ip_ipsp.h revision 1.76 
1/*	$OpenBSD: ip_ipsp.h,v 1.76 2001/02/11 16:25:37 fgsch Exp $	*/
2
3/*
4 * The authors of this code are John Ioannidis (ji@tla.org),
5 * Angelos D. Keromytis (kermit@csd.uch.gr),
6 * Niels Provos (provos@physnet.uni-hamburg.de) and
7 * Niklas Hallqvist (niklas@appli.se).
8 *
9 * The original version of this code was written by John Ioannidis
10 * for BSD/OS in Athens, Greece, in November 1995.
11 *
12 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
13 * by Angelos D. Keromytis.
14 *
15 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
16 * and Niels Provos.
17 *
18 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
19 *
20 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
21 * Angelos D. Keromytis and Niels Provos.
22 * Copyright (c) 1999 Niklas Hallqvist.
23 *
24 * Permission to use, copy, and modify this software without fee
25 * is hereby granted, provided that this entire notice is included in
26 * all copies of any software which is or includes a copy or
27 * modification of this software.
28 * You may use this code under the GNU public license if you so wish. Please
29 * contribute changes back to the authors under this freer than GPL license
30 * so that we may further the use of strong encryption without limitations to
31 * all.
32 *
33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37 * PURPOSE.
38 */
39
40#ifndef _NETINET_IPSP_H_
41#define _NETINET_IPSP_H_
42
43/*
44 * IPSP global definitions.
45 */
46
47#include <sys/types.h>
48#include <sys/queue.h>
49#include <netinet/in.h>
50
51union sockaddr_union
52{
53    struct sockaddr     sa;
54    struct sockaddr_in  sin;
55    struct sockaddr_in6 sin6;
56};
57
58/* HMAC key sizes */
59#define MD5HMAC96_KEYSIZE       16
60#define SHA1HMAC96_KEYSIZE      20
61#define RIPEMD160HMAC96_KEYSIZE 20
62
63#define AH_HMAC_HASHLEN		12	/* 96 bits of authenticator */
64#define AH_HMAC_RPLENGTH        4	/* 32 bits of replay counter */
65#define AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */
66
67/* Authenticator lengths */
68#define AH_MD5_ALEN		16
69#define AH_SHA1_ALEN		20
70#define AH_RMD160_ALEN		20
71#define AH_ALEN_MAX		20 	/* Keep updated */
72
73/* Reserved SPI numbers */
74#define SPI_LOCAL_USE		0
75#define SPI_RESERVED_MIN	1
76#define SPI_RESERVED_MAX	255
77
78/* sysctl default values */
79#define IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT	60	/* 1 minute */
80#define IPSEC_DEFAULT_PFS                       1
81#define IPSEC_DEFAULT_SOFT_ALLOCATIONS          0
82#define IPSEC_DEFAULT_EXP_ALLOCATIONS           0
83#define IPSEC_DEFAULT_SOFT_BYTES                0
84#define IPSEC_DEFAULT_EXP_BYTES                 0
85#define IPSEC_DEFAULT_SOFT_TIMEOUT              80000
86#define IPSEC_DEFAULT_EXP_TIMEOUT               86400
87#define IPSEC_DEFAULT_SOFT_FIRST_USE            3600
88#define IPSEC_DEFAULT_EXP_FIRST_USE             7200
89#define IPSEC_DEFAULT_DEF_ENC                   "aes"
90#define IPSEC_DEFAULT_DEF_AUTH                   "hmac-sha1"
91#define IPSEC_DEFAULT_EXPIRE_ACQUIRE            30
92
93struct sockaddr_encap
94{
95    u_int8_t	sen_len;		/* length */
96    u_int8_t	sen_family;		/* PF_KEY */
97    u_int16_t	sen_type;		/* see SENT_* */
98    union
99    {
100	struct				/* SENT_IP4 */
101	{
102	    u_int8_t Direction;
103	    struct in_addr Src;
104	    struct in_addr Dst;
105	    u_int8_t Proto;
106	    u_int16_t Sport;
107	    u_int16_t Dport;
108	} Sip4;
109
110	struct				/* SENT_IP6 */
111	{
112	    u_int8_t Direction;
113	    struct in6_addr Src;
114	    struct in6_addr Dst;
115	    u_int8_t Proto;
116	    u_int16_t Sport;
117	    u_int16_t Dport;
118	} Sip6;
119
120	struct ipsec_policy *PolicyHead;  /* SENT_IPSP */
121    } Sen;
122};
123
124#define IPSP_DIRECTION_IN     0x1
125#define IPSP_DIRECTION_OUT    0x2
126
127#define sen_data	  Sen.Data
128#define sen_ip_src	  Sen.Sip4.Src
129#define sen_ip_dst	  Sen.Sip4.Dst
130#define sen_proto	  Sen.Sip4.Proto
131#define sen_sport	  Sen.Sip4.Sport
132#define sen_dport	  Sen.Sip4.Dport
133#define sen_direction     Sen.Sip4.Direction
