xref: /freebsd/sys/netipsec/keydb.h (revision bf4356266d568717f6ae3b7f060ded6598357788)
1 /*	$FreeBSD$	*/
2 /*	$KAME: keydb.h,v 1.14 2000/08/02 17:58:26 sakane Exp $	*/
3 
4 /*-
5  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  * 3. Neither the name of the project nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 #ifndef _NETIPSEC_KEYDB_H_
34 #define _NETIPSEC_KEYDB_H_
35 
36 #ifdef _KERNEL
37 
38 #include <sys/mutex.h>
39 
40 #include <netipsec/key_var.h>
41 
42 #ifndef _SOCKADDR_UNION_DEFINED
43 #define	_SOCKADDR_UNION_DEFINED
44 /*
45  * The union of all possible address formats we handle.
46  */
47 union sockaddr_union {
48 	struct sockaddr		sa;
49 	struct sockaddr_in	sin;
50 	struct sockaddr_in6	sin6;
51 };
52 #endif /* _SOCKADDR_UNION_DEFINED */
53 
54 /* Security Assocciation Index */
55 /* NOTE: Ensure to be same address family */
56 struct secasindex {
57 	union sockaddr_union src;	/* source address for SA */
58 	union sockaddr_union dst;	/* destination address for SA */
59 	u_int16_t proto;		/* IPPROTO_ESP or IPPROTO_AH */
60 	u_int8_t mode;			/* mode of protocol, see ipsec.h */
61 	u_int32_t reqid;		/* reqid id who owned this SA */
62 					/* see IPSEC_MANUAL_REQID_MAX. */
63 };
64 
65 /*
66  * In order to split out the keydb implementation from that of the
67  * PF_KEY sockets we need to define a few structures that while they
68  * may seem common are likely to diverge over time.
69  */
70 
71 /* sadb_identity */
72 struct secident {
73 	u_int16_t type;
74 	u_int64_t id;
75 };
76 
77 /* sadb_key */
78 struct seckey {
79 	u_int16_t bits;
80 	char *key_data;
81 };
82 
83 struct seclifetime {
84 	u_int32_t allocations;
85 	u_int64_t bytes;
86 	u_int64_t addtime;
87 	u_int64_t usetime;
88 };
89 
90 /* Security Association Data Base */
91 struct secashead {
92 	LIST_ENTRY(secashead) chain;
93 
94 	struct secasindex saidx;
95 
96 	struct secident *idents;	/* source identity */
97 	struct secident *identd;	/* destination identity */
98 					/* XXX I don't know how to use them. */
99 
100 	u_int8_t state;			/* MATURE or DEAD. */
101 	LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
102 					/* SA chain */
103 					/* The first of this list is newer SA */
104 };
105 
106 struct xformsw;
107 struct enc_xform;
108 struct auth_hash;
109 struct comp_algo;
110 
111 /* Security Association */
112 struct secasvar {
113 	LIST_ENTRY(secasvar) chain;
114 	struct mtx lock;		/* update/access lock */
115 
116 	u_int refcnt;			/* reference count */
117 	u_int8_t state;			/* Status of this Association */
118 
119 	u_int8_t alg_auth;		/* Authentication Algorithm Identifier*/
120 	u_int8_t alg_enc;		/* Cipher Algorithm Identifier */
121 	u_int8_t alg_comp;		/* Compression Algorithm Identifier */
122 	u_int32_t spi;			/* SPI Value, network byte order */
123 	u_int32_t flags;		/* holder for SADB_KEY_FLAGS */
124 
125 	struct seckey *key_auth;	/* Key for Authentication */
126 	struct seckey *key_enc;	        /* Key for Encryption */
127 	u_int ivlen;			/* length of IV */
128 	void *sched;			/* intermediate encryption key */
129 	size_t schedlen;
130 	uint64_t cntr;			/* counter for GCM and CTR */
131 
132 	struct secreplay *replay;	/* replay prevention */
133 	time_t created;			/* for lifetime */
134 
135 	struct seclifetime *lft_c;	/* CURRENT lifetime, it's constant. */
136 	struct seclifetime *lft_h;	/* HARD lifetime */
137 	struct seclifetime *lft_s;	/* SOFT lifetime */
138 
139 	u_int32_t seq;			/* sequence number */
140 	pid_t pid;			/* message's pid */
141 
142 	struct secashead *sah;		/* back pointer to the secashead */
143 
144 	/*
145 	 * NB: Fields with a tdb_ prefix are part of the "glue" used
146 	 *     to interface to the OpenBSD crypto support.  This was done
147 	 *     to distinguish this code from the mainline KAME code.
