xref: /netbsd/sys/netipsec/ipsec.h (revision 5b523eb0)
1 /*	$NetBSD: ipsec.h,v 1.93 2022/10/28 05:23:09 ozaki-r Exp $	*/
2 /*	$FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $	*/
3 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/
4 
5 /*
6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #ifndef _NETIPSEC_IPSEC_H_
35 #define _NETIPSEC_IPSEC_H_
36 
37 #if defined(_KERNEL_OPT)
38 #include "opt_inet.h"
39 #include "opt_ipsec.h"
40 #endif
41 
42 #include <net/pfkeyv2.h>
43 
44 #ifdef _KERNEL
45 #include <sys/socketvar.h>
46 #include <sys/localcount.h>
47 
48 #include <netinet/in_pcb.h>
49 #include <netipsec/keydb.h>
50 
51 /*
52  * Security Policy Index
53  * Ensure that both address families in the "src" and "dst" are same.
54  * When the value of the ul_proto is ICMPv6, the port field in "src"
55  * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
56  */
57 struct secpolicyindex {
58 	u_int8_t dir;			/* direction of packet flow, see blow */
59 	union sockaddr_union src;	/* IP src address for SP */
60 	union sockaddr_union dst;	/* IP dst address for SP */
61 	u_int8_t prefs;			/* prefix length in bits for src */
62 	u_int8_t prefd;			/* prefix length in bits for dst */
63 	u_int16_t ul_proto;		/* upper layer Protocol */
64 };
65 
66 /* Security Policy Data Base */
67 struct secpolicy {
68 	struct pslist_entry pslist_entry;
69 
70 	struct localcount localcount;	/* reference count */
71 	struct secpolicyindex spidx;	/* selector */
72 	u_int32_t id;			/* It's unique number on the system. */
73 	u_int state;			/* 0: dead, others: alive */
74 #define IPSEC_SPSTATE_DEAD	0
75 #define IPSEC_SPSTATE_ALIVE	1
76 
77 	u_int origin;			/* who generate this SP. */
78 #define IPSEC_SPORIGIN_USER	0
79 #define IPSEC_SPORIGIN_KERNEL	1
80 
81 	u_int policy;		/* DISCARD, NONE or IPSEC, see keyv2.h */
82 	struct ipsecrequest *req;
83 				/* pointer to the ipsec request tree, */
84 				/* if policy == IPSEC else this value == NULL.*/
85 
86 	/*
87 	 * lifetime handler.
88 	 * the policy can be used without limitiation if both lifetime and
89 	 * validtime are zero.
90 	 * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
91 	 * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
92 	 */
93 	time_t created;		/* time created the policy */
94 	time_t lastused;	/* updated every when kernel sends a packet */
95 	time_t lifetime;	/* duration of the lifetime of this policy */
96 	time_t validtime;	/* duration this policy is valid without use */
97 };
98 
99 /* Request for IPsec */
100 struct ipsecrequest {
101 	struct ipsecrequest *next;
102 				/* pointer to next structure */
103 				/* If NULL, it means the end of chain. */
104 	struct secasindex saidx;/* hint for search proper SA */
105 				/* if __ss_len == 0 then no address specified.*/
106 	u_int level;		/* IPsec level defined below. */
107 
108 	struct secpolicy *sp;	/* back pointer to SP */
109 };
110 
111 /* security policy in PCB */
112 struct inpcbpolicy {
113 	struct secpolicy *sp_in;
114 	struct secpolicy *sp_out;
115 	int priv;			/* privileged socket ? */
116 
117 	/* cached policy */
118 	struct {
119 		struct secpolicy *cachesp;
120 		struct secpolicyindex cacheidx;
121 		int cachehint;		/* processing requirement hint: */
122 #define	IPSEC_PCBHINT_UNKNOWN	0	/* Unknown */
123 #define	IPSEC_PCBHINT_YES	1	/* IPsec processing is required */
124 #define	IPSEC_PCBHINT_NO	2	/* IPsec processing not required */
125 		u_int cachegen;		/* spdgen when cache filled */
126 	} sp_cache[3];			/* XXX 3 == IPSEC_DIR_MAX */
127 	int sp_cacheflags;
128 #define	IPSEC_PCBSP_CONNECTED	1
129 	struct inpcb *sp_inp;		/* back pointer */
130 };
131 
132 extern u_int ipsec_spdgen;
133 
134 static __inline bool
ipsec_pcb_skip_ipsec(struct inpcbpolicy * pcbsp,int dir)135 ipsec_pcb_skip_ipsec(struct inpcbpolicy *pcbsp, int dir)
136 {
137 
138 	KASSERT(inp_locked(pcbsp->sp_inp));
139 
140 	return pcbsp->sp_cache[(dir)].cachehint == IPSEC_PCBHINT_NO &&
141 	    pcbsp->sp_cache[(dir)].cachegen == ipsec_spdgen;
142 }
143 
144 /* SP acquiring list table. */
145 struct secspacq {
146 	LIST_ENTRY(secspacq) chain;
147 
148 	struct secpolicyindex spidx;
149 
150 	time_t created;		/* for lifetime */
151 	int count;		/* for lifetime */
152 	/* XXX: here is mbuf place holder to be sent ? */
153 };
154 #endif /* _KERNEL */
155 
156 /* buffer size for formatted output of ipsec address (addr + '%' + scope_id?) */
157 #define	IPSEC_ADDRSTRLEN	(INET6_ADDRSTRLEN + 11)
158 /* buffer size for ipsec_logsastr() */
159 #define	IPSEC_LOGSASTRLEN	192
160 
161 /* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
162 #define IPSEC_PORT_ANY		0
163 #define IPSEC_ULPROTO_ANY	255
164 #define IPSEC_PROTO_ANY		255
165 
166 /* mode of security protocol */
167 /* NOTE: DON'T use IPSEC_MODE_ANY at SPD.  It's only use in SAD */
168 #define	IPSEC_MODE_ANY		0	/* i.e. wildcard. */
169 #define	IPSEC_MODE_TRANSPORT	1
170 #define	IPSEC_MODE_TUNNEL	2
171 #define	IPSEC_MODE_TCPMD5	3	/* TCP MD5 mode */
172 
173 /*
174  * Direction of security policy.
