ip_ipsp.h revision 1.105
1/* $OpenBSD: ip_ipsp.h,v 1.105 2001/06/24 18:22:47 provos Exp $ */ 2 3/* 4 * The authors of this code are John Ioannidis (ji@tla.org), 5 * Angelos D. Keromytis (kermit@csd.uch.gr), 6 * Niels Provos (provos@physnet.uni-hamburg.de) and 7 * Niklas Hallqvist (niklas@appli.se). 8 * 9 * The original version of this code was written by John Ioannidis 10 * for BSD/OS in Athens, Greece, in November 1995. 11 * 12 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 13 * by Angelos D. Keromytis. 14 * 15 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 16 * and Niels Provos. 17 * 18 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 19 * 20 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 21 * Angelos D. Keromytis and Niels Provos. 22 * Copyright (c) 1999 Niklas Hallqvist. 23 * 24 * Permission to use, copy, and modify this software without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40#ifndef _NETINET_IPSP_H_ 41#define _NETINET_IPSP_H_ 42 43/* IPSP global definitions. */ 44 45#include <sys/types.h> 46#include <sys/queue.h> 47#include <sys/timeout.h> 48#include <netinet/in.h> 49 50union sockaddr_union 51{ 52 struct sockaddr sa; 53 struct sockaddr_in sin; 54 struct sockaddr_in6 sin6; 55}; 56 57/* HMAC key sizes */ 58#define MD5HMAC96_KEYSIZE 16 59#define SHA1HMAC96_KEYSIZE 20 60#define RIPEMD160HMAC96_KEYSIZE 20 61 62#define AH_HMAC_HASHLEN 12 /* 96 bits of authenticator */ 63#define AH_HMAC_RPLENGTH 4 /* 32 bits of replay counter */ 64#define AH_HMAC_INITIAL_RPL 1 /* Replay counter initial value */ 65 66/* Authenticator lengths */ 67#define AH_MD5_ALEN 16 68#define AH_SHA1_ALEN 20 69#define AH_RMD160_ALEN 20 70#define AH_ALEN_MAX 20 /* Keep updated */ 71 72/* Reserved SPI numbers */ 73#define SPI_LOCAL_USE 0 74#define SPI_RESERVED_MIN 1 75#define SPI_RESERVED_MAX 255 76 77/* sysctl default values */ 78#define IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT 60 /* 1 minute */ 79#define IPSEC_DEFAULT_PFS 1 80#define IPSEC_DEFAULT_SOFT_ALLOCATIONS 0 81#define IPSEC_DEFAULT_EXP_ALLOCATIONS 0 82#define IPSEC_DEFAULT_SOFT_BYTES 0 83#define IPSEC_DEFAULT_EXP_BYTES 0 84#define IPSEC_DEFAULT_SOFT_TIMEOUT 80000 85#define IPSEC_DEFAULT_EXP_TIMEOUT 86400 86#define IPSEC_DEFAULT_SOFT_FIRST_USE 3600 87#define IPSEC_DEFAULT_EXP_FIRST_USE 7200 88#define IPSEC_DEFAULT_DEF_ENC "aes" 89#define IPSEC_DEFAULT_DEF_AUTH "hmac-sha1" 90#define IPSEC_DEFAULT_EXPIRE_ACQUIRE 30 91 92struct sockaddr_encap 93{ 94 u_int8_t sen_len; /* length */ 95 u_int8_t sen_family; /* PF_KEY */ 96 u_int16_t sen_type; /* see SENT_* */ 97 union 98 { 99 struct /* SENT_IP4 */ 100 { 101 u_int8_t Direction; 102 struct in_addr Src; 103 struct in_addr Dst; 104 u_int8_t Proto; 105 u_int16_t Sport; 106 u_int16_t Dport; 107 } Sip4; 108 109 struct /* SENT_IP6 */ 110 { 111 u_int8_t Direction; 112 struct in6_addr Src; 113 struct in6_addr Dst; 114 u_int8_t Proto; 115 u_int16_t Sport; 116 u_int16_t Dport; 117 } Sip6; 118 119 struct ipsec_policy *PolicyHead; /* SENT_IPSP */ 120 } Sen; 121}; 122 123#define IPSP_DIRECTION_IN 0x1 124#define