xref: /illumos-gate/usr/src/uts/common/net/pfkeyv2.h (revision f78cdc34af236a6199dd9e21376f4a46348c0d56)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 /*
26  * Copyright (c) 2018, Joyent, Inc.
27  */
28 
29 #ifndef	_NET_PFKEYV2_H
30 #define	_NET_PFKEYV2_H
31 
32 /*
33  * Definitions and structures for PF_KEY version 2.  See RFC 2367 for
34  * more details.  SA == Security Association, which is what PF_KEY provides
35  * an API for managing.
36  */
37 
38 #ifdef	__cplusplus
39 extern "C" {
40 #endif
41 
42 #define	PF_KEY_V2		2
43 #define	PFKEYV2_REVISION	200109L
44 
45 /*
46  * Base PF_KEY message.
47  */
48 
49 typedef struct sadb_msg {
50 	uint8_t sadb_msg_version;	/* Version, currently PF_KEY_V2 */
51 	uint8_t sadb_msg_type;		/* ADD, UPDATE, etc. */
52 	uint8_t sadb_msg_errno;		/* Error number from UNIX errno space */
53 	uint8_t sadb_msg_satype;	/* ESP, AH, etc. */
54 	uint16_t sadb_msg_len;		/* Length in 64-bit words. */
55 	uint16_t sadb_msg_reserved;	/* must be zero */
56 /*
57  * Use the reserved field for extended diagnostic information on errno
58  * responses.
59  */
60 #define	sadb_x_msg_diagnostic sadb_msg_reserved
61 	/* Union is for guaranteeing 64-bit alignment. */
62 	union {
63 		struct {
64 			uint32_t sadb_x_msg_useq;	/* Set by originator */
65 			uint32_t sadb_x_msg_upid;	/* Set by originator */
66 		} sadb_x_msg_actual;
67 		uint64_t sadb_x_msg_alignment;
68 	} sadb_x_msg_u;
69 #define	sadb_msg_seq sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_useq
70 #define	sadb_msg_pid sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_upid
71 } sadb_msg_t;
72 
73 /*
74  * Generic extension header.
75  */
76 
77 typedef struct sadb_ext {
78 	union {
79 		/* Union is for guaranteeing 64-bit alignment. */
80 		struct {
81 			uint16_t sadb_x_ext_ulen;	/* In 64s, inclusive */
82 			uint16_t sadb_x_ext_utype;	/* 0 is reserved */
83 		} sadb_x_ext_actual;
84 		uint64_t sadb_x_ext_alignment;
85 	} sadb_x_ext_u;
86 #define	sadb_ext_len sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_ulen
87 #define	sadb_ext_type sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_utype
88 } sadb_ext_t;
89 
90 /*
91  * Security Association information extension.
92  */
93 
94 typedef struct sadb_sa {
95 	/* Union is for guaranteeing 64-bit alignment. */
96 	union {
97 		struct {
98 			uint16_t sadb_x_sa_ulen;
99 			uint16_t sadb_x_sa_uexttype;	/* ASSOCIATION */
100 			uint32_t sadb_x_sa_uspi;	/* Sec. Param. Index */
101 		} sadb_x_sa_uactual;
102 		uint64_t sadb_x_sa_alignment;
103 	} sadb_x_sa_u;
104 #define	sadb_sa_len sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_ulen
105 #define	sadb_sa_exttype sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uexttype
106 #define	sadb_sa_spi sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uspi
107 	uint8_t sadb_sa_replay;		/* Replay counter */
108 	uint8_t sadb_sa_state;		/* MATURE, DEAD, DYING, LARVAL */
109 	uint8_t sadb_sa_auth;		/* Authentication algorithm */
110 	uint8_t sadb_sa_encrypt;	/* Encryption algorithm */
111 	uint32_t sadb_sa_flags;		/* SA flags. */
112 } sadb_sa_t;
113 
114 /*
115  * SA Lifetime extension.  Already 64-bit aligned thanks to uint64_t fields.
116  */
117 
118 typedef struct sadb_lifetime {
119 	uint16_t sadb_lifetime_len;
120 	uint16_t sadb_lifetime_exttype;		/* SOFT, HARD, CURRENT */
121 	uint32_t sadb_lifetime_allocations;
122 	uint64_t sadb_lifetime_bytes;
123 	uint64_t sadb_lifetime_addtime;	/* These fields are assumed to hold */
124 	uint64_t sadb_lifetime_usetime;	/* >= sizeof (time_t). */
125 } sadb_lifetime_t;
126 
127 /*
128  * SA address information.
129  */
130 
131 typedef struct sadb_address {
132 	/* Union is for guaranteeing 64-bit alignment. */
133 	union {
134 		struct {
135 			uint16_t sadb_x_address_ulen;
136 			uint16_t sadb_x_address_uexttype; /* SRC, DST, PROXY */
137 			uint8_t sadb_x_address_uproto; /* Proto for ports... */
138 			uint8_t sadb_x_address_uprefixlen; /* Prefix length. */
139 			uint16_t sadb_x_address_ureserved; /* Padding */
140 		} sadb_x_address_actual;
141 		uint64_t sadb_x_address_alignment;
142 	} sadb_x_address_u;
143 #define	sadb_address_len \
144 	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ulen
145 #define	sadb_address_exttype \
146 	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uexttype
147 #define	sadb_address_proto \
148 	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uproto
149 #define	sadb_address_prefixlen \
150 	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uprefixlen
151 #define	sadb_address_reserved \
152 	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ureserved
153 	/* Followed by a sockaddr structure which may contain ports. */
154 } sadb_address_t;
155 
156 /*
157  * SA key information.
