#include <sys/types.h>
#include <sys/tree.h>
#include <sys/queue.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <limits.h>
#include <imsg.h>
#include <openssl/evp.h>
#include "types.h"
#include "dh.h"
#define MAXIMUM(a,b) (((a)>(b))?(a):(b))
#define MINIMUM(a,b) (((a)<(b))?(a):(b))
#define roundup(x, y) ((((x)+((y)-1))/(y))*(y))
#ifndef IKED_H
#define IKED_H
struct ike_header {
uint64_t ike_ispi;
uint64_t ike_rspi;
uint8_t ike_nextpayload;
uint8_t ike_version;
uint8_t ike_exchange;
uint8_t ike_flags;
uint32_t ike_msgid;
uint32_t ike_length;
} __packed;
struct imsgev {
struct imsgbuf ibuf;
void (*handler)(int, short, void *);
struct event ev;
struct privsep_proc *proc;
void *data;
short events;
const char *name;
};
#define IMSG_SIZE_CHECK(imsg, p) do { \
if (IMSG_DATA_SIZE(imsg) < sizeof(*p)) \
fatalx("bad length imsg received"); \
} while (0)
#define IMSG_DATA_SIZE(imsg) ((imsg)->hdr.len - IMSG_HEADER_SIZE)
#define IKED_ADDR_EQ(_a, _b) \
((_a)->addr_mask == (_b)->addr_mask && \
sockaddr_cmp((struct sockaddr *)&(_a)->addr, \
(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) == 0)
#define IKED_ADDR_NEQ(_a, _b) \
((_a)->addr_mask != (_b)->addr_mask || \
sockaddr_cmp((struct sockaddr *)&(_a)->addr, \
(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) != 0)
struct control_sock {
const char *cs_name;
struct event cs_ev;
struct event cs_evt;
int cs_fd;
int cs_restricted;
void *cs_env;
};
struct ctl_conn {
TAILQ_ENTRY(ctl_conn) entry;
uint8_t flags;
#define CTL_CONN_NOTIFY 0x01
struct imsgev iev;
uint32_t peerid;
};
TAILQ_HEAD(ctl_connlist, ctl_conn);
extern enum privsep_procid privsep_process;
struct iked_timer {
struct event tmr_ev;
struct iked *tmr_env;
void (*tmr_cb)(struct iked *, void *);
void *tmr_cbarg;
};
struct iked_spi {
uint64_t spi;
uint8_t spi_size;
uint8_t spi_protoid;
};
struct iked_proposal {
uint8_t prop_id;
uint8_t prop_protoid;
struct iked_spi prop_localspi;
struct iked_spi prop_peerspi;
struct iked_transform *prop_xforms;
unsigned int prop_nxforms;
TAILQ_ENTRY(iked_proposal) prop_entry;
};
TAILQ_HEAD(iked_proposals, iked_proposal);
struct iked_addr {
int addr_af;
struct sockaddr_storage addr;
uint8_t addr_mask;
int addr_net;
in_port_t addr_port;
};
struct iked_ts {
struct iked_addr ts_addr;
uint8_t ts_ipproto;
TAILQ_ENTRY(iked_ts) ts_entry;
};
TAILQ_HEAD(iked_tss, iked_ts);
struct iked_flow {
struct iked_addr flow_src;
struct iked_addr flow_dst;
unsigned int flow_dir;
int flow_rdomain;
struct iked_addr flow_prenat;
int flow_fixed;
unsigned int flow_loaded;
uint8_t flow_saproto;
uint8_t flow_ipproto;
struct iked_addr *flow_local;
struct iked_addr *flow_peer;
struct iked_sa *flow_ikesa;
RB_ENTRY(iked_flow) flow_node;
TAILQ_ENTRY(iked_flow) flow_entry;
};
RB_HEAD(iked_flows, iked_flow);
TAILQ_HEAD(iked_saflows, iked_flow);
struct iked_childsa {
uint8_t csa_saproto;
unsigned int csa_dir;
uint64_t csa_peerspi;
uint8_t csa_loaded;
uint8_t csa_rekey;
uint8_t csa_allocated;
uint8_t csa_persistent;
uint8_t csa_esn;
uint8_t csa_transport;
struct iked_spi csa_spi;
struct ibuf *csa_encrkey;
uint16_t csa_encrid;
struct ibuf *csa_integrkey;
uint16_t csa_integrid;
struct iked_addr *csa_local;
struct iked_addr *csa_peer;
struct iked_sa *csa_ikesa;
struct iked_childsa *csa_peersa;
struct iked_childsa *csa_bundled;
uint16_t csa_pfsgrpid;
RB_ENTRY(iked_childsa) csa_node;
TAILQ_ENTRY(iked_childsa) csa_entry;
};
RB_HEAD(iked_activesas, iked_childsa);
TAILQ_HEAD(iked_childsas, iked_childsa);
struct iked_static_id {
uint8_t id_type;
uint8_t id_length;
uint8_t id_offset;
uint8_t id_data[IKED_ID_SIZE];
};
struct iked_auth {
uint8_t auth_method;
uint8_t auth_length;
uint16_t auth_eap;
uint8_t auth_data[IKED_PSK_SIZE];
};
struct iked_cfg {
uint8_t cfg_action;
uint16_t cfg_type;
union {
struct iked_addr address;
} cfg;
};
TAILQ_HEAD(iked_sapeers, iked_sa);
struct iked_lifetime {
uint64_t lt_bytes;
uint64_t lt_seconds;
};
struct iked_policy {
unsigned int pol_id;
char pol_name[IKED_ID_SIZE];
unsigned int pol_iface;
#define IKED_SKIP_FLAGS 0
#define IKED_SKIP_AF 1
#define IKED_SKIP_SRC_ADDR 2
#define IKED_SKIP_DST_ADDR 3
#define IKED_SKIP_COUNT 4
struct iked_policy *pol_skip[IKED_SKIP_COUNT];
unsigned int pol_flags;
#define IKED_POLICY_PASSIVE 0x000
#define IKED_POLICY_DEFAULT 0x001
#define IKED_POLICY_ACTIVE 0x002
#define IKED_POLICY_REFCNT 0x004
#define IKED_POLICY_QUICK 0x008
#define IKED_POLICY_SKIP 0x010
#define IKED_POLICY_IPCOMP 0x020
#define IKED_POLICY_TRANSPORT 0x040
#define IKED_POLICY_ROUTING 0x080
#define IKED_POLICY_NATT_FORCE 0x100
int pol_refcnt;
uint8_t pol_certreqtype;
int pol_af;
int pol_rdomain;
uint8_t pol_saproto;
unsigned int pol_ipproto[IKED_IPPROTO_MAX];
unsigned int pol_nipproto;
struct iked_addr pol_peer;
struct iked_static_id pol_peerid;
uint32_t pol_peerdh;
struct iked_addr pol_local;
struct iked_static_id pol_localid;
struct iked_auth pol_auth;