134#define sen_ip6_src	  Sen.Sip6.Src
135#define sen_ip6_dst	  Sen.Sip6.Dst
136#define sen_ip6_proto	  Sen.Sip6.Proto
137#define sen_ip6_sport	  Sen.Sip6.Sport
138#define sen_ip6_dport	  Sen.Sip6.Dport
139#define sen_ip6_direction Sen.Sip6.Direction
140#define sen_ipsp          Sen.PolicyHead
141
142/*
143 * The "type" is really part of the address as far as the routing
144 * system is concerned. By using only one bit in the type field
145 * for each type, we sort-of make sure that different types of
146 * encapsulation addresses won't be matched against the wrong type.
147 *
148 */
149
150#define SENT_IP4	0x0001		/* data is two struct in_addr */
151#define SENT_IPSP	0x0002		/* data as in IP4/6 plus SPI */
152#define SENT_IP6        0x0004
153
154#define SENT_LEN        sizeof(struct sockaddr_encap)
155
156struct ipsec_acquire
157{
158    union sockaddr_union       ipa_addr;
159    u_int64_t                  ipa_expire;
160    u_int32_t                  ipa_seq;
161    struct sockaddr_encap      ipa_info;
162    struct sockaddr_encap      ipa_mask;
163    TAILQ_ENTRY(ipsec_acquire) ipa_next;
164};
165
166struct ipsec_policy
167{
168    struct sockaddr_encap ipo_addr;
169    struct sockaddr_encap ipo_mask;
170
171    union sockaddr_union ipo_src;   /* Local address to use */
172    union sockaddr_union ipo_dst;   /* Remote gateway -- if it's zeroed:
173				     * - on output, we try to contact the
174				     * remote host directly (if needed).
175				     * - on input, we accept on if the
176				     * inner source is the same as the
177				     * outer source address, or if transport
178				     * mode was used.
179				     */
180
181    u_int64_t            ipo_last_searched; /* Timestamp of last lookup */
182
183    u_int8_t             ipo_flags; /* See IPSP_POLICY_* definitions */
184    u_int8_t             ipo_type;  /* USE/ACQUIRE/... */
185    u_int8_t             ipo_sproto;/* ESP, AH; if zero we use system dflts */
186
187    struct tdb          *ipo_tdb;   /* Cached entry */
188
189    u_int16_t            ipo_srcid_len;
190    u_int16_t            ipo_dstid_len;
191    u_int16_t            ipo_srcid_type;
192    u_int16_t            ipo_dstid_type;
193
194    u_int8_t            *ipo_srcid;
195    u_int8_t            *ipo_dstid;
196
197    TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* List of policies on TDB */
198    TAILQ_ENTRY(ipsec_policy) ipo_list; /* List of all policy entries */
199};
200
201#define IPSP_POLICY_NONE    0x0000  /* No flags set */
202
203#define IPSP_IPSEC_USE      0 /* Use if existing, don't bother establishing */
204#define IPSP_IPSEC_ACQUIRE  1 /* Try to acquire in parallel but let packet */
205#define IPSP_IPSEC_REQUIRE  2 /* Require SA */
206#define IPSP_PERMIT         3 /* Permit traffic through */
207#define IPSP_DENY           4 /* Deny traffic */
208#define IPSP_IPSEC_DONTACQ  5 /* Require, but don't acquire */
209
210/* Notification types */
211#define NOTIFY_SOFT_EXPIRE      0       /* Soft expiration of SA */
212#define NOTIFY_HARD_EXPIRE      1       /* Hard expiration of SA */
213#define NOTIFY_REQUEST_SA       2       /* Establish an SA */
214
215#define NOTIFY_SATYPE_CONF      1       /* SA should do encryption */
216#define NOTIFY_SATYPE_AUTH      2       /* SA should do authentication */
217#define NOTIFY_SATYPE_TUNNEL    4       /* SA should use tunneling */
218
219/*
220 * For encapsulation routes are possible not only for the destination
221 * address but also for the protocol, source and destination ports
222 * if available
223 */
224
225struct route_enc {
226    struct rtentry *re_rt;
227    struct sockaddr_encap re_dst;
228};
229
230struct tdb				/* tunnel descriptor block */
231{
232    /*
233     * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
234     * one keyed on dst/sproto, and one keyed on src/sproto. The first
235     * is used for finding a specific TDB, the second for finding TDBs
236     * TDBs for outgoing policy matching, and the third for incoming
237     * policy matching. The following three fields maintain the hash
238     * queues in those three tables.
