/* $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $ */1/*-2* The authors of this code are John Ioannidis ([email protected]),3* Angelos D. Keromytis ([email protected]),4* Niels Provos ([email protected]) and5* Niklas Hallqvist ([email protected]).6*7* The original version of this code was written by John Ioannidis8* for BSD/OS in Athens, Greece, in November 1995.9*10* Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,11* by Angelos D. Keromytis.12*13* Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis14* and Niels Provos.15*16* Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.17*18* Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,19* Angelos D. Keromytis and Niels Provos.20* Copyright (c) 1999 Niklas Hallqvist.21* Copyright (c) 2001, Angelos D. Keromytis.22*23* Permission to use, copy, and modify this software with or without fee24* is hereby granted, provided that this entire notice is included in25* all copies of any software which is or includes a copy or26* modification of this software.27* You may use this code under the GNU public license if you so wish. Please28* contribute changes back to the authors under this freer than GPL license29* so that we may further the use of strong encryption without limitations to30* all.31*32* THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR33* IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY34* REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE35* MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR36* PURPOSE.37*/3839#ifndef _NETIPSEC_XFORM_H_40#define _NETIPSEC_XFORM_H_4142#include <sys/types.h>43#include <sys/queue.h>44#include <netinet/in.h>45#include <opencrypto/xform.h>4647#define AH_HMAC_HASHLEN 12 /* 96 bits of authenticator */48#define AH_HMAC_MAXHASHLEN (SHA2_512_HASH_LEN/2) /* Keep this updated */49#define AH_HMAC_INITIAL_RPL 1 /* replay counter initial value */5051#ifdef _KERNEL52struct secpolicy;53struct secasvar;5455/*56* Packet tag assigned on completion of IPsec processing; used57* to speedup security policy checking for INBOUND packets.58*/59struct xform_history {60union sockaddr_union dst; /* destination address */61uint32_t spi; /* Security Parameters Index */62uint8_t proto; /* IPPROTO_ESP or IPPROTO_AH */63uint8_t mode; /* transport or tunnel */64};6566/*67* Opaque data structure hung off a crypto operation descriptor.68*/69struct xform_data {70struct secpolicy *sp; /* security policy */71struct secasvar *sav; /* related SA */72crypto_session_t cryptoid; /* used crypto session */73u_int idx; /* IPsec request index */74int protoff; /* current protocol offset */75int skip; /* data offset */76uint8_t nxt; /* next protocol, e.g. IPV4 */77struct vnet *vnet;78};7980#define XF_IP4 1 /* unused */81#define XF_AH 2 /* AH */82#define XF_ESP 3 /* ESP */83#define XF_TCPSIGNATURE 5 /* TCP MD5 Signature option, RFC 2358 */84#define XF_IPCOMP 6 /* IPCOMP */8586struct xformsw {87u_short xf_type; /* xform ID */88const char *xf_name; /* human-readable name */89int (*xf_init)(struct secasvar*, struct xformsw*); /* setup */90void (*xf_cleanup)(struct secasvar*); /* cleanup */91int (*xf_input)(struct mbuf*, struct secasvar*, /* input */92int, int);93int (*xf_output)(struct mbuf*, /* output */94struct secpolicy *, struct secasvar *, u_int, int, int);9596volatile u_int xf_cntr;97LIST_ENTRY(xformsw) chain;98};99100const struct enc_xform * enc_algorithm_lookup(int);101const struct auth_hash * auth_algorithm_lookup(int);102const struct comp_algo * comp_algorithm_lookup(int);103104void xform_attach(void *);105void xform_detach(void *);106int xform_init(struct secasvar *, u_short);107108struct crypto_session_params;109/* XF_AH */110int xform_ah_authsize(const struct auth_hash *);111int ah_init0(struct secasvar *, struct xformsw *,112struct crypto_session_params *);113extern size_t ah_hdrsiz(struct secasvar *);114115/* XF_ESP */116extern size_t esp_hdrsiz(struct secasvar *sav);117118#endif /* _KERNEL */119#endif /* _NETIPSEC_XFORM_H_ */120121122