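/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */
/*
 * Copyright (c) 2018, Joyent, Inc.
 * Copyright 2024 Oxide Computer Company
 */

#ifndef	_NET_PFKEYV2_H
#define	_NET_PFKEYV2_H

/*
 * Definitions and structures for PF_KEY version 2.  See RFC 2367 for
 * more details.  SA == Security Association, which is what PF_KEY provides
 * an API for managing.
 *
 * Definitions of the form SADB_X_* are local extensions that are not present
 * in the IPsec DOI.
 *
 * Conventions used by every structure in this file:
 *
 *   - Each extension begins with a 16-bit length followed by a 16-bit
 *     extension type.  Lengths (sadb_*_len, sadb_msg_len) are counted in
 *     64-bit words and include the header itself; use SADB_64TO8() and
 *     SADB_8TO64() to convert to and from bytes.
 *
 *   - Where the leading fields do not naturally add up to a multiple of
 *     8 bytes, they are wrapped in a union with a uint64_t so that the
 *     structure (and whatever follows it) is 64-bit aligned.  The macros
 *     directly below each such union provide the RFC 2367 field names as
 *     member-access shorthands, e.g. msg->sadb_msg_seq.
 *
 *   - A parser must not trust any sadb_*_len value until it has been
 *     checked against the size of the enclosing message (see
 *     SADB_X_DIAGNOSTIC_BAD_EXTLEN and friends at the end of this file).
 */

#ifdef	__cplusplus
extern "C" {
#endif

#define	PF_KEY_V2		2
#define	PFKEYV2_REVISION	200109L

/*
 * Base PF_KEY message.  Every PF_KEY message starts with one of these,
 * optionally followed by extension headers (sadb_ext_t and descendants).
 */

typedef struct sadb_msg {
	uint8_t sadb_msg_version;	/* Version, currently PF_KEY_V2 */
	uint8_t sadb_msg_type;		/* ADD, UPDATE, etc. */
	uint8_t sadb_msg_errno;		/* Error number from UNIX errno space */
	uint8_t sadb_msg_satype;	/* ESP, AH, etc. */
	uint16_t sadb_msg_len;		/* Length in 64-bit words. */
	uint16_t sadb_msg_reserved;	/* must be zero */
/*
 * Use the reserved field for extended diagnostic information on errno
 * responses.  The SADB_X_DIAGNOSTIC_* values are defined below.
 */
#define	sadb_x_msg_diagnostic sadb_msg_reserved
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint32_t sadb_x_msg_useq;	/* Set by originator */
			uint32_t sadb_x_msg_upid;	/* Set by originator */
		} sadb_x_msg_actual;
		uint64_t sadb_x_msg_alignment;
	} sadb_x_msg_u;
#define	sadb_msg_seq sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_useq
#define	sadb_msg_pid sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_upid
} sadb_msg_t;

/*
 * Generic extension header.  Every extension can be viewed through this
 * structure first, to learn its length and type before it is cast to the
 * specific extension type.
 */

typedef struct sadb_ext {
	union {
		/* Union is for guaranteeing 64-bit alignment. */
		struct {
			uint16_t sadb_x_ext_ulen;	/* In 64s, inclusive */
			uint16_t sadb_x_ext_utype;	/* 0 is reserved */
		} sadb_x_ext_actual;
		uint64_t sadb_x_ext_alignment;
	} sadb_x_ext_u;
#define	sadb_ext_len sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_ulen
#define	sadb_ext_type sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_utype
} sadb_ext_t;

/*
 * Security Association information extension.
 */

typedef struct sadb_sa {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_sa_ulen;
			uint16_t sadb_x_sa_uexttype;	/* ASSOCIATION */
			uint32_t sadb_x_sa_uspi;	/* Sec. Param. Index */
		} sadb_x_sa_uactual;
		uint64_t sadb_x_sa_alignment;
	} sadb_x_sa_u;
#define	sadb_sa_len sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_ulen
#define	sadb_sa_exttype sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uexttype
#define	sadb_sa_spi sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uspi
	uint8_t sadb_sa_replay;		/* Replay counter */
	uint8_t sadb_sa_state;		/* MATURE, DEAD, DYING, LARVAL */
	uint8_t sadb_sa_auth;		/* Authentication algorithm */
	uint8_t sadb_sa_encrypt;	/* Encryption algorithm */
	uint32_t sadb_sa_flags;		/* SA flags (SADB_SAFLAGS_*). */
} sadb_sa_t;

/*
 * SA Lifetime extension.  Already 64-bit aligned thanks to uint64_t fields.
 */

typedef struct sadb_lifetime {
	uint16_t sadb_lifetime_len;
	uint16_t sadb_lifetime_exttype;		/* SOFT, HARD, CURRENT */
	uint32_t sadb_lifetime_allocations;
	uint64_t sadb_lifetime_bytes;
	uint64_t sadb_lifetime_addtime;	/* These fields are assumed to hold */
	uint64_t sadb_lifetime_usetime;	/* >= sizeof (time_t). */
} sadb_lifetime_t;

/*
 * SA address information.
 */

typedef struct sadb_address {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_address_ulen;
			uint16_t sadb_x_address_uexttype;	/* SRC, DST, PROXY */
			uint8_t sadb_x_address_uproto;	/* Proto for ports... */
			uint8_t sadb_x_address_uprefixlen;	/* Prefix length. */
			uint16_t sadb_x_address_ureserved;	/* Padding */
		} sadb_x_address_actual;
		uint64_t sadb_x_address_alignment;
	} sadb_x_address_u;
#define	sadb_address_len \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ulen
#define	sadb_address_exttype \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uexttype
#define	sadb_address_proto \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uproto
#define	sadb_address_prefixlen \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uprefixlen
#define	sadb_address_reserved \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ureserved
	/*
	 * Followed by a sockaddr structure which may contain ports.  The
	 * sockaddr's length is implied by sadb_address_len, not by any
	 * field of this header.
	 */
} sadb_address_t;

/*
 * SA key information.
 */

typedef struct sadb_key {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_key_ulen;
			uint16_t sadb_x_key_uexttype;	/* AUTH, ENCRYPT */
			uint16_t sadb_x_key_ubits;	/* Actual len (bits) */
			uint16_t sadb_x_key_ureserved;
		} sadb_x_key_actual;
		uint64_t sadb_x_key_alignment;
	} sadb_x_key_u;
#define	sadb_key_len sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ulen
#define	sadb_key_exttype sadb_x_key_u.sadb_x_key_actual.sadb_x_key_uexttype
#define	sadb_key_bits sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ubits
#define	sadb_key_reserved sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ureserved
	/*
	 * Followed by actual key(s) in canonical (outbound proc.) order.
	 * sadb_key_bits gives the key length in bits; sadb_key_len covers
	 * the header plus the key bytes rounded up to 64-bit words.
	 */
} sadb_key_t;

/*
 * SA Identity information.  Already 64-bit aligned thanks to uint64_t fields.
 */

typedef struct sadb_ident {
	uint16_t sadb_ident_len;
	uint16_t sadb_ident_exttype;	/* SRC, DST, PROXY */
	uint16_t sadb_ident_type;	/* FQDN, USER_FQDN, etc. */
	uint16_t sadb_ident_reserved;	/* Padding */
	uint64_t sadb_ident_id;		/* For userid, etc. */
	/* Followed by an identity null-terminate C string if present. */
} sadb_ident_t;

/*
 * SA sensitivity information.  This is mostly useful on MLS systems.
 */

typedef struct sadb_sens {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_sens_ulen;
			uint16_t sadb_x_sens_uexttype;	/* SENSITIVITY */
			uint32_t sadb_x_sens_udpd;	/* Protection domain */
		} sadb_x_sens_actual;
		uint64_t sadb_x_sens_alignment;
	} sadb_x_sens_u;
#define	sadb_sens_len sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_ulen
#define	sadb_sens_exttype sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_uexttype
#define	sadb_sens_dpd sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_udpd
	uint8_t sadb_sens_sens_level;
	uint8_t sadb_sens_sens_len;	/* 64-bit words */
	uint8_t sadb_sens_integ_level;
	uint8_t sadb_sens_integ_len;	/* 64-bit words */
	uint32_t sadb_x_sens_flags;
	/*
	 * followed by two uint64_t arrays
	 * uint64_t sadb_sens_bitmap[sens_bitmap_len];
	 * uint64_t sadb_integ_bitmap[integ_bitmap_len];
	 *
	 * The two array lengths come from sadb_sens_sens_len and
	 * sadb_sens_integ_len; together with this header they must fit
	 * inside sadb_sens_len.
	 */
} sadb_sens_t;

/*
 * We recycled the formerly reserved word for flags.
 */

#define	sadb_sens_reserved sadb_x_sens_flags

#define	SADB_X_SENS_IMPLICIT	0x1	/* implicit labelling */
#define	SADB_X_SENS_UNLABELED	0x2	/* peer is unlabeled */

/*
 * a proposal extension.  This is found in an ACQUIRE message, and it
 * proposes what sort of SA the kernel would like to ACQUIRE.
 */

/* First, a base structure... */

typedef struct sadb_x_propbase {
	uint16_t sadb_x_propb_len;
	uint16_t sadb_x_propb_exttype;	/* PROPOSAL, X_EPROP */
	/*
	 * The second union arm is the original RFC 2367 layout (replay
	 * byte plus three reserved bytes); the first arm reuses two of
	 * those reserved bytes as a count of extended combinations.
	 */
	union {
		struct {
			uint8_t sadb_x_propb_lenres_replay;
			uint8_t sadb_x_propb_lenres_eres;
			uint16_t sadb_x_propb_lenres_numecombs;
		} sadb_x_propb_lenres;
		struct {
			uint8_t sadb_x_propb_oldres_replay;
			uint8_t sadb_x_propb_oldres_reserved[3];
		} sadb_x_propb_oldres;
	} sadb_x_propb_u;
#define	sadb_x_propb_replay \
	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_replay
#define	sadb_x_propb_reserved \
	sadb_x_propb_u.sadb_x_propb_oldres.sadb_x_propb_oldres_reserved
#define	sadb_x_propb_ereserved \
	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_eres
#define	sadb_x_propb_numecombs \
	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_numecombs
	/* Followed by sadb_comb[] array or sadb_ecomb[] array. */
} sadb_x_propbase_t;

/* Now, the actual sadb_prop structure, which will have alignment in it! */

typedef struct sadb_prop {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		sadb_x_propbase_t sadb_x_prop_actual;
		uint64_t sadb_x_prop_alignment;
	} sadb_x_prop_u;
#define	sadb_prop_len sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_len
#define	sadb_prop_exttype sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_exttype
#define	sadb_prop_replay sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_replay
#define	sadb_prop_reserved \
	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_reserved
#define	sadb_x_prop_ereserved \
	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_ereserved
#define	sadb_x_prop_numecombs \
	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_numecombs
} sadb_prop_t;

/*
 * This is a proposed combination.  Many of these can follow a proposal
 * extension.  Already 64-bit aligned thanks to uint64_t fields.
 */

typedef struct sadb_comb {
	uint8_t sadb_comb_auth;			/* Authentication algorithm */
	uint8_t sadb_comb_encrypt;		/* Encryption algorithm */
	uint16_t sadb_comb_flags;		/* Comb. flags (e.g. PFS) */
	uint16_t sadb_comb_auth_minbits;	/* Bit strengths for auth */
	uint16_t sadb_comb_auth_maxbits;
	uint16_t sadb_comb_encrypt_minbits;	/* Bit strengths for encrypt */
	uint16_t sadb_comb_encrypt_maxbits;
	uint8_t sadb_x_comb_encrypt_saltbits;
	uint8_t sadb_x_comb_reserved;
	uint16_t sadb_comb_reserved;
	uint32_t sadb_comb_soft_allocations;	/* Lifetime proposals for */
	uint32_t sadb_comb_hard_allocations;	/* this combination. */
	uint64_t sadb_comb_soft_bytes;
	uint64_t sadb_comb_hard_bytes;
	uint64_t sadb_comb_soft_addtime;
	uint64_t sadb_comb_hard_addtime;
	uint64_t sadb_comb_soft_usetime;
	uint64_t sadb_comb_hard_usetime;
} sadb_comb_t;

/*
 * An extended combination that can comprise of many SA types.
 * A single combination has algorithms and SA types locked.
 * These are represented by algorithm descriptors, the second structure
 * in the list.  For example, if the EACQUIRE requests AH(MD5) + ESP(DES/null)
 * _or_ ESP(DES/MD5), it would have two combinations:
 *
 * COMB: algdes(AH, AUTH, MD5), algdes(ESP, CRYPT, DES)
 * COMB: algdes(ESP, AUTH, MD5), algdes(ESP, CRYPT, DES)
 *
 * If an SA type supports an algorithm type, and there's no descriptor,
 * assume it requires NONE, just like it were explicitly stated.
 * (This includes ESP NULL encryption, BTW.)
 *
 * Already 64-bit aligned thanks to uint64_t fields.
 */

typedef struct sadb_x_ecomb {
	uint8_t sadb_x_ecomb_numalgs;	/* Count of sadb_x_algdesc_t that follow */
	uint8_t sadb_x_ecomb_reserved;
	uint16_t sadb_x_ecomb_flags;	/* E.g. PFS? */
	uint32_t sadb_x_ecomb_reserved2;
	uint32_t sadb_x_ecomb_soft_allocations;
	uint32_t sadb_x_ecomb_hard_allocations;
	uint64_t sadb_x_ecomb_soft_bytes;
	uint64_t sadb_x_ecomb_hard_bytes;
	uint64_t sadb_x_ecomb_soft_addtime;
	uint64_t sadb_x_ecomb_hard_addtime;
	uint64_t sadb_x_ecomb_soft_usetime;
	uint64_t sadb_x_ecomb_hard_usetime;
} sadb_x_ecomb_t;

typedef struct sadb_x_algdesc {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint8_t sadb_x_algdesc_usatype;	/* ESP, AH, etc. */
			uint8_t sadb_x_algdesc_ualgtype;	/* AUTH, CRYPT, COMP */
			uint8_t sadb_x_algdesc_ualg;	/* 3DES, MD5, etc. */
			uint8_t sadb_x_algdesc_usaltbits;
			uint16_t sadb_x_algdesc_uminbits;	/* Bit strengths. */
			uint16_t sadb_x_algdesc_umaxbits;
		} sadb_x_algdesc_actual;
		uint64_t sadb_x_algdesc_alignment;
	} sadb_x_algdesc_u;
#define	sadb_x_algdesc_satype \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_usatype
#define	sadb_x_algdesc_algtype \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualgtype
#define	sadb_x_algdesc_alg \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualg
#define	sadb_x_algdesc_saltbits \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_usaltbits
#define	sadb_x_algdesc_minbits \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_uminbits
#define	sadb_x_algdesc_maxbits \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_umaxbits
} sadb_x_algdesc_t;

/*
 * When key mgmt. registers with the kernel, the kernel will tell key mgmt.
 * its supported algorithms.
 */

typedef struct sadb_supported {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_supported_ulen;
			uint16_t sadb_x_supported_uexttype;
			uint32_t sadb_x_supported_ureserved;
		} sadb_x_supported_actual;
		uint64_t sadb_x_supported_alignment;
	} sadb_x_supported_u;
#define	sadb_supported_len \
	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ulen
#define	sadb_supported_exttype \
	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_uexttype
#define	sadb_supported_reserved \
	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ureserved
	/* Followed by an array of sadb_alg_t, one per supported algorithm. */
} sadb_supported_t;

/* First, a base structure... */
typedef struct sadb_x_algb {
	uint8_t sadb_x_algb_id;		/* Algorithm type. */
	uint8_t sadb_x_algb_ivlen;	/* IV len, in bits */
	uint16_t sadb_x_algb_minbits;	/* Min. key len (in bits) */
	uint16_t sadb_x_algb_maxbits;	/* Max. key length */
	union {
		uint16_t sadb_x_algb_ureserved;
		uint8_t sadb_x_algb_udefaults[2];
	} sadb_x_algb_union;

#define	sadb_x_algb_reserved sadb_x_algb_union.sadb_x_algb_ureserved
#define	sadb_x_algb_increment sadb_x_algb_union.sadb_x_algb_udefaults[0]
#define	sadb_x_algb_saltbits sadb_x_algb_union.sadb_x_algb_udefaults[1]
	/*
	 * alg_increment: the number of bits from a key length to the next
	 */
} sadb_x_algb_t;

/* Now, the actual sadb_alg structure, which will have alignment in it. */
typedef struct sadb_alg {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		sadb_x_algb_t sadb_x_alg_actual;
		uint64_t sadb_x_alg_alignment;
	} sadb_x_alg_u;
#define	sadb_alg_id sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_id
#define	sadb_alg_ivlen sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_ivlen
#define	sadb_alg_minbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_minbits
#define	sadb_alg_maxbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_maxbits
#define	sadb_alg_reserved sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_reserved
#define	sadb_x_alg_increment \
	sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_increment
#define	sadb_x_alg_saltbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_saltbits
} sadb_alg_t;

/*
 * If key mgmt. needs an SPI in a range (including 0 to 0xFFFFFFFF), it
 * asks the kernel with this extension in the SADB_GETSPI message.
 */

typedef struct sadb_spirange {
	uint16_t sadb_spirange_len;
	uint16_t sadb_spirange_exttype;	/* SPI_RANGE */
	uint32_t sadb_spirange_min;
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint32_t sadb_x_spirange_umax;
			uint32_t sadb_x_spirange_ureserved;
		} sadb_x_spirange_actual;
		uint64_t sadb_x_spirange_alignment;
	} sadb_x_spirange_u;
#define	sadb_spirange_max \
	sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_umax
#define	sadb_spirange_reserved \
	sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_ureserved
} sadb_spirange_t;

/*
 * For the "extended REGISTER" which'll tell the kernel to send me
 * "extended ACQUIREs".
 */

typedef struct sadb_x_ereg {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_ereg_ulen;
			uint16_t sadb_x_ereg_uexttype;	/* X_EREG */
			/* Array of SA types, 0-terminated. */
			uint8_t sadb_x_ereg_usatypes[4];
		} sadb_x_ereg_actual;
		uint64_t sadb_x_ereg_alignment;
	} sadb_x_ereg_u;
#define	sadb_x_ereg_len \
	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_ulen
#define	sadb_x_ereg_exttype \
	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_uexttype
#define	sadb_x_ereg_satypes \
	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_usatypes
} sadb_x_ereg_t;

/*
 * For conveying a Key Management Cookie with SADB_GETSPI, SADB_ADD,
 * SADB_ACQUIRE, or SADB_X_INVERSE_ACQUIRE.
 */

typedef struct sadb_x_kmc {
	uint16_t sadb_x_kmc_len;
	uint16_t sadb_x_kmc_exttype;	/* X_KM_COOKIE */
	uint32_t sadb_x_kmc_proto;	/* KM protocol */
	/*
	 * The cookie can be read either as a 32-bit value plus a reserved
	 * word (the original wire layout) or as one 64-bit value; both
	 * views overlay the same 8 bytes.
	 */
	union {
		struct {
			uint32_t sadb_x_kmc_ucookie;	/* KMP-specific */
			uint32_t sadb_x_kmc_ureserved;	/* Must be zero */
		} sadb_x_kmc_actual;
		uint64_t sadb_x_kmc_ucookie64;
	} sadb_x_kmc_u;
#define	sadb_x_kmc_cookie sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ucookie
#define	sadb_x_kmc_reserved sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ureserved
#define	sadb_x_kmc_cookie64 sadb_x_kmc_u.sadb_x_kmc_ucookie64
} sadb_x_kmc_t;

typedef struct sadb_x_pair {
	union {
		/* Union is for guaranteeing 64-bit alignment. */
		struct {
			uint16_t sadb_x_pair_ulen;
			uint16_t sadb_x_pair_uexttype;
			uint32_t sadb_x_pair_uspi;	/* SPI of paired SA */
		} sadb_x_pair_actual;
		/*
		 * The alignment member carries the sadb_x_ext_ prefix
		 * rather than sadb_x_pair_; the name is kept as-is so
		 * existing references continue to compile.
		 */
		uint64_t sadb_x_ext_alignment;
	} sadb_x_pair_u;
#define	sadb_x_pair_len sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_ulen
#define	sadb_x_pair_exttype \
	sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_uexttype
#define	sadb_x_pair_spi sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_uspi
} sadb_x_pair_t;

/*
 * For the Sequence numbers to be used with SADB_DUMP, SADB_GET, SADB_UPDATE.
 */

typedef struct sadb_x_replay_ctr {
	uint16_t sadb_x_rc_len;
	uint16_t sadb_x_rc_exttype;
	uint32_t sadb_x_rc_replay32;	/* For 240x SAs. */
	uint64_t sadb_x_rc_replay64;	/* For 430x SAs. */
} sadb_x_replay_ctr_t;

/*
 * For extended DUMP request.  Dumps the SAs which were idle for
 * longer than the timeout specified.
 */

typedef struct sadb_x_edump {
	uint16_t sadb_x_edump_len;
	uint16_t sadb_x_edump_exttype;
	uint32_t sadb_x_edump_reserved;
	uint64_t sadb_x_edump_timeout;
} sadb_x_edump_t;

/*
 * Base message types.
 */

#define	SADB_RESERVED		0
#define	SADB_GETSPI		1
#define	SADB_UPDATE		2
#define	SADB_ADD		3
#define	SADB_DELETE		4
#define	SADB_GET		5
#define	SADB_ACQUIRE		6
#define	SADB_REGISTER		7
#define	SADB_EXPIRE		8
#define	SADB_FLUSH		9
#define	SADB_DUMP		10   /* not used normally */
#define	SADB_X_PROMISC		11
#define	SADB_X_INVERSE_ACQUIRE	12
#define	SADB_X_UPDATEPAIR	13
#define	SADB_X_DELPAIR		14
#define	SADB_X_DELPAIR_STATE	15
#define	SADB_MAX		15

/*
 * SA flags
 */

#define	SADB_SAFLAGS_PFS	0x1	/* Perfect forward secrecy? */
#define	SADB_SAFLAGS_NOREPLAY	0x2	/* Replay field NOT PRESENT. */

/* Below flags are used by this implementation.  Grow from left-to-right. */
#define	SADB_X_SAFLAGS_USED	0x80000000	/* SA used/not used */
#define	SADB_X_SAFLAGS_UNIQUE	0x40000000	/* SA unique/reusable */
#define	SADB_X_SAFLAGS_AALG1	0x20000000	/* Auth-alg specific flag 1 */
#define	SADB_X_SAFLAGS_AALG2	0x10000000	/* Auth-alg specific flag 2 */
#define	SADB_X_SAFLAGS_EALG1	 0x8000000	/* Encr-alg specific flag 1 */
#define	SADB_X_SAFLAGS_EALG2	 0x4000000	/* Encr-alg specific flag 2 */
#define	SADB_X_SAFLAGS_KM1	 0x2000000	/* Key mgmt. specific flag 1 */
#define	SADB_X_SAFLAGS_KM2	 0x1000000	/* Key mgmt. specific flag 2 */
#define	SADB_X_SAFLAGS_KM3	  0x800000	/* Key mgmt. specific flag 3 */
#define	SADB_X_SAFLAGS_KM4	  0x400000	/* Key mgmt. specific flag 4 */
#define	SADB_X_SAFLAGS_KRES1	  0x200000	/* Reserved by the kernel */
#define	SADB_X_SAFLAGS_NATT_LOC	  0x100000	/* this has a natted src SA */
#define	SADB_X_SAFLAGS_NATT_REM	   0x80000	/* this has a natted dst SA */
#define	SADB_X_SAFLAGS_KRES2	   0x40000	/* Reserved by the kernel */
#define	SADB_X_SAFLAGS_TUNNEL	   0x20000	/* tunnel mode */
#define	SADB_X_SAFLAGS_PAIRED	   0x10000	/* inbound/outbound pair */
#define	SADB_X_SAFLAGS_OUTBOUND	    0x8000	/* SA direction bit */
#define	SADB_X_SAFLAGS_INBOUND	    0x4000	/* SA direction bit */
#define	SADB_X_SAFLAGS_TCPSIG	    0x2000	/* SA is for a TCP signature */
#define	SADB_X_SAFLAGS_NATTED	    0x1000	/* Local node is behind a NAT */

/*
 * Both kernel-reserved bits.  The expansion is parenthesized so that
 * `flags & SADB_X_SAFLAGS_KRES` tests both bits instead of parsing as
 * `(flags & KRES1) | KRES2`.
 */
#define	SADB_X_SAFLAGS_KRES \
	(SADB_X_SAFLAGS_KRES1 | SADB_X_SAFLAGS_KRES2)

/*
 * SA state.
 */

#define	SADB_SASTATE_LARVAL		0
#define	SADB_SASTATE_MATURE		1
#define	SADB_SASTATE_DYING		2
#define	SADB_SASTATE_DEAD		3
#define	SADB_X_SASTATE_ACTIVE_ELSEWHERE	4
#define	SADB_X_SASTATE_IDLE		5
#define	SADB_X_SASTATE_ACTIVE		6

#define	SADB_SASTATE_MAX		6

/*
 * SA type.  Gaps are present in the number space because (for the time being)
 * these types correspond to the SA types in the IPsec DOI document.
 */

#define	SADB_SATYPE_UNSPEC	0
#define	SADB_SATYPE_AH		2  /* RFC-1826 */
#define	SADB_SATYPE_ESP		3  /* RFC-1827 */
#define	SADB_X_SATYPE_TCPSIG	4  /* RFC-2385 */
#define	SADB_SATYPE_RSVP	5  /* RSVP Authentication */
#define	SADB_SATYPE_OSPFV2	6  /* OSPFv2 Authentication */
#define	SADB_SATYPE_RIPV2	7  /* RIPv2 Authentication */
#define	SADB_SATYPE_MIP		8  /* Mobile IPv4 Authentication */

#define	SADB_SATYPE_MAX		8

#define	TCPSIG_MD5_KEY_LEN	80

/*
 * Algorithm types.  Gaps are present because (for the time being) these types
 * correspond to the SA types in the IPsec DOI document.
 *
 * NOTE: These are numbered to play nice with the IPsec DOI.  That's why
 * there are gaps.
 */

/* Authentication algorithms */
#define	SADB_AALG_NONE		0
#define	SADB_AALG_MD5		1
#define	SADB_AALG_MD5HMAC	2
#define	SADB_AALG_SHA1HMAC	3
#define	SADB_AALG_SHA256HMAC	5
#define	SADB_AALG_SHA384HMAC	6
#define	SADB_AALG_SHA512HMAC	7

#define	SADB_AALG_MAX		7

/* Encryption algorithms */
#define	SADB_EALG_NONE		0
#define	SADB_EALG_DESCBC	2
#define	SADB_EALG_3DESCBC	3
#define	SADB_EALG_BLOWFISH	7
#define	SADB_EALG_NULL		11
#define	SADB_EALG_AES		12
#define	SADB_EALG_AES_CCM_8	14
#define	SADB_EALG_AES_CCM_12	15
#define	SADB_EALG_AES_CCM_16	16
#define	SADB_EALG_AES_GCM_8	18
#define	SADB_EALG_AES_GCM_12	19
#define	SADB_EALG_AES_GCM_16	20
#define	SADB_EALG_MAX		20

/*
 * Extension header values.
 */

#define	SADB_EXT_RESERVED		0

#define	SADB_EXT_SA			1
#define	SADB_EXT_LIFETIME_CURRENT	2
#define	SADB_EXT_LIFETIME_HARD		3
#define	SADB_EXT_LIFETIME_SOFT		4
#define	SADB_EXT_ADDRESS_SRC		5
#define	SADB_EXT_ADDRESS_DST		6
/* These two are synonyms. */
#define	SADB_EXT_ADDRESS_PROXY		7
#define	SADB_X_EXT_ADDRESS_INNER_SRC	SADB_EXT_ADDRESS_PROXY
#define	SADB_EXT_KEY_AUTH		8
#define	SADB_EXT_KEY_ENCRYPT		9
#define	SADB_EXT_IDENTITY_SRC		10
#define	SADB_EXT_IDENTITY_DST		11
#define	SADB_EXT_SENSITIVITY		12
#define	SADB_EXT_PROPOSAL		13
#define	SADB_EXT_SUPPORTED_AUTH		14
#define	SADB_EXT_SUPPORTED_ENCRYPT	15
#define	SADB_EXT_SPIRANGE		16
#define	SADB_X_EXT_EREG			17
#define	SADB_X_EXT_EPROP		18
#define	SADB_X_EXT_KM_COOKIE		19
#define	SADB_X_EXT_ADDRESS_NATT_LOC	20
#define	SADB_X_EXT_ADDRESS_NATT_REM	21
#define	SADB_X_EXT_ADDRESS_INNER_DST	22
#define	SADB_X_EXT_PAIR			23
#define	SADB_X_EXT_REPLAY_VALUE		24
#define	SADB_X_EXT_EDUMP		25
#define	SADB_X_EXT_LIFETIME_IDLE	26
#define	SADB_X_EXT_OUTER_SENS		27
#define	SADB_X_EXT_STR_AUTH		28

#define	SADB_EXT_MAX			28

/*
 * Identity types.
 */

#define	SADB_IDENTTYPE_RESERVED	0

/*
 * For PREFIX and ADDR_RANGE, use the AF of the PROXY if present, or the SRC
 * if not present.
 */
#define	SADB_IDENTTYPE_PREFIX		1
#define	SADB_IDENTTYPE_FQDN		2 /* Fully qualified domain name. */
#define	SADB_IDENTTYPE_USER_FQDN	3 /* e.g. root@domain.com */
#define	SADB_X_IDENTTYPE_DN		4 /* ASN.1 DER Distinguished Name. */
#define	SADB_X_IDENTTYPE_GN		5 /* ASN.1 DER Generic Name. */
#define	SADB_X_IDENTTYPE_KEY_ID		6 /* Generic KEY ID. */
#define	SADB_X_IDENTTYPE_ADDR_RANGE	7

#define	SADB_IDENTTYPE_MAX	7

/*
 * Protection DOI values for the SENSITIVITY extension.  There are no values
 * currently, so the MAX is the only non-zero value available.
 */

#define	SADB_DPD_NONE	0

#define	SADB_DPD_MAX	1

/*
 * Diagnostic codes.  These supplement error messages.  Be sure to
 * update libipsecutil's keysock_diag() if you change any of these.
 */

#define	SADB_X_DIAGNOSTIC_PRESET	(-1)	/* Internal value. */

#define	SADB_X_DIAGNOSTIC_NONE		0

#define	SADB_X_DIAGNOSTIC_UNKNOWN_MSG	1
#define	SADB_X_DIAGNOSTIC_UNKNOWN_EXT	2
#define	SADB_X_DIAGNOSTIC_BAD_EXTLEN	3
#define	SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE	4
#define	SADB_X_DIAGNOSTIC_SATYPE_NEEDED	5
#define	SADB_X_DIAGNOSTIC_NO_SADBS	6
#define	SADB_X_DIAGNOSTIC_NO_EXT	7
/* Bad address family value */
#define	SADB_X_DIAGNOSTIC_BAD_SRC_AF	8
/* in sockaddr->sa_family. */
#define	SADB_X_DIAGNOSTIC_BAD_DST_AF	9
/* These two are synonyms. */
#define	SADB_X_DIAGNOSTIC_BAD_PROXY_AF	10
#define	SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF	10

#define	SADB_X_DIAGNOSTIC_AF_MISMATCH	11

#define	SADB_X_DIAGNOSTIC_BAD_SRC	12
#define	SADB_X_DIAGNOSTIC_BAD_DST	13

#define	SADB_X_DIAGNOSTIC_ALLOC_HSERR	14
#define	SADB_X_DIAGNOSTIC_BYTES_HSERR	15
#define	SADB_X_DIAGNOSTIC_ADDTIME_HSERR	16
#define	SADB_X_DIAGNOSTIC_USETIME_HSERR	17

#define	SADB_X_DIAGNOSTIC_MISSING_SRC	18
#define	SADB_X_DIAGNOSTIC_MISSING_DST	19
#define	SADB_X_DIAGNOSTIC_MISSING_SA	20
#define	SADB_X_DIAGNOSTIC_MISSING_EKEY	21
#define	SADB_X_DIAGNOSTIC_MISSING_AKEY	22
#define	SADB_X_DIAGNOSTIC_MISSING_RANGE	23

#define	SADB_X_DIAGNOSTIC_DUPLICATE_SRC	24
#define	SADB_X_DIAGNOSTIC_DUPLICATE_DST	25
#define	SADB_X_DIAGNOSTIC_DUPLICATE_SA	26
#define	SADB_X_DIAGNOSTIC_DUPLICATE_EKEY	27
#define	SADB_X_DIAGNOSTIC_DUPLICATE_AKEY	28
#define	SADB_X_DIAGNOSTIC_DUPLICATE_RANGE	29

#define	SADB_X_DIAGNOSTIC_MALFORMED_SRC	30
#define	SADB_X_DIAGNOSTIC_MALFORMED_DST	31
#define	SADB_X_DIAGNOSTIC_MALFORMED_SA	32
#define	SADB_X_DIAGNOSTIC_MALFORMED_EKEY	33
#define	SADB_X_DIAGNOSTIC_MALFORMED_AKEY	34
#define	SADB_X_DIAGNOSTIC_MALFORMED_RANGE	35

#define	SADB_X_DIAGNOSTIC_AKEY_PRESENT	36
#define	SADB_X_DIAGNOSTIC_EKEY_PRESENT	37
#define	SADB_X_DIAGNOSTIC_PROP_PRESENT	38
#define	SADB_X_DIAGNOSTIC_SUPP_PRESENT	39

#define	SADB_X_DIAGNOSTIC_BAD_AALG	40
#define	SADB_X_DIAGNOSTIC_BAD_EALG	41
#define	SADB_X_DIAGNOSTIC_BAD_SAFLAGS	42
#define	SADB_X_DIAGNOSTIC_BAD_SASTATE	43

#define	SADB_X_DIAGNOSTIC_BAD_AKEYBITS	44
#define	SADB_X_DIAGNOSTIC_BAD_EKEYBITS	45

#define	SADB_X_DIAGNOSTIC_ENCR_NOTSUPP	46

#define	SADB_X_DIAGNOSTIC_WEAK_EKEY	47
#define	SADB_X_DIAGNOSTIC_WEAK_AKEY	48

#define	SADB_X_DIAGNOSTIC_DUPLICATE_KMP	49
#define	SADB_X_DIAGNOSTIC_DUPLICATE_KMC	50

#define	SADB_X_DIAGNOSTIC_MISSING_NATT_LOC	51
#define	SADB_X_DIAGNOSTIC_MISSING_NATT_REM	52
#define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC	53
#define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM	54
#define	SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC	55
#define	SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM	56
#define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS	57

#define	SADB_X_DIAGNOSTIC_MISSING_INNER_SRC	58
#define	SADB_X_DIAGNOSTIC_MISSING_INNER_DST	59
#define	SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC	60
#define	SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST	61
#define	SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC	62
#define	SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST	63

#define	SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC	64
#define	SADB_X_DIAGNOSTIC_PREFIX_INNER_DST	65
#define	SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF	66
#define	SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH	67

#define	SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF	68
#define	SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF	69

#define	SADB_X_DIAGNOSTIC_PROTO_MISMATCH	70
#define	SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH	71

#define	SADB_X_DIAGNOSTIC_DUAL_PORT_SETS	72

#define	SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE	73
#define	SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH	74
#define	SADB_X_DIAGNOSTIC_PAIR_ALREADY		75
#define	SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND	76
#define	SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION	77

#define	SADB_X_DIAGNOSTIC_SA_NOTFOUND		78
#define	SADB_X_DIAGNOSTIC_SA_EXPIRED		79
#define	SADB_X_DIAGNOSTIC_BAD_CTX		80
#define	SADB_X_DIAGNOSTIC_INVALID_REPLAY	81
#define	SADB_X_DIAGNOSTIC_MISSING_LIFETIME	82

#define	SADB_X_DIAGNOSTIC_BAD_LABEL		83

#define	SADB_X_DIAGNOSTIC_MISSING_ASTR		84
#define	SADB_X_DIAGNOSTIC_DUPLICATE_ASTR	85
#define	SADB_X_DIAGNOSTIC_MALFORMED_ASTR	86

#define	SADB_X_DIAGNOSTIC_MAX			86

/* Algorithm type for sadb_x_algdesc above... */

#define	SADB_X_ALGTYPE_NONE	0
#define	SADB_X_ALGTYPE_AUTH	1
#define	SADB_X_ALGTYPE_CRYPT	2
#define	SADB_X_ALGTYPE_COMPRESS	3

#define	SADB_X_ALGTYPE_MAX	3

/* Key management protocol for sadb_x_kmc above... */

#define	SADB_X_KMP_MANUAL	0	/* Cookie is ignored. */
#define	SADB_X_KMP_IKE		1
#define	SADB_X_KMP_KINK		2
#define	SADB_X_KMP_IKEV2	3

#define	SADB_X_KMP_MAX		SADB_X_KMP_IKEV2

/*
 * Handy conversion macros.  Not part of the PF_KEY spec...
 *
 * 64TO8/8TO64 convert between 64-bit-word counts (the unit of every
 * sadb_*_len field) and bytes; 8TO1/1TO8 convert between bytes and bits
 * (the unit of sadb_key_bits and the *_minbits/*_maxbits fields).  They
 * do not range-check: a uint16_t word count promotes to int before the
 * shift, so 64TO8 of any sadb_*_len value cannot overflow, but callers
 * feeding wider values must check for themselves.
 */

#define	SADB_64TO8(x)	((x) << 3)
#define	SADB_8TO64(x)	((x) >> 3)
#define	SADB_8TO1(x)	((x) << 3)
#define	SADB_1TO8(x)	((x) >> 3)

#ifdef	__cplusplus
}
#endif

#endif	/* _NET_PFKEYV2_H */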