

1.1       nbrk        1: /*     $OpenBSD: ip_ipsp.h,v 1.135 2006/11/24 13:52:14 reyk Exp $      */
                      2: /*
                      3:  * The authors of this code are John Ioannidis (ji@tla.org),
                      4:  * Angelos D. Keromytis (kermit@csd.uch.gr),
                      5:  * Niels Provos (provos@physnet.uni-hamburg.de) and
                      6:  * Niklas Hallqvist (niklas@appli.se).
                      7:  *
                      8:  * The original version of this code was written by John Ioannidis
                      9:  * for BSD/OS in Athens, Greece, in November 1995.
                     10:  *
                     11:  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
                     12:  * by Angelos D. Keromytis.
                     13:  *
                     14:  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
                     15:  * and Niels Provos.
                     16:  *
                     17:  * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
                     18:  *
                     19:  * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
                     20:  * Angelos D. Keromytis and Niels Provos.
                     21:  * Copyright (c) 1999 Niklas Hallqvist.
                     22:  * Copyright (c) 2001, Angelos D. Keromytis.
                     23:  *
                     24:  * Permission to use, copy, and modify this software with or without fee
                     25:  * is hereby granted, provided that this entire notice is included in
                     26:  * all copies of any software which is or includes a copy or
                     27:  * modification of this software.
                     28:  * You may use this code under the GNU public license if you so wish. Please
                     29:  * contribute changes back to the authors under this freer than GPL license
                     30:  * so that we may further the use of strong encryption without limitations to
                     31:  * all.
                     32:  *
                     33:  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
                     34:  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
                     35:  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
                     36:  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
                     37:  * PURPOSE.
                     38:  */
                     39:
                     40: #ifndef _NETINET_IPSP_H_
                     41: #define _NETINET_IPSP_H_
                     42:
                     43: /* IPSP global definitions. */
                     44:
                     45: #include <sys/types.h>
                     46: #include <sys/queue.h>
                     47: #include <sys/timeout.h>
                     48: #include <netinet/in.h>
                     49:
/*
 * Socket address large enough for either address family IPsec handles.
 * Family-agnostic code reads the generic `sa` view; sa.sa_family tells
 * which of the family-specific views (sin, sin6) is the live one.
 */
union sockaddr_union {
	struct sockaddr		sa;
	struct sockaddr_in	sin;
	struct sockaddr_in6	sin6;
};
                     55:
/* HMAC key sizes, in bytes; each equals the output size of its hash */
#define	MD5HMAC96_KEYSIZE	16
#define	SHA1HMAC96_KEYSIZE	20
#define	RIPEMD160HMAC96_KEYSIZE	20
#define	SHA2_256HMAC96_KEYSIZE	32
#define	SHA2_384HMAC96_KEYSIZE	48
#define	SHA2_512HMAC96_KEYSIZE	64

/* AH wire format constants (bytes) */
#define	AH_HMAC_HASHLEN		12	/* 96 bits of authenticator */
#define	AH_HMAC_RPLENGTH	4	/* 32 bits of replay counter */
#define	AH_HMAC_INITIAL_RPL	1	/* Replay counter initial value */

/*
 * Authenticator lengths: the full digest size of each hash. Only
 * AH_HMAC_HASHLEN bytes of the digest are carried on the wire
 * (the "-96" truncation in the transform names).
 */
#define	AH_MD5_ALEN		16
#define	AH_SHA1_ALEN		20
#define	AH_RMD160_ALEN		20
#define	AH_SHA2_256_ALEN	32
#define	AH_SHA2_384_ALEN	48
#define	AH_SHA2_512_ALEN	64
#define	AH_ALEN_MAX		64	/* Keep updated: must be >= every AH_*_ALEN above */

/*
 * Reserved SPI numbers. 0 is for local use only and 1..255 are reserved;
 * none of these may be handed out for a negotiated SA.
 */
#define	SPI_LOCAL_USE		0
#define	SPI_RESERVED_MIN	1
#define	SPI_RESERVED_MAX	255

/* Reserved CPI numbers (IPComp); 61440..65535 is the private range (0xF000..0xFFFF) */
#define CPI_RESERVED_MIN	1
#define CPI_RESERVED_MAX	255
#define CPI_PRIVATE_MIN		61440
#define CPI_PRIVATE_MAX		65535

/*
 * sysctl default values. Timeouts are in seconds; each SOFT value is
 * smaller than its EXP counterpart so the soft-expire warning is sent
 * before the hard expiration. The 0 defaults for the allocation and
 * byte limits presumably mean "no limit" -- NOTE(review): confirm
 * against the code that sets TDBF_BYTES/TDBF_ALLOCATIONS.
 */
#define	IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT	60	/* 1 minute */
#define	IPSEC_DEFAULT_PFS			1
#define	IPSEC_DEFAULT_SOFT_ALLOCATIONS		0
#define	IPSEC_DEFAULT_EXP_ALLOCATIONS		0
#define	IPSEC_DEFAULT_SOFT_BYTES		0
#define	IPSEC_DEFAULT_EXP_BYTES			0
#define	IPSEC_DEFAULT_SOFT_TIMEOUT		80000	/* ~22.2 hours */
#define	IPSEC_DEFAULT_EXP_TIMEOUT		86400	/* 1 day */
#define	IPSEC_DEFAULT_SOFT_FIRST_USE		3600	/* 1 hour after first use */
#define	IPSEC_DEFAULT_EXP_FIRST_USE		7200	/* 2 hours after first use */
#define	IPSEC_DEFAULT_DEF_ENC			"aes"
#define	IPSEC_DEFAULT_DEF_AUTH			"hmac-sha1"
#define	IPSEC_DEFAULT_EXPIRE_ACQUIRE		30
#define	IPSEC_DEFAULT_DEF_COMP			"deflate"
                    103:
/*
 * Flow selector expressed as a socket address so that it can be keyed
 * in the routing tree (see the note above SENT_*). sen_type selects
 * which member of the Sen union is meaningful; the Sip4/Sip6 members
 * describe a flow, the PolicyHead member points at a policy.
 * sen_len is only 8 bits wide, so the structure must stay below 256 bytes.
 */
struct sockaddr_encap {
	u_int8_t	sen_len;		/* length */
	u_int8_t	sen_family;		/* PF_KEY */
	u_int16_t	sen_type;		/* see SENT_* */
	union {
		struct {				/* SENT_IP4 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_IN / _OUT */
			struct in_addr	Src;
			struct in_addr	Dst;
			u_int8_t	Proto;		/* IP protocol number */
			u_int16_t	Sport;		/* transport source port */
			u_int16_t	Dport;		/* transport destination port */
		} Sip4;

		struct {				/* SENT_IP6 */
			u_int8_t	Direction;	/* IPSP_DIRECTION_IN / _OUT */
			struct in6_addr Src;
			struct in6_addr Dst;
			u_int8_t	Proto;		/* IP protocol number */
			u_int16_t	Sport;		/* transport source port */
			u_int16_t	Dport;		/* transport destination port */
		} Sip6;

		struct ipsec_policy	*PolicyHead;	/* SENT_IPSP */
	} Sen;
};
                    130:
/* Values for the Direction member of struct sockaddr_encap */
#define	IPSP_DIRECTION_IN	0x1
#define	IPSP_DIRECTION_OUT	0x2

/*
 * Field accessors for struct sockaddr_encap. sen_ip_* address the
 * SENT_IP4 view and sen_ip6_* the SENT_IP6 view; a caller must have
 * checked sen_type before using either set.
 *
 * NOTE(review): the Sen union has no member named Data, so sen_data
 * cannot be used without a compile error; it looks like a stale
 * leftover from an earlier layout.
 */
#define	sen_data		Sen.Data
#define	sen_ip_src		Sen.Sip4.Src
#define	sen_ip_dst		Sen.Sip4.Dst
#define	sen_proto		Sen.Sip4.Proto
#define	sen_sport		Sen.Sip4.Sport
#define	sen_dport		Sen.Sip4.Dport
#define	sen_direction		Sen.Sip4.Direction
#define	sen_ip6_src		Sen.Sip6.Src
#define	sen_ip6_dst		Sen.Sip6.Dst
#define	sen_ip6_proto		Sen.Sip6.Proto
#define	sen_ip6_sport		Sen.Sip6.Sport
#define	sen_ip6_dport		Sen.Sip6.Dport
#define	sen_ip6_direction	Sen.Sip6.Direction
#define	sen_ipsp		Sen.PolicyHead

/*
 * The "type" is really part of the address as far as the routing
 * system is concerned. By using only one bit in the type field
 * for each type, we sort-of make sure that different types of
 * encapsulation addresses won't be matched against the wrong type.
 *
 */

#define	SENT_IP4	0x0001		/* data is two struct in_addr */
#define	SENT_IPSP	0x0002		/* data as in IP4/6 plus SPI */
					/* NOTE(review): the Sen union carries a
					 * policy pointer for this type, not an
					 * SPI; the comment above may be stale. */
#define	SENT_IP6	0x0004		/* data is two struct in6_addr */

/* sen_len value for a fully populated struct sockaddr_encap */
#define	SENT_LEN	sizeof(struct sockaddr_encap)
                    162:
/*
 * Reference-counted header for variable-length identity/credential
 * data (see IPSP_IDENTITY_*, IPSP_CRED_*, IPSP_AUTH_*); the payload
 * follows this header in memory. ref_len is signed, so consumers
 * that receive one of these from outside the kernel must reject
 * negative lengths before trusting it.
 */
struct ipsec_ref {
	u_int16_t	ref_type;	/* Subtype of data */
	int16_t		ref_len;	/* Length of data following */
	int		ref_count;	/* Reference count */
	int		ref_malloctype;	/* malloc(9) type, for freeing */
};
                    169:
/*
 * A pending request to key management for an SA that a policy needs
 * but does not yet have. Each acquire is linked on three lists at once:
 * the owning policy's ipo_acquires (ipa_ipo_next), the global
 * ipsec_acquire_head (ipa_next) and, by name, a per-PCB list
 * (ipa_inp_next) -- NOTE(review): confirm the last against the inpcb code.
 */
struct ipsec_acquire {
	union sockaddr_union		ipa_addr;	/* peer address the SA is wanted for */
	u_int32_t			ipa_seq;	/* request sequence number (presumably the PF_KEY seq) */
	struct sockaddr_encap		ipa_info;	/* flow selector that triggered the acquire */
	struct sockaddr_encap		ipa_mask;	/* and its mask */
	struct timeout			ipa_timeout;	/* expires the request (cf. ipsec_expire_acquire) */
	struct ipsec_policy		*ipa_policy;	/* policy this acquire belongs to */
	struct inpcb			*ipa_pcb;	/* socket that triggered it, if any */
	TAILQ_ENTRY(ipsec_acquire)	ipa_ipo_next;	/* link in ipa_policy->ipo_acquires */
	TAILQ_ENTRY(ipsec_acquire)	ipa_next;	/* link in ipsec_acquire_head */
	TAILQ_ENTRY(ipsec_acquire)	ipa_inp_next;	/* link in a per-inpcb list */
};
                    182:
/*
 * A security policy: which traffic (ipo_addr/ipo_mask flow selector) must
 * be handled how (ipo_type, one of IPSP_IPSEC_USE ... IPSP_IPSEC_DONTACQ),
 * with which protocol (ipo_sproto) and with which peer (ipo_dst).
 * ipo_tdb caches the SA that last satisfied the policy; ipo_acquires
 * holds requests to key management that are still outstanding.
 */
struct ipsec_policy {
	struct sockaddr_encap	ipo_addr;	/* flow selector */
	struct sockaddr_encap	ipo_mask;	/* and its mask */

	union sockaddr_union	ipo_src;	/* Local address to use */
	union sockaddr_union	ipo_dst;	/* Remote gateway -- if it's zeroed:
						 * - on output, we try to
						 * contact the remote host
						 * directly (if needed).
						 * - on input, we accept only if
						 * the inner source is the
						 * same as the outer source
						 * address, or if transport
						 * mode was used.
						 */

	u_int64_t		ipo_last_searched;	/* Timestamp of last lookup */

	u_int8_t		ipo_flags;	/* See IPSP_POLICY_* definitions */
	u_int8_t		ipo_type;	/* USE/ACQUIRE/... (IPSP_IPSEC_*, IPSP_PERMIT, IPSP_DENY) */
	u_int8_t		ipo_sproto;	/* ESP/AH; if zero, use system dflts */

	int			ipo_ref_count;	/* reference count */

	struct tdb		*ipo_tdb;		/* Cached entry */

	struct ipsec_ref	*ipo_srcid;	/* identities and credentials presented */
	struct ipsec_ref	*ipo_dstid;	/* to / required from key management */
	struct ipsec_ref	*ipo_local_cred;
	struct ipsec_ref	*ipo_local_auth;

	TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */
	TAILQ_ENTRY(ipsec_policy)	ipo_tdb_next;	/* List TDB policies */
	TAILQ_ENTRY(ipsec_policy)	ipo_list;	/* List of all policies */
};
                    218:
/* ipo_flags bits */
#define	IPSP_POLICY_NONE	0x0000	/* No flags set */
#define	IPSP_POLICY_SOCKET	0x0001	/* Socket-attached policy */
#define	IPSP_POLICY_STATIC	0x0002	/* Static policy */

/* ipo_type values: what to do with traffic that matches the policy */
#define	IPSP_IPSEC_USE		0	/* Use if existing, don't acquire */
#define	IPSP_IPSEC_ACQUIRE	1	/* Try acquire, let packet through */
#define	IPSP_IPSEC_REQUIRE	2	/* Require SA */
#define	IPSP_PERMIT		3	/* Permit traffic through */
#define	IPSP_DENY		4	/* Deny traffic */
#define	IPSP_IPSEC_DONTACQ	5	/* Require, but don't acquire */

/* Notification types */
#define	NOTIFY_SOFT_EXPIRE	0	/* Soft expiration of SA */
#define	NOTIFY_HARD_EXPIRE	1	/* Hard expiration of SA */
#define	NOTIFY_REQUEST_SA	2	/* Establish an SA */

/*
 * SA attribute bits, OR-ed together by TDB_ATTRIB().
 * NOTE(review): NOTIFY_SATYPE_COMP is 5, not a single bit; it equals
 * CONF|TUNNEL, so an OR-ed attribute word is ambiguous (e.g. CONF|COMP
 * collapses to COMP, AUTH|COMP reads as CONF|AUTH|TUNNEL). The value is
 * left as is here because it may be part of an external contract;
 * consumers of TDB_ATTRIB() results should not test the COMP bit in
 * isolation.
 */
#define	NOTIFY_SATYPE_CONF	1	/* SA should do encryption */
#define	NOTIFY_SATYPE_AUTH	2	/* SA should do authentication */
#define	NOTIFY_SATYPE_TUNNEL	4	/* SA should use tunneling */
#define NOTIFY_SATYPE_COMP	5	/* SA (IPCA) should use compression */

/* Authentication types (ipsec_ref ref_type for *_auth data) */
#define	IPSP_AUTH_NONE		0
#define	IPSP_AUTH_PASSPHRASE	1
#define	IPSP_AUTH_RSA		2

/* Credential types (ipsec_ref ref_type for *_cred data) */
#define	IPSP_CRED_NONE		0
#define	IPSP_CRED_KEYNOTE	1
#define	IPSP_CRED_X509		2

/* Identity types (ipsec_ref ref_type for *_srcid / *_dstid data) */
#define	IPSP_IDENTITY_NONE		0
#define	IPSP_IDENTITY_PREFIX		1
#define	IPSP_IDENTITY_FQDN		2
#define	IPSP_IDENTITY_USERFQDN		3
#define	IPSP_IDENTITY_CONNECTION	4
                    256:
/*
 * For encapsulation, routes are possible not only for the destination
 * address but also for the protocol, source and destination ports
 * if available. route_enc is the encapsulation-tree analogue of
 * struct route: a cached rtentry plus the sockaddr_encap used to look it up.
 */

struct route_enc {
	struct rtentry		*re_rt;		/* cached routing entry, if resolved */
	struct sockaddr_encap	re_dst;		/* flow selector the lookup was made with */
};
                    267:
struct tdb {				/* tunnel descriptor block */
	/*
	 * One security association: peer addresses, SPI, the negotiated
	 * transforms and their key material, lifetime counters and
	 * anti-replay state.
	 *
	 * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
	 * one keyed on dst/sproto, and one keyed on src/sproto. The first
	 * is used for finding a specific TDB, the second for finding TDBs
	 * for outgoing policy matching, and the third for incoming
	 * policy matching. The following three fields maintain the hash
	 * queues in those three tables.
	 */
	struct tdb	*tdb_hnext;	/* dst/spi/sproto table */
	struct tdb	*tdb_anext;	/* dst/sproto table */
	struct tdb	*tdb_snext;	/* src/sproto table */
	struct tdb	*tdb_inext;	/* SA bundle chain links; the TDB_DIR argument */
	struct tdb	*tdb_onext;	/* of SPI_CHAIN_ATTRIB() names one (presumed) */

	struct xformsw		*tdb_xform;		/* Transform to use */
	struct enc_xform	*tdb_encalgxform;	/* Enc algorithm */
	struct auth_hash	*tdb_authalgxform;	/* Auth algorithm */
	struct comp_algo	*tdb_compalgxform;	/* Compression algo */

/* tdb_flags bits; the highest (0x20000) fits comfortably in 32 bits */
#define	TDBF_UNIQUE		0x00001	/* This should not be used by others */
#define	TDBF_TIMER		0x00002	/* Absolute expiration timer in use */
#define	TDBF_BYTES		0x00004	/* Check the byte counters */
#define	TDBF_ALLOCATIONS	0x00008	/* Check the flows counters */
#define	TDBF_INVALID		0x00010	/* This SPI is not valid yet/anymore */
#define	TDBF_FIRSTUSE		0x00020	/* Expire after first use */
#define	TDBF_HALFIV		0x00040	/* Use half-length IV (ESP old only) */
#define	TDBF_SOFT_TIMER		0x00080	/* Soft expiration */
#define	TDBF_SOFT_BYTES		0x00100	/* Soft expiration */
#define	TDBF_SOFT_ALLOCATIONS	0x00200	/* Soft expiration */
#define	TDBF_SOFT_FIRSTUSE	0x00400	/* Soft expiration */
#define	TDBF_PFS		0x00800	/* Ask for PFS from Key Mgmt. */
#define	TDBF_TUNNELING		0x01000	/* Force IP-IP encapsulation */
#define	TDBF_NOREPLAY		0x02000	/* No replay counter present */
#define	TDBF_RANDOMPADDING	0x04000	/* Random data in the ESP padding */
#define	TDBF_SKIPCRYPTO		0x08000	/* Skip actual crypto processing */
#define	TDBF_USEDTUNNEL		0x10000	/* Appended a tunnel header in past */
#define	TDBF_UDPENCAP		0x20000	/* UDP encapsulation */

	u_int32_t	tdb_flags;	/* Flags related to this TDB */

	/* Expiration timers; by name they pair with TDBF_TIMER, TDBF_FIRSTUSE
	 * and their SOFT_ variants. */
	struct timeout	tdb_timer_tmo;
	struct timeout	tdb_first_tmo;
	struct timeout	tdb_stimer_tmo;
	struct timeout	tdb_sfirst_tmo;

	u_int32_t	tdb_seq;		/* Tracking number for PFKEY */
	u_int32_t	tdb_exp_allocations;	/* Expire after so many flows */
	u_int32_t	tdb_soft_allocations;	/* Expiration warning */
	u_int32_t	tdb_cur_allocations;	/* Total number of allocs */

	u_int64_t	tdb_exp_bytes;	/* Expire after so many bytes passed */
	u_int64_t	tdb_soft_bytes;	/* Expiration warning */
	u_int64_t	tdb_cur_bytes;	/* Current count of bytes */

	u_int64_t	tdb_exp_timeout;	/* When does the SPI expire */
	u_int64_t	tdb_soft_timeout;	/* Send soft-expire warning */
	u_int64_t	tdb_established;	/* When was SPI established */

	u_int64_t	tdb_first_use;		/* When was it first used */
	u_int64_t	tdb_soft_first_use;	/* Soft warning */
	u_int64_t	tdb_exp_first_use;	/* Expire if tdb_first_use +
						 * tdb_exp_first_use <= curtime
						 */

	u_int64_t	tdb_last_used;	/* When was this SA last used */
	u_int64_t	tdb_last_marked;/* Last SKIPCRYPTO status change */

	u_int64_t	tdb_cryptoid;	/* Crypto session ID */

	u_int32_t	tdb_spi;	/* SPI */
	u_int16_t	tdb_amxkeylen;	/* Raw authentication key length */
	u_int16_t	tdb_emxkeylen;	/* Raw encryption key length */
	u_int16_t	tdb_ivlen;	/* IV length */
	u_int8_t	tdb_sproto;	/* IPsec protocol */
	u_int8_t	tdb_wnd;	/* Replay window */
	u_int8_t	tdb_satype;	/* SA type (RFC2367, PF_KEY) */

	union sockaddr_union	tdb_dst;	/* Destination address */
	union sockaddr_union	tdb_src;	/* Source address */
	union sockaddr_union	tdb_proxy;

	/*
	 * Raw key material (lengths in tdb_amxkeylen / tdb_emxkeylen). Secret:
	 * must be wiped before the TDB is freed -- presumably the job of the
	 * transform's xf_zeroize hook; NOTE(review): confirm each transform does so.
	 */
	u_int8_t	*tdb_amxkey;	/* Raw authentication key */
	u_int8_t	*tdb_emxkey;	/* Raw encryption key */

	/*
	 * Anti-replay state. The bitmap is 32 bits wide, so the sliding
	 * window can cover at most 32 sequence numbers and tdb_wnd must not
	 * exceed that. Unused when TDBF_NOREPLAY is set.
	 */
	u_int32_t	tdb_rpl;	/* Replay counter */
	u_int32_t	tdb_bitmap;	/* Used for replay sliding window */

	u_int8_t	tdb_iv[4];	/* Used for HALF-IV ESP */

	struct ipsec_ref	*tdb_local_cred;
	struct ipsec_ref	*tdb_remote_cred;
	struct ipsec_ref	*tdb_srcid;	/* Source ID for this SA */
	struct ipsec_ref	*tdb_dstid;	/* Destination ID for this SA */
	struct ipsec_ref	*tdb_local_auth;/* Local authentication material */
	struct ipsec_ref	*tdb_remote_auth;/* Remote authentication material */

	u_int32_t	tdb_mtu;	/* MTU at this point in the chain */
	u_int64_t	tdb_mtutimeout;	/* When to ignore this entry */

	u_int16_t	tdb_udpencap_port;	/* Peer UDP port (TDBF_UDPENCAP) */

	u_int16_t	tdb_tag;		/* Packet filter tag */

	struct sockaddr_encap	tdb_filter; /* What traffic is acceptable */
	struct sockaddr_encap	tdb_filtermask; /* And the mask */

	/* PCBs and policies that currently reference this SA */
	TAILQ_HEAD(tdb_inp_head_in, inpcb)	tdb_inp_in;
	TAILQ_HEAD(tdb_inp_head_out, inpcb)	tdb_inp_out;
	TAILQ_HEAD(tdb_policy_head, ipsec_policy)	tdb_policy_head;
};
                    379:
/*
 * Lookup key for a TDB: the (spi, dst, proto) triple that the
 * dst/spi/sproto hash table is keyed on.
 */
struct tdb_ident {
	u_int32_t spi;
	union sockaddr_union dst;
	u_int8_t proto;
};
                    385:
/*
 * Per-packet state carried across an asynchronous crypto operation.
 * The TDB is identified by its lookup key (cf. struct tdb_ident)
 * rather than by pointer, presumably so the completion side can
 * re-look it up and notice if it was removed meanwhile --
 * NOTE(review): confirm in the transforms' input/output callbacks.
 */
struct tdb_crypto {
	u_int32_t		tc_spi;		/* SA lookup key: SPI */
	union sockaddr_union	tc_dst;		/* SA lookup key: destination */
	u_int8_t		tc_proto;	/* SA lookup key: IPsec protocol */
	int			tc_protoff;	/* offset of the protocol field in the packet */
	int			tc_skip;	/* bytes to skip to reach the payload */
	caddr_t			tc_ptr;		/* caller-private pointer */
};
                    394:
/*
 * Parameters handed to a transform's xf_init: the algorithm ids and
 * the raw key material supplied by key management. Whether the key
 * lengths are in bits or bytes is not fixed here -- NOTE(review): check
 * the xf_init implementations before relying on either.
 */
struct ipsecinit {
	u_int8_t	*ii_enckey;	/* raw encryption key */
	u_int8_t	*ii_authkey;	/* raw authentication key */
	u_int16_t	ii_enckeylen;	/* length of ii_enckey */
	u_int16_t	ii_authkeylen;	/* length of ii_authkey */
	u_int8_t	ii_encalg;	/* encryption algorithm id */
	u_int8_t	ii_authalg;	/* authentication algorithm id */
	u_int8_t	ii_compalg;	/* compression algorithm id */
};
                    404:
/* xform IDs (xformsw xf_type); 4 is not assigned in this header */
#define	XF_IP4		1	/* IP inside IP */
#define	XF_AH		2	/* AH */
#define	XF_ESP		3	/* ESP */
#define	XF_TCPSIGNATURE	5	/* TCP MD5 Signature option, RFC 2385 */
#define	XF_IPCOMP	6	/* IPCOMP */

/* xform attributes (xformsw xf_flags), one bit per capability */
#define	XFT_AUTH	0x0001
#define	XFT_CONF	0x0100
#define	XFT_COMP	0x1000

#define	IPSEC_ZEROES_SIZE	256	/* Larger than an IP6 extension hdr. */
                    418:
                    419: #ifdef _KERNEL
                    420:
/*
 * Transform switch entry: the operations vector for one IPsec transform
 * (see XF_* for the ids). xf_attach runs once at configuration time,
 * xf_init binds a TDB to this transform with the given keys, xf_zeroize
 * tears that binding down, and xf_input/xf_output process packets.
 */
struct xformsw {
	u_short	xf_type;		/* Unique ID of xform */
	u_short	xf_flags;		/* flags (see below) */
	char	*xf_name;		/* human-readable name */
	int	(*xf_attach)(void);	/* called at config time */
	int	(*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *);
	int	(*xf_zeroize)(struct tdb *); /* termination */
	int	(*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */
	int	(*xf_output)(struct mbuf *, struct tdb *, struct mbuf **,
	    int, int);	      /* output */
};
                    432:
/*
 * Protects all tdb lists.
 * Must at least be splsoftnet (note: do not use splsoftclock as it is
 * special on some architectures, assuming it is always an spl lowering
 * operation). Every walker of the TDB hash tables or SA chains raises
 * to spltdb() first (see SPI_CHAIN_ATTRIB for an example).
 */
#define	spltdb	splsoftnet
                    440:
                    441: extern int encdebug;
                    442: extern int ipsec_acl;
                    443: extern int ipsec_keep_invalid;
                    444: extern int ipsec_in_use;
                    445: extern u_int64_t ipsec_last_added;
                    446: extern int ipsec_require_pfs;
                    447: extern int ipsec_expire_acquire;
                    448:
                    449: extern int ipsec_policy_pool_initialized;
                    450:
                    451: extern int ipsec_soft_allocations;
                    452: extern int ipsec_exp_allocations;
                    453: extern int ipsec_soft_bytes;
                    454: extern int ipsec_exp_bytes;
                    455: extern int ipsec_soft_timeout;
                    456: extern int ipsec_exp_timeout;
                    457: extern int ipsec_soft_first_use;
                    458: extern int ipsec_exp_first_use;
                    459: extern char ipsec_def_enc[];
                    460: extern char ipsec_def_auth[];
                    461: extern char ipsec_def_comp[];
                    462:
                    463: extern struct enc_xform enc_xform_des;
                    464: extern struct enc_xform enc_xform_3des;
                    465: extern struct enc_xform enc_xform_blf;
                    466: extern struct enc_xform enc_xform_cast5;
                    467: extern struct enc_xform enc_xform_skipjack;
                    468:
                    469: extern struct auth_hash auth_hash_hmac_md5_96;
                    470: extern struct auth_hash auth_hash_hmac_sha1_96;
                    471: extern struct auth_hash auth_hash_hmac_ripemd_160_96;
                    472:
                    473: extern struct comp_algo comp_algo_deflate;
                    474:
/* Global lists of installed policies and of SA acquisitions in flight. */
extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;
extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head;

/*
 * Table of registered transforms.  By its name xformswNXFORMSW presumably
 * points one past the last entry — confirm against the definition before
 * using it as a loop bound.
 */
extern struct xformsw xformsw[], *xformswNXFORMSW;
                    479:
/*
 * Attribute bits of one TDB: which of encryption (CONF), authentication
 * (AUTH) and compression (COMP) it carries, judged by whether the
 * corresponding transform pointer is attached.  Evaluates to an OR of
 * NOTIFY_SATYPE_* flags, 0 for a TDB with none of the three.
 * (The original comment said "tunneling" for the third bit; the field
 * tested is the compression transform.)
 */
#define	TDB_ATTRIB(x)							\
	(((x)->tdb_encalgxform != NULL ? NOTIFY_SATYPE_CONF : 0) |	\
	 ((x)->tdb_authalgxform != NULL ? NOTIFY_SATYPE_AUTH : 0) |	\
	 ((x)->tdb_compalgxform != NULL ? NOTIFY_SATYPE_COMP : 0))
                    484:
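/*
 * Walk an SA chain (bundle) starting at TDBP along the TDB_DIR link
 * (e.g. tdb_onext / tdb_inext) and OR the TDB_ATTRIB() bits of every
 * member into `have'.  The walk stops at the end of the chain, at a TDB
 * with no transform attached, or at the first TDB flagged TDBF_INVALID;
 * that TDB and anything behind it contribute nothing, so a chain broken
 * by an invalid SA reports fewer protections than it nominally has.
 * Runs at spltdb() so the chain cannot be modified under the walk.
 *
 * `have' must be an lvalue, TDB_DIR a struct tdb member name and TDBP a
 * struct tdb pointer; TDBP is evaluated exactly once, after spltdb().
 * The internal locals carry underscore names so an argument expression
 * cannot accidentally bind to them.
 *
 * The previous version re-tested the pointer for NULL inside the loop;
 * that test could never fire because the loop condition already
 * guarantees a non-NULL pointer, so it has been dropped.
 */
#define	SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) do {			\
	int _spl = spltdb();						\
	struct tdb *_ctdb = (TDBP);					\
									\
	(have) = 0;							\
	while (_ctdb != NULL && _ctdb->tdb_xform != NULL) {		\
		if (_ctdb->tdb_flags & TDBF_INVALID)			\
			break;						\
		(have) |= TDB_ATTRIB(_ctdb);				\
		_ctdb = _ctdb->TDB_DIR;					\
	}								\
	splx(_spl);							\
} while (0)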
                    500:
/*
 * Misc.: address formatting for diagnostics.  Both return a char * without
 * the caller supplying a buffer, so the result presumably lives in static
 * storage: consume it before the next call and never share it across
 * contexts — confirm against the definitions.
 */
extern char *inet_ntoa4(struct in_addr);
extern char *ipsp_address(union sockaddr_union);
                    504:
/*
 * TDB (SA) table management.  By the signatures, gettdb() keys on the
 * (SPI, destination address, protocol) triple, while the gettdbby*
 * variants search by address and may additionally match identity
 * references (struct ipsec_ref) and the packet's flow (sockaddr_encap).
 * reserve_spi() takes two u_int32_t that presumably bound the SPI range
 * to choose from and reports failure through the trailing int * — confirm
 * in the definition.  Locking is spl-based (see spltdb above); a TDB
 * pointer returned here is not reference-counted by this interface, so
 * callers must not hold it across a point where the TDB can be deleted.
 */
extern void tdb_add_inp(struct tdb *, struct inpcb *, int);
extern u_int32_t reserve_spi(u_int32_t, u_int32_t, union sockaddr_union *,
    union sockaddr_union *, u_int8_t, int *);
extern struct tdb *gettdb(u_int32_t, union sockaddr_union *, u_int8_t);
extern struct tdb *gettdbbyaddr(union sockaddr_union *, u_int8_t,
    struct ipsec_ref *, struct ipsec_ref *, struct ipsec_ref *,
    struct mbuf *, int, struct sockaddr_encap *, struct sockaddr_encap *);
extern struct tdb *gettdbbysrc(union sockaddr_union *, u_int8_t,
    struct ipsec_ref *, struct ipsec_ref *, struct mbuf *, int,
    struct sockaddr_encap *, struct sockaddr_encap *);
extern struct tdb *gettdbbysrcdst(u_int32_t, union sockaddr_union *,
    union sockaddr_union *, u_int8_t);
/* Insert / remove a TDB in the hash table; tdb_hash() computes its bucket. */
extern void puttdb(struct tdb *);
extern void tdb_delete(struct tdb *);
/* Allocation and teardown; tdb_free() is where key material should be wiped. */
extern struct tdb *tdb_alloc(void);
extern void tdb_free(struct tdb *);
extern int tdb_hash(u_int32_t, union sockaddr_union *, u_int8_t);
extern int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
/* Visit every TDB with the callback; the int is passed through to it. */
extern int tdb_walk(int (*)(struct tdb *, void *, int), void *);
                    525:
/*
 * XF_IP4: IP-in-IP encapsulation transform.  ipe4_* are the transform
 * entry points; ipip_output() / ipip_input() do the actual encapsulation
 * and decapsulation and are shared with the protocol-level input hooks
 * below.
 */
extern int ipe4_attach(void);
extern int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
extern int ipe4_zeroize(struct tdb *);
extern int ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
extern void ipe4_input(struct mbuf *, ...);
extern void ipip_input(struct mbuf *, int, struct ifnet *);

#ifdef INET
extern void ip4_input(struct mbuf *, ...);
#endif /* INET */

#ifdef INET6
extern int ip4_input6(struct mbuf **, int *, int);
#endif /* INET6 */
                    541:
/*
 * XF_ETHERIP: Ethernet-over-IP encapsulation.  Same output/input shape as
 * the IP4 transform above.
 */
extern int etherip_output(struct mbuf *, struct tdb *, struct mbuf **,
    int, int);
extern void etherip_input(struct mbuf *, ...);
                    546:
/*
 * XF_AH: IP Authentication Header transform.
 *
 * attach/init/zeroize manage per-SA state; zeroize is the point where
 * key material is wiped when the SA dies — confirm it uses a wipe the
 * compiler cannot drop.  ah_output() / ah_input() are the transform entry
 * points, the *_cb() functions their crypto completion callbacks, and
 * ah_sysctl() follows the sysctl(9) handler signature.  By its name,
 * ah_massage_headers() neutralises the mutable IP header fields before
 * the ICV is computed or verified — confirm in the definition.
 */
extern int ah_attach(void);
extern int ah_init(struct tdb *, struct xformsw *, struct ipsecinit *);
extern int ah_zeroize(struct tdb *);
extern int ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
extern int ah_output_cb(void *);
extern int ah_input(struct mbuf *, struct tdb *, int, int);
extern int ah_input_cb(void *);
extern int ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);
extern int ah_massage_headers(struct mbuf **, int, int, int, int);

#ifdef INET
/* IPv4 protocol hooks; the *_ctlinput() ones take the pr_ctlinput shape. */
extern void ah4_input(struct mbuf *, ...);
extern int ah4_input_cb(struct mbuf *, ...);
extern void *ah4_ctlinput(int, struct sockaddr *, void *);
extern void *udpencap_ctlinput(int, struct sockaddr *, void *);
#endif /* INET */

#ifdef INET6
extern int ah6_input(struct mbuf **, int *, int);
extern int ah6_input_cb(struct mbuf *, int, int);
#endif /* INET6 */
                    569:
/*
 * XF_ESP: Encapsulating Security Payload transform.  Same layout as the
 * AH set above: attach/init/zeroize for per-SA state (zeroize wipes the
 * keys — confirm the wipe cannot be optimised away), output/input entry
 * points with their crypto completion callbacks, and a sysctl(9)-style
 * handler.
 *
 * NOTE(review): on the inbound path the ICV must be verified before any
 * decrypted byte is interpreted and before the replay window is advanced;
 * this header cannot show that order, check esp_input_cb().
 */
extern int esp_attach(void);
extern int esp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
extern int esp_zeroize(struct tdb *);
extern int esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
extern int esp_output_cb(void *);
extern int esp_input(struct mbuf *, struct tdb *, int, int);
extern int esp_input_cb(void *);
extern int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);

#ifdef INET
extern void esp4_input(struct mbuf *, ...);
extern int esp4_input_cb(struct mbuf *, ...);
extern void *esp4_ctlinput(int, struct sockaddr *, void *);
#endif /* INET */

#ifdef INET6
extern int esp6_input(struct mbuf **, int *, int);
extern int esp6_input_cb(struct mbuf *, int, int);
#endif /* INET6 */
                    590:
/*
 * XF_IPCOMP: IP payload compression transform, same layout as AH/ESP.
 *
 * NOTE(review): inbound decompression expands attacker-controlled data;
 * ipcomp_input_cb() must cap the decompressed size (and the mbuf chain
 * it builds) rather than trust the compressed length.  Not verifiable
 * from this header.
 */
extern int ipcomp_attach(void);
extern int ipcomp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
extern int ipcomp_zeroize(struct tdb *);
extern int ipcomp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
extern int ipcomp_output_cb(void *);
extern int ipcomp_input(struct mbuf *, struct tdb *, int, int);
extern int ipcomp_input_cb(void *);
extern int ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);

#ifdef INET
extern void ipcomp4_input(struct mbuf *, ...);
extern int ipcomp4_input_cb(struct mbuf *, ...);
#endif /* INET */

#ifdef INET6
extern int ipcomp6_input(struct mbuf **, int *, int);
extern int ipcomp6_input_cb(struct mbuf *, int, int);
#endif /* INET6 */
                    610:
/*
 * XF_TCPSIGNATURE: pseudo-transform whose TDB only carries the key for the
 * TCP signature option (by name, the RFC 2385 MD5 signature — confirm).
 * It has no crypto completion callbacks; input/output here presumably
 * exist only to satisfy the xformsw interface rather than to process
 * packets.
 */
extern int tcp_signature_tdb_attach(void);
extern int tcp_signature_tdb_init(struct tdb *, struct xformsw *,
    struct ipsecinit *);
extern int tcp_signature_tdb_zeroize(struct tdb *);
extern int tcp_signature_tdb_input(struct mbuf *, struct tdb *, int,
    int);
extern int tcp_signature_tdb_output(struct mbuf *, struct tdb *,
    struct mbuf **, int, int);
                    620:
/*
 * Padding: extend the mbuf chain by the given number of bytes and return
 * a pointer to the new space.  The return is presumably NULL on failure
 * — confirm; callers must check it before writing through it.
 */
extern caddr_t m_pad(struct mbuf *, int);
                    623:
/*
 * Replay window for 32-bit sequence numbers (by name; no extended
 * sequence number variant is declared here).  From the parameter types:
 * the received sequence number, the window's current high-water mark and
 * bitmap, the window size, an out-parameter for the updated high-water
 * mark, and a trailing int that presumably selects check-only versus
 * check-and-update — confirm the exact contract and the return
 * convention in the definition.
 *
 * NOTE(review): the window must only be advanced after the packet's ICV
 * has verified; updating it on an unauthenticated packet lets an attacker
 * push the window forward and drop legitimate traffic.
 */
extern int checkreplaywindow32(u_int32_t, u_int32_t, u_int32_t *, u_int32_t,
    u_int32_t *, int);

/*
 * Array of zero bytes, size fixed by the definition.  Usable as a source
 * of zero padding; never index beyond the defined length.
 */
extern unsigned char ipseczeroes[];
                    629:
/*
 * Packet processing and policy.
 *
 * ipsp_process_packet() applies the transform chain starting at the given
 * TDB to a packet and ipsp_process_done() is the continuation once a
 * transform has completed.  ipsp_spd_lookup() / ipsp_spd_inp() consult
 * the security policy database (the latter with a socket-attached policy)
 * and return the TDB the packet must use, if any.  ipsec_common_input()
 * and its _cb() are the shared inbound path for AH/ESP/IPCOMP.
 * ipsp_acquire_sa() asks the key manager for a missing SA, and
 * ipsp_pending_acquire() / ipsec_get_acquire() / ipsp_delete_acquire()
 * track requests in flight.  These glosses come from names and signatures;
 * confirm details in the definitions before relying on them.
 *
 * NOTE(review): ipsp_parse_headers() consumes untrusted packet headers;
 * every length it reads must be validated against the mbuf chain before
 * use.  ipsp_print_tdb() takes an explicit buffer size — keep it that way.
 */
extern int ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
extern int ipsp_process_done(struct mbuf *, struct tdb *);
extern struct tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int,
    struct tdb *, struct inpcb *);
extern struct tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int,
    struct tdb *, struct inpcb *, struct ipsec_policy *);
extern int ipsec_common_input(struct mbuf *, int, int, int, int, int);
extern int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int,
    struct m_tag *);
extern int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *,
    union sockaddr_union *, struct sockaddr_encap *, struct mbuf *);
/* Per-socket policy management. */
extern struct ipsec_policy *ipsec_add_policy(struct inpcb *, int, int);
extern void ipsec_update_policy(struct inpcb *, struct ipsec_policy *,
    int, int);
extern int ipsec_delete_policy(struct ipsec_policy *);
extern struct ipsec_acquire *ipsp_pending_acquire(struct ipsec_policy *,
    union sockaddr_union *);
extern void ipsp_delete_acquire(void *);
extern int ipsp_is_unspecified(union sockaddr_union);
/* Drop a reference on an identity reference object. */
extern void ipsp_reffree(struct ipsec_ref *);
extern void ipsp_skipcrypto_unmark(struct tdb_ident *);
extern void ipsp_skipcrypto_mark(struct tdb_ident *);
extern struct m_tag *ipsp_parse_headers(struct mbuf *, int, u_int8_t);
extern int ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *);
/* Header overhead a TDB adds; ssize_t so a negative value can signal error. */
extern ssize_t ipsec_hdrsz(struct tdb *);
extern void ipsec_adjust_mtu(struct mbuf *, u_int32_t);
extern int ipsp_print_tdb(struct tdb *, char *, size_t);
extern struct ipsec_acquire *ipsec_get_acquire(u_int32_t);
extern int ipsp_aux_match(struct tdb *,
    struct ipsec_ref *, struct ipsec_ref *,
    struct ipsec_ref *, struct ipsec_ref *,
    struct sockaddr_encap *, struct sockaddr_encap *);
                    663: #endif /* _KERNEL */
                    664: #endif /* _NETINET_IPSP_H_ */