148 	 */
149 	struct xformsw *tdb_xform;	/* transform */
150 	struct enc_xform *tdb_encalgxform;	/* encoding algorithm */
151 	struct auth_hash *tdb_authalgxform;	/* authentication algorithm */
152 	struct comp_algo *tdb_compalgxform;	/* compression algorithm */
153 	u_int64_t tdb_cryptoid;		/* crypto session id */
154 
155 	/*
156 	 * NAT-Traversal.
157 	 */
158 	u_int16_t natt_type;		/* IKE/ESP-marker in output. */
159 	u_int16_t natt_esp_frag_len;	/* MTU for payload fragmentation. */
160 };
161 
162 #define	SECASVAR_LOCK_INIT(_sav) \
163 	mtx_init(&(_sav)->lock, "ipsec association", NULL, MTX_DEF)
164 #define	SECASVAR_LOCK(_sav)		mtx_lock(&(_sav)->lock)
165 #define	SECASVAR_UNLOCK(_sav)		mtx_unlock(&(_sav)->lock)
166 #define	SECASVAR_LOCK_DESTROY(_sav)	mtx_destroy(&(_sav)->lock)
167 #define	SECASVAR_LOCK_ASSERT(_sav)	mtx_assert(&(_sav)->lock, MA_OWNED)
168 #define	SAV_ISGCM(_sav)							\
169 			((_sav)->alg_enc == SADB_X_EALG_AESGCM8 ||	\
170 			(_sav)->alg_enc == SADB_X_EALG_AESGCM12 ||	\
171 			(_sav)->alg_enc == SADB_X_EALG_AESGCM16)
172 #define	SAV_ISCTR(_sav) ((_sav)->alg_enc == SADB_X_EALG_AESCTR)
173 #define SAV_ISCTRORGCM(_sav)	(SAV_ISCTR((_sav)) || SAV_ISGCM((_sav)))
174 
175 /* Replay prevention, protected by SECASVAR_LOCK:
176  *  (m) locked by mtx
177  *  (c) read only except during creation / free
178  */
179 struct secreplay {
180 	u_int32_t count;	/* (m) */
181 	u_int wsize;		/* (c) window size, i.g. 4 bytes */
182 	u_int32_t seq;		/* (m) used by sender */
183 	u_int32_t lastseq;	/* (m) used by receiver */
184 	u_int32_t *bitmap;	/* (m) used by receiver */
185 	u_int bitmap_size;	/* (c) size of the bitmap array */
186 	int overflow;		/* (m) overflow flag */
187 };
188 
189 /* socket table due to send PF_KEY messages. */
190 struct secreg {
191 	LIST_ENTRY(secreg) chain;
192 
193 	struct socket *so;
194 };
195 
196 /* acquiring list table. */
197 struct secacq {
198 	LIST_ENTRY(secacq) chain;
199 
200 	struct secasindex saidx;
201 
202 	u_int32_t seq;		/* sequence number */
203 	time_t created;		/* for lifetime */
204 	int count;		/* for lifetime */
205 };
206 
207 /* Sensitivity Level Specification */
208 /* nothing */
209 
210 #define SADB_KILL_INTERVAL	600	/* six seconds */
211 
212 /* secpolicy */
213 extern struct secpolicy *keydb_newsecpolicy(void);
214 extern void keydb_delsecpolicy(struct secpolicy *);
215 /* secashead */
216 extern struct secashead *keydb_newsecashead(void);
217 extern void keydb_delsecashead(struct secashead *);
218 /* secasvar */
219 extern struct secasvar *keydb_newsecasvar(void);
220 extern void keydb_refsecasvar(struct secasvar *);
221 extern void keydb_freesecasvar(struct secasvar *);
222 /* secreplay */
223 extern struct secreplay *keydb_newsecreplay(size_t);
224 extern void keydb_delsecreplay(struct secreplay *);
225 /* secreg */
226 extern struct secreg *keydb_newsecreg(void);
227 extern void keydb_delsecreg(struct secreg *);
228 
229 #endif /* _KERNEL */
230 
231 #endif /* _NETIPSEC_KEYDB_H_ */
232