xref: /titanic_51/usr/src/lib/libipsecutil/common/ikedoor.h (revision 4dd87b61fd8fd35014b2dc0e39c822fa0741a007)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_IKEDOOR_H
27 #define	_IKEDOOR_H
28 
29 #pragma ident	"%Z%%M%	%I%	%E% SMI"
30 
31 #ifdef	__cplusplus
32 extern "C" {
33 #endif
34 
35 #include <limits.h>
36 #include <sys/sysmacros.h>
37 #include <net/pfkeyv2.h>
38 #include <door.h>
39 
40 /*
41  * This version number is intended to stop the calling process from
42  * getting confused if a structure is changed and a mismatch occurs.
43  * This should be incremented each time a structure is changed.
44  */
45 #define	DOORVER 2
46 #define	DOORNM	"/var/run/ike_door"
47 
48 
49 typedef enum {
50 	IKE_SVC_GET_DBG,
51 	IKE_SVC_SET_DBG,
52 
53 	IKE_SVC_GET_PRIV,
54 	IKE_SVC_SET_PRIV,
55 
56 	IKE_SVC_GET_STATS,
57 
58 	IKE_SVC_GET_P1,
59 	IKE_SVC_DEL_P1,
60 	IKE_SVC_DUMP_P1S,
61 	IKE_SVC_FLUSH_P1S,
62 
63 	IKE_SVC_GET_RULE,
64 	IKE_SVC_NEW_RULE,
65 	IKE_SVC_DEL_RULE,
66 	IKE_SVC_DUMP_RULES,
67 	IKE_SVC_READ_RULES,
68 	IKE_SVC_WRITE_RULES,
69 
70 	IKE_SVC_GET_PS,
71 	IKE_SVC_NEW_PS,
72 	IKE_SVC_DEL_PS,
73 	IKE_SVC_DUMP_PS,
74 	IKE_SVC_READ_PS,
75 	IKE_SVC_WRITE_PS,
76 
77 	IKE_SVC_DBG_RBDUMP,
78 
79 	IKE_SVC_GET_DEFS,
80 
81 	IKE_SVC_ERROR
82 } ike_svccmd_t;
83 
84 #define	IKE_SVC_MAX	IKE_SVC_ERROR
85 
86 
87 /*
88  * Support structures/defines
89  */
90 
91 #define	IKEDOORROUNDUP(i)   P2ROUNDUP((i), sizeof (uint64_t))
92 
93 /*
94  * Debug categories.  The debug level is a bitmask made up of
95  * flags indicating the desired categories; only 31 bits are
96  * available, as the highest-order bit designates an invalid
97  * setting.
98  */
99 #define	D_INVALID	0x80000000
100 
101 #define	D_CERT		0x00000001	/* certificate management */
102 #define	D_KEY		0x00000002	/* key management */
103 #define	D_OP		0x00000004	/* operational: config, init, mem */
104 #define	D_P1		0x00000008	/* phase 1 negotiation */
105 #define	D_P2		0x00000010	/* phase 2 negotiation */
106 #define	D_PFKEY		0x00000020	/* pf key interface */
107 #define	D_POL		0x00000040	/* policy management */
108 #define	D_PROP		0x00000080	/* proposal construction */
109 #define	D_DOOR		0x00000100	/* door server */
110 #define	D_CONFIG	0x00000200	/* config file processing */
111 
112 #define	D_HIGHBIT	0x00000200
113 #define	D_ALL		0x000003ff
114 
115 /*
116  * Access privilege levels: define level of access to keying information.
117  * The privileges granted at each level is a superset of the privileges
118  * granted at all lower levels.
119  *
120  * The door operations which require special privileges are:
121  *
122  *	- receiving keying material for SAs and preshared key entries
123  *	  IKE_PRIV_KEYMAT must be set for this.
124  *
125  *	- get/dump/new/delete/read/write preshared keys
126  *	  IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
127  *	  If IKE_PRIV_MODKEYS is set, the information returned for a
128  *	  get/dump request will not include the actual key; in order
129  *	  to get the key itself, IKE_PRIV_KEYMAT must be set.
