xref: /titanic_52/usr/src/lib/libipsecutil/common/ikedoor.h (revision bdfc6d18da790deeec2e0eb09c625902defe2498)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2000-2003 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #ifndef	_IKEDOOR_H
28 #define	_IKEDOOR_H
29 
30 #pragma ident	"%Z%%M%	%I%	%E% SMI"
31 
32 #ifdef	__cplusplus
33 extern "C" {
34 #endif
35 
36 #include <limits.h>
37 #include <sys/sysmacros.h>
38 #include <net/pfkeyv2.h>
39 #include <door.h>
40 
/*
 * Rendezvous node of the in.iked door.  Clients open this path to reach
 * the daemon, so the node's file permissions are the first line of access
 * control for every command below.  NOTE(review): whether in.iked also
 * checks the caller's credentials per request (e.g. via door_ucred) is
 * not visible in this header -- confirm in the server before assuming
 * anything stronger than the file mode.
 */
#define	DOORNM	"/var/run/ike_door"
42 
43 
/*
 * Door command codes.  Every request and reply starts with one of these
 * (see ike_cmd_t).  A reply carries either the request's cmd or
 * IKE_SVC_ERROR followed by the rest of an ike_err_t.  Because cmd is the
 * first thing a server reads from caller-supplied data, a request whose
 * value is not one of the request codes below (IKE_SVC_ERROR is reply-only)
 * should be refused with IKE_ERR_CMD_INVALID before any further parsing.
 */
typedef enum {
	IKE_SVC_GET_DBG,		/* ike_dbg_t: query debug level */
	IKE_SVC_SET_DBG,		/* ike_dbg_t: set debug level (fd may follow) */

	IKE_SVC_GET_PRIV,		/* ike_priv_t: query privilege level */
	IKE_SVC_SET_PRIV,		/* ike_priv_t: lower privilege level */

	IKE_SVC_GET_STATS,		/* ike_statreq_t, reply adds ike_stats_t */

	IKE_SVC_GET_P1,			/* ike_get_t, reply adds ike_p1_sa_t */
	IKE_SVC_DEL_P1,			/* ike_del_t */
	IKE_SVC_DUMP_P1S,		/* ike_dump_t, one ike_p1_sa_t per call */
	IKE_SVC_FLUSH_P1S,		/* ike_flush_t */

	IKE_SVC_GET_RULE,		/* ike_get_t, reply adds ike_rule_t */
	IKE_SVC_NEW_RULE,		/* ike_new_t: inline ike_rule_t or an fd */
	IKE_SVC_DEL_RULE,		/* ike_del_t */
	IKE_SVC_DUMP_RULES,		/* ike_dump_t, one ike_rule_t per call */
	IKE_SVC_READ_RULES,		/* ike_rw_t: config fd + cookie fd */
	IKE_SVC_WRITE_RULES,		/* ike_rw_t: output fd */

	IKE_SVC_GET_PS,			/* ike_get_t, reply adds ike_ps_t */
	IKE_SVC_NEW_PS,			/* ike_new_t: inline ike_ps_t or an fd */
	IKE_SVC_DEL_PS,			/* ike_del_t */
	IKE_SVC_DUMP_PS,		/* ike_dump_t, one ike_ps_t per call */
	IKE_SVC_READ_PS,		/* ike_rw_t */
	IKE_SVC_WRITE_PS,		/* ike_rw_t */

	IKE_SVC_DBG_RBDUMP,		/* presumably debug-only; no request/reply
					 * layout is defined in this header */

	IKE_SVC_ERROR			/* reply only; see ike_err_t */
} ike_svccmd_t;
76 
/*
 * Upper bound for command validation: every legitimate request code is
 * strictly less than IKE_SVC_MAX, since IKE_SVC_ERROR itself only ever
 * appears in a reply.
 */
#define	IKE_SVC_MAX	IKE_SVC_ERROR
78 
79 
80 /*
81  * Support structures/defines
82  */
83 
/*
 * Round a byte count up to the next multiple of sizeof (uint64_t).
 * Variable-length items in door payloads are padded to this boundary
 * while their *_len fields report the unpadded size (see ike_p1_key_t),
 * so code stepping from one item to the next must advance by
 * IKEDOORROUNDUP(len), never by len.
 */
#define	IKEDOORROUNDUP(i)   P2ROUNDUP((i), sizeof (uint64_t))
85 
86 /*
87  * Debug categories.  The debug level is a bitmask made up of
88  * flags indicating the desired categories; only 31 bits are
89  * available, as the highest-order bit designates an invalid
90  * setting.
