1 | /* $NetBSD: keydb.h,v 1.14 2015/03/30 03:51:50 ozaki-r Exp $ */ |
2 | /* $FreeBSD: src/sys/netipsec/keydb.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ |
3 | /* $KAME: keydb.h,v 1.14 2000/08/02 17:58:26 sakane Exp $ */ |
4 | |
5 | /* |
6 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
7 | * All rights reserved. |
8 | * |
9 | * Redistribution and use in source and binary forms, with or without |
10 | * modification, are permitted provided that the following conditions |
11 | * are met: |
12 | * 1. Redistributions of source code must retain the above copyright |
13 | * notice, this list of conditions and the following disclaimer. |
14 | * 2. Redistributions in binary form must reproduce the above copyright |
15 | * notice, this list of conditions and the following disclaimer in the |
16 | * documentation and/or other materials provided with the distribution. |
17 | * 3. Neither the name of the project nor the names of its contributors |
18 | * may be used to endorse or promote products derived from this software |
19 | * without specific prior written permission. |
20 | * |
21 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
24 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
31 | * SUCH DAMAGE. |
32 | */ |
33 | |
34 | #ifndef _NETIPSEC_KEYDB_H_ |
35 | #define _NETIPSEC_KEYDB_H_ |
36 | |
37 | #ifdef _KERNEL |
38 | |
39 | #include <netipsec/key_var.h> |
40 | #include <net/route.h> |
41 | #include <netinet/in.h> |
42 | |
43 | #ifndef _SOCKADDR_UNION_DEFINED |
44 | #define _SOCKADDR_UNION_DEFINED |
45 | /* |
46 | * The union of all possible address formats we handle. |
47 | */ |
48 | union sockaddr_union { |
49 | struct sockaddr sa; |
50 | struct sockaddr_in sin; |
51 | struct sockaddr_in6 sin6; |
52 | }; |
53 | #endif /* _SOCKADDR_UNION_DEFINED */ |
54 | |
55 | /* Security Assocciation Index */ |
56 | /* NOTE: Ensure to be same address family */ |
57 | struct secasindex { |
58 | union sockaddr_union src; /* source address for SA */ |
59 | union sockaddr_union dst; /* destination address for SA */ |
60 | u_int16_t proto; /* IPPROTO_ESP or IPPROTO_AH */ |
61 | u_int8_t mode; /* mode of protocol, see ipsec.h */ |
62 | u_int32_t reqid; /* reqid id who owned this SA */ |
63 | /* see IPSEC_MANUAL_REQID_MAX. */ |
64 | }; |
65 | |
66 | /* Security Association Data Base */ |
67 | struct secashead { |
68 | LIST_ENTRY(secashead) chain; |
69 | |
70 | struct secasindex saidx; |
71 | |
72 | struct sadb_ident *idents; /* source identity */ |
73 | struct sadb_ident *identd; /* destination identity */ |
74 | /* XXX I don't know how to use them. */ |
75 | |
76 | u_int8_t state; /* MATURE or DEAD. */ |
77 | LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1]; |
78 | /* SA chain */ |
79 | /* The first of this list is newer SA */ |
80 | |
81 | struct route sa_route; /* route cache */ |
82 | }; |
83 | |
84 | struct xformsw; |
85 | struct enc_xform; |
86 | struct auth_hash; |
87 | struct comp_algo; |
88 | |
89 | /* Security Association */ |
90 | struct secasvar { |
91 | LIST_ENTRY(secasvar) chain; |
92 | |
93 | u_int refcnt; /* reference count */ |
94 | u_int8_t state; /* Status of this Association */ |
95 | |
96 | u_int8_t alg_auth; /* Authentication Algorithm Identifier*/ |
97 | u_int8_t alg_enc; /* Cipher Algorithm Identifier */ |
