1/*	$OpenBSD: ip_ipsp.h,v 1.197 2021/05/04 09:28:04 mvs Exp $	*/
2/*
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr),
5 * Niels Provos (provos@physnet.uni-hamburg.de) and
6 * Niklas Hallqvist (niklas@appli.se).
7 *
8 * The original version of this code was written by John Ioannidis
9 * for BSD/OS in Athens, Greece, in November 1995.
10 *
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
13 *
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15 * and Niels Provos.
16 *
17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
18 *
19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20 * Angelos D. Keromytis and Niels Provos.
21 * Copyright (c) 1999 Niklas Hallqvist.
22 * Copyright (c) 2001, Angelos D. Keromytis.
23 *
24 * Permission to use, copy, and modify this software with or without fee
25 * is hereby granted, provided that this entire notice is included in
26 * all copies of any software which is or includes a copy or
27 * modification of this software.
28 * You may use this code under the GNU public license if you so wish. Please
29 * contribute changes back to the authors under this freer than GPL license
30 * so that we may further the use of strong encryption without limitations to
31 * all.
32 *
33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37 * PURPOSE.
38 */
39
40#ifndef _NETINET_IPSP_H_
41#define _NETINET_IPSP_H_
42
43/* IPSP global definitions. */
44
45#include <sys/types.h>
46#include <netinet/in.h>
47
/*
 * One storage slot big enough for any socket address family IPsec
 * deals with.  The generic sa member is presumably used to read
 * sa_family and tell which of the other members is live -- the code
 * that fills these in is not visible in this header.
 */
union sockaddr_union {
	struct sockaddr		sa;	/* generic view, carries sa_family */
	struct sockaddr_in	sin;	/* AF_INET */
	struct sockaddr_in6	sin6;	/* AF_INET6 */
};
53
54#define	AH_HMAC_MAX_HASHLEN	32	/* 256 bits of authenticator for SHA512 */
55#define	AH_HMAC_RPLENGTH	4	/* 32 bits of replay counter */
56#define	AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */
57
58/* Authenticator lengths */
59#define	AH_MD5_ALEN		16
60#define	AH_SHA1_ALEN		20
61#define	AH_RMD160_ALEN		20
62#define	AH_SHA2_256_ALEN	32
63#define	AH_SHA2_384_ALEN	48
64#define	AH_SHA2_512_ALEN	64
65#define	AH_ALEN_MAX		64 	/* Keep updated */
66
67/* Reserved SPI numbers */
68#define	SPI_LOCAL_USE		0
69#define	SPI_RESERVED_MIN	1
70#define	SPI_RESERVED_MAX	255
71
72/* Reserved CPI numbers */
73#define CPI_RESERVED_MIN	1
74#define CPI_RESERVED_MAX	255
75#define CPI_PRIVATE_MIN		61440
76#define CPI_PRIVATE_MAX		65535
77
78/* sysctl default values */
79#define	IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT	60	/* 1 minute */
80#define	IPSEC_DEFAULT_PFS			1
81#define	IPSEC_DEFAULT_SOFT_ALLOCATIONS		0
82#define	IPSEC_DEFAULT_EXP_ALLOCATIONS		0
83#define	IPSEC_DEFAULT_SOFT_BYTES		0
84#define	IPSEC_DEFAULT_EXP_BYTES			0
85#define	IPSEC_DEFAULT_SOFT_TIMEOUT		80000
86#define	IPSEC_DEFAULT_EXP_TIMEOUT		86400
87#define	IPSEC_DEFAULT_SOFT_FIRST_USE		3600
88#define	IPSEC_DEFAULT_EXP_FIRST_USE		7200
89#define	IPSEC_DEFAULT_DEF_ENC			"aes"
90#define	IPSEC_DEFAULT_DEF_AUTH			"hmac-sha1"
91#define	IPSEC_DEFAULT_EXPIRE_ACQUIRE		30
92#define	IPSEC_DEFAULT_DEF_COMP			"deflate"
93
/*
 * "Address" used to key the SPD radix tree and the TDB traffic
 * filters (ipo_addr/ipo_mask in struct ipsec_policy, tdb_filter/
 * tdb_filtermask in struct tdb).  sen_type selects which member of
 * the Sen union is in use; see the SENT_* values and the sen_*
 * accessor macros further down in the _KERNEL section.
 *
 * NOTE(review): the Sip4 and Sip6 layouts contain alignment padding
 * (a u_int8_t Direction/Proto next to wider fields).  Because these
 * objects are compared as opaque byte strings under a mask, any padding
 * bytes presumably have to be zeroed by whoever builds one -- confirm
 * in the callers, which are not visible here.
 *
 * NOTE(review): the sen_data accessor macro below expands to Sen.Data,
 * but this union has no Data member; that macro looks stale.
 */
struct sockaddr_encap {
	u_int8_t	sen_len;		/* length (see SENT_LEN) */
	u_int8_t	sen_family;		/* PF_KEY */
	u_int16_t	sen_type;		/* see SENT_* */
	union {
		struct {				/* SENT_IP4 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_IN/OUT, presumably */
			struct in_addr	Src;
			struct in_addr	Dst;
			u_int8_t	Proto;		/* IP protocol number */
			u_int16_t	Sport;		/* byte order not stated here */
			u_int16_t	Dport;
		} Sip4;

