1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 #ifndef _IKEDOOR_H
26 #define _IKEDOOR_H
27
28 #ifdef __cplusplus
29 extern "C" {
30 #endif
31
32 #include <limits.h>
33 #include <sys/sysmacros.h>
34 #include <net/pfkeyv2.h>
35 #include <door.h>
36 #include <sys/socket.h>
37
38 /*
 * This version number (DOORVER, below) is intended to stop the calling
 * process from getting confused if a structure is changed and a mismatch
 * occurs. It should be incremented each time a structure is changed.
42 */
43
44 /*
 * The IKE process may be a 64-bit process, but ikeadm or any other IKE
 * door consumer does not have to be. We need to be as strict as PF_KEY or
 * any on-the-wire protocol with respect to structure field offsets and
 * alignment. Please make sure all structures are the same size on both
 * 64-bit and 32-bit execution environments (or even other ones), and that,
 * apart from trivial 4-byte enums or base headers, all structures are
 * multiples of 8 bytes (64 bits).
52 */
/*
 * DOORVER is the structure-version number described above: a door
 * consumer and in.iked must agree on it before either side interprets
 * any structure in this file.  Of the request types below, only
 * ike_defreq_t carries an explicit version field; presumably that is
 * where DOORVER travels — confirm against the daemon.
 * DOORNM is the filesystem path of the door itself.
 */
#define	DOORVER	4
#define	DOORNM	"/var/run/ike_door"
55
56
/*
 * Door command codes.  Every request and reply begins with one of these
 * (see ike_cmd_t below).  The request/reply structure for each command
 * is documented alongside that structure later in this file; the
 * per-entry comments here only point at it.
 */
typedef enum {
	IKE_SVC_GET_DBG,		/* ike_dbg_t */
	IKE_SVC_SET_DBG,		/* ike_dbg_t */

	IKE_SVC_GET_PRIV,		/* ike_priv_t */
	IKE_SVC_SET_PRIV,		/* ike_priv_t */

	IKE_SVC_GET_STATS,		/* ike_statreq_t; reply carries ike_stats_t */

	IKE_SVC_GET_P1,			/* ike_get_t; reply carries ike_p1_sa_t */
	IKE_SVC_DEL_P1,			/* ike_del_t */
	IKE_SVC_DUMP_P1S,		/* ike_dump_t; entries are ike_p1_sa_t */
	IKE_SVC_FLUSH_P1S,		/* ike_flush_t */

	IKE_SVC_GET_RULE,		/* ike_get_t; reply carries ike_rule_t */
	IKE_SVC_NEW_RULE,		/* ike_new_t */
	IKE_SVC_DEL_RULE,		/* ike_del_t */
	IKE_SVC_DUMP_RULES,		/* ike_dump_t; entries are ike_rule_t */
	IKE_SVC_READ_RULES,		/* ike_rw_t */
	IKE_SVC_WRITE_RULES,		/* ike_rw_t */

	IKE_SVC_GET_PS,			/* ike_get_t; reply carries ike_ps_t */
	IKE_SVC_NEW_PS,			/* ike_new_t */
	IKE_SVC_DEL_PS,			/* ike_del_t */
	IKE_SVC_DUMP_PS,		/* ike_dump_t; entries are ike_ps_t */
	IKE_SVC_READ_PS,		/* ike_rw_t */
	IKE_SVC_WRITE_PS,		/* ike_rw_t */

	IKE_SVC_DBG_RBDUMP,		/* no request structure is documented here */

	IKE_SVC_GET_DEFS,		/* ike_defreq_t; reply carries ike_defaults_t */

	IKE_SVC_SET_PIN,		/* ike_pin_t */
	IKE_SVC_DEL_PIN,		/* ike_pin_t */

	IKE_SVC_DUMP_CERTCACHE,		/* ike_dump_t; entries are ike_certcache_t */
	IKE_SVC_FLUSH_CERTCACHE,	/* ike_flush_t */

	/*
	 * Presumably ike_dump_t requests as well (the ike_dump_t comment
	 * below lists only P1S/RULES/PS/CERTCACHE); the per-entry data
	 * types are ike_group_t, ike_encralg_t and ike_authalg_t.
	 */
	IKE_SVC_DUMP_GROUPS,
	IKE_SVC_DUMP_ENCRALGS,
	IKE_SVC_DUMP_AUTHALGS,

	IKE_SVC_ERROR			/* reply only: ike_err_t; also IKE_SVC_MAX */
} ike_svccmd_t;
101
102 /* DPD status */
103
/*
 * Dead Peer Detection state of a Phase 1 SA, as reported in
 * ike_p1_hdr_t.p1hdr_dpd_state (the time of the last probe is in
 * p1hdr_dpd_time).
 */
typedef enum dpd_status {
	DPD_NOT_INITIATED = 0,	/* no DPD exchange has been started */
	DPD_IN_PROGRESS,	/* a DPD exchange is outstanding */
	DPD_SUCCESSFUL,		/* the peer answered */
	DPD_FAILURE		/* the peer did not answer */
} dpd_status_t;
110
111 #define IKE_SVC_MAX IKE_SVC_ERROR
112
113
114 /*
115 * Support structures/defines
116 */
117
118 #define IKEDOORROUNDUP(i) P2ROUNDUP((i), sizeof (uint64_t))
119
120 /*
121 * Debug categories. The debug level is a bitmask made up of
122 * flags indicating the desired categories; only 31 bits are
123 * available, as the highest-order bit designates an invalid
124 * setting.
125 */
#define	D_INVALID	0x80000000	/* high bit: never a valid level */

