keydb.h revision 330897 
1/*	$FreeBSD: stable/11/sys/netipsec/keydb.h 330897 2018-03-14 03:19:51Z eadler $	*/
2/*	$KAME: keydb.h,v 1.14 2000/08/02 17:58:26 sakane Exp $	*/
3
4/*-
5 * SPDX-License-Identifier: BSD-3-Clause
6 *
7 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 *    notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 *    notice, this list of conditions and the following disclaimer in the
17 *    documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the project nor the names of its contributors
19 *    may be used to endorse or promote products derived from this software
20 *    without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35#ifndef _NETIPSEC_KEYDB_H_
36#define _NETIPSEC_KEYDB_H_
37
38#ifdef _KERNEL
39#include <sys/counter.h>
40#include <sys/lock.h>
41#include <sys/mutex.h>
42
43#include <netipsec/key_var.h>
44
45#ifndef _SOCKADDR_UNION_DEFINED
46#define	_SOCKADDR_UNION_DEFINED
47/*
48 * The union of all possible address formats we handle.
49 */
50union sockaddr_union {
51	struct sockaddr		sa;
52	struct sockaddr_in	sin;
53	struct sockaddr_in6	sin6;
54};
55#endif /* _SOCKADDR_UNION_DEFINED */
56
57/* Security Assocciation Index */
58/* NOTE: Ensure to be same address family */
59struct secasindex {
60	union sockaddr_union src;	/* source address for SA */
61	union sockaddr_union dst;	/* destination address for SA */
62	uint8_t proto;			/* IPPROTO_ESP or IPPROTO_AH */
63	uint8_t mode;			/* mode of protocol, see ipsec.h */
64	uint32_t reqid;			/* reqid id who owned this SA */
65					/* see IPSEC_MANUAL_REQID_MAX. */
66};
67
68/*
69 * In order to split out the keydb implementation from that of the
70 * PF_KEY sockets we need to define a few structures that while they
71 * may seem common are likely to diverge over time.
72 */
73
74/* sadb_identity */
75struct secident {
76	u_int16_t type;
77	u_int64_t id;
78};
79
80/* sadb_key */
81struct seckey {
82	u_int16_t bits;
83	char *key_data;
84};
85
86struct seclifetime {
87	u_int32_t allocations;
88	u_int64_t bytes;
89	u_int64_t addtime;
90	u_int64_t usetime;
91};
92
93struct secnatt {
94	union sockaddr_union oai;	/* original addresses of initiator */
95	union sockaddr_union oar;	/* original address of responder */
96	uint16_t sport;			/* source port */
97	uint16_t dport;			/* destination port */
98	uint16_t cksum;			/* checksum delta */
99	uint16_t flags;
100#define	IPSEC_NATT_F_OAI	0x0001
101#define	IPSEC_NATT_F_OAR	0x0002
102};
103
104/* Security Association Data Base */
105TAILQ_HEAD(secasvar_queue, secasvar);
106struct secashead {
107	TAILQ_ENTRY(secashead) chain;
108	LIST_ENTRY(secashead) addrhash;	/* hash by sproto+src+dst addresses */
109	LIST_ENTRY(secashead) drainq;	/* used ONLY by flush callout */
110
111	struct secasindex saidx;
112
113	struct secident *idents;	/* source identity */
114	struct secident *identd;	/* destination identity */
115					/* XXX I don't know how to use them. */
116
117	volatile u_int refcnt;		/* reference count */
118	uint8_t state;			/* MATURE or DEAD. */
119	struct secasvar_queue savtree_alive;	/* MATURE and DYING SA */
120	struct secasvar_queue savtree_larval;	/* LARVAL SA */
121};
122
123struct xformsw;
124struct enc_xform;
125struct auth_hash;
126struct comp_algo;
127
128/*
129 * Security Association
130 *
131 * For INBOUND packets we do SA lookup using SPI, thus only SPIHASH is used.
132 * For OUTBOUND packets there may be several SA suitable for packet.
133 * We use key_preferred_oldsa variable to choose better SA. First of we do
134 * lookup for suitable SAH using packet's saidx. Then we use SAH's savtree
135 * to search better candidate. The newer SA (by created time) are placed
136 * in the beginning of the savtree list. There is no preference between
137 * DYING and MATURE.
138 *
139 * NB: Fields with a tdb_ prefix are part of the "glue" used
140 *     to interface to the OpenBSD crypto support.  This was done
141 *     to distinguish this code from the mainline KAME code.
142 * NB: Fields are sorted on the basis of the frequency of changes, i.e.
143 *     constants and unchangeable fields are going first.
144 * NB: if you want to change this structure, check that this will not break
145 *     key_updateaddresses().
