#define _NETKEY_KEYDB_H_
#include <sys/appleapiopts.h>
-#ifdef KERNEL
-#ifdef KERNEL_PRIVATE
+#ifdef BSD_KERNEL_PRIVATE
#include <netkey/key_var.h>
-#include <net/if_utun.h>
-/* Security Assocciation Index */
+/* Security Association Index */
/* NOTE: Ensure to be same address family */
struct secasindex {
- struct sockaddr_storage src; /* srouce address for SA */
- struct sockaddr_storage dst; /* destination address for SA */
- u_int16_t proto; /* IPPROTO_ESP or IPPROTO_AH */
- u_int8_t mode; /* mode of protocol, see ipsec.h */
- u_int32_t reqid; /* reqid id who owned this SA */
- /* see IPSEC_MANUAL_REQID_MAX. */
+ struct sockaddr_storage src; /* srouce address for SA */
+ struct sockaddr_storage dst; /* destination address for SA */
+ u_int16_t proto; /* IPPROTO_ESP or IPPROTO_AH */
+ u_int8_t mode; /* mode of protocol, see ipsec.h */
+ u_int32_t reqid; /* reqid id who owned this SA */
+ /* see IPSEC_MANUAL_REQID_MAX. */
+ u_int ipsec_ifindex;
};
+#define SECURITY_ASSOCIATION_ANY 0x0000
+#define SECURITY_ASSOCIATION_PFKEY 0x0001
+#define SECURITY_ASSOCIATION_CUSTOM_IPSEC 0x0010
+
/* Security Association Data Base */
struct secashead {
LIST_ENTRY(secashead) chain;
struct secasindex saidx;
- struct sadb_ident *idents; /* source identity */
- struct sadb_ident *identd; /* destination identity */
- /* XXX I don't know how to use them. */
-
+ ifnet_t ipsec_if;
+ u_int outgoing_if;
u_int8_t dir; /* IPSEC_DIR_INBOUND or IPSEC_DIR_OUTBOUND */
- u_int8_t state; /* MATURE or DEAD. */
- LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
- /* SA chain */
- /* The first of this list is newer SA */
+ u_int8_t state; /* MATURE or DEAD. */
+ LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX + 1];
+ /* SA chain */
+ /* The first of this list is newer SA */
+
+ struct route_in6 sa_route; /* route cache */
- struct route sa_route; /* route cache */
+ uint16_t flags;
+ u_int32_t use_count;
};
-typedef int (*utun_is_keepalive_func) __P((void *, void *, u_int16_t, u_int32_t, size_t));
-typedef int (*utun_input_func) __P((void *, void *, protocol_family_t family));
+#define MAX_REPLAY_WINDOWS 4
/* Security Association */
struct secasvar {
LIST_ENTRY(secasvar) chain;
LIST_ENTRY(secasvar) spihash;
- int refcnt; /* reference count */
- u_int8_t state; /* Status of this Association */
-
- u_int8_t alg_auth; /* Authentication Algorithm Identifier*/
- u_int8_t alg_enc; /* Cipher Algorithm Identifier */
- u_int32_t spi; /* SPI Value, network byte order */
- u_int32_t flags; /* holder for SADB_KEY_FLAGS */
-
- struct sadb_key *key_auth; /* Key for Authentication */
- struct sadb_key *key_enc; /* Key for Encryption */
- caddr_t iv; /* Initilization Vector */
- u_int ivlen; /* length of IV */
- void *sched; /* intermediate encryption key */
+ int refcnt; /* reference count */
+ u_int8_t state; /* Status of this Association */
+
+ u_int8_t alg_auth; /* Authentication Algorithm Identifier*/
+ u_int8_t alg_enc; /* Cipher Algorithm Identifier */
+ u_int32_t spi; /* SPI Value, network byte order */
+ u_int32_t flags; /* holder for SADB_KEY_FLAGS */
+ u_int16_t flags2; /* holder for SADB_SA2_KEY_FLAGS */
+
+ struct sadb_key *key_auth; /* Key for Authentication */
