/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * ikedoor.h: wire format of the door interface between in.iked (the IKE
 * daemon) and its management clients (e.g. ikeadm).  Every message begins
 * with an ike_svccmd_t; a reply either uses the same structure as the
 * request or is an ike_err_t.  These structures are a binary protocol
 * shared between two processes, so field order, types and padding must not
 * change without bumping DOORVER below.
 */

#ifndef _IKEDOOR_H
#define	_IKEDOOR_H

#pragma ident	"%Z%%M% %I% %E% SMI"

#ifdef	__cplusplus
extern "C" {
#endif

#include <limits.h>
#include <sys/sysmacros.h>
#include <net/pfkeyv2.h>
#include <door.h>

/*
 * This version number is intended to stop the calling process from
 * getting confused if a structure is changed and a mismatch occurs.
 * This should be incremented each time a structure is changed.
 */
#define	DOORVER	2
/* Filesystem path at which the daemon's door is attached. */
#define	DOORNM	"/var/run/ike_door"


/*
 * Service commands.  Every request and reply structure in this header
 * carries one of these as its first member (cmd).  A receiver should treat
 * any value above IKE_SVC_MAX as IKE_ERR_CMD_INVALID rather than indexing
 * a dispatch table with it.
 */
typedef enum {
	IKE_SVC_GET_DBG,
	IKE_SVC_SET_DBG,

	IKE_SVC_GET_PRIV,
	IKE_SVC_SET_PRIV,

	IKE_SVC_GET_STATS,

	IKE_SVC_GET_P1,
	IKE_SVC_DEL_P1,
	IKE_SVC_DUMP_P1S,
	IKE_SVC_FLUSH_P1S,

	IKE_SVC_GET_RULE,
	IKE_SVC_NEW_RULE,
	IKE_SVC_DEL_RULE,
	IKE_SVC_DUMP_RULES,
	IKE_SVC_READ_RULES,
	IKE_SVC_WRITE_RULES,

	IKE_SVC_GET_PS,
	IKE_SVC_NEW_PS,
	IKE_SVC_DEL_PS,
	IKE_SVC_DUMP_PS,
	IKE_SVC_READ_PS,
	IKE_SVC_WRITE_PS,

	/*
	 * No dedicated request structure for this command is declared in
	 * this header; presumably it is sent as a bare ike_cmd_t -- confirm
	 * against the daemon's door handler.
	 */
	IKE_SVC_DBG_RBDUMP,

	IKE_SVC_GET_DEFS,

	IKE_SVC_ERROR
} ike_svccmd_t;

/* Highest valid command value (IKE_SVC_ERROR is the last enumerator). */
#define	IKE_SVC_MAX	IKE_SVC_ERROR


/*
 * Support structures/defines
 */

/*
 * Round a byte count up to the 64-bit boundary used for the variable-length
 * data that follows several of the structures below.
 */
#define	IKEDOORROUNDUP(i)   P2ROUNDUP((i), sizeof (uint64_t))

/*
 * Debug categories.  The debug level is a bitmask made up of
 * flags indicating the desired categories; only 31 bits are
 * available, as the highest-order bit designates an invalid
 * setting.  A requested dbg_level with D_INVALID set is therefore
 * not a legal setting.
 */
#define	D_INVALID	0x80000000

#define	D_CERT		0x00000001	/* certificate management */
#define	D_KEY		0x00000002	/* key management */
#define	D_OP		0x00000004	/* operational: config, init, mem */
#define	D_P1		0x00000008	/* phase 1 negotiation */
#define	D_P2		0x00000010	/* phase 2 negotiation */
#define	D_PFKEY		0x00000020	/* pf key interface */
#define	D_POL		0x00000040	/* policy management */
#define	D_PROP		0x00000080	/* proposal construction */
#define	D_DOOR		0x00000100	/* door server */
#define	D_CONFIG	0x00000200	/* config file processing */

/*
 * D_HIGHBIT must equal the highest category defined above and D_ALL the
 * OR of all of them; both need updating when a category is added.
 */
#define	D_HIGHBIT	0x00000200
#define	D_ALL		0x000003ff

