      1 /*	$NetBSD: policy.h,v 1.5.4.2 2007/06/07 20:34:19 manu Exp $	*/
      2 
      3 /* Id: policy.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
      4 
      5 /*
      6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
      7  * All rights reserved.
      8  *
      9  * Redistribution and use in source and binary forms, with or without
     10  * modification, are permitted provided that the following conditions
     11  * are met:
     12  * 1. Redistributions of source code must retain the above copyright
     13  *    notice, this list of conditions and the following disclaimer.
     14  * 2. Redistributions in binary form must reproduce the above copyright
     15  *    notice, this list of conditions and the following disclaimer in the
     16  *    documentation and/or other materials provided with the distribution.
     17  * 3. Neither the name of the project nor the names of its contributors
     18  *    may be used to endorse or promote products derived from this software
     19  *    without specific prior written permission.
     20  *
     21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
     22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
     25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     31  * SUCH DAMAGE.
     32  */
     33 
     34 #ifndef _POLICY_H
     35 #define _POLICY_H
     36 
     37 #include <sys/queue.h>
     38 
     39 
#ifdef HAVE_SECCTX
/*
 * Upper bound on the security context string kept inline in
 * struct security_ctx, including its terminating NUL.
 */
#define MAX_CTXSTR_SIZE 50
/*
 * Security context attached to a policy index (SELinux labels; see the
 * HAVE_SECCTX declarations at the end of this header).
 *
 * ctx_strlen is a 16-bit field and can therefore hold values well above
 * MAX_CTXSTR_SIZE.  Code that fills ctx_str from an externally supplied
 * length (for example a received payload) has to check ctx_strlen against
 * sizeof(ctx_str) before copying; nothing in this header enforces that
 * bound.
 */
struct security_ctx {
	u_int8_t ctx_doi;       /* Security Context DOI */
	u_int8_t ctx_alg;       /* Security Context Algorithm */
	u_int16_t ctx_strlen;   /* Security Context string length
				 * (includes terminating NUL); must be
				 * <= MAX_CTXSTR_SIZE for ctx_str to hold it
				 */
	char ctx_str[MAX_CTXSTR_SIZE];  /* Security Context string, NUL-terminated */
};
#endif
     51 
/* refs. ipsec.h */
/*
 * Security Policy Index
 *
 * Selector that identifies a security policy: traffic direction, source
 * and destination addresses with prefix lengths, and the upper layer
 * protocol.  Pointers to this struct are what getsp(), cmpspidxstrict()
 * and cmpspidxwild() (declared below) take; it is normally filled in by
 * KEY_SETSECSPIDX().
 *
 * NOTE: Ensure src and dst are of the same address family and upper
 *	 layer protocol.
 * NOTE: ul_proto, port number, uid, gid:
 *	ANY: reserved for wildcard.
 *	0 to (~0 - 1): one specific value of that kind.
 *
 * This header does not include <sys/socket.h> or <sys/types.h>; the
 * including file must provide struct sockaddr_storage and the u_intN_t
 * types.
 */
struct policyindex {
	u_int8_t dir;			/* direction of packet flow; the values
					 * are not defined in this header
					 * (presumably the IPSEC_DIR_* constants
					 * of ipsec.h) */
	struct sockaddr_storage src;	/* IP src address for SP */
	struct sockaddr_storage dst;	/* IP dst address for SP */
	u_int8_t prefs;			/* prefix length in bits for src */
	u_int8_t prefd;			/* prefix length in bits for dst */
	u_int16_t ul_proto;		/* upper layer Protocol */
	u_int32_t priority;		/* priority for the policy; only assigned
					 * by KEY_SETSECSPIDX() when
					 * HAVE_PFKEY_POLICY_PRIORITY is defined,
					 * otherwise left zero by its memset */
 	u_int64_t created;		/* creation stamp, used when deleting
					 * generated SPD entries */
#ifdef HAVE_SECCTX
	struct security_ctx sec_ctx;    /* Security Context; KEY_SETSECSPIDX()
					 * only zeroes it, it is filled in
					 * separately */
#endif
};
     73 
/* Security Policy Data Base */
/*
 * One entry of the security policy database.
 *
 * Entries are linked through `chain' (a TAILQ); presumably inssp()/remsp()
 * below maintain that list and newsp()/delsp() allocate and free entries.
 * The selector `spidx' is what lookups compare against; `id' is a
 * system-wide unique number (getspbyspid() looks entries up by it).
 */
struct secpolicy {
	TAILQ_ENTRY(secpolicy) chain;	/* list linkage; needs <sys/queue.h> */

	struct policyindex spidx;	/* selector */
	u_int32_t id;			/* unique number of this SP on the system */

	u_int policy;		/* DISCARD, NONE or IPSEC, see keyv2.h */
	struct ipsecrequest *req;
				/* pointer to the ipsec request chain when
				 * policy == IPSEC, otherwise NULL.  The
				 * chain is singly linked via
				 * ipsecrequest.next. */
};
     86 
/* Security Association Index */
/* NOTE: Ensure src and dst are of the same address family */
/*
 * Identifies the security association an ipsecrequest wants to use:
 * address pair, IPsec protocol, mode and request id.
 */
struct secasindex {
	struct sockaddr_storage src;	/* source address for SA */
	struct sockaddr_storage dst;	/* destination address for SA */
	u_int16_t proto;		/* IPPROTO_ESP or IPPROTO_AH */
	u_int8_t mode;			/* mode of protocol, see ipsec.h */
	u_int32_t reqid;		/* reqid of the owner of this SA */
					/* see IPSEC_MANUAL_REQID_MAX. */
};
     97 
/* Request for IPsec */
/*
 * One element of the IPsec request chain hanging off secpolicy.req.
 * Allocated by newipsecreq() (declared below); the header does not say
 * who frees the chain -- presumably delsp() when the owning SP goes away.
 */
struct ipsecrequest {
	struct ipsecrequest *next;
				/* pointer to next structure */
				/* If NULL, it means the end of chain. */

