1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #ifndef _IKEDOOR_H 26 #define _IKEDOOR_H 27 28 #ifdef __cplusplus 29 extern "C" { 30 #endif 31 32 #include <limits.h> 33 #include <sys/sysmacros.h> 34 #include <net/pfkeyv2.h> 35 #include <door.h> 36 37 /* 38 * This version number is intended to stop the calling process from 39 * getting confused if a structure is changed and a mismatch occurs. 40 * This should be incremented each time a structure is changed. 41 */ 42 43 /* 44 * The IKE process may be a 64-bit process, but ikeadm or any other IKE 45 * door consumer does not have to be. We need to be strict ala. PF_KEY or 46 * any on-the-wire-protocol with respect to structure fields offsets and 47 * alignment. Please make sure all structures are the same size on both 48 * 64-bit and 32-bit execution environments (or even other ones), and that 49 * apart from trivial 4-byte enums or base headers, that all structures are 50 * multiples of 8-bytes (64-bits). 
*/
/*
 * Protocol version of everything below.  It travels in
 * ike_defreq_t.version and must be bumped whenever a structure, enum
 * value or #define that crosses the door changes; a consumer whose
 * DOORVER differs from the daemon's must not interpret the bytes it is
 * handed.  NOTE(review): confirm the daemon rejects a mismatch rather
 * than merely reporting it.
 */
#define	DOORVER		4

/*
 * Rendezvous path of the door.  Who may call the daemon at all is
 * decided outside this header (at least by the permissions on this
 * path); the privilege levels further down only narrow what an
 * admitted caller may do.
 */
#define	DOORNM		"/var/run/ike_door"

/*
 * Door commands.  cmd is the first member of every request and reply
 * structure in this file, so a receiver can read it before it knows
 * which structure follows.  Values are assigned sequentially from 0 and
 * cross the door as 32-bit integers; inserting a value anywhere but at
 * the end renumbers everything after it (IKE_SVC_ERROR included), which
 * is a wire-format change and needs a DOORVER bump.  IKE_SVC_ERROR is
 * only ever sent by the daemon (see ike_err_t).
 *
 * The request structure for each command is documented with that
 * structure further down; the mapping is summarised here:
 */
typedef enum {
	IKE_SVC_GET_DBG,		/* ike_dbg_t */
	IKE_SVC_SET_DBG,		/* ike_dbg_t, optionally plus an fd */

	IKE_SVC_GET_PRIV,		/* ike_priv_t */
	IKE_SVC_SET_PRIV,		/* ike_priv_t; lowering only */

	IKE_SVC_GET_STATS,		/* ike_statreq_t -> ike_stats_t */

	IKE_SVC_GET_P1,			/* ike_get_t -> ike_p1_sa_t */
	IKE_SVC_DEL_P1,			/* ike_del_t */
	IKE_SVC_DUMP_P1S,		/* ike_dump_t -> ike_p1_sa_t */
	IKE_SVC_FLUSH_P1S,		/* ike_flush_t */

	IKE_SVC_GET_RULE,		/* ike_get_t -> ike_rule_t */
	IKE_SVC_NEW_RULE,		/* ike_new_t + ike_rule_t, or an fd */
	IKE_SVC_DEL_RULE,		/* ike_del_t */
	IKE_SVC_DUMP_RULES,		/* ike_dump_t -> ike_rule_t */
	IKE_SVC_READ_RULES,		/* ike_rw_t (+ two fds) */
	IKE_SVC_WRITE_RULES,		/* ike_rw_t (+ one fd) */

	IKE_SVC_GET_PS,			/* ike_get_t -> ike_ps_t */
	IKE_SVC_NEW_PS,			/* ike_new_t + ike_ps_t, or an fd */
	IKE_SVC_DEL_PS,			/* ike_del_t */
	IKE_SVC_DUMP_PS,		/* ike_dump_t -> ike_ps_t */
	IKE_SVC_READ_PS,		/* ike_rw_t */
	IKE_SVC_WRITE_PS,		/* ike_rw_t */

	IKE_SVC_DBG_RBDUMP,		/* no request structure is documented here */

	IKE_SVC_GET_DEFS,		/* ike_defreq_t -> pair of ike_defaults_t */

	IKE_SVC_SET_PIN,		/* ike_pin_t */
	IKE_SVC_DEL_PIN,		/* ike_pin_t */

	IKE_SVC_DUMP_CERTCACHE,		/* ike_dump_t -> ike_certcache_t */
	IKE_SVC_FLUSH_CERTCACHE,	/* ike_flush_t */

	/*
	 * NOTE(review): the three dumps below are not listed in the
	 * ike_dump_t description; presumably they use ike_dump_t and
	 * return ike_group_t / ike_encralg_t / ike_authalg_t - confirm.
	 */
	IKE_SVC_DUMP_GROUPS,
	IKE_SVC_DUMP_ENCRALGS,
	IKE_SVC_DUMP_AUTHALGS,

	IKE_SVC_ERROR			/* reply only: ike_err_t */
} ike_svccmd_t;

/*
 * DPD status of a phase 1 SA, carried in ike_p1_hdr_t.p1hdr_dpd_state.
 * Assumed to be a 4-byte enum on both sides, like ike_svccmd_t.
 */

typedef enum dpd_status {
	DPD_NOT_INITIATED = 0,
	DPD_IN_PROGRESS,
	DPD_SUCCESSFUL,
	DPD_FAILURE
} dpd_status_t;