IPSP_DIRECTION_OUT 0x2 125 126#define sen_data Sen.Data 127#define sen_ip_src Sen.Sip4.Src 128#define sen_ip_dst Sen.Sip4.Dst 129#define sen_proto Sen.Sip4.Proto 130#define sen_sport Sen.Sip4.Sport 131#define sen_dport Sen.Sip4.Dport 132#define sen_direction Sen.Sip4.Direction 133#define sen_ip6_src Sen.Sip6.Src 134#define sen_ip6_dst Sen.Sip6.Dst 135#define sen_ip6_proto Sen.Sip6.Proto 136#define sen_ip6_sport Sen.Sip6.Sport 137#define sen_ip6_dport Sen.Sip6.Dport 138#define sen_ip6_direction Sen.Sip6.Direction 139#define sen_ipsp Sen.PolicyHead 140 141/* 142 * The "type" is really part of the address as far as the routing 143 * system is concerned. By using only one bit in the type field 144 * for each type, we sort-of make sure that different types of 145 * encapsulation addresses won't be matched against the wrong type. 146 * 147 */ 148 149#define SENT_IP4 0x0001 /* data is two struct in_addr */ 150#define SENT_IPSP 0x0002 /* data as in IP4/6 plus SPI */ 151#define SENT_IP6 0x0004 152 153#define SENT_LEN sizeof(struct sockaddr_encap) 154 155struct ipsec_ref 156{ 157 u_int16_t ref_type; /* Subtype of data */ 158 int16_t ref_len; /* Length of data following */ 159 int ref_count; /* Reference count */ 160 int ref_malloctype; /* malloc(9) type, for freeing purposes */ 161}; 162 163struct ipsec_acquire 164{ 165 union sockaddr_union ipa_addr; 166 u_int64_t ipa_expire; 167 u_int32_t ipa_seq; 168 struct sockaddr_encap ipa_info; 169 struct sockaddr_encap ipa_mask; 170 struct mbuf *ipa_packet; 171 TAILQ_ENTRY(ipsec_acquire) ipa_next; 172}; 173 174struct ipsec_policy 175{ 176 struct sockaddr_encap ipo_addr; 177 struct sockaddr_encap ipo_mask; 178 179 union sockaddr_union ipo_src; /* Local address to use */ 180 union sockaddr_union ipo_dst; /* Remote gateway -- if it's zeroed: 181 * - on output, we try to contact the 182 * remote host directly (if needed). 183 * - on input, we accept on if the 184 * inner source is the same as the 185 * outer source address, or if transport 186 * mode was used. 187 */ 188 189 u_int64_t ipo_last_searched; /* Timestamp of last lookup */ 190 191 u_int8_t ipo_flags; /* See IPSP_POLICY_* definitions */ 192 u_int8_t ipo_type; /* USE/ACQUIRE/... */ 193 u_int8_t ipo_sproto;/* ESP, AH; if zero we use system dflts */ 194 195 struct tdb *ipo_tdb; /* Cached entry */ 196 197 struct ipsec_ref *ipo_srcid; 198 struct ipsec_ref *ipo_dstid; 199 struct ipsec_ref *ipo_local_cred; 200 struct ipsec_ref *ipo_local_auth; 201 202 TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* List of policies on TDB */ 203 TAILQ_ENTRY(ipsec_policy) ipo_list; /* List of all policy entries */ 204}; 205 206#define IPSP_POLICY_NONE 0x0000 /* No flags set */ 207#define IPSP_POLICY_SOCKET 0x0001 /* Socket-attached policy */ 208#define IPSP_POLICY_STATIC 0x0002 /* Static policy */ 209 210#define IPSP_IPSEC_USE 0 /* Use if existing, don't bother establishing */ 211#define IPSP_IPSEC_ACQUIRE 1 /* Try to acquire in parallel but let packet */ 212#define IPSP_IPSEC_REQUIRE 2 /* Require SA */ 213#define IPSP_PERMIT 3 /* Permit