ip_ipsp.h revision 1.155
1/* $OpenBSD: ip_ipsp.h,v 1.155 2013/07/04 09:48:49 mpi Exp $ */ 2/* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Niklas Hallqvist (niklas@appli.se). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 18 * 19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * Copyright (c) 1999 Niklas Hallqvist. 22 * Copyright (c) 2001, Angelos D. Keromytis. 23 * 24 * Permission to use, copy, and modify this software with or without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40#ifndef _NETINET_IPSP_H_ 41#define _NETINET_IPSP_H_ 42 43struct m_tag; 44 45/* IPSP global definitions. */ 46 47#include <sys/types.h> 48#include <sys/queue.h> 49#include <sys/timeout.h> 50#include <netinet/in.h> 51 52union sockaddr_union { 53 struct sockaddr sa; 54 struct sockaddr_in sin; 55 struct sockaddr_in6 sin6; 56}; 57 58/* HMAC key sizes */ 59#define MD5HMAC96_KEYSIZE 16 60#define SHA1HMAC96_KEYSIZE 20 61#define RIPEMD160HMAC96_KEYSIZE 20 62#define SHA2_256HMAC96_KEYSIZE 32 63#define SHA2_384HMAC96_KEYSIZE 48 64#define SHA2_512HMAC96_KEYSIZE 64 65 66#define AH_HMAC_MAX_HASHLEN 32 /* 256 bits of authenticator for SHA512 */ 67#define AH_HMAC_RPLENGTH 4 /* 32 bits of replay counter */ 68#define AH_HMAC_INITIAL_RPL 1 /* Replay counter initial value */ 69 70/* Authenticator lengths */ 71#define AH_MD5_ALEN 16 72#define AH_SHA1_ALEN 20 73#define AH_RMD160_ALEN 20 74#define AH_SHA2_256_ALEN 32 75#define AH_SHA2_384_ALEN 48 76#define AH_SHA2_512_ALEN 64 77#define AH_ALEN_MAX 64 /* Keep updated */ 78 79/* Reserved SPI numbers */ 80#define SPI_LOCAL_USE 0 81#define SPI_RESERVED_MIN 1 82#define SPI_RESERVED_MAX 255 83 84/* Reserved CPI numbers */ 85#define CPI_RESERVED_MIN 1 86#define CPI_RESERVED_MAX 255 87#define CPI_PRIVATE_MIN 61440 88#define CPI_PRIVATE_MAX 65535 89 90/* sysctl default values */ 91#define IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT 60 /* 1 minute */ 92#define IPSEC_DEFAULT_PFS 1 93#define IPSEC_DEFAULT_SOFT_ALLOCATIONS 0 94#define IPSEC_DEFAULT_EXP_ALLOCATIONS 0 95#define IPSEC_DEFAULT_SOFT_BYTES 0 96#define IPSEC_DEFAULT_EXP_BYTES 0 97#define IPSEC_DEFAULT_SOFT_TIMEOUT 80000 98#define IPSEC_DEFAULT_EXP_TIMEOUT 86400 99#define IPSEC_DEFAULT_SOFT_FIRST_USE 3600 100#define IPSEC_DEFAULT_EXP_FIRST_USE 7200 101#define IPSEC_DEFAULT_DEF_ENC "aes" 102#define IPSEC_DEFAULT_DEF_AUTH "hmac-sha1" 103#define IPSEC_DEFAULT_EXPIRE_ACQUIRE 30 104#define IPSEC_DEFAULT_DEF_COMP "deflate" 105 106struct sockaddr_encap { 107 u_int8_t sen_len; /* length */ 108 u_int8_t sen_family; /* PF_KEY */ 109 u_int16_t sen_type; /* see SENT_* */ 110 union { 111 struct { /* SENT_IP4 */ 112 u_int8_t Direction; 113 struct in_addr Src; 114 struct in_addr Dst; 115 u_int8_t Proto; 116 u_int16_t Sport; 117 u_int16_t Dport; 118 } Sip4; 119 120 struct { /* SENT_IP6 */ 121 u_int8_t Direction; 122 struct in6_addr Src; 123 struct in6_addr Dst; 124 u_int8_t Proto; 125 u_int16_t Sport; 126 u_int16_t Dport; 127 } Sip6; 128 129 struct ipsec_policy *PolicyHead; /* SENT_IPSP */ 130 } Sen; 131}; 132 133#define IPSP_DIRECTION_IN 0x1 134#define IPSP_DIRECTION_OUT 0x2 135 136#define sen_data