Print this page
Cleanup
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/lib/libipsecutil/common/ikedoor.h
+++ new/usr/src/lib/libipsecutil/common/ikedoor.h
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
23 23 */
24 24
25 25 #ifndef _IKEDOOR_H
|
↓ open down ↓ |
25 lines elided |
↑ open up ↑ |
26 26 #define _IKEDOOR_H
27 27
28 28 #ifdef __cplusplus
29 29 extern "C" {
30 30 #endif
31 31
32 32 #include <limits.h>
33 33 #include <sys/sysmacros.h>
34 34 #include <net/pfkeyv2.h>
35 35 #include <door.h>
36 +#include <sys/socket.h>
36 37
37 38 /*
38 39 * This version number is intended to stop the calling process from
39 40 * getting confused if a structure is changed and a mismatch occurs.
40 41 * This should be incremented each time a structure is changed.
41 42 */
42 43
43 44 /*
44 45 * The IKE process may be a 64-bit process, but ikeadm or any other IKE
45 46 * door consumer does not have to be. We need to be strict ala. PF_KEY or
46 47 * any on-the-wire-protocol with respect to structure fields offsets and
47 48 * alignment. Please make sure all structures are the same size on both
48 49 * 64-bit and 32-bit execution environments (or even other ones), and that
49 50 * apart from trivial 4-byte enums or base headers, that all structures are
50 51 * multiples of 8-bytes (64-bits).
51 52 */
52 53 #define DOORVER 4
53 54 #define DOORNM "/var/run/ike_door"
54 55
55 56
56 57 typedef enum {
57 58 IKE_SVC_GET_DBG,
58 59 IKE_SVC_SET_DBG,
59 60
60 61 IKE_SVC_GET_PRIV,
61 62 IKE_SVC_SET_PRIV,
62 63
63 64 IKE_SVC_GET_STATS,
64 65
65 66 IKE_SVC_GET_P1,
66 67 IKE_SVC_DEL_P1,
67 68 IKE_SVC_DUMP_P1S,
68 69 IKE_SVC_FLUSH_P1S,
69 70
70 71 IKE_SVC_GET_RULE,
71 72 IKE_SVC_NEW_RULE,
72 73 IKE_SVC_DEL_RULE,
73 74 IKE_SVC_DUMP_RULES,
74 75 IKE_SVC_READ_RULES,
75 76 IKE_SVC_WRITE_RULES,
76 77
77 78 IKE_SVC_GET_PS,
78 79 IKE_SVC_NEW_PS,
79 80 IKE_SVC_DEL_PS,
80 81 IKE_SVC_DUMP_PS,
81 82 IKE_SVC_READ_PS,
82 83 IKE_SVC_WRITE_PS,
83 84
84 85 IKE_SVC_DBG_RBDUMP,
85 86
86 87 IKE_SVC_GET_DEFS,
87 88
88 89 IKE_SVC_SET_PIN,
89 90 IKE_SVC_DEL_PIN,
90 91
91 92 IKE_SVC_DUMP_CERTCACHE,
92 93 IKE_SVC_FLUSH_CERTCACHE,
93 94
94 95 IKE_SVC_DUMP_GROUPS,
95 96 IKE_SVC_DUMP_ENCRALGS,
96 97 IKE_SVC_DUMP_AUTHALGS,
97 98
98 99 IKE_SVC_ERROR
99 100 } ike_svccmd_t;
100 101
101 102 /* DPD status */
102 103
103 104 typedef enum dpd_status {
104 105 DPD_NOT_INITIATED = 0,
105 106 DPD_IN_PROGRESS,
106 107 DPD_SUCCESSFUL,
107 108 DPD_FAILURE
108 109 } dpd_status_t;
109 110
110 111 #define IKE_SVC_MAX IKE_SVC_ERROR
111 112
112 113
113 114 /*
114 115 * Support structures/defines
115 116 */
116 117
117 118 #define IKEDOORROUNDUP(i) P2ROUNDUP((i), sizeof (uint64_t))
118 119
119 120 /*
120 121 * Debug categories. The debug level is a bitmask made up of
121 122 * flags indicating the desired categories; only 31 bits are
122 123 * available, as the highest-order bit designates an invalid
123 124 * setting.