91  */
#define	D_INVALID	0x80000000	/* never a legal dbg_level bit */

#define	D_CERT		0x00000001	/* certificate management */
#define	D_KEY		0x00000002	/* key management */
#define	D_OP		0x00000004	/* operational: config, init, mem */
#define	D_P1		0x00000008	/* phase 1 negotiation */
#define	D_P2		0x00000010	/* phase 2 negotiation */
#define	D_PFKEY		0x00000020	/* pf key interface */
#define	D_POL		0x00000040	/* policy management */
#define	D_PROP		0x00000080	/* proposal construction */
#define	D_DOOR		0x00000100	/* door server */
#define	D_CONFIG	0x00000200	/* config file processing */

/*
 * D_HIGHBIT is the highest category currently assigned (it equals
 * D_CONFIG); D_ALL is the union of every assigned category.  Bits between
 * D_HIGHBIT and D_INVALID are unassigned.  A SET_DBG request carrying
 * D_INVALID or any bit outside D_ALL should be refused
 * (IKE_ERR_DATA_INVALID); whether in.iked does so is not visible here.
 */
#define	D_HIGHBIT	0x00000200
#define	D_ALL		0x000003ff
107 
108 /*
109  * Access privilege levels: define level of access to keying information.
 * The privileges granted at each level are a superset of the privileges
 * granted at all lower levels.
112  *
113  * The door operations which require special privileges are:
114  *
115  *	- receiving keying material for SAs and preshared key entries
116  *	  IKE_PRIV_KEYMAT must be set for this.
117  *
118  *	- get/dump/new/delete/read/write preshared keys
119  *	  IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
120  *	  If IKE_PRIV_MODKEYS is set, the information returned for a
121  *	  get/dump request will not include the actual key; in order
122  *	  to get the key itself, IKE_PRIV_KEYMAT must be set.
123  *
124  *	- modifying the privilege level: the daemon's privilege level
125  *	  is set when the daemon is started; the level may only be
126  *	  lowered via the door interface.
127  *
128  * All other operations are allowed at any privilege level.
129  */
/*
 * Ordered privilege levels (higher includes lower).  The daemon starts at
 * a configured level and SET_PRIV may only move it downward, so a request
 * asking for a level above the current one must be refused (presumably
 * with IKE_ERR_NO_PRIV).  Lowering is a one-way operation for the life of
 * the daemon.
 */
#define	IKE_PRIV_MINIMUM	0	/* no access to preshared keys or key material */
#define	IKE_PRIV_MODKEYS	1	/* manage preshared keys; raw key bytes withheld */
#define	IKE_PRIV_KEYMAT		2	/* as MODKEYS, plus raw keys and SA key material */
#define	IKE_PRIV_MAXIMUM	2
134 
135 /* global ike stats formatting structure */
/*
 * Global Phase 1 statistics, returned after the ike_statreq_t header of
 * an IKE_SVC_GET_STATS reply.  Fixed size; nothing variable follows.
 * Field meanings are taken from their names -- in.iked's accounting is
 * not visible in this header.
 */
typedef struct {
	uint32_t	st_init_p1_current;	/* P1 SAs we initiated, now live */
	uint32_t	st_resp_p1_current;	/* P1 SAs peer initiated, now live */
	uint32_t	st_init_p1_total;	/* ever completed as initiator */
	uint32_t	st_resp_p1_total;	/* ever completed as responder */
	uint32_t	st_init_p1_attempts;	/* negotiations started by us */
	uint32_t	st_resp_p1_attempts;	/* negotiations started by peers */
	uint32_t	st_init_p1_noresp;   /* failed; no response from peer */
	uint32_t	st_init_p1_respfail; /* failed, but peer responded */
	uint32_t	st_resp_p1_fail;	/* responder-side failures */
	uint32_t	st_reserved;		/* reserved; presumably sent as 0 */
	/*
	 * Path of the PKCS#11 provider in use.  The type alone does not
	 * guarantee a NUL terminator, so readers should bound at PATH_MAX.
	 */
	char		st_pkcs11_libname[PATH_MAX];
} ike_stats_t;
149 
150 
151 /* data formatting structures for P1 SA dumps */
/*
 * A pair of socket addresses.  For an SA the pair is local/remote; for a
 * rule's address range the same storage is read as begin/end through the
 * aliases below.  Readers should check ss_family of each entry before
 * interpreting it -- nothing here forces the two to share a family.
 */
typedef struct {
	struct sockaddr_storage	loc_addr;
	struct sockaddr_storage	rem_addr;
#define	beg_iprange	loc_addr
#define	end_iprange	rem_addr
} ike_addr_pr_t;
158 
/*
 * ISAKMP initiator/responder cookie pair.  Together they identify a
 * Phase 1 SA and may be used as the id data of GET_P1/DEL_P1 requests.
 */
typedef struct {
	uint64_t	cky_i;		/* initiator cookie */
	uint64_t	cky_r;		/* responder cookie */
} ike_cky_pr_t;
163 
/*
 * Fixed header of a Phase 1 SA description (first member of ike_p1_sa_t).
 */
typedef struct {
	ike_cky_pr_t	p1hdr_cookies;
	uint8_t		p1hdr_major;	/* ISAKMP major version */
	uint8_t		p1hdr_minor;	/* ISAKMP minor version */
	/*
	 * IKE_XCHG_* value.  NOTE: this is a uint8_t, so the wildcard
	 * IKE_XCHG_ANY (256) cannot be represented here; it is only
	 * meaningful in the 16-bit ps_ike_mode / rule_ike_mode fields.
