1 : /* $OpenBSD: ip_ipsp.h,v 1.193 2018/08/28 15:15:02 mpi Exp $ */
2 : /*
3 : * The authors of this code are John Ioannidis (ji@tla.org),
4 : * Angelos D. Keromytis (kermit@csd.uch.gr),
5 : * Niels Provos (provos@physnet.uni-hamburg.de) and
6 : * Niklas Hallqvist (niklas@appli.se).
7 : *
8 : * The original version of this code was written by John Ioannidis
9 : * for BSD/OS in Athens, Greece, in November 1995.
10 : *
11 : * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 : * by Angelos D. Keromytis.
13 : *
14 : * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15 : * and Niels Provos.
16 : *
17 : * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
18 : *
19 : * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20 : * Angelos D. Keromytis and Niels Provos.
21 : * Copyright (c) 1999 Niklas Hallqvist.
22 : * Copyright (c) 2001, Angelos D. Keromytis.
23 : *
24 : * Permission to use, copy, and modify this software with or without fee
25 : * is hereby granted, provided that this entire notice is included in
26 : * all copies of any software which is or includes a copy or
27 : * modification of this software.
28 : * You may use this code under the GNU public license if you so wish. Please
29 : * contribute changes back to the authors under this freer than GPL license
30 : * so that we may further the use of strong encryption without limitations to
31 : * all.
32 : *
33 : * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34 : * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35 : * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36 : * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37 : * PURPOSE.
38 : */
39 :
40 : #ifndef _NETINET_IPSP_H_
41 : #define _NETINET_IPSP_H_
42 :
43 : /* IPSP global definitions. */
44 :
45 : #include <sys/types.h>
46 : #include <netinet/in.h>
47 :
/*
 * Address container used throughout IPsec: one piece of storage viewed
 * as a generic sockaddr, an IPv4 or an IPv6 socket address.  The union
 * itself carries no tag saying which view is valid, so consumers have
 * to key on sa.sa_family before touching sin/sin6.
 */
union sockaddr_union {
	struct sockaddr sa;		/* generic view (family, and sa_len on BSD) */
	struct sockaddr_in sin;		/* AF_INET view */
	struct sockaddr_in6 sin6;	/* AF_INET6 view */
};
53 :
/* AH (Authentication Header) sizing constants. */
#define AH_HMAC_MAX_HASHLEN 32 /* 256 bits of authenticator for SHA512 */
#define AH_HMAC_RPLENGTH 4 /* 32 bits of replay counter */
#define AH_HMAC_INITIAL_RPL 1 /* Replay counter initial value */

/* Authenticator lengths (full digest size in bytes, per algorithm) */
#define AH_MD5_ALEN 16
#define AH_SHA1_ALEN 20
#define AH_RMD160_ALEN 20
#define AH_SHA2_256_ALEN 32
#define AH_SHA2_384_ALEN 48
#define AH_SHA2_512_ALEN 64
/* Keep updated: must stay >= the largest AH_*_ALEN above (SHA2-512 = 64). */
#define AH_ALEN_MAX 64 /* Keep updated */
66 :
/*
 * Reserved SPI numbers.  SPI 0 is for local, implementation-specific use
 * and 1..255 are reserved by IANA (RFC 4302/4303); neither range may be
 * handed out for a negotiated SA.
 */
#define SPI_LOCAL_USE 0
#define SPI_RESERVED_MIN 1
#define SPI_RESERVED_MAX 255

/*
 * Reserved CPI numbers (IPComp, RFC 3173): low values are well-known /
 * reserved, 61440..65535 are the negotiated (private) range.
 */
#define CPI_RESERVED_MIN 1
#define CPI_RESERVED_MAX 255
#define CPI_PRIVATE_MIN 61440
#define CPI_PRIVATE_MAX 65535
77 :
/*
 * sysctl default values.  These seed the ipsec_* tunables declared
 * further down (e.g. ipsec_keep_invalid, ipsec_soft_timeout); the
 * *_SOFT_* values are the renegotiation warnings, the *_EXP_* values
 * the hard limits, and 0 means "no limit" for the allocation/byte pairs.
 */
#define IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT 60 /* 1 minute */
#define IPSEC_DEFAULT_PFS 1
#define IPSEC_DEFAULT_SOFT_ALLOCATIONS 0
#define IPSEC_DEFAULT_EXP_ALLOCATIONS 0
#define IPSEC_DEFAULT_SOFT_BYTES 0
#define IPSEC_DEFAULT_EXP_BYTES 0
#define IPSEC_DEFAULT_SOFT_TIMEOUT 80000 /* seconds; soft warning before the hard timeout */
#define IPSEC_DEFAULT_EXP_TIMEOUT 86400 /* seconds; one day */
#define IPSEC_DEFAULT_SOFT_FIRST_USE 3600
#define IPSEC_DEFAULT_EXP_FIRST_USE 7200
/* Default algorithm names; runtime copies live in ipsec_def_enc/auth/comp[]. */
#define IPSEC_DEFAULT_DEF_ENC "aes"
#define IPSEC_DEFAULT_DEF_AUTH "hmac-sha1"
#define IPSEC_DEFAULT_EXPIRE_ACQUIRE 30
#define IPSEC_DEFAULT_DEF_COMP "deflate"
93 :
/*
 * Flow selector in sockaddr clothing, so that IPsec policies can live in
 * a radix tree alongside ordinary routes.  sen_type (SENT_*) selects
 * which member of Sen is meaningful; the sen_* accessor macros below
 * (kernel only) address the members by name.
 */
struct sockaddr_encap {
	u_int8_t sen_len; /* length */
	u_int8_t sen_family; /* PF_KEY */
	u_int16_t sen_type; /* see SENT_* */
	union {
		struct { /* SENT_IP4 */
			u_int8_t Direction; /* IPSP_DIRECTION_IN / _OUT */
			struct in_addr Src;
			struct in_addr Dst;
			u_int8_t Proto;
			u_int16_t Sport;
			u_int16_t Dport;
		} Sip4;

