1 /*	$OpenBSD: ip_ipsp.h,v 1.194 2020/04/23 19:38:08 tobhe Exp $	*/
2 /*
3  * The authors of this code are John Ioannidis (ji@tla.org),
4  * Angelos D. Keromytis (kermit@csd.uch.gr),
5  * Niels Provos (provos@physnet.uni-hamburg.de) and
6  * Niklas Hallqvist (niklas@appli.se).
7  *
8  * The original version of this code was written by John Ioannidis
9  * for BSD/OS in Athens, Greece, in November 1995.
10  *
11  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12  * by Angelos D. Keromytis.
13  *
14  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15  * and Niels Provos.
16  *
17  * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
18  *
19  * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20  * Angelos D. Keromytis and Niels Provos.
21  * Copyright (c) 1999 Niklas Hallqvist.
22  * Copyright (c) 2001, Angelos D. Keromytis.
23  *
24  * Permission to use, copy, and modify this software with or without fee
25  * is hereby granted, provided that this entire notice is included in
26  * all copies of any software which is or includes a copy or
27  * modification of this software.
28  * You may use this code under the GNU public license if you so wish. Please
29  * contribute changes back to the authors under this freer than GPL license
30  * so that we may further the use of strong encryption without limitations to
31  * all.
32  *
33  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37  * PURPOSE.
38  */
39 
40 #ifndef _NETINET_IPSP_H_
41 #define _NETINET_IPSP_H_
42 
43 /* IPSP global definitions. */
44 
45 #include <sys/types.h>
46 #include <netinet/in.h>
47 
/*
 * Address container used throughout the IPsec code so that IPv4 and
 * IPv6 endpoints can be stored and passed around uniformly.  The
 * generic view (sa) is the one to consult for sa_family/sa_len before
 * touching a family-specific member; the union itself records nothing
 * about which member is currently valid.
 */
union sockaddr_union {
	struct sockaddr		sa;	/* generic view: family and length */
	struct sockaddr_in	sin;	/* AF_INET view */
	struct sockaddr_in6	sin6;	/* AF_INET6 view */
};
53 
#define	AH_HMAC_MAX_HASHLEN	32	/* 256 bits of authenticator for SHA512 */
#define	AH_HMAC_RPLENGTH	4	/* 32 bits of replay counter */
#define	AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */

/*
 * Authenticator lengths (bytes of ICV produced by each AH algorithm).
 * AH_ALEN_MAX sizes fixed buffers that must hold any of them, so it
 * has to equal the largest value in this list -- currently
 * AH_SHA2_512_ALEN.  Adding a longer algorithm without bumping it
 * would truncate the authenticator or overrun such buffers.
 */
#define	AH_MD5_ALEN		16
#define	AH_SHA1_ALEN		20
#define	AH_RMD160_ALEN		20
#define	AH_SHA2_256_ALEN	32
#define	AH_SHA2_384_ALEN	48
#define	AH_SHA2_512_ALEN	64
#define	AH_ALEN_MAX		64 	/* Keep updated: must be max(AH_*_ALEN) above */
66 
67 /* Reserved SPI numbers */
68 #define	SPI_LOCAL_USE		0
69 #define	SPI_RESERVED_MIN	1
70 #define	SPI_RESERVED_MAX	255
71 
72 /* Reserved CPI numbers */
73 #define CPI_RESERVED_MIN	1
74 #define CPI_RESERVED_MAX	255
75 #define CPI_PRIVATE_MIN		61440
76 #define CPI_PRIVATE_MAX		65535
77 
78 /* sysctl default values */
/*
 * Initial values for the tunables declared as extern ipsec_* ints and
 * ipsec_def_* strings in the _KERNEL section below; they are adjustable
 * at run time through the IPSEC_* sysctl names defined there.  Each
 * "SOFT" limit is the point at which renegotiation is requested and the
 * matching "EXP" limit is the point at which the SA is actually expired,
 * so a soft value must stay below its hard counterpart (80000 < 86400,
 * 3600 < 7200).  A value of 0 for the byte/allocation limits means the
 * limit is not applied.
 * NOTE(review): the "0 disables" reading is inferred from the defaults;
 * confirm against the code that consumes ipsec_soft_bytes et al.
 */
#define	IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT	60	/* 1 minute; see ipsec_keep_invalid */
#define	IPSEC_DEFAULT_PFS			1
#define	IPSEC_DEFAULT_SOFT_ALLOCATIONS		0
#define	IPSEC_DEFAULT_EXP_ALLOCATIONS		0
#define	IPSEC_DEFAULT_SOFT_BYTES		0
#define	IPSEC_DEFAULT_EXP_BYTES			0
#define	IPSEC_DEFAULT_SOFT_TIMEOUT		80000	/* seconds */
#define	IPSEC_DEFAULT_EXP_TIMEOUT		86400	/* seconds (1 day) */
#define	IPSEC_DEFAULT_SOFT_FIRST_USE		3600	/* seconds after first use */
#define	IPSEC_DEFAULT_EXP_FIRST_USE		7200	/* seconds after first use */
#define	IPSEC_DEFAULT_DEF_ENC			"aes"
#define	IPSEC_DEFAULT_DEF_AUTH			"hmac-sha1"	/* default only; see ipsec_def_auth[] */
#define	IPSEC_DEFAULT_EXPIRE_ACQUIRE		30	/* seconds to wait for key mgmt */
#define	IPSEC_DEFAULT_DEF_COMP			"deflate"
93 
/*
 * Encapsulation address: the address/mask type used to key the security
 * policy database (see ipo_addr/ipo_mask in struct ipsec_policy and the
 * radix_node glue there).  sen_type selects which member of the Sen
 * union is meaningful; callers must check it before reading Sip4, Sip6
 * or PolicyHead.  Because the struct is compared byte-wise as a radix
 * key, the compiler-inserted padding between members matters as much as
 * the fields themselves.
 * NOTE(review): presumably every instance is zeroed before the fields
 * are filled in so that padding compares equal -- confirm in the code
 * that builds these.
 */
struct sockaddr_encap {
	u_int8_t	sen_len;		/* length */
	u_int8_t	sen_family;		/* PF_KEY */
	u_int16_t	sen_type;		/* see SENT_* */
	union {
		struct {				/* SENT_IP4 */
			u_int8_t	Direction;	/* presumably IPSP_DIRECTION_* */
			struct in_addr	Src;
			struct in_addr	Dst;
			u_int8_t	Proto;
			u_int16_t	Sport;
			u_int16_t	Dport;
		} Sip4;

