xref: /titanic_52/usr/src/lib/libipsecutil/common/ikedoor.h (revision 2e0fe3efe5f9d579d4e44b3532d8e342c68b40ca)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 #ifndef	_IKEDOOR_H
26 #define	_IKEDOOR_H
27 
28 #ifdef	__cplusplus
29 extern "C" {
30 #endif
31 
32 #include <limits.h>
33 #include <sys/sysmacros.h>
34 #include <net/pfkeyv2.h>
35 #include <door.h>
36 
37 /*
38  * This version number is intended to stop the calling process from
39  * getting confused if a structure is changed and a mismatch occurs.
40  * This should be incremented each time a structure is changed.
41  */
42 
43 /*
44  * The IKE process may be a 64-bit process, but ikeadm or any other IKE
45  * door consumer does not have to be.  We need to be strict ala. PF_KEY or
46  * any on-the-wire-protocol with respect to structure fields offsets and
47  * alignment.  Please make sure all structures are the same size on both
48  * 64-bit and 32-bit execution environments (or even other ones), and that
49  * apart from trivial 4-byte enums or base headers, that all structures are
50  * multiples of 8-bytes (64-bits).
51  */
52 #define	DOORVER 4
53 #define	DOORNM	"/var/run/ike_door"
54 
55 
56 typedef enum {
57 	IKE_SVC_GET_DBG,
58 	IKE_SVC_SET_DBG,
59 
60 	IKE_SVC_GET_PRIV,
61 	IKE_SVC_SET_PRIV,
62 
63 	IKE_SVC_GET_STATS,
64 
65 	IKE_SVC_GET_P1,
66 	IKE_SVC_DEL_P1,
67 	IKE_SVC_DUMP_P1S,
68 	IKE_SVC_FLUSH_P1S,
69 
70 	IKE_SVC_GET_RULE,
71 	IKE_SVC_NEW_RULE,
72 	IKE_SVC_DEL_RULE,
73 	IKE_SVC_DUMP_RULES,
74 	IKE_SVC_READ_RULES,
75 	IKE_SVC_WRITE_RULES,
76 
77 	IKE_SVC_GET_PS,
78 	IKE_SVC_NEW_PS,
79 	IKE_SVC_DEL_PS,
80 	IKE_SVC_DUMP_PS,
81 	IKE_SVC_READ_PS,
82 	IKE_SVC_WRITE_PS,
83 
84 	IKE_SVC_DBG_RBDUMP,
85 
86 	IKE_SVC_GET_DEFS,
87 
88 	IKE_SVC_SET_PIN,
89 	IKE_SVC_DEL_PIN,
90 
91 	IKE_SVC_DUMP_CERTCACHE,
92 	IKE_SVC_FLUSH_CERTCACHE,
93 
94 	IKE_SVC_DUMP_GROUPS,
95 	IKE_SVC_DUMP_ENCRALGS,
96 	IKE_SVC_DUMP_AUTHALGS,
97 
98 	IKE_SVC_ERROR
99 } ike_svccmd_t;
100 
101 /* DPD status */
102 
103 typedef enum dpd_status {
104 	DPD_NOT_INITIATED = 0,
105 	DPD_IN_PROGRESS,
106 	DPD_SUCCESSFUL,
107 	DPD_FAILURE
108 } dpd_status_t;
109 
110 #define	IKE_SVC_MAX	IKE_SVC_ERROR
111 
112 
113 /*
114  * Support structures/defines
115  */
116 
117 #define	IKEDOORROUNDUP(i)   P2ROUNDUP((i), sizeof (uint64_t))
118 
119 /*
120  * Debug categories.  The debug level is a bitmask made up of
121  * flags indicating the desired categories; only 31 bits are
122  * available, as the highest-order bit designates an invalid
123  * setting.
124  */
125 #define	D_INVALID	0x80000000
126 
127 #define	D_CERT		0x00000001	/* certificate management */
128 #define	D_KEY		0x00000002	/* key management */
129 #define	D_OP		0x00000004	/* operational: config, init, mem */
130 #define	D_P1		0x00000008	/* phase 1 negotiation */
131 #define	D_P2		0x00000010	/* phase 2 negotiation */
132 #define	D_PFKEY		0x00000020	/* pf key interface */
133 #define	D_POL		0x00000040	/* policy management */
134 #define	D_PROP		0x00000080	/* proposal construction */
135 #define	D_DOOR		0x00000100	/* door server */
136 #define	D_CONFIG	0x00000200	/* config file processing */
137 #define	D_LABEL		0x00000400	/* MAC labels */
138 
139 #define	D_HIGHBIT	0x00000400
140 #define	D_ALL		0x000007ff
141 
142 /*
143  * Access privilege levels: define level of access to keying information.
