ip_ipsp.h revision 1.120
1/* $OpenBSD: ip_ipsp.h,v 1.120 2002/05/31 02:39:53 angelos Exp $ */ 2/* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Niklas Hallqvist (niklas@appli.se). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 18 * 19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * Copyright (c) 1999 Niklas Hallqvist. 22 * Copyright (c) 2001, Angelos D. Keromytis. 23 * 24 * Permission to use, copy, and modify this software with or without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40#ifndef _NETINET_IPSP_H_ 41#define _NETINET_IPSP_H_ 42 43/* IPSP global definitions. */ 44 45#include <sys/types.h> 46#include <sys/queue.h> 47#include <sys/timeout.h> 48#include <netinet/in.h> 49 50union sockaddr_union { 51 struct sockaddr sa; 52 struct sockaddr_in sin; 53 struct sockaddr_in6 sin6; 54}; 55 56/* HMAC key sizes */ 57#define MD5HMAC96_KEYSIZE 16 58#define SHA1HMAC96_KEYSIZE 20 59#define RIPEMD160HMAC96_KEYSIZE 20 60 61#define AH_HMAC_HASHLEN 12 /* 96 bits of authenticator */ 62#define AH_HMAC_RPLENGTH 4 /* 32 bits of replay counter */ 63#define AH_HMAC_INITIAL_RPL 1 /* Replay counter initial value */ 64 65/* Authenticator lengths */ 66#define AH_MD5_ALEN 16 67#define AH_SHA1_ALEN 20 68#define AH_RMD160_ALEN 20 69#define AH_ALEN_MAX 20 /* Keep updated */ 70 71/* Reserved SPI numbers */ 72#define SPI_LOCAL_USE 0 73#define SPI_RESERVED_MIN 1 74#define SPI_RESERVED_MAX 255 75 76/* Reserved CPI numbers */ 77#define CPI_RESERVED_MIN 1 78#define CPI_RESERVED_MAX 255 79#define CPI_PRIVATE_MIN 61440 80#define CPI_PRIVATE_MAX 65535 81 82/* sysctl default values */ 83#define IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT 60 /* 1 minute */ 84#define IPSEC_DEFAULT_PFS 1 85#define IPSEC_DEFAULT_SOFT_ALLOCATIONS 0 86#define IPSEC_DEFAULT_EXP_ALLOCATIONS 0 87#define IPSEC_DEFAULT_SOFT_BYTES 0 88#define IPSEC_DEFAULT_EXP_BYTES 0 89#define IPSEC_DEFAULT_SOFT_TIMEOUT 80000 90#define IPSEC_DEFAULT_EXP_TIMEOUT 86400 91#define IPSEC_DEFAULT_SOFT_FIRST_USE 3600 92#define IPSEC_DEFAULT_EXP_FIRST_USE 7200 93#define IPSEC_DEFAULT_DEF_ENC "aes" 94#define IPSEC_DEFAULT_DEF_AUTH "hmac-sha1" 95#define IPSEC_DEFAULT_EXPIRE_ACQUIRE 30 96#define IPSEC_DEFAULT_DEF_COMP "deflate" 97 98struct sockaddr_encap { 99 u_int8_t sen_len; /* length */ 100 u_int8_t sen_family; /* PF_KEY */ 101 u_int16_t sen_type; /* see SENT_* */ 102 union { 103 struct { /* SENT_IP4 */ 104 u_int8_t Direction; 105 struct in_addr Src; 106 struct in_addr Dst; 107 u_int8_t Proto; 108 u_int16_t Sport; 109 u_int16_t Dport; 110 } Sip4; 111 112 struct { /* SENT_IP6 */ 113 u_int8_t Direction; 114 struct in6_addr Src; 115 struct in6_addr Dst; 116 u_int8_t Proto; 117 u_int16_t Sport; 118 u_int16_t Dport; 119 } Sip6; 120 121 struct ipsec_policy *PolicyHead; /* SENT_IPSP */ 122 } Sen; 123}; 124 125#define IPSP_DIRECTION_IN 0x1 126#define IPSP_DIRECTION_OUT 0x2 127 128#define sen_data Sen.Data 129#define sen_ip_src Sen.Sip4.Src 130#define sen_ip_dst Sen.Sip4.Dst 131#define sen_proto Sen.Sip4.Proto 132#define sen_sport Sen.Sip4.Sport 133#define sen_dport Sen.Sip4.Dport 134#define sen_direction Sen.Sip4.Direction 135#define sen_ip6_src Sen.Sip6.Src 136#define sen_ip6_dst Sen.Sip6.Dst 137#define sen_ip6_proto Sen.Sip6.Proto 138#define sen_ip6_sport Sen.Sip6.Sport 139#define sen_ip6_dport Sen.Sip6.Dport 