1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #ifndef _IKEDOOR_H 26 #define _IKEDOOR_H 27 28 #ifdef __cplusplus 29 extern "C" { 30 #endif 31 32 #include <limits.h> 33 #include <sys/sysmacros.h> 34 #include <net/pfkeyv2.h> 35 #include <door.h> 36 37 /* 38 * This version number is intended to stop the calling process from 39 * getting confused if a structure is changed and a mismatch occurs. 40 * This should be incremented each time a structure is changed. 41 */ 42 43 /* 44 * The IKE process may be a 64-bit process, but ikeadm or any other IKE 45 * door consumer does not have to be. We need to be strict ala. PF_KEY or 46 * any on-the-wire-protocol with respect to structure fields offsets and 47 * alignment. Please make sure all structures are the same size on both 48 * 64-bit and 32-bit execution environments (or even other ones), and that 49 * apart from trivial 4-byte enums or base headers, that all structures are 50 * multiples of 8-bytes (64-bits). 
 */
/*
 * Door protocol version.  This is the version number described in the
 * comment above: it must be incremented whenever any structure in this
 * header changes, so that a consumer built against an older layout can
 * detect the mismatch instead of misinterpreting a reply.
 */
#define	DOORVER 4
/* Filesystem path of the door served by in.iked. */
#define	DOORNM	"/var/run/ike_door"


/*
 * Service commands.  Every request and reply structure below begins with
 * one of these in its cmd field.  IKE_SVC_ERROR must stay the last member:
 * IKE_SVC_MAX is defined in terms of it, so new commands are inserted
 * before it.
 */
typedef enum {
	IKE_SVC_GET_DBG,
	IKE_SVC_SET_DBG,

	IKE_SVC_GET_PRIV,
	IKE_SVC_SET_PRIV,

	IKE_SVC_GET_STATS,

	IKE_SVC_GET_P1,
	IKE_SVC_DEL_P1,
	IKE_SVC_DUMP_P1S,
	IKE_SVC_FLUSH_P1S,

	IKE_SVC_GET_RULE,
	IKE_SVC_NEW_RULE,
	IKE_SVC_DEL_RULE,
	IKE_SVC_DUMP_RULES,
	IKE_SVC_READ_RULES,
	IKE_SVC_WRITE_RULES,

	IKE_SVC_GET_PS,
	IKE_SVC_NEW_PS,
	IKE_SVC_DEL_PS,
	IKE_SVC_DUMP_PS,
	IKE_SVC_READ_PS,
	IKE_SVC_WRITE_PS,

	IKE_SVC_DBG_RBDUMP,

	IKE_SVC_GET_DEFS,

	IKE_SVC_SET_PIN,
	IKE_SVC_DEL_PIN,

	IKE_SVC_DUMP_CERTCACHE,
	IKE_SVC_FLUSH_CERTCACHE,

	IKE_SVC_DUMP_GROUPS,
	IKE_SVC_DUMP_ENCRALGS,
	IKE_SVC_DUMP_AUTHALGS,

	IKE_SVC_ERROR
} ike_svccmd_t;

/*
 * DPD (dead peer detection) status of a Phase 1 SA, as reported in
 * ike_p1_hdr_t.p1hdr_dpd_state.
 */

typedef enum dpd_status {
	DPD_NOT_INITIATED = 0,
	DPD_IN_PROGRESS,
	DPD_SUCCESSFUL,
	DPD_FAILURE
} dpd_status_t;

/* Highest valid command value; anything larger is not a command. */
#define	IKE_SVC_MAX	IKE_SVC_ERROR


/*
 * Support structures/defines
 */

/*
 * Round a byte count up to a multiple of sizeof (uint64_t), the alignment
 * the variable-length trailers of this protocol are padded to.  P2ROUNDUP
 * comes from <sys/sysmacros.h>.
 */
#define	IKEDOORROUNDUP(i)   P2ROUNDUP((i), sizeof (uint64_t))

/*
 * Debug categories.  The debug level is a bitmask made up of
 * flags indicating the desired categories; only 31 bits are
 * available, as the highest-order bit designates an invalid
 * setting.
 */
#define	D_INVALID	0x80000000	/* set => the level is not a valid setting */