158  */
159 
160 typedef struct sadb_key {
161 	/* Union is for guaranteeing 64-bit alignment. */
162 	union {
163 		struct {
164 			uint16_t sadb_x_key_ulen;
165 			uint16_t sadb_x_key_uexttype;	/* AUTH, ENCRYPT */
166 			uint16_t sadb_x_key_ubits;	/* Actual len (bits) */
167 			uint16_t sadb_x_key_ureserved;
168 		} sadb_x_key_actual;
169 		uint64_t sadb_x_key_alignment;
170 	} sadb_x_key_u;
171 #define	sadb_key_len sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ulen
172 #define	sadb_key_exttype sadb_x_key_u.sadb_x_key_actual.sadb_x_key_uexttype
173 #define	sadb_key_bits sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ubits
174 #define	sadb_key_reserved sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ureserved
175 	/* Followed by actual key(s) in canonical (outbound proc.) order. */
176 } sadb_key_t;
177 
178 /*
179  * SA Identity information.  Already 64-bit aligned thanks to uint64_t fields.
180  */
181 
182 typedef struct sadb_ident {
183 	uint16_t sadb_ident_len;
184 	uint16_t sadb_ident_exttype;	/* SRC, DST, PROXY */
185 	uint16_t sadb_ident_type;	/* FQDN, USER_FQDN, etc. */
186 	uint16_t sadb_ident_reserved;	/* Padding */
187 	uint64_t sadb_ident_id;		/* For userid, etc. */
188 	/* Followed by an identity null-terminate C string if present. */
189 } sadb_ident_t;
190 
191 /*
192  * SA sensitivity information.  This is mostly useful on MLS systems.
193  */
194 
195 typedef struct sadb_sens {
196 	/* Union is for guaranteeing 64-bit alignment. */
197 	union {
198 		struct {
199 			uint16_t sadb_x_sens_ulen;
200 			uint16_t sadb_x_sens_uexttype;	/* SENSITIVITY */
201 			uint32_t sadb_x_sens_udpd;	/* Protection domain */
202 		} sadb_x_sens_actual;
203 		uint64_t sadb_x_sens_alignment;
204 	} sadb_x_sens_u;
205 #define	sadb_sens_len sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_ulen
206 #define	sadb_sens_exttype sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_uexttype
207 #define	sadb_sens_dpd sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_udpd
208 	uint8_t sadb_sens_sens_level;
209 	uint8_t sadb_sens_sens_len;		/* 64-bit words */
210 	uint8_t sadb_sens_integ_level;
211 	uint8_t sadb_sens_integ_len;		/* 64-bit words */
212 	uint32_t sadb_x_sens_flags;
213 	/*
214 	 * followed by two uint64_t arrays
215 	 * uint64_t sadb_sens_bitmap[sens_bitmap_len];
216 	 * uint64_t sadb_integ_bitmap[integ_bitmap_len];
217 	 */
218 } sadb_sens_t;
219 
220 /*
221  * We recycled the formerly reserved word for flags.
222  */
223 
224 #define	sadb_sens_reserved sadb_x_sens_flags
225 
226 #define	SADB_X_SENS_IMPLICIT 0x1	 /* implicit labelling */
227 #define	SADB_X_SENS_UNLABELED 0x2	 /* peer is unlabeled */
228 
229 /*
230  * a proposal extension.  This is found in an ACQUIRE message, and it
231  * proposes what sort of SA the kernel would like to ACQUIRE.
232  */
233 
234 /* First, a base structure... */
235 
236 typedef struct sadb_x_propbase {
237 	uint16_t sadb_x_propb_len;
238 	uint16_t sadb_x_propb_exttype;	/* PROPOSAL, X_EPROP */
239 	union {
240 		struct {
241 			uint8_t sadb_x_propb_lenres_replay;
242 			uint8_t sadb_x_propb_lenres_eres;
243 			uint16_t sadb_x_propb_lenres_numecombs;
244 		} sadb_x_propb_lenres;
245 		struct {
246 			uint8_t sadb_x_propb_oldres_replay;
247 			uint8_t sadb_x_propb_oldres_reserved[3];
248 		} sadb_x_propb_oldres;
249 	} sadb_x_propb_u;
250 #define	sadb_x_propb_replay \
251 	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_replay
252 #define	sadb_x_propb_reserved \
253 	sadb_x_propb_u.sadb_x_propb_oldres.sadb_x_propb_oldres_reserved
254 #define	sadb_x_propb_ereserved \
255 	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_eres
256 #define	sadb_x_propb_numecombs \
257 	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_numecombs
258 	/* Followed by sadb_comb[] array or sadb_ecomb[] array. */
259 } sadb_x_propbase_t;
260 
261 /* Now, the actual sadb_prop structure, which will have alignment in it! */
262 
263 typedef struct sadb_prop {
264 	/* Union is for guaranteeing 64-bit alignment. */
265 	union {
266 		sadb_x_propbase_t sadb_x_prop_actual;
267 		uint64_t sadb_x_prop_alignment;
268 	} sadb_x_prop_u;
269 #define	sadb_prop_len sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_len
270 #define	sadb_prop_exttype sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_exttype
271 #define	sadb_prop_replay sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_replay
272 #define	sadb_prop_reserved \
273 	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_reserved
274 #define	sadb_x_prop_ereserved \
275 	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_ereserved
276 #define	sadb_x_prop_numecombs \
277 	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_numecombs
278 } sadb_prop_t;
279 
280 /*
281  * This is a proposed combination.  Many of these can follow a proposal
282  * extension.  Already 64-bit aligned thanks to uint64_t fields.