239     */
240    struct tdb	     *tdb_hnext;   /* dst/spi/sproto table */
241    struct tdb       *tdb_anext;   /* dst/sproto table */
242    struct tdb       *tdb_snext;   /* src/sproto table */
243    struct tdb       *tdb_inext;
244    struct tdb       *tdb_onext;
245
246    struct xformsw   *tdb_xform;	/* Transformation to use */
247    struct enc_xform *tdb_encalgxform;  /* Encryption algorithm xform */
248    struct auth_hash *tdb_authalgxform; /* Authentication algorithm xform */
249
250#define TDBF_UNIQUE	      0x00001	/* This should not be used by others */
251#define TDBF_TIMER            0x00002	/* Absolute expiration timer in use */
252#define TDBF_BYTES            0x00004	/* Check the byte counters */
253#define TDBF_ALLOCATIONS      0x00008	/* Check the flows counters */
254#define TDBF_INVALID          0x00010	/* This SPI is not valid yet/anymore */
255#define TDBF_FIRSTUSE         0x00020	/* Expire after first use */
256#define TDBF_HALFIV           0x00040   /* Use half-length IV (ESP old only) */
257#define TDBF_SOFT_TIMER       0x00080	/* Soft expiration */
258#define TDBF_SOFT_BYTES       0x00100	/* Soft expiration */
259#define TDBF_SOFT_ALLOCATIONS 0x00200	/* Soft expiration */
260#define TDBF_SOFT_FIRSTUSE    0x00400	/* Soft expiration */
261#define TDBF_PFS              0x00800	/* Ask for PFS from Key Mgmt. */
262#define TDBF_TUNNELING        0x01000	/* Force IP-IP encapsulation */
263#define TDBF_NOREPLAY         0x02000   /* No replay counter present */
264#define TDBF_RANDOMPADDING    0x04000   /* Random data in the ESP padding */
265
266    u_int32_t	      tdb_flags;  	/* Flags related to this TDB */
267
268    TAILQ_ENTRY(tdb)  tdb_expnext;	/* Expiration cluster list link */
269    TAILQ_ENTRY(tdb)  tdb_explink;	/* Expiration ordered list link */
270
271    u_int32_t         tdb_exp_allocations;  /* Expire after so many flows */
272    u_int32_t         tdb_soft_allocations; /* Expiration warning */
273    u_int32_t         tdb_cur_allocations;  /* Total number of allocations */
274
275    u_int64_t         tdb_exp_bytes;    /* Expire after so many bytes passed */
276    u_int64_t         tdb_soft_bytes;	/* Expiration warning */
277    u_int64_t         tdb_cur_bytes;	/* Current count of bytes */
278
279    u_int64_t         tdb_exp_timeout;	/* When does the SPI expire */
280    u_int64_t         tdb_soft_timeout;	/* Send a soft-expire warning */
281    u_int64_t         tdb_established;	/* When was the SPI established */
282    u_int64_t	      tdb_timeout;	/* Next absolute expiration time.  */
283
284    u_int64_t	      tdb_first_use;	  /* When was it first used */
285    u_int64_t         tdb_soft_first_use; /* Soft warning */
286    u_int64_t         tdb_exp_first_use;  /* Expire if tdb_first_use +
287					   * tdb_exp_first_use <= curtime */
288    u_int64_t         tdb_cryptoid;     /* Crypto session ID */
289
290    u_int32_t	      tdb_spi;    	/* SPI */
291    u_int16_t         tdb_amxkeylen;    /* Raw authentication key length */
292    u_int16_t         tdb_emxkeylen;    /* Raw encryption key length */
293    u_int16_t         tdb_ivlen;        /* IV length */
294    u_int8_t	      tdb_sproto;	/* IPsec protocol */
295    u_int8_t          tdb_wnd;          /* Replay window */
296    u_int8_t          tdb_satype;       /* SA type (RFC2367, PF_KEY) */