traffic through */ 214#define IPSP_DENY 4 /* Deny traffic */ 215#define IPSP_IPSEC_DONTACQ 5 /* Require, but don't acquire */ 216 217/* Notification types */ 218#define NOTIFY_SOFT_EXPIRE 0 /* Soft expiration of SA */ 219#define NOTIFY_HARD_EXPIRE 1 /* Hard expiration of SA */ 220#define NOTIFY_REQUEST_SA 2 /* Establish an SA */ 221 222#define NOTIFY_SATYPE_CONF 1 /* SA should do encryption */ 223#define NOTIFY_SATYPE_AUTH 2 /* SA should do authentication */ 224#define NOTIFY_SATYPE_TUNNEL 4 /* SA should use tunneling */ 225 226/* Authentication types */ 227#define IPSP_AUTH_NONE 0 228#define IPSP_AUTH_PASSPHRASE 1 229#define IPSP_AUTH_RSA 2 230 231/* Credential types */ 232#define IPSP_CRED_NONE 0 233#define IPSP_CRED_KEYNOTE 1 234#define IPSP_CRED_X509 2 235 236/* Identity types */ 237#define IPSP_IDENTITY_NONE 0 238#define IPSP_IDENTITY_PREFIX 1 239#define IPSP_IDENTITY_FQDN 2 240#define IPSP_IDENTITY_USERFQDN 3 241#define IPSP_IDENTITY_CONNECTION 4 242 243/* 244 * For encapsulation routes are possible not only for the destination 245 * address but also for the protocol, source and destination ports 246 * if available 247 */ 248 249struct route_enc { 250 struct rtentry *re_rt; 251 struct sockaddr_encap re_dst; 252}; 253 254struct tdb /* tunnel descriptor block */ 255{ 256 /* 257 * Each TDB is on three hash tables: one keyed on dst/spi/sproto, 258 * one keyed on dst/sproto, and one keyed on src/sproto. The first 259 * is used for finding a specific TDB, the second for finding TDBs 260 * TDBs for outgoing policy matching, and the third for incoming 261 * policy matching. The following three fields maintain the hash 262 * queues in those three tables. 263 */ 264 struct tdb *tdb_hnext; /* dst/spi/sproto table */ 265 struct tdb *tdb_anext; /* dst/sproto table */ 266 struct tdb *tdb_snext; /* src/sproto table */ 267 struct tdb *tdb_inext; 268 struct tdb *tdb_onext; 269 270 struct xformsw *tdb_xform; /* Transformation to use */ 271 struct enc_xform *tdb_encalgxform; /* Encryption algorithm xform */ 272 struct auth_hash *tdb_authalgxform; /* Authentication algorithm xform */ 273 274#define TDBF_UNIQUE 0x00001 /* This should not be used by others */ 275#define TDBF_TIMER 0x00002 /* Absolute expiration timer in use */ 276#define TDBF_BYTES 0x00004 /* Check the byte counters */ 277#define TDBF_ALLOCATIONS 0x00008 /* Check the flows counters */ 278#define TDBF_INVALID 0x00010 /* This SPI is not valid yet/anymore */ 279#define TDBF_FIRSTUSE 0x00020 /* Expire after first use */ 280#define TDBF_HALFIV 0x00040 /* Use half-length IV (ESP old only) */ 281#define TDBF_SOFT_TIMER 0x00080 /* Soft expiration */ 282#define TDBF_SOFT_BYTES 0x00100 /* Soft expiration */ 283#define TDBF_SOFT_ALLOCATIONS 0x00200 /* Soft expiration */ 284#define TDBF_SOFT_FIRSTUSE 0x00400 /* Soft expiration */ 285#define TDBF_PFS 0x00800 /* Ask for PFS from Key Mgmt. */ 286#define TDBF_TUNNELING 0x01000 /* Force IP-IP encapsulation */ 287#define TDBF_NOREPLAY 0x02000 /* No replay counter present */ 288#define TDBF_RANDOMPADDING 0x04000 /* Random data in the