Annotation of embedaddon/strongswan/src/libcharon/kernel/kernel_ipsec.h, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (C) 2016 Andreas Steffen
! 3: * Copyright (C) 2006-2018 Tobias Brunner
! 4: * Copyright (C) 2006 Daniel Roethlisberger
! 5: * Copyright (C) 2005-2006 Martin Willi
! 6: * Copyright (C) 2005 Jan Hutter
! 7: * HSR Hochschule fuer Technik Rapperswil
! 8: *
! 9: * This program is free software; you can redistribute it and/or modify it
! 10: * under the terms of the GNU General Public License as published by the
! 11: * Free Software Foundation; either version 2 of the License, or (at your
! 12: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 13: *
! 14: * This program is distributed in the hope that it will be useful, but
! 15: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 16: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 17: * for more details.
! 18: */
! 19:
! 20: /**
! 21: * @defgroup kernel_ipsec kernel_ipsec
! 22: * @{ @ingroup kernel
! 23: */
! 24:
! 25: #ifndef KERNEL_IPSEC_H_
! 26: #define KERNEL_IPSEC_H_
! 27:
! 28: typedef struct kernel_ipsec_t kernel_ipsec_t;
! 29: typedef struct kernel_ipsec_sa_id_t kernel_ipsec_sa_id_t;
! 30: typedef struct kernel_ipsec_add_sa_t kernel_ipsec_add_sa_t;
! 31: typedef struct kernel_ipsec_update_sa_t kernel_ipsec_update_sa_t;
! 32: typedef struct kernel_ipsec_query_sa_t kernel_ipsec_query_sa_t;
! 33: typedef struct kernel_ipsec_del_sa_t kernel_ipsec_del_sa_t;
! 34: typedef struct kernel_ipsec_policy_id_t kernel_ipsec_policy_id_t;
! 35: typedef struct kernel_ipsec_manage_policy_t kernel_ipsec_manage_policy_t;
! 36: typedef struct kernel_ipsec_query_policy_t kernel_ipsec_query_policy_t;
! 37:
! 38: #include <networking/host.h>
! 39: #include <ipsec/ipsec_types.h>
! 40: #include <selectors/traffic_selector.h>
! 41: #include <plugins/plugin.h>
! 42: #include <kernel/kernel_interface.h>
! 43:
! 44: /**
! 45: * Data required to identify an SA in the kernel
! 46: */
! 47: struct kernel_ipsec_sa_id_t {
! 48: /** Source address */
! 49: host_t *src;
! 50: /** Destination address */
! 51: host_t *dst;
! 52: /** SPI */
! 53: uint32_t spi;
! 54: /** Protocol (ESP/AH) */
! 55: uint8_t proto;
! 56: /** Optional mark */
! 57: mark_t mark;
! 58: /** Optional interface ID */
! 59: uint32_t if_id;
! 60: };
! 61:
! 62: /**
! 63: * Data required to add an SA to the kernel
! 64: */
! 65: struct kernel_ipsec_add_sa_t {
! 66: /** Reqid */
! 67: uint32_t reqid;
! 68: /** Mode (tunnel, transport...) */
! 69: ipsec_mode_t mode;
! 70: /** List of source traffic selectors */
! 71: linked_list_t *src_ts;
! 72: /** List of destination traffic selectors */
! 73: linked_list_t *dst_ts;
! 74: /** Network interface restricting policy */
! 75: char *interface;
! 76: /** Lifetime configuration */
! 77: lifetime_cfg_t *lifetime;
! 78: /** Encryption algorithm */
! 79: uint16_t enc_alg;
! 80: /** Encryption key */
! 81: chunk_t enc_key;
! 82: /** Integrity protection algorithm */
! 83: uint16_t int_alg;
! 84: /** Integrity protection key */
! 85: chunk_t int_key;
! 86: /** Anti-replay window size */
! 87: uint32_t replay_window;
! 88: /** Traffic Flow Confidentiality padding */
! 89: uint32_t tfc;
! 90: /** IPComp transform */
! 91: uint16_t ipcomp;
! 92: /** CPI for IPComp */
! 93: uint16_t cpi;
! 94: /** TRUE to enable UDP encapsulation for NAT traversal */
! 95: bool encap;
! 96: /** no (disabled), yes (enabled), auto (enabled if supported) */
! 97: hw_offload_t hw_offload;
! 98: /** Mark the SA should apply to packets after processing */
! 99: mark_t mark;
! 100: /** TRUE to use Extended Sequence Numbers */
! 101: bool esn;
! 102: /** TRUE to copy the DF bit to the outer IPv4 header in tunnel mode */
! 103: bool copy_df;
! 104: /** TRUE to copy the ECN header field to/from the outer header */
! 105: bool copy_ecn;
! 106: /** Whether to copy the DSCP header field to/from the outer header */
! 107: dscp_copy_t copy_dscp;
! 108: /** TRUE if initiator of the exchange creating the SA */
! 109: bool initiator;
! 110: /** TRUE if this is an inbound SA */
! 111: bool inbound;
! 112: /** TRUE if an SPI has already been allocated for this SA */
! 113: bool update;
! 114: };
! 115:
! 116: /**
! 117: * Data required to update the hosts of an SA in the kernel
! 118: */
! 119: struct kernel_ipsec_update_sa_t {
