1/*	$OpenBSD: ip_ipsp.h,v 1.237 2022/03/13 21:38:32 bluhm Exp $	*/
2/*
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr),
5 * Niels Provos (provos@physnet.uni-hamburg.de) and
6 * Niklas Hallqvist (niklas@appli.se).
7 *
8 * The original version of this code was written by John Ioannidis
9 * for BSD/OS in Athens, Greece, in November 1995.
10 *
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
13 *
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15 * and Niels Provos.
16 *
17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
18 *
19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20 * Angelos D. Keromytis and Niels Provos.
21 * Copyright (c) 1999 Niklas Hallqvist.
22 * Copyright (c) 2001, Angelos D. Keromytis.
23 *
24 * Permission to use, copy, and modify this software with or without fee
25 * is hereby granted, provided that this entire notice is included in
26 * all copies of any software which is or includes a copy or
27 * modification of this software.
28 * You may use this code under the GNU public license if you so wish. Please
29 * contribute changes back to the authors under this freer than GPL license
30 * so that we may further the use of strong encryption without limitations to
31 * all.
32 *
33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37 * PURPOSE.
38 */
39
40#ifndef _NETINET_IPSP_H_
41#define _NETINET_IPSP_H_
42
43/*
44 * Locks used to protect struct members in this file:
45 *	I	immutable after creation
46 *	a	atomic operations
47 *	N	net lock
48 *	A	ipsec_acquire_mtx
49 *	F	ipsec_flows_mtx
50 *	m	tdb_mtx			fields of struct tdb
51 *	p	ipo_tdb_mtx		link policy to TDB global mutex
52 *	s	tdb_sadb_mtx		SA database global mutex
53 */
54
55/* IPSP global definitions. */
56
57#include <sys/types.h>
58#include <netinet/in.h>
59
/*
 * A socket address of either IP family in one piece of storage.  The
 * generic sa view lets callers look at the family before picking sin or
 * sin6.  Used for SA endpoints (tdb_src/tdb_dst), policy endpoints
 * (ipo_src/ipo_dst) and acquire addresses (ipa_addr) in this file.
 */
union sockaddr_union {
	struct sockaddr		sa;	/* generic view (family, length) */
	struct sockaddr_in	sin;	/* IPv4 */
	struct sockaddr_in6	sin6;	/* IPv6 */
};
65
66#define	AH_HMAC_MAX_HASHLEN	32	/* 256 bits of authenticator for SHA512 */
67#define	AH_HMAC_RPLENGTH	4	/* 32 bits of replay counter */
68#define	AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */
69
70/* Authenticator lengths */
71#define	AH_MD5_ALEN		16
72#define	AH_SHA1_ALEN		20
73#define	AH_RMD160_ALEN		20
74#define	AH_SHA2_256_ALEN	32
75#define	AH_SHA2_384_ALEN	48
76#define	AH_SHA2_512_ALEN	64
77#define	AH_ALEN_MAX		64	/* Keep updated */
78
79/* Reserved SPI numbers */
80#define	SPI_LOCAL_USE		0
81#define	SPI_RESERVED_MIN	1
82#define	SPI_RESERVED_MAX	255
83
84/* Reserved CPI numbers */
85#define CPI_RESERVED_MIN	1
86#define CPI_RESERVED_MAX	255
87#define CPI_PRIVATE_MIN		61440
88#define CPI_PRIVATE_MAX		65535
89
90/* sysctl default values */
91#define	IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT	60	/* 1 minute */
92#define	IPSEC_DEFAULT_PFS			1
93#define	IPSEC_DEFAULT_SOFT_ALLOCATIONS		0
94#define	IPSEC_DEFAULT_EXP_ALLOCATIONS		0
95#define	IPSEC_DEFAULT_SOFT_BYTES		0
96#define	IPSEC_DEFAULT_EXP_BYTES			0
97#define	IPSEC_DEFAULT_SOFT_TIMEOUT		80000
98#define	IPSEC_DEFAULT_EXP_TIMEOUT		86400
99#define	IPSEC_DEFAULT_SOFT_FIRST_USE		3600
100#define	IPSEC_DEFAULT_EXP_FIRST_USE		7200
101#define	IPSEC_DEFAULT_DEF_ENC			"aes"
102#define	IPSEC_DEFAULT_DEF_AUTH			"hmac-sha1"
103#define	IPSEC_DEFAULT_EXPIRE_ACQUIRE		30
104#define	IPSEC_DEFAULT_DEF_COMP			"deflate"
105
/*
 * Flow selector dressed up as a sockaddr so it can live in a radix tree.
 * It is always used as an address/mask pair: ipo_addr/ipo_mask in struct
 * ipsec_policy, ipa_info/ipa_mask in struct ipsec_acquire and
 * tdb_filter/tdb_filtermask in struct tdb.  sen_type says which member
 * of Sen is live (SENT_IP4 or SENT_IP6, defined further down); the
 * sen_* accessor macros below reach the members by name.  Only Sip4 and
 * Sip6 are declared here, although a sen_data macro naming Sen.Data
 * still exists below.
 */
struct sockaddr_encap {
	u_int8_t	sen_len;		/* length */
	u_int8_t	sen_family;		/* PF_KEY */
	u_int16_t	sen_type;		/* see SENT_* */
	union {
		struct {				/* SENT_IP4 */
			u_int8_t	Direction;	/* see IPSP_DIRECTION_* below */
			struct in_addr	Src;
			struct in_addr	Dst;
			u_int8_t	Proto;		/* IP protocol number */
			u_int16_t	Sport;		/* transport source port */
			u_int16_t	Dport;		/* transport destination port */
		} Sip4;

