sys/netipsec/keydb.h

   1 /*      $NetBSD: keydb.h,v 1.5 2007/06/27 20:38:33 degroote Exp $       */
   2 /*      $FreeBSD: src/sys/netipsec/keydb.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $      */
   3 /*      $KAME: keydb.h,v 1.14 2000/08/02 17:58:26 sakane Exp $  */
   4
   5 /*
   6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
   7  * All rights reserved.
   8  *
   9  * Redistribution and use in source and binary forms, with or without
  10  * modification, are permitted provided that the following conditions
  11  * are met:
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  * 2. Redistributions in binary form must reproduce the above copyright
  15  *    notice, this list of conditions and the following disclaimer in the
  16  *    documentation and/or other materials provided with the distribution.
  17  * 3. Neither the name of the project nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #ifndef _NETIPSEC_KEYDB_H_
  35 #define _NETIPSEC_KEYDB_H_
  36
  37 #ifdef _KERNEL
  38
  39 #include "opt_ipsec.h"
  40
  41 #include <netipsec/key_var.h>
  42 #include <net/route.h>
  43 #include <netinet/in.h>
  44
  45 /*
  46  * The union of all possible address formats we handle.
  47  */
  48 union sockaddr_union {
  49         struct sockaddr         sa;
  50         struct sockaddr_in      sin;
  51         struct sockaddr_in6     sin6;
  52 };
  53
  54 /* Security Assocciation Index */
  55 /* NOTE: Ensure to be same address family */
  56 struct secasindex {
  57         union sockaddr_union src;       /* srouce address for SA */
  58         union sockaddr_union dst;       /* destination address for SA */
  59         u_int16_t proto;                /* IPPROTO_ESP or IPPROTO_AH */
  60         u_int8_t mode;                  /* mode of protocol, see ipsec.h */
  61         u_int32_t reqid;                /* reqid id who owned this SA */
  62                                         /* see IPSEC_MANUAL_REQID_MAX. */
  63 };
  64
  65 /* Security Association Data Base */
  66 struct secashead {
  67         LIST_ENTRY(secashead) chain;
  68
  69         struct secasindex saidx;
  70
  71         struct sadb_ident *idents;      /* source identity */
  72         struct sadb_ident *identd;      /* destination identity */
  73                                         /* XXX I don't know how to use them. */
  74
  75         u_int8_t state;                 /* MATURE or DEAD. */
  76         LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
  77                                         /* SA chain */
  78                                         /* The first of this list is newer SA */
  79
  80         struct route sa_route;          /* route cache */
  81 };
  82
  83 struct xformsw;
  84 struct enc_xform;
  85 struct auth_hash;
  86 struct comp_algo;
  87
  88 /* Security Association */
  89 struct secasvar {
  90         LIST_ENTRY(secasvar) chain;
  91
  92         u_int refcnt;                   /* reference count */
  93         u_int8_t state;                 /* Status of this Association */
  94
  95         u_int8_t alg_auth;              /* Authentication Algorithm Identifier*/
  96         u_int8_t alg_enc;               /* Cipher Algorithm Identifier */
  97         u_int8_t alg_comp;              /* Compression Algorithm Identifier */
  98         u_int32_t spi;                  /* SPI Value, network byte order */
  99         u_int32_t flags;                /* holder for SADB_KEY_FLAGS */
 100
 101         struct sadb_key *key_auth;      /* Key for Authentication */
 102         struct sadb_key *key_enc;       /* Key for Encryption */
 103         void *iv;                       /* Initilization Vector */
 104         u_int ivlen;                    /* length of IV */
 105         void *sched;                    /* intermediate encryption key */
 106         size_t schedlen;
 107
 108         struct secreplay *replay;       /* replay prevention */
 109         long created;                   /* for lifetime */
 110
 111         struct sadb_lifetime *lft_c;    /* CURRENT lifetime, it's constant. */
 112         struct sadb_lifetime *lft_h;    /* HARD lifetime */
 113         struct sadb_lifetime *lft_s;    /* SOFT lifetime */
 114
 115         u_int32_t seq;                  /* sequence number */
 116         pid_t pid;                      /* message's pid */
 117
 118         struct secashead *sah;          /* back pointer to the secashead */
 119
 120         /*
 121          * NB: Fields with a tdb_ prefix are part of the "glue" used
 122          *     to interface to the OpenBSD crypto support.  This was done
 123          *     to distinguish this code from the mainline KAME code.
 124          */
 125         struct xformsw *tdb_xform;      /* transform */
 126         struct enc_xform *tdb_encalgxform;      /* encoding algorithm */
 127         struct auth_hash *tdb_authalgxform;     /* authentication algorithm */
 128         struct comp_algo *tdb_compalgxform;     /* compression algorithm */
 129         u_int64_t tdb_cryptoid;         /* crypto session id */
 130
 131 #ifdef IPSEC_NAT_T
 132         u_int16_t natt_type;
 133         u_int16_t esp_frag;
 134 #endif
 135 };
 136
 137 /* replay prevention */
 138 struct secreplay {
 139         u_int32_t count;
 140         u_int wsize;            /* window size, i.g. 4 bytes */
 141         u_int32_t seq;          /* used by sender */
 142         u_int32_t lastseq;      /* used by receiver */
 143         char *bitmap;           /* used by receiver */
 144         int overflow;           /* overflow flag */
 145 };
 146
 147 /* socket table due to send PF_KEY messages. */
 148 struct secreg {
 149         LIST_ENTRY(secreg) chain;
 150
 151         struct socket *so;
 152 };
 153
 154 #ifndef IPSEC_NONBLOCK_ACQUIRE
 155 /* acquiring list table. */
 156 struct secacq {
 157         LIST_ENTRY(secacq) chain;
 158
 159         struct secasindex saidx;
 160
 161         u_int32_t seq;          /* sequence number */
 162         long created;           /* for lifetime */
 163         int count;              /* for lifetime */
 164 };
 165 #endif
 166
 167 /* Sensitivity Level Specification */
 168 /* nothing */
 169
 170 #define SADB_KILL_INTERVAL      600     /* six seconds */
 171
 172 /* secpolicy */
 173 struct secpolicy *keydb_newsecpolicy (void);
 174 void keydb_delsecpolicy (struct secpolicy *);
 175 /* secashead */
 176 struct secashead *keydb_newsecashead (void);
 177 void keydb_delsecashead (struct secashead *);
 178 /* secasvar */
 179 struct secasvar *keydb_newsecasvar (void);
 180 void keydb_refsecasvar (struct secasvar *);
 181 void keydb_freesecasvar (struct secasvar *);
 182 /* secreplay */
 183 struct secreplay *keydb_newsecreplay (size_t);
 184 void keydb_delsecreplay (struct secreplay *);
 185 /* secreg */
 186 struct secreg *keydb_newsecreg (void);
 187 void keydb_delsecreg (struct secreg *);
 188
 189 #endif /* _KERNEL */
 190
 191 #endif /* !_NETIPSEC_KEYDB_H_ */