1 /* $OpenBSD: pfkeyv2.h,v 1.50 2004/01/27 09:27:17 markus Exp $ */
2 /*
3  *	@(#)COPYRIGHT	1.1 (NRL) January 1998
4  *
5  * NRL grants permission for redistribution and use in source and binary
6  * forms, with or without modification, of the software and documentation
7  * created at NRL provided that the following conditions are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  * 3. All advertising materials mentioning features or use of this software
15  *    must display the following acknowledgements:
16  * 	This product includes software developed by the University of
17  * 	California, Berkeley and its contributors.
18  * 	This product includes software developed at the Information
19  * 	Technology Division, US Naval Research Laboratory.
20  * 4. Neither the name of the NRL nor the names of its contributors
21  *    may be used to endorse or promote products derived from this software
22  *    without specific prior written permission.
23  *
24  * THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS
25  * IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
26  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
27  * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL NRL OR
28  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
29  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
30  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
31  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
32  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
33  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
34  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35  *
36  * The views and conclusions contained in the software and documentation
37  * are those of the authors and should not be interpreted as representing
38  * official policies, either expressed or implied, of the US Naval
39  * Research Laboratory (NRL).
40  */
41 
42 #ifndef _NET_PFKEY_V2_H_
43 #define _NET_PFKEY_V2_H_
44 
45 #define PF_KEY_V2			2
46 #define PFKEYV2_REVISION		199806L
47 
48 /* This should be updated whenever the API is altered.  */
49 #define _OPENBSD_IPSEC_API_VERSION	2
50 
51 #define SADB_RESERVED      0
52 #define SADB_GETSPI        1
53 #define SADB_UPDATE        2
54 #define SADB_ADD           3
55 #define SADB_DELETE        4
56 #define SADB_GET           5
57 #define SADB_ACQUIRE       6
58 #define SADB_REGISTER      7
59 #define SADB_EXPIRE        8
60 #define SADB_FLUSH         9
61 #define SADB_DUMP          10
62 #define SADB_X_PROMISC     11
63 #define SADB_X_ADDFLOW     12
64 #define SADB_X_DELFLOW     13
65 #define SADB_X_GRPSPIS     14
66 #define SADB_X_ASKPOLICY   15
67 #define SADB_MAX           15
68 
69 struct sadb_msg {
70 	uint8_t sadb_msg_version;
71 	uint8_t sadb_msg_type;
72 	uint8_t sadb_msg_errno;
73 	uint8_t sadb_msg_satype;
74 	uint16_t sadb_msg_len;
75 	uint16_t sadb_msg_reserved;
76 	uint32_t sadb_msg_seq;
77 	uint32_t sadb_msg_pid;
78 };
79 
80 struct sadb_ext {
81 	uint16_t sadb_ext_len;
82 	uint16_t sadb_ext_type;
83 };
84 
85 struct sadb_sa {
86 	uint16_t sadb_sa_len;
87 	uint16_t sadb_sa_exttype;
