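/* $FreeBSD: head/sys/netipsec/keydb.h 204074 2010-02-18 22:34:29Z pjd $ */
/* $KAME: keydb.h,v 1.14 2000/08/02 17:58:26 sakane Exp $ */

/*-
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * Kernel-side key database (SAD) structures shared between the IPsec
 * transforms and the PF_KEY socket code.  Only struct layouts, lock
 * macros and allocator prototypes live here; no behaviour is defined.
 */

#ifndef _NETIPSEC_KEYDB_H_
#define _NETIPSEC_KEYDB_H_

#ifdef _KERNEL

#include <netipsec/key_var.h>

#ifndef _SOCKADDR_UNION_DEFINED
#define _SOCKADDR_UNION_DEFINED
/*
 * The union of all possible address formats we handle.
 */
union sockaddr_union {
	struct sockaddr sa;
	struct sockaddr_in sin;
	struct sockaddr_in6 sin6;
};
#endif /* _SOCKADDR_UNION_DEFINED */

/*
 * Security Association Index: the tuple that identifies an SA bucket.
 * NOTE: src and dst must be of the same address family.
 */
struct secasindex {
	union sockaddr_union src;	/* source address for SA */
	union sockaddr_union dst;	/* destination address for SA */
	u_int16_t proto;		/* IPPROTO_ESP or IPPROTO_AH */
	u_int8_t mode;			/* mode of protocol, see ipsec.h */
	u_int32_t reqid;		/* request id that owns this SA; */
					/* see IPSEC_MANUAL_REQID_MAX. */
};

/*
 * In order to split out the keydb implementation from that of the
 * PF_KEY sockets we need to define a few structures that, while they
 * may seem common, are likely to diverge over time.
 */

/* sadb_identity */
struct secident {
	u_int16_t type;
	u_int64_t id;
};

/*
 * sadb_key: raw key material for one algorithm.
 * NOTE(review): key_data is secret material.  This header does not
 * show who allocates or releases it; whichever side frees it should
 * scrub the bytes first -- confirm in the keydb implementation.
 */
struct seckey {
	u_int16_t bits;			/* key length, in bits */
	char *key_data;			/* key bytes (not NUL-terminated) */
};

/* Lifetime counters/limits (see lft_c/lft_h/lft_s in struct secasvar). */
struct seclifetime {
	u_int32_t allocations;
	u_int64_t bytes;
	u_int64_t addtime;
	u_int64_t usetime;
};

/*
 * Security Association Data Base: one head per secasindex, holding
 * the SAs for that index bucketed by state.
 */
struct secashead {
	LIST_ENTRY(secashead) chain;

	struct secasindex saidx;

	struct secident *idents;	/* source identity */
	struct secident *identd;	/* destination identity */
					/* XXX I don't know how to use them. */

	u_int8_t state;			/* MATURE or DEAD. */
	LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
					/* SA chain, one list per SA state */
					/* The first of each list is the newer SA */

	struct route sa_route;		/* route cache */
};

struct xformsw;
struct enc_xform;
struct auth_hash;
struct comp_algo;

/*
 * Security Association.
 *
 * One entry per SA, hung off secashead::savtree[] by state.  `lock'
 * guards updates/access (see the SECASVAR_* macros below); `refcnt'
 * is manipulated through keydb_refsecasvar()/keydb_freesecasvar()
 * declared at the end of this header.
 */
struct secasvar {
	LIST_ENTRY(secasvar) chain;
	struct mtx lock;		/* update/access lock */

	u_int refcnt;			/* reference count */
	u_int8_t state;			/* Status of this Association */

	u_int8_t alg_auth;		/* Authentication Algorithm Identifier */
	u_int8_t alg_enc;		/* Cipher Algorithm Identifier */
	u_int8_t alg_comp;		/* Compression Algorithm Identifier */
	u_int32_t spi;			/* SPI Value, network byte order */
	u_int32_t flags;		/* holder for SADB_KEY_FLAGS */

	struct seckey *key_auth;	/* Key for Authentication */
	struct seckey *key_enc;		/* Key for Encryption */
	caddr_t iv;			/* Initialization Vector */
	u_int ivlen;			/* length of IV */
	void *sched;			/* intermediate encryption key */
	size_t schedlen;		/* size of sched (presumably bytes) */

	struct secreplay *replay;	/* replay prevention */
	time_t created;			/* for lifetime */

	struct seclifetime *lft_c;	/* CURRENT lifetime, it's constant. */
	struct seclifetime *lft_h;	/* HARD lifetime */
	struct seclifetime *lft_s;	/* SOFT lifetime */

	u_int32_t seq;			/* sequence number */
	pid_t pid;			/* message's pid */

	struct secashead *sah;		/* back pointer to the secashead */

	/*
	 * NB: Fields with a tdb_ prefix are part of the "glue" used
	 * to interface to the OpenBSD crypto support.  This was done
	 * to distinguish this code from the mainline KAME code.
	 */
	struct xformsw *tdb_xform;		/* transform */
	struct enc_xform *tdb_encalgxform;	/* encoding algorithm */
	struct auth_hash *tdb_authalgxform;	/* authentication algorithm */
	struct comp_algo *tdb_compalgxform;	/* compression algorithm */
	u_int64_t tdb_cryptoid;			/* crypto session id */

	/*
	 * NAT-Traversal.
	 */
	u_int16_t natt_type;		/* IKE/ESP-marker in output. */
	u_int16_t natt_esp_frag_len;	/* MTU for payload fragmentation. */
};

/* Per-SA mutex wrappers; LOCK_ASSERT checks the mutex is held by the caller. */
#define SECASVAR_LOCK_INIT(_sav) \
	mtx_init(&(_sav)->lock, "ipsec association", NULL, MTX_DEF)
#define SECASVAR_LOCK(_sav)		mtx_lock(&(_sav)->lock)
#define SECASVAR_UNLOCK(_sav)		mtx_unlock(&(_sav)->lock)
#define SECASVAR_LOCK_DESTROY(_sav)	mtx_destroy(&(_sav)->lock)
#define SECASVAR_LOCK_ASSERT(_sav)	mtx_assert(&(_sav)->lock, MA_OWNED)

/*
 * Replay prevention state, one per SA (secasvar::replay).
 * `seq' is used on the sending side; `lastseq' and `bitmap' hold the
 * receiver's window of `wsize' bytes.
 */
struct secreplay {
	u_int32_t count;
	u_int wsize;			/* window size, e.g. 4 bytes */
	u_int32_t seq;			/* used by sender */
	u_int32_t lastseq;		/* used by receiver */
	caddr_t bitmap;			/* used by receiver */
	int overflow;			/* overflow flag */
};

/* Table of sockets used for PF_KEY messages. */
struct secreg {
	LIST_ENTRY(secreg) chain;

	struct socket *so;
};

/* Table of pending acquire requests. */
struct secacq {
	LIST_ENTRY(secacq) chain;

	struct secasindex saidx;

	u_int32_t seq;			/* sequence number */
	time_t created;			/* for lifetime */
	int count;			/* for lifetime */
};

/* Sensitivity Level Specification */
/* nothing */

/*
 * NOTE(review): the previous comment read "six seconds", which does not
 * match the value 600.  The unit is not defined in this header; confirm
 * it against the code that consumes this constant before relying on it.
 */
#define SADB_KILL_INTERVAL	600

/*
 * Allocation / release entry points.  By naming convention each
 * keydb_new*() object is handed back to the matching keydb_del*() (or,
 * for secasvar, reference-counted via keydb_refsecasvar()/
 * keydb_freesecasvar()); the implementation is not part of this header.
 */
struct secpolicy;

/* secpolicy */
extern struct secpolicy *keydb_newsecpolicy(void);
extern void keydb_delsecpolicy(struct secpolicy *);
/* secashead */
extern struct secashead *keydb_newsecashead(void);
extern void keydb_delsecashead(struct secashead *);
/* secasvar */
extern struct secasvar *keydb_newsecasvar(void);
extern void keydb_refsecasvar(struct secasvar *);
extern void keydb_freesecasvar(struct secasvar *);
/* secreplay */
extern struct secreplay *keydb_newsecreplay(size_t);	/* arg: presumably window size */
extern void keydb_delsecreplay(struct secreplay *);
/* secreg */
extern struct secreg *keydb_newsecreg(void);
extern void keydb_delsecreg(struct secreg *);

#endif /* _KERNEL */

#endif /* _NETIPSEC_KEYDB_H_ */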