char pol_tag[IKED_TAG_SIZE];
unsigned int pol_tap;
struct iked_proposals pol_proposals;
size_t pol_nproposals;
struct iked_flows pol_flows;
size_t pol_nflows;
struct iked_tss pol_tssrc;
size_t pol_tssrc_count;
struct iked_tss pol_tsdst;
size_t pol_tsdst_count;
struct iked_cfg pol_cfg[IKED_CFG_MAX];
unsigned int pol_ncfg;
uint32_t pol_rekey;
struct iked_lifetime pol_lifetime;
struct iked_sapeers pol_sapeers;
TAILQ_ENTRY(iked_policy) pol_entry;
};
TAILQ_HEAD(iked_policies, iked_policy);
struct iked_hash {
uint8_t hash_type;
uint16_t hash_id;
const void *hash_priv;
void *hash_ctx;
int hash_fixedkey;
struct ibuf *hash_key;
size_t hash_length;
size_t hash_trunc;
struct iked_hash *hash_prf;
int hash_isaead;
};
struct iked_cipher {
uint8_t encr_type;
uint16_t encr_id;
const void *encr_priv;
void *encr_ctx;
int encr_fixedkey;
struct ibuf *encr_key;
struct ibuf *encr_iv;
uint64_t encr_civ;
size_t encr_ivlength;
size_t encr_length;
size_t encr_saltlength;
uint16_t encr_authid;
};
struct iked_dsa {
uint8_t dsa_method;
const void *dsa_priv;
void *dsa_ctx;
struct ibuf *dsa_keydata;
void *dsa_key;
int dsa_hmac;
int dsa_sign;
uint32_t dsa_flags;
};
struct iked_id {
uint8_t id_type;
uint8_t id_offset;
struct ibuf *id_buf;
};
#define IKED_REQ_CERT 0x0001
#define IKED_REQ_CERTVALID 0x0002
#define IKED_REQ_CERTREQ 0x0004
#define IKED_REQ_AUTH 0x0008
#define IKED_REQ_AUTHVALID 0x0010
#define IKED_REQ_SA 0x0020
#define IKED_REQ_EAPVALID 0x0040
#define IKED_REQ_CHILDSA 0x0080
#define IKED_REQ_INF 0x0100
#define IKED_REQ_BITS \
"\20\01CERT\02CERTVALID\03CERTREQ\04AUTH\05AUTHVALID\06SA\07EAPVALID" \
"\10CHILDSA\11INF"
TAILQ_HEAD(iked_msgqueue, iked_msg_retransmit);
TAILQ_HEAD(iked_msg_fragqueue, iked_message);
struct iked_sahdr {
uint64_t sh_ispi;
uint64_t sh_rspi;
unsigned int sh_initiator;
} __packed;
struct iked_kex {
struct ibuf *kex_inonce;
struct ibuf *kex_rnonce;
struct dh_group *kex_dhgroup;
struct ibuf *kex_dhiexchange;
struct ibuf *kex_dhrexchange;
struct ibuf *kex_dhpeer;
};
struct iked_frag_entry {
uint8_t *frag_data;
size_t frag_size;
};
struct iked_frag {
struct iked_frag_entry **frag_arr;
size_t frag_count;
#define IKED_FRAG_TOTAL_MAX 111
size_t frag_total;
size_t frag_total_size;
uint8_t frag_nextpayload;
};
struct iked_ipcomp {
uint16_t ic_cpi_out;
uint16_t ic_cpi_in;
uint8_t ic_transform;
};
struct iked_sastats {
uint64_t sas_ipackets;
uint64_t sas_opackets;
uint64_t sas_ibytes;
uint64_t sas_obytes;
uint64_t sas_idrops;
uint64_t sas_odrops;
};
struct iked_sa {
struct iked_sahdr sa_hdr;
uint32_t sa_msgid;
int sa_msgid_set;
uint32_t sa_msgid_current;
uint32_t sa_reqid;
int sa_type;
#define IKED_SATYPE_LOOKUP 0
#define IKED_SATYPE_LOCAL 1
struct iked_addr sa_peer;
struct iked_addr sa_peer_loaded;
struct iked_addr sa_local;
int sa_fd;
struct iked_frag sa_fragments;
int sa_natt;
int sa_udpencap;
int sa_usekeepalive;
int sa_state;
unsigned int sa_stateflags;
unsigned int sa_stateinit;
unsigned int sa_statevalid;
int sa_cp;
struct iked_addr *sa_cp_addr;
struct iked_addr *sa_cp_addr6;
struct iked_addr *sa_cp_dns;
struct iked_policy *sa_policy;
struct timeval sa_timecreated;
struct timeval sa_timeused;
char *sa_tag;
const char *sa_reason;
struct iked_kex sa_kex;
#define sa_inonce sa_kex.kex_inonce
#define sa_rnonce sa_kex.kex_rnonce
#define sa_dhgroup sa_kex.kex_dhgroup
#define sa_dhiexchange sa_kex.kex_dhiexchange
#define sa_dhrexchange sa_kex.kex_dhrexchange
#define sa_dhpeer sa_kex.kex_dhpeer
struct iked_hash *sa_prf;
struct iked_hash *sa_integr;
struct iked_cipher *sa_encr;
struct ibuf *sa_key_d;
struct ibuf *sa_key_iauth;
struct ibuf *sa_key_rauth;
struct ibuf *sa_key_iencr;
struct ibuf *sa_key_rencr;
struct ibuf *sa_key_iprf;
struct ibuf *sa_key_rprf;
struct ibuf *sa_1stmsg;
struct ibuf *sa_2ndmsg;
struct iked_id sa_localauth;
struct iked_id sa_peerauth;
int sa_sigsha2;
#define IKED_SCERT_MAX 3
struct iked_id sa_iid;
struct iked_id sa_rid;
struct iked_id sa_icert;
struct iked_id sa_rcert;
struct iked_id sa_scert[IKED_SCERT_MAX];
#define IKESA_SRCID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_iid : &(x)->sa_rid)
#define IKESA_DSTID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_rid : &(x)->sa_iid)
char *sa_eapid;
struct iked_id sa_eap;
struct ibuf *sa_eapmsk;
struct ibuf *sa_eapclass;
struct iked_proposals sa_proposals;
struct iked_childsas sa_childsas;
struct iked_saflows sa_flows;
struct iked_sastats sa_stats;
struct iked_sa *sa_nexti;
struct iked_sa *sa_previ;
struct iked_sa *sa_nextr;
struct iked_sa *sa_prevr;
uint64_t sa_rekeyspi;
struct ibuf *sa_simult;
struct iked_ipcomp sa_ipcompi;
struct iked_ipcomp sa_ipcompr;
int sa_mobike;
int sa_frag;
int sa_use_transport_mode;
int sa_used_transport_mode;
struct iked_timer sa_timer;
#define IKED_IKE_SA_EXCHANGE_TIMEOUT 300
#define IKED_IKE_SA_REKEY_TIMEOUT 120
#define IKED_IKE_SA_DELETE_TIMEOUT 120