		struct {				/* SENT_IP6 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_IN/OUT, presumably */
			struct in6_addr	Src;
			struct in6_addr	Dst;
			u_int8_t	Proto;		/* IP protocol number */
			u_int16_t	Sport;		/* byte order not stated here */
			u_int16_t	Dport;
		} Sip6;

		struct ipsec_policy	*PolicyHead;	/* SENT_IPSP */
	} Sen;
};
120
121#define	IPSP_DIRECTION_IN	0x1
122#define	IPSP_DIRECTION_OUT	0x2
123
/*
 * Global IPsec statistics as exported to userland (IPSEC_STATS sysctl,
 * ipsec_sysctl()).  The members are, name for name and in the same
 * order, the counters of enum ipsec_counters in the _KERNEL section
 * below; NOTE(review): the two presumably are mapped positionally, so
 * any new counter must be added to both in the same place -- confirm in
 * ipsec_sysctl().
 */
struct ipsecstat {
	uint64_t	ipsec_tunnels;		/* Number of active tunnels */
	uint64_t	ipsec_prevtunnels;	/* Past number of tunnels */
	uint64_t	ipsec_ipackets;		/* Input IPsec packets */
	uint64_t	ipsec_opackets;		/* Output IPsec packets */
	uint64_t	ipsec_ibytes;		/* Input bytes */
	uint64_t	ipsec_obytes;		/* Output bytes */
	uint64_t	ipsec_idecompbytes;	/* Input bytes, decompressed */
	uint64_t	ipsec_ouncompbytes;	/* Output bytes, uncompressed */
	uint64_t	ipsec_idrops;		/* Dropped on input */
	uint64_t	ipsec_odrops;		/* Dropped on output */
	uint64_t	ipsec_crypto;		/* Crypto processing failure */
	uint64_t	ipsec_notdb;		/* Expired while in crypto */
	uint64_t	ipsec_noxform;		/* Crypto error */
};
139
/*
 * Per-SA traffic counters.  Embedded in struct tdb as tdb_data and
 * reached through the tdb_ipackets/tdb_obytes/... macros defined right
 * after struct tdb.  Kept outside the _KERNEL block so userland can
 * share the layout.
 */
struct tdb_data {
	uint64_t	tdd_ipackets;		/* Input IPsec packets */
	uint64_t	tdd_opackets;		/* Output IPsec packets */
	uint64_t	tdd_ibytes;		/* Input bytes */
	uint64_t	tdd_obytes;		/* Output bytes */
	uint64_t	tdd_idrops;		/* Dropped on input */
	uint64_t	tdd_odrops;		/* Dropped on output */
	uint64_t	tdd_idecompbytes;	/* Input bytes, decompressed */
	uint64_t	tdd_ouncompbytes;	/* Output bytes, uncompressed */
};
150
151#ifdef _KERNEL
152
153#include <sys/timeout.h>
154#include <sys/tree.h>
155#include <sys/queue.h>
156#include <net/radix.h>
157#include <sys/percpu.h>
158
/*
 * Indices into the per-CPU counter array ipseccounters, used by
 * ipsecstat_inc()/ipsecstat_dec()/ipsecstat_add() below.  The order
 * mirrors struct ipsecstat above; ipsec_ncounters is the array size and
 * must remain the last entry.
 */
enum ipsec_counters {
	ipsec_tunnels,
	ipsec_prevtunnels,
	ipsec_ipackets,
	ipsec_opackets,
	ipsec_ibytes,
	ipsec_obytes,
	ipsec_idecompbytes,
	ipsec_ouncompbytes,
	ipsec_idrops,
	ipsec_odrops,
	ipsec_crypto,
	ipsec_notdb,
	ipsec_noxform,
	ipsec_ncounters			/* number of counters, keep last */
};
175
176extern struct cpumem *ipseccounters;
177
/*
 * Increment the IPsec counter selected by c by one.  The counter lives
 * in the per-CPU array ipseccounters (declared above); counters_inc()
 * is the <sys/percpu.h> primitive.
 */
static inline void
ipsecstat_inc(enum ipsec_counters c)
{
	struct cpumem *cm = ipseccounters;

	counters_inc(cm, c);
}
183
/*
 * Decrement the IPsec counter selected by c by one (e.g. when a tunnel
 * goes away).  Same per-CPU storage as ipsecstat_inc(); counters_dec()
 * comes from <sys/percpu.h>.
 */
static inline void
ipsecstat_dec(enum ipsec_counters c)
{
	struct cpumem *cm = ipseccounters;

