xref: /titanic_50/usr/src/uts/common/net/pfkeyv2.h (revision 9d2159663a6316391e58ae8fc8a1e1a63dc9789c)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_NET_PFKEYV2_H
27 #define	_NET_PFKEYV2_H
28 
29 /*
30  * Definitions and structures for PF_KEY version 2.  See RFC 2367 for
31  * more details.  SA == Security Association, which is what PF_KEY provides
32  * an API for managing.
33  */
34 
35 #ifdef	__cplusplus
36 extern "C" {
37 #endif
38 
39 #define	PF_KEY_V2		2
40 #define	PFKEYV2_REVISION	200109L
41 
42 /*
43  * Base PF_KEY message.
44  */
45 
46 typedef struct sadb_msg {
47 	uint8_t sadb_msg_version;	/* Version, currently PF_KEY_V2 */
48 	uint8_t sadb_msg_type;		/* ADD, UPDATE, etc. */
49 	uint8_t sadb_msg_errno;		/* Error number from UNIX errno space */
50 	uint8_t sadb_msg_satype;	/* ESP, AH, etc. */
51 	uint16_t sadb_msg_len;		/* Length in 64-bit words. */
52 	uint16_t sadb_msg_reserved;	/* must be zero */
53 /*
54  * Use the reserved field for extended diagnostic information on errno
55  * responses.
56  */
57 #define	sadb_x_msg_diagnostic sadb_msg_reserved
58 	/* Union is for guaranteeing 64-bit alignment. */
59 	union {
60 		struct {
61 			uint32_t sadb_x_msg_useq;	/* Set by originator */
62 			uint32_t sadb_x_msg_upid;	/* Set by originator */
63 		} sadb_x_msg_actual;
64 		uint64_t sadb_x_msg_alignment;
65 	} sadb_x_msg_u;
66 #define	sadb_msg_seq sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_useq
67 #define	sadb_msg_pid sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_upid
68 } sadb_msg_t;
69 
70 /*
71  * Generic extension header.
72  */
73 
74 typedef struct sadb_ext {
75 	union {
76 		/* Union is for guaranteeing 64-bit alignment. */
77 		struct {
78 			uint16_t sadb_x_ext_ulen;	/* In 64s, inclusive */
79 			uint16_t sadb_x_ext_utype;	/* 0 is reserved */
80 		} sadb_x_ext_actual;
81 		uint64_t sadb_x_ext_alignment;
82 	} sadb_x_ext_u;
83 #define	sadb_ext_len sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_ulen
84 #define	sadb_ext_type sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_utype
85 } sadb_ext_t;
86 
87 /*
88  * Security Association information extension.
89  */
90 
91 typedef struct sadb_sa {
92 	/* Union is for guaranteeing 64-bit alignment. */
93 	union {
94 		struct {
95 			uint16_t sadb_x_sa_ulen;
96 			uint16_t sadb_x_sa_uexttype;	/* ASSOCIATION */
97 			uint32_t sadb_x_sa_uspi;	/* Sec. Param. Index */
98 		} sadb_x_sa_uactual;
99 		uint64_t sadb_x_sa_alignment;
100 	} sadb_x_sa_u;
101 #define	sadb_sa_len sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_ulen
102 #define	sadb_sa_exttype sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uexttype
103 #define	sadb_sa_spi sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uspi
104 	uint8_t sadb_sa_replay;		/* Replay counter */
105 	uint8_t sadb_sa_state;		/* MATURE, DEAD, DYING, LARVAL */
106 	uint8_t sadb_sa_auth;		/* Authentication algorithm */
107 	uint8_t sadb_sa_encrypt;	/* Encryption algorithm */
108 	uint32_t sadb_sa_flags;		/* SA flags. */
109 } sadb_sa_t;
110 
111 /*
112  * SA Lifetime extension.  Already 64-bit aligned thanks to uint64_t fields.
113  */
114 
115 typedef struct sadb_lifetime {
116 	uint16_t sadb_lifetime_len;
117 	uint16_t sadb_lifetime_exttype;		/* SOFT, HARD, CURRENT */
118 	uint32_t sadb_lifetime_allocations;
119 	uint64_t sadb_lifetime_bytes;
120 	uint64_t sadb_lifetime_addtime;	/* These fields are assumed to hold */
121 	uint64_t sadb_lifetime_usetime;	/* >= sizeof (time_t). */
122 } sadb_lifetime_t;
123 
124 /*
125  * SA address information.
126  */
127 
128 typedef struct sadb_address {
129 	/* Union is for guaranteeing 64-bit alignment. */
130 	union {
131 		struct {
132 			uint16_t sadb_x_address_ulen;
133 			uint16_t sadb_x_address_uexttype; /* SRC, DST, PROXY */
134 			uint8_t sadb_x_address_uproto; /* Proto for ports... */
135 			uint8_t sadb_x_address_uprefixlen; /* Prefix length. */
136 			uint16_t sadb_x_address_ureserved; /* Padding */
137 		} sadb_x_address_actual;
138 		uint64_t sadb_x_address_alignment;
139 	} sadb_x_address_u;
140 #define	sadb_address_len \
141 	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ulen
142 #define	sadb_address_exttype \
143 	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uexttype
144 #define	sadb_address_proto \
145 	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uproto
146 #define	sadb_address_prefixlen \
147 	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uprefixlen
148 #define	sadb_address_reserved \
149 	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ureserved
150 	/* Followed by a sockaddr structure which may contain ports. */
151 } sadb_address_t;
152 
153 /*
154  * SA key information.
