xref: /titanic_52/usr/src/lib/libipsecutil/common/ikedoor.h (revision 8523fda3525b37e02f4d11efc8cf763bf08204ec)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_IKEDOOR_H
27 #define	_IKEDOOR_H
28 
29 #ifdef	__cplusplus
30 extern "C" {
31 #endif
32 
33 #include <limits.h>
34 #include <sys/sysmacros.h>
35 #include <net/pfkeyv2.h>
36 #include <door.h>
37 
38 /*
39  * This version number is intended to stop the calling process from
40  * getting confused if a structure is changed and a mismatch occurs.
41  * This should be incremented each time a structure is changed.
42  */
43 
44 /*
45  * The IKE process may be a 64-bit process, but ikeadm or any other IKE
46  * door consumer does not have to be.  We need to be strict ala. PF_KEY or
47  * any on-the-wire-protocol with respect to structure fields offsets and
48  * alignment.  Please make sure all structures are the same size on both
49  * 64-bit and 32-bit execution environments (or even other ones), and that
50  * apart from trivial 4-byte enums or base headers, that all structures are
51  * multiples of 8-bytes (64-bits).
52  */
53 #define	DOORVER 3
54 #define	DOORNM	"/var/run/ike_door"
55 
56 
57 typedef enum {
58 	IKE_SVC_GET_DBG,
59 	IKE_SVC_SET_DBG,
60 
61 	IKE_SVC_GET_PRIV,
62 	IKE_SVC_SET_PRIV,
63 
64 	IKE_SVC_GET_STATS,
65 
66 	IKE_SVC_GET_P1,
67 	IKE_SVC_DEL_P1,
68 	IKE_SVC_DUMP_P1S,
69 	IKE_SVC_FLUSH_P1S,
70 
71 	IKE_SVC_GET_RULE,
72 	IKE_SVC_NEW_RULE,
73 	IKE_SVC_DEL_RULE,
74 	IKE_SVC_DUMP_RULES,
75 	IKE_SVC_READ_RULES,
76 	IKE_SVC_WRITE_RULES,
77 
78 	IKE_SVC_GET_PS,
79 	IKE_SVC_NEW_PS,
80 	IKE_SVC_DEL_PS,
81 	IKE_SVC_DUMP_PS,
82 	IKE_SVC_READ_PS,
83 	IKE_SVC_WRITE_PS,
84 
85 	IKE_SVC_DBG_RBDUMP,
86 
87 	IKE_SVC_GET_DEFS,
88 
89 	IKE_SVC_SET_PIN,
90 	IKE_SVC_DEL_PIN,
91 
92 	IKE_SVC_DUMP_CERTCACHE,
93 	IKE_SVC_FLUSH_CERTCACHE,
94 
95 	IKE_SVC_ERROR
96 } ike_svccmd_t;
97 
98 /* DPD status */
99 
100 typedef enum dpd_status {
101 	DPD_NOT_INITIATED = 0,
102 	DPD_IN_PROGRESS,
103 	DPD_SUCCESSFUL,
104 	DPD_FAILURE
105 } dpd_status_t;
106 
107 #define	IKE_SVC_MAX	IKE_SVC_ERROR
108 
109 
110 /*
111  * Support structures/defines
112  */
113 
114 #define	IKEDOORROUNDUP(i)   P2ROUNDUP((i), sizeof (uint64_t))
115 
116 /*
117  * Debug categories.  The debug level is a bitmask made up of
118  * flags indicating the desired categories; only 31 bits are
119  * available, as the highest-order bit designates an invalid
120  * setting.
121  */
122 #define	D_INVALID	0x80000000
123 
124 #define	D_CERT		0x00000001	/* certificate management */
125 #define	D_KEY		0x00000002	/* key management */
126 #define	D_OP		0x00000004	/* operational: config, init, mem */
127 #define	D_P1		0x00000008	/* phase 1 negotiation */
128 #define	D_P2		0x00000010	/* phase 2 negotiation */
129 #define	D_PFKEY		0x00000020	/* pf key interface */
130 #define	D_POL		0x00000040	/* policy management */
131 #define	D_PROP		0x00000080	/* proposal construction */
132 #define	D_DOOR		0x00000100	/* door server */
133 #define	D_CONFIG	0x00000200	/* config file processing */
134 #define	D_LABEL		0x00000400	/* MAC labels */
135 
136 #define	D_HIGHBIT	0x00000400
137 #define	D_ALL		0x000007ff
138 
139 /*
140  * Access privilege levels: define level of access to keying information.
