstat {`
233			`u_quad_t in_success; /* succeeded inbound process */`
234			`u_quad_t in_polvio;`
235			`/* security policy violation for inbound process */`
236			`u_quad_t in_nosa; /* inbound SA is unavailable */`
237			`u_quad_t in_inval; /* inbound processing failed due to EINVAL */`
238			`u_quad_t in_nomem; /* inbound processing failed due to ENOBUFS */`
239			`u_quad_t in_badspi; /* failed getting a SPI */`
240			`u_quad_t in_ahreplay; /* AH replay check failed */`
241			`u_quad_t in_espreplay; /* ESP replay check failed */`
242			`u_quad_t in_ahauthsucc; /* AH authentication success */`
243			`u_quad_t in_ahauthfail; /* AH authentication failure */`
244			`u_quad_t in_espauthsucc; /* ESP authentication success */`
245			`u_quad_t in_espauthfail; /* ESP authentication failure */`
246			`u_quad_t in_esphist[256];`
247			`u_quad_t in_ahhist[256];`
248			`u_quad_t in_comphist[256];`
249			`u_quad_t out_success; /* succeeded outbound process */`
250			`u_quad_t out_polvio;`
251			`/* security policy violation for outbound process */`
252			`u_quad_t out_nosa; /* outbound SA is unavailable */`
253			`u_quad_t out_inval; /* outbound process failed due to EINVAL */`
254			`u_quad_t out_nomem; /* inbound processing failed due to ENOBUFS */`
255			`u_quad_t out_noroute; /* there is no route */`
256			`u_quad_t out_esphist[256];`
257			`u_quad_t out_ahhist[256];`
258			`u_quad_t out_comphist[256];`
259
260			`u_quad_t spdcachelookup;`
261			`u_quad_t spdcachemiss;`
262			`};`
263
264			`/*`
265			`* Definitions for IPsec & Key sysctl operations.`
266			`*/`
267			`/*`
268			`* Names for IPsec & Key sysctl objects`
269			`*/`
270			`#define IPSECCTL_STATS 1 /* stats */`
271			`#define IPSECCTL_DEF_POLICY 2`
272			`#define IPSECCTL_DEF_ESP_TRANSLEV 3 /* int; ESP transport mode */`
273			`#define IPSECCTL_DEF_ESP_NETLEV 4 /* int; ESP tunnel mode */`
274			`#define IPSECCTL_DEF_AH_TRANSLEV 5 /* int; AH transport mode */`
275			`#define IPSECCTL_DEF_AH_NETLEV 6 /* int; AH tunnel mode */`
276			`#if 0 /* obsolete, do not reuse */`
277			`#define IPSECCTL_INBOUND_CALL_IKE 7`
278			`#endif`
279			`#define IPSECCTL_AH_CLEARTOS 8`
280			`#define IPSECCTL_AH_OFFSETMASK 9`
281			`#define IPSECCTL_DFBIT 10`
282			`#define IPSECCTL_ECN 11`
283			`#define IPSECCTL_DEBUG 12`
284			`#define IPSECCTL_ESP_RANDPAD 13`
285			`#define IPSECCTL_MAXID 14`
286
287			`#define IPSECCTL_NAMES { \`
288			`{ 0, 0 }, \`
289			`{ 0, 0 }, \`
290			`{ "def_policy", CTLTYPE_INT }, \`
291			`{ "esp_trans_deflev", CTLTYPE_INT }, \`
292			`{ "esp_net_deflev", CTLTYPE_INT }, \`
293			`{ "ah_trans_deflev", CTLTYPE_INT }, \`
294			`{ "ah_net_deflev", CTLTYPE_INT }, \`
295			`{ 0, 0 }, \`
296			`{ "ah_cleartos", CTLTYPE_INT }, \`
297			`{ "ah_offsetmask", CTLTYPE_INT }, \`
298			`{ "dfbit", CTLTYPE_INT }, \`
299			`{ "ecn", CTLTYPE_INT }, \`
300			`{ "debug", CTLTYPE_INT }, \`
301			`{ "esp_randpad", CTLTYPE_INT }, \`
302			`}`
303
304			`#define IPSEC6CTL_NAMES { \`
305			`{ 0, 0 }, \`
306			`{ 0, 0 }, \`
307			`{ "def_policy", CTLTYPE_INT }, \`
308			`{ "esp_trans_deflev", CTLTYPE_INT }, \`
309			`{ "esp_net_deflev", CTLTYPE_INT }, \`
310			`{ "ah_trans_deflev", CTLTYPE_INT }, \`
311			`{ "ah_net_deflev", CTLTYPE_INT }, \`
312			`{ 0, 0 }, \`
313			`{ 0, 0 }, \`
314			`{ 0, 0 }, \`
315			`{ 0, 0 }, \`
316			`{ "ecn", CTLTYPE_INT }, \`
317			`{ "debug", CTLTYPE_INT }, \`
318			`{ "esp_randpad", CTLTYPE_INT }, \`
319			`}`
320
321			`#ifdef __bsdi__`
322			`#define IPSECCTL_VARS { \`
323			`0, \`
324			`0, \`
325			`&ip4_def_policy.policy, \`
326			`&ip4_esp_trans_deflev, \`
327			`&ip4_esp_net_deflev, \`
328			`&ip4_ah_trans_deflev, \`
329			`&ip4_ah_net_deflev, \`
330			`0, \`
331			`&ip4_ah_cleartos, \`
332			`&ip4_ah_offsetmask, \`
333			`&ip4_ipsec_dfbit, \`
334			`&ip4_ipsec_ecn, \`