155  */
156 
157 typedef struct sadb_key {
158 	/* Union is for guaranteeing 64-bit alignment. */
159 	union {
160 		struct {
161 			uint16_t sadb_x_key_ulen;
162 			uint16_t sadb_x_key_uexttype;	/* AUTH, ENCRYPT */
163 			uint16_t sadb_x_key_ubits;	/* Actual len (bits) */
164 			uint16_t sadb_x_key_ureserved;
165 		} sadb_x_key_actual;
166 		uint64_t sadb_x_key_alignment;
167 	} sadb_x_key_u;
168 #define	sadb_key_len sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ulen
169 #define	sadb_key_exttype sadb_x_key_u.sadb_x_key_actual.sadb_x_key_uexttype
170 #define	sadb_key_bits sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ubits
171 #define	sadb_key_reserved sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ureserved
172 	/* Followed by actual key(s) in canonical (outbound proc.) order. */
173 } sadb_key_t;
174 
175 /*
176  * SA Identity information.  Already 64-bit aligned thanks to uint64_t fields.
177  */
178 
179 typedef struct sadb_ident {
180 	uint16_t sadb_ident_len;
181 	uint16_t sadb_ident_exttype;	/* SRC, DST, PROXY */
182 	uint16_t sadb_ident_type;	/* FQDN, USER_FQDN, etc. */
183 	uint16_t sadb_ident_reserved;	/* Padding */
184 	uint64_t sadb_ident_id;		/* For userid, etc. */
185 	/* Followed by an identity null-terminate C string if present. */
186 } sadb_ident_t;
187 
188 /*
189  * SA sensitivity information.  This is mostly useful on MLS systems.
190  */
191 
192 typedef struct sadb_sens {
193 	/* Union is for guaranteeing 64-bit alignment. */
194 	union {
195 		struct {
196 			uint16_t sadb_x_sens_ulen;
197 			uint16_t sadb_x_sens_uexttype;	/* SENSITIVITY */
198 			uint32_t sadb_x_sens_udpd;	/* Protection domain */
199 		} sadb_x_sens_actual;
200 		uint64_t sadb_x_sens_alignment;
201 	} sadb_x_sens_u;
202 #define	sadb_sens_len sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_ulen
203 #define	sadb_sens_exttype sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_uexttype
204 #define	sadb_sens_dpd sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_udpd
205 	uint8_t sadb_sens_sens_level;
206 	uint8_t sadb_sens_sens_len;		/* 64-bit words */
207 	uint8_t sadb_sens_integ_level;
208 	uint8_t sadb_sens_integ_len;		/* 64-bit words */
209 	uint32_t sadb_x_sens_flags;
210 	/*
211 	 * followed by two uint64_t arrays
212 	 * uint64_t sadb_sens_bitmap[sens_bitmap_len];
213 	 * uint64_t sadb_integ_bitmap[integ_bitmap_len];
214 	 */
215 } sadb_sens_t;
216 
217 /*
218  * We recycled the formerly reserved word for flags.
219  */
220 
221 #define	sadb_sens_reserved sadb_x_sens_flags
222 
223 #define	SADB_X_SENS_IMPLICIT 0x1	 /* implicit labelling */
224 #define	SADB_X_SENS_UNLABELED 0x2	 /* peer is unlabeled */
225 
226 /*
227  * a proposal extension.  This is found in an ACQUIRE message, and it
228  * proposes what sort of SA the kernel would like to ACQUIRE.
229  */
230 
231 /* First, a base structure... */
232 
233 typedef struct sadb_x_propbase {
234 	uint16_t sadb_x_propb_len;
235 	uint16_t sadb_x_propb_exttype;	/* PROPOSAL, X_EPROP */
236 	union {
237 		struct {
238 			uint8_t sadb_x_propb_lenres_replay;
239 			uint8_t sadb_x_propb_lenres_eres;
240 			uint16_t sadb_x_propb_lenres_numecombs;
241 		} sadb_x_propb_lenres;
242 		struct {
243 			uint8_t sadb_x_propb_oldres_replay;
244 			uint8_t sadb_x_propb_oldres_reserved[3];
245 		} sadb_x_propb_oldres;
246 	} sadb_x_propb_u;
247 #define	sadb_x_propb_replay \
248 	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_replay
249 #define	sadb_x_propb_reserved \
250 	sadb_x_propb_u.sadb_x_propb_oldres.sadb_x_propb_oldres_reserved
251 #define	sadb_x_propb_ereserved \
252 	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_eres
253 #define	sadb_x_propb_numecombs \
254 	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_numecombs
255 	/* Followed by sadb_comb[] array or sadb_ecomb[] array. */
256 } sadb_x_propbase_t;
257 
258 /* Now, the actual sadb_prop structure, which will have alignment in it! */
259 
260 typedef struct sadb_prop {
261 	/* Union is for guaranteeing 64-bit alignment. */
262 	union {
263 		sadb_x_propbase_t sadb_x_prop_actual;
264 		uint64_t sadb_x_prop_alignment;
265 	} sadb_x_prop_u;
266 #define	sadb_prop_len sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_len
267 #define	sadb_prop_exttype sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_exttype
268 #define	sadb_prop_replay sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_replay
269 #define	sadb_prop_reserved \
270 	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_reserved
271 #define	sadb_x_prop_ereserved \
272 	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_ereserved
273 #define	sadb_x_prop_numecombs \
274 	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_numecombs
275 } sadb_prop_t;
276 
277 /*
278  * This is a proposed combination.  Many of these can follow a proposal
279  * extension.  Already 64-bit aligned thanks to uint64_t fields.
