1 files changed, 338 insertions, 0 deletions

diff --git a/linux/include/freeswan/ipsec_sa.h b/linux/include/freeswan/ipsec_sa.h
new file mode 100644
index 000000000..555df42d3
--- /dev/null
+++ b/linux/include/freeswan/ipsec_sa.h
@@ -0,0 +1,338 @@
+/*
+ * @(#) Definitions of IPsec Security Association (ipsec_sa)
+ *
+ * Copyright (C) 2001, 2002, 2003
+ *                      Richard Guy Briggs  <rgb@freeswan.org>
+ *                  and Michael Richardson  <mcr@freeswan.org>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_sa.h,v 1.3 2004/04/28 08:07:11 as Exp $
+ *
+ * This file derived from ipsec_xform.h on 2001/9/18 by mcr.
+ *
+ */
+
+/* 
+ * This file describes the IPsec Security Association Structure.
+ *
+ * This structure keeps track of a single transform that may be done
+ * to a set of packets. It can describe applying the transform or
+ * apply the reverse. (e.g. compression vs expansion). However, it
+ * only describes one at a time. To describe both, two structures would
+ * be used, but since the sides of the transform are performed 
+ * on different machines typically it is usual to have only one side
+ * of each association.
+ * 
+ */
+
+#ifndef _IPSEC_SA_H_
+
+#ifdef __KERNEL__
+#include "ipsec_stats.h"
+#include "ipsec_life.h"
+#include "ipsec_eroute.h"
+#endif /* __KERNEL__ */
+#include "ipsec_param.h"
+
+
+/* SAs are held in a table.
+ * Entries in this table are referenced by IPsecSAref_t values.
+ * IPsecSAref_t values are conceptually subscripts.  Because
+ * we want to allocate the table piece-meal, the subscripting
+ * is implemented with two levels, a bit like paged virtual memory.
+ * This representation mechanism is known as an Iliffe Vector.
+ *
+ * The Main table (AKA the refTable) consists of 2^IPSEC_SA_REF_MAINTABLE_IDX_WIDTH
+ * pointers to subtables.
+ * Each subtable has 2^IPSEC_SA_REF_SUBTABLE_IDX_WIDTH entries, each of which
+ * is a pointer to an SA.
+ *
+ * An IPsecSAref_t contains either an exceptional value (signified by the
+ * high-order bit being on) or a reference to a table entry.  A table entry
+ * reference has the subtable subscript in the low-order
+ * IPSEC_SA_REF_SUBTABLE_IDX_WIDTH bits and the Main table subscript
+ * in the next lowest IPSEC_SA_REF_MAINTABLE_IDX_WIDTH bits.
+ *
+ * The Maintable entry for an IPsecSAref_t x, a pointer to its subtable, is
+ * IPsecSAref2table(x).  It is of type struct IPsecSArefSubTable *.
+ *
+ * The pointer to the SA for x is IPsecSAref2SA(x).  It is of type
+ * struct ipsec_sa*.  The macro definition clearly shows the two-level
+ * access needed to find the SA pointer.
+ *
+ * The Maintable is allocated when IPsec is initialized.
+ * Each subtable is allocated when needed, but the first is allocated
+ * when IPsec is initialized.
+ *
+ * IPsecSAref_t is designed to be smaller than an NFmark so that
+ * they can be stored in NFmarks and still leave a few bits for other
+ * purposes.  The spare bits are in the low order of the NFmark
+ * but in the high order of the IPsecSAref_t, so conversion is required.
+ * We pick the upper bits of NFmark on the theory that they are less likely to
+ * interfere with more pedestrian uses of nfmark.