		struct {				/* SENT_IP6 */
			u_int8_t	Direction;	/* see IPSP_DIRECTION_* below */
			struct in6_addr	Src;
			struct in6_addr	Dst;
			u_int8_t	Proto;		/* IP protocol number */
			u_int16_t	Sport;		/* transport source port */
			u_int16_t	Dport;		/* transport destination port */
		} Sip6;
	} Sen;
};
130
131#define	IPSP_DIRECTION_IN	0x1
132#define	IPSP_DIRECTION_OUT	0x2
133
/*
 * IPsec statistics in the form handed to userland (presumably via the
 * IPSEC_STATS sysctl named below).  This struct is declared outside
 * _KERNEL, so its field order is ABI.  In the kernel the per-CPU
 * counters are indexed by enum ipsec_counters, which lists the same
 * names in the same order; the two must be kept in step.
 */
struct ipsecstat {
	uint64_t	ipsec_tunnels;		/* Number of active tunnels */
	uint64_t	ipsec_prevtunnels;	/* Past number of tunnels */
	uint64_t	ipsec_ipackets;		/* Input IPsec packets */
	uint64_t	ipsec_opackets;		/* Output IPsec packets */
	uint64_t	ipsec_ibytes;		/* Input bytes */
	uint64_t	ipsec_obytes;		/* Output bytes */
	uint64_t	ipsec_idecompbytes;	/* Input bytes, decompressed */
	uint64_t	ipsec_ouncompbytes;	/* Output bytes, uncompressed */
	uint64_t	ipsec_idrops;		/* Dropped on input */
	uint64_t	ipsec_odrops;		/* Dropped on output */
	uint64_t	ipsec_crypto;		/* Crypto processing failure */
	uint64_t	ipsec_notdb;		/* No TDB was found */
	uint64_t	ipsec_noxform;		/* Crypto error */
	uint64_t	ipsec_exctdb;		/* TDBs with hardlimit excess */
};
150
151#ifdef _KERNEL
152
153#include <sys/timeout.h>
154#include <sys/tree.h>
155#include <sys/queue.h>
156#include <net/radix.h>
157#include <sys/percpu.h>
158
/*
 * Indices into the per-CPU ipseccounters array used by the ipsecstat_*
 * helpers below.  The order mirrors the fields of struct ipsecstat
 * above, one enumerator per field; ipsec_ncounters is the element count
 * and not a counter itself.
 */
enum ipsec_counters {
	ipsec_tunnels,
	ipsec_prevtunnels,
	ipsec_ipackets,
	ipsec_opackets,
	ipsec_ibytes,
	ipsec_obytes,
	ipsec_idecompbytes,
	ipsec_ouncompbytes,
	ipsec_idrops,
	ipsec_odrops,
	ipsec_crypto,
	ipsec_notdb,
	ipsec_noxform,
	ipsec_exctdb,
	ipsec_ncounters		/* number of counters, not a counter */
};
176
177extern struct cpumem *ipseccounters;
178
/*
 * Increment global IPsec counter c by one on the current CPU's slice of
 * the ipseccounters percpu memory.
 */
static inline void
ipsecstat_inc(enum ipsec_counters c)
{
	struct cpumem *cm = ipseccounters;

	counters_inc(cm, c);
}
184
/*
 * Decrement global IPsec counter c by one on the current CPU's slice of
 * the ipseccounters percpu memory.
 */
static inline void
ipsecstat_dec(enum ipsec_counters c)
{
	struct cpumem *cm = ipseccounters;

	counters_dec(cm, c);
}
190
/*
 * Add v to global IPsec counter c on the current CPU's slice of the
 * ipseccounters percpu memory.
 */
static inline void
ipsecstat_add(enum ipsec_counters c, uint64_t v)
{
	struct cpumem *cm = ipseccounters;

	counters_add(cm, c, v);
}
196
/*
 * Account one packet of v bytes in the global IPsec counters: p is the
 * packet counter and b the byte counter (naming as in tdbstat_pkt()
 * below; the exact split is done by counters_pkt()).
 */
static inline void
ipsecstat_pkt(enum ipsec_counters p, enum ipsec_counters b, uint64_t v)
{
	struct cpumem *cm = ipseccounters;

