/*
 * Copyright (C) 2006-2010 Tobias Brunner
 * Copyright (C) 2006 Daniel Roethlisberger
 * Copyright (C) 2005-2006 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details.
 */
18 | ||
/**
 * @defgroup kernel_ipsec kernel_ipsec
 * @{ @ingroup hkernel
 */
23 | ||
24 | #ifndef KERNEL_IPSEC_H_ | |
25 | #define KERNEL_IPSEC_H_ | |
26 | ||
a341a68f | 27 | typedef enum ipsec_mode_t ipsec_mode_t; |
507f26f6 | 28 | typedef enum policy_dir_t policy_dir_t; |
bd7a2f3b | 29 | typedef enum policy_type_t policy_type_t; |
08c0d340 | 30 | typedef enum ipcomp_transform_t ipcomp_transform_t; |
507f26f6 | 31 | typedef struct kernel_ipsec_t kernel_ipsec_t; |
34cf6def | 32 | typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t; |
6f449d2e TB |
33 | typedef struct lifetime_cfg_t lifetime_cfg_t; |
34 | typedef struct mark_t mark_t; | |
35 | |
36 | #include <utils/host.h> | |
37 | #include <crypto/prf_plus.h> | |
6f449d2e | 38 | #include <selectors/traffic_selector.h> |
507f26f6 | 39 | |
/**
 * Mode of an IPsec SA, or of a policy that carries no SA (MODE_PASS/MODE_DROP).
 *
 * Values start at 1 and are assigned explicitly so they stay stable.
 */
enum ipsec_mode_t {
	MODE_TRANSPORT = 1,  /**< transport mode, no inner address */
	MODE_TUNNEL = 2,     /**< tunnel mode, inner and outer addresses */
	MODE_BEET = 3,       /**< BEET mode, tunnel mode but fixed, bound inner addresses */
	MODE_PASS = 4,       /**< passthrough policy for traffic without an IPsec SA */
	MODE_DROP = 5,       /**< drop policy discarding traffic */
};
55 | ||
/**
 * Printable names for the values of ipsec_mode_t.
 */
extern enum_name_t *ipsec_mode_names;
60 | ||
/**
 * Direction of a policy.
 *
 * The numeric values match those defined in xfrm.h, but the enum is kept
 * here so that the interface stays implementation neutral.
 */
enum policy_dir_t {
	POLICY_IN = 0,   /**< policy for inbound traffic */
	POLICY_OUT = 1,  /**< policy for outbound traffic */
	POLICY_FWD = 2,  /**< policy for forwarded traffic */
};
74 | ||
/**
 * Printable names for the values of policy_dir_t.
 */
extern enum_name_t *policy_dir_names;
79 | ||
/**
 * Type of a policy.
 *
 * Values start at 1 and are assigned explicitly so they stay stable.
 */
enum policy_type_t {
	POLICY_IPSEC = 1,  /**< normal IPsec policy */
	POLICY_PASS = 2,   /**< passthrough policy (traffic is ignored by IPsec) */
	POLICY_DROP = 3,   /**< drop policy (traffic is discarded) */
};
91 | ||
/**
 * IPComp transform IDs, using the numbering of RFC 4306.
 */
enum ipcomp_transform_t {
	IPCOMP_NONE = 0,     /**< no IPComp */
	IPCOMP_OUI = 1,      /**< vendor specific (OUI) transform */
	IPCOMP_DEFLATE = 2,  /**< DEFLATE */
	IPCOMP_LZS = 3,      /**< LZS */
	IPCOMP_LZJH = 4,     /**< LZJH */
};
102 | ||
/**
 * Printable names for the values of ipcomp_transform_t.
 */
extern enum_name_t *ipcomp_transform_names;
107 | ||
/**
 * Details about the IPsec SA(s) tied to a policy.
 *
 * A policy may be backed by ESP, AH or both; each protocol block records
 * whether it is in use and, if so, its SPI. IPComp, if any, is described
 * separately by its transform and CPI.
 */
struct ipsec_sa_cfg_t {
	/** mode of the SA (tunnel, transport) */
	ipsec_mode_t mode;
	/** unique ID of the SA */
	u_int32_t reqid;
	/** details about ESP and AH, one entry per protocol */
	struct {
		/** TRUE if this protocol is used */
		bool use;
		/** SPI of the ESP/AH SA */
		u_int32_t spi;
	} esp, ah;
	/** details about IPComp */
	struct {
		/** the IPComp transform used */
		u_int16_t transform;
		/** CPI for IPComp */
		u_int16_t cpi;
	} ipcomp;
};
131 | ||
/**
 * Lifetime limits of an SA, expressed in time, bytes and packets.
 *
 * Each dimension has the same three limits; any limit set to 0 is ignored.
 */
struct lifetime_cfg_t {
	struct {
		/** limit after which the SA becomes invalid */
		u_int64_t life;
		/** limit after which the SA gets rekeyed */
		u_int64_t rekey;
		/** range of a random value subtracted from rekey */
		u_int64_t jitter;
	} time, bytes, packets;
};
147 | ||
/**
 * An optional mark attached to an IPsec SA or policy.
 *
 * The mark consists of a value and the mask that selects the bits of the
 * value that are significant.
 */
struct mark_t {
	/** mark value */
	u_int32_t value;
	/** mask selecting the significant bits of value */
	u_int32_t mask;
};
157 | ||
/**
 * Interface to the IPsec subsystem of the kernel.
 *
 * The kernel IPsec interface handles the communication with the kernel for
 * SA and policy management: it sets these up, updates, queries and deletes
 * them, and it handles the events the kernel reports back.
 *
 * Policy information is cached in the interface so that policies can be
 * reference counted. The Linux kernel does not allow the same policy to be
 * installed twice, but the same policy exists multiple times while a
 * CHILD_SA is rekeyed; the reference count bridges that gap.
 */
struct kernel_ipsec_t {

