1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 /*
26  * Copyright (c) 2018, Joyent, Inc.
27  * Copyright 2024 Oxide Computer Company
28  */
29 
30 #ifndef	_NET_PFKEYV2_H
31 #define	_NET_PFKEYV2_H
32 
33 /*
34  * Definitions and structures for PF_KEY version 2.  See RFC 2367 for
35  * more details.  SA == Security Association, which is what PF_KEY provides
36  * an API for managing.
37  *
38  * Definitions of the form SADB_X_* are local extensions that are not present
39  * in the IPsec DOI.
40  */
41 
42 #ifdef	__cplusplus
43 extern "C" {
44 #endif
45 
46 #define	PF_KEY_V2		2	/* Value carried in sadb_msg_version */
47 #define	PFKEYV2_REVISION	200109L	/* Interface revision stamp (presumably YYYYMM) */
48 
49 /*
50  * Base PF_KEY message.
 *
 * Every PF_KEY message begins with this header; the extensions declared
 * below follow it.  sadb_msg_len is the size of the whole message in
 * 64-bit words (SADB_64TO8() converts to bytes).  On an errno reply the
 * otherwise-reserved word carries a SADB_X_DIAGNOSTIC_* code, reachable
 * through the sadb_x_msg_diagnostic alias.
 *
 * NOTE(review): a receiver should compare SADB_64TO8(sadb_msg_len) with
 * the number of bytes actually read before walking the extensions.
51  */
52 
53 typedef struct sadb_msg {
54 	uint8_t sadb_msg_version;	/* Version, currently PF_KEY_V2 */
55 	uint8_t sadb_msg_type;		/* ADD, UPDATE, etc. (SADB_* below) */
56 	uint8_t sadb_msg_errno;		/* Error number from UNIX errno space */
57 	uint8_t sadb_msg_satype;	/* ESP, AH, etc. (SADB_SATYPE_* below) */
58 	uint16_t sadb_msg_len;		/* Length in 64-bit words. */
59 	uint16_t sadb_msg_reserved;	/* must be zero (except as below) */
60 /*
61  * Use the reserved field for extended diagnostic information on errno
62  * responses.
63  */
64 #define	sadb_x_msg_diagnostic sadb_msg_reserved
65 	/* Union is for guaranteeing 64-bit alignment. */
66 	union {
67 		struct {
68 			uint32_t sadb_x_msg_useq;	/* Set by originator */
69 			uint32_t sadb_x_msg_upid;	/* Set by originator */
70 		} sadb_x_msg_actual;
71 		uint64_t sadb_x_msg_alignment;
72 	} sadb_x_msg_u;
	/* Accessors under the RFC 2367 field names. */
73 #define	sadb_msg_seq sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_useq
74 #define	sadb_msg_pid sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_upid
75 } sadb_msg_t;
76 
77 /*
78  * Generic extension header.
 *
 * Every extension starts with this (length, type) pair, so a parser can
 * walk a message using only sadb_ext_t before looking at the specific
 * extension type.  sadb_ext_len is the size of the whole extension,
 * including this header, in 64-bit words.
 *
 * NOTE(review): an extension whose length is 0 or runs past the end of
 * the enclosing message should be rejected (cf. SADB_X_DIAGNOSTIC_BAD_EXTLEN).
79  */
80 
81 typedef struct sadb_ext {
82 	union {
83 		/* Union is for guaranteeing 64-bit alignment. */
84 		struct {
85 			uint16_t sadb_x_ext_ulen;	/* In 64s, inclusive */
86 			uint16_t sadb_x_ext_utype;	/* 0 is reserved (SADB_EXT_*) */
87 		} sadb_x_ext_actual;
88 		uint64_t sadb_x_ext_alignment;
89 	} sadb_x_ext_u;
	/* Accessors under the RFC 2367 field names. */
90 #define	sadb_ext_len sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_ulen
91 #define	sadb_ext_type sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_utype
92 } sadb_ext_t;
93 
94 /*
95  * Security Association information extension.
 *
 * Extension type SADB_EXT_SA.  Carries the SPI plus the SA's state,
 * algorithm identifiers and flags; the values for those fields are the
 * SADB_SASTATE_*, SADB_AALG_*, SADB_EALG_* and SADB_SAFLAGS_* constants
 * defined later in this header.
96  */
97 
98 typedef struct sadb_sa {
99 	/* Union is for guaranteeing 64-bit alignment. */
100 	union {
101 		struct {
102 			uint16_t sadb_x_sa_ulen;
103 			uint16_t sadb_x_sa_uexttype;	/* ASSOCIATION */
104 			uint32_t sadb_x_sa_uspi;	/* Sec. Param. Index */
105 		} sadb_x_sa_uactual;
106 		uint64_t sadb_x_sa_alignment;
107 	} sadb_x_sa_u;
	/* Accessors under the RFC 2367 field names. */
108 #define	sadb_sa_len sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_ulen
109 #define	sadb_sa_exttype sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uexttype
110 #define	sadb_sa_spi sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uspi
111 	uint8_t sadb_sa_replay;		/* Replay counter */
112 	uint8_t sadb_sa_state;		/* MATURE, DEAD, DYING, LARVAL */
113 	uint8_t sadb_sa_auth;		/* Authentication algorithm */
114 	uint8_t sadb_sa_encrypt;	/* Encryption algorithm */
115 	uint32_t sadb_sa_flags;		/* SA flags (SADB_SAFLAGS_*, SADB_X_SAFLAGS_*). */
116 } sadb_sa_t;
117 
118 /*
119  * SA Lifetime extension.  Already 64-bit aligned thanks to uint64_t fields.
 *
 * Used with extension types SADB_EXT_LIFETIME_CURRENT, _HARD and _SOFT
 * (and the local SADB_X_EXT_LIFETIME_IDLE).  A value of zero in a limit
 * field presumably means "no limit" — confirm against the consumer.
120  */
121 
122 typedef struct sadb_lifetime {
123 	uint16_t sadb_lifetime_len;
124 	uint16_t sadb_lifetime_exttype;		/* SOFT, HARD, CURRENT */
125 	uint32_t sadb_lifetime_allocations;
126 	uint64_t sadb_lifetime_bytes;
127 	uint64_t sadb_lifetime_addtime;	/* These fields are assumed to hold */
128 	uint64_t sadb_lifetime_usetime;	/* >= sizeof (time_t). */
129 } sadb_lifetime_t;
130 
131 /*
132  * SA address information.
 *
 * Used with SADB_EXT_ADDRESS_SRC/DST/PROXY and the local
 * SADB_X_EXT_ADDRESS_INNER_*/NATT_* types.  A sockaddr follows the fixed
 * part; sadb_address_len must cover it.
 *
 * NOTE(review): the sockaddr's sa_family must be checked before its length
 * is trusted (cf. SADB_X_DIAGNOSTIC_BAD_*_AF and SADB_X_DIAGNOSTIC_MALFORMED_*).
133  */
134 
135 typedef struct sadb_address {
136 	/* Union is for guaranteeing 64-bit alignment. */
137 	union {
138 		struct {
139 			uint16_t sadb_x_address_ulen;
140 			uint16_t sadb_x_address_uexttype; /* SRC, DST, PROXY */
141 			uint8_t sadb_x_address_uproto; /* Proto for ports... */
142 			uint8_t sadb_x_address_uprefixlen; /* Prefix length. */
143 			uint16_t sadb_x_address_ureserved; /* Padding */
144 		} sadb_x_address_actual;
145 		uint64_t sadb_x_address_alignment;
146 	} sadb_x_address_u;
	/* Accessors under the RFC 2367 field names. */
147 #define	sadb_address_len \
148 	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ulen
149 #define	sadb_address_exttype \
150 	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uexttype
151 #define	sadb_address_proto \
152 	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uproto
153 #define	sadb_address_prefixlen \
154 	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uprefixlen
155 #define	sadb_address_reserved \
156 	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ureserved
157 	/* Followed by a sockaddr structure which may contain ports. */
158 } sadb_address_t;
159 
160 /*
161  * SA key information.
 *
 * Used with SADB_EXT_KEY_AUTH and SADB_EXT_KEY_ENCRYPT.  sadb_key_bits is
 * the real key length in bits; the extension itself is padded out to
 * sadb_key_len 64-bit words.
 *
 * NOTE(review): any buffer that has held this extension contains raw key
 * material, so it should be explicitly zeroized before being released or
 * reused rather than simply freed.
162  */
163 
164 typedef struct sadb_key {
165 	/* Union is for guaranteeing 64-bit alignment. */
166 	union {
167 		struct {
168 			uint16_t sadb_x_key_ulen;
169 			uint16_t sadb_x_key_uexttype;	/* AUTH, ENCRYPT */
170 			uint16_t sadb_x_key_ubits;	/* Actual len (bits) */
171 			uint16_t sadb_x_key_ureserved;
172 		} sadb_x_key_actual;
173 		uint64_t sadb_x_key_alignment;
174 	} sadb_x_key_u;
	/* Accessors under the RFC 2367 field names. */
175 #define	sadb_key_len sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ulen
176 #define	sadb_key_exttype sadb_x_key_u.sadb_x_key_actual.sadb_x_key_uexttype
177 #define	sadb_key_bits sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ubits
178 #define	sadb_key_reserved sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ureserved
179 	/* Followed by actual key(s) in canonical (outbound proc.) order. */
180 } sadb_key_t;
181 
182 /*
183  * SA Identity information.  Already 64-bit aligned thanks to uint64_t fields.
 *
 * Used with SADB_EXT_IDENTITY_SRC and SADB_EXT_IDENTITY_DST; the meaning
 * of sadb_ident_type is given by the SADB_IDENTTYPE_* constants below.
 *
 * NOTE(review): when a string follows, its terminating NUL must lie within
 * the sadb_ident_len 64-bit words of the extension; do not rely on strlen().
184  */
185 
186 typedef struct sadb_ident {
187 	uint16_t sadb_ident_len;
188 	uint16_t sadb_ident_exttype;	/* SRC, DST, PROXY */
189 	uint16_t sadb_ident_type;	/* FQDN, USER_FQDN, etc. */
190 	uint16_t sadb_ident_reserved;	/* Padding */
191 	uint64_t sadb_ident_id;		/* For userid, etc. */
192 	/* Followed by an identity null-terminated C string if present. */
193 } sadb_ident_t;
194 
195 /*
196  * SA sensitivity information.  This is mostly useful on MLS systems.
 *
 * Used with SADB_EXT_SENSITIVITY and the local SADB_X_EXT_OUTER_SENS.
 * Two bitmaps follow the fixed part; their sizes are given in 64-bit
 * words by sadb_sens_sens_len and sadb_sens_integ_len, and both must fit
 * within sadb_sens_len.  The former reserved word now holds
 * SADB_X_SENS_* flags (see sadb_sens_reserved below).
197  */
198 
199 typedef struct sadb_sens {
200 	/* Union is for guaranteeing 64-bit alignment. */
201 	union {
202 		struct {
203 			uint16_t sadb_x_sens_ulen;
204 			uint16_t sadb_x_sens_uexttype;	/* SENSITIVITY */
205 			uint32_t sadb_x_sens_udpd;	/* Protection domain */
206 		} sadb_x_sens_actual;
207 		uint64_t sadb_x_sens_alignment;
208 	} sadb_x_sens_u;
	/* Accessors under the RFC 2367 field names. */
209 #define	sadb_sens_len sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_ulen
210 #define	sadb_sens_exttype sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_uexttype
211 #define	sadb_sens_dpd sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_udpd
212 	uint8_t sadb_sens_sens_level;
213 	uint8_t sadb_sens_sens_len;		/* 64-bit words */
214 	uint8_t sadb_sens_integ_level;
215 	uint8_t sadb_sens_integ_len;		/* 64-bit words */
216 	uint32_t sadb_x_sens_flags;		/* SADB_X_SENS_* */
217 	/*
218 	 * followed by two uint64_t arrays
219 	 * uint64_t sadb_sens_bitmap[sens_bitmap_len];
220 	 * uint64_t sadb_integ_bitmap[integ_bitmap_len];
221 	 */
222 } sadb_sens_t;
223 
224 /*
225  * We recycled the formerly reserved word for flags.
 * The RFC 2367 name still works as an alias for the flags word.
226  */
227 
228 #define	sadb_sens_reserved sadb_x_sens_flags
229 
	/* Values for sadb_x_sens_flags. */
230 #define	SADB_X_SENS_IMPLICIT 0x1	 /* implicit labelling */
231 #define	SADB_X_SENS_UNLABELED 0x2	 /* peer is unlabeled */
232 
233 /*
234  * a proposal extension.  This is found in an ACQUIRE message, and it
235  * proposes what sort of SA the kernel would like to ACQUIRE.
 *
 * Two extension types share this layout: SADB_EXT_PROPOSAL (followed by
 * sadb_comb_t entries) and the local SADB_X_EXT_EPROP (followed by
 * sadb_x_ecomb_t entries).  The two views of the union below overlap the
 * same four bytes, so the replay byte sits at the same offset in both.
236  */
237 
238 /* First, a base structure... */
239 
240 typedef struct sadb_x_propbase {
241 	uint16_t sadb_x_propb_len;
242 	uint16_t sadb_x_propb_exttype;	/* PROPOSAL, X_EPROP */
243 	union {
		/* Extended-proposal view: carries the number of ecombs. */
244 		struct {
245 			uint8_t sadb_x_propb_lenres_replay;
246 			uint8_t sadb_x_propb_lenres_eres;
247 			uint16_t sadb_x_propb_lenres_numecombs;
248 		} sadb_x_propb_lenres;
		/* RFC 2367 view: replay byte plus three reserved bytes. */
249 		struct {
250 			uint8_t sadb_x_propb_oldres_replay;
251 			uint8_t sadb_x_propb_oldres_reserved[3];
252 		} sadb_x_propb_oldres;
253 	} sadb_x_propb_u;
254 #define	sadb_x_propb_replay \
255 	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_replay
256 #define	sadb_x_propb_reserved \
257 	sadb_x_propb_u.sadb_x_propb_oldres.sadb_x_propb_oldres_reserved
258 #define	sadb_x_propb_ereserved \
259 	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_eres
260 #define	sadb_x_propb_numecombs \
261 	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_numecombs
262 	/* Followed by sadb_comb[] array or sadb_ecomb[] array. */
263 } sadb_x_propbase_t;
264 
265 /* Now, the actual sadb_prop structure, which will have alignment in it! */
/*
 * Wrapper around sadb_x_propbase_t that forces 64-bit alignment; the
 * accessor macros expose the base fields under the RFC 2367 names.
 */
266 
267 typedef struct sadb_prop {
268 	/* Union is for guaranteeing 64-bit alignment. */
269 	union {
270 		sadb_x_propbase_t sadb_x_prop_actual;
271 		uint64_t sadb_x_prop_alignment;
272 	} sadb_x_prop_u;
273 #define	sadb_prop_len sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_len
274 #define	sadb_prop_exttype sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_exttype
275 #define	sadb_prop_replay sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_replay
276 #define	sadb_prop_reserved \
277 	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_reserved
278 #define	sadb_x_prop_ereserved \
279 	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_ereserved
280 #define	sadb_x_prop_numecombs \
281 	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_numecombs
282 } sadb_prop_t;
283 
284 /*
285  * This is a proposed combination.  Many of these can follow a proposal
286  * extension.  Already 64-bit aligned thanks to uint64_t fields.
 *
 * Each entry names one auth/encrypt algorithm pair with acceptable key
 * strength ranges and the soft/hard lifetimes proposed for it.  The number
 * of entries is implied by sadb_prop_len, not stored explicitly.
287  */
288 
289 typedef struct sadb_comb {
290 	uint8_t sadb_comb_auth;			/* Authentication algorithm */
291 	uint8_t sadb_comb_encrypt;		/* Encryption algorithm */
292 	uint16_t sadb_comb_flags;		/* Comb. flags (e.g. PFS) */
293 	uint16_t sadb_comb_auth_minbits;	/* Bit strengths for auth */
294 	uint16_t sadb_comb_auth_maxbits;
295 	uint16_t sadb_comb_encrypt_minbits;	/* Bit strengths for encrypt */
296 	uint16_t sadb_comb_encrypt_maxbits;
297 	uint8_t sadb_x_comb_encrypt_saltbits;	/* Salt bits for the cipher (local) */
298 	uint8_t sadb_x_comb_reserved;
299 	uint16_t sadb_comb_reserved;
300 	uint32_t sadb_comb_soft_allocations;	/* Lifetime proposals for */
301 	uint32_t sadb_comb_hard_allocations;	/* this combination. */
302 	uint64_t sadb_comb_soft_bytes;
303 	uint64_t sadb_comb_hard_bytes;
304 	uint64_t sadb_comb_soft_addtime;
305 	uint64_t sadb_comb_hard_addtime;
306 	uint64_t sadb_comb_soft_usetime;
307 	uint64_t sadb_comb_hard_usetime;
308 } sadb_comb_t;
309 
310 /*
311  * An extended combination that can comprise many SA types.
312  * A single combination has algorithms and SA types locked.
313  * These are represented by algorithm descriptors, the second structure
314  * in the list.  For example, if the EACQUIRE requests AH(MD5) + ESP(DES/null)
315  * _or_ ESP(DES/MD5), it would have two combinations:
316  *
317  * COMB: algdes(AH, AUTH, MD5), algdes(ESP, CRYPT, DES)
318  * COMB: algdes(ESP, AUTH, MD5), algdes(ESP, CRYPT, DES)
319  *
320  * If an SA type supports an algorithm type, and there's no descriptor,
321  * assume it requires NONE, just like it were explicitly stated.
322  * (This includes ESP NULL encryption, BTW.)
323  *
324  * Already 64-bit aligned thanks to uint64_t fields.
 *
 * sadb_x_ecomb_numalgs sadb_x_algdesc_t entries follow each ecomb; a
 * parser must check that they fit within the enclosing extension.
325  */
326 
327 typedef struct sadb_x_ecomb {
328 	uint8_t sadb_x_ecomb_numalgs;		/* # of algdesc entries following */
329 	uint8_t sadb_x_ecomb_reserved;
330 	uint16_t sadb_x_ecomb_flags;	/* E.g. PFS? */
331 	uint32_t sadb_x_ecomb_reserved2;
332 	uint32_t sadb_x_ecomb_soft_allocations;	/* Lifetime proposals, as in sadb_comb_t */
333 	uint32_t sadb_x_ecomb_hard_allocations;
334 	uint64_t sadb_x_ecomb_soft_bytes;
335 	uint64_t sadb_x_ecomb_hard_bytes;
336 	uint64_t sadb_x_ecomb_soft_addtime;
337 	uint64_t sadb_x_ecomb_hard_addtime;
338 	uint64_t sadb_x_ecomb_soft_usetime;
339 	uint64_t sadb_x_ecomb_hard_usetime;
340 } sadb_x_ecomb_t;
341 
/*
 * Algorithm descriptor within an extended combination (sadb_x_ecomb_t).
 * satype is a SADB_SATYPE_* value, algtype a SADB_X_ALGTYPE_* value and
 * alg a SADB_AALG_*/SADB_EALG_* identifier interpreted according to algtype.
 */
342 typedef struct sadb_x_algdesc {
343 	/* Union is for guaranteeing 64-bit alignment. */
344 	union {
345 		struct {
346 			uint8_t sadb_x_algdesc_usatype;	/* ESP, AH, etc. */
347 			uint8_t sadb_x_algdesc_ualgtype; /* AUTH, CRYPT, COMP */
348 			uint8_t sadb_x_algdesc_ualg;	/* 3DES, MD5, etc. */
349 			uint8_t sadb_x_algdesc_usaltbits;	/* Salt bits for the cipher */
350 			uint16_t sadb_x_algdesc_uminbits; /* Bit strengths. */
351 			uint16_t sadb_x_algdesc_umaxbits;
352 		} sadb_x_algdesc_actual;
353 		uint64_t sadb_x_algdesc_alignment;
354 	} sadb_x_algdesc_u;
355 #define	sadb_x_algdesc_satype \
356 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_usatype
357 #define	sadb_x_algdesc_algtype \
358 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualgtype
359 #define	sadb_x_algdesc_alg \
360 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualg
361 #define	sadb_x_algdesc_saltbits \
362 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_usaltbits
363 #define	sadb_x_algdesc_minbits \
364 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_uminbits
365 #define	sadb_x_algdesc_maxbits \
366 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_umaxbits
367 } sadb_x_algdesc_t;
368 
369 /*
370  * When key mgmt. registers with the kernel, the kernel will tell key mgmt.
371  * its supported algorithms.
 *
 * Used with SADB_EXT_SUPPORTED_AUTH and SADB_EXT_SUPPORTED_ENCRYPT.  Per
 * RFC 2367 the fixed part is followed by an array of sadb_alg_t entries;
 * the count is implied by sadb_supported_len.
372  */
373 
374 typedef struct sadb_supported {
375 	/* Union is for guaranteeing 64-bit alignment. */
376 	union {
377 		struct {
378 			uint16_t sadb_x_supported_ulen;
379 			uint16_t sadb_x_supported_uexttype;	/* SUPPORTED_AUTH, SUPPORTED_ENCRYPT */
380 			uint32_t sadb_x_supported_ureserved;
381 		} sadb_x_supported_actual;
382 		uint64_t sadb_x_supported_alignment;
383 	} sadb_x_supported_u;
	/* Accessors under the RFC 2367 field names. */
384 #define	sadb_supported_len \
385 	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ulen
386 #define	sadb_supported_exttype \
387 	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_uexttype
388 #define	sadb_supported_reserved \
389 	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ureserved
390 } sadb_supported_t;
391 
392 /* First, a base structure... */
/*
 * Unaligned body of one supported-algorithm entry.  The trailing 16-bit
 * word is either the RFC 2367 reserved field or, in this implementation,
 * two bytes of defaults: the key-length increment and the salt bits.
 */
393 typedef struct sadb_x_algb {
394 	uint8_t sadb_x_algb_id;		/* Algorithm type. */
395 	uint8_t sadb_x_algb_ivlen;		/* IV len, in bits */
396 	uint16_t sadb_x_algb_minbits;	/* Min. key len (in bits) */
397 	uint16_t sadb_x_algb_maxbits;	/* Max. key length */
398 	union {
399 		uint16_t sadb_x_algb_ureserved;
400 		uint8_t sadb_x_algb_udefaults[2];	/* [0] increment, [1] saltbits */
401 	} sadb_x_algb_union;
402 
403 #define	sadb_x_algb_reserved sadb_x_algb_union.sadb_x_algb_ureserved
404 #define	sadb_x_algb_increment sadb_x_algb_union.sadb_x_algb_udefaults[0]
405 #define	sadb_x_algb_saltbits sadb_x_algb_union.sadb_x_algb_udefaults[1]
406 /*
407  * alg_increment: the number of bits from a key length to the next
 * (i.e. valid key lengths are minbits, minbits + increment, ... up to maxbits).
408  */
409 } sadb_x_algb_t;
410 
411 /* Now, the actual sadb_alg structure, which will have alignment in it. */
/*
 * One entry of the array following sadb_supported_t; wraps sadb_x_algb_t
 * to force 64-bit alignment and exposes its fields under the RFC 2367 names.
 */
412 typedef struct sadb_alg {
413 	/* Union is for guaranteeing 64-bit alignment. */
414 	union {
415 		sadb_x_algb_t sadb_x_alg_actual;
416 		uint64_t sadb_x_alg_alignment;
417 	} sadb_x_alg_u;
418 #define	sadb_alg_id sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_id
419 #define	sadb_alg_ivlen sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_ivlen
420 #define	sadb_alg_minbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_minbits
421 #define	sadb_alg_maxbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_maxbits
422 #define	sadb_alg_reserved sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_reserved
423 #define	sadb_x_alg_increment \
424 	sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_increment
425 #define	sadb_x_alg_saltbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_saltbits
426 } sadb_alg_t;
427 
428 /*
429  * If key mgmt. needs an SPI in a range (including 0 to 0xFFFFFFFF), it
430  * asks the kernel with this extension in the SADB_GETSPI message.
 *
 * Extension type SADB_EXT_SPIRANGE.  The range is inclusive; a request
 * with min > max is malformed (cf. SADB_X_DIAGNOSTIC_MALFORMED_RANGE).
431  */
432 
433 typedef struct sadb_spirange {
434 	uint16_t sadb_spirange_len;
435 	uint16_t sadb_spirange_exttype;	/* SPI_RANGE */
436 	uint32_t sadb_spirange_min;
437 	/* Union is for guaranteeing 64-bit alignment. */
438 	union {
439 		struct {
440 			uint32_t sadb_x_spirange_umax;
441 			uint32_t sadb_x_spirange_ureserved;
442 		} sadb_x_spirange_actual;
443 		uint64_t sadb_x_spirange_alignment;
444 	} sadb_x_spirange_u;
	/* Accessors under the RFC 2367 field names. */
445 #define	sadb_spirange_max \
446 	sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_umax
447 #define	sadb_spirange_reserved \
448 	sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_ureserved
449 } sadb_spirange_t;
450 
451 /*
452  * For the "extended REGISTER" which'll tell the kernel to send me
453  * "extended ACQUIREs".
 *
 * Extension type SADB_X_EXT_EREG.  The satypes array lists SADB_SATYPE_*
 * values and is 0-terminated (0 == SADB_SATYPE_UNSPEC); only four bytes
 * fit in the fixed part, so any longer list presumably continues into
 * the remainder of the sadb_x_ereg_len 64-bit words — confirm with the
 * consumer.
454  */
455 
456 typedef struct sadb_x_ereg {
457 	/* Union is for guaranteeing 64-bit alignment. */
458 	union {
459 		struct {
460 			uint16_t sadb_x_ereg_ulen;
461 			uint16_t sadb_x_ereg_uexttype;	/* X_EREG */
462 			/* Array of SA types, 0-terminated. */
463 			uint8_t sadb_x_ereg_usatypes[4];
464 		} sadb_x_ereg_actual;
465 		uint64_t sadb_x_ereg_alignment;
466 	} sadb_x_ereg_u;
467 #define	sadb_x_ereg_len \
468 	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_ulen
469 #define	sadb_x_ereg_exttype \
470 	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_uexttype
471 #define	sadb_x_ereg_satypes \
472 	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_usatypes
473 } sadb_x_ereg_t;
474 
475 /*
476  * For conveying a Key Management Cookie with SADB_GETSPI, SADB_ADD,
477  * SADB_ACQUIRE, or SADB_X_INVERSE_ACQUIRE.
 *
 * Extension type SADB_X_EXT_KM_COOKIE.  sadb_x_kmc_proto is a
 * SADB_X_KMP_* value.  The 64-bit cookie view overlays both the 32-bit
 * cookie and the reserved word, so a sender using sadb_x_kmc_cookie must
 * still zero sadb_x_kmc_reserved, and a receiver should not assume the
 * reserved word is zero when sadb_x_kmc_cookie64 was used.
478  */
479 
480 typedef struct sadb_x_kmc {
481 	uint16_t sadb_x_kmc_len;
482 	uint16_t sadb_x_kmc_exttype;	/* X_KM_COOKIE */
483 	uint32_t sadb_x_kmc_proto;	/* KM protocol */
484 	union {
485 		struct {
486 			uint32_t sadb_x_kmc_ucookie;	/* KMP-specific */
487 			uint32_t sadb_x_kmc_ureserved;	/* Must be zero */
488 		} sadb_x_kmc_actual;
489 		uint64_t sadb_x_kmc_ucookie64;	/* Overlays cookie + reserved */
490 	} sadb_x_kmc_u;
491 #define	sadb_x_kmc_cookie sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ucookie
492 #define	sadb_x_kmc_reserved sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ureserved
493 #define	sadb_x_kmc_cookie64 sadb_x_kmc_u.sadb_x_kmc_ucookie64
494 } sadb_x_kmc_t;
495 
/*
 * Paired-SA extension (SADB_X_EXT_PAIR): names the SPI of the SA paired
 * with the one in this message (see SADB_X_SAFLAGS_PAIRED and the
 * SADB_X_UPDATEPAIR / SADB_X_DELPAIR message types).
 *
 * NOTE(review): the alignment member is named sadb_x_ext_alignment rather
 * than sadb_x_pair_alignment as in the sibling structs; it is kept as is
 * because renaming it would break source compatibility.
 */
496 typedef struct sadb_x_pair {
497 	union {
498 		/* Union is for guaranteeing 64-bit alignment. */
499 		struct {
500 			uint16_t sadb_x_pair_ulen;
501 			uint16_t sadb_x_pair_uexttype;	/* X_PAIR */
502 			uint32_t sadb_x_pair_uspi;	/* SPI of paired SA */
503 		} sadb_x_pair_actual;
504 		uint64_t sadb_x_ext_alignment;
505 	} sadb_x_pair_u;
506 #define	sadb_x_pair_len sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_ulen
507 #define	sadb_x_pair_exttype \
508 	sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_uexttype
509 #define	sadb_x_pair_spi sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_uspi
510 } sadb_x_pair_t;
511 
512 /*
513  * For the Sequence numbers to be used with SADB_DUMP, SADB_GET, SADB_UPDATE.
 *
 * Extension type SADB_X_EXT_REPLAY_VALUE.  Which of the two counters is
 * meaningful depends on the SA's sequence-number width (see the per-field
 * comments); a receiver should validate the value it uses
 * (cf. SADB_X_DIAGNOSTIC_INVALID_REPLAY).
514  */
515 
516 typedef struct sadb_x_replay_ctr {
517 	uint16_t sadb_x_rc_len;
518 	uint16_t sadb_x_rc_exttype;	/* X_REPLAY_VALUE */
519 	uint32_t sadb_x_rc_replay32;    /* For 240x SAs. */
520 	uint64_t sadb_x_rc_replay64;    /* For 430x SAs. */
521 } sadb_x_replay_ctr_t;
522 
523 /*
524  * For extended DUMP request. Dumps the SAs which were idle for
525  * longer than the timeout specified.
 *
 * Extension type SADB_X_EXT_EDUMP.  The unit of sadb_x_edump_timeout is
 * not stated here; presumably seconds, matching the uint64_t time fields
 * of sadb_lifetime_t — confirm with the consumer.
526  */
527 
528 typedef struct sadb_x_edump {
529 	uint16_t sadb_x_edump_len;
530 	uint16_t sadb_x_edump_exttype;	/* X_EDUMP */
531 	uint32_t sadb_x_edump_reserved;	/* Must be zero */
532 	uint64_t sadb_x_edump_timeout;	/* Idle threshold */
533 } sadb_x_edump_t;
534 
535 /*
536  * Base message types.
 *
 * Values for sadb_msg_type.  SADB_RESERVED through SADB_DUMP are from
 * RFC 2367; the SADB_X_* types are local.  SADB_MAX is the highest valid
 * type and must be bumped when a type is added; a type above it should be
 * answered with SADB_X_DIAGNOSTIC_UNKNOWN_MSG.
537  */
538 
539 #define	SADB_RESERVED	0
540 #define	SADB_GETSPI	1
541 #define	SADB_UPDATE	2
542 #define	SADB_ADD	3
543 #define	SADB_DELETE	4
544 #define	SADB_GET	5
545 #define	SADB_ACQUIRE	6
546 #define	SADB_REGISTER	7
547 #define	SADB_EXPIRE	8
548 #define	SADB_FLUSH	9
549 #define	SADB_DUMP	10   /* not used normally */
550 #define	SADB_X_PROMISC	11
551 #define	SADB_X_INVERSE_ACQUIRE	12
552 #define	SADB_X_UPDATEPAIR	13
553 #define	SADB_X_DELPAIR		14
554 #define	SADB_X_DELPAIR_STATE	15
555 #define	SADB_MAX		15	/* == SADB_X_DELPAIR_STATE */
556 
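/*
 * SA flags (values for sadb_sa_flags in sadb_sa_t).
 *
 * SADB_SAFLAGS_* are the RFC 2367 bits and grow upward from bit 0;
 * SADB_X_SAFLAGS_* are local extensions allocated from the top bit down.
 */

#define	SADB_SAFLAGS_PFS	0x1	/* Perfect forward secrecy? */
#define	SADB_SAFLAGS_NOREPLAY	0x2	/* Replay field NOT PRESENT. */

/* Below flags are used by this implementation.  Grow from left-to-right. */
#define	SADB_X_SAFLAGS_USED	0x80000000	/* SA used/not used */
#define	SADB_X_SAFLAGS_UNIQUE	0x40000000	/* SA unique/reusable */
#define	SADB_X_SAFLAGS_AALG1	0x20000000	/* Auth-alg specific flag 1 */
#define	SADB_X_SAFLAGS_AALG2	0x10000000	/* Auth-alg specific flag 2 */
#define	SADB_X_SAFLAGS_EALG1	 0x8000000	/* Encr-alg specific flag 1 */
#define	SADB_X_SAFLAGS_EALG2	 0x4000000	/* Encr-alg specific flag 2 */
#define	SADB_X_SAFLAGS_KM1	 0x2000000	/* Key mgmt. specific flag 1 */
#define	SADB_X_SAFLAGS_KM2	 0x1000000	/* Key mgmt. specific flag 2 */
#define	SADB_X_SAFLAGS_KM3	  0x800000	/* Key mgmt. specific flag 3 */
#define	SADB_X_SAFLAGS_KM4	  0x400000	/* Key mgmt. specific flag 4 */
#define	SADB_X_SAFLAGS_KRES1	  0x200000	/* Reserved by the kernel */
#define	SADB_X_SAFLAGS_NATT_LOC	  0x100000	/* this has a natted src SA */
#define	SADB_X_SAFLAGS_NATT_REM	   0x80000	/* this has a natted dst SA */
#define	SADB_X_SAFLAGS_KRES2	   0x40000	/* Reserved by the kernel */
#define	SADB_X_SAFLAGS_TUNNEL	   0x20000	/* tunnel mode */
#define	SADB_X_SAFLAGS_PAIRED	   0x10000	/* inbound/outbound pair */
#define	SADB_X_SAFLAGS_OUTBOUND	    0x8000	/* SA direction bit */
#define	SADB_X_SAFLAGS_INBOUND	    0x4000	/* SA direction bit */
#define	SADB_X_SAFLAGS_TCPSIG	    0x2000	/* SA is for a TCP signature */
#define	SADB_X_SAFLAGS_NATTED	    0x1000	/* Local node is behind a NAT */

/*
 * Mask of the kernel-reserved flag bits.  The expansion is parenthesized
 * so that it is safe as an operand: without the parentheses
 * `x & SADB_X_SAFLAGS_KRES` would parse as `(x & KRES1) | KRES2`, which is
 * never zero.
 */
#define	SADB_X_SAFLAGS_KRES	\
	(SADB_X_SAFLAGS_KRES1 | SADB_X_SAFLAGS_KRES2)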
588 
589 /*
590  * SA state.
 *
 * Values for sadb_sa_state.  LARVAL..DEAD are the RFC 2367 states; the
 * SADB_X_* states are local.  SADB_SASTATE_MAX must track the last one
 * (cf. SADB_X_DIAGNOSTIC_BAD_SASTATE).
591  */
592 
593 #define	SADB_SASTATE_LARVAL		0
594 #define	SADB_SASTATE_MATURE		1
595 #define	SADB_SASTATE_DYING		2
596 #define	SADB_SASTATE_DEAD		3
597 #define	SADB_X_SASTATE_ACTIVE_ELSEWHERE	4
598 #define	SADB_X_SASTATE_IDLE		5
599 #define	SADB_X_SASTATE_ACTIVE		6
600 
601 #define	SADB_SASTATE_MAX		6	/* == SADB_X_SASTATE_ACTIVE */
602 
603 /*
604  * SA type.  Gaps are present in the number space because (for the time being)
605  * these types correspond to the SA types in the IPsec DOI document.
 *
 * Values for sadb_msg_satype and sadb_x_algdesc_satype.  UNSPEC (0) also
 * terminates the satype list in sadb_x_ereg_t.  Unlisted values in the
 * gaps must be rejected (cf. SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE).
606  */
607 
608 #define	SADB_SATYPE_UNSPEC	0
609 #define	SADB_SATYPE_AH		2  /* RFC-1826 */
610 #define	SADB_SATYPE_ESP		3  /* RFC-1827 */
611 #define	SADB_X_SATYPE_TCPSIG	4  /* RFC-2385 */
612 #define	SADB_SATYPE_RSVP	5  /* RSVP Authentication */
613 #define	SADB_SATYPE_OSPFV2	6  /* OSPFv2 Authentication */
614 #define	SADB_SATYPE_RIPV2	7  /* RIPv2 Authentication */
615 #define	SADB_SATYPE_MIP		8  /* Mobile IPv4 Authentication */
616 
617 #define	SADB_SATYPE_MAX		8
618 
/* TCP-MD5 (RFC 2385) key length limit for SADB_X_SATYPE_TCPSIG; presumably bytes. */
619 #define	TCPSIG_MD5_KEY_LEN	80
620 
621 /*
622  * Algorithm types.  Gaps are present because (for the time being) these types
623  * correspond to the SA types in the IPsec DOI document.
624  *
625  * NOTE:  These are numbered to play nice with the IPsec DOI.  That's why
626  *	  there are gaps.
 *
 * SADB_AALG_* are values for sadb_sa_auth / sadb_comb_auth; SADB_EALG_*
 * for sadb_sa_encrypt / sadb_comb_encrypt.  Which of them the kernel
 * actually accepts is reported through SADB_EXT_SUPPORTED_* and is not
 * visible from this header.
 *
 * NOTE(review): SADB_AALG_MD5 is keyed (non-HMAC) MD5 and the DES/Blowfish
 * identifiers are kept for DOI number-space compatibility; treat their
 * presence here as a naming contract, not as an endorsement.
627  */
628 
629 /* Authentication algorithms */
630 #define	SADB_AALG_NONE		0
631 #define	SADB_AALG_MD5		1
632 #define	SADB_AALG_MD5HMAC	2
633 #define	SADB_AALG_SHA1HMAC	3
634 #define	SADB_AALG_SHA256HMAC	5
635 #define	SADB_AALG_SHA384HMAC	6
636 #define	SADB_AALG_SHA512HMAC	7
637 
638 #define	SADB_AALG_MAX		7
639 
640 /* Encryption algorithms */
641 #define	SADB_EALG_NONE		0
642 #define	SADB_EALG_DESCBC	2
643 #define	SADB_EALG_3DESCBC	3
644 #define	SADB_EALG_BLOWFISH	7
645 #define	SADB_EALG_NULL		11
646 #define	SADB_EALG_AES		12
647 #define	SADB_EALG_AES_CCM_8	14	/* AES-CCM, 8-byte ICV */
648 #define	SADB_EALG_AES_CCM_12	15	/* AES-CCM, 12-byte ICV */
649 #define	SADB_EALG_AES_CCM_16	16	/* AES-CCM, 16-byte ICV */
650 #define	SADB_EALG_AES_GCM_8	18	/* AES-GCM, 8-byte ICV */
651 #define	SADB_EALG_AES_GCM_12	19	/* AES-GCM, 12-byte ICV */
652 #define	SADB_EALG_AES_GCM_16	20	/* AES-GCM, 16-byte ICV */
653 #define	SADB_EALG_MAX		20
654 
655 /*
656  * Extension header values.
 *
 * Values for sadb_ext_type.  0 is reserved and never valid in a message
 * (cf. the sadb_x_ext_utype comment).  SADB_EXT_MAX must be bumped when a
 * type is added; anything above it is SADB_X_DIAGNOSTIC_UNKNOWN_EXT.
657  */
658 
659 #define	SADB_EXT_RESERVED		0
660 
661 #define	SADB_EXT_SA			1	/* sadb_sa_t */
662 #define	SADB_EXT_LIFETIME_CURRENT	2	/* sadb_lifetime_t */
663 #define	SADB_EXT_LIFETIME_HARD		3
664 #define	SADB_EXT_LIFETIME_SOFT		4
665 #define	SADB_EXT_ADDRESS_SRC		5	/* sadb_address_t */
666 #define	SADB_EXT_ADDRESS_DST		6
667 /* These two are synonyms. */
668 #define	SADB_EXT_ADDRESS_PROXY		7
669 #define	SADB_X_EXT_ADDRESS_INNER_SRC	SADB_EXT_ADDRESS_PROXY
670 #define	SADB_EXT_KEY_AUTH		8	/* sadb_key_t */
671 #define	SADB_EXT_KEY_ENCRYPT		9
672 #define	SADB_EXT_IDENTITY_SRC		10	/* sadb_ident_t */
673 #define	SADB_EXT_IDENTITY_DST		11
674 #define	SADB_EXT_SENSITIVITY		12	/* sadb_sens_t */
675 #define	SADB_EXT_PROPOSAL		13	/* sadb_prop_t + sadb_comb_t[] */
676 #define	SADB_EXT_SUPPORTED_AUTH		14	/* sadb_supported_t */
677 #define	SADB_EXT_SUPPORTED_ENCRYPT	15
678 #define	SADB_EXT_SPIRANGE		16	/* sadb_spirange_t */
679 #define	SADB_X_EXT_EREG			17	/* sadb_x_ereg_t */
680 #define	SADB_X_EXT_EPROP		18	/* sadb_prop_t + sadb_x_ecomb_t[] */
681 #define	SADB_X_EXT_KM_COOKIE		19	/* sadb_x_kmc_t */
682 #define	SADB_X_EXT_ADDRESS_NATT_LOC	20	/* sadb_address_t */
683 #define	SADB_X_EXT_ADDRESS_NATT_REM	21
684 #define	SADB_X_EXT_ADDRESS_INNER_DST	22
685 #define	SADB_X_EXT_PAIR			23	/* sadb_x_pair_t */
686 #define	SADB_X_EXT_REPLAY_VALUE		24	/* sadb_x_replay_ctr_t */
687 #define	SADB_X_EXT_EDUMP		25	/* sadb_x_edump_t */
688 #define	SADB_X_EXT_LIFETIME_IDLE	26	/* sadb_lifetime_t */
689 #define	SADB_X_EXT_OUTER_SENS		27	/* sadb_sens_t */
690 #define	SADB_X_EXT_STR_AUTH		28	/* layout not given in this header */
691 
692 #define	SADB_EXT_MAX			28	/* == SADB_X_EXT_STR_AUTH */
693 
694 /*
695  * Identity types.
 *
 * Values for sadb_ident_type in sadb_ident_t.  Types 1-3 are from
 * RFC 2367; the SADB_X_* types are local.
696  */
697 
698 #define	SADB_IDENTTYPE_RESERVED 0
699 
700 /*
701  * For PREFIX and ADDR_RANGE, use the AF of the PROXY if present, or the SRC
702  * if not present.
703  */
704 #define	SADB_IDENTTYPE_PREFIX		1
705 #define	SADB_IDENTTYPE_FQDN		2  /* Fully qualified domain name. */
706 #define	SADB_IDENTTYPE_USER_FQDN	3  /* e.g. root@domain.com */
707 #define	SADB_X_IDENTTYPE_DN		4  /* ASN.1 DER Distinguished Name. */
708 #define	SADB_X_IDENTTYPE_GN		5  /* ASN.1 DER Generic Name. */
709 #define	SADB_X_IDENTTYPE_KEY_ID		6  /* Generic KEY ID. */
710 #define	SADB_X_IDENTTYPE_ADDR_RANGE	7
711 
712 #define	SADB_IDENTTYPE_MAX		7	/* == SADB_X_IDENTTYPE_ADDR_RANGE */
713 
714 /*
715  * Protection DOI values for the SENSITIVITY extension.  There are no values
716  * currently, so the MAX is the only non-zero value available.
 *
 * Values for sadb_sens_dpd in sadb_sens_t.
717  */
718 
719 #define	SADB_DPD_NONE	0
720 
721 #define	SADB_DPD_MAX	1
722 
723 /*
724  * Diagnostic codes.  These supplement error messages.  Be sure to
725  * update libipsecutil's keysock_diag() if you change any of these.
 *
 * The code travels in sadb_x_msg_diagnostic, the uint16_t reserved word of
 * sadb_msg_t, on errno replies.  SADB_X_DIAGNOSTIC_PRESET is -1 and is for
 * internal bookkeeping only: it does not fit the uint16_t field and must
 * never be placed in a message.  SADB_X_DIAGNOSTIC_MAX must track the last
 * real code.
726  */
727 
728 #define	SADB_X_DIAGNOSTIC_PRESET		-1	/* Internal value. */
729 
730 #define	SADB_X_DIAGNOSTIC_NONE			0
731 
	/* Message / extension framing problems. */
732 #define	SADB_X_DIAGNOSTIC_UNKNOWN_MSG		1
733 #define	SADB_X_DIAGNOSTIC_UNKNOWN_EXT		2
734 #define	SADB_X_DIAGNOSTIC_BAD_EXTLEN		3
735 #define	SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE	4
736 #define	SADB_X_DIAGNOSTIC_SATYPE_NEEDED		5
737 #define	SADB_X_DIAGNOSTIC_NO_SADBS		6
738 #define	SADB_X_DIAGNOSTIC_NO_EXT		7
739 /* Bad address family value */
740 #define	SADB_X_DIAGNOSTIC_BAD_SRC_AF		8
741 /* in sockaddr->sa_family. */
742 #define	SADB_X_DIAGNOSTIC_BAD_DST_AF		9
743 /* These two are synonyms. */
744 #define	SADB_X_DIAGNOSTIC_BAD_PROXY_AF		10
745 #define	SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF	10
746 
747 #define	SADB_X_DIAGNOSTIC_AF_MISMATCH		11
748 
749 #define	SADB_X_DIAGNOSTIC_BAD_SRC		12
750 #define	SADB_X_DIAGNOSTIC_BAD_DST		13
751 
	/* Hard/soft lifetime inconsistencies (soft exceeds hard). */
752 #define	SADB_X_DIAGNOSTIC_ALLOC_HSERR		14
753 #define	SADB_X_DIAGNOSTIC_BYTES_HSERR		15
754 #define	SADB_X_DIAGNOSTIC_ADDTIME_HSERR		16
755 #define	SADB_X_DIAGNOSTIC_USETIME_HSERR		17
756 
	/* Required extension absent. */
757 #define	SADB_X_DIAGNOSTIC_MISSING_SRC		18
758 #define	SADB_X_DIAGNOSTIC_MISSING_DST		19
759 #define	SADB_X_DIAGNOSTIC_MISSING_SA		20
760 #define	SADB_X_DIAGNOSTIC_MISSING_EKEY		21
761 #define	SADB_X_DIAGNOSTIC_MISSING_AKEY		22
762 #define	SADB_X_DIAGNOSTIC_MISSING_RANGE		23
763 
	/* Extension present more than once. */
764 #define	SADB_X_DIAGNOSTIC_DUPLICATE_SRC		24
765 #define	SADB_X_DIAGNOSTIC_DUPLICATE_DST		25
766 #define	SADB_X_DIAGNOSTIC_DUPLICATE_SA		26
767 #define	SADB_X_DIAGNOSTIC_DUPLICATE_EKEY	27
768 #define	SADB_X_DIAGNOSTIC_DUPLICATE_AKEY	28
769 #define	SADB_X_DIAGNOSTIC_DUPLICATE_RANGE	29
770 
	/* Extension present but its contents do not parse. */
771 #define	SADB_X_DIAGNOSTIC_MALFORMED_SRC		30
772 #define	SADB_X_DIAGNOSTIC_MALFORMED_DST		31
773 #define	SADB_X_DIAGNOSTIC_MALFORMED_SA		32
774 #define	SADB_X_DIAGNOSTIC_MALFORMED_EKEY	33
775 #define	SADB_X_DIAGNOSTIC_MALFORMED_AKEY	34
776 #define	SADB_X_DIAGNOSTIC_MALFORMED_RANGE	35
777 
	/* Extension present where the message type does not allow it. */
778 #define	SADB_X_DIAGNOSTIC_AKEY_PRESENT		36
779 #define	SADB_X_DIAGNOSTIC_EKEY_PRESENT		37
780 #define	SADB_X_DIAGNOSTIC_PROP_PRESENT		38
781 #define	SADB_X_DIAGNOSTIC_SUPP_PRESENT		39
782 
	/* Bad values in the sadb_sa_t extension. */
783 #define	SADB_X_DIAGNOSTIC_BAD_AALG		40
784 #define	SADB_X_DIAGNOSTIC_BAD_EALG		41
785 #define	SADB_X_DIAGNOSTIC_BAD_SAFLAGS		42
786 #define	SADB_X_DIAGNOSTIC_BAD_SASTATE		43
787 
788 #define	SADB_X_DIAGNOSTIC_BAD_AKEYBITS		44
789 #define	SADB_X_DIAGNOSTIC_BAD_EKEYBITS		45
790 
791 #define	SADB_X_DIAGNOSTIC_ENCR_NOTSUPP		46
792 
793 #define	SADB_X_DIAGNOSTIC_WEAK_EKEY		47
794 #define	SADB_X_DIAGNOSTIC_WEAK_AKEY		48
795 
796 #define	SADB_X_DIAGNOSTIC_DUPLICATE_KMP		49
797 #define	SADB_X_DIAGNOSTIC_DUPLICATE_KMC		50
798 
	/* NAT-traversal address extensions. */
799 #define	SADB_X_DIAGNOSTIC_MISSING_NATT_LOC	51
800 #define	SADB_X_DIAGNOSTIC_MISSING_NATT_REM	52
801 #define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC	53
802 #define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM	54
803 #define	SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC	55
804 #define	SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM	56
805 #define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS	57
806 
	/* Inner (tunnel-mode) address extensions. */
807 #define	SADB_X_DIAGNOSTIC_MISSING_INNER_SRC	58
808 #define	SADB_X_DIAGNOSTIC_MISSING_INNER_DST	59
809 #define	SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC	60
810 #define	SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST	61
811 #define	SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC	62
812 #define	SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST	63
813 
814 #define	SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC	64
815 #define	SADB_X_DIAGNOSTIC_PREFIX_INNER_DST	65
816 #define	SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF	66
817 #define	SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH	67
818 
819 #define	SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF	68
820 #define	SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF	69
821 
822 #define	SADB_X_DIAGNOSTIC_PROTO_MISMATCH	70
823 #define	SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH	71
824 
825 #define	SADB_X_DIAGNOSTIC_DUAL_PORT_SETS	72
826 
	/* SADB_X_EXT_PAIR / SADB_X_UPDATEPAIR / SADB_X_DELPAIR handling. */
827 #define	SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE	73
828 #define	SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH	74
829 #define	SADB_X_DIAGNOSTIC_PAIR_ALREADY		75
830 #define	SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND	76
831 #define	SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION	77
832 
833 #define	SADB_X_DIAGNOSTIC_SA_NOTFOUND		78
834 #define	SADB_X_DIAGNOSTIC_SA_EXPIRED		79
835 #define	SADB_X_DIAGNOSTIC_BAD_CTX		80
836 #define	SADB_X_DIAGNOSTIC_INVALID_REPLAY	81
837 #define	SADB_X_DIAGNOSTIC_MISSING_LIFETIME	82
838 
839 #define	SADB_X_DIAGNOSTIC_BAD_LABEL		83
840 
	/* SADB_X_EXT_STR_AUTH handling. */
841 #define	SADB_X_DIAGNOSTIC_MISSING_ASTR		84
842 #define	SADB_X_DIAGNOSTIC_DUPLICATE_ASTR	85
843 #define	SADB_X_DIAGNOSTIC_MALFORMED_ASTR	86
844 
845 #define	SADB_X_DIAGNOSTIC_MAX			86	/* == SADB_X_DIAGNOSTIC_MALFORMED_ASTR */
846 
847 /* Algorithm type for sadb_x_algdesc above... */
/*
 * Values for sadb_x_algdesc_algtype; they select whether
 * sadb_x_algdesc_alg is to be read as a SADB_AALG_* or a SADB_EALG_* value.
 */
848 
849 #define	SADB_X_ALGTYPE_NONE		0
850 #define	SADB_X_ALGTYPE_AUTH		1	/* alg is a SADB_AALG_* value */
851 #define	SADB_X_ALGTYPE_CRYPT		2	/* alg is a SADB_EALG_* value */
852 #define	SADB_X_ALGTYPE_COMPRESS		3	/* no compression ids are defined here */
853 
854 #define	SADB_X_ALGTYPE_MAX		3
855 
856 /* Key management protocol for sadb_x_kmc above... */
/* Values for sadb_x_kmc_proto in sadb_x_kmc_t. */
857 
858 #define	SADB_X_KMP_MANUAL	0	/* Cookie is ignored. */
859 #define	SADB_X_KMP_IKE		1
860 #define	SADB_X_KMP_KINK		2
861 #define	SADB_X_KMP_IKEV2	3
862 
863 #define	SADB_X_KMP_MAX		SADB_X_KMP_IKEV2
864 
865 /*
866  * Handy conversion macros.  Not part of the PF_KEY spec...
 *
 * 64TO8 / 8TO64 convert between 64-bit words (the unit of every *_len
 * field here) and bytes; 8TO1 / 1TO8 between bytes and bits (the unit of
 * sadb_key_bits).  The argument should be an unsigned quantity: left
 * shifting a negative value is undefined behaviour, and the >> forms
 * truncate any remainder rather than rounding up.
867  */
868 
869 #define	SADB_64TO8(x)	((x) << 3)	/* 64-bit words -> bytes */
870 #define	SADB_8TO64(x)	((x) >> 3)	/* bytes -> 64-bit words (truncating) */
871 #define	SADB_8TO1(x)	((x) << 3)	/* bytes -> bits */
872 #define	SADB_1TO8(x)	((x) >> 3)	/* bits -> bytes (truncating) */
873 
874 #ifdef	__cplusplus
875 }
876 #endif
877 
878 #endif	/* _NET_PFKEYV2_H */
879