	counters_dec(cm, c);
}
189
/*
 * Add v to the IPsec counter selected by c; used for the byte counters
 * where a packet contributes more than one unit.  counters_add() comes
 * from <sys/percpu.h> and operates on the per-CPU array ipseccounters.
 */
static inline void
ipsecstat_add(enum ipsec_counters c, uint64_t v)
{
	struct cpumem *cm = ipseccounters;

	counters_add(cm, c, v);
}
195
196struct m_tag;
197
198#define	sen_data		Sen.Data
199#define	sen_ip_src		Sen.Sip4.Src
200#define	sen_ip_dst		Sen.Sip4.Dst
201#define	sen_proto		Sen.Sip4.Proto
202#define	sen_sport		Sen.Sip4.Sport
203#define	sen_dport		Sen.Sip4.Dport
204#define	sen_direction		Sen.Sip4.Direction
205#define	sen_ip6_src		Sen.Sip6.Src
206#define	sen_ip6_dst		Sen.Sip6.Dst
207#define	sen_ip6_proto		Sen.Sip6.Proto
208#define	sen_ip6_sport		Sen.Sip6.Sport
209#define	sen_ip6_dport		Sen.Sip6.Dport
210#define	sen_ip6_direction	Sen.Sip6.Direction
211#define	sen_ipsp		Sen.PolicyHead
212
213/*
214 * The "type" is really part of the address as far as the routing
215 * system is concerned. By using only one bit in the type field
216 * for each type, we sort-of make sure that different types of
217 * encapsulation addresses won't be matched against the wrong type.
218 *
219 */
220
221#define	SENT_IP4	0x0001		/* data is two struct in_addr */
222#define	SENT_IPSP	0x0002		/* data as in IP4/6 plus SPI */
223#define	SENT_IP6	0x0004
224
225#define	SENT_LEN	sizeof(struct sockaddr_encap)
226
/*
 * Header of one identity payload (local or remote side of an SA, see
 * struct ipsec_ids).  The identity data itself follows this header in
 * memory; type is one of the IPSP_IDENTITY_* values defined below.
 *
 * NOTE(review): len is a signed int16_t.  Any code that builds one of
 * these from externally supplied input should reject negative values
 * before using len as a byte count -- the validation is not visible in
 * this header.
 */
struct ipsec_id {
	u_int16_t	type;		/* Subtype of data, IPSP_IDENTITY_* */
	int16_t		len;		/* Length of data following */
};
231
/*
 * Local/remote identity pair shared between policies and TDBs
 * (ipo_ids, tdb_ids).  Entries are reference counted and sit in two
 * red-black trees, declared right below: one keyed on the identities
 * and one on id_flow, which is presumably what ipsp_ids_lookup(u_int32_t)
 * searches by -- confirm in the implementation.  id_timeout presumably
 * delays freeing an unreferenced entry; ipsp_ids_free() is the release
 * routine.
 */
struct ipsec_ids {
	RBT_ENTRY(ipsec_ids)	id_node_id;	/* ipsec_ids_tree linkage */
	RBT_ENTRY(ipsec_ids)	id_node_flow;	/* ipsec_ids_flows linkage */
	struct ipsec_id		*id_local;	/* our identity */
	struct ipsec_id		*id_remote;	/* peer identity */
	u_int32_t		id_flow;	/* numeric handle for this pair */
	int			id_refcount;	/* users of this entry */
	struct timeout		id_timeout;
};
RBT_HEAD(ipsec_ids_flows, ipsec_ids);
RBT_HEAD(ipsec_ids_tree, ipsec_ids);
243
/*
 * An outstanding request to key management for an SA that a policy
 * needs but does not have yet.  Created while a packet hits an
 * IPSP_IPSEC_ACQUIRE/REQUIRE policy; ipsec_get_acquire(u_int32_t) looks
 * one up, presumably by ipa_seq.  ipa_timeout presumably bounds how long
 * the request stays pending (see ipsec_expire_acquire) -- confirm in the
 * implementation.
 */
struct ipsec_acquire {
	union sockaddr_union		ipa_addr;	/* peer being acquired */
	u_int32_t			ipa_seq;	/* request sequence number */
	struct sockaddr_encap		ipa_info;	/* flow that triggered it */
	struct sockaddr_encap		ipa_mask;	/* ... and its mask */
	struct timeout			ipa_timeout;
	struct ipsec_policy		*ipa_policy;	/* owning policy */
	struct inpcb                    *ipa_pcb;	/* socket that triggered it, if any */
	TAILQ_ENTRY(ipsec_acquire)	ipa_ipo_next;	/* on ipa_policy->ipo_acquires */
	TAILQ_ENTRY(ipsec_acquire)	ipa_next;	/* global list (head not in this file) */
};
255
/*
 * One entry of the Security Policy Database (SPD).  Policies are keyed
 * in a per-rdomain radix tree (spd_table_*) by ipo_addr/ipo_mask, which
 * describe the traffic selector as a struct sockaddr_encap.  A policy
 * may cache the TDB it last resolved to (ipo_tdb) and is then also on
 * that TDB's tdb_policy_head list via ipo_tdb_next.
 */
struct ipsec_policy {
	struct radix_node	ipo_nodes[2];	/* radix tree glue */
	struct sockaddr_encap	ipo_addr;	/* traffic selector */
	struct sockaddr_encap	ipo_mask;	/* selector mask */

