/* $FreeBSD$ */
/* $KAME: keydb.h,v 1.14 2000/08/02 17:58:26 sakane Exp $ */

/*-
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * Kernel-side key database (SADB) structures for netipsec.
 *
 * This header only declares the in-kernel representation of security
 * associations, their indices, lifetimes, replay state and the PF_KEY
 * registration/acquire bookkeeping, plus the allocation helpers implemented
 * in keydb.c.  Field order is ABI for every consumer of these structures;
 * do not reorder members.
 */

#ifndef _NETIPSEC_KEYDB_H_
#define _NETIPSEC_KEYDB_H_

#ifdef _KERNEL

#include <netipsec/key_var.h>

#ifndef _SOCKADDR_UNION_DEFINED
#define _SOCKADDR_UNION_DEFINED
/*
 * The union of all possible address formats we handle.
 *
 * NOTE(review): the union is as large as its biggest member (sin6), so a
 * consumer must check sa.sa_family (and sa.sa_len) before touching sin/sin6;
 * nothing here guarantees which member is valid.
 */
union sockaddr_union {
	struct sockaddr		sa;
	struct sockaddr_in	sin;
	struct sockaddr_in6	sin6;
};
#endif /* _SOCKADDR_UNION_DEFINED */

/*
 * Security Association Index: the (src, dst, proto, mode, reqid) tuple that
 * identifies an SA bundle.
 * NOTE: src and dst must be of the same address family.
 */
struct secasindex {
	union sockaddr_union src;	/* source address for SA */
	union sockaddr_union dst;	/* destination address for SA */
	u_int16_t proto;		/* IPPROTO_ESP or IPPROTO_AH */
	u_int8_t mode;			/* mode of protocol, see ipsec.h */
	u_int32_t reqid;		/* reqid id who owned this SA */
					/* see IPSEC_MANUAL_REQID_MAX. */
};

/*
 * In order to split out the keydb implementation from that of the
 * PF_KEY sockets we need to define a few structures that while they
 * may seem common are likely to diverge over time.
 */

/*
 * sadb_identity: an identity associated with one end of an SA.
 * (presumably mirrors struct sadb_ident's type/id pair -- confirm)
 */
struct secident {
	u_int16_t type;
	u_int64_t id;
};

/*
 * sadb_key: raw symmetric key material.
 *
 * NOTE(review): `bits' is presumably the key length in bits as carried by
 * sadb_key_bits -- confirm against key.c before using it for sizing.
 * key_data is secret; whichever path frees a seckey should zero key_data
 * before releasing it (this header does not show where that happens).
 */
struct seckey {
	u_int16_t bits;			/* key length in bits (presumably) */
	char *key_data;			/* secret key bytes, owned by this struct */
};

/*
 * Lifetime counters/limits for an SA (mirrors the sadb_lifetime fields).
 * The same layout is used for the current, hard and soft lifetimes below.
 */
struct seclifetime {
	u_int32_t allocations;
	u_int64_t bytes;
	u_int64_t addtime;
	u_int64_t usetime;
};

/*
 * Security Association Data Base head: all SAs sharing one secasindex,
 * bucketed by SA state.
 */
struct secashead {
	LIST_ENTRY(secashead) chain;

	struct secasindex saidx;

	struct secident *idents;	/* source identity */
	struct secident *identd;	/* destination identity */
					/* XXX I don't know how to use them. */

	u_int8_t state;			/* MATURE or DEAD. */
	LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
					/* SA chain, one list per SA state */
					/* The first of each list is the newer SA */
};

struct xformsw;
struct enc_xform;
struct auth_hash;
struct comp_algo;

/*
 * Security Association.
 *
 * Protected by `lock' (see the SECASVAR_LOCK_* macros below) and kept alive
 * by `refcnt'.  NOTE(review): key_auth, key_enc, iv and sched hold secret
 * keying material or state derived from it; the release path is expected
 * to zero those buffers before freeing them -- confirm in keydb.c/key.c,
 * since the header does not show it.
 */
struct secasvar {
	LIST_ENTRY(secasvar) chain;
	struct mtx lock;		/* update/access lock */

	u_int refcnt;			/* reference count */
	u_int8_t state;			/* Status of this Association */

	u_int8_t alg_auth;		/* Authentication Algorithm Identifier*/
	u_int8_t alg_enc;		/* Cipher Algorithm Identifier */
	u_int8_t alg_comp;		/* Compression Algorithm Identifier */
	u_int32_t spi;			/* SPI Value, network byte order */
					/* (compare/store as-is; do not ntohl) */
	u_int32_t flags;		/* holder for SADB_KEY_FLAGS */

	struct seckey *key_auth;	/* Key for Authentication (secret) */
	struct seckey *key_enc;	/* Key for Encryption (secret) */
	caddr_t iv;			/* Initialization Vector */
	u_int ivlen;			/* length of IV */
	void *sched;			/* intermediate encryption key */
					/* (expanded key schedule; secret) */
	size_t schedlen;

