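/* $OpenBSD: ip_ipsp.h,v 1.27 1999/02/25 01:30:49 angelos Exp $ */

/*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
 * Niels Provos (provos@physnet.uni-hamburg.de).
 *
 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
 * in November 1995.
 *
 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
 * by Angelos D. Keromytis.
 *
 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
 * and Niels Provos.
 *
 * Additional features in 1999 by Angelos D. Keromytis.
 *
 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
 * Angelos D. Keromytis and Niels Provos.
 *
 * Permission to use, copy, and modify this software without fee
 * is hereby granted, provided that this entire notice is included in
 * all copies of any software which is or includes a copy or
 * modification of this software.
 * You may use this code under the GNU public license if you so wish. Please
 * contribute changes back to the authors under this freer than GPL license
 * so that we may further the use of strong encryption without limitations to
 * all.
 *
 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
 * PURPOSE.
 */

#ifndef _NETINET_IPSP_H_
#define _NETINET_IPSP_H_

/*
 * IPSP global definitions.
 */

#include <sys/types.h>
#include <netinet/in.h>
#include <sys/md5k.h>
#include <netinet/ip_sha1.h>
#include <netinet/ip_rmd160.h>
#include <netinet/ip_blf.h>
#include <netinet/ip_cast.h>
#include <netinet/ip_skipjack.h>

/*
 * Socket address container for every family IPSP handles.  The
 * __maxsize member pins the union at 128 bytes so that every copy of
 * this type (it is passed by value in places) moves a fixed size.
 */
union sockaddr_union
{
	struct sockaddr		sa;
	struct sockaddr_in	sin;
	struct sockaddr_in6	sin6;
	char			__maxsize[128];
};

/* HMAC key sizes */
#define MD5HMAC96_KEYSIZE	16
#define SHA1HMAC96_KEYSIZE	20
#define RIPEMD160HMAC96_KEYSIZE	20

/* IV lengths */
#define ESP_DES_IVS		8
#define ESP_3DES_IVS		8
#define ESP_BLF_IVS		8
#define ESP_CAST_IVS		8
#define ESP_SKIPJACK_IVS	8
#define ESP_MAX_IVS		8	/* Keep updated */

/* Block sizes -- it is assumed that they're powers of 2 */
#define ESP_DES_BLKS		8
#define ESP_3DES_BLKS		8
#define ESP_BLF_BLKS		8
#define ESP_CAST_BLKS		8
#define ESP_SKIPJACK_BLKS	8
#define ESP_MAX_BLKS		8	/* Keep updated */

#define AH_HMAC_HASHLEN		12	/* 96 bits of authenticator */
#define AH_HMAC_RPLENGTH	4	/* 32 bits of replay counter */
#define AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */

/*
 * HMAC definitions: inner/outer pad bytes and the input block length.
 * HMAC_BLOCK_LEN used to be defined twice in this header; it is now
 * defined once, here, and also sizes the hmac_{i,o}pad_buffer arrays.
 */
#define HMAC_IPAD_VAL		0x36
#define HMAC_OPAD_VAL		0x5C
#define HMAC_BLOCK_LEN		64

/* Authenticator lengths */
#define AH_MD5_ALEN		16
#define AH_SHA1_ALEN		20
#define AH_RMD160_ALEN		20
#define AH_ALEN_MAX		20	/* Keep updated */

/*
 * Encapsulation address as seen by the routing code.  sen_type selects
 * which member of the Sen union is meaningful (see SENT_*); the Data
 * view exposes the same 16 bytes untyped.
 */
struct sockaddr_encap
{
	u_int8_t	sen_len;		/* length */
	u_int8_t	sen_family;		/* PF_KEY */
	u_int16_t	sen_type;		/* see SENT_* */
	union
	{
		u_int8_t	Data[16];	/* other stuff mapped here */

		struct				/* SENT_IP4 */
		{
			struct in_addr	Src;
			struct in_addr	Dst;
			u_int16_t	Sport;
			u_int16_t	Dport;
			u_int8_t	Proto;
			u_int8_t	Filler[3];
		} Sip4;

		struct				/* SENT_IPSP */
		{
			struct in_addr	Dst;
			u_int32_t	Spi;
			u_int8_t	Sproto;
			u_int8_t	Filler[7];
		} Sipsp;
	} Sen;
};
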
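#define sen_data	Sen.Data
#define sen_ip_src	Sen.Sip4.Src
#define sen_ip_dst	Sen.Sip4.Dst
#define sen_proto	Sen.Sip4.Proto
#define sen_sport	Sen.Sip4.Sport
#define sen_dport	Sen.Sip4.Dport
#define sen_ipsp_dst	Sen.Sipsp.Dst
#define sen_ipsp_spi	Sen.Sipsp.Spi
#define sen_ipsp_sproto	Sen.Sipsp.Sproto

/*
 * The "type" is really part of the address as far as the routing
 * system is concerned. By using only one bit in the type field
 * for each type, we sort-of make sure that different types of
 * encapsulation addresses won't be matched against the wrong type.
 *
 */

#define SENT_IP4	0x0001	/* data is two struct in_addr */
#define SENT_IPSP	0x0002	/* data as in IP4 plus SPI */

/*
 * SENT_HDRLEN is the length of the "header"
 * SENT_*_LEN are the lengths of various forms of sen_data
 * SENT_*_OFF are the offsets in the sen_data array of various fields
 */

#define SENT_HDRLEN	(2 * sizeof(u_int8_t) + sizeof(u_int16_t))

#define SENT_IP4_SRCOFF	(0)
#define SENT_IP4_DSTOFF	(sizeof (struct in_addr))

#define SENT_IP4_LEN	20
#define SENT_IPSP_LEN	20

/* Notification codes sent to key management */
#define NOTIFY_SOFT_EXPIRE	0	/* Soft expiration of SA */
#define NOTIFY_HARD_EXPIRE	1	/* Hard expiration of SA */
#define NOTIFY_REQUEST_SA	2	/* Establish an SA */

/* SA attribute bits; TDB_ATTRIB() below produces a combination of these */
#define NOTIFY_SATYPE_CONF	1	/* SA should do encryption */
#define NOTIFY_SATYPE_AUTH	2	/* SA should do authentication */
#define NOTIFY_SATYPE_TUNNEL	4	/* SA should use tunneling */

/*
 * For encapsulation routes are possible not only for the destination
 * address but also for the protocol, source and destination ports
 * if available
 */

struct route_enc {
	struct rtentry		*re_rt;
	struct sockaddr_encap	re_dst;
};

/* Pending SA expiration, kept on a doubly linked list (explist) */
struct expiration
{
	u_int32_t		exp_timeout;
	union sockaddr_union	exp_dst;
	u_int32_t		exp_spi;
	u_int8_t		exp_sproto;
	struct expiration	*exp_next;
	struct expiration	*exp_prev;
};

/* Traffic selector bound to an SA: src/dst address+mask and protocol */
struct flow
{
	struct flow		*flow_next;	/* Next in flow chain */
	struct flow		*flow_prev;	/* Previous in flow chain */
	struct tdb		*flow_sa;	/* Pointer to the SA */
	union sockaddr_union	flow_src;	/* Source address */
	union sockaddr_union	flow_srcmask;	/* Source netmask */
	union sockaddr_union	flow_dst;	/* Destination address */
	union sockaddr_union	flow_dstmask;	/* Destination netmask */
	u_int8_t		flow_proto;	/* Transport protocol, if applicable */
	u_int8_t		foo[3];		/* Alignment */
};

/*
 * Tunnel descriptor block: one per security association.  Holds the
 * transform selection, lifetime limits (time, bytes, allocations,
 * first use), key material pointers, replay state and the flows that
 * use the SA.
 */
struct tdb				/* tunnel descriptor block */
{
	struct tdb	*tdb_hnext;		/* Next in hash chain */
	struct tdb	*tdb_onext;		/* Next in output */
	struct tdb	*tdb_inext;		/* Previous in output */

	struct xformsw	*tdb_xform;		/* Transformation to use */
	struct enc_xform *tdb_encalgxform;	/* Encryption algorithm xform */
	struct auth_hash *tdb_authalgxform;	/* Authentication algorithm xform */

	/* Bits of tdb_flags */
#define TDBF_UNIQUE		0x00001	/* This should not be used by others */
#define TDBF_TIMER		0x00002	/* Absolute expiration timer in use */
#define TDBF_BYTES		0x00004	/* Check the byte counters */
#define TDBF_ALLOCATIONS	0x00008	/* Check the flows counters */
#define TDBF_INVALID		0x00010	/* This SPI is not valid yet/anymore */
#define TDBF_FIRSTUSE		0x00020	/* Expire after first use */
#define TDBF_HALFIV		0x00040	/* Use half-length IV (ESP old only) */
#define TDBF_SOFT_TIMER		0x00080	/* Soft expiration */
#define TDBF_SOFT_BYTES		0x00100	/* Soft expiration */
#define TDBF_SOFT_ALLOCATIONS	0x00200	/* Soft expiration */
#define TDBF_SOFT_FIRSTUSE	0x00400	/* Soft expiration */
#define TDBF_PFS		0x00800	/* Ask for PFS from Key Mgmt. */
#define TDBF_TUNNELING		0x01000	/* Force IP-IP encapsulation */
	u_int32_t	tdb_flags;		/* Flags related to this TDB */

	u_int32_t	tdb_exp_allocations;	/* Expire after so many flows */
	u_int32_t	tdb_soft_allocations;	/* Expiration warning */
	u_int32_t	tdb_cur_allocations;	/* Total number of allocations */

	u_int64_t	tdb_exp_bytes;		/* Expire after so many bytes passed */
	u_int64_t	tdb_soft_bytes;		/* Expiration warning */
	u_int64_t	tdb_cur_bytes;		/* Current count of bytes */

	u_int64_t	tdb_exp_timeout;	/* When does the SPI expire */
	u_int64_t	tdb_soft_timeout;	/* Send a soft-expire warning */
	u_int64_t	tdb_established;	/* When was the SPI established */

	u_int64_t	tdb_first_use;		/* When was it first used */
	u_int64_t	tdb_soft_first_use;	/* Soft warning */
	u_int64_t	tdb_exp_first_use;	/* Expire if tdb_first_use +
						 * tdb_exp_first_use <= curtime */
	u_int32_t	tdb_spi;		/* SPI */
	u_int16_t	tdb_amxkeylen;		/* AH-old only */
	u_int16_t	tdb_ivlen;		/* IV length */
	u_int8_t	tdb_sproto;		/* IPsec protocol */
	u_int8_t	tdb_wnd;		/* Replay window */
	u_int16_t	tdb_FILLER;		/* Padding */

	union sockaddr_union	tdb_dst;	/* Destination address for this SA */
	union sockaddr_union	tdb_src;	/* Source address for this SA */
	union sockaddr_union	tdb_proxy;

	/*
	 * Heap-held per-SA secrets.  Their sizes are not recorded here
	 * except for tdb_amxkeylen; the xform's xf_zeroize hook is the
	 * place where they are expected to be cleared and released.
	 */
	u_int8_t	*tdb_key;		/* Key material (schedules) */
	u_int8_t	*tdb_ictx;		/* Authentication contexts */
	u_int8_t	*tdb_octx;
	u_int8_t	*tdb_srcid;		/* Source ID for this SA */
	u_int8_t	*tdb_dstid;		/* Destination ID for this SA */
	u_int8_t	*tdb_amxkey;		/* AH-old only */

	/* IV storage: every ESP_*_IVS above is 8, so ESP_3DES_IVS covers all */
	union
	{
		u_int8_t	Iv[ESP_3DES_IVS];	/* That's enough space */
		u_int32_t	Ivl;		/* Make sure this is 4 bytes */
		u_int64_t	Ivq;		/* Make sure this is 8 bytes! */
	} IV;
#define tdb_iv	IV.Iv
#define tdb_ivl	IV.Ivl
#define tdb_ivq	IV.Ivq

	/* Anti-replay state; the 32-bit bitmap bounds the usable window */
	u_int32_t	tdb_rpl;		/* Replay counter */
	u_int32_t	tdb_bitmap;		/* Used for replay sliding window */
	u_int32_t	tdb_initial;		/* Initial replay value */

	u_int32_t	tdb_epoch;		/* Used by the kernfs interface */
	u_int16_t	tdb_srcid_len;
	u_int16_t	tdb_dstid_len;
	u_int16_t	tdb_srcid_type;
	u_int16_t	tdb_dstid_type;

	struct flow	*tdb_flow;		/* Which flows use this SA */
};

#define TDB_HASHMOD	257

/* Authentication algorithm descriptor (init/update/final over an opaque ctx) */
struct auth_hash {
	int	 type;
	char	*name;
	u_int16_t keysize;
	u_int16_t hashsize;
	u_int16_t ctxsize;
	void	(*Init)(void *);
	void	(*Update)(void *, u_int8_t *, u_int16_t);
	void	(*Final)(u_int8_t *, void *);
};

/* Encryption algorithm descriptor; key length must fall in [minkey, maxkey] */
struct enc_xform {
	int	 type;
	char	*name;
	u_int16_t blocksize, ivsize;
	u_int16_t minkey, maxkey;
	u_int32_t ivmask;		/* Or all possible modes, zero iv = 1 */
	void	(*encrypt)(struct tdb *, u_int8_t *);
	void	(*decrypt)(struct tdb *, u_int8_t *);
};

/* Keys and algorithm ids handed to xf_init when an SA is set up */
struct ipsecinit
{
	u_int8_t	*ii_enckey;
	u_int8_t	*ii_authkey;
	u_int16_t	 ii_enckeylen;
	u_int16_t	 ii_authkeylen;
	u_int8_t	 ii_encalg;
	u_int8_t	 ii_authalg;
};

/* Transform switch entry: the operations one xform provides */
struct xformsw
{
	u_short		xf_type;	/* Unique ID of xform */
	u_short		xf_flags;	/* flags (see below) */
	char		*xf_name;	/* human-readable name */
	int		(*xf_attach)(void);	/* called at config time */
	int		(*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *);
	int		(*xf_zeroize)(struct tdb *);	/* termination */
	struct mbuf	*(*xf_input)(struct mbuf *, struct tdb *);	/* input */
	int		(*xf_output)(struct mbuf *, struct sockaddr_encap *,
			    struct tdb *, struct mbuf **);	/* output */
};

/* xform IDs */
#define XF_IP4		1	/* IP inside IP */
#define XF_OLD_AH	2	/* RFCs 1828 & 1852 */
#define XF_OLD_ESP	3	/* RFCs 1829 & 1851 */
#define XF_NEW_AH	4	/* AH HMAC 96bits */
#define XF_NEW_ESP	5	/* ESP + auth 96bits + replay counter */

/* xform attributes */
#define XFT_AUTH	0x0001
#define XFT_CONF	0x0100

#define IPSEC_ZEROES_SIZE	64
#define IPSEC_KERNFS_BUFSIZE	4096

#if BYTE_ORDER == LITTLE_ENDIAN
/*
 * Convert a 64-bit quantity to network byte order on a little-endian
 * host: the two 32-bit halves swap places and each is byte-swapped
 * with htonl().  ntohq() is the same operation.
 */
static __inline u_int64_t
htonq(u_int64_t q)
{
	u_int32_t upper = (u_int32_t)(q >> 32);
	u_int32_t lower = (u_int32_t)q;

	return htonl(upper) | ((u_int64_t)htonl(lower) << 32);
}

#define ntohq(_x) htonq(_x)

#elif BYTE_ORDER == BIG_ENDIAN

#define htonq(_x) (_x)
#define ntohq(_x) htonq(_x)

#else
#error "Please fix <machine/endian.h>"
#endif

/*
 * Names for IPsec sysctl objects
 */
#define IPSECCTL_PFKEY		0
#define IPSECCTL_MAXID		1

#define CTL_IPSEC_NAMES {\
	{ "pfkey", CTLTYPE_NODE }, \
}

#define PFKEYCTL_ENCDEBUG	1
#define PFKEYCTL_MAXID		2

#define PFKEYCTL_NAMES {\
	{ 0, 0 }, \
	{ "encdebug", CTLTYPE_INT }, \
}

#ifdef _KERNEL
extern int encdebug;
extern int ipsec_in_use;
extern u_int8_t hmac_ipad_buffer[HMAC_BLOCK_LEN];
extern u_int8_t hmac_opad_buffer[HMAC_BLOCK_LEN];

/*
 * The SA hash table and the expiration list are only declared here;
 * a header must not carry tentative definitions, since every
 * translation unit including it would then define them.  Exactly one
 * kernel source file must provide the definitions.
 */
extern struct tdb *tdbh[TDB_HASHMOD];
extern struct expiration *explist;
extern struct xformsw xformsw[], *xformswNXFORMSW;

/*
 * Attributes of a tdb as NOTIFY_SATYPE_* bits: encryption if an
 * encryption xform is attached, authentication if an auth xform is.
 * Tunneling (TDBF_TUNNELING) is not reported by this macro.
 */
#define TDB_ATTRIB(x) (((x)->tdb_encalgxform ? NOTIFY_SATYPE_CONF : 0)| \
		       ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0))

/*
 * Traverse an SPI chain in direction TDB_DIR starting at TDBP and OR
 * the attributes of each tdb into `have'.  The walk stops at the first
 * tdb without an xform or flagged TDBF_INVALID.
 */

#define SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) {\
	struct tdb *tmptdb = (TDBP); \
	(have) = 0; \
	\
	while (tmptdb && tmptdb->tdb_xform) { \
		if (tmptdb->tdb_flags & TDBF_INVALID) \
			break; \
		(have) |= TDB_ATTRIB(tmptdb); \
		tmptdb = tmptdb->TDB_DIR; \
	} \
}

/* Misc. */
extern char *inet_ntoa4(struct in_addr);
extern char *ipsp_address(union sockaddr_union);	/* takes the 128-byte union by value */

/* TDB management routines */
extern u_int32_t reserve_spi(u_int32_t sspi, u_int32_t tspi,
		     union sockaddr_union *src, union sockaddr_union *dst,
		     u_int8_t sproto, int *errval);
extern struct tdb *gettdb(u_int32_t spi, union sockaddr_union *dst,
		     u_int8_t sproto);
extern void	puttdb(struct tdb *tdbp);
extern int	tdb_delete(struct tdb *tdbp, int delchain);
extern int	tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii);

/* Expiration management routines */
extern struct expiration *get_expiration(void);
extern void	put_expiration(struct expiration *exp);
extern void	handle_expirations(void *arg);
extern void	cleanup_expirations(union sockaddr_union *dst, u_int32_t spi,
		     u_int8_t sproto);

/* Flow management routines */
extern struct flow *get_flow(void);
extern void	put_flow(struct flow *flow, struct tdb *tdbp);
extern void	delete_flow(struct flow *flow, struct tdb *tdbp);
extern struct flow *find_flow(union sockaddr_union *src,
		     union sockaddr_union *srcmask,
		     union sockaddr_union *dst,
		     union sockaddr_union *dstmask,
		     u_int8_t proto, struct tdb *tdbp);
extern struct flow *find_global_flow(union sockaddr_union *src,
		     union sockaddr_union *srcmask,
		     union sockaddr_union *dst,
		     union sockaddr_union *dstmask, u_int8_t proto);

/* XF_IP4 */
extern int	ipe4_attach(void);
extern int	ipe4_init(struct tdb *tdbp, struct xformsw *xsp,
		     struct ipsecinit *ii);
extern int	ipe4_zeroize(struct tdb *tdbp);
extern int	ipe4_output(struct mbuf *m, struct sockaddr_encap *gw,
		     struct tdb *tdbp, struct mbuf **mp);
extern void	ipe4_input __P((struct mbuf *, ...));
extern void	ip4_input __P((struct mbuf *, ...));

/* XF_OLD_AH */
extern int	ah_old_attach(void);
extern int	ah_old_init(struct tdb *tdbp, struct xformsw *xsp,
		     struct ipsecinit *ii);
extern int	ah_old_zeroize(struct tdb *tdbp);
extern int	ah_old_output(struct mbuf *m, struct sockaddr_encap *gw,
		     struct tdb *tdbp, struct mbuf **mp);
extern struct mbuf *ah_old_input(struct mbuf *m, struct tdb *tdbp);
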
/* XF_NEW_AH: HMAC-96 authentication header */
extern int	ah_new_attach(void);
extern int	ah_new_init(struct tdb *tdbp, struct xformsw *xsp,
		     struct ipsecinit *ii);
extern int	ah_new_zeroize(struct tdb *tdbp);
extern int	ah_new_output(struct mbuf *m, struct sockaddr_encap *gw,
		     struct tdb *tdbp, struct mbuf **mp);
extern struct mbuf *ah_new_input(struct mbuf *m, struct tdb *tdbp);

/* XF_OLD_ESP: RFC 1829/1851 style ESP */
extern int	esp_old_attach(void);
extern int	esp_old_init(struct tdb *tdbp, struct xformsw *xsp,
		     struct ipsecinit *ii);
extern int	esp_old_zeroize(struct tdb *tdbp);
extern int	esp_old_output(struct mbuf *m, struct sockaddr_encap *gw,
		     struct tdb *tdbp, struct mbuf **mp);
extern struct mbuf *esp_old_input(struct mbuf *m, struct tdb *tdbp);

/* XF_NEW_ESP: ESP with 96-bit authenticator and replay counter */
extern int	esp_new_attach(void);
extern int	esp_new_init(struct tdb *tdbp, struct xformsw *xsp,
		     struct ipsecinit *ii);
extern int	esp_new_zeroize(struct tdb *tdbp);
extern int	esp_new_output(struct mbuf *m, struct sockaddr_encap *gw,
		     struct tdb *tdbp, struct mbuf **mp);
extern struct mbuf *esp_new_input(struct mbuf *m, struct tdb *tdbp);

/* Padding: append n bytes of padding to an mbuf chain */
extern caddr_t	m_pad(struct mbuf *m, int n, int randompadding);

/*
 * Replay window: check and update the sliding window for sequence
 * number seq given the SA's initial value, last seen sequence number,
 * window size and bitmap (see tdb_rpl/tdb_initial/tdb_wnd/tdb_bitmap).
 */
extern int	checkreplaywindow32(u_int32_t seq, u_int32_t initial,
		     u_int32_t *lastseq, u_int32_t window, u_int32_t *bitmap);

extern unsigned char ipseczeroes[];
#endif /* _KERNEL */
#endif /* _NETINET_IPSP_H_ */