ip_ipsp.h revision 1.115 
1/*	$OpenBSD: ip_ipsp.h,v 1.115 2001/06/27 04:44:03 angelos Exp $	*/
2/*
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr),
5 * Niels Provos (provos@physnet.uni-hamburg.de) and
6 * Niklas Hallqvist (niklas@appli.se).
7 *
8 * The original version of this code was written by John Ioannidis
9 * for BSD/OS in Athens, Greece, in November 1995.
10 *
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
13 *
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15 * and Niels Provos.
16 *
17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
18 *
19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20 * Angelos D. Keromytis and Niels Provos.
21 * Copyright (c) 1999 Niklas Hallqvist.
22 * Copyright (c) 2001, Angelos D. Keromytis.
23 *
24 * Permission to use, copy, and modify this software with or without fee
25 * is hereby granted, provided that this entire notice is included in
26 * all copies of any software which is or includes a copy or
27 * modification of this software.
28 * You may use this code under the GNU public license if you so wish. Please
29 * contribute changes back to the authors under this freer than GPL license
30 * so that we may further the use of strong encryption without limitations to
31 * all.
32 *
33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37 * PURPOSE.
38 */
39
40#ifndef _NETINET_IPSP_H_
41#define _NETINET_IPSP_H_
42
43/* IPSP global definitions. */
44
45#include <sys/types.h>
46#include <sys/queue.h>
47#include <sys/timeout.h>
48#include <netinet/in.h>
49
50union sockaddr_union {
51	struct sockaddr		sa;
52	struct sockaddr_in	sin;
53	struct sockaddr_in6	sin6;
54};
55
56/* HMAC key sizes */
57#define	MD5HMAC96_KEYSIZE	16
58#define	SHA1HMAC96_KEYSIZE	20
59#define	RIPEMD160HMAC96_KEYSIZE	20
60
61#define	AH_HMAC_HASHLEN		12	/* 96 bits of authenticator */
62#define	AH_HMAC_RPLENGTH	4	/* 32 bits of replay counter */
63#define	AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */
64
65/* Authenticator lengths */
66#define	AH_MD5_ALEN		16
67#define	AH_SHA1_ALEN		20
68#define	AH_RMD160_ALEN		20
69#define	AH_ALEN_MAX		20 	/* Keep updated */
70
71/* Reserved SPI numbers */
72#define	SPI_LOCAL_USE		0
73#define	SPI_RESERVED_MIN	1
74#define	SPI_RESERVED_MAX	255
75
76/* sysctl default values */
77#define	IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT	60	/* 1 minute */
78#define	IPSEC_DEFAULT_PFS			1
79#define	IPSEC_DEFAULT_SOFT_ALLOCATIONS		0
80#define	IPSEC_DEFAULT_EXP_ALLOCATIONS		0
81#define	IPSEC_DEFAULT_SOFT_BYTES		0
82#define	IPSEC_DEFAULT_EXP_BYTES			0
83#define	IPSEC_DEFAULT_SOFT_TIMEOUT		80000
84#define	IPSEC_DEFAULT_EXP_TIMEOUT		86400
85#define	IPSEC_DEFAULT_SOFT_FIRST_USE		3600
86#define	IPSEC_DEFAULT_EXP_FIRST_USE		7200
87#define	IPSEC_DEFAULT_DEF_ENC			"aes"
88#define	IPSEC_DEFAULT_DEF_AUTH			"hmac-sha1"
