/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * ikedoor.h: the request/reply message formats exchanged over the IKE
 * daemon's door (DOORNM) between the IKE process and door consumers such
 * as ikeadm.  Every structure here is part of a cross-process ABI; field
 * order, types and padding must not change without bumping DOORVER.
 */

#ifndef	_IKEDOOR_H
#define	_IKEDOOR_H

#ifdef	__cplusplus
extern "C" {
#endif

#include <limits.h>
#include <sys/sysmacros.h>
#include <net/pfkeyv2.h>
#include <door.h>

/*
 * This version number is intended to stop the calling process from
 * getting confused if a structure is changed and a mismatch occurs.
 * This should be incremented each time a structure is changed.
 */

/*
 * The IKE process may be a 64-bit process, but ikeadm or any other IKE
 * door consumer does not have to be.  We need to be strict ala. PF_KEY or
 * any on-the-wire-protocol with respect to structure fields offsets and
 * alignment.  Please make sure all structures are the same size on both
 * 64-bit and 32-bit execution environments (or even other ones), and that
 * apart from trivial 4-byte enums or base headers, that all structures are
 * multiples of 8-bytes (64-bits).
 */
#define	DOORVER	3
#define	DOORNM	"/var/run/ike_door"


/*
 * Door service commands.  Each request/reply structure below begins with
 * one of these values in its cmd field, so a consumer can always read
 * ike_cmd_t first to find out which structure it is looking at.
 */
typedef enum {
	IKE_SVC_GET_DBG,
	IKE_SVC_SET_DBG,

	IKE_SVC_GET_PRIV,
	IKE_SVC_SET_PRIV,

	IKE_SVC_GET_STATS,

	IKE_SVC_GET_P1,
	IKE_SVC_DEL_P1,
	IKE_SVC_DUMP_P1S,
	IKE_SVC_FLUSH_P1S,

	IKE_SVC_GET_RULE,
	IKE_SVC_NEW_RULE,
	IKE_SVC_DEL_RULE,
	IKE_SVC_DUMP_RULES,
	IKE_SVC_READ_RULES,
	IKE_SVC_WRITE_RULES,

	IKE_SVC_GET_PS,
	IKE_SVC_NEW_PS,
	IKE_SVC_DEL_PS,
	IKE_SVC_DUMP_PS,
	IKE_SVC_READ_PS,
	IKE_SVC_WRITE_PS,

	IKE_SVC_DBG_RBDUMP,

	IKE_SVC_GET_DEFS,

	IKE_SVC_SET_PIN,
	IKE_SVC_DEL_PIN,

	IKE_SVC_DUMP_CERTCACHE,
	IKE_SVC_FLUSH_CERTCACHE,

	/* Must stay last: IKE_SVC_MAX is defined as this value. */
	IKE_SVC_ERROR
} ike_svccmd_t;

/* DPD (dead peer detection) status, reported in ike_p1_hdr_t */

typedef enum dpd_status {
	DPD_NOT_INITIATED = 0,
	DPD_IN_PROGRESS,
	DPD_SUCCESSFUL,
	DPD_FAILURE
} dpd_status_t;

/* Highest valid command value; anything above it is not a door command. */
#define	IKE_SVC_MAX	IKE_SVC_ERROR


/*
 * Support structures/defines
 */

/* Round a byte count up to the next multiple of 8 (64-bit alignment). */
#define	IKEDOORROUNDUP(i)   P2ROUNDUP((i), sizeof (uint64_t))

/*
 * Debug categories.  The debug level is a bitmask made up of
 * flags indicating the desired categories; only 31 bits are
 * available, as the highest-order bit designates an invalid
 * setting.
 */
#define	D_INVALID	0x80000000

#define	D_CERT		0x00000001	/* certificate management */
#define	D_KEY		0x00000002	/* key management */
#define	D_OP		0x00000004	/* operational: config, init, mem */
#define	D_P1		0x00000008	/* phase 1 negotiation */
#define	D_P2		0x00000010	/* phase 2 negotiation */
#define	D_PFKEY		0x00000020	/* pf key interface */
#define	D_POL		0x00000040	/* policy management */
#define	D_PROP		0x00000080	/* proposal construction */
#define	D_DOOR		0x00000100	/* door server */
#define	D_CONFIG	0x00000200	/* config file processing */
#define	D_LABEL		0x00000400	/* MAC labels */

