1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_IKEDOOR_H
27 #define	_IKEDOOR_H
28 
29 #ifdef	__cplusplus
30 extern "C" {
31 #endif
32 
33 #include <limits.h>
34 #include <sys/sysmacros.h>
35 #include <net/pfkeyv2.h>
36 #include <door.h>
37 
38 /*
39  * This version number is intended to stop the calling process from
40  * getting confused if a structure is changed and a mismatch occurs.
41  * This should be incremented each time a structure is changed.
42  */
43 #define	DOORVER 2
44 #define	DOORNM	"/var/run/ike_door"
45 
46 
/*
 * Door command codes.  Every request and reply structure in this header
 * begins with an ike_svccmd_t field named cmd; that value tells the
 * receiver which layout the rest of the message uses.  The enumerators
 * carry no explicit values, so inserting one in the middle renumbers
 * everything after it -- a layout change of the kind DOORVER (above)
 * is meant to catch.  The comment on each entry names the message
 * structure(s) documented further down for that command.
 */
typedef enum {
	IKE_SVC_GET_DBG,		/* ike_dbg_t: read debug bitmask */
	IKE_SVC_SET_DBG,		/* ike_dbg_t: set debug bitmask */

	IKE_SVC_GET_PRIV,		/* ike_priv_t: read privilege level */
	IKE_SVC_SET_PRIV,		/* ike_priv_t: lower privilege level */

	IKE_SVC_GET_STATS,		/* ike_statreq_t, reply adds ike_stats_t */

	IKE_SVC_GET_P1,			/* ike_get_t, reply data: ike_p1_sa_t */
	IKE_SVC_DEL_P1,			/* ike_del_t */
	IKE_SVC_DUMP_P1S,		/* ike_dump_t, entries: ike_p1_sa_t */
	IKE_SVC_FLUSH_P1S,		/* ike_flush_t */

	IKE_SVC_GET_RULE,		/* ike_get_t, reply data: ike_rule_t */
	IKE_SVC_NEW_RULE,		/* ike_new_t carrying an ike_rule_t */
	IKE_SVC_DEL_RULE,		/* ike_del_t */
	IKE_SVC_DUMP_RULES,		/* ike_dump_t, entries: ike_rule_t */
	IKE_SVC_READ_RULES,		/* ike_rw_t */
	IKE_SVC_WRITE_RULES,		/* ike_rw_t */

	IKE_SVC_GET_PS,			/* ike_get_t, reply data: ike_ps_t */
	IKE_SVC_NEW_PS,			/* ike_new_t carrying an ike_ps_t */
	IKE_SVC_DEL_PS,			/* ike_del_t */
	IKE_SVC_DUMP_PS,		/* ike_dump_t, entries: ike_ps_t */
	IKE_SVC_READ_PS,		/* ike_rw_t */
	IKE_SVC_WRITE_PS,		/* ike_rw_t */

	IKE_SVC_DBG_RBDUMP,		/* no message layout is documented here */

	IKE_SVC_GET_DEFS,		/* ike_defreq_t, reply adds ike_defaults_t */

	IKE_SVC_SET_PIN,		/* ike_pin_t */
	IKE_SVC_DEL_PIN,		/* ike_pin_t */

	IKE_SVC_DUMP_CERTCACHE,		/* ike_dump_t, entries: ike_certcache_t */
	IKE_SVC_FLUSH_CERTCACHE,	/* ike_flush_t */

	IKE_SVC_ERROR			/* ike_err_t reply; also IKE_SVC_MAX */
} ike_svccmd_t;
87 
88 /* DPD status */
89 
/*
 * Dead Peer Detection state of a Phase 1 SA, reported in
 * ike_p1_hdr_t.p1hdr_dpd_state.  Explicitly zero-based so that a
 * zeroed header reads as DPD_NOT_INITIATED.
 */
typedef enum dpd_status {
	DPD_NOT_INITIATED = 0,	/* no DPD exchange started for this SA */
	DPD_IN_PROGRESS,	/* DPD exchange outstanding */
	DPD_SUCCESSFUL,		/* peer answered */
	DPD_FAILURE		/* peer did not answer */
} dpd_status_t;
96 
97 #define	IKE_SVC_MAX	IKE_SVC_ERROR
98 
99 
100 /*
101  * Support structures/defines
102  */
103 
104 #define	IKEDOORROUNDUP(i)   P2ROUNDUP((i), sizeof (uint64_t))
105 
106 /*
107  * Debug categories.  The debug level is a bitmask made up of
108  * flags indicating the desired categories; only 31 bits are
109  * available, as the highest-order bit designates an invalid
110  * setting.
111  */
112 #define	D_INVALID	0x80000000
113 
114 #define	D_CERT		0x00000001	/* certificate management */
115 #define	D_KEY		0x00000002	/* key management */
116 #define	D_OP		0x00000004	/* operational: config, init, mem */
117 #define	D_P1		0x00000008	/* phase 1 negotiation */
118 #define	D_P2		0x00000010	/* phase 2 negotiation */
119 #define	D_PFKEY		0x00000020	/* pf key interface */
120 #define	D_POL		0x00000040	/* policy management */
121 #define	D_PROP		0x00000080	/* proposal construction */
122 #define	D_DOOR		0x00000100	/* door server */
123 #define	D_CONFIG	0x00000200	/* config file processing */
124 
125 #define	D_HIGHBIT	0x00000200
126 #define	D_ALL		0x000003ff
127 
128 /*
129  * Access privilege levels: define level of access to keying information.
