ip_ipsp.h revision 1.237
1/* $OpenBSD: ip_ipsp.h,v 1.237 2022/03/13 21:38:32 bluhm Exp $ */ 2/* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Niklas Hallqvist (niklas@appli.se). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 18 * 19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * Copyright (c) 1999 Niklas Hallqvist. 22 * Copyright (c) 2001, Angelos D. Keromytis. 23 * 24 * Permission to use, copy, and modify this software with or without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40#ifndef _NETINET_IPSP_H_ 41#define _NETINET_IPSP_H_ 42 43/* 44 * Locks used to protect struct members in this file: 45 * I immutable after creation 46 * a atomic operations 47 * N net lock 48 * A ipsec_acquire_mtx 49 * F ipsec_flows_mtx 50 * m tdb_mtx fields of struct tdb 51 * p ipo_tdb_mtx link policy to TDB global mutex 52 * s tdb_sadb_mtx SA database global mutex 53 */ 54 55/* IPSP global definitions. */ 56 57#include <sys/types.h> 58#include <netinet/in.h> 59 60union sockaddr_union { 61 struct sockaddr sa; 62 struct sockaddr_in sin; 63 struct sockaddr_in6 sin6; 64}; 65 66#define AH_HMAC_MAX_HASHLEN 32 /* 256 bits of authenticator for SHA512 */ 67#define AH_HMAC_RPLENGTH 4 /* 32 bits of replay counter */ 68#define AH_HMAC_INITIAL_RPL 1 /* Replay counter initial value */ 69 70/* Authenticator lengths */ 71#define AH_MD5_ALEN 16 72#define AH_SHA1_ALEN 20 73#define AH_RMD160_ALEN 20 74#define AH_SHA2_256_ALEN 32 75#define AH_SHA2_384_ALEN 48 76#define AH_SHA2_512_ALEN 64 77#define AH_ALEN_MAX 64 /* Keep updated */ 78 79/* Reserved SPI numbers */ 80#define SPI_LOCAL_USE 0 81#define SPI_RESERVED_MIN 1 82#define SPI_RESERVED_MAX 255 83 84/* Reserved CPI numbers */ 85#define CPI_RESERVED_MIN 1 86#define CPI_RESERVED_MAX 255 87#define CPI_PRIVATE_MIN 61440 88#define CPI_PRIVATE_MAX 65535 89 90/* sysctl default values */ 91#define IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT 60 /* 1 minute */ 92#define IPSEC_DEFAULT_PFS 1 93#define IPSEC_DEFAULT_SOFT_ALLOCATIONS 0 94#define IPSEC_DEFAULT_EXP_ALLOCATIONS 0 95#define IPSEC_DEFAULT_SOFT_BYTES 0 96#define IPSEC_DEFAULT_EXP_BYTES 0 97#define IPSEC_DEFAULT_SOFT_TIMEOUT 80000 98#define IPSEC_DEFAULT_EXP_TIMEOUT 86400 99#define IPSEC_DEFAULT_SOFT_FIRST_USE 3600 100#define IPSEC_DEFAULT_EXP_FIRST_USE 7200 101#define IPSEC_DEFAULT_DEF_ENC "aes" 102#define IPSEC_DEFAULT_DEF_AUTH "hmac-sha1" 103#define IPSEC_DEFAULT_EXPIRE_ACQUIRE 30 104#define IPSEC_DEFAULT_DEF_COMP "deflate" 105 106struct sockaddr_encap { 107 u_int8_t sen_len; /* length */ 108 u_int8_t sen_family; /* PF_KEY */ 109 u_int16_t sen_type; /* see SENT_* */ 110 union { 111 struct { /* SENT_IP4 */ 112 u_int8_t Direction; 113 struct in_addr Src; 114 struct in_addr Dst; 115 u_int8_t Proto; 116 u_int16_t Sport; 117 u_int16_t Dport; 118 } Sip4; 119 120 struct { /* SENT_IP6 */ 121 u_int8_t Direction; 122 struct in6_addr Src; 123 struct in6_addr Dst; 124 u_int8_t Proto; 125 u_int16_t Sport; 126 u_int16_t Dport; 127 } Sip6; 128 } Sen; 129}; 130 