		struct {				/* SENT_IP6 */
			u_int8_t	Direction;	/* presumably IPSP_DIRECTION_* */
			struct in6_addr	Src;
			struct in6_addr	Dst;
			u_int8_t	Proto;
			u_int16_t	Sport;
			u_int16_t	Dport;
		} Sip6;

		struct ipsec_policy	*PolicyHead;	/* SENT_IPSP */
	} Sen;
};
120 
121 #define	IPSP_DIRECTION_IN	0x1
122 #define	IPSP_DIRECTION_OUT	0x2
123 
/*
 * Global IPsec statistics in the layout seen outside the kernel
 * (presumably what the IPSEC_STATS sysctl hands to userland).  The
 * field order is mirrored, index for index, by enum ipsec_counters in
 * the _KERNEL section below: a field added or moved here must be added
 * or moved there in the same position, or the per-CPU counters will be
 * reported under the wrong name.
 */
struct ipsecstat {
	uint64_t	ipsec_tunnels;		/* Number of active tunnels */
	uint64_t	ipsec_prevtunnels;	/* Past number of tunnels */
	uint64_t	ipsec_ipackets;		/* Input IPsec packets */
	uint64_t	ipsec_opackets;		/* Output IPsec packets */
	uint64_t	ipsec_ibytes;		/* Input bytes */
	uint64_t	ipsec_obytes;		/* Output bytes */
	uint64_t	ipsec_idecompbytes;	/* Input bytes, decompressed */
	uint64_t	ipsec_ouncompbytes;	/* Output bytes, uncompressed */
	uint64_t	ipsec_idrops;		/* Dropped on input */
	uint64_t	ipsec_odrops;		/* Dropped on output */
	uint64_t	ipsec_crypto;		/* Crypto processing failure */
	uint64_t	ipsec_notdb;		/* Expired while in crypto */
	uint64_t	ipsec_noxform;		/* Crypto error */
};
139 
/*
 * Per-SA traffic counters, embedded in struct tdb as tdb_data.  The
 * tdb_ipackets ... tdb_ouncompbytes macros following struct tdb are
 * aliases for these fields.  Kept as a separate struct so the whole
 * block can be copied or reset in one operation.
 */
struct tdb_data {
	uint64_t	tdd_ipackets;		/* Input IPsec packets */
	uint64_t	tdd_opackets;		/* Output IPsec packets */
	uint64_t	tdd_ibytes;		/* Input bytes */
	uint64_t	tdd_obytes;		/* Output bytes */
	uint64_t	tdd_idrops;		/* Dropped on input */
	uint64_t	tdd_odrops;		/* Dropped on output */
	uint64_t	tdd_idecompbytes;	/* Input bytes, decompressed */
	uint64_t	tdd_ouncompbytes;	/* Output bytes, uncompressed */
};
150 
151 #ifdef _KERNEL
152 
153 #include <sys/timeout.h>
154 #include <sys/tree.h>
155 #include <sys/queue.h>
156 #include <net/radix.h>
157 #include <sys/percpu.h>
158 
/*
 * Indices into the per-CPU ipseccounters array.  The order must match
 * the field order of struct ipsecstat above exactly, since the kernel
 * counters are presumably folded back into that struct positionally.
 * ipsec_ncounters is the element count, not a counter.
 */
enum ipsec_counters {
	ipsec_tunnels,
	ipsec_prevtunnels,
	ipsec_ipackets,
	ipsec_opackets,
	ipsec_ibytes,
	ipsec_obytes,
	ipsec_idecompbytes,
	ipsec_ouncompbytes,
	ipsec_idrops,
	ipsec_odrops,
	ipsec_crypto,
	ipsec_notdb,
	ipsec_noxform,
	ipsec_ncounters		/* number of counters; keep last */
};
175 
176 extern struct cpumem *ipseccounters;
177 
/*
 * Increment the per-CPU IPsec counter c by one.  Thin wrapper around
 * counters_inc() on the ipseccounters cpumem declared above; c must be
 * one of enum ipsec_counters (never ipsec_ncounters).
 */
static inline void
ipsecstat_inc(enum ipsec_counters c)
{
	counters_inc(ipseccounters, c);
}
183 
/*
 * Decrement the per-CPU IPsec counter c by one (counters_dec() on
 * ipseccounters).  c must be one of enum ipsec_counters, never
 * ipsec_ncounters.
 */
static inline void
ipsecstat_dec(enum ipsec_counters c)
{
	counters_dec(ipseccounters, c);
}
189 
/*
 * Add v to the per-CPU IPsec counter c (counters_add() on
 * ipseccounters); used for the byte counters, where an increment of
 * one would be wrong.  c must be one of enum ipsec_counters, never
 * ipsec_ncounters.
 */
static inline void
ipsecstat_add(enum ipsec_counters c, uint64_t v)
{
	counters_add(ipseccounters, c, v);
}
195 
196 struct m_tag;
197 
/*
 * Shorthand accessors for the members of struct sockaddr_encap.Sen.
 * Note that sen_data expands to Sen.Data, but the union declared above
 * has no member named Data (only Sip4, Sip6 and PolicyHead), so any use
 * of sen_data would fail to compile; it appears to be a leftover and
 * is presumably unused.
 */