141  * The privileges granted at each level is a superset of the privileges
142  * granted at all lower levels.
143  *
144  * The door operations which require special privileges are:
145  *
146  *	- receiving keying material for SAs and preshared key entries
147  *	  IKE_PRIV_KEYMAT must be set for this.
148  *
149  *	- get/dump/new/delete/read/write preshared keys
150  *	  IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
151  *	  If IKE_PRIV_MODKEYS is set, the information returned for a
152  *	  get/dump request will not include the actual key; in order
153  *	  to get the key itself, IKE_PRIV_KEYMAT must be set.
154  *
155  *	- modifying the privilege level: the daemon's privilege level
156  *	  is set when the daemon is started; the level may only be
157  *	  lowered via the door interface.
158  *
159  * All other operations are allowed at any privilege level.
160  */
161 #define	IKE_PRIV_MINIMUM	0
162 #define	IKE_PRIV_MODKEYS	1
163 #define	IKE_PRIV_KEYMAT		2
164 #define	IKE_PRIV_MAXIMUM	2
165 
166 /* global ike stats formatting structure */
167 typedef struct {
168 	uint32_t	st_init_p1_current;
169 	uint32_t	st_resp_p1_current;
170 	uint32_t	st_init_p1_total;
171 	uint32_t	st_resp_p1_total;
172 	uint32_t	st_init_p1_attempts;
173 	uint32_t	st_resp_p1_attempts;
174 	uint32_t	st_init_p1_noresp;   /* failed; no response from peer */
175 	uint32_t	st_init_p1_respfail; /* failed, but peer responded */
176 	uint32_t	st_resp_p1_fail;
177 	uint32_t	st_reserved;
178 	char		st_pkcs11_libname[PATH_MAX];
179 } ike_stats_t;
180 
181 /* structure used to pass default values used by in.iked back to ikeadm */
182 typedef struct {
183 	uint32_t	rule_p1_lifetime_secs;
184 	uint32_t	rule_p1_minlife;
185 	uint32_t	rule_p1_nonce_len;
186 	uint32_t	rule_p2_lifetime_secs;
187 	uint32_t	rule_p2_softlife_secs;
188 	uint32_t	rule_p2_idletime_secs;
189 	uint32_t	sys_p2_lifetime_secs;
190 	uint32_t	sys_p2_softlife_secs;
191 	uint32_t	sys_p2_idletime_secs;
192 	uint32_t	rule_p2_lifetime_kb;
193 	uint32_t	rule_p2_softlife_kb;
194 	uint32_t	sys_p2_lifetime_bytes;
195 	uint32_t	sys_p2_softlife_bytes;
196 	uint32_t	rule_p2_minlife;
197 	uint32_t	rule_p2_def_minlife;
198 	uint32_t	rule_p2_nonce_len;
199 	uint32_t	rule_p2_pfs;
200 	uint32_t	rule_p2_minsoft;
201 	uint32_t	rule_max_certs;
202 	uint32_t	rule_ike_port;
203 	uint32_t	rule_natt_port;
204 	uint32_t	defaults_reserved;	/* For 64-bit alignment. */
205 } ike_defaults_t;
206 
207 /* data formatting structures for P1 SA dumps */
208 typedef struct {
209 	struct sockaddr_storage	loc_addr;
210 	struct sockaddr_storage	rem_addr;
211 #define	beg_iprange	loc_addr
212 #define	end_iprange	rem_addr
213 } ike_addr_pr_t;
214 
215 typedef struct {
216 	uint64_t	cky_i;
217 	uint64_t	cky_r;
218 } ike_cky_pr_t;
219 