124 125 */
125 126 #define D_INVALID 0x80000000
126 127
127 128 #define D_CERT 0x00000001 /* certificate management */
128 129 #define D_KEY 0x00000002 /* key management */
129 130 #define D_OP 0x00000004 /* operational: config, init, mem */
130 131 #define D_P1 0x00000008 /* phase 1 negotiation */
131 132 #define D_P2 0x00000010 /* phase 2 negotiation */
132 133 #define D_PFKEY 0x00000020 /* pf key interface */
133 134 #define D_POL 0x00000040 /* policy management */
134 135 #define D_PROP 0x00000080 /* proposal construction */
135 136 #define D_DOOR 0x00000100 /* door server */
136 137 #define D_CONFIG 0x00000200 /* config file processing */
137 138 #define D_LABEL 0x00000400 /* MAC labels */
138 139
139 140 #define D_HIGHBIT 0x00000400
140 141 #define D_ALL 0x000007ff
141 142
142 143 /*
143 144 * Access privilege levels: define level of access to keying information.
144 145 * The privileges granted at each level is a superset of the privileges
145 146 * granted at all lower levels.
146 147 *
147 148 * The door operations which require special privileges are:
148 149 *
149 150 * - receiving keying material for SAs and preshared key entries
150 151 * IKE_PRIV_KEYMAT must be set for this.
151 152 *
152 153 * - get/dump/new/delete/read/write preshared keys
153 154 * IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
154 155 * If IKE_PRIV_MODKEYS is set, the information returned for a
155 156 * get/dump request will not include the actual key; in order
156 157 * to get the key itself, IKE_PRIV_KEYMAT must be set.
157 158 *
158 159 * - modifying the privilege level: the daemon's privilege level
159 160 * is set when the daemon is started; the level may only be
160 161 * lowered via the door interface.
161 162 *
162 163 * All other operations are allowed at any privilege level.
163 164 */
164 165 #define IKE_PRIV_MINIMUM 0
165 166 #define IKE_PRIV_MODKEYS 1
166 167 #define IKE_PRIV_KEYMAT 2
167 168 #define IKE_PRIV_MAXIMUM 2
168 169
169 170 /* global ike stats formatting structure */
170 171 typedef struct {
171 172 uint32_t st_init_p1_current;
172 173 uint32_t st_resp_p1_current;
173 174 uint32_t st_init_p1_total;
174 175 uint32_t st_resp_p1_total;
175 176 uint32_t st_init_p1_attempts;
176 177 uint32_t st_resp_p1_attempts;
177 178 uint32_t st_init_p1_noresp; /* failed; no response from peer */
178 179 uint32_t st_init_p1_respfail; /* failed, but peer responded */
179 180 uint32_t st_resp_p1_fail;
180 181 uint32_t st_reserved;
181 182 char st_pkcs11_libname[PATH_MAX];
182 183 } ike_stats_t;
183 184
184 185 /* structure used to pass default values used by in.iked back to ikeadm */
185 186 typedef struct {
186 187 uint32_t rule_p1_lifetime_secs;
187 188 uint32_t rule_p1_minlife;
188 189 uint32_t rule_p1_nonce_len;
189 190 uint32_t rule_p2_lifetime_secs;
190 191 uint32_t rule_p2_softlife_secs;
191 192 uint32_t rule_p2_idletime_secs;
192 193 uint32_t sys_p2_lifetime_secs;
193 194 uint32_t sys_p2_softlife_secs;
194 195 uint32_t sys_p2_idletime_secs;
195 196 uint32_t rule_p2_lifetime_kb;
196 197 uint32_t rule_p2_softlife_kb;
197 198 uint32_t sys_p2_lifetime_bytes;
198 199 uint32_t sys_p2_softlife_bytes;
199 200 uint32_t rule_p2_minlife_hard_secs;
200 201 uint32_t rule_p2_minlife_soft_secs;
201 202 uint32_t rule_p2_minlife_idle_secs;
202 203 uint32_t rule_p2_minlife_hard_kb;
203 204 uint32_t rule_p2_minlife_soft_kb;
204 205 uint32_t rule_p2_maxlife_secs;
205 206 uint32_t rule_p2_maxlife_kb;
206 207 uint32_t rule_p2_nonce_len;
207 208 uint32_t rule_p2_pfs;
208 209 uint32_t rule_p2_mindiff_secs;
209 210 uint32_t rule_p2_mindiff_kb;
210 211 uint32_t conversion_factor; /* for secs to kbytes */
211 212 uint32_t rule_max_certs;
212 213 uint32_t rule_ike_port;
213 214 uint32_t rule_natt_port;
214 215 uint32_t defaults_reserved; /* For 64-bit alignment. */
215 216 } ike_defaults_t;