283  */
284 
285 typedef struct sadb_comb {
286 	uint8_t sadb_comb_auth;			/* Authentication algorithm */
287 	uint8_t sadb_comb_encrypt;		/* Encryption algorithm */
288 	uint16_t sadb_comb_flags;		/* Comb. flags (e.g. PFS) */
289 	uint16_t sadb_comb_auth_minbits;	/* Bit strengths for auth */
290 	uint16_t sadb_comb_auth_maxbits;
291 	uint16_t sadb_comb_encrypt_minbits;	/* Bit strengths for encrypt */
292 	uint16_t sadb_comb_encrypt_maxbits;
293 	uint8_t sadb_x_comb_encrypt_saltbits;
294 	uint8_t sadb_x_comb_reserved;
295 	uint16_t sadb_comb_reserved;
296 	uint32_t sadb_comb_soft_allocations;	/* Lifetime proposals for */
297 	uint32_t sadb_comb_hard_allocations;	/* this combination. */
298 	uint64_t sadb_comb_soft_bytes;
299 	uint64_t sadb_comb_hard_bytes;
300 	uint64_t sadb_comb_soft_addtime;
301 	uint64_t sadb_comb_hard_addtime;
302 	uint64_t sadb_comb_soft_usetime;
303 	uint64_t sadb_comb_hard_usetime;
304 } sadb_comb_t;
305 
306 /*
307  * An extended combination that can comprise of many SA types.
308  * A single combination has algorithms and SA types locked.
309  * These are represented by algorithm descriptors, the second structure
310  * in the list.  For example, if the EACQUIRE requests AH(MD5) + ESP(DES/null)
311  * _or_ ESP(DES/MD5), it would have two combinations:
312  *
313  * COMB: algdes(AH, AUTH, MD5), algdes(ESP, CRYPT, DES)
314  * COMB: algdes(ESP, AUTH, MD5), algdes(ESP, CRYPT, DES)
315  *
316  * If an SA type supports an algorithm type, and there's no descriptor,
317  * assume it requires NONE, just like it were explicitly stated.
318  * (This includes ESP NULL encryption, BTW.)
319  *
320  * Already 64-bit aligned thanks to uint64_t fields.
321  */
322 
323 typedef struct sadb_x_ecomb {
324 	uint8_t sadb_x_ecomb_numalgs;
325 	uint8_t sadb_x_ecomb_reserved;
326 	uint16_t sadb_x_ecomb_flags;	/* E.g. PFS? */
327 	uint32_t sadb_x_ecomb_reserved2;
328 	uint32_t sadb_x_ecomb_soft_allocations;
329 	uint32_t sadb_x_ecomb_hard_allocations;
330 	uint64_t sadb_x_ecomb_soft_bytes;
331 	uint64_t sadb_x_ecomb_hard_bytes;
332 	uint64_t sadb_x_ecomb_soft_addtime;
333 	uint64_t sadb_x_ecomb_hard_addtime;
334 	uint64_t sadb_x_ecomb_soft_usetime;
335 	uint64_t sadb_x_ecomb_hard_usetime;
336 } sadb_x_ecomb_t;
337 
338 typedef struct sadb_x_algdesc {
339 	/* Union is for guaranteeing 64-bit alignment. */
340 	union {
341 		struct {
342 			uint8_t sadb_x_algdesc_usatype;	/* ESP, AH, etc. */
343 			uint8_t sadb_x_algdesc_ualgtype; /* AUTH, CRYPT, COMP */
344 			uint8_t sadb_x_algdesc_ualg;	/* 3DES, MD5, etc. */
345 			uint8_t sadb_x_algdesc_usaltbits;
346 			uint16_t sadb_x_algdesc_uminbits; /* Bit strengths. */
347 			uint16_t sadb_x_algdesc_umaxbits;
348 		} sadb_x_algdesc_actual;
349 		uint64_t sadb_x_algdesc_alignment;
350 	} sadb_x_algdesc_u;
351 #define	sadb_x_algdesc_satype \
352 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_usatype
353 #define	sadb_x_algdesc_algtype \
354 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualgtype
355 #define	sadb_x_algdesc_alg \
356 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualg
357 #define	sadb_x_algdesc_saltbits \
358 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_usaltbits
359 #define	sadb_x_algdesc_minbits \
360 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_uminbits
361 #define	sadb_x_algdesc_maxbits \
362 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_umaxbits
363 } sadb_x_algdesc_t;
364 
365 /*
366  * When key mgmt. registers with the kernel, the kernel will tell key mgmt.
