ip_ipsp.h revision 1.105 
1/*	$OpenBSD: ip_ipsp.h,v 1.105 2001/06/24 18:22:47 provos Exp $	*/
2
3/*
4 * The authors of this code are John Ioannidis (ji@tla.org),
5 * Angelos D. Keromytis (kermit@csd.uch.gr),
6 * Niels Provos (provos@physnet.uni-hamburg.de) and
7 * Niklas Hallqvist (niklas@appli.se).
8 *
9 * The original version of this code was written by John Ioannidis
10 * for BSD/OS in Athens, Greece, in November 1995.
11 *
12 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
13 * by Angelos D. Keromytis.
14 *
15 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
16 * and Niels Provos.
17 *
18 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
19 *
20 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
21 * Angelos D. Keromytis and Niels Provos.
22 * Copyright (c) 1999 Niklas Hallqvist.
23 *
24 * Permission to use, copy, and modify this software without fee
25 * is hereby granted, provided that this entire notice is included in
26 * all copies of any software which is or includes a copy or
27 * modification of this software.
28 * You may use this code under the GNU public license if you so wish. Please
29 * contribute changes back to the authors under this freer than GPL license
30 * so that we may further the use of strong encryption without limitations to
31 * all.
32 *
33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37 * PURPOSE.
38 */
39
40#ifndef _NETINET_IPSP_H_
41#define _NETINET_IPSP_H_
42
43/* IPSP global definitions. */
44
45#include <sys/types.h>
46#include <sys/queue.h>
47#include <sys/timeout.h>
48#include <netinet/in.h>
49
50union sockaddr_union
51{
52    struct sockaddr     sa;
53    struct sockaddr_in  sin;
54    struct sockaddr_in6 sin6;
55};
56
57/* HMAC key sizes */
58#define MD5HMAC96_KEYSIZE       16
59#define SHA1HMAC96_KEYSIZE      20
60#define RIPEMD160HMAC96_KEYSIZE 20
61
62#define AH_HMAC_HASHLEN		12	/* 96 bits of authenticator */
63#define AH_HMAC_RPLENGTH        4	/* 32 bits of replay counter */
64#define AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */
65
66/* Authenticator lengths */
67#define AH_MD5_ALEN		16
68#define AH_SHA1_ALEN		20
69#define AH_RMD160_ALEN		20
70#define AH_ALEN_MAX		20 	/* Keep updated */
71
72/* Reserved SPI numbers */
73#define SPI_LOCAL_USE		0
74#define SPI_RESERVED_MIN	1
75#define SPI_RESERVED_MAX	255
76
77/* sysctl default values */
78#define IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT	60	/* 1 minute */
79#define IPSEC_DEFAULT_PFS                       1
80#define IPSEC_DEFAULT_SOFT_ALLOCATIONS          0
81#define IPSEC_DEFAULT_EXP_ALLOCATIONS           0
82#define IPSEC_DEFAULT_SOFT_BYTES                0
83#define IPSEC_DEFAULT_EXP_BYTES                 0
84#define IPSEC_DEFAULT_SOFT_TIMEOUT              80000
85#define IPSEC_DEFAULT_EXP_TIMEOUT               86400
86#define IPSEC_DEFAULT_SOFT_FIRST_USE            3600
87#define IPSEC_DEFAULT_EXP_FIRST_USE             7200
88#define IPSEC_DEFAULT_DEF_ENC                   "aes"
89#define IPSEC_DEFAULT_DEF_AUTH                   "hmac-sha1"
