ikedoor.h revision 0358d3a672326bc66debe0a1c3a2372cd9f0f662
0N/A * The contents of this file are subject to the terms of the 0N/A * Common Development and Distribution License (the "License"). 0N/A * You may not use this file except in compliance with the License. 0N/A * See the License for the specific language governing permissions 0N/A * and limitations under the License. 0N/A * When distributing Covered Code, include this CDDL HEADER in each 0N/A * If applicable, add the following below this CDDL HEADER, with the 0N/A * fields enclosed by brackets "[]" replaced with your own identifying 0N/A * information: Portions Copyright [yyyy] [name of copyright owner] 0N/A * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 0N/A * Use is subject to license terms. 1879N/A#
pragma ident "%Z%%M% %I% %E% SMI" 0N/A * This version number is intended to stop the calling process from 0N/A * getting confused if a structure is changed and a mismatch occurs. 1887N/A * This should be incremented each time a structure is changed. 141N/A * Debug categories. The debug level is a bitmask made up of 141N/A * flags indicating the desired categories; only 31 bits are 1879N/A * available, as the highest-order bit designates an invalid 1887N/A#
define D_OP 0x00000004 /* operational: config, init, mem */ 1887N/A#
define D_P1 0x00000008 /* phase 1 negotiation */ 1887N/A#
define D_P2 0x00000010 /* phase 2 negotiation */ * Access privilege levels: define level of access to keying information. * The privileges granted at each level is a superset of the privileges * granted at all lower levels. * The door operations which require special privileges are: * - receiving keying material for SAs and preshared key entries * IKE_PRIV_KEYMAT must be set for this. * IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this. * If IKE_PRIV_MODKEYS is set, the information returned for a * get/dump request will not include the actual key; in order * to get the key itself, IKE_PRIV_KEYMAT must be set. * - modifying the privilege level: the daemon's privilege level * is set when the daemon is started; the level may only be * lowered via the door interface. * All other operations are allowed at any privilege level. /* global ike stats formatting structure */ /* structure used to pass default values used by in.iked back to ikeadm */ /* data formatting structures for P1 SA dumps */ /* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */ /* following not from RFC; used only for preshared key definitions */ /* also not from RFC; used as wildcard */ /* values for p1hdr_state */ /* values for p1xf_dh_group (aligned with RFC2409, Appendix A) */ /* values for p1xf_dh_group (aligned with RFC3526) */ /* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */ /* values for p1xf_prf */ * NOTE: the new and del counters count the actual number of SAs, * not the number of "suites", as defined in the ike monitoring * mib draft; we do this because we don't have a good way of * tracking the deletion of entire suites (we're notified of * deleted qm sas individually). * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data, * 64-bit aligned (pad bytes are added at the end, if necessary, * and NOT INCLUDED in the len value, which reflects the actual /* key info types for ike_p1_key_t struct */ * variable-length structures will be included here, as * stats and errors will be formatted as ike_p1_stats_t and * ike_p1_errors_t, respectively. * key info will be formatted as a series of p1_key_t structs. * local/remote ids will be formatted as sadb_ident_t structs. /* data formatting structure for policy (rule) dumps */ * Followed by several lists of variable-length structures, described * transforms ike_p1_xform_t structs * ranges of local ip addrs ike_addr_pr_t structs * ranges of remote ip addrs ike_addr_pr_t structs * local identification strings null-terminated ascii strings * remote identification strings null-terminated ascii strings * data formatting structure for preshared keys * ps_ike_mode field uses the IKE_XCHG_* defs * followed by variable-length structures, as indicated by * key info will be formatted as an array of bytes. * local/remote ids will be formatted as sadb_ident_t structs. /* identification types */ /* door interface error codes */ * Used to request the current debug level. * Upon request, dbg_level is 0 (don't care). * Upon return, dbg_level contains the current value. * Used to request modification of the debug level. * Upon request, dbg_level contains desired level. If debug output is * to be directed to a different file, the fd should be passed in the * door_desc_t field of the door_arg_t param. NOTE: if the daemon is * currently running in the background with no debug set, an output * Upon return, dbg_level contains the old debug level, and acknowledges * successful completion of the request. If an error is encountered, * ike_err_t is returned instead, with appropriate error value and cmd * Used to request the current privilege level. * Upon request, priv_level is 0 (don't care). * Upon return, priv_level contains the current value. * Used to request modification of the privilege level. * Upon request, priv_level contains the desired level. The level may * only be lowered via the door interface; it cannot be raised. Thus, * if in.iked is started at the lowest level, it cannot be changed. * Upon return, priv_level contains