	 */
	uint8_t		p1hdr_xchg;
	uint8_t		p1hdr_isinit;	/* presumably nonzero if we initiated */
	uint32_t	p1hdr_state;	/* IKE_SA_STATE_* value */
} ike_p1_hdr_t;
172 
173 /* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
#define	IKE_XCHG_NONE			0
#define	IKE_XCHG_BASE			1
#define	IKE_XCHG_IDENTITY_PROTECT	2	/* main mode */
#define	IKE_XCHG_AUTH_ONLY		3
#define	IKE_XCHG_AGGRESSIVE		4
/* following not from RFC; used only for preshared key definitions */
#define	IKE_XCHG_IP_AND_AGGR		240
/*
 * Also not from RFC; used as a wildcard.  256 does not fit in the
 * uint8_t p1hdr_xchg field (it would truncate to IKE_XCHG_NONE), so it
 * is valid only in the uint16_t ps_ike_mode and rule_ike_mode fields.
 */
#define	IKE_XCHG_ANY			256
183 
184 /* values for p1hdr_state */
/*
 * Phase 1 SA states as reported in p1hdr_state.  The ordering suggests
 * the progression of a negotiation, but the daemon's state machine is
 * not visible here; only DONE should be taken as a usable SA.
 */
#define	IKE_SA_STATE_INVALID	0
#define	IKE_SA_STATE_INIT	1
#define	IKE_SA_STATE_SENT_SA	2
#define	IKE_SA_STATE_SENT_KE	3
#define	IKE_SA_STATE_SENT_LAST	4
#define	IKE_SA_STATE_DONE	5
#define	IKE_SA_STATE_DELETED	6
192 
/*
 * A Phase 1 transform: the algorithm suite and lifetime limits either
 * negotiated for an SA (ike_p1_sa_t) or offered by a rule (ike_rule_t).
 */
typedef struct {
	uint16_t	p1xf_dh_group;		/* IKE_GRP_DESC_* */
	uint16_t	p1xf_encr_alg;		/* encryption alg; id space not defined here */
	uint16_t	p1xf_auth_alg;		/* hash/auth alg; id space not defined here */
	uint16_t	p1xf_auth_meth;		/* IKE_AUTH_METH_* */
	uint16_t	p1xf_prf;		/* IKE_PRF_* */
	uint16_t	p1xf_pfs;		/* perfect forward secrecy flag/group -- confirm */
	uint32_t	p1xf_max_secs;		/* lifetime limits; whether 0 means */
	uint32_t	p1xf_max_kbytes;	/* "unlimited" is not specified here */
	uint32_t	p1xf_max_keyuses;
} ike_p1_xform_t;
204 
205 /* values for p1xf_dh_group (aligned with RFC2409, Appendix A) */
/*
 * Diffie-Hellman group numbers.  This mirrors the RFC 2409 table and is
 * not a recommendation: the 768- and 1024-bit MODP groups are well below
 * current strength guidance and should not be accepted in new policy.
 */
#define	IKE_GRP_DESC_MODP_768	1
#define	IKE_GRP_DESC_MODP_1024	2
#define	IKE_GRP_DESC_EC2N_155	3
#define	IKE_GRP_DESC_EC2N_185	4
#define	IKE_GRP_DESC_MODP_1536	5
211 
212 /* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
/* Phase 1 authentication methods, as carried in p1xf_auth_meth. */
#define	IKE_AUTH_METH_PRE_SHARED_KEY	1	/* key from the ike_ps_t table */
#define	IKE_AUTH_METH_DSS_SIG		2
#define	IKE_AUTH_METH_RSA_SIG		3
#define	IKE_AUTH_METH_RSA_ENCR		4
#define	IKE_AUTH_METH_RSA_ENCR_REVISED	5
218 
219 /* values for p1xf_prf */
/*
 * Pseudo-random functions, as carried in p1xf_prf.  HMAC-MD5 is listed
 * for wire compatibility only; prefer the SHA-1 variant where a choice
 * exists.
 */
#define	IKE_PRF_NONE		0
#define	IKE_PRF_HMAC_MD5	1
#define	IKE_PRF_HMAC_SHA1	2
223 
/*
 * Per-Phase-1-SA usage counters, found at p1sa_stat_off in ike_p1_sa_t.
 */
typedef struct {
	/*
	 * NOTE: the new and del counters count the actual number of SAs,
	 * not the number of "suites", as defined in the ike monitoring
	 * mib draft; we do this because we don't have a good way of
	 * tracking the deletion of entire suites (we're notified of
	 * deleted qm sas individually).