88 	uint32_t sadb_sa_spi;
89 	uint8_t sadb_sa_replay;
90 	uint8_t sadb_sa_state;
91 	uint8_t sadb_sa_auth;
92 	uint8_t sadb_sa_encrypt;
93 	uint32_t sadb_sa_flags;
94 };
95 
96 struct sadb_lifetime {
97 	uint16_t sadb_lifetime_len;
98 	uint16_t sadb_lifetime_exttype;
99 	uint32_t sadb_lifetime_allocations;
100 	uint64_t sadb_lifetime_bytes;
101 	uint64_t sadb_lifetime_addtime;
102 	uint64_t sadb_lifetime_usetime;
103 };
104 
105 struct sadb_address {
106 	uint16_t sadb_address_len;
107 	uint16_t sadb_address_exttype;
108 	uint32_t sadb_address_reserved;
109 };
110 
111 struct sadb_key {
112 	uint16_t sadb_key_len;
113 	uint16_t sadb_key_exttype;
114 	uint16_t sadb_key_bits;
115 	uint16_t sadb_key_reserved;
116 };
117 
118 struct sadb_ident {
119 	uint16_t sadb_ident_len;
120 	uint16_t sadb_ident_exttype;
121 	uint16_t sadb_ident_type;
122 	uint16_t sadb_ident_reserved;
123 	uint64_t sadb_ident_id;
124 };
125 
126 struct sadb_sens {
127 	uint16_t sadb_sens_len;
128 	uint16_t sadb_sens_exttype;
129 	uint32_t sadb_sens_dpd;
130 	uint8_t sadb_sens_sens_level;
131 	uint8_t sadb_sens_sens_len;
132 	uint8_t sadb_sens_integ_level;
133 	uint8_t sadb_sens_integ_len;
134 	uint32_t sadb_sens_reserved;
135 };
136 
137 struct sadb_prop {
138 	uint16_t sadb_prop_len;
139 	uint16_t sadb_prop_exttype;
140 	uint8_t sadb_prop_num;
141 	uint8_t sadb_prop_replay;
142 	uint16_t sadb_prop_reserved;
143 };
144 
145 struct sadb_comb {
146 	uint8_t sadb_comb_auth;
147 	uint8_t sadb_comb_encrypt;
148 	uint16_t sadb_comb_flags;
149 	uint16_t sadb_comb_auth_minbits;
150 	uint16_t sadb_comb_auth_maxbits;
151 	uint16_t sadb_comb_encrypt_minbits;
152 	uint16_t sadb_comb_encrypt_maxbits;
153 	uint32_t sadb_comb_reserved;
154 	uint32_t sadb_comb_soft_allocations;
155 	uint32_t sadb_comb_hard_allocations;
156 	uint64_t sadb_comb_soft_bytes;
157 	uint64_t sadb_comb_hard_bytes;
158 	uint64_t sadb_comb_soft_addtime;
159 	uint64_t sadb_comb_hard_addtime;
160 	uint64_t sadb_comb_soft_usetime;
161 	uint64_t sadb_comb_hard_usetime;
162 };
163 
164 struct sadb_supported {
165 	uint16_t sadb_supported_len;
166 	uint16_t sadb_supported_exttype;
167 	uint32_t sadb_supported_reserved;
168 };
169 
170 struct sadb_alg {
171 	uint8_t sadb_alg_id;
172 	uint8_t sadb_alg_ivlen;
173 	uint16_t sadb_alg_minbits;
174 	uint16_t sadb_alg_maxbits;
175 	uint16_t sadb_alg_reserved;
176 };
177 
178 struct sadb_spirange {
179 	uint16_t sadb_spirange_len;
180 	uint16_t sadb_spirange_exttype;
181 	uint32_t sadb_spirange_min;
182 	uint32_t sadb_spirange_max;
183 	uint32_t sadb_spirange_reserved;
184 };
185 
186 struct sadb_protocol {
187 	uint16_t sadb_protocol_len;
188 	uint16_t sadb_protocol_exttype;
189 	uint8_t  sadb_protocol_proto;
190 	uint8_t  sadb_protocol_direction;
191 	uint8_t  sadb_protocol_flags;
192 	uint8_t  sadb_protocol_reserved2;
193 };
194 
195 struct sadb_x_policy {
196 	uint16_t  sadb_x_policy_len;
197 	uint16_t  sadb_x_policy_exttype;
198 	u_int32_t sadb_x_policy_seq;
199 };
200 
201 struct sadb_x_cred {
202 	uint16_t sadb_x_cred_len;
203 	uint16_t sadb_x_cred_exttype;
204 	uint16_t sadb_x_cred_type;