130  *
131  *	- modifying the privilege level: the daemon's privilege level
132  *	  is set when the daemon is started; the level may only be
133  *	  lowered via the door interface.
134  *
135  * All other operations are allowed at any privilege level.
136  */
137 #define	IKE_PRIV_MINIMUM	0
138 #define	IKE_PRIV_MODKEYS	1
139 #define	IKE_PRIV_KEYMAT		2
140 #define	IKE_PRIV_MAXIMUM	2
141 
142 /* global ike stats formatting structure */
143 typedef struct {
144 	uint32_t	st_init_p1_current;
145 	uint32_t	st_resp_p1_current;
146 	uint32_t	st_init_p1_total;
147 	uint32_t	st_resp_p1_total;
148 	uint32_t	st_init_p1_attempts;
149 	uint32_t	st_resp_p1_attempts;
150 	uint32_t	st_init_p1_noresp;   /* failed; no response from peer */
151 	uint32_t	st_init_p1_respfail; /* failed, but peer responded */
152 	uint32_t	st_resp_p1_fail;
153 	uint32_t	st_reserved;
154 	char		st_pkcs11_libname[PATH_MAX];
155 } ike_stats_t;
156 
157 /* structure used to pass default values used by in.iked back to ikeadm */
158 typedef struct {
159 	uint32_t	rule_p1_lifetime_secs;
160 	uint32_t	rule_p1_minlife;
161 	uint32_t	rule_p1_nonce_len;
162 	uint32_t	rule_p2_lifetime_secs;
163 	uint32_t	rule_p2_softlife_secs;
164 	uint32_t	sys_p2_lifetime_secs;
165 	uint32_t	sys_p2_softlife_secs;
166 	uint32_t	rule_p2_lifetime_kb;
167 	uint32_t	rule_p2_softlife_kb;
168 	uint32_t	sys_p2_lifetime_bytes;
169 	uint32_t	sys_p2_softlife_bytes;
170 	uint32_t	rule_p2_minlife;
171 	uint32_t	rule_p2_def_minlife;
172 	uint32_t	rule_p2_nonce_len;
173 	uint32_t	rule_p2_pfs;
174 	uint32_t	rule_p2_minsoft;
175 	uint32_t	rule_max_certs;
176 	uint32_t	rule_ike_port;
177 	uint32_t	rule_natt_port;
178 } ike_defaults_t;
179 
180 /* data formatting structures for P1 SA dumps */
181 typedef struct {
182 	struct sockaddr_storage	loc_addr;
183 	struct sockaddr_storage	rem_addr;
184 #define	beg_iprange	loc_addr
185 #define	end_iprange	rem_addr
186 } ike_addr_pr_t;
187 
188 typedef struct {
189 	uint64_t	cky_i;
190 	uint64_t	cky_r;
191 } ike_cky_pr_t;
192 
193 typedef struct {
194 	ike_cky_pr_t	p1hdr_cookies;
195 	uint8_t		p1hdr_major;
196 	uint8_t		p1hdr_minor;
197 	uint8_t		p1hdr_xchg;
198 	uint8_t		p1hdr_isinit;
199 	uint32_t	p1hdr_state;
200 } ike_p1_hdr_t;
201 
202 /* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
203 #define	IKE_XCHG_NONE			0
204 #define	IKE_XCHG_BASE			1
205 #define	IKE_XCHG_IDENTITY_PROTECT	2
206 #define	IKE_XCHG_AUTH_ONLY		3
207 #define	IKE_XCHG_AGGRESSIVE		4
208 /* following not from RFC; used only for preshared key definitions */
209 #define	IKE_XCHG_IP_AND_AGGR		240
210 /* also not from RFC; used as wildcard */
211 #define	IKE_XCHG_ANY			256
212 
213 /* values for p1hdr_state */
214 #define	IKE_SA_STATE_INVALID	0
215 #define	IKE_SA_STATE_INIT	1
216 #define	IKE_SA_STATE_SENT_SA	2
217 #define	IKE_SA_STATE_SENT_KE	3
218 #define	IKE_SA_STATE_SENT_LAST	4
219 #define	IKE_SA_STATE_DONE	5
220 #define	IKE_SA_STATE_DELETED	6
221 
222 typedef struct {
223 	uint16_t	p1xf_dh_group;
224 	uint16_t	p1xf_encr_alg;
225 	uint16_t	p1xf_encr_low_bits;
226 	uint16_t	p1xf_encr_high_bits;
