1 /* $NetBSD: ipsec.h,v 1.93 2022/10/28 05:23:09 ozaki-r Exp $ */
2 /* $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
3 /* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #ifndef _NETIPSEC_IPSEC_H_
35 #define _NETIPSEC_IPSEC_H_
36
37 #if defined(_KERNEL_OPT)
38 #include "opt_inet.h"
39 #include "opt_ipsec.h"
40 #endif
41
42 #include <net/pfkeyv2.h>
43
44 #ifdef _KERNEL
45 #include <sys/socketvar.h>
46 #include <sys/localcount.h>
47
48 #include <netinet/in_pcb.h>
49 #include <netipsec/keydb.h>
50
51 /*
52 * Security Policy Index
53 * Ensure that both address families in the "src" and "dst" are same.
54 * When the value of the ul_proto is ICMPv6, the port field in "src"
55 * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
56 */
57 struct secpolicyindex {
58 u_int8_t dir; /* direction of packet flow, see blow */
59 union sockaddr_union src; /* IP src address for SP */
60 union sockaddr_union dst; /* IP dst address for SP */
61 u_int8_t prefs; /* prefix length in bits for src */
62 u_int8_t prefd; /* prefix length in bits for dst */
63 u_int16_t ul_proto; /* upper layer Protocol */
64 };
65
66 /* Security Policy Data Base */
67 struct secpolicy {
68 struct pslist_entry pslist_entry;
69
70 struct localcount localcount; /* reference count */
71 struct secpolicyindex spidx; /* selector */
72 u_int32_t id; /* It's unique number on the system. */
73 u_int state; /* 0: dead, others: alive */
74 #define IPSEC_SPSTATE_DEAD 0
75 #define IPSEC_SPSTATE_ALIVE 1
76
77 u_int origin; /* who generate this SP. */
78 #define IPSEC_SPORIGIN_USER 0
79 #define IPSEC_SPORIGIN_KERNEL 1
80
81 u_int policy; /* DISCARD, NONE or IPSEC, see keyv2.h */
82 struct ipsecrequest *req;
83 /* pointer to the ipsec request tree, */
84 /* if policy == IPSEC else this value == NULL.*/
85
86 /*
87 * lifetime handler.
88 * the policy can be used without limitiation if both lifetime and
89 * validtime are zero.
90 * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
91 * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
92 */
93 time_t created; /* time created the policy */
94 time_t lastused; /* updated every when kernel sends a packet */
95 time_t lifetime; /* duration of the lifetime of this policy */
96 time_t validtime; /* duration this policy is valid without use */
97 };
98
99 /* Request for IPsec */
100 struct ipsecrequest {
101 struct ipsecrequest *next;
102 /* pointer to next structure */
103 /* If NULL, it means the end of chain. */
104 struct secasindex saidx;/* hint for search proper SA */
105 /* if __ss_len == 0 then no address specified.*/
106 u_int level; /* IPsec level defined below. */
107
108 struct secpolicy *sp; /* back pointer to SP */
109 };
110
111 /* security policy in PCB */
112 struct inpcbpolicy {
113 struct secpolicy *sp_in;
114 struct secpolicy *sp_out;
115 int priv; /* privileged socket ? */
116
117 /* cached policy */
118 struct {
119 struct secpolicy *cachesp;
120 struct secpolicyindex cacheidx;
121 int cachehint; /* processing requirement hint: */
122 #define IPSEC_PCBHINT_UNKNOWN 0 /* Unknown */
123 #define IPSEC_PCBHINT_YES 1 /* IPsec processing is required */
124 #define IPSEC_PCBHINT_NO 2 /* IPsec processing not required */
125 u_int cachegen; /* spdgen when cache filled */
126 } sp_cache[3]; /* XXX 3 == IPSEC_DIR_MAX */
127 int sp_cacheflags;
128 #define IPSEC_PCBSP_CONNECTED 1
129 struct inpcb *sp_inp; /* back pointer */
130 };
131
132 extern u_int ipsec_spdgen;
133
134 static __inline bool
ipsec_pcb_skip_ipsec(struct inpcbpolicy * pcbsp,int dir)135 ipsec_pcb_skip_ipsec(struct inpcbpolicy *pcbsp, int dir)
136 {
137
138 KASSERT(inp_locked(pcbsp->sp_inp));
139
140 return pcbsp->sp_cache[(dir)].cachehint == IPSEC_PCBHINT_NO &&
141 pcbsp->sp_cache[(dir)].cachegen == ipsec_spdgen;
142 }
143
144 /* SP acquiring list table. */
145 struct secspacq {
146 LIST_ENTRY(secspacq) chain;
147
148 struct secpolicyindex spidx;
149
150 time_t created; /* for lifetime */
151 int count; /* for lifetime */
152 /* XXX: here is mbuf place holder to be sent ? */
153 };
154 #endif /* _KERNEL */
155
156 /* buffer size for formatted output of ipsec address (addr + '%' + scope_id?) */
157 #define IPSEC_ADDRSTRLEN (INET6_ADDRSTRLEN + 11)
158 /* buffer size for ipsec_logsastr() */
159 #define IPSEC_LOGSASTRLEN 192
160
161 /* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
162 #define IPSEC_PORT_ANY 0
163 #define IPSEC_ULPROTO_ANY 255
164 #define IPSEC_PROTO_ANY 255
165
166 /* mode of security protocol */
167 /* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */
168 #define IPSEC_MODE_ANY 0 /* i.e. wildcard. */
169 #define IPSEC_MODE_TRANSPORT 1
170 #define IPSEC_MODE_TUNNEL 2
171 #define IPSEC_MODE_TCPMD5 3 /* TCP MD5 mode */
172
173 /*
174 * Direction of security policy.
