Annotation of embedaddon/strongswan/src/libcharon/kernel/kernel_ipsec.h, revision 1.1.1.1
1.1 misho 1: /*
2: * Copyright (C) 2016 Andreas Steffen
3: * Copyright (C) 2006-2018 Tobias Brunner
4: * Copyright (C) 2006 Daniel Roethlisberger
5: * Copyright (C) 2005-2006 Martin Willi
6: * Copyright (C) 2005 Jan Hutter
7: * HSR Hochschule fuer Technik Rapperswil
8: *
9: * This program is free software; you can redistribute it and/or modify it
10: * under the terms of the GNU General Public License as published by the
11: * Free Software Foundation; either version 2 of the License, or (at your
12: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13: *
14: * This program is distributed in the hope that it will be useful, but
15: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17: * for more details.
18: */
19:
20: /**
21: * @defgroup kernel_ipsec kernel_ipsec
22: * @{ @ingroup kernel
23: */
24:
25: #ifndef KERNEL_IPSEC_H_
26: #define KERNEL_IPSEC_H_
27:
28: typedef struct kernel_ipsec_t kernel_ipsec_t;
29: typedef struct kernel_ipsec_sa_id_t kernel_ipsec_sa_id_t;
30: typedef struct kernel_ipsec_add_sa_t kernel_ipsec_add_sa_t;
31: typedef struct kernel_ipsec_update_sa_t kernel_ipsec_update_sa_t;
32: typedef struct kernel_ipsec_query_sa_t kernel_ipsec_query_sa_t;
33: typedef struct kernel_ipsec_del_sa_t kernel_ipsec_del_sa_t;
34: typedef struct kernel_ipsec_policy_id_t kernel_ipsec_policy_id_t;
35: typedef struct kernel_ipsec_manage_policy_t kernel_ipsec_manage_policy_t;
36: typedef struct kernel_ipsec_query_policy_t kernel_ipsec_query_policy_t;
37:
38: #include <networking/host.h>
39: #include <ipsec/ipsec_types.h>
40: #include <selectors/traffic_selector.h>
41: #include <plugins/plugin.h>
42: #include <kernel/kernel_interface.h>
43:
44: /**
45: * Data required to identify an SA in the kernel
46: */
47: struct kernel_ipsec_sa_id_t {
48: /** Source address */
49: host_t *src;
50: /** Destination address */
51: host_t *dst;
52: /** SPI */
53: uint32_t spi;
54: /** Protocol (ESP/AH) */
55: uint8_t proto;
56: /** Optional mark */
57: mark_t mark;
58: /** Optional interface ID */
59: uint32_t if_id;
60: };
61:
62: /**
63: * Data required to add an SA to the kernel
64: */
65: struct kernel_ipsec_add_sa_t {
66: /** Reqid */
67: uint32_t reqid;
68: /** Mode (tunnel, transport...) */
69: ipsec_mode_t mode;
70: /** List of source traffic selectors */
71: linked_list_t *src_ts;
72: /** List of destination traffic selectors */
73: linked_list_t *dst_ts;
74: /** Network interface restricting policy */
75: char *interface;
76: /** Lifetime configuration */
77: lifetime_cfg_t *lifetime;
78: /** Encryption algorithm */
79: uint16_t enc_alg;
80: /** Encryption key */
81: chunk_t enc_key;
82: /** Integrity protection algorithm */
83: uint16_t int_alg;
84: /** Integrity protection key */
85: chunk_t int_key;
86: /** Anti-replay window size */
87: uint32_t replay_window;
88: /** Traffic Flow Confidentiality padding */
89: uint32_t tfc;
90: /** IPComp transform */
91: uint16_t ipcomp;
92: /** CPI for IPComp */
93: uint16_t cpi;
94: /** TRUE to enable UDP encapsulation for NAT traversal */
95: bool encap;
96: /** no (disabled), yes (enabled), auto (enabled if supported) */
97: hw_offload_t hw_offload;
98: /** Mark the SA should apply to packets after processing */
99: mark_t mark;
100: /** TRUE to use Extended Sequence Numbers */
101: bool esn;
102: /** TRUE to copy the DF bit to the outer IPv4 header in tunnel mode */
103: bool copy_df;
104: /** TRUE to copy the ECN header field to/from the outer header */
105: bool copy_ecn;
106: /** Whether to copy the DSCP header field to/from the outer header */
107: dscp_copy_t copy_dscp;
108: /** TRUE if initiator of the exchange creating the SA */
109: bool initiator;
110: /** TRUE if this is an inbound SA */
111: bool inbound;
112: /** TRUE if an SPI has already been allocated for this SA */
113: bool update;
114: };
115:
116: /**
117: * Data required to update the hosts of an SA in the kernel
118: */
119: struct kernel_ipsec_update_sa_t {
