Home | History | Annotate | Line # | Download | only in netipsec
keydb.h revision 1.1.4.2 
      1 /*	$NetBSD: keydb.h,v 1.1.4.2 2004/08/03 10:55:29 skrll Exp $	*/
      2 /*	$FreeBSD: src/sys/netipsec/keydb.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
      3 /*	$KAME: keydb.h,v 1.14 2000/08/02 17:58:26 sakane Exp $	*/
      4 
      5 /*
      6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
      7  * All rights reserved.
      8  *
      9  * Redistribution and use in source and binary forms, with or without
     10  * modification, are permitted provided that the following conditions
     11  * are met:
     12  * 1. Redistributions of source code must retain the above copyright
     13  *    notice, this list of conditions and the following disclaimer.
     14  * 2. Redistributions in binary form must reproduce the above copyright
     15  *    notice, this list of conditions and the following disclaimer in the
     16  *    documentation and/or other materials provided with the distribution.
     17  * 3. Neither the name of the project nor the names of its contributors
     18  *    may be used to endorse or promote products derived from this software
     19  *    without specific prior written permission.
     20  *
     21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
     22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
     25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     31  * SUCH DAMAGE.
     32  */
     33 
     34 #ifndef _NETIPSEC_KEYDB_H_
     35 #define _NETIPSEC_KEYDB_H_
     36 
     37 #ifdef _KERNEL
     38 
     39 #include <netipsec/key_var.h>
     40 #include <net/route.h>
     41 #include <netinet/in.h>
     42 
     43 /*
     44  * The union of all possible address formats we handle.
     45  */
     46 union sockaddr_union {
     47 	struct sockaddr		sa;
     48 	struct sockaddr_in	sin;
     49 	struct sockaddr_in6	sin6;
     50 };
     51 
     52 /* Security Assocciation Index */
     53 /* NOTE: Ensure to be same address family */
     54 struct secasindex {
     55 	union sockaddr_union src;	/* srouce address for SA */
     56 	union sockaddr_union dst;	/* destination address for SA */
     57 	u_int16_t proto;		/* IPPROTO_ESP or IPPROTO_AH */
     58 	u_int8_t mode;			/* mode of protocol, see ipsec.h */
     59 	u_int32_t reqid;		/* reqid id who owned this SA */
     60 					/* see IPSEC_MANUAL_REQID_MAX. */
     61 };
     62 
     63 /* Security Association Data Base */
     64 struct secashead {
     65 	LIST_ENTRY(secashead) chain;
     66 
     67 	struct secasindex saidx;
     68 
     69 	struct sadb_ident *idents;	/* source identity */
     70 	struct sadb_ident *identd;	/* destination identity */
     71 					/* XXX I don't know how to use them. */
     72 
     73 	u_int8_t state;			/* MATURE or DEAD. */
     74 	LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
     75 					/* SA chain */
     76 					/* The first of this list is newer SA */
     77 
     78 	struct route sa_route;		/* route cache */
     79 };
     80 
     81 struct xformsw;
     82 struct enc_xform;
     83 struct auth_hash;
     84 struct comp_algo;
     85 
     86 /* Security Association */
     87 struct secasvar {
     88 	LIST_ENTRY(secasvar) chain;
     89 
     90 	u_int refcnt;			/* reference count */
     91 	u_int8_t state;			/* Status of this Association */
     92 
     93 	u_int8_t alg_auth;		/* Authentication Algorithm Identifier*/
     94 	u_int8_t alg_enc;		/* Cipher Algorithm Identifier */
     95 	u_int8_t alg_comp;		/* Compression Algorithm Identifier */
     96 	u_int32_t spi;			/* SPI Value, network byte order */
     97 	u_int32_t flags;		/* holder for SADB_KEY_FLAGS */
     98 
     99 	struct sadb_key *key_auth;	/* Key for Authentication */
    100 	struct sadb_key *key_enc;	/* Key for Encryption */
    101 	caddr_t iv;			/* Initilization Vector */
    102 	u_int ivlen;			/* length of IV */
    103 	void *sched;			/* intermediate encryption key */
    104 	size_t schedlen;
    105 
    106 	struct secreplay *replay;	/* replay prevention */
    107 	long created;			/* for lifetime */
    108 
    109 	struct sadb_lifetime *lft_c;	/* CURRENT lifetime, it's constant. */
    110 	struct sadb_lifetime *lft_h;	/* HARD lifetime */
    111 	struct sadb_lifetime *lft_s;	/* SOFT lifetime */
    112 
    113 	u_int32_t seq;			/* sequence number */
    114 	pid_t pid;			/* message's pid */
    115 
    116 	struct secashead *sah;		/* back pointer to the secashead */
    117 
    118 	/*
    119 	 * NB: Fields with a tdb_ prefix are part of the "glue" used
    120 	 *     to interface to the OpenBSD crypto support.  This was done
    121 	 *     to distinguish this code from the mainline KAME code.
    122 	 */
    123 	struct xformsw *tdb_xform;	/* transform */
    124 	struct enc_xform *tdb_encalgxform;	/* encoding algorithm */
    125 	struct auth_hash *tdb_authalgxform;	/* authentication algorithm */
    126 	struct comp_algo *tdb_compalgxform;	/* compression algorithm */
    127 	u_int64_t tdb_cryptoid;		/* crypto session id */
    128 };
    129 
    130 /* replay prevention */
    131 struct secreplay {
    132 	u_int32_t count;
    133 	u_int wsize;		/* window size, i.g. 4 bytes */
    134 	u_int32_t seq;		/* used by sender */
    135 	u_int32_t lastseq;	/* used by receiver */
    136 	caddr_t bitmap;		/* used by receiver */
    137 	int overflow;		/* overflow flag */
    138 };
    139 
    140 /* socket table due to send PF_KEY messages. */
    141 struct secreg {
    142 	LIST_ENTRY(secreg) chain;
    143 
    144 	struct socket *so;
    145 };
    146 
    147 #ifndef IPSEC_NONBLOCK_ACQUIRE
    148 /* acquiring list table. */
    149 struct secacq {
    150 	LIST_ENTRY(secacq) chain;
    151 
    152 	struct secasindex saidx;
    153 
    154 	u_int32_t seq;		/* sequence number */
    155 	long created;		/* for lifetime */
    156 	int count;		/* for lifetime */
    157 };
    158 #endif
    159 
    160 /* Sensitivity Level Specification */
    161 /* nothing */
    162 
    163 #define SADB_KILL_INTERVAL	600	/* six seconds */
    164 
    165 /* secpolicy */
    166 extern struct secpolicy *keydb_newsecpolicy __P((void));
    167 extern void keydb_delsecpolicy __P((struct secpolicy *));
    168 /* secashead */
    169 extern struct secashead *keydb_newsecashead __P((void));
    170 extern void keydb_delsecashead __P((struct secashead *));
    171 /* secasvar */
    172 extern struct secasvar *keydb_newsecasvar __P((void));
    173 extern void keydb_refsecasvar __P((struct secasvar *));
    174 extern void keydb_freesecasvar __P((struct secasvar *));
    175 /* secreplay */
    176 extern struct secreplay *keydb_newsecreplay __P((size_t));
    177 extern void keydb_delsecreplay __P((struct secreplay *));
    178 /* secreg */
    179 extern struct secreg *keydb_newsecreg __P((void));
    180 extern void keydb_delsecreg __P((struct secreg *));
    181 
    182 #endif /* _KERNEL */
    183 
    184 #endif /* _NETIPSEC_KEYDB_H_ */
    185