216 217
217 218 /* data formatting structures for P1 SA dumps */
218 219 typedef struct {
219 220 struct sockaddr_storage loc_addr;
220 221 struct sockaddr_storage rem_addr;
221 222 #define beg_iprange loc_addr
222 223 #define end_iprange rem_addr
223 224 } ike_addr_pr_t;
224 225
225 226 typedef struct {
226 227 uint64_t cky_i;
227 228 uint64_t cky_r;
228 229 } ike_cky_pr_t;
229 230
230 231 typedef struct {
231 232 ike_cky_pr_t p1hdr_cookies;
232 233 uint8_t p1hdr_major;
233 234 uint8_t p1hdr_minor;
234 235 uint8_t p1hdr_xchg;
235 236 uint8_t p1hdr_isinit;
236 237 uint32_t p1hdr_state;
237 238 boolean_t p1hdr_support_dpd;
238 239 dpd_status_t p1hdr_dpd_state;
239 240 uint64_t p1hdr_dpd_time;
240 241 } ike_p1_hdr_t;
241 242
242 243 /* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
243 244 #define IKE_XCHG_NONE 0
244 245 #define IKE_XCHG_BASE 1
245 246 #define IKE_XCHG_IDENTITY_PROTECT 2
246 247 #define IKE_XCHG_AUTH_ONLY 3
247 248 #define IKE_XCHG_AGGRESSIVE 4
248 249 /* following not from RFC; used only for preshared key definitions */
249 250 #define IKE_XCHG_IP_AND_AGGR 240
250 251 /* also not from RFC; used as wildcard */
251 252 #define IKE_XCHG_ANY 256
252 253
253 254 /* values for p1hdr_state */
254 255 #define IKE_SA_STATE_INVALID 0
255 256 #define IKE_SA_STATE_INIT 1
256 257 #define IKE_SA_STATE_SENT_SA 2
257 258 #define IKE_SA_STATE_SENT_KE 3
258 259 #define IKE_SA_STATE_SENT_LAST 4
259 260 #define IKE_SA_STATE_DONE 5
260 261 #define IKE_SA_STATE_DELETED 6
261 262
262 263 typedef struct {
263 264 uint16_t p1xf_dh_group;
264 265 uint16_t p1xf_encr_alg;
265 266 uint16_t p1xf_encr_low_bits;
266 267 uint16_t p1xf_encr_high_bits;
267 268 uint16_t p1xf_auth_alg;
268 269 uint16_t p1xf_auth_meth;
269 270 uint16_t p1xf_prf;
270 271 uint16_t p1xf_pfs;
271 272 uint32_t p1xf_max_secs;
272 273 uint32_t p1xf_max_kbytes;
273 274 uint32_t p1xf_max_keyuses;
274 275 uint32_t p1xf_reserved; /* Alignment to 64-bit. */
275 276 } ike_p1_xform_t;
276 277
277 278 /* values for p1xf_dh_group (aligned with RFC2409, Appendix A) */
278 279 #define IKE_GRP_DESC_MODP_768 1
279 280 #define IKE_GRP_DESC_MODP_1024 2
280 281 #define IKE_GRP_DESC_EC2N_155 3
281 282 #define IKE_GRP_DESC_EC2N_185 4
282 283 /* values for p1xf_dh_group (aligned with RFC3526) */
283 284 #define IKE_GRP_DESC_MODP_1536 5
284 285 #define IKE_GRP_DESC_MODP_2048 14
285 286 #define IKE_GRP_DESC_MODP_3072 15
286 287 #define IKE_GRP_DESC_MODP_4096 16
287 288 #define IKE_GRP_DESC_MODP_6144 17
288 289 #define IKE_GRP_DESC_MODP_8192 18
289 290 #define IKE_GRP_DESC_ECP_256 19
290 291 #define IKE_GRP_DESC_ECP_384 20
291 292 #define IKE_GRP_DESC_ECP_521 21
292 293 /* values for p1xf_dh_group (aligned with RFC5114) */
293 294 #define IKE_GRP_DESC_MODP_1024_160 22
294 295 #define IKE_GRP_DESC_MODP_2048_224 23
295 296 #define IKE_GRP_DESC_MODP_2048_256 24
296 297 #define IKE_GRP_DESC_ECP_192 25
297 298 #define IKE_GRP_DESC_ECP_224 26
298 299
299 300 /* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
300 301 #define IKE_AUTH_METH_PRE_SHARED_KEY 1
301 302 #define IKE_AUTH_METH_DSS_SIG 2
302 303 #define IKE_AUTH_METH_RSA_SIG 3
303 304 #define IKE_AUTH_METH_RSA_ENCR 4
304 305 #define IKE_AUTH_METH_RSA_ENCR_REVISED 5
305 306
306 307 /* values for p1xf_prf */
307 308 #define IKE_PRF_NONE 0
308 309 #define IKE_PRF_HMAC_MD5 1
309 310 #define IKE_PRF_HMAC_SHA1 2
310 311 #define IKE_PRF_HMAC_SHA256 5
311 312 #define IKE_PRF_HMAC_SHA384 6
312 313 #define IKE_PRF_HMAC_SHA512 7
313 314
314 315 typedef struct {
315 316 /*
316 317 * NOTE: the new and del counters count the actual number of SAs,
317 318 * not the number of "suites", as defined in the ike monitoring
318 319 * mib draft; we do this because we don't have a good way of
319 320 * tracking the deletion of entire suites (we're notified of
320 321 * deleted qm sas individually).
