507f26f6 | 1 | /* |
7f57c4f9 | 2 | * Copyright (C) 2016 Andreas Steffen |
9cee688f | 3 | * Copyright (C) 2006-2018 Tobias Brunner |
4 | * Copyright (C) 2006 Daniel Roethlisberger |
5 | * Copyright (C) 2005-2006 Martin Willi | |
6 | * Copyright (C) 2005 Jan Hutter | |
7 | * |
8 | * Copyright (C) secunet Security Networks AG | |
9 | * |
10 | * This program is free software; you can redistribute it and/or modify it | |
11 | * under the terms of the GNU General Public License as published by the | |
12 | * Free Software Foundation; either version 2 of the License, or (at your | |
13 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
14 | * | |
15 | * This program is distributed in the hope that it will be useful, but | |
16 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
17 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
18 | * for more details. | |
19 | */ |
20 | ||
21 | /** | |
22 | * @defgroup kernel_ipsec kernel_ipsec | |
8394ea2a | 23 | * @{ @ingroup kernel |
24 | */ |
25 | ||
26 | #ifndef KERNEL_IPSEC_H_ | |
27 | #define KERNEL_IPSEC_H_ | |
28 | ||
/* Forward declarations of the types defined in this header. They are placed
 * before the #includes below, presumably so that kernel_interface.h (which is
 * included further down) can refer to kernel_ipsec_t without an include cycle
 * - confirm before reordering. */
typedef struct kernel_ipsec_t kernel_ipsec_t;
typedef struct kernel_ipsec_sa_id_t kernel_ipsec_sa_id_t;
typedef struct kernel_ipsec_add_sa_t kernel_ipsec_add_sa_t;
typedef struct kernel_ipsec_update_sa_t kernel_ipsec_update_sa_t;
typedef struct kernel_ipsec_query_sa_t kernel_ipsec_query_sa_t;
typedef struct kernel_ipsec_del_sa_t kernel_ipsec_del_sa_t;
typedef struct kernel_ipsec_policy_id_t kernel_ipsec_policy_id_t;
typedef struct kernel_ipsec_manage_policy_t kernel_ipsec_manage_policy_t;
typedef struct kernel_ipsec_query_policy_t kernel_ipsec_query_policy_t;
507f26f6 | 38 | |
2e7cc07e | 39 | #include <networking/host.h> |
156f7e9b | 40 | #include <ipsec/ipsec_types.h> |
6f449d2e | 41 | #include <selectors/traffic_selector.h> |
bf0542c4 | 42 | #include <selectors/sec_label.h> |
29d30991 | 43 | #include <plugins/plugin.h> |
76f7d80e | 44 | #include <kernel/kernel_interface.h> |
507f26f6 | 45 | |
/**
 * Data required to identify an SA in the kernel
 *
 * As noted on kernel_ipsec_t.update_sa, the kernel identifies an SA by
 * destination address, SPI and protocol. src, mark and if_id presumably
 * refine that lookup; confirm with the backend in use.
 */
struct kernel_ipsec_sa_id_t {
	/** Source address */
	host_t *src;
	/** Destination address (part of the kernel's SA lookup key) */
	host_t *dst;
	/** SPI (part of the kernel's SA lookup key) */
	uint32_t spi;
	/** Protocol (ESP/AH) */
	uint8_t proto;
	/** Optional mark */
	mark_t mark;
	/** Optional interface ID */
	uint32_t if_id;
};
63 | ||
/**
 * Data required to add an SA to the kernel
 *
 * Together with a kernel_ipsec_sa_id_t this describes one SA for one
 * protocol in one direction (see kernel_ipsec_t.add_sa). Ownership of the
 * pointer members is not specified here; presumably the caller keeps them
 * alive for the duration of the call - confirm per backend.
 */
struct kernel_ipsec_add_sa_t {
	/** Reqid */
	uint32_t reqid;
	/** Mode (tunnel, transport...) */
	ipsec_mode_t mode;
	/** List of source traffic selectors */
	linked_list_t *src_ts;
	/** List of destination traffic selectors */
	linked_list_t *dst_ts;
	/** Network interface restricting policy */
	char *interface;
	/** Lifetime configuration */
	lifetime_cfg_t *lifetime;
	/** Encryption algorithm */
	uint16_t enc_alg;
	/** Encryption key
	 *  NOTE(review): secret key material - the caller should wipe it once the
	 *  SA is installed; confirm that no backend retains a reference to it. */
	chunk_t enc_key;
	/** Integrity protection algorithm */
	uint16_t int_alg;
	/** Integrity protection key (secret key material, see enc_key) */
	chunk_t int_key;
	/** Anti-replay window size
	 *  NOTE(review): whether 0 disables replay protection is not stated
	 *  here - confirm with the backend before relying on it. */
	uint32_t replay_window;
	/** Traffic Flow Confidentiality padding */
	uint32_t tfc;
	/** IPComp transform */
	uint16_t ipcomp;
	/** CPI for IPComp */
	uint16_t cpi;
	/** TRUE to enable UDP encapsulation for NAT traversal */