ESP padding */ 289#define TDBF_SKIPCRYPTO 0x08000 /* Skip actual crypto processing */ 290#define TDBF_USEDTUNNEL 0x10000 /* Appended a tunnel header in past */ 291 292 u_int32_t tdb_flags; /* Flags related to this TDB */ 293 294 struct timeout tdb_timer_tmo; 295 struct timeout tdb_first_tmo; 296 struct timeout tdb_stimer_tmo; 297 struct timeout tdb_sfirst_tmo; 298 299 u_int32_t tdb_exp_allocations; /* Expire after so many flows */ 300 u_int32_t tdb_soft_allocations; /* Expiration warning */ 301 u_int32_t tdb_cur_allocations; /* Total number of allocations */ 302 303 u_int64_t tdb_exp_bytes; /* Expire after so many bytes passed */ 304 u_int64_t tdb_soft_bytes; /* Expiration warning */ 305 u_int64_t tdb_cur_bytes; /* Current count of bytes */ 306 307 u_int64_t tdb_exp_timeout; /* When does the SPI expire */ 308 u_int64_t tdb_soft_timeout; /* Send a soft-expire warning */ 309 u_int64_t tdb_established; /* When was the SPI established */ 310 311 u_int64_t tdb_first_use; /* When was it first used */ 312 u_int64_t tdb_soft_first_use; /* Soft warning */ 313 u_int64_t tdb_exp_first_use; /* Expire if tdb_first_use + 314 * tdb_exp_first_use <= curtime */ 315 316 u_int64_t tdb_last_used; /* When was this SA last used */ 317 u_int64_t tdb_last_marked; /* Last SKIPCRYPTO status change */ 318 319 u_int64_t tdb_cryptoid; /* Crypto session ID */ 320 321 u_int32_t tdb_spi; /* SPI */ 322 u_int16_t tdb_amxkeylen; /* Raw authentication key length */ 323 u_int16_t tdb_emxkeylen; /* Raw encryption key length */ 324 u_int16_t tdb_ivlen; /* IV length */ 325 u_int8_t tdb_sproto; /* IPsec protocol */ 326 u_int8_t tdb_wnd; /* Replay window */ 327 u_int8_t tdb_satype; /* SA type (RFC2367, PF_KEY) */ 328 329 union sockaddr_union tdb_dst; /* Destination address for this SA */ 330 union sockaddr_union tdb_src; /* Source address for this SA */ 331 union sockaddr_union tdb_proxy; 332 333 u_int8_t *tdb_amxkey; /* Raw authentication key */ 334 u_int8_t *tdb_emxkey; /* Raw encryption key */ 335 336 u_int32_t tdb_rpl; /* Replay counter */ 337 u_int32_t tdb_bitmap; /* Used for replay sliding window */ 338 u_int32_t tdb_initial; /* Initial replay value */ 339 340 u_int32_t tdb_epoch; /* Used by the kernfs interface */ 341 342 u_int8_t tdb_iv[4]; /* Used for HALF-IV ESP */ 343 344 struct ipsec_ref *tdb_local_cred; 345 struct ipsec_ref *tdb_remote_cred; 346 struct ipsec_ref *tdb_srcid; /* Source ID for this SA */ 347 struct ipsec_ref *tdb_dstid; /* Destination ID for this SA */ 348 struct ipsec_ref *tdb_local_auth; /* Local authentication material */ 349 struct ipsec_ref *tdb_remote_auth; /* Remote authentication material */ 350 351 u_int32_t tdb_mtu; /* MTU at this point in the chain */ 352 u_int64_t tdb_mtutimeout; /* When to ignore this entry */ 353 354 TAILQ_HEAD(tdb_inp_head_in, inpcb) tdb_inp_in; 355 TAILQ_HEAD(tdb_inp_head_out, inpcb) tdb_inp_out; 356 TAILQ_HEAD(tdb_policy_head, ipsec_policy) tdb_policy_head; 357}; 358 359struct tdb_ident 360{ 361 u_int32_t spi; 362 union sockaddr_union dst; 363 u_int8_t proto; 364}; 365 366struct tdb_crypto { 367 