 * The privileges granted at each level are a superset of the privileges
 * granted at all lower levels.
132  *
133  * The door operations which require special privileges are:
134  *
135  *	- receiving keying material for SAs and preshared key entries
136  *	  IKE_PRIV_KEYMAT must be set for this.
137  *
138  *	- get/dump/new/delete/read/write preshared keys
139  *	  IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
140  *	  If IKE_PRIV_MODKEYS is set, the information returned for a
141  *	  get/dump request will not include the actual key; in order
142  *	  to get the key itself, IKE_PRIV_KEYMAT must be set.
143  *
144  *	- modifying the privilege level: the daemon's privilege level
145  *	  is set when the daemon is started; the level may only be
146  *	  lowered via the door interface.
147  *
148  * All other operations are allowed at any privilege level.
149  */
150 #define	IKE_PRIV_MINIMUM	0
151 #define	IKE_PRIV_MODKEYS	1
152 #define	IKE_PRIV_KEYMAT		2
153 #define	IKE_PRIV_MAXIMUM	2
154 
155 /* global ike stats formatting structure */
/*
 * Global Phase 1 statistics.  Returned immediately after the
 * ike_statreq_t header in the reply to IKE_SVC_GET_STATS (see that
 * request below).  The init/resp prefixes presumably separate SAs this
 * daemon initiated from those it responded to -- confirm against
 * in.iked before relying on that reading.
 */
typedef struct {
	uint32_t	st_init_p1_current;
	uint32_t	st_resp_p1_current;
	uint32_t	st_init_p1_total;
	uint32_t	st_resp_p1_total;
	uint32_t	st_init_p1_attempts;
	uint32_t	st_resp_p1_attempts;
	uint32_t	st_init_p1_noresp;   /* failed; no response from peer */
	uint32_t	st_init_p1_respfail; /* failed, but peer responded */
	uint32_t	st_resp_p1_fail;
	uint32_t	st_reserved;		/* reserved; no meaning defined here */
	/*
	 * Name of the PKCS#11 library in use.  The type alone does not
	 * guarantee NUL termination within PATH_MAX; a consumer should
	 * bound its string operations on this field.
	 */
	char		st_pkcs11_libname[PATH_MAX];
} ike_stats_t;
169 
170 /* structure used to pass default values used by in.iked back to ikeadm */
/*
 * Default tunables used by in.iked, passed back to ikeadm in the reply
 * to IKE_SVC_GET_DEFS; that reply carries a pair of these (see
 * ike_defreq_t below).  The rule_ prefix appears to cover per-rule
 * defaults and sys_ system-wide values -- the naming suggests this,
 * the header does not state it.  Units are as the suffixes say
 * (_secs, _kb, _bytes); fields without a unit suffix are counts or
 * flags whose meaning is defined in the daemon, not here.
 */
typedef struct {
	uint32_t	rule_p1_lifetime_secs;
	uint32_t	rule_p1_minlife;
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	rule_p2_idletime_secs;
	uint32_t	sys_p2_lifetime_secs;
	uint32_t	sys_p2_softlife_secs;
	uint32_t	sys_p2_idletime_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint32_t	sys_p2_lifetime_bytes;
	uint32_t	sys_p2_softlife_bytes;
	uint32_t	rule_p2_minlife;
	uint32_t	rule_p2_def_minlife;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_minsoft;
	uint32_t	rule_max_certs;
	uint32_t	rule_ike_port;		/* UDP port for IKE */
	uint32_t	rule_natt_port;		/* UDP port for NAT traversal */
} ike_defaults_t;
194 
195 /* data formatting structures for P1 SA dumps */
/*
 * A pair of socket addresses.  As (loc_addr, rem_addr) it identifies a
 * Phase 1 SA (ike_p1_sa_t.p1sa_ipaddrs, and the id data for
 * IKE_SVC_GET_P1 / IKE_SVC_DEL_P1); through the beg_iprange /
 * end_iprange aliases the same storage holds an address range in the
 * ike_rule_t local/remote address lists.  The aliases are ordinary
 * #defines, so those two names are taken for the rest of any
 * translation unit that includes this header.
 */
typedef struct {
	struct sockaddr_storage	loc_addr;
	struct sockaddr_storage	rem_addr;
#define	beg_iprange	loc_addr
#define	end_iprange	rem_addr
} ike_addr_pr_t;
202 
/*
 * Cookie pair of a Phase 1 SA (the _i/_r suffixes presumably denote
 * initiator and responder).  Embedded in ike_p1_hdr_t and accepted as
 * the id data for IKE_SVC_GET_P1 / IKE_SVC_DEL_P1.
 */
typedef struct {
	uint64_t	cky_i;
	uint64_t	cky_r;
} ike_cky_pr_t;
207 
/*
 * Header portion of a Phase 1 SA dump entry (first member of
 * ike_p1_sa_t).  Note that p1hdr_dpd_time is a time_t, so the size and
 * alignment of this structure -- and of everything that follows it in
 * ike_p1_sa_t -- depend on the data model of the process on each end
 * of the door.