	bool encap;
	/** HW offload mode */
	hw_offload_t hw_offload;
	/** Mark the SA should apply to packets after processing */
	mark_t mark;
	/** Security label to match or apply */
	sec_label_t *label;
	/** TRUE to use Extended Sequence Numbers */
	bool esn;
	/** TRUE to copy the DF bit to the outer IPv4 header in tunnel mode */
	bool copy_df;
	/** TRUE to copy the ECN header field to/from the outer header */
	bool copy_ecn;
	/** Whether to copy the DSCP header field to/from the outer header */
	dscp_copy_t copy_dscp;
	/** TRUE if initiator of the exchange creating the SA */
	bool initiator;
	/** TRUE if this is an inbound SA */
	bool inbound;
	/** TRUE if an SPI has already been allocated for this SA
	 *  (for example through kernel_ipsec_t.get_spi) */
	bool update;
};
119 | ||
/**
 * Data required to update the hosts of an SA in the kernel
 *
 * See kernel_ipsec_t.update_sa: if the destination address changes the
 * backend creates a new SA and deletes the old one rather than updating
 * in place.
 */
struct kernel_ipsec_update_sa_t {
	/** CPI in case IPComp is used */
	uint16_t cpi;
	/** New source address */
	host_t *new_src;
	/** New destination address */
	host_t *new_dst;
	/** TRUE if UDP encapsulation is currently enabled */
	bool encap;
	/** TRUE to enable UDP encapsulation */
	bool new_encap;
	/** New reqid, or 0 if unchanged */
	uint32_t new_reqid;
};
137 | ||
/**
 * Data required to query an SA in the kernel
 */
struct kernel_ipsec_query_sa_t {
	/** CPI in case IPComp is used (as in kernel_ipsec_del_sa_t) */
	uint16_t cpi;
};
144 | ||
/**
 * Data required to delete an SA in the kernel
 *
 * The SA itself is identified by the accompanying kernel_ipsec_sa_id_t.
 */
struct kernel_ipsec_del_sa_t {
	/** CPI in case IPComp is used */
	uint16_t cpi;
};
152 | ||
/**
 * Data identifying a policy in the kernel
 *
 * Ownership of the pointer members is not specified here; presumably they
 * stay valid for the duration of the kernel_ipsec_t call - confirm per backend.
 */
struct kernel_ipsec_policy_id_t {
	/** Direction of traffic */
	policy_dir_t dir;
	/** Source traffic selector */
	traffic_selector_t *src_ts;
	/** Destination traffic selector */
	traffic_selector_t *dst_ts;
	/** Optional mark */
	mark_t mark;
	/** Optional interface ID */
	uint32_t if_id;
	/** Network interface restricting policy */
	char *interface;
	/** Security label restricting policy */
	sec_label_t *label;
};
172 | ||
/**
 * Data required to add/delete a policy to/from the kernel
 */
struct kernel_ipsec_manage_policy_t {
	/** Type of policy */
	policy_type_t type;
	/** Priority class */
	policy_priority_t prio;
	/** Manually-set priority (automatic if set to 0)
	 *  NOTE(review): a manual value takes the place of the class-derived
	 *  priority, so a mis-set value can shadow other policies in the SPD -
	 *  confirm the exact ordering semantics with the backend. */
	uint32_t manual_prio;
	/** HW offload mode */
	hw_offload_t hw_offload;
	/** Source address of the SA(s) tied to this policy */
	host_t *src;
	/** Destination address of the SA(s) tied to this policy */
	host_t *dst;
	/** Details about the SA(s) tied to this policy */
	ipsec_sa_cfg_t *sa;
};
192 | ||
/**
 * Data required to query a policy in the kernel
 *
 * Currently empty; presumably reserved so kernel_ipsec_t.query_policy can
 * gain parameters without a signature change. Note that an empty struct
 * definition is a compiler extension rather than ISO C.
 */
struct kernel_ipsec_query_policy_t {
};
198 | ||
/**
 * Interface to the ipsec subsystem of the kernel.
 *
 * The kernel ipsec interface handles the communication with the kernel
 * for SA and policy management. It allows setup of these, and provides
 * further the handling of kernel events.
 * Policy information is cached in the interface. This is necessary to do
 * reference counting. The Linux kernel does not allow the same policy
 * installed twice, but we need this as CHILD_SA exist multiple times
 * when rekeying. That's why we do reference counting of policies.
 *
 * Every method takes the interface itself as first argument (this). Whether
 * a backend may keep pointers into the id/data structs after a call returns
 * is not specified here - confirm per backend, especially for key material.
 */
struct kernel_ipsec_t {