		struct { /* SENT_IP6 */
			u_int8_t Direction; /* IPSP_DIRECTION_IN / _OUT */
			struct in6_addr Src;
			struct in6_addr Dst;
			u_int8_t Proto;
			u_int16_t Sport;
			u_int16_t Dport;
		} Sip6;

		/* Overlays the selector fields; only valid when sen_type == SENT_IPSP. */
		struct ipsec_policy *PolicyHead; /* SENT_IPSP */
	} Sen;
};
120 :
/* Values for the Direction selector in struct sockaddr_encap (one bit each). */
#define IPSP_DIRECTION_IN 0x1
#define IPSP_DIRECTION_OUT 0x2
123 :
/*
 * Global IPsec statistics as exported to userland (IPSEC_STATS sysctl).
 * Member order must stay in step with enum ipsec_counters (kernel
 * section below), which lists the same names in the same order.
 */
struct ipsecstat {
	uint64_t ipsec_tunnels; /* Number of active tunnels */
	uint64_t ipsec_prevtunnels; /* Past number of tunnels */
	uint64_t ipsec_ipackets; /* Input IPsec packets */
	uint64_t ipsec_opackets; /* Output IPsec packets */
	uint64_t ipsec_ibytes; /* Input bytes */
	uint64_t ipsec_obytes; /* Output bytes */
	uint64_t ipsec_idecompbytes; /* Input bytes, decompressed */
	uint64_t ipsec_ouncompbytes; /* Output bytes, uncompressed */
	uint64_t ipsec_idrops; /* Dropped on input */
	uint64_t ipsec_odrops; /* Dropped on output */
	uint64_t ipsec_crypto; /* Crypto processing failure */
	/*
	 * NOTE(review): the two comments below do not obviously match the
	 * member names (notdb = "no TDB", noxform = "no transform"?); confirm
	 * against the code that increments them before relying on either.
	 */
	uint64_t ipsec_notdb; /* Expired while in crypto */
	uint64_t ipsec_noxform; /* Crypto error */
};
139 :
/*
 * Per-SA traffic counters, embedded in struct tdb as tdb_data and
 * reachable through the tdb_ipackets/... aliases defined after it.
 */
struct tdb_data {
	uint64_t tdd_ipackets; /* Input IPsec packets */
	uint64_t tdd_opackets; /* Output IPsec packets */
	uint64_t tdd_ibytes; /* Input bytes */
	uint64_t tdd_obytes; /* Output bytes */
	uint64_t tdd_idrops; /* Dropped on input */
	uint64_t tdd_odrops; /* Dropped on output */
	uint64_t tdd_idecompbytes; /* Input bytes, decompressed */
	uint64_t tdd_ouncompbytes; /* Output bytes, uncompressed */
};
150 :
151 : #ifdef _KERNEL
152 :
153 : #include <sys/timeout.h>
154 : #include <sys/tree.h>
155 : #include <sys/queue.h>
156 : #include <net/radix.h>
157 : #include <sys/percpu.h>
158 :
/*
 * Indices into the per-CPU ipseccounters array.  The names and their
 * order mirror the members of struct ipsecstat exactly; adding a
 * counter means adding it to both, at the same position.
 */
enum ipsec_counters {
	ipsec_tunnels,
	ipsec_prevtunnels,
	ipsec_ipackets,
	ipsec_opackets,
	ipsec_ibytes,
	ipsec_obytes,
	ipsec_idecompbytes,
	ipsec_ouncompbytes,
	ipsec_idrops,
	ipsec_odrops,
	ipsec_crypto,
	ipsec_notdb,
	ipsec_noxform,
	ipsec_ncounters		/* sentinel: number of counters, not a counter itself */
};
175 :
/* Per-CPU counter storage indexed by enum ipsec_counters (see ipsecstat_*). */
extern struct cpumem *ipseccounters;
177 :
/*
 * Increment the per-CPU IPsec counter selected by c by one.
 *
 * @param c  index into ipseccounters (enum ipsec_counters).
 */
static inline void
ipsecstat_inc(enum ipsec_counters c)
{
	struct cpumem *cm = ipseccounters;