#define	D_CERT		0x00000001	/* certificate management */
#define	D_KEY		0x00000002	/* key management */
#define	D_OP		0x00000004	/* operational: config, init, mem */
#define	D_P1		0x00000008	/* phase 1 negotiation */
#define	D_P2		0x00000010	/* phase 2 negotiation */
#define	D_PFKEY		0x00000020	/* pf key interface */
#define	D_POL		0x00000040	/* policy management */
#define	D_PROP		0x00000080	/* proposal construction */
#define	D_DOOR		0x00000100	/* door server */
#define	D_CONFIG	0x00000200	/* config file processing */
#define	D_LABEL		0x00000400	/* MAC labels */

#define	D_HIGHBIT	0x00000400	/* highest category bit defined above (D_LABEL) */
#define	D_ALL		0x000007ff	/* all eleven category bits; never overlaps D_INVALID */

/*
 * Access privilege levels: define level of access to keying information.
 * The privileges granted at each level is a superset of the privileges
 * granted at all lower levels.
 *
 * The door operations which require special privileges are:
 *
 * - receiving keying material for SAs and preshared key entries
 *   IKE_PRIV_KEYMAT must be set for this.
 *
 * - get/dump/new/delete/read/write preshared keys
 *   IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
 *   If IKE_PRIV_MODKEYS is set, the information returned for a
 *   get/dump request will not include the actual key; in order
 *   to get the key itself, IKE_PRIV_KEYMAT must be set.
 *
 * - modifying the privilege level: the daemon's privilege level
 *   is set when the daemon is started; the level may only be
 *   lowered via the door interface.
 *
 * All other operations are allowed at any privilege level.
 *
 * IKE_PRIV_MAXIMUM is the same value as IKE_PRIV_KEYMAT; a level outside
 * [IKE_PRIV_MINIMUM, IKE_PRIV_MAXIMUM] is not meaningful.
 */
#define	IKE_PRIV_MINIMUM	0
#define	IKE_PRIV_MODKEYS	1
#define	IKE_PRIV_KEYMAT		2
#define	IKE_PRIV_MAXIMUM	2

/*
 * Global ike stats formatting structure.  Returned immediately after the
 * ike_statreq_t header in the reply to IKE_SVC_GET_STATS.  PATH_MAX comes
 * from <limits.h>.
 */
typedef struct {
	uint32_t	st_init_p1_current;
	uint32_t	st_resp_p1_current;
	uint32_t	st_init_p1_total;
	uint32_t	st_resp_p1_total;
	uint32_t	st_init_p1_attempts;
	uint32_t	st_resp_p1_attempts;
	uint32_t	st_init_p1_noresp;	/* failed; no response from peer */
	uint32_t	st_init_p1_respfail;	/* failed, but peer responded */
	uint32_t	st_resp_p1_fail;
	uint32_t	st_reserved;		/* keeps the char array 64-bit aligned */
	char		st_pkcs11_libname[PATH_MAX];
} ike_stats_t;

/*
 * Structure used to pass default values used by in.iked back to ikeadm.
 * The reply to IKE_SVC_GET_DEFS carries a pair of these after the
 * ike_defreq_t header.
 */
typedef struct {
	uint32_t	rule_p1_lifetime_secs;
	uint32_t	rule_p1_minlife;
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	rule_p2_idletime_secs;
	uint32_t	sys_p2_lifetime_secs;
	uint32_t	sys_p2_softlife_secs;
	uint32_t	sys_p2_idletime_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint32_t	sys_p2_lifetime_bytes;
	uint32_t	sys_p2_softlife_bytes;
	uint32_t	rule_p2_minlife_hard_secs;
	uint32_t	rule_p2_minlife_soft_secs;
	uint32_t	rule_p2_minlife_idle_secs;
	uint32_t	rule_p2_minlife_hard_kb;
	uint32_t	rule_p2_minlife_soft_kb;
	uint32_t	rule_p2_maxlife_secs;
	uint32_t	rule_p2_maxlife_kb;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_mindiff_secs;
	uint32_t	rule_p2_mindiff_kb;
	uint32_t	conversion_factor;	/* for secs to kbytes */
	uint32_t	rule_max_certs;
	uint32_t	rule_ike_port;
	uint32_t	rule_natt_port;
	uint32_t	defaults_reserved;	/* For 64-bit alignment. */
} ike_defaults_t;

/*
 * Data formatting structures for P1 SA dumps.
 *
 * ike_addr_pr_t is a local/remote address pair.  Through the two macros
 * below the same structure also describes an address range (beginning and
 * end), which is how ike_rule_t uses it.
 */
typedef struct {
	struct sockaddr_storage	loc_addr;
	struct sockaddr_storage	rem_addr;
#define	beg_iprange	loc_addr
#define	end_iprange	rem_addr
} ike_addr_pr_t;