227 	uint16_t	p1xf_auth_alg;
228 	uint16_t	p1xf_auth_meth;
229 	uint16_t	p1xf_prf;
230 	uint16_t	p1xf_pfs;
231 	uint32_t	p1xf_max_secs;
232 	uint32_t	p1xf_max_kbytes;
233 	uint32_t	p1xf_max_keyuses;
234 } ike_p1_xform_t;
235 
236 /* values for p1xf_dh_group (aligned with RFC2409, Appendix A) */
237 #define	IKE_GRP_DESC_MODP_768	1
238 #define	IKE_GRP_DESC_MODP_1024	2
239 #define	IKE_GRP_DESC_EC2N_155	3
240 #define	IKE_GRP_DESC_EC2N_185	4
241 /* values for p1xf_dh_group (aligned with RFC3526) */
242 #define	IKE_GRP_DESC_MODP_1536	5
243 #define	IKE_GRP_DESC_MODP_2048	14
244 #define	IKE_GRP_DESC_MODP_3072	15
245 #define	IKE_GRP_DESC_MODP_4096	16
246 #define	IKE_GRP_DESC_MODP_6144	17
247 #define	IKE_GRP_DESC_MODP_8192	18
248 
249 /* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
250 #define	IKE_AUTH_METH_PRE_SHARED_KEY	1
251 #define	IKE_AUTH_METH_DSS_SIG		2
252 #define	IKE_AUTH_METH_RSA_SIG		3
253 #define	IKE_AUTH_METH_RSA_ENCR		4
254 #define	IKE_AUTH_METH_RSA_ENCR_REVISED	5
255 
256 /* values for p1xf_prf */
257 #define	IKE_PRF_NONE		0
258 #define	IKE_PRF_HMAC_MD5	1
259 #define	IKE_PRF_HMAC_SHA1	2
260 #define	IKE_PRF_HMAC_SHA256	5
261 #define	IKE_PRF_HMAC_SHA384	6
262 #define	IKE_PRF_HMAC_SHA512	7
263 
264 typedef struct {
265 	/*
266 	 * NOTE: the new and del counters count the actual number of SAs,
267 	 * not the number of "suites", as defined in the ike monitoring
268 	 * mib draft; we do this because we don't have a good way of
269 	 * tracking the deletion of entire suites (we're notified of
270 	 * deleted qm sas individually).
271 	 */
272 	uint32_t	p1stat_new_qm_sas;
273 	uint32_t	p1stat_del_qm_sas;
274 	uint64_t	p1stat_start;
275 	uint32_t	p1stat_kbytes;
276 	uint32_t	p1stat_keyuses;
277 } ike_p1_stats_t;
278 
279 typedef struct {
280 	uint32_t	p1err_decrypt;
281 	uint32_t	p1err_hash;
282 	uint32_t	p1err_otherrx;
283 	uint32_t	p1err_tx;
284 } ike_p1_errors_t;
285 
286 typedef struct {
287 	uint32_t	p1key_type;
288 	uint32_t	p1key_len;
289 	/*
290 	 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
291 	 * 64-bit aligned (pad bytes are added at the end, if necessary,
292 	 * and NOT INCLUDED in the len value, which reflects the actual
293 	 * key size).
294 	 */
295 } ike_p1_key_t;
296 
297 /* key info types for ike_p1_key_t struct */
298 #define	IKE_KEY_PRESHARED	1
299 #define	IKE_KEY_SKEYID		2
300 #define	IKE_KEY_SKEYID_D	3
301 #define	IKE_KEY_SKEYID_A	4
302 #define	IKE_KEY_SKEYID_E	5
303 #define	IKE_KEY_ENCR		6
304 #define	IKE_KEY_IV		7
305 
306 typedef struct {
307 	ike_p1_hdr_t	p1sa_hdr;
308 	ike_p1_xform_t	p1sa_xform;
309 	ike_addr_pr_t	p1sa_ipaddrs;
310 	uint16_t	p1sa_stat_off;
311 	uint16_t	p1sa_stat_len;
312 	uint16_t	p1sa_error_off;
313 	uint16_t	p1sa_error_len;
314 	uint16_t	p1sa_localid_off;
315 	uint16_t	p1sa_localid_len;
316 	uint16_t	p1sa_remoteid_off;
317 	uint16_t	p1sa_remoteid_len;
318 	uint16_t	p1sa_key_off;
319 	uint16_t	p1sa_key_len;
320 	uint32_t	p1sa_reserved;
321 	/*
322 	 * variable-length structures will be included here, as
323 	 * indicated by offset/length fields.