280  */
281 
282 typedef struct sadb_comb {
283 	uint8_t sadb_comb_auth;			/* Authentication algorithm */
284 	uint8_t sadb_comb_encrypt;		/* Encryption algorithm */
285 	uint16_t sadb_comb_flags;		/* Comb. flags (e.g. PFS) */
286 	uint16_t sadb_comb_auth_minbits;	/* Bit strengths for auth */
287 	uint16_t sadb_comb_auth_maxbits;
288 	uint16_t sadb_comb_encrypt_minbits;	/* Bit strengths for encrypt */
289 	uint16_t sadb_comb_encrypt_maxbits;
290 	uint32_t sadb_comb_reserved;
291 	uint32_t sadb_comb_soft_allocations;	/* Lifetime proposals for */
292 	uint32_t sadb_comb_hard_allocations;	/* this combination. */
293 	uint64_t sadb_comb_soft_bytes;
294 	uint64_t sadb_comb_hard_bytes;
295 	uint64_t sadb_comb_soft_addtime;
296 	uint64_t sadb_comb_hard_addtime;
297 	uint64_t sadb_comb_soft_usetime;
298 	uint64_t sadb_comb_hard_usetime;
299 } sadb_comb_t;
300 
301 /*
302  * An extended combination that can comprise of many SA types.
303  * A single combination has algorithms and SA types locked.
304  * These are represented by algorithm descriptors, the second structure
305  * in the list.  For example, if the EACQUIRE requests AH(MD5) + ESP(DES/null)
306  * _or_ ESP(DES/MD5), it would have two combinations:
307  *
308  * COMB: algdes(AH, AUTH, MD5), algdes(ESP, CRYPT, DES)
309  * COMB: algdes(ESP, AUTH, MD5), algdes(ESP, CRYPT, DES)
310  *
311  * If an SA type supports an algorithm type, and there's no descriptor,
312  * assume it requires NONE, just like it were explicitly stated.
313  * (This includes ESP NULL encryption, BTW.)
314  *
315  * Already 64-bit aligned thanks to uint64_t fields.
316  */
317 
318 typedef struct sadb_x_ecomb {
319 	uint8_t sadb_x_ecomb_numalgs;
320 	uint8_t sadb_x_ecomb_reserved;
321 	uint16_t sadb_x_ecomb_flags;	/* E.g. PFS? */
322 	uint32_t sadb_x_ecomb_reserved2;
323 	uint32_t sadb_x_ecomb_soft_allocations;
324 	uint32_t sadb_x_ecomb_hard_allocations;
325 	uint64_t sadb_x_ecomb_soft_bytes;
326 	uint64_t sadb_x_ecomb_hard_bytes;
327 	uint64_t sadb_x_ecomb_soft_addtime;
328 	uint64_t sadb_x_ecomb_hard_addtime;
329 	uint64_t sadb_x_ecomb_soft_usetime;
330 	uint64_t sadb_x_ecomb_hard_usetime;
331 } sadb_x_ecomb_t;
332 
333 typedef struct sadb_x_algdesc {
334 	/* Union is for guaranteeing 64-bit alignment. */
335 	union {
336 		struct {
337 			uint8_t sadb_x_algdesc_usatype;	/* ESP, AH, etc. */
338 			uint8_t sadb_x_algdesc_ualgtype; /* AUTH, CRYPT, COMP */
339 			uint8_t sadb_x_algdesc_ualg;	/* 3DES, MD5, etc. */
340 			uint8_t sadb_x_algdesc_ureserved;
341 			uint16_t sadb_x_algdesc_uminbits; /* Bit strengths. */
342 			uint16_t sadb_x_algdesc_umaxbits;
343 		} sadb_x_algdesc_actual;
344 		uint64_t sadb_x_algdesc_alignment;
345 	} sadb_x_algdesc_u;
346 #define	sadb_x_algdesc_satype \
347 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_usatype
348 #define	sadb_x_algdesc_algtype \
349 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualgtype
350 #define	sadb_x_algdesc_alg \
351 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualg
352 #define	sadb_x_algdesc_reserved \
353 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ureserved
354 #define	sadb_x_algdesc_minbits \
355 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_uminbits
356 #define	sadb_x_algdesc_maxbits \
357 	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_umaxbits
358 } sadb_x_algdesc_t;
359 
360 /*
361  * When key mgmt. registers with the kernel, the kernel will tell key mgmt.