220 typedef struct {
221 	ike_cky_pr_t	p1hdr_cookies;
222 	uint8_t		p1hdr_major;
223 	uint8_t		p1hdr_minor;
224 	uint8_t		p1hdr_xchg;
225 	uint8_t		p1hdr_isinit;
226 	uint32_t	p1hdr_state;
227 	boolean_t	p1hdr_support_dpd;
228 	dpd_status_t	p1hdr_dpd_state;
229 	uint64_t	p1hdr_dpd_time;
230 } ike_p1_hdr_t;
231 
232 /* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
233 #define	IKE_XCHG_NONE			0
234 #define	IKE_XCHG_BASE			1
235 #define	IKE_XCHG_IDENTITY_PROTECT	2
236 #define	IKE_XCHG_AUTH_ONLY		3
237 #define	IKE_XCHG_AGGRESSIVE		4
238 /* following not from RFC; used only for preshared key definitions */
239 #define	IKE_XCHG_IP_AND_AGGR		240
240 /* also not from RFC; used as wildcard */
241 #define	IKE_XCHG_ANY			256
242 
243 /* values for p1hdr_state */
244 #define	IKE_SA_STATE_INVALID	0
245 #define	IKE_SA_STATE_INIT	1
246 #define	IKE_SA_STATE_SENT_SA	2
247 #define	IKE_SA_STATE_SENT_KE	3
248 #define	IKE_SA_STATE_SENT_LAST	4
249 #define	IKE_SA_STATE_DONE	5
250 #define	IKE_SA_STATE_DELETED	6
251 
252 typedef struct {
253 	uint16_t	p1xf_dh_group;
254 	uint16_t	p1xf_encr_alg;
255 	uint16_t	p1xf_encr_low_bits;
256 	uint16_t	p1xf_encr_high_bits;
257 	uint16_t	p1xf_auth_alg;
258 	uint16_t	p1xf_auth_meth;
259 	uint16_t	p1xf_prf;
260 	uint16_t	p1xf_pfs;
261 	uint32_t	p1xf_max_secs;
262 	uint32_t	p1xf_max_kbytes;
263 	uint32_t	p1xf_max_keyuses;
264 	uint32_t	p1xf_reserved;	/* Alignment to 64-bit. */
265 } ike_p1_xform_t;
266 
267 /* values for p1xf_dh_group (aligned with RFC2409, Appendix A) */
268 #define	IKE_GRP_DESC_MODP_768	1
269 #define	IKE_GRP_DESC_MODP_1024	2
270 #define	IKE_GRP_DESC_EC2N_155	3
271 #define	IKE_GRP_DESC_EC2N_185	4
272 /* values for p1xf_dh_group (aligned with RFC3526) */
273 #define	IKE_GRP_DESC_MODP_1536	5
274 #define	IKE_GRP_DESC_MODP_2048	14
275 #define	IKE_GRP_DESC_MODP_3072	15
276 #define	IKE_GRP_DESC_MODP_4096	16
277 #define	IKE_GRP_DESC_MODP_6144	17
278 #define	IKE_GRP_DESC_MODP_8192	18
279 
280 /* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
281 #define	IKE_AUTH_METH_PRE_SHARED_KEY	1
282 #define	IKE_AUTH_METH_DSS_SIG		2
283 #define	IKE_AUTH_METH_RSA_SIG		3
284 #define	IKE_AUTH_METH_RSA_ENCR		4
285 #define	IKE_AUTH_METH_RSA_ENCR_REVISED	5
286 
287 /* values for p1xf_prf */
288 #define	IKE_PRF_NONE		0
289 #define	IKE_PRF_HMAC_MD5	1
290 #define	IKE_PRF_HMAC_SHA1	2
291 #define	IKE_PRF_HMAC_SHA256	5
292 #define	IKE_PRF_HMAC_SHA384	6
293 #define	IKE_PRF_HMAC_SHA512	7
294 
295 typedef struct {
296 	/*
297 	 * NOTE: the new and del counters count the actual number of SAs,
298 	 * not the number of "suites", as defined in the ike monitoring
299 	 * mib draft; we do this because we don't have a good way of
300 	 * tracking the deletion of entire suites (we're notified of
301 	 * deleted qm sas individually).