324 	 * stats and errors will be formatted as ike_p1_stats_t and
325 	 * ike_p1_errors_t, respectively.
326 	 * key info will be formatted as a series of p1_key_t structs.
327 	 * local/remote ids will be formatted as sadb_ident_t structs.
328 	 */
329 } ike_p1_sa_t;
330 
331 
332 #define	MAX_LABEL_LEN	256
333 
334 
335 /* data formatting structure for policy (rule) dumps */
336 
337 typedef struct {
338 	char		rule_label[MAX_LABEL_LEN];
339 	uint32_t	rule_kmcookie;
340 	uint16_t	rule_ike_mode;
341 	uint16_t	rule_local_idtype;	/* SADB_IDENTTYPE_* value */
342 	uint32_t	rule_p1_nonce_len;
343 	uint32_t	rule_p2_nonce_len;
344 	uint32_t	rule_p2_pfs;
345 	uint32_t	rule_p2_lifetime_secs;
346 	uint32_t	rule_p2_softlife_secs;
347 	uint32_t	rule_p2_lifetime_kb;
348 	uint32_t	rule_p2_softlife_kb;
349 	uint16_t	rule_xform_cnt;
350 	uint16_t	rule_xform_off;
351 	uint16_t	rule_locip_cnt;
352 	uint16_t	rule_locip_off;
353 	uint16_t	rule_remip_cnt;
354 	uint16_t	rule_remip_off;
355 	uint16_t	rule_locid_inclcnt;
356 	uint16_t	rule_locid_exclcnt;
357 	uint16_t	rule_locid_off;
358 	uint16_t	rule_remid_inclcnt;
359 	uint16_t	rule_remid_exclcnt;
360 	uint16_t	rule_remid_off;
361 	/*
362 	 * Followed by several lists of variable-length structures, described
363 	 * by counts and offsets:
364 	 *	transforms			ike_p1_xform_t structs
365 	 *	ranges of local ip addrs	ike_addr_pr_t structs
366 	 *	ranges of remote ip addrs	ike_addr_pr_t structs
367 	 *	local identification strings	null-terminated ascii strings
368 	 *	remote identification strings	null-terminated ascii strings
369 	 */
370 } ike_rule_t;
371 
372 
373 /*
374  * data formatting structure for preshared keys
375  * ps_ike_mode field uses the IKE_XCHG_* defs
376  */
377 typedef struct {
378 	ike_addr_pr_t	ps_ipaddrs;
379 	uint16_t	ps_ike_mode;
380 	uint16_t	ps_localid_off;
381 	uint16_t	ps_localid_len;
382 	uint16_t	ps_remoteid_off;
383 	uint16_t	ps_remoteid_len;
384 	uint16_t	ps_key_off;
385 	uint16_t	ps_key_len;
386 	uint16_t	ps_key_bits;
387 	/*
388 	 * followed by variable-length structures, as indicated by
389 	 * offset/length fields.
390 	 * key info will be formatted as an array of bytes.
391 	 * local/remote ids will be formatted as sadb_ident_t structs.
