1 /*	$OpenBSD: ip_ipsp.h,v 1.135 2006/11/24 13:52:14 reyk Exp $	*/
2 /*
3  * The authors of this code are John Ioannidis (ji@tla.org),
4  * Angelos D. Keromytis (kermit@csd.uch.gr),
5  * Niels Provos (provos@physnet.uni-hamburg.de) and
6  * Niklas Hallqvist (niklas@appli.se).
7  *
8  * The original version of this code was written by John Ioannidis
9  * for BSD/OS in Athens, Greece, in November 1995.
10  *
11  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12  * by Angelos D. Keromytis.
13  *
14  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15  * and Niels Provos.
16  *
17  * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
18  *
19  * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20  * Angelos D. Keromytis and Niels Provos.
21  * Copyright (c) 1999 Niklas Hallqvist.
22  * Copyright (c) 2001, Angelos D. Keromytis.
23  *
24  * Permission to use, copy, and modify this software with or without fee
25  * is hereby granted, provided that this entire notice is included in
26  * all copies of any software which is or includes a copy or
27  * modification of this software.
28  * You may use this code under the GNU public license if you so wish. Please
29  * contribute changes back to the authors under this freer than GPL license
30  * so that we may further the use of strong encryption without limitations to
31  * all.
32  *
33  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37  * PURPOSE.
38  */
39 
40 #ifndef _NETINET_IPSP_H_
41 #define _NETINET_IPSP_H_
42 
43 /* IPSP global definitions. */
44 
45 #include <sys/types.h>
46 #include <sys/queue.h>
47 #include <sys/timeout.h>
48 #include <netinet/in.h>
49 
/*
 * Generic IPv4/IPv6 socket address container.  Every IPsec endpoint in
 * this header (TDB src/dst/proxy, policy src/dst, acquire target) is one
 * of these; callers are expected to look at sa.sa_family before reading
 * the sin or sin6 view.
 */
union sockaddr_union {
	struct sockaddr		sa;	/* generic view: sa_len / sa_family */
	struct sockaddr_in	sin;	/* AF_INET view */
	struct sockaddr_in6	sin6;	/* AF_INET6 view */
};
55 
/*
 * HMAC key sizes, in bytes.  Each equals the output length of the
 * underlying hash (compare the AH_*_ALEN values below).
 */
#define	MD5HMAC96_KEYSIZE	16
#define	SHA1HMAC96_KEYSIZE	20
#define	RIPEMD160HMAC96_KEYSIZE	20
#define	SHA2_256HMAC96_KEYSIZE	32
#define	SHA2_384HMAC96_KEYSIZE	48
#define	SHA2_512HMAC96_KEYSIZE	64

/*
 * AH on-the-wire sizes.  The authenticator carried in the packet is the
 * HMAC output truncated to 96 bits; the replay field is a 32-bit
 * sequence number whose first value is 1.
 */
#define	AH_HMAC_HASHLEN		12	/* 96 bits of authenticator */
#define	AH_HMAC_RPLENGTH	4	/* 32 bits of replay counter */
#define	AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */

/* Full (untruncated) authenticator lengths, in bytes. */
#define	AH_MD5_ALEN		16
#define	AH_SHA1_ALEN		20
#define	AH_RMD160_ALEN		20
#define	AH_SHA2_256_ALEN	32
#define	AH_SHA2_384_ALEN	48
#define	AH_SHA2_512_ALEN	64
#define	AH_ALEN_MAX		64 	/* Keep updated: must be >= every AH_*_ALEN above */

/*
 * Reserved SPI numbers.  0 is for local use only and 1..255 are
 * reserved; code that allocates SPIs is expected to skip this range.
 */
#define	SPI_LOCAL_USE		0
#define	SPI_RESERVED_MIN	1
#define	SPI_RESERVED_MAX	255

/*
 * Reserved IPCOMP CPI numbers: 1..255 are reserved and
 * 61440..65535 (0xF000..0xFFFF) is the private range.
 */
#define CPI_RESERVED_MIN	1
#define CPI_RESERVED_MAX	255
#define CPI_PRIVATE_MIN		61440
#define CPI_PRIVATE_MAX		65535

/*
 * sysctl default values.  Timeouts are in seconds.  A soft limit is
 * meant to fire before the matching hard ("EXP") limit; the defaults
 * below respect that ordering (80000 < 86400, 3600 < 7200).
 * NOTE(review): 0 for the byte/allocation limits presumably means
 * "no limit" -- confirm against the sysctl handlers before relying on it.
 * NOTE(review): the default cipher is "aes", yet no enc_xform_aes is
 * declared among the enc_xform externs later in this header; verify the
 * name resolves wherever ipsec_def_enc is consumed.
 */
#define	IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT	60	/* 1 minute */
#define	IPSEC_DEFAULT_PFS			1
#define	IPSEC_DEFAULT_SOFT_ALLOCATIONS		0
#define	IPSEC_DEFAULT_EXP_ALLOCATIONS		0
#define	IPSEC_DEFAULT_SOFT_BYTES		0
#define	IPSEC_DEFAULT_EXP_BYTES			0
#define	IPSEC_DEFAULT_SOFT_TIMEOUT		80000
#define	IPSEC_DEFAULT_EXP_TIMEOUT		86400
#define	IPSEC_DEFAULT_SOFT_FIRST_USE		3600
#define	IPSEC_DEFAULT_EXP_FIRST_USE		7200
#define	IPSEC_DEFAULT_DEF_ENC			"aes"
#define	IPSEC_DEFAULT_DEF_AUTH			"hmac-sha1"
#define	IPSEC_DEFAULT_EXPIRE_ACQUIRE		30
#define	IPSEC_DEFAULT_DEF_COMP			"deflate"
103 
/*
 * Encapsulation "address": a routing-table style key (and, in a second
 * instance, mask) describing a traffic selector.  It is used both as the
 * key/mask pair of an ipsec_policy and as the per-TDB tdb_filter /
 * tdb_filtermask, and as the destination of a route_enc lookup.
 * sen_type selects which member of the Sen union is valid (SENT_*).
 *
 * NOTE(review): in Sip4/Sip6 the u_int8_t Direction and Proto fields
 * are followed by wider members, so the struct contains padding bytes.
 * Anything that compares or masks these as raw memory presumably relies
 * on the padding being zeroed consistently -- confirm at the fill sites.
 */
struct sockaddr_encap {
	u_int8_t	sen_len;		/* length */
	u_int8_t	sen_family;		/* PF_KEY */
	u_int16_t	sen_type;		/* see SENT_* */
	union {
		struct {				/* SENT_IP4 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_IN/OUT */
			struct in_addr	Src;
			struct in_addr	Dst;
			u_int8_t	Proto;		/* IP protocol number */
			u_int16_t	Sport;		/* transport source port */
			u_int16_t	Dport;		/* transport destination port */
		} Sip4;

		struct {				/* SENT_IP6 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_IN/OUT */
			struct in6_addr	Src;
			struct in6_addr	Dst;
			u_int8_t	Proto;		/* IP protocol number */
			u_int16_t	Sport;		/* transport source port */
			u_int16_t	Dport;		/* transport destination port */
		} Sip6;

		struct ipsec_policy	*PolicyHead;	/* SENT_IPSP */
	} Sen;
};
130 
/* Values for the Direction field of struct sockaddr_encap. */
#define	IPSP_DIRECTION_IN	0x1
#define	IPSP_DIRECTION_OUT	0x2

/*
 * Field accessors for struct sockaddr_encap.
 * NOTE(review): sen_data expands to Sen.Data, but the Sen union above has
 * no member named Data (only Sip4, Sip6 and PolicyHead), so any use of
 * sen_data cannot compile.  It looks like a leftover; kept as-is here
 * because removing it is a source-visible change.
 */
#define	sen_data		Sen.Data
#define	sen_ip_src		Sen.Sip4.Src
#define	sen_ip_dst		Sen.Sip4.Dst
#define	sen_proto		Sen.Sip4.Proto
#define	sen_sport		Sen.Sip4.Sport
#define	sen_dport		Sen.Sip4.Dport
#define	sen_direction		Sen.Sip4.Direction
#define	sen_ip6_src		Sen.Sip6.Src
#define	sen_ip6_dst		Sen.Sip6.Dst
#define	sen_ip6_proto		Sen.Sip6.Proto
#define	sen_ip6_sport		Sen.Sip6.Sport
#define	sen_ip6_dport		Sen.Sip6.Dport
#define	sen_ip6_direction	Sen.Sip6.Direction
#define	sen_ipsp		Sen.PolicyHead

/*
 * The "type" is really part of the address as far as the routing
 * system is concerned.  Each type occupies a distinct single bit of
 * the type field so that encapsulation addresses of different types
 * are not matched against one another.  Keep new values powers of two.
 */

#define	SENT_IP4	0x0001		/* data is two struct in_addr */
#define	SENT_IPSP	0x0002		/* data as in IP4/6 plus SPI */
#define	SENT_IP6	0x0004		/* data is two struct in6_addr */

#define	SENT_LEN	sizeof(struct sockaddr_encap)
162 
/*
 * Reference-counted, variable-length blob used for identities,
 * credentials and authentication material.  The payload follows this
 * header ("data following"); ref_malloctype records the malloc(9) type
 * so the whole thing can be freed (see ipsp_reffree()).
 * NOTE(review): ref_len is a signed 16-bit length.  Code that builds one
 * of these from external input should reject negative values before the
 * length is used for copying or comparison (see ipsp_ref_match()).
 */
struct ipsec_ref {
	u_int16_t	ref_type;	/* Subtype of data (IPSP_IDENTITY_*, IPSP_CRED_*, IPSP_AUTH_*) */
	int16_t		ref_len;	/* Length of data following */
	int		ref_count;	/* Reference count */
	int		ref_malloctype;	/* malloc(9) type, for freeing */
};
169 
/*
 * An outstanding request to key management for an SA that a policy
 * needs.  It is linked on the owning policy's ipo_acquires list, on the
 * global ipsec_acquire_head list and, when a PCB is attached, on that
 * PCB's list.  ipa_timeout expires the request (ipsp_delete_acquire()).
 * NOTE(review): ipa_seq presumably is the sequence number used to match
 * the key-management reply (see ipsec_get_acquire(u_int32_t)) -- confirm.
 */
struct ipsec_acquire {
	union sockaddr_union		ipa_addr;	/* peer the SA is wanted for */
	u_int32_t			ipa_seq;	/* request sequence number */
	struct sockaddr_encap		ipa_info;	/* selector that triggered it */
	struct sockaddr_encap		ipa_mask;	/* and its mask */
	struct timeout			ipa_timeout;	/* request expiry */
	struct ipsec_policy		*ipa_policy;	/* owning policy */
	struct inpcb                    *ipa_pcb;	/* attached PCB, may be NULL */
	TAILQ_ENTRY(ipsec_acquire)	ipa_ipo_next;	/* ipo_acquires link */
	TAILQ_ENTRY(ipsec_acquire)	ipa_next;	/* ipsec_acquire_head link */
	TAILQ_ENTRY(ipsec_acquire)      ipa_inp_next;	/* per-PCB link */
};
182 
/*
 * One security-policy entry: a traffic selector (ipo_addr/ipo_mask),
 * what to do with matching traffic (ipo_type, IPSP_*), which SA
 * protocol to use, identities/credentials to require, and a cached
 * TDB.  Policies live on ipsec_policy_head and, while cached, on their
 * TDB's tdb_policy_head; they are reference counted via ipo_ref_count.
 */
struct ipsec_policy {
	struct sockaddr_encap	ipo_addr;	/* selector */
	struct sockaddr_encap	ipo_mask;	/* selector mask */

	union sockaddr_union	ipo_src;	/* Local address to use */
	union sockaddr_union	ipo_dst;	/* Remote gateway -- if it's zeroed:
						 * - on output, we try to
						 * contact the remote host
						 * directly (if needed).
						 * - on input, we accept only if
						 * the inner source is the
						 * same as the outer source
						 * address, or if transport
						 * mode was used.
						 */

	u_int64_t		ipo_last_searched;	/* Timestamp of last lookup */

	u_int8_t		ipo_flags;	/* See IPSP_POLICY_* definitions */
	u_int8_t		ipo_type;	/* USE/ACQUIRE/REQUIRE/PERMIT/DENY/DONTACQ (IPSP_*) */
	u_int8_t		ipo_sproto;	/* ESP/AH; if zero, use system dflts */

	int                     ipo_ref_count;	/* Reference count */

	struct tdb		*ipo_tdb;		/* Cached entry */

	struct ipsec_ref	*ipo_srcid;	/* required local identity */
	struct ipsec_ref	*ipo_dstid;	/* required remote identity */
	struct ipsec_ref	*ipo_local_cred;	/* local credential */
	struct ipsec_ref	*ipo_local_auth;	/* local authentication material */

	TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */
	TAILQ_ENTRY(ipsec_policy)	ipo_tdb_next;	/* List TDB policies */
	TAILQ_ENTRY(ipsec_policy)	ipo_list;	/* List of all policies */
};
218 
/* ipo_flags bits */
#define	IPSP_POLICY_NONE	0x0000	/* No flags set */
#define	IPSP_POLICY_SOCKET	0x0001	/* Socket-attached policy */
#define	IPSP_POLICY_STATIC	0x0002	/* Static policy */

/*
 * ipo_type values.  These are an enumeration, not a severity scale:
 * DONTACQ (5) is stricter than DENY (4) is not meaningful, so compare
 * with == rather than ordering them.
 */
#define	IPSP_IPSEC_USE		0	/* Use if existing, don't acquire */
#define	IPSP_IPSEC_ACQUIRE	1	/* Try acquire, let packet through */
#define	IPSP_IPSEC_REQUIRE	2	/* Require SA */
#define	IPSP_PERMIT		3	/* Permit traffic through */
#define	IPSP_DENY		4	/* Deny traffic */
#define	IPSP_IPSEC_DONTACQ	5	/* Require, but don't acquire */

/* Notification types */
#define	NOTIFY_SOFT_EXPIRE	0	/* Soft expiration of SA */
#define	NOTIFY_HARD_EXPIRE	1	/* Hard expiration of SA */
#define	NOTIFY_REQUEST_SA	2	/* Establish an SA */

/*
 * SA attribute bits, OR-ed together by TDB_ATTRIB().
 * NOTE(review): NOTIFY_SATYPE_COMP is 5, i.e. CONF|TUNNEL, not a single
 * bit like the other three.  A mask built by TDB_ATTRIB() therefore
 * cannot tell "compression only" apart from "encryption + tunnel".
 * The value may be visible outside this file, so audit every consumer
 * before changing it.
 */
#define	NOTIFY_SATYPE_CONF	1	/* SA should do encryption */
#define	NOTIFY_SATYPE_AUTH	2	/* SA should do authentication */
#define	NOTIFY_SATYPE_TUNNEL	4	/* SA should use tunneling */
#define NOTIFY_SATYPE_COMP	5       /* SA (IPCA) should use compression */

/* Authentication types (ref_type of *_local_auth / *_remote_auth) */
#define	IPSP_AUTH_NONE		0
#define	IPSP_AUTH_PASSPHRASE	1
#define	IPSP_AUTH_RSA		2

/* Credential types (ref_type of *_local_cred / *_remote_cred) */
#define	IPSP_CRED_NONE		0
#define	IPSP_CRED_KEYNOTE	1
#define	IPSP_CRED_X509		2

/* Identity types (ref_type of *_srcid / *_dstid) */
#define	IPSP_IDENTITY_NONE		0
#define	IPSP_IDENTITY_PREFIX		1
#define	IPSP_IDENTITY_FQDN		2
#define	IPSP_IDENTITY_USERFQDN		3
#define	IPSP_IDENTITY_CONNECTION	4
256 
/*
 * Encapsulation routes can be keyed not only on the destination
 * address but also on the protocol and on the source and destination
 * ports, when those are available.
 */
262 
/*
 * Cached encapsulation route: the rtentry found in the encap routing
 * table for the selector held in re_dst.
 */
struct route_enc {
	struct rtentry		*re_rt;		/* cached route, NULL if none */
	struct sockaddr_encap	re_dst;		/* selector used for the lookup */
};
267 
struct tdb {				/* tunnel descriptor block */
	/*
	 * One security association (SA) and everything needed to process
	 * packets on it: transform hooks, algorithm descriptors, raw keys,
	 * lifetimes, replay state and endpoints.  Access is serialised
	 * with spltdb() (defined below).
	 *
	 * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
	 * one keyed on dst/sproto, and one keyed on src/sproto. The first
	 * is used for finding a specific TDB, the second for finding TDBs
	 * for outgoing policy matching, and the third for incoming
	 * policy matching. The following three fields maintain the hash
	 * queues in those three tables.
	 */
	struct tdb	*tdb_hnext;	/* dst/spi/sproto table */
	struct tdb	*tdb_anext;	/* dst/sproto table */
	struct tdb	*tdb_snext;	/* src/sproto table */
	struct tdb	*tdb_inext;	/* next TDB in the input chain (SPI_CHAIN_ATTRIB) */
	struct tdb	*tdb_onext;	/* next TDB in the output chain (SPI_CHAIN_ATTRIB) */

	struct xformsw		*tdb_xform;		/* Transform to use */
	struct enc_xform	*tdb_encalgxform;	/* Enc algorithm, NULL if none */
	struct auth_hash	*tdb_authalgxform;	/* Auth algorithm, NULL if none */
	struct comp_algo	*tdb_compalgxform;	/* Compression algo, NULL if none */

/* tdb_flags bits */
#define	TDBF_UNIQUE		0x00001	/* This should not be used by others */
#define	TDBF_TIMER		0x00002	/* Absolute expiration timer in use */
#define	TDBF_BYTES		0x00004	/* Check the byte counters */
#define	TDBF_ALLOCATIONS	0x00008	/* Check the flows counters */
#define	TDBF_INVALID		0x00010	/* This SPI is not valid yet/anymore */
#define	TDBF_FIRSTUSE		0x00020	/* Expire after first use */
#define	TDBF_HALFIV		0x00040	/* Use half-length IV (ESP old only) */
#define	TDBF_SOFT_TIMER		0x00080	/* Soft expiration */
#define	TDBF_SOFT_BYTES		0x00100	/* Soft expiration */
#define	TDBF_SOFT_ALLOCATIONS	0x00200	/* Soft expiration */
#define	TDBF_SOFT_FIRSTUSE	0x00400	/* Soft expiration */
#define	TDBF_PFS		0x00800	/* Ask for PFS from Key Mgmt. */
#define	TDBF_TUNNELING		0x01000	/* Force IP-IP encapsulation */
#define	TDBF_NOREPLAY		0x02000	/* No replay counter present (anti-replay off) */
#define	TDBF_RANDOMPADDING	0x04000	/* Random data in the ESP padding */
#define	TDBF_SKIPCRYPTO		0x08000	/* Skip actual crypto processing; security-sensitive, see ipsp_skipcrypto_mark() */
#define	TDBF_USEDTUNNEL		0x10000	/* Appended a tunnel header in past */
#define	TDBF_UDPENCAP		0x20000	/* UDP encapsulation (port in tdb_udpencap_port) */

	u_int32_t	tdb_flags;	/* TDBF_* bits above */

	/*
	 * Expiration timers.  From the names: hard and soft absolute
	 * timers, and hard and soft first-use timers, matching the
	 * TDBF_TIMER/TDBF_SOFT_TIMER/TDBF_FIRSTUSE/TDBF_SOFT_FIRSTUSE
	 * flags -- pairing inferred from names, confirm at the arm sites.
	 */
	struct timeout	tdb_timer_tmo;
	struct timeout	tdb_first_tmo;
	struct timeout	tdb_stimer_tmo;
	struct timeout	tdb_sfirst_tmo;

	u_int32_t	tdb_seq;		/* Tracking number for PFKEY */
	u_int32_t	tdb_exp_allocations;	/* Expire after so many flows */
	u_int32_t	tdb_soft_allocations;	/* Expiration warning */
	u_int32_t	tdb_cur_allocations;	/* Total number of allocs */

	u_int64_t	tdb_exp_bytes;	/* Expire after so many bytes passed */
	u_int64_t	tdb_soft_bytes;	/* Expiration warning */
	u_int64_t	tdb_cur_bytes;	/* Current count of bytes */

	u_int64_t	tdb_exp_timeout;	/* When does the SPI expire */
	u_int64_t	tdb_soft_timeout;	/* Send soft-expire warning */
	u_int64_t	tdb_established;	/* When was SPI established */

	u_int64_t	tdb_first_use;		/* When was it first used */
	u_int64_t	tdb_soft_first_use;	/* Soft warning */
	u_int64_t	tdb_exp_first_use;	/* Expire if tdb_first_use +
						 * tdb_exp_first_use <= curtime
						 */

	u_int64_t	tdb_last_used;	/* When was this SA last used */
	u_int64_t	tdb_last_marked;/* Last SKIPCRYPTO status change */

	u_int64_t	tdb_cryptoid;	/* Crypto session ID (opaque to this file) */

	u_int32_t	tdb_spi;	/* SPI */
	u_int16_t	tdb_amxkeylen;	/* Raw authentication key length, bytes */
	u_int16_t	tdb_emxkeylen;	/* Raw encryption key length, bytes */
	u_int16_t	tdb_ivlen;	/* IV length */
	u_int8_t	tdb_sproto;	/* IPsec protocol */
	u_int8_t	tdb_wnd;	/* Replay window */
	u_int8_t	tdb_satype;	/* SA type (RFC2367, PF_KEY) */

	union sockaddr_union	tdb_dst;	/* Destination address */
	union sockaddr_union	tdb_src;	/* Source address */
	union sockaddr_union	tdb_proxy;	/* Proxy address */

	/*
	 * Raw key material lives in kernel memory for the life of the SA.
	 * NOTE(review): it must be cleared, not merely freed, on teardown;
	 * presumably the transform's xf_zeroize hook does this -- verify.
	 */
	u_int8_t	*tdb_amxkey;	/* Raw authentication key (tdb_amxkeylen bytes) */
	u_int8_t	*tdb_emxkey;	/* Raw encryption key (tdb_emxkeylen bytes) */

	/*
	 * Anti-replay state.  Both the counter and the window bitmap are
	 * 32 bits wide, so the sliding window covers at most 32 sequence
	 * numbers (see checkreplaywindow32()).  Ignored when TDBF_NOREPLAY
	 * is set.
	 */
	u_int32_t	tdb_rpl;	/* Replay counter */
	u_int32_t	tdb_bitmap;	/* Used for replay sliding window */

	u_int8_t	tdb_iv[4];	/* Used for HALF-IV ESP (TDBF_HALFIV) */

	struct ipsec_ref	*tdb_local_cred;	/* Local credential */
	struct ipsec_ref	*tdb_remote_cred;	/* Remote credential */
	struct ipsec_ref	*tdb_srcid;	/* Source ID for this SA */
	struct ipsec_ref	*tdb_dstid;	/* Destination ID for this SA */
	struct ipsec_ref	*tdb_local_auth;/* Local authentication material */
	struct ipsec_ref	*tdb_remote_auth;/* Remote authentication material */

	u_int32_t	tdb_mtu;	/* MTU at this point in the chain */
	u_int64_t	tdb_mtutimeout;	/* When to ignore this entry */

	u_int16_t	tdb_udpencap_port;	/* Peer UDP port (TDBF_UDPENCAP) */

	u_int16_t	tdb_tag;		/* Packet filter tag */

	struct sockaddr_encap   tdb_filter; /* What traffic is acceptable */
	struct sockaddr_encap   tdb_filtermask; /* And the mask */

	TAILQ_HEAD(tdb_inp_head_in, inpcb)	tdb_inp_in;	/* PCBs using this SA inbound */
	TAILQ_HEAD(tdb_inp_head_out, inpcb)	tdb_inp_out;	/* PCBs using this SA outbound */
	TAILQ_HEAD(tdb_policy_head, ipsec_policy)	tdb_policy_head; /* policies caching this SA */
};
379 
/*
 * Minimal TDB identity: the (spi, dst, proto) triple that keys the
 * dst/spi/sproto hash table -- the same arguments gettdb() takes.
 * Used where a TDB must be referred to without holding a pointer that
 * could go stale (see ipsp_skipcrypto_mark()/_unmark()).
 */
struct tdb_ident {
	u_int32_t spi;			/* SPI */
	union sockaddr_union dst;	/* destination address */
	u_int8_t proto;			/* IPsec protocol */
};
385 
/*
 * Context handed to the crypto subsystem and returned to the *_input_cb /
 * *_output_cb callbacks (their void * argument, presumably).  It carries
 * the TDB identity (spi/dst/proto) rather than a struct tdb pointer, so
 * the callback can re-look the TDB up and notice if it was deleted while
 * the request was in flight.
 */
struct tdb_crypto {
	u_int32_t		tc_spi;		/* SPI of the TDB */
	union sockaddr_union	tc_dst;		/* destination of the TDB */
	u_int8_t		tc_proto;	/* IPsec protocol of the TDB */
	int			tc_protoff;	/* offset of the protocol field */
	int			tc_skip;	/* bytes to skip to the IPsec header */
	caddr_t			tc_ptr;		/* transform-private pointer */
};
394 
/*
 * Initialisation parameters passed to a transform's xf_init hook (and to
 * tdb_init()): algorithm identifiers plus raw key material and lengths.
 * NOTE(review): the key lengths come from the caller; xf_init is the
 * place to check them against the algorithm's expected key size before
 * the keys are copied into the TDB.
 */
struct ipsecinit {
	u_int8_t	*ii_enckey;	/* raw encryption key */
	u_int8_t	*ii_authkey;	/* raw authentication key */
	u_int16_t	ii_enckeylen;	/* length of ii_enckey, bytes */
	u_int16_t	ii_authkeylen;	/* length of ii_authkey, bytes */
	u_int8_t	ii_encalg;	/* encryption algorithm id */
	u_int8_t	ii_authalg;	/* authentication algorithm id */
	u_int8_t	ii_compalg;	/* compression algorithm id */
};
404 
/*
 * xform IDs (xformsw.xf_type).  Value 4 is not defined here.
 * NOTE(review): the etherip_* prototypes below are grouped under an
 * "XF_ETHERIP" heading, but no XF_ETHERIP id exists in this file.
 */
#define	XF_IP4		1	/* IP inside IP */
#define	XF_AH		2	/* AH */
#define	XF_ESP		3	/* ESP */
#define	XF_TCPSIGNATURE	5	/* TCP MD5 Signature option, RFC 2385 */
#define	XF_IPCOMP	6	/* IPCOMP */

/* xform attributes (xformsw.xf_flags) */
#define	XFT_AUTH	0x0001	/* provides authentication */
#define	XFT_CONF	0x0100	/* provides confidentiality */
#define	XFT_COMP	0x1000	/* provides compression */

#define	IPSEC_ZEROES_SIZE	256	/* Larger than an IP6 extension hdr. */
418 
419 #ifdef _KERNEL
420 
/*
 * Transform switch entry: the hooks one IPsec protocol (AH, ESP, IPCOMP,
 * IP-in-IP, TCP signature) provides.  Entries live in the xformsw[] table
 * declared below; a TDB points at its entry via tdb_xform.
 */
struct xformsw {
	u_short	xf_type;		/* Unique ID of xform (XF_*) */
	u_short	xf_flags;		/* flags (XFT_*) */
	char	*xf_name;		/* human-readable name */
	int	(*xf_attach)(void);	/* called at config time */
	int	(*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *);
					/* set up a TDB from ipsecinit keys/algs */
	int	(*xf_zeroize)(struct tdb *); /* termination: release (and clear) TDB state */
	int	(*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */
	int	(*xf_output)(struct mbuf *, struct tdb *, struct mbuf **,
	    int, int);        /* output */
};
432 
/*
 * Protects all tdb lists and the hash tables that link them.
 * Must at least be splsoftnet (note: do not use splsoftclock as it is
 * special on some architectures, assuming it is always an spl lowering
 * operation).  Pair every spltdb() with splx() on the saved value, as
 * SPI_CHAIN_ATTRIB() below does.
 */
#define	spltdb	splsoftnet
440 
/* Global knobs (mostly sysctl-controlled). */
extern int encdebug;			/* debug output */
extern int ipsec_acl;
extern int ipsec_keep_invalid;		/* keep TDBF_INVALID TDBs around */
extern int ipsec_in_use;		/* non-zero once IPsec is active */
extern u_int64_t ipsec_last_added;
extern int ipsec_require_pfs;
extern int ipsec_expire_acquire;	/* acquire lifetime, seconds */

extern int ipsec_policy_pool_initialized;

/*
 * Default lifetimes applied to new SAs (IPSEC_DEFAULT_*).
 * NOTE(review): these are plain int while the per-TDB byte counters are
 * u_int64_t; check the assignment sites for sign/width conversion of
 * large sysctl values.
 */
extern int ipsec_soft_allocations;
extern int ipsec_exp_allocations;
extern int ipsec_soft_bytes;
extern int ipsec_exp_bytes;
extern int ipsec_soft_timeout;
extern int ipsec_exp_timeout;
extern int ipsec_soft_first_use;
extern int ipsec_exp_first_use;
extern char ipsec_def_enc[];		/* default cipher name */
extern char ipsec_def_auth[];		/* default authenticator name */
extern char ipsec_def_comp[];		/* default compressor name */

/*
 * Algorithm descriptors.
 * NOTE(review): single DES and Skipjack are legacy-strength ciphers;
 * consider whether they should remain selectable.  No AES descriptor is
 * declared here even though IPSEC_DEFAULT_DEF_ENC is "aes".
 */
extern struct enc_xform enc_xform_des;
extern struct enc_xform enc_xform_3des;
extern struct enc_xform enc_xform_blf;
extern struct enc_xform enc_xform_cast5;
extern struct enc_xform enc_xform_skipjack;

extern struct auth_hash auth_hash_hmac_md5_96;
extern struct auth_hash auth_hash_hmac_sha1_96;
extern struct auth_hash auth_hash_hmac_ripemd_160_96;

extern struct comp_algo comp_algo_deflate;

/* Global policy and acquire lists. */
extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;
extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head;

/* Transform table and its end marker. */
extern struct xformsw xformsw[], *xformswNXFORMSW;
479 
/*
 * Check if a given tdb has encryption, authentication and/or compression,
 * returning an OR of NOTIFY_SATYPE_* values.  Evaluates x three times.
 * NOTE(review): NOTIFY_SATYPE_COMP is 5 == CONF|TUNNEL, so the result
 * for a compression-only TDB is indistinguishable from CONF|TUNNEL;
 * callers must not test the COMP bit pattern in isolation.
 */
#define	TDB_ATTRIB(x) (((x)->tdb_encalgxform ? NOTIFY_SATYPE_CONF : 0) | \
		       ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0) | \
		       ((x)->tdb_compalgxform ? NOTIFY_SATYPE_COMP : 0))
484 
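/*
 * Traverse an SA chain and collect attributes.
 *
 * Starting at TDBP, follow the TDB_DIR link (tdb_inext or tdb_onext)
 * and OR each member's TDB_ATTRIB() into (have).  The walk stops at the
 * end of the chain, at a TDB with no transform attached, or at the
 * first TDB marked TDBF_INVALID; an invalid TDB contributes nothing and
 * nothing beyond it is examined.  (have) is always assigned, and is 0
 * when TDBP is NULL.
 *
 * Runs at spltdb() so the chain cannot change underneath the walk.
 * The loop condition already rules out a NULL tmptdb, so no separate
 * NULL test is needed inside the body.
 */
#define	SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) do {\
	int s = spltdb(); \
	struct tdb *tmptdb = (TDBP); \
	\
	(have) = 0; \
	while (tmptdb != NULL && tmptdb->tdb_xform != NULL) { \
		if (tmptdb->tdb_flags & TDBF_INVALID) \
			break; \
		(have) |= TDB_ATTRIB(tmptdb); \
		tmptdb = tmptdb->TDB_DIR; \
	} \
	splx(s); \
} while (0)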
500 
/*
 * Misc.
 * NOTE(review): both return a char *, presumably into a static buffer;
 * treat the result as valid only until the next call.
 */
extern char *inet_ntoa4(struct in_addr);
extern char *ipsp_address(union sockaddr_union);

/*
 * TDB management routines.  Lookups are by (spi, dst, proto) for
 * gettdb(), by address/proto plus identity and selector for the
 * policy-matching variants.  puttdb() inserts a TDB into the hash
 * tables; tdb_delete() unlinks and destroys it; tdb_walk() calls the
 * callback for every TDB.
 */
extern void tdb_add_inp(struct tdb *, struct inpcb *, int);
extern u_int32_t reserve_spi(u_int32_t, u_int32_t, union sockaddr_union *,
    union sockaddr_union *, u_int8_t, int *);
extern struct tdb *gettdb(u_int32_t, union sockaddr_union *, u_int8_t);
extern struct tdb *gettdbbyaddr(union sockaddr_union *, u_int8_t,
    struct ipsec_ref *, struct ipsec_ref *, struct ipsec_ref *,
    struct mbuf *, int, struct sockaddr_encap *, struct sockaddr_encap *);
extern struct tdb *gettdbbysrc(union sockaddr_union *, u_int8_t,
    struct ipsec_ref *, struct ipsec_ref *, struct mbuf *, int,
    struct sockaddr_encap *, struct sockaddr_encap *);
extern struct tdb *gettdbbysrcdst(u_int32_t, union sockaddr_union *,
    union sockaddr_union *, u_int8_t);
extern void puttdb(struct tdb *);
extern void tdb_delete(struct tdb *);
extern struct tdb *tdb_alloc(void);
extern void tdb_free(struct tdb *);
extern int tdb_hash(u_int32_t, union sockaddr_union *, u_int8_t);
extern int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
extern int tdb_walk(int (*)(struct tdb *, void *, int), void *);

/* XF_IP4 (IP-in-IP encapsulation) */
extern int ipe4_attach(void);
extern int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
extern int ipe4_zeroize(struct tdb *);
extern int ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
extern void ipe4_input(struct mbuf *, ...);
extern void ipip_input(struct mbuf *, int, struct ifnet *);

#ifdef INET
extern void ip4_input(struct mbuf *, ...);
#endif /* INET */

#ifdef INET6
extern int ip4_input6(struct mbuf **, int *, int);
#endif /* INET6 */

/* XF_ETHERIP (no XF_ id is defined for it in this header) */
extern int etherip_output(struct mbuf *, struct tdb *, struct mbuf **,
    int, int);
extern void etherip_input(struct mbuf *, ...);

/*
 * XF_AH.  The *_input/_output entry points hand the packet to the crypto
 * subsystem; the matching *_cb functions complete processing when the
 * crypto request returns.
 */
extern int ah_attach(void);
extern int ah_init(struct tdb *, struct xformsw *, struct ipsecinit *);
extern int ah_zeroize(struct tdb *);
extern int ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
extern int ah_output_cb(void *);
extern int ah_input(struct mbuf *, struct tdb *, int, int);
extern int ah_input_cb(void *);
extern int ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);
extern int ah_massage_headers(struct mbuf **, int, int, int, int);

#ifdef INET
extern void ah4_input(struct mbuf *, ...);
extern int ah4_input_cb(struct mbuf *, ...);
extern void *ah4_ctlinput(int, struct sockaddr *, void *);
extern void *udpencap_ctlinput(int, struct sockaddr *, void *);
#endif /* INET */

#ifdef INET6
extern int ah6_input(struct mbuf **, int *, int);
extern int ah6_input_cb(struct mbuf *, int, int);
#endif /* INET6 */

/* XF_ESP (same input/output + callback structure as AH) */
extern int esp_attach(void);
extern int esp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
extern int esp_zeroize(struct tdb *);
extern int esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
extern int esp_output_cb(void *);
extern int esp_input(struct mbuf *, struct tdb *, int, int);
extern int esp_input_cb(void *);
extern int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);

#ifdef INET
extern void esp4_input(struct mbuf *, ...);
extern int esp4_input_cb(struct mbuf *, ...);
extern void *esp4_ctlinput(int, struct sockaddr *, void *);
#endif /* INET */

#ifdef INET6
extern int esp6_input(struct mbuf **, int *, int);
extern int esp6_input_cb(struct mbuf *, int, int);
#endif /* INET6 */

/* XF_IPCOMP (same input/output + callback structure as AH) */
extern int ipcomp_attach(void);
extern int ipcomp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
extern int ipcomp_zeroize(struct tdb *);
extern int ipcomp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
extern int ipcomp_output_cb(void *);
extern int ipcomp_input(struct mbuf *, struct tdb *, int, int);
extern int ipcomp_input_cb(void *);
extern int ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);

#ifdef INET
extern void ipcomp4_input(struct mbuf *, ...);
extern int ipcomp4_input_cb(struct mbuf *, ...);
#endif /* INET */

#ifdef INET6
extern int ipcomp6_input(struct mbuf **, int *, int);
extern int ipcomp6_input_cb(struct mbuf *, int, int);
#endif /* INET6 */

/* XF_TCPSIGNATURE (TCP MD5 signature option, RFC 2385) */
extern int tcp_signature_tdb_attach(void);
extern int tcp_signature_tdb_init(struct tdb *, struct xformsw *,
    struct ipsecinit *);
extern int tcp_signature_tdb_zeroize(struct tdb *);
extern int tcp_signature_tdb_input(struct mbuf *, struct tdb *, int,
    int);
extern int tcp_signature_tdb_output(struct mbuf *, struct tdb *,
    struct mbuf **, int, int);

/* Padding: append n bytes to an mbuf chain, returning a pointer to them */
extern caddr_t m_pad(struct mbuf *, int);

/*
 * Replay window: 32-bit sequence-number sliding-window check operating
 * on tdb_rpl/tdb_bitmap-style state.  See the definition for the
 * argument order and the meaning of the final "commit" flag.
 */
extern int checkreplaywindow32(u_int32_t, u_int32_t, u_int32_t *, u_int32_t,
    u_int32_t *, int);

extern unsigned char ipseczeroes[];	/* IPSEC_ZEROES_SIZE bytes of zero */

/* Packet processing */
extern int ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
extern int ipsp_process_done(struct mbuf *, struct tdb *);
extern struct tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int,
    struct tdb *, struct inpcb *);
extern struct tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int,
    struct tdb *, struct inpcb *, struct ipsec_policy *);
extern int ipsec_common_input(struct mbuf *, int, int, int, int, int);
extern int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int,
    struct m_tag *);
extern int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *,
    union sockaddr_union *, struct sockaddr_encap *, struct mbuf *);
extern struct ipsec_policy *ipsec_add_policy(struct inpcb *, int, int);
extern void ipsec_update_policy(struct inpcb *, struct ipsec_policy *,
    int, int);
extern int ipsec_delete_policy(struct ipsec_policy *);
extern struct ipsec_acquire *ipsp_pending_acquire(struct ipsec_policy *,
    union sockaddr_union *);
extern void ipsp_delete_acquire(void *);
extern int ipsp_is_unspecified(union sockaddr_union);
extern void ipsp_reffree(struct ipsec_ref *);	/* drop a reference, free at zero */
extern void ipsp_skipcrypto_unmark(struct tdb_ident *);
extern void ipsp_skipcrypto_mark(struct tdb_ident *);
extern struct m_tag *ipsp_parse_headers(struct mbuf *, int, u_int8_t);
extern int ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *);
extern ssize_t ipsec_hdrsz(struct tdb *);
extern void ipsec_adjust_mtu(struct mbuf *, u_int32_t);
extern int ipsp_print_tdb(struct tdb *, char *, size_t);
extern struct ipsec_acquire *ipsec_get_acquire(u_int32_t);
extern int ipsp_aux_match(struct tdb *,
    struct ipsec_ref *, struct ipsec_ref *,
    struct ipsec_ref *, struct ipsec_ref *,
    struct sockaddr_encap *, struct sockaddr_encap *);
662     struct sockaddr_encap *, struct sockaddr_encap *);
663 #endif /* _KERNEL */
664 #endif /* _NETINET_IPSP_H_ */
665