175 * NOTE: Since INVALID is used just as flag.
176 * The other are used for loop counter too.
177 */
178 #define IPSEC_DIR_ANY 0
179 #define IPSEC_DIR_INBOUND 1
180 #define IPSEC_DIR_OUTBOUND 2
181 #define IPSEC_DIR_MAX 3
182 #define IPSEC_DIR_INVALID 4
183
184 #define IPSEC_DIR_IS_VALID(dir) ((dir) >= 0 && (dir) <= IPSEC_DIR_MAX)
185 #define IPSEC_DIR_IS_INOROUT(dir) ((dir) == IPSEC_DIR_INBOUND || \
186 (dir) == IPSEC_DIR_OUTBOUND)
187
188 /* Policy level */
189 /*
190 * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
191 * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
192 * DISCARD and NONE are allowed for system default.
193 */
194 #define IPSEC_POLICY_DISCARD 0 /* discarding packet */
195 #define IPSEC_POLICY_NONE 1 /* through IPsec engine */
196 #define IPSEC_POLICY_IPSEC 2 /* do IPsec */
197 #define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */
198 #define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */
199
200 /* Security protocol level */
201 #define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */
202 #define IPSEC_LEVEL_USE 1 /* use SA if present. */
203 #define IPSEC_LEVEL_REQUIRE 2 /* require SA. */
204 #define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */
205
206 #define IPSEC_MANUAL_REQID_MAX 0x3fff
207 /*
208 * if security policy level == unique, this id
209 * indicate to a relative SA for use, else is
210 * zero.
211 * 1 - 0x3fff are reserved for manual keying.
212 * 0 are reserved for above reason. Others is
213 * for kernel use.
214 * Note that this id doesn't identify SA
215 * by only itself.
216 */
217 #define IPSEC_REPLAYWSIZE 32
218
219 #ifdef _KERNEL
220
221 extern int ipsec_debug;
222 #ifdef IPSEC_DEBUG
223 extern int ipsec_replay;
224 extern int ipsec_integrity;
225 #endif
226
227 extern struct secpolicy ip4_def_policy;
228 extern int ip4_esp_trans_deflev;
229 extern int ip4_esp_net_deflev;
230 extern int ip4_ah_trans_deflev;
231 extern int ip4_ah_net_deflev;
232 extern int ip4_ah_cleartos;
233 extern int ip4_ah_offsetmask;
234 extern int ip4_ipsec_dfbit;
235 extern int ip4_ipsec_ecn;
236 extern int crypto_support;
237
238 #include <sys/syslog.h>
239
240 #define DPRINTF(fmt, args...) \
241 do { \
242 if (ipsec_debug) \
243 log(LOG_DEBUG, "%s: " fmt, __func__, ##args); \
244 } while (/*CONSTCOND*/0)
245
246 #define IPSECLOG(level, fmt, args...) \
247 do { \
248 if (ipsec_debug) \
249 log(level, "%s: " fmt, __func__, ##args); \
250 } while (/*CONSTCOND*/0)
251
252 #define ipsec_indone(m) \
253 ((m->m_flags & M_AUTHIPHDR) || (m->m_flags & M_DECRYPTED))
254 #define ipsec_outdone(m) \
255 (m_tag_find((m), PACKET_TAG_IPSEC_OUT_DONE) != NULL)
256
257 static __inline bool
ipsec_skip_pfil(struct mbuf * m)258 ipsec_skip_pfil(struct mbuf *m)
259 {
260 bool rv;
261
262 if (ipsec_indone(m) &&
263 ((m->m_pkthdr.pkthdr_flags & PKTHDR_FLAG_IPSEC_SKIP_PFIL) != 0)) {
264 m->m_pkthdr.pkthdr_flags &= ~PKTHDR_FLAG_IPSEC_SKIP_PFIL;
265 rv = true;
266 } else {
267 rv = false;
268 }
269
270 return rv;
271 }
272
