ip_ipsp.h revision 1.197
1/* $OpenBSD: ip_ipsp.h,v 1.197 2021/05/04 09:28:04 mvs Exp $ */ 2/* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Niklas Hallqvist (niklas@appli.se). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 18 * 19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * Copyright (c) 1999 Niklas Hallqvist. 22 * Copyright (c) 2001, Angelos D. Keromytis. 23 * 24 * Permission to use, copy, and modify this software with or without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40#ifndef _NETINET_IPSP_H_ 41#define _NETINET_IPSP_H_ 42 43/* IPSP global definitions. */ 44 45#include <sys/types.h> 46#include <netinet/in.h> 47 48union sockaddr_union { 49 struct sockaddr sa; 50 struct sockaddr_in sin; 51 struct sockaddr_in6 sin6; 52}; 53 54#define AH_HMAC_MAX_HASHLEN 32 /* 256 bits of authenticator for SHA512 */ 55#define AH_HMAC_RPLENGTH 4 /* 32 bits of replay counter */ 56#define AH_HMAC_INITIAL_RPL 1 /* Replay counter initial value */ 57 58/* Authenticator lengths */ 59#define AH_MD5_ALEN 16 60#define AH_SHA1_ALEN 20 61#define AH_RMD160_ALEN 20 62#define AH_SHA2_256_ALEN 32 63#define AH_SHA2_384_ALEN 48 64#define AH_SHA2_512_ALEN 64 65#define AH_ALEN_MAX 64 /* Keep updated */ 66 67/* Reserved SPI numbers */ 68#define SPI_LOCAL_USE 0 69#define SPI_RESERVED_MIN 1 70#define SPI_RESERVED_MAX 255 71 72/* Reserved CPI numbers */ 73#define CPI_RESERVED_MIN 1 74#define CPI_RESERVED_MAX 255 75#define CPI_PRIVATE_MIN 61440 76#define CPI_PRIVATE_MAX 65535 77 78/* sysctl default values */ 79#define IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT 60 /* 1 minute */ 80#define IPSEC_DEFAULT_PFS 1 81#define IPSEC_DEFAULT_SOFT_ALLOCATIONS 0 82#define IPSEC_DEFAULT_EXP_ALLOCATIONS 0 83#define IPSEC_DEFAULT_SOFT_BYTES 0 84#define IPSEC_DEFAULT_EXP_BYTES 0 85#define IPSEC_DEFAULT_SOFT_TIMEOUT 80000 86#define IPSEC_DEFAULT_EXP_TIMEOUT 86400 87#define IPSEC_DEFAULT_SOFT_FIRST_USE 3600 88#define IPSEC_DEFAULT_EXP_FIRST_USE 7200 89#define IPSEC_DEFAULT_DEF_ENC "aes" 90#define IPSEC_DEFAULT_DEF_AUTH "hmac-sha1" 91#define IPSEC_DEFAULT_EXPIRE_ACQUIRE 30 92#define IPSEC_DEFAULT_DEF_COMP "deflate" 93 94struct sockaddr_encap { 95 u_int8_t sen_len; /* length */ 96 u_int8_t sen_family; /* PF_KEY */ 97 u_int16_t sen_type; /* see SENT_* */ 98 union { 99 struct { /* SENT_IP4 */ 100 u_int8_t Direction; 101 struct in_addr Src; 102 struct in_addr Dst; 103 u_int8_t Proto; 104 u_int16_t Sport; 105 u_int16_t Dport; 106 } Sip4; 107 108 struct { /* SENT_IP6 */ 109 u_int8_t Direction; 110 struct in6_addr Src; 111 struct in6_addr Dst; 112 u_int8_t Proto; 113 u_int16_t Sport; 114 u_int16_t Dport; 115 } Sip6; 116 117 struct ipsec_policy *PolicyHead; /* SENT_IPSP */ 118 } Sen; 119}; 120 121#define IPSP_DIRECTION_IN 0x1 122#define IPSP_DIRECTION_OUT 0x2 123 124struct ipsecstat { 125 uint64_t ipsec_tunnels; /* Number of active tunnels */ 126 uint64_t ipsec_prevtunnels; /* Past number of tunnels */ 127 uint64_t ipsec_ipackets; /* Input IPsec packets */ 128 uint64_t ipsec_opackets; /* Output IPsec packets */ 129 uint64_t ipsec_ibytes; /* Input bytes */ 130 uint64_t ipsec_obytes; /* Output bytes */ 131 uint64_t ipsec_idecompbytes; /* Input bytes, decompressed */ 132 uint64_t ipsec_ouncompbytes; /* Output bytes, uncompressed */ 133 uint64_t ipsec_idrops; /* Dropped on input */ 134 uint64_t ipsec_odrops; /* Dropped