1 /*	$OpenBSD: ip_ipsp.h,v 1.169 2015/04/17 11:04:01 mikeb Exp $	*/
2 /*
3  * The authors of this code are John Ioannidis (ji@tla.org),
4  * Angelos D. Keromytis (kermit@csd.uch.gr),
5  * Niels Provos (provos@physnet.uni-hamburg.de) and
6  * Niklas Hallqvist (niklas@appli.se).
7  *
8  * The original version of this code was written by John Ioannidis
9  * for BSD/OS in Athens, Greece, in November 1995.
10  *
11  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12  * by Angelos D. Keromytis.
13  *
14  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15  * and Niels Provos.
16  *
17  * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
18  *
19  * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20  * Angelos D. Keromytis and Niels Provos.
21  * Copyright (c) 1999 Niklas Hallqvist.
22  * Copyright (c) 2001, Angelos D. Keromytis.
23  *
24  * Permission to use, copy, and modify this software with or without fee
25  * is hereby granted, provided that this entire notice is included in
26  * all copies of any software which is or includes a copy or
27  * modification of this software.
28  * You may use this code under the GNU public license if you so wish. Please
29  * contribute changes back to the authors under this freer than GPL license
30  * so that we may further the use of strong encryption without limitations to
31  * all.
32  *
33  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37  * PURPOSE.
38  */
39 
40 #ifndef _NETINET_IPSP_H_
41 #define _NETINET_IPSP_H_
42 
struct m_tag;	/* forward declaration only; nothing in this header references it */
44 
45 /* IPSP global definitions. */
46 
47 #include <sys/types.h>
48 #ifdef _KERNEL
49 #include <sys/timeout.h>
50 #endif
51 #include <sys/queue.h>
52 #include <netinet/in.h>
53 
/*
 * One storage object large enough for any address family IPsec deals
 * with (generic, IPv4, IPv6).  Code picks the member matching the
 * address family in use; sa is the family-independent view.
 */
union sockaddr_union {
	struct sockaddr		sa;
	struct sockaddr_in	sin;
	struct sockaddr_in6	sin6;
};
59 
/*
 * HMAC key sizes, in bytes.  Each equals the output length of the
 * underlying hash, which is the key length the HMAC-*-96 IPsec
 * algorithms are specified with.
 */
#define	MD5HMAC96_KEYSIZE	16
#define	SHA1HMAC96_KEYSIZE	20
#define	RIPEMD160HMAC96_KEYSIZE	20
#define	SHA2_256HMAC96_KEYSIZE	32
#define	SHA2_384HMAC96_KEYSIZE	48
#define	SHA2_512HMAC96_KEYSIZE	64

/*
 * AH_HMAC_MAX_HASHLEN is the largest *truncated* ICV carried on the
 * wire (HMAC-SHA-512 is truncated to 256 bits in IPsec, RFC 4868);
 * the full digest lengths are the AH_*_ALEN values below.
 */
#define	AH_HMAC_MAX_HASHLEN	32	/* 256 bits of authenticator for SHA512 */
#define	AH_HMAC_RPLENGTH	4	/* 32 bits of replay counter */
#define	AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */

/* Authenticator lengths (full digest size, in bytes) */
#define	AH_MD5_ALEN		16
#define	AH_SHA1_ALEN		20
#define	AH_RMD160_ALEN		20
#define	AH_SHA2_256_ALEN	32
#define	AH_SHA2_384_ALEN	48
#define	AH_SHA2_512_ALEN	64
#define	AH_ALEN_MAX		64 	/* Keep updated: must stay the largest AH_*_ALEN (SHA2_512) */

/*
 * Reserved SPI numbers.  SPI 0 is for local/implementation use and
 * 1-255 are reserved (RFC 4303); neither may be handed out for a
 * negotiated SA.
 */
#define	SPI_LOCAL_USE		0
#define	SPI_RESERVED_MIN	1
#define	SPI_RESERVED_MAX	255