#define	D_CERT		0x00000001	/* certificate management */
#define	D_KEY		0x00000002	/* key management */
#define	D_OP		0x00000004	/* operational: config, init, mem */
#define	D_P1		0x00000008	/* phase 1 negotiation */
#define	D_P2		0x00000010	/* phase 2 negotiation */
#define	D_PFKEY		0x00000020	/* pf key interface */
#define	D_POL		0x00000040	/* policy management */
#define	D_PROP		0x00000080	/* proposal construction */
#define	D_DOOR		0x00000100	/* door server */
#define	D_CONFIG	0x00000200	/* config file processing */
#define	D_LABEL		0x00000400	/* MAC labels */

/*
 * D_HIGHBIT is the highest category bit currently assigned (the same
 * value as D_LABEL) and D_ALL is the OR of every category above.  Both
 * must be updated whenever a category is added.  Bits above D_HIGHBIT
 * and below D_INVALID are unassigned.
 */
#define	D_HIGHBIT	0x00000400
#define	D_ALL		0x000007ff
142
143 /*
144 * Access privilege levels: define level of access to keying information.
 * The privileges granted at each level are a superset of the privileges
 * granted at all lower levels.
147 *
148 * The door operations which require special privileges are:
149 *
150 * - receiving keying material for SAs and preshared key entries
151 * IKE_PRIV_KEYMAT must be set for this.
152 *
153 * - get/dump/new/delete/read/write preshared keys
154 * IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
155 * If IKE_PRIV_MODKEYS is set, the information returned for a
156 * get/dump request will not include the actual key; in order
157 * to get the key itself, IKE_PRIV_KEYMAT must be set.
158 *
159 * - modifying the privilege level: the daemon's privilege level
160 * is set when the daemon is started; the level may only be
161 * lowered via the door interface.
162 *
163 * All other operations are allowed at any privilege level.
164 */
/*
 * Privilege levels; the discussion above says what each one unlocks.
 * Values are carried in ike_priv_t.priv_level and can only be lowered
 * through the door.
 */
#define	IKE_PRIV_MINIMUM	0	/* no keying-material or preshared-key access */
#define	IKE_PRIV_MODKEYS	1	/* manage preshared keys, key bytes withheld */
#define	IKE_PRIV_KEYMAT		2	/* also receive keying material and key bytes */
#define	IKE_PRIV_MAXIMUM	2	/* same as IKE_PRIV_KEYMAT */
169
170 /* global ike stats formatting structure */
/*
 * global ike stats formatting structure
 *
 * Returned immediately after the ike_statreq_t in the reply to
 * IKE_SVC_GET_STATS; covers all activity in in.iked.  The init_*
 * counters cover exchanges this side initiated and the resp_* counters
 * those the peer initiated (as the noresp/respfail comments imply).
 */
typedef struct {
	uint32_t	st_init_p1_current;
	uint32_t	st_resp_p1_current;
	uint32_t	st_init_p1_total;
	uint32_t	st_resp_p1_total;
	uint32_t	st_init_p1_attempts;
	uint32_t	st_resp_p1_attempts;
	uint32_t	st_init_p1_noresp;	/* failed; no response from peer */
	uint32_t	st_init_p1_respfail;	/* failed, but peer responded */
	uint32_t	st_resp_p1_fail;
	uint32_t	st_reserved;		/* presumably padding; keeps the counters at 40 bytes */
	/*
	 * PKCS#11 provider path.  Nothing here guarantees NUL termination;
	 * a consumer should bound its reads to PATH_MAX.
	 */
	char		st_pkcs11_libname[PATH_MAX];
} ike_stats_t;
184
185 /* structure used to pass default values used by in.iked back to ikeadm */
/*
 * structure used to pass default values used by in.iked back to ikeadm
 *
 * The reply to IKE_SVC_GET_DEFS carries a pair of these after the
 * ike_defreq_t; which of the pair is which is not stated in this file.
 * rule_* values are per-rule defaults, sys_* values system-wide ones.
 *
 * NOTE(review): there are 29 uint32_t members, so sizeof is 116 bytes,
 * not a multiple of 8 as the preamble asks, despite the comment on
 * defaults_reserved.  Every member is 4-byte aligned so consumers are
 * not affected; confirm before adding fields.
 */
typedef struct {
	uint32_t	rule_p1_lifetime_secs;
	uint32_t	rule_p1_minlife;
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	rule_p2_idletime_secs;
	uint32_t	sys_p2_lifetime_secs;
	uint32_t	sys_p2_softlife_secs;
	uint32_t	sys_p2_idletime_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint32_t	sys_p2_lifetime_bytes;
	uint32_t	sys_p2_softlife_bytes;
	uint32_t	rule_p2_minlife_hard_secs;
	uint32_t	rule_p2_minlife_soft_secs;
	uint32_t	rule_p2_minlife_idle_secs;
	uint32_t	rule_p2_minlife_hard_kb;
	uint32_t	rule_p2_minlife_soft_kb;
	uint32_t	rule_p2_maxlife_secs;
	uint32_t	rule_p2_maxlife_kb;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;		/* presumably a DH group number (IKE_GRP_DESC_*) or 0 — confirm */
	uint32_t	rule_p2_mindiff_secs;
	uint32_t	rule_p2_mindiff_kb;