89#define	IPSEC_DEFAULT_EXPIRE_ACQUIRE		30
90
91struct sockaddr_encap {
92	u_int8_t	sen_len;		/* length */
93	u_int8_t	sen_family;		/* PF_KEY */
94	u_int16_t	sen_type;		/* see SENT_* */
95	union {
96		struct {				/* SENT_IP4 */
97			u_int8_t	Direction;
98			struct in_addr	Src;
99			struct in_addr	Dst;
100			u_int8_t	Proto;
101			u_int16_t	Sport;
102			u_int16_t	Dport;
103		} Sip4;
104
105		struct {				/* SENT_IP6 */
106			u_int8_t	Direction;
107			struct in6_addr	Src;
108			struct in6_addr	Dst;
109			u_int8_t	Proto;
110			u_int16_t	Sport;
111			u_int16_t	Dport;
112		} Sip6;
113
114		struct ipsec_policy	*PolicyHead;	/* SENT_IPSP */
115	} Sen;
116};
117
118#define	IPSP_DIRECTION_IN	0x1
119#define	IPSP_DIRECTION_OUT	0x2
120
121#define	sen_data		Sen.Data
122#define	sen_ip_src		Sen.Sip4.Src
123#define	sen_ip_dst		Sen.Sip4.Dst
124#define	sen_proto		Sen.Sip4.Proto
125#define	sen_sport		Sen.Sip4.Sport
126#define	sen_dport		Sen.Sip4.Dport
127#define	sen_direction		Sen.Sip4.Direction
128#define	sen_ip6_src		Sen.Sip6.Src
129#define	sen_ip6_dst		Sen.Sip6.Dst
130#define	sen_ip6_proto		Sen.Sip6.Proto
131#define	sen_ip6_sport		Sen.Sip6.Sport
132#define	sen_ip6_dport		Sen.Sip6.Dport
133#define	sen_ip6_direction	Sen.Sip6.Direction
134#define	sen_ipsp		Sen.PolicyHead
135
136/*
137 * The "type" is really part of the address as far as the routing
138 * system is concerned. By using only one bit in the type field
139 * for each type, we sort-of make sure that different types of
140 * encapsulation addresses won't be matched against the wrong type.
141 *
142 */
143
144#define	SENT_IP4	0x0001		/* data is two struct in_addr */
145#define	SENT_IPSP	0x0002		/* data as in IP4/6 plus SPI */
146#define	SENT_IP6	0x0004
147
148#define	SENT_LEN	sizeof(struct sockaddr_encap)
149
150struct ipsec_ref {
151	u_int16_t	ref_type;	/* Subtype of data */
152	int16_t		ref_len;	/* Length of data following */
153	int		ref_count;	/* Reference count */
154	int		ref_malloctype;	/* malloc(9) type, for freeing */
155};
156
157struct ipsec_acquire {
158	union sockaddr_union		ipa_addr;
159	u_int32_t			ipa_seq;
160	struct sockaddr_encap		ipa_info;
161	struct sockaddr_encap		ipa_mask;
162	struct timeout			ipa_timeout;
163	struct ipsec_policy		*ipa_policy;
164	TAILQ_ENTRY(ipsec_acquire)	ipa_ipo_next;
165	TAILQ_ENTRY(ipsec_acquire)	ipa_next;
166};
167
168struct ipsec_policy {
169	struct sockaddr_encap	ipo_addr;
170	struct sockaddr_encap	ipo_mask;
171
172	union sockaddr_union	ipo_src;	/* Local address to use */
173	union sockaddr_union	ipo_dst;	/* Remote gateway -- if it's zeroed:
174						 * - on output, we try to contact the
175						 * remote host directly (if needed).
176						 * - on input, we accept on if the
177						 * inner source is the same as the
178						 * outer source address, or if transport
179						 * mode was used.
