ip_ipsp.h revision 1.72
1/* $OpenBSD: ip_ipsp.h,v 1.72 2000/09/20 19:13:17 angelos Exp $ */ 2 3/* 4 * The authors of this code are John Ioannidis (ji@tla.org), 5 * Angelos D. Keromytis (kermit@csd.uch.gr), 6 * Niels Provos (provos@physnet.uni-hamburg.de) and 7 * Niklas Hallqvist (niklas@appli.se). 8 * 9 * The original version of this code was written by John Ioannidis 10 * for BSD/OS in Athens, Greece, in November 1995. 11 * 12 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 13 * by Angelos D. Keromytis. 14 * 15 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 16 * and Niels Provos. 17 * 18 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 19 * 20 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 21 * Angelos D. Keromytis and Niels Provos. 22 * Copyright (c) 1999 Niklas Hallqvist. 23 * 24 * Permission to use, copy, and modify this software without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40#ifndef _NETINET_IPSP_H_ 41#define _NETINET_IPSP_H_ 42 43/* 44 * IPSP global definitions. 45 */ 46 47#include <sys/types.h> 48#include <sys/queue.h> 49#include <netinet/in.h> 50 51union sockaddr_union 52{ 53 struct sockaddr sa; 54 struct sockaddr_in sin; 55 struct sockaddr_in6 sin6; 56}; 57 58/* HMAC key sizes */ 59#define MD5HMAC96_KEYSIZE 16 60#define SHA1HMAC96_KEYSIZE 20 61#define RIPEMD160HMAC96_KEYSIZE 20 62 63#define AH_HMAC_HASHLEN 12 /* 96 bits of authenticator */ 64#define AH_HMAC_RPLENGTH 4 /* 32 bits of replay counter */ 65#define AH_HMAC_INITIAL_RPL 1 /* Replay counter initial value */ 66 67/* Authenticator lengths */ 68#define AH_MD5_ALEN 16 69#define AH_SHA1_ALEN 20 70#define AH_RMD160_ALEN 20 71#define AH_ALEN_MAX 20 /* Keep updated */ 72 73/* Reserved SPI numbers */ 74#define SPI_LOCAL_USE 0 75#define SPI_RESERVED_MIN 1 76#define SPI_RESERVED_MAX 255 77 78/* sysctl default values */ 79#define IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT 60 /* 1 minute */ 80#define IPSEC_DEFAULT_PFS 1 81#define IPSEC_DEFAULT_SOFT_ALLOCATIONS 0 82#define IPSEC_DEFAULT_EXP_ALLOCATIONS 0 83#define IPSEC_DEFAULT_SOFT_BYTES 0 84#define IPSEC_DEFAULT_EXP_BYTES 0 85#define IPSEC_DEFAULT_SOFT_TIMEOUT 80000 86#define IPSEC_DEFAULT_EXP_TIMEOUT 86400 87#define IPSEC_DEFAULT_SOFT_FIRST_USE 3600 88#define IPSEC_DEFAULT_EXP_FIRST_USE 7200 89#define IPSEC_DEFAULT_DEF_ENC "3des" 90#define IPSEC_DEFAULT_DEF_AUTH "hmac-sha1" 91#define IPSEC_DEFAULT_EXPIRE_ACQUIRE 30 92 93struct sockaddr_encap 94{ 95 u_int8_t sen_len; /* length */ 96 u_int8_t sen_family; /* PF_KEY */ 97 u_int16_t sen_type; /* see SENT_* */ 98 union 99 { 100 struct /* SENT_IP4 */ 101 { 102 u_int8_t Direction; 103 struct in_addr Src; 104 struct in_addr Dst; 105 u_int8_t Proto; 106 u_int16_t Sport; 107 u_int16_t Dport; 108 } Sip4; 109 110 struct /* SENT_IP6 */ 111 { 112 u_int8_t Direction; 113 struct in6_addr Src; 114 struct in6_addr Dst; 115 u_int8_t Proto; 116 u_int16_t Sport; 117 u_int16_t Dport; 118 } Sip6; 119 120 struct ipsec_policy *PolicyHead; /* SENT_IPSP */ 121 } Sen; 122}; 123 124#define IPSP_DIRECTION_IN 0x1 125#define IPSP_DIRECTION_OUT 0x2 126 127#define sen_data Sen.Data 128#define sen_ip_src Sen.Sip4.Src 129#define sen_ip_dst Sen.Sip4.Dst 130#define sen_proto Sen.Sip4.Proto 131#define sen_sport Sen.Sip4.Sport 132#define