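/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#ifndef	_NET_PFKEYV2_H
#define	_NET_PFKEYV2_H

/*
 * Definitions and structures for PF_KEY version 2.  See RFC 2367 for
 * more details.  SA == Security Association, which is what PF_KEY provides
 * an API for managing.
 *
 * This header defines only types and constants; it relies on the fixed-width
 * integer types (uint8_t .. uint64_t) already being in scope when it is
 * included.
 *
 * Layout notes that apply to every structure below:
 *   - Every message and extension is sized in 64-bit words.  sadb_msg_len
 *     and each *_len field count 64-bit words, not bytes; SADB_64TO8() and
 *     SADB_8TO64() at the bottom of this file convert between the two.
 *   - Where a structure has no natural uint64_t member, a union with a
 *     uint64_t "alignment" member forces 8-byte alignment so that the
 *     trailing variable-length data (sockaddrs, keys, bitmaps) lands on a
 *     64-bit boundary.  The field-access #defines after each union keep
 *     the RFC 2367 member names usable.
 *
 * NOTE(review): the len fields are read out of messages received on the
 * PF_KEY socket.  Code that walks the extension chain should confirm that
 * each sadb_ext_len is non-zero and lies within the enclosing sadb_msg_len
 * before touching the extension body; nothing in this header enforces that.
 */

#ifdef	__cplusplus
extern "C" {
#endif

#define	PF_KEY_V2		2
#define	PFKEYV2_REVISION	200109L

/*
 * Base PF_KEY message.  Every PF_KEY message starts with one of these,
 * followed by zero or more extensions (sadb_ext_t and its specialisations).
 */

typedef struct sadb_msg {
	uint8_t sadb_msg_version;	/* Version, currently PF_KEY_V2 */
	uint8_t sadb_msg_type;		/* ADD, UPDATE, etc. */
	uint8_t sadb_msg_errno;		/* Error number from UNIX errno space */
	uint8_t sadb_msg_satype;	/* ESP, AH, etc. */
	uint16_t sadb_msg_len;		/* Length in 64-bit words. */
	uint16_t sadb_msg_reserved;	/* must be zero */
	/*
	 * Use the reserved field for extended diagnostic information on errno
	 * responses.  The value is one of the SADB_X_DIAGNOSTIC_* codes
	 * defined later in this file.
	 */
#define	sadb_x_msg_diagnostic sadb_msg_reserved
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint32_t sadb_x_msg_useq;	/* Set by originator */
			uint32_t sadb_x_msg_upid;	/* Set by originator */
		} sadb_x_msg_actual;
		uint64_t sadb_x_msg_alignment;
	} sadb_x_msg_u;
#define	sadb_msg_seq	sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_useq
#define	sadb_msg_pid	sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_upid
} sadb_msg_t;

/*
 * Generic extension header.  Every extension begins with a length (in
 * 64-bit words, including this header) and a type; the type selects which
 * of the specialised structures below actually describes the extension.
 */

typedef struct sadb_ext {
	union {
		/* Union is for guaranteeing 64-bit alignment. */
		struct {
			uint16_t sadb_x_ext_ulen;	/* In 64s, inclusive */
			uint16_t sadb_x_ext_utype;	/* 0 is reserved */
		} sadb_x_ext_actual;
		uint64_t sadb_x_ext_alignment;
	} sadb_x_ext_u;
#define	sadb_ext_len	sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_ulen
#define	sadb_ext_type	sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_utype
} sadb_ext_t;

/*
 * Security Association information extension (SADB_EXT_SA).
 */

typedef struct sadb_sa {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_sa_ulen;
			uint16_t sadb_x_sa_uexttype;	/* ASSOCIATION */
			uint32_t sadb_x_sa_uspi;	/* Sec. Param. Index */
		} sadb_x_sa_uactual;
		uint64_t sadb_x_sa_alignment;
	} sadb_x_sa_u;
#define	sadb_sa_len	sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_ulen
#define	sadb_sa_exttype	sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uexttype
#define	sadb_sa_spi	sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uspi
	uint8_t sadb_sa_replay;		/* Replay counter */
	uint8_t sadb_sa_state;		/* MATURE, DEAD, DYING, LARVAL */
	uint8_t sadb_sa_auth;		/* Authentication algorithm */
	uint8_t sadb_sa_encrypt;	/* Encryption algorithm */
	uint32_t sadb_sa_flags;		/* SA flags (SADB_SAFLAGS_*, */
					/* SADB_X_SAFLAGS_*). */
} sadb_sa_t;

/*
 * SA Lifetime extension.  Already 64-bit aligned thanks to uint64_t fields.
 * Used for the CURRENT, SOFT and HARD lifetime extensions alike.
 */

typedef struct sadb_lifetime {
	uint16_t sadb_lifetime_len;
	uint16_t sadb_lifetime_exttype;		/* SOFT, HARD, CURRENT */
	uint32_t sadb_lifetime_allocations;
	uint64_t sadb_lifetime_bytes;
	uint64_t sadb_lifetime_addtime;	/* These fields are assumed to hold */
	uint64_t sadb_lifetime_usetime;	/* >= sizeof (time_t). */
} sadb_lifetime_t;

/*
 * SA address information (SRC, DST, PROXY/INNER, NATT).  The fixed part
 * below is followed by a sockaddr whose length is implied by
 * sadb_address_len.
 */

typedef struct sadb_address {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_address_ulen;
			uint16_t sadb_x_address_uexttype;	/* SRC, DST, PROXY */
			uint8_t sadb_x_address_uproto;	/* Proto for ports... */
			uint8_t sadb_x_address_uprefixlen;	/* Prefix length. */
			uint16_t sadb_x_address_ureserved;	/* Padding */
		} sadb_x_address_actual;
		uint64_t sadb_x_address_alignment;
	} sadb_x_address_u;
#define	sadb_address_len \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ulen
#define	sadb_address_exttype \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uexttype
#define	sadb_address_proto \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uproto
#define	sadb_address_prefixlen \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uprefixlen
#define	sadb_address_reserved \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ureserved
	/* Followed by a sockaddr structure which may contain ports. */
} sadb_address_t;

/*
 * SA key information (KEY_AUTH, KEY_ENCRYPT).  sadb_key_bits gives the
 * key length in bits; the extension length is still in 64-bit words, so
 * the key material is padded up to the next word.
 */

typedef struct sadb_key {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_key_ulen;
			uint16_t sadb_x_key_uexttype;	/* AUTH, ENCRYPT */
			uint16_t sadb_x_key_ubits;	/* Actual len (bits) */
			uint16_t sadb_x_key_ureserved;
		} sadb_x_key_actual;
		uint64_t sadb_x_key_alignment;
	} sadb_x_key_u;
#define	sadb_key_len	sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ulen
#define	sadb_key_exttype	sadb_x_key_u.sadb_x_key_actual.sadb_x_key_uexttype
#define	sadb_key_bits	sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ubits
#define	sadb_key_reserved	sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ureserved
	/* Followed by actual key(s) in canonical (outbound proc.) order. */
} sadb_key_t;

/*
 * SA Identity information.  Already 64-bit aligned thanks to uint64_t fields.
 */

typedef struct sadb_ident {
	uint16_t sadb_ident_len;
	uint16_t sadb_ident_exttype;	/* SRC, DST, PROXY */
	uint16_t sadb_ident_type;	/* FQDN, USER_FQDN, etc. */
	uint16_t sadb_ident_reserved;	/* Padding */
	uint64_t sadb_ident_id;		/* For userid, etc. */
	/* Followed by an identity null-terminated C string if present. */
} sadb_ident_t;

/*
 * SA sensitivity information.  This is mostly useful on MLS systems.
 * The two bitmap lengths (sadb_sens_sens_len, sadb_sens_integ_len) are in
 * 64-bit words, like every other length in this file.
 */

typedef struct sadb_sens {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_sens_ulen;
			uint16_t sadb_x_sens_uexttype;	/* SENSITIVITY */
			uint32_t sadb_x_sens_udpd;	/* Protection domain */
		} sadb_x_sens_actual;
		uint64_t sadb_x_sens_alignment;
	} sadb_x_sens_u;
#define	sadb_sens_len	sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_ulen
#define	sadb_sens_exttype	sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_uexttype
#define	sadb_sens_dpd	sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_udpd
	uint8_t sadb_sens_sens_level;
	uint8_t sadb_sens_sens_len;	/* 64-bit words */
	uint8_t sadb_sens_integ_level;
	uint8_t sadb_sens_integ_len;	/* 64-bit words */
	uint32_t sadb_x_sens_flags;
	/*
	 * followed by two uint64_t arrays
	 * uint64_t sadb_sens_bitmap[sens_bitmap_len];
	 * uint64_t sadb_integ_bitmap[integ_bitmap_len];
	 */
} sadb_sens_t;

/*
 * We recycled the formerly reserved word for flags.
 */

#define	sadb_sens_reserved	sadb_x_sens_flags

#define	SADB_X_SENS_IMPLICIT	0x1	/* implicit labelling */
#define	SADB_X_SENS_UNLABELED	0x2	/* peer is unlabeled */

/*
 * a proposal extension.  This is found in an ACQUIRE message, and it
 * proposes what sort of SA the kernel would like to ACQUIRE.
 */

/*
 * First, a base structure...  The union lets the same 4 bytes be read
 * either as the original "replay + 3 reserved bytes" layout or as the
 * extended "replay + ereserved + number of ecombs" layout.
 */

typedef struct sadb_x_propbase {
	uint16_t sadb_x_propb_len;
	uint16_t sadb_x_propb_exttype;	/* PROPOSAL, X_EPROP */
	union {
		struct {
			uint8_t sadb_x_propb_lenres_replay;
			uint8_t sadb_x_propb_lenres_eres;
			uint16_t sadb_x_propb_lenres_numecombs;
		} sadb_x_propb_lenres;
		struct {
			uint8_t sadb_x_propb_oldres_replay;
			uint8_t sadb_x_propb_oldres_reserved[3];
		} sadb_x_propb_oldres;
	} sadb_x_propb_u;
#define	sadb_x_propb_replay \
	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_replay
#define	sadb_x_propb_reserved \
	sadb_x_propb_u.sadb_x_propb_oldres.sadb_x_propb_oldres_reserved
#define	sadb_x_propb_ereserved \
	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_eres
#define	sadb_x_propb_numecombs \
	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_numecombs
	/* Followed by sadb_comb[] array or sadb_ecomb[] array. */
} sadb_x_propbase_t;

/* Now, the actual sadb_prop structure, which will have alignment in it! */

typedef struct sadb_prop {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		sadb_x_propbase_t sadb_x_prop_actual;
		uint64_t sadb_x_prop_alignment;
	} sadb_x_prop_u;
#define	sadb_prop_len	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_len
#define	sadb_prop_exttype	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_exttype
#define	sadb_prop_replay	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_replay
#define	sadb_prop_reserved \
	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_reserved
#define	sadb_x_prop_ereserved \
	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_ereserved
#define	sadb_x_prop_numecombs \
	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_numecombs
} sadb_prop_t;

/*
 * This is a proposed combination.  Many of these can follow a proposal
 * extension.  Already 64-bit aligned thanks to uint64_t fields.
 */

typedef struct sadb_comb {
	uint8_t sadb_comb_auth;			/* Authentication algorithm */
	uint8_t sadb_comb_encrypt;		/* Encryption algorithm */
	uint16_t sadb_comb_flags;		/* Comb. flags (e.g. PFS) */
	uint16_t sadb_comb_auth_minbits;	/* Bit strengths for auth */
	uint16_t sadb_comb_auth_maxbits;
	uint16_t sadb_comb_encrypt_minbits;	/* Bit strengths for encrypt */
	uint16_t sadb_comb_encrypt_maxbits;
	uint32_t sadb_comb_reserved;
	uint32_t sadb_comb_soft_allocations;	/* Lifetime proposals for */
	uint32_t sadb_comb_hard_allocations;	/* this combination. */
	uint64_t sadb_comb_soft_bytes;
	uint64_t sadb_comb_hard_bytes;
	uint64_t sadb_comb_soft_addtime;
	uint64_t sadb_comb_hard_addtime;
	uint64_t sadb_comb_soft_usetime;
	uint64_t sadb_comb_hard_usetime;
} sadb_comb_t;

/*
 * An extended combination that can comprise of many SA types.
 * A single combination has algorithms and SA types locked.
 * These are represented by algorithm descriptors, the second structure
 * in the list.  For example, if the EACQUIRE requests AH(MD5) + ESP(DES/null)
 * _or_ ESP(DES/MD5), it would have two combinations:
 *
 * COMB: algdes(AH, AUTH, MD5), algdes(ESP, CRYPT, DES)
 * COMB: algdes(ESP, AUTH, MD5), algdes(ESP, CRYPT, DES)
 *
 * If an SA type supports an algorithm type, and there's no descriptor,
 * assume it requires NONE, just like it were explicitly stated.
 * (This includes ESP NULL encryption, BTW.)
 *
 * Already 64-bit aligned thanks to uint64_t fields.  sadb_x_ecomb_numalgs
 * gives the number of sadb_x_algdesc_t entries that follow.
 */

typedef struct sadb_x_ecomb {
	uint8_t sadb_x_ecomb_numalgs;
	uint8_t sadb_x_ecomb_reserved;
	uint16_t sadb_x_ecomb_flags;		/* E.g. PFS? */
	uint32_t sadb_x_ecomb_reserved2;
	uint32_t sadb_x_ecomb_soft_allocations;
	uint32_t sadb_x_ecomb_hard_allocations;
	uint64_t sadb_x_ecomb_soft_bytes;
	uint64_t sadb_x_ecomb_hard_bytes;
	uint64_t sadb_x_ecomb_soft_addtime;
	uint64_t sadb_x_ecomb_hard_addtime;
	uint64_t sadb_x_ecomb_soft_usetime;
	uint64_t sadb_x_ecomb_hard_usetime;
} sadb_x_ecomb_t;

/*
 * One algorithm descriptor inside an extended combination.  The algtype
 * values are SADB_X_ALGTYPE_*; the alg value is interpreted according to
 * the algtype (SADB_AALG_* for AUTH, SADB_EALG_* for CRYPT).
 */

typedef struct sadb_x_algdesc {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint8_t sadb_x_algdesc_usatype;	/* ESP, AH, etc. */
			uint8_t sadb_x_algdesc_ualgtype;	/* AUTH, CRYPT, COMP */
			uint8_t sadb_x_algdesc_ualg;	/* 3DES, MD5, etc. */
			uint8_t sadb_x_algdesc_ureserved;
			uint16_t sadb_x_algdesc_uminbits;	/* Bit strengths. */
			uint16_t sadb_x_algdesc_umaxbits;
		} sadb_x_algdesc_actual;
		uint64_t sadb_x_algdesc_alignment;
	} sadb_x_algdesc_u;
#define	sadb_x_algdesc_satype \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_usatype
#define	sadb_x_algdesc_algtype \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualgtype
#define	sadb_x_algdesc_alg \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualg
#define	sadb_x_algdesc_reserved \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ureserved
#define	sadb_x_algdesc_minbits \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_uminbits
#define	sadb_x_algdesc_maxbits \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_umaxbits
} sadb_x_algdesc_t;

/*
 * When key mgmt. registers with the kernel, the kernel will tell key mgmt.
 * its supported algorithms.  The header below is followed by an array of
 * sadb_alg_t, one per algorithm.
 */

typedef struct sadb_supported {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_supported_ulen;
			uint16_t sadb_x_supported_uexttype;
			uint32_t sadb_x_supported_ureserved;
		} sadb_x_supported_actual;
		uint64_t sadb_x_supported_alignment;
	} sadb_x_supported_u;
#define	sadb_supported_len \
	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ulen
#define	sadb_supported_exttype \
	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_uexttype
#define	sadb_supported_reserved \
	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ureserved
} sadb_supported_t;

/*
 * First, a base structure...  The trailing 16-bit word is either the RFC's
 * reserved field or, in this implementation, two one-byte defaults:
 * the key-length increment and the number of salt bits.
 */
typedef struct sadb_x_algb {
	uint8_t sadb_x_algb_id;		/* Algorithm type. */
	uint8_t sadb_x_algb_ivlen;	/* IV len, in bits */
	uint16_t sadb_x_algb_minbits;	/* Min. key len (in bits) */
	uint16_t sadb_x_algb_maxbits;	/* Max. key length */
	union {
		uint16_t sadb_x_algb_ureserved;
		uint8_t sadb_x_algb_udefaults[2];
	} sadb_x_algb_union;

#define	sadb_x_algb_reserved	sadb_x_algb_union.sadb_x_algb_ureserved
#define	sadb_x_algb_increment	sadb_x_algb_union.sadb_x_algb_udefaults[0]
#define	sadb_x_algb_saltbits	sadb_x_algb_union.sadb_x_algb_udefaults[1]
	/*
	 * alg_increment: the number of bits from a key length to the next
	 */
} sadb_x_algb_t;

/* Now, the actual sadb_alg structure, which will have alignment in it. */
typedef struct sadb_alg {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		sadb_x_algb_t sadb_x_alg_actual;
		uint64_t sadb_x_alg_alignment;
	} sadb_x_alg_u;
#define	sadb_alg_id	sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_id
#define	sadb_alg_ivlen	sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_ivlen
#define	sadb_alg_minbits	sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_minbits
#define	sadb_alg_maxbits	sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_maxbits
#define	sadb_alg_reserved	sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_reserved
#define	sadb_x_alg_increment \
	sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_increment
#define	sadb_x_alg_saltbits	sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_saltbits
} sadb_alg_t;

/*
 * If key mgmt. needs an SPI in a range (including 0 to 0xFFFFFFFF), it
 * asks the kernel with this extension in the SADB_GETSPI message.
 */

typedef struct sadb_spirange {
	uint16_t sadb_spirange_len;
	uint16_t sadb_spirange_exttype;	/* SPI_RANGE */
	uint32_t sadb_spirange_min;
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint32_t sadb_x_spirange_umax;
			uint32_t sadb_x_spirange_ureserved;
		} sadb_x_spirange_actual;
		uint64_t sadb_x_spirange_alignment;
	} sadb_x_spirange_u;
#define	sadb_spirange_max \
	sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_umax
#define	sadb_spirange_reserved \
	sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_ureserved
} sadb_spirange_t;

/*
 * For the "extended REGISTER" which'll tell the kernel to send me
 * "extended ACQUIREs".
 */

typedef struct sadb_x_ereg {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_ereg_ulen;
			uint16_t sadb_x_ereg_uexttype;	/* X_EREG */
			/*
			 * Array of SA types, 0-terminated.  Only four bytes
			 * fit in the header; longer lists continue past it.
			 */
			uint8_t sadb_x_ereg_usatypes[4];
		} sadb_x_ereg_actual;
		uint64_t sadb_x_ereg_alignment;
	} sadb_x_ereg_u;
#define	sadb_x_ereg_len \
	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_ulen
#define	sadb_x_ereg_exttype \
	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_uexttype
#define	sadb_x_ereg_satypes \
	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_usatypes
} sadb_x_ereg_t;

/*
 * For conveying a Key Management Cookie with SADB_GETSPI, SADB_ADD,
 * SADB_ACQUIRE, or SADB_X_INVERSE_ACQUIRE.
 */

typedef struct sadb_x_kmc {
	uint16_t sadb_x_kmc_len;
	uint16_t sadb_x_kmc_exttype;	/* X_KM_COOKIE */
	uint32_t sadb_x_kmc_proto;	/* KM protocol (SADB_X_KMP_*) */
	union {
		struct {
			uint32_t sadb_x_kmc_ucookie;	/* KMP-specific */
			uint32_t sadb_x_kmc_ureserved;	/* Must be zero */
		} sadb_x_kmc_actual;
		uint64_t sadb_x_kmc_alignment;
	} sadb_x_kmc_u;
#define	sadb_x_kmc_cookie	sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ucookie
#define	sadb_x_kmc_reserved	sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ureserved
} sadb_x_kmc_t;

/*
 * Pairing extension (SADB_X_EXT_PAIR): names the SPI of the SA that is the
 * other half of an inbound/outbound pair.
 */

typedef struct sadb_x_pair {
	union {
		/* Union is for guaranteeing 64-bit alignment. */
		struct {
			uint16_t sadb_x_pair_ulen;
			uint16_t sadb_x_pair_uexttype;
			uint32_t sadb_x_pair_uspi;	/* SPI of paired SA */
		} sadb_x_pair_actual;
		/*
		 * Named sadb_x_ext_alignment rather than sadb_x_pair_alignment;
		 * kept as-is for source compatibility.
		 */
		uint64_t sadb_x_ext_alignment;
	} sadb_x_pair_u;
#define	sadb_x_pair_len	sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_ulen
#define	sadb_x_pair_exttype \
	sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_uexttype
#define	sadb_x_pair_spi	sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_uspi
} sadb_x_pair_t;

/*
 * For the Sequence numbers to be used with SADB_DUMP, SADB_GET, SADB_UPDATE.
 */

typedef struct sadb_x_replay_ctr {
	uint16_t sadb_x_rc_len;
	uint16_t sadb_x_rc_exttype;
	uint32_t sadb_x_rc_replay32;	/* For 240x SAs. */
	uint64_t sadb_x_rc_replay64;	/* For 430x SAs. */
} sadb_x_replay_ctr_t;

/*
 * For extended DUMP request.  Dumps the SAs which were idle for
 * longer than the timeout specified.
 */

typedef struct sadb_x_edump {
	uint16_t sadb_x_edump_len;
	uint16_t sadb_x_edump_exttype;
	uint32_t sadb_x_edump_reserved;
	uint64_t sadb_x_edump_timeout;
} sadb_x_edump_t;

/*
 * Base message types (sadb_msg_type).
 */

#define	SADB_RESERVED		0
#define	SADB_GETSPI		1
#define	SADB_UPDATE		2
#define	SADB_ADD		3
#define	SADB_DELETE		4
#define	SADB_GET		5
#define	SADB_ACQUIRE		6
#define	SADB_REGISTER		7
#define	SADB_EXPIRE		8
#define	SADB_FLUSH		9
#define	SADB_DUMP		10	/* not used normally */
#define	SADB_X_PROMISC		11
#define	SADB_X_INVERSE_ACQUIRE	12
#define	SADB_X_UPDATEPAIR	13
#define	SADB_X_DELPAIR		14
#define	SADB_X_DELPAIR_STATE	15
#define	SADB_MAX		15

/*
 * SA flags (sadb_sa_flags).
 */

#define	SADB_SAFLAGS_PFS	0x1	/* Perfect forward secrecy? */
#define	SADB_SAFLAGS_NOREPLAY	0x2	/* Replay field NOT PRESENT. */

/*
 * Below flags are used by this implementation.  Grow from left-to-right.
 * Bit 0x2000 is not assigned in this header.
 */
#define	SADB_X_SAFLAGS_USED	0x80000000	/* SA used/not used */
#define	SADB_X_SAFLAGS_UNIQUE	0x40000000	/* SA unique/reusable */
#define	SADB_X_SAFLAGS_AALG1	0x20000000	/* Auth-alg specific flag 1 */
#define	SADB_X_SAFLAGS_AALG2	0x10000000	/* Auth-alg specific flag 2 */
#define	SADB_X_SAFLAGS_EALG1	0x8000000	/* Encr-alg specific flag 1 */
#define	SADB_X_SAFLAGS_EALG2	0x4000000	/* Encr-alg specific flag 2 */
#define	SADB_X_SAFLAGS_KM1	0x2000000	/* Key mgmt. specific flag 1 */
#define	SADB_X_SAFLAGS_KM2	0x1000000	/* Key mgmt. specific flag 2 */
#define	SADB_X_SAFLAGS_KM3	0x800000	/* Key mgmt. specific flag 3 */
#define	SADB_X_SAFLAGS_KM4	0x400000	/* Key mgmt. specific flag 4 */
#define	SADB_X_SAFLAGS_KRES1	0x200000	/* Reserved by the kernel */
#define	SADB_X_SAFLAGS_NATT_LOC	0x100000	/* this has a natted src SA */
#define	SADB_X_SAFLAGS_NATT_REM	0x80000		/* this has a natted dst SA */
#define	SADB_X_SAFLAGS_KRES2	0x40000		/* Reserved by the kernel */
#define	SADB_X_SAFLAGS_TUNNEL	0x20000		/* tunnel mode */
#define	SADB_X_SAFLAGS_PAIRED	0x10000		/* inbound/outbound pair */
#define	SADB_X_SAFLAGS_OUTBOUND	0x8000		/* SA direction bit */
#define	SADB_X_SAFLAGS_INBOUND	0x4000		/* SA direction bit */
#define	SADB_X_SAFLAGS_NATTED	0x1000		/* Local node is behind a NAT */

/*
 * Mask of the kernel-reserved flag bits.  The expansion is parenthesized
 * because it is an expression, not a single constant: without the
 * parentheses "flags & SADB_X_SAFLAGS_KRES" would parse as
 * "(flags & KRES1) | KRES2" and always report KRES2 as set.
 */
#define	SADB_X_SAFLAGS_KRES \
	(SADB_X_SAFLAGS_KRES1 | SADB_X_SAFLAGS_KRES2)

/*
 * SA state (sadb_sa_state).
 */

#define	SADB_SASTATE_LARVAL		0
#define	SADB_SASTATE_MATURE		1
#define	SADB_SASTATE_DYING		2
#define	SADB_SASTATE_DEAD		3
#define	SADB_X_SASTATE_ACTIVE_ELSEWHERE	4
#define	SADB_X_SASTATE_IDLE		5
#define	SADB_X_SASTATE_ACTIVE		6

#define	SADB_SASTATE_MAX		6

/*
 * SA type.  Gaps are present in the number space because (for the time being)
 * these types correspond to the SA types in the IPsec DOI document.
 */

#define	SADB_SATYPE_UNSPEC	0
#define	SADB_SATYPE_AH		2	/* RFC-1826 */
#define	SADB_SATYPE_ESP		3	/* RFC-1827 */
#define	SADB_SATYPE_RSVP	5	/* RSVP Authentication */
#define	SADB_SATYPE_OSPFV2	6	/* OSPFv2 Authentication */
#define	SADB_SATYPE_RIPV2	7	/* RIPv2 Authentication */
#define	SADB_SATYPE_MIP		8	/* Mobile IPv4 Authentication */

#define	SADB_SATYPE_MAX		8

/*
 * Algorithm types.  Gaps are present because (for the time being) these types
 * correspond to the SA types in the IPsec DOI document.
 *
 * NOTE:  These are numbered to play nice with the IPsec DOI.  That's why
 * there are gaps.
 */

/* Authentication algorithms */
#define	SADB_AALG_NONE		0
#define	SADB_AALG_MD5HMAC	2
#define	SADB_AALG_SHA1HMAC	3
#define	SADB_AALG_SHA256HMAC	5
#define	SADB_AALG_SHA384HMAC	6
#define	SADB_AALG_SHA512HMAC	7

#define	SADB_AALG_MAX		7

/* Encryption algorithms */
#define	SADB_EALG_NONE		0
#define	SADB_EALG_DESCBC	2
#define	SADB_EALG_3DESCBC	3
#define	SADB_EALG_BLOWFISH	7
#define	SADB_EALG_NULL		11
#define	SADB_EALG_AES		12
#define	SADB_EALG_AES_CCM_8	14
#define	SADB_EALG_AES_CCM_12	15
#define	SADB_EALG_AES_CCM_16	16
#define	SADB_EALG_AES_GCM_8	18
#define	SADB_EALG_AES_GCM_12	19
#define	SADB_EALG_AES_GCM_16	20
#define	SADB_EALG_MAX		20

/*
 * Extension header values (sadb_ext_type).
 */

#define	SADB_EXT_RESERVED		0

#define	SADB_EXT_SA			1
#define	SADB_EXT_LIFETIME_CURRENT	2
#define	SADB_EXT_LIFETIME_HARD		3
#define	SADB_EXT_LIFETIME_SOFT		4
#define	SADB_EXT_ADDRESS_SRC		5
#define	SADB_EXT_ADDRESS_DST		6
/* These two are synonyms. */
#define	SADB_EXT_ADDRESS_PROXY		7
#define	SADB_X_EXT_ADDRESS_INNER_SRC	SADB_EXT_ADDRESS_PROXY
#define	SADB_EXT_KEY_AUTH		8
#define	SADB_EXT_KEY_ENCRYPT		9
#define	SADB_EXT_IDENTITY_SRC		10
#define	SADB_EXT_IDENTITY_DST		11
#define	SADB_EXT_SENSITIVITY		12
#define	SADB_EXT_PROPOSAL		13
#define	SADB_EXT_SUPPORTED_AUTH		14
#define	SADB_EXT_SUPPORTED_ENCRYPT	15
#define	SADB_EXT_SPIRANGE		16
#define	SADB_X_EXT_EREG			17
#define	SADB_X_EXT_EPROP		18
#define	SADB_X_EXT_KM_COOKIE		19
#define	SADB_X_EXT_ADDRESS_NATT_LOC	20
#define	SADB_X_EXT_ADDRESS_NATT_REM	21
#define	SADB_X_EXT_ADDRESS_INNER_DST	22
#define	SADB_X_EXT_PAIR			23
#define	SADB_X_EXT_REPLAY_VALUE		24
#define	SADB_X_EXT_EDUMP		25
#define	SADB_X_EXT_LIFETIME_IDLE	26
#define	SADB_X_EXT_OUTER_SENS		27

#define	SADB_EXT_MAX			27

/*
 * Identity types (sadb_ident_type).
 */

#define	SADB_IDENTTYPE_RESERVED	0

/*
 * For PREFIX and ADDR_RANGE, use the AF of the PROXY if present, or the SRC
 * if not present.
 */
#define	SADB_IDENTTYPE_PREFIX		1
#define	SADB_IDENTTYPE_FQDN		2	/* Fully qualified domain name. */
#define	SADB_IDENTTYPE_USER_FQDN	3	/* e.g. root@domain.com */
#define	SADB_X_IDENTTYPE_DN		4	/* ASN.1 DER Distinguished Name. */
#define	SADB_X_IDENTTYPE_GN		5	/* ASN.1 DER Generic Name. */
#define	SADB_X_IDENTTYPE_KEY_ID		6	/* Generic KEY ID. */
#define	SADB_X_IDENTTYPE_ADDR_RANGE	7

#define	SADB_IDENTTYPE_MAX	7

/*
 * Protection DOI values for the SENSITIVITY extension.  There are no values
 * currently, so the MAX is the only non-zero value available.
 */

#define	SADB_DPD_NONE	0

#define	SADB_DPD_MAX	1

/*
 * Diagnostic codes.  These supplement error messages.  Be sure to
 * update libipsecutil's keysock_diag() if you change any of these.
 * They travel in sadb_msg_reserved (see sadb_x_msg_diagnostic above).
 */

#define	SADB_X_DIAGNOSTIC_PRESET	(-1)	/* Internal value. */

#define	SADB_X_DIAGNOSTIC_NONE		0

#define	SADB_X_DIAGNOSTIC_UNKNOWN_MSG	1
#define	SADB_X_DIAGNOSTIC_UNKNOWN_EXT	2
#define	SADB_X_DIAGNOSTIC_BAD_EXTLEN	3
#define	SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE	4
#define	SADB_X_DIAGNOSTIC_SATYPE_NEEDED	5
#define	SADB_X_DIAGNOSTIC_NO_SADBS	6
#define	SADB_X_DIAGNOSTIC_NO_EXT	7
/* Bad address family value in sockaddr->sa_family. */
#define	SADB_X_DIAGNOSTIC_BAD_SRC_AF	8
#define	SADB_X_DIAGNOSTIC_BAD_DST_AF	9
/* These two are synonyms. */
#define	SADB_X_DIAGNOSTIC_BAD_PROXY_AF	10
#define	SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF	10

#define	SADB_X_DIAGNOSTIC_AF_MISMATCH	11

#define	SADB_X_DIAGNOSTIC_BAD_SRC	12
#define	SADB_X_DIAGNOSTIC_BAD_DST	13

#define	SADB_X_DIAGNOSTIC_ALLOC_HSERR	14
#define	SADB_X_DIAGNOSTIC_BYTES_HSERR	15
#define	SADB_X_DIAGNOSTIC_ADDTIME_HSERR	16
#define	SADB_X_DIAGNOSTIC_USETIME_HSERR	17

#define	SADB_X_DIAGNOSTIC_MISSING_SRC	18
#define	SADB_X_DIAGNOSTIC_MISSING_DST	19
#define	SADB_X_DIAGNOSTIC_MISSING_SA	20
#define	SADB_X_DIAGNOSTIC_MISSING_EKEY	21
#define	SADB_X_DIAGNOSTIC_MISSING_AKEY	22
#define	SADB_X_DIAGNOSTIC_MISSING_RANGE	23

#define	SADB_X_DIAGNOSTIC_DUPLICATE_SRC	24
#define	SADB_X_DIAGNOSTIC_DUPLICATE_DST	25
#define	SADB_X_DIAGNOSTIC_DUPLICATE_SA	26
#define	SADB_X_DIAGNOSTIC_DUPLICATE_EKEY	27
#define	SADB_X_DIAGNOSTIC_DUPLICATE_AKEY	28
#define	SADB_X_DIAGNOSTIC_DUPLICATE_RANGE	29

#define	SADB_X_DIAGNOSTIC_MALFORMED_SRC	30
#define	SADB_X_DIAGNOSTIC_MALFORMED_DST	31
#define	SADB_X_DIAGNOSTIC_MALFORMED_SA	32
#define	SADB_X_DIAGNOSTIC_MALFORMED_EKEY	33
#define	SADB_X_DIAGNOSTIC_MALFORMED_AKEY	34
#define	SADB_X_DIAGNOSTIC_MALFORMED_RANGE	35

#define	SADB_X_DIAGNOSTIC_AKEY_PRESENT	36
#define	SADB_X_DIAGNOSTIC_EKEY_PRESENT	37
#define	SADB_X_DIAGNOSTIC_PROP_PRESENT	38
#define	SADB_X_DIAGNOSTIC_SUPP_PRESENT	39

#define	SADB_X_DIAGNOSTIC_BAD_AALG	40
#define	SADB_X_DIAGNOSTIC_BAD_EALG	41
#define	SADB_X_DIAGNOSTIC_BAD_SAFLAGS	42
#define	SADB_X_DIAGNOSTIC_BAD_SASTATE	43

#define	SADB_X_DIAGNOSTIC_BAD_AKEYBITS	44
#define	SADB_X_DIAGNOSTIC_BAD_EKEYBITS	45

#define	SADB_X_DIAGNOSTIC_ENCR_NOTSUPP	46

#define	SADB_X_DIAGNOSTIC_WEAK_EKEY	47
#define	SADB_X_DIAGNOSTIC_WEAK_AKEY	48

#define	SADB_X_DIAGNOSTIC_DUPLICATE_KMP	49
#define	SADB_X_DIAGNOSTIC_DUPLICATE_KMC	50

#define	SADB_X_DIAGNOSTIC_MISSING_NATT_LOC	51
#define	SADB_X_DIAGNOSTIC_MISSING_NATT_REM	52
#define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC	53
#define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM	54
#define	SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC	55
#define	SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM	56
#define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS	57

#define	SADB_X_DIAGNOSTIC_MISSING_INNER_SRC	58
#define	SADB_X_DIAGNOSTIC_MISSING_INNER_DST	59
#define	SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC	60
#define	SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST	61
#define	SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC	62
#define	SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST	63

#define	SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC	64
#define	SADB_X_DIAGNOSTIC_PREFIX_INNER_DST	65
#define	SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF	66
#define	SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH	67

#define	SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF	68
#define	SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF	69

#define	SADB_X_DIAGNOSTIC_PROTO_MISMATCH	70
#define	SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH	71

#define	SADB_X_DIAGNOSTIC_DUAL_PORT_SETS	72

#define	SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE	73
#define	SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH	74
#define	SADB_X_DIAGNOSTIC_PAIR_ALREADY		75
#define	SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND	76
#define	SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION	77

#define	SADB_X_DIAGNOSTIC_SA_NOTFOUND		78
#define	SADB_X_DIAGNOSTIC_SA_EXPIRED		79
#define	SADB_X_DIAGNOSTIC_BAD_CTX		80
#define	SADB_X_DIAGNOSTIC_INVALID_REPLAY	81
#define	SADB_X_DIAGNOSTIC_MISSING_LIFETIME	82

#define	SADB_X_DIAGNOSTIC_BAD_LABEL		83
#define	SADB_X_DIAGNOSTIC_MAX			83

/* Algorithm type for sadb_x_algdesc above... */

#define	SADB_X_ALGTYPE_NONE	0
#define	SADB_X_ALGTYPE_AUTH	1
#define	SADB_X_ALGTYPE_CRYPT	2
#define	SADB_X_ALGTYPE_COMPRESS	3

#define	SADB_X_ALGTYPE_MAX	3

/* Key management protocol for sadb_x_kmc above... */

#define	SADB_X_KMP_MANUAL	0
#define	SADB_X_KMP_IKE		1
#define	SADB_X_KMP_KINK		2

#define	SADB_X_KMP_MAX		2

/*
 * Handy conversion macros.  Not part of the PF_KEY spec...
 *
 * SADB_64TO8/SADB_8TO64 convert between 64-bit words (the unit of every
 * *_len field above) and bytes; SADB_8TO1/SADB_1TO8 convert between bytes
 * and bits (the unit of sadb_key_bits and the *_minbits/*_maxbits fields).
 * The right shifts truncate: a byte count that is not a multiple of eight
 * rounds down when converted to words.
 */

#define	SADB_64TO8(x)	((x) << 3)
#define	SADB_8TO64(x)	((x) >> 3)
#define	SADB_8TO1(x)	((x) << 3)
#define	SADB_1TO8(x)	((x) >> 3)

#ifdef	__cplusplus
}
#endif

#endif	/* _NET_PFKEYV2_H */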