on output */ 135 uint64_t ipsec_crypto; /* Crypto processing failure */ 136 uint64_t ipsec_notdb; /* Expired while in crypto */ 137 uint64_t ipsec_noxform; /* Crypto error */ 138}; 139 140struct tdb_data { 141 uint64_t tdd_ipackets; /* Input IPsec packets */ 142 uint64_t tdd_opackets; /* Output IPsec packets */ 143 uint64_t tdd_ibytes; /* Input bytes */ 144 uint64_t tdd_obytes; /* Output bytes */ 145 uint64_t tdd_idrops; /* Dropped on input */ 146 uint64_t tdd_odrops; /* Dropped on output */ 147 uint64_t tdd_idecompbytes; /* Input bytes, decompressed */ 148 uint64_t tdd_ouncompbytes; /* Output bytes, uncompressed */ 149}; 150 151#ifdef _KERNEL 152 153#include <sys/timeout.h> 154#include <sys/tree.h> 155#include <sys/queue.h> 156#include <net/radix.h> 157#include <sys/percpu.h> 158 159enum ipsec_counters { 160 ipsec_tunnels, 161 ipsec_prevtunnels, 162 ipsec_ipackets, 163 ipsec_opackets, 164 ipsec_ibytes, 165 ipsec_obytes, 166 ipsec_idecompbytes, 167 ipsec_ouncompbytes, 168 ipsec_idrops, 169 ipsec_odrops, 170 ipsec_crypto, 171 ipsec_notdb, 172 ipsec_noxform, 173 ipsec_ncounters 174}; 175 176extern struct cpumem *ipseccounters; 177 178static inline void 179ipsecstat_inc(enum ipsec_counters c) 180{ 181 counters_inc(ipseccounters, c); 182} 183 184static inline void 185ipsecstat_dec(enum ipsec_counters c) 186{ 187 counters_dec(ipseccounters, c); 188} 189 190static inline void 191ipsecstat_add(enum ipsec_counters c, uint64_t v) 192{ 193 counters_add(ipseccounters, c, v); 194} 195 196struct m_tag; 197 198#define sen_data Sen.Data 199#define sen_ip_src Sen.Sip4.Src 200#define sen_ip_dst Sen.Sip4.Dst 201#define sen_proto Sen.Sip4.Proto 202#define sen_sport Sen.Sip4.Sport 203#define sen_dport Sen.Sip4.Dport 204#define sen_direction Sen.Sip4.Direction 205#define sen_ip6_src Sen.Sip6.Src 206#define sen_ip6_dst Sen.Sip6.Dst 207#define sen_ip6_proto Sen.Sip6.Proto 208#define sen_ip6_sport Sen.Sip6.Sport 209#define sen_ip6_dport Sen.Sip6.Dport 210#define sen_ip6_direction Sen.Sip6.Direction 211#define sen_ipsp Sen.PolicyHead 212 213/* 214 * The "type" is really part of the address as far as the routing 215 * system is concerned. By using only one bit in the type field 216 * for each type, we sort-of make sure that different types of 217 * encapsulation addresses won't be matched against the wrong type. 218 * 219 */ 220 221#define SENT_IP4 0x0001 /* data is two struct in_addr */ 222#define SENT_IPSP 0x0002 /* data as in IP4/6 plus SPI */ 223#define SENT_IP6 0x0004 224 225#define SENT_LEN sizeof(struct sockaddr_encap) 226 227struct ipsec_id { 228 u_int16_t type; /* Subtype of data */ 229 int16_t len; /* Length of data following */ 230}; 231 232struct ipsec_ids { 233 RBT_ENTRY(ipsec_ids) id_node_id; 234 RBT_ENTRY(ipsec_ids) id_node_flow; 235 struct ipsec_id *id_local; 236 struct ipsec_id *id_remote; 237 u_int32_t id_flow; 238 int id_refcount; 239 struct timeout id_timeout; 240}; 241RBT_HEAD(ipsec_ids_flows, ipsec_ids); 242RBT_HEAD(ipsec_ids_tree, ipsec_ids); 243 244struct ipsec_acquire { 245 union sockaddr_union ipa_addr; 246 u_int32_t ipa_seq; 247 struct sockaddr_encap ipa_info; 248 struct sockaddr_encap ipa_mask; 249 struct timeout ipa_timeout; 250 struct ipsec_policy *ipa_policy; 251 struct inpcb *ipa_pcb; 252 TAILQ_ENTRY(ipsec_acquire) ipa_ipo_next; 253 TAILQ_ENTRY(ipsec_acquire) ipa_next; 254}; 255 256struct ipsec_policy { 257 struct radix_node ipo_nodes[2]; /* radix tree glue */ 258 struct sockaddr_encap ipo_addr; 259 struct sockaddr_encap ipo_mask; 260 261 union sockaddr_union ipo_src; /* Local address to use */ 262 union sockaddr_union ipo_dst; /* Remote gateway -- if it's zeroed: 263 * - on output, we try to 264 * contact the remote host 265 * directly (if needed). 