sen_dport Sen.Sip4.Dport 133#define sen_direction Sen.Sip4.Direction 134#define sen_ip6_src Sen.Sip6.Src 135#define sen_ip6_dst Sen.Sip6.Dst 136#define sen_ip6_proto Sen.Sip6.Proto 137#define sen_ip6_sport Sen.Sip6.Sport 138#define sen_ip6_dport Sen.Sip6.Dport 139#define sen_ip6_direction Sen.Sip6.Direction 140#define sen_ipsp Sen.PolicyHead 141 142/* 143 * The "type" is really part of the address as far as the routing 144 * system is concerned. By using only one bit in the type field 145 * for each type, we sort-of make sure that different types of 146 * encapsulation addresses won't be matched against the wrong type. 147 * 148 */ 149 150#define SENT_IP4 0x0001 /* data is two struct in_addr */ 151#define SENT_IPSP 0x0002 /* data as in IP4/6 plus SPI */ 152#define SENT_IP6 0x0004 153 154#define SENT_LEN sizeof(struct sockaddr_encap) 155 156struct ipsec_acquire 157{ 158 union sockaddr_union ipa_addr; 159 u_int64_t ipa_expire; 160 TAILQ_ENTRY(ipsec_acquire) ipa_next; 161}; 162 163struct ipsec_policy 164{ 165 struct sockaddr_encap ipo_addr; 166 struct sockaddr_encap ipo_mask; 167 168 union sockaddr_union ipo_src; /* Local address to use */ 169 union sockaddr_union ipo_dst; /* Remote gateway -- if it's zeroed: 170 * - on output, we try to contact the 171 * remote host directly (if needed). 172 * - on input, we accept on if the 173 * inner source is the same as the 174 * outer source address, or if transport 175 * mode was used. 176 */ 177 178 u_int64_t ipo_last_searched; /* Timestamp of last lookup */ 179 180 u_int8_t ipo_flags; /* See IPSP_POLICY_* definitions */ 181 u_int8_t ipo_type; /* USE/ACQUIRE/... */ 182 u_int8_t ipo_sproto;/* ESP, AH; if zero we use system dflts */ 183 184 struct tdb *ipo_tdb; /* Cached entry */ 185 186 u_int16_t ipo_srcid_len; 187 u_int16_t ipo_dstid_len; 188 u_int16_t ipo_srcid_type; 189 u_int16_t ipo_dstid_type; 190 191 u_int8_t *ipo_srcid; 192 u_int8_t *ipo_dstid; 193 194 TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* List of policies on TDB */ 195 TAILQ_ENTRY(ipsec_policy) ipo_list; /* List of all policy entries */ 196}; 197 198#define IPSP_POLICY_NONE 0x0000 /* No flags set */ 199 200#define IPSP_IPSEC_USE 0 /* Use if existing, don't bother establishing */ 201#define IPSP_IPSEC_ACQUIRE 1 /* Try to acquire in parallel but let packet */ 202#define IPSP_IPSEC_REQUIRE 2 /* Require SA */ 203#define IPSP_PERMIT 3 /* Permit traffic through */ 204#define IPSP_DENY 4 /* Deny traffic */ 205#define IPSP_IPSEC_DONTACQ 5 /* Require, but don't acquire */ 206 207/* Notification types */ 208#define NOTIFY_SOFT_EXPIRE 0 /* Soft expiration of SA */ 209#define NOTIFY_HARD_EXPIRE 1 /* Hard expiration of SA */ 210#define NOTIFY_REQUEST_SA 2 /* Establish an SA */ 211 212#define NOTIFY_SATYPE_CONF 1 /* SA should do encryption */ 213#define NOTIFY_SATYPE_AUTH 2 /* SA should do authentication */ 214#define NOTIFY_SATYPE_TUNNEL 4 /* SA should use tunneling */ 215 216/* 217 * For encapsulation routes are possible not only for the destination 218 * address but also for the protocol, source and destination ports 219 * if available 220 */ 221 222struct route_enc { 223 struct rtentry *re_rt; 224 struct sockaddr_encap re_dst; 225}; 226 227struct tdb /* tunnel descriptor block */ 228{ 229 /* 230 * Each TDB is on three hash tables: one keyed on dst/spi/sproto, 231 * one keyed on dst/sproto, and one keyed on src/sproto. The first 232 * is used for finding a specific TDB, the second for finding TDBs 233 * TDBs for outgoing policy matching, and the third for incoming 234 * policy matching. The following three fields maintain the hash 235 * queues in those three tables. 