144  * The privileges granted at each level is a superset of the privileges
145  * granted at all lower levels.
146  *
147  * The door operations which require special privileges are:
148  *
149  *	- receiving keying material for SAs and preshared key entries
150  *	  IKE_PRIV_KEYMAT must be set for this.
151  *
152  *	- get/dump/new/delete/read/write preshared keys
153  *	  IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
154  *	  If IKE_PRIV_MODKEYS is set, the information returned for a
155  *	  get/dump request will not include the actual key; in order
156  *	  to get the key itself, IKE_PRIV_KEYMAT must be set.
157  *
158  *	- modifying the privilege level: the daemon's privilege level
159  *	  is set when the daemon is started; the level may only be
160  *	  lowered via the door interface.
161  *
162  * All other operations are allowed at any privilege level.
163  */
164 #define	IKE_PRIV_MINIMUM	0
165 #define	IKE_PRIV_MODKEYS	1
166 #define	IKE_PRIV_KEYMAT		2
167 #define	IKE_PRIV_MAXIMUM	2
168 
169 /* global ike stats formatting structure */
170 typedef struct {
171 	uint32_t	st_init_p1_current;
172 	uint32_t	st_resp_p1_current;
173 	uint32_t	st_init_p1_total;
174 	uint32_t	st_resp_p1_total;
175 	uint32_t	st_init_p1_attempts;
176 	uint32_t	st_resp_p1_attempts;
177 	uint32_t	st_init_p1_noresp;   /* failed; no response from peer */
178 	uint32_t	st_init_p1_respfail; /* failed, but peer responded */
179 	uint32_t	st_resp_p1_fail;
180 	uint32_t	st_reserved;
181 	char		st_pkcs11_libname[PATH_MAX];
182 } ike_stats_t;
183 
184 /* structure used to pass default values used by in.iked back to ikeadm */
185 typedef struct {
186 	uint32_t	rule_p1_lifetime_secs;
187 	uint32_t	rule_p1_minlife;
188 	uint32_t	rule_p1_nonce_len;
189 	uint32_t	rule_p2_lifetime_secs;
190 	uint32_t	rule_p2_softlife_secs;
191 	uint32_t	rule_p2_idletime_secs;
192 	uint32_t	sys_p2_lifetime_secs;
193 	uint32_t	sys_p2_softlife_secs;
194 	uint32_t	sys_p2_idletime_secs;
195 	uint32_t	rule_p2_lifetime_kb;
196 	uint32_t	rule_p2_softlife_kb;
197 	uint32_t	sys_p2_lifetime_bytes;
198 	uint32_t	sys_p2_softlife_bytes;
199 	uint32_t	rule_p2_minlife_hard_secs;
200 	uint32_t	rule_p2_minlife_soft_secs;
201 	uint32_t	rule_p2_minlife_idle_secs;
202 	uint32_t	rule_p2_minlife_hard_kb;
203 	uint32_t	rule_p2_minlife_soft_kb;
204 	uint32_t	rule_p2_maxlife_secs;
205 	uint32_t	rule_p2_maxlife_kb;
206 	uint32_t	rule_p2_nonce_len;
207 	uint32_t	rule_p2_pfs;
208 	uint32_t	rule_p2_mindiff_secs;
209 	uint32_t	rule_p2_mindiff_kb;
210 	uint32_t	conversion_factor;	/* for secs to kbytes */
211 	uint32_t	rule_max_certs;
212 	uint32_t	rule_ike_port;
213 	uint32_t	rule_natt_port;
214 	uint32_t	defaults_reserved;	/* For 64-bit alignment. */
215 } ike_defaults_t;
216 
217 /* data formatting structures for P1 SA dumps */
218 typedef struct {
219 	struct sockaddr_storage	loc_addr;
220 	struct sockaddr_storage	rem_addr;
221 #define	beg_iprange	loc_addr
222 #define	end_iprange	rem_addr
223 } ike_addr_pr_t;
224 
225 typedef struct {
226 	uint64_t	cky_i;
227 	uint64_t	cky_r;
228 } ike_cky_pr_t;
229 
230 typedef struct {
