1/*	$OpenBSD: ip_ipsp.h,v 1.178 2017/02/07 22:28:37 bluhm Exp $	*/
2/*
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr),
5 * Niels Provos (provos@physnet.uni-hamburg.de) and
6 * Niklas Hallqvist (niklas@appli.se).
7 *
8 * The original version of this code was written by John Ioannidis
9 * for BSD/OS in Athens, Greece, in November 1995.
10 *
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
13 *
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15 * and Niels Provos.
16 *
17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
18 *
19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20 * Angelos D. Keromytis and Niels Provos.
21 * Copyright (c) 1999 Niklas Hallqvist.
22 * Copyright (c) 2001, Angelos D. Keromytis.
23 *
24 * Permission to use, copy, and modify this software with or without fee
25 * is hereby granted, provided that this entire notice is included in
26 * all copies of any software which is or includes a copy or
27 * modification of this software.
28 * You may use this code under the GNU public license if you so wish. Please
29 * contribute changes back to the authors under this freer than GPL license
30 * so that we may further the use of strong encryption without limitations to
31 * all.
32 *
33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37 * PURPOSE.
38 */
39
40#ifndef _NETINET_IPSP_H_
41#define _NETINET_IPSP_H_
42
43struct m_tag;
44
45/* IPSP global definitions. */
46
47#include <sys/types.h>
48#ifdef _KERNEL
49#include <sys/timeout.h>
50#include <sys/tree.h>
51#endif
52#include <sys/queue.h>
53#include <netinet/in.h>
54#include <net/radix.h>
55
/*
 * One storage object that can hold either an IPv4 or an IPv6 socket
 * address; used for every endpoint field in this header (tdb_src/tdb_dst,
 * ipo_src/ipo_dst, ipa_addr, ...).  Only one member is meaningful at a
 * time: readers should dispatch on sa.sa_family before touching sin/sin6.
 */
union sockaddr_union {
	struct sockaddr		sa;	/* family/length view, valid for either */
	struct sockaddr_in	sin;	/* IPv4 endpoint */
	struct sockaddr_in6	sin6;	/* IPv6 endpoint */
};
61
/*
 * AH sizing constants.  AH_HMAC_MAX_HASHLEN is the largest (truncated)
 * authenticator carried in an AH header; the AH_*_ALEN values below appear
 * to be full digest sizes of the underlying hashes (MD5 = 16, SHA-1 = 20,
 * SHA-512 = 64) and are a separate family -- do not mix the two.
 */
#define	AH_HMAC_MAX_HASHLEN	32	/* 256 bits of authenticator for SHA512 */
#define	AH_HMAC_RPLENGTH	4	/* 32 bits of replay counter */
#define	AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */

/* Authenticator lengths */
#define	AH_MD5_ALEN		16
#define	AH_SHA1_ALEN		20
#define	AH_RMD160_ALEN		20
#define	AH_SHA2_256_ALEN	32
#define	AH_SHA2_384_ALEN	48
#define	AH_SHA2_512_ALEN	64
#define	AH_ALEN_MAX		64 	/* Keep updated: must be >= every
					 * AH_*_ALEN above (currently
					 * AH_SHA2_512_ALEN).  Any buffer sized
					 * with this constant overflows if a
					 * longer authenticator is added without
					 * raising it. */

/*
 * Reserved SPI numbers.  SPIs in [SPI_RESERVED_MIN, SPI_RESERVED_MAX] are
 * not to be assigned to SAs; SPI_LOCAL_USE is the zero SPI.
 */
#define	SPI_LOCAL_USE		0
#define	SPI_RESERVED_MIN	1
#define	SPI_RESERVED_MAX	255

/*
 * Reserved CPI numbers (IPCOMP).  Like SPIs, [1,255] is reserved; the
 * private range is the top 4096 values of the 16-bit CPI space.
 */
#define CPI_RESERVED_MIN	1
#define CPI_RESERVED_MAX	255
#define CPI_PRIVATE_MIN		61440
#define CPI_PRIVATE_MAX		65535