236 */ 237 struct tdb *tdb_hnext; /* dst/spi/sproto table */ 238 struct tdb *tdb_anext; /* dst/sproto table */ 239 struct tdb *tdb_snext; /* src/sproto table */ 240 struct tdb *tdb_inext; 241 struct tdb *tdb_onext; 242 243 struct xformsw *tdb_xform; /* Transformation to use */ 244 struct enc_xform *tdb_encalgxform; /* Encryption algorithm xform */ 245 struct auth_hash *tdb_authalgxform; /* Authentication algorithm xform */ 246 247#define TDBF_UNIQUE 0x00001 /* This should not be used by others */ 248#define TDBF_TIMER 0x00002 /* Absolute expiration timer in use */ 249#define TDBF_BYTES 0x00004 /* Check the byte counters */ 250#define TDBF_ALLOCATIONS 0x00008 /* Check the flows counters */ 251#define TDBF_INVALID 0x00010 /* This SPI is not valid yet/anymore */ 252#define TDBF_FIRSTUSE 0x00020 /* Expire after first use */ 253#define TDBF_HALFIV 0x00040 /* Use half-length IV (ESP old only) */ 254#define TDBF_SOFT_TIMER 0x00080 /* Soft expiration */ 255#define TDBF_SOFT_BYTES 0x00100 /* Soft expiration */ 256#define TDBF_SOFT_ALLOCATIONS 0x00200 /* Soft expiration */ 257#define TDBF_SOFT_FIRSTUSE 0x00400 /* Soft expiration */ 258#define TDBF_PFS 0x00800 /* Ask for PFS from Key Mgmt. */ 259#define TDBF_TUNNELING 0x01000 /* Force IP-IP encapsulation */ 260#define TDBF_NOREPLAY 0x02000 /* No replay counter present */ 261#define TDBF_RANDOMPADDING 0x04000 /* Random data in the ESP padding */ 262 263 u_int32_t tdb_flags; /* Flags related to this TDB */ 264 265 TAILQ_ENTRY(tdb) tdb_expnext; /* Expiration cluster list link */ 266 TAILQ_ENTRY(tdb) tdb_explink; /* Expiration ordered list link */ 267 268 u_int32_t tdb_exp_allocations; /* Expire after so many flows */ 269 u_int32_t tdb_soft_allocations; /* Expiration warning */ 270 u_int32_t tdb_cur_allocations; /* Total number of allocations */ 271 272 u_int64_t tdb_exp_bytes; /* Expire after so many bytes passed */ 273 u_int64_t tdb_soft_bytes; /* Expiration warning */ 274 u_int64_t tdb_cur_bytes; /* Current count of bytes */ 275 276 u_int64_t tdb_exp_timeout; /* When does the SPI expire */ 277 u_int64_t tdb_soft_timeout; /* Send a soft-expire warning */ 278 u_int64_t tdb_established; /* When was the SPI established */ 279 u_int64_t tdb_timeout; /* Next absolute expiration time. */ 280 281 u_int64_t tdb_first_use; /* When was it first used */ 282 u_int64_t tdb_soft_first_use; /* Soft warning */ 283 u_int64_t tdb_exp_first_use; /* Expire if tdb_first_use + 284 * tdb_exp_first_use <= curtime */ 285 u_int64_t tdb_cryptoid; /* Crypto session ID */ 286 287 u_int32_t tdb_spi; /* SPI */ 288 u_int16_t tdb_amxkeylen; /* Raw authentication key length */ 289 u_int16_t tdb_emxkeylen; /* Raw encryption key length */ 290 u_int16_t tdb_ivlen; /* IV length */ 291 u_int8_t tdb_sproto; /* IPsec protocol */ 292 u_int8_t tdb_wnd; /* Replay window */ 293 u_int8_t tdb_satype; /* SA type (RFC2367, PF_KEY) */ 294 295 union