#define IKED_IKE_SA_ALIVE_TIMEOUT 60
struct iked_timer sa_keepalive;
#define IKED_IKE_SA_KEEPALIVE_TIMEOUT 20
struct iked_timer sa_rekey;
int sa_tmpfail;
struct iked_msgqueue sa_requests;
#define IKED_RETRANSMIT_TIMEOUT 2
struct iked_msgqueue sa_responses;
#define IKED_RESPONSE_TIMEOUT 120
TAILQ_ENTRY(iked_sa) sa_peer_entry;
RB_ENTRY(iked_sa) sa_entry;
RB_ENTRY(iked_sa) sa_dstid_entry;
int sa_dstid_entry_valid;
struct iked_addr *sa_addrpool;
RB_ENTRY(iked_sa) sa_addrpool_entry;
struct iked_addr *sa_addrpool6;
RB_ENTRY(iked_sa) sa_addrpool6_entry;
time_t sa_last_recvd;
#define IKED_IKE_SA_LAST_RECVD_TIMEOUT 300
struct timespec sa_starttime;
struct iked_radserver_req *sa_radreq;
struct iked_addr *sa_rad_addr;
struct iked_addr *sa_rad_addr6;
};
RB_HEAD(iked_sas, iked_sa);
RB_HEAD(iked_dstid_sas, iked_sa);
RB_HEAD(iked_addrpool, iked_sa);
RB_HEAD(iked_addrpool6, iked_sa);
struct iked_stats {
uint64_t ikes_sa_created;
uint64_t ikes_sa_established_total;
uint64_t ikes_sa_established_current;
uint64_t ikes_sa_established_failures;
uint64_t ikes_sa_proposals_negotiate_failures;
uint64_t ikes_sa_rekeyed;
uint64_t ikes_sa_removed;
uint64_t ikes_csa_created;
uint64_t ikes_csa_removed;
uint64_t ikes_msg_sent;
uint64_t ikes_msg_send_failures;
uint64_t ikes_msg_rcvd;
uint64_t ikes_msg_rcvd_busy;
uint64_t ikes_msg_rcvd_dropped;
uint64_t ikes_retransmit_request;
uint64_t ikes_retransmit_response;
uint64_t ikes_retransmit_limit;
uint64_t ikes_frag_sent;
uint64_t ikes_frag_send_failures;
uint64_t ikes_frag_rcvd;
uint64_t ikes_frag_rcvd_drop;
uint64_t ikes_frag_reass_ok;
uint64_t ikes_frag_reass_drop;
uint64_t ikes_update_addresses_sent;
uint64_t ikes_dpd_sent;
uint64_t ikes_keepalive_sent;
};
#define ikestat_add(env, c, n) do { env->sc_stats.c += (n); } while(0)
#define ikestat_inc(env, c) ikestat_add(env, c, 1)
#define ikestat_dec(env, c) ikestat_add(env, c, -1)
struct iked_certreq {
struct ibuf *cr_data;
uint8_t cr_type;
SIMPLEQ_ENTRY(iked_certreq) cr_entry;
};
SIMPLEQ_HEAD(iked_certreqs, iked_certreq);
#define EAP_STATE_IDENTITY (1)
#define EAP_STATE_MSCHAPV2_CHALLENGE (2)
#define EAP_STATE_MSCHAPV2_SUCCESS (3)
#define EAP_STATE_SUCCESS (4)
struct eap_msg {
char *eam_identity;
char *eam_user;
int eam_type;
uint8_t eam_id;
uint8_t eam_msrid;
int eam_success;
int eam_found;
int eam_response;
uint8_t eam_challenge[16];
uint8_t eam_ntresponse[24];
uint32_t eam_state;
};
struct iked_message {
struct ibuf *msg_data;
size_t msg_offset;
struct sockaddr_storage msg_local;
socklen_t msg_locallen;
struct sockaddr_storage msg_peer;
socklen_t msg_peerlen;
struct iked_socket *msg_sock;
int msg_fd;
int msg_response;
int msg_responded;
int msg_valid;
int msg_natt;
int msg_natt_rcvd;
int msg_nat_detected;
int msg_error;
int msg_e;
struct iked_message *msg_parent;
struct iked_policy *msg_policy;
struct iked_sa *msg_sa;
uint32_t msg_msgid;
uint8_t msg_exchange;
struct iked_proposals msg_proposals;
struct iked_certreqs msg_certreqs;
struct iked_spi msg_rekey;
struct ibuf *msg_nonce;
uint16_t msg_dhgroup;
struct ibuf *msg_ke;
struct iked_id msg_auth;
struct iked_id msg_peerid;
struct iked_id msg_localid;
struct iked_id msg_cert;
struct iked_id msg_scert[IKED_SCERT_MAX];
struct ibuf *msg_cookie;
uint16_t msg_group;
uint16_t msg_cpi;
uint8_t msg_transform;
uint16_t msg_flags;
struct eap_msg msg_eap;
struct ibuf *msg_eapmsg;
size_t msg_del_spisize;
size_t msg_del_cnt;
struct ibuf *msg_del_buf;
int msg_del_protoid;
int msg_cp;
struct iked_addr *msg_cp_addr;
struct iked_addr *msg_cp_addr6;
struct iked_addr *msg_cp_dns;
uint16_t msg_frag_num;
int msg_update_sa_addresses;
struct ibuf *msg_cookie2;
struct iked_proposal *msg_prop;
uint16_t msg_attrlength;
TAILQ_ENTRY(iked_message)
msg_entry;
};
struct iked_msg_retransmit {
struct iked_msg_fragqueue mrt_frags;
TAILQ_ENTRY(iked_msg_retransmit) mrt_entry;
struct iked_timer mrt_timer;
int mrt_tries;
#define IKED_RETRANSMIT_TRIES 5
};
#define IKED_MSG_NAT_SRC_IP 0x01
#define IKED_MSG_NAT_DST_IP 0x02
#define IKED_MSG_FLAGS_FRAGMENTATION 0x0001
#define IKED_MSG_FLAGS_MOBIKE 0x0002
#define IKED_MSG_FLAGS_SIGSHA2 0x0004
#define IKED_MSG_FLAGS_CHILD_SA_NOT_FOUND 0x0008
#define IKED_MSG_FLAGS_NO_ADDITIONAL_SAS 0x0010
#define IKED_MSG_FLAGS_AUTHENTICATION_FAILED 0x0020
#define IKED_MSG_FLAGS_INVALID_KE 0x0040
#define IKED_MSG_FLAGS_IPCOMP_SUPPORTED 0x0080
#define IKED_MSG_FLAGS_USE_TRANSPORT 0x0100
#define IKED_MSG_FLAGS_TEMPORARY_FAILURE 0x0200
#define IKED_MSG_FLAGS_NO_PROPOSAL_CHOSEN 0x0400
struct iked_user {
char usr_name[LOGIN_NAME_MAX];
char usr_pass[IKED_PASSWORD_SIZE];
RB_ENTRY(iked_user) usr_entry;
};
RB_HEAD(iked_users, iked_user);
struct iked_radserver_req;
struct iked_radserver {
int rs_sock;
int rs_accounting;
struct event rs_ev;
struct iked *rs_env;
struct sockaddr_storage rs_sockaddr;
TAILQ_ENTRY(iked_radserver) rs_entry;
struct in_addr rs_nas_ipv4;
struct in6_addr rs_nas_ipv6;