335			`&ipsec_debug, \`
336			`&ip4_esp_randpad, \`
337			`}`
338
339			`#define IPSEC6CTL_VARS { \`
340			`0, \`
341			`0, \`
342			`&ip6_def_policy.policy, \`
343			`&ip6_esp_trans_deflev, \`
344			`&ip6_esp_net_deflev, \`
345			`&ip6_ah_trans_deflev, \`
346			`&ip6_ah_net_deflev, \`
347			`0, \`
348			`0, \`
349			`0, \`
350			`0, \`
351			`&ip6_ipsec_ecn, \`
352			`&ipsec_debug, \`
353			`&ip6_esp_randpad, \`
354			`}`
355			`#endif`
356
357			`#ifdef _KERNEL`
358			`struct ipsec_output_state {`
359			`struct mbuf *m;`
360			`struct route *ro;`
361			`struct sockaddr *dst;`
362			`int encap;`
363			`};`
364
365			`struct ipsec_history {`
366			`int ih_proto;`
367			`u_int32_t ih_spi;`
368			`};`
369
370			`extern int ipsec_debug;`
371			`extern int ipsec_tunnel_device;`
372
373			`#ifdef INET`
374			`extern struct ipsecstat ipsecstat;`
375			`extern struct secpolicy ip4_def_policy;`
376			`extern int ip4_esp_trans_deflev;`
377			`extern int ip4_esp_net_deflev;`
378			`extern int ip4_ah_trans_deflev;`
379			`extern int ip4_ah_net_deflev;`
380			`extern int ip4_ah_cleartos;`
381			`extern int ip4_ah_offsetmask;`
382			`extern int ip4_ipsec_dfbit;`
383			`extern int ip4_ipsec_ecn;`
384			`extern int ip4_esp_randpad;`
385			`#endif`
386
387			`#ifdef INET6`
388			`extern struct ipsecstat ipsec6stat;`
389			`extern struct secpolicy ip6_def_policy;`
390			`extern int ip6_esp_trans_deflev;`
391			`extern int ip6_esp_net_deflev;`
392			`extern int ip6_ah_trans_deflev;`
393			`extern int ip6_ah_net_deflev;`
394			`extern int ip6_ipsec_ecn;`
395			`extern int ip6_esp_randpad;`
396			`#endif`
397
398			`#define ipseclog(x) do { if (ipsec_debug) log x; } while (0)`
399
400			`extern int ipsec_pcbconn __P((struct inpcbpolicy *));`
401			`extern int ipsec_pcbdisconn __P((struct inpcbpolicy *));`
402			`extern int ipsec_invalpcbcacheall __P((void));`
403
404			`extern struct secpolicy *ipsec4_getpolicybysock`
405			`__P((struct mbuf , u_int, struct socket , int *));`
406			`extern struct secpolicy *ipsec4_getpolicybyaddr`
407			`__P((struct mbuf , u_int, int, int ));`
408
409			`#ifdef INET6`
410			`extern struct secpolicy *ipsec6_getpolicybysock`
411			`__P((struct mbuf , u_int, struct socket , int *));`
412			`extern struct secpolicy *ipsec6_getpolicybyaddr`
413			`__P((struct mbuf , u_int, int, int ));`
414			`#endif /* INET6 */`
415
416			`struct inpcb;`
417			`#ifdef INET6`
418			`struct in6pcb;`
419			`#endif`
420			`extern int ipsec_init_policy __P((struct socket so, struct inpcbpolicy *));`
421			`extern int ipsec_copy_policy`
422			`__P((struct inpcbpolicy , struct inpcbpolicy ));`
423			`extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *));`
424
425			`extern int ipsec4_set_policy __P((struct inpcb *inp, int optname,`
426			`caddr_t request, size_t len, int priv));`
427			`extern int ipsec4_get_policy __P((struct inpcb *inpcb, caddr_t request,`
428			`size_t len, struct mbuf **mp));`
429			`extern int ipsec4_delete_pcbpolicy __P((struct inpcb *));`
430			`extern int ipsec4_in_reject_so __P((struct mbuf , struct socket ));`
431			`extern int ipsec4_in_reject __P((struct mbuf , struct inpcb ));`
432
433			`#ifdef INET6`
434			`extern int ipsec6_in_reject_so __P((struct mbuf , struct socket ));`
435			`#if (defined(__FreeBSD__) && __FreeBSD__ >= 3) \|\| (defined(__bsdi__) && _BSDI_VERSION >= 199802)`
436			`extern int ipsec6_delete_pcbpolicy __P((struct inpcb *));`
437			`extern int ipsec6_set_policy __P((struct inpcb *inp, int optname,`
438			`caddr_t request, size_t len, int priv));`
439			`extern int ipsec6_get_policy`
440			`__P((struct inpcb inp, caddr_t request, size_t len, struct mbuf *mp));`
441			`extern int ipsec6_in_reject __P((struct mbuf , struct inpcb ));`
442			`#else`
443			`extern int ipsec6_delete_pcbpolicy __P((struct in6pcb *));`