392 	 */
393 } ike_ps_t;
394 
395 
396 /* identification types */
397 #define	IKE_ID_IDENT_PAIR	1
398 #define	IKE_ID_ADDR_PAIR	2
399 #define	IKE_ID_CKY_PAIR		3
400 #define	IKE_ID_LABEL		4
401 
402 
403 /* locations for read/write requests */
404 #define	IKE_RW_LOC_DEFAULT	1
405 #define	IKE_RW_LOC_USER_SPEC	2
406 
407 
408 /* door interface error codes */
409 #define	IKE_ERR_NO_OBJ		1	/* nothing found to match the request */
410 #define	IKE_ERR_NO_DESC		2	/* fd was required with this request */
411 #define	IKE_ERR_ID_INVALID	3	/* invalid id info was provided */
412 #define	IKE_ERR_LOC_INVALID	4	/* invalid location info was provided */
413 #define	IKE_ERR_CMD_INVALID	5	/* invalid command was provided */
414 #define	IKE_ERR_DATA_INVALID	6	/* invalid data was provided */
415 #define	IKE_ERR_CMD_NOTSUP	7	/* unsupported command */
416 #define	IKE_ERR_REQ_INVALID	8	/* badly formatted request */
417 #define	IKE_ERR_NO_PRIV		9	/* privilege level not high enough */
418 #define	IKE_ERR_SYS_ERR		10	/* syserr occurred while processing */
419 #define	IKE_ERR_DUP_IGNORED	11	/* attempt to add a duplicate entry */
420 
421 
422 /*
423  * IKE_SVC_GET_DBG
424  * Used to request the current debug level.
425  *
426  * Upon request, dbg_level is 0 (don't care).
427  *
428  * Upon return, dbg_level contains the current value.
429  *
430  *
431  * IKE_SVC_SET_DBG
432  * Used to request modification of the debug level.
433  *
434  * Upon request, dbg_level contains desired level.  If debug output is
435  * to be directed to a different file, the fd should be passed in the
436  * door_desc_t field of the door_arg_t param.  NOTE: if the daemon is
437  * currently running in the background with no debug set, an output
438  * file MUST be given.
439  *
440  * Upon return, dbg_level contains the old debug level, and acknowledges
441  * successful completion of the request.  If an error is encountered,
442  * ike_err_t is returned instead, with appropriate error value and cmd
443  * IKE_SVC_ERROR.
444  */
445 typedef struct {
446 	ike_svccmd_t	cmd;
447 	uint32_t	dbg_level;
448 } ike_dbg_t;
449 
450 /*
451  * IKE_SVC_GET_PRIV
452  * Used to request the current privilege level.
453  *
454  * Upon request, priv_level is 0 (don't care).
455  *
456  * Upon return, priv_level contains the current value.
457  *
458  *
459  * IKE_SVC_SET_PRIV
460  * Used to request modification of the privilege level.
461  *
462  * Upon request, priv_level contains the desired level.  The level may
463  * only be lowered via the door interface; it cannot be raised.  Thus,
464  * if in.iked is started at the lowest level, it cannot be changed.
465  *
466  * Upon return, priv_level contains the old privilege level, and
467  * acknowledges successful completion of the request.  If an error is
468  * encountered, ike_err_t is returned instead, with appropriate error
469  * value and cmd IKE_SVC_ERROR.
470  */
471 typedef struct {
472 	ike_svccmd_t	cmd;
473 	uint32_t	priv_level;
474 } ike_priv_t;
475 
476 
477 /*
478  * IKE_SVC_GET_STATS
479  * Used to request current statistics on Phase 1 SA creation and
480  * failures.  The statistics represent all activity in in.iked.
481  *
482  * Upon request, cmd is set, and stat_len does not matter.
483  *
484  * Upon successful return, stat_len contains the total size of the
485  * returned buffer, which contains first the ike_statreq_t struct,
486  * followed by the stat data in the ike_stats_t structure. In case
487  * of an error in processing the request, ike_err_t is returned with
488  * IKE_SVC_ERROR command and appropriate error code.
489  */
490 typedef struct {
491 	ike_svccmd_t	cmd;
492 	uint32_t	stat_len;
493 } ike_statreq_t;
494 
495 /*
496  * IKE_SVC_GET_DEFS
497  * Used to request default values from in.iked.
498  *
499  * Upon request, cmd is set, and stat_len does not matter.
500  *
501  * Upon successful return, stat_len contains the total size of the
502  * returned buffer, this contains a pair of ike_defaults_t's.
