1 /*	$OpenBSD: ip_ipsp.h,v 1.245 2024/04/17 20:48:51 bluhm Exp $	*/
2 /*
3  * The authors of this code are John Ioannidis (ji@tla.org),
4  * Angelos D. Keromytis (kermit@csd.uch.gr),
5  * Niels Provos (provos@physnet.uni-hamburg.de) and
6  * Niklas Hallqvist (niklas@appli.se).
7  *
8  * The original version of this code was written by John Ioannidis
9  * for BSD/OS in Athens, Greece, in November 1995.
10  *
11  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12  * by Angelos D. Keromytis.
13  *
14  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15  * and Niels Provos.
16  *
17  * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
18  *
19  * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20  * Angelos D. Keromytis and Niels Provos.
21  * Copyright (c) 1999 Niklas Hallqvist.
22  * Copyright (c) 2001, Angelos D. Keromytis.
23  *
24  * Permission to use, copy, and modify this software with or without fee
25  * is hereby granted, provided that this entire notice is included in
26  * all copies of any software which is or includes a copy or
27  * modification of this software.
28  * You may use this code under the GNU public license if you so wish. Please
29  * contribute changes back to the authors under this freer than GPL license
30  * so that we may further the use of strong encryption without limitations to
31  * all.
32  *
33  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37  * PURPOSE.
38  */
39 
40 #ifndef _NETINET_IPSP_H_
41 #define _NETINET_IPSP_H_
42 
43 /*
44  * Locks used to protect struct members in this file:
45  *	I	immutable after creation
46  *	a	atomic operations
47  *	N	net lock
48  *	A	ipsec_acquire_mtx
49  *	F	ipsec_flows_mtx
50  *	P	ipo_tdb_mtx		link policy to TDB global mutex
51  *	D	tdb_sadb_mtx		SA database global mutex
52  *	m	tdb_mtx			fields of struct tdb
53  *	S	pfsync			fields of struct tdb
54  */
55 
56 /* IPSP global definitions. */
57 
58 #include <sys/types.h>
59 #include <netinet/in.h>
60 
/*
 * Storage for either address family IPsec handles.  The three members
 * share the leading sa_len/sa_family fields, so code can inspect `sa'
 * first and then pick `sin' or `sin6' according to sa.sa_family.
 */
union sockaddr_union {
	struct sockaddr		sa;	/* generic view (family/length) */
	struct sockaddr_in	sin;	/* AF_INET */
	struct sockaddr_in6	sin6;	/* AF_INET6 */
};
66 
/* Largest ICV carried in an AH/ESP header: SHA-512 truncated to 256 bits
 * (the full digest sizes are the *_ALEN values below). */
#define	AH_HMAC_MAX_HASHLEN	32	/* 256 bits of authenticator for SHA512 */
#define	AH_HMAC_RPLENGTH	4	/* 32 bits of replay counter on the wire */
#define	AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */

/*
 * Full digest lengths of the supported hash functions.  MD5 and RMD160
 * are legacy; keep them only for interoperability (the HMAC construction
 * over them is not known to be broken, but SHA-2 is what new configs
 * should use -- see IPSEC_DEFAULT_DEF_AUTH below).
 */
#define	AH_MD5_ALEN		16
#define	AH_SHA1_ALEN		20
#define	AH_RMD160_ALEN		20
#define	AH_SHA2_256_ALEN	32
#define	AH_SHA2_384_ALEN	48
#define	AH_SHA2_512_ALEN	64
#define	AH_ALEN_MAX		64	/* Keep updated: must be the largest *_ALEN */

/*
 * Reserved SPI numbers.  SPI 0 is for local/implementation use and
 * 1..255 are reserved by IANA; reserve_spi() must never hand these out
 * and input must never match them against a peer.
 */
#define	SPI_LOCAL_USE		0
#define	SPI_RESERVED_MIN	1
#define	SPI_RESERVED_MAX	255

/* Reserved IPComp CPI numbers (RFC 3173): 1..255 well-known/reserved,
 * 61440 (0xf000)..65535 private use. */
#define CPI_RESERVED_MIN	1
#define CPI_RESERVED_MAX	255
#define CPI_PRIVATE_MIN		61440
#define CPI_PRIVATE_MAX		65535

/* sysctl default values (times in seconds, 0 = no limit) */
#define	IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT	60	/* 1 minute: half-set-up SA lifetime */
#define	IPSEC_DEFAULT_PFS			1	/* ask key mgmt for PFS */
#define	IPSEC_DEFAULT_SOFT_ALLOCATIONS		0
#define	IPSEC_DEFAULT_EXP_ALLOCATIONS		0
#define	IPSEC_DEFAULT_SOFT_BYTES		0
#define	IPSEC_DEFAULT_EXP_BYTES			0
#define	IPSEC_DEFAULT_SOFT_TIMEOUT		80000	/* ~22h: renegotiate */
#define	IPSEC_DEFAULT_EXP_TIMEOUT		86400	/* 24h: hard expiry */
#define	IPSEC_DEFAULT_SOFT_FIRST_USE		3600	/* 1h after first use */
#define	IPSEC_DEFAULT_EXP_FIRST_USE		7200	/* 2h after first use */
#define	IPSEC_DEFAULT_DEF_ENC			"aes"
/* NOTE(review): HMAC-SHA1 is still an acceptable MAC but SHA-2 variants
 * are preferred for new deployments; this only sets the default. */
#define	IPSEC_DEFAULT_DEF_AUTH			"hmac-sha1"
#define	IPSEC_DEFAULT_EXPIRE_ACQUIRE		30	/* give up on an ACQUIRE */
/* NOTE(review): compressing before encryption can leak plaintext
 * properties through ciphertext length; consider the threat model
 * before enabling IPComp on an SA. */
#define	IPSEC_DEFAULT_DEF_COMP			"deflate"
106 
/*
 * Flow selector used as the key of the SPD radix trees (sen_family is
 * PF_KEY) and as the per-SA traffic filter (tdb_filter/tdb_filtermask).
 * The address-family specific payload is selected by sen_type (SENT_*).
 *
 * NOTE(review): the payload structs contain padding (a u_int8_t is
 * followed by an address); because the whole object is compared as a
 * radix key, instances must be zeroed (memset) before the fields are
 * filled in, otherwise stale padding bytes can break matching.
 */
struct sockaddr_encap {
	u_int8_t	sen_len;		/* length */
	u_int8_t	sen_family;		/* PF_KEY */
	u_int16_t	sen_type;		/* see SENT_* */
	union {
		struct {				/* SENT_IP4 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_IN/OUT */
			struct in_addr	Src;
			struct in_addr	Dst;
			u_int8_t	Proto;
			u_int16_t	Sport;
			u_int16_t	Dport;
		} Sip4;

		struct {				/* SENT_IP6 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_IN/OUT */
			struct in6_addr	Src;
			struct in6_addr	Dst;
			u_int8_t	Proto;
			u_int16_t	Sport;
			u_int16_t	Dport;
		} Sip6;
	} Sen;
};
131 
/* Values of the Direction member of struct sockaddr_encap. */
#define	IPSP_DIRECTION_IN	0x1
#define	IPSP_DIRECTION_OUT	0x2
134 
/*
 * Global IPsec statistics as exported to userland (IPSEC_STATS sysctl).
 * The members are kept in the same order as enum ipsec_counters below,
 * presumably so the per-CPU counters can be copied out positionally --
 * keep the two in sync when adding a counter.
 */
struct ipsecstat {
	uint64_t	ipsec_tunnels;		/* Number of active tunnels */
	uint64_t	ipsec_prevtunnels;	/* Past number of tunnels */
	uint64_t	ipsec_ipackets;		/* Input IPsec packets */
	uint64_t	ipsec_opackets;		/* Output IPsec packets */
	uint64_t	ipsec_ibytes;		/* Input bytes */
	uint64_t	ipsec_obytes;		/* Output bytes */
	uint64_t	ipsec_idecompbytes;	/* Input bytes, decompressed */
	uint64_t	ipsec_ouncompbytes;	/* Output bytes, uncompressed */
	uint64_t	ipsec_idrops;		/* Dropped on input */
	uint64_t	ipsec_odrops;		/* Dropped on output */
	uint64_t	ipsec_crypto;		/* Crypto processing failure */
	uint64_t	ipsec_notdb;		/* No TDB was found */
	uint64_t	ipsec_noxform;		/* Crypto error */
	uint64_t	ipsec_exctdb;		/* TDBs with hardlimit excess */
};
151 
/*
 * Per-socket/per-packet IPsec requirement levels, one per protection
 * type; consumed by ipsp_spd_lookup() to decide how strictly the SPD
 * result is enforced.
 */
struct ipsec_level {
	u_char	sl_auth;	/* Authentication level */
	u_char	sl_esp_trans;	/* ESP transport level */
	u_char	sl_esp_network;	/* ESP network (encapsulation) level */
	u_char	sl_ipcomp;	/* Compression level */
};
158 
159 #ifdef _KERNEL
160 
161 #include <sys/timeout.h>
162 #include <sys/tree.h>
163 #include <sys/queue.h>
164 #include <net/radix.h>
165 #include <sys/percpu.h>
166 
/*
 * Indices into the per-CPU ipseccounters.  The order mirrors
 * struct ipsecstat member for member; ipsec_ncounters is the count.
 */
enum ipsec_counters {
	ipsec_tunnels,
	ipsec_prevtunnels,
	ipsec_ipackets,
	ipsec_opackets,
	ipsec_ibytes,
	ipsec_obytes,
	ipsec_idecompbytes,
	ipsec_ouncompbytes,
	ipsec_idrops,
	ipsec_odrops,
	ipsec_crypto,
	ipsec_notdb,
	ipsec_noxform,
	ipsec_exctdb,
	ipsec_ncounters		/* number of counters, not a counter */
};
184 
/* Per-CPU global IPsec statistics, indexed by enum ipsec_counters. */
extern struct cpumem *ipseccounters;
186 
/* Increment global counter c by one (per-CPU, no lock needed). */
static inline void
ipsecstat_inc(enum ipsec_counters c)
{
	counters_inc(ipseccounters, c);
}
192 
/* Decrement global counter c by one (used for the tunnel gauges). */
static inline void
ipsecstat_dec(enum ipsec_counters c)
{
	counters_dec(ipseccounters, c);
}
198 
/* Add v to global counter c. */
static inline void
ipsecstat_add(enum ipsec_counters c, uint64_t v)
{
	counters_add(ipseccounters, c, v);
}
204 
/* Account one packet of v bytes: bump packet counter p and byte counter b. */
static inline void
ipsecstat_pkt(enum ipsec_counters p, enum ipsec_counters b, uint64_t v)
{
	counters_pkt(ipseccounters, p, b, v);
}
210 
struct m_tag;			/* forward declaration only */

/*
 * Short-hand accessors for the members of struct sockaddr_encap.
 * XXX sen_data expands to Sen.Data, but the union has no Data member;
 * the macro is stale and any use of it would fail to compile.
 */
#define	sen_data		Sen.Data
/* SENT_IP4 flavour */
#define	sen_ip_src		Sen.Sip4.Src
#define	sen_ip_dst		Sen.Sip4.Dst
#define	sen_proto		Sen.Sip4.Proto
#define	sen_sport		Sen.Sip4.Sport
#define	sen_dport		Sen.Sip4.Dport
#define	sen_direction		Sen.Sip4.Direction
/* SENT_IP6 flavour */
#define	sen_ip6_src		Sen.Sip6.Src
#define	sen_ip6_dst		Sen.Sip6.Dst
#define	sen_ip6_proto		Sen.Sip6.Proto
#define	sen_ip6_sport		Sen.Sip6.Sport
#define	sen_ip6_dport		Sen.Sip6.Dport
#define	sen_ip6_direction	Sen.Sip6.Direction
226 
227 /*
228  * The "type" is really part of the address as far as the routing
229  * system is concerned. By using only one bit in the type field
230  * for each type, we sort-of make sure that different types of
231  * encapsulation addresses won't be matched against the wrong type.
232  *
233  */
234 
/* sen_type values; one bit each so an IPv4 key can never match an IPv6 one */
#define	SENT_IP4	0x0001		/* data is two struct in_addr */
#define	SENT_IP6	0x0002		/* data is two struct in6_addr */

#define	SENT_LEN	sizeof(struct sockaddr_encap)	/* value for sen_len */
239 
/*
 * Header of one identity blob (presumably as delivered by key management
 * over PF_KEY): `type' is an IPSP_IDENTITY_* value and `len' counts the
 * bytes of identity data that follow this header in memory.
 *
 * NOTE(review): len is a signed 16-bit value.  Whatever parses these
 * from userland must reject negative or oversized lengths before using
 * len as a byte count -- confirm at the PF_KEY parsing site.
 */
struct ipsec_id {
	u_int16_t	type;		/* Subtype of data, IPSP_IDENTITY_* */
	int16_t		len;		/* Length of data following */
};
244 
/*
 * Reference-counted pair of local/remote identities, shared between
 * TDBs (tdb_ids) and policies (ipo_ids).  An entry sits in two trees:
 * one keyed on the identity contents (id_node_id) and one keyed on the
 * 32-bit id_flow handle (id_node_flow, cf. ipsp_ids_lookup()).  The
 * id_gc_* members presumably implement delayed garbage collection of
 * entries whose refcount dropped to zero -- see ipsp_ids_free().
 */
struct ipsec_ids {
	LIST_ENTRY(ipsec_ids)	id_gc_list;	/* [F] */
	RBT_ENTRY(ipsec_ids)	id_node_id;	/* [F] */
	RBT_ENTRY(ipsec_ids)	id_node_flow;	/* [F] */
	struct ipsec_id		*id_local;	/* [I] */
	struct ipsec_id		*id_remote;	/* [I] */
	u_int32_t		id_flow;	/* [I] handle used by ipsp_ids_lookup() */
	u_int			id_refcount;	/* [F] */
	u_int			id_gc_ttl;	/* [F] */
};
RBT_HEAD(ipsec_ids_flows, ipsec_ids);	/* tree keyed on id_flow */
RBT_HEAD(ipsec_ids_tree, ipsec_ids);	/* tree keyed on identity contents */
257 
/*
 * An outstanding request to key management for an SA matching a policy.
 * ipa_seq is the sequence number the reply is matched on (see
 * ipsec_get_acquire()); ipa_timeout bounds how long we wait
 * (ipsec_expire_acquire).  Reference counted via ipa_refcnt, dropped
 * with ipsec_unref_acquire().
 */
struct ipsec_acquire {
	union sockaddr_union		ipa_addr;	/* peer address */
	u_int32_t			ipa_seq;	/* request sequence number */
	struct sockaddr_encap		ipa_info;	/* flow the SA is for */
	struct sockaddr_encap		ipa_mask;
	struct refcnt			ipa_refcnt;
	struct timeout			ipa_timeout;	/* expiry timer */
	struct ipsec_policy		*ipa_policy;	/* [A] back pointer */
	TAILQ_ENTRY(ipsec_acquire)	ipa_ipo_next;	/* [A] per policy */
	TAILQ_ENTRY(ipsec_acquire)	ipa_next;	/* [A] global list */
};

TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire);
271 
/*
 * One SPD entry.  Keyed in the per-rdomain radix tree by ipo_addr/
 * ipo_mask (struct sockaddr_encap flow selectors); ipo_type says what
 * to do with matching traffic (IPSP_*), ipo_tdb caches the SA that
 * currently satisfies the policy.  Reference counted via ipo_refcnt.
 */
struct ipsec_policy {
	struct radix_node	ipo_nodes[2];	/* radix tree glue */
	struct sockaddr_encap	ipo_addr;	/* flow selector */
	struct sockaddr_encap	ipo_mask;	/* and its mask */

	union sockaddr_union	ipo_src;	/* Local address to use */
	union sockaddr_union	ipo_dst;	/* Remote gateway -- if it's zeroed:
						 * - on output, we try to
						 * contact the remote host
						 * directly (if needed).
						 * - on input, we accept only if
						 * the inner source is the
						 * same as the outer source
						 * address, or if transport
						 * mode was used.
						 */

	u_int64_t	ipo_last_searched;	/* [P] Timestamp of lookup */

	u_int8_t		ipo_flags;	/* See IPSP_POLICY_* definitions */
	u_int8_t		ipo_type;	/* USE/ACQUIRE/... (IPSP_*) */
	u_int8_t		ipo_sproto;	/* ESP/AH; if zero, use system dflts */
	u_int			ipo_rdomain;	/* routing domain of the SPD */

	struct refcnt		ipo_refcnt;

	struct tdb		*ipo_tdb;	/* [P] Cached TDB entry */

	struct ipsec_ids	*ipo_ids;	/* required peer identities, or NULL */

	struct ipsec_acquire_head ipo_acquires;	/* [A] List of acquires */
	TAILQ_ENTRY(ipsec_policy) ipo_tdb_next;	/* [P] List TDB policies */
	TAILQ_ENTRY(ipsec_policy) ipo_list;	/* List of all policies */
};
306 
/* ipo_flags bits */
#define	IPSP_POLICY_NONE	0x0000	/* No flags set */
#define	IPSP_POLICY_STATIC	0x0002	/* Static policy */

/*
 * ipo_type values.  Note that ACQUIRE lets the packet through while the
 * SA is still being negotiated, i.e. that traffic leaves unprotected;
 * use REQUIRE or DONTACQ where that is not acceptable.
 */
#define	IPSP_IPSEC_USE		0	/* Use if existing, don't acquire */
#define	IPSP_IPSEC_ACQUIRE	1	/* Try acquire, let packet through */
#define	IPSP_IPSEC_REQUIRE	2	/* Require SA */
#define	IPSP_PERMIT		3	/* Permit traffic through */
#define	IPSP_DENY		4	/* Deny traffic */
#define	IPSP_IPSEC_DONTACQ	5	/* Require, but don't acquire */

/* Identity types (struct ipsec_id type member) */
#define	IPSP_IDENTITY_NONE		0
#define	IPSP_IDENTITY_PREFIX		1
#define	IPSP_IDENTITY_FQDN		2
#define	IPSP_IDENTITY_USERFQDN		3
#define	IPSP_IDENTITY_ASN1_DN		4
323 
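struct tdb {				/* tunnel descriptor block */
	/*
	 * One Security Association as the kernel sees it.
	 *
	 * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
	 * one keyed on dst/sproto, and one keyed on src/sproto. The first
	 * is used for finding a specific TDB, the second for finding TDBs
	 * for outgoing policy matching, and the third for incoming
	 * policy matching. The following three fields maintain the hash
	 * queues in those three tables.  Locking letters are explained at
	 * the top of this file.
	 */
	struct tdb	*tdb_hnext;	/* [D] dst/spi/sproto table */
	struct tdb	*tdb_dnext;	/* [D] dst/sproto table */
	struct tdb	*tdb_snext;	/* [D] src/sproto table */
	struct tdb	*tdb_inext;	/* bundle links, see tdb_unbundle() */
	struct tdb	*tdb_onext;
	SIMPLEQ_ENTRY(tdb) tdb_walk;	/* [N] temp list for tdb walker */

	struct refcnt	tdb_refcnt;	/* tdb_ref()/tdb_unref() */
	struct mutex	tdb_mtx;	/* protects the [m] members */

	const struct xformsw	*tdb_xform;		/* Transform to use */
	const struct enc_xform	*tdb_encalgxform;	/* Enc algorithm */
	const struct auth_hash	*tdb_authalgxform;	/* Auth algorithm */
	const struct comp_algo	*tdb_compalgxform;	/* Compression algo */

	/* tdb_flags bits */
#define	TDBF_UNIQUE		0x00001	/* This should not be used by others */
#define	TDBF_TIMER		0x00002	/* Absolute expiration timer in use */
#define	TDBF_BYTES		0x00004	/* Check the byte counters */
#define	TDBF_ALLOCATIONS	0x00008	/* Check the flows counters */
#define	TDBF_INVALID		0x00010	/* This SPI is not valid yet/anymore */
#define	TDBF_FIRSTUSE		0x00020	/* Expire after first use */
#define	TDBF_DELETED		0x00040	/* This TDB has already been deleted */
#define	TDBF_SOFT_TIMER		0x00080	/* Soft expiration */
#define	TDBF_SOFT_BYTES		0x00100	/* Soft expiration */
#define	TDBF_SOFT_ALLOCATIONS	0x00200	/* Soft expiration */
#define	TDBF_SOFT_FIRSTUSE	0x00400	/* Soft expiration */
#define	TDBF_PFS		0x00800	/* Ask for PFS from Key Mgmt. */
#define	TDBF_TUNNELING		0x01000	/* Force IP-IP encapsulation */
#define	TDBF_USEDTUNNEL		0x10000	/* Appended a tunnel header in past */
#define	TDBF_UDPENCAP		0x20000	/* UDP encapsulation */
#define	TDBF_PFSYNC		0x40000	/* TDB will be synced */
#define	TDBF_PFSYNC_RPL		0x80000	/* Replay counter should be bumped */
#define	TDBF_ESN		0x100000 /* 64-bit sequence numbers (ESN) */
#define	TDBF_PFSYNC_SNAPPED	0x200000 /* entry is being dispatched to peer */
#define	TDBF_IFACE		0x400000 /* entry policy is via sec(4) */

	/*
	 * printf("%b") decoding string for tdb_flags.  Each "\N" is the
	 * 1-based bit number in octal: 0x1 is \1, 0x100000 (ESN) is \25,
	 * 0x200000 (PFSYNC_SNAPPED) is \26 and 0x400000 (IFACE) is \27.
	 * Previously \26 was labelled IFACE, which printed PFSYNC_SNAPPED
	 * as IFACE and left the real IFACE bit unnamed.  Keep in sync with
	 * the TDBF_* values above.
	 */
#define TDBF_BITS ("\20" \
	"\1UNIQUE\2TIMER\3BYTES\4ALLOCATIONS" \
	"\5INVALID\6FIRSTUSE\7DELETED\10SOFT_TIMER" \
	"\11SOFT_BYTES\12SOFT_ALLOCATIONS\13SOFT_FIRSTUSE\14PFS" \
	"\15TUNNELING" \
	"\21USEDTUNNEL\22UDPENCAP\23PFSYNC\24PFSYNC_RPL" \
	"\25ESN\26PFSYNC_SNAPPED\27IFACE")

	u_int32_t	tdb_flags;	/* [m] Flags related to this TDB */

	/* Lifetime timers; armed by tdb_addtimeouts(), torn down by
	 * tdb_deltimeouts(). */
	struct timeout	tdb_timer_tmo;	/* hard expiry */
	struct timeout	tdb_first_tmo;	/* hard expiry after first use */
	struct timeout	tdb_stimer_tmo;	/* soft expiry */
	struct timeout	tdb_sfirst_tmo;	/* soft expiry after first use */

	u_int32_t	tdb_seq;		/* Tracking number for PFKEY */
	u_int32_t	tdb_exp_allocations;	/* Expire after so many flows */
	u_int32_t	tdb_soft_allocations;	/* Expiration warning */
	u_int32_t	tdb_cur_allocations;	/* Total number of allocs */

	u_int64_t	tdb_exp_bytes;	/* Expire after so many bytes passed */
	u_int64_t	tdb_soft_bytes;	/* Expiration warning */
	u_int64_t	tdb_cur_bytes;	/* Current count of bytes */

	u_int64_t	tdb_exp_timeout;	/* When does the SPI expire */
	u_int64_t	tdb_soft_timeout;	/* Send soft-expire warning */
	u_int64_t	tdb_established;	/* When was SPI established */

	u_int64_t	tdb_first_use;		/* When was it first used */
	u_int64_t	tdb_soft_first_use;	/* Soft warning */
	u_int64_t	tdb_exp_first_use;	/* Expire if tdb_first_use +
						 * tdb_exp_first_use <= curtime
						 */

	u_int64_t	tdb_last_used;	/* When was this SA last used */
	u_int64_t	tdb_last_marked;/* Last SKIPCRYPTO status change */

	struct cpumem   *tdb_counters;  /* stats about this TDB (enum tdb_counters) */

	u_int64_t	tdb_cryptoid;	/* Crypto session ID */

	u_int32_t	tdb_spi;	/* [I] SPI */
	u_int16_t	tdb_amxkeylen;	/* Raw authentication key length */
	u_int16_t	tdb_emxkeylen;	/* Raw encryption key length */
	u_int16_t	tdb_ivlen;	/* IV length */
	u_int8_t	tdb_sproto;	/* [I] IPsec protocol */
	u_int8_t	tdb_wnd;	/* Replay window.  NOTE(review): 8 bits
					 * cannot express TDB_REPLAYMAX, so this
					 * presumably acts as an on/off request
					 * from key management while the real
					 * window size is fixed below -- confirm
					 * in the input paths. */
	u_int8_t	tdb_satype;	/* SA type (RFC2367, PF_KEY) */
	u_int8_t	tdb_iface_dir;	/* [I] sec(4) iface direction */

	union sockaddr_union	tdb_dst;	/* [N] Destination address */
	union sockaddr_union	tdb_src;	/* [N] Source address */

	/*
	 * Raw key material.  Must be scrubbed (explicit_bzero) and not
	 * merely freed when the TDB goes away; xf_zeroize is the
	 * termination hook -- confirm it covers both keys.
	 */
	u_int8_t	*tdb_amxkey;	/* Raw authentication key */
	u_int8_t	*tdb_emxkey;	/* Raw encryption key */

	/* Anti-replay bitmap size in sequence numbers, with slack. */
#define TDB_REPLAYWASTE	32
#define TDB_REPLAYMAX	(2100+TDB_REPLAYWASTE)

	u_int64_t	tdb_rpl;	/* Replay counter (64-bit for ESN) */
	u_int32_t	tdb_seen[howmany(TDB_REPLAYMAX, 32)]; /* Anti-replay window */

	u_int8_t	tdb_iv[4];	/* Used for HALF-IV ESP */

	struct ipsec_ids	*tdb_ids;	/* Src/Dst ID for this SA */
	int		tdb_ids_swapped;	/* XXX presumably local/remote stored reversed */

	u_int32_t	tdb_mtu;	/* MTU at this point in the chain */
	u_int64_t	tdb_mtutimeout;	/* When to ignore this entry */

	u_int16_t	tdb_udpencap_port;	/* Peer UDP port */

	u_int16_t	tdb_tag;		/* Packet filter tag */
	u_int32_t	tdb_tap;		/* Alternate enc(4) interface */
	unsigned int	tdb_iface;		/* [I] sec(4) iface */

	u_int		tdb_rdomain;		/* [I] Routing domain */
	u_int		tdb_rdomain_post;	/* [I] Change domain */

	struct sockaddr_encap   tdb_filter; /* What traffic is acceptable */
	struct sockaddr_encap   tdb_filtermask; /* And the mask */

	TAILQ_HEAD(tdb_policy_head, ipsec_policy) tdb_policy_head; /* [P] */
	TAILQ_ENTRY(tdb)	tdb_sync_entry;	/* [S] pfsync tdb queue */
	u_int32_t	tdb_updates;	/* [S] pfsync update counter */
};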
455 
/* Indices into the per-SA tdb_counters cpumem; tdb_ncounters is the count. */
enum tdb_counters {
	tdb_ipackets,           /* Input IPsec packets */
	tdb_opackets,           /* Output IPsec packets */
	tdb_ibytes,             /* Input bytes */
	tdb_obytes,             /* Output bytes */
	tdb_idrops,             /* Dropped on input */
	tdb_odrops,             /* Dropped on output */
	tdb_idecompbytes,       /* Input bytes, decompressed */
	tdb_ouncompbytes,       /* Output bytes, uncompressed */
	tdb_ncounters		/* number of counters, not a counter */
};
467 
/* Increment per-SA counter c of tdb by one. */
static inline void
tdbstat_inc(struct tdb *tdb, enum tdb_counters c)
{
	counters_inc(tdb->tdb_counters, c);
}
473 
/* Add v to per-SA counter c of tdb. */
static inline void
tdbstat_add(struct tdb *tdb, enum tdb_counters c, uint64_t v)
{
	counters_add(tdb->tdb_counters, c, v);
}
479 
/* Account one packet of `bytes' on tdb: bump packet counter pc and byte
 * counter bc together. */
static inline void
tdbstat_pkt(struct tdb *tdb, enum tdb_counters pc, enum tdb_counters bc,
    uint64_t bytes)
{
	counters_pkt(tdb->tdb_counters, pc, bc, bytes);
}
486 
/*
 * Names a TDB without holding a pointer to it: (rdomain, dst, spi, proto)
 * is the key of the dst/spi/sproto hash, see gettdb().  Presumably
 * carried in mbuf tags so a packet can record which SA processed it
 * without pinning the TDB -- confirm at the tag users.
 */
struct tdb_ident {
	u_int32_t spi;
	union sockaddr_union dst;
	u_int8_t proto;
	u_int rdomain;
};
493 
/*
 * Per-request context handed through the crypto framework.  It carries
 * a copy of the TDB key (tc_dst/tc_spi/tc_proto/tc_rdomain, cf.
 * struct tdb_ident) plus the replay value and header offsets of the
 * packet, presumably so the TDB can be looked up again when the
 * (possibly asynchronous) crypto operation completes -- confirm in
 * the xform input/output callbacks.
 */
struct tdb_crypto {
	union sockaddr_union	tc_dst;
	u_int64_t		tc_rpl;		/* replay counter for this packet */
	u_int32_t		tc_spi;
	int			tc_protoff;	/* offset of the protocol field */
	int			tc_skip;	/* offset of the IPsec header */
	u_int			tc_rdomain;
	u_int8_t		tc_proto;
};
503 
/*
 * Key material and algorithm selectors passed to xf_init()/tdb_init()
 * when an SA is set up.  The key buffers are owned by the caller;
 * being raw secrets they should be scrubbed once the TDB has taken
 * its own copy (presumably done at the PF_KEY site -- confirm).
 */
struct ipsecinit {
	u_int8_t	*ii_enckey;	/* raw encryption key */
	u_int8_t	*ii_authkey;	/* raw authentication key */
	u_int16_t	ii_enckeylen;	/* bytes in ii_enckey */
	u_int16_t	ii_authkeylen;	/* bytes in ii_authkey */
	u_int8_t	ii_encalg;	/* SADB_EALG_* selector */
	u_int8_t	ii_authalg;	/* SADB_AALG_* selector */
	u_int8_t	ii_compalg;	/* SADB_X_CALG_* selector */
};
513 
514 /* xform IDs */
/* xform IDs (struct xformsw xf_type); 4 is unused */
#define	XF_IP4		1	/* IP inside IP */
#define	XF_AH		2	/* AH */
#define	XF_ESP		3	/* ESP */
#define	XF_TCPSIGNATURE	5	/* TCP MD5 Signature option, RFC 2385 */
#define	XF_IPCOMP	6	/* IPCOMP */

/* xform attributes (struct xformsw xf_flags) */
#define	XFT_AUTH	0x0001	/* provides authentication */
#define	XFT_CONF	0x0100	/* provides confidentiality */
#define	XFT_COMP	0x1000	/* provides compression */

/*
 * Size of the shared all-zero buffer.  NOTE(review): a whole IPv6
 * extension header can be up to 2048 bytes, so this is only "larger
 * than" a single option (8-bit length) or the IPv4 option area; users
 * of the buffer must bound their copy length accordingly.
 */
#define	IPSEC_ZEROES_SIZE	256	/* Larger than an IP6 extension hdr. */
527 
/*
 * Transform switch: the method table one IPsec protocol (XF_*) exports.
 * xf_input/xf_output are called with the mbuf, the TDB, and the offsets
 * of the IPsec header and of the protocol field (cf. struct tdb_crypto
 * tc_skip/tc_protoff); they return 0 or an errno.
 */
struct xformsw {
	u_short	xf_type;		/* Unique ID of xform (XF_*) */
	u_short	xf_flags;		/* flags (XFT_*) */
	char	*xf_name;		/* human-readable name (could be const) */
	int	(*xf_attach)(void);	/* called at config time */
	int	(*xf_init)(struct tdb *, const struct xformsw *,
		    struct ipsecinit *);	/* set up keys/session for a TDB */
	int	(*xf_zeroize)(struct tdb *); /* termination: release the
					      * crypto session and scrub keys */
	int	(*xf_input)(struct mbuf **, struct tdb *, int, int);
	int	(*xf_output)(struct mbuf *, struct tdb *, int, int);
};
539 
extern int ipsec_in_use;		/* nonzero once any SA/policy exists */
extern u_int64_t ipsec_last_added;	/* time the last TDB was added */
extern int encdebug;			/* enable message reporting; debugging aid, keep off in production */
extern struct pool tdb_pool;		/* allocator for struct tdb */

/* sysctl knobs; defaults are the IPSEC_DEFAULT_* values above. */
extern int ipsec_keep_invalid;		/* lifetime of embryonic SAs (in sec) */
extern int ipsec_require_pfs;		/* use Perfect Forward Secrecy */
extern int ipsec_expire_acquire;	/* wait for security assoc. (in sec) */
extern int ipsec_soft_allocations;	/* flows/SA before renegotiation */
extern int ipsec_exp_allocations;	/* num. of flows/SA before it expires */
extern int ipsec_soft_bytes;		/* bytes/SA before renegotiation */
extern int ipsec_exp_bytes;		/* num of bytes/SA before it expires */
extern int ipsec_soft_timeout;		/* seconds/SA before renegotiation */
extern int ipsec_exp_timeout;		/* seconds/SA before it expires */
extern int ipsec_soft_first_use;	/* seconds between 1st asso & renego */
extern int ipsec_exp_first_use;		/* seconds between 1st asso & expire */
556 
557 /*
558  * Names for IPsec sysctl objects
559  */
/* Aliases for the IPCTL_* sysctl identifiers this module serves. */
#define	IPSEC_ENCDEBUG			IPCTL_ENCDEBUG			/* 12 */
#define	IPSEC_STATS			IPCTL_IPSEC_STATS		/* 13 */
#define IPSEC_EXPIRE_ACQUIRE		IPCTL_IPSEC_EXPIRE_ACQUIRE	/* 14 */
#define IPSEC_EMBRYONIC_SA_TIMEOUT	IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT/* 15 */
#define IPSEC_REQUIRE_PFS		IPCTL_IPSEC_REQUIRE_PFS		/* 16 */
#define IPSEC_SOFT_ALLOCATIONS          IPCTL_IPSEC_SOFT_ALLOCATIONS	/* 17 */
#define IPSEC_ALLOCATIONS		IPCTL_IPSEC_ALLOCATIONS		/* 18 */
#define IPSEC_SOFT_BYTES		IPCTL_IPSEC_SOFT_BYTES		/* 19 */
#define IPSEC_BYTES			IPCTL_IPSEC_BYTES		/* 20 */
#define IPSEC_TIMEOUT			IPCTL_IPSEC_TIMEOUT		/* 21 */
#define IPSEC_SOFT_TIMEOUT		IPCTL_IPSEC_SOFT_TIMEOUT	/* 22 */
#define IPSEC_SOFT_FIRSTUSE		IPCTL_IPSEC_SOFT_FIRSTUSE	/* 23 */
#define IPSEC_FIRSTUSE			IPCTL_IPSEC_FIRSTUSE		/* 24 */
#define IPSEC_MAXID	25	/* one past the highest id above */

/* Default algorithm names, writable via sysctl (IPSEC_DEFAULT_DEF_*). */
extern char ipsec_def_enc[];
extern char ipsec_def_auth[];
extern char ipsec_def_comp[];

/* List of every policy (ipo_list). */
extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;

extern struct mutex tdb_sadb_mtx;	/* [D] SA database */
extern struct mutex ipo_tdb_mtx;	/* [P] policy <-> TDB links */
583 
struct cryptop;			/* forward declaration only */

/* Misc. */
/* Format an address as text into the supplied buffer of the given size. */
const char *ipsp_address(union sockaddr_union *, char *, socklen_t);

/* SPD tables, one per routing domain (the unsigned int argument). */
struct radix_node_head *spd_table_add(unsigned int);
struct radix_node_head *spd_table_get(unsigned int);
/* Call walker on every policy of the rdomain; the walker's nonzero return
 * is presumably propagated and stops the walk -- confirm. */
int spd_table_walk(unsigned int,
    int (*walker)(struct ipsec_policy *, void *, unsigned int), void *);

/* TDB management routines */
/* Pick and reserve an unused SPI (within the two u_int32_t bounds) for the
 * given rdomain/src/dst/sproto; 0 and the reserved range must never be
 * returned (see SPI_RESERVED_*).  The int * receives an error code. */
uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *,
		union sockaddr_union *, u_int8_t, int *);
/* Lookup by (rdomain, spi, dst, sproto); the trailing int is a direction
 * flag, 1 in the *_rev variants.  The result is referenced and must be
 * dropped with tdb_unref(). */
struct	tdb *gettdb_dir(u_int, u_int32_t, union sockaddr_union *, u_int8_t, int);
#define gettdb(a,b,c,d)		gettdb_dir((a),(b),(c),(d),0)
#define gettdb_rev(a,b,c,d)	gettdb_dir((a),(b),(c),(d),1)
/* Lookups on the dst/sproto and src/sproto tables, optionally narrowed by
 * identities and a flow filter/mask (see ipsp_aux_match()). */
struct	tdb *gettdbbydst(u_int, union sockaddr_union *, u_int8_t,
		struct ipsec_ids *,
		struct sockaddr_encap *, struct sockaddr_encap *);
struct	tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t,
		struct ipsec_ids *,
		struct sockaddr_encap *, struct sockaddr_encap *);
struct	tdb *gettdbbysrcdst_dir(u_int, u_int32_t, union sockaddr_union *,
		union sockaddr_union *, u_int8_t, int);
#define gettdbbysrcdst(a,b,c,d,e) gettdbbysrcdst_dir((a),(b),(c),(d),(e),0)
#define gettdbbysrcdst_rev(a,b,c,d,e) gettdbbysrcdst_dir((a),(b),(c),(d),(e),1)
/* Insert into / remove from the SA database; the *_locked variants expect
 * tdb_sadb_mtx to be held by the caller. */
void	puttdb(struct tdb *);
void	puttdb_locked(struct tdb *);
void	tdb_delete(struct tdb *);
struct	tdb *tdb_alloc(u_int);		/* new TDB for the given rdomain */
struct	tdb *tdb_ref(struct tdb *);	/* take a reference, returns its argument */
void	tdb_unref(struct tdb *);	/* drop a reference */
void	tdb_free(struct tdb *);		/* final teardown (keys, session, timers) */
int	tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);	/* bind xform (XF_*) and keys */
void	tdb_unlink(struct tdb *);
void	tdb_unlink_locked(struct tdb *);
void	tdb_cleanspd(struct tdb *);	/* drop cached ipo_tdb references */
void	tdb_unbundle(struct tdb *);	/* detach tdb_inext/tdb_onext */
void	tdb_addtimeouts(struct tdb *);	/* arm the lifetime timers */
void	tdb_deltimeouts(struct tdb *);
int	tdb_walk(u_int, int (*)(struct tdb *, void *, int), void *);
void	tdb_printit(void *, int, int (*)(const char *, ...));	/* ddb dump */
627 
/*
 * Per-transform entry points, in struct xformsw order
 * (attach/init/zeroize/input/output).  The *46_input functions are the
 * protocol-switch hooks; the *_ctlinput ones handle ICMP feedback.
 */

/* XF_IP4 (IP-in-IP, no output hook: encapsulation is done inline) */
int	ipe4_attach(void);
int	ipe4_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
int	ipe4_zeroize(struct tdb *);
int	ipe4_input(struct mbuf **, struct tdb *, int, int);

/* XF_AH */
int	ah_attach(void);
int	ah_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
int	ah_zeroize(struct tdb *);
int	ah_input(struct mbuf **, struct tdb *, int, int);
int	ah_output(struct mbuf *, struct tdb *, int, int);
int	ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);

int	ah46_input(struct mbuf **, int *, int, int);
void	ah4_ctlinput(int, struct sockaddr *, u_int, void *);
void	udpencap_ctlinput(int, struct sockaddr *, u_int, void *);

/* XF_ESP */
int	esp_attach(void);
int	esp_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
int	esp_zeroize(struct tdb *);
int	esp_input(struct mbuf **, struct tdb *, int, int);
int	esp_output(struct mbuf *, struct tdb *, int, int);
int	esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);

int	esp46_input(struct mbuf **, int *, int, int);
void	esp4_ctlinput(int, struct sockaddr *, u_int, void *);

/* XF_IPCOMP */
int	ipcomp_attach(void);
int	ipcomp_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
int	ipcomp_zeroize(struct tdb *);
int	ipcomp_input(struct mbuf **, struct tdb *, int, int);
int	ipcomp_output(struct mbuf *, struct tdb *, int, int);
int	ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
int	ipcomp46_input(struct mbuf **, int *, int, int);

/* XF_TCPSIGNATURE (RFC 2385 TCP MD5 option; key storage only, the
 * signature itself is computed by the TCP code) */
int	tcp_signature_tdb_attach(void);
int	tcp_signature_tdb_init(struct tdb *, const struct xformsw *,
	    struct ipsecinit *);
int	tcp_signature_tdb_zeroize(struct tdb *);
int	tcp_signature_tdb_input(struct mbuf **, struct tdb *, int, int);
int	tcp_signature_tdb_output(struct mbuf *, struct tdb *, int, int);

/* Replay window */
/*
 * Anti-replay check of a received sequence number against tdb_rpl and the
 * tdb_seen bitmap.  Arguments are the TDB, the current replay counter, the
 * 32-bit sequence number from the packet, an out-pointer (presumably the
 * reconstructed ESN high half, see TDBF_ESN) and a flag; a nonzero flag
 * presumably commits the update to the window while zero only tests it,
 * so the window is not advanced before the ICV has been verified --
 * confirm against the callers.  Returns 0 when the packet is acceptable.
 */
int	checkreplaywindow(struct tdb *, u_int64_t, u_int32_t, u_int32_t *, int);
676 
/* Packet processing */
/* Apply the TDB's transform (and bundle) to an outgoing packet. */
int	ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
int	ipsp_process_done(struct mbuf *, struct tdb *);
/* SPD lookup for a packet: decides permit/deny/use-SA according to the
 * policy type (IPSP_*) and the caller's struct ipsec_level, returning the
 * TDB to use through the struct tdb ** when one is required. */
int	ipsp_spd_lookup(struct mbuf *, int, int, int, struct tdb *,
	    const struct ipsec_level *, struct tdb **, struct ipsec_ids *);
int	ipsp_is_unspecified(union sockaddr_union);	/* all-zero address? */
/* Does a TDB satisfy the given identities and flow filter/mask? */
int	ipsp_aux_match(struct tdb *, struct ipsec_ids *,
	    struct sockaddr_encap *, struct sockaddr_encap *);
int	ipsp_ids_match(struct ipsec_ids *, struct ipsec_ids *);
/* Intern an identity pair: returns the shared entry (possibly an existing
 * one), see struct ipsec_ids. */
struct ipsec_ids *ipsp_ids_insert(struct ipsec_ids *);
struct ipsec_ids *ipsp_ids_lookup(u_int32_t);	/* by id_flow handle */
void	ipsp_ids_free(struct ipsec_ids *);

void	ipsp_init(void);
void	ipsec_init(void);
int	ipsec_sysctl(int *, u_int, void *, size_t *, void *, size_t);
/* Input path shared by AH/ESP/IPComp: find the TDB for the packet's
 * (dst, spi, proto) and hand it to the transform's xf_input. */
int	ipsec_common_input(struct mbuf **, int, int, int, int, int);
int	ipsec_common_input_cb(struct mbuf **, struct tdb *, int, int);
int	ipsec_input_disabled(struct mbuf **, int *, int, int);
int	ipsec_protoff(struct mbuf *, int, int);
int	ipsec_delete_policy(struct ipsec_policy *);
ssize_t	ipsec_hdrsz(struct tdb *);	/* bytes of header overhead the SA adds */
void	ipsec_adjust_mtu(struct mbuf *, u_int32_t);
void	ipsec_set_mtu(struct tdb *, u_int32_t);
/* Find a pending acquire by its sequence number; caller releases it with
 * ipsec_unref_acquire(). */
struct	ipsec_acquire *ipsec_get_acquire(u_int32_t);
void	ipsec_unref_acquire(struct ipsec_acquire *);
/* Policy enforcement for forwarded and locally delivered packets. */
int	ipsec_forward_check(struct mbuf *, int, int);
int	ipsec_local_check(struct mbuf *, int, int, int);
705 
706 #endif /* _KERNEL */
707 #endif /* _NETINET_IPSP_H_ */
708