1/*	$OpenBSD: ip_ipsp.h,v 1.23 1999/02/17 20:39:17 deraadt Exp $	*/
2
3/*
4 * The authors of this code are John Ioannidis (ji@tla.org),
5 * Angelos D. Keromytis (kermit@csd.uch.gr) and
6 * Niels Provos (provos@physnet.uni-hamburg.de).
7 *
8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
9 * in November 1995.
10 *
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
13 *
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15 * and Niels Provos.
16 *
17 * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
18 * and Niels Provos.
19 *
20 * Permission to use, copy, and modify this software without fee
21 * is hereby granted, provided that this entire notice is included in
22 * all copies of any software which is or includes a copy or
23 * modification of this software.
24 * You may use this code under the GNU public license if you so wish. Please
25 * contribute changes back to the authors under this freer than GPL license
26 * so that we may further the use of strong encryption without limitations to
27 * all.
28 *
29 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
30 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
31 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
32 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
33 * PURPOSE.
34 */
35
36/*
37 * IPSP global definitions.
38 */
39
/*
 * Pending expiration record for one SA.  The SA is identified by the same
 * (dst, spi, sproto) triple that cleanup_expirations() and gettdb() take
 * (order inferred from the parameter types; confirm against the
 * definitions).  Records live on a doubly linked list whose head is
 * explist (_KERNEL only) and are presumably serviced by
 * handle_expirations().
 */
struct expiration {
	u_int32_t	exp_timeout;	/* NOTE(review): 32-bit here while the
					 * tdb keeps tdb_exp_timeout as
					 * u_int64_t -- confirm no truncation
					 * where this is filled in */
	struct in_addr	exp_dst;	/* destination address of the SA */
	u_int32_t	exp_spi;	/* SPI of the SA */
	u_int8_t	exp_sproto;	/* IPsec protocol, cf. tdb_sproto */
	struct expiration *exp_next;	/* next / previous on explist */
	struct expiration *exp_prev;
};
48
/*
 * Flow selector bound to one SA (flow_sa).  Flows hang off tdb_flow of
 * their SA and are linked to each other through flow_next/flow_prev.
 * find_flow()/find_global_flow() take the same (src, srcmask, dst,
 * dstmask, proto, sport, dport) tuple that is stored here -- the argument
 * order is inferred from the field types, confirm against the definitions.
 */
struct flow {
	struct flow	*flow_next;	/* Next in flow chain */
	struct flow	*flow_prev;	/* Previous in flow chain */
	struct tdb	*flow_sa;	/* Pointer to the SA */
	struct in_addr	flow_src;   	/* Source address */
	struct in_addr	flow_srcmask;	/* Source netmask */
	struct in_addr	flow_dst;	/* Destination address */
	struct in_addr	flow_dstmask;	/* Destination netmask */
	u_int16_t	flow_sport;	/* Source port, if applicable */
	u_int16_t	flow_dport;	/* Destination port, if applicable */
	u_int8_t	flow_proto;	/* Transport protocol, if applicable */
	u_int8_t	foo[3];		/* Alignment */
};
62
/*
 * One IPsec security association (SA).  An SA is addressed by the
 * (spi, dst, sproto) triple that gettdb() takes and is hashed into
 * tdbh[TDB_HASHMOD] via tdb_hnext; tdb_onext/tdb_inext are the per-
 * direction SPI chains that SPI_CHAIN_ATTRIB() walks.  Transform-specific
 * state (presumably including keying material) lives behind the opaque
 * tdb_xdata pointer and is set up by tdb_xform->xf_init() and released by
 * tdb_xform->xf_zeroize().
 */
struct tdb {				/* tunnel descriptor block */
	struct tdb	*tdb_hnext;  	/* next in hash chain */
	struct tdb	*tdb_onext;	/* next in output */
	struct tdb	*tdb_inext;  	/* next in input (prev!) */
	struct xformsw *tdb_xform;	/* transformation to use */
	u_int32_t	tdb_spi;    	/* SPI to use */
	u_int32_t	tdb_flags;  	/* Flags related to this TDB */
	/*
	 * Going by the comments below, TDBF_TIMER/BYTES/PACKETS/FIRSTUSE
	 * enable the corresponding tdb_exp_* hard limits and the TDBF_SOFT_*
	 * counterparts the tdb_soft_* warning thresholds (confirm in the
	 * expiration code).  TDBF_INVALID stops SPI_CHAIN_ATTRIB() from
	 * walking past this SA.
	 */
#define TDBF_UNIQUE	   0x00001	/* This should not be used by others */
#define TDBF_TIMER         0x00002	/* Absolute expiration timer in use */
#define TDBF_BYTES         0x00004	/* Check the byte counters */
#define TDBF_PACKETS       0x00008	/* Check the packet counters */
#define TDBF_INVALID       0x00010	/* This SPI is not valid yet/anymore */
#define TDBF_FIRSTUSE      0x00020	/* Expire after first use */
#define TDBF_TUNNELING     0x00040	/* Do IP-in-IP encapsulation */
#define TDBF_SOFT_TIMER    0x00080	/* Soft expiration */
#define TDBF_SOFT_BYTES    0x00100	/* Soft expiration */
#define TDBF_SOFT_PACKETS  0x00200	/* Soft expiration */
#define TDBF_SOFT_FIRSTUSE 0x00400	/* Soft expiration */
#define TDBF_SAME_TTL      0x00800	/* Keep the packet TTL, in tunneling */
	u_int64_t	tdb_exp_packets; /* Expire after so many packets s|r */
	u_int64_t	tdb_soft_packets; /* Expiration warning */
	u_int64_t	tdb_cur_packets; /* Current number of packets s|r'ed */
	u_int64_t	tdb_exp_bytes;	/* Expire after so many bytes passed */
	u_int64_t	tdb_soft_bytes;	/* Expiration warning */
	u_int64_t	tdb_cur_bytes;	/* Current count of bytes */
	u_int64_t	tdb_exp_timeout; /* When does the SPI expire */
	u_int64_t	tdb_soft_timeout; /* Send a soft-expire warning */
	u_int64_t	tdb_established; /* When was the SPI established */
	u_int64_t	tdb_first_use;	/* When was it first used */
	u_int64_t	tdb_soft_first_use; /* Soft warning */
	u_int64_t	tdb_exp_first_use; /* Expire if tdb_first_use +
					   tdb_exp_first_use <= curtime */
	struct in_addr	tdb_dst;	/* dest address for this SPI */
	struct in_addr	tdb_src;	/* source address for this SPI,
					 * used when tunneling */
	struct in_addr	tdb_osrc;
	struct in_addr	tdb_odst;	/* Source and destination addresses
					 * of outer IP header if we're doing
					 * tunneling */
	/* Owned by the transform: created by xf_init(), freed by xf_zeroize(). */
	caddr_t		tdb_xdata;	/* transformation data (opaque) */
	struct flow	*tdb_flow; 	/* Which flows use this SA */

