      1 /*
      2  * CDDL HEADER START
      3  *
      4  * The contents of this file are subject to the terms of the
      5  * Common Development and Distribution License (the "License").
      6  * You may not use this file except in compliance with the License.
      7  *
      8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
      9  * or http://www.opensolaris.org/os/licensing.
     10  * See the License for the specific language governing permissions
     11  * and limitations under the License.
     12  *
     13  * When distributing Covered Code, include this CDDL HEADER in each
     14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
     15  * If applicable, add the following below this CDDL HEADER, with the
     16  * fields enclosed by brackets "[]" replaced with your own identifying
     17  * information: Portions Copyright [yyyy] [name of copyright owner]
     18  *
     19  * CDDL HEADER END
     20  */
     21 /*
     22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
     23  * Use is subject to license terms.
     24  */
     25 
     26 #ifndef	_IKEDOOR_H
     27 #define	_IKEDOOR_H
     28 
     29 #ifdef	__cplusplus
     30 extern "C" {
     31 #endif
     32 
     33 #include <limits.h>
     34 #include <sys/sysmacros.h>
     35 #include <net/pfkeyv2.h>
     36 #include <door.h>
     37 
/*
 * This version number is intended to stop the calling process from
 * getting confused if a structure is changed and a mismatch occurs.
 * This should be incremented each time a structure is changed.
 */

/*
 * The IKE process may be a 64-bit process, but ikeadm or any other IKE
 * door consumer does not have to be.  We need to be strict ala. PF_KEY or
 * any on-the-wire-protocol with respect to structure fields offsets and
 * alignment.  Please make sure all structures are the same size on both
 * 64-bit and 32-bit execution environments (or even other ones), and that
 * apart from trivial 4-byte enums or base headers, that all structures are
 * multiples of 8-bytes (64-bits).
 */
/* Version of the door protocol described by the structures in this header. */
#define	DOORVER 3
/*
 * Filesystem path of the IKE door.  Whoever can open this path can send
 * the requests below; replies that carry keying material are further
 * gated by the IKE_PRIV_* level described later in this file.
 */
#define	DOORNM	"/var/run/ike_door"
     55 
     56 
/*
 * Command codes.  Every request and reply structure below begins with a
 * field of this type, so a receiver can always read the command first and
 * then pick the matching member of ike_service_t.  The comment on each
 * value names the structure documented for it further down.
 */
typedef enum {
	IKE_SVC_GET_DBG,		/* ike_dbg_t */
	IKE_SVC_SET_DBG,		/* ike_dbg_t; output fd may accompany it */

	IKE_SVC_GET_PRIV,		/* ike_priv_t */
	IKE_SVC_SET_PRIV,		/* ike_priv_t; level can only go down */

	IKE_SVC_GET_STATS,		/* ike_statreq_t, data: ike_stats_t */

	IKE_SVC_GET_P1,			/* ike_get_t, data: ike_p1_sa_t */
	IKE_SVC_DEL_P1,			/* ike_del_t */
	IKE_SVC_DUMP_P1S,		/* ike_dump_t, data: ike_p1_sa_t */
	IKE_SVC_FLUSH_P1S,		/* ike_flush_t */

	IKE_SVC_GET_RULE,		/* ike_get_t, data: ike_rule_t */
	IKE_SVC_NEW_RULE,		/* ike_new_t, data: ike_rule_t or an fd */
	IKE_SVC_DEL_RULE,		/* ike_del_t */
	IKE_SVC_DUMP_RULES,		/* ike_dump_t, data: ike_rule_t */
	IKE_SVC_READ_RULES,		/* ike_rw_t */
	IKE_SVC_WRITE_RULES,		/* ike_rw_t */

	IKE_SVC_GET_PS,			/* ike_get_t, data: ike_ps_t */
	IKE_SVC_NEW_PS,			/* ike_new_t, data: ike_ps_t or an fd */
	IKE_SVC_DEL_PS,			/* ike_del_t */
	IKE_SVC_DUMP_PS,		/* ike_dump_t, data: ike_ps_t */
	IKE_SVC_READ_PS,		/* ike_rw_t */
	IKE_SVC_WRITE_PS,		/* ike_rw_t */

	IKE_SVC_DBG_RBDUMP,		/* no request structure is documented here */

	IKE_SVC_GET_DEFS,		/* ike_defreq_t, data: ike_defaults_t */

	IKE_SVC_SET_PIN,		/* ike_pin_t */
	IKE_SVC_DEL_PIN,		/* ike_pin_t */

	IKE_SVC_DUMP_CERTCACHE,		/* ike_dump_t, data: ike_certcache_t */
	IKE_SVC_FLUSH_CERTCACHE,	/* ike_flush_t */

	IKE_SVC_ERROR			/* ike_err_t; reply cmd on any failure */
} ike_svccmd_t;
     97 
/* DPD status */

/*
 * Dead-peer-detection state of a Phase 1 SA, reported in
 * ike_p1_hdr_t.p1hdr_dpd_state.
 */
typedef enum dpd_status {
	DPD_NOT_INITIATED = 0,
	DPD_IN_PROGRESS,
	DPD_SUCCESSFUL,
	DPD_FAILURE
} dpd_status_t;
    106 
/* Highest valid ike_svccmd_t value; anything above it is not a command. */
#define	IKE_SVC_MAX	IKE_SVC_ERROR