! 120: /** CPI in case IPComp is used */
! 121: uint16_t cpi;
! 122: /** New source address */
! 123: host_t *new_src;
! 124: /** New destination address */
! 125: host_t *new_dst;
! 126: /** TRUE if UDP encapsulation is currently enabled */
! 127: bool encap;
! 128: /** TRUE to enable UDP encapsulation */
! 129: bool new_encap;
! 130: };
! 131:
! 132: /**
! 133: * Data required to query an SA in the kernel
! 134: */
! 135: struct kernel_ipsec_query_sa_t {
! 136: uint16_t cpi;
! 137: };
! 138:
! 139: /**
! 140: * Data required to delete an SA in the kernel
! 141: */
! 142: struct kernel_ipsec_del_sa_t {
! 143: /** CPI in case IPComp is used */
! 144: uint16_t cpi;
! 145: };
! 146:
! 147: /**
! 148: * Data identifying a policy in the kernel
! 149: */
! 150: struct kernel_ipsec_policy_id_t {
! 151: /** Direction of traffic */
! 152: policy_dir_t dir;
! 153: /** Source traffic selector */
! 154: traffic_selector_t *src_ts;
! 155: /** Destination traffic selector */
! 156: traffic_selector_t *dst_ts;
! 157: /** Optional mark */
! 158: mark_t mark;
! 159: /** Optional interface ID */
! 160: uint32_t if_id;
! 161: /** Network interface restricting policy */
! 162: char *interface;
! 163: };
! 164:
! 165: /**
! 166: * Data required to add/delete a policy to/from the kernel
! 167: */
! 168: struct kernel_ipsec_manage_policy_t {
! 169: /** Type of policy */
! 170: policy_type_t type;
! 171: /** Priority class */
! 172: policy_priority_t prio;
! 173: /** Manually-set priority (automatic if set to 0) */
! 174: uint32_t manual_prio;
! 175: /** Source address of the SA(s) tied to this policy */
! 176: host_t *src;
! 177: /** Destination address of the SA(s) tied to this policy */
! 178: host_t *dst;
! 179: /** Details about the SA(s) tied to this policy */
! 180: ipsec_sa_cfg_t *sa;
! 181: };
! 182:
! 183: /**
! 184: * Data required to query a policy in the kernel
! 185: */
! 186: struct kernel_ipsec_query_policy_t {
! 187: };
! 188:
! 189: /**
! 190: * Interface to the ipsec subsystem of the kernel.
! 191: *
! 192: * The kernel ipsec interface handles the communication with the kernel
! 193: * for SA and policy management. It allows setup of these, and provides
! 194: * further the handling of kernel events.
! 195: * Policy information are cached in the interface. This is necessary to do
! 196: * reference counting. The Linux kernel does not allow the same policy
! 197: * installed twice, but we need this as CHILD_SA exist multiple times
! 198: * when rekeying. That's why we do reference counting of policies.
! 199: */
! 200: struct kernel_ipsec_t {
! 201:
! 202: /**
! 203: * Get the feature set supported by this kernel backend.
! 204: *
! 205: * @return ORed feature-set of backend
! 206: */
! 207: kernel_feature_t (*get_features)(kernel_ipsec_t *this);
! 208:
! 209: /**
! 210: * Get a SPI from the kernel.
! 211: *
! 212: * @param src source address of SA
! 213: * @param dst destination address of SA
! 214: * @param protocol protocol for SA (ESP/AH)
! 215: * @param spi allocated spi
! 216: * @return SUCCESS if operation completed
! 217: */
! 218: status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
! 219: uint8_t protocol, uint32_t *spi);
! 220:
! 221: /**
! 222: * Get a Compression Parameter Index (CPI) from the kernel.
! 223: *
! 224: * @param src source address of SA
! 225: * @param dst destination address of SA
! 226: * @param cpi allocated cpi
! 227: * @return SUCCESS if operation completed
! 228: */
! 229: status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
! 230: uint16_t *cpi);
! 231:
! 232: /**
! 233: * Add an SA to the SAD.
! 234: *
! 235: * This function does install a single SA for a single protocol in one
! 236: * direction.
! 237: *
! 238: * @param id data identifying this SA
! 239: * @param data data for this SA
! 240: * @return SUCCESS if operation completed
! 241: */
! 242: status_t (*add_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
! 243: kernel_ipsec_add_sa_t *data);
! 244:
! 245: /**
! 246: * Update the hosts on an installed SA.
! 247: *
! 248: * We cannot directly update the destination address as the kernel
! 249: * requires the spi, the protocol AND the destination address (and family)
! 250: * to identify SAs. Therefore if the destination address changed we
! 251: * create a new SA and delete the old one.
