      1 /*	$NetBSD: policy.h,v 1.8 2008/12/05 06:02:20 tteras Exp $	*/
      2 
      3 /* Id: policy.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
      4 
      5 /*
      6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
      7  * All rights reserved.
      8  *
      9  * Redistribution and use in source and binary forms, with or without
     10  * modification, are permitted provided that the following conditions
     11  * are met:
     12  * 1. Redistributions of source code must retain the above copyright
     13  *    notice, this list of conditions and the following disclaimer.
     14  * 2. Redistributions in binary form must reproduce the above copyright
     15  *    notice, this list of conditions and the following disclaimer in the
     16  *    documentation and/or other materials provided with the distribution.
     17  * 3. Neither the name of the project nor the names of its contributors
     18  *    may be used to endorse or promote products derived from this software
     19  *    without specific prior written permission.
     20  *
     21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
     22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
     25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     31  * SUCH DAMAGE.
     32  */
     33 
     34 #ifndef _POLICY_H
     35 #define _POLICY_H
     36 
     37 #include <sys/queue.h>
     38 
     39 
#ifdef HAVE_SECCTX
/* Upper bound on the stored security-context string, including its NUL. */
#define MAX_CTXSTR_SIZE 50
/*
 * Security context carried alongside a policy selector when racoon is
 * built with HAVE_SECCTX (the SELinux-aware build; see the
 * <selinux/selinux.h> include further down this header).
 *
 * NOTE(review): ctx_strlen is a 16-bit length, but ctx_str holds at most
 * MAX_CTXSTR_SIZE bytes. Whatever fills this struct from an external
 * source (a peer's payload, a PF_KEY message) must reject or clamp a
 * length larger than sizeof(ctx_str) before copying, and must keep the
 * string NUL-terminated; nothing in the struct itself enforces either.
 */
struct security_ctx {
	u_int8_t ctx_doi;       /* Security Context DOI */
	u_int8_t ctx_alg;       /* Security Context Algorithm */
	u_int16_t ctx_strlen;   /* Security Context string length, in bytes
				 * (includes the terminating NUL)
				 */
	char ctx_str[MAX_CTXSTR_SIZE];  /* Security Context string, NUL-terminated;
					 * never longer than MAX_CTXSTR_SIZE */
};
#endif
     51 
/* refs. ipsec.h */
/*
 * Security Policy Index: the selector that identifies one SPD entry.
 *
 * NOTE: src and dst must be of the same address family, and both sides
 *	of a policy must refer to the same upper-layer protocol.
 * NOTE: for ul_proto, port number, uid and gid:
 *	ANY:           reserved as the wildcard value.
 *	0 to (~0 - 1): one specific value of that field.
 *
 * Instances are normally filled in by KEY_SETSECSPIDX() (defined below),
 * which zeroes the whole struct first and copies each address with the
 * length sysdep_sa_len() reports for it. Selectors are compared with
 * cmpspidxstrict()/cmpspidxwild() (declared below).
 */
struct policyindex {
	u_int8_t dir;			/* direction of packet flow; the direction
					 * constants are not in this header, see
					 * ipsec.h */
	struct sockaddr_storage src;	/* IP src address for SP */
	struct sockaddr_storage dst;	/* IP dst address for SP */
	u_int8_t prefs;			/* prefix length in bits for src */
	u_int8_t prefd;			/* prefix length in bits for dst */
	u_int16_t ul_proto;		/* upper layer protocol (ANY = wildcard) */
	u_int32_t priority;		/* priority for the policy; only assigned
					 * by KEY_SETSECSPIDX when built with
					 * HAVE_PFKEY_POLICY_PRIORITY, otherwise
					 * it stays 0 from the initial bzero */
 	u_int64_t created;		/* creation stamp; used to find generated
					 * SPD entries that should be deleted */
#ifdef HAVE_SECCTX
	struct security_ctx sec_ctx;    /* Security Context (labeled IPsec) */
#endif
};
     73 
/* Security Policy Data Base entry */
struct secpolicy {
	TAILQ_ENTRY(secpolicy) chain;	/* linkage in the SPD list (sys/queue.h) */

	struct policyindex spidx;	/* selector */
	u_int32_t id;			/* unique policy id on this system;
					 * see getspbyspid() below */

	u_int policy;		/* DISCARD, NONE or IPSEC, see keyv2.h */
	struct ipsecrequest *req;
				/* head of the ipsec request chain (see
				 * struct ipsecrequest below) when
				 * policy == IPSEC; otherwise NULL. */

	/* MIPv6 needs to perform negotiation of SA using different addresses
	 * than the endpoints of the SA (CoA for the source). In that case,
	 * MIGRATE msg provides that info (before movement occurs on the MN).
	 * NOTE(review): ownership of these two pointers (who allocates and
	 * frees them) is not visible in this header; check newsp()/delsp()
	 * in policy.c before sharing or freeing them. */
	struct sockaddr *local;
	struct sockaddr *remote;
};
     92 
/* Security Association Index */
/* NOTE: src and dst must be of the same address family. */
struct secasindex {
	struct sockaddr_storage src;	/* source address for SA */
	struct sockaddr_storage dst;	/* destination address for SA */
	u_int16_t proto;		/* IPPROTO_ESP or IPPROTO_AH */
	u_int8_t mode;			/* mode of protocol, see ipsec.h */
	u_int32_t reqid;		/* request id identifying the owner of
					 * this SA; see IPSEC_MANUAL_REQID_MAX. */
};
    103 
/* Request for IPsec: one element of a secpolicy's request chain. */
struct ipsecrequest {
	struct ipsecrequest *next;
				/* next request in the chain;
				 * NULL marks the end of the chain. */

	struct secasindex saidx;/* hint for finding the proper SA;
				 * if __ss_len == 0 then no address
				 * was specified. */
	u_int level;		/* IPsec level; the level constants are not
				 * defined in this header (presumably ipsec.h) */

	struct secpolicy *sp;	/* back pointer to the owning SP */
};
    116 
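/*
 * KEY_SETSECSPIDX - fill in a struct policyindex selector.
 *
 *   _dir      packet direction, stored in idx->dir
 *   s, d      source / destination addresses; anything castable to
 *             struct sockaddr *, copied whole into idx->src / idx->dst
 *   ps, pd    prefix lengths in bits for s and d
 *   ulp       upper-layer protocol
 *   _priority policy priority (only in the HAVE_PFKEY_POLICY_PRIORITY
 *             variant; otherwise idx->priority stays 0)
 *   _created  creation stamp used to expire generated SPD entries
 *   idx       struct policyindex * to fill; the whole struct is zeroed
 *             first, so fields not listed here (e.g. sec_ctx) end up 0
 *
 * Every argument is evaluated exactly once: the previous version expanded
 * idx, s and d several times each, so arguments with side effects were
 * unsafe. The locals use a trailing underscore to avoid clashing with
 * caller identifiers.
 *
 * NOTE(review): the copy length is whatever sysdep_sa_len() reports for
 * the address, and the destination is a struct sockaddr_storage. That is
 * only safe if the caller has already validated the address family (e.g.
 * when parsing a PF_KEY message or a peer's ID payload); this macro does
 * not check the family or bound the copy itself.
 */
#ifdef HAVE_PFKEY_POLICY_PRIORITY
#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _priority, _created, idx)   \
do {                                                                         \
	struct policyindex *kidx_ = (idx);                                   \
	struct sockaddr *ksrc_ = (struct sockaddr *)(s);                     \
	struct sockaddr *kdst_ = (struct sockaddr *)(d);                     \
	bzero(kidx_, sizeof(*kidx_));                                        \
	kidx_->dir = (_dir);                                                 \
	kidx_->prefs = (ps);                                                 \
	kidx_->prefd = (pd);                                                 \
	kidx_->ul_proto = (ulp);                                             \
	kidx_->priority = (_priority);                                       \
	kidx_->created = (_created);                                         \
	memcpy(&kidx_->src, ksrc_, sysdep_sa_len(ksrc_));                    \
	memcpy(&kidx_->dst, kdst_, sysdep_sa_len(kdst_));                    \
} while (0)
#else
#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _created, idx)              \
do {                                                                         \
	struct policyindex *kidx_ = (idx);                                   \
	struct sockaddr *ksrc_ = (struct sockaddr *)(s);                     \
	struct sockaddr *kdst_ = (struct sockaddr *)(d);                     \
	bzero(kidx_, sizeof(*kidx_));                                        \
	kidx_->dir = (_dir);                                                 \
	kidx_->prefs = (ps);                                                 \
	kidx_->prefd = (pd);                                                 \
	kidx_->ul_proto = (ulp);                                             \
	kidx_->created = (_created);                                         \
	memcpy(&kidx_->src, ksrc_, sysdep_sa_len(ksrc_));                    \
	memcpy(&kidx_->dst, kdst_, sysdep_sa_len(kdst_));                    \
} while (0)
#endif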
    143 
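/*
 * Forward declarations: the prototypes below only need the pointer types.
 * (struct policyindex is fully defined above; re-declaring it is harmless.)
 */
struct ph2handle;
struct policyindex;

/* SPD lookup by selector. getsp_r() is a second variant; the _r suffix
 * suggests a reverse-direction match, but confirm that in policy.c before
 * relying on it. The not-found return value is not visible here. */
extern struct secpolicy *getsp __P((struct policyindex *));
extern struct secpolicy *getsp_r __P((struct policyindex *));
/* SPD lookup by the secpolicy.id value. Now declared extern like its
 * neighbours (function declarations are extern by default, so nothing
 * changes for callers). */
extern struct secpolicy *getspbyspid __P((u_int32_t));
/* Selector comparison. The names suggest *strict wants an exact match and
 * *wild honours ANY/wildcard fields; the return convention is not visible
 * in this header. */
extern int cmpspidxstrict __P((struct policyindex *, struct policyindex *));
extern int cmpspidxwild __P((struct policyindex *, struct policyindex *));
/* SPD entry life cycle: allocate, free, free by selector (both directions),
 * insert into / remove from the SPD list, flush everything, initialise. */
extern struct secpolicy *newsp __P((void));
extern void delsp __P((struct secpolicy *));
extern void delsp_bothdir __P((struct policyindex *));
extern void inssp __P((struct secpolicy *));
extern void remsp __P((struct secpolicy *));
extern void flushsp __P((void));
extern void initsp __P((void));
/* Allocate one struct ipsecrequest; linking it into a chain is the
 * caller's job as far as this header shows. */
extern struct ipsecrequest *newipsecreq __P((void));

/* Human-readable rendering of a selector, for logging.
 * NOTE(review): the returned buffer's lifetime is not visible here (it
 * may well be static); do not cache the pointer across calls without
 * checking policy.c. */
extern const char *spidx2str __P((const struct policyindex *));
#ifdef HAVE_SECCTX
#include <selinux/selinux.h>
/* Labeled-IPsec (SELinux) support. */
/* Apparently extracts a security context from a buffer into a selector's
 * sec_ctx. NOTE(review): if the buffer comes from a peer, this is the
 * untrusted entry point for struct security_ctx; the length must be
 * checked against MAX_CTXSTR_SIZE here, not downstream. */
extern int get_security_context __P((vchar_t *, struct policyindex *));
/* Initialise the SELinux access vector cache (name suggests). */
extern void init_avc __P((void));
/* Authorization check between two contexts. Which return value means
 * "allowed" is not visible here; confirm before using the result as an
 * allow/deny gate. */
extern int within_range __P((security_context_t, security_context_t));
/* Copy the selector's security context into a phase-2 proposal. Takes the
 * selector by value (a large struct with two sockaddr_storage members);
 * a pointer would be cheaper, but the signature is kept for callers. */
extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex));
#endif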
    168 
    169 #endif /* _POLICY_H */
    170