	counters_pkt(cm, p, b, v);
}
202
203struct m_tag;
204
205#define	sen_data		Sen.Data
206#define	sen_ip_src		Sen.Sip4.Src
207#define	sen_ip_dst		Sen.Sip4.Dst
208#define	sen_proto		Sen.Sip4.Proto
209#define	sen_sport		Sen.Sip4.Sport
210#define	sen_dport		Sen.Sip4.Dport
211#define	sen_direction		Sen.Sip4.Direction
212#define	sen_ip6_src		Sen.Sip6.Src
213#define	sen_ip6_dst		Sen.Sip6.Dst
214#define	sen_ip6_proto		Sen.Sip6.Proto
215#define	sen_ip6_sport		Sen.Sip6.Sport
216#define	sen_ip6_dport		Sen.Sip6.Dport
217#define	sen_ip6_direction	Sen.Sip6.Direction
218
219/*
220 * The "type" is really part of the address as far as the routing
221 * system is concerned. By using only one bit in the type field
222 * for each type, we sort-of make sure that different types of
223 * encapsulation addresses won't be matched against the wrong type.
224 *
225 */
226
227#define	SENT_IP4	0x0001		/* data is two struct in_addr */
228#define	SENT_IP6	0x0002
229
230#define	SENT_LEN	sizeof(struct sockaddr_encap)
231
/*
 * Header of a variable-length identity blob: a type tag followed by
 * len bytes of data.  len is a signed 16-bit value.  Any code that
 * fills this in from data received from outside the kernel (key
 * management, presumably over PF_KEY) has to reject negative and
 * oversized values before using len as a byte count; nothing in this
 * header enforces that.
 */
struct ipsec_id {
	u_int16_t	type;		/* Subtype of data, see IPSP_IDENTITY_* */
	int16_t		len;		/* Length of data following; signed, validate before use */
};
236
/*
 * A local/remote identity pair shared between policies (ipo_ids) and
 * SAs (tdb_ids).  Entries sit in two red-black trees, one keyed on the
 * identities themselves (id_node_id) and one on id_flow (id_node_flow);
 * see ipsp_ids_insert()/ipsp_ids_lookup().  The id_gc_list/id_gc_ttl
 * pair presumably delays freeing once the refcount hits zero — confirm
 * in ipsp_ids_free().  Lock letters: [I] immutable, [a] atomic,
 * [F] ipsec_flows_mtx.
 */
struct ipsec_ids {
	LIST_ENTRY(ipsec_ids)	id_gc_list;	/* [F] */
	RBT_ENTRY(ipsec_ids)	id_node_id;	/* [F] tree keyed on identities */
	RBT_ENTRY(ipsec_ids)	id_node_flow;	/* [F] tree keyed on id_flow */
	struct ipsec_id		*id_local;	/* [I] */
	struct ipsec_id		*id_remote;	/* [I] */
	u_int32_t		id_flow;	/* [I] */
	u_int			id_refcount;	/* [a] */
	u_int			id_gc_ttl;	/* [F] */
};
RBT_HEAD(ipsec_ids_flows, ipsec_ids);	/* tree type for id_node_flow */
RBT_HEAD(ipsec_ids_tree, ipsec_ids);	/* tree type for id_node_id */
249
/*
 * An outstanding request to key management for an SA that satisfies a
 * policy.  Each acquire is linked both per policy (ipa_ipo_next) and on
 * a global list (ipa_next), all under ipsec_acquire_mtx ([A]).
 * ipa_timeout presumably bounds how long the request is kept (cf. the
 * ipsec_expire_acquire tunable below) — confirm in the .c file.
 */
struct ipsec_acquire {
	union sockaddr_union		ipa_addr;
	u_int32_t			ipa_seq;	/* sequence number, cf. ipsec_get_acquire() */
	struct sockaddr_encap		ipa_info;	/* flow selector */
	struct sockaddr_encap		ipa_mask;	/* and its mask */
	struct refcnt			ipa_refcnt;	/* see ipsec_unref_acquire() */
	struct timeout			ipa_timeout;
	struct ipsec_policy		*ipa_policy;	/* [A] back pointer */
	TAILQ_ENTRY(ipsec_acquire)	ipa_ipo_next;	/* [A] per policy */
	TAILQ_ENTRY(ipsec_acquire)	ipa_next;	/* [A] global list */
};

TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire);
263
/*
 * One entry of the security policy database (SPD).  The flow selector
 * ipo_addr/ipo_mask is the radix-tree key (ipo_nodes is the tree glue);
 * ipo_type says what to do with matching traffic (IPSP_IPSEC_* /
 * IPSP_PERMIT / IPSP_DENY below).  Lock letters: [p] ipo_tdb_mtx,
 * [A] ipsec_acquire_mtx.
 */
struct ipsec_policy {
	struct radix_node	ipo_nodes[2];	/* radix tree glue */
	struct sockaddr_encap	ipo_addr;	/* flow selector (tree key) */
	struct sockaddr_encap	ipo_mask;	/* mask for ipo_addr */

	union sockaddr_union	ipo_src;	/* Local address to use */
	union sockaddr_union	ipo_dst;	/* Remote gateway -- if it's zeroed:
						 * - on output, we try to
						 * contact the remote host
						 * directly (if needed).
						 * - on input, we accept only if
						 * the inner source is the
						 * same as the outer source
						 * address, or if transport
						 * mode was used.
						 */

	u_int64_t	ipo_last_searched;	/* [p] Timestamp of lookup */

	u_int8_t		ipo_flags;	/* See IPSP_POLICY_* definitions */
	u_int8_t		ipo_type;	/* USE/ACQUIRE/...: IPSP_* below */
	u_int8_t		ipo_sproto;	/* ESP/AH; if zero, use system dflts */
	u_int			ipo_rdomain;	/* routing domain */

	struct refcnt		ipo_refcnt;

