/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * Message formats for the door interface between in.iked and ikeadm.
 *
 * Every request and reply begins with an ike_svccmd_t; the remaining
 * fields depend on the command.  These structures describe a layout
 * shared between two processes, so field order, types and padding are
 * part of the contract: any change must be accompanied by a DOORVER
 * bump.  Several messages carry variable-length data after the fixed
 * struct, located by offset/length (or count/offset) fields; the
 * structures themselves carry no bound for those fields, so a reader
 * must check every offset and length against the enclosing message
 * length (dump_len, get_len, new_len, del_len) before dereferencing.
 */

#ifndef	_IKEDOOR_H
#define	_IKEDOOR_H

#ifdef	__cplusplus
extern "C" {
#endif

#include <limits.h>
#include <sys/sysmacros.h>
#include <net/pfkeyv2.h>
#include <door.h>

/*
 * This version number is intended to stop the calling process from
 * getting confused if a structure is changed and a mismatch occurs.
 * This should be incremented each time a structure is changed.
 */
#define	DOORVER 2
/* Filesystem name of the door served by in.iked. */
#define	DOORNM	"/var/run/ike_door"


/*
 * Command codes.  Each request and reply carries one of these as its
 * first field (see ike_cmd_t); IKE_SVC_ERROR is used only in replies.
 */
typedef enum {
	IKE_SVC_GET_DBG,
	IKE_SVC_SET_DBG,

	IKE_SVC_GET_PRIV,
	IKE_SVC_SET_PRIV,

	IKE_SVC_GET_STATS,

	IKE_SVC_GET_P1,
	IKE_SVC_DEL_P1,
	IKE_SVC_DUMP_P1S,
	IKE_SVC_FLUSH_P1S,

	IKE_SVC_GET_RULE,
	IKE_SVC_NEW_RULE,
	IKE_SVC_DEL_RULE,
	IKE_SVC_DUMP_RULES,
	IKE_SVC_READ_RULES,
	IKE_SVC_WRITE_RULES,

	IKE_SVC_GET_PS,
	IKE_SVC_NEW_PS,
	IKE_SVC_DEL_PS,
	IKE_SVC_DUMP_PS,
	IKE_SVC_READ_PS,
	IKE_SVC_WRITE_PS,

	IKE_SVC_DBG_RBDUMP,

	IKE_SVC_GET_DEFS,

	IKE_SVC_ERROR
} ike_svccmd_t;

/* DPD (dead peer detection) status, reported in ike_p1_hdr_t. */

typedef enum dpd_status {
	DPD_NOT_INITIATED = 0,
	DPD_IN_PROGRESS,
	DPD_SUCCESSFUL,
	DPD_FAILURE
} dpd_status_t;

/* Highest valid command code; a cmd above this is not a known request. */
#define	IKE_SVC_MAX	IKE_SVC_ERROR


/*
 * Support structures/defines
 */

/* Round a byte count up to a multiple of 8, the alignment of trailing data. */
#define	IKEDOORROUNDUP(i)   P2ROUNDUP((i), sizeof (uint64_t))

/*
 * Debug categories.  The debug level is a bitmask made up of
 * flags indicating the desired categories; only 31 bits are
 * available, as the highest-order bit designates an invalid
 * setting.
 */
#define	D_INVALID	0x80000000

#define	D_CERT		0x00000001	/* certificate management */
#define	D_KEY		0x00000002	/* key management */
#define	D_OP		0x00000004	/* operational: config, init, mem */
#define	D_P1		0x00000008	/* phase 1 negotiation */
#define	D_P2		0x00000010	/* phase 2 negotiation */
#define	D_PFKEY		0x00000020	/* pf key interface */
#define	D_POL		0x00000040	/* policy management */
#define	D_PROP		0x00000080	/* proposal construction */
#define	D_DOOR		0x00000100	/* door server */
#define	D_CONFIG	0x00000200	/* config file processing */

/* Highest category bit currently assigned (equals D_CONFIG). */
#define	D_HIGHBIT	0x00000200
/* All assigned category bits; D_INVALID is deliberately excluded. */
#define	D_ALL		0x000003ff