362  * its supported algorithms.
363  */
364 
365 typedef struct sadb_supported {
366 	/* Union is for guaranteeing 64-bit alignment. */
367 	union {
368 		struct {
369 			uint16_t sadb_x_supported_ulen;
370 			uint16_t sadb_x_supported_uexttype;
371 			uint32_t sadb_x_supported_ureserved;
372 		} sadb_x_supported_actual;
373 		uint64_t sadb_x_supported_alignment;
374 	} sadb_x_supported_u;
375 #define	sadb_supported_len \
376 	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ulen
377 #define	sadb_supported_exttype \
378 	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_uexttype
379 #define	sadb_supported_reserved \
380 	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ureserved
381 } sadb_supported_t;
382 
383 /* First, a base structure... */
384 typedef struct sadb_x_algb {
385 	uint8_t sadb_x_algb_id;		/* Algorithm type. */
386 	uint8_t sadb_x_algb_ivlen;		/* IV len, in bits */
387 	uint16_t sadb_x_algb_minbits;	/* Min. key len (in bits) */
388 	uint16_t sadb_x_algb_maxbits;	/* Max. key length */
389 	union {
390 		uint16_t sadb_x_algb_ureserved;
391 		uint8_t sadb_x_algb_udefaults[2];
392 	} sadb_x_algb_union;
393 
394 #define	sadb_x_algb_reserved sadb_x_algb_union.sadb_x_algb_ureserved
395 #define	sadb_x_algb_increment sadb_x_algb_union.sadb_x_algb_udefaults[0]
396 #define	sadb_x_algb_saltbits sadb_x_algb_union.sadb_x_algb_udefaults[1]
397 /*
398  * alg_increment: the number of bits from a key length to the next
399  */
400 } sadb_x_algb_t;
401 
402 /* Now, the actual sadb_alg structure, which will have alignment in it. */
403 typedef struct sadb_alg {
404 	/* Union is for guaranteeing 64-bit alignment. */
405 	union {
406 		sadb_x_algb_t sadb_x_alg_actual;
407 		uint64_t sadb_x_alg_alignment;
408 	} sadb_x_alg_u;
409 #define	sadb_alg_id sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_id
410 #define	sadb_alg_ivlen sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_ivlen
411 #define	sadb_alg_minbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_minbits
412 #define	sadb_alg_maxbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_maxbits
413 #define	sadb_alg_reserved sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_reserved
414 #define	sadb_x_alg_increment \
415 	sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_increment
416 #define	sadb_x_alg_saltbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_saltbits
417 } sadb_alg_t;
418 
419 /*
420  * If key mgmt. needs an SPI in a range (including 0 to 0xFFFFFFFF), it
421  * asks the kernel with this extension in the SADB_GETSPI message.
422  */
423 
424 typedef struct sadb_spirange {
425 	uint16_t sadb_spirange_len;
426 	uint16_t sadb_spirange_exttype;	/* SPI_RANGE */
427 	uint32_t sadb_spirange_min;
428 	/* Union is for guaranteeing 64-bit alignment. */
429 	union {
430 		struct {
431 			uint32_t sadb_x_spirange_umax;
432 			uint32_t sadb_x_spirange_ureserved;
433 		} sadb_x_spirange_actual;
434 		uint64_t sadb_x_spirange_alignment;
435 	} sadb_x_spirange_u;
436 #define	sadb_spirange_max \
437 	sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_umax
438 #define	sadb_spirange_reserved \
439 	sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_ureserved
440 } sadb_spirange_t;
441 
442 /*
443  * For the "extended REGISTER" which'll tell the kernel to send me
444  * "extended ACQUIREs".
445  */
446 
447 typedef struct sadb_x_ereg {
448 	/* Union is for guaranteeing 64-bit alignment. */
449 	union {
450 		struct {
451 			uint16_t sadb_x_ereg_ulen;
452 			uint16_t sadb_x_ereg_uexttype;	/* X_EREG */
453 			/* Array of SA types, 0-terminated. */
454 			uint8_t sadb_x_ereg_usatypes[4];
455 		} sadb_x_ereg_actual;
456 		uint64_t sadb_x_ereg_alignment;
457 	} sadb_x_ereg_u;
458 #define	sadb_x_ereg_len \
459 	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_ulen
460 #define	sadb_x_ereg_exttype \
461 	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_uexttype
462 #define	sadb_x_ereg_satypes \
463 	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_usatypes
464 } sadb_x_ereg_t;
465 
466 /*
467  * For conveying a Key Management Cookie with SADB_GETSPI, SADB_ADD,
468  * SADB_ACQUIRE, or SADB_X_INVERSE_ACQUIRE.