	struct tdb		*ipo_tdb;	/* [p] Cached TDB entry */

	struct ipsec_ids	*ipo_ids;	/* identity pair to match, if any */

	struct ipsec_acquire_head ipo_acquires;	/* [A] List of acquires */
	TAILQ_ENTRY(ipsec_policy) ipo_tdb_next;	/* [p] List TDB policies */
	TAILQ_ENTRY(ipsec_policy) ipo_list;	/* List of all policies */
};
298
299#define	IPSP_POLICY_NONE	0x0000	/* No flags set */
300#define	IPSP_POLICY_STATIC	0x0002	/* Static policy */
301
302#define	IPSP_IPSEC_USE		0	/* Use if existing, don't acquire */
303#define	IPSP_IPSEC_ACQUIRE	1	/* Try acquire, let packet through */
304#define	IPSP_IPSEC_REQUIRE	2	/* Require SA */
305#define	IPSP_PERMIT		3	/* Permit traffic through */
306#define	IPSP_DENY		4	/* Deny traffic */
307#define	IPSP_IPSEC_DONTACQ	5	/* Require, but don't acquire */
308
309/* Identity types */
310#define	IPSP_IDENTITY_NONE		0
311#define	IPSP_IDENTITY_PREFIX		1
312#define	IPSP_IDENTITY_FQDN		2
313#define	IPSP_IDENTITY_USERFQDN		3
314#define	IPSP_IDENTITY_ASN1_DN		4
315
/*
 * Tunnel descriptor block: one security association (SA) together with
 * everything needed to apply it — transform and algorithm pointers,
 * raw keys, lifetimes, anti-replay state and the hash-table links.
 * Bracketed letters in field comments name the protecting lock, per
 * the key at the top of this file; fields without a letter carry no
 * annotation in this revision, which should be read as "not yet
 * documented", not as "needs no lock".
 */
struct tdb {				/* tunnel descriptor block */
	/*
	 * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
	 * one keyed on dst/sproto, and one keyed on src/sproto. The first
	 * is used for finding a specific TDB, the second for finding TDBs
	 * for outgoing policy matching, and the third for incoming
	 * policy matching. The following three fields maintain the hash
	 * queues in those three tables.
	 */
	struct tdb	*tdb_hnext;	/* [s] dst/spi/sproto table */
	struct tdb	*tdb_dnext;	/* [s] dst/sproto table */
	struct tdb	*tdb_snext;	/* [s] src/sproto table */
	struct tdb	*tdb_inext;	/* bundle link; presumably inbound side, see tdb_unbundle() */
	struct tdb	*tdb_onext;	/* bundle link; presumably outbound side */
	SIMPLEQ_ENTRY(tdb) tdb_walk;	/* [N] temp list for tdb walker */

	struct refcnt	tdb_refcnt;	/* see tdb_ref()/tdb_unref() */
	struct mutex	tdb_mtx;	/* protects the [m] fields */

	const struct xformsw	*tdb_xform;		/* Transform to use */
	const struct enc_xform	*tdb_encalgxform;	/* Enc algorithm */
	const struct auth_hash	*tdb_authalgxform;	/* Auth algorithm */
	const struct comp_algo	*tdb_compalgxform;	/* Compression algo */

/* Bits of tdb_flags. */
#define	TDBF_UNIQUE		0x00001	/* This should not be used by others */
#define	TDBF_TIMER		0x00002	/* Absolute expiration timer in use */
#define	TDBF_BYTES		0x00004	/* Check the byte counters */
#define	TDBF_ALLOCATIONS	0x00008	/* Check the flows counters */
#define	TDBF_INVALID		0x00010	/* This SPI is not valid yet/anymore */
#define	TDBF_FIRSTUSE		0x00020	/* Expire after first use */
#define	TDBF_DELETED		0x00040	/* This TDB has already been deleted */
#define	TDBF_SOFT_TIMER		0x00080	/* Soft expiration */
#define	TDBF_SOFT_BYTES		0x00100	/* Soft expiration */
#define	TDBF_SOFT_ALLOCATIONS	0x00200	/* Soft expiration */
#define	TDBF_SOFT_FIRSTUSE	0x00400	/* Soft expiration */
#define	TDBF_PFS		0x00800	/* Ask for PFS from Key Mgmt. */
#define	TDBF_TUNNELING		0x01000	/* Force IP-IP encapsulation */
#define	TDBF_USEDTUNNEL		0x10000	/* Appended a tunnel header in past */
#define	TDBF_UDPENCAP		0x20000	/* UDP encapsulation */
#define	TDBF_PFSYNC		0x40000	/* TDB will be synced */
#define	TDBF_PFSYNC_RPL		0x80000	/* Replay counter should be bumped */
#define	TDBF_ESN		0x100000 /* 64-bit sequence numbers (ESN) */

/*
 * "%b"-style bit-name string for tdb_flags: the leading "\20" selects
 * base 16, then each "\N" is the 1-based bit number of the name that
 * follows.  Keep in step with the TDBF_* values above.
 */
#define TDBF_BITS ("\20" \
	"\1UNIQUE\2TIMER\3BYTES\4ALLOCATIONS" \
	"\5INVALID\6FIRSTUSE\7DELETED\10SOFT_TIMER" \
	"\11SOFT_BYTES\12SOFT_ALLOCATIONS\13SOFT_FIRSTUSE\14PFS" \
	"\15TUNNELING" \
	"\21USEDTUNNEL\22UDPENCAP\23PFSYNC\24PFSYNC_RPL" \
	"\25ESN")

	u_int32_t	tdb_flags;	/* [m] Flags related to this TDB */

	/*
	 * One timeout per expiration kind.  The pairing with
	 * TDBF_TIMER / TDBF_FIRSTUSE / TDBF_SOFT_TIMER / TDBF_SOFT_FIRSTUSE
	 * is inferred from the names; see tdb_deltimeouts().
	 */
	struct timeout	tdb_timer_tmo;
	struct timeout	tdb_first_tmo;
	struct timeout	tdb_stimer_tmo;
	struct timeout	tdb_sfirst_tmo;