90#define IPSEC_DEFAULT_EXPIRE_ACQUIRE            30
91
92struct sockaddr_encap
93{
94    u_int8_t	sen_len;		/* length */
95    u_int8_t	sen_family;		/* PF_KEY */
96    u_int16_t	sen_type;		/* see SENT_* */
97    union
98    {
99	struct				/* SENT_IP4 */
100	{
101	    u_int8_t Direction;
102	    struct in_addr Src;
103	    struct in_addr Dst;
104	    u_int8_t Proto;
105	    u_int16_t Sport;
106	    u_int16_t Dport;
107	} Sip4;
108
109	struct				/* SENT_IP6 */
110	{
111	    u_int8_t Direction;
112	    struct in6_addr Src;
113	    struct in6_addr Dst;
114	    u_int8_t Proto;
115	    u_int16_t Sport;
116	    u_int16_t Dport;
117	} Sip6;
118
119	struct ipsec_policy *PolicyHead;  /* SENT_IPSP */
120    } Sen;
121};
122
123#define IPSP_DIRECTION_IN     0x1
124#define IPSP_DIRECTION_OUT    0x2
125
126#define sen_data	  Sen.Data
127#define sen_ip_src	  Sen.Sip4.Src
128#define sen_ip_dst	  Sen.Sip4.Dst
129#define sen_proto	  Sen.Sip4.Proto
130#define sen_sport	  Sen.Sip4.Sport
131#define sen_dport	  Sen.Sip4.Dport
132#define sen_direction     Sen.Sip4.Direction
133#define sen_ip6_src	  Sen.Sip6.Src
134#define sen_ip6_dst	  Sen.Sip6.Dst
135#define sen_ip6_proto	  Sen.Sip6.Proto
136#define sen_ip6_sport	  Sen.Sip6.Sport
137#define sen_ip6_dport	  Sen.Sip6.Dport
138#define sen_ip6_direction Sen.Sip6.Direction
139#define sen_ipsp          Sen.PolicyHead
140
141/*
142 * The "type" is really part of the address as far as the routing
143 * system is concerned. By using only one bit in the type field
144 * for each type, we sort-of make sure that different types of
145 * encapsulation addresses won't be matched against the wrong type.
146 *
147 */
148
149#define SENT_IP4	0x0001		/* data is two struct in_addr */
150#define SENT_IPSP	0x0002		/* data as in IP4/6 plus SPI */
151#define SENT_IP6        0x0004
152
153#define SENT_LEN        sizeof(struct sockaddr_encap)
154
155struct ipsec_ref
156{
157    u_int16_t ref_type;		/* Subtype of data */
158    int16_t   ref_len;		/* Length of data following */
159    int       ref_count;	/* Reference count */
160    int       ref_malloctype;	/* malloc(9) type, for freeing purposes */
161};
162
163struct ipsec_acquire
164{
165    union sockaddr_union       ipa_addr;
166    u_int64_t                  ipa_expire;
167    u_int32_t                  ipa_seq;
168    struct sockaddr_encap      ipa_info;
169    struct sockaddr_encap      ipa_mask;
170    struct mbuf               *ipa_packet;
171    TAILQ_ENTRY(ipsec_acquire) ipa_next;
172};
173
174struct ipsec_policy
175{
176    struct sockaddr_encap ipo_addr;
177    struct sockaddr_encap ipo_mask;
178
179    union sockaddr_union ipo_src;   /* Local address to use */
180    union sockaddr_union ipo_dst;   /* Remote gateway -- if it's zeroed:
181				     * - on output, we try to contact the
182				     * remote host directly (if needed).
183				     * - on input, we accept on if the
184				     * inner source is the same as the
185				     * outer source address, or if transport
186				     * mode was used.