	counters_inc(cm, c);
}
183 :
/*
 * Decrement the per-CPU IPsec counter selected by c by one.
 *
 * @param c  index into ipseccounters (enum ipsec_counters).
 */
static inline void
ipsecstat_dec(enum ipsec_counters c)
{
	struct cpumem *cm = ipseccounters;

	counters_dec(cm, c);
}
189 :
/*
 * Add v to the per-CPU IPsec counter selected by c.
 *
 * @param c  index into ipseccounters (enum ipsec_counters).
 * @param v  amount to add (e.g. a byte count).
 */
static inline void
ipsecstat_add(enum ipsec_counters c, uint64_t v)
{
	struct cpumem *cm = ipseccounters;
	uint64_t delta = v;

	counters_add(cm, c, delta);
}
195 :
196 : struct m_tag;
197 :
/*
 * Accessors into struct sockaddr_encap's Sen union.
 *
 * XXX sen_data is stale: the Sen union (see struct sockaddr_encap above)
 * has members Sip4, Sip6 and PolicyHead but no Data, so any use of this
 * macro fails to compile.  Kept only so nothing that greps for it breaks.
 */
#define sen_data Sen.Data
/* SENT_IP4 selector fields */
#define sen_ip_src Sen.Sip4.Src
#define sen_ip_dst Sen.Sip4.Dst
#define sen_proto Sen.Sip4.Proto
#define sen_sport Sen.Sip4.Sport
#define sen_dport Sen.Sip4.Dport
#define sen_direction Sen.Sip4.Direction
/* SENT_IP6 selector fields */
#define sen_ip6_src Sen.Sip6.Src
#define sen_ip6_dst Sen.Sip6.Dst
#define sen_ip6_proto Sen.Sip6.Proto
#define sen_ip6_sport Sen.Sip6.Sport
#define sen_ip6_dport Sen.Sip6.Dport
#define sen_ip6_direction Sen.Sip6.Direction
/* SENT_IPSP: the policy pointer that overlays the selector fields */
#define sen_ipsp Sen.PolicyHead
212 :
213 : /*
214 : * The "type" is really part of the address as far as the routing
215 : * system is concerned. By using only one bit in the type field
216 : * for each type, we sort-of make sure that different types of
217 : * encapsulation addresses won't be matched against the wrong type.
218 : *
219 : */
220 :
/* sen_type values; one bit per type so different kinds never mask-match. */
#define SENT_IP4 0x0001 /* data is two struct in_addr */
/*
 * Comment below predates the current layout: the SENT_IPSP variant of the
 * Sen union is the PolicyHead pointer (see struct sockaddr_encap).
 */
#define SENT_IPSP 0x0002 /* data as in IP4/6 plus SPI */
#define SENT_IP6 0x0004 /* data is two struct in6_addr (Sip6) */

/* Size to store in sen_len: the whole encap sockaddr, whatever the type. */
#define SENT_LEN sizeof(struct sockaddr_encap)
226 :
/*
 * Header of an identity payload (IPSP_IDENTITY_*); the identity bytes
 * follow the struct in memory.  len is signed (int16_t), so whoever
 * walks the trailing data must reject negative values, not just large
 * ones, before using it as a size.
 */
struct ipsec_id {
	u_int16_t type; /* Subtype of data */
	int16_t len; /* Length of data following */
};
231 :
/*
 * Reference-counted pair of local/remote identities shared between
 * policies and SAs.  Each instance sits in two red-black trees at once:
 * ipsec_ids_tree (via id_node_id) and ipsec_ids_flows (via id_node_flow,
 * keyed on id_flow -- presumably; confirm against the RBT compare
 * functions, which are not in this header).
 */
struct ipsec_ids {
	RBT_ENTRY(ipsec_ids) id_node_id;
	RBT_ENTRY(ipsec_ids) id_node_flow;
	struct ipsec_id *id_local;
	struct ipsec_id *id_remote;
	u_int32_t id_flow;
	int id_refcount;	/* owners holding a pointer; see ipsp_ids_free */
	struct timeout id_timeout;
};
RBT_HEAD(ipsec_ids_flows, ipsec_ids);
RBT_HEAD(ipsec_ids_tree, ipsec_ids);
243 :
/*
 * An outstanding request to key management for an SA that a policy
 * needs (IPSP_IPSEC_ACQUIRE).  Linked both from its policy
 * (ipa_ipo_next, ipo_acquires) and from a global list (ipa_next), and
 * found by sequence number via ipsec_get_acquire().
 */
struct ipsec_acquire {
	union sockaddr_union ipa_addr;
	u_int32_t ipa_seq;			/* PF_KEY sequence number */
	struct sockaddr_encap ipa_info;		/* flow selector ... */
	struct sockaddr_encap ipa_mask;		/* ... and its mask */
	struct timeout ipa_timeout;
	struct ipsec_policy *ipa_policy;
	struct inpcb *ipa_pcb;
	TAILQ_ENTRY(ipsec_acquire) ipa_ipo_next;
	TAILQ_ENTRY(ipsec_acquire) ipa_next;
};
255 :
/*
 * One Security Policy Database entry.  Stored in a radix tree keyed on
 * ipo_addr/ipo_mask (struct sockaddr_encap selectors), and additionally
 * on the global ipsec_policy_head list and, when cached, on the TDB's
 * policy list.
 */
struct ipsec_policy {
	struct radix_node ipo_nodes[2]; /* radix tree glue */
	struct sockaddr_encap ipo_addr;
	struct sockaddr_encap ipo_mask;

