/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _NET_PFKEYV2_H
#define _NET_PFKEYV2_H
/*
* Definitions and structures for PF_KEY version 2. See RFC 2367 for
* more details. SA == Security Association; PF_KEY is the socket-based
* API through which key management and the kernel manage SAs. Messages
* on this socket can carry raw keying material (see the sadb_key
* extension), so both producers and consumers must treat message
* contents as sensitive.
*/
#ifdef __cplusplus
extern "C" {
#endif
/*
* Base PF_KEY message.
*/
typedef struct sadb_msg {
/*
* This implementation uses the RFC 2367 reserved field to carry an
* extended diagnostic code (see SADB_X_DIAGNOSTIC_* below) alongside
* errno on error responses.
*/
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
} sadb_x_msg_u;
} sadb_msg_t;
/*
* Generic extension header.
*/
typedef struct sadb_ext {
union {
/* Union is for guaranteeing 64-bit alignment. */
struct {
} sadb_x_ext_u;
} sadb_ext_t;
/*
* Security Association information extension.
*/
typedef struct sadb_sa {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
} sadb_x_sa_u;
} sadb_sa_t;
/*
* SA Lifetime extension. Already 64-bit aligned thanks to uint64_t fields.
*/
typedef struct sadb_lifetime {
/*
* SA address information.
*/
typedef struct sadb_address {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
#define sadb_address_len \
#define sadb_address_exttype \
#define sadb_address_proto \
#define sadb_address_prefixlen \
#define sadb_address_reserved \
/*
* Followed by a sockaddr structure, which may carry ports. A consumer
* should bound the sockaddr by the extension's length field
* (sadb_address_len) before reading sa_family or the address bytes;
* nothing in this header enforces that.
*/
/*
* SA key information.
*/
typedef struct sadb_key {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
} sadb_x_key_u;
/*
* Followed by the raw key bytes, in canonical (outbound-processing)
* order. This is secret keying material: buffers holding an sadb_key
* extension should be zeroized when released, not merely freed.
*/
} sadb_key_t;
/*
* SA Identity information. Already 64-bit aligned thanks to uint64_t fields.
*/
typedef struct sadb_ident {
/*
 * NOTE(review): the fixed fields of this extension are not present in
 * this extract; see RFC 2367 for the layout.
 * Followed by an identity as a null-terminated C string, if present.
 * A consumer must verify that the terminator lies within the
 * extension's stated length before treating the payload as a string.
 */
} sadb_ident_t;
/*
* SA sensitivity information. This is mostly useful on MLS
* (multi-level security) systems.
*/
typedef struct sadb_sens {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
/*
* Followed by two uint64_t arrays:
* uint64_t sadb_sens_bitmap[sens_bitmap_len];
* uint64_t sadb_integ_bitmap[integ_bitmap_len];
* Both lengths are supplied by the sender, so a receiver must check
* that sens_bitmap_len + integ_bitmap_len (in uint64_t units) fits
* within the extension's length before indexing either array.
*/
} sadb_sens_t;
/*
* We recycled the formerly reserved word for flags.
*/
/*
* A proposal extension. It appears in an ACQUIRE message and describes
* the kind of SA the kernel would like key management to negotiate.
*/
/* First, a base structure... */
typedef struct sadb_x_propbase {
union {
struct {
struct {
#define sadb_x_propb_replay \
#define sadb_x_propb_reserved \
#define sadb_x_propb_ereserved \
#define sadb_x_propb_numecombs \
/* Followed by sadb_comb[] array or sadb_ecomb[] array. */
/* Now, the actual sadb_prop structure, which will have alignment in it! */
typedef struct sadb_prop {
/* Union is for guaranteeing 64-bit alignment. */
union {
#define sadb_prop_reserved \
#define sadb_x_prop_ereserved \
#define sadb_x_prop_numecombs \
} sadb_prop_t;
/*
* This is a proposed combination. Many of these can follow a proposal
* extension. Already 64-bit aligned thanks to uint64_t fields.
*/
typedef struct sadb_comb {
/*
 * NOTE(review): the member list is not present in this extract; see
 * RFC 2367 for the sadb_comb layout. One proposed combination of
 * algorithms, key sizes and lifetimes; several may follow a proposal
 * extension, and the count is bounded by the proposal's length field.
 */
} sadb_comb_t;
/*
* An extended combination that can span several SA types. Within a
* single combination the algorithms and SA types are fixed. Each
* (SA type, algorithm type, algorithm) triple is expressed as an
* algorithm descriptor (sadb_x_algdesc, defined next), for example:
*
* COMB: algdes(AH, AUTH, MD5), algdes(ESP, CRYPT, DES)
* COMB: algdes(ESP, AUTH, MD5), algdes(ESP, CRYPT, DES)
*
* If an SA type supports an algorithm type and no descriptor is given
* for it, treat it as though NONE had been stated explicitly (so an ESP
* combination with no CRYPT descriptor means ESP NULL encryption).
