5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
25 */
26
27 #ifndef _INET_SADB_H
28 #define _INET_SADB_H
29
30 #ifdef __cplusplus
31 extern "C" {
32 #endif
33
34 #include <inet/ipsec_info.h>
35 #include <sys/crypto/common.h>
36 #include <sys/crypto/api.h>
37 #include <sys/note.h>
38
39 #define IPSA_MAX_ADDRLEN 4 /* Max address len. (in 32-bits) for an SA. */
40
41 #define MAXSALTSIZE 8
42
43 /*
44 * For combined mode ciphers, store the crypto_mechanism_t in the
230 time_t ipsa_idleuselt; /* Seconds of idle time after first use */
231 uint64_t ipsa_softbyteslt; /* Bytes of soft lifetime. */
232 uint64_t ipsa_hardbyteslt; /* Bytes of hard lifetime. */
233 uint64_t ipsa_bytes; /* Bytes encrypted/authed by this SA. */
234
235 /*
236 * "Allocations" are a concept mentioned in PF_KEYv2. We do not
237 * support them, except to record them per the PF_KEYv2 spec.
238 */
239 uint_t ipsa_softalloc; /* Allocations allowed (soft). */
240 uint_t ipsa_hardalloc; /* Allocations allowed (hard). */
241 uint_t ipsa_alloc; /* Allocations made. */
242
243 uint_t ipsa_type; /* Type of security association. (AH/etc.) */
244 uint_t ipsa_state; /* State of my association. */
245 uint_t ipsa_replay_wsize; /* Size of replay window */
246 uint32_t ipsa_flags; /* Flags for security association. */
247 uint32_t ipsa_spi; /* Security parameters index. */
248 uint32_t ipsa_replay; /* Highest seen replay value for this SA. */
249 uint32_t ipsa_kmp; /* key management proto */
250 uint32_t ipsa_kmc; /* key management cookie */
251
252 boolean_t ipsa_haspeer; /* Has peer in another table. */
253
254 /*
255 * Address storage.
256 * The source address can be INADDR_ANY, IN6ADDR_ANY, etc.
257 *
258 * Address families (per sys/socket.h) guide us. We could have just
259 * used sockaddr_storage
260 */
261 sa_family_t ipsa_addrfam;
262 sa_family_t ipsa_innerfam; /* Inner AF can be != src/dst AF. */
263
264 uint32_t ipsa_srcaddr[IPSA_MAX_ADDRLEN];
265 uint32_t ipsa_dstaddr[IPSA_MAX_ADDRLEN];
266 uint32_t ipsa_innersrc[IPSA_MAX_ADDRLEN];
267 uint32_t ipsa_innerdst[IPSA_MAX_ADDRLEN];
268
269 uint8_t ipsa_innersrcpfx;
270 uint8_t ipsa_innerdstpfx;
673 * and then can be used as a parameter to sadb_match_query() which returns
674 * B_TRUE if the SA matches the query.
675 *
676 * Under the covers, sadb_form_query populates the matchers[] array with
677 * functions which are called one at a time until one fails to match.
678 */
679 struct ipsa_query_s {
680 uint32_t req, match;
681 sadb_address_t *srcext, *dstext;
682 sadb_ident_t *srcid, *dstid;
683 sadb_x_kmc_t *kmcext;
684 sadb_sa_t *assoc;
685 uint32_t spi;
686 struct sockaddr_in *src;
687 struct sockaddr_in6 *src6;
688 struct sockaddr_in *dst;
689 struct sockaddr_in6 *dst6;
690 sa_family_t af;
691 uint32_t *srcaddr, *dstaddr;
692 uint32_t ifindex;
693 uint32_t kmc, kmp;
694 char *didstr, *sidstr;
695 uint16_t didtype, sidtype;
696 sadbp_t *spp;
697 sadb_t *sp;
698 isaf_t *inbound, *outbound;
699 uint32_t outhash;
700 uint32_t inhash;
701 ipsa_match_fn_t matchers[IPSA_NMATCH];
702 };
703
704 #define IPSA_Q_SA 0x00000001
705 #define IPSA_Q_DST 0x00000002
706 #define IPSA_Q_SRC 0x00000004
707 #define IPSA_Q_DSTID 0x00000008
708 #define IPSA_Q_SRCID 0x00000010
709 #define IPSA_Q_KMC 0x00000020
710 #define IPSA_Q_INBOUND 0x00000040 /* fill in inbound isaf_t */
711 #define IPSA_Q_OUTBOUND 0x00000080 /* fill in outbound isaf_t */
712
713 int sadb_form_query(keysock_in_t *, uint32_t, uint32_t, ipsa_query_t *, int *);
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
25 * Copyright 2017 Joyent, Inc.
26 */
27
28 #ifndef _INET_SADB_H
29 #define _INET_SADB_H
30
31 #ifdef __cplusplus
32 extern "C" {
33 #endif
34
35 #include <inet/ipsec_info.h>
36 #include <sys/crypto/common.h>
37 #include <sys/crypto/api.h>
38 #include <sys/note.h>
39
40 #define IPSA_MAX_ADDRLEN 4 /* Max address len. (in 32-bits) for an SA. */
41
42 #define MAXSALTSIZE 8
43
44 /*
45 * For combined mode ciphers, store the crypto_mechanism_t in the
231 time_t ipsa_idleuselt; /* Seconds of idle time after first use */
232 uint64_t ipsa_softbyteslt; /* Bytes of soft lifetime. */
233 uint64_t ipsa_hardbyteslt; /* Bytes of hard lifetime. */
234 uint64_t ipsa_bytes; /* Bytes encrypted/authed by this SA. */
235
236 /*
237 * "Allocations" are a concept mentioned in PF_KEYv2. We do not
238 * support them, except to record them per the PF_KEYv2 spec.
239 */
240 uint_t ipsa_softalloc; /* Allocations allowed (soft). */
241 uint_t ipsa_hardalloc; /* Allocations allowed (hard). */
242 uint_t ipsa_alloc; /* Allocations made. */
243
244 uint_t ipsa_type; /* Type of security association. (AH/etc.) */
245 uint_t ipsa_state; /* State of my association. */
246 uint_t ipsa_replay_wsize; /* Size of replay window */
247 uint32_t ipsa_flags; /* Flags for security association. */
248 uint32_t ipsa_spi; /* Security parameters index. */
249 uint32_t ipsa_replay; /* Highest seen replay value for this SA. */
250 uint32_t ipsa_kmp; /* key management proto */
251 uint64_t ipsa_kmc; /* key management cookie (now 64-bit) */
252
253 boolean_t ipsa_haspeer; /* Has peer in another table. */
254
255 /*
256 * Address storage.
257 * The source address can be INADDR_ANY, IN6ADDR_ANY, etc.
258 *
259 * Address families (per sys/socket.h) guide us. We could have just
260 * used sockaddr_storage
261 */
262 sa_family_t ipsa_addrfam;
263 sa_family_t ipsa_innerfam; /* Inner AF can be != src/dst AF. */
264
265 uint32_t ipsa_srcaddr[IPSA_MAX_ADDRLEN];
266 uint32_t ipsa_dstaddr[IPSA_MAX_ADDRLEN];
267 uint32_t ipsa_innersrc[IPSA_MAX_ADDRLEN];
268 uint32_t ipsa_innerdst[IPSA_MAX_ADDRLEN];
269
270 uint8_t ipsa_innersrcpfx;
271 uint8_t ipsa_innerdstpfx;
674 * and then can be used as a parameter to sadb_match_query() which returns
675 * B_TRUE if the SA matches the query.
676 *
677 * Under the covers, sadb_form_query populates the matchers[] array with
678 * functions which are called one at a time until one fails to match.
679 */
680 struct ipsa_query_s {
681 uint32_t req, match;
682 sadb_address_t *srcext, *dstext;
683 sadb_ident_t *srcid, *dstid;
684 sadb_x_kmc_t *kmcext;
685 sadb_sa_t *assoc;
686 uint32_t spi;
687 struct sockaddr_in *src;
688 struct sockaddr_in6 *src6;
689 struct sockaddr_in *dst;
690 struct sockaddr_in6 *dst6;
691 sa_family_t af;
692 uint32_t *srcaddr, *dstaddr;
693 uint32_t ifindex;
694 uint32_t kmp;
695 uint64_t kmc;
696 char *didstr, *sidstr;
697 uint16_t didtype, sidtype;
698 sadbp_t *spp;
699 sadb_t *sp;
700 isaf_t *inbound, *outbound;
701 uint32_t outhash;
702 uint32_t inhash;
703 ipsa_match_fn_t matchers[IPSA_NMATCH];
704 };
705
706 #define IPSA_Q_SA 0x00000001
707 #define IPSA_Q_DST 0x00000002
708 #define IPSA_Q_SRC 0x00000004
709 #define IPSA_Q_DSTID 0x00000008
710 #define IPSA_Q_SRCID 0x00000010
711 #define IPSA_Q_KMC 0x00000020
712 #define IPSA_Q_INBOUND 0x00000040 /* fill in inbound isaf_t */
713 #define IPSA_Q_OUTBOUND 0x00000080 /* fill in outbound isaf_t */
714
715 int sadb_form_query(keysock_in_t *, uint32_t, uint32_t, ipsa_query_t *, int *);
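Review bot: Widening `ipsa_kmc` (new line 251) and `ipsa_query_s.kmc` (new line 695) to `uint64_t` only helps if every producer and consumer of the cookie is widened with them; the IPSA_Q_KMC matcher that sadb_form_query installs and the PF_KEY `sadb_x_kmc_t` marshalling are not in this hunk, so confirm they copy and compare the full 64 bits rather than a `(uint32_t)` value, otherwise two cookies that differ only in their upper half would be treated as the same key-management instance. The field comment `/* key management cookie (now 64-bit) */` records history rather than meaning; the type already says it is 64-bit, so `/* key management cookie */` is enough. If a 32-bit cookie from older callers must still be accepted, a comment on `kmc` in ipsa_query_s saying how it is widened (zero-extended or not) would keep the two structs in agreement. The struct that holds `ipsa_kmc` begins before this hunk, so its other 32-bit cookie users, if any, are not visible here.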