	union sockaddr_union ipo_src; /* Local address to use */
	union sockaddr_union ipo_dst; /* Remote gateway -- if it's zeroed:
				       * - on output, we try to
				       * contact the remote host
				       * directly (if needed).
				       * - on input, we accept only if
				       * the inner source is the
				       * same as the outer source
				       * address, or if transport
				       * mode was used.
				       */

	u_int64_t ipo_last_searched; /* Timestamp of last lookup */

	u_int8_t ipo_flags; /* See IPSP_POLICY_* definitions */
	u_int8_t ipo_type; /* USE/ACQUIRE/... (IPSP_IPSEC_*, IPSP_PERMIT, IPSP_DENY) */
	u_int8_t ipo_sproto; /* ESP/AH; if zero, use system dflts */
	u_int ipo_rdomain;	/* Routing domain this policy belongs to */

	int ipo_ref_count;	/* see ipsec_delete_policy */

	struct tdb *ipo_tdb; /* Cached entry */

	struct ipsec_ids *ipo_ids;

	TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */
	TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* List TDB policies */
	TAILQ_ENTRY(ipsec_policy) ipo_list; /* List of all policies */
};
290 :
/* ipo_flags bits (bit 0x0001 is not defined here). */
#define IPSP_POLICY_NONE 0x0000 /* No flags set */
#define IPSP_POLICY_STATIC 0x0002 /* Static policy */

/* ipo_type values: what to do with traffic matching the policy. */
#define IPSP_IPSEC_USE 0 /* Use if existing, don't acquire */
#define IPSP_IPSEC_ACQUIRE 1 /* Try acquire, let packet through */
#define IPSP_IPSEC_REQUIRE 2 /* Require SA */
#define IPSP_PERMIT 3 /* Permit traffic through */
#define IPSP_DENY 4 /* Deny traffic */
#define IPSP_IPSEC_DONTACQ 5 /* Require, but don't acquire */

/* Identity types (struct ipsec_id.type) */
#define IPSP_IDENTITY_NONE 0
#define IPSP_IDENTITY_PREFIX 1
#define IPSP_IDENTITY_FQDN 2
#define IPSP_IDENTITY_USERFQDN 3
306 :
/*
 * Tunnel descriptor block: the kernel's representation of one Security
 * Association (SA).  Holds the transform pointers, lifetime limits and
 * timers, raw key material, replay state and the traffic selectors.
 */
struct tdb { /* tunnel descriptor block */
	/*
	 * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
	 * one keyed on dst/sproto, and one keyed on src/sproto. The first
	 * is used for finding a specific TDB, the second for finding TDBs
	 * for outgoing policy matching, and the third for incoming
	 * policy matching. The following three fields maintain the hash
	 * queues in those three tables.
	 */
	struct tdb *tdb_hnext; /* dst/spi/sproto table */
	struct tdb *tdb_dnext; /* dst/sproto table */
	struct tdb *tdb_snext; /* src/sproto table */
	/* Not documented here; presumably input/output SA bundle chaining -- confirm. */
	struct tdb *tdb_inext;
	struct tdb *tdb_onext;

	struct xformsw *tdb_xform; /* Transform to use */
	struct enc_xform *tdb_encalgxform; /* Enc algorithm */
	struct auth_hash *tdb_authalgxform; /* Auth algorithm */
	struct comp_algo *tdb_compalgxform; /* Compression algo */

/* tdb_flags bits.  Note the gaps (0x00040, 0x02000..0x08000) are unused. */
#define TDBF_UNIQUE 0x00001 /* This should not be used by others */
#define TDBF_TIMER 0x00002 /* Absolute expiration timer in use */
#define TDBF_BYTES 0x00004 /* Check the byte counters */
#define TDBF_ALLOCATIONS 0x00008 /* Check the flows counters */
#define TDBF_INVALID 0x00010 /* This SPI is not valid yet/anymore */
#define TDBF_FIRSTUSE 0x00020 /* Expire after first use */
#define TDBF_SOFT_TIMER 0x00080 /* Soft expiration */
#define TDBF_SOFT_BYTES 0x00100 /* Soft expiration */
#define TDBF_SOFT_ALLOCATIONS 0x00200 /* Soft expiration */
#define TDBF_SOFT_FIRSTUSE 0x00400 /* Soft expiration */
#define TDBF_PFS 0x00800 /* Ask for PFS from Key Mgmt. */
#define TDBF_TUNNELING 0x01000 /* Force IP-IP encapsulation */
#define TDBF_USEDTUNNEL 0x10000 /* Appended a tunnel header in past */
#define TDBF_UDPENCAP 0x20000 /* UDP encapsulation */
#define TDBF_PFSYNC 0x40000 /* TDB will be synced */
#define TDBF_PFSYNC_RPL 0x80000 /* Replay counter should be bumped */
#define TDBF_ESN 0x100000 /* 64-bit sequence numbers (ESN) */

