xref: /titanic_51/usr/src/lib/libipsecutil/common/ikedoor.h (revision f6cfb02b955a670e8c39660b2d0468385cbc7e80)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_IKEDOOR_H
27 #define	_IKEDOOR_H
28 
29 #ifdef	__cplusplus
30 extern "C" {
31 #endif
32 
33 #include <limits.h>
34 #include <sys/sysmacros.h>
35 #include <net/pfkeyv2.h>
36 #include <door.h>
37 
38 /*
39  * This version number is intended to stop the calling process from
40  * getting confused if a structure is changed and a mismatch occurs.
41  * This should be incremented each time a structure is changed.
42  */
43 #define	DOORVER 2
44 #define	DOORNM	"/var/run/ike_door"
45 
46 
47 typedef enum {
48 	IKE_SVC_GET_DBG,
49 	IKE_SVC_SET_DBG,
50 
51 	IKE_SVC_GET_PRIV,
52 	IKE_SVC_SET_PRIV,
53 
54 	IKE_SVC_GET_STATS,
55 
56 	IKE_SVC_GET_P1,
57 	IKE_SVC_DEL_P1,
58 	IKE_SVC_DUMP_P1S,
59 	IKE_SVC_FLUSH_P1S,
60 
61 	IKE_SVC_GET_RULE,
62 	IKE_SVC_NEW_RULE,
63 	IKE_SVC_DEL_RULE,
64 	IKE_SVC_DUMP_RULES,
65 	IKE_SVC_READ_RULES,
66 	IKE_SVC_WRITE_RULES,
67 
68 	IKE_SVC_GET_PS,
69 	IKE_SVC_NEW_PS,
70 	IKE_SVC_DEL_PS,
71 	IKE_SVC_DUMP_PS,
72 	IKE_SVC_READ_PS,
73 	IKE_SVC_WRITE_PS,
74 
75 	IKE_SVC_DBG_RBDUMP,
76 
77 	IKE_SVC_GET_DEFS,
78 
79 	IKE_SVC_ERROR
80 } ike_svccmd_t;
81 
82 /* DPD status */
83 
84 typedef enum dpd_status {
85 	DPD_NOT_INITIATED = 0,
86 	DPD_IN_PROGRESS,
87 	DPD_SUCCESSFUL,
88 	DPD_FAILURE
89 } dpd_status_t;
90 
91 #define	IKE_SVC_MAX	IKE_SVC_ERROR
92 
93 
94 /*
95  * Support structures/defines
96  */
97 
98 #define	IKEDOORROUNDUP(i)   P2ROUNDUP((i), sizeof (uint64_t))
99 
100 /*
101  * Debug categories.  The debug level is a bitmask made up of
102  * flags indicating the desired categories; only 31 bits are
103  * available, as the highest-order bit designates an invalid
104  * setting.
105  */
106 #define	D_INVALID	0x80000000
107 
108 #define	D_CERT		0x00000001	/* certificate management */
109 #define	D_KEY		0x00000002	/* key management */
110 #define	D_OP		0x00000004	/* operational: config, init, mem */
111 #define	D_P1		0x00000008	/* phase 1 negotiation */
112 #define	D_P2		0x00000010	/* phase 2 negotiation */
113 #define	D_PFKEY		0x00000020	/* pf key interface */
114 #define	D_POL		0x00000040	/* policy management */
115 #define	D_PROP		0x00000080	/* proposal construction */
116 #define	D_DOOR		0x00000100	/* door server */
117 #define	D_CONFIG	0x00000200	/* config file processing */
118 
119 #define	D_HIGHBIT	0x00000200
120 #define	D_ALL		0x000003ff
121 
122 /*
123  * Access privilege levels: define level of access to keying information.
124  * The privileges granted at each level is a superset of the privileges
125  * granted at all lower levels.
126  *
127  * The door operations which require special privileges are:
128  *
129  *	- receiving keying material for SAs and preshared key entries
130  *	  IKE_PRIV_KEYMAT must be set for this.
131  *
132  *	- get/dump/new/delete/read/write preshared keys
133  *	  IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
134  *	  If IKE_PRIV_MODKEYS is set, the information returned for a
135  *	  get/dump request will not include the actual key; in order
136  *	  to get the key itself, IKE_PRIV_KEYMAT must be set.
