ip_ipsp.h revision 1.23
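/*	$OpenBSD: ip_ipsp.h,v 1.23 1999/02/17 20:39:17 deraadt Exp $	*/

/*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
 * Niels Provos (provos@physnet.uni-hamburg.de).
 *
 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
 * in November 1995.
 *
 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
 * by Angelos D. Keromytis.
 *
 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
 * and Niels Provos.
 *
 * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
 * and Niels Provos.
 *
 * Permission to use, copy, and modify this software without fee
 * is hereby granted, provided that this entire notice is included in
 * all copies of any software which is or includes a copy or
 * modification of this software.
 * You may use this code under the GNU public license if you so wish. Please
 * contribute changes back to the authors under this freer than GPL license
 * so that we may further the use of strong encryption without limitations to
 * all.
 *
 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
 * PURPOSE.
 */

/*
 * IPSP global definitions.
 */

#ifndef _NETINET_IP_IPSP_H_
#define _NETINET_IP_IPSP_H_

/*
 * A pending SA expiration.  Entries live on a doubly-linked list (the
 * kernel-side `explist' below) and name the SA by <dst, spi, sproto>,
 * the same triple gettdb() and cleanup_expirations() take.
 */
struct expiration {
	u_int32_t	exp_timeout;		/* When this entry fires */
	struct in_addr	exp_dst;		/* SA destination address */
	u_int32_t	exp_spi;		/* SA SPI */
	u_int8_t	exp_sproto;		/* SA IPsec protocol */
	struct expiration *exp_next;
	struct expiration *exp_prev;
};

/*
 * A traffic selector bound to an SA.  Packets matching the
 * <src/srcmask, dst/dstmask, proto, sport, dport> tuple are handled by
 * flow_sa.  All flows of one SA are chained through flow_next/flow_prev;
 * tdb_flow is the head of that chain.
 */
struct flow {
	struct flow	*flow_next;		/* Next in flow chain */
	struct flow	*flow_prev;		/* Previous in flow chain */
	struct tdb	*flow_sa;		/* Pointer to the SA */
	struct in_addr	flow_src;		/* Source address */
	struct in_addr	flow_srcmask;		/* Source netmask */
	struct in_addr	flow_dst;		/* Destination address */
	struct in_addr	flow_dstmask;		/* Destination netmask */
	u_int16_t	flow_sport;		/* Source port, if applicable */
	u_int16_t	flow_dport;		/* Destination port, if applicable */
	u_int8_t	flow_proto;		/* Transport protocol, if applicable */
	u_int8_t	foo[3];			/* Alignment */
};

/*
 * Tunnel descriptor block: the kernel's per-SA state.  A TDB is looked up
 * by <spi, dst, sproto> (gettdb) through the tdbh hash table and can also
 * be chained to other TDBs for bundled processing on input/output
 * (tdb_inext/tdb_onext).  Hard limits (tdb_exp_*) end the SA; soft limits
 * (tdb_soft_*) only raise a warning.  Which limits are enforced is
 * selected by the TDBF_* bits in tdb_flags.
 */
struct tdb {				/* tunnel descriptor block */
	struct tdb	*tdb_hnext;		/* next in hash chain */
	struct tdb	*tdb_onext;		/* next in output */
	struct tdb	*tdb_inext;		/* next in input (prev!) */
	struct xformsw	*tdb_xform;		/* transformation to use */
	u_int32_t	tdb_spi;		/* SPI to use */
	u_int32_t	tdb_flags;		/* Flags related to this TDB */
#define TDBF_UNIQUE		0x00001	/* This should not be used by others */
#define TDBF_TIMER		0x00002	/* Absolute expiration timer in use */
#define TDBF_BYTES		0x00004	/* Check the byte counters */
#define TDBF_PACKETS		0x00008	/* Check the packet counters */
#define TDBF_INVALID		0x00010	/* This SPI is not valid yet/anymore */
#define TDBF_FIRSTUSE		0x00020	/* Expire after first use */
#define TDBF_TUNNELING		0x00040	/* Do IP-in-IP encapsulation */
#define TDBF_SOFT_TIMER		0x00080	/* Soft expiration */
#define TDBF_SOFT_BYTES		0x00100	/* Soft expiration */
#define TDBF_SOFT_PACKETS	0x00200	/* Soft expiration */
#define TDBF_SOFT_FIRSTUSE	0x00400	/* Soft expiration */
#define TDBF_SAME_TTL		0x00800	/* Keep the packet TTL, in tunneling */
	u_int64_t	tdb_exp_packets;	/* Expire after so many packets s|r */
	u_int64_t	tdb_soft_packets;	/* Expiration warning */
	u_int64_t	tdb_cur_packets;	/* Current number of packets s|r'ed */
	u_int64_t	tdb_exp_bytes;		/* Expire after so many bytes passed */
	u_int64_t	tdb_soft_bytes;		/* Expiration warning */
	u_int64_t	tdb_cur_bytes;		/* Current count of bytes */
	u_int64_t	tdb_exp_timeout;	/* When does the SPI expire */
	u_int64_t	tdb_soft_timeout;	/* Send a soft-expire warning */
	u_int64_t	tdb_established;	/* When was the SPI established */
	u_int64_t	tdb_first_use;		/* When was it first used */
	u_int64_t	tdb_soft_first_use;	/* Soft warning */
	u_int64_t	tdb_exp_first_use;	/* Expire if tdb_first_use +
						   tdb_exp_first_use <= curtime */
	struct in_addr	tdb_dst;		/* dest address for this SPI */
	struct in_addr	tdb_src;		/* source address for this SPI,
						 * used when tunneling */
	struct in_addr	tdb_osrc;
	struct in_addr	tdb_odst;		/* Source and destination addresses
						 * of outer IP header if we're doing
						 * tunneling */
	/*
	 * Per-transform private state, set up by xf_init and torn down by
	 * xf_zeroize.  NOTE(review): presumably this is where key material
	 * lives, so each transform's xf_zeroize should wipe it rather than
	 * just free it -- confirm in the individual transforms.
	 */
	caddr_t		tdb_xdata;		/* transformation data (opaque) */
	struct flow	*tdb_flow;		/* Which flows use this SA */

	u_int8_t	tdb_ttl;		/* TTL used in tunneling */
	u_int8_t	tdb_sproto;		/* IPsec protocol */
	u_int16_t	tdb_satype;		/* Alignment */
	u_int32_t	tdb_epoch;		/* Used by the kernfs interface */
	u_int8_t	*tdb_confname;		/* Used by the kernfs interface */
	u_int8_t	*tdb_authname;		/* Used by the kernfs interface */
};

#define TDB_HASHMOD	257			/* Buckets in tdbh (prime) */

/*
 * Transform switch entry: one per supported IPsec transform (XF_*).
 * The function pointers are the hooks the generic IPSP code calls to
 * attach the transform, initialise/tear down a TDB and process packets.
 */
struct xformsw
{
	u_short		xf_type;		/* Unique ID of xform */
	u_short		xf_flags;		/* flags (see below) */
	char		*xf_name;		/* human-readable name */
	int		(*xf_attach)(void);	/* called at config time */

	/* xform initialization */
	int		(*xf_init)(struct tdb *, struct xformsw *, struct mbuf *);

	/* termination: release (and, for keyed transforms, wipe) tdb_xdata */
	int		(*xf_zeroize)(struct tdb *);

	/* called when packet received */
	struct mbuf	*(*xf_input)(struct mbuf *, struct tdb *);

	/* called when packet sent */
	int		(*xf_output)(struct mbuf *, struct sockaddr_encap *,
			    struct tdb *, struct mbuf **);
};

/* Transform identifiers (xf_type) */
#define XF_IP4		1		/* IP inside IP */
#define XF_OLD_AH	2		/* RFCs 1828 & 1852 */
#define XF_OLD_ESP	3		/* RFCs 1829 & 1851 */
#define XF_NEW_AH	4		/* AH HMAC 96bits */
#define XF_NEW_ESP	5		/* ESP + auth 96bits + replay counter */

/* Supported key hash algorithms */
#define ALG_AUTH_MD5	1
#define ALG_AUTH_SHA1	2
#define ALG_AUTH_RMD160	3

/*
 * Supported encryption algorithms.
 * NOTE(review): single DES (56-bit key) is listed alongside the stronger
 * ciphers; this header only enumerates what the transforms accept, so
 * any policy preferring the others has to be enforced by whoever sets up
 * the SA -- verify on the key-management side.
 */
#define ALG_ENC_DES	1
#define ALG_ENC_3DES	2
#define ALG_ENC_BLF	3
#define ALG_ENC_CAST	4
#define ALG_ENC_SKIPJACK	5

/* xf_flags: what a transform provides */
#define XFT_AUTH	0x0001
#define XFT_CONF	0x0100

#define IPSEC_ZEROES_SIZE	64
#define IPSEC_KERNFS_BUFSIZE	4096

#if BYTE_ORDER == LITTLE_ENDIAN
/*
 * Convert a 64-bit quantity to network (big-endian) byte order.
 * Each 32-bit half is byte-swapped with htonl() and the halves are
 * exchanged.  The operation is its own inverse, hence ntohq() below.
 */
static __inline u_int64_t
htonq(u_int64_t q)
{
	u_int32_t hi = (u_int32_t)(q >> 32);
	u_int32_t lo = (u_int32_t)q;

	return (u_int64_t)htonl(hi) | ((u_int64_t)htonl(lo) << 32);
}

#define ntohq(_x) htonq(_x)

#elif BYTE_ORDER == BIG_ENDIAN

/* Host order already is network order. */
#define htonq(_x) (_x)
#define ntohq(_x) htonq(_x)

#else
#error "Please fix <machine/endian.h>"
#endif

/* Buffer of zero bytes (presumably IPSEC_ZEROES_SIZE long; defined in a .c) */
extern unsigned char ipseczeroes[];

/*
 * Names for IPsec sysctl objects
 */
#define IPSECCTL_ENCAP	0
#define IPSECCTL_MAXID	1

#define CTL_IPSEC_NAMES {\
	{ "encap", CTLTYPE_NODE }, \
}

#ifdef _KERNEL
extern int encdebug;

/*
 * NOTE(review): tdbh, explist and notify_msgids below are tentative
 * definitions rather than extern declarations, so every kernel source
 * file that includes this header defines them and the build relies on
 * the toolchain merging the duplicates as common symbols.  They should be
 * declared extern here and defined once in a .c file; left unchanged
 * because the defining .c file is not visible from this header.
 */
struct tdb *tdbh[TDB_HASHMOD];			/* SA hash table */
struct expiration *explist;			/* Pending expirations */
extern struct xformsw xformsw[], *xformswNXFORMSW;
u_int32_t notify_msgids;

/* Check if a given tdb has encryption, authentication and/or tunneling */
#define TDB_ATTRIB(x) \
	(((x)->tdb_confname != NULL ? NOTIFY_SATYPE_CONF : 0)| \
	 ((x)->tdb_authname != NULL ? NOTIFY_SATYPE_AUTH : 0)| \
	 ((x)->tdb_confname != NULL && \
	  ((x)->tdb_flags & TDBF_TUNNELING) ? NOTIFY_SATYPE_TUNNEL : 0))

/*
 * Traverse an SPI chain starting at TDBP, following the TDB_DIR member
 * (tdb_inext or tdb_onext), and OR the TDB_ATTRIB bits of every TDB into
 * `have'.  The walk stops at the end of the chain, at a TDB without a
 * transform, or at the first TDB marked TDBF_INVALID -- attributes of
 * anything behind an invalid SA are deliberately not counted.
 */
#define SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) { \
	struct tdb *tmptdb = (TDBP); \
	(have) = 0; \
	\
	while (tmptdb && tmptdb->tdb_xform) { \
		if (tmptdb->tdb_flags & TDBF_INVALID) \
			break; \
		(have) |= TDB_ATTRIB(tmptdb); \
		tmptdb = tmptdb->TDB_DIR; \
	} \
}

/* TDB management routines */
extern u_int32_t reserve_spi(u_int32_t, struct in_addr, u_int8_t, int *);
extern struct tdb *gettdb(u_int32_t, struct in_addr, u_int8_t);
extern void puttdb(struct tdb *);
extern int tdb_delete(struct tdb *, int);

/* Expiration management routines */
extern struct expiration *get_expiration(void);
extern void put_expiration(struct expiration *);
extern void handle_expirations(void *);
extern void cleanup_expirations(struct in_addr, u_int32_t, u_int8_t);

/* Flow management routines */
extern struct flow *get_flow(void);
extern void put_flow(struct flow *, struct tdb *);
extern void delete_flow(struct flow *, struct tdb *);
extern struct flow *find_flow(struct in_addr, struct in_addr, struct in_addr,
			      struct in_addr, u_int8_t, u_int16_t, u_int16_t,
			      struct tdb *);
extern struct flow *find_global_flow(struct in_addr, struct in_addr,
				     struct in_addr, struct in_addr, u_int8_t,
				     u_int16_t, u_int16_t);

/* XF_IP4 */
extern int ipe4_attach(void);
extern int ipe4_init(struct tdb *, struct xformsw *, struct mbuf *);
extern int ipe4_zeroize(struct tdb *);
extern int ipe4_output(struct mbuf *, struct sockaddr_encap *, struct tdb *,
		       struct mbuf **);
extern void ipe4_input(struct mbuf *, ...);
extern void ip4_input(struct mbuf *, ...);

/* XF_OLD_AH */
extern int ah_old_attach(void);
extern int ah_old_init(struct tdb *, struct xformsw *, struct mbuf *);
extern int ah_old_zeroize(struct tdb *);
extern int ah_old_output(struct mbuf *, struct sockaddr_encap *, struct tdb *,
			 struct mbuf **);
extern struct mbuf *ah_old_input(struct mbuf *, struct tdb *);

/* XF_NEW_AH */
extern int ah_new_attach(void);
extern int ah_new_init(struct tdb *, struct xformsw *, struct mbuf *);
extern int ah_new_zeroize(struct tdb *);
extern int ah_new_output(struct mbuf *, struct sockaddr_encap *, struct tdb *,
			 struct mbuf **);
extern struct mbuf *ah_new_input(struct mbuf *, struct tdb *);

/* XF_OLD_ESP */
extern int esp_old_attach(void);
extern int esp_old_init(struct tdb *, struct xformsw *, struct mbuf *);
extern int esp_old_zeroize(struct tdb *);
extern int esp_old_output(struct mbuf *, struct sockaddr_encap *, struct tdb *,
			  struct mbuf **);
extern struct mbuf *esp_old_input(struct mbuf *, struct tdb *);

/* XF_NEW_ESP */
extern int esp_new_attach(void);
extern int esp_new_init(struct tdb *, struct xformsw *, struct mbuf *);
extern int esp_new_zeroize(struct tdb *);
extern int esp_new_output(struct mbuf *, struct sockaddr_encap *, struct tdb *,
			  struct mbuf **);
extern struct mbuf *esp_new_input(struct mbuf *, struct tdb *);

/* Padding */
extern caddr_t m_pad(struct mbuf *, int, int);

/* Replay window (anti-replay check for the transforms that carry a sequence number) */
extern int checkreplaywindow32(u_int32_t, u_int32_t, u_int32_t *, u_int32_t,
			       u_int32_t *);
#endif /* _KERNEL */

#endif /* _NETINET_IP_IPSP_H_ */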