	u_int32_t tdb_flags; /* Flags related to this TDB */

	/* One timeout per lifetime kind: hard/soft x absolute/first-use. */
	struct timeout tdb_timer_tmo;
	struct timeout tdb_first_tmo;
	struct timeout tdb_stimer_tmo;
	struct timeout tdb_sfirst_tmo;

	u_int32_t tdb_seq; /* Tracking number for PFKEY */
	u_int32_t tdb_exp_allocations; /* Expire after so many flows */
	u_int32_t tdb_soft_allocations; /* Expiration warning */
	u_int32_t tdb_cur_allocations; /* Total number of allocs */

	u_int64_t tdb_exp_bytes; /* Expire after so many bytes passed */
	u_int64_t tdb_soft_bytes; /* Expiration warning */
	u_int64_t tdb_cur_bytes; /* Current count of bytes */

	u_int64_t tdb_exp_timeout; /* When does the SPI expire */
	u_int64_t tdb_soft_timeout; /* Send soft-expire warning */
	u_int64_t tdb_established; /* When was SPI established */

	u_int64_t tdb_first_use; /* When was it first used */
	u_int64_t tdb_soft_first_use; /* Soft warning */
	u_int64_t tdb_exp_first_use; /* Expire if tdb_first_use +
				      * tdb_exp_first_use <= curtime
				      */

	u_int64_t tdb_last_used; /* When was this SA last used */
	u_int64_t tdb_last_marked;/* Last SKIPCRYPTO status change */

	struct tdb_data tdb_data; /* stats about this TDB */
	u_int64_t tdb_cryptoid; /* Crypto session ID */

	u_int32_t tdb_spi; /* SPI */
	u_int16_t tdb_amxkeylen; /* Raw authentication key length */
	u_int16_t tdb_emxkeylen; /* Raw encryption key length */
	u_int16_t tdb_ivlen; /* IV length */
	u_int8_t tdb_sproto; /* IPsec protocol */
	u_int8_t tdb_wnd; /* Replay window */
	u_int8_t tdb_satype; /* SA type (RFC2367, PF_KEY) */
	u_int8_t tdb_updates; /* pfsync update counter */

	union sockaddr_union tdb_dst; /* Destination address */
	union sockaddr_union tdb_src; /* Source address */

	/*
	 * Secret key material (lengths in tdb_amxkeylen/tdb_emxkeylen).
	 * NOTE(review): this header does not show who frees or zeroizes
	 * these; presumably the transform's xf_zeroize -- confirm before
	 * adding any new teardown path.
	 */
	u_int8_t *tdb_amxkey; /* Raw authentication key */
	u_int8_t *tdb_emxkey; /* Raw encryption key */

/* Anti-replay bitmap size in bits: 2100 usable plus slack. */
#define TDB_REPLAYWASTE 32
#define TDB_REPLAYMAX (2100+TDB_REPLAYWASTE)

	u_int64_t tdb_rpl; /* Replay counter */
	/* Anti-replay window: howmany(2132, 32) = 67 words of 32 bits */
	u_int32_t tdb_seen[howmany(TDB_REPLAYMAX, 32)]; /* Anti-replay window */

	u_int8_t tdb_iv[4]; /* Used for HALF-IV ESP */

	struct ipsec_ids *tdb_ids; /* Src/Dst ID for this SA */
	int tdb_ids_swapped; /* XXX */

	u_int32_t tdb_mtu; /* MTU at this point in the chain */
	u_int64_t tdb_mtutimeout; /* When to ignore this entry */

	u_int16_t tdb_udpencap_port; /* Peer UDP port */

	u_int16_t tdb_tag; /* Packet filter tag */
	u_int32_t tdb_tap; /* Alternate enc(4) interface */

	u_int tdb_rdomain; /* Routing domain */

	struct sockaddr_encap tdb_filter; /* What traffic is acceptable */
	struct sockaddr_encap tdb_filtermask; /* And the mask */