266 * - on input, we accept on if 267 * the inner source is the 268 * same as the outer source 269 * address, or if transport 270 * mode was used. 271 */ 272 273 u_int64_t ipo_last_searched; /* Timestamp of last lookup */ 274 275 u_int8_t ipo_flags; /* See IPSP_POLICY_* definitions */ 276 u_int8_t ipo_type; /* USE/ACQUIRE/... */ 277 u_int8_t ipo_sproto; /* ESP/AH; if zero, use system dflts */ 278 u_int ipo_rdomain; 279 280 int ipo_ref_count; 281 282 struct tdb *ipo_tdb; /* Cached entry */ 283 284 struct ipsec_ids *ipo_ids; 285 286 TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */ 287 TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* List TDB policies */ 288 TAILQ_ENTRY(ipsec_policy) ipo_list; /* List of all policies */ 289}; 290 291#define IPSP_POLICY_NONE 0x0000 /* No flags set */ 292#define IPSP_POLICY_STATIC 0x0002 /* Static policy */ 293 294#define IPSP_IPSEC_USE 0 /* Use if existing, don't acquire */ 295#define IPSP_IPSEC_ACQUIRE 1 /* Try acquire, let packet through */ 296#define IPSP_IPSEC_REQUIRE 2 /* Require SA */ 297#define IPSP_PERMIT 3 /* Permit traffic through */ 298#define IPSP_DENY 4 /* Deny traffic */ 299#define IPSP_IPSEC_DONTACQ 5 /* Require, but don't acquire */ 300 301/* Identity types */ 302#define IPSP_IDENTITY_NONE 0 303#define IPSP_IDENTITY_PREFIX 1 304#define IPSP_IDENTITY_FQDN 2 305#define IPSP_IDENTITY_USERFQDN 3 306#define IPSP_IDENTITY_ASN1_DN 4 307 308struct tdb { /* tunnel descriptor block */ 309 /* 310 * Each TDB is on three hash tables: one keyed on dst/spi/sproto, 311 * one keyed on dst/sproto, and one keyed on src/sproto. The first 312 * is used for finding a specific TDB, the second for finding TDBs 313 * for outgoing policy matching, and the third for incoming 314 * policy matching. The following three fields maintain the hash 315 * queues in those three tables. 316 */ 317 struct tdb *tdb_hnext; /* dst/spi/sproto table */ 318 struct tdb *tdb_dnext; /* dst/sproto table */ 319 struct tdb *tdb_snext; /* src/sproto table */ 320 struct tdb *tdb_inext; 321 struct tdb *tdb_onext; 322 323 struct xformsw *tdb_xform; /* Transform to use */ 324 struct enc_xform *tdb_encalgxform; /* Enc algorithm */ 325 struct auth_hash *tdb_authalgxform; /* Auth algorithm */ 326 struct comp_algo *tdb_compalgxform; /* Compression algo */ 327 328#define TDBF_UNIQUE 0x00001 /* This should not be used by others */ 329#define TDBF_TIMER 0x00002 /* Absolute expiration timer in use */ 330#define TDBF_BYTES 0x00004 /* Check the byte counters */ 331#define TDBF_ALLOCATIONS 0x00008 /* Check the flows counters */ 332#define TDBF_INVALID 0x00010 /* This SPI is not valid yet/anymore */ 333#define TDBF_FIRSTUSE 0x00020 /* Expire after first use */ 334#define TDBF_SOFT_TIMER 0x00080 /* Soft expiration */ 335#define TDBF_SOFT_BYTES 0x00100 /* Soft expiration */ 336#define TDBF_SOFT_ALLOCATIONS 0x00200 /* Soft expiration */ 337#define TDBF_SOFT_FIRSTUSE 0x00400 /* Soft expiration */ 338#define