the old privilege level, and * acknowledges successful completion of the request. If an error is * encountered, ike_err_t is returned instead, with appropriate error * value and cmd IKE_SVC_ERROR. * Used to request current statistics on Phase 1 SA creation and * failures. The statistics represent all activity in in.iked. * Upon request, cmd is set, and stat_len does not matter. * Upon successful return, stat_len contains the total size of the * returned buffer, which contains first the ike_statreq_t struct, * followed by the stat data in the ike_stats_t structure. In case * of an error in processing the request, ike_err_t is returned with * IKE_SVC_ERROR command and appropriate error code. * Used to request default values from in.iked. * Upon request, cmd is set, and stat_len does not matter. * Upon successful return, stat_len contains the total size of the * returned buffer, this contains a pair of ike_defaults_t's. * IKE_SVC_DUMP_{P1S|RULES|PS} * Used to request a table dump, and to return info for a single table * item. The expectation is that all of the table data will be passed * through the door, one entry at a time; an individual request must be * sent for each entry, however (the door server can't send unrequested * Upon request: cmd is set, and dump_next contains the item number * requested (0 for first request). dump_len is 0; no data follows. * Upon return: cmd is set, and dump_next contains the item number of * the *next* item in the table (to be used in the subsequent request). * dump_next = 0 indicates that this is the last item in the table. * dump_len is the total length (data + struct) returned. Data is * formatted as indicated by the cmd type: * IKE_SVC_DUMP_P1S: ike_p1_sa_t * IKE_SVC_DUMP_RULES: ike_rule_t * IKE_SVC_DUMP_PS: ike_ps_t /* dump_len - sizeof (ike_dump_t) bytes of data included here */ * IKE_SVC_GET_{P1|RULE|PS} * Used to request and return individual table items. * Upon request: get_len is the total msg length (struct + id data); * get_idtype indicates the type of identification being used. * IKE_SVC_GET_P1: ike_addr_pr_t or ike_cky_pr_t * IKE_SVC_GET_RULE: char string (label) * IKE_SVC_GET_PS: ike_addr_pr_t or pair of sadb_ident_t * Upon return: get_len is the total size (struct + data), get_idtype * is unused, and the data that follows is formatted according to cmd: * IKE_SVC_GET_P1: ike_p1_sa_t * IKE_SVC_GET_RULE: ike_rule_t * IKE_SVC_GET_PS: ike_ps_t /* get_len - sizeof (ike_get_t) bytes of data included here */ * Used to request and acknowledge insertion of a table item. * Upon request: new_len is the total (data + struct) size passed, or 0. * new_len = 0 => a door_desc_t is also included with a file descriptor * for a file containing the data to be added. The file should include * a single item: a rule, or a pre-shared key. For new_len != 0, the * data is formatted according to the cmd type: * IKE_SVC_NEW_RULE: ike_rule_t * IKE_SVC_NEW_PS: ike_ps_t * Upon return: new_len is 0; simply acknowledges successful insertion * of the requested item. If insertion is not successful, ike_err_t is * returned instead with appropriate error value. /* new_len - sizeof (ike_new_t) bytes included here */ * IKE_SVC_DEL_{P1|RULE|PS} * Used to request and acknowledge the deletion of an individual table * Upon request: del_len is the total msg length (struct + id data); * del_idtype indicates the type of identification being used. * IKE_SVC_DEL_P1: ike_addr_pr_t or ike_cky_pr_t * IKE_SVC_DEL_RULE: char string (label) * IKE_SVC_DEL_PS: ike_addr_pr_t or pair of sadb_ident_t * Upon return: acknowledges deletion of the requested item; del_len and * del_idtype are unspecified. If deletion is not successful, ike_err_t * is returned instead with appropriate error value. /* del_len - sizeof (ike_del_t) bytes of data included here. */ * IKE_SVC_READ_{RULES|PS} * Used to ask daemon to re-read particular configuration info. * Upon request: rw_loc indicates where the info should be read from: * either from a user-supplied file descriptor(s), or from the default * location(s). If rw_loc indicates user-supplied location, the file * descriptor(s) should be passed in the door_desc_t struct. For the * IKE_SVC_READ_RULES cmd, two file descriptors should be specified: * first, one for the config file which contains the data to be read, * and second, one for the cookie file which will be written to as * in.iked process the config file. * Upon return: rw_loc is unspecified; the message simply acknowledges * successful completion of the request. If an error occurred, * ike_err_t is returned instead with appropriate error value. * IKE_SVC_WRITE_{RULES|PS} * Used to ask daemon to write its current config info to files. * Request and return are handled the same as for the IKE_SVC_READ_* * cmds; however, the rw_loc MUST be a user-supplied location. Also, * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required; * only a single fd, for the file to which the config info should be * written, should be passed in. * Used to request and acknowledge tear-down of all P1 SAs. * Used on return if server encountered an error while processing * the request. An appropriate error code is included (as defined * in this header file); in the case of IKE_ERR_SYS_ERR, a value * from the UNIX errno space is included in the ike_err_unix field. * Generic type for use when the request/reply type is unknown