Sen.Data 137#define sen_ip_src Sen.Sip4.Src 138#define sen_ip_dst Sen.Sip4.Dst 139#define sen_proto Sen.Sip4.Proto 140#define sen_sport Sen.Sip4.Sport 141#define sen_dport Sen.Sip4.Dport 142#define sen_direction Sen.Sip4.Direction 143#define sen_ip6_src Sen.Sip6.Src 144#define sen_ip6_dst Sen.Sip6.Dst 145#define sen_ip6_proto Sen.Sip6.Proto 146#define sen_ip6_sport Sen.Sip6.Sport 147#define sen_ip6_dport Sen.Sip6.Dport 148#define sen_ip6_direction Sen.Sip6.Direction 149#define sen_ipsp Sen.PolicyHead 150 151/* 152 * The "type" is really part of the address as far as the routing 153 * system is concerned. By using only one bit in the type field 154 * for each type, we sort-of make sure that different types of 155 * encapsulation addresses won't be matched against the wrong type. 156 * 157 */ 158 159#define SENT_IP4 0x0001 /* data is two struct in_addr */ 160#define SENT_IPSP 0x0002 /* data as in IP4/6 plus SPI */ 161#define SENT_IP6 0x0004 162 163#define SENT_LEN sizeof(struct sockaddr_encap) 164 165struct ipsec_ref { 166 u_int16_t ref_type; /* Subtype of data */ 167 int16_t ref_len; /* Length of data following */ 168 int ref_count; /* Reference count */ 169 int ref_malloctype; /* malloc(9) type, for freeing */ 170}; 171 172struct ipsec_acquire { 173 union sockaddr_union ipa_addr; 174 u_int32_t ipa_seq; 175 struct sockaddr_encap ipa_info; 176 struct sockaddr_encap ipa_mask; 177 struct timeout ipa_timeout; 178 struct ipsec_policy *ipa_policy; 179 struct inpcb *ipa_pcb; 180 TAILQ_ENTRY(ipsec_acquire) ipa_ipo_next; 181 TAILQ_ENTRY(ipsec_acquire) ipa_next; 182 TAILQ_ENTRY(ipsec_acquire) ipa_inp_next; 183}; 184 185struct ipsec_policy { 186 struct sockaddr_encap ipo_addr; 187 struct sockaddr_encap ipo_mask; 188 189 union sockaddr_union ipo_src; /* Local address to use */ 190 union sockaddr_union ipo_dst; /* Remote gateway -- if it's zeroed: 191 * - on output, we try to 192 * contact the remote host 193 * directly (if needed). 194 * - on input, we accept on if 195 * the inner source is the 196 * same as the outer source 197 * address, or if transport 198 * mode was used. 199 */ 200 201 u_int64_t ipo_last_searched; /* Timestamp of last lookup */ 202 203 u_int8_t ipo_flags; /* See IPSP_POLICY_* definitions */ 204 u_int8_t ipo_type; /* USE/ACQUIRE/... */ 205 u_int8_t ipo_sproto; /* ESP/AH; if zero, use system dflts */ 206 u_int ipo_rdomain; 207 208 int ipo_ref_count; 209 210 struct tdb *ipo_tdb; /* Cached entry */ 211 212 struct ipsec_ref *ipo_srcid; 213 struct ipsec_ref *ipo_dstid; 214 struct ipsec_ref *ipo_local_cred; 215 struct ipsec_ref *ipo_local_auth; 216 217 TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */ 218 TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* List TDB policies */ 219 TAILQ_ENTRY(ipsec_policy) ipo_list; /* List of all policies */ 220}; 221 222#define IPSP_POLICY_NONE 0x0000 /* No flags set */ 223#define IPSP_POLICY_SOCKET 0x0001 /* Socket-attached policy */ 224#define IPSP_POLICY_STATIC 0x0002 /* Static policy */ 225 226#define IPSP_IPSEC_USE 0 /* Use if existing, don't acquire */ 227#define IPSP_IPSEC_ACQUIRE 1 /* Try acquire, let packet through */ 