0001 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
0002 #ifndef _LINUX_XFRM_H
0003 #define _LINUX_XFRM_H
0004 
0005 #include <linux/in6.h>
0006 #include <linux/types.h>
0007 
0008 /* All of the structures in this file may not change size as they are
0009  * passed into the kernel from userspace via netlink sockets.
0010  */
0011 
/* Structure to encapsulate addresses. I do not want to use
 * "standard" structure. My apologies.
 *
 * All three members overlay the same storage: a4 is the IPv4 view (the
 * first 4 bytes), a6[4] and in6 are two spellings of the 16-byte IPv6
 * view. The union itself does not record which view is valid; the
 * address family travels in the enclosing structure (e.g. the 'family'
 * fields of struct xfrm_selector and struct xfrm_usersa_id), so a reader
 * must consult that field before interpreting the bytes.
 */
typedef union {
    __be32      a4;
    __be32      a6[4];
    struct in6_addr in6;
} xfrm_address_t;
0020 
/* Ident of a specific xfrm_state. It is used on input to lookup
 * the state by (spi,daddr,ah/esp) or to store information about
 * spi, protocol and tunnel address on output.
 *
 * spi is in network byte order (the __be32 type); daddr is interpreted
 * according to the family carried by the enclosing message, not by
 * anything in this struct.
 */
struct xfrm_id {
    xfrm_address_t  daddr;  /* destination / tunnel address */
    __be32      spi;        /* Security Parameter Index, network order */
    __u8        proto;      /* IPsec protocol selecting the state (ah/esp per the note above) */
};
0030 
/* LSM security context carried in an XFRMA_SEC_CTX attribute.
 * ctx_doi / ctx_alg take the XFRM_SC_DOI_* / XFRM_SC_ALG_* values below.
 *
 * ctx_str is a flexible array member: this header fixes neither its size
 * nor a terminating NUL. ctx_len presumably gives the number of bytes that
 * follow (confirm against the parser); a consumer must bound every read
 * of ctx_str by a length it has already validated against the enclosing
 * netlink attribute, rather than treating ctx_str as a C string.
 */
struct xfrm_sec_ctx {
    __u8    ctx_doi;    /* XFRM_SC_DOI_* */
    __u8    ctx_alg;    /* XFRM_SC_ALG_* */
    __u16   ctx_len;    /* length of ctx_str (bytes, presumably) */
    __u32   ctx_sid;
    char    ctx_str[];  /* variable-length context, not self-terminating */
};
0038 
/* Security Context Domains of Interpretation (struct xfrm_sec_ctx.ctx_doi) */
#define XFRM_SC_DOI_RESERVED 0
#define XFRM_SC_DOI_LSM 1

/* Security Context Algorithms (struct xfrm_sec_ctx.ctx_alg).
 * Only SELinux is given a value here; other LSMs are not enumerated. */
#define XFRM_SC_ALG_RESERVED 0
#define XFRM_SC_ALG_SELINUX 1
0046 
/* Selector, used as selector both on policy rules (SPD) and SAs.
 *
 * daddr/saddr are read according to 'family' (see the note on
 * xfrm_address_t) and matched on prefixlen_d/prefixlen_s bits. The ports
 * are network byte order and each comes with a *_mask companion, which
 * presumably is ANDed with the packet's port before comparison - the
 * exact mask semantics are not stated in this header, verify against the
 * matching code. ifindex is the only signed field in the selector.
 */