 */
typedef struct {
	ike_cky_pr_t	p1hdr_cookies;
	uint8_t		p1hdr_major;		/* protocol major version */
	uint8_t		p1hdr_minor;		/* protocol minor version */
	uint8_t		p1hdr_xchg;		/* exchange type: IKE_XCHG_* below */
	uint8_t		p1hdr_isinit;		/* nonzero if we initiated this SA */
	uint32_t	p1hdr_state;		/* IKE_SA_STATE_* below */
	boolean_t	p1hdr_support_dpd;	/* peer supports Dead Peer Detection */
	dpd_status_t	p1hdr_dpd_state;	/* see dpd_status_t */
	time_t		p1hdr_dpd_time;		/* timestamp of DPD activity; exact meaning is defined in the daemon */
} ike_p1_hdr_t;
219 
220 /* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
221 #define	IKE_XCHG_NONE			0
222 #define	IKE_XCHG_BASE			1
223 #define	IKE_XCHG_IDENTITY_PROTECT	2
224 #define	IKE_XCHG_AUTH_ONLY		3
225 #define	IKE_XCHG_AGGRESSIVE		4
226 /* following not from RFC; used only for preshared key definitions */
227 #define	IKE_XCHG_IP_AND_AGGR		240
228 /* also not from RFC; used as wildcard */
229 #define	IKE_XCHG_ANY			256
230 
231 /* values for p1hdr_state */
232 #define	IKE_SA_STATE_INVALID	0
233 #define	IKE_SA_STATE_INIT	1
234 #define	IKE_SA_STATE_SENT_SA	2
235 #define	IKE_SA_STATE_SENT_KE	3
236 #define	IKE_SA_STATE_SENT_LAST	4
237 #define	IKE_SA_STATE_DONE	5
238 #define	IKE_SA_STATE_DELETED	6
239 
/*
 * A Phase 1 transform: the algorithm suite and lifetime limits of a
 * Phase 1 SA (ike_p1_sa_t.p1sa_xform) or of one entry in an
 * ike_rule_t transform list.  The value-space #defines that follow
 * this structure apply to p1xf_dh_group, p1xf_auth_meth and p1xf_prf;
 * p1xf_encr_alg and p1xf_auth_alg use identifiers not defined in this
 * header.
 */
typedef struct {
	uint16_t	p1xf_dh_group;		/* IKE_GRP_DESC_* */
	uint16_t	p1xf_encr_alg;
	uint16_t	p1xf_encr_low_bits;	/* presumably min/max key size for */
	uint16_t	p1xf_encr_high_bits;	/* variable-length ciphers - confirm */
	uint16_t	p1xf_auth_alg;
	uint16_t	p1xf_auth_meth;		/* IKE_AUTH_METH_* */
	uint16_t	p1xf_prf;		/* IKE_PRF_* */
	uint16_t	p1xf_pfs;
	uint32_t	p1xf_max_secs;		/* lifetime limit, seconds */
	uint32_t	p1xf_max_kbytes;	/* lifetime limit, kilobytes */
	uint32_t	p1xf_max_keyuses;	/* lifetime limit, key uses */
} ike_p1_xform_t;
253 
254 /* values for p1xf_dh_group (aligned with RFC2409, Appendix A) */
255 #define	IKE_GRP_DESC_MODP_768	1
256 #define	IKE_GRP_DESC_MODP_1024	2
257 #define	IKE_GRP_DESC_EC2N_155	3
258 #define	IKE_GRP_DESC_EC2N_185	4
259 /* values for p1xf_dh_group (aligned with RFC3526) */
260 #define	IKE_GRP_DESC_MODP_1536	5
261 #define	IKE_GRP_DESC_MODP_2048	14
262 #define	IKE_GRP_DESC_MODP_3072	15
263 #define	IKE_GRP_DESC_MODP_4096	16
264 #define	IKE_GRP_DESC_MODP_6144	17
265 #define	IKE_GRP_DESC_MODP_8192	18
266 
267 /* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
268 #define	IKE_AUTH_METH_PRE_SHARED_KEY	1
269 #define	IKE_AUTH_METH_DSS_SIG		2
270 #define	IKE_AUTH_METH_RSA_SIG		3
271 #define	IKE_AUTH_METH_RSA_ENCR		4
272 #define	IKE_AUTH_METH_RSA_ENCR_REVISED	5
273 
274 /* values for p1xf_prf */
275 #define	IKE_PRF_NONE		0
276 #define	IKE_PRF_HMAC_MD5	1
277 #define	IKE_PRF_HMAC_SHA1	2
278 #define	IKE_PRF_HMAC_SHA256	5
279 #define	IKE_PRF_HMAC_SHA384	6
280 #define	IKE_PRF_HMAC_SHA512	7
281 
/*
 * Per-SA statistics for one Phase 1 SA.  Located inside an
 * ike_p1_sa_t message via p1sa_stat_off / p1sa_stat_len.
 */
typedef struct {
	/*
	 * NOTE: the new and del counters count the actual number of SAs,
	 * not the number of "suites", as defined in the ike monitoring
	 * mib draft; we do this because we don't have a good way of
	 * tracking the deletion of entire suites (we're notified of
	 * deleted qm sas individually).