137  *
138  *	- modifying the privilege level: the daemon's privilege level
139  *	  is set when the daemon is started; the level may only be
140  *	  lowered via the door interface.
141  *
142  * All other operations are allowed at any privilege level.
143  */
144 #define	IKE_PRIV_MINIMUM	0
145 #define	IKE_PRIV_MODKEYS	1
146 #define	IKE_PRIV_KEYMAT		2
147 #define	IKE_PRIV_MAXIMUM	2
148 
149 /* global ike stats formatting structure */
150 typedef struct {
151 	uint32_t	st_init_p1_current;
152 	uint32_t	st_resp_p1_current;
153 	uint32_t	st_init_p1_total;
154 	uint32_t	st_resp_p1_total;
155 	uint32_t	st_init_p1_attempts;
156 	uint32_t	st_resp_p1_attempts;
157 	uint32_t	st_init_p1_noresp;   /* failed; no response from peer */
158 	uint32_t	st_init_p1_respfail; /* failed, but peer responded */
159 	uint32_t	st_resp_p1_fail;
160 	uint32_t	st_reserved;
161 	char		st_pkcs11_libname[PATH_MAX];
162 } ike_stats_t;
163 
164 /* structure used to pass default values used by in.iked back to ikeadm */
165 typedef struct {
166 	uint32_t	rule_p1_lifetime_secs;
167 	uint32_t	rule_p1_minlife;
168 	uint32_t	rule_p1_nonce_len;
169 	uint32_t	rule_p2_lifetime_secs;
170 	uint32_t	rule_p2_softlife_secs;
171 	uint32_t	rule_p2_idletime_secs;
172 	uint32_t	sys_p2_lifetime_secs;
173 	uint32_t	sys_p2_softlife_secs;
174 	uint32_t	sys_p2_idletime_secs;
175 	uint32_t	rule_p2_lifetime_kb;
176 	uint32_t	rule_p2_softlife_kb;
177 	uint32_t	sys_p2_lifetime_bytes;
178 	uint32_t	sys_p2_softlife_bytes;
179 	uint32_t	rule_p2_minlife;
180 	uint32_t	rule_p2_def_minlife;
181 	uint32_t	rule_p2_nonce_len;
182 	uint32_t	rule_p2_pfs;
183 	uint32_t	rule_p2_minsoft;
184 	uint32_t	rule_max_certs;
185 	uint32_t	rule_ike_port;
186 	uint32_t	rule_natt_port;
187 } ike_defaults_t;
188 
189 /* data formatting structures for P1 SA dumps */
190 typedef struct {
191 	struct sockaddr_storage	loc_addr;
192 	struct sockaddr_storage	rem_addr;
193 #define	beg_iprange	loc_addr
194 #define	end_iprange	rem_addr
195 } ike_addr_pr_t;
196 
197 typedef struct {
198 	uint64_t	cky_i;
199 	uint64_t	cky_r;
200 } ike_cky_pr_t;
201 
202 typedef struct {
203 	ike_cky_pr_t	p1hdr_cookies;
204 	uint8_t		p1hdr_major;
205 	uint8_t		p1hdr_minor;
206 	uint8_t		p1hdr_xchg;
207 	uint8_t		p1hdr_isinit;
208 	uint32_t	p1hdr_state;
209 	boolean_t	p1hdr_support_dpd;
210 	dpd_status_t	p1hdr_dpd_state;
211 	time_t		p1hdr_dpd_time;
212 } ike_p1_hdr_t;
213 
214 /* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
215 #define	IKE_XCHG_NONE			0
216 #define	IKE_XCHG_BASE			1
217 #define	IKE_XCHG_IDENTITY_PROTECT	2
218 #define	IKE_XCHG_AUTH_ONLY		3
219 #define	IKE_XCHG_AGGRESSIVE		4
220 /* following not from RFC; used only for preshared key definitions */
221 #define	IKE_XCHG_IP_AND_AGGR		240