unsigned int rs_reqseq;
TAILQ_HEAD(, iked_radserver_req) rs_reqs;
char rs_secret[];
};
TAILQ_HEAD(iked_radservers, iked_radserver);
struct iked_raddae {
int rd_sock;
struct event rd_ev;
struct iked *rd_env;
struct sockaddr_storage rd_sockaddr;
TAILQ_ENTRY(iked_raddae) rd_entry;
};
TAILQ_HEAD(iked_raddaes, iked_raddae);
struct iked_radclient {
struct iked *rc_env;
struct sockaddr_storage rc_sockaddr;
TAILQ_ENTRY(iked_radclient) rc_entry;
char rc_secret[];
};
TAILQ_HEAD(iked_radclients , iked_radclient);
struct iked_radopts {
int max_tries;
int max_failovers;
};
struct iked_radcfgmap {
uint16_t cfg_type;
uint32_t vendor_id;
uint8_t attr_type;
TAILQ_ENTRY(iked_radcfgmap) entry;
};
TAILQ_HEAD(iked_radcfgmaps, iked_radcfgmap);
extern const struct iked_radcfgmap radius_cfgmaps[];
struct iked_radserver_req {
struct iked_radserver *rr_server;
struct iked_sa *rr_sa;
struct iked_timer rr_timer;
int rr_reqid;
int rr_accounting;
struct timespec rr_accttime;
void *rr_reqpkt;
struct ibuf *rr_state;
char *rr_user;
int rr_ntry;
int rr_nfailover;
struct iked_cfg rr_cfg[IKED_CFG_MAX];
unsigned int rr_ncfg;
TAILQ_ENTRY(iked_radserver_req) rr_entry;
};
struct privsep_pipes {
int *pp_pipes[PROC_MAX];
};
struct privsep {
struct privsep_pipes *ps_pipes[PROC_MAX];
struct privsep_pipes *ps_pp;
struct imsgev *ps_ievs[PROC_MAX];
const char *ps_title[PROC_MAX];
pid_t ps_pid[PROC_MAX];
struct passwd *ps_pw;
int ps_noaction;
struct control_sock ps_csock;
unsigned int ps_instances[PROC_MAX];
unsigned int ps_ninstances;
unsigned int ps_instance;
struct event ps_evsigint;
struct event ps_evsigterm;
struct event ps_evsigchld;
struct event ps_evsighup;
struct event ps_evsigpipe;
struct event ps_evsigusr1;
struct iked *ps_env;
unsigned int ps_connecting;
void (*ps_connected)(struct privsep *);
};
struct privsep_proc {
const char *p_title;
enum privsep_procid p_id;
int (*p_cb)(int, struct privsep_proc *,
struct imsg *);
void (*p_init)(struct privsep *,
struct privsep_proc *);
const char *p_chroot;
struct passwd *p_pw;
struct privsep *p_ps;
void (*p_shutdown)(void);
};
struct privsep_fd {
enum privsep_procid pf_procid;
unsigned int pf_instance;
};
#define PROC_PARENT_SOCK_FILENO 3
#define PROC_MAX_INSTANCES 32
struct iked_ocsp_entry {
TAILQ_ENTRY(iked_ocsp_entry) ioe_entry;
void *ioe_ocsp;
};
TAILQ_HEAD(iked_ocsp_requests, iked_ocsp_entry);
enum natt_mode {
NATT_DEFAULT,
NATT_DISABLE,
NATT_FORCE,
};
struct iked_static {
uint64_t st_alive_timeout;
int st_cert_partial_chain;
int st_enforcesingleikesa;
uint8_t st_frag;
uint8_t st_mobike;
in_port_t st_nattport;
int st_stickyaddress;
int st_vendorid;
};
struct iked {
char sc_conffile[PATH_MAX];
uint32_t sc_opts;
enum natt_mode sc_nattmode;
uint8_t sc_passive;
uint8_t sc_decoupled;
struct iked_static sc_static;
#define sc_alive_timeout sc_static.st_alive_timeout
#define sc_cert_partial_chain sc_static.st_cert_partial_chain
#define sc_enforcesingleikesa sc_static.st_enforcesingleikesa
#define sc_frag sc_static.st_frag
#define sc_mobike sc_static.st_mobike
#define sc_nattport sc_static.st_nattport
#define sc_stickyaddress sc_static.st_stickyaddress
#define sc_vendorid sc_static.st_vendorid
struct iked_policies sc_policies;
struct iked_policy *sc_defaultcon;
struct iked_sas sc_sas;
struct iked_dstid_sas sc_dstid_sas;
struct iked_activesas sc_activesas;
struct iked_flows sc_activeflows;
struct iked_users sc_users;
struct iked_radopts sc_radauth;
struct iked_radopts sc_radacct;
int sc_radaccton;
struct iked_radservers sc_radauthservers;
struct iked_radservers sc_radacctservers;
struct iked_radcfgmaps sc_radcfgmaps;
struct iked_raddaes sc_raddaes;
struct iked_radclients sc_raddaeclients;
struct iked_stats sc_stats;
void *sc_priv;
int sc_pfkey;
struct event sc_pfkeyev;
struct event sc_routeev;
uint8_t sc_certreqtype;
struct ibuf *sc_certreq;
void *sc_vroute;
struct iked_socket *sc_sock4[2];
struct iked_socket *sc_sock6[2];
struct iked_timer sc_inittmr;
#define IKED_INITIATOR_INITIAL 2
#define IKED_INITIATOR_INTERVAL 60
struct privsep sc_ps;
struct iked_ocsp_requests sc_ocsp;
char *sc_ocsp_url;
long sc_ocsp_tolerate;
long sc_ocsp_maxage;
struct iked_addrpool sc_addrpool;
struct iked_addrpool6 sc_addrpool6;
};
struct iked_socket {
int sock_fd;
struct event sock_ev;
struct iked *sock_env;
struct sockaddr_storage sock_addr;
};
struct ipsec_xf {
const char *name;
unsigned int id;
unsigned int length;
unsigned int keylength;
unsigned int nonce;
unsigned int noauth;
};
struct ipsec_transforms {
const struct ipsec_xf **authxf;
unsigned int nauthxf;
const struct ipsec_xf **prfxf;
unsigned int nprfxf;
const struct ipsec_xf **encxf;
unsigned int nencxf;
const struct ipsec_xf **groupxf;
unsigned int ngroupxf;
const struct ipsec_xf **esnxf;
unsigned int nesnxf;
};
struct ipsec_mode {
struct ipsec_transforms **xfs;
unsigned int nxfs;
};
void parent_reload(struct iked *, int, const char *);