/*
 * Access privilege levels: define level of access to keying information.
 * The privileges granted at each level are a superset of the privileges
 * granted at all lower levels.
 *
 * The door operations which require special privileges are:
 *
 * - receiving keying material for SAs and preshared key entries
 *   IKE_PRIV_KEYMAT must be set for this.
 *
 * - get/dump/new/delete/read/write preshared keys
 *   IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
 *   If IKE_PRIV_MODKEYS is set, the information returned for a
 *   get/dump request will not include the actual key; in order
 *   to get the key itself, IKE_PRIV_KEYMAT must be set.
 *
 * - modifying the privilege level: the daemon's privilege level
 *   is set when the daemon is started; the level may only be
 *   lowered via the door interface.
 *
 * All other operations are allowed at any privilege level.
 */
#define	IKE_PRIV_MINIMUM	0
#define	IKE_PRIV_MODKEYS	1
#define	IKE_PRIV_KEYMAT		2
#define	IKE_PRIV_MAXIMUM	2

/*
 * Global ike stats formatting structure (reply data for IKE_SVC_GET_STATS).
 * Counters are split by role: st_init_* counts Phase 1 exchanges this
 * daemon initiated, st_resp_* those it responded to.
 */
typedef struct {
	uint32_t	st_init_p1_current;
	uint32_t	st_resp_p1_current;
	uint32_t	st_init_p1_total;
	uint32_t	st_resp_p1_total;
	uint32_t	st_init_p1_attempts;
	uint32_t	st_resp_p1_attempts;
	uint32_t	st_init_p1_noresp;	/* failed; no response from peer */
	uint32_t	st_init_p1_respfail;	/* failed, but peer responded */
	uint32_t	st_resp_p1_fail;
	uint32_t	st_reserved;
	/* Name of the PKCS#11 library in use; PATH_MAX comes from <limits.h>. */
	char		st_pkcs11_libname[PATH_MAX];
} ike_stats_t;

/*
 * Structure used to pass default values used by in.iked back to ikeadm
 * (reply data for IKE_SVC_GET_DEFS; see ike_defreq_t).  The rule_* and
 * sys_* prefixes presumably distinguish per-rule from system-wide
 * defaults — confirm against the daemon's formatter.
 */
typedef struct {
	uint32_t	rule_p1_lifetime_secs;
	uint32_t	rule_p1_minlife;
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	rule_p2_idletime_secs;
	uint32_t	sys_p2_lifetime_secs;
	uint32_t	sys_p2_softlife_secs;
	uint32_t	sys_p2_idletime_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint32_t	sys_p2_lifetime_bytes;
	uint32_t	sys_p2_softlife_bytes;
	uint32_t	rule_p2_minlife;
	uint32_t	rule_p2_def_minlife;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_minsoft;
	uint32_t	rule_max_certs;
	uint32_t	rule_ike_port;
	uint32_t	rule_natt_port;
} ike_defaults_t;

/*
 * Data formatting structures for P1 SA dumps.
 *
 * ike_addr_pr_t is a pair of socket addresses.  When it describes an
 * SA it is a local/remote pair; when it describes an address range
 * (as in ike_rule_t) the same two fields are read as the beginning and
 * end of the range via the beg_iprange/end_iprange aliases below.
 */
typedef struct {
	struct sockaddr_storage	loc_addr;
	struct sockaddr_storage	rem_addr;
#define	beg_iprange	loc_addr
#define	end_iprange	rem_addr
} ike_addr_pr_t;

/* ISAKMP initiator/responder cookie pair identifying a Phase 1 SA. */
typedef struct {
	uint64_t	cky_i;
	uint64_t	cky_r;
} ike_cky_pr_t;

/*
 * Fixed header of a Phase 1 SA as reported through the door.
 * p1hdr_xchg uses the IKE_XCHG_* values and p1hdr_state the
 * IKE_SA_STATE_* values defined below.
 */
typedef struct {
	ike_cky_pr_t	p1hdr_cookies;
	uint8_t		p1hdr_major;
	uint8_t		p1hdr_minor;
	uint8_t		p1hdr_xchg;
	uint8_t		p1hdr_isinit;	/* non-zero if this end initiated (presumed) */
	uint32_t	p1hdr_state;
	boolean_t	p1hdr_support_dpd;
	dpd_status_t	p1hdr_dpd_state;
	time_t		p1hdr_dpd_time;	/* DPD timestamp; exact meaning not defined here */
} ike_p1_hdr_t;

/* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
#define	IKE_XCHG_NONE			0
#define	IKE_XCHG_BASE			1
#define	IKE_XCHG_IDENTITY_PROTECT	2
#define	IKE_XCHG_AUTH_ONLY		3
#define	IKE_XCHG_AGGRESSIVE		4
/* following not from RFC; used only for preshared key definitions */
#define	IKE_XCHG_IP_AND_AGGR		240
/* also not from RFC; used as wildcard */
#define	IKE_XCHG_ANY			256

/* values for p1hdr_state */
#define	IKE_SA_STATE_INVALID	0
#define	IKE_SA_STATE_INIT	1
#define	IKE_SA_STATE_SENT_SA	2
#define	IKE_SA_STATE_SENT_KE	3
#define	IKE_SA_STATE_SENT_LAST	4
#define	IKE_SA_STATE_DONE	5
#define	IKE_SA_STATE_DELETED	6

/*
 * Phase 1 transform: the algorithms and lifetimes of one SA or one
 * proposal in a rule.  p1xf_dh_group, p1xf_auth_meth and p1xf_prf use
 * the IKE_GRP_DESC_*, IKE_AUTH_METH_* and IKE_PRF_* values below.
 * p1xf_encr_low_bits/high_bits presumably bound the key size of
 * p1xf_encr_alg — confirm against the daemon.
 */
typedef struct {
	uint16_t	p1xf_dh_group;
	uint16_t	p1xf_encr_alg;
	uint16_t	p1xf_encr_low_bits;
	uint16_t	p1xf_encr_high_bits;
	uint16_t	p1xf_auth_alg;
	uint16_t	p1xf_auth_meth;
	uint16_t	p1xf_prf;
	uint16_t	p1xf_pfs;
	uint32_t	p1xf_max_secs;
	uint32_t	p1xf_max_kbytes;
	uint32_t	p1xf_max_keyuses;
} ike_p1_xform_t;

/* values for p1xf_dh_group (aligned with RFC2409, Appendix A) */
#define	IKE_GRP_DESC_MODP_768	1
#define	IKE_GRP_DESC_MODP_1024	2
#define	IKE_GRP_DESC_EC2N_155	3
#define	IKE_GRP_DESC_EC2N_185	4
/* values for p1xf_dh_group (aligned with RFC3526) */
#define	IKE_GRP_DESC_MODP_1536	5
#define	IKE_GRP_DESC_MODP_2048	14
#define	IKE_GRP_DESC_MODP_3072	15
#define	IKE_GRP_DESC_MODP_4096	16
#define	IKE_GRP_DESC_MODP_6144	17
#define	IKE_GRP_DESC_MODP_8192	18

/* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
#define	IKE_AUTH_METH_PRE_SHARED_KEY	1
#define	IKE_AUTH_METH_DSS_SIG		2
#define	IKE_AUTH_METH_RSA_SIG		3
#define	IKE_AUTH_METH_RSA_ENCR		4
#define	IKE_AUTH_METH_RSA_ENCR_REVISED	5

/* values for p1xf_prf */
#define	IKE_PRF_NONE		0
#define	IKE_PRF_HMAC_MD5	1
#define	IKE_PRF_HMAC_SHA1	2
#define	IKE_PRF_HMAC_SHA256	5
#define	IKE_PRF_HMAC_SHA384	6
#define	IKE_PRF_HMAC_SHA512	7

/* Per-Phase-1-SA statistics; located by p1sa_stat_off/len in ike_p1_sa_t. */
typedef struct {
	/*
	 * NOTE: the new and del counters count the actual number of SAs,
	 * not the number of "suites", as defined in the ike monitoring
	 * mib draft; we do this because we don't have a good way of
	 * tracking the deletion of entire suites (we're notified of
	 * deleted qm sas individually).
	 */
	uint32_t	p1stat_new_qm_sas;
	uint32_t	p1stat_del_qm_sas;
	uint64_t	p1stat_start;
	uint32_t	p1stat_kbytes;
	uint32_t	p1stat_keyuses;
} ike_p1_stats_t;

/* Per-Phase-1-SA error counters; located by p1sa_error_off/len. */
typedef struct {
	uint32_t	p1err_decrypt;
	uint32_t	p1err_hash;
	uint32_t	p1err_otherrx;
	uint32_t	p1err_tx;
} ike_p1_errors_t;