205 	uint16_t sadb_x_cred_reserved;
206 };
207 
208 struct sadb_x_udpencap {
209 	uint16_t sadb_x_udpencap_len;
210 	uint16_t sadb_x_udpencap_exttype;
211 	uint16_t sadb_x_udpencap_port;
212 	uint16_t sadb_x_udpencap_reserved;
213 };
214 
215 #ifdef _KERNEL
216 #define SADB_X_GETSPROTO(x) \
217 	( (x) == SADB_SATYPE_AH ? IPPROTO_AH :\
218 	(x) == SADB_SATYPE_ESP ? IPPROTO_ESP :\
219 	(x) == SADB_X_SATYPE_TCPSIGNATURE ? IPPROTO_TCP :\
220 	(x) == SADB_X_SATYPE_IPCOMP ? IPPROTO_IPCOMP: IPPROTO_IPIP )
221 #endif
222 
223 #define SADB_EXT_RESERVED             0
224 #define SADB_EXT_SA                   1
225 #define SADB_EXT_LIFETIME_CURRENT     2
226 #define SADB_EXT_LIFETIME_HARD        3
227 #define SADB_EXT_LIFETIME_SOFT        4
228 #define SADB_EXT_ADDRESS_SRC          5
229 #define SADB_EXT_ADDRESS_DST          6
230 #define SADB_EXT_ADDRESS_PROXY        7
231 #define SADB_EXT_KEY_AUTH             8
232 #define SADB_EXT_KEY_ENCRYPT          9
233 #define SADB_EXT_IDENTITY_SRC         10
234 #define SADB_EXT_IDENTITY_DST         11
235 #define SADB_EXT_SENSITIVITY          12
236 #define SADB_EXT_PROPOSAL             13
237 #define SADB_EXT_SUPPORTED_AUTH	      14
238 #define SADB_EXT_SUPPORTED_ENCRYPT    15
239 #define SADB_EXT_SPIRANGE             16
240 #define SADB_X_EXT_SRC_MASK           17
241 #define SADB_X_EXT_DST_MASK           18
242 #define SADB_X_EXT_PROTOCOL           19
243 #define SADB_X_EXT_FLOW_TYPE          20
244 #define SADB_X_EXT_SRC_FLOW           21
245 #define SADB_X_EXT_DST_FLOW           22
246 #define SADB_X_EXT_SA2                23
247 #define SADB_X_EXT_DST2               24
248 #define SADB_X_EXT_POLICY             25
249 #define SADB_X_EXT_LOCAL_CREDENTIALS  26
250 #define SADB_X_EXT_REMOTE_CREDENTIALS 27
251 #define SADB_X_EXT_LOCAL_AUTH         28
252 #define SADB_X_EXT_REMOTE_AUTH        29
253 #define SADB_X_EXT_SUPPORTED_COMP     30
254 #define SADB_X_EXT_UDPENCAP           31
255 #define SADB_EXT_MAX                  31
256 
257 /* Fix pfkeyv2.c struct pfkeyv2_socket if SATYPE_MAX > 31 */
258 #define SADB_SATYPE_UNSPEC		 0
259 #define SADB_SATYPE_AH			 1
260 #define SADB_SATYPE_ESP			 2
261 #define SADB_SATYPE_RSVP		 3
262 #define SADB_SATYPE_OSPFV2		 4
263 #define SADB_SATYPE_RIPV2		 5
264 #define SADB_SATYPE_MIP			 6
265 #define SADB_X_SATYPE_IPIP		 7
266 #define SADB_X_SATYPE_TCPSIGNATURE	 8
267 #define SADB_X_SATYPE_IPCOMP		 9
268 #define SADB_SATYPE_MAX			 9
269 
270 #define SADB_SASTATE_LARVAL   0
271 #define SADB_SASTATE_MATURE   1
272 #define SADB_SASTATE_DYING    2
273 #define SADB_SASTATE_DEAD     3
274 #define SADB_SASTATE_MAX      3
275 
276 #define SADB_AALG_NONE               0
277 #define SADB_AALG_MD5HMAC            2
278 #define SADB_AALG_SHA1HMAC           3
279 #define SADB_X_AALG_DES              4
280 #define SADB_X_AALG_SHA2_256         5
281 #define SADB_X_AALG_SHA2_384         6
282 #define SADB_X_AALG_SHA2_512         7
283 #define SADB_X_AALG_RIPEMD160HMAC    8
284 #define SADB_X_AALG_MD5              249
285 #define SADB_X_AALG_SHA1             250
286 #define SADB_AALG_MAX                250