+ struct sadb_key *key_enc; /* Key for Encryption */
+ caddr_t iv; /* Initilization Vector */
+ u_int ivlen; /* length of IV */
+ void *sched; /* intermediate encryption key */
size_t schedlen;
- struct secreplay *replay; /* replay prevention */
- long created; /* for lifetime */
+ struct secreplay *replay[MAX_REPLAY_WINDOWS]; /* replay prevention */
+
+ long created; /* for lifetime */
+
+ struct sadb_lifetime *lft_c; /* CURRENT lifetime, it's constant. */
+ struct sadb_lifetime *lft_h; /* HARD lifetime */
+ struct sadb_lifetime *lft_s; /* SOFT lifetime */
+
+ struct socket *so; /* Associated socket */
- struct sadb_lifetime *lft_c; /* CURRENT lifetime, it's constant. */
- struct sadb_lifetime *lft_h; /* HARD lifetime */
- struct sadb_lifetime *lft_s; /* SOFT lifetime */
+ u_int32_t seq; /* sequence number */
+ pid_t pid; /* message's pid */
- u_int32_t seq; /* sequence number */
- pid_t pid; /* message's pid */
+ struct secashead *sah; /* back pointer to the secashead */
- struct secashead *sah; /* back pointer to the secashead */
-
/* Nat Traversal related bits */
- u_int32_t natt_last_activity;
- u_int16_t remote_ike_port;
- u_int16_t natt_encapsulated_src_port; /* network byte order */
+ u_int64_t natt_last_activity;
+ u_int16_t remote_ike_port;
+ u_int16_t natt_encapsulated_src_port; /* network byte order */
+ u_int16_t natt_interval; /* Interval in seconds */
+ u_int16_t natt_offload_interval; /* Hardware Offload Interval in seconds */
- void *utun_pcb;
- utun_is_keepalive_func utun_is_keepalive_fn;
- utun_input_func utun_in_fn;
+ u_int8_t always_expire; /* Send expire/delete messages even if unused */
};
/* replay prevention */
struct secreplay {
+ u_int8_t wsize; /* window size */
u_int32_t count;
- u_int wsize; /* window size, i.g. 4 bytes */
- u_int32_t seq; /* used by sender */
- u_int32_t lastseq; /* used by receiver */
- caddr_t bitmap; /* used by receiver */
- int overflow; /* overflow flag */
+ u_int32_t seq; /* used by sender */
+ u_int32_t lastseq; /* used by sender/receiver */
+ caddr_t bitmap; /* used by receiver */
+ int overflow; /* overflow flag */
};
/* socket table due to send PF_KEY messages. */
struct secasindex saidx;
- u_int32_t seq; /* sequence number */
- long created; /* for lifetime */
- int count; /* for lifetime */
+ u_int32_t seq; /* sequence number */
+ long created; /* for lifetime */
+ int count; /* for lifetime */
};
#endif
/* Sensitivity Level Specification */
/* nothing */
-#define SADB_KILL_INTERVAL 600 /* six seconds */
+#define SADB_KILL_INTERVAL 600 /* six seconds */
struct key_cb {
int key_count;
// extern void keydb_refsecasvar(struct secasvar *); // not used
// extern void keydb_freesecasvar(struct secasvar *); // not used
/* secreplay */
-extern struct secreplay *keydb_newsecreplay(size_t);
+extern struct secreplay *keydb_newsecreplay(u_int8_t);
extern void keydb_delsecreplay(struct secreplay *);
/* secreg */
// extern struct secreg *keydb_newsecreg(void); // not used
// extern void keydb_delsecreg(struct secreg *); // not used
-#endif /* KERNEL_PRIVATE */
-#endif /* KERNEL */
+#endif /* BSD_KERNEL_PRIVATE */
#endif /* _NETKEY_KEYDB_H_ */