| blob | 95e71012d76e1a9894b3e0a8c7acc957f8cad941 |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
25 #ifndef _IKEDOOR_H
26 #define _IKEDOOR_H
28 #ifdef __cplusplus
30 #endif
32 #include <limits.h>
33 #include <sys/sysmacros.h>
34 #include <net/pfkeyv2.h>
35 #include <door.h>
37 /*
38 * This version number is intended to stop the calling process from
39 * getting confused if a structure is changed and a mismatch occurs.
40 * This should be incremented each time a structure is changed.
41 */
43 /*
44 * The IKE process may be a 64-bit process, but ikeadm or any other IKE
45 * door consumer does not have to be. We need to be strict ala. PF_KEY or
46 * any on-the-wire-protocol with respect to structure fields offsets and
47 * alignment. Please make sure all structures are the same size on both
48 * 64-bit and 32-bit execution environments (or even other ones), and that
49 * apart from trivial 4-byte enums or base headers, that all structures are
50 * multiples of 8-bytes (64-bits).
51 */
52 #define DOORVER 4
57 IKE_SVC_GET_DBG,
58 IKE_SVC_SET_DBG,
60 IKE_SVC_GET_PRIV,
61 IKE_SVC_SET_PRIV,
63 IKE_SVC_GET_STATS,
65 IKE_SVC_GET_P1,
66 IKE_SVC_DEL_P1,
67 IKE_SVC_DUMP_P1S,
68 IKE_SVC_FLUSH_P1S,
70 IKE_SVC_GET_RULE,
71 IKE_SVC_NEW_RULE,
72 IKE_SVC_DEL_RULE,
73 IKE_SVC_DUMP_RULES,
74 IKE_SVC_READ_RULES,
75 IKE_SVC_WRITE_RULES,
77 IKE_SVC_GET_PS,
78 IKE_SVC_NEW_PS,
79 IKE_SVC_DEL_PS,
80 IKE_SVC_DUMP_PS,
81 IKE_SVC_READ_PS,
82 IKE_SVC_WRITE_PS,
84 IKE_SVC_DBG_RBDUMP,
86 IKE_SVC_GET_DEFS,
88 IKE_SVC_SET_PIN,
89 IKE_SVC_DEL_PIN,
91 IKE_SVC_DUMP_CERTCACHE,
92 IKE_SVC_FLUSH_CERTCACHE,
94 IKE_SVC_DUMP_GROUPS,
95 IKE_SVC_DUMP_ENCRALGS,
96 IKE_SVC_DUMP_AUTHALGS,
98 IKE_SVC_ERROR
101 /* DPD status */
105 DPD_IN_PROGRESS,
106 DPD_SUCCESSFUL,
107 DPD_FAILURE
110 #define IKE_SVC_MAX IKE_SVC_ERROR
113 /*
114 * Support structures/defines
115 */
117 #define IKEDOORROUNDUP(i) P2ROUNDUP((i), sizeof (uint64_t))
119 /*
120 * Debug categories. The debug level is a bitmask made up of
121 * flags indicating the desired categories; only 31 bits are
122 * available, as the highest-order bit designates an invalid
123 * setting.
124 */
125 #define D_INVALID 0x80000000
139 #define D_HIGHBIT 0x00000400
140 #define D_ALL 0x000007ff
142 /*
143 * Access privilege levels: define level of access to keying information.
144 * The privileges granted at each level is a superset of the privileges
145 * granted at all lower levels.
146 *
147 * The door operations which require special privileges are:
148 *
149 * - receiving keying material for SAs and preshared key entries
150 * IKE_PRIV_KEYMAT must be set for this.
151 *
152 * - get/dump/new/delete/read/write preshared keys
153 * IKE_PRIV_KEYMAT or IKE_PRIV_MODKEYS must be set to do this.
154 * If IKE_PRIV_MODKEYS is set, the information returned for a
155 * get/dump request will not include the actual key; in order
156 * to get the key itself, IKE_PRIV_KEYMAT must be set.
157 *
158 * - modifying the privilege level: the daemon's privilege level
159 * is set when the daemon is started; the level may only be
160 * lowered via the door interface.
161 *
162 * All other operations are allowed at any privilege level.