302 	 */
303 	uint32_t	p1stat_new_qm_sas;
304 	uint32_t	p1stat_del_qm_sas;
305 	uint64_t	p1stat_start;
306 	uint32_t	p1stat_kbytes;
307 	uint32_t	p1stat_keyuses;
308 } ike_p1_stats_t;
309 
310 typedef struct {
311 	uint32_t	p1err_decrypt;
312 	uint32_t	p1err_hash;
313 	uint32_t	p1err_otherrx;
314 	uint32_t	p1err_tx;
315 } ike_p1_errors_t;
316 
317 typedef struct {
318 	uint32_t	p1key_type;
319 	uint32_t	p1key_len;
320 	/*
321 	 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
322 	 * 64-bit aligned (pad bytes are added at the end, if necessary,
323 	 * and NOT INCLUDED in the len value, which reflects the actual
324 	 * key size).
325 	 */
326 } ike_p1_key_t;
327 
328 /* key info types for ike_p1_key_t struct */
329 #define	IKE_KEY_PRESHARED	1
330 #define	IKE_KEY_SKEYID		2
331 #define	IKE_KEY_SKEYID_D	3
332 #define	IKE_KEY_SKEYID_A	4
333 #define	IKE_KEY_SKEYID_E	5
334 #define	IKE_KEY_ENCR		6
335 #define	IKE_KEY_IV		7
336 
337 typedef struct {
338 	ike_p1_hdr_t	p1sa_hdr;
339 	ike_p1_xform_t	p1sa_xform;
340 	ike_addr_pr_t	p1sa_ipaddrs;
341 	uint16_t	p1sa_stat_off;
342 	uint16_t	p1sa_stat_len;
343 	uint16_t	p1sa_error_off;
344 	uint16_t	p1sa_error_len;
345 	uint16_t	p1sa_localid_off;
346 	uint16_t	p1sa_localid_len;
347 	uint16_t	p1sa_remoteid_off;
348 	uint16_t	p1sa_remoteid_len;
349 	uint16_t	p1sa_key_off;
350 	uint16_t	p1sa_key_len;
351 	uint32_t	p1sa_reserved;
352 	/*
353 	 * variable-length structures will be included here, as
354 	 * indicated by offset/length fields.
355 	 * stats and errors will be formatted as ike_p1_stats_t and
356 	 * ike_p1_errors_t, respectively.
357 	 * key info will be formatted as a series of p1_key_t structs.
358 	 * local/remote ids will be formatted as sadb_ident_t structs.
359 	 */
360 } ike_p1_sa_t;
361 
362 
363 #define	MAX_LABEL_LEN	256
364 
365 
366 /* data formatting structure for policy (rule) dumps */
367 
368 typedef struct {
369 	char		rule_label[MAX_LABEL_LEN];
370 	uint32_t	rule_kmcookie;
371 	uint16_t	rule_ike_mode;
372 	uint16_t	rule_local_idtype;	/* SADB_IDENTTYPE_* value */
373 	uint32_t	rule_p1_nonce_len;
374 	uint32_t	rule_p2_nonce_len;
375 	uint32_t	rule_p2_pfs;
376 	uint32_t	rule_p2_lifetime_secs;
377 	uint32_t	rule_p2_softlife_secs;
378 	uint32_t	rule_p2_idletime_secs;
379 	uint32_t	rule_p2_lifetime_kb;
380 	uint32_t	rule_p2_softlife_kb;
381 	uint16_t	rule_xform_cnt;
382 	uint16_t	rule_xform_off;
383 	uint16_t	rule_locip_cnt;
384 	uint16_t	rule_locip_off;
385 	uint16_t	rule_remip_cnt;
386 	uint16_t	rule_remip_off;
387 	uint16_t	rule_locid_inclcnt;
388 	uint16_t	rule_locid_exclcnt;
389 	uint16_t	rule_locid_off;
390 	uint16_t	rule_remid_inclcnt;
391 	uint16_t	rule_remid_exclcnt;
392 	uint16_t	rule_remid_off;
393 	/*
394 	 * Followed by several lists of variable-length structures, described
395 	 * by counts and offsets:
396 	 *	transforms			ike_p1_xform_t structs
397 	 *	ranges of local ip addrs	ike_addr_pr_t structs