	TAILQ_HEAD(tdb_policy_head, ipsec_policy) tdb_policy_head;
	TAILQ_ENTRY(tdb) tdb_sync_entry;
};
/* Short names for the per-SA counters embedded as struct tdb.tdb_data. */
#define tdb_ipackets tdb_data.tdd_ipackets
#define tdb_opackets tdb_data.tdd_opackets
#define tdb_ibytes tdb_data.tdd_ibytes
#define tdb_obytes tdb_data.tdd_obytes
#define tdb_idrops tdb_data.tdd_idrops
#define tdb_odrops tdb_data.tdd_odrops
#define tdb_idecompbytes tdb_data.tdd_idecompbytes
#define tdb_ouncompbytes tdb_data.tdd_ouncompbytes
427 :
428 :
/*
 * The lookup key of an SA: the same tuple gettdb() takes
 * (rdomain, spi, dst, proto).
 */
struct tdb_ident {
	u_int32_t spi;
	union sockaddr_union dst;
	u_int8_t proto;
	u_int rdomain;
};
435 :
/*
 * Context carried through an asynchronous crypto operation and handed
 * back to the *_input_cb/*_output_cb callbacks: the SA's lookup tuple
 * plus the packet offsets the callback needs to resume processing.
 */
struct tdb_crypto {
	u_int32_t tc_spi;
	union sockaddr_union tc_dst;
	u_int8_t tc_proto;
	int tc_protoff;		/* offset of the protocol field / next header */
	int tc_skip;		/* bytes to skip to reach the IPsec header */
	u_int tc_rdomain;
};
444 :
/*
 * Algorithm selection and key material handed to a transform's xf_init.
 * The key pointers are not owned by this struct; lengths are explicit
 * so the transform must bound every key copy by ii_enckeylen /
 * ii_authkeylen rather than by the algorithm's nominal size.
 */
struct ipsecinit {
	u_int8_t *ii_enckey;
	u_int8_t *ii_authkey;
	u_int16_t ii_enckeylen;
	u_int16_t ii_authkeylen;
	u_int8_t ii_encalg;
	u_int8_t ii_authalg;
	u_int8_t ii_compalg;
};
454 :
/* xform IDs (struct xformsw.xf_type); value 4 is not assigned here. */
#define XF_IP4 1 /* IP inside IP */
#define XF_AH 2 /* AH */
#define XF_ESP 3 /* ESP */
#define XF_TCPSIGNATURE 5 /* TCP MD5 Signature option, RFC 2385 (original comment said "RFC 2358", a transposition) */
#define XF_IPCOMP 6 /* IPCOMP */

/* xform attributes (struct xformsw.xf_flags): what the transform provides */
#define XFT_AUTH 0x0001		/* integrity/authentication */
#define XFT_CONF 0x0100		/* confidentiality */
#define XFT_COMP 0x1000		/* compression */

#define IPSEC_ZEROES_SIZE 256 /* Larger than an IP6 extension hdr. */
468 :
/*
 * Transform switch: the per-protocol entry points (AH, ESP, IPComp,
 * IP-in-IP, TCP signature).  The prototypes further down (ah_attach,
 * ah_init, ... esp_*, ipcomp_*, ipe4_*, tcp_signature_tdb_*) are the
 * implementations plugged into these slots.
 */
struct xformsw {
	u_short xf_type; /* Unique ID of xform */
	u_short xf_flags; /* flags (see below) */
	char *xf_name; /* human-readable name (not const-qualified; treat as read-only) */
	int (*xf_attach)(void); /* called at config time */
	int (*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *); /* set up an SA from ipsecinit */
	int (*xf_zeroize)(struct tdb *); /* termination */
	int (*xf_input)(struct mbuf *, struct tdb *, int, int); /* input */
	int (*xf_output)(struct mbuf *, struct tdb *, struct mbuf **,
	    int, int); /* output */
};
480 :
extern int ipsec_in_use;
extern u_int64_t ipsec_last_added;
extern int ipsec_policy_pool_initialized;
extern int encdebug; /* enable message reporting */