	u_int8_t	tdb_ttl;	/* TTL used in tunneling */
	u_int8_t	tdb_sproto;	/* IPsec protocol */
	/* NOTE(review): documented as padding but named like a real field;
	 * confirm nothing reads it as an SA type before relying on its value. */
	u_int16_t	tdb_satype;	/* Alignment */
	u_int32_t	tdb_epoch;	/* Used by the kernfs interface */
	/* A non-NULL confname/authname is what TDB_ATTRIB() uses to report
	 * that this SA provides confidentiality/authentication. */
	u_int8_t	*tdb_confname;	/* Used by the kernfs interface */
	u_int8_t	*tdb_authname;	/* Used by the kernfs interface */
};
112
#define TDB_HASHMOD	257	/* number of buckets in tdbh[] (prime) */
114
/*
 * Transform switch entry, one per transform type.  The function pointers
 * are the per-transform entry points; the ipe4_*, ah_*_* and esp_*_*
 * prototypes further down in this header have matching signatures.
 * Prototypes here mix the __P() wrapper and plain ANSI form; both are
 * equivalent on an ANSI compiler.
 */
struct xformsw
{
	u_short		xf_type;	/* Unique ID of xform */
					/* presumably one of the XF_* values */
	u_short		xf_flags;	/* flags (see below) */
					/* presumably the XFT_* bits */
	char		*xf_name;	/* human-readable name */
	int		(*xf_attach) __P((void));	/* called at config time */