/* Initiator/responder cookie pair identifying a Phase 1 SA. */
typedef struct {
	uint64_t	cky_i;
	uint64_t	cky_r;
} ike_cky_pr_t;

/* Fixed-size header of a dumped Phase 1 SA (see ike_p1_sa_t). */
typedef struct {
	ike_cky_pr_t	p1hdr_cookies;
	uint8_t		p1hdr_major;		/* presumably ISAKMP major version - confirm */
	uint8_t		p1hdr_minor;		/* presumably ISAKMP minor version - confirm */
	uint8_t		p1hdr_xchg;		/* IKE_XCHG_* value (see below) */
	uint8_t		p1hdr_isinit;		/* presumably nonzero if we initiated - confirm */
	uint32_t	p1hdr_state;		/* IKE_SA_STATE_* value (see below) */
	boolean_t	p1hdr_support_dpd;
	dpd_status_t	p1hdr_dpd_state;
	uint64_t	p1hdr_dpd_time;		/* units not specified in this header */
} ike_p1_hdr_t;

/* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
#define	IKE_XCHG_NONE			0
#define	IKE_XCHG_BASE			1
#define	IKE_XCHG_IDENTITY_PROTECT	2
#define	IKE_XCHG_AUTH_ONLY		3
#define	IKE_XCHG_AGGRESSIVE		4
/* following not from RFC; used only for preshared key definitions */
#define	IKE_XCHG_IP_AND_AGGR		240
/*
 * also not from RFC; used as wildcard.
 * NOTE: 256 does not fit the uint8_t p1hdr_xchg field above; it is only
 * representable in the uint16_t ps_ike_mode field of ike_ps_t.
 */
#define	IKE_XCHG_ANY			256

/* values for p1hdr_state */
#define	IKE_SA_STATE_INVALID	0
#define	IKE_SA_STATE_INIT	1
#define	IKE_SA_STATE_SENT_SA	2
#define	IKE_SA_STATE_SENT_KE	3
#define	IKE_SA_STATE_SENT_LAST	4
#define	IKE_SA_STATE_DONE	5
#define	IKE_SA_STATE_DELETED	6

/*
 * One Phase 1 transform: the algorithm/lifetime parameters negotiated (or,
 * in ike_rule_t, proposed) for a Phase 1 SA.  The *_bits, *_max_* and
 * p1xf_pfs fields are not further specified in this header.
 */
typedef struct {
	uint16_t	p1xf_dh_group;		/* IKE_GRP_DESC_* value */
	uint16_t	p1xf_encr_alg;
	uint16_t	p1xf_encr_low_bits;
	uint16_t	p1xf_encr_high_bits;
	uint16_t	p1xf_auth_alg;
	uint16_t	p1xf_auth_meth;		/* IKE_AUTH_METH_* value */
	uint16_t	p1xf_prf;		/* IKE_PRF_* value */
	uint16_t	p1xf_pfs;
	uint32_t	p1xf_max_secs;
	uint32_t	p1xf_max_kbytes;
	uint32_t	p1xf_max_keyuses;
	uint32_t	p1xf_reserved;		/* Alignment to 64-bit. */
} ike_p1_xform_t;

/*
 * values for p1xf_dh_group (aligned with RFC2409, Appendix A)
 * The small MODP groups (768/1024 bits) are kept for protocol completeness;
 * they are widely regarded as too weak for current deployments.
 */
#define	IKE_GRP_DESC_MODP_768	1
#define	IKE_GRP_DESC_MODP_1024	2
#define	IKE_GRP_DESC_EC2N_155	3
#define	IKE_GRP_DESC_EC2N_185	4
/* values for p1xf_dh_group (aligned with RFC3526) */
#define	IKE_GRP_DESC_MODP_1536	5
#define	IKE_GRP_DESC_MODP_2048	14
#define	IKE_GRP_DESC_MODP_3072	15
#define	IKE_GRP_DESC_MODP_4096	16
#define	IKE_GRP_DESC_MODP_6144	17
#define	IKE_GRP_DESC_MODP_8192	18
#define	IKE_GRP_DESC_ECP_256	19
#define	IKE_GRP_DESC_ECP_384	20
#define	IKE_GRP_DESC_ECP_521	21
/* values for p1xf_dh_group (aligned with RFC5114) */
#define	IKE_GRP_DESC_MODP_1024_160	22
#define	IKE_GRP_DESC_MODP_2048_224	23
#define	IKE_GRP_DESC_MODP_2048_256	24
#define	IKE_GRP_DESC_ECP_192	25
#define	IKE_GRP_DESC_ECP_224	26

/* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
#define	IKE_AUTH_METH_PRE_SHARED_KEY	1
#define	IKE_AUTH_METH_DSS_SIG		2
#define	IKE_AUTH_METH_RSA_SIG		3
#define	IKE_AUTH_METH_RSA_ENCR		4
#define	IKE_AUTH_METH_RSA_ENCR_REVISED	5

/*
 * values for p1xf_prf
 * Note the gap at 3 and 4: the values are not contiguous, so a consumer
 * must not index a table by them without a range check.
 */
#define	IKE_PRF_NONE		0
#define	IKE_PRF_HMAC_MD5	1
#define	IKE_PRF_HMAC_SHA1	2
#define	IKE_PRF_HMAC_SHA256	5
#define	IKE_PRF_HMAC_SHA384	6
#define	IKE_PRF_HMAC_SHA512	7

/* Per-Phase-1-SA statistics; carried in the ike_p1_sa_t trailer. */
typedef struct {
	/*
	 * NOTE: the new and del counters count the actual number of SAs,
	 * not the number of "suites", as defined in the ike monitoring
	 * mib draft; we do this because we don't have a good way of
	 * tracking the deletion of entire suites (we're notified of
	 * deleted qm sas individually).
	 */
	uint32_t	p1stat_new_qm_sas;
	uint32_t	p1stat_del_qm_sas;
	uint64_t	p1stat_start;		/* units not specified in this header */
	uint32_t	p1stat_kbytes;
	uint32_t	p1stat_keyuses;
} ike_p1_stats_t;

/* Per-Phase-1-SA error counters; carried in the ike_p1_sa_t trailer. */
typedef struct {
	uint32_t	p1err_decrypt;
	uint32_t	p1err_hash;
	uint32_t	p1err_otherrx;
	uint32_t	p1err_tx;
} ike_p1_errors_t;

/*
 * Header of one piece of Phase 1 keying material in the ike_p1_sa_t
 * trailer.  Per the privilege comment above, this data is only returned
 * when the daemon runs at IKE_PRIV_KEYMAT.  Consumers that copy it should
 * treat the buffer as secret and clear it once it is no longer needed.
 */
typedef struct {
	uint32_t	p1key_type;		/* IKE_KEY_* value */
	uint32_t	p1key_len;
	/*
	 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
	 * 64-bit aligned (pad bytes are added at the end, if necessary,
	 * and NOT INCLUDED in the len value, which reflects the actual
	 * key size).
	 */
} ike_p1_key_t;

/* key info types for ike_p1_key_t struct */
#define	IKE_KEY_PRESHARED	1
#define	IKE_KEY_SKEYID		2
#define	IKE_KEY_SKEYID_D	3
#define	IKE_KEY_SKEYID_A	4
#define	IKE_KEY_SKEYID_E	5
#define	IKE_KEY_ENCR		6
#define	IKE_KEY_IV		7

/*
 * One Phase 1 SA as returned by IKE_SVC_GET_P1 and IKE_SVC_DUMP_P1S.
 * The *_off/*_len pairs locate variable-length elements relative to the
 * start of this structure.  This header does not say which side validates
 * them; a consumer should check that each off + len lies inside the
 * length reported by the enclosing ike_get_t/ike_dump_t before reading.
 */
typedef struct {
	ike_p1_hdr_t	p1sa_hdr;
	ike_p1_xform_t	p1sa_xform;
	ike_addr_pr_t	p1sa_ipaddrs;
	uint16_t	p1sa_stat_off;
	uint16_t	p1sa_stat_len;
	uint16_t	p1sa_error_off;
	uint16_t	p1sa_error_len;
	uint16_t	p1sa_localid_off;
	uint16_t	p1sa_localid_len;
	uint16_t	p1sa_remoteid_off;
	uint16_t	p1sa_remoteid_len;
	uint16_t	p1sa_key_off;
	uint16_t	p1sa_key_len;
	uint32_t	p1sa_reserved;
	/*
	 * variable-length structures will be included here, as
	 * indicated by offset/length fields.
	 * stats and errors will be formatted as ike_p1_stats_t and
	 * ike_p1_errors_t, respectively.
	 * key info will be formatted as a series of p1_key_t structs.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_p1_sa_t;