140#define sen_ip6_direction Sen.Sip6.Direction 141#define sen_ipsp Sen.PolicyHead 142 143/* 144 * The "type" is really part of the address as far as the routing 145 * system is concerned. By using only one bit in the type field 146 * for each type, we sort-of make sure that different types of 147 * encapsulation addresses won't be matched against the wrong type. 148 * 149 */ 150 151#define SENT_IP4 0x0001 /* data is two struct in_addr */ 152#define SENT_IPSP 0x0002 /* data as in IP4/6 plus SPI */ 153#define SENT_IP6 0x0004 154 155#define SENT_LEN sizeof(struct sockaddr_encap) 156 157struct ipsec_ref { 158 u_int16_t ref_type; /* Subtype of data */ 159 int16_t ref_len; /* Length of data following */ 160 int ref_count; /* Reference count */ 161 int ref_malloctype; /* malloc(9) type, for freeing */ 162}; 163 164struct ipsec_acquire { 165 union sockaddr_union ipa_addr; 166 u_int32_t ipa_seq; 167 struct sockaddr_encap ipa_info; 168 struct sockaddr_encap ipa_mask; 169 struct timeout ipa_timeout; 170 struct ipsec_policy *ipa_policy; 171 struct inpcb *ipa_pcb; 172 TAILQ_ENTRY(ipsec_acquire) ipa_ipo_next; 173 TAILQ_ENTRY(ipsec_acquire) ipa_next; 174 TAILQ_ENTRY(ipsec_acquire) ipa_inp_next; 175}; 176 177struct ipsec_policy { 178 struct sockaddr_encap ipo_addr; 179 struct sockaddr_encap ipo_mask; 180 181 union sockaddr_union ipo_src; /* Local address to use */ 182 union sockaddr_union ipo_dst; /* Remote gateway -- if it's zeroed: 183 * - on output, we try to contact the 184 * remote host directly (if needed). 185 * - on input, we accept on if the 186 * inner source is the same as the 187 * outer source address, or if transport 188 * mode was used. 189 */ 190 191 u_int64_t ipo_last_searched; /* Timestamp of last lookup */ 192 193 u_int8_t ipo_flags; /* See IPSP_POLICY_* definitions */ 194 u_int8_t ipo_type; /* USE/ACQUIRE/... */ 195 u_int8_t ipo_sproto; /* ESP/AH; if zero, use system dflts */ 196 197 int ipo_ref_count; 198 199 struct tdb *ipo_tdb; /* Cached entry */ 200 201 struct ipsec_ref *ipo_srcid; 202 struct ipsec_ref *ipo_dstid; 203 struct ipsec_ref *ipo_local_cred; 204 struct ipsec_ref *ipo_local_auth; 205 206 TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */ 207 TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* List TDB policies */ 208 TAILQ_ENTRY(ipsec_policy) ipo_list; /* List of all policies */ 209}; 210 211#define IPSP_POLICY_NONE 0x0000 /* No flags set */ 212#define IPSP_POLICY_SOCKET 0x0001 /* Socket-attached policy */ 213#define IPSP_POLICY_STATIC 0x0002 /* Static policy */ 214 215#define IPSP_IPSEC_USE 0 /* Use if existing, don't acquire */ 216#define IPSP_IPSEC_ACQUIRE 1 /* Try acquire, let packet through */ 217#define IPSP_IPSEC_REQUIRE 2 /* Require SA */ 218#define IPSP_PERMIT 3 /* Permit traffic through */ 219#define IPSP_DENY 4 /* Deny traffic */ 220#define IPSP_IPSEC_DONTACQ 5 /* Require, but don't acquire */ 221 222/* Notification types */ 223#define NOTIFY_SOFT_EXPIRE 0 /* Soft expiration of SA */ 224#define NOTIFY_HARD_EXPIRE 1 /* Hard expiration of SA */ 225#define NOTIFY_REQUEST_SA 2 /* Establish an SA */ 226 227#define NOTIFY_SATYPE_CONF 1 /* SA should do encryption */ 228#define NOTIFY_SATYPE_AUTH 2 /* SA should do authentication */ 229#define NOTIFY_SATYPE_TUNNEL 4 /* SA should use tunneling */ 230#define NOTIFY_SATYPE_COMP 