/*
 * sysctl default values.  Each SOFT_* value is the point at which a
 * renegotiation warning is raised and must stay below the matching EXP_*
 * (hard) value; 0 means the limit is not checked (see the TDBF_* flags).
 * Timeouts are in seconds.
 */
#define	IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT	60	/* 1 minute */
#define	IPSEC_DEFAULT_PFS			1
#define	IPSEC_DEFAULT_SOFT_ALLOCATIONS		0
#define	IPSEC_DEFAULT_EXP_ALLOCATIONS		0
#define	IPSEC_DEFAULT_SOFT_BYTES		0
#define	IPSEC_DEFAULT_EXP_BYTES			0
#define	IPSEC_DEFAULT_SOFT_TIMEOUT		80000	/* ~22.2 h, below EXP_TIMEOUT */
#define	IPSEC_DEFAULT_EXP_TIMEOUT		86400	/* 24 h */
#define	IPSEC_DEFAULT_SOFT_FIRST_USE		3600	/* 1 h after first use */
#define	IPSEC_DEFAULT_EXP_FIRST_USE		7200	/* 2 h after first use */
#define	IPSEC_DEFAULT_DEF_ENC			"aes"
#define	IPSEC_DEFAULT_DEF_AUTH			"hmac-sha1"
#define	IPSEC_DEFAULT_EXPIRE_ACQUIRE		30
#define	IPSEC_DEFAULT_DEF_COMP			"deflate"
101
/*
 * Encapsulation "address": the selector stored in the security policy
 * database.  sen_type picks the union member that is meaningful
 * (SENT_IP4 -> Sip4, SENT_IP6 -> Sip6, SENT_IPSP -> PolicyHead; see the
 * SENT_* values below).  ipo_addr/ipo_mask in struct ipsec_policy are of
 * this type and sit next to the policy's radix_node glue, so objects are
 * presumably compared byte-wise under a mask by the radix code: zero-fill
 * an instance before populating it so padding never carries stale bytes
 * into a lookup.
 */
struct sockaddr_encap {
	u_int8_t	sen_len;		/* length */
	u_int8_t	sen_family;		/* PF_KEY */
	u_int16_t	sen_type;		/* see SENT_* */
	union {
		struct {				/* SENT_IP4 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_* */
			struct in_addr	Src;
			struct in_addr	Dst;
			u_int8_t	Proto;		/* IP protocol */
			u_int16_t	Sport;		/* transport ports */
			u_int16_t	Dport;
		} Sip4;

		/* Same layout as Sip4 with in6_addr endpoints. */
		struct {				/* SENT_IP6 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_* */
			struct in6_addr	Src;
			struct in6_addr	Dst;
			u_int8_t	Proto;		/* IP protocol */
			u_int16_t	Sport;		/* transport ports */
			u_int16_t	Dport;
		} Sip6;

		struct ipsec_policy	*PolicyHead;	/* SENT_IPSP: kernel pointer,
							 * not wire data */
	} Sen;
};
128
/* Values for the Direction selector fields; distinct bits, not an enum. */
#define	IPSP_DIRECTION_IN	0x1
#define	IPSP_DIRECTION_OUT	0x2
131
132#ifdef _KERNEL
133
/*
 * Accessor macros for the union members of struct sockaddr_encap.
 * NOTE(review): sen_data expands to Sen.Data, but the union above has no
 * member named Data (only Sip4, Sip6 and PolicyHead); any use of it would
 * fail to compile, so it looks like a stale leftover.
 */
#define	sen_data		Sen.Data
#define	sen_ip_src		Sen.Sip4.Src
#define	sen_ip_dst		Sen.Sip4.Dst
#define	sen_proto		Sen.Sip4.Proto
#define	sen_sport		Sen.Sip4.Sport
#define	sen_dport		Sen.Sip4.Dport
#define	sen_direction		Sen.Sip4.Direction
#define	sen_ip6_src		Sen.Sip6.Src
#define	sen_ip6_dst		Sen.Sip6.Dst
#define	sen_ip6_proto		Sen.Sip6.Proto
#define	sen_ip6_sport		Sen.Sip6.Sport
#define	sen_ip6_dport		Sen.Sip6.Dport
#define	sen_ip6_direction	Sen.Sip6.Direction
#define	sen_ipsp		Sen.PolicyHead

/*
 * The "type" is really part of the address as far as the routing
 * system is concerned. By using only one bit in the type field
 * for each type, we sort-of make sure that different types of
 * encapsulation addresses won't be matched against the wrong type.
 */