/*
 * D_HIGHBIT is the highest category bit currently defined (D_LABEL) and
 * D_ALL is every category bit from D_CERT up to D_HIGHBIT.  Both must be
 * updated together whenever a new D_* category is added above.
 */
#define	D_HIGHBIT	0x00000400
#define	D_ALL		0x000007ff

/*
 * Access privilege levels: define level of access to keying information.
 * The privileges granted at each level are a superset of the privileges
 * granted at all lower levels.
 *
 * The door operations which require special privileges are:
 *
 * - receiving keying material for SAs and preshared key entries
 *   IKE_PRIV_KEYMAT must be set for this.
 *
 * - get/dump/new/delete/read/write preshared keys
 *   IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
 *   If IKE_PRIV_MODKEYS is set, the information returned for a
 *   get/dump request will not include the actual key; in order
 *   to get the key itself, IKE_PRIV_KEYMAT must be set.
 *
 * - modifying the privilege level: the daemon's privilege level
 *   is set when the daemon is started; the level may only be
 *   lowered via the door interface.
 *
 * All other operations are allowed at any privilege level.
 */
#define	IKE_PRIV_MINIMUM	0
#define	IKE_PRIV_MODKEYS	1
#define	IKE_PRIV_KEYMAT		2
#define	IKE_PRIV_MAXIMUM	2

/* global ike stats formatting structure (returned by IKE_SVC_GET_STATS) */
typedef struct {
	uint32_t	st_init_p1_current;	/* P1 SAs we initiated, now live */
	uint32_t	st_resp_p1_current;	/* P1 SAs peer initiated, now live */
	uint32_t	st_init_p1_total;
	uint32_t	st_resp_p1_total;
	uint32_t	st_init_p1_attempts;
	uint32_t	st_resp_p1_attempts;
	uint32_t	st_init_p1_noresp;	/* failed; no response from peer */
	uint32_t	st_init_p1_respfail;	/* failed, but peer responded */
	uint32_t	st_resp_p1_fail;
	uint32_t	st_reserved;		/* keeps the char array 8-aligned */
	char		st_pkcs11_libname[PATH_MAX];
} ike_stats_t;

/*
 * structure used to pass default values used by in.iked back to ikeadm
 *
 * NOTE(review): this struct is 29 uint32_t fields (116 bytes).  That size
 * is the same on 32- and 64-bit, but it is not a multiple of 8, so
 * defaults_reserved alone does not give the 64-bit multiple the header
 * comment at the top asks for -- confirm whether that matters for the
 * "pair of ike_defaults_t's" returned by IKE_SVC_GET_DEFS.
 */
typedef struct {
	uint32_t	rule_p1_lifetime_secs;
	uint32_t	rule_p1_minlife;
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	rule_p2_idletime_secs;
	uint32_t	sys_p2_lifetime_secs;
	uint32_t	sys_p2_softlife_secs;
	uint32_t	sys_p2_idletime_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint32_t	sys_p2_lifetime_bytes;
	uint32_t	sys_p2_softlife_bytes;
	uint32_t	rule_p2_minlife_hard_secs;
	uint32_t	rule_p2_minlife_soft_secs;
	uint32_t	rule_p2_minlife_idle_secs;
	uint32_t	rule_p2_minlife_hard_kb;
	uint32_t	rule_p2_minlife_soft_kb;
	uint32_t	rule_p2_maxlife_secs;
	uint32_t	rule_p2_maxlife_kb;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_mindiff_secs;
	uint32_t	rule_p2_mindiff_kb;
	uint32_t	conversion_factor;	/* for secs to kbytes */
	uint32_t	rule_max_certs;
	uint32_t	rule_ike_port;
	uint32_t	rule_natt_port;
	uint32_t	defaults_reserved;	/* For 64-bit alignment. */
} ike_defaults_t;

