1 /* $OpenBSD: pfkeyv2.h,v 1.50 2004/01/27 09:27:17 markus Exp $ */ 2 /* 3 * @(#)COPYRIGHT 1.1 (NRL) January 1998 4 * 5 * NRL grants permission for redistribution and use in source and binary 6 * forms, with or without modification, of the software and documentation 7 * created at NRL provided that the following conditions are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. All advertising materials mentioning features or use of this software 15 * must display the following acknowledgements: 16 * This product includes software developed by the University of 17 * California, Berkeley and its contributors. 18 * This product includes software developed at the Information 19 * Technology Division, US Naval Research Laboratory. 20 * 4. Neither the name of the NRL nor the names of its contributors 21 * may be used to endorse or promote products derived from this software 22 * without specific prior written permission. 23 * 24 * THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS 25 * IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 26 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 27 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR 28 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 29 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 30 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 31 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 32 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 33 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 34 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 * 36 * The views and conclusions contained in the software and documentation 37 * are those of the authors and should not be interpreted as representing 38 * official policies, either expressed or implied, of the US Naval 39 * Research Laboratory (NRL). 40 */ 41 42 #ifndef _NET_PFKEY_V2_H_ 43 #define _NET_PFKEY_V2_H_ 44 45 #define PF_KEY_V2 2 46 #define PFKEYV2_REVISION 199806L 47 48 /* This should be updated whenever the API is altered. */ 49 #define _OPENBSD_IPSEC_API_VERSION 2 50 51 #define SADB_RESERVED 0 52 #define SADB_GETSPI 1 53 #define SADB_UPDATE 2 54 #define SADB_ADD 3 55 #define SADB_DELETE 4 56 #define SADB_GET 5 57 #define SADB_ACQUIRE 6 58 #define SADB_REGISTER 7 59 #define SADB_EXPIRE 8 60 #define SADB_FLUSH 9 61 #define SADB_DUMP 10 62 #define SADB_X_PROMISC 11 63 #define SADB_X_ADDFLOW 12 64 #define SADB_X_DELFLOW 13 65 #define SADB_X_GRPSPIS 14 66 #define SADB_X_ASKPOLICY 15 67 #define SADB_MAX 15 68 69 struct sadb_msg { 70 uint8_t sadb_msg_version; 71 uint8_t sadb_msg_type; 72 uint8_t sadb_msg_errno; 73 uint8_t sadb_msg_satype; 74 uint16_t sadb_msg_len; 75 uint16_t sadb_msg_reserved; 76 uint32_t sadb_msg_seq; 77 uint32_t sadb_msg_pid; 78 }; 79 80 struct sadb_ext { 81 uint16_t sadb_ext_len; 82 uint16_t sadb_ext_type; 83 }; 84 85 struct sadb_sa { 86 uint16_t