228#define IPSP_IPSEC_REQUIRE 2 /* Require SA */ 229#define IPSP_PERMIT 3 /* Permit traffic through */ 230#define IPSP_DENY 4 /* Deny traffic */ 231#define IPSP_IPSEC_DONTACQ 5 /* Require, but don't acquire */ 232 233/* Notification types */ 234#define NOTIFY_SOFT_EXPIRE 0 /* Soft expiration of SA */ 235#define NOTIFY_HARD_EXPIRE 1 /* Hard expiration of SA */ 236#define NOTIFY_REQUEST_SA 2 /* Establish an SA */ 237 238#define NOTIFY_SATYPE_CONF 1 /* SA should do encryption */ 239#define NOTIFY_SATYPE_AUTH 2 /* SA should do authentication */ 240#define NOTIFY_SATYPE_TUNNEL 4 /* SA should use tunneling */ 241#define NOTIFY_SATYPE_COMP 5 /* SA (IPCA) should use compression */ 242 243/* Authentication types */ 244#define IPSP_AUTH_NONE 0 245#define IPSP_AUTH_PASSPHRASE 1 246#define IPSP_AUTH_RSA 2 247 248/* Credential types */ 249#define IPSP_CRED_NONE 0 250#define IPSP_CRED_KEYNOTE 1 251#define IPSP_CRED_X509 2 252 253/* Identity types */ 254#define IPSP_IDENTITY_NONE 0 255#define IPSP_IDENTITY_PREFIX 1 256#define IPSP_IDENTITY_FQDN 2 257#define IPSP_IDENTITY_USERFQDN 3 258#define IPSP_IDENTITY_CONNECTION 4 259 260/* 261 * For encapsulation routes are possible not only for the destination 262 * address but also for the protocol, source and destination ports 263 * if available 264 */ 265 266struct route_enc { 267 struct rtentry *re_rt; 268 u_long re_tableid; /* u_long because of alignment */ 269 struct sockaddr_encap re_dst; 270}; 271 272struct tdb { /* tunnel descriptor block */ 273 /* 274 * Each TDB is on three hash tables: one keyed on dst/spi/sproto, 275 * one keyed on dst/sproto, and one keyed on src/sproto. The first 276 * is used for finding a specific TDB, the second for finding TDBs 277 * for outgoing policy matching, and the third for incoming 278 * policy matching. The following three fields maintain the hash 279 * queues in those three tables. 280 */ 281 struct tdb *tdb_hnext; /* dst/spi/sproto table */ 282 struct tdb *tdb_anext; /* dst/sproto table */ 283 struct tdb *tdb_snext; /* src/sproto table */ 284 struct tdb *tdb_inext; 285 struct tdb *tdb_onext; 286 287 struct xformsw *tdb_xform; /* Transform to use */ 288 struct enc_xform *tdb_encalgxform; /* Enc algorithm */ 289 struct auth_hash *tdb_authalgxform; /* Auth algorithm */ 290 struct comp_algo *tdb_compalgxform; /* Compression algo */ 291 292#define TDBF_UNIQUE 0x00001 /* This should not be used by others */ 293#define TDBF_TIMER 0x00002 /* Absolute expiration timer in use */ 294#define TDBF_BYTES 0x00004 /* Check the byte counters */ 295#define TDBF_ALLOCATIONS 0x00008 /* Check the flows counters */ 296#define TDBF_INVALID 0x00010 /* This SPI is not valid yet/anymore */ 297#define TDBF_FIRSTUSE 0x00020 /* Expire after first use */ 298#define TDBF_SOFT_TIMER 0x00080 /* Soft expiration */ 299#define TDBF_SOFT_BYTES 0x00100 /* Soft expiration */ 300#define TDBF_SOFT_ALLOCATIONS 0x00200 /* Soft expiration */ 301#define TDBF_SOFT_FIRSTUSE 0x00400 /* Soft expiration */ 302#define TDBF_PFS 0x00800 /* Ask for PFS from Key Mgmt. */ 303#define TDBF_TUNNELING 0x01000 /* Force IP-IP encapsulation */ 304#define TDBF_SKIPCRYPTO 