+ */
+
+
+typedef unsigned short int IPsecRefTableUnusedCount;
+
+#define IPSEC_SA_REF_TABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH)
+
+#ifdef __KERNEL__
+#if ((IPSEC_SA_REF_TABLE_IDX_WIDTH - (1 + IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) < 0)
+#error "IPSEC_SA_REF_TABLE_IDX_WIDTH("IPSEC_SA_REF_TABLE_IDX_WIDTH") MUST be < 1 + IPSEC_SA_REF_MAINTABLE_IDX_WIDTH("IPSEC_SA_REF_MAINTABLE_IDX_WIDTH")"
+#endif
+
+#define IPSEC_SA_REF_SUBTABLE_IDX_WIDTH (IPSEC_SA_REF_TABLE_IDX_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)
+
+#define IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)
+#define IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
+
+#ifdef CONFIG_NETFILTER
+#define IPSEC_SA_REF_HOST_FIELD(x) ((struct sk_buff*)(x))->nfmark
+#define IPSEC_SA_REF_HOST_FIELD_TYPE typeof(IPSEC_SA_REF_HOST_FIELD(NULL))
+#else /* CONFIG_NETFILTER */
+/* just make it work for now, it doesn't matter, since there is no nfmark */
+#define IPSEC_SA_REF_HOST_FIELD_TYPE unsigned long
+#endif /* CONFIG_NETFILTER */
+#define IPSEC_SA_REF_HOST_FIELD_WIDTH (8 * sizeof(IPSEC_SA_REF_HOST_FIELD_TYPE))
+#define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t))
+
+#define IPSEC_SA_REF_MASK        (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
+#define IPSEC_SA_REF_TABLE_MASK ((IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
+#define IPSEC_SA_REF_ENTRY_MASK  (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_SUBTABLE_IDX_WIDTH))
+
+#define IPsecSAref2table(x) (((x) & IPSEC_SA_REF_TABLE_MASK) >> IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
+#define IPsecSAref2entry(x) ((x) & IPSEC_SA_REF_ENTRY_MASK)
+#define IPsecSArefBuild(x,y) (((x) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH) + (y))
+
+#define IPsecSAref2SA(x) (ipsec_sadb.refTable[IPsecSAref2table(x)]->entry[IPsecSAref2entry(x)])
+#define IPsecSA2SAref(x) ((x)->ips_ref)
+
+#define EMT_INBOUND	0x01	/* SA direction, 1=inbound */
+
+/* 'struct ipsec_sa' should be 64bit aligned when allocated. */
+struct ipsec_sa 	                        
+{
+	IPsecSAref_t	ips_ref;		/* reference table entry number */
+	atomic_t	ips_refcount;		/* reference count for this struct */
+	struct ipsec_sa	*ips_hnext;		/* next in hash chain */
+	struct ipsec_sa	*ips_inext;	 	/* pointer to next xform */
+	struct ipsec_sa	*ips_onext;	 	/* pointer to prev xform */
+
+	struct ifnet	*ips_rcvif;	 	/* related rcv encap interface */
+
+	struct sa_id	ips_said;	 	/* SA ID */
+
+	__u32		ips_seq;		/* seq num of msg that initiated this SA */
+	__u32		ips_pid;		/* PID of process that initiated this SA */
+	__u8		ips_authalg;		/* auth algorithm for this SA */
+	__u8		ips_encalg;		/* enc algorithm for this SA */
+
+	struct ipsec_stats ips_errs;
+
+	__u8		ips_replaywin;		/* replay window size */
+	__u8		ips_state;		/* state of SA */
+	__u32		ips_replaywin_lastseq;	/* last pkt sequence num */
+	__u64		ips_replaywin_bitmap;	/* bitmap of received pkts */
+	__u32		ips_replaywin_maxdiff;	/* max pkt sequence difference */
+
+	__u32		ips_flags;		/* generic xform flags */