	/**
	 * Get an SPI from the kernel.
	 *
	 * @param src			source address of SA
	 * @param dst			destination address of SA
	 * @param protocol		protocol for SA (ESP/AH)
	 * @param reqid			unique ID for this SA
	 * @param[out] spi		allocated SPI
	 * @return				SUCCESS if operation completed
	 */
	status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
						u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);

	/**
	 * Get a Compression Parameter Index (CPI) from the kernel.
	 *
	 * @param src			source address of SA
	 * @param dst			destination address of SA
	 * @param reqid			unique ID for the corresponding SA
	 * @param[out] cpi		allocated CPI
	 * @return				SUCCESS if operation completed
	 */
	status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
						u_int32_t reqid, u_int16_t *cpi);

	/**
	 * Add an SA to the SAD.
	 *
	 * This installs a single SA for a single protocol in one direction.
	 * add_sa() may also complete an SPI that was allocated earlier via
	 * get_spi(). NOTE(review): the previous comment required a "replace
	 * flag" to be set in that case, but no such parameter exists in this
	 * signature -- confirm how implementations tell the two cases apart.
	 *
	 * enc_key and int_key carry the keying material of the SA; they are
	 * meant to be handed to the kernel and should not be logged or retained.
	 *
	 * @param src			source address for this SA
	 * @param dst			destination address for this SA
	 * @param spi			SPI allocated by us or remote peer
	 * @param protocol		protocol for this SA (ESP/AH)
	 * @param reqid			unique ID for this SA
	 * @param mark			mark for this SA
	 * @param tfc			Traffic Flow Confidentiality padding for this SA
	 * @param lifetime		lifetime_cfg_t for this SA
	 * @param enc_alg		algorithm to use for encryption (ESP only)
	 * @param enc_key		key to use for encryption
	 * @param int_alg		algorithm to use for integrity protection
	 * @param int_key		key to use for integrity protection
	 * @param mode			mode of the SA (tunnel, transport)
	 * @param ipcomp		IPComp transform to use
	 * @param cpi			CPI for IPComp
	 * @param encap			enable UDP encapsulation for NAT traversal
	 * @param esn			TRUE to use Extended Sequence Numbers
	 * @param inbound		TRUE if this is an inbound SA
	 * @param src_ts		traffic selector with BEET source address
	 * @param dst_ts		traffic selector with BEET destination address
	 * @return				SUCCESS if operation completed
	 */
	status_t (*add_sa) (kernel_ipsec_t *this,
						host_t *src, host_t *dst, u_int32_t spi,
						u_int8_t protocol, u_int32_t reqid,
						mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime,
						u_int16_t enc_alg, chunk_t enc_key,
						u_int16_t int_alg, chunk_t int_key,
						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
						bool encap, bool esn, bool inbound,
						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);