extern struct iked *iked_env;
void control(struct privsep *, struct privsep_proc *);
int control_init(struct privsep *, struct control_sock *);
int control_listen(struct control_sock *);
struct iked_policy *
config_new_policy(struct iked *);
void config_free_kex(struct iked_kex *);
void config_free_fragments(struct iked_frag *);
void config_free_sa(struct iked *, struct iked_sa *);
struct iked_sa *
config_new_sa(struct iked *, int);
struct iked_user *
config_new_user(struct iked *, struct iked_user *);
uint64_t
config_getspi(void);
struct iked_transform *
config_findtransform(struct iked_proposals *, uint8_t, unsigned int);
struct iked_transform *
config_findtransform_ext(struct iked_proposals *, uint8_t,int, unsigned int);
void config_free_policy(struct iked *, struct iked_policy *);
struct iked_proposal *
config_add_proposal(struct iked_proposals *, unsigned int,
unsigned int);
void config_free_proposal(struct iked_proposals *, struct iked_proposal *);
void config_free_proposals(struct iked_proposals *, unsigned int);
void config_free_flows(struct iked *, struct iked_flows *);
void config_free_childsas(struct iked *, struct iked_childsas *,
struct iked_spi *, struct iked_spi *);
int config_add_transform(struct iked_proposal *,
unsigned int, unsigned int, unsigned int, unsigned int);
int config_setcoupled(struct iked *, unsigned int);
int config_getcoupled(struct iked *, unsigned int);
int config_setmode(struct iked *, unsigned int);
int config_getmode(struct iked *, unsigned int);
int config_setreset(struct iked *, unsigned int, enum privsep_procid);
int config_getreset(struct iked *, struct imsg *);
int config_doreset(struct iked *, unsigned int);
int config_setpolicy(struct iked *, struct iked_policy *,
enum privsep_procid);
int config_getpolicy(struct iked *, struct imsg *);
int config_setflow(struct iked *, struct iked_policy *,
enum privsep_procid);
int config_getflow(struct iked *, struct imsg *);
int config_setsocket(struct iked *, struct sockaddr_storage *, in_port_t,
enum privsep_procid);
int config_getsocket(struct iked *env, struct imsg *,
void (*cb)(int, short, void *));
void config_enablesocket(struct iked *env);
int config_setpfkey(struct iked *);
int config_getpfkey(struct iked *, struct imsg *);
int config_setuser(struct iked *, struct iked_user *, enum privsep_procid);
int config_getuser(struct iked *, struct imsg *);
int config_setcompile(struct iked *, enum privsep_procid);
int config_getcompile(struct iked *);
int config_setocsp(struct iked *);
int config_getocsp(struct iked *, struct imsg *);
int config_setkeys(struct iked *);
int config_getkey(struct iked *, struct imsg *);
int config_setstatic(struct iked *);
int config_getstatic(struct iked *, struct imsg *);
int config_setradauth(struct iked *);
int config_getradauth(struct iked *, struct imsg *);
int config_setradacct(struct iked *);
int config_getradacct(struct iked *, struct imsg *);
int config_setradserver(struct iked *, struct sockaddr *, socklen_t,
char *, int);
int config_getradserver(struct iked *, struct imsg *);
int config_setradcfgmap(struct iked *, int, uint32_t, uint8_t);
int config_getradcfgmap(struct iked *, struct imsg *);
int config_setraddae(struct iked *, struct sockaddr *, socklen_t);
int config_getraddae(struct iked *, struct imsg *);
int config_setradclient(struct iked *, struct sockaddr *, socklen_t,
char *);
int config_getradclient(struct iked *, struct imsg *);
void policy_init(struct iked *);
int policy_lookup(struct iked *, struct iked_message *,
struct iked_proposals *, struct iked_flows *, int);
int policy_lookup_sa(struct iked *, struct iked_sa *);
struct iked_policy *
policy_test(struct iked *, struct iked_policy *);
int policy_generate_ts(struct iked_policy *);
void policy_calc_skip_steps(struct iked_policies *);
void policy_ref(struct iked *, struct iked_policy *);
void policy_unref(struct iked *, struct iked_policy *);
void sa_state(struct iked *, struct iked_sa *, int);
void sa_stateflags(struct iked_sa *, unsigned int);
int sa_stateok(const struct iked_sa *, int);
struct iked_sa *
sa_new(struct iked *, uint64_t, uint64_t, unsigned int,
struct iked_policy *);
void sa_free(struct iked *, struct iked_sa *);
void sa_free_flows(struct iked *, struct iked_saflows *);
int sa_configure_iface(struct iked *, struct iked_sa *, int);
int sa_address(struct iked_sa *, struct iked_addr *, struct sockaddr *);
void childsa_free(struct iked_childsa *);
struct iked_childsa *
childsa_lookup(struct iked_sa *, uint64_t, uint8_t);
void flow_free(struct iked_flow *);
int flow_equal(struct iked_flow *, struct iked_flow *);
struct iked_sa *
sa_lookup(struct iked *, uint64_t, uint64_t, unsigned int);
struct iked_user *
user_lookup(struct iked *, const char *);
struct iked_sa *
sa_dstid_lookup(struct iked *, struct iked_sa *);
struct iked_sa *
sa_dstid_insert(struct iked *, struct iked_sa *);