231 	ike_cky_pr_t	p1hdr_cookies;
232 	uint8_t		p1hdr_major;
233 	uint8_t		p1hdr_minor;
234 	uint8_t		p1hdr_xchg;
235 	uint8_t		p1hdr_isinit;
236 	uint32_t	p1hdr_state;
237 	boolean_t	p1hdr_support_dpd;
238 	dpd_status_t	p1hdr_dpd_state;
239 	uint64_t	p1hdr_dpd_time;
240 } ike_p1_hdr_t;
241 
242 /* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
243 #define	IKE_XCHG_NONE			0
244 #define	IKE_XCHG_BASE			1
245 #define	IKE_XCHG_IDENTITY_PROTECT	2
246 #define	IKE_XCHG_AUTH_ONLY		3
247 #define	IKE_XCHG_AGGRESSIVE		4
248 /* following not from RFC; used only for preshared key definitions */
249 #define	IKE_XCHG_IP_AND_AGGR		240
250 /* also not from RFC; used as wildcard */
251 #define	IKE_XCHG_ANY			256
252 
253 /* values for p1hdr_state */
254 #define	IKE_SA_STATE_INVALID	0
255 #define	IKE_SA_STATE_INIT	1
256 #define	IKE_SA_STATE_SENT_SA	2
257 #define	IKE_SA_STATE_SENT_KE	3
258 #define	IKE_SA_STATE_SENT_LAST	4
259 #define	IKE_SA_STATE_DONE	5
260 #define	IKE_SA_STATE_DELETED	6
261 
262 typedef struct {
263 	uint16_t	p1xf_dh_group;
264 	uint16_t	p1xf_encr_alg;
265 	uint16_t	p1xf_encr_low_bits;
266 	uint16_t	p1xf_encr_high_bits;
267 	uint16_t	p1xf_auth_alg;
268 	uint16_t	p1xf_auth_meth;
269 	uint16_t	p1xf_prf;
270 	uint16_t	p1xf_pfs;
271 	uint32_t	p1xf_max_secs;
272 	uint32_t	p1xf_max_kbytes;
273 	uint32_t	p1xf_max_keyuses;
274 	uint32_t	p1xf_reserved;	/* Alignment to 64-bit. */
275 } ike_p1_xform_t;
276 
277 /* values for p1xf_dh_group (aligned with RFC2409, Appendix A) */
278 #define	IKE_GRP_DESC_MODP_768	1
279 #define	IKE_GRP_DESC_MODP_1024	2
280 #define	IKE_GRP_DESC_EC2N_155	3
281 #define	IKE_GRP_DESC_EC2N_185	4
282 /* values for p1xf_dh_group (aligned with RFC3526) */
283 #define	IKE_GRP_DESC_MODP_1536		5
284 #define	IKE_GRP_DESC_MODP_2048		14
285 #define	IKE_GRP_DESC_MODP_3072		15
286 #define	IKE_GRP_DESC_MODP_4096		16
287 #define	IKE_GRP_DESC_MODP_6144		17
288 #define	IKE_GRP_DESC_MODP_8192		18
289 #define	IKE_GRP_DESC_ECP_256		19
290 #define	IKE_GRP_DESC_ECP_384		20
291 #define	IKE_GRP_DESC_ECP_521		21
292 /* values for p1xf_dh_group (aligned with RFC5114) */
293 #define	IKE_GRP_DESC_MODP_1024_160 	22
294 #define	IKE_GRP_DESC_MODP_2048_224 	23
295 #define	IKE_GRP_DESC_MODP_2048_256 	24
296 #define	IKE_GRP_DESC_ECP_192		25
297 #define	IKE_GRP_DESC_ECP_224		26
298 
299 /* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
300 #define	IKE_AUTH_METH_PRE_SHARED_KEY	1
301 #define	IKE_AUTH_METH_DSS_SIG		2
302 #define	IKE_AUTH_METH_RSA_SIG		3
303 #define	IKE_AUTH_METH_RSA_ENCR		4
304 #define	IKE_AUTH_METH_RSA_ENCR_REVISED	5
305 
306 /* values for p1xf_prf */
307 #define	IKE_PRF_NONE		0
308 #define	IKE_PRF_HMAC_MD5	1
309 #define	IKE_PRF_HMAC_SHA1	2
310 #define	IKE_PRF_HMAC_SHA256	5
311 #define	IKE_PRF_HMAC_SHA384	6
312 #define	IKE_PRF_HMAC_SHA512	7
313 
314 typedef struct {
315 	/*
316 	 * NOTE: the new and del counters count the actual number of SAs,
317 	 * not the number of "suites", as defined in the ike monitoring
318 	 * mib draft; we do this because we don't have a good way of
319 	 * tracking the deletion of entire suites (we're notified of
320 	 * deleted qm sas individually).