/* Reserved CPI numbers (IPComp).  The private range is 0xf000-0xffff. */
#define CPI_RESERVED_MIN	1
#define CPI_RESERVED_MAX	255
#define CPI_PRIVATE_MIN		61440
#define CPI_PRIVATE_MAX		65535

/*
 * sysctl default values; presumably the initial values of the
 * ipsec_* tunables declared under _KERNEL further down.  Times are
 * in seconds.
 */
#define	IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT	60	/* 1 minute */
#define	IPSEC_DEFAULT_PFS			1
#define	IPSEC_DEFAULT_SOFT_ALLOCATIONS		0
#define	IPSEC_DEFAULT_EXP_ALLOCATIONS		0
#define	IPSEC_DEFAULT_SOFT_BYTES		0
#define	IPSEC_DEFAULT_EXP_BYTES			0
#define	IPSEC_DEFAULT_SOFT_TIMEOUT		80000
#define	IPSEC_DEFAULT_EXP_TIMEOUT		86400	/* 1 day */
#define	IPSEC_DEFAULT_SOFT_FIRST_USE		3600
#define	IPSEC_DEFAULT_EXP_FIRST_USE		7200
#define	IPSEC_DEFAULT_DEF_ENC			"aes"
#define	IPSEC_DEFAULT_DEF_AUTH			"hmac-sha1"
#define	IPSEC_DEFAULT_EXPIRE_ACQUIRE		30
#define	IPSEC_DEFAULT_DEF_COMP			"deflate"
107 
/*
 * Flow selector used as the "address" for policy lookups (see the
 * SENT_* comment below on how it is matched).  sen_type says which
 * union member is valid: SENT_IP4 -> Sip4, SENT_IP6 -> Sip6,
 * SENT_IPSP -> PolicyHead.
 */
struct sockaddr_encap {
	u_int8_t	sen_len;		/* length */
	u_int8_t	sen_family;		/* PF_KEY */
	u_int16_t	sen_type;		/* see SENT_* */
	union {
		struct {				/* SENT_IP4 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_IN/OUT */
			struct in_addr	Src;
			struct in_addr	Dst;
			u_int8_t	Proto;		/* IP protocol number */
			u_int16_t	Sport;		/* transport ports */
			u_int16_t	Dport;
		} Sip4;

		struct {				/* SENT_IP6 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_IN/OUT */
			struct in6_addr	Src;
			struct in6_addr	Dst;
			u_int8_t	Proto;		/* IP protocol number */
			u_int16_t	Sport;		/* transport ports */
			u_int16_t	Dport;
		} Sip6;

		struct ipsec_policy	*PolicyHead;	/* SENT_IPSP */
	} Sen;
};
134 
/* Values of the Direction selector field in struct sockaddr_encap */
#define	IPSP_DIRECTION_IN	0x1
#define	IPSP_DIRECTION_OUT	0x2

#ifdef _KERNEL

/*
 * Short-hand accessors for the sockaddr_encap union members.
 * NOTE(review): sen_data expands to Sen.Data, but the union above has
 * no member named Data (only Sip4, Sip6 and PolicyHead), so any use
 * of sen_data cannot compile; it looks like a leftover.
 */
#define	sen_data		Sen.Data
#define	sen_ip_src		Sen.Sip4.Src
#define	sen_ip_dst		Sen.Sip4.Dst
#define	sen_proto		Sen.Sip4.Proto
#define	sen_sport		Sen.Sip4.Sport
#define	sen_dport		Sen.Sip4.Dport
#define	sen_direction		Sen.Sip4.Direction
#define	sen_ip6_src		Sen.Sip6.Src
#define	sen_ip6_dst		Sen.Sip6.Dst
#define	sen_ip6_proto		Sen.Sip6.Proto
#define	sen_ip6_sport		Sen.Sip6.Sport
#define	sen_ip6_dport		Sen.Sip6.Dport
#define	sen_ip6_direction	Sen.Sip6.Direction
#define	sen_ipsp		Sen.PolicyHead