#define	sen_data		Sen.Data	/* stale: no such member in Sen */
#define	sen_ip_src		Sen.Sip4.Src
#define	sen_ip_dst		Sen.Sip4.Dst
#define	sen_proto		Sen.Sip4.Proto
#define	sen_sport		Sen.Sip4.Sport
#define	sen_dport		Sen.Sip4.Dport
#define	sen_direction		Sen.Sip4.Direction
#define	sen_ip6_src		Sen.Sip6.Src
#define	sen_ip6_dst		Sen.Sip6.Dst
#define	sen_ip6_proto		Sen.Sip6.Proto
#define	sen_ip6_sport		Sen.Sip6.Sport
#define	sen_ip6_dport		Sen.Sip6.Dport
#define	sen_ip6_direction	Sen.Sip6.Direction
#define	sen_ipsp		Sen.PolicyHead
212 
213 /*
214  * The "type" is really part of the address as far as the routing
215  * system is concerned. By using only one bit in the type field
216  * for each type, we sort-of make sure that different types of
217  * encapsulation addresses won't be matched against the wrong type.
218  *
219  */
220 
221 #define	SENT_IP4	0x0001		/* data is two struct in_addr */
222 #define	SENT_IPSP	0x0002		/* data as in IP4/6 plus SPI */
223 #define	SENT_IP6	0x0004
224 
225 #define	SENT_LEN	sizeof(struct sockaddr_encap)
226 
/*
 * Header of a variable-length identity (the local/remote IDs an SA was
 * negotiated with).  len gives the number of bytes of identity data
 * that follow the header; type is presumably one of IPSP_IDENTITY_*
 * below.  Because len is signed, code that builds one of these from a
 * PF_KEY message must reject negative values before using it as a size.
 */
struct ipsec_id {
	u_int16_t	type;		/* Subtype of data */
	int16_t		len;		/* Length of data following */
};
231 
/*
 * A local/remote identity pair shared by policies (ipo_ids) and SAs
 * (tdb_ids).  Each instance is on two red-black trees, one keyed on the
 * identities themselves (ipsec_ids_tree) and one on id_flow
 * (ipsec_ids_flows).  Reference counted via id_refcount and released
 * with ipsp_ids_free(); the embedded timeout is presumably used to
 * defer the actual teardown once the count reaches zero -- confirm
 * against ipsp_ids_free().
 */
struct ipsec_ids {
	RBT_ENTRY(ipsec_ids)	id_node_id;	/* ipsec_ids_tree linkage */
	RBT_ENTRY(ipsec_ids)	id_node_flow;	/* ipsec_ids_flows linkage */
	struct ipsec_id		*id_local;
	struct ipsec_id		*id_remote;
	u_int32_t		id_flow;	/* key for ipsp_ids_lookup() */
	int			id_refcount;
	struct timeout		id_timeout;
};
241 RBT_HEAD(ipsec_ids_flows, ipsec_ids);
242 RBT_HEAD(ipsec_ids_tree, ipsec_ids);
243 
/*
 * An outstanding request to key management for an SA that a policy
 * needs but does not yet have.  ipa_seq is the PF_KEY sequence number
 * the request was sent with and is presumably what ipsec_get_acquire()
 * looks it up by.  The entry is linked both on its policy's
 * ipo_acquires list (ipa_ipo_next) and on a global list (ipa_next);
 * ipa_timeout bounds how long the request stays pending (see
 * ipsec_expire_acquire).
 */
struct ipsec_acquire {
	union sockaddr_union		ipa_addr;
	u_int32_t			ipa_seq;
	struct sockaddr_encap		ipa_info;
	struct sockaddr_encap		ipa_mask;
	struct timeout			ipa_timeout;
	struct ipsec_policy		*ipa_policy;	/* owning policy */
	struct inpcb                    *ipa_pcb;	/* socket that triggered it, if any */
	TAILQ_ENTRY(ipsec_acquire)	ipa_ipo_next;	/* on ipa_policy->ipo_acquires */
	TAILQ_ENTRY(ipsec_acquire)	ipa_next;	/* on the global acquire list */
};
255 
/*
 * Security policy database entry.  Keyed in a per-rdomain radix tree
 * (ipo_nodes) by the sockaddr_encap address/mask pair; ipo_type decides
 * what happens to matching traffic (IPSP_IPSEC_USE ... IPSP_DENY) and
 * ipo_flags carries the IPSP_POLICY_* bits.  Reference counted through
 * ipo_ref_count; ipsec_delete_policy() is the teardown entry point.
 */
struct ipsec_policy {
	struct radix_node	ipo_nodes[2];	/* radix tree glue */
	struct sockaddr_encap	ipo_addr;	/* selector, matched with ipo_mask */
	struct sockaddr_encap	ipo_mask;

	union sockaddr_union	ipo_src;	/* Local address to use */
	union sockaddr_union	ipo_dst;	/* Remote gateway -- if it's zeroed:
						 * - on output, we try to
						 * contact the remote host
						 * directly (if needed).
						 * - on input, we accept only if
						 * the inner source is the
						 * same as the outer source
						 * address, or if transport
						 * mode was used.
						 */