120: /** CPI in case IPComp is used */
121: uint16_t cpi;
122: /** New source address */
123: host_t *new_src;
124: /** New destination address */
125: host_t *new_dst;
126: /** TRUE if UDP encapsulation is currently enabled */
127: bool encap;
128: /** TRUE to enable UDP encapsulation */
129: bool new_encap;
130: };
131:
132: /**
133: * Data required to query an SA in the kernel
134: */
135: struct kernel_ipsec_query_sa_t {
136: uint16_t cpi;
137: };
138:
139: /**
140: * Data required to delete an SA in the kernel
141: */
142: struct kernel_ipsec_del_sa_t {
143: /** CPI in case IPComp is used */
144: uint16_t cpi;
145: };
146:
147: /**
148: * Data identifying a policy in the kernel
149: */
150: struct kernel_ipsec_policy_id_t {
151: /** Direction of traffic */
152: policy_dir_t dir;
153: /** Source traffic selector */
154: traffic_selector_t *src_ts;
155: /** Destination traffic selector */
156: traffic_selector_t *dst_ts;
157: /** Optional mark */
158: mark_t mark;
159: /** Optional interface ID */
160: uint32_t if_id;
161: /** Network interface restricting policy */
162: char *interface;
163: };
164:
165: /**
166: * Data required to add/delete a policy to/from the kernel
167: */
168: struct kernel_ipsec_manage_policy_t {
169: /** Type of policy */
170: policy_type_t type;
171: /** Priority class */
172: policy_priority_t prio;
173: /** Manually-set priority (automatic if set to 0) */
174: uint32_t manual_prio;
175: /** Source address of the SA(s) tied to this policy */
176: host_t *src;
177: /** Destination address of the SA(s) tied to this policy */
178: host_t *dst;
179: /** Details about the SA(s) tied to this policy */
180: ipsec_sa_cfg_t *sa;
181: };
182:
183: /**
184: * Data required to query a policy in the kernel
185: */
186: struct kernel_ipsec_query_policy_t {
187: };
188:
189: /**
190: * Interface to the ipsec subsystem of the kernel.
191: *
192: * The kernel ipsec interface handles the communication with the kernel
193: * for SA and policy management. It allows setup of these, and provides
194: * further the handling of kernel events.
195: * Policy information are cached in the interface. This is necessary to do
196: * reference counting. The Linux kernel does not allow the same policy
197: * installed twice, but we need this as CHILD_SA exist multiple times
198: * when rekeying. That's why we do reference counting of policies.
199: */
200: struct kernel_ipsec_t {
201:
202: /**
203: * Get the feature set supported by this kernel backend.
204: *
205: * @return ORed feature-set of backend
206: */
207: kernel_feature_t (*get_features)(kernel_ipsec_t *this);
208:
209: /**
210: * Get a SPI from the kernel.
211: *
212: * @param src source address of SA
213: * @param dst destination address of SA
214: * @param protocol protocol for SA (ESP/AH)
215: * @param spi allocated spi
216: * @return SUCCESS if operation completed
217: */
218: status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
219: uint8_t protocol, uint32_t *spi);
220:
221: /**
222: * Get a Compression Parameter Index (CPI) from the kernel.
223: *
224: * @param src source address of SA
225: * @param dst destination address of SA
226: * @param cpi allocated cpi
227: * @return SUCCESS if operation completed
228: */
229: status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
230: uint16_t *cpi);
231:
232: /**
233: * Add an SA to the SAD.
234: *
235: * This function does install a single SA for a single protocol in one
236: * direction.
237: *
238: * @param id data identifying this SA
239: * @param data data for this SA
240: * @return SUCCESS if operation completed
241: */
242: status_t (*add_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
243: kernel_ipsec_add_sa_t *data);
244:
245: /**
246: * Update the hosts on an installed SA.
247: *
248: * We cannot directly update the destination address as the kernel
249: * requires the spi, the protocol AND the destination address (and family)
250: * to identify SAs. Therefore if the destination address changed we
251: * create a new SA and delete the old one.