/*
 * The "type" is really part of the address as far as the routing
 * system is concerned. By using only one bit in the type field
 * for each type, we sort-of make sure that different types of
 * encapsulation addresses won't be matched against the wrong type.
 *
 */

#define	SENT_IP4	0x0001		/* data is two struct in_addr */
#define	SENT_IPSP	0x0002		/* data as in IP4/6 plus SPI */
#define	SENT_IP6	0x0004

#define	SENT_LEN	sizeof(struct sockaddr_encap)
168 
/*
 * Reference-counted identity blob (subtype from IPSP_IDENTITY_* below);
 * the ref_len bytes of payload follow the struct in memory.
 * NOTE(review): ref_len is a signed int16_t.  Code that derives copy
 * or allocation sizes from it should reject negative values -- confirm
 * in the consumers, which are not in this header.
 */
struct ipsec_ref {
	u_int16_t	ref_type;	/* Subtype of data */
	int16_t		ref_len;	/* Length of data following */
	int		ref_count;	/* Reference count */
	int		ref_malloctype;	/* malloc(9) type, for freeing */
};
175 
/*
 * Pending request to key management for an SA that a policy needs
 * but does not have.  Expired by ipa_timeout; linked both on the
 * owning policy's ipo_acquires list (ipa_ipo_next) and on the global
 * ipsec_acquire_head list (ipa_next).
 */
struct ipsec_acquire {
	union sockaddr_union		ipa_addr;	/* peer being acquired for */
	u_int32_t			ipa_seq;	/* presumably the PF_KEY sequence number -- confirm */
	struct sockaddr_encap		ipa_info;	/* flow that triggered the acquire */
	struct sockaddr_encap		ipa_mask;
	struct timeout			ipa_timeout;
	struct ipsec_policy		*ipa_policy;	/* owning policy */
	struct inpcb                    *ipa_pcb;
	TAILQ_ENTRY(ipsec_acquire)	ipa_ipo_next;	/* ipo_acquires link */
	TAILQ_ENTRY(ipsec_acquire)	ipa_next;	/* ipsec_acquire_head link */
};
187 
/*
 * Security policy entry.  ipo_addr/ipo_mask select the traffic it
 * applies to (a sockaddr_encap flow selector plus mask), ipo_type says
 * what to do with that traffic (IPSP_IPSEC_USE ... IPSP_IPSEC_DONTACQ
 * below), and ipo_tdb caches the SA last matched for the policy.
 */
struct ipsec_policy {
	struct sockaddr_encap	ipo_addr;
	struct sockaddr_encap	ipo_mask;

	union sockaddr_union	ipo_src;	/* Local address to use */
	union sockaddr_union	ipo_dst;	/* Remote gateway -- if it's zeroed:
						 * - on output, we try to
						 * contact the remote host
						 * directly (if needed).
						 * - on input, we accept only if
						 * the inner source is the
						 * same as the outer source
						 * address, or if transport
						 * mode was used.
						 */

	u_int64_t		ipo_last_searched;	/* Timestamp of last lookup */

	u_int8_t		ipo_flags;	/* See IPSP_POLICY_* definitions */
	u_int8_t		ipo_type;	/* USE/ACQUIRE/... */
	u_int8_t		ipo_sproto;	/* ESP/AH; if zero, use system dflts */
	u_int			ipo_rdomain;	/* Routing domain the policy lives in */

	int                     ipo_ref_count;

	struct tdb		*ipo_tdb;		/* Cached entry */

	struct ipsec_ref	*ipo_srcid;	/* Required identities (may be NULL -- confirm) */
	struct ipsec_ref	*ipo_dstid;

	TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */
	TAILQ_ENTRY(ipsec_policy)	ipo_tdb_next;	/* List TDB policies */
	TAILQ_ENTRY(ipsec_policy)	ipo_list;	/* List of all policies */
};
222 
/* ipo_flags bits (0x0001 is not assigned here) */
#define	IPSP_POLICY_NONE	0x0000	/* No flags set */
#define	IPSP_POLICY_STATIC	0x0002	/* Static policy */

/* ipo_type values: what to do with traffic matching the policy */
#define	IPSP_IPSEC_USE		0	/* Use if existing, don't acquire */
#define	IPSP_IPSEC_ACQUIRE	1	/* Try acquire, let packet through */
#define	IPSP_IPSEC_REQUIRE	2	/* Require SA */
#define	IPSP_PERMIT		3	/* Permit traffic through */
#define	IPSP_DENY		4	/* Deny traffic */
#define	IPSP_IPSEC_DONTACQ	5	/* Require, but don't acquire */

/* Identity types (ref_type in struct ipsec_ref) */
#define	IPSP_IDENTITY_NONE		0
#define	IPSP_IDENTITY_PREFIX		1
#define	IPSP_IDENTITY_FQDN		2
#define	IPSP_IDENTITY_USERFQDN		3
238 
/*
 * Tunnel descriptor block: one security association.  It is identified
 * by the (tdb_spi, tdb_dst, tdb_sproto, tdb_rdomain) tuple, which is
 * also what struct tdb_ident further down carries.  Besides the keys
 * and algorithms it holds the lifetime counters (bytes, allocations,
 * time, first use) that drive soft/hard expiration, and the
 * anti-replay state.
 */
struct tdb {				/* tunnel descriptor block */
	/*
	 * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
	 * one keyed on dst/sproto, and one keyed on src/sproto. The first
	 * is used for finding a specific TDB, the second for finding TDBs
	 * for outgoing policy matching, and the third for incoming
	 * policy matching. The following three fields maintain the hash
	 * queues in those three tables.
	 */
	struct tdb	*tdb_hnext;	/* dst/spi/sproto table */
	struct tdb	*tdb_dnext;	/* dst/sproto table */
	struct tdb	*tdb_snext;	/* src/sproto table */
	struct tdb	*tdb_inext;	/* input/output chaining of bundled SAs -- presumably; not used in this header */
	struct tdb	*tdb_onext;

	struct xformsw		*tdb_xform;		/* Transform to use */
	struct enc_xform	*tdb_encalgxform;	/* Enc algorithm */
	struct auth_hash	*tdb_authalgxform;	/* Auth algorithm */
	struct comp_algo	*tdb_compalgxform;	/* Compression algo */

/*
 * tdb_flags bits.  Note the gaps (0x00040, 0x02000-0x08000 are not
 * assigned here); check all users before reusing a value.
 */
#define	TDBF_UNIQUE		0x00001	/* This should not be used by others */
#define	TDBF_TIMER		0x00002	/* Absolute expiration timer in use */
#define	TDBF_BYTES		0x00004	/* Check the byte counters */
#define	TDBF_ALLOCATIONS	0x00008	/* Check the flows counters */
#define	TDBF_INVALID		0x00010	/* This SPI is not valid yet/anymore */
#define	TDBF_FIRSTUSE		0x00020	/* Expire after first use */
#define	TDBF_SOFT_TIMER		0x00080	/* Soft expiration */
#define	TDBF_SOFT_BYTES		0x00100	/* Soft expiration */
#define	TDBF_SOFT_ALLOCATIONS	0x00200	/* Soft expiration */
#define	TDBF_SOFT_FIRSTUSE	0x00400	/* Soft expiration */
#define	TDBF_PFS		0x00800	/* Ask for PFS from Key Mgmt. */
#define	TDBF_TUNNELING		0x01000	/* Force IP-IP encapsulation */
#define	TDBF_USEDTUNNEL		0x10000	/* Appended a tunnel header in past */
#define	TDBF_UDPENCAP		0x20000	/* UDP encapsulation */
#define	TDBF_PFSYNC		0x40000	/* TDB will be synced */
#define	TDBF_PFSYNC_RPL		0x80000	/* Replay counter should be bumped */
#define	TDBF_ESN		0x100000 /* 64-bit sequence numbers (ESN) */