/* data formatting structures for P1 SA dumps */

/*
 * A local/remote address pair.  The same layout doubles as an address
 * range (beg_iprange/end_iprange) inside ike_rule_t lists.
 */
typedef struct {
	struct sockaddr_storage	loc_addr;
	struct sockaddr_storage	rem_addr;
#define	beg_iprange	loc_addr
#define	end_iprange	rem_addr
} ike_addr_pr_t;

/* ISAKMP initiator/responder cookie pair identifying a P1 SA */
typedef struct {
	uint64_t	cky_i;
	uint64_t	cky_r;
} ike_cky_pr_t;

typedef struct {
	ike_cky_pr_t	p1hdr_cookies;
	uint8_t		p1hdr_major;
	uint8_t		p1hdr_minor;
	uint8_t		p1hdr_xchg;	/* IKE_XCHG_* value; see note there */
	uint8_t		p1hdr_isinit;	/* non-zero if we were the initiator */
	uint32_t	p1hdr_state;	/* IKE_SA_STATE_* value */
	boolean_t	p1hdr_support_dpd;
	dpd_status_t	p1hdr_dpd_state;
	uint64_t	p1hdr_dpd_time;
} ike_p1_hdr_t;

/* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
#define	IKE_XCHG_NONE			0
#define	IKE_XCHG_BASE			1
#define	IKE_XCHG_IDENTITY_PROTECT	2
#define	IKE_XCHG_AUTH_ONLY		3
#define	IKE_XCHG_AGGRESSIVE		4
/* following not from RFC; used only for preshared key definitions */
#define	IKE_XCHG_IP_AND_AGGR		240
/*
 * also not from RFC; used as wildcard
 *
 * NOTE(review): 256 does not fit in the uint8_t p1hdr_xchg field; it is
 * only representable in the uint16_t ps_ike_mode field of ike_ps_t, which
 * is where the wildcard is presumably meant to be used -- confirm.
 */
#define	IKE_XCHG_ANY			256

/* values for p1hdr_state */
#define	IKE_SA_STATE_INVALID	0
#define	IKE_SA_STATE_INIT	1
#define	IKE_SA_STATE_SENT_SA	2
#define	IKE_SA_STATE_SENT_KE	3
#define	IKE_SA_STATE_SENT_LAST	4
#define	IKE_SA_STATE_DONE	5
#define	IKE_SA_STATE_DELETED	6

/* A single phase 1 transform (proposal), as negotiated or as configured. */
typedef struct {
	uint16_t	p1xf_dh_group;		/* IKE_GRP_DESC_* value */
	uint16_t	p1xf_encr_alg;
	uint16_t	p1xf_encr_low_bits;	/* key-size range for encr_alg */
	uint16_t	p1xf_encr_high_bits;
	uint16_t	p1xf_auth_alg;
	uint16_t	p1xf_auth_meth;		/* IKE_AUTH_METH_* value */
	uint16_t	p1xf_prf;		/* IKE_PRF_* value */
	uint16_t	p1xf_pfs;
	uint32_t	p1xf_max_secs;
	uint32_t	p1xf_max_kbytes;
	uint32_t	p1xf_max_keyuses;
	uint32_t	p1xf_reserved;		/* Alignment to 64-bit. */
} ike_p1_xform_t;

/* values for p1xf_dh_group (aligned with RFC2409, Appendix A) */
#define	IKE_GRP_DESC_MODP_768	1
#define	IKE_GRP_DESC_MODP_1024	2
#define	IKE_GRP_DESC_EC2N_155	3
#define	IKE_GRP_DESC_EC2N_185	4
/* values for p1xf_dh_group (aligned with RFC3526) */
#define	IKE_GRP_DESC_MODP_1536	5
#define	IKE_GRP_DESC_MODP_2048	14
#define	IKE_GRP_DESC_MODP_3072	15
#define	IKE_GRP_DESC_MODP_4096	16
#define	IKE_GRP_DESC_MODP_6144	17
#define	IKE_GRP_DESC_MODP_8192	18
#define	IKE_GRP_DESC_ECP_256	19
#define	IKE_GRP_DESC_ECP_384	20
#define	IKE_GRP_DESC_ECP_521	21
/* values for p1xf_dh_group (aligned with RFC5114) */
#define	IKE_GRP_DESC_MODP_1024_160	22
#define	IKE_GRP_DESC_MODP_2048_224	23
#define	IKE_GRP_DESC_MODP_2048_256	24
#define	IKE_GRP_DESC_ECP_192	25
#define	IKE_GRP_DESC_ECP_224	26

/* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
#define	IKE_AUTH_METH_PRE_SHARED_KEY	1
#define	IKE_AUTH_METH_DSS_SIG		2
#define	IKE_AUTH_METH_RSA_SIG		3
#define	IKE_AUTH_METH_RSA_ENCR		4
#define	IKE_AUTH_METH_RSA_ENCR_REVISED	5

/* values for p1xf_prf */
#define	IKE_PRF_NONE		0
#define	IKE_PRF_HMAC_MD5	1
#define	IKE_PRF_HMAC_SHA1	2
#define	IKE_PRF_HMAC_SHA256	5
#define	IKE_PRF_HMAC_SHA384	6
#define	IKE_PRF_HMAC_SHA512	7

/* Per-P1-SA statistics; carried inside ike_p1_sa_t at p1sa_stat_off. */
typedef struct {
	/*
	 * NOTE: the new and del counters count the actual number of SAs,
	 * not the number of "suites", as defined in the ike monitoring
	 * mib draft; we do this because we don't have a good way of
	 * tracking the deletion of entire suites (we're notified of
	 * deleted qm sas individually).
	 */
	uint32_t	p1stat_new_qm_sas;
	uint32_t	p1stat_del_qm_sas;
	uint64_t	p1stat_start;
	uint32_t	p1stat_kbytes;
	uint32_t	p1stat_keyuses;
} ike_p1_stats_t;

/* Per-P1-SA error counters; carried inside ike_p1_sa_t at p1sa_error_off. */
typedef struct {
	uint32_t	p1err_decrypt;
	uint32_t	p1err_hash;
	uint32_t	p1err_otherrx;
	uint32_t	p1err_tx;
} ike_p1_errors_t;

/*
 * Header for one piece of P1 keying material inside an ike_p1_sa_t.
 * Per the privilege-level rules above, this material is only returned
 * to a consumer holding IKE_PRIV_KEYMAT.
 */
typedef struct {
	uint32_t	p1key_type;	/* IKE_KEY_* value */
	uint32_t	p1key_len;
	/*
	 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
	 * 64-bit aligned (pad bytes are added at the end, if necessary,
	 * and NOT INCLUDED in the len value, which reflects the actual
	 * key size).
	 */
} ike_p1_key_t;

/* key info types for ike_p1_key_t struct */
#define	IKE_KEY_PRESHARED	1
#define	IKE_KEY_SKEYID		2
#define	IKE_KEY_SKEYID_D	3
#define	IKE_KEY_SKEYID_A	4
#define	IKE_KEY_SKEYID_E	5
#define	IKE_KEY_ENCR		6
#define	IKE_KEY_IV		7

/*
 * One phase 1 SA as returned by IKE_SVC_GET_P1 / IKE_SVC_DUMP_P1S.
 *
 * NOTE(review): the *_off/*_len fields are supplied by the other process
 * (presumably relative to the start of this struct -- confirm against
 * in.iked).  A consumer should check that each off + len lies within the
 * total length it actually received (get_len / dump_len) before reading
 * through them.
 */
typedef struct {
	ike_p1_hdr_t	p1sa_hdr;
	ike_p1_xform_t	p1sa_xform;
	ike_addr_pr_t	p1sa_ipaddrs;
	uint16_t	p1sa_stat_off;
	uint16_t	p1sa_stat_len;
	uint16_t	p1sa_error_off;
	uint16_t	p1sa_error_len;
	uint16_t	p1sa_localid_off;
	uint16_t	p1sa_localid_len;
	uint16_t	p1sa_remoteid_off;
	uint16_t	p1sa_remoteid_len;
	uint16_t	p1sa_key_off;
	uint16_t	p1sa_key_len;
	uint32_t	p1sa_reserved;
	/*
	 * variable-length structures will be included here, as
	 * indicated by offset/length fields.
	 * stats and errors will be formatted as ike_p1_stats_t and
	 * ike_p1_errors_t, respectively.
	 * key info will be formatted as a series of p1_key_t structs.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_p1_sa_t;