131#define IPSP_DIRECTION_IN 0x1 132#define IPSP_DIRECTION_OUT 0x2 133 134struct ipsecstat { 135 uint64_t ipsec_tunnels; /* Number of active tunnels */ 136 uint64_t ipsec_prevtunnels; /* Past number of tunnels */ 137 uint64_t ipsec_ipackets; /* Input IPsec packets */ 138 uint64_t ipsec_opackets; /* Output IPsec packets */ 139 uint64_t ipsec_ibytes; /* Input bytes */ 140 uint64_t ipsec_obytes; /* Output bytes */ 141 uint64_t ipsec_idecompbytes; /* Input bytes, decompressed */ 142 uint64_t ipsec_ouncompbytes; /* Output bytes, uncompressed */ 143 uint64_t ipsec_idrops; /* Dropped on input */ 144 uint64_t ipsec_odrops; /* Dropped on output */ 145 uint64_t ipsec_crypto; /* Crypto processing failure */ 146 uint64_t ipsec_notdb; /* No TDB was found */ 147 uint64_t ipsec_noxform; /* Crypto error */ 148 uint64_t ipsec_exctdb; /* TDBs with hardlimit excess */ 149}; 150 151#ifdef _KERNEL 152 153#include <sys/timeout.h> 154#include <sys/tree.h> 155#include <sys/queue.h> 156#include <net/radix.h> 157#include <sys/percpu.h> 158 159enum ipsec_counters { 160 ipsec_tunnels, 161 ipsec_prevtunnels, 162 ipsec_ipackets, 163 ipsec_opackets, 164 ipsec_ibytes, 165 ipsec_obytes, 166 ipsec_idecompbytes, 167 ipsec_ouncompbytes, 168 ipsec_idrops, 169 ipsec_odrops, 170 ipsec_crypto, 171 ipsec_notdb, 172 ipsec_noxform, 173 ipsec_exctdb, 174 ipsec_ncounters 175}; 176 177extern struct cpumem *ipseccounters; 178 179static inline void 180ipsecstat_inc(enum ipsec_counters c) 181{ 182 counters_inc(ipseccounters, c); 183} 184 185static inline void 186ipsecstat_dec(enum ipsec_counters c) 187{ 188 counters_dec(ipseccounters, c); 189} 190 191static inline void 192ipsecstat_add(enum ipsec_counters c, uint64_t v) 193{ 194 counters_add(ipseccounters, c, v); 195} 196 197static inline void 198ipsecstat_pkt(enum ipsec_counters p, enum ipsec_counters b, uint64_t v) 199{ 200 counters_pkt(ipseccounters, p, b, v); 201} 202 203struct m_tag; 204 205#define sen_data Sen.Data 206#define sen_ip_src Sen.Sip4.Src 207#define sen_ip_dst Sen.Sip4.Dst 208#define sen_proto Sen.Sip4.Proto 209#define sen_sport Sen.Sip4.Sport 210#define sen_dport Sen.Sip4.Dport 211#define sen_direction Sen.Sip4.Direction 212#define sen_ip6_src Sen.Sip6.Src 213#define sen_ip6_dst Sen.Sip6.Dst 214#define sen_ip6_proto Sen.Sip6.Proto 215#define sen_ip6_sport Sen.Sip6.Sport 216#define sen_ip6_dport Sen.Sip6.Dport 217#define sen_ip6_direction Sen.Sip6.Direction 218 219/* 220 * The "type" is really part of the address as far as the routing 221 * system is concerned. By using only one bit in the type field 222 * for each type, we sort-of make sure that different types of 223 * encapsulation addresses won't be matched against the wrong type. 224 * 225 */ 226 227#define SENT_IP4 0x0001 /* data is two struct in_addr */ 228#define SENT_IP6 0x0002 229 230#define SENT_LEN sizeof(struct sockaddr_encap) 231 232struct ipsec_id { 233 u_int16_t type; /* Subtype of data */ 234 int16_t len; /* Length of data following */ 235}; 236 237struct ipsec_ids { 238 LIST_ENTRY(ipsec_ids) id_gc_list; /* [F] */ 239 RBT_ENTRY(ipsec_ids) id_node_id; /* [F] */ 240 RBT_ENTRY(ipsec_ids) id_node_flow; /* [F] */ 241 struct ipsec_id *id_local; /* [I] */ 242 struct ipsec_id *id_remote; /* [I] */ 243 u_int32_t id_flow; /* [I] */ 244 u_int id_refcount; /* [a] */ 245 u_int id_gc_ttl; /* [F] */ 246}; 247RBT_HEAD(ipsec_ids_flows, ipsec_ids); 248RBT_HEAD(ipsec_ids_tree, ipsec_ids); 249 250struct ipsec_acquire { 251 union sockaddr_union ipa_addr; 252 u_int32_t ipa_seq; 253 struct sockaddr_encap ipa_info; 254 struct sockaddr_encap ipa_mask; 255 struct refcnt ipa_refcnt; 256 struct timeout ipa_timeout; 257 struct ipsec_policy *ipa_policy; /* [A] back pointer */ 258 TAILQ_ENTRY(ipsec_acquire) ipa_ipo_next; /* [A] per policy */ 259 TAILQ_ENTRY(ipsec_acquire) ipa_next; /* [A] global list */ 260}; 261 262TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire); 263 264struct ipsec_policy { 265 struct radix_node ipo_nodes[2]; /* radix tree glue */ 266 struct sockaddr_encap ipo_addr; 267 struct sockaddr_encap ipo_mask; 268 269 union sockaddr_union ipo_src; /* Local address to use */ 270 union sockaddr_union ipo_dst; /* Remote gateway -- if it's zeroed: 271 * - on output, we try to 272 * contact the remote host 273 * directly (if needed). 274 * - on input, we accept on if 275 * the inner source is the 276 * same as the outer source 277 * address, or if transport 278 * mode was used. 279 */ 280 281 u_int64_t ipo_last_searched; /* [p] Timestamp of lookup */ 282 283 u_int8_t ipo_flags; /* See IPSP_POLICY_* definitions */ 284 u_int8_t ipo_type; /* USE/ACQUIRE/... */ 285 u_int8_t ipo_sproto; /* ESP/AH; if zero, use system dflts */ 286 u_int ipo_rdomain; 287 288 struct refcnt ipo_refcnt; 289 290 struct tdb *ipo_tdb; /* [p] Cached TDB entry */ 291 292 struct ipsec_ids *ipo_ids; 293 294 struct ipsec_acquire_head ipo_acquires; /* [A] List of acquires */ 295 TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* [p] List TDB policies */ 296 TAILQ_ENTRY(ipsec_policy) ipo_list; /* List of all policies */ 297}; 298 299#define IPSP_POLICY_NONE 0x0000 /* No flags set */ 300#define IPSP_POLICY_STATIC 0x0002 /* Static policy */ 301 302#define IPSP_IPSEC_USE 0 /* Use if existing, don't acquire */ 303#define IPSP_IPSEC_ACQUIRE 1 /* Try acquire, let packet through */ 304#define IPSP_IPSEC_REQUIRE 2 /* Require SA */ 305#define IPSP_PERMIT 3 /* Permit traffic through */ 306#define IPSP_DENY 4 /* Deny traffic */ 307#define IPSP_IPSEC_DONTACQ 5 /* Require, but don't acquire */ 308 309/* Identity types */ 310#define IPSP_IDENTITY_NONE 0 311#define IPSP_IDENTITY_PREFIX 1 312#define IPSP_IDENTITY_FQDN 2 313#define IPSP_IDENTITY_USERFQDN 3 314#define IPSP_IDENTITY_ASN1_DN 4 315 316struct tdb { /* tunnel descriptor block */ 317 /* 318 * Each TDB is on three hash tables: one keyed on dst/spi/sproto, 319 * one keyed on dst/sproto, and one keyed on src/sproto. The first 320 * is used for finding a specific TDB, the second for finding TDBs 321 * for outgoing policy matching, and the third for incoming 322 * policy matching. The following three fields maintain the hash 323 * queues in those three tables. 