398 	 *	ranges of remote ip addrs	ike_addr_pr_t structs
399 	 *	local identification strings	null-terminated ascii strings
400 	 *	remote identification strings	null-terminated ascii strings
401 	 */
402 } ike_rule_t;
403 
404 
405 /*
406  * data formatting structure for preshared keys
407  * ps_ike_mode field uses the IKE_XCHG_* defs
408  */
409 typedef struct {
410 	ike_addr_pr_t	ps_ipaddrs;
411 	uint16_t	ps_ike_mode;
412 	uint16_t	ps_localid_off;
413 	uint16_t	ps_localid_len;
414 	uint16_t	ps_remoteid_off;
415 	uint16_t	ps_remoteid_len;
416 	uint16_t	ps_key_off;
417 	uint16_t	ps_key_len;
418 	uint16_t	ps_key_bits;
419 	/*
420 	 * followed by variable-length structures, as indicated by
421 	 * offset/length fields.
422 	 * key info will be formatted as an array of bytes.
423 	 * local/remote ids will be formatted as sadb_ident_t structs.
424 	 */
425 } ike_ps_t;
426 
427 #define	DN_MAX			1024
428 #define	CERT_OFF_WIRE		-1
429 #define	CERT_NO_PRIVKEY		0
430 #define	CERT_PRIVKEY_LOCKED	1
431 #define	CERT_PRIVKEY_AVAIL	2
432 
433 /*
434  * data formatting structure for cached certs
435  */
436 typedef struct {
437 	uint32_t	cache_id;
438 	uint32_t	class;
439 	int		linkage;
440 	uint32_t	certcache_padding;	/* For 64-bit alignment. */
441 	char		subject[DN_MAX];
442 	char		issuer[DN_MAX];
443 } ike_certcache_t;
444 
445 /* identification types */
446 #define	IKE_ID_IDENT_PAIR	1
447 #define	IKE_ID_ADDR_PAIR	2
448 #define	IKE_ID_CKY_PAIR		3
449 #define	IKE_ID_LABEL		4
450 
451 
452 /* locations for read/write requests */
453 #define	IKE_RW_LOC_DEFAULT	1
454 #define	IKE_RW_LOC_USER_SPEC	2
455 
456 
457 /* door interface error codes */
458 #define	IKE_ERR_NO_OBJ		1	/* nothing found to match the request */
459 #define	IKE_ERR_NO_DESC		2	/* fd was required with this request */
460 #define	IKE_ERR_ID_INVALID	3	/* invalid id info was provided */
461 #define	IKE_ERR_LOC_INVALID	4	/* invalid location info was provided */
462 #define	IKE_ERR_CMD_INVALID	5	/* invalid command was provided */
463 #define	IKE_ERR_DATA_INVALID	6	/* invalid data was provided */
464 #define	IKE_ERR_CMD_NOTSUP	7	/* unsupported command */
465 #define	IKE_ERR_REQ_INVALID	8	/* badly formatted request */
466 #define	IKE_ERR_NO_PRIV		9	/* privilege level not high enough */
467 #define	IKE_ERR_SYS_ERR		10	/* syserr occurred while processing */
468 #define	IKE_ERR_DUP_IGNORED	11	/* attempt to add a duplicate entry */
469 #define	IKE_ERR_NO_TOKEN	12	/* cannot login into pkcs#11 token */
470 #define	IKE_ERR_NO_AUTH		13	/* not authorized */
471 #define	IKE_ERR_IN_PROGRESS	14	/* operation already in progress */
472 #define	IKE_ERR_NO_MEM		15	/* insufficient memory */
473 
474 
475 /*
476  * IKE_SVC_GET_DBG
477  * Used to request the current debug level.
478  *
479  * Upon request, dbg_level is 0 (don't care).
480  *
481  * Upon return, dbg_level contains the current value.
