4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
26 #ifndef _NET_PFKEYV2_H
27 #define _NET_PFKEYV2_H
30 * Definitions and structures for PF_KEY version 2. See RFC 2367 for
31 * more details. SA == Security Association, which is what PF_KEY provides
32 * an API for managing.
40 #define PFKEYV2_REVISION 200109L
43 * Base PF_KEY message.
46 typedef struct sadb_msg
{
47 uint8_t sadb_msg_version
; /* Version, currently PF_KEY_V2 */
48 uint8_t sadb_msg_type
; /* ADD, UPDATE, etc. */
49 uint8_t sadb_msg_errno
; /* Error number from UNIX errno space */
50 uint8_t sadb_msg_satype
; /* ESP, AH, etc. */
51 uint16_t sadb_msg_len
; /* Length in 64-bit words. */
52 uint16_t sadb_msg_reserved
; /* must be zero */
54 * Use the reserved field for extended diagnostic information on errno
57 #define sadb_x_msg_diagnostic sadb_msg_reserved
58 /* Union is for guaranteeing 64-bit alignment. */
61 uint32_t sadb_x_msg_useq
; /* Set by originator */
62 uint32_t sadb_x_msg_upid
; /* Set by originator */
64 uint64_t sadb_x_msg_alignment
;
66 #define sadb_msg_seq sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_useq
67 #define sadb_msg_pid sadb_x_msg_u.sadb_x_msg_actual.sadb_x_msg_upid
71 * Generic extension header.
74 typedef struct sadb_ext
{
76 /* Union is for guaranteeing 64-bit alignment. */
78 uint16_t sadb_x_ext_ulen
; /* In 64s, inclusive */
79 uint16_t sadb_x_ext_utype
; /* 0 is reserved */
81 uint64_t sadb_x_ext_alignment
;
83 #define sadb_ext_len sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_ulen
84 #define sadb_ext_type sadb_x_ext_u.sadb_x_ext_actual.sadb_x_ext_utype
88 * Security Association information extension.
91 typedef struct sadb_sa
{
92 /* Union is for guaranteeing 64-bit alignment. */
95 uint16_t sadb_x_sa_ulen
;
96 uint16_t sadb_x_sa_uexttype
; /* ASSOCIATION */
97 uint32_t sadb_x_sa_uspi
; /* Sec. Param. Index */
99 uint64_t sadb_x_sa_alignment
;
101 #define sadb_sa_len sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_ulen
102 #define sadb_sa_exttype sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uexttype
103 #define sadb_sa_spi sadb_x_sa_u.sadb_x_sa_uactual.sadb_x_sa_uspi
104 uint8_t sadb_sa_replay
; /* Replay counter */
105 uint8_t sadb_sa_state
; /* MATURE, DEAD, DYING, LARVAL */
106 uint8_t sadb_sa_auth
; /* Authentication algorithm */
107 uint8_t sadb_sa_encrypt
; /* Encryption algorithm */
108 uint32_t sadb_sa_flags
; /* SA flags. */
112 * SA Lifetime extension. Already 64-bit aligned thanks to uint64_t fields.
115 typedef struct sadb_lifetime
{
116 uint16_t sadb_lifetime_len
;
117 uint16_t sadb_lifetime_exttype
; /* SOFT, HARD, CURRENT */
118 uint32_t sadb_lifetime_allocations
;
119 uint64_t sadb_lifetime_bytes
;
120 uint64_t sadb_lifetime_addtime
; /* These fields are assumed to hold */
121 uint64_t sadb_lifetime_usetime
; /* >= sizeof (time_t). */
125 * SA address information.
128 typedef struct sadb_address
{
129 /* Union is for guaranteeing 64-bit alignment. */
132 uint16_t sadb_x_address_ulen
;
133 uint16_t sadb_x_address_uexttype
; /* SRC, DST, PROXY */
134 uint8_t sadb_x_address_uproto
; /* Proto for ports... */
135 uint8_t sadb_x_address_uprefixlen
; /* Prefix length. */
136 uint16_t sadb_x_address_ureserved
; /* Padding */
137 } sadb_x_address_actual
;
138 uint64_t sadb_x_address_alignment
;
140 #define sadb_address_len \
141 sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ulen
142 #define sadb_address_exttype \
143 sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uexttype
144 #define sadb_address_proto \
145 sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uproto
146 #define sadb_address_prefixlen \
147 sadb_x_address_u.sadb_x_address_actual.sadb_x_address_uprefixlen
148 #define sadb_address_reserved \
149 sadb_x_address_u.sadb_x_address_actual.sadb_x_address_ureserved
150 /* Followed by a sockaddr structure which may contain ports. */
154 * SA key information.