321 	 */
322 	uint32_t	p1stat_new_qm_sas;
323 	uint32_t	p1stat_del_qm_sas;
324 	uint64_t	p1stat_start;
325 	uint32_t	p1stat_kbytes;
326 	uint32_t	p1stat_keyuses;
327 } ike_p1_stats_t;
328 
329 typedef struct {
330 	uint32_t	p1err_decrypt;
331 	uint32_t	p1err_hash;
332 	uint32_t	p1err_otherrx;
333 	uint32_t	p1err_tx;
334 } ike_p1_errors_t;
335 
336 typedef struct {
337 	uint32_t	p1key_type;
338 	uint32_t	p1key_len;
339 	/*
340 	 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
341 	 * 64-bit aligned (pad bytes are added at the end, if necessary,
342 	 * and NOT INCLUDED in the len value, which reflects the actual
343 	 * key size).
344 	 */
345 } ike_p1_key_t;
346 
347 /* key info types for ike_p1_key_t struct */
348 #define	IKE_KEY_PRESHARED	1
349 #define	IKE_KEY_SKEYID		2
350 #define	IKE_KEY_SKEYID_D	3
351 #define	IKE_KEY_SKEYID_A	4
352 #define	IKE_KEY_SKEYID_E	5
353 #define	IKE_KEY_ENCR		6
354 #define	IKE_KEY_IV		7
355 
356 typedef struct {
357 	ike_p1_hdr_t	p1sa_hdr;
358 	ike_p1_xform_t	p1sa_xform;
359 	ike_addr_pr_t	p1sa_ipaddrs;
360 	uint16_t	p1sa_stat_off;
361 	uint16_t	p1sa_stat_len;
362 	uint16_t	p1sa_error_off;
363 	uint16_t	p1sa_error_len;
364 	uint16_t	p1sa_localid_off;
365 	uint16_t	p1sa_localid_len;
366 	uint16_t	p1sa_remoteid_off;
367 	uint16_t	p1sa_remoteid_len;
368 	uint16_t	p1sa_key_off;
369 	uint16_t	p1sa_key_len;
370 	uint32_t	p1sa_reserved;
371 	/*
372 	 * variable-length structures will be included here, as
373 	 * indicated by offset/length fields.
374 	 * stats and errors will be formatted as ike_p1_stats_t and
375 	 * ike_p1_errors_t, respectively.
376 	 * key info will be formatted as a series of p1_key_t structs.
377 	 * local/remote ids will be formatted as sadb_ident_t structs.