/*
 * Highest command value.  NOTE(review): a range check written as
 * cmd <= IKE_SVC_MAX also admits IKE_SVC_ERROR, which is never a valid
 * request; a dispatcher should reject it explicitly.
 */
#define	IKE_SVC_MAX	IKE_SVC_ERROR


/*
 * Support structures/defines
 */

/*
 * Round a length up to the next multiple of 8 so that the variable-
 * length trailers described below stay 64-bit aligned.  P2ROUNDUP comes
 * from sys/sysmacros.h and is presumably a macro: pass a side-effect-
 * free expression, and range-check first, since a value within 7 of the
 * type's maximum presumably wraps to 0.
 */
#define	IKEDOORROUNDUP(i)	P2ROUNDUP((i), sizeof (uint64_t))

/*
 * Debug categories.  The debug level is a bitmask made up of flags
 * indicating the desired categories; only 31 bits are available, as the
 * highest-order bit designates an invalid setting.  A level with
 * D_INVALID set, or with bits outside D_ALL set, should be rejected by
 * the receiver of an IKE_SVC_SET_DBG request.
*/
/*
 * Privilege levels, ordered: each level includes the rights of the
 * levels below it.  IKE_PRIV_KEYMAT is the only level at which raw
 * keying material (ike_p1_key_t records, preshared key bytes) is
 * returned.  A request that arrives below the level it needs gets
 * IKE_ERR_NO_PRIV.
 */
#define	IKE_PRIV_MINIMUM	0
#define	IKE_PRIV_MODKEYS	1
#define	IKE_PRIV_KEYMAT		2
#define	IKE_PRIV_MAXIMUM	2

/*
 * Global phase 1 statistics, returned after an ike_statreq_t for
 * IKE_SVC_GET_STATS.  10 x uint32_t followed by PATH_MAX bytes.
 * NOTE(review): nothing here guarantees st_pkcs11_libname carries a
 * terminating NUL; bound every string operation on it by PATH_MAX.
 */
typedef struct {
	uint32_t st_init_p1_current;
	uint32_t st_resp_p1_current;
	uint32_t st_init_p1_total;
	uint32_t st_resp_p1_total;
	uint32_t st_init_p1_attempts;
	uint32_t st_resp_p1_attempts;
	uint32_t st_init_p1_noresp;	/* failed; no response from peer */
	uint32_t st_init_p1_respfail;	/* failed, but peer responded */
	uint32_t st_resp_p1_fail;
	uint32_t st_reserved;
	char st_pkcs11_libname[PATH_MAX];
} ike_stats_t;

/*
 * Default values in effect in in.iked, passed back to ikeadm as a pair
 * of these for IKE_SVC_GET_DEFS (see ike_defreq_t).
 * NOTE(review): 29 x uint32_t = 116 bytes, which is not a multiple of 8
 * as the layout rule at the top of this file asks.  Every member is
 * 4 bytes so there is no internal padding and the pair is 232 bytes,
 * but do not assume the second element of the pair is 8-byte aligned.
 */
typedef struct {
	uint32_t rule_p1_lifetime_secs;
	uint32_t rule_p1_minlife;
	uint32_t rule_p1_nonce_len;
	uint32_t rule_p2_lifetime_secs;
	uint32_t rule_p2_softlife_secs;
	uint32_t rule_p2_idletime_secs;
	uint32_t sys_p2_lifetime_secs;
	uint32_t sys_p2_softlife_secs;
	uint32_t sys_p2_idletime_secs;
	uint32_t rule_p2_lifetime_kb;
	uint32_t rule_p2_softlife_kb;
	uint32_t sys_p2_lifetime_bytes;
	uint32_t sys_p2_softlife_bytes;
	uint32_t rule_p2_minlife_hard_secs;
	uint32_t rule_p2_minlife_soft_secs;
	uint32_t rule_p2_minlife_idle_secs;
	uint32_t rule_p2_minlife_hard_kb;
	uint32_t rule_p2_minlife_soft_kb;
	uint32_t rule_p2_maxlife_secs;
	uint32_t rule_p2_maxlife_kb;
	uint32_t rule_p2_nonce_len;
	uint32_t rule_p2_pfs;
	uint32_t rule_p2_mindiff_secs;
	uint32_t rule_p2_mindiff_kb;
	uint32_t conversion_factor;	/* for secs to kbytes */
	uint32_t rule_max_certs;
	uint32_t rule_ike_port;
	uint32_t rule_natt_port;
	uint32_t defaults_reserved;	/* For 64-bit alignment. */
} ike_defaults_t;

/*
 * Data formatting structures for P1 SA dumps.
 *
 * ike_addr_pr_t is a pair of addresses: local/remote for an SA, or the
 * beginning/end of an address range when used in ike_rule_t and
 * ike_ps_t (the two macros alias the members for that use).  It is
 * 2 x sizeof (struct sockaddr_storage) bytes.
 * NOTE(review): beg_iprange and end_iprange are ordinary object-like
 * macros, so they rewrite any identifier of that name in every file
 * that includes this header.
 */
typedef struct {
	struct sockaddr_storage loc_addr;
	struct sockaddr_storage rem_addr;
#define	beg_iprange	loc_addr
#define	end_iprange	rem_addr
} ike_addr_pr_t;

/* ISAKMP cookie pair; cky_i/cky_r are presumably initiator/responder. */
typedef struct {
	uint64_t cky_i;
	uint64_t cky_r;
} ike_cky_pr_t;