163 */
164 #define IKE_PRIV_MINIMUM 0
165 #define IKE_PRIV_MODKEYS 1
166 #define IKE_PRIV_KEYMAT 2
167 #define IKE_PRIV_MAXIMUM 2
169 /* global ike stats formatting structure */
184 /* structure used to pass default values used by in.iked back to ikeadm */
217 /* data formatting structures for P1 SA dumps */
221 #define beg_iprange loc_addr
222 #define end_iprange rem_addr
231 ike_cky_pr_t p1hdr_cookies;
237 boolean_t p1hdr_support_dpd;
238 dpd_status_t p1hdr_dpd_state;
242 /* values for p1hdr_xchg (aligned with RFC2408, section 3.1) */
243 #define IKE_XCHG_NONE 0
244 #define IKE_XCHG_BASE 1
245 #define IKE_XCHG_IDENTITY_PROTECT 2
246 #define IKE_XCHG_AUTH_ONLY 3
247 #define IKE_XCHG_AGGRESSIVE 4
248 /* following not from RFC; used only for preshared key definitions */
249 #define IKE_XCHG_IP_AND_AGGR 240
250 /* also not from RFC; used as wildcard */
251 #define IKE_XCHG_ANY 256
253 /* values for p1hdr_state */
254 #define IKE_SA_STATE_INVALID 0
255 #define IKE_SA_STATE_INIT 1
256 #define IKE_SA_STATE_SENT_SA 2
257 #define IKE_SA_STATE_SENT_KE 3
258 #define IKE_SA_STATE_SENT_LAST 4
259 #define IKE_SA_STATE_DONE 5
260 #define IKE_SA_STATE_DELETED 6
277 /* values for p1xf_dh_group (aligned with RFC2409, Appendix A) */
278 #define IKE_GRP_DESC_MODP_768 1
279 #define IKE_GRP_DESC_MODP_1024 2
280 #define IKE_GRP_DESC_EC2N_155 3
281 #define IKE_GRP_DESC_EC2N_185 4
282 /* values for p1xf_dh_group (aligned with RFC3526) */
283 #define IKE_GRP_DESC_MODP_1536 5
284 #define IKE_GRP_DESC_MODP_2048 14
285 #define IKE_GRP_DESC_MODP_3072 15
286 #define IKE_GRP_DESC_MODP_4096 16
287 #define IKE_GRP_DESC_MODP_6144 17
288 #define IKE_GRP_DESC_MODP_8192 18
289 #define IKE_GRP_DESC_ECP_256 19
290 #define IKE_GRP_DESC_ECP_384 20
291 #define IKE_GRP_DESC_ECP_521 21
292 /* values for p1xf_dh_group (aligned with RFC5114) */
293 #define IKE_GRP_DESC_MODP_1024_160 22
294 #define IKE_GRP_DESC_MODP_2048_224 23
295 #define IKE_GRP_DESC_MODP_2048_256 24
296 #define IKE_GRP_DESC_ECP_192 25
297 #define IKE_GRP_DESC_ECP_224 26
299 /* values for p1xf_auth_meth (aligned with RFC2409, Appendix A) */
300 #define IKE_AUTH_METH_PRE_SHARED_KEY 1
301 #define IKE_AUTH_METH_DSS_SIG 2
302 #define IKE_AUTH_METH_RSA_SIG 3
303 #define IKE_AUTH_METH_RSA_ENCR 4
304 #define IKE_AUTH_METH_RSA_ENCR_REVISED 5
306 /* values for p1xf_prf */
307 #define IKE_PRF_NONE 0
308 #define IKE_PRF_HMAC_MD5 1
309 #define IKE_PRF_HMAC_SHA1 2
310 #define IKE_PRF_HMAC_SHA256 5
311 #define IKE_PRF_HMAC_SHA384 6
312 #define IKE_PRF_HMAC_SHA512 7
315 /*
316 * NOTE: the new and del counters count the actual number of SAs,
317 * not the number of "suites", as defined in the ike monitoring
318 * mib draft; we do this because we don't have a good way of
319 * tracking the deletion of entire suites (we're notified of
320 * deleted qm sas individually).
321 */
339 /*
340 * followed by (len - sizeof (ike_p1_key_t)) bytes of hex data,
341 * 64-bit aligned (pad bytes are added at the end, if necessary,
342 * and NOT INCLUDED in the len value, which reflects the actual
343 * key size).
