ip_ipsp.h revision 1.136 
1/*	$OpenBSD: ip_ipsp.h,v 1.136 2008/11/08 12:54:58 dlg Exp $	*/
2/*
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr),
5 * Niels Provos (provos@physnet.uni-hamburg.de) and
6 * Niklas Hallqvist (niklas@appli.se).
7 *
8 * The original version of this code was written by John Ioannidis
9 * for BSD/OS in Athens, Greece, in November 1995.
10 *
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
13 *
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15 * and Niels Provos.
16 *
17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
18 *
19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20 * Angelos D. Keromytis and Niels Provos.
21 * Copyright (c) 1999 Niklas Hallqvist.
22 * Copyright (c) 2001, Angelos D. Keromytis.
23 *
24 * Permission to use, copy, and modify this software with or without fee
25 * is hereby granted, provided that this entire notice is included in
26 * all copies of any software which is or includes a copy or
27 * modification of this software.
28 * You may use this code under the GNU public license if you so wish. Please
29 * contribute changes back to the authors under this freer than GPL license
30 * so that we may further the use of strong encryption without limitations to
31 * all.
32 *
33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37 * PURPOSE.
38 */
39
40#ifndef _NETINET_IPSP_H_
41#define _NETINET_IPSP_H_
42
43/* IPSP global definitions. */
44
45#include <sys/types.h>
46#include <sys/queue.h>
47#include <sys/timeout.h>
48#include <netinet/in.h>
49
50union sockaddr_union {
51	struct sockaddr		sa;
52	struct sockaddr_in	sin;
53	struct sockaddr_in6	sin6;
54};
55
56/* HMAC key sizes */
57#define	MD5HMAC96_KEYSIZE	16
58#define	SHA1HMAC96_KEYSIZE	20
59#define	RIPEMD160HMAC96_KEYSIZE	20
60#define	SHA2_256HMAC96_KEYSIZE	32
61#define	SHA2_384HMAC96_KEYSIZE	48
62#define	SHA2_512HMAC96_KEYSIZE	64
63
64#define	AH_HMAC_HASHLEN		12	/* 96 bits of authenticator */
65#define	AH_HMAC_RPLENGTH	4	/* 32 bits of replay counter */
66#define	AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */
67
68/* Authenticator lengths */
69#define	AH_MD5_ALEN		16
70#define	AH_SHA1_ALEN		20
71#define	AH_RMD160_ALEN		20
72#define	AH_SHA2_256_ALEN	32
73#define	AH_SHA2_384_ALEN	48
74#define	AH_SHA2_512_ALEN	64
75#define	AH_ALEN_MAX		64 	/* Keep updated */
76
77/* Reserved SPI numbers */
78#define	SPI_LOCAL_USE		0
79#define	SPI_RESERVED_MIN	1
80#define	SPI_RESERVED_MAX	255
81
82/* Reserved CPI numbers */
83#define CPI_RESERVED_MIN	1
84#define CPI_RESERVED_MAX	255
85#define CPI_PRIVATE_MIN		61440
86#define CPI_PRIVATE_MAX		65535
87
88/* sysctl default values */
89#define	IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT	60	/* 1 minute */
90#define	IPSEC_DEFAULT_PFS			1
91#define	IPSEC_DEFAULT_SOFT_ALLOCATIONS		0
92#define	IPSEC_DEFAULT_EXP_ALLOCATIONS		0
93#define	IPSEC_DEFAULT_SOFT_BYTES		0
94#define	IPSEC_DEFAULT_EXP_BYTES			0
95#define	IPSEC_DEFAULT_SOFT_TIMEOUT		80000
96#define	IPSEC_DEFAULT_EXP_TIMEOUT		86400
97#define	IPSEC_DEFAULT_SOFT_FIRST_USE		3600
98#define	IPSEC_DEFAULT_EXP_FIRST_USE		7200