378 	 */
379 } ike_p1_sa_t;
380 
381 
382 #define	MAX_LABEL_LEN	256
383 
384 
385 /* data formatting structure for policy (rule) dumps */
386 
387 typedef struct {
388 	char		rule_label[MAX_LABEL_LEN];
389 	uint32_t	rule_kmcookie;
390 	uint16_t	rule_ike_mode;
391 	uint16_t	rule_local_idtype;	/* SADB_IDENTTYPE_* value */
392 	uint32_t	rule_p1_nonce_len;
393 	uint32_t	rule_p2_nonce_len;
394 	uint32_t	rule_p2_pfs;
395 	uint32_t	rule_p2_lifetime_secs;
396 	uint32_t	rule_p2_softlife_secs;
397 	uint32_t	rule_p2_idletime_secs;
398 	uint32_t	rule_p2_lifetime_kb;
399 	uint32_t	rule_p2_softlife_kb;
400 	uint16_t	rule_xform_cnt;
401 	uint16_t	rule_xform_off;
402 	uint16_t	rule_locip_cnt;
403 	uint16_t	rule_locip_off;
404 	uint16_t	rule_remip_cnt;
405 	uint16_t	rule_remip_off;
406 	uint16_t	rule_locid_inclcnt;
407 	uint16_t	rule_locid_exclcnt;
408 	uint16_t	rule_locid_off;
409 	uint16_t	rule_remid_inclcnt;
410 	uint16_t	rule_remid_exclcnt;
411 	uint16_t	rule_remid_off;
412 	/*
413 	 * Followed by several lists of variable-length structures, described
414 	 * by counts and offsets:
415 	 *	transforms			ike_p1_xform_t structs
416 	 *	ranges of local ip addrs	ike_addr_pr_t structs
417 	 *	ranges of remote ip addrs	ike_addr_pr_t structs
418 	 *	local identification strings	null-terminated ascii strings
419 	 *	remote identification strings	null-terminated ascii strings
420 	 */
421 } ike_rule_t;
422 
423 /* data formatting structure for DH group dumps */
424 typedef struct {
425 	uint16_t	group_number;
426 	uint16_t	group_bits;
427 	char		group_label[MAX_LABEL_LEN];
428 } ike_group_t;
429 
430 /* data formatting structure for encryption algorithm dumps */
431 typedef struct {
432 	uint_t		encr_value;
433 	char		encr_name[MAX_LABEL_LEN];
434 	int		encr_keylen_min;
435 	int		encr_keylen_max;
436 } ike_encralg_t;
437 
438 /* data formatting structure for authentication algorithm dumps */
439 typedef struct {
440 	uint_t		auth_value;
441 	char		auth_name[MAX_LABEL_LEN];
442 } ike_authalg_t;
443 
444 /*
445  * data formatting structure for preshared keys
446  * ps_ike_mode field uses the IKE_XCHG_* defs
447  */
448 typedef struct {
449 	ike_addr_pr_t	ps_ipaddrs;
450 	uint16_t	ps_ike_mode;
451 	uint16_t	ps_localid_off;
452 	uint16_t	ps_localid_len;
453 	uint16_t	ps_remoteid_off;
454 	uint16_t	ps_remoteid_len;
455 	uint16_t	ps_key_off;
456 	uint16_t	ps_key_len;
457 	uint16_t	ps_key_bits;
458 	int		ps_localid_plen;
459 	int		ps_remoteid_plen;
460 	/*
461 	 * followed by variable-length structures, as indicated by
462 	 * offset/length fields.
463 	 * key info will be formatted as an array of bytes.
464 	 * local/remote ids will be formatted as sadb_ident_t structs.
465 	 */
466 } ike_ps_t;
467 
468 #define	DN_MAX			1024
469 #define	CERT_OFF_WIRE		-1
470 #define	CERT_NO_PRIVKEY		0
471 #define	CERT_PRIVKEY_LOCKED	1
472 #define	CERT_PRIVKEY_AVAIL	2
473 
474 /*
475  * data formatting structure for cached certs
476  */
477 typedef struct {
478 	uint32_t	cache_id;
479 	uint32_t	certclass;
480 	int		linkage;
481 	uint32_t	certcache_padding;	/* For 64-bit alignment. */
482 	char		subject[DN_MAX];
483 	char		issuer[DN_MAX];
484 } ike_certcache_t;
485 
486 /* identification types */
487 #define	IKE_ID_IDENT_PAIR	1
488 #define	IKE_ID_ADDR_PAIR	2
489 #define	IKE_ID_CKY_PAIR		3
490 #define	IKE_ID_LABEL		4
491 
492 
493 /* locations for read/write requests */
494 #define	IKE_RW_LOC_DEFAULT	1
495 #define	IKE_RW_LOC_USER_SPEC	2
496 
497 
498 /* door interface error codes */
499 #define	IKE_ERR_NO_OBJ		1	/* nothing found to match the request */
500 #define	IKE_ERR_NO_DESC		2	/* fd was required with this request */
501 #define	IKE_ERR_ID_INVALID	3	/* invalid id info was provided */
502 #define	IKE_ERR_LOC_INVALID	4	/* invalid location info was provided */
503 #define	IKE_ERR_CMD_INVALID	5	/* invalid command was provided */
504 #define	IKE_ERR_DATA_INVALID	6	/* invalid data was provided */
505 #define	IKE_ERR_CMD_NOTSUP	7	/* unsupported command */
506 #define	IKE_ERR_REQ_INVALID	8	/* badly formatted request */
507 #define	IKE_ERR_NO_PRIV		9	/* privilege level not high enough */
508 #define	IKE_ERR_SYS_ERR		10	/* syserr occurred while processing */
509 #define	IKE_ERR_DUP_IGNORED	11	/* attempt to add a duplicate entry */
510 #define	IKE_ERR_NO_TOKEN	12	/* cannot login into pkcs#11 token */
511 #define	IKE_ERR_NO_AUTH		13	/* not authorized */
512 #define	IKE_ERR_IN_PROGRESS	14	/* operation already in progress */
513 #define	IKE_ERR_NO_MEM		15	/* insufficient memory */
514 
515 
516 /*
517  * IKE_SVC_GET_DBG
518  * Used to request the current debug level.