321 322 */
322 323 uint32_t p1stat_new_qm_sas;
323 324 uint32_t p1stat_del_qm_sas;
324 325 uint64_t p1stat_start;
325 326 uint32_t p1stat_kbytes;
326 327 uint32_t p1stat_keyuses;
327 328 } ike_p1_stats_t;
328 329
329 330 typedef struct {
330 331 uint32_t p1err_decrypt;
331 332 uint32_t p1err_hash;
332 333 uint32_t p1err_otherrx;
333 334 uint32_t p1err_tx;
334 335 } ike_p1_errors_t;
335 336
336 337 typedef struct {
337 338 uint32_t p1key_type;
338 339 uint32_t p1key_len;
339 340 /*
340 341 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
341 342 * 64-bit aligned (pad bytes are added at the end, if necessary,
342 343 * and NOT INCLUDED in the len value, which reflects the actual
343 344 * key size).
344 345 */
345 346 } ike_p1_key_t;
346 347
347 348 /* key info types for ike_p1_key_t struct */
348 349 #define IKE_KEY_PRESHARED 1
349 350 #define IKE_KEY_SKEYID 2
350 351 #define IKE_KEY_SKEYID_D 3
351 352 #define IKE_KEY_SKEYID_A 4
352 353 #define IKE_KEY_SKEYID_E 5
353 354 #define IKE_KEY_ENCR 6
354 355 #define IKE_KEY_IV 7
355 356
356 357 typedef struct {
357 358 ike_p1_hdr_t p1sa_hdr;
358 359 ike_p1_xform_t p1sa_xform;
359 360 ike_addr_pr_t p1sa_ipaddrs;
360 361 uint16_t p1sa_stat_off;
361 362 uint16_t p1sa_stat_len;
362 363 uint16_t p1sa_error_off;
363 364 uint16_t p1sa_error_len;
364 365 uint16_t p1sa_localid_off;
365 366 uint16_t p1sa_localid_len;
366 367 uint16_t p1sa_remoteid_off;
367 368 uint16_t p1sa_remoteid_len;
368 369 uint16_t p1sa_key_off;
369 370 uint16_t p1sa_key_len;
370 371 uint32_t p1sa_reserved;
371 372 /*
372 373 * variable-length structures will be included here, as
373 374 * indicated by offset/length fields.
374 375 * stats and errors will be formatted as ike_p1_stats_t and
375 376 * ike_p1_errors_t, respectively.
376 377 * key info will be formatted as a series of p1_key_t structs.
377 378 * local/remote ids will be formatted as sadb_ident_t structs.
378 379 */
379 380 } ike_p1_sa_t;
380 381
381 382
382 383 #define MAX_LABEL_LEN 256
383 384
384 385
385 386 /* data formatting structure for policy (rule) dumps */
386 387
387 388 typedef struct {
388 389 char rule_label[MAX_LABEL_LEN];
389 390 uint32_t rule_kmcookie;
390 391 uint16_t rule_ike_mode;
391 392 uint16_t rule_local_idtype; /* SADB_IDENTTYPE_* value */
392 393 uint32_t rule_p1_nonce_len;
393 394 uint32_t rule_p2_nonce_len;
394 395 uint32_t rule_p2_pfs;
395 396 uint32_t rule_p2_lifetime_secs;
396 397 uint32_t rule_p2_softlife_secs;
397 398 uint32_t rule_p2_idletime_secs;
398 399 uint32_t rule_p2_lifetime_kb;
399 400 uint32_t rule_p2_softlife_kb;
400 401 uint16_t rule_xform_cnt;
401 402 uint16_t rule_xform_off;
402 403 uint16_t rule_locip_cnt;
403 404 uint16_t rule_locip_off;
404 405 uint16_t rule_remip_cnt;
405 406 uint16_t rule_remip_off;
406 407 uint16_t rule_locid_inclcnt;
407 408 uint16_t rule_locid_exclcnt;
408 409 uint16_t rule_locid_off;
409 410 uint16_t rule_remid_inclcnt;
410 411 uint16_t rule_remid_exclcnt;
411 412 uint16_t rule_remid_off;
412 413 /*
413 414 * Followed by several lists of variable-length structures, described
414 415 * by counts and offsets:
415 416 * transforms ike_p1_xform_t structs
416 417 * ranges of local ip addrs ike_addr_pr_t structs
417 418 * ranges of remote ip addrs ike_addr_pr_t structs
418 419 * local identification strings null-terminated ascii strings
419 420 * remote identification strings null-terminated ascii strings
420 421 */
421 422 } ike_rule_t;
422 423