	/**
	 * Update the hosts on an installed SA.
	 *
	 * The destination address cannot be updated in place: the kernel
	 * identifies an SA by SPI, protocol AND destination address (including
	 * its family). If the destination address changes, a new SA is created
	 * and the old one deleted.
	 *
	 * @param spi			SPI of the SA
	 * @param protocol		protocol for this SA (ESP/AH)
	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
	 * @param src			current source address
	 * @param dst			current destination address
	 * @param new_src		new source address
	 * @param new_dst		new destination address
	 * @param encap			current use of UDP encapsulation
	 * @param new_encap		new use of UDP encapsulation
	 * @param mark			optional mark for this SA
	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
	 *						the kernel interface can't update the SA
	 */
	status_t (*update_sa)(kernel_ipsec_t *this,
						  u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
						  host_t *src, host_t *dst,
						  host_t *new_src, host_t *new_dst,
						  bool encap, bool new_encap, mark_t mark);

	/**
	 * Query the number of bytes processed by an SA from the SAD.
	 *
	 * @param src			source address for this SA
	 * @param dst			destination address for this SA
	 * @param spi			SPI allocated by us or remote peer
	 * @param protocol		protocol for this SA (ESP/AH)
	 * @param mark			optional mark for this SA
	 * @param[out] bytes	the number of bytes processed by the SA
	 * @return				SUCCESS if operation completed
	 */
	status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
						  u_int32_t spi, u_int8_t protocol, mark_t mark,
						  u_int64_t *bytes);

	/**
	 * Delete a previously installed SA from the SAD.
	 *
	 * @param src			source address for this SA
	 * @param dst			destination address for this SA
	 * @param spi			SPI allocated by us or remote peer
	 * @param protocol		protocol for this SA (ESP/AH)
	 * @param cpi			CPI for IPComp or 0
	 * @param mark			optional mark for this SA
	 * @return				SUCCESS if operation completed
	 */
	status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
						u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
						mark_t mark);

	/**
	 * Add a policy to the SPD.
	 *
	 * A policy is always associated to an SA: traffic matching the policy
	 * is handled by the SA with the same reqid.
	 *
	 * @param src			source address of SA
	 * @param dst			dest address of SA
	 * @param src_ts		traffic selector to match traffic source
	 * @param dst_ts		traffic selector to match traffic dest
	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
	 * @param sa			details about the SA(s) tied to this policy
	 * @param mark			mark for this policy
	 * @param routed		TRUE, if this policy is routed in the kernel
	 * @return				SUCCESS if operation completed
	 */
	status_t (*add_policy) (kernel_ipsec_t *this,
							host_t *src, host_t *dst,
							traffic_selector_t *src_ts,
							traffic_selector_t *dst_ts,
							policy_dir_t direction, policy_type_t type,
							ipsec_sa_cfg_t *sa, mark_t mark, bool routed);

	/**
	 * Query the use time of a policy.
	 *
	 * The use time is the time the policy was last used. It is not the
	 * system time but a monotonic timestamp as returned by time_monotonic.
	 *
	 * @param src_ts		traffic selector to match traffic source
	 * @param dst_ts		traffic selector to match traffic dest
	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
	 * @param mark			optional mark
	 * @param[out] use_time	the monotonic timestamp of the policy's last use
	 * @return				SUCCESS if operation completed
	 */
	status_t (*query_policy) (kernel_ipsec_t *this,
							  traffic_selector_t *src_ts,
							  traffic_selector_t *dst_ts,
							  policy_dir_t direction, mark_t mark,
							  u_int32_t *use_time);

	/**
	 * Remove a policy from the SPD.
	 *
	 * Policies are reference counted by the kernel interface: installing
	 * the same policy multiple times (as happens when rekeying) increases
	 * the counter, and del_policy() decreases it, removing the policy from
	 * the kernel only once no references remain.
	 *
	 * @param src_ts		traffic selector to match traffic source
	 * @param dst_ts		traffic selector to match traffic dest
	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
	 * @param mark			optional mark
	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
	 * @return				SUCCESS if operation completed
	 */
	status_t (*del_policy) (kernel_ipsec_t *this,
							traffic_selector_t *src_ts,
							traffic_selector_t *dst_ts,
							policy_dir_t direction, mark_t mark,
							bool unrouted);

	/**
	 * Install a bypass policy for the given socket.
	 *
	 * A bypass policy exempts the traffic of this socket from the IPsec
	 * policies installed otherwise.
	 *
	 * @param fd			socket file descriptor to set up the policy for
	 * @param family		protocol family of the socket
	 * @return				TRUE if the policy was set up successfully
	 */
	bool (*bypass_socket)(kernel_ipsec_t *this, int fd, int family);

	/**
	 * Destroy the implementation.
	 */
	void (*destroy) (kernel_ipsec_t *this);
};
373 | ||
1490ff4d | 374 | #endif /** KERNEL_IPSEC_H_ @}*/ |