sockaddr_union tdb_dst; /* Destination address for this SA */ 296 union sockaddr_union tdb_src; /* Source address for this SA */ 297 union sockaddr_union tdb_proxy; 298 299 u_int8_t *tdb_srcid; /* Source ID for this SA */ 300 u_int8_t *tdb_dstid; /* Destination ID for this SA */ 301 u_int8_t *tdb_amxkey; /* Raw authentication key */ 302 u_int8_t *tdb_emxkey; /* Raw encryption key */ 303 304 u_int32_t tdb_rpl; /* Replay counter */ 305 u_int32_t tdb_bitmap; /* Used for replay sliding window */ 306 u_int32_t tdb_initial; /* Initial replay value */ 307 308 u_int32_t tdb_epoch; /* Used by the kernfs interface */ 309 u_int16_t tdb_srcid_len; 310 u_int16_t tdb_dstid_len; 311 u_int16_t tdb_srcid_type; 312 u_int16_t tdb_dstid_type; 313 314 u_int8_t tdb_iv[4]; /* Used for HALF-IV ESP */ 315 316 caddr_t tdb_interface; 317 318 TAILQ_HEAD(tdb_inp_head, inpcb) tdb_inp; 319 TAILQ_HEAD(tdb_policy_head, ipsec_policy) tdb_policy_head; 320}; 321 322struct tdb_ident { 323 u_int32_t spi; 324 union sockaddr_union dst; 325 u_int8_t proto; 326}; 327 328struct tdb_crypto { 329 u_int32_t tc_spi; 330 union sockaddr_union tc_dst; 331 u_int8_t tc_proto; 332 int tc_protoff; 333 int tc_skip; 334 caddr_t tc_ptr; 335}; 336 337struct ipsecinit 338{ 339 u_int8_t *ii_enckey; 340 u_int8_t *ii_authkey; 341 u_int16_t ii_enckeylen; 342 u_int16_t ii_authkeylen; 343 u_int8_t ii_encalg; 344 u_int8_t ii_authalg; 345}; 346 347struct xformsw 348{ 349 u_short xf_type; /* Unique ID of xform */ 350 u_short xf_flags; /* flags (see below) */ 351 char *xf_name; /* human-readable name */ 352 int (*xf_attach)(void); /* called at config time */ 353 int (*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *); 354 int (*xf_zeroize)(struct tdb *); /* termination */ 355 int (*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */ 356 int (*xf_output)(struct mbuf *, struct tdb *, struct mbuf **, int, int); /* output */ 357}; 358 359/* xform IDs */ 360#define XF_IP4 1 /* IP inside IP */ 361#define XF_AH 2 /* AH */ 362#define XF_ESP 3 /* ESP */ 363#define XF_TCPSIGNATURE 5 /* TCP MD5 Signature option, RFC 2358 */ 364 365/* xform attributes */ 366#define XFT_AUTH 0x0001 367#define XFT_CONF 0x0100 368 369#define IPSEC_ZEROES_SIZE 256 /* Larger than an IP6 extension hdr. */ 370#define IPSEC_KERNFS_BUFSIZE 4096 371 372#if BYTE_ORDER == LITTLE_ENDIAN 373static __inline u_int64_t 374htonq(u_int64_t q) 375{ 376 register u_int32_t u, l; 377 u = q >> 32; 378 l = (u_int32_t) q; 379 380 return htonl(u) | ((u_int64_t)htonl(l) << 32); 381} 382 383#define ntohq(_x) htonq(_x) 384 385#elif BYTE_ORDER == BIG_ENDIAN 386 387#define htonq(_x) (_x) 388#define ntohq(_x) htonq(_x) 389 390#else 391#error "Please fix <machine/endian.h>" 392#endif 393 394#ifdef _KERNEL 395 396/* 397 * Protects all tdb lists. 398 * Must at least be splsoftnet (note: do not use splsoftclock as it is 399 * special on some architectures, assuming it is always an spl lowering 400 * operation). 