99#define	IPSEC_DEFAULT_DEF_ENC			"aes"
100#define	IPSEC_DEFAULT_DEF_AUTH			"hmac-sha1"
101#define	IPSEC_DEFAULT_EXPIRE_ACQUIRE		30
102#define	IPSEC_DEFAULT_DEF_COMP			"deflate"
103
104struct sockaddr_encap {
105	u_int8_t	sen_len;		/* length */
106	u_int8_t	sen_family;		/* PF_KEY */
107	u_int16_t	sen_type;		/* see SENT_* */
108	union {
109		struct {				/* SENT_IP4 */
110			u_int8_t	Direction;
111			struct in_addr	Src;
112			struct in_addr	Dst;
113			u_int8_t	Proto;
114			u_int16_t	Sport;
115			u_int16_t	Dport;
116		} Sip4;
117
118		struct {				/* SENT_IP6 */
119			u_int8_t	Direction;
120			struct in6_addr	Src;
121			struct in6_addr	Dst;
122			u_int8_t	Proto;
123			u_int16_t	Sport;
124			u_int16_t	Dport;
125		} Sip6;
126
127		struct ipsec_policy	*PolicyHead;	/* SENT_IPSP */
128	} Sen;
129};
130
131#define	IPSP_DIRECTION_IN	0x1
132#define	IPSP_DIRECTION_OUT	0x2
133
134#define	sen_data		Sen.Data
135#define	sen_ip_src		Sen.Sip4.Src
136#define	sen_ip_dst		Sen.Sip4.Dst
137#define	sen_proto		Sen.Sip4.Proto
138#define	sen_sport		Sen.Sip4.Sport
139#define	sen_dport		Sen.Sip4.Dport
140#define	sen_direction		Sen.Sip4.Direction
141#define	sen_ip6_src		Sen.Sip6.Src
142#define	sen_ip6_dst		Sen.Sip6.Dst
143#define	sen_ip6_proto		Sen.Sip6.Proto
144#define	sen_ip6_sport		Sen.Sip6.Sport
145#define	sen_ip6_dport		Sen.Sip6.Dport
146#define	sen_ip6_direction	Sen.Sip6.Direction
147#define	sen_ipsp		Sen.PolicyHead
148
149/*
150 * The "type" is really part of the address as far as the routing
151 * system is concerned. By using only one bit in the type field
152 * for each type, we sort-of make sure that different types of
153 * encapsulation addresses won't be matched against the wrong type.
154 *
155 */
156
157#define	SENT_IP4	0x0001		/* data is two struct in_addr */
158#define	SENT_IPSP	0x0002		/* data as in IP4/6 plus SPI */
159#define	SENT_IP6	0x0004
160
161#define	SENT_LEN	sizeof(struct sockaddr_encap)
162
163struct ipsec_ref {
164	u_int16_t	ref_type;	/* Subtype of data */
165	int16_t		ref_len;	/* Length of data following */
166	int		ref_count;	/* Reference count */
167	int		ref_malloctype;	/* malloc(9) type, for freeing */
168};
169
170struct ipsec_acquire {
171	union sockaddr_union		ipa_addr;
172	u_int32_t			ipa_seq;
173	struct sockaddr_encap		ipa_info;
174	struct sockaddr_encap		ipa_mask;
175	struct timeout			ipa_timeout;
176	struct ipsec_policy		*ipa_policy;
177	struct inpcb                    *ipa_pcb;
178	TAILQ_ENTRY(ipsec_acquire)	ipa_ipo_next;
179	TAILQ_ENTRY(ipsec_acquire)	ipa_next;
180	TAILQ_ENTRY(ipsec_acquire)      ipa_inp_next;
181};
182
183struct ipsec_policy {
184	struct sockaddr_encap	ipo_addr;
185	struct sockaddr_encap	ipo_mask;
186
187	union sockaddr_union	ipo_src;	/* Local address to use */
188	union sockaddr_union	ipo_dst;	/* Remote gateway -- if it's zeroed:
189						 * - on output, we try to
190						 * contact the remote host
191						 * directly (if needed).
192						 * - on input, we accept on if
193						 * the inner source is the
194						 * same as the outer source
195						 * address, or if transport
196						 * mode was used.