	union sockaddr_union	ipo_src;	/* Local address to use */
	union sockaddr_union	ipo_dst;	/* Remote gateway -- if it's zeroed:
						 * - on output, we try to
						 * contact the remote host
						 * directly (if needed).
						 * - on input, we accept on if
						 * the inner source is the
						 * same as the outer source
						 * address, or if transport
						 * mode was used.
						 */

	u_int64_t		ipo_last_searched;	/* Timestamp of last lookup */

	u_int8_t		ipo_flags;	/* See IPSP_POLICY_* definitions */
	u_int8_t		ipo_type;	/* USE/ACQUIRE/...; IPSP_* below */
	u_int8_t		ipo_sproto;	/* ESP/AH; if zero, use system dflts */
	u_int			ipo_rdomain;	/* routing domain this policy lives in */

	int                     ipo_ref_count;	/* ipsec_delete_policy() presumably
						 * frees only when this drops to 0 */

	struct tdb		*ipo_tdb;		/* Cached entry */

	struct ipsec_ids	*ipo_ids;	/* required peer identities, or NULL */

	TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */
	TAILQ_ENTRY(ipsec_policy)	ipo_tdb_next;	/* List TDB policies */
	TAILQ_ENTRY(ipsec_policy)	ipo_list;	/* List of all policies */
};
290
291#define	IPSP_POLICY_NONE	0x0000	/* No flags set */
292#define	IPSP_POLICY_STATIC	0x0002	/* Static policy */
293
294#define	IPSP_IPSEC_USE		0	/* Use if existing, don't acquire */
295#define	IPSP_IPSEC_ACQUIRE	1	/* Try acquire, let packet through */
296#define	IPSP_IPSEC_REQUIRE	2	/* Require SA */
297#define	IPSP_PERMIT		3	/* Permit traffic through */
298#define	IPSP_DENY		4	/* Deny traffic */
299#define	IPSP_IPSEC_DONTACQ	5	/* Require, but don't acquire */
300
301/* Identity types */
302#define	IPSP_IDENTITY_NONE		0
303#define	IPSP_IDENTITY_PREFIX		1
304#define	IPSP_IDENTITY_FQDN		2
305#define	IPSP_IDENTITY_USERFQDN		3
306#define	IPSP_IDENTITY_ASN1_DN		4
307
/*
 * Tunnel descriptor block: the kernel's record of one IPsec Security
 * Association.  A TDB is found by the (rdomain, spi, dst, sproto)
 * tuple -- see gettdb_dir() and struct tdb_ident below -- and carries
 * the transform to run, the raw keys, lifetime/expiration bookkeeping,
 * the anti-replay window and the traffic filter the SA is allowed to
 * carry.
 */
struct tdb {				/* tunnel descriptor block */
	/*
	 * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
	 * one keyed on dst/sproto, and one keyed on src/sproto. The first
	 * is used for finding a specific TDB, the second for finding TDBs
	 * for outgoing policy matching, and the third for incoming
	 * policy matching. The following three fields maintain the hash
	 * queues in those three tables.
	 */
	struct tdb	*tdb_hnext;	/* dst/spi/sproto table */
	struct tdb	*tdb_dnext;	/* dst/sproto table */
	struct tdb	*tdb_snext;	/* src/sproto table */
	struct tdb	*tdb_inext;	/* NOTE(review): not documented here; the
					 * names suggest input/output SA chaining */
	struct tdb	*tdb_onext;

	struct xformsw		*tdb_xform;		/* Transform to use */
	struct enc_xform	*tdb_encalgxform;	/* Enc algorithm */
	struct auth_hash	*tdb_authalgxform;	/* Auth algorithm */
	struct comp_algo	*tdb_compalgxform;	/* Compression algo */