519  *
520  * Upon request, dbg_level is 0 (don't care).
521  *
522  * Upon return, dbg_level contains the current value.
523  *
524  *
525  * IKE_SVC_SET_DBG
526  * Used to request modification of the debug level.
527  *
528  * Upon request, dbg_level contains desired level.  If debug output is
529  * to be directed to a different file, the fd should be passed in the
530  * door_desc_t field of the door_arg_t param.  NOTE: if the daemon is
531  * currently running in the background with no debug set, an output
532  * file MUST be given.
533  *
534  * Upon return, dbg_level contains the old debug level, and acknowledges
535  * successful completion of the request.  If an error is encountered,
536  * ike_err_t is returned instead, with appropriate error value and cmd
537  * IKE_SVC_ERROR.
538  */
539 typedef struct {
540 	ike_svccmd_t	cmd;
541 	uint32_t	dbg_level;
542 } ike_dbg_t;
543 
544 /*
545  * IKE_SVC_GET_PRIV
546  * Used to request the current privilege level.
547  *
548  * Upon request, priv_level is 0 (don't care).
549  *
550  * Upon return, priv_level contains the current value.
551  *
552  *
553  * IKE_SVC_SET_PRIV
554  * Used to request modification of the privilege level.
555  *
556  * Upon request, priv_level contains the desired level.  The level may
557  * only be lowered via the door interface; it cannot be raised.  Thus,
558  * if in.iked is started at the lowest level, it cannot be changed.
559  *
560  * Upon return, priv_level contains the old privilege level, and
561  * acknowledges successful completion of the request.  If an error is
562  * encountered, ike_err_t is returned instead, with appropriate error
563  * value and cmd IKE_SVC_ERROR.
564  */
565 typedef struct {
566 	ike_svccmd_t	cmd;
567 	uint32_t	priv_level;
568 } ike_priv_t;
569 
570 
571 /*
572  * IKE_SVC_GET_STATS
573  * Used to request current statistics on Phase 1 SA creation and
574  * failures.  The statistics represent all activity in in.iked.
575  *
576  * Upon request, cmd is set, and stat_len does not matter.
577  *
578  * Upon successful return, stat_len contains the total size of the
579  * returned buffer, which contains first the ike_statreq_t struct,
580  * followed by the stat data in the ike_stats_t structure. In case
581  * of an error in processing the request, ike_err_t is returned with
582  * IKE_SVC_ERROR command and appropriate error code.
583  */
584 typedef struct {
585 	ike_svccmd_t	cmd;
586 	uint32_t	stat_len;
587 } ike_statreq_t;
588 
589 /*
590  * IKE_SVC_GET_DEFS
591  * Used to request default values from in.iked.
592  *
593  * Upon request, cmd is set, and stat_len does not matter.
594  *
595  * Upon successful return, stat_len contains the total size of the
596  * returned buffer, this contains a pair of ike_defaults_t's.
597  */
598 typedef struct {
599 	ike_svccmd_t	cmd;
600 	uint32_t	stat_len;
601 	uint32_t	version;
602 	uint32_t	defreq_reserved;	/* For 64-bit alignment. */
603 } ike_defreq_t;
604 
605 /*
606  * IKE_SVC_DUMP_{P1S|RULES|PS|CERTCACHE}
607  * Used to request a table dump, and to return info for a single table
608  * item.  The expectation is that all of the table data will be passed
609  * through the door, one entry at a time; an individual request must be
610  * sent for each entry, however (the door server can't send unrequested
611  * data).
612  *
613  * Upon request: cmd is set, and dump_next contains the item number
614  * requested (0 for first request).  dump_len is 0; no data follows.
