ip_ipsp.h revision 1.27 
1/*	$OpenBSD: ip_ipsp.h,v 1.27 1999/02/25 01:30:49 angelos Exp $	*/
2
3/*
4 * The authors of this code are John Ioannidis (ji@tla.org),
5 * Angelos D. Keromytis (kermit@csd.uch.gr) and
6 * Niels Provos (provos@physnet.uni-hamburg.de).
7 *
8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
9 * in November 1995.
10 *
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
13 *
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15 * and Niels Provos.
16 *
17 * Additional features in 1999 by Angelos D. Keromytis.
18 *
19 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20 * Angelos D. Keromytis and Niels Provos.
21 *
22 * Permission to use, copy, and modify this software without fee
23 * is hereby granted, provided that this entire notice is included in
24 * all copies of any software which is or includes a copy or
25 * modification of this software.
26 * You may use this code under the GNU public license if you so wish. Please
27 * contribute changes back to the authors under this freer than GPL license
28 * so that we may further the use of strong encryption without limitations to
29 * all.
30 *
31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
35 * PURPOSE.
36 */
37
38#ifndef _NETINET_IPSP_H_
39#define _NETINET_IPSP_H_
40
41/*
42 * IPSP global definitions.
43 */
44
45#include <sys/types.h>
46#include <netinet/in.h>
47#include <sys/md5k.h>
48#include <netinet/ip_sha1.h>
49#include <netinet/ip_rmd160.h>
50#include <netinet/ip_blf.h>
51#include <netinet/ip_cast.h>
52#include <netinet/ip_skipjack.h>
53
54union sockaddr_union
55{
56    struct sockaddr     sa;
57    struct sockaddr_in  sin;
58    struct sockaddr_in6 sin6;
59    char  __maxsize[128];
60};
61
62/* HMAC key sizes */
63#define MD5HMAC96_KEYSIZE       16
64#define SHA1HMAC96_KEYSIZE      20
65#define RIPEMD160HMAC96_KEYSIZE 20
66
67/* IV lengths */
68#define ESP_DES_IVS		8
69#define ESP_3DES_IVS		8
70#define ESP_BLF_IVS             8
71#define ESP_CAST_IVS            8
72#define ESP_SKIPJACK_IVS	8
73#define ESP_MAX_IVS		8       /* Keep updated */
74
75/* Block sizes -- it is assumed that they're powers of 2 */
76#define ESP_DES_BLKS		8
77#define ESP_3DES_BLKS		8
78#define ESP_BLF_BLKS            8
79#define ESP_CAST_BLKS           8
80#define ESP_SKIPJACK_BLKS	8
81#define ESP_MAX_BLKS            8       /* Keep updated */
82
83#define HMAC_BLOCK_LEN		64
84
85#define AH_HMAC_HASHLEN		12	/* 96 bits of authenticator */
86#define AH_HMAC_RPLENGTH        4	/* 32 bits of replay counter */
87#define AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */
88
89/* HMAC definitions */
90#define HMAC_IPAD_VAL           0x36
91#define HMAC_OPAD_VAL           0x5C
92#define HMAC_BLOCK_LEN          64
93
94/* Authenticator lengths */
95#define AH_MD5_ALEN		16
96#define AH_SHA1_ALEN		20
97#define AH_RMD160_ALEN		20
98#define AH_ALEN_MAX		20 	/* Keep updated */
99
100struct sockaddr_encap
101{
102    u_int8_t	sen_len;		/* length */
103    u_int8_t	sen_family;		/* PF_KEY */
104    u_int16_t	sen_type;		/* see SENT_* */
105    union
106    {
107	u_int8_t	Data[16];	/* other stuff mapped here */
108
109	struct				/* SENT_IP4 */
110	{
111	    struct in_addr Src;
112	    struct in_addr Dst;
113	    u_int16_t Sport;
114	    u_int16_t Dport;
115	    u_int8_t Proto;
116	    u_int8_t Filler[3];
117	} Sip4;
118
119	struct				/* SENT_IPSP */
120	{
121	    struct in_addr Dst;
122	    u_int32_t Spi;
123	    u_int8_t Sproto;
124	    u_int8_t Filler[7];
125	} Sipsp;
126    } Sen;
127};
128
129#define sen_data	Sen.Data
130#define sen_ip_src	Sen.Sip4.Src
131#define sen_ip_dst	Sen.Sip4.Dst
132#define sen_proto	Sen.Sip4.Proto
133#define sen_sport	Sen.Sip4.Sport
134#define sen_dport	Sen.Sip4.Dport
135#define sen_ipsp_dst	Sen.Sipsp.Dst
136#define sen_ipsp_spi	Sen.Sipsp.Spi
137#define sen_ipsp_sproto	Sen.Sipsp.Sproto
138
139/*
140 * The "type" is really part of the address as far as the routing
141 * system is concerned. By using only one bit in the type field
142 * for each type, we sort-of make sure that different types of
143 * encapsulation addresses won't be matched against the wrong type.
