1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 #ifndef _IKEDOOR_H
26 #define _IKEDOOR_H
27
28 #ifdef __cplusplus
29 extern "C" {
30 #endif
31
32 #include <limits.h>
33 #include <sys/sysmacros.h>
34 #include <net/pfkeyv2.h>
35 #include <door.h>
36
37 /*
38 * This version number is intended to stop the calling process from
39 * getting confused if a structure is changed and a mismatch occurs.
40 * This should be incremented each time a structure is changed.
41 */
42
43 /*
44 * The IKE process may be a 64-bit process, but ikeadm or any other IKE
45 * door consumer does not have to be. We need to be strict ala. PF_KEY or
46 * any on-the-wire-protocol with respect to structure fields offsets and
47 * alignment. Please make sure all structures are the same size on both
48 * 64-bit and 32-bit execution environments (or even other ones), and that
49 * apart from trivial 4-byte enums or base headers, that all structures are
50 * multiples of 8-bytes (64-bits).
51 */
52 #define DOORVER 4
53 #define DOORNM "/var/run/ike_door"
54
55
56 typedef enum {
57 IKE_SVC_GET_DBG,
58 IKE_SVC_SET_DBG,
59
60 IKE_SVC_GET_PRIV,
61 IKE_SVC_SET_PRIV,
62
63 IKE_SVC_GET_STATS,
64
65 IKE_SVC_GET_P1,
66 IKE_SVC_DEL_P1,
67 IKE_SVC_DUMP_P1S,
68 IKE_SVC_FLUSH_P1S,
69
70 IKE_SVC_GET_RULE,
71 IKE_SVC_NEW_RULE,
72 IKE_SVC_DEL_RULE,
73 IKE_SVC_DUMP_RULES,
74 IKE_SVC_READ_RULES,
75 IKE_SVC_WRITE_RULES,
76
77 IKE_SVC_GET_PS,
78 IKE_SVC_NEW_PS,
79 IKE_SVC_DEL_PS,
80 IKE_SVC_DUMP_PS,
81 IKE_SVC_READ_PS,
82 IKE_SVC_WRITE_PS,
83
84 IKE_SVC_DBG_RBDUMP,
85
86 IKE_SVC_GET_DEFS,
87
88 IKE_SVC_SET_PIN,
89 IKE_SVC_DEL_PIN,
90
91 IKE_SVC_DUMP_CERTCACHE,
92 IKE_SVC_FLUSH_CERTCACHE,
93
94 IKE_SVC_DUMP_GROUPS,
95 IKE_SVC_DUMP_ENCRALGS,
96 IKE_SVC_DUMP_AUTHALGS,
97
98 IKE_SVC_ERROR
99 } ike_svccmd_t;
100
101 /* DPD status */
102
103 typedef enum dpd_status {
104 DPD_NOT_INITIATED = 0,
105 DPD_IN_PROGRESS,
106 DPD_SUCCESSFUL,
107 DPD_FAILURE
108 } dpd_status_t;
109
110 #define IKE_SVC_MAX IKE_SVC_ERROR
111
112
113 /*
114 * Support structures/defines
115 */
116
117 #define IKEDOORROUNDUP(i) P2ROUNDUP((i), sizeof (uint64_t))
118
119 /*
120 * Debug categories. The debug level is a bitmask made up of
121 * flags indicating the desired categories; only 31 bits are
122 * available, as the highest-order bit designates an invalid
123 * setting.
124 */
125 #define D_INVALID 0x80000000
126
127 #define D_CERT 0x00000001 /* certificate management */
128 #define D_KEY 0x00000002 /* key management */
129 #define D_OP 0x00000004 /* operational: config, init, mem */
130 #define D_P1 0x00000008 /* phase 1 negotiation */
131 #define D_P2 0x00000010 /* phase 2 negotiation */
132 #define D_PFKEY 0x00000020 /* pf key interface */
133 #define D_POL 0x00000040 /* policy management */
134 #define D_PROP 0x00000080 /* proposal construction */
135 #define D_DOOR 0x00000100 /* door server */
136 #define D_CONFIG 0x00000200 /* config file processing */
137 #define D_LABEL 0x00000400 /* MAC labels */
138
139 #define D_HIGHBIT 0x00000400
140 #define D_ALL 0x000007ff
141
142 /*
143 * Access privilege levels: define level of access to keying information.
