root/netinet/ip_ipsp.h



    1 /*      $OpenBSD: ip_ipsp.h,v 1.135 2006/11/24 13:52:14 reyk Exp $      */
    2 /*
    3  * The authors of this code are John Ioannidis (ji@tla.org),
    4  * Angelos D. Keromytis (kermit@csd.uch.gr),
    5  * Niels Provos (provos@physnet.uni-hamburg.de) and
    6  * Niklas Hallqvist (niklas@appli.se).
    7  *
    8  * The original version of this code was written by John Ioannidis
    9  * for BSD/OS in Athens, Greece, in November 1995.
   10  *
   11  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
   12  * by Angelos D. Keromytis.
   13  *
   14  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
   15  * and Niels Provos.
   16  *
   17  * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
   18  *
   19  * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
   20  * Angelos D. Keromytis and Niels Provos.
   21  * Copyright (c) 1999 Niklas Hallqvist.
   22  * Copyright (c) 2001, Angelos D. Keromytis.
   23  *
   24  * Permission to use, copy, and modify this software with or without fee
   25  * is hereby granted, provided that this entire notice is included in
   26  * all copies of any software which is or includes a copy or
   27  * modification of this software.
   28  * You may use this code under the GNU public license if you so wish. Please
   29  * contribute changes back to the authors under this freer than GPL license
   30  * so that we may further the use of strong encryption without limitations to
   31  * all.
   32  *
   33  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
   34  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
   35  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
   36  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
   37  * PURPOSE.
   38  */
   39 
   40 #ifndef _NETINET_IPSP_H_
   41 #define _NETINET_IPSP_H_
   42 
   43 /* IPSP global definitions. */
   44 
   45 #include <sys/types.h>
   46 #include <sys/queue.h>
   47 #include <sys/timeout.h>
   48 #include <netinet/in.h>
   49 
   50 union sockaddr_union {                  /* One storage for every address family IPsec handles; TDB/policy lookups key on it (gettdb() and friends) */
   51         struct sockaddr         sa;     /* family-agnostic view */
   52         struct sockaddr_in      sin;    /* IPv4 */
   53         struct sockaddr_in6     sin6;   /* IPv6 */
   54 };
   55 
   56 /* HMAC key sizes */
   57 #define MD5HMAC96_KEYSIZE       16
   58 #define SHA1HMAC96_KEYSIZE      20
   59 #define RIPEMD160HMAC96_KEYSIZE 20
   60 #define SHA2_256HMAC96_KEYSIZE  32
   61 #define SHA2_384HMAC96_KEYSIZE  48
   62 #define SHA2_512HMAC96_KEYSIZE  64
   63 
   64 #define AH_HMAC_HASHLEN         12      /* 96 bits of authenticator */
   65 #define AH_HMAC_RPLENGTH        4       /* 32 bits of replay counter */
   66 #define AH_HMAC_INITIAL_RPL     1       /* Replay counter initial value */
   67 
   68 /* Authenticator lengths */
   69 #define AH_MD5_ALEN             16
   70 #define AH_SHA1_ALEN            20
   71 #define AH_RMD160_ALEN          20
   72 #define AH_SHA2_256_ALEN        32
   73 #define AH_SHA2_384_ALEN        48
   74 #define AH_SHA2_512_ALEN        64
   75 #define AH_ALEN_MAX             64      /* Keep updated */
   76 
   77 /* Reserved SPI numbers */
   78 #define SPI_LOCAL_USE           0
   79 #define SPI_RESERVED_MIN        1
   80 #define SPI_RESERVED_MAX        255
   81 
   82 /* Reserved CPI numbers */
   83 #define CPI_RESERVED_MIN        1
   84 #define CPI_RESERVED_MAX        255
   85 #define CPI_PRIVATE_MIN         61440
   86 #define CPI_PRIVATE_MAX         65535
   87 
   88 /* sysctl default values */
   89 #define IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT      60      /* 1 minute */
   90 #define IPSEC_DEFAULT_PFS                       1
   91 #define IPSEC_DEFAULT_SOFT_ALLOCATIONS          0
   92 #define IPSEC_DEFAULT_EXP_ALLOCATIONS           0
   93 #define IPSEC_DEFAULT_SOFT_BYTES                0
   94 #define IPSEC_DEFAULT_EXP_BYTES                 0
   95 #define IPSEC_DEFAULT_SOFT_TIMEOUT              80000
   96 #define IPSEC_DEFAULT_EXP_TIMEOUT               86400
   97 #define IPSEC_DEFAULT_SOFT_FIRST_USE            3600
   98 #define IPSEC_DEFAULT_EXP_FIRST_USE             7200
   99 #define IPSEC_DEFAULT_DEF_ENC                   "aes"
  100 #define IPSEC_DEFAULT_DEF_AUTH                  "hmac-sha1"
  101 #define IPSEC_DEFAULT_EXPIRE_ACQUIRE            30
  102 #define IPSEC_DEFAULT_DEF_COMP                  "deflate"
  103 
  104 struct sockaddr_encap {
              /*
               * A flow selector shaped like a sockaddr so that one object can
               * serve as a routing key (struct route_enc, SENT_* below) and as
               * the selector of a policy, an acquire or an SA (ipo_addr+ipo_mask,
               * ipa_info+ipa_mask, tdb_filter+tdb_filtermask).  sen_type tells
               * which member of Sen is live.
