1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #ifndef _IKEDOOR_H 27 #define _IKEDOOR_H 28 29 #ifdef __cplusplus 30 extern "C" { 31 #endif 32 33 #include <limits.h> 34 #include <sys/sysmacros.h> 35 #include <net/pfkeyv2.h> 36 #include <door.h> 37 38 /* 39 * This version number is intended to stop the calling process from 40 * getting confused if a structure is changed and a mismatch occurs. 41 * This should be incremented each time a structure is changed. 
*/
/*
 * NOTE(review): every typedef in this header is copied through the door
 * as-is, so DOORVER is really an ABI version.  ike_defreq_t carries a
 * "version" field, presumably where this is exchanged -- confirm against
 * in.iked/ikeadm.  A side that detects a mismatch should refuse to
 * interpret the message rather than parse it with the wrong layout.
 * Layout also depends on the data model (time_t, int and enum widths are
 * not fixed), which DOORVER does not encode; see ike_p1_hdr_t.
 */
#define	DOORVER	2

/*
 * Rendezvous point for the door.  Nothing in this header restricts who may
 * call it; any authorization decision is made by the daemon (cf.
 * IKE_ERR_NO_AUTH below).
 */
#define	DOORNM	"/var/run/ike_door"


/*
 * Door request/reply commands.  The enum value is the first word of every
 * message (each request/reply struct below starts with an ike_svccmd_t),
 * so these are wire values: add new commands before IKE_SVC_ERROR, never
 * renumber, and bump DOORVER when doing so.
 */
typedef enum {
	IKE_SVC_GET_DBG,
	IKE_SVC_SET_DBG,

	IKE_SVC_GET_PRIV,
	IKE_SVC_SET_PRIV,

	IKE_SVC_GET_STATS,

	IKE_SVC_GET_P1,
	IKE_SVC_DEL_P1,
	IKE_SVC_DUMP_P1S,
	IKE_SVC_FLUSH_P1S,

	IKE_SVC_GET_RULE,
	IKE_SVC_NEW_RULE,
	IKE_SVC_DEL_RULE,
	IKE_SVC_DUMP_RULES,
	IKE_SVC_READ_RULES,
	IKE_SVC_WRITE_RULES,

	IKE_SVC_GET_PS,
	IKE_SVC_NEW_PS,
	IKE_SVC_DEL_PS,
	IKE_SVC_DUMP_PS,
	IKE_SVC_READ_PS,
	IKE_SVC_WRITE_PS,

	IKE_SVC_DBG_RBDUMP,

	IKE_SVC_GET_DEFS,

	IKE_SVC_SET_PIN,
	IKE_SVC_DEL_PIN,

	IKE_SVC_DUMP_CERTCACHE,
	IKE_SVC_FLUSH_CERTCACHE,

	/* Reply-only: the server reports a failure (see ike_err_t). */
	IKE_SVC_ERROR
} ike_svccmd_t;

/* DPD (dead peer detection) status of a phase 1 SA; see p1hdr_dpd_state */

typedef enum dpd_status {
	DPD_NOT_INITIATED = 0,
	DPD_IN_PROGRESS,
	DPD_SUCCESSFUL,
	DPD_FAILURE
} dpd_status_t;

/*
 * Largest valid command value.  A request whose cmd is above this (or is
 * IKE_SVC_ERROR itself, which is reply-only) is not a valid request; the
 * natural answer is IKE_ERR_CMD_INVALID.
 */
#define	IKE_SVC_MAX	IKE_SVC_ERROR


/*
 * Support structures/defines
 */

/*
 * Round a byte count up to a multiple of 8.  Used for the padding that
 * keeps the variable-length trailers below 64-bit aligned (e.g. the pad
 * bytes after ike_p1_key_t data).  Evaluates its argument once.
 */
#define	IKEDOORROUNDUP(i)	P2ROUNDUP((i), sizeof (uint64_t))

/*
 * Debug categories.  The debug level is a bitmask made up of
 * flags indicating the desired categories; only 31 bits are
 * available, as the highest-order bit designates an invalid
 * setting.
 */
#define	D_INVALID	0x80000000

#define	D_CERT		0x00000001	/* certificate management */
#define	D_KEY		0x00000002	/* key management */
#define	D_OP		0x00000004	/* operational: config, init, mem */
#define	D_P1		0x00000008	/* phase 1 negotiation */
#define	D_P2		0x00000010	/* phase 2 negotiation */
#define	D_PFKEY		0x00000020	/* pf key interface */
#define	D_POL		0x00000040	/* policy management */
#define	D_PROP		0x00000080	/* proposal construction */
#define	D_DOOR		0x00000100	/* door server */
#define	D_CONFIG	0x00000200	/* config file processing */