/*
 * Fixed part of a phase 1 SA record.  p1hdr_xchg takes IKE_XCHG_*,
 * p1hdr_state takes IKE_SA_STATE_*, p1hdr_dpd_state takes dpd_status_t.
 * 16 + 4 + 4 + 4 + 4 + 8 = 40 bytes, assuming 4-byte boolean_t and enum.
 */
typedef struct {
	ike_cky_pr_t p1hdr_cookies;
	uint8_t p1hdr_major;
	uint8_t p1hdr_minor;
	uint8_t p1hdr_xchg;
	uint8_t p1hdr_isinit;
	uint32_t p1hdr_state;
	boolean_t p1hdr_support_dpd;
	dpd_status_t p1hdr_dpd_state;
	uint64_t p1hdr_dpd_time;
} ike_p1_hdr_t;

/*
 * values for p1hdr_xchg (aligned with RFC2408, section 3.1)
 * NOTE(review): p1hdr_xchg is a uint8_t, so only 0-255 can be stored
 * there.  IKE_XCHG_ANY (256) fits only the 16-bit ps_ike_mode and
 * rule_ike_mode fields; assigning it to p1hdr_xchg would silently
 * truncate to IKE_XCHG_NONE.
 */
#define	IKE_XCHG_NONE			0
#define	IKE_XCHG_BASE			1
#define	IKE_XCHG_IDENTITY_PROTECT	2
#define	IKE_XCHG_AUTH_ONLY		3
#define	IKE_XCHG_AGGRESSIVE		4
/* following not from RFC; used only for preshared key definitions */
#define	IKE_XCHG_IP_AND_AGGR		240
/* also not from RFC; used as wildcard */
#define	IKE_XCHG_ANY			256

/* values for p1hdr_state */
#define	IKE_SA_STATE_INVALID	0
#define	IKE_SA_STATE_INIT	1
#define	IKE_SA_STATE_SENT_SA	2
#define	IKE_SA_STATE_SENT_KE	3
#define	IKE_SA_STATE_SENT_LAST	4
#define	IKE_SA_STATE_DONE	5
#define	IKE_SA_STATE_DELETED	6

/*
 * Phase 1 transform.  8 x uint16_t + 4 x uint32_t = 32 bytes.
 * p1xf_dh_group takes IKE_GRP_DESC_*, p1xf_auth_meth IKE_AUTH_METH_*,
 * p1xf_prf IKE_PRF_*.  p1xf_encr_low_bits/p1xf_encr_high_bits
 * presumably bound the key length for variable-length ciphers -
 * confirm against the formatter.
 */
typedef struct {
	uint16_t p1xf_dh_group;
	uint16_t p1xf_encr_alg;
	uint16_t p1xf_encr_low_bits;
	uint16_t p1xf_encr_high_bits;
	uint16_t p1xf_auth_alg;
	uint16_t p1xf_auth_meth;
	uint16_t p1xf_prf;
	uint16_t p1xf_pfs;
	uint32_t p1xf_max_secs;
	uint32_t p1xf_max_kbytes;
	uint32_t p1xf_max_keyuses;
	uint32_t p1xf_reserved;		/* Alignment to 64-bit. */
} ike_p1_xform_t;

/*
 * values for p1xf_dh_group (aligned with RFC2409, Appendix A)
 * NOTE(review): these only name what may be negotiated.  MODP_768,
 * MODP_1024 and the two EC2N groups are far below current guidance
 * (2048-bit MODP or larger), and the RFC5114 groups 22-24 use non-safe
 * primes, so a peer's public value must be checked for subgroup
 * membership before it is used.  Policy should not accept the small
 * groups by default.
 */
#define	IKE_GRP_DESC_MODP_768	1
#define	IKE_GRP_DESC_MODP_1024	2
#define	IKE_GRP_DESC_EC2N_155	3
#define	IKE_GRP_DESC_EC2N_185	4
/* values for p1xf_dh_group (aligned with RFC3526) */
#define	IKE_GRP_DESC_MODP_1536	5
#define	IKE_GRP_DESC_MODP_2048	14
#define	IKE_GRP_DESC_MODP_3072	15
#define	IKE_GRP_DESC_MODP_4096	16
#define	IKE_GRP_DESC_MODP_6144	17
#define	IKE_GRP_DESC_MODP_8192	18
#define	IKE_GRP_DESC_ECP_256	19
#define	IKE_GRP_DESC_ECP_384	20
#define	IKE_GRP_DESC_ECP_521	21
/* values for p1xf_dh_group (aligned with RFC5114) */
#define	IKE_GRP_DESC_MODP_1024_160	22
#define	IKE_GRP_DESC_MODP_2048_224	23
#define	IKE_GRP_DESC_MODP_2048_256	24
#define	IKE_GRP_DESC_ECP_192	25
#define	IKE_GRP_DESC_ECP_224	26

/* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
#define	IKE_AUTH_METH_PRE_SHARED_KEY	1
#define	IKE_AUTH_METH_DSS_SIG		2
#define	IKE_AUTH_METH_RSA_SIG		3
#define	IKE_AUTH_METH_RSA_ENCR		4
#define	IKE_AUTH_METH_RSA_ENCR_REVISED	5