615  *
616  * Upon return: cmd is set, and dump_next contains the item number of
617  * the *next* item in the table (to be used in the subsequent request).
618  * dump_next = 0 indicates that this is the last item in the table.
619  * dump_len is the total length (data + struct) returned.  Data is
620  * formatted as indicated by the cmd type:
621  *   IKE_SVC_DUMP_P1S:		ike_p1_sa_t
622  *   IKE_SVC_DUMP_RULES:	ike_rule_t
623  *   IKE_SVC_DUMP_PS:		ike_ps_t
624  *   IKE_SVC_DUMP_CERTCACHE:	ike_certcache_t
625  */
626 typedef struct {
627 	ike_svccmd_t	cmd;
628 	uint32_t	dump_len;
629 	union {
630 		struct {
631 			uint32_t	dump_unext;
632 			uint32_t	dump_ureserved;
633 		} dump_actual;
634 		uint64_t dump_alignment;
635 	} dump_u;
636 #define	dump_next dump_u.dump_actual.dump_unext
637 #define	dump_reserved dump_u.dump_actual.dump_ureserved
638 	/* dump_len - sizeof (ike_dump_t) bytes of data included here */
639 } ike_dump_t;
640 
641 
642 /*
643  * IKE_SVC_GET_{P1|RULE|PS}
644  * Used to request and return individual table items.
645  *
646  * Upon request: get_len is the total msg length (struct + id data);
647  * get_idtype indicates the type of identification being used.
648  *   IKE_SVC_GET_P1:		ike_addr_pr_t or ike_cky_pr_t
649  *   IKE_SVC_GET_RULE:		char string (label)
650  *   IKE_SVC_GET_PS:		ike_addr_pr_t or pair of sadb_ident_t
651  *
652  * Upon return: get_len is the total size (struct + data), get_idtype
653  * is unused, and the data that follows is formatted according to cmd:
654  *   IKE_SVC_GET_P1:		ike_p1_sa_t
655  *   IKE_SVC_GET_RULE:		ike_rule_t
656  *   IKE_SVC_GET_PS:		ike_ps_t
657  */
658 typedef struct {
659 	ike_svccmd_t	cmd;
660 	uint32_t	get_len;
661 	union {
662 		struct {
663 			uint32_t	getu_idtype;
664 			uint32_t	getu_reserved;
665 		} get_actual;
666 		uint64_t get_alignment;
667 	} get_u;
668 #define	get_idtype get_u.get_actual.getu_idtype
669 #define	get_reserved get_u.get_actual.getu_reserved
670 	/* get_len - sizeof (ike_get_t) bytes of data included here */
671 } ike_get_t;
672 
673 
674 /*
675  * IKE_SVC_NEW_{RULE|PS}
676  * Used to request and acknowledge insertion of a table item.
677  *
678  * Upon request: new_len is the total (data + struct) size passed, or 0.
679  * new_len = 0 => a door_desc_t is also included with a file descriptor
680  * for a file containing the data to be added.  The file should include
681  * a single item: a rule, or a pre-shared key.  For new_len != 0, the
682  * data is formatted according to the cmd type:
683  *   IKE_SVC_NEW_RULE:		ike_rule_t
684  *   IKE_SVC_NEW_PS:		ike_ps_t
685  *
686  * Upon return: new_len is 0; simply acknowledges successful insertion
687  * of the requested item.  If insertion is not successful, ike_err_t is
688  * returned instead with appropriate error value.
689  */
690 typedef struct {
691 	ike_svccmd_t	cmd;
692 	uint32_t	new_len;
693 	/* new_len - sizeof (ike_new_t) bytes included here */
694 	uint64_t	new_align;	/* Padding for 64-bit alignment. */
695 } ike_new_t;
696 
697 
698 /*
699  * IKE_SVC_DEL_{P1|RULE|PS}
700  * Used to request and acknowledge the deletion of an individual table
701  * item.
702  *
703  * Upon request: del_len is the total msg length (struct + id data);
704  * del_idtype indicates the type of identification being used.
705  *   IKE_SVC_DEL_P1:		ike_addr_pr_t or ike_cky_pr_t
706  *   IKE_SVC_DEL_RULE:		char string (label)
707  *   IKE_SVC_DEL_PS:		ike_addr_pr_t or pair of sadb_ident_t
708  *
709  * Upon return: acknowledges deletion of the requested item; del_len and
710  * del_idtype are unspecified.  If deletion is not successful, ike_err_t
711  * is returned instead with appropriate error value.