TDBF_PFS 0x00800 /* Ask for PFS from Key Mgmt. */ 339#define TDBF_TUNNELING 0x01000 /* Force IP-IP encapsulation */ 340#define TDBF_USEDTUNNEL 0x10000 /* Appended a tunnel header in past */ 341#define TDBF_UDPENCAP 0x20000 /* UDP encapsulation */ 342#define TDBF_PFSYNC 0x40000 /* TDB will be synced */ 343#define TDBF_PFSYNC_RPL 0x80000 /* Replay counter should be bumped */ 344#define TDBF_ESN 0x100000 /* 64-bit sequence numbers (ESN) */ 345 346 u_int32_t tdb_flags; /* Flags related to this TDB */ 347 348 struct timeout tdb_timer_tmo; 349 struct timeout tdb_first_tmo; 350 struct timeout tdb_stimer_tmo; 351 struct timeout tdb_sfirst_tmo; 352 353 u_int32_t tdb_seq; /* Tracking number for PFKEY */ 354 u_int32_t tdb_exp_allocations; /* Expire after so many flows */ 355 u_int32_t tdb_soft_allocations; /* Expiration warning */ 356 u_int32_t tdb_cur_allocations; /* Total number of allocs */ 357 358 u_int64_t tdb_exp_bytes; /* Expire after so many bytes passed */ 359 u_int64_t tdb_soft_bytes; /* Expiration warning */ 360 u_int64_t tdb_cur_bytes; /* Current count of bytes */ 361 362 u_int64_t tdb_exp_timeout; /* When does the SPI expire */ 363 u_int64_t tdb_soft_timeout; /* Send soft-expire warning */ 364 u_int64_t tdb_established; /* When was SPI established */ 365 366 u_int64_t tdb_first_use; /* When was it first used */ 367 u_int64_t tdb_soft_first_use; /* Soft warning */ 368 u_int64_t tdb_exp_first_use; /* Expire if tdb_first_use + 369 * tdb_exp_first_use <= curtime 370 */ 371 372 u_int64_t tdb_last_used; /* When was this SA last used */ 373 u_int64_t tdb_last_marked;/* Last SKIPCRYPTO status change */ 374 375 struct tdb_data tdb_data; /* stats about this TDB */ 376 u_int64_t tdb_cryptoid; /* Crypto session ID */ 377 378 u_int32_t tdb_spi; /* SPI */ 379 u_int16_t tdb_amxkeylen; /* Raw authentication key length */ 380 u_int16_t tdb_emxkeylen; /* Raw encryption key length */ 381 u_int16_t tdb_ivlen; /* IV length */ 382 u_int8_t tdb_sproto; /* IPsec protocol */ 383 u_int8_t tdb_wnd; /* Replay window */ 384 u_int8_t tdb_satype; /* SA type (RFC2367, PF_KEY) */ 385 u_int8_t tdb_updates; /* pfsync update counter */ 386 387 union sockaddr_union tdb_dst; /* Destination address */ 388 union sockaddr_union tdb_src; /* Source address */ 389 390 u_int8_t *tdb_amxkey; /* Raw authentication key */ 391 u_int8_t *tdb_emxkey; /* Raw encryption key */ 392 393#define TDB_REPLAYWASTE 32 394#define TDB_REPLAYMAX (2100+TDB_REPLAYWASTE) 395 396 u_int64_t tdb_rpl; /* Replay counter */ 397 u_int32_t tdb_seen[howmany(TDB_REPLAYMAX, 32)]; /* Anti-replay window */ 398 399 u_int8_t tdb_iv[4]; /* Used for HALF-IV ESP */ 400 401 struct ipsec_ids *tdb_ids; /* Src/Dst ID for this SA */ 402 int tdb_ids_swapped; /* XXX */ 403 404 u_int32_t tdb_mtu; /* MTU at this point in the chain */ 405 u_int64_t tdb_mtutimeout; /* When to ignore this entry */ 406 407 u_int16_t tdb_udpencap_port; /* Peer UDP port */ 408 409 u_int16_t tdb_tag; /* Packet filter tag */ 410 u_int32_t tdb_tap; /* Alternate enc(4) interface */ 411 412 u_int tdb_rdomain; /* Routing domain */ 413 u_int tdb_rdomain_post; /* Change domain */ 414 415 struct sockaddr_encap tdb_filter; /* What traffic is acceptable */ 416 struct sockaddr_encap tdb_filtermask; /* And the mask */ 417 418 TAILQ_HEAD(tdb_policy_head, ipsec_policy) tdb_policy_head; 419 TAILQ_ENTRY(tdb) tdb_sync_entry; 