/*
 * D_HIGHBIT is the highest category defined above (currently D_CONFIG) and
 * D_ALL is the union of all of them; D_INVALID is deliberately not part of
 * D_ALL.  When a category is added, update both together.  A requested
 * level with D_INVALID set, or with bits above D_HIGHBIT, is presumably
 * rejected by IKE_SVC_SET_DBG -- confirm in the daemon.
 */
#define	D_HIGHBIT	0x00000200
#define	D_ALL		0x000003ff

/*
 * Access privilege levels: define level of access to keying information.
 * The privileges granted at each level is a superset of the privileges
 * granted at all lower levels.
 *
 * The door operations which require special privileges are:
 *
 * - receiving keying material for SAs and preshared key entries
 *   IKE_PRIV_KEYMAT must be set for this.
 *
 * - get/dump/new/delete/read/write preshared keys
 *   IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
 *   If IKE_PRIV_MODKEYS is set, the information returned for a
 *   get/dump request will not include the actual key; in order
 *   to get the key itself, IKE_PRIV_KEYMAT must be set.
 *
 * - modifying the privilege level: the daemon's privilege level
 *   is set when the daemon is started; the level may only be
 *   lowered via the door interface.
 *
 * All other operations are allowed at any privilege level.
 *
 * NOTE(review): the level is a property of the daemon, not of the caller.
 * At IKE_PRIV_KEYMAT the daemon hands out live SA secrets (the IKE_KEY_*
 * items: SKEYID*, encryption key, IV) and preshared keys in the clear to
 * whoever is allowed to call the door, so it should be started at the
 * lowest level that suffices and lowered as soon as the key material is
 * no longer needed -- it cannot be raised again without a restart.
*/
#define	IKE_PRIV_MINIMUM	0	/* no access to keys or key material */
#define	IKE_PRIV_MODKEYS	1	/* manage preshared keys; key bytes withheld */
#define	IKE_PRIV_KEYMAT		2	/* full access, including key bytes */
#define	IKE_PRIV_MAXIMUM	2

/*
 * Global IKE stats formatting structure; returned after an ike_statreq_t
 * in the reply to IKE_SVC_GET_STATS.  The "init"/"resp" prefixes appear
 * to distinguish locally initiated from peer-initiated phase 1 SAs
 * (inferred from the names; confirm in the daemon).
 */
typedef struct {
	uint32_t	st_init_p1_current;
	uint32_t	st_resp_p1_current;
	uint32_t	st_init_p1_total;
	uint32_t	st_resp_p1_total;
	uint32_t	st_init_p1_attempts;
	uint32_t	st_resp_p1_attempts;
	uint32_t	st_init_p1_noresp;	/* failed; no response from peer */
	uint32_t	st_init_p1_respfail;	/* failed, but peer responded */
	uint32_t	st_resp_p1_fail;
	uint32_t	st_reserved;
	/*
	 * PKCS#11 library name.  NOTE(review): nothing in this interface
	 * guarantees NUL termination of the array; a consumer should bound
	 * the read (strnlen(..., PATH_MAX) or "%.*s") rather than assume it.
	 */
	char		st_pkcs11_libname[PATH_MAX];
} ike_stats_t;

/*
 * Structure used to pass default values used by in.iked back to ikeadm
 * (IKE_SVC_GET_DEFS).  Two of these are returned per request; which is
 * which is not stated here -- confirm against ikeadm before relying on
 * the order.  All values are plain uint32_t, so the layout is stable
 * across data models.
 */
typedef struct {
	uint32_t	rule_p1_lifetime_secs;
	uint32_t	rule_p1_minlife;
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	rule_p2_idletime_secs;
	uint32_t	sys_p2_lifetime_secs;
	uint32_t	sys_p2_softlife_secs;
	uint32_t	sys_p2_idletime_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint32_t	sys_p2_lifetime_bytes;
	uint32_t	sys_p2_softlife_bytes;
	uint32_t	rule_p2_minlife;
	uint32_t	rule_p2_def_minlife;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_minsoft;
	uint32_t	rule_max_certs;
	uint32_t	rule_ike_port;
	uint32_t	rule_natt_port;
} ike_defaults_t;

/*
 * Data formatting structures for P1 SA dumps.
 *
 * A local/remote address pair.  Via the two aliases the same structure
 * also denotes an inclusive address range (begin/end) in rule address
 * lists.  A consumer should check ss_family before interpreting either
 * address, since the bytes come from the other side of the door.
 */
typedef struct {
	struct sockaddr_storage	loc_addr;
	struct sockaddr_storage	rem_addr;
#define	beg_iprange	loc_addr
#define	end_iprange	rem_addr
} ike_addr_pr_t;

/* ISAKMP initiator/responder cookie pair identifying a phase 1 SA */
typedef struct {
	uint64_t	cky_i;
	uint64_t	cky_r;
} ike_cky_pr_t;

