# SPDX-License-Identifier: GPL-2.0-only
#
# XFRM configuration
#
config XFRM
	bool
	depends on INET
	select GRO_CELLS
	select SKB_EXTENSIONS

config XFRM_OFFLOAD
	bool

config XFRM_ALGO
	tristate
	select XFRM
	select CRYPTO
	select CRYPTO_AEAD
	select CRYPTO_HASH
	select CRYPTO_SKCIPHER

if INET
config XFRM_USER
	tristate "Transformation user configuration interface"
	select XFRM_ALGO
	help
	  Support for Transformation(XFRM) user configuration interface
	  like IPsec used by native Linux tools.

	  If unsure, say Y.

config XFRM_USER_COMPAT
	tristate "Compatible ABI support"
	depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \
		HAVE_EFFICIENT_UNALIGNED_ACCESS
	select WANT_COMPAT_NETLINK_MESSAGES
	help
	  Transformation(XFRM) user configuration interface like IPsec
	  used by compatible Linux applications.

	  If unsure, say N.

config XFRM_INTERFACE
	tristate "Transformation virtual interface"
	depends on XFRM && IPV6
	help
	  This provides a virtual interface to route IPsec traffic.

	  If unsure, say N.

config XFRM_SUB_POLICY
	bool "Transformation sub policy support"
	depends on XFRM
	help
	  Support sub policy for developers. By using sub policy with main
	  one, two policies can be applied to the same packet at once.
	  Policy which lives shorter time in kernel should be a sub.

	  If unsure, say N.

config XFRM_MIGRATE
	bool "Transformation migrate database"
	depends on XFRM
	help
	  A feature to update locator(s) of a given IPsec security
	  association dynamically.  This feature is required, for
	  instance, in a Mobile IPv6 environment with IPsec configuration
	  where mobile nodes change their attachment point to the Internet.

	  If unsure, say N.

config XFRM_STATISTICS
	bool "Transformation statistics"
	depends on XFRM && PROC_FS
	help
	  This statistics is not a SNMP/MIB specification but shows
	  statistics about transformation error (or almost error) factor
	  at packet processing for developer.

	  If unsure, say N.

# This option selects XFRM_ALGO along with the AH authentication algorithms that
# RFC 8221 lists as MUST be implemented.
config XFRM_AH
	tristate
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_SHA256

# This option selects XFRM_ALGO along with the ESP encryption and authentication
# algorithms that RFC 8221 lists as MUST be implemented.
config XFRM_ESP
	tristate
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_AES
	select CRYPTO_AUTHENC
	select CRYPTO_CBC
	select CRYPTO_ECHAINIV
	select CRYPTO_GCM
	select CRYPTO_HMAC
	select CRYPTO_SEQIV
	select CRYPTO_SHA256

config XFRM_IPCOMP
	tristate
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_DEFLATE

config NET_KEY
	tristate "PF_KEY sockets"
	select XFRM_ALGO
	help
	  PF_KEYv2 socket family, compatible to KAME ones.
	  They are required if you are going to use IPsec tools ported
	  from KAME.

	  Say Y unless you know what you are doing.

config NET_KEY_MIGRATE
	bool "PF_KEY MIGRATE"
	depends on NET_KEY
	select XFRM_MIGRATE
	help
	  Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
	  The PF_KEY MIGRATE message is used to dynamically update
	  locator(s) of a given IPsec security association.
	  This feature is required, for instance, in a Mobile IPv6
	  environment with IPsec configuration where mobile nodes
	  change their attachment point to the Internet.  Detail
	  information can be found in the internet-draft
	  <draft-sugimoto-mip6-pfkey-migrate>.

	  If unsure, say N.

config XFRM_ESPINTCP
	bool

endif # INET