/*
 * Support structures/defines
 */

/*
 * Round a byte count up to the next multiple of sizeof (uint64_t), the
 * alignment unit required of every structure in this header.  P2ROUNDUP
 * comes from <sys/sysmacros.h>.
 */
#define	IKEDOORROUNDUP(i)   P2ROUNDUP((i), sizeof (uint64_t))
    115 
/*
 * Debug categories.  The debug level is a bitmask made up of
 * flags indicating the desired categories; only 31 bits are
 * available, as the highest-order bit designates an invalid
 * setting.  These are the values carried in ike_dbg_t.dbg_level.
 */
#define	D_INVALID	0x80000000

#define	D_CERT		0x00000001	/* certificate management */
#define	D_KEY		0x00000002	/* key management */
#define	D_OP		0x00000004	/* operational: config, init, mem */
#define	D_P1		0x00000008	/* phase 1 negotiation */
#define	D_P2		0x00000010	/* phase 2 negotiation */
#define	D_PFKEY		0x00000020	/* pf key interface */
#define	D_POL		0x00000040	/* policy management */
#define	D_PROP		0x00000080	/* proposal construction */
#define	D_DOOR		0x00000100	/* door server */
#define	D_CONFIG	0x00000200	/* config file processing */
#define	D_LABEL		0x00000400	/* MAC labels */

/* Highest category flag defined above (currently D_LABEL); update together. */
#define	D_HIGHBIT	0x00000400
/* Every category flag above, i.e. bits 0 through 10 set. */
#define	D_ALL		0x000007ff
    138 
/*
 * Access privilege levels: define level of access to keying information.
 * The privileges granted at each level are a superset of the privileges
 * granted at all lower levels.
 *
 * The door operations which require special privileges are:
 *
 *	- receiving keying material for SAs and preshared key entries
 *	  IKE_PRIV_KEYMAT must be set for this.
 *
 *	- get/dump/new/delete/read/write preshared keys
 *	  IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
 *	  If IKE_PRIV_MODKEYS is set, the information returned for a
 *	  get/dump request will not include the actual key; in order
 *	  to get the key itself, IKE_PRIV_KEYMAT must be set.
 *
 *	- modifying the privilege level: the daemon's privilege level
 *	  is set when the daemon is started; the level may only be
 *	  lowered via the door interface.
 *
 * All other operations are allowed at any privilege level.
 *
 * These are the values carried in ike_priv_t.priv_level.
 */
#define	IKE_PRIV_MINIMUM	0	/* no access to keying material */
#define	IKE_PRIV_MODKEYS	1	/* manage preshared keys, key bytes withheld */
#define	IKE_PRIV_KEYMAT		2	/* full access, key bytes included */
#define	IKE_PRIV_MAXIMUM	2
    165 
/*
 * global ike stats formatting structure
 *
 * Reply data for IKE_SVC_GET_STATS; follows the ike_statreq_t header in
 * the returned buffer.  The st_init_* / st_resp_* split presumably
 * separates locally initiated from peer-initiated Phase 1 exchanges
 * (inferred from the names; confirm against the producer).
 */
typedef struct {
	uint32_t	st_init_p1_current;
	uint32_t	st_resp_p1_current;
	uint32_t	st_init_p1_total;
	uint32_t	st_resp_p1_total;
	uint32_t	st_init_p1_attempts;
	uint32_t	st_resp_p1_attempts;
	uint32_t	st_init_p1_noresp;   /* failed; no response from peer */
	uint32_t	st_init_p1_respfail; /* failed, but peer responded */
	uint32_t	st_resp_p1_fail;
	uint32_t	st_reserved;	/* padding: keeps the counters at 40 bytes */
	char		st_pkcs11_libname[PATH_MAX];	/* PKCS#11 library in use */
} ike_stats_t;
    180 
/*
 * structure used to pass default values used by in.iked back to ikeadm
 *
 * Reply data for IKE_SVC_GET_DEFS; two of these follow the ike_defreq_t
 * header.  The rule_* / sys_* prefixes presumably distinguish per-rule
 * defaults from system-wide ones (inferred from the names).
 */
typedef struct {
	uint32_t	rule_p1_lifetime_secs;
	uint32_t	rule_p1_minlife;
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	rule_p2_idletime_secs;
	uint32_t	sys_p2_lifetime_secs;
	uint32_t	sys_p2_softlife_secs;
	uint32_t	sys_p2_idletime_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint32_t	sys_p2_lifetime_bytes;
	uint32_t	sys_p2_softlife_bytes;
	uint32_t	rule_p2_minlife_hard_secs;
	uint32_t	rule_p2_minlife_soft_secs;
	uint32_t	rule_p2_minlife_idle_secs;
	uint32_t	rule_p2_minlife_hard_kb;
	uint32_t	rule_p2_minlife_soft_kb;
	uint32_t	rule_p2_maxlife_secs;
	uint32_t	rule_p2_maxlife_kb;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_mindiff_secs;
	uint32_t	rule_p2_mindiff_kb;
	uint32_t	conversion_factor;	/* for secs to kbytes */
	uint32_t	rule_max_certs;
	uint32_t	rule_ike_port;
	uint32_t	rule_natt_port;
	uint32_t	defaults_reserved;	/* For 64-bit alignment. */
} ike_defaults_t;
    213 
/* data formatting structures for P1 SA dumps */