/*
 * Fixed header of a phase 1 SA record (first member of ike_p1_sa_t).
 *
 * NOTE(review): boolean_t, dpd_status_t and time_t are not fixed-width
 * types, so the size and offsets of the tail of this struct can differ
 * between ILP32 and LP64 builds.  DOORVER does not capture that; both
 * door endpoints are assumed to be built for the same data model --
 * confirm.
 */
typedef struct {
	ike_cky_pr_t	p1hdr_cookies;
	uint8_t		p1hdr_major;		/* ISAKMP version */
	uint8_t		p1hdr_minor;
	uint8_t		p1hdr_xchg;		/* IKE_XCHG_* (RFC values only) */
	uint8_t		p1hdr_isinit;		/* nonzero: we are the initiator */
	uint32_t	p1hdr_state;		/* IKE_SA_STATE_* */
	boolean_t	p1hdr_support_dpd;
	dpd_status_t	p1hdr_dpd_state;
	time_t		p1hdr_dpd_time;
} ike_p1_hdr_t;

/* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
#define	IKE_XCHG_NONE			0
#define	IKE_XCHG_BASE			1
#define	IKE_XCHG_IDENTITY_PROTECT	2
#define	IKE_XCHG_AUTH_ONLY		3
#define	IKE_XCHG_AGGRESSIVE		4
/* following not from RFC; used only for preshared key definitions */
#define	IKE_XCHG_IP_AND_AGGR		240
/*
 * Also not from RFC; used as wildcard.  NOTE(review): 256 does not fit in
 * the uint8_t p1hdr_xchg (it would truncate to IKE_XCHG_NONE); it is only
 * meaningful in the uint16_t ps_ike_mode / rule_ike_mode fields.
 */
#define	IKE_XCHG_ANY			256

/* values for p1hdr_state */
#define	IKE_SA_STATE_INVALID	0
#define	IKE_SA_STATE_INIT	1
#define	IKE_SA_STATE_SENT_SA	2
#define	IKE_SA_STATE_SENT_KE	3
#define	IKE_SA_STATE_SENT_LAST	4
#define	IKE_SA_STATE_DONE	5
#define	IKE_SA_STATE_DELETED	6

/*
 * Phase 1 transform: algorithms and lifetime limits.  The encr_low/high
 * bits fields presumably bound a variable key length for p1xf_encr_alg
 * (inferred from the names -- confirm).
 */
typedef struct {
	uint16_t	p1xf_dh_group;		/* IKE_GRP_DESC_* */
	uint16_t	p1xf_encr_alg;
	uint16_t	p1xf_encr_low_bits;
	uint16_t	p1xf_encr_high_bits;
	uint16_t	p1xf_auth_alg;
	uint16_t	p1xf_auth_meth;		/* IKE_AUTH_METH_* */
	uint16_t	p1xf_prf;		/* IKE_PRF_* */
	uint16_t	p1xf_pfs;
	uint32_t	p1xf_max_secs;
	uint32_t	p1xf_max_kbytes;
	uint32_t	p1xf_max_keyuses;
} ike_p1_xform_t;

/*
 * values for p1xf_dh_group (aligned with RFC2409, Appendix A)
 * NOTE(review): groups 1-4 (768/1024-bit MODP and the EC2N groups) are
 * well below current strength recommendations; new configurations should
 * use group 14 or larger.
 */
#define	IKE_GRP_DESC_MODP_768	1
#define	IKE_GRP_DESC_MODP_1024	2
#define	IKE_GRP_DESC_EC2N_155	3
#define	IKE_GRP_DESC_EC2N_185	4
/* values for p1xf_dh_group (aligned with RFC3526) */
#define	IKE_GRP_DESC_MODP_1536	5
#define	IKE_GRP_DESC_MODP_2048	14
#define	IKE_GRP_DESC_MODP_3072	15
#define	IKE_GRP_DESC_MODP_4096	16
#define	IKE_GRP_DESC_MODP_6144	17
#define	IKE_GRP_DESC_MODP_8192	18

/* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
#define	IKE_AUTH_METH_PRE_SHARED_KEY	1
#define	IKE_AUTH_METH_DSS_SIG		2
#define	IKE_AUTH_METH_RSA_SIG		3
#define	IKE_AUTH_METH_RSA_ENCR		4
#define	IKE_AUTH_METH_RSA_ENCR_REVISED	5

/*
 * values for p1xf_prf.  These are this interface's own numbering; the gap
 * at 3-4 is intentional as far as this header shows, so do not reuse
 * those values without checking the daemon.
 */
#define	IKE_PRF_NONE		0
#define	IKE_PRF_HMAC_MD5	1	/* legacy; avoid for new configurations */
#define	IKE_PRF_HMAC_SHA1	2
#define	IKE_PRF_HMAC_SHA256	5
#define	IKE_PRF_HMAC_SHA384	6
#define	IKE_PRF_HMAC_SHA512	7