197						 */
198
199	u_int64_t		ipo_last_searched;	/* Timestamp of last lookup */
200
201	u_int8_t		ipo_flags;	/* See IPSP_POLICY_* definitions */
202	u_int8_t		ipo_type;	/* USE/ACQUIRE/... */
203	u_int8_t		ipo_sproto;	/* ESP/AH; if zero, use system dflts */
204
205	int                     ipo_ref_count;
206
207	struct tdb		*ipo_tdb;		/* Cached entry */
208
209	struct ipsec_ref	*ipo_srcid;
210	struct ipsec_ref	*ipo_dstid;
211	struct ipsec_ref	*ipo_local_cred;
212	struct ipsec_ref	*ipo_local_auth;
213
214	TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */
215	TAILQ_ENTRY(ipsec_policy)	ipo_tdb_next;	/* List TDB policies */
216	TAILQ_ENTRY(ipsec_policy)	ipo_list;	/* List of all policies */
217};
218
219#define	IPSP_POLICY_NONE	0x0000	/* No flags set */
220#define	IPSP_POLICY_SOCKET	0x0001	/* Socket-attached policy */
221#define	IPSP_POLICY_STATIC	0x0002	/* Static policy */
222
223#define	IPSP_IPSEC_USE		0	/* Use if existing, don't acquire */
224#define	IPSP_IPSEC_ACQUIRE	1	/* Try acquire, let packet through */
225#define	IPSP_IPSEC_REQUIRE	2	/* Require SA */
226#define	IPSP_PERMIT		3	/* Permit traffic through */
227#define	IPSP_DENY		4	/* Deny traffic */
228#define	IPSP_IPSEC_DONTACQ	5	/* Require, but don't acquire */
229
230/* Notification types */
231#define	NOTIFY_SOFT_EXPIRE	0	/* Soft expiration of SA */
232#define	NOTIFY_HARD_EXPIRE	1	/* Hard expiration of SA */
233#define	NOTIFY_REQUEST_SA	2	/* Establish an SA */
234
235#define	NOTIFY_SATYPE_CONF	1	/* SA should do encryption */
236#define	NOTIFY_SATYPE_AUTH	2	/* SA should do authentication */
237#define	NOTIFY_SATYPE_TUNNEL	4	/* SA should use tunneling */
238#define NOTIFY_SATYPE_COMP	5       /* SA (IPCA) should use compression */
239
240/* Authentication types */
241#define	IPSP_AUTH_NONE		0
242#define	IPSP_AUTH_PASSPHRASE	1
243#define	IPSP_AUTH_RSA		2
244
245/* Credential types */
246#define	IPSP_CRED_NONE		0
247#define	IPSP_CRED_KEYNOTE	1
248#define	IPSP_CRED_X509		2
249
250/* Identity types */
251#define	IPSP_IDENTITY_NONE		0
252#define	IPSP_IDENTITY_PREFIX		1
253#define	IPSP_IDENTITY_FQDN		2
254#define	IPSP_IDENTITY_USERFQDN		3
255#define	IPSP_IDENTITY_CONNECTION	4
256
257/*
258 * For encapsulation routes are possible not only for the destination
259 * address but also for the protocol, source and destination ports
260 * if available
261 */
262
263struct route_enc {
264	struct rtentry		*re_rt;
265	struct sockaddr_encap	re_dst;
266};
267
268struct tdb {				/* tunnel descriptor block */
269	/*
270	 * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
271	 * one keyed on dst/sproto, and one keyed on src/sproto. The first
272	 * is used for finding a specific TDB, the second for finding TDBs
273	 * for outgoing policy matching, and the third for incoming
274	 * policy matching. The following three fields maintain the hash
275	 * queues in those three tables.