222 /* also not from RFC; used as wildcard */
223 #define	IKE_XCHG_ANY			256
224 
225 /* values for p1hdr_state */
226 #define	IKE_SA_STATE_INVALID	0
227 #define	IKE_SA_STATE_INIT	1
228 #define	IKE_SA_STATE_SENT_SA	2
229 #define	IKE_SA_STATE_SENT_KE	3
230 #define	IKE_SA_STATE_SENT_LAST	4
231 #define	IKE_SA_STATE_DONE	5
232 #define	IKE_SA_STATE_DELETED	6
233 
234 typedef struct {
235 	uint16_t	p1xf_dh_group;
236 	uint16_t	p1xf_encr_alg;
237 	uint16_t	p1xf_encr_low_bits;
238 	uint16_t	p1xf_encr_high_bits;
239 	uint16_t	p1xf_auth_alg;
240 	uint16_t	p1xf_auth_meth;
241 	uint16_t	p1xf_prf;
242 	uint16_t	p1xf_pfs;
243 	uint32_t	p1xf_max_secs;
244 	uint32_t	p1xf_max_kbytes;
245 	uint32_t	p1xf_max_keyuses;
246 } ike_p1_xform_t;
247 
248 /* values for p1xf_dh_group (aligned with RFC2409, Appendix A) */
249 #define	IKE_GRP_DESC_MODP_768	1
250 #define	IKE_GRP_DESC_MODP_1024	2
251 #define	IKE_GRP_DESC_EC2N_155	3
252 #define	IKE_GRP_DESC_EC2N_185	4
253 /* values for p1xf_dh_group (aligned with RFC3526) */
254 #define	IKE_GRP_DESC_MODP_1536	5
255 #define	IKE_GRP_DESC_MODP_2048	14
256 #define	IKE_GRP_DESC_MODP_3072	15
257 #define	IKE_GRP_DESC_MODP_4096	16
258 #define	IKE_GRP_DESC_MODP_6144	17
259 #define	IKE_GRP_DESC_MODP_8192	18
260 
261 /* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
262 #define	IKE_AUTH_METH_PRE_SHARED_KEY	1
263 #define	IKE_AUTH_METH_DSS_SIG		2
264 #define	IKE_AUTH_METH_RSA_SIG		3
265 #define	IKE_AUTH_METH_RSA_ENCR		4
266 #define	IKE_AUTH_METH_RSA_ENCR_REVISED	5
267 
268 /* values for p1xf_prf */
269 #define	IKE_PRF_NONE		0
270 #define	IKE_PRF_HMAC_MD5	1
271 #define	IKE_PRF_HMAC_SHA1	2
272 #define	IKE_PRF_HMAC_SHA256	5
273 #define	IKE_PRF_HMAC_SHA384	6
274 #define	IKE_PRF_HMAC_SHA512	7
275 
276 typedef struct {
277 	/*
278 	 * NOTE: the new and del counters count the actual number of SAs,
279 	 * not the number of "suites", as defined in the ike monitoring
280 	 * mib draft; we do this because we don't have a good way of
281 	 * tracking the deletion of entire suites (we're notified of
282 	 * deleted qm sas individually).
283 	 */
284 	uint32_t	p1stat_new_qm_sas;
285 	uint32_t	p1stat_del_qm_sas;
286 	uint64_t	p1stat_start;
287 	uint32_t	p1stat_kbytes;
288 	uint32_t	p1stat_keyuses;
289 } ike_p1_stats_t;
290 
291 typedef struct {
292 	uint32_t	p1err_decrypt;
293 	uint32_t	p1err_hash;
294 	uint32_t	p1err_otherrx;
295 	uint32_t	p1err_tx;
296 } ike_p1_errors_t;
297 
298 typedef struct {
299 	uint32_t	p1key_type;
300 	uint32_t	p1key_len;
301 	/*
302 	 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
303 	 * 64-bit aligned (pad bytes are added at the end, if necessary,
304 	 * and NOT INCLUDED in the len value, which reflects the actual
305 	 * key size).