! 252: *
! 253: * @param id data identifying this SA
! 254: * @param data updated data for this SA
! 255: * @return SUCCESS if operation completed, NOT_SUPPORTED if
! 256: * the kernel interface can't update the SA
! 257: */
! 258: status_t (*update_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
! 259: kernel_ipsec_update_sa_t *data);
! 260:
! 261: /**
! 262: * Query the number of bytes processed by an SA from the SAD.
! 263: *
! 264: * @param id data identifying this SA
! 265: * @param data data to query the SA
! 266: * @param[out] bytes the number of bytes processed by SA
! 267: * @param[out] packets number of packets processed by SA
! 268: * @param[out] time last (monotonic) time of SA use
! 269: * @return SUCCESS if operation completed
! 270: */
! 271: status_t (*query_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
! 272: kernel_ipsec_query_sa_t *data, uint64_t *bytes,
! 273: uint64_t *packets, time_t *time);
! 274:
! 275: /**
! 276: * Delete a previously installed SA from the SAD.
! 277: *
! 278: * @param id data identifying this SA
! 279: * @param data data to delete the SA
! 280: * @return SUCCESS if operation completed
! 281: */
! 282: status_t (*del_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
! 283: kernel_ipsec_del_sa_t *data);
! 284:
! 285: /**
! 286: * Flush all SAs from the SAD.
! 287: *
! 288: * @return SUCCESS if operation completed
! 289: */
! 290: status_t (*flush_sas)(kernel_ipsec_t *this);
! 291:
! 292: /**
! 293: * Add a policy to the SPD.
! 294: *
! 295: * @param id data identifying this policy
! 296: * @param data data for this policy
! 297: * @return SUCCESS if operation completed
! 298: */
! 299: status_t (*add_policy)(kernel_ipsec_t *this,
! 300: kernel_ipsec_policy_id_t *id,
! 301: kernel_ipsec_manage_policy_t *data);
! 302:
! 303: /**
! 304: * Query the use time of a policy.
! 305: *
! 306: * The use time of a policy is the time the policy was used for the last
! 307: * time. It is not the system time, but a monotonic timestamp as returned
! 308: * by time_monotonic.
! 309: *
! 310: * @param id data identifying this policy
! 311: * @param data data to query the policy
! 312: * @param[out] use_time the monotonic timestamp of this SA's last use
! 313: * @return SUCCESS if operation completed
! 314: */
! 315: status_t (*query_policy)(kernel_ipsec_t *this,
! 316: kernel_ipsec_policy_id_t *id,
! 317: kernel_ipsec_query_policy_t *data,
! 318: time_t *use_time);
! 319:
! 320: /**
! 321: * Remove a policy from the SPD.
! 322: *
! 323: * @param id data identifying this policy
! 324: * @param data data for this policy
! 325: * @return SUCCESS if operation completed
! 326: */
! 327: status_t (*del_policy)(kernel_ipsec_t *this,
! 328: kernel_ipsec_policy_id_t *id,
! 329: kernel_ipsec_manage_policy_t *data);
! 330:
! 331: /**
! 332: * Flush all policies from the SPD.
! 333: *
! 334: * @return SUCCESS if operation completed
! 335: */
! 336: status_t (*flush_policies)(kernel_ipsec_t *this);
! 337:
! 338: /**
! 339: * Install a bypass policy for the given socket.
! 340: *
! 341: * @param fd socket file descriptor to setup policy for
! 342: * @param family protocol family of the socket
! 343: * @return TRUE of policy set up successfully
! 344: */
! 345: bool (*bypass_socket)(kernel_ipsec_t *this, int fd, int family);
! 346:
! 347: /**
! 348: * Enable decapsulation of ESP-in-UDP packets for the given port/socket.
! 349: *
! 350: * @param fd socket file descriptor
! 351: * @param family protocol family of the socket
! 352: * @param port the UDP port
! 353: * @return TRUE if UDP decapsulation was enabled successfully
! 354: */
! 355: bool (*enable_udp_decap)(kernel_ipsec_t *this, int fd, int family,
! 356: uint16_t port);
! 357:
! 358: /**
! 359: * Destroy the implementation.
! 360: */
! 361: void (*destroy)(kernel_ipsec_t *this);
! 362: };
! 363:
! 364: /**
! 365: * Helper function to (un-)register IPsec kernel interfaces from plugin features.
! 366: *
! 367: * This function is a plugin_feature_callback_t and can be used with the
! 368: * PLUGIN_CALLBACK macro to register an IPsec kernel interface constructor.
! 369: *
! 370: * @param plugin plugin registering the kernel interface
! 371: * @param feature associated plugin feature
! 372: * @param reg TRUE to register, FALSE to unregister
! 373: * @param data data passed to callback, an kernel_ipsec_constructor_t
! 374: */
! 375: bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature,
! 376: bool reg, void *data);
! 377:
! 378: #endif /** KERNEL_IPSEC_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>