/*
 * A pair of socket addresses.  Used as the local/remote endpoints of a
 * P1 SA (ike_p1_sa_t) or preshared key entry (ike_ps_t), and as the
 * beginning/end of an address range in the ike_rule_t lists, via the
 * aliases below.  NOTE: the two #defines are ordinary file-scope macros,
 * not members; they rewrite the identifiers beg_iprange/end_iprange
 * everywhere after this point.
 */
typedef struct {
	struct sockaddr_storage	loc_addr;
	struct sockaddr_storage	rem_addr;
#define	beg_iprange	loc_addr
#define	end_iprange	rem_addr
} ike_addr_pr_t;
    221 
/*
 * The two 64-bit cookies that identify a P1 SA (suffixes presumably
 * initiator/responder).  Accepted as P1 identification by
 * IKE_SVC_GET_P1 and IKE_SVC_DEL_P1.
 */
typedef struct {
	uint64_t	cky_i;
	uint64_t	cky_r;
} ike_cky_pr_t;
    226 
/* Fixed header of a P1 SA record; first member of ike_p1_sa_t. */
typedef struct {
	ike_cky_pr_t	p1hdr_cookies;
	uint8_t		p1hdr_major;	/* version pair; presumably ISAKMP major/minor */
	uint8_t		p1hdr_minor;
	uint8_t		p1hdr_xchg;	/* IKE_XCHG_* value (see below) */
	uint8_t		p1hdr_isinit;	/* presumably non-zero when locally initiated */
	uint32_t	p1hdr_state;	/* IKE_SA_STATE_* value (see below) */
	boolean_t	p1hdr_support_dpd;
	dpd_status_t	p1hdr_dpd_state;	/* see dpd_status_t */
	uint64_t	p1hdr_dpd_time;
} ike_p1_hdr_t;
    238 
/* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
#define	IKE_XCHG_NONE			0
#define	IKE_XCHG_BASE			1
#define	IKE_XCHG_IDENTITY_PROTECT	2
#define	IKE_XCHG_AUTH_ONLY		3
#define	IKE_XCHG_AGGRESSIVE		4
/* following not from RFC; used only for preshared key definitions */
#define	IKE_XCHG_IP_AND_AGGR		240
/*
 * also not from RFC; used as wildcard.  256 does not fit in the uint8_t
 * p1hdr_xchg field (it would truncate to IKE_XCHG_NONE); it is only
 * meaningful in the 16-bit ps_ike_mode field of ike_ps_t.
 */
#define	IKE_XCHG_ANY			256

/* values for p1hdr_state */
#define	IKE_SA_STATE_INVALID	0
#define	IKE_SA_STATE_INIT	1
#define	IKE_SA_STATE_SENT_SA	2
#define	IKE_SA_STATE_SENT_KE	3
#define	IKE_SA_STATE_SENT_LAST	4
#define	IKE_SA_STATE_DONE	5
#define	IKE_SA_STATE_DELETED	6
    258 
/*
 * Phase 1 transform.  Appears once in ike_p1_sa_t (the SA's algorithms)
 * and as a list in ike_rule_t (the rule's acceptable transforms).
 */
typedef struct {
	uint16_t	p1xf_dh_group;		/* IKE_GRP_DESC_* (below) */
	uint16_t	p1xf_encr_alg;
	uint16_t	p1xf_encr_low_bits;	/* presumably key-size bounds for encr_alg */
	uint16_t	p1xf_encr_high_bits;
	uint16_t	p1xf_auth_alg;
	uint16_t	p1xf_auth_meth;		/* IKE_AUTH_METH_* (below) */
	uint16_t	p1xf_prf;		/* IKE_PRF_* (below) */
	uint16_t	p1xf_pfs;
	uint32_t	p1xf_max_secs;		/* lifetime limits, inferred from names */
	uint32_t	p1xf_max_kbytes;
	uint32_t	p1xf_max_keyuses;
	uint32_t	p1xf_reserved;	/* Alignment to 64-bit. */
} ike_p1_xform_t;
    273 
/*
 * Values for the uint16_t fields of ike_p1_xform_t named in each group.
 * Gaps in the numbering are simply codepoints this header does not name.
 */

/* values for p1xf_dh_group (aligned with RFC2409, Appendix A) */
#define	IKE_GRP_DESC_MODP_768	1
#define	IKE_GRP_DESC_MODP_1024	2
#define	IKE_GRP_DESC_EC2N_155	3
#define	IKE_GRP_DESC_EC2N_185	4
/* values for p1xf_dh_group (aligned with RFC3526) */
#define	IKE_GRP_DESC_MODP_1536	5
#define	IKE_GRP_DESC_MODP_2048	14
#define	IKE_GRP_DESC_MODP_3072	15
#define	IKE_GRP_DESC_MODP_4096	16
#define	IKE_GRP_DESC_MODP_6144	17
#define	IKE_GRP_DESC_MODP_8192	18

/* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
#define	IKE_AUTH_METH_PRE_SHARED_KEY	1
#define	IKE_AUTH_METH_DSS_SIG		2
#define	IKE_AUTH_METH_RSA_SIG		3
#define	IKE_AUTH_METH_RSA_ENCR		4
#define	IKE_AUTH_METH_RSA_ENCR_REVISED	5