	struct secasindex saidx;/* hint for search proper SA */
				/* if __ss_len == 0 then no address specified.
				 * NOTE(review): __ss_len is a BSD-only member
				 * of sockaddr_storage; on platforms without
				 * it the "no address" test presumably goes
				 * through sysdep_sa_len() -- confirm. */
	u_int level;		/* IPsec level (required/use/...); the values
				 * are not defined in this header. */

	struct secpolicy *sp;	/* back pointer to the owning SP; not an
				 * ownership reference */
};
    110 
/*
 * KEY_SETSECSPIDX(): zero *idx and fill in the selector fields of a
 * struct policyindex.  The two variants below differ only in whether a
 * priority argument is accepted (HAVE_PFKEY_POLICY_PRIORITY); the
 * argument order is positional, so a caller compiled with the wrong
 * variant misassigns fields silently.
 *
 * Notes for callers:
 *  - idx, s and d are each evaluated more than once; do not pass
 *    expressions with side effects.
 *  - src/dst are copied with the length sysdep_sa_len() reports from the
 *    sockaddr itself, into a struct sockaddr_storage.  The macro does not
 *    check that this length is <= sizeof(struct sockaddr_storage); a
 *    sockaddr whose length comes from external data must be validated
 *    before it is used here.
 *  - Uses memset()/memcpy() and sysdep_sa_len(), none of which this
 *    header declares; the including file must provide <string.h> and the
 *    sysdep declarations.
 *  - sec_ctx (under HAVE_SECCTX) is only zeroed here, not filled in.
 */
#ifdef HAVE_PFKEY_POLICY_PRIORITY
#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _priority, _created, idx)              \
do {                                                                         \
	memset((idx), 0, sizeof(struct policyindex));                        \
	(idx)->dir = (_dir);                                                 \
	(idx)->prefs = (ps);                                                 \
	(idx)->prefd = (pd);                                                 \
	(idx)->ul_proto = (ulp);                                             \
	(idx)->priority = (_priority);                                        \
	(idx)->created = (_created);                                        \
	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
} while (0)
#else
/* Same as above without the priority argument; priority stays zero. */
#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _created, idx)              \
do {                                                                         \
	memset((idx), 0, sizeof(struct policyindex));                        \
	(idx)->dir = (_dir);                                                 \
	(idx)->prefs = (ps);                                                 \
	(idx)->prefd = (pd);                                                 \
	(idx)->ul_proto = (ulp);                                             \
	(idx)->created = (_created);                                        \
	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
} while (0)
#endif
    137 
struct ph2handle;	/* opaque here; only used by pointer below */
struct policyindex;	/* redundant: already defined above in this header */

/*
 * Functions presumably implemented in policy.c.  __P() is the old-style
 * prototype wrapper used throughout racoon.  The semantics noted below
 * are what the names and signatures suggest; confirm against the
 * implementation before relying on them.
 */
/* Lookup by selector; the difference of the _r variant is not visible here. */
extern struct secpolicy *getsp __P((struct policyindex *));
extern struct secpolicy *getsp_r __P((struct policyindex *));
/* Lookup by secpolicy.id.  NOTE(review): lacks `extern' unlike its siblings. */
struct secpolicy *getspbyspid __P((u_int32_t));
/* Compare two selectors, exact vs. wildcard-aware matching; return value
 * convention (0 on match?) is not specified by this header. */
extern int cmpspidxstrict __P((struct policyindex *, struct policyindex *));
extern int cmpspidxwild __P((struct policyindex *, struct policyindex *));
/* Allocation / release of SP entries; newsp() presumably returns NULL on
 * allocation failure -- callers should check. */
extern struct secpolicy *newsp __P((void));
extern void delsp __P((struct secpolicy *));
extern void delsp_bothdir __P((struct policyindex *));
/* List maintenance of the SPD (secpolicy.chain). */
extern void inssp __P((struct secpolicy *));
extern void remsp __P((struct secpolicy *));
extern void flushsp __P((void));
extern void initsp __P((void));
/* Allocate one ipsecrequest; ownership passes to the caller. */
extern struct ipsecrequest *newipsecreq __P((void));

/* Human-readable rendering of a selector (for logging).  The lifetime of
 * the returned buffer is not specified here; do not retain it across
 * calls without checking the implementation. */
extern const char *spidx2str __P((const struct policyindex *));
#ifdef HAVE_SECCTX
#include <selinux/selinux.h>
/* Extract a security context from a vchar_t (racoon's length-prefixed
 * buffer type, not declared in this header) into idx->sec_ctx.  This is
 * the place where ctx_strlen must be bounded by MAX_CTXSTR_SIZE before
 * the string is copied -- confirm in the implementation. */
extern int get_security_context __P((vchar_t *, struct policyindex *));
extern void init_avc __P((void));
/* SELinux range check between two contexts. */
extern int within_range __P((security_context_t, security_context_t));
/* NOTE(review): takes struct policyindex by value, copying two
 * sockaddr_storage plus the security context on every call. */
extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex));
#endif
    162 
    163 #endif /* _POLICY_H */
    164