144 * The privileges granted at each level is a superset of the privileges
145 * granted at all lower levels.
146 *
147 * The door operations which require special privileges are:
148 *
149 * - receiving keying material for SAs and preshared key entries
150 * IKE_PRIV_KEYMAT must be set for this.
151 *
152 * - get/dump/new/delete/read/write preshared keys
153 * IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
154 * If IKE_PRIV_MODKEYS is set, the information returned for a
155 * get/dump request will not include the actual key; in order
156 * to get the key itself, IKE_PRIV_KEYMAT must be set.
157 *
158 * - modifying the privilege level: the daemon's privilege level
159 * is set when the daemon is started; the level may only be
160 * lowered via the door interface.
161 *
162 * All other operations are allowed at any privilege level.
163 */
164 #define IKE_PRIV_MINIMUM 0
165 #define IKE_PRIV_MODKEYS 1
166 #define IKE_PRIV_KEYMAT 2
167 #define IKE_PRIV_MAXIMUM 2
168
169 /* global ike stats formatting structure */
170 typedef struct {
171 uint32_t st_init_p1_current;
172 uint32_t st_resp_p1_current;
173 uint32_t st_init_p1_total;
174 uint32_t st_resp_p1_total;
175 uint32_t st_init_p1_attempts;
176 uint32_t st_resp_p1_attempts;
177 uint32_t st_init_p1_noresp; /* failed; no response from peer */
178 uint32_t st_init_p1_respfail; /* failed, but peer responded */
179 uint32_t st_resp_p1_fail;
180 uint32_t st_reserved;
181 char st_pkcs11_libname[PATH_MAX];
182 } ike_stats_t;
183
184 /* structure used to pass default values used by in.iked back to ikeadm */
185 typedef struct {
186 uint32_t rule_p1_lifetime_secs;
187 uint32_t rule_p1_minlife;
188 uint32_t rule_p1_nonce_len;
189 uint32_t rule_p2_lifetime_secs;
190 uint32_t rule_p2_softlife_secs;
191 uint32_t rule_p2_idletime_secs;
192 uint32_t sys_p2_lifetime_secs;
193 uint32_t sys_p2_softlife_secs;
194 uint32_t sys_p2_idletime_secs;
195 uint32_t rule_p2_lifetime_kb;
196 uint32_t rule_p2_softlife_kb;
197 uint32_t sys_p2_lifetime_bytes;
198 uint32_t sys_p2_softlife_bytes;
199 uint32_t rule_p2_minlife_hard_secs;
200 uint32_t rule_p2_minlife_soft_secs;
201 uint32_t rule_p2_minlife_idle_secs;
202 uint32_t rule_p2_minlife_hard_kb;
203 uint32_t rule_p2_minlife_soft_kb;
204 uint32_t rule_p2_maxlife_secs;
205 uint32_t rule_p2_maxlife_kb;
206 uint32_t rule_p2_nonce_len;
207 uint32_t rule_p2_pfs;
208 uint32_t rule_p2_mindiff_secs;
209 uint32_t rule_p2_mindiff_kb;
210 uint32_t conversion_factor; /* for secs to kbytes */
211 uint32_t rule_max_certs;
212 uint32_t rule_ike_port;
213 uint32_t rule_natt_port;
214 uint32_t defaults_reserved; /* For 64-bit alignment. */
215 } ike_defaults_t;
216
217 /* data formatting structures for P1 SA dumps */
218 typedef struct {
219 struct sockaddr_storage loc_addr;
220 struct sockaddr_storage rem_addr;
221 #define beg_iprange loc_addr
222 #define end_iprange rem_addr
223 } ike_addr_pr_t;
224
225 typedef struct {
226 uint64_t cky_i;
227 uint64_t cky_r;
228 } ike_cky_pr_t;
229
230 typedef struct {
231 ike_cky_pr_t p1hdr_cookies;