	u_int64_t		ipo_last_searched;	/* Timestamp of last lookup */

	u_int8_t		ipo_flags;	/* See IPSP_POLICY_* definitions */
	u_int8_t		ipo_type;	/* USE/ACQUIRE/... (IPSP_IPSEC_*, IPSP_PERMIT, IPSP_DENY) */
	u_int8_t		ipo_sproto;	/* ESP/AH; if zero, use system dflts */
	u_int			ipo_rdomain;	/* routing domain the policy lives in */

	int                     ipo_ref_count;

	struct tdb		*ipo_tdb;		/* Cached entry */

	struct ipsec_ids	*ipo_ids;	/* identities required of the SA, if any */

	TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */
	TAILQ_ENTRY(ipsec_policy)	ipo_tdb_next;	/* List TDB policies */
	TAILQ_ENTRY(ipsec_policy)	ipo_list;	/* List of all policies */
};
290 
/* Bits for ipsec_policy.ipo_flags (0x0001 is not assigned here) */
#define	IPSP_POLICY_NONE	0x0000	/* No flags set */
#define	IPSP_POLICY_STATIC	0x0002	/* Static policy */

/*
 * Values for ipsec_policy.ipo_type.  The USE/ACQUIRE/REQUIRE/DONTACQ
 * variants differ in whether an SA is mandatory for the flow and whether
 * key management is asked to create one; PERMIT and DENY bypass IPsec
 * entirely.
 */
#define	IPSP_IPSEC_USE		0	/* Use if existing, don't acquire */
#define	IPSP_IPSEC_ACQUIRE	1	/* Try acquire, let packet through */
#define	IPSP_IPSEC_REQUIRE	2	/* Require SA */
#define	IPSP_PERMIT		3	/* Permit traffic through */
#define	IPSP_DENY		4	/* Deny traffic */
#define	IPSP_IPSEC_DONTACQ	5	/* Require, but don't acquire */

/* Identity types (presumably ipsec_id.type) */
#define	IPSP_IDENTITY_NONE		0
#define	IPSP_IDENTITY_PREFIX		1
#define	IPSP_IDENTITY_FQDN		2
#define	IPSP_IDENTITY_USERFQDN		3
306 
/*
 * Tunnel descriptor block: one security association.  Besides the
 * traffic selectors, lifetimes and counters it holds the raw key
 * material (tdb_amxkey/tdb_emxkey) and the anti-replay state
 * (tdb_rpl/tdb_seen), so instances must never be copied to userland
 * or logged wholesale.
 */
struct tdb {				/* tunnel descriptor block */
	/*
	 * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
	 * one keyed on dst/sproto, and one keyed on src/sproto. The first
	 * is used for finding a specific TDB, the second for finding TDBs
	 * for outgoing policy matching, and the third for incoming
	 * policy matching. The following three fields maintain the hash
	 * queues in those three tables.
	 */
	struct tdb	*tdb_hnext;	/* dst/spi/sproto table */
	struct tdb	*tdb_dnext;	/* dst/sproto table */
	struct tdb	*tdb_snext;	/* src/sproto table */
	struct tdb	*tdb_inext;	/* NOTE(review): undocumented; presumably SA bundle chaining */
	struct tdb	*tdb_onext;	/* NOTE(review): undocumented; presumably SA bundle chaining */

	struct xformsw		*tdb_xform;		/* Transform to use */
	struct enc_xform	*tdb_encalgxform;	/* Enc algorithm */
	struct auth_hash	*tdb_authalgxform;	/* Auth algorithm */
	struct comp_algo	*tdb_compalgxform;	/* Compression algo */

/*
 * Bits for tdb_flags.  Every "SOFT_" bit pairs with a hard limit of the
 * same name: the soft one requests renegotiation, the hard one expires
 * the SA.  Values 0x00040 and 0x02000-0x08000 are not assigned in this
 * file.
 */
#define	TDBF_UNIQUE		0x00001	/* This should not be used by others */
#define	TDBF_TIMER		0x00002	/* Absolute expiration timer in use */
#define	TDBF_BYTES		0x00004	/* Check the byte counters */
#define	TDBF_ALLOCATIONS	0x00008	/* Check the flows counters */
#define	TDBF_INVALID		0x00010	/* This SPI is not valid yet/anymore */
#define	TDBF_FIRSTUSE		0x00020	/* Expire after first use */
#define	TDBF_SOFT_TIMER		0x00080	/* Soft expiration */
#define	TDBF_SOFT_BYTES		0x00100	/* Soft expiration */
#define	TDBF_SOFT_ALLOCATIONS	0x00200	/* Soft expiration */
#define	TDBF_SOFT_FIRSTUSE	0x00400	/* Soft expiration */
#define	TDBF_PFS		0x00800	/* Ask for PFS from Key Mgmt. */
#define	TDBF_TUNNELING		0x01000	/* Force IP-IP encapsulation */
#define	TDBF_USEDTUNNEL		0x10000	/* Appended a tunnel header in past */
#define	TDBF_UDPENCAP		0x20000	/* UDP encapsulation */
#define	TDBF_PFSYNC		0x40000	/* TDB will be synced */
#define	TDBF_PFSYNC_RPL		0x80000	/* Replay counter should be bumped */
#define	TDBF_ESN		0x100000 /* 64-bit sequence numbers (ESN) */