157 typedef struct sadb_key
{
158 /* Union is for guaranteeing 64-bit alignment. */
161 uint16_t sadb_x_key_ulen
;
162 uint16_t sadb_x_key_uexttype
; /* AUTH, ENCRYPT */
163 uint16_t sadb_x_key_ubits
; /* Actual len (bits) */
164 uint16_t sadb_x_key_ureserved
;
166 uint64_t sadb_x_key_alignment
;
168 #define sadb_key_len sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ulen
169 #define sadb_key_exttype sadb_x_key_u.sadb_x_key_actual.sadb_x_key_uexttype
170 #define sadb_key_bits sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ubits
171 #define sadb_key_reserved sadb_x_key_u.sadb_x_key_actual.sadb_x_key_ureserved
172 /* Followed by actual key(s) in canonical (outbound proc.) order. */
176 * SA Identity information. Already 64-bit aligned thanks to uint64_t fields.
179 typedef struct sadb_ident
{
180 uint16_t sadb_ident_len
;
181 uint16_t sadb_ident_exttype
; /* SRC, DST, PROXY */
182 uint16_t sadb_ident_type
; /* FQDN, USER_FQDN, etc. */
183 uint16_t sadb_ident_reserved
; /* Padding */
184 uint64_t sadb_ident_id
; /* For userid, etc. */
185 /* Followed by an identity null-terminate C string if present. */
189 * a proposal extension. This is found in an ACQUIRE message, and it
190 * proposes what sort of SA the kernel would like to ACQUIRE.
193 /* First, a base structure... */
195 typedef struct sadb_x_propbase
{
196 uint16_t sadb_x_propb_len
;
197 uint16_t sadb_x_propb_exttype
; /* PROPOSAL, X_EPROP */
200 uint8_t sadb_x_propb_lenres_replay
;
201 uint8_t sadb_x_propb_lenres_eres
;
202 uint16_t sadb_x_propb_lenres_numecombs
;
203 } sadb_x_propb_lenres
;
205 uint8_t sadb_x_propb_oldres_replay
;
206 uint8_t sadb_x_propb_oldres_reserved
[3];
207 } sadb_x_propb_oldres
;
209 #define sadb_x_propb_replay \
210 sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_replay
211 #define sadb_x_propb_reserved \
212 sadb_x_propb_u.sadb_x_propb_oldres.sadb_x_propb_oldres_reserved
213 #define sadb_x_propb_ereserved \
214 sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_eres
215 #define sadb_x_propb_numecombs \
216 sadb_x_propb_u.sadb_x_propb_lenres.sadb_x_propb_lenres_numecombs
217 /* Followed by sadb_comb[] array or sadb_ecomb[] array. */
220 /* Now, the actual sadb_prop structure, which will have alignment in it! */
222 typedef struct sadb_prop
{
223 /* Union is for guaranteeing 64-bit alignment. */
225 sadb_x_propbase_t sadb_x_prop_actual
;
226 uint64_t sadb_x_prop_alignment
;
228 #define sadb_prop_len sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_len
229 #define sadb_prop_exttype sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_exttype
230 #define sadb_prop_replay sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_replay
231 #define sadb_prop_reserved \
232 sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_reserved
233 #define sadb_x_prop_ereserved \
234 sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_ereserved
235 #define sadb_x_prop_numecombs \
236 sadb_x_prop_u.sadb_x_prop_actual.sadb_x_propb_numecombs
240 * This is a proposed combination. Many of these can follow a proposal
241 * extension. Already 64-bit aligned thanks to uint64_t fields.