	u_int32_t	tdb_seq;		/* Tracking number for PFKEY */
	u_int32_t	tdb_exp_allocations;	/* Expire after so many flows */
	u_int32_t	tdb_soft_allocations;	/* Expiration warning */
	u_int32_t	tdb_cur_allocations;	/* Total number of allocs */

	u_int64_t	tdb_exp_bytes;	/* Expire after so many bytes passed */
	u_int64_t	tdb_soft_bytes;	/* Expiration warning */
	u_int64_t	tdb_cur_bytes;	/* Current count of bytes */

	u_int64_t	tdb_exp_timeout;	/* When does the SPI expire */
	u_int64_t	tdb_soft_timeout;	/* Send soft-expire warning */
	u_int64_t	tdb_established;	/* When was SPI established */

	u_int64_t	tdb_first_use;		/* When was it first used */
	u_int64_t	tdb_soft_first_use;	/* Soft warning */
	u_int64_t	tdb_exp_first_use;	/* Expire if tdb_first_use +
						 * tdb_exp_first_use <= curtime
						 */

	u_int64_t	tdb_last_used;	/* When was this SA last used */
	u_int64_t	tdb_last_marked;/* Last SKIPCRYPTO status change */

	struct cpumem   *tdb_counters;  /* stats about this TDB, indexed by enum tdb_counters */

	u_int64_t	tdb_cryptoid;	/* Crypto session ID */

	u_int32_t	tdb_spi;	/* [I] SPI */
	u_int16_t	tdb_amxkeylen;	/* Raw authentication key length */
	u_int16_t	tdb_emxkeylen;	/* Raw encryption key length */
	u_int16_t	tdb_ivlen;	/* IV length */
	u_int8_t	tdb_sproto;	/* [I] IPsec protocol */
	u_int8_t	tdb_wnd;	/* Replay window (8-bit: 0..255) */
	u_int8_t	tdb_satype;	/* SA type (RFC2367, PF_KEY) */
	u_int8_t	tdb_updates;	/* pfsync update counter */

	union sockaddr_union	tdb_dst;	/* [N] Destination address */
	union sockaddr_union	tdb_src;	/* [N] Source address */

	/*
	 * Raw key material, tdb_amxkeylen/tdb_emxkeylen bytes each.  These
	 * are the long-lived copies of the SA keys; the transform's
	 * xf_zeroize hook (struct xformsw) is the termination point where
	 * they are expected to be cleared and released — confirm in the
	 * individual *_zeroize() implementations.  Anything that copies
	 * them elsewhere has to clear its copy as well.
	 */
	u_int8_t	*tdb_amxkey;	/* Raw authentication key */
	u_int8_t	*tdb_emxkey;	/* Raw encryption key */

/*
 * Anti-replay bitmap size in bits.  TDB_REPLAYWASTE is presumably slack
 * beyond the 2100 usable positions; howmany() below rounds the total up
 * to whole 32-bit words.
 */
#define TDB_REPLAYWASTE	32
#define TDB_REPLAYMAX	(2100+TDB_REPLAYWASTE)

	u_int64_t	tdb_rpl;	/* Replay counter; 64-bit so ESN (TDBF_ESN) fits */
	u_int32_t	tdb_seen[howmany(TDB_REPLAYMAX, 32)]; /* Anti-replay window */

	u_int8_t	tdb_iv[4];	/* Used for HALF-IV ESP */

	struct ipsec_ids	*tdb_ids;	/* Src/Dst ID for this SA */
	int		tdb_ids_swapped;	/* XXX: presumably set when local/remote in tdb_ids are reversed */

	u_int32_t	tdb_mtu;	/* MTU at this point in the chain, see ipsec_set_mtu() */
	u_int64_t	tdb_mtutimeout;	/* When to ignore this entry */

	u_int16_t	tdb_udpencap_port;	/* Peer UDP port (TDBF_UDPENCAP) */

	u_int16_t	tdb_tag;		/* Packet filter tag */
	u_int32_t	tdb_tap;		/* Alternate enc(4) interface */

	u_int		tdb_rdomain;		/* [I] Routing domain */
	u_int		tdb_rdomain_post;	/* [I] Change domain */

	struct sockaddr_encap   tdb_filter; /* What traffic is acceptable */
	struct sockaddr_encap   tdb_filtermask; /* And the mask */

	TAILQ_HEAD(tdb_policy_head, ipsec_policy) tdb_policy_head; /* [p] */
	TAILQ_ENTRY(tdb)	tdb_sync_entry;	/* presumably pfsync list, cf. TDBF_PFSYNC */
};
443
/*
 * Indices into a TDB's per-CPU tdb_counters memory, used by the
 * tdbstat_* helpers below.  tdb_ncounters is the element count and not
 * a counter itself.
 */
enum tdb_counters {
	tdb_ipackets,           /* Input IPsec packets */
	tdb_opackets,           /* Output IPsec packets */
	tdb_ibytes,             /* Input bytes */
	tdb_obytes,             /* Output bytes */
	tdb_idrops,             /* Dropped on input */
	tdb_odrops,             /* Dropped on output */
	tdb_idecompbytes,       /* Input bytes, decompressed */
	tdb_ouncompbytes,       /* Output bytes, uncompressed */
	tdb_ncounters           /* number of counters, not a counter */
};
455
/*
 * Increment per-SA counter c of tdb by one.  tdb->tdb_counters must
 * already be set up; nothing here checks for NULL.
 */
static inline void
tdbstat_inc(struct tdb *tdb, enum tdb_counters c)
{
	struct cpumem *cm = tdb->tdb_counters;