/* Per-phase-1-SA counters, carried in the p1sa_stat_off trailer. */
typedef struct {
	/*
	 * NOTE: the new and del counters count the actual number of SAs,
	 * not the number of "suites", as defined in the ike monitoring
	 * mib draft; we do this because we don't have a good way of
	 * tracking the deletion of entire suites (we're notified of
	 * deleted qm sas individually).
	 */
	uint32_t	p1stat_new_qm_sas;
	uint32_t	p1stat_del_qm_sas;
	uint64_t	p1stat_start;	/* SA start time; epoch/units not stated here */
	uint32_t	p1stat_kbytes;
	uint32_t	p1stat_keyuses;
} ike_p1_stats_t;

/* Per-phase-1-SA error counters, carried in the p1sa_error_off trailer. */
typedef struct {
	uint32_t	p1err_decrypt;
	uint32_t	p1err_hash;
	uint32_t	p1err_otherrx;
	uint32_t	p1err_tx;
} ike_p1_errors_t;

/*
 * One item of key material in the p1sa_key_off trailer.
 *
 * NOTE(review): the two comments below disagree about p1key_len.  The
 * first describes the trailing data as (len - sizeof (ike_p1_key_t))
 * bytes, i.e. len includes the header; the second says len "reflects the
 * actual key size", i.e. it excludes the header.  Check ikeadm/in.iked
 * for which one is true before writing a parser; a consumer that guesses
 * wrong reads past the item.  Either way, the padding to the next 64-bit
 * boundary is NOT counted in len, so step to the next item with
 * IKEDOORROUNDUP().
 */
typedef struct {
	uint32_t	p1key_type;	/* IKE_KEY_* */
	uint32_t	p1key_len;
	/*
	 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
	 * 64-bit aligned (pad bytes are added at the end, if necessary,
	 * and NOT INCLUDED in the len value, which reflects the actual
	 * key size).
	 */
} ike_p1_key_t;

/*
 * key info types for ike_p1_key_t struct.  All of these are secrets
 * (the ISAKMP SKEYID family, the encryption key and the IV); the daemon
 * only returns them at IKE_PRIV_KEYMAT, and a consumer should zeroize the
 * reply buffer once it is done with it.
 */
#define	IKE_KEY_PRESHARED	1
#define	IKE_KEY_SKEYID		2
#define	IKE_KEY_SKEYID_D	3
#define	IKE_KEY_SKEYID_A	4
#define	IKE_KEY_SKEYID_E	5
#define	IKE_KEY_ENCR		6
#define	IKE_KEY_IV		7

/*
 * A complete phase 1 SA record: fixed part plus trailers located by
 * offset/length pairs.
 *
 * NOTE(review): the base of the offsets is not stated here; presumably
 * they are relative to the start of this struct -- confirm against the
 * producer.  Every off/len pair arrives from the other side of the door,
 * so before dereferencing a trailer the consumer must check
 * off + len <= the enclosing message length (get_len / dump_len) and, for
 * the stats/errors trailers, that len is at least sizeof the expected
 * struct.  A zero length means "not present".
 */
typedef struct {
	ike_p1_hdr_t	p1sa_hdr;
	ike_p1_xform_t	p1sa_xform;
	ike_addr_pr_t	p1sa_ipaddrs;
	uint16_t	p1sa_stat_off;
	uint16_t	p1sa_stat_len;
	uint16_t	p1sa_error_off;
	uint16_t	p1sa_error_len;
	uint16_t	p1sa_localid_off;
	uint16_t	p1sa_localid_len;
	uint16_t	p1sa_remoteid_off;
	uint16_t	p1sa_remoteid_len;
	uint16_t	p1sa_key_off;
	uint16_t	p1sa_key_len;
	uint32_t	p1sa_reserved;
	/*
	 * variable-length structures will be included here, as
	 * indicated by offset/length fields.
	 * stats and errors will be formatted as ike_p1_stats_t and
	 * ike_p1_errors_t, respectively.
	 * key info will be formatted as a series of p1_key_t structs.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_p1_sa_t;


#define	MAX_LABEL_LEN	256


/*
 * data formatting structure for policy (rule) dumps
 *
 * The label doubles as the rule's identifier for IKE_SVC_GET_RULE and
 * IKE_SVC_DEL_RULE.  NOTE(review): the interface does not promise that
 * rule_label is NUL-terminated within MAX_LABEL_LEN; treat it as a
 * bounded buffer.  The cnt/off pairs below come from the peer process:
 * check off + cnt * sizeof (element) against the message length before
 * walking a list, and for the id-string lists make sure each string's
 * terminator lies inside the message rather than assuming one.
 */
typedef struct {
	char		rule_label[MAX_LABEL_LEN];
	uint32_t	rule_kmcookie;
	uint16_t	rule_ike_mode;		/* IKE_XCHG_*, wildcard allowed */
	uint16_t	rule_local_idtype;	/* SADB_IDENTTYPE_* value */
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	rule_p2_idletime_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint16_t	rule_xform_cnt;
	uint16_t	rule_xform_off;
	uint16_t	rule_locip_cnt;
	uint16_t	rule_locip_off;
	uint16_t	rule_remip_cnt;
	uint16_t	rule_remip_off;
	uint16_t	rule_locid_inclcnt;
	uint16_t	rule_locid_exclcnt;
	uint16_t	rule_locid_off;
	uint16_t	rule_remid_inclcnt;
	uint16_t	rule_remid_exclcnt;
	uint16_t	rule_remid_off;
	/*
	 * Followed by several lists of variable-length structures, described
	 * by counts and offsets:
	 *	transforms			ike_p1_xform_t structs
	 *	ranges of local ip addrs	ike_addr_pr_t structs
	 *	ranges of remote ip addrs	ike_addr_pr_t structs
	 *	local identification strings	null-terminated ascii strings
	 *	remote identification strings	null-terminated ascii strings
	 */
} ike_rule_t;