	/**
	 * Get the feature set supported by this kernel backend.
	 *
	 * @return				ORed feature-set of backend
	 */
	kernel_feature_t (*get_features)(kernel_ipsec_t *this);

	/**
	 * Get a SPI from the kernel.
	 *
	 * The SPI is chosen by the kernel. Presumably it stays reserved until
	 * an SA using it is added (add_sa with update set) - confirm per backend.
	 *
	 * @param src			source address of SA
	 * @param dst			destination address of SA
	 * @param protocol		protocol for SA (ESP/AH)
	 * @param spi			allocated spi
	 * @return				SUCCESS if operation completed
	 */
	status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
						uint8_t protocol, uint32_t *spi);

	/**
	 * Get a Compression Parameter Index (CPI) from the kernel.
	 *
	 * Used for IPComp; the value is later passed in the cpi member of the
	 * SA data structs.
	 *
	 * @param src			source address of SA
	 * @param dst			destination address of SA
	 * @param cpi			allocated cpi
	 * @return				SUCCESS if operation completed
	 */
	status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
						uint16_t *cpi);

	/**
	 * Add an SA to the SAD.
	 *
	 * This function installs a single SA for a single protocol in one
	 * direction.
	 *
	 * NOTE(review): data carries the raw encryption/integrity keys; the
	 * caller should wipe them once this returns - confirm that no backend
	 * retains a reference to data beyond the call.
	 *
	 * @param id			data identifying this SA
	 * @param data			data for this SA
	 * @return				SUCCESS if operation completed
	 */
	status_t (*add_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
					   kernel_ipsec_add_sa_t *data);

	/**
	 * Update the hosts on an installed SA.
	 *
	 * We cannot directly update the destination address as the kernel
	 * requires the spi, the protocol AND the destination address (and family)
	 * to identify SAs. Therefore if the destination address changed we
	 * create a new SA and delete the old one.
	 *
	 * @param id			data identifying this SA
	 * @param data			updated data for this SA
	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
	 *						the kernel interface can't update the SA
	 */
	status_t (*update_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
						  kernel_ipsec_update_sa_t *data);

	/**
	 * Query the number of bytes processed by an SA from the SAD.
	 *
	 * The output parameters are presumably only meaningful when SUCCESS is
	 * returned - confirm per backend.
	 *
	 * @param id			data identifying this SA
	 * @param data			data to query the SA
	 * @param[out] bytes	the number of bytes processed by SA
	 * @param[out] packets	number of packets processed by SA
	 * @param[out] time		last (monotonic) time of SA use
	 * @return				SUCCESS if operation completed
	 */
	status_t (*query_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
						 kernel_ipsec_query_sa_t *data, uint64_t *bytes,
						 uint64_t *packets, time_t *time);

	/**
	 * Delete a previously installed SA from the SAD.
	 *
	 * @param id			data identifying this SA
	 * @param data			data to delete the SA
	 * @return				SUCCESS if operation completed
	 */
	status_t (*del_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
					   kernel_ipsec_del_sa_t *data);