187				     */
188
189    u_int64_t            ipo_last_searched; /* Timestamp of last lookup */
190
191    u_int8_t             ipo_flags; /* See IPSP_POLICY_* definitions */
192    u_int8_t             ipo_type;  /* USE/ACQUIRE/... */
193    u_int8_t             ipo_sproto;/* ESP, AH; if zero we use system dflts */
194
195    struct tdb          *ipo_tdb;   /* Cached entry */
196
197    struct ipsec_ref    *ipo_srcid;
198    struct ipsec_ref    *ipo_dstid;
199    struct ipsec_ref    *ipo_local_cred;
200    struct ipsec_ref    *ipo_local_auth;
201
202    TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* List of policies on TDB */
203    TAILQ_ENTRY(ipsec_policy) ipo_list; /* List of all policy entries */
204};
205
206#define IPSP_POLICY_NONE    0x0000  /* No flags set */
207#define IPSP_POLICY_SOCKET  0x0001  /* Socket-attached policy */
208#define IPSP_POLICY_STATIC  0x0002  /* Static policy */
209
210#define IPSP_IPSEC_USE      0 /* Use if existing, don't bother establishing */
211#define IPSP_IPSEC_ACQUIRE  1 /* Try to acquire in parallel but let packet */
212#define IPSP_IPSEC_REQUIRE  2 /* Require SA */
213#define IPSP_PERMIT         3 /* Permit traffic through */
214#define IPSP_DENY           4 /* Deny traffic */
215#define IPSP_IPSEC_DONTACQ  5 /* Require, but don't acquire */
216
217/* Notification types */
218#define NOTIFY_SOFT_EXPIRE      0       /* Soft expiration of SA */
219#define NOTIFY_HARD_EXPIRE      1       /* Hard expiration of SA */
220#define NOTIFY_REQUEST_SA       2       /* Establish an SA */
221
222#define NOTIFY_SATYPE_CONF      1       /* SA should do encryption */
223#define NOTIFY_SATYPE_AUTH      2       /* SA should do authentication */
224#define NOTIFY_SATYPE_TUNNEL    4       /* SA should use tunneling */
225
226/* Authentication types */
227#define IPSP_AUTH_NONE          0
228#define IPSP_AUTH_PASSPHRASE    1
229#define IPSP_AUTH_RSA           2
230
231/* Credential types */
232#define IPSP_CRED_NONE          0
233#define IPSP_CRED_KEYNOTE       1
234#define IPSP_CRED_X509          2
235
236/* Identity types */
237#define IPSP_IDENTITY_NONE       0
238#define IPSP_IDENTITY_PREFIX     1
239#define IPSP_IDENTITY_FQDN       2
240#define IPSP_IDENTITY_USERFQDN   3
241#define IPSP_IDENTITY_CONNECTION 4
242
243/*
244 * For encapsulation routes are possible not only for the destination
245 * address but also for the protocol, source and destination ports
246 * if available
247 */
248
249struct route_enc {
250    struct rtentry *re_rt;
251    struct sockaddr_encap re_dst;
252};
253
254struct tdb				/* tunnel descriptor block */
255{
256    /*
257     * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
258     * one keyed on dst/sproto, and one keyed on src/sproto. The first
259     * is used for finding a specific TDB, the second for finding TDBs
260     * TDBs for outgoing policy matching, and the third for incoming
261     * policy matching. The following three fields maintain the hash
262     * queues in those three tables.