/*
 * data formatting structure for preshared keys
 * ps_ike_mode field uses the IKE_XCHG_* defs
 *
 * The key bytes travel in the clear inside the door buffer; at
 * IKE_PRIV_MODKEYS the daemon omits them from get/dump replies (see the
 * privilege-level comment above).  Both sides should zeroize buffers that
 * held one of these.  ps_key_bits presumably carries the key length in
 * bits when it is not a whole number of bytes -- confirm.  The off/len
 * fields need the same bounds checks as those of ike_p1_sa_t.
 */
typedef struct {
	ike_addr_pr_t	ps_ipaddrs;
	uint16_t	ps_ike_mode;
	uint16_t	ps_localid_off;
	uint16_t	ps_localid_len;
	uint16_t	ps_remoteid_off;
	uint16_t	ps_remoteid_len;
	uint16_t	ps_key_off;
	uint16_t	ps_key_len;
	uint16_t	ps_key_bits;
	/*
	 * followed by variable-length structures, as indicated by
	 * offset/length fields.
	 * key info will be formatted as an array of bytes.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_ps_t;

#define	DN_MAX			1024
/* values for ike_certcache_t.linkage */
#define	CERT_OFF_WIRE		-1
#define	CERT_NO_PRIVKEY		0
#define	CERT_PRIVKEY_LOCKED	1
#define	CERT_PRIVKEY_AVAIL	2

/*
 * data formatting structure for cached certs
 *
 * NOTE(review): "class" is a C++ keyword, so despite the extern "C"
 * wrapper this header cannot be included from C++ as it stands; renaming
 * the member would break existing C callers, so this is flagged rather
 * than changed.  subject/issuer are DN strings; do not assume they are
 * NUL-terminated within DN_MAX.
 */
typedef struct {
	uint32_t	cache_id;
	uint32_t	class;
	int		linkage;	/* CERT_* */
	char		subject[DN_MAX];
	char		issuer[DN_MAX];
} ike_certcache_t;

/*
 * identification types (get_idtype / del_idtype), naming the data that
 * follows an ike_get_t / ike_del_t:
 *	IKE_ID_IDENT_PAIR	pair of sadb_ident_t
 *	IKE_ID_ADDR_PAIR	ike_addr_pr_t
 *	IKE_ID_CKY_PAIR		ike_cky_pr_t
 *	IKE_ID_LABEL		null-terminated rule label
 * (mapping inferred from the GET/DEL descriptions below; confirm.)
 */
#define	IKE_ID_IDENT_PAIR	1
#define	IKE_ID_ADDR_PAIR	2
#define	IKE_ID_CKY_PAIR		3
#define	IKE_ID_LABEL		4


/* locations for read/write requests */
#define	IKE_RW_LOC_DEFAULT	1
#define	IKE_RW_LOC_USER_SPEC	2


/*
 * door interface error codes (ike_err_t.ike_err).  Note the distinction
 * between IKE_ERR_NO_PRIV (the daemon's own IKE_PRIV_* level is too low
 * for the operation) and IKE_ERR_NO_AUTH (the caller is not authorized).
 */
#define	IKE_ERR_NO_OBJ		1	/* nothing found to match the request */
#define	IKE_ERR_NO_DESC		2	/* fd was required with this request */
#define	IKE_ERR_ID_INVALID	3	/* invalid id info was provided */
#define	IKE_ERR_LOC_INVALID	4	/* invalid location info was provided */
#define	IKE_ERR_CMD_INVALID	5	/* invalid command was provided */
#define	IKE_ERR_DATA_INVALID	6	/* invalid data was provided */
#define	IKE_ERR_CMD_NOTSUP	7	/* unsupported command */
#define	IKE_ERR_REQ_INVALID	8	/* badly formatted request */
#define	IKE_ERR_NO_PRIV		9	/* privilege level not high enough */
#define	IKE_ERR_SYS_ERR		10	/* syserr occurred while processing */
#define	IKE_ERR_DUP_IGNORED	11	/* attempt to add a duplicate entry */
#define	IKE_ERR_NO_TOKEN	12	/* cannot login into pkcs#11 token */
#define	IKE_ERR_NO_AUTH		13	/* not authorized */
#define	IKE_ERR_IN_PROGRESS	14	/* operation already in progress */
#define	IKE_ERR_NO_MEM		15	/* insufficient memory */