232 uint8_t p1hdr_major;
233 uint8_t p1hdr_minor;
234 uint8_t p1hdr_xchg;
235 uint8_t p1hdr_isinit;
236 uint32_t p1hdr_state;
237 boolean_t p1hdr_support_dpd;
238 dpd_status_t p1hdr_dpd_state;
239 uint64_t p1hdr_dpd_time;
240 } ike_p1_hdr_t;
241
242 /* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
243 #define IKE_XCHG_NONE 0
244 #define IKE_XCHG_BASE 1
245 #define IKE_XCHG_IDENTITY_PROTECT 2
246 #define IKE_XCHG_AUTH_ONLY 3
247 #define IKE_XCHG_AGGRESSIVE 4
248 /* following not from RFC; used only for preshared key definitions */
249 #define IKE_XCHG_IP_AND_AGGR 240
250 /* also not from RFC; used as wildcard */
251 #define IKE_XCHG_ANY 256
252
253 /* values for p1hdr_state */
254 #define IKE_SA_STATE_INVALID 0
255 #define IKE_SA_STATE_INIT 1
256 #define IKE_SA_STATE_SENT_SA 2
257 #define IKE_SA_STATE_SENT_KE 3
258 #define IKE_SA_STATE_SENT_LAST 4
259 #define IKE_SA_STATE_DONE 5
260 #define IKE_SA_STATE_DELETED 6
261
262 typedef struct {
263 uint16_t p1xf_dh_group;
264 uint16_t p1xf_encr_alg;
265 uint16_t p1xf_encr_low_bits;
266 uint16_t p1xf_encr_high_bits;
267 uint16_t p1xf_auth_alg;
268 uint16_t p1xf_auth_meth;
269 uint16_t p1xf_prf;
270 uint16_t p1xf_pfs;
271 uint32_t p1xf_max_secs;
272 uint32_t p1xf_max_kbytes;
273 uint32_t p1xf_max_keyuses;
274 uint32_t p1xf_reserved; /* Alignment to 64-bit. */
275 } ike_p1_xform_t;
276
277 /* values for p1xf_dh_group (aligned with RFC2409, Appendix A) */
278 #define IKE_GRP_DESC_MODP_768 1
279 #define IKE_GRP_DESC_MODP_1024 2
280 #define IKE_GRP_DESC_EC2N_155 3
281 #define IKE_GRP_DESC_EC2N_185 4
282 /* values for p1xf_dh_group (aligned with RFC3526) */
283 #define IKE_GRP_DESC_MODP_1536 5
284 #define IKE_GRP_DESC_MODP_2048 14
285 #define IKE_GRP_DESC_MODP_3072 15
286 #define IKE_GRP_DESC_MODP_4096 16
287 #define IKE_GRP_DESC_MODP_6144 17
288 #define IKE_GRP_DESC_MODP_8192 18
289 #define IKE_GRP_DESC_ECP_256 19
290 #define IKE_GRP_DESC_ECP_384 20
291 #define IKE_GRP_DESC_ECP_521 21
292 /* values for p1xf_dh_group (aligned with RFC5114) */
293 #define IKE_GRP_DESC_MODP_1024_160 22
294 #define IKE_GRP_DESC_MODP_2048_224 23
295 #define IKE_GRP_DESC_MODP_2048_256 24
296 #define IKE_GRP_DESC_ECP_192 25
297 #define IKE_GRP_DESC_ECP_224 26
298
299 /* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
300 #define IKE_AUTH_METH_PRE_SHARED_KEY 1
301 #define IKE_AUTH_METH_DSS_SIG 2
302 #define IKE_AUTH_METH_RSA_SIG 3
303 #define IKE_AUTH_METH_RSA_ENCR 4
304 #define IKE_AUTH_METH_RSA_ENCR_REVISED 5
305
306 /* values for p1xf_prf */
307 #define IKE_PRF_NONE 0
308 #define IKE_PRF_HMAC_MD5 1
309 #define IKE_PRF_HMAC_SHA1 2
310 #define IKE_PRF_HMAC_SHA256 5
311 #define IKE_PRF_HMAC_SHA384 6
312 #define IKE_PRF_HMAC_SHA512 7
313
314 typedef struct {
315 /*
316 * NOTE: the new and del counters count the actual number of SAs,
317 * not the number of "suites", as defined in the ike monitoring
318 * mib draft; we do this because we don't have a good way of
319 * tracking the deletion of entire suites (we're notified of
320 * deleted qm sas individually).