/*
 * Access privilege levels: define level of access to keying information.
 * The privileges granted at each level are a superset of the privileges
 * granted at all lower levels, so the levels compare numerically
 * (IKE_PRIV_MINIMUM < IKE_PRIV_MODKEYS < IKE_PRIV_KEYMAT).
 *
 * The door operations which require special privileges are:
 *
 * - receiving keying material for SAs and preshared key entries
 *   IKE_PRIV_KEYMAT must be set for this.
 *
 * - get/dump/new/delete/read/write preshared keys
 *   IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
 *   If IKE_PRIV_MODKEYS is set, the information returned for a
 *   get/dump request will not include the actual key; in order
 *   to get the key itself, IKE_PRIV_KEYMAT must be set.
 *
 * - modifying the privilege level: the daemon's privilege level
 *   is set when the daemon is started; the level may only be
 *   lowered via the door interface.
 *
 * All other operations are allowed at any privilege level.
 */
#define	IKE_PRIV_MINIMUM	0
#define	IKE_PRIV_MODKEYS	1
#define	IKE_PRIV_KEYMAT		2
#define	IKE_PRIV_MAXIMUM	2

/*
 * global ike stats formatting structure
 *
 * Returned after an ike_statreq_t in reply to IKE_SVC_GET_STATS; covers
 * Phase 1 SA creation and failures for the whole daemon.  The field names
 * read as initiator-side (init) and responder-side (resp) counters --
 * confirm the exact semantics against the producer.
 */
typedef struct {
	uint32_t	st_init_p1_current;
	uint32_t	st_resp_p1_current;
	uint32_t	st_init_p1_total;
	uint32_t	st_resp_p1_total;
	uint32_t	st_init_p1_attempts;
	uint32_t	st_resp_p1_attempts;
	uint32_t	st_init_p1_noresp;	/* failed; no response from peer */
	uint32_t	st_init_p1_respfail;	/* failed, but peer responded */
	uint32_t	st_resp_p1_fail;
	uint32_t	st_reserved;
	/* NOTE(review): PATH_MAX is large; not guaranteed NUL-terminated by type. */
	char		st_pkcs11_libname[PATH_MAX];
} ike_stats_t;

/*
 * structure used to pass default values used by in.iked back to ikeadm
 *
 * The IKE_SVC_GET_DEFS reply carries a pair of these (see ike_defreq_t);
 * which of the pair is "default" versus "current" is not stated here --
 * confirm against the daemon.
 */
typedef struct {
	uint32_t	rule_p1_lifetime_secs;
	uint32_t	rule_p1_minlife;
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	sys_p2_lifetime_secs;
	uint32_t	sys_p2_softlife_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint32_t	sys_p2_lifetime_bytes;
	uint32_t	sys_p2_softlife_bytes;
	uint32_t	rule_p2_minlife;
	uint32_t	rule_p2_def_minlife;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_minsoft;
	uint32_t	rule_max_certs;
	uint32_t	rule_ike_port;
	uint32_t	rule_natt_port;
} ike_defaults_t;

/* data formatting structures for P1 SA dumps */

/*
 * Pair of socket addresses.  Used both as a local/remote address pair
 * (P1 SA, preshared key) and as an inclusive address range (rule address
 * lists); the two #defines below alias the members for the range use.
 * Note that the #defines are ordinary file-scope macros even though they
 * appear inside the struct body.
 */
typedef struct {
	struct sockaddr_storage	loc_addr;
	struct sockaddr_storage	rem_addr;
#define	beg_iprange	loc_addr
#define	end_iprange	rem_addr
} ike_addr_pr_t;

/*
 * Pair of 64-bit cookies identifying a Phase 1 SA; presumably the ISAKMP
 * initiator (cky_i) and responder (cky_r) cookies -- confirm.
 */
typedef struct {
	uint64_t	cky_i;
	uint64_t	cky_r;
} ike_cky_pr_t;

/* Fixed header of a Phase 1 SA record (see ike_p1_sa_t). */
typedef struct {
	ike_cky_pr_t	p1hdr_cookies;
	uint8_t		p1hdr_major;
	uint8_t		p1hdr_minor;
	/*
	 * IKE_XCHG_* value.  Being a uint8_t, this member cannot hold
	 * IKE_XCHG_ANY (256); storing it would truncate to 0 (IKE_XCHG_NONE).
	 * The wildcard is usable only in the 16-bit ps_ike_mode of ike_ps_t.
	 */
	uint8_t		p1hdr_xchg;
	uint8_t		p1hdr_isinit;
	uint32_t	p1hdr_state;	/* IKE_SA_STATE_* value */
} ike_p1_hdr_t;

/* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
#define	IKE_XCHG_NONE			0
#define	IKE_XCHG_BASE			1
#define	IKE_XCHG_IDENTITY_PROTECT	2
#define	IKE_XCHG_AUTH_ONLY		3
#define	IKE_XCHG_AGGRESSIVE		4
/* following not from RFC; used only for preshared key definitions */
#define	IKE_XCHG_IP_AND_AGGR		240
/* also not from RFC; used as wildcard (does not fit in a uint8_t) */
#define	IKE_XCHG_ANY			256

/* values for p1hdr_state */
#define	IKE_SA_STATE_INVALID	0
#define	IKE_SA_STATE_INIT	1
#define	IKE_SA_STATE_SENT_SA	2
#define	IKE_SA_STATE_SENT_KE	3
#define	IKE_SA_STATE_SENT_LAST	4
#define	IKE_SA_STATE_DONE	5
#define	IKE_SA_STATE_DELETED	6

/*
 * Phase 1 transform: the algorithms, authentication method and lifetime
 * limits of a P1 SA or a rule's proposal.  The low/high bits fields
 * presumably bound the key length for variable-key-length ciphers --
 * confirm against the producer.
 */
typedef struct {
	uint16_t	p1xf_dh_group;		/* IKE_GRP_DESC_* value */
	uint16_t	p1xf_encr_alg;
	uint16_t	p1xf_encr_low_bits;
	uint16_t	p1xf_encr_high_bits;
	uint16_t	p1xf_auth_alg;
	uint16_t	p1xf_auth_meth;		/* IKE_AUTH_METH_* value */
	uint16_t	p1xf_prf;		/* IKE_PRF_* value */
	uint16_t	p1xf_pfs;
	uint32_t	p1xf_max_secs;
	uint32_t	p1xf_max_kbytes;
	uint32_t	p1xf_max_keyuses;
} ike_p1_xform_t;

/*
 * values for p1xf_dh_group (aligned with RFC2409, Appendix A)
 * These are on-the-wire group identifiers; do not renumber.
 */
#define	IKE_GRP_DESC_MODP_768	1
#define	IKE_GRP_DESC_MODP_1024	2
#define	IKE_GRP_DESC_EC2N_155	3
#define	IKE_GRP_DESC_EC2N_185	4
/* values for p1xf_dh_group (aligned with RFC3526) */
#define	IKE_GRP_DESC_MODP_1536	5
#define	IKE_GRP_DESC_MODP_2048	14
#define	IKE_GRP_DESC_MODP_3072	15
#define	IKE_GRP_DESC_MODP_4096	16
#define	IKE_GRP_DESC_MODP_6144	17
#define	IKE_GRP_DESC_MODP_8192	18

/* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
#define	IKE_AUTH_METH_PRE_SHARED_KEY	1
#define	IKE_AUTH_METH_DSS_SIG		2
#define	IKE_AUTH_METH_RSA_SIG		3
#define	IKE_AUTH_METH_RSA_ENCR		4
#define	IKE_AUTH_METH_RSA_ENCR_REVISED	5

/*
 * values for p1xf_prf
 * Unlike the neighbouring tables no RFC is cited; the numbering (with 3
 * and 4 unassigned) is this interface's own.
 */
#define	IKE_PRF_NONE		0
#define	IKE_PRF_HMAC_MD5	1
#define	IKE_PRF_HMAC_SHA1	2
#define	IKE_PRF_HMAC_SHA256	5
#define	IKE_PRF_HMAC_SHA384	6
#define	IKE_PRF_HMAC_SHA512	7

/* Per-P1-SA usage counters (located via p1sa_stat_off in ike_p1_sa_t). */
typedef struct {
	/*
	 * NOTE: the new and del counters count the actual number of SAs,
	 * not the number of "suites", as defined in the ike monitoring
	 * mib draft; we do this because we don't have a good way of
	 * tracking the deletion of entire suites (we're notified of
	 * deleted qm sas individually).
	 */
	uint32_t	p1stat_new_qm_sas;
	uint32_t	p1stat_del_qm_sas;
	uint64_t	p1stat_start;	/* presumably a start timestamp -- confirm */
	uint32_t	p1stat_kbytes;
	uint32_t	p1stat_keyuses;
} ike_p1_stats_t;