/*
 * sysctl-tunable lifetimes; seeded from the IPSEC_DEFAULT_* values at the
 * top of this file and exposed through IPSECCTL_VARS below.
 */
extern int ipsec_keep_invalid; /* lifetime of embryonic SAs (in sec) */
extern int ipsec_require_pfs; /* use Perfect Forward Secrecy */
extern int ipsec_expire_acquire; /* wait for security assoc. (in sec) */
extern int ipsec_soft_allocations; /* flows/SA before renegotiation */
extern int ipsec_exp_allocations; /* num. of flows/SA before it expires */
extern int ipsec_soft_bytes; /* bytes/SA before renegotiation */
extern int ipsec_exp_bytes; /* num of bytes/SA before it expires */
extern int ipsec_soft_timeout; /* seconds/SA before renegotiation */
extern int ipsec_exp_timeout; /* seconds/SA before it expires */
extern int ipsec_soft_first_use; /* seconds between 1st asso & renego */
extern int ipsec_exp_first_use; /* seconds between 1st asso & expire */
497 :
/*
 * Names for IPsec sysctl objects.  The numeric value of each is its
 * index into the IPSECCTL_VARS table below; IPSEC_MAXID is one past
 * the last valid index.
 */
#define IPSEC_ENCDEBUG IPCTL_ENCDEBUG /* 12 */
#define IPSEC_STATS IPCTL_IPSEC_STATS /* 13 */
#define IPSEC_EXPIRE_ACQUIRE IPCTL_IPSEC_EXPIRE_ACQUIRE /* 14 */
#define IPSEC_EMBRYONIC_SA_TIMEOUT IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT/* 15 */
#define IPSEC_REQUIRE_PFS IPCTL_IPSEC_REQUIRE_PFS /* 16 */
#define IPSEC_SOFT_ALLOCATIONS IPCTL_IPSEC_SOFT_ALLOCATIONS /* 17 */
#define IPSEC_ALLOCATIONS IPCTL_IPSEC_ALLOCATIONS /* 18 */
#define IPSEC_SOFT_BYTES IPCTL_IPSEC_SOFT_BYTES /* 19 */
#define IPSEC_BYTES IPCTL_IPSEC_BYTES /* 20 */
#define IPSEC_TIMEOUT IPCTL_IPSEC_TIMEOUT /* 21 */
#define IPSEC_SOFT_TIMEOUT IPCTL_IPSEC_SOFT_TIMEOUT /* 22 */
#define IPSEC_SOFT_FIRSTUSE IPCTL_IPSEC_SOFT_FIRSTUSE /* 23 */
#define IPSEC_FIRSTUSE IPCTL_IPSEC_FIRSTUSE /* 24 */
#define IPSEC_MAXID 25
515 :
/*
 * Integer sysctl variable table, indexed by the IPSEC_* object numbers
 * above.  Slots 0..11 and 13 (IPSEC_STATS, served separately) are NULL.
 * Order is significant: slot 21 is the hard timeout and 22 the soft
 * one, matching IPSEC_TIMEOUT / IPSEC_SOFT_TIMEOUT.
 */
#define IPSECCTL_VARS { \
	NULL, /* 0 */ \
	NULL, \
	NULL, \
	NULL, \
	NULL, \
	NULL, \
	NULL, \
	NULL, \
	NULL, \
	NULL, \
	NULL, \
	NULL, /* 11 */ \
	&encdebug, /* 12 IPSEC_ENCDEBUG */ \
	NULL, /* ipsecstat */ \
	&ipsec_expire_acquire, /* 14 */ \
	&ipsec_keep_invalid, /* 15 IPSEC_EMBRYONIC_SA_TIMEOUT */ \
	&ipsec_require_pfs, /* 16 */ \
	&ipsec_soft_allocations, /* 17 */ \
	&ipsec_exp_allocations, /* 18 */ \
	&ipsec_soft_bytes, /* 19 */ \
	&ipsec_exp_bytes, /* 20 */ \
	&ipsec_exp_timeout, /* 21 IPSEC_TIMEOUT */ \
	&ipsec_soft_timeout, /* 22 IPSEC_SOFT_TIMEOUT */ \
	&ipsec_soft_first_use, /* 23 */ \
	&ipsec_exp_first_use, /* 24 */ \
}
543 :
/* Runtime default algorithm names (initialised from IPSEC_DEFAULT_DEF_*). */
extern char ipsec_def_enc[];
extern char ipsec_def_auth[];
extern char ipsec_def_comp[];

/* Cipher descriptors referenced by this header's users. */
extern struct enc_xform enc_xform_des;
extern struct enc_xform enc_xform_3des;
extern struct enc_xform enc_xform_blf;
extern struct enc_xform enc_xform_cast5;

/* Truncated-HMAC authenticators (96-bit output). */
extern struct auth_hash auth_hash_hmac_md5_96;
extern struct auth_hash auth_hash_hmac_sha1_96;
extern struct auth_hash auth_hash_hmac_ripemd_160_96;

extern struct comp_algo comp_algo_deflate;

/* Global list of all SPD entries (ipo_list links). */
extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;
560 :
561 : struct cryptop;
562 :
/* Misc. */
#ifdef ENCDEBUG
/* Format an address into the caller's buffer for debug output; ENCDEBUG builds only. */
const char *ipsp_address(union sockaddr_union *, char *, socklen_t);
#endif /* ENCDEBUG */

/* SPD tables: one radix table per unsigned int key (presumably the rdomain -- confirm). */
struct radix_node_head *spd_table_add(unsigned int);
struct radix_node_head *spd_table_get(unsigned int);
int spd_table_walk(unsigned int,
    int (*walker)(struct ipsec_policy *, void *, unsigned int), void *);

/* TDB management routines */
/* Pick/validate an SPI in [min, max] for the given src/dst/proto; error out via the int *. */
uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *,
    union sockaddr_union *, u_int8_t, int *);
/* Exact lookup by (rdomain, spi, dst, sproto) -- the dst/spi/sproto hash table. */
struct tdb *gettdb(u_int, u_int32_t, union sockaddr_union *, u_int8_t);
/* Lookup by destination, optionally narrowed by identities and a flow filter/mask. */
struct tdb *gettdbbydst(u_int, union sockaddr_union *, u_int8_t,
    struct ipsec_ids *,
    struct sockaddr_encap *, struct sockaddr_encap *);
/* Same, keyed on the source (incoming policy matching). */
struct tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t,
    struct ipsec_ids *,
    struct sockaddr_encap *, struct sockaddr_encap *);
struct tdb *gettdbbysrcdst(u_int, u_int32_t, union sockaddr_union *,
    union sockaddr_union *, u_int8_t);
void puttdb(struct tdb *);
void tdb_delete(struct tdb *);
struct tdb *tdb_alloc(u_int);
void tdb_free(struct tdb *);
int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
void tdb_unlink(struct tdb *);
int tdb_walk(u_int, int (*)(struct tdb *, void *, int), void *);
593 :
/*
 * Per-transform entry points.  Each group below implements the slots of
 * struct xformsw (attach/init/zeroize/input/output); the *_cb variants
 * are the continuations run once the crypto framework completes, and
 * the *4_input/*6_input ones are the protocol demux hooks.
 */