252: *
253: * @param id data identifying this SA
254: * @param data updated data for this SA
255: * @return SUCCESS if operation completed, NOT_SUPPORTED if
256: * the kernel interface can't update the SA
257: */
258: status_t (*update_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
259: kernel_ipsec_update_sa_t *data);
260:
261: /**
262: * Query the number of bytes processed by an SA from the SAD.
263: *
264: * @param id data identifying this SA
265: * @param data data to query the SA
266: * @param[out] bytes the number of bytes processed by SA
267: * @param[out] packets number of packets processed by SA
268: * @param[out] time last (monotonic) time of SA use
269: * @return SUCCESS if operation completed
270: */
271: status_t (*query_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
272: kernel_ipsec_query_sa_t *data, uint64_t *bytes,
273: uint64_t *packets, time_t *time);
274:
275: /**
276: * Delete a previously installed SA from the SAD.
277: *
278: * @param id data identifying this SA
279: * @param data data to delete the SA
280: * @return SUCCESS if operation completed
281: */
282: status_t (*del_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
283: kernel_ipsec_del_sa_t *data);
284:
285: /**
286: * Flush all SAs from the SAD.
287: *
288: * @return SUCCESS if operation completed
289: */
290: status_t (*flush_sas)(kernel_ipsec_t *this);
291:
292: /**
293: * Add a policy to the SPD.
294: *
295: * @param id data identifying this policy
296: * @param data data for this policy
297: * @return SUCCESS if operation completed
298: */
299: status_t (*add_policy)(kernel_ipsec_t *this,
300: kernel_ipsec_policy_id_t *id,
301: kernel_ipsec_manage_policy_t *data);
302:
303: /**
304: * Query the use time of a policy.
305: *
306: * The use time of a policy is the time the policy was used for the last
307: * time. It is not the system time, but a monotonic timestamp as returned
308: * by time_monotonic.
309: *
310: * @param id data identifying this policy
311: * @param data data to query the policy
312: * @param[out] use_time the monotonic timestamp of this SA's last use
313: * @return SUCCESS if operation completed
314: */
315: status_t (*query_policy)(kernel_ipsec_t *this,
316: kernel_ipsec_policy_id_t *id,
317: kernel_ipsec_query_policy_t *data,
318: time_t *use_time);
319:
320: /**
321: * Remove a policy from the SPD.
322: *
323: * @param id data identifying this policy
324: * @param data data for this policy
325: * @return SUCCESS if operation completed
326: */
327: status_t (*del_policy)(kernel_ipsec_t *this,
328: kernel_ipsec_policy_id_t *id,
329: kernel_ipsec_manage_policy_t *data);
330:
331: /**
332: * Flush all policies from the SPD.
333: *
334: * @return SUCCESS if operation completed
335: */
336: status_t (*flush_policies)(kernel_ipsec_t *this);
337:
338: /**
339: * Install a bypass policy for the given socket.
340: *
341: * @param fd socket file descriptor to setup policy for
342: * @param family protocol family of the socket
343: * @return TRUE of policy set up successfully
344: */
345: bool (*bypass_socket)(kernel_ipsec_t *this, int fd, int family);
346:
347: /**
348: * Enable decapsulation of ESP-in-UDP packets for the given port/socket.
349: *
350: * @param fd socket file descriptor
351: * @param family protocol family of the socket
352: * @param port the UDP port
353: * @return TRUE if UDP decapsulation was enabled successfully
354: */
355: bool (*enable_udp_decap)(kernel_ipsec_t *this, int fd, int family,
356: uint16_t port);
357:
358: /**
359: * Destroy the implementation.
360: */
361: void (*destroy)(kernel_ipsec_t *this);
362: };
363:
364: /**
365: * Helper function to (un-)register IPsec kernel interfaces from plugin features.
366: *
367: * This function is a plugin_feature_callback_t and can be used with the
368: * PLUGIN_CALLBACK macro to register an IPsec kernel interface constructor.
369: *
370: * @param plugin plugin registering the kernel interface
371: * @param feature associated plugin feature
372: * @param reg TRUE to register, FALSE to unregister
373: * @param data data passed to callback, an kernel_ipsec_constructor_t
374: */
375: bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature,
376: bool reg, void *data);
377:
378: #endif /** KERNEL_IPSEC_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to kernel_ipsec.h CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / kernel