/* values for p1xf_prf */
#define	IKE_PRF_NONE		0
#define	IKE_PRF_HMAC_MD5	1
#define	IKE_PRF_HMAC_SHA1	2
#define	IKE_PRF_HMAC_SHA256	5
#define	IKE_PRF_HMAC_SHA384	6
#define	IKE_PRF_HMAC_SHA512	7
    301 
/*
 * Per-P1-SA statistics.  Located inside an ike_p1_sa_t record by
 * p1sa_stat_off / p1sa_stat_len.
 */
typedef struct {
	/*
	 * NOTE: the new and del counters count the actual number of SAs,
	 * not the number of "suites", as defined in the ike monitoring
	 * mib draft; we do this because we don't have a good way of
	 * tracking the deletion of entire suites (we're notified of
	 * deleted qm sas individually).
	 */
	uint32_t	p1stat_new_qm_sas;
	uint32_t	p1stat_del_qm_sas;
	uint64_t	p1stat_start;	/* placed at offset 8 so it stays 8-byte aligned */
	uint32_t	p1stat_kbytes;
	uint32_t	p1stat_keyuses;
} ike_p1_stats_t;
    316 
/*
 * Per-P1-SA error counters.  Located inside an ike_p1_sa_t record by
 * p1sa_error_off / p1sa_error_len.
 */
typedef struct {
	uint32_t	p1err_decrypt;	/* presumably received packets failing decryption */
	uint32_t	p1err_hash;	/* presumably received packets failing hash check */
	uint32_t	p1err_otherrx;	/* other receive-side errors */
	uint32_t	p1err_tx;	/* transmit-side errors */
} ike_p1_errors_t;
    323 
/*
 * Header of one piece of P1 keying material.  A series of these is
 * located inside an ike_p1_sa_t record by p1sa_key_off / p1sa_key_len,
 * and is only returned when the daemon runs at IKE_PRIV_KEYMAT (see the
 * privilege levels above).  Because this is live key material, a
 * consumer should zeroize any buffer that held it once it is done.
 */
typedef struct {
	uint32_t	p1key_type;	/* IKE_KEY_* value (below) */
	uint32_t	p1key_len;	/* struct + key bytes, excluding pad */
	/*
	 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
	 * 64-bit aligned (pad bytes are added at the end, if necessary,
	 * and NOT INCLUDED in the len value, which reflects the actual
	 * key size).  A reader must check p1key_len >= sizeof (ike_p1_key_t)
	 * before doing that subtraction, and that the result stays inside
	 * p1sa_key_len.
	 */
} ike_p1_key_t;
    334 
/*
 * key info types for ike_p1_key_t struct (values of p1key_type).
 * The SKEYID* names presumably follow the RFC2409 key-derivation
 * terminology; confirm against the producer before relying on it.
 */
#define	IKE_KEY_PRESHARED	1
#define	IKE_KEY_SKEYID		2
#define	IKE_KEY_SKEYID_D	3
#define	IKE_KEY_SKEYID_A	4
#define	IKE_KEY_SKEYID_E	5
#define	IKE_KEY_ENCR		6
#define	IKE_KEY_IV		7
    343 
/*
 * A complete P1 SA record, returned for IKE_SVC_GET_P1 and
 * IKE_SVC_DUMP_P1S.  The fixed part below is followed by variable-length
 * pieces located by (offset, length) pairs; the offsets are presumably
 * measured from the start of this struct -- confirm against the producer.
 *
 * NOTE(review): the *_off / *_len values arrive from the other side of
 * the door.  Before reading through any of them, check that off + len
 * does not exceed the enclosing message length (get_len or dump_len).
 */
typedef struct {
	ike_p1_hdr_t	p1sa_hdr;
	ike_p1_xform_t	p1sa_xform;
	ike_addr_pr_t	p1sa_ipaddrs;		/* local / remote endpoints */
	uint16_t	p1sa_stat_off;		/* ike_p1_stats_t */
	uint16_t	p1sa_stat_len;
	uint16_t	p1sa_error_off;		/* ike_p1_errors_t */
	uint16_t	p1sa_error_len;
	uint16_t	p1sa_localid_off;	/* sadb_ident_t */
	uint16_t	p1sa_localid_len;
	uint16_t	p1sa_remoteid_off;	/* sadb_ident_t */
	uint16_t	p1sa_remoteid_len;
	uint16_t	p1sa_key_off;		/* ike_p1_key_t series; IKE_PRIV_KEYMAT only */
	uint16_t	p1sa_key_len;
	uint32_t	p1sa_reserved;		/* padding; keeps the struct 8-byte sized */
	/*
	 * variable-length structures will be included here, as
	 * indicated by offset/length fields.
	 * stats and errors will be formatted as ike_p1_stats_t and
	 * ike_p1_errors_t, respectively.
	 * key info will be formatted as a series of ike_p1_key_t structs.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_p1_sa_t;
    368 
    369 
/* Size of ike_rule_t.rule_label, the string that names a rule. */
#define	MAX_LABEL_LEN	256
    371 
    372 
/* data formatting structure for policy (rule) dumps */