503  */
504 typedef struct {
505 	ike_svccmd_t	cmd;
506 	uint32_t	stat_len;
507 	uint32_t	version;
508 } ike_defreq_t;
509 
510 /*
511  * IKE_SVC_DUMP_{P1S|RULES|PS}
512  * Used to request a table dump, and to return info for a single table
513  * item.  The expectation is that all of the table data will be passed
514  * through the door, one entry at a time; an individual request must be
515  * sent for each entry, however (the door server can't send unrequested
516  * data).
517  *
518  * Upon request: cmd is set, and dump_next contains the item number
519  * requested (0 for first request).  dump_len is 0; no data follows.
520  *
521  * Upon return: cmd is set, and dump_next contains the item number of
522  * the *next* item in the table (to be used in the subsequent request).
523  * dump_next = 0 indicates that this is the last item in the table.
524  * dump_len is the total length (data + struct) returned.  Data is
525  * formatted as indicated by the cmd type:
526  *   IKE_SVC_DUMP_P1S:		ike_p1_sa_t
527  *   IKE_SVC_DUMP_RULES:	ike_rule_t
528  *   IKE_SVC_DUMP_PS:		ike_ps_t
529  */
530 typedef struct {
531 	ike_svccmd_t	cmd;
532 	uint32_t	dump_len;
533 	union {
534 		struct {
535 			uint32_t	dump_unext;
536 			uint32_t	dump_ureserved;
537 		} dump_actual;
538 		uint64_t dump_alignment;
539 	} dump_u;
540 #define	dump_next dump_u.dump_actual.dump_unext
541 #define	dump_reserved dump_u.dump_actual.dump_ureserved
542 	/* dump_len - sizeof (ike_dump_t) bytes of data included here */
543 } ike_dump_t;
544 
545 
546 /*
547  * IKE_SVC_GET_{P1|RULE|PS}
548  * Used to request and return individual table items.
549  *
550  * Upon request: get_len is the total msg length (struct + id data);
551  * get_idtype indicates the type of identification being used.
552  *   IKE_SVC_GET_P1:		ike_addr_pr_t or ike_cky_pr_t
553  *   IKE_SVC_GET_RULE:		char string (label)
554  *   IKE_SVC_GET_PS:		ike_addr_pr_t or pair of sadb_ident_t
555  *
556  * Upon return: get_len is the total size (struct + data), get_idtype
557  * is unused, and the data that follows is formatted according to cmd:
558  *   IKE_SVC_GET_P1:		ike_p1_sa_t
559  *   IKE_SVC_GET_RULE:		ike_rule_t
560  *   IKE_SVC_GET_PS:		ike_ps_t
561  */
562 typedef struct {
563 	ike_svccmd_t	cmd;
564 	uint32_t	get_len;
565 	union {
566 		struct {
567 			uint32_t	getu_idtype;
568 			uint32_t	getu_reserved;
569 		} get_actual;
570 		uint64_t get_alignment;
571 	} get_u;
572 #define	get_idtype get_u.get_actual.getu_idtype
573 #define	get_reserved get_u.get_actual.getu_reserved
574 	/* get_len - sizeof (ike_get_t) bytes of data included here */
575 } ike_get_t;
576 
577 
578 /*
579  * IKE_SVC_NEW_{RULE|PS}
580  * Used to request and acknowledge insertion of a table item.
581  *
582  * Upon request: new_len is the total (data + struct) size passed, or 0.
583  * new_len = 0 => a door_desc_t is also included with a file descriptor
584  * for a file containing the data to be added.  The file should include
585  * a single item: a rule, or a pre-shared key.  For new_len != 0, the
586  * data is formatted according to the cmd type:
587  *   IKE_SVC_NEW_RULE:		ike_rule_t
588  *   IKE_SVC_NEW_PS:		ike_ps_t
589  *
590  * Upon return: new_len is 0; simply acknowledges successful insertion
591  * of the requested item.  If insertion is not successful, ike_err_t is
592  * returned instead with appropriate error value.
593  */
594 typedef struct {
595 	ike_svccmd_t	cmd;
596 	uint32_t	new_len;
597 	/* new_len - sizeof (ike_new_t) bytes included here */
598 	uint64_t	new_align;	/* Padding for 64-bit alignment. */
599 } ike_new_t;
600 
601 
602 /*
603  * IKE_SVC_DEL_{P1|RULE|PS}
604  * Used to request and acknowledge the deletion of an individual table
605  * item.