	 */
	uint32_t	p1stat_new_qm_sas;	/* quick-mode SAs created under this P1 */
	uint32_t	p1stat_del_qm_sas;	/* quick-mode SAs deleted under this P1 */
	uint64_t	p1stat_start;		/* SA start time; units not defined here */
	uint32_t	p1stat_kbytes;		/* traffic protected so far, kilobytes */
	uint32_t	p1stat_keyuses;		/* key uses so far */
} ike_p1_stats_t;
296 
/*
 * Per-SA error counters for one Phase 1 SA.  Located inside an
 * ike_p1_sa_t message via p1sa_error_off / p1sa_error_len.
 */
typedef struct {
	uint32_t	p1err_decrypt;	/* received messages that failed decryption */
	uint32_t	p1err_hash;	/* received messages that failed hash/integrity check */
	uint32_t	p1err_otherrx;	/* other receive-side errors */
	uint32_t	p1err_tx;	/* transmit-side errors */
} ike_p1_errors_t;
303 
/*
 * One item of Phase 1 keying material.  A series of these, located by
 * ike_p1_sa_t.p1sa_key_off / p1sa_key_len, is returned only when the
 * daemon runs at IKE_PRIV_KEYMAT (see the privilege-level comment
 * above).  The payload is secret material: a consumer should clear
 * any buffer it copies it into once finished, and should check that
 * p1key_len (rounded up with IKEDOORROUNDUP) stays within the
 * enclosing p1sa_key_len before advancing to the next item.
 */
typedef struct {
	uint32_t	p1key_type;	/* IKE_KEY_* below */
	uint32_t	p1key_len;	/* total item length; see note below */
	/*
	 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
	 * 64-bit aligned (pad bytes are added at the end, if necessary,
	 * and NOT INCLUDED in the len value, which reflects the actual
	 * key size).
	 */
} ike_p1_key_t;
314 
315 /* key info types for ike_p1_key_t struct */
316 #define	IKE_KEY_PRESHARED	1
317 #define	IKE_KEY_SKEYID		2
318 #define	IKE_KEY_SKEYID_D	3
319 #define	IKE_KEY_SKEYID_A	4
320 #define	IKE_KEY_SKEYID_E	5
321 #define	IKE_KEY_ENCR		6
322 #define	IKE_KEY_IV		7
323 
/*
 * Phase 1 SA dump entry, returned as the data of IKE_SVC_GET_P1 and
 * IKE_SVC_DUMP_P1S.  The fixed part is followed by variable-length
 * sections located by (offset, length) pairs.  The header does not say
 * what the offsets are relative to (presumably the start of this
 * structure -- confirm against in.iked); whatever the base, a consumer
 * should verify that each off + len lies within the enclosing message
 * length (get_len / dump_len) before dereferencing, since the offsets
 * arrive across the door as data.
 */
typedef struct {
	ike_p1_hdr_t	p1sa_hdr;
	ike_p1_xform_t	p1sa_xform;
	ike_addr_pr_t	p1sa_ipaddrs;		/* (local, remote) endpoint addresses */
	uint16_t	p1sa_stat_off;		/* ike_p1_stats_t */
	uint16_t	p1sa_stat_len;
	uint16_t	p1sa_error_off;		/* ike_p1_errors_t */
	uint16_t	p1sa_error_len;
	uint16_t	p1sa_localid_off;	/* sadb_ident_t */
	uint16_t	p1sa_localid_len;
	uint16_t	p1sa_remoteid_off;	/* sadb_ident_t */
	uint16_t	p1sa_remoteid_len;
	uint16_t	p1sa_key_off;		/* series of ike_p1_key_t; needs IKE_PRIV_KEYMAT */
	uint16_t	p1sa_key_len;
	uint32_t	p1sa_reserved;
	/*
	 * variable-length structures will be included here, as
	 * indicated by offset/length fields.
	 * stats and errors will be formatted as ike_p1_stats_t and
	 * ike_p1_errors_t, respectively.
	 * key info will be formatted as a series of p1_key_t structs.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_p1_sa_t;
348 
349 
350 #define	MAX_LABEL_LEN	256
351 
352 
353 /* data formatting structure for policy (rule) dumps */
354 
/*
 * Policy rule dump entry, returned as the data of IKE_SVC_GET_RULE and
 * IKE_SVC_DUMP_RULES and supplied as the data of IKE_SVC_NEW_RULE.
 * The fixed part is followed by lists located by (count, offset)
 * pairs; element sizes are implied by the element type named in the
 * trailing comment.  As with ike_p1_sa_t, the offset base is not stated
 * here and a consumer should bounds-check each list against the
 * enclosing message length before walking it.
 */
typedef struct {
	/*
	 * Rule name.  The type does not guarantee a NUL within
	 * MAX_LABEL_LEN; bound string operations on this field.