/* Per-P1-SA error counters (located via p1sa_error_off in ike_p1_sa_t). */
typedef struct {
	uint32_t	p1err_decrypt;
	uint32_t	p1err_hash;
	uint32_t	p1err_otherrx;
	uint32_t	p1err_tx;
} ike_p1_errors_t;

/*
 * One item of Phase 1 keying material.  Per the privilege levels above,
 * this data is only returned to a client holding IKE_PRIV_KEYMAT.
 */
typedef struct {
	uint32_t	p1key_type;	/* IKE_KEY_* value */
	uint32_t	p1key_len;
	/*
	 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
	 * 64-bit aligned (pad bytes are added at the end, if necessary,
	 * and NOT INCLUDED in the len value, which reflects the actual
	 * key size).
	 *
	 * NOTE(review): the text above describes p1key_len both as
	 * header-inclusive ("len - sizeof") and as "the actual key size";
	 * confirm which the producer uses before stepping through a series
	 * of these (presumably by IKEDOORROUNDUP of the item length).
	 */
} ike_p1_key_t;

/* key info types for ike_p1_key_t struct */
#define	IKE_KEY_PRESHARED	1
#define	IKE_KEY_SKEYID		2
#define	IKE_KEY_SKEYID_D	3
#define	IKE_KEY_SKEYID_A	4
#define	IKE_KEY_SKEYID_E	5
#define	IKE_KEY_ENCR		6
#define	IKE_KEY_IV		7

/*
 * Phase 1 SA record returned by IKE_SVC_GET_P1 / IKE_SVC_DUMP_P1S.
 *
 * NOTE(review): every *_off/*_len pair below locates data inside the same
 * door message.  A consumer should verify off + len does not exceed the
 * enclosing get_len/dump_len before reading through it; the offsets come
 * from the other side of the door.
 */
typedef struct {
	ike_p1_hdr_t	p1sa_hdr;
	ike_p1_xform_t	p1sa_xform;
	ike_addr_pr_t	p1sa_ipaddrs;
	uint16_t	p1sa_stat_off;
	uint16_t	p1sa_stat_len;
	uint16_t	p1sa_error_off;
	uint16_t	p1sa_error_len;
	uint16_t	p1sa_localid_off;
	uint16_t	p1sa_localid_len;
	uint16_t	p1sa_remoteid_off;
	uint16_t	p1sa_remoteid_len;
	uint16_t	p1sa_key_off;
	uint16_t	p1sa_key_len;	/* 0 when no keying material is returned -- confirm */
	uint32_t	p1sa_reserved;
	/*
	 * variable-length structures will be included here, as
	 * indicated by offset/length fields.
	 * stats and errors will be formatted as ike_p1_stats_t and
	 * ike_p1_errors_t, respectively.
	 * key info will be formatted as a series of ike_p1_key_t structs.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_p1_sa_t;


#define	MAX_LABEL_LEN	256


/* data formatting structure for policy (rule) dumps */

/*
 * NOTE(review): the *_off/*_cnt fields locate lists inside the same door
 * message and must be range-checked against the enclosing message length
 * before use; rule_label is not guaranteed NUL-terminated by its type, and
 * the id strings below are bounded only by the message they sit in.
 */
typedef struct {
	char		rule_label[MAX_LABEL_LEN];
	uint32_t	rule_kmcookie;
	uint16_t	rule_ike_mode;		/* IKE_XCHG_* value */
	uint16_t	rule_local_idtype;	/* SADB_IDENTTYPE_* value */
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint16_t	rule_xform_cnt;
	uint16_t	rule_xform_off;
	uint16_t	rule_locip_cnt;
	uint16_t	rule_locip_off;
	uint16_t	rule_remip_cnt;
	uint16_t	rule_remip_off;
	uint16_t	rule_locid_inclcnt;
	uint16_t	rule_locid_exclcnt;
	uint16_t	rule_locid_off;
	uint16_t	rule_remid_inclcnt;
	uint16_t	rule_remid_exclcnt;
	uint16_t	rule_remid_off;
	/*
	 * Followed by several lists of variable-length structures, described
	 * by counts and offsets:
	 *	transforms			ike_p1_xform_t structs
	 *	ranges of local ip addrs	ike_addr_pr_t structs
	 *	ranges of remote ip addrs	ike_addr_pr_t structs
	 *	local identification strings	null-terminated ascii strings
	 *	remote identification strings	null-terminated ascii strings
	 */
} ike_rule_t;