5 /* SA (IPCA) should use compression */ 231 232/* Authentication types */ 233#define IPSP_AUTH_NONE 0 234#define IPSP_AUTH_PASSPHRASE 1 235#define IPSP_AUTH_RSA 2 236 237/* Credential types */ 238#define IPSP_CRED_NONE 0 239#define IPSP_CRED_KEYNOTE 1 240#define IPSP_CRED_X509 2 241 242/* Identity types */ 243#define IPSP_IDENTITY_NONE 0 244#define IPSP_IDENTITY_PREFIX 1 245#define IPSP_IDENTITY_FQDN 2 246#define IPSP_IDENTITY_USERFQDN 3 247#define IPSP_IDENTITY_CONNECTION 4 248 249/* 250 * For encapsulation routes are possible not only for the destination 251 * address but also for the protocol, source and destination ports 252 * if available 253 */ 254 255struct route_enc { 256 struct rtentry *re_rt; 257 struct sockaddr_encap re_dst; 258}; 259 260struct tdb { /* tunnel descriptor block */ 261 /* 262 * Each TDB is on three hash tables: one keyed on dst/spi/sproto, 263 * one keyed on dst/sproto, and one keyed on src/sproto. The first 264 * is used for finding a specific TDB, the second for finding TDBs 265 * TDBs for outgoing policy matching, and the third for incoming 266 * policy matching. The following three fields maintain the hash 267 * queues in those three tables. 268 */ 269 struct tdb *tdb_hnext; /* dst/spi/sproto table */ 270 struct tdb *tdb_anext; /* dst/sproto table */ 271 struct tdb *tdb_snext; /* src/sproto table */ 272 struct tdb *tdb_inext; 273 struct tdb *tdb_onext; 274 275 struct xformsw *tdb_xform; /* Transform to use */ 276 struct enc_xform *tdb_encalgxform; /* Enc algorithm */ 277 struct auth_hash *tdb_authalgxform; /* Auth algorithm */ 278 struct comp_algo *tdb_compalgxform; /* Compression algo */ 279 280#define TDBF_UNIQUE 0x00001 /* This should not be used by others */ 281#define TDBF_TIMER 0x00002 /* Absolute expiration timer in use */ 282#define TDBF_BYTES 0x00004 /* Check the byte counters */ 283#define TDBF_ALLOCATIONS 0x00008 /* Check the flows counters */ 284#define TDBF_INVALID 0x00010 /* This SPI is not valid yet/anymore */ 285#define TDBF_FIRSTUSE 0x00020 /* Expire after first use */ 286#define TDBF_HALFIV 0x00040 /* Use half-length IV (ESP old only) */ 287#define TDBF_SOFT_TIMER 0x00080 /* Soft expiration */ 288#define TDBF_SOFT_BYTES 0x00100 /* Soft expiration */ 289#define TDBF_SOFT_ALLOCATIONS 0x00200 /* Soft expiration */ 290#define TDBF_SOFT_FIRSTUSE 0x00400 /* Soft expiration */ 291#define TDBF_PFS 0x00800 /* Ask for PFS from Key Mgmt. */ 292#define TDBF_TUNNELING 0x01000 /* Force IP-IP encapsulation */ 293#define TDBF_NOREPLAY 0x02000 /* No replay counter present */ 294#define TDBF_RANDOMPADDING 0x04000 /* Random data in the ESP padding */ 295#define TDBF_SKIPCRYPTO 0x08000 /* Skip actual crypto processing */ 296#define TDBF_USEDTUNNEL 0x10000 /* Appended a tunnel header in past */ 297 298 u_int32_t tdb_flags; /* Flags related to this TDB */ 299 300 struct timeout tdb_timer_tmo; 301 struct timeout tdb_first_tmo; 302 struct timeout tdb_stimer_tmo; 303 struct timeout tdb_sfirst_tmo; 304 305 u_int32_t tdb_seq; /* Tracking number for PFKEY */ 306 u_int32_t tdb_exp_allocations; /* Expire after so many flows */ 307 u_int32_t tdb_soft_allocations; /* Expiration warning */ 308 u_int32_t tdb_cur_allocations; /* Total number of allocs */ 309 310 u_int64_t tdb_exp_bytes; /* Expire after so many bytes passed */ 