/*
 * values for p1xf_prf
 * NOTE(review): 3 and 4 are not assigned here and SHA-2 starts at 5,
 * which matches the IKEv2 PRF transform numbering rather than the
 * IKEv1 hash attribute values (where SHA2-256 is 4).  Confirm which
 * table these are translated to before they reach the wire.
 */
#define	IKE_PRF_NONE		0
#define	IKE_PRF_HMAC_MD5	1
#define	IKE_PRF_HMAC_SHA1	2
#define	IKE_PRF_HMAC_SHA256	5
#define	IKE_PRF_HMAC_SHA384	6
#define	IKE_PRF_HMAC_SHA512	7

/*
 * Per phase 1 SA counters.  2 x uint32_t + uint64_t + 2 x uint32_t =
 * 24 bytes.  p1stat_start is presumably a timestamp - confirm.
 */
typedef struct {
	/*
	 * NOTE: the new and del counters count the actual number of SAs,
	 * not the number of "suites", as defined in the ike monitoring
	 * mib draft; we do this because we don't have a good way of
	 * tracking the deletion of entire suites (we're notified of
	 * deleted qm sas individually).
	 */
	uint32_t p1stat_new_qm_sas;
	uint32_t p1stat_del_qm_sas;
	uint64_t p1stat_start;
	uint32_t p1stat_kbytes;
	uint32_t p1stat_keyuses;
} ike_p1_stats_t;

/* Per phase 1 SA failure counters; 4 x uint32_t = 16 bytes. */
typedef struct {
	uint32_t p1err_decrypt;
	uint32_t p1err_hash;
	uint32_t p1err_otherrx;
	uint32_t p1err_tx;
} ike_p1_errors_t;

/*
 * Header of one key-material record inside an ike_p1_sa_t; p1key_type
 * takes IKE_KEY_*.  These records are only returned to a caller holding
 * IKE_PRIV_KEYMAT.  They are live SA secrets (SKEYID*, encryption key,
 * IV): a consumer should wipe the buffer they arrived in, with a call
 * the compiler cannot elide, as soon as it is done with them.
 */
typedef struct {
	uint32_t p1key_type;
	uint32_t p1key_len;
	/*
	 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
	 * 64-bit aligned (pad bytes are added at the end, if necessary,
	 * and NOT INCLUDED in the len value, which reflects the actual
	 * key size).
	 * NOTE(review): read this as "p1key_len covers this 8-byte header
	 * plus the key bytes, but not the trailing pad", so the next
	 * record presumably begins IKEDOORROUNDUP(p1key_len) bytes after
	 * this one - confirm against the formatter.
	 */
} ike_p1_key_t;

/* key info types for ike_p1_key_t struct */
#define	IKE_KEY_PRESHARED	1
#define	IKE_KEY_SKEYID		2
#define	IKE_KEY_SKEYID_D	3
#define	IKE_KEY_SKEYID_A	4
#define	IKE_KEY_SKEYID_E	5
#define	IKE_KEY_ENCR		6
#define	IKE_KEY_IV		7

/*
 * One phase 1 SA as returned for IKE_SVC_GET_P1 and IKE_SVC_DUMP_P1S.
 * 40 + 32 + 256 + 10 x uint16_t + uint32_t = 352 bytes, followed by the
 * variable-length parts described below.  Even though these records
 * come from the daemon, a consumer must check each off/len pair -
 * off >= sizeof (ike_p1_sa_t) and off + len <= the total length it was
 * handed (get_len / dump_len) - before touching the data; the fields are
 * 16-bit, so nothing beyond 64 KiB can be described.
 * NOTE(review): the offsets are presumably relative to the start of
 * this structure - confirm.
 */
typedef struct {
	ike_p1_hdr_t p1sa_hdr;
	ike_p1_xform_t p1sa_xform;
	ike_addr_pr_t p1sa_ipaddrs;
	uint16_t p1sa_stat_off;
	uint16_t p1sa_stat_len;
	uint16_t p1sa_error_off;
	uint16_t p1sa_error_len;
	uint16_t p1sa_localid_off;
	uint16_t p1sa_localid_len;
	uint16_t p1sa_remoteid_off;
	uint16_t p1sa_remoteid_len;
	uint16_t p1sa_key_off;
	uint16_t p1sa_key_len;
	uint32_t p1sa_reserved;
	/*
	 * variable-length structures will be included here, as
	 * indicated by offset/length fields.
	 * stats and errors will be formatted as ike_p1_stats_t and
	 * ike_p1_errors_t, respectively.
	 * key info will be formatted as a series of p1_key_t structs
	 * (i.e. ike_p1_key_t above), present only at IKE_PRIV_KEYMAT.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_p1_sa_t;


#define	MAX_LABEL_LEN	256


/*
 * One policy rule, returned for IKE_SVC_GET_RULE / IKE_SVC_DUMP_RULES
 * and supplied by the client for IKE_SVC_NEW_RULE.  256 + 4 + 2 + 2 +
 * 8 x uint32_t + 12 x uint16_t = 320 bytes, followed by the lists
 * described below.  rule_ike_mode presumably takes IKE_XCHG_* like
 * ps_ike_mode does.
 * NOTE(review): for IKE_SVC_NEW_RULE this structure is client input.
 * The daemon must validate every cnt/off pair against new_len (the
 * count times the element size must not wrap, and off plus that product
 * must lie inside the message) and must not assume rule_label or the id
 * strings are NUL-terminated.
 */

