pfkeyv2.h revision 9c2c14ab194d42014417b385d6bf226ba1a37995
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _NET_PFKEYV2_H
#define _NET_PFKEYV2_H
/*
* Definitions and structures for PF_KEY version 2. See RFC 2367 for
* more details. SA == Security Association, which is what PF_KEY provides
* an API for managing.
*/
#ifdef __cplusplus
extern "C" {
#endif
#define PF_KEY_V2 2
#define PFKEYV2_REVISION 200109L
/*
* Base PF_KEY message.
*/
typedef struct sadb_msg {
/*
* Use the reserved field for extended diagnostic information on errno
* responses.
*/
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
} sadb_x_msg_u;
} sadb_msg_t;
/*
* Generic extension header.
*/
typedef struct sadb_ext {
union {
/* Union is for guaranteeing 64-bit alignment. */
struct {
} sadb_x_ext_u;
} sadb_ext_t;
/*
* Security Association information extension.
*/
typedef struct sadb_sa {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
} sadb_x_sa_u;
} sadb_sa_t;
/*
* SA Lifetime extension. Already 64-bit aligned thanks to uint64_t fields.
*/
typedef struct sadb_lifetime {
/*
* SA address information.
*/
typedef struct sadb_address {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
#define sadb_address_len \
#define sadb_address_exttype \
#define sadb_address_proto \
#define sadb_address_prefixlen \
#define sadb_address_reserved \
/* Followed by a sockaddr structure which may contain ports. */
/*
* SA key information.
*/
typedef struct sadb_key {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
} sadb_x_key_u;
/* Followed by actual key(s) in canonical (outbound proc.) order. */
} sadb_key_t;
/*
* SA Identity information. Already 64-bit aligned thanks to uint64_t fields.
*/
typedef struct sadb_ident {
/* Followed by an identity null-terminate C string if present. */
} sadb_ident_t;
/*
* SA sensitivity information. This is mostly useful on MLS systems.
*/
typedef struct sadb_sens {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
/*
* followed by two uint64_t arrays
* uint64_t sadb_sens_bitmap[sens_bitmap_len];
* uint64_t sadb_integ_bitmap[integ_bitmap_len];
*/
} sadb_sens_t;
/*
* A proposal extension. This is found in an ACQUIRE message, and it
* proposes what sort of SA the kernel would like to ACQUIRE.
*/
/* First, a base structure... */
typedef struct sadb_x_propbase {
union {
struct {
struct {
#define sadb_x_propb_replay \
#define sadb_x_propb_reserved \
#define sadb_x_propb_ereserved \
#define sadb_x_propb_numecombs \
/* Followed by sadb_comb[] array or sadb_ecomb[] array. */
/* Now, the actual sadb_prop structure, which will have alignment in it! */
typedef struct sadb_prop {
/* Union is for guaranteeing 64-bit alignment. */
union {
#define sadb_prop_reserved \
#define sadb_x_prop_ereserved \
#define sadb_x_prop_numecombs \
} sadb_prop_t;
/*
* This is a proposed combination. Many of these can follow a proposal
* extension. Already 64-bit aligned thanks to uint64_t fields.
*/
typedef struct sadb_comb {
} sadb_comb_t;
/*
* An extended combination that can comprise of many SA types.
* A single combination has algorithms and SA types locked.
* These are represented by algorithm descriptors, the second structure
*
* COMB: algdes(AH, AUTH, MD5), algdes(ESP, CRYPT, DES)
* COMB: algdes(ESP, AUTH, MD5), algdes(ESP, CRYPT, DES)
*
* If an SA type supports an algorithm type, and there's no descriptor,
* assume it requires NONE, just like it were explicitly stated.
* (This includes ESP NULL encryption, BTW.)
*
* Already 64-bit aligned thanks to uint64_t fields.
*/
typedef struct sadb_x_ecomb {
typedef struct sadb_x_algdesc {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
#define sadb_x_algdesc_satype \
#define sadb_x_algdesc_algtype \
#define sadb_x_algdesc_alg \
#define sadb_x_algdesc_reserved \
#define sadb_x_algdesc_minbits \
#define sadb_x_algdesc_maxbits \
/*
* When key mgmt. registers with the kernel, the kernel will tell key mgmt.
* its supported algorithms.