144 *
145 */
146
147#define SENT_IP4	0x0001		/* data is two struct in_addr */
148#define SENT_IPSP	0x0002		/* data as in IP4 plus SPI */
149
150/*
151 * SENT_HDRLEN is the length of the "header"
152 * SENT_*_LEN are the lengths of various forms of sen_data
153 * SENT_*_OFF are the offsets in the sen_data array of various fields
154 */
155
156#define SENT_HDRLEN	(2 * sizeof(u_int8_t) + sizeof(u_int16_t))
157
158#define SENT_IP4_SRCOFF	(0)
159#define SENT_IP4_DSTOFF (sizeof (struct in_addr))
160
161#define SENT_IP4_LEN	20
162#define SENT_IPSP_LEN	20
163
164#define NOTIFY_SOFT_EXPIRE      0       /* Soft expiration of SA */
165#define NOTIFY_HARD_EXPIRE      1       /* Hard expiration of SA */
166#define NOTIFY_REQUEST_SA       2       /* Establish an SA */
167
168#define NOTIFY_SATYPE_CONF      1       /* SA should do encryption */
169#define NOTIFY_SATYPE_AUTH      2       /* SA should do authentication */
170#define NOTIFY_SATYPE_TUNNEL    4       /* SA should use tunneling */
171
172/*
173 * For encapsulation routes are possible not only for the destination
174 * address but also for the protocol, source and destination ports
175 * if available
176 */
177
178struct route_enc {
179    struct rtentry *re_rt;
180    struct sockaddr_encap re_dst;
181};
182
183struct expiration
184{
185    u_int32_t             exp_timeout;
186    union sockaddr_union  exp_dst;
187    u_int32_t             exp_spi;
188    u_int8_t              exp_sproto;
189    struct expiration    *exp_next;
190    struct expiration    *exp_prev;
191};
192
193struct flow
194{
195    struct flow           *flow_next;	/* Next in flow chain */
196    struct flow           *flow_prev;	/* Previous in flow chain */
197    struct tdb            *flow_sa;	/* Pointer to the SA */
198    union sockaddr_union  flow_src;   	/* Source address */
199    union sockaddr_union  flow_srcmask; /* Source netmask */
200    union sockaddr_union  flow_dst;	/* Destination address */
201    union sockaddr_union  flow_dstmask;	/* Destination netmask */
202    u_int8_t	          flow_proto;	/* Transport protocol, if applicable */
203    u_int8_t	          foo[3];	/* Alignment */
204};
205
206struct tdb				/* tunnel descriptor block */
207{
208    struct tdb	     *tdb_hnext;  	/* Next in hash chain */
209    struct tdb	     *tdb_onext;        /* Next in output */
210    struct tdb	     *tdb_inext;        /* Previous in output */
211
212    struct xformsw   *tdb_xform;	/* Transformation to use */
213    struct enc_xform *tdb_encalgxform;  /* Encryption algorithm xform */
214    struct auth_hash *tdb_authalgxform; /* Authentication algorithm xform */
215
216#define TDBF_UNIQUE	      0x00001	/* This should not be used by others */
217#define TDBF_TIMER            0x00002	/* Absolute expiration timer in use */
218#define TDBF_BYTES            0x00004	/* Check the byte counters */
219#define TDBF_ALLOCATIONS      0x00008	/* Check the flows counters */
220#define TDBF_INVALID          0x00010	/* This SPI is not valid yet/anymore */
221#define TDBF_FIRSTUSE         0x00020	/* Expire after first use */
222#define TDBF_HALFIV           0x00040   /* Use half-length IV (ESP old only) */
223#define TDBF_SOFT_TIMER       0x00080	/* Soft expiration */
224#define TDBF_SOFT_BYTES       0x00100	/* Soft expiration */
225#define TDBF_SOFT_ALLOCATIONS 0x00200	/* Soft expiration */