276	 */
277	struct tdb	*tdb_hnext;	/* dst/spi/sproto table */
278	struct tdb	*tdb_anext;	/* dst/sproto table */
279	struct tdb	*tdb_snext;	/* src/sproto table */
280	struct tdb	*tdb_inext;
281	struct tdb	*tdb_onext;
282
283	struct xformsw		*tdb_xform;		/* Transform to use */
284	struct enc_xform	*tdb_encalgxform;	/* Enc algorithm */
285	struct auth_hash	*tdb_authalgxform;	/* Auth algorithm */
286	struct comp_algo	*tdb_compalgxform;	/* Compression algo */
287
288#define	TDBF_UNIQUE		0x00001	/* This should not be used by others */
289#define	TDBF_TIMER		0x00002	/* Absolute expiration timer in use */
290#define	TDBF_BYTES		0x00004	/* Check the byte counters */
291#define	TDBF_ALLOCATIONS	0x00008	/* Check the flows counters */
292#define	TDBF_INVALID		0x00010	/* This SPI is not valid yet/anymore */
293#define	TDBF_FIRSTUSE		0x00020	/* Expire after first use */
294#define	TDBF_HALFIV		0x00040	/* Use half-length IV (ESP old only) */
295#define	TDBF_SOFT_TIMER		0x00080	/* Soft expiration */
296#define	TDBF_SOFT_BYTES		0x00100	/* Soft expiration */
297#define	TDBF_SOFT_ALLOCATIONS	0x00200	/* Soft expiration */
298#define	TDBF_SOFT_FIRSTUSE	0x00400	/* Soft expiration */
299#define	TDBF_PFS		0x00800	/* Ask for PFS from Key Mgmt. */
300#define	TDBF_TUNNELING		0x01000	/* Force IP-IP encapsulation */
301#define	TDBF_NOREPLAY		0x02000	/* No replay counter present */
302#define	TDBF_RANDOMPADDING	0x04000	/* Random data in the ESP padding */
303#define	TDBF_SKIPCRYPTO		0x08000	/* Skip actual crypto processing */
304#define	TDBF_USEDTUNNEL		0x10000	/* Appended a tunnel header in past */
305#define	TDBF_UDPENCAP		0x20000	/* UDP encapsulation */
306
307	u_int32_t	tdb_flags;	/* Flags related to this TDB */
308
309	struct timeout	tdb_timer_tmo;
310	struct timeout	tdb_first_tmo;
311	struct timeout	tdb_stimer_tmo;
312	struct timeout	tdb_sfirst_tmo;
313
314	u_int32_t	tdb_seq;		/* Tracking number for PFKEY */
315	u_int32_t	tdb_exp_allocations;	/* Expire after so many flows */
316	u_int32_t	tdb_soft_allocations;	/* Expiration warning */
317	u_int32_t	tdb_cur_allocations;	/* Total number of allocs */
318
319	u_int64_t	tdb_exp_bytes;	/* Expire after so many bytes passed */
320	u_int64_t	tdb_soft_bytes;	/* Expiration warning */
321	u_int64_t	tdb_cur_bytes;	/* Current count of bytes */
322
323	u_int64_t	tdb_exp_timeout;	/* When does the SPI expire */
324	u_int64_t	tdb_soft_timeout;	/* Send soft-expire warning */
325	u_int64_t	tdb_established;	/* When was SPI established */
326
327	u_int64_t	tdb_first_use;		/* When was it first used */
328	u_int64_t	tdb_soft_first_use;	/* Soft warning */
329	u_int64_t	tdb_exp_first_use;	/* Expire if tdb_first_use +
330						 * tdb_exp_first_use <= curtime
331						 */
332
333	u_int64_t	tdb_last_used;	/* When was this SA last used */
334	u_int64_t	tdb_last_marked;/* Last SKIPCRYPTO status change */
335
336	u_int64_t	tdb_cryptoid;	/* Crypto session ID */
337
338	u_int32_t	tdb_spi;	/* SPI */
339	u_int16_t	tdb_amxkeylen;	/* Raw authentication key length */
340	u_int16_t	tdb_emxkeylen;	/* Raw encryption key length */
341	u_int16_t	tdb_ivlen;	/* IV length */
342	u_int8_t	tdb_sproto;	/* IPsec protocol */
343	u_int8_t	tdb_wnd;	/* Replay window */
344	u_int8_t	tdb_satype;	/* SA type (RFC2367, PF_KEY) */
345
346	union sockaddr_union	tdb_dst;	/* Destination address */
347	union sockaddr_union	tdb_src;	/* Source address */
348	union sockaddr_union	tdb_proxy;
349
350	u_int8_t	*tdb_amxkey;	/* Raw authentication key */
351	u_int8_t	*tdb_emxkey;	/* Raw encryption key */
352
353	u_int32_t	tdb_rpl;	/* Replay counter */
354	u_int32_t	tdb_bitmap;	/* Used for replay sliding window */
355
356	u_int8_t	tdb_iv[4];	/* Used for HALF-IV ESP */
357
358	struct ipsec_ref	*tdb_local_cred;
359	struct ipsec_ref	*tdb_remote_cred;
360	struct ipsec_ref	*tdb_srcid;	/* Source ID for this SA */