               */
  105         u_int8_t        sen_len;                /* length */
  106         u_int8_t        sen_family;             /* PF_KEY */
  107         u_int16_t       sen_type;               /* see SENT_* */
  108         union {
  109                 struct {                                /* SENT_IP4 */
  110                         u_int8_t        Direction;      /* IPSP_DIRECTION_IN / IPSP_DIRECTION_OUT */
  111                         struct in_addr  Src;
  112                         struct in_addr  Dst;
  113                         u_int8_t        Proto;          /* transport protocol -- presumably an IP protocol number */
  114                         u_int16_t       Sport;          /* byte order of the ports is not fixed here -- confirm against users */
  115                         u_int16_t       Dport;
  116                 } Sip4;
  117 
  118                 struct {                                /* SENT_IP6 */
  119                         u_int8_t        Direction;      /* IPSP_DIRECTION_IN / IPSP_DIRECTION_OUT */
  120                         struct in6_addr Src;
  121                         struct in6_addr Dst;
  122                         u_int8_t        Proto;
  123                         u_int16_t       Sport;
  124                         u_int16_t       Dport;
  125                 } Sip6;
  126 
  127                 struct ipsec_policy     *PolicyHead;    /* SENT_IPSP: the payload is a policy pointer, not an address */
  128         } Sen;
  129 };
  130 
  131 #define IPSP_DIRECTION_IN       0x1     /* values of sen_direction / sen_ip6_direction */
  132 #define IPSP_DIRECTION_OUT      0x2
  133 
      /*
       * Field accessors for struct sockaddr_encap.  The sen_ip6_* set is
       * for sen_type == SENT_IP6, the plain sen_* set for SENT_IP4.
       */
  134 #define sen_data                Sen.Data        /* NOTE(review): struct sockaddr_encap has no Sen.Data member; this accessor is stale and cannot compile if used */
  135 #define sen_ip_src              Sen.Sip4.Src
  136 #define sen_ip_dst              Sen.Sip4.Dst
  137 #define sen_proto               Sen.Sip4.Proto
  138 #define sen_sport               Sen.Sip4.Sport
  139 #define sen_dport               Sen.Sip4.Dport
  140 #define sen_direction           Sen.Sip4.Direction
  141 #define sen_ip6_src             Sen.Sip6.Src
  142 #define sen_ip6_dst             Sen.Sip6.Dst
  143 #define sen_ip6_proto           Sen.Sip6.Proto
  144 #define sen_ip6_sport           Sen.Sip6.Sport
  145 #define sen_ip6_dport           Sen.Sip6.Dport
  146 #define sen_ip6_direction       Sen.Sip6.Direction
  147 #define sen_ipsp                Sen.PolicyHead  /* SENT_IPSP */
  148 
  149 /*
  150  * The "type" is really part of the address as far as the routing
  151  * system is concerned. By using only one bit in the type field
  152  * for each type, we sort-of make sure that different types of
  153  * encapsulation addresses won't be matched against the wrong type.
  154  *
  155  */
  156 
  157 #define SENT_IP4        0x0001          /* data is two struct in_addr (Sen.Sip4) */
  158 #define SENT_IPSP       0x0002          /* data as in IP4/6 plus SPI -- NOTE(review): the SENT_IPSP member of struct sockaddr_encap is Sen.PolicyHead, a struct ipsec_policy pointer */
  159 #define SENT_IP6        0x0004          /* data is two struct in6_addr (Sen.Sip6) */
  160 
  161 #define SENT_LEN        sizeof(struct sockaddr_encap)   /* full selector size; presumably what sen_len carries -- confirm */
  162 
  163 struct ipsec_ref {                      /* Refcounted identity / credential blob: this header is followed by ref_len bytes of data; released via ipsp_reffree() */
  164         u_int16_t       ref_type;       /* Subtype of data -- presumably one of the IPSP_IDENTITY_* / IPSP_CRED_* / IPSP_AUTH_* values below */
  165         int16_t         ref_len;        /* Length of data following */
              /* NOTE(review): ref_len is signed; code that copies or compares ref_len bytes should reject negative values -- confirm at the parsers */
  166         int             ref_count;      /* Reference count */
  167         int             ref_malloctype; /* malloc(9) type, for freeing */
  168 };
  169 
  170 struct ipsec_acquire {                  /* A pending SA request handed to key management (ipsp_acquire_sa(), ipsp_pending_acquire()) */
  171         union sockaddr_union            ipa_addr;       /* address the SA is wanted for -- presumably the remote gateway; confirm */
  172         u_int32_t                       ipa_seq;        /* request sequence number; likely what ipsec_get_acquire(u_int32_t) searches for */
  173         struct sockaddr_encap           ipa_info;       /* selector of the flow that triggered the request */
  174         struct sockaddr_encap           ipa_mask;
  175         struct timeout                  ipa_timeout;    /* expiry of the request; ipsp_delete_acquire(void *) has the timeout-handler shape -- confirm */
  176         struct ipsec_policy             *ipa_policy;    /* policy that raised this acquire */
  177         struct inpcb                    *ipa_pcb;       /* socket that triggered it, if any */
  178         TAILQ_ENTRY(ipsec_acquire)      ipa_ipo_next;   /* on ipa_policy->ipo_acquires */
  179         TAILQ_ENTRY(ipsec_acquire)      ipa_next;       /* on the global ipsec_acquire_head */
  180         TAILQ_ENTRY(ipsec_acquire)      ipa_inp_next;   /* on a per-inpcb list -- presumably; not visible in this header */
  181 };
  182 
  183 struct ipsec_policy {
              /*
               * One security-policy entry: traffic matching ipo_addr under
               * ipo_mask is treated according to ipo_type (IPSP_IPSEC_USE ...