	u_int32_t	tdb_flags;	/* Flags related to this TDB */

	/* One timeout per expiration kind: hard/soft timer, hard/soft first-use */
	struct timeout	tdb_timer_tmo;
	struct timeout	tdb_first_tmo;
	struct timeout	tdb_stimer_tmo;
	struct timeout	tdb_sfirst_tmo;

	u_int32_t	tdb_seq;		/* Tracking number for PFKEY */
	u_int32_t	tdb_exp_allocations;	/* Expire after so many flows */
	u_int32_t	tdb_soft_allocations;	/* Expiration warning */
	u_int32_t	tdb_cur_allocations;	/* Total number of allocs */

	u_int64_t	tdb_exp_bytes;	/* Expire after so many bytes passed */
	u_int64_t	tdb_soft_bytes;	/* Expiration warning */
	u_int64_t	tdb_cur_bytes;	/* Current count of bytes */

	u_int64_t	tdb_exp_timeout;	/* When does the SPI expire */
	u_int64_t	tdb_soft_timeout;	/* Send soft-expire warning */
	u_int64_t	tdb_established;	/* When was SPI established */

	u_int64_t	tdb_first_use;		/* When was it first used */
	u_int64_t	tdb_soft_first_use;	/* Soft warning */
	u_int64_t	tdb_exp_first_use;	/* Expire if tdb_first_use +
						 * tdb_exp_first_use <= curtime
						 */

	u_int64_t	tdb_last_used;	/* When was this SA last used */
	u_int64_t	tdb_last_marked;/* Last SKIPCRYPTO status change */

	u_int64_t	tdb_cryptoid;	/* Crypto session ID */

	u_int32_t	tdb_spi;	/* SPI */
	u_int16_t	tdb_amxkeylen;	/* Raw authentication key length */
	u_int16_t	tdb_emxkeylen;	/* Raw encryption key length */
	u_int16_t	tdb_ivlen;	/* IV length */
	u_int8_t	tdb_sproto;	/* IPsec protocol */
	u_int8_t	tdb_wnd;	/* Replay window (at most 255; relation to TDB_REPLAYMAX not visible here) */
	u_int8_t	tdb_satype;	/* SA type (RFC2367, PF_KEY) */
	u_int8_t	tdb_updates;	/* pfsync update counter */

	union sockaddr_union	tdb_dst;	/* Destination address */
	union sockaddr_union	tdb_src;	/* Source address */

	/*
	 * Key material lives behind these pointers (lengths above).  It
	 * is secret: whatever frees a TDB must wipe the bytes before
	 * releasing them -- the xf_zeroize hooks declared later are
	 * presumably where that happens; confirm in the transforms.
	 */
	u_int8_t	*tdb_amxkey;	/* Raw authentication key */
	u_int8_t	*tdb_emxkey;	/* Raw encryption key */

/* Anti-replay bitmap size in bits: 2100 usable plus 32 of slack */
#define TDB_REPLAYWASTE	32
#define TDB_REPLAYMAX	(2100+TDB_REPLAYWASTE)

	u_int64_t	tdb_rpl;	/* Replay counter */
	u_int32_t	tdb_seen[howmany(TDB_REPLAYMAX, 32)]; /* Anti-replay window */

	u_int8_t	tdb_iv[4];	/* Used for HALF-IV ESP */

	struct ipsec_ref	*tdb_srcid;	/* Source ID for this SA */
	struct ipsec_ref	*tdb_dstid;	/* Destination ID for this SA */

	u_int32_t	tdb_mtu;	/* MTU at this point in the chain */
	u_int64_t	tdb_mtutimeout;	/* When to ignore this entry */

	u_int16_t	tdb_udpencap_port;	/* Peer UDP port */

	u_int16_t	tdb_tag;		/* Packet filter tag */
	u_int32_t	tdb_tap;		/* Alternate enc(4) interface */

	u_int		tdb_rdomain;		/* Routing domain */

	struct sockaddr_encap   tdb_filter; /* What traffic is acceptable */
	struct sockaddr_encap   tdb_filtermask; /* And the mask */

