1105197Ssam/*	$FreeBSD$	*/
2105197Ssam/*	$OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $	*/
3139823Simp/*-
4105197Ssam * The authors of this code are John Ioannidis (ji@tla.org),
5105197Ssam * Angelos D. Keromytis (kermit@csd.uch.gr),
6105197Ssam * Niels Provos (provos@physnet.uni-hamburg.de) and
7105197Ssam * Niklas Hallqvist (niklas@appli.se).
8105197Ssam *
9105197Ssam * The original version of this code was written by John Ioannidis
10105197Ssam * for BSD/OS in Athens, Greece, in November 1995.
11105197Ssam *
12105197Ssam * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
13105197Ssam * by Angelos D. Keromytis.
14105197Ssam *
15105197Ssam * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
16105197Ssam * and Niels Provos.
17105197Ssam *
18105197Ssam * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
19105197Ssam *
20105197Ssam * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
21105197Ssam * Angelos D. Keromytis and Niels Provos.
22105197Ssam * Copyright (c) 1999 Niklas Hallqvist.
23105197Ssam * Copyright (c) 2001, Angelos D. Keromytis.
24105197Ssam *
25105197Ssam * Permission to use, copy, and modify this software with or without fee
26105197Ssam * is hereby granted, provided that this entire notice is included in
27105197Ssam * all copies of any software which is or includes a copy or
28105197Ssam * modification of this software.
29105197Ssam * You may use this code under the GNU public license if you so wish. Please
30105197Ssam * contribute changes back to the authors under this freer than GPL license
31105197Ssam * so that we may further the use of strong encryption without limitations to
32105197Ssam * all.
33105197Ssam *
34105197Ssam * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
35105197Ssam * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
36105197Ssam * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
37105197Ssam * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
38105197Ssam * PURPOSE.
39105197Ssam */
40105197Ssam
41105197Ssam#ifndef _NETIPSEC_XFORM_H_
42105197Ssam#define _NETIPSEC_XFORM_H_
43105197Ssam
44105197Ssam#include <sys/types.h>
45105197Ssam#include <netinet/in.h>
46105197Ssam#include <opencrypto/xform.h>
47105197Ssam
48105197Ssam#define	AH_HMAC_HASHLEN		12	/* 96 bits of authenticator */
49218794Svanhu#define	AH_HMAC_MAXHASHLEN	(SHA2_512_HASH_LEN/2)	/* Keep this updated */
50105197Ssam#define	AH_HMAC_INITIAL_RPL	1	/* replay counter initial value */
51105197Ssam
52105197Ssam/*
53105197Ssam * Packet tag assigned on completion of IPsec processing; used
54105197Ssam * to speedup processing when/if the packet comes back for more
55105197Ssam * processing.
56105197Ssam */
57105197Ssamstruct tdb_ident {
58105197Ssam	u_int32_t spi;
59105197Ssam	union sockaddr_union dst;
60105197Ssam	u_int8_t proto;
61174054Sbz	/* Cache those two for enc(4) in xform_ipip. */
62174054Sbz	u_int8_t alg_auth;
63174054Sbz	u_int8_t alg_enc;
64105197Ssam};
65105197Ssam
66105197Ssam/*
67105197Ssam * Opaque data structure hung off a crypto operation descriptor.
68105197Ssam */
69105197Ssamstruct tdb_crypto {
70105197Ssam	struct ipsecrequest	*tc_isr;	/* ipsec request state */
71105197Ssam	u_int32_t		tc_spi;		/* associated SPI */
72105197Ssam	union sockaddr_union	tc_dst;		/* dst addr of packet */
73105197Ssam	u_int8_t		tc_proto;	/* current protocol, e.g. AH */
74105197Ssam	u_int8_t		tc_nxt;		/* next protocol, e.g. IPV4 */
75105197Ssam	int			tc_protoff;	/* current protocol offset */
76105197Ssam	int			tc_skip;	/* data offset */
77105197Ssam	caddr_t			tc_ptr;		/* associated crypto data */
78220206Sfabient	struct secasvar 	*tc_sav;	/* related SA */
79105197Ssam};
80105197Ssam
81105197Ssamstruct secasvar;
82105197Ssamstruct ipescrequest;
83105197Ssam
84105197Ssamstruct xformsw {
85105197Ssam	u_short	xf_type;		/* xform ID */
86105197Ssam#define	XF_IP4		1	/* IP inside IP */
87105197Ssam#define	XF_AH		2	/* AH */
88105197Ssam#define	XF_ESP		3	/* ESP */
89105197Ssam#define	XF_TCPSIGNATURE	5	/* TCP MD5 Signature option, RFC 2358 */
90105197Ssam#define	XF_IPCOMP	6	/* IPCOMP */
91105197Ssam	u_short	xf_flags;
92105197Ssam#define	XFT_AUTH	0x0001
93105197Ssam#define	XFT_CONF	0x0100
94105197Ssam#define	XFT_COMP	0x1000
95105197Ssam	char	*xf_name;			/* human-readable name */
96105197Ssam	int	(*xf_init)(struct secasvar*, struct xformsw*);	/* setup */
97105197Ssam	int	(*xf_zeroize)(struct secasvar*);		/* cleanup */
98105197Ssam	int	(*xf_input)(struct mbuf*, struct secasvar*,	/* input */
99105197Ssam			int, int);
100105197Ssam	int	(*xf_output)(struct mbuf*,	       		/* output */
101105197Ssam			struct ipsecrequest *, struct mbuf **, int, int);
102105197Ssam	struct xformsw *xf_next;		/* list of registered xforms */
103105197Ssam};
104105197Ssam
105105197Ssam#ifdef _KERNEL
106105197Ssamextern void xform_register(struct xformsw*);
107105197Ssamextern int xform_init(struct secasvar *sav, int xftype);
108105197Ssam
109105197Ssamstruct cryptoini;
110105197Ssam
111105197Ssam/* XF_IP4 */
112105197Ssamextern	int ip4_input6(struct mbuf **m, int *offp, int proto);
113157306Sbzextern	void ip4_input(struct mbuf *m, int);
114105197Ssamextern	int ipip_output(struct mbuf *, struct ipsecrequest *,
115105197Ssam			struct mbuf **, int, int);
116105197Ssam
117105197Ssam/* XF_AH */
118105197Ssamextern int ah_init0(struct secasvar *, struct xformsw *, struct cryptoini *);
119105197Ssamextern int ah_zeroize(struct secasvar *sav);
120105197Ssamextern struct auth_hash *ah_algorithm_lookup(int alg);
121105197Ssamextern size_t ah_hdrsiz(struct secasvar *);
122105197Ssam
123105197Ssam/* XF_ESP */
124105197Ssamextern struct enc_xform *esp_algorithm_lookup(int alg);
125105197Ssamextern size_t esp_hdrsiz(struct secasvar *sav);
126105197Ssam
127105197Ssam/* XF_COMP */
128105197Ssamextern struct comp_algo *ipcomp_algorithm_lookup(int alg);
129105197Ssam
130105197Ssam#endif /* _KERNEL */
131105197Ssam#endif /* _NETIPSEC_XFORM_H_ */
132