244 typedef struct sadb_comb
{
245 uint8_t sadb_comb_auth
; /* Authentication algorithm */
246 uint8_t sadb_comb_encrypt
; /* Encryption algorithm */
247 uint16_t sadb_comb_flags
; /* Comb. flags (e.g. PFS) */
248 uint16_t sadb_comb_auth_minbits
; /* Bit strengths for auth */
249 uint16_t sadb_comb_auth_maxbits
;
250 uint16_t sadb_comb_encrypt_minbits
; /* Bit strengths for encrypt */
251 uint16_t sadb_comb_encrypt_maxbits
;
252 uint32_t sadb_comb_reserved
;
253 uint32_t sadb_comb_soft_allocations
; /* Lifetime proposals for */
254 uint32_t sadb_comb_hard_allocations
; /* this combination. */
255 uint64_t sadb_comb_soft_bytes
;
256 uint64_t sadb_comb_hard_bytes
;
257 uint64_t sadb_comb_soft_addtime
;
258 uint64_t sadb_comb_hard_addtime
;
259 uint64_t sadb_comb_soft_usetime
;
260 uint64_t sadb_comb_hard_usetime
;
264 * An extended combination that can comprise of many SA types.
265 * A single combination has algorithms and SA types locked.
266 * These are represented by algorithm descriptors, the second structure
267 * in the list. For example, if the EACQUIRE requests AH(MD5) + ESP(DES/null)
268 * _or_ ESP(DES/MD5), it would have two combinations:
270 * COMB: algdes(AH, AUTH, MD5), algdes(ESP, CRYPT, DES)
271 * COMB: algdes(ESP, AUTH, MD5), algdes(ESP, CRYPT, DES)
273 * If an SA type supports an algorithm type, and there's no descriptor,
274 * assume it requires NONE, just like it were explicitly stated.
275 * (This includes ESP NULL encryption, BTW.)
277 * Already 64-bit aligned thanks to uint64_t fields.
280 typedef struct sadb_x_ecomb
{
281 uint8_t sadb_x_ecomb_numalgs
;
282 uint8_t sadb_x_ecomb_reserved
;
283 uint16_t sadb_x_ecomb_flags
; /* E.g. PFS? */
284 uint32_t sadb_x_ecomb_reserved2
;
285 uint32_t sadb_x_ecomb_soft_allocations
;
286 uint32_t sadb_x_ecomb_hard_allocations
;
287 uint64_t sadb_x_ecomb_soft_bytes
;
288 uint64_t sadb_x_ecomb_hard_bytes
;
289 uint64_t sadb_x_ecomb_soft_addtime
;
290 uint64_t sadb_x_ecomb_hard_addtime
;
291 uint64_t sadb_x_ecomb_soft_usetime
;
292 uint64_t sadb_x_ecomb_hard_usetime
;
295 typedef struct sadb_x_algdesc
{
296 /* Union is for guaranteeing 64-bit alignment. */
299 uint8_t sadb_x_algdesc_usatype
; /* ESP, AH, etc. */
300 uint8_t sadb_x_algdesc_ualgtype
; /* AUTH, CRYPT, COMP */
301 uint8_t sadb_x_algdesc_ualg
; /* 3DES, MD5, etc. */
302 uint8_t sadb_x_algdesc_ureserved
;
303 uint16_t sadb_x_algdesc_uminbits
; /* Bit strengths. */
304 uint16_t sadb_x_algdesc_umaxbits
;
305 } sadb_x_algdesc_actual
;
306 uint64_t sadb_x_algdesc_alignment
;
308 #define sadb_x_algdesc_satype \
309 sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_usatype
310 #define sadb_x_algdesc_algtype \
311 sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualgtype
312 #define sadb_x_algdesc_alg \
313 sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ualg
314 #define sadb_x_algdesc_reserved \
315 sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_ureserved
316 #define sadb_x_algdesc_minbits \
317 sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_uminbits
318 #define sadb_x_algdesc_maxbits \
319 sadb_x_algdesc_u.sadb_x_algdesc_actual.sadb_x_algdesc_umaxbits
323 * When key mgmt. registers with the kernel, the kernel will tell key mgmt.
324 * its supported algorithms.