	TAILQ_HEAD(tdb_policy_head, ipsec_policy)	tdb_policy_head; /* Policies caching this TDB */
	TAILQ_ENTRY(tdb)	tdb_sync_entry;		/* pfsync queue link */
};
350 
351 #endif /* _KERNEL */
352 
/*
 * Lookup key for a TDB: the tuple gettdb() takes.  Also visible to
 * userland (outside _KERNEL).
 */
struct tdb_ident {
	u_int32_t spi;
	union sockaddr_union dst;
	u_int8_t proto;
	u_int rdomain;
};
359 
/*
 * Context handed through an asynchronous crypto operation: the TDB
 * identity (so the TDB can be looked up again when the job completes
 * rather than holding a pointer -- presumably) plus the packet
 * offsets the callback needs.
 */
struct tdb_crypto {
	u_int32_t		tc_spi;
	union sockaddr_union	tc_dst;
	u_int8_t		tc_proto;
	int			tc_protoff;	/* offset of the protocol field -- confirm in callers */
	int			tc_skip;	/* bytes to skip to reach the IPsec header -- confirm */
	u_int			tc_rdomain;
};
368 
/*
 * Parameters for tdb_init()/xf_init(): key material and algorithm
 * identifiers for a new SA.  The key pointers are not owned by this
 * struct as far as this header shows.
 */
struct ipsecinit {
	u_int8_t	*ii_enckey;
	u_int8_t	*ii_authkey;
	u_int16_t	ii_enckeylen;
	u_int16_t	ii_authkeylen;
	u_int8_t	ii_encalg;
	u_int8_t	ii_authalg;
	u_int8_t	ii_compalg;
};
378 
/* xform IDs (xf_type in struct xformsw); value 4 is not assigned here */
#define	XF_IP4		1	/* IP inside IP */
#define	XF_AH		2	/* AH */
#define	XF_ESP		3	/* ESP */
#define	XF_TCPSIGNATURE	5	/* TCP MD5 Signature option, RFC 2385 */
#define	XF_IPCOMP	6	/* IPCOMP */

/* xform attributes (xf_flags in struct xformsw) */
#define	XFT_AUTH	0x0001	/* provides authentication */
#define	XFT_CONF	0x0100	/* provides confidentiality */
#define	XFT_COMP	0x1000	/* provides compression */

#define	IPSEC_ZEROES_SIZE	256	/* Larger than an IP6 extension hdr. */
392 
393 #ifdef _KERNEL
394 
/*
 * Transform switch: the per-protocol entry points (AH, ESP, IPCOMP,
 * IP-in-IP, TCP signature) the generic code dispatches through.  The
 * matching implementations are declared by name below.
 */
struct xformsw {
	u_short	xf_type;		/* Unique ID of xform */
	u_short	xf_flags;		/* flags (see below) */
	char	*xf_name;		/* human-readable name */
	int	(*xf_attach)(void);	/* called at config time */
	int	(*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *);
	int	(*xf_zeroize)(struct tdb *); /* termination */
	int	(*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */
	int	(*xf_output)(struct mbuf *, struct tdb *, struct mbuf **,
	    int, int);        /* output */
};
406 
extern int ipsec_in_use;
extern u_int64_t ipsec_last_added;
extern int ipsec_policy_pool_initialized;