324 */ 325 struct tdb *tdb_hnext; /* [s] dst/spi/sproto table */ 326 struct tdb *tdb_dnext; /* [s] dst/sproto table */ 327 struct tdb *tdb_snext; /* [s] src/sproto table */ 328 struct tdb *tdb_inext; 329 struct tdb *tdb_onext; 330 SIMPLEQ_ENTRY(tdb) tdb_walk; /* [N] temp list for tdb walker */ 331 332 struct refcnt tdb_refcnt; 333 struct mutex tdb_mtx; 334 335 const struct xformsw *tdb_xform; /* Transform to use */ 336 const struct enc_xform *tdb_encalgxform; /* Enc algorithm */ 337 const struct auth_hash *tdb_authalgxform; /* Auth algorithm */ 338 const struct comp_algo *tdb_compalgxform; /* Compression algo */ 339 340#define TDBF_UNIQUE 0x00001 /* This should not be used by others */ 341#define TDBF_TIMER 0x00002 /* Absolute expiration timer in use */ 342#define TDBF_BYTES 0x00004 /* Check the byte counters */ 343#define TDBF_ALLOCATIONS 0x00008 /* Check the flows counters */ 344#define TDBF_INVALID 0x00010 /* This SPI is not valid yet/anymore */ 345#define TDBF_FIRSTUSE 0x00020 /* Expire after first use */ 346#define TDBF_DELETED 0x00040 /* This TDB has already been deleted */ 347#define TDBF_SOFT_TIMER 0x00080 /* Soft expiration */ 348#define TDBF_SOFT_BYTES 0x00100 /* Soft expiration */ 349#define TDBF_SOFT_ALLOCATIONS 0x00200 /* Soft expiration */ 350#define TDBF_SOFT_FIRSTUSE 0x00400 /* Soft expiration */ 351#define TDBF_PFS 0x00800 /* Ask for PFS from Key Mgmt. */ 352#define TDBF_TUNNELING 0x01000 /* Force IP-IP encapsulation */ 353#define TDBF_USEDTUNNEL 0x10000 /* Appended a tunnel header in past */ 354#define TDBF_UDPENCAP 0x20000 /* UDP encapsulation */ 355#define TDBF_PFSYNC 0x40000 /* TDB will be synced */ 356#define TDBF_PFSYNC_RPL 0x80000 /* Replay counter should be bumped */ 357#define TDBF_ESN 0x100000 /* 64-bit sequence numbers (ESN) */ 358 359#define TDBF_BITS ("\20" \ 360 "\1UNIQUE\2TIMER\3BYTES\4ALLOCATIONS" \ 361 "\5INVALID\6FIRSTUSE\7DELETED\10SOFT_TIMER" \ 362 "\11SOFT_BYTES\12SOFT_ALLOCATIONS\13SOFT_FIRSTUSE\14PFS" \ 363 "\15TUNNELING" \ 364 "\21USEDTUNNEL\22UDPENCAP\23PFSYNC\24PFSYNC_RPL" \ 365 "\25ESN") 366 367 u_int32_t tdb_flags; /* [m] Flags related to this TDB */ 368 369 struct timeout tdb_timer_tmo; 370 struct timeout tdb_first_tmo; 371 struct timeout tdb_stimer_tmo; 372 struct timeout tdb_sfirst_tmo; 373 374 u_int32_t tdb_seq; /* Tracking number for PFKEY */ 375 u_int32_t tdb_exp_allocations; /* Expire after so many flows */ 376 u_int32_t tdb_soft_allocations; /* Expiration warning */ 377 u_int32_t tdb_cur_allocations; /* Total number of allocs */ 378 379 u_int64_t tdb_exp_bytes; /* Expire after so many bytes passed */ 380 u_int64_t tdb_soft_bytes; /* Expiration warning */ 381 u_int64_t tdb_cur_bytes; /* Current count of bytes */ 382 383 u_int64_t tdb_exp_timeout; /* When does the SPI expire */ 384 u_int64_t tdb_soft_timeout; /* Send soft-expire warning */ 385 