175  * NOTE: Since INVALID is used just as flag.
176  * The other are used for loop counter too.
177  */
178 #define IPSEC_DIR_ANY		0
179 #define IPSEC_DIR_INBOUND	1
180 #define IPSEC_DIR_OUTBOUND	2
181 #define IPSEC_DIR_MAX		3
182 #define IPSEC_DIR_INVALID	4
183 
184 #define IPSEC_DIR_IS_VALID(dir)		((dir) >= 0 && (dir) <= IPSEC_DIR_MAX)
185 #define IPSEC_DIR_IS_INOROUT(dir)	((dir) == IPSEC_DIR_INBOUND || \
186 					 (dir) == IPSEC_DIR_OUTBOUND)
187 
188 /* Policy level */
189 /*
190  * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
191  * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
192  * DISCARD and NONE are allowed for system default.
193  */
194 #define IPSEC_POLICY_DISCARD	0	/* discarding packet */
195 #define IPSEC_POLICY_NONE	1	/* through IPsec engine */
196 #define IPSEC_POLICY_IPSEC	2	/* do IPsec */
197 #define IPSEC_POLICY_ENTRUST	3	/* consulting SPD if present. */
198 #define IPSEC_POLICY_BYPASS	4	/* only for privileged socket. */
199 
200 /* Security protocol level */
201 #define	IPSEC_LEVEL_DEFAULT	0	/* reference to system default */
202 #define	IPSEC_LEVEL_USE		1	/* use SA if present. */
203 #define	IPSEC_LEVEL_REQUIRE	2	/* require SA. */
204 #define	IPSEC_LEVEL_UNIQUE	3	/* unique SA. */
205 
206 #define IPSEC_MANUAL_REQID_MAX	0x3fff
207 				/*
208 				 * if security policy level == unique, this id
209 				 * indicate to a relative SA for use, else is
210 				 * zero.
211 				 * 1 - 0x3fff are reserved for manual keying.
212 				 * 0 are reserved for above reason.  Others is
213 				 * for kernel use.
214 				 * Note that this id doesn't identify SA
215 				 * by only itself.