327 typedef struct sadb_supported
{
328 /* Union is for guaranteeing 64-bit alignment. */
331 uint16_t sadb_x_supported_ulen
;
332 uint16_t sadb_x_supported_uexttype
;
333 uint32_t sadb_x_supported_ureserved
;
334 } sadb_x_supported_actual
;
335 uint64_t sadb_x_supported_alignment
;
336 } sadb_x_supported_u
;
337 #define sadb_supported_len \
338 sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ulen
339 #define sadb_supported_exttype \
340 sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_uexttype
341 #define sadb_supported_reserved \
342 sadb_x_supported_u.sadb_x_supported_actual.sadb_x_supported_ureserved
345 /* First, a base structure... */
346 typedef struct sadb_x_algb
{
347 uint8_t sadb_x_algb_id
; /* Algorithm type. */
348 uint8_t sadb_x_algb_ivlen
; /* IV len, in bits */
349 uint16_t sadb_x_algb_minbits
; /* Min. key len (in bits) */
350 uint16_t sadb_x_algb_maxbits
; /* Max. key length */
352 uint16_t sadb_x_algb_ureserved
;
353 uint8_t sadb_x_algb_udefaults
[2];
356 #define sadb_x_algb_reserved sadb_x_algb_union.sadb_x_algb_ureserved
357 #define sadb_x_algb_increment sadb_x_algb_union.sadb_x_algb_udefaults[0]
358 #define sadb_x_algb_saltbits sadb_x_algb_union.sadb_x_algb_udefaults[1]
360 * alg_increment: the number of bits from a key length to the next
364 /* Now, the actual sadb_alg structure, which will have alignment in it. */
365 typedef struct sadb_alg
{
366 /* Union is for guaranteeing 64-bit alignment. */
368 sadb_x_algb_t sadb_x_alg_actual
;
369 uint64_t sadb_x_alg_alignment
;
371 #define sadb_alg_id sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_id
372 #define sadb_alg_ivlen sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_ivlen
373 #define sadb_alg_minbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_minbits
374 #define sadb_alg_maxbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_maxbits
375 #define sadb_alg_reserved sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_reserved
376 #define sadb_x_alg_increment \
377 sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_increment
378 #define sadb_x_alg_saltbits sadb_x_alg_u.sadb_x_alg_actual.sadb_x_algb_saltbits
382 * If key mgmt. needs an SPI in a range (including 0 to 0xFFFFFFFF), it
383 * asks the kernel with this extension in the SADB_GETSPI message.
386 typedef struct sadb_spirange
{
387 uint16_t sadb_spirange_len
;
388 uint16_t sadb_spirange_exttype
; /* SPI_RANGE */
389 uint32_t sadb_spirange_min
;
390 /* Union is for guaranteeing 64-bit alignment. */
393 uint32_t sadb_x_spirange_umax
;
394 uint32_t sadb_x_spirange_ureserved
;
395 } sadb_x_spirange_actual
;
396 uint64_t sadb_x_spirange_alignment
;
398 #define sadb_spirange_max \
399 sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_umax
400 #define sadb_spirange_reserved \
401 sadb_x_spirange_u.sadb_x_spirange_actual.sadb_x_spirange_ureserved
405 * For the "extended REGISTER" which'll tell the kernel to send me
406 * "extended ACQUIREs".
409 typedef struct sadb_x_ereg
{
410 /* Union is for guaranteeing 64-bit alignment. */
413 uint16_t sadb_x_ereg_ulen
;
414 uint16_t sadb_x_ereg_uexttype
; /* X_EREG */
415 /* Array of SA types, 0-terminated. */
416 uint8_t sadb_x_ereg_usatypes
[4];
417 } sadb_x_ereg_actual
;
418 uint64_t sadb_x_ereg_alignment
;
420 #define sadb_x_ereg_len \
421 sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_ulen
422 #define sadb_x_ereg_exttype \
423 sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_uexttype
424 #define sadb_x_ereg_satypes \
425 sadb_x_ereg_u.sadb_x_ereg_actual.sadb_x_ereg_usatypes
429 * For conveying a Key Management Cookie with SADB_GETSPI, SADB_ADD,
430 * SADB_ACQUIRE, or SADB_X_INVERSE_ACQUIRE.
433 typedef struct sadb_x_kmc
{
434 uint16_t sadb_x_kmc_len
;
435 uint16_t sadb_x_kmc_exttype
; /* X_KM_COOKIE */
436 uint32_t sadb_x_kmc_proto
; /* KM protocol */
439 uint32_t sadb_x_kmc_ucookie
; /* KMP-specific */
440 uint32_t sadb_x_kmc_ureserved
; /* Must be zero */
442 uint64_t sadb_x_kmc_alignment
;
444 #define sadb_x_kmc_cookie sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ucookie
445 #define sadb_x_kmc_reserved sadb_x_kmc_u.sadb_x_kmc_actual.sadb_x_kmc_ureserved
448 typedef struct sadb_x_pair
{
450 /* Union is for guaranteeing 64-bit alignment. */
452 uint16_t sadb_x_pair_ulen
;
453 uint16_t sadb_x_pair_uexttype
;
454 uint32_t sadb_x_pair_uspi
; /* SPI of paired SA */
455 } sadb_x_pair_actual
;
456 uint64_t sadb_x_ext_alignment
;
458 #define sadb_x_pair_len sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_ulen
459 #define sadb_x_pair_exttype \
460 sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_uexttype
461 #define sadb_x_pair_spi sadb_x_pair_u.sadb_x_pair_actual.sadb_x_pair_uspi
465 * For the Sequence numbers to be used with SADB_DUMP, SADB_GET, SADB_UPDATE.