/*
 * IKE_SVC_GET_DBG
 * Used to request the current debug level.
 *
 * Upon request, dbg_level is 0 (don't care).
 *
 * Upon return, dbg_level contains the current value.
 *
 *
 * IKE_SVC_SET_DBG
 * Used to request modification of the debug level.
 *
 * Upon request, dbg_level contains desired level.  If debug output is
 * to be directed to a different file, the fd should be passed in the
 * door_desc_t field of the door_arg_t param.  NOTE: if the daemon is
 * currently running in the background with no debug set, an output
 * file MUST be given.
 *
 * NOTE(review): the daemon ends up writing to a descriptor chosen by the
 * caller, so whatever authorization check gates this request is what
 * protects against redirecting daemon output to an arbitrary file.  A
 * requested level with D_INVALID set (or bits above D_HIGHBIT) should
 * be rejected rather than stored.
 *
 * Upon return, dbg_level contains the old debug level, and acknowledges
 * successful completion of the request.  If an error is encountered,
 * ike_err_t is returned instead, with appropriate error value and cmd
 * IKE_SVC_ERROR.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dbg_level;	/* bitmask of D_* categories */
} ike_dbg_t;

/*
 * IKE_SVC_GET_PRIV
 * Used to request the current privilege level.
 *
 * Upon request, priv_level is 0 (don't care).
 *
 * Upon return, priv_level contains the current value.
 *
 *
 * IKE_SVC_SET_PRIV
 * Used to request modification of the privilege level.
 *
 * Upon request, priv_level contains the desired level.  The level may
 * only be lowered via the door interface; it cannot be raised.  Thus,
 * if in.iked is started at the lowest level, it cannot be changed.
 * Lowering is one-way for the life of the daemon: there is no door
 * operation that restores a higher level.
 *
 * Upon return, priv_level contains the old privilege level, and
 * acknowledges successful completion of the request.  If an error is
 * encountered, ike_err_t is returned instead, with appropriate error
 * value and cmd IKE_SVC_ERROR.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	priv_level;	/* IKE_PRIV_MINIMUM .. IKE_PRIV_MAXIMUM */
} ike_priv_t;


/*
 * IKE_SVC_GET_STATS
 * Used to request current statistics on Phase 1 SA creation and
 * failures.  The statistics represent all activity in in.iked.
 *
 * Upon request, cmd is set, and stat_len does not matter.
*
 * Upon successful return, stat_len contains the total size of the
 * returned buffer, which contains first the ike_statreq_t struct,
 * followed by the stat data in the ike_stats_t structure.  In case
 * of an error in processing the request, ike_err_t is returned with
 * IKE_SVC_ERROR command and appropriate error code.  A consumer should
 * check stat_len >= sizeof (ike_statreq_t) + sizeof (ike_stats_t)
 * before reading the stats.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	stat_len;
} ike_statreq_t;

/*
 * IKE_SVC_GET_DEFS
 * Used to request default values from in.iked.
 *
 * Upon request, cmd is set, and stat_len does not matter.
 *
 * Upon successful return, stat_len contains the total size of the
 * returned buffer, this contains a pair of ike_defaults_t's.
 *
 * The meaning of "version" is not described here; presumably it carries
 * DOORVER so the two sides can detect a layout mismatch -- confirm in
 * ikeadm/in.iked.  As with GET_STATS, check stat_len against
 * sizeof (ike_defreq_t) + 2 * sizeof (ike_defaults_t) before use.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	stat_len;
	uint32_t	version;
} ike_defreq_t;

/*
 * IKE_SVC_DUMP_{P1S|RULES|PS|CERTCACHE}
 * Used to request a table dump, and to return info for a single table
 * item.  The expectation is that all of the table data will be passed
 * through the door, one entry at a time; an individual request must be
 * sent for each entry, however (the door server can't send unrequested
 * data).
 *
 * Upon request: cmd is set, and dump_next contains the item number
 * requested (0 for first request).  dump_len is 0; no data follows.
 *
 * Upon return: cmd is set, and dump_next contains the item number of
 * the *next* item in the table (to be used in the subsequent request).
 * dump_next = 0 indicates that this is the last item in the table.
 * dump_len is the total length (data + struct) returned.  Data is
 * formatted as indicated by the cmd type:
 *	IKE_SVC_DUMP_P1S:	ike_p1_sa_t
 *	IKE_SVC_DUMP_RULES:	ike_rule_t
 *	IKE_SVC_DUMP_PS:	ike_ps_t
 *	IKE_SVC_DUMP_CERTCACHE:	ike_certcache_t
 *
 * dump_len is supplied by the other side: a consumer must check
 * dump_len >= sizeof (ike_dump_t) + sizeof (item) before touching the
 * item, and any off/len fields inside the item are bounded by dump_len.
 * Note that the table may change between two requests of one walk, so
 * dump_next is a cursor, not a stable identifier.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dump_len;
	/*
	 * The uint64_t member makes sizeof (ike_dump_t) a multiple of 8 so
	 * that the trailing item starts 64-bit aligned.
	 */
	union {
		struct {
			uint32_t	dump_unext;
			uint32_t	dump_ureserved;
		} dump_actual;
		uint64_t	dump_alignment;
	} dump_u;
#define	dump_next	dump_u.dump_actual.dump_unext
#define	dump_reserved	dump_u.dump_actual.dump_ureserved
	/* dump_len - sizeof (ike_dump_t) bytes of data included here */
} ike_dump_t;