	/* Bits for tdb_flags. */
#define	TDBF_UNIQUE		0x00001	/* This should not be used by others */
#define	TDBF_TIMER		0x00002	/* Absolute expiration timer in use */
#define	TDBF_BYTES		0x00004	/* Check the byte counters */
#define	TDBF_ALLOCATIONS	0x00008	/* Check the flows counters */
#define	TDBF_INVALID		0x00010	/* This SPI is not valid yet/anymore */
#define	TDBF_FIRSTUSE		0x00020	/* Expire after first use */
#define	TDBF_SOFT_TIMER		0x00080	/* Soft expiration */
#define	TDBF_SOFT_BYTES		0x00100	/* Soft expiration */
#define	TDBF_SOFT_ALLOCATIONS	0x00200	/* Soft expiration */
#define	TDBF_SOFT_FIRSTUSE	0x00400	/* Soft expiration */
#define	TDBF_PFS		0x00800	/* Ask for PFS from Key Mgmt. */
#define	TDBF_TUNNELING		0x01000	/* Force IP-IP encapsulation */
#define	TDBF_USEDTUNNEL		0x10000	/* Appended a tunnel header in past */
#define	TDBF_UDPENCAP		0x20000	/* UDP encapsulation */
#define	TDBF_PFSYNC		0x40000	/* TDB will be synced */
#define	TDBF_PFSYNC_RPL		0x80000	/* Replay counter should be bumped */
#define	TDBF_ESN		0x100000 /* 64-bit sequence numbers (ESN) */

	u_int32_t	tdb_flags;	/* Flags related to this TDB, TDBF_* */

	/* One timeout per expiration kind: hard/soft absolute, hard/soft first-use. */
	struct timeout	tdb_timer_tmo;
	struct timeout	tdb_first_tmo;
	struct timeout	tdb_stimer_tmo;
	struct timeout	tdb_sfirst_tmo;

	u_int32_t	tdb_seq;		/* Tracking number for PFKEY */
	u_int32_t	tdb_exp_allocations;	/* Expire after so many flows */
	u_int32_t	tdb_soft_allocations;	/* Expiration warning */
	u_int32_t	tdb_cur_allocations;	/* Total number of allocs */

	u_int64_t	tdb_exp_bytes;	/* Expire after so many bytes passed */
	u_int64_t	tdb_soft_bytes;	/* Expiration warning */
	u_int64_t	tdb_cur_bytes;	/* Current count of bytes */

	u_int64_t	tdb_exp_timeout;	/* When does the SPI expire */
	u_int64_t	tdb_soft_timeout;	/* Send soft-expire warning */
	u_int64_t	tdb_established;	/* When was SPI established */

	u_int64_t	tdb_first_use;		/* When was it first used */
	u_int64_t	tdb_soft_first_use;	/* Soft warning */
	u_int64_t	tdb_exp_first_use;	/* Expire if tdb_first_use +
						 * tdb_exp_first_use <= curtime
						 */

	u_int64_t	tdb_last_used;	/* When was this SA last used */
	u_int64_t	tdb_last_marked;/* Last SKIPCRYPTO status change */

	struct tdb_data	tdb_data;	/* stats about this TDB; tdb_ipackets etc. */
	u_int64_t	tdb_cryptoid;	/* Crypto session ID */

	u_int32_t	tdb_spi;	/* SPI */
	u_int16_t	tdb_amxkeylen;	/* Raw authentication key length */
	u_int16_t	tdb_emxkeylen;	/* Raw encryption key length */
	u_int16_t	tdb_ivlen;	/* IV length */
	u_int8_t	tdb_sproto;	/* IPsec protocol */
	u_int8_t	tdb_wnd;	/* Replay window */
	u_int8_t	tdb_satype;	/* SA type (RFC2367, PF_KEY) */
	u_int8_t	tdb_updates;	/* pfsync update counter */

	union sockaddr_union	tdb_dst;	/* Destination address */
	union sockaddr_union	tdb_src;	/* Source address */

	/*
	 * Raw key material, tdb_amxkeylen/tdb_emxkeylen bytes long.  This
	 * is the long-lived secret of the SA.  NOTE(review): whatever tears
	 * a TDB down (tdb_free()/the transform's xf_zeroize hook, declared
	 * below) is expected to scrub these buffers before releasing them;
	 * that code is not visible in this header -- confirm.
	 */
	u_int8_t	*tdb_amxkey;	/* Raw authentication key */
	u_int8_t	*tdb_emxkey;	/* Raw encryption key */

#define TDB_REPLAYWASTE	32
#define TDB_REPLAYMAX	(2100+TDB_REPLAYWASTE)

	/*
	 * Anti-replay state, maintained by checkreplaywindow().  tdb_seen
	 * is a bitmap of howmany(TDB_REPLAYMAX, 32) 32-bit words (67 with
	 * the values above); tdb_rpl is 64 bits wide so that extended
	 * sequence numbers (TDBF_ESN) fit.
	 */
	u_int64_t	tdb_rpl;	/* Replay counter */
	u_int32_t	tdb_seen[howmany(TDB_REPLAYMAX, 32)]; /* Anti-replay window */

	u_int8_t	tdb_iv[4];	/* Used for HALF-IV ESP */

	struct ipsec_ids	*tdb_ids;	/* Src/Dst ID for this SA */
	int		tdb_ids_swapped;	/* XXX */

	u_int32_t	tdb_mtu;	/* MTU at this point in the chain */
	u_int64_t	tdb_mtutimeout;	/* When to ignore this entry */

	u_int16_t	tdb_udpencap_port;	/* Peer UDP port */

	u_int16_t	tdb_tag;		/* Packet filter tag */
	u_int32_t	tdb_tap;		/* Alternate enc(4) interface */

	u_int		tdb_rdomain;		/* Routing domain */
	u_int		tdb_rdomain_post;	/* Change domain */