361	struct ipsec_ref	*tdb_dstid;	/* Destination ID for this SA */
362	struct ipsec_ref	*tdb_local_auth;/* Local authentication material */
363	struct ipsec_ref	*tdb_remote_auth;/* Remote authentication material */
364
365	u_int32_t	tdb_mtu;	/* MTU at this point in the chain */
366	u_int64_t	tdb_mtutimeout;	/* When to ignore this entry */
367
368	u_int16_t	tdb_udpencap_port;	/* Peer UDP port */
369
370	u_int16_t	tdb_tag;		/* Packet filter tag */
371
372	struct sockaddr_encap   tdb_filter; /* What traffic is acceptable */
373	struct sockaddr_encap   tdb_filtermask; /* And the mask */
374
375	TAILQ_HEAD(tdb_inp_head_in, inpcb)	tdb_inp_in;
376	TAILQ_HEAD(tdb_inp_head_out, inpcb)	tdb_inp_out;
377	TAILQ_HEAD(tdb_policy_head, ipsec_policy)	tdb_policy_head;
378};
379
380struct tdb_ident {
381	u_int32_t spi;
382	union sockaddr_union dst;
383	u_int8_t proto;
384};
385
386struct tdb_crypto {
387	u_int32_t		tc_spi;
388	union sockaddr_union	tc_dst;
389	u_int8_t		tc_proto;
390	int			tc_protoff;
391	int			tc_skip;
392	caddr_t			tc_ptr;
393};
394
395struct ipsecinit {
396	u_int8_t	*ii_enckey;
397	u_int8_t	*ii_authkey;
398	u_int16_t	ii_enckeylen;
399	u_int16_t	ii_authkeylen;
400	u_int8_t	ii_encalg;
401	u_int8_t	ii_authalg;
402	u_int8_t	ii_compalg;
403};
404
405/* xform IDs */
406#define	XF_IP4		1	/* IP inside IP */
407#define	XF_AH		2	/* AH */
408#define	XF_ESP		3	/* ESP */
409#define	XF_TCPSIGNATURE	5	/* TCP MD5 Signature option, RFC 2358 */
410#define	XF_IPCOMP	6	/* IPCOMP */
411
412/* xform attributes */
413#define	XFT_AUTH	0x0001
414#define	XFT_CONF	0x0100
415#define	XFT_COMP	0x1000
416
417#define	IPSEC_ZEROES_SIZE	256	/* Larger than an IP6 extension hdr. */
418
419#ifdef _KERNEL
420
421struct xformsw {
422	u_short	xf_type;		/* Unique ID of xform */
423	u_short	xf_flags;		/* flags (see below) */
424	char	*xf_name;		/* human-readable name */
425	int	(*xf_attach)(void);	/* called at config time */
426	int	(*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *);
427	int	(*xf_zeroize)(struct tdb *); /* termination */
428	int	(*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */
429	int	(*xf_output)(struct mbuf *, struct tdb *, struct mbuf **,
430	    int, int);        /* output */
431};
432
433/*
434 * Protects all tdb lists.
435 * Must at least be splsoftnet (note: do not use splsoftclock as it is
436 * special on some architectures, assuming it is always an spl lowering
437 * operation).
438 */
439#define	spltdb	splsoftnet
440
441extern int encdebug;
442extern int ipsec_acl;
443extern int ipsec_keep_invalid;
444extern int ipsec_in_use;
445extern u_int64_t ipsec_last_added;
446extern int ipsec_require_pfs;
447extern int ipsec_expire_acquire;
448
449extern int ipsec_policy_pool_initialized;
450
451extern int ipsec_soft_allocations;
452extern int ipsec_exp_allocations;
453extern int ipsec_soft_bytes;
454extern int ipsec_exp_bytes;
455extern int ipsec_soft_timeout;
456extern int ipsec_exp_timeout;
457extern int ipsec_soft_first_use;
458extern int ipsec_exp_first_use;
459extern char ipsec_def_enc[];
460extern char ipsec_def_auth[];
461extern char ipsec_def_comp[];
462
463extern struct enc_xform enc_xform_des;
464extern struct enc_xform enc_xform_3des;
465extern struct enc_xform enc_xform_blf;
466extern struct enc_xform enc_xform_cast5;
467extern struct enc_xform enc_xform_skipjack;
468
469extern struct auth_hash auth_hash_hmac_md5_96;
470extern struct auth_hash auth_hash_hmac_sha1_96;
471extern struct auth_hash auth_hash_hmac_ripemd_160_96;
472
473extern struct comp_algo comp_algo_deflate;
474
475extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;
476extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head;
477
478extern struct xformsw xformsw[], *xformswNXFORMSW;
479
480/* Check if a given tdb has encryption, authentication and/or tunneling */
481#define	TDB_ATTRIB(x) (((x)->tdb_encalgxform ? NOTIFY_SATYPE_CONF : 0) | \