sadb_sa_len; 87 uint16_t sadb_sa_exttype; 88 uint32_t sadb_sa_spi; 89 uint8_t sadb_sa_replay; 90 uint8_t sadb_sa_state; 91 uint8_t sadb_sa_auth; 92 uint8_t sadb_sa_encrypt; 93 uint32_t sadb_sa_flags; 94 }; 95 96 struct sadb_lifetime { 97 uint16_t sadb_lifetime_len; 98 uint16_t sadb_lifetime_exttype; 99 uint32_t sadb_lifetime_allocations; 100 uint64_t sadb_lifetime_bytes; 101 uint64_t sadb_lifetime_addtime; 102 uint64_t sadb_lifetime_usetime; 103 }; 104 105 struct sadb_address { 106 uint16_t sadb_address_len; 107 uint16_t sadb_address_exttype; 108 uint32_t sadb_address_reserved; 109 }; 110 111 struct sadb_key { 112 uint16_t sadb_key_len; 113 uint16_t sadb_key_exttype; 114 uint16_t sadb_key_bits; 115 uint16_t sadb_key_reserved; 116 }; 117 118 struct sadb_ident { 119 uint16_t sadb_ident_len; 120 uint16_t sadb_ident_exttype; 121 uint16_t sadb_ident_type; 122 uint16_t sadb_ident_reserved; 123 uint64_t sadb_ident_id; 124 }; 125 126 struct sadb_sens { 127 uint16_t sadb_sens_len; 128 uint16_t sadb_sens_exttype; 129 uint32_t sadb_sens_dpd; 130 uint8_t sadb_sens_sens_level; 131 uint8_t sadb_sens_sens_len; 132 uint8_t sadb_sens_integ_level; 133 uint8_t sadb_sens_integ_len; 134 uint32_t sadb_sens_reserved; 135 }; 136 137 struct sadb_prop { 138 uint16_t sadb_prop_len; 139 uint16_t sadb_prop_exttype; 140 uint8_t sadb_prop_num; 141 uint8_t sadb_prop_replay; 142 uint16_t sadb_prop_reserved; 143 }; 144 145 struct sadb_comb { 146 uint8_t sadb_comb_auth; 147 uint8_t sadb_comb_encrypt; 148 uint16_t sadb_comb_flags; 149 uint16_t sadb_comb_auth_minbits; 150 uint16_t sadb_comb_auth_maxbits; 151 uint16_t sadb_comb_encrypt_minbits; 152 uint16_t sadb_comb_encrypt_maxbits; 153 uint32_t sadb_comb_reserved; 154 uint32_t sadb_comb_soft_allocations; 155 uint32_t sadb_comb_hard_allocations; 156 uint64_t sadb_comb_soft_bytes; 157 uint64_t sadb_comb_hard_bytes; 158 uint64_t sadb_comb_soft_addtime; 159 uint64_t sadb_comb_hard_addtime; 160 uint64_t sadb_comb_soft_usetime; 161 uint64_t sadb_comb_hard_usetime; 162 }; 163 164 struct sadb_supported { 165 uint16_t sadb_supported_len; 166 uint16_t sadb_supported_exttype; 167 uint32_t sadb_supported_reserved; 168 }; 169 170 struct sadb_alg { 171 uint8_t sadb_alg_id; 172 uint8_t sadb_alg_ivlen; 173 uint16_t sadb_alg_minbits; 174 uint16_t sadb_alg_maxbits; 175 uint16_t sadb_alg_reserved; 176 }; 177 178 struct sadb_spirange { 179 uint16_t sadb_spirange_len; 180 uint16_t sadb_spirange_exttype; 181 uint32_t sadb_spirange_min; 182 uint32_t sadb_spirange_max; 183 uint32_t sadb_spirange_reserved; 184 }; 185 186 struct sadb_protocol { 187 uint16_t sadb_protocol_len; 188 uint16_t sadb_protocol_exttype; 189 uint8_t sadb_protocol_proto; 190 uint8_t sadb_protocol_direction; 191 uint8_t sadb_protocol_flags; 192 uint8_t sadb_protocol_reserved2; 193 }; 194 195 struct sadb_x_policy { 196 uint16_t sadb_x_policy_len; 197 uint16_t