xref: /titanic_50/usr/src/uts/common/inet/ipsec_info.h (revision 694c35faa87b858ecdadfe4fc592615f4eefbb07)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_INET_IPSEC_INFO_H
27 #define	_INET_IPSEC_INFO_H
28 
29 #ifdef	__cplusplus
30 extern "C" {
31 #endif
32 
33 #include <sys/crypto/common.h>
34 
35 /*
36  * IPsec informational messages.  These are M_CTL STREAMS messages, which
37  * convey IPsec information between various IP and related modules.  Most
38  * have been deprecated by the de-STREAMS-ing of TCP/IP.  What remains is:
39  *
40  *	* Keysock consumer interface  -  These messages are wrappers for
41  *	  PF_KEY messages.  They flow between AH/ESP and keysock.
42  *
43  */
44 
45 /*
46  * The IPsec M_CTL value MUST be something that will not be even close
47  * to an IPv4 or IPv6 header.  This means the first byte must not be
48  * 0x40 - 0x4f or 0x60-0x6f.  For big-endian machines, this is fixable with
49  * the IPSEC_M_CTL prefix.  For little-endian machines, the actual M_CTL
50  * _type_ must not be in the aforementioned ranges.
51  *
52  * The reason for this avoidance is because M_CTL's with a real IPv4/IPv6
53  * datagram get sent from to TCP or UDP when an ICMP datagram affects a
54  * TCP/UDP session.
55  */
56 #define	IPSEC_M_CTL	0x73706900
57 
58 /*
59  * M_CTL types for IPsec messages.  Remember, the values 0x40 - 0x4f and 0x60
60  * - 0x6f are not to be used because of potential little-endian confusion.
61  *
62  * Offsets 3-7 (decimal) are in use, spread through this file.
63  * Check for duplicates through the whole file before adding.
64  */
65 
66 /*
67  * Keysock consumer interface.
68  *
69  * The driver/module keysock (which is a driver to PF_KEY sockets, but is
70  * a module to 'consumers' like AH and ESP) uses keysock consumer interface
71  * messages to pass on PF_KEY messages to consumers who process and act upon
72  * them.
73  */
74 #define	KEYSOCK_IN		(IPSEC_M_CTL + 3)
75 #define	KEYSOCK_OUT		(IPSEC_M_CTL + 4)
76 #define	KEYSOCK_OUT_ERR		(IPSEC_M_CTL + 5)
77 #define	KEYSOCK_HELLO		(IPSEC_M_CTL + 6)
78 #define	KEYSOCK_HELLO_ACK	(IPSEC_M_CTL + 7)
79 
80 /*
81  * KEYSOCK_HELLO is sent by keysock to a consumer when it is pushed on top
82  * of one (i.e. opened as a module).
83  *
84  * NOTE: Keysock_hello is simply an ipsec_info_t
85  */
86 
87 /*
88  * KEYSOCK_HELLO_ACK is sent by a consumer to acknowledge a KEYSOCK_HELLO.
89  * It contains the PF_KEYv2 sa_type, so keysock can redirect PF_KEY messages
90  * to the right consumer.
91  */
92 typedef struct keysock_hello_ack_s {
93 	uint32_t ks_hello_type;
94 	uint32_t ks_hello_len;
95 	uint8_t ks_hello_satype;	/* PF_KEYv2 sa_type of ks client */
96 } keysock_hello_ack_t;
97 
98 #define	KS_IN_ADDR_UNKNOWN 0
99 #define	KS_IN_ADDR_NOTTHERE 1
100 #define	KS_IN_ADDR_UNSPEC 2
101 #define	KS_IN_ADDR_ME 3
102 #define	KS_IN_ADDR_NOTME 4
103 #define	KS_IN_ADDR_MBCAST 5
104 #define	KS_IN_ADDR_DONTCARE 6
105 
106 /*
107  * KEYSOCK_IN is a PF_KEY message from a PF_KEY socket destined for a consumer.
108  */
109 typedef struct keysock_in_s {
110 	uint32_t ks_in_type;
111 	uint32_t ks_in_len;
112 	/*
113 	 * NOTE:	These pointers MUST be into the M_DATA that follows
114 	 *		this M_CTL message.  If they aren't, weirdness
115 	 *		results.
116 	 */
117 	struct sadb_ext *ks_in_extv[SADB_EXT_MAX + 1];
118 	int ks_in_srctype;	/* Source address type. */
119 	int ks_in_dsttype;	/* Dest address type. */
120 	minor_t ks_in_serial;	/* Serial # of sending socket. */
121 } keysock_in_t;
122 
123 /*
124  * KEYSOCK_OUT is a PF_KEY message from a consumer destined for a PF_KEY
125  * socket.
126  */
127 typedef struct keysock_out_s {
128 	uint32_t ks_out_type;
129 	uint32_t ks_out_len;
130 	minor_t ks_out_serial;	/* Serial # of sending socket. */
131 } keysock_out_t;
132 
133 /*
134  * KEYSOCK_OUT_ERR is sent to a consumer from keysock if for some reason
135  * keysock could not find a PF_KEY socket to deliver a consumer-originated
136  * message (e.g. SADB_ACQUIRE).
137  */
138 typedef struct keysock_out_err_s {
139 	uint32_t ks_err_type;
140 	uint32_t ks_err_len;
141 	minor_t ks_err_serial;
142 	int ks_err_errno;
143 	/*
144 	 * Other, richer error information may end up going here eventually.
145 	 */
146 } keysock_out_err_t;
147 
148 /*
149  * All IPsec informational messages are placed into the ipsec_info_t
150  * union, so that allocation can be done once, and IPsec informational
151  * messages can be recycled.
152  */
153 typedef union ipsec_info_u {
154 	struct {
155 		uint32_t ipsec_allu_type;
156 		uint32_t ipsec_allu_len;	/* In bytes */
157 	} ipsec_allu;
158 	keysock_hello_ack_t keysock_hello_ack;
159 	keysock_in_t keysock_in;
160 	keysock_out_t keysock_out;
161 	keysock_out_err_t keysock_out_err;
162 } ipsec_info_t;
163 #define	ipsec_info_type ipsec_allu.ipsec_allu_type
164 #define	ipsec_info_len ipsec_allu.ipsec_allu_len
165 
166 #ifdef	__cplusplus
167 }
168 #endif
169 
170 #endif	/* _INET_IPSEC_INFO_H */
171