311 u_int64_t tdb_soft_bytes; /* Expiration warning */ 312 u_int64_t tdb_cur_bytes; /* Current count of bytes */ 313 314 u_int64_t tdb_exp_timeout; /* When does the SPI expire */ 315 u_int64_t tdb_soft_timeout; /* Send soft-expire warning */ 316 u_int64_t tdb_established; /* When was SPI established */ 317 318 u_int64_t tdb_first_use; /* When was it first used */ 319 u_int64_t tdb_soft_first_use; /* Soft warning */ 320 u_int64_t tdb_exp_first_use; /* Expire if tdb_first_use + 321 * tdb_exp_first_use <= curtime 322 */ 323 324 u_int64_t tdb_last_used; /* When was this SA last used */ 325 u_int64_t tdb_last_marked;/* Last SKIPCRYPTO status change */ 326 327 u_int64_t tdb_cryptoid; /* Crypto session ID */ 328 329 u_int32_t tdb_spi; /* SPI */ 330 u_int16_t tdb_amxkeylen; /* Raw authentication key length */ 331 u_int16_t tdb_emxkeylen; /* Raw encryption key length */ 332 u_int16_t tdb_ivlen; /* IV length */ 333 u_int8_t tdb_sproto; /* IPsec protocol */ 334 u_int8_t tdb_wnd; /* Replay window */ 335 u_int8_t tdb_satype; /* SA type (RFC2367, PF_KEY) */ 336 337 union sockaddr_union tdb_dst; /* Destination address */ 338 union sockaddr_union tdb_src; /* Source address */ 339 union sockaddr_union tdb_proxy; 340 341 u_int8_t *tdb_amxkey; /* Raw authentication key */ 342 u_int8_t *tdb_emxkey; /* Raw encryption key */ 343 344 u_int32_t tdb_rpl; /* Replay counter */ 345 u_int32_t tdb_bitmap; /* Used for replay sliding window */ 346 347 u_int32_t tdb_epoch; /* Used by the kernfs interface */ 348 u_int8_t tdb_iv[4]; /* Used for HALF-IV ESP */ 349 350 struct ipsec_ref *tdb_local_cred; 351 struct ipsec_ref *tdb_remote_cred; 352 struct ipsec_ref *tdb_srcid; /* Source ID for this SA */ 353 struct ipsec_ref *tdb_dstid; /* Destination ID for this SA */ 354 struct ipsec_ref *tdb_local_auth;/* Local authentication material */ 355 struct ipsec_ref *tdb_remote_auth;/* Remote authentication material */ 356 357 u_int32_t tdb_mtu; /* MTU at this point in the chain */ 358 u_int64_t tdb_mtutimeout; /* When to ignore this entry */ 359 360 struct sockaddr_encap tdb_filter; /* What traffic is acceptable */ 361 struct sockaddr_encap tdb_filtermask; /* And the mask */ 362 363 TAILQ_HEAD(tdb_inp_head_in, inpcb) tdb_inp_in; 364 TAILQ_HEAD(tdb_inp_head_out, inpcb) tdb_inp_out; 365 TAILQ_HEAD(tdb_policy_head, ipsec_policy) tdb_policy_head; 366}; 367 368struct tdb_ident { 369 u_int32_t spi; 370 union sockaddr_union dst; 371 u_int8_t proto; 372}; 373 374struct tdb_crypto { 375 u_int32_t tc_spi; 376 union sockaddr_union tc_dst; 377 u_int8_t tc_proto; 378 int tc_protoff; 379 int tc_skip; 380 caddr_t tc_ptr; 381}; 382 383struct ipsecinit { 384 u_int8_t *ii_enckey; 385 u_int8_t *ii_authkey; 386 u_int16_t ii_enckeylen; 387 u_int16_t ii_authkeylen; 388 u_int8_t ii_encalg; 389 u_int8_t ii_authalg; 390 u_int8_t ii_compalg; 391}; 392 393/* xform IDs */ 394#define XF_IP4 1 /* IP inside IP */ 395#define XF_AH 2 /* AH */ 396#define XF_ESP 3 /* ESP */ 397#define XF_TCPSIGNATURE 5 /* TCP MD5 Signature option, RFC 2358 */ 398#define XF_IPCOMP 6 /* IPCOMP */ 399 400/* xform attributes */ 401#define XFT_AUTH 0x0001 402#define XFT_CONF 0x0100 403#define XFT_COMP 0x1000 404 405#define IPSEC_ZEROES_SIZE 256 /* Larger than an IP6 extension hdr. */ 406#define IPSEC_KERNFS_BUFSIZE 4096 407 408#if BYTE_ORDER == LITTLE_ENDIAN 