420}; 421#define tdb_ipackets tdb_data.tdd_ipackets 422#define tdb_opackets tdb_data.tdd_opackets 423#define tdb_ibytes tdb_data.tdd_ibytes 424#define tdb_obytes tdb_data.tdd_obytes 425#define tdb_idrops tdb_data.tdd_idrops 426#define tdb_odrops tdb_data.tdd_odrops 427#define tdb_idecompbytes tdb_data.tdd_idecompbytes 428#define tdb_ouncompbytes tdb_data.tdd_ouncompbytes 429 430 431struct tdb_ident { 432 u_int32_t spi; 433 union sockaddr_union dst; 434 u_int8_t proto; 435 u_int rdomain; 436}; 437 438struct tdb_crypto { 439 u_int32_t tc_spi; 440 union sockaddr_union tc_dst; 441 u_int8_t tc_proto; 442 int tc_protoff; 443 int tc_skip; 444 u_int tc_rdomain; 445}; 446 447struct ipsecinit { 448 u_int8_t *ii_enckey; 449 u_int8_t *ii_authkey; 450 u_int16_t ii_enckeylen; 451 u_int16_t ii_authkeylen; 452 u_int8_t ii_encalg; 453 u_int8_t ii_authalg; 454 u_int8_t ii_compalg; 455}; 456 457/* xform IDs */ 458#define XF_IP4 1 /* IP inside IP */ 459#define XF_AH 2 /* AH */ 460#define XF_ESP 3 /* ESP */ 461#define XF_TCPSIGNATURE 5 /* TCP MD5 Signature option, RFC 2358 */ 462#define XF_IPCOMP 6 /* IPCOMP */ 463 464/* xform attributes */ 465#define XFT_AUTH 0x0001 466#define XFT_CONF 0x0100 467#define XFT_COMP 0x1000 468 469#define IPSEC_ZEROES_SIZE 256 /* Larger than an IP6 extension hdr. */ 470 471struct xformsw { 472 u_short xf_type; /* Unique ID of xform */ 473 u_short xf_flags; /* flags (see below) */ 474 char *xf_name; /* human-readable name */ 475 int (*xf_attach)(void); /* called at config time */ 476 int (*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *); 477 int (*xf_zeroize)(struct tdb *); /* termination */ 478 int (*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */ 479 int (*xf_output)(struct mbuf *, struct tdb *, struct mbuf **, 480 int, int); /* output */ 481}; 482 483extern int ipsec_in_use; 484extern u_int64_t ipsec_last_added; 485extern int encdebug; /* enable message reporting */ 486 487extern int ipsec_keep_invalid; /* lifetime of embryonic SAs (in sec) */ 488extern int ipsec_require_pfs; /* use Perfect Forward Secrecy */ 489extern int ipsec_expire_acquire; /* wait for security assoc. (in sec) */ 490extern int ipsec_soft_allocations; /* flows/SA before renegotiation */ 491extern int ipsec_exp_allocations; /* num. of flows/SA before it expires */ 492extern int ipsec_soft_bytes; /* bytes/SA before renegotiation */ 493extern int ipsec_exp_bytes; /* num of bytes/SA before it expires */ 494extern int ipsec_soft_timeout; /* seconds/SA before renegotiation */ 495extern int ipsec_exp_timeout; /* seconds/SA before it expires */ 496extern int ipsec_soft_first_use; /* seconds between 1st asso & renego */ 497extern int ipsec_exp_first_use; /* seconds between 1st asso & expire */ 498 499/* 500 * Names for IPsec sysctl objects 501 */ 502#define IPSEC_ENCDEBUG IPCTL_ENCDEBUG /* 12 */ 503#define IPSEC_STATS IPCTL_IPSEC_STATS /* 13 */ 504#define IPSEC_EXPIRE_ACQUIRE IPCTL_IPSEC_EXPIRE_ACQUIRE /* 14 */ 505#define IPSEC_EMBRYONIC_SA_TIMEOUT IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT/* 15 */ 506#define IPSEC_REQUIRE_PFS IPCTL_IPSEC_REQUIRE_PFS /* 16 */ 507#define IPSEC_SOFT_ALLOCATIONS IPCTL_IPSEC_SOFT_ALLOCATIONS /* 17 */ 508#define IPSEC_ALLOCATIONS IPCTL_IPSEC_ALLOCATIONS /* 18 */ 509#define IPSEC_SOFT_BYTES IPCTL_IPSEC_SOFT_BYTES /* 19 */ 510#define