98 | u_int8_t alg_comp; /* Compression Algorithm Identifier */ |
99 | u_int32_t spi; /* SPI Value, network byte order */ |
100 | u_int32_t flags; /* holder for SADB_KEY_FLAGS */ |
101 | |
102 | struct sadb_key *key_auth; /* Key for Authentication */ |
103 | struct sadb_key *key_enc; /* Key for Encryption */ |
104 | u_int ivlen; /* length of IV */ |
105 | |
106 | struct secreplay *replay; /* replay prevention */ |
107 | time_t created; /* for lifetime */ |
108 | |
109 | struct sadb_lifetime *lft_c; /* CURRENT lifetime, it's constant. */ |
110 | struct sadb_lifetime *lft_h; /* HARD lifetime */ |
111 | struct sadb_lifetime *lft_s; /* SOFT lifetime */ |
112 | |
113 | u_int32_t seq; /* sequence number */ |
114 | pid_t pid; /* message's pid */ |
115 | |
116 | struct secashead *sah; /* back pointer to the secashead */ |
117 | |
118 | /* |
119 | * NB: Fields with a tdb_ prefix are part of the "glue" used |
120 | * to interface to the OpenBSD crypto support. This was done |
121 | * to distinguish this code from the mainline KAME code. |
122 | */ |
123 | const struct xformsw *tdb_xform; /* transform */ |
124 | const struct enc_xform *tdb_encalgxform; /* encoding algorithm */ |
125 | const struct auth_hash *tdb_authalgxform; /* authentication algorithm */ |
126 | const struct comp_algo *tdb_compalgxform; /* compression algorithm */ |
127 | u_int64_t tdb_cryptoid; /* crypto session id */ |
128 | |
129 | u_int16_t natt_type; |
130 | u_int16_t esp_frag; |
131 | }; |
132 | |
133 | /* replay prevention */ |
134 | struct secreplay { |
135 | u_int32_t count; |
136 | u_int wsize; /* window size, i.g. 4 bytes */ |
137 | u_int32_t seq; /* used by sender */ |
138 | u_int32_t lastseq; /* used by receiver */ |
139 | char *bitmap; /* used by receiver */ |
140 | int overflow; /* overflow flag */ |
141 | }; |
142 | |
143 | /* socket table due to send PF_KEY messages. */ |
144 | struct secreg { |
145 | LIST_ENTRY(secreg) chain; |
146 | |
147 | struct socket *so; |
148 | }; |
149 | |
150 | #ifndef IPSEC_NONBLOCK_ACQUIRE |
151 | /* acquiring list table. */ |
152 | struct secacq { |
153 | LIST_ENTRY(secacq) chain; |
154 | |
155 | struct secasindex saidx; |
156 | |
157 | u_int32_t seq; /* sequence number */ |
158 | time_t created; /* for lifetime */ |
159 | int count; /* for lifetime */ |
160 | }; |
161 | #endif |
162 | |
163 | /* Sensitivity Level Specification */ |
164 | /* nothing */ |
165 | |
166 | #define SADB_KILL_INTERVAL 600 /* six seconds */ |
167 | |
168 | /* secpolicy */ |
169 | struct secpolicy *keydb_newsecpolicy (void); |
170 | void keydb_delsecpolicy (struct secpolicy *); |
171 | /* secashead */ |
172 | struct secashead *keydb_newsecashead (void); |
173 | void keydb_delsecashead (struct secashead *); |
174 | /* secasvar */ |
175 | struct secasvar *keydb_newsecasvar (void); |
176 | void keydb_refsecasvar (struct secasvar *); |
177 | void keydb_freesecasvar (struct secasvar *); |
178 | /* secreplay */ |
179 | struct secreplay *keydb_newsecreplay (size_t); |
180 | void keydb_delsecreplay (struct secreplay *); |
181 | /* secreg */ |
182 | struct secreg *keydb_newsecreg (void); |
183 | void keydb_delsecreg (struct secreg *); |
184 | |
185 | #endif /* _KERNEL */ |
186 | |
187 | #endif /* !_NETIPSEC_KEYDB_H_ */ |
188 | |