/*
 * A policy rule, carried by IKE_SVC_GET_RULE, IKE_SVC_DUMP_RULES and
 * IKE_SVC_NEW_RULE.  The fixed part is followed by lists located by
 * (count, offset) pairs; the offsets are presumably relative to the
 * start of this struct -- confirm against the producer.
 *
 * NOTE(review): for IKE_SVC_NEW_RULE this struct comes from the door
 * client, so the daemon must treat every count and offset as untrusted
 * and check them against new_len before walking the lists; consumers
 * should do the same against get_len / dump_len on replies.  rule_label
 * is not guaranteed NUL-terminated by this header; bound reads at
 * MAX_LABEL_LEN.
 */
typedef struct {
	char		rule_label[MAX_LABEL_LEN];	/* id used by GET/DEL_RULE */
	uint32_t	rule_kmcookie;
	uint16_t	rule_ike_mode;		/* presumably an IKE_XCHG_* value */
	uint16_t	rule_local_idtype;	/* SADB_IDENTTYPE_* value */
	uint32_t	rule_p1_nonce_len;
	uint32_t	rule_p2_nonce_len;
	uint32_t	rule_p2_pfs;
	uint32_t	rule_p2_lifetime_secs;
	uint32_t	rule_p2_softlife_secs;
	uint32_t	rule_p2_idletime_secs;
	uint32_t	rule_p2_lifetime_kb;
	uint32_t	rule_p2_softlife_kb;
	uint16_t	rule_xform_cnt;		/* ike_p1_xform_t list */
	uint16_t	rule_xform_off;
	uint16_t	rule_locip_cnt;		/* ike_addr_pr_t ranges */
	uint16_t	rule_locip_off;
	uint16_t	rule_remip_cnt;		/* ike_addr_pr_t ranges */
	uint16_t	rule_remip_off;
	uint16_t	rule_locid_inclcnt;	/* incl/excl presumably share one offset */
	uint16_t	rule_locid_exclcnt;
	uint16_t	rule_locid_off;
	uint16_t	rule_remid_inclcnt;
	uint16_t	rule_remid_exclcnt;
	uint16_t	rule_remid_off;
	/*
	 * Followed by several lists of variable-length structures, described
	 * by counts and offsets:
	 *	transforms			ike_p1_xform_t structs
	 *	ranges of local ip addrs	ike_addr_pr_t structs
	 *	ranges of remote ip addrs	ike_addr_pr_t structs
	 *	local identification strings	null-terminated ascii strings
	 *	remote identification strings	null-terminated ascii strings
	 */
} ike_rule_t;
    410 
    411 
/*
 * data formatting structure for preshared keys
 * ps_ike_mode field uses the IKE_XCHG_* defs
 *
 * Carried by IKE_SVC_GET_PS, IKE_SVC_DUMP_PS and IKE_SVC_NEW_PS.  The key
 * bytes located by ps_key_off / ps_key_len are returned only when the
 * daemon runs at IKE_PRIV_KEYMAT; at IKE_PRIV_MODKEYS a get/dump reply
 * omits them (see the privilege levels above).
 *
 * NOTE(review): the offsets and lengths cross the door in both
 * directions.  Check off + len against new_len / get_len / dump_len
 * before use, and zeroize any buffer that held the key bytes once they
 * are no longer needed.
 */
typedef struct {
	ike_addr_pr_t	ps_ipaddrs;
	uint16_t	ps_ike_mode;
	uint16_t	ps_localid_off;		/* sadb_ident_t */
	uint16_t	ps_localid_len;
	uint16_t	ps_remoteid_off;	/* sadb_ident_t */
	uint16_t	ps_remoteid_len;
	uint16_t	ps_key_off;		/* raw key bytes (secret) */
	uint16_t	ps_key_len;
	uint16_t	ps_key_bits;		/* key size in bits; relation to ps_key_len not stated here */
	/*
	 * followed by variable-length structures, as indicated by
	 * offset/length fields.
	 * key info will be formatted as an array of bytes.
	 * local/remote ids will be formatted as sadb_ident_t structs.
	 */
} ike_ps_t;
    433 
/* Size of the subject/issuer strings in ike_certcache_t. */
#define	DN_MAX			1024
/*
 * Private-key linkage states; presumably the values of
 * ike_certcache_t.linkage, which is a signed int so that -1 fits.
 */
#define	CERT_OFF_WIRE		-1
#define	CERT_NO_PRIVKEY		0
#define	CERT_PRIVKEY_LOCKED	1
#define	CERT_PRIVKEY_AVAIL	2
    439 
/*
 * data formatting structure for cached certs
 *
 * Reply data for IKE_SVC_DUMP_CERTCACHE, one per entry.  subject and
 * issuer are not guaranteed NUL-terminated by this header; bound reads
 * at DN_MAX.
 */
typedef struct {
	uint32_t	cache_id;
	uint32_t	certclass;
	int		linkage;		/* presumably a CERT_* value (above) */
	uint32_t	certcache_padding;	/* For 64-bit alignment. */
	char		subject[DN_MAX];
	char		issuer[DN_MAX];
} ike_certcache_t;
    451 
/*
 * identification types -- presumably the values of get_idtype
 * (ike_get_t) and del_idtype (ike_del_t), naming the data that follows
 * the header: a pair of sadb_ident_t, an ike_addr_pr_t, an
 * ike_cky_pr_t, or a label string.
 */
#define	IKE_ID_IDENT_PAIR	1
#define	IKE_ID_ADDR_PAIR	2
#define	IKE_ID_CKY_PAIR		3
#define	IKE_ID_LABEL		4
    457 
    458 
/* locations for read/write requests (values of ike_rw_t.rw_loc) */
#define	IKE_RW_LOC_DEFAULT	1	/* daemon's default file(s) */
#define	IKE_RW_LOC_USER_SPEC	2	/* fd(s) passed in door_desc_t */
    462 
    463 
