/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #ifndef _INET_IPSEC_INFO_H #define _INET_IPSEC_INFO_H #ifdef __cplusplus extern "C" { #endif #include /* * IPsec informational messages. These are M_CTL STREAMS messages, which * convey IPsec information between various IP and related modules. Most * have been deprecated by the de-STREAMS-ing of TCP/IP. What remains is: * * * Keysock consumer interface - These messages are wrappers for * PF_KEY messages. They flow between AH/ESP and keysock. * */ /* * The IPsec M_CTL value MUST be something that will not be even close * to an IPv4 or IPv6 header. This means the first byte must not be * 0x40 - 0x4f or 0x60-0x6f. For big-endian machines, this is fixable with * the IPSEC_M_CTL prefix. For little-endian machines, the actual M_CTL * _type_ must not be in the aforementioned ranges. * * The reason for this avoidance is because M_CTL's with a real IPv4/IPv6 * datagram get sent from to TCP or UDP when an ICMP datagram affects a * TCP/UDP session. */ #define IPSEC_M_CTL 0x73706900 /* * M_CTL types for IPsec messages. Remember, the values 0x40 - 0x4f and 0x60 * - 0x6f are not to be used because of potential little-endian confusion. * * Offsets 3-7 (decimal) are in use, spread through this file. * Check for duplicates through the whole file before adding. */ /* * Keysock consumer interface. * * The driver/module keysock (which is a driver to PF_KEY sockets, but is * a module to 'consumers' like AH and ESP) uses keysock consumer interface * messages to pass on PF_KEY messages to consumers who process and act upon * them. */ #define KEYSOCK_IN (IPSEC_M_CTL + 3) #define KEYSOCK_OUT (IPSEC_M_CTL + 4) #define KEYSOCK_OUT_ERR (IPSEC_M_CTL + 5) #define KEYSOCK_HELLO (IPSEC_M_CTL + 6) #define KEYSOCK_HELLO_ACK (IPSEC_M_CTL + 7) /* * KEYSOCK_HELLO is sent by keysock to a consumer when it is pushed on top * of one (i.e. opened as a module). * * NOTE: Keysock_hello is simply an ipsec_info_t */ /* * KEYSOCK_HELLO_ACK is sent by a consumer to acknowledge a KEYSOCK_HELLO. * It contains the PF_KEYv2 sa_type, so keysock can redirect PF_KEY messages * to the right consumer. */ typedef struct keysock_hello_ack_s { uint32_t ks_hello_type; uint32_t ks_hello_len; uint8_t ks_hello_satype; /* PF_KEYv2 sa_type of ks client */ } keysock_hello_ack_t; #define KS_IN_ADDR_UNKNOWN 0 #define KS_IN_ADDR_NOTTHERE 1 #define KS_IN_ADDR_UNSPEC 2 #define KS_IN_ADDR_ME 3 #define KS_IN_ADDR_NOTME 4 #define KS_IN_ADDR_MBCAST 5 #define KS_IN_ADDR_DONTCARE 6 /* * KEYSOCK_IN is a PF_KEY message from a PF_KEY socket destined for a consumer. */ typedef struct keysock_in_s { uint32_t ks_in_type; uint32_t ks_in_len; /* * NOTE: These pointers MUST be into the M_DATA that follows * this M_CTL message. If they aren't, weirdness * results. */ struct sadb_ext *ks_in_extv[SADB_EXT_MAX + 1]; int ks_in_srctype; /* Source address type. */ int ks_in_dsttype; /* Dest address type. */ minor_t ks_in_serial; /* Serial # of sending socket. */ } keysock_in_t; /* * KEYSOCK_OUT is a PF_KEY message from a consumer destined for a PF_KEY * socket. */ typedef struct keysock_out_s { uint32_t ks_out_type; uint32_t ks_out_len; minor_t ks_out_serial; /* Serial # of sending socket. */ } keysock_out_t; /* * KEYSOCK_OUT_ERR is sent to a consumer from keysock if for some reason * keysock could not find a PF_KEY socket to deliver a consumer-originated * message (e.g. SADB_ACQUIRE). */ typedef struct keysock_out_err_s { uint32_t ks_err_type; uint32_t ks_err_len; minor_t ks_err_serial; int ks_err_errno; /* * Other, richer error information may end up going here eventually. */ } keysock_out_err_t; /* * All IPsec informational messages are placed into the ipsec_info_t * union, so that allocation can be done once, and IPsec informational * messages can be recycled. */ typedef union ipsec_info_u { struct { uint32_t ipsec_allu_type; uint32_t ipsec_allu_len; /* In bytes */ } ipsec_allu; keysock_hello_ack_t keysock_hello_ack; keysock_in_t keysock_in; keysock_out_t keysock_out; keysock_out_err_t keysock_out_err; } ipsec_info_t; #define ipsec_info_type ipsec_allu.ipsec_allu_type #define ipsec_info_len ipsec_allu.ipsec_allu_len #ifdef __cplusplus } #endif #endif /* _INET_IPSEC_INFO_H */