u_int64_t tdb_established; /* When was SPI established */ 386 387 u_int64_t tdb_first_use; /* When was it first used */ 388 u_int64_t tdb_soft_first_use; /* Soft warning */ 389 u_int64_t tdb_exp_first_use; /* Expire if tdb_first_use + 390 * tdb_exp_first_use <= curtime 391 */ 392 393 u_int64_t tdb_last_used; /* When was this SA last used */ 394 u_int64_t tdb_last_marked;/* Last SKIPCRYPTO status change */ 395 396 struct cpumem *tdb_counters; /* stats about this TDB */ 397 398 u_int64_t tdb_cryptoid; /* Crypto session ID */ 399 400 u_int32_t tdb_spi; /* [I] SPI */ 401 u_int16_t tdb_amxkeylen; /* Raw authentication key length */ 402 u_int16_t tdb_emxkeylen; /* Raw encryption key length */ 403 u_int16_t tdb_ivlen; /* IV length */ 404 u_int8_t tdb_sproto; /* [I] IPsec protocol */ 405 u_int8_t tdb_wnd; /* Replay window */ 406 u_int8_t tdb_satype; /* SA type (RFC2367, PF_KEY) */ 407 u_int8_t tdb_updates; /* pfsync update counter */ 408 409 union sockaddr_union tdb_dst; /* [N] Destination address */ 410 union sockaddr_union tdb_src; /* [N] Source address */ 411 412 u_int8_t *tdb_amxkey; /* Raw authentication key */ 413 u_int8_t *tdb_emxkey; /* Raw encryption key */ 414 415#define TDB_REPLAYWASTE 32 416#define TDB_REPLAYMAX (2100+TDB_REPLAYWASTE) 417 418 u_int64_t tdb_rpl; /* Replay counter */ 419 u_int32_t tdb_seen[howmany(TDB_REPLAYMAX, 32)]; /* Anti-replay window */ 420 421 u_int8_t tdb_iv[4]; /* Used for HALF-IV ESP */ 422 423 struct ipsec_ids *tdb_ids; /* Src/Dst ID for this SA */ 424 int tdb_ids_swapped; /* XXX */ 425 426 u_int32_t tdb_mtu; /* MTU at this point in the chain */ 427 u_int64_t tdb_mtutimeout; /* When to ignore this entry */ 428 429 u_int16_t tdb_udpencap_port; /* Peer UDP port */ 430 431 u_int16_t tdb_tag; /* Packet filter tag */ 432 u_int32_t tdb_tap; /* Alternate enc(4) interface */ 433 434 u_int tdb_rdomain; /* [I] Routing domain */ 435 u_int tdb_rdomain_post; /* [I] Change domain */ 436 437 struct sockaddr_encap tdb_filter; /* What traffic is acceptable */ 438 struct sockaddr_encap tdb_filtermask; /* And the mask */ 439 440 TAILQ_HEAD(tdb_policy_head, ipsec_policy) tdb_policy_head; /* [p] */ 441 TAILQ_ENTRY(tdb) tdb_sync_entry; 442}; 443 444enum tdb_counters { 445 tdb_ipackets, /* Input IPsec packets */ 446 tdb_opackets, /* Output IPsec packets */ 447 tdb_ibytes, /* Input bytes */ 448 tdb_obytes, /* Output bytes */ 449 tdb_idrops, /* Dropped on input */ 450 tdb_odrops, /* Dropped on output */ 451 tdb_idecompbytes, /* Input bytes, decompressed */ 452 tdb_ouncompbytes, /* Output bytes, uncompressed */ 453 tdb_ncounters 454}; 455 456static inline void 457tdbstat_inc(struct tdb *tdb, enum tdb_counters c) 458{ 459 counters_inc(tdb->tdb_counters, c); 460} 461 462static inline void 463tdbstat_add(struct tdb *tdb, enum tdb_counters c, uint64_t v) 464{ 465 counters_add(tdb->tdb_counters, c, v); 466} 467 468static inline void 469tdbstat_pkt(struct tdb *tdb, enum tdb_counters pc, enum tdb_counters bc, 470 uint64_t bytes) 471{ 472 