216 				 */
217 #define IPSEC_REPLAYWSIZE  32
218 
219 #ifdef _KERNEL
220 
221 extern int ipsec_debug;
222 #ifdef IPSEC_DEBUG
223 extern int ipsec_replay;
224 extern int ipsec_integrity;
225 #endif
226 
227 extern struct secpolicy ip4_def_policy;
228 extern int ip4_esp_trans_deflev;
229 extern int ip4_esp_net_deflev;
230 extern int ip4_ah_trans_deflev;
231 extern int ip4_ah_net_deflev;
232 extern int ip4_ah_cleartos;
233 extern int ip4_ah_offsetmask;
234 extern int ip4_ipsec_dfbit;
235 extern int ip4_ipsec_ecn;
236 extern int crypto_support;
237 
238 #include <sys/syslog.h>
239 
240 #define	DPRINTF(fmt, args...) 						\
241 	do {								\
242 		if (ipsec_debug)					\
243 			log(LOG_DEBUG, "%s: " fmt, __func__, ##args);	\
244 	} while (/*CONSTCOND*/0)
245 
246 #define IPSECLOG(level, fmt, args...) 					\
247 	do {								\
248 		if (ipsec_debug)					\
249 			log(level, "%s: " fmt, __func__, ##args);	\
250 	} while (/*CONSTCOND*/0)
251 
252 #define ipsec_indone(m)	\
253 	((m->m_flags & M_AUTHIPHDR) || (m->m_flags & M_DECRYPTED))
254 #define ipsec_outdone(m) \
255 	(m_tag_find((m), PACKET_TAG_IPSEC_OUT_DONE) != NULL)
256 
257 static __inline bool
ipsec_skip_pfil(struct mbuf * m)258 ipsec_skip_pfil(struct mbuf *m)
259 {
260 	bool rv;
261 
262 	if (ipsec_indone(m) &&
263 	    ((m->m_pkthdr.pkthdr_flags & PKTHDR_FLAG_IPSEC_SKIP_PFIL) != 0)) {
264 		m->m_pkthdr.pkthdr_flags &= ~PKTHDR_FLAG_IPSEC_SKIP_PFIL;
265 		rv = true;
266 	} else {
267 		rv = false;
268 	}
269 
270 	return rv;
271 }
272 
273 void ipsec_pcbconn(struct inpcbpolicy *);
274 void ipsec_pcbdisconn(struct inpcbpolicy *);
275 void ipsec_invalpcbcacheall(void);
276 
277 struct inpcb;
278 int ipsec4_output(struct mbuf *, struct inpcb *, int, u_long *, bool *, bool *, bool *);
279 
280 int ipsec_ip_input_checkpolicy(struct mbuf *, bool);
281 void ipsec_mtu(struct mbuf *, int *);
282 #ifdef INET6
283 void ipsec6_udp_cksum(struct mbuf *);
284 #endif
285 
286 struct inpcb;
287 int ipsec_init_pcbpolicy(struct socket *so, struct inpcbpolicy **);
288 int ipsec_copy_policy(const struct inpcbpolicy *, struct inpcbpolicy *);
289 u_int ipsec_get_reqlevel(const struct ipsecrequest *);
290 
291 int ipsec_set_policy(struct inpcb *, const void *, size_t, kauth_cred_t);
292 int ipsec_get_policy(struct inpcb *, const void *, size_t, struct mbuf **);
293 int ipsec_delete_pcbpolicy(struct inpcb *);
294 int ipsec_in_reject(struct mbuf *, struct inpcb *);
295 
296 struct secasvar *ipsec_lookup_sa(const struct ipsecrequest *,
297     const struct mbuf *);
298 
299 struct secas;
300 struct tcpcb;
301 int ipsec_chkreplay(u_int32_t, const struct secasvar *);
302 int ipsec_updatereplay(u_int32_t, const struct secasvar *);
303 
304 size_t ipsec_hdrsiz(struct mbuf *, u_int, struct inpcb *);
305 size_t ipsec4_hdrsiz_tcp(struct tcpcb *);
306 
307 union sockaddr_union;
308 const char *ipsec_address(const union sockaddr_union* sa, char *, size_t);
309 const char *ipsec_logsastr(const struct secasvar *, char *, size_t);
310 
311 /* NetBSD protosw ctlin entrypoint */
312 void *esp4_ctlinput(int, const struct sockaddr *, void *);
313 void *ah4_ctlinput(int, const struct sockaddr *, void *);
314 
315 void ipsec_output_init(void);
316 struct m_tag;
317 void ipsec4_common_input(struct mbuf *m, int, int);
318 int ipsec4_common_input_cb(struct mbuf *, struct secasvar *, int, int);
319 int ipsec4_process_packet(struct mbuf *, const struct ipsecrequest *, u_long *);
320 int ipsec_process_done(struct mbuf *, const struct ipsecrequest *,
321     struct secasvar *, int);
322 
323 struct mbuf *m_clone(struct mbuf *);
324 struct mbuf *m_makespace(struct mbuf *, int, int, int *);
325 void *m_pad(struct mbuf *, int);
326 int m_striphdr(struct mbuf *, int, int);
327 
328 extern int ipsec_used __read_mostly;
329 extern int ipsec_enabled __read_mostly;
330 
331 #endif /* _KERNEL */
332 
333 #ifndef _KERNEL
334 char *ipsec_set_policy(const char *, int);
335 int ipsec_get_policylen(char *);
336 char *ipsec_dump_policy(char *, const char *);
337 const char *ipsec_strerror(void);
338 #endif /* !_KERNEL */
339 
340 #ifdef _KERNEL
341 /* External declarations of per-file init functions */
342 void ah_attach(void);
343 void esp_attach(void);
344 void ipcomp_attach(void);
345 void ipe4_attach(void);
346 void tcpsignature_attach(void);
347 
348 void ipsec_attach(void);
349 
350 void sysctl_net_inet_ipsec_setup(struct sysctllog **);
351 #ifdef INET6
352 void sysctl_net_inet6_ipsec6_setup(struct sysctllog **);
353 #endif
354 
355 #endif /* _KERNEL */
356 #endif /* !_NETIPSEC_IPSEC_H_ */
357