| /* $NetBSD: policy.h,v 1.8 2008/12/05 06:02:20 tteras Exp $ */ |
| |
| /* Id: policy.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */ |
| |
| /* |
| * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
| * All rights reserved. |
| * |
| * Redistribution and use in source and binary forms, with or without |
| * modification, are permitted provided that the following conditions |
| * are met: |
| * 1. Redistributions of source code must retain the above copyright |
| * notice, this list of conditions and the following disclaimer. |
| * 2. Redistributions in binary form must reproduce the above copyright |
| * notice, this list of conditions and the following disclaimer in the |
| * documentation and/or other materials provided with the distribution. |
| * 3. Neither the name of the project nor the names of its contributors |
| * may be used to endorse or promote products derived from this software |
| * without specific prior written permission. |
| * |
| * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
| * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
| * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| * SUCH DAMAGE. |
| */ |
| |
| #ifndef _POLICY_H |
| #define _POLICY_H |
| |
| #include <sys/queue.h> |
| |
| |
| #ifdef HAVE_SECCTX |
| #define MAX_CTXSTR_SIZE 50 |
| struct security_ctx { |
| u_int8_t ctx_doi; /* Security Context DOI */ |
| u_int8_t ctx_alg; /* Security Context Algorithm */ |
| u_int16_t ctx_strlen; /* Security Context stringlength |
| * (includes terminating NULL) |
| */ |
| char ctx_str[MAX_CTXSTR_SIZE]; /* Security Context string */ |
| }; |
| #endif |
| |
| /* refs. ipsec.h */ |
| /* |
| * Security Policy Index |
| * NOTE: Ensure to be same address family and upper layer protocol. |
| * NOTE: ul_proto, port number, uid, gid: |
| * ANY: reserved for waldcard. |
| * 0 to (~0 - 1): is one of the number of each value. |
| */ |
| struct policyindex { |
| u_int8_t dir; /* direction of packet flow, see blow */ |
| struct sockaddr_storage src; /* IP src address for SP */ |
| struct sockaddr_storage dst; /* IP dst address for SP */ |
| u_int8_t prefs; /* prefix length in bits for src */ |
| u_int8_t prefd; /* prefix length in bits for dst */ |
| u_int16_t ul_proto; /* upper layer Protocol */ |
| u_int32_t priority; /* priority for the policy */ |
| u_int64_t created; /* Used for generated SPD entries deletion */ |
| #ifdef HAVE_SECCTX |
| struct security_ctx sec_ctx; /* Security Context */ |
| #endif |
| }; |
| |
| /* Security Policy Data Base */ |
| struct secpolicy { |
| TAILQ_ENTRY(secpolicy) chain; |
| |
| struct policyindex spidx; /* selector */ |
| u_int32_t id; /* It's unique number on the system. */ |
| |
| u_int policy; /* DISCARD, NONE or IPSEC, see keyv2.h */ |
| struct ipsecrequest *req; |
| /* pointer to the ipsec request tree, */ |
| /* if policy == IPSEC else this value == NULL.*/ |
| |
| /* MIPv6 needs to perform negotiation of SA using different addresses |
| * than the endpoints of the SA (CoA for the source). In that case, |
| * MIGRATE msg provides that info (before movement occurs on the MN) */ |
| struct sockaddr *local; |
| struct sockaddr *remote; |
| }; |
| |
| /* Security Assocciation Index */ |
| /* NOTE: Ensure to be same address family */ |
| struct secasindex { |
| struct sockaddr_storage src; /* srouce address for SA */ |
| struct sockaddr_storage dst; /* destination address for SA */ |
| u_int16_t proto; /* IPPROTO_ESP or IPPROTO_AH */ |
| u_int8_t mode; /* mode of protocol, see ipsec.h */ |
| u_int32_t reqid; /* reqid id who owned this SA */ |
| /* see IPSEC_MANUAL_REQID_MAX. */ |
| }; |
| |
| /* Request for IPsec */ |
| struct ipsecrequest { |
| struct ipsecrequest *next; |
| /* pointer to next structure */ |
| /* If NULL, it means the end of chain. */ |
| |
| struct secasindex saidx;/* hint for search proper SA */ |
| /* if __ss_len == 0 then no address specified.*/ |
| u_int level; /* IPsec level defined below. */ |
| |
| struct secpolicy *sp; /* back pointer to SP */ |
| }; |
| |
| #ifdef HAVE_PFKEY_POLICY_PRIORITY |
| #define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _priority, _created, idx) \ |
| do { \ |
| bzero((idx), sizeof(struct policyindex)); \ |
| (idx)->dir = (_dir); \ |
| (idx)->prefs = (ps); \ |
| (idx)->prefd = (pd); \ |
| (idx)->ul_proto = (ulp); \ |
| (idx)->priority = (_priority); \ |
| (idx)->created = (_created); \ |
| memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s))); \ |
| memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d))); \ |
| } while (0) |
| #else |
| #define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _created, idx) \ |
| do { \ |
| bzero((idx), sizeof(struct policyindex)); \ |
| (idx)->dir = (_dir); \ |
| (idx)->prefs = (ps); \ |
| (idx)->prefd = (pd); \ |
| (idx)->ul_proto = (ulp); \ |
| (idx)->created = (_created); \ |
| memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s))); \ |
| memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d))); \ |
| } while (0) |
| #endif |
| |
| struct ph2handle; |
| struct policyindex; |
| extern struct secpolicy *getsp __P((struct policyindex *)); |
| extern struct secpolicy *getsp_r __P((struct policyindex *)); |
| struct secpolicy *getspbyspid __P((u_int32_t)); |
| extern int cmpspidxstrict __P((struct policyindex *, struct policyindex *)); |
| extern int cmpspidxwild __P((struct policyindex *, struct policyindex *)); |
| extern struct secpolicy *newsp __P((void)); |
| extern void delsp __P((struct secpolicy *)); |
| extern void delsp_bothdir __P((struct policyindex *)); |
| extern void inssp __P((struct secpolicy *)); |
| extern void remsp __P((struct secpolicy *)); |
| extern void flushsp __P((void)); |
| extern void initsp __P((void)); |
| extern struct ipsecrequest *newipsecreq __P((void)); |
| |
| extern const char *spidx2str __P((const struct policyindex *)); |
| #ifdef HAVE_SECCTX |
| #include <selinux/selinux.h> |
| extern int get_security_context __P((vchar_t *, struct policyindex *)); |
| extern void init_avc __P((void)); |
| extern int within_range __P((security_context_t, security_context_t)); |
| extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex)); |
| #endif |
| |
| #endif /* _POLICY_H */ |