sys/netinet/ip_ipsp.h


    1 /*      $OpenBSD: ip_ipsp.h,v 1.240 2022/07/14 13:52:10 mvs Exp $       */
    2 /*
    3  * The authors of this code are John Ioannidis (ji@tla.org),
    4  * Angelos D. Keromytis (kermit@csd.uch.gr),
    5  * Niels Provos (provos@physnet.uni-hamburg.de) and
    6  * Niklas Hallqvist (niklas@appli.se).
    7  *
    8  * The original version of this code was written by John Ioannidis
    9  * for BSD/OS in Athens, Greece, in November 1995.
   10  *
   11  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
   12  * by Angelos D. Keromytis.
   13  *
   14  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
   15  * and Niels Provos.
   16  *
   17  * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
   18  *
   19  * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
   20  * Angelos D. Keromytis and Niels Provos.
   21  * Copyright (c) 1999 Niklas Hallqvist.
   22  * Copyright (c) 2001, Angelos D. Keromytis.
   23  *
   24  * Permission to use, copy, and modify this software with or without fee
   25  * is hereby granted, provided that this entire notice is included in
   26  * all copies of any software which is or includes a copy or
   27  * modification of this software.
   28  * You may use this code under the GNU public license if you so wish. Please
   29  * contribute changes back to the authors under this freer than GPL license
   30  * so that we may further the use of strong encryption without limitations to
   31  * all.
   32  *
   33  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
   34  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
   35  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
   36  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
   37  * PURPOSE.
   38  */
   39 
   40 #ifndef _NETINET_IPSP_H_
   41 #define _NETINET_IPSP_H_
   42 
   43 /*
   44  * Locks used to protect struct members in this file:
   45  *      I       immutable after creation
   46  *      a       atomic operations
   47  *      N       net lock
   48  *      A       ipsec_acquire_mtx
   49  *      F       ipsec_flows_mtx
   50  *      P       ipo_tdb_mtx             link policy to TDB global mutex
   51  *      D       tdb_sadb_mtx            SA database global mutex
   52  *      m       tdb_mtx                 fields of struct tdb
   53  */
   54 
   55 /* IPSP global definitions. */
   56 
   57 #include <sys/types.h>
   58 #include <netinet/in.h>
   59 
/*
 * One storage area that can be read as a generic sockaddr (for sa_family and
 * sa_len) or as the IPv4 / IPv6 form.  Readers should dispatch on
 * sa.sa_family before touching sin or sin6.
 */
union sockaddr_union {
        struct sockaddr         sa;     /* family/length view */
        struct sockaddr_in      sin;    /* AF_INET view */
        struct sockaddr_in6     sin6;   /* AF_INET6 view */
};
   65 
/*
 * AH authenticator (ICV) sizing, in bytes.  AH_HMAC_MAX_HASHLEN is the
 * largest authenticator actually carried on the wire (32 bytes = 256 bits);
 * the *_ALEN values below are the full digest sizes of each algorithm.
 */
#define AH_HMAC_MAX_HASHLEN     32      /* 256 bits of authenticator for SHA512 */
#define AH_HMAC_RPLENGTH        4       /* 32 bits of replay counter */
#define AH_HMAC_INITIAL_RPL     1       /* Replay counter initial value */

/* Authenticator lengths (full digest size, bytes) */
#define AH_MD5_ALEN             16
#define AH_SHA1_ALEN            20
#define AH_RMD160_ALEN          20
#define AH_SHA2_256_ALEN        32
#define AH_SHA2_384_ALEN        48
#define AH_SHA2_512_ALEN        64
#define AH_ALEN_MAX             64      /* Keep updated: must equal the largest *_ALEN above */

/*
 * Reserved SPI numbers.  SPI 0 is for local use only and 1..255 are
 * reserved; presumably reserve_spi() never hands these out -- confirm in
 * ip_ipsp.c before relying on it.
 */
#define SPI_LOCAL_USE           0
#define SPI_RESERVED_MIN        1
#define SPI_RESERVED_MAX        255

/* Reserved CPI numbers (IPComp); the private range is the top 4096 values. */
#define CPI_RESERVED_MIN        1
#define CPI_RESERVED_MAX        255
#define CPI_PRIVATE_MIN         61440
#define CPI_PRIVATE_MAX         65535

/*
 * sysctl default values.  Timeouts are in seconds, allocation/byte limits
 * are absolute counts with 0 meaning "no limit".  Each SOFT_* value is
 * below its EXP_* counterpart so that a soft expiration (renegotiation
 * warning) is raised before the hard expiration; keep that ordering when
 * changing them.
 */
#define IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT      60      /* 1 minute */
#define IPSEC_DEFAULT_PFS                       1
#define IPSEC_DEFAULT_SOFT_ALLOCATIONS          0
#define IPSEC_DEFAULT_EXP_ALLOCATIONS           0
#define IPSEC_DEFAULT_SOFT_BYTES                0
#define IPSEC_DEFAULT_EXP_BYTES                 0
#define IPSEC_DEFAULT_SOFT_TIMEOUT              80000
#define IPSEC_DEFAULT_EXP_TIMEOUT               86400   /* 24 hours */
#define IPSEC_DEFAULT_SOFT_FIRST_USE            3600    /* 1 hour */
#define IPSEC_DEFAULT_EXP_FIRST_USE             7200    /* 2 hours */
#define IPSEC_DEFAULT_DEF_ENC                   "aes"
#define IPSEC_DEFAULT_DEF_AUTH                  "hmac-sha1"
#define IPSEC_DEFAULT_EXPIRE_ACQUIRE            30
#define IPSEC_DEFAULT_DEF_COMP                  "deflate"
  105 
/*
 * Encapsulation "address": the flow selector used as the key (and mask)
 * into the SPD radix tree.  sen_type says which Sen member is valid
 * (SENT_IP4 -> Sip4, SENT_IP6 -> Sip6); Direction holds an
 * IPSP_DIRECTION_* value.  Port fields are only meaningful for protocols
 * that carry ports -- a zero port/proto in the mask presumably wildcards
 * it, confirm against the SPD lookup code.
 */
struct sockaddr_encap {
        u_int8_t        sen_len;                /* length */
        u_int8_t        sen_family;             /* PF_KEY */
        u_int16_t       sen_type;               /* see SENT_* */
        union {
                struct {                                /* SENT_IP4 */
                        u_int8_t        Direction;      /* IPSP_DIRECTION_* */
                        struct in_addr  Src;
                        struct in_addr  Dst;
                        u_int8_t        Proto;          /* IP protocol number */
                        u_int16_t       Sport;
                        u_int16_t       Dport;
                } Sip4;

                struct {                                /* SENT_IP6 */
                        u_int8_t        Direction;      /* IPSP_DIRECTION_* */
                        struct in6_addr Src;
                        struct in6_addr Dst;
                        u_int8_t        Proto;          /* IP protocol number */
                        u_int16_t       Sport;
                        u_int16_t       Dport;
                } Sip6;
        } Sen;
};
  130 
/* Values for sockaddr_encap Direction; distinct bits, so a mask of both matches either. */
#define IPSP_DIRECTION_IN       0x1
#define IPSP_DIRECTION_OUT      0x2
  133 
/*
 * Global IPsec statistics in the layout exported to userland.  The member
 * order mirrors enum ipsec_counters (kernel section below) one-for-one;
 * presumably the per-CPU counters are copied into this struct positionally,
 * so the two lists must be kept in sync.
 */
struct ipsecstat {
        uint64_t        ipsec_tunnels;          /* Number of active tunnels */
        uint64_t        ipsec_prevtunnels;      /* Past number of tunnels */
        uint64_t        ipsec_ipackets;         /* Input IPsec packets */
        uint64_t        ipsec_opackets;         /* Output IPsec packets */
        uint64_t        ipsec_ibytes;           /* Input bytes */
        uint64_t        ipsec_obytes;           /* Output bytes */
        uint64_t        ipsec_idecompbytes;     /* Input bytes, decompressed */
        uint64_t        ipsec_ouncompbytes;     /* Output bytes, uncompressed */
        uint64_t        ipsec_idrops;           /* Dropped on input */
        uint64_t        ipsec_odrops;           /* Dropped on output */
        uint64_t        ipsec_crypto;           /* Crypto processing failure */
        uint64_t        ipsec_notdb;            /* No TDB was found */
        uint64_t        ipsec_noxform;          /* Crypto error */
        uint64_t        ipsec_exctdb;           /* TDBs with hardlimit excess */
};
  150 
  151 #ifdef _KERNEL
  152 
  153 #include <sys/timeout.h>
  154 #include <sys/tree.h>
  155 #include <sys/queue.h>
  156 #include <net/radix.h>
  157 #include <sys/percpu.h>
  158 
/*
 * Indices into the ipseccounters per-CPU store.  Order must match
 * struct ipsecstat above; ipsec_ncounters is the count, not a counter.
 */
enum ipsec_counters {
        ipsec_tunnels,
        ipsec_prevtunnels,
        ipsec_ipackets,
        ipsec_opackets,
        ipsec_ibytes,
        ipsec_obytes,
        ipsec_idecompbytes,
        ipsec_ouncompbytes,
        ipsec_idrops,
        ipsec_odrops,
        ipsec_crypto,
        ipsec_notdb,
        ipsec_noxform,
        ipsec_exctdb,
        ipsec_ncounters         /* number of counters; must stay last */
};
  176 
/* Backing store for enum ipsec_counters (struct cpumem, see <sys/percpu.h>). */
extern struct cpumem *ipseccounters;
  178 
/*
 * Bump global IPsec counter c via counters_inc() on the ipseccounters
 * store (<sys/percpu.h>).
 */
static inline void
ipsecstat_inc(enum ipsec_counters c)
{
        counters_inc(ipseccounters, c);
}
  184 
/*
 * Decrement global IPsec counter c via counters_dec() on the
 * ipseccounters store.
 */
static inline void
ipsecstat_dec(enum ipsec_counters c)
{
        counters_dec(ipseccounters, c);
}
  190 
/*
 * Add v to global IPsec counter c via counters_add() on the
 * ipseccounters store.
 */
static inline void
ipsecstat_add(enum ipsec_counters c, uint64_t v)
{
        counters_add(ipseccounters, c, v);
}
  196 
/*
 * Account one packet of v bytes: p is the packet counter and b the byte
 * counter.  Presumably counters_pkt() bumps p by one and adds v to b --
 * confirm in <sys/percpu.h>.
 */
static inline void
ipsecstat_pkt(enum ipsec_counters p, enum ipsec_counters b, uint64_t v)
{
        counters_pkt(ipseccounters, p, b, v);
}
  202 
struct m_tag;

/*
 * Accessor macros for the sockaddr_encap selector fields.
 * NOTE(review): sen_data expands to Sen.Data, but the Sen union in this file
 * has only Sip4 and Sip6 members, so any use of sen_data would not compile;
 * it looks vestigial -- confirm no users exist before removing it.
 */
#define sen_data                Sen.Data
#define sen_ip_src              Sen.Sip4.Src
#define sen_ip_dst              Sen.Sip4.Dst
#define sen_proto               Sen.Sip4.Proto
#define sen_sport               Sen.Sip4.Sport
#define sen_dport               Sen.Sip4.Dport
#define sen_direction           Sen.Sip4.Direction
#define sen_ip6_src             Sen.Sip6.Src
#define sen_ip6_dst             Sen.Sip6.Dst
#define sen_ip6_proto           Sen.Sip6.Proto
#define sen_ip6_sport           Sen.Sip6.Sport
#define sen_ip6_dport           Sen.Sip6.Dport
#define sen_ip6_direction       Sen.Sip6.Direction
  218 
  219 /*
  220  * The "type" is really part of the address as far as the routing
  221  * system is concerned. By using only one bit in the type field
  222  * for each type, we sort-of make sure that different types of
  223  * encapsulation addresses won't be matched against the wrong type.
  224  *
  225  */
  226 
/* sen_type values: one bit per address family so masks cannot cross types. */
#define SENT_IP4        0x0001          /* data is two struct in_addr */
#define SENT_IP6        0x0002          /* data is two struct in6_addr */

/* Size of a sockaddr_encap, regardless of sen_type. */
#define SENT_LEN        sizeof(struct sockaddr_encap)
  231 
/*
 * Header of an identity payload (IPSP_IDENTITY_* subtype); the identity
 * data follows this struct in memory.
 * NOTE(review): len is signed.  Code that derives a size or offset from it
 * must reject negative values before use.
 */
struct ipsec_id {
        u_int16_t       type;           /* Subtype of data */
        int16_t         len;            /* Length of data following */
};
  236 
/*
 * A local/remote identity pair shared by policies and TDBs.  Reference
 * counted; id_gc_ttl presumably delays freeing after the last reference
 * drops (see ipsp_ids_free()) -- confirm in ip_ipsp.c.  Lock annotations
 * are explained at the top of this file.
 */
struct ipsec_ids {
        LIST_ENTRY(ipsec_ids)   id_gc_list;     /* [F] */
        RBT_ENTRY(ipsec_ids)    id_node_id;     /* [F] keyed on identities */
        RBT_ENTRY(ipsec_ids)    id_node_flow;   /* [F] keyed on id_flow */
        struct ipsec_id         *id_local;      /* [I] */
        struct ipsec_id         *id_remote;     /* [I] */
        u_int32_t               id_flow;        /* [I] lookup key for ipsp_ids_lookup() */
        u_int                   id_refcount;    /* [F] */
        u_int                   id_gc_ttl;      /* [F] */
};
/* Tree heads for the two ipsec_ids indexes (by flow id, by identity). */
RBT_HEAD(ipsec_ids_flows, ipsec_ids);
RBT_HEAD(ipsec_ids_tree, ipsec_ids);
  249 
/*
 * An outstanding request to key management for an SA matching a policy.
 * Reference counted; ipa_timeout presumably expires the request after
 * ipsec_expire_acquire seconds -- confirm in ip_ipsp.c.  Linked both per
 * policy and on a global list, both under ipsec_acquire_mtx [A].
 */
struct ipsec_acquire {
        union sockaddr_union            ipa_addr;       /* peer address */
        u_int32_t                       ipa_seq;        /* PF_KEY sequence number */
        struct sockaddr_encap           ipa_info;       /* flow being acquired for */
        struct sockaddr_encap           ipa_mask;
        struct refcnt                   ipa_refcnt;
        struct timeout                  ipa_timeout;
        struct ipsec_policy             *ipa_policy;    /* [A] back pointer */
        TAILQ_ENTRY(ipsec_acquire)      ipa_ipo_next;   /* [A] per policy */
        TAILQ_ENTRY(ipsec_acquire)      ipa_next;       /* [A] global list */
};
  261 
/* List head type for ipsec_acquire entries (used per policy). */
TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire);
  263 
/*
 * One SPD entry: a flow selector (ipo_addr/ipo_mask, in the radix tree via
 * ipo_nodes), the action to take (ipo_type, IPSP_*), the SA endpoints to
 * use, and a cached pointer to the TDB that currently satisfies it.
 * Reference counted; field lock annotations are listed at the top of the
 * file.
 */
struct ipsec_policy {
        struct radix_node       ipo_nodes[2];   /* radix tree glue */
        struct sockaddr_encap   ipo_addr;       /* flow selector */
        struct sockaddr_encap   ipo_mask;       /* and its mask */

        union sockaddr_union    ipo_src;        /* Local address to use */
        union sockaddr_union    ipo_dst;        /* Remote gateway -- if it's zeroed:
                                                 * - on output, we try to
                                                 * contact the remote host
                                                 * directly (if needed).
                                                 * - on input, we accept only if
                                                 * the inner source is the
                                                 * same as the outer source
                                                 * address, or if transport
                                                 * mode was used.
                                                 */

        u_int64_t       ipo_last_searched;      /* [P] Timestamp of lookup */

        u_int8_t                ipo_flags;      /* See IPSP_POLICY_* definitions */
        u_int8_t                ipo_type;       /* USE/ACQUIRE/... (IPSP_* below) */
        u_int8_t                ipo_sproto;     /* ESP/AH; if zero, use system dflts */
        u_int                   ipo_rdomain;    /* routing domain the policy lives in */

        struct refcnt           ipo_refcnt;

        struct tdb              *ipo_tdb;       /* [P] Cached TDB entry */

        struct ipsec_ids        *ipo_ids;       /* required identities, or NULL */

        struct ipsec_acquire_head ipo_acquires; /* [A] List of acquires */
        TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* [P] List TDB policies */
        TAILQ_ENTRY(ipsec_policy) ipo_list;     /* List of all policies */
};
  298 
/* ipo_flags bits */
#define IPSP_POLICY_NONE        0x0000  /* No flags set */
#define IPSP_POLICY_STATIC      0x0002  /* Static policy */

/*
 * ipo_type values (policy action).  Only IPSP_PERMIT lets traffic through
 * without an SA; the IPSEC_* variants differ in whether a missing SA is
 * requested from key management and whether the packet is let through
 * meanwhile.
 */
#define IPSP_IPSEC_USE          0       /* Use if existing, don't acquire */
#define IPSP_IPSEC_ACQUIRE      1       /* Try acquire, let packet through */
#define IPSP_IPSEC_REQUIRE      2       /* Require SA */
#define IPSP_PERMIT             3       /* Permit traffic through */
#define IPSP_DENY               4       /* Deny traffic */
#define IPSP_IPSEC_DONTACQ      5       /* Require, but don't acquire */

/* Identity types (struct ipsec_id type field) */
#define IPSP_IDENTITY_NONE              0
#define IPSP_IDENTITY_PREFIX            1
#define IPSP_IDENTITY_FQDN              2
#define IPSP_IDENTITY_USERFQDN          3
#define IPSP_IDENTITY_ASN1_DN           4
  315 
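/*
 * Security association state.  Holds the transform and algorithm
 * selection, key material, lifetime limits and counters, the anti-replay
 * window, and the addressing/filter that scopes the SA.  Lock annotations
 * ([D], [m], [N], [P], [I]) are explained at the top of this file.
 */
struct tdb {                            /* tunnel descriptor block */
        /*
         * Each TDB is on three hash tables: one keyed on dst/spi/sproto,
         * one keyed on dst/sproto, and one keyed on src/sproto. The first
         * is used for finding a specific TDB, the second for finding TDBs
         * for outgoing policy matching, and the third for incoming
         * policy matching. The following three fields maintain the hash
         * queues in those three tables.
         */
        struct tdb      *tdb_hnext;     /* [D] dst/spi/sproto table */
        struct tdb      *tdb_dnext;     /* [D] dst/sproto table */
        struct tdb      *tdb_snext;     /* [D] src/sproto table */
        struct tdb      *tdb_inext;     /* presumably SA bundle links, see tdb_unbundle() -- unannotated */
        struct tdb      *tdb_onext;
        SIMPLEQ_ENTRY(tdb) tdb_walk;    /* [N] temp list for tdb walker */

        struct refcnt   tdb_refcnt;
        struct mutex    tdb_mtx;        /* protects [m] fields */

        const struct xformsw    *tdb_xform;             /* Transform to use */
        const struct enc_xform  *tdb_encalgxform;       /* Enc algorithm */
        const struct auth_hash  *tdb_authalgxform;      /* Auth algorithm */
        const struct comp_algo  *tdb_compalgxform;      /* Compression algo */

/* tdb_flags bits */
#define TDBF_UNIQUE             0x00001 /* This should not be used by others */
#define TDBF_TIMER              0x00002 /* Absolute expiration timer in use */
#define TDBF_BYTES              0x00004 /* Check the byte counters */
#define TDBF_ALLOCATIONS        0x00008 /* Check the flows counters */
#define TDBF_INVALID            0x00010 /* This SPI is not valid yet/anymore */
#define TDBF_FIRSTUSE           0x00020 /* Expire after first use */
#define TDBF_DELETED            0x00040 /* This TDB has already been deleted */
#define TDBF_SOFT_TIMER         0x00080 /* Soft expiration */
#define TDBF_SOFT_BYTES         0x00100 /* Soft expiration */
#define TDBF_SOFT_ALLOCATIONS   0x00200 /* Soft expiration */
#define TDBF_SOFT_FIRSTUSE      0x00400 /* Soft expiration */
#define TDBF_PFS                0x00800 /* Ask for PFS from Key Mgmt. */
#define TDBF_TUNNELING          0x01000 /* Force IP-IP encapsulation */
#define TDBF_USEDTUNNEL         0x10000 /* Appended a tunnel header in past */
#define TDBF_UDPENCAP           0x20000 /* UDP encapsulation */
#define TDBF_PFSYNC             0x40000 /* TDB will be synced */
#define TDBF_PFSYNC_RPL         0x80000 /* Replay counter should be bumped */
#define TDBF_ESN                0x100000 /* 64-bit sequence numbers (ESN) */
#define TDBF_PFSYNC_SNAPPED     0x200000 /* entry is being dispatched to peer */

/*
 * Bit names for the kernel %b format: after the leading byte, each entry
 * is the 1-based bit number (as an octal escape) followed by its name.
 * Keep in sync with the TDBF_* list above; bit 22 (TDBF_PFSYNC_SNAPPED)
 * was previously missing from this string.
 */
#define TDBF_BITS ("\2" \
        "\1UNIQUE\2TIMER\3BYTES\4ALLOCATIONS" \
        "\5INVALID\6FIRSTUSE\7DELETED\10SOFT_TIMER" \
        "\11SOFT_BYTES\12SOFT_ALLOCATIONS\13SOFT_FIRSTUSE\14PFS" \
        "\15TUNNELING" \
        "\21USEDTUNNEL\22UDPENCAP\23PFSYNC\24PFSYNC_RPL" \
        "\25ESN\26PFSYNC_SNAPPED")

        u_int32_t       tdb_flags;      /* [m] Flags related to this TDB */

        /* One timeout per expiration kind (hard/soft x absolute/first-use). */
        struct timeout  tdb_timer_tmo;
        struct timeout  tdb_first_tmo;
        struct timeout  tdb_stimer_tmo;
        struct timeout  tdb_sfirst_tmo;

        u_int32_t       tdb_seq;                /* Tracking number for PFKEY */
        u_int32_t       tdb_exp_allocations;    /* Expire after so many flows */
        u_int32_t       tdb_soft_allocations;   /* Expiration warning */
        u_int32_t       tdb_cur_allocations;    /* Total number of allocs */

        u_int64_t       tdb_exp_bytes;  /* Expire after so many bytes passed */
        u_int64_t       tdb_soft_bytes; /* Expiration warning */
        u_int64_t       tdb_cur_bytes;  /* Current count of bytes */

        u_int64_t       tdb_exp_timeout;        /* When does the SPI expire */
        u_int64_t       tdb_soft_timeout;       /* Send soft-expire warning */
        u_int64_t       tdb_established;        /* When was SPI established */

        u_int64_t       tdb_first_use;          /* When was it first used */
        u_int64_t       tdb_soft_first_use;     /* Soft warning */
        u_int64_t       tdb_exp_first_use;      /* Expire if tdb_first_use +
                                                 * tdb_exp_first_use <= curtime
                                                 */

        u_int64_t       tdb_last_used;  /* When was this SA last used */
        u_int64_t       tdb_last_marked;/* Last SKIPCRYPTO status change */

        struct cpumem   *tdb_counters;  /* stats about this TDB (enum tdb_counters) */

        u_int64_t       tdb_cryptoid;   /* Crypto session ID */

        u_int32_t       tdb_spi;        /* [I] SPI */
        u_int16_t       tdb_amxkeylen;  /* Raw authentication key length */
        u_int16_t       tdb_emxkeylen;  /* Raw encryption key length */
        u_int16_t       tdb_ivlen;      /* IV length */
        u_int8_t        tdb_sproto;     /* [I] IPsec protocol */
        u_int8_t        tdb_wnd;        /* Replay window; 8-bit, so at most 255 --
                                         * tdb_seen below is sized by TDB_REPLAYMAX,
                                         * not by this field; see checkreplaywindow() */
        u_int8_t        tdb_satype;     /* SA type (RFC2367, PF_KEY) */
        u_int8_t        tdb_updates;    /* pfsync update counter */

        union sockaddr_union    tdb_dst;        /* [N] Destination address */
        union sockaddr_union    tdb_src;        /* [N] Source address */

        /*
         * Raw key material (lengths above).  Sensitive: presumably cleared
         * and released by the transform's xf_zeroize hook on teardown --
         * confirm in the xform implementations.
         */
        u_int8_t        *tdb_amxkey;    /* Raw authentication key */
        u_int8_t        *tdb_emxkey;    /* Raw encryption key */

/* Anti-replay bitmap size in bits: window plus slack for out-of-order packets. */
#define TDB_REPLAYWASTE 32
#define TDB_REPLAYMAX   (2100+TDB_REPLAYWASTE)

        u_int64_t       tdb_rpl;        /* Replay counter */
        u_int32_t       tdb_seen[howmany(TDB_REPLAYMAX, 32)]; /* Anti-replay window */

        u_int8_t        tdb_iv[4];      /* Used for HALF-IV ESP */

        struct ipsec_ids        *tdb_ids;       /* Src/Dst ID for this SA */
        int             tdb_ids_swapped;        /* XXX */

        u_int32_t       tdb_mtu;        /* MTU at this point in the chain */
        u_int64_t       tdb_mtutimeout; /* When to ignore this entry */

        u_int16_t       tdb_udpencap_port;      /* Peer UDP port */

        u_int16_t       tdb_tag;                /* Packet filter tag */
        u_int32_t       tdb_tap;                /* Alternate enc(4) interface */

        u_int           tdb_rdomain;            /* [I] Routing domain */
        u_int           tdb_rdomain_post;       /* [I] Change domain */

        struct sockaddr_encap   tdb_filter; /* What traffic is acceptable */
        struct sockaddr_encap   tdb_filtermask; /* And the mask */

        TAILQ_HEAD(tdb_policy_head, ipsec_policy) tdb_policy_head; /* [P] */
        TAILQ_ENTRY(tdb)        tdb_sync_entry; /* pfsync queue */
        TAILQ_ENTRY(tdb)        tdb_sync_snap;  /* pfsync snapshot */
};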
  445 
/*
 * Indices into a TDB's tdb_counters per-CPU store.  tdb_ncounters is the
 * count and must stay last.
 */
enum tdb_counters {
        tdb_ipackets,           /* Input IPsec packets */
        tdb_opackets,           /* Output IPsec packets */
        tdb_ibytes,             /* Input bytes */
        tdb_obytes,             /* Output bytes */
        tdb_idrops,             /* Dropped on input */
        tdb_odrops,             /* Dropped on output */
        tdb_idecompbytes,       /* Input bytes, decompressed */
        tdb_ouncompbytes,       /* Output bytes, uncompressed */
        tdb_ncounters           /* number of counters */
};
  457 
/* Bump per-SA counter c on tdb via counters_inc(); tdb must be non-NULL. */
static inline void
tdbstat_inc(struct tdb *tdb, enum tdb_counters c)
{
        counters_inc(tdb->tdb_counters, c);
}
  463 
/* Add v to per-SA counter c on tdb via counters_add(); tdb must be non-NULL. */
static inline void
tdbstat_add(struct tdb *tdb, enum tdb_counters c, uint64_t v)
{
        counters_add(tdb->tdb_counters, c, v);
}
  469 
/*
 * Account one packet of `bytes` bytes on tdb: pc is the packet counter, bc
 * the byte counter (see ipsecstat_pkt() for the global equivalent).
 */
static inline void
tdbstat_pkt(struct tdb *tdb, enum tdb_counters pc, enum tdb_counters bc,
    uint64_t bytes)
{
        counters_pkt(tdb->tdb_counters, pc, bc, bytes);
}
  476 
/*
 * The lookup key that identifies one TDB: SPI, destination, IPsec
 * protocol and routing domain (the same tuple gettdb() takes).
 */
struct tdb_ident {
        u_int32_t spi;
        union sockaddr_union dst;
        u_int8_t proto;
        u_int rdomain;
};
  483 
/*
 * Per-request context carried through asynchronous crypto processing.
 * It stores the TDB lookup tuple (tc_dst/tc_spi/tc_proto/tc_rdomain)
 * rather than a pointer, presumably so the TDB is re-looked-up when the
 * operation completes and a deleted SA is noticed -- confirm in the
 * *_input_cb paths.
 */
struct tdb_crypto {
        union sockaddr_union    tc_dst;
        u_int64_t               tc_rpl;         /* replay counter at submit time */
        u_int32_t               tc_spi;
        int                     tc_protoff;     /* offset of the protocol field */
        int                     tc_skip;        /* bytes to skip to the payload */
        u_int                   tc_rdomain;
        u_int8_t                tc_proto;
};
  493 
/*
 * Parameters handed to a transform's xf_init hook when an SA is set up:
 * algorithm identifiers plus pointers to the raw keys and their lengths.
 * Key ownership is not stated here; check tdb_init() / the xf_init
 * implementations for who copies and who frees.
 */
struct ipsecinit {
        u_int8_t        *ii_enckey;
        u_int8_t        *ii_authkey;
        u_int16_t       ii_enckeylen;
        u_int16_t       ii_authkeylen;
        u_int8_t        ii_encalg;
        u_int8_t        ii_authalg;
        u_int8_t        ii_compalg;
};
  503 
/*
 * xform IDs (xformsw xf_type).  4 is not defined in this file; do not
 * renumber existing entries, they are matched at runtime.
 */
#define XF_IP4          1       /* IP inside IP */
#define XF_AH           2       /* AH */
#define XF_ESP          3       /* ESP */
#define XF_TCPSIGNATURE 5       /* TCP MD5 Signature option, RFC 2385 */
#define XF_IPCOMP       6       /* IPCOMP */

/* xform attributes (xformsw xf_flags): which services the transform provides */
#define XFT_AUTH        0x0001  /* authentication / integrity */
#define XFT_CONF        0x0100  /* confidentiality */
#define XFT_COMP        0x1000  /* compression */

#define IPSEC_ZEROES_SIZE       256     /* Larger than an IP6 extension hdr. */
  517 
/*
 * Transform switch: the operations table for one IPsec transform
 * (XF_*).  A TDB points at its entry through tdb_xform.
 */
struct xformsw {
        u_short xf_type;                /* Unique ID of xform */
        u_short xf_flags;               /* flags (see below) */
        char    *xf_name;               /* human-readable name */
        int     (*xf_attach)(void);     /* called at config time */
        int     (*xf_init)(struct tdb *, const struct xformsw *,
                    struct ipsecinit *);        /* SA setup from keys/algorithms */
        int     (*xf_zeroize)(struct tdb *); /* termination: releases SA key state */
        int     (*xf_input)(struct mbuf **, struct tdb *, int, int);    /* inbound processing */
        int     (*xf_output)(struct mbuf *, struct tdb *, int, int);    /* outbound processing */
};
  529 
extern int ipsec_in_use;                /* non-zero once any SA/policy exists */
extern u_int64_t ipsec_last_added;
extern int encdebug;                    /* enable message reporting */
extern struct pool tdb_pool;            /* allocator backing tdb_alloc() */

/*
 * sysctl-tunable lifetime limits, seeded from the IPSEC_DEFAULT_* values.
 * NOTE(review): these are ints while the tdb_*_bytes/_timeout fields they
 * feed are 64-bit; presumably widened on assignment -- confirm in
 * tdb_init()/pfkey before relying on values above INT_MAX.
 */
extern int ipsec_keep_invalid;          /* lifetime of embryonic SAs (in sec) */
extern int ipsec_require_pfs;           /* use Perfect Forward Secrecy */
extern int ipsec_expire_acquire;        /* wait for security assoc. (in sec) */
extern int ipsec_soft_allocations;      /* flows/SA before renegotiation */
extern int ipsec_exp_allocations;       /* num. of flows/SA before it expires */
extern int ipsec_soft_bytes;            /* bytes/SA before renegotiation */
extern int ipsec_exp_bytes;             /* num of bytes/SA before it expires */
extern int ipsec_soft_timeout;          /* seconds/SA before renegotiation */
extern int ipsec_exp_timeout;           /* seconds/SA before it expires */
extern int ipsec_soft_first_use;        /* seconds between 1st asso & renego */
extern int ipsec_exp_first_use;         /* seconds between 1st asso & expire */
  546 
  547 /*
  548  * Names for IPsec sysctl objects
  549  */
/* Aliases for the IPCTL_* sysctl ids; the numeric value is in the comment. */
#define IPSEC_ENCDEBUG                  IPCTL_ENCDEBUG                  /* 12 */
#define IPSEC_STATS                     IPCTL_IPSEC_STATS               /* 13 */
#define IPSEC_EXPIRE_ACQUIRE            IPCTL_IPSEC_EXPIRE_ACQUIRE      /* 14 */
#define IPSEC_EMBRYONIC_SA_TIMEOUT      IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT/* 15 */
#define IPSEC_REQUIRE_PFS               IPCTL_IPSEC_REQUIRE_PFS         /* 16 */
#define IPSEC_SOFT_ALLOCATIONS          IPCTL_IPSEC_SOFT_ALLOCATIONS    /* 17 */
#define IPSEC_ALLOCATIONS               IPCTL_IPSEC_ALLOCATIONS         /* 18 */
#define IPSEC_SOFT_BYTES                IPCTL_IPSEC_SOFT_BYTES          /* 19 */
#define IPSEC_BYTES                     IPCTL_IPSEC_BYTES               /* 20 */
#define IPSEC_TIMEOUT                   IPCTL_IPSEC_TIMEOUT             /* 21 */
#define IPSEC_SOFT_TIMEOUT              IPCTL_IPSEC_SOFT_TIMEOUT        /* 22 */
#define IPSEC_SOFT_FIRSTUSE             IPCTL_IPSEC_SOFT_FIRSTUSE       /* 23 */
#define IPSEC_FIRSTUSE                  IPCTL_IPSEC_FIRSTUSE            /* 24 */
#define IPSEC_MAXID     25              /* one past the highest id above; bump when adding */
  564 
/* Default algorithm names (sysctl strings), seeded from IPSEC_DEFAULT_DEF_*. */
extern char ipsec_def_enc[];
extern char ipsec_def_auth[];
extern char ipsec_def_comp[];

/* Global list of all policies (ipo_list linkage). */
extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;

/* Global mutexes [D] and [P] from the lock legend at the top of the file. */
extern struct mutex tdb_sadb_mtx;
extern struct mutex ipo_tdb_mtx;
  573 
struct cryptop;

/* Misc. */
/* Format an address into the caller's buffer of the given size and return it. */
const char *ipsp_address(union sockaddr_union *, char *, socklen_t);
  578 
/* SPD tables: one radix tree per routing domain (the unsigned int argument). */
struct radix_node_head *spd_table_add(unsigned int);
struct radix_node_head *spd_table_get(unsigned int);
int spd_table_walk(unsigned int,
    int (*walker)(struct ipsec_policy *, void *, unsigned int), void *);
  584 
/*
 * TDB management routines.  The gettdb* lookups take (rdomain, spi, dst,
 * sproto); the *_dir variants add a reverse flag, which the non-_rev and
 * _rev macros fix to 0 and 1.  Returned TDB pointers are references and
 * must be dropped with tdb_unref().  The *_locked variants expect the
 * caller to already hold tdb_sadb_mtx.
 */
uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *,
                union sockaddr_union *, u_int8_t, int *);
struct  tdb *gettdb_dir(u_int, u_int32_t, union sockaddr_union *, u_int8_t, int);
#define gettdb(a,b,c,d)         gettdb_dir((a),(b),(c),(d),0)
#define gettdb_rev(a,b,c,d)     gettdb_dir((a),(b),(c),(d),1)
struct  tdb *gettdbbydst(u_int, union sockaddr_union *, u_int8_t,
                struct ipsec_ids *,
                struct sockaddr_encap *, struct sockaddr_encap *);
struct  tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t,
                struct ipsec_ids *,
                struct sockaddr_encap *, struct sockaddr_encap *);
struct  tdb *gettdbbysrcdst_dir(u_int, u_int32_t, union sockaddr_union *,
                union sockaddr_union *, u_int8_t, int);
#define gettdbbysrcdst(a,b,c,d,e) gettdbbysrcdst_dir((a),(b),(c),(d),(e),0)
#define gettdbbysrcdst_rev(a,b,c,d,e) gettdbbysrcdst_dir((a),(b),(c),(d),(e),1)
void    puttdb(struct tdb *);
void    puttdb_locked(struct tdb *);
void    tdb_delete(struct tdb *);
struct  tdb *tdb_alloc(u_int);
struct  tdb *tdb_ref(struct tdb *);
void    tdb_unref(struct tdb *);
void    tdb_free(struct tdb *);
int     tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
void    tdb_unlink(struct tdb *);
void    tdb_unlink_locked(struct tdb *);
void    tdb_cleanspd(struct tdb *);
void    tdb_unbundle(struct tdb *);
void    tdb_deltimeouts(struct tdb *);
int     tdb_walk(u_int, int (*)(struct tdb *, void *, int), void *);
void    tdb_printit(void *, int, int (*)(const char *, ...));
  616 
/*
 * Per-transform entry points, one set per XF_* id, matching the xformsw
 * hook signatures.  The *46_input functions are the protocol-switch
 * entries for the AH/ESP/IPCOMP protocol numbers; *_ctlinput handle ICMP
 * errors.  Bodies live in their respective ip_*.c files.
 */
/* XF_IP4 */
int     ipe4_attach(void);
int     ipe4_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
int     ipe4_zeroize(struct tdb *);
int     ipe4_input(struct mbuf **, struct tdb *, int, int);

/* XF_AH */
int     ah_attach(void);
int     ah_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
int     ah_zeroize(struct tdb *);
int     ah_input(struct mbuf **, struct tdb *, int, int);
int     ah_output(struct mbuf *, struct tdb *, int, int);
int     ah_sysctl(int *, u_int, void *, size_t *, void *, size_t);

int     ah46_input(struct mbuf **, int *, int, int);
void    ah4_ctlinput(int, struct sockaddr *, u_int, void *);
void    udpencap_ctlinput(int, struct sockaddr *, u_int, void *);

/* XF_ESP */
int     esp_attach(void);
int     esp_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
int     esp_zeroize(struct tdb *);
int     esp_input(struct mbuf **, struct tdb *, int, int);
int     esp_output(struct mbuf *, struct tdb *, int, int);
int     esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);

int     esp46_input(struct mbuf **, int *, int, int);
void    esp4_ctlinput(int, struct sockaddr *, u_int, void *);

/* XF_IPCOMP */
int     ipcomp_attach(void);
int     ipcomp_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
int     ipcomp_zeroize(struct tdb *);
int     ipcomp_input(struct mbuf **, struct tdb *, int, int);
int     ipcomp_output(struct mbuf *, struct tdb *, int, int);
int     ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
int     ipcomp46_input(struct mbuf **, int *, int, int);

/* XF_TCPSIGNATURE */
int     tcp_signature_tdb_attach(void);
int     tcp_signature_tdb_init(struct tdb *, const struct xformsw *,
            struct ipsecinit *);
int     tcp_signature_tdb_zeroize(struct tdb *);
int     tcp_signature_tdb_input(struct mbuf **, struct tdb *, int, int);
int     tcp_signature_tdb_output(struct mbuf *, struct tdb *, int, int);
  662 
/*
 * Replay window.  Anti-replay check against tdb_rpl/tdb_seen; the meaning
 * of the sequence, output-pointer and flag arguments is not visible here
 * -- see the definition in ip_ipsp.c before calling it.
 */
int     checkreplaywindow(struct tdb *, u_int64_t, u_int32_t, u_int32_t *, int);

/*
 * Packet processing.  ipsp_spd_lookup() consults the SPD for a packet and
 * may return a TDB through its struct tdb ** argument; ipsp_ids_insert()
 * and ipsp_ids_lookup() return references that pair with ipsp_ids_free().
 */
int     ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
int     ipsp_process_done(struct mbuf *, struct tdb *);
int     ipsp_spd_lookup(struct mbuf *, int, int, int, struct tdb *,
            struct inpcb *, struct tdb **, struct ipsec_ids *);
int     ipsp_is_unspecified(union sockaddr_union);
int     ipsp_aux_match(struct tdb *, struct ipsec_ids *,
            struct sockaddr_encap *, struct sockaddr_encap *);
int     ipsp_ids_match(struct ipsec_ids *, struct ipsec_ids *);
struct ipsec_ids *ipsp_ids_insert(struct ipsec_ids *);
struct ipsec_ids *ipsp_ids_lookup(u_int32_t);
void    ipsp_ids_free(struct ipsec_ids *);

/*
 * Initialisation, sysctl, and the common inbound path shared by the
 * transforms.  ipsec_forward_check()/ipsec_local_check() are the policy
 * checks applied to forwarded and locally delivered packets.
 */
void    ipsp_init(void);
void    ipsec_init(void);
int     ipsec_sysctl(int *, u_int, void *, size_t *, void *, size_t);
int     ipsec_common_input(struct mbuf **, int, int, int, int, int);
int     ipsec_common_input_cb(struct mbuf **, struct tdb *, int, int);
int     ipsec_input_disabled(struct mbuf **, int *, int, int);
int     ipsec_protoff(struct mbuf *, int, int);
int     ipsec_delete_policy(struct ipsec_policy *);
ssize_t ipsec_hdrsz(struct tdb *);
void    ipsec_adjust_mtu(struct mbuf *, u_int32_t);
void    ipsec_set_mtu(struct tdb *, u_int32_t);
struct  ipsec_acquire *ipsec_get_acquire(u_int32_t);
void    ipsec_unref_acquire(struct ipsec_acquire *);
int     ipsec_forward_check(struct mbuf *, int, int);
int     ipsec_local_check(struct mbuf *, int, int, int);
  694 
  695 #endif /* _KERNEL */
  696 #endif /* _NETINET_IPSP_H_ */