482		       ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0) | \
483		       ((x)->tdb_compalgxform ? NOTIFY_SATYPE_COMP : 0))
484
485/* Traverse spi chain and get attributes */
486
487#define	SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP)				\
488do {									\
489	int s = spltdb();						\
490	struct tdb *tmptdb = (TDBP);					\
491									\
492	(have) = 0;							\
493	while (tmptdb && tmptdb->tdb_xform) {				\
494	        if (tmptdb == NULL || tmptdb->tdb_flags & TDBF_INVALID)	\
495			break;						\
496		(have) |= TDB_ATTRIB(tmptdb);				\
497		tmptdb = tmptdb->TDB_DIR;				\
498	}								\
499	splx(s);							\
500} while (/* CONSTCOND */ 0)
501
502/* Misc. */
503extern char *inet_ntoa4(struct in_addr);
504extern char *ipsp_address(union sockaddr_union);
505
506/* TDB management routines */
507extern void tdb_add_inp(struct tdb *, struct inpcb *, int);
508extern u_int32_t reserve_spi(u_int32_t, u_int32_t, union sockaddr_union *,
509    union sockaddr_union *, u_int8_t, int *);
510extern struct tdb *gettdb(u_int32_t, union sockaddr_union *, u_int8_t);
511extern struct tdb *gettdbbyaddr(union sockaddr_union *, u_int8_t,
512    struct ipsec_ref *, struct ipsec_ref *, struct ipsec_ref *,
513    struct mbuf *, int, struct sockaddr_encap *, struct sockaddr_encap *);
514extern struct tdb *gettdbbysrc(union sockaddr_union *, u_int8_t,
515    struct ipsec_ref *, struct ipsec_ref *, struct mbuf *, int,
516    struct sockaddr_encap *, struct sockaddr_encap *);
517extern struct tdb *gettdbbysrcdst(u_int32_t, union sockaddr_union *,
518    union sockaddr_union *, u_int8_t);
519extern void puttdb(struct tdb *);
520extern void tdb_delete(struct tdb *);
521extern struct tdb *tdb_alloc(void);
522extern void tdb_free(struct tdb *);
523extern int tdb_hash(u_int32_t, union sockaddr_union *, u_int8_t);
524extern int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
525extern int tdb_walk(int (*)(struct tdb *, void *, int), void *);
526
527/* XF_IP4 */
528extern int ipe4_attach(void);
529extern int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
530extern int ipe4_zeroize(struct tdb *);
531extern int ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
532extern void ipe4_input(struct mbuf *, ...);
533extern void ipip_input(struct mbuf *, int, struct ifnet *);
534
535#ifdef INET
536extern void ip4_input(struct mbuf *, ...);
537#endif /* INET */
538
539#ifdef INET6
540extern int ip4_input6(struct mbuf **, int *, int);
541#endif /* INET */
542
543/* XF_ETHERIP */
544extern int etherip_output(struct mbuf *, struct tdb *, struct mbuf **,
545    int, int);
546extern void etherip_input(struct mbuf *, ...);
547
548/* XF_AH */
549extern int ah_attach(void);
550extern int ah_init(struct tdb *, struct xformsw *, struct ipsecinit *);
551extern int ah_zeroize(struct tdb *);
552extern int ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
553extern int ah_output_cb(void *);
554extern int ah_input(struct mbuf *, struct tdb *, int, int);
555extern int ah_input_cb(void *);
556extern int ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);
557extern int ah_massage_headers(struct mbuf **, int, int, int, int);
558
559#ifdef INET
560extern void ah4_input(struct mbuf *, ...);
561extern int ah4_input_cb(struct mbuf *, ...);
562extern void *ah4_ctlinput(int, struct sockaddr *, void *);
563extern void *udpencap_ctlinput(int, struct sockaddr *, void *);
564#endif /* INET */
565
566#ifdef INET6
567extern int ah6_input(struct mbuf **, int *, int);
568extern int ah6_input_cb(struct mbuf *, int, int);
569#endif /* INET6 */
570
571/* XF_ESP */
572extern int esp_attach(void);
573extern int esp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
574extern int esp_zeroize(struct tdb *);
575extern int esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
576extern int esp_output_cb(void *);