180						 */
181
182	u_int64_t		ipo_last_searched;	/* Timestamp of last lookup */
183
184	u_int8_t		ipo_flags;	/* See IPSP_POLICY_* definitions */
185	u_int8_t		ipo_type;	/* USE/ACQUIRE/... */
186	u_int8_t		ipo_sproto;	/* ESP/AH; if zero, use system dflts */
187
188	struct tdb		*ipo_tdb;		/* Cached entry */
189
190	struct ipsec_ref	*ipo_srcid;
191	struct ipsec_ref	*ipo_dstid;
192	struct ipsec_ref	*ipo_local_cred;
193	struct ipsec_ref	*ipo_local_auth;
194
195	TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */
196	TAILQ_ENTRY(ipsec_policy)	ipo_tdb_next;	/* List TDB policies */
197	TAILQ_ENTRY(ipsec_policy)	ipo_list;	/* List of all policies */
198};
199
200#define	IPSP_POLICY_NONE	0x0000	/* No flags set */
201#define	IPSP_POLICY_SOCKET	0x0001	/* Socket-attached policy */
202#define	IPSP_POLICY_STATIC	0x0002	/* Static policy */
203
204#define	IPSP_IPSEC_USE		0	/* Use if existing, don't acquire */
205#define	IPSP_IPSEC_ACQUIRE	1	/* Try acquire, let packet through */
206#define	IPSP_IPSEC_REQUIRE	2	/* Require SA */
207#define	IPSP_PERMIT		3	/* Permit traffic through */
208#define	IPSP_DENY		4	/* Deny traffic */
209#define	IPSP_IPSEC_DONTACQ	5	/* Require, but don't acquire */
210
211/* Notification types */
212#define	NOTIFY_SOFT_EXPIRE	0	/* Soft expiration of SA */
213#define	NOTIFY_HARD_EXPIRE	1	/* Hard expiration of SA */
214#define	NOTIFY_REQUEST_SA	2	/* Establish an SA */
215
216#define	NOTIFY_SATYPE_CONF	1	/* SA should do encryption */
217#define	NOTIFY_SATYPE_AUTH	2	/* SA should do authentication */
218#define	NOTIFY_SATYPE_TUNNEL	4	/* SA should use tunneling */
219
220/* Authentication types */
221#define	IPSP_AUTH_NONE		0
222#define	IPSP_AUTH_PASSPHRASE	1
223#define	IPSP_AUTH_RSA		2
224
225/* Credential types */
226#define	IPSP_CRED_NONE		0
227#define	IPSP_CRED_KEYNOTE	1
228#define	IPSP_CRED_X509		2
229
230/* Identity types */
231#define	IPSP_IDENTITY_NONE		0
232#define	IPSP_IDENTITY_PREFIX		1
233#define	IPSP_IDENTITY_FQDN		2
234#define	IPSP_IDENTITY_USERFQDN		3
235#define	IPSP_IDENTITY_CONNECTION	4
236
237/*
238 * For encapsulation routes are possible not only for the destination
239 * address but also for the protocol, source and destination ports
240 * if available
241 */
242
243struct route_enc {
244	struct rtentry		*re_rt;
245	struct sockaddr_encap	re_dst;
246};
247
248struct tdb {				/* tunnel descriptor block */
249	/*
250	 * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
251	 * one keyed on dst/sproto, and one keyed on src/sproto. The first
252	 * is used for finding a specific TDB, the second for finding TDBs
253	 * TDBs for outgoing policy matching, and the third for incoming
254	 * policy matching. The following three fields maintain the hash
255	 * queues in those three tables.