/*
 * data formatting structure for preshared keys
 * ps_ike_mode field uses the IKE_XCHG_* defs
 *
 * The key bytes located by ps_key_off/ps_key_len are keying material; per
 * the privilege levels above a get/dump at IKE_PRIV_MODKEYS omits them
 * (presumably by returning ps_key_len == 0 -- confirm).  As with the other
 * records, offsets/lengths must be checked against the message length.
 */
typedef struct {
	ike_addr_pr_t	ps_ipaddrs;
	uint16_t	ps_ike_mode;
	uint16_t	ps_localid_off;
	uint16_t	ps_localid_len;
	uint16_t	ps_remoteid_off;
	uint16_t	ps_remoteid_len;
	uint16_t	ps_key_off;
	uint16_t	ps_key_len;
	uint16_t	ps_key_bits;	/* presumably key length in bits -- confirm */
	/*
	 * followed by variable-length structures, as indicated by
	 * offset/length fields.
	 * key info will be formatted as an array of bytes.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_ps_t;


/* identification types (get_idtype / del_idtype values) */
#define	IKE_ID_IDENT_PAIR	1
#define	IKE_ID_ADDR_PAIR	2
#define	IKE_ID_CKY_PAIR		3
#define	IKE_ID_LABEL		4


/* locations for read/write requests (rw_loc values) */
#define	IKE_RW_LOC_DEFAULT	1
#define	IKE_RW_LOC_USER_SPEC	2


/* door interface error codes (ike_err values) */
#define	IKE_ERR_NO_OBJ		1	/* nothing found to match the request */
#define	IKE_ERR_NO_DESC		2	/* fd was required with this request */
#define	IKE_ERR_ID_INVALID	3	/* invalid id info was provided */
#define	IKE_ERR_LOC_INVALID	4	/* invalid location info was provided */
#define	IKE_ERR_CMD_INVALID	5	/* invalid command was provided */
#define	IKE_ERR_DATA_INVALID	6	/* invalid data was provided */
#define	IKE_ERR_CMD_NOTSUP	7	/* unsupported command */
#define	IKE_ERR_REQ_INVALID	8	/* badly formatted request */
#define	IKE_ERR_NO_PRIV		9	/* privilege level not high enough */
#define	IKE_ERR_SYS_ERR		10	/* syserr occurred while processing */
#define	IKE_ERR_DUP_IGNORED	11	/* attempt to add a duplicate entry */


/*
 * IKE_SVC_GET_DBG
 * Used to request the current debug level.
 *
 * Upon request, dbg_level is 0 (don't care).
 *
 * Upon return, dbg_level contains the current value.
 *
 *
 * IKE_SVC_SET_DBG
 * Used to request modification of the debug level.
 *
 * Upon request, dbg_level contains desired level.  If debug output is
 * to be directed to a different file, the fd should be passed in the
 * door_desc_t field of the door_arg_t param.  NOTE: if the daemon is
 * currently running in the background with no debug set, an output
 * file MUST be given.
 *
 * Upon return, dbg_level contains the old debug level, and acknowledges
 * successful completion of the request.  If an error is encountered,
 * ike_err_t is returned instead, with appropriate error value and cmd
 * IKE_SVC_ERROR.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dbg_level;	/* D_* bitmask; D_INVALID must be clear */
} ike_dbg_t;

/*
 * IKE_SVC_GET_PRIV
 * Used to request the current privilege level.
 *
 * Upon request, priv_level is 0 (don't care).
 *
 * Upon return, priv_level contains the current value.
 *
 *
 * IKE_SVC_SET_PRIV
 * Used to request modification of the privilege level.
 *
 * Upon request, priv_level contains the desired level.  The level may
 * only be lowered via the door interface; it cannot be raised.  Thus,
 * if in.iked is started at the lowest level, it cannot be changed.
 *
 * Upon return, priv_level contains the old privilege level, and
 * acknowledges successful completion of the request.  If an error is
 * encountered, ike_err_t is returned instead, with appropriate error
 * value and cmd IKE_SVC_ERROR.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	priv_level;	/* IKE_PRIV_* value */
} ike_priv_t;


/*
 * IKE_SVC_GET_STATS
 * Used to request current statistics on Phase 1 SA creation and
 * failures.  The statistics represent all activity in in.iked.
 *
 * Upon request, cmd is set, and stat_len does not matter.
 *
 * Upon successful return, stat_len contains the total size of the
 * returned buffer, which contains first the ike_statreq_t struct,
 * followed by the stat data in the ike_stats_t structure.  In case
 * of an error in processing the request, ike_err_t is returned with
 * IKE_SVC_ERROR command and appropriate error code.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	stat_len;
} ike_statreq_t;