468 typedef struct sadb_x_replay_ctr
{
469 uint16_t sadb_x_rc_len
;
470 uint16_t sadb_x_rc_exttype
;
471 uint32_t sadb_x_rc_replay32
; /* For 240x SAs. */
472 uint64_t sadb_x_rc_replay64
; /* For 430x SAs. */
473 } sadb_x_replay_ctr_t
;
476 * For extended DUMP request. Dumps the SAs which were idle for
477 * longer than the timeout specified.
480 typedef struct sadb_x_edump
{
481 uint16_t sadb_x_edump_len
;
482 uint16_t sadb_x_edump_exttype
;
483 uint32_t sadb_x_edump_reserved
;
484 uint64_t sadb_x_edump_timeout
;
488 * Base message types.
491 #define SADB_RESERVED 0
492 #define SADB_GETSPI 1
493 #define SADB_UPDATE 2
495 #define SADB_DELETE 4
497 #define SADB_ACQUIRE 6
498 #define SADB_REGISTER 7
499 #define SADB_EXPIRE 8
501 #define SADB_DUMP 10 /* not used normally */
502 #define SADB_X_PROMISC 11
503 #define SADB_X_INVERSE_ACQUIRE 12
504 #define SADB_X_UPDATEPAIR 13
505 #define SADB_X_DELPAIR 14
506 #define SADB_X_DELPAIR_STATE 15
513 #define SADB_SAFLAGS_PFS 0x1 /* Perfect forward secrecy? */
514 #define SADB_SAFLAGS_NOREPLAY 0x2 /* Replay field NOT PRESENT. */
516 /* Below flags are used by this implementation. Grow from left-to-right. */
517 #define SADB_X_SAFLAGS_USED 0x80000000 /* SA used/not used */
518 #define SADB_X_SAFLAGS_UNIQUE 0x40000000 /* SA unique/reusable */
519 #define SADB_X_SAFLAGS_AALG1 0x20000000 /* Auth-alg specific flag 1 */
520 #define SADB_X_SAFLAGS_AALG2 0x10000000 /* Auth-alg specific flag 2 */
521 #define SADB_X_SAFLAGS_EALG1 0x8000000 /* Encr-alg specific flag 1 */
522 #define SADB_X_SAFLAGS_EALG2 0x4000000 /* Encr-alg specific flag 2 */
523 #define SADB_X_SAFLAGS_KM1 0x2000000 /* Key mgmt. specific flag 1 */
524 #define SADB_X_SAFLAGS_KM2 0x1000000 /* Key mgmt. specific flag 2 */
525 #define SADB_X_SAFLAGS_KM3 0x800000 /* Key mgmt. specific flag 3 */
526 #define SADB_X_SAFLAGS_KM4 0x400000 /* Key mgmt. specific flag 4 */
527 #define SADB_X_SAFLAGS_KRES1 0x200000 /* Reserved by the kernel */
528 #define SADB_X_SAFLAGS_NATT_LOC 0x100000 /* this has a natted src SA */
529 #define SADB_X_SAFLAGS_NATT_REM 0x80000 /* this has a natted dst SA */
530 #define SADB_X_SAFLAGS_KRES2 0x40000 /* Reserved by the kernel */
531 #define SADB_X_SAFLAGS_TUNNEL 0x20000 /* tunnel mode */
532 #define SADB_X_SAFLAGS_PAIRED 0x10000 /* inbound/outbound pair */
533 #define SADB_X_SAFLAGS_OUTBOUND 0x8000 /* SA direction bit */
534 #define SADB_X_SAFLAGS_INBOUND 0x4000 /* SA direction bit */
535 #define SADB_X_SAFLAGS_NATTED 0x1000 /* Local node is behind a NAT */
537 #define SADB_X_SAFLAGS_KRES \
538 SADB_X_SAFLAGS_KRES1 | SADB_X_SAFLAGS_KRES2
544 #define SADB_SASTATE_LARVAL 0
545 #define SADB_SASTATE_MATURE 1
546 #define SADB_SASTATE_DYING 2
547 #define SADB_SASTATE_DEAD 3
548 #define SADB_X_SASTATE_ACTIVE_ELSEWHERE 4
549 #define SADB_X_SASTATE_IDLE 5
550 #define SADB_X_SASTATE_ACTIVE 6
552 #define SADB_SASTATE_MAX 6
555 * SA type. Gaps are present in the number space because (for the time being)
556 * these types correspond to the SA types in the IPsec DOI document.