367  * its supported algorithms.
368  */
369 
370 typedef struct sadb_supported {
371 	/* Union is for guaranteeing 64-bit alignment. */
372 	union {
373 		struct {
374 			uint16_t sadb_x_supported_ulen;
375 			uint16_t sadb_x_supported_uexttype;
376 			uint32_t sadb_x_supported_ureserved;
377 		} sadb_x_supported_actual;
378 		uint64_t sadb_x_supported_alignment;
379 	} sadb_x_supported_u;
380 #define	sadb_supported_len \
381 	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ulen
382 #define	sadb_supported_exttype \
383 	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_uexttype
384 #define	sadb_supported_reserved \
385 	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ureserved
386 } sadb_supported_t;
387 
388 /* First, a base structure... */
389 typedef struct sadb_x_algb {
390 	uint8_t sadb_x_algb_id;		/* Algorithm type. */
391 	uint8_t sadb_x_algb_ivlen;		/* IV len, in bits */
392 	uint16_t sadb_x_algb_minbits;	/* Min. key len (in bits) */
393 	uint16_t sadb_x_algb_maxbits;	/* Max. key length */
394 	union {
395 		uint16_t sadb_x_algb_ureserved;
396 		uint8_t sadb_x_algb_udefaults[2];
397 	} sadb_x_algb_union;
398 
399 #define	sadb_x_algb_reserved sadb_x_algb_union.sadb_x_algb_ureserved
400 #define	sadb_x_algb_increment sadb_x_algb_union.sadb_x_algb_udefaults[0]
401 #define	sadb_x_algb_saltbits sadb_x_algb_union.sadb_x_algb_udefaults[1]
402 /*
403  * alg_increment: the number of bits from a key length to the next
404  */
405 } sadb_x_algb_t;
406 
407 /* Now, the actual sadb_alg structure, which will have alignment in it. */
408 typedef struct sadb_alg {
409 	/* Union is for guaranteeing 64-bit alignment. */
410 	union {
411 		sadb_x_algb_t sadb_x_alg_actual;
412 		uint64_t sadb_x_alg_alignment;
413 	} sadb_x_alg_u;
414 #define	sadb_alg_id sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_id
415 #define	sadb_alg_ivlen sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_ivlen
416 #define	sadb_alg_minbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_minbits
417 #define	sadb_alg_maxbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_maxbits
418 #define	sadb_alg_reserved sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_reserved
419 #define	sadb_x_alg_increment \
420 	sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_increment
421 #define	sadb_x_alg_saltbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_saltbits
422 } sadb_alg_t;
423 
424 /*
425  * If key mgmt. needs an SPI in a range (including 0 to 0xFFFFFFFF), it
426  * asks the kernel with this extension in the SADB_GETSPI message.
427  */
428 
429 typedef struct sadb_spirange {
430 	uint16_t sadb_spirange_len;
431 	uint16_t sadb_spirange_exttype;	/* SPI_RANGE */
432 	uint32_t sadb_spirange_min;
433 	/* Union is for guaranteeing 64-bit alignment. */
434 	union {
435 		struct {
436 			uint32_t sadb_x_spirange_umax;
437 			uint32_t sadb_x_spirange_ureserved;
438 		} sadb_x_spirange_actual;
439 		uint64_t sadb_x_spirange_alignment;
440 	} sadb_x_spirange_u;
441 #define	sadb_spirange_max \
442 	sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_umax
443 #define	sadb_spirange_reserved \
444 	sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_ureserved
445 } sadb_spirange_t;
446 
447 /*
448  * For the "extended REGISTER" which'll tell the kernel to send me
449  * "extended ACQUIREs".
450  */
451 
452 typedef struct sadb_x_ereg {
453 	/* Union is for guaranteeing 64-bit alignment. */
454 	union {
455 		struct {
456 			uint16_t sadb_x_ereg_ulen;
457 			uint16_t sadb_x_ereg_uexttype;	/* X_EREG */
458 			/* Array of SA types, 0-terminated. */
459 			uint8_t sadb_x_ereg_usatypes[4];
460 		} sadb_x_ereg_actual;
461 		uint64_t sadb_x_ereg_alignment;
462 	} sadb_x_ereg_u;
463 #define	sadb_x_ereg_len \
464 	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_ulen
465 #define	sadb_x_ereg_exttype \
466 	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_uexttype
467 #define	sadb_x_ereg_satypes \
468 	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_usatypes
469 } sadb_x_ereg_t;
470 
471 /*
472  * For conveying a Key Management Cookie with SADB_GETSPI, SADB_ADD,
473  * SADB_ACQUIRE, or SADB_X_INVERSE_ACQUIRE.