/*
 * IKE_SVC_GET_DEFS
 * Used to request default values from in.iked.
 *
 * Upon request, cmd is set, and stat_len does not matter.
 *
 * Upon successful return, stat_len contains the total size of the
 * returned buffer, this contains a pair of ike_defaults_t's.
 *
 * The version member is not described above; presumably it carries
 * DOORVER so that a structure mismatch can be detected -- confirm against
 * the daemon and ikeadm.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	stat_len;
	uint32_t	version;
} ike_defreq_t;

/*
 * IKE_SVC_DUMP_{P1S|RULES|PS}
 * Used to request a table dump, and to return info for a single table
 * item.  The expectation is that all of the table data will be passed
 * through the door, one entry at a time; an individual request must be
 * sent for each entry, however (the door server can't send unrequested
 * data).
 *
 * Upon request: cmd is set, and dump_next contains the item number
 * requested (0 for first request).  dump_len is 0; no data follows.
 *
 * Upon return: cmd is set, and dump_next contains the item number of
 * the *next* item in the table (to be used in the subsequent request).
 * dump_next = 0 indicates that this is the last item in the table.
 * dump_len is the total length (data + struct) returned.  Data is
 * formatted as indicated by the cmd type:
 *	IKE_SVC_DUMP_P1S:	ike_p1_sa_t
 *	IKE_SVC_DUMP_RULES:	ike_rule_t
 *	IKE_SVC_DUMP_PS:	ike_ps_t
 *
 * The union forces 64-bit alignment of the data that follows.  The
 * dump_next/dump_reserved #defines are file-scope macros, not members.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dump_len;
	union {
		struct {
			uint32_t	dump_unext;
			uint32_t	dump_ureserved;
		} dump_actual;
		uint64_t	dump_alignment;
	} dump_u;
#define	dump_next	dump_u.dump_actual.dump_unext
#define	dump_reserved	dump_u.dump_actual.dump_ureserved
	/* dump_len - sizeof (ike_dump_t) bytes of data included here */
} ike_dump_t;


/*
 * IKE_SVC_GET_{P1|RULE|PS}
 * Used to request and return individual table items.
 *
 * Upon request: get_len is the total msg length (struct + id data);
 * get_idtype indicates the type of identification being used.
 *	IKE_SVC_GET_P1:		ike_addr_pr_t or ike_cky_pr_t
 *	IKE_SVC_GET_RULE:	char string (label)
 *	IKE_SVC_GET_PS:		ike_addr_pr_t or pair of sadb_ident_t
 *
 * Upon return: get_len is the total size (struct + data), get_idtype
 * is unused, and the data that follows is formatted according to cmd:
 *	IKE_SVC_GET_P1:		ike_p1_sa_t
 *	IKE_SVC_GET_RULE:	ike_rule_t
 *	IKE_SVC_GET_PS:		ike_ps_t
 *
 * NOTE(review): the server must check get_len against the actual door
 * argument size (and the label case against MAX_LABEL_LEN / a terminating
 * NUL) before parsing the id data; IKE_ERR_REQ_INVALID exists for this.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	get_len;
	union {
		struct {
			uint32_t	getu_idtype;	/* IKE_ID_* value */
			uint32_t	getu_reserved;
		} get_actual;
		uint64_t	get_alignment;
	} get_u;
#define	get_idtype	get_u.get_actual.getu_idtype
#define	get_reserved	get_u.get_actual.getu_reserved
	/* get_len - sizeof (ike_get_t) bytes of data included here */
} ike_get_t;


/*
 * IKE_SVC_NEW_{RULE|PS}
 * Used to request and acknowledge insertion of a table item.
 *
 * Upon request: new_len is the total (data + struct) size passed, or 0.
 * new_len = 0 => a door_desc_t is also included with a file descriptor
 * for a file containing the data to be added.  The file should include
 * a single item: a rule, or a pre-shared key.  For new_len != 0, the
 * data is formatted according to the cmd type:
 *	IKE_SVC_NEW_RULE:	ike_rule_t
 *	IKE_SVC_NEW_PS:		ike_ps_t
 *
 * Upon return: new_len is 0; simply acknowledges successful insertion
 * of the requested item.  If insertion is not successful, ike_err_t is
 * returned instead with appropriate error value.
 *
 * The inline data presumably starts after new_align (i.e. after the whole
 * struct), despite the placement of the comment below -- confirm.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	new_len;
	/* new_len - sizeof (ike_new_t) bytes included here */
	uint64_t	new_align;	/* Padding for 64-bit alignment. */
} ike_new_t;