void sa_dstid_remove(struct iked *, struct iked_sa *);
int proposals_negotiate(struct iked_proposals *, struct iked_proposals *,
struct iked_proposals *, int, int);
RB_PROTOTYPE(iked_sas, iked_sa, sa_entry, sa_cmp);
RB_PROTOTYPE(iked_dstid_sas, iked_sa, sa_dstid_entry, sa_dstid_cmp);
RB_PROTOTYPE(iked_addrpool, iked_sa, sa_addrpool_entry, sa_addrpool_cmp);
RB_PROTOTYPE(iked_addrpool6, iked_sa, sa_addrpool6_entry, sa_addrpool6_cmp);
RB_PROTOTYPE(iked_users, iked_user, user_entry, user_cmp);
RB_PROTOTYPE(iked_activesas, iked_childsa, csa_node, childsa_cmp);
RB_PROTOTYPE(iked_flows, iked_flow, flow_node, flow_cmp);
struct iked_hash *
hash_new(uint8_t, uint16_t);
struct ibuf *
hash_setkey(struct iked_hash *, void *, size_t);
void hash_free(struct iked_hash *);
void hash_init(struct iked_hash *);
void hash_update(struct iked_hash *, void *, size_t);
void hash_final(struct iked_hash *, void *, size_t *);
size_t hash_keylength(struct iked_hash *);
size_t hash_length(struct iked_hash *);
struct iked_cipher *
cipher_new(uint8_t, uint16_t, uint16_t);
struct ibuf *
cipher_setkey(struct iked_cipher *, const void *, size_t);
struct ibuf *
cipher_setiv(struct iked_cipher *, const void *, size_t);
int cipher_settag(struct iked_cipher *, uint8_t *, size_t);
int cipher_gettag(struct iked_cipher *, uint8_t *, size_t);
void cipher_free(struct iked_cipher *);
int cipher_init(struct iked_cipher *, int);
int cipher_init_encrypt(struct iked_cipher *);
int cipher_init_decrypt(struct iked_cipher *);
void cipher_aad(struct iked_cipher *, const void *, size_t, size_t *);
int cipher_update(struct iked_cipher *, const void *, size_t, void *, size_t *);
int cipher_final(struct iked_cipher *);
size_t cipher_length(struct iked_cipher *);
size_t cipher_keylength(struct iked_cipher *);
size_t cipher_ivlength(struct iked_cipher *);
size_t cipher_outlength(struct iked_cipher *, size_t);
struct iked_dsa *
dsa_new(uint8_t, struct iked_hash *, int);
struct iked_dsa *
dsa_sign_new(uint8_t, struct iked_hash *);
struct iked_dsa *
dsa_verify_new(uint8_t, struct iked_hash *);
struct ibuf *
dsa_setkey(struct iked_dsa *, void *, size_t, uint8_t);
void dsa_free(struct iked_dsa *);
int dsa_init(struct iked_dsa *, const void *, size_t);
size_t dsa_prefix(struct iked_dsa *);
size_t dsa_length(struct iked_dsa *);
int dsa_update(struct iked_dsa *, const void *, size_t);
ssize_t dsa_sign_final(struct iked_dsa *, void *, size_t);
ssize_t dsa_verify_final(struct iked_dsa *, void *, size_t);
void vroute_init(struct iked *);
int vroute_setaddr(struct iked *, int, struct sockaddr *, int, unsigned int);
void vroute_cleanup(struct iked *);
int vroute_getaddr(struct iked *, struct imsg *);
int vroute_setdns(struct iked *, int, struct sockaddr *, unsigned int);
int vroute_getdns(struct iked *, struct imsg *);
int vroute_setaddroute(struct iked *, uint8_t, struct sockaddr *,
uint8_t, struct sockaddr *);
int vroute_setcloneroute(struct iked *, uint8_t, struct sockaddr *,
uint8_t, struct sockaddr *);
int vroute_setdelroute(struct iked *, uint8_t, struct sockaddr *,
uint8_t, struct sockaddr *);
int vroute_getroute(struct iked *, struct imsg *);
int vroute_getcloneroute(struct iked *, struct imsg *);
void ikev2(struct privsep *, struct privsep_proc *);
void ikev2_recv(struct iked *, struct iked_message *);
void ikev2_init_ike_sa(struct iked *, void *);
int ikev2_policy2id(struct iked_static_id *, struct iked_id *, int);
int ikev2_childsa_enable(struct iked *, struct iked_sa *);
int ikev2_childsa_delete(struct iked *, struct iked_sa *,
uint8_t, uint64_t, uint64_t *, int);
void ikev2_ikesa_recv_delete(struct iked *, struct iked_sa *);
void ikev2_ike_sa_timeout(struct iked *env, void *);
void ikev2_ike_sa_setreason(struct iked_sa *, char *);
void ikev2_reset_alive_timer(struct iked *);
int ikev2_ike_sa_delete(struct iked *, struct iked_sa *);
struct ibuf *
ikev2_prfplus(struct iked_hash *, struct ibuf *, struct ibuf *,
size_t);
ssize_t ikev2_psk(struct iked_sa *, uint8_t *, size_t, uint8_t **);
ssize_t ikev2_nat_detection(struct iked *, struct iked_message *,
void *, size_t, unsigned int, int);
void ikev2_enable_natt(struct iked *, struct iked_sa *,
struct iked_message *, int);
int ikev2_send_informational(struct iked *, struct iked_message *);
int ikev2_send_ike_e(struct iked *, struct iked_sa *, struct ibuf *,
uint8_t, uint8_t, int);
struct ike_header *
ikev2_add_header(struct ibuf *, struct iked_sa *,
uint32_t, uint8_t, uint8_t, uint8_t);
int ikev2_set_header(struct ike_header *, size_t);
struct ikev2_payload *
ikev2_add_payload(struct ibuf *);
int ikev2_next_payload(struct ikev2_payload *, size_t,
uint8_t);
int ikev2_child_sa_acquire(struct iked *, struct iked_flow *);
int ikev2_child_sa_drop(struct iked *, struct iked_spi *);
int ikev2_child_sa_rekey(struct iked *, struct iked_spi *);
void ikev2_disable_rekeying(struct iked *, struct iked_sa *);