	uint32_t	conversion_factor;	/* for secs to kbytes */
	uint32_t	rule_max_certs;
	uint32_t	rule_ike_port;
	uint32_t	rule_natt_port;
	uint32_t	defaults_reserved;	/* For 64-bit alignment. */
} ike_defaults_t;
217
218 /* data formatting structures for P1 SA dumps */
/*
 * data formatting structures for P1 SA dumps
 *
 * A pair of socket addresses.  Used as a local/remote pair in
 * ike_p1_sa_t and ike_ps_t, and — through the beg_iprange/end_iprange
 * aliases — as an address range in the ike_rule_t address lists.
 * Also one of the identifier forms accepted by IKE_SVC_GET_P1/DEL_P1
 * and GET_PS/DEL_PS (IKE_ID_ADDR_PAIR).
 */
typedef struct {
	struct sockaddr_storage	loc_addr;
	struct sockaddr_storage	rem_addr;
#define	beg_iprange	loc_addr
#define	end_iprange	rem_addr
} ike_addr_pr_t;
225
/*
 * Initiator/responder ISAKMP cookies of a Phase 1 SA.  Embedded in
 * ike_p1_hdr_t and accepted as an identifier by IKE_SVC_GET_P1 and
 * IKE_SVC_DEL_P1 (IKE_ID_CKY_PAIR).
 */
typedef struct {
	uint64_t	cky_i;
	uint64_t	cky_r;
} ike_cky_pr_t;
230
/*
 * Fixed header of a Phase 1 SA report (first member of ike_p1_sa_t).
 */
typedef struct {
	ike_cky_pr_t	p1hdr_cookies;
	uint8_t		p1hdr_major;		/* presumably ISAKMP major version */
	uint8_t		p1hdr_minor;		/* presumably ISAKMP minor version */
	uint8_t		p1hdr_xchg;		/* IKE_XCHG_*; 8 bits, so never IKE_XCHG_ANY */
	uint8_t		p1hdr_isinit;		/* presumably nonzero if this side initiated */
	uint32_t	p1hdr_state;		/* IKE_SA_STATE_* */
	boolean_t	p1hdr_support_dpd;	/* peer advertised DPD support */
	dpd_status_t	p1hdr_dpd_state;	/* DPD_* */
	uint64_t	p1hdr_dpd_time;		/* units/epoch not stated here */
} ike_p1_hdr_t;
242
243 /* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
/* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
#define	IKE_XCHG_NONE			0
#define	IKE_XCHG_BASE			1
#define	IKE_XCHG_IDENTITY_PROTECT	2
#define	IKE_XCHG_AUTH_ONLY		3
#define	IKE_XCHG_AGGRESSIVE		4
/* following not from RFC; used only for preshared key definitions */
#define	IKE_XCHG_IP_AND_AGGR		240
/*
 * also not from RFC; used as wildcard.  256 does not fit the 8-bit
 * p1hdr_xchg field; it is meaningful only in the 16-bit ps_ike_mode
 * and rule_ike_mode fields, which also take these values.
 */
#define	IKE_XCHG_ANY			256
253
254 /* values for p1hdr_state */
/*
 * values for p1hdr_state.  The SENT_* values track how far the
 * exchange has progressed; DONE is an established SA and DELETED one
 * that is being torn down.
 */
#define	IKE_SA_STATE_INVALID	0
#define	IKE_SA_STATE_INIT	1
#define	IKE_SA_STATE_SENT_SA	2
#define	IKE_SA_STATE_SENT_KE	3
#define	IKE_SA_STATE_SENT_LAST	4
#define	IKE_SA_STATE_DONE	5
#define	IKE_SA_STATE_DELETED	6
262
/*
 * A Phase 1 transform: the algorithm suite and lifetimes of a Phase 1
 * SA (ike_p1_sa_t.p1sa_xform) or of one entry in an ike_rule_t
 * transform list.  The numeric algorithm identifiers are the on-the-wire
 * values from the RFCs cited below.
 */
typedef struct {
	uint16_t	p1xf_dh_group;		/* IKE_GRP_DESC_* */
	uint16_t	p1xf_encr_alg;		/* encryption algorithm; see ike_encralg_t dumps */
	uint16_t	p1xf_encr_low_bits;	/* presumably key-length range in bits — confirm */
	uint16_t	p1xf_encr_high_bits;
	uint16_t	p1xf_auth_alg;		/* authentication algorithm; see ike_authalg_t dumps */
	uint16_t	p1xf_auth_meth;		/* IKE_AUTH_METH_* */
	uint16_t	p1xf_prf;		/* IKE_PRF_* */
	uint16_t	p1xf_pfs;		/* presumably a DH group for Phase 2 PFS, 0 if none — confirm */
	uint32_t	p1xf_max_secs;		/* SA lifetime in seconds */
	uint32_t	p1xf_max_kbytes;	/* SA lifetime in kilobytes */
	uint32_t	p1xf_max_keyuses;	/* SA lifetime in key uses */
	uint32_t	p1xf_reserved;		/* Alignment to 64-bit. */
} ike_p1_xform_t;
277
278 /* values for p1xf_dh_group (aligned with RFC2409, Appendix A) */
/*
 * values for p1xf_dh_group (aligned with RFC2409, Appendix A)
 *
 * NOTE(review): the early groups and the MD5 PRF below are kept for
 * wire compatibility; whether in.iked still negotiates them is not
 * visible from this header.
 */
#define	IKE_GRP_DESC_MODP_768		1
#define	IKE_GRP_DESC_MODP_1024		2
#define	IKE_GRP_DESC_EC2N_155		3
#define	IKE_GRP_DESC_EC2N_185		4
/* values for p1xf_dh_group (aligned with RFC3526) */
#define	IKE_GRP_DESC_MODP_1536		5
#define	IKE_GRP_DESC_MODP_2048		14
#define	IKE_GRP_DESC_MODP_3072		15
#define	IKE_GRP_DESC_MODP_4096		16
#define	IKE_GRP_DESC_MODP_6144		17
#define	IKE_GRP_DESC_MODP_8192		18
#define	IKE_GRP_DESC_ECP_256		19
#define	IKE_GRP_DESC_ECP_384		20
#define	IKE_GRP_DESC_ECP_521		21
/* values for p1xf_dh_group (aligned with RFC5114) */
#define	IKE_GRP_DESC_MODP_1024_160	22
#define	IKE_GRP_DESC_MODP_2048_224	23
#define	IKE_GRP_DESC_MODP_2048_256	24
#define	IKE_GRP_DESC_ECP_192		25
#define	IKE_GRP_DESC_ECP_224		26

/* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
#define	IKE_AUTH_METH_PRE_SHARED_KEY	1
#define	IKE_AUTH_METH_DSS_SIG		2
#define	IKE_AUTH_METH_RSA_SIG		3
#define	IKE_AUTH_METH_RSA_ENCR		4
#define	IKE_AUTH_METH_RSA_ENCR_REVISED	5

/* values for p1xf_prf; 3 and 4 are intentionally unassigned here */
#define	IKE_PRF_NONE		0
#define	IKE_PRF_HMAC_MD5	1
#define	IKE_PRF_HMAC_SHA1	2
#define	IKE_PRF_HMAC_SHA256	5
#define	IKE_PRF_HMAC_SHA384	6
#define	IKE_PRF_HMAC_SHA512	7
314
/*
 * Per-Phase-1-SA statistics, located by p1sa_stat_off/p1sa_stat_len
 * in ike_p1_sa_t.
 */
typedef struct {
	/*
	 * NOTE: the new and del counters count the actual number of SAs,
	 * not the number of "suites", as defined in the ike monitoring
	 * mib draft; we do this because we don't have a good way of
	 * tracking the deletion of entire suites (we're notified of
	 * deleted qm sas individually).
	 */
	uint32_t	p1stat_new_qm_sas;	/* quick-mode SAs created under this P1 SA */
	uint32_t	p1stat_del_qm_sas;	/* quick-mode SAs deleted under this P1 SA */
	uint64_t	p1stat_start;		/* SA start time; units/epoch not stated here */
	uint32_t	p1stat_kbytes;		/* traffic so far, compare p1xf_max_kbytes */
	uint32_t	p1stat_keyuses;		/* key uses so far, compare p1xf_max_keyuses */
} ike_p1_stats_t;
329
/*
 * Per-Phase-1-SA error counters, located by p1sa_error_off/
 * p1sa_error_len in ike_p1_sa_t.  The rx counters are useful
 * detection signals: a rising decrypt or hash count on one SA means
 * the peer (or someone spoofing it) is sending messages we reject.
 */
typedef struct {
	uint32_t	p1err_decrypt;	/* received messages that failed to decrypt */
	uint32_t	p1err_hash;	/* received messages with a bad hash */
	uint32_t	p1err_otherrx;	/* other receive-side failures */
	uint32_t	p1err_tx;	/* transmit failures */
} ike_p1_errors_t;
336
/*
 * Header of one piece of Phase 1 keying material.  A run of these
 * follows ike_p1_sa_t at p1sa_key_off; the run is only returned when
 * the caller holds IKE_PRIV_KEYMAT (see the privilege discussion
 * above).  A consumer walking the run presumably advances by
 * sizeof (ike_p1_key_t) + IKEDOORROUNDUP(p1key_len) — confirm — and
 * should scrub any buffer that held these bytes once done with it.
 */
typedef struct {
	uint32_t	p1key_type;	/* IKE_KEY_* */
	uint32_t	p1key_len;	/* actual key bytes, excluding pad */
	/*
	 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
	 * 64-bit aligned (pad bytes are added at the end, if necessary,
	 * and NOT INCLUDED in the len value, which reflects the actual
	 * key size).
	 */
} ike_p1_key_t;
347
348 /* key info types for ike_p1_key_t struct */
/*
 * key info types for ike_p1_key_t struct.  The SKEYID* values are the
 * RFC2409 Phase 1 key derivations; ENCR and IV are the working
 * encryption key and IV.
 */
#define	IKE_KEY_PRESHARED	1
#define	IKE_KEY_SKEYID		2
#define	IKE_KEY_SKEYID_D	3
#define	IKE_KEY_SKEYID_A	4
#define	IKE_KEY_SKEYID_E	5
#define	IKE_KEY_ENCR		6
#define	IKE_KEY_IV		7
356
/*
 * One Phase 1 SA as returned for IKE_SVC_GET_P1 and IKE_SVC_DUMP_P1S.
 * The fixed part is followed by variable-length sections located by
 * the *_off/*_len pairs.  Before touching any section a consumer must
 * check that off + len lies inside the enclosing message (get_len or
 * dump_len); the base the offsets are measured from is not stated here
 * — presumably the start of this struct, confirm against in.iked.
 */
typedef struct {
	ike_p1_hdr_t	p1sa_hdr;		/* cookies, version, exchange, state, DPD */
	ike_p1_xform_t	p1sa_xform;		/* transform in use */
	ike_addr_pr_t	p1sa_ipaddrs;		/* local/remote addresses */
	uint16_t	p1sa_stat_off;		/* ike_p1_stats_t */
	uint16_t	p1sa_stat_len;
	uint16_t	p1sa_error_off;		/* ike_p1_errors_t */
	uint16_t	p1sa_error_len;
	uint16_t	p1sa_localid_off;	/* sadb_ident_t */
	uint16_t	p1sa_localid_len;
	uint16_t	p1sa_remoteid_off;	/* sadb_ident_t */
	uint16_t	p1sa_remoteid_len;
	uint16_t	p1sa_key_off;		/* ike_p1_key_t run; needs IKE_PRIV_KEYMAT */
	uint16_t	p1sa_key_len;		/* 0 when no key data is returned */
	uint32_t	p1sa_reserved;		/* alignment padding */
	/*
	 * variable-length structures will be included here, as
	 * indicated by offset/length fields.
	 * stats and errors will be formatted as ike_p1_stats_t and
	 * ike_p1_errors_t, respectively.
	 * key info will be formatted as a series of p1_key_t structs.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_p1_sa_t;
381
382
383 #define MAX_LABEL_LEN 256
384
385
386 /* data formatting structure for policy (rule) dumps */
387
/*
 * data formatting structure for policy (rule) dumps
 *
 * One policy rule, as returned by IKE_SVC_GET_RULE / IKE_SVC_DUMP_RULES
 * and supplied to IKE_SVC_NEW_RULE.  The fixed part is followed by
 * lists located by cnt/off pairs; a consumer must check that
 * off + cnt * element size stays inside the enclosing message before
 * walking a list.  The base of the offsets is not stated here —
 * presumably the start of this struct, confirm against in.iked.
 */
typedef struct {
	char		rule_label[MAX_LABEL_LEN];	/* also the IKE_ID_LABEL identifier */
	uint32_t	rule_kmcookie;		/* key-management cookie; opaque here */