	 */
	char		rule_label[MAX_LABEL_LEN];
	uint32_t	rule_kmcookie;		/* key-management cookie; meaning defined in the daemon */
	uint16_t	rule_ike_mode;		/* presumably IKE_XCHG_*, as for ps_ike_mode - confirm */
	uint16_t	rule_local_idtype;	/* SADB_IDENTTYPE_* value */
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	rule_p2_idletime_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint16_t	rule_xform_cnt;		/* ike_p1_xform_t list */
	uint16_t	rule_xform_off;
	uint16_t	rule_locip_cnt;		/* ike_addr_pr_t list (ranges) */
	uint16_t	rule_locip_off;
	uint16_t	rule_remip_cnt;		/* ike_addr_pr_t list (ranges) */
	uint16_t	rule_remip_off;
	uint16_t	rule_locid_inclcnt;	/* included local id strings */
	uint16_t	rule_locid_exclcnt;	/* excluded local id strings */
	uint16_t	rule_locid_off;
	uint16_t	rule_remid_inclcnt;	/* included remote id strings */
	uint16_t	rule_remid_exclcnt;	/* excluded remote id strings */
	uint16_t	rule_remid_off;
	/*
	 * Followed by several lists of variable-length structures, described
	 * by counts and offsets:
	 *	transforms			ike_p1_xform_t structs
	 *	ranges of local ip addrs	ike_addr_pr_t structs
	 *	ranges of remote ip addrs	ike_addr_pr_t structs
	 *	local identification strings	null-terminated ascii strings
	 *	remote identification strings	null-terminated ascii strings
	 */
} ike_rule_t;
390 
391 
392 /*
393  * data formatting structure for preshared keys
394  * ps_ike_mode field uses the IKE_XCHG_* defs
395  */
/*
 * Preshared key entry, returned as the data of IKE_SVC_GET_PS and
 * IKE_SVC_DUMP_PS and supplied as the data of IKE_SVC_NEW_PS.  Per the
 * privilege-level comment above, get/dump replies include the key
 * bytes only when the daemon runs at IKE_PRIV_KEYMAT; at
 * IKE_PRIV_MODKEYS the entry comes back without them.  A consumer
 * holding a copy that does contain the key should clear it when done,
 * and should bounds-check every off/len pair against the enclosing
 * message length before use.
 */
typedef struct {
	ike_addr_pr_t	ps_ipaddrs;		/* (local, remote) addresses this key applies to */
	uint16_t	ps_ike_mode;		/* IKE_XCHG_* */
	uint16_t	ps_localid_off;		/* sadb_ident_t */
	uint16_t	ps_localid_len;
	uint16_t	ps_remoteid_off;	/* sadb_ident_t */
	uint16_t	ps_remoteid_len;
	uint16_t	ps_key_off;		/* raw key bytes */
	uint16_t	ps_key_len;		/* length of the key bytes that follow */
	uint16_t	ps_key_bits;		/* presumably key length in bits; may differ from 8 * ps_key_len - confirm */
	/*
	 * followed by variable-length structures, as indicated by
	 * offset/length fields.
	 * key info will be formatted as an array of bytes.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_ps_t;
413 
414 #define	DN_MAX			1024
415 #define	CERT_OFF_WIRE		-1
416 #define	CERT_NO_PRIVKEY		0
417 #define	CERT_PRIVKEY_LOCKED	1
418 #define	CERT_PRIVKEY_AVAIL	2
419 
420 /*
421  * data formatting structure for cached certs
422  */
/*
 * Certificate cache dump entry, returned as the data of
 * IKE_SVC_DUMP_CERTCACHE.  The member named `class' is a C++ keyword,
 * so despite the extern "C" wrapper this header cannot be included
 * from C++ as written; renaming it would change the interface, so it
 * is only noted here.
 */
typedef struct {
	uint32_t	cache_id;	/* cache slot identifier */
	uint32_t	class;		/* certificate class; values not defined in this header */
	int		linkage;	/* private-key linkage: CERT_OFF_WIRE / CERT_*PRIVKEY* above, by the look of the names - confirm */
	/*
	 * Subject and issuer distinguished names.  The type does not
	 * guarantee a NUL within DN_MAX; bound string operations on them.
	 */
	char		subject[DN_MAX];
	char		issuer[DN_MAX];
} ike_certcache_t;
430 
431 /* identification types */
432 #define	IKE_ID_IDENT_PAIR	1
433 #define	IKE_ID_ADDR_PAIR	2
434 #define	IKE_ID_CKY_PAIR		3
435 #define	IKE_ID_LABEL		4
436 
437 
438 /* locations for read/write requests */
439 #define	IKE_RW_LOC_DEFAULT	1
440 #define	IKE_RW_LOC_USER_SPEC	2
441 
442 
443 /* door interface error codes */
444 #define	IKE_ERR_NO_OBJ		1	/* nothing found to match the request */
445 #define	IKE_ERR_NO_DESC		2	/* fd was required with this request */
446 #define	IKE_ERR_ID_INVALID	3	/* invalid id info was provided */
447 #define	IKE_ERR_LOC_INVALID	4	/* invalid location info was provided */
448 #define	IKE_ERR_CMD_INVALID	5	/* invalid command was provided */
449 #define	IKE_ERR_DATA_INVALID	6	/* invalid data was provided */
450 #define	IKE_ERR_CMD_NOTSUP	7	/* unsupported command */
451 #define	IKE_ERR_REQ_INVALID	8	/* badly formatted request */
452 #define	IKE_ERR_NO_PRIV		9	/* privilege level not high enough */
453 #define	IKE_ERR_SYS_ERR		10	/* syserr occurred while processing */
454 #define	IKE_ERR_DUP_IGNORED	11	/* attempt to add a duplicate entry */
455 #define	IKE_ERR_NO_TOKEN	12	/* cannot login into pkcs#11 token */
456 #define	IKE_ERR_NO_AUTH		13	/* not authorized */
457 #define	IKE_ERR_IN_PROGRESS	14	/* operation already in progress */
458 #define	IKE_ERR_NO_MEM		15	/* insufficient memory */
459 
460 
461 /*
462  * IKE_SVC_GET_DBG
463  * Used to request the current debug level.