               * IPSP_IPSEC_DONTACQ below), with ipo_src / ipo_dst naming the
               * SA endpoints.  Reference counted; see ipsec_delete_policy().
               */
  184         struct sockaddr_encap   ipo_addr;       /* flow selector */
  185         struct sockaddr_encap   ipo_mask;       /* mask applied to ipo_addr when matching */
  186 
  187         union sockaddr_union    ipo_src;        /* Local address to use */
  188         union sockaddr_union    ipo_dst;        /* Remote gateway -- if it's zeroed:
  189                                                  * - on output, we try to
  190                                                  * contact the remote host
  191                                                  * directly (if needed).
  192                                                  * - on input, we accept only if
  193                                                  * the inner source is the
  194                                                  * same as the outer source
  195                                                  * address, or if transport
  196                                                  * mode was used.
  197                                                  */
  198 
  199         u_int64_t               ipo_last_searched;      /* Timestamp of last lookup */
  200 
  201         u_int8_t                ipo_flags;      /* See IPSP_POLICY_* definitions */
  202         u_int8_t                ipo_type;       /* USE/ACQUIRE/... : IPSP_IPSEC_*, IPSP_PERMIT, IPSP_DENY below */
  203         u_int8_t                ipo_sproto;     /* ESP/AH; if zero, use system dflts */
  204 
  205         int                     ipo_ref_count;  /* holders: sockets, acquires, TDB lists -- presumably; confirm */
  206 
  207         struct tdb              *ipo_tdb;               /* Cached entry; while set, this policy is linked on ipo_tdb->tdb_policy_head via ipo_tdb_next */
  208 
  209         struct ipsec_ref        *ipo_srcid;     /* identity / credential requirements a matching SA must satisfy; likely the refs ipsp_aux_match() compares -- confirm */
  210         struct ipsec_ref        *ipo_dstid;
  211         struct ipsec_ref        *ipo_local_cred;
  212         struct ipsec_ref        *ipo_local_auth;
  213 
  214         TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires (ipa_ipo_next) */
  215         TAILQ_ENTRY(ipsec_policy)       ipo_tdb_next;   /* List TDB policies */
  216         TAILQ_ENTRY(ipsec_policy)       ipo_list;       /* List of all policies (ipsec_policy_head) */
  217 };
  218 
  219 #define IPSP_POLICY_NONE        0x0000  /* No flags set */
  220 #define IPSP_POLICY_SOCKET      0x0001  /* Socket-attached policy */
  221 #define IPSP_POLICY_STATIC      0x0002  /* Static policy */
  222 
  223 #define IPSP_IPSEC_USE          0       /* Use if existing, don't acquire */
  224 #define IPSP_IPSEC_ACQUIRE      1       /* Try acquire, let packet through */
  225 #define IPSP_IPSEC_REQUIRE      2       /* Require SA */
  226 #define IPSP_PERMIT             3       /* Permit traffic through */
  227 #define IPSP_DENY               4       /* Deny traffic */
  228 #define IPSP_IPSEC_DONTACQ      5       /* Require, but don't acquire */
  229 
  230 /* Notification types */
  231 #define NOTIFY_SOFT_EXPIRE      0       /* Soft expiration of SA */
  232 #define NOTIFY_HARD_EXPIRE      1       /* Hard expiration of SA */
  233 #define NOTIFY_REQUEST_SA       2       /* Establish an SA */
  234 
  235 #define NOTIFY_SATYPE_CONF      1       /* SA should do encryption */
  236 #define NOTIFY_SATYPE_AUTH      2       /* SA should do authentication */
  237 #define NOTIFY_SATYPE_TUNNEL    4       /* SA should use tunneling */
  238 #define NOTIFY_SATYPE_COMP      5       /* SA (IPCA) should use compression */
  239 
  240 /* Authentication types */
  241 #define IPSP_AUTH_NONE          0
  242 #define IPSP_AUTH_PASSPHRASE    1
  243 #define IPSP_AUTH_RSA           2
  244 
  245 /* Credential types */
  246 #define IPSP_CRED_NONE          0
  247 #define IPSP_CRED_KEYNOTE       1
  248 #define IPSP_CRED_X509          2
  249 
  250 /* Identity types */
  251 #define IPSP_IDENTITY_NONE              0
  252 #define IPSP_IDENTITY_PREFIX            1
  253 #define IPSP_IDENTITY_FQDN              2
  254 #define IPSP_IDENTITY_USERFQDN          3
  255 #define IPSP_IDENTITY_CONNECTION        4
  256 
  257 /*
  258  * For encapsulation routes are possible not only for the destination
  259  * address but also for the protocol, source and destination ports
  260  * if available
  261  */
  262 
  263 struct route_enc {                      /* Route lookup result for an encapsulation address */
  264         struct rtentry          *re_rt;         /* resolved route entry */
  265         struct sockaddr_encap   re_dst;         /* the selector used as the routing key */
  266 };
  267 
  268 struct tdb {                            /* tunnel descriptor block */
              /*
               * One TDB describes one security association (SA): the transform
               * and algorithms applied to traffic, the raw keys, lifetime
               * counters and anti-replay state.  A TDB is identified by the
               * (tdb_spi, tdb_dst, tdb_sproto) triple -- see gettdb() and
               * struct tdb_ident.  List manipulation is expected under spltdb().