	/* Traffic selector: only packets matching this may use the SA. */
	struct sockaddr_encap   tdb_filter; /* What traffic is acceptable */
	struct sockaddr_encap   tdb_filtermask; /* And the mask */

	TAILQ_HEAD(tdb_policy_head, ipsec_policy)	tdb_policy_head; /* policies with ipo_tdb == this */
	TAILQ_ENTRY(tdb)	tdb_sync_entry;	/* pfsync queue linkage */
};
421#define tdb_ipackets		tdb_data.tdd_ipackets
422#define tdb_opackets		tdb_data.tdd_opackets
423#define tdb_ibytes		tdb_data.tdd_ibytes
424#define tdb_obytes		tdb_data.tdd_obytes
425#define tdb_idrops		tdb_data.tdd_idrops
426#define tdb_odrops		tdb_data.tdd_odrops
427#define tdb_idecompbytes	tdb_data.tdd_idecompbytes
428#define tdb_ouncompbytes	tdb_data.tdd_ouncompbytes
429
430
/*
 * Everything needed to find a TDB again: the same (rdomain, spi, dst,
 * proto) tuple gettdb_dir() takes.  Carried instead of a struct tdb
 * pointer where the TDB might be deleted in the meantime.
 */
struct tdb_ident {
	u_int32_t spi;			/* SPI of the SA */
	union sockaddr_union dst;	/* destination address of the SA */
	u_int8_t proto;			/* IPsec protocol (AH/ESP/...) */
	u_int rdomain;			/* routing domain */
};
437
/*
 * Context handed to the *_input_cb()/*_output_cb() transform callbacks
 * once an asynchronous crypto operation completes.  The tc_spi/tc_dst/
 * tc_proto/tc_rdomain tuple identifies the TDB the way struct tdb_ident
 * does; tc_protoff and tc_skip are header offsets into the mbuf
 * recorded before the operation was queued.
 */
struct tdb_crypto {
	u_int32_t		tc_spi;		/* SPI of the SA */
	union sockaddr_union	tc_dst;		/* destination address of the SA */
	u_int8_t		tc_proto;	/* IPsec protocol */
	int			tc_protoff;	/* offset of the protocol field */
	int			tc_skip;	/* bytes to skip to reach the payload */
	u_int			tc_rdomain;	/* routing domain */
};
446
/*
 * Parameters passed to tdb_init() and a transform's xf_init hook when
 * an SA is created: the algorithm selections and the raw keys.
 * NOTE(review): who owns (frees, scrubs) the key buffers after xf_init
 * returns is not stated here -- confirm in the callers.
 */
struct ipsecinit {
	u_int8_t	*ii_enckey;	/* raw encryption key, ii_enckeylen bytes */
	u_int8_t	*ii_authkey;	/* raw authentication key, ii_authkeylen bytes */
	u_int16_t	ii_enckeylen;
	u_int16_t	ii_authkeylen;
	u_int8_t	ii_encalg;	/* encryption algorithm id */
	u_int8_t	ii_authalg;	/* authentication algorithm id */
	u_int8_t	ii_compalg;	/* compression algorithm id */
};
456
457/* xform IDs */
458#define	XF_IP4		1	/* IP inside IP */
459#define	XF_AH		2	/* AH */
460#define	XF_ESP		3	/* ESP */
461#define	XF_TCPSIGNATURE	5	/* TCP MD5 Signature option, RFC 2358 */
462#define	XF_IPCOMP	6	/* IPCOMP */
463
464/* xform attributes */
465#define	XFT_AUTH	0x0001
466#define	XFT_CONF	0x0100
467#define	XFT_COMP	0x1000
468
469#define	IPSEC_ZEROES_SIZE	256	/* Larger than an IP6 extension hdr. */
470
/*
 * Transform switch: dispatch table for one IPsec transform (AH, ESP,
 * IPCOMP, IP-in-IP, TCP signature).  Each hook's signature matches the
 * per-transform prototypes declared further down (ah_init, esp_input,
 * ipcomp_output, ...).  xf_type is one of the XF_* ids and xf_flags a
 * combination of the XFT_* attributes defined above.
 * NOTE(review): xf_name is only ever a human-readable label; it could
 * be declared const char *.
 */
struct xformsw {
	u_short	xf_type;		/* Unique ID of xform, XF_* */
	u_short	xf_flags;		/* flags (see below), XFT_* */
	char	*xf_name;		/* human-readable name */
	int	(*xf_attach)(void);	/* called at config time */
	int	(*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *); /* set up an SA */
	int	(*xf_zeroize)(struct tdb *); /* termination */
	int	(*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */
	int	(*xf_output)(struct mbuf *, struct tdb *, struct mbuf **,
	    int, int);        /* output */
};
482
483extern int ipsec_in_use;
484extern u_int64_t ipsec_last_added;
485extern int encdebug;			/* enable message reporting */
486
487extern int ipsec_keep_invalid;		/* lifetime of embryonic SAs (in sec) */