0x08000 /* Skip actual crypto processing */ 305#define TDBF_USEDTUNNEL 0x10000 /* Appended a tunnel header in past */ 306#define TDBF_UDPENCAP 0x20000 /* UDP encapsulation */ 307#define TDBF_PFSYNC 0x40000 /* TDB will be synced */ 308#define TDBF_PFSYNC_RPL 0x80000 /* Replay counter should be bumped */ 309#define TDBF_ESN 0x100000 /* 64-bit sequence numbers (ESN) */ 310 311 u_int32_t tdb_flags; /* Flags related to this TDB */ 312 313 struct timeout tdb_timer_tmo; 314 struct timeout tdb_first_tmo; 315 struct timeout tdb_stimer_tmo; 316 struct timeout tdb_sfirst_tmo; 317 318 u_int32_t tdb_seq; /* Tracking number for PFKEY */ 319 u_int32_t tdb_exp_allocations; /* Expire after so many flows */ 320 u_int32_t tdb_soft_allocations; /* Expiration warning */ 321 u_int32_t tdb_cur_allocations; /* Total number of allocs */ 322 323 u_int64_t tdb_exp_bytes; /* Expire after so many bytes passed */ 324 u_int64_t tdb_soft_bytes; /* Expiration warning */ 325 u_int64_t tdb_cur_bytes; /* Current count of bytes */ 326 327 u_int64_t tdb_exp_timeout; /* When does the SPI expire */ 328 u_int64_t tdb_soft_timeout; /* Send soft-expire warning */ 329 u_int64_t tdb_established; /* When was SPI established */ 330 331 u_int64_t tdb_first_use; /* When was it first used */ 332 u_int64_t tdb_soft_first_use; /* Soft warning */ 333 u_int64_t tdb_exp_first_use; /* Expire if tdb_first_use + 334 * tdb_exp_first_use <= curtime 335 */ 336 337 u_int64_t tdb_last_used; /* When was this SA last used */ 338 u_int64_t tdb_last_marked;/* Last SKIPCRYPTO status change */ 339 340 u_int64_t tdb_cryptoid; /* Crypto session ID */ 341 342 u_int32_t tdb_spi; /* SPI */ 343 u_int16_t tdb_amxkeylen; /* Raw authentication key length */ 344 u_int16_t tdb_emxkeylen; /* Raw encryption key length */ 345 u_int16_t tdb_ivlen; /* IV length */ 346 u_int8_t tdb_sproto; /* IPsec protocol */ 347 u_int8_t tdb_wnd; /* Replay window */ 348 u_int8_t tdb_satype; /* SA type (RFC2367, PF_KEY) */ 349 u_int8_t tdb_updates; /* pfsync update counter */ 350 351 union sockaddr_union tdb_dst; /* Destination address */ 352 union sockaddr_union tdb_src; /* Source address */ 353 union sockaddr_union tdb_proxy; 354 355 u_int8_t *tdb_amxkey; /* Raw authentication key */ 356 u_int8_t *tdb_emxkey; /* Raw encryption key */ 357 358#define TDB_REPLAYWASTE 32 359#define TDB_REPLAYMAX (2100+TDB_REPLAYWASTE) 360 361 u_int64_t tdb_rpl; /* Replay counter */ 362 u_int32_t tdb_seen[howmany(TDB_REPLAYMAX, 32)]; /* Anti-replay window */ 363 364 u_int8_t tdb_iv[4]; /* Used for HALF-IV ESP */ 365 366 struct ipsec_ref *tdb_local_cred; 367 struct ipsec_ref *tdb_remote_cred; 368 struct ipsec_ref *tdb_srcid; /* Source ID for this SA */ 369 struct ipsec_ref *tdb_dstid; /* Destination ID for this SA */ 370 struct ipsec_ref *tdb_local_auth;/* Local authentication material */ 371 struct ipsec_ref *tdb_remote_auth;/* Remote authentication material */ 372 373 u_int32_t tdb_mtu; /* MTU at this point in the chain */ 374 u_int64_t tdb_mtutimeout; /* When to ignore this entry */ 375 376 u_int16_t tdb_udpencap_port; /* Peer UDP port */ 377 378 u_int16_t tdb_tag; /* Packet filter tag */ 