306 	 */
307 } ike_p1_key_t;
308 
309 /* key info types for ike_p1_key_t struct */
310 #define	IKE_KEY_PRESHARED	1
311 #define	IKE_KEY_SKEYID		2
312 #define	IKE_KEY_SKEYID_D	3
313 #define	IKE_KEY_SKEYID_A	4
314 #define	IKE_KEY_SKEYID_E	5
315 #define	IKE_KEY_ENCR		6
316 #define	IKE_KEY_IV		7
317 
318 typedef struct {
319 	ike_p1_hdr_t	p1sa_hdr;
320 	ike_p1_xform_t	p1sa_xform;
321 	ike_addr_pr_t	p1sa_ipaddrs;
322 	uint16_t	p1sa_stat_off;
323 	uint16_t	p1sa_stat_len;
324 	uint16_t	p1sa_error_off;
325 	uint16_t	p1sa_error_len;
326 	uint16_t	p1sa_localid_off;
327 	uint16_t	p1sa_localid_len;
328 	uint16_t	p1sa_remoteid_off;
329 	uint16_t	p1sa_remoteid_len;
330 	uint16_t	p1sa_key_off;
331 	uint16_t	p1sa_key_len;
332 	uint32_t	p1sa_reserved;
333 	/*
334 	 * variable-length structures will be included here, as
335 	 * indicated by offset/length fields.
336 	 * stats and errors will be formatted as ike_p1_stats_t and
337 	 * ike_p1_errors_t, respectively.
338 	 * key info will be formatted as a series of p1_key_t structs.
339 	 * local/remote ids will be formatted as sadb_ident_t structs.
340 	 */
341 } ike_p1_sa_t;
342 
343 
344 #define	MAX_LABEL_LEN	256
345 
346 
347 /* data formatting structure for policy (rule) dumps */
348 
349 typedef struct {
350 	char		rule_label[MAX_LABEL_LEN];
351 	uint32_t	rule_kmcookie;
352 	uint16_t	rule_ike_mode;
353 	uint16_t	rule_local_idtype;	/* SADB_IDENTTYPE_* value */
354 	uint32_t	rule_p1_nonce_len;
355 	uint32_t	rule_p2_nonce_len;
356 	uint32_t	rule_p2_pfs;
357 	uint32_t	rule_p2_lifetime_secs;
358 	uint32_t	rule_p2_softlife_secs;
359 	uint32_t	rule_p2_idletime_secs;
360 	uint32_t	rule_p2_lifetime_kb;
361 	uint32_t	rule_p2_softlife_kb;
362 	uint16_t	rule_xform_cnt;
363 	uint16_t	rule_xform_off;
364 	uint16_t	rule_locip_cnt;
365 	uint16_t	rule_locip_off;
366 	uint16_t	rule_remip_cnt;
367 	uint16_t	rule_remip_off;
368 	uint16_t	rule_locid_inclcnt;
369 	uint16_t	rule_locid_exclcnt;
370 	uint16_t	rule_locid_off;
371 	uint16_t	rule_remid_inclcnt;
372 	uint16_t	rule_remid_exclcnt;
373 	uint16_t	rule_remid_off;
374 	/*
375 	 * Followed by several lists of variable-length structures, described
376 	 * by counts and offsets:
377 	 *	transforms			ike_p1_xform_t structs
378 	 *	ranges of local ip addrs	ike_addr_pr_t structs
379 	 *	ranges of remote ip addrs	ike_addr_pr_t structs
380 	 *	local identification strings	null-terminated ascii strings
381 	 *	remote identification strings	null-terminated ascii strings
382 	 */
383 } ike_rule_t;
384 
385 
386 /*
387  * data formatting structure for preshared keys
388  * ps_ike_mode field uses the IKE_XCHG_* defs
389  */
390 typedef struct {
391 	ike_addr_pr_t	ps_ipaddrs;
392 	uint16_t	ps_ike_mode;
393 	uint16_t	ps_localid_off;
394 	uint16_t	ps_localid_len;
395 	uint16_t	ps_remoteid_off;
396 	uint16_t	ps_remoteid_len;
397 	uint16_t	ps_key_off;
398 	uint16_t	ps_key_len;
399 	uint16_t	ps_key_bits;
400 	/*
401 	 * followed by variable-length structures, as indicated by
402 	 * offset/length fields.
403 	 * key info will be formatted as an array of bytes.
404 	 * local/remote ids will be formatted as sadb_ident_t structs.