321 */
322 uint32_t p1stat_new_qm_sas;
323 uint32_t p1stat_del_qm_sas;
324 uint64_t p1stat_start;
325 uint32_t p1stat_kbytes;
326 uint32_t p1stat_keyuses;
327 } ike_p1_stats_t;
328
329 typedef struct {
330 uint32_t p1err_decrypt;
331 uint32_t p1err_hash;
332 uint32_t p1err_otherrx;
333 uint32_t p1err_tx;
334 } ike_p1_errors_t;
335
336 typedef struct {
337 uint32_t p1key_type;
338 uint32_t p1key_len;
339 /*
340 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
341 * 64-bit aligned (pad bytes are added at the end, if necessary,
342 * and NOT INCLUDED in the len value, which reflects the actual
343 * key size).
344 */
345 } ike_p1_key_t;
346
347 /* key info types for ike_p1_key_t struct */
348 #define IKE_KEY_PRESHARED 1
349 #define IKE_KEY_SKEYID 2
350 #define IKE_KEY_SKEYID_D 3
351 #define IKE_KEY_SKEYID_A 4
352 #define IKE_KEY_SKEYID_E 5
353 #define IKE_KEY_ENCR 6
354 #define IKE_KEY_IV 7
355
356 typedef struct {
357 ike_p1_hdr_t p1sa_hdr;
358 ike_p1_xform_t p1sa_xform;
359 ike_addr_pr_t p1sa_ipaddrs;
360 uint16_t p1sa_stat_off;
361 uint16_t p1sa_stat_len;
362 uint16_t p1sa_error_off;
363 uint16_t p1sa_error_len;
364 uint16_t p1sa_localid_off;
365 uint16_t p1sa_localid_len;
366 uint16_t p1sa_remoteid_off;
367 uint16_t p1sa_remoteid_len;
368 uint16_t p1sa_key_off;
369 uint16_t p1sa_key_len;
370 uint32_t p1sa_reserved;
371 /*
372 * variable-length structures will be included here, as
373 * indicated by offset/length fields.
374 * stats and errors will be formatted as ike_p1_stats_t and
375 * ike_p1_errors_t, respectively.
376 * key info will be formatted as a series of p1_key_t structs.
377 * local/remote ids will be formatted as sadb_ident_t structs.
378 */
379 } ike_p1_sa_t;
380
381
382 #define MAX_LABEL_LEN 256
383
384
385 /* data formatting structure for policy (rule) dumps */
386
387 typedef struct {
388 char rule_label[MAX_LABEL_LEN];
389 uint32_t rule_kmcookie;
390 uint16_t rule_ike_mode;
391 uint16_t rule_local_idtype; /* SADB_IDENTTYPE_* value */
392 uint32_t rule_p1_nonce_len;
393 uint32_t rule_p2_nonce_len;
394 uint32_t rule_p2_pfs;
395 uint32_t rule_p2_lifetime_secs;
396 uint32_t rule_p2_softlife_secs;
397 uint32_t rule_p2_idletime_secs;
398 uint32_t rule_p2_lifetime_kb;
399 uint32_t rule_p2_softlife_kb;
400 uint16_t rule_xform_cnt;
401 uint16_t rule_xform_off;
402 uint16_t rule_locip_cnt;
403 uint16_t rule_locip_off;
404 uint16_t rule_remip_cnt;
405 uint16_t rule_remip_off;
406 uint16_t rule_locid_inclcnt;
407 uint16_t rule_locid_exclcnt;
408 uint16_t rule_locid_off;
409 uint16_t rule_remid_inclcnt;
410 uint16_t rule_remid_exclcnt;
411 uint16_t rule_remid_off;
412 /*
413 * Followed by several lists of variable-length structures, described
414 * by counts and offsets:
415 * transforms ike_p1_xform_t structs
416 * ranges of local ip addrs ike_addr_pr_t structs
417 * ranges of remote ip addrs ike_addr_pr_t structs
418 * local identification strings null-terminated ascii strings
419 * remote identification strings null-terminated ascii strings
420 */
421 } ike_rule_t;
422
423 /* data formatting structure for DH group dumps */