/*
 * Header of one piece of Phase 1 keying material.  Several of these,
 * each followed by its key bytes, make up the key region of an
 * ike_p1_sa_t.  Everything described by this struct is secret: the
 * daemon only returns it when IKE_PRIV_KEYMAT is held (see the
 * privilege-level comment above), and a consumer should treat the
 * buffer it lands in as sensitive.  p1key_len covers this header plus
 * the key bytes but not the alignment padding, so a reader must
 * validate it against the remaining region length before advancing
 * to the next entry.
 */
typedef struct {
	uint32_t	p1key_type;
	uint32_t	p1key_len;
	/*
	 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
	 * 64-bit aligned (pad bytes are added at the end, if necessary,
	 * and NOT INCLUDED in the len value, which reflects the actual
	 * key size).
	 */
} ike_p1_key_t;

/* key info types for ike_p1_key_t struct */
#define	IKE_KEY_PRESHARED	1
#define	IKE_KEY_SKEYID		2
#define	IKE_KEY_SKEYID_D	3
#define	IKE_KEY_SKEYID_A	4
#define	IKE_KEY_SKEYID_E	5
#define	IKE_KEY_ENCR		6
#define	IKE_KEY_IV		7

/*
 * One Phase 1 SA as returned for IKE_SVC_GET_P1 and IKE_SVC_DUMP_P1S.
 * The *_off/*_len pairs locate variable-length regions that follow the
 * fixed struct; the offsets are presumably relative to the start of
 * this struct — confirm against the daemon's formatter.  None of the
 * pairs is bounded by the struct itself, so check each against the
 * enclosing get_len/dump_len before use.  p1sa_key_off/len is only
 * populated for callers holding IKE_PRIV_KEYMAT.
 */
typedef struct {
	ike_p1_hdr_t	p1sa_hdr;
	ike_p1_xform_t	p1sa_xform;
	ike_addr_pr_t	p1sa_ipaddrs;
	uint16_t	p1sa_stat_off;
	uint16_t	p1sa_stat_len;
	uint16_t	p1sa_error_off;
	uint16_t	p1sa_error_len;
	uint16_t	p1sa_localid_off;
	uint16_t	p1sa_localid_len;
	uint16_t	p1sa_remoteid_off;
	uint16_t	p1sa_remoteid_len;
	uint16_t	p1sa_key_off;
	uint16_t	p1sa_key_len;
	uint32_t	p1sa_reserved;
	/*
	 * variable-length structures will be included here, as
	 * indicated by offset/length fields.
	 * stats and errors will be formatted as ike_p1_stats_t and
	 * ike_p1_errors_t, respectively.
	 * key info will be formatted as a series of p1_key_t structs.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_p1_sa_t;


/* Size of the rule_label buffer, including the terminating NUL. */
#define	MAX_LABEL_LEN	256


/*
 * Data formatting structure for policy (rule) dumps.
 *
 * rule_ike_mode uses the IKE_XCHG_* values.  The *_cnt/*_off pairs
 * locate lists that follow the fixed struct; as with ike_p1_sa_t, the
 * struct carries no bound for them, so a reader must check count and
 * offset against the enclosing message length, and must not assume
 * rule_label is NUL-terminated without checking.
 */

typedef struct {
	char		rule_label[MAX_LABEL_LEN];
	uint32_t	rule_kmcookie;
	uint16_t	rule_ike_mode;
	uint16_t	rule_local_idtype;	/* SADB_IDENTTYPE_* value */
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	rule_p2_idletime_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint16_t	rule_xform_cnt;
	uint16_t	rule_xform_off;
	uint16_t	rule_locip_cnt;
	uint16_t	rule_locip_off;
	uint16_t	rule_remip_cnt;
	uint16_t	rule_remip_off;
	uint16_t	rule_locid_inclcnt;
	uint16_t	rule_locid_exclcnt;
	uint16_t	rule_locid_off;
	uint16_t	rule_remid_inclcnt;
	uint16_t	rule_remid_exclcnt;
	uint16_t	rule_remid_off;
	/*
	 * Followed by several lists of variable-length structures, described
	 * by counts and offsets:
	 *	transforms			ike_p1_xform_t structs
	 *	ranges of local ip addrs	ike_addr_pr_t structs
	 *	ranges of remote ip addrs	ike_addr_pr_t structs
	 *	local identification strings	null-terminated ascii strings
	 *	remote identification strings	null-terminated ascii strings
	 */
} ike_rule_t;


