diff options
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2007-04-12 20:41:31 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2007-04-12 20:41:31 +0000 |
commit | 774a362e87feab25f1be16fbca08269ddc7121a4 (patch) | |
tree | cf71f4e7466468ac3edc2127125f333224a9acfb /src/libfreeswan/ipsec_policy.h | |
parent | c54a140a445bfe7aa66721f68bb0781f26add91c (diff) | |
download | vyos-strongswan-774a362e87feab25f1be16fbca08269ddc7121a4.tar.gz vyos-strongswan-774a362e87feab25f1be16fbca08269ddc7121a4.zip |
Major new upstream release, just ran svn-upgrade for now (and wrote some
debian/changelong entries).
Diffstat (limited to 'src/libfreeswan/ipsec_policy.h')
-rw-r--r-- | src/libfreeswan/ipsec_policy.h | 225 |
1 files changed, 225 insertions, 0 deletions
diff --git a/src/libfreeswan/ipsec_policy.h b/src/libfreeswan/ipsec_policy.h new file mode 100644 index 000000000..671919e4b --- /dev/null +++ b/src/libfreeswan/ipsec_policy.h @@ -0,0 +1,225 @@ +#ifndef _IPSEC_POLICY_H +/* + * policy interface file between pluto and applications + * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org> + * + * This library is free software; you can redistribute it and/or modify it + * under the terms of the GNU Library General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public + * License for more details. + * + * RCSID $Id: ipsec_policy.h,v 1.4 2004/10/04 22:43:56 as Exp $ + */ +#define _IPSEC_POLICY_H /* seen it, no need to see it again */ + + +/* + * this file defines an interface between an application (or rather an + * application library) and a key/policy daemon. It provides for inquiries + * as to the current state of a connected socket, as well as for general + * questions. + * + * In general, the interface is defined as a series of functional interfaces, + * and the policy messages should be internal. However, because this is in + * fact an ABI between pieces of the system that may get compiled and revised + * seperately, this ABI must be public and revision controlled. + * + * It is expected that the daemon will always support previous versions. + */ + +#define IPSEC_POLICY_MSG_REVISION (unsigned)200305061 + +enum ipsec_policy_command { + IPSEC_CMD_QUERY_FD = 1, + IPSEC_CMD_QUERY_HOSTPAIR = 2, + IPSEC_CMD_QUERY_DSTONLY = 3, +}; + +struct ipsec_policy_msg_head { + u_int32_t ipm_version; + u_int32_t ipm_msg_len; + u_int32_t ipm_msg_type; + u_int32_t ipm_msg_seq; +}; + +enum ipsec_privacy_quality { + IPSEC_PRIVACY_NONE = 0, + IPSEC_PRIVACY_INTEGRAL = 4, /* not private at all. AH-like */ + IPSEC_PRIVACY_UNKNOWN = 8, /* something is claimed, but details unavail */ + IPSEC_PRIVACY_ROT13 = 12, /* trivially breakable, i.e. 1DES */ + IPSEC_PRIVACY_GAK = 16, /* known eavesdroppers */ + IPSEC_PRIVACY_PRIVATE = 32, /* secure for at least a decade */ + IPSEC_PRIVACY_STRONG = 64, /* ridiculously secure */ + IPSEC_PRIVACY_TORTOISE = 192, /* even stronger, but very slow */ + IPSEC_PRIVACY_OTP = 224, /* some kind of *true* one time pad */ +}; + +enum ipsec_bandwidth_quality { + IPSEC_QOS_UNKNOWN = 0, /* unknown bandwidth */ + IPSEC_QOS_INTERACTIVE = 16, /* reasonably moderate jitter, moderate fast. + Good enough for telnet/ssh. */ + IPSEC_QOS_VOIP = 32, /* faster crypto, predicable jitter */ + IPSEC_QOS_FTP = 64, /* higher throughput crypto, perhaps hardware + offloaded, but latency/jitter may be bad */ + IPSEC_QOS_WIRESPEED = 128, /* expect to be able to fill your pipe */ +}; + +/* moved from programs/pluto/constants.h */ +/* IPsec AH transform values + * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.3 + * and in http://www.iana.org/assignments/isakmp-registry + */ +enum ipsec_authentication_algo { + AH_NONE = 0, + AH_MD5 = 2, + AH_SHA = 3, + AH_DES = 4, + AH_SHA2_256 = 5, + AH_SHA2_384 = 6, + AH_SHA2_512 = 7, + AH_RIPEMD = 8 +}; + +/* IPsec ESP transform values + * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.4 + * and from http://www.iana.org/assignments/isakmp-registry + */ + +enum ipsec_cipher_algo { + ESP_NONE = 0, + ESP_DES_IV64 = 1, + ESP_DES = 2, + ESP_3DES = 3, + ESP_RC5 = 4, + ESP_IDEA = 5, + ESP_CAST = 6, + ESP_BLOWFISH = 7, + ESP_3IDEA = 8, + ESP_DES_IV32 = 9, + ESP_RC4 = 10, + ESP_NULL = 11, + ESP_AES = 12, + ESP_AES_CTR = 13, + ESP_AES_CCM_8 = 14, + ESP_AES_CCM_12 = 15, + ESP_AES_CCM_16 = 16, + ESP_SERPENT = 252, + ESP_TWOFISH = 253 +}; + +/* IPCOMP transform values + * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5 + */ + +enum ipsec_comp_algo { + IPSCOMP_NONE = 0, + IPCOMP_OUI = 1, + IPCOMP_DEFLATE = 2, + IPCOMP_LZS = 3, + IPCOMP_LZJH = 4 +}; + +/* Identification type values + * RFC 2407 The Internet IP security Domain of Interpretation for ISAKMP 4.6.2.1 + */ + +enum ipsec_id_type { + ID_IMPOSSIBLE= (-2), /* private to Pluto */ + ID_MYID= (-1), /* private to Pluto */ + ID_NONE= 0, /* private to Pluto */ + ID_IPV4_ADDR= 1, + ID_FQDN= 2, + ID_USER_FQDN= 3, + ID_IPV4_ADDR_SUBNET= 4, + ID_IPV6_ADDR= 5, + ID_IPV6_ADDR_SUBNET= 6, + ID_IPV4_ADDR_RANGE= 7, + ID_IPV6_ADDR_RANGE= 8, + ID_DER_ASN1_DN= 9, + ID_DER_ASN1_GN= 10, + ID_KEY_ID= 11 +}; + +/* Certificate type values + * RFC 2408 ISAKMP, chapter 3.9 + */ +enum ipsec_cert_type { + CERT_NONE= 0, + CERT_PKCS7_WRAPPED_X509= 1, + CERT_PGP= 2, + CERT_DNS_SIGNED_KEY= 3, + CERT_X509_SIGNATURE= 4, + CERT_X509_KEY_EXCHANGE= 5, + CERT_KERBEROS_TOKENS= 6, + CERT_CRL= 7, + CERT_ARL= 8, + CERT_SPKI= 9, + CERT_X509_ATTRIBUTE= 10, + CERT_RAW_RSA_KEY= 11 +}; + +/* a SIG record in ASCII */ +struct ipsec_dns_sig { + char fqdn[256]; + char dns_sig[768]; /* empty string if not signed */ +}; + +struct ipsec_raw_key { + char id_name[256]; + char fs_keyid[8]; +}; + +struct ipsec_identity { + enum ipsec_id_type ii_type; + enum ipsec_cert_type ii_format; + union { + struct ipsec_dns_sig ipsec_dns_signed; + /* some thing for PGP */ + /* some thing for PKIX */ + struct ipsec_raw_key ipsec_raw_key; + } ii_credential; +}; + +#define IPSEC_MAX_CREDENTIALS 32 + +struct ipsec_policy_cmd_query { + struct ipsec_policy_msg_head head; + + /* Query section */ + ip_address query_local; /* us */ + ip_address query_remote; /* them */ + u_short src_port, dst_port; + + /* Answer section */ + enum ipsec_privacy_quality strength; + enum ipsec_bandwidth_quality bandwidth; + enum ipsec_authentication_algo auth_detail; + enum ipsec_cipher_algo esp_detail; + enum ipsec_comp_algo comp_detail; + + int credential_count; + + struct ipsec_identity credentials[IPSEC_MAX_CREDENTIALS]; +}; + +#define IPSEC_POLICY_SOCKET "/var/run/pluto.info" + +/* prototypes */ +extern err_t ipsec_policy_lookup(int fd, struct ipsec_policy_cmd_query *result); +extern err_t ipsec_policy_init(void); +extern err_t ipsec_policy_final(void); +extern err_t ipsec_policy_readmsg(int policysock, + unsigned char *buf, size_t buflen); +extern err_t ipsec_policy_sendrecv(unsigned char *buf, size_t buflen); +extern err_t ipsec_policy_cgilookup(struct ipsec_policy_cmd_query *result); + + +extern const char *ipsec_policy_version_code(void); +extern const char *ipsec_policy_version_string(void); + +#endif /* _IPSEC_POLICY_H */ |