#define	SENT_IP4	0x0001		/* data is two struct in_addr (Sip4) */
#define	SENT_IPSP	0x0002		/* data as in IP4/6 plus SPI (PolicyHead) */
#define	SENT_IP6	0x0004		/* data is two struct in6_addr (Sip6) */

#define	SENT_LEN	sizeof(struct sockaddr_encap)	/* full object size */
162
/*
 * Header of a variable-length identity (see IPSP_IDENTITY_* below); the
 * payload of len bytes follows the struct in memory.  len is signed, so a
 * parser that builds one from external data must reject negative values
 * before using it to walk the trailing bytes -- verify in the caller.
 */
struct ipsec_id {
	u_int16_t	type;		/* Subtype of data */
	int16_t		len;		/* Length of data following */
};
167
/*
 * A local/remote identity pair shared by policies and SAs (ipo_ids,
 * tdb_ids).  It is linked into two red-black trees, one per RBT_ENTRY:
 * ipsec_ids_tree and ipsec_ids_flows, declared right below.  Lifetime is
 * reference counted; see ipsp_ids_insert/lookup/free near the end of this
 * header.
 */
struct ipsec_ids {
	RBT_ENTRY(ipsec_ids)	id_node_id;	/* node in ipsec_ids_tree */
	RBT_ENTRY(ipsec_ids)	id_node_flow;	/* node in ipsec_ids_flows */
	struct ipsec_id		*id_local;	/* our identity */
	struct ipsec_id		*id_remote;	/* peer identity */
	u_int32_t		id_flow;	/* flow id this pair is keyed by */
	int			id_refcount;	/* users of this pair */
	struct timeout		id_timeout;	/* presumably delays release
						 * once refcount drops -- verify */
};
RBT_HEAD(ipsec_ids_flows, ipsec_ids);
RBT_HEAD(ipsec_ids_tree, ipsec_ids);
179
/*
 * An outstanding request to key management for an SA that a policy
 * needs.  Sits on two lists: the owning policy's ipo_acquires (via
 * ipa_ipo_next) and the global ipsec_acquire_head (via ipa_next).
 */
struct ipsec_acquire {
	union sockaddr_union		ipa_addr;	/* peer address */
	u_int32_t			ipa_seq;	/* PF_KEY sequence number */
	struct sockaddr_encap		ipa_info;	/* selector that triggered it */
	struct sockaddr_encap		ipa_mask;	/* ... and its mask */
	struct timeout			ipa_timeout;	/* expiry (cf. ipsec_expire_acquire) */
	struct ipsec_policy		*ipa_policy;	/* owning policy */
	struct inpcb                    *ipa_pcb;	/* socket that triggered it, if any */
	TAILQ_ENTRY(ipsec_acquire)	ipa_ipo_next;	/* ipo_acquires list */
	TAILQ_ENTRY(ipsec_acquire)	ipa_next;	/* ipsec_acquire_head list */
};
191
/*
 * One security policy database (SPD) entry.  ipo_addr/ipo_mask form the
 * radix-tree key (see struct sockaddr_encap); ipo_type says what to do
 * with matching traffic (IPSP_* values below) and ipo_tdb caches the SA
 * last used to satisfy the policy.
 */
struct ipsec_policy {
	struct radix_node	ipo_nodes[2];	/* radix tree glue */
	struct sockaddr_encap	ipo_addr;	/* selector (tree key) */
	struct sockaddr_encap	ipo_mask;	/* selector mask */

	union sockaddr_union	ipo_src;	/* Local address to use */
	union sockaddr_union	ipo_dst;	/* Remote gateway -- if it's zeroed:
						 * - on output, we try to
						 * contact the remote host
						 * directly (if needed).
						 * - on input, we accept only if
						 * the inner source is the
						 * same as the outer source
						 * address, or if transport
						 * mode was used.
						 */

	u_int64_t		ipo_last_searched;	/* Timestamp of last lookup */

	u_int8_t		ipo_flags;	/* See IPSP_POLICY_* definitions */
	u_int8_t		ipo_type;	/* USE/ACQUIRE/... (IPSP_* below) */
	u_int8_t		ipo_sproto;	/* ESP/AH; if zero, use system dflts */
	u_int			ipo_rdomain;	/* routing domain the policy lives in */

	int                     ipo_ref_count;	/* users; freed at zero -- see
						 * ipsec_delete_policy */

	struct tdb		*ipo_tdb;		/* Cached entry */

	struct ipsec_ids	*ipo_ids;	/* required local/remote IDs, or NULL */

	TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */
	TAILQ_ENTRY(ipsec_policy)	ipo_tdb_next;	/* List TDB policies */
	TAILQ_ENTRY(ipsec_policy)	ipo_list;	/* List of all policies */
};
226
/* ipo_flags bits (0x0001 is currently unassigned). */
#define	IPSP_POLICY_NONE	0x0000	/* No flags set */
#define	IPSP_POLICY_STATIC	0x0002	/* Static policy */