488extern int ipsec_require_pfs;		/* use Perfect Forward Secrecy */
489extern int ipsec_expire_acquire;	/* wait for security assoc. (in sec) */
490extern int ipsec_soft_allocations;	/* flows/SA before renegotiation */
491extern int ipsec_exp_allocations;	/* num. of flows/SA before it expires */
492extern int ipsec_soft_bytes;		/* bytes/SA before renegotiation */
493extern int ipsec_exp_bytes;		/* num of bytes/SA before it expires */
494extern int ipsec_soft_timeout;		/* seconds/SA before renegotiation */
495extern int ipsec_exp_timeout;		/* seconds/SA before it expires */
496extern int ipsec_soft_first_use;	/* seconds between 1st asso & renego */
497extern int ipsec_exp_first_use;		/* seconds between 1st asso & expire */
498
499/*
500 * Names for IPsec sysctl objects
501 */
502#define	IPSEC_ENCDEBUG			IPCTL_ENCDEBUG			/* 12 */
503#define	IPSEC_STATS			IPCTL_IPSEC_STATS		/* 13 */
504#define IPSEC_EXPIRE_ACQUIRE		IPCTL_IPSEC_EXPIRE_ACQUIRE	/* 14 */
505#define IPSEC_EMBRYONIC_SA_TIMEOUT	IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT/* 15 */
506#define IPSEC_REQUIRE_PFS		IPCTL_IPSEC_REQUIRE_PFS		/* 16 */
507#define IPSEC_SOFT_ALLOCATIONS          IPCTL_IPSEC_SOFT_ALLOCATIONS	/* 17 */
508#define IPSEC_ALLOCATIONS		IPCTL_IPSEC_ALLOCATIONS		/* 18 */
509#define IPSEC_SOFT_BYTES		IPCTL_IPSEC_SOFT_BYTES		/* 19 */
510#define IPSEC_BYTES			IPCTL_IPSEC_BYTES		/* 20 */
511#define IPSEC_TIMEOUT			IPCTL_IPSEC_TIMEOUT		/* 21 */
512#define IPSEC_SOFT_TIMEOUT		IPCTL_IPSEC_SOFT_TIMEOUT	/* 22 */
513#define IPSEC_SOFT_FIRSTUSE		IPCTL_IPSEC_SOFT_FIRSTUSE	/* 23 */
514#define IPSEC_FIRSTUSE			IPCTL_IPSEC_FIRSTUSE		/* 24 */
515#define IPSEC_MAXID	25
516
517extern char ipsec_def_enc[];
518extern char ipsec_def_auth[];
519extern char ipsec_def_comp[];
520
521extern struct enc_xform enc_xform_des;
522extern struct enc_xform enc_xform_3des;
523extern struct enc_xform enc_xform_blf;
524extern struct enc_xform enc_xform_cast5;
525
526extern struct auth_hash auth_hash_hmac_md5_96;
527extern struct auth_hash auth_hash_hmac_sha1_96;
528extern struct auth_hash auth_hash_hmac_ripemd_160_96;
529
530extern struct comp_algo comp_algo_deflate;
531
532extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;
533
534struct cryptop;
535
536/* Misc. */
537#ifdef ENCDEBUG
538const char *ipsp_address(union sockaddr_union *, char *, socklen_t);
539#endif /* ENCDEBUG */
540
541/* SPD tables */
542struct radix_node_head *spd_table_add(unsigned int);
543struct radix_node_head *spd_table_get(unsigned int);
544int spd_table_walk(unsigned int,
545    int (*walker)(struct ipsec_policy *, void *, unsigned int), void *);
546
547/* TDB management routines */
548uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *,
549		union sockaddr_union *, u_int8_t, int *);
550struct	tdb *gettdb_dir(u_int, u_int32_t, union sockaddr_union *, u_int8_t, int);
551#define gettdb(a,b,c,d)		gettdb_dir((a),(b),(c),(d),0)
552#define gettdb_rev(a,b,c,d)	gettdb_dir((a),(b),(c),(d),1)
553struct	tdb *gettdbbydst(u_int, union sockaddr_union *, u_int8_t,
554		struct ipsec_ids *,
555		struct sockaddr_encap *, struct sockaddr_encap *);
556struct	tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t,
557		struct ipsec_ids *,
558		struct sockaddr_encap *, struct sockaddr_encap *);
559struct	tdb *gettdbbysrcdst_dir(u_int, u_int32_t, union sockaddr_union *,
560		union sockaddr_union *, u_int8_t, int);
561#define gettdbbysrcdst(a,b,c,d,e) gettdbbysrcdst_dir((a),(b),(c),(d),(e),0)
562#define gettdbbysrcdst_rev(a,b,c,d,e) gettdbbysrcdst_dir((a),(b),(c),(d),(e),1)
563void	puttdb(struct tdb *);
564void	tdb_delete(struct tdb *);
565struct	tdb *tdb_alloc(u_int);
566void	tdb_free(struct tdb *);
567int	tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
568void	tdb_unlink(struct tdb *);
569int	tdb_walk(u_int, int (*)(struct tdb *, void *, int), void *);
570
571/* XF_IP4 */
572int	ipe4_attach(void);
573int	ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
574int	ipe4_zeroize(struct tdb *);
575int	ipe4_input(struct mbuf *, struct tdb *, int, int);