	u_int32_t	tdb_flags;	/* Flags related to this TDB */

	/* One timeout per lifetime kind; which are armed depends on tdb_flags */
	struct timeout	tdb_timer_tmo;		/* TDBF_TIMER */
	struct timeout	tdb_first_tmo;		/* TDBF_FIRSTUSE */
	struct timeout	tdb_stimer_tmo;		/* TDBF_SOFT_TIMER */
	struct timeout	tdb_sfirst_tmo;		/* TDBF_SOFT_FIRSTUSE */

	u_int32_t	tdb_seq;		/* Tracking number for PFKEY */
	u_int32_t	tdb_exp_allocations;	/* Expire after so many flows */
	u_int32_t	tdb_soft_allocations;	/* Expiration warning */
	u_int32_t	tdb_cur_allocations;	/* Total number of allocs */

	u_int64_t	tdb_exp_bytes;	/* Expire after so many bytes passed */
	u_int64_t	tdb_soft_bytes;	/* Expiration warning */
	u_int64_t	tdb_cur_bytes;	/* Current count of bytes */

	u_int64_t	tdb_exp_timeout;	/* When does the SPI expire */
	u_int64_t	tdb_soft_timeout;	/* Send soft-expire warning */
	u_int64_t	tdb_established;	/* When was SPI established */

	u_int64_t	tdb_first_use;		/* When was it first used */
	u_int64_t	tdb_soft_first_use;	/* Soft warning */
	u_int64_t	tdb_exp_first_use;	/* Expire if tdb_first_use +
						 * tdb_exp_first_use <= curtime
						 */

	u_int64_t	tdb_last_used;	/* When was this SA last used */
	u_int64_t	tdb_last_marked;/* Last SKIPCRYPTO status change */

	struct tdb_data	tdb_data;	/* stats about this TDB */
	u_int64_t	tdb_cryptoid;	/* Crypto session ID */

	u_int32_t	tdb_spi;	/* SPI */
	u_int16_t	tdb_amxkeylen;	/* Raw authentication key length */
	u_int16_t	tdb_emxkeylen;	/* Raw encryption key length */
	u_int16_t	tdb_ivlen;	/* IV length */
	u_int8_t	tdb_sproto;	/* IPsec protocol */
	u_int8_t	tdb_wnd;	/* Replay window; NOTE(review): units (bits? log2?) not stated here */
	u_int8_t	tdb_satype;	/* SA type (RFC2367, PF_KEY) */
	u_int8_t	tdb_updates;	/* pfsync update counter */

	union sockaddr_union	tdb_dst;	/* Destination address */
	union sockaddr_union	tdb_src;	/* Source address */

	/*
	 * Secret key material.  Sized by tdb_amxkeylen/tdb_emxkeylen above.
	 * The transform's xf_zeroize hook is the termination path for these;
	 * NOTE(review): confirm that tdb_free() reaches it so the buffers
	 * are wiped, not merely freed, on every teardown path.
	 */
	u_int8_t	*tdb_amxkey;	/* Raw authentication key */
	u_int8_t	*tdb_emxkey;	/* Raw encryption key */

/*
 * Anti-replay window.  TDB_REPLAYMAX is the window size in sequence
 * numbers; the extra TDB_REPLAYWASTE bits are slack for the sliding
 * bitmap.  tdb_seen therefore has howmany(2132, 32) == 67 words.
 */
#define TDB_REPLAYWASTE	32
#define TDB_REPLAYMAX	(2100+TDB_REPLAYWASTE)

	u_int64_t	tdb_rpl;	/* Replay counter (64-bit to cover ESN, see TDBF_ESN) */
	u_int32_t	tdb_seen[howmany(TDB_REPLAYMAX, 32)]; /* Anti-replay window */

	u_int8_t	tdb_iv[4];	/* Used for HALF-IV ESP */

	struct ipsec_ids	*tdb_ids;	/* Src/Dst ID for this SA */
	int		tdb_ids_swapped;	/* XXX */

	u_int32_t	tdb_mtu;	/* MTU at this point in the chain */
	u_int64_t	tdb_mtutimeout;	/* When to ignore this entry */

	u_int16_t	tdb_udpencap_port;	/* Peer UDP port */

	u_int16_t	tdb_tag;		/* Packet filter tag */
	u_int32_t	tdb_tap;		/* Alternate enc(4) interface */

	u_int		tdb_rdomain;		/* Routing domain */
	u_int		tdb_rdomain_post;	/* Change domain */

	/* Per-SA traffic selector, matched like a policy address/mask */
	struct sockaddr_encap   tdb_filter; /* What traffic is acceptable */
	struct sockaddr_encap   tdb_filtermask; /* And the mask */