	/* xform initialization */
	int		(*xf_init) __P((struct tdb *, struct xformsw *, struct mbuf *));

	/* termination: expected to release (and, by its name, wipe) the
	 * per-SA state behind tdb_xdata -- confirm per transform */
	int		(*xf_zeroize) __P((struct tdb *));	/* termination */

	/* called when packet received */
	struct mbuf 	*(*xf_input) __P((struct mbuf *, struct tdb *));

	/* called when packet sent */
	int		(*xf_output) __P((struct mbuf *, struct sockaddr_encap *,
			    struct tdb *, struct mbuf **));
};
134
/*
 * Transform types (xformsw.xf_type).  Per the comments, only the "new"
 * AH/ESP variants carry the 96-bit authenticator and, for ESP, a replay
 * counter; the "old" RFC 18xx transforms do not.
 */
#define XF_IP4			1	/* IP inside IP */
#define XF_OLD_AH		2	/* RFCs 1828 & 1852 */
#define XF_OLD_ESP		3	/* RFCs 1829 & 1851 */
#define XF_NEW_AH		4	/* AH HMAC 96bits */
#define XF_NEW_ESP		5	/* ESP + auth 96bits + replay counter */

/* Supported key hash algorithms */
/* NOTE: ALG_AUTH_* and ALG_ENC_* share the value range starting at 1;
 * a value is only meaningful together with its kind. */
#define ALG_AUTH_MD5		1
#define ALG_AUTH_SHA1		2
#define ALG_AUTH_RMD160		3

/* Supported encryption algorithms */
#define ALG_ENC_DES		1
#define ALG_ENC_3DES		2
#define ALG_ENC_BLF		3
#define ALG_ENC_CAST		4
#define ALG_ENC_SKIPJACK	5

/* Transform capability bits (presumably xformsw.xf_flags):
 * authentication and confidentiality. */
#define XFT_AUTH	0x0001
#define XFT_CONF	0x0100

#define IPSEC_ZEROES_SIZE	64	/* size of ipseczeroes[] */
#define IPSEC_KERNFS_BUFSIZE    4096	/* buffer for the kernfs interface */
158
159#if BYTE_ORDER == LITTLE_ENDIAN
/*
 * Host-to-network byte order for a 64-bit quantity on a little-endian
 * host: byte-swap each 32-bit half with htonl() and exchange the halves,
 * so the in-memory image of the result is the big-endian encoding of q.
 * Only compiled when BYTE_ORDER == LITTLE_ENDIAN; ntohq() maps to the
 * same routine because the swap is its own inverse.
 */
static __inline u_int64_t
htonq(u_int64_t q)
{
	u_int32_t hi = (u_int32_t)(q >> 32);
	u_int32_t lo = (u_int32_t)(q & 0xffffffffU);

	/* the swapped low half becomes the upper 32 bits, and vice versa */
	return ((u_int64_t)htonl(lo) << 32) | (u_int64_t)htonl(hi);
}
169
170#define ntohq(_x) htonq(_x)
171
172#elif BYTE_ORDER == BIG_ENDIAN
173
174#define htonq(_x) (_x)
175#define ntohq(_x) htonq(_x)
176
177#else
178#error  "Please fix <machine/endian.h>"
179#endif
180
/* Block of zero bytes, presumably IPSEC_ZEROES_SIZE long (the bound is not
 * given here -- confirm against the definition before indexing). */
extern unsigned char ipseczeroes[];
182
183/*
184 * Names for IPsec sysctl objects
185 */
#define IPSECCTL_ENCAP			0
#define IPSECCTL_MAXID			1