*/
typedef struct sadb_supported {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
#define sadb_supported_len \
#define sadb_supported_exttype \
#define sadb_supported_reserved \
/* First, a base structure... */
typedef struct sadb_x_algb {
union {
/*
* alg_increment: the number of bits from a key length to the next
* alg_defincr: the number of increments from the smallest possible
* key to the default key length
*/
/* useful macros for dealing with defincr */
/* Now, the actual sadb_alg structure, which will have alignment in it. */
typedef struct sadb_alg {
/* Union is for guaranteeing 64-bit alignment. */
union {
} sadb_x_alg_u;
#define sadb_x_alg_increment \
} sadb_alg_t;
/*
* If key mgmt. needs an SPI in a range (including 0 to 0xFFFFFFFF), it
* asks the kernel with this extension in the SADB_GETSPI message.
*/
typedef struct sadb_spirange {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
#define sadb_spirange_max \
#define sadb_spirange_reserved \
/*
* For the "extended REGISTER" which'll tell the kernel to send me
* "extended ACQUIREs".
*/
typedef struct sadb_x_ereg {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
/* Array of SA types, 0-terminated. */
#define sadb_x_ereg_len \
#define sadb_x_ereg_exttype \
#define sadb_x_ereg_satypes \
/*
* For conveying a Key Management Cookie with SADB_GETSPI, SADB_ADD,
* SADB_ACQUIRE, or SADB_X_INVERSE_ACQUIRE.
*/
typedef struct sadb_x_kmc {
union {
struct {
} sadb_x_kmc_u;
} sadb_x_kmc_t;
typedef struct sadb_x_pair {
union {
/* Union is for guaranteeing 64-bit alignment. */
struct {
#define sadb_x_pair_exttype \
/*
* For the Sequence numbers to be used with SADB_DUMP, SADB_GET, SADB_UPDATE.
*/
typedef struct sadb_x_replay_ctr {
/*
* For extended DUMP request. Dumps the SAs which were idle for
* longer than the timeout specified.
*/
typedef struct sadb_x_edump {
/*
* Base message types.
*/
#define SADB_RESERVED 0
#define SADB_GETSPI 1
#define SADB_UPDATE 2
#define SADB_ADD 3
#define SADB_DELETE 4
#define SADB_GET 5
#define SADB_ACQUIRE 6
#define SADB_REGISTER 7
#define SADB_EXPIRE 8
#define SADB_FLUSH 9
#define SADB_X_PROMISC 11
#define SADB_X_INVERSE_ACQUIRE 12
#define SADB_X_UPDATEPAIR 13
#define SADB_X_DELPAIR 14
#define SADB_X_DELPAIR_STATE 15
#define SADB_MAX 15
/*
* SA flags
*/
/* Below flags are used by this implementation. Grow from left-to-right. */
#define SADB_X_SAFLAGS_KRES \
/*
* SA state.
*/
#define SADB_SASTATE_LARVAL 0
#define SADB_SASTATE_MATURE 1
#define SADB_SASTATE_DYING 2
#define SADB_SASTATE_DEAD 3
#define SADB_X_SASTATE_ACTIVE_ELSEWHERE 4
#define SADB_X_SASTATE_IDLE 5
#define SADB_X_SASTATE_ACTIVE 6
#define SADB_SASTATE_MAX 6
/*
* SA type. Gaps are present in the number space because (for the time being)
* these types correspond to the SA types in the IPsec DOI document.
*/
#define SADB_SATYPE_UNSPEC 0
#define SADB_SATYPE_MAX 8
/*
* Algorithm types. Gaps are present because (for the time being) these types
* correspond to the SA types in the IPsec DOI document.
*
* NOTE: These are numbered to play nice with the IPsec DOI. That's why
* there are gaps.
*/
/* Authentication algorithms */
#define SADB_AALG_NONE 0
#define SADB_AALG_MD5HMAC 2
#define SADB_AALG_SHA1HMAC 3
#define SADB_AALG_SHA256HMAC 5
#define SADB_AALG_SHA384HMAC 6
#define SADB_AALG_SHA512HMAC 7
#define SADB_AALG_MAX 7
/* Encryption algorithms */
#define SADB_EALG_NONE 0
#define SADB_EALG_DESCBC 2
#define SADB_EALG_3DESCBC 3
#define SADB_EALG_BLOWFISH 7
#define SADB_EALG_NULL 11
#define SADB_EALG_AES 12
#define SADB_EALG_MAX 12
/*
* Extension header values.