401 */ 402#define spltdb splsoftnet 403 404extern int encdebug; 405extern int ipsec_acl; 406extern int ipsec_keep_invalid; 407extern int ipsec_in_use; 408extern u_int64_t ipsec_last_added; 409extern int ipsec_require_pfs; 410extern int ipsec_expire_acquire; 411 412extern int ipsec_soft_allocations; 413extern int ipsec_exp_allocations; 414extern int ipsec_soft_bytes; 415extern int ipsec_exp_bytes; 416extern int ipsec_soft_timeout; 417extern int ipsec_exp_timeout; 418extern int ipsec_soft_first_use; 419extern int ipsec_exp_first_use; 420extern char ipsec_def_enc[]; 421extern char ipsec_def_auth[]; 422 423extern struct enc_xform enc_xform_des; 424extern struct enc_xform enc_xform_3des; 425extern struct enc_xform enc_xform_blf; 426extern struct enc_xform enc_xform_cast5; 427extern struct enc_xform enc_xform_skipjack; 428 429extern struct auth_hash auth_hash_hmac_md5_96; 430extern struct auth_hash auth_hash_hmac_sha1_96; 431extern struct auth_hash auth_hash_hmac_ripemd_160_96; 432 433extern TAILQ_HEAD(expclusterlist_head, tdb) expclusterlist; 434extern TAILQ_HEAD(explist_head, tdb) explist; 435extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head; 436extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head; 437 438extern struct xformsw xformsw[], *xformswNXFORMSW; 439 440/* Check if a given tdb has encryption, authentication and/or tunneling */ 441#define TDB_ATTRIB(x) (((x)->tdb_encalgxform ? NOTIFY_SATYPE_CONF : 0)| \ 442 ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0)) 443 444/* Traverse spi chain and get attributes */ 445 446#define SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) do {\ 447 int s = spltdb(); \ 448 struct tdb *tmptdb = (TDBP); \ 449 \ 450 (have) = 0; \ 451 while (tmptdb && tmptdb->tdb_xform) { \ 452 if (tmptdb == NULL || tmptdb->tdb_flags & TDBF_INVALID) \ 453 break; \ 454 (have) |= TDB_ATTRIB(tmptdb); \ 455 tmptdb = tmptdb->TDB_DIR; \ 456 } \ 457 splx(s); \ 458} while (0) 459 460/* Misc. */ 461extern char *inet_ntoa4(struct in_addr); 462extern char *ipsp_address(union sockaddr_union); 463 464/* TDB management routines */ 465extern void tdb_add_inp(struct tdb *tdb, struct inpcb *inp); 466extern u_int32_t reserve_spi(u_int32_t, u_int32_t, union sockaddr_union *, 467 union sockaddr_union *, u_int8_t, int *); 468extern struct tdb *gettdb(u_int32_t, union sockaddr_union *, u_int8_t); 469extern struct tdb *gettdbbyaddr(union sockaddr_union *, u_int8_t, 470 struct mbuf *, int); 471extern struct tdb *gettdbbysrc(union sockaddr_union *, u_int8_t, 472 struct mbuf *, int); 473extern void puttdb(struct tdb *); 474extern void tdb_delete(struct tdb *, int); 475extern int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *); 476extern void tdb_expiration(struct tdb *, int); 477/* Flag values for the last argument of tdb_expiration(). */ 478#define TDBEXP_EARLY 1 /* The tdb is likely to end up early. */ 479#define TDBEXP_TIMEOUT 2 /* Maintain expiration timeout. */ 480extern int tdb_walk(int (*)(struct tdb *, void *), void *); 481extern void handle_expirations(void *); 482 483/* XF_IP4 */ 484extern int ipe4_attach(void); 485extern int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *); 486extern int ipe4_zeroize(struct tdb *); 487extern int ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 488extern void ipe4_input __P((struct mbuf *, ...)); 489extern void ipip_input __P((struct mbuf *, int)); 490 491#ifdef INET 492extern void ip4_input __P((struct mbuf *, ...)); 493#endif /* INET */ 494 495#ifdef INET6 496extern int ip4_input6 __P((struct mbuf **, int *, int)); 497#endif /* INET */ 