xref: /freebsd/sys/netipsec/ipsec_support.h (revision 78ae60b447ebf420dd5cebfec30480866fd5cef4)
1 /*-
2  * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26 
27 #ifndef _NETIPSEC_IPSEC_SUPPORT_H_
28 #define	_NETIPSEC_IPSEC_SUPPORT_H_
29 
30 #ifdef _KERNEL
31 #if defined(IPSEC) || defined(IPSEC_SUPPORT)
32 struct mbuf;
33 struct inpcb;
34 struct tcphdr;
35 struct sockopt;
36 struct sockaddr;
37 struct ipsec_support;
38 struct tcpmd5_support;
39 struct icmp;
40 struct ip6ctlparam;
41 
42 typedef union {
43 	struct icmp *icmp;
44 	struct ip6ctlparam *ip6cp;
45 } ipsec_ctlinput_param_t __attribute__((__transparent_union__));
46 
47 size_t ipsec_hdrsiz_inpcb(struct inpcb *);
48 int ipsec_init_pcbpolicy(struct inpcb *);
49 int ipsec_delete_pcbpolicy(struct inpcb *);
50 int ipsec_copy_pcbpolicy(struct inpcb *, struct inpcb *);
51 
52 #ifdef INET
53 int udp_ipsec_input(struct mbuf *, int, int);
54 int udp_ipsec_pcbctl(struct inpcb *, struct sockopt *);
55 int ipsec4_in_reject(const struct mbuf *, struct inpcb *);
56 int ipsec4_input(struct mbuf *, int, int);
57 int ipsec4_forward(struct mbuf *);
58 int ipsec4_pcbctl(struct inpcb *, struct sockopt *);
59 int ipsec4_output(struct mbuf *, struct inpcb *);
60 int ipsec4_capability(struct mbuf *, u_int);
61 int ipsec4_ctlinput(ipsec_ctlinput_param_t);
62 #endif /* INET */
63 
64 #ifdef INET6
65 int ipsec6_input(struct mbuf *, int, int);
66 int ipsec6_in_reject(const struct mbuf *, struct inpcb *);
67 int ipsec6_forward(struct mbuf *);
68 int ipsec6_pcbctl(struct inpcb *, struct sockopt *);
69 int ipsec6_output(struct mbuf *, struct inpcb *);
70 int ipsec6_capability(struct mbuf *, u_int);
71 int ipsec6_ctlinput(ipsec_ctlinput_param_t);
72 #endif /* INET6 */
73 
74 struct ipsec_methods {
75 	int	(*input)(struct mbuf *, int, int);
76 	int	(*check_policy)(const struct mbuf *, struct inpcb *);
77 	int	(*forward)(struct mbuf *);
78 	int	(*output)(struct mbuf *, struct inpcb *);
79 	int	(*pcbctl)(struct inpcb *, struct sockopt *);
80 	size_t	(*hdrsize)(struct inpcb *);
81 	int	(*capability)(struct mbuf *, u_int);
82 	int	(*ctlinput)(ipsec_ctlinput_param_t);
83 
84 	int	(*udp_input)(struct mbuf *, int, int);
85 	int	(*udp_pcbctl)(struct inpcb *, struct sockopt *);
86 };
87 #define	IPSEC_CAP_OPERABLE		1
88 #define	IPSEC_CAP_BYPASS_FILTER		2
89 
90 struct tcpmd5_methods {
91 	int	(*input)(struct mbuf *, struct tcphdr *, u_char *);
92 	int	(*output)(struct mbuf *, struct tcphdr *, u_char *);
93 	int	(*pcbctl)(struct inpcb *, struct sockopt *);
94 };
95 
96 #define	IPSEC_MODULE_ENABLED	0x0001
97 #define	IPSEC_ENABLED(proto)	\
98     ((proto ## _ipsec_support)->enabled & IPSEC_MODULE_ENABLED)
99 #define	TCPMD5_ENABLED()	IPSEC_ENABLED(tcp)
100 
101 #ifdef TCP_SIGNATURE
102 /* TCP-MD5 build in the kernel */
103 struct tcpmd5_support {
104 	const u_int enabled;
105 	const struct tcpmd5_methods * const methods;
106 };
107 extern const struct tcpmd5_support * const tcp_ipsec_support;
108 
109 #define	TCPMD5_INPUT(m, ...)		\
110     (*tcp_ipsec_support->methods->input)(m, __VA_ARGS__)
111 #define	TCPMD5_OUTPUT(m, ...)		\
112     (*tcp_ipsec_support->methods->output)(m, __VA_ARGS__)
113 #define	TCPMD5_PCBCTL(inp, sopt)	\
114     (*tcp_ipsec_support->methods->pcbctl)(inp, sopt)
115 #elif defined(IPSEC_SUPPORT)
116 /* TCP-MD5 build as module */
117 struct tcpmd5_support {
118 	volatile u_int enabled;
119 	const struct tcpmd5_methods * volatile methods;
120 };
121 extern struct tcpmd5_support * const tcp_ipsec_support;
122 
123 void tcpmd5_support_enable(const struct tcpmd5_methods * const);
124 void tcpmd5_support_disable(void);
125 
126 int tcpmd5_kmod_pcbctl(struct tcpmd5_support * const, struct inpcb *,
127     struct sockopt *);
128 int tcpmd5_kmod_input(struct tcpmd5_support * const, struct mbuf *,
129     struct tcphdr *, u_char *);
130 int tcpmd5_kmod_output(struct tcpmd5_support * const, struct mbuf *,
131     struct tcphdr *, u_char *);
132 #define	TCPMD5_INPUT(m, ...)		\
133     tcpmd5_kmod_input(tcp_ipsec_support, m, __VA_ARGS__)
134 #define	TCPMD5_OUTPUT(m, ...)		\