226#define TDBF_SOFT_FIRSTUSE    0x00400	/* Soft expiration */
227#define TDBF_PFS              0x00800	/* Ask for PFS from Key Mgmt. */
228#define TDBF_TUNNELING        0x01000	/* Force IP-IP encapsulation */
229    u_int32_t	      tdb_flags;  	/* Flags related to this TDB */
230
231    u_int32_t         tdb_exp_allocations;  /* Expire after so many flows */
232    u_int32_t         tdb_soft_allocations; /* Expiration warning */
233    u_int32_t         tdb_cur_allocations;  /* Total number of allocations */
234
235    u_int64_t         tdb_exp_bytes;    /* Expire after so many bytes passed */
236    u_int64_t         tdb_soft_bytes;	/* Expiration warning */
237    u_int64_t         tdb_cur_bytes;	/* Current count of bytes */
238
239    u_int64_t         tdb_exp_timeout;	/* When does the SPI expire */
240    u_int64_t         tdb_soft_timeout;	/* Send a soft-expire warning */
241    u_int64_t         tdb_established;	/* When was the SPI established */
242
243    u_int64_t	      tdb_first_use;	  /* When was it first used */
244    u_int64_t         tdb_soft_first_use; /* Soft warning */
245    u_int64_t         tdb_exp_first_use;  /* Expire if tdb_first_use +
246					   * tdb_exp_first_use <= curtime */
247    u_int32_t	      tdb_spi;    	/* SPI */
248    u_int16_t         tdb_amxkeylen;    /* AH-old only */
249    u_int16_t         tdb_ivlen;        /* IV length */
250    u_int8_t	      tdb_sproto;	/* IPsec protocol */
251    u_int8_t          tdb_wnd;          /* Replay window */
252    u_int16_t         tdb_FILLER;       /* Padding */
253
254    union sockaddr_union tdb_dst;	/* Destination address for this SA */
255    union sockaddr_union tdb_src;	/* Source address for this SA */
256    union sockaddr_union tdb_proxy;
257
258    u_int8_t         *tdb_key;          /* Key material (schedules) */
259    u_int8_t         *tdb_ictx;         /* Authentication contexts */
260    u_int8_t         *tdb_octx;
261    u_int8_t         *tdb_srcid;        /* Source ID for this SA */
262    u_int8_t         *tdb_dstid;        /* Destination ID for this SA */
263    u_int8_t         *tdb_amxkey;       /* AH-old only */
264
265    union
266    {
267	u_int8_t  Iv[ESP_3DES_IVS];     /* That's enough space */
268	u_int32_t Ivl;        	        /* Make sure this is 4 bytes */
269	u_int64_t Ivq; 		        /* Make sure this is 8 bytes! */
270    }IV;
271#define tdb_iv  IV.Iv
272#define tdb_ivl IV.Ivl
273#define tdb_ivq IV.Ivq
274
275    u_int32_t         tdb_rpl;	        /* Replay counter */
276    u_int32_t         tdb_bitmap;       /* Used for replay sliding window */
277    u_int32_t         tdb_initial;	/* Initial replay value */
278
279    u_int32_t         tdb_epoch;	/* Used by the kernfs interface */
280    u_int16_t         tdb_srcid_len;
281    u_int16_t         tdb_dstid_len;
282    u_int16_t         tdb_srcid_type;
283    u_int16_t         tdb_dstid_type;
284
285    struct flow	     *tdb_flow; 	/* Which flows use this SA */
286};
287
288#define TDB_HASHMOD	257
289
290struct auth_hash {
291    int type;
292    char *name;
293    u_int16_t keysize;
294    u_int16_t hashsize;
295    u_int16_t ctxsize;
296    void (*Init)(void *);
297    void (*Update)(void *, u_int8_t *, u_int16_t);
298    void (*Final)(u_int8_t *, void *);
299};
300
301struct enc_xform {
302    int type;
303    char *name;