	counters_inc(cm, c);
}
461
/*
 * Add v to per-SA counter c of tdb.  tdb->tdb_counters must already be
 * set up; nothing here checks for NULL.
 */
static inline void
tdbstat_add(struct tdb *tdb, enum tdb_counters c, uint64_t v)
{
	struct cpumem *cm = tdb->tdb_counters;

	counters_add(cm, c, v);
}
467
/*
 * Account one packet of `bytes` bytes against tdb: pc is the packet
 * counter, bc the byte counter.  The split is done by counters_pkt();
 * tdb->tdb_counters must already be set up.
 */
static inline void
tdbstat_pkt(struct tdb *tdb, enum tdb_counters pc, enum tdb_counters bc,
    uint64_t bytes)
{
	struct cpumem *cm = tdb->tdb_counters;

	counters_pkt(cm, pc, bc, bytes);
}
474
/*
 * The tuple that identifies one TDB: the same dst/spi/proto key as the
 * first hash table described in struct tdb, plus the routing domain.
 * Matches the argument list of gettdb_dir(); presumably carried in an
 * m_tag to find the SA a packet was processed with — confirm in the
 * .c files.
 */
struct tdb_ident {
	u_int32_t spi;			/* SPI */
	union sockaddr_union dst;	/* destination address */
	u_int8_t proto;			/* IPsec protocol (tdb_sproto) */
	u_int rdomain;			/* routing domain */
};
481
/*
 * Per-packet context kept across a crypto operation.  tc_dst, tc_spi,
 * tc_proto and tc_rdomain are the TDB identity (cf. struct tdb_ident),
 * which presumably lets the completion path look the SA up again rather
 * than hold a raw pointer; tc_rpl, tc_protoff and tc_skip carry the
 * replay value and packet offsets established before the operation.
 */
struct tdb_crypto {
	union sockaddr_union	tc_dst;		/* SA destination */
	u_int64_t		tc_rpl;		/* replay counter value for this packet */
	u_int32_t		tc_spi;		/* SA SPI */
	int			tc_protoff;	/* protocol field offset in the packet */
	int			tc_skip;	/* bytes to skip before the IPsec header */
	u_int			tc_rdomain;	/* SA routing domain */
	u_int8_t		tc_proto;	/* SA IPsec protocol */
};
491
/*
 * Parameters handed to a transform's xf_init hook (see tdb_init() and
 * struct xformsw): algorithm selectors plus the raw keys.  The key
 * buffers are referenced, not copied, by this struct; ownership and
 * lifetime of the pointed-to memory are decided by the caller and the
 * xf_init implementation, not here.  Key lengths are 16-bit.
 */
struct ipsecinit {
	u_int8_t	*ii_enckey;	/* raw encryption key, ii_enckeylen bytes */
	u_int8_t	*ii_authkey;	/* raw authentication key, ii_authkeylen bytes */
	u_int16_t	ii_enckeylen;
	u_int16_t	ii_authkeylen;
	u_int8_t	ii_encalg;	/* encryption algorithm selector */
	u_int8_t	ii_authalg;	/* authentication algorithm selector */
	u_int8_t	ii_compalg;	/* compression algorithm selector */
};
501
502/* xform IDs */
503#define	XF_IP4		1	/* IP inside IP */
504#define	XF_AH		2	/* AH */
505#define	XF_ESP		3	/* ESP */
506#define	XF_TCPSIGNATURE	5	/* TCP MD5 Signature option, RFC 2358 */
507#define	XF_IPCOMP	6	/* IPCOMP */
508
509/* xform attributes */
510#define	XFT_AUTH	0x0001
511#define	XFT_CONF	0x0100
512#define	XFT_COMP	0x1000
513
514#define	IPSEC_ZEROES_SIZE	256	/* Larger than an IP6 extension hdr. */
515
/*
 * Transform switch: the hook table one IPsec transform (IP-in-IP, AH,
 * ESP, IPcomp, TCP signature) provides.  The per-transform
 * implementations are declared further down with exactly these
 * signatures.  xf_input takes struct mbuf ** and may therefore replace
 * the packet; xf_output takes a plain struct mbuf *.
 */
struct xformsw {
	u_short	xf_type;		/* Unique ID of xform, see XF_* */
	u_short	xf_flags;		/* flags (see below) */
	char	*xf_name;		/* human-readable name; could be const char * */
	int	(*xf_attach)(void);	/* called at config time */
	int	(*xf_init)(struct tdb *, const struct xformsw *,
		    struct ipsecinit *);	/* set up a TDB from ipsecinit */
	int	(*xf_zeroize)(struct tdb *); /* termination: expected to clear key material */
	int	(*xf_input)(struct mbuf **, struct tdb *, int, int);
	int	(*xf_output)(struct mbuf *, struct tdb *, int, int);
};
527
/*
 * Global state and tunables.  The ipsec_* integers below are the
 * sysctl-settable knobs (names under IPSEC_* further down); their
 * defaults are the IPSEC_DEFAULT_* values at the top of this file.
 */
extern int ipsec_in_use;		/* presumably nonzero once IPsec is configured */
extern u_int64_t ipsec_last_added;	/* timestamp of the last SA addition, presumably */
extern int encdebug;			/* enable message reporting */
extern struct pool tdb_pool;		/* pool struct tdb is allocated from */