559 #define SADB_SATYPE_UNSPEC 0
560 #define SADB_SATYPE_AH 2 /* RFC-1826 */
561 #define SADB_SATYPE_ESP 3 /* RFC-1827 */
562 #define SADB_SATYPE_RSVP 5 /* RSVP Authentication */
563 #define SADB_SATYPE_OSPFV2 6 /* OSPFv2 Authentication */
564 #define SADB_SATYPE_RIPV2 7 /* RIPv2 Authentication */
565 #define SADB_SATYPE_MIP 8 /* Mobile IPv4 Authentication */
567 #define SADB_SATYPE_MAX 8
570 * Algorithm types. Gaps are present because (for the time being) these types
571 * correspond to the SA types in the IPsec DOI document.
573 * NOTE: These are numbered to play nice with the IPsec DOI. That's why
577 /* Authentication algorithms */
578 #define SADB_AALG_NONE 0
579 #define SADB_AALG_MD5HMAC 2
580 #define SADB_AALG_SHA1HMAC 3
581 #define SADB_AALG_SHA256HMAC 5
582 #define SADB_AALG_SHA384HMAC 6
583 #define SADB_AALG_SHA512HMAC 7
585 #define SADB_AALG_MAX 7
587 /* Encryption algorithms */
588 #define SADB_EALG_NONE 0
589 #define SADB_EALG_DESCBC 2
590 #define SADB_EALG_3DESCBC 3
591 #define SADB_EALG_BLOWFISH 7
592 #define SADB_EALG_NULL 11
593 #define SADB_EALG_AES 12
594 #define SADB_EALG_AES_CCM_8 14
595 #define SADB_EALG_AES_CCM_12 15
596 #define SADB_EALG_AES_CCM_16 16
597 #define SADB_EALG_AES_GCM_8 18
598 #define SADB_EALG_AES_GCM_12 19
599 #define SADB_EALG_AES_GCM_16 20
600 #define SADB_EALG_MAX 20
603 * Extension header values.
606 #define SADB_EXT_RESERVED 0
608 #define SADB_EXT_SA 1
609 #define SADB_EXT_LIFETIME_CURRENT 2
610 #define SADB_EXT_LIFETIME_HARD 3
611 #define SADB_EXT_LIFETIME_SOFT 4
612 #define SADB_EXT_ADDRESS_SRC 5
613 #define SADB_EXT_ADDRESS_DST 6
614 /* These two are synonyms. */
615 #define SADB_EXT_ADDRESS_PROXY 7
616 #define SADB_X_EXT_ADDRESS_INNER_SRC SADB_EXT_ADDRESS_PROXY
617 #define SADB_EXT_KEY_AUTH 8
618 #define SADB_EXT_KEY_ENCRYPT 9
619 #define SADB_EXT_IDENTITY_SRC 10
620 #define SADB_EXT_IDENTITY_DST 11
621 #define SADB_EXT_SENSITIVITY 12
622 #define SADB_EXT_PROPOSAL 13
623 #define SADB_EXT_SUPPORTED_AUTH 14
624 #define SADB_EXT_SUPPORTED_ENCRYPT 15
625 #define SADB_EXT_SPIRANGE 16
626 #define SADB_X_EXT_EREG 17
627 #define SADB_X_EXT_EPROP 18
628 #define SADB_X_EXT_KM_COOKIE 19
629 #define SADB_X_EXT_ADDRESS_NATT_LOC 20
630 #define SADB_X_EXT_ADDRESS_NATT_REM 21
631 #define SADB_X_EXT_ADDRESS_INNER_DST 22
632 #define SADB_X_EXT_PAIR 23
633 #define SADB_X_EXT_REPLAY_VALUE 24
634 #define SADB_X_EXT_EDUMP 25
635 #define SADB_X_EXT_LIFETIME_IDLE 26
636 #define SADB_X_EXT_OUTER_SENS 27
638 #define SADB_EXT_MAX 27
644 #define SADB_IDENTTYPE_RESERVED 0
647 * For PREFIX and ADDR_RANGE, use the AF of the PROXY if present, or the SRC
650 #define SADB_IDENTTYPE_PREFIX 1
651 #define SADB_IDENTTYPE_FQDN 2 /* Fully qualified domain name. */
652 #define SADB_IDENTTYPE_USER_FQDN 3 /* e.g. root@domain.com */
653 #define SADB_X_IDENTTYPE_DN 4 /* ASN.1 DER Distinguished Name. */
654 #define SADB_X_IDENTTYPE_GN 5 /* ASN.1 DER Generic Name. */
655 #define SADB_X_IDENTTYPE_KEY_ID 6 /* Generic KEY ID. */
656 #define SADB_X_IDENTTYPE_ADDR_RANGE 7
658 #define SADB_IDENTTYPE_MAX 7
661 * Protection DOI values for the SENSITIVITY extension. There are no values
662 * currently, so the MAX is the only non-zero value available.