/* XF_IP4 */
int ipe4_attach(void);
int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int ipe4_zeroize(struct tdb *);
int ipe4_input(struct mbuf *, struct tdb *, int, int);

/* XF_AH */
int ah_attach(void);
int ah_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int ah_zeroize(struct tdb *);
int ah_input(struct mbuf *, struct tdb *, int, int);
int ah_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int);
int ah_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
int ah_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
    int);
int ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);

int ah4_input(struct mbuf **, int *, int, int);
void ah4_ctlinput(int, struct sockaddr *, u_int, void *);
void udpencap_ctlinput(int, struct sockaddr *, u_int, void *);

#ifdef INET6
int ah6_input(struct mbuf **, int *, int, int);
#endif /* INET6 */

/* XF_ESP */
int esp_attach(void);
int esp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int esp_zeroize(struct tdb *);
int esp_input(struct mbuf *, struct tdb *, int, int);
int esp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int);
int esp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
int esp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
    int);
int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);

int esp4_input(struct mbuf **, int *, int, int);
void esp4_ctlinput(int, struct sockaddr *, u_int, void *);

#ifdef INET6
int esp6_input(struct mbuf **, int *, int, int);
#endif /* INET6 */

/* XF_IPCOMP */
int ipcomp_attach(void);
int ipcomp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
int ipcomp_zeroize(struct tdb *);
int ipcomp_input(struct mbuf *, struct tdb *, int, int);
int ipcomp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int);
int ipcomp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
int ipcomp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
    int);
int ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
int ipcomp4_input(struct mbuf **, int *, int, int);
#ifdef INET6
int ipcomp6_input(struct mbuf **, int *, int, int);
#endif /* INET6 */

/* XF_TCPSIGNATURE (TCP MD5 option; no output-callback / sysctl variants) */
int tcp_signature_tdb_attach(void);
int tcp_signature_tdb_init(struct tdb *, struct xformsw *,
    struct ipsecinit *);
int tcp_signature_tdb_zeroize(struct tdb *);
int tcp_signature_tdb_input(struct mbuf *, struct tdb *, int, int);
int tcp_signature_tdb_output(struct mbuf *, struct tdb *, struct mbuf **,
    int, int);
660 :
/*
 * Replay window.  Anti-replay check against tdb_rpl/tdb_seen for the
 * given sequence number; the u_int32_t * output and the trailing int
 * are not documented here -- presumably the resulting window index and
 * a commit/peek flag; confirm in the implementation before use.
 */
int checkreplaywindow(struct tdb *, u_int32_t, u_int32_t *, int);

/* Packet processing */
int ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
int ipsp_process_done(struct mbuf *, struct tdb *);
/* SPD lookup for an mbuf; returns the SA to apply (or NULL) and an error via int *. */
struct tdb *ipsp_spd_lookup(struct mbuf *, int, int, int *, int,
    struct tdb *, struct inpcb *, u_int32_t);
struct tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int,
    struct tdb *, struct inpcb *, struct ipsec_policy *);
/* True if the address is the unspecified (all-zero) address -- by value, not pointer. */
int ipsp_is_unspecified(union sockaddr_union);
/* Identity and flow-filter matching used by the gettdbby* lookups. */
int ipsp_aux_match(struct tdb *, struct ipsec_ids *,
    struct sockaddr_encap *, struct sockaddr_encap *);
int ipsp_ids_match(struct ipsec_ids *, struct ipsec_ids *);
/* Reference-counted identity set management (see struct ipsec_ids.id_refcount). */
struct ipsec_ids *ipsp_ids_insert(struct ipsec_ids *);
struct ipsec_ids *ipsp_ids_lookup(u_int32_t);
void ipsp_ids_free(struct ipsec_ids *);

void ipsec_init(void);
int ipsec_sysctl(int *, u_int, void *, size_t *, void *, size_t);
int ipsec_common_input(struct mbuf *, int, int, int, int, int);
/* Crypto-framework completion callbacks. */
void ipsec_input_cb(struct cryptop *);
void ipsec_output_cb(struct cryptop *);
int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int);
int ipsec_delete_policy(struct ipsec_policy *);
/* Bytes of IPsec header overhead the SA adds (signed so an error can be returned). */
ssize_t ipsec_hdrsz(struct tdb *);
void ipsec_adjust_mtu(struct mbuf *, u_int32_t);
struct ipsec_acquire *ipsec_get_acquire(u_int32_t);
/* Policy enforcement hooks on the forwarding and local-delivery paths. */
int ipsec_forward_check(struct mbuf *, int, int);
int ipsec_local_check(struct mbuf *, int, int, int);
691 :
692 : #endif /* _KERNEL */
693 : #endif /* _NETINET_IPSP_H_ */