typedef struct {
	char rule_label[MAX_LABEL_LEN];
	uint32_t rule_kmcookie;
	uint16_t rule_ike_mode;
	uint16_t rule_local_idtype;	/* SADB_IDENTTYPE_* value */
	uint32_t rule_p1_nonce_len;
	uint32_t rule_p2_nonce_len;
	uint32_t rule_p2_pfs;
	uint32_t rule_p2_lifetime_secs;
	uint32_t rule_p2_softlife_secs;
	uint32_t rule_p2_idletime_secs;
	uint32_t rule_p2_lifetime_kb;
	uint32_t rule_p2_softlife_kb;
	uint16_t rule_xform_cnt;
	uint16_t rule_xform_off;
	uint16_t rule_locip_cnt;
	uint16_t rule_locip_off;
	uint16_t rule_remip_cnt;
	uint16_t rule_remip_off;
	uint16_t rule_locid_inclcnt;
	uint16_t rule_locid_exclcnt;
	uint16_t rule_locid_off;
	uint16_t rule_remid_inclcnt;
	uint16_t rule_remid_exclcnt;
	uint16_t rule_remid_off;
	/*
	 * Followed by several lists of variable-length structures, described
	 * by counts and offsets:
	 *	transforms			ike_p1_xform_t structs
	 *	ranges of local ip addrs	ike_addr_pr_t structs
	 *	ranges of remote ip addrs	ike_addr_pr_t structs
	 *	local identification strings	null-terminated ascii strings
	 *	remote identification strings	null-terminated ascii strings
	 * The id lists presumably hold the "include" entries followed by
	 * the "exclude" entries at a single offset - confirm.
	 */
} ike_rule_t;

/*
 * data formatting structure for DH group dumps
 * NOTE(review): 2 + 2 + 256 = 260 bytes, not a multiple of 8 as the
 * layout rule at the top of this file asks (ike_encralg_t and
 * ike_authalg_t below are 268 and 260 bytes).  No member needs more
 * than 4-byte alignment, so the layout is the same for 32- and 64-bit
 * clients, but an array of these does not keep 8-byte alignment.
 */
typedef struct {
	uint16_t group_number;
	uint16_t group_bits;
	char group_label[MAX_LABEL_LEN];
} ike_group_t;

/*
 * data formatting structure for encryption algorithm dumps
 * uint_t/int rather than the fixed-width types used elsewhere in this
 * file; both are 4 bytes on ILP32 and LP64, but fixed-width types would
 * make that explicit.
 */
typedef struct {
	uint_t encr_value;
	char encr_name[MAX_LABEL_LEN];
	int encr_keylen_min;
	int encr_keylen_max;
} ike_encralg_t;

/* data formatting structure for authentication algorithm dumps */
typedef struct {
	uint_t auth_value;
	char auth_name[MAX_LABEL_LEN];
} ike_authalg_t;

/*
 * data formatting structure for preshared keys
*/
/*
 * One preshared key entry, returned for IKE_SVC_GET_PS / IKE_SVC_DUMP_PS
 * and supplied by the client for IKE_SVC_NEW_PS.  ps_ike_mode uses the
 * IKE_XCHG_* defs (including IKE_XCHG_IP_AND_AGGR and IKE_XCHG_ANY,
 * which fit its 16 bits).  256 + 8 x uint16_t = 272 bytes, followed by
 * the variable-length parts described below.
 *
 * Privilege: get/dump/new/delete need IKE_PRIV_MODKEYS or better, and
 * at IKE_PRIV_MODKEYS the daemon omits the key itself from a reply
 * (so expect ps_key_len of 0 there); the key bytes are only returned
 * at IKE_PRIV_KEYMAT.  Wipe any buffer that held them once done.
 * NOTE(review): ps_key_bits versus ps_key_len - presumably the key's
 * length in bits versus its byte length in the message; confirm they
 * agree before trusting either, and bounds-check every off/len pair
 * against the total message length on both sides of the door.
 */
typedef struct {
	ike_addr_pr_t ps_ipaddrs;
	uint16_t ps_ike_mode;
	uint16_t ps_localid_off;
	uint16_t ps_localid_len;
	uint16_t ps_remoteid_off;
	uint16_t ps_remoteid_len;
	uint16_t ps_key_off;
	uint16_t ps_key_len;
	uint16_t ps_key_bits;
	/*
	 * followed by variable-length structures, as indicated by
	 * offset/length fields.
	 * key info will be formatted as an array of bytes.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_ps_t;

/* Maximum bytes of a cached certificate's subject or issuer DN. */
#define	DN_MAX			1024
/* Values for ike_certcache_t.linkage (private key association). */
#define	CERT_OFF_WIRE		-1
#define	CERT_NO_PRIVKEY		0
#define	CERT_PRIVKEY_LOCKED	1
#define	CERT_PRIVKEY_AVAIL	2

/*
 * data formatting structure for cached certs
 * 4 x 4 + 2 x DN_MAX = 2064 bytes.  NOTE(review): nothing here
 * guarantees subject/issuer carry a terminating NUL; bound string
 * operations by DN_MAX.
 */
typedef struct {
	uint32_t cache_id;
	uint32_t certclass;
	int linkage;
	uint32_t certcache_padding;	/* For 64-bit alignment. */
	char subject[DN_MAX];
	char issuer[DN_MAX];
} ike_certcache_t;

/*
 * identification types, used in get_idtype / del_idtype to say what
 * follows the request header (see ike_get_t and ike_del_t): presumably
 * IDENT_PAIR = two sadb_ident_t, ADDR_PAIR = ike_addr_pr_t,
 * CKY_PAIR = ike_cky_pr_t, LABEL = a rule label string.
 */
#define	IKE_ID_IDENT_PAIR	1
#define	IKE_ID_ADDR_PAIR	2
#define	IKE_ID_CKY_PAIR		3
#define	IKE_ID_LABEL		4