	TAILQ_HEAD(tdb_policy_head, ipsec_policy)	tdb_policy_head; /* policies caching this SA (ipo_tdb_next) */
	TAILQ_ENTRY(tdb)	tdb_sync_entry;	/* pfsync queue linkage */
};
/* Aliases for the struct tdb_data counters embedded in struct tdb */
#define tdb_ipackets		tdb_data.tdd_ipackets
#define tdb_opackets		tdb_data.tdd_opackets
#define tdb_ibytes		tdb_data.tdd_ibytes
#define tdb_obytes		tdb_data.tdd_obytes
#define tdb_idrops		tdb_data.tdd_idrops
#define tdb_odrops		tdb_data.tdd_odrops
#define tdb_idecompbytes	tdb_data.tdd_idecompbytes
#define tdb_ouncompbytes	tdb_data.tdd_ouncompbytes
428 
429 
/*
 * The lookup key that names one SA: the same (rdomain, spi, dst, proto)
 * tuple gettdb_dir() takes.  Carried instead of a struct tdb pointer
 * where the SA may be deleted in the meantime (presumably attached to
 * packets as an m_tag -- see the struct m_tag forward declaration
 * above), so holders must re-lookup and handle a miss.
 */
struct tdb_ident {
	u_int32_t spi;
	union sockaddr_union dst;
	u_int8_t proto;
	u_int rdomain;
};
436 
/*
 * Context handed to the *_input_cb/*_output_cb completion routines
 * after asynchronous crypto.  It identifies the SA by key (spi, dst,
 * proto, rdomain) rather than by pointer, so the callback re-resolves
 * the tdb and must cope with it having expired meanwhile (the
 * ipsec_notdb counter, "Expired while in crypto", is presumably
 * bumped in that case).  tc_protoff/tc_skip locate the protocol header
 * and payload inside the mbuf.
 */
struct tdb_crypto {
	u_int32_t		tc_spi;
	union sockaddr_union	tc_dst;
	u_int8_t		tc_proto;
	int			tc_protoff;	/* offset of the protocol field */
	int			tc_skip;	/* bytes to skip to the IPsec header */
	u_int			tc_rdomain;
};
445 
/*
 * Parameters passed to a transform's xf_init / tdb_init() when an SA is
 * set up: raw key material with its lengths and the algorithm
 * identifiers.  The key buffers are secrets; callers own them and are
 * responsible for wiping them once the transform has taken its copy.
 * NOTE(review): whether xf_init copies or adopts ii_enckey/ii_authkey
 * is not visible here -- confirm before changing who frees them.
 */
struct ipsecinit {
	u_int8_t	*ii_enckey;	/* raw encryption key */
	u_int8_t	*ii_authkey;	/* raw authentication key */
	u_int16_t	ii_enckeylen;	/* length of ii_enckey */
	u_int16_t	ii_authkeylen;	/* length of ii_authkey */
	u_int8_t	ii_encalg;	/* encryption algorithm id */
	u_int8_t	ii_authalg;	/* authentication algorithm id */
	u_int8_t	ii_compalg;	/* compression algorithm id */
};
455 
/* xform IDs (values of xformsw.xf_type); 4 is not assigned here */
#define	XF_IP4		1	/* IP inside IP */
#define	XF_AH		2	/* AH */
#define	XF_ESP		3	/* ESP */
#define	XF_TCPSIGNATURE	5	/* TCP MD5 Signature option, RFC 2385 (was cited as "2358", a typo) */
#define	XF_IPCOMP	6	/* IPCOMP */

/* xform attributes (bits in xformsw.xf_flags) */
#define	XFT_AUTH	0x0001	/* provides authentication */
#define	XFT_CONF	0x0100	/* provides confidentiality */
#define	XFT_COMP	0x1000	/* provides compression */

#define	IPSEC_ZEROES_SIZE	256	/* Larger than an IP6 extension hdr. */
469 
/*
 * Transform switch: the operations table one IPsec protocol (XF_*)
 * plugs into the generic code with.  The ah_*/esp_*/ipcomp_*/
 * tcp_signature_tdb_*/ipe4_* prototypes below match these slots.
 * xf_zeroize is the teardown hook and is where the transform is
 * expected to destroy any key material it holds.
 */
struct xformsw {
	u_short	xf_type;		/* Unique ID of xform */
	u_short	xf_flags;		/* flags (see below) */
	char	*xf_name;		/* human-readable name */
	int	(*xf_attach)(void);	/* called at config time */
	int	(*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *);
	int	(*xf_zeroize)(struct tdb *); /* termination: wipe keys, release state */
	int	(*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */
	int	(*xf_output)(struct mbuf *, struct tdb *, struct mbuf **,
	    int, int);        /* output */
};
481 
482 extern int ipsec_in_use;
483 extern u_int64_t ipsec_last_added;
484 extern int ipsec_policy_pool_initialized;
485 extern int encdebug;			/* enable message reporting */
486 
487 extern int ipsec_keep_invalid;		/* lifetime of embryonic SAs (in sec) */
488 extern int ipsec_require_pfs;		/* use Perfect Forward Secrecy */
489 extern int ipsec_expire_acquire;	/* wait for security assoc. (in sec) */
490 extern int ipsec_soft_allocations;	/* flows/SA before renegotiation */
491 extern int ipsec_exp_allocations;	/* num. of flows/SA before it expires */
492 extern int ipsec_soft_bytes;		/* bytes/SA before renegotiation */
493 extern int ipsec_exp_bytes;		/* num of bytes/SA before it expires */
494 extern int ipsec_soft_timeout;		/* seconds/SA before renegotiation */
495 extern int ipsec_exp_timeout;		/* seconds/SA before it expires */
496 extern int ipsec_soft_first_use;	/* seconds between 1st asso & renego */
497 extern int ipsec_exp_first_use;		/* seconds between 1st asso & expire */
498 
499 /*
500  * Names for IPsec sysctl objects
501  */
/*
 * The numbers in the trailing comments are the IPCTL_* indices; they
 * double as positions in IPSECCTL_VARS below, so the two lists must be
 * kept in step.  Note that IPSEC_TIMEOUT (21) precedes IPSEC_SOFT_TIMEOUT
 * (22), the reverse of the soft/hard order used for allocations and
 * bytes.
 */
#define	IPSEC_ENCDEBUG			IPCTL_ENCDEBUG			/* 12 */
#define	IPSEC_STATS			IPCTL_IPSEC_STATS		/* 13 */
#define IPSEC_EXPIRE_ACQUIRE		IPCTL_IPSEC_EXPIRE_ACQUIRE	/* 14 */
#define IPSEC_EMBRYONIC_SA_TIMEOUT	IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT/* 15 */
#define IPSEC_REQUIRE_PFS		IPCTL_IPSEC_REQUIRE_PFS		/* 16 */
#define IPSEC_SOFT_ALLOCATIONS          IPCTL_IPSEC_SOFT_ALLOCATIONS	/* 17 */
#define IPSEC_ALLOCATIONS		IPCTL_IPSEC_ALLOCATIONS		/* 18 */
#define IPSEC_SOFT_BYTES		IPCTL_IPSEC_SOFT_BYTES		/* 19 */
#define IPSEC_BYTES			IPCTL_IPSEC_BYTES		/* 20 */
#define IPSEC_TIMEOUT			IPCTL_IPSEC_TIMEOUT		/* 21 */
#define IPSEC_SOFT_TIMEOUT		IPCTL_IPSEC_SOFT_TIMEOUT	/* 22 */
#define IPSEC_SOFT_FIRSTUSE		IPCTL_IPSEC_SOFT_FIRSTUSE	/* 23 */
#define IPSEC_FIRSTUSE			IPCTL_IPSEC_FIRSTUSE		/* 24 */
#define IPSEC_MAXID	25	/* one past the last index; IPSECCTL_VARS has this many entries */