/*
 * IKE_SVC_GET_{P1|RULE|PS}
 * Used to request and return individual table items.
 *
 * Upon request: get_len is the total msg length (struct + id data);
 * get_idtype indicates the type of identification being used
 * (IKE_ID_*, by the names -- confirm).
 *	IKE_SVC_GET_P1:		ike_addr_pr_t or ike_cky_pr_t
 *	IKE_SVC_GET_RULE:	char string (label)
 *	IKE_SVC_GET_PS:		ike_addr_pr_t or pair of sadb_ident_t
 *
 * Upon return: get_len is the total size (struct + data), get_idtype
 * is unused, and the data that follows is formatted according to cmd:
 *	IKE_SVC_GET_P1:		ike_p1_sa_t
 *	IKE_SVC_GET_RULE:	ike_rule_t
 *	IKE_SVC_GET_PS:		ike_ps_t
 *
 * In both directions get_len must be validated against the actual door
 * argument size and against sizeof (ike_get_t) plus the id/item size
 * before the trailing data is read; for a label id, the terminator must
 * lie inside get_len.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	get_len;
	/* uint64_t member: keep the trailing data 64-bit aligned (as in ike_dump_t) */
	union {
		struct {
			uint32_t	getu_idtype;
			uint32_t	getu_reserved;
		} get_actual;
		uint64_t	get_alignment;
	} get_u;
#define	get_idtype	get_u.get_actual.getu_idtype
#define	get_reserved	get_u.get_actual.getu_reserved
	/* get_len - sizeof (ike_get_t) bytes of data included here */
} ike_get_t;


/*
 * IKE_SVC_NEW_{RULE|PS}
 * Used to request and acknowledge insertion of a table item.
 *
 * Upon request: new_len is the total (data + struct) size passed, or 0.
 * new_len = 0 => a door_desc_t is also included with a file descriptor
 * for a file containing the data to be added.  The file should include
 * a single item: a rule, or a pre-shared key.  For new_len != 0, the
 * data is formatted according to the cmd type:
 *	IKE_SVC_NEW_RULE:	ike_rule_t
 *	IKE_SVC_NEW_PS:		ike_ps_t
 *
 * NOTE(review): in the fd form the daemon parses a file chosen by the
 * caller; the daemon should treat that input as untrusted (and, since it
 * receives an open descriptor, cannot rely on path-based permission
 * checks).  In the inline form the item's off/len fields are bounded by
 * new_len and must be checked like those of a dump reply.
 *
 * Upon return: new_len is 0; simply acknowledges successful insertion
 * of the requested item.  If insertion is not successful, ike_err_t is
 * returned instead with appropriate error value.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	new_len;
	uint64_t	new_align;	/* Padding for 64-bit alignment. */
	/*
	 * new_len - sizeof (ike_new_t) bytes included here, i.e. after
	 * new_align (the struct is 16 bytes), not between new_len and
	 * new_align.
	 */
} ike_new_t;


/*
 * IKE_SVC_DEL_{P1|RULE|PS}
 * Used to request and acknowledge the deletion of an individual table
 * item.
 *
 * Upon request: del_len is the total msg length (struct + id data);
 * del_idtype indicates the type of identification being used.
 *	IKE_SVC_DEL_P1:		ike_addr_pr_t or ike_cky_pr_t
 *	IKE_SVC_DEL_RULE:	char string (label)
 *	IKE_SVC_DEL_PS:		ike_addr_pr_t or pair of sadb_ident_t
 *
 * Upon return: acknowledges deletion of the requested item; del_len and
 * del_idtype are unspecified.  If deletion is not successful, ike_err_t
 * is returned instead with appropriate error value.
 *
 * Unlike ike_get_t/ike_dump_t this header has no uint64_t member; it is
 * 16 bytes anyway, so the id data still starts 64-bit aligned.  del_len
 * needs the same validation as get_len.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	del_len;
	uint32_t	del_idtype;
	uint32_t	del_reserved;
	/* del_len - sizeof (ike_del_t) bytes of data included here. */
} ike_del_t;