304    u_int16_t blocksize, ivsize;
305    u_int16_t minkey, maxkey;
306    u_int32_t ivmask;           /* Or all possible modes, zero iv = 1 */
307    void (*encrypt)(struct tdb *, u_int8_t *);
308    void (*decrypt)(struct tdb *, u_int8_t *);
309};
310
311struct ipsecinit
312{
313    u_int8_t       *ii_enckey;
314    u_int8_t       *ii_authkey;
315    u_int16_t       ii_enckeylen;
316    u_int16_t       ii_authkeylen;
317    u_int8_t        ii_encalg;
318    u_int8_t        ii_authalg;
319};
320
321struct xformsw
322{
323    u_short		xf_type;	/* Unique ID of xform */
324    u_short		xf_flags;	/* flags (see below) */
325    char		*xf_name;	/* human-readable name */
326    int		(*xf_attach)(void);	/* called at config time */
327    int		(*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *);
328    int		(*xf_zeroize)(struct tdb *); /* termination */
329    struct mbuf 	*(*xf_input)(struct mbuf *, struct tdb *); /* input */
330    int		(*xf_output)(struct mbuf *, struct sockaddr_encap *,
331			     struct tdb *, struct mbuf **);        /* output */
332};
333
334/* xform IDs */
335#define XF_IP4		1	/* IP inside IP */
336#define XF_OLD_AH	2	/* RFCs 1828 & 1852 */
337#define XF_OLD_ESP	3	/* RFCs 1829 & 1851 */
338#define XF_NEW_AH	4	/* AH HMAC 96bits */
339#define XF_NEW_ESP	5	/* ESP + auth 96bits + replay counter */
340
341/* xform attributes */
342#define XFT_AUTH	0x0001
343#define XFT_CONF	0x0100
344
345#define IPSEC_ZEROES_SIZE	64
346#define IPSEC_KERNFS_BUFSIZE    4096
347
348#if BYTE_ORDER == LITTLE_ENDIAN
349static __inline u_int64_t
350htonq(u_int64_t q)
351{
352    register u_int32_t u, l;
353    u = q >> 32;
354    l = (u_int32_t) q;
355
356    return htonl(u) | ((u_int64_t)htonl(l) << 32);
357}
358
359#define ntohq(_x) htonq(_x)
360
361#elif BYTE_ORDER == BIG_ENDIAN
362
363#define htonq(_x) (_x)
364#define ntohq(_x) htonq(_x)
365
366#else
367#error  "Please fix <machine/endian.h>"
368#endif
369
370/*
371 * Names for IPsec sysctl objects
372 */
373#define IPSECCTL_PFKEY  		0
374#define IPSECCTL_MAXID			1
375
376#define CTL_IPSEC_NAMES {\
377	{ "pfkey", CTLTYPE_NODE }, \
378}
379
380#define PFKEYCTL_ENCDEBUG	1
381#define PFKEYCTL_MAXID		2
382
383#define PFKEYCTL_NAMES {\
384	{ 0, 0 }, \
385	{ "encdebug", CTLTYPE_INT }, \
386}
387
388#ifdef _KERNEL
389extern int encdebug;
390extern int ipsec_in_use;
391extern u_int8_t hmac_ipad_buffer[64];
392extern u_int8_t hmac_opad_buffer[64];
393
394struct tdb *tdbh[TDB_HASHMOD];
395struct expiration *explist;
396extern struct xformsw xformsw[], *xformswNXFORMSW;
397
398/* Check if a given tdb has encryption, authentication and/or tunneling */
399#define TDB_ATTRIB(x) (((x)->tdb_encalgxform ? NOTIFY_SATYPE_CONF : 0)| \
400		       ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0))
401
402/* Traverse spi chain and get attributes */
403
404#define SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) {\
405	struct tdb *tmptdb = (TDBP); \
406	(have) = 0; \
407	\
408	while (tmptdb && tmptdb->tdb_xform) { \
409	        if (tmptdb == NULL || tmptdb->tdb_flags & TDBF_INVALID) \
410	                break; \
411                (have) |= TDB_ATTRIB(tmptdb); \
412                tmptdb = tmptdb->TDB_DIR; \
413        } \
414}
415
416/* Misc. */
417extern char *inet_ntoa4(struct in_addr);
418extern char *ipsp_address(union sockaddr_union);