#define	MAX_LABEL_LEN	256


/* data formatting structure for policy (rule) dumps */

/*
 * NOTE(review): as with ike_p1_sa_t, the *_cnt/*_off fields come from the
 * other process; bound-check them against the received length before use.
 */
typedef struct {
	char		rule_label[MAX_LABEL_LEN];
	uint32_t	rule_kmcookie;
	uint16_t	rule_ike_mode;		/* IKE_XCHG_* value */
	uint16_t	rule_local_idtype;	/* SADB_IDENTTYPE_* value */
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	rule_p2_idletime_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint16_t	rule_xform_cnt;
	uint16_t	rule_xform_off;
	uint16_t	rule_locip_cnt;
	uint16_t	rule_locip_off;
	uint16_t	rule_remip_cnt;
	uint16_t	rule_remip_off;
	uint16_t	rule_locid_inclcnt;
	uint16_t	rule_locid_exclcnt;
	uint16_t	rule_locid_off;
	uint16_t	rule_remid_inclcnt;
	uint16_t	rule_remid_exclcnt;
	uint16_t	rule_remid_off;
	/*
	 * Followed by several lists of variable-length structures, described
	 * by counts and offsets:
	 *   transforms			ike_p1_xform_t structs
	 *   ranges of local ip addrs	ike_addr_pr_t structs
	 *   ranges of remote ip addrs	ike_addr_pr_t structs
	 *   local identification strings	null-terminated ascii strings
	 *   remote identification strings	null-terminated ascii strings
	 */
} ike_rule_t;


/*
 * data formatting structure for preshared keys
 * ps_ike_mode field uses the IKE_XCHG_* defs
 *
 * The key bytes at ps_key_off are only included for a consumer holding
 * IKE_PRIV_KEYMAT (see the privilege-level rules above).
 */
typedef struct {
	ike_addr_pr_t	ps_ipaddrs;
	uint16_t	ps_ike_mode;
	uint16_t	ps_localid_off;
	uint16_t	ps_localid_len;
	uint16_t	ps_remoteid_off;
	uint16_t	ps_remoteid_len;
	uint16_t	ps_key_off;
	uint16_t	ps_key_len;
	uint16_t	ps_key_bits;
	/*
	 * followed by variable-length structures, as indicated by
	 * offset/length fields.
	 * key info will be formatted as an array of bytes.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_ps_t;

#define	DN_MAX			1024
/* values for ike_certcache_t.linkage (signed, because of CERT_OFF_WIRE) */
#define	CERT_OFF_WIRE		-1
#define	CERT_NO_PRIVKEY		0
#define	CERT_PRIVKEY_LOCKED	1
#define	CERT_PRIVKEY_AVAIL	2

/*
 * data formatting structure for cached certs
 */
typedef struct {
	uint32_t	cache_id;
	uint32_t	certclass;
	int		linkage;	/* CERT_* value */
	uint32_t	certcache_padding;	/* For 64-bit alignment. */
	char		subject[DN_MAX];
	char		issuer[DN_MAX];
} ike_certcache_t;

/* identification types (get_idtype / del_idtype) */
#define	IKE_ID_IDENT_PAIR	1
#define	IKE_ID_ADDR_PAIR	2
#define	IKE_ID_CKY_PAIR		3
#define	IKE_ID_LABEL		4


/* locations for read/write requests (rw_loc) */
#define	IKE_RW_LOC_DEFAULT	1
#define	IKE_RW_LOC_USER_SPEC	2


