sys/netkey/keydb.h

   1 /*      $NetBSD: keydb.h,v 1.28 2007/05/02 20:40:29 dyoung Exp $        */
   2 /*      $KAME: keydb.h,v 1.23 2003/09/07 05:25:20 itojun Exp $  */
   3
   4 /*
   5  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
   6  * All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  * 1. Redistributions of source code must retain the above copyright
  12  *    notice, this list of conditions and the following disclaimer.
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  * 3. Neither the name of the project nor the names of its contributors
  17  *    may be used to endorse or promote products derived from this software
  18  *    without specific prior written permission.
  19  *
  20  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
  24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  30  * SUCH DAMAGE.
  31  */
  32
  33 #ifndef _NETKEY_KEYDB_H_
  34 #define _NETKEY_KEYDB_H_
  35
  36 #ifdef _KERNEL
  37
  38 #if defined(_KERNEL_OPT)
  39 #include "opt_ipsec.h"
  40 #endif
  41
  42 #include <sys/mallocvar.h>
  43 #include <netkey/key_var.h>
  44
  45 MALLOC_DECLARE(M_SECA);
  46
  47 /* Security Assocciation Index */
  48 /* NOTE: Ensure to be same address family */
  49 struct secasindex {
  50         struct sockaddr_storage src;    /* srouce address for SA */
  51         struct sockaddr_storage dst;    /* destination address for SA */
  52         u_int16_t proto;                /* IPPROTO_ESP or IPPROTO_AH */
  53         u_int8_t mode;                  /* mode of protocol, see ipsec.h */
  54         u_int16_t reqid;                /* reqid id who owned this SA */
  55                                         /* see IPSEC_MANUAL_REQID_MAX. */
  56 };
  57
  58 /* Security Association Data Base */
  59 struct secashead {
  60         LIST_ENTRY(secashead) chain;
  61
  62         struct secasindex saidx;
  63
  64         struct sadb_ident *idents;      /* source identity */
  65         struct sadb_ident *identd;      /* destination identity */
  66                                         /* XXX I don't know how to use them. */
  67
  68         u_int8_t state;                 /* MATURE or DEAD. */
  69         LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
  70                                         /* SA chain */
  71                                         /* The first of this list is newer SA */
  72
  73         struct route sa_route;
  74 };
  75
  76 /* Security Association */
  77 struct secasvar {
  78         TAILQ_ENTRY(secasvar) tailq;
  79         LIST_ENTRY(secasvar) chain;
  80         LIST_ENTRY(secasvar) spihash;
  81
  82         int refcnt;                     /* reference count */
  83         u_int8_t state;                 /* Status of this Association */
  84
  85         u_int8_t alg_auth;              /* Authentication Algorithm Identifier*/
  86         u_int8_t alg_enc;               /* Cipher Algorithm Identifier */
  87         u_int32_t spi;                  /* SPI Value, network byte order */
  88         u_int32_t flags;                /* holder for SADB_KEY_FLAGS */
  89
  90         struct sadb_key *key_auth;      /* Key for Authentication */
  91         struct sadb_key *key_enc;       /* Key for Encryption */
  92         void *iv;                       /* Initilization Vector */
  93         u_int ivlen;                    /* length of IV */
  94         void *sched;                    /* intermediate encryption key */
  95         size_t schedlen;
  96
  97         struct secreplay *replay;       /* replay prevention */
  98         long created;                   /* for lifetime */
  99
 100         struct sadb_lifetime *lft_c;    /* CURRENT lifetime, it's constant. */
 101         struct sadb_lifetime *lft_h;    /* HARD lifetime */
 102         struct sadb_lifetime *lft_s;    /* SOFT lifetime */
 103
 104         u_int64_t seq;                  /* sequence number */
 105         pid_t pid;                      /* message's pid */
 106
 107         struct secashead *sah;          /* back pointer to the secashead */
 108
 109         u_int32_t id;                   /* SA id */
 110         /* Nat-Traversal state */
 111 #ifdef IPSEC_NAT_T
 112         u_int16_t       natt_type;
 113         u_int16_t       esp_frag;
 114 #endif
 115 };
 116
 117 /* replay prevention */
 118 struct secreplay {
 119         u_int64_t count;
 120         u_int wsize;            /* window size, i.g. 4 bytes */
 121         u_int64_t seq;          /* used by sender */
 122         u_int64_t lastseq;      /* used by receiver */
 123         u_int8_t *bitmap;       /* used by receiver */
 124         int overflow;           /* what round does the counter take. */
 125 };
 126
 127 /* socket table due to send PF_KEY messages. */
 128 struct secreg {
 129         LIST_ENTRY(secreg) chain;
 130
 131         struct socket *so;
 132 };
 133
 134 #ifndef IPSEC_NONBLOCK_ACQUIRE
 135 /* acquiring list table. */
 136 struct secacq {
 137         LIST_ENTRY(secacq) chain;
 138
 139         struct secasindex saidx;
 140
 141         u_int32_t seq;          /* sequence number */
 142         long created;           /* for lifetime */
 143         int count;              /* for lifetime */
 144 };
 145 #endif
 146
 147 /* Sensitivity Level Specification */
 148 /* nothing */
 149
 150 #define SADB_KILL_INTERVAL      600     /* six seconds */
 151
 152 struct key_cb {
 153         int key_count;
 154         int any_count;
 155 };
 156
 157 /* secpolicy */
 158 struct secpolicy;
 159 struct secpolicyindex;
 160 extern struct secpolicy *keydb_newsecpolicy(void);
 161 extern u_int32_t keydb_newspid(void);
 162 extern void keydb_delsecpolicy(struct secpolicy *);
 163 extern int keydb_setsecpolicyindex
 164 (struct secpolicy *, struct secpolicyindex *);
 165 /* secashead */
 166 extern struct secashead *keydb_newsecashead(void);
 167 extern void keydb_delsecashead(struct secashead *);
 168 /* secasvar */
 169 extern struct secasvar *keydb_newsecasvar(void);
 170 extern void keydb_delsecasvar(struct secasvar *);
 171 /* secreplay */
 172 extern struct secreplay *keydb_newsecreplay(size_t);
 173 extern void keydb_delsecreplay(struct secreplay *);
 174 /* secreg */
 175 extern struct secreg *keydb_newsecreg(void);
 176 extern void keydb_delsecreg(struct secreg *);
 177
 178 #endif /* _KERNEL */
 179
 180 #endif /* !_NETKEY_KEYDB_H_ */