665 #define SADB_DPD_NONE 0
667 #define SADB_DPD_MAX 1
670 * Diagnostic codes. These supplement error messages. Be sure to
671 * update libipsecutil's keysock_diag() if you change any of these.
674 #define SADB_X_DIAGNOSTIC_PRESET -1 /* Internal value. */
676 #define SADB_X_DIAGNOSTIC_NONE 0
678 #define SADB_X_DIAGNOSTIC_UNKNOWN_MSG 1
679 #define SADB_X_DIAGNOSTIC_UNKNOWN_EXT 2
680 #define SADB_X_DIAGNOSTIC_BAD_EXTLEN 3
681 #define SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE 4
682 #define SADB_X_DIAGNOSTIC_SATYPE_NEEDED 5
683 #define SADB_X_DIAGNOSTIC_NO_SADBS 6
684 #define SADB_X_DIAGNOSTIC_NO_EXT 7
685 /* Bad address family value */
686 #define SADB_X_DIAGNOSTIC_BAD_SRC_AF 8
687 /* in sockaddr->sa_family. */
688 #define SADB_X_DIAGNOSTIC_BAD_DST_AF 9
689 /* These two are synonyms. */
690 #define SADB_X_DIAGNOSTIC_BAD_PROXY_AF 10
691 #define SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF 10
693 #define SADB_X_DIAGNOSTIC_AF_MISMATCH 11
695 #define SADB_X_DIAGNOSTIC_BAD_SRC 12
696 #define SADB_X_DIAGNOSTIC_BAD_DST 13
698 #define SADB_X_DIAGNOSTIC_ALLOC_HSERR 14
699 #define SADB_X_DIAGNOSTIC_BYTES_HSERR 15
700 #define SADB_X_DIAGNOSTIC_ADDTIME_HSERR 16
701 #define SADB_X_DIAGNOSTIC_USETIME_HSERR 17
703 #define SADB_X_DIAGNOSTIC_MISSING_SRC 18
704 #define SADB_X_DIAGNOSTIC_MISSING_DST 19
705 #define SADB_X_DIAGNOSTIC_MISSING_SA 20
706 #define SADB_X_DIAGNOSTIC_MISSING_EKEY 21
707 #define SADB_X_DIAGNOSTIC_MISSING_AKEY 22
708 #define SADB_X_DIAGNOSTIC_MISSING_RANGE 23
710 #define SADB_X_DIAGNOSTIC_DUPLICATE_SRC 24
711 #define SADB_X_DIAGNOSTIC_DUPLICATE_DST 25
712 #define SADB_X_DIAGNOSTIC_DUPLICATE_SA 26
713 #define SADB_X_DIAGNOSTIC_DUPLICATE_EKEY 27
714 #define SADB_X_DIAGNOSTIC_DUPLICATE_AKEY 28
715 #define SADB_X_DIAGNOSTIC_DUPLICATE_RANGE 29
717 #define SADB_X_DIAGNOSTIC_MALFORMED_SRC 30
718 #define SADB_X_DIAGNOSTIC_MALFORMED_DST 31
719 #define SADB_X_DIAGNOSTIC_MALFORMED_SA 32
720 #define SADB_X_DIAGNOSTIC_MALFORMED_EKEY 33
721 #define SADB_X_DIAGNOSTIC_MALFORMED_AKEY 34
722 #define SADB_X_DIAGNOSTIC_MALFORMED_RANGE 35
724 #define SADB_X_DIAGNOSTIC_AKEY_PRESENT 36
725 #define SADB_X_DIAGNOSTIC_EKEY_PRESENT 37
726 #define SADB_X_DIAGNOSTIC_PROP_PRESENT 38
727 #define SADB_X_DIAGNOSTIC_SUPP_PRESENT 39
729 #define SADB_X_DIAGNOSTIC_BAD_AALG 40
730 #define SADB_X_DIAGNOSTIC_BAD_EALG 41
731 #define SADB_X_DIAGNOSTIC_BAD_SAFLAGS 42
732 #define SADB_X_DIAGNOSTIC_BAD_SASTATE 43
734 #define SADB_X_DIAGNOSTIC_BAD_AKEYBITS 44
735 #define SADB_X_DIAGNOSTIC_BAD_EKEYBITS 45
737 #define SADB_X_DIAGNOSTIC_ENCR_NOTSUPP 46
739 #define SADB_X_DIAGNOSTIC_WEAK_EKEY 47
740 #define SADB_X_DIAGNOSTIC_WEAK_AKEY 48
742 #define SADB_X_DIAGNOSTIC_DUPLICATE_KMP 49