146 */
147struct secasvar {
148	uint32_t spi;			/* SPI Value, network byte order */
149	uint32_t flags;			/* holder for SADB_KEY_FLAGS */
150	uint32_t seq;			/* sequence number */
151	pid_t pid;			/* message's pid */
152	u_int ivlen;			/* length of IV */
153
154	struct secashead *sah;		/* back pointer to the secashead */
155	struct seckey *key_auth;	/* Key for Authentication */
156	struct seckey *key_enc;	        /* Key for Encryption */
157	struct secreplay *replay;	/* replay prevention */
158	struct secnatt *natt;		/* NAT-T config */
159	struct mtx *lock;		/* update/access lock */
160
161	const struct xformsw *tdb_xform;	/* transform */
162	const struct enc_xform *tdb_encalgxform;/* encoding algorithm */
163	const struct auth_hash *tdb_authalgxform;/* authentication algorithm */
164	const struct comp_algo *tdb_compalgxform;/* compression algorithm */
165	uint64_t tdb_cryptoid;		/* crypto session id */
166
167	uint8_t alg_auth;		/* Authentication Algorithm Identifier*/
168	uint8_t alg_enc;		/* Cipher Algorithm Identifier */
169	uint8_t alg_comp;		/* Compression Algorithm Identifier */
170	uint8_t state;			/* Status of this SA (pfkeyv2.h) */
171
172	counter_u64_t lft_c;		/* CURRENT lifetime */
173#define	lft_c_allocations	lft_c
174#define	lft_c_bytes		lft_c + 1
175	struct seclifetime *lft_h;	/* HARD lifetime */
176	struct seclifetime *lft_s;	/* SOFT lifetime */
177
178	uint64_t created;		/* time when SA was created */
179	uint64_t firstused;		/* time when SA was first used */
180
181	TAILQ_ENTRY(secasvar) chain;
182	LIST_ENTRY(secasvar) spihash;
183	LIST_ENTRY(secasvar) drainq;	/* used ONLY by flush callout */
184
185	uint64_t cntr;			/* counter for GCM and CTR */
186	volatile u_int refcnt;		/* reference count */
187};
188
189#define	SECASVAR_LOCK(_sav)		mtx_lock((_sav)->lock)
190#define	SECASVAR_UNLOCK(_sav)		mtx_unlock((_sav)->lock)
191#define	SECASVAR_LOCK_ASSERT(_sav)	mtx_assert((_sav)->lock, MA_OWNED)
192#define	SAV_ISGCM(_sav)							\
193			((_sav)->alg_enc == SADB_X_EALG_AESGCM8 ||	\
194			(_sav)->alg_enc == SADB_X_EALG_AESGCM12 ||	\
195			(_sav)->alg_enc == SADB_X_EALG_AESGCM16)
196#define	SAV_ISCTR(_sav) ((_sav)->alg_enc == SADB_X_EALG_AESCTR)
197#define SAV_ISCTRORGCM(_sav)	(SAV_ISCTR((_sav)) || SAV_ISGCM((_sav)))
198
199/* Replay prevention, protected by SECASVAR_LOCK:
200 *  (m) locked by mtx
201 *  (c) read only except during creation / free
202 */
203struct secreplay {
204	u_int32_t count;	/* (m) */
205	u_int wsize;		/* (c) window size, i.g. 4 bytes */
206	u_int32_t seq;		/* (m) used by sender */
207	u_int32_t lastseq;	/* (m) used by receiver */
208	u_int32_t *bitmap;	/* (m) used by receiver */
209	u_int bitmap_size;	/* (c) size of the bitmap array */
210	int overflow;		/* (m) overflow flag */
211};
212
213/* socket table due to send PF_KEY messages. */
214struct secreg {
215	LIST_ENTRY(secreg) chain;
216
217	struct socket *so;
218};
219
220/* acquiring list table. */
221struct secacq {
222	LIST_ENTRY(secacq) chain;
223	LIST_ENTRY(secacq) addrhash;
224	LIST_ENTRY(secacq) seqhash;
225
226	struct secasindex saidx;
227	uint32_t seq;		/* sequence number */
228	time_t created;		/* for lifetime */
229	int count;		/* for lifetime */
230};
231
232/* Sensitivity Level Specification */
233/* nothing */
234
235#define SADB_KILL_INTERVAL	600	/* six seconds */
236
237/* secpolicy */
238extern struct secpolicy *keydb_newsecpolicy(void);
239extern void keydb_delsecpolicy(struct secpolicy *);
240/* secashead */
241extern struct secashead *keydb_newsecashead(void);
242extern void keydb_delsecashead(struct secashead *);
243/* secasvar */
244extern struct secasvar *keydb_newsecasvar(void);
245extern void keydb_refsecasvar(struct secasvar *);
246extern void keydb_freesecasvar(struct secasvar *);
247/* secreplay */
248extern struct secreplay *keydb_newsecreplay(size_t);
249extern void keydb_delsecreplay(struct secreplay *);
250/* secreg */
251extern struct secreg *keydb_newsecreg(void);
252extern void keydb_delsecreg(struct secreg *);
253
254#endif /* _KERNEL */
255
256#endif /* _NETIPSEC_KEYDB_H_ */
257