IPSEC_BYTES IPCTL_IPSEC_BYTES /* 20 */ 511#define IPSEC_TIMEOUT IPCTL_IPSEC_TIMEOUT /* 21 */ 512#define IPSEC_SOFT_TIMEOUT IPCTL_IPSEC_SOFT_TIMEOUT /* 22 */ 513#define IPSEC_SOFT_FIRSTUSE IPCTL_IPSEC_SOFT_FIRSTUSE /* 23 */ 514#define IPSEC_FIRSTUSE IPCTL_IPSEC_FIRSTUSE /* 24 */ 515#define IPSEC_MAXID 25 516 517extern char ipsec_def_enc[]; 518extern char ipsec_def_auth[]; 519extern char ipsec_def_comp[]; 520 521extern struct enc_xform enc_xform_des; 522extern struct enc_xform enc_xform_3des; 523extern struct enc_xform enc_xform_blf; 524extern struct enc_xform enc_xform_cast5; 525 526extern struct auth_hash auth_hash_hmac_md5_96; 527extern struct auth_hash auth_hash_hmac_sha1_96; 528extern struct auth_hash auth_hash_hmac_ripemd_160_96; 529 530extern struct comp_algo comp_algo_deflate; 531 532extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head; 533 534struct cryptop; 535 536/* Misc. */ 537#ifdef ENCDEBUG 538const char *ipsp_address(union sockaddr_union *, char *, socklen_t); 539#endif /* ENCDEBUG */ 540 541/* SPD tables */ 542struct radix_node_head *spd_table_add(unsigned int); 543struct radix_node_head *spd_table_get(unsigned int); 544int spd_table_walk(unsigned int, 545 int (*walker)(struct ipsec_policy *, void *, unsigned int), void *); 546 547/* TDB management routines */ 548uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *, 549 union sockaddr_union *, u_int8_t, int *); 550struct tdb *gettdb_dir(u_int, u_int32_t, union sockaddr_union *, u_int8_t, int); 551#define gettdb(a,b,c,d) gettdb_dir((a),(b),(c),(d),0) 552#define gettdb_rev(a,b,c,d) gettdb_dir((a),(b),(c),(d),1) 553struct tdb *gettdbbydst(u_int, union sockaddr_union *, u_int8_t, 554 struct ipsec_ids *, 555 struct sockaddr_encap *, struct sockaddr_encap *); 556struct tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t, 557 struct ipsec_ids *, 558 struct sockaddr_encap *, struct sockaddr_encap *); 559struct tdb *gettdbbysrcdst_dir(u_int, u_int32_t, union sockaddr_union *, 560 union sockaddr_union *, u_int8_t, int); 561#define gettdbbysrcdst(a,b,c,d,e) gettdbbysrcdst_dir((a),(b),(c),(d),(e),0) 562#define gettdbbysrcdst_rev(a,b,c,d,e) gettdbbysrcdst_dir((a),(b),(c),(d),(e),1) 563void puttdb(struct tdb *); 564void tdb_delete(struct tdb *); 565struct tdb *tdb_alloc(u_int); 566void tdb_free(struct tdb *); 567int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *); 568void tdb_unlink(struct tdb *); 569int tdb_walk(u_int, int (*)(struct tdb *, void *, int), void *); 570 571/* XF_IP4 */ 572int ipe4_attach(void); 573int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *); 574int ipe4_zeroize(struct tdb *); 575int ipe4_input(struct mbuf *, struct tdb *, int, int); 576 577/* XF_AH */ 578int ah_attach(void); 579int ah_init(struct tdb *, struct xformsw *, struct ipsecinit *); 580int ah_zeroize(struct tdb *); 581int ah_input(struct mbuf *, struct tdb *, int, int); 582int ah_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int); 583int ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 584int ah_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int, 585 int); 586int ah_sysctl(int *, u_int, void *, size_t *, void *, size_t); 587 588int ah4_input(struct mbuf **, int *, int, int); 589void ah4_ctlinput(int, struct sockaddr *, u_int, void *); 590void udpencap_ctlinput(int, struct sockaddr *, u_int, void *); 591 