| /* |
| * Copyright (C) 2016 Andreas Steffen |
| * Copyright (C) 2006-2018 Tobias Brunner |
| * Copyright (C) 2006 Daniel Roethlisberger |
| * Copyright (C) 2005-2006 Martin Willi |
| * Copyright (C) 2005 Jan Hutter |
| * HSR Hochschule fuer Technik Rapperswil |
| * |
| * This program is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License as published by the |
| * Free Software Foundation; either version 2 of the License, or (at your |
| * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. |
| * |
| * This program is distributed in the hope that it will be useful, but |
| * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY |
| * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * for more details. |
| */ |
| |
| /** |
| * @defgroup kernel_ipsec kernel_ipsec |
| * @{ @ingroup kernel |
| */ |
| |
| #ifndef KERNEL_IPSEC_H_ |
| #define KERNEL_IPSEC_H_ |
| |
| typedef struct kernel_ipsec_t kernel_ipsec_t; |
| typedef struct kernel_ipsec_sa_id_t kernel_ipsec_sa_id_t; |
| typedef struct kernel_ipsec_add_sa_t kernel_ipsec_add_sa_t; |
| typedef struct kernel_ipsec_update_sa_t kernel_ipsec_update_sa_t; |
| typedef struct kernel_ipsec_query_sa_t kernel_ipsec_query_sa_t; |
| typedef struct kernel_ipsec_del_sa_t kernel_ipsec_del_sa_t; |
| typedef struct kernel_ipsec_policy_id_t kernel_ipsec_policy_id_t; |
| typedef struct kernel_ipsec_manage_policy_t kernel_ipsec_manage_policy_t; |
| typedef struct kernel_ipsec_query_policy_t kernel_ipsec_query_policy_t; |
| |
| #include <networking/host.h> |
| #include <ipsec/ipsec_types.h> |
| #include <selectors/traffic_selector.h> |
| #include <plugins/plugin.h> |
| #include <kernel/kernel_interface.h> |
| |
| /** |
| * Data required to identify an SA in the kernel |
| */ |
| struct kernel_ipsec_sa_id_t { |
| /** Source address */ |
| host_t *src; |
| /** Destination address */ |
| host_t *dst; |
| /** SPI */ |
| uint32_t spi; |
| /** Protocol (ESP/AH) */ |
| uint8_t proto; |
| /** Optional mark */ |
| mark_t mark; |
| /** Optional interface ID */ |
| uint32_t if_id; |
| }; |
| |
| /** |
| * Data required to add an SA to the kernel |
| */ |
| struct kernel_ipsec_add_sa_t { |
| /** Reqid */ |
| uint32_t reqid; |
| /** Mode (tunnel, transport...) */ |
| ipsec_mode_t mode; |
| /** List of source traffic selectors */ |
| linked_list_t *src_ts; |
| /** List of destination traffic selectors */ |
| linked_list_t *dst_ts; |
| /** Network interface restricting policy */ |
| char *interface; |
| /** Lifetime configuration */ |
| lifetime_cfg_t *lifetime; |
| /** Encryption algorithm */ |
| uint16_t enc_alg; |
| /** Encryption key */ |
| chunk_t enc_key; |
| /** Integrity protection algorithm */ |
| uint16_t int_alg; |
| /** Integrity protection key */ |
| chunk_t int_key; |
| /** Anti-replay window size */ |
| uint32_t replay_window; |
| /** Traffic Flow Confidentiality padding */ |
| uint32_t tfc; |
| /** IPComp transform */ |
| uint16_t ipcomp; |
| /** CPI for IPComp */ |
| uint16_t cpi; |
| /** TRUE to enable UDP encapsulation for NAT traversal */ |
| bool encap; |
| /** no (disabled), yes (enabled), auto (enabled if supported) */ |
| hw_offload_t hw_offload; |
| /** Mark the SA should apply to packets after processing */ |
| mark_t mark; |
| /** TRUE to use Extended Sequence Numbers */ |
| bool esn; |
| /** TRUE to copy the DF bit to the outer IPv4 header in tunnel mode */ |
| bool copy_df; |
| /** TRUE to copy the ECN header field to/from the outer header */ |
| bool copy_ecn; |
| /** Whether to copy the DSCP header field to/from the outer header */ |
| dscp_copy_t copy_dscp; |
| /** TRUE if initiator of the exchange creating the SA */ |
| bool initiator; |
| /** TRUE if this is an inbound SA */ |
| bool inbound; |
| /** TRUE if an SPI has already been allocated for this SA */ |
| bool update; |
| }; |
| |
| /** |
| * Data required to update the hosts of an SA in the kernel |
| */ |
| struct kernel_ipsec_update_sa_t { |
| /** CPI in case IPComp is used */ |
| uint16_t cpi; |
| /** New source address */ |