464  *
465  * Upon request, dbg_level is 0 (don't care).
466  *
467  * Upon return, dbg_level contains the current value.
468  *
469  *
470  * IKE_SVC_SET_DBG
471  * Used to request modification of the debug level.
472  *
473  * Upon request, dbg_level contains desired level.  If debug output is
474  * to be directed to a different file, the fd should be passed in the
475  * door_desc_t field of the door_arg_t param.  NOTE: if the daemon is
476  * currently running in the background with no debug set, an output
477  * file MUST be given.
478  *
479  * Upon return, dbg_level contains the old debug level, and acknowledges
480  * successful completion of the request.  If an error is encountered,
481  * ike_err_t is returned instead, with appropriate error value and cmd
482  * IKE_SVC_ERROR.
483  */
/* Request/reply body for IKE_SVC_GET_DBG and IKE_SVC_SET_DBG; see above. */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dbg_level;	/* bitmask of D_* categories; D_INVALID marks a bad value */
} ike_dbg_t;
488 
489 /*
490  * IKE_SVC_GET_PRIV
491  * Used to request the current privilege level.
492  *
493  * Upon request, priv_level is 0 (don't care).
494  *
495  * Upon return, priv_level contains the current value.
496  *
497  *
498  * IKE_SVC_SET_PRIV
499  * Used to request modification of the privilege level.
500  *
501  * Upon request, priv_level contains the desired level.  The level may
502  * only be lowered via the door interface; it cannot be raised.  Thus,
503  * if in.iked is started at the lowest level, it cannot be changed.
504  *
505  * Upon return, priv_level contains the old privilege level, and
506  * acknowledges successful completion of the request.  If an error is
507  * encountered, ike_err_t is returned instead, with appropriate error
508  * value and cmd IKE_SVC_ERROR.
509  */
/*
 * Request/reply body for IKE_SVC_GET_PRIV and IKE_SVC_SET_PRIV; see
 * above.  A set request may only lower the level, never raise it.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	priv_level;	/* IKE_PRIV_MINIMUM .. IKE_PRIV_MAXIMUM */
} ike_priv_t;
514 
515 
516 /*
517  * IKE_SVC_GET_STATS
518  * Used to request current statistics on Phase 1 SA creation and
519  * failures.  The statistics represent all activity in in.iked.
520  *
521  * Upon request, cmd is set, and stat_len does not matter.
522  *
523  * Upon successful return, stat_len contains the total size of the
524  * returned buffer, which contains first the ike_statreq_t struct,
525  * followed by the stat data in the ike_stats_t structure. In case
526  * of an error in processing the request, ike_err_t is returned with
527  * IKE_SVC_ERROR command and appropriate error code.
528  */
/*
 * Request/reply header for IKE_SVC_GET_STATS; see above.  On return the
 * ike_stats_t data follows this header, and stat_len covers both.  A
 * consumer should check stat_len >= sizeof (ike_statreq_t) +
 * sizeof (ike_stats_t) before reading the statistics.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	stat_len;	/* total reply size: header + ike_stats_t */
} ike_statreq_t;
533 
534 /*
535  * IKE_SVC_GET_DEFS
536  * Used to request default values from in.iked.
537  *
538  * Upon request, cmd is set, and stat_len does not matter.
539  *
 * Upon successful return, stat_len contains the total size of the
 * returned buffer, which contains a pair of ike_defaults_t structures.
542  */
/*
 * Request/reply header for IKE_SVC_GET_DEFS; see above.  The comment
 * above does not describe the version member; it is presumably set to
 * DOORVER so a mismatched ike_defaults_t layout can be detected --
 * confirm against in.iked and ikeadm.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	stat_len;	/* total reply size: header + two ike_defaults_t */
	uint32_t	version;	/* see note above */
} ike_defreq_t;
548 
549 /*
550  * IKE_SVC_DUMP_{P1S|RULES|PS|CERTCACHE}
551  * Used to request a table dump, and to return info for a single table
552  * item.  The expectation is that all of the table data will be passed
553  * through the door, one entry at a time; an individual request must be
554  * sent for each entry, however (the door server can't send unrequested
555  * data).
556  *
557  * Upon request: cmd is set, and dump_next contains the item number
558  * requested (0 for first request).  dump_len is 0; no data follows.
559  *
560  * Upon return: cmd is set, and dump_next contains the item number of
561  * the *next* item in the table (to be used in the subsequent request).
562  * dump_next = 0 indicates that this is the last item in the table.
563  * dump_len is the total length (data + struct) returned.  Data is
564  * formatted as indicated by the cmd type:
565  *   IKE_SVC_DUMP_P1S:		ike_p1_sa_t
566  *   IKE_SVC_DUMP_RULES:	ike_rule_t
567  *   IKE_SVC_DUMP_PS:		ike_ps_t
568  *   IKE_SVC_DUMP_CERTCACHE:	ike_certcache_t
569  */
/*
 * Request/reply header for the IKE_SVC_DUMP_* commands; see above.