               */
  269         /*
  270          * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
  271          * one keyed on dst/sproto, and one keyed on src/sproto. The first
  272          * is used for finding a specific TDB, the second for finding TDBs
  273          * for outgoing policy matching, and the third for incoming
  274          * policy matching. The following three fields maintain the hash
  275          * queues in those three tables.
  276          */
  277         struct tdb      *tdb_hnext;     /* dst/spi/sproto table */
  278         struct tdb      *tdb_anext;     /* dst/sproto table */
  279         struct tdb      *tdb_snext;     /* src/sproto table */
  280         struct tdb      *tdb_inext;     /* chain links -- presumably SA bundles for input/output; */
  281         struct tdb      *tdb_onext;     /* SPI_CHAIN_ATTRIB() walks whichever is passed as TDB_DIR */
  282 
  283         struct xformsw          *tdb_xform;             /* Transform to use; a NULL here ends a chain walk */
  284         struct enc_xform        *tdb_encalgxform;       /* Enc algorithm; NULL means no confidentiality (TDB_ATTRIB) */
  285         struct auth_hash        *tdb_authalgxform;      /* Auth algorithm; NULL means no integrity protection (TDB_ATTRIB) */
  286         struct comp_algo        *tdb_compalgxform;      /* Compression algo */
  287 
      /* tdb_flags bits.  Defined inside the struct for readability, but preprocessor macros are file-scope. */
  288 #define TDBF_UNIQUE             0x00001 /* This should not be used by others */
  289 #define TDBF_TIMER              0x00002 /* Absolute expiration timer in use */
  290 #define TDBF_BYTES              0x00004 /* Check the byte counters */
  291 #define TDBF_ALLOCATIONS        0x00008 /* Check the flows counters */
  292 #define TDBF_INVALID            0x00010 /* This SPI is not valid yet/anymore; SPI_CHAIN_ATTRIB() stops at such a TDB */
  293 #define TDBF_FIRSTUSE           0x00020 /* Expire after first use */
  294 #define TDBF_HALFIV             0x00040 /* Use half-length IV (ESP old only); see tdb_iv */
  295 #define TDBF_SOFT_TIMER         0x00080 /* Soft expiration */
  296 #define TDBF_SOFT_BYTES         0x00100 /* Soft expiration */
  297 #define TDBF_SOFT_ALLOCATIONS   0x00200 /* Soft expiration */
  298 #define TDBF_SOFT_FIRSTUSE      0x00400 /* Soft expiration */
  299 #define TDBF_PFS                0x00800 /* Ask for PFS from Key Mgmt. */
  300 #define TDBF_TUNNELING          0x01000 /* Force IP-IP encapsulation */
  301 #define TDBF_NOREPLAY           0x02000 /* No replay counter present: anti-replay checking cannot be applied to this SA */
  302 #define TDBF_RANDOMPADDING      0x04000 /* Random data in the ESP padding */
  303 #define TDBF_SKIPCRYPTO         0x08000 /* Skip actual crypto processing; presumably toggled by ipsp_skipcrypto_mark()/unmark(), see tdb_last_marked */
  304 #define TDBF_USEDTUNNEL         0x10000 /* Appended a tunnel header in past */
  305 #define TDBF_UDPENCAP           0x20000 /* UDP encapsulation; peer port in tdb_udpencap_port */
  306 
  307         u_int32_t       tdb_flags;      /* Flags related to this TDB (TDBF_*) */
  308 
              /* Expiry timers -- presumably one each for TDBF_TIMER, TDBF_FIRSTUSE, TDBF_SOFT_TIMER, TDBF_SOFT_FIRSTUSE; confirm */
  309         struct timeout  tdb_timer_tmo;
  310         struct timeout  tdb_first_tmo;
  311         struct timeout  tdb_stimer_tmo;
  312         struct timeout  tdb_sfirst_tmo;
  313 
  314         u_int32_t       tdb_seq;                /* Tracking number for PFKEY */
  315         u_int32_t       tdb_exp_allocations;    /* Expire after so many flows */
  316         u_int32_t       tdb_soft_allocations;   /* Expiration warning */
  317         u_int32_t       tdb_cur_allocations;    /* Total number of allocs */
  318 
  319         u_int64_t       tdb_exp_bytes;  /* Expire after so many bytes passed */
  320         u_int64_t       tdb_soft_bytes; /* Expiration warning */
  321         u_int64_t       tdb_cur_bytes;  /* Current count of bytes */
  322 
  323         u_int64_t       tdb_exp_timeout;        /* When does the SPI expire */
  324         u_int64_t       tdb_soft_timeout;       /* Send soft-expire warning */
  325         u_int64_t       tdb_established;        /* When was SPI established */
  326 
  327         u_int64_t       tdb_first_use;          /* When was it first used */