* The algorithms in the examples only illustrate the layout and are not
* a recommendation.
*
* Already 64-bit aligned thanks to uint64_t fields.
*/
typedef struct sadb_x_ecomb {
typedef struct sadb_x_algdesc {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
#define sadb_x_algdesc_satype \
#define sadb_x_algdesc_algtype \
#define sadb_x_algdesc_alg \
#define sadb_x_algdesc_reserved \
#define sadb_x_algdesc_minbits \
#define sadb_x_algdesc_maxbits \
/*
* When key mgmt. registers with the kernel, the kernel will tell key mgmt.
* its supported algorithms.
*/
typedef struct sadb_supported {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
#define sadb_supported_len \
#define sadb_supported_exttype \
#define sadb_supported_reserved \
/* First, a base structure... */
typedef struct sadb_x_algb {
union {
/*
* alg_increment: the step, in bits, from one supported key length to
* the next (between the minimum and maximum key lengths).
*/
/* Now, the actual sadb_alg structure, which will have alignment in it. */
typedef struct sadb_alg {
/* Union is for guaranteeing 64-bit alignment. */
union {
} sadb_x_alg_u;
#define sadb_x_alg_increment \
} sadb_alg_t;
/*
* If key management needs an SPI within a range (any range up to the
* full 0 to 0xFFFFFFFF), it asks the kernel with this extension in an
* SADB_GETSPI message and the kernel chooses a value from that range.
* The kernel should validate that the range is well-formed before
* selecting from it.
*/
typedef struct sadb_spirange {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
#define sadb_spirange_max \
#define sadb_spirange_reserved \
/*
* For the "extended REGISTER", which tells the kernel to send this
* registrant "extended ACQUIRE" messages.
*/
typedef struct sadb_x_ereg {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
/*
* Array of SA types, 0-terminated. A consumer must find the terminator
* within the extension's stated length rather than scanning past it.
*/
#define sadb_x_ereg_len \
#define sadb_x_ereg_exttype \
#define sadb_x_ereg_satypes \
/*
* For conveying a Key Management Cookie with SADB_GETSPI, SADB_ADD,
* SADB_ACQUIRE, or SADB_X_INVERSE_ACQUIRE.
*/
typedef struct sadb_x_kmc {
union {
struct {
} sadb_x_kmc_u;
} sadb_x_kmc_t;
typedef struct sadb_x_pair {
union {
/* Union is for guaranteeing 64-bit alignment. */
struct {
#define sadb_x_pair_exttype \
/*
* For the Sequence numbers to be used with SADB_DUMP, SADB_GET, SADB_UPDATE.
*/
typedef struct sadb_x_replay_ctr {
/*
* For an extended DUMP request: dumps the SAs that have been idle for
* longer than the specified timeout.
*/
typedef struct sadb_x_edump {
/*
* Base message types.
*/
#define SADB_RESERVED 0
/*
* SA flags
*/
/*
* The flags below are specific to this implementation. Allocate new
* ones left-to-right, continuing the existing sequence.
*/
#define SADB_X_SAFLAGS_KRES \
/*
* SA state.
*/
#define SADB_SASTATE_LARVAL 0
/*
* SA type. Gaps are present in the number space because (for the time being)
* these types correspond to the SA types in the IPsec DOI document.
*/
#define SADB_SATYPE_UNSPEC 0
/*
* Algorithm types. Gaps are present because (for the time being) these
* values track the corresponding transform identifiers in the IPsec DOI
* (RFC 2407).
*
* NOTE: These are numbered to play nice with the IPsec DOI. That's why
* there are gaps.
*/
/* Authentication algorithms */
#define SADB_AALG_NONE 0
/* Encryption algorithms */
#define SADB_EALG_NONE 0
/*
* Extension header values.
*/
#define SADB_EXT_RESERVED 0
/* These two are synonyms. */
/*
* Identity types.
*/
#define SADB_IDENTTYPE_RESERVED 0
/*
* For the PREFIX and ADDR_RANGE identity types, the address family is
* taken from the PROXY address extension if present, otherwise from the
* SRC address extension.
*/
/*
* Protection DOI values for the SENSITIVITY extension. No DOIs are
* defined at present, so the MAX value is the only non-zero value
* available.
*/
#define SADB_DPD_NONE 0
/*
* Diagnostic codes. These supplement error messages. Be sure to
* update libipsecutil's keysock_diag() if you change any of these.
*/
#define SADB_X_DIAGNOSTIC_NONE 0
/* Bad address family value in sockaddr->sa_family. */
/* These two are synonyms. */
/* Algorithm type for sadb_x_algdesc above... */
#define SADB_X_ALGTYPE_NONE 0
/* Key management protocol for sadb_x_kmc above... */
#define SADB_X_KMP_MANUAL 0
/*
* Handy conversion macros. These are implementation extensions, not
* part of the PF_KEY specification (RFC 2367).
*/
#ifdef __cplusplus
}
#endif
#endif /* _NET_PFKEYV2_H */