	 */
	uint32_t	p1stat_new_qm_sas;	/* quick-mode SAs created under this P1 */
	uint32_t	p1stat_del_qm_sas;	/* quick-mode SAs deleted under this P1 */
	uint64_t	p1stat_start;		/* SA start time; epoch/units not specified here */
	uint32_t	p1stat_kbytes;		/* traffic so far, compare p1xf_max_kbytes */
	uint32_t	p1stat_keyuses;		/* key uses so far, compare p1xf_max_keyuses */
} ike_p1_stats_t;
238 
/*
 * Per-Phase-1-SA error counters, found at p1sa_error_off in ike_p1_sa_t.
 * A rising p1err_decrypt or p1err_hash on a live SA is worth alerting on:
 * it means traffic under this SA is failing integrity or decryption.
 */
typedef struct {
	uint32_t	p1err_decrypt;	/* received messages that failed to decrypt */
	uint32_t	p1err_hash;	/* received messages with bad hash */
	uint32_t	p1err_otherrx;	/* other receive-side errors */
	uint32_t	p1err_tx;	/* transmit-side errors */
} ike_p1_errors_t;
245 
/*
 * One item of Phase 1 key material, found in the p1sa_key_off region of
 * ike_p1_sa_t and returned only when the daemon runs at IKE_PRIV_KEYMAT.
 * Everything in this region is secret: consumers should not log it and
 * should clear their copies (explicit_bzero or equivalent) when done.
 *
 * p1key_len counts this header plus the data, but not the trailing pad,
 * so the next item starts at IKEDOORROUNDUP(p1key_len).  A reader must
 * check p1key_len >= sizeof (ike_p1_key_t) and that the item lies within
 * the enclosing p1sa_key_len before touching the data.
 */
typedef struct {
	uint32_t	p1key_type;	/* IKE_KEY_* */
	uint32_t	p1key_len;	/* header + data bytes, excluding pad */
	/*
	 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
	 * 64-bit aligned (pad bytes are added at the end, if necessary,
	 * and NOT INCLUDED in the len value, which reflects the actual
	 * key size).  NOTE(review): whether "hex data" means raw bytes or
	 * ASCII hex is not determinable from this header -- confirm.
	 */
} ike_p1_key_t;
256 
257 /* key info types for ike_p1_key_t struct */
/*
 * Key info types for ike_p1_key_t.  All of these are secrets of the
 * Phase 1 SA (the preshared key, the derived SKEYID family, the
 * encryption key and IV); none should be exposed below IKE_PRIV_KEYMAT.
 */
#define	IKE_KEY_PRESHARED	1
#define	IKE_KEY_SKEYID		2
#define	IKE_KEY_SKEYID_D	3
#define	IKE_KEY_SKEYID_A	4
#define	IKE_KEY_SKEYID_E	5
#define	IKE_KEY_ENCR		6
#define	IKE_KEY_IV		7
265 
/*
 * Phase 1 SA description returned by GET_P1 and DUMP_P1S.  Fixed part
 * followed by regions located by (offset, length) pairs.  The offsets
 * are presumably relative to the start of this struct -- confirm against
 * in.iked's encoder.  Because these fields arrive from the other side of
 * the door, a reader must verify off + len does not exceed the total
 * message length (dump_len / get_len) for every region before using it,
 * and that the region is large enough for the type it claims to hold.
 * The key region is present only at IKE_PRIV_KEYMAT; expect
 * p1sa_key_len == 0 otherwise.
 */
typedef struct {
	ike_p1_hdr_t	p1sa_hdr;
	ike_p1_xform_t	p1sa_xform;
	ike_addr_pr_t	p1sa_ipaddrs;	/* local / remote endpoints */
	uint16_t	p1sa_stat_off;	/* ike_p1_stats_t */
	uint16_t	p1sa_stat_len;
	uint16_t	p1sa_error_off;	/* ike_p1_errors_t */
	uint16_t	p1sa_error_len;
	uint16_t	p1sa_localid_off;	/* sadb_ident_t */
	uint16_t	p1sa_localid_len;
	uint16_t	p1sa_remoteid_off;	/* sadb_ident_t */
	uint16_t	p1sa_remoteid_len;
	uint16_t	p1sa_key_off;	/* series of ike_p1_key_t; secret */
	uint16_t	p1sa_key_len;
	uint32_t	p1sa_reserved;
	/*
	 * variable-length structures will be included here, as
	 * indicated by offset/length fields.
	 * stats and errors will be formatted as ike_p1_stats_t and
	 * ike_p1_errors_t, respectively.
	 * key info will be formatted as a series of p1_key_t structs.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_p1_sa_t;
290 
291 
/* Size of a rule's label buffer, terminator included (see ike_rule_t). */
#define	MAX_LABEL_LEN	256
293 
294 
295 /* data formatting structure for policy (rule) dumps */
296 
/*
 * Policy rule as exchanged by GET_RULE, NEW_RULE and DUMP_RULES.  A fixed
 * part is followed by lists located by (count, offset) pairs.  For
 * NEW_RULE the whole thing is caller-supplied, so the daemon must treat
 * every count and offset as untrusted: check that
 * off + cnt * sizeof (element) stays within new_len, and that each
 * id string's NUL terminator falls inside the buffer before calling any
 * string function on it.  rule_label is not guaranteed NUL-terminated by
 * its type; bound reads at MAX_LABEL_LEN.