469  */
470 
471 typedef struct sadb_x_kmc {
472 	uint16_t sadb_x_kmc_len;
473 	uint16_t sadb_x_kmc_exttype;	/* X_KM_COOKIE */
474 	uint32_t sadb_x_kmc_proto;	/* KM protocol */
475 	union {
476 		struct {
477 			uint32_t sadb_x_kmc_ucookie;	/* KMP-specific */
478 			uint32_t sadb_x_kmc_ureserved;	/* Must be zero */
479 		} sadb_x_kmc_actual;
480 		uint64_t sadb_x_kmc_alignment;
481 	} sadb_x_kmc_u;
482 #define	sadb_x_kmc_cookie sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ucookie
483 #define	sadb_x_kmc_reserved sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ureserved
484 } sadb_x_kmc_t;
485 
486 typedef struct sadb_x_pair {
487 	union {
488 		/* Union is for guaranteeing 64-bit alignment. */
489 		struct {
490 			uint16_t sadb_x_pair_ulen;
491 			uint16_t sadb_x_pair_uexttype;
492 			uint32_t sadb_x_pair_uspi;	/* SPI of paired SA */
493 		} sadb_x_pair_actual;
494 		uint64_t sadb_x_ext_alignment;
495 	} sadb_x_pair_u;
496 #define	sadb_x_pair_len sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_ulen
497 #define	sadb_x_pair_exttype \
498 	sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_uexttype
499 #define	sadb_x_pair_spi sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_uspi
500 } sadb_x_pair_t;
501 
502 /*
503  * For the Sequence numbers to be used with SADB_DUMP, SADB_GET, SADB_UPDATE.
504  */
505 
506 typedef struct sadb_x_replay_ctr {
507 	uint16_t sadb_x_rc_len;
508 	uint16_t sadb_x_rc_exttype;
509 	uint32_t sadb_x_rc_replay32;    /* For 240x SAs. */
510 	uint64_t sadb_x_rc_replay64;    /* For 430x SAs. */
511 } sadb_x_replay_ctr_t;
512 
513 /*
514  * For extended DUMP request. Dumps the SAs which were idle for
515  * longer than the timeout specified.
516  */
517 
518 typedef struct sadb_x_edump {
519 	uint16_t sadb_x_edump_len;
520 	uint16_t sadb_x_edump_exttype;
521 	uint32_t sadb_x_edump_reserved;
522 	uint64_t sadb_x_edump_timeout;
523 } sadb_x_edump_t;
524 
525 /*
526  * Base message types.
527  */
528 
529 #define	SADB_RESERVED	0
530 #define	SADB_GETSPI	1
531 #define	SADB_UPDATE	2
532 #define	SADB_ADD	3
533 #define	SADB_DELETE	4
534 #define	SADB_GET	5
535 #define	SADB_ACQUIRE	6
536 #define	SADB_REGISTER	7
537 #define	SADB_EXPIRE	8
538 #define	SADB_FLUSH	9
539 #define	SADB_DUMP	10   /* not used normally */
540 #define	SADB_X_PROMISC	11
541 #define	SADB_X_INVERSE_ACQUIRE	12
542 #define	SADB_X_UPDATEPAIR	13
543 #define	SADB_X_DELPAIR		14
544 #define	SADB_X_DELPAIR_STATE	15
545 #define	SADB_MAX		15
546 
547 /*
548  * SA flags
549  */
550 
551 #define	SADB_SAFLAGS_PFS	0x1	/* Perfect forward secrecy? */
552 #define	SADB_SAFLAGS_NOREPLAY	0x2	/* Replay field NOT PRESENT. */
553 
554 /* Below flags are used by this implementation.  Grow from left-to-right. */
555 #define	SADB_X_SAFLAGS_USED	0x80000000	/* SA used/not used */
556 #define	SADB_X_SAFLAGS_UNIQUE	0x40000000	/* SA unique/reusable */
557 #define	SADB_X_SAFLAGS_AALG1	0x20000000	/* Auth-alg specific flag 1 */
558 #define	SADB_X_SAFLAGS_AALG2	0x10000000	/* Auth-alg specific flag 2 */
559 #define	SADB_X_SAFLAGS_EALG1	 0x8000000	/* Encr-alg specific flag 1 */
560 #define	SADB_X_SAFLAGS_EALG2	 0x4000000	/* Encr-alg specific flag 2 */
561 #define	SADB_X_SAFLAGS_KM1	 0x2000000	/* Key mgmt. specific flag 1 */
562 #define	SADB_X_SAFLAGS_KM2	 0x1000000	/* Key mgmt. specific flag 2 */
563 #define	SADB_X_SAFLAGS_KM3	  0x800000	/* Key mgmt. specific flag 3 */
564 #define	SADB_X_SAFLAGS_KM4	  0x400000	/* Key mgmt. specific flag 4 */
565 #define	SADB_X_SAFLAGS_KRES1	  0x200000	/* Reserved by the kernel */
566 #define	SADB_X_SAFLAGS_NATT_LOC	  0x100000	/* this has a natted src SA */
567 #define	SADB_X_SAFLAGS_NATT_REM	   0x80000	/* this has a natted dst SA */
568 #define	SADB_X_SAFLAGS_KRES2	   0x40000	/* Reserved by the kernel */
569 #define	SADB_X_SAFLAGS_TUNNEL	   0x20000	/* tunnel mode */
570 #define	SADB_X_SAFLAGS_PAIRED	   0x10000	/* inbound/outbound pair */
571 #define	SADB_X_SAFLAGS_OUTBOUND	    0x8000	/* SA direction bit */
572 #define	SADB_X_SAFLAGS_INBOUND	    0x4000	/* SA direction bit */
573 #define	SADB_X_SAFLAGS_NATTED	    0x1000	/* Local node is behind a NAT */
574 
575 #define	SADB_X_SAFLAGS_KRES	\
576 	SADB_X_SAFLAGS_KRES1 | SADB_X_SAFLAGS_KRES2
577 
578 /*
579  * SA state.