/*
 * data formatting structure for preshared keys
 * ps_ike_mode field uses the IKE_XCHG_* defs
 *
 * The key region located by ps_key_off/ps_key_len is secret; per the
 * privilege-level comment above it is omitted from get/dump replies
 * unless IKE_PRIV_KEYMAT is held.  ps_key_bits is the key length in
 * bits and ps_key_len the byte length of the region (presumed;
 * confirm against the daemon).  Validate all off/len pairs against
 * the enclosing message length before use.
 */
typedef struct {
	ike_addr_pr_t	ps_ipaddrs;
	uint16_t	ps_ike_mode;
	uint16_t	ps_localid_off;
	uint16_t	ps_localid_len;
	uint16_t	ps_remoteid_off;
	uint16_t	ps_remoteid_len;
	uint16_t	ps_key_off;
	uint16_t	ps_key_len;
	uint16_t	ps_key_bits;
	/*
	 * followed by variable-length structures, as indicated by
	 * offset/length fields.
	 * key info will be formatted as an array of bytes.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_ps_t;


/* identification types (values for get_idtype and del_idtype) */
#define	IKE_ID_IDENT_PAIR	1
#define	IKE_ID_ADDR_PAIR	2
#define	IKE_ID_CKY_PAIR		3
#define	IKE_ID_LABEL		4


/* locations for read/write requests (values for rw_loc) */
#define	IKE_RW_LOC_DEFAULT	1
#define	IKE_RW_LOC_USER_SPEC	2


/* door interface error codes (values for ike_err in ike_err_t) */
#define	IKE_ERR_NO_OBJ		1	/* nothing found to match the request */
#define	IKE_ERR_NO_DESC		2	/* fd was required with this request */
#define	IKE_ERR_ID_INVALID	3	/* invalid id info was provided */
#define	IKE_ERR_LOC_INVALID	4	/* invalid location info was provided */
#define	IKE_ERR_CMD_INVALID	5	/* invalid command was provided */
#define	IKE_ERR_DATA_INVALID	6	/* invalid data was provided */
#define	IKE_ERR_CMD_NOTSUP	7	/* unsupported command */
#define	IKE_ERR_REQ_INVALID	8	/* badly formatted request */
#define	IKE_ERR_NO_PRIV		9	/* privilege level not high enough */
#define	IKE_ERR_SYS_ERR		10	/* syserr occurred while processing */
#define	IKE_ERR_DUP_IGNORED	11	/* attempt to add a duplicate entry */


/*
 * IKE_SVC_GET_DBG
 * Used to request the current debug level.
 *
 * Upon request, dbg_level is 0 (don't care).
 *
 * Upon return, dbg_level contains the current value.
 *
 *
 * IKE_SVC_SET_DBG
 * Used to request modification of the debug level.
 *
 * Upon request, dbg_level contains desired level.  If debug output is
 * to be directed to a different file, the fd should be passed in the
 * door_desc_t field of the door_arg_t param.  NOTE: if the daemon is
 * currently running in the background with no debug set, an output
 * file MUST be given.
 *
 * Upon return, dbg_level contains the old debug level, and acknowledges
 * successful completion of the request.  If an error is encountered,
 * ike_err_t is returned instead, with appropriate error value and cmd
 * IKE_SVC_ERROR.
 *
 * dbg_level is a bitmask of the D_* category flags above; a value with
 * D_INVALID set is not a valid setting.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dbg_level;
} ike_dbg_t;

/*
 * IKE_SVC_GET_PRIV
 * Used to request the current privilege level.
 *
 * Upon request, priv_level is 0 (don't care).
 *
 * Upon return, priv_level contains the current value.
 *
 *
 * IKE_SVC_SET_PRIV
 * Used to request modification of the privilege level.
 *
 * Upon request, priv_level contains the desired level.  The level may
 * only be lowered via the door interface; it cannot be raised.  Thus,
 * if in.iked is started at the lowest level, it cannot be changed.
 *
 * Upon return, priv_level contains the old privilege level, and
 * acknowledges successful completion of the request.  If an error is
 * encountered, ike_err_t is returned instead, with appropriate error
 * value and cmd IKE_SVC_ERROR.
 *
 * priv_level is one of IKE_PRIV_MINIMUM .. IKE_PRIV_MAXIMUM.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	priv_level;
} ike_priv_t;


/*
 * IKE_SVC_GET_STATS
 * Used to request current statistics on Phase 1 SA creation and
 * failures.  The statistics represent all activity in in.iked.
 *
 * Upon request, cmd is set, and stat_len does not matter.
 *
 * Upon successful return, stat_len contains the total size of the
 * returned buffer, which contains first the ike_statreq_t struct,
 * followed by the stat data in the ike_stats_t structure.  In case
 * of an error in processing the request, ike_err_t is returned with
 * IKE_SVC_ERROR command and appropriate error code.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	stat_len;
} ike_statreq_t;

