keydb.h revision 157123
1353944Sdim/* $FreeBSD: head/sys/netipsec/keydb.h 157123 2006-03-25 13:38:52Z gnn $ */ 2353944Sdim/* $KAME: keydb.h,v 1.14 2000/08/02 17:58:26 sakane Exp $ */ 3353944Sdim 4353944Sdim/*- 5353944Sdim * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6353944Sdim * All rights reserved. 7353944Sdim * 8353944Sdim * Redistribution and use in source and binary forms, with or without 9353944Sdim * modification, are permitted provided that the following conditions 10353944Sdim * are met: 11353944Sdim * 1. Redistributions of source code must retain the above copyright 12353944Sdim * notice, this list of conditions and the following disclaimer. 13353944Sdim * 2. Redistributions in binary form must reproduce the above copyright 14353944Sdim * notice, this list of conditions and the following disclaimer in the 15353944Sdim * documentation and/or other materials provided with the distribution. 16353944Sdim * 3. Neither the name of the project nor the names of its contributors 17353944Sdim * may be used to endorse or promote products derived from this software 18353944Sdim * without specific prior written permission. 19353944Sdim * 20353944Sdim * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21353944Sdim * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22353944Sdim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23353944Sdim * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24353944Sdim * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25353944Sdim * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26353944Sdim * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27353944Sdim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28353944Sdim * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29353944Sdim * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30353944Sdim * SUCH DAMAGE. 31353944Sdim */ 32353944Sdim 33353944Sdim#ifndef _NETIPSEC_KEYDB_H_ 34353944Sdim#define _NETIPSEC_KEYDB_H_ 35353944Sdim 36353944Sdim#ifdef _KERNEL 37353944Sdim 38353944Sdim#include <netipsec/key_var.h> 39353944Sdim 40353944Sdim#ifndef _SOCKADDR_UNION_DEFINED 41353944Sdim#define _SOCKADDR_UNION_DEFINED 42353944Sdim/* 43353944Sdim * The union of all possible address formats we handle. 44353944Sdim */ 45353944Sdimunion sockaddr_union { 46353944Sdim struct sockaddr sa; 47353944Sdim struct sockaddr_in sin; 48353944Sdim struct sockaddr_in6 sin6; 49353944Sdim}; 50353944Sdim#endif /* _SOCKADDR_UNION_DEFINED */ 51353944Sdim 52353944Sdim/* Security Assocciation Index */ 53353944Sdim/* NOTE: Ensure to be same address family */ 54353944Sdimstruct secasindex { 55353944Sdim union sockaddr_union src; /* srouce address for SA */ 56353944Sdim union sockaddr_union dst; /* destination address for SA */ 57353944Sdim u_int16_t proto; /* IPPROTO_ESP or IPPROTO_AH */ 58353944Sdim u_int8_t mode; /* mode of protocol, see ipsec.h */ 59353944Sdim u_int32_t reqid; /* reqid id who owned this SA */ 60353944Sdim /* see IPSEC_MANUAL_REQID_MAX. */ 61353944Sdim}; 62353944Sdim 63353944Sdim/* 64353944Sdim * In order to split out the keydb implementation from that of the 65353944Sdim * PF_KEY sockets we need to define a few structures that while they 66353944Sdim * may seem common are likely to diverge over time. 67353944Sdim */ 68353944Sdim 69353944Sdim/* sadb_identity */ 70353944Sdimstruct secident { 71353944Sdim u_int16_t type; 72 u_int64_t id; 73}; 74 75/* sadb_key */ 76struct seckey { 77 u_int16_t bits; 78 char *key_data; 79}; 80 81struct seclifetime { 82 u_int32_t allocations; 83 u_int64_t bytes; 84 u_int64_t addtime; 85 u_int64_t usetime; 86}; 87 88/* Security Association Data Base */ 89struct secashead { 90 LIST_ENTRY(secashead) chain; 91 92 struct secasindex saidx; 93 94 struct secident *idents; /* source identity */ 95 struct secident *identd; /* destination identity */ 96 /* XXX I don't know how to use them. */ 97 98 u_int8_t state; /* MATURE or DEAD. */ 99 LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1]; 100 /* SA chain */ 101 /* The first of this list is newer SA */ 102 103 struct route sa_route; /* route cache */ 104}; 105 106struct xformsw; 107struct enc_xform; 108struct auth_hash; 109struct comp_algo; 110 111/* Security Association */ 112struct secasvar { 113 LIST_ENTRY(secasvar) chain; 114 struct mtx lock; /* update/access lock */ 115 116 u_int refcnt; /* reference count */ 117 u_int8_t state; /* Status of this Association */ 118 119 u_int8_t alg_auth; /* Authentication Algorithm Identifier*/ 120 u_int8_t alg_enc; /* Cipher Algorithm Identifier */ 121 u_int8_t alg_comp; /* Compression Algorithm Identifier */ 122 u_int32_t spi; /* SPI Value, network byte order */ 123 u_int32_t flags; /* holder for SADB_KEY_FLAGS */ 124 125 struct seckey *key_auth; /* Key for Authentication */ 126 struct seckey *key_enc; /* Key for Encryption */ 127 caddr_t iv; /* Initilization Vector */ 128 u_int ivlen; /* length of IV */ 129 void *sched; /* intermediate encryption key */ 130 size_t schedlen; 131 132 struct secreplay *replay; /* replay prevention */ 133 time_t created; /* for lifetime */ 134 135 struct seclifetime *lft_c; /* CURRENT lifetime, it's constant. */ 136 struct seclifetime *lft_h; /* HARD lifetime */ 137 struct seclifetime *lft_s; /* SOFT lifetime */ 138 139 u_int32_t seq; /* sequence number */ 140 pid_t pid; /* message's pid */ 141 142 struct secashead *sah; /* back pointer to the secashead */ 143 144 /* 145 * NB: Fields with a tdb_ prefix are part of the "glue" used 146 * to interface to the OpenBSD crypto support. This was done 147 * to distinguish this code from the mainline KAME code. 148 */ 149 struct xformsw *tdb_xform; /* transform */ 150 struct enc_xform *tdb_encalgxform; /* encoding algorithm */ 151 struct auth_hash *tdb_authalgxform; /* authentication algorithm */ 152 struct comp_algo *tdb_compalgxform; /* compression algorithm */ 153 u_int64_t tdb_cryptoid; /* crypto session id */ 154}; 155 156#define SECASVAR_LOCK_INIT(_sav) \ 157 mtx_init(&(_sav)->lock, "ipsec association", NULL, MTX_DEF) 158#define SECASVAR_LOCK(_sav) mtx_lock(&(_sav)->lock) 159#define SECASVAR_UNLOCK(_sav) mtx_unlock(&(_sav)->lock) 160#define SECASVAR_LOCK_DESTROY(_sav) mtx_destroy(&(_sav)->lock) 161#define SECASVAR_LOCK_ASSERT(_sav) mtx_assert(&(_sav)->lock, MA_OWNED) 162 163/* replay prevention */ 164struct secreplay { 165 u_int32_t count; 166 u_int wsize; /* window size, i.g. 4 bytes */ 167 u_int32_t seq; /* used by sender */ 168 u_int32_t lastseq; /* used by receiver */ 169 caddr_t bitmap; /* used by receiver */ 170 int overflow; /* overflow flag */ 171}; 172 173/* socket table due to send PF_KEY messages. */ 174struct secreg { 175 LIST_ENTRY(secreg) chain; 176 177 struct socket *so; 178}; 179 180/* acquiring list table. */ 181struct secacq { 182 LIST_ENTRY(secacq) chain; 183 184 struct secasindex saidx; 185 186 u_int32_t seq; /* sequence number */ 187 time_t created; /* for lifetime */ 188 int count; /* for lifetime */ 189}; 190 191/* Sensitivity Level Specification */ 192/* nothing */ 193 194#define SADB_KILL_INTERVAL 600 /* six seconds */ 195 196/* secpolicy */ 197extern struct secpolicy *keydb_newsecpolicy __P((void)); 198extern void keydb_delsecpolicy __P((struct secpolicy *)); 199/* secashead */ 200extern struct secashead *keydb_newsecashead __P((void)); 201extern void keydb_delsecashead __P((struct secashead *)); 202/* secasvar */ 203extern struct secasvar *keydb_newsecasvar __P((void)); 204extern void keydb_refsecasvar __P((struct secasvar *)); 205extern void keydb_freesecasvar __P((struct secasvar *)); 206/* secreplay */ 207extern struct secreplay *keydb_newsecreplay __P((size_t)); 208extern void keydb_delsecreplay __P((struct secreplay *)); 209/* secreg */ 210extern struct secreg *keydb_newsecreg __P((void)); 211extern void keydb_delsecreg __P((struct secreg *)); 212 213#endif /* _KERNEL */ 214 215#endif /* _NETIPSEC_KEYDB_H_ */ 216