/* locations for read/write requests (ike_rw_t.rw_loc) */
#define	IKE_RW_LOC_DEFAULT	1
#define	IKE_RW_LOC_USER_SPEC	2


/*
 * door interface error codes, carried in ike_err_t.ike_err.
 * IKE_ERR_NO_PRIV is about the daemon's privilege level (IKE_PRIV_*);
 * IKE_ERR_NO_AUTH is a separate, unspecified authorization failure.
 */
#define	IKE_ERR_NO_OBJ		1	/* nothing found to match the request */
#define	IKE_ERR_NO_DESC		2	/* fd was required with this request */
#define	IKE_ERR_ID_INVALID	3	/* invalid id info was provided */
#define	IKE_ERR_LOC_INVALID	4	/* invalid location info was provided */
#define	IKE_ERR_CMD_INVALID	5	/* invalid command was provided */
#define	IKE_ERR_DATA_INVALID	6	/* invalid data was provided */
#define	IKE_ERR_CMD_NOTSUP	7	/* unsupported command */
#define	IKE_ERR_REQ_INVALID	8	/* badly formatted request */
#define	IKE_ERR_NO_PRIV		9	/* privilege level not high enough */
#define	IKE_ERR_SYS_ERR		10	/* syserr occurred while processing */
#define	IKE_ERR_DUP_IGNORED	11	/* attempt to add a duplicate entry */
#define	IKE_ERR_NO_TOKEN	12	/* cannot login into pkcs#11 token */
#define	IKE_ERR_NO_AUTH		13	/* not authorized */
#define	IKE_ERR_IN_PROGRESS	14	/* operation already in progress */
#define	IKE_ERR_NO_MEM		15	/* insufficient memory */


/*
 * IKE_SVC_GET_DBG
 * Used to request the current debug level.
 *
 * Upon request, dbg_level is 0 (don't care).
 *
 * Upon return, dbg_level contains the current value.
 *
 *
 * IKE_SVC_SET_DBG
 * Used to request modification of the debug level.
 *
 * Upon request, dbg_level contains desired level (a mask of D_*
 * flags; D_INVALID and bits above D_HIGHBIT should be refused).  If
 * debug output is to be directed to a different file, the fd should
 * be passed in the door_desc_t field of the door_arg_t param.  NOTE:
 * if the daemon is currently running in the background with no debug
 * set, an output file MUST be given.
 *
 * NOTE(review): the daemon will write, with its own privileges, to a
 * descriptor chosen by the caller; the only thing gating that is
 * access to the door itself, so confirm the door's access control is
 * as tight as intended.
 *
 * Upon return, dbg_level contains the old debug level, and acknowledges
 * successful completion of the request.  If an error is encountered,
 * ike_err_t is returned instead, with appropriate error value and cmd
 * IKE_SVC_ERROR.
 */
typedef struct {
	ike_svccmd_t cmd;
	uint32_t dbg_level;
} ike_dbg_t;

/*
 * IKE_SVC_GET_PRIV
 * Used to request the current privilege level.
 *
 * Upon request, priv_level is 0 (don't care).
 *
 * Upon return, priv_level contains the current value.
 *
 *
 * IKE_SVC_SET_PRIV
 * Used to request modification of the privilege level.
 *
 * Upon request, priv_level contains the desired level (IKE_PRIV_*).
 * The level may only be lowered via the door interface; it cannot be
 * raised.  Thus, if in.iked is started at the lowest level, it cannot
 * be changed.  Lowering is therefore one-way for the life of the
 * daemon.
 *
 * Upon return, priv_level contains the old privilege level, and
 * acknowledges successful completion of the request.
*/
/*
 * If an error is encountered, ike_err_t is returned instead, with
 * appropriate error value and cmd IKE_SVC_ERROR.
 */
typedef struct {
	ike_svccmd_t cmd;
	uint32_t priv_level;
} ike_priv_t;


/*
 * IKE_SVC_GET_STATS
 * Used to request current statistics on Phase 1 SA creation and
 * failures.  The statistics represent all activity in in.iked.
 *
 * Upon request, cmd is set, and stat_len does not matter.
 *
 * Upon successful return, stat_len contains the total size of the
 * returned buffer, which contains first the ike_statreq_t struct,
 * followed by the stat data in the ike_stats_t structure.  A consumer
 * should check stat_len >= sizeof (ike_statreq_t) + sizeof (ike_stats_t)
 * and that stat_len does not exceed the size the door actually
 * returned before reading the statistics.  In case of an error in
 * processing the request, ike_err_t is returned with IKE_SVC_ERROR
 * command and appropriate error code.
 */
typedef struct {
	ike_svccmd_t cmd;
	uint32_t stat_len;
} ike_statreq_t;

/*
 * IKE_SVC_GET_DEFS
 * Used to request default values from in.iked.
 *
 * Upon request, cmd is set, and stat_len does not matter.  version is
 * the caller's DOORVER; this is the only place the protocol version is
 * exchanged, so a consumer that cares about layout compatibility should
 * use this command first and compare the version it gets back.
 *
 * Upon successful return, stat_len contains the total size of the
 * returned buffer, this contains a pair of ike_defaults_t's (see the
 * size note on ike_defaults_t).
 */
typedef struct {
	ike_svccmd_t cmd;
	uint32_t stat_len;
	uint32_t version;
	uint32_t defreq_reserved;	/* For 64-bit alignment. */
} ike_defreq_t;