struct xfrm_selector {
    xfrm_address_t  daddr;
    xfrm_address_t  saddr;
    __be16  dport;          /* destination port, network order */
    __be16  dport_mask;
    __be16  sport;          /* source port, network order */
    __be16  sport_mask;
    __u16   family;         /* address family selecting the daddr/saddr view */
    __u8    prefixlen_d;    /* matched prefix bits of daddr */
    __u8    prefixlen_s;    /* matched prefix bits of saddr */
    __u8    proto;          /* IP protocol number */
    int ifindex;            /* interface index restriction */
    __kernel_uid32_t    user;   /* owning uid */
};
0063 
/* All-ones __u64. Judging by the name and its placement next to the
 * lifetime fields below, this is the "no limit" sentinel for them. */
#define XFRM_INF (~(__u64)0)
0065 
/* Configured lifetime limits for an SA or policy. Every quantity has a
 * soft and a hard threshold: bytes, packets, seconds since the object was
 * added, and seconds since it was first used. XFRM_INF presumably disables
 * a limit. The soft/hard split pairs with the 'hard' flag of
 * struct xfrm_user_expire / struct xfrm_user_polexpire below; which
 * threshold notifies and which one retires the object is not spelled out
 * in this header.
 */
struct xfrm_lifetime_cfg {
    __u64   soft_byte_limit;
    __u64   hard_byte_limit;
    __u64   soft_packet_limit;
    __u64   hard_packet_limit;
    __u64   soft_add_expires_seconds;
    __u64   hard_add_expires_seconds;
    __u64   soft_use_expires_seconds;
    __u64   hard_use_expires_seconds;
};
0076 
/* Current lifetime counters, the running values compared against
 * struct xfrm_lifetime_cfg. add_time/use_time are __u64 timestamps;
 * their epoch and unit are not stated here (the cfg side counts seconds).
 */
struct xfrm_lifetime_cur {
    __u64   bytes;
    __u64   packets;
    __u64   add_time;
    __u64   use_time;
};
0083 
/* Legacy (non-ESN) anti-replay state: 32-bit sequence numbers and a single
 * __u32 bitmap, so this layout can track at most 32 packets of replay
 * window. oseq presumably is the outbound counter and seq the last
 * inbound one. Larger windows and 64-bit sequence numbers use
 * struct xfrm_replay_state_esn below.
 */
struct xfrm_replay_state {
    __u32   oseq;
    __u32   seq;
    __u32   bitmap;
};
0089 
/* Upper bound associated with struct xfrm_replay_state_esn below. Whether
 * it bounds bmp_len, replay_window or the attribute size - and in which
 * unit - is not fixed by this header; check the parser before relying on it. */
#define XFRMA_REPLAY_ESN_MAX    4096
0091 
/* Extended-sequence-number anti-replay state (XFRMA_REPLAY_ESN_VAL).
 * seq/seq_hi and oseq/oseq_hi together form 64-bit sequence numbers.
 *
 * bmp is a flexible array member whose size is described by bmp_len; the
 * relationship between bmp_len, replay_window and XFRMA_REPLAY_ESN_MAX
 * (and whether each is in words or bits) is not fixed here. A message can
 * claim a replay_window that the supplied bmp cannot hold, so a parser
 * must check replay_window against bmp_len and against the real attribute
 * length before indexing bmp. NOTE(review): confirm the units.
 */
struct xfrm_replay_state_esn {
    unsigned int    bmp_len;        /* size of bmp[] (unit: see note) */
    __u32       oseq;
    __u32       seq;
    __u32       oseq_hi;
    __u32       seq_hi;
    __u32       replay_window;      /* window size (unit: see note) */
    __u32       bmp[];              /* replay bitmap, variable length */
};
0101 
/* Algorithm name plus key, the payload of XFRMA_ALG_AUTH / XFRMA_ALG_CRYPT /
 * XFRMA_ALG_COMP.
 *
 * alg_name is a fixed 64-byte array and nothing in the layout forces a
 * terminating NUL, so string operations on it must be bounded.
 * alg_key_len is in bits; the bytes actually present in alg_key trail the
 * struct and must be reconciled with the enclosing attribute length