482  *
483  *
484  * IKE_SVC_SET_DBG
485  * Used to request modification of the debug level.
486  *
487  * Upon request, dbg_level contains desired level.  If debug output is
488  * to be directed to a different file, the fd should be passed in the
489  * door_desc_t field of the door_arg_t param.  NOTE: if the daemon is
490  * currently running in the background with no debug set, an output
491  * file MUST be given.
492  *
493  * Upon return, dbg_level contains the old debug level, and acknowledges
494  * successful completion of the request.  If an error is encountered,
495  * ike_err_t is returned instead, with appropriate error value and cmd
496  * IKE_SVC_ERROR.
497  */
498 typedef struct {
499 	ike_svccmd_t	cmd;
500 	uint32_t	dbg_level;
501 } ike_dbg_t;
502 
503 /*
504  * IKE_SVC_GET_PRIV
505  * Used to request the current privilege level.
506  *
507  * Upon request, priv_level is 0 (don't care).
508  *
509  * Upon return, priv_level contains the current value.
510  *
511  *
512  * IKE_SVC_SET_PRIV
513  * Used to request modification of the privilege level.
514  *
515  * Upon request, priv_level contains the desired level.  The level may
516  * only be lowered via the door interface; it cannot be raised.  Thus,
517  * if in.iked is started at the lowest level, it cannot be changed.
518  *
519  * Upon return, priv_level contains the old privilege level, and
520  * acknowledges successful completion of the request.  If an error is
521  * encountered, ike_err_t is returned instead, with appropriate error
522  * value and cmd IKE_SVC_ERROR.
523  */
524 typedef struct {
525 	ike_svccmd_t	cmd;
526 	uint32_t	priv_level;
527 } ike_priv_t;
528 
529 
530 /*
531  * IKE_SVC_GET_STATS
532  * Used to request current statistics on Phase 1 SA creation and
533  * failures.  The statistics represent all activity in in.iked.
534  *
535  * Upon request, cmd is set, and stat_len does not matter.
536  *
537  * Upon successful return, stat_len contains the total size of the
538  * returned buffer, which contains first the ike_statreq_t struct,
539  * followed by the stat data in the ike_stats_t structure. In case
540  * of an error in processing the request, ike_err_t is returned with
541  * IKE_SVC_ERROR command and appropriate error code.
542  */
543 typedef struct {
544 	ike_svccmd_t	cmd;
545 	uint32_t	stat_len;
546 } ike_statreq_t;
547 
548 /*
549  * IKE_SVC_GET_DEFS
550  * Used to request default values from in.iked.
551  *
552  * Upon request, cmd is set, and stat_len does not matter.
553  *
554  * Upon successful return, stat_len contains the total size of the
555  * returned buffer, this contains a pair of ike_defaults_t's.
556  */
557 typedef struct {
558 	ike_svccmd_t	cmd;
559 	uint32_t	stat_len;
560 	uint32_t	version;
561 	uint32_t	defreq_reserved;	/* For 64-bit alignment. */
562 } ike_defreq_t;
563 
564 /*
565  * IKE_SVC_DUMP_{P1S|RULES|PS|CERTCACHE}
566  * Used to request a table dump, and to return info for a single table
567  * item.  The expectation is that all of the table data will be passed
568  * through the door, one entry at a time; an individual request must be
569  * sent for each entry, however (the door server can't send unrequested
570  * data).
571  *
572  * Upon request: cmd is set, and dump_next contains the item number
573  * requested (0 for first request).  dump_len is 0; no data follows.
574  *
575  * Upon return: cmd is set, and dump_next contains the item number of
576  * the *next* item in the table (to be used in the subsequent request).
577  * dump_next = 0 indicates that this is the last item in the table.