409static __inline u_int64_t 410htonq(u_int64_t q) 411{ 412 register u_int32_t u, l; 413 u = q >> 32; 414 l = (u_int32_t) q; 415 416 return htonl(u) | ((u_int64_t)htonl(l) << 32); 417} 418 419#define ntohq(_x) htonq(_x) 420 421#elif BYTE_ORDER == BIG_ENDIAN 422 423#define htonq(_x) (_x) 424#define ntohq(_x) htonq(_x) 425 426#else 427#error "Please fix <machine/endian.h>" 428#endif 429 430#ifdef _KERNEL 431 432struct xformsw { 433 u_short xf_type; /* Unique ID of xform */ 434 u_short xf_flags; /* flags (see below) */ 435 char *xf_name; /* human-readable name */ 436 int (*xf_attach)(void); /* called at config time */ 437 int (*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *); 438 int (*xf_zeroize)(struct tdb *); /* termination */ 439 int (*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */ 440 int (*xf_output)(struct mbuf *, struct tdb *, struct mbuf **, 441 int, int); /* output */ 442}; 443 444/* 445 * Protects all tdb lists. 446 * Must at least be splsoftnet (note: do not use splsoftclock as it is 447 * special on some architectures, assuming it is always an spl lowering 448 * operation). 449 */ 450#define spltdb splsoftnet 451 452extern int encdebug; 453extern int ipsec_acl; 454extern int ipsec_keep_invalid; 455extern int ipsec_in_use; 456extern u_int64_t ipsec_last_added; 457extern int ipsec_require_pfs; 458extern int ipsec_expire_acquire; 459 460extern int ipsec_policy_pool_initialized; 461 462extern int ipsec_soft_allocations; 463extern int ipsec_exp_allocations; 464extern int ipsec_soft_bytes; 465extern int ipsec_exp_bytes; 466extern int ipsec_soft_timeout; 467extern int ipsec_exp_timeout; 468extern int ipsec_soft_first_use; 469extern int ipsec_exp_first_use; 470extern char ipsec_def_enc[]; 471extern char ipsec_def_auth[]; 472extern char ipsec_def_comp[]; 473 474extern struct enc_xform enc_xform_des; 475extern struct enc_xform enc_xform_3des; 476extern struct enc_xform enc_xform_blf; 477extern struct enc_xform enc_xform_cast5; 478extern struct enc_xform enc_xform_skipjack; 479 480extern struct auth_hash auth_hash_hmac_md5_96; 481extern struct auth_hash auth_hash_hmac_sha1_96; 482extern struct auth_hash auth_hash_hmac_ripemd_160_96; 483 484extern struct comp_algo comp_algo_deflate; 485 486extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head; 487extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head; 488 489extern struct xformsw xformsw[], *xformswNXFORMSW; 490 491/* Check if a given tdb has encryption, authentication and/or tunneling */ 492#define TDB_ATTRIB(x) (((x)->tdb_encalgxform ? NOTIFY_SATYPE_CONF : 0) | \ 493 ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0) | \ 494 ((x)->tdb_compalgxform ? NOTIFY_SATYPE_COMP : 0)) 495 496/* Traverse spi chain and get attributes */ 497 498#define SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) do {\ 499 int s = spltdb(); \ 500 struct tdb *tmptdb = (TDBP); \ 501 \ 502 (have) = 0; \ 503 while (tmptdb && tmptdb->tdb_xform) { \ 504 if (tmptdb == NULL || tmptdb->tdb_flags & TDBF_INVALID) \ 505 break; \ 506 (have) |= TDB_ATTRIB(tmptdb); \ 507 tmptdb = tmptdb->TDB_DIR; \ 508 } \ 509 splx(s); \ 510} while (0) 511 512/* Misc. */ 513extern char *inet_ntoa4(struct in_addr); 514extern char *ipsp_address(union sockaddr_union); 515 516/* TDB management routines */ 517extern