/*
 * IKE_SVC_DEL_{P1|RULE|PS}
 * Used to request and acknowledge the deletion of an individual table
 * item.
 *
 * Upon request: del_len is the total msg length (struct + id data);
 * del_idtype indicates the type of identification being used.
 *	IKE_SVC_DEL_P1:		ike_addr_pr_t or ike_cky_pr_t
 *	IKE_SVC_DEL_RULE:	char string (label)
 *	IKE_SVC_DEL_PS:		ike_addr_pr_t or pair of sadb_ident_t
 *
 * Upon return: acknowledges deletion of the requested item; del_len and
 * del_idtype are unspecified.  If deletion is not successful, ike_err_t
 * is returned instead with appropriate error value.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	del_len;
	uint32_t	del_idtype;	/* IKE_ID_* value */
	uint32_t	del_reserved;
	/* del_len - sizeof (ike_del_t) bytes of data included here. */
} ike_del_t;


/*
 * IKE_SVC_READ_{RULES|PS}
 * Used to ask daemon to re-read particular configuration info.
 *
 * Upon request: rw_loc indicates where the info should be read from:
 * either from a user-supplied file descriptor(s), or from the default
 * location(s).  If rw_loc indicates user-supplied location, the file
 * descriptor(s) should be passed in the door_desc_t struct.  For the
 * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
 * first, one for the config file which contains the data to be read,
 * and second, one for the cookie file which will be written to as
 * in.iked processes the config file.
 *
 * Upon return: rw_loc is unspecified; the message simply acknowledges
 * successful completion of the request.  If an error occurred,
 * ike_err_t is returned instead with appropriate error value.
 *
 *
 * IKE_SVC_WRITE_{RULES|PS}
 * Used to ask daemon to write its current config info to files.
 *
 * Request and return are handled the same as for the IKE_SVC_READ_*
 * cmds; however, the rw_loc MUST be a user-supplied location.  Also,
 * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
 * only a single fd, for the file to which the config info should be
 * written, should be passed in.
 *
 * The READ_PS/WRITE_PS commands move preshared keys and are among the
 * operations gated by IKE_PRIV_MODKEYS/IKE_PRIV_KEYMAT (see above).
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	rw_loc;		/* IKE_RW_LOC_* value */
} ike_rw_t;


/*
 * IKE_SVC_FLUSH_P1S
 * Used to request and acknowledge tear-down of all P1 SAs.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_flush_t;


/*
 * IKE_SVC_ERROR
 * Used on return if server encountered an error while processing
 * the request.  An appropriate error code is included (as defined
 * in this header file); in the case of IKE_ERR_SYS_ERR, a value
 * from the UNIX errno space is included in the ike_err_unix field.
 */
typedef struct {
	ike_svccmd_t	cmd;		/* always IKE_SVC_ERROR */
	uint32_t	ike_err;	/* IKE_ERR_* value */
	uint32_t	ike_err_unix;	/* errno, meaningful for IKE_ERR_SYS_ERR */
	uint32_t	ike_err_reserved;
} ike_err_t;


/*
 * Generic type for use when the request/reply type is unknown
 * (read cmd first, then reinterpret through ike_service_t).
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_cmd_t;


/*
 * Union containing all possible request/return structures.
 * Every member starts with an ike_svccmd_t, so svc_cmd.cmd may be read
 * before the member is known.
 */
typedef union {
	ike_cmd_t	svc_cmd;
	ike_dbg_t	svc_dbg;
	ike_priv_t	svc_priv;
	ike_statreq_t	svc_stats;
	ike_dump_t	svc_dump;
	ike_get_t	svc_get;
	ike_new_t	svc_new;
	ike_del_t	svc_del;
	ike_rw_t	svc_rw;
	ike_flush_t	svc_flush;
	ike_err_t	svc_err;
	ike_defreq_t	svc_defaults;
} ike_service_t;

#ifdef	__cplusplus
}
#endif

#endif	/* _IKEDOOR_H */