379 u_int32_t tdb_tap; /* Alternate enc(4) interface */ 380 381 u_int tdb_rdomain; /* Routing domain */ 382 383 struct sockaddr_encap tdb_filter; /* What traffic is acceptable */ 384 struct sockaddr_encap tdb_filtermask; /* And the mask */ 385 386 TAILQ_HEAD(tdb_inp_head_in, inpcb) tdb_inp_in; 387 TAILQ_HEAD(tdb_inp_head_out, inpcb) tdb_inp_out; 388 TAILQ_HEAD(tdb_policy_head, ipsec_policy) tdb_policy_head; 389 TAILQ_ENTRY(tdb) tdb_sync_entry; 390}; 391 392struct tdb_ident { 393 u_int32_t spi; 394 union sockaddr_union dst; 395 u_int8_t proto; 396 u_int rdomain; 397}; 398 399struct tdb_crypto { 400 u_int32_t tc_spi; 401 union sockaddr_union tc_dst; 402 u_int8_t tc_proto; 403 int tc_protoff; 404 int tc_skip; 405 caddr_t tc_ptr; 406 u_int tc_rdomain; 407}; 408 409struct ipsecinit { 410 u_int8_t *ii_enckey; 411 u_int8_t *ii_authkey; 412 u_int16_t ii_enckeylen; 413 u_int16_t ii_authkeylen; 414 u_int8_t ii_encalg; 415 u_int8_t ii_authalg; 416 u_int8_t ii_compalg; 417}; 418 419/* xform IDs */ 420#define XF_IP4 1 /* IP inside IP */ 421#define XF_AH 2 /* AH */ 422#define XF_ESP 3 /* ESP */ 423#define XF_TCPSIGNATURE 5 /* TCP MD5 Signature option, RFC 2358 */ 424#define XF_IPCOMP 6 /* IPCOMP */ 425 426/* xform attributes */ 427#define XFT_AUTH 0x0001 428#define XFT_CONF 0x0100 429#define XFT_COMP 0x1000 430 431#define IPSEC_ZEROES_SIZE 256 /* Larger than an IP6 extension hdr. */ 432 433#ifdef _KERNEL 434 435struct xformsw { 436 u_short xf_type; /* Unique ID of xform */ 437 u_short xf_flags; /* flags (see below) */ 438 char *xf_name; /* human-readable name */ 439 int (*xf_attach)(void); /* called at config time */ 440 int (*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *); 441 int (*xf_zeroize)(struct tdb *); /* termination */ 442 int (*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */ 443 int (*xf_output)(struct mbuf *, struct tdb *, struct mbuf **, 444 int, int); /* output */ 445}; 446 447extern int ipsec_in_use; 448extern u_int64_t ipsec_last_added; 449extern int ipsec_policy_pool_initialized; 450 451extern int ipsec_keep_invalid; /* lifetime of embryonic SAs (in sec) */ 452extern int ipsec_require_pfs; /* use Perfect Forward Secrecy */ 453extern int ipsec_expire_acquire; /* wait for security assoc. (in sec) */ 454extern int ipsec_soft_allocations; /* flows/SA before renegotiation */ 455extern int ipsec_exp_allocations; /* num. of flows/SA before it expires */ 456extern int ipsec_soft_bytes; /* bytes/SA before renegotiation */ 457extern int ipsec_exp_bytes; /* num of bytes/SA before it expires */ 458extern int ipsec_soft_timeout; /* seconds/SA before renegotiation */ 459extern int ipsec_exp_timeout; /* seconds/SA before it expires */ 460extern int ipsec_soft_first_use; /* seconds between 1st asso & renego */ 461extern int ipsec_exp_first_use; /* seconds between 1st asso & expire */ 462 463extern char ipsec_def_enc[]; 464extern char ipsec_def_auth[]; 465extern char ipsec_def_comp[]; 466 467extern struct enc_xform enc_xform_des; 468extern struct enc_xform enc_xform_3des; 469extern struct enc_xform enc_xform_blf; 470extern struct enc_xform enc_xform_cast5; 471 472extern