sadb_x_policy_exttype; 198 u_int32_t sadb_x_policy_seq; 199 }; 200 201 struct sadb_x_cred { 202 uint16_t sadb_x_cred_len; 203 uint16_t sadb_x_cred_exttype; 204 uint16_t sadb_x_cred_type; 205 uint16_t sadb_x_cred_reserved; 206 }; 207 208 struct sadb_x_udpencap { 209 uint16_t sadb_x_udpencap_len; 210 uint16_t sadb_x_udpencap_exttype; 211 uint16_t sadb_x_udpencap_port; 212 uint16_t sadb_x_udpencap_reserved; 213 }; 214 215 #ifdef _KERNEL 216 #define SADB_X_GETSPROTO(x) \ 217 ( (x) == SADB_SATYPE_AH ? IPPROTO_AH :\ 218 (x) == SADB_SATYPE_ESP ? IPPROTO_ESP :\ 219 (x) == SADB_X_SATYPE_TCPSIGNATURE ? IPPROTO_TCP :\ 220 (x) == SADB_X_SATYPE_IPCOMP ? IPPROTO_IPCOMP: IPPROTO_IPIP ) 221 #endif 222 223 #define SADB_EXT_RESERVED 0 224 #define SADB_EXT_SA 1 225 #define SADB_EXT_LIFETIME_CURRENT 2 226 #define SADB_EXT_LIFETIME_HARD 3 227 #define SADB_EXT_LIFETIME_SOFT 4 228 #define SADB_EXT_ADDRESS_SRC 5 229 #define SADB_EXT_ADDRESS_DST 6 230 #define SADB_EXT_ADDRESS_PROXY 7 231 #define SADB_EXT_KEY_AUTH 8 232 #define SADB_EXT_KEY_ENCRYPT 9 233 #define SADB_EXT_IDENTITY_SRC 10 234 #define SADB_EXT_IDENTITY_DST 11 235 #define SADB_EXT_SENSITIVITY 12 236 #define SADB_EXT_PROPOSAL 13 237 #define SADB_EXT_SUPPORTED_AUTH 14 238 #define SADB_EXT_SUPPORTED_ENCRYPT 15 239 #define SADB_EXT_SPIRANGE 16 240 #define SADB_X_EXT_SRC_MASK 17 241 #define SADB_X_EXT_DST_MASK 18 242 #define SADB_X_EXT_PROTOCOL 19 243 #define SADB_X_EXT_FLOW_TYPE 20 244 #define SADB_X_EXT_SRC_FLOW 21 245 #define SADB_X_EXT_DST_FLOW 22 246 #define SADB_X_EXT_SA2 23 247 #define SADB_X_EXT_DST2 24 248 #define SADB_X_EXT_POLICY 25 249 #define SADB_X_EXT_LOCAL_CREDENTIALS 26 250 #define SADB_X_EXT_REMOTE_CREDENTIALS 27 251 #define SADB_X_EXT_LOCAL_AUTH 28 252 #define SADB_X_EXT_REMOTE_AUTH 29 253 #define SADB_X_EXT_SUPPORTED_COMP 30 254 #define SADB_X_EXT_UDPENCAP 31 255 #define SADB_EXT_MAX 31 256 257 /* Fix pfkeyv2.c struct pfkeyv2_socket if SATYPE_MAX > 31 */ 258 #define SADB_SATYPE_UNSPEC 0 259 #define SADB_SATYPE_AH 1 260 #define SADB_SATYPE_ESP 2 261 #define SADB_SATYPE_RSVP 3 262 #define SADB_SATYPE_OSPFV2 4 263 #define SADB_SATYPE_RIPV2 5 264 #define SADB_SATYPE_MIP 6 265 #define SADB_X_SATYPE_IPIP 7 266 #define SADB_X_SATYPE_TCPSIGNATURE 8 267 #define SADB_X_SATYPE_IPCOMP 9 268 #define SADB_SATYPE_MAX 9 269 270 #define SADB_SASTATE_LARVAL 0 271 #define SADB_SASTATE_MATURE 1 272 #define SADB_SASTATE_DYING 2 273 #define SADB_SASTATE_DEAD 3 274 #define SADB_SASTATE_MAX 3 275 276 #define SADB_AALG_NONE 0 277 #define SADB_AALG_MD5HMAC 2 278 #define SADB_AALG_SHA1HMAC 3 279 #define SADB_X_AALG_DES 4 280 #define SADB_X_AALG_SHA2_256 5 281 #define SADB_X_AALG_SHA2_384 6 282 #define SADB_X_AALG_SHA2_512 7 283 #define SADB_X_AALG_RIPEMD160HMAC 8 284 #define SADB_X_AALG_MD5 249 285 #define SADB_X_AALG_SHA1 250 286 #define SADB_AALG_MAX 250 287 288 #define SADB_EALG_NONE 0 289 #define