/*
 * ipo_type values.  Only IPSP_PERMIT and IPSP_DENY decide without an SA;
 * the IPSP_IPSEC_* variants differ in whether a missing SA is acquired
 * and whether the packet may pass meanwhile.
 */
#define	IPSP_IPSEC_USE		0	/* Use if existing, don't acquire */
#define	IPSP_IPSEC_ACQUIRE	1	/* Try acquire, let packet through */
#define	IPSP_IPSEC_REQUIRE	2	/* Require SA */
#define	IPSP_PERMIT		3	/* Permit traffic through */
#define	IPSP_DENY		4	/* Deny traffic */
#define	IPSP_IPSEC_DONTACQ	5	/* Require, but don't acquire */

/* Identity types (struct ipsec_id .type) */
#define	IPSP_IDENTITY_NONE		0
#define	IPSP_IDENTITY_PREFIX		1
#define	IPSP_IDENTITY_FQDN		2
#define	IPSP_IDENTITY_USERFQDN		3
242
struct tdb {				/* tunnel descriptor block */
	/*
	 * One security association (SA): keys, algorithms, lifetimes and
	 * anti-replay state, identified by (rdomain, spi, dst, sproto).
	 *
	 * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
	 * one keyed on dst/sproto, and one keyed on src/sproto. The first
	 * is used for finding a specific TDB, the second for finding TDBs
	 * for outgoing policy matching, and the third for incoming
	 * policy matching. The following three fields maintain the hash
	 * queues in those three tables.
	 */
	struct tdb	*tdb_hnext;	/* dst/spi/sproto table */
	struct tdb	*tdb_dnext;	/* dst/sproto table */
	struct tdb	*tdb_snext;	/* src/sproto table */
	struct tdb	*tdb_inext;	/* input/output chaining -- no comment in
					 * the original; presumably the next SA to
					 * apply in a bundle, verify in ip_ipsp.c */
	struct tdb	*tdb_onext;

	struct xformsw		*tdb_xform;		/* Transform to use */
	struct enc_xform	*tdb_encalgxform;	/* Enc algorithm */
	struct auth_hash	*tdb_authalgxform;	/* Auth algorithm */
	struct comp_algo	*tdb_compalgxform;	/* Compression algo */

/*
 * tdb_flags bits.  0x00040 and 0x02000-0x08000 are currently unassigned.
 * The *_SOFT_* bits select the warning counterpart of the hard limit with
 * the same name.
 */
#define	TDBF_UNIQUE		0x00001	/* This should not be used by others */
#define	TDBF_TIMER		0x00002	/* Absolute expiration timer in use */
#define	TDBF_BYTES		0x00004	/* Check the byte counters */
#define	TDBF_ALLOCATIONS	0x00008	/* Check the flows counters */
#define	TDBF_INVALID		0x00010	/* This SPI is not valid yet/anymore */
#define	TDBF_FIRSTUSE		0x00020	/* Expire after first use */
#define	TDBF_SOFT_TIMER		0x00080	/* Soft expiration */
#define	TDBF_SOFT_BYTES		0x00100	/* Soft expiration */
#define	TDBF_SOFT_ALLOCATIONS	0x00200	/* Soft expiration */
#define	TDBF_SOFT_FIRSTUSE	0x00400	/* Soft expiration */
#define	TDBF_PFS		0x00800	/* Ask for PFS from Key Mgmt. */
#define	TDBF_TUNNELING		0x01000	/* Force IP-IP encapsulation */
#define	TDBF_USEDTUNNEL		0x10000	/* Appended a tunnel header in past */
#define	TDBF_UDPENCAP		0x20000	/* UDP encapsulation */
#define	TDBF_PFSYNC		0x40000	/* TDB will be synced */
#define	TDBF_PFSYNC_RPL		0x80000	/* Replay counter should be bumped */
#define	TDBF_ESN		0x100000 /* 64-bit sequence numbers (ESN) */