423 424 /* data formatting structure for DH group dumps */
424 425 typedef struct {
425 426 uint16_t group_number;
426 427 uint16_t group_bits;
427 428 char group_label[MAX_LABEL_LEN];
428 429 } ike_group_t;
429 430
430 431 /* data formatting structure for encryption algorithm dumps */
431 432 typedef struct {
432 433 uint_t encr_value;
433 434 char encr_name[MAX_LABEL_LEN];
434 435 int encr_keylen_min;
435 436 int encr_keylen_max;
436 437 } ike_encralg_t;
437 438
438 439 /* data formatting structure for authentication algorithm dumps */
439 440 typedef struct {
440 441 uint_t auth_value;
441 442 char auth_name[MAX_LABEL_LEN];
442 443 } ike_authalg_t;
443 444
444 445 /*
445 446 * data formatting structure for preshared keys
446 447 * ps_ike_mode field uses the IKE_XCHG_* defs
447 448 */
448 449 typedef struct {
449 450 ike_addr_pr_t ps_ipaddrs;
450 451 uint16_t ps_ike_mode;
451 452 uint16_t ps_localid_off;
452 453 uint16_t ps_localid_len;
453 454 uint16_t ps_remoteid_off;
454 455 uint16_t ps_remoteid_len;
455 456 uint16_t ps_key_off;
456 457 uint16_t ps_key_len;
457 458 uint16_t ps_key_bits;
458 459 int ps_localid_plen;
459 460 int ps_remoteid_plen;
460 461 /*
461 462 * followed by variable-length structures, as indicated by
462 463 * offset/length fields.
463 464 * key info will be formatted as an array of bytes.
464 465 * local/remote ids will be formatted as sadb_ident_t structs.
465 466 */
466 467 } ike_ps_t;
467 468
468 469 #define DN_MAX 1024
469 470 #define CERT_OFF_WIRE -1
470 471 #define CERT_NO_PRIVKEY 0
471 472 #define CERT_PRIVKEY_LOCKED 1
472 473 #define CERT_PRIVKEY_AVAIL 2
473 474
474 475 /*
475 476 * data formatting structure for cached certs
476 477 */
477 478 typedef struct {
478 479 uint32_t cache_id;
479 480 uint32_t certclass;
480 481 int linkage;
481 482 uint32_t certcache_padding; /* For 64-bit alignment. */
482 483 char subject[DN_MAX];
483 484 char issuer[DN_MAX];
484 485 } ike_certcache_t;
485 486
486 487 /* identification types */
487 488 #define IKE_ID_IDENT_PAIR 1
488 489 #define IKE_ID_ADDR_PAIR 2
489 490 #define IKE_ID_CKY_PAIR 3
490 491 #define IKE_ID_LABEL 4
491 492
492 493
493 494 /* locations for read/write requests */
494 495 #define IKE_RW_LOC_DEFAULT 1
495 496 #define IKE_RW_LOC_USER_SPEC 2
496 497
497 498
498 499 /* door interface error codes */
499 500 #define IKE_ERR_NO_OBJ 1 /* nothing found to match the request */
500 501 #define IKE_ERR_NO_DESC 2 /* fd was required with this request */
501 502 #define IKE_ERR_ID_INVALID 3 /* invalid id info was provided */
502 503 #define IKE_ERR_LOC_INVALID 4 /* invalid location info was provided */
503 504 #define IKE_ERR_CMD_INVALID 5 /* invalid command was provided */
504 505 #define IKE_ERR_DATA_INVALID 6 /* invalid data was provided */
505 506 #define IKE_ERR_CMD_NOTSUP 7 /* unsupported command */
506 507 #define IKE_ERR_REQ_INVALID 8 /* badly formatted request */
507 508 #define IKE_ERR_NO_PRIV 9 /* privilege level not high enough */
508 509 #define IKE_ERR_SYS_ERR 10 /* syserr occurred while processing */
509 510 #define IKE_ERR_DUP_IGNORED 11 /* attempt to add a duplicate entry */
510 511 #define IKE_ERR_NO_TOKEN 12 /* cannot login into pkcs#11 token */
511 512 #define IKE_ERR_NO_AUTH 13 /* not authorized */
512 513 #define IKE_ERR_IN_PROGRESS 14 /* operation already in progress */
513 514 #define IKE_ERR_NO_MEM 15 /* insufficient memory */
514 515
515 516
516 517 /*
517 518 * IKE_SVC_GET_DBG
518 519 * Used to request the current debug level.
