xref: /xnu-11417.140.69/bsd/netkey/keydb.h (revision 43a90889846e00bfb5cf1d255cdc0a701a1e05a4) 
1 /*	$KAME: keydb.h,v 1.9 2000/02/22 14:06:41 itojun Exp $	*/
2 
3 /*
4  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. Neither the name of the project nor the names of its contributors
16  *    may be used to endorse or promote products derived from this software
17  *    without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  */
31 
32 #ifndef _NETKEY_KEYDB_H_
33 #define _NETKEY_KEYDB_H_
34 #include <sys/appleapiopts.h>
35 
36 #ifdef BSD_KERNEL_PRIVATE
37 
38 #include <netkey/key_var.h>
39 
40 /* Security Association Index */
41 /* NOTE: Ensure to be same address family */
42 struct secasindex {
43 	struct sockaddr_storage src;    /* srouce address for SA */
44 	struct sockaddr_storage dst;    /* destination address for SA */
45 	u_int16_t proto;                /* IPPROTO_ESP or IPPROTO_AH */
46 	u_int8_t mode;                  /* mode of protocol, see ipsec.h */
47 	u_int32_t reqid;                /* reqid id who owned this SA */
48 	                                /* see IPSEC_MANUAL_REQID_MAX. */
49 	u_int ipsec_ifindex;
50 };
51 
52 #define SECURITY_ASSOCIATION_ANY          0x0000
53 #define SECURITY_ASSOCIATION_PFKEY        0x0001
54 #define SECURITY_ASSOCIATION_CUSTOM_IPSEC 0x0010
55 
56 /* Security Association Data Base */
57 struct secashead {
58 	LIST_ENTRY(secashead) chain;
59 
60 	struct secasindex saidx;
61 
62 	ifnet_t ipsec_if;
63 	u_int outgoing_if;
64 	u_int8_t dir;                   /* IPSEC_DIR_INBOUND or IPSEC_DIR_OUTBOUND */
65 	u_int8_t state;                 /* MATURE or DEAD. */
66 	LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX + 1];
67 	/* SA chain */
68 	/* The first of this list is newer SA */
69 
70 	struct route_in6 sa_route;              /* route cache */
71 
72 	uint16_t flags;
73 	u_int32_t use_count;
74 };
75 
76 #define MAX_REPLAY_WINDOWS 4
77 #define PER_TC_REPLAY_WINDOW_RANGE ((1ULL << 32) / MAX_REPLAY_WINDOWS)
78 #define PER_TC_REPLAY_WINDOW_SN_SHIFT 30
79 
80 /* Security Association */
81 struct secasvar {
82 	LIST_ENTRY(secasvar) chain;
83 	LIST_ENTRY(secasvar) spihash;
84 	int refcnt;                     /* reference count */
85 	u_int8_t state;                 /* Status of this Association */
86 
87 	u_int8_t alg_auth;              /* Authentication Algorithm Identifier*/
88 	u_int8_t alg_enc;               /* Cipher Algorithm Identifier */
89 	u_int32_t spi;                  /* SPI Value, network byte order */
90 	u_int32_t flags;                /* holder for SADB_KEY_FLAGS */
91 	u_int16_t flags2;               /* holder for SADB_SA2_KEY_FLAGS */
92 
93 	struct sadb_key *__sized_by(key_auth_len) key_auth;     /* Key for Authentication */
94 	struct sadb_key *__sized_by(key_enc_len) key_enc;       /* Key for Encryption */
95 	caddr_t __sized_by(ivlen) iv;                           /* Initialization Vector */
96 	void *__sized_by(schedlen_auth) sched_auth;             /* intermediate authentication key */
97 	void *__sized_by(schedlen_enc) sched_enc;               /* intermediate encryption key */
98 	uint32_t key_auth_len;
99 	uint32_t key_enc_len;
100 	size_t schedlen_auth;
101 	size_t schedlen_enc;
102 	u_int ivlen;                                            /* length of IV */
103 
104 	struct secreplay *replay[MAX_REPLAY_WINDOWS]; /* replay prevention */
105 
106 	u_int64_t created;              /* for lifetime */
107 
108 	struct sadb_lifetime *lft_c;    /* CURRENT lifetime, it's constant. */
109 	struct sadb_lifetime *lft_h;    /* HARD lifetime */
110 	struct sadb_lifetime *lft_s;    /* SOFT lifetime */
111 
112 	struct socket *so; /* Associated socket */
113 
114 	u_int32_t seq;                  /* sequence number */
115 	pid_t pid;                      /* message's pid */
116 
117 	struct secashead *sah;          /* back pointer to the secashead */
118 
119 	/* Nat Traversal related bits */
120 	u_int64_t       natt_last_activity;
121 	u_int16_t       remote_ike_port;
122 	u_int16_t       natt_encapsulated_src_port;     /* network byte order */
123 	u_int16_t       natt_interval; /* Interval in seconds */
124 	u_int16_t       natt_offload_interval; /* Hardware Offload Interval in seconds */
125 	/*
126 	 * Globally unique flow identifier for the SA.
127 	 * Added on outgoing packets by the IPSec driver.
128 	 */
129 	uint32_t        flowid;
130 
131 	u_int8_t        always_expire; /* Send expire/delete messages even if unused */
132 };
133 
134 /* replay prevention */
135 struct secreplay {
136 	u_int8_t wsize;                          /* window size */
137 	u_int32_t count;                         /* used by sender/receiver */
138 	u_int32_t seq;                           /* used by sender */
139 	u_int32_t lastseq;                       /* used by sender/receiver */
140 	caddr_t __sized_by(wsize) bitmap;        /* used by receiver */
141 	int overflow;                            /* overflow flag */
142 };
143 
144 /* socket table due to send PF_KEY messages. */
145 struct secreg {
146 	LIST_ENTRY(secreg) chain;
147 
148 	struct socket *so;
149 };
150 
151 #ifndef IPSEC_NONBLOCK_ACQUIRE
152 /* acquiring list table. */
153 struct secacq {
154 	LIST_ENTRY(secacq) chain;
155 
156 	struct secasindex saidx;
157 
158 	u_int32_t seq;          /* sequence number */
159 	u_int64_t created;      /* for lifetime */
160 	int count;              /* for lifetime */
161 };
162 #endif
163 
164 /* Sensitivity Level Specification */
165 /* nothing */
166 
167 #define SADB_KILL_INTERVAL      600     /* six seconds */
168 
169 struct key_cb {
170 	int key_count;
171 	int any_count;
172 };
173 
174 /* secpolicy */
175 extern struct secpolicy *keydb_newsecpolicy(void);
176 extern void keydb_delsecpolicy(struct secpolicy *);
177 /* secashead */
178 extern struct secashead *keydb_newsecashead(void);
179 // extern void keydb_delsecashead(struct secashead *);	// not used
180 /* secasvar */
181 // extern struct secasvar *keydb_newsecasvar(void);		// not used
182 // extern void keydb_refsecasvar(struct secasvar *);	// not used
183 // extern void keydb_freesecasvar(struct secasvar *);	// not used
184 /* secreplay */
185 extern struct secreplay *keydb_newsecreplay(u_int8_t);
186 extern void keydb_delsecreplay(struct secreplay *);
187 /* secreg */
188 // extern struct secreg *keydb_newsecreg(void);			// not used
189 // extern void keydb_delsecreg(struct secreg *);		// not used
190 
191 #endif /* BSD_KERNEL_PRIVATE */
192 
193 #endif /* _NETKEY_KEYDB_H_ */
194