576
577/* XF_AH */
578int 	ah_attach(void);
579int 	ah_init(struct tdb *, struct xformsw *, struct ipsecinit *);
580int 	ah_zeroize(struct tdb *);
581int	ah_input(struct mbuf *, struct tdb *, int, int);
582int	ah_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int);
583int	ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
584int	ah_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
585	    int);
586int	ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);
587
588int	ah4_input(struct mbuf **, int *, int, int);
589void	ah4_ctlinput(int, struct sockaddr *, u_int, void *);
590void	udpencap_ctlinput(int, struct sockaddr *, u_int, void *);
591
592#ifdef INET6
593int	ah6_input(struct mbuf **, int *, int, int);
594#endif /* INET6 */
595
596/* XF_ESP */
597int	esp_attach(void);
598int	esp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
599int	esp_zeroize(struct tdb *);
600int	esp_input(struct mbuf *, struct tdb *, int, int);
601int	esp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int);
602int	esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
603int	esp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
604	    int);
605int	esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
606
607int	esp4_input(struct mbuf **, int *, int, int);
608void	esp4_ctlinput(int, struct sockaddr *, u_int, void *);
609
610#ifdef INET6
611int 	esp6_input(struct mbuf **, int *, int, int);
612#endif /* INET6 */
613
614/* XF_IPCOMP */
615int	ipcomp_attach(void);
616int	ipcomp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
617int	ipcomp_zeroize(struct tdb *);
618int	ipcomp_input(struct mbuf *, struct tdb *, int, int);
619int	ipcomp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int);
620int	ipcomp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
621int	ipcomp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
622	    int);
623int	ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
624int	ipcomp4_input(struct mbuf **, int *, int, int);
625#ifdef INET6
626int	ipcomp6_input(struct mbuf **, int *, int, int);
627#endif /* INET6 */
628
629/* XF_TCPSIGNATURE */
630int	tcp_signature_tdb_attach(void);
631int	tcp_signature_tdb_init(struct tdb *, struct xformsw *,
632	    struct ipsecinit *);
633int	tcp_signature_tdb_zeroize(struct tdb *);
634int	tcp_signature_tdb_input(struct mbuf *, struct tdb *, int, int);
635int	tcp_signature_tdb_output(struct mbuf *, struct tdb *, struct mbuf **,
636	  int, int);
637
638/* Replay window */
639int	checkreplaywindow(struct tdb *, u_int32_t, u_int32_t *, int);
640
641/* Packet processing */
642int	ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
643int	ipsp_process_done(struct mbuf *, struct tdb *);
644struct	tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int,
645	    struct tdb *, struct inpcb *, u_int32_t);
646struct	tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int,
647	    struct tdb *, struct inpcb *, struct ipsec_policy *);
648int	ipsp_is_unspecified(union sockaddr_union);
649int	ipsp_aux_match(struct tdb *, struct ipsec_ids *,
650	    struct sockaddr_encap *, struct sockaddr_encap *);
651int	ipsp_ids_match(struct ipsec_ids *, struct ipsec_ids *);
652struct ipsec_ids *ipsp_ids_insert(struct ipsec_ids *);
653struct ipsec_ids *ipsp_ids_lookup(u_int32_t);
654void	ipsp_ids_free(struct ipsec_ids *);
655
656void	ipsec_init(void);
657int	ipsec_sysctl(int *, u_int, void *, size_t *, void *, size_t);
658int	ipsec_common_input(struct mbuf *, int, int, int, int, int);
659void	ipsec_input_cb(struct cryptop *);
660void	ipsec_output_cb(struct cryptop *);
661int	ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int);
662int	ipsec_delete_policy(struct ipsec_policy *);
663ssize_t	ipsec_hdrsz(struct tdb *);
664void	ipsec_adjust_mtu(struct mbuf *, u_int32_t);
665struct	ipsec_acquire *ipsec_get_acquire(u_int32_t);
666int	ipsec_forward_check(struct mbuf *, int, int);
667int	ipsec_local_check(struct mbuf *, int, int, int);
668
669#endif /* _KERNEL */
670#endif /* _NETINET_IPSP_H_ */
671