519 520 *
520 521 * Upon request, dbg_level is 0 (don't care).
521 522 *
522 523 * Upon return, dbg_level contains the current value.
523 524 *
524 525 *
525 526 * IKE_SVC_SET_DBG
526 527 * Used to request modification of the debug level.
527 528 *
528 529 * Upon request, dbg_level contains desired level. If debug output is
529 530 * to be directed to a different file, the fd should be passed in the
530 531 * door_desc_t field of the door_arg_t param. NOTE: if the daemon is
531 532 * currently running in the background with no debug set, an output
532 533 * file MUST be given.
533 534 *
534 535 * Upon return, dbg_level contains the old debug level, and acknowledges
535 536 * successful completion of the request. If an error is encountered,
536 537 * ike_err_t is returned instead, with appropriate error value and cmd
537 538 * IKE_SVC_ERROR.
538 539 */
539 540 typedef struct {
540 541 ike_svccmd_t cmd;
541 542 uint32_t dbg_level;
542 543 } ike_dbg_t;
543 544
544 545 /*
545 546 * IKE_SVC_GET_PRIV
546 547 * Used to request the current privilege level.
547 548 *
548 549 * Upon request, priv_level is 0 (don't care).
549 550 *
550 551 * Upon return, priv_level contains the current value.
551 552 *
552 553 *
553 554 * IKE_SVC_SET_PRIV
554 555 * Used to request modification of the privilege level.
555 556 *
556 557 * Upon request, priv_level contains the desired level. The level may
557 558 * only be lowered via the door interface; it cannot be raised. Thus,
558 559 * if in.iked is started at the lowest level, it cannot be changed.
559 560 *
560 561 * Upon return, priv_level contains the old privilege level, and
561 562 * acknowledges successful completion of the request. If an error is
562 563 * encountered, ike_err_t is returned instead, with appropriate error
563 564 * value and cmd IKE_SVC_ERROR.
564 565 */
565 566 typedef struct {
566 567 ike_svccmd_t cmd;
567 568 uint32_t priv_level;
568 569 } ike_priv_t;
569 570
570 571
571 572 /*
572 573 * IKE_SVC_GET_STATS
573 574 * Used to request current statistics on Phase 1 SA creation and
574 575 * failures. The statistics represent all activity in in.iked.
575 576 *
576 577 * Upon request, cmd is set, and stat_len does not matter.
577 578 *
578 579 * Upon successful return, stat_len contains the total size of the
579 580 * returned buffer, which contains first the ike_statreq_t struct,
580 581 * followed by the stat data in the ike_stats_t structure. In case
581 582 * of an error in processing the request, ike_err_t is returned with
582 583 * IKE_SVC_ERROR command and appropriate error code.
583 584 */
584 585 typedef struct {
585 586 ike_svccmd_t cmd;
586 587 uint32_t stat_len;
587 588 } ike_statreq_t;
588 589
589 590 /*
590 591 * IKE_SVC_GET_DEFS
591 592 * Used to request default values from in.iked.
592 593 *
593 594 * Upon request, cmd is set, and stat_len does not matter.
594 595 *
595 596 * Upon successful return, stat_len contains the total size of the
596 597 * returned buffer, this contains a pair of ike_defaults_t's.
597 598 */
598 599 typedef struct {
599 600 ike_svccmd_t cmd;
600 601 uint32_t stat_len;
601 602 uint32_t version;
602 603 uint32_t defreq_reserved; /* For 64-bit alignment. */
603 604 } ike_defreq_t;
604 605
605 606 /*
606 607 * IKE_SVC_DUMP_{P1S|RULES|PS|CERTCACHE}
607 608 * Used to request a table dump, and to return info for a single table
608 609 * item. The expectation is that all of the table data will be passed
609 610 * through the door, one entry at a time; an individual request must be
610 611 * sent for each entry, however (the door server can't send unrequested
611 612 * data).
612 613 *
613 614 * Upon request: cmd is set, and dump_next contains the item number
614 615 * requested (0 for first request). dump_len is 0; no data follows.
615 616 *
616 617 * Upon return: cmd is set, and dump_next contains the item number of
617 618 * the *next* item in the table (to be used in the subsequent request).