 * (bits -> bytes, rounding up) before being read. alg_key presumably holds
 * raw key material, so copies of this structure are secrets and should be
 * wiped rather than merely freed.
 */
struct xfrm_algo {
    char        alg_name[64];   /* not guaranteed NUL-terminated */
    unsigned int    alg_key_len;    /* in bits */
    char        alg_key[];      /* key bytes, variable length */
};
0107 
/* Authentication algorithm with an explicit truncation length, the payload
 * of XFRMA_ALG_AUTH_TRUNC. Same caveats as struct xfrm_algo: alg_name is
 * not guaranteed NUL-terminated, alg_key_len is in bits and the trailing
 * alg_key bytes must be checked against the attribute length, and the key
 * bytes are secret. alg_trunc_len, by its name, is the number of bits the
 * authenticator is truncated to; the header does not say what range the
 * kernel accepts.
 */
struct xfrm_algo_auth {
    char        alg_name[64];   /* not guaranteed NUL-terminated */
    unsigned int    alg_key_len;    /* in bits */
    unsigned int    alg_trunc_len;  /* in bits */
    char        alg_key[];      /* key bytes, variable length */
};
0114 
/* AEAD algorithm with an explicit ICV length, the payload of XFRMA_ALG_AEAD.
 * Same caveats as struct xfrm_algo: alg_name is not guaranteed
 * NUL-terminated, alg_key_len is in bits and the trailing alg_key bytes
 * must be checked against the attribute length, and the key bytes are
 * secret. alg_icv_len, by its name, is the integrity check value length.
 */
struct xfrm_algo_aead {
    char        alg_name[64];   /* not guaranteed NUL-terminated */
    unsigned int    alg_key_len;    /* in bits */
    unsigned int    alg_icv_len;    /* in bits */
    char        alg_key[];      /* key bytes, variable length */
};
0121 
/* Per-SA counters reported back in struct xfrm_usersa_info.stats.
 * 'replay' and 'integrity_failed' presumably count dropped replayed
 * packets and failed authentication checks respectively - both are
 * worth monitoring as a signal of tampering or misconfiguration.
 */
struct xfrm_stats {
    __u32   replay_window;
    __u32   replay;
    __u32   integrity_failed;
};
0127 
/* Policy types (struct xfrm_userpolicy_type.type). MAX is one past the
 * last real type; ANY (255) is a wildcard and deliberately not below MAX. */
enum {
    XFRM_POLICY_TYPE_MAIN   = 0,
    XFRM_POLICY_TYPE_SUB    = 1,
    XFRM_POLICY_TYPE_MAX    = 2,
    XFRM_POLICY_TYPE_ANY    = 255
};
0134 
/* Policy directions (the 'dir' fields below). MASK and MAX are both 3:
 * a direction occupies the low two bits and 3 is the bound, not a
 * direction - a value of 3 must be rejected, not indexed. */
enum {
    XFRM_POLICY_IN  = 0,
    XFRM_POLICY_OUT = 1,
    XFRM_POLICY_FWD = 2,
    XFRM_POLICY_MASK = 3,
    XFRM_POLICY_MAX = 3
};
0142 
/* Sharing scope of an SA or policy (the 'share' fields below). */
enum {
    XFRM_SHARE_ANY,     /* No limitations */
    XFRM_SHARE_SESSION, /* For this session only */
    XFRM_SHARE_USER,    /* For this user only */
    XFRM_SHARE_UNIQUE   /* Use once */
};
0149 
/* Encapsulation modes (struct xfrm_usersa_info.mode and friends).
 * XFRM_MODE_MAX is one past the last defined mode (BEET = 4), so a
 * validity check is 'mode < XFRM_MODE_MAX'. */
#define XFRM_MODE_TRANSPORT 0
#define XFRM_MODE_TUNNEL 1
#define XFRM_MODE_ROUTEOPTIMIZATION 2
#define XFRM_MODE_IN_TRIGGER 3
#define XFRM_MODE_BEET 4
#define XFRM_MODE_MAX 5
0156 
/* Netlink configuration messages.  */
/* Message types start at XFRM_MSG_BASE (0x10) and are numbered
 * consecutively from there. Each enumerator is shadowed by a same-named
 * macro so that userspace can test for a message type with #ifdef. The
 * values are ABI: new types must be appended just before __XFRM_MSG_MAX,
 * and XFRM_NR_MSGTYPES below is derived from that range. */
enum {
    XFRM_MSG_BASE = 0x10,