135     tcpmd5_kmod_output(tcp_ipsec_support, m, __VA_ARGS__)
136 #define	TCPMD5_PCBCTL(inp, sopt)	\
137     tcpmd5_kmod_pcbctl(tcp_ipsec_support, inp, sopt)
138 #endif
139 
140 #endif /* IPSEC || IPSEC_SUPPORT */
141 
142 #if defined(IPSEC)
143 struct ipsec_support {
144 	const u_int enabled;
145 	const struct ipsec_methods * const methods;
146 };
147 extern const struct ipsec_support * const ipv4_ipsec_support;
148 extern const struct ipsec_support * const ipv6_ipsec_support;
149 
150 #define	IPSEC_INPUT(proto, m, ...)		\
151     (*(proto ## _ipsec_support)->methods->input)(m, __VA_ARGS__)
152 #define	IPSEC_CHECK_POLICY(proto, m, ...)	\
153     (*(proto ## _ipsec_support)->methods->check_policy)(m, __VA_ARGS__)
154 #define	IPSEC_FORWARD(proto, m)		\
155     (*(proto ## _ipsec_support)->methods->forward)(m)
156 #define	IPSEC_OUTPUT(proto, m, ...)		\
157     (*(proto ## _ipsec_support)->methods->output)(m, __VA_ARGS__)
158 #define	IPSEC_PCBCTL(proto, inp, sopt)		\
159     (*(proto ## _ipsec_support)->methods->pcbctl)(inp, sopt)
160 #define	IPSEC_CAPS(proto, m, ...)		\
161     (*(proto ## _ipsec_support)->methods->capability)(m, __VA_ARGS__)
162 #define	IPSEC_HDRSIZE(proto, inp)		\
163     (*(proto ## _ipsec_support)->methods->hdrsize)(inp)
164 #define	IPSEC_CTLINPUT(proto, param)		\
165     (*(proto ## _ipsec_support)->methods->ctlinput)(param)
166 
167 #define	UDPENCAP_INPUT(proto, m, ...)			\
168     (*(proto ## _ipsec_support)->methods->udp_input)(m, __VA_ARGS__)
169 #define	UDPENCAP_PCBCTL(proto, inp, sopt)		\
170     (*(proto ## _ipsec_support)->methods->udp_pcbctl)(inp, sopt)
171 
172 #elif defined(IPSEC_SUPPORT)
173 struct ipsec_support {
174 	volatile u_int enabled;
175 	const struct ipsec_methods * volatile methods;
176 };
177 extern struct ipsec_support * const ipv4_ipsec_support;
178 extern struct ipsec_support * const ipv6_ipsec_support;
179 
180 void ipsec_support_enable(struct ipsec_support * const,
181     const struct ipsec_methods * const);
182 void ipsec_support_disable(struct ipsec_support * const);
183 
184 int ipsec_kmod_input(struct ipsec_support * const, struct mbuf *, int, int);
185 int ipsec_kmod_check_policy(struct ipsec_support * const, struct mbuf *,
186     struct inpcb *);
187 int ipsec_kmod_forward(struct ipsec_support * const, struct mbuf *);
188 int ipsec_kmod_output(struct ipsec_support * const, struct mbuf *,
189     struct inpcb *);
190 int ipsec_kmod_pcbctl(struct ipsec_support * const, struct inpcb *,
191     struct sockopt *);
192 int ipsec_kmod_capability(struct ipsec_support * const, struct mbuf *, u_int);
193 size_t ipsec_kmod_hdrsize(struct ipsec_support * const, struct inpcb *);
194 int ipsec_kmod_ctlinput(struct ipsec_support *, ipsec_ctlinput_param_t);
195 int ipsec_kmod_udp_input(struct ipsec_support * const, struct mbuf *, int, int);
196 int ipsec_kmod_udp_pcbctl(struct ipsec_support * const, struct inpcb *,
197     struct sockopt *);
198 
199 #define	UDPENCAP_INPUT(proto, m, ...)		\
200     ipsec_kmod_udp_input(proto ## _ipsec_support, m, __VA_ARGS__)
201 #define	UDPENCAP_PCBCTL(proto, inp, sopt)	\
202     ipsec_kmod_udp_pcbctl(proto ## _ipsec_support, inp, sopt)
203 
204 #define	IPSEC_INPUT(proto, ...)		\
205     ipsec_kmod_input(proto ## _ipsec_support, __VA_ARGS__)
206 #define	IPSEC_CHECK_POLICY(proto, ...)	\
207     ipsec_kmod_check_policy(proto ## _ipsec_support, __VA_ARGS__)
208 #define	IPSEC_FORWARD(proto, ...)	\
209     ipsec_kmod_forward(proto ## _ipsec_support, __VA_ARGS__)
210 #define	IPSEC_OUTPUT(proto, ...)	\
211     ipsec_kmod_output(proto ## _ipsec_support, __VA_ARGS__)
212 #define	IPSEC_PCBCTL(proto, ...)	\
213     ipsec_kmod_pcbctl(proto ## _ipsec_support, __VA_ARGS__)
214 #define	IPSEC_CAPS(proto, ...)		\
215     ipsec_kmod_capability(proto ## _ipsec_support, __VA_ARGS__)
216 #define	IPSEC_HDRSIZE(proto, ...)	\
217     ipsec_kmod_hdrsize(proto ## _ipsec_support, __VA_ARGS__)
218 #define	IPSEC_CTLINPUT(proto, ...)	\
219     ipsec_kmod_ctlinput(proto ## _ipsec_support, __VA_ARGS__)
220 #endif /* IPSEC_SUPPORT */
221 #endif /* _KERNEL */
222 #endif /* _NETIPSEC_IPSEC_SUPPORT_H_ */
223