/* Must stay in step with the IPSECCTL_* numbering: one entry per id. */
#define CTL_IPSEC_NAMES {\
	{ "encap", CTLTYPE_NODE }, \
}
192
193#ifdef _KERNEL
extern int encdebug;		/* presumably a debug verbosity switch */

/*
 * NOTE(review): tdbh, explist and notify_msgids below are tentative
 * definitions, not extern declarations.  Every kernel object that includes
 * this header emits its own copy and the link only succeeds if they are
 * merged as common symbols (-fcommon); under -fno-common, the GCC default
 * since GCC 10, this is a duplicate-symbol error.  Declare them extern
 * here and define them once in a .c file.
 */
struct tdb *tdbh[TDB_HASHMOD];		/* SA hash table, chained via tdb_hnext */
struct expiration *explist;		/* head of the expiration list */
/* transform table; xformswNXFORMSW is presumably its end marker */
extern struct xformsw xformsw[], *xformswNXFORMSW;
u_int32_t notify_msgids;
200
/* Check if a given tdb has encryption, authentication and/or tunneling */
/*
 * Yields a mask of NOTIFY_SATYPE_* bits (not defined in this header):
 * CONF when tdb_confname is set, AUTH when tdb_authname is set, and
 * TUNNEL only when tdb_confname is set AND TDBF_TUNNELING is on -- so an
 * authentication-only SA that tunnels is not reported as TUNNEL.
 * The argument is evaluated several times; pass a side-effect-free lvalue.
 */
#define TDB_ATTRIB(x) \
    (((x)->tdb_confname != NULL ? NOTIFY_SATYPE_CONF : 0)| \
    ((x)->tdb_authname != NULL ? NOTIFY_SATYPE_AUTH : 0)| \
    ((x)->tdb_confname != NULL && \
    ((x)->tdb_flags & TDBF_TUNNELING) ? NOTIFY_SATYPE_TUNNEL : 0))
207
/* Traverse spi chain and get attributes */

/*
 * Starting at TDBP, follow the TDB_DIR link (tdb_onext or tdb_inext) and
 * OR each SA's TDB_ATTRIB() into `have'.  The walk stops at the first SA
 * that is NULL, has no tdb_xform, or carries TDBF_INVALID -- SAs further
 * down the chain do not contribute.  The inner `tmptdb == NULL' test is
 * redundant with the while condition.
 * NOTE(review): the body is a bare `{ }' block rather than do { } while (0),
 * and it declares a local named `tmptdb'; passing an expression that itself
 * mentions `tmptdb' as TDBP would bind to the inner, uninitialized one.
 */
#define SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) { \
	struct tdb *tmptdb = (TDBP); \
	(have) = 0; \
	\
	while (tmptdb && tmptdb->tdb_xform) { \
	        if (tmptdb == NULL || tmptdb->tdb_flags & TDBF_INVALID) \
	                break; \
                (have) |= TDB_ATTRIB(tmptdb); \
                tmptdb = tmptdb->TDB_DIR; \
        } \
}
221
/* TDB management routines */
/* (spi, dst, sproto, int *): presumably reserves an SPI for dst/sproto;
 * the trailing int * looks like an error/status out-parameter -- confirm
 * against the definition. */
extern u_int32_t reserve_spi(u_int32_t, struct in_addr, u_int8_t, int *);
/* Lookup by (spi, dst, sproto); order inferred from the tdb field types. */
extern struct tdb *gettdb(u_int32_t, struct in_addr, u_int8_t);
extern void puttdb(struct tdb *);	/* presumably inserts into tdbh[] */
extern int tdb_delete(struct tdb *, int);	/* meaning of the int flag is
						 * not visible here */

/* Expiration management routines */
extern struct expiration *get_expiration(void);	/* allocate a record */
extern void put_expiration(struct expiration *);	/* queue/release a record;
						 * which one is not visible here */
extern void handle_expirations(void *);	/* timeout-callback shaped entry point */
/* (dst, spi, sproto): drop pending records for that SA */
extern void cleanup_expirations(struct in_addr, u_int32_t, u_int8_t);