405 	 */
406 } ike_ps_t;
407 
408 
409 /* identification types */
410 #define	IKE_ID_IDENT_PAIR	1
411 #define	IKE_ID_ADDR_PAIR	2
412 #define	IKE_ID_CKY_PAIR		3
413 #define	IKE_ID_LABEL		4
414 
415 
416 /* locations for read/write requests */
417 #define	IKE_RW_LOC_DEFAULT	1
418 #define	IKE_RW_LOC_USER_SPEC	2
419 
420 
421 /* door interface error codes */
422 #define	IKE_ERR_NO_OBJ		1	/* nothing found to match the request */
423 #define	IKE_ERR_NO_DESC		2	/* fd was required with this request */
424 #define	IKE_ERR_ID_INVALID	3	/* invalid id info was provided */
425 #define	IKE_ERR_LOC_INVALID	4	/* invalid location info was provided */
426 #define	IKE_ERR_CMD_INVALID	5	/* invalid command was provided */
427 #define	IKE_ERR_DATA_INVALID	6	/* invalid data was provided */
428 #define	IKE_ERR_CMD_NOTSUP	7	/* unsupported command */
429 #define	IKE_ERR_REQ_INVALID	8	/* badly formatted request */
430 #define	IKE_ERR_NO_PRIV		9	/* privilege level not high enough */
431 #define	IKE_ERR_SYS_ERR		10	/* syserr occurred while processing */
432 #define	IKE_ERR_DUP_IGNORED	11	/* attempt to add a duplicate entry */
433 
434 
435 /*
436  * IKE_SVC_GET_DBG
437  * Used to request the current debug level.
438  *
439  * Upon request, dbg_level is 0 (don't care).
440  *
441  * Upon return, dbg_level contains the current value.
442  *
443  *
444  * IKE_SVC_SET_DBG
445  * Used to request modification of the debug level.
446  *
447  * Upon request, dbg_level contains desired level.  If debug output is
448  * to be directed to a different file, the fd should be passed in the
449  * door_desc_t field of the door_arg_t param.  NOTE: if the daemon is
450  * currently running in the background with no debug set, an output
451  * file MUST be given.
452  *
453  * Upon return, dbg_level contains the old debug level, and acknowledges
454  * successful completion of the request.  If an error is encountered,
455  * ike_err_t is returned instead, with appropriate error value and cmd
456  * IKE_SVC_ERROR.
457  */
458 typedef struct {
459 	ike_svccmd_t	cmd;
460 	uint32_t	dbg_level;
461 } ike_dbg_t;
462 
463 /*
464  * IKE_SVC_GET_PRIV
465  * Used to request the current privilege level.
466  *
467  * Upon request, priv_level is 0 (don't care).
468  *
469  * Upon return, priv_level contains the current value.
470  *
471  *
472  * IKE_SVC_SET_PRIV
473  * Used to request modification of the privilege level.
474  *
475  * Upon request, priv_level contains the desired level.  The level may
476  * only be lowered via the door interface; it cannot be raised.  Thus,
477  * if in.iked is started at the lowest level, it cannot be changed.
478  *
479  * Upon return, priv_level contains the old privilege level, and
480  * acknowledges successful completion of the request.  If an error is
481  * encountered, ike_err_t is returned instead, with appropriate error
482  * value and cmd IKE_SVC_ERROR.
483  */
484 typedef struct {
485 	ike_svccmd_t	cmd;
486 	uint32_t	priv_level;
487 } ike_priv_t;
488 
489 
490 /*
491  * IKE_SVC_GET_STATS
492  * Used to request current statistics on Phase 1 SA creation and
493  * failures.  The statistics represent all activity in in.iked.
494  *
495  * Upon request, cmd is set, and stat_len does not matter.
496  *
497  * Upon successful return, stat_len contains the total size of the
498  * returned buffer, which contains first the ike_statreq_t struct,
499  * followed by the stat data in the ike_stats_t structure. In case
500  * of an error in processing the request, ike_err_t is returned with
501  * IKE_SVC_ERROR command and appropriate error code.
502  */
503 typedef struct {
504 	ike_svccmd_t	cmd;
505 	uint32_t	stat_len;
506 } ike_statreq_t;
507 
508 /*
509  * IKE_SVC_GET_DEFS
510  * Used to request default values from in.iked.
511  *
512  * Upon request, cmd is set, and stat_len does not matter.
513  *
514  * Upon successful return, stat_len contains the total size of the
515  * returned buffer, this contains a pair of ike_defaults_t's.
