1/*	$NetBSD: policy.h,v 1.5.4.2 2007/06/07 20:34:19 manu Exp $	*/
2
3/* Id: policy.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in the
16 *    documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34#ifndef _POLICY_H
35#define _POLICY_H
36
37#include <sys/queue.h>
38
39
40#ifdef HAVE_SECCTX
41#define MAX_CTXSTR_SIZE 50
42struct security_ctx {
43	u_int8_t ctx_doi;       /* Security Context DOI */
44	u_int8_t ctx_alg;       /* Security Context Algorithm */
45	u_int16_t ctx_strlen;   /* Security Context stringlength
46				 * (includes terminating NULL)
47				 */
48	char ctx_str[MAX_CTXSTR_SIZE];  /* Security Context string */
49};
50#endif
51
52/* refs. ipsec.h */
53/*
54 * Security Policy Index
55 * NOTE: Ensure to be same address family and upper layer protocol.
56 * NOTE: ul_proto, port number, uid, gid:
57 *	ANY: reserved for waldcard.
58 *	0 to (~0 - 1): is one of the number of each value.
59 */
60struct policyindex {
61	u_int8_t dir;			/* direction of packet flow, see blow */
62	struct sockaddr_storage src;	/* IP src address for SP */
63	struct sockaddr_storage dst;	/* IP dst address for SP */
64	u_int8_t prefs;			/* prefix length in bits for src */
65	u_int8_t prefd;			/* prefix length in bits for dst */
66	u_int16_t ul_proto;		/* upper layer Protocol */
67	u_int32_t priority;		/* priority for the policy */
68 	u_int64_t created;		/* Used for generated SPD entries deletion */
69#ifdef HAVE_SECCTX
70	struct security_ctx sec_ctx;    /* Security Context */
71#endif
72};
73
74/* Security Policy Data Base */
75struct secpolicy {
76	TAILQ_ENTRY(secpolicy) chain;
77
78	struct policyindex spidx;	/* selector */
79	u_int32_t id;			/* It's unique number on the system. */
80
81	u_int policy;		/* DISCARD, NONE or IPSEC, see keyv2.h */
82	struct ipsecrequest *req;
83				/* pointer to the ipsec request tree, */
84				/* if policy == IPSEC else this value == NULL.*/
85};
86
87/* Security Assocciation Index */
88/* NOTE: Ensure to be same address family */
89struct secasindex {
90	struct sockaddr_storage src;	/* srouce address for SA */
91	struct sockaddr_storage dst;	/* destination address for SA */
92	u_int16_t proto;		/* IPPROTO_ESP or IPPROTO_AH */
93	u_int8_t mode;			/* mode of protocol, see ipsec.h */
94	u_int32_t reqid;		/* reqid id who owned this SA */
95					/* see IPSEC_MANUAL_REQID_MAX. */
96};
97
98/* Request for IPsec */
99struct ipsecrequest {
100	struct ipsecrequest *next;
101				/* pointer to next structure */
102				/* If NULL, it means the end of chain. */
103
104	struct secasindex saidx;/* hint for search proper SA */
105				/* if __ss_len == 0 then no address specified.*/
106	u_int level;		/* IPsec level defined below. */
107
108	struct secpolicy *sp;	/* back pointer to SP */
109};
110
111#ifdef HAVE_PFKEY_POLICY_PRIORITY
112#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _priority, _created, idx)              \
113do {                                                                         \
114	memset((idx), 0, sizeof(struct policyindex));                        \
115	(idx)->dir = (_dir);                                                 \
116	(idx)->prefs = (ps);                                                 \
117	(idx)->prefd = (pd);                                                 \
118	(idx)->ul_proto = (ulp);                                             \
119	(idx)->priority = (_priority);                                        \
120	(idx)->created = (_created);                                        \
121	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
122	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
123} while (0)
124#else
125#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _created, idx)              \
126do {                                                                         \
127	memset((idx), 0, sizeof(struct policyindex));                        \
128	(idx)->dir = (_dir);                                                 \
129	(idx)->prefs = (ps);                                                 \
130	(idx)->prefd = (pd);                                                 \
131	(idx)->ul_proto = (ulp);                                             \
132	(idx)->created = (_created);                                        \
133	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
134	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
135} while (0)
136#endif
137
138struct ph2handle;
139struct policyindex;
140extern struct secpolicy *getsp __P((struct policyindex *));
141extern struct secpolicy *getsp_r __P((struct policyindex *));
142struct secpolicy *getspbyspid __P((u_int32_t));
143extern int cmpspidxstrict __P((struct policyindex *, struct policyindex *));
144extern int cmpspidxwild __P((struct policyindex *, struct policyindex *));
145extern struct secpolicy *newsp __P((void));
146extern void delsp __P((struct secpolicy *));
147extern void delsp_bothdir __P((struct policyindex *));
148extern void inssp __P((struct secpolicy *));
149extern void remsp __P((struct secpolicy *));
150extern void flushsp __P((void));
151extern void initsp __P((void));
152extern struct ipsecrequest *newipsecreq __P((void));
153
154extern const char *spidx2str __P((const struct policyindex *));
155#ifdef HAVE_SECCTX
156#include <selinux/selinux.h>
157extern int get_security_context __P((vchar_t *, struct policyindex *));
158extern void init_avc __P((void));
159extern int within_range __P((security_context_t, security_context_t));
160extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex));
161#endif
162
163#endif /* _POLICY_H */
164