counters_pkt(tdb->tdb_counters, pc, bc, bytes); 473} 474 475struct tdb_ident { 476 u_int32_t spi; 477 union sockaddr_union dst; 478 u_int8_t proto; 479 u_int rdomain; 480}; 481 482struct tdb_crypto { 483 union sockaddr_union tc_dst; 484 u_int64_t tc_rpl; 485 u_int32_t tc_spi; 486 int tc_protoff; 487 int tc_skip; 488 u_int tc_rdomain; 489 u_int8_t tc_proto; 490}; 491 492struct ipsecinit { 493 u_int8_t *ii_enckey; 494 u_int8_t *ii_authkey; 495 u_int16_t ii_enckeylen; 496 u_int16_t ii_authkeylen; 497 u_int8_t ii_encalg; 498 u_int8_t ii_authalg; 499 u_int8_t ii_compalg; 500}; 501 502/* xform IDs */ 503#define XF_IP4 1 /* IP inside IP */ 504#define XF_AH 2 /* AH */ 505#define XF_ESP 3 /* ESP */ 506#define XF_TCPSIGNATURE 5 /* TCP MD5 Signature option, RFC 2358 */ 507#define XF_IPCOMP 6 /* IPCOMP */ 508 509/* xform attributes */ 510#define XFT_AUTH 0x0001 511#define XFT_CONF 0x0100 512#define XFT_COMP 0x1000 513 514#define IPSEC_ZEROES_SIZE 256 /* Larger than an IP6 extension hdr. */ 515 516struct xformsw { 517 u_short xf_type; /* Unique ID of xform */ 518 u_short xf_flags; /* flags (see below) */ 519 char *xf_name; /* human-readable name */ 520 int (*xf_attach)(void); /* called at config time */ 521 int (*xf_init)(struct tdb *, const struct xformsw *, 522 struct ipsecinit *); 523 int (*xf_zeroize)(struct tdb *); /* termination */ 524 int (*xf_input)(struct mbuf **, struct tdb *, int, int); 525 int (*xf_output)(struct mbuf *, struct tdb *, int, int); 526}; 527 528extern int ipsec_in_use; 529extern u_int64_t ipsec_last_added; 530extern int encdebug; /* enable message reporting */ 531extern struct pool tdb_pool; 532 533extern int ipsec_keep_invalid; /* lifetime of embryonic SAs (in sec) */ 534extern int ipsec_require_pfs; /* use Perfect Forward Secrecy */ 535extern int ipsec_expire_acquire; /* wait for security assoc. (in sec) */ 536extern int ipsec_soft_allocations; /* flows/SA before renegotiation */ 537extern int ipsec_exp_allocations; /* num. of flows/SA before it expires */ 538extern int ipsec_soft_bytes; /* bytes/SA before renegotiation */ 539extern int ipsec_exp_bytes; /* num of bytes/SA before it expires */ 540extern int ipsec_soft_timeout; /* seconds/SA before renegotiation */ 541extern int ipsec_exp_timeout; /* seconds/SA before it expires */ 542extern int ipsec_soft_first_use; /* seconds between 1st asso & renego */ 543extern int ipsec_exp_first_use; /* seconds between 1st asso & expire */ 544 545/* 546 * Names for IPsec sysctl objects 547 */ 548#define IPSEC_ENCDEBUG IPCTL_ENCDEBUG /* 12 */ 549#define IPSEC_STATS IPCTL_IPSEC_STATS /* 13 */ 550#define IPSEC_EXPIRE_ACQUIRE IPCTL_IPSEC_EXPIRE_ACQUIRE /* 14 */ 551#define IPSEC_EMBRYONIC_SA_TIMEOUT IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT/* 15 */ 552#define IPSEC_REQUIRE_PFS IPCTL_IPSEC_REQUIRE_PFS /* 16 */ 553#define IPSEC_SOFT_ALLOCATIONS IPCTL_IPSEC_SOFT_ALLOCATIONS /* 17 */ 554#define IPSEC_ALLOCATIONS IPCTL_IPSEC_ALLOCATIONS /* 18 */ 555#define IPSEC_SOFT_BYTES IPCTL_IPSEC_SOFT_BYTES /* 19 */ 556#define IPSEC_BYTES IPCTL_IPSEC_BYTES /* 20 */ 557#define IPSEC_TIMEOUT IPCTL_IPSEC_TIMEOUT /* 21 */ 558#define IPSEC_SOFT_TIMEOUT IPCTL_IPSEC_SOFT_TIMEOUT /* 22 */ 559#define IPSEC_SOFT_FIRSTUSE IPCTL_IPSEC_SOFT_FIRSTUSE /* 23 */ 560#define IPSEC_FIRSTUSE IPCTL_IPSEC_FIRSTUSE /* 24 */ 561#define IPSEC_MAXID 25 562 563extern char ipsec_def_enc[]; 564extern char ipsec_def_auth[]; 565extern char ipsec_def_comp[]; 566 567extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head; 568 569extern struct mutex tdb_sadb_mtx; 570extern struct mutex ipo_tdb_mtx; 571 572struct cryptop; 573 574/* Misc. */ 575const char *ipsp_address(union sockaddr_union *, char *, socklen_t); 576 577/* SPD tables */ 578struct radix_node_head *spd_table_add(unsigned int); 579struct radix_node_head *spd_table_get(unsigned int); 580int spd_table_walk(unsigned int, 581 int (*walker)(struct ipsec_policy *, void *, unsigned int), void *); 582 583/* TDB management routines */ 584uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *, 585 union sockaddr_union *, u_int8_t, int *); 586struct tdb *gettdb_dir(u_int, u_int32_t, union sockaddr_union *, u_int8_t, int); 587#define gettdb(a,b,c,d) gettdb_dir((a),(b),(c),(d),0) 588#define gettdb_rev(a,b,c,d) gettdb_dir((a),(b),(c),(d),1) 589struct tdb *gettdbbydst(u_int, union sockaddr_union *, u_int8_t, 590 struct ipsec_ids *, 591 struct sockaddr_encap *, struct sockaddr_encap *); 592struct tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t, 593 struct ipsec_ids *, 594 struct sockaddr_encap *, struct sockaddr_encap *); 595struct tdb *gettdbbysrcdst_dir(u_int, u_int32_t, union sockaddr_union *, 596 union sockaddr_union *, u_int8_t, int); 597#define gettdbbysrcdst(a,b,c,d,e) gettdbbysrcdst_dir((a),(b),(c),(d),(e),0) 598#define gettdbbysrcdst_rev(a,b,c,d,e) gettdbbysrcdst_dir((a),(b),(c),(d),(e),1) 599void puttdb(struct tdb *); 600void puttdb_locked(struct tdb *); 601void tdb_delete(struct tdb *); 602struct tdb *tdb_alloc(u_int); 603struct tdb *tdb_ref(struct tdb *); 604void tdb_unref(struct tdb *); 605void tdb_free(struct tdb *); 606int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *); 607void tdb_unlink(struct tdb *); 608void tdb_unlink_locked(struct tdb *); 609void tdb_cleanspd(struct tdb *); 610void tdb_unbundle(struct tdb *); 611void tdb_deltimeouts(struct tdb *); 612int tdb_walk(u_int, int (*)(struct tdb *, void *, int), void *); 613void tdb_printit(void *, int, int (*)(const char *, ...)); 614 615/* XF_IP4 */ 616int ipe4_attach(void); 617int ipe4_init(struct tdb *, const struct xformsw *, struct ipsecinit *); 618int ipe4_zeroize(struct tdb *); 619int ipe4_input(struct mbuf **, struct tdb *, int, int); 620 621/* XF_AH */ 622int ah_attach(void); 623int ah_init(struct tdb *, const struct xformsw *, struct ipsecinit *); 624int ah_zeroize(struct tdb *); 625int ah_input(struct mbuf **, struct tdb *, int, int); 626int ah_output(struct mbuf *, struct tdb *, int, int); 627int ah_sysctl(int *, u_int, void *, size_t *, void *, size_t); 628 629int ah46_input(struct mbuf **, int *, int, int); 630void ah4_ctlinput(int, struct sockaddr *, u_int, void *); 631void udpencap_ctlinput(int, struct sockaddr *, u_int, void *); 632 633/* XF_ESP */ 634int esp_attach(void); 635int esp_init(struct tdb *, const struct xformsw *, struct ipsecinit *); 636int esp_zeroize(struct tdb *); 637int esp_input(struct mbuf **, struct tdb *, int, int); 638int esp_output(struct mbuf *, struct tdb *, int, int); 639int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t); 640 641int esp46_input(struct mbuf **, int *, int, int); 642void esp4_ctlinput(int, struct sockaddr *, u_int, void *); 643 644/* XF_IPCOMP */ 645int ipcomp_attach(void); 646int ipcomp_init(struct tdb *, const struct xformsw *, struct ipsecinit *); 647int ipcomp_zeroize(struct tdb *); 648int ipcomp_input(struct mbuf **, struct tdb *, int, int); 649int ipcomp_output(struct mbuf *, struct tdb *, int, int); 650int ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t); 651int ipcomp46_input(struct mbuf **, int *, int, int); 652 653/* XF_TCPSIGNATURE */ 654int tcp_signature_tdb_attach(void); 655int tcp_signature_tdb_init(struct tdb *, const struct xformsw *, 656 struct ipsecinit *); 657int tcp_signature_tdb_zeroize(struct tdb *); 658int tcp_signature_tdb_input(struct mbuf **, struct tdb *, int, int); 659int tcp_signature_tdb_output(struct mbuf *, struct tdb *, int, int); 660 661/* Replay window */ 662int checkreplaywindow(struct tdb *, u_int64_t, u_int32_t, u_int32_t *, int); 663 664/* Packet processing */ 665int ipsp_process_packet(struct mbuf *, struct tdb *, int, int); 666int ipsp_process_done(struct mbuf *, struct tdb *); 667int ipsp_spd_lookup(struct mbuf *, int, int, int, struct tdb *, 668 struct inpcb *, struct tdb **, struct ipsec_ids *); 669int ipsp_is_unspecified(union sockaddr_union); 670int ipsp_aux_match(struct tdb *, struct ipsec_ids *, 671 struct sockaddr_encap *, struct sockaddr_encap *); 672int ipsp_ids_match(struct ipsec_ids *, struct ipsec_ids *); 673struct ipsec_ids *ipsp_ids_insert(struct ipsec_ids *); 674struct ipsec_ids *ipsp_ids_lookup(u_int32_t); 675void ipsp_ids_free(struct ipsec_ids *); 676 677void ipsp_init(void); 678void ipsec_init(void); 679int ipsec_sysctl(int *, u_int, void *, size_t *, void *, size_t); 680int ipsec_common_input(struct mbuf **, int, int, int, int, int); 681int ipsec_common_input_cb(struct mbuf **, struct tdb *, int, int); 682int ipsec_input_disabled(struct mbuf **, int *, int, int); 683int ipsec_protoff(struct mbuf *, int, int); 684int ipsec_delete_policy(struct ipsec_policy *); 685ssize_t ipsec_hdrsz(struct tdb *); 686void ipsec_adjust_mtu(struct mbuf *, u_int32_t); 687void ipsec_set_mtu(struct tdb *, u_int32_t); 688struct ipsec_acquire *ipsec_get_acquire(u_int32_t); 689void ipsec_unref_acquire(struct ipsec_acquire *); 690int ipsec_forward_check(struct mbuf *, int, int); 691int ipsec_local_check(struct mbuf *, int, int, int); 692 693#endif /* _KERNEL */ 694#endif /* _NETINET_IPSP_H_ */ 695