1 /*
2 * CDDL HEADER START
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
19 * CDDL HEADER END
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
26 * Copyright (c) 2018, Joyent, Inc.
#ifndef _NET_PFKEYV2_H
#define _NET_PFKEYV2_H

/*
 * Definitions and structures for PF_KEY version 2. See RFC 2367 for
 * more details. SA == Security Association, which is what PF_KEY provides
 * an API for managing.
 *
 * Layout conventions used throughout this file:
 *  - Every sadb_*_len field counts 64-bit words, not bytes (see the
 *    SADB_64TO8 / SADB_8TO64 macros at the end of the file).
 *  - Most extensions wrap their leading fields in a union with a uint64_t
 *    member purely to force 8-byte alignment; the sadb_*_len / _exttype
 *    accessor macros hide that indirection.
 *  - SADB_X_* names are this implementation's extensions to RFC 2367.
 */

#ifdef __cplusplus
extern "C" {
#endif

#define PF_KEY_V2 2		/* sadb_msg_version value for this API */
#define PFKEYV2_REVISION 200109L
/*
 * Base PF_KEY message.  Every PF_KEY message starts with one of these;
 * the extensions (sadb_ext_t and the specific extension structures below)
 * follow it within the sadb_msg_len bound.
 */
typedef struct sadb_msg {
	uint8_t sadb_msg_version;	/* Version, currently PF_KEY_V2 */
	uint8_t sadb_msg_type;		/* ADD, UPDATE, etc. (SADB_* below) */
	uint8_t sadb_msg_errno;		/* Error number from UNIX errno space */
	uint8_t sadb_msg_satype;	/* ESP, AH, etc. (SADB_SATYPE_*) */
	/*
	 * Length in 64-bit words, including this header and all extensions.
	 * NOTE(review): receivers should bound every extension walk by this
	 * value; an extension that runs past it is malformed
	 * (cf. SADB_X_DIAGNOSTIC_BAD_EXTLEN).
	 */
	uint16_t sadb_msg_len;
	uint16_t sadb_msg_reserved;	/* must be zero */
	/*
	 * Use the reserved field for extended diagnostic information on errno
	 * responses.  NOTE(review): so "must be zero" evidently applies to
	 * requests; error replies carry a SADB_X_DIAGNOSTIC_* code here --
	 * confirm against the keysock code.
	 */
#define sadb_x_msg_diagnostic sadb_msg_reserved
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint32_t sadb_x_msg_useq;	/* Set by originator */
			uint32_t sadb_x_msg_upid;	/* Set by originator */
		} sadb_x_msg_actual;
		uint64_t sadb_x_msg_alignment;
	} sadb_x_msg_u;
#define sadb_msg_seq sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_useq
#define sadb_msg_pid sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_upid
} sadb_msg_t;
/*
 * Generic extension header.
 *
 * Every extension begins with a 16-bit length (in 64-bit words, including
 * this header) and a 16-bit type (SADB_EXT_* / SADB_X_EXT_* below), so a
 * message can be walked by viewing each extension as a sadb_ext_t first.
 * NOTE(review): a length of 0, or one that exceeds the remaining
 * sadb_msg_len, must be rejected before advancing to the next extension.
 */
typedef struct sadb_ext {
	union {
		/* Union is for guaranteeing 64-bit alignment. */
		struct {
			uint16_t sadb_x_ext_ulen;	/* In 64s, inclusive */
			uint16_t sadb_x_ext_utype;	/* 0 is reserved */
		} sadb_x_ext_actual;
		uint64_t sadb_x_ext_alignment;
	} sadb_x_ext_u;
#define sadb_ext_len sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_ulen
#define sadb_ext_type sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_utype
} sadb_ext_t;
/*
 * Security Association information extension (SADB_EXT_SA).
 * Carries the SPI plus the SA's state, algorithms and flags.
 */
typedef struct sadb_sa {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_sa_ulen;
			uint16_t sadb_x_sa_uexttype;	/* ASSOCIATION */
			uint32_t sadb_x_sa_uspi;	/* Sec. Param. Index */
		} sadb_x_sa_uactual;
		uint64_t sadb_x_sa_alignment;
	} sadb_x_sa_u;
#define sadb_sa_len sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_ulen
#define sadb_sa_exttype sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uexttype
#define sadb_sa_spi sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uspi
	/*
	 * Replay counter.  RFC 2367 describes this as the replay window
	 * size; see also SADB_SAFLAGS_NOREPLAY.
	 */
	uint8_t sadb_sa_replay;
	uint8_t sadb_sa_state;		/* MATURE, DEAD, DYING, LARVAL (SADB_SASTATE_*) */
	uint8_t sadb_sa_auth;		/* Authentication algorithm (SADB_AALG_*) */
	uint8_t sadb_sa_encrypt;	/* Encryption algorithm (SADB_EALG_*) */
	uint32_t sadb_sa_flags;		/* SA flags (SADB_SAFLAGS_* / SADB_X_SAFLAGS_*). */
} sadb_sa_t;
/*
 * SA Lifetime extension. Already 64-bit aligned thanks to uint64_t fields.
 * The exttype says which lifetime this is: SADB_EXT_LIFETIME_SOFT,
 * SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_CURRENT (and presumably
 * SADB_X_EXT_LIFETIME_IDLE -- confirm).
 */
typedef struct sadb_lifetime {
	uint16_t sadb_lifetime_len;
	uint16_t sadb_lifetime_exttype;		/* SOFT, HARD, CURRENT */
	uint32_t sadb_lifetime_allocations;
	uint64_t sadb_lifetime_bytes;
	uint64_t sadb_lifetime_addtime;	/* These fields are assumed to hold */
	uint64_t sadb_lifetime_usetime;	/* >= sizeof (time_t). */
} sadb_lifetime_t;
/*
 * SA address information.
 * Used for SADB_EXT_ADDRESS_SRC / _DST / _PROXY and, presumably, the
 * SADB_X_EXT_ADDRESS_* variants below.
 * NOTE(review): the trailing sockaddr must fit within sadb_address_len and
 * its sa_family must be validated (cf. SADB_X_DIAGNOSTIC_BAD_*_AF).
 */
typedef struct sadb_address {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_address_ulen;
			uint16_t sadb_x_address_uexttype;	/* SRC, DST, PROXY */
			uint8_t sadb_x_address_uproto;		/* Proto for ports... */
			uint8_t sadb_x_address_uprefixlen;	/* Prefix length. */
			uint16_t sadb_x_address_ureserved;	/* Padding */
		} sadb_x_address_actual;
		uint64_t sadb_x_address_alignment;
	} sadb_x_address_u;
#define sadb_address_len \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ulen
#define sadb_address_exttype \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uexttype
#define sadb_address_proto \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uproto
#define sadb_address_prefixlen \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uprefixlen
#define sadb_address_reserved \
	sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ureserved
	/* Followed by a sockaddr structure which may contain ports. */
} sadb_address_t;
/*
 * SA key information (SADB_EXT_KEY_AUTH / SADB_EXT_KEY_ENCRYPT).
 * NOTE(review): sadb_key_bits must be consistent with sadb_key_len
 * (the key bytes cannot extend past the extension); the trailing bytes
 * are secret material and buffers holding them should be cleared before
 * release.
 */
typedef struct sadb_key {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_key_ulen;
			uint16_t sadb_x_key_uexttype;	/* AUTH, ENCRYPT */
			uint16_t sadb_x_key_ubits;	/* Actual len (bits) */
			uint16_t sadb_x_key_ureserved;
		} sadb_x_key_actual;
		uint64_t sadb_x_key_alignment;
	} sadb_x_key_u;
#define sadb_key_len sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ulen
#define sadb_key_exttype sadb_x_key_u.sadb_x_key_actual.sadb_x_key_uexttype
#define sadb_key_bits sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ubits
#define sadb_key_reserved sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ureserved
	/* Followed by actual key(s) in canonical (outbound proc.) order. */
} sadb_key_t;
/*
 * SA Identity information. Already 64-bit aligned thanks to uint64_t fields.
 * NOTE(review): when a string follows, its NUL terminator must lie within
 * sadb_ident_len; do not rely on the terminator being present.
 */
typedef struct sadb_ident {
	uint16_t sadb_ident_len;
	uint16_t sadb_ident_exttype;	/* SRC, DST, PROXY */
	uint16_t sadb_ident_type;	/* FQDN, USER_FQDN, etc. (SADB_IDENTTYPE_*) */
	uint16_t sadb_ident_reserved;	/* Padding */
	uint64_t sadb_ident_id;		/* For userid, etc. */
	/* Followed by an identity null-terminated C string if present. */
} sadb_ident_t;
/*
 * SA sensitivity information. This is mostly useful on MLS systems.
 * NOTE(review): the two trailing bitmap lengths are in 64-bit words and
 * together with sizeof (sadb_sens_t) must not exceed sadb_sens_len.
 */
typedef struct sadb_sens {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_sens_ulen;
			uint16_t sadb_x_sens_uexttype;	/* SENSITIVITY */
			uint32_t sadb_x_sens_udpd;	/* Protection domain */
		} sadb_x_sens_actual;
		uint64_t sadb_x_sens_alignment;
	} sadb_x_sens_u;
#define sadb_sens_len sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_ulen
#define sadb_sens_exttype sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_uexttype
#define sadb_sens_dpd sadb_x_sens_u.sadb_x_sens_actual.sadb_x_sens_udpd
	uint8_t sadb_sens_sens_level;
	uint8_t sadb_sens_sens_len;	/* 64-bit words */
	uint8_t sadb_sens_integ_level;
	uint8_t sadb_sens_integ_len;	/* 64-bit words */
	uint32_t sadb_x_sens_flags;	/* SADB_X_SENS_* (formerly reserved) */
	/*
	 * followed by two uint64_t arrays
	 * uint64_t sadb_sens_bitmap[sens_bitmap_len];
	 * uint64_t sadb_integ_bitmap[integ_bitmap_len];
	 */
} sadb_sens_t;
/*
 * We recycled the formerly reserved word for flags.  Legacy code that
 * references sadb_sens_reserved now reads and writes the flags word.
 */
#define sadb_sens_reserved sadb_x_sens_flags

/* Values for sadb_x_sens_flags. */
#define SADB_X_SENS_IMPLICIT 0x1	/* implicit labelling */
#define SADB_X_SENS_UNLABELED 0x2	/* peer is unlabeled */
/*
 * a proposal extension. This is found in an ACQUIRE message, and it
 * proposes what sort of SA the kernel would like to ACQUIRE.
 */

/* First, a base structure... */

typedef struct sadb_x_propbase {
	uint16_t sadb_x_propb_len;
	uint16_t sadb_x_propb_exttype;	/* PROPOSAL, X_EPROP */
	/*
	 * Two views of the same 4 bytes: the "lenres" view used by the
	 * extended proposal (X_EPROP) and the original "oldres" view.
	 * The replay byte sits at the same offset in both.
	 */
	union {
		struct {
			uint8_t sadb_x_propb_lenres_replay;
			uint8_t sadb_x_propb_lenres_eres;
			uint16_t sadb_x_propb_lenres_numecombs;
		} sadb_x_propb_lenres;
		struct {
			uint8_t sadb_x_propb_oldres_replay;
			uint8_t sadb_x_propb_oldres_reserved[3];
		} sadb_x_propb_oldres;
	} sadb_x_propb_u;
#define sadb_x_propb_replay \
	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_replay
#define sadb_x_propb_reserved \
	sadb_x_propb_u.sadb_x_propb_oldres.sadb_x_propb_oldres_reserved
#define sadb_x_propb_ereserved \
	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_eres
#define sadb_x_propb_numecombs \
	sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_numecombs
	/*
	 * Followed by sadb_comb[] array or sadb_ecomb[] array.
	 * NOTE(review): for X_EPROP the ecomb count is sadb_x_propb_numecombs;
	 * for PROPOSAL the comb count is presumably implied by the length --
	 * either way it must be checked against sadb_x_propb_len.
	 */
} sadb_x_propbase_t;
/*
 * Now, the actual sadb_prop structure, which will have alignment in it!
 * The accessor macros forward to the embedded sadb_x_propbase_t.
 */

typedef struct sadb_prop {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		sadb_x_propbase_t sadb_x_prop_actual;
		uint64_t sadb_x_prop_alignment;
	} sadb_x_prop_u;
#define sadb_prop_len sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_len
#define sadb_prop_exttype sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_exttype
#define sadb_prop_replay sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_replay
#define sadb_prop_reserved \
	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_reserved
#define sadb_x_prop_ereserved \
	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_ereserved
#define sadb_x_prop_numecombs \
	sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_numecombs
} sadb_prop_t;
/*
 * This is a proposed combination. Many of these can follow a proposal
 * extension. Already 64-bit aligned thanks to uint64_t fields.
 * Each entry names one auth/encrypt algorithm pair, acceptable key
 * strengths, and the lifetimes proposed for an SA using it.
 */
typedef struct sadb_comb {
	uint8_t sadb_comb_auth;			/* Authentication algorithm */
	uint8_t sadb_comb_encrypt;		/* Encryption algorithm */
	uint16_t sadb_comb_flags;		/* Comb. flags (e.g. PFS) */
	uint16_t sadb_comb_auth_minbits;	/* Bit strengths for auth */
	uint16_t sadb_comb_auth_maxbits;
	uint16_t sadb_comb_encrypt_minbits;	/* Bit strengths for encrypt */
	uint16_t sadb_comb_encrypt_maxbits;
	uint32_t sadb_comb_reserved;
	uint32_t sadb_comb_soft_allocations;	/* Lifetime proposals for */
	uint32_t sadb_comb_hard_allocations;	/* this combination. */
	uint64_t sadb_comb_soft_bytes;
	uint64_t sadb_comb_hard_bytes;
	uint64_t sadb_comb_soft_addtime;
	uint64_t sadb_comb_hard_addtime;
	uint64_t sadb_comb_soft_usetime;
	uint64_t sadb_comb_hard_usetime;
} sadb_comb_t;
/*
 * An extended combination that can comprise many SA types.
 * A single combination has algorithms and SA types locked.
 * These are represented by algorithm descriptors, the second structure
 * in the list. For example, if the EACQUIRE requests AH(MD5) + ESP(DES/null)
 * _or_ ESP(DES/MD5), it would have two combinations:
 *
 * COMB: algdes(AH, AUTH, MD5), algdes(ESP, CRYPT, DES)
 * COMB: algdes(ESP, AUTH, MD5), algdes(ESP, CRYPT, DES)
 *
 * If an SA type supports an algorithm type, and there's no descriptor,
 * assume it requires NONE, just like it were explicitly stated.
 * (This includes ESP NULL encryption, BTW.)
 *
 * Already 64-bit aligned thanks to uint64_t fields.
 */
typedef struct sadb_x_ecomb {
	uint8_t sadb_x_ecomb_numalgs;	/* Number of sadb_x_algdesc_t that follow */
	uint8_t sadb_x_ecomb_reserved;
	uint16_t sadb_x_ecomb_flags;		/* E.g. PFS? */
	uint32_t sadb_x_ecomb_reserved2;
	uint32_t sadb_x_ecomb_soft_allocations;
	uint32_t sadb_x_ecomb_hard_allocations;
	uint64_t sadb_x_ecomb_soft_bytes;
	uint64_t sadb_x_ecomb_hard_bytes;
	uint64_t sadb_x_ecomb_soft_addtime;
	uint64_t sadb_x_ecomb_hard_addtime;
	uint64_t sadb_x_ecomb_soft_usetime;
	uint64_t sadb_x_ecomb_hard_usetime;
} sadb_x_ecomb_t;
/*
 * Algorithm descriptor: one (SA type, algorithm type, algorithm) triple
 * with its acceptable key strengths.  sadb_x_ecomb_numalgs of these
 * follow each sadb_x_ecomb_t.
 */
typedef struct sadb_x_algdesc {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint8_t sadb_x_algdesc_usatype;	/* ESP, AH, etc. */
			uint8_t sadb_x_algdesc_ualgtype;	/* AUTH, CRYPT, COMP */
			uint8_t sadb_x_algdesc_ualg;		/* 3DES, MD5, etc. */
			uint8_t sadb_x_algdesc_ureserved;
			uint16_t sadb_x_algdesc_uminbits;	/* Bit strengths. */
			uint16_t sadb_x_algdesc_umaxbits;
		} sadb_x_algdesc_actual;
		uint64_t sadb_x_algdesc_alignment;
	} sadb_x_algdesc_u;
#define sadb_x_algdesc_satype \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_usatype
#define sadb_x_algdesc_algtype \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualgtype
#define sadb_x_algdesc_alg \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualg
#define sadb_x_algdesc_reserved \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ureserved
#define sadb_x_algdesc_minbits \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_uminbits
#define sadb_x_algdesc_maxbits \
	sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_umaxbits
} sadb_x_algdesc_t;
/*
 * When key mgmt. registers with the kernel, the kernel will tell key mgmt.
 * its supported algorithms.  Sent as SADB_EXT_SUPPORTED_AUTH or
 * SADB_EXT_SUPPORTED_ENCRYPT; presumably followed by sadb_alg_t entries
 * whose count is implied by sadb_supported_len -- confirm against the
 * REGISTER handler.
 */
typedef struct sadb_supported {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_supported_ulen;
			uint16_t sadb_x_supported_uexttype;
			uint32_t sadb_x_supported_ureserved;
		} sadb_x_supported_actual;
		uint64_t sadb_x_supported_alignment;
	} sadb_x_supported_u;
#define sadb_supported_len \
	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ulen
#define sadb_supported_exttype \
	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_uexttype
#define sadb_supported_reserved \
	sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ureserved
} sadb_supported_t;
/* First, a base structure... */
typedef struct sadb_x_algb {
	uint8_t sadb_x_algb_id;		/* Algorithm type. */
	uint8_t sadb_x_algb_ivlen;	/* IV len, in bits */
	uint16_t sadb_x_algb_minbits;	/* Min. key len (in bits) */
	uint16_t sadb_x_algb_maxbits;	/* Max. key length */
	/*
	 * The former 16-bit reserved word now carries two per-algorithm
	 * defaults (see the accessor macros below).
	 */
	union {
		uint16_t sadb_x_algb_ureserved;
		uint8_t sadb_x_algb_udefaults[2];
	} sadb_x_algb_union;

#define sadb_x_algb_reserved sadb_x_algb_union.sadb_x_algb_ureserved
#define sadb_x_algb_increment sadb_x_algb_union.sadb_x_algb_udefaults[0]
#define sadb_x_algb_saltbits sadb_x_algb_union.sadb_x_algb_udefaults[1]
	/*
	 * alg_increment: the number of bits from a key length to the next
	 * (the step size between minbits and maxbits).
	 * alg_saltbits: salt length in bits for algorithms that use one.
	 */
} sadb_x_algb_t;
/*
 * Now, the actual sadb_alg structure, which will have alignment in it.
 * The accessor macros forward to the embedded sadb_x_algb_t.
 */
typedef struct sadb_alg {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		sadb_x_algb_t sadb_x_alg_actual;
		uint64_t sadb_x_alg_alignment;
	} sadb_x_alg_u;
#define sadb_alg_id sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_id
#define sadb_alg_ivlen sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_ivlen
#define sadb_alg_minbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_minbits
#define sadb_alg_maxbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_maxbits
#define sadb_alg_reserved sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_reserved
#define sadb_x_alg_increment \
	sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_increment
#define sadb_x_alg_saltbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_saltbits
} sadb_alg_t;
/*
 * If key mgmt. needs an SPI in a range (including 0 to 0xFFFFFFFF), it
 * asks the kernel with this extension in the SADB_GETSPI message.
 * NOTE(review): min > max is a malformed range
 * (cf. SADB_X_DIAGNOSTIC_MALFORMED_RANGE).
 */
typedef struct sadb_spirange {
	uint16_t sadb_spirange_len;
	uint16_t sadb_spirange_exttype;	/* SPI_RANGE */
	uint32_t sadb_spirange_min;
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint32_t sadb_x_spirange_umax;
			uint32_t sadb_x_spirange_ureserved;
		} sadb_x_spirange_actual;
		uint64_t sadb_x_spirange_alignment;
	} sadb_x_spirange_u;
#define sadb_spirange_max \
	sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_umax
#define sadb_spirange_reserved \
	sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_ureserved
} sadb_spirange_t;
/*
 * For the "extended REGISTER" which'll tell the kernel to send me
 * "extended ACQUIREs".
 * NOTE(review): the SA type array is 0-terminated but only 4 bytes long;
 * a parser must stop at the array bound even if no terminator is present.
 */
typedef struct sadb_x_ereg {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t sadb_x_ereg_ulen;
			uint16_t sadb_x_ereg_uexttype;	/* X_EREG */
			/* Array of SA types, 0-terminated. */
			uint8_t sadb_x_ereg_usatypes[4];
		} sadb_x_ereg_actual;
		uint64_t sadb_x_ereg_alignment;
	} sadb_x_ereg_u;
#define sadb_x_ereg_len \
	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_ulen
#define sadb_x_ereg_exttype \
	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_uexttype
#define sadb_x_ereg_satypes \
	sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_usatypes
} sadb_x_ereg_t;
/*
 * For conveying a Key Management Cookie with SADB_GETSPI, SADB_ADD,
 * SADB_ACQUIRE, or SADB_X_INVERSE_ACQUIRE.
 * NOTE(review): whether SADB_UPDATE may set or replace a cookie already
 * attached to an SA is decided by the kernel's message handler, not by
 * this layout -- confirm against the SADB_UPDATE implementation.
 */
typedef struct sadb_x_kmc {
	uint16_t sadb_x_kmc_len;
	uint16_t sadb_x_kmc_exttype;	/* X_KM_COOKIE */
	uint32_t sadb_x_kmc_proto;	/* KM protocol (SADB_X_KMP_*) */
	/*
	 * The 64-bit cookie overlays both the 32-bit cookie and the
	 * "must be zero" reserved word, so the two views are mutually
	 * exclusive; which one applies is presumably per-KMP -- confirm.
	 */
	union {
		struct {
			uint32_t sadb_x_kmc_ucookie;	/* KMP-specific */
			uint32_t sadb_x_kmc_ureserved;	/* Must be zero */
		} sadb_x_kmc_actual;
		uint64_t sadb_x_kmc_ucookie64;
	} sadb_x_kmc_u;
#define sadb_x_kmc_cookie sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ucookie
#define sadb_x_kmc_reserved sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ureserved
#define sadb_x_kmc_cookie64 sadb_x_kmc_u.sadb_x_kmc_ucookie64
} sadb_x_kmc_t;
/*
 * Pairing extension (SADB_X_EXT_PAIR): names the SPI of the SA paired
 * with this one (inbound/outbound pairing; see SADB_X_SAFLAGS_PAIRED).
 * The alignment member is named sadb_x_ext_alignment rather than
 * sadb_x_pair_alignment; it is only padding, and the name is kept as is
 * for source compatibility.
 */
typedef struct sadb_x_pair {
	union {
		/* Union is for guaranteeing 64-bit alignment. */
		struct {
			uint16_t sadb_x_pair_ulen;
			uint16_t sadb_x_pair_uexttype;
			uint32_t sadb_x_pair_uspi;	/* SPI of paired SA */
		} sadb_x_pair_actual;
		uint64_t sadb_x_ext_alignment;
	} sadb_x_pair_u;
#define sadb_x_pair_len sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_ulen
#define sadb_x_pair_exttype \
	sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_uexttype
#define sadb_x_pair_spi sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_uspi
} sadb_x_pair_t;
/*
 * For the Sequence numbers to be used with SADB_DUMP, SADB_GET, SADB_UPDATE.
 * (SADB_X_EXT_REPLAY_VALUE.)  Both counters are carried; which one is
 * meaningful depends on whether the SA uses 32-bit or 64-bit sequence
 * numbers.
 */
typedef struct sadb_x_replay_ctr {
	uint16_t sadb_x_rc_len;
	uint16_t sadb_x_rc_exttype;
	uint32_t sadb_x_rc_replay32;	/* For 240x SAs (32-bit sequence numbers). */
	uint64_t sadb_x_rc_replay64;	/* For 430x SAs (64-bit sequence numbers). */
} sadb_x_replay_ctr_t;
/*
 * For extended DUMP request. Dumps the SAs which were idle for
 * longer than the timeout specified.  (SADB_X_EXT_EDUMP.)
 */
typedef struct sadb_x_edump {
	uint16_t sadb_x_edump_len;
	uint16_t sadb_x_edump_exttype;
	uint32_t sadb_x_edump_reserved;
	uint64_t sadb_x_edump_timeout;	/* Idle threshold; units not stated here */
} sadb_x_edump_t;
/*
 * Base message types (sadb_msg_type).  SADB_* values follow RFC 2367;
 * SADB_X_* are this implementation's additions.  SADB_MAX must track the
 * highest defined type.
 */
#define SADB_RESERVED 0
#define SADB_GETSPI 1
#define SADB_UPDATE 2
#define SADB_ADD 3
#define SADB_DELETE 4
#define SADB_GET 5
#define SADB_ACQUIRE 6
#define SADB_REGISTER 7
#define SADB_EXPIRE 8
#define SADB_FLUSH 9
#define SADB_DUMP 10		/* not used normally */
#define SADB_X_PROMISC 11
#define SADB_X_INVERSE_ACQUIRE 12
#define SADB_X_UPDATEPAIR 13
#define SADB_X_DELPAIR 14
#define SADB_X_DELPAIR_STATE 15
#define SADB_MAX 15
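/*
 * SA flags (bits in sadb_sa_flags).  SADB_SAFLAGS_* are the RFC 2367
 * flags; SADB_X_SAFLAGS_* are this implementation's and are allocated
 * from the top bit downward.
 */
#define SADB_SAFLAGS_PFS 0x1		/* Perfect forward secrecy? */
#define SADB_SAFLAGS_NOREPLAY 0x2	/* Replay field NOT PRESENT. */

/* Below flags are used by this implementation. Grow from left-to-right. */
#define SADB_X_SAFLAGS_USED 0x80000000		/* SA used/not used */
#define SADB_X_SAFLAGS_UNIQUE 0x40000000	/* SA unique/reusable */
#define SADB_X_SAFLAGS_AALG1 0x20000000		/* Auth-alg specific flag 1 */
#define SADB_X_SAFLAGS_AALG2 0x10000000		/* Auth-alg specific flag 2 */
#define SADB_X_SAFLAGS_EALG1 0x8000000		/* Encr-alg specific flag 1 */
#define SADB_X_SAFLAGS_EALG2 0x4000000		/* Encr-alg specific flag 2 */
#define SADB_X_SAFLAGS_KM1 0x2000000		/* Key mgmt. specific flag 1 */
#define SADB_X_SAFLAGS_KM2 0x1000000		/* Key mgmt. specific flag 2 */
#define SADB_X_SAFLAGS_KM3 0x800000		/* Key mgmt. specific flag 3 */
#define SADB_X_SAFLAGS_KM4 0x400000		/* Key mgmt. specific flag 4 */
#define SADB_X_SAFLAGS_KRES1 0x200000		/* Reserved by the kernel */
#define SADB_X_SAFLAGS_NATT_LOC 0x100000	/* this has a natted src SA */
#define SADB_X_SAFLAGS_NATT_REM 0x80000		/* this has a natted dst SA */
#define SADB_X_SAFLAGS_KRES2 0x40000		/* Reserved by the kernel */
#define SADB_X_SAFLAGS_TUNNEL 0x20000		/* tunnel mode */
#define SADB_X_SAFLAGS_PAIRED 0x10000		/* inbound/outbound pair */
#define SADB_X_SAFLAGS_OUTBOUND 0x8000		/* SA direction bit */
#define SADB_X_SAFLAGS_INBOUND 0x4000		/* SA direction bit */
/* 0x2000 is currently unassigned. */
#define SADB_X_SAFLAGS_NATTED 0x1000		/* Local node is behind a NAT */

/*
 * Mask of the kernel-reserved bits.  The expansion is parenthesized so
 * that (flags & SADB_X_SAFLAGS_KRES) tests both bits; unparenthesized it
 * would parse as ((flags & KRES1) | KRES2), which is never zero.
 */
#define SADB_X_SAFLAGS_KRES \
	(SADB_X_SAFLAGS_KRES1 | SADB_X_SAFLAGS_KRES2)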
/*
 * SA state (sadb_sa_state).  SADB_SASTATE_* follow RFC 2367; the
 * SADB_X_SASTATE_* values are implementation additions.
 */
#define SADB_SASTATE_LARVAL 0
#define SADB_SASTATE_MATURE 1
#define SADB_SASTATE_DYING 2
#define SADB_SASTATE_DEAD 3
#define SADB_X_SASTATE_ACTIVE_ELSEWHERE 4
#define SADB_X_SASTATE_IDLE 5
#define SADB_X_SASTATE_ACTIVE 6

#define SADB_SASTATE_MAX 6
/*
 * SA type (sadb_msg_satype). Gaps are present in the number space because
 * (for the time being) these types correspond to the SA types in the IPsec
 * DOI document.
 */
#define SADB_SATYPE_UNSPEC 0
#define SADB_SATYPE_AH 2		/* RFC-1826 */
#define SADB_SATYPE_ESP 3		/* RFC-1827 */
#define SADB_SATYPE_RSVP 5		/* RSVP Authentication */
#define SADB_SATYPE_OSPFV2 6		/* OSPFv2 Authentication */
#define SADB_SATYPE_RIPV2 7		/* RIPv2 Authentication */
#define SADB_SATYPE_MIP 8		/* Mobile IPv4 Authentication */

#define SADB_SATYPE_MAX 8
/*
 * Algorithm types. Gaps are present because (for the time being) these types
 * correspond to the SA types in the IPsec DOI document.
 *
 * NOTE: These are numbered to play nice with the IPsec DOI. That's why
 * there are gaps.
 */

/* Authentication algorithms (sadb_sa_auth, sadb_comb_auth) */
#define SADB_AALG_NONE 0
#define SADB_AALG_MD5HMAC 2
#define SADB_AALG_SHA1HMAC 3
#define SADB_AALG_SHA256HMAC 5
#define SADB_AALG_SHA384HMAC 6
#define SADB_AALG_SHA512HMAC 7

#define SADB_AALG_MAX 7

/*
 * Encryption algorithms (sadb_sa_encrypt, sadb_comb_encrypt).
 * The _8/_12/_16 suffixes on the CCM and GCM entries denote the ICV
 * length in bytes.
 */
#define SADB_EALG_NONE 0
#define SADB_EALG_DESCBC 2
#define SADB_EALG_3DESCBC 3
#define SADB_EALG_BLOWFISH 7
#define SADB_EALG_NULL 11
#define SADB_EALG_AES 12
#define SADB_EALG_AES_CCM_8 14
#define SADB_EALG_AES_CCM_12 15
#define SADB_EALG_AES_CCM_16 16
#define SADB_EALG_AES_GCM_8 18
#define SADB_EALG_AES_GCM_12 19
#define SADB_EALG_AES_GCM_16 20
#define SADB_EALG_MAX 20
/*
 * Extension header values (sadb_ext_type).  SADB_EXT_* follow RFC 2367;
 * SADB_X_EXT_* are implementation additions.  SADB_EXT_MAX must track the
 * highest defined value.
 */
#define SADB_EXT_RESERVED 0

#define SADB_EXT_SA 1
#define SADB_EXT_LIFETIME_CURRENT 2
#define SADB_EXT_LIFETIME_HARD 3
#define SADB_EXT_LIFETIME_SOFT 4
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
/* These two are synonyms. */
#define SADB_EXT_ADDRESS_PROXY 7
#define SADB_X_EXT_ADDRESS_INNER_SRC SADB_EXT_ADDRESS_PROXY
#define SADB_EXT_KEY_AUTH 8
#define SADB_EXT_KEY_ENCRYPT 9
#define SADB_EXT_IDENTITY_SRC 10
#define SADB_EXT_IDENTITY_DST 11
#define SADB_EXT_SENSITIVITY 12
#define SADB_EXT_PROPOSAL 13
#define SADB_EXT_SUPPORTED_AUTH 14
#define SADB_EXT_SUPPORTED_ENCRYPT 15
#define SADB_EXT_SPIRANGE 16
#define SADB_X_EXT_EREG 17
#define SADB_X_EXT_EPROP 18
#define SADB_X_EXT_KM_COOKIE 19
#define SADB_X_EXT_ADDRESS_NATT_LOC 20
#define SADB_X_EXT_ADDRESS_NATT_REM 21
#define SADB_X_EXT_ADDRESS_INNER_DST 22
#define SADB_X_EXT_PAIR 23
#define SADB_X_EXT_REPLAY_VALUE 24
#define SADB_X_EXT_EDUMP 25
#define SADB_X_EXT_LIFETIME_IDLE 26
#define SADB_X_EXT_OUTER_SENS 27

#define SADB_EXT_MAX 27
/*
 * Identity types (sadb_ident_type).
 */
#define SADB_IDENTTYPE_RESERVED 0

/*
 * For PREFIX and ADDR_RANGE, use the AF of the PROXY if present, or the SRC
 * if not present.
 */
#define SADB_IDENTTYPE_PREFIX 1
#define SADB_IDENTTYPE_FQDN 2		/* Fully qualified domain name. */
#define SADB_IDENTTYPE_USER_FQDN 3	/* e.g. root@domain.com */
#define SADB_X_IDENTTYPE_DN 4		/* ASN.1 DER Distinguished Name. */
#define SADB_X_IDENTTYPE_GN 5		/* ASN.1 DER Generic Name. */
#define SADB_X_IDENTTYPE_KEY_ID 6	/* Generic KEY ID. */
#define SADB_X_IDENTTYPE_ADDR_RANGE 7

#define SADB_IDENTTYPE_MAX 7
/*
 * Protection DOI values for the SENSITIVITY extension (sadb_sens_dpd).
 * There are no values currently, so the MAX is the only non-zero value
 * available.
 */
#define SADB_DPD_NONE 0

#define SADB_DPD_MAX 1
/*
 * Diagnostic codes. These supplement error messages. Be sure to
 * update libipsecutil's keysock_diag() if you change any of these.
 * They are returned in sadb_x_msg_diagnostic; SADB_X_DIAGNOSTIC_MAX must
 * track the highest defined code.
 */
#define SADB_X_DIAGNOSTIC_PRESET -1	/* Internal value; not a wire code. */

#define SADB_X_DIAGNOSTIC_NONE 0

#define SADB_X_DIAGNOSTIC_UNKNOWN_MSG 1
#define SADB_X_DIAGNOSTIC_UNKNOWN_EXT 2
#define SADB_X_DIAGNOSTIC_BAD_EXTLEN 3
#define SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE 4
#define SADB_X_DIAGNOSTIC_SATYPE_NEEDED 5
#define SADB_X_DIAGNOSTIC_NO_SADBS 6
#define SADB_X_DIAGNOSTIC_NO_EXT 7
/* Bad address family value */
#define SADB_X_DIAGNOSTIC_BAD_SRC_AF 8
/* in sockaddr->sa_family. */
#define SADB_X_DIAGNOSTIC_BAD_DST_AF 9
/* These two are synonyms. */
#define SADB_X_DIAGNOSTIC_BAD_PROXY_AF 10
#define SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF 10

#define SADB_X_DIAGNOSTIC_AF_MISMATCH 11

#define SADB_X_DIAGNOSTIC_BAD_SRC 12
#define SADB_X_DIAGNOSTIC_BAD_DST 13

/* HSERR: hard/soft lifetime inconsistency (presumably hard < soft). */
#define SADB_X_DIAGNOSTIC_ALLOC_HSERR 14
#define SADB_X_DIAGNOSTIC_BYTES_HSERR 15
#define SADB_X_DIAGNOSTIC_ADDTIME_HSERR 16
#define SADB_X_DIAGNOSTIC_USETIME_HSERR 17

/* A required extension was absent. */
#define SADB_X_DIAGNOSTIC_MISSING_SRC 18
#define SADB_X_DIAGNOSTIC_MISSING_DST 19
#define SADB_X_DIAGNOSTIC_MISSING_SA 20
#define SADB_X_DIAGNOSTIC_MISSING_EKEY 21
#define SADB_X_DIAGNOSTIC_MISSING_AKEY 22
#define SADB_X_DIAGNOSTIC_MISSING_RANGE 23

/* An extension appeared more than once. */
#define SADB_X_DIAGNOSTIC_DUPLICATE_SRC 24
#define SADB_X_DIAGNOSTIC_DUPLICATE_DST 25
#define SADB_X_DIAGNOSTIC_DUPLICATE_SA 26
#define SADB_X_DIAGNOSTIC_DUPLICATE_EKEY 27
#define SADB_X_DIAGNOSTIC_DUPLICATE_AKEY 28
#define SADB_X_DIAGNOSTIC_DUPLICATE_RANGE 29

/* An extension's length or contents failed validation. */
#define SADB_X_DIAGNOSTIC_MALFORMED_SRC 30
#define SADB_X_DIAGNOSTIC_MALFORMED_DST 31
#define SADB_X_DIAGNOSTIC_MALFORMED_SA 32
#define SADB_X_DIAGNOSTIC_MALFORMED_EKEY 33
#define SADB_X_DIAGNOSTIC_MALFORMED_AKEY 34
#define SADB_X_DIAGNOSTIC_MALFORMED_RANGE 35

/* An extension was present where the message type does not allow it. */
#define SADB_X_DIAGNOSTIC_AKEY_PRESENT 36
#define SADB_X_DIAGNOSTIC_EKEY_PRESENT 37
#define SADB_X_DIAGNOSTIC_PROP_PRESENT 38
#define SADB_X_DIAGNOSTIC_SUPP_PRESENT 39

#define SADB_X_DIAGNOSTIC_BAD_AALG 40
#define SADB_X_DIAGNOSTIC_BAD_EALG 41
#define SADB_X_DIAGNOSTIC_BAD_SAFLAGS 42
#define SADB_X_DIAGNOSTIC_BAD_SASTATE 43

#define SADB_X_DIAGNOSTIC_BAD_AKEYBITS 44
#define SADB_X_DIAGNOSTIC_BAD_EKEYBITS 45

#define SADB_X_DIAGNOSTIC_ENCR_NOTSUPP 46

#define SADB_X_DIAGNOSTIC_WEAK_EKEY 47
#define SADB_X_DIAGNOSTIC_WEAK_AKEY 48

#define SADB_X_DIAGNOSTIC_DUPLICATE_KMP 49
#define SADB_X_DIAGNOSTIC_DUPLICATE_KMC 50

#define SADB_X_DIAGNOSTIC_MISSING_NATT_LOC 51
#define SADB_X_DIAGNOSTIC_MISSING_NATT_REM 52
#define SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC 53
#define SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM 54
#define SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC 55
#define SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM 56
#define SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS 57

#define SADB_X_DIAGNOSTIC_MISSING_INNER_SRC 58
#define SADB_X_DIAGNOSTIC_MISSING_INNER_DST 59
#define SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC 60
#define SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST 61
#define SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC 62
#define SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST 63

#define SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC 64
#define SADB_X_DIAGNOSTIC_PREFIX_INNER_DST 65
#define SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF 66
#define SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH 67

#define SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF 68
#define SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF 69

#define SADB_X_DIAGNOSTIC_PROTO_MISMATCH 70
#define SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH 71

#define SADB_X_DIAGNOSTIC_DUAL_PORT_SETS 72

#define SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE 73
#define SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH 74
#define SADB_X_DIAGNOSTIC_PAIR_ALREADY 75
#define SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND 76
#define SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION 77

#define SADB_X_DIAGNOSTIC_SA_NOTFOUND 78
#define SADB_X_DIAGNOSTIC_SA_EXPIRED 79
#define SADB_X_DIAGNOSTIC_BAD_CTX 80
#define SADB_X_DIAGNOSTIC_INVALID_REPLAY 81
#define SADB_X_DIAGNOSTIC_MISSING_LIFETIME 82

#define SADB_X_DIAGNOSTIC_BAD_LABEL 83
#define SADB_X_DIAGNOSTIC_MAX 83
/* Algorithm type for sadb_x_algdesc above (sadb_x_algdesc_algtype). */

#define SADB_X_ALGTYPE_NONE 0
#define SADB_X_ALGTYPE_AUTH 1
#define SADB_X_ALGTYPE_CRYPT 2
#define SADB_X_ALGTYPE_COMPRESS 3

#define SADB_X_ALGTYPE_MAX 3
/* Key management protocol for sadb_x_kmc above (sadb_x_kmc_proto). */

#define SADB_X_KMP_MANUAL 0	/* Cookie is ignored. */
#define SADB_X_KMP_IKE 1
#define SADB_X_KMP_KINK 2
#define SADB_X_KMP_IKEV2 3

#define SADB_X_KMP_MAX SADB_X_KMP_IKEV2	/* Keep equal to the last entry. */
/*
 * Handy conversion macros. Not part of the PF_KEY spec...
 * 64TO8 / 8TO64 convert between 64-bit words and bytes; 8TO1 / 1TO8
 * convert between bytes and bits.  The right shifts truncate, and the
 * macros are intended for the unsigned length fields of this file.
 */
#define SADB_64TO8(x) ((x) << 3)
#define SADB_8TO64(x) ((x) >> 3)
#define SADB_8TO1(x) ((x) << 3)
#define SADB_1TO8(x) ((x) >> 3)
857 #ifdef __cplusplus
859 #endif
861 #endif /* _NET_PFKEYV2_H */