/* door interface error codes */
#define	IKE_ERR_NO_OBJ		1	/* nothing found to match the request */
#define	IKE_ERR_NO_DESC		2	/* fd was required with this request */
#define	IKE_ERR_ID_INVALID	3	/* invalid id info was provided */
#define	IKE_ERR_LOC_INVALID	4	/* invalid location info was provided */
#define	IKE_ERR_CMD_INVALID	5	/* invalid command was provided */
#define	IKE_ERR_DATA_INVALID	6	/* invalid data was provided */
#define	IKE_ERR_CMD_NOTSUP	7	/* unsupported command */
#define	IKE_ERR_REQ_INVALID	8	/* badly formatted request */
#define	IKE_ERR_NO_PRIV		9	/* privilege level not high enough */
#define	IKE_ERR_SYS_ERR		10	/* syserr occurred while processing */
#define	IKE_ERR_DUP_IGNORED	11	/* attempt to add a duplicate entry */
#define	IKE_ERR_NO_TOKEN	12	/* cannot login into pkcs#11 token */
#define	IKE_ERR_NO_AUTH		13	/* not authorized */
#define	IKE_ERR_IN_PROGRESS	14	/* operation already in progress */
#define	IKE_ERR_NO_MEM		15	/* insufficient memory */


/*
 * IKE_SVC_GET_DBG
 * Used to request the current debug level.
 *
 * Upon request, dbg_level is 0 (don't care).
 *
 * Upon return, dbg_level contains the current value.
 *
 *
 * IKE_SVC_SET_DBG
 * Used to request modification of the debug level.
 *
 * Upon request, dbg_level contains desired level.  If debug output is
 * to be directed to a different file, the fd should be passed in the
 * door_desc_t field of the door_arg_t param.  NOTE: if the daemon is
 * currently running in the background with no debug set, an output
 * file MUST be given.
 *
 * Upon return, dbg_level contains the old debug level, and acknowledges
 * successful completion of the request.  If an error is encountered,
 * ike_err_t is returned instead, with appropriate error value and cmd
 * IKE_SVC_ERROR.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dbg_level;	/* bitmask of D_* categories */
} ike_dbg_t;

/*
 * IKE_SVC_GET_PRIV
 * Used to request the current privilege level.
 *
 * Upon request, priv_level is 0 (don't care).
 *
 * Upon return, priv_level contains the current value.
 *
 *
 * IKE_SVC_SET_PRIV
 * Used to request modification of the privilege level.
 *
 * Upon request, priv_level contains the desired level.  The level may
 * only be lowered via the door interface; it cannot be raised.  Thus,
 * if in.iked is started at the lowest level, it cannot be changed.
 *
 * Upon return, priv_level contains the old privilege level, and
 * acknowledges successful completion of the request.  If an error is
 * encountered, ike_err_t is returned instead, with appropriate error
 * value and cmd IKE_SVC_ERROR.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	priv_level;	/* IKE_PRIV_* value */
} ike_priv_t;


/*
 * IKE_SVC_GET_STATS
 * Used to request current statistics on Phase 1 SA creation and
 * failures.  The statistics represent all activity in in.iked.
 *
 * Upon request, cmd is set, and stat_len does not matter.
 *
 * Upon successful return, stat_len contains the total size of the
 * returned buffer, which contains first the ike_statreq_t struct,
 * followed by the stat data in the ike_stats_t structure.  In case
 * of an error in processing the request, ike_err_t is returned with
 * IKE_SVC_ERROR command and appropriate error code.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	stat_len;
} ike_statreq_t;

/*
 * IKE_SVC_GET_DEFS
 * Used to request default values from in.iked.
 *
 * Upon request, cmd is set, and stat_len does not matter.
 *
 * Upon successful return, stat_len contains the total size of the
 * returned buffer, this contains a pair of ike_defaults_t's.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	stat_len;
	uint32_t	version;	/* presumably compared against DOORVER -- confirm */
	uint32_t	defreq_reserved;	/* For 64-bit alignment. */
} ike_defreq_t;