712  */
713 typedef struct {
714 	ike_svccmd_t	cmd;
715 	uint32_t	del_len;
716 	uint32_t	del_idtype;
717 	uint32_t	del_reserved;
718 	/* del_len - sizeof (ike_del_t) bytes of data included here. */
719 } ike_del_t;
720 
721 
722 /*
723  * IKE_SVC_READ_{RULES|PS}
724  * Used to ask daemon to re-read particular configuration info.
725  *
726  * Upon request: rw_loc indicates where the info should be read from:
727  * either from a user-supplied file descriptor(s), or from the default
728  * location(s).  If rw_loc indicates user-supplied location, the file
729  * descriptor(s) should be passed in the door_desc_t struct.  For the
730  * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
731  * first, one for the config file which contains the data to be read,
732  * and second, one for the cookie file which will be written to as
733  * in.iked process the config file.
734  *
735  * Upon return: rw_loc is unspecified; the message simply acknowledges
736  * successful completion of the request.  If an error occurred,
737  * ike_err_t is returned instead with appropriate error value.
738  *
739  *
740  * IKE_SVC_WRITE_{RULES|PS}
741  * Used to ask daemon to write its current config info to files.
742  *
743  * Request and return are handled the same as for the IKE_SVC_READ_*
744  * cmds; however, the rw_loc MUST be a user-supplied location.  Also,
745  * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
746  * only a single fd, for the file to which the config info should be
747  * written, should be passed in.
748  */
749 typedef struct {
750 	ike_svccmd_t	cmd;
751 	uint32_t	rw_loc;
752 } ike_rw_t;
753 
754 
755 /*
756  * IKE_SVC_FLUSH_P1S
757  * IKE_SVC_FLUSH_CERTCACHE
758  *
759  * Used to request and acknowledge tear-down of all P1 SAs
760  * or to flush the certificate cache.
761  */
762 typedef struct {
763 	ike_svccmd_t	cmd;
764 } ike_flush_t;
765 
766 
767 #ifndef PKCS11_TOKSIZE
768 #define	PKCS11_TOKSIZE 32
769 #endif
770 #define	MAX_PIN_LEN 256
771 /*
772  * IKE_SVC_SET_PIN
773  * IKE_SVC_DEL_PIN
774  *
775  * Used to supply a pin for a PKCS#11 tokenj object.
776  *
777  */
778 typedef struct {
779 	ike_svccmd_t	cmd;
780 	uint32_t	pin_reserved;	/* For 64-bit alignment. */
781 	char pkcs11_token[PKCS11_TOKSIZE];
782 	uchar_t token_pin[MAX_PIN_LEN];
783 } ike_pin_t;
784 
785 /*
786  * IKE_SVC_ERROR
787  * Used on return if server encountered an error while processing
788  * the request.  An appropriate error code is included (as defined
789  * in this header file); in the case of IKE_ERR_SYS_ERR, a value
790  * from the UNIX errno space is included in the ike_err_unix field.
791  */
792 typedef struct {
793 	ike_svccmd_t	cmd;
794 	uint32_t	ike_err;
795 	uint32_t	ike_err_unix;
796 	uint32_t	ike_err_reserved;
797 } ike_err_t;
798 
799 /*
800  * Generic type for use when the request/reply type is unknown
801  */
802 typedef struct {
803 	ike_svccmd_t	cmd;
804 } ike_cmd_t;
805 
806 
807 /*
808  * Union containing all possible request/return structures.
809  */
810 typedef union {
811 	ike_cmd_t	svc_cmd;
812 	ike_dbg_t	svc_dbg;
813 	ike_priv_t	svc_priv;
814 	ike_statreq_t	svc_stats;
815 	ike_dump_t	svc_dump;
816 	ike_get_t	svc_get;
817 	ike_new_t	svc_new;
818 	ike_del_t	svc_del;
819 	ike_rw_t	svc_rw;
820 	ike_flush_t	svc_flush;
821 	ike_pin_t	svc_pin;
822 	ike_err_t	svc_err;
823 	ike_defreq_t	svc_defaults;
824 } ike_service_t;
825 
826 #ifdef	__cplusplus
827 }
828 #endif
829 
830 #endif	/* _IKEDOOR_H */
831