	uint16_t	rule_ike_mode;		/* IKE_XCHG_* */
	uint16_t	rule_local_idtype;	/* SADB_IDENTTYPE_* value */
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	rule_p2_idletime_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint16_t	rule_xform_cnt;		/* ike_p1_xform_t list */
	uint16_t	rule_xform_off;
	uint16_t	rule_locip_cnt;		/* ike_addr_pr_t ranges (beg/end_iprange) */
	uint16_t	rule_locip_off;
	uint16_t	rule_remip_cnt;		/* ike_addr_pr_t ranges (beg/end_iprange) */
	uint16_t	rule_remip_off;
	uint16_t	rule_locid_inclcnt;	/* strings; incl/excl split presumably in that order — confirm */
	uint16_t	rule_locid_exclcnt;
	uint16_t	rule_locid_off;
	uint16_t	rule_remid_inclcnt;
	uint16_t	rule_remid_exclcnt;
	uint16_t	rule_remid_off;
	/*
	 * Followed by several lists of variable-length structures, described
	 * by counts and offsets:
	 * transforms				ike_p1_xform_t structs
	 * ranges of local ip addrs		ike_addr_pr_t structs
	 * ranges of remote ip addrs		ike_addr_pr_t structs
	 * local identification strings		null-terminated ascii strings
	 * remote identification strings	null-terminated ascii strings
	 */
} ike_rule_t;
423
424 /* data formatting structure for DH group dumps */
/*
 * data formatting structure for DH group dumps
 *
 * One entry returned for IKE_SVC_DUMP_GROUPS.
 */
typedef struct {
	uint16_t	group_number;		/* IKE_GRP_DESC_* */
	uint16_t	group_bits;		/* group size in bits */
	char		group_label[MAX_LABEL_LEN];	/* human-readable name */
} ike_group_t;
430
431 /* data formatting structure for encryption algorithm dumps */
/*
 * data formatting structure for encryption algorithm dumps
 *
 * One entry returned for IKE_SVC_DUMP_ENCRALGS.  Note the non-fixed
 * width uint_t/int members; the size rules above rely on these being
 * 4 bytes on every supported execution environment.
 */
typedef struct {
	uint_t		encr_value;		/* algorithm number, as in p1xf_encr_alg */
	char		encr_name[MAX_LABEL_LEN];	/* human-readable name */
	int		encr_keylen_min;	/* presumably bits, as p1xf_encr_low_bits — confirm */
	int		encr_keylen_max;
} ike_encralg_t;
438
439 /* data formatting structure for authentication algorithm dumps */
/*
 * data formatting structure for authentication algorithm dumps
 *
 * One entry returned for IKE_SVC_DUMP_AUTHALGS.  uint_t is not a
 * fixed-width type; the size rules above rely on it being 4 bytes.
 */
typedef struct {
	uint_t		auth_value;		/* algorithm number, as in p1xf_auth_alg */
	char		auth_name[MAX_LABEL_LEN];	/* human-readable name */
} ike_authalg_t;
444
445 /*
446 * data formatting structure for preshared keys
447 * ps_ike_mode field uses the IKE_XCHG_* defs
448 */
/*
 * data formatting structure for preshared keys
 * ps_ike_mode field uses the IKE_XCHG_* defs
 *
 * Returned by IKE_SVC_GET_PS / IKE_SVC_DUMP_PS and supplied to
 * IKE_SVC_NEW_PS.  Per the privilege discussion above, these requests
 * need IKE_PRIV_MODKEYS or IKE_PRIV_KEYMAT, and the key bytes at
 * ps_key_off are only included for IKE_PRIV_KEYMAT.  A consumer must
 * check each off/len pair against the enclosing message length; the
 * base of the offsets is not stated here — presumably the start of this
 * struct, confirm against in.iked.  Buffers that held the key bytes
 * should be scrubbed when no longer needed.
 */
typedef struct {
	ike_addr_pr_t	ps_ipaddrs;		/* local/remote addresses */
	uint16_t	ps_ike_mode;		/* IKE_XCHG_*, including IKE_XCHG_ANY */
	uint16_t	ps_localid_off;		/* sadb_ident_t */
	uint16_t	ps_localid_len;
	uint16_t	ps_remoteid_off;	/* sadb_ident_t */
	uint16_t	ps_remoteid_len;
	uint16_t	ps_key_off;		/* raw key bytes */
	uint16_t	ps_key_len;		/* length in bytes */
	uint16_t	ps_key_bits;		/* length in bits */
	int		ps_localid_plen;	/* prefix length; its relation to the id is not stated here */
	int		ps_remoteid_plen;
	/*
	 * followed by variable-length structures, as indicated by
	 * offset/length fields.
	 * key info will be formatted as an array of bytes.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_ps_t;
468
/* Size of the subject/issuer DN buffers in ike_certcache_t. */
#define	DN_MAX			1024
/*
 * Private-key status of a cached certificate.  Presumably the values
 * of ike_certcache_t.linkage, the only signed member — confirm.
 */
#define	CERT_OFF_WIRE		-1	/* cert came from the peer; no local key */
#define	CERT_NO_PRIVKEY		0
#define	CERT_PRIVKEY_LOCKED	1	/* key present but token not logged in */
#define	CERT_PRIVKEY_AVAIL	2
474
475 /*
476 * data formatting structure for cached certs
477 */
/*
 * data formatting structure for cached certs
 *
 * One entry returned for IKE_SVC_DUMP_CERTCACHE.  NUL termination of
 * the DN buffers is not promised by this header; bound reads to DN_MAX.
 */
typedef struct {
	uint32_t	cache_id;		/* cache slot identifier */
	uint32_t	certclass;		/* values not defined in this header */
	int		linkage;		/* presumably CERT_* — confirm */
	uint32_t	certcache_padding;	/* For 64-bit alignment. */
	char		subject[DN_MAX];
	char		issuer[DN_MAX];
} ike_certcache_t;
486
487 /* identification types */
/*
 * identification types, carried in get_idtype/del_idtype to say what