297
298    union sockaddr_union tdb_dst;	/* Destination address for this SA */
299    union sockaddr_union tdb_src;	/* Source address for this SA */
300    union sockaddr_union tdb_proxy;
301
302    u_int8_t         *tdb_srcid;        /* Source ID for this SA */
303    u_int8_t         *tdb_dstid;        /* Destination ID for this SA */
304    u_int8_t         *tdb_amxkey;       /* Raw authentication key */
305    u_int8_t         *tdb_emxkey;       /* Raw encryption key */
306
307    u_int32_t         tdb_rpl;	        /* Replay counter */
308    u_int32_t         tdb_bitmap;       /* Used for replay sliding window */
309    u_int32_t         tdb_initial;	/* Initial replay value */
310
311    u_int32_t         tdb_epoch;	/* Used by the kernfs interface */
312    u_int16_t         tdb_srcid_len;
313    u_int16_t         tdb_dstid_len;
314    u_int16_t         tdb_srcid_type;
315    u_int16_t         tdb_dstid_type;
316
317    u_int8_t          tdb_iv[4];        /* Used for HALF-IV ESP */
318
319    caddr_t           tdb_interface;
320
321    TAILQ_HEAD(tdb_inp_head, inpcb) tdb_inp;
322    TAILQ_HEAD(tdb_policy_head, ipsec_policy) tdb_policy_head;
323};
324
325struct tdb_ident {
326    u_int32_t spi;
327    union sockaddr_union dst;
328    u_int8_t proto;
329};
330
331struct tdb_crypto {
332    u_int32_t			tc_spi;
333    union sockaddr_union	tc_dst;
334    u_int8_t			tc_proto;
335    int                         tc_protoff;
336    int                         tc_skip;
337    caddr_t                     tc_ptr;
338};
339
340struct ipsecinit
341{
342    u_int8_t       *ii_enckey;
343    u_int8_t       *ii_authkey;
344    u_int16_t       ii_enckeylen;
345    u_int16_t       ii_authkeylen;
346    u_int8_t        ii_encalg;
347    u_int8_t        ii_authalg;
348};
349
350struct xformsw
351{
352    u_short		xf_type;	/* Unique ID of xform */
353    u_short		xf_flags;	/* flags (see below) */
354    char		*xf_name;	/* human-readable name */
355    int		(*xf_attach)(void);	/* called at config time */
356    int		(*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *);
357    int		(*xf_zeroize)(struct tdb *); /* termination */
358    int         (*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */
359    int		(*xf_output)(struct mbuf *, struct tdb *, struct mbuf **, int, int);        /* output */
360};
361
362/* xform IDs */
363#define XF_IP4		1	/* IP inside IP */
364#define XF_AH		2	/* AH */
365#define XF_ESP		3	/* ESP */
366#define XF_TCPSIGNATURE	5	/* TCP MD5 Signature option, RFC 2358 */
367
368/* xform attributes */
369#define XFT_AUTH	0x0001
370#define XFT_CONF	0x0100
371
372#define IPSEC_ZEROES_SIZE	256	/* Larger than an IP6 extension hdr. */
373#define IPSEC_KERNFS_BUFSIZE    4096
374
375#if BYTE_ORDER == LITTLE_ENDIAN
376static __inline u_int64_t
377htonq(u_int64_t q)
378{
379    register u_int32_t u, l;
380    u = q >> 32;
381    l = (u_int32_t) q;
382
383    return htonl(u) | ((u_int64_t)htonl(l) << 32);
384}
385
386#define ntohq(_x) htonq(_x)
387
388#elif BYTE_ORDER == BIG_ENDIAN
389
390#define htonq(_x) (_x)
391#define ntohq(_x) htonq(_x)
392
393#else
394#error  "Please fix <machine/endian.h>"
395#endif
396
397#ifdef _KERNEL
398#ifndef CRYPTO
399#error "Must define CRYPTO in kernel config"
400#endif
401
402/*
403 * Protects all tdb lists.