extern int ipsec_keep_invalid;		/* lifetime of embryonic SAs (in sec) */
extern int ipsec_require_pfs;		/* use Perfect Forward Secrecy */
extern int ipsec_expire_acquire;	/* wait for security assoc. (in sec) */
extern int ipsec_soft_allocations;	/* flows/SA before renegotiation */
extern int ipsec_exp_allocations;	/* num. of flows/SA before it expires */
extern int ipsec_soft_bytes;		/* bytes/SA before renegotiation */
extern int ipsec_exp_bytes;		/* num of bytes/SA before it expires */
extern int ipsec_soft_timeout;		/* seconds/SA before renegotiation */
extern int ipsec_exp_timeout;		/* seconds/SA before it expires */
extern int ipsec_soft_first_use;	/* seconds between 1st asso & renego */
extern int ipsec_exp_first_use;		/* seconds between 1st asso & expire */
544
545/*
546 * Names for IPsec sysctl objects
547 */
548#define	IPSEC_ENCDEBUG			IPCTL_ENCDEBUG			/* 12 */
549#define	IPSEC_STATS			IPCTL_IPSEC_STATS		/* 13 */
550#define IPSEC_EXPIRE_ACQUIRE		IPCTL_IPSEC_EXPIRE_ACQUIRE	/* 14 */
551#define IPSEC_EMBRYONIC_SA_TIMEOUT	IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT/* 15 */
552#define IPSEC_REQUIRE_PFS		IPCTL_IPSEC_REQUIRE_PFS		/* 16 */
553#define IPSEC_SOFT_ALLOCATIONS          IPCTL_IPSEC_SOFT_ALLOCATIONS	/* 17 */
554#define IPSEC_ALLOCATIONS		IPCTL_IPSEC_ALLOCATIONS		/* 18 */
555#define IPSEC_SOFT_BYTES		IPCTL_IPSEC_SOFT_BYTES		/* 19 */
556#define IPSEC_BYTES			IPCTL_IPSEC_BYTES		/* 20 */
557#define IPSEC_TIMEOUT			IPCTL_IPSEC_TIMEOUT		/* 21 */
558#define IPSEC_SOFT_TIMEOUT		IPCTL_IPSEC_SOFT_TIMEOUT	/* 22 */
559#define IPSEC_SOFT_FIRSTUSE		IPCTL_IPSEC_SOFT_FIRSTUSE	/* 23 */
560#define IPSEC_FIRSTUSE			IPCTL_IPSEC_FIRSTUSE		/* 24 */
561#define IPSEC_MAXID	25
562
/* Default algorithm names; initial values are IPSEC_DEFAULT_DEF_* above. */
extern char ipsec_def_enc[];
extern char ipsec_def_auth[];
extern char ipsec_def_comp[];

extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;	/* all policies (ipo_list) */

/* The [s] and [p] locks of the key at the top of this file. */
extern struct mutex tdb_sadb_mtx;	/* [s] SA database */
extern struct mutex ipo_tdb_mtx;	/* [p] policy <-> TDB links */
571
struct cryptop;

/* Misc. */
/* Format an address into the caller's buffer of the given size; presumably returns that buffer. */
const char *ipsp_address(union sockaddr_union *, char *, socklen_t);

/* SPD tables: one radix tree per routing domain (the unsigned int). */
struct radix_node_head *spd_table_add(unsigned int);
struct radix_node_head *spd_table_get(unsigned int);
int spd_table_walk(unsigned int,
    int (*walker)(struct ipsec_policy *, void *, unsigned int), void *);

/* TDB management routines */
/* Reserve an SPI in the given rdomain; the int * is presumably an error out-parameter. */
uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *,
		union sockaddr_union *, u_int8_t, int *);
/*
 * Lookups by rdomain/spi/dst/proto.  The trailing int of the *_dir()
 * variants is a direction selector: the plain macros pass 0, the _rev
 * macros pass 1.
 */
struct	tdb *gettdb_dir(u_int, u_int32_t, union sockaddr_union *, u_int8_t, int);
#define gettdb(a,b,c,d)		gettdb_dir((a),(b),(c),(d),0)
#define gettdb_rev(a,b,c,d)	gettdb_dir((a),(b),(c),(d),1)
/* Policy-side lookups, narrowed by identities and a filter/mask pair. */
struct	tdb *gettdbbydst(u_int, union sockaddr_union *, u_int8_t,
		struct ipsec_ids *,
		struct sockaddr_encap *, struct sockaddr_encap *);
struct	tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t,
		struct ipsec_ids *,
		struct sockaddr_encap *, struct sockaddr_encap *);
struct	tdb *gettdbbysrcdst_dir(u_int, u_int32_t, union sockaddr_union *,
		union sockaddr_union *, u_int8_t, int);
#define gettdbbysrcdst(a,b,c,d,e) gettdbbysrcdst_dir((a),(b),(c),(d),(e),0)
#define gettdbbysrcdst_rev(a,b,c,d,e) gettdbbysrcdst_dir((a),(b),(c),(d),(e),1)
/* The _locked variants presumably expect tdb_sadb_mtx held by the caller — confirm. */
void	puttdb(struct tdb *);
void	puttdb_locked(struct tdb *);
void	tdb_delete(struct tdb *);
struct	tdb *tdb_alloc(u_int);
/* Reference counting on tdb_refcnt. */
struct	tdb *tdb_ref(struct tdb *);
void	tdb_unref(struct tdb *);
void	tdb_free(struct tdb *);
/* Initialise a TDB for the transform named by the u_int16_t (an XF_* id) from ipsecinit. */
int	tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
void	tdb_unlink(struct tdb *);
void	tdb_unlink_locked(struct tdb *);
void	tdb_cleanspd(struct tdb *);
void	tdb_unbundle(struct tdb *);
void	tdb_deltimeouts(struct tdb *);
int	tdb_walk(u_int, int (*)(struct tdb *, void *, int), void *);
void	tdb_printit(void *, int, int (*)(const char *, ...));
614
/*
 * Per-transform implementations of the struct xformsw hooks
 * (attach/init/zeroize/input/output); signatures match the hook table
 * exactly.  The *46_input functions are the protocol input entry
 * points and the *_ctlinput functions presumably handle ICMP control
 * messages for the protocol.
 */
/* XF_IP4 */
int	ipe4_attach(void);
int	ipe4_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
int	ipe4_zeroize(struct tdb *);
int	ipe4_input(struct mbuf **, struct tdb *, int, int);