 * follows an ike_get_t/ike_del_t.  The forms each command accepts are
 * listed with those structures.
 */
#define	IKE_ID_IDENT_PAIR	1	/* pair of sadb_ident_t */
#define	IKE_ID_ADDR_PAIR	2	/* ike_addr_pr_t */
#define	IKE_ID_CKY_PAIR		3	/* ike_cky_pr_t */
#define	IKE_ID_LABEL		4	/* char string (rule label) */
492
493
494 /* locations for read/write requests */
/* locations for read/write requests, carried in ike_rw_t.rw_loc */
#define	IKE_RW_LOC_DEFAULT	1	/* daemon's default file(s); read only */
#define	IKE_RW_LOC_USER_SPEC	2	/* fd(s) passed in the door_desc_t */
497
498
499 /* door interface error codes */
/*
 * door interface error codes, carried in ike_err_t.ike_err.  For
 * IKE_ERR_SYS_ERR the errno value is in ike_err_unix.
 */
#define	IKE_ERR_NO_OBJ		1	/* nothing found to match the request */
#define	IKE_ERR_NO_DESC		2	/* fd was required with this request */
#define	IKE_ERR_ID_INVALID	3	/* invalid id info was provided */
#define	IKE_ERR_LOC_INVALID	4	/* invalid location info was provided */
#define	IKE_ERR_CMD_INVALID	5	/* invalid command was provided */
#define	IKE_ERR_DATA_INVALID	6	/* invalid data was provided */
#define	IKE_ERR_CMD_NOTSUP	7	/* unsupported command */
#define	IKE_ERR_REQ_INVALID	8	/* badly formatted request */
#define	IKE_ERR_NO_PRIV		9	/* privilege level not high enough */
#define	IKE_ERR_SYS_ERR		10	/* syserr occurred while processing */
#define	IKE_ERR_DUP_IGNORED	11	/* attempt to add a duplicate entry */
#define	IKE_ERR_NO_TOKEN	12	/* cannot login into pkcs#11 token */
#define	IKE_ERR_NO_AUTH		13	/* not authorized */
#define	IKE_ERR_IN_PROGRESS	14	/* operation already in progress */
#define	IKE_ERR_NO_MEM		15	/* insufficient memory */
515
516
517 /*
518 * IKE_SVC_GET_DBG
519 * Used to request the current debug level.
520 *
521 * Upon request, dbg_level is 0 (don't care).
522 *
523 * Upon return, dbg_level contains the current value.
524 *
525 *
526 * IKE_SVC_SET_DBG
527 * Used to request modification of the debug level.
528 *
529 * Upon request, dbg_level contains desired level. If debug output is
530 * to be directed to a different file, the fd should be passed in the
531 * door_desc_t field of the door_arg_t param. NOTE: if the daemon is
532 * currently running in the background with no debug set, an output
533 * file MUST be given.
534 *
535 * Upon return, dbg_level contains the old debug level, and acknowledges
536 * successful completion of the request. If an error is encountered,
537 * ike_err_t is returned instead, with appropriate error value and cmd
538 * IKE_SVC_ERROR.
539 */
/* Request/reply for IKE_SVC_GET_DBG and IKE_SVC_SET_DBG (see above). */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dbg_level;	/* D_* bitmask; D_INVALID never valid */
} ike_dbg_t;
544
545 /*
546 * IKE_SVC_GET_PRIV
547 * Used to request the current privilege level.
548 *
549 * Upon request, priv_level is 0 (don't care).
550 *
551 * Upon return, priv_level contains the current value.
552 *
553 *
554 * IKE_SVC_SET_PRIV
555 * Used to request modification of the privilege level.
556 *
557 * Upon request, priv_level contains the desired level. The level may
558 * only be lowered via the door interface; it cannot be raised. Thus,
559 * if in.iked is started at the lowest level, it cannot be changed.
560 *
561 * Upon return, priv_level contains the old privilege level, and
562 * acknowledges successful completion of the request. If an error is
563 * encountered, ike_err_t is returned instead, with appropriate error
564 * value and cmd IKE_SVC_ERROR.
565 */
/*
 * Request/reply for IKE_SVC_GET_PRIV and IKE_SVC_SET_PRIV (see above).
 * Lowering is one-way: once dropped, the level cannot be raised again
 * through the door.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	priv_level;	/* IKE_PRIV_* */
} ike_priv_t;
570
571
572 /*
573 * IKE_SVC_GET_STATS
574 * Used to request current statistics on Phase 1 SA creation and
575 * failures. The statistics represent all activity in in.iked.
576 *
577 * Upon request, cmd is set, and stat_len does not matter.
578 *
579 * Upon successful return, stat_len contains the total size of the
580 * returned buffer, which contains first the ike_statreq_t struct,
581 * followed by the stat data in the ike_stats_t structure. In case
582 * of an error in processing the request, ike_err_t is returned with
583 * IKE_SVC_ERROR command and appropriate error code.
584 */
/* Request/reply header for IKE_SVC_GET_STATS (see above). */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	stat_len;	/* reply: total bytes, this struct plus ike_stats_t */
} ike_statreq_t;
589
590 /*
591 * IKE_SVC_GET_DEFS
592 * Used to request default values from in.iked.
593 *
594 * Upon request, cmd is set, and stat_len does not matter.
595 *
596 * Upon successful return, stat_len contains the total size of the
 * returned buffer, which contains a pair of ike_defaults_t's.
598 */
/*
 * Request/reply header for IKE_SVC_GET_DEFS (see above).  The only
 * request type that carries a version field; what it holds is not
 * stated here — presumably DOORVER, confirm.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	stat_len;		/* reply: total bytes, this struct plus two ike_defaults_t */