	u_int32_t	tdb_flags;	/* Flags related to this TDB */

	/* Expiration timers; pairing with the TDBF_* bits is by name. */
	struct timeout	tdb_timer_tmo;	/* hard expiration (TDBF_TIMER) */
	struct timeout	tdb_first_tmo;	/* first-use expiration (TDBF_FIRSTUSE) */
	struct timeout	tdb_stimer_tmo;	/* soft expiration (TDBF_SOFT_TIMER) */
	struct timeout	tdb_sfirst_tmo;	/* soft first-use (TDBF_SOFT_FIRSTUSE) */

	u_int32_t	tdb_seq;		/* Tracking number for PFKEY */
	u_int32_t	tdb_exp_allocations;	/* Expire after so many flows */
	u_int32_t	tdb_soft_allocations;	/* Expiration warning */
	u_int32_t	tdb_cur_allocations;	/* Total number of allocs */

	u_int64_t	tdb_exp_bytes;	/* Expire after so many bytes passed */
	u_int64_t	tdb_soft_bytes;	/* Expiration warning */
	u_int64_t	tdb_cur_bytes;	/* Current count of bytes */

	u_int64_t	tdb_exp_timeout;	/* When does the SPI expire */
	u_int64_t	tdb_soft_timeout;	/* Send soft-expire warning */
	u_int64_t	tdb_established;	/* When was SPI established */

	u_int64_t	tdb_first_use;		/* When was it first used */
	u_int64_t	tdb_soft_first_use;	/* Soft warning */
	u_int64_t	tdb_exp_first_use;	/* Expire if tdb_first_use +
						 * tdb_exp_first_use <= curtime
						 */

	u_int64_t	tdb_last_used;	/* When was this SA last used */
	u_int64_t	tdb_last_marked;/* Last SKIPCRYPTO status change */

	u_int64_t	tdb_cryptoid;	/* Crypto session ID */

	u_int32_t	tdb_spi;	/* SPI */
	u_int16_t	tdb_amxkeylen;	/* Raw authentication key length */
	u_int16_t	tdb_emxkeylen;	/* Raw encryption key length */
	u_int16_t	tdb_ivlen;	/* IV length */
	u_int8_t	tdb_sproto;	/* IPsec protocol */
	u_int8_t	tdb_wnd;	/* Replay window (8-bit; how it relates
					 * to the TDB_REPLAYMAX-bit bitmap below
					 * is decided in checkreplaywindow()) */
	u_int8_t	tdb_satype;	/* SA type (RFC2367, PF_KEY) */
	u_int8_t	tdb_updates;	/* pfsync update counter */

	union sockaddr_union	tdb_dst;	/* Destination address */
	union sockaddr_union	tdb_src;	/* Source address */

	/*
	 * Key material; sizes are tdb_amxkeylen/tdb_emxkeylen above.
	 * Whether these buffers are wiped before release is decided by the
	 * transform's xf_zeroize and tdb_free(), not by this declaration --
	 * check there when touching key handling.
	 */
	u_int8_t	*tdb_amxkey;	/* Raw authentication key */
	u_int8_t	*tdb_emxkey;	/* Raw encryption key */

#define TDB_REPLAYWASTE	32		/* extra bits beyond the usable window */
#define TDB_REPLAYMAX	(2100+TDB_REPLAYWASTE)	/* bits in tdb_seen */

	u_int64_t	tdb_rpl;	/* Replay counter (64-bit, cf. TDBF_ESN) */
	u_int32_t	tdb_seen[howmany(TDB_REPLAYMAX, 32)]; /* Anti-replay window
					 * bitmap of TDB_REPLAYMAX bits */

	u_int8_t	tdb_iv[4];	/* Used for HALF-IV ESP */

	struct ipsec_ids	*tdb_ids;	/* Src/Dst ID for this SA */
	int		tdb_ids_swapped;	/* XXX */

	u_int32_t	tdb_mtu;	/* MTU at this point in the chain */
	u_int64_t	tdb_mtutimeout;	/* When to ignore this entry */

	u_int16_t	tdb_udpencap_port;	/* Peer UDP port */

	u_int16_t	tdb_tag;		/* Packet filter tag */
	u_int32_t	tdb_tap;		/* Alternate enc(4) interface */

	u_int		tdb_rdomain;		/* Routing domain */

	struct sockaddr_encap   tdb_filter; /* What traffic is acceptable */
	struct sockaddr_encap   tdb_filtermask; /* And the mask */