/*
 * IKE_SVC_DUMP_{P1S|RULES|PS|CERTCACHE}
 * Used to request a table dump, and to return info for a single table
 * item.  The expectation is that all of the table data will be passed
 * through the door, one entry at a time; an individual request must be
 * sent for each entry, however (the door server can't send unrequested
 * data).
 *
 * Upon request: cmd is set, and dump_next contains the item number
 * requested (0 for first request).  dump_len is 0; no data follows.
 * NOTE(review): dump_next is client-controlled and is presumably used
 * as an index into the daemon's table; the daemon must range-check it
 * (it need not be a value it previously handed out).
 *
 * Upon return: cmd is set, and dump_next contains the item number of
 * the *next* item in the table (to be used in the subsequent request).
 * dump_next = 0 indicates that this is the last item in the table.
 * dump_len is the total length (data + struct) returned; a consumer
 * should check dump_len >= sizeof (ike_dump_t) and that it does not
 * exceed what the door returned before using the data, which is
 * formatted as indicated by the cmd type:
 *	IKE_SVC_DUMP_P1S:	ike_p1_sa_t
 *	IKE_SVC_DUMP_RULES:	ike_rule_t
 *	IKE_SVC_DUMP_PS:	ike_ps_t
 *	IKE_SVC_DUMP_CERTCACHE:	ike_certcache_t
 * The union below exists only to pad the header to 16 bytes so the
 * data that follows is 64-bit aligned.
 */
typedef struct {
	ike_svccmd_t cmd;
	uint32_t dump_len;
	union {
		struct {
			uint32_t dump_unext;
			uint32_t dump_ureserved;
		} dump_actual;
		uint64_t dump_alignment;
	} dump_u;
#define	dump_next	dump_u.dump_actual.dump_unext
#define	dump_reserved	dump_u.dump_actual.dump_ureserved
	/* dump_len - sizeof (ike_dump_t) bytes of data included here */
} ike_dump_t;


/*
 * IKE_SVC_GET_{P1|RULE|PS}
 * Used to request and return individual table items.
 *
 * Upon request: get_len is the total msg length (struct + id data);
 * get_idtype indicates the type of identification being used
 * (IKE_ID_*).
 *	IKE_SVC_GET_P1:		ike_addr_pr_t or ike_cky_pr_t
 *	IKE_SVC_GET_RULE:	char string (label)
 *	IKE_SVC_GET_PS:		ike_addr_pr_t or pair of sadb_ident_t
 * NOTE(review): the daemon must check that get_len agrees with the
 * size the door delivered and is large enough for the id type claimed,
 * and must not assume a label is NUL-terminated within get_len.
 *
 * Upon return: get_len is the total size (struct + data), get_idtype
 * is unused, and the data that follows is formatted according to cmd:
 *	IKE_SVC_GET_P1:		ike_p1_sa_t
 *	IKE_SVC_GET_RULE:	ike_rule_t
 *	IKE_SVC_GET_PS:		ike_ps_t
 * The header is padded to 16 bytes, as for ike_dump_t.
 */
typedef struct {
	ike_svccmd_t cmd;
	uint32_t get_len;
	union {
		struct {
			uint32_t getu_idtype;
			uint32_t getu_reserved;
		} get_actual;
		uint64_t get_alignment;
	} get_u;
#define	get_idtype	get_u.get_actual.getu_idtype
#define	get_reserved	get_u.get_actual.getu_reserved
	/* get_len - sizeof (ike_get_t) bytes of data included here */
} ike_get_t;


/*
 * IKE_SVC_NEW_{RULE|PS}
 * Used to request and acknowledge insertion of a table item.
 *
 * Upon request: new_len is the total (data + struct) size passed, or 0.
 * new_len = 0 => a door_desc_t is also included with a file descriptor
 * for a file containing the data to be added.  The file should include
 * a single item: a rule, or a pre-shared key.  For new_len != 0, the
 * data is formatted according to the cmd type:
 *	IKE_SVC_NEW_RULE:	ike_rule_t
 *	IKE_SVC_NEW_PS:		ike_ps_t
 * NOTE(review): both forms are untrusted input to the daemon - the
 * inline form must be validated against new_len as described on
 * ike_rule_t / ike_ps_t, and the fd form is a caller-chosen file read
 * with the daemon's privileges.
 *
 * Upon return: new_len is 0; simply acknowledges successful insertion
 * of the requested item.  If insertion is not successful, ike_err_t is
 * returned instead with appropriate error value.
 */
typedef struct {
	ike_svccmd_t cmd;
	uint32_t new_len;
	uint64_t new_align;	/* Padding for 64-bit alignment. */
	/*
	 * new_len - sizeof (ike_new_t) bytes of data follow here, i.e.
	 * after new_align (the whole 16-byte header), not between
	 * new_len and new_align.
	 */
} ike_new_t;


/*
 * IKE_SVC_DEL_{P1|RULE|PS}
 * Used to request and acknowledge the deletion of an individual table
 * item.
 *
 * Upon request: del_len is the total msg length (struct + id data);
 * del_idtype indicates the type of identification being used
 * (IKE_ID_*); the same length/termination checks as for ike_get_t apply.
 *	IKE_SVC_DEL_P1:		ike_addr_pr_t or ike_cky_pr_t
 *	IKE_SVC_DEL_RULE:	char string (label)
 *	IKE_SVC_DEL_PS:		ike_addr_pr_t or pair of sadb_ident_t
 *
 * Upon return: acknowledges deletion of the requested item; del_len and
 * del_idtype are unspecified.  If deletion is not successful, ike_err_t
 * is returned instead with appropriate error value.
 */
typedef struct {
	ike_svccmd_t cmd;
	uint32_t del_len;
	uint32_t del_idtype;
	uint32_t del_reserved;
	/* del_len - sizeof (ike_del_t) bytes of data included here. */
} ike_del_t;