287 
288 #define SADB_EALG_NONE        0
289 #define SADB_X_EALG_DES_IV64  1
290 #define SADB_EALG_DESCBC      2
291 #define SADB_EALG_3DESCBC     3
292 #define SADB_X_EALG_RC5       4
293 #define SADB_X_EALG_IDEA      5
294 #define SADB_X_EALG_CAST      6
295 #define SADB_X_EALG_BLF       7
296 #define SADB_X_EALG_3IDEA     8
297 #define SADB_X_EALG_DES_IV32  9
298 #define SADB_X_EALG_RC4       10
299 #define SADB_EALG_NULL        11
300 #define SADB_X_EALG_AES       12
301 #define SADB_X_EALG_SKIPJACK  249
302 #define SADB_EALG_MAX         249
303 
304 #define SADB_X_CALG_NONE	0
305 #define SADB_X_CALG_OUI		1
306 #define SADB_X_CALG_DEFLATE	2
307 #define SADB_X_CALG_LZS		3
308 #define SADB_X_CALG_MAX		3
309 
310 #define SADB_SAFLAGS_PFS         	0x001    /* perfect forward secrecy */
311 #define SADB_X_SAFLAGS_HALFIV    	0x002    /* Used for ESP-old */
312 #define SADB_X_SAFLAGS_TUNNEL	 	0x004    /* Force tunneling */
313 #define SADB_X_SAFLAGS_CHAINDEL  	0x008    /* Delete whole SA chain */
314 #define SADB_X_SAFLAGS_RANDOMPADDING    0x080    /* Random ESP padding */
315 #define SADB_X_SAFLAGS_NOREPLAY         0x100    /* No replay counter */
316 #define SADB_X_SAFLAGS_UDPENCAP         0x200    /* ESP in UDP  */
317 
318 #define SADB_X_POLICYFLAGS_POLICY       0x0001	/* This is a static policy */
319 
320 #define SADB_IDENTTYPE_RESERVED     0
321 #define SADB_IDENTTYPE_PREFIX       1
322 #define SADB_IDENTTYPE_FQDN         2
323 #define SADB_IDENTTYPE_USERFQDN     3
324 #define SADB_X_IDENTTYPE_CONNECTION 4
325 #define SADB_IDENTTYPE_MAX          4
326 
327 #define SADB_KEY_FLAGS_MAX 0
328 
329 #ifdef _KERNEL
330 #define PFKEYV2_LIFETIME_HARD      0
331 #define PFKEYV2_LIFETIME_SOFT      1
332 #define PFKEYV2_LIFETIME_CURRENT   2
333 
334 #define PFKEYV2_IDENTITY_SRC       0
335 #define PFKEYV2_IDENTITY_DST       1
336 
337 #define PFKEYV2_ENCRYPTION_KEY     0
338 #define PFKEYV2_AUTHENTICATION_KEY 1
339 
340 #define PFKEYV2_SOCKETFLAGS_REGISTERED 1
341 #define PFKEYV2_SOCKETFLAGS_PROMISC    2
342 
343 #define PFKEYV2_SENDMESSAGE_UNICAST    1
344 #define PFKEYV2_SENDMESSAGE_REGISTERED 2
345 #define PFKEYV2_SENDMESSAGE_BROADCAST  3
346 #endif /* _KERNEL */
347 
348 #define SADB_X_CREDTYPE_NONE         0
349 #define SADB_X_CREDTYPE_X509         1   /* ASN1 encoding of the certificate */
350 #define SADB_X_CREDTYPE_KEYNOTE      2   /* NUL-terminated buffer */
351 #define SADB_X_CREDTYPE_MAX          3
352 
353 #ifdef _KERNEL
354 #define PFKEYV2_AUTH_LOCAL           0
355 #define PFKEYV2_AUTH_REMOTE          1
356 
357 #define PFKEYV2_CRED_LOCAL           0
358 #define PFKEYV2_CRED_REMOTE          1
359 #endif /* _KERNEL */
360 
361 #define SADB_X_AUTHTYPE_NONE         0
362 #define SADB_X_AUTHTYPE_PASSPHRASE   1
363 #define SADB_X_AUTHTYPE_RSA          2
364 #define SADB_X_AUTHTYPE_MAX          2
365 
366 #define SADB_X_FLOW_TYPE_USE           1
367 #define SADB_X_FLOW_TYPE_ACQUIRE       2
368 #define SADB_X_FLOW_TYPE_REQUIRE       3
369 #define SADB_X_FLOW_TYPE_BYPASS        4
370 #define SADB_X_FLOW_TYPE_DENY          5