| host_t *new_src; |
| /** New destination address */ |
| host_t *new_dst; |
| /** TRUE if UDP encapsulation is currently enabled */ |
| bool encap; |
| /** TRUE to enable UDP encapsulation */ |
| bool new_encap; |
| }; |
| |
| /** |
| * Data required to query an SA in the kernel |
| */ |
| struct kernel_ipsec_query_sa_t { |
| uint16_t cpi; |
| }; |
| |
| /** |
| * Data required to delete an SA in the kernel |
| */ |
| struct kernel_ipsec_del_sa_t { |
| /** CPI in case IPComp is used */ |
| uint16_t cpi; |
| }; |
| |
| /** |
| * Data identifying a policy in the kernel |
| */ |
| struct kernel_ipsec_policy_id_t { |
| /** Direction of traffic */ |
| policy_dir_t dir; |
| /** Source traffic selector */ |
| traffic_selector_t *src_ts; |
| /** Destination traffic selector */ |
| traffic_selector_t *dst_ts; |
| /** Optional mark */ |
| mark_t mark; |
| /** Optional interface ID */ |
| uint32_t if_id; |
| /** Network interface restricting policy */ |
| char *interface; |
| }; |
| |
| /** |
| * Data required to add/delete a policy to/from the kernel |
| */ |
| struct kernel_ipsec_manage_policy_t { |
| /** Type of policy */ |
| policy_type_t type; |
| /** Priority class */ |
| policy_priority_t prio; |
| /** Manually-set priority (automatic if set to 0) */ |
| uint32_t manual_prio; |
| /** Source address of the SA(s) tied to this policy */ |
| host_t *src; |
| /** Destination address of the SA(s) tied to this policy */ |
| host_t *dst; |
| /** Details about the SA(s) tied to this policy */ |
| ipsec_sa_cfg_t *sa; |
| }; |
| |
| /** |
| * Data required to query a policy in the kernel |
| */ |
| struct kernel_ipsec_query_policy_t { |
| }; |
| |
| /** |
| * Interface to the ipsec subsystem of the kernel. |
| * |
| * The kernel ipsec interface handles the communication with the kernel |
| * for SA and policy management. It allows setup of these, and provides |
| * further the handling of kernel events. |
| * Policy information are cached in the interface. This is necessary to do |
| * reference counting. The Linux kernel does not allow the same policy |
| * installed twice, but we need this as CHILD_SA exist multiple times |
| * when rekeying. That's why we do reference counting of policies. |
| */ |
| struct kernel_ipsec_t { |
| |
| /** |
| * Get the feature set supported by this kernel backend. |
| * |
| * @return ORed feature-set of backend |
| */ |
| kernel_feature_t (*get_features)(kernel_ipsec_t *this); |
| |
| /** |
| * Get a SPI from the kernel. |
| * |
| * @param src source address of SA |
| * @param dst destination address of SA |
| * @param protocol protocol for SA (ESP/AH) |
| * @param spi allocated spi |
| * @return SUCCESS if operation completed |
| */ |
| status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst, |
| uint8_t protocol, uint32_t *spi); |
| |
| /** |
| * Get a Compression Parameter Index (CPI) from the kernel. |
| * |
| * @param src source address of SA |
| * @param dst destination address of SA |
| * @param cpi allocated cpi |
| * @return SUCCESS if operation completed |
| */ |
| status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst, |
| uint16_t *cpi); |
| |
| /** |
| * Add an SA to the SAD. |
| * |
| * This function does install a single SA for a single protocol in one |
| * direction. |
| * |
| * @param id data identifying this SA |
| * @param data data for this SA |
| * @return SUCCESS if operation completed |
| */ |
| status_t (*add_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id, |
| kernel_ipsec_add_sa_t *data); |
| |
| /** |
| * Update the hosts on an installed SA. |
| * |
| * We cannot directly update the destination address as the kernel |
| * requires the spi, the protocol AND the destination address (and family) |
| * to identify SAs. Therefore if the destination address changed we |
| * create a new SA and delete the old one. |
| * |
| * @param id data identifying this SA |
| * @param data updated data for this SA |
| * @return SUCCESS if operation completed, NOT_SUPPORTED if |
