| author | Dmitry Vyukov <dvyukov@google.com> | 2017-12-11 11:01:31 +0100 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2017-12-11 20:12:35 +0100 |
| commit | da131727fbd586457e2dc17855f8b3967d01373f (patch) | |
| tree | c194e46bcf86f5eb22d6678567413bfecac82f86 /sys/linux/socket_key.txt | |
| parent | 8d4ab426054a7bc7a3e16819155356bdb746e413 (diff) | |
sys/linux: describe PF_KEY
Diffstat (limited to 'sys/linux/socket_key.txt')
| -rw-r--r-- | sys/linux/socket_key.txt | 204 |
1 files changed, 198 insertions, 6 deletions
diff --git a/sys/linux/socket_key.txt b/sys/linux/socket_key.txt
index 52f2401c4..32971f453 100644
--- a/sys/linux/socket_key.txt
+++ b/sys/linux/socket_key.txt
@@ -3,10 +3,202 @@ # AF_KEY support.
-# include <linux/socket.h>
-# include <linux/net.h>
-# include <uapi/linux/pfkeyv2.h>
+include <linux/socket.h>
+include <linux/net.h>
+include <linux/pfkeyv2.h>
+include <linux/ipsec.h>
-# See net/key/af_key.c, requires root.
-# resource sock_key[sock]
-# socket$key(domain const[AF_KEY], type const[SOCK_RAW], proto const[PF_KEY_V2]) sock_key
+resource sock_key[sock]
+
+socket$key(domain const[AF_KEY], type const[SOCK_RAW], proto const[PF_KEY_V2]) sock_key
+
+openat$pfkey(fd const[AT_FDCWD], file ptr[in, string["/proc/self/net/pfkey"]], flags flags[open_flags], mode const[0]) fd
+
+sendmsg$key(fd sock_key, msg ptr[in, send_msghdr_key], f flags[send_flags])
+
+send_msghdr_key {
+ msg_name const[0, intptr]
+ msg_namelen const[0, int32]
+ msg_iov ptr[in, iovec_sadb_msg]
+ msg_iovlen const[1, intptr]
+ msg_control const[0, intptr]
+ msg_controllen const[0, intptr]
+ msg_flags const[0, int32]
+}
+
+iovec_sadb_msg {
+ addr ptr[in, sadb_msg]
+ len bytesize[addr, intptr]
+}
+
+sadb_msg {
+ sadb_msg_version const[PF_KEY_V2, int8]
+ sadb_msg_type int8[SADB_RESERVED:SADB_MAX]
+ sadb_msg_errno int8
+ sadb_msg_satype flags[sadb_satype, int8]
+ sadb_msg_len bytesize8[parent, int16]
+ sadb_msg_reserved const[0, int16]
+ sadb_msg_seq int32
+# TODO: what is this port id? do we need to pass something meaningful?
+ sadb_msg_pid int32
+ ext_headers array[sadb_ext_hdr]
+} [packed]
+
+sadb_ext_hdr [
+ sadb_sa sadb_sa
+ sadb_lifetime sadb_lifetime
+ sadb_address sadb_address
+ sadb_key sadb_key
+ sadb_ident sadb_ident
+ sadb_spirange sadb_spirange
+ sadb_x_policy sadb_x_policy
+ sadb_x_sa2 sadb_x_sa2
+ sadb_x_nat_t_type sadb_x_nat_t_type
+ sadb_x_nat_t_port sadb_x_nat_t_port
+ sadb_x_sec_ctx sadb_x_sec_ctx
+ sadb_x_kmaddress sadb_x_kmaddress
+ sadb_x_filter sadb_x_filter
+] [varlen]
+
+sadb_sa {
+ sadb_len bytesize8[parent, int16]
+ sadb_exttype const[SADB_EXT_SA, int16]
+# TODO: what is this?
+ sadb_sa_spi int32be
+ sadb_sa_replay int8
+ sadb_sa_state int8
+ sadb_sa_auth int8[SADB_AALG_NONE:SADB_AALG_MAX]
+ sadb_sa_encrypt int8[SADB_X_CALG_NONE:SADB_X_CALG_MAX]
+ sadb_sa_flags int32
+} [packed, align_8]
+
+sadb_lifetime {
+ sadb_len bytesize8[parent, int16]
+ sadb_exttype flags[sadb_lifetime_type, int16]
+ sadb_lifetime_allocations int32
+ sadb_lifetime_bytes int64
+ sadb_lifetime_addtime int64
+ sadb_lifetime_usetime int64
+} [packed, align_8]
+
+sadb_address {
+ sadb_len bytesize8[parent, int16]
+ sadb_exttype flags[sadb_address_type, int16]
+ sadb_address_proto int8
+ sadb_address_prefixlen int8
+ sadb_address_reserved const[0, int16]
+ addr sadb_address_addr
+} [packed, align_8]
+
+sadb_address_addr [
+ in sockaddr_in
+ in6 sockaddr_in6
+] [varlen]
+
+sadb_key {
+ sadb_len bytesize8[parent, int16]
+ sadb_exttype flags[sadb_key_type, int16]
+ sadb_key_bits int16
+ sadb_key_reserved const[0, int16]
+} [packed, align_8]
+
+sadb_ident {
+ sadb_len bytesize8[parent, int16]
+ sadb_exttype flags[sadb_ident_type, int16]
+ sadb_ident_type int16
+ sadb_ident_reserved const[0, int16]
+ sadb_ident_id int64
+} [packed, align_8]
+
+sadb_spirange {
+ sadb_len bytesize8[parent, int16]
+ sadb_exttype const[SADB_EXT_SPIRANGE, int16]
+ sadb_spirange_min int32
+ sadb_spirange_max int32
+ sadb_spirange_reserved const[0, int32]
+} [packed, align_8]
+
+sadb_x_policy {
+ sadb_len bytesize8[parent, int16]
+ sadb_exttype const[SADB_X_EXT_POLICY, int16]
+ sadb_x_policy_type int16[IPSEC_POLICY_DISCARD:IPSEC_POLICY_BYPASS]
+ sadb_x_policy_dir int8
+ sadb_x_policy_reserved const[0, int8]
+ sadb_x_policy_id int32
+ sadb_x_policy_priority int32
+ policy sadb_x_ipsecrequest
+} [packed, align_8]
+
+sadb_x_ipsecrequest {
+ sadb_x_ipsecrequest_len int16
+ sadb_x_ipsecrequest_proto int16
+ sadb_x_ipsecrequest_mode int8
+ sadb_x_ipsecrequest_level int8
+ sadb_x_ipsecrequest_reserved1 const[0, int16]
+ sadb_x_ipsecrequest_reqid int32
+ sadb_x_ipsecrequest_reserved2 const[0, int32]
+} [packed, align_8]
+
+sadb_x_sa2 {
+ sadb_len bytesize8[parent, int16]
+ sadb_exttype const[SADB_X_EXT_SA2, int16]
+ sadb_x_sa2_mode int8
+ sadb_x_sa2_reserved1 const[0, int8]
+ sadb_x_sa2_reserved2 const[0, int16]
+ sadb_x_sa2_sequence int32
+ sadb_x_sa2_reqid int32
+} [packed, align_8]
+
+sadb_x_nat_t_type {
+ sadb_len bytesize8[parent, int16]
+ sadb_exttype const[SADB_X_EXT_NAT_T_TYPE, int16]
+ sadb_x_nat_t_type_type int8
+ sadb_x_nat_t_type_reserved array[const[0, int8], 3]
+} [packed, align_8]
+
+sadb_x_nat_t_port {
+ sadb_len bytesize8[parent, int16]
+ sadb_exttype flags[sadb_nat_port_type, int16]
+ sadb_x_nat_t_port_port proc[20000, 4, int16be]
+ sadb_x_nat_t_port_reserved const[0, int16]
+} [packed, align_8]
+
+sadb_x_sec_ctx {
+ sadb_len bytesize8[parent, int16]
+ sadb_exttype const[SADB_X_EXT_SEC_CTX, int16]
+ sadb_x_ctx_alg int8
+ sadb_x_ctx_doi int8
+ sadb_x_ctx_len bytesize[ctx, int16]
+ ctx array[int8]
+} [packed, align_8]
+
+sadb_x_kmaddress {
+ sadb_len bytesize8[parent, int16]
+ sadb_exttype const[SADB_X_EXT_KMADDRESS, int16]
+ sadb_x_kmaddress_reserved const[0, int32]
+ src sadb_address_addr
+ dst sadb_address_addr
+} [packed, align_8]
+
+sadb_x_filter {
+ sadb_len bytesize8[parent, int16]
+ sadb_exttype const[SADB_X_EXT_FILTER, int16]
+ sadb_x_filter_saddr sadb_filter_addr
+ sadb_x_filter_daddr sadb_filter_addr
+ sadb_x_filter_family flags[socket_domain, int16]
+ sadb_x_filter_splen flags[sadb_filter_addr_len, int8]
+ sadb_x_filter_dplen flags[sadb_filter_addr_len, int8]
+} [packed, align_8]
+
+sadb_filter_addr [
+ in ipv4_addr
+ in6 ipv6_addr
+]
+
+sadb_satype = SADB_SATYPE_UNSPEC, SADB_SATYPE_AH, SADB_SATYPE_ESP, SADB_SATYPE_RSVP, SADB_SATYPE_OSPFV2, SADB_SATYPE_RIPV2, SADB_SATYPE_MIP, SADB_X_SATYPE_IPCOMP, SADB_SATYPE_MAX
+sadb_lifetime_type = SADB_EXT_LIFETIME_CURRENT, SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT
+sadb_address_type = SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_X_EXT_NAT_T_OA
+sadb_key_type = SADB_EXT_KEY_AUTH, SADB_EXT_KEY_ENCRYPT
+sadb_ident_type = SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST
+sadb_nat_port_type = SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT
+sadb_filter_addr_len = 4, 16
|
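Review bot: The new `sadb_key` struct ends at `sadb_key_reserved` with no key payload, so every generated SADB_EXT_KEY_AUTH/SADB_EXT_KEY_ENCRYPT extension is a bare header while `sadb_key_bits` is a free int16; as far as I recall af_key.c's extension parser rejects a key extension whose `sadb_len` cannot hold `sadb_key_bits/8` bytes, which would keep the fuzzer out of the SA state-setup paths that actually consume key material. Tying the bit count to a trailing payload, `sadb_key_bits bitsize[key, int16]` plus a `key array[int8]` field before `} [packed, align_8]`, keeps the length invariant satisfied (assuming this tree's syzlang already has `bitsize`). The `# TODO: what is this?` above `sadb_sa_spi` can be answered with `# Security Parameter Index (RFC 2367): identifies the SA; kept in network byte order, hence int32be`.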