    XFRM_MSG_NEWSA = 0x10,
#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
    XFRM_MSG_DELSA,
#define XFRM_MSG_DELSA XFRM_MSG_DELSA
    XFRM_MSG_GETSA,
#define XFRM_MSG_GETSA XFRM_MSG_GETSA

    XFRM_MSG_NEWPOLICY,
#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
    XFRM_MSG_DELPOLICY,
#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
    XFRM_MSG_GETPOLICY,
#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY

    XFRM_MSG_ALLOCSPI,
#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
    XFRM_MSG_ACQUIRE,
#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
    XFRM_MSG_EXPIRE,
#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE

    XFRM_MSG_UPDPOLICY,
#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
    XFRM_MSG_UPDSA,
#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA

    XFRM_MSG_POLEXPIRE,
#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE

    XFRM_MSG_FLUSHSA,
#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
    XFRM_MSG_FLUSHPOLICY,
#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY

    XFRM_MSG_NEWAE,
#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE
    XFRM_MSG_GETAE,
#define XFRM_MSG_GETAE XFRM_MSG_GETAE

    XFRM_MSG_REPORT,
#define XFRM_MSG_REPORT XFRM_MSG_REPORT

    XFRM_MSG_MIGRATE,
#define XFRM_MSG_MIGRATE XFRM_MSG_MIGRATE

    XFRM_MSG_NEWSADINFO,
#define XFRM_MSG_NEWSADINFO XFRM_MSG_NEWSADINFO
    XFRM_MSG_GETSADINFO,
#define XFRM_MSG_GETSADINFO XFRM_MSG_GETSADINFO

    XFRM_MSG_NEWSPDINFO,
#define XFRM_MSG_NEWSPDINFO XFRM_MSG_NEWSPDINFO
    XFRM_MSG_GETSPDINFO,
#define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO

    XFRM_MSG_MAPPING,
#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING

    XFRM_MSG_SETDEFAULT,
#define XFRM_MSG_SETDEFAULT XFRM_MSG_SETDEFAULT
    XFRM_MSG_GETDEFAULT,
#define XFRM_MSG_GETDEFAULT XFRM_MSG_GETDEFAULT
    __XFRM_MSG_MAX
};
/* Highest valid message type (__XFRM_MSG_MAX is one past it). */
#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)

/* Number of message types, i.e. the size of a per-type dispatch table
 * indexed by (type - XFRM_MSG_BASE). */
#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
0228 
/*
 * Generic LSM security context for communicating to user space
 * NOTE: Same format as sadb_x_sec_ctx
 *
 * len/exttype presumably describe the whole attribute (a length + type
 * header) and ctx_len the context string that follows this struct; this
 * header does not declare that trailing data, so the same bounds checks
 * as for struct xfrm_sec_ctx.ctx_str apply. Beware that ctx_alg and
 * ctx_doi appear here in the opposite order to struct xfrm_sec_ctx
 * (ctx_doi, ctx_alg): copy field by field, never by offset.
 */
struct xfrm_user_sec_ctx {
    __u16           len;
    __u16           exttype;
    __u8            ctx_alg;  /* LSMs: e.g., selinux == 1 */
    __u8            ctx_doi;
    __u16           ctx_len;
};
0240 
/* Template describing an SA a policy requires; one or more of these form
 * the XFRMA_TMPL attribute. mode / share take XFRM_MODE_* / XFRM_SHARE_*.
 * aalgos/ealgos/calgos are __u32 values whose plural names suggest
 * bitmasks of acceptable auth/encryption/compression algorithms; the bit
 * assignment is not defined in this header.
 */
struct xfrm_user_tmpl {
    struct xfrm_id      id;
    __u16           family;     /* selects the saddr / id.daddr view */
    xfrm_address_t      saddr;
    __u32           reqid;      /* request id linking policy and SA */
    __u8            mode;       /* XFRM_MODE_* */
    __u8            share;      /* XFRM_SHARE_* */
    __u8            optional;   /* presumably: template may be unsatisfied */
    __u32           aalgos;
    __u32           ealgos;
    __u32           calgos;
};
0253 
/* Encapsulation parameters carried in the XFRMA_ENCAP attribute.
 * The ports are network byte order; the set of encap_type values is not
 * defined in this header. encap_oa is read according to the family of the
 * enclosing message.
 */
struct xfrm_encap_tmpl {
    __u16       encap_type;
    __be16      encap_sport;    /* network order */
    __be16      encap_dport;    /* network order */
    xfrm_address_t  encap_oa;   /* original address */
};
0260 
/* AEVENT flags  */
/* Bit flags, so they may be ORed together (struct xfrm_aevent_id.flags,
 * presumably). Note the arithmetic: __XFRM_AE_MAX is 65, so XFRM_AE_MAX
 * evaluates to 64 == XFRM_AE_CU, the highest single flag, not a count of
 * flags. The #define inside the braces is harmless preprocessor text. */
enum xfrm_ae_ftype_t {
    XFRM_AE_UNSPEC,
    XFRM_AE_RTHR=1, /* replay threshold*/
    XFRM_AE_RVAL=2, /* replay value */
    XFRM_AE_LVAL=4, /* lifetime value */
    XFRM_AE_ETHR=8, /* expiry timer threshold */
    XFRM_AE_CR=16, /* Event cause is replay update */
    XFRM_AE_CE=32, /* Event cause is timer expiry */
    XFRM_AE_CU=64, /* Event cause is policy update */
    __XFRM_AE_MAX