/* Size of the fixed label buffers in the rule/group/alg structures. */
#define	MAX_LABEL_LEN	256


/*
 * Data formatting structure for policy (rule) dumps, returned by
 * IKE_SVC_GET_RULE and IKE_SVC_DUMP_RULES and supplied to IKE_SVC_NEW_RULE.
 * As with ike_p1_sa_t, the *_off fields are relative to the start of the
 * structure and should be range-checked against the enclosing message
 * length before use.
 */

typedef struct {
	char		rule_label[MAX_LABEL_LEN];
	uint32_t	rule_kmcookie;
	uint16_t	rule_ike_mode;		/* presumably an IKE_XCHG_* value, as for ps_ike_mode - confirm */
	uint16_t	rule_local_idtype;	/* SADB_IDENTTYPE_* value */
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	rule_p2_idletime_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint16_t	rule_xform_cnt;
	uint16_t	rule_xform_off;
	uint16_t	rule_locip_cnt;
	uint16_t	rule_locip_off;
	uint16_t	rule_remip_cnt;
	uint16_t	rule_remip_off;
	uint16_t	rule_locid_inclcnt;
	uint16_t	rule_locid_exclcnt;
	uint16_t	rule_locid_off;
	uint16_t	rule_remid_inclcnt;
	uint16_t	rule_remid_exclcnt;
	uint16_t	rule_remid_off;
	/*
	 * Followed by several lists of variable-length structures, described
	 * by counts and offsets:
	 *	transforms			ike_p1_xform_t structs
	 *	ranges of local ip addrs	ike_addr_pr_t structs
	 *	ranges of remote ip addrs	ike_addr_pr_t structs
	 *	local identification strings	null-terminated ascii strings
	 *	remote identification strings	null-terminated ascii strings
	 */
} ike_rule_t;

/* data formatting structure for DH group dumps (IKE_SVC_DUMP_GROUPS) */
typedef struct {
	uint16_t	group_number;
	uint16_t	group_bits;
	char		group_label[MAX_LABEL_LEN];
} ike_group_t;

/*
 * data formatting structure for encryption algorithm dumps
 * (IKE_SVC_DUMP_ENCRALGS)
 */
typedef struct {
	uint_t		encr_value;
	char		encr_name[MAX_LABEL_LEN];
	int		encr_keylen_min;
	int		encr_keylen_max;
} ike_encralg_t;

/*
 * data formatting structure for authentication algorithm dumps
 * (IKE_SVC_DUMP_AUTHALGS)
 */
typedef struct {
	uint_t		auth_value;
	char		auth_name[MAX_LABEL_LEN];
} ike_authalg_t;

/*
 * data formatting structure for preshared keys
 * ps_ike_mode field uses the IKE_XCHG_* defs
 *
 * The bytes located by ps_key_off/ps_key_len are the preshared key itself;
 * per the privilege comment above they are omitted from get/dump replies
 * unless the daemon runs at IKE_PRIV_KEYMAT.  Consumers holding a copy
 * should clear it once it is no longer needed.
 */
typedef struct {
	ike_addr_pr_t	ps_ipaddrs;
	uint16_t	ps_ike_mode;
	uint16_t	ps_localid_off;
	uint16_t	ps_localid_len;
	uint16_t	ps_remoteid_off;
	uint16_t	ps_remoteid_len;
	uint16_t	ps_key_off;
	uint16_t	ps_key_len;
	uint16_t	ps_key_bits;
	int		ps_localid_plen;	/* signed; meaning not specified here */
	int		ps_remoteid_plen;	/* signed; meaning not specified here */
	/*
	 * followed by variable-length structures, as indicated by
	 * offset/length fields.
	 * key info will be formatted as an array of bytes.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_ps_t;

/* Size of the subject/issuer DN buffers in ike_certcache_t. */
#define	DN_MAX	1024
/* Private-key linkage states; CERT_OFF_WIRE is negative, hence int linkage */
#define	CERT_OFF_WIRE		-1
#define	CERT_NO_PRIVKEY		0
#define	CERT_PRIVKEY_LOCKED	1
#define	CERT_PRIVKEY_AVAIL	2

/*
 * data formatting structure for cached certs (IKE_SVC_DUMP_CERTCACHE).
 * Whether subject/issuer are always NUL-terminated is not stated here;
 * a consumer should bound reads by DN_MAX.
 */
typedef struct {
	uint32_t	cache_id;
	uint32_t	certclass;
	int		linkage;		/* presumably a CERT_* value - confirm */
	uint32_t	certcache_padding;	/* For 64-bit alignment. */
	char		subject[DN_MAX];
	char		issuer[DN_MAX];
} ike_certcache_t;