404 * Must at least be splsoftnet (note: do not use splsoftclock as it is
405 * special on some architectures, assuming it is always an spl lowering
406 * operation).
407 */
408#define spltdb	splsoftnet
409
410extern int encdebug;
411extern int ipsec_acl;
412extern int ipsec_keep_invalid;
413extern int ipsec_in_use;
414extern u_int64_t ipsec_last_added;
415extern int ipsec_require_pfs;
416extern int ipsec_expire_acquire;
417
418extern int ipsec_soft_allocations;
419extern int ipsec_exp_allocations;
420extern int ipsec_soft_bytes;
421extern int ipsec_exp_bytes;
422extern int ipsec_soft_timeout;
423extern int ipsec_exp_timeout;
424extern int ipsec_soft_first_use;
425extern int ipsec_exp_first_use;
426extern char ipsec_def_enc[];
427extern char ipsec_def_auth[];
428
429extern struct enc_xform enc_xform_des;
430extern struct enc_xform enc_xform_3des;
431extern struct enc_xform enc_xform_blf;
432extern struct enc_xform enc_xform_cast5;
433extern struct enc_xform enc_xform_skipjack;
434
435extern struct auth_hash auth_hash_hmac_md5_96;
436extern struct auth_hash auth_hash_hmac_sha1_96;
437extern struct auth_hash auth_hash_hmac_ripemd_160_96;
438
439extern TAILQ_HEAD(expclusterlist_head, tdb) expclusterlist;
440extern TAILQ_HEAD(explist_head, tdb) explist;
441extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;
442extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head;
443
444extern struct xformsw xformsw[], *xformswNXFORMSW;
445
446/* Check if a given tdb has encryption, authentication and/or tunneling */
447#define TDB_ATTRIB(x) (((x)->tdb_encalgxform ? NOTIFY_SATYPE_CONF : 0)| \
448		       ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0))
449
450/* Traverse spi chain and get attributes */
451
452#define SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) do {\
453	int s = spltdb(); \
454	struct tdb *tmptdb = (TDBP); \
455	\
456	(have) = 0; \
457	while (tmptdb && tmptdb->tdb_xform) { \
458	        if (tmptdb == NULL || tmptdb->tdb_flags & TDBF_INVALID) \
459	                break; \
460                (have) |= TDB_ATTRIB(tmptdb); \
461                tmptdb = tmptdb->TDB_DIR; \
462        } \
463	splx(s); \
464} while (0)
465
466/* Misc. */
467extern char *inet_ntoa4(struct in_addr);
468extern char *ipsp_address(union sockaddr_union);
469
470/* TDB management routines */
471extern void tdb_add_inp(struct tdb *tdb, struct inpcb *inp);
472extern u_int32_t reserve_spi(u_int32_t, u_int32_t, union sockaddr_union *,
473			     union sockaddr_union *, u_int8_t, int *);
474extern struct tdb *gettdb(u_int32_t, union sockaddr_union *, u_int8_t);
475extern struct tdb *gettdbbyaddr(union sockaddr_union *, u_int8_t,
476				struct mbuf *, int);
477extern struct tdb *gettdbbysrc(union sockaddr_union *, u_int8_t,
478			       struct mbuf *, int);
479extern void puttdb(struct tdb *);
480extern void tdb_delete(struct tdb *, int);
481extern int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
482extern void tdb_expiration(struct tdb *, int);
483/* Flag values for the last argument of tdb_expiration().  */
484#define TDBEXP_EARLY	1	/* The tdb is likely to end up early.  */
485#define TDBEXP_TIMEOUT	2	/* Maintain expiration timeout.  */
486extern int tdb_walk(int (*)(struct tdb *, void *, int), void *);
487extern void handle_expirations(void *);
488
489/* XF_IP4 */
490extern int ipe4_attach(void);
491extern int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
492extern int ipe4_zeroize(struct tdb *);
493extern int ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
494extern void ipe4_input __P((struct mbuf *, ...));
495extern void ipip_input __P((struct mbuf *, int));