/*
 * IKE_SVC_READ_{RULES|PS}
 * Used to ask daemon to re-read particular configuration info.
 *
 * Upon request: rw_loc indicates where the info should be read from:
 * either from a user-supplied file descriptor(s), or from the default
 * location(s) (IKE_RW_LOC_*).  If rw_loc indicates user-supplied
 * location, the file descriptor(s) should be passed in the door_desc_t
 * struct.  For the IKE_SVC_READ_RULES cmd, two file descriptors should
 * be specified: first, one for the config file which contains the data
 * to be read, and second, one for the cookie file which will be written
 * to as in.iked processes the config file.
 *
 * Upon return: rw_loc is unspecified; the message simply acknowledges
 * successful completion of the request.  If an error occurred,
 * ike_err_t is returned instead with appropriate error value.
 *
 *
 * IKE_SVC_WRITE_{RULES|PS}
 * Used to ask daemon to write its current config info to files.
 *
 * Request and return are handled the same as for the IKE_SVC_READ_*
 * cmds; however, the rw_loc MUST be a user-supplied location.  Also,
 * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
 * only a single fd, for the file to which the config info should be
 * written, should be passed in.
 *
 * NOTE(review): the daemon reads from and writes to caller-chosen
 * descriptors with its own privileges.  IKE_SVC_WRITE_PS in particular
 * needs IKE_PRIV_MODKEYS or better (see the privilege notes near the
 * top of this file); whether the written file contains the key bytes at
 * IKE_PRIV_MODKEYS is not specified here - confirm, since the caller
 * decides where that file lives and who can read it.
 */
typedef struct {
	ike_svccmd_t cmd;
	uint32_t rw_loc;
} ike_rw_t;


/*
 * IKE_SVC_FLUSH_P1S
 * IKE_SVC_FLUSH_CERTCACHE
 *
 * Used to request and acknowledge tear-down of all P1 SAs
 * or to flush the certificate cache.  cmd only; 4 bytes.
 */
typedef struct {
	ike_svccmd_t cmd;
} ike_flush_t;


#ifndef PKCS11_TOKSIZE
#define	PKCS11_TOKSIZE	32
#endif
#define	MAX_PIN_LEN	256
/*
 * IKE_SVC_SET_PIN
 * IKE_SVC_DEL_PIN
 *
 * Used to supply a pin for a PKCS#11 token object.
 *
 * pkcs11_token presumably follows the PKCS#11 convention of a 32-byte,
 * blank-padded label with no NUL - do not rely on a terminator.
 *
 * NOTE(review): token_pin is a secret.  The client should clear its
 * copy, with a call the compiler cannot elide, as soon as door_call
 * returns, and the daemon should do the same once the login is done.
 * This is also the largest member of ike_service_t (4 + 4 + 32 + 256 =
 * 296 bytes), so a buffer of that union that once held a PIN still
 * contains it when reused for another command unless it is cleared.
 */
typedef struct {
	ike_svccmd_t cmd;
	uint32_t pin_reserved;		/* For 64-bit alignment. */
	char pkcs11_token[PKCS11_TOKSIZE];
	uchar_t token_pin[MAX_PIN_LEN];
} ike_pin_t;

/*
 * IKE_SVC_ERROR
 * Used on return if server encountered an error while processing
 * the request.  An appropriate error code is included (as defined
 * in this header file, IKE_ERR_*); in the case of IKE_ERR_SYS_ERR, a
 * value from the UNIX errno space is included in the ike_err_unix
 * field.  A consumer should test cmd == IKE_SVC_ERROR before it
 * interprets any reply as the structure it asked for.  16 bytes.
 */
typedef struct {
	ike_svccmd_t cmd;
	uint32_t ike_err;
	uint32_t ike_err_unix;
	uint32_t ike_err_reserved;
} ike_err_t;

/*
 * Generic type for use when the request/reply type is unknown; cmd is
 * the first member of every message, so this overlays all of them.
 */
typedef struct {
	ike_svccmd_t cmd;
} ike_cmd_t;


/*
 * Union containing all possible request/return structures.
 * sizeof (ike_service_t) is that of its largest member, ike_pin_t; it
 * is not the size of any message that carries variable-length data
 * (ike_dump_t, ike_get_t, ike_new_t, ike_del_t, ike_statreq_t,
 * ike_defreq_t), whose real length is in their *_len field.
 */
typedef union {
	ike_cmd_t svc_cmd;
	ike_dbg_t svc_dbg;
	ike_priv_t svc_priv;
	ike_statreq_t svc_stats;
	ike_dump_t svc_dump;
	ike_get_t svc_get;
	ike_new_t svc_new;
	ike_del_t svc_del;
	ike_rw_t svc_rw;
	ike_flush_t svc_flush;
	ike_pin_t svc_pin;
	ike_err_t svc_err;
	ike_defreq_t svc_defaults;
} ike_service_t;

#ifdef __cplusplus
}
#endif

#endif /* _IKEDOOR_H */