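/* $OpenBSD: pfkeyv2.h,v 1.40 2001/07/05 08:38:32 angelos Exp $ */
/*
%%% copyright-nrl-98
This software is Copyright 1998 by Randall Atkinson, Ronald Lee,
Daniel McDonald, Bao Phan, and Chris Winters. All Rights Reserved. All
rights under this copyright have been assigned to the US Naval Research
Laboratory (NRL). The NRL Copyright Notice and License Agreement Version
1.1 (January 17, 1995) applies to this software.
You should have received a copy of the license with this software. If you
didn't get a copy, you may request one from <license@ipv6.nrl.navy.mil>.

*/
#ifndef _NET_PFKEY_V2_H_
#define _NET_PFKEY_V2_H_

/*
 * PF_KEY version 2: the key-management interface between userland and the
 * kernel IPsec SA database.  A message is a struct sadb_msg followed by
 * zero or more extensions, each beginning with the two uint16_t fields of
 * struct sadb_ext (length, type).  The structures below are the wire
 * layout; field order and widths are ABI and must not be changed.
 *
 * The length fields arrive in the peer's message and are not trusted by
 * themselves: whoever walks a message (pfkeyv2_parsemessage in the kernel,
 * or a userland daemon reading replies) must check each extension length
 * against the bytes actually present before dereferencing past the header.
 */

#define PF_KEY_V2 2
#define PFKEYV2_REVISION 199806L

/* This should be updated whenever the API is altered. */
#define _OPENBSD_IPSEC_API_VERSION 2

/* Message types (sadb_msg_type).  SADB_X_* are implementation extensions. */
#define SADB_RESERVED 0
#define SADB_GETSPI 1
#define SADB_UPDATE 2
#define SADB_ADD 3
#define SADB_DELETE 4
#define SADB_GET 5
#define SADB_ACQUIRE 6
#define SADB_REGISTER 7
#define SADB_EXPIRE 8
#define SADB_FLUSH 9
#define SADB_DUMP 10
#define SADB_X_PROMISC 11
#define SADB_X_ADDFLOW 12
#define SADB_X_DELFLOW 13
#define SADB_X_GRPSPIS 14
#define SADB_X_ASKPOLICY 15
#define SADB_MAX 15

/* Base header of every PF_KEY message.  16 bytes, naturally aligned. */
struct sadb_msg {
	uint8_t sadb_msg_version;	/* PF_KEY_V2 */
	uint8_t sadb_msg_type;		/* SADB_* message type */
	uint8_t sadb_msg_errno;		/* error reported back to the sender */
	uint8_t sadb_msg_satype;	/* SADB_SATYPE_* / SADB_X_SATYPE_* */
	uint16_t sadb_msg_len;		/* total length; presumably in 8-byte units
					   like sadb_ext_len -- confirm in parser */
	uint16_t sadb_msg_reserved;
	uint32_t sadb_msg_seq;		/* sequence number, echoed in replies */
	uint32_t sadb_msg_pid;		/* sender's pid */
};

/*
 * Generic extension header.  Every SADB_EXT_* structure below begins with
 * these two fields (len, exttype) so a walker can step over extensions it
 * does not understand.  sadb_ext_len is in units of uint64_t (see EXTLEN).
 */
struct sadb_ext {
	uint16_t sadb_ext_len;
	uint16_t sadb_ext_type;
};

/* SADB_EXT_SA: the security association itself. */
struct sadb_sa {
	uint16_t sadb_sa_len;
	uint16_t sadb_sa_exttype;
	uint32_t sadb_sa_spi;		/* SPI, network byte order presumably */
	uint8_t sadb_sa_replay;		/* replay window parameter; see
					   SADB_X_SAFLAGS_NOREPLAY */
	uint8_t sadb_sa_state;		/* SADB_SASTATE_* */
	uint8_t sadb_sa_auth;		/* SADB_AALG_* */
	uint8_t sadb_sa_encrypt;	/* SADB_EALG_* */
	uint32_t sadb_sa_flags;		/* SADB_SAFLAGS_* / SADB_X_SAFLAGS_* */
};

/*
 * SADB_EXT_LIFETIME_{CURRENT,HARD,SOFT}: usage limits / counters.  Which of
 * the three an instance represents is given only by its exttype.
 */
struct sadb_lifetime {
	uint16_t sadb_lifetime_len;
	uint16_t sadb_lifetime_exttype;
	uint32_t sadb_lifetime_allocations;
	uint64_t sadb_lifetime_bytes;
	uint64_t sadb_lifetime_addtime;
	uint64_t sadb_lifetime_usetime;
};

/*
 * SADB_EXT_ADDRESS_* and SADB_X_EXT_*_{MASK,FLOW}: a sockaddr follows this
 * header (see import_address/export_address).  Its length must be checked
 * against sadb_address_len before it is copied.
 */
struct sadb_address {
	uint16_t sadb_address_len;
	uint16_t sadb_address_exttype;
	uint32_t sadb_address_reserved;
};

/*
 * SADB_EXT_KEY_{AUTH,ENCRYPT}: key material follows this header.
 * sadb_key_bits presumably gives its length in bits; the derived byte count
 * must fit inside the extension (sadb_key_len) -- verify in import_key.
 */
struct sadb_key {
	uint16_t sadb_key_len;
	uint16_t sadb_key_exttype;
	uint16_t sadb_key_bits;
	uint16_t sadb_key_reserved;
};

/* SADB_EXT_IDENTITY_{SRC,DST}: identity data follows (SADB_IDENTTYPE_*). */
struct sadb_ident {
	uint16_t sadb_ident_len;
	uint16_t sadb_ident_exttype;
	uint16_t sadb_ident_type;	/* SADB_IDENTTYPE_* */
	uint16_t sadb_ident_reserved;
	uint64_t sadb_ident_id;
};

/* SADB_EXT_SENSITIVITY: sensitivity / integrity labels. */
struct sadb_sens {
	uint16_t sadb_sens_len;
	uint16_t sadb_sens_exttype;
	uint32_t sadb_sens_dpd;
	uint8_t sadb_sens_sens_level;
	uint8_t sadb_sens_sens_len;
	uint8_t sadb_sens_integ_level;
	uint8_t sadb_sens_integ_len;
	uint32_t sadb_sens_reserved;
};

/*
 * SADB_EXT_PROPOSAL: followed by sadb_prop_num struct sadb_comb records.
 * Note sadb_comb has no len/exttype prefix; it is not an extension itself.
 */
struct sadb_prop {
	uint16_t sadb_prop_len;
	uint16_t sadb_prop_exttype;
	uint8_t sadb_prop_num;
	uint8_t sadb_prop_replay;
	uint16_t sadb_prop_reserved;
};

/* One algorithm combination within an SADB_EXT_PROPOSAL (72 bytes). */
struct sadb_comb {
	uint8_t sadb_comb_auth;
	uint8_t sadb_comb_encrypt;
	uint16_t sadb_comb_flags;
	uint16_t sadb_comb_auth_minbits;
	uint16_t sadb_comb_auth_maxbits;
	uint16_t sadb_comb_encrypt_minbits;
	uint16_t sadb_comb_encrypt_maxbits;
	uint32_t sadb_comb_reserved;
	uint32_t sadb_comb_soft_allocations;
	uint32_t sadb_comb_hard_allocations;
	uint64_t sadb_comb_soft_bytes;
	uint64_t sadb_comb_hard_bytes;
	uint64_t sadb_comb_soft_addtime;
	uint64_t sadb_comb_hard_addtime;
	uint64_t sadb_comb_soft_usetime;
	uint64_t sadb_comb_hard_usetime;
};

/*
 * SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} / SADB_X_EXT_SUPPORTED_COMP: followed by
 * struct sadb_alg records (no len/exttype prefix on those).
 */
struct sadb_supported {
	uint16_t sadb_supported_len;
	uint16_t sadb_supported_exttype;
	uint32_t sadb_supported_reserved;
};

/* One supported algorithm inside an sadb_supported extension. */
struct sadb_alg {
	uint8_t sadb_alg_id;
	uint8_t sadb_alg_ivlen;
	uint16_t sadb_alg_minbits;
	uint16_t sadb_alg_maxbits;
	uint16_t sadb_alg_reserved;
};

/* SADB_EXT_SPIRANGE: acceptable SPI range for SADB_GETSPI. */
struct sadb_spirange {
	uint16_t sadb_spirange_len;
	uint16_t sadb_spirange_exttype;
	uint32_t sadb_spirange_min;
	uint32_t sadb_spirange_max;
	uint32_t sadb_spirange_reserved;
};

/* SADB_X_EXT_PROTOCOL / SADB_X_EXT_FLOW_TYPE: flow protocol and direction. */
struct sadb_protocol {
	uint16_t sadb_protocol_len;
	uint16_t sadb_protocol_exttype;
	uint8_t sadb_protocol_proto;
	uint8_t sadb_protocol_direction;
	uint8_t sadb_protocol_flags;
	uint8_t sadb_protocol_reserved2;
};

/* SADB_X_EXT_POLICY.  Uses uint32_t like every other struct in this file. */
struct sadb_x_policy {
	uint16_t sadb_x_policy_len;
	uint16_t sadb_x_policy_exttype;
	uint32_t sadb_x_policy_seq;
};

/*
 * SADB_X_EXT_{LOCAL,REMOTE}_{CREDENTIALS,AUTH}: credential or authentication
 * data follows (type given by SADB_X_CREDTYPE_* or SADB_X_AUTHTYPE_*).
 */
struct sadb_x_cred {
	uint16_t sadb_x_cred_len;
	uint16_t sadb_x_cred_exttype;
	uint16_t sadb_x_cred_type;
	uint16_t sadb_x_cred_reserved;
};

#ifdef _KERNEL
/* Map an SA type to the IP protocol it carries; anything else is IPIP. */
#define SADB_X_GETSPROTO(x) ( (x) == SADB_SATYPE_AH ? IPPROTO_AH :\
	(x) == SADB_SATYPE_ESP ? IPPROTO_ESP :\
	(x) == SADB_X_SATYPE_IPCOMP ? IPPROTO_IPCOMP:\
	IPPROTO_IPIP )
#endif

/* Extension types (sadb_ext_type).  Values 17 and up are OpenBSD-specific. */
#define SADB_EXT_RESERVED 0
#define SADB_EXT_SA 1
#define SADB_EXT_LIFETIME_CURRENT 2
#define SADB_EXT_LIFETIME_HARD 3
#define SADB_EXT_LIFETIME_SOFT 4
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
#define SADB_EXT_ADDRESS_PROXY 7
#define SADB_EXT_KEY_AUTH 8
#define SADB_EXT_KEY_ENCRYPT 9
#define SADB_EXT_IDENTITY_SRC 10
#define SADB_EXT_IDENTITY_DST 11
#define SADB_EXT_SENSITIVITY 12
#define SADB_EXT_PROPOSAL 13
#define SADB_EXT_SUPPORTED_AUTH 14
#define SADB_EXT_SUPPORTED_ENCRYPT 15
#define SADB_EXT_SPIRANGE 16
#define SADB_X_EXT_SRC_MASK 17
#define SADB_X_EXT_DST_MASK 18
#define SADB_X_EXT_PROTOCOL 19
#define SADB_X_EXT_FLOW_TYPE 20
#define SADB_X_EXT_SRC_FLOW 21
#define SADB_X_EXT_DST_FLOW 22
#define SADB_X_EXT_SA2 23
#define SADB_X_EXT_DST2 24
#define SADB_X_EXT_POLICY 25
#define SADB_X_EXT_LOCAL_CREDENTIALS 26
#define SADB_X_EXT_REMOTE_CREDENTIALS 27
#define SADB_X_EXT_LOCAL_AUTH 28
#define SADB_X_EXT_REMOTE_AUTH 29
#define SADB_X_EXT_SUPPORTED_COMP 30
#define SADB_EXT_MAX 30

/* SA types (sadb_msg_satype).  One bit per type in pfkeyv2_socket.registration. */
/* Fix pfkeyv2.c struct pfkeyv2_socket if SATYPE_MAX > 31 */
#define SADB_SATYPE_UNSPEC 0
#define SADB_SATYPE_AH 1
#define SADB_SATYPE_ESP 2
#define SADB_SATYPE_RSVP 3
#define SADB_SATYPE_OSPFV2 4
#define SADB_SATYPE_RIPV2 5
#define SADB_SATYPE_MIP 6
#define SADB_X_SATYPE_IPIP 7
#define SADB_X_SATYPE_TCPSIGNATURE 8
#define SADB_X_SATYPE_IPCOMP 9
#define SADB_SATYPE_MAX 9

/* SA states (sadb_sa_state). */
#define SADB_SASTATE_LARVAL 0
#define SADB_SASTATE_MATURE 1
#define SADB_SASTATE_DYING 2
#define SADB_SASTATE_DEAD 3
#define SADB_SASTATE_MAX 3

/* Authentication algorithms (sadb_sa_auth).  Value 1 is unassigned here. */
#define SADB_AALG_NONE 0
#define SADB_AALG_MD5HMAC 2
#define SADB_AALG_SHA1HMAC 3
#define SADB_AALG_DES 4
#define SADB_AALG_SHA2_256 5
#define SADB_AALG_SHA2_384 6
#define SADB_AALG_SHA2_512 7
#define SADB_AALG_RIPEMD160HMAC 8
#define SADB_X_AALG_MD5 249
#define SADB_X_AALG_SHA1 250
#define SADB_AALG_MAX 250

/* Encryption algorithms (sadb_sa_encrypt). */
#define SADB_EALG_NONE 0
#define SADB_X_EALG_DES_IV64 1
#define SADB_EALG_DESCBC 2
#define SADB_EALG_3DESCBC 3
#define SADB_X_EALG_RC5 4
#define SADB_X_EALG_IDEA 5
#define SADB_X_EALG_CAST 6
#define SADB_X_EALG_BLF 7
#define SADB_X_EALG_3IDEA 8
#define SADB_X_EALG_DES_IV32 9
#define SADB_X_EALG_RC4 10
#define SADB_X_EALG_NULL 11
#define SADB_X_EALG_AES 12
#define SADB_X_EALG_SKIPJACK 249
#define SADB_EALG_MAX 249

/*
 * Compression algorithms (IPCOMP).  NOTE(review): unlike the other *_MAX
 * values in this file, SADB_X_CALG_MAX is one past the last defined value;
 * SADB_X_CREDTYPE_MAX below does the same.  Range checks written as
 * "x > MAX" vs "x >= MAX" differ between these groups -- confirm which
 * convention each consumer assumes.  The spelling LSZ is part of the
 * exported name; do not rename it without checking userland users.
 */
#define SADB_X_CALG_NONE 0
#define SADB_X_CALG_OUI 1
#define SADB_X_CALG_DEFLATE 2
#define SADB_X_CALG_LSZ 3
#define SADB_X_CALG_MAX 4

/* sadb_sa_flags bits.  0x010-0x040 are unassigned. */
#define SADB_SAFLAGS_PFS 0x001			/* perfect forward secrecy */
#define SADB_X_SAFLAGS_HALFIV 0x002		/* Used for ESP-old */
#define SADB_X_SAFLAGS_TUNNEL 0x004		/* Force tunneling */
#define SADB_X_SAFLAGS_CHAINDEL 0x008		/* Delete whole SA chain */
#define SADB_X_SAFLAGS_RANDOMPADDING 0x080	/* Random ESP padding */
#define SADB_X_SAFLAGS_NOREPLAY 0x100		/* No replay counter */

#define SADB_X_POLICYFLAGS_POLICY 0x0001	/* This is a static policy */

/* Identity types (sadb_ident_type). */
#define SADB_IDENTTYPE_RESERVED 0
#define SADB_IDENTTYPE_PREFIX 1
#define SADB_IDENTTYPE_FQDN 2
#define SADB_IDENTTYPE_USERFQDN 3
#define SADB_X_IDENTTYPE_CONNECTION 4
#define SADB_IDENTTYPE_MAX 4

#define SADB_KEY_FLAGS_MAX 0

#ifdef _KERNEL
/* Internal selectors used by export_*/import_* for the three lifetimes. */
#define PFKEYV2_LIFETIME_HARD 0
#define PFKEYV2_LIFETIME_SOFT 1
#define PFKEYV2_LIFETIME_CURRENT 2

#define PFKEYV2_IDENTITY_SRC 0
#define PFKEYV2_IDENTITY_DST 1

#define PFKEYV2_ENCRYPTION_KEY 0
#define PFKEYV2_AUTHENTICATION_KEY 1

/* pfkeyv2_socket.flags bits. */
#define PFKEYV2_SOCKETFLAGS_REGISTERED 1
#define PFKEYV2_SOCKETFLAGS_PROMISC 2

/* Delivery mode for pfkeyv2_sendmessage. */
#define PFKEYV2_SENDMESSAGE_UNICAST 1
#define PFKEYV2_SENDMESSAGE_REGISTERED 2
#define PFKEYV2_SENDMESSAGE_BROADCAST 3
#endif /* _KERNEL */

/* Credential types (sadb_x_cred_type) for *_CREDENTIALS extensions. */
#define SADB_X_CREDTYPE_NONE 0
#define SADB_X_CREDTYPE_X509 1		/* ASN1 encoding of the certificate */
#define SADB_X_CREDTYPE_KEYNOTE 2	/* NUL-terminated buffer */
#define SADB_X_CREDTYPE_MAX 3

#ifdef _KERNEL
#define PFKEYV2_AUTH_LOCAL 0
#define PFKEYV2_AUTH_REMOTE 1

#define PFKEYV2_CRED_LOCAL 0
#define PFKEYV2_CRED_REMOTE 1
#endif /* _KERNEL */

/* Authentication types (sadb_x_cred_type) for *_AUTH extensions. */
#define SADB_X_AUTHTYPE_NONE 0
#define SADB_X_AUTHTYPE_PASSPHRASE 1
#define SADB_X_AUTHTYPE_RSA 2
#define SADB_X_AUTHTYPE_MAX 2

/* Flow types carried in SADB_X_EXT_FLOW_TYPE. */
#define SADB_X_FLOW_TYPE_USE 1
#define SADB_X_FLOW_TYPE_ACQUIRE 2
#define SADB_X_FLOW_TYPE_REQUIRE 3
#define SADB_X_FLOW_TYPE_BYPASS 4
#define SADB_X_FLOW_TYPE_DENY 5
#define SADB_X_FLOW_TYPE_DONTACQ 6

#ifdef _KERNEL
/*
 * Forward declarations for every type named only by pointer below, so the
 * prototypes do not introduce prototype-scoped struct tags when this header
 * is included before the defining headers.
 */
struct tdb;
struct socket;
struct mbuf;
struct sockaddr;
struct ipsec_policy;
struct ipsec_acquire;
struct ipsecinit;
struct sockaddr_encap;
union sockaddr_union;

/*
 * EXTLEN: byte length of an extension, from its sadb_ext_len which counts
 * 8-byte units.  The value is whatever the sender put in the message; the
 * caller must compare it with the bytes remaining before trusting it.
 * PADUP: round a byte count up to a multiple of 8 (x is evaluated twice).
 */
#define EXTLEN(x) (((struct sadb_ext *)(x))->sadb_ext_len * sizeof(uint64_t))
#define PADUP(x) (((x) + sizeof(uint64_t) - 1) & ~(sizeof(uint64_t) - 1))

/* Per-protocol-version hooks registered with pfkey_register(). */
struct pfkey_version
{
	int protocol;
	int (*create)(struct socket *socket);
	int (*release)(struct socket *socket);
	int (*send)(struct socket *socket, void *message, int len);
};

/* Kernel-side state for one open PF_KEY socket (singly linked via next). */
struct pfkeyv2_socket
{
	struct pfkeyv2_socket *next;
	struct socket *socket;
	int flags;			/* PFKEYV2_SOCKETFLAGS_* */
	uint32_t pid;
	uint32_t registration;		/* Increase size if SATYPE_MAX > 31 */
};

/* Walker context for SADB_DUMP (presumably; see pfkeyv2_dump_walker). */
struct dump_state
{
	struct sadb_msg *sadb_msg;
	struct socket *socket;
};

int pfkeyv2_init(void);
int pfkeyv2_cleanup(void);
/* Parse a raw message of the given byte length into an extension table. */
int pfkeyv2_parsemessage(void *, int, void **);
int pfkeyv2_expire(struct tdb *, uint16_t);
int pfkeyv2_acquire(struct ipsec_policy *, union sockaddr_union *,
    union sockaddr_union *, uint32_t *,
    struct sockaddr_encap *);

int pfkey_register(struct pfkey_version *version);
int pfkey_unregister(struct pfkey_version *version);
int pfkey_sendup(struct socket *socket, struct mbuf *packet, int more);

int pfkeyv2_create(struct socket *);
int pfkeyv2_get(struct tdb *, void **, void **);
int pfkeyv2_policy(struct ipsec_acquire *, void **, void **);
int pfkeyv2_release(struct socket *);
int pfkeyv2_send(struct socket *, void *, int);
int pfkeyv2_sendmessage(void **, int, struct socket *, uint8_t, int);
int pfkeyv2_dump_walker(struct tdb *, void *, int);
int pfkeyv2_flush_walker(struct tdb *, void *, int);
int pfkeyv2_get_proto_alg(uint8_t, uint8_t *, int *);

int pfdatatopacket(void *, int, struct mbuf **);

/* Serialise TDB fields into extensions at the cursor (advanced on return). */
void export_address(void **, struct sockaddr *);
void export_identity(void **, struct tdb *, int);
void export_lifetime(void **, struct tdb *, int);
void export_credentials(void **, struct tdb *, int);
void export_sa(void **, struct tdb *);
void export_key(void **, struct tdb *, int);
void export_auth(void **, struct tdb *, int);

/* Copy extension contents into a TDB; lengths must already be validated. */
void import_auth(struct tdb *, struct sadb_x_cred *, int);
void import_address(struct sockaddr *, struct sadb_address *);
void import_identity(struct tdb *, struct sadb_ident *, int);
void import_key(struct ipsecinit *, struct sadb_key *, int);
void import_lifetime(struct tdb *, struct sadb_lifetime *, int);
void import_credentials(struct tdb *, struct sadb_x_cred *, int);
void import_sa(struct tdb *, struct sadb_sa *, struct ipsecinit *);
#endif /* _KERNEL */
#endif /* _NET_PFKEY_V2_H_ */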