743 #define SADB_X_DIAGNOSTIC_DUPLICATE_KMC 50
745 #define SADB_X_DIAGNOSTIC_MISSING_NATT_LOC 51
746 #define SADB_X_DIAGNOSTIC_MISSING_NATT_REM 52
747 #define SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC 53
748 #define SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM 54
749 #define SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC 55
750 #define SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM 56
751 #define SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS 57
753 #define SADB_X_DIAGNOSTIC_MISSING_INNER_SRC 58
754 #define SADB_X_DIAGNOSTIC_MISSING_INNER_DST 59
755 #define SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC 60
756 #define SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST 61
757 #define SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC 62
758 #define SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST 63
760 #define SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC 64
761 #define SADB_X_DIAGNOSTIC_PREFIX_INNER_DST 65
762 #define SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF 66
763 #define SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH 67
765 #define SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF 68
766 #define SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF 69
768 #define SADB_X_DIAGNOSTIC_PROTO_MISMATCH 70
769 #define SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH 71
771 #define SADB_X_DIAGNOSTIC_DUAL_PORT_SETS 72
773 #define SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE 73
774 #define SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH 74
775 #define SADB_X_DIAGNOSTIC_PAIR_ALREADY 75
776 #define SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND 76
777 #define SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION 77
779 #define SADB_X_DIAGNOSTIC_SA_NOTFOUND 78
780 #define SADB_X_DIAGNOSTIC_SA_EXPIRED 79
781 #define SADB_X_DIAGNOSTIC_BAD_CTX 80
782 #define SADB_X_DIAGNOSTIC_INVALID_REPLAY 81
783 #define SADB_X_DIAGNOSTIC_MISSING_LIFETIME 82
785 #define SADB_X_DIAGNOSTIC_BAD_LABEL 83
786 #define SADB_X_DIAGNOSTIC_MAX 83
788 /* Algorithm type for sadb_x_algdesc above... */
790 #define SADB_X_ALGTYPE_NONE 0
791 #define SADB_X_ALGTYPE_AUTH 1
792 #define SADB_X_ALGTYPE_CRYPT 2
793 #define SADB_X_ALGTYPE_COMPRESS 3
795 #define SADB_X_ALGTYPE_MAX 3
797 /* Key management protocol for sadb_x_kmc above... */
799 #define SADB_X_KMP_MANUAL 0
800 #define SADB_X_KMP_IKE 1
801 #define SADB_X_KMP_KINK 2
803 #define SADB_X_KMP_MAX 2
806 * Handy conversion macros. Not part of the PF_KEY spec...
809 #define SADB_64TO8(x) ((x) << 3)
810 #define SADB_8TO64(x) ((x) >> 3)
811 #define SADB_8TO1(x) ((x) << 3)
812 #define SADB_1TO8(x) ((x) >> 3)
818 #endif /* _NET_PFKEYV2_H */