424 typedef struct {
425 uint16_t group_number;
426 uint16_t group_bits;
427 char group_label[MAX_LABEL_LEN];
428 } ike_group_t;
429
430 /* data formatting structure for encryption algorithm dumps */
431 typedef struct {
432 uint_t encr_value;
433 char encr_name[MAX_LABEL_LEN];
434 int encr_keylen_min;
435 int encr_keylen_max;
436 } ike_encralg_t;
437
438 /* data formatting structure for authentication algorithm dumps */
439 typedef struct {
440 uint_t auth_value;
441 char auth_name[MAX_LABEL_LEN];
442 } ike_authalg_t;
443
444 /*
445 * data formatting structure for preshared keys
446 * ps_ike_mode field uses the IKE_XCHG_* defs
447 */
448 typedef struct {
449 ike_addr_pr_t ps_ipaddrs;
450 uint16_t ps_ike_mode;
451 uint16_t ps_localid_off;
452 uint16_t ps_localid_len;
453 uint16_t ps_remoteid_off;
454 uint16_t ps_remoteid_len;
455 uint16_t ps_key_off;
456 uint16_t ps_key_len;
457 uint16_t ps_key_bits;
458 int ps_localid_plen;
459 int ps_remoteid_plen;
460 /*
461 * followed by variable-length structures, as indicated by
462 * offset/length fields.
463 * key info will be formatted as an array of bytes.
464 * local/remote ids will be formatted as sadb_ident_t structs.
465 */
466 } ike_ps_t;
467
468 #define DN_MAX 1024
469 #define CERT_OFF_WIRE -1
470 #define CERT_NO_PRIVKEY 0
471 #define CERT_PRIVKEY_LOCKED 1
472 #define CERT_PRIVKEY_AVAIL 2
473
474 /*
475 * data formatting structure for cached certs
476 */
477 typedef struct {
478 uint32_t cache_id;
479 uint32_t certclass;
480 int linkage;
481 uint32_t certcache_padding; /* For 64-bit alignment. */
482 char subject[DN_MAX];
483 char issuer[DN_MAX];
484 } ike_certcache_t;
485
486 /* identification types */
487 #define IKE_ID_IDENT_PAIR 1
488 #define IKE_ID_ADDR_PAIR 2
489 #define IKE_ID_CKY_PAIR 3
490 #define IKE_ID_LABEL 4
491
492
493 /* locations for read/write requests */
494 #define IKE_RW_LOC_DEFAULT 1
495 #define IKE_RW_LOC_USER_SPEC 2
496
497
498 /* door interface error codes */
499 #define IKE_ERR_NO_OBJ 1 /* nothing found to match the request */
500 #define IKE_ERR_NO_DESC 2 /* fd was required with this request */
501 #define IKE_ERR_ID_INVALID 3 /* invalid id info was provided */
502 #define IKE_ERR_LOC_INVALID 4 /* invalid location info was provided */
503 #define IKE_ERR_CMD_INVALID 5 /* invalid command was provided */
504 #define IKE_ERR_DATA_INVALID 6 /* invalid data was provided */
505 #define IKE_ERR_CMD_NOTSUP 7 /* unsupported command */
506 #define IKE_ERR_REQ_INVALID 8 /* badly formatted request */
507 #define IKE_ERR_NO_PRIV 9 /* privilege level not high enough */
508 #define IKE_ERR_SYS_ERR 10 /* syserr occurred while processing */
509 #define IKE_ERR_DUP_IGNORED 11 /* attempt to add a duplicate entry */
510 #define IKE_ERR_NO_TOKEN 12 /* cannot login into pkcs#11 token */
511 #define IKE_ERR_NO_AUTH 13 /* not authorized */
512 #define IKE_ERR_IN_PROGRESS 14 /* operation already in progress */
513 #define IKE_ERR_NO_MEM 15 /* insufficient memory */
514
515
516 /*
517 * IKE_SVC_GET_DBG
518 * Used to request the current debug level.
