blob: c1bde9fcb732651596c347607aaf8df5db49aad9 [file] [log] [blame]
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or
* See the License for the specific language governing permissions
* and limitations under the License.
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
#ifdef __cplusplus
extern "C" {
#include <sys/crypto/common.h>
* IPsec informational messages. These are M_CTL STREAMS messages, which
* convey IPsec information between various IP and related modules. Most
* have been deprecated by the de-STREAMS-ing of TCP/IP. What remains is:
* * Keysock consumer interface - These messages are wrappers for
* PF_KEY messages. They flow between AH/ESP and keysock.
* The IPsec M_CTL value MUST be something that will not be even close
* to an IPv4 or IPv6 header. This means the first byte must not be
* 0x40 - 0x4f or 0x60-0x6f. For big-endian machines, this is fixable with
* the IPSEC_M_CTL prefix. For little-endian machines, the actual M_CTL
* _type_ must not be in the aforementioned ranges.
* The reason for this avoidance is because M_CTL's with a real IPv4/IPv6
* datagram get sent from to TCP or UDP when an ICMP datagram affects a
* TCP/UDP session.
#define IPSEC_M_CTL 0x73706900
* M_CTL types for IPsec messages. Remember, the values 0x40 - 0x4f and 0x60
* - 0x6f are not to be used because of potential little-endian confusion.
* Offsets 3-7 (decimal) are in use, spread through this file.
* Check for duplicates through the whole file before adding.
* Keysock consumer interface.
* The driver/module keysock (which is a driver to PF_KEY sockets, but is
* a module to 'consumers' like AH and ESP) uses keysock consumer interface
* messages to pass on PF_KEY messages to consumers who process and act upon
* them.
#define KEYSOCK_IN (IPSEC_M_CTL + 3)
* KEYSOCK_HELLO is sent by keysock to a consumer when it is pushed on top
* of one (i.e. opened as a module).
* NOTE: Keysock_hello is simply an ipsec_info_t
* KEYSOCK_HELLO_ACK is sent by a consumer to acknowledge a KEYSOCK_HELLO.
* It contains the PF_KEYv2 sa_type, so keysock can redirect PF_KEY messages
* to the right consumer.
typedef struct keysock_hello_ack_s {
uint32_t ks_hello_type;
uint32_t ks_hello_len;
uint8_t ks_hello_satype; /* PF_KEYv2 sa_type of ks client */
} keysock_hello_ack_t;
#define KS_IN_ADDR_ME 3
#define KS_IN_ADDR_NOTME 4
* KEYSOCK_IN is a PF_KEY message from a PF_KEY socket destined for a consumer.
typedef struct keysock_in_s {
uint32_t ks_in_type;
uint32_t ks_in_len;
* NOTE: These pointers MUST be into the M_DATA that follows
* this M_CTL message. If they aren't, weirdness
* results.
struct sadb_ext *ks_in_extv[SADB_EXT_MAX + 1];
int ks_in_srctype; /* Source address type. */
int ks_in_dsttype; /* Dest address type. */
minor_t ks_in_serial; /* Serial # of sending socket. */
} keysock_in_t;
* KEYSOCK_OUT is a PF_KEY message from a consumer destined for a PF_KEY
* socket.
typedef struct keysock_out_s {
uint32_t ks_out_type;
uint32_t ks_out_len;
minor_t ks_out_serial; /* Serial # of sending socket. */
} keysock_out_t;
* KEYSOCK_OUT_ERR is sent to a consumer from keysock if for some reason
* keysock could not find a PF_KEY socket to deliver a consumer-originated
* message (e.g. SADB_ACQUIRE).
typedef struct keysock_out_err_s {
uint32_t ks_err_type;
uint32_t ks_err_len;
minor_t ks_err_serial;
int ks_err_errno;
* Other, richer error information may end up going here eventually.
} keysock_out_err_t;
* All IPsec informational messages are placed into the ipsec_info_t
* union, so that allocation can be done once, and IPsec informational
* messages can be recycled.
typedef union ipsec_info_u {
struct {
uint32_t ipsec_allu_type;
uint32_t ipsec_allu_len; /* In bytes */
} ipsec_allu;
keysock_hello_ack_t keysock_hello_ack;
keysock_in_t keysock_in;
keysock_out_t keysock_out;
keysock_out_err_t keysock_out_err;
} ipsec_info_t;
#define ipsec_info_type ipsec_allu.ipsec_allu_type
#define ipsec_info_len ipsec_allu.ipsec_allu_len
#ifdef __cplusplus
#endif /* _INET_IPSEC_INFO_H */