*/
#define SADB_EXT_RESERVED 0
#define SADB_EXT_SA 1
#define SADB_EXT_LIFETIME_CURRENT 2
#define SADB_EXT_LIFETIME_HARD 3
#define SADB_EXT_LIFETIME_SOFT 4
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
/* These two are synonyms. */
#define SADB_EXT_ADDRESS_PROXY 7
#define SADB_EXT_KEY_AUTH 8
#define SADB_EXT_KEY_ENCRYPT 9
#define SADB_EXT_IDENTITY_SRC 10
#define SADB_EXT_IDENTITY_DST 11
#define SADB_EXT_SENSITIVITY 12
#define SADB_EXT_PROPOSAL 13
#define SADB_EXT_SUPPORTED_AUTH 14
#define SADB_EXT_SUPPORTED_ENCRYPT 15
#define SADB_EXT_SPIRANGE 16
#define SADB_X_EXT_EREG 17
#define SADB_X_EXT_EPROP 18
#define SADB_X_EXT_KM_COOKIE 19
#define SADB_X_EXT_ADDRESS_NATT_LOC 20
#define SADB_X_EXT_ADDRESS_NATT_REM 21
#define SADB_X_EXT_ADDRESS_INNER_DST 22
#define SADB_X_EXT_PAIR 23
#define SADB_X_EXT_REPLAY_VALUE 24
#define SADB_X_EXT_EDUMP 25
#define SADB_X_EXT_LIFETIME_IDLE 26
#define SADB_EXT_MAX 26
/*
* Identity types.
*/
#define SADB_IDENTTYPE_RESERVED 0
/*
* For PREFIX and ADDR_RANGE, use the AF of the PROXY if present, or the SRC
* if not present.
*/
#define SADB_IDENTTYPE_PREFIX 1
#define SADB_X_IDENTTYPE_ADDR_RANGE 7
#define SADB_IDENTTYPE_MAX 7
/*
* Protection DOI values for the SENSITIVITY extension. There are no values
* currently, so the MAX is the only non-zero value available.
*/
#define SADB_DPD_NONE 0
#define SADB_DPD_MAX 1
/*
* Diagnostic codes. These supplement error messages. Be sure to
* update libipsecutil's keysock_diag() if you change any of these.
*/
#define SADB_X_DIAGNOSTIC_NONE 0
#define SADB_X_DIAGNOSTIC_UNKNOWN_MSG 1
#define SADB_X_DIAGNOSTIC_UNKNOWN_EXT 2
#define SADB_X_DIAGNOSTIC_BAD_EXTLEN 3
#define SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE 4
#define SADB_X_DIAGNOSTIC_SATYPE_NEEDED 5
#define SADB_X_DIAGNOSTIC_NO_SADBS 6
#define SADB_X_DIAGNOSTIC_NO_EXT 7
/* Bad address family value */
#define SADB_X_DIAGNOSTIC_BAD_SRC_AF 8
/* in sockaddr->sa_family. */
#define SADB_X_DIAGNOSTIC_BAD_DST_AF 9
/* These two are synonyms. */
#define SADB_X_DIAGNOSTIC_BAD_PROXY_AF 10
#define SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF 10
#define SADB_X_DIAGNOSTIC_AF_MISMATCH 11
#define SADB_X_DIAGNOSTIC_BAD_SRC 12
#define SADB_X_DIAGNOSTIC_BAD_DST 13
#define SADB_X_DIAGNOSTIC_ALLOC_HSERR 14
#define SADB_X_DIAGNOSTIC_BYTES_HSERR 15
#define SADB_X_DIAGNOSTIC_ADDTIME_HSERR 16
#define SADB_X_DIAGNOSTIC_USETIME_HSERR 17
#define SADB_X_DIAGNOSTIC_MISSING_SRC 18
#define SADB_X_DIAGNOSTIC_MISSING_DST 19
#define SADB_X_DIAGNOSTIC_MISSING_SA 20
#define SADB_X_DIAGNOSTIC_MISSING_EKEY 21
#define SADB_X_DIAGNOSTIC_MISSING_AKEY 22
#define SADB_X_DIAGNOSTIC_MISSING_RANGE 23
#define SADB_X_DIAGNOSTIC_DUPLICATE_SRC 24
#define SADB_X_DIAGNOSTIC_DUPLICATE_DST 25
#define SADB_X_DIAGNOSTIC_DUPLICATE_SA 26
#define SADB_X_DIAGNOSTIC_DUPLICATE_EKEY 27
#define SADB_X_DIAGNOSTIC_DUPLICATE_AKEY 28
#define SADB_X_DIAGNOSTIC_DUPLICATE_RANGE 29
#define SADB_X_DIAGNOSTIC_MALFORMED_SRC 30
#define SADB_X_DIAGNOSTIC_MALFORMED_DST 31
#define SADB_X_DIAGNOSTIC_MALFORMED_SA 32
#define SADB_X_DIAGNOSTIC_MALFORMED_EKEY 33