592#ifdef INET6 593int ah6_input(struct mbuf **, int *, int, int); 594#endif /* INET6 */ 595 596/* XF_ESP */ 597int esp_attach(void); 598int esp_init(struct tdb *, struct xformsw *, struct ipsecinit *); 599int esp_zeroize(struct tdb *); 600int esp_input(struct mbuf *, struct tdb *, int, int); 601int esp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int); 602int esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 603int esp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int, 604 int); 605int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t); 606 607int esp4_input(struct mbuf **, int *, int, int); 608void esp4_ctlinput(int, struct sockaddr *, u_int, void *); 609 610#ifdef INET6 611int esp6_input(struct mbuf **, int *, int, int); 612#endif /* INET6 */ 613 614/* XF_IPCOMP */ 615int ipcomp_attach(void); 616int ipcomp_init(struct tdb *, struct xformsw *, struct ipsecinit *); 617int ipcomp_zeroize(struct tdb *); 618int ipcomp_input(struct mbuf *, struct tdb *, int, int); 619int ipcomp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int); 620int ipcomp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 621int ipcomp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int, 622 int); 623int ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t); 624int ipcomp4_input(struct mbuf **, int *, int, int); 625#ifdef INET6 626int ipcomp6_input(struct mbuf **, int *, int, int); 627#endif /* INET6 */ 628 629/* XF_TCPSIGNATURE */ 630int tcp_signature_tdb_attach(void); 631int tcp_signature_tdb_init(struct tdb *, struct xformsw *, 632 struct ipsecinit *); 633int tcp_signature_tdb_zeroize(struct tdb *); 634int tcp_signature_tdb_input(struct mbuf *, struct tdb *, int, int); 635int tcp_signature_tdb_output(struct mbuf *, struct tdb *, struct mbuf **, 636 int, int); 637 638/* Replay window */ 639int checkreplaywindow(struct tdb *, u_int32_t, u_int32_t *, int); 640 641/* Packet processing */ 642int ipsp_process_packet(struct mbuf *, struct tdb *, int, int); 643int ipsp_process_done(struct mbuf *, struct tdb *); 644struct tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int, 645 struct tdb *, struct inpcb *, u_int32_t); 646struct tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int, 647 struct tdb *, struct inpcb *, struct ipsec_policy *); 648int ipsp_is_unspecified(union sockaddr_union); 649int ipsp_aux_match(struct tdb *, struct ipsec_ids *, 650 struct sockaddr_encap *, struct sockaddr_encap *); 651int ipsp_ids_match(struct ipsec_ids *, struct ipsec_ids *); 652struct ipsec_ids *ipsp_ids_insert(struct ipsec_ids *); 653struct ipsec_ids *ipsp_ids_lookup(u_int32_t); 654void ipsp_ids_free(struct ipsec_ids *); 655 656void ipsec_init(void); 657int ipsec_sysctl(int *, u_int, void *, size_t *, void *, size_t); 658int ipsec_common_input(struct mbuf *, int, int, int, int, int); 659void ipsec_input_cb(struct cryptop *); 660void ipsec_output_cb(struct cryptop *); 661int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int); 662int ipsec_delete_policy(struct ipsec_policy *); 663ssize_t ipsec_hdrsz(struct tdb *); 664void ipsec_adjust_mtu(struct mbuf *, u_int32_t); 665struct ipsec_acquire *ipsec_get_acquire(u_int32_t); 666int ipsec_forward_check(struct mbuf *, int, int); 667int ipsec_local_check(struct mbuf *, int, int, int); 668 669#endif /* _KERNEL */ 670#endif /* _NETINET_IPSP_H_ */ 671