/* Tunables; the IPSEC_DEFAULT_* values above are their presumed defaults */
extern int ipsec_keep_invalid;		/* lifetime of embryonic SAs (in sec) */
extern int ipsec_require_pfs;		/* use Perfect Forward Secrecy */
extern int ipsec_expire_acquire;	/* wait for security assoc. (in sec) */
extern int ipsec_soft_allocations;	/* flows/SA before renegotiation */
extern int ipsec_exp_allocations;	/* num. of flows/SA before it expires */
extern int ipsec_soft_bytes;		/* bytes/SA before renegotiation */
extern int ipsec_exp_bytes;		/* num of bytes/SA before it expires */
extern int ipsec_soft_timeout;		/* seconds/SA before renegotiation */
extern int ipsec_exp_timeout;		/* seconds/SA before it expires */
extern int ipsec_soft_first_use;	/* seconds between 1st asso & renego */
extern int ipsec_exp_first_use;		/* seconds between 1st asso & expire */

/* Default algorithm names (cf. IPSEC_DEFAULT_DEF_ENC/AUTH/COMP) */
extern char ipsec_def_enc[];
extern char ipsec_def_auth[];
extern char ipsec_def_comp[];

/*
 * Cipher transforms compiled in.  Single DES has a 56-bit key and is
 * not adequate against a capable adversary; its presence here only
 * means the transform exists, not that it is the default (see
 * IPSEC_DEFAULT_DEF_ENC).
 */
extern struct enc_xform enc_xform_des;
extern struct enc_xform enc_xform_3des;
extern struct enc_xform enc_xform_blf;
extern struct enc_xform enc_xform_cast5;

extern struct auth_hash auth_hash_hmac_md5_96;
extern struct auth_hash auth_hash_hmac_sha1_96;
extern struct auth_hash auth_hash_hmac_ripemd_160_96;

extern struct comp_algo comp_algo_deflate;

/* Global lists of all policies and all pending acquires */
extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;
extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head;
440 
/* Misc. */
#ifdef ENCDEBUG
/* Debug-only: format an address into the caller's buffer of the given size */
const char *ipsp_address(union sockaddr_union *, char *, socklen_t);
#endif /* ENCDEBUG */

/*
 * TDB management routines.
 * reserve_spi() returns uint32_t (the same type spelled u_int32_t
 * elsewhere in this header); its final int * is presumably an error
 * out-parameter -- confirm in the implementation.
 * The gettdb* lookups take the rdomain first and identify the SA by
 * (spi, dst, sproto) as in struct tdb_ident; the by-dst/by-src
 * variants additionally match identities and a flow filter/mask.
 */
uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *,
		union sockaddr_union *, u_int8_t, int *);
struct	tdb *gettdb(u_int, u_int32_t, union sockaddr_union *, u_int8_t);
struct	tdb *gettdbbydst(u_int, union sockaddr_union *, u_int8_t,
		struct ipsec_ref *, struct ipsec_ref *,
		struct sockaddr_encap *, struct sockaddr_encap *);
struct	tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t,
		struct ipsec_ref *, struct ipsec_ref *,
		struct sockaddr_encap *, struct sockaddr_encap *);
struct	tdb *gettdbbysrcdst(u_int, u_int32_t, union sockaddr_union *,
		union sockaddr_union *, u_int8_t);
void	puttdb(struct tdb *);		/* insert into the hash tables */
void	tdb_delete(struct tdb *);
struct	tdb *tdb_alloc(u_int);		/* argument: rdomain */
void	tdb_free(struct tdb *);
int	tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);	/* u_int16_t: presumably an XF_* id */
int	tdb_walk(u_int, int (*)(struct tdb *, void *, int), void *);	/* callback per TDB with the opaque arg */
464 
/* XF_IP4: IP-in-IP encapsulation transform */
int	ipe4_attach(void);
int	ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int	ipe4_zeroize(struct tdb *);
void	ipe4_input(struct mbuf *, ...);
void	ipip_input(struct mbuf *, int, struct ifnet *, int);
int	ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);

void	ip4_input(struct mbuf *, ...);

