bsd/netkey/keydb.h

   1 /*      $KAME: keydb.h,v 1.9 2000/02/22 14:06:41 itojun Exp $   */
   2
   3 /*
   4  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted provided that the following conditions
   9  * are met:
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  * 2. Redistributions in binary form must reproduce the above copyright
  13  *    notice, this list of conditions and the following disclaimer in the
  14  *    documentation and/or other materials provided with the distribution.
  15  * 3. Neither the name of the project nor the names of its contributors
  16  *    may be used to endorse or promote products derived from this software
  17  *    without specific prior written permission.
  18  *
  19  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
  23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  29  * SUCH DAMAGE.
  30  */
  31
  32 #ifndef _NETKEY_KEYDB_H_
  33 #define _NETKEY_KEYDB_H_
  34 #include <sys/appleapiopts.h>
  35
  36 #ifdef BSD_KERNEL_PRIVATE
  37
  38 #include <netkey/key_var.h>
  39
  40 /* Security Association Index */
  41 /* NOTE: Ensure to be same address family */
  42 struct secasindex {
  43         struct sockaddr_storage src;    /* srouce address for SA */
  44         struct sockaddr_storage dst;    /* destination address for SA */
  45         u_int16_t proto;                /* IPPROTO_ESP or IPPROTO_AH */
  46         u_int8_t mode;                  /* mode of protocol, see ipsec.h */
  47         u_int32_t reqid;                /* reqid id who owned this SA */
  48                                         /* see IPSEC_MANUAL_REQID_MAX. */
  49         u_int ipsec_ifindex;
  50 };
  51
  52 /* Security Association Data Base */
  53 struct secashead {
  54         LIST_ENTRY(secashead) chain;
  55
  56         struct secasindex saidx;
  57
  58         struct sadb_ident *idents;      /* source identity */
  59         struct sadb_ident *identd;      /* destination identity */
  60                                         /* XXX I don't know how to use them. */
  61
  62         ifnet_t ipsec_if;
  63         u_int outgoing_if;
  64         u_int8_t dir;                   /* IPSEC_DIR_INBOUND or IPSEC_DIR_OUTBOUND */
  65         u_int8_t state;                 /* MATURE or DEAD. */
  66         LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX + 1];
  67         /* SA chain */
  68         /* The first of this list is newer SA */
  69
  70         struct route_in6 sa_route;              /* route cache */
  71 };
  72
  73 #define MAX_REPLAY_WINDOWS 4
  74
  75 /* Security Association */
  76 struct secasvar {
  77         LIST_ENTRY(secasvar) chain;
  78         LIST_ENTRY(secasvar) spihash;
  79         int refcnt;                     /* reference count */
  80         u_int8_t state;                 /* Status of this Association */
  81
  82         u_int8_t alg_auth;              /* Authentication Algorithm Identifier*/
  83         u_int8_t alg_enc;               /* Cipher Algorithm Identifier */
  84         u_int32_t spi;                  /* SPI Value, network byte order */
  85         u_int32_t flags;                /* holder for SADB_KEY_FLAGS */
  86         u_int16_t flags2;               /* holder for SADB_SA2_KEY_FLAGS */
  87
  88         struct sadb_key *key_auth;      /* Key for Authentication */
  89         struct sadb_key *key_enc;       /* Key for Encryption */
  90         caddr_t iv;                     /* Initilization Vector */
  91         u_int ivlen;                    /* length of IV */
  92         void *sched;                    /* intermediate encryption key */
  93         size_t schedlen;
  94
  95         struct secreplay *replay[MAX_REPLAY_WINDOWS]; /* replay prevention */
  96
  97         long created;                   /* for lifetime */
  98
  99         struct sadb_lifetime *lft_c;    /* CURRENT lifetime, it's constant. */
 100         struct sadb_lifetime *lft_h;    /* HARD lifetime */
 101         struct sadb_lifetime *lft_s;    /* SOFT lifetime */
 102
 103         struct socket *so; /* Associated socket */
 104
 105         u_int32_t seq;                  /* sequence number */
 106         pid_t pid;                      /* message's pid */
 107
 108         struct secashead *sah;          /* back pointer to the secashead */
 109
 110         /* Nat Traversal related bits */
 111         u_int64_t       natt_last_activity;
 112         u_int16_t       remote_ike_port;
 113         u_int16_t       natt_encapsulated_src_port;     /* network byte order */
 114         u_int16_t       natt_interval; /* Interval in seconds */
 115         u_int16_t       natt_offload_interval; /* Hardware Offload Interval in seconds */
 116
 117         u_int8_t        always_expire; /* Send expire/delete messages even if unused */
 118 };
 119
 120 /* replay prevention */
 121 struct secreplay {
 122         u_int32_t count;
 123         u_int wsize;            /* window size, i.g. 4 bytes */
 124         u_int32_t seq;          /* used by sender */
 125         u_int32_t lastseq;      /* used by sender/receiver */
 126         caddr_t bitmap;         /* used by receiver */
 127         int overflow;           /* overflow flag */
 128 };
 129
 130 /* socket table due to send PF_KEY messages. */
 131 struct secreg {
 132         LIST_ENTRY(secreg) chain;
 133
 134         struct socket *so;
 135 };
 136
 137 #ifndef IPSEC_NONBLOCK_ACQUIRE
 138 /* acquiring list table. */
 139 struct secacq {
 140         LIST_ENTRY(secacq) chain;
 141
 142         struct secasindex saidx;
 143
 144         u_int32_t seq;          /* sequence number */
 145         long created;           /* for lifetime */
 146         int count;              /* for lifetime */
 147 };
 148 #endif
 149
 150 /* Sensitivity Level Specification */
 151 /* nothing */
 152
 153 #define SADB_KILL_INTERVAL      600     /* six seconds */
 154
 155 struct key_cb {
 156         int key_count;
 157         int any_count;
 158 };
 159
 160 /* secpolicy */
 161 extern struct secpolicy *keydb_newsecpolicy(void);
 162 extern void keydb_delsecpolicy(struct secpolicy *);
 163 /* secashead */
 164 extern struct secashead *keydb_newsecashead(void);
 165 // extern void keydb_delsecashead(struct secashead *);  // not used
 166 /* secasvar */
 167 // extern struct secasvar *keydb_newsecasvar(void);             // not used
 168 // extern void keydb_refsecasvar(struct secasvar *);    // not used
 169 // extern void keydb_freesecasvar(struct secasvar *);   // not used
 170 /* secreplay */
 171 extern struct secreplay *keydb_newsecreplay(size_t);
 172 extern void keydb_delsecreplay(struct secreplay *);
 173 /* secreg */
 174 // extern struct secreg *keydb_newsecreg(void);                 // not used
 175 // extern void keydb_delsecreg(struct secreg *);                // not used
 176
 177 #endif /* BSD_KERNEL_PRIVATE */
 178
 179 #endif /* _NETKEY_KEYDB_H_ */