| * the kernel interface can't update the SA |
| */ |
| status_t (*update_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id, |
| kernel_ipsec_update_sa_t *data); |
| |
| /** |
| * Query the number of bytes processed by an SA from the SAD. |
| * |
| * @param id data identifying this SA |
| * @param data data to query the SA |
| * @param[out] bytes the number of bytes processed by SA |
| * @param[out] packets number of packets processed by SA |
| * @param[out] time last (monotonic) time of SA use |
| * @return SUCCESS if operation completed |
| */ |
| status_t (*query_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id, |
| kernel_ipsec_query_sa_t *data, uint64_t *bytes, |
| uint64_t *packets, time_t *time); |
| |
| /** |
| * Delete a previously installed SA from the SAD. |
| * |
| * @param id data identifying this SA |
| * @param data data to delete the SA |
| * @return SUCCESS if operation completed |
| */ |
| status_t (*del_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id, |
| kernel_ipsec_del_sa_t *data); |
| |
| /** |
| * Flush all SAs from the SAD. |
| * |
| * @return SUCCESS if operation completed |
| */ |
| status_t (*flush_sas)(kernel_ipsec_t *this); |
| |
| /** |
| * Add a policy to the SPD. |
| * |
| * @param id data identifying this policy |
| * @param data data for this policy |
| * @return SUCCESS if operation completed |
| */ |
| status_t (*add_policy)(kernel_ipsec_t *this, |
| kernel_ipsec_policy_id_t *id, |
| kernel_ipsec_manage_policy_t *data); |
| |
| /** |
| * Query the use time of a policy. |
| * |
| * The use time of a policy is the time the policy was used for the last |
| * time. It is not the system time, but a monotonic timestamp as returned |
| * by time_monotonic. |
| * |
| * @param id data identifying this policy |
| * @param data data to query the policy |
| * @param[out] use_time the monotonic timestamp of this SA's last use |
| * @return SUCCESS if operation completed |
| */ |
| status_t (*query_policy)(kernel_ipsec_t *this, |
| kernel_ipsec_policy_id_t *id, |
| kernel_ipsec_query_policy_t *data, |
| time_t *use_time); |
| |
| /** |
| * Remove a policy from the SPD. |
| * |
| * @param id data identifying this policy |
| * @param data data for this policy |
| * @return SUCCESS if operation completed |
| */ |
| status_t (*del_policy)(kernel_ipsec_t *this, |
| kernel_ipsec_policy_id_t *id, |
| kernel_ipsec_manage_policy_t *data); |
| |
| /** |
| * Flush all policies from the SPD. |
| * |
| * @return SUCCESS if operation completed |
| */ |
| status_t (*flush_policies)(kernel_ipsec_t *this); |
| |
| /** |
| * Install a bypass policy for the given socket. |
| * |
| * @param fd socket file descriptor to setup policy for |
| * @param family protocol family of the socket |
| * @return TRUE of policy set up successfully |
| */ |
| bool (*bypass_socket)(kernel_ipsec_t *this, int fd, int family); |
| |
| /** |
| * Enable decapsulation of ESP-in-UDP packets for the given port/socket. |
| * |
| * @param fd socket file descriptor |
| * @param family protocol family of the socket |
| * @param port the UDP port |
| * @return TRUE if UDP decapsulation was enabled successfully |
| */ |
| bool (*enable_udp_decap)(kernel_ipsec_t *this, int fd, int family, |
| uint16_t port); |
| |
| /** |
| * Destroy the implementation. |
| */ |
| void (*destroy)(kernel_ipsec_t *this); |
| }; |
| |
| /** |
| * Helper function to (un-)register IPsec kernel interfaces from plugin features. |
| * |
| * This function is a plugin_feature_callback_t and can be used with the |
| * PLUGIN_CALLBACK macro to register an IPsec kernel interface constructor. |
| * |
| * @param plugin plugin registering the kernel interface |
| * @param feature associated plugin feature |
| * @param reg TRUE to register, FALSE to unregister |
| * @param data data passed to callback, an kernel_ipsec_constructor_t |
| */ |
| bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature, |
| bool reg, void *data); |
| |
| #endif /** KERNEL_IPSEC_H_ @}*/ |