256	 */
257	struct tdb	*tdb_hnext;	/* dst/spi/sproto table */
258	struct tdb	*tdb_anext;	/* dst/sproto table */
259	struct tdb	*tdb_snext;	/* src/sproto table */
260	struct tdb	*tdb_inext;
261	struct tdb	*tdb_onext;
262
263	struct xformsw		*tdb_xform;		/* Transform to use */
264	struct enc_xform	*tdb_encalgxform;	/* Enc algorithm */
265	struct auth_hash	*tdb_authalgxform;	/* Auth algorithm */
266
267#define	TDBF_UNIQUE		0x00001	/* This should not be used by others */
268#define	TDBF_TIMER		0x00002	/* Absolute expiration timer in use */
269#define	TDBF_BYTES		0x00004	/* Check the byte counters */
270#define	TDBF_ALLOCATIONS	0x00008	/* Check the flows counters */
271#define	TDBF_INVALID		0x00010	/* This SPI is not valid yet/anymore */
272#define	TDBF_FIRSTUSE		0x00020	/* Expire after first use */
273#define	TDBF_HALFIV		0x00040	/* Use half-length IV (ESP old only) */
274#define	TDBF_SOFT_TIMER		0x00080	/* Soft expiration */
275#define	TDBF_SOFT_BYTES		0x00100	/* Soft expiration */
276#define	TDBF_SOFT_ALLOCATIONS	0x00200	/* Soft expiration */
277#define	TDBF_SOFT_FIRSTUSE	0x00400	/* Soft expiration */
278#define	TDBF_PFS		0x00800	/* Ask for PFS from Key Mgmt. */
279#define	TDBF_TUNNELING		0x01000	/* Force IP-IP encapsulation */
280#define	TDBF_NOREPLAY		0x02000	/* No replay counter present */
281#define	TDBF_RANDOMPADDING	0x04000	/* Random data in the ESP padding */
282#define	TDBF_SKIPCRYPTO		0x08000	/* Skip actual crypto processing */
283#define	TDBF_USEDTUNNEL		0x10000	/* Appended a tunnel header in past */
284
285	u_int32_t	tdb_flags;	/* Flags related to this TDB */
286
287	struct timeout	tdb_timer_tmo;
288	struct timeout	tdb_first_tmo;
289	struct timeout	tdb_stimer_tmo;
290	struct timeout	tdb_sfirst_tmo;
291
292	u_int32_t	tdb_seq;		/* Tracking number for PFKEY */
293	u_int32_t	tdb_exp_allocations;	/* Expire after so many flows */
294	u_int32_t	tdb_soft_allocations;	/* Expiration warning */
295	u_int32_t	tdb_cur_allocations;	/* Total number of allocs */
296
297	u_int64_t	tdb_exp_bytes;	/* Expire after so many bytes passed */
298	u_int64_t	tdb_soft_bytes;	/* Expiration warning */
299	u_int64_t	tdb_cur_bytes;	/* Current count of bytes */
300
301	u_int64_t	tdb_exp_timeout;	/* When does the SPI expire */
302	u_int64_t	tdb_soft_timeout;	/* Send soft-expire warning */
303	u_int64_t	tdb_established;	/* When was SPI established */
304
305	u_int64_t	tdb_first_use;		/* When was it first used */
306	u_int64_t	tdb_soft_first_use;	/* Soft warning */
307	u_int64_t	tdb_exp_first_use;	/* Expire if tdb_first_use +
308						 * tdb_exp_first_use <= curtime
309						 */
310
311	u_int64_t	tdb_last_used;	/* When was this SA last used */
312	u_int64_t	tdb_last_marked;/* Last SKIPCRYPTO status change */
313
314	u_int64_t	tdb_cryptoid;	/* Crypto session ID */
315
316	u_int32_t	tdb_spi;	/* SPI */
317	u_int16_t	tdb_amxkeylen;	/* Raw authentication key length */
318	u_int16_t	tdb_emxkeylen;	/* Raw encryption key length */
319	u_int16_t	tdb_ivlen;	/* IV length */
320	u_int8_t	tdb_sproto;	/* IPsec protocol */
321	u_int8_t	tdb_wnd;	/* Replay window */
322	u_int8_t	tdb_satype;	/* SA type (RFC2367, PF_KEY) */
323
324	union sockaddr_union	tdb_dst;	/* Destination address */