 */
typedef struct {
	char		rule_label[MAX_LABEL_LEN];	/* lookup key for GET/DEL_RULE */
	uint32_t	rule_kmcookie;		/* key-management cookie; meaning not defined here */
	uint16_t	rule_ike_mode;		/* IKE_XCHG_* (16-bit: IKE_XCHG_ANY fits) */
	uint16_t	rule_local_idtype;	/* SADB_IDENTTYPE_* value */
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_lifetime;
	uint16_t	rule_xform_cnt;		/* ike_p1_xform_t entries */
	uint16_t	rule_xform_off;
	uint16_t	rule_locip_cnt;		/* ike_addr_pr_t ranges */
	uint16_t	rule_locip_off;
	uint16_t	rule_remip_cnt;		/* ike_addr_pr_t ranges */
	uint16_t	rule_remip_off;
	uint16_t	rule_locid_inclcnt;	/* strings to include, then exclude -- */
	uint16_t	rule_locid_exclcnt;	/* order within the list presumed; confirm */
	uint16_t	rule_locid_off;
	uint16_t	rule_remid_inclcnt;
	uint16_t	rule_remid_exclcnt;
	uint16_t	rule_remid_off;
	/*
	 * Followed by several lists of variable-length structures, described
	 * by counts and offsets:
	 *	transforms			ike_p1_xform_t structs
	 *	ranges of local ip addrs	ike_addr_pr_t structs
	 *	ranges of remote ip addrs	ike_addr_pr_t structs
	 *	local identification strings	null-terminated ascii strings
	 *	remote identification strings	null-terminated ascii strings
	 */
} ike_rule_t;
328 
329 
330 /*
331  * data formatting structure for preshared keys
332  * ps_ike_mode field uses the IKE_XCHG_* defs
333  */
/*
 * Preshared key entry as exchanged by GET_PS, NEW_PS and DUMP_PS.
 * The key region is the secret itself: at IKE_PRIV_MODKEYS the daemon
 * withholds it from GET/DUMP replies (expect ps_key_len == 0) and only
 * IKE_PRIV_KEYMAT returns the bytes.  Clients that receive it should
 * clear their copy when done.  As with ike_rule_t, every offset/length
 * here is untrusted on the receiving side and must be checked against
 * the enclosing message length.
 */
typedef struct {
	ike_addr_pr_t	ps_ipaddrs;	/* local / remote address pair */
	uint16_t	ps_ike_mode;	/* IKE_XCHG_*; IKE_XCHG_ANY allowed */
	uint16_t	ps_localid_off;	/* sadb_ident_t */
	uint16_t	ps_localid_len;
	uint16_t	ps_remoteid_off;	/* sadb_ident_t */
	uint16_t	ps_remoteid_len;
	uint16_t	ps_key_off;	/* raw key bytes; secret */
	uint16_t	ps_key_len;	/* bytes present in the message */
	uint16_t	ps_key_bits;	/* key length in bits; may differ from 8*ps_key_len */
	/*
	 * followed by variable-length structures, as indicated by
	 * offset/length fields.
	 * key info will be formatted as an array of bytes.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_ps_t;
351 
352 
353 /* identification types */
/*
 * Identification types for get_idtype / del_idtype; they select how the
 * trailing id data of ike_get_t / ike_del_t is laid out.  Any other value
 * should be answered with IKE_ERR_ID_INVALID.
 */
#define	IKE_ID_IDENT_PAIR	1	/* pair of sadb_ident_t (PS) */
#define	IKE_ID_ADDR_PAIR	2	/* ike_addr_pr_t (P1, PS) */
#define	IKE_ID_CKY_PAIR		3	/* ike_cky_pr_t (P1) */
#define	IKE_ID_LABEL		4	/* NUL-terminated label (RULE) */
358 
359 
360 /* locations for read/write requests */
/*
 * Locations for read/write requests (ike_rw_t.rw_loc).  WRITE_* requires
 * IKE_RW_LOC_USER_SPEC; anything else is IKE_ERR_LOC_INVALID.
 */
#define	IKE_RW_LOC_DEFAULT	1	/* daemon's configured file(s) */
#define	IKE_RW_LOC_USER_SPEC	2	/* fd(s) passed in door_desc_t */
363 
364 
365 /* door interface error codes */
/*
 * Door interface error codes, carried in ike_err_t.ike_err.  Only
 * IKE_ERR_SYS_ERR also fills ike_err_unix.