	TAILQ_HEAD(tdb_policy_head, ipsec_policy)	tdb_policy_head; /* policies caching this SA */
	TAILQ_ENTRY(tdb)	tdb_sync_entry;		/* pfsync queue (TDBF_PFSYNC) */
};
354
355#endif /* _KERNEL */
356
/*
 * The tuple that identifies an SA: it mirrors the gettdb() parameter
 * list (rdomain, spi, dst, proto) so a TDB can be found again by value
 * rather than by holding a pointer to it.  Visible outside _KERNEL.
 */
struct tdb_ident {
	u_int32_t spi;			/* tdb_spi */
	union sockaddr_union dst;	/* tdb_dst */
	u_int8_t proto;			/* tdb_sproto */
	u_int rdomain;			/* tdb_rdomain */
};
363
/*
 * Per-packet context that travels with a crypto request: the same SA
 * identity tuple as struct tdb_ident plus the packet offsets needed to
 * resume processing.  Carrying the identity instead of a struct tdb *
 * presumably lets the completion path re-look-up the SA and cope with it
 * having been deleted meanwhile -- verify in the xform input/output code.
 */
struct tdb_crypto {
	u_int32_t		tc_spi;		/* tdb_spi */
	union sockaddr_union	tc_dst;		/* tdb_dst */
	u_int8_t		tc_proto;	/* tdb_sproto */
	int			tc_protoff;	/* offset of the protocol field */
	int			tc_skip;	/* bytes to skip to the IPsec header */
	u_int			tc_rdomain;	/* tdb_rdomain */
};
372
/*
 * Initialisation parameters handed to a transform's xf_init (see struct
 * xformsw and tdb_init()).  ii_enckey/ii_authkey point at raw key material
 * of ii_enckeylen/ii_authkeylen bytes; the ii_*alg fields select the
 * algorithms.  This header does not say who owns or clears the key
 * buffers -- callers should confirm they are wiped once the TDB has its
 * own copy.
 */
struct ipsecinit {
	u_int8_t	*ii_enckey;	/* raw encryption key */
	u_int8_t	*ii_authkey;	/* raw authentication key */
	u_int16_t	ii_enckeylen;	/* bytes at ii_enckey */
	u_int16_t	ii_authkeylen;	/* bytes at ii_authkey */
	u_int8_t	ii_encalg;	/* encryption algorithm id */
	u_int8_t	ii_authalg;	/* authentication algorithm id */
	u_int8_t	ii_compalg;	/* compression algorithm id */
};
382
/* xform IDs (struct xformsw .xf_type); value 4 is currently unassigned. */
#define	XF_IP4		1	/* IP inside IP */
#define	XF_AH		2	/* AH */
#define	XF_ESP		3	/* ESP */
#define	XF_TCPSIGNATURE	5	/* TCP MD5 Signature option, RFC 2358 */
#define	XF_IPCOMP	6	/* IPCOMP */

/* xform attributes (struct xformsw .xf_flags); independent bits. */
#define	XFT_AUTH	0x0001	/* provides authentication */
#define	XFT_CONF	0x0100	/* provides confidentiality */
#define	XFT_COMP	0x1000	/* provides compression */

#define	IPSEC_ZEROES_SIZE	256	/* Larger than an IP6 extension hdr. */
396
397#ifdef _KERNEL
398
/*
 * Transform switch: the operations one xform (XF_*) implements.  The
 * per-xform prototypes at the end of this header (ah_*, esp_*, ipcomp_*,
 * tcp_signature_tdb_*, ipip_output) match these slots.  xf_name is only
 * read for display; it could be const char *.
 */
struct xformsw {
	u_short	xf_type;		/* Unique ID of xform */
	u_short	xf_flags;		/* flags (see below) */
	char	*xf_name;		/* human-readable name */
	int	(*xf_attach)(void);	/* called at config time */
	int	(*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *); /* set up an SA */
	int	(*xf_zeroize)(struct tdb *); /* termination: release/wipe per-SA state */
	int	(*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */
	int	(*xf_output)(struct mbuf *, struct tdb *, struct mbuf **,
	    int, int);        /* output */
};
410
/* Global state. */
extern int ipsec_in_use;		/* non-zero once IPsec is active */
extern u_int64_t ipsec_last_added;
extern int ipsec_policy_pool_initialized;