519 *
520 * Upon request, dbg_level is 0 (don't care).
521 *
522 * Upon return, dbg_level contains the current value.
523 *
524 *
525 * IKE_SVC_SET_DBG
526 * Used to request modification of the debug level.
527 *
528 * Upon request, dbg_level contains desired level. If debug output is
529 * to be directed to a different file, the fd should be passed in the
530 * door_desc_t field of the door_arg_t param. NOTE: if the daemon is
531 * currently running in the background with no debug set, an output
532 * file MUST be given.
533 *
534 * Upon return, dbg_level contains the old debug level, and acknowledges
535 * successful completion of the request. If an error is encountered,
536 * ike_err_t is returned instead, with appropriate error value and cmd
537 * IKE_SVC_ERROR.
538 */
539 typedef struct {
540 ike_svccmd_t cmd;
541 uint32_t dbg_level;
542 } ike_dbg_t;
543
544 /*
545 * IKE_SVC_GET_PRIV
546 * Used to request the current privilege level.
547 *
548 * Upon request, priv_level is 0 (don't care).
549 *
550 * Upon return, priv_level contains the current value.
551 *
552 *
553 * IKE_SVC_SET_PRIV
554 * Used to request modification of the privilege level.
555 *
556 * Upon request, priv_level contains the desired level. The level may
557 * only be lowered via the door interface; it cannot be raised. Thus,
558 * if in.iked is started at the lowest level, it cannot be changed.
559 *
560 * Upon return, priv_level contains the old privilege level, and
561 * acknowledges successful completion of the request. If an error is
562 * encountered, ike_err_t is returned instead, with appropriate error
563 * value and cmd IKE_SVC_ERROR.
564 */
565 typedef struct {
566 ike_svccmd_t cmd;
567 uint32_t priv_level;
568 } ike_priv_t;
569
570
571 /*
572 * IKE_SVC_GET_STATS
573 * Used to request current statistics on Phase 1 SA creation and
574 * failures. The statistics represent all activity in in.iked.
575 *
576 * Upon request, cmd is set, and stat_len does not matter.
577 *
578 * Upon successful return, stat_len contains the total size of the
579 * returned buffer, which contains first the ike_statreq_t struct,
580 * followed by the stat data in the ike_stats_t structure. In case
581 * of an error in processing the request, ike_err_t is returned with
582 * IKE_SVC_ERROR command and appropriate error code.
583 */
584 typedef struct {
585 ike_svccmd_t cmd;
586 uint32_t stat_len;
587 } ike_statreq_t;
588
589 /*
590 * IKE_SVC_GET_DEFS
591 * Used to request default values from in.iked.
592 *
593 * Upon request, cmd is set, and stat_len does not matter.
594 *
595 * Upon successful return, stat_len contains the total size of the
596 * returned buffer, this contains a pair of ike_defaults_t's.
597 */
598 typedef struct {
599 ike_svccmd_t cmd;
600 uint32_t stat_len;
601 uint32_t version;
602 uint32_t defreq_reserved; /* For 64-bit alignment. */
603 } ike_defreq_t;
604
605 /*
606 * IKE_SVC_DUMP_{P1S|RULES|PS|CERTCACHE}
607 * Used to request a table dump, and to return info for a single table
608 * item. The expectation is that all of the table data will be passed
609 * through the door, one entry at a time; an individual request must be
610 * sent for each entry, however (the door server can't send unrequested
611 * data).
612 *
613 * Upon request: cmd is set, and dump_next contains the item number
614 * requested (0 for first request). dump_len is 0; no data follows.
615 *
616 * Upon return: cmd is set, and dump_next contains the item number of
617 * the *next* item in the table (to be used in the subsequent request).