#define SADB_X_DIAGNOSTIC_MALFORMED_AKEY 34
#define SADB_X_DIAGNOSTIC_MALFORMED_RANGE 35
#define SADB_X_DIAGNOSTIC_AKEY_PRESENT 36
#define SADB_X_DIAGNOSTIC_EKEY_PRESENT 37
#define SADB_X_DIAGNOSTIC_PROP_PRESENT 38
#define SADB_X_DIAGNOSTIC_SUPP_PRESENT 39
#define SADB_X_DIAGNOSTIC_BAD_AALG 40
#define SADB_X_DIAGNOSTIC_BAD_EALG 41
#define SADB_X_DIAGNOSTIC_BAD_SAFLAGS 42
#define SADB_X_DIAGNOSTIC_BAD_SASTATE 43
#define SADB_X_DIAGNOSTIC_BAD_AKEYBITS 44
#define SADB_X_DIAGNOSTIC_BAD_EKEYBITS 45
#define SADB_X_DIAGNOSTIC_ENCR_NOTSUPP 46
#define SADB_X_DIAGNOSTIC_WEAK_EKEY 47
#define SADB_X_DIAGNOSTIC_WEAK_AKEY 48
#define SADB_X_DIAGNOSTIC_DUPLICATE_KMP 49
#define SADB_X_DIAGNOSTIC_DUPLICATE_KMC 50
#define SADB_X_DIAGNOSTIC_MISSING_NATT_LOC 51
#define SADB_X_DIAGNOSTIC_MISSING_NATT_REM 52
#define SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC 53
#define SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM 54
#define SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC 55
#define SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM 56
#define SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS 57
#define SADB_X_DIAGNOSTIC_MISSING_INNER_SRC 58
#define SADB_X_DIAGNOSTIC_MISSING_INNER_DST 59
#define SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC 60
#define SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST 61
#define SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC 62
#define SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST 63
#define SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC 64
#define SADB_X_DIAGNOSTIC_PREFIX_INNER_DST 65
#define SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF 66
#define SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH 67
#define SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF 68
#define SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF 69
#define SADB_X_DIAGNOSTIC_PROTO_MISMATCH 70
#define SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH 71
#define SADB_X_DIAGNOSTIC_DUAL_PORT_SETS 72
#define SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE 73
#define SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH 74
#define SADB_X_DIAGNOSTIC_PAIR_ALREADY 75
#define SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND 76
#define SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION 77
#define SADB_X_DIAGNOSTIC_SA_NOTFOUND 78
#define SADB_X_DIAGNOSTIC_SA_EXPIRED 79
#define SADB_X_DIAGNOSTIC_MAX 79
/* Algorithm type for sadb_x_algdesc above... */
#define SADB_X_ALGTYPE_NONE 0
#define SADB_X_ALGTYPE_AUTH 1
#define SADB_X_ALGTYPE_CRYPT 2
#define SADB_X_ALGTYPE_COMPRESS 3
#define SADB_X_ALGTYPE_MAX 3
/* Key management protocol for sadb_x_kmc above... */
#define SADB_X_KMP_MANUAL 0
#define SADB_X_KMP_IKE 1
#define SADB_X_KMP_KINK 2
#define SADB_X_KMP_MAX 2
/*
* Handy conversion macros. Not part of the PF_KEY spec...
*/
#define SADB_64TO8(x) ((x) << 3)
#define SADB_8TO64(x) ((x) >> 3)
#define SADB_8TO1(x) ((x) << 3)
#define SADB_1TO8(x) ((x) >> 3)
#ifdef __cplusplus
}
#endif
#endif /* _NET_PFKEYV2_H */