#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
};
0275 
/* Payload of XFRMA_POLICY_TYPE. type takes XFRM_POLICY_TYPE_*; the two
 * reserved fields pad the struct to 4 bytes and are presumably expected
 * to be zero.
 */
struct xfrm_userpolicy_type {
    __u8        type;       /* XFRM_POLICY_TYPE_* */
    __u16       reserved1;
    __u8        reserved2;
};
0281 
/* Netlink message attributes.  */
/* The trailing comment on each entry names the expected payload type.
 * Because these arrive from userspace, a receiver must validate the
 * attribute length against that type before casting - in particular for
 * the variable-length payloads (XFRMA_SEC_CTX, XFRMA_ALG_*,
 * XFRMA_REPLAY_ESN_VAL, XFRMA_TMPL), whose headers declare flexible
 * array members or repeat counts that the attribute length must cover.
 * Values are ABI: append new attributes before __XFRMA_MAX only. */
enum xfrm_attr_type_t {
    XFRMA_UNSPEC,
    XFRMA_ALG_AUTH,     /* struct xfrm_algo */
    XFRMA_ALG_CRYPT,    /* struct xfrm_algo */
    XFRMA_ALG_COMP,     /* struct xfrm_algo */
    XFRMA_ENCAP,        /* struct xfrm_algo + struct xfrm_encap_tmpl */
    XFRMA_TMPL,     /* 1 or more struct xfrm_user_tmpl */
    XFRMA_SA,       /* struct xfrm_usersa_info  */
    XFRMA_POLICY,       /*struct xfrm_userpolicy_info */
    XFRMA_SEC_CTX,      /* struct xfrm_sec_ctx */
    XFRMA_LTIME_VAL,
    XFRMA_REPLAY_VAL,
    XFRMA_REPLAY_THRESH,
    XFRMA_ETIMER_THRESH,
    XFRMA_SRCADDR,      /* xfrm_address_t */
    XFRMA_COADDR,       /* xfrm_address_t */
    XFRMA_LASTUSED,     /* __u64 */
    XFRMA_POLICY_TYPE,  /* struct xfrm_userpolicy_type */
    XFRMA_MIGRATE,
    XFRMA_ALG_AEAD,     /* struct xfrm_algo_aead */
    XFRMA_KMADDRESS,        /* struct xfrm_user_kmaddress */
    XFRMA_ALG_AUTH_TRUNC,   /* struct xfrm_algo_auth */
    XFRMA_MARK,     /* struct xfrm_mark */
    XFRMA_TFCPAD,       /* __u32 */
    XFRMA_REPLAY_ESN_VAL,   /* struct xfrm_replay_state_esn */
    XFRMA_SA_EXTRA_FLAGS,   /* __u32 */
    XFRMA_PROTO,        /* __u8 */
    XFRMA_ADDRESS_FILTER,   /* struct xfrm_address_filter */
    XFRMA_PAD,          /* placeholder, no payload documented here */
    XFRMA_OFFLOAD_DEV,  /* struct xfrm_user_offload */
    XFRMA_SET_MARK,     /* __u32 */
    XFRMA_SET_MARK_MASK,    /* __u32 */
    XFRMA_IF_ID,        /* __u32 */
    XFRMA_MTIMER_THRESH,    /* __u32 in seconds for input SA */
    __XFRMA_MAX

#define XFRMA_OUTPUT_MARK XFRMA_SET_MARK    /* Compatibility */
#define XFRMA_MAX (__XFRMA_MAX - 1)
};
0322 
/* Packet mark match (XFRMA_MARK): a value and the mask it is compared
 * under, presumably as (mark & m) == v. */
struct xfrm_mark {
    __u32           v; /* value */
    __u32           m; /* mask */
};
0327 
/* Attributes of the SAD info messages (XFRM_MSG_NEWSADINFO / GETSADINFO).
 * XFRMA_SAD_HINFO carries struct xfrmu_sadhinfo. */
enum xfrm_sadattr_type_t {
    XFRMA_SAD_UNSPEC,
    XFRMA_SAD_CNT,
    XFRMA_SAD_HINFO,
    __XFRMA_SAD_MAX