/* Flow management routines */
extern struct flow *get_flow(void);			/* allocate a flow */
extern void put_flow(struct flow *, struct tdb *);	/* attach flow to SA */
extern void delete_flow(struct flow *, struct tdb *);	/* detach flow from SA */
/* (src, srcmask, dst, dstmask, proto, sport, dport, sa): lookup scoped to
 * one SA; argument order inferred from struct flow, confirm. */
extern struct flow *find_flow(struct in_addr, struct in_addr, struct in_addr,
			      struct in_addr, u_int8_t, u_int16_t, u_int16_t,
			      struct tdb *);
/* Same tuple without the SA: lookup across all SAs. */
extern struct flow *find_global_flow(struct in_addr, struct in_addr,
				     struct in_addr, struct in_addr, u_int8_t,
				     u_int16_t, u_int16_t);
244
/*
 * Per-transform entry points.  Each group below provides the routines
 * that fill the xformsw slots (xf_attach, xf_init, xf_zeroize, xf_output,
 * xf_input).  XF_IP4 is the odd one out: ipe4_input/ip4_input are
 * variadic (struct mbuf *, ...) protocol-input style routines declared
 * with __P(), and no xf_input-shaped ipe4 routine is declared here.
 */
/* XF_IP4 */
extern int ipe4_attach(void);
extern int ipe4_init(struct tdb *, struct xformsw *, struct mbuf *);
extern int ipe4_zeroize(struct tdb *);
extern int ipe4_output(struct mbuf *, struct sockaddr_encap *, struct tdb *,
		       struct mbuf **);
extern void ipe4_input __P((struct mbuf *, ...));
extern void ip4_input __P((struct mbuf *, ...));

/* XF_OLD_AH */
extern int ah_old_attach(void);
extern int ah_old_init(struct tdb *, struct xformsw *, struct mbuf *);
extern int ah_old_zeroize(struct tdb *);
extern int ah_old_output(struct mbuf *, struct sockaddr_encap *, struct tdb *,
			 struct mbuf **);
extern struct mbuf *ah_old_input(struct mbuf *, struct tdb *);

/* XF_NEW_AH */
extern int ah_new_attach(void);
extern int ah_new_init(struct tdb *, struct xformsw *, struct mbuf *);
extern int ah_new_zeroize(struct tdb *);
extern int ah_new_output(struct mbuf *, struct sockaddr_encap *, struct tdb *,
			 struct mbuf **);
extern struct mbuf *ah_new_input(struct mbuf *, struct tdb *);

/* XF_OLD_ESP */
extern int esp_old_attach(void);
extern int esp_old_init(struct tdb *, struct xformsw *, struct mbuf *);
extern int esp_old_zeroize(struct tdb *);
extern int esp_old_output(struct mbuf *, struct sockaddr_encap *, struct tdb *,
			  struct mbuf **);
extern struct mbuf *esp_old_input(struct mbuf *, struct tdb *);

/* XF_NEW_ESP */
extern int esp_new_attach(void);
extern int esp_new_init(struct tdb *, struct xformsw *, struct mbuf *);
extern int esp_new_zeroize(struct tdb *);
extern int esp_new_output(struct mbuf *, struct sockaddr_encap *, struct tdb *,
			  struct mbuf **);
extern struct mbuf *esp_new_input(struct mbuf *, struct tdb *);
285
/* Padding */
/* (m, int, int): by name and return type, extends the mbuf chain with
 * padding and returns a pointer to it; the meaning of the two ints is not
 * visible here -- confirm against the definition. */
extern caddr_t m_pad(struct mbuf *, int, int);

/* Replay window */
/* Anti-replay check for the transforms that carry a replay counter
 * (XF_NEW_*).  The two u_int32_t * arguments are presumably window state
 * updated in place; argument order is not visible here -- confirm. */
extern int checkreplaywindow32(u_int32_t, u_int32_t, u_int32_t *, u_int32_t,
			       u_int32_t *);
292#endif
293