  328         u_int64_t       tdb_soft_first_use;     /* Soft warning */
  329         u_int64_t       tdb_exp_first_use;      /* Expire if tdb_first_use +
  330                                                  * tdb_exp_first_use <= curtime
  331                                                  */
  332 
  333         u_int64_t       tdb_last_used;  /* When was this SA last used */
  334         u_int64_t       tdb_last_marked;/* Last SKIPCRYPTO status change */
  335 
  336         u_int64_t       tdb_cryptoid;   /* Crypto session ID */
  337 
  338         u_int32_t       tdb_spi;        /* SPI */
  339         u_int16_t       tdb_amxkeylen;  /* Raw authentication key length */
  340         u_int16_t       tdb_emxkeylen;  /* Raw encryption key length */
  341         u_int16_t       tdb_ivlen;      /* IV length */
  342         u_int8_t        tdb_sproto;     /* IPsec protocol */
  343         u_int8_t        tdb_wnd;        /* Replay window size; cannot usefully exceed the 32 bits of tdb_bitmap -- confirm */
  344         u_int8_t        tdb_satype;     /* SA type (RFC2367, PF_KEY) */
  345 
  346         union sockaddr_union    tdb_dst;        /* Destination address */
  347         union sockaddr_union    tdb_src;        /* Source address */
  348         union sockaddr_union    tdb_proxy;
  349 
              /*
               * Secret key material.  These buffers must be wiped, not merely
               * freed, when the SA is torn down; xf_zeroize / tdb_free are the
               * expected places -- confirm per transform.
               */
  350         u_int8_t        *tdb_amxkey;    /* Raw authentication key (tdb_amxkeylen bytes) */
  351         u_int8_t        *tdb_emxkey;    /* Raw encryption key (tdb_emxkeylen bytes) */
  352 
  353         u_int32_t       tdb_rpl;        /* Replay counter */
  354         u_int32_t       tdb_bitmap;     /* Used for replay sliding window; 32 bits, so at most 32 packets of reordering are tolerated (checkreplaywindow32()) */
  355 
  356         u_int8_t        tdb_iv[4];      /* Used for HALF-IV ESP (TDBF_HALFIV) */
  357 
  358         struct ipsec_ref        *tdb_local_cred;
  359         struct ipsec_ref        *tdb_remote_cred;
  360         struct ipsec_ref        *tdb_srcid;     /* Source ID for this SA */
  361         struct ipsec_ref        *tdb_dstid;     /* Destination ID for this SA */
  362         struct ipsec_ref        *tdb_local_auth;/* Local authentication material */
  363         struct ipsec_ref        *tdb_remote_auth;/* Remote authentication material */
  364 
  365         u_int32_t       tdb_mtu;        /* MTU at this point in the chain */
  366         u_int64_t       tdb_mtutimeout; /* When to ignore this entry */
  367 
  368         u_int16_t       tdb_udpencap_port;      /* Peer UDP port (TDBF_UDPENCAP) */
  369 
  370         u_int16_t       tdb_tag;                /* Packet filter tag */
  371 
  372         struct sockaddr_encap   tdb_filter; /* What traffic is acceptable: flow selector this SA may carry */
  373         struct sockaddr_encap   tdb_filtermask; /* And the mask */
  374 
  375         TAILQ_HEAD(tdb_inp_head_in, inpcb)      tdb_inp_in;     /* sockets attached to this SA (tdb_add_inp()); in/out split presumably by its int argument -- confirm */
  376         TAILQ_HEAD(tdb_inp_head_out, inpcb)     tdb_inp_out;
  377         TAILQ_HEAD(tdb_policy_head, ipsec_policy)       tdb_policy_head; /* policies whose ipo_tdb caches this SA, linked via ipo_tdb_next */
  378 };
  379 
  380 struct tdb_ident {                      /* Stand-alone TDB identity: the gettdb() triple; used by ipsp_skipcrypto_mark()/unmark() instead of a raw pointer */
  381         u_int32_t spi;
  382         union sockaddr_union dst;
  383         u_int8_t proto;
  384 };
  385 
  386 struct tdb_crypto {                     /* Per-packet context carried through an asynchronous crypto request into the *_input_cb / *_output_cb callbacks -- presumably; confirm */
  387         u_int32_t               tc_spi;         /* TDB identity (same triple as struct tdb_ident) so the callback can look the TDB up again */
  388         union sockaddr_union    tc_dst;
  389         u_int8_t                tc_proto;
  390         int                     tc_protoff;     /* offset of the protocol field -- inferred from the name; confirm */
  391         int                     tc_skip;        /* bytes to skip before the IPsec header -- inferred from the name; confirm */