#define XFRMA_SAD_MAX (__XFRMA_SAD_MAX - 1)
};
0336 
/* SAD hash table sizing as reported to userspace. */
struct xfrmu_sadhinfo {
    __u32 sadhcnt; /* current hash bkts */
    __u32 sadhmcnt; /* max allowed hash bkts */
};
0341 
/* Attributes of the SPD info messages (XFRM_MSG_NEWSPDINFO / GETSPDINFO).
 * INFO -> struct xfrmu_spdinfo, HINFO -> struct xfrmu_spdhinfo,
 * IPV4_HTHRESH / IPV6_HTHRESH -> struct xfrmu_spdhthresh. */
enum xfrm_spdattr_type_t {
    XFRMA_SPD_UNSPEC,
    XFRMA_SPD_INFO,
    XFRMA_SPD_HINFO,
    XFRMA_SPD_IPV4_HTHRESH,
    XFRMA_SPD_IPV6_HTHRESH,
    __XFRMA_SPD_MAX

#define XFRMA_SPD_MAX (__XFRMA_SPD_MAX - 1)
};
0352 
/* SPD policy counts per direction (in/out/fwd). The *scnt fields are a
 * second set of per-direction counters; what distinguishes them from the
 * first set is not stated in this header.
 */
struct xfrmu_spdinfo {
    __u32 incnt;
    __u32 outcnt;
    __u32 fwdcnt;
    __u32 inscnt;
    __u32 outscnt;
    __u32 fwdscnt;
};
0361 
/* SPD hash table sizing, same shape as struct xfrmu_sadhinfo
 * (current bucket count, maximum bucket count). */
struct xfrmu_spdhinfo {
    __u32 spdhcnt;
    __u32 spdhmcnt;
};
0366 
/* SPD hash threshold (XFRMA_SPD_IPV4_HTHRESH / IPV6_HTHRESH). By their
 * names lbits/rbits are prefix-bit thresholds; their exact meaning is
 * not defined in this header.
 */
struct xfrmu_spdhthresh {
    __u8 lbits;
    __u8 rbits;
};
0371 
/* Full SA description exchanged in NEWSA/UPDSA/GETSA and the XFRMA_SA
 * attribute. 'family' selects the view of saddr and id.daddr.
 *
 * replay_window is a __u8, so at most 255 can be expressed here; larger
 * windows travel in the XFRMA_REPLAY_ESN_VAL attribute. The eight
 * XFRM_STATE_* bits exhaust the 8-bit 'flags' field, which is presumably
 * why XFRM_SA_XFLAG_* below live in the separate __u32
 * XFRMA_SA_EXTRA_FLAGS attribute.
 */
struct xfrm_usersa_info {
    struct xfrm_selector        sel;
    struct xfrm_id          id;
    xfrm_address_t          saddr;
    struct xfrm_lifetime_cfg    lft;
    struct xfrm_lifetime_cur    curlft;
    struct xfrm_stats       stats;
    __u32               seq;
    __u32               reqid;
    __u16               family;
    __u8                mode;       /* XFRM_MODE_xxx */
    __u8                replay_window;  /* at most 255; ESN uses XFRMA_REPLAY_ESN_VAL */
    __u8                flags;      /* OR of XFRM_STATE_* */
#define XFRM_STATE_NOECN    1
#define XFRM_STATE_DECAP_DSCP   2
#define XFRM_STATE_NOPMTUDISC   4
#define XFRM_STATE_WILDRECV 8
#define XFRM_STATE_ICMP     16
#define XFRM_STATE_AF_UNSPEC    32
#define XFRM_STATE_ALIGN4   64
#define XFRM_STATE_ESN      128
};
0394 
/* Extra SA flags; by their naming they belong in the __u32 carried by
 * XFRMA_SA_EXTRA_FLAGS rather than in struct xfrm_usersa_info.flags. */
#define XFRM_SA_XFLAG_DONT_ENCAP_DSCP   1
#define XFRM_SA_XFLAG_OSEQ_MAY_WRAP 2
0397 
/* Compact SA identifier (daddr, spi, family, proto), the same lookup key
 * as struct xfrm_id plus the family needed to read daddr. */
struct xfrm_usersa_id {
    xfrm_address_t          daddr;
    __be32              spi;        /* network order */
    __u16               family;     /* selects the daddr view */
    __u8                proto;
};
0404 
/* Identifies the SA an async event (NEWAE/GETAE) refers to. flags
 * presumably carries XFRM_AE_* bits. */
struct xfrm_aevent_id {
    struct xfrm_usersa_id       sa_id;
    xfrm_address_t          saddr;
    __u32               flags;      /* XFRM_AE_* (presumably) */
    __u32               reqid;
};
0411 