474  */
475 
476 typedef struct sadb_x_kmc {
477 	uint16_t sadb_x_kmc_len;
478 	uint16_t sadb_x_kmc_exttype;	/* X_KM_COOKIE */
479 	uint32_t sadb_x_kmc_proto;	/* KM protocol */
480 	union {
481 		struct {
482 			uint32_t sadb_x_kmc_ucookie;	/* KMP-specific */
483 			uint32_t sadb_x_kmc_ureserved;	/* Must be zero */
484 		} sadb_x_kmc_actual;
485 		uint64_t sadb_x_kmc_ucookie64;
486 	} sadb_x_kmc_u;
487 #define	sadb_x_kmc_cookie sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ucookie
488 #define	sadb_x_kmc_reserved sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ureserved
489 #define	sadb_x_kmc_cookie64 sadb_x_kmc_u.sadb_x_kmc_ucookie64
490 } sadb_x_kmc_t;
491 
492 typedef struct sadb_x_pair {
493 	union {
494 		/* Union is for guaranteeing 64-bit alignment. */
495 		struct {
496 			uint16_t sadb_x_pair_ulen;
497 			uint16_t sadb_x_pair_uexttype;
498 			uint32_t sadb_x_pair_uspi;	/* SPI of paired SA */
499 		} sadb_x_pair_actual;
500 		uint64_t sadb_x_ext_alignment;
501 	} sadb_x_pair_u;
502 #define	sadb_x_pair_len sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_ulen
503 #define	sadb_x_pair_exttype \
504 	sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_uexttype
505 #define	sadb_x_pair_spi sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_uspi
506 } sadb_x_pair_t;
507 
508 /*
509  * For the Sequence numbers to be used with SADB_DUMP, SADB_GET, SADB_UPDATE.
510  */
511 
512 typedef struct sadb_x_replay_ctr {
513 	uint16_t sadb_x_rc_len;
514 	uint16_t sadb_x_rc_exttype;
515 	uint32_t sadb_x_rc_replay32;    /* For 240x SAs. */
516 	uint64_t sadb_x_rc_replay64;    /* For 430x SAs. */
517 } sadb_x_replay_ctr_t;
518 
519 /*
520  * For extended DUMP request. Dumps the SAs which were idle for
521  * longer than the timeout specified.
522  */
523 
524 typedef struct sadb_x_edump {
525 	uint16_t sadb_x_edump_len;
526 	uint16_t sadb_x_edump_exttype;
527 	uint32_t sadb_x_edump_reserved;
528 	uint64_t sadb_x_edump_timeout;
529 } sadb_x_edump_t;
530 
531 /*
532  * Base message types.
533  */
534 
535 #define	SADB_RESERVED	0
536 #define	SADB_GETSPI	1
537 #define	SADB_UPDATE	2
538 #define	SADB_ADD	3
539 #define	SADB_DELETE	4
540 #define	SADB_GET	5
541 #define	SADB_ACQUIRE	6
542 #define	SADB_REGISTER	7
543 #define	SADB_EXPIRE	8
544 #define	SADB_FLUSH	9
545 #define	SADB_DUMP	10   /* not used normally */
546 #define	SADB_X_PROMISC	11
547 #define	SADB_X_INVERSE_ACQUIRE	12
548 #define	SADB_X_UPDATEPAIR	13
549 #define	SADB_X_DELPAIR		14
550 #define	SADB_X_DELPAIR_STATE	15
551 #define	SADB_MAX		15
552 
553 /*
554  * SA flags
555  */
556 
557 #define	SADB_SAFLAGS_PFS	0x1	/* Perfect forward secrecy? */
558 #define	SADB_SAFLAGS_NOREPLAY	0x2	/* Replay field NOT PRESENT. */
559 
560 /* Below flags are used by this implementation.  Grow from left-to-right. */
561 #define	SADB_X_SAFLAGS_USED	0x80000000	/* SA used/not used */
562 #define	SADB_X_SAFLAGS_UNIQUE	0x40000000	/* SA unique/reusable */
563 #define	SADB_X_SAFLAGS_AALG1	0x20000000	/* Auth-alg specific flag 1 */
564 #define	SADB_X_SAFLAGS_AALG2	0x10000000	/* Auth-alg specific flag 2 */
565 #define	SADB_X_SAFLAGS_EALG1	 0x8000000	/* Encr-alg specific flag 1 */
566 #define	SADB_X_SAFLAGS_EALG2	 0x4000000	/* Encr-alg specific flag 2 */
567 #define	SADB_X_SAFLAGS_KM1	 0x2000000	/* Key mgmt. specific flag 1 */
568 #define	SADB_X_SAFLAGS_KM2	 0x1000000	/* Key mgmt. specific flag 2 */
569 #define	SADB_X_SAFLAGS_KM3	  0x800000	/* Key mgmt. specific flag 3 */
570 #define	SADB_X_SAFLAGS_KM4	  0x400000	/* Key mgmt. specific flag 4 */
571 #define	SADB_X_SAFLAGS_KRES1	  0x200000	/* Reserved by the kernel */
572 #define	SADB_X_SAFLAGS_NATT_LOC	  0x100000	/* this has a natted src SA */
573 #define	SADB_X_SAFLAGS_NATT_REM	   0x80000	/* this has a natted dst SA */
574 #define	SADB_X_SAFLAGS_KRES2	   0x40000	/* Reserved by the kernel */
575 #define	SADB_X_SAFLAGS_TUNNEL	   0x20000	/* tunnel mode */
576 #define	SADB_X_SAFLAGS_PAIRED	   0x10000	/* inbound/outbound pair */
577 #define	SADB_X_SAFLAGS_OUTBOUND	    0x8000	/* SA direction bit */
578 #define	SADB_X_SAFLAGS_INBOUND	    0x4000	/* SA direction bit */
579 #define	SADB_X_SAFLAGS_NATTED	    0x1000	/* Local node is behind a NAT */
580 
581 #define	SADB_X_SAFLAGS_KRES	\
582 	SADB_X_SAFLAGS_KRES1 | SADB_X_SAFLAGS_KRES2
583 
584 /*
585  * SA state.
586  */
587 
588 #define	SADB_SASTATE_LARVAL		0
589 #define	SADB_SASTATE_MATURE		1
590 #define	SADB_SASTATE_DYING		2
591 #define	SADB_SASTATE_DEAD		3
592 #define	SADB_X_SASTATE_ACTIVE_ELSEWHERE	4
593 #define	SADB_X_SASTATE_IDLE		5
594 #define	SADB_X_SASTATE_ACTIVE		6
595 
596 #define	SADB_SASTATE_MAX		6
597 
598 /*
599  * SA type.  Gaps are present in the number space because (for the time being)
600  * these types correspond to the SA types in the IPsec DOI document.
601  */
602 
603 #define	SADB_SATYPE_UNSPEC	0
604 #define	SADB_SATYPE_AH		2  /* RFC-1826 */
605 #define	SADB_SATYPE_ESP		3  /* RFC-1827 */
606 #define	SADB_SATYPE_RSVP	5  /* RSVP Authentication */
607 #define	SADB_SATYPE_OSPFV2	6  /* OSPFv2 Authentication */
608 #define	SADB_SATYPE_RIPV2	7  /* RIPv2 Authentication */
609 #define	SADB_SATYPE_MIP		8  /* Mobile IPv4 Authentication */
610 
611 #define	SADB_SATYPE_MAX		8
612 
613 /*
614  * Algorithm types.  Gaps are present because (for the time being) these types
615  * correspond to the SA types in the IPsec DOI document.
616  *
617  * NOTE:  These are numbered to play nice with the IPsec DOI.  That's why
618  *	  there are gaps.
619  */
620 
621 /* Authentication algorithms */
622 #define	SADB_AALG_NONE		0
623 #define	SADB_AALG_MD5HMAC	2
624 #define	SADB_AALG_SHA1HMAC	3
625 #define	SADB_AALG_SHA256HMAC	5
626 #define	SADB_AALG_SHA384HMAC	6
627 #define	SADB_AALG_SHA512HMAC	7
628 
629 #define	SADB_AALG_MAX		7
630 
631 /* Encryption algorithms */
632 #define	SADB_EALG_NONE		0
633 #define	SADB_EALG_DESCBC	2
634 #define	SADB_EALG_3DESCBC	3
635 #define	SADB_EALG_BLOWFISH	7
636 #define	SADB_EALG_NULL		11
637 #define	SADB_EALG_AES		12
638 #define	SADB_EALG_AES_CCM_8	14
639 #define	SADB_EALG_AES_CCM_12	15
640 #define	SADB_EALG_AES_CCM_16	16
641 #define	SADB_EALG_AES_GCM_8	18
642 #define	SADB_EALG_AES_GCM_12	19
643 #define	SADB_EALG_AES_GCM_16	20
644 #define	SADB_EALG_MAX		20
645 
646 /*
647  * Extension header values.
648  */
649 
650 #define	SADB_EXT_RESERVED		0
651 
652 #define	SADB_EXT_SA			1
653 #define	SADB_EXT_LIFETIME_CURRENT	2
654 #define	SADB_EXT_LIFETIME_HARD		3
655 #define	SADB_EXT_LIFETIME_SOFT		4
656 #define	SADB_EXT_ADDRESS_SRC		5
657 #define	SADB_EXT_ADDRESS_DST		6
658 /* These two are synonyms. */
659 #define	SADB_EXT_ADDRESS_PROXY		7
660 #define	SADB_X_EXT_ADDRESS_INNER_SRC	SADB_EXT_ADDRESS_PROXY
661 #define	SADB_EXT_KEY_AUTH		8
662 #define	SADB_EXT_KEY_ENCRYPT		9
663 #define	SADB_EXT_IDENTITY_SRC		10
664 #define	SADB_EXT_IDENTITY_DST		11
665 #define	SADB_EXT_SENSITIVITY		12
666 #define	SADB_EXT_PROPOSAL		13
667 #define	SADB_EXT_SUPPORTED_AUTH		14
668 #define	SADB_EXT_SUPPORTED_ENCRYPT	15
669 #define	SADB_EXT_SPIRANGE		16
670 #define	SADB_X_EXT_EREG			17
671 #define	SADB_X_EXT_EPROP		18
672 #define	SADB_X_EXT_KM_COOKIE		19
673 #define	SADB_X_EXT_ADDRESS_NATT_LOC	20
674 #define	SADB_X_EXT_ADDRESS_NATT_REM	21
675 #define	SADB_X_EXT_ADDRESS_INNER_DST	22
676 #define	SADB_X_EXT_PAIR			23
677 #define	SADB_X_EXT_REPLAY_VALUE		24
678 #define	SADB_X_EXT_EDUMP		25
679 #define	SADB_X_EXT_LIFETIME_IDLE	26
680 #define	SADB_X_EXT_OUTER_SENS		27
681 
682 #define	SADB_EXT_MAX			27
683 
684 /*
685  * Identity types.