int ikev2_print_id(struct iked_id *, char *, size_t);
int ikev2_print_static_id(struct iked_static_id *, char *, size_t);
const char *ikev2_ikesa_info(uint64_t, const char *msg);
#define SPI_IH(hdr) ikev2_ikesa_info(betoh64((hdr)->ike_ispi), NULL)
#define SPI_SH(sh, f) ikev2_ikesa_info((sh)->sh_ispi, (f))
#define SPI_SA(sa, f) SPI_SH(&(sa)->sa_hdr, (f))
void ikev2_msg_cb(int, short, void *);
struct ibuf *
ikev2_msg_init(struct iked *, struct iked_message *,
struct sockaddr_storage *, socklen_t,
struct sockaddr_storage *, socklen_t, int);
struct iked_message *
ikev2_msg_copy(struct iked *, struct iked_message *);
void ikev2_msg_cleanup(struct iked *, struct iked_message *);
uint32_t
ikev2_msg_id(struct iked *, struct iked_sa *);
struct ibuf
*ikev2_msg_auth(struct iked *, struct iked_sa *, int);
int ikev2_msg_authsign(struct iked *, struct iked_sa *,
struct iked_auth *, struct ibuf *);
int ikev2_msg_authverify(struct iked *, struct iked_sa *,
struct iked_auth *, uint8_t *, size_t, struct ibuf *);
int ikev2_msg_valid_ike_sa(struct iked *, struct ike_header *,
struct iked_message *);
int ikev2_msg_send(struct iked *, struct iked_message *);
int ikev2_msg_send_encrypt(struct iked *, struct iked_sa *,
struct ibuf **, uint8_t, uint8_t, int);
struct ibuf
*ikev2_msg_encrypt(struct iked *, struct iked_sa *, struct ibuf *,
struct ibuf *);
struct ibuf *
ikev2_msg_decrypt(struct iked *, struct iked_sa *,
struct ibuf *, struct ibuf *);
int ikev2_msg_integr(struct iked *, struct iked_sa *, struct ibuf *);
int ikev2_msg_frompeer(struct iked_message *);
struct iked_socket *
ikev2_msg_getsocket(struct iked *, int, int);
int ikev2_msg_enqueue(struct iked *, struct iked_msgqueue *,
struct iked_message *, int);
int ikev2_msg_retransmit_response(struct iked *, struct iked_sa *,
struct iked_message *, struct ike_header *);
void ikev2_msg_prevail(struct iked *, struct iked_msgqueue *,
struct iked_message *);
void ikev2_msg_dispose(struct iked *, struct iked_msgqueue *,
struct iked_msg_retransmit *);
void ikev2_msg_flushqueue(struct iked *, struct iked_msgqueue *);
struct iked_msg_retransmit *
ikev2_msg_lookup(struct iked *, struct iked_msgqueue *,
struct iked_message *, uint8_t);
int ikev2_pld_parse(struct iked *, struct ike_header *,
struct iked_message *, size_t);
int ikev2_pld_parse_quick(struct iked *, struct ike_header *,
struct iked_message *, size_t);
int eap_parse(struct iked *, const struct iked_sa *, struct iked_message*,
void *, int);
int eap_success(struct iked *, struct iked_sa *, int);
int eap_identity_request(struct iked *, struct iked_sa *);
int eap_mschap_challenge(struct iked *, struct iked_sa *, int, int,
uint8_t *, size_t);
int eap_mschap_success(struct iked *, struct iked_sa *, int);
int eap_challenge_request(struct iked *, struct iked_sa *, int);
int iked_radius_request(struct iked *, struct iked_sa *,
struct iked_message *);
void iked_radius_request_free(struct iked *, struct iked_radserver_req *);
void iked_radius_on_event(int, short, void *);
void iked_radius_acct_on(struct iked *);
void iked_radius_acct_off(struct iked *);
void iked_radius_acct_start(struct iked *, struct iked_sa *);
void iked_radius_acct_stop(struct iked *, struct iked_sa *);
void iked_radius_dae_on_event(int, short, void *);
int pfkey_couple(struct iked *, struct iked_sas *, int);
int pfkey_flow_add(struct iked *, struct iked_flow *);
int pfkey_flow_delete(struct iked *, struct iked_flow *);
int pfkey_sa_init(struct iked *, struct iked_childsa *, uint32_t *);
int pfkey_sa_add(struct iked *, struct iked_childsa *, struct iked_childsa *);
int pfkey_sa_update_addresses(struct iked *, struct iked_childsa *);
int pfkey_sa_delete(struct iked *, struct iked_childsa *);
int pfkey_sa_last_used(struct iked *, struct iked_childsa *, uint64_t *);
int pfkey_flush(struct iked *);
int pfkey_socket(struct iked *);
void pfkey_init(struct iked *, int fd);
void caproc(struct privsep *, struct privsep_proc *);
int ca_setreq(struct iked *, struct iked_sa *, struct iked_static_id *,
uint8_t, uint8_t, uint8_t *, size_t, enum privsep_procid);
int ca_setcert(struct iked *, struct iked_sahdr *, struct iked_id *,
uint8_t, uint8_t *, size_t, enum privsep_procid);
int ca_setauth(struct iked *, struct iked_sa *,
struct ibuf *, enum privsep_procid);
void ca_getkey(struct privsep *, struct iked_id *, enum imsg_type);
int ca_certbundle_add(struct ibuf *, struct iked_id *);
int ca_privkey_serialize(EVP_PKEY *, struct iked_id *);
int ca_pubkey_serialize(EVP_PKEY *, struct iked_id *);
void ca_sslerror(const char *);
char *ca_asn1_name(uint8_t *, size_t);
void *ca_x509_name_parse(char *);
void ca_cert_info(const char *, X509 *);
void timer_set(struct iked *, struct iked_timer *,
void (*)(struct iked *, void *), void *);
void timer_add(struct iked *, struct iked_timer *, int);
void timer_del(struct iked *, struct iked_timer *);