u_int32_t tc_spi; 368 union sockaddr_union tc_dst; 369 u_int8_t tc_proto; 370 int tc_protoff; 371 int tc_skip; 372 caddr_t tc_ptr; 373}; 374 375struct ipsecinit 376{ 377 u_int8_t *ii_enckey; 378 u_int8_t *ii_authkey; 379 u_int16_t ii_enckeylen; 380 u_int16_t ii_authkeylen; 381 u_int8_t ii_encalg; 382 u_int8_t ii_authalg; 383}; 384 385struct xformsw 386{ 387 u_short xf_type; /* Unique ID of xform */ 388 u_short xf_flags; /* flags (see below) */ 389 char *xf_name; /* human-readable name */ 390 int (*xf_attach)(void); /* called at config time */ 391 int (*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *); 392 int (*xf_zeroize)(struct tdb *); /* termination */ 393 int (*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */ 394 int (*xf_output)(struct mbuf *, struct tdb *, struct mbuf **, int, int); /* output */ 395}; 396 397/* xform IDs */ 398#define XF_IP4 1 /* IP inside IP */ 399#define XF_AH 2 /* AH */ 400#define XF_ESP 3 /* ESP */ 401#define XF_TCPSIGNATURE 5 /* TCP MD5 Signature option, RFC 2358 */ 402 403/* xform attributes */ 404#define XFT_AUTH 0x0001 405#define XFT_CONF 0x0100 406 407#define IPSEC_ZEROES_SIZE 256 /* Larger than an IP6 extension hdr. */ 408#define IPSEC_KERNFS_BUFSIZE 4096 409 410#if BYTE_ORDER == LITTLE_ENDIAN 411static __inline u_int64_t 412htonq(u_int64_t q) 413{ 414 register u_int32_t u, l; 415 u = q >> 32; 416 l = (u_int32_t) q; 417 418 return htonl(u) | ((u_int64_t)htonl(l) << 32); 419} 420 421#define ntohq(_x) htonq(_x) 422 423#elif BYTE_ORDER == BIG_ENDIAN 424 425#define htonq(_x) (_x) 426#define ntohq(_x) htonq(_x) 427 428#else 429#error "Please fix <machine/endian.h>" 430#endif 431 432#ifdef _KERNEL 433 434/* 435 * Protects all tdb lists. 436 * Must at least be splsoftnet (note: do not use splsoftclock as it is 437 * special on some architectures, assuming it is always an spl lowering 438 * operation). 439 */ 440#define spltdb splsoftnet 441 442extern int encdebug; 443extern int ipsec_acl; 444extern int ipsec_keep_invalid; 445extern int ipsec_in_use; 446extern u_int64_t ipsec_last_added; 447extern int ipsec_require_pfs; 448extern int ipsec_expire_acquire; 449 450extern int ipsec_soft_allocations; 451extern int ipsec_exp_allocations; 452extern int ipsec_soft_bytes; 453extern int ipsec_exp_bytes; 454extern int ipsec_soft_timeout; 455extern int ipsec_exp_timeout; 456extern int ipsec_soft_first_use; 457extern int ipsec_exp_first_use; 458extern char ipsec_def_enc[]; 459extern char ipsec_def_auth[]; 460 461extern struct enc_xform enc_xform_des; 462extern struct enc_xform enc_xform_3des; 463extern struct enc_xform enc_xform_blf; 464extern struct enc_xform enc_xform_cast5; 465extern struct enc_xform enc_xform_skipjack; 466 467extern struct auth_hash auth_hash_hmac_md5_96; 468extern struct auth_hash auth_hash_hmac_sha1_96; 469extern struct auth_hash auth_hash_hmac_ripemd_160_96; 470 471extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head; 472extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head; 473 474extern struct xformsw xformsw[], *xformswNXFORMSW; 475 476/* Check if