+
+
+	struct ipsec_lifetimes ips_life;	/* lifetime records */
+
+	/* selector information */
+	struct sockaddr*ips_addr_s;		/* src sockaddr */
+	struct sockaddr*ips_addr_d;		/* dst sockaddr */
+	struct sockaddr*ips_addr_p;		/* proxy sockaddr */
+	__u16		ips_addr_s_size;
+	__u16		ips_addr_d_size;
+	__u16		ips_addr_p_size;
+	ip_address	ips_flow_s;
+	ip_address	ips_flow_d;
+	ip_address	ips_mask_s;
+	ip_address	ips_mask_d;
+
+	__u16		ips_key_bits_a;		/* size of authkey in bits */
+	__u16		ips_auth_bits;		/* size of authenticator in bits */
+	__u16		ips_key_bits_e;		/* size of enckey in bits */
+	__u16		ips_iv_bits;	 	/* size of IV in bits */
+	__u8		ips_iv_size;
+	__u16		ips_key_a_size;
+	__u16		ips_key_e_size;
+
+	caddr_t		ips_key_a;		/* authentication key */
+	caddr_t		ips_key_e;		/* encryption key */
+	caddr_t	        ips_iv;			/* Initialisation Vector */
+
+	struct ident	ips_ident_s;		/* identity src */
+	struct ident	ips_ident_d;		/* identity dst */
+
+#ifdef CONFIG_IPSEC_IPCOMP
+	__u16		ips_comp_adapt_tries;	/* ipcomp self-adaption tries */
+	__u16		ips_comp_adapt_skip;	/* ipcomp self-adaption to-skip */
+	__u64		ips_comp_ratio_cbytes;	/* compressed bytes */
+	__u64		ips_comp_ratio_dbytes;	/* decompressed (or uncompressed) bytes */
+#endif /* CONFIG_IPSEC_IPCOMP */
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	__u8		ips_natt_type;
+	__u8		ips_natt_reserved[3];
+	__u16		ips_natt_sport;
+	__u16		ips_natt_dport;
+
+	struct sockaddr *ips_natt_oa;
+	__u16		ips_natt_oa_size;
+	__u16		ips_natt_reserved2;
+#endif
+
+#if 0
+	__u32		ips_sens_dpd;
+	__u8		ips_sens_sens_level;
+	__u8		ips_sens_sens_len;
+	__u64*		ips_sens_sens_bitmap;
+	__u8		ips_sens_integ_level;
+	__u8		ips_sens_integ_len;
+	__u64*		ips_sens_integ_bitmap;
+#endif
+	struct ipsec_alg_enc *ips_alg_enc;
+	struct ipsec_alg_auth *ips_alg_auth;
+	IPsecSAref_t	ips_ref_rel;
+};
+
+struct IPsecSArefSubTable
+{
+	struct ipsec_sa* entry[IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES];
+};
+
+struct ipsec_sadb {
+	struct IPsecSArefSubTable* refTable[IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES];
+	IPsecSAref_t refFreeList[IPSEC_SA_REF_FREELIST_NUM_ENTRIES];
+	int refFreeListHead;
+	int refFreeListTail;
+	IPsecSAref_t refFreeListCont;
+	IPsecSAref_t said_hash[SADB_HASHMOD];
+	spinlock_t sadb_lock;
+};
+
+extern struct ipsec_sadb ipsec_sadb;
+
+extern int ipsec_SAref_recycle(void);
+extern int ipsec_SArefSubTable_alloc(unsigned table);
+extern int ipsec_saref_freelist_init(void);
+extern int ipsec_sadb_init(void);
+extern struct ipsec_sa *ipsec_sa_alloc(int*error); /* pass in error var by pointer */
+extern IPsecSAref_t ipsec_SAref_alloc(int*erorr); /* pass in error var by pointer */
+extern int ipsec_sa_free(struct ipsec_sa* ips);
+extern struct ipsec_sa *ipsec_sa_getbyid(struct sa_id *said);
+extern int ipsec_sa_put(struct ipsec_sa *ips);
+extern int ipsec_sa_add(struct ipsec_sa *ips);
+extern int ipsec_sa_del(struct ipsec_sa *ips);
+extern int ipsec_sa_delchain(struct ipsec_sa *ips);
+extern int ipsec_sadb_cleanup(__u8 proto);