/* XF_AH */
int	ah_attach(void);
int	ah_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
int	ah_zeroize(struct tdb *);	/* should clear the AH key copies */
int	ah_input(struct mbuf **, struct tdb *, int, int);
int	ah_output(struct mbuf *, struct tdb *, int, int);
int	ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);

int	ah46_input(struct mbuf **, int *, int, int);
void	ah4_ctlinput(int, struct sockaddr *, u_int, void *);
void	udpencap_ctlinput(int, struct sockaddr *, u_int, void *);

/* XF_ESP */
int	esp_attach(void);
int	esp_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
int	esp_zeroize(struct tdb *);	/* should clear the ESP key copies */
int	esp_input(struct mbuf **, struct tdb *, int, int);
int	esp_output(struct mbuf *, struct tdb *, int, int);
int	esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);

int	esp46_input(struct mbuf **, int *, int, int);
void	esp4_ctlinput(int, struct sockaddr *, u_int, void *);

/* XF_IPCOMP */
int	ipcomp_attach(void);
int	ipcomp_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
int	ipcomp_zeroize(struct tdb *);
int	ipcomp_input(struct mbuf **, struct tdb *, int, int);
int	ipcomp_output(struct mbuf *, struct tdb *, int, int);
int	ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
int	ipcomp46_input(struct mbuf **, int *, int, int);

/* XF_TCPSIGNATURE (TCP MD5 signature option; the RFC number cited at XF_TCPSIGNATURE is 2358, the option is specified in RFC 2385) */
int	tcp_signature_tdb_attach(void);
int	tcp_signature_tdb_init(struct tdb *, const struct xformsw *,
	    struct ipsecinit *);
int	tcp_signature_tdb_zeroize(struct tdb *);
int	tcp_signature_tdb_input(struct mbuf **, struct tdb *, int, int);
int	tcp_signature_tdb_output(struct mbuf *, struct tdb *, int, int);
660
/* Replay window */
/*
 * Anti-replay check against tdb_rpl/tdb_seen.  The u_int64_t is the
 * sequence value (64-bit so ESN fits), the u_int32_t * is an
 * out-parameter and the final int a flag; exact contract and return
 * codes are in the implementation, not here.
 */
int	checkreplaywindow(struct tdb *, u_int64_t, u_int32_t, u_int32_t *, int);

/* Packet processing */
int	ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
int	ipsp_process_done(struct mbuf *, struct tdb *);
/* SPD lookup for a packet; the struct tdb ** receives the matched SA, if any. */
int	ipsp_spd_lookup(struct mbuf *, int, int, int, struct tdb *,
	    struct inpcb *, struct tdb **, struct ipsec_ids *);
int	ipsp_is_unspecified(union sockaddr_union);	/* takes the union by value */
/* Match a TDB's identities and filter/mask against the given ones. */
int	ipsp_aux_match(struct tdb *, struct ipsec_ids *,
	    struct sockaddr_encap *, struct sockaddr_encap *);
int	ipsp_ids_match(struct ipsec_ids *, struct ipsec_ids *);
/* Identity-pair table: insert (returns the canonical entry), lookup by id_flow, release. */
struct ipsec_ids *ipsp_ids_insert(struct ipsec_ids *);
struct ipsec_ids *ipsp_ids_lookup(u_int32_t);
void	ipsp_ids_free(struct ipsec_ids *);

void	ipsp_init(void);
void	ipsec_init(void);
int	ipsec_sysctl(int *, u_int, void *, size_t *, void *, size_t);
/* Common input path; the struct mbuf ** may be replaced or consumed. */
int	ipsec_common_input(struct mbuf **, int, int, int, int, int);
int	ipsec_common_input_cb(struct mbuf **, struct tdb *, int, int);
int	ipsec_input_disabled(struct mbuf **, int *, int, int);
int	ipsec_protoff(struct mbuf *, int, int);
int	ipsec_delete_policy(struct ipsec_policy *);
ssize_t	ipsec_hdrsz(struct tdb *);	/* header bytes this SA adds; ssize_t so it can signal error */
/* MTU bookkeeping for tdb_mtu/tdb_mtutimeout. */
void	ipsec_adjust_mtu(struct mbuf *, u_int32_t);
void	ipsec_set_mtu(struct tdb *, u_int32_t);
/* Acquire lookup by sequence number (ipa_seq) and release of the reference it returns. */
struct	ipsec_acquire *ipsec_get_acquire(u_int32_t);
void	ipsec_unref_acquire(struct ipsec_acquire *);
int	ipsec_forward_check(struct mbuf *, int, int);
int	ipsec_local_check(struct mbuf *, int, int, int);
692
693#endif /* _KERNEL */
694#endif /* _NETINET_IPSP_H_ */
695