/*
 * IKE_SVC_READ_{RULES|PS}
 * Used to ask daemon to re-read particular configuration info.
 *
 * Upon request: rw_loc indicates where the info should be read from:
 * either from a user-supplied file descriptor(s), or from the default
 * location(s).  If rw_loc indicates user-supplied location, the file
 * descriptor(s) should be passed in the door_desc_t struct.  For the
 * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
 * first, one for the config file which contains the data to be read,
 * and second, one for the cookie file which will be written to as
 * in.iked process the config file.
 *
 * NOTE(review): with IKE_RW_LOC_USER_SPEC the daemon reads from, and
 * (cookie file, and all WRITE_* requests) writes to, descriptors the
 * caller opened.  The daemon should therefore check that the expected
 * number of descriptors was actually passed (IKE_ERR_NO_DESC otherwise)
 * and treat the config contents as untrusted; authorization of the
 * caller is what prevents a client from having the daemon write to a
 * file of the client's choosing.
 *
 * Upon return: rw_loc is unspecified; the message simply acknowledges
 * successful completion of the request.  If an error occurred,
 * ike_err_t is returned instead with appropriate error value.
 *
 *
 * IKE_SVC_WRITE_{RULES|PS}
 * Used to ask daemon to write its current config info to files.
 *
 * Request and return are handled the same as for the IKE_SVC_READ_*
 * cmds; however, the rw_loc MUST be a user-supplied location.  Also,
 * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
 * only a single fd, for the file to which the config info should be
 * written, should be passed in.  IKE_SVC_WRITE_PS writes preshared keys
 * in the clear to that descriptor, subject to the IKE_PRIV_* rules
 * above.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	rw_loc;		/* IKE_RW_LOC_* */
} ike_rw_t;


/*
 * IKE_SVC_FLUSH_P1S
 * IKE_SVC_FLUSH_CERTCACHE
 *
 * Used to request and acknowledge tear-down of all P1 SAs
 * or to flush the certificate cache.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_flush_t;


#ifndef PKCS11_TOKSIZE
#define	PKCS11_TOKSIZE	32
#endif
#define	MAX_PIN_LEN	256
/*
 * IKE_SVC_SET_PIN
 * IKE_SVC_DEL_PIN
 *
 * Used to supply a pin for a PKCS#11 token object.
 *
 * The PIN crosses the door in the clear in token_pin.  There is no
 * length field, so the PIN is presumably NUL-terminated within
 * MAX_PIN_LEN -- confirm; the receiver must bound the read either way.
 * Both sides should zeroize this structure as soon as the PIN has been
 * used (e.g. explicit_bzero/memset on the door buffer).  pkcs11_token
 * is the PKCS#11 token label and likewise must not be assumed
 * NUL-terminated within PKCS11_TOKSIZE.
 */
typedef struct {
	ike_svccmd_t	cmd;
	char		pkcs11_token[PKCS11_TOKSIZE];
	uchar_t		token_pin[MAX_PIN_LEN];
} ike_pin_t;

/*
 * IKE_SVC_ERROR
 * Used on return if server encountered an error while processing
 * the request.  An appropriate error code is included (as defined
 * in this header file); in the case of IKE_ERR_SYS_ERR, a value
 * from the UNIX errno space is included in the ike_err_unix field.
 * ike_err_unix is only meaningful when ike_err == IKE_ERR_SYS_ERR.
 */
typedef struct {
	ike_svccmd_t	cmd;		/* always IKE_SVC_ERROR */
	uint32_t	ike_err;	/* IKE_ERR_* */
	uint32_t	ike_err_unix;	/* errno, for IKE_ERR_SYS_ERR */
	uint32_t	ike_err_reserved;
} ike_err_t;

/*
 * Generic type for use when the request/reply type is unknown.
 * A receiver should read only this much until it has checked that the
 * message is at least sizeof (ike_cmd_t) and that cmd is in range.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_cmd_t;


/*
 * Union containing all possible request/return structures.
 *
 * NOTE(review): sizeof (ike_service_t) is the size of its largest member
 * (ike_pin_t), not of the message actually sent.  Before reading any
 * field beyond cmd, a receiver must verify that the door argument's
 * data_size is at least sizeof the member selected by cmd, and then
 * bound all trailing data by the embedded *_len field and data_size.
 */
typedef union {
	ike_cmd_t	svc_cmd;
	ike_dbg_t	svc_dbg;
	ike_priv_t	svc_priv;
	ike_statreq_t	svc_stats;
	ike_dump_t	svc_dump;
	ike_get_t	svc_get;
	ike_new_t	svc_new;
	ike_del_t	svc_del;
	ike_rw_t	svc_rw;
	ike_flush_t	svc_flush;
	ike_pin_t	svc_pin;
	ike_err_t	svc_err;
	ike_defreq_t	svc_defaults;
} ike_service_t;

#ifdef	__cplusplus
}
#endif

#endif	/* _IKEDOOR_H */