+extern int ipsec_sadb_free(void);
+extern int ipsec_sa_wipe(struct ipsec_sa *ips);
+#endif /* __KERNEL__ */
+
+enum ipsec_direction {
+	ipsec_incoming = 1,
+	ipsec_outgoing = 2
+};
+
+#define _IPSEC_SA_H_
+#endif /* _IPSEC_SA_H_ */
+
+/*
+ * $Log: ipsec_sa.h,v $
+ * Revision 1.3  2004/04/28 08:07:11  as
+ * added dhr's freeswan-2.06 changes
+ *
+ * Revision 1.2  2004/03/22 21:53:18  as
+ * merged alg-0.8.1 branch with HEAD
+ *
+ * Revision 1.1.2.1.2.1  2004/03/16 09:48:18  as
+ * alg-0.8.1rc12 patch merged
+ *
+ * Revision 1.1.2.1  2004/03/15 22:30:06  as
+ * nat-0.6c patch merged
+ *
+ * Revision 1.1  2004/03/15 20:35:25  as
+ * added files from freeswan-2.04-x509-1.5.3
+ *
+ * Revision 1.15  2003/05/11 00:53:09  mcr
+ * 	IPsecSAref_t and macros were moved to freeswan.h.
+ *
+ * Revision 1.14  2003/02/12 19:31:55  rgb
+ * Fixed bug in "file seen" machinery.
+ * Updated copyright year.
+ *
+ * Revision 1.13  2003/01/30 02:31:52  rgb
+ *
+ * Re-wrote comments describing SAref system for accuracy.
+ * Rename SAref table macro names for clarity.
+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
+ * Transmit error code through to caller from callee for better diagnosis of problems.
+ * Enclose all macro arguments in parens to avoid any possible obscrure bugs.
+ *
+ * Revision 1.12  2002/10/07 18:31:19  rgb
+ * Change comment to reflect the flexible nature of the main and sub-table widths.
+ * Added a counter for the number of unused entries in each subtable.
+ * Further break up host field type macro to host field.
+ * Move field width sanity checks to ipsec_sa.c
+ * Define a mask for an entire saref.
+ *
+ * Revision 1.11  2002/09/20 15:40:33  rgb
+ * Re-write most of the SAref macros and types to eliminate any pointer references to Entrys.
+ * Fixed SAref/nfmark macros.
+ * Rework saref freeslist.
+ * Place all ipsec sadb globals into one struct.
+ * Restrict some bits to kernel context for use to klips utils.
+ *
+ * Revision 1.10  2002/09/20 05:00:34  rgb
+ * Update copyright date.
+ *
+ * Revision 1.9  2002/09/17 17:19:29  mcr
+ * 	make it compile even if there is no netfilter - we lost
+ * 	functionality, but it works, especially on 2.2.
+ *
+ * Revision 1.8  2002/07/28 22:59:53  mcr
+ * 	clarified/expanded one comment.
+ *
+ * Revision 1.7  2002/07/26 08:48:31  rgb
+ * Added SA ref table code.
+ *
+ * Revision 1.6  2002/05/31 17:27:48  rgb
+ * Comment fix.
+ *
+ * Revision 1.5  2002/05/27 18:55:03  rgb
+ * Remove final vistiges of tdb references via IPSEC_KLIPS1_COMPAT.
+ *
+ * Revision 1.4  2002/05/23 07:13:36  rgb
+ * Convert "usecount" to "refcount" to remove ambiguity.
+ *
+ * Revision 1.3  2002/04/24 07:36:47  mcr
+ * Moved from ./klips/net/ipsec/ipsec_sa.h,v
+ *
+ * Revision 1.2  2001/11/26 09:16:15  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.1.2.1  2001/09/25 02:24:58  mcr
+ * 	struct tdb -> struct ipsec_sa.
+ * 	sa(tdb) manipulation functions renamed and moved to ipsec_sa.c
+ * 	ipsec_xform.c removed. header file still contains useful things.
+ *
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */