1.1 ! nbrk 1: /* $OpenBSD: ip_ipsp.h,v 1.135 2006/11/24 13:52:14 reyk Exp $ */
! 2: /*
! 3: * The authors of this code are John Ioannidis (ji@tla.org),
! 4: * Angelos D. Keromytis (kermit@csd.uch.gr),
! 5: * Niels Provos (provos@physnet.uni-hamburg.de) and
! 6: * Niklas Hallqvist (niklas@appli.se).
! 7: *
! 8: * The original version of this code was written by John Ioannidis
! 9: * for BSD/OS in Athens, Greece, in November 1995.
! 10: *
! 11: * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
! 12: * by Angelos D. Keromytis.
! 13: *
! 14: * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
! 15: * and Niels Provos.
! 16: *
! 17: * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
! 18: *
! 19: * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
! 20: * Angelos D. Keromytis and Niels Provos.
! 21: * Copyright (c) 1999 Niklas Hallqvist.
! 22: * Copyright (c) 2001, Angelos D. Keromytis.
! 23: *
! 24: * Permission to use, copy, and modify this software with or without fee
! 25: * is hereby granted, provided that this entire notice is included in
! 26: * all copies of any software which is or includes a copy or
! 27: * modification of this software.
! 28: * You may use this code under the GNU public license if you so wish. Please
! 29: * contribute changes back to the authors under this freer than GPL license
! 30: * so that we may further the use of strong encryption without limitations to
! 31: * all.
! 32: *
! 33: * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
! 34: * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
! 35: * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
! 36: * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
! 37: * PURPOSE.
! 38: */
! 39:
! 40: #ifndef _NETINET_IPSP_H_
! 41: #define _NETINET_IPSP_H_
! 42:
! 43: /* IPSP global definitions. */
! 44:
! 45: #include <sys/types.h>
! 46: #include <sys/queue.h>
! 47: #include <sys/timeout.h>
! 48: #include <netinet/in.h>
! 49:
/*
 * Generic socket-address container: overlays the family-neutral
 * struct sockaddr with its IPv4 and IPv6 forms, so one object can hold
 * an address of either family.  Used for every endpoint in this file
 * (TDB src/dst/proxy, policy src/dst, acquire address).
 */
union sockaddr_union {
	struct sockaddr		sa;	/* family-neutral view */
	struct sockaddr_in	sin;	/* IPv4 view */
	struct sockaddr_in6	sin6;	/* IPv6 view */
};
! 55:
/*
 * HMAC key sizes, in bytes.  The "96" in the names refers to the
 * truncated 96-bit authenticator (AH_HMAC_HASHLEN below), not to the
 * key length.
 */
#define MD5HMAC96_KEYSIZE	16
#define SHA1HMAC96_KEYSIZE	20
#define RIPEMD160HMAC96_KEYSIZE	20
#define SHA2_256HMAC96_KEYSIZE	32
#define SHA2_384HMAC96_KEYSIZE	48
#define SHA2_512HMAC96_KEYSIZE	64

#define AH_HMAC_HASHLEN		12	/* 96 bits of authenticator */
#define AH_HMAC_RPLENGTH	4	/* 32 bits of replay counter */
#define AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */

/* Authenticator lengths: full digest sizes, in bytes */
#define AH_MD5_ALEN		16
#define AH_SHA1_ALEN		20
#define AH_RMD160_ALEN		20
#define AH_SHA2_256_ALEN	32
#define AH_SHA2_384_ALEN	48
#define AH_SHA2_512_ALEN	64
#define AH_ALEN_MAX		64	/* Keep updated: must stay >= the
					 * largest AH_*_ALEN above (currently
					 * AH_SHA2_512_ALEN). */

/* Reserved SPI numbers: 0 is for local use, 1..255 are reserved */
#define SPI_LOCAL_USE		0
#define SPI_RESERVED_MIN	1
#define SPI_RESERVED_MAX	255

/* Reserved CPI numbers: 1..255 reserved, 61440..65535 (0xF000..0xFFFF) private */
#define CPI_RESERVED_MIN	1
#define CPI_RESERVED_MAX	255
#define CPI_PRIVATE_MIN		61440
#define CPI_PRIVATE_MAX		65535

/* sysctl default values (time values are in seconds) */
#define IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT	60	/* 1 minute */
#define IPSEC_DEFAULT_PFS			1
#define IPSEC_DEFAULT_SOFT_ALLOCATIONS		0	/* 0: no allocation limit */
#define IPSEC_DEFAULT_EXP_ALLOCATIONS		0
#define IPSEC_DEFAULT_SOFT_BYTES		0	/* 0: no byte limit */
#define IPSEC_DEFAULT_EXP_BYTES			0
#define IPSEC_DEFAULT_SOFT_TIMEOUT		80000	/* ~22.2 hours */
#define IPSEC_DEFAULT_EXP_TIMEOUT		86400	/* 24 hours */
#define IPSEC_DEFAULT_SOFT_FIRST_USE		3600	/* 1 hour after first use */
#define IPSEC_DEFAULT_EXP_FIRST_USE		7200	/* 2 hours after first use */
#define IPSEC_DEFAULT_DEF_ENC			"aes"
#define IPSEC_DEFAULT_DEF_AUTH			"hmac-sha1"
#define IPSEC_DEFAULT_EXPIRE_ACQUIRE		30
#define IPSEC_DEFAULT_DEF_COMP			"deflate"
! 103:
/*
 * Encapsulation "address": the key used by the flow-routing code (see
 * struct route_enc) and by policy/filter matching.  Which member of Sen
 * is live is selected by sen_type (see SENT_*).  The sen_* macros below
 * are the accessors for the union members.
 */
struct sockaddr_encap {
	u_int8_t	sen_len;		/* length */
	u_int8_t	sen_family;		/* PF_KEY */
	u_int16_t	sen_type;		/* see SENT_* */
	union {
		struct {			/* SENT_IP4 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_IN/OUT */
			struct in_addr	Src;
			struct in_addr	Dst;
			u_int8_t	Proto;
			u_int16_t	Sport;
			u_int16_t	Dport;
		} Sip4;

		struct {			/* SENT_IP6 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_IN/OUT */
			struct in6_addr	Src;
			struct in6_addr	Dst;
			u_int8_t	Proto;
			u_int16_t	Sport;
			u_int16_t	Dport;
		} Sip6;

		struct ipsec_policy	*PolicyHead;	/* SENT_IPSP */
	} Sen;
};
! 130:
/* Values for the Direction member of struct sockaddr_encap */
#define IPSP_DIRECTION_IN	0x1
#define IPSP_DIRECTION_OUT	0x2

/*
 * Accessors for the members of struct sockaddr_encap's Sen union.
 * NOTE(review): sen_data expands to Sen.Data, but the union above has no
 * member named Data (only Sip4, Sip6 and PolicyHead); any use of
 * sen_data would fail to compile, so this macro appears to be stale.
 */
#define sen_data		Sen.Data
#define sen_ip_src		Sen.Sip4.Src
#define sen_ip_dst		Sen.Sip4.Dst
#define sen_proto		Sen.Sip4.Proto
#define sen_sport		Sen.Sip4.Sport
#define sen_dport		Sen.Sip4.Dport
#define sen_direction		Sen.Sip4.Direction
#define sen_ip6_src		Sen.Sip6.Src
#define sen_ip6_dst		Sen.Sip6.Dst
#define sen_ip6_proto		Sen.Sip6.Proto
#define sen_ip6_sport		Sen.Sip6.Sport
#define sen_ip6_dport		Sen.Sip6.Dport
#define sen_ip6_direction	Sen.Sip6.Direction
#define sen_ipsp		Sen.PolicyHead
! 148:
! 149: /*
! 150: * The "type" is really part of the address as far as the routing
! 151: * system is concerned. By using only one bit in the type field
! 152: * for each type, we sort-of make sure that different types of
! 153: * encapsulation addresses won't be matched against the wrong type.
! 154: *
! 155: */
! 156:
/* sen_type values; one bit each so distinct types never compare equal */
#define SENT_IP4	0x0001		/* data is two struct in_addr */
#define SENT_IPSP	0x0002		/* data as in IP4/6 plus SPI */
#define SENT_IP6	0x0004		/* data is two struct in6_addr */

/* Full size of the encapsulation address; sen_len is a u_int8_t, so this must fit in 255 */
#define SENT_LEN	sizeof(struct sockaddr_encap)
! 162:
/*
 * Reference-counted, variable-length blob header (identities,
 * credentials, authentication material); the payload follows this
 * header in memory.  ipsp_reffree() (declared below) is the release
 * entry point.
 */
struct ipsec_ref {
	u_int16_t	ref_type;	/* Subtype of data (IPSP_IDENTITY_*,
					 * IPSP_CRED_* or IPSP_AUTH_*, by
					 * use) -- confirm against callers */
	int16_t		ref_len;	/* Length of data following.
					 * NOTE(review): signed; consumers must
					 * reject negative values and bound it
					 * by the allocation before copying. */
	int		ref_count;	/* Reference count */
	int		ref_malloctype;	/* malloc(9) type, for freeing */
};
! 169:
/*
 * An outstanding request to key management for an SA that a policy
 * needs.  Linked on three lists at once: the owning policy's
 * ipo_acquires, the global ipsec_acquire_head, and (presumably, by the
 * member names) a per-inpcb list.
 */
struct ipsec_acquire {
	union sockaddr_union		ipa_addr;	/* peer being acquired */
	u_int32_t			ipa_seq;	/* sequence number for the request */
	struct sockaddr_encap		ipa_info;	/* flow that triggered it ... */
	struct sockaddr_encap		ipa_mask;	/* ... and its mask */
	struct timeout			ipa_timeout;	/* expiry timer; ipsp_delete_acquire()
							 * below has the timeout-callback
							 * shape -- confirm */
	struct ipsec_policy		*ipa_policy;	/* policy that issued the acquire */
	struct inpcb			*ipa_pcb;	/* socket that triggered it, if any */
	TAILQ_ENTRY(ipsec_acquire)	ipa_ipo_next;	/* ipo_acquires list */
	TAILQ_ENTRY(ipsec_acquire)	ipa_next;	/* ipsec_acquire_head list */
	TAILQ_ENTRY(ipsec_acquire)	ipa_inp_next;	/* per-inpcb list */
};
! 182:
/*
 * Security Policy Database entry: a flow selector (ipo_addr/ipo_mask)
 * plus what to do with matching traffic (ipo_type, see IPSP_*) and the
 * identities/credentials the SA must carry.  Policies hang off the
 * global ipsec_policy_head and off the TDB they are currently bound to.
 */
struct ipsec_policy {
	struct sockaddr_encap	ipo_addr;	/* flow selector */
	struct sockaddr_encap	ipo_mask;	/* and its mask */

	union sockaddr_union	ipo_src;	/* Local address to use */
	union sockaddr_union	ipo_dst;	/* Remote gateway -- if it's zeroed:
						 * - on output, we try to
						 *   contact the remote host
						 *   directly (if needed).
						 * - on input, we accept only if
						 *   the inner source is the
						 *   same as the outer source
						 *   address, or if transport
						 *   mode was used.
						 */

	u_int64_t		ipo_last_searched;	/* Timestamp of last lookup */

	u_int8_t		ipo_flags;	/* See IPSP_POLICY_* definitions */
	u_int8_t		ipo_type;	/* USE/ACQUIRE/... (IPSP_* below) */
	u_int8_t		ipo_sproto;	/* ESP/AH; if zero, use system dflts */

	int			ipo_ref_count;	/* reference count */

	struct tdb		*ipo_tdb;	/* Cached entry */

	struct ipsec_ref	*ipo_srcid;	/* required source identity */
	struct ipsec_ref	*ipo_dstid;	/* required destination identity */
	struct ipsec_ref	*ipo_local_cred;	/* local credential */
	struct ipsec_ref	*ipo_local_auth;	/* local authentication material */

	TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */
	TAILQ_ENTRY(ipsec_policy)	ipo_tdb_next;	/* List TDB policies */
	TAILQ_ENTRY(ipsec_policy)	ipo_list;	/* List of all policies */
};
! 218:
/* ipo_flags bits */
#define IPSP_POLICY_NONE	0x0000	/* No flags set */
#define IPSP_POLICY_SOCKET	0x0001	/* Socket-attached policy */
#define IPSP_POLICY_STATIC	0x0002	/* Static policy */

/* ipo_type values: what to do with traffic matching the policy */
#define IPSP_IPSEC_USE		0	/* Use if existing, don't acquire */
#define IPSP_IPSEC_ACQUIRE	1	/* Try acquire, let packet through */
#define IPSP_IPSEC_REQUIRE	2	/* Require SA */
#define IPSP_PERMIT		3	/* Permit traffic through */
#define IPSP_DENY		4	/* Deny traffic */
#define IPSP_IPSEC_DONTACQ	5	/* Require, but don't acquire */

/* Notification types */
#define NOTIFY_SOFT_EXPIRE	0	/* Soft expiration of SA */
#define NOTIFY_HARD_EXPIRE	1	/* Hard expiration of SA */
#define NOTIFY_REQUEST_SA	2	/* Establish an SA */

/*
 * SA attribute bits.  NOTE(review): CONF, AUTH and TUNNEL are single
 * bits, but COMP is 5 (= CONF|TUNNEL).  TDB_ATTRIB() below ORs CONF,
 * AUTH and COMP together, so a result containing COMP cannot be told
 * apart from CONF|TUNNEL, and CONF|COMP collapses to COMP -- confirm
 * whether any consumer decodes these bitwise.
 */
#define NOTIFY_SATYPE_CONF	1	/* SA should do encryption */
#define NOTIFY_SATYPE_AUTH	2	/* SA should do authentication */
#define NOTIFY_SATYPE_TUNNEL	4	/* SA should use tunneling */
#define NOTIFY_SATYPE_COMP	5	/* SA (IPCA) should use compression */

/* Authentication types */
#define IPSP_AUTH_NONE		0
#define IPSP_AUTH_PASSPHRASE	1
#define IPSP_AUTH_RSA		2

/* Credential types */
#define IPSP_CRED_NONE		0
#define IPSP_CRED_KEYNOTE	1
#define IPSP_CRED_X509		2

/* Identity types */
#define IPSP_IDENTITY_NONE	0
#define IPSP_IDENTITY_PREFIX	1
#define IPSP_IDENTITY_FQDN	2
#define IPSP_IDENTITY_USERFQDN	3
#define IPSP_IDENTITY_CONNECTION	4
! 256:
/*
 * For encapsulation, routes are possible not only on the destination
 * address but also on the protocol and on the source and destination
 * ports, if available.
 */
! 262:
/*
 * Cached route lookup in the encapsulation routing domain: the resolved
 * routing entry plus the encapsulation address it was looked up with.
 */
struct route_enc {
	struct rtentry		*re_rt;		/* resolved route (NULL if none) -- confirm */
	struct sockaddr_encap	re_dst;		/* lookup key */
};
! 267:
/*
 * Tunnel descriptor block: the kernel's Security Association record.
 * Holds the SPI/dst/sproto key, the transform and algorithm bindings,
 * lifetime counters, anti-replay state and the raw key material.
 */
struct tdb {				/* tunnel descriptor block */
	/*
	 * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
	 * one keyed on dst/sproto, and one keyed on src/sproto. The first
	 * is used for finding a specific TDB, the second for finding TDBs
	 * for outgoing policy matching, and the third for incoming
	 * policy matching. The following three fields maintain the hash
	 * queues in those three tables.
	 */
	struct tdb	*tdb_hnext;	/* dst/spi/sproto table */
	struct tdb	*tdb_anext;	/* dst/sproto table */
	struct tdb	*tdb_snext;	/* src/sproto table */
	struct tdb	*tdb_inext;	/* SA bundle links; presumably the
					 * TDB_DIR argument of
					 * SPI_CHAIN_ATTRIB() */
	struct tdb	*tdb_onext;

	struct xformsw		*tdb_xform;		/* Transform to use */
	struct enc_xform	*tdb_encalgxform;	/* Enc algorithm */
	struct auth_hash	*tdb_authalgxform;	/* Auth algorithm */
	struct comp_algo	*tdb_compalgxform;	/* Compression algo */

	/* tdb_flags bits */
#define TDBF_UNIQUE		0x00001	/* This should not be used by others */
#define TDBF_TIMER		0x00002	/* Absolute expiration timer in use */
#define TDBF_BYTES		0x00004	/* Check the byte counters */
#define TDBF_ALLOCATIONS	0x00008	/* Check the flows counters */
#define TDBF_INVALID		0x00010	/* This SPI is not valid yet/anymore */
#define TDBF_FIRSTUSE		0x00020	/* Expire after first use */
#define TDBF_HALFIV		0x00040	/* Use half-length IV (ESP old only) */
#define TDBF_SOFT_TIMER		0x00080	/* Soft expiration */
#define TDBF_SOFT_BYTES		0x00100	/* Soft expiration */
#define TDBF_SOFT_ALLOCATIONS	0x00200	/* Soft expiration */
#define TDBF_SOFT_FIRSTUSE	0x00400	/* Soft expiration */
#define TDBF_PFS		0x00800	/* Ask for PFS from Key Mgmt. */
#define TDBF_TUNNELING		0x01000	/* Force IP-IP encapsulation */
#define TDBF_NOREPLAY		0x02000	/* No replay counter present: no
					 * anti-replay protection on this SA */
#define TDBF_RANDOMPADDING	0x04000	/* Random data in the ESP padding */
#define TDBF_SKIPCRYPTO		0x08000	/* Skip actual crypto processing;
					 * toggled by ipsp_skipcrypto_mark()/
					 * _unmark() below. Traffic on such a
					 * TDB gets no cryptographic protection. */
#define TDBF_USEDTUNNEL		0x10000	/* Appended a tunnel header in past */
#define TDBF_UDPENCAP		0x20000	/* UDP encapsulation */

	u_int32_t	tdb_flags;	/* Flags related to this TDB */

	/* Expiry timers for the hard/soft timeout and first-use limits */
	struct timeout	tdb_timer_tmo;
	struct timeout	tdb_first_tmo;
	struct timeout	tdb_stimer_tmo;
	struct timeout	tdb_sfirst_tmo;

	u_int32_t	tdb_seq;		/* Tracking number for PFKEY */
	u_int32_t	tdb_exp_allocations;	/* Expire after so many flows */
	u_int32_t	tdb_soft_allocations;	/* Expiration warning */
	u_int32_t	tdb_cur_allocations;	/* Total number of allocs */

	u_int64_t	tdb_exp_bytes;		/* Expire after so many bytes passed */
	u_int64_t	tdb_soft_bytes;		/* Expiration warning */
	u_int64_t	tdb_cur_bytes;		/* Current count of bytes */

	u_int64_t	tdb_exp_timeout;	/* When does the SPI expire */
	u_int64_t	tdb_soft_timeout;	/* Send soft-expire warning */
	u_int64_t	tdb_established;	/* When was SPI established */

	u_int64_t	tdb_first_use;		/* When was it first used */
	u_int64_t	tdb_soft_first_use;	/* Soft warning */
	u_int64_t	tdb_exp_first_use;	/* Expire if tdb_first_use +
						 * tdb_exp_first_use <= curtime
						 */

	u_int64_t	tdb_last_used;		/* When was this SA last used */
	u_int64_t	tdb_last_marked;	/* Last SKIPCRYPTO status change */

	u_int64_t	tdb_cryptoid;		/* Crypto session ID */

	u_int32_t	tdb_spi;		/* SPI */
	u_int16_t	tdb_amxkeylen;		/* Raw authentication key length */
	u_int16_t	tdb_emxkeylen;		/* Raw encryption key length */
	u_int16_t	tdb_ivlen;		/* IV length */
	u_int8_t	tdb_sproto;		/* IPsec protocol */
	u_int8_t	tdb_wnd;		/* Replay window (bounded by the
						 * 32-bit tdb_bitmap) */
	u_int8_t	tdb_satype;		/* SA type (RFC2367, PF_KEY) */

	union sockaddr_union	tdb_dst;	/* Destination address */
	union sockaddr_union	tdb_src;	/* Source address */
	union sockaddr_union	tdb_proxy;	/* proxy/inner address -- confirm use */

	/*
	 * Raw key material, kept in kernel memory for the SA's lifetime.
	 * NOTE(review): the transform's xf_zeroize entry (struct xformsw)
	 * is the teardown hook -- confirm it wipes these before freeing.
	 */
	u_int8_t	*tdb_amxkey;		/* Raw authentication key */
	u_int8_t	*tdb_emxkey;		/* Raw encryption key */

	/* Anti-replay state; see checkreplaywindow32() below */
	u_int32_t	tdb_rpl;		/* Replay counter */
	u_int32_t	tdb_bitmap;		/* Used for replay sliding window */

	u_int8_t	tdb_iv[4];		/* Used for HALF-IV ESP */

	struct ipsec_ref	*tdb_local_cred;
	struct ipsec_ref	*tdb_remote_cred;
	struct ipsec_ref	*tdb_srcid;		/* Source ID for this SA */
	struct ipsec_ref	*tdb_dstid;		/* Destination ID for this SA */
	struct ipsec_ref	*tdb_local_auth;	/* Local authentication material */
	struct ipsec_ref	*tdb_remote_auth;	/* Remote authentication material */

	u_int32_t	tdb_mtu;		/* MTU at this point in the chain */
	u_int64_t	tdb_mtutimeout;		/* When to ignore this entry */

	u_int16_t	tdb_udpencap_port;	/* Peer UDP port */

	u_int16_t	tdb_tag;		/* Packet filter tag */

	struct sockaddr_encap	tdb_filter;	/* What traffic is acceptable */
	struct sockaddr_encap	tdb_filtermask;	/* And the mask */

	/* Sockets and policies currently bound to this TDB */
	TAILQ_HEAD(tdb_inp_head_in, inpcb)	tdb_inp_in;
	TAILQ_HEAD(tdb_inp_head_out, inpcb)	tdb_inp_out;
	TAILQ_HEAD(tdb_policy_head, ipsec_policy)	tdb_policy_head;
};
! 379:
/*
 * Lookup key that identifies one TDB: the same triple (spi, dst, proto)
 * that gettdb() takes.  Used by the skipcrypto mark/unmark entry points
 * declared below.
 */
struct tdb_ident {
	u_int32_t		spi;
	union sockaddr_union	dst;
	u_int8_t		proto;
};
! 385:
/*
 * Per-packet context carried across an asynchronous crypto operation:
 * the TDB key (spi/dst/proto, as in struct tdb_ident) plus the packet
 * offsets the completion side needs.
 */
struct tdb_crypto {
	u_int32_t		tc_spi;
	union sockaddr_union	tc_dst;
	u_int8_t		tc_proto;
	int			tc_protoff;	/* offset of the protocol field -- confirm */
	int			tc_skip;	/* bytes to skip before the IPsec header -- confirm */
	caddr_t			tc_ptr;		/* opaque per-transform data */
};
! 394:
/*
 * Initialization parameters handed to a transform's xf_init (see struct
 * xformsw and the *_init() prototypes below): algorithm selectors and
 * the raw keys with their lengths.
 */
struct ipsecinit {
	u_int8_t	*ii_enckey;	/* raw encryption key */
	u_int8_t	*ii_authkey;	/* raw authentication key */
	u_int16_t	ii_enckeylen;	/* length of ii_enckey, bytes */
	u_int16_t	ii_authkeylen;	/* length of ii_authkey, bytes */
	u_int8_t	ii_encalg;	/* encryption algorithm id */
	u_int8_t	ii_authalg;	/* authentication algorithm id */
	u_int8_t	ii_compalg;	/* compression algorithm id */
};
! 404:
/* xform IDs (struct xformsw xf_type) */
#define XF_IP4		1	/* IP inside IP */
#define XF_AH		2	/* AH */
#define XF_ESP		3	/* ESP */
#define XF_TCPSIGNATURE	5	/* TCP MD5 Signature option, RFC 2385 */
#define XF_IPCOMP	6	/* IPCOMP */

/* xform attributes (struct xformsw xf_flags) */
#define XFT_AUTH	0x0001	/* provides authentication */
#define XFT_CONF	0x0100	/* provides confidentiality */
#define XFT_COMP	0x1000	/* provides compression */

#define IPSEC_ZEROES_SIZE	256	/* Larger than an IP6 extension hdr. */
! 418:
! 419: #ifdef _KERNEL
! 420:
/*
 * Transform switch entry: the method table for one IPsec transform
 * (AH, ESP, IPCOMP, IP-in-IP, TCP signature).  The ah_/esp_/ipcomp_/
 * ipe4_/tcp_signature_tdb_ prototypes below have exactly these shapes.
 */
struct xformsw {
	u_short	xf_type;		/* Unique ID of xform (XF_*) */
	u_short	xf_flags;		/* flags (XFT_*) */
	char	*xf_name;		/* human-readable name */
	int	(*xf_attach)(void);	/* called at config time */
	int	(*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *);	/* key/algorithm setup */
	int	(*xf_zeroize)(struct tdb *);	/* termination: release and
						 * presumably wipe the TDB's key
						 * material -- confirm */
	int	(*xf_input)(struct mbuf *, struct tdb *, int, int);	/* input */
	int	(*xf_output)(struct mbuf *, struct tdb *, struct mbuf **,
		    int, int);	/* output */
};
! 432:
! 433: /*
! 434: * Protects all tdb lists.
! 435: * Must at least be splsoftnet (note: do not use splsoftclock as it is
! 436: * special on some architectures, assuming it is always an spl lowering
! 437: * operation).
! 438: */
! 439: #define spltdb splsoftnet
! 440:
/* Global knobs and counters (defined in the ipsec .c files) */
extern int	encdebug;		/* debug output switch */
extern int	ipsec_acl;
extern int	ipsec_keep_invalid;	/* keep TDBF_INVALID TDBs around -- confirm */
extern int	ipsec_in_use;
extern u_int64_t ipsec_last_added;
extern int	ipsec_require_pfs;
extern int	ipsec_expire_acquire;

extern int	ipsec_policy_pool_initialized;

/* Run-time lifetime defaults; names parallel the IPSEC_DEFAULT_* macros */
extern int	ipsec_soft_allocations;
extern int	ipsec_exp_allocations;
extern int	ipsec_soft_bytes;
extern int	ipsec_exp_bytes;
extern int	ipsec_soft_timeout;
extern int	ipsec_exp_timeout;
extern int	ipsec_soft_first_use;
extern int	ipsec_exp_first_use;
extern char	ipsec_def_enc[];
extern char	ipsec_def_auth[];
extern char	ipsec_def_comp[];

/* Algorithm descriptors that tdb_encalgxform / tdb_authalgxform / tdb_compalgxform point at */
extern struct enc_xform enc_xform_des;
extern struct enc_xform enc_xform_3des;
extern struct enc_xform enc_xform_blf;
extern struct enc_xform enc_xform_cast5;
extern struct enc_xform enc_xform_skipjack;

extern struct auth_hash auth_hash_hmac_md5_96;
extern struct auth_hash auth_hash_hmac_sha1_96;
extern struct auth_hash auth_hash_hmac_ripemd_160_96;

extern struct comp_algo comp_algo_deflate;

/* Global lists of all policies and of all pending acquires */
extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;
extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head;

/* Transform table and, by its name, a pointer one past its end -- confirm */
extern struct xformsw xformsw[], *xformswNXFORMSW;
! 479:
/*
 * Check if a given tdb has encryption, authentication and/or compression
 * and return the corresponding NOTIFY_SATYPE_* bits ORed together.
 * NOTE(review): NOTIFY_SATYPE_COMP is 5, not a single bit, so a result
 * that includes it overlaps NOTIFY_SATYPE_CONF|NOTIFY_SATYPE_TUNNEL --
 * treat the value as a set of flags only with that in mind.
 */
#define TDB_ATTRIB(x) (((x)->tdb_encalgxform ? NOTIFY_SATYPE_CONF : 0) | \
    ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0) | \
    ((x)->tdb_compalgxform ? NOTIFY_SATYPE_COMP : 0))
! 484:
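/*
 * Traverse an SPI chain starting at TDBP, following the TDB_DIR member
 * (a struct tdb link such as tdb_onext or tdb_inext), and OR the
 * TDB_ATTRIB() bits of every TDB into 'have'.  The walk stops at the
 * first TDB that has no transform bound or is flagged TDBF_INVALID, so
 * an invalid entry and anything behind it contribute nothing.  Runs at
 * spltdb() for the duration of the walk.
 *
 * The loop condition already rejects a NULL tmptdb, so the former
 * `tmptdb == NULL ||` test inside the body was dead and has been dropped;
 * the flag test is parenthesized for readability.
 */
#define SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) do {			\
	int s = spltdb();						\
	struct tdb *tmptdb = (TDBP);					\
									\
	(have) = 0;							\
	while (tmptdb && tmptdb->tdb_xform) {				\
		if ((tmptdb->tdb_flags & TDBF_INVALID) != 0)		\
			break;						\
		(have) |= TDB_ATTRIB(tmptdb);				\
		tmptdb = tmptdb->TDB_DIR;				\
	}								\
	splx(s);							\
} while (0)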
! 500:
/* Misc. */
extern char *inet_ntoa4(struct in_addr);
extern char *ipsp_address(union sockaddr_union);	/* NOTE(review): returns char *;
							 * if that is a static buffer the
							 * function is not reentrant --
							 * confirm before use off the
							 * debug path */

/* TDB management routines */
extern void tdb_add_inp(struct tdb *, struct inpcb *, int);
/* Pick an unused SPI in a range for a (src, dst, sproto) triple; error via the int * */
extern u_int32_t reserve_spi(u_int32_t, u_int32_t, union sockaddr_union *,
    union sockaddr_union *, u_int8_t, int *);
/* Exact lookup by (spi, dst, sproto) -- the dst/spi/sproto hash table */
extern struct tdb *gettdb(u_int32_t, union sockaddr_union *, u_int8_t);
/* Lookup by destination with identity/credential and flow-filter matching */
extern struct tdb *gettdbbyaddr(union sockaddr_union *, u_int8_t,
    struct ipsec_ref *, struct ipsec_ref *, struct ipsec_ref *,
    struct mbuf *, int, struct sockaddr_encap *, struct sockaddr_encap *);
/* Lookup by source with identity and flow-filter matching */
extern struct tdb *gettdbbysrc(union sockaddr_union *, u_int8_t,
    struct ipsec_ref *, struct ipsec_ref *, struct mbuf *, int,
    struct sockaddr_encap *, struct sockaddr_encap *);
extern struct tdb *gettdbbysrcdst(u_int32_t, union sockaddr_union *,
    union sockaddr_union *, u_int8_t);
extern void puttdb(struct tdb *);	/* insert into the hash tables -- confirm */
extern void tdb_delete(struct tdb *);
extern struct tdb *tdb_alloc(void);
extern void tdb_free(struct tdb *);
extern int tdb_hash(u_int32_t, union sockaddr_union *, u_int8_t);
extern int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
/* Call the callback for every TDB; the callback's return presumably stops the walk -- confirm */
extern int tdb_walk(int (*)(struct tdb *, void *, int), void *);
! 525:
/*
 * XF_IP4 (IP-in-IP).  ipe4_attach/ipe4_init/ipe4_zeroize and ipip_output
 * have the struct xformsw method shapes; ipe4_input and ipip_input are
 * variadic protocol-input style entry points rather than xf_input.
 */
extern int ipe4_attach(void);
extern int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
extern int ipe4_zeroize(struct tdb *);
extern int ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
extern void ipe4_input(struct mbuf *, ...);
extern void ipip_input(struct mbuf *, int, struct ifnet *);

#ifdef INET
extern void ip4_input(struct mbuf *, ...);
#endif /* INET */

#ifdef INET6
extern int ip4_input6(struct mbuf **, int *, int);
#endif /* INET6 */

/* XF_ETHERIP (no XF_ETHERIP id is defined in this header) */
extern int etherip_output(struct mbuf *, struct tdb *, struct mbuf **,
    int, int);
extern void etherip_input(struct mbuf *, ...);
! 546:
/*
 * XF_AH.  ah_attach/ah_init/ah_zeroize/ah_input/ah_output match the
 * struct xformsw method shapes; the *_cb variants take the completion
 * context (void * / mbuf) for the asynchronous crypto path.
 */
extern int ah_attach(void);
extern int ah_init(struct tdb *, struct xformsw *, struct ipsecinit *);
extern int ah_zeroize(struct tdb *);
extern int ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
extern int ah_output_cb(void *);
extern int ah_input(struct mbuf *, struct tdb *, int, int);
extern int ah_input_cb(void *);
extern int ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);
/* Zero the mutable IP header fields before the AH integrity computation -- confirm */
extern int ah_massage_headers(struct mbuf **, int, int, int, int);

#ifdef INET
extern void ah4_input(struct mbuf *, ...);
extern int ah4_input_cb(struct mbuf *, ...);
extern void *ah4_ctlinput(int, struct sockaddr *, void *);
extern void *udpencap_ctlinput(int, struct sockaddr *, void *);
#endif /* INET */

#ifdef INET6
extern int ah6_input(struct mbuf **, int *, int);
extern int ah6_input_cb(struct mbuf *, int, int);
#endif /* INET6 */
! 569:
/*
 * XF_ESP.  Same layout as the AH set above: attach/init/zeroize/input/
 * output match struct xformsw, *_cb are the crypto completion entries.
 */
extern int esp_attach(void);
extern int esp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
extern int esp_zeroize(struct tdb *);
extern int esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
extern int esp_output_cb(void *);
extern int esp_input(struct mbuf *, struct tdb *, int, int);
extern int esp_input_cb(void *);
extern int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);

#ifdef INET
extern void esp4_input(struct mbuf *, ...);
extern int esp4_input_cb(struct mbuf *, ...);
extern void *esp4_ctlinput(int, struct sockaddr *, void *);
#endif /* INET */

#ifdef INET6
extern int esp6_input(struct mbuf **, int *, int);
extern int esp6_input_cb(struct mbuf *, int, int);
#endif /* INET6 */
! 590:
/*
 * XF_IPCOMP.  Same layout as the AH/ESP sets: attach/init/zeroize/
 * input/output match struct xformsw, *_cb are the completion entries.
 */
extern int ipcomp_attach(void);
extern int ipcomp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
extern int ipcomp_zeroize(struct tdb *);
extern int ipcomp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
extern int ipcomp_output_cb(void *);
extern int ipcomp_input(struct mbuf *, struct tdb *, int, int);
extern int ipcomp_input_cb(void *);
extern int ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);

#ifdef INET
extern void ipcomp4_input(struct mbuf *, ...);
extern int ipcomp4_input_cb(struct mbuf *, ...);
#endif /* INET */

#ifdef INET6
extern int ipcomp6_input(struct mbuf **, int *, int);
extern int ipcomp6_input_cb(struct mbuf *, int, int);
#endif /* INET6 */
! 610:
/* XF_TCPSIGNATURE: TCP MD5 signature option as a transform; struct xformsw method shapes */
extern int tcp_signature_tdb_attach(void);
extern int tcp_signature_tdb_init(struct tdb *, struct xformsw *,
    struct ipsecinit *);
extern int tcp_signature_tdb_zeroize(struct tdb *);
extern int tcp_signature_tdb_input(struct mbuf *, struct tdb *, int,
    int);
extern int tcp_signature_tdb_output(struct mbuf *, struct tdb *,
    struct mbuf **, int, int);
! 620:
/* Padding: append the given number of bytes to the mbuf chain; returns a pointer to them */
extern caddr_t m_pad(struct mbuf *, int);

/*
 * Replay window: 32-bit sliding-window anti-replay check, presumably
 * operating on a TDB's tdb_rpl/tdb_bitmap pair (see struct tdb).
 * Parameter roles are not visible here -- see the definition.
 */
extern int checkreplaywindow32(u_int32_t, u_int32_t, u_int32_t *, u_int32_t,
    u_int32_t *, int);

/* Block of zero bytes, presumably IPSEC_ZEROES_SIZE long -- confirm */
extern unsigned char ipseczeroes[];
! 629:
/* Packet processing */
extern int ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
extern int ipsp_process_done(struct mbuf *, struct tdb *);
/* SPD lookups: return the TDB to apply (or NULL) and report an error via the int * */
extern struct tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int,
    struct tdb *, struct inpcb *);
extern struct tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int,
    struct tdb *, struct inpcb *, struct ipsec_policy *);
extern int ipsec_common_input(struct mbuf *, int, int, int, int, int);
extern int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int,
    struct m_tag *);
/* Ask key management for an SA matching the policy and flow */
extern int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *,
    union sockaddr_union *, struct sockaddr_encap *, struct mbuf *);
/* Per-socket policy management */
extern struct ipsec_policy *ipsec_add_policy(struct inpcb *, int, int);
extern void ipsec_update_policy(struct inpcb *, struct ipsec_policy *,
    int, int);
extern int ipsec_delete_policy(struct ipsec_policy *);
extern struct ipsec_acquire *ipsp_pending_acquire(struct ipsec_policy *,
    union sockaddr_union *);
extern void ipsp_delete_acquire(void *);	/* timeout-callback shape (void *) */
extern int ipsp_is_unspecified(union sockaddr_union);
extern void ipsp_reffree(struct ipsec_ref *);	/* drop a struct ipsec_ref reference */
/* Toggle TDBF_SKIPCRYPTO on the TDB named by the tdb_ident */
extern void ipsp_skipcrypto_unmark(struct tdb_ident *);
extern void ipsp_skipcrypto_mark(struct tdb_ident *);
extern struct m_tag *ipsp_parse_headers(struct mbuf *, int, u_int8_t);
extern int ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *);
extern ssize_t ipsec_hdrsz(struct tdb *);	/* header overhead added by the TDB's transform */
extern void ipsec_adjust_mtu(struct mbuf *, u_int32_t);
/* Render a TDB into a caller-supplied buffer of the given size */
extern int ipsp_print_tdb(struct tdb *, char *, size_t);
extern struct ipsec_acquire *ipsec_get_acquire(u_int32_t);
/* Match a TDB's identities, credentials and flow filter against the requested ones */
extern int ipsp_aux_match(struct tdb *,
    struct ipsec_ref *, struct ipsec_ref *,
    struct ipsec_ref *, struct ipsec_ref *,
    struct sockaddr_encap *, struct sockaddr_encap *);
! 663: #endif /* _KERNEL */
! 664: #endif /* _NETINET_IPSP_H_ */