498 499/* XF_ETHERIP */ 500extern int etherip_output(struct mbuf *, struct tdb *, struct mbuf **, 501 int, int); 502extern void etherip_input __P((struct mbuf *, ...)); 503 504/* XF_AH */ 505extern int ah_attach(void); 506extern int ah_init(struct tdb *, struct xformsw *, struct ipsecinit *); 507extern int ah_zeroize(struct tdb *); 508extern int ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 509extern int ah_output_cb(void *); 510extern int ah_input(struct mbuf *, struct tdb *, int, int); 511extern int ah_input_cb(void *); 512extern int ah_sysctl(int *, u_int, void *, size_t *, void *, size_t); 513extern int ah_massage_headers(struct mbuf **, int, int, int, int); 514 515#ifdef INET 516extern void ah4_input __P((struct mbuf *, ...)); 517extern int ah4_input_cb __P((struct mbuf *, ...)); 518#endif /* INET */ 519 520#ifdef INET6 521extern int ah6_input __P((struct mbuf **, int *, int)); 522extern int ah6_input_cb __P((struct mbuf *, int, int)); 523#endif /* INET6 */ 524 525/* XF_ESP */ 526extern int esp_attach(void); 527extern int esp_init(struct tdb *, struct xformsw *, struct ipsecinit *); 528extern int esp_zeroize(struct tdb *); 529extern int esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); 530extern int esp_output_cb(void *); 531extern int esp_input(struct mbuf *, struct tdb *, int, int); 532extern int esp_input_cb(void *); 533extern int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t); 534 535#ifdef INET 536extern void esp4_input __P((struct mbuf *, ...)); 537extern int esp4_input_cb __P((struct mbuf *, ...)); 538#endif /* INET */ 539 540#ifdef INET6 541extern int esp6_input __P((struct mbuf **, int *, int)); 542extern int esp6_input_cb __P((struct mbuf *, int, int)); 543#endif /* INET6 */ 544 545/* XF_TCPSIGNATURE */ 546extern int tcp_signature_tdb_attach __P((void)); 547extern int tcp_signature_tdb_init __P((struct tdb *, struct xformsw *, 548 struct ipsecinit *)); 549extern int tcp_signature_tdb_zeroize __P((struct tdb *)); 550extern int tcp_signature_tdb_input __P((struct mbuf *, struct tdb *, int, 551 int)); 552extern int tcp_signature_tdb_output __P((struct mbuf *, struct tdb *, 553 struct mbuf **, int, int)); 554 555/* Padding */ 556extern caddr_t m_pad(struct mbuf *, int); 557 558/* Replay window */ 559extern int checkreplaywindow32(u_int32_t, u_int32_t, u_int32_t *, u_int32_t, 560 u_int32_t *); 561 562extern unsigned char ipseczeroes[]; 563 564/* Packet processing */ 565extern int ipsp_process_packet(struct mbuf *, struct tdb *, int, int); 566extern int ipsp_process_done(struct mbuf *, struct tdb *); 567extern struct tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int, 568 struct tdb *, struct inpcb *); 569extern int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int); 570extern int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *, 571 union sockaddr_union *); 572extern struct ipsec_policy *ipsec_add_policy(struct sockaddr_encap *, 573 struct sockaddr_encap *, 574 union sockaddr_union *, int, int); 575extern int ipsp_match_policy(struct tdb *, struct ipsec_policy *, 576 struct mbuf *, int); 577extern void ipsp_acquire_expirations(void *); 578extern int ipsec_delete_policy(struct ipsec_policy *); 579#endif /* _KERNEL */ 580#endif /* _NETINET_IPSP_H_ */ 581