void tdb_add_inp(struct tdb *, struct inpcb *, int); 518extern u_int32_t reserve_spi(u_int32_t, u_int32_t, union sockaddr_union *, 519 union sockaddr_union *, u_int8_t, int *); 520extern struct tdb *gettdb(u_int32_t, union sockaddr_union *, u_int8_t); 521extern struct tdb *gettdbbyaddr(union sockaddr_union *, u_int8_t, 522 struct ipsec_ref *, struct ipsec_ref *, struct ipsec_ref *, 523 struct mbuf *, int, struct sockaddr_encap *, struct sockaddr_encap *); 524extern struct tdb *gettdbbysrc(union sockaddr_union *, u_int8_t, 525 struct ipsec_ref *, struct ipsec_ref *, struct mbuf *, int, 526 struct sockaddr_encap *, struct sockaddr_encap *); 527extern void puttdb(struct tdb *); 528extern void tdb_delete(struct tdb *); 529extern struct tdb *tdb_alloc(void); 530extern int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *); 531extern int tdb_walk(int (*)(struct tdb *, void *, int), void *); 532 533/* XF_IP4 */ 534extern int ipe4_attach(void); 535extern int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *); 536extern int ipe4_zeroize(struct tdb *); 537extern int ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 538extern void ipe4_input(struct mbuf *, ...); 539extern void ipip_input(struct mbuf *, int, struct ifnet *); 540 541#ifdef INET 542extern void ip4_input(struct mbuf *, ...); 543#endif /* INET */ 544 545#ifdef INET6 546extern int ip4_input6(struct mbuf **, int *, int); 547#endif /* INET */ 548 549/* XF_ETHERIP */ 550extern int etherip_output(struct mbuf *, struct tdb *, struct mbuf **, 551 int, int); 552extern void etherip_input(struct mbuf *, ...); 553 554/* XF_AH */ 555extern int ah_attach(void); 556extern int ah_init(struct tdb *, struct xformsw *, struct ipsecinit *); 557extern int ah_zeroize(struct tdb *); 558extern int ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 559extern int ah_output_cb(void *); 560extern int ah_input(struct mbuf *, struct tdb *, int, int); 561extern int ah_input_cb(void *); 562extern int ah_sysctl(int *, u_int, void *, size_t *, void *, size_t); 563extern int ah_massage_headers(struct mbuf **, int, int, int, int); 564 565#ifdef INET 566extern void ah4_input(struct mbuf *, ...); 567extern int ah4_input_cb(struct mbuf *, ...); 568extern void *ah4_ctlinput(int, struct sockaddr *, void *); 569#endif /* INET */ 570 571#ifdef INET6 572extern int ah6_input(struct mbuf **, int *, int); 573extern int ah6_input_cb(struct mbuf *, int, int); 574#endif /* INET6 */ 575 576/* XF_ESP */ 577extern int esp_attach(void); 578extern int esp_init(struct tdb *, struct xformsw *, struct ipsecinit *); 579extern int esp_zeroize(struct tdb *); 580extern int esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 581extern int esp_output_cb(void *); 582extern int esp_input(struct mbuf *, struct tdb *, int, int); 583extern int esp_input_cb(void *); 584extern int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t); 585 586#ifdef INET 587extern void esp4_input(struct mbuf *, ...); 588extern int esp4_input_cb(struct mbuf *, ...); 589extern void *esp4_ctlinput(int, struct sockaddr *, void *); 590#endif /* INET */ 591 592#ifdef INET6 593extern int esp6_input(struct mbuf **, int *, int); 594extern int esp6_input_cb(struct mbuf *, int, int); 595#endif /* INET6 */ 596 597/* XF_IPCOMP */ 598extern int ipcomp_attach(void); 599extern