/* door interface error codes (values of ike_err_t.ike_err) */
#define	IKE_ERR_NO_OBJ		1	/* nothing found to match the request */
#define	IKE_ERR_NO_DESC		2	/* fd was required with this request */
#define	IKE_ERR_ID_INVALID	3	/* invalid id info was provided */
#define	IKE_ERR_LOC_INVALID	4	/* invalid location info was provided */
#define	IKE_ERR_CMD_INVALID	5	/* invalid command was provided */
#define	IKE_ERR_DATA_INVALID	6	/* invalid data was provided */
#define	IKE_ERR_CMD_NOTSUP	7	/* unsupported command */
#define	IKE_ERR_REQ_INVALID	8	/* badly formatted request */
#define	IKE_ERR_NO_PRIV		9	/* privilege level not high enough */
#define	IKE_ERR_SYS_ERR		10	/* syserr occurred; errno in ike_err_unix */
#define	IKE_ERR_DUP_IGNORED	11	/* attempt to add a duplicate entry */
#define	IKE_ERR_NO_TOKEN	12	/* cannot login into pkcs#11 token */
#define	IKE_ERR_NO_AUTH		13	/* not authorized */
#define	IKE_ERR_IN_PROGRESS	14	/* operation already in progress */
#define	IKE_ERR_NO_MEM		15	/* insufficient memory */
    480 
    481 
/*
 * IKE_SVC_GET_DBG
 * Used to request the current debug level.
 *
 * Upon request, dbg_level is 0 (don't care).
 *
 * Upon return, dbg_level contains the current value.
 *
 *
 * IKE_SVC_SET_DBG
 * Used to request modification of the debug level.
 *
 * Upon request, dbg_level contains desired level.  If debug output is
 * to be directed to a different file, the fd should be passed in the
 * door_desc_t field of the door_arg_t param.  NOTE: if the daemon is
 * currently running in the background with no debug set, an output
 * file MUST be given.
 *
 * Upon return, dbg_level contains the old debug level, and acknowledges
 * successful completion of the request.  If an error is encountered,
 * ike_err_t is returned instead, with appropriate error value and cmd
 * IKE_SVC_ERROR.
 */
typedef struct {
	ike_svccmd_t	cmd;		/* IKE_SVC_GET_DBG or IKE_SVC_SET_DBG */
	uint32_t	dbg_level;	/* bitmask of D_* flags; D_INVALID marks a bad value */
} ike_dbg_t;
    509 
/*
 * IKE_SVC_GET_PRIV
 * Used to request the current privilege level.
 *
 * Upon request, priv_level is 0 (don't care).
 *
 * Upon return, priv_level contains the current value.
 *
 *
 * IKE_SVC_SET_PRIV
 * Used to request modification of the privilege level.
 *
 * Upon request, priv_level contains the desired level.  The level may
 * only be lowered via the door interface; it cannot be raised.  Thus,
 * if in.iked is started at the lowest level, it cannot be changed.
 *
 * Upon return, priv_level contains the old privilege level, and
 * acknowledges successful completion of the request.  If an error is
 * encountered, ike_err_t is returned instead, with appropriate error
 * value and cmd IKE_SVC_ERROR.
 */
typedef struct {
	ike_svccmd_t	cmd;		/* IKE_SVC_GET_PRIV or IKE_SVC_SET_PRIV */
	uint32_t	priv_level;	/* IKE_PRIV_MINIMUM .. IKE_PRIV_MAXIMUM */
} ike_priv_t;
    535 
    536 
/*
 * IKE_SVC_GET_STATS
 * Used to request current statistics on Phase 1 SA creation and
 * failures.  The statistics represent all activity in in.iked.
 *
 * Upon request, cmd is set, and stat_len does not matter.
 *
 * Upon successful return, stat_len contains the total size of the
 * returned buffer, which contains first the ike_statreq_t struct,
 * followed by the stat data in the ike_stats_t structure. In case
 * of an error in processing the request, ike_err_t is returned with
 * IKE_SVC_ERROR command and appropriate error code.
 */
typedef struct {
	ike_svccmd_t	cmd;		/* IKE_SVC_GET_STATS */
	uint32_t	stat_len;	/* reply: sizeof (ike_statreq_t) + data */
} ike_statreq_t;
    554 
/*
 * IKE_SVC_GET_DEFS
 * Used to request default values from in.iked.
 *
 * Upon request, cmd is set, and stat_len does not matter.
 *
 * Upon successful return, stat_len contains the total size of the
 * returned buffer, this contains a pair of ike_defaults_t's.
 */
typedef struct {
	ike_svccmd_t	cmd;		/* IKE_SVC_GET_DEFS */
	uint32_t	stat_len;	/* reply: total size, header + two ike_defaults_t */
	uint32_t	version;	/* presumably compared with DOORVER -- confirm */
	uint32_t	defreq_reserved;	/* For 64-bit alignment. */
} ike_defreq_t;
    570 
/*
 * IKE_SVC_DUMP_{P1S|RULES|PS|CERTCACHE}
 * Used to request a table dump, and to return info for a single table
 * item.  The expectation is that all of the table data will be passed
 * through the door, one entry at a time; an individual request must be
 * sent for each entry, however (the door server can't send unrequested
 * data).
 *
 * Upon request: cmd is set, and dump_next contains the item number