344 */
347 /* key info types for ike_p1_key_t struct */
348 #define IKE_KEY_PRESHARED 1
349 #define IKE_KEY_SKEYID 2
350 #define IKE_KEY_SKEYID_D 3
351 #define IKE_KEY_SKEYID_A 4
352 #define IKE_KEY_SKEYID_E 5
353 #define IKE_KEY_ENCR 6
354 #define IKE_KEY_IV 7
357 ike_p1_hdr_t p1sa_hdr;
358 ike_p1_xform_t p1sa_xform;
359 ike_addr_pr_t p1sa_ipaddrs;
371 /*
372 * variable-length structures will be included here, as
373 * indicated by offset/length fields.
374 * stats and errors will be formatted as ike_p1_stats_t and
375 * ike_p1_errors_t, respectively.
376 * key info will be formatted as a series of p1_key_t structs.
377 * local/remote ids will be formatted as sadb_ident_t structs.
378 */
382 #define MAX_LABEL_LEN 256
385 /* data formatting structure for policy (rule) dumps */
412 /*
413 * Followed by several lists of variable-length structures, described
414 * by counts and offsets:
415 * transforms ike_p1_xform_t structs
416 * ranges of local ip addrs ike_addr_pr_t structs
417 * ranges of remote ip addrs ike_addr_pr_t structs
418 * local identification strings null-terminated ascii strings
419 * remote identification strings null-terminated ascii strings
420 */
423 /* data formatting structure for DH group dumps */
430 /* data formatting structure for encryption algorithm dumps */
432 uint_t encr_value;
438 /* data formatting structure for authentication algorithm dumps */
440 uint_t auth_value;
444 /*
445 * data formatting structure for preshared keys
446 * ps_ike_mode field uses the IKE_XCHG_* defs
447 */
449 ike_addr_pr_t ps_ipaddrs;
460 /*
461 * followed by variable-length structures, as indicated by
462 * offset/length fields.
463 * key info will be formatted as an array of bytes.
464 * local/remote ids will be formatted as sadb_ident_t structs.
465 */
468 #define DN_MAX 1024
469 #define CERT_OFF_WIRE -1
470 #define CERT_NO_PRIVKEY 0
471 #define CERT_PRIVKEY_LOCKED 1
472 #define CERT_PRIVKEY_AVAIL 2
474 /*
475 * data formatting structure for cached certs
476 */
486 /* identification types */
487 #define IKE_ID_IDENT_PAIR 1
488 #define IKE_ID_ADDR_PAIR 2
489 #define IKE_ID_CKY_PAIR 3
490 #define IKE_ID_LABEL 4
493 /* locations for read/write requests */
494 #define IKE_RW_LOC_DEFAULT 1
495 #define IKE_RW_LOC_USER_SPEC 2
498 /* door interface error codes */
516 /*
517 * IKE_SVC_GET_DBG
518 * Used to request the current debug level.
519 *
520 * Upon request, dbg_level is 0 (don't care).
521 *
522 * Upon return, dbg_level contains the current value.
523 *
524 *
525 * IKE_SVC_SET_DBG
526 * Used to request modification of the debug level.
527 *
528 * Upon request, dbg_level contains desired level. If debug output is
529 * to be directed to a different file, the fd should be passed in the
530 * door_desc_t field of the door_arg_t param. NOTE: if the daemon is
531 * currently running in the background with no debug set, an output
532 * file MUST be given.
533 *
534 * Upon return, dbg_level contains the old debug level, and acknowledges
535 * successful completion of the request. If an error is encountered,
536 * ike_err_t is returned instead, with appropriate error value and cmd
537 * IKE_SVC_ERROR.
538 */
540 ike_svccmd_t cmd;
544 /*
545 * IKE_SVC_GET_PRIV
546 * Used to request the current privilege level.
547 *
548 * Upon request, priv_level is 0 (don't care).
549 *
550 * Upon return, priv_level contains the current value.
551 *
552 *
553 * IKE_SVC_SET_PRIV
554 * Used to request modification of the privilege level.
555 *
556 * Upon request, priv_level contains the desired level. The level may
557 * only be lowered via the door interface; it cannot be raised. Thus,
558 * if in.iked is started at the lowest level, it cannot be changed.