SADB_X_EALG_DES_IV64 1 290 #define SADB_EALG_DESCBC 2 291 #define SADB_EALG_3DESCBC 3 292 #define SADB_X_EALG_RC5 4 293 #define SADB_X_EALG_IDEA 5 294 #define SADB_X_EALG_CAST 6 295 #define SADB_X_EALG_BLF 7 296 #define SADB_X_EALG_3IDEA 8 297 #define SADB_X_EALG_DES_IV32 9 298 #define SADB_X_EALG_RC4 10 299 #define SADB_EALG_NULL 11 300 #define SADB_X_EALG_AES 12 301 #define SADB_X_EALG_SKIPJACK 249 302 #define SADB_EALG_MAX 249 303 304 #define SADB_X_CALG_NONE 0 305 #define SADB_X_CALG_OUI 1 306 #define SADB_X_CALG_DEFLATE 2 307 #define SADB_X_CALG_LZS 3 308 #define SADB_X_CALG_MAX 3 309 310 #define SADB_SAFLAGS_PFS 0x001 /* perfect forward secrecy */ 311 #define SADB_X_SAFLAGS_HALFIV 0x002 /* Used for ESP-old */ 312 #define SADB_X_SAFLAGS_TUNNEL 0x004 /* Force tunneling */ 313 #define SADB_X_SAFLAGS_CHAINDEL 0x008 /* Delete whole SA chain */ 314 #define SADB_X_SAFLAGS_RANDOMPADDING 0x080 /* Random ESP padding */ 315 #define SADB_X_SAFLAGS_NOREPLAY 0x100 /* No replay counter */ 316 #define SADB_X_SAFLAGS_UDPENCAP 0x200 /* ESP in UDP */ 317 318 #define SADB_X_POLICYFLAGS_POLICY 0x0001 /* This is a static policy */ 319 320 #define SADB_IDENTTYPE_RESERVED 0 321 #define SADB_IDENTTYPE_PREFIX 1 322 #define SADB_IDENTTYPE_FQDN 2 323 #define SADB_IDENTTYPE_USERFQDN 3 324 #define SADB_X_IDENTTYPE_CONNECTION 4 325 #define SADB_IDENTTYPE_MAX 4 326 327 #define SADB_KEY_FLAGS_MAX 0 328 329 #ifdef _KERNEL 330 #define PFKEYV2_LIFETIME_HARD 0 331 #define PFKEYV2_LIFETIME_SOFT 1 332 #define PFKEYV2_LIFETIME_CURRENT 2 333 334 #define PFKEYV2_IDENTITY_SRC 0 335 #define PFKEYV2_IDENTITY_DST 1 336 337 #define PFKEYV2_ENCRYPTION_KEY 0 338 #define PFKEYV2_AUTHENTICATION_KEY 1 339 340 #define PFKEYV2_SOCKETFLAGS_REGISTERED 1 341 #define PFKEYV2_SOCKETFLAGS_PROMISC 2 342 343 #define PFKEYV2_SENDMESSAGE_UNICAST 1 344 #define PFKEYV2_SENDMESSAGE_REGISTERED 2 345 #define PFKEYV2_SENDMESSAGE_BROADCAST 3 346 #endif /* _KERNEL */ 347 348 #define SADB_X_CREDTYPE_NONE 0 349 #define SADB_X_CREDTYPE_X509 1 /* ASN1 encoding of the certificate */ 350 #define SADB_X_CREDTYPE_KEYNOTE 2 /* NUL-terminated buffer */ 351 #define SADB_X_CREDTYPE_MAX 3 352 353 #ifdef _KERNEL 354 #define PFKEYV2_AUTH_LOCAL 0 355 #define PFKEYV2_AUTH_REMOTE 1 356 357 #define PFKEYV2_CRED_LOCAL 0 358 #define PFKEYV2_CRED_REMOTE 1 359 #endif /* _KERNEL */ 360 361 #define SADB_X_AUTHTYPE_NONE 0 362 #define SADB_X_AUTHTYPE_PASSPHRASE 1 363 #define SADB_X_AUTHTYPE_RSA 2 364 #define SADB_X_AUTHTYPE_MAX 2 365 366 #define SADB_X_FLOW_TYPE_USE 1 367 #define SADB_X_FLOW_TYPE_ACQUIRE 2 368 #define SADB_X_FLOW_TYPE_REQUIRE 3 369 #define SADB_X_FLOW_TYPE_BYPASS 4 370 #define SADB_X_FLOW_TYPE_DENY 5 371 #define SADB_X_FLOW_TYPE_DONTACQ 6 372 373 #ifdef _KERNEL 374 struct tdb; 375 struct socket; 376 struct mbuf; 377 378 #define EXTLEN(x) (((struct sadb_ext *)(x))->sadb_ext_len * sizeof(uint64_t)) 379 #define PADUP(x) (((x) + sizeof(uint64_t) - 1) & ~(sizeof(uint64_t) - 1)) 380 381 struct pfkey_version 382 { 383 int protocol; 384 int (*create)(struct socket *socket); 385 int (*release)(struct socket *socket); 386 int (*send)(struct socket *socket, void *message, int len); 387 }; 388 389 struct pfkeyv2_socket 390 { 391 struct pfkeyv2_socket *next; 392 struct socket *socket; 393 int flags; 394 uint32_t pid; 395 uint32_t registration; /* Increase size if SATYPE_MAX > 31 */ 396 }; 397 398 struct dump_state 399 { 400 struct sadb_msg *sadb_msg; 401 struct socket *socket; 402 }; 403 404 int pfkeyv2_init(void); 405 int pfkeyv2_cleanup(void); 406 int pfkeyv2_parsemessage(void *, int, void **); 407 int pfkeyv2_expire(struct tdb *, u_int16_t); 408 int pfkeyv2_acquire(struct ipsec_policy *, union sockaddr_union *, 409 union sockaddr_union *, u_int32_t *, struct sockaddr_encap *); 410 411 int pfkey_register(struct pfkey_version *version); 412 int pfkey_unregister(struct pfkey_version *version); 413 int pfkey_sendup(struct socket *socket, struct mbuf *packet, int more); 414 415 int pfkeyv2_create(struct socket *); 416 int pfkeyv2_get(struct tdb *, void **, void **); 417 int pfkeyv2_policy(struct ipsec_acquire *, void **, void **); 418 int pfkeyv2_release(struct socket *); 419 int pfkeyv2_send(struct socket *, void *, int); 420 int pfkeyv2_sendmessage(void **, int, struct socket *, u_int8_t, int); 421 int pfkeyv2_dump_walker(struct tdb *, void *, int); 422 int pfkeyv2_flush_walker(struct tdb *, void *, int); 423 int pfkeyv2_get_proto_alg(u_int8_t, u_int8_t *, int *); 424 425 int pfdatatopacket(void *, int, struct mbuf **); 426 427 void export_address(void **, struct sockaddr *); 428 void export_identity(void **, struct tdb *, int); 429 void export_lifetime(void **, struct tdb *, int); 430 void export_credentials(void **, struct tdb *, int); 431 void export_sa(void **, struct tdb *); 432 void export_key(void **, struct tdb *, int); 433 void export_auth(void **, struct tdb *, int); 434 void export_udpencap(void **, struct tdb *); 435 436 void import_auth(struct tdb *, struct sadb_x_cred *, int); 437 void import_address(struct sockaddr *, struct sadb_address *); 438 void import_identity(struct tdb *, struct sadb_ident *, int); 439 void import_key(struct ipsecinit *, struct sadb_key *, int); 440 void import_lifetime(struct tdb *, struct sadb_lifetime *, int); 441 void import_credentials(struct tdb *, struct sadb_x_cred *, int); 442 void import_sa(struct tdb *, struct sadb_sa *, struct ipsecinit *); 443 void import_flow(struct sockaddr_encap *, struct sockaddr_encap *, 444 struct sadb_address *, struct sadb_address *, struct sadb_address *, 445 struct sadb_address *, struct sadb_protocol *, struct sadb_protocol *); 446 void import_udpencap(struct tdb *, struct sadb_x_udpencap *); 447 #endif /* _KERNEL */ 448 #endif /* _NET_PFKEY_V2_H_ */ 449