606  *
607  * Upon request: del_len is the total msg length (struct + id data);
608  * del_idtype indicates the type of identification being used.
609  *   IKE_SVC_DEL_P1:		ike_addr_pr_t or ike_cky_pr_t
610  *   IKE_SVC_DEL_RULE:		char string (label)
611  *   IKE_SVC_DEL_PS:		ike_addr_pr_t or pair of sadb_ident_t
612  *
613  * Upon return: acknowledges deletion of the requested item; del_len and
614  * del_idtype are unspecified.  If deletion is not successful, ike_err_t
615  * is returned instead with appropriate error value.
616  */
617 typedef struct {
618 	ike_svccmd_t	cmd;
619 	uint32_t	del_len;
620 	uint32_t	del_idtype;
621 	uint32_t	del_reserved;
622 	/* del_len - sizeof (ike_del_t) bytes of data included here. */
623 } ike_del_t;
624 
625 
626 /*
627  * IKE_SVC_READ_{RULES|PS}
628  * Used to ask daemon to re-read particular configuration info.
629  *
630  * Upon request: rw_loc indicates where the info should be read from:
631  * either from a user-supplied file descriptor(s), or from the default
632  * location(s).  If rw_loc indicates user-supplied location, the file
633  * descriptor(s) should be passed in the door_desc_t struct.  For the
634  * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
635  * first, one for the config file which contains the data to be read,
636  * and second, one for the cookie file which will be written to as
637  * in.iked process the config file.
638  *
639  * Upon return: rw_loc is unspecified; the message simply acknowledges
640  * successful completion of the request.  If an error occurred,
641  * ike_err_t is returned instead with appropriate error value.
642  *
643  *
644  * IKE_SVC_WRITE_{RULES|PS}
645  * Used to ask daemon to write its current config info to files.
646  *
647  * Request and return are handled the same as for the IKE_SVC_READ_*
648  * cmds; however, the rw_loc MUST be a user-supplied location.  Also,
649  * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
650  * only a single fd, for the file to which the config info should be
651  * written, should be passed in.
652  */
653 typedef struct {
654 	ike_svccmd_t	cmd;
655 	uint32_t	rw_loc;
656 } ike_rw_t;
657 
658 
659 /*
660  * IKE_SVC_FLUSH_P1S
661  * Used to request and acknowledge tear-down of all P1 SAs.
662  */
663 typedef struct {
664 	ike_svccmd_t	cmd;
665 } ike_flush_t;
666 
667 
668 /*
669  * IKE_SVC_ERROR
670  * Used on return if server encountered an error while processing
671  * the request.  An appropriate error code is included (as defined
672  * in this header file); in the case of IKE_ERR_SYS_ERR, a value
673  * from the UNIX errno space is included in the ike_err_unix field.
674  */
675 typedef struct {
676 	ike_svccmd_t	cmd;
677 	uint32_t	ike_err;
678 	uint32_t	ike_err_unix;
679 	uint32_t	ike_err_reserved;
680 } ike_err_t;
681 
682 
683 /*
684  * Generic type for use when the request/reply type is unknown
685  */
686 typedef struct {
687 	ike_svccmd_t	cmd;
688 } ike_cmd_t;
689 
690 
691 /*
692  * Union containing all possible request/retrun structures.
693  */
694 typedef union {
695 	ike_cmd_t	svc_cmd;
696 	ike_dbg_t	svc_dbg;
697 	ike_priv_t	svc_priv;
698 	ike_statreq_t	svc_stats;
699 	ike_dump_t	svc_dump;
700 	ike_get_t	svc_get;
701 	ike_new_t	svc_new;
702 	ike_del_t	svc_del;
703 	ike_rw_t	svc_rw;
704 	ike_flush_t	svc_flush;
705 	ike_err_t	svc_err;
706 	ike_defreq_t	svc_defaults;
707 } ike_service_t;
708 
709 #ifdef	__cplusplus
710 }
711 #endif
712 
713 #endif	/* _IKEDOOR_H */
714