578  * dump_len is the total length (data + struct) returned.  Data is
579  * formatted as indicated by the cmd type:
580  *   IKE_SVC_DUMP_P1S:		ike_p1_sa_t
581  *   IKE_SVC_DUMP_RULES:	ike_rule_t
582  *   IKE_SVC_DUMP_PS:		ike_ps_t
583  *   IKE_SVC_DUMP_CERTCACHE:	ike_certcache_t
584  */
585 typedef struct {
586 	ike_svccmd_t	cmd;
587 	uint32_t	dump_len;
588 	union {
589 		struct {
590 			uint32_t	dump_unext;
591 			uint32_t	dump_ureserved;
592 		} dump_actual;
593 		uint64_t dump_alignment;
594 	} dump_u;
595 #define	dump_next dump_u.dump_actual.dump_unext
596 #define	dump_reserved dump_u.dump_actual.dump_ureserved
597 	/* dump_len - sizeof (ike_dump_t) bytes of data included here */
598 } ike_dump_t;
599 
600 
601 /*
602  * IKE_SVC_GET_{P1|RULE|PS}
603  * Used to request and return individual table items.
604  *
605  * Upon request: get_len is the total msg length (struct + id data);
606  * get_idtype indicates the type of identification being used.
607  *   IKE_SVC_GET_P1:		ike_addr_pr_t or ike_cky_pr_t
608  *   IKE_SVC_GET_RULE:		char string (label)
609  *   IKE_SVC_GET_PS:		ike_addr_pr_t or pair of sadb_ident_t
610  *
611  * Upon return: get_len is the total size (struct + data), get_idtype
612  * is unused, and the data that follows is formatted according to cmd:
613  *   IKE_SVC_GET_P1:		ike_p1_sa_t
614  *   IKE_SVC_GET_RULE:		ike_rule_t
615  *   IKE_SVC_GET_PS:		ike_ps_t
616  */
617 typedef struct {
618 	ike_svccmd_t	cmd;
619 	uint32_t	get_len;
620 	union {
621 		struct {
622 			uint32_t	getu_idtype;
623 			uint32_t	getu_reserved;
624 		} get_actual;
625 		uint64_t get_alignment;
626 	} get_u;
627 #define	get_idtype get_u.get_actual.getu_idtype
628 #define	get_reserved get_u.get_actual.getu_reserved
629 	/* get_len - sizeof (ike_get_t) bytes of data included here */
630 } ike_get_t;
631 
632 
633 /*
634  * IKE_SVC_NEW_{RULE|PS}
635  * Used to request and acknowledge insertion of a table item.
636  *
637  * Upon request: new_len is the total (data + struct) size passed, or 0.
638  * new_len = 0 => a door_desc_t is also included with a file descriptor
639  * for a file containing the data to be added.  The file should include
640  * a single item: a rule, or a pre-shared key.  For new_len != 0, the
641  * data is formatted according to the cmd type:
642  *   IKE_SVC_NEW_RULE:		ike_rule_t
643  *   IKE_SVC_NEW_PS:		ike_ps_t
644  *
645  * Upon return: new_len is 0; simply acknowledges successful insertion
646  * of the requested item.  If insertion is not successful, ike_err_t is
647  * returned instead with appropriate error value.
648  */
649 typedef struct {
650 	ike_svccmd_t	cmd;
651 	uint32_t	new_len;
652 	/* new_len - sizeof (ike_new_t) bytes included here */
653 	uint64_t	new_align;	/* Padding for 64-bit alignment. */
654 } ike_new_t;
655 
656 
657 /*
658  * IKE_SVC_DEL_{P1|RULE|PS}
659  * Used to request and acknowledge the deletion of an individual table
660  * item.
661  *
662  * Upon request: del_len is the total msg length (struct + id data);
663  * del_idtype indicates the type of identification being used.
664  *   IKE_SVC_DEL_P1:		ike_addr_pr_t or ike_cky_pr_t
665  *   IKE_SVC_DEL_RULE:		char string (label)
666  *   IKE_SVC_DEL_PS:		ike_addr_pr_t or pair of sadb_ident_t
667  *
668  * Upon return: acknowledges deletion of the requested item; del_len and
669  * del_idtype are unspecified.  If deletion is not successful, ike_err_t
670  * is returned instead with appropriate error value.