/* identification types (values for get_idtype / del_idtype below) */
#define	IKE_ID_IDENT_PAIR	1
#define	IKE_ID_ADDR_PAIR	2
#define	IKE_ID_CKY_PAIR		3
#define	IKE_ID_LABEL		4


/* locations for read/write requests (values for rw_loc below) */
#define	IKE_RW_LOC_DEFAULT	1
#define	IKE_RW_LOC_USER_SPEC	2


/* door interface error codes (values for ike_err_t.ike_err) */
#define	IKE_ERR_NO_OBJ		1	/* nothing found to match the request */
#define	IKE_ERR_NO_DESC		2	/* fd was required with this request */
#define	IKE_ERR_ID_INVALID	3	/* invalid id info was provided */
#define	IKE_ERR_LOC_INVALID	4	/* invalid location info was provided */
#define	IKE_ERR_CMD_INVALID	5	/* invalid command was provided */
#define	IKE_ERR_DATA_INVALID	6	/* invalid data was provided */
#define	IKE_ERR_CMD_NOTSUP	7	/* unsupported command */
#define	IKE_ERR_REQ_INVALID	8	/* badly formatted request */
#define	IKE_ERR_NO_PRIV		9	/* privilege level not high enough */
#define	IKE_ERR_SYS_ERR		10	/* syserr occurred while processing */
#define	IKE_ERR_DUP_IGNORED	11	/* attempt to add a duplicate entry */
#define	IKE_ERR_NO_TOKEN	12	/* cannot login into pkcs#11 token */
#define	IKE_ERR_NO_AUTH		13	/* not authorized */
#define	IKE_ERR_IN_PROGRESS	14	/* operation already in progress */
#define	IKE_ERR_NO_MEM		15	/* insufficient memory */


/*
 * IKE_SVC_GET_DBG
 * Used to request the current debug level.
 *
 * Upon request, dbg_level is 0 (don't care).
 *
 * Upon return, dbg_level contains the current value.
 *
 *
 * IKE_SVC_SET_DBG
 * Used to request modification of the debug level.
 *
 * Upon request, dbg_level contains desired level.  If debug output is
 * to be directed to a different file, the fd should be passed in the
 * door_desc_t field of the door_arg_t param.  NOTE: if the daemon is
 * currently running in the background with no debug set, an output
 * file MUST be given.
 *
 * Upon return, dbg_level contains the old debug level, and acknowledges
 * successful completion of the request.  If an error is encountered,
 * ike_err_t is returned instead, with appropriate error value and cmd
 * IKE_SVC_ERROR.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dbg_level;		/* D_* bitmask; D_INVALID set => rejected */
} ike_dbg_t;

/*
 * IKE_SVC_GET_PRIV
 * Used to request the current privilege level.
 *
 * Upon request, priv_level is 0 (don't care).
 *
 * Upon return, priv_level contains the current value.
 *
 *
 * IKE_SVC_SET_PRIV
 * Used to request modification of the privilege level.
 *
 * Upon request, priv_level contains the desired level.  The level may
 * only be lowered via the door interface; it cannot be raised.  Thus,
 * if in.iked is started at the lowest level, it cannot be changed.
 *
 * Upon return, priv_level contains the old privilege level, and
 * acknowledges successful completion of the request.  If an error is
 * encountered, ike_err_t is returned instead, with appropriate error
 * value and cmd IKE_SVC_ERROR.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	priv_level;		/* IKE_PRIV_* value */
} ike_priv_t;


/*
 * IKE_SVC_GET_STATS
 * Used to request current statistics on Phase 1 SA creation and
 * failures.  The statistics represent all activity in in.iked.
 *
 * Upon request, cmd is set, and stat_len does not matter.
 *
 * Upon successful return, stat_len contains the total size of the
 * returned buffer, which contains first the ike_statreq_t struct,
 * followed by the stat data in the ike_stats_t structure.  In case
 * of an error in processing the request, ike_err_t is returned with
 * IKE_SVC_ERROR command and appropriate error code.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	stat_len;
} ike_statreq_t;