#ifdef INET6
int	ip4_input6(struct mbuf **, int *, int);
#endif /* INET6 */
478 
/*
 * Per-protocol transform entry points; each set has the shape of the
 * struct xformsw function pointers (attach/init/zeroize/input/output)
 * plus protocol-specific sysctl and protocol-dispatch input hooks.
 */

/* XF_AH */
int 	ah_attach(void);
int 	ah_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int 	ah_zeroize(struct tdb *);
int	ah_input(struct mbuf *, struct tdb *, int, int);
int	ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
int	ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);

void	ah4_input(struct mbuf *, ...);
void	*ah4_ctlinput(int, struct sockaddr *, u_int, void *);
void	*udpencap_ctlinput(int, struct sockaddr *, u_int, void *);

#ifdef INET6
int	ah6_input(struct mbuf **, int *, int);
#endif /* INET6 */

/* XF_ESP */
int	esp_attach(void);
int	esp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int	esp_zeroize(struct tdb *);
int	esp_input(struct mbuf *, struct tdb *, int, int);
int	esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
int	esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);

void	esp4_input(struct mbuf *, ...);
void	*esp4_ctlinput(int, struct sockaddr *, u_int, void *);

#ifdef INET6
int 	esp6_input(struct mbuf **, int *, int);
#endif /* INET6 */

/* XF_IPCOMP */
int	ipcomp_attach(void);
int	ipcomp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int	ipcomp_zeroize(struct tdb *);
int	ipcomp_input(struct mbuf *, struct tdb *, int, int);
int	ipcomp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
int	ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);

void	ipcomp4_input(struct mbuf *, ...);

#ifdef INET6
int	ipcomp6_input(struct mbuf **, int *, int);
#endif /* INET6 */

/* XF_TCPSIGNATURE (TCP MD5 signature option, RFC 2385) */
int	tcp_signature_tdb_attach(void);
int	tcp_signature_tdb_init(struct tdb *, struct xformsw *,
	    struct ipsecinit *);
int	tcp_signature_tdb_zeroize(struct tdb *);
int	tcp_signature_tdb_input(struct mbuf *, struct tdb *, int, int);
int	tcp_signature_tdb_output(struct mbuf *, struct tdb *, struct mbuf **,
	  int, int);
532 
/*
 * Replay window: check (and, presumably, advance) the anti-replay state
 * in tdb_rpl/tdb_seen for a received sequence number.  The u_int32_t *
 * out-parameter and the trailing int flag are not documented here --
 * confirm their meaning in the implementation.
 */
int	checkreplaywindow(struct tdb *, u_int32_t, u_int32_t *, int);

/* Packet processing */
int	ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
int	ipsp_process_done(struct mbuf *, struct tdb *);
/* Security policy lookup: returns the TDB to use for the packet, or NULL -- confirm the error convention */
struct	tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int,
	    struct tdb *, struct inpcb *, u_int32_t);
struct	tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int,
	    struct tdb *, struct inpcb *, struct ipsec_policy *);
int	ipsp_is_unspecified(union sockaddr_union);	/* takes the union by value */
int	ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *);
void	ipsp_reffree(struct ipsec_ref *);		/* drops one ref_count reference */
int	ipsp_aux_match(struct tdb *, struct ipsec_ref *, struct ipsec_ref *,
	    struct sockaddr_encap *, struct sockaddr_encap *);

int	ipsec_common_input(struct mbuf *, int, int, int, int, int);
int	ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int);
int	ipsec_delete_policy(struct ipsec_policy *);
ssize_t	ipsec_hdrsz(struct tdb *);		/* header overhead the SA adds; ssize_t so it can signal an error */
void	ipsec_adjust_mtu(struct mbuf *, u_int32_t);
struct	ipsec_acquire *ipsec_get_acquire(u_int32_t);	/* look up a pending acquire by sequence number -- presumably ipa_seq */
555 
556 #endif /* _KERNEL */
557 #endif /* _NETINET_IPSP_H_ */
558