* @(#) Definitions of IPsec Security Association (ipsec_sa)
* Copyright (C) 2001, 2002, 2003
* Richard Guy Briggs <rgb@freeswan.org>
* and Michael Richardson <mcr@freeswan.org>
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* RCSID $Id: ipsec_sa.h,v 1.21 2004/08/20 21:45:37 mcr Exp $
* This file was derived from ipsec_xform.h on 2001/9/18 by mcr.
* This file describes the IPsec Security Association Structure.
* This structure keeps track of a single transform that may be done
* to a set of packets. It can describe applying the transform or
* apply the reverse. (e.g. compression vs expansion). However, it
* only describes one at a time. To describe both, two structures would
* be used, but since the sides of the transform are performed
* on different machines typically it is usual to have only one side
* of each association.
#include "ipsec_stats.h"
#include "ipsec_life.h"
#include "ipsec_eroute.h"
#endif /* __KERNEL__ */
#include "ipsec_param.h"
/* SAs are held in a table.
* Entries in this table are referenced by IPsecSAref_t values.
* IPsecSAref_t values are conceptually subscripts. Because
* we want to allocate the table piece-meal, the subscripting
* is implemented with two levels, a bit like paged virtual memory.
* This representation mechanism is known as an Iliffe Vector.
* The Main table (AKA the refTable) consists of 2^IPSEC_SA_REF_MAINTABLE_IDX_WIDTH
* pointers to subtables.
* Each subtable has 2^IPSEC_SA_REF_SUBTABLE_IDX_WIDTH entries, each of which
* is a pointer to an SA.
* An IPsecSAref_t contains either an exceptional value (signified by the
* high-order bit being on) or a reference to a table entry. A table entry
* reference has the subtable subscript in the low-order
* IPSEC_SA_REF_SUBTABLE_IDX_WIDTH bits and the Main table subscript
* in the next lowest IPSEC_SA_REF_MAINTABLE_IDX_WIDTH bits.
* The Maintable entry for an IPsecSAref_t x, a pointer to its subtable, is
* IPsecSAref2table(x). It is of type struct IPsecSArefSubTable *.
* The pointer to the SA for x is IPsecSAref2SA(x). It is of type
* struct ipsec_sa*. The macro definition clearly shows the two-level
* access needed to find the SA pointer.
* The Maintable is allocated when IPsec is initialized.
* Each subtable is allocated when needed, but the first is allocated
* when IPsec is initialized.
* IPsecSAref_t is designed to be smaller than an NFmark so that
* they can be stored in NFmarks and still leave a few bits for other
* purposes. The spare bits are in the low order of the NFmark
* but in the high order of the IPsecSAref_t, so conversion is required.
* We pick the upper bits of NFmark on the theory that they are less likely to
* interfere with more pedestrian uses of nfmark.
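/* Counter of unused entries in one subtable (added per the 1.12 log entry
 * below).  NOTE(review): a 16-bit count only suffices while
 * IPSEC_SA_REF_SUBTABLE_IDX_WIDTH <= 16 -- confirm the widths set in
 * ipsec_param.h. */
typedef unsigned short int IPsecRefTableUnusedCount;

/* Total number of SA references addressable by one IPsecSAref_t. */
#define IPSEC_SA_REF_TABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH)

/* After the IPSEC_SA_REF_MAINTABLE_IDX_WIDTH main-table bits are taken out,
 * at least one bit must remain for the subtable subscript, i.e.
 * IPSEC_SA_REF_TABLE_IDX_WIDTH >= 1 + IPSEC_SA_REF_MAINTABLE_IDX_WIDTH.
 * The test below rejects anything smaller, so the message states ">=". */
#if ((IPSEC_SA_REF_TABLE_IDX_WIDTH - (1 + IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) < 0)
#error "IPSEC_SA_REF_TABLE_IDX_WIDTH MUST be >= 1 + IPSEC_SA_REF_MAINTABLE_IDX_WIDTH"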
/* Number of low-order bits of an IPsecSAref_t that subscript a subtable; the
 * IPSEC_SA_REF_MAINTABLE_IDX_WIDTH bits above them subscript the main table
 * (see the layout description above).  Must be at least 1. */
#define IPSEC_SA_REF_SUBTABLE_IDX_WIDTH (IPSEC_SA_REF_TABLE_IDX_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)

/* Entry counts of the main table and of each subtable, 2^width each. */
#define IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)
#define IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)

/* The host field an SAref travels in: the netfilter mark of an sk_buff.
 * IPSEC_SA_REF_HOST_FIELD(x) is an lvalue; x is cast to struct sk_buff *
 * without any type check, so only ever pass a real sk_buff pointer. */
#ifdef CONFIG_NETFILTER
#define IPSEC_SA_REF_HOST_FIELD(x) ((struct sk_buff*)(x))->nfmark
/* typeof() does not evaluate its operand, so NULL is never dereferenced. */
#define IPSEC_SA_REF_HOST_FIELD_TYPE typeof(IPSEC_SA_REF_HOST_FIELD(NULL))
#else /* CONFIG_NETFILTER */
/* Without netfilter there is no nfmark to carry the SAref in; only the type
 * is defined so that the width macro below still compiles (the 1.9 log
 * entry: functionality is lost, but it builds). */
#define IPSEC_SA_REF_HOST_FIELD_TYPE unsigned long
#endif /* CONFIG_NETFILTER */
/* Widths in bits of the host field and of an IPsecSAref_t. */
#define IPSEC_SA_REF_HOST_FIELD_WIDTH (8 * sizeof(IPSEC_SA_REF_HOST_FIELD_TYPE))
#define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t))

/* Bit masks over an IPsecSAref_t, made by shifting IPSEC_SAREF_NULL right.
 * NOTE(review): this only yields the intended contiguous masks if
 * IPSEC_SAREF_NULL is the all-ones value of IPsecSAref_t (both come from
 * freeswan.h per the 1.15 log entry) -- confirm there.
 *   IPSEC_SA_REF_MASK       all IPSEC_SA_REF_TABLE_IDX_WIDTH reference bits
 *   IPSEC_SA_REF_TABLE_MASK the main-table subscript bits
 *   IPSEC_SA_REF_ENTRY_MASK the subtable subscript bits */
#define IPSEC_SA_REF_MASK (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
#define IPSEC_SA_REF_TABLE_MASK ((IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
#define IPSEC_SA_REF_ENTRY_MASK (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_SUBTABLE_IDX_WIDTH))

/* Split an SAref into its two subscripts.  IPsecSAref2table(x) is the
 * main-table *index* (not the subtable pointer the description above still
 * calls it); the pointer is ipsec_sadb.refTable[IPsecSAref2table(x)]. */
#define IPsecSAref2table(x) (((x) & IPSEC_SA_REF_TABLE_MASK) >> IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
#define IPsecSAref2entry(x) ((x) & IPSEC_SA_REF_ENTRY_MASK)
/* Rebuild an SAref from (table, entry).  Neither argument is masked, so an
 * out-of-range entry value would carry into the table bits. */
#define IPsecSArefBuild(x,y) (((x) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH) + (y))

/* Two-level lookup from an SAref to its SA pointer.  Nothing here checks
 * that x is not an exceptional value (high-order bit set) or that the
 * subtable has been allocated yet (subtables are allocated on demand); a
 * NULL refTable slot would be dereferenced, so callers must validate x
 * before using this. */
#define IPsecSAref2SA(x) (ipsec_sadb.refTable[IPsecSAref2table(x)]->entry[IPsecSAref2entry(x)])
/* The reverse mapping: the SA's own reference, kept in its ips_ref field. */
#define IPsecSA2SAref(x) ((x)->ips_ref)

#define EMT_INBOUND 0x01 /* SA direction, 1=inbound */
/* 'struct ipsec_sa' should be 64bit aligned when allocated. */
IPsecSAref_t ips_ref; /* reference table entry number */
atomic_t ips_refcount; /* reference count for this struct */
struct ipsec_sa *ips_hnext; /* next in hash chain */
struct ipsec_sa *ips_inext; /* pointer to next xform */
struct ipsec_sa *ips_onext; /* pointer to prev xform */
struct ifnet *ips_rcvif; /* related rcv encap interface */
ip_said ips_said; /* SA ID */
__u32 ips_seq; /* seq num of msg that initiated this SA */
__u32 ips_pid; /* PID of process that initiated this SA */
__u8 ips_authalg; /* auth algorithm for this SA */
__u8 ips_encalg; /* enc algorithm for this SA */
struct ipsec_stats ips_errs;
__u8 ips_replaywin; /* replay window size */
__u8 ips_state; /* state of SA */
__u32 ips_replaywin_lastseq; /* last pkt sequence num */
__u64 ips_replaywin_bitmap; /* bitmap of received pkts */
__u32 ips_replaywin_maxdiff; /* max pkt sequence difference */
__u32 ips_flags; /* generic xform flags */
struct ipsec_lifetimes ips_life; /* lifetime records */
/* selector information */
__u8 ips_transport_protocol; /* protocol for this SA, if ports are involved */
struct sockaddr*ips_addr_s; /* src sockaddr */
struct sockaddr*ips_addr_d; /* dst sockaddr */
struct sockaddr*ips_addr_p; /* proxy sockaddr */
__u16 ips_addr_s_size;
__u16 ips_addr_d_size;
__u16 ips_addr_p_size;
ip_address ips_flow_s;
ip_address ips_flow_d;
ip_address ips_mask_s;
ip_address ips_mask_d;
__u16 ips_key_bits_a; /* size of authkey in bits */
__u16 ips_auth_bits; /* size of authenticator in bits */
__u16 ips_key_bits_e; /* size of enckey in bits */
__u16 ips_iv_bits; /* size of IV in bits */
__u16 ips_key_a_size;
__u16 ips_key_e_size;
caddr_t ips_key_a; /* authentication key */
caddr_t ips_key_e; /* encryption key */
caddr_t ips_iv; /* Initialisation Vector */
struct ident ips_ident_s; /* identity src */
struct ident ips_ident_d; /* identity dst */
#ifdef CONFIG_KLIPS_IPCOMP
__u16 ips_comp_adapt_tries; /* ipcomp self-adaption tries */
__u16 ips_comp_adapt_skip; /* ipcomp self-adaption to-skip */
__u64 ips_comp_ratio_cbytes; /* compressed bytes */
__u64 ips_comp_ratio_dbytes; /* decompressed (or uncompressed) bytes */
#endif /* CONFIG_KLIPS_IPCOMP */
#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
__u8 ips_natt_reserved[3];
__u16 ips_natt_sport;
__u16 ips_natt_dport;
struct sockaddr *ips_natt_oa;
__u16 ips_natt_oa_size;
__u16 ips_natt_reserved2;
__u8 ips_sens_sens_level;
__u8 ips_sens_sens_len;
__u64* ips_sens_sens_bitmap;
__u8 ips_sens_integ_level;
__u8 ips_sens_integ_len;
__u64* ips_sens_integ_bitmap;
struct ipsec_alg_enc *ips_alg_enc;
struct ipsec_alg_auth *ips_alg_auth;
IPsecSAref_t ips_ref_rel;
struct IPsecSArefSubTable
struct ipsec_sa* entry[IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES];
struct IPsecSArefSubTable* refTable[IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES];
IPsecSAref_t refFreeList[IPSEC_SA_REF_FREELIST_NUM_ENTRIES];
IPsecSAref_t refFreeListCont;
IPsecSAref_t said_hash[SADB_HASHMOD];
spinlock_t sadb_lock;
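/* The single global SA database: the reference table, its free list, the
 * said hash and a spinlock (see struct ipsec_sadb above).  Defined in a .c
 * file, presumably ipsec_sa.c. */
extern struct ipsec_sadb ipsec_sadb;

/* SAref table management.
 * NOTE(review): the int results are status codes defined by the
 * implementation, not documented here -- check ipsec_sa.c before assuming
 * 0 means success. */
extern int ipsec_SAref_recycle(void);
extern int ipsec_SArefSubTable_alloc(unsigned table); /* presumably a main-table subscript */
extern int ipsec_saref_freelist_init(void);
extern int ipsec_sadb_init(void);

/* Allocation.  Each takes an int by pointer through which an error code is
 * reported to the caller, in addition to the returned object/reference. */
extern struct ipsec_sa *ipsec_sa_alloc(int *error);
extern IPsecSAref_t ipsec_SAref_alloc(int *error);

/* SA lifetime and hash-chain membership.
 * NOTE(review): ips_refcount is an atomic_t, which suggests ipsec_sa_put drops
 * a reference and ipsec_sa_free releases the object; ipsec_sa_wipe looks like
 * the place where ips_key_a / ips_key_e / ips_iv should be cleared before the
 * memory is released -- confirm in ipsec_sa.c. */
extern int ipsec_sa_free(struct ipsec_sa *ips);
extern int ipsec_sa_put(struct ipsec_sa *ips);
extern int ipsec_sa_add(struct ipsec_sa *ips);
extern int ipsec_sa_del(struct ipsec_sa *ips);
extern int ipsec_sa_delchain(struct ipsec_sa *ips);
/* Database-wide operations; ipsec_sadb_cleanup takes an IPsec protocol number. */
extern int ipsec_sadb_cleanup(__u8 proto);
extern int ipsec_sadb_free(void);
extern int ipsec_sa_wipe(struct ipsec_sa *ips);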
#endif /* __KERNEL__ */
enum ipsec_direction {
#endif /* _IPSEC_SA_H_ */
* $Log: ipsec_sa.h,v $
* Revision 1.21 2004/08/20 21:45:37 mcr
* CONFIG_KLIPS_NAT_TRAVERSAL is not used in an attempt to
* be 26sec compatible. But, some defines where changed.
* Revision 1.20 2004/07/10 19:08:41 mcr
* CONFIG_IPSEC -> CONFIG_KLIPS.
* Revision 1.19 2004/04/05 19:55:06 mcr
* Moved from linux/include/freeswan/ipsec_sa.h,v
* Revision 1.18 2004/04/05 19:41:05 mcr
* merged alg-branch code.
* Revision 1.17.2.1 2003/12/22 15:25:52 jjo
* . Merged algo-0.8.1-rc11-test1 into alg-branch
* Revision 1.17 2003/12/10 01:20:06 mcr
* NAT-traversal patches to KLIPS.
* Revision 1.16 2003/10/31 02:27:05 mcr
* pulled up port-selector patches and sa_id elimination.
* Revision 1.15.4.1 2003/10/29 01:10:19 mcr
* eliminated "struct sa_id"
* Revision 1.15 2003/05/11 00:53:09 mcr
* IPsecSAref_t and macros were moved to freeswan.h.
* Revision 1.14 2003/02/12 19:31:55 rgb
* Fixed bug in "file seen" machinery.
* Updated copyright year.
* Revision 1.13 2003/01/30 02:31:52 rgb
* Re-wrote comments describing SAref system for accuracy.
* Rename SAref table macro names for clarity.
* Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
* Transmit error code through to caller from callee for better diagnosis of problems.
* Enclose all macro arguments in parens to avoid any possible obscure bugs.
* Revision 1.12 2002/10/07 18:31:19 rgb
* Change comment to reflect the flexible nature of the main and sub-table widths.
* Added a counter for the number of unused entries in each subtable.
* Further break up host field type macro to host field.
* Move field width sanity checks to ipsec_sa.c
* Define a mask for an entire saref.
* Revision 1.11 2002/09/20 15:40:33 rgb
* Re-write most of the SAref macros and types to eliminate any pointer references to Entrys.
* Fixed SAref/nfmark macros.
* Rework saref freeslist.
* Place all ipsec sadb globals into one struct.
* Restrict some bits to kernel context for use to klips utils.
* Revision 1.10 2002/09/20 05:00:34 rgb
* Update copyright date.
* Revision 1.9 2002/09/17 17:19:29 mcr
* make it compile even if there is no netfilter - we lost
* functionality, but it works, especially on 2.2.
* Revision 1.8 2002/07/28 22:59:53 mcr
* clarified/expanded one comment.
* Revision 1.7 2002/07/26 08:48:31 rgb
* Added SA ref table code.
* Revision 1.6 2002/05/31 17:27:48 rgb
* Revision 1.5 2002/05/27 18:55:03 rgb
* Remove final vestiges of tdb references via IPSEC_KLIPS1_COMPAT.
* Revision 1.4 2002/05/23 07:13:36 rgb
* Convert "usecount" to "refcount" to remove ambiguity.
* Revision 1.3 2002/04/24 07:36:47 mcr
* Moved from ./klips/net/ipsec/ipsec_sa.h,v
* Revision 1.2 2001/11/26 09:16:15 rgb
* Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
* Revision 1.1.2.1 2001/09/25 02:24:58 mcr
* struct tdb -> struct ipsec_sa.
* sa(tdb) manipulation functions renamed and moved to ipsec_sa.c
* ipsec_xform.c removed. header file still contains useful things.
* c-file-style: "linux"