419
420/* TDB management routines */
421extern u_int32_t reserve_spi(u_int32_t, u_int32_t, union sockaddr_union *,
422			     union sockaddr_union *, u_int8_t, int *);
423extern struct tdb *gettdb(u_int32_t, union sockaddr_union *, u_int8_t);
424extern void puttdb(struct tdb *);
425extern int tdb_delete(struct tdb *, int);
426extern int tdb_init (struct tdb *, u_int16_t, struct ipsecinit *);
427
428/* Expiration management routines */
429extern struct expiration *get_expiration(void);
430extern void put_expiration(struct expiration *);
431extern void handle_expirations(void *);
432extern void cleanup_expirations(union sockaddr_union *, u_int32_t, u_int8_t);
433
434/* Flow management routines */
435extern struct flow *get_flow(void);
436extern void put_flow(struct flow *, struct tdb *);
437extern void delete_flow(struct flow *, struct tdb *);
438extern struct flow *find_flow(union sockaddr_union *, union sockaddr_union *,
439			      union sockaddr_union *, union sockaddr_union *,
440			      u_int8_t, struct tdb *);
441extern struct flow *find_global_flow(union sockaddr_union *,
442				     union sockaddr_union *,
443				     union sockaddr_union *,
444				     union sockaddr_union *, u_int8_t);
445
446/* XF_IP4 */
447extern int ipe4_attach(void);
448extern int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
449extern int ipe4_zeroize(struct tdb *);
450extern int ipe4_output(struct mbuf *, struct sockaddr_encap *, struct tdb *,
451		       struct mbuf **);
452extern void ipe4_input __P((struct mbuf *, ...));
453extern void ip4_input __P((struct mbuf *, ...));
454
455/* XF_OLD_AH */
456extern int ah_old_attach(void);
457extern int ah_old_init(struct tdb *, struct xformsw *, struct ipsecinit *);
458extern int ah_old_zeroize(struct tdb *);
459extern int ah_old_output(struct mbuf *, struct sockaddr_encap *, struct tdb *,
460			 struct mbuf **);
461extern struct mbuf *ah_old_input(struct mbuf *, struct tdb *);
462
463/* XF_NEW_AH */
464extern int ah_new_attach(void);
465extern int ah_new_init(struct tdb *, struct xformsw *, struct ipsecinit *);
466extern int ah_new_zeroize(struct tdb *);
467extern int ah_new_output(struct mbuf *, struct sockaddr_encap *, struct tdb *,
468			 struct mbuf **);
469extern struct mbuf *ah_new_input(struct mbuf *, struct tdb *);
470
471/* XF_OLD_ESP */
472extern int esp_old_attach(void);
473extern int esp_old_init(struct tdb *, struct xformsw *, struct ipsecinit *);
474extern int esp_old_zeroize(struct tdb *);
475extern int esp_old_output(struct mbuf *, struct sockaddr_encap *, struct tdb *,
476			  struct mbuf **);
477extern struct mbuf *esp_old_input(struct mbuf *, struct tdb *);
478
479/* XF_NEW_ESP */
480extern int esp_new_attach(void);
481extern int esp_new_init(struct tdb *, struct xformsw *, struct ipsecinit *);
482extern int esp_new_zeroize(struct tdb *);
483extern int esp_new_output(struct mbuf *, struct sockaddr_encap *, struct tdb *,
484			  struct mbuf **);
485extern struct mbuf *esp_new_input(struct mbuf *, struct tdb *);
486
487/* Padding */
488extern caddr_t m_pad(struct mbuf *, int, int);
489
490/* Replay window */
491extern int checkreplaywindow32(u_int32_t, u_int32_t, u_int32_t *, u_int32_t,
492                               u_int32_t *);
493
494extern unsigned char ipseczeroes[];
495#endif /* _KERNEL */
496#endif /* _NETINET_IPSP_H_ */
497