/*
 * IKE_SVC_GET_DEFS
 * Used to request default values from in.iked.
 *
 * Upon request, cmd is set, and stat_len does not matter.
 *
 * Upon successful return, stat_len contains the total size of the
 * returned buffer, this contains a pair of ike_defaults_t's.
 *
 * version carries the caller's DOORVER so that a structure mismatch
 * can be detected (presumed from the field name and the DOORVER
 * comment above — confirm against the daemon).
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	stat_len;
	uint32_t	version;
} ike_defreq_t;

/*
 * IKE_SVC_DUMP_{P1S|RULES|PS}
 * Used to request a table dump, and to return info for a single table
 * item.  The expectation is that all of the table data will be passed
 * through the door, one entry at a time; an individual request must be
 * sent for each entry, however (the door server can't send unrequested
 * data).
 *
 * Upon request: cmd is set, and dump_next contains the item number
 * requested (0 for first request).  dump_len is 0; no data follows.
 *
 * Upon return: cmd is set, and dump_next contains the item number of
 * the *next* item in the table (to be used in the subsequent request).
 * dump_next = 0 indicates that this is the last item in the table.
 * dump_len is the total length (data + struct) returned.  Data is
 * formatted as indicated by the cmd type:
 *	IKE_SVC_DUMP_P1S:	ike_p1_sa_t
 *	IKE_SVC_DUMP_RULES:	ike_rule_t
 *	IKE_SVC_DUMP_PS:	ike_ps_t
 *
 * The dump_u union exists only so that the struct ends on a 64-bit
 * boundary (dump_alignment pads dump_actual), keeping the trailing data
 * 64-bit aligned; access the real fields through the dump_next and
 * dump_reserved aliases.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dump_len;
	union {
		struct {
			uint32_t	dump_unext;
			uint32_t	dump_ureserved;
		} dump_actual;
		uint64_t	dump_alignment;
	} dump_u;
#define	dump_next	dump_u.dump_actual.dump_unext
#define	dump_reserved	dump_u.dump_actual.dump_ureserved
	/* dump_len - sizeof (ike_dump_t) bytes of data included here */
} ike_dump_t;


/*
 * IKE_SVC_GET_{P1|RULE|PS}
 * Used to request and return individual table items.
 *
 * Upon request: get_len is the total msg length (struct + id data);
 * get_idtype indicates the type of identification being used.
 *	IKE_SVC_GET_P1:		ike_addr_pr_t or ike_cky_pr_t
 *	IKE_SVC_GET_RULE:	char string (label)
 *	IKE_SVC_GET_PS:		ike_addr_pr_t or pair of sadb_ident_t
 *
 * Upon return: get_len is the total size (struct + data), get_idtype
 * is unused, and the data that follows is formatted according to cmd:
 *	IKE_SVC_GET_P1:		ike_p1_sa_t
 *	IKE_SVC_GET_RULE:	ike_rule_t
 *	IKE_SVC_GET_PS:		ike_ps_t
 *
 * get_idtype takes the IKE_ID_* values.  The get_u union serves the
 * same alignment purpose as dump_u in ike_dump_t; use the get_idtype
 * and get_reserved aliases.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	get_len;
	union {
		struct {
			uint32_t	getu_idtype;
			uint32_t	getu_reserved;
		} get_actual;
		uint64_t	get_alignment;
	} get_u;
#define	get_idtype	get_u.get_actual.getu_idtype
#define	get_reserved	get_u.get_actual.getu_reserved
	/* get_len - sizeof (ike_get_t) bytes of data included here */
} ike_get_t;


/*
 * IKE_SVC_NEW_{RULE|PS}
 * Used to request and acknowledge insertion of a table item.
 *
 * Upon request: new_len is the total (data + struct) size passed, or 0.
 * new_len = 0 => a door_desc_t is also included with a file descriptor
 * for a file containing the data to be added.  The file should include
 * a single item: a rule, or a pre-shared key.  For new_len != 0, the
 * data is formatted according to the cmd type:
 *	IKE_SVC_NEW_RULE:	ike_rule_t
 *	IKE_SVC_NEW_PS:		ike_ps_t
 *
 * Upon return: new_len is 0; simply acknowledges successful insertion
 * of the requested item.  If insertion is not successful, ike_err_t is
 * returned instead with appropriate error value.
 *
 * The new_align member carries no information; it is part of the fixed
 * struct so that the item data, which begins after it, is 64-bit
 * aligned.  Note the daemon is inserting caller-supplied data here, so
 * the server side must validate the embedded item's own offsets and
 * counts against new_len before trusting them.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	new_len;
	/* new_len - sizeof (ike_new_t) bytes included here */
	uint64_t	new_align;	/* Padding for 64-bit alignment. */
} ike_new_t;