/* XFRM_MSG_ALLOCSPI request: the SA to create plus, by their names, the
 * inclusive SPI range [min, max] the caller will accept. */
struct xfrm_userspi_info {
    struct xfrm_usersa_info     info;
    __u32               min;
    __u32               max;
};
0417 
/* Full policy description exchanged in NEWPOLICY/UPDPOLICY/GETPOLICY and
 * the XFRMA_POLICY attribute. dir takes XFRM_POLICY_IN/OUT/FWD, action
 * XFRM_POLICY_ALLOW/BLOCK, share XFRM_SHARE_*. The flags are bits:
 * XFRM_POLICY_LOCALOK lets a user override the global policy (per its
 * comment), so it deserves attention when auditing who may install
 * policies.
 */
struct xfrm_userpolicy_info {
    struct xfrm_selector        sel;
    struct xfrm_lifetime_cfg    lft;
    struct xfrm_lifetime_cur    curlft;
    __u32               priority;
    __u32               index;
    __u8                dir;        /* XFRM_POLICY_IN/OUT/FWD */
    __u8                action;
#define XFRM_POLICY_ALLOW   0
#define XFRM_POLICY_BLOCK   1
    __u8                flags;      /* OR of the XFRM_POLICY_LOCALOK / XFRM_POLICY_ICMP bits */
#define XFRM_POLICY_LOCALOK 1   /* Allow user to override global policy */
    /* Automatically expand selector to include matching ICMP payloads. */
#define XFRM_POLICY_ICMP    2
    __u8                share;      /* XFRM_SHARE_* */
};
0434 
/* Policy identifier for DELPOLICY/GETPOLICY: selector, index and
 * direction. */
struct xfrm_userpolicy_id {
    struct xfrm_selector        sel;
    __u32               index;
    __u8                dir;        /* XFRM_POLICY_IN/OUT/FWD */
};
0440 
/* Body of XFRM_MSG_ACQUIRE: the SA the kernel needs, the policy that
 * triggered it, and the acceptable algorithm sets (same __u32 masks as in
 * struct xfrm_user_tmpl). seq presumably lets the response be correlated.
 */
struct xfrm_user_acquire {
    struct xfrm_id          id;
    xfrm_address_t          saddr;
    struct xfrm_selector        sel;
    struct xfrm_userpolicy_info policy;
    __u32               aalgos;
    __u32               ealgos;
    __u32               calgos;
    __u32               seq;
};
0451 
/* Body of XFRM_MSG_EXPIRE. 'hard' distinguishes a hard-limit expiry from
 * a soft one (see struct xfrm_lifetime_cfg). */
struct xfrm_user_expire {
    struct xfrm_usersa_info     state;
    __u8                hard;
};
0456 
/* Body of XFRM_MSG_POLEXPIRE; 'hard' as in struct xfrm_user_expire. */
struct xfrm_user_polexpire {
    struct xfrm_userpolicy_info pol;
    __u8                hard;
};
0461 
/* Body of XFRM_MSG_FLUSHSA: which protocol's SAs to flush. */
struct xfrm_usersa_flush {
    __u8                proto;
};
0465 
/* Body of XFRM_MSG_REPORT: protocol and selector being reported. */
struct xfrm_user_report {
    __u8                proto;
    struct xfrm_selector        sel;
};
0470 
/* Used by MIGRATE to pass addresses IKE should use to perform
 * SA negotiation with the peer (payload of XFRMA_KMADDRESS).
 * 'family' selects the view of both addresses. */
struct xfrm_user_kmaddress {
    xfrm_address_t                  local;
    xfrm_address_t                  remote;
    __u32               reserved;
    __u16               family;
};
0479 
/* One endpoint move for XFRM_MSG_MIGRATE (XFRMA_MIGRATE). The old_*
 * addresses are read under old_family and the new_* ones under
 * new_family; proto/mode identify which SAs are affected.
 */
struct xfrm_user_migrate {
    xfrm_address_t          old_daddr;
    xfrm_address_t          old_saddr;
    xfrm_address_t          new_daddr;
    xfrm_address_t          new_saddr;
    __u8                proto;