/*
 * IKE_SVC_GET_DEFS
 * Used to request default values from in.iked.
 *
 * Upon request, cmd is set, and stat_len does not matter.  The meaning
 * of the version field is not documented here; it is presumably the
 * requester's DOORVER - confirm against in.iked.
 *
 * Upon successful return, stat_len contains the total size of the
 * returned buffer, this contains a pair of ike_defaults_t's.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	stat_len;
	uint32_t	version;
	uint32_t	defreq_reserved;	/* For 64-bit alignment. */
} ike_defreq_t;

/*
 * IKE_SVC_DUMP_{P1S|RULES|PS|CERTCACHE}
 * Used to request a table dump, and to return info for a single table
 * item.  The expectation is that all of the table data will be passed
 * through the door, one entry at a time; an individual request must be
 * sent for each entry, however (the door server can't send unrequested
 * data).
 *
 * Upon request: cmd is set, and dump_next contains the item number
 * requested (0 for first request).  dump_len is 0; no data follows.
 *
 * Upon return: cmd is set, and dump_next contains the item number of
 * the *next* item in the table (to be used in the subsequent request).
 * dump_next = 0 indicates that this is the last item in the table.
 * dump_len is the total length (data + struct) returned.  Data is
 * formatted as indicated by the cmd type:
 *	IKE_SVC_DUMP_P1S:	ike_p1_sa_t
 *	IKE_SVC_DUMP_RULES:	ike_rule_t
 *	IKE_SVC_DUMP_PS:	ike_ps_t
 *	IKE_SVC_DUMP_CERTCACHE:	ike_certcache_t
 *
 * The dump_u union exists only to force 64-bit alignment of the trailing
 * data; the dump_next/dump_reserved macros are the intended accessors.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dump_len;
	union {
		struct {
			uint32_t	dump_unext;
			uint32_t	dump_ureserved;
		} dump_actual;
		uint64_t	dump_alignment;
	} dump_u;
#define	dump_next	dump_u.dump_actual.dump_unext
#define	dump_reserved	dump_u.dump_actual.dump_ureserved
	/* dump_len - sizeof (ike_dump_t) bytes of data included here */
} ike_dump_t;


/*
 * IKE_SVC_GET_{P1|RULE|PS}
 * Used to request and return individual table items.
 *
 * Upon request: get_len is the total msg length (struct + id data);
 * get_idtype indicates the type of identification being used.
 *	IKE_SVC_GET_P1:		ike_addr_pr_t or ike_cky_pr_t
 *	IKE_SVC_GET_RULE:	char string (label)
 *	IKE_SVC_GET_PS:		ike_addr_pr_t or pair of sadb_ident_t
 *
 * Upon return: get_len is the total size (struct + data), get_idtype
 * is unused, and the data that follows is formatted according to cmd:
 *	IKE_SVC_GET_P1:		ike_p1_sa_t
 *	IKE_SVC_GET_RULE:	ike_rule_t
 *	IKE_SVC_GET_PS:		ike_ps_t
 *
 * As in ike_dump_t, the get_u union only forces 64-bit alignment of the
 * trailing data.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	get_len;
	union {
		struct {
			uint32_t	getu_idtype;	/* IKE_ID_* value */
			uint32_t	getu_reserved;
		} get_actual;
		uint64_t	get_alignment;
	} get_u;
#define	get_idtype	get_u.get_actual.getu_idtype
#define	get_reserved	get_u.get_actual.getu_reserved
	/* get_len - sizeof (ike_get_t) bytes of data included here */
} ike_get_t;


/*
 * IKE_SVC_NEW_{RULE|PS}
 * Used to request and acknowledge insertion of a table item.
 *
 * Upon request: new_len is the total (data + struct) size passed, or 0.
 * new_len = 0 => a door_desc_t is also included with a file descriptor
 * for a file containing the data to be added.  The file should include
 * a single item: a rule, or a pre-shared key.  For new_len != 0, the
 * data is formatted according to the cmd type:
 *	IKE_SVC_NEW_RULE:	ike_rule_t
 *	IKE_SVC_NEW_PS:		ike_ps_t
 *
 * Upon return: new_len is 0; simply acknowledges successful insertion
 * of the requested item.  If insertion is not successful, ike_err_t is
 * returned instead with appropriate error value.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	new_len;
	/* new_len - sizeof (ike_new_t) bytes included here */
	uint64_t	new_align;		/* Padding for 64-bit alignment. */
} ike_new_t;