577extern int esp_input(struct mbuf *, struct tdb *, int, int);
578extern int esp_input_cb(void *);
579extern int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
580
581#ifdef INET
582extern void esp4_input(struct mbuf *, ...);
583extern int esp4_input_cb(struct mbuf *, ...);
584extern void *esp4_ctlinput(int, struct sockaddr *, void *);
585#endif /* INET */
586
587#ifdef INET6
588extern int esp6_input(struct mbuf **, int *, int);
589extern int esp6_input_cb(struct mbuf *, int, int);
590#endif /* INET6 */
591
592/* XF_IPCOMP */
593extern int ipcomp_attach(void);
594extern int ipcomp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
595extern int ipcomp_zeroize(struct tdb *);
596extern int ipcomp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
597extern int ipcomp_output_cb(void *);
598extern int ipcomp_input(struct mbuf *, struct tdb *, int, int);
599extern int ipcomp_input_cb(void *);
600extern int ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
601
602#ifdef INET
603extern void ipcomp4_input(struct mbuf *, ...);
604extern int ipcomp4_input_cb(struct mbuf *, ...);
605#endif /* INET */
606
607#ifdef INET6
608extern int ipcomp6_input(struct mbuf **, int *, int);
609extern int ipcomp6_input_cb(struct mbuf *, int, int);
610#endif /* INET6 */
611
612/* XF_TCPSIGNATURE */
613extern int tcp_signature_tdb_attach(void);
614extern int tcp_signature_tdb_init(struct tdb *, struct xformsw *,
615    struct ipsecinit *);
616extern int tcp_signature_tdb_zeroize(struct tdb *);
617extern int tcp_signature_tdb_input(struct mbuf *, struct tdb *, int,
618    int);
619extern int tcp_signature_tdb_output(struct mbuf *, struct tdb *,
620    struct mbuf **, int, int);
621
622/* Padding */
623extern caddr_t m_pad(struct mbuf *, int);
624
625/* Replay window */
626extern int checkreplaywindow32(u_int32_t, u_int32_t, u_int32_t *, u_int32_t,
627    u_int32_t *, int);
628
629extern unsigned char ipseczeroes[];
630
631/* Packet processing */
632extern int ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
633extern int ipsp_process_done(struct mbuf *, struct tdb *);
634extern struct tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int,
635    struct tdb *, struct inpcb *);
636extern struct tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int,
637    struct tdb *, struct inpcb *, struct ipsec_policy *);
638extern int ipsec_common_input(struct mbuf *, int, int, int, int, int);
639extern int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int,
640    struct m_tag *);
641extern int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *,
642    union sockaddr_union *, struct sockaddr_encap *, struct mbuf *);
643extern struct ipsec_policy *ipsec_add_policy(struct inpcb *, int, int);
644extern void ipsec_update_policy(struct inpcb *, struct ipsec_policy *,
645    int, int);
646extern int ipsec_delete_policy(struct ipsec_policy *);
647extern struct ipsec_acquire *ipsp_pending_acquire(struct ipsec_policy *,
648    union sockaddr_union *);
649extern void ipsp_delete_acquire(void *);
650extern int ipsp_is_unspecified(union sockaddr_union);
651extern void ipsp_reffree(struct ipsec_ref *);
652extern void ipsp_skipcrypto_unmark(struct tdb_ident *);
653extern void ipsp_skipcrypto_mark(struct tdb_ident *);
654extern struct m_tag *ipsp_parse_headers(struct mbuf *, int, u_int8_t);
655extern int ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *);
656extern ssize_t ipsec_hdrsz(struct tdb *);
657extern void ipsec_adjust_mtu(struct mbuf *, u_int32_t);
658extern int ipsp_print_tdb(struct tdb *, char *, size_t);
659extern struct ipsec_acquire *ipsec_get_acquire(u_int32_t);
660extern int ipsp_aux_match(struct tdb *,
661    struct ipsec_ref *, struct ipsec_ref *,
662    struct ipsec_ref *, struct ipsec_ref *,
663    struct sockaddr_encap *, struct sockaddr_encap *);
664#endif /* _KERNEL */
665#endif /* _NETINET_IPSP_H_ */
666