2 * @(#) Definitions of IPsec Security Association (ipsec_sa)
4 * Copyright (C) 2001 Richard Guy Briggs <rgb@freeswan.org>
5 * and Michael Richardson <mcr@freeswan.org>
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * RCSID $Id: ipsec_sa.h,v 1.2 2001/11/26 09:16:15 rgb Exp $
19 * This file derived from ipsec_xform.h on 2001/9/18 by mcr.
24 * This file describes the IPsec Security Association Structure.
26 * This structure keeps track of a single transform that may be done
27 * to a set of packets. It can describe applying the transform or
28 * applying the reverse (e.g. compression vs. expansion). However, it
29 * only describes one at a time. To describe both, two structures would
30 * be used, but since the two sides of the transform are typically
31 * performed on different machines, it is usual to have only one side
32 * of each association.
37 #ifdef USE_IXP4XX_CRYPTO
39 #endif /* USE_IXP4XX_CRYPTO */
41 #include "ipsec_stats.h"
42 #include "ipsec_life.h"
43 #include "ipsec_eroute.h"
/* Forward declaration of the transmit-descriptor type whose list heads
 * and tails are kept in struct ipsec_sa under USE_IXP4XX_CRYPTO.
 * NOTE(review): an identifier starting with '_' followed by an uppercase
 * letter is reserved for the implementation by the C standard; the same
 * applies to struct _IpsecRcvDesc used further down. A project prefix
 * would avoid any clash with libc or compiler headers. */
45 struct _IpsecXmitDesc;
48 /* 'struct ipsec_sa' should be 64-bit aligned when allocated. */
51 atomic_t ips_usecount; /* use count for this struct */
52 struct ipsec_sa *ips_hnext; /* next in hash chain */
53 struct ipsec_sa *ips_inext; /* pointer to next xform */
54 struct ipsec_sa *ips_onext; /* pointer to prev xform */
56 struct ifnet *ips_rcvif; /* related rcv encap interface */
58 struct sa_id ips_said; /* SA ID */
60 __u32 ips_seq; /* seq num of msg that initiated this SA */
61 __u32 ips_pid; /* PID of process that initiated this SA */
62 __u8 ips_authalg; /* auth algorithm for this SA */
63 __u8 ips_encalg; /* enc algorithm for this SA */
65 struct ipsec_stats ips_errs;
67 __u8 ips_replaywin; /* replay window size */
68 __u8 ips_state; /* state of SA */
69 #ifdef USE_IXP4XX_CRYPTO
70 __u8 ips_teardown_initiated;/* to initiate teardown */
71 #endif /* USE_IXP4XX_CRYPTO */
72 __u32 ips_replaywin_lastseq; /* last pkt sequence num */
73 __u64 ips_replaywin_bitmap; /* bitmap of received pkts */
74 __u32 ips_replaywin_maxdiff; /* max pkt sequence difference */
76 __u32 ips_flags; /* generic xform flags */
79 struct ipsec_lifetimes ips_life; /* lifetime records */
81 /* selector information */
82 struct sockaddr*ips_addr_s; /* src sockaddr */
83 struct sockaddr*ips_addr_d; /* dst sockaddr */
84 struct sockaddr*ips_addr_p; /* proxy sockaddr */
85 __u16 ips_addr_s_size;
86 __u16 ips_addr_d_size;
87 __u16 ips_addr_p_size;
88 ip_address ips_flow_s;
89 ip_address ips_flow_d;
90 ip_address ips_mask_s;
91 ip_address ips_mask_d;
93 __u16 ips_key_bits_a; /* size of authkey in bits */
94 __u16 ips_auth_bits; /* size of authenticator in bits */
95 __u16 ips_key_bits_e; /* size of enckey in bits */
96 __u16 ips_iv_bits; /* size of IV in bits */
101 #ifdef USE_IXP4XX_CRYPTO
102 #ifdef CONFIG_IPSEC_ALG
103 __u16 ips_enc_blksize; /* cipher block size in bytes */
104 #endif /* CONFIG_IPSEC_ALG */
105 #endif /* USE_IXP4XX_CRYPTO */
106 caddr_t ips_key_a; /* authentication key */
107 caddr_t ips_key_e; /* encryption key */
108 caddr_t ips_iv; /* Initialisation Vector */
110 struct ident ips_ident_s; /* identity src */
111 struct ident ips_ident_d; /* identity dst */
113 #ifdef CONFIG_IPSEC_IPCOMP
114 __u16 ips_comp_adapt_tries; /* ipcomp self-adaption tries */
115 __u16 ips_comp_adapt_skip; /* ipcomp self-adaption to-skip */
116 __u64 ips_comp_ratio_cbytes; /* compressed bytes */
117 __u64 ips_comp_ratio_dbytes; /* decompressed (or uncompressed) bytes */
118 #endif /* CONFIG_IPSEC_IPCOMP */
120 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
122 __u8 ips_natt_reserved[3];
123 __u16 ips_natt_sport;
124 __u16 ips_natt_dport;
126 struct sockaddr *ips_natt_oa;
127 __u16 ips_natt_oa_size;
128 __u16 ips_natt_reserved2;
133 __u8 ips_sens_sens_level;
134 __u8 ips_sens_sens_len;
135 __u64* ips_sens_sens_bitmap;
136 __u8 ips_sens_integ_level;
137 __u8 ips_sens_integ_len;
138 __u64* ips_sens_integ_bitmap;
140 #ifdef USE_IXP4XX_CRYPTO
141 __u32 ips_crypto_state;
142 __u32 ips_crypto_context_id; /* IXP4XX Cryto Context ID */
144 /* The two lists below - XmitDesc_head and RcvDesc_head
145 are used for check and balance of the packets. When we tear down
146 a tunnel we reset the sa's to NULL in the descriptor lists for that sa. */
147 struct _IpsecXmitDesc *XmitDesc_head; /* used to keep track of which xmit descriptors belong to the sa */
148 struct _IpsecRcvDesc *RcvDesc_head; /* used to keep track of which rcv descriptors belong to the sa */
149 struct _IpsecXmitDesc *XmitDesc_tail; /* used to keep track of which xmit descriptors belong to the sa */
150 struct _IpsecRcvDesc *RcvDesc_tail; /* used to keep track of which rcv descriptors belong to the sa */
151 #endif /* USE_IXP4XX_CRYPTO */
152 struct ipsec_alg_enc *ips_alg_enc;
153 struct ipsec_alg_auth *ips_alg_auth;
156 enum ipsec_direction {
/*
 * KLIPS1 compatibility aliases: each pre-rename field name (tdb_*) is
 * mapped onto its struct ipsec_sa member (ips_*) so that code written
 * against the old 'struct tdb' keeps compiling when IPSEC_KLIPS1_COMPAT
 * is defined.