580  */
581 
582 #define	SADB_SASTATE_LARVAL		0
583 #define	SADB_SASTATE_MATURE		1
584 #define	SADB_SASTATE_DYING		2
585 #define	SADB_SASTATE_DEAD		3
586 #define	SADB_X_SASTATE_ACTIVE_ELSEWHERE	4
587 #define	SADB_X_SASTATE_IDLE		5
588 #define	SADB_X_SASTATE_ACTIVE		6
589 
590 #define	SADB_SASTATE_MAX		6
591 
592 /*
593  * SA type.  Gaps are present in the number space because (for the time being)
594  * these types correspond to the SA types in the IPsec DOI document.
595  */
596 
597 #define	SADB_SATYPE_UNSPEC	0
598 #define	SADB_SATYPE_AH		2  /* RFC-1826 */
599 #define	SADB_SATYPE_ESP		3  /* RFC-1827 */
600 #define	SADB_SATYPE_RSVP	5  /* RSVP Authentication */
601 #define	SADB_SATYPE_OSPFV2	6  /* OSPFv2 Authentication */
602 #define	SADB_SATYPE_RIPV2	7  /* RIPv2 Authentication */
603 #define	SADB_SATYPE_MIP		8  /* Mobile IPv4 Authentication */
604 
605 #define	SADB_SATYPE_MAX		8
606 
607 /*
608  * Algorithm types.  Gaps are present because (for the time being) these types
609  * correspond to the SA types in the IPsec DOI document.
610  *
611  * NOTE:  These are numbered to play nice with the IPsec DOI.  That's why
612  *	  there are gaps.
613  */
614 
615 /* Authentication algorithms */
616 #define	SADB_AALG_NONE		0
617 #define	SADB_AALG_MD5HMAC	2
618 #define	SADB_AALG_SHA1HMAC	3
619 #define	SADB_AALG_SHA256HMAC	5
620 #define	SADB_AALG_SHA384HMAC	6
621 #define	SADB_AALG_SHA512HMAC	7
622 
623 #define	SADB_AALG_MAX		7
624 
625 /* Encryption algorithms */
626 #define	SADB_EALG_NONE		0
627 #define	SADB_EALG_DESCBC	2
628 #define	SADB_EALG_3DESCBC	3
629 #define	SADB_EALG_BLOWFISH	7
630 #define	SADB_EALG_NULL		11
631 #define	SADB_EALG_AES		12
632 #define	SADB_EALG_AES_CCM_8	14
633 #define	SADB_EALG_AES_CCM_12	15
634 #define	SADB_EALG_AES_CCM_16	16
635 #define	SADB_EALG_AES_GCM_8	18
636 #define	SADB_EALG_AES_GCM_12	19
637 #define	SADB_EALG_AES_GCM_16	20
638 #define	SADB_EALG_MAX		20
639 
640 /*
641  * Extension header values.
642  */
643 
644 #define	SADB_EXT_RESERVED		0
645 
646 #define	SADB_EXT_SA			1
647 #define	SADB_EXT_LIFETIME_CURRENT	2
648 #define	SADB_EXT_LIFETIME_HARD		3
649 #define	SADB_EXT_LIFETIME_SOFT		4
650 #define	SADB_EXT_ADDRESS_SRC		5
651 #define	SADB_EXT_ADDRESS_DST		6
652 /* These two are synonyms. */
653 #define	SADB_EXT_ADDRESS_PROXY		7
654 #define	SADB_X_EXT_ADDRESS_INNER_SRC	SADB_EXT_ADDRESS_PROXY
655 #define	SADB_EXT_KEY_AUTH		8
656 #define	SADB_EXT_KEY_ENCRYPT		9
657 #define	SADB_EXT_IDENTITY_SRC		10
658 #define	SADB_EXT_IDENTITY_DST		11
659 #define	SADB_EXT_SENSITIVITY		12
660 #define	SADB_EXT_PROPOSAL		13
661 #define	SADB_EXT_SUPPORTED_AUTH		14
662 #define	SADB_EXT_SUPPORTED_ENCRYPT	15
663 #define	SADB_EXT_SPIRANGE		16
664 #define	SADB_X_EXT_EREG			17
665 #define	SADB_X_EXT_EPROP		18
666 #define	SADB_X_EXT_KM_COOKIE		19
667 #define	SADB_X_EXT_ADDRESS_NATT_LOC	20
668 #define	SADB_X_EXT_ADDRESS_NATT_REM	21
669 #define	SADB_X_EXT_ADDRESS_INNER_DST	22
670 #define	SADB_X_EXT_PAIR			23
671 #define	SADB_X_EXT_REPLAY_VALUE		24
672 #define	SADB_X_EXT_EDUMP		25
673 #define	SADB_X_EXT_LIFETIME_IDLE	26
674 #define	SADB_X_EXT_OUTER_SENS		27
675 
676 #define	SADB_EXT_MAX			27
677 
678 /*
679  * Identity types.