671  */
672 typedef struct {
673 	ike_svccmd_t	cmd;
674 	uint32_t	del_len;
675 	uint32_t	del_idtype;
676 	uint32_t	del_reserved;
677 	/* del_len - sizeof (ike_del_t) bytes of data included here. */
678 } ike_del_t;
679 
680 
681 /*
682  * IKE_SVC_READ_{RULES|PS}
683  * Used to ask daemon to re-read particular configuration info.
684  *
685  * Upon request: rw_loc indicates where the info should be read from:
686  * either from a user-supplied file descriptor(s), or from the default
687  * location(s).  If rw_loc indicates user-supplied location, the file
688  * descriptor(s) should be passed in the door_desc_t struct.  For the
689  * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
690  * first, one for the config file which contains the data to be read,
691  * and second, one for the cookie file which will be written to as
692  * in.iked process the config file.
693  *
694  * Upon return: rw_loc is unspecified; the message simply acknowledges
695  * successful completion of the request.  If an error occurred,
696  * ike_err_t is returned instead with appropriate error value.
697  *
698  *
699  * IKE_SVC_WRITE_{RULES|PS}
700  * Used to ask daemon to write its current config info to files.
701  *
702  * Request and return are handled the same as for the IKE_SVC_READ_*
703  * cmds; however, the rw_loc MUST be a user-supplied location.  Also,
704  * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
705  * only a single fd, for the file to which the config info should be
706  * written, should be passed in.
707  */
708 typedef struct {
709 	ike_svccmd_t	cmd;
710 	uint32_t	rw_loc;
711 } ike_rw_t;
712 
713 
714 /*
715  * IKE_SVC_FLUSH_P1S
716  * IKE_SVC_FLUSH_CERTCACHE
717  *
718  * Used to request and acknowledge tear-down of all P1 SAs
719  * or to flush the certificate cache.
720  */
721 typedef struct {
722 	ike_svccmd_t	cmd;
723 } ike_flush_t;
724 
725 
726 #ifndef PKCS11_TOKSIZE
727 #define	PKCS11_TOKSIZE 32
728 #endif
729 #define	MAX_PIN_LEN 256
730 /*
731  * IKE_SVC_SET_PIN
732  * IKE_SVC_DEL_PIN
733  *
734  * Used to supply a pin for a PKCS#11 tokenj object.
735  *
736  */
737 typedef struct {
738 	ike_svccmd_t	cmd;
739 	uint32_t	pin_reserved;	/* For 64-bit alignment. */
740 	char pkcs11_token[PKCS11_TOKSIZE];
741 	uchar_t token_pin[MAX_PIN_LEN];
742 } ike_pin_t;
743 
744 /*
745  * IKE_SVC_ERROR
746  * Used on return if server encountered an error while processing
747  * the request.  An appropriate error code is included (as defined
748  * in this header file); in the case of IKE_ERR_SYS_ERR, a value
749  * from the UNIX errno space is included in the ike_err_unix field.
750  */
751 typedef struct {
752 	ike_svccmd_t	cmd;
753 	uint32_t	ike_err;
754 	uint32_t	ike_err_unix;
755 	uint32_t	ike_err_reserved;
756 } ike_err_t;
757 
758 /*
759  * Generic type for use when the request/reply type is unknown
760  */
761 typedef struct {
762 	ike_svccmd_t	cmd;
763 } ike_cmd_t;
764 
765 
766 /*
767  * Union containing all possible request/return structures.
768  */
769 typedef union {
770 	ike_cmd_t	svc_cmd;
771 	ike_dbg_t	svc_dbg;
772 	ike_priv_t	svc_priv;
773 	ike_statreq_t	svc_stats;
774 	ike_dump_t	svc_dump;
775 	ike_get_t	svc_get;
776 	ike_new_t	svc_new;
777 	ike_del_t	svc_del;
778 	ike_rw_t	svc_rw;
779 	ike_flush_t	svc_flush;
780 	ike_pin_t	svc_pin;
781 	ike_err_t	svc_err;
782 	ike_defreq_t	svc_defaults;
783 } ike_service_t;
784 
785 #ifdef	__cplusplus
786 }
787 #endif
788 
789 #endif	/* _IKEDOOR_H */
790