/*
 * IKE_SVC_DEL_{P1|RULE|PS}
 * Used to request and acknowledge the deletion of an individual table
 * item.
 *
 * Upon request: del_len is the total msg length (struct + id data);
 * del_idtype indicates the type of identification being used.
 *	IKE_SVC_DEL_P1:		ike_addr_pr_t or ike_cky_pr_t
 *	IKE_SVC_DEL_RULE:	char string (label)
 *	IKE_SVC_DEL_PS:		ike_addr_pr_t or pair of sadb_ident_t
 *
 * Upon return: acknowledges deletion of the requested item; del_len and
 * del_idtype are unspecified.  If deletion is not successful, ike_err_t
 * is returned instead with appropriate error value.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	del_len;
	uint32_t	del_idtype;		/* IKE_ID_* value */
	uint32_t	del_reserved;
	/* del_len - sizeof (ike_del_t) bytes of data included here. */
} ike_del_t;


/*
 * IKE_SVC_READ_{RULES|PS}
 * Used to ask daemon to re-read particular configuration info.
 *
 * Upon request: rw_loc indicates where the info should be read from:
 * either from a user-supplied file descriptor(s), or from the default
 * location(s).  If rw_loc indicates user-supplied location, the file
 * descriptor(s) should be passed in the door_desc_t struct.  For the
 * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
 * first, one for the config file which contains the data to be read,
 * and second, one for the cookie file which will be written to as
 * in.iked processes the config file.
 *
 * Upon return: rw_loc is unspecified; the message simply acknowledges
 * successful completion of the request.  If an error occurred,
 * ike_err_t is returned instead with appropriate error value.
 *
 *
 * IKE_SVC_WRITE_{RULES|PS}
 * Used to ask daemon to write its current config info to files.
 *
 * Request and return are handled the same as for the IKE_SVC_READ_*
 * cmds; however, the rw_loc MUST be a user-supplied location.  Also,
 * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
 * only a single fd, for the file to which the config info should be
 * written, should be passed in.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	rw_loc;			/* IKE_RW_LOC_* value */
} ike_rw_t;


/*
 * IKE_SVC_FLUSH_P1S
 * IKE_SVC_FLUSH_CERTCACHE
 *
 * Used to request and acknowledge tear-down of all P1 SAs
 * or to flush the certificate cache.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_flush_t;


#ifndef PKCS11_TOKSIZE
#define	PKCS11_TOKSIZE 32
#endif
#define	MAX_PIN_LEN 256
/*
 * IKE_SVC_SET_PIN
 * IKE_SVC_DEL_PIN
 *
 * Used to supply a pin for a PKCS#11 token object (IKE_SVC_DEL_PIN
 * presumably discards it - confirm against in.iked).
 *
 * token_pin is a secret: both sides should clear the buffer once the
 * request has been handled.  Whether pkcs11_token and token_pin are
 * NUL-terminated is not stated here; bound reads by their array sizes.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	pin_reserved;		/* For 64-bit alignment. */
	char		pkcs11_token[PKCS11_TOKSIZE];
	uchar_t		token_pin[MAX_PIN_LEN];
} ike_pin_t;

/*
 * IKE_SVC_ERROR
 * Used on return if server encountered an error while processing
 * the request.  An appropriate error code is included (as defined
 * in this header file); in the case of IKE_ERR_SYS_ERR, a value
 * from the UNIX errno space is included in the ike_err_unix field.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	ike_err;		/* IKE_ERR_* value */
	uint32_t	ike_err_unix;		/* errno; meaningful only for IKE_ERR_SYS_ERR */
	uint32_t	ike_err_reserved;
} ike_err_t;

/*
 * Generic type for use when the request/reply type is unknown: read cmd
 * first, then reinterpret the message as the matching structure.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_cmd_t;


/*
 * Union containing all possible request/return structures.  Its size is
 * that of the largest member (ike_pin_t); variable-length messages extend
 * past it as described by their len fields.
 */
typedef union {
	ike_cmd_t	svc_cmd;
	ike_dbg_t	svc_dbg;
	ike_priv_t	svc_priv;
	ike_statreq_t	svc_stats;
	ike_dump_t	svc_dump;
	ike_get_t	svc_get;
	ike_new_t	svc_new;
	ike_del_t	svc_del;
	ike_rw_t	svc_rw;
	ike_flush_t	svc_flush;
	ike_pin_t	svc_pin;
	ike_err_t	svc_err;
	ike_defreq_t	svc_defaults;
} ike_service_t;

#ifdef	__cplusplus
}
#endif

#endif	/* _IKEDOOR_H */