325	union sockaddr_union	tdb_src;	/* Source address */
326	union sockaddr_union	tdb_proxy;
327
328	u_int8_t	*tdb_amxkey;	/* Raw authentication key */
329	u_int8_t	*tdb_emxkey;	/* Raw encryption key */
330
331	u_int32_t	tdb_rpl;	/* Replay counter */
332	u_int32_t	tdb_bitmap;	/* Used for replay sliding window */
333	u_int32_t	tdb_initial;	/* Initial replay value */
334
335	u_int32_t	tdb_epoch;	/* Used by the kernfs interface */
336
337	u_int8_t	tdb_iv[4];	/* Used for HALF-IV ESP */
338
339	struct ipsec_ref	*tdb_local_cred;
340	struct ipsec_ref	*tdb_remote_cred;
341	struct ipsec_ref	*tdb_srcid;	/* Source ID for this SA */
342	struct ipsec_ref	*tdb_dstid;	/* Destination ID for this SA */
343	struct ipsec_ref	*tdb_local_auth;/* Local authentication material */
344	struct ipsec_ref	*tdb_remote_auth;/* Remote authentication material */
345
346	u_int32_t	tdb_mtu;	/* MTU at this point in the chain */
347	u_int64_t	tdb_mtutimeout;	/* When to ignore this entry */
348
349	TAILQ_HEAD(tdb_inp_head_in, inpcb)	tdb_inp_in;
350	TAILQ_HEAD(tdb_inp_head_out, inpcb)	tdb_inp_out;
351	TAILQ_HEAD(tdb_policy_head, ipsec_policy)	tdb_policy_head;
352};
353
354struct tdb_ident {
355	u_int32_t spi;
356	union sockaddr_union dst;
357	u_int8_t proto;
358};
359
360struct tdb_crypto {
361	u_int32_t		tc_spi;
362	union sockaddr_union	tc_dst;
363	u_int8_t		tc_proto;
364	int			tc_protoff;
365	int			tc_skip;
366	caddr_t			tc_ptr;
367};
368
369struct ipsecinit {
370	u_int8_t	*ii_enckey;
371	u_int8_t	*ii_authkey;
372	u_int16_t	ii_enckeylen;
373	u_int16_t	ii_authkeylen;
374	u_int8_t	ii_encalg;
375	u_int8_t	ii_authalg;
376};
377
378struct xformsw {
379	u_short	xf_type;		/* Unique ID of xform */
380	u_short	xf_flags;		/* flags (see below) */
381	char	*xf_name;		/* human-readable name */
382	int	(*xf_attach)(void);	/* called at config time */
383	int	(*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *);
384	int	(*xf_zeroize)(struct tdb *); /* termination */
385	int	(*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */
386	int	(*xf_output)(struct mbuf *, struct tdb *, struct mbuf **,
387	    int, int);        /* output */
388};
389
390/* xform IDs */
391#define	XF_IP4		1	/* IP inside IP */
392#define	XF_AH		2	/* AH */
393#define	XF_ESP		3	/* ESP */
394#define	XF_TCPSIGNATURE	5	/* TCP MD5 Signature option, RFC 2358 */
395
396/* xform attributes */
397#define	XFT_AUTH	0x0001
398#define	XFT_CONF	0x0100
399
400#define	IPSEC_ZEROES_SIZE	256	/* Larger than an IP6 extension hdr. */
401#define	IPSEC_KERNFS_BUFSIZE	4096
402
403#if BYTE_ORDER == LITTLE_ENDIAN
404static __inline u_int64_t
405htonq(u_int64_t q)
406{
407	register u_int32_t u, l;
408	u = q >> 32;
409	l = (u_int32_t) q;
410
411	return htonl(u) | ((u_int64_t)htonl(l) << 32);
412}
413
414#define	ntohq(_x)	htonq(_x)
415
416#elif BYTE_ORDER == BIG_ENDIAN
417
418#define	htonq(_x)	(_x)
419#define	ntohq(_x)	htonq(_x)
420
421#else
422#error	"Please fix <machine/endian.h>"
423#endif
424
425#ifdef _KERNEL
426
427/*
428 * Protects all tdb lists.
429 * Must at least be splsoftnet (note: do not use splsoftclock as it is
430 * special on some architectures, assuming it is always an spl lowering
431 * operation).