  392         caddr_t                 tc_ptr;         /* transform-private data */
  393 };
  394 
  395 struct ipsecinit {                      /* Key material and algorithm choice handed to tdb_init() / a transform's xf_init() */
  396         u_int8_t        *ii_enckey;     /* raw encryption key (length: ii_enckeylen) */
  397         u_int8_t        *ii_authkey;    /* raw authentication key (length: ii_authkeylen) */
  398         u_int16_t       ii_enckeylen;
  399         u_int16_t       ii_authkeylen;
  400         u_int8_t        ii_encalg;      /* algorithm identifiers; their numbering is not defined in this header */
  401         u_int8_t        ii_authalg;
  402         u_int8_t        ii_compalg;
  403 };
  404 
  405 /* xform IDs (struct xformsw xf_type) */
  406 #define XF_IP4          1       /* IP inside IP */
  407 #define XF_AH           2       /* AH */
  408 #define XF_ESP          3       /* ESP */
      /* 4 is unassigned here; the XF_ETHERIP prototypes below suggest it may once have been -- confirm before reusing */
  409 #define XF_TCPSIGNATURE 5       /* TCP MD5 Signature option, RFC 2385 (the earlier "RFC 2358" reference looks like a typo) */
  410 #define XF_IPCOMP       6       /* IPCOMP */
  411 
  412 /* xform attributes (struct xformsw xf_flags) */
  413 #define XFT_AUTH        0x0001  /* provides authentication */
  414 #define XFT_CONF        0x0100  /* provides confidentiality */
  415 #define XFT_COMP        0x1000  /* provides compression */
  416 
  417 #define IPSEC_ZEROES_SIZE       256     /* Larger than an IP6 extension hdr. */
  418 
  419 #ifdef _KERNEL
  420 
  421 struct xformsw {                        /* Transform switch entry; the xformsw[] table below holds one per XF_* id */
  422         u_short xf_type;                /* Unique ID of xform (XF_*) */
  423         u_short xf_flags;               /* flags -- presumably the XFT_* attributes above */
  424         char    *xf_name;               /* human-readable name */
  425         int     (*xf_attach)(void);     /* called at config time */
  426         int     (*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *); /* set the tdb up from key material */
  427         int     (*xf_zeroize)(struct tdb *); /* termination; the natural place for wiping tdb_amxkey/tdb_emxkey -- confirm per transform */
  428         int     (*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */
  429         int     (*xf_output)(struct mbuf *, struct tdb *, struct mbuf **,
  430             int, int);        /* output */
  431 };
  432 
  433 /*
  434  * Protects all tdb lists.
  435  * Must at least be splsoftnet (note: do not use splsoftclock as it is
  436  * special on some architectures, assuming it is always an spl lowering
  437  * operation).
  438  */
  439 #define spltdb  splsoftnet
  440 
  441 extern int encdebug;
  442 extern int ipsec_acl;
  443 extern int ipsec_keep_invalid;
  444 extern int ipsec_in_use;
  445 extern u_int64_t ipsec_last_added;
  446 extern int ipsec_require_pfs;
  447 extern int ipsec_expire_acquire;
  448 
  449 extern int ipsec_policy_pool_initialized;
  450 
  451 extern int ipsec_soft_allocations;
  452 extern int ipsec_exp_allocations;
  453 extern int ipsec_soft_bytes;
  454 extern int ipsec_exp_bytes;
  455 extern int ipsec_soft_timeout;
  456 extern int ipsec_exp_timeout;
  457 extern int ipsec_soft_first_use;
  458 extern int ipsec_exp_first_use;
  459 extern char ipsec_def_enc[];
  460 extern char ipsec_def_auth[];
  461 extern char ipsec_def_comp[];
  462 
  463 extern struct enc_xform enc_xform_des;
  464 extern struct enc_xform enc_xform_3des;
  465 extern struct enc_xform enc_xform_blf;
  466 extern struct enc_xform enc_xform_cast5;
  467 extern struct enc_xform enc_xform_skipjack;
  468 
  469 extern struct auth_hash auth_hash_hmac_md5_96;
  470 extern struct auth_hash auth_hash_hmac_sha1_96;
  471 extern struct auth_hash auth_hash_hmac_ripemd_160_96;
  472 
  473 extern struct comp_algo comp_algo_deflate;
  474 
  475 extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;
  476 extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head;
  477 
  478 extern struct xformsw xformsw[], *xformswNXFORMSW;
  479 
  480 /*
       * Check if a given tdb has encryption, authentication and/or compression.
       * Yields NOTIFY_SATYPE_* bits; it never reports NOTIFY_SATYPE_TUNNEL.