a given tdb has encryption, authentication and/or tunneling */ 477#define TDB_ATTRIB(x) (((x)->tdb_encalgxform ? NOTIFY_SATYPE_CONF : 0)| \ 478 ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0)) 479 480/* Traverse spi chain and get attributes */ 481 482#define SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) do {\ 483 int s = spltdb(); \ 484 struct tdb *tmptdb = (TDBP); \ 485 \ 486 (have) = 0; \ 487 while (tmptdb && tmptdb->tdb_xform) { \ 488 if (tmptdb == NULL || tmptdb->tdb_flags & TDBF_INVALID) \ 489 break; \ 490 (have) |= TDB_ATTRIB(tmptdb); \ 491 tmptdb = tmptdb->TDB_DIR; \ 492 } \ 493 splx(s); \ 494} while (0) 495 496/* Misc. */ 497extern char *inet_ntoa4(struct in_addr); 498extern char *ipsp_address(union sockaddr_union); 499 500/* TDB management routines */ 501extern void tdb_add_inp(struct tdb *, struct inpcb *, int); 502extern u_int32_t reserve_spi(u_int32_t, u_int32_t, union sockaddr_union *, 503 union sockaddr_union *, u_int8_t, int *); 504extern struct tdb *gettdb(u_int32_t, union sockaddr_union *, u_int8_t); 505extern struct tdb *gettdbbyaddr(union sockaddr_union *, struct ipsec_policy *, 506 struct mbuf *, int); 507extern struct tdb *gettdbbysrc(union sockaddr_union *, struct ipsec_policy *, 508 struct mbuf *, int); 509extern void puttdb(struct tdb *); 510extern void tdb_delete(struct tdb *); 511extern struct tdb *tdb_alloc(void); 512extern int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *); 513extern int tdb_walk(int (*)(struct tdb *, void *, int), void *); 514 515/* XF_IP4 */ 516extern int ipe4_attach(void); 517extern int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *); 518extern int ipe4_zeroize(struct tdb *); 519extern int ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 520extern void ipe4_input __P((struct mbuf *, ...)); 521extern void ipip_input __P((struct mbuf *, int)); 522 523#ifdef INET 524extern void ip4_input __P((struct mbuf *, ...)); 525#endif /* INET */ 526 527#ifdef INET6 528extern int ip4_input6 __P((struct mbuf **, int *, int)); 529#endif /* INET */ 530 531/* XF_ETHERIP */ 532extern int etherip_output(struct mbuf *, struct tdb *, struct mbuf **, 533 int, int); 534extern void etherip_input __P((struct mbuf *, ...)); 535 536/* XF_AH */ 537extern int ah_attach(void); 538extern int ah_init(struct tdb *, struct xformsw *, struct ipsecinit *); 539extern int ah_zeroize(struct tdb *); 540extern int ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 541extern int ah_output_cb(void *); 542extern int ah_input(struct mbuf *, struct tdb *, int, int); 543extern int ah_input_cb(void *); 544extern int ah_sysctl(int *, u_int, void *, size_t *, void *, size_t); 545extern int ah_massage_headers(struct mbuf **, int, int, int, int); 546 547#ifdef INET 548extern void ah4_input __P((struct mbuf *, ...)); 549extern int ah4_input_cb __P((struct mbuf *, ...)); 550extern void *ah4_ctlinput __P((int, struct sockaddr *, void *)); 551#endif /* INET */ 552 553#ifdef INET6 554extern int ah6_input __P((struct mbuf **, int *, int)); 555extern int ah6_input_cb __P((struct mbuf *, int, int)); 556#endif /* INET6 */ 557 558/* XF_ESP */ 559extern int esp_attach(void); 560extern int esp_init(struct tdb *, struct xformsw *, struct ipsecinit *); 561extern int esp_zeroize(struct tdb *); 562extern int esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 563extern int esp_output_cb(void *); 564extern int esp_input(struct mbuf *, struct tdb *, int, int); 565extern int esp_input_cb(void *); 566extern int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t); 567 568#ifdef INET 569extern void esp4_input __P((struct mbuf *, ...)); 570extern int esp4_input_cb __P((struct mbuf *, ...)); 571extern void *esp4_ctlinput __P((int, struct sockaddr *, void *)); 572#endif /* INET */ 573 574#ifdef INET6 575extern int esp6_input __P((struct mbuf **, int *, int)); 576extern int esp6_input_cb __P((struct mbuf *, int, int)); 577#endif /* INET6 */ 578 579/* XF_TCPSIGNATURE */ 580extern int tcp_signature_tdb_attach __P((void)); 581extern int tcp_signature_tdb_init __P((struct tdb *, struct xformsw *, 582 struct ipsecinit *)); 583extern int tcp_signature_tdb_zeroize __P((struct tdb *)); 584extern int tcp_signature_tdb_input __P((struct mbuf *, struct tdb *, int, 585 int)); 586extern int tcp_signature_tdb_output __P((struct mbuf *, struct tdb *, 587 struct mbuf **, int, int)); 588 589/* Padding */ 590extern caddr_t m_pad(struct mbuf *, int); 591 592/* Replay window */ 593extern int checkreplaywindow32(u_int32_t, u_int32_t, u_int32_t *, u_int32_t, 594 u_int32_t *); 595 596extern unsigned char ipseczeroes[]; 597 598/* Packet processing */ 599extern int ipsp_process_packet(struct mbuf *, struct tdb *, int, int); 600extern int ipsp_process_done(struct mbuf *, struct tdb *); 601extern struct tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int, 602 struct tdb *, struct inpcb *); 603extern int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int, 604 struct m_tag *); 605extern int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *, 606 union sockaddr_union *, struct sockaddr_encap *, 607 struct mbuf *); 608extern struct ipsec_policy *ipsec_add_policy(struct sockaddr_encap *, 609 struct sockaddr_encap *, 610 union sockaddr_union *, int, int); 611extern int ipsec_delete_policy(struct ipsec_policy *); 612extern void ipsp_acquire_expirations(void *); 613extern struct ipsec_acquire *ipsp_pending_acquire(union sockaddr_union *); 614extern struct ipsec_acquire *ipsec_get_acquire(u_int32_t); 615extern void ipsp_delete_acquire(struct ipsec_acquire *); 616extern void ipsp_clear_acquire(struct tdb *); 617extern int ipsp_is_unspecified(union sockaddr_union); 618extern void ipsp_reffree(struct ipsec_ref *); 619extern void ipsp_skipcrypto_unmark(struct tdb_ident *); 620extern void ipsp_skipcrypto_mark(struct tdb_ident *); 621extern struct m_tag *ipsp_parse_headers(struct mbuf *, int, u_int8_t); 622extern int ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *); 623extern ssize_t ipsec_hdrsz(struct tdb *); 624extern void ipsec_adjust_mtu(struct mbuf *, u_int32_t); 625#endif /* _KERNEL */ 626#endif /* _NETINET_IPSP_H_ */ 627