559 *
560 * Upon return, priv_level contains the old privilege level, and
561 * acknowledges successful completion of the request. If an error is
562 * encountered, ike_err_t is returned instead, with appropriate error
563 * value and cmd IKE_SVC_ERROR.
564 */
566 ike_svccmd_t cmd;
571 /*
572 * IKE_SVC_GET_STATS
573 * Used to request current statistics on Phase 1 SA creation and
574 * failures. The statistics represent all activity in in.iked.
575 *
576 * Upon request, cmd is set, and stat_len does not matter.
577 *
578 * Upon successful return, stat_len contains the total size of the
579 * returned buffer, which contains first the ike_statreq_t struct,
580 * followed by the stat data in the ike_stats_t structure. In case
581 * of an error in processing the request, ike_err_t is returned with
582 * IKE_SVC_ERROR command and appropriate error code.
583 */
585 ike_svccmd_t cmd;
589 /*
590 * IKE_SVC_GET_DEFS
591 * Used to request default values from in.iked.
592 *
593 * Upon request, cmd is set, and stat_len does not matter.
594 *
595 * Upon successful return, stat_len contains the total size of the
596 * returned buffer, this contains a pair of ike_defaults_t's.
597 */
599 ike_svccmd_t cmd;
605 /*
606 * IKE_SVC_DUMP_{P1S|RULES|PS|CERTCACHE}
607 * Used to request a table dump, and to return info for a single table
608 * item. The expectation is that all of the table data will be passed
609 * through the door, one entry at a time; an individual request must be
610 * sent for each entry, however (the door server can't send unrequested
611 * data).
612 *
613 * Upon request: cmd is set, and dump_next contains the item number
614 * requested (0 for first request). dump_len is 0; no data follows.
615 *
616 * Upon return: cmd is set, and dump_next contains the item number of
617 * the *next* item in the table (to be used in the subsequent request).
618 * dump_next = 0 indicates that this is the last item in the table.
619 * dump_len is the total length (data + struct) returned. Data is
620 * formatted as indicated by the cmd type:
621 * IKE_SVC_DUMP_P1S: ike_p1_sa_t
622 * IKE_SVC_DUMP_RULES: ike_rule_t
623 * IKE_SVC_DUMP_PS: ike_ps_t
624 * IKE_SVC_DUMP_CERTCACHE: ike_certcache_t
625 */
627 ike_svccmd_t cmd;
636 #define dump_next dump_u.dump_actual.dump_unext
637 #define dump_reserved dump_u.dump_actual.dump_ureserved
638 /* dump_len - sizeof (ike_dump_t) bytes of data included here */
642 /*
643 * IKE_SVC_GET_{P1|RULE|PS}
644 * Used to request and return individual table items.
645 *
646 * Upon request: get_len is the total msg length (struct + id data);
647 * get_idtype indicates the type of identification being used.
648 * IKE_SVC_GET_P1: ike_addr_pr_t or ike_cky_pr_t
649 * IKE_SVC_GET_RULE: char string (label)
650 * IKE_SVC_GET_PS: ike_addr_pr_t or pair of sadb_ident_t
651 *
652 * Upon return: get_len is the total size (struct + data), get_idtype
653 * is unused, and the data that follows is formatted according to cmd:
654 * IKE_SVC_GET_P1: ike_p1_sa_t
655 * IKE_SVC_GET_RULE: ike_rule_t
656 * IKE_SVC_GET_PS: ike_ps_t
657 */
659 ike_svccmd_t cmd;
668 #define get_idtype get_u.get_actual.getu_idtype
669 #define get_reserved get_u.get_actual.getu_reserved
670 /* get_len - sizeof (ike_get_t) bytes of data included here */
674 /*
675 * IKE_SVC_NEW_{RULE|PS}
676 * Used to request and acknowledge insertion of a table item.
677 *
678 * Upon request: new_len is the total (data + struct) size passed, or 0.
679 * new_len = 0 => a door_desc_t is also included with a file descriptor
680 * for a file containing the data to be added. The file should include
681 * a single item: a rule, or a pre-shared key. For new_len != 0, the
682 * data is formatted according to the cmd type:
683 * IKE_SVC_NEW_RULE: ike_rule_t
684 * IKE_SVC_NEW_PS: ike_ps_t
685 *
686 * Upon return: new_len is 0; simply acknowledges successful insertion
687 * of the requested item. If insertion is not successful, ike_err_t is
688 * returned instead with appropriate error value.