 * requested (0 for first request).  dump_len is 0; no data follows.
 *
 * Upon return: cmd is set, and dump_next contains the item number of
 * the *next* item in the table (to be used in the subsequent request).
 * dump_next = 0 indicates that this is the last item in the table.
 * dump_len is the total length (data + struct) returned.  Data is
 * formatted as indicated by the cmd type:
 *   IKE_SVC_DUMP_P1S:		ike_p1_sa_t
 *   IKE_SVC_DUMP_RULES:	ike_rule_t
 *   IKE_SVC_DUMP_PS:		ike_ps_t
 *   IKE_SVC_DUMP_CERTCACHE:	ike_certcache_t
 *
 * Note that 0 is both the first-item request value and the end-of-table
 * reply value, so a consumer loop must key on the reply, not the request.
 *
 * NOTE(review): a consumer should verify dump_len >= sizeof (ike_dump_t)
 * before computing the trailing data size; the subtraction below wraps
 * otherwise.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	dump_len;	/* reply: total length, struct + data */
	union {
		struct {
			uint32_t	dump_unext;	/* item number (see above) */
			uint32_t	dump_ureserved;
		} dump_actual;
		uint64_t dump_alignment;	/* keeps the union 8 bytes in size */
	} dump_u;
#define	dump_next dump_u.dump_actual.dump_unext
#define	dump_reserved dump_u.dump_actual.dump_ureserved
	/* dump_len - sizeof (ike_dump_t) bytes of data included here */
} ike_dump_t;
    606 
    607 
/*
 * IKE_SVC_GET_{P1|RULE|PS}
 * Used to request and return individual table items.
 *
 * Upon request: get_len is the total msg length (struct + id data);
 * get_idtype indicates the type of identification being used.
 *   IKE_SVC_GET_P1:		ike_addr_pr_t or ike_cky_pr_t
 *   IKE_SVC_GET_RULE:		char string (label)
 *   IKE_SVC_GET_PS:		ike_addr_pr_t or pair of sadb_ident_t
 *
 * Upon return: get_len is the total size (struct + data), get_idtype
 * is unused, and the data that follows is formatted according to cmd:
 *   IKE_SVC_GET_P1:		ike_p1_sa_t
 *   IKE_SVC_GET_RULE:		ike_rule_t
 *   IKE_SVC_GET_PS:		ike_ps_t
 *
 * NOTE(review): get_len is supplied by the peer in both directions.
 * Both sides should verify get_len >= sizeof (ike_get_t) and that the
 * id data / returned record fits in get_len before touching it.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	get_len;	/* total length, struct + data */
	union {
		struct {
			uint32_t	getu_idtype;	/* presumably an IKE_ID_* value */
			uint32_t	getu_reserved;
		} get_actual;
		uint64_t get_alignment;	/* keeps the union 8 bytes in size */
	} get_u;
#define	get_idtype get_u.get_actual.getu_idtype
#define	get_reserved get_u.get_actual.getu_reserved
	/* get_len - sizeof (ike_get_t) bytes of data included here */
} ike_get_t;
    638 
    639 
/*
 * IKE_SVC_NEW_{RULE|PS}
 * Used to request and acknowledge insertion of a table item.
 *
 * Upon request: new_len is the total (data + struct) size passed, or 0.
 * new_len = 0 => a door_desc_t is also included with a file descriptor
 * for a file containing the data to be added.  The file should include
 * a single item: a rule, or a pre-shared key.  For new_len != 0, the
 * data is formatted according to the cmd type:
 *   IKE_SVC_NEW_RULE:		ike_rule_t
 *   IKE_SVC_NEW_PS:		ike_ps_t
 *
 * Upon return: new_len is 0; simply acknowledges successful insertion
 * of the requested item.  If insertion is not successful, ike_err_t is
 * returned instead with appropriate error value.
 *
 * NOTE(review): the inline item comes from the door client.  The daemon
 * should reject 0 < new_len < sizeof (ike_new_t) (the data-size
 * subtraction wraps) and check that the item's own offsets and lengths
 * stay inside new_len before using it.  For IKE_SVC_NEW_PS the inline
 * data holds a preshared key; zeroize the buffer after processing.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	new_len;	/* struct + data size, or 0 if an fd is passed */
	uint64_t	new_align;	/* Padding for 64-bit alignment. */
	/* new_len - sizeof (ike_new_t) bytes of data follow the whole struct */
} ike_new_t;
    662 
    663 
/*
 * IKE_SVC_DEL_{P1|RULE|PS}
 * Used to request and acknowledge the deletion of an individual table
 * item.
 *
 * Upon request: del_len is the total msg length (struct + id data);
 * del_idtype indicates the type of identification being used.
 *   IKE_SVC_DEL_P1:		ike_addr_pr_t or ike_cky_pr_t
 *   IKE_SVC_DEL_RULE:		char string (label)
 *   IKE_SVC_DEL_PS:		ike_addr_pr_t or pair of sadb_ident_t
 *
 * Upon return: acknowledges deletion of the requested item; del_len and
 * del_idtype are unspecified.  If deletion is not successful, ike_err_t
 * is returned instead with appropriate error value.