263     */
264    struct tdb	     *tdb_hnext;   /* dst/spi/sproto table */
265    struct tdb       *tdb_anext;   /* dst/sproto table */
266    struct tdb       *tdb_snext;   /* src/sproto table */
267    struct tdb       *tdb_inext;
268    struct tdb       *tdb_onext;
269
270    struct xformsw   *tdb_xform;	/* Transformation to use */
271    struct enc_xform *tdb_encalgxform;  /* Encryption algorithm xform */
272    struct auth_hash *tdb_authalgxform; /* Authentication algorithm xform */
273
274#define TDBF_UNIQUE	      0x00001	/* This should not be used by others */
275#define TDBF_TIMER            0x00002	/* Absolute expiration timer in use */
276#define TDBF_BYTES            0x00004	/* Check the byte counters */
277#define TDBF_ALLOCATIONS      0x00008	/* Check the flows counters */
278#define TDBF_INVALID          0x00010	/* This SPI is not valid yet/anymore */
279#define TDBF_FIRSTUSE         0x00020	/* Expire after first use */
280#define TDBF_HALFIV           0x00040	/* Use half-length IV (ESP old only) */
281#define TDBF_SOFT_TIMER       0x00080	/* Soft expiration */
282#define TDBF_SOFT_BYTES       0x00100	/* Soft expiration */
283#define TDBF_SOFT_ALLOCATIONS 0x00200	/* Soft expiration */
284#define TDBF_SOFT_FIRSTUSE    0x00400	/* Soft expiration */
285#define TDBF_PFS              0x00800	/* Ask for PFS from Key Mgmt. */
286#define TDBF_TUNNELING        0x01000	/* Force IP-IP encapsulation */
287#define TDBF_NOREPLAY         0x02000	/* No replay counter present */
288#define TDBF_RANDOMPADDING    0x04000	/* Random data in the ESP padding */
289#define TDBF_SKIPCRYPTO       0x08000	/* Skip actual crypto processing */
290#define TDBF_USEDTUNNEL       0x10000	/* Appended a tunnel header in past */
291
292    u_int32_t	      tdb_flags;	/* Flags related to this TDB */
293
294    struct timeout    tdb_timer_tmo;
295    struct timeout    tdb_first_tmo;
296    struct timeout    tdb_stimer_tmo;
297    struct timeout    tdb_sfirst_tmo;
298
299    u_int32_t         tdb_exp_allocations;  /* Expire after so many flows */
300    u_int32_t         tdb_soft_allocations; /* Expiration warning */
301    u_int32_t         tdb_cur_allocations;  /* Total number of allocations */
302
303    u_int64_t         tdb_exp_bytes;	/* Expire after so many bytes passed */
304    u_int64_t         tdb_soft_bytes;	/* Expiration warning */
305    u_int64_t         tdb_cur_bytes;	/* Current count of bytes */
306
307    u_int64_t         tdb_exp_timeout;	/* When does the SPI expire */
308    u_int64_t         tdb_soft_timeout;	/* Send a soft-expire warning */
309    u_int64_t         tdb_established;	/* When was the SPI established */
310
311    u_int64_t	      tdb_first_use;	  /* When was it first used */
312    u_int64_t         tdb_soft_first_use; /* Soft warning */
313    u_int64_t         tdb_exp_first_use;  /* Expire if tdb_first_use +
314					   * tdb_exp_first_use <= curtime */
315
316    u_int64_t         tdb_last_used;    /* When was this SA last used */
317    u_int64_t         tdb_last_marked;  /* Last SKIPCRYPTO status change */
318
319    u_int64_t         tdb_cryptoid;     /* Crypto session ID */
320
321    u_int32_t	      tdb_spi;    	/* SPI */
322    u_int16_t         tdb_amxkeylen;    /* Raw authentication key length */
323    u_int16_t         tdb_emxkeylen;    /* Raw encryption key length */
324    u_int16_t         tdb_ivlen;        /* IV length */
325    u_int8_t	      tdb_sproto;	/* IPsec protocol */
326    u_int8_t          tdb_wnd;          /* Replay window */
327    u_int8_t          tdb_satype;       /* SA type (RFC2367, PF_KEY) */
328