680  */
681 
682 #define	SADB_IDENTTYPE_RESERVED 0
683 
684 /*
685  * For PREFIX and ADDR_RANGE, use the AF of the PROXY if present, or the SRC
686  * if not present.
687  */
688 #define	SADB_IDENTTYPE_PREFIX		1
689 #define	SADB_IDENTTYPE_FQDN		2  /* Fully qualified domain name. */
690 #define	SADB_IDENTTYPE_USER_FQDN	3  /* e.g. root@domain.com */
691 #define	SADB_X_IDENTTYPE_DN		4  /* ASN.1 DER Distinguished Name. */
692 #define	SADB_X_IDENTTYPE_GN		5  /* ASN.1 DER Generic Name. */
693 #define	SADB_X_IDENTTYPE_KEY_ID		6  /* Generic KEY ID. */
694 #define	SADB_X_IDENTTYPE_ADDR_RANGE	7
695 
696 #define	SADB_IDENTTYPE_MAX 	7
697 
698 /*
699  * Protection DOI values for the SENSITIVITY extension.  There are no values
700  * currently, so the MAX is the only non-zero value available.
701  */
702 
703 #define	SADB_DPD_NONE	0
704 
705 #define	SADB_DPD_MAX	1
706 
707 /*
708  * Diagnostic codes.  These supplement error messages.  Be sure to
709  * update libipsecutil's keysock_diag() if you change any of these.
710  */
711 
712 #define	SADB_X_DIAGNOSTIC_PRESET		-1	/* Internal value. */
713 
714 #define	SADB_X_DIAGNOSTIC_NONE			0
715 
716 #define	SADB_X_DIAGNOSTIC_UNKNOWN_MSG		1
717 #define	SADB_X_DIAGNOSTIC_UNKNOWN_EXT		2
718 #define	SADB_X_DIAGNOSTIC_BAD_EXTLEN		3
719 #define	SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE	4
720 #define	SADB_X_DIAGNOSTIC_SATYPE_NEEDED		5
721 #define	SADB_X_DIAGNOSTIC_NO_SADBS		6
722 #define	SADB_X_DIAGNOSTIC_NO_EXT		7
723 /* Bad address family value */
724 #define	SADB_X_DIAGNOSTIC_BAD_SRC_AF		8
725 /* in sockaddr->sa_family. */
726 #define	SADB_X_DIAGNOSTIC_BAD_DST_AF		9
727 /* These two are synonyms. */
728 #define	SADB_X_DIAGNOSTIC_BAD_PROXY_AF		10
729 #define	SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF	10
730 
731 #define	SADB_X_DIAGNOSTIC_AF_MISMATCH		11
732 
733 #define	SADB_X_DIAGNOSTIC_BAD_SRC		12
734 #define	SADB_X_DIAGNOSTIC_BAD_DST		13
735 
736 #define	SADB_X_DIAGNOSTIC_ALLOC_HSERR		14
737 #define	SADB_X_DIAGNOSTIC_BYTES_HSERR		15
738 #define	SADB_X_DIAGNOSTIC_ADDTIME_HSERR		16
739 #define	SADB_X_DIAGNOSTIC_USETIME_HSERR		17
740 
741 #define	SADB_X_DIAGNOSTIC_MISSING_SRC		18
742 #define	SADB_X_DIAGNOSTIC_MISSING_DST		19
743 #define	SADB_X_DIAGNOSTIC_MISSING_SA		20
744 #define	SADB_X_DIAGNOSTIC_MISSING_EKEY		21
745 #define	SADB_X_DIAGNOSTIC_MISSING_AKEY		22
746 #define	SADB_X_DIAGNOSTIC_MISSING_RANGE		23
747 
748 #define	SADB_X_DIAGNOSTIC_DUPLICATE_SRC		24
749 #define	SADB_X_DIAGNOSTIC_DUPLICATE_DST		25
750 #define	SADB_X_DIAGNOSTIC_DUPLICATE_SA		26
751 #define	SADB_X_DIAGNOSTIC_DUPLICATE_EKEY	27
752 #define	SADB_X_DIAGNOSTIC_DUPLICATE_AKEY	28
753 #define	SADB_X_DIAGNOSTIC_DUPLICATE_RANGE	29
754 
755 #define	SADB_X_DIAGNOSTIC_MALFORMED_SRC		30
756 #define	SADB_X_DIAGNOSTIC_MALFORMED_DST		31
757 #define	SADB_X_DIAGNOSTIC_MALFORMED_SA		32
758 #define	SADB_X_DIAGNOSTIC_MALFORMED_EKEY	33
759 #define	SADB_X_DIAGNOSTIC_MALFORMED_AKEY	34
760 #define	SADB_X_DIAGNOSTIC_MALFORMED_RANGE	35
761 
762 #define	SADB_X_DIAGNOSTIC_AKEY_PRESENT		36
763 #define	SADB_X_DIAGNOSTIC_EKEY_PRESENT		37
764 #define	SADB_X_DIAGNOSTIC_PROP_PRESENT		38
765 #define	SADB_X_DIAGNOSTIC_SUPP_PRESENT		39
766 
767 #define	SADB_X_DIAGNOSTIC_BAD_AALG		40
768 #define	SADB_X_DIAGNOSTIC_BAD_EALG		41