 *
 * NOTE(review): the daemon should verify del_len >= sizeof (ike_del_t)
 * and that the id data fits in del_len before reading it.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	del_len;	/* total length, struct + id data */
	uint32_t	del_idtype;	/* presumably an IKE_ID_* value */
	uint32_t	del_reserved;	/* padding for 64-bit alignment */
	/* del_len - sizeof (ike_del_t) bytes of data included here. */
} ike_del_t;
    686 
    687 
/*
 * IKE_SVC_READ_{RULES|PS}
 * Used to ask daemon to re-read particular configuration info.
 *
 * Upon request: rw_loc indicates where the info should be read from:
 * either from a user-supplied file descriptor(s), or from the default
 * location(s).  If rw_loc indicates user-supplied location, the file
 * descriptor(s) should be passed in the door_desc_t struct.  For the
 * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
 * first, one for the config file which contains the data to be read,
 * and second, one for the cookie file which will be written to as
 * in.iked processes the config file.
 *
 * Upon return: rw_loc is unspecified; the message simply acknowledges
 * successful completion of the request.  If an error occurred,
 * ike_err_t is returned instead with appropriate error value.
 *
 *
 * IKE_SVC_WRITE_{RULES|PS}
 * Used to ask daemon to write its current config info to files.
 *
 * Request and return are handled the same as for the IKE_SVC_READ_*
 * cmds; however, the rw_loc MUST be a user-supplied location.  Also,
 * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
 * only a single fd, for the file to which the config info should be
 * written, should be passed in.
 *
 * Note that IKE_SVC_WRITE_PS makes the daemon write preshared keys to a
 * caller-supplied fd; it is one of the operations the privilege levels
 * above restrict.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	rw_loc;		/* IKE_RW_LOC_DEFAULT or IKE_RW_LOC_USER_SPEC */
} ike_rw_t;
    719 
    720 
/*
 * IKE_SVC_FLUSH_P1S
 * IKE_SVC_FLUSH_CERTCACHE
 *
 * Used to request and acknowledge tear-down of all P1 SAs
 * or to flush the certificate cache.  The request carries no data
 * beyond the command; on failure ike_err_t is returned instead.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_flush_t;
    731 
    732 
#ifndef PKCS11_TOKSIZE
#define	PKCS11_TOKSIZE 32	/* size of ike_pin_t.pkcs11_token */
#endif
#define	MAX_PIN_LEN 256		/* size of ike_pin_t.token_pin */
/*
 * IKE_SVC_SET_PIN
 * IKE_SVC_DEL_PIN
 *
 * Used to supply a pin for a PKCS#11 token object.
 *
 * token_pin carries a secret in the clear through the door.  Both sides
 * should zeroize the buffer (and any ike_service_t that held it) as
 * soon as the PIN has been used.  Neither array is guaranteed
 * NUL-terminated by this header; bound reads at their declared sizes.
 */
typedef struct {
	ike_svccmd_t	cmd;
	uint32_t	pin_reserved;	/* For 64-bit alignment. */
	char pkcs11_token[PKCS11_TOKSIZE];	/* token name */
	uchar_t token_pin[MAX_PIN_LEN];		/* the PIN (secret) */
} ike_pin_t;
    750 
/*
 * IKE_SVC_ERROR
 * Used on return if server encountered an error while processing
 * the request.  An appropriate error code is included (as defined
 * in this header file); in the case of IKE_ERR_SYS_ERR, a value
 * from the UNIX errno space is included in the ike_err_unix field.
 */
typedef struct {
	ike_svccmd_t	cmd;		/* always IKE_SVC_ERROR */
	uint32_t	ike_err;	/* IKE_ERR_* value */
	uint32_t	ike_err_unix;	/* errno, meaningful only for IKE_ERR_SYS_ERR */
	uint32_t	ike_err_reserved;	/* padding for 64-bit alignment */
} ike_err_t;
    764 
/*
 * Generic type for use when the request/reply type is unknown.
 * Every structure above starts with an ike_svccmd_t, so a message of
 * any type can be read through this one to learn its cmd.
 */
typedef struct {
	ike_svccmd_t	cmd;
} ike_cmd_t;
    771 
    772 
/*
 * Union containing all possible request/return structures.
 * Read svc_cmd.cmd first and then use the member it names.  Because the
 * union includes ike_pin_t, a buffer of this type may contain a PIN;
 * clear it before the memory is reused or released.
 */
typedef union {
	ike_cmd_t	svc_cmd;
	ike_dbg_t	svc_dbg;
	ike_priv_t	svc_priv;
	ike_statreq_t	svc_stats;
	ike_dump_t	svc_dump;
	ike_get_t	svc_get;
	ike_new_t	svc_new;
	ike_del_t	svc_del;
	ike_rw_t	svc_rw;
	ike_flush_t	svc_flush;
	ike_pin_t	svc_pin;
	ike_err_t	svc_err;
	ike_defreq_t	svc_defaults;
} ike_service_t;
    791 
    792 #ifdef	__cplusplus
    793 }
    794 #endif
    795 
    796 #endif	/* _IKEDOOR_H */
    797