329    union sockaddr_union tdb_dst;	/* Destination address for this SA */
330    union sockaddr_union tdb_src;	/* Source address for this SA */
331    union sockaddr_union tdb_proxy;
332
333    u_int8_t         *tdb_amxkey;       /* Raw authentication key */
334    u_int8_t         *tdb_emxkey;       /* Raw encryption key */
335
336    u_int32_t         tdb_rpl;	        /* Replay counter */
337    u_int32_t         tdb_bitmap;       /* Used for replay sliding window */
338    u_int32_t         tdb_initial;	/* Initial replay value */
339
340    u_int32_t         tdb_epoch;	/* Used by the kernfs interface */
341
342    u_int8_t          tdb_iv[4];        /* Used for HALF-IV ESP */
343
344    struct ipsec_ref *tdb_local_cred;
345    struct ipsec_ref *tdb_remote_cred;
346    struct ipsec_ref *tdb_srcid;	/* Source ID for this SA */
347    struct ipsec_ref *tdb_dstid;	/* Destination ID for this SA */
348    struct ipsec_ref *tdb_local_auth;	/* Local authentication material */
349    struct ipsec_ref *tdb_remote_auth;	/* Remote authentication material */
350
351    u_int32_t	      tdb_mtu;		/* MTU at this point in the chain */
352    u_int64_t	      tdb_mtutimeout;	/* When to ignore this entry */
353
354    TAILQ_HEAD(tdb_inp_head_in, inpcb) tdb_inp_in;
355    TAILQ_HEAD(tdb_inp_head_out, inpcb) tdb_inp_out;
356    TAILQ_HEAD(tdb_policy_head, ipsec_policy) tdb_policy_head;
357};
358
359struct tdb_ident
360{
361    u_int32_t spi;
362    union sockaddr_union dst;
363    u_int8_t proto;
364};
365
366struct tdb_crypto {
367    u_int32_t			tc_spi;
368    union sockaddr_union	tc_dst;
369    u_int8_t			tc_proto;
370    int                         tc_protoff;
371    int                         tc_skip;
372    caddr_t                     tc_ptr;
373};
374
375struct ipsecinit
376{
377    u_int8_t       *ii_enckey;
378    u_int8_t       *ii_authkey;
379    u_int16_t       ii_enckeylen;
380    u_int16_t       ii_authkeylen;
381    u_int8_t        ii_encalg;
382    u_int8_t        ii_authalg;
383};
384
385struct xformsw
386{
387    u_short		xf_type;	/* Unique ID of xform */
388    u_short		xf_flags;	/* flags (see below) */
389    char		*xf_name;	/* human-readable name */
390    int		(*xf_attach)(void);	/* called at config time */
391    int		(*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *);
392    int		(*xf_zeroize)(struct tdb *); /* termination */
393    int         (*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */
394    int		(*xf_output)(struct mbuf *, struct tdb *, struct mbuf **, int, int);        /* output */
395};
396
397/* xform IDs */
398#define XF_IP4		1	/* IP inside IP */
399#define XF_AH		2	/* AH */
400#define XF_ESP		3	/* ESP */
401#define XF_TCPSIGNATURE	5	/* TCP MD5 Signature option, RFC 2358 */
402
403/* xform attributes */
404#define XFT_AUTH	0x0001
405#define XFT_CONF	0x0100
406
407#define IPSEC_ZEROES_SIZE	256	/* Larger than an IP6 extension hdr. */
408#define IPSEC_KERNFS_BUFSIZE    4096
409
410#if BYTE_ORDER == LITTLE_ENDIAN
411static __inline u_int64_t
412htonq(u_int64_t q)
413{
414    register u_int32_t u, l;
415    u = q >> 32;
416    l = (u_int32_t) q;
417
418    return htonl(u) | ((u_int64_t)htonl(l) << 32);
419}
420
421#define ntohq(_x) htonq(_x)
422
423#elif BYTE_ORDER == BIG_ENDIAN
424
425#define htonq(_x) (_x)
426#define ntohq(_x) htonq(_x)
427
428#else
429#error  "Please fix <machine/endian.h>"
430#endif
431
432#ifdef _KERNEL
433
434/*
435 * Protects all tdb lists.
436 * Must at least be splsoftnet (note: do not use splsoftclock as it is
437 * special on some architectures, assuming it is always an spl lowering
438 * operation).
439 */
440#define spltdb	splsoftnet
441
442extern int encdebug;
443extern int ipsec_acl;
444extern int ipsec_keep_invalid;
445extern int ipsec_in_use;
446extern u_int64_t ipsec_last_added;
447extern int ipsec_require_pfs;
448extern int ipsec_expire_acquire;
449
450extern int ipsec_soft_allocations;
451extern int ipsec_exp_allocations;
452extern int ipsec_soft_bytes;
453extern int ipsec_exp_bytes;
454extern int ipsec_soft_timeout;
455extern int ipsec_exp_timeout;
456extern int ipsec_soft_first_use;
457extern int ipsec_exp_first_use;
458extern char ipsec_def_enc[];
459extern char ipsec_def_auth[];
460
461extern struct enc_xform enc_xform_des;
462extern struct enc_xform enc_xform_3des;
463extern struct enc_xform enc_xform_blf;
464extern struct enc_xform enc_xform_cast5;
465extern struct enc_xform enc_xform_skipjack;
466
467extern struct auth_hash auth_hash_hmac_md5_96;
468extern struct auth_hash auth_hash_hmac_sha1_96;
469extern struct auth_hash auth_hash_hmac_ripemd_160_96;
470
471extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;
472extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head;
473
474extern struct xformsw xformsw[], *xformswNXFORMSW;
475
476/* Check if a given tdb has encryption, authentication and/or tunneling */
477#define TDB_ATTRIB(x) (((x)->tdb_encalgxform ? NOTIFY_SATYPE_CONF : 0)| \
478		       ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0))
479
480/* Traverse spi chain and get attributes */
481
482#define SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) do {\
483	int s = spltdb(); \
484	struct tdb *tmptdb = (TDBP); \
485	\
486	(have) = 0; \
487	while (tmptdb && tmptdb->tdb_xform) { \
488	        if (tmptdb == NULL || tmptdb->tdb_flags & TDBF_INVALID) \
489	                break; \
490                (have) |= TDB_ATTRIB(tmptdb); \
491                tmptdb = tmptdb->TDB_DIR; \
492        } \
493	splx(s); \
494} while (0)
495
496/* Misc. */
497extern char *inet_ntoa4(struct in_addr);
498extern char *ipsp_address(union sockaddr_union);
499
500/* TDB management routines */
501extern void tdb_add_inp(struct tdb *, struct inpcb *, int);
502extern u_int32_t reserve_spi(u_int32_t, u_int32_t, union sockaddr_union *,
503			     union sockaddr_union *, u_int8_t, int *);
504extern struct tdb *gettdb(u_int32_t, union sockaddr_union *, u_int8_t);
505extern struct tdb *gettdbbyaddr(union sockaddr_union *, struct ipsec_policy *,
506				struct mbuf *, int);
507extern struct tdb *gettdbbysrc(union sockaddr_union *, struct ipsec_policy *,
508			       struct mbuf *, int);
509extern void puttdb(struct tdb *);
510extern void tdb_delete(struct tdb *);
511extern struct tdb *tdb_alloc(void);
512extern int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
513extern int tdb_walk(int (*)(struct tdb *, void *, int), void *);
514
515/* XF_IP4 */
516extern int ipe4_attach(void);
517extern int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
518extern int ipe4_zeroize(struct tdb *);
519extern int ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
520extern void ipe4_input __P((struct mbuf *, ...));
521extern void ipip_input __P((struct mbuf *, int));
522
523#ifdef INET
524extern void ip4_input __P((struct mbuf *, ...));
525#endif /* INET */
526
527#ifdef INET6
528extern int ip4_input6 __P((struct mbuf **, int *, int));
529#endif /* INET */
530
531/* XF_ETHERIP */
532extern int etherip_output(struct mbuf *, struct tdb *, struct mbuf **,
533			  int, int);
534extern void etherip_input __P((struct mbuf *, ...));
535
536/* XF_AH */
537extern int ah_attach(void);
538extern int ah_init(struct tdb *, struct xformsw *, struct ipsecinit *);
539extern int ah_zeroize(struct tdb *);
540extern int ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
541extern int ah_output_cb(void *);
