authorJean-Jacques Bernard-Gundol <jjbg@cvs.openbsd.org>2001-07-05 08:31:49 +0000
committerJean-Jacques Bernard-Gundol <jjbg@cvs.openbsd.org>2001-07-05 08:31:49 +0000
commitd3f862211450934c1aebf4e479857a9338d314bf (patch)
treed21b0279d9eb51eb97f0d564c0fff38f14593cbb /sys/netinet
parent336c45b48406c6cc8e8416a2f269e4b2ad2ae7f8 (diff)
IPComp itself (include files). angelos@ ok.
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/in.h21
-rw-r--r--sys/netinet/in_pcb.h5
-rw-r--r--sys/netinet/ip_ipcomp.h81
-rw-r--r--sys/netinet/ip_ipsp.h40
4 files changed, 140 insertions, 7 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index 7e7dd7cfdf2..7cf3ae0f3bb 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in.h,v 1.52 2001/06/25 00:11:57 angelos Exp $ */
+/* $OpenBSD: in.h,v 1.53 2001/07/05 08:31:47 jjbg Exp $ */
/* $NetBSD: in.h,v 1.20 1996/02/13 23:41:47 christos Exp $ */
/*
@@ -262,6 +262,7 @@ struct ip_opts {
#define IP_IPSEC_REMOTE_CRED 26 /* buf; IPsec remote credentials */
#define IP_IPSEC_LOCAL_AUTH 27 /* buf; IPsec local auth material */
#define IP_IPSEC_REMOTE_AUTH 28 /* buf; IPsec remote auth material */
+#define IP_IPCOMP_LEVEL 29 /* int; compression used */
/*
* Security levels - IPsec, not IPSO
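Review bot: The comment on the new `IP_IPCOMP_LEVEL` option, `/* int; compression used */`, does not say what the integer means, whereas the sibling socket options above it name their payload. Since the companion hunk below adds `IPSEC_IPCOMP_LEVEL_DEFAULT` alongside the other `IPSEC_*_LEVEL_DEFAULT` values, the option presumably carries one of the IPSEC security levels; if so, say it: `#define IP_IPCOMP_LEVEL 29 /* int; IPComp level (IPSEC_LEVEL_*) */`.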
@@ -278,6 +279,7 @@ struct ip_opts {
#define IPSEC_AUTH_LEVEL_DEFAULT IPSEC_LEVEL_DEFAULT
#define IPSEC_ESP_TRANS_LEVEL_DEFAULT IPSEC_LEVEL_DEFAULT
#define IPSEC_ESP_NETWORK_LEVEL_DEFAULT IPSEC_LEVEL_DEFAULT
+#define IPSEC_IPCOMP_LEVEL_DEFAULT IPSEC_LEVEL_DEFAULT
/*
* Defaults and limits for options
@@ -313,7 +315,7 @@ struct ip_mreq {
* Third level is protocol number.
* Fourth level is desired variable within that protocol.
*/
-#define IPPROTO_MAXID (IPPROTO_ETHERIP + 1) /* don't list to IPPROTO_MAX */
+#define IPPROTO_MAXID (IPPROTO_IPCOMP + 1) /* don't list to IPPROTO_MAX */
#define CTL_IPPROTO_NAMES { \
{ "ip", CTLTYPE_NODE }, \
@@ -414,6 +416,17 @@ struct ip_mreq {
{ 0, 0 }, \
{ 0, 0 }, \
{ "etherip", CTLTYPE_NODE }, \
+ { 0, 0 }, \
+ { 0, 0 }, \
+ { 0, 0 }, \
+ { 0, 0 }, \
+ { 0, 0 }, \
+ { 0, 0 }, \
+ { 0, 0 }, \
+ { 0, 0 }, \
+ { 0, 0 }, \
+ { 0, 0 }, \
+ { "ipcomp", CTLTYPE_NODE }, \
}
/*
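Review bot: The ten `{ 0, 0 }` placeholders between the `"etherip"` and `"ipcomp"` entries are the only thing positioning `"ipcomp"` at index `IPPROTO_IPCOMP`, and nothing in the table checks that count; the table must also now hold exactly `IPPROTO_MAXID` entries after the previous hunk's change. If `IPPROTO_ETHERIP` is 97 and `IPPROTO_IPCOMP` is 108, ten fillers is correct, but an off-by-one here would silently attach the node name to the wrong protocol number. A comment on the first filler such as `/* IPPROTO_ETHERIP+1 .. IPPROTO_IPCOMP-1 unused */` would let the next person extending this table verify the arithmetic without recounting.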
@@ -451,7 +464,8 @@ struct ip_mreq {
#define IPCTL_IPSEC_AUTH_ALGORITHM 26
#define IPCTL_MTUDISC 27 /* allow path MTU discovery */
#define IPCTL_MTUDISCTIMEOUT 28 /* allow path MTU discovery */
-#define IPCTL_MAXID 29
+#define IPCTL_IPSEC_IPCOMP_ALGORITHM 29
+#define IPCTL_MAXID 30
#define IPCTL_NAMES { \
{ 0, 0 }, \
@@ -483,6 +497,7 @@ struct ip_mreq {
{ "ipsec-auth-alg", CTLTYPE_STRING }, \
{ "mtudisc", CTLTYPE_INT }, \
{ "mtudisctimeout", CTLTYPE_INT }, \
+ { "ipsec-comp-alg", CTLTYPE_STRING }, \
}
/* INET6 stuff */
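Review bot: The sysctl name added here, `"ipsec-comp-alg"`, abbreviates differently from the macro it labels, `IPCTL_IPSEC_IPCOMP_ALGORITHM` from the previous hunk, while the existing pair `IPCTL_IPSEC_AUTH_ALGORITHM` / `"ipsec-auth-alg"` use the same stem on both sides. Either name is defensible, but pick one; since the string is user-visible and the other new symbols in this commit (`IPSEC_DEFAULT_DEF_COMP`, `ipsec_def_comp`) use `comp`, renaming the macro to match would be the smaller change.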
diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
index 324c1a0ec5c..866c895a3cc 100644
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_pcb.h,v 1.37 2001/06/12 10:59:53 angelos Exp $ */
+/* $OpenBSD: in_pcb.h,v 1.38 2001/07/05 08:31:47 jjbg Exp $ */
/* $NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $ */
/*
@@ -125,10 +125,11 @@ struct inpcb {
} inp_mou;
#define inp_moptions inp_mou.mou_mo
#define inp_moptions6 inp_mou.mou_mo6
- u_char inp_seclevel[3];
+ u_char inp_seclevel[4];
#define SL_AUTH 0 /* Authentication level */
#define SL_ESP_TRANS 1 /* ESP transport level */
#define SL_ESP_NETWORK 2 /* ESP network (encapsulation) level */
+#define SL_IPCOMP 3 /* Compression level */
u_int8_t inp_secrequire:4, /* Condensed State from above */
inp_secresult:4; /* Result from Key Management */
#define SR_FAILED 1 /* Negotiation failed permanently */
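Review bot: Growing `inp_seclevel` from 3 to 4 elements is only safe if every place that copies or initializes it (not visible in this diff) uses `sizeof inp->inp_seclevel` or iterates over the `SL_*` indices rather than a literal 3; any such literal now leaves `SL_IPCOMP` uninitialized or uncopied. A named count next to the `SL_*` indices, e.g. `#define SL_COUNT 4 /* number of inp_seclevel entries */` (proposed name, not an existing identifier), used as the array dimension would make the array and its consumers change together. The enclosing `struct inpcb` starts before this hunk.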
diff --git a/sys/netinet/ip_ipcomp.h b/sys/netinet/ip_ipcomp.h
new file mode 100644
index 00000000000..ffc665ec671
--- /dev/null
+++ b/sys/netinet/ip_ipcomp.h
@@ -0,0 +1,81 @@
+/* $OpenBSD: ip_ipcomp.h,v 1.1 2001/07/05 08:31:48 jjbg Exp $ */
+
+/*
+ * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* IP payload compression protocol (IPComp), see RFC 2393 */
+
+#ifndef _NETINET_IP_IPCOMP_H_
+#define _NETINET_IP_IPCOMP_H_
+
+struct ipcompstat {
+ u_int32_t ipcomps_hdrops; /* Packet shorter than header shows */
+ u_int32_t ipcomps_nopf; /* Protocol family not supported */
+ u_int32_t ipcomps_notdb;
+ u_int32_t ipcomps_badkcr;
+ u_int32_t ipcomps_qfull;
+ u_int32_t ipcomps_noxform;
+ u_int32_t ipcomps_wrap;
+ u_int32_t ipcomps_input; /* Input IPcomp packets */
+ u_int32_t ipcomps_output; /* Ouptut IPcomp packets */
+ u_int32_t ipcomps_invalid; /* Trying to use an invalid
+ * TDB */
+ u_int32_t ipcomps_ibytes; /* Input bytes */
+ u_int32_t ipcomps_obytes; /* Output bytes */
+ u_int32_t ipcomps_toobig; /* Packet got larger than
+ * IP_MAXPACKET */
+ u_int32_t ipcomps_pdrops; /* Packet blocked due to policy */
+ u_int32_t ipcomps_crypto; /* "Crypto" processing failure */
+};
+
+/* IPCOMP header */
+struct ipcomp {
+ u_int8_t ipcomp_nh; /* Next header */
+ u_int8_t ipcomp_flags; /* Flags: reserved field: 0 */
+ u_int16_t ipcomp_cpi; /* Compression Parameter Index,
+ * Network order */
+};
+
+/* Length of IPCOMP header */
+#define IPCOMP_HLENGTH 4
+
+/*
+ * Names for IPCOMP sysctl objects
+ */
+#define IPCOMPCTL_ENABLE 1 /* Enable COMP processing */
+#define IPCOMPCTL_MAXID 2
+
+#define IPCOMPCTL_NAMES { \
+ { 0, 0 }, \
+ { "enable", CTLTYPE_INT}, \
+}
+
+#ifdef _KERNEL
+extern int ipcomp_enable;
+struct ipcompstat ipcompstat;
+#endif /* _KERNEL */
+#endif /* _NETINET_IP_IPCOMP_H_ */
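Review bot: `struct ipcompstat ipcompstat;` in the `_KERNEL` section is a tentative definition rather than a declaration, so every kernel translation unit that includes this header defines the object; the line above it correctly uses `extern int ipcomp_enable;`, and this one should match: `extern struct ipcompstat ipcompstat;`. Whether the duplicate definitions link depends on the toolchain's common-symbol handling, which is not something a header should rely on. Separately, the counters `ipcomps_notdb`, `ipcomps_badkcr`, `ipcomps_qfull`, `ipcomps_noxform` and `ipcomps_wrap` are the only fields without a comment, and `ipcomps_output` has a typo (`Ouptut`); and `{ "enable", CTLTYPE_INT}` is missing the space before `}` that the other sysctl tables in this commit use.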
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index 5ddabac7b52..455c14a4227 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.115 2001/06/27 04:44:03 angelos Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.116 2001/07/05 08:31:48 jjbg Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -73,6 +73,12 @@ union sockaddr_union {
#define SPI_RESERVED_MIN 1
#define SPI_RESERVED_MAX 255
+/* Reserved CPI numbers */
+#define CPI_RESERVED_MIN 1
+#define CPI_RESERVED_MAX 255
+#define CPI_PRIVATE_MIN 61440
+#define CPI_PRIVATE_MAX 65535
+
/* sysctl default values */
#define IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT 60 /* 1 minute */
#define IPSEC_DEFAULT_PFS 1
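Review bot: `CPI_RESERVED_MIN`/`CPI_RESERVED_MAX` of 1–255 mirror the `SPI_RESERVED_*` values just above rather than the CPI layout of RFC 2393, which the new ip_ipcomp.h cites; that RFC reserves 0–63 for well-known compression algorithms, leaves 64–61439 for negotiated values and sets aside 61440–65535 for private use, so only the `CPI_PRIVATE_*` pair here matches the RFC. Reserving more than the RFC does is harmless for interoperability, but the comment `/* Reserved CPI numbers */` should say whether 1–255 is deliberate (e.g. to share the SPI allocator's range checks) or should be 63; otherwise the next reader will assume a copy-paste slip.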
@@ -87,6 +93,7 @@ union sockaddr_union {
#define IPSEC_DEFAULT_DEF_ENC "aes"
#define IPSEC_DEFAULT_DEF_AUTH "hmac-sha1"
#define IPSEC_DEFAULT_EXPIRE_ACQUIRE 30
+#define IPSEC_DEFAULT_DEF_COMP "deflate"
struct sockaddr_encap {
u_int8_t sen_len; /* length */
@@ -216,6 +223,7 @@ struct ipsec_policy {
#define NOTIFY_SATYPE_CONF 1 /* SA should do encryption */
#define NOTIFY_SATYPE_AUTH 2 /* SA should do authentication */
#define NOTIFY_SATYPE_TUNNEL 4 /* SA should use tunneling */
+#define NOTIFY_SATYPE_COMP 5 /* SA (IPCA) should use compression */
/* Authentication types */
#define IPSP_AUTH_NONE 0
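Review bot: `NOTIFY_SATYPE_COMP` is defined as 5, but the neighbouring `NOTIFY_SATYPE_CONF` (1), `NOTIFY_SATYPE_AUTH` (2) and `NOTIFY_SATYPE_TUNNEL` (4) are single bits that the `TDB_ATTRIB` macro later in this diff ORs together, so a tdb with only a compression transform reports the same value as one with confidentiality plus tunneling, and `TDB_ATTRIB(x) & NOTIFY_SATYPE_COMP` is true whenever CONF and TUNNEL are both set. The value needs to be the next free bit: `#define NOTIFY_SATYPE_COMP 8 /* SA (IPCA) should use compression */`. This also affects the `TDB_ATTRIB` hunk further down, which is otherwise fine once the constant is a distinct bit.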
@@ -263,6 +271,7 @@ struct tdb { /* tunnel descriptor block */
struct xformsw *tdb_xform; /* Transform to use */
struct enc_xform *tdb_encalgxform; /* Enc algorithm */
struct auth_hash *tdb_authalgxform; /* Auth algorithm */
+ struct comp_algo *tdb_compalgxform; /* Compression algo */
#define TDBF_UNIQUE 0x00001 /* This should not be used by others */
#define TDBF_TIMER 0x00002 /* Absolute expiration timer in use */
@@ -373,6 +382,7 @@ struct ipsecinit {
u_int16_t ii_authkeylen;
u_int8_t ii_encalg;
u_int8_t ii_authalg;
+ u_int8_t ii_compalg;
};
struct xformsw {
@@ -392,10 +402,12 @@ struct xformsw {
#define XF_AH 2 /* AH */
#define XF_ESP 3 /* ESP */
#define XF_TCPSIGNATURE 5 /* TCP MD5 Signature option, RFC 2358 */
+#define XF_IPCOMP 6 /* IPCOMP */
/* xform attributes */
#define XFT_AUTH 0x0001
#define XFT_CONF 0x0100
+#define XFT_COMP 0x1000
#define IPSEC_ZEROES_SIZE 256 /* Larger than an IP6 extension hdr. */
#define IPSEC_KERNFS_BUFSIZE 4096
@@ -452,6 +464,7 @@ extern int ipsec_soft_first_use;
extern int ipsec_exp_first_use;
extern char ipsec_def_enc[];
extern char ipsec_def_auth[];
+extern char ipsec_def_comp[];
extern struct enc_xform enc_xform_des;
extern struct enc_xform enc_xform_3des;
@@ -463,6 +476,8 @@ extern struct auth_hash auth_hash_hmac_md5_96;
extern struct auth_hash auth_hash_hmac_sha1_96;
extern struct auth_hash auth_hash_hmac_ripemd_160_96;
+extern struct comp_algo comp_algo_deflate;
+
extern TAILQ_HEAD(ipsec_policy_head, ipsec_policy) ipsec_policy_head;
extern TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head;
@@ -470,7 +485,8 @@ extern struct xformsw xformsw[], *xformswNXFORMSW;
/* Check if a given tdb has encryption, authentication and/or tunneling */
#define TDB_ATTRIB(x) (((x)->tdb_encalgxform ? NOTIFY_SATYPE_CONF : 0) | \
- ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0))
+ ((x)->tdb_authalgxform ? NOTIFY_SATYPE_AUTH : 0) | \
+ ((x)->tdb_compalgxform ? NOTIFY_SATYPE_COMP : 0))
/* Traverse spi chain and get attributes */
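Review bot: The comment above `TDB_ATTRIB`, `/* Check if a given tdb has encryption, authentication and/or tunneling */`, is now stale since the macro also reports compression via `tdb_compalgxform`; update it to `/* Check if a given tdb has encryption, authentication, compression and/or tunneling */`. Note that the macro is only correct if `NOTIFY_SATYPE_COMP` is a bit distinct from the other `NOTIFY_SATYPE_*` flags it is ORed with, which is worth stating in the same comment.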
@@ -571,6 +587,26 @@ extern int esp6_input __P((struct mbuf **, int *, int));
extern int esp6_input_cb __P((struct mbuf *, int, int));
#endif /* INET6 */
+/* XF_IPCOMP */
+extern int ipcomp_attach(void);
+extern int ipcomp_init(struct tdb *, struct xformsw *, struct ipsecinit *);
+extern int ipcomp_zeroize(struct tdb *);
+extern int ipcomp_output(struct mbuf *, struct tdb *, struct mbuf **, int, int);
+extern int ipcomp_output_cb(void *);
+extern int ipcomp_input(struct mbuf *, struct tdb *, int, int);
+extern int ipcomp_input_cb(void *);
+extern int ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
+
+#ifdef INET
+extern void ipcomp4_input __P((struct mbuf *, ...));
+extern int ipcomp4_input_cb __P((struct mbuf *, ...));
+#endif /* INET */
+
+#ifdef INET6
+extern int ipcomp6_input __P((struct mbuf **, int *, int));
+extern int ipcomp6_input_cb __P((struct mbuf *, int, int));
+#endif /* INET6 */
+
/* XF_TCPSIGNATURE */
extern int tcp_signature_tdb_attach __P((void));
extern int tcp_signature_tdb_init __P((struct tdb *, struct xformsw *,
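Review bot: The eight new `ipcomp_*` prototypes (`ipcomp_attach` through `ipcomp_sysctl`) are written as plain ANSI prototypes, while the `ipcomp4_*` and `ipcomp6_*` declarations added in the same hunk and every other declaration in this file use the `__P((...))` wrapper, e.g. `extern int ipcomp_attach __P((void));`. Mixing the two styles inside one block makes the new lines stand out and defeats whatever portability the macro is meant to provide; use one form consistently, matching the file. The `tcp_signature_tdb_init` declaration at the end of this hunk continues past it.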