 */
#define	IKE_ERR_NO_OBJ		1	/* nothing found to match the request */
#define	IKE_ERR_NO_DESC		2	/* fd was required with this request */
#define	IKE_ERR_ID_INVALID	3	/* invalid id info was provided */
#define	IKE_ERR_LOC_INVALID	4	/* invalid location info was provided */
#define	IKE_ERR_CMD_INVALID	5	/* invalid command was provided */
#define	IKE_ERR_DATA_INVALID	6	/* invalid data was provided */
#define	IKE_ERR_CMD_NOTSUP	7	/* unsupported command */
#define	IKE_ERR_REQ_INVALID	8	/* badly formatted request */
#define	IKE_ERR_NO_PRIV		9	/* privilege level not high enough */
#define	IKE_ERR_SYS_ERR		10	/* syserr occurred while processing */
376 
377 
378 /*
379  * IKE_SVC_GET_DBG
380  * Used to request the current debug level.
381  *
382  * Upon request, dbg_level is 0 (don't care).
383  *
384  * Upon return, dbg_level contains the current value.
385  *
386  *
387  * IKE_SVC_SET_DBG
388  * Used to request modification of the debug level.
389  *
390  * Upon request, dbg_level contains desired level.  If debug output is
391  * to be directed to a different file, the fd should be passed in the
392  * door_desc_t field of the door_arg_t param.  NOTE: if the daemon is
393  * currently running in the background with no debug set, an output
394  * file MUST be given.
395  *
396  * Upon return, dbg_level contains the old debug level, and acknowledges
397  * successful completion of the request.  If an error is encountered,
398  * ike_err_t is returned instead, with appropriate error value and cmd
399  * IKE_SVC_ERROR.
400  */
/*
 * Request/reply for IKE_SVC_GET_DBG and IKE_SVC_SET_DBG.  On SET the
 * daemon should reject a dbg_level with D_INVALID or any bit outside
 * D_ALL set (IKE_ERR_DATA_INVALID).  When an output fd accompanies the
 * request the daemon writes debug output to a file chosen by the caller,
 * so this command is only as safe as the door's access control.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dbg_level;	/* bitmask of D_* categories */
} ike_dbg_t;
405 
406 /*
407  * IKE_SVC_GET_PRIV
408  * Used to request the current privilege level.
409  *
410  * Upon request, priv_level is 0 (don't care).
411  *
412  * Upon return, priv_level contains the current value.
413  *
414  *
415  * IKE_SVC_SET_PRIV
416  * Used to request modification of the privilege level.
417  *
418  * Upon request, priv_level contains the desired level.  The level may
419  * only be lowered via the door interface; it cannot be raised.  Thus,
420  * if in.iked is started at the lowest level, it cannot be changed.
421  *
422  * Upon return, priv_level contains the old privilege level, and
423  * acknowledges successful completion of the request.  If an error is
424  * encountered, ike_err_t is returned instead, with appropriate error
425  * value and cmd IKE_SVC_ERROR.
426  */
/*
 * Request/reply for IKE_SVC_GET_PRIV and IKE_SVC_SET_PRIV.  priv_level is
 * an IKE_PRIV_* value; a SET above the current level or above
 * IKE_PRIV_MAXIMUM must fail rather than raise the daemon's access.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	priv_level;	/* IKE_PRIV_MINIMUM .. IKE_PRIV_MAXIMUM */
} ike_priv_t;
431 
432 
433 /*
434  * IKE_SVC_GET_STATS
435  * Used to request current statistics on Phase 1 SA creation and
436  * failures.  The statistics represent all activity in in.iked.
437  *
438  * Upon request, cmd is set, and stat_len does not matter.
439  *
440  * Upon successful return, stat_len contains the total size of the
441  * returned buffer, which contains first the ike_statreq_t struct,
442  * followed by the stat data in the ike_stats_t structure. In case
443  * of an error in processing the request, ike_err_t is returned with
444  * IKE_SVC_ERROR command and appropriate error code.
445  */
/*
 * Header for IKE_SVC_GET_STATS.  In the reply an ike_stats_t follows and
 * stat_len covers both; a client should confirm
 * stat_len >= sizeof (ike_statreq_t) + sizeof (ike_stats_t) and that the
 * door returned at least that many bytes before reading the stats.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	stat_len;	/* total reply size (this header + ike_stats_t) */
} ike_statreq_t;
450 
451 
452 /*
453  * IKE_SVC_DUMP_{P1S|RULES|PS}
454  * Used to request a table dump, and to return info for a single table
455  * item.  The expectation is that all of the table data will be passed
456  * through the door, one entry at a time; an individual request must be
457  * sent for each entry, however (the door server can't send unrequested
458  * data).
459  *
460  * Upon request: cmd is set, and dump_next contains the item number
461  * requested (0 for first request).  dump_len is 0; no data follows.
462  *
463  * Upon return: cmd is set, and dump_next contains the item number of
464  * the *next* item in the table (to be used in the subsequent request).
465  * dump_next = 0 indicates that this is the last item in the table.
466  * dump_len is the total length (data + struct) returned.  Data is
467  * formatted as indicated by the cmd type:
468  *   IKE_SVC_DUMP_P1S:		ike_p1_sa_t
469  *   IKE_SVC_DUMP_RULES:	ike_rule_t
470  *   IKE_SVC_DUMP_PS:		ike_ps_t
471  */
/*
 * Header for IKE_SVC_DUMP_{P1S|RULES|PS}; one table entry per call.