769 #define	SADB_X_DIAGNOSTIC_BAD_SAFLAGS		42
770 #define	SADB_X_DIAGNOSTIC_BAD_SASTATE		43
771 
772 #define	SADB_X_DIAGNOSTIC_BAD_AKEYBITS		44
773 #define	SADB_X_DIAGNOSTIC_BAD_EKEYBITS		45
774 
775 #define	SADB_X_DIAGNOSTIC_ENCR_NOTSUPP		46
776 
777 #define	SADB_X_DIAGNOSTIC_WEAK_EKEY		47
778 #define	SADB_X_DIAGNOSTIC_WEAK_AKEY		48
779 
780 #define	SADB_X_DIAGNOSTIC_DUPLICATE_KMP		49
781 #define	SADB_X_DIAGNOSTIC_DUPLICATE_KMC		50
782 
783 #define	SADB_X_DIAGNOSTIC_MISSING_NATT_LOC	51
784 #define	SADB_X_DIAGNOSTIC_MISSING_NATT_REM	52
785 #define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC	53
786 #define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM	54
787 #define	SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC	55
788 #define	SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM	56
789 #define	SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS	57
790 
791 #define	SADB_X_DIAGNOSTIC_MISSING_INNER_SRC	58
792 #define	SADB_X_DIAGNOSTIC_MISSING_INNER_DST	59
793 #define	SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC	60
794 #define	SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST	61
795 #define	SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC	62
796 #define	SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST	63
797 
798 #define	SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC	64
799 #define	SADB_X_DIAGNOSTIC_PREFIX_INNER_DST	65
800 #define	SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF	66
801 #define	SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH	67
802 
803 #define	SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF	68
804 #define	SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF	69
805 
806 #define	SADB_X_DIAGNOSTIC_PROTO_MISMATCH	70
807 #define	SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH	71
808 
809 #define	SADB_X_DIAGNOSTIC_DUAL_PORT_SETS	72
810 
811 #define	SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE	73
812 #define	SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH	74
813 #define	SADB_X_DIAGNOSTIC_PAIR_ALREADY		75
814 #define	SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND	76
815 #define	SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION	77
816 
817 #define	SADB_X_DIAGNOSTIC_SA_NOTFOUND		78
818 #define	SADB_X_DIAGNOSTIC_SA_EXPIRED		79
819 #define	SADB_X_DIAGNOSTIC_BAD_CTX		80
820 #define	SADB_X_DIAGNOSTIC_INVALID_REPLAY	81
821 #define	SADB_X_DIAGNOSTIC_MISSING_LIFETIME	82
822 
823 #define	SADB_X_DIAGNOSTIC_BAD_LABEL		83
824 #define	SADB_X_DIAGNOSTIC_MAX			83
825 
826 /* Algorithm type for sadb_x_algdesc above... */
827 
828 #define	SADB_X_ALGTYPE_NONE		0
829 #define	SADB_X_ALGTYPE_AUTH		1
830 #define	SADB_X_ALGTYPE_CRYPT		2
831 #define	SADB_X_ALGTYPE_COMPRESS		3
832 
833 #define	SADB_X_ALGTYPE_MAX		3
834 
835 /* Key management protocol for sadb_x_kmc above... */
836 
837 #define	SADB_X_KMP_MANUAL	0
838 #define	SADB_X_KMP_IKE		1
839 #define	SADB_X_KMP_KINK		2
840 
841 #define	SADB_X_KMP_MAX		2
842 
843 /*
844  * Handy conversion macros.  Not part of the PF_KEY spec...
845  */
846 
847 #define	SADB_64TO8(x)	((x) << 3)
848 #define	SADB_8TO64(x)	((x) >> 3)
849 #define	SADB_8TO1(x)	((x) << 3)
850 #define	SADB_1TO8(x)	((x) >> 3)
851 
852 #ifdef	__cplusplus
853 }
854 #endif
855 
856 #endif	/* _NET_PFKEYV2_H */
857