/*
 * Positional table of the int variables behind each sysctl index: entry
 * i corresponds to IPCTL index i.  Indices 0-11 belong to other IPCTL_*
 * objects and are NULL here; 13 (IPSEC_STATS) is NULL because the stats
 * are not a plain int.  Reordering any line silently rebinds a sysctl
 * name to the wrong variable, so the entry comments name the index.
 */
#define	IPSECCTL_VARS { \
	NULL, /* 0 */ \
	NULL, /* 1 */ \
	NULL, /* 2 */ \
	NULL, /* 3 */ \
	NULL, /* 4 */ \
	NULL, /* 5 */ \
	NULL, /* 6 */ \
	NULL, /* 7 */ \
	NULL, /* 8 */ \
	NULL, /* 9 */ \
	NULL, /* 10 */ \
	NULL, /* 11 */ \
	&encdebug, /* 12 IPSEC_ENCDEBUG */ \
	NULL, /* 13 ipsecstat (IPSEC_STATS) */ \
	&ipsec_expire_acquire, /* 14 IPSEC_EXPIRE_ACQUIRE */ \
	&ipsec_keep_invalid, /* 15 IPSEC_EMBRYONIC_SA_TIMEOUT */ \
	&ipsec_require_pfs, /* 16 IPSEC_REQUIRE_PFS */ \
	&ipsec_soft_allocations, /* 17 IPSEC_SOFT_ALLOCATIONS */ \
	&ipsec_exp_allocations, /* 18 IPSEC_ALLOCATIONS */ \
	&ipsec_soft_bytes, /* 19 IPSEC_SOFT_BYTES */ \
	&ipsec_exp_bytes, /* 20 IPSEC_BYTES */ \
	&ipsec_exp_timeout, /* 21 IPSEC_TIMEOUT */ \
	&ipsec_soft_timeout, /* 22 IPSEC_SOFT_TIMEOUT */ \
	&ipsec_soft_first_use, /* 23 IPSEC_SOFT_FIRSTUSE */ \
	&ipsec_exp_first_use, /* 24 IPSEC_FIRSTUSE */ \
}
544 
545 extern char ipsec_def_enc[];
546 extern char ipsec_def_auth[];
547 extern char ipsec_def_comp[];
548 
549 extern struct enc_xform enc_xform_des;
550 extern struct enc_xform enc_xform_3des;
551 extern struct enc_xform enc_xform_blf;
552 extern struct enc_xform enc_xform_cast5;
553 
554 extern struct auth_hash auth_hash_hmac_md5_96;
555 extern struct auth_hash auth_hash_hmac_sha1_96;
556 extern struct auth_hash auth_hash_hmac_ripemd_160_96;
557 
558 extern struct comp_algo comp_algo_deflate;
559 
560 extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;
561 
562 struct cryptop;
563 
564 /* Misc. */
565 #ifdef ENCDEBUG
566 const char *ipsp_address(union sockaddr_union *, char *, socklen_t);
567 #endif /* ENCDEBUG */
568 
569 /* SPD tables */
570 struct radix_node_head *spd_table_add(unsigned int);
571 struct radix_node_head *spd_table_get(unsigned int);
572 int spd_table_walk(unsigned int,
573     int (*walker)(struct ipsec_policy *, void *, unsigned int), void *);
574 
575 /* TDB management routines */
576 uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *,
577 		union sockaddr_union *, u_int8_t, int *);
578 struct	tdb *gettdb_dir(u_int, u_int32_t, union sockaddr_union *, u_int8_t, int);
579 #define gettdb(a,b,c,d)		gettdb_dir((a),(b),(c),(d),0)
580 #define gettdb_rev(a,b,c,d)	gettdb_dir((a),(b),(c),(d),1)
581 struct	tdb *gettdbbydst(u_int, union sockaddr_union *, u_int8_t,
582 		struct ipsec_ids *,
583 		struct sockaddr_encap *, struct sockaddr_encap *);
584 struct	tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t,
585 		struct ipsec_ids *,
586 		struct sockaddr_encap *, struct sockaddr_encap *);
587 struct	tdb *gettdbbysrcdst_dir(u_int, u_int32_t, union sockaddr_union *,
588 		union sockaddr_union *, u_int8_t, int);
589 #define gettdbbysrcdst(a,b,c,d,e) gettdbbysrcdst_dir((a),(b),(c),(d),(e),0)
590 #define gettdbbysrcdst_rev(a,b,c,d,e) gettdbbysrcdst_dir((a),(b),(c),(d),(e),1)
591 void	puttdb(struct tdb *);
592 void	tdb_delete(struct tdb *);
593 struct	tdb *tdb_alloc(u_int);
594 void	tdb_free(struct tdb *);
595 int	tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
596 void	tdb_unlink(struct tdb *);
597 int	tdb_walk(u_int, int (*)(struct tdb *, void *, int), void *);
598 
599 /* XF_IP4 */
600 int	ipe4_attach(void);
601 int	ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
602 int	ipe4_zeroize(struct tdb *);
603 int	ipe4_input(struct mbuf *, struct tdb *, int, int);
604 
605 /* XF_AH */
606 int 	ah_attach(void);
607 int 	ah_init(struct tdb *, struct xformsw *, struct ipsecinit *);
608 int 	ah_zeroize(struct tdb *);
609 int	ah_input(struct mbuf *, struct tdb *, int, int);
610 int	ah_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int);
611 int	ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
612 int	ah_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
613 	    int);
614 int	ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);