    __u8                mode;       /* XFRM_MODE_* */
    __u16               reserved;
    __u32               reqid;
    __u16               old_family;
    __u16               new_family;
};
0492 
/* Body of XFRM_MSG_MAPPING: an SA whose peer source address/port changed
 * (old -> new). Ports are network byte order; the address family is
 * carried in id.
 */
struct xfrm_user_mapping {
    struct xfrm_usersa_id       id;
    __u32               reqid;
    xfrm_address_t          old_saddr;
    xfrm_address_t          new_saddr;
    __be16              old_sport;
    __be16              new_sport;
};
0501 
/* Payload of XFRMA_ADDRESS_FILTER: restrict a dump to SAs matching
 * saddr/splen and daddr/dplen prefixes under 'family'. */
struct xfrm_address_filter {
    xfrm_address_t          saddr;
    xfrm_address_t          daddr;
    __u16               family;
    __u8                splen;      /* prefix bits of saddr */
    __u8                dplen;      /* prefix bits of daddr */
};
0509 
/* Payload of XFRMA_OFFLOAD_DEV: the device to offload to and
 * XFRM_OFFLOAD_* flags. */
struct xfrm_user_offload {
    int             ifindex;
    __u8                flags;      /* OR of XFRM_OFFLOAD_* */
};
/* This flag was exposed without any kernel code that supports it.
 * Unfortunately, strongswan has the code that sets this flag,
 * which makes it impossible to reuse this bit.
 *
 * So leave it here to make sure that it won't be reused by mistake.
 * (The note refers to XFRM_OFFLOAD_IPV6, the define immediately below.)
 */
#define XFRM_OFFLOAD_IPV6   1
#define XFRM_OFFLOAD_INBOUND    2
0522 
/* Body of XFRM_MSG_SETDEFAULT / GETDEFAULT: a per-direction default of
 * UNSPEC / BLOCK / ACCEPT, presumably applied when no policy matches.
 * Note the field order is in, fwd, out - NOT the XFRM_POLICY_IN (0),
 * OUT (1), FWD (2) numbering - so do not index these fields by 'dir'.
 */
struct xfrm_userpolicy_default {
#define XFRM_USERPOLICY_UNSPEC  0
#define XFRM_USERPOLICY_BLOCK   1
#define XFRM_USERPOLICY_ACCEPT  2
    __u8                in;
    __u8                fwd;
    __u8                out;
};
0531 
#ifndef __KERNEL__
/* backwards compatibility for userspace */
/* Legacy multicast group bitmask values. They do NOT match the
 * sequential enum xfrm_nlgroups indices below (XFRMGRP_SA is 4,
 * XFRMNLGRP_SA is 3), so never mix the two numbering schemes. */
#define XFRMGRP_ACQUIRE     1
#define XFRMGRP_EXPIRE      2
#define XFRMGRP_SA      4
#define XFRMGRP_POLICY      8
#define XFRMGRP_REPORT      0x20
#endif
0540 
/* Netlink multicast group indices (sequential, unlike the legacy XFRMGRP_*
 * bitmasks above). Each enumerator is shadowed by a same-named macro so
 * userspace can #ifdef on it; append new groups before __XFRMNLGRP_MAX. */
enum xfrm_nlgroups {
    XFRMNLGRP_NONE,
#define XFRMNLGRP_NONE      XFRMNLGRP_NONE
    XFRMNLGRP_ACQUIRE,
#define XFRMNLGRP_ACQUIRE   XFRMNLGRP_ACQUIRE
    XFRMNLGRP_EXPIRE,
#define XFRMNLGRP_EXPIRE    XFRMNLGRP_EXPIRE
    XFRMNLGRP_SA,
#define XFRMNLGRP_SA        XFRMNLGRP_SA
    XFRMNLGRP_POLICY,
#define XFRMNLGRP_POLICY    XFRMNLGRP_POLICY
    XFRMNLGRP_AEVENTS,
#define XFRMNLGRP_AEVENTS   XFRMNLGRP_AEVENTS
    XFRMNLGRP_REPORT,
#define XFRMNLGRP_REPORT    XFRMNLGRP_REPORT
    XFRMNLGRP_MIGRATE,
#define XFRMNLGRP_MIGRATE   XFRMNLGRP_MIGRATE
    XFRMNLGRP_MAPPING,
#define XFRMNLGRP_MAPPING   XFRMNLGRP_MAPPING
    __XFRMNLGRP_MAX
};
/* Highest valid group index (__XFRMNLGRP_MAX is one past it). */
#define XFRMNLGRP_MAX   (__XFRMNLGRP_MAX - 1)
0563 
0564 #endif /* _LINUX_XFRM_H */