516  */
517 typedef struct {
518 	ike_svccmd_t	cmd;
519 	uint32_t	stat_len;
520 	uint32_t	version;
521 } ike_defreq_t;
522 
523 /*
524  * IKE_SVC_DUMP_{P1S|RULES|PS}
525  * Used to request a table dump, and to return info for a single table
526  * item.  The expectation is that all of the table data will be passed
527  * through the door, one entry at a time; an individual request must be
528  * sent for each entry, however (the door server can't send unrequested
529  * data).
530  *
531  * Upon request: cmd is set, and dump_next contains the item number
532  * requested (0 for first request).  dump_len is 0; no data follows.
533  *
534  * Upon return: cmd is set, and dump_next contains the item number of
535  * the *next* item in the table (to be used in the subsequent request).
536  * dump_next = 0 indicates that this is the last item in the table.
537  * dump_len is the total length (data + struct) returned.  Data is
538  * formatted as indicated by the cmd type:
539  *   IKE_SVC_DUMP_P1S:		ike_p1_sa_t
540  *   IKE_SVC_DUMP_RULES:	ike_rule_t
541  *   IKE_SVC_DUMP_PS:		ike_ps_t
542  */
543 typedef struct {
544 	ike_svccmd_t	cmd;
545 	uint32_t	dump_len;
546 	union {
547 		struct {
548 			uint32_t	dump_unext;
549 			uint32_t	dump_ureserved;
550 		} dump_actual;
551 		uint64_t dump_alignment;
552 	} dump_u;
553 #define	dump_next dump_u.dump_actual.dump_unext
554 #define	dump_reserved dump_u.dump_actual.dump_ureserved
555 	/* dump_len - sizeof (ike_dump_t) bytes of data included here */
556 } ike_dump_t;
557 
558 
559 /*
560  * IKE_SVC_GET_{P1|RULE|PS}
561  * Used to request and return individual table items.
562  *
563  * Upon request: get_len is the total msg length (struct + id data);
564  * get_idtype indicates the type of identification being used.
565  *   IKE_SVC_GET_P1:		ike_addr_pr_t or ike_cky_pr_t
566  *   IKE_SVC_GET_RULE:		char string (label)
567  *   IKE_SVC_GET_PS:		ike_addr_pr_t or pair of sadb_ident_t
568  *
569  * Upon return: get_len is the total size (struct + data), get_idtype
570  * is unused, and the data that follows is formatted according to cmd:
571  *   IKE_SVC_GET_P1:		ike_p1_sa_t
572  *   IKE_SVC_GET_RULE:		ike_rule_t
573  *   IKE_SVC_GET_PS:		ike_ps_t
574  */
575 typedef struct {
576 	ike_svccmd_t	cmd;
577 	uint32_t	get_len;
578 	union {
579 		struct {
580 			uint32_t	getu_idtype;
581 			uint32_t	getu_reserved;
582 		} get_actual;
583 		uint64_t get_alignment;
584 	} get_u;
585 #define	get_idtype get_u.get_actual.getu_idtype
586 #define	get_reserved get_u.get_actual.getu_reserved
587 	/* get_len - sizeof (ike_get_t) bytes of data included here */
588 } ike_get_t;
589 
590 
591 /*
592  * IKE_SVC_NEW_{RULE|PS}
593  * Used to request and acknowledge insertion of a table item.
594  *
595  * Upon request: new_len is the total (data + struct) size passed, or 0.
596  * new_len = 0 => a door_desc_t is also included with a file descriptor
597  * for a file containing the data to be added.  The file should include
598  * a single item: a rule, or a pre-shared key.  For new_len != 0, the
599  * data is formatted according to the cmd type:
600  *   IKE_SVC_NEW_RULE:		ike_rule_t
601  *   IKE_SVC_NEW_PS:		ike_ps_t
602  *
603  * Upon return: new_len is 0; simply acknowledges successful insertion
604  * of the requested item.  If insertion is not successful, ike_err_t is
605  * returned instead with appropriate error value.