/*
 * IKE_SVC_DEL_{P1|RULE|PS}
 * Used to request and acknowledge the deletion of an individual table
 * item.
 *
 * Upon request: del_len is the total msg length (struct + id data);
 * del_idtype indicates the type of identification being used.
 *	IKE_SVC_DEL_P1:		ike_addr_pr_t or ike_cky_pr_t
 *	IKE_SVC_DEL_RULE:	char string (label)
 *	IKE_SVC_DEL_PS:		ike_addr_pr_t or pair of sadb_ident_t
 *
 * Upon return: acknowledges deletion of the requested item; del_len and
 * del_idtype are unspecified.  If deletion is not successful, ike_err_t
 * is returned instead with appropriate error value.
 *
 * del_idtype takes the IKE_ID_* values.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	del_len;
	uint32_t	del_idtype;
	uint32_t	del_reserved;
	/* del_len - sizeof (ike_del_t) bytes of data included here. */
} ike_del_t;


/*
 * IKE_SVC_READ_{RULES|PS}
 * Used to ask daemon to re-read particular configuration info.
 *
 * Upon request: rw_loc indicates where the info should be read from:
 * either from a user-supplied file descriptor(s), or from the default
 * location(s).  If rw_loc indicates user-supplied location, the file
 * descriptor(s) should be passed in the door_desc_t struct.  For the
 * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
 * first, one for the config file which contains the data to be read,
 * and second, one for the cookie file which will be written to as
 * in.iked processes the config file.
 *
 * Upon return: rw_loc is unspecified; the message simply acknowledges
 * successful completion of the request.  If an error occurred,
 * ike_err_t is returned instead with appropriate error value.
 *
 *
 * IKE_SVC_WRITE_{RULES|PS}
 * Used to ask daemon to write its current config info to files.
 *
 * Request and return are handled the same as for the IKE_SVC_READ_*
 * cmds; however, the rw_loc MUST be a user-supplied location.  Also,
 * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
 * only a single fd, for the file to which the config info should be
 * written, should be passed in.
 *
 * rw_loc takes the IKE_RW_LOC_* values.  Because the daemon reads from
 * and writes to descriptors the caller chose, the *_PS variants are
 * covered by the preshared-key privilege rules described above.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	rw_loc;
} ike_rw_t;


/*
 * IKE_SVC_FLUSH_P1S
 * Used to request and acknowledge tear-down of all P1 SAs.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_flush_t;


/*
 * IKE_SVC_ERROR
 * Used on return if server encountered an error while processing
 * the request.  An appropriate error code is included (as defined
 * in this header file); in the case of IKE_ERR_SYS_ERR, a value
 * from the UNIX errno space is included in the ike_err_unix field.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	ike_err;
	uint32_t	ike_err_unix;
	uint32_t	ike_err_reserved;
} ike_err_t;


/*
 * Generic type for use when the request/reply type is unknown.
 * Every message begins with cmd, so a buffer can be read as an
 * ike_cmd_t first and then reinterpreted by cmd.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_cmd_t;


/*
 * Union containing all possible request/return structures.
 * sizeof (ike_service_t) is therefore the minimum size of any message
 * header; a reader should check it has at least that many bytes before
 * selecting a member.
 */
typedef union {
	ike_cmd_t	svc_cmd;
	ike_dbg_t	svc_dbg;
	ike_priv_t	svc_priv;
	ike_statreq_t	svc_stats;
	ike_dump_t	svc_dump;
	ike_get_t	svc_get;
	ike_new_t	svc_new;
	ike_del_t	svc_del;
	ike_rw_t	svc_rw;
	ike_flush_t	svc_flush;
	ike_err_t	svc_err;
	ike_defreq_t	svc_defaults;
} ike_service_t;

#ifdef	__cplusplus
}
#endif

#endif	/* _IKEDOOR_H */