struct auth_hash auth_hash_hmac_md5_96; 473extern struct auth_hash auth_hash_hmac_sha1_96; 474extern struct auth_hash auth_hash_hmac_ripemd_160_96; 475 476extern struct comp_algo comp_algo_deflate; 477 478extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head; 479extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head; 480 481/* Check if a given tdb has encryption, authentication and/or tunneling */ 482#define TDB_ATTRIB(x) (((x)->tdb_encalgxform ? NOTIFY_SATYPE_CONF : 0) | \ 483 ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0) | \ 484 ((x)->tdb_compalgxform ? NOTIFY_SATYPE_COMP : 0)) 485 486/* Traverse spi chain and get attributes */ 487 488#define SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) \ 489do { \ 490 int s = splsoftnet(); \ 491 struct tdb *tmptdb = (TDBP); \ 492 \ 493 (have) = 0; \ 494 while (tmptdb && tmptdb->tdb_xform) { \ 495 if (tmptdb == NULL || tmptdb->tdb_flags & TDBF_INVALID) \ 496 break; \ 497 (have) |= TDB_ATTRIB(tmptdb); \ 498 tmptdb = tmptdb->TDB_DIR; \ 499 } \ 500 splx(s); \ 501} while (/* CONSTCOND */ 0) 502 503/* Misc. */ 504uint8_t get_sa_require(struct inpcb *); 505#ifdef ENCDEBUG 506char *inet_ntoa4(struct in_addr); 507char *ipsp_address(union sockaddr_union); 508#endif /* ENCDEBUG */ 509 510/* TDB management routines */ 511void tdb_add_inp(struct tdb *, struct inpcb *, int); 512uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *, 513 union sockaddr_union *, u_int8_t, int *); 514struct tdb *gettdb(u_int, u_int32_t, union sockaddr_union *, u_int8_t); 515struct tdb *gettdbbyaddr(u_int, union sockaddr_union *, u_int8_t, 516 struct ipsec_ref *, struct ipsec_ref *, struct ipsec_ref *, 517 struct mbuf *, int, struct sockaddr_encap *, 518 struct sockaddr_encap *); 519struct tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t, 520 struct ipsec_ref *, struct ipsec_ref *, struct mbuf *, int, 521 struct sockaddr_encap *, struct sockaddr_encap *); 522struct tdb *gettdbbysrcdst(u_int, u_int32_t, union sockaddr_union *, 523 union sockaddr_union *, u_int8_t); 524void puttdb(struct tdb *); 525void tdb_delete(struct tdb *); 526struct tdb *tdb_alloc(u_int); 527void tdb_free(struct tdb *); 528int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *); 529int tdb_walk(u_int, int (*)(struct tdb *, void *, int), void *); 530 531/* XF_IP4 */ 532int ipe4_attach(void); 533int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *); 534int ipe4_zeroize(struct tdb *); 535void ipe4_input(struct mbuf *, ...); 536void ipip_input(struct mbuf *, int, struct ifnet *, int); 537int ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 538 539#ifdef INET 540void ip4_input(struct mbuf *, ...); 541#endif /* INET */ 542 543#ifdef INET6 544int ip4_input6(struct mbuf **, int *, int); 545#endif /* INET */ 546 547/* XF_AH */ 548int ah_attach(void); 549int ah_init(struct tdb *, struct xformsw *, struct ipsecinit *); 550int ah_zeroize(struct tdb *); 551int ah_input(struct mbuf *, struct tdb *, int, int); 552int ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 553int ah_sysctl(int *, u_int, void *, size_t *, void *, size_t); 554 555#ifdef INET 556void