/*
 * IKE_SVC_DUMP_{P1S|RULES|PS|CERTCACHE}
 * Used to request a table dump, and to return info for a single table
 * item.  The expectation is that all of the table data will be passed
 * through the door, one entry at a time; an individual request must be
 * sent for each entry, however (the door server can't send unrequested
 * data).
 *
 * Upon request: cmd is set, and dump_next contains the item number
 * requested (0 for first request).  dump_len is 0; no data follows.
 *
 * Upon return: cmd is set, and dump_next contains the item number of
 * the *next* item in the table (to be used in the subsequent request).
 * dump_next = 0 indicates that this is the last item in the table.
 * dump_len is the total length (data + struct) returned.  Data is
 * formatted as indicated by the cmd type:
 *   IKE_SVC_DUMP_P1S:		ike_p1_sa_t
 *   IKE_SVC_DUMP_RULES:	ike_rule_t
 *   IKE_SVC_DUMP_PS:		ike_ps_t
 *   IKE_SVC_DUMP_CERTCACHE:	ike_certcache_t
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dump_len;
	/* the union forces the trailing data onto a 64-bit boundary */
	union {
		struct {
			uint32_t	dump_unext;
			uint32_t	dump_ureserved;
		} dump_actual;
		uint64_t	dump_alignment;
	} dump_u;
#define	dump_next	dump_u.dump_actual.dump_unext
#define	dump_reserved	dump_u.dump_actual.dump_ureserved
	/* dump_len - sizeof (ike_dump_t) bytes of data included here */
} ike_dump_t;


/*
 * IKE_SVC_GET_{P1|RULE|PS}
 * Used to request and return individual table items.
 *
 * Upon request: get_len is the total msg length (struct + id data);
 * get_idtype indicates the type of identification being used.
 *   IKE_SVC_GET_P1:		ike_addr_pr_t or ike_cky_pr_t
 *   IKE_SVC_GET_RULE:		char string (label)
 *   IKE_SVC_GET_PS:		ike_addr_pr_t or pair of sadb_ident_t
 *
 * Upon return: get_len is the total size (struct + data), get_idtype
 * is unused, and the data that follows is formatted according to cmd:
 *   IKE_SVC_GET_P1:		ike_p1_sa_t
 *   IKE_SVC_GET_RULE:		ike_rule_t
 *   IKE_SVC_GET_PS:		ike_ps_t
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	get_len;
	/* the union forces the trailing data onto a 64-bit boundary */
	union {
		struct {
			uint32_t	getu_idtype;	/* IKE_ID_* value */
			uint32_t	getu_reserved;
		} get_actual;
		uint64_t	get_alignment;
	} get_u;
#define	get_idtype	get_u.get_actual.getu_idtype
#define	get_reserved	get_u.get_actual.getu_reserved
	/* get_len - sizeof (ike_get_t) bytes of data included here */
} ike_get_t;


/*
 * IKE_SVC_NEW_{RULE|PS}
 * Used to request and acknowledge insertion of a table item.
 *
 * Upon request: new_len is the total (data + struct) size passed, or 0.
 * new_len = 0 => a door_desc_t is also included with a file descriptor
 * for a file containing the data to be added.  The file should include
 * a single item: a rule, or a pre-shared key.  For new_len != 0, the
 * data is formatted according to the cmd type:
 *   IKE_SVC_NEW_RULE:		ike_rule_t
 *   IKE_SVC_NEW_PS:		ike_ps_t
 *
 * Upon return: new_len is 0; simply acknowledges successful insertion
 * of the requested item.  If insertion is not successful, ike_err_t is
 * returned instead with appropriate error value.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	new_len;
	/* new_len - sizeof (ike_new_t) bytes included here */
	uint64_t	new_align;	/* Padding for 64-bit alignment. */
} ike_new_t;