686  */
687 
688 #define	SADB_IDENTTYPE_RESERVED 0
689 
690 /*
691  * For PREFIX and ADDR_RANGE, use the AF of the PROXY if present, or the SRC
692  * if not present.
693  */
694 #define	SADB_IDENTTYPE_PREFIX		1
695 #define	SADB_IDENTTYPE_FQDN		2  /* Fully qualified domain name. */
696 #define	SADB_IDENTTYPE_USER_FQDN	3  /* e.g. root@domain.com */
697 #define	SADB_X_IDENTTYPE_DN		4  /* ASN.1 DER Distinguished Name. */
698 #define	SADB_X_IDENTTYPE_GN		5  /* ASN.1 DER Generic Name. */
699 #define	SADB_X_IDENTTYPE_KEY_ID		6  /* Generic KEY ID. */
700 #define	SADB_X_IDENTTYPE_ADDR_RANGE	7
701 
702 #define	SADB_IDENTTYPE_MAX 	7
703 
704 /*
705  * Protection DOI values for the SENSITIVITY extension.  There are no values
706  * currently, so the MAX is the only non-zero value available.
707  */
708 
709 #define	SADB_DPD_NONE	0
710 
711 #define	SADB_DPD_MAX	1
712 
713 /*
714  * Diagnostic codes.  These supplement error messages.  Be sure to
715  * update libipsecutil's keysock_diag() if you change any of these.
716  */
717 
718 #define	SADB_X_DIAGNOSTIC_PRESET		-1	/* Internal value. */
719 
720 #define	SADB_X_DIAGNOSTIC_NONE			0
721 
722 #define	SADB_X_DIAGNOSTIC_UNKNOWN_MSG		1
723 #define	SADB_X_DIAGNOSTIC_UNKNOWN_EXT		2
724 #define	SADB_X_DIAGNOSTIC_BAD_EXTLEN		3
725 #define	SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE	4
726 #define	SADB_X_DIAGNOSTIC_SATYPE_NEEDED		5
727 #define	SADB_X_DIAGNOSTIC_NO_SADBS		6
728 #define	SADB_X_DIAGNOSTIC_NO_EXT		7
729 /* Bad address family value */
730 #define	SADB_X_DIAGNOSTIC_BAD_SRC_AF		8
731 /* in sockaddr->sa_family. */
732 #define	SADB_X_DIAGNOSTIC_BAD_DST_AF		9
733 /* These two are synonyms. */
734 #define	SADB_X_DIAGNOSTIC_BAD_PROXY_AF		10
735 #define	SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF	10
736 
737 #define	SADB_X_DIAGNOSTIC_AF_MISMATCH		11
738 
739 #define	SADB_X_DIAGNOSTIC_BAD_SRC		12
740 #define	SADB_X_DIAGNOSTIC_BAD_DST		13
741 
742 #define	SADB_X_DIAGNOSTIC_ALLOC_HSERR		14
743 #define	SADB_X_DIAGNOSTIC_BYTES_HSERR		15
744 #define	SADB_X_DIAGNOSTIC_ADDTIME_HSERR		16
745 #define	SADB_X_DIAGNOSTIC_USETIME_HSERR		17
746 
747 #define	SADB_X_DIAGNOSTIC_MISSING_SRC		18
748 #define	SADB_X_DIAGNOSTIC_MISSING_DST		19
749 #define	SADB_X_DIAGNOSTIC_MISSING_SA		20
750 #define	SADB_X_DIAGNOSTIC_MISSING_EKEY		21
751 #define	SADB_X_DIAGNOSTIC_MISSING_AKEY		22
752 #define	SADB_X_DIAGNOSTIC_MISSING_RANGE		23
753 
754 #define	SADB_X_DIAGNOSTIC_DUPLICATE_SRC		24
755 #define	SADB_X_DIAGNOSTIC_DUPLICATE_DST		25
756 #define	SADB_X_DIAGNOSTIC_DUPLICATE_SA		26
757 #define	SADB_X_DIAGNOSTIC_DUPLICATE_EKEY	27
758 #define	SADB_X_DIAGNOSTIC_DUPLICATE_AKEY	28
759 #define	SADB_X_DIAGNOSTIC_DUPLICATE_RANGE	29
760 
761 #define	SADB_X_DIAGNOSTIC_MALFORMED_SRC		30
762 #define	SADB_X_DIAGNOSTIC_MALFORMED_DST		31
763 #define	SADB_X_DIAGNOSTIC_MALFORMED_SA		32
764 #define	SADB_X_DIAGNOSTIC_MALFORMED_EKEY	33
765 #define	SADB_X_DIAGNOSTIC_MALFORMED_AKEY	34
766 #define	SADB_X_DIAGNOSTIC_MALFORMED_RANGE	35
767 
768 #define	SADB_X_DIAGNOSTIC_AKEY_PRESENT		36
769 #define	SADB_X_DIAGNOSTIC_EKEY_PRESENT		37
770 #define	SADB_X_DIAGNOSTIC_PROP_PRESENT		38
771 #define	SADB_X_DIAGNOSTIC_SUPP_PRESENT		39
772 
773 #define	SADB_X_DIAGNOSTIC_BAD_AALG		40
774 #define	SADB_X_DIAGNOSTIC_BAD_EALG		41
775 #define	SADB_X_DIAGNOSTIC_BAD_SAFLAGS		42