 * The union forces the trailing item onto a 64-bit boundary.
 *
 * dump_next is an item number the client hands back to the server, so the
 * server must treat it as an untrusted index (range-check it; the table
 * may have changed between calls).  On the client side, dump_len must be
 * >= sizeof (ike_dump_t) and <= the number of bytes the door actually
 * returned before the payload is interpreted; the payload's own
 * offset/length fields are then checked against dump_len.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dump_len;	/* total bytes: this header + one item */
	union {
		struct {
			uint32_t	dump_unext;	/* item number requested / next */
			uint32_t	dump_ureserved;
		} dump_actual;
		uint64_t dump_alignment;	/* pads header to 16 bytes */
	} dump_u;
#define	dump_next dump_u.dump_actual.dump_unext
#define	dump_reserved dump_u.dump_actual.dump_ureserved
	/* dump_len - sizeof (ike_dump_t) bytes of data included here */
} ike_dump_t;
486 
487 
488 /*
489  * IKE_SVC_GET_{P1|RULE|PS}
490  * Used to request and return individual table items.
491  *
492  * Upon request: get_len is the total msg length (struct + id data);
493  * get_idtype indicates the type of identification being used.
494  *   IKE_SVC_GET_P1:		ike_addr_pr_t or ike_cky_pr_t
495  *   IKE_SVC_GET_RULE:		char string (label)
496  *   IKE_SVC_GET_PS:		ike_addr_pr_t or pair of sadb_ident_t
497  *
498  * Upon return: get_len is the total size (struct + data), get_idtype
499  * is unused, and the data that follows is formatted according to cmd:
500  *   IKE_SVC_GET_P1:		ike_p1_sa_t
501  *   IKE_SVC_GET_RULE:		ike_rule_t
502  *   IKE_SVC_GET_PS:		ike_ps_t
503  */
/*
 * Header for IKE_SVC_GET_{P1|RULE|PS}.  The union forces the trailing
 * data onto a 64-bit boundary.  On request the trailing bytes are the id
 * selected by get_idtype (IKE_ID_*); on reply they are the item.  Both
 * sides must check get_len >= sizeof (ike_get_t) and get_len <= the bytes
 * actually received, and the server must reject a get_idtype it does not
 * understand (IKE_ERR_ID_INVALID) before reading the id.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	get_len;	/* total bytes: this header + id or item */
	union {
		struct {
			uint32_t	getu_idtype;	/* IKE_ID_* (request only) */
			uint32_t	getu_reserved;
		} get_actual;
		uint64_t get_alignment;	/* pads header to 16 bytes */
	} get_u;
#define	get_idtype get_u.get_actual.getu_idtype
#define	get_reserved get_u.get_actual.getu_reserved
	/* get_len - sizeof (ike_get_t) bytes of data included here */
} ike_get_t;
518 
519 
520 /*
521  * IKE_SVC_NEW_{RULE|PS}
522  * Used to request and acknowledge insertion of a table item.
523  *
524  * Upon request: new_len is the total (data + struct) size passed, or 0.
525  * new_len = 0 => a door_desc_t is also included with a file descriptor
526  * for a file containing the data to be added.  The file should include
527  * a single item: a rule, or a pre-shared key.  For new_len != 0, the
528  * data is formatted according to the cmd type:
529  *   IKE_SVC_NEW_RULE:		ike_rule_t
530  *   IKE_SVC_NEW_PS:		ike_ps_t
531  *
532  * Upon return: new_len is 0; simply acknowledges successful insertion
533  * of the requested item.  If insertion is not successful, ike_err_t is
534  * returned instead with appropriate error value.
535  */
/*
 * Header for IKE_SVC_NEW_{RULE|PS}.  Note sizeof (ike_new_t) includes
 * new_align, so the item starts after that member.  With new_len == 0
 * the item comes from a caller-supplied fd instead and the daemon parses
 * a file the caller chose; with new_len != 0 the inline ike_rule_t /
 * ike_ps_t is caller data and its internal offsets must be validated
 * against new_len.  A new_len that is nonzero but smaller than
 * sizeof (ike_new_t) + the fixed part of the item is IKE_ERR_REQ_INVALID.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	new_len;	/* 0 => fd in door_desc_t; else total bytes */
	/* new_len - sizeof (ike_new_t) bytes included here */
	uint64_t	new_align;	/* Padding for 64-bit alignment. */
} ike_new_t;
542 
543 
544 /*
545  * IKE_SVC_DEL_{P1|RULE|PS}
546  * Used to request and acknowledge the deletion of an individual table
547  * item.
548  *
549  * Upon request: del_len is the total msg length (struct + id data);
550  * del_idtype indicates the type of identification being used.