/*
 * IKE_SVC_DEL_{P1|RULE|PS}
 * Used to request and acknowledge the deletion of an individual table
 * item.
 *
 * Upon request: del_len is the total msg length (struct + id data);
 * del_idtype indicates the type of identification being used.
 *   IKE_SVC_DEL_P1:		ike_addr_pr_t or ike_cky_pr_t
 *   IKE_SVC_DEL_RULE:		char string (label)
 *   IKE_SVC_DEL_PS:		ike_addr_pr_t or pair of sadb_ident_t
 *
 * Upon return: acknowledges deletion of the requested item; del_len and
 * del_idtype are unspecified.  If deletion is not successful, ike_err_t
 * is returned instead with appropriate error value.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	del_len;
	uint32_t	del_idtype;	/* IKE_ID_* value */
	uint32_t	del_reserved;
	/* del_len - sizeof (ike_del_t) bytes of data included here. */
} ike_del_t;


/*
 * IKE_SVC_READ_{RULES|PS}
 * Used to ask daemon to re-read particular configuration info.
 *
 * Upon request: rw_loc indicates where the info should be read from:
 * either from a user-supplied file descriptor(s), or from the default
 * location(s).  If rw_loc indicates user-supplied location, the file
 * descriptor(s) should be passed in the door_desc_t struct.  For the
 * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
 * first, one for the config file which contains the data to be read,
 * and second, one for the cookie file which will be written to as
 * in.iked processes the config file.
 *
 * Upon return: rw_loc is unspecified; the message simply acknowledges
 * successful completion of the request.  If an error occurred,
 * ike_err_t is returned instead with appropriate error value.
 *
 *
 * IKE_SVC_WRITE_{RULES|PS}
 * Used to ask daemon to write its current config info to files.
 *
 * Request and return are handled the same as for the IKE_SVC_READ_*
 * cmds; however, the rw_loc MUST be a user-supplied location.  Also,
 * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
 * only a single fd, for the file to which the config info should be
 * written, should be passed in.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	rw_loc;		/* IKE_RW_LOC_* value */
} ike_rw_t;


/*
 * IKE_SVC_FLUSH_P1S
 * IKE_SVC_FLUSH_CERTCACHE
 *
 * Used to request and acknowledge tear-down of all P1 SAs
 * or to flush the certificate cache.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_flush_t;


#ifndef	PKCS11_TOKSIZE
#define	PKCS11_TOKSIZE	32
#endif
#define	MAX_PIN_LEN	256
/*
 * IKE_SVC_SET_PIN
 * IKE_SVC_DEL_PIN
 *
 * Used to supply a pin for a PKCS#11 token object.
 *
 * token_pin carries the PIN itself, so any buffer holding an ike_pin_t
 * on either side of the door should be treated as sensitive.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	pin_reserved;	/* For 64-bit alignment. */
	char		pkcs11_token[PKCS11_TOKSIZE];
	uchar_t		token_pin[MAX_PIN_LEN];
} ike_pin_t;

/*
 * IKE_SVC_ERROR
 * Used on return if server encountered an error while processing
 * the request.  An appropriate error code is included (as defined
 * in this header file); in the case of IKE_ERR_SYS_ERR, a value
 * from the UNIX errno space is included in the ike_err_unix field.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	ike_err;	/* IKE_ERR_* value */
	uint32_t	ike_err_unix;	/* errno, only for IKE_ERR_SYS_ERR */
	uint32_t	ike_err_reserved;
} ike_err_t;

/*
 * Generic type for use when the request/reply type is unknown
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_cmd_t;


/*
 * Union containing all possible request/return structures.
 */
typedef union {
	ike_cmd_t	svc_cmd;
	ike_dbg_t	svc_dbg;
	ike_priv_t	svc_priv;
	ike_statreq_t	svc_stats;
	ike_dump_t	svc_dump;
	ike_get_t	svc_get;
	ike_new_t	svc_new;
	ike_del_t	svc_del;
	ike_rw_t	svc_rw;
	ike_flush_t	svc_flush;
	ike_pin_t	svc_pin;
	ike_err_t	svc_err;
	ike_defreq_t	svc_defaults;
} ike_service_t;

#ifdef	__cplusplus
}
#endif

#endif	/* _IKEDOOR_H */