776 #define	SADB_X_DIAGNOSTIC_BAD_SASTATE		43
777 
778 #define	SADB_X_DIAGNOSTIC_BAD_AKEYBITS		44
779 #define	SADB_X_DIAGNOSTIC_BAD_EKEYBITS		45
780 
781 #define	SADB_X_DIAGNOSTIC_ENCR_NOTSUPP		46
782 
783 #define	SADB_X_DIAGNOSTIC_WEAK_EKEY		47
784 #define	SADB_X_DIAGNOSTIC_WEAK_AKEY		48
785 
786 #define	SADB_X_DIAGNOSTIC_DUPLICATE_KMP		49
787 #define	SADB_X_DIAGNOSTIC_DUPLICATE_KMC		50
788 
789 #define	SADB_X_DIAGNOSTIC_MISSING_NATT_LOC	51
790 #define	SADB_X_DIAGNOSTIC_MISSING_NATT_REM	52
791 #define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC	53
792 #define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM	54
793 #define	SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC	55
794 #define	SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM	56
795 #define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS	57
796 
797 #define	SADB_X_DIAGNOSTIC_MISSING_INNER_SRC	58
798 #define	SADB_X_DIAGNOSTIC_MISSING_INNER_DST	59
799 #define	SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC	60
800 #define	SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST	61
801 #define	SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC	62
802 #define	SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST	63
803 
804 #define	SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC	64
805 #define	SADB_X_DIAGNOSTIC_PREFIX_INNER_DST	65
806 #define	SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF	66
807 #define	SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH	67
808 
809 #define	SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF	68
810 #define	SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF	69
811 
812 #define	SADB_X_DIAGNOSTIC_PROTO_MISMATCH	70
813 #define	SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH	71
814 
815 #define	SADB_X_DIAGNOSTIC_DUAL_PORT_SETS	72
816 
817 #define	SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE	73
818 #define	SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH	74
819 #define	SADB_X_DIAGNOSTIC_PAIR_ALREADY		75
820 #define	SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND	76
821 #define	SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION	77
822 
823 #define	SADB_X_DIAGNOSTIC_SA_NOTFOUND		78
824 #define	SADB_X_DIAGNOSTIC_SA_EXPIRED		79
825 #define	SADB_X_DIAGNOSTIC_BAD_CTX		80
826 #define	SADB_X_DIAGNOSTIC_INVALID_REPLAY	81
827 #define	SADB_X_DIAGNOSTIC_MISSING_LIFETIME	82
828 
829 #define	SADB_X_DIAGNOSTIC_BAD_LABEL		83
830 #define	SADB_X_DIAGNOSTIC_MAX			83
831 
832 /* Algorithm type for sadb_x_algdesc above... */
833 
834 #define	SADB_X_ALGTYPE_NONE		0
835 #define	SADB_X_ALGTYPE_AUTH		1
836 #define	SADB_X_ALGTYPE_CRYPT		2
837 #define	SADB_X_ALGTYPE_COMPRESS		3
838 
839 #define	SADB_X_ALGTYPE_MAX		3
840 
841 /* Key management protocol for sadb_x_kmc above... */
842 
843 #define	SADB_X_KMP_MANUAL	0	/* Cookie is ignored. */
844 #define	SADB_X_KMP_IKE		1
845 #define	SADB_X_KMP_KINK		2
846 #define	SADB_X_KMP_IKEV2	3
847 
848 #define	SADB_X_KMP_MAX		SADB_X_KMP_IKEV2
849 
850 /*
851  * Handy conversion macros.  Not part of the PF_KEY spec...
852  */
853 
854 #define	SADB_64TO8(x)	((x) << 3)
855 #define	SADB_8TO64(x)	((x) >> 3)
856 #define	SADB_8TO1(x)	((x) << 3)
857 #define	SADB_1TO8(x)	((x) >> 3)
858 
859 #ifdef	__cplusplus
860 }
861 #endif
862 
863 #endif	/* _NET_PFKEYV2_H */
864