 * The union with a uint64_t forces the header to 8-byte alignment so
 * the entry that follows it is 64-bit aligned.  dump_next and
 * dump_reserved are ordinary #defines, so those names are taken for
 * the rest of any translation unit including this header.  A consumer
 * should check dump_len >= sizeof (ike_dump_t) plus the size of the
 * expected entry type before reading the entry.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dump_len;	/* total reply size: header + entry */
	union {
		struct {
			uint32_t	dump_unext;	/* next item number; 0 = last item */
			uint32_t	dump_ureserved;
		} dump_actual;
		uint64_t dump_alignment;	/* never read; exists for alignment */
	} dump_u;
#define	dump_next dump_u.dump_actual.dump_unext
#define	dump_reserved dump_u.dump_actual.dump_ureserved
	/* dump_len - sizeof (ike_dump_t) bytes of data included here */
} ike_dump_t;
584 
585 
586 /*
587  * IKE_SVC_GET_{P1|RULE|PS}
588  * Used to request and return individual table items.
589  *
590  * Upon request: get_len is the total msg length (struct + id data);
591  * get_idtype indicates the type of identification being used.
592  *   IKE_SVC_GET_P1:		ike_addr_pr_t or ike_cky_pr_t
593  *   IKE_SVC_GET_RULE:		char string (label)
594  *   IKE_SVC_GET_PS:		ike_addr_pr_t or pair of sadb_ident_t
595  *
596  * Upon return: get_len is the total size (struct + data), get_idtype
597  * is unused, and the data that follows is formatted according to cmd:
598  *   IKE_SVC_GET_P1:		ike_p1_sa_t
599  *   IKE_SVC_GET_RULE:		ike_rule_t
600  *   IKE_SVC_GET_PS:		ike_ps_t
601  */
/*
 * Request/reply header for the IKE_SVC_GET_* commands; see above.
 * Same layout idea as ike_dump_t: the union with a uint64_t keeps the
 * trailing data 64-bit aligned, and get_idtype / get_reserved are
 * #define aliases that occupy those names file-wide.  On return a
 * consumer should check get_len >= sizeof (ike_get_t) plus the size of
 * the expected item type before reading the data.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	get_len;	/* total message size: header + id data or item */
	union {
		struct {
			uint32_t	getu_idtype;	/* IKE_ID_* on request; unused on reply */
			uint32_t	getu_reserved;
		} get_actual;
		uint64_t get_alignment;		/* never read; exists for alignment */
	} get_u;
#define	get_idtype get_u.get_actual.getu_idtype
#define	get_reserved get_u.get_actual.getu_reserved
	/* get_len - sizeof (ike_get_t) bytes of data included here */
} ike_get_t;
616 
617 
618 /*
619  * IKE_SVC_NEW_{RULE|PS}
620  * Used to request and acknowledge insertion of a table item.
621  *
622  * Upon request: new_len is the total (data + struct) size passed, or 0.
623  * new_len = 0 => a door_desc_t is also included with a file descriptor
624  * for a file containing the data to be added.  The file should include
625  * a single item: a rule, or a pre-shared key.  For new_len != 0, the
626  * data is formatted according to the cmd type:
627  *   IKE_SVC_NEW_RULE:		ike_rule_t
628  *   IKE_SVC_NEW_PS:		ike_ps_t
629  *
630  * Upon return: new_len is 0; simply acknowledges successful insertion
631  * of the requested item.  If insertion is not successful, ike_err_t is
632  * returned instead with appropriate error value.
633  */
/*
 * Request/reply header for IKE_SVC_NEW_RULE and IKE_SVC_NEW_PS; see
 * above.  The item data follows the whole structure, after new_align;
 * the position of the "bytes included here" comment does not mean the
 * data sits between new_len and new_align.  new_len == 0 means the
 * item is supplied through a file descriptor instead.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	new_len;	/* total size (header + item), or 0 for fd-supplied */
	/* new_len - sizeof (ike_new_t) bytes included here */
	uint64_t	new_align;	/* Padding for 64-bit alignment. */
} ike_new_t;
640 
641 
642 /*
643  * IKE_SVC_DEL_{P1|RULE|PS}
644  * Used to request and acknowledge the deletion of an individual table
645  * item.
646  *
647  * Upon request: del_len is the total msg length (struct + id data);
648  * del_idtype indicates the type of identification being used.
649  *   IKE_SVC_DEL_P1:		ike_addr_pr_t or ike_cky_pr_t
650  *   IKE_SVC_DEL_RULE:		char string (label)
651  *   IKE_SVC_DEL_PS:		ike_addr_pr_t or pair of sadb_ident_t
652  *
653  * Upon return: acknowledges deletion of the requested item; del_len and
654  * del_idtype are unspecified.  If deletion is not successful, ike_err_t
655  * is returned instead with appropriate error value.
656  */
/*
 * Request/reply header for the IKE_SVC_DEL_* commands; see above.
 * Unlike ike_get_t this uses plain fields rather than a union, but the
 * four 32-bit members still total 16 bytes, so the trailing id data
 * starts at an 8-byte boundary.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	del_len;	/* total message size: header + id data */
	uint32_t	del_idtype;	/* IKE_ID_* */
	uint32_t	del_reserved;
	/* del_len - sizeof (ike_del_t) bytes of data included here. */
} ike_del_t;
664 
665 
666 /*
667  * IKE_SVC_READ_{RULES|PS}
668  * Used to ask daemon to re-read particular configuration info.