444			`extern int ipsec6_set_policy __P((struct in6pcb *in6p, int optname,`
445			`caddr_t request, size_t len, int priv));`
446			`extern int ipsec6_get_policy __P((struct in6pcb *in6p, caddr_t request,`
447			`size_t len, struct mbuf **mp));`
448			`extern int ipsec6_in_reject __P((struct mbuf , struct in6pcb ));`
449			`#endif`
450			`#endif /* INET6 */`
451
452			`struct secas;`
453			`struct tcpcb;`
454			`struct tcp6cb;`
455			`extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *));`
456			`extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *));`
457
458			`extern size_t ipsec4_hdrsiz __P((struct mbuf , u_int, struct inpcb ));`
459			`#if (defined(__FreeBSD__) && __FreeBSD__ == 3) \|\| (defined(__bsdi__) && _BSDI_VERSION >= 199802)`
460			`extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *, int));`
461			`#elif (defined(__FreeBSD__) && __FreeBSD__ >= 4)`
462			`extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *));`
463			`#else`
464			`extern size_t ipsec4_hdrsiz_tcp __P((struct tcpcb *));`
465			`#endif`
466			`#ifdef INET6`
467			`#if (defined(__FreeBSD__) && __FreeBSD__ >= 3) \|\| (defined(__bsdi__) && _BSDI_VERSION >= 199802)`
468			`extern size_t ipsec6_hdrsiz __P((struct mbuf , u_int, struct inpcb ));`
469			`#else`
470			`extern size_t ipsec6_hdrsiz __P((struct mbuf , u_int, struct in6pcb ));`
471			`#if defined(__NetBSD__) && !defined(TCP6)`
472			`extern size_t ipsec6_hdrsiz_tcp __P((struct tcpcb *));`
473			`#else`
474			`extern size_t ipsec6_hdrsiz_tcp __P((struct tcp6cb *));`
475			`#endif`
476			`#endif`
477			`#endif`
478
479			`struct ip;`
480			`#ifdef INET6`
481			`struct ip6_hdr;`
482			`#endif`
483			`extern const char ipsec4_logpacketstr __P((struct ip , u_int32_t));`
484			`#ifdef INET6`
485			`extern const char ipsec6_logpacketstr __P((struct ip6_hdr , u_int32_t));`
486			`#endif`
487			`extern const char ipsec_logsastr __P((struct secasvar ));`
488
489			`extern void ipsec_dumpmbuf __P((struct mbuf *));`
490
491			`extern int ipsec4_output __P((struct ipsec_output_state , struct secpolicy ,`
492			`int));`
493			`#ifdef INET6`
494			`extern int ipsec6_output_trans __P((struct ipsec_output_state , u_char ,`
495			`struct mbuf , struct secpolicy , int, int *));`
496			`extern int ipsec6_output_tunnel __P((struct ipsec_output_state *,`
497			`struct secpolicy *, int));`
498			`#endif`
499			`extern int ipsec4_tunnel_validate __P((struct mbuf *, int, u_int,`
500			`struct secasvar *));`
501			`#ifdef INET6`
502			`extern int ipsec6_tunnel_validate __P((struct mbuf *, int, u_int,`
503			`struct secasvar *));`
504			`#endif`
505			`extern struct mbuf ipsec_copypkt __P((struct mbuf ));`
506			`extern void ipsec_delaux __P((struct mbuf *));`
507			`extern int ipsec_setsocket __P((struct mbuf , struct socket ));`
508			`extern struct socket ipsec_getsocket __P((struct mbuf ));`
509			`extern int ipsec_addhist __P((struct mbuf *, int, u_int32_t));`
510			`extern int ipsec_getnhist __P((struct mbuf *));`
511			`extern struct ipsec_history ipsec_gethist __P((struct mbuf , int *));`
512			`extern void ipsec_clearhist __P((struct mbuf *));`
513
514			`#if defined(__bsdi__) \|\| defined(__NetBSD__)`
515			`extern int ipsec_sysctl __P((int , u_int, void , size_t , void , size_t));`
516			`extern int ipsec6_sysctl __P((int , u_int, void , size_t , void , size_t));`
517			`#endif /* __bsdi__ \|\| __NetBSD__ */`
518
519			`#endif /* _KERNEL */`
520
521			`#ifndef _KERNEL`
522			`extern caddr_t ipsec_set_policy __P((char *, int));`
523			`extern int ipsec_get_policylen __P((caddr_t));`
524			`extern char ipsec_dump_policy __P((caddr_t, char ));`
525
526			`extern const char *ipsec_strerror __P((void));`
527			`#endif /* !_KERNEL */`
528
529			`#endif /* _NETINET6_IPSEC_H_ */`