618 * dump_next = 0 indicates that this is the last item in the table.
619 * dump_len is the total length (data + struct) returned. Data is
620 * formatted as indicated by the cmd type:
621 * IKE_SVC_DUMP_P1S: ike_p1_sa_t
622 * IKE_SVC_DUMP_RULES: ike_rule_t
623 * IKE_SVC_DUMP_PS: ike_ps_t
624 * IKE_SVC_DUMP_CERTCACHE: ike_certcache_t
625 */
626 typedef struct {
627 ike_svccmd_t cmd;
628 uint32_t dump_len;
629 union {
630 struct {
631 uint32_t dump_unext;
632 uint32_t dump_ureserved;
633 } dump_actual;
634 uint64_t dump_alignment;
635 } dump_u;
636 #define dump_next dump_u.dump_actual.dump_unext
637 #define dump_reserved dump_u.dump_actual.dump_ureserved
638 /* dump_len - sizeof (ike_dump_t) bytes of data included here */
639 } ike_dump_t;
640
641
642 /*
643 * IKE_SVC_GET_{P1|RULE|PS}
644 * Used to request and return individual table items.
645 *
646 * Upon request: get_len is the total msg length (struct + id data);
647 * get_idtype indicates the type of identification being used.
648 * IKE_SVC_GET_P1: ike_addr_pr_t or ike_cky_pr_t
649 * IKE_SVC_GET_RULE: char string (label)
650 * IKE_SVC_GET_PS: ike_addr_pr_t or pair of sadb_ident_t
651 *
652 * Upon return: get_len is the total size (struct + data), get_idtype
653 * is unused, and the data that follows is formatted according to cmd:
654 * IKE_SVC_GET_P1: ike_p1_sa_t
655 * IKE_SVC_GET_RULE: ike_rule_t
656 * IKE_SVC_GET_PS: ike_ps_t
657 */
658 typedef struct {
659 ike_svccmd_t cmd;
660 uint32_t get_len;
661 union {
662 struct {
663 uint32_t getu_idtype;
664 uint32_t getu_reserved;
665 } get_actual;
666 uint64_t get_alignment;
667 } get_u;
668 #define get_idtype get_u.get_actual.getu_idtype
669 #define get_reserved get_u.get_actual.getu_reserved
670 /* get_len - sizeof (ike_get_t) bytes of data included here */
671 } ike_get_t;
672
673
674 /*
675 * IKE_SVC_NEW_{RULE|PS}
676 * Used to request and acknowledge insertion of a table item.
677 *
678 * Upon request: new_len is the total (data + struct) size passed, or 0.
679 * new_len = 0 => a door_desc_t is also included with a file descriptor
680 * for a file containing the data to be added. The file should include
681 * a single item: a rule, or a pre-shared key. For new_len != 0, the
682 * data is formatted according to the cmd type:
683 * IKE_SVC_NEW_RULE: ike_rule_t
684 * IKE_SVC_NEW_PS: ike_ps_t
685 *
686 * Upon return: new_len is 0; simply acknowledges successful insertion
687 * of the requested item. If insertion is not successful, ike_err_t is
688 * returned instead with appropriate error value.
689 */
690 typedef struct {
691 ike_svccmd_t cmd;
692 uint32_t new_len;
693 /* new_len - sizeof (ike_new_t) bytes included here */
694 uint64_t new_align; /* Padding for 64-bit alignment. */
695 } ike_new_t;
696
697
698 /*
699 * IKE_SVC_DEL_{P1|RULE|PS}
700 * Used to request and acknowledge the deletion of an individual table
701 * item.
702 *
703 * Upon request: del_len is the total msg length (struct + id data);
704 * del_idtype indicates the type of identification being used.
705 * IKE_SVC_DEL_P1: ike_addr_pr_t or ike_cky_pr_t
706 * IKE_SVC_DEL_RULE: char string (label)
707 * IKE_SVC_DEL_PS: ike_addr_pr_t or pair of sadb_ident_t
708 *
709 * Upon return: acknowledges deletion of the requested item; del_len and
710 * del_idtype are unspecified. If deletion is not successful, ike_err_t
711 * is returned instead with appropriate error value.