void proc_init(struct privsep *, struct privsep_proc *, unsigned int, int,
int, char **, enum privsep_procid);
void proc_kill(struct privsep *);
void proc_connect(struct privsep *, void (*)(struct privsep *));
void proc_dispatch(int, short event, void *);
void proc_run(struct privsep *, struct privsep_proc *,
struct privsep_proc *, unsigned int,
void (*)(struct privsep *, struct privsep_proc *, void *), void *);
void imsg_event_add(struct imsgev *);
int imsg_compose_event(struct imsgev *, uint16_t, uint32_t,
pid_t, int, void *, uint16_t);
int imsg_composev_event(struct imsgev *, uint16_t, uint32_t,
pid_t, int, const struct iovec *, int);
int proc_compose_imsg(struct privsep *, enum privsep_procid, int,
uint16_t, uint32_t, int, void *, uint16_t);
int proc_compose(struct privsep *, enum privsep_procid,
uint16_t, void *, uint16_t);
int proc_composev_imsg(struct privsep *, enum privsep_procid, int,
uint16_t, uint32_t, int, const struct iovec *, int);
int proc_composev(struct privsep *, enum privsep_procid,
uint16_t, const struct iovec *, int);
int proc_forward_imsg(struct privsep *, struct imsg *,
enum privsep_procid, int);
struct imsgbuf *
proc_ibuf(struct privsep *, enum privsep_procid, int);
struct imsgev *
proc_iev(struct privsep *, enum privsep_procid, int);
enum privsep_procid
proc_getid(struct privsep_proc *, unsigned int, const char *);
int proc_flush_imsg(struct privsep *, enum privsep_procid, int);
int socket_af(struct sockaddr *, in_port_t);
in_port_t
socket_getport(struct sockaddr *);
int socket_setport(struct sockaddr *, in_port_t);
int socket_getaddr(int, struct sockaddr_storage *);
int socket_bypass(int, struct sockaddr *);
int udp_bind(struct sockaddr *, in_port_t);
ssize_t sendtofrom(int, void *, size_t, int, struct sockaddr *,
socklen_t, struct sockaddr *, socklen_t);
ssize_t recvfromto(int, void *, size_t, int, struct sockaddr *,
socklen_t *, struct sockaddr *, socklen_t *);
const char *
print_spi(uint64_t, int);
const char *
print_map(unsigned int, struct iked_constmap *);
void lc_idtype(char *);
void print_hex(const uint8_t *, off_t, size_t);
void print_hexval(const uint8_t *, off_t, size_t);
void print_hexbuf(struct ibuf *);
const char *
print_bits(unsigned short, unsigned char *);
int sockaddr_cmp(struct sockaddr *, struct sockaddr *, int);
uint8_t mask2prefixlen(struct sockaddr *);
uint8_t mask2prefixlen6(struct sockaddr *);
struct in6_addr *
prefixlen2mask6(uint8_t, uint32_t *);
uint32_t
prefixlen2mask(uint8_t);
const char *
print_addr(void *);
char *get_string(uint8_t *, size_t);
const char *
print_proto(uint8_t);
int expand_string(char *, size_t, const char *, const char *);
uint8_t *string2unicode(const char *, size_t *);
void print_debug(const char *, ...)
__attribute__((format(printf, 1, 2)));
void print_verbose(const char *, ...)
__attribute__((format(printf, 1, 2)));
struct ibuf *
ibuf_new(const void *, size_t);
struct ibuf *
ibuf_static(void);
size_t ibuf_length(struct ibuf *);
int ibuf_setsize(struct ibuf *, size_t);
struct ibuf *
ibuf_getdata(struct ibuf *, size_t);
struct ibuf *
ibuf_dup(struct ibuf *);
struct ibuf *
ibuf_random(size_t);
void log_init(int, int);
void log_procinit(const char *);
void log_setverbose(int);
int log_getverbose(void);
void log_warn(const char *, ...)
__attribute__((__format__ (printf, 1, 2)));
void log_warnx(const char *, ...)
__attribute__((__format__ (printf, 1, 2)));
void log_info(const char *, ...)
__attribute__((__format__ (printf, 1, 2)));
void log_debug(const char *, ...)
__attribute__((__format__ (printf, 1, 2)));
void logit(int, const char *, ...)
__attribute__((__format__ (printf, 2, 3)));
void vlog(int, const char *, va_list)
__attribute__((__format__ (printf, 2, 0)));
__dead void fatal(const char *, ...)
__attribute__((__format__ (printf, 1, 2)));
__dead void fatalx(const char *, ...)
__attribute__((__format__ (printf, 1, 2)));
int ocsp_connect(struct iked *, struct imsg *);
int ocsp_receive_fd(struct iked *, struct imsg *);
int ocsp_validate_cert(struct iked *, void *, size_t, struct iked_sahdr,
uint8_t, X509 *);
int parse_config(const char *, struct iked *);
int cmdline_symset(char *);
extern const struct ipsec_xf authxfs[];
extern const struct ipsec_xf prfxfs[];
extern const struct ipsec_xf *encxfs;
extern const struct ipsec_xf ikeencxfs[];
extern const struct ipsec_xf ipsecencxfs[];
extern const struct ipsec_xf groupxfs[];
extern const struct ipsec_xf esnxfs[];
extern const struct ipsec_xf methodxfs[];
extern const struct ipsec_xf saxfs[];
extern const struct ipsec_xf cpxfs[];
size_t keylength_xf(unsigned int, unsigned int, unsigned int);
size_t noncelength_xf(unsigned int, unsigned int);
int encxf_noauth(unsigned int);
void print_user(struct iked_user *);
void print_policy(struct iked_policy *);
const char *print_xf(unsigned int, unsigned int, const struct ipsec_xf *);
#endif