371 #define SADB_X_FLOW_TYPE_DONTACQ       6
372 
373 #ifdef _KERNEL
374 struct tdb;
375 struct socket;
376 struct mbuf;
377 
378 #define EXTLEN(x) (((struct sadb_ext *)(x))->sadb_ext_len * sizeof(uint64_t))
379 #define PADUP(x) (((x) + sizeof(uint64_t) - 1) & ~(sizeof(uint64_t) - 1))
380 
381 struct pfkey_version
382 {
383 	int protocol;
384 	int (*create)(struct socket *socket);
385 	int (*release)(struct socket *socket);
386 	int (*send)(struct socket *socket, void *message, int len);
387 };
388 
389 struct pfkeyv2_socket
390 {
391 	struct pfkeyv2_socket *next;
392 	struct socket *socket;
393 	int flags;
394 	uint32_t pid;
395 	uint32_t registration;    /* Increase size if SATYPE_MAX > 31 */
396 };
397 
398 struct dump_state
399 {
400 	struct sadb_msg *sadb_msg;
401 	struct socket *socket;
402 };
403 
404 int pfkeyv2_init(void);
405 int pfkeyv2_cleanup(void);
406 int pfkeyv2_parsemessage(void *, int, void **);
407 int pfkeyv2_expire(struct tdb *, u_int16_t);
408 int pfkeyv2_acquire(struct ipsec_policy *, union sockaddr_union *,
409     union sockaddr_union *, u_int32_t *, struct sockaddr_encap *);
410 
411 int pfkey_register(struct pfkey_version *version);
412 int pfkey_unregister(struct pfkey_version *version);
413 int pfkey_sendup(struct socket *socket, struct mbuf *packet, int more);
414 
415 int pfkeyv2_create(struct socket *);
416 int pfkeyv2_get(struct tdb *, void **, void **);
417 int pfkeyv2_policy(struct ipsec_acquire *, void **, void **);
418 int pfkeyv2_release(struct socket *);
419 int pfkeyv2_send(struct socket *, void *, int);
420 int pfkeyv2_sendmessage(void **, int, struct socket *, u_int8_t, int);
421 int pfkeyv2_dump_walker(struct tdb *, void *, int);
422 int pfkeyv2_flush_walker(struct tdb *, void *, int);
423 int pfkeyv2_get_proto_alg(u_int8_t, u_int8_t *, int *);
424 
425 int pfdatatopacket(void *, int, struct mbuf **);
426 
427 void export_address(void **, struct sockaddr *);
428 void export_identity(void **, struct tdb *, int);
429 void export_lifetime(void **, struct tdb *, int);
430 void export_credentials(void **, struct tdb *, int);
431 void export_sa(void **, struct tdb *);
432 void export_key(void **, struct tdb *, int);
433 void export_auth(void **, struct tdb *, int);
434 void export_udpencap(void **, struct tdb *);
435 
436 void import_auth(struct tdb *, struct sadb_x_cred *, int);
437 void import_address(struct sockaddr *, struct sadb_address *);
438 void import_identity(struct tdb *, struct sadb_ident *, int);
439 void import_key(struct ipsecinit *, struct sadb_key *, int);
440 void import_lifetime(struct tdb *, struct sadb_lifetime *, int);
441 void import_credentials(struct tdb *, struct sadb_x_cred *, int);
442 void import_sa(struct tdb *, struct sadb_sa *, struct ipsecinit *);
443 void import_flow(struct sockaddr_encap *, struct sockaddr_encap *,
444     struct sadb_address *, struct sadb_address *, struct sadb_address *,
445     struct sadb_address *, struct sadb_protocol *, struct sadb_protocol *);
446 void import_udpencap(struct tdb *, struct sadb_x_udpencap *);
447 #endif /* _KERNEL */
448 #endif /* _NET_PFKEY_V2_H_ */
449