689 */
691 ike_svccmd_t cmd;
693 /* new_len - sizeof (ike_new_t) bytes included here */
698 /*
699 * IKE_SVC_DEL_{P1|RULE|PS}
700 * Used to request and acknowledge the deletion of an individual table
701 * item.
702 *
703 * Upon request: del_len is the total msg length (struct + id data);
704 * del_idtype indicates the type of identification being used.
705 * IKE_SVC_DEL_P1: ike_addr_pr_t or ike_cky_pr_t
706 * IKE_SVC_DEL_RULE: char string (label)
707 * IKE_SVC_DEL_PS: ike_addr_pr_t or pair of sadb_ident_t
708 *
709 * Upon return: acknowledges deletion of the requested item; del_len and
710 * del_idtype are unspecified. If deletion is not successful, ike_err_t
711 * is returned instead with appropriate error value.
712 */
714 ike_svccmd_t cmd;
718 /* del_len - sizeof (ike_del_t) bytes of data included here. */
722 /*
723 * IKE_SVC_READ_{RULES|PS}
724 * Used to ask daemon to re-read particular configuration info.
725 *
726 * Upon request: rw_loc indicates where the info should be read from:
727 * either from a user-supplied file descriptor(s), or from the default
728 * location(s). If rw_loc indicates user-supplied location, the file
729 * descriptor(s) should be passed in the door_desc_t struct. For the
730 * IKE_SVC_READ_RULES cmd, two file descriptors should be specified:
731 * first, one for the config file which contains the data to be read,
732 * and second, one for the cookie file which will be written to as
733 * in.iked process the config file.
734 *
735 * Upon return: rw_loc is unspecified; the message simply acknowledges
736 * successful completion of the request. If an error occurred,
737 * ike_err_t is returned instead with appropriate error value.
738 *
739 *
740 * IKE_SVC_WRITE_{RULES|PS}
741 * Used to ask daemon to write its current config info to files.
742 *
743 * Request and return are handled the same as for the IKE_SVC_READ_*
744 * cmds; however, the rw_loc MUST be a user-supplied location. Also,
745 * for the IKE_SVC_WRITE_RULES cmd, the cookie file fd is not required;
746 * only a single fd, for the file to which the config info should be
747 * written, should be passed in.
748 */
750 ike_svccmd_t cmd;
755 /*
756 * IKE_SVC_FLUSH_P1S
757 * IKE_SVC_FLUSH_CERTCACHE
758 *
759 * Used to request and acknowledge tear-down of all P1 SAs
760 * or to flush the certificate cache.
761 */
763 ike_svccmd_t cmd;
767 #ifndef PKCS11_TOKSIZE
768 #define PKCS11_TOKSIZE 32
769 #endif
770 #define MAX_PIN_LEN 256
771 /*
772 * IKE_SVC_SET_PIN
773 * IKE_SVC_DEL_PIN
774 *
775 * Used to supply a pin for a PKCS#11 tokenj object.
776 *
777 */
779 ike_svccmd_t cmd;
785 /*
786 * IKE_SVC_ERROR
787 * Used on return if server encountered an error while processing
788 * the request. An appropriate error code is included (as defined
789 * in this header file); in the case of IKE_ERR_SYS_ERR, a value
790 * from the UNIX errno space is included in the ike_err_unix field.
791 */
793 ike_svccmd_t cmd;
799 /*
800 * Generic type for use when the request/reply type is unknown
801 */
803 ike_svccmd_t cmd;
807 /*
808 * Union containing all possible request/return structures.
809 */
811 ike_cmd_t svc_cmd;
812 ike_dbg_t svc_dbg;
813 ike_priv_t svc_priv;
814 ike_statreq_t svc_stats;
815 ike_dump_t svc_dump;
816 ike_get_t svc_get;
817 ike_new_t svc_new;
818 ike_del_t svc_del;
819 ike_rw_t svc_rw;
820 ike_flush_t svc_flush;
821 ike_pin_t svc_pin;
822 ike_err_t svc_err;
823 ike_defreq_t svc_defaults;
826 #ifdef __cplusplus
827 }
828 #endif