542extern int ah_input(struct mbuf *, struct tdb *, int, int);
543extern int ah_input_cb(void *);
544extern int ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);
545extern int ah_massage_headers(struct mbuf **, int, int, int, int);
546
547#ifdef INET
548extern void ah4_input __P((struct mbuf *, ...));
549extern int ah4_input_cb __P((struct mbuf *, ...));
550extern void *ah4_ctlinput __P((int, struct sockaddr *, void *));
551#endif /* INET */
552
553#ifdef INET6
554extern int ah6_input __P((struct mbuf **, int *, int));
555extern int ah6_input_cb __P((struct mbuf *, int, int));
556#endif /* INET6 */
557
558/* XF_ESP */
559extern int esp_attach(void);
560extern int esp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
561extern int esp_zeroize(struct tdb *);
562extern int esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
563extern int esp_output_cb(void *);
564extern int esp_input(struct mbuf *, struct tdb *, int, int);
565extern int esp_input_cb(void *);
566extern int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
567
568#ifdef INET
569extern void esp4_input __P((struct mbuf *, ...));
570extern int esp4_input_cb __P((struct mbuf *, ...));
571extern void *esp4_ctlinput __P((int, struct sockaddr *, void *));
572#endif /* INET */
573
574#ifdef INET6
575extern int esp6_input __P((struct mbuf **, int *, int));
576extern int esp6_input_cb __P((struct mbuf *, int, int));
577#endif /* INET6 */
578
579/* XF_TCPSIGNATURE */
580extern int tcp_signature_tdb_attach __P((void));
581extern int tcp_signature_tdb_init __P((struct tdb *, struct xformsw *,
582				       struct ipsecinit *));
583extern int tcp_signature_tdb_zeroize __P((struct tdb *));
584extern int tcp_signature_tdb_input __P((struct mbuf *, struct tdb *, int,
585					int));
586extern int tcp_signature_tdb_output __P((struct mbuf *, struct tdb *,
587					 struct mbuf **, int, int));
588
589/* Padding */
590extern caddr_t m_pad(struct mbuf *, int);
591
592/* Replay window */
593extern int checkreplaywindow32(u_int32_t, u_int32_t, u_int32_t *, u_int32_t,
594                               u_int32_t *);
595
596extern unsigned char ipseczeroes[];
597
598/* Packet processing */
599extern int ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
600extern int ipsp_process_done(struct mbuf *, struct tdb *);
601extern struct tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int,
602                                   struct tdb *, struct inpcb *);
603extern int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int,
604				 struct m_tag *);
605extern int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *,
606			   union sockaddr_union *, struct sockaddr_encap *,
607			   struct mbuf *);
608extern struct ipsec_policy *ipsec_add_policy(struct sockaddr_encap *,
609					     struct sockaddr_encap *,
610					     union sockaddr_union *, int, int);
611extern int ipsec_delete_policy(struct ipsec_policy *);
612extern void ipsp_acquire_expirations(void *);
613extern struct ipsec_acquire *ipsp_pending_acquire(union sockaddr_union *);
614extern struct ipsec_acquire *ipsec_get_acquire(u_int32_t);
615extern void ipsp_delete_acquire(struct ipsec_acquire *);
616extern void ipsp_clear_acquire(struct tdb *);
617extern int ipsp_is_unspecified(union sockaddr_union);
618extern void ipsp_reffree(struct ipsec_ref *);
619extern void ipsp_skipcrypto_unmark(struct tdb_ident *);
620extern void ipsp_skipcrypto_mark(struct tdb_ident *);
621extern struct m_tag *ipsp_parse_headers(struct mbuf *, int, u_int8_t);
622extern int ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *);
623extern ssize_t ipsec_hdrsz(struct tdb *);
624extern void ipsec_adjust_mtu(struct mbuf *, u_int32_t);
625#endif /* _KERNEL */
626#endif /* _NETINET_IPSP_H_ */
627