	uint32_t	version;
	uint32_t	defreq_reserved;	/* For 64-bit alignment. */
} ike_defreq_t;
605
606 /*
607 * IKE_SVC_DUMP_{P1S|RULES|PS|CERTCACHE}
608 * Used to request a table dump, and to return info for a single table
609 * item. The expectation is that all of the table data will be passed
610 * through the door, one entry at a time; an individual request must be
611 * sent for each entry, however (the door server can't send unrequested
612 * data).
613 *
614 * Upon request: cmd is set, and dump_next contains the item number
615 * requested (0 for first request). dump_len is 0; no data follows.
616 *
617 * Upon return: cmd is set, and dump_next contains the item number of
618 * the *next* item in the table (to be used in the subsequent request).
619 * dump_next = 0 indicates that this is the last item in the table.
620 * dump_len is the total length (data + struct) returned. Data is
621 * formatted as indicated by the cmd type:
622 * IKE_SVC_DUMP_P1S: ike_p1_sa_t
623 * IKE_SVC_DUMP_RULES: ike_rule_t
624 * IKE_SVC_DUMP_PS: ike_ps_t
625 * IKE_SVC_DUMP_CERTCACHE: ike_certcache_t
626 */
/*
 * Request/reply header for the IKE_SVC_DUMP_* commands (see above).
 * The uint64_t arm of the union forces the struct to 8-byte size and
 * alignment so the entry that follows starts 64-bit aligned.  A
 * consumer should trust dump_len, not the entry type's sizeof, as the
 * bound of the returned buffer.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dump_len;	/* reply: header plus entry, in bytes */
	union {
		struct {
			uint32_t	dump_unext;	/* next item number; 0 = last */
			uint32_t	dump_ureserved;
		} dump_actual;
		uint64_t	dump_alignment;
	} dump_u;
#define	dump_next	dump_u.dump_actual.dump_unext
#define	dump_reserved	dump_u.dump_actual.dump_ureserved
	/* dump_len - sizeof (ike_dump_t) bytes of data included here */
} ike_dump_t;
641
642
643 /*
644 * IKE_SVC_GET_{P1|RULE|PS}
645 * Used to request and return individual table items.
646 *
647 * Upon request: get_len is the total msg length (struct + id data);
648 * get_idtype indicates the type of identification being used.
649 * IKE_SVC_GET_P1: ike_addr_pr_t or ike_cky_pr_t
650 * IKE_SVC_GET_RULE: char string (label)
651 * IKE_SVC_GET_PS: ike_addr_pr_t or pair of sadb_ident_t
652 *
653 * Upon return: get_len is the total size (struct + data), get_idtype
654 * is unused, and the data that follows is formatted according to cmd:
655 * IKE_SVC_GET_P1: ike_p1_sa_t
656 * IKE_SVC_GET_RULE: ike_rule_t
657 * IKE_SVC_GET_PS: ike_ps_t
658 */
/*
 * Request/reply header for the IKE_SVC_GET_* commands (see above).
 * The uint64_t arm of the union forces 8-byte size and alignment.  The
 * server must validate get_idtype against the forms the command accepts
 * and get_len against the size of that identifier before reading it.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	get_len;	/* total bytes: this struct plus id (request) or item (reply) */
	union {
		struct {
			uint32_t	getu_idtype;	/* IKE_ID_*; unused in reply */
			uint32_t	getu_reserved;
		} get_actual;
		uint64_t	get_alignment;
	} get_u;
#define	get_idtype	get_u.get_actual.getu_idtype
#define	get_reserved	get_u.get_actual.getu_reserved
	/* get_len - sizeof (ike_get_t) bytes of data included here */
} ike_get_t;
673
674
675 /*
676 * IKE_SVC_NEW_{RULE|PS}
677 * Used to request and acknowledge insertion of a table item.
678 *
679 * Upon request: new_len is the total (data + struct) size passed, or 0.
680 * new_len = 0 => a door_desc_t is also included with a file descriptor
681 * for a file containing the data to be added. The file should include
682 * a single item: a rule, or a pre-shared key. For new_len != 0, the
683 * data is formatted according to the cmd type:
684 * IKE_SVC_NEW_RULE: ike_rule_t
685 * IKE_SVC_NEW_PS: ike_ps_t
686 *
687 * Upon return: new_len is 0; simply acknowledges successful insertion
688 * of the requested item. If insertion is not successful, ike_err_t is
689 * returned instead with appropriate error value.
690 */
/*
 * Request/reply header for IKE_SVC_NEW_RULE and IKE_SVC_NEW_PS (see
 * above).  Note the trailing new_align member: the variable data
 * described by new_len follows the whole struct, i.e. after new_align,
 * not after new_len.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	new_len;	/* 0 = item is in the fd passed via door_desc_t */
	/* new_len - sizeof (ike_new_t) bytes included here */
	uint64_t	new_align;	/* Padding for 64-bit alignment. */
} ike_new_t;
697
698
699 /*
700 * IKE_SVC_DEL_{P1|RULE|PS}
701 * Used to request and acknowledge the deletion of an individual table
702 * item.
703 *
704 * Upon request: del_len is the total msg length (struct + id data);
705 * del_idtype indicates the type of identification being used.
706 * IKE_SVC_DEL_P1: ike_addr_pr_t or ike_cky_pr_t
707 * IKE_SVC_DEL_RULE: char string (label)
708 * IKE_SVC_DEL_PS: ike_addr_pr_t or pair of sadb_ident_t
709 *
710 * Upon return: acknowledges deletion of the requested item; del_len and
711 * del_idtype are unspecified. If deletion is not successful, ike_err_t