712 */
713 typedef struct {
714 ike_svccmd_t cmd;
715 uint32_t del_len;
716 uint32_t del_idtype;
717 uint32_t del_reserved;
718 /* del_len - sizeof (ike_del_t) bytes of data included here. */
719 } ike_del_t;
720
721
722 /*
723 * IKE_SVC_READ_{RULES|PS}
724 * Used to ask daemon to re-read particular configuration info.
725 *
726 * Upon request: rw_loc indicates where the info should be read from:
727 * either from a user-supplied file descriptor(s), or from the default
728 * location(s). If rw_loc indicates user-supplied location, the file
729 * descriptor(s) should be passed in the door_desc_t struct. For the
730 * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
731 * first, one for the config file which contains the data to be read,
732 * and second, one for the cookie file which will be written to as
733 * in.iked process the config file.
734 *
735 * Upon return: rw_loc is unspecified; the message simply acknowledges
736 * successful completion of the request. If an error occurred,
737 * ike_err_t is returned instead with appropriate error value.
738 *
739 *
740 * IKE_SVC_WRITE_{RULES|PS}
741 * Used to ask daemon to write its current config info to files.
742 *
743 * Request and return are handled the same as for the IKE_SVC_READ_*
744 * cmds; however, the rw_loc MUST be a user-supplied location. Also,
745 * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
746 * only a single fd, for the file to which the config info should be
747 * written, should be passed in.
748 */
749 typedef struct {
750 ike_svccmd_t cmd;
751 uint32_t rw_loc;
752 } ike_rw_t;
753
754
755 /*
756 * IKE_SVC_FLUSH_P1S
757 * IKE_SVC_FLUSH_CERTCACHE
758 *
759 * Used to request and acknowledge tear-down of all P1 SAs
760 * or to flush the certificate cache.
761 */
762 typedef struct {
763 ike_svccmd_t cmd;
764 } ike_flush_t;
765
766
767 #ifndef PKCS11_TOKSIZE
768 #define PKCS11_TOKSIZE 32
769 #endif
770 #define MAX_PIN_LEN 256
771 /*
772 * IKE_SVC_SET_PIN
773 * IKE_SVC_DEL_PIN
774 *
775 * Used to supply a pin for a PKCS#11 tokenj object.
776 *
777 */
778 typedef struct {
779 ike_svccmd_t cmd;
780 uint32_t pin_reserved; /* For 64-bit alignment. */
781 char pkcs11_token[PKCS11_TOKSIZE];
782 uchar_t token_pin[MAX_PIN_LEN];
783 } ike_pin_t;
784
785 /*
786 * IKE_SVC_ERROR
787 * Used on return if server encountered an error while processing
788 * the request. An appropriate error code is included (as defined
789 * in this header file); in the case of IKE_ERR_SYS_ERR, a value
790 * from the UNIX errno space is included in the ike_err_unix field.
791 */
792 typedef struct {
793 ike_svccmd_t cmd;
794 uint32_t ike_err;
795 uint32_t ike_err_unix;
796 uint32_t ike_err_reserved;
797 } ike_err_t;
798
799 /*
800 * Generic type for use when the request/reply type is unknown
801 */
802 typedef struct {
803 ike_svccmd_t cmd;
804 } ike_cmd_t;
805
806
807 /*
808 * Union containing all possible request/return structures.
809 */
810 typedef union {
811 ike_cmd_t svc_cmd;
812 ike_dbg_t svc_dbg;
813 ike_priv_t svc_priv;
814 ike_statreq_t svc_stats;
815 ike_dump_t svc_dump;
816 ike_get_t svc_get;
817 ike_new_t svc_new;
818 ike_del_t svc_del;
819 ike_rw_t svc_rw;
820 ike_flush_t svc_flush;
821 ike_pin_t svc_pin;
822 ike_err_t svc_err;
823 ike_defreq_t svc_defaults;
824 } ike_service_t;
825
826 #ifdef __cplusplus
827 }
828 #endif
829
830 #endif /* _IKEDOOR_H */