432 */
433#define	spltdb	splsoftnet
434
435extern int encdebug;
436extern int ipsec_acl;
437extern int ipsec_keep_invalid;
438extern int ipsec_in_use;
439extern u_int64_t ipsec_last_added;
440extern int ipsec_require_pfs;
441extern int ipsec_expire_acquire;
442
443extern int ipsec_policy_pool_initialized;
444
445extern int ipsec_soft_allocations;
446extern int ipsec_exp_allocations;
447extern int ipsec_soft_bytes;
448extern int ipsec_exp_bytes;
449extern int ipsec_soft_timeout;
450extern int ipsec_exp_timeout;
451extern int ipsec_soft_first_use;
452extern int ipsec_exp_first_use;
453extern char ipsec_def_enc[];
454extern char ipsec_def_auth[];
455
456extern struct enc_xform enc_xform_des;
457extern struct enc_xform enc_xform_3des;
458extern struct enc_xform enc_xform_blf;
459extern struct enc_xform enc_xform_cast5;
460extern struct enc_xform enc_xform_skipjack;
461
462extern struct auth_hash auth_hash_hmac_md5_96;
463extern struct auth_hash auth_hash_hmac_sha1_96;
464extern struct auth_hash auth_hash_hmac_ripemd_160_96;
465
466extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;
467extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head;
468
469extern struct xformsw xformsw[], *xformswNXFORMSW;
470
471/* Check if a given tdb has encryption, authentication and/or tunneling */
472#define	TDB_ATTRIB(x) (((x)->tdb_encalgxform ? NOTIFY_SATYPE_CONF : 0) | \
473		       ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0))
474
475/* Traverse spi chain and get attributes */
476
477#define	SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) do {\
478	int s = spltdb(); \
479	struct tdb *tmptdb = (TDBP); \
480	\
481	(have) = 0; \
482	while (tmptdb && tmptdb->tdb_xform) { \
483	        if (tmptdb == NULL || tmptdb->tdb_flags & TDBF_INVALID) \
484			break; \
485		(have) |= TDB_ATTRIB(tmptdb); \
486		tmptdb = tmptdb->TDB_DIR; \
487	} \
488	splx(s); \
489} while (0)
490
491/* Misc. */
492extern char *inet_ntoa4(struct in_addr);
493extern char *ipsp_address(union sockaddr_union);
494
495/* TDB management routines */
496extern void tdb_add_inp(struct tdb *, struct inpcb *, int);
497extern u_int32_t reserve_spi(u_int32_t, u_int32_t, union sockaddr_union *,
498    union sockaddr_union *, u_int8_t, int *);
499extern struct tdb *gettdb(u_int32_t, union sockaddr_union *, u_int8_t);
500extern struct tdb *gettdbbyaddr(union sockaddr_union *, struct ipsec_policy *,
501    struct mbuf *, int);
502extern struct tdb *gettdbbysrc(union sockaddr_union *, struct ipsec_policy *,
503    struct mbuf *, int);
504extern void puttdb(struct tdb *);
505extern void tdb_delete(struct tdb *);
506extern struct tdb *tdb_alloc(void);
507extern int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
508extern int tdb_walk(int (*)(struct tdb *, void *, int), void *);
509
510/* XF_IP4 */
511extern int ipe4_attach(void);
512extern int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
513extern int ipe4_zeroize(struct tdb *);
514extern int ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
515extern void ipe4_input __P((struct mbuf *, ...));
516extern void ipip_input __P((struct mbuf *, int));
517
518#ifdef INET
519extern void ip4_input __P((struct mbuf *, ...));
520#endif /* INET */
521
522#ifdef INET6
523extern int ip4_input6 __P((struct mbuf **, int *, int));
524#endif /* INET */
525
526/* XF_ETHERIP */
527extern int etherip_output(struct mbuf *, struct tdb *, struct mbuf **,
528    int, int);
529extern void etherip_input __P((struct mbuf *, ...));
530
531/* XF_AH */
532extern int ah_attach(void);
533extern int ah_init(struct tdb *, struct xformsw *, struct ipsecinit *);
534extern int ah_zeroize(struct tdb *);
535extern int ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
536extern int ah_output_cb(void *);
