//==========================================================================
|
2 |
|
|
//
|
3 |
|
|
// include/netinet/ipsp.h
|
4 |
|
|
//
|
5 |
|
|
//
|
6 |
|
|
//
|
7 |
|
|
//==========================================================================
|
8 |
|
|
//####BSDCOPYRIGHTBEGIN####
|
9 |
|
|
//
|
10 |
|
|
// -------------------------------------------
|
11 |
|
|
//
|
12 |
|
|
// Portions of this software may have been derived from OpenBSD or other sources,
|
13 |
|
|
// and are covered by the appropriate copyright disclaimers included herein.
|
14 |
|
|
//
|
15 |
|
|
// -------------------------------------------
|
16 |
|
|
//
|
17 |
|
|
//####BSDCOPYRIGHTEND####
|
18 |
|
|
//==========================================================================
|
19 |
|
|
//#####DESCRIPTIONBEGIN####
|
20 |
|
|
//
|
21 |
|
|
// Author(s): gthomas
|
22 |
|
|
// Contributors: gthomas
|
23 |
|
|
// Date: 2000-01-10
|
24 |
|
|
// Purpose:
|
25 |
|
|
// Description:
|
26 |
|
|
//
|
27 |
|
|
//
|
28 |
|
|
//####DESCRIPTIONEND####
|
29 |
|
|
//
|
30 |
|
|
//==========================================================================
|
31 |
|
|
|
32 |
|
|
|
33 |
|
|
/* $OpenBSD: ip_ipsp.h,v 1.50 1999/12/08 12:10:25 angelos Exp $ */
|
34 |
|
|
|
35 |
|
|
/*
|
36 |
|
|
* The authors of this code are John Ioannidis (ji@tla.org),
|
37 |
|
|
* Angelos D. Keromytis (kermit@csd.uch.gr),
|
38 |
|
|
* Niels Provos (provos@physnet.uni-hamburg.de) and
|
39 |
|
|
* Niklas Hallqvist (niklas@appli.se).
|
40 |
|
|
*
|
41 |
|
|
* This code was written by John Ioannidis for BSD/OS in Athens, Greece,
|
42 |
|
|
* in November 1995.
|
43 |
|
|
*
|
44 |
|
|
* Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
|
45 |
|
|
* by Angelos D. Keromytis.
|
46 |
|
|
*
|
47 |
|
|
* Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
|
48 |
|
|
* and Niels Provos.
|
49 |
|
|
*
|
50 |
|
|
* Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
|
51 |
|
|
*
|
52 |
|
|
* Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
|
53 |
|
|
* Angelos D. Keromytis and Niels Provos.
|
54 |
|
|
* Copyright (c) 1999 Niklas Hallqvist.
|
55 |
|
|
*
|
56 |
|
|
* Permission to use, copy, and modify this software without fee
|
57 |
|
|
* is hereby granted, provided that this entire notice is included in
|
58 |
|
|
* all copies of any software which is or includes a copy or
|
59 |
|
|
* modification of this software.
|
60 |
|
|
* You may use this code under the GNU public license if you so wish. Please
|
61 |
|
|
* contribute changes back to the authors under this freer than GPL license
|
62 |
|
|
* so that we may further the use of strong encryption without limitations to
|
63 |
|
|
* all.
|
64 |
|
|
*
|
65 |
|
|
* THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
|
66 |
|
|
* IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
|
67 |
|
|
* REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
|
68 |
|
|
* MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
|
69 |
|
|
* PURPOSE.
|
70 |
|
|
*/
|
71 |
|
|
|
72 |
|
|
#ifndef _NETINET_IPSP_H_
|
73 |
|
|
#define _NETINET_IPSP_H_
|
74 |
|
|
|
75 |
|
|
/*
|
76 |
|
|
* IPSP global definitions.
|
77 |
|
|
*/
|
78 |
|
|
|
79 |
|
|
#include <sys/types.h>
|
80 |
|
|
#include <sys/queue.h>
|
81 |
|
|
#include <netinet/in.h>
|
82 |
|
|
#ifndef __ECOS
|
83 |
|
|
#include <sys/md5k.h>
|
84 |
|
|
#endif
|
85 |
|
|
#include <netinet/ip_sha1.h>
|
86 |
|
|
#include <netinet/ip_rmd160.h>
|
87 |
|
|
#include <netinet/ip_blf.h>
|
88 |
|
|
#include <netinet/ip_cast.h>
|
89 |
|
|
#include <netinet/ip_skipjack.h>
|
90 |
|
|
|
91 |
|
|
/*
 * Address container used throughout this header for SA endpoints and
 * flow selectors. Either the generic sockaddr, the IPv4 or the IPv6
 * form is active; sa.sa_family says which. The union is as large as
 * its largest member (sockaddr_in6 on typical systems).
 */
union sockaddr_union
{
	struct sockaddr sa;		/* generic view: sa_family / sa_len */
	struct sockaddr_in sin;		/* IPv4 endpoint */
	struct sockaddr_in6 sin6;	/* IPv6 endpoint */
};
|
97 |
|
|
|
98 |
|
|
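/* HMAC key sizes (bytes) -- each equals the digest size of the underlying hash */
#define MD5HMAC96_KEYSIZE 16
#define SHA1HMAC96_KEYSIZE 20
#define RIPEMD160HMAC96_KEYSIZE 20

/* IV lengths (bytes) */
#define ESP_DES_IVS 8
#define ESP_3DES_IVS 8
#define ESP_BLF_IVS 8
#define ESP_CAST_IVS 8
#define ESP_SKIPJACK_IVS 8
#define ESP_MAX_IVS 8 /* Keep updated: must be >= every ESP_*_IVS above */

/* Block sizes -- it is assumed that they're powers of 2 */
#define ESP_DES_BLKS 8
#define ESP_3DES_BLKS 8
#define ESP_BLF_BLKS 8
#define ESP_CAST_BLKS 8
#define ESP_SKIPJACK_BLKS 8
#define ESP_MAX_BLKS 8 /* Keep updated: must be >= every ESP_*_BLKS above */

#define AH_HMAC_HASHLEN 12 /* 96 bits of authenticator (truncated HMAC output) */
#define AH_HMAC_RPLENGTH 4 /* 32 bits of replay counter */
#define AH_HMAC_INITIAL_RPL 1 /* Replay counter initial value */

/*
 * HMAC definitions: the inner/outer pad bytes and the hash block length
 * (RFC 2104). HMAC_BLOCK_LEN is defined exactly once here; it is also the
 * size of hmac_ipad_buffer / hmac_opad_buffer declared under _KERNEL.
 */
#define HMAC_IPAD_VAL 0x36
#define HMAC_OPAD_VAL 0x5C
#define HMAC_BLOCK_LEN 64

/* Authenticator lengths (bytes; full, untruncated digest sizes) */
#define AH_MD5_ALEN 16
#define AH_SHA1_ALEN 20
#define AH_RMD160_ALEN 20
#define AH_ALEN_MAX 20 /* Keep updated: must be >= every AH_*_ALEN above */

/* Reserved SPI numbers: 0 is for local use only, 1..255 are reserved */
#define SPI_LOCAL_USE 0
#define SPI_RESERVED_MIN 1
#define SPI_RESERVED_MAX 255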
|
140 |
|
|
|
141 |
|
|
/*
 * Encapsulation "address": the key used for IPsec policy lookups in the
 * routing system (see the SENT_* comment below and struct route_enc).
 * The first three fields form a sockaddr-style header (SENT_HDRLEN);
 * sen_type selects which member of the Sen union is meaningful.
 *
 * Note that Data[16] does not span the whole union: Sip4 and Sipsp are
 * 16 bytes, but Sip6 (40 bytes) and Sipsp6 (28 bytes) are larger, so
 * the union is sized by Sip6.
 */
struct sockaddr_encap
{
	u_int8_t sen_len;		/* length */
	u_int8_t sen_family;		/* PF_KEY */
	u_int16_t sen_type;		/* see SENT_* */
	union
	{
		u_int8_t Data[16];	/* other stuff mapped here */

		struct			/* SENT_IP4 */
		{
			struct in_addr Src;
			struct in_addr Dst;
			u_int16_t Sport;
			u_int16_t Dport;
			u_int8_t Proto;
			u_int8_t Filler[3];	/* pads Sip4 to 16 bytes */
		} Sip4;

		struct			/* SENT_IP6 */
		{
			struct in6_addr Src;
			struct in6_addr Dst;
			u_int16_t Sport;
			u_int16_t Dport;
			u_int8_t Proto;
			u_int8_t Filler[3];	/* pads Sip6 to 40 bytes */
		} Sip6;

		struct			/* SENT_IPSP */
		{
			struct in_addr Dst;
			u_int32_t Spi;
			u_int8_t Sproto;	/* IPsec protocol */
			u_int8_t Filler[7];	/* pads Sipsp to 16 bytes */
		} Sipsp;

		struct			/* SENT_IPSP6 */
		{
			struct in6_addr Dst;
			u_int32_t Spi;
			u_int8_t Sproto;	/* IPsec protocol */
			u_int8_t Filler[7];	/* pads Sipsp6 to 28 bytes */
		} Sipsp6;
	} Sen;
};
|
187 |
|
|
|
188 |
|
|
#define sen_data Sen.Data
|
189 |
|
|
#define sen_ip_src Sen.Sip4.Src
|
190 |
|
|
#define sen_ip_dst Sen.Sip4.Dst
|
191 |
|
|
#define sen_proto Sen.Sip4.Proto
|
192 |
|
|
#define sen_sport Sen.Sip4.Sport
|
193 |
|
|
#define sen_dport Sen.Sip4.Dport
|
194 |
|
|
#define sen_ip6_src Sen.Sip6.Src
|
195 |
|
|
#define sen_ip6_dst Sen.Sip6.Dst
|
196 |
|
|
#define sen_ip6_proto Sen.Sip6.Proto
|
197 |
|
|
#define sen_ip6_sport Sen.Sip6.Sport
|
198 |
|
|
#define sen_ip6_dport Sen.Sip6.Dport
|
199 |
|
|
#define sen_ipsp_dst Sen.Sipsp.Dst
|
200 |
|
|
#define sen_ipsp_spi Sen.Sipsp.Spi
|
201 |
|
|
#define sen_ipsp_sproto Sen.Sipsp.Sproto
|
202 |
|
|
#define sen_ipsp6_dst Sen.Sipsp6.Dst
|
203 |
|
|
#define sen_ipsp6_spi Sen.Sipsp6.Spi
|
204 |
|
|
#define sen_ipsp6_sproto Sen.Sipsp6.Sproto
|
205 |
|
|
|
206 |
|
|
/*
|
207 |
|
|
* The "type" is really part of the address as far as the routing
|
208 |
|
|
* system is concerned. By using only one bit in the type field
|
209 |
|
|
* for each type, we sort-of make sure that different types of
|
210 |
|
|
* encapsulation addresses won't be matched against the wrong type.
|
211 |
|
|
*
|
212 |
|
|
*/
|
213 |
|
|
|
214 |
|
|
#define SENT_IP4 0x0001 /* data is two struct in_addr */
|
215 |
|
|
#define SENT_IPSP 0x0002 /* data as in IP4/6 plus SPI */
|
216 |
|
|
#define SENT_IP6 0x0004
|
217 |
|
|
#define SENT_IPSP6 0x0008
|
218 |
|
|
|
219 |
|
|
/*
 * SENT_HDRLEN is the length of the "header"
 * SENT_*_LEN are the lengths of various forms of sen_data
 * SENT_*_OFF are the offsets in the sen_data array of various fields
 */

/* sen_len + sen_family + sen_type of struct sockaddr_encap */
#define SENT_HDRLEN (2 * sizeof(u_int8_t) + sizeof(u_int16_t))

/* Src is at the start of Sip4; Dst follows immediately */
#define SENT_IP4_SRCOFF (0)
#define SENT_IP4_DSTOFF (sizeof (struct in_addr))

/* Src is at the start of Sip6; Dst follows immediately */
#define SENT_IP6_SRCOFF (0)
#define SENT_IP6_DSTOFF (sizeof (struct in6_addr))

/*
 * Hard-coded totals of SENT_HDRLEN (4) plus the matching Sen member,
 * assuming 4-byte in_addr, 16-byte in6_addr and no internal padding:
 *   SENT_IP4_LEN   = 4 + 16 (Sip4)
 *   SENT_IPSP_LEN  = 4 + 16 (Sipsp)
 *   SENT_IP6_LEN   = 4 + 40 (Sip6)
 *   SENT_IPSP6_LEN = 4 + 28 (Sipsp6)
 * Keep these in sync with struct sockaddr_encap if its layout changes.
 */
#define SENT_IP4_LEN 20
#define SENT_IPSP_LEN 20
#define SENT_IP6_LEN 44
#define SENT_IPSP6_LEN 32
|
237 |
|
|
|
238 |
|
|
#define NOTIFY_SOFT_EXPIRE 0 /* Soft expiration of SA */
|
239 |
|
|
#define NOTIFY_HARD_EXPIRE 1 /* Hard expiration of SA */
|
240 |
|
|
#define NOTIFY_REQUEST_SA 2 /* Establish an SA */
|
241 |
|
|
|
242 |
|
|
#define NOTIFY_SATYPE_CONF 1 /* SA should do encryption */
|
243 |
|
|
#define NOTIFY_SATYPE_AUTH 2 /* SA should do authentication */
|
244 |
|
|
#define NOTIFY_SATYPE_TUNNEL 4 /* SA should use tunneling */
|
245 |
|
|
|
246 |
|
|
/*
 * Encapsulation routes can be keyed not only on the destination
 * address but also on the protocol and on the source and destination
 * ports, when those are available.
 */
|
251 |
|
|
|
252 |
|
|
/*
 * Cached encapsulation route: the resolved routing entry together with
 * the struct sockaddr_encap key it was looked up with.
 */
struct route_enc {
	struct rtentry *re_rt;		/* resolved route, or NULL if not yet looked up -- presumably */
	struct sockaddr_encap re_dst;	/* lookup key (sen_type selects the form) */
};
|
256 |
|
|
|
257 |
|
|
/*
 * One traffic selector ("flow") attached to an SA: a source/destination
 * prefix pair (address plus netmask) and an optional transport protocol.
 * Flows form a doubly linked chain per SA, rooted at tdb_flow.
 */
struct flow
{
	struct flow *flow_next;			/* Next in flow chain */
	struct flow *flow_prev;			/* Previous in flow chain */
	struct tdb *flow_sa;			/* Pointer to the SA */
	union sockaddr_union flow_src;		/* Source address */
	union sockaddr_union flow_srcmask;	/* Source netmask */
	union sockaddr_union flow_dst;		/* Destination address */
	union sockaddr_union flow_dstmask;	/* Destination netmask */
	u_int8_t flow_proto;			/* Transport protocol, if applicable */
	u_int8_t foo[3];			/* Alignment */
};
|
269 |
|
|
|
270 |
|
|
/*
 * Tunnel descriptor block: the kernel's per-SA (security association)
 * state. An SA is identified by the (spi, dst, sproto) triple that
 * gettdb() and struct tdb_ident use. Fields fall into: chain links,
 * transform selection, expiration/lifetime bookkeeping, identity and
 * endpoints, key material, IV, replay state, and binding to flows and
 * sockets.
 *
 * Several members point at sensitive material (tdb_key, tdb_ictx,
 * tdb_octx, tdb_amxkey); the xform's xf_zeroize hook is the place where
 * that is expected to be wiped on teardown -- confirm in each xform.
 */
struct tdb /* tunnel descriptor block */
{
	struct tdb *tdb_hnext;		/* Next in hash chain */
	struct tdb *tdb_onext;		/* Next in output */
	struct tdb *tdb_inext;		/* Previous in output */

	struct xformsw *tdb_xform;		/* Transformation to use */
	struct enc_xform *tdb_encalgxform;	/* Encryption algorithm xform */
	struct auth_hash *tdb_authalgxform;	/* Authentication algorithm xform */

	/* Bits for tdb_flags. The *_SOFT_* variants warn before the hard limit. */
#define TDBF_UNIQUE 0x00001		/* This should not be used by others */
#define TDBF_TIMER 0x00002		/* Absolute expiration timer in use */
#define TDBF_BYTES 0x00004		/* Check the byte counters */
#define TDBF_ALLOCATIONS 0x00008	/* Check the flows counters */
#define TDBF_INVALID 0x00010		/* This SPI is not valid yet/anymore */
#define TDBF_FIRSTUSE 0x00020		/* Expire after first use */
#define TDBF_HALFIV 0x00040		/* Use half-length IV (ESP old only) */
#define TDBF_SOFT_TIMER 0x00080		/* Soft expiration */
#define TDBF_SOFT_BYTES 0x00100		/* Soft expiration */
#define TDBF_SOFT_ALLOCATIONS 0x00200	/* Soft expiration */
#define TDBF_SOFT_FIRSTUSE 0x00400	/* Soft expiration */
#define TDBF_PFS 0x00800		/* Ask for PFS from Key Mgmt. */
#define TDBF_TUNNELING 0x01000		/* Force IP-IP encapsulation */
	u_int32_t tdb_flags;		/* Flags related to this TDB */

	TAILQ_ENTRY(tdb) tdb_expnext;	/* Expiration cluster list link */
	TAILQ_ENTRY(tdb) tdb_explink;	/* Expiration ordered list link */

	/* Lifetime in flows (checked when TDBF_ALLOCATIONS is set) */
	u_int32_t tdb_exp_allocations;	/* Expire after so many flows */
	u_int32_t tdb_soft_allocations;	/* Expiration warning */
	u_int32_t tdb_cur_allocations;	/* Total number of allocations */

	/* Lifetime in bytes (checked when TDBF_BYTES is set) */
	u_int64_t tdb_exp_bytes;	/* Expire after so many bytes passed */
	u_int64_t tdb_soft_bytes;	/* Expiration warning */
	u_int64_t tdb_cur_bytes;	/* Current count of bytes */

	/* Lifetime in time (TDBF_TIMER / TDBF_SOFT_TIMER) */
	u_int64_t tdb_exp_timeout;	/* When does the SPI expire */
	u_int64_t tdb_soft_timeout;	/* Send a soft-expire warning */
	u_int64_t tdb_established;	/* When was the SPI established */
	u_int64_t tdb_timeout;		/* Next absolute expiration time. */

	/* Lifetime measured from first use (TDBF_FIRSTUSE / TDBF_SOFT_FIRSTUSE) */
	u_int64_t tdb_first_use;	/* When was it first used */
	u_int64_t tdb_soft_first_use;	/* Soft warning */
	u_int64_t tdb_exp_first_use;	/* Expire if tdb_first_use +
					 * tdb_exp_first_use <= curtime */

	u_int32_t tdb_spi;		/* SPI */
	u_int16_t tdb_amxkeylen;	/* AH-old only */
	u_int16_t tdb_ivlen;		/* IV length; must not exceed sizeof tdb_iv (8) */
	u_int8_t tdb_sproto;		/* IPsec protocol */
	u_int8_t tdb_wnd;		/* Replay window */
	u_int8_t tdb_satype;		/* SA type (RFC2367, PF_KEY) */
	u_int8_t tdb_FILLER;		/* Padding */

	union sockaddr_union tdb_dst;	/* Destination address for this SA */
	union sockaddr_union tdb_src;	/* Source address for this SA */
	union sockaddr_union tdb_proxy;	/* proxy address (tunnel-mode endpoint, presumably) */

	u_int8_t *tdb_key;		/* Key material (schedules) */
	u_int8_t *tdb_ictx;		/* Authentication contexts */
	u_int8_t *tdb_octx;		/* (inner / outer HMAC contexts -- presumably) */
	u_int8_t *tdb_srcid;		/* Source ID for this SA */
	u_int8_t *tdb_dstid;		/* Destination ID for this SA */
	u_int8_t *tdb_amxkey;		/* AH-old only */

	/*
	 * IV storage. Iv is only ESP_3DES_IVS (8) bytes, which also equals
	 * ESP_MAX_IVS; anything that copies tdb_ivlen bytes into tdb_iv
	 * relies on tdb_ivlen <= 8.
	 */
	union
	{
		u_int8_t Iv[ESP_3DES_IVS];	/* That's enough space */
		u_int32_t Ivl;			/* Make sure this is 4 bytes */
		u_int64_t Ivq;			/* Make sure this is 8 bytes! */
	}IV;
#define tdb_iv IV.Iv
#define tdb_ivl IV.Ivl
#define tdb_ivq IV.Ivq

	/*
	 * Anti-replay state. tdb_bitmap is 32 bits wide, so the sliding
	 * window (cf. checkreplaywindow32) presumably covers at most 32
	 * sequence numbers regardless of tdb_wnd -- confirm in the caller.
	 */
	u_int32_t tdb_rpl;		/* Replay counter */
	u_int32_t tdb_bitmap;		/* Used for replay sliding window */
	u_int32_t tdb_initial;		/* Initial replay value */

	u_int32_t tdb_epoch;		/* Used by the kernfs interface */
	u_int16_t tdb_srcid_len;	/* length of tdb_srcid */
	u_int16_t tdb_dstid_len;	/* length of tdb_dstid */
	u_int16_t tdb_srcid_type;	/* identity type of tdb_srcid */
	u_int16_t tdb_dstid_type;	/* identity type of tdb_dstid */

	caddr_t tdb_interface;		/* associated interface (opaque here) */
	struct flow *tdb_flow;		/* Which flows use this SA */

	struct tdb *tdb_bind_out;	/* Outgoing SA to use */
	TAILQ_HEAD(tdb_bind_head, tdb) tdb_bind_in;	/* incoming SAs bound to this one */
	TAILQ_ENTRY(tdb) tdb_bind_in_next;	/* Refering Incoming SAs */
	TAILQ_HEAD(tdb_inp_head, inpcb) tdb_inp;	/* sockets using this SA (see tdb_add_inp) */
};
|
363 |
|
|
|
364 |
|
|
#ifndef __ECOS
|
365 |
|
|
/*
 * Hash contexts for the pre-HMAC authenticators (presumably the
 * XF_OLD_* transforms); sized by the larger member.
 */
union authctx_old {
	MD5_CTX md5ctx;
	SHA1_CTX sha1ctx;
};
|
369 |
|
|
|
370 |
|
|
/*
 * Hash contexts for the HMAC authenticators. This is the concrete
 * storage behind the opaque void * taken by struct auth_hash's
 * Init/Update/Final callbacks; sized by the largest member.
 */
union authctx {
	MD5_CTX md5ctx;
	SHA1_CTX sha1ctx;
	RMD160_CTX rmd160ctx;
};
|
375 |
|
|
#endif
|
376 |
|
|
|
377 |
|
|
/*
 * Identity of an SA: the (spi, dst, proto) triple that gettdb() takes
 * to look up a struct tdb.
 */
struct tdb_ident {
	u_int32_t spi;			/* security parameter index */
	union sockaddr_union dst;	/* destination address of the SA */
	u_int8_t proto;			/* IPsec protocol (cf. tdb_sproto) */
};
|
382 |
|
|
|
383 |
|
|
/*
 * Descriptor for one authentication hash algorithm. The callbacks work
 * on an opaque context of ctxsize bytes (see union authctx); keysize
 * and hashsize are in bytes (cf. *HMAC96_KEYSIZE and AH_*_ALEN).
 */
struct auth_hash {
	int type;			/* algorithm identifier */
	char *name;			/* human-readable name */
	u_int16_t keysize;		/* key length in bytes */
	u_int16_t hashsize;		/* digest length in bytes */
	u_int16_t ctxsize;		/* size of the context handed to the callbacks */
	void (*Init)(void *);		/* reset a context */
	/* The length is u_int16_t: one Update call covers at most 65535 bytes. */
	void (*Update)(void *, u_int8_t *, u_int16_t);
	void (*Final)(u_int8_t *, void *);	/* write the digest (hashsize bytes, presumably) */
};
|
393 |
|
|
|
394 |
|
|
/*
 * Descriptor for one ESP encryption algorithm. blocksize/ivsize
 * correspond to the ESP_*_BLKS / ESP_*_IVS constants above.
 */
struct enc_xform {
	int type;			/* algorithm identifier */
	char *name;			/* human-readable name */
	u_int16_t blocksize, ivsize;	/* cipher block and IV length in bytes */
	u_int16_t minkey, maxkey;	/* accepted key length range (bytes, presumably) */
	u_int32_t ivmask;		/* Or all possible modes, zero iv = 1 */
	void (*encrypt)(struct tdb *, u_int8_t *);	/* one block, using the SA's key material */
	void (*decrypt)(struct tdb *, u_int8_t *);
	/* setkey builds a key schedule from len raw key bytes into *first arg
	 * (presumably allocating it); zerokey releases/clears what setkey set up. */
	void (*setkey)(u_int8_t **, u_int8_t *, int len);
	void (*zerokey)(u_int8_t **);
};
|
405 |
|
|
|
406 |
|
|
/*
 * Key material handed to an xform's xf_init: raw encryption and
 * authentication keys, their lengths, and the algorithm identifiers.
 * Ownership of the key buffers is not stated here -- confirm against
 * the callers of xf_init / tdb_init.
 */
struct ipsecinit
{
	u_int8_t *ii_enckey;		/* encryption key bytes */
	u_int8_t *ii_authkey;		/* authentication key bytes */
	u_int16_t ii_enckeylen;		/* length of ii_enckey in bytes */
	u_int16_t ii_authkeylen;	/* length of ii_authkey in bytes */
	u_int8_t ii_encalg;		/* encryption algorithm identifier */
	u_int8_t ii_authalg;		/* authentication algorithm identifier */
};
|
415 |
|
|
|
416 |
|
|
/*
 * Transform switch entry: the entry points of one IPsec transform.
 * xf_type is one of the XF_* IDs and xf_flags a mask of XFT_* bits
 * (both defined below). The kernel table is xformsw[], declared under
 * _KERNEL further down.
 */
struct xformsw
{
	u_short xf_type;		/* Unique ID of xform */
	u_short xf_flags;		/* flags (see below) */
	char *xf_name;			/* human-readable name */
	int (*xf_attach)(void);		/* called at config time */
	int (*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *);	/* set up an SA from key material */
	int (*xf_zeroize)(struct tdb *);	/* termination: release per-SA state, including key material */
	struct mbuf *(*xf_input)(struct mbuf *, struct tdb *, int, int);	/* input */
	int (*xf_output)(struct mbuf *, struct tdb *, struct mbuf **, int, int);	/* output */
};
|
427 |
|
|
|
428 |
|
|
/* xform IDs (values of xformsw.xf_type) */
#define XF_IP4 1 /* IP inside IP */
#define XF_OLD_AH 2 /* RFCs 1828 & 1852 */
#define XF_OLD_ESP 3 /* RFCs 1829 & 1851 */
#define XF_NEW_AH 4 /* AH HMAC 96bits */
#define XF_NEW_ESP 5 /* ESP + auth 96bits + replay counter */
/* NOTE(review): the TCP MD5 Signature option is RFC 2385; "2358" below looks like a typo. */
#define XF_TCPSIGNATURE 6 /* TCP MD5 Signature option, RFC 2358 */

/* xform attributes (bits of xformsw.xf_flags) */
#define XFT_AUTH 0x0001		/* transform provides authentication */
#define XFT_CONF 0x0100		/* transform provides confidentiality */

#define IPSEC_ZEROES_SIZE 256 /* Larger than an IP6 extension hdr. */
#define IPSEC_KERNFS_BUFSIZE 4096
|
442 |
|
|
|
443 |
|
|
#if BYTE_ORDER == LITTLE_ENDIAN
|
444 |
|
|
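/*
 * Host-to-network byte order for a 64-bit quantity. This definition is
 * only compiled on little-endian hosts (it sits under
 * BYTE_ORDER == LITTLE_ENDIAN; big-endian hosts get an identity macro).
 *
 * q: 64-bit value in host order.
 * Returns the full 8-byte network-order representation: the two 32-bit
 * halves are swapped and each is passed through htonl().
 */
static __inline u_int64_t
htonq(u_int64_t q)
{
	/* Split into halves; htonl() fixes the byte order inside each one. */
	u_int32_t hi = (u_int32_t)(q >> 32);
	u_int32_t lo = (u_int32_t)q;

	/* The former high half becomes the low word of the result, and vice versa. */
	return htonl(hi) | ((u_int64_t)htonl(lo) << 32);
}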
|
453 |
|
|
|
454 |
|
|
#define ntohq(_x) htonq(_x)
|
455 |
|
|
|
456 |
|
|
#elif BYTE_ORDER == BIG_ENDIAN
|
457 |
|
|
|
458 |
|
|
#define htonq(_x) (_x)
|
459 |
|
|
#define ntohq(_x) htonq(_x)
|
460 |
|
|
|
461 |
|
|
#else
|
462 |
|
|
#error "Please fix <machine/endian.h>"
|
463 |
|
|
#endif
|
464 |
|
|
|
465 |
|
|
#ifdef _KERNEL
|
466 |
|
|
|
467 |
|
|
/*
|
468 |
|
|
* Protects all tdb lists.
|
469 |
|
|
* Must at least be splsoftnet (note: do not use splsoftclock as it is
|
470 |
|
|
* special on some architectures, assuming it is always an spl lowering
|
471 |
|
|
* operation).
|
472 |
|
|
*/
|
473 |
|
|
#define spltdb splsoftnet
|
474 |
|
|
|
475 |
|
|
extern int encdebug;
|
476 |
|
|
extern int ipsec_in_use;
|
477 |
|
|
extern u_int8_t hmac_ipad_buffer[64];
|
478 |
|
|
extern u_int8_t hmac_opad_buffer[64];
|
479 |
|
|
|
480 |
|
|
extern TAILQ_HEAD(expclusterlist_head, tdb) expclusterlist;
|
481 |
|
|
extern TAILQ_HEAD(explist_head, tdb) explist;
|
482 |
|
|
extern struct xformsw xformsw[], *xformswNXFORMSW;
|
483 |
|
|
|
484 |
|
|
/*
 * Check if a given tdb has encryption, authentication and/or tunneling.
 *
 * NOTE(review): the macro only tests tdb_encalgxform and tdb_authalgxform,
 * so it yields NOTIFY_SATYPE_CONF and/or NOTIFY_SATYPE_AUTH; it never
 * reports NOTIFY_SATYPE_TUNNEL (TDBF_TUNNELING is not consulted here).
 */
#define TDB_ATTRIB(x) (((x)->tdb_encalgxform ? NOTIFY_SATYPE_CONF : 0)| \
		       ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0))
|
487 |
|
|
|
488 |
|
|
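/*
 * Traverse spi chain and get attributes.
 *
 * Starting at TDBP, follow the TDB_DIR member (e.g. tdb_onext or
 * tdb_inext) and OR the TDB_ATTRIB() bits of every SA visited into
 * `have`. The walk stops at the first SA that has no xform or that is
 * flagged TDBF_INVALID. Runs at spltdb(); `have` is reset to 0 first.
 * The loop condition already guarantees tmptdb is non-NULL, so only
 * the validity flag is checked inside the body.
 */
#define SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) do {\
	int s = spltdb(); \
	struct tdb *tmptdb = (TDBP); \
	\
	(have) = 0; \
	while (tmptdb && tmptdb->tdb_xform) { \
		if (tmptdb->tdb_flags & TDBF_INVALID) \
			break; \
		(have) |= TDB_ATTRIB(tmptdb); \
		tmptdb = tmptdb->TDB_DIR; \
	} \
	splx(s); \
} while (0)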
|
503 |
|
|
|
504 |
|
|
/* Misc. */
|
505 |
|
|
extern char *inet_ntoa4(struct in_addr);
|
506 |
|
|
|
507 |
|
|
#ifdef INET6
|
508 |
|
|
extern char *inet6_ntoa4(struct in6_addr);
|
509 |
|
|
#endif /* INET6 */
|
510 |
|
|
|
511 |
|
|
extern char *ipsp_address(union sockaddr_union);
|
512 |
|
|
|
513 |
|
|
/* TDB management routines */
|
514 |
|
|
extern void tdb_add_inp(struct tdb *tdb, struct inpcb *inp);
|
515 |
|
|
extern u_int32_t reserve_spi(u_int32_t, u_int32_t, union sockaddr_union *,
|
516 |
|
|
union sockaddr_union *, u_int8_t, int *);
|
517 |
|
|
extern struct tdb *gettdb(u_int32_t, union sockaddr_union *, u_int8_t);
|
518 |
|
|
extern void puttdb(struct tdb *);
|
519 |
|
|
extern void tdb_delete(struct tdb *, int, int);
|
520 |
|
|
extern int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
|
521 |
|
|
extern void tdb_expiration(struct tdb *, int);
|
522 |
|
|
/* Flag values for the last argument of tdb_expiration(). */
|
523 |
|
|
#define TDBEXP_EARLY 1 /* The tdb is likely to end up early. */
|
524 |
|
|
#define TDBEXP_TIMEOUT 2 /* Maintain expiration timeout. */
|
525 |
|
|
extern int tdb_walk(int (*)(struct tdb *, void *), void *);
|
526 |
|
|
extern void handle_expirations(void *);
|
527 |
|
|
|
528 |
|
|
/* Flow management routines */
|
529 |
|
|
extern struct flow *get_flow(void);
|
530 |
|
|
extern void put_flow(struct flow *, struct tdb *);
|
531 |
|
|
extern void delete_flow(struct flow *, struct tdb *);
|
532 |
|
|
extern struct flow *find_flow(union sockaddr_union *, union sockaddr_union *,
|
533 |
|
|
union sockaddr_union *, union sockaddr_union *,
|
534 |
|
|
u_int8_t, struct tdb *);
|
535 |
|
|
extern struct flow *find_global_flow(union sockaddr_union *,
|
536 |
|
|
union sockaddr_union *,
|
537 |
|
|
union sockaddr_union *,
|
538 |
|
|
union sockaddr_union *, u_int8_t);
|
539 |
|
|
|
540 |
|
|
/* XF_IP4 */
|
541 |
|
|
extern int ipe4_attach(void);
|
542 |
|
|
extern int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
|
543 |
|
|
extern int ipe4_zeroize(struct tdb *);
|
544 |
|
|
extern int ipe4_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
|
545 |
|
|
extern void ipe4_input __P((struct mbuf *, ...));
|
546 |
|
|
extern void ip4_input __P((struct mbuf *, ...));
|
547 |
|
|
|
548 |
|
|
/* XF_ETHERIP */
|
549 |
|
|
extern int etherip_output(struct mbuf *, struct tdb *, struct mbuf **,
|
550 |
|
|
int, int);
|
551 |
|
|
extern void etherip_input __P((struct mbuf *, ...));
|
552 |
|
|
|
553 |
|
|
/* XF_OLD_AH */
|
554 |
|
|
extern int ah_old_attach(void);
|
555 |
|
|
extern int ah_old_init(struct tdb *, struct xformsw *, struct ipsecinit *);
|
556 |
|
|
extern int ah_old_zeroize(struct tdb *);
|
557 |
|
|
extern int ah_old_output(struct mbuf *, struct tdb *, struct mbuf **,
|
558 |
|
|
int, int);
|
559 |
|
|
extern struct mbuf *ah_old_input(struct mbuf *, struct tdb *, int, int);
|
560 |
|
|
|
561 |
|
|
/* XF_NEW_AH */
|
562 |
|
|
extern int ah_new_attach(void);
|
563 |
|
|
extern int ah_new_init(struct tdb *, struct xformsw *, struct ipsecinit *);
|
564 |
|
|
extern int ah_new_zeroize(struct tdb *);
|
565 |
|
|
extern int ah_new_output(struct mbuf *, struct tdb *, struct mbuf **,
|
566 |
|
|
int, int);
|
567 |
|
|
extern struct mbuf *ah_new_input(struct mbuf *, struct tdb *, int, int);
|
568 |
|
|
|
569 |
|
|
/* XF_OLD_ESP */
|
570 |
|
|
extern int esp_old_attach(void);
|
571 |
|
|
extern int esp_old_init(struct tdb *, struct xformsw *, struct ipsecinit *);
|
572 |
|
|
extern int esp_old_zeroize(struct tdb *);
|
573 |
|
|
extern int esp_old_output(struct mbuf *, struct tdb *, struct mbuf **,
|
574 |
|
|
int, int);
|
575 |
|
|
extern struct mbuf *esp_old_input(struct mbuf *, struct tdb *, int, int);
|
576 |
|
|
|
577 |
|
|
/* XF_NEW_ESP */
|
578 |
|
|
extern int esp_new_attach(void);
|
579 |
|
|
extern int esp_new_init(struct tdb *, struct xformsw *, struct ipsecinit *);
|
580 |
|
|
extern int esp_new_zeroize(struct tdb *);
|
581 |
|
|
extern int esp_new_output(struct mbuf *, struct tdb *, struct mbuf **,
|
582 |
|
|
int, int);
|
583 |
|
|
extern struct mbuf *esp_new_input(struct mbuf *, struct tdb *, int, int);
|
584 |
|
|
|
585 |
|
|
/* XF_TCPSIGNATURE */
|
586 |
|
|
extern int tcp_signature_tdb_attach __P((void));
|
587 |
|
|
extern int tcp_signature_tdb_init __P((struct tdb *, struct xformsw *,
|
588 |
|
|
struct ipsecinit *));
|
589 |
|
|
extern int tcp_signature_tdb_zeroize __P((struct tdb *));
|
590 |
|
|
extern struct mbuf *tcp_signature_tdb_input __P((struct mbuf *, struct tdb *));
|
591 |
|
|
extern int tcp_signature_tdb_output __P((struct mbuf *, struct tdb *,
|
592 |
|
|
struct mbuf **));
|
593 |
|
|
|
594 |
|
|
/* Padding */
|
595 |
|
|
extern caddr_t m_pad(struct mbuf *, int, int);
|
596 |
|
|
|
597 |
|
|
/* Replay window */
|
598 |
|
|
extern int checkreplaywindow32(u_int32_t, u_int32_t, u_int32_t *, u_int32_t,
|
599 |
|
|
u_int32_t *);
|
600 |
|
|
|
601 |
|
|
extern unsigned char ipseczeroes[];
|
602 |
|
|
#endif /* _KERNEL */
|
603 |
|
|
#endif /* _NETINET_IPSP_H_ */
|