ah4_input(struct mbuf *, ...); 557void *ah4_ctlinput(int, struct sockaddr *, u_int, void *); 558void *udpencap_ctlinput(int, struct sockaddr *, u_int, void *); 559#endif /* INET */ 560 561#ifdef INET6 562int ah6_input(struct mbuf **, int *, int); 563#endif /* INET6 */ 564 565/* XF_ESP */ 566int esp_attach(void); 567int esp_init(struct tdb *, struct xformsw *, struct ipsecinit *); 568int esp_zeroize(struct tdb *); 569int esp_input(struct mbuf *, struct tdb *, int, int); 570int esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 571int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t); 572 573#ifdef INET 574void esp4_input(struct mbuf *, ...); 575void *esp4_ctlinput(int, struct sockaddr *, u_int, void *); 576#endif /* INET */ 577 578#ifdef INET6 579int esp6_input(struct mbuf **, int *, int); 580#endif /* INET6 */ 581 582/* XF_IPCOMP */ 583int ipcomp_attach(void); 584int ipcomp_init(struct tdb *, struct xformsw *, struct ipsecinit *); 585int ipcomp_zeroize(struct tdb *); 586int ipcomp_input(struct mbuf *, struct tdb *, int, int); 587int ipcomp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 588int ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t); 589 590#ifdef INET 591void ipcomp4_input(struct mbuf *, ...); 592#endif /* INET */ 593 594#ifdef INET6 595int ipcomp6_input(struct mbuf **, int *, int); 596#endif /* INET6 */ 597 598/* XF_TCPSIGNATURE */ 599int tcp_signature_tdb_attach(void); 600int tcp_signature_tdb_init(struct tdb *, struct xformsw *, 601 struct ipsecinit *); 602int tcp_signature_tdb_zeroize(struct tdb *); 603int tcp_signature_tdb_input(struct mbuf *, struct tdb *, int, int); 604int tcp_signature_tdb_output(struct mbuf *, struct tdb *, struct mbuf **, 605 int, int); 606 607/* Replay window */ 608int checkreplaywindow(struct tdb *, u_int32_t, u_int32_t *, int); 609 610/* Packet processing */ 611int ipsp_process_packet(struct mbuf *, struct tdb *, int, int); 612int ipsp_process_done(struct mbuf *, struct tdb *); 613struct tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int, 614 struct tdb *, struct inpcb *, u_int32_t); 615struct tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int, 616 struct tdb *, struct inpcb *, struct ipsec_policy *); 617int ipsp_is_unspecified(union sockaddr_union); 618int ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *); 619void ipsp_reffree(struct ipsec_ref *); 620void ipsp_skipcrypto_mark(struct tdb_ident *); 621void ipsp_skipcrypto_unmark(struct tdb_ident *); 622int ipsp_aux_match(struct tdb *, struct ipsec_ref *, struct ipsec_ref *, 623 struct ipsec_ref *, struct ipsec_ref *, struct sockaddr_encap *, 624 struct sockaddr_encap *); 625 626int ipsec_common_input(struct mbuf *, int, int, int, int, int); 627int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int, 628 struct m_tag *); 629int ipsec_delete_policy(struct ipsec_policy *); 630ssize_t ipsec_hdrsz(struct tdb *); 631void ipsec_adjust_mtu(struct mbuf *, u_int32_t); 632struct ipsec_policy *ipsec_add_policy(struct inpcb *, int, int); 633struct ipsec_acquire *ipsec_get_acquire(u_int32_t); 634 635#endif /* _KERNEL */ 636#endif /* _NETINET_IPSP_H_ */ 637