/*
 * sysctl tunables (defaults: IPSEC_DEFAULT_*).  These are plain int while
 * the per-SA counterparts in struct tdb are u_int32_t/u_int64_t, so the
 * values are widened when an SA is set up.
 */
extern int ipsec_keep_invalid;		/* lifetime of embryonic SAs (in sec) */
extern int ipsec_require_pfs;		/* use Perfect Forward Secrecy */
extern int ipsec_expire_acquire;	/* wait for security assoc. (in sec) */
extern int ipsec_soft_allocations;	/* flows/SA before renegotiation */
extern int ipsec_exp_allocations;	/* num. of flows/SA before it expires */
extern int ipsec_soft_bytes;		/* bytes/SA before renegotiation */
extern int ipsec_exp_bytes;		/* num of bytes/SA before it expires */
extern int ipsec_soft_timeout;		/* seconds/SA before renegotiation */
extern int ipsec_exp_timeout;		/* seconds/SA before it expires */
extern int ipsec_soft_first_use;	/* seconds between 1st asso & renego */
extern int ipsec_exp_first_use;		/* seconds between 1st asso & expire */

/* Default algorithm names (cf. IPSEC_DEFAULT_DEF_*). */
extern char ipsec_def_enc[];
extern char ipsec_def_auth[];
extern char ipsec_def_comp[];

/* Algorithm descriptors exported for the xforms. */
extern struct enc_xform enc_xform_des;
extern struct enc_xform enc_xform_3des;
extern struct enc_xform enc_xform_blf;
extern struct enc_xform enc_xform_cast5;

extern struct auth_hash auth_hash_hmac_md5_96;
extern struct auth_hash auth_hash_hmac_sha1_96;
extern struct auth_hash auth_hash_hmac_ripemd_160_96;

extern struct comp_algo comp_algo_deflate;

/* All policies (ipo_list) and all pending acquires (ipa_next). */
extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;
extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head;
444
/* Misc. */
#ifdef ENCDEBUG
/* Format an address into the caller's buffer of the given size (debug only). */
const char *ipsp_address(union sockaddr_union *, char *, socklen_t);
#endif /* ENCDEBUG */

/* SPD tables, one per routing domain (argument is the rdomain). */
struct radix_node_head *spd_table_add(unsigned int);
struct radix_node_head *spd_table_get(unsigned int);

/*
 * TDB management routines.  The lookup functions take the rdomain first;
 * gettdb() is keyed on the (rdomain, spi, dst, sproto) tuple of struct
 * tdb_ident, gettdbbydst/gettdbbysrc additionally take the identity pair
 * and a filter/mask (cf. ipsp_aux_match).  Whether the returned pointer is
 * referenced or only valid under the caller's lock is not stated here.
 */
uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *,
		union sockaddr_union *, u_int8_t, int *);
struct	tdb *gettdb(u_int, u_int32_t, union sockaddr_union *, u_int8_t);
struct	tdb *gettdbbydst(u_int, union sockaddr_union *, u_int8_t,
		struct ipsec_ids *,
		struct sockaddr_encap *, struct sockaddr_encap *);
struct	tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t,
		struct ipsec_ids *,
		struct sockaddr_encap *, struct sockaddr_encap *);
struct	tdb *gettdbbysrcdst(u_int, u_int32_t, union sockaddr_union *,
		union sockaddr_union *, u_int8_t);
void	puttdb(struct tdb *);		/* insert into the hash tables */
void	tdb_delete(struct tdb *);	/* unlink and release */
struct	tdb *tdb_alloc(u_int);		/* new TDB in the given rdomain */
void	tdb_free(struct tdb *);
int	tdb_init(struct tdb *, u_int16_t, struct ipsecinit *); /* u_int16_t is the XF_* id */
int	tdb_walk(u_int, int (*)(struct tdb *, void *, int), void *);
472
/*
 * Per-xform entry points.  Each family provides the attach/init/zeroize/
 * input/output slots of struct xformsw plus protocol-specific *4_input /
 * *6_input demultiplexers and ctlinput handlers.
 */