606  */
607 typedef struct {
608 	ike_svccmd_t	cmd;
609 	uint32_t	new_len;
610 	/* new_len - sizeof (ike_new_t) bytes included here */
611 	uint64_t	new_align;	/* Padding for 64-bit alignment. */
612 } ike_new_t;
613 
614 
615 /*
616  * IKE_SVC_DEL_{P1|RULE|PS}
617  * Used to request and acknowledge the deletion of an individual table
618  * item.
619  *
620  * Upon request: del_len is the total msg length (struct + id data);
621  * del_idtype indicates the type of identification being used.
622  *   IKE_SVC_DEL_P1:		ike_addr_pr_t or ike_cky_pr_t
623  *   IKE_SVC_DEL_RULE:		char string (label)
624  *   IKE_SVC_DEL_PS:		ike_addr_pr_t or pair of sadb_ident_t
625  *
626  * Upon return: acknowledges deletion of the requested item; del_len and
627  * del_idtype are unspecified.  If deletion is not successful, ike_err_t
628  * is returned instead with appropriate error value.
629  */
630 typedef struct {
631 	ike_svccmd_t	cmd;
632 	uint32_t	del_len;
633 	uint32_t	del_idtype;
634 	uint32_t	del_reserved;
635 	/* del_len - sizeof (ike_del_t) bytes of data included here. */
636 } ike_del_t;
637 
638 
639 /*
640  * IKE_SVC_READ_{RULES|PS}
641  * Used to ask daemon to re-read particular configuration info.
642  *
643  * Upon request: rw_loc indicates where the info should be read from:
644  * either from a user-supplied file descriptor(s), or from the default
645  * location(s).  If rw_loc indicates user-supplied location, the file
646  * descriptor(s) should be passed in the door_desc_t struct.  For the
647  * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
648  * first, one for the config file which contains the data to be read,
649  * and second, one for the cookie file which will be written to as
650  * in.iked process the config file.
651  *
652  * Upon return: rw_loc is unspecified; the message simply acknowledges
653  * successful completion of the request.  If an error occurred,
654  * ike_err_t is returned instead with appropriate error value.
655  *
656  *
657  * IKE_SVC_WRITE_{RULES|PS}
658  * Used to ask daemon to write its current config info to files.
659  *
660  * Request and return are handled the same as for the IKE_SVC_READ_*
661  * cmds; however, the rw_loc MUST be a user-supplied location.  Also,
662  * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
663  * only a single fd, for the file to which the config info should be
664  * written, should be passed in.
665  */
666 typedef struct {
667 	ike_svccmd_t	cmd;
668 	uint32_t	rw_loc;
669 } ike_rw_t;
670 
671 
672 /*
673  * IKE_SVC_FLUSH_P1S
674  * Used to request and acknowledge tear-down of all P1 SAs.
675  */
676 typedef struct {
677 	ike_svccmd_t	cmd;
678 } ike_flush_t;
679 
680 
681 /*
682  * IKE_SVC_ERROR
683  * Used on return if server encountered an error while processing
684  * the request.  An appropriate error code is included (as defined
685  * in this header file); in the case of IKE_ERR_SYS_ERR, a value
686  * from the UNIX errno space is included in the ike_err_unix field.
687  */
688 typedef struct {
689 	ike_svccmd_t	cmd;
690 	uint32_t	ike_err;
691 	uint32_t	ike_err_unix;
692 	uint32_t	ike_err_reserved;
693 } ike_err_t;
694 
695 
696 /*
697  * Generic type for use when the request/reply type is unknown
698  */
699 typedef struct {
700 	ike_svccmd_t	cmd;
701 } ike_cmd_t;
702 
703 
704 /*
705  * Union containing all possible request/retrun structures.
706  */
707 typedef union {
708 	ike_cmd_t	svc_cmd;
709 	ike_dbg_t	svc_dbg;
710 	ike_priv_t	svc_priv;
711 	ike_statreq_t	svc_stats;
712 	ike_dump_t	svc_dump;
713 	ike_get_t	svc_get;
714 	ike_new_t	svc_new;
715 	ike_del_t	svc_del;
716 	ike_rw_t	svc_rw;
717 	ike_flush_t	svc_flush;
718 	ike_err_t	svc_err;
719 	ike_defreq_t	svc_defaults;
720 } ike_service_t;
721 
722 #ifdef	__cplusplus
723 }
724 #endif
725 
726 #endif	/* _IKEDOOR_H */
727