int ipcomp_init(struct tdb *, struct xformsw *, struct ipsecinit *); 600extern int ipcomp_zeroize(struct tdb *); 601extern int ipcomp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 602extern int ipcomp_output_cb(void *); 603extern int ipcomp_input(struct mbuf *, struct tdb *, int, int); 604extern int ipcomp_input_cb(void *); 605extern int ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t); 606 607#ifdef INET 608extern void ipcomp4_input(struct mbuf *, ...); 609extern int ipcomp4_input_cb(struct mbuf *, ...); 610#endif /* INET */ 611 612#ifdef INET6 613extern int ipcomp6_input(struct mbuf **, int *, int); 614extern int ipcomp6_input_cb(struct mbuf *, int, int); 615#endif /* INET6 */ 616 617/* XF_TCPSIGNATURE */ 618extern int tcp_signature_tdb_attach(void); 619extern int tcp_signature_tdb_init(struct tdb *, struct xformsw *, 620 struct ipsecinit *); 621extern int tcp_signature_tdb_zeroize(struct tdb *); 622extern int tcp_signature_tdb_input(struct mbuf *, struct tdb *, int, 623 int); 624extern int tcp_signature_tdb_output(struct mbuf *, struct tdb *, 625 struct mbuf **, int, int); 626 627/* Padding */ 628extern caddr_t m_pad(struct mbuf *, int); 629 630/* Replay window */ 631extern int checkreplaywindow32(u_int32_t, u_int32_t, u_int32_t *, u_int32_t, 632 u_int32_t *, int); 633 634extern unsigned char ipseczeroes[]; 635 636/* Packet processing */ 637extern int ipsp_process_packet(struct mbuf *, struct tdb *, int, int); 638extern int ipsp_process_done(struct mbuf *, struct tdb *); 639extern struct tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int, 640 struct tdb *, struct inpcb *); 641extern struct tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int, 642 struct tdb *, struct inpcb *, struct ipsec_policy *); 643extern int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int, 644 struct m_tag *); 645extern int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *, 646 union sockaddr_union *, struct sockaddr_encap *, struct mbuf *); 647extern struct ipsec_policy *ipsec_add_policy(struct inpcb *, int, int); 648extern void ipsec_update_policy(struct inpcb *, struct ipsec_policy *, 649 int, int); 650extern int ipsec_delete_policy(struct ipsec_policy *); 651extern struct ipsec_acquire *ipsp_pending_acquire(struct ipsec_policy *, 652 union sockaddr_union *); 653extern void ipsp_delete_acquire(void *); 654extern int ipsp_is_unspecified(union sockaddr_union); 655extern void ipsp_reffree(struct ipsec_ref *); 656extern void ipsp_skipcrypto_unmark(struct tdb_ident *); 657extern void ipsp_skipcrypto_mark(struct tdb_ident *); 658extern struct m_tag *ipsp_parse_headers(struct mbuf *, int, u_int8_t); 659extern int ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *); 660extern ssize_t ipsec_hdrsz(struct tdb *); 661extern void ipsec_adjust_mtu(struct mbuf *, u_int32_t); 662extern int ipsp_print_tdb(struct tdb *, char *); 663extern struct ipsec_acquire *ipsec_get_acquire(u_int32_t); 664extern int ipsp_aux_match(struct ipsec_ref *, struct ipsec_ref *, 665 struct ipsec_ref *, struct ipsec_ref *, struct ipsec_ref *, 666 struct ipsec_ref *, struct ipsec_ref *, struct ipsec_ref *, 667 struct sockaddr_encap *, struct sockaddr_encap *, 668 struct sockaddr_encap *, struct sockaddr_encap *); 669#endif /* _KERNEL */ 670#endif /* _NETINET_IPSP_H_ */ 671