537extern int ah_input(struct mbuf *, struct tdb *, int, int);
538extern int ah_input_cb(void *);
539extern int ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);
540extern int ah_massage_headers(struct mbuf **, int, int, int, int);
541
542#ifdef INET
543extern void ah4_input __P((struct mbuf *, ...));
544extern int ah4_input_cb __P((struct mbuf *, ...));
545extern void *ah4_ctlinput __P((int, struct sockaddr *, void *));
546#endif /* INET */
547
548#ifdef INET6
549extern int ah6_input __P((struct mbuf **, int *, int));
550extern int ah6_input_cb __P((struct mbuf *, int, int));
551#endif /* INET6 */
552
553/* XF_ESP */
554extern int esp_attach(void);
555extern int esp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
556extern int esp_zeroize(struct tdb *);
557extern int esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
558extern int esp_output_cb(void *);
559extern int esp_input(struct mbuf *, struct tdb *, int, int);
560extern int esp_input_cb(void *);
561extern int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
562
563#ifdef INET
564extern void esp4_input __P((struct mbuf *, ...));
565extern int esp4_input_cb __P((struct mbuf *, ...));
566extern void *esp4_ctlinput __P((int, struct sockaddr *, void *));
567#endif /* INET */
568
569#ifdef INET6
570extern int esp6_input __P((struct mbuf **, int *, int));
571extern int esp6_input_cb __P((struct mbuf *, int, int));
572#endif /* INET6 */
573
574/* XF_TCPSIGNATURE */
575extern int tcp_signature_tdb_attach __P((void));
576extern int tcp_signature_tdb_init __P((struct tdb *, struct xformsw *,
577    struct ipsecinit *));
578extern int tcp_signature_tdb_zeroize __P((struct tdb *));
579extern int tcp_signature_tdb_input __P((struct mbuf *, struct tdb *, int,
580    int));
581extern int tcp_signature_tdb_output __P((struct mbuf *, struct tdb *,
582    struct mbuf **, int, int));
583
584/* Padding */
585extern caddr_t m_pad(struct mbuf *, int);
586
587/* Replay window */
588extern int checkreplaywindow32(u_int32_t, u_int32_t, u_int32_t *, u_int32_t,
589    u_int32_t *);
590
591extern unsigned char ipseczeroes[];
592
593/* Packet processing */
594extern int ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
595extern int ipsp_process_done(struct mbuf *, struct tdb *);
596extern struct tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int,
597    struct tdb *, struct inpcb *);
598extern struct tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int,
599    struct tdb *, struct inpcb *, struct ipsec_policy *);
600extern int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int,
601    struct m_tag *);
602extern int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *,
603    union sockaddr_union *, struct sockaddr_encap *, struct mbuf *);
604extern struct ipsec_policy *ipsec_add_policy(struct sockaddr_encap *,
605    struct sockaddr_encap *, union sockaddr_union *, int, int);
606extern int ipsec_delete_policy(struct ipsec_policy *);
607extern struct ipsec_acquire *ipsp_pending_acquire(struct ipsec_policy *,
608    union sockaddr_union *);
609extern void ipsp_delete_acquire(void *);
610extern int ipsp_is_unspecified(union sockaddr_union);
611extern void ipsp_reffree(struct ipsec_ref *);
612extern void ipsp_skipcrypto_unmark(struct tdb_ident *);
613extern void ipsp_skipcrypto_mark(struct tdb_ident *);
614extern struct m_tag *ipsp_parse_headers(struct mbuf *, int, u_int8_t);
615extern int ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *);
616extern ssize_t ipsec_hdrsz(struct tdb *);
617extern void ipsec_adjust_mtu(struct mbuf *, u_int32_t);
618extern int ipsp_print_tdb(struct tdb *, char *);
619extern struct ipsec_acquire *ipsec_get_acquire(u_int32_t);
620#endif /* _KERNEL */
621#endif /* _NETINET_IPSP_H_ */
622