	struct secreplay *replay;	/* replay prevention */
	time_t created;			/* for lifetime */

	struct seclifetime *lft_c;	/* CURRENT lifetime, it's constant. */
	struct seclifetime *lft_h;	/* HARD lifetime */
	struct seclifetime *lft_s;	/* SOFT lifetime */

	u_int32_t seq;			/* sequence number */
	pid_t pid;			/* message's pid */

	struct secashead *sah;		/* back pointer to the secashead */

	/*
	 * NB: Fields with a tdb_ prefix are part of the "glue" used
	 *     to interface to the OpenBSD crypto support.  This was done
	 *     to distinguish this code from the mainline KAME code.
	 */
	struct xformsw *tdb_xform;		/* transform */
	struct enc_xform *tdb_encalgxform;	/* encoding algorithm */
	struct auth_hash *tdb_authalgxform;	/* authentication algorithm */
	struct comp_algo *tdb_compalgxform;	/* compression algorithm */
	u_int64_t tdb_cryptoid;		/* crypto session id */

	/*
	 * NAT-Traversal.
	 */
	u_int16_t natt_type;		/* IKE/ESP-marker in output. */
	u_int16_t natt_esp_frag_len;	/* MTU for payload fragmentation. */
};

/*
 * Per-SA mutex helpers.  SECASVAR_LOCK_ASSERT() asserts that the current
 * thread owns the lock (MA_OWNED).
 */
#define	SECASVAR_LOCK_INIT(_sav) \
	mtx_init(&(_sav)->lock, "ipsec association", NULL, MTX_DEF)
#define	SECASVAR_LOCK(_sav)		mtx_lock(&(_sav)->lock)
#define	SECASVAR_UNLOCK(_sav)		mtx_unlock(&(_sav)->lock)
#define	SECASVAR_LOCK_DESTROY(_sav)	mtx_destroy(&(_sav)->lock)
#define	SECASVAR_LOCK_ASSERT(_sav)	mtx_assert(&(_sav)->lock, MA_OWNED)

/*
 * Replay prevention state for one SA.
 *
 * NOTE(review): wsize is the window size in bytes (e.g. 4 for a 32-bit
 * window); RFC 4303 recommends a window of at least 32 packets and 64 by
 * default, so callers configuring smaller windows weaken replay protection.
 * Whether a zero-sized window disables checking is decided by the code that
 * consults this structure, not here.
 */
struct secreplay {
	u_int32_t count;	/* packet counter (presumably) */
	u_int wsize;		/* window size in bytes, e.g. 4 */
	u_int32_t seq;		/* used by sender */
	u_int32_t lastseq;	/* used by receiver */
	caddr_t bitmap;		/* used by receiver; presumably wsize bytes */
	int overflow;		/* overflow flag (sequence number wrapped) */
};

/*
 * Registered PF_KEY sockets; PF_KEY messages are delivered to each socket
 * on this list.
 */
struct secreg {
	LIST_ENTRY(secreg) chain;

	struct socket *so;
};

/*
 * Acquire table: one entry per outstanding request for an SA (the
 * SADB_ACQUIRE bookkeeping), keyed by secasindex.
 */
struct secacq {
	LIST_ENTRY(secacq) chain;

	struct secasindex saidx;

	u_int32_t seq;		/* sequence number */
	time_t created;		/* for lifetime */
	int count;		/* for lifetime */
};

/* Sensitivity Level Specification */
/* nothing */

/*
 * NOTE(review): the value and the original "six seconds" comment disagree
 * and the unit is not defined in this header; confirm how (and whether)
 * key.c consumes it before relying on the comment.
 */
#define	SADB_KILL_INTERVAL	600	/* six seconds */

/*
 * Constructors/destructors implemented in keydb.c.  Ownership: the
 * keydb_new*() result is owned by the caller until handed to the matching
 * keydb_del*()/keydb_freesecasvar().  For secasvar, keydb_refsecasvar()
 * presumably takes a reference (refcnt) and keydb_freesecasvar() drops one,
 * releasing the SA and its key material when it reaches zero -- confirm.
 */
/* secpolicy */
extern struct secpolicy *keydb_newsecpolicy(void);
extern void keydb_delsecpolicy(struct secpolicy *);
/* secashead */
extern struct secashead *keydb_newsecashead(void);
extern void keydb_delsecashead(struct secashead *);
/* secasvar */
extern struct secasvar *keydb_newsecasvar(void);
extern void keydb_refsecasvar(struct secasvar *);
extern void keydb_freesecasvar(struct secasvar *);
/* secreplay: the size_t argument is presumably the window size (wsize) */
extern struct secreplay *keydb_newsecreplay(size_t);
extern void keydb_delsecreplay(struct secreplay *);
/* secreg */
extern struct secreg *keydb_newsecreg(void);
extern void keydb_delsecreg(struct secreg *);

#endif /* _KERNEL */

#endif /* _NETIPSEC_KEYDB_H_ */