1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #ifndef _INET_IPSEC_INFO_H 27 #define _INET_IPSEC_INFO_H 28 29 #ifdef __cplusplus 30 extern "C" { 31 #endif 32 33 #include <sys/crypto/common.h> 34 35 /* 36 * IPsec informational messages. These are M_CTL STREAMS messages, which 37 * convey IPsec information between various IP and related modules. Most 38 * have been deprecated by the de-STREAMS-ing of TCP/IP. What remains is: 39 * 40 * * Keysock consumer interface - These messages are wrappers for 41 * PF_KEY messages. They flow between AH/ESP and keysock. 42 * 43 */ 44 45 /* 46 * The IPsec M_CTL value MUST be something that will not be even close 47 * to an IPv4 or IPv6 header. This means the first byte must not be 48 * 0x40 - 0x4f or 0x60-0x6f. For big-endian machines, this is fixable with 49 * the IPSEC_M_CTL prefix. For little-endian machines, the actual M_CTL 50 * _type_ must not be in the aforementioned ranges. 51 * 52 * The reason for this avoidance is because M_CTL's with a real IPv4/IPv6 53 * datagram get sent from to TCP or UDP when an ICMP datagram affects a 54 * TCP/UDP session. 55 */ 56 #define IPSEC_M_CTL 0x73706900 57 58 /* 59 * M_CTL types for IPsec messages. Remember, the values 0x40 - 0x4f and 0x60 60 * - 0x6f are not to be used because of potential little-endian confusion. 61 * 62 * Offsets 3-7 (decimal) are in use, spread through this file. 63 * Check for duplicates through the whole file before adding. 64 */ 65 66 /* 67 * Keysock consumer interface. 68 * 69 * The driver/module keysock (which is a driver to PF_KEY sockets, but is 70 * a module to 'consumers' like AH and ESP) uses keysock consumer interface 71 * messages to pass on PF_KEY messages to consumers who process and act upon 72 * them. 73 */ 74 #define KEYSOCK_IN (IPSEC_M_CTL + 3) 75 #define KEYSOCK_OUT (IPSEC_M_CTL + 4) 76 #define KEYSOCK_OUT_ERR (IPSEC_M_CTL + 5) 77 #define KEYSOCK_HELLO (IPSEC_M_CTL + 6) 78 #define KEYSOCK_HELLO_ACK (IPSEC_M_CTL + 7) 79 80 /* 81 * KEYSOCK_HELLO is sent by keysock to a consumer when it is pushed on top 82 * of one (i.e. opened as a module). 83 * 84 * NOTE: Keysock_hello is simply an ipsec_info_t 85 */ 86 87 /* 88 * KEYSOCK_HELLO_ACK is sent by a consumer to acknowledge a KEYSOCK_HELLO. 89 * It contains the PF_KEYv2 sa_type, so keysock can redirect PF_KEY messages 90 * to the right consumer. 91 */ 92 typedef struct keysock_hello_ack_s { 93 uint32_t ks_hello_type; 94 uint32_t ks_hello_len; 95 uint8_t ks_hello_satype; /* PF_KEYv2 sa_type of ks client */ 96 } keysock_hello_ack_t; 97 98 #define KS_IN_ADDR_UNKNOWN 0 99 #define KS_IN_ADDR_NOTTHERE 1 100 #define KS_IN_ADDR_UNSPEC 2 101 #define KS_IN_ADDR_ME 3 102 #define KS_IN_ADDR_NOTME 4 103 #define KS_IN_ADDR_MBCAST 5 104 #define KS_IN_ADDR_DONTCARE 6 105 106 /* 107 * KEYSOCK_IN is a PF_KEY message from a PF_KEY socket destined for a consumer. 108 */ 109 typedef struct keysock_in_s { 110 uint32_t ks_in_type; 111 uint32_t ks_in_len; 112 /* 113 * NOTE: These pointers MUST be into the M_DATA that follows 114 * this M_CTL message. If they aren't, weirdness 115 * results. 116 */ 117 struct sadb_ext *ks_in_extv[SADB_EXT_MAX + 1]; 118 int ks_in_srctype; /* Source address type. */ 119 int ks_in_dsttype; /* Dest address type. */ 120 minor_t ks_in_serial; /* Serial # of sending socket. */ 121 } keysock_in_t; 122 123 /* 124 * KEYSOCK_OUT is a PF_KEY message from a consumer destined for a PF_KEY 125 * socket. 126 */ 127 typedef struct keysock_out_s { 128 uint32_t ks_out_type; 129 uint32_t ks_out_len; 130 minor_t ks_out_serial; /* Serial # of sending socket. */ 131 } keysock_out_t; 132 133 /* 134 * KEYSOCK_OUT_ERR is sent to a consumer from keysock if for some reason 135 * keysock could not find a PF_KEY socket to deliver a consumer-originated 136 * message (e.g. SADB_ACQUIRE). 137 */ 138 typedef struct keysock_out_err_s { 139 uint32_t ks_err_type; 140 uint32_t ks_err_len; 141 minor_t ks_err_serial; 142 int ks_err_errno; 143 /* 144 * Other, richer error information may end up going here eventually. 145 */ 146 } keysock_out_err_t; 147 148 /* 149 * All IPsec informational messages are placed into the ipsec_info_t 150 * union, so that allocation can be done once, and IPsec informational 151 * messages can be recycled. 152 */ 153 typedef union ipsec_info_u { 154 struct { 155 uint32_t ipsec_allu_type; 156 uint32_t ipsec_allu_len; /* In bytes */ 157 } ipsec_allu; 158 keysock_hello_ack_t keysock_hello_ack; 159 keysock_in_t keysock_in; 160 keysock_out_t keysock_out; 161 keysock_out_err_t keysock_out_err; 162 } ipsec_info_t; 163 #define ipsec_info_type ipsec_allu.ipsec_allu_type 164 #define ipsec_info_len ipsec_allu.ipsec_allu_len 165 166 #ifdef __cplusplus 167 } 168 #endif 169 170 #endif /* _INET_IPSEC_INFO_H */ 171