/*	$OpenBSD: ip_ipsp.h,v 1.154 2013/04/11 12:06:25 mpi Exp $	*/
/*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr),
 * Niels Provos (provos@physnet.uni-hamburg.de) and
 * Niklas Hallqvist (niklas@appli.se).
 *
 * The original version of this code was written by John Ioannidis
 * for BSD/OS in Athens, Greece, in November 1995.
 *
 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
 * by Angelos D. Keromytis.
 *
 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
 * and Niels Provos.
 *
 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
 *
 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
 * Angelos D. Keromytis and Niels Provos.
 * Copyright (c) 1999 Niklas Hallqvist.
 * Copyright (c) 2001, Angelos D. Keromytis.
 *
 * Permission to use, copy, and modify this software with or without fee
 * is hereby granted, provided that this entire notice is included in
 * all copies of any software which is or includes a copy or
 * modification of this software.
 * You may use this code under the GNU public license if you so wish. Please
 * contribute changes back to the authors under this freer than GPL license
 * so that we may further the use of strong encryption without limitations to
 * all.
 *
 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
 * PURPOSE.
 */
39
#ifndef _NETINET_IPSP_H_
#define _NETINET_IPSP_H_

/*
 * Forward declaration only: this header handles an m_tag purely through
 * a pointer (see ipsec_common_input_cb() below), so the full definition
 * from <sys/mbuf.h> is not needed here.
 */
struct m_tag;

/* IPSP global definitions. */
46
47#include <sys/types.h>
48#include <sys/queue.h>
49#include <sys/timeout.h>
50#include <netinet/in.h>
51
/*
 * Socket address large enough for either an IPv4 or an IPv6 address.
 * Used throughout this header for SA endpoints (tdb_src/tdb_dst), policy
 * gateways (ipo_src/ipo_dst) and lookup keys.  Nothing in the union
 * itself records which arm is live; readers pick the arm from the
 * address family in `sa' -- presumably sa.sa_family, confirm in callers.
 */
union sockaddr_union {
	struct sockaddr		sa;	/* generic view */
	struct sockaddr_in	sin;	/* AF_INET view */
	struct sockaddr_in6	sin6;	/* AF_INET6 view */
};
57
/*
 * HMAC key sizes, in bytes.  They mirror the AH_*_ALEN authenticator
 * lengths below (16/20/20/32/48/64); the "96" suffix refers to the
 * 96-bit truncated authenticator these transforms emit, not to the key.
 */
#define	MD5HMAC96_KEYSIZE	16
#define	SHA1HMAC96_KEYSIZE	20
#define	RIPEMD160HMAC96_KEYSIZE	20
#define	SHA2_256HMAC96_KEYSIZE	32
#define	SHA2_384HMAC96_KEYSIZE	48
#define	SHA2_512HMAC96_KEYSIZE	64

/*
 * NOTE(review): AH_HMAC_MAX_HASHLEN is 32 (a 256-bit truncated
 * authenticator) while AH_ALEN_MAX below is 64 (a full SHA-512 digest).
 * Confirm which of the two bounds the AH code sizes its authenticator
 * buffer with before relying on either.
 */
#define	AH_HMAC_MAX_HASHLEN	32	/* 256 bits of authenticator for SHA512 */
#define	AH_HMAC_RPLENGTH	4	/* 32 bits of replay counter */
#define	AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */

/* Authenticator lengths (full digest size of each hash), in bytes */
#define	AH_MD5_ALEN		16
#define	AH_SHA1_ALEN		20
#define	AH_RMD160_ALEN		20
#define	AH_SHA2_256_ALEN	32
#define	AH_SHA2_384_ALEN	48
#define	AH_SHA2_512_ALEN	64
#define	AH_ALEN_MAX		64 	/* Keep updated: must equal the largest AH_*_ALEN above */

/*
 * Reserved SPI numbers.  SPI 0 is for local use only and 1..255 are
 * reserved; reserve_spi() below is the allocator that is expected to
 * avoid this range -- confirm.
 */
#define	SPI_LOCAL_USE		0
#define	SPI_RESERVED_MIN	1
#define	SPI_RESERVED_MAX	255

/* Reserved CPI numbers (IPCOMP); the private range is 61440..65535 */
#define CPI_RESERVED_MIN	1
#define CPI_RESERVED_MAX	255
#define CPI_PRIVATE_MIN		61440
#define CPI_PRIVATE_MAX		65535

/*
 * sysctl default values.  Timeouts are in seconds; the *_SOFT_* values
 * are the renegotiation warnings that precede the matching *_EXP_*
 * (hard) limits, and 0 for a byte/allocation limit means "no limit"
 * (see the TDBF_BYTES/TDBF_ALLOCATIONS flags on struct tdb) -- confirm
 * the zero semantics against the sysctl handler.
 */
#define	IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT	60	/* 1 minute */
#define	IPSEC_DEFAULT_PFS			1	/* Ask key mgmt for PFS */
#define	IPSEC_DEFAULT_SOFT_ALLOCATIONS		0
#define	IPSEC_DEFAULT_EXP_ALLOCATIONS		0
#define	IPSEC_DEFAULT_SOFT_BYTES		0
#define	IPSEC_DEFAULT_EXP_BYTES			0
#define	IPSEC_DEFAULT_SOFT_TIMEOUT		80000	/* ~22.2 hours */
#define	IPSEC_DEFAULT_EXP_TIMEOUT		86400	/* 24 hours */
#define	IPSEC_DEFAULT_SOFT_FIRST_USE		3600	/* 1 hour after first use */
#define	IPSEC_DEFAULT_EXP_FIRST_USE		7200	/* 2 hours after first use */
#define	IPSEC_DEFAULT_DEF_ENC			"aes"
#define	IPSEC_DEFAULT_DEF_AUTH			"hmac-sha1"
#define	IPSEC_DEFAULT_EXPIRE_ACQUIRE		30	/* seconds to wait for key mgmt */
#define	IPSEC_DEFAULT_DEF_COMP			"deflate"
105
/*
 * Encapsulation "address": the key used by the encapsulation routing
 * table (struct route_enc) and by policy/flow matching (ipo_addr,
 * tdb_filter).  sen_type (one of SENT_*) selects which arm of the union
 * is live; the sen_* macros below give flat names to the arm members.
 */
struct sockaddr_encap {
	u_int8_t	sen_len;		/* length */
	u_int8_t	sen_family;		/* PF_KEY */
	u_int16_t	sen_type;		/* see SENT_* */
	union {
		struct {				/* SENT_IP4 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_IN/OUT */
			struct in_addr	Src;
			struct in_addr	Dst;
			u_int8_t	Proto;		/* IP protocol number */
			u_int16_t	Sport;		/* transport ports; presumably
							 * zero when Proto has none */
			u_int16_t	Dport;
		} Sip4;

		struct {				/* SENT_IP6 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_IN/OUT */
			struct in6_addr	Src;
			struct in6_addr	Dst;
			u_int8_t	Proto;
			u_int16_t	Sport;
			u_int16_t	Dport;
		} Sip6;

		/*
		 * SENT_IPSP carries a kernel pointer inside an address.
		 * If this structure is ever copied out to userland, this
		 * arm must be scrubbed first -- confirm in the users.
		 */
		struct ipsec_policy	*PolicyHead;	/* SENT_IPSP */
	} Sen;
};
132
/* Values for the Direction member of sockaddr_encap (Sip4/Sip6) */
#define	IPSP_DIRECTION_IN	0x1
#define	IPSP_DIRECTION_OUT	0x2

/*
 * Flat accessors for the union arms of struct sockaddr_encap.
 * NOTE(review): sen_data expands to Sen.Data, but the union has no
 * member named Data (only Sip4, Sip6 and PolicyHead), so any use of
 * sen_data fails to compile.  It looks like a stale accessor left over
 * from an earlier layout.
 */
#define	sen_data		Sen.Data
#define	sen_ip_src		Sen.Sip4.Src
#define	sen_ip_dst		Sen.Sip4.Dst
#define	sen_proto		Sen.Sip4.Proto
#define	sen_sport		Sen.Sip4.Sport
#define	sen_dport		Sen.Sip4.Dport
#define	sen_direction		Sen.Sip4.Direction
#define	sen_ip6_src		Sen.Sip6.Src
#define	sen_ip6_dst		Sen.Sip6.Dst
#define	sen_ip6_proto		Sen.Sip6.Proto
#define	sen_ip6_sport		Sen.Sip6.Sport
#define	sen_ip6_dport		Sen.Sip6.Dport
#define	sen_ip6_direction	Sen.Sip6.Direction
#define	sen_ipsp		Sen.PolicyHead

/*
 * The "type" is really part of the address as far as the routing
 * system is concerned.  Each type occupies a single distinct bit of
 * the type field, so that encapsulation addresses of different types
 * cannot be matched against each other by accident.
 */

#define	SENT_IP4	0x0001		/* data is two struct in_addr */
#define	SENT_IPSP	0x0002		/* data as in IP4/6 plus SPI */
#define	SENT_IP6	0x0004		/* data is two struct in6_addr */

/* Size of a full sockaddr_encap; presumably what sen_len is set to */
#define	SENT_LEN	sizeof(struct sockaddr_encap)
164
/*
 * Reference-counted blob header for identities, credentials and
 * authentication material.  ref_len bytes of payload follow the
 * header in the same allocation; ipsp_reffree() drops a reference
 * and ipsp_ref_match() compares two blobs.
 * NOTE(review): ref_len is a signed int16_t, so whoever fills it in
 * from external (PF_KEY) data must reject negative lengths before
 * the value is used for copying or comparison -- confirm.
 */
struct ipsec_ref {
	u_int16_t	ref_type;	/* Subtype of data (IPSP_IDENTITY_*, IPSP_CRED_*, IPSP_AUTH_*) */
	int16_t		ref_len;	/* Length of data following */
	int		ref_count;	/* Reference count */
	int		ref_malloctype;	/* malloc(9) type, for freeing */
};
171
/*
 * Pending request to key management for an SA that a policy needs.
 * One entry is linked on three lists at once: the owning policy's
 * ipo_acquires (ipa_ipo_next), the global ipsec_acquire_head
 * (ipa_next) and the requesting PCB's list (ipa_inp_next).
 * ipa_timeout presumably bounds how long the request stays pending
 * (cf. IPSEC_DEFAULT_EXPIRE_ACQUIRE) -- confirm.
 */
struct ipsec_acquire {
	union sockaddr_union		ipa_addr;	/* Peer we are acquiring for */
	u_int32_t			ipa_seq;	/* PF_KEY sequence number of the request */
	struct sockaddr_encap		ipa_info;	/* Flow that triggered the acquire */
	struct sockaddr_encap		ipa_mask;	/* ... and its mask */
	struct timeout			ipa_timeout;	/* Expiry of the pending request */
	struct ipsec_policy		*ipa_policy;	/* Policy this acquire belongs to */
	struct inpcb                    *ipa_pcb;	/* Requesting socket, if any */
	TAILQ_ENTRY(ipsec_acquire)	ipa_ipo_next;	/* On ipa_policy->ipo_acquires */
	TAILQ_ENTRY(ipsec_acquire)	ipa_next;	/* On ipsec_acquire_head */
	TAILQ_ENTRY(ipsec_acquire)      ipa_inp_next;	/* On the PCB's list */
};
184
/*
 * Security policy entry.  ipo_addr/ipo_mask select the traffic (as a
 * sockaddr_encap plus mask), ipo_type (IPSP_* below) says what to do
 * with a match, and ipo_flags carries IPSP_POLICY_* bits.  Entries are
 * reference counted (ipo_ref_count) and released through
 * ipsec_delete_policy().
 */
struct ipsec_policy {
	struct sockaddr_encap	ipo_addr;	/* Traffic selector */
	struct sockaddr_encap	ipo_mask;	/* ... and its mask */

	union sockaddr_union	ipo_src;	/* Local address to use */
	union sockaddr_union	ipo_dst;	/* Remote gateway -- if it's zeroed:
						 * - on output, we try to
						 * contact the remote host
						 * directly (if needed).
						 * - on input, we accept only if
						 * the inner source is the
						 * same as the outer source
						 * address, or if transport
						 * mode was used.
						 */

	u_int64_t		ipo_last_searched;	/* Timestamp of last lookup */

	u_int8_t		ipo_flags;	/* See IPSP_POLICY_* definitions */
	u_int8_t		ipo_type;	/* USE/ACQUIRE/... (IPSP_* below) */
	u_int8_t		ipo_sproto;	/* ESP/AH; if zero, use system dflts */
	u_int			ipo_rdomain;	/* Routing domain of this policy */

	int                     ipo_ref_count;	/* Reference count */

	struct tdb		*ipo_tdb;		/* Cached entry */

	/* Identity/credential requirements matched by ipsp_aux_match() */
	struct ipsec_ref	*ipo_srcid;
	struct ipsec_ref	*ipo_dstid;
	struct ipsec_ref	*ipo_local_cred;
	struct ipsec_ref	*ipo_local_auth;

	TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */
	TAILQ_ENTRY(ipsec_policy)	ipo_tdb_next;	/* List TDB policies */
	TAILQ_ENTRY(ipsec_policy)	ipo_list;	/* List of all policies */
};
221
/* ipo_flags bits */
#define	IPSP_POLICY_NONE	0x0000	/* No flags set */
#define	IPSP_POLICY_SOCKET	0x0001	/* Socket-attached policy */
#define	IPSP_POLICY_STATIC	0x0002	/* Static policy */

/* ipo_type values: what to do with traffic matching the policy */
#define	IPSP_IPSEC_USE		0	/* Use if existing, don't acquire */
#define	IPSP_IPSEC_ACQUIRE	1	/* Try acquire, let packet through */
#define	IPSP_IPSEC_REQUIRE	2	/* Require SA */
#define	IPSP_PERMIT		3	/* Permit traffic through */
#define	IPSP_DENY		4	/* Deny traffic */
#define	IPSP_IPSEC_DONTACQ	5	/* Require, but don't acquire */

/* Notification types */
#define	NOTIFY_SOFT_EXPIRE	0	/* Soft expiration of SA */
#define	NOTIFY_HARD_EXPIRE	1	/* Hard expiration of SA */
#define	NOTIFY_REQUEST_SA	2	/* Establish an SA */

/*
 * SA type attribute bits, OR-ed together by TDB_ATTRIB() and
 * SPI_CHAIN_ATTRIB() below.
 * NOTE(review): NOTIFY_SATYPE_COMP is 5, not a distinct bit: 5 == 1|4,
 * so a compression-only TDB also tests positive for NOTIFY_SATYPE_CONF
 * and NOTIFY_SATYPE_TUNNEL when the OR-ed result is inspected bit by
 * bit.  Check whether any consumer depends on the numeric value before
 * changing it to 8.
 */
#define	NOTIFY_SATYPE_CONF	1	/* SA should do encryption */
#define	NOTIFY_SATYPE_AUTH	2	/* SA should do authentication */
#define	NOTIFY_SATYPE_TUNNEL	4	/* SA should use tunneling */
#define NOTIFY_SATYPE_COMP	5       /* SA (IPCA) should use compression */

/* Authentication types (ref_type of *_auth blobs) */
#define	IPSP_AUTH_NONE		0
#define	IPSP_AUTH_PASSPHRASE	1
#define	IPSP_AUTH_RSA		2

/* Credential types (ref_type of *_cred blobs) */
#define	IPSP_CRED_NONE		0
#define	IPSP_CRED_KEYNOTE	1
#define	IPSP_CRED_X509		2

/* Identity types (ref_type of *_srcid/*_dstid blobs) */
#define	IPSP_IDENTITY_NONE		0
#define	IPSP_IDENTITY_PREFIX		1
#define	IPSP_IDENTITY_FQDN		2
#define	IPSP_IDENTITY_USERFQDN		3
#define	IPSP_IDENTITY_CONNECTION	4
259
/*
 * Encapsulation routes can be keyed not only on the destination
 * address but also on the protocol and on the source and destination
 * ports, when those are available.
 */
265
/*
 * Cached route into the encapsulation routing table: the resolved
 * rtentry plus the sockaddr_encap key it was looked up with.
 */
struct route_enc {
	struct rtentry		*re_rt;		/* Cached route, or NULL */
	u_long			re_tableid; /* u_long because of alignment */
	struct sockaddr_encap	re_dst;		/* Lookup key the route was resolved for */
};
271
/*
 * Tunnel descriptor block: the kernel's representation of one security
 * association (SA).  It holds the transform and algorithm selection,
 * the lifetime/expiry state driven by the TDBF_* flags, the endpoint
 * addresses, the raw keys, the anti-replay window and the links to
 * policies and sockets that use it.  Allocated with tdb_alloc(),
 * registered with puttdb() and torn down with tdb_delete()/tdb_free().
 */
struct tdb {				/* tunnel descriptor block */
	/*
	 * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
	 * one keyed on dst/sproto, and one keyed on src/sproto. The first
	 * is used for finding a specific TDB, the second for finding TDBs
	 * for outgoing policy matching, and the third for incoming
	 * policy matching. The following three fields maintain the hash
	 * queues in those three tables.
	 */
	struct tdb	*tdb_hnext;	/* dst/spi/sproto table */
	struct tdb	*tdb_anext;	/* dst/sproto table */
	struct tdb	*tdb_snext;	/* src/sproto table */
	struct tdb	*tdb_inext;	/* Next TDB in an input SA bundle (see SPI_CHAIN_ATTRIB) */
	struct tdb	*tdb_onext;	/* Next TDB in an output SA bundle */

	struct xformsw		*tdb_xform;		/* Transform to use */
	struct enc_xform	*tdb_encalgxform;	/* Enc algorithm */
	struct auth_hash	*tdb_authalgxform;	/* Auth algorithm */
	struct comp_algo	*tdb_compalgxform;	/* Compression algo */

/*
 * tdb_flags bits.  Bits 0x00040, 0x02000 and 0x04000 are currently
 * unassigned; keep new flags out of the way of the pfsync and ESN bits.
 */
#define	TDBF_UNIQUE		0x00001	/* This should not be used by others */
#define	TDBF_TIMER		0x00002	/* Absolute expiration timer in use */
#define	TDBF_BYTES		0x00004	/* Check the byte counters */
#define	TDBF_ALLOCATIONS	0x00008	/* Check the flows counters */
#define	TDBF_INVALID		0x00010	/* This SPI is not valid yet/anymore */
#define	TDBF_FIRSTUSE		0x00020	/* Expire after first use */
#define	TDBF_SOFT_TIMER		0x00080	/* Soft expiration */
#define	TDBF_SOFT_BYTES		0x00100	/* Soft expiration */
#define	TDBF_SOFT_ALLOCATIONS	0x00200	/* Soft expiration */
#define	TDBF_SOFT_FIRSTUSE	0x00400	/* Soft expiration */
#define	TDBF_PFS		0x00800	/* Ask for PFS from Key Mgmt. */
#define	TDBF_TUNNELING		0x01000	/* Force IP-IP encapsulation */
#define	TDBF_SKIPCRYPTO		0x08000	/* Skip actual crypto processing */
#define	TDBF_USEDTUNNEL		0x10000	/* Appended a tunnel header in past */
#define	TDBF_UDPENCAP		0x20000	/* UDP encapsulation */
#define	TDBF_PFSYNC		0x40000	/* TDB will be synced */
#define	TDBF_PFSYNC_RPL		0x80000	/* Replay counter should be bumped */
#define	TDBF_ESN		0x100000 /* 64-bit sequence numbers (ESN) */

	u_int32_t	tdb_flags;	/* Flags related to this TDB */

	/* Timers behind the hard/soft timeout and first-use expiries */
	struct timeout	tdb_timer_tmo;	/* Hard expiration (TDBF_TIMER) */
	struct timeout	tdb_first_tmo;	/* Hard first-use expiration (TDBF_FIRSTUSE) */
	struct timeout	tdb_stimer_tmo;	/* Soft expiration (TDBF_SOFT_TIMER) */
	struct timeout	tdb_sfirst_tmo;	/* Soft first-use expiration (TDBF_SOFT_FIRSTUSE) */

	u_int32_t	tdb_seq;		/* Tracking number for PFKEY */
	u_int32_t	tdb_exp_allocations;	/* Expire after so many flows */
	u_int32_t	tdb_soft_allocations;	/* Expiration warning */
	u_int32_t	tdb_cur_allocations;	/* Total number of allocs */

	u_int64_t	tdb_exp_bytes;	/* Expire after so many bytes passed */
	u_int64_t	tdb_soft_bytes;	/* Expiration warning */
	u_int64_t	tdb_cur_bytes;	/* Current count of bytes */

	u_int64_t	tdb_exp_timeout;	/* When does the SPI expire */
	u_int64_t	tdb_soft_timeout;	/* Send soft-expire warning */
	u_int64_t	tdb_established;	/* When was SPI established */

	u_int64_t	tdb_first_use;		/* When was it first used */
	u_int64_t	tdb_soft_first_use;	/* Soft warning */
	u_int64_t	tdb_exp_first_use;	/* Expire if tdb_first_use +
						 * tdb_exp_first_use <= curtime
						 */

	u_int64_t	tdb_last_used;	/* When was this SA last used */
	u_int64_t	tdb_last_marked;/* Last SKIPCRYPTO status change */

	u_int64_t	tdb_cryptoid;	/* Crypto session ID */

	u_int32_t	tdb_spi;	/* SPI */
	u_int16_t	tdb_amxkeylen;	/* Raw authentication key length */
	u_int16_t	tdb_emxkeylen;	/* Raw encryption key length */
	u_int16_t	tdb_ivlen;	/* IV length */
	u_int8_t	tdb_sproto;	/* IPsec protocol */
	u_int8_t	tdb_wnd;	/* Replay window; how it relates to TDB_REPLAYMAX is validated elsewhere -- confirm */
	u_int8_t	tdb_satype;	/* SA type (RFC2367, PF_KEY) */
	u_int8_t	tdb_updates;	/* pfsync update counter */

	union sockaddr_union	tdb_dst;	/* Destination address */
	union sockaddr_union	tdb_src;	/* Source address */
	union sockaddr_union	tdb_proxy;

	/*
	 * Raw key material, tdb_amxkeylen/tdb_emxkeylen bytes each.
	 * Sensitive: whoever frees these (xf_zeroize / tdb_free) is
	 * expected to clear them before release -- confirm in the xforms.
	 */
	u_int8_t	*tdb_amxkey;	/* Raw authentication key */
	u_int8_t	*tdb_emxkey;	/* Raw encryption key */

/* Anti-replay bitmap: TDB_REPLAYMAX bits, i.e. 67 32-bit words */
#define TDB_REPLAYWASTE	32
#define TDB_REPLAYMAX	(2100+TDB_REPLAYWASTE)

	u_int64_t	tdb_rpl;	/* Replay counter; 64-bit to carry the ESN high half (TDBF_ESN) */
	u_int32_t	tdb_seen[howmany(TDB_REPLAYMAX, 32)]; /* Anti-replay window */

	u_int8_t	tdb_iv[4];	/* Used for HALF-IV ESP */

	/* Identities, credentials and auth material negotiated for this SA */
	struct ipsec_ref	*tdb_local_cred;
	struct ipsec_ref	*tdb_remote_cred;
	struct ipsec_ref	*tdb_srcid;	/* Source ID for this SA */
	struct ipsec_ref	*tdb_dstid;	/* Destination ID for this SA */
	struct ipsec_ref	*tdb_local_auth;/* Local authentication material */
	struct ipsec_ref	*tdb_remote_auth;/* Remote authentication material */

	u_int32_t	tdb_mtu;	/* MTU at this point in the chain */
	u_int64_t	tdb_mtutimeout;	/* When to ignore this entry */

	u_int16_t	tdb_udpencap_port;	/* Peer UDP port */

	u_int16_t	tdb_tag;		/* Packet filter tag */
	u_int32_t	tdb_tap;		/* Alternate enc(4) interface */

	u_int		tdb_rdomain;		/* Routing domain */

	struct sockaddr_encap   tdb_filter; /* What traffic is acceptable */
	struct sockaddr_encap   tdb_filtermask; /* And the mask */

	TAILQ_HEAD(tdb_inp_head_in, inpcb)	tdb_inp_in;	/* Sockets using this SA for input */
	TAILQ_HEAD(tdb_inp_head_out, inpcb)	tdb_inp_out;	/* Sockets using this SA for output */
	TAILQ_HEAD(tdb_policy_head, ipsec_policy)	tdb_policy_head; /* Policies caching this SA (ipo_tdb) */
	TAILQ_ENTRY(tdb)	tdb_sync_entry;	/* pfsync queue link */
};
391
/*
 * Minimal key naming a TDB: the same (rdomain, spi, dst, proto) tuple
 * gettdb() looks up by.  ipsp_skipcrypto_mark()/_unmark() take this
 * instead of a struct tdb pointer, so a TDB can be referred to without
 * holding a reference that might go stale.
 */
struct tdb_ident {
	u_int32_t spi;
	union sockaddr_union dst;
	u_int8_t proto;
	u_int rdomain;
};
398
/*
 * Per-request context handed to the crypto layer.  The TDB is named by
 * the gettdb() tuple (tc_spi/tc_dst/tc_proto/tc_rdomain) rather than
 * by pointer, presumably so the completion callback can notice that
 * the SA went away while the request was in flight -- confirm in the
 * xform callbacks.  tc_protoff/tc_skip locate the IPsec header in the
 * packet; tc_ptr is an opaque per-transform pointer.
 */
struct tdb_crypto {
	u_int32_t		tc_spi;
	union sockaddr_union	tc_dst;
	u_int8_t		tc_proto;
	int			tc_protoff;	/* Offset of the protocol field */
	int			tc_skip;	/* Bytes to skip to reach the IPsec header */
	caddr_t			tc_ptr;		/* Opaque, transform-specific */
	u_int			tc_rdomain;
};
408
/*
 * Parameters for tdb_init()/xf_init(): raw key material and the
 * algorithm identifiers to set up a transform with.
 * NOTE(review): the key lengths come from key management; the xform
 * init routine is expected to check them against the algorithm's
 * limits (cf. the *_KEYSIZE constants above) before the keys are
 * copied into the TDB -- confirm.
 */
struct ipsecinit {
	u_int8_t	*ii_enckey;	/* Encryption key, ii_enckeylen bytes */
	u_int8_t	*ii_authkey;	/* Authentication key, ii_authkeylen bytes */
	u_int16_t	ii_enckeylen;
	u_int16_t	ii_authkeylen;
	u_int8_t	ii_encalg;	/* Encryption algorithm id */
	u_int8_t	ii_authalg;	/* Authentication algorithm id */
	u_int8_t	ii_compalg;	/* Compression algorithm id */
};
418
/* xform IDs (xf_type in struct xformsw; note 4 is unassigned) */
#define	XF_IP4		1	/* IP inside IP */
#define	XF_AH		2	/* AH */
#define	XF_ESP		3	/* ESP */
#define	XF_TCPSIGNATURE	5	/* TCP MD5 Signature option, RFC 2385 */
#define	XF_IPCOMP	6	/* IPCOMP */

/* xform attributes (xf_flags in struct xformsw) */
#define	XFT_AUTH	0x0001	/* provides authentication */
#define	XFT_CONF	0x0100	/* provides confidentiality */
#define	XFT_COMP	0x1000	/* provides compression */

#define	IPSEC_ZEROES_SIZE	256	/* Larger than an IP6 extension hdr. */
432
433#ifdef _KERNEL
434
/*
 * Transform switch: one entry per supported protocol (XF_* above).
 * The function pointers match the per-protocol entry points declared
 * below (e.g. esp_attach/esp_init/esp_zeroize/esp_input/esp_output
 * for XF_ESP).
 */
struct xformsw {
	u_short	xf_type;		/* Unique ID of xform (XF_*) */
	u_short	xf_flags;		/* flags (see XFT_* above) */
	char	*xf_name;		/* human-readable name; presumably never written through (could be const char *) */
	int	(*xf_attach)(void);	/* called at config time */
	int	(*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *); /* set up an SA from key material */
	int	(*xf_zeroize)(struct tdb *); /* termination: release per-SA state; expected to wipe keys -- confirm */
	int	(*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */
	int	(*xf_output)(struct mbuf *, struct tdb *, struct mbuf **,
	    int, int);        /* output */
};
446
extern int ipsec_in_use;			/* Non-zero once any SA/policy exists */
extern u_int64_t ipsec_last_added;		/* Timestamp of the last SA added */
extern int ipsec_policy_pool_initialized;

/*
 * sysctl-tunable lifetime settings; presumably seeded from the
 * IPSEC_DEFAULT_* constants above.
 * NOTE(review): ipsec_soft_bytes/ipsec_exp_bytes are plain int while the
 * per-TDB counters (tdb_soft_bytes/tdb_exp_bytes) are u_int64_t, so the
 * sysctl cannot express limits above INT_MAX bytes and a negative value
 * would become a huge unsigned limit if copied unchecked -- confirm how
 * the sysctl handler validates these.
 */
extern int ipsec_keep_invalid;		/* lifetime of embryonic SAs (in sec) */
extern int ipsec_require_pfs;		/* use Perfect Forward Secrecy */
extern int ipsec_expire_acquire;	/* wait for security assoc. (in sec) */
extern int ipsec_soft_allocations;	/* flows/SA before renegotiation */
extern int ipsec_exp_allocations;	/* num. of flows/SA before it expires */
extern int ipsec_soft_bytes;		/* bytes/SA before renegotiation */
extern int ipsec_exp_bytes;		/* num of bytes/SA before it expires */
extern int ipsec_soft_timeout;		/* seconds/SA before renegotiation */
extern int ipsec_exp_timeout;		/* seconds/SA before it expires */
extern int ipsec_soft_first_use;	/* seconds between 1st asso & renego */
extern int ipsec_exp_first_use;		/* seconds between 1st asso & expire */

/* Default algorithm names (cf. IPSEC_DEFAULT_DEF_ENC/AUTH/COMP) */
extern char ipsec_def_enc[];
extern char ipsec_def_auth[];
extern char ipsec_def_comp[];

/* Algorithm descriptors provided by the crypto framework */
extern struct enc_xform enc_xform_des;
extern struct enc_xform enc_xform_3des;
extern struct enc_xform enc_xform_blf;
extern struct enc_xform enc_xform_cast5;

extern struct auth_hash auth_hash_hmac_md5_96;
extern struct auth_hash auth_hash_hmac_sha1_96;
extern struct auth_hash auth_hash_hmac_ripemd_160_96;

extern struct comp_algo comp_algo_deflate;

/* Global lists of all policies and of all pending acquires */
extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;
extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head;
480
/*
 * Attribute bits of a single TDB: OR of NOTIFY_SATYPE_CONF, _AUTH and
 * _COMP according to which of the encryption, authentication and
 * compression algorithm descriptors is attached.  `x' is a struct tdb *
 * and is evaluated up to three times.
 */
#define	TDB_ATTRIB(x)							\
	(((x)->tdb_encalgxform != NULL ? NOTIFY_SATYPE_CONF : 0) |	\
	 ((x)->tdb_authalgxform != NULL ? NOTIFY_SATYPE_AUTH : 0) |	\
	 ((x)->tdb_compalgxform != NULL ? NOTIFY_SATYPE_COMP : 0))
485
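/*
 * Walk an SA bundle starting at TDBP, following the struct tdb member
 * named by TDB_DIR (e.g. tdb_onext or tdb_inext), and OR the
 * TDB_ATTRIB() bits of every member into `have'.  The walk stops at
 * the first TDB that has no transform attached or that is flagged
 * TDBF_INVALID, so an expired or not-yet-valid SA never contributes
 * to the reported attributes.
 *
 * Runs between splsoftnet()/splx(), presumably to keep the chain
 * stable during the walk -- confirm.  The macro declares locals named
 * `s' and `tmptdb'; callers must not pass those names as arguments.
 */
#define	SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP)				\
do {									\
	int s = splsoftnet();						\
	struct tdb *tmptdb = (TDBP);					\
									\
	(have) = 0;							\
	/* The loop condition already guarantees tmptdb != NULL. */	\
	while (tmptdb != NULL && tmptdb->tdb_xform != NULL) {		\
		if (tmptdb->tdb_flags & TDBF_INVALID)			\
			break;						\
		(have) |= TDB_ATTRIB(tmptdb);				\
		tmptdb = tmptdb->TDB_DIR;				\
	}								\
	splx(s);							\
} while (/* CONSTCOND */ 0)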
502
/* Misc. */
uint8_t	get_sa_require(struct inpcb *);
/*
 * Address formatting helpers.  They return a char * without a caller
 * supplied buffer, which suggests a static buffer that is overwritten
 * by the next call -- confirm before holding the result across calls.
 */
char	*inet_ntoa4(struct in_addr);
char	*ipsp_address(union sockaddr_union);

/*
 * TDB management routines.  Lookups take (rdomain, ..., sproto); see
 * struct tdb for the three hash tables the gettdb*() variants use.
 */
void	tdb_add_inp(struct tdb *, struct inpcb *, int);
uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *,
		union sockaddr_union *, u_int8_t, int *);	/* picks an SPI in the given range; last arg reports an error -- confirm */
struct	tdb *gettdb(u_int, u_int32_t, union sockaddr_union *, u_int8_t);	/* dst/spi/sproto table */
struct	tdb *gettdbbyaddr(u_int, union sockaddr_union *, u_int8_t,
		struct ipsec_ref *, struct ipsec_ref *, struct ipsec_ref *,
		struct mbuf *, int, struct sockaddr_encap *,
		struct sockaddr_encap *);				/* dst/sproto table */
struct	tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t,
		struct ipsec_ref *, struct ipsec_ref *, struct mbuf *, int,
		struct sockaddr_encap *, struct sockaddr_encap *);	/* src/sproto table */
struct	tdb *gettdbbysrcdst(u_int, u_int32_t, union sockaddr_union *,
		union sockaddr_union *, u_int8_t);
void	puttdb(struct tdb *);		/* insert into the hash tables */
void	tdb_delete(struct tdb *);	/* unlink and release */
struct	tdb *tdb_alloc(u_int);		/* allocate for a routing domain */
void	tdb_free(struct tdb *);
int	tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);	/* bind the xform (XF_*) and keys */
int	tdb_walk(u_int, int (*)(struct tdb *, void *, int), void *);

/* XF_IP4 */
int	ipe4_attach(void);
int	ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int	ipe4_zeroize(struct tdb *);
void	ipe4_input(struct mbuf *, ...);
void	ipip_input(struct mbuf *, int, struct ifnet *, int);
int	ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);

#ifdef INET
void	ip4_input(struct mbuf *, ...);
#endif /* INET */

#ifdef INET6
int	ip4_input6(struct mbuf **, int *, int);
#endif /* INET6 */

/* XF_AH */
int 	ah_attach(void);
int 	ah_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int 	ah_zeroize(struct tdb *);
int	ah_input(struct mbuf *, struct tdb *, int, int);
int	ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
int	ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);

#ifdef INET
void	ah4_input(struct mbuf *, ...);
void	*ah4_ctlinput(int, struct sockaddr *, u_int, void *);
void	*udpencap_ctlinput(int, struct sockaddr *, u_int, void *);
#endif /* INET */

#ifdef INET6
int	ah6_input(struct mbuf **, int *, int);
#endif /* INET6 */

/* XF_ESP */
int	esp_attach(void);
int	esp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int	esp_zeroize(struct tdb *);
int	esp_input(struct mbuf *, struct tdb *, int, int);
int	esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
int	esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);

#ifdef INET
void	esp4_input(struct mbuf *, ...);
void	*esp4_ctlinput(int, struct sockaddr *, u_int, void *);
#endif /* INET */

#ifdef INET6
int 	esp6_input(struct mbuf **, int *, int);
#endif /* INET6 */

/* XF_IPCOMP */
int	ipcomp_attach(void);
int	ipcomp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int	ipcomp_zeroize(struct tdb *);
int	ipcomp_input(struct mbuf *, struct tdb *, int, int);
int	ipcomp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
int	ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);

#ifdef INET
void	ipcomp4_input(struct mbuf *, ...);
#endif /* INET */

#ifdef INET6
int	ipcomp6_input(struct mbuf **, int *, int);
#endif /* INET6 */

/* XF_TCPSIGNATURE */
int	tcp_signature_tdb_attach(void);
int	tcp_signature_tdb_init(struct tdb *, struct xformsw *,
	    struct ipsecinit *);
int	tcp_signature_tdb_zeroize(struct tdb *);
int	tcp_signature_tdb_input(struct mbuf *, struct tdb *, int, int);
int	tcp_signature_tdb_output(struct mbuf *, struct tdb *, struct mbuf **,
	  int, int);

/*
 * Replay window: anti-replay check against tdb_rpl/tdb_seen.  Exact
 * argument semantics (sequence number, returned bit index, whether the
 * window is updated) live in the implementation -- confirm there.
 */
int	checkreplaywindow(struct tdb *, u_int32_t, u_int32_t *, int);

/* Packet processing */
int	ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
int	ipsp_process_done(struct mbuf *, struct tdb *);
/* Security policy database lookups: return the TDB to use, if any */
struct	tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int,
	    struct tdb *, struct inpcb *, u_int32_t);
struct	tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int,
	    struct tdb *, struct inpcb *, struct ipsec_policy *);
int	ipsp_is_unspecified(union sockaddr_union);
int	ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *);
void	ipsp_reffree(struct ipsec_ref *);
void	ipsp_skipcrypto_mark(struct tdb_ident *);
void	ipsp_skipcrypto_unmark(struct tdb_ident *);
/* Identity/credential and filter matching used by the gettdbby*() lookups */
int	ipsp_aux_match(struct tdb *, struct ipsec_ref *, struct ipsec_ref *,
	    struct ipsec_ref *, struct ipsec_ref *, struct sockaddr_encap *,
	    struct sockaddr_encap *);

int	ipsec_common_input(struct mbuf *, int, int, int, int, int);
int	ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int,
	    struct m_tag *);
int	ipsec_delete_policy(struct ipsec_policy *);
ssize_t	ipsec_hdrsz(struct tdb *);		/* header overhead added by this SA */
void	ipsec_adjust_mtu(struct mbuf *, u_int32_t);
struct	ipsec_policy *ipsec_add_policy(struct inpcb *, int, int);
struct	ipsec_acquire *ipsec_get_acquire(u_int32_t);	/* look up a pending acquire by PF_KEY sequence number */
632
633#endif /* _KERNEL */
634#endif /* _NETINET_IPSP_H_ */
635