 *
 * These are object-like macros, not struct members, so two things follow:
 *  - the rename is applied to every identifier of that spelling in any
 *    translation unit that includes this header, not only to member
 *    accesses (a local variable or function parameter named e.g.
 *    tdb_state is silently rewritten too);
 *  - the error-counter aliases expand to a nested member path through
 *    ips_errs (tdb_auth_errs -> ips_errs.ips_auth_errs), so they are only
 *    valid immediately after '.' or '->'.
 *
 * tdb_key_e, tdb_key_a and tdb_iv alias the raw key / IV pointers
 * (caddr_t ips_key_e, ips_key_a, ips_iv) of the SA, i.e. the secret
 * material itself, not copies of it.
 */
161 #ifdef IPSEC_KLIPS1_COMPAT
162 #define tdb_hnext ips_hnext
163 #define tdb_inext ips_inext
164 #define tdb_onext ips_onext
165 #define tdb_said ips_said
166 #define tdb_addr_s ips_addr_s
167 #define tdb_addr_s_size ips_addr_s_size
168 #define tdb_addr_d ips_addr_d
169 #define tdb_addr_d_size ips_addr_d_size
170 #define tdb_addr_p ips_addr_p
171 #define tdb_addr_p_size ips_addr_p_size
172 #define tdb_ident_s ips_ident_s
173 #define tdb_ident_d ips_ident_d
174 #define tdb_state ips_state
/* Anti-replay state: window size, highest sequence number seen, the
 * received-packet bitmap, and the permitted sequence gap. */
176 #define tdb_replaywin ips_replaywin
177 #define tdb_replaywin_lastseq ips_replaywin_lastseq
178 #define tdb_replaywin_bitmap ips_replaywin_bitmap
179 #define tdb_replaywin_maxdiff ips_replaywin_maxdiff
180 #define tdb_replaywin_errs ips_errs.ips_replaywin_errs
182 #define tdb_encalg ips_encalg
183 #define tdb_encsize_errs ips_errs.ips_encsize_errs
184 #define tdb_encpad_errs ips_errs.ips_encpad_errs
185 #define tdb_alg_errs ips_errs.ips_alg_errs
186 #define tdb_authalg ips_authalg
187 #define tdb_auth_errs ips_errs.ips_auth_errs
188 #define tdb_iv ips_iv
/* NOTE(review): ips_iv_size, ips_key_e_size and ips_key_a_size are not
 * among the members visible in this listing; presumably they are declared
 * in the elided part of the struct (around the ips_*_bits fields) —
 * verify against the full header before relying on these aliases. */
189 #define tdb_iv_size ips_iv_size
190 #define tdb_iv_bits ips_iv_bits
191 #define tdb_key_e ips_key_e
192 #define tdb_key_e_size ips_key_e_size
193 #define tdb_key_bits_e ips_key_bits_e
194 #define tdb_key_bits_a ips_key_bits_a
195 #define tdb_key_a ips_key_a
196 #define tdb_auth_bits ips_auth_bits
197 #define tdb_key_a_size ips_key_a_size
/* IPCOMP counters: the ips_comp_* members exist only under
 * CONFIG_IPSEC_IPCOMP, so these aliases expand to undeclared members
 * when that option is off. */
199 #define tdb_comp_ratio_cbytes ips_comp_ratio_cbytes
200 #define tdb_comp_ratio_dbytes ips_comp_ratio_dbytes
201 #define tdb_comp_adapt_tries ips_comp_adapt_tries
202 #define tdb_comp_adapt_skip ips_comp_adapt_skip
204 #define tdb_mask_s ips_mask_s
205 #define tdb_flow_s ips_flow_s
206 #define tdb_mask_d ips_mask_d
207 #define tdb_flow_d ips_flow_d
209 #define tdb_flags ips_flags
210 #define tdb_rcvif ips_rcvif
212 #endif /* IPSEC_KLIPS1_COMPAT */
214 #ifndef USE_IXP4XX_CRYPTO
216 #endif /* USE_IXP4XX_CRYPTO */
217 #endif /* _IPSEC_SA_H_ */
220 * $Log: ipsec_sa.h,v $
221 * Revision 1.2 2001/11/26 09:16:15 rgb
222 * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
224 * Revision 1.1.2.1 2001/09/25 02:24:58 mcr
225 * struct tdb -> struct ipsec_sa.
226 * sa(tdb) manipulation functions renamed and moved to ipsec_sa.c
227 * ipsec_xform.c removed. header file still contains useful things.
231 * c-file-style: "linux"