/* XF_IP4 */
int	ipe4_attach(void);
int	ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int	ipe4_zeroize(struct tdb *);
/*
 * NOTE(review): ipe4_input's signature (mbuf, int, int) differs from the
 * xf_input slot (mbuf, tdb, int, int); ipip_output fills the xf_output
 * slot for this xform.  How ipe4_input is wired up is not visible here.
 */
void	ipe4_input(struct mbuf *, int, int);
int	ipip_input(struct mbuf **, int *, struct ifnet *, int);
int	ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);

int	ip4_input(struct mbuf **, int *, int);

/* XF_AH */
int 	ah_attach(void);
int 	ah_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int 	ah_zeroize(struct tdb *);
int	ah_input(struct mbuf *, struct tdb *, int, int);
int	ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
int	ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);

int	ah4_input(struct mbuf **, int *, int);
void	ah4_ctlinput(int, struct sockaddr *, u_int, void *);
void	udpencap_ctlinput(int, struct sockaddr *, u_int, void *);

#ifdef INET6
int	ah6_input(struct mbuf **, int *, int);
#endif /* INET6 */

/* XF_ESP */
int	esp_attach(void);
int	esp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int	esp_zeroize(struct tdb *);
int	esp_input(struct mbuf *, struct tdb *, int, int);
int	esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
int	esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);

int	esp4_input(struct mbuf **, int *, int);
void	esp4_ctlinput(int, struct sockaddr *, u_int, void *);

#ifdef INET6
int 	esp6_input(struct mbuf **, int *, int);
#endif /* INET6 */

/* XF_IPCOMP */
int	ipcomp_attach(void);
int	ipcomp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int	ipcomp_zeroize(struct tdb *);
int	ipcomp_input(struct mbuf *, struct tdb *, int, int);
int	ipcomp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
int	ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
int	ipcomp4_input(struct mbuf **, int *, int);
#ifdef INET6
int	ipcomp6_input(struct mbuf **, int *, int);
#endif /* INET6 */

/* XF_TCPSIGNATURE (no separate *4_input; handled from TCP) */
int	tcp_signature_tdb_attach(void);
int	tcp_signature_tdb_init(struct tdb *, struct xformsw *,
	    struct ipsecinit *);
int	tcp_signature_tdb_zeroize(struct tdb *);
int	tcp_signature_tdb_input(struct mbuf *, struct tdb *, int, int);
int	tcp_signature_tdb_output(struct mbuf *, struct tdb *, struct mbuf **,
	  int, int);
534
/*
 * Replay window.  Consults/updates tdb_rpl and the tdb_seen bitmap of the
 * given TDB for a received 32-bit sequence number; the u_int32_t * out
 * parameter and the int flag are not described in this header -- read
 * the definition before relying on them.
 */
int	checkreplaywindow(struct tdb *, u_int32_t, u_int32_t *, int);

/* Packet processing */
int	ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
int	ipsp_process_done(struct mbuf *, struct tdb *);
/* SPD lookups: return the TDB to use for the packet, or NULL. */
struct	tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int,
	    struct tdb *, struct inpcb *, u_int32_t);
struct	tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int,
	    struct tdb *, struct inpcb *, struct ipsec_policy *);
int	ipsp_is_unspecified(union sockaddr_union);	/* passed by value */
/* Match a TDB against required IDs and a filter/mask pair. */
int	ipsp_aux_match(struct tdb *, struct ipsec_ids *,
	    struct sockaddr_encap *, struct sockaddr_encap *);
int	ipsp_ids_match(struct ipsec_ids *, struct ipsec_ids *);
/* Identity-pair management (struct ipsec_ids is refcounted). */
struct ipsec_ids *ipsp_ids_insert(struct ipsec_ids *);
struct ipsec_ids *ipsp_ids_lookup(u_int32_t);	/* by id_flow */
void	ipsp_ids_free(struct ipsec_ids *);

int	ipsec_common_input(struct mbuf *, int, int, int, int, int);
void	ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int);
int	ipsec_delete_policy(struct ipsec_policy *);
ssize_t	ipsec_hdrsz(struct tdb *);	/* header overhead the SA adds */
void	ipsec_adjust_mtu(struct mbuf *, u_int32_t);
struct	ipsec_acquire *ipsec_get_acquire(u_int32_t);	/* by ipa_seq */
559
560#endif /* _KERNEL */
561#endif /* _NETINET_IPSP_H_ */
562