	/**
	 * Flush all SAs from the SAD.
	 *
	 * NOTE(review): "all" presumably includes SAs not installed through this
	 * interface - confirm per backend before calling on a shared host.
	 *
	 * @return				SUCCESS if operation completed
	 */
	status_t (*flush_sas)(kernel_ipsec_t *this);

	/**
	 * Add a policy to the SPD.
	 *
	 * Policies are reference counted by the interface (see the struct
	 * description), so adding the same policy twice is expected.
	 *
	 * @param id			data identifying this policy
	 * @param data			data for this policy
	 * @return				SUCCESS if operation completed
	 */
	status_t (*add_policy)(kernel_ipsec_t *this,
						   kernel_ipsec_policy_id_t *id,
						   kernel_ipsec_manage_policy_t *data);

	/**
	 * Query the use time of a policy.
	 *
	 * The use time of a policy is the time the policy was used for the last
	 * time. It is not the system time, but a monotonic timestamp as returned
	 * by time_monotonic.
	 *
	 * @param id			data identifying this policy
	 * @param data			data to query the policy
	 * @param[out] use_time	the monotonic timestamp of this policy's last use
	 * @return				SUCCESS if operation completed
	 */
	status_t (*query_policy)(kernel_ipsec_t *this,
							 kernel_ipsec_policy_id_t *id,
							 kernel_ipsec_query_policy_t *data,
							 time_t *use_time);

	/**
	 * Remove a policy from the SPD.
	 *
	 * Because policies are reference counted, the kernel entry is presumably
	 * only removed once the last reference is dropped - confirm per backend.
	 *
	 * @param id			data identifying this policy
	 * @param data			data for this policy
	 * @return				SUCCESS if operation completed
	 */
	status_t (*del_policy)(kernel_ipsec_t *this,
						   kernel_ipsec_policy_id_t *id,
						   kernel_ipsec_manage_policy_t *data);

	/**
	 * Flush all policies from the SPD.
	 *
	 * NOTE(review): as for flush_sas, this presumably also drops policies
	 * not installed through this interface - confirm per backend.
	 *
	 * @return				SUCCESS if operation completed
	 */
	status_t (*flush_policies)(kernel_ipsec_t *this);

	/**
	 * Install a bypass policy for the given socket.
	 *
	 * A bypass policy exempts the socket's own traffic from IPsec processing
	 * (presumably used for the daemon's IKE sockets). It is per socket, not
	 * per address, so it should only be requested for sockets this process
	 * owns.
	 *
	 * @param fd			socket file descriptor to setup policy for
	 * @param family		protocol family of the socket
	 * @return				TRUE if policy set up successfully
	 */
	bool (*bypass_socket)(kernel_ipsec_t *this, int fd, int family);

	/**
	 * Enable decapsulation of ESP-in-UDP packets for the given port/socket.
	 *
	 * This is the receive side of UDP encapsulation for NAT traversal
	 * (see the encap members of the SA data structs).
	 *
	 * @param fd			socket file descriptor
	 * @param family		protocol family of the socket
	 * @param port			the UDP port
	 * @return				TRUE if UDP decapsulation was enabled successfully
	 */
	bool (*enable_udp_decap)(kernel_ipsec_t *this, int fd, int family,
							 uint16_t port);

	/**
	 * Destroy the implementation.
	 *
	 * this must not be used after this call.
	 */
	void (*destroy)(kernel_ipsec_t *this);
};
373 | ||
/**
 * Helper function to (un-)register IPsec kernel interfaces from plugin features.
 *
 * This function is a plugin_feature_callback_t and can be used with the
 * PLUGIN_CALLBACK macro to register an IPsec kernel interface constructor.
 *
 * @param plugin			plugin registering the kernel interface
 * @param feature			associated plugin feature
 * @param reg				TRUE to register, FALSE to unregister
 * @param data				data passed to callback, a kernel_ipsec_constructor_t
 * @return					TRUE on success, following the
 *							plugin_feature_callback_t contract - confirm
 *							against plugins/plugin.h
 */
bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature,
						   bool reg, void *data);
387 | ||
1490ff4d | 388 | #endif /** KERNEL_IPSEC_H_ @}*/ |