669  *
670  * Upon request: rw_loc indicates where the info should be read from:
671  * either from a user-supplied file descriptor(s), or from the default
672  * location(s).  If rw_loc indicates user-supplied location, the file
673  * descriptor(s) should be passed in the door_desc_t struct.  For the
674  * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
675  * first, one for the config file which contains the data to be read,
676  * and second, one for the cookie file which will be written to as
 * in.iked processes the config file.
678  *
679  * Upon return: rw_loc is unspecified; the message simply acknowledges
680  * successful completion of the request.  If an error occurred,
681  * ike_err_t is returned instead with appropriate error value.
682  *
683  *
684  * IKE_SVC_WRITE_{RULES|PS}
685  * Used to ask daemon to write its current config info to files.
686  *
687  * Request and return are handled the same as for the IKE_SVC_READ_*
688  * cmds; however, the rw_loc MUST be a user-supplied location.  Also,
689  * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
690  * only a single fd, for the file to which the config info should be
691  * written, should be passed in.
692  */
/*
 * Request/reply body for IKE_SVC_READ_* and IKE_SVC_WRITE_*; see above.
 * When rw_loc is IKE_RW_LOC_USER_SPEC the file descriptor(s) travel in
 * the door_desc_t of the call, not in this structure.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	rw_loc;		/* IKE_RW_LOC_DEFAULT or IKE_RW_LOC_USER_SPEC */
} ike_rw_t;
697 
698 
699 /*
700  * IKE_SVC_FLUSH_P1S
701  * IKE_SVC_FLUSH_CERTCACHE
702  *
703  * Used to request and acknowledge tear-down of all P1 SAs
704  * or to flush the certificate cache.
705  */
/*
 * Request/reply body for IKE_SVC_FLUSH_P1S and IKE_SVC_FLUSH_CERTCACHE;
 * the command code is the whole message.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_flush_t;
709 
710 
711 #ifndef PKCS11_TOKSIZE
712 #define	PKCS11_TOKSIZE 32
713 #endif
714 #define	MAX_PIN_LEN 256
715 /*
716  * IKE_SVC_SET_PIN
717  * IKE_SVC_DEL_PIN
718  *
 * Used to supply a PIN for a PKCS#11 token object.
720  *
721  */
/*
 * Request body for IKE_SVC_SET_PIN and IKE_SVC_DEL_PIN.  token_pin
 * carries a secret across the door: both the client that fills it and
 * the daemon that consumes it should clear the buffer once finished
 * (a plain memset before free may be optimized away; use a
 * non-elidable clear).  Whether the PIN is NUL-terminated or
 * length-delimited is not stated here -- confirm against in.iked.
 */
typedef struct {
	ike_svccmd_t	cmd;
	/*
	 * PKCS#11 token label.  PKCS#11 labels are fixed-size and
	 * blank-padded rather than NUL-terminated; confirm how this
	 * field is filled before treating it as a C string.
	 */
	char pkcs11_token[PKCS11_TOKSIZE];
	uchar_t token_pin[MAX_PIN_LEN];	/* secret; see note above */
} ike_pin_t;
727 
728 /*
729  * IKE_SVC_ERROR
730  * Used on return if server encountered an error while processing
731  * the request.  An appropriate error code is included (as defined
732  * in this header file); in the case of IKE_ERR_SYS_ERR, a value
733  * from the UNIX errno space is included in the ike_err_unix field.
734  */
/*
 * Error reply; cmd is IKE_SVC_ERROR.  Any request may come back as
 * this structure instead of its own reply type, so a client should
 * check cmd before interpreting the rest of a reply.
 */
typedef struct {
	ike_svccmd_t	cmd;		/* always IKE_SVC_ERROR */
	uint32_t	ike_err;	/* IKE_ERR_* above */
	uint32_t	ike_err_unix;	/* errno value; meaningful only for IKE_ERR_SYS_ERR */
	uint32_t	ike_err_reserved;
} ike_err_t;
741 
742 /*
743  * Generic type for use when the request/reply type is unknown
744  */
/*
 * Generic type for use when the request/reply type is unknown.
 * Every other message type starts with the same ike_svccmd_t, so a
 * receiver can read the cmd through this view and then switch to the
 * matching member of ike_service_t.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_cmd_t;
748 
749 
750 /*
751  * Union containing all possible request/return structures.
752  */
/*
 * Union containing all possible request/return structures.
 * Its size is that of the largest member, currently ike_pin_t; a
 * buffer sized for this union that has carried an ike_pin_t should be
 * cleared before reuse, since the PIN bytes otherwise remain in it.
 */
typedef union {
	ike_cmd_t	svc_cmd;	/* cmd-only view; valid for every message */
	ike_dbg_t	svc_dbg;
	ike_priv_t	svc_priv;
	ike_statreq_t	svc_stats;
	ike_dump_t	svc_dump;
	ike_get_t	svc_get;
	ike_new_t	svc_new;
	ike_del_t	svc_del;
	ike_rw_t	svc_rw;
	ike_flush_t	svc_flush;
	ike_pin_t	svc_pin;
	ike_err_t	svc_err;
	ike_defreq_t	svc_defaults;
} ike_service_t;
768 
769 #ifdef	__cplusplus
770 }
771 #endif
772 
773 #endif	/* _IKEDOOR_H */
774