712 * is returned instead with appropriate error value.
713 */
/*
 * Request/reply header for the IKE_SVC_DEL_* commands (see above).
 * As with ike_get_t, the server must check del_idtype and del_len
 * before reading the identifier that follows.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	del_len;	/* total bytes: this struct plus id data */
	uint32_t	del_idtype;	/* IKE_ID_* */
	uint32_t	del_reserved;
	/* del_len - sizeof (ike_del_t) bytes of data included here. */
} ike_del_t;
721
722
723 /*
724 * IKE_SVC_READ_{RULES|PS}
725 * Used to ask daemon to re-read particular configuration info.
726 *
727 * Upon request: rw_loc indicates where the info should be read from:
728 * either from a user-supplied file descriptor(s), or from the default
729 * location(s). If rw_loc indicates user-supplied location, the file
730 * descriptor(s) should be passed in the door_desc_t struct. For the
731 * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
732 * first, one for the config file which contains the data to be read,
733 * and second, one for the cookie file which will be written to as
 * in.iked processes the config file.
735 *
736 * Upon return: rw_loc is unspecified; the message simply acknowledges
737 * successful completion of the request. If an error occurred,
738 * ike_err_t is returned instead with appropriate error value.
739 *
740 *
741 * IKE_SVC_WRITE_{RULES|PS}
742 * Used to ask daemon to write its current config info to files.
743 *
744 * Request and return are handled the same as for the IKE_SVC_READ_*
745 * cmds; however, the rw_loc MUST be a user-supplied location. Also,
746 * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
747 * only a single fd, for the file to which the config info should be
748 * written, should be passed in.
749 */
/* Request/reply for the IKE_SVC_READ_* and IKE_SVC_WRITE_* commands (see above). */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	rw_loc;		/* IKE_RW_LOC_*; writes require USER_SPEC */
} ike_rw_t;
754
755
756 /*
757 * IKE_SVC_FLUSH_P1S
758 * IKE_SVC_FLUSH_CERTCACHE
759 *
760 * Used to request and acknowledge tear-down of all P1 SAs
761 * or to flush the certificate cache.
762 */
/*
 * Request/reply for IKE_SVC_FLUSH_P1S and IKE_SVC_FLUSH_CERTCACHE.
 * One of the 4-byte "base headers" the size rules above exempt.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_flush_t;
766
767
/* Token label size; may already be defined by a PKCS#11 header. */
#ifndef PKCS11_TOKSIZE
#define	PKCS11_TOKSIZE	32
#endif
/* Capacity of the PIN buffer in ike_pin_t. */
#define	MAX_PIN_LEN	256
772 /*
773 * IKE_SVC_SET_PIN
774 * IKE_SVC_DEL_PIN
775 *
 * Used to supply a pin for a PKCS#11 token object.
777 *
778 */
/*
 * Request for IKE_SVC_SET_PIN and IKE_SVC_DEL_PIN (see above).
 * token_pin is a secret: the sender should scrub its copy after the
 * door call, and the receiver should not log the message.  Neither
 * buffer is promised to be NUL-terminated by this header; PKCS#11
 * token labels in particular are fixed-width fields.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	pin_reserved;		/* For 64-bit alignment. */
	char		pkcs11_token[PKCS11_TOKSIZE];	/* token label */
	uchar_t		token_pin[MAX_PIN_LEN];		/* PIN bytes */
} ike_pin_t;
785
786 /*
787 * IKE_SVC_ERROR
788 * Used on return if server encountered an error while processing
789 * the request. An appropriate error code is included (as defined
790 * in this header file); in the case of IKE_ERR_SYS_ERR, a value
791 * from the UNIX errno space is included in the ike_err_unix field.
792 */
/*
 * Error reply (cmd == IKE_SVC_ERROR); may be returned in place of the
 * normal reply for any request.  Callers should check cmd before
 * interpreting a reply as the expected type.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	ike_err;		/* IKE_ERR_* */
	uint32_t	ike_err_unix;		/* errno, only for IKE_ERR_SYS_ERR */
	uint32_t	ike_err_reserved;
} ike_err_t;
799
800 /*
801 * Generic type for use when the request/reply type is unknown
802 */
/*
 * Generic type for use when the request/reply type is unknown
 *
 * Every message starts with cmd, so a receiver can read this first and
 * then pick the member of ike_service_t (and the length check) that
 * matches.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_cmd_t;
806
807
808 /*
809 * Union containing all possible request/return structures.
810 */
/*
 * Union containing all possible request/return structures.
 *
 * sizeof (ike_service_t) is that of its largest member (by the field
 * sizes above, ike_pin_t).  The variable-length messages (dump, get,
 * new, del) extend past the union; their own *_len fields, not this
 * sizeof, bound the data that follows.
 */
typedef union {
	ike_cmd_t	svc_cmd;
	ike_dbg_t	svc_dbg;
	ike_priv_t	svc_priv;
	ike_statreq_t	svc_stats;
	ike_dump_t	svc_dump;
	ike_get_t	svc_get;
	ike_new_t	svc_new;
	ike_del_t	svc_del;
	ike_rw_t	svc_rw;
	ike_flush_t	svc_flush;
	ike_pin_t	svc_pin;
	ike_err_t	svc_err;
	ike_defreq_t	svc_defaults;
} ike_service_t;
826
827 #ifdef __cplusplus
828 }
829 #endif
830
831 #endif /* _IKEDOOR_H */