273 void ipsec_pcbconn(struct inpcbpolicy *);
274 void ipsec_pcbdisconn(struct inpcbpolicy *);
275 void ipsec_invalpcbcacheall(void);
276
277 struct inpcb;
278 int ipsec4_output(struct mbuf *, struct inpcb *, int, u_long *, bool *, bool *, bool *);
279
280 int ipsec_ip_input_checkpolicy(struct mbuf *, bool);
281 void ipsec_mtu(struct mbuf *, int *);
282 #ifdef INET6
283 void ipsec6_udp_cksum(struct mbuf *);
284 #endif
285
286 struct inpcb;
287 int ipsec_init_pcbpolicy(struct socket *so, struct inpcbpolicy **);
288 int ipsec_copy_policy(const struct inpcbpolicy *, struct inpcbpolicy *);
289 u_int ipsec_get_reqlevel(const struct ipsecrequest *);
290
291 int ipsec_set_policy(struct inpcb *, const void *, size_t, kauth_cred_t);
292 int ipsec_get_policy(struct inpcb *, const void *, size_t, struct mbuf **);
293 int ipsec_delete_pcbpolicy(struct inpcb *);
294 int ipsec_in_reject(struct mbuf *, struct inpcb *);
295
296 struct secasvar *ipsec_lookup_sa(const struct ipsecrequest *,
297 const struct mbuf *);
298
299 struct secas;
300 struct tcpcb;
301 int ipsec_chkreplay(u_int32_t, const struct secasvar *);
302 int ipsec_updatereplay(u_int32_t, const struct secasvar *);
303
304 size_t ipsec_hdrsiz(struct mbuf *, u_int, struct inpcb *);
305 size_t ipsec4_hdrsiz_tcp(struct tcpcb *);
306
307 union sockaddr_union;
308 const char *ipsec_address(const union sockaddr_union* sa, char *, size_t);
309 const char *ipsec_logsastr(const struct secasvar *, char *, size_t);
310
311 /* NetBSD protosw ctlin entrypoint */
312 void *esp4_ctlinput(int, const struct sockaddr *, void *);
313 void *ah4_ctlinput(int, const struct sockaddr *, void *);
314
315 void ipsec_output_init(void);
316 struct m_tag;
317 void ipsec4_common_input(struct mbuf *m, int, int);
318 int ipsec4_common_input_cb(struct mbuf *, struct secasvar *, int, int);
319 int ipsec4_process_packet(struct mbuf *, const struct ipsecrequest *, u_long *);
320 int ipsec_process_done(struct mbuf *, const struct ipsecrequest *,
321 struct secasvar *, int);
322
323 struct mbuf *m_clone(struct mbuf *);
324 struct mbuf *m_makespace(struct mbuf *, int, int, int *);
325 void *m_pad(struct mbuf *, int);
326 int m_striphdr(struct mbuf *, int, int);
327
328 extern int ipsec_used __read_mostly;
329 extern int ipsec_enabled __read_mostly;
330
331 #endif /* _KERNEL */
332
333 #ifndef _KERNEL
334 char *ipsec_set_policy(const char *, int);
335 int ipsec_get_policylen(char *);
336 char *ipsec_dump_policy(char *, const char *);
337 const char *ipsec_strerror(void);
338 #endif /* !_KERNEL */
339
340 #ifdef _KERNEL
341 /* External declarations of per-file init functions */
342 void ah_attach(void);
343 void esp_attach(void);
344 void ipcomp_attach(void);
345 void ipe4_attach(void);
346 void tcpsignature_attach(void);
347
348 void ipsec_attach(void);
349
350 void sysctl_net_inet_ipsec_setup(struct sysctllog **);
351 #ifdef INET6
352 void sysctl_net_inet6_ipsec6_setup(struct sysctllog **);
353 #endif
354
355 #endif /* _KERNEL */
356 #endif /* !_NETIPSEC_IPSEC_H_ */
357