551  *   IKE_SVC_DEL_P1:		ike_addr_pr_t or ike_cky_pr_t
552  *   IKE_SVC_DEL_RULE:		char string (label)
553  *   IKE_SVC_DEL_PS:		ike_addr_pr_t or pair of sadb_ident_t
554  *
555  * Upon return: acknowledges deletion of the requested item; del_len and
556  * del_idtype are unspecified.  If deletion is not successful, ike_err_t
557  * is returned instead with appropriate error value.
558  */
/*
 * Request for IKE_SVC_DEL_{P1|RULE|PS}.  The trailing bytes are the id
 * selected by del_idtype (IKE_ID_*); the server must check
 * del_len >= sizeof (ike_del_t), that del_len does not exceed the bytes
 * received, and that the id type is one it accepts for this cmd before
 * touching the id.  The 16-byte header keeps the id 64-bit aligned.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	del_len;	/* total bytes: this header + id */
	uint32_t	del_idtype;	/* IKE_ID_* */
	uint32_t	del_reserved;
	/* del_len - sizeof (ike_del_t) bytes of data included here. */
} ike_del_t;
566 
567 
568 /*
569  * IKE_SVC_READ_{RULES|PS}
570  * Used to ask daemon to re-read particular configuration info.
571  *
572  * Upon request: rw_loc indicates where the info should be read from:
573  * either from a user-supplied file descriptor(s), or from the default
574  * location(s).  If rw_loc indicates user-supplied location, the file
575  * descriptor(s) should be passed in the door_desc_t struct.  For the
576  * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
577  * first, one for the config file which contains the data to be read,
578  * and second, one for the cookie file which will be written to as
 * in.iked processes the config file.
580  *
581  * Upon return: rw_loc is unspecified; the message simply acknowledges
582  * successful completion of the request.  If an error occurred,
583  * ike_err_t is returned instead with appropriate error value.
584  *
585  *
586  * IKE_SVC_WRITE_{RULES|PS}
587  * Used to ask daemon to write its current config info to files.
588  *
589  * Request and return are handled the same as for the IKE_SVC_READ_*
590  * cmds; however, the rw_loc MUST be a user-supplied location.  Also,
591  * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
592  * only a single fd, for the file to which the config info should be
593  * written, should be passed in.
594  */
/*
 * Request for IKE_SVC_READ_* and IKE_SVC_WRITE_*.  With
 * IKE_RW_LOC_USER_SPEC the daemon reads from, or writes its configuration
 * to, descriptors the caller supplies -- the caller chooses the target,
 * and the daemon does the I/O with its own privileges, so door access
 * control is what bounds this.  WRITE_PS in particular emits preshared
 * keys; the destination fd should be treated as sensitive.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	rw_loc;		/* IKE_RW_LOC_* */
} ike_rw_t;
599 
600 
601 /*
602  * IKE_SVC_FLUSH_P1S
603  * Used to request and acknowledge tear-down of all P1 SAs.
604  */
/*
 * Request/ack for IKE_SVC_FLUSH_P1S: tears down every Phase 1 SA.  This is
 * disruptive (all peers must renegotiate), so it is an operation worth
 * auditing on the server side even though no extra privilege level gates it.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_flush_t;
608 
609 
610 /*
611  * IKE_SVC_ERROR
612  * Used on return if server encountered an error while processing
613  * the request.  An appropriate error code is included (as defined
614  * in this header file); in the case of IKE_ERR_SYS_ERR, a value
615  * from the UNIX errno space is included in the ike_err_unix field.
616  */
/*
 * Error reply: cmd is IKE_SVC_ERROR.  A client should check the reply's
 * cmd before interpreting the rest of the buffer as the expected type.
 */
typedef struct {
	ike_svccmd_t	cmd;		/* always IKE_SVC_ERROR */
	uint32_t	ike_err;	/* IKE_ERR_* */
	uint32_t	ike_err_unix;	/* errno; meaningful only for IKE_ERR_SYS_ERR */
	uint32_t	ike_err_reserved;
} ike_err_t;
623 
624 
625 /*
626  * Generic type for use when the request/reply type is unknown
627  */
/*
 * Common prefix of every message: read cmd through this type first, then
 * pick the matching member of ike_service_t.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_cmd_t;
631 
632 
633 /*
 * Union containing all possible request/return structures.
635  */
/*
 * Overlay of every fixed request/reply header.  Select the member by
 * svc_cmd.cmd; note a door buffer may be shorter than sizeof (this union)
 * for the small commands, so check the received size against the size
 * of the member you intend to read, not against the union.
 */
typedef union {
	ike_cmd_t	svc_cmd;
	ike_dbg_t	svc_dbg;
	ike_priv_t	svc_priv;
	ike_statreq_t	svc_stats;
	ike_dump_t	svc_dump;
	ike_get_t	svc_get;
	ike_new_t	svc_new;
	ike_del_t	svc_del;
	ike_rw_t	svc_rw;
	ike_flush_t	svc_flush;
	ike_err_t	svc_err;
} ike_service_t;
649 
650 #ifdef	__cplusplus
651 }
652 #endif
653 
654 #endif	/* _IKEDOOR_H */
655