xref: /titanic_50/usr/src/uts/common/net/pfkeyv2.h (revision 7c478bd95313f5f23a4c958a745db2134aa03244)
1*7c478bd9Sstevel@tonic-gate /*
2*7c478bd9Sstevel@tonic-gate  * CDDL HEADER START
3*7c478bd9Sstevel@tonic-gate  *
4*7c478bd9Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
5*7c478bd9Sstevel@tonic-gate  * Common Development and Distribution License, Version 1.0 only
6*7c478bd9Sstevel@tonic-gate  * (the "License").  You may not use this file except in compliance
7*7c478bd9Sstevel@tonic-gate  * with the License.
8*7c478bd9Sstevel@tonic-gate  *
9*7c478bd9Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10*7c478bd9Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
11*7c478bd9Sstevel@tonic-gate  * See the License for the specific language governing permissions
12*7c478bd9Sstevel@tonic-gate  * and limitations under the License.
13*7c478bd9Sstevel@tonic-gate  *
14*7c478bd9Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
15*7c478bd9Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16*7c478bd9Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
17*7c478bd9Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
18*7c478bd9Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
19*7c478bd9Sstevel@tonic-gate  *
20*7c478bd9Sstevel@tonic-gate  * CDDL HEADER END
21*7c478bd9Sstevel@tonic-gate  */
22*7c478bd9Sstevel@tonic-gate /*
23*7c478bd9Sstevel@tonic-gate  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24*7c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
25*7c478bd9Sstevel@tonic-gate  */
26*7c478bd9Sstevel@tonic-gate 
27*7c478bd9Sstevel@tonic-gate #ifndef	_NET_PFKEYV2_H
28*7c478bd9Sstevel@tonic-gate #define	_NET_PFKEYV2_H
29*7c478bd9Sstevel@tonic-gate 
30*7c478bd9Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
31*7c478bd9Sstevel@tonic-gate 
32*7c478bd9Sstevel@tonic-gate /*
33*7c478bd9Sstevel@tonic-gate  * Definitions and structures for PF_KEY version 2.  See RFC 2367 for
34*7c478bd9Sstevel@tonic-gate  * more details.  SA == Security Association, which is what PF_KEY provides
35*7c478bd9Sstevel@tonic-gate  * an API for managing.
36*7c478bd9Sstevel@tonic-gate  */
37*7c478bd9Sstevel@tonic-gate 
38*7c478bd9Sstevel@tonic-gate #ifdef	__cplusplus
39*7c478bd9Sstevel@tonic-gate extern "C" {
40*7c478bd9Sstevel@tonic-gate #endif
41*7c478bd9Sstevel@tonic-gate 
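/*
 * PF_KEY_V2 is the value expected in sadb_msg_version.
 * PFKEYV2_REVISION looks like a date-style (YYYYMM) revision stamp for
 * these definitions -- TODO confirm against the consumers of this header.
 *
 * (The source-browser annotation prefix has been stripped from these lines
 * so that they are valid C again.)
 */
#define	PF_KEY_V2		2
#define	PFKEYV2_REVISION	200109L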
44*7c478bd9Sstevel@tonic-gate 
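/*
 * Base PF_KEY message.
 *
 * This is the fixed 16-byte header of a PF_KEY message.  sadb_msg_len is
 * expressed in 64-bit words, not bytes.
 *
 * NOTE(review): code that receives one of these from an untrusted sender
 * should check sadb_msg_version, convert sadb_msg_len to bytes and compare
 * it with the number of bytes actually read before touching anything past
 * the header, and reject a length smaller than this structure.
 * sadb_msg_seq and sadb_msg_pid are set by the originator, so they are
 * correlation values and not an authenticated identity.
 */

typedef struct sadb_msg {
	uint8_t sadb_msg_version;	/* Version, currently PF_KEY_V2 */
	uint8_t sadb_msg_type;		/* ADD, UPDATE, etc. */
	uint8_t sadb_msg_errno;		/* Error number from UNIX errno space */
	uint8_t sadb_msg_satype;	/* ESP, AH, etc. */
	uint16_t sadb_msg_len;		/* Length in 64-bit words. */
	uint16_t sadb_msg_reserved;	/* must be zero */
/*
 * Use the reserved field for extended diagnostic information on errno
 * responses.  sadb_x_msg_diagnostic is only another name for
 * sadb_msg_reserved; both refer to the same 16 bits.
 */
#define	sadb_x_msg_diagnostic sadb_msg_reserved
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint32_t sadb_x_msg_useq;	/* Set by originator */
			uint32_t sadb_x_msg_upid;	/* Set by originator */
		} sadb_x_msg_actual;
		uint64_t sadb_x_msg_alignment;
	} sadb_x_msg_u;
/* Short names for the members nested inside the alignment union. */
#define	sadb_msg_seq sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_useq
#define	sadb_msg_pid sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_upid
} sadb_msg_t;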
72*7c478bd9Sstevel@tonic-gate 
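/*
 * Generic extension header.
 *
 * Length and type prefix shared by the extension structures in this file.
 * The length is in 64-bit words and includes this header.
 *
 * NOTE(review): a loop that walks extensions by adding sadb_ext_len must
 * reject a length of 0 (the walk would never advance), a length that runs
 * past the end of the enclosing message, and a length smaller than the
 * fixed structure implied by sadb_ext_type.  Type 0 is reserved.
 */

typedef struct sadb_ext {
	union {
		/* Union is for guaranteeing 64-bit alignment. */
		struct {
			uint16_t sadb_x_ext_ulen;	/* In 64s, inclusive */
			uint16_t sadb_x_ext_utype;	/* 0 is reserved */
		} sadb_x_ext_actual;
		uint64_t sadb_x_ext_alignment;
	} sadb_x_ext_u;
/* Short names for the members nested inside the alignment union. */
#define	sadb_ext_len sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_ulen
#define	sadb_ext_type sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_utype
} sadb_ext_t;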
89*7c478bd9Sstevel@tonic-gate 
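/*
 * Security Association information extension.
 *
 * Carries the SPI, the SA state, the algorithm identifiers and the SA flags.
 *
 * NOTE(review): sadb_sa_auth, sadb_sa_encrypt and sadb_sa_state are raw
 * 8-bit values from the sender; range-check them before using them as
 * table indices.  RFC 2367 describes sadb_sa_replay as the replay window
 * size, with 0 meaning no replay protection -- confirm how this
 * implementation interprets it before relying on the "counter" wording.
 */

typedef struct sadb_sa {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_sa_ulen;
			uint16_t sadb_x_sa_uexttype;	/* ASSOCIATION */
			uint32_t sadb_x_sa_uspi;	/* Sec. Param. Index */
		} sadb_x_sa_uactual;
		uint64_t sadb_x_sa_alignment;
	} sadb_x_sa_u;
/* Short names for the members nested inside the alignment union. */
#define	sadb_sa_len sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_ulen
#define	sadb_sa_exttype sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uexttype
#define	sadb_sa_spi sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uspi
	uint8_t sadb_sa_replay;		/* Replay counter */
	uint8_t sadb_sa_state;		/* MATURE, DEAD, DYING, LARVAL */
	uint8_t sadb_sa_auth;		/* Authentication algorithm */
	uint8_t sadb_sa_encrypt;	/* Encryption algorithm */
	uint32_t sadb_sa_flags;		/* SA flags. */
} sadb_sa_t;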
113*7c478bd9Sstevel@tonic-gate 
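/*
 * SA Lifetime extension.  Already 64-bit aligned thanks to uint64_t fields.
 *
 * One extension describes one kind of lifetime (soft, hard or current,
 * selected by sadb_lifetime_exttype) as an allocation count, a byte count
 * and two time values.
 *
 * NOTE(review): the time fields are 64 bits wide on the wire even where
 * time_t is narrower; check for truncation when converting, and decide
 * explicitly what an all-zero limit means before enforcing expiry.
 */

typedef struct sadb_lifetime {
	uint16_t sadb_lifetime_len;
	uint16_t sadb_lifetime_exttype;		/* SOFT, HARD, CURRENT */
	uint32_t sadb_lifetime_allocations;
	uint64_t sadb_lifetime_bytes;
	uint64_t sadb_lifetime_addtime;	/* These fields are assumed to hold */
	uint64_t sadb_lifetime_usetime;	/* >= sizeof (time_t). */
} sadb_lifetime_t;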
126*7c478bd9Sstevel@tonic-gate 
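/*
 * SA address information.
 *
 * Fixed 8-byte prefix; the address itself is a sockaddr that follows this
 * structure in the message.
 *
 * NOTE(review): before casting the trailing bytes to a sockaddr type,
 * check that sadb_address_len leaves room for the sockaddr of the claimed
 * address family, and that sadb_address_prefixlen does not exceed the bit
 * width of that family's address.
 */

typedef struct sadb_address {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_address_ulen;
			uint16_t sadb_x_address_uexttype; /* SRC, DST, PROXY */
			uint8_t sadb_x_address_uproto; /* Proto for ports... */
			uint8_t sadb_x_address_uprefixlen; /* Prefix length. */
			uint16_t sadb_x_address_ureserved; /* Padding */
		} sadb_x_address_actual;
		uint64_t sadb_x_address_alignment;
	} sadb_x_address_u;
/* Short names for the members nested inside the alignment union. */
#define	sadb_address_len \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ulen
#define	sadb_address_exttype \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uexttype
#define	sadb_address_proto \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uproto
#define	sadb_address_prefixlen \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uprefixlen
#define	sadb_address_reserved \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ureserved
	/* Followed by a sockaddr structure which may contain ports. */
} sadb_address_t;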
155*7c478bd9Sstevel@tonic-gate 
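/*
 * SA key information.
 *
 * Fixed 8-byte prefix; the key bytes follow this structure in the message.
 * sadb_key_bits is the actual key length in bits, which is separate from
 * the extension length in sadb_key_len.
 *
 * NOTE(review): check that the bytes implied by sadb_key_bits fit inside
 * the extension as bounded by sadb_key_len before copying the key, and
 * that the bit length is one the selected algorithm accepts.  The trailing
 * bytes are secret key material: keep them out of logs and dumps, and
 * clear buffers holding them with a zeroing routine the compiler cannot
 * remove.
 */

typedef struct sadb_key {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_key_ulen;
			uint16_t sadb_x_key_uexttype;	/* AUTH, ENCRYPT */
			uint16_t sadb_x_key_ubits;	/* Actual len (bits) */
			uint16_t sadb_x_key_ureserved;
		} sadb_x_key_actual;
		uint64_t sadb_x_key_alignment;
	} sadb_x_key_u;
/* Short names for the members nested inside the alignment union. */
#define	sadb_key_len sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ulen
#define	sadb_key_exttype sadb_x_key_u.sadb_x_key_actual.sadb_x_key_uexttype
#define	sadb_key_bits sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ubits
#define	sadb_key_reserved sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ureserved
	/* Followed by actual key(s) in canonical (outbound proc.) order. */
} sadb_key_t;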
177*7c478bd9Sstevel@tonic-gate 
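/*
 * SA Identity information.  Already 64-bit aligned thanks to uint64_t fields.
 *
 * Fixed 16-byte prefix, optionally followed by the identity as a C string.
 *
 * NOTE(review): the trailing string comes from the sender.  Confirm that a
 * NUL byte exists inside the bounds given by sadb_ident_len before passing
 * the pointer to any string function.
 */

typedef struct sadb_ident {
	uint16_t sadb_ident_len;
	uint16_t sadb_ident_exttype;	/* SRC, DST, PROXY */
	uint16_t sadb_ident_type;	/* FQDN, USER_FQDN, etc. */
	uint16_t sadb_ident_reserved;	/* Padding */
	uint64_t sadb_ident_id;		/* For userid, etc. */
	/* Followed by an identity null-terminated C string if present. */
} sadb_ident_t;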
190*7c478bd9Sstevel@tonic-gate 
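/*
 * SA sensitivity information.  This is mostly useful on MLS systems.
 *
 * Fixed 16-byte prefix followed by two variable-length bitmaps whose sizes
 * are given, in 64-bit words, by sadb_sens_sens_len and
 * sadb_sens_integ_len.
 *
 * NOTE(review): the two bitmap lengths are independent 8-bit values from
 * the sender.  Check that this structure plus both bitmaps fits inside the
 * extension as bounded by sadb_sens_len before indexing either bitmap.
 */

typedef struct sadb_sens {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_sens_ulen;
			uint16_t sadb_x_sens_uexttype;	/* SENSITIVITY */
			uint32_t sadb_x_sens_udpd;	/* Protection domain */
		} sadb_x_sens_actual;
		uint64_t sadb_x_sens_alignment;
	} sadb_x_sens_u;
/* Short names for the members nested inside the alignment union. */
#define	sadb_sens_len sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_ulen
#define	sadb_sens_exttype sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_uexttype
#define	sadb_sens_dpd sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_udpd
	uint8_t sadb_sens_sens_level;
	uint8_t sadb_sens_sens_len;		/* 64-bit words */
	uint8_t sadb_sens_integ_level;
	uint8_t sadb_sens_integ_len;		/* 64-bit words */
	uint32_t sadb_sens_reserved;
	/*
	 * followed by two uint64_t arrays
	 * uint64_t sadb_sens_bitmap[sens_bitmap_len];
	 * uint64_t sadb_integ_bitmap[integ_bitmap_len];
	 */
} sadb_sens_t;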
219*7c478bd9Sstevel@tonic-gate 
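/*
 * A proposal extension.  This is found in an ACQUIRE message, and it
 * proposes what sort of SA the kernel would like to ACQUIRE.
 */

/*
 * First, a base structure...
 *
 * The four bytes after the length and type have two overlaid layouts:
 *   lenres: replay, one reserved byte, then a 16-bit combination count;
 *   oldres: replay, then three reserved bytes.
 * Both start with the replay byte, so sadb_x_propb_replay is the same in
 * either view, while sadb_x_propb_numecombs occupies the last two bytes of
 * sadb_x_propb_reserved.
 *
 * NOTE(review): sadb_x_propb_numecombs is a count supplied in the message.
 * Bound it by the space left in the extension before iterating over the
 * combinations that follow.
 */

typedef struct sadb_x_propbase {
	uint16_t sadb_x_propb_len;
	uint16_t sadb_x_propb_exttype;	/* PROPOSAL, X_EPROP */
	union {
		struct {
			uint8_t sadb_x_propb_lenres_replay;
			uint8_t sadb_x_propb_lenres_eres;
			uint16_t sadb_x_propb_lenres_numecombs;
		} sadb_x_propb_lenres;
		struct {
			uint8_t sadb_x_propb_oldres_replay;
			uint8_t sadb_x_propb_oldres_reserved[3];
		} sadb_x_propb_oldres;
	} sadb_x_propb_u;
/* Short names for the members of the two overlaid layouts. */
#define	sadb_x_propb_replay \
	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_replay
#define	sadb_x_propb_reserved \
	sadb_x_propb_u.sadb_x_propb_oldres.sadb_x_propb_oldres_reserved
#define	sadb_x_propb_ereserved \
	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_eres
#define	sadb_x_propb_numecombs \
	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_numecombs
	/* Followed by sadb_comb[] array or sadb_ecomb[] array. */
} sadb_x_propbase_t;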
251*7c478bd9Sstevel@tonic-gate 
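/*
 * Now, the actual sadb_prop structure, which will have alignment in it!
 *
 * It wraps sadb_x_propbase_t in a union with a uint64_t so that the
 * extension is 64-bit aligned; the macros below reach through the union to
 * the base structure's members.
 *
 * NOTE(review): sadb_x_prop_numecombs is a count supplied in the message.
 * Bound it by the space left in the extension, as given by sadb_prop_len,
 * before iterating over the combinations that follow.
 */

typedef struct sadb_prop {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		sadb_x_propbase_t sadb_x_prop_actual;
		uint64_t sadb_x_prop_alignment;
	} sadb_x_prop_u;
#define	sadb_prop_len sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_len
#define	sadb_prop_exttype sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_exttype
#define	sadb_prop_replay sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_replay
#define	sadb_prop_reserved \
	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_reserved
#define	sadb_x_prop_ereserved \
	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_ereserved
#define	sadb_x_prop_numecombs \
	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_numecombs
} sadb_prop_t;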
270*7c478bd9Sstevel@tonic-gate 
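/*
 * This is a proposed combination.  Many of these can follow a proposal
 * extension.  Already 64-bit aligned thanks to uint64_t fields.
 *
 * Each combination names one authentication and one encryption algorithm,
 * the acceptable key-strength range for each, and the soft and hard
 * lifetimes proposed for an SA built from it.
 *
 * NOTE(review): a consumer should check that each minbits value does not
 * exceed the matching maxbits value, and that the algorithm identifiers
 * are ones it supports, before accepting a combination.
 */

typedef struct sadb_comb {
	uint8_t sadb_comb_auth;			/* Authentication algorithm */
	uint8_t sadb_comb_encrypt;		/* Encryption algorithm */
	uint16_t sadb_comb_flags;		/* Comb. flags (e.g. PFS) */
	uint16_t sadb_comb_auth_minbits;	/* Bit strengths for auth */
	uint16_t sadb_comb_auth_maxbits;
	uint16_t sadb_comb_encrypt_minbits;	/* Bit strengths for encrypt */
	uint16_t sadb_comb_encrypt_maxbits;
	uint32_t sadb_comb_reserved;
	uint32_t sadb_comb_soft_allocations;	/* Lifetime proposals for */
	uint32_t sadb_comb_hard_allocations;	/* this combination. */
	uint64_t sadb_comb_soft_bytes;
	uint64_t sadb_comb_hard_bytes;
	uint64_t sadb_comb_soft_addtime;
	uint64_t sadb_comb_hard_addtime;
	uint64_t sadb_comb_soft_usetime;
	uint64_t sadb_comb_hard_usetime;
} sadb_comb_t;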
294*7c478bd9Sstevel@tonic-gate 
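/*
 * An extended combination that can comprise many SA types.
 * A single combination has algorithms and SA types locked.
 * These are represented by algorithm descriptors, the second structure
 * in the list.  For example, if the EACQUIRE requests AH(MD5) + ESP(DES/null)
 * _or_ ESP(DES/MD5), it would have two combinations:
 *
 * COMB: algdes(AH, AUTH, MD5), algdes(ESP, CRYPT, DES)
 * COMB: algdes(ESP, AUTH, MD5), algdes(ESP, CRYPT, DES)
 *
 * If an SA type supports an algorithm type, and there's no descriptor,
 * assume it requires NONE, just as if it were explicitly stated.
 * (This includes ESP NULL encryption, BTW.)
 *
 * Already 64-bit aligned thanks to uint64_t fields.
 *
 * NOTE(review): sadb_x_ecomb_numalgs is a count supplied in the message.
 * Check that that many algorithm descriptors fit in the remaining
 * extension bytes before stepping over them.  The "absent descriptor
 * means NONE" rule above also means that a combination with no descriptors
 * asks for no authentication and no encryption, so policy code should
 * decide explicitly whether to accept that.
 */

typedef struct sadb_x_ecomb {
	uint8_t sadb_x_ecomb_numalgs;
	uint8_t sadb_x_ecomb_reserved;
	uint16_t sadb_x_ecomb_flags;	/* E.g. PFS? */
	uint32_t sadb_x_ecomb_reserved2;
	uint32_t sadb_x_ecomb_soft_allocations;
	uint32_t sadb_x_ecomb_hard_allocations;
	uint64_t sadb_x_ecomb_soft_bytes;
	uint64_t sadb_x_ecomb_hard_bytes;
	uint64_t sadb_x_ecomb_soft_addtime;
	uint64_t sadb_x_ecomb_hard_addtime;
	uint64_t sadb_x_ecomb_soft_usetime;
	uint64_t sadb_x_ecomb_hard_usetime;
} sadb_x_ecomb_t;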
326*7c478bd9Sstevel@tonic-gate 
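/*
 * Algorithm descriptor: one (SA type, algorithm type, algorithm) triple
 * with the acceptable key-strength range in bits.  The whole descriptor is
 * eight bytes.
 *
 * NOTE(review): all three selectors are raw 8-bit values from the message.
 * Range-check them before using them as indices, and reject a descriptor
 * whose minbits exceeds its maxbits.
 */
typedef struct sadb_x_algdesc {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint8_t sadb_x_algdesc_usatype;	/* ESP, AH, etc. */
			uint8_t sadb_x_algdesc_ualgtype; /* AUTH, CRYPT, COMP */
			uint8_t sadb_x_algdesc_ualg;	/* 3DES, MD5, etc. */
			uint8_t sadb_x_algdesc_ureserved;
			uint16_t sadb_x_algdesc_uminbits; /* Bit strengths. */
			uint16_t sadb_x_algdesc_umaxbits;
		} sadb_x_algdesc_actual;
		uint64_t sadb_x_algdesc_alignment;
	} sadb_x_algdesc_u;
/* Short names for the members nested inside the alignment union. */
#define	sadb_x_algdesc_satype \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_usatype
#define	sadb_x_algdesc_algtype \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualgtype
#define	sadb_x_algdesc_alg \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualg
#define	sadb_x_algdesc_reserved \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ureserved
#define	sadb_x_algdesc_minbits \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_uminbits
#define	sadb_x_algdesc_maxbits \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_umaxbits
} sadb_x_algdesc_t;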
353*7c478bd9Sstevel@tonic-gate 
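/*
 * When key mgmt. registers with the kernel, the kernel will tell key mgmt.
 * its supported algorithms.
 *
 * This structure is only the 8-byte extension prefix.  The per-algorithm
 * entries are presumably the sadb_alg structures that follow it in the
 * message -- confirm against the code that builds the REGISTER reply.
 *
 * NOTE(review): derive the number of trailing entries from
 * sadb_supported_len and reject a length that is not a whole number of
 * entries.
 */

typedef struct sadb_supported {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_supported_ulen;
			uint16_t sadb_x_supported_uexttype;
			uint32_t sadb_x_supported_ureserved;
		} sadb_x_supported_actual;
		uint64_t sadb_x_supported_alignment;
	} sadb_x_supported_u;
/* Short names for the members nested inside the alignment union. */
#define	sadb_supported_len \
	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ulen
#define	sadb_supported_exttype \
	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_uexttype
#define	sadb_supported_reserved \
	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ureserved
} sadb_supported_t;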
376*7c478bd9Sstevel@tonic-gate 
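/*
 * First, a base structure...
 *
 * Describes one algorithm: its identifier, IV length and key-length range,
 * all lengths in bits.  The last two bytes are either one 16-bit reserved
 * field or two 8-bit values (increment and default increment) that share
 * the same storage, so writing sadb_x_algb_reserved overwrites both of
 * them.
 *
 * NOTE(review): nothing in this structure stops the increment byte from
 * being 0, so check it before dividing by it or stepping through key
 * lengths with it.
 */
typedef struct sadb_x_algb {
	uint8_t sadb_x_algb_id;		/* Algorithm type. */
	uint8_t sadb_x_algb_ivlen;		/* IV len, in bits */
	uint16_t sadb_x_algb_minbits;	/* Min. key len (in bits) */
	uint16_t sadb_x_algb_maxbits;	/* Max. key length */
	union {
		uint16_t sadb_x_algb_ureserved;
		uint8_t sadb_x_algb_udefaults[2];
	} sadb_x_algb_union;

#define	sadb_x_algb_reserved sadb_x_algb_union.sadb_x_algb_ureserved
#define	sadb_x_algb_increment sadb_x_algb_union.sadb_x_algb_udefaults[0]
#define	sadb_x_algb_defincr sadb_x_algb_union.sadb_x_algb_udefaults[1]
/*
 * alg_increment: the number of bits from a key length to the next
 * alg_defincr: the number of increments from the smallest possible
 * key to the default key length
 */
} sadb_x_algb_t;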
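/*
 * Useful macros for dealing with defincr.
 *
 * SADB_ALG_DEFAULT_LEN gives the default key length in bits:
 * min + defincr * incr.
 * SADB_ALG_DEFAULT_INCR is the inverse: the number of increments between
 * min and the default key length.  An incr of 0 (no step between key
 * lengths) yields 0 instead of dividing by zero.
 *
 * Both macros may evaluate an argument more than once, so pass expressions
 * without side effects.
 */
#define	SADB_ALG_DEFAULT_LEN(min, incr, defincr) ((min) + ((defincr) * (incr)))
#define	SADB_ALG_DEFAULT_INCR(min, incr, default) \
	((incr) == 0 ? 0 : (((default) - (min)) / (incr)))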
400*7c478bd9Sstevel@tonic-gate 
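/*
 * Now, the actual sadb_alg structure, which will have alignment in it.
 *
 * It wraps sadb_x_algb_t in a union with a uint64_t so that each entry is
 * 64-bit aligned; the macros below reach through the union to the base
 * structure's members.  sadb_alg_reserved shares its storage with
 * sadb_x_alg_increment and sadb_x_alg_defincr.
 *
 * NOTE(review): check that sadb_alg_minbits does not exceed
 * sadb_alg_maxbits, and that sadb_x_alg_increment is not 0 before dividing
 * by it.
 */
typedef struct sadb_alg {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		sadb_x_algb_t sadb_x_alg_actual;
		uint64_t sadb_x_alg_alignment;
	} sadb_x_alg_u;
#define	sadb_alg_id sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_id
#define	sadb_alg_ivlen sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_ivlen
#define	sadb_alg_minbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_minbits
#define	sadb_alg_maxbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_maxbits
#define	sadb_alg_reserved sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_reserved
#define	sadb_x_alg_increment \
	sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_increment
#define	sadb_x_alg_defincr sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_defincr
} sadb_alg_t;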
417*7c478bd9Sstevel@tonic-gate 
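/*
 * If key mgmt. needs an SPI in a range (including 0 to 0xFFFFFFFF), it
 * asks the kernel with this extension in the SADB_GETSPI message.
 *
 * NOTE(review): both bounds come from the requester.  Check that
 * sadb_spirange_min does not exceed sadb_spirange_max before picking an
 * SPI, and decide explicitly whether SPI values the protocol reserves may
 * be handed out when the requested range includes them.
 */

typedef struct sadb_spirange {
	uint16_t sadb_spirange_len;
	uint16_t sadb_spirange_exttype;	/* SPI_RANGE */
	uint32_t sadb_spirange_min;
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint32_t sadb_x_spirange_umax;
			uint32_t sadb_x_spirange_ureserved;
		} sadb_x_spirange_actual;
		uint64_t sadb_x_spirange_alignment;
	} sadb_x_spirange_u;
/* Short names for the members nested inside the alignment union. */
#define	sadb_spirange_max \
	sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_umax
#define	sadb_spirange_reserved \
	sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_ureserved
} sadb_spirange_t;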
440*7c478bd9Sstevel@tonic-gate 
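/*
 * For the "extended REGISTER" which'll tell the kernel to send me
 * "extended ACQUIREs".
 *
 * The SA types being registered are listed in a four-byte array that is
 * terminated by a 0 entry.
 *
 * NOTE(review): if all four entries are non-zero there is no terminator
 * inside the array, so a reader must stop after four entries rather than
 * scanning until it sees 0.
 */

typedef struct sadb_x_ereg {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_ereg_ulen;
			uint16_t sadb_x_ereg_uexttype;	/* X_EREG */
			/* Array of SA types, 0-terminated. */
			uint8_t sadb_x_ereg_usatypes[4];
		} sadb_x_ereg_actual;
		uint64_t sadb_x_ereg_alignment;
	} sadb_x_ereg_u;
/* Short names for the members nested inside the alignment union. */
#define	sadb_x_ereg_len \
	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_ulen
#define	sadb_x_ereg_exttype \
	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_uexttype
#define	sadb_x_ereg_satypes \
	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_usatypes
} sadb_x_ereg_t;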
464*7c478bd9Sstevel@tonic-gate 
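/*
 * For conveying a Key Management Cookie with SADB_GETSPI, SADB_ADD,
 * SADB_ACQUIRE, or SADB_X_INVERSE_ACQUIRE.
 *
 * The cookie is a 32-bit value whose meaning is specific to the key
 * management protocol named in sadb_x_kmc_proto.
 *
 * NOTE(review): the cookie is an opaque value supplied by the sender;
 * treat it as a label, not as proof of which key management daemon or
 * policy created the SA.  sadb_x_kmc_reserved must be zero.
 */

typedef struct sadb_x_kmc {
	uint16_t sadb_x_kmc_len;
	uint16_t sadb_x_kmc_exttype;	/* X_KM_COOKIE */
	uint32_t sadb_x_kmc_proto;	/* KM protocol */
	union {
		struct {
			uint32_t sadb_x_kmc_ucookie;	/* KMP-specific */
			uint32_t sadb_x_kmc_ureserved;	/* Must be zero */
		} sadb_x_kmc_actual;
		uint64_t sadb_x_kmc_alignment;
	} sadb_x_kmc_u;
/* Short names for the members nested inside the alignment union. */
#define	sadb_x_kmc_cookie sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ucookie
#define	sadb_x_kmc_reserved sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ureserved
} sadb_x_kmc_t;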
484*7c478bd9Sstevel@tonic-gate 
485*7c478bd9Sstevel@tonic-gate 
486*7c478bd9Sstevel@tonic-gate 
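/*
 * Base message types.
 *
 * These are the values carried in sadb_msg_type.  SADB_MAX is the highest
 * value defined here and must be raised whenever a type is added.
 *
 * NOTE(review): sadb_msg_type is an 8-bit value chosen by the sender.
 * Reject SADB_RESERVED and anything above SADB_MAX before using the type
 * to index a handler table.  SADB_FLUSH and SADB_DUMP act on the whole SA
 * database, and RFC 2367 describes SADB_X_PROMISC as letting a socket see
 * all PF_KEY messages, so these in particular deserve a privilege check
 * and an audit record -- confirm how this implementation gates them.
 */

#define	SADB_RESERVED	0
#define	SADB_GETSPI	1
#define	SADB_UPDATE	2
#define	SADB_ADD	3
#define	SADB_DELETE	4
#define	SADB_GET	5
#define	SADB_ACQUIRE	6
#define	SADB_REGISTER	7
#define	SADB_EXPIRE	8
#define	SADB_FLUSH	9
#define	SADB_DUMP	10   /* not used normally */
#define	SADB_X_PROMISC	11
#define	SADB_X_INVERSE_ACQUIRE	12
#define	SADB_MAX		12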
505*7c478bd9Sstevel@tonic-gate 
506*7c478bd9Sstevel@tonic-gate /*
507*7c478bd9Sstevel@tonic-gate  * SA flags
508*7c478bd9Sstevel@tonic-gate  */
509*7c478bd9Sstevel@tonic-gate 
/*
 * Single-bit masks.  The two low bits carry plain SADB_ names; the
 * SADB_X_ bits are allocated from bit 31 downwards.
 */
510*7c478bd9Sstevel@tonic-gate #define	SADB_SAFLAGS_PFS	0x1	/* Perfect forward secrecy? */
511*7c478bd9Sstevel@tonic-gate #define	SADB_SAFLAGS_NOREPLAY	0x2	/* Replay field NOT PRESENT. */
512*7c478bd9Sstevel@tonic-gate 
513*7c478bd9Sstevel@tonic-gate /* Below flags are used by this implementation.  Grow from left-to-right. */
/* 0x80000000 does not fit in a 32-bit int, so it has an unsigned type. */
514*7c478bd9Sstevel@tonic-gate #define	SADB_X_SAFLAGS_USED	0x80000000	/* SA used/not used */
515*7c478bd9Sstevel@tonic-gate #define	SADB_X_SAFLAGS_UNIQUE	0x40000000	/* SA unique/reusable */
516*7c478bd9Sstevel@tonic-gate #define	SADB_X_SAFLAGS_AALG1	0x20000000	/* Auth-alg specific flag 1 */
517*7c478bd9Sstevel@tonic-gate #define	SADB_X_SAFLAGS_AALG2	0x10000000	/* Auth-alg specific flag 2 */
518*7c478bd9Sstevel@tonic-gate #define	SADB_X_SAFLAGS_EALG1	 0x8000000	/* Encr-alg specific flag 1 */
519*7c478bd9Sstevel@tonic-gate #define	SADB_X_SAFLAGS_EALG2	 0x4000000	/* Encr-alg specific flag 2 */
520*7c478bd9Sstevel@tonic-gate #define	SADB_X_SAFLAGS_KM1	 0x2000000	/* Key mgmt. specific flag 1 */
521*7c478bd9Sstevel@tonic-gate #define	SADB_X_SAFLAGS_KM2	 0x1000000	/* Key mgmt. specific flag 2 */
522*7c478bd9Sstevel@tonic-gate #define	SADB_X_SAFLAGS_KM3	  0x800000	/* Key mgmt. specific flag 3 */
523*7c478bd9Sstevel@tonic-gate #define	SADB_X_SAFLAGS_KM4	  0x400000	/* Key mgmt. specific flag 4 */
524*7c478bd9Sstevel@tonic-gate 	/*
	 * Skip 0x200000 because it's used in the kernel.
	 * NOTE(review): that bit has no name here, so a flags word arriving
	 * from user space presumably has to have it masked or rejected
	 * (cf. SADB_X_DIAGNOSTIC_BAD_SAFLAGS) - confirm in the SA parser.
	 */
525*7c478bd9Sstevel@tonic-gate #define	SADB_X_SAFLAGS_NATT_LOC	  0x100000	/* this has a natted src SA */
526*7c478bd9Sstevel@tonic-gate #define	SADB_X_SAFLAGS_NATT_REM	   0x80000	/* this has a natted dst SA */
527*7c478bd9Sstevel@tonic-gate /*
528*7c478bd9Sstevel@tonic-gate  * SA state.
529*7c478bd9Sstevel@tonic-gate  */
530*7c478bd9Sstevel@tonic-gate 
/* Contiguous values 0..3; SADB_SASTATE_MAX equals SADB_SASTATE_DEAD. */
531*7c478bd9Sstevel@tonic-gate #define	SADB_SASTATE_LARVAL	  0
532*7c478bd9Sstevel@tonic-gate #define	SADB_SASTATE_MATURE	  1
533*7c478bd9Sstevel@tonic-gate #define	SADB_SASTATE_DYING	  2
534*7c478bd9Sstevel@tonic-gate #define	SADB_SASTATE_DEAD	  3
535*7c478bd9Sstevel@tonic-gate 
536*7c478bd9Sstevel@tonic-gate #define	SADB_SASTATE_MAX	  3	/* raise when a state is appended */
537*7c478bd9Sstevel@tonic-gate 
538*7c478bd9Sstevel@tonic-gate /*
539*7c478bd9Sstevel@tonic-gate  * SA type.  Gaps are present in the number space because (for the time being)
540*7c478bd9Sstevel@tonic-gate  * these types correspond to the SA types in the IPsec DOI document.
541*7c478bd9Sstevel@tonic-gate  */
542*7c478bd9Sstevel@tonic-gate 
/*
 * Values 1 and 4 are not assigned here, so "<= SADB_SATYPE_MAX" alone does
 * not prove that a type is one of the known ones; a validator has to test
 * for the individual values.
 */
543*7c478bd9Sstevel@tonic-gate #define	SADB_SATYPE_UNSPEC	0
544*7c478bd9Sstevel@tonic-gate #define	SADB_SATYPE_AH		2  /* RFC-1826 */
545*7c478bd9Sstevel@tonic-gate #define	SADB_SATYPE_ESP		3  /* RFC-1827 */
546*7c478bd9Sstevel@tonic-gate #define	SADB_SATYPE_RSVP	5  /* RSVP Authentication */
547*7c478bd9Sstevel@tonic-gate #define	SADB_SATYPE_OSPFV2	6  /* OSPFv2 Authentication */
548*7c478bd9Sstevel@tonic-gate #define	SADB_SATYPE_RIPV2	7  /* RIPv2 Authentication */
549*7c478bd9Sstevel@tonic-gate #define	SADB_SATYPE_MIP		8  /* Mobile IPv4 Authentication */
550*7c478bd9Sstevel@tonic-gate 
551*7c478bd9Sstevel@tonic-gate #define	SADB_SATYPE_MAX		8	/* == SADB_SATYPE_MIP */
552*7c478bd9Sstevel@tonic-gate 
553*7c478bd9Sstevel@tonic-gate /*
554*7c478bd9Sstevel@tonic-gate  * Algorithm types.  Gaps are present because (for the time being) these types
555*7c478bd9Sstevel@tonic-gate  * correspond to the SA types in the IPsec DOI document.
556*7c478bd9Sstevel@tonic-gate  *
557*7c478bd9Sstevel@tonic-gate  * NOTE:  These are numbered to play nice with the IPsec DOI.  That's why
558*7c478bd9Sstevel@tonic-gate  *	  there are gaps.
559*7c478bd9Sstevel@tonic-gate  */
560*7c478bd9Sstevel@tonic-gate 
561*7c478bd9Sstevel@tonic-gate /* Authentication algorithms */
/*
 * Value 1 is not assigned here, so a range check against SADB_AALG_MAX
 * also lets an undefined number through.
 * NOTE(review): this header only numbers the algorithms; whether
 * SADB_AALG_NONE or the MD5-based HMAC is acceptable for an SA is a policy
 * decision made elsewhere.
 */
562*7c478bd9Sstevel@tonic-gate #define	SADB_AALG_NONE		0
563*7c478bd9Sstevel@tonic-gate #define	SADB_AALG_MD5HMAC	2
564*7c478bd9Sstevel@tonic-gate #define	SADB_AALG_SHA1HMAC	3
565*7c478bd9Sstevel@tonic-gate 
566*7c478bd9Sstevel@tonic-gate #define	SADB_AALG_MAX		3	/* == SADB_AALG_SHA1HMAC */
567*7c478bd9Sstevel@tonic-gate 
568*7c478bd9Sstevel@tonic-gate /* Encryption algorithms */
/*
 * Values 1, 4-6 and 8-10 are not assigned here, so a range check against
 * SADB_EALG_MAX also lets undefined numbers through.
 * NOTE(review): SADB_EALG_NONE and SADB_EALG_NULL are distinct values;
 * by its name NULL selects an encryption transform that does not hide the
 * payload, and DESCBC is single DES.  Policy code that accepts proposals
 * should decide explicitly whether to allow them.
 */
569*7c478bd9Sstevel@tonic-gate #define	SADB_EALG_NONE		0
570*7c478bd9Sstevel@tonic-gate #define	SADB_EALG_DESCBC	2
571*7c478bd9Sstevel@tonic-gate #define	SADB_EALG_3DESCBC	3
572*7c478bd9Sstevel@tonic-gate #define	SADB_EALG_BLOWFISH	7
573*7c478bd9Sstevel@tonic-gate #define	SADB_EALG_NULL		11
574*7c478bd9Sstevel@tonic-gate #define	SADB_EALG_AES		12
575*7c478bd9Sstevel@tonic-gate #define	SADB_EALG_MAX		12	/* == SADB_EALG_AES */
576*7c478bd9Sstevel@tonic-gate 
577*7c478bd9Sstevel@tonic-gate /*
578*7c478bd9Sstevel@tonic-gate  * Extension header values.
579*7c478bd9Sstevel@tonic-gate  */
580*7c478bd9Sstevel@tonic-gate 
/*
 * Contiguous values 0..21.  SADB_EXT_ names run up to 16; the SADB_X_EXT_
 * names (17..21) are this implementation's additions.
 * NOTE(review): a table indexed by extension type needs SADB_EXT_MAX + 1
 * slots, and an extension type read from a message has to be checked
 * against SADB_EXT_MAX before it is used as an index (cf.
 * SADB_X_DIAGNOSTIC_UNKNOWN_EXT) - that check is not in this header.
 */
581*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_RESERVED		0
582*7c478bd9Sstevel@tonic-gate 
583*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_SA			1
584*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_LIFETIME_CURRENT	2
585*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_LIFETIME_HARD		3
586*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_LIFETIME_SOFT		4
587*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_ADDRESS_SRC		5
588*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_ADDRESS_DST		6
589*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_ADDRESS_PROXY		7
590*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_KEY_AUTH		8
591*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_KEY_ENCRYPT		9
592*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_IDENTITY_SRC		10
593*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_IDENTITY_DST		11
594*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_SENSITIVITY		12
595*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_PROPOSAL		13
596*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_SUPPORTED_AUTH		14
597*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_SUPPORTED_ENCRYPT	15
598*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_SPIRANGE		16
599*7c478bd9Sstevel@tonic-gate #define	SADB_X_EXT_EREG			17
600*7c478bd9Sstevel@tonic-gate #define	SADB_X_EXT_EPROP		18
601*7c478bd9Sstevel@tonic-gate #define	SADB_X_EXT_KM_COOKIE		19
602*7c478bd9Sstevel@tonic-gate #define	SADB_X_EXT_ADDRESS_NATT_LOC	20
603*7c478bd9Sstevel@tonic-gate #define	SADB_X_EXT_ADDRESS_NATT_REM	21
604*7c478bd9Sstevel@tonic-gate 
605*7c478bd9Sstevel@tonic-gate #define	SADB_EXT_MAX			21	/* == SADB_X_EXT_ADDRESS_NATT_REM */
606*7c478bd9Sstevel@tonic-gate 
607*7c478bd9Sstevel@tonic-gate /*
608*7c478bd9Sstevel@tonic-gate  * Identity types.
609*7c478bd9Sstevel@tonic-gate  */
610*7c478bd9Sstevel@tonic-gate 
/* Contiguous values 0..7; SADB_X_ names are this implementation's additions. */
611*7c478bd9Sstevel@tonic-gate #define	SADB_IDENTTYPE_RESERVED 0
612*7c478bd9Sstevel@tonic-gate 
613*7c478bd9Sstevel@tonic-gate /*
614*7c478bd9Sstevel@tonic-gate  * For PREFIX and ADDR_RANGE, use the AF of the PROXY if present, or the SRC
615*7c478bd9Sstevel@tonic-gate  * if not present.
616*7c478bd9Sstevel@tonic-gate  */
617*7c478bd9Sstevel@tonic-gate #define	SADB_IDENTTYPE_PREFIX		1
618*7c478bd9Sstevel@tonic-gate #define	SADB_IDENTTYPE_FQDN		2  /* Fully qualified domain name. */
619*7c478bd9Sstevel@tonic-gate #define	SADB_IDENTTYPE_USER_FQDN	3  /* e.g. root@domain.com */
620*7c478bd9Sstevel@tonic-gate #define	SADB_X_IDENTTYPE_DN		4  /* ASN.1 DER Distinguished Name. */
621*7c478bd9Sstevel@tonic-gate #define	SADB_X_IDENTTYPE_GN		5  /* ASN.1 DER Generic Name. */
622*7c478bd9Sstevel@tonic-gate #define	SADB_X_IDENTTYPE_KEY_ID		6  /* Generic KEY ID. */
623*7c478bd9Sstevel@tonic-gate #define	SADB_X_IDENTTYPE_ADDR_RANGE	7
624*7c478bd9Sstevel@tonic-gate 
625*7c478bd9Sstevel@tonic-gate #define	SADB_IDENTTYPE_MAX 	7	/* == SADB_X_IDENTTYPE_ADDR_RANGE */
626*7c478bd9Sstevel@tonic-gate 
627*7c478bd9Sstevel@tonic-gate /*
628*7c478bd9Sstevel@tonic-gate  * Protection DOI values for the SENSITIVITY extension.  There are no values
629*7c478bd9Sstevel@tonic-gate  * currently, so the MAX is the only non-zero value available.
630*7c478bd9Sstevel@tonic-gate  */
631*7c478bd9Sstevel@tonic-gate 
632*7c478bd9Sstevel@tonic-gate #define	SADB_DPD_NONE	0	/* no protection DOI */
633*7c478bd9Sstevel@tonic-gate 
634*7c478bd9Sstevel@tonic-gate #define	SADB_DPD_MAX	1	/* upper bound only; no DOI is named 1 */
635*7c478bd9Sstevel@tonic-gate 
636*7c478bd9Sstevel@tonic-gate /*
637*7c478bd9Sstevel@tonic-gate  * Diagnostic codes.  These supplement error messages.  Be sure to
638*7c478bd9Sstevel@tonic-gate  * update libipsecutil's keysock_diag() if you change any of these.
639*7c478bd9Sstevel@tonic-gate  */
640*7c478bd9Sstevel@tonic-gate 
/*
 * Codes 1..57 are contiguous and grouped by kind (unknown/bad, missing,
 * duplicate, malformed, ...).  SADB_X_DIAGNOSTIC_PRESET is negative and so
 * lies outside the 0..SADB_X_DIAGNOSTIC_MAX range; code that maps a
 * diagnostic to a string through a table has to handle it separately.
 */
641*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_PRESET		-1	/* Internal value. */
642*7c478bd9Sstevel@tonic-gate 
643*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_NONE			0
644*7c478bd9Sstevel@tonic-gate 
645*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_UNKNOWN_MSG		1
646*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_UNKNOWN_EXT		2
647*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_BAD_EXTLEN		3
648*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE	4
649*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_SATYPE_NEEDED		5
650*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_NO_SADBS		6
651*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_NO_EXT		7
652*7c478bd9Sstevel@tonic-gate /* Bad address family value */
653*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_BAD_SRC_AF		8
654*7c478bd9Sstevel@tonic-gate /* in sockaddr->sa_family. */
655*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_BAD_DST_AF		9
656*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_BAD_PROXY_AF		10
657*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_AF_MISMATCH		11
658*7c478bd9Sstevel@tonic-gate 
659*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_BAD_SRC		12
660*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_BAD_DST		13
661*7c478bd9Sstevel@tonic-gate 
662*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_ALLOC_HSERR		14
663*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_BYTES_HSERR		15
664*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_ADDTIME_HSERR		16
665*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_USETIME_HSERR		17
666*7c478bd9Sstevel@tonic-gate 
667*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MISSING_SRC		18
668*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MISSING_DST		19
669*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MISSING_SA		20
670*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MISSING_EKEY		21
671*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MISSING_AKEY		22
672*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MISSING_RANGE		23
673*7c478bd9Sstevel@tonic-gate 
674*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_DUPLICATE_SRC		24
675*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_DUPLICATE_DST		25
676*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_DUPLICATE_SA		26
677*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_DUPLICATE_EKEY	27
678*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_DUPLICATE_AKEY	28
679*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_DUPLICATE_RANGE	29
680*7c478bd9Sstevel@tonic-gate 
681*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MALFORMED_SRC		30
682*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MALFORMED_DST		31
683*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MALFORMED_SA		32
684*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MALFORMED_EKEY	33
685*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MALFORMED_AKEY	34
686*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MALFORMED_RANGE	35
687*7c478bd9Sstevel@tonic-gate 
688*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_AKEY_PRESENT		36
689*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_EKEY_PRESENT		37
690*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_PROP_PRESENT		38
691*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_SUPP_PRESENT		39
692*7c478bd9Sstevel@tonic-gate 
693*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_BAD_AALG		40
694*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_BAD_EALG		41
695*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_BAD_SAFLAGS		42
696*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_BAD_SASTATE		43
697*7c478bd9Sstevel@tonic-gate 
698*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_BAD_AKEYBITS		44
699*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_BAD_EKEYBITS		45
700*7c478bd9Sstevel@tonic-gate 
701*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_ENCR_NOTSUPP		46
702*7c478bd9Sstevel@tonic-gate 
703*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_WEAK_EKEY		47
704*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_WEAK_AKEY		48
705*7c478bd9Sstevel@tonic-gate 
706*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_DUPLICATE_KMP		49
707*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_DUPLICATE_KMC		50
708*7c478bd9Sstevel@tonic-gate 
709*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MISSING_NATT_LOC	51
710*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MISSING_NATT_REM	52
711*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC	53
712*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM	54
713*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC	55
714*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM	56
715*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS	57
716*7c478bd9Sstevel@tonic-gate #define	SADB_X_DIAGNOSTIC_MAX			57	/* == ..._DUPLICATE_NATT_PORTS */
717*7c478bd9Sstevel@tonic-gate 
718*7c478bd9Sstevel@tonic-gate /* Algorithm type for sadb_x_algdesc above... */
719*7c478bd9Sstevel@tonic-gate 
/* Contiguous values 0..3; SADB_X_ALGTYPE_MAX equals the last one. */
720*7c478bd9Sstevel@tonic-gate #define	SADB_X_ALGTYPE_NONE		0
721*7c478bd9Sstevel@tonic-gate #define	SADB_X_ALGTYPE_AUTH		1
722*7c478bd9Sstevel@tonic-gate #define	SADB_X_ALGTYPE_CRYPT		2
723*7c478bd9Sstevel@tonic-gate #define	SADB_X_ALGTYPE_COMPRESS		3
724*7c478bd9Sstevel@tonic-gate 
725*7c478bd9Sstevel@tonic-gate #define	SADB_X_ALGTYPE_MAX		3	/* == SADB_X_ALGTYPE_COMPRESS */
726*7c478bd9Sstevel@tonic-gate 
727*7c478bd9Sstevel@tonic-gate /* Key management protocol for sadb_x_kmc above... */
728*7c478bd9Sstevel@tonic-gate 
/*
 * Values for the sadb_x_kmc_proto field.  Note that SADB_X_KMP_MANUAL is 0,
 * the value a zero-filled extension carries.
 */
729*7c478bd9Sstevel@tonic-gate #define	SADB_X_KMP_MANUAL	0
730*7c478bd9Sstevel@tonic-gate #define	SADB_X_KMP_IKE		1
731*7c478bd9Sstevel@tonic-gate #define	SADB_X_KMP_KINK		2
732*7c478bd9Sstevel@tonic-gate 
733*7c478bd9Sstevel@tonic-gate #define	SADB_X_KMP_MAX		2	/* == SADB_X_KMP_KINK */
734*7c478bd9Sstevel@tonic-gate 
735*7c478bd9Sstevel@tonic-gate /*
736*7c478bd9Sstevel@tonic-gate  * Handy conversion macros.  Not part of the PF_KEY spec...
737*7c478bd9Sstevel@tonic-gate  */
738*7c478bd9Sstevel@tonic-gate 
/*
 * Going by the names: 64TO8 turns a count of 64-bit words into bytes and
 * 8TO64 does the reverse; 8TO1 turns bytes into bits and 1TO8 the reverse.
 * Every macro is a shift by 3, i.e. a factor of 8.
 * The right-shift forms drop the low three bits, so a value that is not a
 * multiple of 8 rounds down.  The left-shift forms are evaluated in the
 * promoted type of x and do no overflow check.
 * NOTE(review): when x is a length taken from a message supplied by user
 * space, compare the converted length with the real buffer size before
 * using it to walk or copy the message.
 */
739*7c478bd9Sstevel@tonic-gate #define	SADB_64TO8(x)	((x) << 3)
740*7c478bd9Sstevel@tonic-gate #define	SADB_8TO64(x)	((x) >> 3)
741*7c478bd9Sstevel@tonic-gate #define	SADB_8TO1(x)	((x) << 3)
742*7c478bd9Sstevel@tonic-gate #define	SADB_1TO8(x)	((x) >> 3)
743*7c478bd9Sstevel@tonic-gate 
744*7c478bd9Sstevel@tonic-gate #ifdef	__cplusplus
745*7c478bd9Sstevel@tonic-gate }
746*7c478bd9Sstevel@tonic-gate #endif
747*7c478bd9Sstevel@tonic-gate 
748*7c478bd9Sstevel@tonic-gate #endif	/* _NET_PFKEYV2_H */