496
497#ifdef INET
498extern void ip4_input __P((struct mbuf *, ...));
499#endif /* INET */
500
501#ifdef INET6
502extern int ip4_input6 __P((struct mbuf **, int *, int));
503#endif /* INET */
504
505/* XF_ETHERIP */
506extern int etherip_output(struct mbuf *, struct tdb *, struct mbuf **,
507			  int, int);
508extern void etherip_input __P((struct mbuf *, ...));
509
510/* XF_AH */
511extern int ah_attach(void);
512extern int ah_init(struct tdb *, struct xformsw *, struct ipsecinit *);
513extern int ah_zeroize(struct tdb *);
514extern int ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
515extern int ah_output_cb(void *);
516extern int ah_input(struct mbuf *, struct tdb *, int, int);
517extern int ah_input_cb(void *);
518extern int ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);
519extern int ah_massage_headers(struct mbuf **, int, int, int, int);
520
521#ifdef INET
522extern void ah4_input __P((struct mbuf *, ...));
523extern int ah4_input_cb __P((struct mbuf *, ...));
524#endif /* INET */
525
526#ifdef INET6
527extern int ah6_input __P((struct mbuf **, int *, int));
528extern int ah6_input_cb __P((struct mbuf *, int, int));
529#endif /* INET6 */
530
531/* XF_ESP */
532extern int esp_attach(void);
533extern int esp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
534extern int esp_zeroize(struct tdb *);
535extern int esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
536extern int esp_output_cb(void *);
537extern int esp_input(struct mbuf *, struct tdb *, int, int);
538extern int esp_input_cb(void *);
539extern int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
540
541#ifdef INET
542extern void esp4_input __P((struct mbuf *, ...));
543extern int esp4_input_cb __P((struct mbuf *, ...));
544#endif /* INET */
545
546#ifdef INET6
547extern int esp6_input __P((struct mbuf **, int *, int));
548extern int esp6_input_cb __P((struct mbuf *, int, int));
549#endif /* INET6 */
550
551/* XF_TCPSIGNATURE */
552extern int tcp_signature_tdb_attach __P((void));
553extern int tcp_signature_tdb_init __P((struct tdb *, struct xformsw *,
554				       struct ipsecinit *));
555extern int tcp_signature_tdb_zeroize __P((struct tdb *));
556extern int tcp_signature_tdb_input __P((struct mbuf *, struct tdb *, int,
557					int));
558extern int tcp_signature_tdb_output __P((struct mbuf *, struct tdb *,
559					 struct mbuf **, int, int));
560
561/* Padding */
562extern caddr_t m_pad(struct mbuf *, int);
563
564/* Replay window */
565extern int checkreplaywindow32(u_int32_t, u_int32_t, u_int32_t *, u_int32_t,
566                               u_int32_t *);
567
568extern unsigned char ipseczeroes[];
569
570/* Packet processing */
571extern int ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
572extern int ipsp_process_done(struct mbuf *, struct tdb *);
573extern struct tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int,
574                                   struct tdb *, struct inpcb *);
575extern int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int);
576extern int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *,
577			   union sockaddr_union *, struct sockaddr_encap *);
578extern struct ipsec_policy *ipsec_add_policy(struct sockaddr_encap *,
579					     struct sockaddr_encap *,
580					     union sockaddr_union *, int, int);
581extern int ipsp_match_policy(struct tdb *, struct ipsec_policy *,
582			     struct mbuf *, int);
583extern void ipsp_acquire_expirations(void *);
584extern int ipsec_delete_policy(struct ipsec_policy *);
585extern struct ipsec_acquire *ipsec_get_acquire(u_int32_t);
586#endif /* _KERNEL */
587#endif /* _NETINET_IPSP_H_ */
588