618 619 * dump_next = 0 indicates that this is the last item in the table.
619 620 * dump_len is the total length (data + struct) returned. Data is
620 621 * formatted as indicated by the cmd type:
621 622 * IKE_SVC_DUMP_P1S: ike_p1_sa_t
622 623 * IKE_SVC_DUMP_RULES: ike_rule_t
623 624 * IKE_SVC_DUMP_PS: ike_ps_t
624 625 * IKE_SVC_DUMP_CERTCACHE: ike_certcache_t
625 626 */
626 627 typedef struct {
627 628 ike_svccmd_t cmd;
628 629 uint32_t dump_len;
629 630 union {
630 631 struct {
631 632 uint32_t dump_unext;
632 633 uint32_t dump_ureserved;
633 634 } dump_actual;
634 635 uint64_t dump_alignment;
635 636 } dump_u;
636 637 #define dump_next dump_u.dump_actual.dump_unext
637 638 #define dump_reserved dump_u.dump_actual.dump_ureserved
638 639 /* dump_len - sizeof (ike_dump_t) bytes of data included here */
639 640 } ike_dump_t;
640 641
641 642
642 643 /*
643 644 * IKE_SVC_GET_{P1|RULE|PS}
644 645 * Used to request and return individual table items.
645 646 *
646 647 * Upon request: get_len is the total msg length (struct + id data);
647 648 * get_idtype indicates the type of identification being used.
648 649 * IKE_SVC_GET_P1: ike_addr_pr_t or ike_cky_pr_t
649 650 * IKE_SVC_GET_RULE: char string (label)
650 651 * IKE_SVC_GET_PS: ike_addr_pr_t or pair of sadb_ident_t
651 652 *
652 653 * Upon return: get_len is the total size (struct + data), get_idtype
653 654 * is unused, and the data that follows is formatted according to cmd:
654 655 * IKE_SVC_GET_P1: ike_p1_sa_t
655 656 * IKE_SVC_GET_RULE: ike_rule_t
656 657 * IKE_SVC_GET_PS: ike_ps_t
657 658 */
658 659 typedef struct {
659 660 ike_svccmd_t cmd;
660 661 uint32_t get_len;
661 662 union {
662 663 struct {
663 664 uint32_t getu_idtype;
664 665 uint32_t getu_reserved;
665 666 } get_actual;
666 667 uint64_t get_alignment;
667 668 } get_u;
668 669 #define get_idtype get_u.get_actual.getu_idtype
669 670 #define get_reserved get_u.get_actual.getu_reserved
670 671 /* get_len - sizeof (ike_get_t) bytes of data included here */
671 672 } ike_get_t;
672 673
673 674
674 675 /*
675 676 * IKE_SVC_NEW_{RULE|PS}
676 677 * Used to request and acknowledge insertion of a table item.
677 678 *
678 679 * Upon request: new_len is the total (data + struct) size passed, or 0.
679 680 * new_len = 0 => a door_desc_t is also included with a file descriptor
680 681 * for a file containing the data to be added. The file should include
681 682 * a single item: a rule, or a pre-shared key. For new_len != 0, the
682 683 * data is formatted according to the cmd type:
683 684 * IKE_SVC_NEW_RULE: ike_rule_t
684 685 * IKE_SVC_NEW_PS: ike_ps_t
685 686 *
686 687 * Upon return: new_len is 0; simply acknowledges successful insertion
687 688 * of the requested item. If insertion is not successful, ike_err_t is
688 689 * returned instead with appropriate error value.
689 690 */
690 691 typedef struct {
691 692 ike_svccmd_t cmd;
692 693 uint32_t new_len;
693 694 /* new_len - sizeof (ike_new_t) bytes included here */
694 695 uint64_t new_align; /* Padding for 64-bit alignment. */
695 696 } ike_new_t;
696 697
697 698
698 699 /*
699 700 * IKE_SVC_DEL_{P1|RULE|PS}
700 701 * Used to request and acknowledge the deletion of an individual table
701 702 * item.
702 703 *
703 704 * Upon request: del_len is the total msg length (struct + id data);
704 705 * del_idtype indicates the type of identification being used.
705 706 * IKE_SVC_DEL_P1: ike_addr_pr_t or ike_cky_pr_t
706 707 * IKE_SVC_DEL_RULE: char string (label)
707 708 * IKE_SVC_DEL_PS: ike_addr_pr_t or pair of sadb_ident_t
708 709 *
709 710 * Upon return: acknowledges deletion of the requested item; del_len and
710 711 * del_idtype are unspecified. If deletion is not successful, ike_err_t
711 712 * is returned instead with appropriate error value.