       * NOTE(review): NOTIFY_SATYPE_COMP is 5, not a single bit, so OR-ing it
       * in also sets NOTIFY_SATYPE_CONF (1) and NOTIFY_SATYPE_TUNNEL (4);
       * consumers testing individual bits of the result should be aware.
       */
  481 #define TDB_ATTRIB(x) (((x)->tdb_encalgxform ? NOTIFY_SATYPE_CONF : 0) | \
  482                        ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0) | \
  483                        ((x)->tdb_compalgxform ? NOTIFY_SATYPE_COMP : 0))
  484 
  485 /* Traverse spi chain and get attributes */
      /*
       * SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP): sets `have' to the OR of
       * TDB_ATTRIB() over TDBP and every TDB reached by following the member
       * named by TDB_DIR (tdb_inext or tdb_onext).  The walk ends at a NULL
       * link, at a TDB with no tdb_xform, or at the first TDB flagged
       * TDBF_INVALID (which is not counted).  Runs at spltdb().
       * Review notes: the `tmptdb == NULL' test inside the loop is unreachable
       * because the while condition already rejects NULL; and the do-block
       * declares `s' and `tmptdb', so those names in the caller's `have' or
       * TDBP expressions would be shadowed.
       */
  487 #define SPI_CHAIN_ATTRIB(have, TDB_DIR, TDBP) do {\
  488         int s = spltdb(); \
  489         struct tdb *tmptdb = (TDBP); \
  490         \
  491         (have) = 0; \
  492         while (tmptdb && tmptdb->tdb_xform) { \
  493                 if (tmptdb == NULL || tmptdb->tdb_flags & TDBF_INVALID) \
  494                         break; \
  495                 (have) |= TDB_ATTRIB(tmptdb); \
  496                 tmptdb = tmptdb->TDB_DIR; \
  497         } \
  498         splx(s); \
  499 } while (0)
  500 
  501 /* Misc. */
  502 extern char *inet_ntoa4(struct in_addr);
  503 extern char *ipsp_address(union sockaddr_union);
  504 
  505 /* TDB management routines */
  506 extern void tdb_add_inp(struct tdb *, struct inpcb *, int);
  507 extern u_int32_t reserve_spi(u_int32_t, u_int32_t, union sockaddr_union *,
  508     union sockaddr_union *, u_int8_t, int *);
  509 extern struct tdb *gettdb(u_int32_t, union sockaddr_union *, u_int8_t);
  510 extern struct tdb *gettdbbyaddr(union sockaddr_union *, u_int8_t,
  511     struct ipsec_ref *, struct ipsec_ref *, struct ipsec_ref *,
  512     struct mbuf *, int, struct sockaddr_encap *, struct sockaddr_encap *);
  513 extern struct tdb *gettdbbysrc(union sockaddr_union *, u_int8_t,
  514     struct ipsec_ref *, struct ipsec_ref *, struct mbuf *, int,
  515     struct sockaddr_encap *, struct sockaddr_encap *);
  516 extern struct tdb *gettdbbysrcdst(u_int32_t, union sockaddr_union *,
  517     union sockaddr_union *, u_int8_t);
  518 extern void puttdb(struct tdb *);
  519 extern void tdb_delete(struct tdb *);
  520 extern struct tdb *tdb_alloc(void);
  521 extern void tdb_free(struct tdb *);
  522 extern int tdb_hash(u_int32_t, union sockaddr_union *, u_int8_t);
  523 extern int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
  524 extern int tdb_walk(int (*)(struct tdb *, void *, int), void *);
  525 
  526 /* XF_IP4 */
  527 extern int ipe4_attach(void);
  528 extern int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
  529 extern int ipe4_zeroize(struct tdb *);
  530 extern int ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
  531 extern void ipe4_input(struct mbuf *, ...);
  532 extern void ipip_input(struct mbuf *, int, struct ifnet *);
  533 
  534 #ifdef INET
  535 extern void ip4_input(struct mbuf *, ...);
  536 #endif /* INET */
  537 
  538 #ifdef INET6
  539 extern int ip4_input6(struct mbuf **, int *, int);
  540 #endif /* INET6 */
  541 
  542 /* XF_ETHERIP */
  543 extern int etherip_output(struct mbuf *, struct tdb *, struct mbuf **,
  544     int, int);
  545 extern void etherip_input(struct mbuf *, ...);
  546 
  547 /* XF_AH */
  548 extern int ah_attach(void);
  549 extern int ah_init(struct tdb *, struct xformsw *, struct ipsecinit *);
  550 extern int ah_zeroize(struct tdb *);
  551 extern int ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
  552 extern int ah_output_cb(void *);
  553 extern int ah_input(struct mbuf *, struct tdb *, int, int);
  554 extern int ah_input_cb(void *);
  555 extern int ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);
  556 extern int ah_massage_headers(struct mbuf **, int, int, int, int);
  557 
  558 #ifdef INET
  559 extern void ah4_input(struct mbuf *, ...);
  560 extern int ah4_input_cb(struct mbuf *, ...);
  561 extern void *ah4_ctlinput(int, struct sockaddr *, void *);
  562 extern void *udpencap_ctlinput(int, struct sockaddr *, void *);
  563 #endif /* INET */
  564 
  565 #ifdef INET6
  566 extern int ah6_input(struct mbuf **, int *, int);
  567 extern int ah6_input_cb(struct mbuf *, int, int);
  568 #endif /* INET6 */
  569 
  570 /* XF_ESP */
  571 extern int esp_attach(void);
  572 extern int esp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
  573 extern int esp_zeroize(struct tdb *);
  574 extern int esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
  575 extern int esp_output_cb(void *);
  576 extern int esp_input(struct mbuf *, struct tdb *, int, int);
  577 extern int esp_input_cb(void *);
  578 extern int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
  579 
  580 #ifdef INET
  581 extern void esp4_input(struct mbuf *, ...);
  582 extern int esp4_input_cb(struct mbuf *, ...);
  583 extern void *esp4_ctlinput(int, struct sockaddr *, void *);
  584 #endif /* INET */
  585 
  586 #ifdef INET6
  587 extern int esp6_input(struct mbuf **, int *, int);
  588 extern int esp6_input_cb(struct mbuf *, int, int);
  589 #endif /* INET6 */
  590 
  591 /* XF_IPCOMP */
  592 extern int ipcomp_attach(void);
  593 extern int ipcomp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
  594 extern int ipcomp_zeroize(struct tdb *);
  595 extern int ipcomp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
  596 extern int ipcomp_output_cb(void *);
  597 extern int ipcomp_input(struct mbuf *, struct tdb *, int, int);
  598 extern int ipcomp_input_cb(void *);
  599 extern int ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
  600 
  601 #ifdef INET
  602 extern void ipcomp4_input(struct mbuf *, ...);
  603 extern int ipcomp4_input_cb(struct mbuf *, ...);
  604 #endif /* INET */
  605 
  606 #ifdef INET6
  607 extern int ipcomp6_input(struct mbuf **, int *, int);
  608 extern int ipcomp6_input_cb(struct mbuf *, int, int);
  609 #endif /* INET6 */
  610 
  611 /* XF_TCPSIGNATURE */
  612 extern int tcp_signature_tdb_attach(void);
  613 extern int tcp_signature_tdb_init(struct tdb *, struct xformsw *,
  614     struct ipsecinit *);
  615 extern int tcp_signature_tdb_zeroize(struct tdb *);
  616 extern int tcp_signature_tdb_input(struct mbuf *, struct tdb *, int,
  617     int);
  618 extern int tcp_signature_tdb_output(struct mbuf *, struct tdb *,
  619     struct mbuf **, int, int);
  620 
  621 /* Padding */
  622 extern caddr_t m_pad(struct mbuf *, int);
  623 
  624 /* Replay window */
  625 extern int checkreplaywindow32(u_int32_t, u_int32_t, u_int32_t *, u_int32_t,
  626     u_int32_t *, int);
  627 
  628 extern unsigned char ipseczeroes[];
  629 
  630 /* Packet processing */
  631 extern int ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
  632 extern int ipsp_process_done(struct mbuf *, struct tdb *);
  633 extern struct tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int,
  634     struct tdb *, struct inpcb *);
  635 extern struct tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int,
  636     struct tdb *, struct inpcb *, struct ipsec_policy *);
  637 extern int ipsec_common_input(struct mbuf *, int, int, int, int, int);
  638 extern int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int,
  639     struct m_tag *);
  640 extern int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *,
  641     union sockaddr_union *, struct sockaddr_encap *, struct mbuf *);
  642 extern struct ipsec_policy *ipsec_add_policy(struct inpcb *, int, int);
  643 extern void ipsec_update_policy(struct inpcb *, struct ipsec_policy *,
  644     int, int);
  645 extern int ipsec_delete_policy(struct ipsec_policy *);
  646 extern struct ipsec_acquire *ipsp_pending_acquire(struct ipsec_policy *,
  647     union sockaddr_union *);
  648 extern void ipsp_delete_acquire(void *);
  649 extern int ipsp_is_unspecified(union sockaddr_union);
  650 extern void ipsp_reffree(struct ipsec_ref *);
  651 extern void ipsp_skipcrypto_unmark(struct tdb_ident *);
  652 extern void ipsp_skipcrypto_mark(struct tdb_ident *);
  653 extern struct m_tag *ipsp_parse_headers(struct mbuf *, int, u_int8_t);
  654 extern int ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *);
  655 extern ssize_t ipsec_hdrsz(struct tdb *);
  656 extern void ipsec_adjust_mtu(struct mbuf *, u_int32_t);
  657 extern int ipsp_print_tdb(struct tdb *, char *, size_t);
  658 extern struct ipsec_acquire *ipsec_get_acquire(u_int32_t);
  659 extern int ipsp_aux_match(struct tdb *,
  660     struct ipsec_ref *, struct ipsec_ref *,
  661     struct ipsec_ref *, struct ipsec_ref *,
  662     struct sockaddr_encap *, struct sockaddr_encap *);
  663 #endif /* _KERNEL */
  664 #endif /* _NETINET_IPSP_H_ */