615 
616 int	ah4_input(struct mbuf **, int *, int, int);
617 void	ah4_ctlinput(int, struct sockaddr *, u_int, void *);
618 void	udpencap_ctlinput(int, struct sockaddr *, u_int, void *);
619 
620 #ifdef INET6
621 int	ah6_input(struct mbuf **, int *, int, int);
622 #endif /* INET6 */
623 
624 /* XF_ESP */
625 int	esp_attach(void);
626 int	esp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
627 int	esp_zeroize(struct tdb *);
628 int	esp_input(struct mbuf *, struct tdb *, int, int);
629 int	esp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int);
630 int	esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
631 int	esp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
632 	    int);
633 int	esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
634 
635 int	esp4_input(struct mbuf **, int *, int, int);
636 void	esp4_ctlinput(int, struct sockaddr *, u_int, void *);
637 
638 #ifdef INET6
639 int 	esp6_input(struct mbuf **, int *, int, int);
640 #endif /* INET6 */
641 
642 /* XF_IPCOMP */
643 int	ipcomp_attach(void);
644 int	ipcomp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
645 int	ipcomp_zeroize(struct tdb *);
646 int	ipcomp_input(struct mbuf *, struct tdb *, int, int);
647 int	ipcomp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int);
648 int	ipcomp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
649 int	ipcomp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
650 	    int);
651 int	ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
652 int	ipcomp4_input(struct mbuf **, int *, int, int);
653 #ifdef INET6
654 int	ipcomp6_input(struct mbuf **, int *, int, int);
655 #endif /* INET6 */
656 
657 /* XF_TCPSIGNATURE */
658 int	tcp_signature_tdb_attach(void);
659 int	tcp_signature_tdb_init(struct tdb *, struct xformsw *,
660 	    struct ipsecinit *);
661 int	tcp_signature_tdb_zeroize(struct tdb *);
662 int	tcp_signature_tdb_input(struct mbuf *, struct tdb *, int, int);
663 int	tcp_signature_tdb_output(struct mbuf *, struct tdb *, struct mbuf **,
664 	  int, int);
665 
/*
 * Replay window check for an inbound packet against the SA's
 * anti-replay state (tdb_rpl and the tdb_seen bitmap in struct tdb;
 * TDBF_ESN selects 64-bit sequence numbers).  Rejecting duplicates and
 * too-old sequence numbers here is what stops replayed ESP/AH packets,
 * so callers must drop the packet on a non-zero return.
 * NOTE(review): the argument roles are not documented in this header --
 * presumably (tdb, received sequence number, out-pointer for the
 * resolved sequence/high bits, commit-vs-check flag); confirm against
 * the implementation before relying on this.
 */
int	checkreplaywindow(struct tdb *, u_int32_t, u_int32_t *, int);
668 
669 /* Packet processing */
670 int	ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
671 int	ipsp_process_done(struct mbuf *, struct tdb *);
672 struct	tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int,
673 	    struct tdb *, struct inpcb *, u_int32_t);
674 struct	tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int,
675 	    struct tdb *, struct inpcb *, struct ipsec_policy *);
676 int	ipsp_is_unspecified(union sockaddr_union);
677 int	ipsp_aux_match(struct tdb *, struct ipsec_ids *,
678 	    struct sockaddr_encap *, struct sockaddr_encap *);
679 int	ipsp_ids_match(struct ipsec_ids *, struct ipsec_ids *);
680 struct ipsec_ids *ipsp_ids_insert(struct ipsec_ids *);
681 struct ipsec_ids *ipsp_ids_lookup(u_int32_t);
682 void	ipsp_ids_free(struct ipsec_ids *);
683 
684 void	ipsec_init(void);
685 int	ipsec_sysctl(int *, u_int, void *, size_t *, void *, size_t);
686 int	ipsec_common_input(struct mbuf *, int, int, int, int, int);
687 void	ipsec_input_cb(struct cryptop *);
688 void	ipsec_output_cb(struct cryptop *);
689 int	ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int);
690 int	ipsec_delete_policy(struct ipsec_policy *);
691 ssize_t	ipsec_hdrsz(struct tdb *);
692 void	ipsec_adjust_mtu(struct mbuf *, u_int32_t);
693 struct	ipsec_acquire *ipsec_get_acquire(u_int32_t);
694 int	ipsec_forward_check(struct mbuf *, int, int);
695 int	ipsec_local_check(struct mbuf *, int, int, int);
696 
697 #endif /* _KERNEL */
698 #endif /* _NETINET_IPSP_H_ */