712 713 */
713 714 typedef struct {
714 715 ike_svccmd_t cmd;
715 716 uint32_t del_len;
716 717 uint32_t del_idtype;
717 718 uint32_t del_reserved;
718 719 /* del_len - sizeof (ike_del_t) bytes of data included here. */
719 720 } ike_del_t;
720 721
721 722
722 723 /*
723 724 * IKE_SVC_READ_{RULES|PS}
724 725 * Used to ask daemon to re-read particular configuration info.
725 726 *
726 727 * Upon request: rw_loc indicates where the info should be read from:
727 728 * either from a user-supplied file descriptor(s), or from the default
728 729 * location(s). If rw_loc indicates user-supplied location, the file
729 730 * descriptor(s) should be passed in the door_desc_t struct. For the
730 731 * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
731 732 * first, one for the config file which contains the data to be read,
732 733 * and second, one for the cookie file which will be written to as
733 734 * in.iked process the config file.
734 735 *
735 736 * Upon return: rw_loc is unspecified; the message simply acknowledges
736 737 * successful completion of the request. If an error occurred,
737 738 * ike_err_t is returned instead with appropriate error value.
738 739 *
739 740 *
740 741 * IKE_SVC_WRITE_{RULES|PS}
741 742 * Used to ask daemon to write its current config info to files.
742 743 *
743 744 * Request and return are handled the same as for the IKE_SVC_READ_*
744 745 * cmds; however, the rw_loc MUST be a user-supplied location. Also,
745 746 * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
746 747 * only a single fd, for the file to which the config info should be
747 748 * written, should be passed in.
748 749 */
749 750 typedef struct {
750 751 ike_svccmd_t cmd;
751 752 uint32_t rw_loc;
752 753 } ike_rw_t;
753 754
754 755
755 756 /*
756 757 * IKE_SVC_FLUSH_P1S
757 758 * IKE_SVC_FLUSH_CERTCACHE
758 759 *
759 760 * Used to request and acknowledge tear-down of all P1 SAs
760 761 * or to flush the certificate cache.
761 762 */
762 763 typedef struct {
763 764 ike_svccmd_t cmd;
764 765 } ike_flush_t;
765 766
766 767
767 768 #ifndef PKCS11_TOKSIZE
768 769 #define PKCS11_TOKSIZE 32
769 770 #endif
770 771 #define MAX_PIN_LEN 256
771 772 /*
772 773 * IKE_SVC_SET_PIN
773 774 * IKE_SVC_DEL_PIN
774 775 *
775 776 * Used to supply a pin for a PKCS#11 tokenj object.
776 777 *
777 778 */
778 779 typedef struct {
779 780 ike_svccmd_t cmd;
780 781 uint32_t pin_reserved; /* For 64-bit alignment. */
781 782 char pkcs11_token[PKCS11_TOKSIZE];
782 783 uchar_t token_pin[MAX_PIN_LEN];
783 784 } ike_pin_t;
784 785
785 786 /*
786 787 * IKE_SVC_ERROR
787 788 * Used on return if server encountered an error while processing
788 789 * the request. An appropriate error code is included (as defined
789 790 * in this header file); in the case of IKE_ERR_SYS_ERR, a value
790 791 * from the UNIX errno space is included in the ike_err_unix field.
791 792 */
792 793 typedef struct {
793 794 ike_svccmd_t cmd;
794 795 uint32_t ike_err;
795 796 uint32_t ike_err_unix;
796 797 uint32_t ike_err_reserved;
797 798 } ike_err_t;
798 799
799 800 /*
800 801 * Generic type for use when the request/reply type is unknown
801 802 */
802 803 typedef struct {
803 804 ike_svccmd_t cmd;
804 805 } ike_cmd_t;
805 806
806 807
807 808 /*
808 809 * Union containing all possible request/return structures.
809 810 */
810 811 typedef union {
811 812 ike_cmd_t svc_cmd;
812 813 ike_dbg_t svc_dbg;
813 814 ike_priv_t svc_priv;
814 815 ike_statreq_t svc_stats;
815 816 ike_dump_t svc_dump;
816 817 ike_get_t svc_get;
817 818 ike_new_t svc_new;
818 819 ike_del_t svc_del;
819 820 ike_rw_t svc_rw;
820 821 ike_flush_t svc_flush;
821 822 ike_pin_t svc_pin;
822 823 ike_err_t svc_err;
823 824 ike_defreq_t svc_defaults;
824 825 } ike_service_t;
825 826
826 827 #ifdef __cplusplus
827 828 }
828 829 #endif
829 830
830 831 #endif /* _IKEDOOR_H */
|
↓ open down ↓ |
785 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX